Merge branch 'wizard/budget-rate-limit'
Some checks failed
ci/woodpecker/push/default Pipeline failed
ci/woodpecker/push/build-cli Pipeline was successful

Viktor Barzin 2026-06-10 19:42:19 +00:00
commit 9fff77cbea
4 changed files with 34 additions and 4 deletions


@ -183,6 +183,11 @@ module "ingress" {
tls_secret_name = var.tls_secret_name
dns_type = "proxied"
extra_annotations = var.homepage_annotations
# Actual's app boot fires ~70 parallel asset/migration revalidations
# (max-age=0); the default 10/50 limiter 429s the tail and stalls every
# load. Dedicated higher-burst limiter, same pattern as Immich.
skip_default_rate_limit = true
extra_middlewares = ["traefik-actualbudget-rate-limit@kubernetescrd"]
}
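Review bot: `skip_default_rate_limit = true` takes the default limiter off every route of this ingress, so the application's login endpoint inherits the relaxed budget along with the asset burst the comment describes. If the ingress module can attach middlewares per path, keeping the stricter limiter on the authentication route would preserve brute-force throttling; otherwise the trade-off deserves a line in the comment, e.g. `# Applies to every path on this host, login included; the dedicated limiter is the only request throttle left.` The `extra_middlewares` entry is also a hand-built string that has to stay in step with the `name` and namespace of the Middleware resource added in the Traefik stack. The module block starts outside this hunk, so whether a shared local or output already exists for that name cannot be seen here.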


@ -294,6 +294,31 @@ resource "kubernetes_manifest" "middleware_immich_rate_limit" {
depends_on = [helm_release.traefik]
}
# ActualBudget-specific rate limit. The Actual web app boots with ~70
# near-parallel requests (55 /data/migrations/*.sql + statics, all served
# max-age=0 so every load re-validates them); the default 10/50 limiter
# 429s the tail and stalls every page load with retry backoff (the
# "Server returned an error while checking its status" screen). Burst must
# absorb a few simultaneous device boots from one client IP.
resource "kubernetes_manifest" "middleware_actualbudget_rate_limit" {
manifest = {
apiVersion = "traefik.io/v1alpha1"
kind = "Middleware"
metadata = {
name = "actualbudget-rate-limit"
namespace = kubernetes_namespace.traefik.metadata[0].name
}
spec = {
rateLimit = {
average = 50
burst = 300
}
}
}
depends_on = [helm_release.traefik]
}
# Compress responses to clients at the entrypoint level (outermost).
# Applied at websecure entrypoint so all responses get compressed.
# Uses includedContentTypes (whitelist) instead of excludedContentTypes:
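Review bot: The `rateLimit` spec in `middleware_actualbudget_rate_limit` sets `average` and `burst` but neither `period` nor `sourceCriterion`, so both the time unit and the key that groups requests are left to Traefik's defaults. The comment reasons about "one client IP", yet the ingress for this app is declared with `dns_type = "proxied"`; if Traefik sees the proxy's address rather than the visitor's, unrelated clients could share one bucket, and if forwarded headers are trusted too broadly a client could influence which bucket it lands in. It is worth confirming how the Immich limiter this copies resolves the source address and recording the result in the comment, e.g. `# 50 req/s sustained (period defaults to 1s), burst 300, keyed on <source address as resolved at the entrypoint>`.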