actualbudget: dedicated traefik rate-limit (50/300) for budget ingresses

The Actual web app boots with ~70 near-parallel requests (55 /data/migrations/*.sql + statics, all served cache-control max-age=0 so every page load re-validates them). The shared rate-limit middleware (average 10, burst 50) 429s the tail of that storm, so every cold boot shows 'Server returned an error while checking its status' and every load stalls in retry backoff — measured up to 5min stalls when two loads from one IP overlap. Viktor asked to relax the limit after the anca slow-load investigation (beads code-7zv). Same pattern as immich: dedicated actualbudget-rate-limit middleware in the traefik stack, budget-* ingresses opt out of the default via skip_default_rate_limit + extra_middlewares. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
2026-06-10 19:36:42 +00:00 · 2026-06-10 19:36:42 +00:00 · acb847b858
commit acb847b858
parent aac807fb3a
4 changed files with 34 additions and 4 deletions
--- a/stacks/traefik/modules/traefik/middleware.tf
+++ b/stacks/traefik/modules/traefik/middleware.tf
@ -294,6 +294,31 @@ resource "kubernetes_manifest" "middleware_immich_rate_limit" {
  depends_on = [helm_release.traefik]
 }

+# ActualBudget-specific rate limit. The Actual web app boots with ~70
+# near-parallel requests (55 /data/migrations/*.sql + statics, all served
+# max-age=0 so every load re-validates them); the default 10/50 limiter
+# 429s the tail and stalls every page load with retry backoff (the
+# "Server returned an error while checking its status" screen). Burst must
+# absorb a few simultaneous device boots from one client IP.
+resource "kubernetes_manifest" "middleware_actualbudget_rate_limit" {
+  manifest = {
+    apiVersion = "traefik.io/v1alpha1"
+    kind       = "Middleware"
+    metadata = {
+      name      = "actualbudget-rate-limit"
+      namespace = kubernetes_namespace.traefik.metadata[0].name
+    }
+    spec = {
+      rateLimit = {
+        average = 50
+        burst   = 300
+      }
+    }
+  }
+
+  depends_on = [helm_release.traefik]
+}
+
 # Compress responses to clients at the entrypoint level (outermost).
 # Applied at websecure entrypoint so all responses get compressed.
 # Uses includedContentTypes (whitelist) instead of excludedContentTypes: