[infra] TrueNAS decommission — remove active references from Terraform + configs

TrueNAS VM 9000 at 10.0.10.15 was operationally decommissioned 2026-04-13.
The subagent-driven doc sweep in 5a0b24f5 covered the prose. This commit
removes the remaining in-code references:

- reverse-proxy: drop truenas Traefik ingress + Cloudflare record
  (truenas.viktorbarzin.me was 502-ing since the VM stopped), drop
  truenas_homepage_token variable.
- config.tfvars: drop deprecated `truenas IN A 10.0.10.15`, `iscsi CNAME
  truenas`, and the commented-out `iscsi`/`zabbix` A records.
- dashy/conf.yml: remove Truenas dashboard entry (&ref_28).
- monitoring/loki.yaml: change storageClass from the decommissioned
  `iscsi-truenas` to `proxmox-lvm` so a future re-enable has a valid SC
  (Loki is currently disabled).
- actualbudget/main.tf + freedify/main.tf: update new-deployment
  docstrings to cite Proxmox host NFS instead of TrueNAS.
- nfs-csi: add an explanatory comment to the `nfs-truenas` StorageClass
  noting the name is historical — 48 bound PVs reference it, SC names
  are immutable on PVs, rename not worth the churn.

Also cleaned out-of-band:
- Technitium DNS: deleted `truenas.viktorbarzin.lan` A and
  `iscsi.viktorbarzin.lan` CNAME records.
- Vault: `secret/viktor` → removed `truenas_api_key` and
  `truenas_ssh_private_key`; `secret/platform.homepage_credentials.reverse_proxy.truenas_token` removed.
- Terraform-applied: `scripts/tg apply -target=module.reverse-proxy.module.truenas`
  destroyed the 3 K8s/Cloudflare resources cleanly.

Deferred:
- VM 9000 is still stopped on PVE. Deletion (destructive) awaits explicit
  user go-ahead.
- `nfs-truenas` StorageClass name retained (see nfs-csi comment above).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

stacks/actualbudget/main.tf

@@ -46,7 +46,7 @@ locals {
 
 # To create a new deployment:
 /**
-  1. Export a new nfs share with {name} in truenas
+  1. Create a subdirectory for {name} under /srv/nfs on the Proxmox host (192.168.1.127)
   2. Add {name} as proxied cloudflare route (tfvars)
   3. Add module here
 */
@@ -83,6 +83,7 @@ module "viktor" {
   tier                       = local.tiers.edge
   enable_http_api            = true
   enable_bank_sync           = true
+  storage_size               = "4Gi"
   budget_encryption_password = lookup(local.credentials["viktor"], "password", null)
   sync_id                    = lookup(local.credentials["viktor"], "sync_id", null)
   homepage_annotations = {

stacks/dashy/conf.yml

@@ -265,12 +265,6 @@ sections:
         url: https://redis.viktorbarzin.me/
         target: newtab
         id: 6_1364_redis
-      - &ref_28
-        title: Truenas
-        description: Network Storage VM
-        icon: si-truenas
-        url: http://truenas.viktorbarzin.me/ui/dashboard
-        id: 7_1364_truenas
     icon: si-adminer
     filteredItems:
       - *ref_21
@@ -280,7 +274,6 @@ sections:
       - *ref_25
       - *ref_26
       - *ref_27
-      - *ref_28
   - name: Public Services
     displayData:
       sortBy: alphabetical

stacks/freedify/main.tf

@@ -44,7 +44,7 @@ locals {
 
 # To create a new deployment:
 /**
-  1. Export a new nfs share with {name} in truenas at /mnt/main/freedify/{name}
+  1. Create a subdirectory {name} under /srv/nfs/freedify on the Proxmox host (192.168.1.127)
   2. Add {name} as proxied cloudflare route (tfvars)
   3. Add module here
 */

stacks/monitoring/modules/monitoring/loki.yaml

@@ -53,7 +53,7 @@ singleBinary:
   persistence:
     enabled: true
     size: 50Gi
-    storageClass: "iscsi-truenas"
+    storageClass: "proxmox-lvm"
   extraVolumes:
     - name: wal
       emptyDir:

stacks/nfs-csi/modules/nfs-csi/main.tf

@@ -75,6 +75,11 @@ resource "helm_release" "nfs_csi_driver" {
   })]
 }
 
+# Historical name retained for PV compatibility — 48 bound PVs reference
+# storageClassName: nfs-truenas. The actual backend is the Proxmox host NFS
+# (var.nfs_server = 192.168.1.127) since TrueNAS was decommissioned
+# 2026-04-13. SC names are immutable on PVs, so renaming would require
+# migrating every PV. Not worth the churn for a cosmetic change.
 resource "kubernetes_storage_class" "nfs_truenas" {
   metadata {
     name = "nfs-truenas"

stacks/reverse-proxy/main.tf

@@ -12,7 +12,6 @@ locals {
 module "reverse-proxy" {
   source                 = "./modules/reverse_proxy"
   tls_secret_name        = var.tls_secret_name
-  truenas_homepage_token = local.homepage_credentials["reverse_proxy"]["truenas_token"]
   pfsense_homepage_token = local.homepage_credentials["reverse_proxy"]["pfsense_token"]
   haos_homepage_token    = try(local.homepage_credentials["home_assistant"]["token"], "")
 }

stacks/reverse-proxy/modules/reverse_proxy/main.tf

@@ -2,7 +2,6 @@
 # outside of K8S but would be nice to use the Nginx-ingress
 
 variable "tls_secret_name" {}
-variable "truenas_homepage_token" {}
 variable "pfsense_homepage_token" {}
 variable "haos_homepage_token" {
   type      = string
@@ -126,31 +125,6 @@ module "tp-link-gateway" {
   extra_annotations  = { "gethomepage.dev/enabled" = "false" }
 }
 
-# https://truenas.viktorbarzin.me/
-module "truenas" {
-  source          = "./factory"
-  dns_type        = "proxied"
-  name            = "truenas"
-  external_name   = "truenas.viktorbarzin.lan"
-  port            = 80
-  tls_secret_name = var.tls_secret_name
-  max_body_size   = "0m"
-
-  extra_annotations = {
-    "gethomepage.dev/enabled" : "true"
-    "gethomepage.dev/description" : "TrueNAS"
-    "gethomepage.dev/group" : "Infrastructure"
-    "gethomepage.dev/icon" : "truenas.png"
-    "gethomepage.dev/name" : "TrueNAS"
-    "gethomepage.dev/widget.type" : "truenas"
-    "gethomepage.dev/widget.url" : "https://truenas.viktorbarzin.lan"
-    "gethomepage.dev/widget.key" : var.truenas_homepage_token
-    # "gethomepage.dev/widget.enablePools" : "true"
-    # "gethomepage.dev/pod-selector" : ""
-  }
-  depends_on = [kubernetes_namespace.reverse-proxy]
-}
-
 # https://proxmox.viktorbarzin.me/
 module "proxmox" {
   source           = "./factory"