[ci skip] Move Terraform modules into stack directories

Move all 88 service modules (66 individual + 22 platform) from
modules/kubernetes/<service>/ into their corresponding stack directories:

- Service stacks: stacks/<service>/module/
- Platform stack: stacks/platform/modules/<service>/

This collocates module source code with its Terragrunt definition.
Only shared utility modules remain in modules/kubernetes/:
ingress_factory, setup_tls_secret, dockerhub_secret, oauth-proxy.

All cross-references to shared modules updated to use correct
relative paths. Verified with terragrunt run --all -- plan:
0 adds, 0 destroys across all 68 stacks.

stacks/actualbudget/module/factory/main.tf

@@ -0,0 +1,213 @@
+variable "tls_secret_name" {}
+variable "name" {}
+variable "tag" {
+  default = "latest"
+}
+variable "tier" { type = string }
+variable "sync_id" {
+  type    = string
+  default = null # If not passed, we won't run banksync
+}
+variable "budget_encryption_password" {
+  type    = string
+  default = null # If not passed, we won't run banksync ;known after initial installation
+}
+
+resource "kubernetes_deployment" "actualbudget" {
+  metadata {
+    name      = "actualbudget-${var.name}"
+    namespace = "actualbudget"
+    labels = {
+      app  = "actualbudget-${var.name}"
+      tier = var.tier
+    }
+  }
+  spec {
+    replicas = 1
+    strategy {
+      type = "Recreate"
+    }
+    selector {
+      match_labels = {
+        app = "actualbudget-${var.name}"
+      }
+    }
+    template {
+      metadata {
+        annotations = {
+          "diun.enable"       = "false" # daily updates; pretty noisy
+          "diun.include_tags" = "^${var.tag}$"
+        }
+        labels = {
+          app = "actualbudget-${var.name}"
+        }
+      }
+      spec {
+        container {
+          image = "actualbudget/actual-server:${var.tag}"
+          name  = "actualbudget"
+
+          port {
+            container_port = 5006
+          }
+          volume_mount {
+            name       = "data"
+            mount_path = "/data"
+          }
+        }
+        volume {
+          name = "data"
+          nfs {
+            path   = "/mnt/main/actualbudget/${var.name}"
+            server = "10.0.10.15"
+          }
+        }
+      }
+    }
+  }
+}
+
+resource "kubernetes_service" "actualbudget" {
+  metadata {
+    name      = "budget-${var.name}"
+    namespace = "actualbudget"
+    labels = {
+      app = "actualbudget-${var.name}"
+    }
+  }
+
+  spec {
+    selector = {
+      app = "actualbudget-${var.name}"
+    }
+    port {
+      name        = "http"
+      port        = 80
+      target_port = 5006
+    }
+  }
+}
+
+module "ingress" {
+  source          = "../../../../modules/kubernetes/ingress_factory"
+  namespace       = "actualbudget"
+  name            = "budget-${var.name}"
+  tls_secret_name = var.tls_secret_name
+  rybbit_site_id  = "3e6b6b68088a"
+}
+
+
+resource "random_string" "api-key" {
+  length = 32
+  lower  = true
+}
+
+resource "kubernetes_deployment" "actualbudget-http-api" {
+  count = var.budget_encryption_password != null ? 1 : 0
+  metadata {
+    name      = "actualbudget-http-api-${var.name}"
+    namespace = "actualbudget"
+    labels = {
+      app  = "actualbudget-http-api-${var.name}"
+      tier = var.tier
+    }
+  }
+  spec {
+    replicas = 1
+    strategy {
+      type = "RollingUpdate"
+    }
+    selector {
+      match_labels = {
+        app = "actualbudget-http-api-${var.name}"
+      }
+    }
+    template {
+      metadata {
+        labels = {
+          app = "actualbudget-http-api-${var.name}"
+        }
+      }
+      spec {
+        container {
+          image = "jhonderson/actual-http-api:latest"
+          name  = "actualbudget"
+
+          port {
+            container_port = 5007
+          }
+          env {
+            name  = "ACTUAL_SERVER_URL"
+            value = "https://budget-${var.name}.viktorbarzin.me"
+          }
+          env {
+            name  = "ACTUAL_SERVER_PASSWORD"
+            value = var.budget_encryption_password
+          }
+          env {
+            name  = "API_KEY"
+            value = random_string.api-key.result
+          }
+
+        }
+      }
+    }
+  }
+}
+
+resource "kubernetes_service" "actualbudget-http-api" {
+  metadata {
+    name      = "budget-http-api-${var.name}"
+    namespace = "actualbudget"
+    labels = {
+      app = "actualbudget-http-api-${var.name}"
+    }
+  }
+
+  spec {
+    selector = {
+      app = "actualbudget-http-api-${var.name}"
+    }
+    port {
+      name        = "http"
+      port        = 80
+      target_port = 5007
+    }
+  }
+}
+
+resource "kubernetes_cron_job_v1" "bank-sync" {
+  count = var.sync_id != null && var.budget_encryption_password != null ? 1 : 0
+  metadata {
+    name      = "bank-sync-${var.name}"
+    namespace = "actualbudget"
+  }
+  spec {
+    concurrency_policy            = "Replace"
+    failed_jobs_history_limit     = 5
+    schedule                      = "0 0 * * *" # Daily
+    starting_deadline_seconds     = 10
+    successful_jobs_history_limit = 10
+    job_template {
+      metadata {}
+      spec {
+        backoff_limit              = 3
+        ttl_seconds_after_finished = 10
+        template {
+          metadata {}
+          spec {
+            container {
+              name  = "bank-sync"
+              image = "curlimages/curl"
+              command = ["/bin/sh", "-c", <<-EOT
+              # set -eux # Shows credentials so use only when debugging
+              curl -X POST --location 'http://budget-http-api-${var.name}/v1/budgets/${var.sync_id}/accounts/banksync' --header 'accept: application/json' --header 'budget-encryption-password: ${var.budget_encryption_password}' --header 'x-api-key: ${random_string.api-key.result}'
+              EOT
+              ]
+            }
+          }
+        }
+      }
+    }
+  }
+}