From f80e1fa8688f53fa23d8cb8af49100b2c9480c38 Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Mon, 6 Apr 2026 11:54:45 +0300 Subject: [PATCH] cluster health fixes: NFS CSI, Immich ML, dbaas, Redis, DNS, trading-bot removal MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - NFS CSI: fix liveness-probe port conflict (29652 → 29653) - Immich ML: add gpu-workload priority class to enable preemption on node1 - dbaas: right-size MySQL memory limits (sidecar 6Gi→350Mi, main 4Gi→3Gi) - Redis: add redis-master service via HAProxy for master-only routing, update config.tfvars redis_host to use it - CoreDNS: forward .viktorbarzin.lan to Technitium ClusterIP (10.96.0.53) instead of stale LoadBalancer IP (10.0.20.200) - Trading bot: comment out all resources (no longer needed) - Vault: remove trading-bot PostgreSQL database role --- config.tfvars | Bin 10070 -> 10111 bytes stacks/dbaas/modules/dbaas/main.tf | 31 ++++++--- stacks/immich/main.tf | 1 + stacks/nfs-csi/modules/nfs-csi/main.tf | 3 + stacks/platform/modules/nfs-csi/main.tf | 3 + stacks/platform/modules/technitium/main.tf | 4 +- stacks/redis/modules/redis/main.tf | 30 +++++++++ stacks/technitium/modules/technitium/main.tf | 64 ++++++++++++------- stacks/trading-bot/main.tf | 6 ++ stacks/vault/main.tf | 8 ++- 10 files changed, 115 insertions(+), 35 deletions(-) 
diff --git a/config.tfvars b/config.tfvars index 706a3ded71fa64f18554059cfe09eca8194f88ee..9c50b8ef14018c7384c8105279eca3a33545c6b4 100644 GIT binary patch literal 10111 zcmV-_CxF-hM@dveQdv+`0QQ|VN;C~?P4pmOVBS8ECft9UiYb;<5J$H_=B5TRt3Nm942k6UYN>H&;hTr z*=orlr+{<}=U9NHtcp^D0HH~4#_aX3Qa;Zs{wU7+KX7LXouLt)1Gl=XU}F2E_! z?wjke1WVQbQ+?IUYpzOYMP?`-h6wOn=oz$cpZ}1mQao1 z8N@J_Ypt<{=mhG9`D1@)6})wPif2$(^d^&wTXobQr98n+7EM3(hXYe&CPyI0%411w zNi53bp+o6cS5Dd;wA0xs)CGZaG-IWV>O~%@j=xQT^31M`M)YI=6$ zZBm2~WIQ&|PvNW{*+&ffap*Wxm2; zVc|6wU)eu;4cz}Q^Ca`Zx{c4lV-CD;J%6y|dA4oB%yPNVIK^J{`{#iqki`PLN2d1n z`kJJe=E;!4i!c}4bK`=!o*2YMnZnJ7O z$=0Qnec3%f)`-mKwSwPFMBmBkGmN>4#!l<{&O~Irc5@=~n}_5c3*j*YCadV4UPz^> z@Kpi!IUF55i(OAVrtg|BE`Y9CI$#1eeh4~(3Qm(-^oK9aTT>wsnKJ{3)wFc!TF=%b z=;6(JFKLUl+rwR`G*O=^w*8(vgdYuEu)4xH5Fmyx$sgu{zKH-K=x}=+>vMhNNM-3V z8^sr6jD_IO1MzZLA1vpaCoYf(JWHxOC$o?FIT5>Q)Yw^Rwj9#i@(??EkhQ19So_?E z)gbyP+vSrE->&P&*i(farZ10p*gm8(rwXrhmNwUGWJ#V|hb>)?Ef?%0&ju}1yiGK~ z;Ux;@9;CGh@#wv78>Vr$2Gn3b0|vV-OsRA0Ek@$iUpmTpulM$$h-a?WUjC*|;6VZG zD?H@pU6GVjjp^a$)SQN7FT26cqqqU}j2iII{DT{!nmJtf$Q95rF`+nrqN}P$%ZJd2 zt^3Tz7TK4>L=o7LHPx1%x+c+Fhc8KvyJU$Iqr7Gh?N%_cdOob1Gm0!T4s@a$6h?cY zulUN0zsOsH{`;pm$pQ|Nrmd{uHAL94cknt6`hX-0-r@cFRp!s9fBXV;iwnHc9XMW< z?D=HLu$Yn?#r7BPkQN`5$>L#2x#e*q(P^aW9+@O1Qnd2qhFE7hI*!sdLaLfcem+mP zL@cq}*|Iv4m_5*j#sP&Mb_N_}M!bPRQA1Z_xOtgPbam()g6bGFZR?r~gF40JE|fL1 zw45uLM_G(K7P9w0acG`#T73VOWIQc9SS{332QS{`9}@C>IxD|P#GTEX6u*`M!B#pg zCqNx`!@G<@{m}6z1|NtLV7+O{&8x+t;G$nmc;tU1PZm-LwlIGn&wl_tXG==kB=r1` z_X*AOFIl~}$`Z}!2g1fGW`1>u5Pv#!xA9;vtXs_RomYl{E0a}!^C98O=Ge@scK9}} zr5%lVjPy%Pe9trTT^)>mcwP7x59EIU!G-WiMuaQ)JC--4wBQ2T4CA&wNH4KR919?q zNz!kd+7cc_(;QewL3nf}T7hyqPR0ii!d|}>Vgvnb?~^see$Wc_E|;lyS=mZZ5T(G{ zITwMoBx-81wr}5{O|Qp$_q(u?Mff4<;0`bP!H%~iT!$dZ`@@Jajn`%Ci7c+nMl5~& zW};wjc`M36ja_OAVPkg?e^`GWHR97sRhvn~wDFRaZevLRarRa3v6bv|i-3efQ;ohX5 zIa}i<+urYoD!S~f<&>0)#}e+&EzXvAOl|ITjY<9iV)W5h+E#F)XK;Y-UHzR1<&WRG z{3ehb!Fa5Wu6sp0#j+=?f^xlG!gsCD%`n4@diO4BZ6S_#2yWr;aP*enN$ejCamUWQ 
z*6ldI`LkP@_%+W!7}zrKZmS&2Bc3n}7&Xnd-%DRgGx$)A7gIHGg8XQTwYKFN&!B>x zBzy7%S9{Q;pJ?5)ff)lK(2tyoJ{=sw2`YWlA#xp|im&X3Roo}EWe<7kB52T4PucF6 zBx|ZSRgtqckoIn??!vIW44pAH#1DUl`;hf7k>;8W+KVHSTF<$l0?8SMI!QsL_57T) z^453i%H|#4+!%BH82Fqp59}#CkkA_b$&m{7MWt6XP_rZxB$67eyqq%7`q46$J3QXz zS4zDYFvNkL6+$e@*T0=Gi@TTR=fwWb_nhQHq#;{jeDsYf<`gk$o+)Clc1Fg2hsOiQ z0R%axrw%V1CplD?92uFRZ}D^*UQKI=Xt(6XER(@KF>6O1v}d-&VrfE_E(P0x{b?#E zcd3l-6lpDO&2eyaL?EA+u;T#+s=SNF3HuR-c1={0m`YwvVFEt*8S(++ppGX_lOGE7a0{q5wMg#+%f4T&WL#brjKqJ3BFPlIP z3Z+#+i=!mbVOv)_bk}L$p#dMZH}&-4w9Z42GOR_lK_NfPr*DCH?>S~Io<-&cE}Ss3 z%W8?7pE+XqQIdU`oY z(WQ8Fr;q56a@EvZ<D_tPsO+XTI(Jaf_4&_lKkm|v>-r6Qpx{5i zoEpwl_Yk@8C$%F|P4h3s72cRP31*HDsp-TO-9;%!G%Vv5lRea~ou6|BWbt*GXb$C$ zYk_DZ$|dViLy)e@npIHN%%1-%LS)jZFr3Hl)od7XEZaAq%{==J^meOTHDnlY$2!{G zAcRMujOA$-Dcl9<$2F&uA8CJ|@~&H|xD*I!keb+Ch^>O*c99|S64VtE{605xt6Zhg zXdHJ0^WuWB^`_tF>1Y2nT~D<*w^!!QPKfm&@fH)D2FO4u!kyH@|0+RCgb&x-FJEDw>O(JnPAt9Q7Coiuqr-x6i;!jBcFz6uGW;O46PIXgsI8QspzX&x#%PB$%uI9J}!BuF4_$5WzW==dIA7)BUV zBn1rUY?BBJwPl>1_@1W*uve~+{_>@A704i7*K@&YK?z#gUO{9Lrw;G@<-b~cSnQi0 zOa2O@VlF@tFgR|Uqs@kU&-B=bg}sZ{>hu{3P|fBE9j;{)9^@~G{5oY>emRV)u_^($ zGT4*xSXD4!4u%oA&5TO5b5$T@5dIzV_Y)lyu>)k{S3V{k4D3d~iY#Vmy{vk-!Wtdg zSm-EGliKVJ)1sNj4$M`qF?B*nm_M#@4bklRB9Ee0Q!pPKZkaTts`tYy;UMp}2IMA$ zhP~z9ba7}WKuH{HgkDk*#pFLhEE6P83->Y}EJA*!8PGMxRx~o$QrQ>jiWQ?^q(O;) zUFN8O>9d+4$OAoxFuNE+l@eMp7*Q_;!rnfY73)zF!9c{!qXn@<@{9UWQJ!F880iBb zqI3s37_$>G4o1%R6>PWXRr})4B(&MD8gE z^S_C&z#pmRo#ONBqu0IAl+iNC+Gbm`L0eHPKN30lOh>>E))QB_Hp03;P0jY7o1i5d zF^ITv_9Bo#YkHXaH1R%$VUVq29F`WKhF(*&nD8y?#7~xRdH+0jdYh#Rpc}Z0^sM#Q zRb`Igb9A>}xDJ1=FIyzIsZ^6|K}G8EL$NjS%~XPgd}fI4z7%K^sV|7Ulcz(JJ#VMy z3=mj$AelAyG9Z3%)&8-c?i@su&xD0Dy19A*em{at2E4G84r_q;(GC;YWR1mh?6ULr zBHo%BK7VFag{kylH;93}iyY~d3@%jUaS8&G3NIQkYmx6Egg>{lWH=#3biRWqhRffN z`sUqMxn7;iN8hGW!45YS7g<#?xoedS5V72*yzDQE~I&>cV{$0L|C6fE9pG(PJWc%_?OyXdVbc`G0=1;l zCmwT6I;;DyDTQuP=}^jf?;Ehc&{ZEfuTI6-FYbGQ?~YyYV$uDurn7vkj|K2XODedUesnZm@}v2{?H}^xlJektRs<( zG~yD$2@wX$I5z~CnFr{zSp44Ub4K7X6*ft^4$K=c$GP8hcic^b1S^nyJV1y{q<0N) 
z;kWS#AkUKN6)E#64a%O!JMQ<{PpGM+N2-fHqbYv>T)`t_hed^OP05AZ81mbLyh=X# zju{I&)5+$-7zh-?9L#|~IOi}=1Hz=|fOH<5&iC`BY!C|dKVHuLMqqJxMn0}O znRhPMIZ`r-%t1zE?Y7MHTRnKt%lHt!D`+tjo8`M+P;~G=l3|w-_A(BRxOb&)zS?e6 zJ_axmIlvB*$iwOXp#~<*siU!@uzqf@d=x2b>`*l_M46T`oaDp9aT^H} z+jFZ{WOb!LzzC+A+aP7U$fh3pKVhRSw+-mtb)$3n=?i_-qU=zmQ?*TxVd<0rh!?P* zc{fgajMkI}8hr^ZSkJ`wPD9o>w$NQjYo5-1uEkkXQaVdS#+1-~-)(sG?mbX> zCKDNdi!s>Vuvi>U(1N0Q^d>oc10JhfBl2oy*uGQ;NiRJDYr709|ulM~CSzGi)K;u(V%h z!cNZb-UM5SZTQ`AdvCa2;JubJx$85**(d_OkhK)iIEAh7@wEelhW`rV5b9J+H-ZGE z%Y}Ty_W4zk1*A-;Ujq%QRM&R7i|MVAhW9p2G0if|dpNQ70bhD`n}DS%C1XSy$PIg> zak19(evmCc`HnPbda$0%i^C7oz~=*OT{!+as`UBKz;Tw@{I{)ikM1%jHZHg%`DK2S zq0OBcFBy=D^|0zR?3PF?5XT@SlRy}1Cn?_c3v0aBP(XxCO>SaFF5sGg3>&g^>^40C zsl*FA7WUIf62$%PIk}npy+5byc;k>&N<4e=OI(&GHydG}(e1YKGA1Mtm)VuCZ6jVyFG&jt)@EV3AwUhA9v2A z*7X)e>tCeJ0r{4jjLfI0$&c&@NX7T{%_*Kq(=C4yF0F4;ik)pjF806*O$QSy%B%ty z)+(~ReOFz$&RWu<02t2jbA$+7lYmeotk_20Xu#9IC`WqW)_+nsE-=bo|5x_Uk=8LI zKBb5Qx}_0kU7vT7e^+G?W5$%w_PqDM_dagJEV7{TiG_UoQY66kO#Qb$+62Q#6Hpv> zy_s+SS#pa)o*{o?mqC#=(XnZTF%vYJm@osKngurtseV*^x>cJgttyz1o?}o;!H%ez zRMNLUu(Q3S0;5xtfa{+RziQFUfEzp?hS+i$zy`c85AjY!()o_ZRa zAETnwulVU{pPm`B<4fc?yd}st_}U5D{k7CxADOLVG-umrI-+LA!E5w5 zoP|@JcnwGMtV9}uDbkoZE}dddOz{EV{l6+qP)^-rTT+ciCJ0Lm5!e7Qs0Er6Un7Wm zaeEy1rU%Wmb%T5xT`C1syxw#=c-D(z8Po)mfXB5^HFq}EEH2azE?Ds0j}96U`$_cc z9@C#)N0AEisY7QNKcjrM-t={)6>j8Tf0tGd|G}g(qHcZ0z`y0)ekUTJUVp3>z6!oQ z%HYqjid-jl&?aqwcz~-5Cn81!P!rMW0v!c>h-}a1D`$AuF#1EuZkSw&B1s!@<^9kN zb3u5DGQb7ywgaqs@YmZbA)+iF^0jU&gNpc}d-D`zyhvhDE)VcKplu#GXR8~9nqg;M z3|uVqD19<@gn(N&>C=#&WaU~Naop=mMX3FUFQ#&Wt`WnxK{O^z4ZZED2u7Qjxk*m7 zdbYB5nw= zS|ToCR$6FAG}0hueG5yd zqHRuqG(&3}{CS4i0-m%s3ZHmJn?TwFzUcx>&RAw#_DaAZ4LpgfeKJOiXHMc@O_{=Z z`O9V*@)(84m;8;U&t?h7AAM#i>5DcTkg(9-l3jifa3exfrlrzAzQd`FEf**Fjc#rFczyU0`7p)WIZgQJ%-Us&H z+QdCUwc;Z;kt9{P%qjrH*<(NPF_@PJ0e&o%fFclZ4L=NJPU@md5Io2-R&&4~Enw^? 
zGu~f1A5pYhKqAa|a%~Hd+->L4t%+zn(2k`Ya4(eIQ^FHFKWc!ge`(bkWGr>8$CKL&H zPB!zLj*YW<`7hvIPM9jBTAtC-L#O(|+TBaRIA*bbbSkn-ns6^u@FYE@D6y#6++Jz5%*PQmCjlGzoQqeXi`4uZ%A{iXS?^ivI37H*U88 z4b?#^K6te*kGh2*78L`4g}>HPI-V=kEDAc`Ijj%50sp_JYeZ=T5+4H8aIgMbF4T8R z_;g$)l5R0G$@u<`CcQoJ4|hG_C@^Ta#CO2|WCulQzZgMYtecs#$r2><5oH;cR_M>) zHAW#?QD*MKV2=*vUmxAc$@8y`?V$fX``gx79aQ^X9K?k*u-(vK)wlE&&}Yhzz-SQ3 zAkxzOD}Z(9#n#XrJz6?y9N2keY}X(8<`_B_izb)`>mqT1o<7et-gr*Iae7*PHB%ku zkGz3&Q=!ju6Y%e-osDTc;K;;kIsQKb0@y_u4+kR@)|xbzs3ePy-`k0zW^(BtV5)?0i)AnB*2K6%MlKVvq zuvI{aDkMD=lk=@ITEJ zCeh|qBI77+4jU%Iw$-jzJ<2*L?XJi5|2W58u={CWLbziwEst;f9T$ASy-z4*Jz{=? zf=gy?3$<`!MPf zA%Irq&{Z^D-hlY3Ixn^wCpikQtwnG>B1`x8a_WxE2F-1^|4~}H!wG`*jQ?Y}C*z8k zTSX7%eH+D%HrpYsgv*Z_QEff|v_4|S)ez&7?4o`!aPHZ)L#7?L=1{O?QuGtkvn93j ztEF#x`QgG4OfhEh8FY>`4q_xb-LStF8t52&yXA^6R91~|NW}VlguhXE**AU)7t*X! z>m}H5DLFzYmyLCiU^sOdr7spr8wTgD&o?O|iG%rjR^>gIiI zP>LXlwf!!}5Kx*TT7njc@gNZg)0iTZn}~k(^R*4_f)pT0AY~ydOT{~vDREU~yB@mV zhskxy&ss>E=8!_BS4wYAA`bzn^ju=z?BV`X2*kkt-fB8yIGX|a!UM73jhBw#$Jy)~ z5CF-X3qeS@tV`U2O))|Ryd{1o7P?DMhA8j*GcM`3Ch|9{0xr1J0SpD--<YFgVaiF|=3Snaz`&X`i}Xe;jN7aLZO8_#yX+E%DK-TbM7&^Pce z~dL8;_!uFavtC;@W7}xX`ikxa|RxGC&%RXb0tV02#Ld&-#hbBlD#xwKClZ+&hfo>bv1S1kys_YyYf zI7w`DTwP~2xiIOt$2i*`)<-~c`z9iT@ShiA-B(m`Yx&f<4?Fed+GOC`leM$CfZwdGFT@OWC^dC9VHW_`}Vac(Em!=qQ_&(I~$F&sK>@6 zf`~g%LV$VY5d_$xqJBov%sZ-uRVGstk>g%_%koV2hbY_5p9TG0KDLntwOYrbaIJSJ z^CVQ&-s)@w7y())+GG1!(f&`VKC6`ijY~fq&<4T8VO`m?9YwS2#R?@mB{6@AMibU> zr0_}~vdnV!Zps#;In8v2g<73luN31g!b{dSq@%vF&4*1E0ZMMAtC7Fd( z$>QerQuR)u7|;e->@p4M#x~n6atKXLO*!~)<{O4!eE!I5>cH#jB4mK}l(ob8dVmT; za`)~>Fq+z6Q$(QEvN&<5C;#nf3?KeaBgQV~Vp?cV&3ZE+|t3GhPNg>VlJFH2p%aqhhv$VSEX3H0dq*9HE6B>|@RF8Pf#;M{t%{1B( zF4@wh<~z&z8w$n#AY(QzOhCgaez{FQO+`@*%5glydJX^9G{%g=e&9DH{(smD0QjmK7W$vGp(ihS{_BupH4 z05BiK{b|6PqxWZyBdbpjInv(Ovu|>FlE5p*Na(}%t>H(Ol%+#wY#ehrNi_QE^;gYX z6i{-pza>u|+fdOzrU7A+S+(%kH=ARnl$r_;D|Zfj0HvgEHY(4UZI&A(y#}xdOLfa|LHSdHxcDU~pPOd%_uMS*`VkoMk*s+EBo=QZx$RN_` ze54@b6R1GKvGunbc-*;p)!&K=VCcFtWNoc5+$RSf-1sb-;!15P3o5I3Mey)xx9q-1 
zKHncy|DN&_&Y13TgbPJ*B|eh7y`Mr!&(7j+8d`<w)6PY3XGzHc5jUljLOd;w|CVu6U!^TrZCD6xu%ItqH z-t1`UGk5?9AsoPK7UMt2{lwjIv$$>rP-AHEU3TqqI%9bFiXK~7lyA@x=u#N$Y6OUF zK}I89&0{iVc|zb~zXqt==3%#gBvhej&sa1pBYw0R7f!ML;Nv}>HpC7yJ+@>b0bKX{zX}S@G2am+g9+rx$Eul z1tSzpg>@_mwClEq(`(mU7`U>r9@bwMmqK&E426hLEXIgjSs;mn{xJ4<0$JOaa+3zujO)bm9jD~-SL6>?*=r_y@d zlV5Vr8oc(Q7&>k_mEq3SLiZ;-MrqrRG|Z9hIBN)ssFdbpJM@xyLUIhqt?g4X0r?k} ziPbYp+|8??lWUk_H(7a zT^s@3%q18{F;!uBUk#PbUCUy-YZMP!C>_$0Yvr;`?-Jw0snY*v1IH7X;MHZg;ry8< zM<0_L)n4G81hdEWI+$pb&Tm>;y0H74m)Jlbarm zxaQct4yMhc*z#LZ>Ad*tf^Akzx?$;3b2<2QipO_|jSy+5Sab+T6+S4aLDAp%b8Cey zxJYmW5u)JysqJ^gxx;sFH3+y&mfGR)nA(U!6E`tL15Faxt0a)_LSNL?5EqlLTEAGx z$xY;66-;hyP5RtL+0ZwzTN-U2B3+A0j!~8?kHg6#$fQu&sByX$RV64>i10hoo!-j8 zw@?FGbVKy=%1k82g8iBe47yX=qp z0xZEa#PhbZ+>9Hv?O9JOU6EAfKK7|nwQDV4FdE9~Cf~*^q~I%1)oSGV?U3^R-kdH^ za09Ebrr4woPURDeVzLVL7tloXlrDAlg0^+B(Py{W+aOpp^FIg3*q+-bo^mjUi*RoAH{1EOJM9q`_<>lGRqT zpQ}gKr}XNJ$$tU7bc2RRoJ;zM^KFaN@kiVZ&IE4+M#n!(JsiN7@!TTAocKN_mstp? zLAq{e0>P+I<1bECUYh1$R8GSkL({>svQ8K-DdYScE#B17kSh6B{UCaJ6WOR zbY|ZI&f@+#sq4`ywqJHfIf}Uxjr=EU2Rw*j5jQFU-L0TL>7sP0mrlKp@v-a;L2v`K z7!8#m5?+N8_x zL9#5({L}=+bsIM9cy;QlCQFiaf?VWSRSQ_^A717GF;M8!X1j=1GZ2Xuu#;-(7GOa! 
z?#!OB1g6Dr0vF2^!*O%4Ke5W0)Z32vs(0hh+&(do0P38p!XXbgM!&umff-JF&r)yA z0NY}_ymLoWPe)q5+Ygd6_||ju-)xhzFiheG(bGnbjKPjfQa)Mh>36D(Xw#<@F~%;& zZ9}KIDX4x~+pf;fmI2rV?K{2>%JgPPDK;5GT)(?f8msFzu%*@B?b%~b-fx4AEu4E5 zc8y%XY_fT*cYF#uWrLe=L6d)jR?!wP@cMbgd;sva@=#)~Q!j5nN9#S^EI=9D0 zb{eRv>s+;=PXpxUgcs3fF0eeFic{WV!W{QYPWX8LwTkCUPLaN|x#(!uubpi0Cb3 z&F9D4+WuYPl+^BTCTG+=)6xwEP!;RIz&}57fgN6`-;AN4WivN4`hrf9FA4{ZMXDSf zdLeVXu}{~{6Y+nl-X?7}!pHml9=G1ZIH!=MD-s>&yKv@wn5~K8lf8Auab7J#j^uZ-!a0XvB^eUK$?m=nYTP^u&YI0wB_Lck{3zBV%l}BlWCgjG;zJfP|1Ke6z(Z zS{;`tS)0>mi)LYZ7f&Fw2JJpt-j?~X{BZ2VjCaunA^lOTKp*4B{{1}~tT)d4v9`|p z3@4R%C1@fW>XK-8lK$U(U^mozZQfGb$M>&})oo{Fgs5l!Ng({gRWEHCeOU?v1!Ma8 zh|)3Mgf$CFO^kKwKavJ5S<&Gu9cRxdm3;PDPryMYe)FSu;{D98Z zh5E4A+^En>J9S&pm~e4Qsp`!32#RHeaz1O0^Ag_iVJQ}| zhr!Regovp4ZMM`avNlK+iv)sU+qL;&RUzW>uNOxJyQ#XP{Xi3;Fh8A_52TY4W6^3L zZh=KeDGn?5;!9~z=_0|;q-MkVK$J; z;N!N-0KEneH6{FWI}cl@RJV2!H$V(7y{dkr#)dtIS%9JyNEDGF(;DKC>#jBpBP4_) ztl0QHAU2+j^(-MMPPVWOS+(g4rk6L-N31!iYrlsE(V|*xcoYojwtFFYHhX&2=;|u- zbog@3mezP^owL$ZNn#3!?|a}#=Y%vOXG#%|*;>Pi$!8<|^CTli z5z(^M_QAbCt}s=YG-q^1>hr@`@ht4@I*j*+CMcPKPaP@3eDS-c#_jBLBm4Wb0$bJ4 zSqUfd3Q{Q;Gc9w&H-S}&Fzo&EiRnhUCd^FMt_q3aJ4f6Xf#1^{K)d@GFoxmu>>dl2^=ealRJ$UP_=lsAjS77+s(t}V zJbDqj$?ha(v{L)M2&P8G3QAnZWsSVZz8p@;1HE~&Yc0iyZqZ60mc`hg;Er!;V0@c%;qmq-kP;4bNzZFZK01@NkT+{=20S5 z_o5oXG!m@OXT$X%<%I}bpkU!=z%GN=K}XLTvpL}Iyn-qOUM;%AY03KVAA?XViJuGH z6*tt+aWftoH=Oo990=u>FHuy58a0^wMzOOq2J69Q_j19=?lFr2g0I0zYMt{K_yV{a zbMeSu$~LIuw5krMJnmCku;0&ZYM^QpI7kc8i+m;?&H)}Z0^rF^?bzAJJR~<;ov&Ay zl;VJ(&pn&E3_h&vnWqfOEMH*b5)0#vmVq`X4@x^Li6JKCs~xPq1Y^XTxt)%J7~^@= zz`BgeHF8@@lzn^#?E<{;?YS$on`tLJ=es?i<~_K+hujf*=WVze2F{9w9lAq_?UjvtPW@1DxeY6K1e20I`1+ zyRoPV`FfjSAg8cgjp0-^GxSR42pqiytwGpqvx4m;pDVIvS4EZNZIX;onS%O71F@5R zAg&+qWdFvM4=E`CL-i~M;O)c@v*4%oQnHw$rv4cOd(iOsB$rs-r`1pIUO-00?ujV1 z+8w6+>p(uWWrnY@h|tqv3$0vk9Rx*xIv)-pau}sk9X#(jcxXIRB7Fb8qZn03Wln%M zTk?y~i}n#vEs7lNG9pNg%7;KWk5olBvW?Znl!%x@2X`yp?^N3G117c?d=RgxiZS53 z7R(4Aw!L8e)I|HOkMkWM;ZOMKz+6iF9L}Q60M4N}(?I-yu}*CsClb?oe^`up0?lJG 
zf}DI?DAlBiPLv&ME>04`-oIrrDO&zfS!Xg!@}TmV>gn#%jQr+-=ViFqsj{*WqK6w{k0*Ok*T5?? z5(Sj1(6&f!ahnP|!*^0ZiB|q5?;&~ZwNpJ%>-AN!$HI*bUX)po62GW<#F5;f6IvVs z(MQ^k&m6~8{ykQLh0)e%f?!)%h>}oK_{p@TM)b&Ifk+qbOO}}$z)6D2B0)JH*EL;e zDt&|u1Y-yMn$vm0X|MxS7Ql_FBqX8&{U7<^^!v>4iCF=h0$8^d8>oy@)l10^-cTIJ>y*DJUkYDohoa~; zaxJQW(;pT{oH?u94$R)?nMZF-ro7?TNpJ$UB8ZQtdEXi5jQ?|)q1%hCcb%m%Pj^@7 z)Gj|#oAA*M!Qh5BC|21*PGipLy;sk0;-PUr@38TmE$a)2uGOPU$$B4YY!!UpyT32e zf$Qh-2}3RW-a8o1ocP*DcdALC+YDbu_Wb$rcQ`AWOZfDWC1^f~X|%XvL5)-5)EF(# zd{>9@-{C0_Fx5jvk$!vPu#Aq;FiaVX_u7ti5@7O;P6!Nw0!!mVnrh3#k)at4IU=9# zx8CsDIg?lo{_EIWpoIHA-+1=yDxKgeL7W=G7%l?Nf1E_>(}5Y2D{6)bT_4+}X#Jt; z);g`|{+i0^F+MQ0HpJ&=nUo_042GcjwToM7y!i(9X{=r*Rz6rpGK4V`spggS*)H!N za`Bk!ZYW5v(QCLObV1VyIV8k2vhvl*b|57oIP%EiO~x`X!jMt(jB+kBEe}x-`v!x` zS`cUh6_HJYU^a*Jhc4D7-}=i4?)TIK!+$*=LtKaw*>x$9CBQprYOWgUX<@R{VvWwK zGxBGEBwFuck%Ub=<6#+7-su_R{rwvYC$bxdk^i_e*fkPVrchlh{s%W;+ss<9vnd{Q zyENfr(7?HzRxWNKFt!l^j@C+yj#R8-;fgyL=7CMwbUx{C#9Hi5lG?oXClSN<73y~I z5H}S4;x|(tyeWVwqf}!V64J!)oFi-c&+Kwduhpmv0LK=&S@7#AV>IC-)M3bLGg#n} zFwLlqU3vNI99K&S?!C4-H;m-V_=|58>=%Ss#zP9R_b%OpY+?PHcL|IKF$j8%vJKBKi$HI~sH9!+7M}d<8F?E8L>t zxY|rsrJSW&Y`n*jEh12b)Z23`Q^gV=E))&XH9R8aI5mUb!qQoLaq!(pN@_+Ktb`|v zQt52&BS#jRVm%L;q$JH@_!xHIZ=1XqY*vUZ58sF)oP9Mqnuel3VZY45e$T1xS*Vem zY$u~f>9{0N^^gMn3MKZ3yh-^QZTRnHc%A*BHZ;OK_zl{*4Ay5x8ONwFoH1SB_aG9a zC@>oG%5a3lwAJB$4Qc&CGB%J{*u)#iMst*6Bfde;ukw60{G<^?kyFiqXKT%S$ z2;6y zaXYdXQTlbd_H5AQbvF6Xqcvb8)u>mx3o{Jv`eFIGf8@s)GQ?sx37GdgaAe6QvU-_Q zhARm)guY$kZb1VsTRFA^6}xJsx<>>ty~WT?q+f;l|4YV!M3U;?*`J&Q2iRg6)wOZ5 zi!M+xuhXIZu=DGb{G;u<7S6nTw`*@nP#IW`cs!9J$5f~hK;0m=4c6Nl&dt-gfS_#J zu7cU9T!g_X!gWP3%ub`*T)#s2P^cgNi7*uM^;8()2d7d1@XTX|A+II`>HEp}*m79K z3z*L}17Vw1O;W?1f#OXuo?ICKin9ia-UN9&q5;*vzAJ5rcS*hPmYqSavd-P@>PVqL zYWy!;&(=GJ#uVauI}qDhn?K`Yczt{4L>&xP)g%yO64rTp!*n8{tb4h|p^&93EW zI^LA+6xN-bCHIJgvJmkq_KB?2%3EsLlMkIQs#5(CeY^&Su-p^dXmRI+iyCk?M%*6) zRB6!aufrf{fH8^f6vJRckC4B6126Wu%&D1?PtX{l9~S7tL6WT``O41dCL4e-YW~!R z?s68y5BhtiW)3>%;^!kHGyzxOYX$NyFT>hAMwaB7{2r|UYyh>7hbAi1bItg1t(QiZ 
z-uVzcUT=F{VBN;k!Tc8v#Smionnrh{=Vtz3d_wCkVoEsX&1+ZzQm*VS58l{yUo1Es zjWHgAuJ-=a)X2E6evf)V>@d)pm1q=E(Ti!{sT& zYXCwbDW`@FS1-n0Nm%ODQwIV);_)82SffLxlyh8(FFiQ!S#FaO4G&tc)18#sPXzg` zRNPP5nn$L%vnQ2<|6Z}N&c^Z?PyAMrw%TEE= z^d0geOD2QO3wdX*kzLcX65Ve#=z>a?hE+gyh(kE7+95!Uuj}LB}RB8&G^7$d{Z#VsJ z{M=rZK!E91H1V&(UtWPsY>B4}lIV>H7{y+5NsPCi4?BmwhouSCH4qEx!8(JUf`ap6 zMt3*V33W?W7>|a_o>jP!&Gxxm&xs5c@r(Mpt^>b#_i;`QRLfOLD-s2x-aTF)rPdLt zQ)wHmhZ2TC`~)vqJ?{|te^uKbhVML-m#Dr%^K=x~YTx@u@KjJyun0U3 zRRF%pfY>aan0pHR0xOx`_8*Hqv1-NNijO=)S@*`uL3I{sapl*CHjIY?a=(*jMg@^! zT^GiIMu!?6%k;k=1gwn&FQ#4f3z%SIo&Tf0%wX)av<%!D&}*4*8VRQO4Ff?O2%O>l zolFA<+lg@$@Jepxb|_nJJ)ZHvVcruBC&?=hSaB=WJIL!AN}W@)v92LD?ZUxY z^3}7WDNQ(!_{;eR*rD$%x@6scDw_VBMi}$}42?E^rSmMaW}0;iF4UMRLmq%g zZka@}m$yK7s%$s{eOUQ-H-Vq1wr?Uo$#i)#63J7-$)GbLq>)@Uj-C~fBX^lb6c43L zhZ1JJC;IRv?HoCE+z!Dkg3Nw%wxg{Qi)5;f((e>i&t7->G+%y#tI-U* z!jzdh{9uNTcH^rpNL2e2_MwGfQpE!*BiiFNeZI^)QI?Tx`D^Aa&K*t%IIN+6P@Xd|7xKDFaC5^UGmCQEWn!q1$0%9-{jguL{PmU2pTG+@+KxPdZat( z)pJ-%sS7jTR)ezeSLD1*JSCoL#mVk4&AueBB)WNNv5%+o%l12RJH@~wp2a<+se%%X?dGrLjjf}U z4jzv<5nB^|p06rZqTid~R76oi1JD@h6?Bu>NX%iY*y=Q7yb}$R9}P(y7Mco&?@0PJ ztDahepCvqbgCf|7u1X-GMJ|vFk;eJ`j;zB;Z2AIh@?v=Pim*%j|T~A-0 zK^=0imlTJX*oXy2W^savCz%d&o-I5nuX%pEyUOZgC9g49eNpLfC%3K=dR>)CR?P!5 zPa>{|QmB1}3fn$x4}&$|JXN{DKJ6r!7C7&XgUoUTu;%-xXH(2T(i=#-IhkJ!Y#vy1 zq!)YGpZNA5!TA0TfKgAIRuZMN^vPuhD^IZV4;dkUyVtb-JEto z72!PnysGxH6KND|xqp58Rqfh6i=MM^PBH(eAC3}4BX6r=msV_dV@(y+4@V%TLG1Hy zrws|>hgb_|$cZwuS0(?%MASAL%vjv44!`xK$_g8$9dz@tT0tMuK%Op!Bsb8JBAl`P zjZWIp3ub2t3j z;UcLhC<0_i1blPf&zKD+&Lpe&gm&v@S_MPys@!T>9SZM7JyO$3EK1JGO%i%w1>`b! 
zv+wLluvV*+$+NZ7kP?JW$Y(45%_Ag>G{HC36LL75`&f92{Tv1^#hve3=|@r3dq&NN zco2bVFWvA$e6|s+seA7^P!kWmY39Uz4gq)%*Wtsd&TGTa6s^U!-Vs(M1117jsAhMH=h(Pb_Xj^xFF6#e(Zk-2w- z{za9oucABVap#03olCOl4auCi2yHD-EN5JN)cANEtF-F_zRyOXUyVzH zm~Nnf{LUgyuOwmY@Zkv+yO+TMYDgZ4RgtPsSgugtLmS4{kT&i1a^4OKZ~xX8szSD}EFZ>)XNB)_ZNS3lygmQFKVgi}1mc z2k)cIcU(?_PCgnu#c##2GVV-!2VG`xtLsE@1e3WZ8fEH{K(Y>-gh{QNFzI}FAJ8WX zwG?ae^f*q&+TO?yE2G&@QR=8(DX=%pH&q^0h+SeJzs;w__vJM3``^fmn)(0zz`cHh zEjcXXTiLA4yV%C1j2)#u`9h-5pUT*14Y5+v$RliJEiWSb%-;m)S-#EwPF9llp_@5I zr%rIgNZ59R@#C)+d~cMt1baFT4mC2<*p}PBwf0bSR7b z_#j9tC5*lq(Osy6Fi!!%HJurqyuvt@!It~scJC(-I$dzH2fa{8M%+n6vGT5EZOXUF z)P4D3R%zX#VQ>>i9n#5^bGeB*jSOL5L6^yUI9=^RRIWc{i~Wo@4gRsY0j7Dxkh2UyWgfdA&(gEBg9$Oktov{=GuW8OBd3mN+(|hV)!Eytu-x7^r zas~jv7I$F@??*_eG7jb`y1%5`wz4AA$)%^-PRAL=V^RTo;wHd!1B~+?LEK7#Y<&RL zU!_W;6<45)08TVVyq;om?;WLhm8M{fNZlu=A0Esn{&-6O0&UfQ?o7@SbMi%`*v7?@ zX8Q#=k5?rkf7x{3IeP?ww@0Sf(ytV5C|QkPODGS=nS$@nJX>1iJ!&iC#1PGSH`-{J zwOwh{*U#C5xe}POY3JQZt#etX2qLJU$A9?#0uZm|L$jy^XUQv)QsLQZ?_!!l?XcpE zEGs$IF`EE(3le7tAdyXMHZzr!Cfb$2F`t+DB9~P(eOaNAO0}Z8nEY~%->8u~tlDz% zn4H-WwX#p-*(}L4oMNB?3#znvSP4;_MdOp67Hdx_im{O^mgK@%^o|T7YwCBjzW*-( znifSKFA0$f7~C2L%fB#=9%B528}NnNsq*(O+1J(-ecl)^0-t5eQNRjcM%O{tUyI5E z^P7eYcN7e?;KA`{_*K+}qA0D^(*<(NQO&hVdA0Z|371HK-ly(_Nx>@|-u=8!theV- zU26&B)vw*&GRt>tpXE`1vDFzUi_ogeC|hh5j_$pr((nC*9cY`VKn5F9P@h7&ACAYJ z0PDG89fJB6P27+1j<8a+lrC)*;CwT2zbBsOmb#XLRmm;YVzrqfk~#4ErQ$u1FCWrK*-bgQ@5Z>5iaqv%zUK_B zoAjGgW!d=!#CI%WqUD1mu!V?H7Fe62rz~g$+_iZrjPb>S&$#_fw?ewMO3!fJFWi+1YDIw`xt3zo}V!9{9?f!@y@9Voxt`9_tOvXw~?NQ#cGynhq diff --git a/stacks/dbaas/modules/dbaas/main.tf b/stacks/dbaas/modules/dbaas/main.tf index 79489348..474cb610 100644 --- a/stacks/dbaas/modules/dbaas/main.tf +++ b/stacks/dbaas/modules/dbaas/main.tf 
@@ -213,13 +213,16 @@ resource "helm_release" "mysql_cluster" { EOT } + # Top-level resources apply to SIDECAR container + # VPA shows sidecar needs only 248Mi target / 334Mi upper bound + # Setting to 350Mi (was 2Gi/4Gi - 17× over-provisioned) resources = { requests = { cpu = "250m" - memory = "2Gi" + memory = "350Mi" } limits = { - memory = "4Gi" + memory = "350Mi" } } @@ -251,15 +254,18 @@ resource "helm_release" "mysql_cluster" { }] } } + # Container-specific resources for MYSQL container + # VPA shows 2.98Gi target / 5.26Gi upper bound + # Current usage ~1.8Gi peak. Reducing limit from 4Gi to 3Gi containers = [{ name = "mysql" resources = { requests = { - memory = "3Gi" + memory = "2Gi" cpu = "250m" } limits = { - memory = "6Gi" + memory = "3Gi" } } }] @@ -287,6 +293,15 @@ resource "helm_release" "mysql_cluster" { } ] } + +# MySQL Router - explicitly set resources (chart does not expose router.resources) +# VPA shows 100Mi upper bound, setting to 128Mi +# Note: This requires manual kubectl patch after helm release: +# kubectl patch deployment mysql-cluster-router -n dbaas --type=json -p='[ +# {"op": "replace", "path": "/spec/template/spec/containers/0/resources", +# "value": {"requests": {"cpu": "25m", "memory": "128Mi"}, "limits": {"memory": "128Mi"}}}]' +# TODO: migrate to mysql-operator fork or wait for upstream router.resources support + })] depends_on = [helm_release.mysql_operator] @@ -637,10 +652,10 @@ resource "kubernetes_deployment" "phpmyadmin" { resources { requests = { cpu = "15m" - memory = "128Mi" + memory = "100Mi" } limits = { - memory = "128Mi" + memory = "100Mi" } } } @@ -1076,10 +1091,10 @@ resource "kubernetes_deployment" "pgadmin" { resources { requests = { cpu = "25m" - memory = "512Mi" + memory = "450Mi" } limits = { - memory = "512Mi" + memory = "450Mi" } } diff --git a/stacks/immich/main.tf b/stacks/immich/main.tf index 5c7558be..5802a713 100644 --- a/stacks/immich/main.tf +++ b/stacks/immich/main.tf 
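Review bot: The sidecar limit `memory = "350Mi"` in the `-213` hunk leaves roughly 16Mi above the 334Mi VPA upper bound quoted in the new comment, so a transient spike OOM-kills the sidecar instead of merely moving a recommendation, and the `-251` hunk has the same shape, capping the mysql container at `3Gi` when its own comment cites a 2.98Gi VPA target and a 5.26Gi upper bound. Both limits appear tuned to observed usage rather than tolerated peak, which is the wrong side of the trade-off for a stateful database whose restart costs far more than a little idle memory. I would keep the requests at the measured figures and give the limits headroom — e.g. `memory = "512Mi"` for the sidecar, and for mysql either something closer to the upper bound or a comment confirming the chart's `innodb_buffer_pool_size` fits comfortably under 3Gi — or state in the comment why an OOM-kill here is acceptable. `helm_release.mysql_cluster` starts and ends outside the hunk.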
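Review bot: The `-287` hunk documents a manual `kubectl patch` of the `mysql-cluster-router` Deployment as the way router resources are set, which is unmanaged drift: anything that re-renders that Deployment (a helm upgrade, or presumably the mysql-operator reconciling its child object) reverts it with no signal in Terraform. If the chart really does not expose `router.resources`, the patch should at least live in code — a `null_resource` with a `local-exec` provisioner keyed on the release revision, or a `kubernetes_manifest` — so a plan shows when it is missing, and the comment should name that resource instead of a shell one-liner. `helm_release.mysql_cluster` continues outside the hunk.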
@@ -517,6 +517,7 @@ resource "kubernetes_deployment" "immich-machine-learning" { } } spec { + priority_class_name = "gpu-workload" node_selector = { "gpu" : "true" } diff --git a/stacks/nfs-csi/modules/nfs-csi/main.tf b/stacks/nfs-csi/modules/nfs-csi/main.tf index 962a1fe4..af2cbfd3 100644 --- a/stacks/nfs-csi/modules/nfs-csi/main.tf +++ b/stacks/nfs-csi/modules/nfs-csi/main.tf @@ -23,6 +23,9 @@ resource "helm_release" "nfs_csi_driver" { values = [yamlencode({ controller = { replicas = 2 + livenessProbe = { + httpPort = 29653 + } resources = { csiProvisioner = { requests = { cpu = "10m", memory = "128Mi" } diff --git a/stacks/platform/modules/nfs-csi/main.tf b/stacks/platform/modules/nfs-csi/main.tf index 962a1fe4..af2cbfd3 100644 --- a/stacks/platform/modules/nfs-csi/main.tf +++ b/stacks/platform/modules/nfs-csi/main.tf @@ -23,6 +23,9 @@ resource "helm_release" "nfs_csi_driver" { values = [yamlencode({ controller = { replicas = 2 + livenessProbe = { + httpPort = 29653 + } resources = { csiProvisioner = { requests = { cpu = "10m", memory = "128Mi" } diff --git a/stacks/platform/modules/technitium/main.tf b/stacks/platform/modules/technitium/main.tf index a8b8910a..69f3c76b 100644 --- a/stacks/platform/modules/technitium/main.tf +++ b/stacks/platform/modules/technitium/main.tf @@ -30,7 +30,7 @@ module "tls_secret" { } # CoreDNS Corefile - manages cluster DNS resolution -# The viktorbarzin.lan block forwards to Technitium via LoadBalancer. +# The viktorbarzin.lan block forwards to Technitium via ClusterIP (stable, LB-independent). # A template regex in the viktorbarzin.lan block short-circuits junk queries # caused by ndots:5 search domain expansion (e.g. www.cloudflare.com.viktorbarzin.lan, # redis.redis.svc.cluster.local.viktorbarzin.lan) by returning NXDOMAIN for any 
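Review bot: `priority_class_name = "gpu-workload"` in the `-517` hunk references a PriorityClass this patch does not create, and if it is absent the priority admission plugin rejects the pod, leaving Immich ML unschedulable rather than merely unprioritized. If the class is defined elsewhere, referencing it as `priority_class_name = kubernetes_priority_class.gpu_workload.metadata[0].name` (or a `depends_on`) makes the ordering explicit; if it is not, it needs adding with a value high enough to preempt node1's other workloads and a comment stating which pods it is expected to evict, since preemption is the stated goal. `kubernetes_deployment.immich-machine-learning` starts and ends outside the hunk.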
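Review bot: The new `livenessProbe = { httpPort = 29653 }` in the `-23` hunk of `stacks/nfs-csi/modules/nfs-csi/main.tf` (and the identical hunk in `stacks/platform/modules/nfs-csi/main.tf`) should be checked against the chart's `values.yaml`, because Helm silently ignores unknown values: in the upstream csi-driver-nfs chart as I recall it the controller probe port is `controller.livenessProbe.healthPort`, and if that is the key here the conflict this commit claims to fix is still present. It is also worth confirming that 29653 is not that chart's default liveness port for the node plugin, since both components run with hostNetwork there and moving the controller onto the node plugin's port only relocates the conflict. Two byte-identical copies of this module will drift; one should `source` the other. `helm_release.nfs_csi_driver` starts and ends outside the hunk.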
@@ -74,7 +74,7 @@ resource "kubernetes_config_map" "coredns" { rcode NXDOMAIN fallthrough } - forward . 10.0.20.200 # Technitium LoadBalancer + forward . 10.96.0.53 # Technitium ClusterIP (technitium-dns-internal) cache { success 10000 300 6 denial 10000 300 60 diff --git a/stacks/redis/modules/redis/main.tf b/stacks/redis/modules/redis/main.tf index 24dbcb1c..19c8b0a3 100644 --- a/stacks/redis/modules/redis/main.tf +++ b/stacks/redis/modules/redis/main.tf @@ -236,6 +236,36 @@ resource "kubernetes_deployment" "haproxy" { depends_on = [helm_release.redis] } +# Dedicated service for HAProxy master-only routing. +# Clients should use redis-master.redis.svc.cluster.local for write-safe connections. +# HAProxy health-checks Redis nodes and only routes to the current master. +resource "kubernetes_service" "redis_master" { + metadata { + name = "redis-master" + namespace = kubernetes_namespace.redis.metadata[0].name + labels = { + app = "redis-haproxy" + } + } + spec { + selector = { + app = "redis-haproxy" + } + port { + name = "redis" + port = 6379 + target_port = 6379 + } + port { + name = "sentinel" + port = 26379 + target_port = 26379 + } + } + + depends_on = [kubernetes_deployment.haproxy] +} + # The Helm chart creates a `redis` Service that selects all nodes (master + replica), # causing READONLY errors when clients hit the replica. We patch it post-Helm to # route through HAProxy instead, which health-checks and routes only to the master. diff --git a/stacks/technitium/modules/technitium/main.tf b/stacks/technitium/modules/technitium/main.tf index 41a9934c..569b2207 100644 --- a/stacks/technitium/modules/technitium/main.tf +++ b/stacks/technitium/modules/technitium/main.tf 
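Review bot: `forward . 10.96.0.53` in the `-74` hunk hard-codes the ClusterIP that `kubernetes_service.technitium_dns_internal` pins in another stack, and the same literal is repeated in the `-74` hunk of `stacks/technitium/modules/technitium/main.tf`; nothing ties the three together, so a change to that `cluster_ip` would presumably leave `.viktorbarzin.lan` resolution failing with no plan diff here. A shared local or an output of the technitium stack consumed by this one would make the coupling visible, and a comment such as `# must match cluster_ip of technitium-dns-internal in stacks/technitium` would help the next reader. Separately, `stacks/platform/modules/technitium` and `stacks/technitium/modules/technitium` both render the `coredns` ConfigMap with identical content; if both are applied they compete for the same object, so confirm one of them is dead code. `kubernetes_config_map.coredns` starts and ends outside the hunk.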
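Review bot: The new `kubernetes_service.redis_master` in the `-236` hunk also exposes `port = 26379` named `sentinel` on the HAProxy pods, which presumably only works if the HAProxy config (outside this hunk) has a frontend on 26379; if it does not the port is dead, and if it does, Sentinel clients doing master discovery learn the master pod's address from Sentinel and connect to it directly, bypassing HAProxy and reopening the failover window the comment at the end of the hunk describes. Unless a sentinel-aware client is the intended consumer I would drop the second `port` block, or add a comment naming the clients that use it. The selector `app = "redis-haproxy"` is assumed to match the HAProxy Deployment's pod labels, which are not in the hunk, and the `depends_on` on that Deployment is unnecessary for a selector-based Service.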
@@ -30,7 +30,7 @@ module "tls_secret" { } # CoreDNS Corefile - manages cluster DNS resolution -# The viktorbarzin.lan block forwards to Technitium via LoadBalancer. +# The viktorbarzin.lan block forwards to Technitium via ClusterIP (stable, LB-independent). # A template regex in the viktorbarzin.lan block short-circuits junk queries # caused by ndots:5 search domain expansion (e.g. www.cloudflare.com.viktorbarzin.lan, # redis.redis.svc.cluster.local.viktorbarzin.lan) by returning NXDOMAIN for any @@ -74,7 +74,7 @@ resource "kubernetes_config_map" "coredns" { rcode NXDOMAIN fallthrough } - forward . 10.0.20.200 # Technitium LoadBalancer + forward . 10.96.0.53 # Technitium ClusterIP (technitium-dns-internal) cache { success 10000 300 6 denial 10000 300 60 @@ -148,22 +148,6 @@ resource "kubernetes_deployment" "technitium" { } spec { affinity { - # Prefer nodes running Traefik for network locality - pod_affinity { - preferred_during_scheduling_ignored_during_execution { - weight = 100 - pod_affinity_term { - label_selector { - match_expressions { - key = "app.kubernetes.io/name" - operator = "In" - values = ["traefik"] - } - } - topology_key = "kubernetes.io/hostname" - } - } - } # Spread DNS pods across nodes for HA pod_anti_affinity { required_during_scheduling_ignored_during_execution { @@ -225,7 +209,7 @@ resource "kubernetes_deployment" "technitium" { volume { name = "nfs-config" persistent_volume_claim { - claim_name = kubernetes_persistent_volume_claim.config_proxmox.metadata[0].name + claim_name = module.nfs_config.claim_name } } volume { 
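Review bot: Switching `claim_name` to `module.nfs_config.claim_name` in the `-225` hunk moves Technitium's config (zones and settings) onto a different PVC, and neither the hunk nor the commit message says whether the data on `kubernetes_persistent_volume_claim.config_proxmox` was migrated or whether that resource is still declared; if it has been removed from the file, the next apply deletes the old claim and, depending on the reclaim policy, the volume behind it. Please record the migration in the commit message or in a comment on the volume, e.g. `# config moved from config_proxmox PVC on 2026-04-06; old claim retained until verified`, and keep the old PVC resource until the new mount is confirmed to hold the data. `kubernetes_deployment.technitium` starts and ends outside the hunk.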
@@ -284,24 +268,58 @@ resource "kubernetes_service" "technitium-dns" { "app" = "technitium" } annotations = { - "metallb.io/loadBalancerIPs" = "10.0.20.200" - "metallb.io/allow-shared-ip" = "shared" + "metallb.io/loadBalancerIPs" = "10.0.20.201" } } spec { type = "LoadBalancer" port { - name = "technitium-dns" + name = "dns-udp" port = 53 protocol = "UDP" } - external_traffic_policy = "Cluster" + port { + name = "dns-tcp" + port = 53 + protocol = "TCP" + } + external_traffic_policy = "Local" selector = { "dns-server" = "true" } } } + +# Fixed ClusterIP for CoreDNS forwarding — bypasses MetalLB entirely. +# IP 10.96.0.53 is pinned so it survives Service recreation. +resource "kubernetes_service" "technitium_dns_internal" { + metadata { + name = "technitium-dns-internal" + namespace = kubernetes_namespace.technitium.metadata[0].name + labels = { + app = "technitium" + } + } + spec { + type = "ClusterIP" + cluster_ip = "10.96.0.53" + selector = { + "dns-server" = "true" + } + port { + name = "dns-udp" + port = 53 + protocol = "UDP" + } + port { + name = "dns-tcp" + port = 53 + protocol = "TCP" + } + } +} + module "ingress" { source = "../../../../modules/kubernetes/ingress_factory" namespace = kubernetes_namespace.technitium.metadata[0].name diff --git a/stacks/trading-bot/main.tf b/stacks/trading-bot/main.tf index fe0246bd..0a7230a7 100644 --- a/stacks/trading-bot/main.tf +++ b/stacks/trading-bot/main.tf @@ -1,3 +1,8 @@ +/* +# TRADING-BOT STACK COMMENTED OUT - 2026-04-06 +# Deployments scaled to 0, infrastructure disabled to prevent re-creation on apply +# To re-enable: uncomment this entire block + variable "tls_secret_name" { type = string sensitive = true @@ -620,3 +625,4 @@ module "ingress" { "gethomepage.dev/pod-selector" = "" } } +*/ diff --git a/stacks/vault/main.tf b/stacks/vault/main.tf index 9dbd39da..5818bc2c 100644 --- a/stacks/vault/main.tf +++ b/stacks/vault/main.tf 
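Review bot: The `-284` hunk changes the advertised DNS address from `10.0.20.200` to `10.0.20.201` and switches to `external_traffic_policy = "Local"`, neither of which the commit message mentions; the message calls `.200` stale, but this hunk is what makes it stale, and any LAN client, DHCP option or upstream resolver still pointing at `.200` loses DNS on apply. Dropping `metallb.io/allow-shared-ip` also ends IP sharing with whatever other Service used the `shared` key, which may be the real reason the address had to move. With `Local`, MetalLB only announces the IP from nodes running a Technitium pod, so the anti-affinity spread kept in the `-148` hunk is now load-bearing for availability, and `cluster_ip = "10.96.0.53"` in the new `technitium_dns_internal` Service must fall inside the cluster's service CIDR and be unallocated or the Service fails to create. I would state the IP change and the client cut-over in the commit message and add `# externally advertised DNS IP; LAN clients/DHCP must be updated when this changes` above the annotation.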
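Review bot: Wrapping all of `stacks/trading-bot/main.tf` in `/* ... */` (the `-1` and `-620` hunks) means the next apply destroys every resource still in state for this stack, not only the scaled-to-zero Deployments; the header comment should say so explicitly and note whether any PVC or database content needs exporting first. HCL block comments end at the first `*/`, so if any string, heredoc or regex between the two hunks contains that sequence the remainder of the file becomes live again and fails to parse — `terraform validate` will catch it, but it deserves a look before merge. A boolean variable driving `count` on the resources would disable the stack reversibly without a 600-line comment.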
@@ -189,7 +189,7 @@ resource "vault_policy" "sops_admin" { policy = <<-EOT path "transit/encrypt/sops-state-*" { capabilities = ["update"] } path "transit/decrypt/sops-state-*" { capabilities = ["update"] } - path "transit/keys/sops-state-*" { capabilities = ["read"] } + path "transit/keys/sops-state-*" { capabilities = ["create", "read", "update"] } EOT } @@ -481,7 +481,8 @@ resource "vault_database_secret_backend_connection" "postgresql" { backend = vault_mount.database.path name = "postgresql" allowed_roles = [ - "pg-trading", "pg-health", "pg-linkwarden", + # "pg-trading", # Commented out 2026-04-06 - trading-bot disabled + "pg-health", "pg-linkwarden", "pg-affine", "pg-woodpecker", "pg-claude-memory" ] @@ -545,6 +546,8 @@ resource "vault_database_secret_backend_static_role" "mysql_grafana" { # --- PostgreSQL Static Roles --- +/* +# Commented out 2026-04-06 - trading-bot disabled resource "vault_database_secret_backend_static_role" "pg_trading" { backend = vault_mount.database.path db_name = vault_database_secret_backend_connection.postgresql.name @@ -552,6 +555,7 @@ resource "vault_database_secret_backend_static_role" "pg_trading" { username = "trading" rotation_period = 604800 } +*/ resource "vault_database_secret_backend_static_role" "pg_health" { backend = vault_mount.database.path
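Review bot: The `-189` hunk widens `sops_admin` from `["read"]` to `["create", "read", "update"]` on `transit/keys/sops-state-*`, a privilege change unrelated to the cluster-health subject of this commit and absent from its description. Because a trailing `*` in a Vault policy path matches everything after it, including further segments, `update` here also covers `transit/keys/sops-state-<name>/config` and `/rotate`, so the holder can rotate every sops state key and flip settings such as `deletion_allowed`, not merely create new keys. If the intent is first-use key creation by sops, say so above the path, e.g. `# create/update: sops auto-creates sops-state-<stack> keys on first encrypt`, and consider an explicit `capabilities = ["deny"]` entry for the sub-paths you do not want covered. `vault_policy.sops_admin` starts and ends outside the hunk.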
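Review bot: Commenting out `vault_database_secret_backend_static_role.pg_trading` (the `-545` and `-552` hunks, with the role dropped from `allowed_roles` in `-481`) stops Vault rotating the `trading` PostgreSQL user but does not remove it, so the last rotated password stays valid indefinitely for an account nothing legitimately uses any more. The `rotation_period = 604800` visible in the `-552` hunk means that password was being replaced weekly until now; once the role is gone that protection stops. The database user should be dropped or locked (`ALTER ROLE trading NOLOGIN`) as part of the decommission, and the hunk's comment should record that step, e.g. `# pg user 'trading' locked on decommission — see <TICKET-ID placeholder>`.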