cluster health fixes: NFS CSI, Immich ML, dbaas, Redis, DNS, trading-bot removal

- NFS CSI: fix liveness-probe port conflict (29652 → 29653)
- Immich ML: add gpu-workload priority class to enable preemption on node1
- dbaas: right-size MySQL memory limits (sidecar 6Gi→350Mi, main 4Gi→3Gi)
- Redis: add redis-master service via HAProxy for master-only routing,
  update config.tfvars redis_host to use it
- CoreDNS: forward .viktorbarzin.lan to Technitium ClusterIP (10.96.0.53)
  instead of stale LoadBalancer IP (10.0.20.200)
- Trading bot: comment out all resources (no longer needed)
- Vault: remove trading-bot PostgreSQL database role
Viktor Barzin 2026-04-06 11:54:45 +03:00
parent 0115320d72
commit f80e1fa868
10 changed files with 115 additions and 35 deletions

@ -23,6 +23,9 @@ resource "helm_release" "nfs_csi_driver" {
values = [yamlencode({
controller = {
replicas = 2
livenessProbe = {
httpPort = 29653
}
resources = {
csiProvisioner = {
requests = { cpu = "10m", memory = "128Mi" }
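Review bot: `httpPort = 29653` under `controller.livenessProbe` should be verified against the key name the chart actually reads for the probe port. Helm silently ignores values keys a chart does not consume, so a mismatched name would leave the controller on 29652 and the conflict in place. After apply, confirm the rendered controller pod spec shows 29653 and that nothing else in this release already binds it. A one-line comment here naming what holds 29652 would also keep the reason in the file, since it is currently recorded only in the commit message.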

@ -30,7 +30,7 @@ module "tls_secret" {
}
# CoreDNS Corefile - manages cluster DNS resolution
# The viktorbarzin.lan block forwards to Technitium via LoadBalancer.
# The viktorbarzin.lan block forwards to Technitium via ClusterIP (stable, LB-independent).
# A template regex in the viktorbarzin.lan block short-circuits junk queries
# caused by ndots:5 search domain expansion (e.g. www.cloudflare.com.viktorbarzin.lan,
# redis.redis.svc.cluster.local.viktorbarzin.lan) by returning NXDOMAIN for any
@ -74,7 +74,7 @@ resource "kubernetes_config_map" "coredns" {
rcode NXDOMAIN
fallthrough
}
forward . 10.0.20.200 # Technitium LoadBalancer
forward . 10.96.0.53 # Technitium ClusterIP (technitium-dns-internal)
cache {
success 10000 300 6
denial 10000 300 60
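Review bot: the new `forward . 10.96.0.53` line is still a literal address in the Corefile, so it can go stale the same way 10.0.20.200 did if the technitium-dns-internal Service is ever recreated without a pinned ClusterIP. Consider interpolating the address from the Service resource or a data source in this module instead of typing it, or at minimum make sure the Service spec fixes `clusterIP` to this value, so the ConfigMap and the Service cannot drift apart. The trailing comment naming the Service is useful, but it is the only thing tying the two together and nothing enforces it.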