cluster health fixes: NFS CSI, Immich ML, dbaas, Redis, DNS, trading-bot removal

- NFS CSI: fix liveness-probe port conflict (29652 → 29653)
- Immich ML: add gpu-workload priority class to enable preemption on node1
- dbaas: right-size MySQL memory limits (sidecar 6Gi→350Mi, main 4Gi→3Gi)
- Redis: add redis-master service via HAProxy for master-only routing,
  update config.tfvars redis_host to use it
- CoreDNS: forward .viktorbarzin.lan to Technitium ClusterIP (10.96.0.53)
  instead of stale LoadBalancer IP (10.0.20.200)
- Trading bot: comment out all resources (no longer needed)
- Vault: remove trading-bot PostgreSQL database role

stacks/redis/modules/redis/main.tf

@@ -236,6 +236,36 @@ resource "kubernetes_deployment" "haproxy" {
   depends_on = [helm_release.redis]
 }
 
+# Dedicated service for HAProxy master-only routing.
+# Clients should use redis-master.redis.svc.cluster.local for write-safe connections.
+# HAProxy health-checks Redis nodes and only routes to the current master.
+resource "kubernetes_service" "redis_master" {
+  metadata {
+    name      = "redis-master"
+    namespace = kubernetes_namespace.redis.metadata[0].name
+    labels = {
+      app = "redis-haproxy"
+    }
+  }
+  spec {
+    selector = {
+      app = "redis-haproxy"
+    }
+    port {
+      name        = "redis"
+      port        = 6379
+      target_port = 6379
+    }
+    port {
+      name        = "sentinel"
+      port        = 26379
+      target_port = 26379
+    }
+  }
+
+  depends_on = [kubernetes_deployment.haproxy]
+}
+
 # The Helm chart creates a `redis` Service that selects all nodes (master + replica),
 # causing READONLY errors when clients hit the replica. We patch it post-Helm to
 # route through HAProxy instead, which health-checks and routes only to the master.