diff --git a/docs/architecture/compute.md b/docs/architecture/compute.md
index fe27f730..d4ccf6e1 100644
--- a/docs/architecture/compute.md
+++ b/docs/architecture/compute.md
@@ -2,7 +2,7 @@
## Overview
-The infrastructure runs on a single Dell R730 server with Proxmox VE, hosting a 5-node Kubernetes cluster. Compute resources are managed through a combination of Vertical Pod Autoscaler (VPA) recommendations, tier-based LimitRange defaults, and ResourceQuota enforcement. The cluster employs a no-CPU-limits policy to avoid CFS throttling while using memory requests=limits for stability. GPU workloads run on a dedicated node with Tesla T4 passthrough.
+The infrastructure runs on a single Dell R730 server with Proxmox VE, hosting a 7-node Kubernetes cluster. Compute resources are managed through a combination of Vertical Pod Autoscaler (VPA) recommendations, tier-based LimitRange defaults, and ResourceQuota enforcement. The cluster employs a no-CPU-limits policy to avoid CFS throttling while using memory requests=limits for stability. GPU workloads run on a dedicated node with Tesla T4 passthrough.
## Architecture Diagram
diff --git a/docs/architecture/dns.md b/docs/architecture/dns.md
index eec99830..e90956d2 100644
--- a/docs/architecture/dns.md
+++ b/docs/architecture/dns.md
@@ -28,7 +28,7 @@ graph TB
end
subgraph "Kubernetes Cluster"
- NodeLocalDNS[NodeLocal DNSCache
DaemonSet, 5 nodes
169.254.20.10 + 10.96.0.10]
+ NodeLocalDNS[NodeLocal DNSCache
DaemonSet, 7 nodes
169.254.20.10 + 10.96.0.10]
CoreDNS[CoreDNS
kube-system
.:53 + viktorbarzin.lan:53]
KubeDNSUpstream[kube-dns-upstream
ClusterIP, selects CoreDNS pods]
diff --git a/docs/architecture/mailserver.md b/docs/architecture/mailserver.md
index 0026b932..0edeffb4 100644
--- a/docs/architecture/mailserver.md
+++ b/docs/architecture/mailserver.md
@@ -22,7 +22,7 @@ flowchart TB
MX --> PF[pfSense WAN
vtnet0 192.168.1.2]
PF -->|NAT rdr
WAN:25/465/587/993
→ 10.0.20.1:same| HAP
HAP[pfSense HAProxy
4 TCP frontends on 10.0.20.1
send-proxy-v2 to backends]
- HAP -->|round-robin
tcp-check inter 120s| KN{k8s worker
node1..4}
+ HAP -->|round-robin
tcp-check inter 120s| KN{k8s worker
node1..6}
KN -->|NodePort 30125-30128
ETP: Cluster → kube-proxy SNAT| PODEXT
%% Internal ingress path
diff --git a/docs/architecture/overview.md b/docs/architecture/overview.md
index 8f1a19ce..5ca53660 100644
--- a/docs/architecture/overview.md
+++ b/docs/architecture/overview.md
@@ -134,10 +134,10 @@ This three-tier network design isolates Kubernetes workloads from management inf
### Compute Layer
-The Kubernetes cluster consists of 5 nodes:
+The Kubernetes cluster consists of 7 nodes:
- **k8s-master (200)**: 8c/32GB control plane running kube-apiserver, etcd, controller-manager
-- **k8s-node1 (201)**: 16c/32GB GPU node with Tesla T4 passthrough, tainted for GPU workloads only
-- **k8s-node2-4 (202-204)**: 8c/32GB workers running general-purpose workloads
+- **k8s-node1 (201)**: 16c/48GB GPU node with Tesla T4 passthrough, tainted for GPU workloads only
+- **k8s-node2-6 (202-206)**: 8c/32GB workers running general-purpose workloads
GPU passthrough on node1 uses PCIe device 0000:06:00.0. The NVIDIA GPU Operator's gpu-feature-discovery auto-labels whichever node carries the card with `nvidia.com/gpu.present=true`; `null_resource.gpu_node_config` taints the same set of nodes with `nvidia.com/gpu=true:PreferNoSchedule`. No hostname is hardcoded — moving the card to a different node requires no Terraform edits.
diff --git a/stacks/send/main.tf b/stacks/send/main.tf
index 91c785f9..c6ded3a7 100644
--- a/stacks/send/main.tf
+++ b/stacks/send/main.tf
@@ -27,33 +27,16 @@ module "tls_secret" {
tls_secret_name = var.tls_secret_name
}
-resource "kubernetes_persistent_volume_claim" "data_proxmox" {
- wait_until_bound = false
- metadata {
- name = "send-data-proxmox"
- namespace = kubernetes_namespace.send.metadata[0].name
- annotations = {
- "resize.topolvm.io/threshold" = "10%"
- "resize.topolvm.io/increase" = "100%"
- "resize.topolvm.io/storage_limit" = "5Gi"
- }
- }
- spec {
- access_modes = ["ReadWriteOnce"]
- storage_class_name = "proxmox-lvm"
- resources {
- requests = {
- storage = "1Gi"
- }
- }
- }
- lifecycle {
- # The autoresizer expands requests.storage up to storage_limit and
- # PVCs can't shrink. Without this, every TF apply tries to revert
- # to the spec value, K8s rejects the shrink, and the PVC ends up
- # in Terminating-but-in-use limbo.
- ignore_changes = [spec[0].resources[0].requests]
- }
+# Upload blobs on NFS. Migrated off proxmox-lvm 2026-06-05 for LUN-cap relief —
+# Send stores encrypted file blobs on disk (metadata in Redis), no embedded DB,
+# NFS-safe. See docs/plans/2026-06-05-block-storage-harden-nfs-design.md
+module "nfs_send" {
+ source = "../../modules/kubernetes/nfs_volume"
+ name = "send-data-nfs"
+ namespace = kubernetes_namespace.send.metadata[0].name
+ nfs_server = var.nfs_server
+ nfs_path = "/srv/nfs/send"
+ storage = "5Gi"
}
resource "kubernetes_deployment" "send" {
@@ -142,7 +125,7 @@ resource "kubernetes_deployment" "send" {
volume {
name = "data"
persistent_volume_claim {
- claim_name = kubernetes_persistent_volume_claim.data_proxmox.metadata[0].name
+ claim_name = module.nfs_send.claim_name
}
}
}