viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infra/stacks/linkwarden/main.tf
Viktor Barzin ca648ff9bb
[ci skip] right-size all pod resources based on VPA + live metrics audit 
Full cluster resource audit: cross-referenced Goldilocks VPA recommendations,
live kubectl top metrics, and Terraform definitions for 100+ containers.

Critical fixes:
- dashy: CPU throttled at 98% (490m/500m) → 2 CPU limit
- stirling-pdf: CPU throttled at 99.7% (299m/300m) → 2 CPU limit
- traefik auth-proxy/bot-block-proxy: mem limit 32Mi → 128Mi

Added explicit resources to ~40 containers that had none:
- audiobookshelf, changedetection, cyberchef, dawarich, diun, echo,
  excalidraw, freshrss, hackmd, isponsorblocktv, linkwarden, n8n,
  navidrome, ntfy, owntracks, privatebin, send, shadowsocks, tandoor,
  tor-proxy, wealthfolio, networking-toolbox, rybbit, mailserver,
  cloudflared, pgadmin, phpmyadmin, crowdsec-web, xray, wireguard,
  k8s-portal, tuya-bridge, ollama-ui, whisper, piper, immich-server,
  immich-postgresql, osrm-foot

GPU containers: added CPU/mem alongside GPU limits:
- ollama: removed CPU/mem limits (models vary in size), keep GPU only
- frigate: req 500m/2Gi, lim 4/8Gi + GPU
- immich-ml: req 100m/1Gi, lim 2/4Gi + GPU

Right-sized ~25 over-provisioned containers:
- kms-web-page: 500m/512Mi → 50m/64Mi (was using 0m/10Mi)
- onlyoffice: CPU 8 → 2 (VPA upper 45m)
- realestate-crawler-api: CPU 2000m → 250m
- blog/travel-blog/webhook-handler: 500m → 100m
- coturn/health/plotting-book: reduced to match actual usage

Conservative methodology: limits = max(VPA upper * 2, live usage * 2)
2026-03-01 19:18:50 +00:00

135 lines
3.3 KiB
HCL
Raw Blame History

variable "tls_secret_name" { type = string }
variable "linkwarden_postgresql_password" { type = string }
variable "linkwarden_authentik_client_id" { type = string }
variable "linkwarden_authentik_client_secret" { type = string }
variable "postgresql_host" { type = string }
resource "kubernetes_namespace" "linkwarden" {
metadata {
name = "linkwarden"
labels = {
tier = local.tiers.aux
}
}
}
module "tls_secret" {
source = "../../modules/kubernetes/setup_tls_secret"
namespace = kubernetes_namespace.linkwarden.metadata[0].name
tls_secret_name = var.tls_secret_name
}
resource "random_string" "secret" {
length = 32
special = true
override_special = "/@£$"
}
resource "kubernetes_deployment" "linkwarden" {
metadata {
name = "linkwarden"
namespace = kubernetes_namespace.linkwarden.metadata[0].name
labels = {
app = "linkwarden"
tier = local.tiers.aux
}
annotations = {
"reloader.stakater.com/search" = "true"
}
}
spec {
replicas = 1
selector {
match_labels = {
app = "linkwarden"
}
}
template {
metadata {
labels = {
app = "linkwarden"
}
annotations = {
"diun.enable" = "false"
"diun.include_tags" = "latest"
}
}
spec {
container {
image = "ghcr.io/linkwarden/linkwarden:latest"
name = "linkwarden"
port {
container_port = 3000
}
env {
name = "DATABASE_URL"
value = "postgresql://linkwarden:${var.linkwarden_postgresql_password}@${var.postgresql_host}:5432/linkwarden"
}
env {
name = "NEXT_PUBLIC_AUTHENTIK_ENABLED"
value = "true"
}
env {
name = "NEXTAUTH_SECRET"
value = random_string.secret.result
}
env {
name = "NEXTAUTH_URL"
value = "https://linkwarden.viktorbarzin.me/api/v1/auth"
}
env {
name = "AUTHENTIK_ISSUER"
value = "https://authentik.viktorbarzin.me/application/o/linkwarden"
}
env {
name = "AUTHENTIK_CLIENT_ID"
value = var.linkwarden_authentik_client_id
}
env {
name = "AUTHENTIK_CLIENT_SECRET"
value = var.linkwarden_authentik_client_secret
}
resources {
requests = {
cpu = "25m"
memory = "256Mi"
}
limits = {
cpu = "500m"
memory = "1536Mi"
}
}
}
}
}
}
}
resource "kubernetes_service" "linkwarden" {
metadata {
name = "linkwarden"
namespace = kubernetes_namespace.linkwarden.metadata[0].name
labels = {
app = "linkwarden"
}
}
spec {
selector = {
app = "linkwarden"
}
port {
name = "linkwarden"
port = 80
target_port = 3000
}
}
}
module "ingress" {
source = "../../modules/kubernetes/ingress_factory"
namespace = kubernetes_namespace.linkwarden.metadata[0].name
name = "linkwarden"
tls_secret_name = var.tls_secret_name
}
Reference in a new issue View git blame Copy permalink