viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infra/stacks/linkwarden/main.tf
Viktor Barzin 2be858f616 fix: eliminate memory overcommit to prevent node OOM crashes 
Set requests = limits (Guaranteed QoS) across LimitRange defaults and
explicit pod resources. Node2 crashed 2026-03-14 from 250% memory
overcommit (61GB limits on 24GB node).

Changes:
- LimitRange: default = defaultRequest for all 6 tiers
- Grafana: 3 → 2 replicas
- Grampsweb: document why replicas=0
- Prometheus: 1Gi/4Gi → 3Gi/3Gi
- OpenClaw: 512Mi/2Gi → 768Mi/768Mi
- Immich server: 256Mi/2Gi → 512Mi/512Mi
- Immich postgresql: 256Mi/1Gi → 512Mi/512Mi
- Calibre: 256Mi/1536Mi → 256Mi/256Mi
- Linkwarden: 256Mi/1536Mi → 768Mi/768Mi
- N8N: 256Mi/1Gi → 512Mi/512Mi
- MySQL cluster: 1Gi/3-4Gi → 2Gi/2Gi
- pg-cluster (CNPG): 512Mi/4Gi → 512Mi/512Mi
- DBaaS ResourceQuota limits.memory: 64Gi → 12Gi

[ci skip]
2026-03-14 16:01:41 +00:00

158 lines
3.9 KiB
HCL
Raw Blame History

variable "tls_secret_name" {
type = string
sensitive = true
}
variable "linkwarden_postgresql_password" {
type = string
sensitive = true
}
variable "linkwarden_authentik_client_id" { type = string }
variable "linkwarden_authentik_client_secret" {
type = string
sensitive = true
}
variable "postgresql_host" { type = string }
variable "homepage_credentials" {
type = map(any)
sensitive = true
}
resource "kubernetes_namespace" "linkwarden" {
metadata {
name = "linkwarden"
labels = {
tier = local.tiers.aux
}
}
}
module "tls_secret" {
source = "../../modules/kubernetes/setup_tls_secret"
namespace = kubernetes_namespace.linkwarden.metadata[0].name
tls_secret_name = var.tls_secret_name
}
resource "random_string" "secret" {
length = 32
special = true
override_special = "/@£$"
}
resource "kubernetes_deployment" "linkwarden" {
metadata {
name = "linkwarden"
namespace = kubernetes_namespace.linkwarden.metadata[0].name
labels = {
app = "linkwarden"
tier = local.tiers.aux
}
annotations = {
"reloader.stakater.com/search" = "true"
}
}
spec {
replicas = 1
selector {
match_labels = {
app = "linkwarden"
}
}
template {
metadata {
labels = {
app = "linkwarden"
}
annotations = {
"diun.enable" = "false"
"diun.include_tags" = "latest"
}
}
spec {
container {
image = "ghcr.io/linkwarden/linkwarden:latest"
name = "linkwarden"
port {
container_port = 3000
}
env {
name = "DATABASE_URL"
value = "postgresql://linkwarden:${var.linkwarden_postgresql_password}@${var.postgresql_host}:5432/linkwarden"
}
env {
name = "NEXT_PUBLIC_AUTHENTIK_ENABLED"
value = "true"
}
env {
name = "NEXTAUTH_SECRET"
value = random_string.secret.result
}
env {
name = "NEXTAUTH_URL"
value = "https://linkwarden.viktorbarzin.me/api/v1/auth"
}
env {
name = "AUTHENTIK_ISSUER"
value = "https://authentik.viktorbarzin.me/application/o/linkwarden"
}
env {
name = "AUTHENTIK_CLIENT_ID"
value = var.linkwarden_authentik_client_id
}
env {
name = "AUTHENTIK_CLIENT_SECRET"
value = var.linkwarden_authentik_client_secret
}
resources {
requests = {
cpu = "50m"
memory = "768Mi"
}
limits = {
memory = "768Mi"
}
}
}
}
}
}
}
resource "kubernetes_service" "linkwarden" {
metadata {
name = "linkwarden"
namespace = kubernetes_namespace.linkwarden.metadata[0].name
labels = {
app = "linkwarden"
}
}
spec {
selector = {
app = "linkwarden"
}
port {
name = "linkwarden"
port = 80
target_port = 3000
}
}
}
module "ingress" {
source = "../../modules/kubernetes/ingress_factory"
namespace = kubernetes_namespace.linkwarden.metadata[0].name
name = "linkwarden"
tls_secret_name = var.tls_secret_name
extra_annotations = {
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "Linkwarden"
"gethomepage.dev/description" = "Bookmark manager"
"gethomepage.dev/icon" = "linkwarden.png"
"gethomepage.dev/group" = "Productivity"
"gethomepage.dev/pod-selector" = ""
"gethomepage.dev/widget.type" = "linkwarden"
"gethomepage.dev/widget.url" = "http://linkwarden.linkwarden.svc.cluster.local"
"gethomepage.dev/widget.key" = var.homepage_credentials["linkwarden"]["api_key"]
}
}
Reference in a new issue View git blame Copy permalink