downgrade to Vultr Regular Performance 1vCPU/1GB and tighten resource limits

Switch from High Frequency 2vCPU/2GB ($18/mo) to Regular Performance
1vCPU/1GB ($5/mo). Tighten HAProxy rate limits from 100/50/30 RPM to
60/30/15 RPM with lower global RPS thresholds (200/300 instead of
300/500). Reduce maxconn, socket buffers, file descriptor limits, and
Docker resource settings to fit within 1GB RAM constraints. Update all
user-facing content and translations across 14 locales.

Author: NetworkCats

deploy/INSTALL.md

@@ -64,7 +64,7 @@ This triggers the full pipeline. Monitor progress under the **Actions** tab in t
 
 ### Infrastructure Details
 
-- **VPS**: Vultr High Frequency (`vhf-2c-2gb`), Debian 13, region `dfw` (Dallas)
+- **VPS**: Vultr Regular Performance (`vc2-1c-1gb`), Debian 13, region `dfw` (Dallas)
 - **Firewall**: SSH open, HTTPS restricted to Cloudflare IP ranges
 - **Deployment**: Blue-green with HAProxy traffic switching
 - **First deploy**: Automatically applies base OS hardening (UFW, fail2ban, sysctl tuning) and installs Docker

deploy/ansible/roles/app/templates/docker-compose.yml.j2

@@ -15,10 +15,10 @@ services:
     restart: unless-stopped
     ulimits:
       nofile:
-        soft: 65536
-        hard: 65536
+        soft: 32768
+        hard: 32768
     sysctls:
-      net.core.somaxconn: "16384"
+      net.core.somaxconn: "4096"
       net.ipv4.tcp_tw_reuse: "1"
     networks:
       - internal
@@ -38,8 +38,8 @@ services:
     restart: unless-stopped
     ulimits:
       nofile:
-        soft: 65536
-        hard: 65536
+        soft: 32768
+        hard: 32768
     networks:
       - internal
 
@@ -58,8 +58,8 @@ services:
     restart: unless-stopped
     ulimits:
       nofile:
-        soft: 65536
-        hard: 65536
+        soft: 32768
+        hard: 32768
     networks:
       - internal
 

deploy/ansible/roles/app/templates/haproxy.cfg.j2

@@ -1,10 +1,10 @@
 global
     log stderr local0 err
-    maxconn 10000
-    # Performance tuning for high-throughput
+    maxconn 4096
+    # Performance tuning (sized for 1 vCPU / 1 GB RAM)
     tune.bufsize 16384
     tune.maxrewrite 1024
-    tune.http.maxhdr 128
+    tune.http.maxhdr 101
     tune.comp.maxlevel 1
     # TLS configuration optimized for Cloudflare Origin CA ECC certificates
     ssl-default-bind-curves prime256v1:X25519:secp384r1
@@ -18,7 +18,7 @@ defaults
     option  httplog
     option  dontlog-normal
     option  http-keep-alive
-    maxconn 10000
+    maxconn 4096
     timeout connect 5s
     timeout client  30s
     timeout server  30s
@@ -63,12 +63,12 @@ frontend http_in
     # Track global request rate (per second)
     http-request track-sc1 str(global) table global_rate_tracking
 
-    # Tier 3: global >= 500 RPS -> limit each IP to 30 RPM
-    http-request deny deny_status 429 if { sc_http_req_rate(1,global_rate_tracking) ge 500 } { sc_http_req_rate(0) gt 30 }
-    # Tier 2: global >= 300 RPS -> limit each IP to 50 RPM
-    http-request deny deny_status 429 if { sc_http_req_rate(1,global_rate_tracking) ge 300 } { sc_http_req_rate(0) gt 50 }
-    # Tier 1: default -> limit each IP to 100 RPM
-    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }
+    # Tier 3: global >= 300 RPS -> limit each IP to 15 RPM
+    http-request deny deny_status 429 if { sc_http_req_rate(1,global_rate_tracking) ge 300 } { sc_http_req_rate(0) gt 15 }
+    # Tier 2: global >= 200 RPS -> limit each IP to 30 RPM
+    http-request deny deny_status 429 if { sc_http_req_rate(1,global_rate_tracking) ge 200 } { sc_http_req_rate(0) gt 30 }
+    # Tier 1: default -> limit each IP to 60 RPM
+    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 60 }
 
     # Block /health from external access
     acl is_health path /health
@@ -115,12 +115,12 @@ frontend https_in
     # Track global request rate (per second)
     http-request track-sc1 str(global) table global_rate_tracking
 
-    # Tier 3: global >= 500 RPS -> limit each IP to 30 RPM
-    http-request deny deny_status 429 if { sc_http_req_rate(1,global_rate_tracking) ge 500 } { sc_http_req_rate(0,http_in) gt 30 }
-    # Tier 2: global >= 300 RPS -> limit each IP to 50 RPM
-    http-request deny deny_status 429 if { sc_http_req_rate(1,global_rate_tracking) ge 300 } { sc_http_req_rate(0,http_in) gt 50 }
-    # Tier 1: default -> limit each IP to 100 RPM
-    http-request deny deny_status 429 if { sc_http_req_rate(0,http_in) gt 100 }
+    # Tier 3: global >= 300 RPS -> limit each IP to 15 RPM
+    http-request deny deny_status 429 if { sc_http_req_rate(1,global_rate_tracking) ge 300 } { sc_http_req_rate(0,http_in) gt 15 }
+    # Tier 2: global >= 200 RPS -> limit each IP to 30 RPM
+    http-request deny deny_status 429 if { sc_http_req_rate(1,global_rate_tracking) ge 200 } { sc_http_req_rate(0,http_in) gt 30 }
+    # Tier 1: default -> limit each IP to 60 RPM
+    http-request deny deny_status 429 if { sc_http_req_rate(0,http_in) gt 60 }
 
     # Block /health from external access
     acl is_health path /health

deploy/ansible/roles/base/templates/limits.conf.j2

@@ -1,5 +1,5 @@
-# System-wide file descriptor limits for web service (10k concurrent connections)
-*    soft    nofile    65536
-*    hard    nofile    65536
-root soft    nofile    65536
-root hard    nofile    65536
+# System-wide file descriptor limits for web service (1 vCPU / 1 GB RAM)
+*    soft    nofile    32768
+*    hard    nofile    32768
+root soft    nofile    32768
+root hard    nofile    32768

deploy/ansible/roles/base/templates/sysctl.conf.j2

@@ -1,19 +1,19 @@
-# Network performance tuning for web service (10k concurrent connections)
+# Network performance tuning for web service (1 vCPU / 1 GB RAM)
 
-# Socket buffer sizes
-net.core.rmem_max = 8388608
-net.core.wmem_max = 8388608
-net.core.rmem_default = 262144
-net.core.wmem_default = 262144
+# Socket buffer sizes (reduced for 1 GB RAM)
+net.core.rmem_max = 4194304
+net.core.wmem_max = 4194304
+net.core.rmem_default = 131072
+net.core.wmem_default = 131072
 
-# TCP buffer auto-tuning
-net.ipv4.tcp_rmem = 4096 87380 8388608
-net.ipv4.tcp_wmem = 4096 65536 8388608
+# TCP buffer auto-tuning (reduced for 1 GB RAM)
+net.ipv4.tcp_rmem = 4096 65536 4194304
+net.ipv4.tcp_wmem = 4096 32768 4194304
 
-# Connection backlog
-net.core.somaxconn = 16384
-net.core.netdev_max_backlog = 16384
-net.ipv4.tcp_max_syn_backlog = 16384
+# Connection backlog (reduced for 1 vCPU)
+net.core.somaxconn = 4096
+net.core.netdev_max_backlog = 4096
+net.ipv4.tcp_max_syn_backlog = 4096
 
 # TCP connection reuse and timeout
 net.ipv4.tcp_tw_reuse = 1
@@ -44,16 +44,16 @@ net.ipv4.tcp_sack = 1
 
 # SYN flood protection
 net.ipv4.tcp_syncookies = 1
-net.ipv4.tcp_max_tw_buckets = 200000
+net.ipv4.tcp_max_tw_buckets = 65536
 
-# File descriptor limits
-fs.file-max = 131072
-fs.nr_open = 131072
+# File descriptor limits (reduced for 1 GB RAM)
+fs.file-max = 65536
+fs.nr_open = 65536
 
-# VM tuning
-vm.swappiness = 10
-vm.dirty_ratio = 15
+# VM tuning (increased swappiness slightly for 1 GB RAM)
+vm.swappiness = 30
+vm.dirty_ratio = 10
 vm.dirty_background_ratio = 5
 
 # Connection tracking (for iptables/fail2ban)
-net.netfilter.nf_conntrack_max = 32768
+net.netfilter.nf_conntrack_max = 16384

deploy/ansible/roles/docker/tasks/main.yml

@@ -58,8 +58,8 @@
     dest: /etc/systemd/system/docker.service.d/override.conf
     content: |
       [Service]
-      LimitNOFILE=65536
-      LimitNPROC=8192
+      LimitNOFILE=32768
+      LimitNPROC=4096
       LimitCORE=infinity
     owner: root
     group: root

deploy/ansible/roles/docker/templates/daemon.json.j2

@@ -1,21 +1,21 @@
 {
   "log-driver": "json-file",
   "log-opts": {
-    "max-size": "10m",
-    "max-file": "3"
+    "max-size": "5m",
+    "max-file": "2"
   },
   "live-restore": true,
   "default-ulimits": {
     "nofile": {
       "Name": "nofile",
-      "Hard": 65536,
-      "Soft": 65536
+      "Hard": 32768,
+      "Soft": 32768
     },
     "nproc": {
       "Name": "nproc",
-      "Hard": 8192,
-      "Soft": 8192
+      "Hard": 4096,
+      "Soft": 4096
     }
   },
-  "default-shm-size": "256M"
+  "default-shm-size": "64M"
 }

deploy/terraform/variables.tf

@@ -16,9 +16,9 @@ variable "region" {
 }
 
 variable "plan" {
-  description = "Vultr plan ID (High Frequency 2 vCPU / 2 GB)"
+  description = "Vultr plan ID (Regular Performance 1 vCPU / 1 GB)"
   type        = string
-  default     = "vhf-2c-2gb"
+  default     = "vc2-1c-1gb"
 }
 
 variable "os_id" {

haproxy/haproxy.cfg

@@ -47,12 +47,12 @@ frontend https_in
     # Track global request rate (per second)
     http-request track-sc1 str(global) table global_rate_tracking
 
-    # Tier 3: global >= 500 RPS -> limit each IP to 30 RPM
-    http-request deny deny_status 429 if { sc_http_req_rate(1,global_rate_tracking) ge 500 } { sc_http_req_rate(0) gt 30 }
-    # Tier 2: global >= 300 RPS -> limit each IP to 50 RPM
-    http-request deny deny_status 429 if { sc_http_req_rate(1,global_rate_tracking) ge 300 } { sc_http_req_rate(0) gt 50 }
-    # Tier 1: default -> limit each IP to 100 RPM
-    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 100 }
+    # Tier 3: global >= 300 RPS -> limit each IP to 15 RPM
+    http-request deny deny_status 429 if { sc_http_req_rate(1,global_rate_tracking) ge 300 } { sc_http_req_rate(0) gt 15 }
+    # Tier 2: global >= 200 RPS -> limit each IP to 30 RPM
+    http-request deny deny_status 429 if { sc_http_req_rate(1,global_rate_tracking) ge 200 } { sc_http_req_rate(0) gt 30 }
+    # Tier 1: default -> limit each IP to 60 RPM
+    http-request deny deny_status 429 if { sc_http_req_rate(0) gt 60 }
 
     # Block /health from external access
     acl is_health path /health

locales/ar.po

@@ -87,8 +87,8 @@ msgstr "أرسل طلبًا إلى نقطة النهاية <code>/json</code>،
 msgid "Can I call your service programmatically?"
 msgstr "هل يمكنني استدعاء خدمتكم برمجيًا؟"
 
-msgid "Sure, but please respect our rate limits. Normally it's 100 RPM, and under heavy load we may drop it to 50 or 30 RPM."
-msgstr "بالتأكيد، لكن يرجى الالتزام بحدود المعدل. عادةً يكون 100 طلبًا في الدقيقة، وتحت الحمل الثقيل قد نخفضه إلى 50 أو 30 طلبًا في الدقيقة."
+msgid "Sure, but please respect our rate limits. Normally it's 60 RPM, and under heavy load we may drop it to 30 or 15 RPM."
+msgstr "بالتأكيد، لكن يرجى الالتزام بحدود المعدل. عادةً يكون 60 طلبًا في الدقيقة، وتحت الحمل الثقيل قد نخفضه إلى 30 أو 15 طلبًا في الدقيقة."
 
 msgid "The API is meant for manual use or small projects. If your site uses our API to look up visitor IPs, please use a message queue so requests don't block. If your project has high traffic or needs low latency, you're better off using our open source offline database: <a href=\"https://github.com/NetworkCats/Merged-IP-Data\">Merged IP Database</a>. That's actually what this project uses under the hood."
 msgstr "واجهة برمجة التطبيقات مخصصة للاستخدام اليدوي أو المشاريع الصغيرة. إذا كان موقعك يستخدم واجهة برمجة التطبيقات الخاصة بنا للبحث عن عناوين IP للزوار، يرجى استخدام قائمة انتظار الرسائل حتى لا تتعطل الطلبات. إذا كان مشروعك يتعامل مع حركة مرور عالية أو يحتاج إلى زمن استجابة منخفض، فمن الأفضل استخدام قاعدة بياناتنا المحلية مفتوحة المصدر: <a href=\"https://github.com/NetworkCats/Merged-IP-Data\">Merged IP Database</a>. هذا في الواقع ما يستخدمه هذا المشروع داخليًا."
@@ -123,11 +123,11 @@ msgstr "تجربة المستخدم أيضًا أفضل من معظم مواقع
 msgid "Is this service reliable?"
 msgstr "هل هذه الخدمة موثوقة؟"
 
-msgid "The whole thing is written in Rust, so performance is great. It can handle L7 DDoS traffic and stay up fine. It runs on a 2 core 2 GB VPS, which is already more than enough. The only thing that could cause real trouble is a large scale L7 DDoS, but we have Cloudflare in front of us."
-msgstr "كل شيء مكتوب بلغة Rust، لذا الأداء ممتاز. يمكنه التعامل مع هجمات DDoS من الطبقة السابعة والاستمرار في العمل. يعمل على خادم VPS ثنائي النواة بذاكرة 2 غيغابايت، وهو أكثر من كافٍ. الشيء الوحيد الذي قد يسبب مشكلة حقيقية هو هجوم DDoS واسع النطاق من الطبقة السابعة، لكن لدينا Cloudflare أمامنا."
+msgid "The whole thing is written in Rust, so performance is great. It can handle L7 DDoS traffic and stay up fine. It runs on a 1 core 1 GB VPS, which is already more than enough. The only thing that could cause real trouble is a large scale L7 DDoS, but we have Cloudflare in front of us."
+msgstr "كل شيء مكتوب بلغة Rust، لذا الأداء ممتاز. يمكنه التعامل مع هجمات DDoS من الطبقة السابعة والاستمرار في العمل. يعمل على خادم VPS أحادي النواة بذاكرة 1 غيغابايت، وهو أكثر من كافٍ. الشيء الوحيد الذي قد يسبب مشكلة حقيقية هو هجوم DDoS واسع النطاق من الطبقة السابعة، لكن لدينا Cloudflare أمامنا."
 
-msgid "It costs me $18.00/month to run, which is pretty cheap. I'm not going to shut it down over hosting costs anytime soon, and there won't be any ads."
-msgstr "تكلفة التشغيل 18.00 دولار شهريًا، وهو رخيص جدًا. لن أوقفها بسبب تكاليف الاستضافة، ولن تكون هناك أي إعلانات."
+msgid "It costs me $5.00/month to run, which is pretty cheap. I'm not going to shut it down over hosting costs anytime soon, and there won't be any ads."
+msgstr "تكلفة التشغيل 5.00 دولار شهريًا، وهو رخيص جدًا. لن أوقفها بسبب تكاليف الاستضافة، ولن تكون هناك أي إعلانات."
 
 msgid "This service is not going to rug pull on you."
 msgstr "هذه الخدمة لن تختفي فجأة."