certmanager

README.md

@@ -6,6 +6,8 @@
 
 [ ] sabnzbd ini config map
 [ ] tdarr
+[ ] subtitle extractor
+[ ] intro-skipper
 
 [x] private registry
 [x] secrets

media/jellyfin.yaml

@@ -92,8 +92,14 @@ kind: Ingress
 metadata:
   name: jellyfin-ingress
   namespace: media
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
 spec:
   ingressClassName: haproxy
+  tls:
+  - secretName: jellyfin-ingress
+    hosts:
+    - jf.ntwl.xyz
   rules:
     - host: jf.ntwl.xyz
       http:
@@ -106,3 +112,26 @@ spec:
             path: /
             pathType: Prefix
 
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: jellyfin-lan-ingress
+  namespace: media
+  annotations:
+    haproxy.org/ssl-redirect: "false"
+    haproxy.org/ssl-certificate: "default/tls-secret"
+spec:
+  ingressClassName: haproxy
+  rules:
+    - host: jfl.ntwl.xyz
+      http:
+        paths:
+          - backend:
+              service:
+                name: jellyfin
+                port:
+                  name: web
+            path: /
+            pathType: Prefix

media/jellyseerr.yaml

@@ -76,8 +76,15 @@ kind: Ingress
 metadata:
   name: jellyseerr-ingress
   namespace: media
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
 spec:
   ingressClassName: haproxy
+  tls:
+  - secretName: jellyseerr-ingress
+    hosts:
+    - jellyseerr.ntwl.xyz
+    - get.ntwl.xyz
   rules:
     - host: jellyseerr.ntwl.xyz
       http:
@@ -89,3 +96,13 @@ spec:
                   name: web
             path: /
             pathType: Prefix
+    - host: get.ntwl.xyz
+      http:
+        paths:
+          - backend:
+              service:
+                name: jellyseerr
+                port:
+                  name: web
+            path: /
+            pathType: Prefix

networking/cert-manager.yaml

@@ -0,0 +1,59 @@
+# using the same issuer for everything
+# ntr@strix is the big boss
+
+---
+
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  repo: https://charts.jetstack.io
+  chart: cert-manager
+  targetNamespace: networking
+  valuesContent: |-
+    crds:
+      enabled: true
+
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: ntr@strix.systems
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    # Enable the HTTP-01 challenge provider
+    solvers:
+      - http01:
+          ingress:
+            ingressClassName: haproxy
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: ntr@strix.systems
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    # Enable the HTTP-01 challenge provider
+    solvers:
+      - http01:
+          ingress:
+            ingressClassName: haproxy
+

networking/haproxy.yaml

@@ -1,11 +1,4 @@
 ---
-
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: networking
-
----
 apiVersion: helm.cattle.io/v1
 kind: HelmChart
 metadata:
@@ -19,4 +12,8 @@ spec:
     controller:
       kind: DaemonSet
       daemonset:
-        useHostPort: true
+        useHostPort: true
+      config:
+        ssl-redirect-port: "443"
+
+# - --https-bind-port=443

networking/networking.yaml

@@ -0,0 +1,6 @@
+---
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: networking