From 64886cdbaf205c4207fb8d5831d3ad8b17e9861e Mon Sep 17 00:00:00 2001 From: Nathan Rashleigh Date: Mon, 7 Apr 2025 23:36:44 +1000 Subject: [PATCH] certmanager --- README.md | 2 ++ media/jellyfin.yaml | 29 ++++++++++++++++++ media/jellyseerr.yaml | 17 +++++++++++ networking/cert-manager.yaml | 59 ++++++++++++++++++++++++++++++++++++ networking/haproxy.yaml | 13 +++----- networking/networking.yaml | 6 ++++ 6 files changed, 118 insertions(+), 8 deletions(-) create mode 100644 networking/cert-manager.yaml create mode 100644 networking/networking.yaml diff --git a/README.md b/README.md index 5cbb973..ae5986a 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,8 @@ [ ] sabnzbd ini config map [ ] tdarr +[ ] subtitle extractor +[ ] intro-skipper [x] private registry [x] secrets diff --git a/media/jellyfin.yaml b/media/jellyfin.yaml index 667bde6..18f4535 100644 --- a/media/jellyfin.yaml +++ b/media/jellyfin.yaml @@ -92,8 +92,14 @@ kind: Ingress metadata: name: jellyfin-ingress namespace: media + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod spec: ingressClassName: haproxy + tls: + - secretName: jellyfin-ingress + hosts: + - jf.ntwl.xyz rules: - host: jf.ntwl.xyz http: @@ -106,3 +112,26 @@ spec: path: / pathType: Prefix +--- + +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: jellyfin-lan-ingress + namespace: media + annotations: + haproxy.org/ssl-redirect: "false" + haproxy.org/ssl-certificate: "default/tls-secret" +spec: + ingressClassName: haproxy + rules: + - host: jfl.ntwl.xyz + http: + paths: + - backend: + service: + name: jellyfin + port: + name: web + path: / + pathType: Prefix \ No newline at end of file diff --git a/media/jellyseerr.yaml b/media/jellyseerr.yaml index 7fe7ff7..3edfba2 100644 --- a/media/jellyseerr.yaml +++ b/media/jellyseerr.yaml 
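Review bot: The new `jellyfin-lan-ingress` object at the end of the second jellyfin hunk serves Jellyfin over plain HTTP with `haproxy.org/ssl-redirect: "false"`, and nothing in the object itself limits it to LAN clients, so whether it stays LAN-only depends entirely on where `jfl.ntwl.xyz` resolves and on what can reach this controller; a comment stating that assumption, e.g. `# LAN-only by DNS: jfl.ntwl.xyz must not resolve publicly`, would make the intent checkable. The same object points `haproxy.org/ssl-certificate` at `default/tls-secret`, a cross-namespace secret unrelated to the cert-manager-issued `jellyfin-ingress` secret that the first hunk creates in `media`; if the LAN host is meant to share the Let's Encrypt certificate the annotation should reference that secret, otherwise say what `default/tls-secret` is and who renews it. The file is also left without a trailing newline (`\ No newline at end of file`).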
@@ -76,8 +76,15 @@ kind: Ingress metadata: name: jellyseerr-ingress namespace: media + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod spec: ingressClassName: haproxy + tls: + - secretName: jellyseerr-ingress + hosts: + - jellyseerr.ntwl.xyz + - get.ntwl.xyz rules: - host: jellyseerr.ntwl.xyz http: @@ -89,3 +96,13 @@ spec: name: web path: / pathType: Prefix + - host: get.ntwl.xyz + http: + paths: + - backend: + service: + name: jellyseerr + port: + name: web + path: / + pathType: Prefix diff --git a/networking/cert-manager.yaml b/networking/cert-manager.yaml new file mode 100644 index 0000000..6975f9c --- /dev/null +++ b/networking/cert-manager.yaml @@ -0,0 +1,59 @@ +# using the same issuer for everything +# ntr@strix is the big boss + +--- + +apiVersion: helm.cattle.io/v1 +kind: HelmChart +metadata: + name: cert-manager + namespace: cert-manager +spec: + repo: https://charts.jetstack.io + chart: cert-manager + targetNamespace: networking + valuesContent: |- + crds: + enabled: true + +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-staging +spec: + acme: + # The ACME server URL + server: https://acme-staging-v02.api.letsencrypt.org/directory + # Email address used for ACME registration + email: ntr@strix.systems + # Name of a secret used to store the ACME account private key + privateKeySecretRef: + name: letsencrypt-staging + # Enable the HTTP-01 challenge provider + solvers: + - http01: + ingress: + ingressClassName: haproxy + +--- + +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-prod +spec: + acme: + # The ACME server URL + server: https://acme-v02.api.letsencrypt.org/directory + # Email address used for ACME registration + email: ntr@strix.systems + # Name of a secret used to store the ACME account private key + privateKeySecretRef: + name: letsencrypt-prod + # Enable the HTTP-01 challenge provider + solvers: + - http01: + ingress: + ingressClassName: haproxy + 
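Review bot: The HelmChart in the new `networking/cert-manager.yaml` is placed in `metadata.namespace: cert-manager`, but no manifest in this commit creates that namespace (`networking/networking.yaml` only creates `networking`), while the chart itself installs into `targetNamespace: networking`; unless `cert-manager` already exists, the HelmChart object cannot be created, and keeping the resource and its target in one namespace would be simpler, e.g. `namespace: networking`. The two ClusterIssuers in the same file depend on the CRDs this chart installs (`crds.enabled: true`), so on a fresh apply they are presumably rejected until the chart has finished and only succeed if the applier retries; that is worth a comment above the first `---`. The two header comments (`# using the same issuer for everything`, `# ntr@strix is the big boss`) could instead record what matters operationally: that `letsencrypt-prod` is the issuer every Ingress annotation references, that `letsencrypt-staging` exists for testing without hitting production rate limits, and that the ACME account private keys live in the `letsencrypt-staging`/`letsencrypt-prod` secrets named by `privateKeySecretRef`.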
diff --git a/networking/haproxy.yaml b/networking/haproxy.yaml index 35b814d..bbc7d40 100644 --- a/networking/haproxy.yaml +++ b/networking/haproxy.yaml @@ -1,11 +1,4 @@ --- - -apiVersion: v1 -kind: Namespace -metadata: - name: networking - ---- apiVersion: helm.cattle.io/v1 kind: HelmChart metadata: @@ -19,4 +12,8 @@ spec: controller: kind: DaemonSet daemonset: - useHostPort: true \ No newline at end of file + useHostPort: true + config: + ssl-redirect-port: "443" + +# - --https-bind-port=443 diff --git a/networking/networking.yaml b/networking/networking.yaml new file mode 100644 index 0000000..3d80313 --- /dev/null +++ b/networking/networking.yaml @@ -0,0 +1,6 @@ +--- + +apiVersion: v1 +kind: Namespace +metadata: + name: networking
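Review bot: The trailing `# - --https-bind-port=443` line added at the end of `networking/haproxy.yaml` is a commented-out fragment with no key it belongs to, so a later reader cannot tell whether it is a pending change or a rejected one; either drop it or tie it to the setting it relates to, e.g. `# https-bind-port is left at the chart default (443); set it under controller.extraArgs if it must be explicit`. `ssl-redirect-port: "443"` under `config` only sets the port that redirects point at; whether redirects are actually enabled for the TLS ingresses in this commit depends on the controller's default for ingresses with a `tls` section, which the hunk leaves implicit, so consider making it explicit with `ssl-redirect: "true"` next to it or with a comment stating the default being relied on. The HelmChart's `spec:` block begins outside this hunk.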
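Review bot: Moving the `networking` Namespace out of `haproxy.yaml` into the new `networking/networking.yaml` means it is no longer applied in the same file as the HelmChart that targets it, and `networking.yaml` sorts after both `cert-manager.yaml` and `haproxy.yaml` alphabetically; if the manifest applier processes files in name order and does not create target namespaces itself, the first apply of those charts fails until this file lands. A comment at the top, e.g. `# Namespace shared by haproxy and cert-manager; must exist before their HelmCharts are applied`, would record the dependency, and a file name that sorts first (or keeping the Namespace alongside the chart that needs it) would remove the ordering risk.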