From 9f74a88be7b89f10cb00dd06807076cdcb30cbb3 Mon Sep 17 00:00:00 2001 From: Roger Oriol Date: Fri, 26 Jun 2026 18:40:41 +0200 Subject: [PATCH] fix nas ingress --- nas/ingress.yaml | 118 ++++++++++++++++++++++++++++------------------- 1 file changed, 70 insertions(+), 48 deletions(-) diff --git a/nas/ingress.yaml b/nas/ingress.yaml index 86ec110..6ab2e59 100644 --- a/nas/ingress.yaml +++ b/nas/ingress.yaml 
@@ -3,61 +3,83 @@ kind: Namespace metadata: name: nas-proxy --- -apiVersion: v1 -kind: Service +# cert-manager Certificate for nas.rogi.casa. +# Standalone (not owned by an Ingress) so it survives independent of routing. +apiVersion: cert-manager.io/v1 +kind: Certificate metadata: - name: synology-nas + name: nas-tls namespace: nas-proxy spec: - # Selector-less Service backed by the manual Endpoints below. - # (Traefik rejects ExternalName services by default, so we point a - # normal ClusterIP Service at the NAS IP via an Endpoints object.) - type: ClusterIP - clusterIP: None - ports: - - port: 5001 - targetPort: 5001 - protocol: TCP + secretName: nas-tls + dnsNames: + - nas.rogi.casa + issuerRef: + group: cert-manager.io + kind: ClusterIssuer + name: letsencrypt-prod + usages: + - digital signature + - key encipherment --- -apiVersion: v1 -kind: Endpoints -metadata: - name: synology-nas - namespace: nas-proxy -subsets: -- addresses: - - ip: 10.88.30.10 - ports: - - port: 5001 - protocol: TCP ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress +# Traefik IngressRoute that dials the NAS directly via kind: Servers. +# This avoids: +# - Traefik rejecting an ExternalName Service (allowexternalnameservices=false), and +# - ArgoCD excluding an Endpoints object (resource.exclusions strips Endpoints). 
+apiVersion: traefik.io/v1alpha1 +kind: IngressRoute metadata: name: nas namespace: nas-proxy - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - # Tell Traefik the backend is HTTPS (DSM uses HTTPS on 5001) - traefik.ingress.kubernetes.io/router.tls: "true" - # Skip backend TLS verification since DSM uses a self-signed cert - traefik.ingress.kubernetes.io/service.serversscheme: https - traefik.ingress.kubernetes.io/service.serverstransport: skip-verify@file - traefik.ingress.kubernetes.io/max-request-body-bytes: "5368709120" spec: - ingressClassName: traefik + entryPoints: + - websecure + routes: + - match: Host(`nas.rogi.casa`) + kind: Rule + priority: 1 + services: + - kind: Servers + scheme: https + serversTransport: skip-verify + servers: + - url: https://10.88.30.10:5001 + passHostHeader: true + responseForwarding: + flushInterval: 100ms tls: - - hosts: - - nas.rogi.casa secretName: nas-tls - rules: - - host: nas.rogi.casa - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: synology-nas - port: - number: 5001 +--- +# HTTP -> HTTPS redirect for nas.rogi.casa +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: nas-http-redirect + namespace: nas-proxy +spec: + entryPoints: + - web + routes: + - match: Host(`nas.rogi.casa`) + kind: Rule + priority: 1 + middlewares: + - name: redirect-to-https + namespace: nas-proxy + services: + # Syntactically required backend; never reached because the redirect + # middleware short-circuits the request. + - kind: Servers + scheme: https + servers: + - url: https://10.88.30.10:5001 +--- +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: redirect-to-https + namespace: nas-proxy +spec: + redirectScheme: + scheme: https + permanent: true
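Review bot: `serversTransport: skip-verify` on the nas IngressRoute drops the `@file` suffix that the removed `service.serverstransport: skip-verify@file` annotation carried, and in an IngressRoute a bare name is resolved as a ServersTransport CRD in the route's own namespace (effectively nas-proxy-skip-verify@kubernetescrd); the commit adds no such object, so unless one already exists in nas-proxy Traefik will most likely report the transport as missing and refuse to bring the router up — keeping `serversTransport: skip-verify@file` preserves the old behaviour. Whichever spelling is used, it disables certificate verification on the hop that carries DSM logins to 10.88.30.10:5001; a ServersTransport whose `rootCAsSecrets` holds the NAS's self-signed certificate would keep that hop verified rather than skipping the check, and is worth preferring now that the transport is being redefined anyway. Separately, I have only seen the IngressRoute CRD accept `Service` and `TraefikService` for a service `kind`, not `Servers` with an inline `servers:` list as used in both IngressRoutes here, so please confirm the cluster's Traefik version accepts this form before merging, since CRD validation would otherwise reject the whole object. The removed `max-request-body-bytes` annotation has no counterpart in the new routes either; if large uploads to DSM relied on it, that needs a buffering middleware or confirmation that it was unused.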