From 2eab82b430b21dc7ae21aaf579db631fe48269e8 Mon Sep 17 00:00:00 2001
From: Roger Oriol
Date: Fri, 26 Jun 2026 19:01:08 +0200
Subject: [PATCH] fix nas ingress
---
 nas/ingress.yaml | 48 +++++++++++++++++++++---------------------------
 1 file changed, 21 insertions(+), 27 deletions(-)
diff --git a/nas/ingress.yaml b/nas/ingress.yaml
index 4373656..219f943 100644
--- a/nas/ingress.yaml
+++ b/nas/ingress.yaml
@@ -24,8 +24,7 @@ spec:
 - key encipherment
 ---
 # Selector-less Service + manual Endpoints pointing at the NAS.
-# Requires the argocd-cm `resource.exclusions` to NOT exclude Endpoints
-# (the default K3s/ArgoCD exclusion strips all Endpoints objects).
+# (Endpoints is no longer excluded in argocd-cm, so ArgoCD manages it.)
 apiVersion: v1
 kind: Service
 metadata:
@@ -51,33 +50,28 @@ subsets:
 - port: 5001
 protocol: TCP
 ---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
+# Traefik IngressRoute (CRD provider) where scheme: https is a first-class
+# field. The standard kubernetes Ingress `service.serversscheme` annotation is
+# ignored for selector-less/Endpoints-backed services in Traefik v3, which
+# caused Traefik to dial the NAS with plain HTTP -> 400 from DSM's nginx.
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
 metadata:
 name: nas
 namespace: nas-proxy
- annotations:
- cert-manager.io/cluster-issuer: letsencrypt-prod
- # Tell Traefik the backend is HTTPS (DSM uses HTTPS on 5001)
- traefik.ingress.kubernetes.io/router.tls: "true"
- # Skip backend TLS verification since DSM uses a self-signed cert
- traefik.ingress.kubernetes.io/service.serversscheme: https
- traefik.ingress.kubernetes.io/service.serverstransport: skip-verify@file
- traefik.ingress.kubernetes.io/max-request-body-bytes: "5368709120"
 spec:
- ingressClassName: traefik
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`nas.rogi.casa`)
+ kind: Rule
+ services:
+ - kind: Service
+ name: synology-nas
+ namespace: nas-proxy
+ port: 5001
+ scheme: https
+ serversTransport: skip-verify
+ passHostHeader: true
 tls:
- - hosts:
- - nas.rogi.casa
- secretName: nas-tls
- rules:
- - host: nas.rogi.casa
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: synology-nas
- port:
- number: 5001
+ secretName: nas-tls
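Review bot: `serversTransport: skip-verify` in the new service entry drops the `@file` suffix that the removed annotation carried (`skip-verify@file`). In an IngressRoute a bare name is looked up as a ServersTransport resource in the service's namespace (`nas-proxy`), and this patch changes only nas/ingress.yaml, so unless that resource already exists elsewhere the reference will not resolve; if the transport is still defined in the file provider, write `serversTransport: skip-verify@file`. The transport name also suggests certificate verification stays disabled on the hop to DSM, so a transport that trusts the DSM certificate (its CA plus a matching `serverName`) would keep that hop authenticated rather than only encrypted. Finally, the removed `cert-manager.io/cluster-issuer` annotation has no replacement here because cert-manager does not act on IngressRoute objects; the first hunk's context (`- key encipherment` under `spec:`) looks like a Certificate earlier in the file, so confirm it writes to `nas-tls`.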