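---
apiVersion: v1
kind: Namespace
metadata:
  name: nas-proxy
---
# Standalone cert-manager Certificate for nas.rogi.casa (not owned by an Ingress,
# since cert-manager's ingress-shim would otherwise create one owned by the
# Ingress below and tie its lifecycle to it; keeping it standalone is cleaner).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: nas-tls
  namespace: nas-proxy
spec:
  secretName: nas-tls
  dnsNames:
    - nas.rogi.casa
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: letsencrypt-prod
  usages:
    - digital signature
    - key encipherment
---
# Selector-less Service + manual Endpoints pointing at the NAS.
# (Endpoints is no longer excluded in argocd-cm, so ArgoCD manages it.)
apiVersion: v1
kind: Service
metadata:
  name: synology-nas
  namespace: nas-proxy
spec:
  type: ClusterIP
  clusterIP: None
  ports:
    - port: 5001
      targetPort: 5001
      protocol: TCP
---
apiVersion: v1
kind: Endpoints
metadata:
  name: synology-nas
  namespace: nas-proxy
subsets:
  - addresses:
      # Static NAS address: nothing discovers it, so a NAS re-IP has to be
      # mirrored here or the route keeps pointing at the old host.
      - ip: 10.88.30.10
    ports:
      - port: 5001
        protocol: TCP
---
# Traefik IngressRoute (CRD provider) where scheme: https is a first-class
# field. The standard kubernetes Ingress `service.serversscheme` annotation is
# ignored for selector-less/Endpoints-backed services in Traefik v3, which
# caused Traefik to dial the NAS with plain HTTP -> 400 from DSM's nginx.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: nas
  namespace: nas-proxy
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`nas.rogi.casa`)
      kind: Rule
      services:
        - kind: Service
          name: synology-nas
          namespace: nas-proxy
          port: 5001
          scheme: https
          # `skip-verify` is a ServersTransport defined outside this file. If,
          # as the name suggests, it sets insecureSkipVerify, the hop to
          # 10.88.30.10 is encrypted but the NAS is not authenticated: Traefik
          # accepts whatever certificate answers on that address. Trusting DSM's
          # certificate (or its issuing CA) via the ServersTransport's
          # rootCAsSecrets instead would verify the backend without touching
          # this route.
          serversTransport: skip-verify
          passHostHeader: true
  tls:
    secretName: nas-tls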