apiVersion: v1
kind: Namespace
metadata:
  name: nas-proxy
---
apiVersion: v1
kind: Service
metadata:
  name: synology-nas
  namespace: nas-proxy
spec:
  # Selector-less Service backed by the manual Endpoints below.
  # (Traefik rejects ExternalName services by default, so we point a
  # normal ClusterIP Service at the NAS IP via an Endpoints object.)
  type: ClusterIP
  clusterIP: None
  ports:
  - port: 5001
    targetPort: 5001
    protocol: TCP
---
apiVersion: v1
kind: Endpoints
metadata:
  name: synology-nas
  namespace: nas-proxy
subsets:
- addresses:
  - ip: 10.88.30.10
  ports:
  - port: 5001
    protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nas
  namespace: nas-proxy
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # Tell Traefik the backend is HTTPS (DSM uses HTTPS on 5001)
    traefik.ingress.kubernetes.io/router.tls: "true"
    # Skip backend TLS verification since DSM uses a self-signed cert
    traefik.ingress.kubernetes.io/service.serversscheme: https
    traefik.ingress.kubernetes.io/service.serverstransport: skip-verify@file
    traefik.ingress.kubernetes.io/max-request-body-bytes: "5368709120"
spec:
  ingressClassName: traefik
  tls:
  - hosts:
    - nas.rogi.casa
    secretName: nas-tls
  rules:
  - host: nas.rogi.casa
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: synology-nas
            port:
              number: 5001