---
# Namespace holding every object that fronts the NAS through Traefik.
apiVersion: v1
kind: Namespace
metadata:
  name: nas-proxy
---
# cert-manager Certificate for nas.rogi.casa.
# Declared standalone (not owned by an Ingress) so the certificate and its
# Secret survive independently of routing changes.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: nas-tls
  namespace: nas-proxy
spec:
  # Same Secret name the websecure IngressRoute below reads in tls.secretName.
  secretName: nas-tls
  dnsNames:
    - nas.rogi.casa
  issuerRef:
    group: cert-manager.io
    kind: ClusterIssuer
    name: letsencrypt-prod
  usages:
    - digital signature
    - key encipherment
---
# Traefik IngressRoute that dials the NAS directly via kind: Servers.
# Chosen to avoid two problems:
#   - Traefik rejecting an ExternalName Service
#     (allowexternalnameservices=false), and
#   - ArgoCD excluding an Endpoints object
#     (resource.exclusions strips Endpoints).
# NOTE(review): confirm the IngressRoute CRD installed in this cluster
# accepts `kind: Servers` with an inline `servers` list; the schema is not
# visible from this file.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: nas
  namespace: nas-proxy
spec:
  entryPoints:
    - websecure
  routes:
    # No middlewares are attached to this route, so nothing at the proxy
    # restricts who may reach the NAS; access control rests on the NAS's own
    # login. NOTE(review): if websecure is reachable from untrusted networks,
    # consider an allowlist or forward-auth middleware here.
    - match: 'Host(`nas.rogi.casa`)'
      kind: Rule
      # NOTE(review): Traefik prefers the router with the higher priority
      # value, so 1 lets any other router matching this host take precedence.
      # Confirm that is intended.
      priority: 1
      services:
        - kind: Servers
          scheme: https
          # NOTE(review): `skip-verify` is not defined in this file. If, as
          # the name suggests, it sets insecureSkipVerify, Traefik does not
          # authenticate the NAS certificate: the hop is encrypted, but
          # whatever answers on the backend address is trusted as the NAS.
          # Prefer a ServersTransport that trusts the NAS CA
          # (rootCAsSecrets) and sets serverName. A bare name is presumably
          # resolved in this namespace - verify the object exists there.
          serversTransport: skip-verify
          servers:
            - url: 'https://10.88.30.10:5001'
          # Forward the client's Host header to the NAS unchanged.
          passHostHeader: true
          responseForwarding:
            flushInterval: 100ms
  tls:
    secretName: nas-tls
---
# HTTP -> HTTPS redirect for nas.rogi.casa.
# A redirect does not protect the first plaintext request; an HSTS response
# header on the HTTPS route is what keeps returning browsers off port 80.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: nas-http-redirect
  namespace: nas-proxy
spec:
  entryPoints:
    - web
  routes:
    - match: 'Host(`nas.rogi.casa`)'
      kind: Rule
      priority: 1
      middlewares:
        - name: redirect-to-https
          namespace: nas-proxy
      services:
        # Syntactically required backend; never reached because the redirect
        # middleware short-circuits the request.
        - kind: Servers
          scheme: https
          servers:
            - url: 'https://10.88.30.10:5001'
---
# Middleware used by nas-http-redirect: sends clients to the https scheme
# with a permanent redirect, which browsers may cache.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: redirect-to-https
  namespace: nas-proxy
spec:
  redirectScheme:
    scheme: https
    permanent: true