feat!: configure traefik, add jellyfin

nix/homelab/kustomize/cert-manager/config.yaml

@@ -0,0 +1,32 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt
+spec:
+  acme:
+    email: luca_lise@icloud.com
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-account-key
+    solvers:
+      - dns01:
+          route53:
+            region: ca-central-1
+            hostedZoneID: Z0948300LINP3SX1WI4O
+            accessKeyID: AKIAYQOC475R6YBXHPE7
+            secretAccessKeySecretRef:
+              name: route53-credentials
+              key: secret-access-key
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wildcard-lucalise.ca
+  namespace: kube-system
+spec:
+  secretName: wildcard-lucalise.ca-tls
+  dnsNames:
+    - "*.lucalise.ca"
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer

nix/homelab/kustomize/kustomization.yaml

@@ -3,3 +3,6 @@ kind: Kustomization
 
 resources:
   - ./metallb/pool.yaml
+  - ./traefik/config.yaml
+  - ./cert-manager/config.yaml
+  - ./routes/media.yaml

nix/homelab/kustomize/metallb/pool.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: metallb-system
 spec:
   addresses:
-    - 192.168.x.x
+    - 192.168.122.132/26
 ---
 apiVersion: metallb.io/v1beta1
 kind: L2Advertisement

nix/homelab/kustomize/routes/media.yaml

@@ -0,0 +1,15 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: jellyfin
+  namespace: media
+spec:
+  parentRefs:
+    - name: traefik-gateway
+      namespace: kube-system
+  hostnames:
+    - "media.lucalise.ca"
+  rules:
+    - backendRefs:
+        - name: jellyfin
+          port: 8096

nix/homelab/kustomize/traefik/config.yaml

@@ -0,0 +1,75 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChartConfig
+metadata:
+  name: traefik
+  namespace: kube-system
+spec:
+  valuesContent: |-
+    ports:
+      web:
+        port: 80
+        nodePort: 30000
+        redirections:
+          entryPoint:
+            to: websecure
+            scheme: https
+            permanent: true 
+      websecure:
+        port: 443
+        nodePort: 30001
+
+      ssh:
+        port: 22
+        expose:
+          default: true
+        exposedPort: 22
+        protocol: TCP
+
+    persistence:
+        enabled: true
+        size: 128Mi
+
+    api:
+      dashboard: true
+      insecure: true
+    
+    ingressRoute:
+      dashboard:
+        enabled: true
+        matchRule: Host(`traefik.lucalise.ca`)
+        entryPoints:
+          - websecure
+
+    ingressClass:
+      enabled: false
+    providers:
+      kubernetesIngress:
+         enabled: false
+      kubernetesGateway:
+         enabled: true
+    gateway:
+      listeners:
+        web:
+          port: 80
+          protocol: HTTP
+          namespacePolicy:
+            from: All
+        websecure:
+          port: 443
+          protocol: HTTPS
+          namespacePolicy:
+            from: All
+          mode: Terminate
+          certificateRefs:    
+            - kind: Secret
+              name: wildcard-lucalise.ca-tls
+              group: ""
+    logs:
+      general:
+        level: INFO
+      # This enables access logs, outputting them to Traefik's standard output by default. The [Access Logs Documentation](https://doc.traefik.io/traefik/observability/access-logs/) covers formatting, filtering, and output options.
+      access:
+        enabled: true
+    metrics:
+      prometheus:
+        enabled: false