author Paul Buetow <paul@buetow.org> 2026-02-05 11:14:05 +0200
committer Paul Buetow <paul@buetow.org> 2026-02-05 11:14:05 +0200
commit d1c50fcfc81d46bbf084227e4be2bf07efd0d100
tree e7f786258d61a5cee84918dcd273c329e2c2a36f /f3s/navidrome/helm-chart
parent 29927d23c5d0b2c1a71763bf4899322073d00313
Add LAN access via CARP and relayd

- Add cert-manager for self-signed TLS certificates
- Create wildcard cert for *.f3s.lan.buetow.org
- Add LAN ingress to Navidrome (navidrome.f3s.lan.buetow.org)
- Document FreeBSD relayd configuration for LAN access
- Add comprehensive setup guide

LAN access uses existing CARP VIP (192.168.1.138) on f0/f1 with relayd forwarding HTTP/HTTPS to k3s Traefik NodePorts. External access via OpenBSD relayd continues unchanged.
Diffstat (limited to 'f3s/navidrome/helm-chart')
-rw-r--r-- f3s/navidrome/helm-chart/README.md | 40
-rw-r--r-- f3s/navidrome/helm-chart/templates/ingress.yaml | 22
2 files changed, 61 insertions, 1 deletions
diff --git a/f3s/navidrome/helm-chart/README.md b/f3s/navidrome/helm-chart/README.md
index bee6058..1c0a319 100644
--- a/f3s/navidrome/helm-chart/README.md
+++ b/f3s/navidrome/helm-chart/README.md
@@ -7,9 +7,47 @@ This directory contains the Kubernetes configuration for deploying Navidrome, a
- **Application**: Navidrome
- **Image**: `deluan/navidrome:latest`
- **Namespace**: `services`
-- **Ingress**: `navidrome.f3s.buetow.org`
+- **External Ingress**: `navidrome.f3s.buetow.org` (via OpenBSD relayd)
+- **LAN Ingress**: `navidrome.f3s.lan.buetow.org` (via FreeBSD CARP + relayd)
- **Port**: 4533
+## Access Methods
+
+### External Access (Internet)
+
+Access from anywhere via `https://navidrome.f3s.buetow.org`:
+- Routes through OpenBSD relayd (WireGuard tunnel)
+- TLS certificates managed by Let's Encrypt
+- Available from internet-connected devices
+
+### LAN Access (Local Network)
+
+Access from local network via `https://navidrome.f3s.lan.buetow.org`:
+- Routes through FreeBSD CARP VIP (192.168.1.138) with relayd
+- TLS certificates managed by cert-manager (self-signed)
+- Direct access without WireGuard overhead
+- Requires DNS configuration and CA certificate trust (see below)
+
+#### DNS Configuration for LAN
+
+Add to your DNS server or `/etc/hosts`:
+
+```
+192.168.1.138 navidrome.f3s.lan.buetow.org
+```
+
+#### Trusting Self-Signed CA
+
+To avoid browser warnings, install the f3s LAN CA certificate:
+
+1. Export CA from k3s:
+ ```bash
+ cd /home/paul/git/conf/f3s/cert-manager
+ just export-ca
+ ```
+
+2. Install on your device (see `cert-manager/README.md` for platform-specific instructions)
+
## Storage
Navidrome requires two persistent volumes:
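Review bot: The "Trusting Self-Signed CA" section asks readers to install the f3s LAN CA on their devices but does not say what that CA is able to sign. A root added to a device trust store is trusted for any hostname unless it carries name constraints, so the README should state where the CA private key is kept and, if issuance is meant to be limited to `*.f3s.lan.buetow.org`, say so. Separately, step 1 hard-codes `cd /home/paul/git/conf/f3s/cert-manager`; a path given relative to the repository root (such as `f3s/cert-manager`) would also work for other checkouts.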
diff --git a/f3s/navidrome/helm-chart/templates/ingress.yaml b/f3s/navidrome/helm-chart/templates/ingress.yaml
index e8d94c6..f8d674c 100644
--- a/f3s/navidrome/helm-chart/templates/ingress.yaml
+++ b/f3s/navidrome/helm-chart/templates/ingress.yaml
@@ -18,3 +18,25 @@ spec:
name: navidrome-service
port:
number: 4533
+---
+# LAN Ingress for navidrome.f3s.lan.buetow.org
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: navidrome-ingress-lan
+ namespace: services
+ annotations:
+ spec.ingressClassName: traefik
+ traefik.ingress.kubernetes.io/router.entrypoints: web
+spec:
+ rules:
+ - host: navidrome.f3s.lan.buetow.org
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: navidrome-service
+ port:
+ number: 4533
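Review bot: The new `navidrome-ingress-lan` Ingress has no `tls:` block and sets `traefik.ingress.kubernetes.io/router.entrypoints: web`, so as written this host is routed on the plain-HTTP entrypoint only, while the README and commit message describe `https://navidrome.f3s.lan.buetow.org` with a cert-manager wildcard certificate. If Traefik is meant to terminate TLS, add the HTTPS entrypoint (`websecure` in the default k3s Traefik setup) and a `spec.tls` entry naming the host and the wildcard certificate's secret; if TLS is terminated at relayd on the CARP VIP instead, add a comment saying so and stating which hop carries plaintext. Also, `spec.ingressClassName: traefik` is listed under `metadata.annotations`, where it is only an arbitrary annotation key; in `networking.k8s.io/v1` the class is selected with the `ingressClassName` field under `spec`.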