| author | Paul Buetow <paul@buetow.org> | 2026-02-05 11:14:05 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2026-02-05 11:14:05 +0200 |
| commit | d1c50fcfc81d46bbf084227e4be2bf07efd0d100 (patch) | |
| tree | e7f786258d61a5cee84918dcd273c329e2c2a36f /f3s/navidrome | |
| parent | 29927d23c5d0b2c1a71763bf4899322073d00313 (diff) | |

Add LAN access via CARP and relayd

- Add cert-manager for self-signed TLS certificates
- Create wildcard cert for *.f3s.lan.buetow.org
- Add LAN ingress to Navidrome (navidrome.f3s.lan.buetow.org)
- Document FreeBSD relayd configuration for LAN access
- Add comprehensive setup guide

LAN access uses existing CARP VIP (192.168.1.138) on f0/f1
with relayd forwarding HTTP/HTTPS to k3s Traefik NodePorts.
External access via OpenBSD relayd continues unchanged.

Diffstat (limited to 'f3s/navidrome')
| -rw-r--r-- | f3s/navidrome/helm-chart/README.md | 40 | ||||
| -rw-r--r-- | f3s/navidrome/helm-chart/templates/ingress.yaml | 22 |
2 files changed, 61 insertions, 1 deletions
diff --git a/f3s/navidrome/helm-chart/README.md b/f3s/navidrome/helm-chart/README.md index bee6058..1c0a319 100644 --- a/f3s/navidrome/helm-chart/README.md +++ b/f3s/navidrome/helm-chart/README.md @@ -7,9 +7,47 @@ This directory contains the Kubernetes configuration for deploying Navidrome, a - **Application**: Navidrome - **Image**: `deluan/navidrome:latest` - **Namespace**: `services` -- **Ingress**: `navidrome.f3s.buetow.org` +- **External Ingress**: `navidrome.f3s.buetow.org` (via OpenBSD relayd) +- **LAN Ingress**: `navidrome.f3s.lan.buetow.org` (via FreeBSD CARP + relayd) - **Port**: 4533 +## Access Methods + +### External Access (Internet) + +Access from anywhere via `https://navidrome.f3s.buetow.org`: +- Routes through OpenBSD relayd (WireGuard tunnel) +- TLS certificates managed by Let's Encrypt +- Available from internet-connected devices + +### LAN Access (Local Network) + +Access from local network via `https://navidrome.f3s.lan.buetow.org`: +- Routes through FreeBSD CARP VIP (192.168.1.138) with relayd +- TLS certificates managed by cert-manager (self-signed) +- Direct access without WireGuard overhead +- Requires DNS configuration and CA certificate trust (see below) + +#### DNS Configuration for LAN + +Add to your DNS server or `/etc/hosts`: + +``` +192.168.1.138 navidrome.f3s.lan.buetow.org +``` + +#### Trusting Self-Signed CA + +To avoid browser warnings, install the f3s LAN CA certificate: + +1. Export CA from k3s: + ```bash + cd /home/paul/git/conf/f3s/cert-manager + just export-ca + ``` + +2. Install on your device (see `cert-manager/README.md` for platform-specific instructions) + ## Storage Navidrome requires two persistent volumes: diff --git a/f3s/navidrome/helm-chart/templates/ingress.yaml b/f3s/navidrome/helm-chart/templates/ingress.yaml index e8d94c6..f8d674c 100644 --- a/f3s/navidrome/helm-chart/templates/ingress.yaml +++ b/f3s/navidrome/helm-chart/templates/ingress.yaml 
@@ -18,3 +18,25 @@ spec: name: navidrome-service port: number: 4533 +--- +# LAN Ingress for navidrome.f3s.lan.buetow.org +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: navidrome-ingress-lan + namespace: services + annotations: + spec.ingressClassName: traefik + traefik.ingress.kubernetes.io/router.entrypoints: web +spec: + rules: + - host: navidrome.f3s.lan.buetow.org + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: navidrome-service + port: + number: 4533 |
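
Review bot: In the "Trusting Self-Signed CA" section of the README.md hunk, readers are told to install the f3s LAN CA on their devices with no way to confirm that the exported file is the intended CA certificate. Consider documenting the command that prints the certificate fingerprint next to the `just export-ca` step, and stating that the export contains only the CA certificate and not its private key. The absolute path in `cd /home/paul/git/conf/f3s/cert-manager` is also tied to one workstation; a path relative to the repository root would work for any checkout.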
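
Review bot: The new `navidrome-ingress-lan` resource in templates/ingress.yaml has no `tls:` section and sets `traefik.ingress.kubernetes.io/router.entrypoints: web`, so nothing in this manifest attaches the wildcard certificate for *.f3s.lan.buetow.org to this host, although the README hunk advertises `https://navidrome.f3s.lan.buetow.org` with cert-manager TLS. If TLS is meant to terminate at Traefik, add a `tls:` block naming the host and the certificate's secret and include the HTTPS entrypoint in the annotation; if it terminates elsewhere, say so in the comment above the resource. Separately, `spec.ingressClassName: traefik` sits under `annotations:`, where it is only a free-form annotation key; the ingress class field is `ingressClassName: traefik` directly under `spec:`.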
