From 280eb685ad7f37aa4da6917ea9d79154e2968d32 Mon Sep 17 00:00:00 2001
From: Paul Buetow <paul@buetow.org>
Date: Sat, 31 Jan 2026 08:30:57 +0200
Subject: refactor(jellyfin): expose via NodePorts, bypass Traefik to avoid
 double-proxy issues

Amp-Thread-ID: https://ampcode.com/threads/T-019c12b1-e861-773b-8f74-64b6c2255a5f
Co-authored-by: Amp <amp@ampcode.com>
---
 f3s/jellyfin/helm-chart/templates/deployment.yaml |  8 +++++-
 f3s/jellyfin/helm-chart/templates/ingress.yaml    | 32 +++--------------------
 2 files changed, 10 insertions(+), 30 deletions(-)

diff --git a/f3s/jellyfin/helm-chart/templates/deployment.yaml b/f3s/jellyfin/helm-chart/templates/deployment.yaml
index c646e8f..89ad51a 100644
--- a/f3s/jellyfin/helm-chart/templates/deployment.yaml
+++ b/f3s/jellyfin/helm-chart/templates/deployment.yaml
@@ -58,11 +58,17 @@ metadata:
   name: jellyfin-server
   namespace: services
 spec:
-  type: ClusterIP
+  type: NodePort
   ports:
     - name: http
       port: 8096
       protocol: TCP
       targetPort: 8096
+      nodePort: 30096
+    - name: https
+      port: 8920
+      protocol: TCP
+      targetPort: 8096
+      nodePort: 30920
   selector:
     app: jellyfin-server
diff --git a/f3s/jellyfin/helm-chart/templates/ingress.yaml b/f3s/jellyfin/helm-chart/templates/ingress.yaml
index 3ea2291..ed01eca 100644
--- a/f3s/jellyfin/helm-chart/templates/ingress.yaml
+++ b/f3s/jellyfin/helm-chart/templates/ingress.yaml
@@ -1,29 +1,3 @@
-# Jellyfin Traefik Ingress
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: jellyfin-ingress
-  namespace: services
-spec:
-  entryPoints:
-    - web
-  routes:
-    - match: Host(`jellyfin.f3s.buetow.org`)
-      kind: Rule
-      middlewares:
-        - name: jellyfin-headers
-      services:
-        - name: jellyfin-server
-          port: 8096
----
-# Middleware to add headers for reverse proxy (relayd TLS offloading)
-apiVersion: traefik.io/v1alpha1
-kind: Middleware
-metadata:
-  name: jellyfin-headers
-  namespace: services
-spec:
-  headers:
-    customRequestHeaders:
-      X-Forwarded-Proto: https
-      X-Forwarded-Host: jellyfin.f3s.buetow.org
+# Jellyfin is exposed via NodePorts 30096 and 30920
+# relayd on frontend proxies directly to these ports, bypassing Traefik
+# This avoids double reverse-proxy complexity and certificate chain issues
-- 
cgit v1.2.3