From dc3c9d8f6bfd2c4e0258e24bc39bec093f73ba9d Mon Sep 17 00:00:00 2001
From: Paul Buetow <paul@buetow.org>
Date: Sat, 31 Jan 2026 08:23:17 +0200
Subject: fix(jellyfin): use X-Forwarded-Proto header for TLS offloading via
 relayd

Amp-Thread-ID: https://ampcode.com/threads/T-019c12b1-e861-773b-8f74-64b6c2255a5f
Co-authored-by: Amp <amp@ampcode.com>
---
 f3s/jellyfin/helm-chart/templates/ingress.yaml | 31 ++++++--------------------
 1 file changed, 7 insertions(+), 24 deletions(-)

(limited to 'f3s')

diff --git a/f3s/jellyfin/helm-chart/templates/ingress.yaml b/f3s/jellyfin/helm-chart/templates/ingress.yaml
index e7f0ade..6c5571b 100644
--- a/f3s/jellyfin/helm-chart/templates/ingress.yaml
+++ b/f3s/jellyfin/helm-chart/templates/ingress.yaml
@@ -1,27 +1,9 @@
-# Jellyfin Traefik IngressRoute - HTTPS
+# Jellyfin Traefik Ingress
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
   name: jellyfin-ingress
   namespace: services
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    - match: Host(`jellyfin.f3s.buetow.org`)
-      kind: Rule
-      services:
-        - name: jellyfin-server
-          port: 8096
-  tls:
-    certResolver: letsencrypt
----
-# Redirect HTTP to HTTPS
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: jellyfin-ingress-redirect
-  namespace: services
 spec:
   entryPoints:
     - web
@@ -29,17 +11,18 @@ spec:
     - match: Host(`jellyfin.f3s.buetow.org`)
       kind: Rule
       middlewares:
-        - name: redirect-https
+        - name: jellyfin-headers
       services:
         - name: jellyfin-server
           port: 8096
 ---
+# Middleware to add X-Forwarded-Proto header so Jellyfin knows it's HTTPS
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
-  name: redirect-https
+  name: jellyfin-headers
   namespace: services
 spec:
-  redirectScheme:
-    scheme: https
-    permanent: true
+  headers:
+    customRequestHeaders:
+      X-Forwarded-Proto: https
-- 
cgit v1.2.3