apiVersion: v1
kind: ConfigMap
metadata:
  name: jellyfin-network-config
data:
  network.xml: |
    <?xml version="1.0" encoding="utf-8"?>
    <NetworkConfiguration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
      <BaseUrl>/</BaseUrl>
      <EnableHttps>true</EnableHttps>
      <RequireHttps>true</RequireHttps>
      <InternalHttpPort>8096</InternalHttpPort>
      <InternalHttpsPort>8920</InternalHttpsPort>
      <PublicHttpPort>80</PublicHttpPort>
      <PublicHttpsPort>443</PublicHttpsPort>
      <EnableRemoteAccess>true</EnableRemoteAccess>
      <EnablePublishedServerUriByRequest>true</EnablePublishedServerUriByRequest>
      <PublishedServerUri>https://${JELLYFIN_HOST}</PublishedServerUri>
    </NetworkConfiguration>

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: jellyfin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: jellyfin
  template:
    metadata:
      labels:
        app: jellyfin
    spec:
      containers:
        - name: jellyfin
          image: jellyfin/jellyfin:10.10.7
          ports:
            - containerPort: 8096
          volumeMounts:
            - name: plex-media
              mountPath: /media
            - name: config
              mountPath: /config
            - name: network-config
              mountPath: /config/config/    network.xml
              subPath: network.xml
      volumes:
        - name: plex-media
          persistentVolumeClaim:
            claimName: media-nfs-pvc
        - name: config
          persistentVolumeClaim:
            claimName: jellyfin-config-pvc
        - name: network-config
          configMap:
            name: jellyfin-network-config

---
apiVersion: v1
kind: Service
metadata:
  name: jellyfin-service
spec:
  selector:
    app: jellyfin
  ports:
    - protocol: TCP
      port: 8096
      targetPort: 8096
  type: ClusterIP

# ---
# apiVersion: traefik.io/v1alpha1
# kind: IngressRoute
# metadata:
#   name: jellyfin-ingress
#   annotations:
#     traefik.ingress.kubernetes.io/router.middlewares: jellyfin-headers@kubernetescrd
# spec:
#   entryPoints:
#     - websecure
#   routes:
#     - match: Host(`${JELLYFIN_HOST}`)
#       kind: Rule
#       services:
#         - name: jellyfin-service
#           port: 8096
#   tls:
#     secretName: jellyfin-tls-secret

# ---
# apiVersion: traefik.io/v1alpha1
# kind: Middleware
# metadata:
#   name: jellyfin-headers
# spec:
#   headers:
#     customRequestHeaders:
#       X-Forwarded-Proto: "https"
#     customResponseHeaders:
#       X-Frame-Options: "SAMEORIGIN"

---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: jellyfin-ingress
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/proxy-http-version: "1.1"
    nginx.ingress.kubernetes.io/server-header: "X-Frame-Options SAMEORIGIN"
    nginx.ingress.kubernetes.io/proxy-set-header: "X-Forwarded-Proto https"
spec:
  ingressClassName: nginx
  rules:
    - host: ${JELLYFIN_HOST}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: jellyfin-service
                port:
                  number: 8096
  tls:
    - hosts:
        - ${JELLYFIN_HOST}
      secretName: jellyfin-tls-secret

---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: jellyfin-cert
spec:
  secretName: jellyfin-tls-secret
  issuerRef:
    name: acme-issuer
    kind: ClusterIssuer
  dnsNames:
    - ${JELLYFIN_HOST}