From f3b7d23bb7b7f970491003ba0e7a63c8918c1dbf Mon Sep 17 00:00:00 2001
From: gilgamezh
Date: Sun, 11 Jan 2026 12:22:18 +0100
Subject: [PATCH] upgrade cert-manager and configure it to use dns instead of http
---
 non_argo_values/gitea_values.yaml | 2 +-
 resources/cluster-issuer-production.yaml | 12 +++++++----
 resources/ingress.yaml | 27 ++++++++++++++++++++++++
 3 files changed, 36 insertions(+), 5 deletions(-)
diff --git a/non_argo_values/gitea_values.yaml b/non_argo_values/gitea_values.yaml
index 51f9340..bdc537d 100644
--- a/non_argo_values/gitea_values.yaml
+++ b/non_argo_values/gitea_values.yaml
@@ -23,7 +23,7 @@ ingress:
 annotations:
 # Restrict to LAN access (matching your existing pattern)
 traefik.ingress.kubernetes.io/whitelist.sourcerange: "192.168.0.0/16,10.0.0.0/8,172.16.0.0/12"
- cert-manager.io/cluster-issuer: "letsencrypt-prod"
+ cert-manager.io/cluster-issuer: "letsencrypt-production"
 hosts:
 - host: gitea.gilgamezh.me
 paths:
diff --git a/resources/cluster-issuer-production.yaml b/resources/cluster-issuer-production.yaml
index bd8e478..134b8d3 100644
--- a/resources/cluster-issuer-production.yaml
+++ b/resources/cluster-issuer-production.yaml
@@ -10,7 +10,11 @@ spec:
 privateKeySecretRef:
 name: letsencrypt-production
 solvers:
- - selector: {}
- http01:
- ingress:
- class: traefik
+ - selector:
+ dnsZones:
+ - gilgamezh.me
+ dns01:
+ cloudflare:
+ apiTokenSecretRef:
+ name: cloudflare-api-token-secret
+ key: api-token
diff --git a/resources/ingress.yaml b/resources/ingress.yaml
index 37830c3..9ca44f7 100644
--- a/resources/ingress.yaml
+++ b/resources/ingress.yaml
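Review bot: The new `dns01.cloudflare.apiTokenSecretRef` in resources/cluster-issuer-production.yaml points at `cloudflare-api-token-secret`, but nothing in the patch says where that Secret must live or what the token is allowed to do. For a ClusterIssuer, cert-manager resolves referenced Secrets in its cluster resource namespace (`cert-manager` by default), and the token can rewrite DNS records for the zone, so it should be scoped as narrowly as possible. I would add a comment above the solver such as `# Secret lives in the cert-manager namespace; Cloudflare API token scoped to Zone:DNS:Edit + Zone:Zone:Read on gilgamezh.me only, created out of band and never committed`. The issuer's metadata and ACME settings lie outside the hunk, so any namespace override cannot be confirmed from here.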
@@ -79,3 +79,30 @@ spec:
 - hosts:
 - sonarr.gilgamezh.me
 secretName: sonarr-gilgamezh-me
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-production
+ kubernetes.io/ingress.class: traefik
+ labels:
+ app: lidarr
+ name: lidarr
+ namespace: default
+spec:
+ rules:
+ - host: lidarr.gilgamezh.me
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: lidarr
+ port:
+ number: 8686
+ tls:
+ - hosts:
+ - lidarr.gilgamezh.me
+ secretName: lidarr-gilgamezh-me
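Review bot: The new `lidarr` Ingress has no source-range restriction, whereas the gitea values in this same patch keep `traefik.ingress.kubernetes.io/whitelist.sourcerange` limited to private address ranges. If the Traefik entrypoint is reachable from outside the LAN (not visible here), Lidarr on port 8686 would be exposed there with only the application's own authentication in front of it. Because certificates are now issued through DNS-01, the host no longer has to be reachable over HTTP for validation, so I would add `traefik.ingress.kubernetes.io/whitelist.sourcerange: "192.168.0.0/16,10.0.0.0/8,172.16.0.0/12"` under `metadata.annotations`, or whichever restriction the other Ingresses in this file use, which lie outside the hunk.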