From a21afd98b44386fd34577a78e8a3672b9899d84e Mon Sep 17 00:00:00 2001
From: Scrublord MacBad
Date: Tue, 21 Apr 2026 22:24:34 +0200
Subject: [PATCH] fix: add per-service TLS and cert-manager annotations
---
 apps/production/element-server-suite.yaml | 45 ++++++++++++++++++-----
 1 file changed, 36 insertions(+), 9 deletions(-)
diff --git a/apps/production/element-server-suite.yaml b/apps/production/element-server-suite.yaml
index 38d596a..84c9b9e 100644
--- a/apps/production/element-server-suite.yaml
+++ b/apps/production/element-server-suite.yaml
@@ -26,39 +26,66 @@ spec: enabled: true ingress: host: matrix.axion1337.chat + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + traefik.ingress.kubernetes.io/router.tls: "true" + tls: + - secretName: matrix-axion1337-chat-tls + hosts: + - matrix.axion1337.chat # Matrix Authentication Service – braucht eine Subdomain matrixAuthenticationService: enabled: true ingress: host: account.axion1337.chat + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + traefik.ingress.kubernetes.io/router.tls: "true" + tls: + - secretName: account-axion1337-chat-tls + hosts: + - account.axion1337.chat # Matrix RTC (Element Call) – braucht auch eine Subdomain matrixRTC: enabled: true ingress: host: mrtc.axion1337.chat + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + traefik.ingress.kubernetes.io/router.tls: "true" + tls: + - secretName: mrtc-axion1337-chat-tls + hosts: + - mrtc.axion1337.chat # Element Web elementWeb: enabled: true ingress: host: axion1337.chat + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + traefik.ingress.kubernetes.io/router.tls: "true" + tls: + - secretName: axion1337-chat-tls + hosts: + - axion1337.chat # Element Admin elementAdmin: enabled: true ingress: host: admin.axion1337.chat + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + traefik.ingress.kubernetes.io/router.tls: "true" + tls: + - secretName: admin-axion1337-chat-tls + hosts: + - admin.axion1337.chat # Well-Known auf der Apex-Domain (axion1337.chat/.well-known/matrix/*) wellKnownDelegation: - enabled: true - - # Gemeinsame Ingress-Basis (wird von allen Komponenten geerbt) - ingress: - className: traefik - annotations: - cert-manager.io/cluster-issuer: letsencrypt-prod - traefik.ingress.kubernetes.io/router.tls: "true" - tlsEnabled: true \ No newline at end of file + enabled: true \ No newline at end of file
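Review bot: The deleted shared `ingress:` block at the end of the hunk also set `className: traefik` and `tlsEnabled: true`, and neither is carried over into the five per-service `ingress:` blocks, which only gain `annotations` and `tls`. Without an explicit class the Ingresses depend on whatever the cluster's default IngressClass is, and whether TLS stays enabled depends on the chart's default, so a host could end up unrouted or served without the intended certificate. I would either keep a trimmed shared block holding just `className: traefik` and `tlsEnabled: true`, or add `className: traefik` to each service's `ingress:`. It is also worth rendering the chart with `helm template` to confirm that its values schema accepts a `tls:` list at this level and that each Ingress ends up with the expected `spec.tls` entry, since an ignored key would mean cert-manager never issues for that host; indentation is not recoverable on this page, so the nesting could not be checked here.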