# Deployment manifest for matrix-media-repo.
# NOTE(review): only spec.template.spec is given (no replicas, no selector,
# no template labels), which looks like a strategic-merge patch layered on a
# base Deployment — confirm against the kustomization that consumes it.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: matrix-media-repo
spec:
  template:
    spec:
      # Pod-level security context. runAsNonRoot / runAsUser are deliberately
      # absent: this does not currently work, as there are some weird
      # expectations in the image's run scripts when running as non-root, so
      # the main process still starts as root. Revisit once the image allows it.
      # No seccompProfile is set either; `seccompProfile: {type: RuntimeDefault}`
      # is the usual next hardening step once the image is known to tolerate it.
      securityContext:
        # Volumes listed below are mounted group-owned by GID 1000 so the
        # container can write to them regardless of the UID it ends up with.
        fsGroup: 1000
      containers:
        - name: media-repo
          # No tag and no digest: this resolves to the mutable `latest` tag, so
          # a rebuild on the registry side is picked up silently and rollouts
          # are not reproducible. Pin to an immutable digest when one is known,
          # e.g. drgrove/matrix-media-repo@sha256:<PINNED-DIGEST>.
          image: drgrove/matrix-media-repo
          ports:
            - name: http
              containerPort: 8000
              protocol: TCP
            # Declaring the metrics port here does not expose it outside the
            # pod; reachability is decided by the Service / NetworkPolicy,
            # which are not part of this file.
            - name: metrics
              containerPort: 9000
              protocol: TCP
          volumeMounts:
            # Media storage backed by an emptyDir (see volumes below): its
            # contents are lost whenever the pod is recreated.
            - mountPath: /home/user/media/
              name: ephemeral
            # Config file projected from the mmr-config Secret. Because it is
            # mounted via subPath the file is a copy: later updates to the
            # Secret are NOT propagated into the running container, a pod
            # restart is needed to pick them up.
            - mountPath: /home/user/config/media-repo.yaml
              name: config
              subPath: config.yaml
              readOnly: true
          securityContext:
            # Drop every Linux capability: the process may run as root (see
            # the pod-level note) but without any CAP_* privilege.
            capabilities:
              drop:
                - ALL
            allowPrivilegeEscalation: false
            # Right now setting this to true is not possible — presumably the
            # image writes somewhere on its root filesystem; TODO confirm which
            # paths, since media and config already live on separate volumes.
            readOnlyRootFilesystem: false
      volumes:
        # Secret holding the rendered media-repo config (config.yaml key).
        - name: config
          secret:
            secretName: mmr-config
        # Scratch space for media; not persistent.
        - name: ephemeral
          emptyDir: {}