apiVersion: apps/v1
kind: Deployment
metadata:
  name: copyparty
  namespace: copyparty
spec:
  replicas: 1
  selector:
    matchLabels:
      app: copyparty
  template:
    metadata:
      labels:
        app: copyparty
    spec:
      containers:
        - name: copyparty
          image: copyparty/ac
          env:
            - name: ADMIN_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: copyparty-admin
                  key: password
            - name: LD_PRELOAD
              value: /usr/lib/libmimalloc-secure.so.2
          command:
            - python3
            - -m
            - copyparty
            - -c
            - /cfg/copyparty.conf
            - -a
            - admin:$(ADMIN_PASSWORD)
            - --rproxy
            - "-1"
            - --idp-h-usr
            - x-forwarded-preferred-username
            - --idp-cookie
            - "86400"
            - --shr
            - /share
            - --shr-site
            - https://files.josie.cloud
          ports:
            - containerPort: 3923
          volumeMounts:
            - name: data
              mountPath: /w
            - name: config
              mountPath: /cfg/copyparty.conf
              subPath: copyparty.conf
              readOnly: true
            - name: hists
              mountPath: /cfg/hists
          readinessProbe:
            httpGet:
              path: /
              port: 3923
            initialDelaySeconds: 5
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /
              port: 3923
            initialDelaySeconds: 10
            periodSeconds: 30
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 512Mi
        - name: oauth2-proxy
          image: quay.io/oauth2-proxy/oauth2-proxy:v7.7.1
          args:
            - --http-address=0.0.0.0:4180
            - --upstream=http://localhost:3923
            - --provider=keycloak-oidc
            - --oidc-issuer-url=https://auth.josie.cloud/realms/josie
            - --client-id=$(CLIENT_ID)
            - --client-secret=$(CLIENT_SECRET)
            - --cookie-secret=$(COOKIE_SECRET)
            - --cookie-secure=true
            - --cookie-samesite=lax
            - --email-domain=*
            - --redirect-url=https://files.josie.cloud/oauth2/callback
            - --pass-access-token=false
            - --pass-user-headers=true
            - --skip-provider-button=true
            - --code-challenge-method=S256
            - --oidc-extra-audience=account
            - --skip-auth-regex=^/(\.well-known|share)/
            - --pass-authorization-header=true
          env:
            - name: CLIENT_ID
              valueFrom:
                secretKeyRef:
                  name: oauth2-proxy
                  key: client-id
            - name: CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: oauth2-proxy
                  key: client-secret
            - name: COOKIE_SECRET
              valueFrom:
                secretKeyRef:
                  name: oauth2-proxy
                  key: cookie-secret
          ports:
            - containerPort: 4180
          readinessProbe:
            httpGet:
              path: /ping
              port: 4180
            initialDelaySeconds: 3
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /ping
              port: 4180
            initialDelaySeconds: 3
            periodSeconds: 30
          resources:
            requests:
              cpu: 50m
              memory: 32Mi
            limits:
              cpu: 200m
              memory: 64Mi
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: copyparty-data
        - name: config
          configMap:
            name: copyparty-config
        - name: hists
          emptyDir: {}