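---
# Deployment for the keybr web application: a single replica whose SQLite
# database and data directory live on the keybr-data-pvc volume.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: keybr
  namespace: services
spec:
  replicas: 1
  # Recreate so the old pod fully terminates before the new one starts —
  # avoids NFS-lock races on the hostPath-backed PVC during rolling updates.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: keybr
  template:
    metadata:
      labels:
        app: keybr
    spec:
      # NOTE(review): nothing in this manifest talks to the Kubernetes API;
      # if the application does not either, consider setting
      # automountServiceAccountToken: false here — confirm before enabling.
      initContainers:
        # Gate start-up on the NFS sentinel file: if the node's NFS mount is
        # missing, the claim would resolve to the local directory underneath
        # it and the app would write its database to the wrong filesystem.
        - name: nfs-check-keybr-data
          # NOTE(review): mutable tag; pin to a reviewed version or digest
          # (busybox@sha256:<digest>) so a registry change cannot alter what
          # runs here.
          image: busybox:stable
          command:
            - sh
            - -c
            - |
              test -f /mnt/.nfs-sentinel || (
                echo "ERROR: NFS sentinel missing at /mnt/.nfs-sentinel"
                echo "refusing to start; node likely has NFS unmounted"
                echo "pod would otherwise bind-mount the local-XFS shadow"
                exit 1
              )
          # The check only reads one file and prints to stdout, so it runs
          # with no privilege escalation, no capabilities and a read-only
          # root filesystem.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: keybr-data
              mountPath: /mnt
              readOnly: true
      # Pod-level identity, applied to the init container and the app alike.
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        # Have the kubelet refuse to start any container that would run as
        # UID 0, instead of relying on runAsUser alone.
        runAsNonRoot: true
        # Apply the container runtime's default syscall filter.
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: keybr
          # NOTE(review): ":latest" is a mutable tag from a third-party
          # registry account; pin to a reviewed version or digest
          # (ryanrhymes/keybr@sha256:<digest>) so a redeploy cannot silently
          # pull different code.
          image: ryanrhymes/keybr:latest
          securityContext:
            allowPrivilegeEscalation: false
            # The process runs as UID 1000 on port 3000 and needs no Linux
            # capabilities.
            capabilities:
              drop:
                - ALL
          # NOTE(review): no resources.requests/limits are set; add values
          # sized for this workload so it cannot starve the node.
          ports:
            - containerPort: 3000
          env:
            # NOTE(review): APP_URL is plain http and COOKIE_SECURE is
            # "false", so session cookies are issued without the Secure
            # attribute and may travel in cleartext. If TLS is terminated in
            # front of this service, switch APP_URL to https:// and
            # COOKIE_SECURE to "true" — confirm against the ingress config.
            - name: APP_URL
              value: "http://keybr.f3s.buetow.org/"
            - name: COOKIE_DOMAIN
              value: "keybr.f3s.buetow.org"
            - name: COOKIE_SECURE
              value: "false"
            - name: DATA_DIR
              value: "/data"
            - name: DATABASE_CLIENT
              value: "sqlite"
            - name: DATABASE_FILENAME
              value: "/data/database.sqlite"
          volumeMounts:
            - name: keybr-data
              mountPath: /data
      volumes:
        - name: keybr-data
          persistentVolumeClaim:
            claimName: keybr-data-pvc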