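---
# Deployment for the "player" service.
#
# Hardening added beyond the original manifest: a pod-level seccompProfile,
# capabilities.drop ALL on every container, and the same
# allowPrivilegeEscalation/readOnlyRootFilesystem settings on the init
# containers that the app container already had. All processes already run as
# uid 65534 and the app binds an unprivileged port (8080), so dropping every
# capability removes nothing the workload uses.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: player
  namespace: services
spec:
  replicas: 1
  # Recreate so the old pod fully terminates before the new one starts —
  # avoids NFS-lock races on the hostPath-backed PVC during rolling updates.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: player
  template:
    metadata:
      labels:
        app: player
    spec:
      # Pod-level defaults; inherited by init containers and app container alike.
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534
        runAsGroup: 65534
        # fsGroup makes the mounted PVCs group-writable for the nobody gid.
        fsGroup: 65534
        # Kernel syscall filter for every container in the pod (the
        # "restricted" Pod Security Standard requires this to be set).
        seccompProfile:
          type: RuntimeDefault
      # Each init container mounts one PVC read-only at /mnt and refuses to
      # let the pod start unless the NFS sentinel file is present. Without
      # this check a node with NFS unmounted would hand the app the empty
      # local directory underneath the mount point instead of the real data.
      initContainers:
        - name: nfs-check-data
          # NOTE(review): "stable" is a mutable tag; pin to
          # busybox@sha256:<DIGEST> if reproducible rollouts are required.
          image: busybox:stable
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          command:
            - sh
            - -c
            - |
              test -f /mnt/.nfs-sentinel || (
                echo "ERROR: NFS sentinel missing at /mnt/.nfs-sentinel"
                echo "refusing to start; node likely has NFS unmounted"
                echo "pod would otherwise bind-mount the local-XFS shadow"
                exit 1
              )
          volumeMounts:
            - name: player-data
              mountPath: /mnt
              readOnly: true
        - name: nfs-check-media
          image: busybox:stable
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
          command:
            - sh
            - -c
            - |
              test -f /mnt/.nfs-sentinel || (
                echo "ERROR: NFS sentinel missing at /mnt/.nfs-sentinel"
                echo "refusing to start; node likely has NFS unmounted"
                echo "pod would otherwise bind-mount the local-XFS shadow"
                exit 1
              )
          volumeMounts:
            - name: player-media
              mountPath: /mnt
              readOnly: true
      containers:
        - name: player
          image: registry.lan.buetow.org:30001/player:dd3a961
          imagePullPolicy: IfNotPresent
          securityContext:
            allowPrivilegeEscalation: false
            # Root filesystem is immutable; /tmp is the only writable
            # scratch space (emptyDir below).
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 65534
            runAsGroup: 65534
            capabilities:
              drop:
                - ALL
          ports:
            - containerPort: 8080
              name: http
          # All env values are strings on purpose; the app parses them itself.
          env:
            - name: PORT
              value: "8080"
            - name: DB_PATH
              value: "/data/media.db"
            - name: MEDIA_ROOT
              value: "/media"
            - name: SECURE_COOKIES
              value: "true"
          livenessProbe:
            httpGet:
              path: /healthz
              port: http
            initialDelaySeconds: 5
            periodSeconds: 10
          # Startup probe gates the liveness probe for up to 60 * 5s = 300s,
          # so a slow first start is not restart-looped.
          startupProbe:
            httpGet:
              path: /healthz
              port: http
            periodSeconds: 5
            failureThreshold: 60
          readinessProbe:
            httpGet:
              path: /readyz
              port: http
            initialDelaySeconds: 3
            periodSeconds: 5
          resources:
            requests:
              memory: 128Mi
              cpu: 100m
            limits:
              memory: 512Mi
              cpu: "1"
          volumeMounts:
            - name: player-data
              mountPath: /data
            - name: player-media
              mountPath: /media
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: player-data
          persistentVolumeClaim:
            claimName: player-data-pvc
        - name: player-media
          persistentVolumeClaim:
            claimName: player-media-pvc
        # Writable scratch for the read-only-root app container.
        - name: tmp
          emptyDir: {}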