---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: soulseekd
  namespace: soulseekd
  labels:
    app: soulseekd
spec:
  replicas: 1
  serviceName: soulseekd
  selector:
    matchLabels:
      app: soulseekd
  template:
    metadata:
      labels:
        app: soulseekd
    spec:
      initContainers:
        - name: gluetun
          image: ghcr.io/qdm12/gluetun
          ports:
            - name: slskd-http
              containerPort: 5030
              protocol: TCP
          envFrom:
            - configMapRef:
                name: gluetun-envs
            - secretRef:
                name: gluetun-env-secrets
          volumeMounts:
            - mountPath: /dev/net/tun
              name: dev-tun
            - mountPath: /gluetun/wireguard
              name: gluetun-wgconfig
              readOnly: true
            - name: gluetun-tmp
              mountPath: /tmp/gluetun
          restartPolicy: Always
          lifecycle:
            postStart:
              exec:
                command:
                  [
                    "/bin/sh",
                    "-c",
                    "(ip rule del table 51820; ip -6 rule del table 51820) || true",
                  ]
          readinessProbe:
            exec:
              command:
                - sh
                - -c
                - "ping -c 1 9.9.9.9"
            initialDelaySeconds: 5
            periodSeconds: 3
            timeoutSeconds: 2
            failureThreshold: 3
          livenessProbe:
            exec:
              command:
                - sh
                - -c
                - "ping -c 1 9.9.9.9"
            initialDelaySeconds: 10
            periodSeconds: 15
            timeoutSeconds: 2
            failureThreshold: 3
          securityContext:
            seccompProfile:
              type: RuntimeDefault
            allowPrivilegeEscalation: true
            capabilities:
              drop:
                - "ALL"
              add:
                - "CHOWN"
                - "NET_ADMIN"
                - "NET_RAW"
      containers:
        - name: slskd
          image: docker.io/slskd/slskd
          imagePullPolicy: IfNotPresent
          envFrom:
            - configMapRef:
                name: slskd-envs
            - secretRef:
                name: slskd-env-secrets
          volumeMounts:
            - mountPath: /config
              name: slskd-config
            - mountPath: /shared/media/downloads
              name: nfs-media-downloads
            - mountPath: /shared/media/music
              name: nfs-media-music
          securityContext:
            seccompProfile:
              type: RuntimeDefault
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - "ALL"
              add:
                - "CHOWN"
                - "SETUID"
                - "SETGID"
      volumes:
        - name: dev-tun
          hostPath:
            path: /dev/net/tun
            type: CharDevice
        - name: slskd-config
          persistentVolumeClaim:
            claimName: slskd-storage
        - name: gluetun-wgconfig
          secret:
            secretName: gluetun-wgconfig
        - name: gluetun-tmp
          emptyDir: {}
        - name: nfs-media-downloads
          persistentVolumeClaim:
            claimName: nfs-media-downloads
        - name: nfs-media-music
          persistentVolumeClaim:
            claimName: nfs-media-music