titan-iac/services/pegasus/deployment.yaml

# services/pegasus/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pegasus
  namespace: jellyfin
spec:
  replicas: 1
  revisionHistoryLimit: 3
  strategy:
    type: RollingUpdate
    rollingUpdate:
      maxSurge: 0
      maxUnavailable: 1
  selector: { matchLabels: { app: pegasus } }
  template:
    metadata:
      labels: { app: pegasus }
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "pegasus"
        vault.hashicorp.com/agent-inject-secret-pegasus-env: "kv/data/atlas/pegasus/pegasus-secrets"
        vault.hashicorp.com/agent-inject-template-pegasus-env: |
          {{- with secret "kv/data/atlas/pegasus/pegasus-secrets" -}}
          export PEGASUS_SESSION_KEY="{{ .Data.data.PEGASUS_SESSION_KEY }}"
          export JELLYFIN_URL="{{ .Data.data.JELLYFIN_URL }}"
          export JELLYFIN_API_KEY="{{ .Data.data.JELLYFIN_API_KEY }}"
          {{- end -}}
    spec:
      nodeSelector:
        kubernetes.io/arch: arm64
        node-role.kubernetes.io/worker: "true"
      serviceAccountName: pegasus-vault-sync
      imagePullSecrets:
        - name: harbor-regcred
      securityContext:
        runAsNonRoot: true
        runAsUser: 65532
        runAsGroup: 65532
        fsGroup: 65532
        fsGroupChangePolicy: "OnRootMismatch"
      initContainers:
        - name: fix-perms
          image: alpine:3.20
          command:
            - sh
            - -lc
            - |
              set -eux

              # Scratch area for tus uploads (always writable)
              mkdir -p /media/.pegasus-tus
              chmod 0777 /media/.pegasus-tus

              # Make each top-level library dir group-writable and setgid,
              # and try to set its group to 65532 (so the app can write).
              for d in /media/*; do
                [ -d "$d" ] || continue
                base="$(basename "$d")"
                [ "$base" = ".pegasus-tus" ] && continue
                # chgrp can fail on some backends; don't block the pod if it does.
                chgrp 65532 "$d" || true
                chmod 2775 "$d" || true
              done
          securityContext:
            runAsUser: 0
            runAsGroup: 0
            runAsNonRoot: false
            allowPrivilegeEscalation: false
          volumeMounts:
            - { name: media, mountPath: /media }

      containers:
        - name: pegasus
          image: registry.bstein.dev/streaming/pegasus-vault:1.2.32 # {"$imagepolicy": "jellyfin:pegasus"}
          imagePullPolicy: Always
          env:
            - name: PEGASUS_MEDIA_ROOT
              valueFrom: { configMapKeyRef: { name: pegasus-config, key: PEGASUS_MEDIA_ROOT } }
            - name: PEGASUS_BIND
              valueFrom: { configMapKeyRef: { name: pegasus-config, key: PEGASUS_BIND } }
            - name: PEGASUS_USER_MAP_FILE
              value: "/config/user-map.yaml"
            - name: VAULT_ENV_FILE
              value: /vault/secrets/pegasus-env
            - name: PEGASUS_DEBUG
              value: "1"
            - name: PEGASUS_DRY_RUN
              value: "0"
          ports: [{ name: http, containerPort: 8080 }]
          readinessProbe:
            httpGet: { path: /healthz, port: http }
            initialDelaySeconds: 2
            periodSeconds: 5
            timeoutSeconds: 1
          livenessProbe:
            httpGet: { path: /healthz, port: http }
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 2
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities: { drop: ["ALL"] }
          resources:
            requests: { cpu: 100m, memory: 256Mi }
            limits:   { cpu: 1000m, memory: 1Gi }
          volumeMounts:
            - name: media
              mountPath: /media
            - name: config
              mountPath: /config
              readOnly: true
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: media
          persistentVolumeClaim:
            claimName: jellyfin-media-asteria-new
        - name: config
          configMap: { name: pegasus-user-map }
        - name: tmp
          emptyDir: {}
vault: prep helm releases and image pins 2026-01-13 19:29:14 -03:00			`# services/pegasus/deployment.yaml`
jitsi setup 2025-09-07 13:20:49 -05:00			`apiVersion: apps/v1`
			`kind: Deployment`
			`metadata:`
			`name: pegasus`
			`namespace: jellyfin`
			`spec:`
pegasus on 2025-10-09 23:23:41 -05:00			`replicas: 1`
pegasus: pin image digest + command + probes + tls 2025-09-15 13:00:39 -05:00			`revisionHistoryLimit: 3`
			`strategy:`
			`type: RollingUpdate`
			`rollingUpdate:`
			`maxSurge: 0`
			`maxUnavailable: 1`
jitsi setup 2025-09-07 13:20:49 -05:00			`selector: { matchLabels: { app: pegasus } }`
			`template:`
vault: inject remaining services with wrappers 2026-01-14 17:29:09 -03:00			`metadata:`
			`labels: { app: pegasus }`
			`annotations:`
			`vault.hashicorp.com/agent-inject: "true"`
			`vault.hashicorp.com/role: "pegasus"`
			`vault.hashicorp.com/agent-inject-secret-pegasus-env: "kv/data/atlas/pegasus/pegasus-secrets"`
			`vault.hashicorp.com/agent-inject-template-pegasus-env: \|`
			`{{- with secret "kv/data/atlas/pegasus/pegasus-secrets" -}}`
			`export PEGASUS_SESSION_KEY="{{ .Data.data.PEGASUS_SESSION_KEY }}"`
			`export JELLYFIN_URL="{{ .Data.data.JELLYFIN_URL }}"`
			`export JELLYFIN_API_KEY="{{ .Data.data.JELLYFIN_API_KEY }}"`
			`{{- end -}}`
jitsi setup 2025-09-07 13:20:49 -05:00			`spec:`
pegasus flux'd 2025-09-15 12:32:52 -05:00			`nodeSelector:`
monero ingress + move pegasus to arm64 2025-12-18 02:02:21 -03:00			`kubernetes.io/arch: arm64`
			`node-role.kubernetes.io/worker: "true"`
vault: inject remaining services with wrappers 2026-01-14 17:29:09 -03:00			`serviceAccountName: pegasus-vault-sync`
vault: sync harbor pulls 2026-01-14 10:07:31 -03:00			`imagePullSecrets:`
			`- name: harbor-regcred`
jitsi setup 2025-09-07 13:20:49 -05:00			`securityContext:`
			`runAsNonRoot: true`
pegasus 1.2.17 2025-09-16 20:08:50 -05:00			`runAsUser: 65532`
			`runAsGroup: 65532`
			`fsGroup: 65532`
jitsi setup 2025-09-07 13:20:49 -05:00			`fsGroupChangePolicy: "OnRootMismatch"`
pegasus 1.2.17 2025-09-16 22:45:15 -05:00			`initContainers:`
			`- name: fix-perms`
			`image: alpine:3.20`
			`command:`
			`- sh`
			`- -lc`
			`- \|`
			`set -eux`

			`# Scratch area for tus uploads (always writable)`
			`mkdir -p /media/.pegasus-tus`
			`chmod 0777 /media/.pegasus-tus`

			`# Make each top-level library dir group-writable and setgid,`
			`# and try to set its group to 65532 (so the app can write).`
			`for d in /media/*; do`
			`[ -d "$d" ] \|\| continue`
			`base="$(basename "$d")"`
			`[ "$base" = ".pegasus-tus" ] && continue`
			`# chgrp can fail on some backends; don't block the pod if it does.`
			`chgrp 65532 "$d" \|\| true`
			`chmod 2775 "$d" \|\| true`
			`done`
			`securityContext:`
			`runAsUser: 0`
			`runAsGroup: 0`
			`runAsNonRoot: false`
			`allowPrivilegeEscalation: false`
			`volumeMounts:`
			`- { name: media, mountPath: /media }`

jitsi setup 2025-09-07 13:20:49 -05:00			`containers:`
pegasus 1.2.17 2025-09-16 22:45:15 -05:00			`- name: pegasus`
vault: inject remaining services with wrappers 2026-01-14 17:29:09 -03:00			`image: registry.bstein.dev/streaming/pegasus-vault:1.2.32 # {"$imagepolicy": "jellyfin:pegasus"}`
pegasus 1.2.17 2025-09-16 22:45:15 -05:00			`imagePullPolicy: Always`
			`env:`
			`- name: PEGASUS_MEDIA_ROOT`
			`valueFrom: { configMapKeyRef: { name: pegasus-config, key: PEGASUS_MEDIA_ROOT } }`
			`- name: PEGASUS_BIND`
			`valueFrom: { configMapKeyRef: { name: pegasus-config, key: PEGASUS_BIND } }`
			`- name: PEGASUS_USER_MAP_FILE`
			`value: "/config/user-map.yaml"`
vault: inject remaining services with wrappers 2026-01-14 17:29:09 -03:00			`- name: VAULT_ENV_FILE`
			`value: /vault/secrets/pegasus-env`
pegasus 1.2.17 2025-09-16 22:45:15 -05:00			`- name: PEGASUS_DEBUG`
			`value: "1"`
			`- name: PEGASUS_DRY_RUN`
			`value: "0"`
			`ports: [{ name: http, containerPort: 8080 }]`
			`readinessProbe:`
			`httpGet: { path: /healthz, port: http }`
			`initialDelaySeconds: 2`
			`periodSeconds: 5`
			`timeoutSeconds: 1`
			`livenessProbe:`
			`httpGet: { path: /healthz, port: http }`
			`initialDelaySeconds: 10`
			`periodSeconds: 10`
			`timeoutSeconds: 2`
			`securityContext:`
			`allowPrivilegeEscalation: false`
			`readOnlyRootFilesystem: true`
			`capabilities: { drop: ["ALL"] }`
			`resources:`
			`requests: { cpu: 100m, memory: 256Mi }`
			`limits: { cpu: 1000m, memory: 1Gi }`
			`volumeMounts:`
			`- name: media`
			`mountPath: /media`
			`- name: config`
			`mountPath: /config`
			`readOnly: true`
			`- name: tmp`
			`mountPath: /tmp`
jitsi setup 2025-09-07 13:20:49 -05:00			`volumes:`
			`- name: media`
			`persistentVolumeClaim:`
monitoring add, jellyfin/pegasus update, and traefik tweaks 2025-10-07 23:26:27 -05:00			`claimName: jellyfin-media-asteria-new`
jitsi setup 2025-09-07 13:20:49 -05:00			`- name: config`
			`configMap: { name: pegasus-user-map }`
			`- name: tmp`
pegasus on 2025-09-15 02:45:22 -05:00			`emptyDir: {}`