From f49e341445de98cb6a9bd76a9d02d5653a83e467 Mon Sep 17 00:00:00 2001
From: Brad Stein
Date: Tue, 16 Sep 2025 22:45:15 -0500
Subject: [PATCH] pegasus 1.2.17

---
 services/pegasus/deployment.yaml | 125 +++++++++++++++++++------------
 1 file changed, 76 insertions(+), 49 deletions(-)

diff --git a/services/pegasus/deployment.yaml b/services/pegasus/deployment.yaml
index 709e4b2..86f0248 100644
--- a/services/pegasus/deployment.yaml
+++ b/services/pegasus/deployment.yaml
@@ -1,4 +1,3 @@
-# services/pegasus/deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -22,59 +21,87 @@ spec:
 - name: zot-regcred
 securityContext:
 runAsNonRoot: true
- # runAsUser: 10001
- # runAsGroup: 10001
- # fsGroup: 1000
 runAsUser: 65532
 runAsGroup: 65532
 fsGroup: 65532
 fsGroupChangePolicy: "OnRootMismatch"
+ initContainers:
+ - name: fix-perms
+ image: alpine:3.20
+ command:
+ - sh
+ - -lc
+ - |
+ set -eux
+
+ # Scratch area for tus uploads (always writable)
+ mkdir -p /media/.pegasus-tus
+ chmod 0777 /media/.pegasus-tus
+
+ # Make each top-level library dir group-writable and setgid,
+ # and try to set its group to 65532 (so the app can write).
+ for d in /media/*; do
+ [ -d "$d" ] || continue
+ base="$(basename "$d")"
+ [ "$base" = ".pegasus-tus" ] && continue
+ # chgrp can fail on some backends; don't block the pod if it does.
+ chgrp 65532 "$d" || true
+ chmod 2775 "$d" || true
+ done
+ securityContext:
+ runAsUser: 0
+ runAsGroup: 0
+ runAsNonRoot: false
+ allowPrivilegeEscalation: false
+ volumeMounts:
+ - { name: media, mountPath: /media }
+
 containers:
- - name: pegasus
- image: registry.bstein.dev/pegasus:1.2.18 # {"$imagepolicy": "jellyfin:pegasus"}
- imagePullPolicy: Always
- command: ["/pegasus"]
- env:
- - name: PEGASUS_MEDIA_ROOT
- valueFrom: { configMapKeyRef: { name: pegasus-config, key: PEGASUS_MEDIA_ROOT } }
- - name: PEGASUS_BIND
- valueFrom: { configMapKeyRef: { name: pegasus-config, key: PEGASUS_BIND } }
- - name: PEGASUS_USER_MAP_FILE
- value: "/config/user-map.yaml"
- - name: PEGASUS_SESSION_KEY
- valueFrom: { secretKeyRef: { name: pegasus-secrets, key: PEGASUS_SESSION_KEY } }
- - name: JELLYFIN_URL
- valueFrom: { secretKeyRef: { name: pegasus-secrets, key: JELLYFIN_URL } }
- - name: PEGASUS_DEBUG
- value: "1"
- - name: PEGASUS_DRY_RUN
- value: "0"
- ports: [{ name: http, containerPort: 8080 }]
- readinessProbe:
- httpGet: { path: /healthz, port: http }
- initialDelaySeconds: 2
- periodSeconds: 5
- timeoutSeconds: 1
- livenessProbe:
- httpGet: { path: /healthz, port: http }
- initialDelaySeconds: 10
- periodSeconds: 10
- timeoutSeconds: 2
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- capabilities: { drop: ["ALL"] }
- resources:
- requests: { cpu: 100m, memory: 256Mi }
- limits: { cpu: 1000m, memory: 1Gi }
- volumeMounts:
- - name: media
- mountPath: /media
- - name: config
- mountPath: /config
- readOnly: true
- - name: tmp
- mountPath: /tmp
+ - name: pegasus
+ image: registry.bstein.dev/pegasus:1.2.19 # {"$imagepolicy": "jellyfin:pegasus"}
+ imagePullPolicy: Always
+ command: ["/pegasus"]
+ env:
+ - name: PEGASUS_MEDIA_ROOT
+ valueFrom: { configMapKeyRef: { name: pegasus-config, key: PEGASUS_MEDIA_ROOT } }
+ - name: PEGASUS_BIND
+ valueFrom: { configMapKeyRef: { name: pegasus-config, key: PEGASUS_BIND } }
+ - name: PEGASUS_USER_MAP_FILE
+ value: "/config/user-map.yaml"
+ - name: PEGASUS_SESSION_KEY
+ valueFrom: { secretKeyRef: { name: pegasus-secrets, key: PEGASUS_SESSION_KEY } }
+ - name: JELLYFIN_URL
+ valueFrom: { secretKeyRef: { name: pegasus-secrets, key: JELLYFIN_URL } }
+ - name: PEGASUS_DEBUG
+ value: "1"
+ - name: PEGASUS_DRY_RUN
+ value: "0"
+ ports: [{ name: http, containerPort: 8080 }]
+ readinessProbe:
+ httpGet: { path: /healthz, port: http }
+ initialDelaySeconds: 2
+ periodSeconds: 5
+ timeoutSeconds: 1
+ livenessProbe:
+ httpGet: { path: /healthz, port: http }
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 2
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities: { drop: ["ALL"] }
+ resources:
+ requests: { cpu: 100m, memory: 256Mi }
+ limits: { cpu: 1000m, memory: 1Gi }
+ volumeMounts:
+ - name: media
+ mountPath: /media
+ - name: config
+ mountPath: /config
+ readOnly: true
+ - name: tmp
+ mountPath: /tmp
 volumes:
 - name: media
 persistentVolumeClaim:
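Review bot: `chmod 0777 /media/.pegasus-tus` in the fix-perms init script leaves the tus scratch directory world-writable on the shared media volume, while the rest of the same script deliberately scopes write access to gid 65532; `chown 65532:65532 /media/.pegasus-tus` followed by `chmod 2770 /media/.pegasus-tus` gives the app the same writability without opening the directory to every other uid that mounts that PVC. The init container also runs as uid 0 with only `allowPrivilegeEscalation: false`, whereas the pegasus container drops all capabilities and sets `readOnlyRootFilesystem: true`; a chgrp/chmod pass needs only a small subset, so `readOnlyRootFilesystem: true` plus `capabilities: { drop: ["ALL"], add: ["CHOWN", "FOWNER", "DAC_OVERRIDE"] }` would bring it to the same baseline (confirm that set against the volume backend, since the script already tolerates chgrp failing). `image: alpine:3.20` is a floating tag with no digest, so the one step that runs as root is also the least pinned image in the pod; pin it by digest or at least a patch-level tag. A one-line comment above the init container, such as `# Runs as root only to fix ownership/modes on the media PVC before the app starts`, would record why the pod-level runAsNonRoot is overridden here.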