pegasus 1.2.17

2025-09-16 22:45:15 -05:00 · 2025-09-16 22:45:15 -05:00 · f49e341445
commit f49e341445
parent 8c64a4b067
1 changed files with 76 additions and 49 deletions
--- a/services/pegasus/deployment.yaml
+++ b/services/pegasus/deployment.yaml
@ -1,4 +1,3 @@
 # services/pegasus/deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@ -22,59 +21,87 @@ spec:
        - name: zot-regcred
      securityContext:
        runAsNonRoot: true
        # runAsUser: 10001
        # runAsGroup: 10001
        # fsGroup: 1000
        runAsUser: 65532
        runAsGroup: 65532
        fsGroup: 65532
        fsGroupChangePolicy: "OnRootMismatch"
      initContainers:
        - name: fix-perms
          image: alpine:3.20
          command:
            - sh
            - -lc
            - |
              set -eux
              # Scratch area for tus uploads (always writable)
              mkdir -p /media/.pegasus-tus
              chmod 0777 /media/.pegasus-tus
              # Make each top-level library dir group-writable and setgid,
              # and try to set its group to 65532 (so the app can write).
              for d in /media/*; do
                [ -d "$d" ] || continue
                base="$(basename "$d")"
                [ "$base" = ".pegasus-tus" ] && continue
                # chgrp can fail on some backends; don't block the pod if it does.
                chgrp 65532 "$d" || true
                chmod 2775 "$d" || true
              done
          securityContext:
            runAsUser: 0
            runAsGroup: 0
            runAsNonRoot: false
            allowPrivilegeEscalation: false
          volumeMounts:
            - { name: media, mountPath: /media }
      containers:
-      - name: pegasus
+        - name: pegasus
-        image: registry.bstein.dev/pegasus:1.2.18 # {"$imagepolicy": "jellyfin:pegasus"}
+          image: registry.bstein.dev/pegasus:1.2.19 # {"$imagepolicy": "jellyfin:pegasus"}
-        imagePullPolicy: Always
+          imagePullPolicy: Always
-        command: ["/pegasus"]
+          command: ["/pegasus"]
-        env:
+          env:
-          - name: PEGASUS_MEDIA_ROOT
+            - name: PEGASUS_MEDIA_ROOT
-            valueFrom: { configMapKeyRef: { name: pegasus-config, key: PEGASUS_MEDIA_ROOT } }
+              valueFrom: { configMapKeyRef: { name: pegasus-config, key: PEGASUS_MEDIA_ROOT } }
-          - name: PEGASUS_BIND
+            - name: PEGASUS_BIND
-            valueFrom: { configMapKeyRef: { name: pegasus-config, key: PEGASUS_BIND } }
+              valueFrom: { configMapKeyRef: { name: pegasus-config, key: PEGASUS_BIND } }
-          - name: PEGASUS_USER_MAP_FILE
+            - name: PEGASUS_USER_MAP_FILE
-            value: "/config/user-map.yaml"
+              value: "/config/user-map.yaml"
-          - name: PEGASUS_SESSION_KEY
+            - name: PEGASUS_SESSION_KEY
-            valueFrom: { secretKeyRef: { name: pegasus-secrets, key: PEGASUS_SESSION_KEY } }
+              valueFrom: { secretKeyRef: { name: pegasus-secrets, key: PEGASUS_SESSION_KEY } }
-          - name: JELLYFIN_URL
+            - name: JELLYFIN_URL
-            valueFrom: { secretKeyRef: { name: pegasus-secrets, key: JELLYFIN_URL } }
+              valueFrom: { secretKeyRef: { name: pegasus-secrets, key: JELLYFIN_URL } }
-          - name: PEGASUS_DEBUG
+            - name: PEGASUS_DEBUG
-            value: "1"
+              value: "1"
-          - name: PEGASUS_DRY_RUN
+            - name: PEGASUS_DRY_RUN
-            value: "0"
+              value: "0"
-        ports: [{ name: http, containerPort: 8080 }]
+          ports: [{ name: http, containerPort: 8080 }]
-        readinessProbe:
+          readinessProbe:
-          httpGet: { path: /healthz, port: http }
+            httpGet: { path: /healthz, port: http }
-          initialDelaySeconds: 2
+            initialDelaySeconds: 2
-          periodSeconds: 5
+            periodSeconds: 5
-          timeoutSeconds: 1
+            timeoutSeconds: 1
-        livenessProbe:
+          livenessProbe:
-          httpGet: { path: /healthz, port: http }
+            httpGet: { path: /healthz, port: http }
-          initialDelaySeconds: 10
+            initialDelaySeconds: 10
-          periodSeconds: 10
+            periodSeconds: 10
-          timeoutSeconds: 2
+            timeoutSeconds: 2
-        securityContext:
+          securityContext:
-          allowPrivilegeEscalation: false
+            allowPrivilegeEscalation: false
-          readOnlyRootFilesystem: true
+            readOnlyRootFilesystem: true
-          capabilities: { drop: ["ALL"] }
+            capabilities: { drop: ["ALL"] }
-        resources:
+          resources:
-          requests: { cpu: 100m, memory: 256Mi }
+            requests: { cpu: 100m, memory: 256Mi }
-          limits:   { cpu: 1000m, memory: 1Gi }
+            limits:   { cpu: 1000m, memory: 1Gi }
-        volumeMounts:
+          volumeMounts:
-          - name: media
+            - name: media
-            mountPath: /media
+              mountPath: /media
-          - name: config
+            - name: config
-            mountPath: /config
+              mountPath: /config
-            readOnly: true
+              readOnly: true
-          - name: tmp
+            - name: tmp
-            mountPath: /tmp
+              mountPath: /tmp
      volumes:
        - name: media
          persistentVolumeClaim: