pegasus 1.2.17

services/pegasus/deployment.yaml

@@ -1,4 +1,3 @@
-# services/pegasus/deployment.yaml
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -22,16 +21,44 @@ spec:
         - name: zot-regcred
       securityContext:
         runAsNonRoot: true
-        # runAsUser: 10001
-        # runAsGroup: 10001
-        # fsGroup: 1000
         runAsUser: 65532
         runAsGroup: 65532
         fsGroup: 65532
         fsGroupChangePolicy: "OnRootMismatch"
+      initContainers:
+        - name: fix-perms
+          image: alpine:3.20
+          command:
+            - sh
+            - -lc
+            - |
+              set -eux
+
+              # Scratch area for tus uploads (always writable)
+              mkdir -p /media/.pegasus-tus
+              chmod 0777 /media/.pegasus-tus
+
+              # Make each top-level library dir group-writable and setgid,
+              # and try to set its group to 65532 (so the app can write).
+              for d in /media/*; do
+                [ -d "$d" ] || continue
+                base="$(basename "$d")"
+                [ "$base" = ".pegasus-tus" ] && continue
+                # chgrp can fail on some backends; don't block the pod if it does.
+                chgrp 65532 "$d" || true
+                chmod 2775 "$d" || true
+              done
+          securityContext:
+            runAsUser: 0
+            runAsGroup: 0
+            runAsNonRoot: false
+            allowPrivilegeEscalation: false
+          volumeMounts:
+            - { name: media, mountPath: /media }
+
       containers:
         - name: pegasus
-        image: registry.bstein.dev/pegasus:1.2.18 # {"$imagepolicy": "jellyfin:pegasus"}
+          image: registry.bstein.dev/pegasus:1.2.19 # {"$imagepolicy": "jellyfin:pegasus"}
           imagePullPolicy: Always
           command: ["/pegasus"]
           env: