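# services/pegasus/deployment.yaml
# Deployment for the pegasus service in the jellyfin namespace: a single
# replica running as a non-root user with a read-only root filesystem.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pegasus
  namespace: jellyfin
spec:
  replicas: 1
  selector:
    matchLabels:
      app: pegasus
  template:
    metadata:
      labels:
        app: pegasus
    spec:
      # Pod-level identity: containers run as non-root UID/GID 10001.
      # NOTE(review): no seccompProfile is set at pod or container level;
      # consider `seccompProfile: { type: RuntimeDefault }` here.
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        runAsGroup: 10001
        # NOTE(review): fsGroup (1000) differs from runAsGroup (10001);
        # presumably it matches group ownership on the media volume - confirm.
        fsGroup: 1000
        fsGroupChangePolicy: "OnRootMismatch"
      # The key must be spelled `imagePullSecrets`. A misspelled key is either
      # rejected by schema validation or dropped, which leaves the pod with no
      # registry credentials and the image pull failing.
      imagePullSecrets:
        - name: zot-regcred
      containers:
        - name: pegasus
          # NOTE(review): a tag is mutable and IfNotPresent reuses whatever a
          # node has cached under it; pinning by digest
          # (image@sha256:<digest>) makes the deployed artifact verifiable.
          image: registry.bstein.dev/pegasus:1.1.0
          imagePullPolicy: IfNotPresent
          env:
            - name: PEGASUS_MEDIA_ROOT
              valueFrom:
                configMapKeyRef:
                  name: pegasus-config
                  key: PEGASUS_MEDIA_ROOT
            - name: PEGASUS_BIND
              valueFrom:
                configMapKeyRef:
                  name: pegasus-config
                  key: PEGASUS_BIND
            - name: PEGASUS_USER_MAP_FILE
              value: "/config/user-map.yaml"
            # The session key comes from a Secret, never inline in the manifest.
            - name: PEGASUS_SESSION_KEY
              valueFrom:
                secretKeyRef:
                  name: pegasus-secrets
                  key: PEGASUS_SESSION_KEY
            - name: JELLYFIN_URL
              valueFrom:
                secretKeyRef:
                  name: pegasus-secrets
                  key: JELLYFIN_URL
            # NOTE(review): debug and dry-run are both switched on. Confirm
            # this is intended for this environment; debug modes often log
            # more request and session detail than production should expose.
            - name: PEGASUS_DEBUG
              value: "1"
            - name: PEGASUS_DRY_RUN
              value: "1"
          ports:
            - name: http
              containerPort: 8080
          volumeMounts:
            # Mounted read-write; presumably the service writes media here.
            - name: media
              mountPath: /media
            - name: config
              mountPath: /config
              readOnly: true
            # Writable scratch space, needed because the root filesystem is
            # mounted read-only below.
            - name: tmp
              mountPath: /tmp
          readinessProbe:
            httpGet:
              path: "/"
              port: http
          livenessProbe:
            httpGet:
              path: "/metrics"
              port: http
          # Container hardening: no privilege escalation, immutable root
          # filesystem, and every Linux capability dropped.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          resources:
            requests:
              cpu: 100m
              memory: 256Mi
            limits:
              cpu: 1000m
              memory: 1Gi
      volumes:
        - name: media
          persistentVolumeClaim:
            claimName: jellyfin-media-asteria
        - name: config
          configMap:
            name: pegasus-user-map
        - name: tmp
          emptyDir: {}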