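---
# Single-replica Deployment that runs a pruned monerod node.
# An init container downloads the Monero CLI tarball, checks its GPG signature
# against the key mounted from the `monero-release-keys` ConfigMap, and copies
# `monerod` into a shared emptyDir; the main container runs that binary as
# UID 1000 on a read-only root filesystem with all capabilities dropped.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: monerod
  namespace: monero
  labels:
    app: monerod
spec:
  replicas: 1
  # Recreate stops the old pod before starting the new one, so two monerod
  # processes never open the chain volume at the same time.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: monerod
  template:
    metadata:
      labels:
        app: monerod
    spec:
      securityContext:
        # Volumes are group-owned by GID 1000 so the non-root monerod process
        # can write to /chain; ownership is only rewritten on a root mismatch.
        fsGroup: 1000
        fsGroupChangePolicy: OnRootMismatch
      initContainers:
        # NOTE(review): this container sets no securityContext and needs root
        # for apt-get, so it runs with the image defaults. It also installs
        # packages and downloads the release on every pod start, from a mutable
        # image tag and an unversioned "latest" URL. Baking a verified binary
        # into an image pinned by digest removes that start-up egress and makes
        # the deployed version reproducible.
        - name: fetch-monero-cli
          image: debian:bookworm-slim
          # bash, not /bin/sh: the script uses `set -o pipefail`, which is not
          # guaranteed under Debian's /bin/sh (dash) and would abort the script
          # on its first line there.
          command: ["/bin/bash", "-lc"]
          args:
            - |
              set -euo pipefail
              apt-get update
              apt-get install -y --no-install-recommends ca-certificates curl gnupg tar bzip2
              mkdir -p /opt/monero/bin /tmp/gnupg
              # Throwaway keyring holding only the key from the ConfigMap: that
              # ConfigMap is the trust anchor, so restrict who may edit it.
              gpg --homedir /tmp/gnupg --import /keys/binaryfate.asc
              curl -fL https://downloads.getmonero.org/cli/linux64 -o /tmp/monero-cli.tar.bz2
              # NOTE(review): confirm upstream serves a detached signature at
              # this URL; the flow documented by the Monero project verifies the
              # signed hashes.txt and compares the tarball's SHA256 against it.
              # Either way this step fails closed (curl -f, gpg exit status, set -e).
              curl -fL https://downloads.getmonero.org/cli/linux64.sig -o /tmp/monero-cli.tar.bz2.asc
              gpg --homedir /tmp/gnupg --verify /tmp/monero-cli.tar.bz2.asc /tmp/monero-cli.tar.bz2
              # Extract only after the signature check has passed.
              tar -xjf /tmp/monero-cli.tar.bz2 -C /opt/monero
              MONEROD=$(find /opt/monero -type f -name monerod | head -n1)
              install -m 0755 "$MONEROD" /opt/monero/bin/monerod
          volumeMounts:
            - name: monero-bin
              mountPath: /opt/monero
            - name: release-keys
              mountPath: /keys
              readOnly: true
      containers:
        - name: monerod
          image: debian:bookworm-slim
          command: ["/bin/sh", "-lc"]
          # --rpc-bind-ip 0.0.0.0 with --confirm-external-bind makes the RPC
          # port reachable by anything that can route to the pod IP, and
          # --restricted-rpc is not set, so the full RPC surface is served.
          # Limit clients with a NetworkPolicy, and add --restricted-rpc unless
          # a consumer needs the unrestricted calls.
          args:
            - |
              exec /opt/monero/bin/monerod \
                --data-dir /chain \
                --prune-blockchain \
                --rpc-bind-ip 0.0.0.0 --rpc-bind-port 18081 \
                --confirm-external-bind \
                --non-interactive \
                --max-concurrency 2
          ports:
            - name: rpc
              containerPort: 18081
          volumeMounts:
            - name: chain
              mountPath: /chain
            # Mounted at the same path the init container used. The binary is
            # written to bin/monerod inside the volume, so mounting the volume
            # at /opt/monero/bin would place it at /opt/monero/bin/bin/monerod
            # and the exec above would not find it. Read-only because the
            # runtime container never needs to modify its own executable.
            - name: monero-bin
              mountPath: /opt/monero
              readOnly: true
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            runAsUser: 1000
            capabilities:
              drop: ["ALL"]
          readinessProbe:
            httpGet:
              path: /get_info
              port: 18081
            initialDelaySeconds: 20
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /get_info
              port: 18081
            initialDelaySeconds: 60
            periodSeconds: 20
      volumes:
        # Blockchain data; persists across pod restarts.
        - name: chain
          persistentVolumeClaim:
            claimName: monerod-chain
        # Scratch volume that hands the verified binary from the init
        # container to the monerod container; recreated with every pod.
        - name: monero-bin
          emptyDir: {}
        # Public key used to verify the release signature.
        - name: release-keys
          configMap:
            name: monero-release-keys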