titan-iac/services/crypto/monerod/deployment.yaml


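# services/crypto/monerod/deployment.yaml
#
# Single-replica, pruned monerod node in the `crypto` namespace.
# An init container downloads the Monero CLI release into the chain volume;
# the main container then runs /data/monerod from that same volume.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: monerod
  namespace: crypto
  labels:
    app: monerod
spec:
  replicas: 1
  # Recreate stops the old pod before starting the new one.
  # Presumably chosen because the chain PVC cannot be mounted by two pods
  # at once -- confirm against the monerod-chain claim's access mode.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: monerod
  template:
    metadata:
      labels:
        app: monerod
    spec:
      securityContext:
        # Volume files get group 1000; ownership is only re-applied when the
        # volume root does not already match.
        fsGroup: 1000
        fsGroupChangePolicy: OnRootMismatch
      initContainers:
        # NOTE(review): this runs on every pod start, so each restart depends
        # on the Debian mirrors and the download host being reachable.
        # NOTE(review): `debian:bookworm-slim` is a mutable tag; pinning it by
        # digest (debian:bookworm-slim@sha256:<DIGEST>) makes the runtime
        # environment reproducible.
        - name: fetch-monero-cli
          image: debian:bookworm-slim
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -eux
              apt-get update
              apt-get install -y --no-install-recommends ca-certificates curl bzip2
              update-ca-certificates
              # Map the node architecture to the release artifact name.
              ARCH="$(uname -m)"
              case "$ARCH" in
                x86_64) F="monero-linux-x64" ;;
                aarch64|arm64) F="monero-linux-armv8" ;;
                armv7l) F="monero-linux-armv7" ;;
                *) echo "Unsupported arch: $ARCH" >&2; exit 1 ;;
              esac
              VER="v0.18.4.1"
              URL="https://downloads.getmonero.org/cli/${F}-${VER}.tar.bz2"
              echo "Downloading $URL"
              cd /data
              curl -fL "$URL" -o monero.tar.bz2
              # NOTE(review): the archive is extracted and later executed with
              # no integrity check beyond TLS. Pin the release SHA-256 for each
              # architecture (from the project's signed hashes file) and verify
              # before extracting, e.g.:
              #   echo "<SHA256_FOR_THIS_ARTIFACT>  monero.tar.bz2" | sha256sum -c -
              tar -xjf monero.tar.bz2 --strip-components=1
              rm -f monero.tar.bz2
          volumeMounts:
            - name: data
              mountPath: /data
      containers:
        - name: monerod
          image: debian:bookworm-slim
          command: ["/data/monerod"]
          # One flag per list item. The previous form was a single folded
          # scalar ("exec /data/monerod \ --data-dir=... ..."), which reached
          # monerod as ONE argument because `command` is not a shell.
          args:
            - --data-dir=/data
            - --non-interactive
            - --prune-blockchain
            # RPC must listen on the pod IP for the httpGet probes below.
            # NOTE(review): this is unrestricted RPC on all interfaces. If the
            # consumers allow it, add --restricted-rpc, and limit who can reach
            # port 18081 with a NetworkPolicy (Service/NetworkPolicy objects
            # are not visible in this file).
            - --rpc-bind-ip=0.0.0.0
            - --rpc-bind-port=18081
            - --confirm-external-bind
            - --p2p-bind-ip=0.0.0.0
            - --p2p-bind-port=18080
          # Container ports take `containerPort`; `port`/`targetPort` are
          # Service fields and are not valid here.
          ports:
            - name: rpc
              containerPort: 18081
            - name: p2p
              containerPort: 18080
          # NOTE(review): hardening is disabled, so monerod runs as the image's
          # default user with a writable root filesystem. Before enabling,
          # confirm the files on the PVC (written by the init container) are
          # accessible to UID 1000.
          # securityContext:
          #   allowPrivilegeEscalation: false
          #   readOnlyRootFilesystem: true
          #   runAsNonRoot: true
          #   runAsUser: 1000
          #   capabilities: { drop: ["ALL"] }
          readinessProbe:
            httpGet:
              path: /get_info
              port: 18081
            initialDelaySeconds: 120
            periodSeconds: 10
            timeoutSeconds: 3
            failureThreshold: 6
          livenessProbe:
            httpGet:
              path: /get_info
              port: 18081
            initialDelaySeconds: 300
            periodSeconds: 20
            timeoutSeconds: 3
            failureThreshold: 6
          volumeMounts:
            - name: data
              mountPath: /data
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: monerod-chain
        - name: tmp
          emptyDir: {}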