1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
apiVersion: apps/v1
kind: Deployment
metadata:
name: meta
spec:
replicas: 1
selector:
matchLabels:
component: meta
template:
metadata:
labels:
component: meta
spec:
containers:
- name: main
image: ghcr.io/xdavidwu/c/metasrht:3554
volumeMounts:
- name: secrets
mountPath: /etc/sr.ht/config.ini
subPath: config.ini
# PAM from host via pam_unix
# XXX perhaps socket-interfaced PAM instead (sssd?)
# or consider remote auth (is NIS or LDAP worth it?)
- name: passwd
mountPath: /etc/passwd
readOnly: true
- name: shadow
mountPath: /etc/shadow
readOnly: true
- name: group
mountPath: /etc/group
readOnly: true
readinessProbe:
httpGet:
port: 5000
securityContext:
runAsGroup: 0
- name: api
image: ghcr.io/xdavidwu/c/metasrht:3554
command:
- /usr/bin/meta.sr.ht-api
- metasrht.app:app
volumeMounts:
- name: secrets
mountPath: /etc/sr.ht/config.ini
subPath: config.ini
readinessProbe:
httpGet:
port: 5100
path: /query/api-meta.json
- name: webhooks
image: ghcr.io/xdavidwu/c/metasrht:3554
command:
- /usr/bin/celery
- -A
- metasrht.webhooks
- worker
- --loglevel=info
- --concurrency=2
volumeMounts:
- name: secrets
mountPath: /etc/sr.ht/config.ini
subPath: config.ini
nodeSelector:
kubernetes.io/hostname: parto
volumes:
- name: secrets
secret:
secretName: secrets
- name: passwd
hostPath:
path: /etc/passwd
type: File
- name: shadow
hostPath:
path: /etc/shadow
type: File
- name: group
hostPath:
path: /etc/group
type: File