---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: invidious-companion
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: invidious-companion
  template:
    metadata:
      labels:
        app: invidious-companion
    spec:
      initContainers:
      - name: vpn
        restartPolicy: Always
        image: qmcgaw/gluetun:v3.40.0
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
        env:
        - name: OPENVPN_PASSWORD
          valueFrom:
            secretKeyRef:
              name: openvpn-secrets
              key: OPENVPN_PASSWORD
        - name: OPENVPN_USER
          valueFrom:
            secretKeyRef:
              name: openvpn-secrets
              key: OPENVPN_USER
        - name: VPN_SERVICE_PROVIDER
          value: "surfshark"
        - name: SERVER_COUNTRIES
          value: "Netherlands"
        - name: FIREWALL_INPUT_PORTS
          value: "8282"
        - name: FIREWALL_VPN_INPUT_PORTS
          value: "8282"
        - name: FIREWALL_OUTBOUND_SUBNETS
          value: "192.168.1.0/24"
        volumeMounts:
        - name: companion-cache
          mountPath: /var/tmp/youtubei.js
          subPath: youtubei.js
      containers:
      - name: invidious-companion
        image: quay.io/invidious/invidious-companion@sha256:b07edc4d81efc756ec3e625993db086c23e748db861abd6e0943fe43042c3407
        env:
        - name: SERVER_SECRET_KEY
          valueFrom:
            secretKeyRef:
              name: invidious-secrets
              key: SERVER_SECRET_KEY
        ports:
        - containerPort: 8283
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
            - ALL
        volumeMounts:
        - name: companion-cache
          mountPath: /var/tmp/youtubei.js
          subPath: youtubei.js
      volumes:
      - name: companion-cache
        persistentVolumeClaim:
          claimName: longhorn-invidious-cache