---
apiVersion: v1
kind: Secret
metadata:
  name: gcsr-secrets
type: Opaque
data:
  username: "Z2l0LXRhemppbi5nbWFpbC5jb20="
  # This credential is a GCSR 'gitcookie' token.
  password: '{{ passLookup "gcsr-tazjin-password" | b64enc }}'
  # This credential is an OAuth token for builds.sr.ht
  sourcehut: '{{ passLookup "sr.ht-token" | b64enc }}'
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: cgit
  labels:
    app: cgit
spec:
  replicas: 1
  selector:
    matchLabels:
      app: cgit
  template:
    metadata:
      labels:
        app: cgit
    spec:
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
      containers:
      - name: cgit
        image: nixery.local/shell/web.cgit-taz:{{ gitHEAD }}
        command: [ "cgit-launch" ]
        env:
          - name: HOME
            value: /git
        volumeMounts:
          - name: git-volume
            mountPath: /git
      - name: sync-gcsr
        image: nixery.local/shell/ops.sync-gcsr:{{ gitHEAD }}
        command: [ "sync-gcsr" ]
        env:
          - name: SYNC_USER
            valueFrom:
              secretKeyRef:
                name: gcsr-secrets
                key: username
          - name: SYNC_PASS
            valueFrom:
              secretKeyRef:
                name: gcsr-secrets
                key: password
          - name: SRHT_TOKEN
            valueFrom:
              secretKeyRef:
                name: gcsr-secrets
                key: sourcehut
        volumeMounts:
          - name: git-volume
            mountPath: /git
      volumes:
        - name: git-volume
          emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
  name: cgit
spec:
  selector:
    app: cgit
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080