wild-directory/lemmy/deployment-backend.yaml

apiVersion: apps/v1
kind: Deployment
metadata:
  name: lemmy-backend
  namespace: {{ .namespace }}
spec:
  replicas: {{ .backendReplicas }}
  selector:
    matchLabels:
      component: backend
  template:
    metadata:
      labels:
        component: backend
    spec:
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      initContainers:
      - name: config-prep
        image: busybox:stable
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: [ALL]
          readOnlyRootFilesystem: true
        command:
        - sh
        - -c
        - |
          cp /config-template/lemmy.hjson /config/lemmy.hjson
          sed -i "s|DBPASSWORD|${DB_PASSWORD}|g" /config/lemmy.hjson
          sed -i "s|PICTRS_API_KEY|${PICTRS_API_KEY}|g" /config/lemmy.hjson
          sed -i "s|SMTP_PASSWORD|${SMTP_PASSWORD}|g" /config/lemmy.hjson
          sed -i "s|ADMIN_PASSWORD|${ADMIN_PASSWORD}|g" /config/lemmy.hjson
        env:
        - name: DB_PASSWORD
          valueFrom:
            secretKeyRef:
              name: lemmy-secrets
              key: dbPassword
        - name: PICTRS_API_KEY
          valueFrom:
            secretKeyRef:
              name: lemmy-secrets
              key: jwtSecret
        - name: SMTP_PASSWORD
          valueFrom:
            secretKeyRef:
              name: lemmy-secrets
              key: smtpPassword
        - name: ADMIN_PASSWORD
          valueFrom:
            secretKeyRef:
              name: lemmy-secrets
              key: adminPassword
        volumeMounts:
        - name: config-template
          mountPath: /config-template
        - name: config
          mountPath: /config
      containers:
      - name: backend
        image: {{ .backendImage }}
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: [ALL]
          readOnlyRootFilesystem: false
        env:
        - name: LEMMY_CONFIG_LOCATION
          value: /config/lemmy.hjson
        - name: TZ
          value: "{{ .timezone }}"
        ports:
        - containerPort: {{ .backendPort }}
          name: http
        volumeMounts:
        - name: config
          mountPath: /config
        livenessProbe:
          httpGet:
            path: /api/v3/site
            port: {{ .backendPort }}
          initialDelaySeconds: 30
          periodSeconds: 10
        readinessProbe:
          httpGet:
            path: /api/v3/site
            port: {{ .backendPort }}
          initialDelaySeconds: 10
          periodSeconds: 5
      volumes:
      - name: config-template
        configMap:
          name: lemmy-config
      - name: config
        emptyDir: {}