From ff98c7e3b52d51b1dd76df1c8dcac39c98644150 Mon Sep 17 00:00:00 2001
From: technofab
Date: Sun, 10 Mar 2024 14:53:01 +0100
Subject: [PATCH] fix(attic): securityContext improvements and conditionally switch to StatefulSet

---
 nixlets/attic/deployment.nix | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/nixlets/attic/deployment.nix b/nixlets/attic/deployment.nix
index b76d58e..9435131 100644
--- a/nixlets/attic/deployment.nix
+++ b/nixlets/attic/deployment.nix
@@ -3,15 +3,26 @@
 lib,
 ...
 }: {
- kubernetes.resources = {
- deployments."${values.uniqueName}" = {
+ kubernetes.resources = let
+ # switch to a StatefulSet if we don't use an external storage configuration
+ type =
+ if values.externalStorage
+ then "deployments"
+ else "statefulSets";
+ in {
+ ${type}."${values.uniqueName}" = {
 spec = {
 replicas = values.replicaCount;
 selector.matchLabels.app = "${values.uniqueName}";
+ serviceName = "attic";
 template = {
 metadata.labels.app = "${values.uniqueName}";
 spec = {
- securityContext.fsGroup = 1000;
+ securityContext = {
+ fsGroup = 1000;
+ runAsUser = 1000;
+ runAsGroup = 1000;
+ };
 containers."api-server" = {
 image = "${values.image.repository}:${values.image.tag}";
 imagePullPolicy = values.image.pullPolicy;
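Review bot: `serviceName = "attic";` is added to `spec` unconditionally, so it is also emitted when `type` resolves to `"deployments"`, where a Deployment spec has no such field; it is also a fixed string while every other name in the hunk derives from `values.uniqueName`. Consider setting it only on the StatefulSet branch, for example by merging `lib.optionalAttrs (!values.externalStorage) { serviceName = values.uniqueName; }` into `spec`, using whatever name the governing Service (not visible here) actually carries. On the hardening side, the new pod-level `securityContext` pins UID/GID 1000 but does not assert it: adding `runAsNonRoot = true;` and `seccompProfile.type = "RuntimeDefault";` would make the kubelet refuse a root start and apply the default syscall filter. The `api-server` container block continues outside the hunk, so whether `allowPrivilegeEscalation = false` and `capabilities.drop = ["ALL"]` are set there cannot be checked from this hunk.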