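---
# Deployment for the wg-easy container: one pod exposing a UDP port named
# "wg" and a TCP port named "http", with the NET_ADMIN and SYS_MODULE
# capabilities added and /etc/wireguard backed by a PersistentVolumeClaim.
# The manifest was collapsed onto a single line, which does not parse as the
# intended mapping; the block structure is restored here.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wg-easy
  namespace: wg-easy
spec:
  selector:
    matchLabels:
      app: wg-easy
  template:
    metadata:
      labels:
        app: wg-easy
    spec:
      # Pod-level sysctls, left disabled as in the original. Neither name is
      # in Kubernetes' default safe-sysctl set, so enabling this block also
      # needs the node's kubelet to permit them (--allowed-unsafe-sysctls);
      # without that the pod is scheduled but fails to start.
      # securityContext:
      #   sysctls:
      #     - name: net.ipv4.ip_forward
      #       value: "1"
      #     - name: net.ipv4.conf.all.src_valid_mark
      #       value: "1"
      containers:
        - name: wg-easy
          # NOTE(review): no tag or digest is given, so this resolves to the
          # registry's "latest", and imagePullPolicy: Always re-pulls it on
          # every pod start. A container holding NET_ADMIN/SYS_MODULE then
          # runs whatever was most recently pushed. Pin a reviewed release,
          # ideally by digest, e.g.
          #   image: ghcr.io/wg-easy/wg-easy@sha256:<DIGEST-PLACEHOLDER>
          image: ghcr.io/wg-easy/wg-easy
          imagePullPolicy: Always
          envFrom:
            # Every key of this ConfigMap becomes an environment variable.
            # ConfigMaps are not meant for confidential data; if
            # wg-easy-config carries an admin password or password hash
            # (not visible from this manifest), move those keys to a Secret
            # and load them with secretRef instead.
            - configMapRef:
                name: wg-easy-config
                optional: false
          ports:
            - containerPort: 30000
              name: wg
              protocol: UDP
            # NOTE(review): named "http", so presumably served without TLS.
            # Keep it cluster-internal or behind a TLS-terminating,
            # authenticated ingress rather than exposing it directly.
            - containerPort: 51821
              name: http
              protocol: TCP
          securityContext:
            capabilities:
              add:
                # Allows changing interfaces, routes and firewall rules in
                # the pod's network namespace.
                - NET_ADMIN
                # Allows loading modules into the node's kernel, which is
                # shared with every other workload on that node; treat this
                # container as host-privileged.
                # NOTE(review): presumably only needed to load the wireguard
                # module. If the nodes already provide it, confirm and remove
                # this capability.
                - SYS_MODULE
          volumeMounts:
            # NOTE(review): /etc/wireguard presumably holds the tunnel's
            # private keys; handle the PVC, its snapshots and its backups as
            # secret material.
            - name: config
              mountPath: /etc/wireguard
      restartPolicy: Always
      volumes:
        - name: config
          persistentVolumeClaim:
            claimName: wg-easy-config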