apiVersion: apps/v1
kind: Deployment
metadata:
  name: qbittorrent
  namespace: media
spec:
  selector:
    matchLabels:
      app: qbittorrent
  template:
    metadata:
      labels:
        app: qbittorrent
    spec:
      securityContext:
        sysctls:
        - name: net.ipv4.conf.all.src_valid_mark
          value: "1"
      containers:
      - name: qbittorrent
        image: lscr.io/linuxserver/qbittorrent:libtorrentv1
        envFrom:
        - configMapRef:
            name: qbittorrent-config
            optional: false
        ports:
        - containerPort: 8080
          name: http
          protocol: TCP
        volumeMounts:
        - name: qbittorrent-config
          mountPath: /config
        - name: data
          mountPath: /data/downloads
          subPath: downloads
      - name: wireguard
        image: lscr.io/linuxserver/wireguard:latest
        envFrom:
        - configMapRef:
            name: wireguard-config
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
        volumeMounts:
        - name: wireguard-config-secret
          mountPath: /config/wg_confs
        - name: wireguard-config
          mountPath: /config
        - name: natpmp-script
          mountPath: /custom-services.d/natpmp.sh
          subPath: natpmp.sh
          readOnly: true
      volumes:
      - name: qbittorrent-config
        persistentVolumeClaim:
          claimName: qbittorrent-config
      - name: data
        persistentVolumeClaim:
          claimName: media-data
      - name: wireguard-config
        persistentVolumeClaim:
          claimName: wireguard-config
      - name: wireguard-config-secret
        secret:
          secretName: wireguard-config-secret
      - name: natpmp-script
        configMap:
          name: natpmp-script