apiVersion: apps/v1
kind: Deployment
metadata:
  name: wg-easy
  namespace: wg-easy
spec:
  selector:
    matchLabels:
      app: wg-easy
  template:
    metadata:
      labels:
        app: wg-easy
    spec:
      securityContext:
        sysctls:
        - name: net.ipv4.ip_forward
          value: "1"
        - name: net.ipv4.conf.all.src_valid_mark
          value: "1"
      containers:
      - name: wg-easy
        image: ghcr.io/wg-easy/wg-easy
        imagePullPolicy: Always
        envFrom:
        - configMapRef:
            name: wg-easy-config
            optional: false
        ports:
        - containerPort: 51820
          protocol: UDP
        - containerPort: 51821
        securityContext:
          capabilities:
            add:
            - NET_ADMIN
            - SYS_MODULE
        volumeMounts:
        - name: config
          mountPath: /etc/wireguard
      restartPolicy: Always
      volumes:
      - name: config
        persistentVolumeClaim: 
          claimName: wg-easy-config