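---
# WordPress (php-fpm) + nginx sidecar for the virtualinsanity site.
# Hardening changes vs. the previous revision: no projected service-account
# token, pod-wide seccomp, all capabilities dropped, and the root init
# container limited to the two capabilities chown actually needs.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: virtualinsanity-wordpress
  namespace: wordpress
  labels:
    app: wordpress
    site: virtualinsanity
spec:
  replicas: 1
  selector:
    matchLabels:
      app: wordpress
      site: virtualinsanity
  template:
    metadata:
      labels:
        app: wordpress
        site: virtualinsanity
    spec:
      # Nothing in this pod talks to the Kubernetes API. WordPress plugins are
      # a frequent RCE vector; a webshell must not find a usable SA token.
      automountServiceAccountToken: false
      securityContext:
        # Pod-wide syscall filter; required by the "restricted" Pod Security
        # Standard and a no-op for anything nginx/php-fpm normally does.
        seccompProfile:
          type: RuntimeDefault
      initContainers:
        # Fixes ownership of the PVC so the uid-33 wordpress container can
        # write to it. This is the only root process in the pod.
        # NOTE(review): if the CSI driver honours fsGroup, a pod-level
        # `fsGroup: 33` with `fsGroupChangePolicy: OnRootMismatch` would make
        # this root init container unnecessary -- confirm with the storage class.
        - name: volume-permissions
          # TODO: pin to a versioned tag or digest; `latest` is mutable and
          # is pulled fresh on every node that has not cached it.
          image: alpine:latest
          command: ["sh", "-c", "chown -R 33:33 /var/www/html/wp-content"]
          securityContext:
            runAsNonRoot: false  # chown of files owned by another uid needs root
            runAsUser: 0
            runAsGroup: 0
            # Root already holds what chown needs, so there is no reason to
            # allow setuid/file-capability escalation, and the only writes are
            # metadata changes inside the mounted volume.
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
              # CHOWN for chown(2) itself; DAC_OVERRIDE so -R can descend into
              # directories whose mode would otherwise block uid 0.
              add: ["CHOWN", "DAC_OVERRIDE"]
          volumeMounts:
            - name: wp-content
              mountPath: /var/www/html/wp-content
      containers:
        - name: wordpress
          # TODO: pin to a digest so a silently retagged upstream image cannot
          # change what runs here.
          image: wordpress:php8.2-fpm-alpine
          ports:
            - containerPort: 9000
          securityContext:
            runAsNonRoot: true
            runAsUser: 33
            runAsGroup: 33
            allowPrivilegeEscalation: false
            # Left writable: only wp-content is a volume, and the official
            # image is expected to populate /var/www/html at start.
            # NOTE(review): confirm that before flipping this to true.
            readOnlyRootFilesystem: false
            capabilities:
              drop: ["ALL"]
          # NOTE(review): no `resources` stanza -- add requests/limits so a
          # runaway PHP worker cannot starve the node. Values depend on the
          # cluster, so none are invented here.
          volumeMounts:
            - name: wp-content
              mountPath: /var/www/html/wp-content
            - name: tmp-dir
              mountPath: /tmp
            - name: run-dir
              mountPath: /var/run
            - name: php-session-save-path
              mountPath: /var/lib/php/sessions
            - name: nginx-cache
              mountPath: /var/cache/nginx
          env:
            - name: WORDPRESS_DB_HOST
              value: "wordpress-db-rw.wordpress.svc.cluster.local"
            # Credentials come from the Secret, never from the manifest.
            - name: WORDPRESS_DB_NAME
              valueFrom:
                secretKeyRef:
                  name: virtualinsanity-db-secret
                  key: dbname
            - name: WORDPRESS_DB_USER
              valueFrom:
                secretKeyRef:
                  name: virtualinsanity-db-secret
                  key: username
            - name: WORDPRESS_DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: virtualinsanity-db-secret
                  key: password
            # NOTE(review): the official image's generated wp-config reads
            # WORDPRESS_* variables; if these two are meant to pin the site URL
            # (and stop Host-header-derived URLs), they may need to be set via
            # WORDPRESS_CONFIG_EXTRA instead -- verify in the running container.
            - name: WP_HOME
              value: "https://virtualinsanity.giaco.net"
            - name: WP_SITEURL
              value: "https://virtualinsanity.giaco.net"
        - name: nginx
          # TODO: pin to a versioned tag or digest (see wordpress container).
          image: nginx:alpine
          ports:
            # NOTE(review): as uid 101 nginx can only bind :80 if the runtime
            # permits unprivileged low ports (net.ipv4.ip_unprivileged_port_start).
            # Kubernetes grants no ambient capabilities to non-root processes,
            # so adding NET_BIND_SERVICE here would not help; if the bind
            # fails, listen on 8080 in the ConfigMap and adjust the Service.
            - containerPort: 80
          securityContext:
            runAsNonRoot: true
            runAsUser: 101
            runAsGroup: 101
            allowPrivilegeEscalation: false
            # /var/run and /var/cache/nginx are already emptyDirs; this could
            # probably be true -- confirm the entrypoint scripts need nothing
            # else writable before changing it.
            readOnlyRootFilesystem: false
            capabilities:
              drop: ["ALL"]
          volumeMounts:
            # Shared with the wordpress container so nginx can serve uploads
            # and theme assets directly; it needs read access only.
            - name: wp-content
              mountPath: /var/www/html/wp-content
            - name: tmp-dir
              mountPath: /tmp
            - name: run-dir
              mountPath: /var/run
            - name: nginx-cache
              mountPath: /var/cache/nginx
            - name: nginx-conf
              mountPath: /etc/nginx/conf.d/default.conf
              subPath: default.conf
      volumes:
        - name: wp-content
          persistentVolumeClaim:
            claimName: virtualinsanity-wp-content
        - name: tmp-dir
          emptyDir: {}
        - name: run-dir
          emptyDir: {}
        - name: php-session-save-path
          emptyDir: {}
        - name: nginx-cache
          emptyDir: {}
        - name: nginx-conf
          configMap:
            name: virtualinsanity-nginx-conf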