# Mealie on ringtail k3s — Nix image.
#
# Single gunicorn process (the Nix image's default `mealie-run` entrypoint
# runs init_db then gunicorn), serving the prebuilt frontend. DB is SQLite
# on the mealie-data PVC; its contents are copied from the minikube PVC at
# cutover. See [[migrate-wave1-ringtail]].
apiVersion: apps/v1
kind: Deployment
metadata:
  name: mealie
  namespace: mealie
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: mealie
  template:
    metadata:
      labels:
        app: mealie
    spec:
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: mealie
          image: registry.ops.eblu.me/blumeops/mealie:kustomized
          ports:
            - containerPort: 9000
          env:
            - name: BASE_URL
              value: "https://meals.ops.eblu.me"
            - name: ALLOW_SIGNUP
              value: "false"
            - name: TZ
              value: "America/Los_Angeles"
            - name: MAX_WORKERS
              value: "1"
            - name: WEB_CONCURRENCY
              value: "1"
            # OIDC — Authentik (public client, PKCE)
            - name: OIDC_AUTH_ENABLED
              value: "true"
            - name: OIDC_CONFIGURATION_URL
              value: "https://authentik.ops.eblu.me/application/o/mealie/.well-known/openid-configuration"
            - name: OIDC_CLIENT_ID
              value: "mealie"
            - name: OIDC_CLIENT_SECRET
              valueFrom:
                secretKeyRef:
                  name: mealie-secrets
                  key: oidc-client-secret
            - name: OIDC_AUTO_REDIRECT
              value: "false"
            - name: OIDC_PROVIDER_NAME
              value: "Authentik"
            - name: OIDC_ADMIN_GROUP
              value: "admins"
            - name: OIDC_SIGNUP_ENABLED
              value: "true"
            - name: OIDC_USER_CLAIM
              value: "email"
            # OpenAI — recipe parsing, image OCR, ingredient extraction
            - name: OPENAI_API_KEY
              valueFrom:
                secretKeyRef:
                  name: mealie-secrets
                  key: openai-api-key
            - name: OPENAI_MODEL
              value: "gpt-4o"
            - name: OPENAI_REQUEST_TIMEOUT
              value: "120"
            - name: OPENAI_WORKERS
              value: "1"
          volumeMounts:
            - name: data
              mountPath: /app/data
          resources:
            requests:
              memory: "128Mi"
              cpu: "50m"
            limits:
              memory: "1000Mi"
              cpu: "500m"
          livenessProbe:
            httpGet:
              path: /api/app/about
              port: 9000
            initialDelaySeconds: 30
            periodSeconds: 30
          readinessProbe:
            httpGet:
              path: /api/app/about
              port: 9000
            initialDelaySeconds: 10
            periodSeconds: 10
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: mealie-data