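---
# Deployment "nas-ssh" (namespace "nas"): one OpenSSH server pod backed by the
# "nas-data" PersistentVolumeClaim. An init container resets ownership and
# modes under /config on every start and installs the sshd drop-in
# 00-chroot.conf from the "nas-sshd-config" ConfigMap before sshd starts.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nas-ssh
  namespace: nas
spec:
  # NOTE(review): the default RollingUpdate strategy starts the new pod before
  # the old one stops. If "nas-data" is ReadWriteOnce the new pod may fail to
  # attach the volume; confirm the claim's access mode.
  replicas: 1
  selector:
    matchLabels:
      app: nas-ssh
  template:
    metadata:
      labels:
        app: nas-ssh
    spec:
      # Nothing in this manifest uses the Kubernetes API, and the pod hosts
      # interactive SSH sessions. Not mounting the service account token keeps
      # API credentials out of reach of a logged-in user or a compromised
      # sshd. If API access is ever needed, bind a dedicated, minimally
      # scoped ServiceAccount instead of re-enabling the default one.
      automountServiceAccountToken: false
      securityContext:
        # fsGroup adds GID 1000 as a supplemental group and lets the kubelet
        # set group ownership on the mounted volume. Depending on the volume
        # type and fsGroupChangePolicy this may loosen group permissions on
        # existing files at mount time; the init container below runs after
        # the mount and tightens them again.
        fsGroup: 1000
      initContainers:
        # Prepares /config on the data volume:
        #   /config                        root:root  755
        #   /config/data                   1000:1000  750
        #   /config/ssh_host_keys          root:root  700
        #   /config/ssh_host_keys/<file>   root:root  600 (regular files only)
        #   /config/sshd/sshd_config.d/00-chroot.conf  root:root  644
        # The root-owned, non-group-writable /config presumably satisfies
        # sshd's ChrootDirectory ownership check; 00-chroot.conf is not shown
        # here, so confirm against the ConfigMap.
        # No runAsUser is set, so this container runs as the image's default
        # user; the chown calls below need that to be root.
        - name: prepare-config
          image: alpine:3.20.3
          imagePullPolicy: IfNotPresent
          command:
            - /bin/sh
            - -c
            - |
              set -euo pipefail
              chown root:root /config
              chmod 755 /config
              mkdir -p /config/data
              chown 1000:1000 /config/data
              chmod 750 /config/data
              mkdir -p /config/ssh_host_keys
              chown root:root /config/ssh_host_keys
              chmod 700 /config/ssh_host_keys
              for key in /config/ssh_host_keys/*; do
                [ -f "$key" ] || continue
                chown root:root "$key"
                chmod 600 "$key"
              done
              mkdir -p /config/sshd/sshd_config.d
              cp /defaults/00-chroot.conf /config/sshd/sshd_config.d/00-chroot.conf
              chown root:root /config/sshd/sshd_config.d/00-chroot.conf
              chmod 644 /config/sshd/sshd_config.d/00-chroot.conf
          volumeMounts:
            - name: data
              mountPath: /config
            # Single file from the ConfigMap, mounted read-only; the script
            # copies it so the live drop-in is a root-owned regular file on
            # the data volume.
            - name: sshd-config
              mountPath: /defaults/00-chroot.conf
              subPath: 00-chroot.conf
              readOnly: true
      containers:
        - name: ssh
          # NOTE(review): both images are referenced by tag only. Pinning by
          # digest (image: <repo>@sha256:<digest-placeholder>) would guarantee
          # the same content on every pull; IfNotPresent also means a re-pushed
          # tag is not picked up on nodes that already cache it.
          image: lscr.io/linuxserver/openssh-server:version-10.0_p1-r9
          imagePullPolicy: IfNotPresent
          # NOTE(review): no container-level securityContext is set.
          # allowPrivilegeEscalation: false and a reduced capability set are
          # worth evaluating, but this image presumably starts as root and
          # drops to PUID/PGID, so test before enforcing.
          env:
            # UID/GID for the login user; matches fsGroup and the owner of
            # /config/data set by the init container.
            - name: PUID
              value: "1000"
            - name: PGID
              value: "1000"
            - name: TZ
              value: Etc/UTC
            - name: USER_NAME
              value: nas
            # Quoted so they reach the container as the strings "false" and
            # "true" (env values must be strings). Sudo and password login
            # are disabled; authentication is by public key only.
            - name: SUDO_ACCESS
              value: "false"
            - name: PASSWORD_ACCESS
              value: "false"
            - name: LOG_STDOUT
              value: "true"
            # Authorized public key, read from a Secret so it can be rotated
            # without editing this manifest. Env values from a Secret are
            # fixed at container start; restart the pod after rotating.
            - name: PUBLIC_KEY
              valueFrom:
                secretKeyRef:
                  name: nas-ssh-authorized-keys
                  key: public_key
          ports:
            # Unprivileged port (above 1024).
            - containerPort: 2222
              name: ssh
              protocol: TCP
          volumeMounts:
            - name: data
              mountPath: /config
          resources:
            requests:
              cpu: 50m
              memory: 128Mi
            # Memory is capped; no CPU limit is set.
            limits:
              memory: 512Mi
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: nas-data
        - name: sshd-config
          configMap:
            name: nas-sshd-config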