klaster/apps/nas/deployment.yaml
2025-11-03 00:56:36 +01:00


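---
# Single-replica OpenSSH server ("nas-ssh") in the "nas" namespace.
# The PVC `nas-data` is mounted at /config in both containers. Password login
# and sudo are switched off through the image's environment variables, and the
# authorized public key is injected from a Secret.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nas-ssh
  namespace: nas
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nas-ssh
  template:
    metadata:
      labels:
        app: nas-ssh
    spec:
      # Nothing in the visible container configuration uses the Kubernetes
      # API, so do not mount a service-account token into a pod whose purpose
      # is to give remote users a login.
      automountServiceAccountToken: false
      securityContext:
        # Volumes that support ownership management are made accessible to
        # GID 1000, the same GID the ssh container is given via PGID.
        fsGroup: 1000
      initContainers:
        # Runs to completion before the ssh container starts: resets
        # ownership and modes under /config and installs the sshd drop-in.
        # NOTE(review): images are pinned by tag only; pinning by digest
        # (image@sha256:<digest>) would make the pulled content immutable.
        - name: prepare-config
          image: alpine:3.20.3
          imagePullPolicy: IfNotPresent
          securityContext:
            # The script only uses the privileges it starts with (chown,
            # chmod, mkdir, cp); it never needs to gain more.
            allowPrivilegeEscalation: false
          command:
            - /bin/sh
            - -c
            - |
              set -euo pipefail
              # Volume root: root-owned, not writable by group or others.
              chown root:root /config
              chmod 755 /config
              # User data area: owned by UID/GID 1000, closed to others.
              mkdir -p /config/data
              chown 1000:1000 /config/data
              chmod 750 /config/data
              # Host keys: directory and every regular file root-only.
              mkdir -p /config/ssh_host_keys
              chown root:root /config/ssh_host_keys
              chmod 700 /config/ssh_host_keys
              for key in /config/ssh_host_keys/*; do
                # Skips the unexpanded glob when the directory is empty.
                [ -f "$key" ] || continue
                chown root:root "$key"
                chmod 600 "$key"
              done
              # Copy the drop-in from the read-only ConfigMap mount so the
              # file on the volume is root-owned and not writable by others.
              mkdir -p /config/sshd/sshd_config.d
              cp /defaults/00-chroot.conf /config/sshd/sshd_config.d/00-chroot.conf
              chown root:root /config/sshd/sshd_config.d/00-chroot.conf
              chmod 644 /config/sshd/sshd_config.d/00-chroot.conf
          volumeMounts:
            - name: data
              mountPath: /config
            - name: sshd-config
              mountPath: /defaults/00-chroot.conf
              subPath: 00-chroot.conf
              readOnly: true
      containers:
        # NOTE(review): no container-level securityContext is set here.
        # Whether allowPrivilegeEscalation: false and a reduced capability
        # set work with this image's startup needs testing before adding.
        - name: ssh
          image: lscr.io/linuxserver/openssh-server:version-10.0_p1-r9
          imagePullPolicy: IfNotPresent
          env:
            - name: PUID
              value: "1000"
            - name: PGID
              value: "1000"
            - name: TZ
              value: Etc/UTC
            - name: USER_NAME
              value: nas
            # Key-only login without sudo: both switches are explicitly off.
            - name: SUDO_ACCESS
              value: "false"
            - name: PASSWORD_ACCESS
              value: "false"
            - name: LOG_STDOUT
              value: "true"
            # A public key is not confidential, but keeping it in a Secret
            # puts changes to who may log in behind Secret RBAC.
            - name: PUBLIC_KEY
              valueFrom:
                secretKeyRef:
                  name: nas-ssh-authorized-keys
                  key: public_key
          ports:
            - containerPort: 2222
              name: ssh
              protocol: TCP
          volumeMounts:
            - name: data
              mountPath: /config
          resources:
            requests:
              cpu: 50m
              memory: 128Mi
            limits:
              memory: 512Mi
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: nas-data
        - name: sshd-config
          configMap:
            name: nas-sshd-config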