{{- if eq .Values.CLAMAV_ENABLED "yes" }}
apiVersion: apps/v1
kind: Deployment
metadata:
  annotations:
    kompose.version: 1.37.0 (fb0539e64)
  labels:
    io.kompose.service: nextcloud-aio-clamav
  name: nextcloud-aio-clamav
  namespace: "{{ .Values.NAMESPACE }}"
spec:
  replicas: 1
  selector:
    matchLabels:
      io.kompose.service: nextcloud-aio-clamav
  strategy:
    type: Recreate
  template:
    metadata:
      annotations:
        kompose.version: 1.37.0 (fb0539e64)
      labels:
        io.kompose.service: nextcloud-aio-clamav
    spec:
      securityContext:
        # The items below only work in pod context
        fsGroup: 100
        fsGroupChangePolicy: "OnRootMismatch"
        # The items below work in both contexts
        runAsUser: 100
        runAsGroup: 100
        runAsNonRoot: true
        {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }}
        seccompProfile:
          type: RuntimeDefault
        {{- end }}
      initContainers:
        - name: init-subpath
          image: ghcr.io/nextcloud-releases/aio-alpine:20250927_081431
          command:
            - mkdir
            - "-p"
            - /nextcloud-aio-clamav/data
          volumeMounts:
            - name: nextcloud-aio-clamav
              mountPath: /nextcloud-aio-clamav
          securityContext:
            # The items below only work in container context
            allowPrivilegeEscalation: false
            capabilities:
              {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }}
              drop: ["ALL"]
              {{- else }}
              drop: ["NET_RAW"]
              {{- end }}
      containers:
        - env:
            - name: MAX_SIZE
              value: "{{ .Values.NEXTCLOUD_UPLOAD_LIMIT }}"
            - name: TZ
              value: "{{ .Values.TIMEZONE }}"
          image: ghcr.io/nextcloud-releases/aio-clamav:20250927_081431
          readinessProbe:
            exec:
              command:
                - /healthcheck.sh
            failureThreshold: 9
            initialDelaySeconds: 60
            periodSeconds: 30
            timeoutSeconds: 30
          livenessProbe:
            exec:
              command:
                - /healthcheck.sh
            failureThreshold: 9
            initialDelaySeconds: 60
            periodSeconds: 30
            timeoutSeconds: 30
          name: nextcloud-aio-clamav
          ports:
            - containerPort: 3310
              protocol: TCP
          securityContext:
            # The items below only work in container context
            allowPrivilegeEscalation: false
            capabilities:
              {{- if eq (.Values.RPSS_ENABLED | default "no") "yes" }}
              drop: ["ALL"]
              {{- else }}
              drop: ["NET_RAW"]
              {{- end }}
          volumeMounts:
            - mountPath: /var/lib/clamav
              subPath: data
              name: nextcloud-aio-clamav
      volumes:
        - name: nextcloud-aio-clamav
          persistentVolumeClaim:
            claimName: nextcloud-aio-clamav
{{- end }}