apiVersion: apps/v1
kind: Deployment
metadata:
  name: wireguard-socks
spec:
  selector:
    matchLabels:
      app: wireguard-socks
  template:
    spec:
      volumes:
        - name: config
          secret:
            secretName: wireguard
      initContainers:
        - name: setup
          image: busybox
          command:
          - sysctl 
          - -w
          - net.ipv4.conf.all.src_valid_mark=1
          securityContext:
            privileged: true
      containers:
        - name: wireguard
          image: linuxserver/wireguard:amd64-1.0.20210914
          resources:
            limits:
              cpu: 50m
              memory: 32Mi
          imagePullPolicy: IfNotPresent
          securityContext:
            privileged: false
            capabilities:
              add:
                - NET_ADMIN
                - SYS_MODULE
          volumeMounts:
            - name: config
              mountPath: /config
        - name: socks5
          image: netbyte/socks5-server
          resources:
            limits:
              cpu: 50m
              memory: 32Mi
          args:
            - '-l'
            - ':1089'
          imagePullPolicy: IfNotPresent