# NATS — JetStream-enabled message broker, leafnode-capable
# JetStream enabled with persistent storage via local-path PVC
# Unpinned — scheduler places freely
# NodePorts: 32386 (client), 32387 (websocket), 32388 (monitoring), 32389 (leaf)
#
# Deploy:
#   kubectl create secret generic nats-leaf-secret \
#     --namespace <ns> \
#     --from-literal=password="$(openssl rand -base64 32)"
#   kubectl apply -f nats.yaml -n <ns>
#
# Internal cluster DNS: nats:4222
# WebSocket: nats:8080
# Monitoring: nats:8222
# Leafnode: nats:7422 (user=leaf, password from secret)
#
# Leaf client config snippet (workstation / VPS):
#   leafnodes {
#     remotes = [
#       { urls: ["nats-leaf://leaf:PASSWORD@<any-node-wg-ip>:32389"] }
#     ]
#   }

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: nats-config
data:
  nats.conf: |
    jetstream {
      store_dir: /data
    }

    http_port: 8222

    websocket {
      port: 8080
      no_tls: true
    }

    leafnodes {
      port: 7422
      authorization {
        user: leaf
        password: $LEAF_PASSWORD
      }
    }

---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nats-pvc
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: local-path
  resources:
    requests:
      storage: 10Gi

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nats
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nats
  template:
    metadata:
      labels:
        app: nats
    spec:
      containers:
        - name: nats
          image: nats:latest
          args: ["-c", "/etc/nats/nats.conf"]
          env:
            - name: LEAF_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: nats-leaf-secret
                  key: password
          ports:
            - containerPort: 4222
            - containerPort: 8080
            - containerPort: 8222
            - containerPort: 7422
          volumeMounts:
            - name: nats-config
              mountPath: /etc/nats
            - name: nats-data
              mountPath: /data
      volumes:
        - name: nats-config
          configMap:
            name: nats-config
        - name: nats-data
          persistentVolumeClaim:
            claimName: nats-pvc

---
apiVersion: v1
kind: Service
metadata:
  name: nats
spec:
  selector:
    app: nats
  ports:
    - name: client
      port: 4222
      targetPort: 4222
      nodePort: 32386
    - name: websocket
      port: 8080
      targetPort: 8080
      nodePort: 32387
    - name: monitoring
      port: 8222
      targetPort: 8222
      nodePort: 32388
    - name: leaf
      port: 7422
      targetPort: 7422
      nodePort: 32389
  type: NodePort