From f11fad30a52a1868db533827397095d1641cc275 Mon Sep 17 00:00:00 2001
From: Ian Fijolek <ian@iamthefij.com>
Date: Tue, 9 May 2023 13:20:36 -0700
Subject: [PATCH] Use stunnel for mysql

Doesn't remove wesher or normal mysql service
---
 core/.terraform.lock.hcl                      | 38 -----------
 core/blocky/blocky.nomad                      | 25 +++++--
 core/blocky/config.yml                        |  9 ++-
 core/main.tf                                  | 32 ++++-----
 core/metrics/grafana.nomad                    | 68 ++++++++++++++++---
 .../provisioning/datasources/mysql.yml        |  4 +-
 databases/adminer.nomad                       | 51 --------------
 databases/main.tf                             |  8 ---
 databases/mysql.nomad                         | 59 ++++++++++++++++
 databases/redis.nomad                         |  4 +-
 service.nomad                                 |  1 +
 services/.terraform.lock.hcl                  | 19 ------
 services/backups/backup.nomad                 | 62 +++++++++++++++--
 services/main.tf                              | 21 +++++-
 services/service/main.tf                      |  2 +-
 services/service/service_template.nomad       | 55 +++++++++++----
 16 files changed, 278 insertions(+), 180 deletions(-)
 delete mode 100644 databases/adminer.nomad

diff --git a/core/.terraform.lock.hcl b/core/.terraform.lock.hcl
index d9f93d1..04ee26b 100644
--- a/core/.terraform.lock.hcl
+++ b/core/.terraform.lock.hcl
@@ -1,44 +1,6 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.
 
-provider "registry.terraform.io/hashicorp/consul" {
-  version = "2.16.2"
-  hashes = [
-    "h1:epldE7sZPBTQHnWEA4WlNJIOVT1UEX+/02SMg5nniaE=",
-    "zh:0a2e11ca2ba650954951a087a1daec95eee2f3000456b295409a9880c4a10b1a",
-    "zh:34f6bda06a0d1c213fa8d87d4313687681e67bc8c40c4cbaa7dbe59ce24a4f7e",
-    "zh:5b85cf93db11ee890f720c317a38158927071feb634855786a0c0cd65825a43c",
-    "zh:75ef915f3d087e6045751a66fbb7066a852a0944ec8c97200d1134dd84df7ffc",
-    "zh:8a4a95697bd91ad51a581c12fe50ac61a114afba27895d027f77ac4154a7ea15",
-    "zh:973d538c8d72793861a1ac9718249a9493f417a2b5096846367560054fd843b9",
-    "zh:9feb2bdc06fdc2d8370cc9aad9a0c69e7e5ae38aac43f315c3f57507c57be030",
-    "zh:c5709672d0afecbbe298bf519741ebcb9d04f02a73b5ee0c186dfa241aa5a524",
-    "zh:c65c60570de6da7190e1e7762577655a463caeb59bc5d38e33034821ed0cbcb9",
-    "zh:c958d6282650fc472aade61d5df4300936033f43cfb898293ef86aceccdfdf1d",
-    "zh:cdd3632c81e1d11d3becd193aaa061688840f39147950c45c4301d042743ae6a",
-    "zh:f3d3efac504c9484a025beb919d22b290aa6dbff256f6e86c1f8ce7817e077e5",
-  ]
-}
-
-provider "registry.terraform.io/hashicorp/external" {
-  version = "2.2.2"
-  hashes = [
-    "h1:e7RpnZ2PbJEEPnfsg7V0FNwbfSk0/Z3FdrLsXINBmDY=",
-    "zh:0b84ab0af2e28606e9c0c1289343949339221c3ab126616b831ddb5aaef5f5ca",
-    "zh:10cf5c9b9524ca2e4302bf02368dc6aac29fb50aeaa6f7758cce9aa36ae87a28",
-    "zh:56a016ee871c8501acb3f2ee3b51592ad7c3871a1757b098838349b17762ba6b",
-    "zh:719d6ef39c50e4cffc67aa67d74d195adaf42afcf62beab132dafdb500347d39",
-    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:7fbfc4d37435ac2f717b0316f872f558f608596b389b895fcb549f118462d327",
-    "zh:8ac71408204db606ce63fe8f9aeaf1ddc7751d57d586ec421e62d440c402e955",
-    "zh:a4cacdb06f114454b6ed0033add28006afa3f65a0ea7a43befe45fc82e6809fb",
-    "zh:bb5ce3132b52ae32b6cc005bc9f7627b95259b9ffe556de4dad60d47d47f21f0",
-    "zh:bb60d2976f125ffd232a7ccb4b3f81e7109578b23c9c6179f13a11d125dca82a",
-    "zh:f9540ecd2e056d6e71b9ea5f5a5cf8f63dd5c25394b9db831083a9d4ea99b372",
-    "zh:ffd998b55b8a64d4335a090b6956b4bf8855b290f7554dd38db3302de9c41809",
-  ]
-}
-
 provider "registry.terraform.io/hashicorp/nomad" {
   version = "1.4.19"
   hashes = [
diff --git a/core/blocky/blocky.nomad b/core/blocky/blocky.nomad
index cd9e07b..3c361d1 100644
--- a/core/blocky/blocky.nomad
+++ b/core/blocky/blocky.nomad
@@ -105,7 +105,7 @@ job "blocky" {
       }
     }
 
-    task "redis-stunnel" {
+    task "stunnel" {
       driver = "docker"
 
       lifecycle {
@@ -139,6 +139,14 @@ syslog = no
 foreground = yes
 delay = yes
 
+[mysql_client]
+client = yes
+accept = 127.0.0.1:3306
+{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "mysql-tls" -}}
+connect = {{ .Address }}:{{ .Port }}
+{{- end }}
+PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/mysql_stunnel_psk.txt
+
 [redis_client]
 client = yes
 accept = 127.0.0.1:6379
@@ -152,9 +160,14 @@ PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/stunnel_psk.txt
 
       template {
         data = <<EOF
-{{ with nomadVar "nomad/jobs/blocky" -}}
-{{ .redis_stunnel_psk }}
-{{- end }}
+{{- with nomadVar "nomad/jobs/blocky/blocky/stunnel" }}{{ .mysql_stunnel_psk }}{{ end -}}
+EOF
+        destination = "$${NOMAD_SECRETS_DIR}/mysql_stunnel_psk.txt"
+      }
+
+      template {
+        data = <<EOF
+{{- with nomadVar "nomad/jobs/blocky/blocky/stunnel" -}}{{ .redis_stunnel_psk }}{{ end -}}
         EOF
         destination = "${NOMAD_SECRETS_DIR}/stunnel_psk.txt"
       }
@@ -171,9 +184,11 @@ PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/stunnel_psk.txt
       config {
         image = "mariadb:10"
         args = [
+          "/usr/bin/timeout",
+          "2m",
           "/bin/bash",
           "-c",
-          "/usr/bin/mysql --defaults-extra-file=$${NOMAD_SECRETS_DIR}/my.cnf < $${NOMAD_SECRETS_DIR}/bootstrap.sql || echo 'SQL Failed'",
+          "until /usr/bin/mysql --defaults-extra-file=$${NOMAD_SECRETS_DIR}/my.cnf < $${NOMAD_SECRETS_DIR}/bootstrap.sql; do sleep 10; done",
         ]
       }
 
diff --git a/core/blocky/config.yml b/core/blocky/config.yml
index bcdd335..bd34856 100644
--- a/core/blocky/config.yml
+++ b/core/blocky/config.yml
@@ -107,13 +107,12 @@ redis:
     connectionCooldown: 3s
 {{ end -}}
 
-{{ $mysql_addr := "" }}
-{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "mysql-server" -}}
-{{ $mysql_addr = print .Address ":" .Port }}
-{{- end }}
+
+{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "mysql-tls" -}}
 {{ with nomadVar "nomad/jobs/blocky" -}}
 queryLog:
     type: mysql
-    target: {{ .db_user }}:{{ .db_pass }}@tcp({{ $mysql_addr }})/{{ .db_name }}?charset=utf8mb4&parseTime=True&loc=Local
+    target: {{ .db_user }}:{{ .db_pass }}@tcp(127.0.0.1:3306)/{{ .db_name }}?charset=utf8mb4&parseTime=True&loc=Local
     logRetentionDays: 14
 {{ end -}}
+{{ end -}}
diff --git a/core/main.tf b/core/main.tf
index c933af3..78ddd35 100644
--- a/core/main.tf
+++ b/core/main.tf
@@ -23,24 +23,22 @@ resource "nomad_job" "nomad-client-stalker" {
 }
 
 module "loki" {
-  source  = "IamTheFij/levant/nomad"
-  version = "0.1.0"
+  source = "../services/service"
 
-  template_path = "service.nomad"
-  variables = {
-    name         = "loki"
-    image        = "grafana/loki:2.2.1"
-    service_port = 3100
-    ingress      = true
-    sticky_disk  = true
-    healthcheck  = "/ready"
-    templates = jsonencode([
-      {
-        data = file("${path.module}/loki-config.yml")
-        dest = "/etc/loki/local-config.yaml"
-      }
-    ])
-  }
+  name         = "loki"
+  image        = "grafana/loki:2.2.1"
+  args         = ["--config.file=$${NOMAD_TASK_DIR}/loki-config.yml"]
+  service_port = 3100
+  ingress      = true
+  sticky_disk  = true
+  # healthcheck  = "/ready"
+  templates = [
+    {
+      data  = file("${path.module}/loki-config.yml")
+      dest  = "loki-config.yml"
+      mount = false
+    }
+  ]
 }
 
 resource "nomad_job" "syslog-ng" {
diff --git a/core/metrics/grafana.nomad b/core/metrics/grafana.nomad
index d1e6ed9..095e7be 100644
--- a/core/metrics/grafana.nomad
+++ b/core/metrics/grafana.nomad
@@ -29,6 +29,60 @@ job "grafana" {
       ]
     }
 
+    task "stunnel" {
+      driver = "docker"
+
+      lifecycle {
+        hook = "prestart"
+        sidecar = true
+      }
+
+      config {
+        image = "alpine:3.17"
+        args = ["/bin/sh", "$${NOMAD_TASK_DIR}/start.sh"]
+      }
+
+      resources {
+        cpu = 100
+        memory = 100
+      }
+
+      template {
+        data = <<EOF
+set -e
+apk add stunnel
+exec stunnel {{ env "NOMAD_TASK_DIR" }}/stunnel.conf
+        EOF
+        destination = "$${NOMAD_TASK_DIR}/start.sh"
+      }
+
+      template {
+        data = <<EOF
+syslog = no
+foreground = yes
+delay = yes
+
+[mysql_client]
+client = yes
+accept = 127.0.0.1:3306
+{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "mysql-tls" -}}
+connect = {{ .Address }}:{{ .Port }}
+{{- end }}
+PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/mysql_stunnel_psk.txt
+        EOF
+        destination = "$${NOMAD_TASK_DIR}/stunnel.conf"
+      }
+
+      # TODO: Get psk for backup jobs despite multiple job declarations
+      # Probably should use variable ACLs to grant each node job to this path
+      template {
+        data = <<EOF
+{{- with nomadVar "nomad/jobs/grafana/grafana/stunnel" }}{{ .mysql_stunnel_psk }}{{ end -}}
+EOF
+        destination = "$${NOMAD_SECRETS_DIR}/mysql_stunnel_psk.txt"
+      }
+    }
+
     task "grafana-bootstrap" {
       driver = "docker"
 
@@ -40,19 +94,19 @@ job "grafana" {
       config {
         image = "mariadb:10"
         args = [
+          "/usr/bin/timeout",
+          "2m",
           "/bin/bash",
           "-c",
-          "/usr/bin/mysql --defaults-extra-file=$${NOMAD_SECRETS_DIR}/my.cnf < $${NOMAD_SECRETS_DIR}/bootstrap.sql",
+          "until /usr/bin/mysql --defaults-extra-file=$${NOMAD_SECRETS_DIR}/my.cnf < $${NOMAD_SECRETS_DIR}/bootstrap.sql; do sleep 10; done",
         ]
       }
 
       template {
         data = <<EOF
 [client]
-{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "mysql-server" -}}
-host={{ .Address }}
-port={{ .Port }}
-{{ end -}}
+host=127.0.0.1
+port=3306
 user=root
 {{ with nomadVar "nomad/jobs" -}}
 password={{ .mysql_root_password }}
@@ -110,9 +164,7 @@ GRAFANA_ALERT_EMAIL_ADDRESSES={{ .alert_email_addresses }}
 {{ if .db_name -}}
 # Database storage
 GF_DATABASE_TYPE=mysql
-{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "mysql-server" -}}
-GF_DATABASE_HOST={{ .Address }}:{{ .Port }}
-{{- end }}
+GF_DATABASE_HOST=127.0.0.1:3306
 GF_DATABASE_NAME={{ .db_name }}
 GF_DATABASE_USER={{ .db_user }}
 GF_DATABASE_PASSWORD={{ .db_pass }}
diff --git a/core/metrics/grafana/provisioning/datasources/mysql.yml b/core/metrics/grafana/provisioning/datasources/mysql.yml
index 5f7f433..0b9bc59 100644
--- a/core/metrics/grafana/provisioning/datasources/mysql.yml
+++ b/core/metrics/grafana/provisioning/datasources/mysql.yml
@@ -3,9 +3,7 @@ apiVersion: 1
 
 datasources:
   - name: Blocky logs
-    {{ range nomadService 1 (env "NOMAD_ALLOC_ID") "mysql-server" -}}
-    url: {{ .Address }}:{{ .Port }}
-    {{- end }}
+    url: 127.0.0.1:3306
     # TODO: Looking for an acl friendly way to expose this since it's a variable in blocky setup
     database: blocky
     type: mysql
diff --git a/databases/adminer.nomad b/databases/adminer.nomad
deleted file mode 100644
index 953a19a..0000000
--- a/databases/adminer.nomad
+++ /dev/null
@@ -1,51 +0,0 @@
-job "adminer" {
-  datacenters = ["dc1"]
-  type = "service"
-
-  group "adminer" {
-    count = 1
-    # Some affinity to stateful hosts?
-
-    network {
-      mode = "bridge"
-      port "adminer" {
-        to = 8080
-      }
-    }
-
-    service {
-      name = "adminer"
-      provider = "nomad"
-      port = "adminer"
-
-      tags = [
-        "traefik.enable=true",
-        "traefik.http.routers.adminer.entryPoints=websecure",
-      ]
-    }
-
-    task "adminer" {
-      driver = "docker"
-
-      config {
-        image = "adminer"
-        ports = ["adminer"]
-      }
-
-      template {
-        data = <<EOF
-        {{ range nomadService 1 (env "NOMAD_ALLOC_ID") "mysql-server" -}}
-        ADMINER_DEFAULT_SERVER={{ .Address }}:{{ .Port }}
-        {{- end }}
-        EOF
-        env = true
-        destination = "env"
-      }
-
-      resources {
-        cpu = 50
-        memory = 50
-      }
-    }
-  }
-}
diff --git a/databases/main.tf b/databases/main.tf
index d0a43a4..6d25af5 100644
--- a/databases/main.tf
+++ b/databases/main.tf
@@ -20,14 +20,6 @@ resource "nomad_job" "postgres-server" {
   detach = false
 }
 
-resource "nomad_job" "adminer" {
-  hcl2 {
-    enabled = true
-  }
-
-  jobspec = file("${path.module}/adminer.nomad")
-}
-
 resource "nomad_job" "redis" {
   hcl2 {
     enabled = true
diff --git a/databases/mysql.nomad b/databases/mysql.nomad
index 25193c3..a50f889 100644
--- a/databases/mysql.nomad
+++ b/databases/mysql.nomad
@@ -20,6 +20,10 @@ job "mysql-server" {
         to = 3306
         host_network = "wesher"
       }
+
+      port "tls" {
+        host_network = "wesher"
+      }
     }
 
     volume "mysql-data" {
@@ -34,6 +38,12 @@ job "mysql-server" {
       port = "db"
     }
 
+    service {
+      name = "mysql-tls"
+      provider = "nomad"
+      port = "tls"
+    }
+
     task "mysql-server" {
       driver = "docker"
 
@@ -69,5 +79,54 @@ MYSQL_ROOT_PASSWORD={{ .mysql_root_password }}
         memory = 1024
       }
     }
+
+    task "stunnel" {
+      driver = "docker"
+
+      config {
+        image = "alpine:3.17"
+        ports = ["tls"]
+        args = ["/bin/sh", "${NOMAD_TASK_DIR}/start.sh"]
+      }
+
+      resources {
+        cpu = 100
+        memory = 100
+      }
+
+      template {
+        data = <<EOF
+set -e
+apk add stunnel
+exec stunnel ${NOMAD_TASK_DIR}/stunnel.conf
+        EOF
+        destination = "${NOMAD_TASK_DIR}/start.sh"
+      }
+
+      template {
+        data = <<EOF
+syslog = no
+foreground = yes
+delay = yes
+
+[mysql_server]
+
+accept = {{ env "NOMAD_PORT_tls" }}
+connect = 127.0.0.1:3306
+ciphers = PSK
+PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/stunnel_psk.txt
+        EOF
+        destination = "${NOMAD_TASK_DIR}/stunnel.conf"
+      }
+
+      template {
+        data = <<EOF
+{{ with nomadVar "nomad/jobs/mysql-server" -}}
+{{ .allowed_psks }}
+{{- end }}
+        EOF
+        destination = "${NOMAD_SECRETS_DIR}/stunnel_psk.txt"
+      }
+    }
   }
 }
diff --git a/databases/redis.nomad b/databases/redis.nomad
index 2d57a21..3b6fc33 100644
--- a/databases/redis.nomad
+++ b/databases/redis.nomad
@@ -15,9 +15,7 @@ job "redis" {
     network {
       mode = "bridge"
 
-      port "tls" {
-        host_network = "wesher"
-      }
+      port "tls" {}
     }
 
     service {
diff --git a/service.nomad b/service.nomad
index fe2253f..9ac7db4 100644
--- a/service.nomad
+++ b/service.nomad
@@ -1,3 +1,4 @@
+DEPRECATED
 # Vars
 # name = string*
 # image = string*
diff --git a/services/.terraform.lock.hcl b/services/.terraform.lock.hcl
index 4bcdaad..04ee26b 100644
--- a/services/.terraform.lock.hcl
+++ b/services/.terraform.lock.hcl
@@ -1,25 +1,6 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.
 
-provider "registry.terraform.io/hashicorp/consul" {
-  version = "2.16.2"
-  hashes = [
-    "h1:epldE7sZPBTQHnWEA4WlNJIOVT1UEX+/02SMg5nniaE=",
-    "zh:0a2e11ca2ba650954951a087a1daec95eee2f3000456b295409a9880c4a10b1a",
-    "zh:34f6bda06a0d1c213fa8d87d4313687681e67bc8c40c4cbaa7dbe59ce24a4f7e",
-    "zh:5b85cf93db11ee890f720c317a38158927071feb634855786a0c0cd65825a43c",
-    "zh:75ef915f3d087e6045751a66fbb7066a852a0944ec8c97200d1134dd84df7ffc",
-    "zh:8a4a95697bd91ad51a581c12fe50ac61a114afba27895d027f77ac4154a7ea15",
-    "zh:973d538c8d72793861a1ac9718249a9493f417a2b5096846367560054fd843b9",
-    "zh:9feb2bdc06fdc2d8370cc9aad9a0c69e7e5ae38aac43f315c3f57507c57be030",
-    "zh:c5709672d0afecbbe298bf519741ebcb9d04f02a73b5ee0c186dfa241aa5a524",
-    "zh:c65c60570de6da7190e1e7762577655a463caeb59bc5d38e33034821ed0cbcb9",
-    "zh:c958d6282650fc472aade61d5df4300936033f43cfb898293ef86aceccdfdf1d",
-    "zh:cdd3632c81e1d11d3becd193aaa061688840f39147950c45c4301d042743ae6a",
-    "zh:f3d3efac504c9484a025beb919d22b290aa6dbff256f6e86c1f8ce7817e077e5",
-  ]
-}
-
 provider "registry.terraform.io/hashicorp/nomad" {
   version = "1.4.19"
   hashes = [
diff --git a/services/backups/backup.nomad b/services/backups/backup.nomad
index 7bff59c..1cc3653 100644
--- a/services/backups/backup.nomad
+++ b/services/backups/backup.nomad
@@ -89,16 +89,14 @@ job "backup%{ if batch_node != null }-oneoff-${batch_node}%{ endif }" {
 
       template {
         data = <<EOF
-{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "mysql-server" -}}
-MYSQL_HOST={{ .Address }}
-MYSQL_PORT={{ .Port }}
-{{- end }}
+MYSQL_HOST=127.0.0.1
+MYSQL_PORT=3306
 # TODO: Move this to new mysql root pass path
 {{ with nomadVar "nomad/jobs" }}
 MYSQL_USER=root
 MYSQL_PASSWORD={{ .mysql_root_password }}
 {{ end -}}
-{{ with nomadVar "nomad/jobs/backup" -}}
+{{ with nomadVar (print "nomad/jobs/" (env "NOMAD_JOB_ID")) -}}
 BACKUP_PASSPHRASE={{ .backup_passphrase }}
 RCLONE_FTP_HOST={{ .nas_ftp_host }}
 RCLONE_FTP_USER={{ .nas_ftp_user }}
@@ -160,5 +158,59 @@ ${file("${module_path}/jobs/nzbget.hcl")}
         memory = 256
       }
     }
+
+    task "stunnel" {
+      driver = "docker"
+
+      lifecycle {
+        hook = "prestart"
+        sidecar = true
+      }
+
+      config {
+        image = "alpine:3.17"
+        args = ["/bin/sh", "$${NOMAD_TASK_DIR}/start.sh"]
+      }
+
+      resources {
+        cpu = 100
+        memory = 100
+      }
+
+      template {
+        data = <<EOF
+set -e
+apk add stunnel
+exec stunnel {{ env "NOMAD_TASK_DIR" }}/stunnel.conf
+        EOF
+        destination = "$${NOMAD_TASK_DIR}/start.sh"
+      }
+
+      template {
+        data = <<EOF
+syslog = no
+foreground = yes
+delay = yes
+
+[mysql_client]
+client = yes
+accept = 127.0.0.1:3306
+{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "mysql-tls" -}}
+connect = {{ .Address }}:{{ .Port }}
+{{- end }}
+PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/mysql_stunnel_psk.txt
+        EOF
+        destination = "$${NOMAD_TASK_DIR}/stunnel.conf"
+      }
+
+      # TODO: Get psk for backup jobs despite multiple job declarations
+      # Probably should use variable ACLs to grant each node job to this path
+      template {
+        data = <<EOF
+{{- with nomadVar (print "nomad/jobs/" (env "NOMAD_JOB_ID")) }}{{ .mysql_stunnel_psk }}{{ end -}}
+EOF
+        destination = "$${NOMAD_SECRETS_DIR}/mysql_stunnel_psk.txt"
+      }
+    }
   }
 }
diff --git a/services/main.tf b/services/main.tf
index bf38f2c..74ceb30 100644
--- a/services/main.tf
+++ b/services/main.tf
@@ -131,9 +131,7 @@ module "photoprism_module" {
       PHOTOPRISM_DATABASE_NAME={{ .db_name }}
       PHOTOPRISM_DATABASE_USER={{ .db_user }}
       PHOTOPRISM_DATABASE_PASSWORD={{ .db_pass }}
-      {{ range nomadService 1 (env "NOMAD_ALLOC_ID") "mysql-server" -}}
-      PHOTOPRISM_DATABASE_SERVER="{{ .Address }}:{{ .Port }}"
-      {{- end }}
+      PHOTOPRISM_DATABASE_SERVER=127.0.0.1:3306
       {{- end }}
       {{ if eq (env "meta.hw_transcode.type") "raspberry" -}}
       PHOTOPRISM_FFMPEG_ENCODER=raspberry
@@ -184,3 +182,20 @@ module "diun" {
     },
   ]
 }
+
+module "adminer" {
+  source = "./service"
+
+  name  = "adminer"
+  image = "adminer"
+
+  ingress      = true
+  service_port = 8080
+
+  use_mysql = true
+
+  resources = {
+    cpu    = 50
+    memory = 50
+  }
+}
diff --git a/services/service/main.tf b/services/service/main.tf
index 7e52fb2..2172167 100644
--- a/services/service/main.tf
+++ b/services/service/main.tf
@@ -22,7 +22,7 @@ resource "nomad_job" "service" {
     templates    = var.templates
     host_volumes = var.host_volumes
 
-    use_mysql = var.use_mysql
+    use_mysql = var.use_mysql || var.mysql_bootstrap != null
     use_redis = var.use_redis
     use_ldap  = var.use_ldap
 
diff --git a/services/service/service_template.nomad b/services/service/service_template.nomad
index 21ca9fd..937c553 100644
--- a/services/service/service_template.nomad
+++ b/services/service/service_template.nomad
@@ -150,7 +150,7 @@ EOF
       %{~ endif }
     }
 
-    %{ if mysql_bootstrap != null }
+    %{ if mysql_bootstrap != null ~}
     task "${name}-bootstrap" {
       driver = "docker"
 
@@ -162,19 +162,19 @@ EOF
       config {
         image = "mariadb:10"
         args = [
+          "/usr/bin/timeout",
+          "2m",
           "/bin/bash",
           "-c",
-          "/usr/bin/mysql --defaults-extra-file=$${NOMAD_SECRETS_DIR}/my.cnf < $${NOMAD_SECRETS_DIR}/bootstrap.sql",
+          "until /usr/bin/mysql --defaults-extra-file=$${NOMAD_SECRETS_DIR}/my.cnf < $${NOMAD_SECRETS_DIR}/bootstrap.sql; do sleep 10; done",
         ]
       }
 
       template {
         data = <<EOF
 [client]
-{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "mysql-server" -}}
-host={{ .Address }}
-port={{ .Port }}
-{{ end -}}
+host=127.0.0.1
+port=3306
 user=root
 # TODO: Use via lesser scoped access
 {{ with nomadVar "nomad/jobs" -}}
@@ -214,10 +214,16 @@ SELECT 'NOOP';
       }
     }
     %{ endif }
-    %{ if use_redis ~}
-    task "redis-stunnel" {
+
+    %{ if use_mysql || use_redis ~}
+    task "stunnel" {
       driver = "docker"
 
+      lifecycle {
+        hook = "prestart"
+        sidecar = true
+      }
+
       config {
         image = "alpine:3.17"
         args = ["/bin/sh", "$${NOMAD_TASK_DIR}/start.sh"]
@@ -243,25 +249,46 @@ syslog = no
 foreground = yes
 delay = yes
 
+%{~ if use_mysql }
+[mysql_client]
+client = yes
+accept = 127.0.0.1:3306
+{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "mysql-tls" -}}
+connect = {{ .Address }}:{{ .Port }}
+{{- end }}
+PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/mysql_stunnel_psk.txt
+%{~ endif }
+
+%{~ if use_redis }
 [redis_client]
 client = yes
 accept = 127.0.0.1:6379
 {{ range nomadService 1 (env "NOMAD_ALLOC_ID") "redis-tls" -}}
 connect = {{ .Address }}:{{ .Port }}
 {{- end }}
-PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/stunnel_psk.txt
+PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/redis_stunnel_psk.txt
+%{~ endif }
         EOF
         destination = "$${NOMAD_TASK_DIR}/stunnel.conf"
       }
 
+      %{~ if use_mysql }
       template {
         data = <<EOF
-{{ with nomadVar "nomad/jobs/${name}" -}}
-{{ .redis_stunnel_psk }}
-{{- end }}
-        EOF
-        destination = "$${NOMAD_SECRETS_DIR}/stunnel_psk.txt"
+{{- with nomadVar "nomad/jobs/${name}" }}{{ .mysql_stunnel_psk }}{{ end -}}
+EOF
+        destination = "$${NOMAD_SECRETS_DIR}/mysql_stunnel_psk.txt"
       }
+      %{ endif }
+
+      %{~ if use_redis }
+      template {
+        data = <<EOF
+{{- with nomadVar "nomad/jobs/${name}" }}{{ .redis_stunnel_psk }}{{ end -}}
+EOF
+        destination = "$${NOMAD_SECRETS_DIR}/redis_stunnel_psk.txt"
+      }
+      %{~ endif }
     }
     %{~ endif }
   }