job "lldap" {
  datacenters = ["dc1"]
  type = "service"
  priority = 80

  group "lldap" {

    network {
      mode = "bridge"

      port "web" {
        %{~ if use_wesher ~}
        host_network = "wesher"
        %{~ endif ~}
      }

      port "ldap" {
        %{~ if use_wesher ~}
        host_network = "wesher"
        %{~ endif ~}
      }

      port "tls" {}
    }

    service {
      name = "lldap"
      provider = "nomad"
      port = "ldap"
    }

    service {
      name = "lldap-tls"
      provider = "nomad"
      port = "tls"
    }

    service {
      name = "ldap-admin"
      provider = "nomad"
      port = "web"

      tags = [
        "traefik.enable=true",
        "traefik.http.routers.ldap-admin.entryPoints=websecure",
      ]
    }

    task "lldap" {
      driver = "docker"

      config {
        image = "ghcr.io/lldap/lldap:v0.5"
        ports = ["ldap", "web"]
        args = ["run", "--config-file", "$${NOMAD_TASK_DIR}/lldap_config.toml"]
      }

      env = {
        "LLDAP_VERBOSE" = "true"
        "LLDAP_LDAP_PORT" = "$${NOMAD_PORT_ldap}"
        "LLDAP_HTTP_PORT" = "$${NOMAD_PORT_web}"
        "LLDAP_DATABASE_URL_FILE" = "$${NOMAD_SECRETS_DIR}/database_url.txt"
        "LLDAP_KEY_SEED_FILE" = "$${NOMAD_SECRETS_DIR}/key_seed.txt"
        "LLDAP_JWT_SECRET_FILE" = "$${NOMAD_SECRETS_DIR}/jwt_secret.txt"
        "LLDAP_USER_PASS_FILE" = "$${NOMAD_SECRETS_DIR}/user_pass.txt"
        "LLDAP_SMTP_OPTIONS__PASSWORD_FILE" = "$${NOMAD_SECRETS_DIR}/smtp_password.txt"
      }

      template {
        data = <<EOH
ldap_base_dn = "{{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }}"

{{ with nomadVar "secrets/ldap" -}}
ldap_user_dn = "{{ .admin_user }}"
ldap_user_email = "{{ .admin_email }}"
{{ end -}}

{{ with nomadVar "nomad/jobs/lldap" -}}
[smtp_options]
from = "{{ .smtp_from }}"
reply_to = "{{ .smtp_reply_to }}"
enable_password_reset = true
{{ end -}}
{{ with nomadVar "secrets/smtp" -}}
server = "{{ .server }}"
port = {{ .port }}
tls_required = {{ .tls.Value | toLower }}
user = "{{ .user }}"
{{ end -}}
        EOH
        destination = "$${NOMAD_TASK_DIR}/lldap_config.toml"
        change_mode = "restart"
      }

      template {
        data = "{{ with nomadVar \"nomad/jobs/lldap\" }}mysql://{{ .db_user }}:{{ .db_pass }}@127.0.0.1:3306/{{ .db_name }}{{ end }}"
        destination = "$${NOMAD_SECRETS_DIR}/database_url.txt"
        change_mode = "restart"
      }

      template {
        data = "{{ with nomadVar \"nomad/jobs/lldap\" }}{{ .key_seed }}{{ end }}"
        destination = "$${NOMAD_SECRETS_DIR}/key_seed.txt"
        change_mode = "restart"
      }

      template {
        data = "{{ with nomadVar \"nomad/jobs/lldap\" }}{{ .jwt_secret }}{{ end }}"
        destination = "$${NOMAD_SECRETS_DIR}/jwt_secret.txt"
        change_mode = "restart"
      }

      template {
        data = "{{ with nomadVar \"secrets/ldap\" }}{{ .admin_password }}{{ end }}"
        destination = "$${NOMAD_SECRETS_DIR}/user_pass.txt"
        change_mode = "restart"
      }

      template {
        data = "{{ with nomadVar \"secrets/smtp\" }}{{ .password }}{{ end }}"
        destination = "$${NOMAD_SECRETS_DIR}/smtp_password.txt"
        change_mode = "restart"
      }

      resources {
        cpu = 10
        memory = 200
        memory_max = 200
      }
    }

    task "bootstrap" {
      driver = "docker"

      lifecycle {
        hook = "prestart"
        sidecar = false
      }

      config {
        image = "mariadb:10"
        args = [
          "/usr/bin/timeout",
          "2m",
          "/bin/bash",
          "-c",
          "until /usr/bin/mysql --defaults-extra-file=$${NOMAD_SECRETS_DIR}/my.cnf < $${NOMAD_SECRETS_DIR}/bootstrap.sql; do sleep 10; done",
        ]
      }

      template {
        data = <<EOF
[client]
host=127.0.0.1
port=3306
user=root
{{ with nomadVar "secrets/mysql" -}}
password={{ .mysql_root_password }}
{{ end -}}
        EOF
        destination = "$${NOMAD_SECRETS_DIR}/my.cnf"
      }

      template {
        data = <<EOF
{{ with nomadVar "nomad/jobs/lldap" -}}
{{ $db_name := .db_name }}
CREATE DATABASE IF NOT EXISTS `{{ .db_name }}`
  CHARACTER SET = 'utf8mb4'
  COLLATE = 'utf8mb4_unicode_ci';
DROP USER IF EXISTS '{{ .db_user }}'@'%';
CREATE USER '{{ .db_user }}'@'%'
  IDENTIFIED BY '{{ .db_pass }}';
GRANT ALL ON `{{ .db_name }}`.*
  TO '{{ .db_user }}'@'%';
{{ else -}}
SELECT 'NOOP';
{{ end -}}
        EOF
        destination = "$${NOMAD_SECRETS_DIR}/bootstrap.sql"
      }

      resources {
        cpu = 50
        memory = 50
      }
    }

    task "stunnel" {
      driver = "docker"

      lifecycle {
        hook = "prestart"
        sidecar = true
      }

      config {
        image = "iamthefij/stunnel:latest"
        args = ["$${NOMAD_TASK_DIR}/stunnel.conf"]
        ports = ["tls"]
      }

      resources {
        cpu = 100
        memory = 100
      }

      template {
        data = <<EOF
syslog = no
foreground = yes
delay = yes

[ldap_server]
accept = {{ env "NOMAD_PORT_tls" }}
connect = 127.0.0.1:{{ env "NOMAD_PORT_ldap" }}
ciphers = PSK
PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/stunnel_psk.txt

[mysql_client]
client = yes
accept = 127.0.0.1:3306
{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "mysql-tls" -}}
connect = {{ .Address }}:{{ .Port }}
{{- end }}
PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/mysql_stunnel_psk.txt
        EOF
        destination = "$${NOMAD_TASK_DIR}/stunnel.conf"
      }

      template {
        data = <<EOF
{{ range nomadVarList "secrets/ldap/allowed_psks" -}}
{{ with nomadVar .Path }}{{ .psk }}{{ end }}
{{ end -}}
EOF
        destination = "$${NOMAD_SECRETS_DIR}/stunnel_psk.txt"
      }

      template {
        data = <<EOF
{{- with nomadVar "secrets/mysql/allowed_psks/lldap" }}{{ .psk }}{{ end -}}
EOF
        destination = "$${NOMAD_SECRETS_DIR}/mysql_stunnel_psk.txt"
      }

    }
  }
}