job "${name}" {
  region = "global"
  datacenters = ["dc1"]

  type = "service"

  group "${name}" {
    network {
      mode = "bridge"
      %{ if service_port != null ~}
      port "main" {
        %{ if ingress }
        host_network = "loopback"
        %{~ endif }
        to = ${service_port}
      }
      %{ endif }
      %{ if connect }
      port "envoy_metrics" {
        to = 9123
      }
      %{~ endif }
    }

    %{ if length(group_meta) > 0 }
    meta = {
      %{ for k, v in group_meta }
      ${k} = ${jsonencode(v)}
      %{ endfor }
    }
    %{~ endif }
    %{ if sticky_disk }
    ephemeral_disk {
      migrate = true
      sticky = true
    }
    %{~ endif }
    %{ for host_volume in host_volumes }
    volume "${host_volume.name}" {
      type = "host"
      read_only = ${host_volume.read_only}
      source = "${host_volume.name}"
    }
    %{ endfor }
    %{ if service_port != null ~}
    service {
      name = "${replace(name, "_", "-")}"
      port = "main"

      %{ if connect }
      connect {
        sidecar_service {
          proxy {
            local_service_port = ${service_port}
            %{ if use_mysql }
            upstreams {
              destination_name = "mysql-server"
              local_bind_port = 4040
            }
            %{ endif ~}
            %{ if use_redis }
            upstreams {
              destination_name = "redis"
              local_bind_port = 6379
            }
            %{ endif ~}
            %{ if use_ldap }
            upstreams {
              destination_name = "lldap"
              local_bind_port = 3890
            }
            %{ endif ~}
            %{ for upstream in upstreams ~}
            upstreams {
              destination_name = "${upstream.destination_name}"
              local_bind_port = ${upstream.local_bind_port}
            }
            %{ endfor }

            config {
              envoy_prometheus_bind_addr = "0.0.0.0:9123"
            }
          }
        }

        sidecar_task {
          resources {
            cpu    = 50
            memory = 50
            memory_max = 100
          }
        }
      }

      %{~ endif }
      %{ if healthcheck_path != null }
      check {
        type = "http"
        path = "${healthcheck_path}"
        port = "main"
        interval = "10s"
        timeout = "10s"
      }

      %{~ endif }
      meta {
        %{ if metrics_port_name != null }
        metrics_addr = "$${NOMAD_ADDR_${metrics_port_name}}"
        %{ endif }
        %{ if connect }
        envoy_metrics_addr = "$${NOMAD_ADDR_envoy_metrics}"
        %{~ endif }
      }

      tags = [
        %{ if ingress }
        "traefik.enable=true",
        "traefik.http.routers.${name}.entryPoints=websecure",
        %{ if try(ingress_rule, null) != null ~}
        "traefik.http.routers.${name}.rule=${ingress_rule}",
        %{ endif ~}
        %{ for middleware in ingress_middlewares ~}
        "traefik.http.routers.${name}.middlewares=${middleware}",
        %{~ endfor }
        %{~ endif }
      ]
    }

    %{ endif ~}
    task "${name}" {
      driver = "docker"

      %{ if length(meta) > 0 ~}
      meta = {
        %{ for k, v in meta ~}
        ${k} = ${jsonencode(v)}
        %{ endfor ~}
      }

      %{ endif ~}
      config {
        image = "${image}"
        %{if image_pull_timeout != null ~}
        image_pull_timeout = "${image_pull_timeout}"
        %{ endif ~}
        %{ if service_port != null ~}
        ports = ["main"]
        %{ endif ~}
        %{ if length(try(args, [])) > 0 ~}
        args = ${jsonencode(args)}
        %{ endif ~}
        %{ for template in templates ~}
        %{ if template.mount && !template.env ~}

        mount {
          type = "bind"
          target = "${template.dest}"
          source = "${template.dest_prefix}/${template.dest}"
        }
        %{ endif ~}
        %{ endfor ~}
      }
      %{ if use_vault ~}

      vault {
        policies = [
          "access-tables",
          "nomad-task",
        ]
      }
      %{ endif ~}
      %{ if length(env) > 0 ~}

      env = {
        %{ for k, v in env ~}
        "${k}" = "${v}"
        %{ endfor }
      }
      %{ endif ~}
      %{ for volume in host_volumes ~}

      volume_mount {
        volume = "${volume.name}"
        destination = "${volume.dest}"
        read_only = ${volume.read_only}
      }
      %{ endfor ~}
      %{ for template in templates ~}

      template {
        data = <<EOF
${template.data}
EOF
        destination = "${coalesce(template.dest_prefix, "$${NOMAD_TASK_DIR}")}/${template.dest}"
        %{ if template.left_delimiter != null }left_delimiter = "${template.left_delimiter}"%{ endif }
        %{ if template.right_delimiter != null }right_delimiter = "${template.right_delimiter}"%{ endif }
        %{ if template.change_mode != null }change_mode = "${template.change_mode}"%{ endif }
        %{ if template.change_signal != null }change_signal = "${template.change_signal}"%{ endif }
        %{ if template.env != null }env = ${template.env}%{ endif }
      }
      %{ endfor ~}
      %{ if resources != null }

      resources {
        cpu = ${resources.cpu}
        memory = ${resources.memory}
        %{ if resources.memory_max != null }memory_max = ${resources.memory_max}%{ endif }
      }
      %{~ endif }
    }
    %{ if mysql_bootstrap != null }
    task "${name}-bootstrap" {
      driver = "docker"

      lifecycle {
        hook = "prestart"
        sidecar = false
      }

      config {
        image = "mariadb:10"
        args = [
          "/bin/bash",
          "-c",
          "/usr/bin/mysql --defaults-extra-file=$${NOMAD_SECRETS_DIR}/my.cnf < $${NOMAD_SECRETS_DIR}/bootstrap.sql",
        ]
      }

      vault {
        policies = [
          "access-tables",
          "nomad-task",
        ]
      }

      template {
        data = <<EOF
[client]
host={{ env "NOMAD_UPSTREAM_IP_mysql_server" }}
port={{ env "NOMAD_UPSTREAM_PORT_mysql_server" }}
user=root
{{ with secret "kv/data/mysql" -}}
password={{ .Data.data.root_password }}
{{ end -}}
        EOF
        destination = "$${NOMAD_SECRETS_DIR}/my.cnf"
      }

      template {
        data = <<EOF
{{ with secret "${mysql_bootstrap.vault_key}" -}}
CREATE DATABASE IF NOT EXISTS `{{ .Data.data.${mysql_bootstrap.db_name_key} }}`
  CHARACTER SET = 'utf8mb4'
  COLLATE = 'utf8mb4_unicode_ci';
CREATE USER IF NOT EXISTS '{{ .Data.data.${mysql_bootstrap.db_user_key} }}'@'%'
  IDENTIFIED BY '{{ .Data.data.${mysql_bootstrap.db_pass_key} }}';
GRANT ALL ON `{{ .Data.data.${mysql_bootstrap.db_name_key} }}`.*
  TO '{{ .Data.data.${mysql_bootstrap.db_user_key} }}'@'%';
{{ else -}}
SELECT 'NOOP';
{{ end -}}
        EOF
        destination = "$${NOMAD_SECRETS_DIR}/bootstrap.sql"
      }

      resources {
        cpu = 50
        memory = 50
      }
    }
    %{ endif }
  }
}