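# Redis cache fronted by a stunnel TLS-PSK terminator.
#
# Both tasks run in one group, so in bridge mode they share a network
# namespace: stunnel accepts TLS on the dynamic "tls" port and forwards
# plaintext to Redis over loopback. Redis itself has no authentication
# configured here, so the stunnel PSK is the only access control.
job "redis" {
  datacenters = ["dc1"]
  type = "service"
  priority = 60

  group "cache" {
    count = 1

    # Keep the Redis snapshot directory across reschedules where possible.
    ephemeral_disk {
      migrate = true
      sticky = true
      size = 300
    }

    network {
      mode = "bridge"

      # Only the TLS listener is published. The Redis plaintext port (6379)
      # is deliberately not declared here.
      port "tls" {}
    }

    service {
      name = "redis-tls"
      provider = "nomad"
      port = "tls"
    }

    task "redis" {
      driver = "docker"

      config {
        # NOTE(review): "redis:6" is a mutable tag; consider pinning by digest
        # (redis:6@sha256:<digest-placeholder>) so the deployed image cannot
        # change underneath the job.
        image = "redis:6"

        # "--bind 127.0.0.1" restricts the unauthenticated plaintext listener
        # to loopback, so only stunnel in the shared network namespace can
        # reach it and the allocation's bridge address cannot be used to
        # bypass TLS.
        #
        # The original `ports = ["main"]` was dropped: no port labelled "main"
        # exists in the group network block, and publishing the plaintext
        # port would defeat the TLS wrapper.
        args = ["redis-server", "--bind", "127.0.0.1", "--save", "60", "1", "--loglevel", "warning", "--dir", "${NOMAD_ALLOC_DIR}/data"]
      }

      resources {
        cpu = 100
        memory = 128
        # memory_max only takes effect when memory oversubscription is
        # enabled in the cluster's scheduler configuration.
        memory_max = 512
      }
    }

    task "stunnel" {
      driver = "docker"

      config {
        # NOTE(review): mutable tag, same digest-pinning advice as the redis
        # image above.
        image = "alpine:3.17"
        ports = ["tls"]
        args = ["/bin/sh", "${NOMAD_TASK_DIR}/start.sh"]
      }

      resources {
        cpu = 100
        memory = 100
      }

      # Start script. NOTE(review): stunnel is installed from the Alpine
      # repositories on every task start, so the task needs outbound network
      # access and runs whatever version the repository serves at that
      # moment. An image with stunnel already installed would remove both
      # the runtime dependency and the unpinned package.
      template {
        data = <<EOF
set -e
apk add stunnel
exec stunnel ${NOMAD_TASK_DIR}/stunnel.conf
        EOF
        destination = "${NOMAD_TASK_DIR}/start.sh"
      }

      # stunnel service definition: accept TLS on the Nomad-assigned port,
      # forward to Redis on loopback, and allow only PSK cipher suites so
      # that clients must hold one of the pre-shared keys.
      template {
        data = <<EOF
syslog = no
foreground = yes
delay = yes

[redis_server]

accept = {{ env "NOMAD_PORT_tls" }}
connect = 127.0.0.1:6379
ciphers = PSK
PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/stunnel_psk.txt
        EOF
        destination = "${NOMAD_TASK_DIR}/stunnel.conf"
      }

      # PSK identities and keys, read from the Nomad Variable at
      # nomad/jobs/redis. stunnel expects one IDENTITY:KEY pair per line, so
      # the "allowed_psks" item must already be in that form.
      template {
        data = <<EOF
{{ with nomadVar "nomad/jobs/redis" -}}
{{ .allowed_psks }}
{{- end }}
        EOF
        destination = "${NOMAD_SECRETS_DIR}/stunnel_psk.txt"
        # Key material: override the template default mode (644) so the file
        # is readable only by its owner.
        perms = "600"
      }
    }
  }
}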