homelab-nomad/core/blocky/blocky.nomad
Ian Fijolek fd731971d3 Try to stabilize DNS
Add all cluster nodes to each nodes resolv.conf and update blocky config
template to delay render on update to avoid unnecessary restarts
2022-11-27 22:46:25 -08:00


# Plain-text blocky configuration. It is handed to the `template` stanza of
# the "blocky" task as `data`, so it is rendered by Nomad's template engine
# before it reaches the container; any `{{ ... }}` inside it is evaluated there.
variable "config_data" {
  type        = string
  description = "Plain text config file for blocky"
}
# blocky DNS resolver/ad-blocker. Runs as a system job, i.e. one allocation on
# every eligible node, with a high priority so it is scheduled ahead of most
# other workloads (everything else relies on DNS).
job "blocky" {
  datacenters = ["dc1"]
  type        = "system"
  priority    = 100

  update {
    # Roll one node at a time so DNS stays available on the rest of the cluster.
    max_parallel = 1
    # TODO: maybe switch to service job from system so we can use canary and autorollback
    # auto_revert = true
  }

  group "blocky" {
    network {
      mode = "bridge"

      # Host port 53 is bound statically on every node; nodes point their
      # resolv.conf at these addresses.
      port "dns" {
        static = "53"
      }

      # Dynamic host port forwarded to blocky's HTTP API on container port 4000.
      # NOTE(review): as configured this publishes the API on a host-reachable
      # address and nothing in this job restricts who can call it; confirm
      # whether var.config_data or the Traefik router adds authentication.
      port "api" {
        # TODO: This may be broken. It seems we're exposing the loopback address which can't be reached
        # host_network = "loopback"
        to = "4000"
      }

      dns {
        # Set explicit DNS servers because tasks, by default, use this task
        # (blocky itself must not resolve through blocky).
        servers = ["1.1.1.1", "1.0.0.1"]
      }
    }

    # Plain service registration for the resolver port (no Connect, no check).
    service {
      name = "blocky-dns"
      port = "dns"
    }

    # HTTP API / metrics endpoint, reachable through Traefik and via Consul Connect.
    service {
      name = "blocky-api"
      port = "api"

      meta {
        # Scrape target address advertised to the metrics collector.
        metrics_addr = "${NOMAD_ADDR_api}"
      }

      # Routed by Traefik on the TLS entrypoint; no middleware (auth, allowlist)
      # is attached in these tags.
      tags = [
        "traefik.enable=true",
        "traefik.http.routers.blocky-api.entryPoints=websecure",
      ]

      connect {
        sidecar_service {
          proxy {
            local_service_port = 4000

            # Expose /metrics on the "api" port through the Envoy sidecar.
            # Exposed paths are reachable without Connect mTLS, so only the
            # metrics path is opened this way, not the whole API.
            expose {
              path {
                path            = "/metrics"
                protocol        = "http"
                local_path_port = 4000
                listener_port   = "api"
              }
            }

            # Upstreams bound on localhost inside the group's network namespace;
            # traffic leaves the node over Connect mTLS.
            upstreams {
              destination_name = "redis"
              local_bind_port  = 6379
            }

            upstreams {
              destination_name = "mysql-server"
              local_bind_port  = 4040
            }
          }
        }

        sidecar_task {
          resources {
            cpu        = 50
            memory     = 20
            memory_max = 50
          }
        }
      }

      # Liveness check against the API root; a failing check marks the service
      # unhealthy for Consul/Traefik but does not restart the task by itself.
      check {
        name     = "api-health"
        port     = "api"
        type     = "http"
        path     = "/"
        interval = "10s"
        timeout  = "3s"
      }
    }

    task "blocky" {
      driver = "docker"

      config {
        # NOTE(review): no tag or digest is given, so each node pulls whatever
        # `latest` is at pull time; pin a version tag (or @sha256 digest) so
        # all nodes run the same build and upgrades are deliberate.
        image = "ghcr.io/0xerr0r/blocky"
        ports = ["dns", "api"]

        # Bind the rendered config (see the template below) into the container.
        mount {
          type   = "bind"
          target = "/app/config.yml"
          source = "app/config.yml"
        }
      }

      resources {
        cpu        = 50
        memory     = 50
        memory_max = 100
      }

      vault {
        policies = [
          "access-tables",
          "nomad-task",
        ]
      }

      # Render the operator-supplied config into the task directory. splay adds
      # a random delay before the change-triggered restart so nodes do not all
      # bounce at once, and wait batches rapid template changes into one render.
      template {
        data        = var.config_data
        destination = "app/config.yml"
        splay       = "1m"

        wait {
          min = "10s"
          max = "20s"
        }
      }
    }

    # One-shot prestart task: creates the database and users blocky needs,
    # then exits before the main task starts.
    task "blocky-bootstrap" {
      driver = "docker"

      lifecycle {
        hook    = "prestart"
        sidecar = false
      }

      config {
        # The image is only used for its mysql client binary.
        image = "mariadb:10"
        # Credentials come from the rendered my.cnf rather than the command
        # line, so they do not show up in process listings. `$${...}` is
        # escaped so the shell, not Nomad, expands NOMAD_SECRETS_DIR.
        args = [
          "/bin/bash",
          "-c",
          "/usr/bin/mysql --defaults-extra-file=$${NOMAD_SECRETS_DIR}/my.cnf < $${NOMAD_SECRETS_DIR}/bootstrap.sql",
        ]
      }

      vault {
        policies = [
          "access-tables",
          "nomad-task",
        ]
      }

      # Client config for the mysql CLI. The server address is the Connect
      # upstream bound above; the root password is read from Vault.
      # NOTE(review): this bootstrap runs as the MySQL root account. It needs
      # CREATE DATABASE / CREATE USER / GRANT, but a dedicated admin account
      # limited to those privileges would narrow the blast radius of this
      # secret.
      template {
        data = <<EOF
[client]
host={{ env "NOMAD_UPSTREAM_IP_mysql_server" }}
port={{ env "NOMAD_UPSTREAM_PORT_mysql_server" }}
user=root
{{ with secret "kv/data/mysql" }}
password={{ .Data.data.root_password }}
{{ end }}
EOF
        destination = "$${NOMAD_SECRETS_DIR}/my.cnf"
      }

      # Idempotent bootstrap SQL (IF NOT EXISTS throughout). $db_name is bound
      # to a template variable because inside the nested grafana `with` block
      # `.Data` refers to the grafana secret, not the blocky one. When no
      # db_name is set the script degrades to a harmless SELECT so the mysql
      # command still exits 0.
      # NOTE(review): the Vault values are spliced into SQL string literals
      # without escaping, so a quote character in db_user/db_pass would break
      # (or alter) the statement. The users are also granted from '%' (any
      # host); presumably because connections arrive via the Connect proxy
      # from varying addresses — confirm this cannot be tightened.
      template {
        data = <<EOF
{{ with secret "kv/data/blocky" -}}
{{ if .Data.data.db_name -}}
{{ $db_name := .Data.data.db_name }}
CREATE DATABASE IF NOT EXISTS `{{ $db_name }}`;
CREATE USER IF NOT EXISTS '{{ .Data.data.db_user }}'@'%' IDENTIFIED BY '{{ .Data.data.db_pass }}';
GRANT ALL ON `{{ $db_name }}`.* to '{{ .Data.data.db_user }}'@'%';
{{ with secret "kv/data/grafana" -}}
-- Add grafana read_only user
CREATE USER IF NOT EXISTS '{{ .Data.data.db_user_ro }}'@'%' IDENTIFIED BY '{{ .Data.data.db_pass_ro }}';
GRANT SELECT ON `{{ $db_name }}`.* to '{{ .Data.data.db_user_ro }}'@'%';
{{ end -}}
{{ else -}}
SELECT 'NOOP';
{{ end -}}
{{ end -}}
EOF
        destination = "$${NOMAD_SECRETS_DIR}/bootstrap.sql"
      }

      resources {
        cpu    = 50
        memory = 50
      }
    }
  }
}