variable "postgres_image" {
  type = string
  default = "postgres:14"
}

variable "immich_tag" {
  type = string
  default = "release"
}

job "immich" {
  datacenters = ["dc1"]
  type = "service"

  group "immich" {
    count = 1

    network {
      mode = "bridge"

      port "server" {
        host_network = "loopback"
        to = 3001
      }

      port "microservices" {
        host_network = "loopback"
        to = 3001
      }

      port "web" {
        host_network = "loopback"
        to = 3000
      }

      port "proxy" {
        host_network = "loopback"
        to = 80
      }
    }

    volume "immich-upload" {
      type = "host"
      read_only = false
      source = "immich-upload"
    }

    service {
      name = "immich"
      port = "proxy"

      connect {
        sidecar_service {
          proxy {
            local_service_port = 80

            upstreams {
              destination_name = "redis"
              local_bind_port = 6379
            }

            upstreams {
              destination_name = "postgres"
              local_bind_port = 5432
            }
          }
        }

        sidecar_task {
          resources {
            cpu = 50
            memory = 50
          }
        }
      }

      tags = [
        "traefik.enable=true",
      ]
    }

    task "immich-bootstrap" {
      driver = "docker"

      config {
        image = "${var.postgres_image}"
        args = [
          "/bin/bash",
          "-c",
          "/usr/bin/psql --no-password -f ${NOMAD_SECRETS_DIR}/bootstrap.sql",
        ]
      }

      resources {
        cpu = 50
        memory = 20
        memory_max = 100
      }

      vault {
        policies = [
          "access-tables",
          "nomad-task",
        ]
      }

      env {
        PGHOST = "${NOMAD_UPSTREAM_IP_postgres}"
        PGPORT = "${NOMAD_UPSTREAM_PORT_postgres}"
        PGUSER = "root"
      }

      template {
        data = <<EOH
        {{ with secret "kv/data/postgres" }}
        PGPASSWORD={{ .Data.data.superuser_password }}
        {{ end }}
        EOH
        destination = "secrets/pgpass.env"
        env = true
      }

      template {
        data = <<EOF
        {{ with secret "kv/data/immich" }}
        DB_DATABASE_NAME={{ .Data.data.db_name }}
        DB_USERNAME={{ .Data.data.db_user }}
        DB_PASSWORD={{ .Data.data.db_pass }}
        {{ end }}
        EOF
        destination = "secrets/immich-db.env"
        env = true
      }

      template {
        data = <<EOH
        {{ with secret "kv/data/immich" }}
        DO
        $do$
        BEGIN
        IF EXISTS (
          SELECT FROM pg_catalog.pg_roles
          WHERE  rolname = '{{ .Data.data.db_user }}') THEN

          RAISE NOTICE 'Role "{{ .Data.data.db_user }}" already exists. Skipping.';
          ELSE
          CREATE ROLE {{ .Data.data.db_user }} LOGIN PASSWORD '{{ .Data.data.db_pass }}';
          END IF;

          IF EXISTS (SELECT FROM pg_database WHERE datname = '{{ .Data.data.db_name }}') THEN
          RAISE NOTICE 'Database already exists';  -- optional
          ELSE
          PERFORM dblink_exec('dbname=' || current_database()  -- current db
          , 'CREATE DATABASE {{ .Data.data.db_name }}');
          REVOKE ALL ON DATABASE {{ .Data.data.db_name }} FROM public;
          GRANT ALL PRIVILEGES ON DATABASE {{ .Data.data.db_name }} TO {{ .Data.data.db_user }};
          END IF;
          END
          $do$;
          {{ end }}
          EOH
          destination = "secrets/bootstrap.sql"
        }
      }

      task "immich-server" {
        driver = "docker"

        volume_mount {
          volume = "immich-upload"
          destination = "/usr/src/app/upload"
          read_only = false
        }

        config {
          image = "altran1502/immich-server:${var.immich_tag}"
          entrypoint = ["/bin/sh", "./start-server.sh"]
          ports = ["server"]
        }

        resources {
          cpu = 100
          memory = 200
        }

        env {
          NODE_ENV = "production"
          REDIS_HOSTNAME = "${NOMAD_UPSTREAM_IP_redis}"
          REDIS_PORT = "${NOMAD_UPSTREAM_PORT_redis}"
          # REDIS_DBINDEX=0
          # REDIS_PASSWORD=
          # REDIS_SOCKET=
        }

        vault {
          policies = [
            "access-tables",
            "nomad-task",
          ]
        }

        template {
          data = <<EOF
          DB_HOSTNAME="${NOMAD_UPSTREAM_IP_postgres}"
          DB_PORT="${NOMAD_UPSTREAM_PORT_postgres}"
          {{ with secret "kv/data/immich" }}
          DB_DATABASE_NAME={{ .Data.data.db_name }}
          DB_USERNAME={{ .Data.data.db_user }}
          DB_PASSWORD={{ .Data.data.db_pass }}
          {{ end }}
          EOF
          destination = "secrets/db.env"
          env = true
        }
      }

      task "immich-microservices" {
        driver = "docker"

        volume_mount {
          volume = "immich-upload"
          destination = "/usr/src/app/upload"
          read_only = false
        }

        config {
          image = "altran1502/immich-server:${var.immich_tag}"
          entrypoint = ["/bin/sh", "./start-microservices.sh"]
          ports = ["microservices"]
        }

        resources {
          cpu = 100
          memory = 50
          memory_max = 200
        }

        env {
          NODE_ENV = "production"
          REDIS_HOSTNAME = "${NOMAD_UPSTREAM_IP_redis}"
          REDIS_PORT = "${NOMAD_UPSTREAM_PORT_redis}"
          # REDIS_DBINDEX=0
          # REDIS_PASSWORD=
          # REDIS_SOCKET=
        }

        vault {
          policies = [
            "access-tables",
            "nomad-task",
          ]
        }

        template {
          data = <<EOF
          DB_HOSTNAME="${NOMAD_UPSTREAM_IP_postgres}"
          DB_PORT="${NOMAD_UPSTREAM_PORT_postgres}"
          {{ with secret "kv/data/immich" }}
          DB_DATABASE_NAME={{ .Data.data.db_name }}
          DB_USERNAME={{ .Data.data.db_user }}
          DB_PASSWORD={{ .Data.data.db_pass }}
          {{ end }}
          EOF
          destination = "secrets/db.env"
          env = true
        }
      }

      task "immich-machine-learning" {
        driver = "docker"

        volume_mount {
          volume = "immich-upload"
          destination = "/usr/src/app/upload"
          read_only = false
        }

        config {
          image = "altran1502/immich-machine-learning:${var.immich_tag}"
          entrypoint = ["/bin/sh", "./entrypoint.sh"]
        }

        resources {
          cpu = 500
          memory = 100
          memory_max = 500
        }

        env {
          NODE_ENV = "production"
        }

        vault {
          policies = [
            "access-tables",
            "nomad-task",
          ]
        }

        template {
          data = <<EOF
          DB_HOSTNAME="${NOMAD_UPSTREAM_IP_postgres}"
          DB_PORT="${NOMAD_UPSTREAM_PORT_postgres}"
          {{ with secret "kv/data/immich" }}
          DB_DATABASE_NAME={{ .Data.data.db_name }}
          DB_USERNAME={{ .Data.data.db_user }}
          DB_PASSWORD={{ .Data.data.db_pass }}
          {{ end }}
          EOF
          destination = "secrets/db.env"
          env = true
        }
      }

      task "immich-web" {
        driver = "docker"

        config {
          image = "altran1502/immich-web:${var.immich_tag}"
          entrypoint = ["/bin/sh", "./entrypoint.sh"]
          ports = ["web"]
        }

        resources {
          cpu = 50
          memory = 50
        }
      }

      task "immich-proxy" {
        driver = "docker"

        config {
          ports = ["proxy"]
          image = "altran1502/immich-proxy:${var.immich_tag}"
        }

        resources {
          cpu = 50
          memory = 50
        }
      }
    }
  }