variable "app_ini" {
  type = string
}

job "gitea" {
  region = "global"
  datacenters = ["dc1"]

  type = "service"

  group "gitea" {

    network {
      mode = "bridge"

      port "web" {
        host_network = "loopback"
        to = 3000
      }

      port "ssh" {
        host_network = "loopback"
        to = 22
      }
    }

    volume "gitea-data" {
      type = "host"
      read_only = false
      source = "gitea-data"
    }

    service {
      name = "gitea-web"
      port = "web"

      connect {
        sidecar_service {
          proxy {
            local_service_port = 514

            upstreams {
              destination_name = "mysql-server"
              local_bind_port = 6060
            }
          }
        }

        sidecar_task {
          resources {
            cpu = 50
            memory = 50
          }
        }
      }

      tags = [
        "traefik.enable=true",
        "traefik.http.routers.gitea.entryPoints=websecure",
      ]
    }

    service {
      name = "gitea-ssh"
      port = "ssh"

      connect {
        sidecar_service {
          proxy {
            local_service_port = 22
          }
        }

        sidecar_task {
          resources {
            cpu = 50
            memory = 50
          }
        }
      }

      tags = [
        "traefik.enable=true",
        "traefik.tcp.routers.gitea-ssh.rule=HostSNI(`*`)",
        "traefik.tcp.routers.gitea-ssh.entryPoints=gitssh",
      ]
    }

    task "gitea-bootstrap" {
      driver = "docker"

      lifecycle {
        hook = "prestart"
        sidecar = false
      }

      config {
        image = "mysql:8"
        args = [
          "/bin/bash",
          "-c",
          "/usr/bin/mysql --defaults-extra-file=/task/my.cnf < /task/bootstrap.sql",
        ]

        mount {
          type = "bind"
          source = "local/"
          target = "/task/"
        }
      }

      vault {
        policies = [
          "access-tables",
          "nomad-task",
        ]
      }

      template {
        data = <<EOF
[client]
host={{ env "NOMAD_UPSTREAM_IP_mysql_server" }}
port={{ env "NOMAD_UPSTREAM_PORT_mysql_server" }}
user=root
{{ with secret "kv/data/mysql" }}
password={{ .Data.data.root_password }}
{{ end }}
        EOF
        destination = "local/my.cnf"
      }

      template {
        data = <<EOF
{{ with secret "kv/data/gitea" -}}
{{ if .Data.data.db_name -}}
CREATE DATABASE IF NOT EXISTS `{{ .Data.data.db_name }}`;
CREATE USER IF NOT EXISTS '{{ .Data.data.db_user }}'@'%' IDENTIFIED BY '{{ .Data.data.db_pass }}';
GRANT ALL ON `{{ .Data.data.db_name }}`.* to '{{ .Data.data.db_user }}'@'%';
{{ else -}}
SELECT 'NOOP';
{{ end -}}
{{ end -}}
        EOF
        destination = "local/bootstrap.sql"
      }

      resources {
        cpu = 50
        memory = 50
      }
    }

    task "gitea" {
      driver = "docker"

      volume_mount {
        volume = "gitea-data"
        destination = "/data"
        read_only = false
      }

      config {
        image = "gitea/gitea:1.17.3"
        ports = ["web", "ssh"]
      }

      env = {
        "GITEA_CUSTOM" = "${NOMAD_TASK_DIR}"
      }

      vault {
        policies = [
          "access-tables",
          "nomad-task",
        ]
      }

      template {
        data = var.app_ini
        destination = "local/conf/app.ini"
      }

      template {
        data = <<EOF
{{ with secret "kv/data/gitea" -}}
{{ .Data.data.secret_key }}
{{ end -}}
      EOF
        destination = "secrets/secret_key"
      }
    }
  }
}