job "hydra" {
  datacenters = [ "homelab-1" ]
  type = "service"

  constraint {
    attribute = "${attr.unique.hostname}"
    value = "blowhole"
  }

  group "svc" {
    count = 1

    volume "hydra-data" {
      type = "csi"
      source = "hydra-data"
      read_only = false

      attachment_mode = "file-system"
      access_mode     = "single-node-writer"
    }

    volume "hydra-nix" {
      type = "csi"
      source = "hydra-nix"
      read_only = false
      
      attachment_mode = "file-system"
      access_mode     = "single-node-writer"
    }

    volume "hydra-db" {
      type = "csi"
      source = "hydra-db"
      read_only = false

      attachment_mode = "file-system"
      access_mode     = "single-node-writer"
    }

    restart {
      attempts = 5
      delay = "5s"
    }

    network {
      mode = "bridge"
    }

    service {
      name = "hydra"
      port = "3000"

      check {
	type = "http"
	address_mode = "alloc"
	path = "/"
	port = "3000"
	interval = "2s"
	timeout = "2s"
      }

      connect {
	sidecar_service {}
      }
    }

    task "hydra" {
      driver = "docker"

      volume_mount {
	volume = "hydra-data"
	destination = "/var/lib/hydra"
	read_only = false
      }

      volume_mount {
	volume = "hydra-nix"
	destination = "/nix-persist"
	read_only = false
      }

      config {
	image = "nixng-hydra:local"

	devices = [
	  {
	    host_path = "/dev/fuse"
	    container_path = "/dev/fuse"
	  },
	]
	privileged = true

	memory_hard_limit = 3072
      }

      vault {
	policies = ["hydra-policy"]
      }

      resources {
	cpu = 4000
	memory = 1024
      }

      template {
	data = <<EOF
{{ with secret "kv/data/hydra" }}{{ .Data.data.nixbuild_key }}{{ end }}
EOF
	destination = "secrets/ssh-key"
	perms = "400"
      }

      template {
	data = <<EOF
dbi:Pg:dbname=hydra;host=127.0.0.1;port=5432;user=hydra;
EOF
	destination = "local/dbi"
      }

      template {
	data = <<EOF
127.0.0.1:*:*:hydra:{{ with secret "kv/data/hydra" }}{{ .Data.data.pgpass}}{{ end }}
EOF
	destination = "secrets/pgpass"
	perms = "400"
      }

      template {
	data = <<EOF
127.0.0.1:*:*:hydra:{{ with secret "kv/data/hydra" }}{{ .Data.data.pgpass}}{{ end }}
EOF
	destination = "secrets/pgpass-www"
	perms = "400"
      }
      
      template {
	data = <<EOF
127.0.0.1:*:*:hydra:{{ with secret "kv/data/hydra" }}{{ .Data.data.pgpass}}{{ end }}
EOF
	destination = "secrets/pgpass-queue-runner"
	perms = "400"
      }
    }

    task "postgresql" {
      driver = "docker"

      volume_mount {
	volume = "hydra-db"
	destination = "/var/lib/postgresql"
	read_only = false
      }

      config {
	image = "nixng-hydra-postgresql:local"

	memory_hard_limit = 256
      }

      resources {
	cpu = 500
	memory = 128
      }

      template {
	data = <<EOF
alter user hydra with encrypted password '{{ with secret "kv/data/hydra" }}{{ .Data.data.pgpass}}{{ end }}';
EOF
	destination = "secrets/init.sql"
      }

      vault {
	policies = ["hydra-policy"]
      }
    }
  }
}