variable "flake_ref" {
  type = string
}

variable "flake_sha" {
  type = string
}

job "ingress" {
  datacenters = [ "do-1", "homelab-1" ]
  type = "service"

  group "ingress-toothpick" {
    count = 1

    constraint {
      attribute = "${attr.unique.hostname}"
      value = "toothpick"
    }

    volume "ingress-letsencrypt" {
      type = "csi"
      source = "ingress-letsencrypt"
      read_only = false

      attachment_mode = "file-system"
      access_mode     = "single-node-writer"
    }

    network {
      mode = "bridge"
      port "http" {
	static = 80
	to = 80
	host_network = "public"
      }

      port "https" {
	static = 443
	to = 443
	host_network = "public"
      }

      port "minecraft" {
	static = 25565
	to = 25565
	host_network = "public"
      }
    }

    service {
      name = "ingress-toothpick"
      port = "http"

      connect {
	sidecar_service {
	  proxy {
	    upstreams {
	      destination_name = "gitea"
	      local_bind_port  = 3000
	      datacenter = "homelab-1"

	      mesh_gateway {
		mode = "local"
	      }
	    }

	    upstreams {
	      destination_name = "hydra"
	      local_bind_port  = 8666
	      datacenter = "homelab-1"

	      mesh_gateway {
		mode = "local"
	      }
	    }

	    upstreams {
	      destination_name = "nextcloud"
	      local_bind_port  = 8777
	      datacenter = "homelab-1"

	      mesh_gateway {
		mode = "local"
	      }
	    }

	    upstreams {
	      destination_name = "website"
	      local_bind_port  = 8080
	      datacenter = "homelab-1"

	      mesh_gateway {
		mode = "local"
	      }
	    }

	    upstreams {
	      destination_name = "minecraft"
	      local_bind_port  = 2666
	      datacenter = "homelab-1"

	      mesh_gateway {
		mode = "local"
	      }
	    }

	    upstreams {
	      destination_name = "reicio"
	      local_bind_port  = 8000
	      datacenter = "homelab-1"

	      mesh_gateway {
		mode = "local"
	      }
	    }
	  }
	}
      }
    }

    task "nginx" {
      driver = "docker"

      volume_mount {
	volume = "ingress-letsencrypt"
	destination = "/etc/letsencrypt"
	read_only = false
      }

      # artifact {
      # source = "http://hydra/build/99/download/1/image.tar.gz"
      # }

      config {
	# load = "nixng-ingress.tar.gz"
	image = "nixng-ingress:local"

	ports = ["http", "https", "minecraft"]
	memory_hard_limit = 128
      }

      resources {
	cpu = 200
	memory = 32
      }

      template {
	data = <<EOF
ssl_certificate_key /etc/letsencrypt/live/redalder.org/privkey.pem;
ssl_certificate /etc/letsencrypt/live/redalder.org/fullchain.pem;

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
EOF
        destination   = "local/ssl.conf"
        change_mode   = "signal"
        change_signal = "SIGHUP"
      }

      template {
	data = <<EOF
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
EOF
	destination   = "local/headers.conf"
	change_mode   = "signal"
	change_signal = "SIGHUP"
      }

      template {
	data = <<EOF
add_header X-Frame-Options "SAMEORIGIN";
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
EOF
	destination   = "local/security.conf"
	change_mode   = "signal"
	change_signal = "SIGHUP"
      }

      template {
	data = <<EOF
upstream minecraft {
  server {{ env "NOMAD_UPSTREAM_ADDR_minecraft" }};
}

server {
  listen 25565;

  proxy_pass minecraft;
}
EOF
	destination   = "local/streams.conf"
	change_mode   = "signal"
	change_signal = "SIGHUP"
      }

      template {
	data = <<EOF
upstream gitea {
  server {{ env "NOMAD_UPSTREAM_ADDR_gitea" }};
}

upstream hydra {
  server {{ env "NOMAD_UPSTREAM_ADDR_hydra" }};
}

upstream nextcloud {
  server {{ env "NOMAD_UPSTREAM_ADDR_nextcloud" }};
}

upstream website {
  server {{ env "NOMAD_UPSTREAM_ADDR_website" }};
}

upstream reicio {
  server {{ env "NOMAD_UPSTREAM_ADDR_reicio" }};
}

server {
  listen 443 ssl;
  
  server_name _;

  include /local/ssl.conf;

  return 404;
}

server {
  listen 443 ssl;
  
  server_name gitea.redalder.org;

  include /local/security.conf;
  include /local/ssl.conf;

  client_max_body_size 100M;

  location / {
    include /local/headers.conf;
    proxy_pass http://gitea;
  }
}

server {
  listen 443 ssl;
   
  server_name hydra.redalder.org;

  include /local/security.conf;
  include /local/ssl.conf;

  location / {
    include /local/headers.conf;
    proxy_pass http://hydra;
  }
}

server {
  listen 443 ssl;

  server_name redalder.org nixng.org;
  
  include /local/security.conf;
  include /local/ssl.conf;

  location /nextcloud/ {
    include /local/headers.conf;
    proxy_pass http://nextcloud/;
  }

  location /reicio/ {
    include /local/headers.conf;
    proxy_pass http://reicio/;
  }

  location / {
    include /local/headers.conf;
    proxy_pass http://website;
  }
}
EOF
        destination   = "local/upstreams.conf"
        change_mode   = "signal"
        change_signal = "SIGHUP"
      }
    }
  }

  group "ingress-blowhole" {
    count = 1

    constraint {
      attribute = "${attr.unique.hostname}"
      value = "blowhole"
    }

    network {
      mode = "bridge"
      port "http" {
	static = 8080
	to = 80
      }

      port "https" {
	static = 443
	to = 443
      }

      port "jellyfin" {
	static = 8096
	to = 8096
      }

      port "imap" {
	static = 143
	to = 143
      }
    }

    service {
      name = "ingress-blowhole"
      port = "80"

      connect {
	sidecar_service {
	  proxy {
	    upstreams {
	      destination_name = "jellyfin"
	      local_bind_port  = 8001
	    }

	    upstreams {
	      destination_name = "zigbee2mqtt"
	      local_bind_port  = 8002
	    }

	    upstreams {
	      destination_name = "home-assistant"
	      local_bind_port  = 8003
	    }

	    upstreams {
	      destination_name = "syncthing"
	      local_bind_port  = 8004
	    }

	    upstreams {
	      destination_name = "dovecot-imap"
	      local_bind_port  = 8005
	    }
	  }
	}

	sidecar_task {
	  resources {
	    cpu = 75
	    memory = 48
	  }

	  config {
	    memory_hard_limit = 96
	    image = "envoyproxy/envoy:v1.20.2"
	  }
	}
      }
    }

    task "nginx" {
      driver = "docker"

      config {
	image = "ra-systems-ingress-blowhole:local"

	ports = ["http", "https", "jellyfin"]
	memory_hard_limit = 128
      }

      resources {
	cpu = 200
	memory = 32
      }

      template {
	data = <<EOF
ssl_certificate_key /etc/letsencrypt/live/redalder.org/privkey.pem;
ssl_certificate /etc/letsencrypt/live/redalder.org/fullchain.pem;

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
EOF
        destination   = "local/ssl.conf"
        change_mode   = "signal"
        change_signal = "SIGHUP"
      }

      template {
	data = <<EOF
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
EOF
	destination   = "local/headers.conf"
	change_mode   = "signal"
	change_signal = "SIGHUP"
      }

      template {
	data = <<EOF
add_header X-Frame-Options "SAMEORIGIN";
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
EOF
	destination   = "local/security.conf"
	change_mode   = "signal"
	change_signal = "SIGHUP"
      }

      template {
	data = <<EOF
upstream jellyfin {
  server {{ env "NOMAD_UPSTREAM_ADDR_jellyfin" }};
}

upstream zigbee2mqtt {
  server {{ env "NOMAD_UPSTREAM_ADDR_zigbee2mqtt" }};
}

upstream home-assistant {
  server {{ env "NOMAD_UPSTREAM_ADDR_home-assistant" }};
}

upstream syncthing {
  server {{ env "NOMAD_UPSTREAM_ADDR_syncthing" }};
}

server {
  listen 8096;
  
  server_name _;

  include /local/security.conf;

  client_max_body_size 100M;

  location /jellyfin/ {
     # Proxy main Jellyfin traffic

     # The / at the end is significant.
     # https://www.acunetix.com/blog/articles/a-fresh-look-on-reverse-proxy-related-attacks/

     proxy_pass http://jellyfin/jellyfin/;

     proxy_pass_request_headers on;

     proxy_set_header Host $host;

     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header X-Forwarded-Proto $scheme;
     proxy_set_header X-Forwarded-Host $http_host;

     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection $http_connection;

     # Disable buffering when the nginx proxy gets very resource heavy upon streaming
     proxy_buffering off;
  }

  location /syncthing/ {
    include /local/headers.conf;

    proxy_pass http://syncthing/;
  }

  location ~ "^/(static/icons/|static/fonts/|static/translations/|static/images/|static/panels/|static/polyfills|api/|auth/|frontend_latest/|frontend_es5/|local/|lovelace|map|config|developer-tools|history|logbook|profile|states|hassio|onboarding.html|service_worker.js|authorize.html|manifest.json)" {
    include /local/headers.conf;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    proxy_pass http://home-assistant;
  }

  location /home-assistant {
    include /local/headers.conf;

    rewrite /home-assistant/(.*) /$1 break;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    proxy_pass http://home-assistant;
  }

  location /zigbee2mqtt/ {
    include /local/headers.conf;

#    rewrite /zigbee2mqtt/(.*) /$1 break;

    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    proxy_pass http://zigbee2mqtt/;
  }
}

server {
  listen 80;
  
  server_name _;

  include /local/security.conf;

  client_max_body_size 100M;

  location /jellyfin/ {
     # Proxy main Jellyfin traffic

     # The / at the end is significant.
     # https://www.acunetix.com/blog/articles/a-fresh-look-on-reverse-proxy-related-attacks/

     proxy_pass http://jellyfin/jellyfin/;

     proxy_pass_request_headers on;

     proxy_set_header Host $host;

     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
     proxy_set_header X-Forwarded-Proto $scheme;
     proxy_set_header X-Forwarded-Host $http_host;

     proxy_set_header Upgrade $http_upgrade;
     proxy_set_header Connection $http_connection;

     # Disable buffering when the nginx proxy gets very resource heavy upon streaming
     proxy_buffering off;
  }
}
EOF
        destination   = "local/upstreams.conf"
        change_mode   = "signal"
        change_signal = "SIGHUP"
      }

      template {
	data = <<EOF
upstream dovecot-imap {
  server {{ env "NOMAD_UPSTREAM_ADDR_dovecot-imap" }};
}

server {
  listen 143;

  proxy_pass dovecot-imap;
}
EOF
	destination   = "local/streams.conf"
	change_mode   = "signal"
	change_signal = "SIGHUP"
      }
    }
  }
}