variable "flake_ref" {
  type = string
}

variable "flake_sha" {
  type = string
}

variable "store_path" {
  type = string
}

variable "upstreams" {
  type = string
}

job "ingress" {
  datacenters = [ "homelab-1" ]
  type = "service"

  group "ingress" {
    count = 1

    constraint {
      attribute = "${attr.unique.hostname}"
      value = "blowhole"
    }

    network {
      mode = "bridge"

      port "http-paccess" {
        static = 80
        to = 81
        host_network = "wan"
      }

      port "http" {
        static = 80
        to = 80
        host_network = "default"
      }

      port "https" {
        static = 443
        to = 443
        host_network = "default"
      }

      port "imap" {
        static = 143
        to = 143
        host_network = "default"
      }
    }

    service {
      name = "ingress-blowhole"
      port = "80"

      check {
        type = "http"
        path = "/health"
        name = "jellyfin"
        port = "http"
        interval = "5s"
        timeout = "5s"
        header {
          Host = [ "jellyfin.in.redalder.org" ]
        }
      }

      check {
        type = "http"
        path = "/"
        name = "zigbee2mqtt"
        port = "http"
        interval = "5s"
        timeout = "5s"
        header {
          Host = [ "zigbee2mqtt.in.redalder.org" ]
        }
      }

      check {
        type = "http"
        path = "/"
        name = "home-assistant"
        port = "http"
        interval = "5s"
        timeout = "5s"
        header {
          Host = [ "hass.in.redalder.org" ]
        }
      }

      # check {
      #   type = "http"
      #   path = "/"
      #   name = "syncthing"
      #   port = "http"
      #   interval = "5s"
      #   timeout = "5s"
      #   header {
      #     Host = [ "syncthing.in.redalder.org" ]
      #   }
      # }

      check {
        type = "http"
        path = "/api/health"
        name = "grafana"
        port = "http"
        interval = "5s"
        timeout = "5s"
        header {
          Host = [ "grafana.in.redalder.org" ]
        }
      }

      check {
        type = "http"
        path = "/health"
        name = "influx"
        port = "http"
        interval = "5s"
        timeout = "5s"
        header {
          Host = [ "influx.in.redalder.org" ]
        }
      }

      check {
        type = "http"
        path = "/"
        name = "mainsail"
        port = "http"
        interval = "5s"
        timeout = "5s"
        header {
          Host = [ "mainsail.in.redalder.org" ]
        }
      }

      connect {
        sidecar_service {
          proxy {
            upstreams {
              destination_name = "jellyfin"
              local_bind_port  = 8001
            }

            upstreams {
              destination_name = "zigbee2mqtt"
              local_bind_port  = 8002
            }

            upstreams {
              destination_name = "home-assistant"
              local_bind_port  = 8003
            }

            upstreams {
              destination_name = "syncthing"
              local_bind_port  = 8004
            }

            upstreams {
              destination_name = "dovecot-imap"
              local_bind_port  = 8005
            }

            upstreams {
              destination_name = "grafana"
              local_bind_port  = 8006
            }

            upstreams {
              destination_name = "influx"
              local_bind_port  = 8007
            }

            upstreams {
              destination_name = "mainsail"
              local_bind_port  = 8008
            }

            upstreams {
              destination_name = "matrix-synapse"
              local_bind_port  = 8009
            }

            upstreams {
              destination_name = "matrix-mautrix-facebook"
              local_bind_port  = 8010
            }
          }
        }

        sidecar_task {
          resources {
            cpu = 75
            memory = 48
          }

          config {
            memory_hard_limit = 96
          }
        }
      }
    }

    task "nginx" {
      driver = "docker"

      config {
        nix_flake_ref = "${var.flake_ref}#nixngConfigurations.ingressBlowhole.config.system.build.toplevel"
        nix_flake_sha = var.flake_sha
        nix_flake_store_path = var.store_path
        entrypoint = [ "init" ]

        labels {
          grok_type = "nginx"
        }
      }

      resources {
        cpu = 200
        memory = 32
        memory_max = 128
      }

      template {
        data = <<EOF
ssl_certificate_key /etc/letsencrypt/live/redalder.org/privkey.pem;
ssl_certificate /etc/letsencrypt/live/redalder.org/fullchain.pem;

ssl_session_cache shared:le_nginx_SSL:10m;
ssl_session_timeout 1440m;
ssl_session_tickets off;

ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers off;

ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
EOF
        destination   = "local/ssl.conf"
        change_mode   = "signal"
        change_signal = "SIGHUP"
      }

      template {
        data = <<EOF
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
EOF
        destination   = "local/headers.conf"
        change_mode   = "signal"
        change_signal = "SIGHUP"
      }

      template {
        data = <<EOF
add_header X-Frame-Options "SAMEORIGIN";
add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
EOF
        destination   = "local/security.conf"
        change_mode   = "signal"
        change_signal = "SIGHUP"
      }

      template {
        data = var.upstreams

        destination   = "local/upstreams.conf"
        change_mode   = "signal"
        change_signal = "SIGHUP"
      }

      template {
        data = <<EOF
upstream dovecot-imap {
  server {{ env "NOMAD_UPSTREAM_ADDR_dovecot-imap" }};
}

server {
  listen 143;

  proxy_pass dovecot-imap;
}
EOF
        destination   = "local/streams.conf"
        change_mode   = "signal"
        change_signal = "SIGHUP"
      }
    }
  }
}