variable "flake_ref" {
  type = string
}

variable "flake_sha" {
  type = string
}

job "hydra" {
  datacenters = [ "homelab-1" ]
  type = "service"

  constraint {
    attribute = "${attr.unique.hostname}"
    value = "blowhole"
  }

  group "svc" {
    count = 1

    volume "hydra-data" {
      type = "csi"
      source = "hydra-data"
      read_only = false

      attachment_mode = "file-system"
      access_mode     = "single-node-writer"
    }

    volume "hydra-nix" {
      type = "csi"
      source = "hydra-nix"
      read_only = false

      attachment_mode = "file-system"
      access_mode     = "single-node-writer"
    }

    volume "hydra-db" {
      type = "csi"
      source = "hydra-db"
      read_only = false

      attachment_mode = "file-system"
      access_mode     = "single-node-writer"
    }

    restart {
      attempts = 5
      delay = "5s"
    }

    network {
      mode = "bridge"
    }

    service {
      name = "hydra"
      port = "3000"

      check {
        type = "http"
        address_mode = "alloc"
        path = "/"
        port = "3000"
        interval = "2s"
        timeout = "2s"
      }

      connect {
        sidecar_service {}
      }
    }

    task "hydra" {
      driver = "docker"

      volume_mount {
        volume = "hydra-data"
        destination = "/var/lib/hydra"
        read_only = false
      }

      volume_mount {
        volume = "hydra-nix"
        destination = "/nix-persist"
        read_only = false
      }

      config {
        nix_flake_ref = "${var.flake_ref}#nixngSystems.hydra.config.system.build.toplevel"
        nix_flake_sha = var.flake_sha
        entrypoint = [ "init" ]

        devices = [
          {
            host_path = "/dev/fuse"
            container_path = "/dev/fuse"
          }
        ]
        privileged = true
      }

      vault {
        policies = ["hydra-policy"]
      }

      resources {
        cpu = 4000
        memory = 4096
        memory_max = 8096
      }

      template {
        data = <<EOF
{{ with secret "kv/data/hydra" }}{{ .Data.data.nixbuild_key }}{{ end }}
EOF
        destination = "secrets/ssh-key"
        perms = "400"
      }

      template {
        data = <<EOF
dbi:Pg:dbname=hydra;host=127.0.0.1;port=5432;user=hydra;
EOF
        destination = "local/dbi"
      }

      template {
        data = <<EOF
127.0.0.1:*:*:hydra:{{ with secret "kv/data/hydra" }}{{ .Data.data.pgpass}}{{ end }}
EOF
        destination = "secrets/pgpass"
        perms = "400"
      }

      template {
        data = <<EOF
127.0.0.1:*:*:hydra:{{ with secret "kv/data/hydra" }}{{ .Data.data.pgpass}}{{ end }}
EOF
        destination = "secrets/pgpass-www"
        perms = "400"
      }

      template {
        data = <<EOF
127.0.0.1:*:*:hydra:{{ with secret "kv/data/hydra" }}{{ .Data.data.pgpass}}{{ end }}
EOF
        destination = "secrets/pgpass-queue-runner"
        perms = "400"
      }
    }

    task "postgresql" {
      driver = "docker"

      volume_mount {
        volume = "hydra-db"
        destination = "/var/lib/postgresql"
        read_only = false
      }

      config {
        nix_flake_ref = "${var.flake_ref}#nixngSystems.hydraPostgresql.config.system.build.toplevel"
        nix_flake_sha = var.flake_sha
        entrypoint = [ "init" ]
      }

      resources {
        cpu = 500
        memory = 128
        memory_max = 256
      }

      template {
        data = <<EOF
alter user hydra with encrypted password '{{ with secret "kv/data/hydra" }}{{ .Data.data.pgpass}}{{ end }}';
EOF
        destination = "secrets/init.sql"
      }

      vault {
        policies = ["hydra-policy"]
      }
    }
  }
}