job "garage-staging" {
  type = "system"
  priority = 90

  datacenters = [ "neptune" ]

  update {
    max_parallel = 1
    stagger = "30s"
    min_healthy_time = "10s"
  }

  group "garage-staging" {
    network {
      port "s3" { static = 3990 }
      port "rpc" { static = 3991 }
      port "web" { static = 3992 }
      port "k2v" { static = 3993 }
      port "admin" { static = 3909 }
    }

    task "server" {
      driver = "nix2"

      config {
        packages = [
          "bash", # so that we can enter a shell inside container
          "git+https://git.deuxfleurs.fr/Deuxfleurs/garage.git?ref=nix-remove-system&rev=60c26fbc628d7b450ae39214b578ab6a30583d5c",
        ]
        command = "garage"
        args = [ "server" ]
        bind = {
          "/mnt/storage/garage-staging/data" = "/data",
          "/mnt/ssd/garage-staging/meta" = "/meta",
        }
      }

      env = {
        RUST_LOG = "garage=debug",
      }

      # files currently owned by root, we don't want to chown everything
      user = "root"

      template {
        data = file("../config/garage.toml")
        destination = "etc/garage.toml"
      }

      template {
        data = "{{ key \"secrets/consul/consul-ca.crt\" }}"
        destination = "etc/garage/consul-ca.crt"
      }

      template {
        data = "{{ key \"secrets/consul/consul-client.crt\" }}"
        destination = "etc/garage/consul-client.crt"
      }

      template {
        data = "{{ key \"secrets/consul/consul-client.key\" }}"
        destination = "etc/garage/consul-client.key"
      }

      resources {
        memory = 2000
        memory_max = 3000
        cpu = 500
      }

      kill_signal = "SIGINT"
      kill_timeout = "20s"

      service {
        name = "garage-staging-rpc"
        tags = ["garage-staging-rpc"]
        port = "rpc"
        # No check on RPC, it wouldn't try connecting to the correct address
        # (Garage listens only on IPv6 for RPC, see config file)
      }

      service {
        name = "garage-staging-s3-api"
        tags = [
          "garage-staging-api",
          "tricot garage.staging.deuxfleurs.org",
          "tricot-add-header Access-Control-Allow-Origin *",
        ]
        port = "s3"
        check {
          type = "tcp"
          interval = "60s"
          timeout = "5s"
          check_restart {
            limit = 3
            grace = "90s"
          }
        }
      }

      service {
        name = "garage-staging-k2v-api"
        tags = [
          "garage-staging-k2v-api",
          "tricot k2v.staging.deuxfleurs.org",
          "tricot-add-header Access-Control-Allow-Origin *",
        ]
        port = "k2v"
        check {
          type = "tcp"
          interval = "60s"
          timeout = "5s"
          check_restart {
            limit = 3
            grace = "90s"
          }
        }
      }

      service {
        name = "garage-staging-web"
        tags = [
            "garage-staging-web",
            "tricot *.web.staging.deuxfleurs.org",
            "tricot staging.deuxfleurs.org",
            "tricot matrix.home.adnab.me/.well-known/matrix/server",
            "tricot-add-header Access-Control-Allow-Origin *",
        ]
        port = "web"
        check {
          type = "tcp"
          interval = "60s"
          timeout = "5s"
          check_restart {
            limit = 3
            grace = "90s"
          }
        }
      }

      service {
        name = "garage-staging-admin"
        tags = [
          "garage-staging-admin",
        ]
        port = "admin"
        check {
          type = "tcp"
          interval = "60s"
          timeout = "5s"
          check_restart {
            limit = 3
            grace = "90s"
          }
        }
      }

      restart {
        interval = "5m"
        attempts = 10
        delay    = "15s"
        mode     = "delay"
      }
    }
  }
}