job "backup_daily" {
  datacenters = ["neptune", "scorpio", "bespin"]
  type = "batch"

  priority = "60"

  periodic {
    cron = "@daily"
    // Do not allow overlapping runs.
    prohibit_overlap = true
  }

  group "backup-dovecot" {
    constraint {
      attribute = "${attr.unique.hostname}"
      operator = "="
      value = "celeri"
    }

    task "main" {
      driver = "docker"

      config {
        image = "restic/restic:0.16.4"
        entrypoint = [ "/bin/sh", "-c" ]
        args = [ "restic backup /mail && restic forget --group-by paths --keep-within 1m1d --keep-within-weekly 3m --keep-within-monthly 1y && restic prune --max-unused 50% --max-repack-size 2G && restic check" ]
        volumes = [
          "/mnt/ssd/mail:/mail"
        ]
      }

      template {
        data = <<EOH
AWS_ACCESS_KEY_ID={{ key "secrets/email/dovecot/backup_aws_access_key_id" }}
AWS_SECRET_ACCESS_KEY={{ key "secrets/email/dovecot/backup_aws_secret_access_key" }}
RESTIC_REPOSITORY={{ key "secrets/email/dovecot/backup_restic_repository" }}
RESTIC_PASSWORD={{ key "secrets/email/dovecot/backup_restic_password" }}
EOH

         destination = "secrets/env_vars"
         env = true
      }

      resources {
        cpu = 500
        memory = 100
		memory_max = 1000
      }

      restart {
        attempts = 2
        interval = "30m"
        delay = "15s"
        mode = "fail"
      }
    }
  }

  group "backup-consul" {
    task "consul-kv-export" {
      driver = "docker"

      lifecycle {      
        hook = "prestart"      
        sidecar = false    
      }

      config {
        image = "consul:1.13.1"
        network_mode = "host"
        entrypoint = [ "/bin/sh", "-c" ]
        args = [ "/bin/consul kv export > $NOMAD_ALLOC_DIR/consul.json" ]
        volumes = [
          "secrets:/etc/consul",
        ]
      }

      env {
        CONSUL_HTTP_ADDR = "https://consul.service.prod.consul:8501"
	CONSUL_HTTP_SSL = "true"
	CONSUL_CACERT = "/etc/consul/consul.crt"
	CONSUL_CLIENT_CERT = "/etc/consul/consul-client.crt"
	CONSUL_CLIENT_KEY = "/etc/consul/consul-client.key"
      }

      resources {
        cpu = 200
        memory = 200
      }


      template {
        data = "{{ key \"secrets/consul/consul.crt\" }}"
        destination = "secrets/consul.crt"
      }

      template {
        data = "{{ key \"secrets/consul/consul-client.crt\" }}"
        destination = "secrets/consul-client.crt"
      }

      template {
        data = "{{ key \"secrets/consul/consul-client.key\" }}"
        destination = "secrets/consul-client.key"
      }

      restart {
        attempts = 2
        interval = "30m"
        delay = "15s"
        mode = "fail"
      }
    }

    task "restic-backup" {
      driver = "docker"

      config {
        image = "restic/restic:0.16.4"
        entrypoint = [ "/bin/sh", "-c" ]
        args = [ "restic backup $NOMAD_ALLOC_DIR/consul.json && restic forget --group-by paths --keep-within 1m1d --keep-within-weekly 3m --keep-within-monthly 1y && restic prune --max-unused 50% --max-repack-size 2G && restic check" ]
      }


      template {
        data = <<EOH
AWS_ACCESS_KEY_ID={{ key "secrets/backup/consul/backup_aws_access_key_id" }}
AWS_SECRET_ACCESS_KEY={{ key "secrets/backup/consul/backup_aws_secret_access_key" }}
RESTIC_REPOSITORY={{ key "secrets/backup/consul/backup_restic_repository" }}
RESTIC_PASSWORD={{ key "secrets/backup/consul/backup_restic_password" }}
EOH

         destination = "secrets/env_vars"
         env = true
      }

      resources {
        cpu = 200
        memory = 200
      }

      restart {
        attempts = 2
        interval = "30m"
        delay = "15s"
        mode = "fail"
      }
    }
  }

  group "backup-cryptpad" {
    constraint {
      attribute = "${attr.unique.hostname}"
      operator = "="
      value = "courgette"
    }

    task "main" {
      driver = "docker"

      config {
        image = "restic/restic:0.16.4"
        entrypoint = [ "/bin/sh", "-c" ]
        args = [ "restic backup /cryptpad && restic forget --group-by paths --keep-within 1m1d --keep-within-weekly 3m --keep-within-monthly 1y && restic prune --max-unused 50% --max-repack-size 2G && restic check" ]
        volumes = [
          "/mnt/ssd/cryptpad:/cryptpad"
        ]
      }

      template {
        data = <<EOH
AWS_ACCESS_KEY_ID={{ key "secrets/backup/cryptpad/backup_aws_access_key_id" }}
AWS_SECRET_ACCESS_KEY={{ key "secrets/backup/cryptpad/backup_aws_secret_access_key" }}
RESTIC_REPOSITORY={{ key "secrets/backup/cryptpad/backup_restic_repository" }}
RESTIC_PASSWORD={{ key "secrets/backup/cryptpad/backup_restic_password" }}
EOH

         destination = "secrets/env_vars"
         env = true
      }

      resources {
        cpu = 500
        memory = 100
		memory_max = 1000
      }

      restart {
        attempts = 2
        interval = "30m"
        delay = "15s"
        mode = "fail"
      }
    }
  }
}