infra/nomad/radicale.nomad
2021-07-29 23:51:21 -04:00


# Nomad service job that runs one Radicale (CalDAV/CardDAV) container under
# the Docker driver. Collections are bind-mounted from the host; the Radicale
# config, the htpasswd file and a Vault-issued certificate/key pair are
# rendered by the template stanzas below.
job "radicale" {
datacenters = ["columbia"]
region = "global"
type = "service"
# Only place the job on clients whose meta.storage_optimized is "true".
# Presumably those are the hosts that carry /mnt/raid - confirm.
constraint {
attribute = "${meta.storage_optimized}"
value = "true"
}
# Replace allocations one at a time, 30s apart.
update {
stagger = "30s"
max_parallel = 1
}
group "radicale" {
count = 1
task "radicale" {
# The task's Vault token carries the "default" and "ansible" policies and the
# task restarts when that token changes.
# NOTE(review): the templates in this task only issue from
# pki_int/issue/masked-dot-name and read kv/data/radicale. The contents of
# "ansible" are not visible here; if it grants more than those two paths, a
# dedicated policy scoped to them would be the least-privilege choice.
vault {
policies = ["default", "ansible"]
change_mode = "restart"
}
driver = "docker"
config {
# NOTE(review): the image reference has no tag or digest, so Docker resolves
# it to ":latest". Pinning a tag or digest keeps deployments reproducible and
# prevents a replaced image from being picked up unnoticed on restart.
image = "docker.service.masked.name:8082/radicale"
ports = ["http"]
# Host-path bind mount for the collection store (see [storage] below).
volumes = [
"/mnt/raid/radicale/collections:/collections"
]
}
service {
name = "radicale"
port = "http"
# TCP check: only verifies that the port accepts connections, not that
# Radicale answers HTTP requests.
check {
name = "radicale"
type = "tcp"
interval = "10s"
timeout = "2s"
address_mode = "driver"
}
}
# Certificate half of a Vault PKI issuance, written to the task secrets dir.
# The key template below repeats the same request. As far as I know the
# template runner de-duplicates identical secret requests, which is what keeps
# certificate and key a matching pair - the arguments must therefore stay
# identical in both stanzas (TODO confirm).
# NOTE(review): the Radicale config in this job sets ssl = False and never
# references radicale.crt or radicale.key, so the pair appears to be unused by
# this task while still triggering a restart on every renewal.
template {
data = <<EOH
{{- with secret "pki_int/issue/masked-dot-name" "common_name=radicale.service.masked.name" "alt_names=radicale.service.columbia.masked.name" -}}
{{- .Data.certificate -}}
{{- end -}}
EOH
destination = "${NOMAD_SECRETS_DIR}/radicale.crt"
change_mode = "restart"
}
# Private-key half of the same issuance request; see the note on the
# certificate template about keeping the arguments identical.
template {
data = <<EOH
{{- with secret "pki_int/issue/masked-dot-name" "common_name=radicale.service.masked.name" "alt_names=radicale.service.columbia.masked.name" -}}
{{- .Data.private_key -}}
{{- end -}}
EOH
destination = "${NOMAD_SECRETS_DIR}/radicale.key"
change_mode = "restart"
}
# Radicale configuration, read via RADICALE_CONFIG (see env below).
# NOTE(review): ssl = False makes the listener on 5232 plain HTTP, so the
# htpasswd (HTTP Basic) credentials cross the network unencrypted unless a
# TLS-terminating proxy sits in front of this service (none is visible here).
# Serving TLS directly would need ssl = True plus the [server] certificate and
# key options pointing at the files rendered above.
# NOTE(review): Access-Control-Allow-Origin = * allows any web origin to read
# responses from this server. Restrict it to the origin of the web client that
# actually needs it, or drop the header if no browser client is in use.
# No change_mode is set, so Nomad's default for templates (restart) applies.
template {
data = <<EOH
[server]
hosts = 0.0.0.0:5232
max_connections = 20
max_content_length = 10000000
timeout = 60
ssl = False
[encoding]
request = utf-8
stock = utf-8
[auth]
type = htpasswd
htpasswd_filename = /secrets/users
htpasswd_encryption = bcrypt
delay = 1
realm = Radicale - Password Required
[storage]
type = multifilesystem
filesystem_folder = /collections
[logging]
mask_passwords = True
[headers]
Access-Control-Allow-Origin = *
EOH
destination = "local/config"
}
# htpasswd file with a single user whose value is read from the KV path
# kv/data/radicale. Because the config above sets htpasswd_encryption = bcrypt,
# the stored value has to be a bcrypt hash rather than a plaintext password -
# verify what is actually kept in Vault.
template {
data = <<EOH
amarpreet:{{ with secret "kv/data/radicale" }}{{ .Data.data.amarpreet }}{{ end }}
EOH
destination = "secrets/users"
}
# Points Radicale at the config rendered to local/config above.
env {
RADICALE_CONFIG = "/local/config"
}
# cpu is in MHz, memory in MB.
resources {
cpu = 2000
memory = 2560
}
}
# Dynamically assigned host port mapped to 5232 inside the container, the
# port Radicale binds in [server] hosts.
network {
port "http" {
to = 5232
}
}
}
}