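{#
  Nomad agent configuration (HCL), rendered by Ansible from nomad_conf,
  nomad_services, nomad_servers and nomad_enabled_task_drivers.

  The rendered file holds secrets whenever they are defined: server.encrypt
  (gossip key), acl.replication_token, consul.token and vault.token. The task
  that installs this template should set a restrictive owner/mode on the
  destination and use no_log so the values do not end up in diffs or logs.

  Values are interpolated into quoted HCL strings without escaping, so a value
  containing a double quote or backslash produces broken or altered
  configuration. Treat the inventory variables as trusted input.
#}
data_dir = "{{ nomad_root_dir }}/data"
plugin_dir = "{{ nomad_root_dir }}/plugins"
{# Listens on every interface. Exposure then depends on the host firewall and on the acl/tls blocks below. #}
bind_addr = "0.0.0.0"
{% if nomad_conf.datacenter is defined %}
datacenter = "{{ nomad_conf.datacenter }}"
{% endif %}
{% if nomad_conf.region is defined %}
region = "{{ nomad_conf.region }}"
{% endif %}
{% if nomad_conf.name is defined %}
{# name is a string: quoted like datacenter and region above. #}
name = "{{ nomad_conf.name }}"
{% endif %}
disable_update_check = true

advertise {
{% for service in ['http', 'rpc', 'serf'] %}
{% if nomad_services[service].advertise is defined %}
{# Advertise addresses are strings and must be quoted to be valid HCL. #}
  {{ service }} = "{{ nomad_services[service].advertise }}"
{% endif %}
{% endfor %}
}

ports {
{% for service in ['http', 'rpc', 'serf'] %}
  {{ service }} = {{ nomad_services[service].port }}
{% endfor %}
}

acl {
  enabled = {{ nomad_conf.acl.enabled | ternary('true', 'false') }}
{# The replication token is only written on servers outside the authoritative region. #}
{% if nomad_conf.acl.replication_token is defined and nomad_conf.region is defined and nomad_conf.server.authoritative_region is defined and nomad_conf.region != nomad_conf.server.authoritative_region %}
  replication_token = "{{ nomad_conf.acl.replication_token }}"
{% endif %}
}

server {
  enabled = {{ nomad_conf.server.enabled | ternary('true', 'false') }}
  bootstrap_expect = {{ nomad_conf.server.bootstrap_expect }}
{# Gossip encryption key. When it is undefined no key is written, so serf traffic is not encrypted. #}
{% if nomad_conf.server.encrypt is defined %}
  encrypt = "{{ nomad_conf.server.encrypt }}"
{% endif %}
  server_join {
    retry_join = [
{% for server in nomad_servers %}
      "{{ server }}",
{% endfor %}
    ]
  }
{% if nomad_conf.server.authoritative_region is defined %}
  authoritative_region = "{{ nomad_conf.server.authoritative_region }}"
{% endif %}
  default_scheduler_config {
    scheduler_algorithm = "{{ nomad_conf.server.default_scheduler_config.scheduler_algorithm }}"
    memory_oversubscription_enabled = {{ nomad_conf.server.default_scheduler_config.memory_oversubscription_enabled | ternary('true', 'false') }}
    preemption_config {
{% for type in ['batch', 'system', 'sysbatch', 'service'] %}
      {{ type }}_scheduler_enabled = {{ nomad_conf.server.default_scheduler_config.preemption_config[type ~ '_scheduler_enabled'] | ternary('true', 'false') }}
{% endfor %}
    }
  }
}

{% if nomad_conf.client.enabled %}
client {
  enabled = true
  servers = [
{% for server in nomad_servers %}
    "{{ server }}",
{% endfor %}
  ]
{% if nomad_conf.client.node_pool is defined %}
  node_pool = "{{ nomad_conf.client.node_pool }}"
{% endif %}
{% if nomad_conf.client.drain_on_shutdown is defined %}
  drain_on_shutdown {
{% if nomad_conf.client.drain_on_shutdown.deadline is defined %}
    deadline = "{{ nomad_conf.client.drain_on_shutdown.deadline }}"
{% endif %}
{% for param in ['force', 'ignore_system_jobs'] %}
{% if nomad_conf.client.drain_on_shutdown[param] is defined %}
    {{ param }} = {{ nomad_conf.client.drain_on_shutdown[param] | ternary('true', 'false') }}
{% endif %}
{% endfor %}
  }
{% endif %}
{# Host volumes expose host paths to jobs. Leaving read_only undefined omits the key entirely. #}
{% for volume in nomad_conf.client.host_volumes %}
  host_volume "{{ volume.name }}" {
    path = "{{ volume.path }}"
{% if volume.read_only is defined %}
{# read_only is a boolean: emitted unquoted like every other boolean in this file. #}
    read_only = {{ volume.read_only | ternary('true', 'false') }}
{% endif %}
  }
{% endfor %}
  reserved {
    cpu = {{ nomad_conf.client.reserved.cpu }}
{# A value ending in '%' is taken as a share of ansible_memtotal_mb with reserved.memory_min as the floor. Any other value is used unchanged. #}
    memory = {{ (nomad_conf.client.reserved.memory is search('%$')) | ternary([((nomad_conf.client.reserved.memory | regex_replace('%$', '') | int) * ansible_memtotal_mb * 0.01), nomad_conf.client.reserved.memory_min] | max | int, nomad_conf.client.reserved.memory) }}
    disk = {{ nomad_conf.client.reserved.disk }}
    reserved_ports = "{{ nomad_conf.client.reserved.reserved_ports | join(',') }}"
  }
  meta {
{% for meta in nomad_conf.client.meta.keys() | list %}
    {{ meta }} = "{{ nomad_conf.client.meta[meta] }}"
{% endfor %}
  }
{% if nomad_conf.client.node_class is defined %}
  node_class = "{{ nomad_conf.client.node_class }}"
{% endif %}
  options {
    "driver.allowlist" = "{{ nomad_enabled_task_drivers | join(',') }}"
  }
  max_kill_timeout = "{{ nomad_conf.client.max_kill_timeout }}"
}

{#
  Each driver's plugin block is now guarded on its own. Previously the docker
  condition was only closed after the containerd-driver block, so a client
  without docker silently lost its podman, raw_exec and containerd-driver
  configuration.
#}
{% if 'docker' in nomad_enabled_task_drivers %}
plugin "docker" {
  config {
{# allow_privileged lets jobs request privileged containers, which is effectively root on the host. #}
    allow_privileged = {{ nomad_conf.client.task_drivers.docker.allow_privileged | ternary('true', 'false') }}
    auth {
      config = "{{ nomad_root_dir }}/docker/auth.json"
    }
{# volumes.enabled lets jobs bind-mount host paths into their containers. #}
{% if nomad_conf.client.task_drivers.docker.volumes.enabled %}
    volumes {
      enabled = true
    }
{% endif %}
{% if nomad_conf.client.task_drivers.docker.allow_caps is defined %}
    allow_caps = [
{% for cap in nomad_conf.client.task_drivers.docker.allow_caps %}
      "{{ cap }}",
{% endfor %}
    ]
{% endif %}
    extra_labels = [
{% for label in nomad_conf.client.task_drivers.docker.extra_labels %}
      "{{ label }}",
{% endfor %}
    ]
    gc {
{% for gc in ['image_delay'] %}
{% if nomad_conf.client.task_drivers.docker.gc[gc] is defined %}
      {{ gc }} = "{{ nomad_conf.client.task_drivers.docker.gc[gc] }}"
{% endif %}
{% endfor %}
    }
  }
}
{% endif %}

{% if 'podman' in nomad_enabled_task_drivers %}
plugin "podman-driver-podman" {
  config {
    recover_stopped = {{ nomad_conf.client.task_drivers.podman.recover_stopped | ternary('true', 'false') }}
{% if nomad_conf.client.task_drivers.podman.socket_path is defined %}
    socket_path = "{{ nomad_conf.client.task_drivers.podman.socket_path }}"
{% endif %}
{% if nomad_conf.client.task_drivers.podman.volumes.enabled %}
    volumes {
      enabled = true
    }
{% endif %}
    extra_labels = [
{% for label in nomad_conf.client.task_drivers.podman.extra_labels %}
      "{{ label }}",
{% endfor %}
    ]
  }
}
{% endif %}

{# raw_exec runs tasks without isolation, as the user the Nomad client runs as. It is written explicitly so that it is off unless listed in nomad_enabled_task_drivers. #}
plugin "raw_exec" {
  config {
    enabled = {{ ('raw_exec' in nomad_enabled_task_drivers) | ternary('true', 'false') }}
  }
}

{# NOTE(review): this block reads task_drivers['containerd-driver'] on every client, so the role defaults must define it. Confirm. #}
plugin "containerd-driver" {
  config {
    enabled = {{ ('containerd-driver' in nomad_enabled_task_drivers) | ternary('true', 'false') }}
    containerd_runtime = "{{ nomad_conf.client.task_drivers['containerd-driver'].containerd_runtime }}"
    allow_privileged = {{ nomad_conf.client.task_drivers['containerd-driver'].allow_privileged | ternary('true', 'false') }}
  }
}
{% else %}
client {
  enabled = false
}
{% endif %}

ui {
  enabled = {{ nomad_conf.ui.enabled | ternary('true', 'false') }}
{% if nomad_conf.ui.consul_ui is defined %}
  consul {
    ui_url = "{{ nomad_conf.ui.consul_ui }}"
  }
{% endif %}
{% if nomad_conf.ui.vault_ui is defined %}
  vault {
    ui_url = "{{ nomad_conf.ui.vault_ui }}"
  }
{% endif %}
}

telemetry {
  prometheus_metrics = {{ nomad_conf.telemetry.prometheus_metrics | ternary('true', 'false') }}
  disable_hostname = {{ nomad_conf.telemetry.disable_hostname | ternary('true', 'false') }}
  publish_allocation_metrics = {{ nomad_conf.telemetry.publish_allocation_metrics | ternary('true', 'false') }}
  publish_node_metrics = {{ nomad_conf.telemetry.publish_node_metrics | ternary('true', 'false') }}
}

consul {
{# String-valued settings. 'token' is a secret and is written in clear text. #}
{% for key in ['address', 'auth', 'client_service_name', 'server_service_name', 'grpc_address', 'token'] %}
{% if nomad_conf.consul[key] is defined %}
  {{ key }} = "{{ nomad_conf.consul[key] }}"
{% endif %}
{% endfor %}
{% for key in ['allow_unauthenticated', 'auto_advertise', 'checks_use_advertise', 'server_auto_join'] %}
{% if nomad_conf.consul[key] is defined %}
  {{ key }} = {{ nomad_conf.consul[key] | ternary('true', 'false') }}
{% endif %}
{% endfor %}
{% if nomad_conf.consul.tags is defined and nomad_conf.consul.tags is iterable %}
  tags = [
{% for tag in nomad_conf.consul.tags %}
    "{{ tag }}",
{% endfor %}
  ]
{% endif %}
{% if nomad_conf.consul.ssl %}
  ssl = true
{% for key in ['ca_file', 'cert_file', 'key_file'] %}
{% if nomad_conf.consul[key] is defined %}
  {{ key }} = "{{ nomad_conf.consul[key] }}"
{% endif %}
{% endfor %}
{# Setting verify_ssl to false disables certificate verification for the Consul connection. #}
{% for key in ['verify_ssl', 'share_ssl'] %}
{% if nomad_conf.consul[key] is defined %}
  {{ key }} = {{ nomad_conf.consul[key] | ternary('true', 'false') }}
{% endif %}
{% endfor %}
{% endif %}
}

vault {
{# Setting tls_skip_verify to true disables certificate verification for the Vault connection. #}
{% for key in ['enabled', 'tls_skip_verify', 'allow_unauthenticated'] %}
{% if nomad_conf.vault[key] is defined %}
  {{ key }} = {{ nomad_conf.vault[key] | ternary('true', 'false') }}
{% endif %}
{% endfor %}
{# Servers get the full set, including the Vault token. Client-only agents get connection settings but no token. #}
{% if nomad_conf.server.enabled %}
{% for key in ['address', 'create_from_role', 'task_token_ttl', 'ca_file', 'ca_path', 'cert_file', 'key_file', 'namespace', 'tls_server_name', 'token'] %}
{% if nomad_conf.vault[key] is defined %}
  {{ key }} = "{{ nomad_conf.vault[key] }}"
{% endif %}
{% endfor %}
{% elif nomad_conf.client.enabled and not nomad_conf.server.enabled %}
{% for key in ['address', 'ca_file', 'ca_path', 'cert_file', 'key_file', 'namespace', 'tls_server_name'] %}
{% if nomad_conf.vault[key] is defined %}
  {{ key }} = "{{ nomad_conf.vault[key] }}"
{% endif %}
{% endfor %}
{% endif %}
}

tls {
{# Only keys defined under nomad_conf.tls are written. With none defined the block is empty. #}
{% for key in ['ca_file', 'cert_file', 'key_file', 'tls_min_version', 'tls_cipher_suites'] %}
{% if nomad_conf.tls[key] is defined %}
  {{ key }} = "{{ nomad_conf.tls[key] }}"
{% endif %}
{% endfor %}
{% for key in ['http', 'rpc', 'rpc_upgrade_mode', 'tls_prefer_server_cipher_suites', 'verify_https_client', 'verify_server_hostname'] %}
{% if nomad_conf.tls[key] is defined %}
  {{ key }} = {{ nomad_conf.tls[key] | ternary('true', 'false') }}
{% endif %}
{% endfor %}
}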