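# Nomad job template (levant / nomad-pack style "[[ ]]" delimiters) for the
# acme-to-vault task: fetches ACME certificates and stores them in Vault KV.
# $c merges the pack's .acme variables over the top-level context so the shared
# "common/*" partials see both.
#
# Fix: in the per-account challenge block the "[[- else ]]" that defaults
# ACME_<i>_CHALLENGE to http-01 was nested under `if eq $account.challenge
# "dns-01"` instead of `if has $account "challenge"`. Result: an account with no
# "challenge" key produced no ACME_<i>_CHALLENGE line at all, while an account
# with an explicit non-dns-01 value had the line emitted twice (second one
# http-01). The else now belongs to the outer "has challenge" test.
[[ $c := merge .acme . -]]
job "[[ .instance ]]" {
  # Long-lived service when a cron schedule is set, otherwise a one-shot batch
  # job; mirrors MINIT_MAIN_KIND in the env template below.
  type = "[[ if ne "" .acme.cron ]]service[[ else ]]batch[[ end ]]"
  [[ template "common/job_start" $c ]]

  group "acme-to-vault" {
    network {
      mode = "bridge"
    }
    ephemeral_disk {
      # Nomad ephemeral_disk.size is in MB.
      size = 101
    }
    service {
      name = "[[ .instance ]][[ .consul.suffix ]]"
      port = 8787
      # Consul Connect sidecar / upstreams come from the shared partial.
      [[ template "common/connect" $c ]]
      tags = [
        [[ template "common/traefik_tags" $c ]]
      ]
    }
    task "acme-to-vault" {
      driver = "[[ $c.nomad.driver ]]"
      # Unprivileged uid; same number as the service port, by convention.
      user = 8787
      config {
        [[ template "common/image" $c ]]
        # Caps fork bombs / runaway children inside the container.
        pids_limit = 50
        # Scratch space for the ACME client; "size" unit is whatever the
        # common/tmpfs partial expects — presumably bytes, confirm there.
        [[ template "common/tmpfs" dict "target" "/data" "size" "10000000" ]]
      }
      vault {
        # Vault policy attached to the task token; expected to exist out of
        # band under the same name as the instance.
        policies = ["[[ .instance ]][[ .consul.suffix ]]"]
      }
      [[ template "common/file_env" $c ]]
      # Task environment, written to the allocation's secrets/ dir (0400) and
      # loaded with env = true.
      #
      # NOTE(review): this heredoc is expanded by the pack renderer, not by
      # Nomad's template runtime, so every value below — including
      # $account.dns_key_value (a DNS provider API credential) — becomes part
      # of the submitted job specification. Anyone who can read the job
      # definition can read that key. Consider fetching it at runtime from
      # Vault (a `with secret` block in the task template) instead of passing
      # it as a pack variable.
      #
      # VAULT_ADDR=http://localhost:8200 relies on a Connect upstream for the
      # Vault service being declared by common/connect when
      # .acme.vault.service_name is set — confirm in that partial; plaintext
      # HTTP here only ever reaches the local sidecar.
      template {
        data =<<_EOT
[[- if has .acme.vault "service_name" ]]
VAULT_ADDR=http://localhost:8200
[[- else ]]
VAULT_ADDR=[[ .acme.vault.addr ]]
[[- end ]]
[[- if ne .acme.cron "" ]]
MINIT_MAIN_KIND=cron
MINIT_MAIN_CRON=[[ .acme.cron ]]
MINIT_MAIN_IMMEDIATE=true
[[- else ]]
MINIT_MAIN_KIND=once
[[- end ]]
ACME_KV_ACCOUNT_ROOT=[[ .acme.vault.kv_account_root ]]
[[- range $acc_idx, $account := .acme.accounts ]]
ACME_[[ $acc_idx ]]_CA=[[ $account.ca ]]
ACME_[[ $acc_idx ]]_EMAIL=[[ $account.email ]]
ACME_[[ $acc_idx ]]_KV_CERT_ROOT=[[ $account.kv_cert_root ]]
[[- if has $account "challenge" ]]
ACME_[[ $acc_idx ]]_CHALLENGE=[[ $account.challenge ]]
[[- if eq $account.challenge "dns-01" ]]
ACME_[[ $acc_idx ]]_DNS_PROVIDER=[[ $account.dns_provider ]]
ACME_[[ $acc_idx ]]_DNS_KEY_ENV=[[ $account.dns_key_env ]]
ACME_[[ $acc_idx ]]_DNS_KEY_VALUE=[[ $account.dns_key_value ]]
[[- if has $account "dns_resolvers" ]]
ACME_[[ $acc_idx ]]_DNS_RESOLVERS=[[ join $account.dns_resolvers "," ]]
[[- end ]]
[[- end ]]
[[- else ]]
ACME_[[ $acc_idx ]]_CHALLENGE=http-01
[[- end ]]
[[- if has $account "key_type" ]]
ACME_[[ $acc_idx ]]_KEY_TYPE=[[ $account.key_type ]]
[[- end ]]
[[- range $crt_idx, $crt := $account.certs ]]
ACME_[[ $acc_idx ]]_CERT_[[ $crt_idx ]]=[[ $crt ]]
[[- end ]]
[[- end ]]
_EOT
        destination = "secrets/acme-to-vault.env"
        # Owner-read only; secrets/ is not included in allocation snapshots.
        perms = 0400
        env = true
      }
      [[ template "common/resources" $c ]]
    }
  }
}
# vim: syntax=hcl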