# Nomad job running a single draw.io (diagrams) instance behind a Consul Connect
# sidecar, published through Traefik on draw.example.org.
job "diagrams" {
  datacenters = ["dc1"]
  region      = "global"

  group "diagrams" {
    # Bridge networking: the task and its Envoy sidecar share one network namespace.
    network {
      mode = "bridge"
    }

    service {
      name = "diagrams"
      port = 8282

      connect {
        sidecar_service {}

        sidecar_task {
          config {
            args = [
              "-c",
              "${NOMAD_SECRETS_DIR}/envoy_bootstrap.json",
              "-l",
              "${meta.connect.log_level}",
              "--concurrency",
              "${meta.connect.proxy_concurrency}",
              "--disable-hot-restart"
            ]
          }

          resources {
            cpu    = 50
            memory = 64
          }
        }
      }

      # HTTP health check; expose = true publishes /health through the Connect
      # proxy so the check can reach the otherwise loopback-only Tomcat.
      check {
        type     = "http"
        path     = "/health"
        expose   = true
        interval = "1m"
        timeout  = "8s"

        check_restart {
          limit = 4
          grace = "1m"
        }
      }

      tags = [
        "traefik.enable=true",
        "traefik.http.routers.diagrams.entrypoints=https",
        "traefik.http.routers.diagrams.rule=Host(`draw.example.org`)",
        # Content-Security-Policy for the draw.io UI. Note for reviewers:
        #  - script-src and style-src carry 'unsafe-inline', which weakens the
        #    XSS protection CSP otherwise gives; img-src/media-src/font-src are
        #    wildcarded.
        #  - base-uri, form-action and frame-ancestors are not set in this
        #    string (they do not inherit from default-src); presumably the
        #    security-headers@file middleware covers framing - verify there.
        "traefik.http.middlewares.csp-diagrams.headers.contentsecuritypolicy=connect-src 'self' https://*.dropboxapi.com https://api.trello.com https://api.github.com https://raw.githubusercontent.com https://*.googleapis.com https://*.googleusercontent.com https://graph.microsoft.com https://*.1drv.com https://*.sharepoint.com https://gitlab.com https://*.google.com https://fonts.gstatic.com https://fonts.googleapis.com;default-src 'self';font-src * about:;frame-src 'self' https://*.google.com;img-src * data:;media-src * data:;script-src 'self' https://storage.googleapis.com https://apis.google.com https://docs.google.com https://code.jquery.com 'unsafe-inline';style-src 'self' 'unsafe-inline' https://fonts.googleapis.com;",
        # Middleware chain (all but csp-diagrams are defined in Traefik's file
        # provider, outside this job).
        "traefik.http.routers.diagrams.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-diagrams",
      ]
    }

    task "diagrams" {
      driver = "docker"

      config {
        image           = "danielberteaud/diagrams:24.2.0-1"
        pids_limit      = 200
        readonly_rootfs = true
        # Rendered templates (below) are bind-mounted over the image's config scripts.
        volumes = [
          "local/PreConfig.js:/opt/tomcat/webapps/draw/js/PreConfig.js",
          "local/PostConfig.js:/opt/tomcat/webapps/draw/js/PostConfig.js"
        ]
      }

      env {
        # tmpdir redirected into the alloc dir, presumably because the root fs is read-only.
        JAVA_OPTS = "-Djava.io.tmpdir=/local"
        # Tomcat listens on loopback only; external traffic arrives via the sidecar.
        TOMCAT_ADDRESS = "127.0.0.1"
      }

      # PreConfig.js: pins the public URLs and, per the inline comments, turns off
      # real-time collaboration and every third-party storage backend.
      template {
        data        = <<_EOT
window.DRAWIO_BASE_URL = 'https://draw.example.org';
window.DRAWIO_SERVER_URL = 'https://draw.example.org/';
window.DRAWIO_VIEWER_URL = 'https://draw.example.org/js/viewer.min.js';
window.DRAWIO_LIGHTBOX_URL = '';
window.DRAW_MATH_URL = 'math/es5';
window.DRAWIO_CONFIG = null;
urlParams['sync'] = 'manual'; //Disable Real-Time
urlParams['db'] = '0'; //dropbox
urlParams['gh'] = '0'; //github
urlParams['tr'] = '0'; //trello
urlParams['gapi'] = '0'; //Google Drive
urlParams['od'] = '0'; //OneDrive
urlParams['gl'] = '0'; //Gitlab
_EOT
        destination = "local/PreConfig.js"
      }

      # PostConfig.js: disables the external conversion/search endpoints and logging.
      template {
        data        = <<_EOT
window.VSD_CONVERT_URL = null;
window.ICONSEARCH_PATH = null;
EditorUi.enableLogging = false; //Disable logging
window.EMF_CONVERT_URL = null;
App.prototype.isDriveDomain = function() { return true; }
_EOT
        destination = "local/PostConfig.js"
      }

      # Use a template block instead of env {} so we can fetch values from vault
      # (nothing is pulled from Vault yet; the file only sets locale and timezone).
      template {
        data        = <<_EOT
LANG=fr_FR.utf8
TZ=Europe/Paris
_EOT
        destination = "secrets/.env"
        # NOTE(review): Nomad documents perms as a string ("400"); the bare number
        # relies on HCL number-to-string conversion - verify it renders as 0400.
        perms = 400
        env   = true
      }

      resources {
        cpu    = 200
        memory = 256
      }
    }
  }
}