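[[ $c := merge .mariadb.manage . -]]
# Batch job that runs /local/manage.sh for one MariaDB instance. The databases,
# users and grants to handle are handed to the script as environment variables
# (secrets/userdb.env), the root credentials through a client option file
# mounted at /root/.my.cnf.
job "[[ .mariadb.instance ]]-manage" {

  type = "batch"

[[ template "common/job_start.tpl" $c ]]

  meta {
    # Force job to run each time
    run = "${uuidv4()}"
  }

  group "manage" {

    network {
      mode = "bridge"
    }

    service {
      name = "[[ .mariadb.instance ]]-manage[[ $c.consul.suffix ]]"
[[ template "common/connect.tpl" $c ]]
    }

    # Presumably blocks until the MariaDB service itself is registered; the
    # wait_for template is defined outside this file.
[[ template "common/task.wait_for.tpl" dict "ctx" . "wait_for" (coll.Slice (dict "service" .mariadb.instance)) ]]

    task "manage" {
      driver = [[ $c.nomad.driver | toJSON ]]

      config {
        image = [[ .mariadb.manage.image | toJSON ]]
        # Container hardening: capped process count and a read-only root
        # filesystem. The only extra mount is the root option file, read-only.
        pids_limit      = 50
        readonly_rootfs = true
        command         = "/local/manage.sh"
        volumes = [
          "secrets/my.cnf:/root/.my.cnf:ro"
        ]
      }

      # Vault policy named after the instance; the two `secret` lookups further
      # down read kv/service/<instance> under this policy.
      vault {
        policies = ["[[ .mariadb.instance ]][[ $c.consul.suffix ]]"]
      }

      env {
[[ template "common/env.tpl" $c.env ]]
      }

      # Database and user definitions, exported into the task environment.
      # Values are written unquoted, one KEY=value per line, so a name, host,
      # password or grant containing a newline would add or override variables
      # in this file.
      # NOTE(review): user passwords come from the bundle configuration, not
      # from a Vault lookup, so they presumably appear in clear text in the
      # submitted job definition and are readable by anyone allowed to read
      # the job. Confirm, and prefer a runtime secret lookup for them.
      template {
        data = <<_EOT
[[- range $idx, $db := .mariadb.manage.databases ]]
MY_DB_[[ $idx ]]=[[ $db.name ]]
[[- if has $db "charset" ]]
MY_DB_[[ $idx ]]_CHARSET=[[ $db.charset ]]
[[- end ]]
[[- if has $db "collate" ]]
MY_DB_[[ $idx ]]_COLLATE=[[ $db.collate ]]
[[- end ]]
[[- end ]]
[[- range $idx, $user := .mariadb.manage.users ]]
MY_USER_[[ $idx ]]=[[ $user.name ]]
[[- if has $user "host" ]]
MY_USER_[[ $idx ]]_HOST=[[ $user.host ]]
[[- else ]]
MY_USER_[[ $idx ]]_HOST=%
[[- end ]]
[[- if has $user "password" ]]
MY_USER_[[ $idx ]]_PASSWORD=[[ $user.password ]]
[[- end ]]
[[- if has $user "grants" ]]
[[- range $gidx, $grant := $user.grants ]]
MY_USER_[[ $idx ]]_GRANT_[[ $gidx ]]=[[ $grant ]]
[[- end ]]
[[- end ]]
[[- end ]]
_EOT
        destination = "secrets/userdb.env"
        uid         = 100000
        gid         = 100000
        # perms is documented as a string; quoting it keeps the leading zero
        # from being interpreted by the HCL number parser.
        perms = "0400"
        env   = true
      }

      # The management script itself; it holds no secret, so it is rendered
      # under local/ and left world-readable and executable.
      template {
        data = <<_EOT
[[ template "mariadb/manage.sh.tpl" $c ]]
_EOT
        destination = "local/manage.sh"
        uid         = 100000
        gid         = 100000
        perms       = "0755"
      }

      # Client option file carrying the MariaDB root password read from Vault.
      # NOTE(review): the password is written unquoted. MySQL option files
      # treat '#' as the start of a comment, so a password containing it would
      # be truncated; confirm the generated passwords exclude it, or quote the
      # value.
      # NOTE(review): owner 100100:100101 and the group-read bit differ from
      # the other templates (100000:100000, owner-only). Confirm this mapping
      # is intended for a file mounted at /root/.my.cnf.
      template {
        data = <<_EOT
[client]
host = 127.0.0.1
user = root
password = {{ with secret "[[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]]" }}{{ .Data.data.root_pwd }}{{ end }}
_EOT
        destination = "secrets/my.cnf"
        uid         = 100100
        gid         = 100101
        perms       = "0640"
      }

      # Initial password of the Vault database user, exported into the task
      # environment; every process in the task can read it from there.
      template {
        data = <<_EOT
VAULT_INITIAL_PASSWORD={{ with secret "[[ .vault.prefix ]]kv/service/[[ .mariadb.instance ]]" }}{{ .Data.data.vault_initial_pwd }}{{ end }}
_EOT
        destination = "secrets/manage.env"
        uid         = 100000
        gid         = 100000
        perms       = "0400"
        env         = true
      }

[[ template "common/resources.tpl" .mariadb.manage.resources ]]
    }
  }
}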