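# Nomad job: one MariaDB server behind a Consul Connect sidecar, with its data
# on a CSI volume and a poststart task that runs mysql_upgrade.
# The root password is read from the Vault KV path "kv/service/mariadb" (key
# root_pwd) and rendered into files under each task's secrets/ directory.
job "mariadb" {
  datacenters = ["dc1"]
  region      = "global"

  group "server" {

    # Bridge mode: the tasks of this group share one network namespace, which
    # is why the upgrade task can reach the server on 127.0.0.1.
    network {
      mode = "bridge"
    }

    # per_alloc = true makes Nomad append the allocation index to the source
    # name, so each allocation gets its own volume.
    volume "data" {
      source          = "mariadb-data"
      type            = "csi"
      access_mode     = "single-node-writer"
      attachment_mode = "file-system"
      per_alloc       = true
    }

    service {
      name = "mariadb"
      port = 3306

      connect {
        sidecar_service {
          disable_default_tcp_check = true
        }

        sidecar_task {
          config {
            args = [
              "-c",
              "${NOMAD_SECRETS_DIR}/envoy_bootstrap.json",
              "-l",
              "${meta.connect.log_level}",
              "--concurrency",
              "${meta.connect.proxy_concurrency}",
              "--disable-hot-restart"
            ]
          }

          resources {
            cpu    = 50
            memory = 64
          }
        }
      }

      # Script check executed inside the "mariadb" task.
      # NOTE(review): per the mysqladmin documentation, `ping` exits 0 whenever
      # the server responds, including when access is denied, so this check
      # proves liveness only. It does not validate the rendered credentials.
      check {
        name     = "alive"
        type     = "script"
        task     = "mariadb"
        command  = "mysqladmin"
        args     = ["ping"]
        timeout  = "10s"
        interval = "5s"
      }

      tags = []
    }

    # Run mysql_upgrade
    task "upgrade" {
      driver = "docker"

      # poststart: started once the main task is running.
      lifecycle {
        hook = "poststart"
      }

      config {
        # NOTE(review): the image is referenced by a mutable tag. Pinning it by
        # digest (e.g. "danielberteaud/mariadb@sha256:<DIGEST_PLACEHOLDER>")
        # would make the deployed content immutable.
        image      = "danielberteaud/mariadb:24.3-1"
        pids_limit = 100
        command    = "/local/mysql_upgrade.sh"
      }

      # env = false and disable_file = true keep the Vault token out of the
      # task's environment and secrets directory. Only the rendered templates
      # below carry secret material into the container.
      vault {
        policies     = ["mariadb"]
        env          = false
        disable_file = true
        change_mode  = "noop"
      }

      # Client option file holding the root credentials. The script below sets
      # HOME=/secrets so the client tools pick it up as ~/.my.cnf.
      # NOTE(review): the password is interpolated unquoted. A value containing
      # option-file metacharacters (for example '#') would presumably be
      # mis-parsed. Confirm the password policy or quote/escape the value.
      # NOTE(review): no change_mode is set on this template, so Nomad's
      # default (restart) applies when the Vault secret changes.
      template {
        data = <<_EOT
[client]
user = root
host = 127.0.0.1
password = {{ with secret "kv/service/mariadb" }}{{ .Data.data.root_pwd }}{{ end }}
_EOT
        destination = "secrets/.my.cnf"
        uid         = 100100
        gid         = 100101
        # Quoted: Nomad documents perms as an octal string.
        perms       = "640"
      }

      # Waits for the server to answer, then runs mysql_upgrade once.
      # NOTE(review): COUNT is incremented but never read, so the wait loop has
      # no upper bound and the task waits indefinitely if the server never
      # comes up. Decide whether a retry limit is wanted.
      # NOTE(review): `set -o pipefail` is not POSIX sh. This relies on the
      # image's /bin/sh supporting it. Confirm against the image.
      template {
        data = <<_EOT
#!/bin/sh

set -euo pipefail

HOME=/secrets
COUNT=0
while true; do
  if mysqladmin ping; then
    echo "MariaDB is ready, running mysql_upgrade"
    mysql_upgrade
    exit 0
  fi
  echo "MariaDB not ready yet, waiting a bit more"
  COUNT=$((COUNT+1))
  sleep 1
done
_EOT
        destination = "local/mysql_upgrade.sh"
        perms       = "755"
      }

      # The upgrade task gets the same data volume as the server, read-write.
      volume_mount {
        volume      = "data"
        destination = "/data"
      }

      resources {
        cpu        = 10
        memory     = 32
        memory_max = 64
      }
    }

    task "mariadb" {
      driver = "docker"
      # leader = true: when this task exits, Nomad stops the other tasks of
      # the group.
      leader = true
      # NOTE(review): a task's kill_timeout is capped by the client's
      # max_kill_timeout (default 30s). Confirm the clients allow 5m, otherwise
      # the server gets less time than intended for a clean shutdown.
      kill_timeout = "5m"

      config {
        image = "danielberteaud/mariadb:24.3-1"
        # The whole secrets/ directory is bind-mounted read-write at
        # /etc/my.cnf.d, so every file rendered into it (mariadb.env and
        # my.conf, both containing the root password) is visible at that path
        # inside the container. my.conf is additionally mounted read-only as
        # /var/lib/mysql/.my.cnf.
        volumes = [
          "secrets/:/etc/my.cnf.d",
          "secrets/my.conf:/var/lib/mysql/.my.cnf:ro",
        ]
        pids_limit = 300
        # NOTE(review): read-only root filesystem hardening is left disabled.
        #readonly_rootfs = true
      }

      # Same Vault settings as the upgrade task: the token is exposed neither
      # through the environment nor as a file.
      vault {
        policies     = ["mariadb"]
        env          = false
        disable_file = true
        change_mode  = "noop"
      }

      # NOTE(review): MYSQL_CONF_11_bind-address is presumably turned into a
      # bind-address setting by the image's entrypoint. Confirm, because
      # binding to 127.0.0.1 is what restricts access to the shared network
      # namespace and the Connect sidecar.
      env {
        MYSQL_CONF_11_bind-address = "127.0.0.1"
        LANG                       = "fr_FR.utf8"
        TZ                         = "Europe/Paris"
      }

      # env = true: the rendered file is loaded as environment variables, so
      # the root password is exported to the task as MYSQL_ROOT_PASSWORD and
      # is readable by anything able to inspect the task's environment.
      # NOTE(review): no change_mode is set, so a change of the Vault secret
      # restarts the database task (Nomad's default). How the image treats a
      # changed MYSQL_ROOT_PASSWORD on an existing data directory is not
      # visible here. Confirm the rotation procedure.
      template {
        data = <<_EOT
{{ with secret "kv/service/mariadb" }}
MYSQL_ROOT_PASSWORD={{ .Data.data.root_pwd }}
{{ end }}
_EOT
        destination = "secrets/mariadb.env"
        uid         = 100000
        gid         = 100000
        perms       = "400"
        env         = true
      }

      # Root client credentials, used by the in-task health check
      # (mysqladmin ping) through the /var/lib/mysql/.my.cnf mount above.
      # NOTE(review): the password is interpolated unquoted here as well, so
      # the caveat about option-file metacharacters applies.
      template {
        data = <<_EOT
[client]
user = root
password = {{ with secret "kv/service/mariadb" }}{{ .Data.data.root_pwd }}{{ end }}
_EOT
        destination = "secrets/my.conf"
        uid         = 100100
        gid         = 100101
        perms       = "640"
      }

      volume_mount {
        volume      = "data"
        destination = "/data"
      }

      resources {
        cpu    = 1000
        memory = 512
      }
    }
  }
}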