# Nomad job for the Miniflux feed reader.
#
# Layout of this job:
#   - one group in bridge networking with a Consul Connect sidecar that carries
#     the PostgreSQL connection (upstream "postgres" bound to localhost:5432)
#   - a "wait-for" prestart task that delays the main task until the
#     postgres service name is reachable
#   - the "miniflux" task itself, which gets its database credentials from
#     Vault via a template and is published to Traefik through service tags
job "miniflux" {
  datacenters = ["dc1"]
  region      = "global"

  group "miniflux" {
    count = 1

    # bridge mode gives the group its own network namespace; everything that
    # binds to 127.0.0.1 below is only reachable from inside that namespace
    # (or through the Connect sidecar / expose paths)
    network {
      mode = "bridge"
    }

    ephemeral_disk {
      size = 101
    }

    service {
      name = "miniflux"
      port = 8085

      # placement metadata published with the Consul service registration
      meta {
        alloc      = "${NOMAD_ALLOC_INDEX}"
        datacenter = "${NOMAD_DC}"
        group      = "${NOMAD_GROUP_NAME}"
        job        = "${NOMAD_JOB_NAME}"
        namespace  = "${NOMAD_NAMESPACE}"
        node       = "${node.unique.name}"
        region     = "${NOMAD_REGION}"
      }

      connect {
        sidecar_service {
          proxy {
            # The app talks to Postgres on localhost:5432; the Envoy sidecar
            # forwards that to the "postgres" Connect service over mTLS, so
            # the DATABASE_URL below can use sslmode=disable without the
            # traffic leaving the allocation unencrypted.
            upstreams {
              destination_name = "postgres"
              local_bind_port  = 5432
              # Workaround, see https://github.com/hashicorp/nomad/issues/18538
              destination_type = "service"
            }
          }
        }

        sidecar_task {
          config {
            # Envoy log level and worker count come from client node meta
            # (meta.connect.log_level / meta.connect.proxy_concurrency);
            # those keys must be set on every client this job can land on.
            args = [
              "-c",
              "${NOMAD_SECRETS_DIR}/envoy_bootstrap.json",
              "-l",
              "${meta.connect.log_level}",
              "--concurrency",
              "${meta.connect.proxy_concurrency}",
              "--disable-hot-restart"
            ]
          }
          resources {
            cpu    = 50
            memory = 64
          }
        }
      }

      # HTTP health check. expose = true makes Nomad add an Envoy expose path
      # for /healthcheck so Consul can reach the loopback-bound listener
      # inside the bridge namespace.
      check {
        type     = "http"
        path     = "/healthcheck"
        expose   = true
        interval = "10s"
        timeout  = "3s"
        # restart the task after 20 consecutive failures, ignoring the first 20s
        check_restart {
          limit = 20
          grace = "20s"
        }
      }

      # Traefik routing: HTTPS entrypoint only, host rule, and a middleware
      # chain defined in Traefik's file provider plus a per-app CSP.
      tags = [
        "traefik.enable=true",
        "traefik.http.routers.miniflux.entrypoints=https",
        "traefik.http.routers.miniflux.rule=Host(`flux.example.org`)",
        # NOTE(review): script-src allows 'unsafe-inline' and 'unsafe-eval',
        # which removes most of the CSP's protection against injected scripts.
        # Confirm this Miniflux build actually needs them and tighten if not.
        "traefik.http.middlewares.csp-miniflux.headers.contentsecuritypolicy=default-src 'self';font-src 'self' data:;img-src 'self' data:;script-src 'self' 'unsafe-inline' 'unsafe-eval';style-src 'self' 'unsafe-inline';",
        "traefik.http.routers.miniflux.middlewares=security-headers@file,rate-limit-std@file,forward-proto@file,inflight-std@file,hsts@file,compression@file,csp-miniflux",
      ]
    }

    # wait for required services to be ready before starting the main task
    task "wait-for" {
      driver = "docker"
      # run as an unprivileged uid; the container is also read-only and
      # pid-limited since it only needs to poll a service name
      user   = 1053
      config {
        image           = "danielberteaud/wait-for:24.3-1"
        readonly_rootfs = true
        pids_limit      = 20
      }
      # prestart without sidecar = true: runs once and must exit before the
      # main task starts
      lifecycle {
        hook = "prestart"
      }
      env {
        # presumably the image blocks until this name resolves in Consul DNS;
        # TODO confirm against the wait-for image's documentation
        SERVICE_0 = "master.postgres.service.consul"
      }
      resources {
        cpu        = 10
        memory     = 10
        memory_max = 30
      }
    }

    task "miniflux" {
      driver = "docker"
      # no `user` is set here, so the task runs as whatever USER the image
      # declares — confirm that is a non-root account
      config {
        image           = "danielberteaud/miniflux:2.1.1-1"
        pids_limit      = 100
        readonly_rootfs = true
      }
      # Vault token is used only by the template renderer: it is neither
      # exported to the task environment (env = false) nor written to the
      # secrets dir (disable_file = true). Token renewal does not restart
      # the task (change_mode = "noop").
      vault {
        policies     = ["miniflux"]
        env          = false
        disable_file = true
        change_mode  = "noop"
      }
      env {
        # bind to loopback only; external access comes via Traefik -> Connect
        LISTEN_ADDR = "127.0.0.1:8085"
        BASE_URL    = "https://flux.example.org"
      }
      # Dynamic database credentials from Vault's database secrets engine,
      # rendered into an env file that is loaded into the task (env = true).
      # The password is url-escaped with `urlquery`; the username is not,
      # which assumes Vault's generated usernames contain no URL-reserved
      # characters — TODO confirm against the role's username template.
      # Both `secret` reads hit the same path; presumably the template
      # renderer serves them from one lease so username and password match —
      # verify if credentials ever appear mismatched.
      # sslmode=disable is plaintext only on the loopback inside the bridge
      # namespace; the Connect sidecar upstream above encrypts the hop to postgres.
      template {
        data        = <<_EOT
DATABASE_URL=postgresql://{{ with secret "database/creds/miniflux" }}{{ .Data.username }}{{ end }}:{{ with secret "database/creds/miniflux" }}{{ urlquery .Data.password }}{{ end }}@127.0.0.1:5432/miniflux?sslmode=disable
_EOT
        destination = "secrets/.db.env"
        # owner-read only: this file holds live database credentials
        perms       = 400
        env         = true
      }
      # Use a template block instead of env {} so we can fetch values from vault
      template {
        data        = <<_EOT
LANG=fr_FR.utf8
TZ=Europe/Paris
_EOT
        destination = "secrets/.env"
        perms       = 400
        env         = true
      }
      resources {
        cpu    = 50
        memory = 192
      }
    }
  }
}