[[- $c := merge .squid . -]]
# Nomad job for a Squid forward proxy, pre-processed with [[ ]] (Levant-style)
# template tags before Nomad sees the HCL. $c is the settings map used below:
# .squid overlaid on the top-level context (instance, consul, vault, nomad ...).
# Mind the whitespace-trimming tags ([[- ... -]]): they glue adjacent text, so
# do not place a comment directly before a tag that also trims on its right.
job "[[ .instance ]]" {

[[ template "common/job_start" $c ]]

  group "squid" {

    network {
      mode = "bridge"
      # The "metrics" port is only declared when the prometheus exporter is
      # enabled; it is consumed by the metrics proxy task further down.
[[- if conv.ToBool $c.prometheus.enabled ]]
      port "metrics" {}
[[- end ]]
    }

    count = [[ $c.count ]]

    # The proxy itself is registered in Consul on squid's standard port and
    # reached through Connect (see common/connect).
    service {
      name = "[[ .instance ]][[ .consul.suffix ]]"
      port = 3128
[[ template "common/service_meta" $c ]]
[[ template "common/connect" $c ]]
    }

    task "squid" {
      driver = "[[ $c.nomad.driver ]]"

      config {
        image           = "[[ .squid.image ]]"
        # Hardening: immutable root filesystem plus a cap on forked processes
        # (squid spawns helper processes such as basic_ncsa_auth).
        readonly_rootfs = true
        pids_limit      = 100
        # Config and entrypoint hook are bind-mounted read-only. The task's
        # secrets/ directory (auth file and acl.conf, rendered below) is mounted
        # as squid's conf.d.
        # NOTE(review): "secrets/:/etc/squid/conf.d" is the only mount without
        # ":ro"; nothing visible here needs squid to write there, so consider
        # adding ":ro" for consistency with the other mounts — confirm against
        # the image's entrypoint first.
        volumes         = [
          "local/squid.conf:/etc/squid/squid.conf:ro",
          "secrets/:/etc/squid/conf.d",
          "local/filter-acl.sh:/entrypoint.d/30-filter-acl.sh:ro"
        ]
      }

[[ template "common/artifacts" $c ]]
[[ template "common/vault.policies" $c ]]

      env {
        SQUID_LISTS_DIR         = "/local/lists"
        # Basic authentication against the password file rendered to
        # secrets/auth (visible as /secrets/auth inside the task).
        SQUID_CONF_5_auth_param = "basic program /usr/lib/squid/basic_ncsa_auth /secrets/auth"
        # The SSL_ports ACL is built from .squid.ssl_ports at template time.
        SQUID_CONF_5_acl        = "ssl_ports port [[ join .squid.ssl_ports " " ]]"
      }

      # Entrypoint hook that applies the filter ACLs; executable (755).
      # NOTE(review): uid/gid 100000 appear throughout — presumably the
      # remapped/in-container user; verify against the image and the client's
      # user-namespace setup.
      template {
        data        = <<_EOT
[[ template "squid/filter_acl.sh.tpl" $c ]]
_EOT
        destination = "local/filter-acl.sh"
        uid         = 100000
        gid         = 100000
        perms       = 755
      }

      # Main squid configuration.
      template {
        data        = <<_EOT
[[ template "squid/squid.conf" $c ]]
_EOT
        destination = "local/squid.conf"
      }

      # Reload helper invoked by the change_script blocks below
      # (its contents come from squid/reload.sh.tpl and are not shown here).
      template {
        data        = <<_EOT
[[ template "squid/reload.sh.tpl" $c ]]
_EOT
        destination = "local/reload.sh"
        uid         = 100000
        gid         = 100000
        perms       = 755
      }

      # Credentials file for basic_ncsa_auth. Kept out of local/ (secrets/ is
      # not exposed via the allocation API) and group-readable only (0640).
      # change_mode "noop": a re-render does not restart or signal squid —
      # presumably basic_ncsa_auth re-reads the file itself; confirm.
      template {
        data        = <<_EOT
[[ template "squid/auth.tpl" $c ]]
_EOT
        destination = "secrets/auth"
        uid         = 100000
        gid         = 100031
        perms       = 0640
        change_mode = "noop"
      }

      # ACL definitions; a re-render triggers /local/reload.sh instead of a
      # task restart.
      template {
        data        = <<_EOT
[[ template "squid/acl.conf.tpl" $c ]]
_EOT
        destination = "secrets/acl.conf"
        uid         = 100000
        gid         = 100031
        perms       = 0640
        change_mode = "script"
        change_script {
          command = "/local/reload.sh"
        }
      }

      # Block lists: each entry in .squid.lists is either fetched from a URL
      # (artifact, fetched once at task start — a later change at the URL is
      # not picked up) or rendered inline (template, reloaded on change).
      # Both land in local/lists/<category>/<name>.list.
[[- range $k, $v := .squid.lists ]]
[[- if has $v "url" ]]
      artifact {
        source      = "[[ $v.url ]]"
        destination = "local/lists/[[ $v.category ]]/[[ $k ]].list"
        mode        = "file"
      }
[[- else if has $v "content" ]]
      template {
        data        = <<_EOT
[[ $v.content ]]
_EOT
        destination = "local/lists/[[ $v.category ]]/[[ $k ]].list"
        change_mode = "script"
        change_script {
          command = "/local/reload.sh"
        }
      }
[[- end ]]
[[- end ]]

[[ template "common/file_env" $c ]]
[[ template "common/resources" $c ]]
    }

    # Optional prometheus exporter: a post-start sidecar that queries squid's
    # manager interface and is fronted by the shared metrics proxy task.
[[- if conv.ToBool $c.prometheus.enabled ]]
[[ template "common/task.metrics_proxy" $c ]]
      # From here on $c is the exporter settings overlaid on the job settings.
[[- $c := merge $c.exporter $c ]]
      task "exporter" {
        driver = "[[ $c.nomad.driver ]]"

        lifecycle {
          hook    = "poststart"
          sidecar = true
        }

        config {
          image           = "[[ $c.image ]]"
          readonly_rootfs = true
          pids_limit      = 20
        }

[[ template "common/vault.policies" $c ]]

        # Exporter settings as an env file. The listen address is loopback
        # only (the group runs in bridge mode, so only the metrics proxy
        # reaches it). The manager password is pulled from Vault at runtime by
        # the {{ }} consul-template tags, never baked into the job; the file
        # is owner-read only (perms 400, octal).
        template {
          data        = <<_EOT
SQUID_EXPORTER_LISTEN=127.0.0.1:9301
SQUID_LOGIN=squid_manager
SQUID_PASSWORD='{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.manager_pwd }}{{ end }}'
_EOT
          destination = "secrets/.squid-exporter.env"
          perms       = 400
          env         = true
        }

[[ template "common/resources" $c ]]
      }
[[- end ]]
  }
}