job "renovate" {
  type = "batch"

  periodic {
    cron             = "0 4 * * *" # Daily at 4am
    prohibit_overlap = true
  }

  group "renovate" {
    network {
      mode = "bridge"
    }

    # Consul Connect sidecar with upstream to Gitea (service: code-connect, port 3000)
    service {
      name = "renovate"
      connect {
        sidecar_service {
          proxy {
            upstreams {
              destination_name = "code-connect"
              local_bind_port  = 3000
            }
          }
        }
      }
    }

    task "renovate" {
      driver = "docker"

      config {
        image = "renovate/renovate:latest"
      }

      env = {
        RENOVATE_PLATFORM     = "gitea"
        RENOVATE_ENDPOINT     = "http://localhost:3000"
        RENOVATE_GIT_URL      = "endpoint"
        RENOVATE_REPOSITORIES = "othrayte/infra"
        RENOVATE_GIT_AUTHOR   = "Renovate Bot <renovate@othrayte.one>"
        LOG_LEVEL             = "debug"
      }

      # Required SOPS key:
      #   renovate.gitea_token  — PAT for the renovate bot account in Gitea
      #   Create a dedicated 'renovate' user in Gitea with these token scopes:
      #     repo (read+write), user (read), issue (read+write), organization (read)
      template {
        data        = <<EOF
RENOVATE_TOKEN={{ with nomadVar "nomad/jobs/renovate" }}{{ .gitea_token }}{{ end }}
EOF
        destination = "secrets/renovate.env"
        env         = true
      }

      resources {
        cpu        = 500
        memory     = 512
        memory_max = 1024
      }
    }
  }
}