job "ntfy" {
  group "ntfy" {
    network {
      mode = "bridge"
      port "http" {
        to = 80
      }
    }

    # Consul Connect sidecar with upstream to postgres
    service {
      connect {
        sidecar_service {
          proxy {
            upstreams {
              destination_name = "postgres"
              local_bind_port  = 5432
            }
          }
        }
      }
    }

    service {
      name = "ntfy"
      port = "http"

      tags = [
        "traefik.enable=true",
        "traefik.http.routers.ntfy.middlewares=auth@file",
        # Token subdomain bypasses Authelia — ntfy's own token auth is sufficient for API access
        "traefik.http.routers.ntfy-token.rule=Host(`ntfy-2e30e5869ab6bfde4961012b48761a9b.othrayte.one`)",
      ]

      check {
        type     = "http"
        path     = "/healthz"
        interval = "10s"
        timeout  = "2s"
      }
    }

    # Users and tokens are provisioned declaratively via auth-users / auth-tokens in server.yml.
    # ntfy reads and applies them on every startup — no poststart task, no race conditions.
    #
    # Bcrypt hashes are not secrets and are hardcoded below (same as /etc/shadow — safe to commit).
    # Generate with: docker run --rm -it binwiederhier/ntfy user hash
    #            or: echo "mypassword" | docker run --rm -i binwiederhier/ntfy user hash
    # For the diun account the plaintext is irrelevant (token-only auth); use a random password:
    #            openssl rand -base64 32 | docker run --rm -i binwiederhier/ntfy user hash
    #
    # Required SOPS keys:
    #   ntfy.database_pw  — postgres password for the ntfy role
    #   diun.ntfy_token   — access token for Diun (actual secret — grants write access)
    #                       Must start with "tk_" and be exactly 32 chars total.
    #                       Generate: tok=$(openssl rand -hex 15); echo "tk_${tok:0:29}"
    task "ntfy" {
      driver = "docker"

      config {
        image   = "binwiederhier/ntfy:latest"
        ports   = ["http"]
        command = "serve"
        volumes = [
          "local/server.yml:/etc/ntfy/server.yml",
        ]
      }

      env = {
        TZ = "Australia/Melbourne"
      }

      template {
        data        = <<EOF
base-url: "https://ntfy.othrayte.one"
listen-http: ":80"
database-url: "postgres://ntfy:{{ with nomadVar "nomad/jobs/ntfy" }}{{ .database_pw }}{{ end }}@localhost:5432/ntfy"
auth-default-access: "deny-all"
behind-proxy: true
enable-login: true
auth-users:
  - "admin:$2a$10$rLp4qagJnsA8Es5hQlISH.WrlzwMrXE2MBaEgz7zdd2lkAVu30lMy:admin"
  - "diun:$2y$10$4wi1VG.Vp5p3Q2OEIXaTSOmwZm.G9dpNca9BqQRMdGGnk2yQqK3Gq:user"
auth-tokens:
  - "diun:{{with nomadVar "nomad/jobs/ntfy"}}{{.diun_token}}{{end}}:Diun"
auth-access:
  - "diun:diun:write-only"
EOF
        destination = "local/server.yml"
      }

      resources {
        cpu        = 50
        memory     = 64
        memory_max = 128
      }
    }

  }
}