job "gitea" {
  group "gitea" {
    network {
      mode = "bridge"
      port "http" {
        to = 3000
      }
    }

    service {
      connect {
        sidecar_service {
          proxy {
            upstreams {
              destination_name = "postgres"
              local_bind_port  = 5432
            }
          }
        }
      }
    }

    service {
      name = "code"
      port = "http"

      tags = [
        "traefik.enable=true",
        "traefik.http.routers.gitea.middlewares=auth@file",
        # Token subdomain — no auth middleware — used by act_runner step containers for git checkout
        "traefik.http.routers.gitea-token.rule=Host(`gitea-1ef0bea6b75a4fd3e9393a9f7f7e4b02.othrayte.one`)",
      ]

      check {
        type     = "http"
        path     = "/"
        interval = "10s"
        timeout  = "2s"
      }
    }

    # Separate service for Consul Connect ingress (address_mode=alloc avoids hairpin NAT issue)
    service {
      name         = "code-connect"
      port         = "http"
      address_mode = "alloc"

      connect {
        sidecar_service {}
      }
    }

    task "gitea" {
      driver = "docker"

      config {
        image = "gitea/gitea:latest"

        ports = ["http"]

        volumes = ["local/app.ini:/data/gitea/conf/app.ini"]
      }

      env = {
        USER_UID = "1000"
        USER_GID = "1000"
      }

      resources {
        cpu    = 500
        memory = 512
      }

      volume_mount {
        volume      = "unraid_appdata_gitea"
        destination = "/data"
        read_only   = false
      }

      template {
        data        = <<EOF
# Gitea configuration file
WORK_PATH = /data/

[database]
DB_TYPE = postgres
HOST = localhost:5432
NAME = gitea
USER = gitea
PASSWD = {{ with nomadVar "nomad/jobs/gitea" }}{{ .database_pw }}{{ end }}

[repository]
ROOT = /data/git/repositories

[server]
DOMAIN = code.othrayte.one
SSH_DOMAIN = git.othrayte.one
ROOT_URL = https://code.othrayte.one/

[lfs]
PATH = /data/git/lfs

[log]
MODE = console
LEVEL = info
ROOT_PATH = /data/gitea/log

[security]
INSTALL_LOCK = true
INTERNAL_TOKEN = {{ with nomadVar "nomad/jobs/gitea" }}{{ .internal_token }}{{ end }}
PASSWORD_HASH_ALGO = pbkdf2

[oauth2]
JWT_SECRET = {{ with nomadVar "nomad/jobs/gitea" }}{{ .jwt_secret }}{{ end }}
EOF
        destination = "local/app.ini"
      }
    }

    task "tailscale" {
      driver = "docker"

      config {
        image = "tailscale/tailscale:latest"
      }

      env = {
        TS_HOSTNAME   = "git"
        TS_AUTHKEY    = "${ts_oauthsecret}?ephemeral=true"
        TS_EXTRA_ARGS = "--advertise-tags=tag:nomad"
      }

      resources {
        cpu    = 100
        memory = 64
      }

      lifecycle {
        hook    = "prestart"
        sidecar = true
      }
    }

    volume "unraid_appdata_gitea" {
      type            = "csi"
      read_only       = false
      source          = "unraid_appdata_gitea"
      access_mode     = "single-node-writer"
      attachment_mode = "file-system"

      mount_options {
        mount_flags = ["uid=1000", "gid=1000"]
      }
    }
  }
}