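# Nomad job: UniFi Network controller, run as a single Docker task that sits on
# a macvlan network with a fixed LAN address and keeps its state on a CSI volume.
job "unifi-network" {
  group "unifi-network" {
    # The volume below is single-node-writer, so only one instance may run.
    count = 1

    task "unifi-controller" {
      driver = "docker"

      config {
        # NOTE(review): the image is pinned by tag only. A tag can be re-pointed
        # upstream; pinning by digest ("jacobalberty/unifi@sha256:<digest>")
        # makes the deployed artifact immutable.
        image = "jacobalberty/unifi:v9.5.21"

        # Fixed IP on the actual network so that devices can find it.
        # No port mapping is declared in this job, so presumably every port the
        # container listens on is reachable from that network segment; any
        # filtering has to happen on the network itself. Confirm.
        network_mode = "macvlan"
        ipv4_address = "192.168.1.50"
      }

      env {
        TZ = "Australia/Melbourne"

        # Keep in sync with config.ipv4_address above.
        SYSTEM_IP = "192.168.1.50"

        # Initial and maximum JVM heap are equal; both stay below the task's
        # memory reservation in the resources block.
        JVM_INIT_HEAP_SIZE = "1024M"
        JVM_MAX_HEAP_SIZE  = "1024M"

        UNIFI_STDOUT = "true"
      }

      # Register in Consul so Traefik and health checks can find it.
      # address_mode = "driver" advertises the macvlan IP (192.168.1.50)
      # rather than the host IP.
      service {
        name         = "unifi-network"
        port         = 8443
        address_mode = "driver"

        # TCP/HTTP checks from the Consul agent can't reach the macvlan IP
        # (host <-> macvlan isolation). Use a script check instead: it runs
        # inside the container via docker exec and connects to localhost:8443
        # directly.
        check {
          name    = "alive"
          type    = "script"
          command = "/usr/bin/curl"

          # -s      quiet output.
          # -k      skips TLS certificate verification. Tolerable here only
          #         because the target is localhost inside the same container;
          #         do not copy this flag into a check against a remote host.
          # --fail  makes curl exit non-zero on HTTP 4xx/5xx. Without it, any
          #         HTTP response at all, including a server error page, was
          #         reported as healthy.
          args = ["-sk", "--fail", "--max-time", "5", "-o", "/dev/null", "https://localhost:8443"]

          interval = "30s"
          timeout  = "10s"
        }
      }

      volume_mount {
        volume = "unraid_appdata_unifi_network"

        # Expected root directory (contains data, log, cert subdirs).
        destination = "/unifi"
        read_only   = false
      }

      resources {
        cpu    = 200
        memory = 1850

        # memory_max only takes effect when memory oversubscription is enabled
        # in the Nomad scheduler configuration.
        memory_max = 2500
      }
    }

    # CSI volume for UniFi Controller persistent data/logs.
    volume "unraid_appdata_unifi_network" {
      type            = "csi"
      read_only       = false
      source          = "unraid_appdata_unifi_network"
      access_mode     = "single-node-writer"
      attachment_mode = "file-system"

      mount_options {
        # NOTE(review): the volume is mounted with root ownership, which
        # suggests the controller runs as root inside the container. Confirm
        # whether the image can run as an unprivileged user and, if so,
        # change these to that user's uid/gid.
        mount_flags = ["uid=0", "gid=0"]
      }
    }
  }
}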