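# Nomad job for authentik (identity provider): one "server" task and one
# "worker" task in a single group, both run from the same image and pointed at
# the same Redis and PostgreSQL services resolved through Consul DNS.
#
# Credentials are passed in as job variables. The two secret variables at the
# bottom of this file deliberately have no default, so the job cannot be
# submitted without them being supplied out of band.
job "authentik" {
  datacenters = ["alo"]

  group "auth" {
    network {
      port "http" {
        # traefik forwardAuth hardcodes this port
        static = 9000
      }
      port "https" {
        to = 9443
      }
      port "metrics" {
        to = 9300
      }
    }

    task "server" {
      driver = "docker"

      config {
        # Pinned by version tag only. A tag can be re-pointed upstream; pinning
        # by image digest as well would make the deployed artifact immutable.
        image = "ghcr.io/goauthentik/server:${var.authentik_version}"
        ports = [
          "http",
          "https",
          "metrics"
        ]
        command = "server"
      }

      # NOTE(review): values interpolated from job variables become part of the
      # stored job specification, so anyone permitted to read the job can read
      # the database password and secret key. A `template` block with
      # `env = true`, fed from Vault or Nomad Variables, keeps them out of the
      # job spec.
      env {
        AUTHENTIK_REDIS__HOST           = "redis.service.consul"
        AUTHENTIK_POSTGRESQL__HOST      = "postgres.service.consul"
        AUTHENTIK_POSTGRESQL__NAME      = "${var.pg_db}"
        AUTHENTIK_POSTGRESQL__USER      = "${var.pg_user}"
        AUTHENTIK_POSTGRESQL__PASSWORD  = "${var.pg_password}"
        AUTHENTIK_SECRET_KEY            = "${var.secret_key}"
        AUTHENTIK_EMAIL__HOST           = "192.168.1.1"
        AUTHENTIK_EMAIL__FROM           = "authentik@paler.net"
      }

      resources {
        cpu    = 2000
        memory = 1024
      }

      service {
        name = "authentik"
        port = "http"
        tags = [
          "traefik.enable=true",
          # Main UI
          "traefik.http.routers.authentik.entryPoints=websecure",
          "traefik.http.routers.authentik.rule=Host(`authentik.v.paler.net`) || Host(`authentik.alo.land`)",
          # Embedded outpost for forward auth
          # Each router matches any single-label subdomain, but only under the
          # outpost path prefix, so other paths on those hosts are not routed
          # to authentik by these rules.
          "traefik.http.routers.authentik-palernet.entryPoints=websecure",
          "traefik.http.routers.authentik-palernet.rule=HostRegexp(`{subdomain:[a-z0-9-]+}.v.paler.net`) && PathPrefix(`/outpost.goauthentik.io/`)",
          "traefik.http.routers.authentik-aloland.entryPoints=websecure",
          "traefik.http.routers.authentik-aloland.rule=HostRegexp(`{subdomain:[a-z0-9-]+}.alo.land`) && PathPrefix(`/outpost.goauthentik.io/`)",
        ]
      }

      # Registered without any traefik tags, so this service is not published
      # through the proxy by this file. The metrics port is still reachable on
      # the client's mapped host port — TODO confirm that is restricted to the
      # scraper.
      service {
        name = "authentik-metrics"
        port = "metrics"
        tags = [
          "metrics"
        ]
      }
    }

    task "worker" {
      driver = "docker"

      config {
        image   = "ghcr.io/goauthentik/server:${var.authentik_version}"
        command = "worker"
      }

      # Same settings as the server task; the two env blocks must be kept in
      # sync by hand. The NOTE(review) on the server task's env block about
      # secrets in the stored job spec applies here as well.
      env {
        AUTHENTIK_REDIS__HOST           = "redis.service.consul"
        AUTHENTIK_POSTGRESQL__HOST      = "postgres.service.consul"
        AUTHENTIK_POSTGRESQL__NAME      = "${var.pg_db}"
        AUTHENTIK_POSTGRESQL__USER      = "${var.pg_user}"
        AUTHENTIK_POSTGRESQL__PASSWORD  = "${var.pg_password}"
        AUTHENTIK_SECRET_KEY            = "${var.secret_key}"
        AUTHENTIK_EMAIL__HOST           = "192.168.1.1"
        AUTHENTIK_EMAIL__FROM           = "authentik@paler.net"
      }

      resources {
        memory = 400
      }
    }
  }
}

variable "pg_user" {
  type        = string
  default     = "authentik"
  description = "PostgreSQL role authentik connects as."
}

# No default on purpose: a default here is a credential committed to version
# control. Supply the value at submit time with -var, -var-file, or the
# NOMAD_VAR_pg_password environment variable. Any value that was previously
# committed with this file should be treated as exposed and rotated.
variable "pg_password" {
  type        = string
  description = "Password for the PostgreSQL role; must be supplied at submit time."
}

variable "pg_db" {
  type        = string
  default     = "authentik"
  description = "PostgreSQL database name."
}

# No default on purpose, for the same reason as pg_password. Supply with -var,
# -var-file, or NOMAD_VAR_secret_key. Rotating this key invalidates existing
# authentik sessions, so plan the rotation of any previously committed value.
variable "secret_key" {
  type        = string
  description = "authentik secret key; must be supplied at submit time."
}

variable "authentik_version" {
  type        = string
  default     = "2024.10.0"
  description = "Image tag of ghcr.io/goauthentik/server to deploy."
}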