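# inspiration: https://github.com/astro/skyflake/blob/main/nixos-modules/nomad.nix
#
# NixOS module: one Nomad node of the "alo" datacenter.  Every host runs a
# Nomad client; hosts whose hostname is listed in `servers` also run a server.
{ pkgs, config, ... }:
let
  # Hostnames of the server-role nodes; also the retry_join targets for
  # both the client and the server agent.
  servers = [ "c1" "c2" "c3" ];

  # This host runs the server role iff its hostname is in `servers`.
  server_enabled = builtins.elem config.networking.hostName servers;

  # Nomad's documented default `allow_caps` set for the docker driver, spelled
  # out because the plugin config has no way to say "the default plus X".
  # NOTE(review): re-check this list against the docs of the pinned
  # pkgs.unstable.nomad when that package is bumped.
  defaultDockerCaps = [
    "audit_write" "chown" "dac_override" "fowner" "fsetid" "kill" "mknod"
    "net_bind_service" "setfcap" "setgid" "setpcap" "setuid" "sys_chroot"
  ];
in
{
  services.nomad = {
    enable = true;
    package = pkgs.unstable.nomad;
    # Runs the agent as root: dropPrivileges = true breaks at least CSI volumes.
    dropPrivileges = false;
    settings = {
      datacenter = "alo";
      client = {
        enabled = true;
        server_join.retry_join = servers;
        # Named host network so jobs can bind to the Tailscale address only.
        host_network.tailscale = {
          interface = "tailscale0";
          cidr = "100.64.0.0/10";
        };
      };
      server = {
        enabled = server_enabled;
        # Majority of the configured servers (2 of 3; integer division).
        # NOTE(review): Nomad's docs recommend the full expected server count
        # here; a lower value lets a partial set bootstrap — confirm intended.
        bootstrap_expect = (builtins.length servers + 2) / 2;
        server_join.retry_join = servers;
      };
    };
    # Docker plugin settings live in a separate JSON file (see environment.etc
    # below) so they are merged in without fighting the `settings` schema.
    extraSettingsPaths = [ "/etc/nomad-alo.json" ];
  };

  systemd.services.nomad.wants = [ "network-online.target" ];

  environment.etc."nomad-alo.json".text = builtins.toJSON {
    plugin.docker.config = {
      # Required for the keepalived task.  A privileged container receives
      # every capability regardless of allow_caps, so the list below only
      # bounds the non-privileged tasks on this node.
      allow_privileged = true;
      # Least privilege instead of "all": the default set plus the three
      # capabilities keepalived (VRRP) actually needs.
      allow_caps = defaultDockerCaps ++ [ "net_admin" "net_broadcast" "net_raw" ];
    };
  };

  # Survive reboots on an impermanent root: docker images/volumes and the
  # Nomad data dir (allocs, client state, raft on servers).
  environment.persistence."/persist".directories = [
    "/var/lib/docker"
    "/var/lib/nomad"
  ];

  environment.systemPackages = with pkgs; [ nomad wander damon ];

  networking.firewall = {
    # 4646 = HTTP API on every node; 4647 (RPC) and 4648 (serf gossip, TCP+UDP)
    # are only opened on the server-role nodes as configured here.
    # NOTE(review): these ports are opened on every interface, not just
    # tailscale0.  No ACL configuration is visible in this module; without it
    # the HTTP API lets any reachable client submit jobs, which with
    # allow_privileged above amounts to root on the host.  Consider
    # `networking.firewall.interfaces.tailscale0.allowedTCPPorts` instead —
    # confirm first that inter-node traffic really goes over Tailscale.
    allowedTCPPorts = if server_enabled then [ 4646 4647 4648 ] else [ 4646 ];
    allowedUDPPorts = if server_enabled then [ 4648 ] else [ ];
  };
}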