job "[[PROJECT_NAME]]" {
  region      = "global"
  datacenters = ["dc1"]
  type        = "service"

  update {
    stagger           = "60s"
    max_parallel      = 1
    progress_deadline = "6m"
    auto_revert       = true
  }

  group "[[PROJECT_NAME]]-group" {
    count = 1

    network {
      port "http" {
        to = [[PORT]]  # Internal application port
      }
    }

    # Host volume for persistent data (optional)
    # Uncomment if your app needs persistent storage
    # volume "data" {
    #   type      = "host"
    #   source    = "[[PROJECT_NAME]]-data"
    #   read_only = false
    # }

    # Register the service with Consul
    service {
      provider = "consul"
      name     = "[[PROJECT_NAME]]"
      port     = "http"

      # Traefik-specific tags for routing
      tags = [
        "traefik.enable=true",
        "traefik.http.routers.[[PROJECT_NAME]].rule=Host(`[[PROJECT_NAME]].i80.dk`)",
        "traefik.http.routers.[[PROJECT_NAME]].tls=true",
        "PORT=${NOMAD_PORT_http}"
      ]

      # HTTP health check - CRITICAL!
      # Your app MUST implement /health endpoint
      check {
        name     = "http_health"
        type     = "http"
        path     = "/health"
        interval = "10s"
        timeout  = "2s"
        
        # Important: Use interpolated port
        port     = "http"
        
        # Give app time to start before first check
        check_restart {
          limit           = 3
          grace           = "10s"
          ignore_warnings = false
        }
      }

      # Backup TCP check (if HTTP health check fails during startup)
      check {
        name     = "tcp_alive"
        type     = "tcp"
        interval = "30s"
        timeout  = "2s"
        port     = "http"
      }
    }

    task "[[PROJECT_NAME]]-task" {
      driver = "docker"

      config {
        image = "registry.i80.dk/gitea/[[PROJECT_NAME]]:latest"
        ports = ["http"]
        
        # Force pull latest image on each deployment
        force_pull = true
        
        # Optional: Mount host volume
        # Uncomment if using volume above
        # volumes = [
        #   "data:/app/data"
        # ]
      }

      # Mount volume (if declared above)
      # volume_mount {
      #   volume      = "data"
      #   destination = "/app/data"
      #   read_only   = false
      # }

      # Environment variables
      env {
        APP_ENV = "production"
        PORT    = "${NOMAD_PORT_http}"
        
        # Workaround for Vault being down:
        # Set secrets as plain environment variables
        # TODO: Move to Vault when available
        # DATABASE_URL = "sqlite:///app/data/app.db"
        # API_KEY      = "your-api-key-here"  # Replace with actual value
      }

      # Secrets from Vault (when Vault is working)
      # Uncomment when Vault is available
      # template {
      #   data = <<EOH
      # {{ with secret "secret/data/[[PROJECT_NAME]]" }}
      # DATABASE_URL="{{ .Data.data.database_url }}"
      # API_KEY="{{ .Data.data.api_key }}"
      # {{ end }}
      # EOH
      #   destination = "secrets/config.env"
      #   env         = true
      # }

      # Logs configuration
      logs {
        max_files     = 5
        max_file_size = 10  # MB
      }

      resources {
        cpu    = 250  # MHz
        memory = 128  # MB
        
        # Optional: Memory oversubscription
        # memory_max = 256
      }

      # Kill timeout - give app time to gracefully shutdown
      kill_timeout = "30s"
    }

    # Restart policy
    restart {
      attempts = 3
      interval = "5m"
      delay    = "15s"
      mode     = "fail"
    }

    # Ephemeral disk (for temporary files)
    ephemeral_disk {
      size    = 300  # MB
      migrate = false
    }
  }
}