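#cloud-config
# Single-node deployment of HeyForm behind Caddy, with MongoDB and KeyDB run as
# containers. Every secret is read at runtime from the instance metadata via
# `cloud-init query ds.metadata.<KEY>`; nothing sensitive is stored in this file.
users:
  - default
package_update: true
packages:
  - ca-certificates
  - cron
  - docker.io
  - jq
  - restic
  - syslog-ng
  - watchdog
write_files:
  # Caddy: TLS termination and reverse proxy to the heyform container.
  # The Let's Encrypt staging endpoint stays commented out; uncomment it while
  # testing certificate issuance to avoid production rate limits.
  - content: |
      {
        #acme_ca https://acme-staging-v02.api.letsencrypt.org/directory
      }
      sondages.cours-de-latin.com {
        reverse_proxy heyform:9157 {
          flush_interval -1
        }
      }
    path: /etc/caddy/Caddyfile
  # Daily backup: dump MongoDB, then snapshot the dump and the upload directory
  # with restic. Runs as root from cron.daily.
  - content: |
      #!/bin/sh
      # Dump the mongo container and push a restic snapshot of the dump plus
      # /var/lib/heyform. Restic credentials come from the instance metadata.
      # Fail fast: without `set -e` a failed mongodump was still followed by a
      # restic snapshot of the previous (stale) dump, reported as success.
      set -eu
      export AWS_ACCESS_KEY_ID="$(cloud-init query ds.metadata.RESTIC_AWS_ACCESS_KEY_ID)"
      export AWS_SECRET_ACCESS_KEY="$(cloud-init query ds.metadata.RESTIC_AWS_SECRET_ACCESS_KEY)"
      export RESTIC_REPOSITORY="$(cloud-init query ds.metadata.RESTIC_REPOSITORY)"
      export RESTIC_PASSWORD="$(cloud-init query ds.metadata.RESTIC_PASSWORD)"
      export RESTIC_COMPRESSION=max
      # Read the root password from the container definition, the same way
      # launch_heyform.sh does, instead of `export $(docker exec mongo env | grep MONGO_INIT)`,
      # which relied on word-splitting and exported every MONGO_INIT* variable.
      MONGO_INITDB_ROOT_PASSWORD=$(docker inspect -f "{{ json .Config.Env }}" mongo | jq -r '.[] | select(startswith("MONGO_INITDB_ROOT_PASSWORD="))' | cut -d = -f 2-)
      mkdir -p /var/backups/mongodb
      # NOTE(review): the password travels on argv and is visible in `ps` on the
      # host while mongodump runs; a tools config file would avoid that — confirm
      # the mongodump version shipped in the image supports `--config` first.
      docker exec mongo mongodump --username root --password "$MONGO_INITDB_ROOT_PASSWORD" --out /var/backups/mongodb/
      restic backup /var/backups/mongodb /var/lib/heyform
    path: /etc/cron.daily/backup_mongodb
    permissions: 0o755
  # (Re)create the caddy container; also used by hand for upgrades.
  - content: |
      #!/bin/sh
      # Recreate the caddy container from caddy:latest. If a container already
      # exists it is pulled, stopped and removed first; with `set -e` a failed
      # pull aborts before the running container is touched.
      set -e
      docker inspect caddy > /dev/null 2>&1 && {
        docker pull caddy:latest
        docker stop caddy
        docker rm caddy
      }
      # NOTE(review): `caddy:latest` is an unpinned tag; pin to a digest
      # (`caddy@sha256:<digest>`) to make redeploys reproducible.
      docker run -d --restart unless-stopped --network local \
        -v /etc/caddy:/etc/caddy \
        -v /var/lib/caddy:/data/caddy \
        -p 80:80 -p 443:443 \
        --log-driver syslog --log-opt "syslog-address=unixgram:///dev/log" --log-opt syslog-facility=daemon --log-opt tag=caddy \
        --name caddy \
        caddy:latest
    path: /root/launch_caddy.sh
    permissions: 0o755
  # (Re)create the heyform container; also used by hand for upgrades.
  - content: |
      #!/bin/sh
      # Recreate the heyform container. Application secrets come from the
      # instance metadata; the MongoDB password is inherited from the caller's
      # environment on first boot and recovered from the existing container on
      # later runs. `set -e` aborts on a failed pull before the old container is
      # removed, so a registry outage does not take the service down.
      set -e
      export SMTP_USER="$(cloud-init query ds.metadata.SMTP_USER)"
      export SMTP_PASSWORD="$(cloud-init query ds.metadata.SMTP_PASSWORD)"
      export SESSION_KEY="$(cloud-init query ds.metadata.SESSION_KEY)"
      export FORM_ENCRYPTION_KEY="$(cloud-init query ds.metadata.FORM_ENCRYPTION_KEY)"
      export OPENAI_API_KEY="$(cloud-init query ds.metadata.SENSUS_API_KEY)"
      docker inspect heyform > /dev/null 2>&1 && {
        MONGO_PASSWORD=$(docker inspect -f "{{ json .Config.Env }}" heyform | jq -r '.[] | select(startswith("MONGO_PASSWORD="))' | cut -d = -f 2-)
        # `-e MONGO_PASSWORD` below copies the variable from the environment; a
        # bare assignment is not exported when this script is run by hand, which
        # left the recreated container without a database password.
        export MONGO_PASSWORD
        docker pull heyform/community-edition:latest
        docker stop heyform
        docker rm heyform
      }
      # NOTE(review): SMTP_FROM looks truncated in this copy of the file (no
      # address after the display name) — confirm the intended value.
      # NOTE(review): `:latest` with `--pull always` is unpinned; pin to a digest
      # (`heyform/community-edition@sha256:<digest>`) for reproducible redeploys.
      docker run -d --restart unless-stopped --network local \
        -v /var/lib/heyform/upload:/app/static/upload \
        -e APP_HOMEPAGE_URL=https://sondages.cours-de-latin.com \
        -e SESSION_KEY -e FORM_ENCRYPTION_KEY \
        -e MONGO_URI="mongodb://mongo:27017/heyform?authSource=admin" \
        -e MONGO_USER=root -e MONGO_PASSWORD \
        -e REDIS_HOST=keydb -e REDIS_PORT=6379 \
        -e OPENAI_BASE_URL=https://sensus.p0m.fr/v1 -e OPENAI_API_KEY -e OPENAI_GPT_MODEL=ibm-granite_granite-4.0-h-micro \
        -e SMTP_HOST=djehouty.pomail.fr -e SMTP_PORT=465 -e SMTP_SECURE=true -e SMTP_FROM="Heyform " -e SMTP_USER -e SMTP_PASSWORD \
        -e GENERIC_TIMEZONE="Europe/Paris" -e TZ="Europe/Paris" \
        --log-driver syslog --log-opt "syslog-address=unixgram:///dev/log" --log-opt syslog-facility=daemon --log-opt tag=heyform \
        --name heyform --pull always \
        heyform/community-edition:latest
    path: /root/launch_heyform.sh
    permissions: 0o755
runcmd:
  # Allow HTTP/HTTPS in IPv4: persisted rules file plus the live table.
  # NOTE(review): `-I INPUT 5` assumes the base image's rule order — confirm the
  # position still lands before the REJECT rule on the current image.
  - sed -i '/-A INPUT -j REJECT/i-A INPUT -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT\n-A INPUT -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT' /etc/iptables/rules.v4
  - iptables -I INPUT 5 -p tcp -m state --state NEW -m tcp --dport 443 -j ACCEPT
  - iptables -I INPUT 5 -p tcp -m state --state NEW -m tcp --dport 80 -j ACCEPT
  # Retrieve the last backups. Best effort: on a fresh repository `restic
  # restore latest` fails and the run continues with empty data directories.
  - export AWS_ACCESS_KEY_ID="$(cloud-init query ds.metadata.RESTIC_AWS_ACCESS_KEY_ID)"
  - export AWS_SECRET_ACCESS_KEY="$(cloud-init query ds.metadata.RESTIC_AWS_SECRET_ACCESS_KEY)"
  - export RESTIC_REPOSITORY="$(cloud-init query ds.metadata.RESTIC_REPOSITORY)"
  - export RESTIC_PASSWORD="$(cloud-init query ds.metadata.RESTIC_PASSWORD)"
  - mkdir -p /var/backups/mongodb /var/lib/heyform
  - restic restore latest --target / --include /var/backups/mongodb
  - restic restore latest --target / --include /var/lib/heyform
  # Create docker network
  - docker network create local
  # Generate the database root password; it is exported so the launch scripts
  # called below inherit it.
  - export MONGO_PASSWORD="$(openssl rand -base64 30)"
  # Launch database. Multi-line commands are literal blocks (`|`): a plain
  # multi-line scalar is folded onto one line with the trailing `\` kept
  # literally, which the shell then reads as an escaped space argument.
  # NOTE(review): mongo 4.4 is end-of-life upstream — plan the upgrade and
  # confirm dump/restore compatibility before changing the tag.
  - |
    docker run -d --restart always --network local \
      -v /var/backups/mongodb/:/var/backups/mongodb/ -v /var/lib/mongodb:/data/db \
      -e MONGO_INITDB_ROOT_USERNAME=root \
      -e MONGO_INITDB_ROOT_PASSWORD="${MONGO_PASSWORD}" \
      --log-driver syslog --log-opt "syslog-address=unixgram:///dev/log" --log-opt syslog-facility=daemon --log-opt tag=mongo \
      --pull always --name mongo \
      mongo:4.4
  # NOTE(review): `eqalpha/keydb:latest` is an unpinned tag; pin to a digest for
  # reproducible boots.
  - |
    docker run -d --restart always --network local \
      -v /var/backups/keydb/:/var/backups/keydb/ \
      -v /var/lib/keydb:/data \
      --log-driver syslog --log-opt "syslog-address=unixgram:///dev/log" --log-opt syslog-facility=daemon --log-opt tag=keydb \
      --pull always --name keydb \
      eqalpha/keydb:latest keydb-server --appendonly yes
  # Launch web server
  - /root/launch_caddy.sh
  # Restore the database once mongod accepts connections: a bounded wait on an
  # unauthenticated `ping` instead of the fixed `sleep 10`, which raced against
  # the container start. Gives up after ~60 s and lets mongorestore report.
  - |
    n=0
    until docker exec mongo mongo --quiet --eval 'db.runCommand({ ping: 1 }).ok' > /dev/null 2>&1; do
      n=$((n + 1))
      [ "$n" -ge 30 ] && break
      sleep 2
    done
  # NOTE(review): as in the backup script, the password is passed on argv and is
  # visible in `ps` on the host for the duration of the restore.
  - docker exec mongo mongorestore --username root --password "$MONGO_PASSWORD" /var/backups/mongodb/
  # Launch main container
  - /root/launch_heyform.sh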