job "vault-cluster-ha" {
  datacenters = ["dc1"]
  type        = "service"

  group "vault-leader" {
    count = 1

    volume "vault-storage" {
      type      = "host"
      read_only = false
      source    = "vault-storage"
    }

    constraint {
      attribute = "${node.unique.name}"
      operator  = "="
      value     = "warden"
    }

    network {
      port "http" {
        static = 8200
        to     = 8200
      }
      port "cluster" {
        static = 8201
        to     = 8201
      }
    }

    task "vault" {
      driver = "exec"

      volume_mount {
        volume      = "vault-storage"
        destination = "/opt/nomad/data/vault-storage"
        read_only   = false
      }

      resources {
        cpu    = 1000
        memory = 2048
      }

      env {
        VAULT_ADDR = "http://127.0.0.1:8200"
        VAULT_CLUSTER_ADDR = "http://127.0.0.1:8201"
      }

      # Vault 集群配置 - Leader 节点
      template {
        data = <<EOF
ui = true
disable_mlock = true

# 使用 Consul 作为存储后端
storage "consul" {
  address = "ch4.tailnet-68f9.ts.net:8500"
  path    = "vault/"
  
  # 集群配置
  datacenter = "dc1"
  service = "vault"
  service_tags = "vault-server"
  
  # 会话配置
  session_ttl = "15s"
  lock_wait_time = "15s"
  
  # 健康检查
  check_timeout = "5s"
}

# HTTP 监听器
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

# 集群监听器
listener "tcp" {
  address = "0.0.0.0:8201"
  purpose = "cluster"
}

# API 地址 - 使用 Tailscale 网络
api_addr = "http://warden.tailnet-68f9.ts.net:8200"

# 集群地址 - 使用 Tailscale 网络
cluster_addr = "http://warden.tailnet-68f9.ts.net:8201"

# 集群名称
cluster_name = "vault-cluster"

# 日志配置
log_level = "INFO"

# 高可用配置
ha_storage "consul" {
  address = "ch4.tailnet-68f9.ts.net:8500"
  path    = "vault-ha/"
  
  datacenter = "dc1"
  service = "vault"
  service_tags = "vault-server"
  
  session_ttl = "15s"
  lock_wait_time = "15s"
  check_timeout = "5s"
}
EOF
        destination = "local/vault.hcl"
        perms       = "644"
      }

      config {
        command = "vault"
        args = [
          "server",
          "-config=/local/vault.hcl"
        ]
      }

      restart {
        attempts = 3
        interval = "30m"
        delay    = "15s"
        mode     = "fail"
      }

      # 健康检查
      service {
        name = "vault"
        port = "http"
        
        check {
          type     = "http"
          path     = "/v1/sys/health"
          interval = "10s"
          timeout  = "5s"
        }
      }
    }

    update {
      max_parallel     = 1
      health_check     = "checks"
      min_healthy_time = "30s"
      healthy_deadline = "5m"
      progress_deadline = "10m"
      auto_revert      = true
      canary           = 0
    }
  }

  group "vault-follower-1" {
    count = 1

    volume "vault-storage" {
      type      = "host"
      read_only = false
      source    = "vault-storage"
    }

    constraint {
      attribute = "${node.unique.name}"
      operator  = "="
      value     = "ch4"
    }

    network {
      port "http" {
        static = 8200
        to     = 8200
      }
      port "cluster" {
        static = 8201
        to     = 8201
      }
    }

    task "vault" {
      driver = "exec"

      volume_mount {
        volume      = "vault-storage"
        destination = "/opt/nomad/data/vault-storage"
        read_only   = false
      }

      resources {
        cpu    = 1000
        memory = 2048
      }

      env {
        VAULT_ADDR = "http://127.0.0.1:8200"
        VAULT_CLUSTER_ADDR = "http://127.0.0.1:8201"
      }

      # Vault 集群配置 - Follower 节点
      template {
        data = <<EOF
ui = true
disable_mlock = true

# 使用 Consul 作为存储后端
storage "consul" {
  address = "ch4.tailnet-68f9.ts.net:8500"
  path    = "vault/"
  
  # 集群配置
  datacenter = "dc1"
  service = "vault"
  service_tags = "vault-server"
  
  # 会话配置
  session_ttl = "15s"
  lock_wait_time = "15s"
  
  # 健康检查
  check_timeout = "5s"
}

# HTTP 监听器
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

# 集群监听器
listener "tcp" {
  address = "0.0.0.0:8201"
  purpose = "cluster"
}

# API 地址 - 使用 Tailscale 网络
api_addr = "http://ch4.tailnet-68f9.ts.net:8200"

# 集群地址 - 使用 Tailscale 网络
cluster_addr = "http://ch4.tailnet-68f9.ts.net:8201"

# 集群名称
cluster_name = "vault-cluster"

# 日志配置
log_level = "INFO"

# 高可用配置
ha_storage "consul" {
  address = "ch4.tailnet-68f9.ts.net:8500"
  path    = "vault-ha/"
  
  datacenter = "dc1"
  service = "vault"
  service_tags = "vault-server"
  
  session_ttl = "15s"
  lock_wait_time = "15s"
  check_timeout = "5s"
}
EOF
        destination = "local/vault.hcl"
        perms       = "644"
      }

      config {
        command = "vault"
        args = [
          "server",
          "-config=/local/vault.hcl"
        ]
      }

      restart {
        attempts = 3
        interval = "30m"
        delay    = "15s"
        mode     = "fail"
      }

      # 健康检查
      service {
        name = "vault"
        port = "http"
        
        check {
          type     = "http"
          path     = "/v1/sys/health"
          interval = "10s"
          timeout  = "5s"
        }
      }
    }

    update {
      max_parallel     = 1
      health_check     = "checks"
      min_healthy_time = "30s"
      healthy_deadline = "5m"
      progress_deadline = "10m"
      auto_revert      = true
      canary           = 0
    }
  }

  group "vault-follower-2" {
    count = 1

    volume "vault-storage" {
      type      = "host"
      read_only = false
      source    = "vault-storage"
    }

    constraint {
      attribute = "${node.unique.name}"
      operator  = "="
      value     = "ash3c"
    }

    network {
      port "http" {
        static = 8200
        to     = 8200
      }
      port "cluster" {
        static = 8201
        to     = 8201
      }
    }

    task "vault" {
      driver = "exec"

      volume_mount {
        volume      = "vault-storage"
        destination = "/opt/nomad/data/vault-storage"
        read_only   = false
      }

      resources {
        cpu    = 1000
        memory = 2048
      }

      env {
        VAULT_ADDR = "http://127.0.0.1:8200"
        VAULT_CLUSTER_ADDR = "http://127.0.0.1:8201"
      }

      # Vault 集群配置 - Follower 节点
      template {
        data = <<EOF
ui = true
disable_mlock = true

# 使用 Consul 作为存储后端
storage "consul" {
  address = "ch4.tailnet-68f9.ts.net:8500"
  path    = "vault/"
  
  # 集群配置
  datacenter = "dc1"
  service = "vault"
  service_tags = "vault-server"
  
  # 会话配置
  session_ttl = "15s"
  lock_wait_time = "15s"
  
  # 健康检查
  check_timeout = "5s"
}

# HTTP 监听器
listener "tcp" {
  address     = "0.0.0.0:8200"
  tls_disable = 1
}

# 集群监听器
listener "tcp" {
  address = "0.0.0.0:8201"
  purpose = "cluster"
}

# API 地址 - 使用 Tailscale 网络
api_addr = "http://ash3c.tailnet-68f9.ts.net:8200"

# 集群地址 - 使用 Tailscale 网络
cluster_addr = "http://ash3c.tailnet-68f9.ts.net:8201"

# 集群名称
cluster_name = "vault-cluster"

# 日志配置
log_level = "INFO"

# 高可用配置
ha_storage "consul" {
  address = "ch4.tailnet-68f9.ts.net:8500"
  path    = "vault-ha/"
  
  datacenter = "dc1"
  service = "vault"
  service_tags = "vault-server"
  
  session_ttl = "15s"
  lock_wait_time = "15s"
  check_timeout = "5s"
}
EOF
        destination = "local/vault.hcl"
        perms       = "644"
      }

      config {
        command = "vault"
        args = [
          "server",
          "-config=/local/vault.hcl"
        ]
      }

      restart {
        attempts = 3
        interval = "30m"
        delay    = "15s"
        mode     = "fail"
      }

      # 健康检查
      service {
        name = "vault"
        port = "http"
        
        check {
          type     = "http"
          path     = "/v1/sys/health"
          interval = "10s"
          timeout  = "5s"
        }
      }
    }

    update {
      max_parallel     = 1
      health_check     = "checks"
      min_healthy_time = "30s"
      healthy_deadline = "5m"
      progress_deadline = "10m"
      auto_revert      = true
      canary           = 0
    }
  }
}