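# Manages a CISO Assistant (enterprise edition) host: nftables openings, the
# always-https ACME helper container, the docker daemon config, the compose
# file, the maintenance scripts with their scriptherder cronjobs, and the
# systemd unit that runs the stack.
#
# Fixes vs. the previous revision:
#   * `service_name => 'acme_http'` lacked a trailing comma, which is a Puppet
#     syntax error (the class would not compile).
#   * Pure config files (daemon.json, docker-compose.yml, Caddyfile) no longer
#     carry an execute bit; scripts are no longer world-readable/executable.
class net::cisoassistant {

  # Inbound allow rules, applied below via sunet::nftables::allow.
  # NOTE(review): every rule accepts from `any`. 8443 is the user-facing UI,
  # but 9443 is the API port and presumably should be limited to known callers
  # or a management network -- confirm with the service owner.
  $nftables_rules = {
    'allow_access_to_cisoassistant'     => {
      from  => 'any',
      port  => 8443,
      to    => 'any',
      proto => 'tcp',
    },
    'allow_access_to_cisoassistant_api' => {
      from  => 'any',
      port  => 9443,
      to    => 'any',
      proto => 'tcp',
    },
    # NOTE(review): this rule is byte-identical to the API rule above (tcp/9443
    # from any), so it opens nothing extra. Given the acme_http helper below it
    # was presumably meant to open tcp/80 for the ACME HTTP-01 challenge --
    # confirm the intended port before changing it.
    'allow_access_to_always_https_acme_c' => {
      from  => 'any',
      port  => 9443,
      to    => 'any',
      proto => 'tcp',
    },
  }

  $nftables_rules.each |String $rule_name, Hash $rule_params| {
    sunet::nftables::allow { $rule_name:
      * => $rule_params,
    }
  }

  # Helper container that answers ACME HTTP challenges for the ACME-C CA.
  sunet::docker_compose { 'always-https':
    image        => 'docker.sunet.se/always-https',
    service_name => 'acme_http',
    env          => ['ACME_URL=http://acme-c.sunet.se/'],
  }

  # Docker daemon configuration. Read by dockerd (root); plain data, so no
  # execute bit.
  file { '/etc/docker/daemon.json':
    mode    => '0644',
    owner   => 'root',
    group   => 'root',
    content => file('net/cisoassistant/daemon.json'),
  }

  # Compose definition for the enterprise stack. Plain data, no execute bit.
  # NOTE(review): if this file carries credentials (DB passwords, API keys,
  # license tokens) it should be 0640 rather than world-readable -- verify
  # the shipped template and who needs to read it.
  file { '/opt/cisoas/ciso-assistant-community/enterprise/docker-compose.yml':
    mode    => '0644',
    owner   => 'root',
    group   => 'root',
    content => file('net/cisoassistant/docker-compose.yml'),
  }

  # Image upgrade script, run weekly by the cronjob below as root; no reason
  # for other users to read or execute it.
  file { '/opt/cisoas/ciso-assistant-community/enterprise/update-cisoas-enterprise.sh':
    mode    => '0750',
    owner   => 'root',
    group   => 'root',
    content => file('net/cisoassistant/update-cisoas-enterprise.sh'),
  }

  # NOTE(review): this pulls new images unattended every week. The script body
  # is not visible here; confirm it pins tags/digests or verifies signatures
  # rather than tracking a floating tag, or a compromised registry tag is
  # deployed automatically.
  sunet::scriptherder::cronjob { 'Upgrade cisoassistant images':
    cmd         => '/opt/cisoas/ciso-assistant-community/enterprise/update-cisoas-enterprise.sh',
    weekday     => 'Saturday',
    ok_criteria => ['exit_status=0', 'max_age=10d'],
  }

  # Certificate rotation script, run nightly by the cronjob below as root.
  file { '/opt/cisoas/ciso-assistant-community/enterprise/rotate-certs.sh':
    mode    => '0750',
    owner   => 'root',
    group   => 'root',
    content => file('net/cisoassistant/rotate-certs.sh'),
  }

  sunet::scriptherder::cronjob { 'Rotate le certificates':
    cmd         => '/opt/cisoas/ciso-assistant-community/enterprise/rotate-certs.sh',
    hour        => '1',
    ok_criteria => ['exit_status=0', 'max_age=48h'],
  }

  # Reverse-proxy configuration. Plain data, no execute bit. Kept
  # world-readable because it is presumably bind-mounted into the Caddy
  # container, whose uid is not known here -- tighten to 0640 if that
  # container runs as root.
  file { '/opt/cisoas/ciso-assistant-community/enterprise/Caddyfile':
    mode    => '0644',
    owner   => 'root',
    group   => 'root',
    content => file('net/cisoassistant/Caddyfile'),
  }

  # systemd unit that starts the compose stack; reload systemd when it changes.
  file { '/etc/systemd/system/sunet-cisoas.service':
    mode    => '0644',
    owner   => 'root',
    group   => 'root',
    content => file('net/cisoassistant/sunet-cisoas.service'),
    notify  => [Class['sunet::systemd_reload']],
  }

  service { 'sunet-cisoas':
    ensure   => 'running',
    enable   => true,
    require  => File['/etc/systemd/system/sunet-cisoas.service'],
    provider => 'systemd',
  }
}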