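# @summary Installs IntelMQ and the IntelMQ API behind Apache (mod_wsgi) with systemd units.
#
# The class creates the `intelmq` user and group, installs the OS packages,
# builds a Python venv under /opt/intelmq, runs the module's install script
# and `intelmqsetup`, drops a sudoers fragment for the API, enables the
# Apache modules and configuration, and manages the intelmq-api
# service and socket units.
#
# @param tls_cert
#   Not referenced in this manifest; presumably read by the vhost ERB
#   template as @tls_cert (confirm against the template).
# @param tls_chain
#   Not referenced in this manifest; presumably read by the vhost template.
# @param tls_key
#   Not referenced in this manifest; presumably read by the vhost template.
# @param servername
#   Defaults to the node's FQDN fact. Not referenced in this manifest;
#   presumably the vhost ServerName (confirm against the template).
# @param use_snakeoil
#   Not referenced in this manifest; presumably selects a self-signed
#   certificate in the vhost template (confirm against the template).
class soc::intelmq (
  Optional[String] $tls_cert     = undef,
  Optional[String] $tls_chain    = undef,
  Optional[String] $tls_key      = undef,
  String           $servername   = $facts['networking']['fqdn'],
  Boolean          $use_snakeoil = false,
) {
  include sunet::systemd_reload

  # Search path for exec resources whose command is not fully qualified
  # (sudo, a2enmod, a2enconf); Puppet rejects such commands without one.
  $exec_path = ['/usr/local/sbin', '/usr/local/bin', '/usr/sbin', '/usr/bin', '/sbin', '/bin']

  group { 'intelmq':
    ensure => present,
  }

  # Service account. Membership of www-data lets it share files with Apache
  # (see the session store below).
  user { 'intelmq':
    ensure     => present,
    gid        => 'intelmq',
    groups     => 'www-data',
    home       => '/opt/intelmq',
    managehome => true,
    shell      => '/bin/bash',
  }

  file { '/etc/intelmq':
    ensure => directory,
    owner  => 'intelmq',
    group  => 'intelmq',
  }

  # file { '/opt/sso/apache/groups.txt':
  #   ensure  => file,
  #   content => template('soc/sso/apache-groups.txt.erb')
  # }

  # NOTE(review): 'latest' upgrades these packages on any run where the
  # repository has a newer version; pin versions if upgrades must be
  # change-controlled.
  package { 'apache2':
    ensure => 'latest',
  }

  package { 'libapache2-mod-wsgi-py3':
    ensure => 'latest',
  }

  package { [
      'postgresql',
      'python3-venv',
      'python3-pip',
      'python3-gpg',
      'python3-psycopg2',
      'redict',
    ]:
      ensure => 'latest',
  }

  # The venv is created as the intelmq user, so it is owned by (and writable
  # to) that account.
  exec { 'Install IntelMQ venv':
    command => 'sudo -u intelmq /usr/bin/python3 -m venv --system-site-packages /opt/intelmq/venv',
    creates => '/opt/intelmq/venv',
    path    => $exec_path,
  }

  file { '/opt/intelmq/install-intelmq.sh':
    ensure  => file,
    content => file('soc/intelmq/install-intelmq.sh'),
    mode    => '0555',
  }

  exec { 'Install IntelMQ':
    command => 'sudo -u intelmq /opt/intelmq/install-intelmq.sh',
    creates => '/opt/intelmq/.installed',
    path    => $exec_path,
  }

  # NOTE(review): this runs as the Puppet agent's user (normally root) but
  # executes a binary from the venv created as intelmq above, and its guard
  # file sits in intelmq's home directory. Code writable by the service
  # account therefore runs with root privileges whenever the state file is
  # absent. Consider a root-owned venv or root-owned state file location.
  # NOTE(review): exit code 1 is accepted as success, which may mask a
  # failed setup; confirm that this is intended.
  exec { 'Run IntelMQ setup script':
    command => '/opt/intelmq/venv/bin/intelmqsetup --state-file /opt/intelmq/.setup_state',
    creates => '/opt/intelmq/.setup_state',
    returns => ['0', '1',],
  }

  # sudo ignores fragments that are not owned by root, and a syntax error in
  # a fragment can break sudo for every user, so ownership is explicit and
  # the content is checked with visudo before it replaces the live file.
  file { '/etc/sudoers.d/01_intelmq-api':
    ensure       => file,
    owner        => 'root',
    group        => 'root',
    content      => file('soc/intelmq/sudoers-01-intelmq-api'),
    mode         => '0440',
    validate_cmd => '/usr/sbin/visudo -cf %',
  }

  service { 'apache2':
    ensure  => 'running',
    enable  => true,
    require => Package['apache2'],
  }

  # NOTE(review): there is no creates/unless/refreshonly guard, so this exec
  # runs on every agent run and notifies (restarts) apache2 each time.
  exec { 'Enable Apache2 modules':
    command => 'a2enmod ssl wsgi proxy proxy_http headers rewrite',
    path    => $exec_path,
    require => Package['libapache2-mod-wsgi-py3'],
    notify  => Service['apache2'],
  }

  file { '/etc/apache2/conf-available/wsgi-venv.conf':
    ensure  => file,
    content => file('soc/intelmq/apache/wsgi-venv.conf'),
  }

  exec { 'Enable wsgi-venv conf':
    command => 'a2enconf wsgi-venv',
    creates => '/etc/apache2/conf-enabled/wsgi-venv.conf',
    path    => $exec_path,
    notify  => Service['apache2'],
  }

  # 'template' is not a file attribute; the rendered ERB has to be passed as
  # content. Rendering in this scope also exposes the class parameters to
  # the template.
  file { '/etc/apache2/sites-available/intelmq-vhost.conf':
    ensure  => file,
    content => template('soc/intelmq/intelmq-vhost.conf.erb'),
  }

  # file() loads the module file; a bare string would have written the
  # literal path into the target instead of the JSON document.
  file { '/etc/intelmq/api-config.json':
    ensure  => file,
    owner   => 'intelmq',
    group   => 'intelmq',
    mode    => '0444',
    content => file('soc/intelmq/api-config.json'),
  }

  # NOTE(review): a file resource needs a fully qualified path; this relative
  # title is rejected at catalog application. Set the title (or a path
  # attribute) to the session store location configured in api-config.json,
  # which is not visible here.
  file { 'api-session.sqlite':
    ensure  => 'present',
    replace => 'no',
    owner   => 'intelmq',
    group   => 'www-data',
    mode    => '0660',
  }

  file { '/etc/systemd/system/intelmq-api.service':
    ensure  => file,
    content => file('soc/intelmq/intelmq-api.service'),
    notify  => [Class['sunet::systemd_reload'], Service['intelmq-api.service'],],
  }

  file { '/etc/systemd/system/intelmq-api.socket':
    ensure  => file,
    content => file('soc/intelmq/intelmq-api.socket'),
    notify  => [Class['sunet::systemd_reload'], Service['intelmq-api.socket'],],
  }

  service { 'intelmq-api.service':
    ensure     => running,
    name       => 'intelmq-api.service',
    enable     => true,
    hasrestart => true,
  }

  service { 'intelmq-api.socket':
    ensure     => running,
    name       => 'intelmq-api.socket',
    enable     => true,
    hasrestart => true,
  }
}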