class soc::intelmq(
  Optional[String]    $tls_cert   = undef,
  Optional[String]    $tls_chain  = undef,
  Optional[String]    $tls_key    = undef,
  String              $servername = $facts['networking']['fqdn'],
  Boolean             $use_snakeoil = false,
) {
  include sunet::systemd_reload

  # Set some global variables
  $api_user = lookup('intelmq_api_user.username', undef, undef, 'test')
  $api_pass = lookup('intelmq_api_user.password', undef, undef, 'pass')
  $db_user = lookup('intelmq_db_user.username', undef, undef, 'test')
  $db_pass = lookup('intelmq_db_user.password', undef, undef, 'pass')

  group { 'intelmq':
    ensure => present,
  }

  user { 'intelmq':
    ensure     => present,
    gid        => 'intelmq',
    groups     => 'www-data',
    home       => '/opt/intelmq',
    managehome => true,
    shell      => '/bin/bash',
  }

  file {
    '/etc/intelmq':
      ensure => directory,
      owner  => 'intelmq',
      group  => 'intelmq',
      ;
    '/etc/intelmq/mailgen':
      ensure => directory,
      owner  => 'intelmq',
      group  => 'intelmq',
      ;
    '/etc/intelmq/mailgen/formats':
      ensure => directory,
      owner  => 'intelmq',
      group  => 'intelmq',
      ;
    '/etc/intelmq/mailgen/gnupghome':
      ensure => directory,
      owner  => 'intelmq',
      group  => 'intelmq',
      ;
    '/etc/intelmq/mailgen/templates':
      ensure => directory,
      owner  => 'intelmq',
      group  => 'intelmq',
      ;
  }

  file { '/etc/intelmq/api':
    ensure => directory,
    owner  => 'intelmq',
    group  => 'www-data',
    mode   => '0770',
  }

  file { '/etc/intelmq/fody':
    ensure => directory,
    owner  => 'intelmq',
    group  => 'www-data',
    mode   => '0770',
  }

  package { 'apache2':
    ensure => 'latest',
  }

  package { 'libapache2-mod-wsgi-py3':
    ensure => 'latest',
  }

  file { '/opt/intelmq/install':
    ensure => directory,
    owner  => 'intelmq',
    group  => 'intelmq',
    mode   => '0755',
  }

  file {
    '/opt/intelmq/www':
      ensure => directory,
      owner  => 'intelmq',
      group  => 'intelmq',
      mode   => '0755',
      ;
    '/opt/intelmq/www/intelmq-manager':
      ensure => directory,
      owner  => 'intelmq',
      group  => 'www-data',
      mode   => '0750',
      ;
    '/opt/intelmq/www/fody':
      ensure => directory,
      owner  => 'intelmq',
      group  => 'www-data',
      mode   => '0750',
      ;
  }

  file { '/opt/intelmq/install/setup-nodesource.sh':
    ensure  => file,
    content => file('soc/intelmq/setup-nodesource.sh'),
    mode    => '0540',
  }

  exec { 'Add nodesource repo':
    command => '/opt/intelmq/install/setup-nodesource.sh',
    creates => '/etc/apt/sources.list.d/nodesource.list',
  }

  package { ['postgresql', 'python3-venv', 'python3-pip', 'python3-gpg', 'python3-psycopg2', 'redict', 'nodejs', ]:
    ensure => 'latest',
  }

  package { ['cmdtest', ]:
    ensure => 'absent',
  }

  exec { 'Install yarn from npm':
    command => 'npm install --global yarn',
    creates => '/usr/bin/yarn',
  }

  exec { 'Install IntelMQ venv':
    command => 'sudo -u intelmq /usr/bin/python3 -m venv --system-site-packages /opt/intelmq/venv',
    creates => '/opt/intelmq/venv',
  }

  exec { 'Always active venv for IntelMQ':
    command => 'echo ". venv/bin/activate" >> /opt/intelmq/.profile',
    unless  => 'grep -q activate /opt/intelmq/.profile 2> /dev/null',
  }

  file { '/opt/intelmq/install/eventdb-notifications.sql':
    ensure  => file,
    content => file('soc/intelmq/eventdb-notifications.sql'),
  }

  file { '/opt/intelmq/install/install-intelmq.sh':
    ensure  => file,
    content => file('soc/intelmq/install-intelmq.sh'),
    mode    => '0555',
  }

  exec { 'Install IntelMQ':
    command => 'sudo -u intelmq /opt/intelmq/install/install-intelmq.sh',
    creates => '/opt/intelmq/.installed'
  }

  exec { 'Run IntelMQ setup script':
    command => '/opt/intelmq/venv/bin/intelmqsetup',
    creates => '/opt/intelmq/var/lib/state.json',
    returns => ['0', '1',],
  }

  file { '/usr/bin/intelmqctl':
    ensure  => file,
    mode    => '0555',
    content => file('soc/intelmq/usr-bin-intelmqctl'),
  }

  file { '/opt/intelmq/install/setup-pgsql.sh':
    ensure  => file,
    content => template('soc/intelmq/setup-pgsql.sh'),
    mode    => '0500',
  }

  exec { 'Setup IntelMQ eventdb':
    command => '/opt/intelmq/install/setup-pgsql.sh',
    creates => '/opt/intelmq/.pgsql-installed',
  }

  file { '/etc/sudoers.d/01_intelmq-api':
    ensure  => file,
    content => file('soc/intelmq/sudoers-01-intelmq-api'),
    mode    => '0440',
  }

  service { 'apache2':
    ensure  => 'running',
    enable  => true,
    require => Package['apache2'],
  }

  $apache_modules = ['ssl', 'proxy', 'proxy_http', 'headers', 'rewrite',]
  $apache_modules.each |String $module| {
    exec { 'Enable Apache2 modules':
      command => "a2enmod ${module}",
      notify  => Service['apache2'],
      unless  => "test -f /etc/apache2/mods-enabled/${module}.load",
    }
  }

  exec { 'Enable mod_wsgi':
    command => 'a2enmod wsgi',
    require => Package['libapache2-mod-wsgi-py3'],
    notify  => Service['apache2'],
  ¦ unless  => "test -f /etc/apache2/mods-enabled/${module}.load",
  }

  file { '/etc/apache2/conf-available/wsgi-venv.conf':
    ensure  => file,
    content => file('soc/intelmq/apache/wsgi-venv.conf'),
  }

  exec { 'Enable wsgi-venv conf':
    command => 'a2enconf wsgi-venv',
    creates => '/etc/apache2/conf-enabled/wsgi-venv.conf',
    notify  => Service['apache2'],
  }

  file { '/etc/apache2/sites-available/intelmq-vhost.conf':
    ensure  => file,
    content => template('soc/intelmq/intelmq-vhost.conf.erb'),
    notify  => Service['apache2'],
  }

  file { '/etc/intelmq/api-config.json':
    ensure  => file,
    owner   => 'intelmq',
    group   => 'intelmq',
    mode    => '0444',
    content => file('soc/intelmq/api-config.json'),
  }

  file { '/etc/intelmq/fody-session.conf':
    ensure  => file,
    owner   => 'intelmq',
    group   => 'intelmq',
    mode    => '0444',
    content => file('soc/intelmq/fody-session.conf'),
  }

  exec { 'Setup intelmq-api user':
    command => "sudo -u intelmq /opt/intelmq/venv/bin/intelmq-api-adduser --user ${api_user} --password ${api_pass}",
    creates => '/etc/intelmq/api/api-session.sqlite',
  }

  file { '/etc/intelmq/api/api-session.sqlite':
    ensure  => 'present',
    replace => 'no',
    owner   => 'intelmq',
    group   => 'www-data',
    mode    => '0660'
  }

  file { '/etc/intelmq/fody/fody-session.sqlite':
    ensure  => 'present',
    replace => 'no',
    owner   => 'intelmq',
    group   => 'www-data',
    mode    => '0660'
  }

  exec { 'Setup fody-api user':
    command => "sudo -u intelmq /opt/intelmq/venv/bin/fody-adduser --user ${api_user} --password ${api_pass}",
    unless  => "sqlite3 /etc/intelmq/fody/fody-session.sqlite \"SELECT username FROM user WHERE username ='${api_user}'\" | grep -q ${api_user}",
  }

  file {
    '/etc/intelmq/contactdb-serve.conf':
      ensure  => file,
      owner   => 'intelmq',
      group   => 'www-data',
      mode    => '0440',
      content => template('soc/intelmq/contactdb-serve.conf.erb'),
    ;
    '/etc/intelmq/eventdb-serve.conf':
      ensure  => file,
      owner   => 'intelmq',
      group   => 'www-data',
      mode    => '0440',
      content => template('soc/intelmq/eventdb-serve.conf.erb'),
    ;
    '/etc/intelmq/tickets-serve.conf':
      ensure  => file,
      owner   => 'intelmq',
      group   => 'www-data',
      mode    => '0440',
      content => template('soc/intelmq/tickets-serve.conf.erb'),
    ;
    '/etc/intelmq/intelmq-mailgen.conf':
      ensure  => file,
      owner   => 'intelmq',
      group   => 'www-data',
      mode    => '0440',
      content => template('soc/intelmq/intelmq-mailgen.conf.erb'),
    ;

  }

  file { '/etc/systemd/system/intelmq-api.service':
    ensure  => file,
    content => file('soc/intelmq/intelmq-api.service'),
    notify  => [Class['sunet::systemd_reload'], Service['intelmq-api.service'],],
  }

  file { '/etc/systemd/system/intelmq-api.socket':
    ensure  => file,
    content => file('soc/intelmq/intelmq-api.socket'),
    notify  => [Class['sunet::systemd_reload'], Service['intelmq-api.socket'],],
  }

  file { '/opt/intelmq/etc/runtime.yaml':
    ensure  => 'present',
    replace => 'no',
    owner   => 'intelmq',
    group   => 'www-data',
    mode    => '0660',
  }

  file { '/opt/intelmq/etc/runtime.yaml.bak':
    ensure  => 'present',
    replace => 'no',
    owner   => 'www-data',
    group   => 'www-data',
    mode    => '0660',
    content => '',
  }

  file { '/opt/intelmq/etc/manager':
    ensure => directory,
    owner  => 'www-data',
    group  => 'www-data',
    mode   => '0775',
  }

  service { 'intelmq-api.service':
    ensure     => running,
    name       => 'intelmq-api.service',
    enable     => true,
    hasrestart => true,
  }

  service { 'intelmq-api.socket':
    ensure     => running,
    name       => 'intelmq-api.socket',
    enable     => true,
    hasrestart => true,
  }

  exec { 'Disable default apache conf':
    command => 'a2dissite 000-default',
    onlyif  => 'test -f /etc/apache2/sites-enabled/000-default.conf',
    notify  => Service['apache2'],
  }

  exec { 'Enable intelmq apache conf':
    command => 'a2ensite intelmq-vhost',
    creates => '/etc/apache2/sites-enabled/intelmq-vhost.conf',
    notify  => Service['apache2'],
  }

  sunet::nftables::allow { 'allow_http':
    from => any,
    port => 80,
  }

  sunet::nftables::allow { 'allow_https':
    from => any,
    port => 443,
  }
}