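# Configure a SUNET CDN CA server.
#
# Lays out /opt/step-ca (data, init secrets, helper scripts), fetches and
# installs the step CLI on the host, exposes the CA port through the docker
# firewall, runs step-ca via sunet::docker_compose and finally bootstraps the
# host itself as a client of the CA once the root certificate exists.
#
# @param step_ca_version
#   Version of step-cli to download and install on the host. It is used for
#   both the download URL and the .deb filename.
# @param step_cli_sha256
#   Optional SHA-256 (hex) of the step-cli .deb. When set, the downloaded
#   file is verified before the package is installed; a mismatching file is
#   discarded (so it is fetched again on the next run) and the run fails.
#   When unset the download is installed without verification, as before.
class cdn::ca(
  String                                  $step_ca_version = '0.27.4',
  Optional[Pattern[/\A[0-9a-f]{64}\z/]]   $step_cli_sha256 = undef,
)
{

  # Secrets (key_password, provisioner_password) come from hiera. The class
  # still converges without them; only the secret files are then skipped.
  $ca_secrets = lookup({ 'name' => 'cdn::ca-secrets', 'default_value' => undef })

  # Everything below is derived from $step_ca_version so that bumping the
  # parameter is enough to move to a new release.
  $deb_dir   = '/opt/step-ca/init/deb'
  $deb_file  = "step-cli_${step_ca_version}-1_amd64.deb"
  $deb_path  = "${deb_dir}/${deb_file}"
  $deb_url   = "https://dl.smallstep.com/gh-release/cli/gh-release-header/v${step_ca_version}/${deb_file}"
  # Explicit search path for the execs below; without it Puppet refuses
  # unqualified commands such as curl/test unless a site-wide Exec default
  # provides one.
  $exec_path = ['/usr/local/bin', '/usr/bin', '/bin']

  file { '/opt/step-ca':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }

  # The owner/group matches the 'step' user in the step-ca container
  file { '/opt/step-ca/data':
    ensure => directory,
    owner  => '1000',
    group  => '1000',
    mode   => '0750',
  }

  # Files used for initial install of step-ca
  file { '/opt/step-ca/init':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }

  file { '/opt/step-ca/init/secrets':
    ensure => directory,
    owner  => '1000',
    group  => '1000',
    mode   => '0750',
  }

  file { '/opt/step-ca/init/scripts':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }

  file { '/opt/step-ca/init/scripts/set-provisioner-pw':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0755',
    content => file('cdn/ca/set-provisioner-pw'),
  }

  file { '/opt/step-ca/init/scripts/bootstrap-client':
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0755',
    content => file('cdn/ca/bootstrap-client'),
  }

  file { $deb_dir:
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0755',
  }

  # -f makes curl fail on HTTP errors instead of saving the error page as
  # the .deb; with a bad file on disk 'creates' would otherwise block every
  # later retry.
  exec { "download ${deb_file}":
    command => "curl -fLO ${deb_url}",
    cwd     => $deb_dir,
    path    => $exec_path,
    creates => $deb_path,
  }

  if $step_cli_sha256 {
    # Runs only when the checksum does not match: remove the file so the
    # next run downloads it again, and fail so the package is not installed
    # from an unverified artefact.
    exec { "verify ${deb_file}":
      command  => "rm -f ${deb_path} && false",
      unless   => "echo '${step_cli_sha256}  ${deb_path}' | sha256sum --check --status -",
      path     => $exec_path,
      provider => 'shell',
      require  => Exec["download ${deb_file}"],
      before   => Package['step-cli'],
    }
  }

  # NOTE(review): installing from a local .deb relies on the platform's
  # default package provider honouring 'source'; set provider => 'dpkg'
  # if it does not.
  package { 'step-cli':
    ensure  => present,
    source  => $deb_path,
    require => Exec["download ${deb_file}"],
  }

  if $ca_secrets {
    # show_diff => false keeps the secret out of agent logs and reports
    # when the content changes.
    if $ca_secrets['key_password'] {
      file { '/opt/step-ca/init/secrets/key-password':
        ensure    => file,
        owner     => '1000',
        group     => '1000',
        mode      => '0640',
        show_diff => false,
        content   => template('cdn/ca/key-password.erb'),
      }
    }

    if $ca_secrets['provisioner_password'] {
      file { '/opt/step-ca/init/secrets/provisioner-password':
        ensure    => file,
        owner     => '1000',
        group     => '1000',
        mode      => '0640',
        show_diff => false,
        content   => template('cdn/ca/provisioner-password.erb'),
      }
    }
  }

  # Port 9000 is opened to any client on the primary interface; presumably
  # the CA has to be reachable by every node that enrols against it.
  sunet::nftables::docker_expose { 'expose step-ca' :
    allow_clients => 'any',
    port          => 9000,
    iif           => $facts['networking']['primary'],
  }

  sunet::docker_compose { 'sunet-cdn-ca':
    content          => template('cdn/ca/docker-compose.yml.erb'),
    service_name     => 'cdn-ca',
    compose_dir      => '/opt/sunet-cdn/compose',
    compose_filename => 'docker-compose.yml',
    description      => 'SUNET CDN CA',
  }

  # Bootstraps this host as a client of the CA. It only makes sense once
  # the container has produced its root certificate (onlyif) and runs once
  # (creates). The script is expected to need the step CLI and the running
  # CA, hence the ordering — confirm against the script itself.
  exec { '/opt/step-ca/init/scripts/bootstrap-client':
    path    => $exec_path,
    creates => '/root/.step/config/defaults.json',
    onlyif  => 'test -f /opt/step-ca/data/certs/root_ca.crt',
    require => [Package['step-cli'], Sunet::Docker_compose['sunet-cdn-ca']],
  }
}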