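# This puppet manifest is used to configure Sweden Connect proxy servers.
#
# Nothing is declared unless the image version, the service name and every
# required secret are available, so a server is never left with a
# half-configured proxy or a compose file carrying placeholder secrets.
#
# @param environment The environment that the server belongs to. (referenced in compose file)
# @param version Version of the docker image to use. (referenced in compose file)
# @param service_name Name of the service, for example qa.proxy.eidas.swedenconnect.se
# @param server_fqdn The FQDN of the server. (referenced in compose file)
# @param proxy_directory The directory where all proxy related config and files are stored. (referenced in compose file)
# @param spring_config_param Used as parameter name in compose file
# @param country Used while creating directories and referenced in compose file
# @param use_hsm Configure if HSM is used or not
class eid::proxy (
  Enum['test', 'qa', 'prod'] $environment,
  String                     $version             = '',
  String                     $service_name        = '',
  String                     $server_fqdn         = $facts['networking']['fqdn'],
  String                     $proxy_directory     = '/opt/eidas-proxy',
  String                     $spring_config_param = 'SPRING_CONFIG_ADDITIONAL_LOCATION',
  String                     $country             = 'se',
  Boolean                    $use_hsm             = true,
) {
  # The PIN is consumed by the compose template, not by this manifest. Like the
  # other secrets below, a key missing from hiera must block deployment instead
  # of passing the 'NOT_SET_IN_HIERA' placeholder on to the container.
  if $use_hsm {
    $pkcs11_pin    = safe_hiera('pkcs11_pin')
    $hsm_secret_ok = ($pkcs11_pin != 'NOT_SET_IN_HIERA')
  } else {
    $hsm_secret_ok = true
  }

  $eidas_proxy_oidc_rp_jks         = safe_hiera('eidas_proxy_oidc_rp_jks', '')
  $proxy_service_cookie_encrypt_pw = safe_hiera('proxy_service_cookie_encrypt_pw')

  # Puppet 4+ treats the empty string as true, so the '' defaults have to be
  # compared explicitly; a bare `$version and $service_name` always passes.
  $ready = (
    $version != '' and
    $service_name != '' and
    $eidas_proxy_oidc_rp_jks != 'NOT_SET_IN_HIERA' and
    $proxy_service_cookie_encrypt_pw != 'NOT_SET_IN_HIERA' and
    $hsm_secret_ok
  )

  if $ready {
    # Only the load balancers of this environment may reach the proxy over HTTP/HTTPS.
    $lb_ips = hiera_array("lb_${environment}_servers", [])

    sunet::nftables::allow { 'allow-http-from-lbs':
      from => $lb_ips,
      port => 80,
    }

    sunet::nftables::allow { 'allow-https-from-lbs':
      from => $lb_ips,
      port => 443,
    }

    # NOTE(review): the rendered compose file references the secrets looked up
    # above and is written with mode 0755; confirm against sunet::docker_compose
    # whether a tighter mode (e.g. 0600) is acceptable for whatever runs it.
    sunet::docker_compose { 'eidas-proxy':
      content          => template('eid/proxy/docker-compose.yml.erb'),
      service_name     => 'eidas-proxy',
      compose_dir      => '/opt/',
      compose_filename => 'docker-compose.yml',
      description      => 'eidas proxy',
      mode             => '0755',
    }

    # Per-country config tree; the keystore sub-directory holds the optional OIDC RP JKS.
    file { ["${proxy_directory}/${country}", "${proxy_directory}/${country}/keystore"]:
      ensure => directory,
      mode   => '0755',
      owner  => 'root',
      group  => 'root',
    }

    # Key material is stored base64-encoded in hiera and written out as binary key stores.
    sunet::snippets::secret_file { "${proxy_directory}/${country}/metadata.p12":
      hiera_key => 'eidas_metadata_key',
      base64    => true,
    }

    sunet::snippets::secret_file { "${proxy_directory}/${country}/proxy.p12":
      hiera_key => 'eidas_proxy_key',
      base64    => true,
    }

    # The OIDC RP key store is optional; an empty hiera value means "none".
    if $eidas_proxy_oidc_rp_jks != '' {
      sunet::snippets::secret_file { "${proxy_directory}/${country}/keystore/oidc-rp.jks":
        hiera_key => 'eidas_proxy_oidc_rp_jks',
        base64    => true,
      }
    }

    # Directories expected by the Luna HSM client.
    if $use_hsm {
      file { ['/etc/luna', '/etc/luna/cert']:
        ensure => directory,
        mode   => '0755',
        owner  => 'root',
        group  => 'root',
      }
    }

    # Alert when the metadata cache goes stale. The path follows $country like
    # the directories above (it was previously hard-coded to 'se').
    sunet::nagios::nrpe_check_fileage { 'proxy_eidas_metadata_cache_age':
      filename     => "${proxy_directory}/${country}/ps-mdcache/metadata-cache.xml",
      warning_age  => '600',
      critical_age => '172800',
    }
  }
}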