# This puppet manifest is used to configure Sweden Connect proxy servers

# @param version              Version of the docker image to use. (referenced in compose file)
# @param service_name         Name of the service, for example qa.proxy.eidas.swedenconnect.se
# @param server_fqdn          The FQDN of the server. (referenced in compose file)
# @param proxy_directory      The directory where all proxy related config and files are stored. (referenced in compose file)
# @param spring_config_param  Name of the environment variable that points at the additional Spring config location (presumably referenced in the compose template)
# @param country              Country code used when creating directories and referenced in compose file
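class eid::proxy (
  String                     $version = '',
  String                     $service_name = '',
  String                     $server_fqdn = $facts['networking']['fqdn'],
  String                     $proxy_directory = '/opt/eidas-proxy',
  String                     $spring_config_param = 'SPRING_CONFIG_ADDITIONAL_LOCATION',
  String                     $country = 'se',
) {

  # Secrets come from hiera. safe_hiera() returns the sentinel string
  # 'NOT_SET_IN_HIERA' when a key is absent (or the supplied default, as for the
  # optional OIDC RP keystore), which is why the guard below compares against
  # that sentinel instead of testing truthiness.
  $pkcs11_pin = safe_hiera('pkcs11_pin')
  $eidas_proxy_oidc_rp_jks = safe_hiera('eidas_proxy_oidc_rp_jks','')
  $proxy_service_cookie_encrypt_pw = safe_hiera('proxy_service_cookie_encrypt_pw')

  # Only manage the service once the configuration is complete. Note that in the
  # Puppet 4+ language an empty string is truthy, so a bare `if $version` would
  # pass with the '' defaults above and roll out a compose file with an empty
  # image tag / service name; compare against '' explicitly.
  if ($version != '' and
      $service_name != '' and
      $pkcs11_pin != 'NOT_SET_IN_HIERA' and
      $eidas_proxy_oidc_rp_jks != 'NOT_SET_IN_HIERA' and
      $proxy_service_cookie_encrypt_pw != 'NOT_SET_IN_HIERA') {

    # Public HTTP and HTTPS. Port 80 is presumably only needed for redirects
    # and/or ACME challenges -- confirm; if the proxy does not serve plain HTTP,
    # this rule should be dropped.
    sunet::nftables::allow { 'allow-http-from-any':
      from => any,
      port => 80,
    }
    sunet::nftables::allow { 'allow-https-from-any':
      from => any,
      port => 443,
    }

    # Directory tree holding the per-country proxy configuration and key material.
    # Directories are world-readable; the secret files placed inside them are
    # expected to carry their own restrictive mode (set by sunet::snippets::secret_file).
    file { "${proxy_directory}/":
      ensure => directory,
      mode   => '0755',
      owner  => 'root',
      group  => 'root',
    }
    file { "${proxy_directory}/${country}":
      ensure => directory,
      mode   => '0755',
      owner  => 'root',
      group  => 'root',
    }
    file { "${proxy_directory}/${country}/keystore":
      ensure => directory,
      mode   => '0755',
      owner  => 'root',
      group  => 'root',
    }

    # SAML metadata signing key and proxy key, base64-encoded PKCS#12 blobs in hiera.
    sunet::snippets::secret_file {"${proxy_directory}/${country}/metadata.p12":
      hiera_key => 'eidas_metadata_key',
      base64    => true
    }
    sunet::snippets::secret_file {"${proxy_directory}/${country}/proxy.p12":
      hiera_key => 'eidas_proxy_key',
      base64    => true
    }

    # Config/cert directories for the Luna HSM client (the PKCS#11 PIN above is
    # presumably consumed by it via the compose template -- confirm).
    file { ['/etc/luna','/etc/luna/cert']:
      ensure => directory,
      mode   => '0755',
      owner  => 'root',
      group  => 'root',
    }

    # The OIDC RP keystore is optional: it defaults to '' when not in hiera, and
    # is only written out when something was actually provided.
    if $eidas_proxy_oidc_rp_jks != '' {
      sunet::snippets::secret_file {"${proxy_directory}/${country}/keystore/oidc-rp.jks":
          hiera_key => 'eidas_proxy_oidc_rp_jks',
          base64    => true
      }
    }

    # Render and manage the compose service; the template reads $version,
    # $server_fqdn, $proxy_directory, $country and $spring_config_param.
    sunet::docker_compose { 'eidas-proxy':
      content          => template('eid/proxy/docker-compose.yml.erb'),
      service_name     => 'eidas-proxy',
      compose_dir      => '/opt/',
      compose_filename => 'docker-compose.yml',
      description      => 'eidas proxy'
    }

    # Alert when the metadata cache stops being refreshed. The path now follows
    # $country rather than a hard-coded 'se' so a non-default country is monitored
    # at the directory this class actually creates.
    sunet::nagios::nrpe_check_fileage {'proxy_eidas_metadata_cache':
      filename     => "${proxy_directory}/${country}/ps-mdcache/metadata-cache.xml",
      warning_age  => '600',
      critical_age => '172800'
    }
  }
}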