# @summary Manages nginx resources for cgit
# @api private
class cgit::nginx {
  if ($cgit::certname == undef) {
    nginx::resource::server { 'cgit':
      server_name          => [$cgit::server_name],
      access_log           => 'absent',
      error_log            => 'absent',
      index_files          => [],
      try_files            => ['$uri', '@cgit'],
      ssl                  => false,
      use_default_location => true,
      www_root             => $cgit::root,
    }
  } else {
    nginx::resource::server { 'cgit':
      server_name          => [$cgit::server_name],
      access_log           => 'absent',
      error_log            => 'absent',
      index_files          => [],
      try_files            => ['$uri', '@cgit'],
      ssl                  => true,
      ssl_cert             => "/etc/letsencrypt/live/${cgit::certname}/fullchain.pem",
      ssl_key              => "/etc/letsencrypt/live/${cgit::certname}/privkey.pem",
      use_default_location => true,
      www_root             => $cgit::root,
      ssl_redirect         => true,
    }
  }

  nginx::resource::location { '@cgit':
    fastcgi_params => 'fastcgi_params',
    fastcgi_param  => {
      'SCRIPT_FILENAME' => '/usr/lib/cgit/cgit.cgi',
      'PATH_INFO'       => '$fastcgi_script_name',
      'QUERY_STRING'    => '$args',
    },
    ssl_only       => $cgit::certname != undef,
    fastcgi        => 'unix:/run/fcgiwrap.socket',
    server         => [
      'cgit',
    ],
  }

  file { $cgit::htpasswd:
    ensure  => file,
    content => $cgit::users.map |$user| {
      [$user['name'], $user['pass']].join(':')
    }.join("\n"),
  }

  # TODO each repo name should be regex-escaped
  $re = $cgit::public_repos.join('|')

  nginx::resource::location { "~ ^(/(${re})\\.git/.*)" :
    server         => 'cgit',
    ssl_only       => $cgit::certname != undef,
    priority       => 450,
    fastcgi        => 'unix:/run/fcgiwrap.socket',
    fastcgi_params => 'fastcgi_params',
    fastcgi_param  => {
      'SCRIPT_FILENAME'     => '/usr/lib/git-core/git-http-backend',
      'GIT_PROJECT_ROOT'    => $cgit::scan_path,
      'GIT_HTTP_EXPORT_ALL' => '""',
      'PATH_INFO'           => '$1',
    },
  }

  nginx::resource::location { '~ (.*\.git/.*)':
    server              => 'cgit',
    ssl_only            => $cgit::certname != undef,
    location_cfg_append => {
      auth_basic           => '"CGit login"',
      auth_basic_user_file => $cgit::htpasswd,
    },
    fastcgi             => 'unix:/run/fcgiwrap.socket',
    fastcgi_params      => 'fastcgi_params',
    fastcgi_param       => {
      'SCRIPT_FILENAME'     => '/usr/lib/git-core/git-http-backend',
      'GIT_PROJECT_ROOT'    => $cgit::scan_path,
      'GIT_HTTP_EXPORT_ALL' => '""',
      'PATH_INFO'           => '$1',
    },
  }
}