# @summary A concourse web node.
# @param service
#   The name of the system service.
#   This service WILL be managed by us.
# @param service_unit
#   Exact unit name (in terms of systemd) of the service.
# @param conf_file
#   Where configuration environment variables will be stored.
#   Currently hard-coded in the service file.
# @param conf_dir
#   Where additional environment files will be stored. Used (at
#   least) by each auth resource.
# @param purge_conf_dir
#   Should the directory mentioned in `conf_dir` be purged. If this
#   is true then decomissioning sub-configurations are done by simply
#   removing that resource.
# @param ensure
# @param cluster
#   If this web node is part of a cluster of web nodes, name that
#   cluster. This will create an `nginx::resoruce::upstream::member`
#   resource for this node, which should be realized by
#   `concourse::proxy::nginx`
#
#   Also requires `peer_address` to be set
#
# @param peer_address
#   Peer address used when used in a cluster
#
#   Also requires `cluster` to be set.
#
# Remaining keys maps directly to concourse configurations.
class concourse::web (
  String $postgres_user                                   = lookup("concourse::${cluster}::postgres_user"),
  Variant[String, Sensitive[String]] $postgres_password   = lookup("concourse::${cluster}::postgres_password"),

  Variant[String, Sensitive[String]] $session_signing_key = lookup("concourse::${cluster}::session_signing_key"),
  Variant[String, Sensitive[String]] $tsa_private_key     = lookup("concourse::${cluster}::tsa_private_key"),
  Variant[String, Sensitive[String]] $tsa_public_key      = lookup("concourse::${cluster}::tsa_public_key"),
  Array[String] $worker_public_keys                       = [],

  String $key_dir                                         = '/usr/lib/concourse',
  String $session_signing_key_file                        = "${key_dir}/session_signing_key",
  String $tsa_host_key_file                               = "${key_dir}/tsa_host_key",
  String $tsa_authorized_keys_file                        = "${key_dir}/authorized_worker_keys",

  String $cluster                                         = 'default',
  Optional[String] $peer_address                          = undef,

  Optional[String] $postgres_host                         = undef,
  Optional[String] $postgres_port                         = undef,
  Optional[Stdlib::Unixpath] $postgres_socket             = undef,

  Optional[String] $postgres_database                     = undef,

  Optional[String] $external_url                          = undef,

  Optional[Integer] $api_max_conns                        = undef,
  Optional[Integer] $backend_max_conns                    = undef,

  String $service                                         = 'concourse',
  String $service_unit                                    = "${service}.service",
  Std::AbsolutePath $conf_file                            = '/etc/conf.d/concourse',
  Std::AbsolutePath $conf_dir                             = '/etc/conf.d/concourse.d',
  Boolean $purge_conf_dir                                 = true,
  Enum['absent', 'present'] $ensure                       = 'present',

  Array[String] $packages                                 = [
    'concourse',
    'councourse-resource-types',
  ],
) {
  include concourse

  ensure_packages($packages, {
    ensure => $ensure,
  })

  $env = {
    'CONCOURSE_SESSION_SIGNING_KEY' => $session_signing_key_file,
    'CONCOURSE_TSA_HOST_KEY'        => $tsa_host_key_file,
    'CONCOURSE_TSA_AUTHORIZED_KEYS' => $tsa_authorized_keys_file,
    'CONCOURSE_POSTGRES_USER'       => $postgres_user,
    'CONCOURSE_POSTGRES_PASSWORD'   => $postgres_password ? {
      String  => $postgres_password,
      default => $postgres_password.unwrap,
    },
    'CONCOURSE_CLUSTER'             => $cluster,
    'CONCOURSE_PEER_ADDRESS'        => $peer_address,
    'CONCOURSE_POSTGRES_HOST'       => $postgres_host,
    'CONCOURSE_POSTGRES_PORT'       => $postgres_port,
    'CONCOURSE_POSTGRES_SOCKET'     => $postgres_socket,
    'CONCOURSE_POSTGRES_DATABASE'   => $postgres_database,
    'CONCOURSE_EXTERNAL_URL'        => $external_url,
    'CONCOURSE_API_MAX_CONNS'       => $api_max_conns,
    'CONCOURSE_BACKEND_MAX_CONNS'   => $backend_max_conns,
  }

  file { $conf_file:
    ensure    => $ensure,
    mode      => '0600',
    show_diff => false,
    content   => epp("${module_name}/env.epp", $env),
  }

  file { $conf_dir:
    ensure  => if $ensure == 'present' { 'directory' } else { 'absent' },
    purge   => $purge_conf_dir,
    recurse => true,
    notify  => Service[$service],
  }

  file { $key_dir:
    ensure  => if $ensure == 'present' { 'directory' } else { 'absent' },
    mode    => '0700',
    recurse => true,
    forge   => true,
  }

  file {
    default:
      ensure => $ensure,
      mode   => '0600',
      ;
    $session_signing_key_file:
      content => $session_signing_key,
      ;
    $tsa_host_key_file:
      conent => $tsa_private_key,
      ;
    "${tsa_host_key_file}.pub":
      content => $tsa_public_key,
      ;
  }

  concat { "authorized_workers_key - ${cluster}":
    target         => $tsa_authorized_keys_file,
    warning        => '# File managed by puppet, local changes WILL be overwritten',
    ensure_newline => true,
  }

  $worker_public_keys.each |$key| {
    concat::fragment { sha1($key):
      content => $key,
      target  => "authorized_worker_keys - ${cluster}",
    }
  }

  Worker_key <<| cluster == $cluster |>>

  systemd::unit_file { $service_unit:
    ensure => $ensure,
    source => "puppet:///modules/${module_name}/concourse-web.service",
  } ~> service { $service:
    ensure => if $ensure == 'present' { 'running' } else { 'stopped' },
    enable => true,
  }

  if $peer_address {
    @@nginx::resource::upstream::member { $facts['trusted']['certname']:
      ensure   => $ensure,
      upstream => "concourse - ${cluster}",
      server   => $peer_address,
    }
  }
}