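# @summary Sets up the Concourse CI/CD system
#
# Installs the Concourse packages, creates the PostgreSQL database,
# generates the session signing, TSA host and worker keys, writes the
# environment file read by concourse.service and manages the service.
#
# TODO file modes for the generated key files. They are left as
# `concourse generate-key` creates them, because the account the service
# runs as is not visible from this class.
#
# https://concourse-ci.org/
#
# @param database_name
#   Name of the PostgreSQL database to create.
# @param database_username
#   PostgreSQL role that owns the database.
# @param database_password
#   Password for the PostgreSQL role. Defaults to a random 25 character
#   password cached through extlib::cache_data.
# @param keydir
#   Directory used to build the default key file paths.
# @param session_signing_key
#   Path of the RSA session signing key.
# @param tsa_host_key
#   Path of the TSA host SSH key.
# @param worker_key
#   Path of the worker SSH private key.
# @param authorized_worker_keys
#   Path of the file listing the worker public keys the TSA accepts.
# @param local_user
#   Name of the local Concourse user that is added to the main team.
# @param local_user_password
#   Password of the local Concourse user.
#   FIXME: the default is an insecure placeholder kept only for backward
#   compatibility. Override it with a secret from Hiera.
class profiles::concourse (
  String $database_name = 'atc',
  String $database_username = 'concourse',
  String $database_password = extlib::cache_data('profiles', 'concourse_database_password', extlib::random_password(25)),
  String $keydir = '/usr/lib/concourse',
  String $session_signing_key = "${keydir}/session_signing_key",
  String $tsa_host_key = "${keydir}/tsa_host_key",
  String $worker_key = "${keydir}/worker_key",
  String $authorized_worker_keys = "${keydir}/authorized_worker_keys",
  String $local_user = 'hugo',
  String $local_user_password = 'password',
) {
  ensure_packages([
    'concourse',
    'concourse-resource-types',
    'concourse-fly-cli',
  ])

  include ::profiles::postgresql

  postgresql::server::db { $database_name:
    user     => $database_username,
    password => $database_password,
    grant    => 'all',
    comment  => 'Concourse CI',
  }

  $exec_path = ['/sbin', '/usr/sbin', '/bin', '/usr/bin']

  # Each key is generated once; `creates` keeps later runs from
  # overwriting an existing key.
  exec { 'Concourse generate signing key':
    command => ['concourse', 'generate-key', '-t', 'rsa', '-f', $session_signing_key],
    creates => $session_signing_key,
    path    => $exec_path,
  }

  exec { 'Concourse generate TSA host key':
    command => ['concourse', 'generate-key', '-t', 'ssh', '-f', $tsa_host_key],
    creates => $tsa_host_key,
    path    => $exec_path,
  }

  exec { 'Concourse generate worker key':
    command => ['concourse', 'generate-key', '-t', 'ssh', '-f', $worker_key],
    creates => $worker_key,
    path    => $exec_path,
  }

  # The authorized keys file must hold the worker's PUBLIC key. The
  # previous `content => $worker_key` wrote the private key's path string
  # into the file, so no worker key was ever authorized.
  # `generate-key -t ssh` writes the public half next to the private key
  # with a `.pub` suffix; verify against the installed Concourse version.
  file { $authorized_worker_keys:
    source  => "${worker_key}.pub",
    mode    => '0644',
    require => Exec['Concourse generate worker key'],
  }

  $env = {
    'CONCOURSE_ADD_LOCAL_USER'       => "${local_user}:${local_user_password}",
    'CONCOURSE_MAIN_TEAM_LOCAL_USER' => $local_user,
    'CONCOURSE_SESSION_SIGNING_KEY'  => $session_signing_key,
    'CONCOURSE_TSA_HOST_KEY'         => $tsa_host_key,
    'CONCOURSE_TSA_AUTHORIZED_KEYS'  => $authorized_worker_keys,
    'CONCOURSE_POSTGRES_USER'        => $database_username,
    'CONCOURSE_POSTGRES_PASSWORD'    => $database_password,
  }

  $env_declarations = $env.map |$k, $v| { "${k}=${v}" }.join("\n")
  $env_str = @("EOF")
    # Environment file for concourse.service
    # File managed by Puppet. Local changes WILL be overwritten.
    ${env_declarations}
    | EOF

  # This file carries the database password and the local user password,
  # so it is readable by root only and its diff is kept out of agent logs
  # and reports.
  # NOTE(review): assumes the unit loads it through EnvironmentFile=, which
  # systemd reads as root. Confirm against concourse.service.
  file { '/etc/conf.d/concourse':
    content   => $env_str,
    owner     => 'root',
    group     => 'root',
    mode      => '0600',
    show_diff => false,
    # Restart the service so changed credentials or key paths take effect.
    notify    => Service['concourse'],
  }

  systemd::unit_file { 'concourse.service':
    source => "puppet:///modules/${module_name}/concourse.service",
  } ~> service { 'concourse':
    ensure => running,
    enable => true,
  }

  # concourse quickstart --worker-work-dir=/usr/local/data/concourse
  #
  # cat worker-key >> authorized-worker-keys
}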