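# @summary Generates and manages the eyaml keys
#
# Installs hiera-eyaml, manages the key directory (mode 0700) and runs
# `eyaml createkeys` once to generate a PKCS#7 key pair inside it.
#
# @param keypath
#   Directory in which the public and private key will be stored.
#   This directory will be managed by this module, and (in the future)
#   be exported through NFS.
# @param public_key
#   Local filename of the public key (no directory components).
# @param private_key
#   Local filename of the private key (no directory components).
# @param user
#   User which should own the keys.
# @param group
#   Group which should own the keys. Currently worthless, since the
#   keys mode is set to 0600 (or equivalent).
class profiles::eyaml_master (
  Stdlib::Absolutepath $keypath = '/etc/puppetlabs/puppet/eyaml',
  String $public_key = 'public_key.pkcs7.pem',
  String $private_key = 'private_key.pkcs7.pem',
  String $user = 'puppet',
  String $group = 'puppet',
) {
  # Distro version should work fine
  ensure_packages(['hiera-eyaml'])

  # Owner-only directory: this is the outer layer of protection for the
  # private key, independent of the mode of the key files themselves.
  file { $keypath:
    ensure => directory,
    mode   => '0700',
    owner  => $user,
    group  => $group,
  }

  # NOTE If eyaml was installed through `puppetserver gem install %`
  # then it ends up in `/opt/puppetlabs/puppet/bin`, which is not on the
  # `path` given below.
  exec { 'Create eyaml keys':
    # Array form: the arguments are passed as-is, without shell parsing.
    command => [
      'eyaml',
      'createkeys',
      '--pkcs7-public-key',
      "${keypath}/${public_key}",
      '--pkcs7-private-key',
      "${keypath}/${private_key}",
    ],
    # Runs only while the private key is missing. Existing keys are never
    # regenerated, so keys created before the umask fix below keep the
    # mode they were created with and should be checked once by hand.
    creates => "${keypath}/${private_key}",
    path    => ['/bin', '/usr/bin'],
    # A umask lists the permission bits to REMOVE. '0077' strips all
    # group/other access, giving owner-only files (0600 or equivalent).
    # The previous value '0600' did the opposite: it removed the owner's
    # read/write bits and left the group/other bits in place.
    umask   => '0077',
    user    => $user,
    group   => $group,
  }

  # NOTE(review): the draft export below uses the `*` wildcard, i.e. any
  # host that can reach the NFS server could mount the directory holding
  # the private key. Before enabling it, restrict the export to the
  # hosts that actually need the keys.
  # include profiles::nfs_server
  # concat::fragment { 'Export eyaml keys':
  #   target  => $profiles::nfs_server::exports_file,
  #   content => "${keypath} *(ro,root_squash,no_subtree_check)",
  # }
}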