# @summary Web front-end profile: nginx plus one Let's Encrypt certificate
#   covering every site name listed in this class.
#
# Declares nginx, purges unmanaged entries from its modules-enabled
# directory, installs cronie and certbot with its nginx plugin, and requests
# a single certificate through the certbot nginx plugin, with a cron job
# managed by the letsencrypt module.
#
# @param certname
#   Title given to the letsencrypt::certonly resource declared below.
class profiles::gandalf_web (
  String $certname,
) {
  include ::nginx

  # purge + recurse deletes every entry in this directory that is not
  # declared in the catalog, so nothing unmanaged is left behind here.
  file { '/etc/nginx/modules-enabled':
    ensure  => directory,
    recurse => true,
    purge   => true,
  }

  # TODO: this fails at bootstrapping, since letsencrypt requires nginx to be
  # enabled, but nginx can't be enabled if any cert file is missing.
  # Letsencrypt::Certonly <| |> -> Nginx::Resource::Server <| |>

  # All of these names are requested on one certificate, so they share a
  # single private key and each name appears in that certificate's SAN list.
  # The order is kept as written; do not sort this list.
  $domains = [
    'bookmark.gandalf.adrift.space',
    'calendar.gandalf.adrift.space',
    'repo.gandalf.adrift.space',
    'gandalf.adrift.space',
    'hack.adrift.space',
    'adrift.space',
  ]

  # Production ACME directory. The staging endpoint is kept here for test
  # runs: 'https://acme-staging-v02.api.letsencrypt.org/directory'
  $acme_directory = 'https://acme-v02.api.letsencrypt.org/directory'

  # cronie is installed alongside certbot because manage_cron is enabled on
  # the certificate resource below.
  ensure_packages(
    ['cronie', 'certbot', 'certbot-nginx'],
    { ensure => installed }
  )

  # certbot comes from ensure_packages above, so the letsencrypt class is
  # told not to manage the installation itself.
  class { '::letsencrypt':
    manage_install => false,
    config         => {
      server => $acme_directory,
      email  => 'hugo@hornquist.se',
    },
  }

  # NOTE(review): the post hook does a full restart of nginx; confirm whether
  # a reload would be enough to pick up a renewed certificate without
  # dropping open connections.
  letsencrypt::certonly { $certname:
    ensure              => present,
    plugin              => 'nginx',
    domains             => $domains,
    additional_args     => ['--quiet'],
    manage_cron         => true,
    # pre_hook_commands => ['systemctl stop nginx.service'],
    post_hook_commands  => ['systemctl restart nginx.service'],
  }
}