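# @summary Xandikos (CalDAV/CardDAV) behind an nginx TLS vhost with HTTP basic auth.
#
# Ensures the xandikos package, declares the service account, writes the
# systemd unit, and defines an nginx server whose `/` location proxies to
# Xandikos over a unix socket. Only `content` is set on the unit file here;
# enabling/starting the service is left to the systemd module defaults or to
# the caller.
#
# Authentication is enforced by nginx only: the proxied `/` location requires
# basic auth against $user_file. Any local process able to connect to $sock
# reaches Xandikos without credentials, so the socket's location and
# permissions are the real access boundary.
#
# @param sock
#   Path of the unix socket Xandikos listens on and nginx proxies to.
#   NOTE(review): the service runs as $user, so the socket's parent directory
#   must be writable by that account and should not be reachable by other
#   local users; confirm for the path the caller passes.
# @param server_name
#   nginx server name for the vhost.
# @param user_file
#   htpasswd file handed to nginx `auth_basic_user_file`. It is not managed in
#   this class; presumably created elsewhere. It should be readable by the
#   nginx worker and not world-readable.
# @param user
#   Account the service runs as (`User=` in the unit).
# @param group
#   Group the service runs as (`Group=` in the unit). Presumably chosen so the
#   nginx worker can open the socket; verify against the socket's mode.
class profiles::xandikos (
  String $sock,
  String $server_name = "xandikos.${::fqdn}",
  String $user_file   = '/etc/xandikos/htpasswd',
  String $user        = 'xandikos',
  String $group       = 'www-data',
) {
  ensure_packages(['xandikos'])

  # NOTE(review): no `ensure` is set, so whether Puppet creates a missing
  # account depends on the user type's behaviour; confirm the account exists
  # (for example, created by the package) before the service starts.
  user { $user:
    system => true,
  }

  # The listen address comes from $sock so that the service and the nginx
  # `proxy` target below always refer to the same socket.
  # NOTE(review): --current-user-principal is fixed to /jelmer and the route
  # prefix to /dav; confirm both match the redirect targets further down.
  systemd::unit_file { 'xandikos.service':
    content => @("EOF")
      [Unit]
      Description=Xandikos CalDAV/CardDAV server
      After=network.target

      [Service]
      ExecStart=/usr/bin/xandikos -d /var/lib/xandikos --route-prefix=/dav --current-user-principal=/jelmer -l ${sock}
      User=${user}
      Group=${group}
      Restart=on-failure
      KillSignal=SIGQUIT
      Type=simple
      NotifyAccess=all
      | EOF
  }

  # Certificate paths are derived from the letsencrypt_directory fact.
  # NOTE(review): if the fact has no entry for $certname (for example before a
  # certificate has been issued), $cert_dir is undef and the paths below will
  # not point at real files.
  $certname = lookup('certname')
  $cert_dir = $facts['letsencrypt_directory'][$certname]

  # TLS-only vhost: plain HTTP is redirected, so basic-auth credentials are
  # not meant to travel in clear text.
  nginx::resource::server { $server_name:
    ipv6_enable          => true,
    ipv6_listen_options  => '',
    ssl                  => true,
    ssl_redirect         => true,
    use_default_location => false,
    ssl_cert             => "${cert_dir}/fullchain.pem",
    ssl_key              => "${cert_dir}/privkey.pem",
  }

  nginx::resource::location {
    default:
      server   => $server_name,
      ssl      => true,
      ssl_only => true,
    ;
    # Service discovery redirects (RFC 6764). These carry no auth_basic; they
    # only answer with a 307.
    # NOTE(review): the targets use /users/... for CalDAV and /user/... for
    # CardDAV, and neither is under the /dav route prefix; confirm they
    # resolve to real collections.
    '/.well-known/caldav':
      location_cfg_append => { 'return' => '307 $scheme://$host/users/calendars' },
    ;
    # RFC 6764 spells the CardDAV well-known URI with a double "d".
    '/.well-known/carddav':
      location_cfg_append => { 'return' => '307 $scheme://$host/user/contacts' },
    ;
    # Everything else goes to Xandikos, gated by HTTP basic auth in nginx.
    'xandikos /':
      location             => '/',
      proxy                => "http://unix:${sock}",
      auth_basic           => 'Login Required',
      auth_basic_user_file => $user_file,
    ;
  }
}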