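# Workstation: local xmonad rebuild and systemd user-unit reload hooks.
node 'gandalf.adrift.space' {
  profiles::remarkable { 'any name':
    addr => '3',
  }

  # Rebuilt my local xmonad config after an upgrade to xmonad.
  # It's required, I think due to something with dynamic linking.
  # It's actually pretty ugly that I'm hardcoded in here, but
  # something had to be done.
  #
  # pacman hooks run in the package manager's (root) context; `sudo -Hu hugo`
  # switches to the user account and its HOME so the recompile happens as
  # that user rather than as root.
  pacman::hook { 'xmonad':
    description => 'Rebuild local xmonad config.',
    when        => 'PostTransaction',
    exec        => '/bin/sudo -Hu hugo xmonad --recompile',
    trigger     => {
      type      => 'Package',
      operation => ['Upgrade', 'Install'],
      # Any package whose name starts with "xmonad".
      target    => 'xmonad*',
    },
  }

  # Pick up changed user units after an upgrade touches them.
  pacman::hook { 'systemd daemon-reload':
    description => 'Reload systemd user daemon',
    exec        => '/bin/sudo -Hu hugo systemctl --user daemon-reload',
    when        => 'PostTransaction',
    trigger     => {
      operation => 'Upgrade',
      type      => 'Path',
      target    => '/usr/lib/systemd/user/*',
    },
  }
}

# Public web host: cgit, the blog, the static site, per-user sites and the
# wiki, all behind nginx with one Let's Encrypt certificate ($certname).
node 'hornquist.se' {
  include ::profiles::firewall

  ensure_packages([
    'cowsay',
  ], { ensure => installed })

  $cgit_root = '/var/www/cgit'
  $blog_root = '/var/www/blog'

  class { '::cgit':
    root          => $cgit_root,
    root_title    => 'Hornquist Git Repositiories',
    root_desc     => 'ᛏᚨᚾᛞᛖᛋ᛫ᛖᚾᛞᚨᛋᛏ᛫ᛗᛟᛏ᛫ᛚᚨᛞᚨᚾᛋ᛫ᛈᛚᚨᚾ',
    about_filter  => 'hugo-pre.sh',
    # Access control for repositories is delegated to this cgit auth filter.
    auth_filter   => 'hugo-authentication.lua',
    source_filter => 'hugo-highlighting.sh',
    scan_path     => '/home/git/git',
    clone_url     => [
      'https://git.hornquist.se/$CGIT_REPO_URL',
      'git@hornquist.se:$CGIT_REPO_URL.git',
      '(HTTP_only_for_public_repos)',
    ],
  }

  blog { 'Hugos blog':
    root => "${blog_root}/hugo",
  }

  service { 'php7.4-fpm':
    ensure => running,
    enable => true,
  }

  service { 'fcgiwrap.socket':
    ensure => running,
    enable => true,
  }

  # Drop-in so php-fpm gets a RuntimeDirectory (/run/php), which is where the
  # php-fpm.sock referenced by the PHP location below lives.
  file { '/etc/systemd/system/php7.4-fpm.service.d':
    ensure => directory,
  }

  file { '/etc/systemd/system/php7.4-fpm.service.d/override.conf':
    ensure  => file,
    notify  => Service['php7.4-fpm'],
    content => @(EOF)
      [Service]
      RuntimeDirectory=php
      | EOF
  }

  # include apt
  class { '::nginx':
    manage_repo          => false,
    # Remove vhosts that are not declared in this manifest.
    server_purge         => true,
    # Validate the generated config before reloading nginx.
    service_config_check => true,
  }

  $certname = 'hornquist'
  class { 'letsencrypt':
    email             => 'hugo.hornquist@gmail.com',
    renew_cron_ensure => present,
  }

  # One certificate covering every named host below. *.hornquist.se (the
  # userdir sites) is NOT covered; see the note on the 'userdir' server.
  letsencrypt::certonly { $certname:
    domains => [
      'blog.hornquist.se',
      'blogg.hornquist.se',
      'www.hornquist.se',
      'hornquist.se',
      'git.hornquist.se',
      'wiki.hornquist.se',
    ],
    plugin  => 'nginx',
  }

  # Shared certificate paths so every server block points at the same files.
  $cert_fullchain = "/etc/letsencrypt/live/${certname}/fullchain.pem"
  $cert_privkey   = "/etc/letsencrypt/live/${certname}/privkey.pem"

  # Legacy hostname: permanent redirect to the canonical blog host.
  nginx::resource::server { 'blogg':
    server_name          => [ 'blogg.hornquist.se', ],
    access_log           => 'absent',
    error_log            => 'absent',
    ssl                  => true,
    ssl_cert             => $cert_fullchain,
    ssl_key              => $cert_privkey,
    use_default_location => false,
    server_cfg_append    => {
      'return' => '301 $scheme://blog.hornquist.se$request_uri',
    },
  }

  # NOTE(review): only 'cgit' below sets ssl_redirect; this and the other
  # servers still answer on plain HTTP as well as HTTPS -- confirm that is
  # intended.
  nginx::resource::server { 'blog':
    server_name          => [ 'blog.hornquist.se', ],
    access_log           => 'absent',
    error_log            => 'absent',
    index_files          => [ 'index.php', 'index.html', 'index.htm', ],
    ssl                  => true,
    ssl_cert             => $cert_fullchain,
    ssl_key              => $cert_privkey,
    use_default_location => false,
    www_root             => $blog_root,
  }

  # Catch-all: '_' plus default_server means any Host header that matches no
  # other server (including the unanchored junk the userdir regex rejects)
  # lands here.
  nginx::resource::server { 'hornquist':
    server_name          => [ 'hornquist.se', 'www.hornquist.se', '_', ],
    access_log           => 'absent',
    error_log            => 'absent',
    index_files          => [ 'index.php', 'index.html', 'index.htm', ],
    listen_options       => 'default_server',
    ssl                  => true,
    ssl_cert             => $cert_fullchain,
    ssl_key              => $cert_privkey,
    use_default_location => false,
    www_root             => '/var/www/html',
    # autoindex => 'on',
  }

  # Per-user sites: <user>.hornquist.se serves /home/<user>/.public.
  # The Host header is untrusted input: the named capture only admits
  # [a-z][-a-z0-9]*, so $uname can never contain '/' or '..' and cannot
  # escape /home, and the pattern is anchored with $ so only an exact
  # <user>.hornquist.se matches (anything longer falls to default_server).
  # (?P<name>...) is PCRE named-group syntax, which nginx accepts.
  nginx::resource::server { 'userdir':
    server_name          => [ '~^(?P<uname>[a-z][-a-z0-9]*)\.hornquist\.se$', ],
    access_log           => 'absent',
    error_log            => 'absent',
    index_files          => [ 'index.cgi', 'index.php', 'index.html', 'index.htm', ],
    # SSL sites for userdir lack a cert due to wildcard certificates being
    # "problematic". However, it's enabled here since a ::location with
    # ssl => true WILL generate locations, even when server is missing.
    ssl                  => true,
    ssl_cert             => $cert_fullchain,
    ssl_key              => $cert_privkey,
    use_default_location => false,
    www_root             => '/home/$uname/.public',
    # autoindex => 'on',
  }

  nginx::resource::server { 'wiki':
    server_name          => [ 'wiki.hornquist.se', ],
    access_log           => 'absent',
    error_log            => 'absent',
    index_files          => [ 'index.html', ],
    ssl                  => true,
    ssl_cert             => $cert_fullchain,
    ssl_key              => $cert_privkey,
    use_default_location => true,
    www_root             => '/var/www/wiki/html',
  }

  # HTTPS-only (ssl_redirect); static files from $cgit_root first, then the
  # cgit CGI via the @cgit named location.
  nginx::resource::server { 'cgit':
    server_name          => [ 'git.hornquist.se', ],
    access_log           => 'absent',
    error_log            => 'absent',
    index_files          => [],
    try_files            => [ '$uri', '@cgit' ],
    ssl                  => true,
    ssl_cert             => $cert_fullchain,
    ssl_key              => $cert_privkey,
    use_default_location => true,
    www_root             => $cgit_root,
    ssl_redirect         => true,
    # /usr/lib/cgit/cgit.cgi
    # /usr/share/cgit/cgit.css
  }

  nginx::resource::location { '@cgit':
    fastcgi_params => 'fastcgi_params',
    fastcgi_param  => {
      'SCRIPT_FILENAME' => '/usr/lib/cgit/cgit.cgi',
      'PATH_INFO'       => '$fastcgi_script_name',
      'QUERY_STRING'    => '$args',
    },
    ssl_only       => true,
    fastcgi        => 'unix:/run/fcgiwrap.socket',
    server         => [ 'cgit', ],
  }
  # TODO extra locations for dumb git clones?

  # Static fallback for the three file-serving hosts. autoindex is on, so
  # directories without an index file are listed to anyone who asks.
  nginx::resource::location { '/':
    try_files   => ['$uri', '$uri/', '=404'],
    index_files => [],
    ssl         => true,
    autoindex   => 'on',
    server      => [ 'blog', 'hornquist', 'userdir', ],
  }

  nginx::resource::location { '/nyar':
    location_custom_cfg => {
      return => '307 http://www.lysator.liu.se/~hugo/song/2018.html',
    },
    ssl                 => true,
    index_files         => [],
    server              => [ 'hornquist', ],
  }

  nginx::resource::location { '= /':
    # temporary redirect
    location_custom_cfg => { return => '307 /hugo' },
    ssl                 => true,
    index_files         => [],
    server              => [ 'blog', ],
  }

  # PHP for the blog, the main site and user directories (php-fpm socket is
  # created via the RuntimeDirectory drop-in above).
  nginx::resource::location { '~ \.php$':
    fastcgi_params => 'snippets/fastcgi-php.conf',
    fastcgi        => 'unix:/run/php/php-fpm.sock',
    ssl            => true,
    server         => [ 'blog', 'hornquist', 'userdir', ],
  }

  # CGI for user directories. ssl => true keeps this location in the HTTPS
  # server block too, matching '~ \.php$': without it, an https request for
  # a .cgi file would miss this location, fall through to '/' and be served
  # as a plain static file, disclosing the script source.
  nginx::resource::location { '~ \.cgi$':
    fastcgi_params => 'fastcgi_params',
    fastcgi_param  => {
      # 'SCRIPT_FILENAME' => '$document_root/*.cgi',
      'PATH_INFO'    => '$fastcgi_script_name',
      'QUERY_STRING' => '$args',
    },
    fastcgi        => 'unix:/run/fcgiwrap.socket',
    ssl            => true,
    server         => [ 'userdir', ],
  }

  # Never serve Apache-style dotfiles (.htaccess, .htpasswd, ...).
  nginx::resource::location { '~ /\.ht':
    location_cfg_append => { deny => 'all' },
    index_files         => [],
    ssl                 => true,
    server              => [ 'blog', 'hornquist', 'userdir', ],
  }
}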