# Web front end for the gandalf host: a mainline nginx serving the
# adrift.space static site on a catch-all vhost plus a package-repository
# vhost, both using one Let's Encrypt certificate that covers every name
# listed in $san_names.
#
# @param certname
#   Name of the certbot certificate lineage. It is interpolated unescaped
#   into "/etc/letsencrypt/live/${certname}/...", so it is assumed to be a
#   plain directory name without path separators -- TODO confirm at the
#   call site (hiera / the declaring profile).
class profiles::gandalf_web (
  String $certname,
) {
  # Distribution mainline package, no vendor repo. The module owns the
  # server definitions: anything not declared in this catalog is purged.
  class { '::nginx':
    manage_repo                  => false,
    package_name                 => 'nginx-mainline',
    service_config_check         => true,
    server_purge                 => true,
    include_modules_enabled      => true,
    mime_types_preserve_defaults => true,
    http_cfg_append              => { 'charset' => 'utf-8' },
    mime_types                   => { 'text/plain' => 'wiki txt' },
  }

  # Keep modules-enabled free of stray (unmanaged) entries.
  file { '/etc/nginx/modules-enabled':
    ensure  => directory,
    purge   => true,
    recurse => true,
  }

  # Every hostname that ends up as a SAN on the certificate.
  $san_names = [
    'bookmark.gandalf.adrift.space',
    'calendar.gandalf.adrift.space',
    'repo.gandalf.adrift.space',
    'gandalf.adrift.space',
    'hack.adrift.space',
    'adrift.space',
  ]

  # cronie backs the renewal cron entry requested below (manage_cron);
  # certbot itself is installed here because the letsencrypt class is
  # told not to manage its installation.
  ensure_packages(['cronie', 'certbot', 'certbot-nginx'], { ensure => installed })

  class { '::letsencrypt':
    manage_install => false,
    config         => {
      email  => 'hugo@hornquist.se',
      # When experimenting, point this at the staging directory instead
      # (https://acme-staging-v02.api.letsencrypt.org/directory) so that
      # failed runs do not burn production rate limits.
      server => 'https://acme-v02.api.letsencrypt.org/directory',
    },
  }

  # TODO: there is deliberately no ordering between Letsencrypt::Certonly
  # and Nginx::Resource::Server (i.e. no
  # `Letsencrypt::Certonly <| |> -> Nginx::Resource::Server <| |>`):
  # on a fresh host that chain cannot be satisfied, because the nginx
  # plugin needs a running nginx while nginx refuses to start as long as
  # any referenced certificate file is missing.
  letsencrypt::certonly { $certname:
    ensure             => present,
    domains            => $san_names,
    plugin             => 'nginx',
    manage_cron        => true,
    additional_args    => ['--quiet'],
    # Only a post hook: restart nginx after (re)issuance so the new
    # certificate is served. A pre hook stopping nginx was tried and left
    # out, since the nginx plugin needs the service up.
    post_hook_commands => ['systemctl restart nginx.service'],
  }

  # Directory certbot populates for this lineage; both vhosts read from it.
  $live_dir = "/etc/letsencrypt/live/${certname}"

  # Catch-all vhost: '_' as default_server on both address families,
  # plain HTTP redirected to HTTPS. Access and error logs are set to
  # absent, so requests that land on this vhost leave no nginx log trail
  # -- keep that in mind when there is a need to investigate traffic.
  nginx::resource::server { 'gandalf':
    server_name          => ['_'],
    listen_options       => 'default_server',
    ipv6_enable          => true,
    ipv6_listen_options  => 'default_server',
    ssl                  => true,
    ssl_redirect         => true,
    ssl_cert             => "${live_dir}/fullchain.pem",
    ssl_key              => "${live_dir}/privkey.pem",
    www_root             => '/var/www/adrift.space',
    index_files          => ['index.html'],
    access_log           => 'absent',
    error_log            => 'absent',
    use_default_location => false,
  }

  # Root location of the catch-all vhost, HTTPS only. With autoindex on
  # and no index files, every directory under www_root is listed to any
  # client -- NOTE(review): directory listings expose file names publicly;
  # confirm this is intended for everything under /var/www/adrift.space.
  nginx::resource::location { '/':
    server      => 'gandalf',
    ssl         => true,
    ssl_only    => true,
    try_files   => ['$uri', '$uri/', '=404'],
    index_files => [],
    autoindex   => 'on',
  }

  # Package-repository vhost, HTTPS with redirect, same certificate.
  nginx::resource::server { 'repo.gandalf.adrift.space':
    server_name          => ['repo.gandalf.adrift.space'],
    ipv6_enable          => true,
    ipv6_listen_options  => '',
    ssl                  => true,
    ssl_redirect         => true,
    ssl_cert             => "${live_dir}/fullchain.pem",
    ssl_key              => "${live_dir}/privkey.pem",
    www_root             => '/usr/net/repo/',
    index_files          => ['index.html'],
    use_default_location => true,
  }
}