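# Obtains and deploys ACME certificates for this host with dehydrated, using
# dynamic DNS updates (nsupdate) to answer the dns-01 challenge.
#
# @param username      system account that runs dehydrated
# @param homedir       home of that account; config, spool and certs live under it
# @param nsupdate_key  TSIG key material as one string of two space-separated
#                      fields (see acmessl::pullconfig for how it is assembled)
# @param dnszone       zone that receives the _acme-challenge records
# @param dnsserver     DNS server that accepts the dynamic updates
# @param emailaddress  ACME account contact; a bare local part gets "@<fqdn>" appended
# @param dns_alt_names additional names to request (passed through to acmessl::pullconfig)
class acmessl (
  String[1]                  $username      = 'acmecert',
  String[1]                  $homedir       = '/var/lib/acmecert',
  String[1]                  $nsupdate_key,
  String[1]                  $dnszone,
  String[1]                  $dnsserver,
  Optional[String[1]]        $emailaddress  = undef,
  Optional[Array[String[1]]] $dns_alt_names = undef,
) {
  $certsdir = "${homedir}/certs"

  include acmessl::tools
  include acmessl::rehash

  # The account must exist before its config is written, and the config
  # (which also registers and schedules renewals) before the files are copied.
  class { 'acmessl::user':
    user    => $username,
    homedir => $homedir,
  }
  -> class { 'acmessl::pullconfig':
    user          => $username,
    homedir       => $homedir,
    dnsserver     => $dnsserver,
    dnszone       => $dnszone,
    nsupdate_key  => $nsupdate_key,
    certsdir      => $certsdir,
    emailaddress  => $emailaddress,
    dns_alt_names => $dns_alt_names,
  }
  -> class { 'acmessl::sslfiles':
    certsdir => $certsdir,
  }
}

# Copies the current certificate, chain and private key out of $certsdir into
# the system SSL directories and triggers a trust-store rehash.
#
# @param certsdir directory that dehydrated deploys the issued files into
class acmessl::sslfiles (
  Stdlib::Absolutepath $certsdir,
) {
  # Prefer the structured networking fact; fall back to the legacy flat facts.
  $netfacts = $facts['networking'] ? {
    undef   => $facts,
    default => $facts['networking'],
  }
  $fqdn = $netfacts['fqdn']

  # NOTE(review): the source files only exist once dehydrated has issued a
  # certificate, so these resources presumably fail on earlier runs -- confirm.
  file { "/etc/ssl/certs/${fqdn}.pem":
    ensure => present,
    owner  => 'root',
    group  => 'root',
    mode   => '0444',
    source => "${certsdir}/cert.pem",
    notify => Exec['update-ca-certificates'],
  }

  # The target name is fixed; it does not follow the issuer actually
  # present in chain.pem.
  file { '/etc/ssl/certs/Lets_Encrypt_Authority_X3.pem':
    ensure => present,
    owner  => 'root',
    group  => 'root',
    mode   => '0444',
    source => "${certsdir}/chain.pem",
    notify => Exec['update-ca-certificates'],
  }

  # Private key: readable only by root and the ssl-cert group.
  file { "/etc/ssl/private/${fqdn}.pem":
    ensure => present,
    owner  => 'root',
    group  => 'ssl-cert',
    mode   => '0440',
    source => "${certsdir}/privkey.pem",
  }
}

# Writes the dehydrated configuration, hook and wrapper scripts, then
# registers the account and schedules renewals.
#
# @param user          account that owns and runs everything below $homedir
# @param homedir       home of that account
# @param certsdir      deploy directory for issued files
# @param dnsserver     DNS server that accepts the dynamic updates
# @param dnszone       zone that receives the _acme-challenge records
# @param nsupdate_key  two space-separated fields; they are joined with
#                      $dnszone into "<field0>:<zone>:<field1>" for the wrapper
# @param dns_alt_names additional names appended to domains.txt
# @param emailaddress  ACME contact; a bare local part gets "@<fqdn>" appended
class acmessl::pullconfig (
  String[1]                  $user,
  Stdlib::Absolutepath       $homedir,
  Stdlib::Absolutepath       $certsdir,
  String[1]                  $dnsserver,
  String[1]                  $dnszone,
  String[1]                  $nsupdate_key,
  Optional[Array[String[1]]] $dns_alt_names = undef,
  Optional[String[1]]        $emailaddress  = undef,
) {
  $confdir = "${homedir}/dehydrated"
  $basedir = "${confdir}/spool"
  $logsdir = "${homedir}/logs"

  # A key string with fewer than two non-empty fields would interpolate as
  # empty components and yield a silently unusable credential; reject it at
  # compile time instead.
  $_keyparts = $nsupdate_key.split(' ')
  unless $_keyparts =~ Array[String[1], 2] {
    fail('acmessl::pullconfig: nsupdate_key must contain two space-separated fields')
  }
  $key = "${_keyparts[0]}:${dnszone}:${_keyparts[1]}"

  # Prefer the structured networking fact; fall back to the legacy flat facts.
  $netfacts = $facts['networking'] ? {
    undef   => $facts,
    default => $facts['networking'],
  }
  $fqdn = $netfacts['fqdn']

  $_dns_alt_names = $dns_alt_names ? {
    undef   => '',
    default => $dns_alt_names.join(' '),
  }

  # Accept a full address as-is; qualify a bare local part with the host name.
  $_emailaddress = $emailaddress ? {
    undef   => undef,
    /.+@.+/ => $emailaddress,
    default => "${emailaddress}@${fqdn}",
  }

  file {
    default:
      ensure => present,
      owner  => $user,
      group  => $user,
    ;
    $confdir:
      ensure => directory,
      mode   => '2770',
    ;
    $basedir:
      ensure => directory,
      mode   => '2770',
    ;
    "${confdir}/dehydrated.conf":
      mode    => '0440',
      content => epp('acmessl/dehydrated.conf.epp', {
        basedir      => $basedir,
        emailaddress => $_emailaddress,
      }),
    ;
    "${confdir}/domains.txt":
      mode    => '0440',
      content => "${fqdn} ${_dns_alt_names}\n",
    ;
    "${confdir}/dehydrated-wrapper":
      mode    => '0550',
      content => epp('acmessl/dehydrated-wrapper.epp', {
        logsdir => $logsdir,
      }),
    ;
    "${confdir}/dehydrated-hook":
      mode    => '0550',
      content => epp('acmessl/dehydrated-hook.epp', {
        dnsserver => $dnsserver,
        dnszone   => $dnszone,
        deploydir => $certsdir,
      }),
    ;
    # Embeds the TSIG secret: suppress content diffs so it does not land in
    # agent logs and reports. The value still travels in the catalog as a
    # plain String; wrapping it in Sensitive is worth considering where the
    # Puppet version in use supports it.
    "${confdir}/nsupdate-wrapper":
      mode      => '0550',
      show_diff => false,
      content   => epp('acmessl/nsupdate-wrapper.epp', {
        nsupdate_key => $key,
      }),
    ;
    $certsdir:
      ensure => directory,
      mode   => '2770',
    ;
  }

  class { 'acmessl::register':
    user    => $user,
    confdir => $confdir,
    basedir => $basedir,
  }

  class { 'acmessl::schedule':
    user    => $user,
    confdir => $confdir,
  }
}

# Runs the renewal wrapper at most once per day as the service account.
#
# @param user    account that runs the wrapper
# @param confdir directory holding the wrapper script
class acmessl::schedule (
  String[1]            $user,
  Stdlib::Absolutepath $confdir,
) {
  schedule { 'Try to renew ACME certificates once a day':
    period => daily,
  }
  -> exec { "${confdir}/dehydrated-wrapper --cron":
    require   => [
      Class['acmessl::tools'],
      Class['acmessl::pullconfig'],
      Class['acmessl::register'],
    ],
    user      => $user,
    umask     => '0007',
    logoutput => true,
    schedule  => 'Try to renew ACME certificates once a day',
  }
}

# Installs the tooling and removes the distribution's self-signed placeholder
# key pair.
class acmessl::tools {
  # `latest` means every agent run may upgrade these packages.
  ensure_packages(['dehydrated', 'dnsutils', 'ssl-cert', 'gnutls-bin'], { ensure => latest })

  file { [
    '/etc/ssl/certs/ssl-cert-snakeoil.pem',
    '/etc/ssl/private/ssl-cert-snakeoil.key',
  ]:
    ensure => absent,
  }
}

# Registers the ACME account once; presence of the accounts directory marks
# the registration as done.
#
# @param user    account that runs the wrapper
# @param confdir directory holding the wrapper script
# @param basedir dehydrated spool directory (where accounts/ is created)
class acmessl::register (
  String[1]            $user,
  Stdlib::Absolutepath $confdir,
  Stdlib::Absolutepath $basedir,
) {
  exec { 'Register with Letsencrypt':
    require   => [
      Class['acmessl::tools'],
      Class['acmessl::pullconfig'],
    ],
    creates   => "${basedir}/accounts",
    command   => "${confdir}/dehydrated-wrapper --register --accept-terms",
    logoutput => true,
    user      => $user,
    umask     => '0007',
  }
}

# Creates the non-login system account and its home directory.
#
# @param user    account and primary group name
# @param homedir home directory of the account
class acmessl::user (
  String[1]            $user,
  Stdlib::Absolutepath $homedir,
) {
  group { $user:
    ensure => present,
    system => true,
  }
  -> user { $user:
    ensure         => present,
    comment        => 'ACME certificate manager,,,',
    home           => $homedir,
    gid            => $user,
    system         => true,
    shell          => '/usr/sbin/nologin',
    purge_ssh_keys => true,
  }
  # NOTE(review): recurse + purge + force on the whole home directory; confirm
  # it leaves dehydrated's unmanaged state (spool/accounts, issued certs,
  # logs) in place rather than removing it on each run.
  -> file { $homedir:
    ensure  => directory,
    owner   => $user,
    group   => $user,
    mode    => '2770',
    recurse => true,
    purge   => true,
    force   => true,
  }
}

# Declares the trust-store rehash exec that the certificate files notify.
class acmessl::rehash {
  ensure_resource('exec', 'update-ca-certificates', {
    command     => 'update-ca-certificates --fresh',
    path        => '/usr/sbin:/usr/bin:/sbin:/bin',
    cwd         => '/etc/ssl/certs',
    logoutput   => true,
    refreshonly => true,
  })
}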