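# Manage the sync scripts and their configurations.
#
# Each sync script is selected separately because not all environments get
# the same set of scripts. These are intended for install on the tools
# server, but the class is still flexible enough to be applied on the master.
#
# Parameters:
#   $ldap_master_fqdn - FQDN of the LDAP master; passed through to
#                       su_ldap::sync_scripts::ldap_reports.
#   $env              - environment name; it derives the service/ldap-$env
#                       principal, the keytab path and the ticket-cache path.
#                       Required: the class fails if it is left undef.
#   $addresses        - passed through to su_ldap::sync_scripts::ldap_reports
#                       (it was referenced below without being declared).
#   $enable_*         - per-script switches, set one by one in hiera.
class su_ldap::sync_scripts (
  $ldap_master_fqdn                  = undef,
  $env                               = undef,
  $addresses                         = undef,
  # select the sync scripts one by one in the hiera file
  $enable_ldap_wg_maint              = false,
  # NOTE(review): declared but not consumed by any script below - confirm
  # whether it was meant to gate one of the hard-disabled blocks.
  $enable_ldap_sync_attribute        = false,
  $enable_ldap_group_maint           = false,
  $enable_ldap_sync_sugal_attributes = false,
  $enable_ldap_alias_maint           = false,
  $enable_posix_account_sync         = false,
  $enable_ldap_reports               = false,
) {

  # Every derived name below embeds $env. Left unset it would silently yield
  # "k5start-ldap-sync-" and fetch a keytab for a principal that does not
  # belong to any environment, so refuse to continue.
  if $env == undef {
    fail('su_ldap::sync_scripts: $env must be set')
  }

  ## First, a single keytab for all of this.
  # This is the sync keytab ticket, for service/ldap-$env.
  $k5start_service_name = "k5start-ldap-sync-${env}"
  $keytab_path          = "/etc/ldapadmin/ldap-sync-${env}.keytab"
  $ticket_file_path     = "/var/run/ldap-sync-${env}.tkt"

  # A directory where we put any configuration for ldap monitoring, and where
  # the keytab above lands. Keep it out of reach of unprivileged users; the
  # scripts themselves read the ticket cache under /var/run, not the keytab.
  # NOTE(review): relax the mode if k5start runs as a non-root user.
  file { '/etc/ldapadmin':
    ensure => directory,
    owner  => 'root',
    group  => 'root',
    mode   => '0750',
  }

  # Add the service/ldap-$env keytab. This is single env only, with
  # accountsTreeWrite,peopleTreeWrite,groupsTreeWrite. The directory must
  # exist before the keytab can be written into it. $::fqdn is the top-scope
  # fact, spelled explicitly so the lookup does not depend on scope rules.
  base::wallet { "service/ldap-${env}":
    ensure  => present,
    path    => $keytab_path,
    primary => false,
    require => [
      File['/etc/ldapadmin'],
      Base::Wallet["host/${::fqdn}"],
    ],
  }

  # Set up a krb5 ticket keep-alive service for the above principal.
  systemd_k5start { $k5start_service_name:
    ensure      => present,
    keytab      => $keytab_path,
    ticket_file => $ticket_file_path,
  }

  # The service cannot obtain a ticket until the keytab is in place, so it
  # depends on the wallet resource as well as on its own unit definition.
  service { $k5start_service_name:
    ensure  => 'running',
    enable  => true,
    require => [
      Systemd_K5start[$k5start_service_name],
      Base::Wallet["service/ldap-${env}"],
    ],
  }

  # ldap-wg-maint.service
  if ($enable_ldap_wg_maint) {
    class { 'su_ldap::sync_scripts::ldap_wg_maint':
      ensure           => present,
      ticket_file_path => $ticket_file_path,
      env              => $env,
    }
  }

  # ldap-group-maint.service
  # NOTE(review): this class lives under s_ldap::base::sync_scripts while every
  # other script here is under su_ldap::sync_scripts - confirm the name.
  if ($enable_ldap_group_maint) {
    class { 's_ldap::base::sync_scripts::ldap_group_maint':
      ensure => present,
    }
  }

  # ldap-sync-sugal-attributes.service
  if ($enable_ldap_sync_sugal_attributes) {
    class { 'su_ldap::sync_scripts::ldap_sync_sugal_attributes':
      ensure => present,
    }
  }

  # ldap-sync-suprivilegegroup.service
  # Hard-disabled: there is no enable switch for it yet. Kept so the class
  # name is not lost when one is added.
  if (false) {
    class { 'su_ldap::sync_scripts::ldap_sync_suprivilegegroup':
      ensure => present,
    }
  }

  # ldap-alias-maint
  # Gated by its switch; it was previously hard-disabled, which made
  # $enable_ldap_alias_maint a no-op.
  if ($enable_ldap_alias_maint) {
    class { 'su_ldap::sync_scripts::ldap_alias_maint':
      ensure => present,
    }
  }

  # posix accounts - one sync per department, all with the same settings.
  if ($enable_posix_account_sync) {
    su_ldap::sync_scripts::posix_account_sync { ['aeroastroarl', 'anesthesia', 'statistics']:
      ensure => present,
    }
  }

  # ldap_reports
  if ($enable_ldap_reports) {
    class { 'su_ldap::sync_scripts::ldap_reports':
      ensure           => present,
      addresses        => $addresses,
      ldap_master_fqdn => $ldap_master_fqdn,
    }
  }

  # end of file
}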