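# Manage the LDAP sync scripts and their configurations.
#
# Each sync script is enabled separately because not all environments run
# the same set of syncs. These are intended for the tools server, but the
# class is flexible enough to be applied on the LDAP master as well.
#
# Security note: every enabled sync authenticates with the single
# service/ldap-$env keytab fetched below, which (per the wallet comment)
# carries accountsTreeWrite, peopleTreeWrite and groupsTreeWrite. Any host
# carrying this class therefore holds write access to the directory for
# that one environment; the keytab is deliberately per-environment so a
# compromised tools host cannot write to another environment's tree.
#
# Parameters:
#   $ldap_master_fqdn  - FQDN of the LDAP master the sync scripts talk to.
#   $env               - Environment name; embedded in the keytab, ticket
#                        cache and k5start service names. Required.
#   $addresses         - Passed through to su_ldap::sync_scripts::ldap_reports
#                        (the report recipients, as used by that class).
#   $enable_*          - Boolean toggles, one per sync script, normally set
#                        in hiera. A disabled sync is actively removed
#                        (ensure => absent), not merely left unmanaged.
class su_ldap::sync_scripts (
  $ldap_master_fqdn                  = undef,
  $env                               = undef,
  $addresses                         = undef,
  # select the sync scripts one by one in the hiera file
  $enable_ldap_wg_maint              = false,
  $enable_ldap_group_maint           = false,
  $enable_ldap_sync_sugal_attributes = false,
  $enable_ldap_sync_suprivilegegroup = false,
  $enable_ldap_alias_maint           = false,
  $enable_posix_account_sync         = false,
  $enable_ldap_reports               = false,
  $enable_ldap_posix_group_remctl    = false,
) {

  # $env is interpolated into the principal name, the keytab path and the
  # ticket cache path. An unset value would silently request the principal
  # "service/ldap-" and write "/etc/ldapadmin/ldap-sync-.keytab", so fail
  # early and loudly instead.
  unless $env {
    fail('su_ldap::sync_scripts: $env must be set (it names the service/ldap-$env keytab)')
  }

  # Install the sync scripts package first.
  package { 'libstanford-ldap-sync-scripts-perl':
    ensure => installed,
  }

  # Some of the syncs need TLS support in Net::LDAP.
  ensure_packages(['libcrypt-ssleay-perl'], { ensure => 'present' })

  ## First, a single keytab for all of these syncs.
  # This is the sync keytab ticket, for service/ldap-$env.
  $k5start_service_name = "k5start-ldap-sync-${env}"
  $keytab_path          = "/etc/ldapadmin/ldap-sync-${env}.keytab"
  $ticket_file_path     = "/var/run/ldap-sync-${env}.tkt"

  # A directory where we put any configuration for LDAP monitoring, and
  # where the write-capable keytab above is stored.
  # NOTE(review): mode/owner are left at the platform defaults here; the
  # keytab itself relies on base::wallet for its file permissions. Confirm
  # the keytab ends up root-only (or owned by the sync user) and consider
  # tightening this directory once the runtime user of the syncs is known.
  file { '/etc/ldapadmin':
    ensure => directory,
  }

  # Set up a krb5 ticket keep-alive service for the above principal so the
  # sync scripts always find a fresh ticket in $ticket_file_path.
  systemd_k5start { $k5start_service_name:
    ensure      => present,
    keytab      => $keytab_path,
    ticket_file => $ticket_file_path,
  }

  service { $k5start_service_name:
    ensure  => 'running',
    enable  => true,
    require => Systemd_K5start[$k5start_service_name],
  }

  # Fetch the service/ldap-$env keytab. This is single-environment only,
  # with accountsTreeWrite, peopleTreeWrite and groupsTreeWrite. It depends
  # on the host keytab being present first, since wallet authenticates as
  # the host.
  base::wallet { "service/ldap-${env}":
    ensure  => present,
    path    => $keytab_path,
    primary => false,
    require => Base::Wallet["host/${fqdn}"],
  }

  # Several things use this, so put it here.
  ## Service (listener)
  include s_ldap::base::systemd

  # Each toggle maps to an ensure value; the sub-class/defined type is
  # declared once with that value, so a disabled sync is removed rather
  # than left behind from an earlier run.
  if $enable_ldap_wg_maint {
    $ldap_wg_maint_ensure = 'present'
  } else {
    $ldap_wg_maint_ensure = 'absent'
  }

  if $enable_ldap_group_maint {
    $ldap_group_maint_ensure = 'present'
  } else {
    $ldap_group_maint_ensure = 'absent'
  }

  if $enable_ldap_sync_sugal_attributes {
    $ldap_sync_sugal_attributes_ensure = 'present'
  } else {
    $ldap_sync_sugal_attributes_ensure = 'absent'
  }

  if $enable_ldap_sync_suprivilegegroup {
    $ldap_sync_suprivilegegroup_ensure = 'present'
  } else {
    $ldap_sync_suprivilegegroup_ensure = 'absent'
  }

  if $enable_ldap_alias_maint {
    $ldap_alias_maint_ensure = 'present'
  } else {
    $ldap_alias_maint_ensure = 'absent'
  }

  if $enable_posix_account_sync {
    $posix_account_sync_ensure = 'present'
  } else {
    $posix_account_sync_ensure = 'absent'
  }

  if $enable_ldap_posix_group_remctl {
    $ldap_posix_group_ensure = 'present'
  } else {
    $ldap_posix_group_ensure = 'absent'
  }

  # ldap-wg-maint.service
  class { 'su_ldap::sync_scripts::ldap_wg_maint':
    ensure           => $ldap_wg_maint_ensure,
    ldap_master_fqdn => $ldap_master_fqdn,
    ticket_file_path => $ticket_file_path,
    env              => $env,
  }

  # ldap-group-maint.service
  class { 'su_ldap::sync_scripts::ldap_group_maint':
    ensure           => $ldap_group_maint_ensure,
    env              => $env,
    ldap_master_fqdn => $ldap_master_fqdn,
  }

  # ldap-sync-sugal-attributes.service
  class { 'su_ldap::sync_scripts::ldap_sync_sugal_attributes':
    ensure           => $ldap_sync_sugal_attributes_ensure,
    env              => $env,
    ldap_master_fqdn => $ldap_master_fqdn,
  }

  # ldap-sync-suprivilegegroup.service
  class { 'su_ldap::sync_scripts::ldap_sync_suprivilegegroup':
    ensure           => $ldap_sync_suprivilegegroup_ensure,
    env              => $env,
    ldap_master_fqdn => $ldap_master_fqdn,
  }

  # ldap-alias-maint
  class { 'su_ldap::sync_scripts::ldap_alias_maint':
    ensure           => $ldap_alias_maint_ensure,
    env              => $env,
    ldap_master_fqdn => $ldap_master_fqdn,
  }

  # POSIX account syncs: one instance per department, all toggled together.
  su_ldap::sync_scripts::posix_account_sync { ['aeroastroarl', 'anesthesia', 'statistics']:
    ensure => $posix_account_sync_ensure,
    env    => $env,
  }

  # ldap_reports. The absent declaration intentionally passes no extra
  # parameters, so the class can be removed even when $addresses is unset.
  if $enable_ldap_reports {
    class { 'su_ldap::sync_scripts::ldap_reports':
      ensure           => present,
      addresses        => $addresses,
      ldap_master_fqdn => $ldap_master_fqdn,
    }
  } else {
    class { 'su_ldap::sync_scripts::ldap_reports':
      ensure => absent,
    }
  }

  ## Another remctl-driven sync:
  # LDAP posixgroup (ldap-posix-group)
  class { 'su_ldap::ldapadmin::posixgroup':
    env    => $env,
    ensure => $ldap_posix_group_ensure,
  }

  # end of file
}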