class incus (
  Array[String] $packages     = [
    'incus',
    'incus-tools',
    'incus-client'
  ],
  Boolean       $cluster      = false,
  Boolean       $init         = true,
  String        $bridge       = 'incusbr0',
  Stdlib::Port        $server_port = 8443,
  Stdlib::IP::Address $server_addr = $facts['networking']['ip'],
  Optional[String] $storage_images_volume = undef,
) {

  package { $packages:
    ensure => installed,
  }

  service { 'incus':
    ensure     => running,
    enable     => true,
    hasstatus  => true,
    hasrestart => true,
    subscribe  => [
      File['/var/lib/incus/server.crt'],
      File['/var/lib/incus/server.key'],
    ],
  }

  file_line { 'subuid_root':
    ensure => present,
    path   => '/etc/subuid',
    line   => 'root:1000000:1000000000',
    match  => '^root:',
    notify => Service['incus'],
  }

  file_line { 'subgid_root':
    ensure => present,
    path   => '/etc/subgid',
    line   => 'root:1000000:1000000000',
    match  => '^root:',
    notify => Service['incus'],
  }

  if $init {
    file {'/root/incus.preseed.yaml':
      ensure  => file,
      owner   => root,
      group   => root,
      content => template('incus/join_preseed.yaml.erb')
    }

    exec { 'initiate_incus':
      path    => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
      command => 'cat /root/incus.preseed.yaml | incus admin init --preseed && touch /root/.incus_initialized',
      creates => '/root/.incus_initialized',
      require => File['/root/incus.preseed.yaml'],
    }
  }

  file { '/var/lib/incus/server.crt':
    ensure => file,
    source => '/etc/pki/tls/vault/certificate.crt',
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
  }

  file { '/var/lib/incus/server.key':
    ensure => file,
    source => '/etc/pki/tls/vault/private.key',
    owner  => 'root',
    group  => 'root',
    mode   => '0600',
  }

  if $facts['incus'] and $facts['incus']['config'] {
    # set core.https_address
    if $facts['incus']['config']['core.https_address'] != "${server_addr}:${server_port}" {
      exec { 'incus_config_set_core_https_address':
        path    => ['/bin', '/usr/bin'],
        command => "incus config set core.https_address ${server_addr}:${server_port}",
      }
    }
    # set storage.images_volume # path to store images
    if $storage_images_volume {
      if $facts['incus']['config']['storage.images_volume'] != $storage_images_volume {
        exec { 'incus_config_set_storage_images_volume':
          path    => ['/bin', '/usr/bin'],
          command => "incus config set storage.images_volume ${storage_images_volume}",
        }
      }
    }

    # Collect exported client certificates and manage trust
    Incus::Client_cert <<| tag == 'incus_client' |>> {
      require => Service['incus'],
    }
  }
}