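# profiles::vault::server
#
# Configures a Vault server node that uses Raft (integrated) storage and
# auto-joins its peers via `retry_join`. The peer list comes either from a
# PuppetDB query ($members_lookup + $members_role) or from $vault_servers.
#
# Listeners:
#   * a plaintext loopback listener on 127.0.0.1 (tls_disable is always true
#     there) intended for local CLI/unseal tooling only - it must never be
#     reachable off-host;
#   * the node's primary IP, TLS-enabled unless $tls_disable is set.
#
# Resource dependencies: the service subscribes to File[$ssl_crt] and
# File[$ssl_key], which this class does NOT declare; they must be managed by
# another class in the catalog (otherwise catalog compilation fails).
#
# @param members_lookup     Query PuppetDB for peers instead of using $vault_servers.
# @param members_role       ENC role used in the PuppetDB query (required when
#                           $members_lookup is true). It is interpolated into the
#                           query string unescaped, so it must be trusted config.
# @param vault_servers      Static list of peer FQDNs, used when lookup is off.
# @param tls_disable        Disable TLS on the non-loopback listener. Default
#                           false; only set true for throwaway test clusters.
# @param client_port        Vault API port.
# @param cluster_port       Vault cluster (request-forwarding / raft) port.
# @param manage_storage_dir Passed through to the vault module.
# @param data_dir           Raft data directory.
# @param bin_dir            Currently unused inside this class (kept for
#                           interface compatibility).
# @param ssl_crt            Server certificate for the TLS listener and for
#                           client auth when joining peers.
# @param ssl_key            Private key matching $ssl_crt.
# @param ssl_ca             CA bundle used to verify peers during retry_join.
# @param audit_log          Path of the audit log file (owned by vault, 0600).
class profiles::vault::server (
  Boolean              $members_lookup     = false,
  Variant[String, Undef] $members_role     = undef,
  Array                $vault_servers      = [],
  Boolean              $tls_disable        = false,
  Stdlib::Port         $client_port        = 8200,
  Stdlib::Port         $cluster_port       = 8201,
  Boolean              $manage_storage_dir = false,
  Stdlib::Absolutepath $data_dir           = '/opt/vault',
  Stdlib::Absolutepath $bin_dir            = '/usr/bin',
  Stdlib::Absolutepath $ssl_crt            = '/etc/pki/tls/vault/certificate.crt',
  Stdlib::Absolutepath $ssl_key            = '/etc/pki/tls/vault/private.key',
  Stdlib::Absolutepath $ssl_ca             = '/etc/pki/tls/certs/ca-bundle.crt',
  Stdlib::Absolutepath $audit_log          = '/var/log/vault_audit.log',
) {
  # Datacentre/cluster name. Not referenced within this class; kept because
  # other classes may read it as $profiles::vault::server::vault_cluster.
  $vault_cluster = "${::facts['country']}-${::facts['region']}"

  # Resolve the peer list. When lookup is enabled, query PuppetDB for every
  # host with the given role in this region and sort the result so the
  # generated config does not churn between runs.
  if $members_lookup and $members_role != undef {
    $servers_array = sort(query_nodes("enc_role='${members_role}' and region='${::facts['region']}'", 'networking.fqdn'))
  } else {
    $servers_array = $vault_servers
  }

  # Only configure Vault when we actually have peers to join.
  if ! $servers_array.empty() {
    $http_scheme = $tls_disable ? {
      true  => 'http',
      false => 'https',
    }

    # One retry_join stanza per peer. The client cert/key/CA entries are what
    # this node presents to (and trusts from) the leader during auto-join;
    # they are only meaningful when the peers' listeners use TLS.
    $server_urls = $servers_array.map |$fqdn| {
      {
        leader_api_addr         => "${http_scheme}://${fqdn}:${client_port}",
        leader_client_cert_file => $ssl_crt,
        leader_client_key_file  => $ssl_key,
        leader_ca_cert_file     => $ssl_ca,
      }
    }

    class { 'vault':
      manage_service     => false,
      manage_storage_dir => $manage_storage_dir,
      enable_ui          => true,
      storage            => {
        raft => {
          node_id    => $::facts['networking']['fqdn'],
          path       => $data_dir,
          retry_join => $server_urls,
        },
      },
      api_addr           => "${http_scheme}://${::facts['networking']['fqdn']}:${client_port}",
      extra_config       => {
        # NOTE(review): Vault's cluster port is documented as always using
        # TLS (internally generated certs) regardless of listener settings;
        # advertising an http:// cluster_addr when $tls_disable is true may
        # not be what Vault expects - confirm against the Vault version in use.
        cluster_addr => "${http_scheme}://${::facts['networking']['fqdn']}:${cluster_port}",
      },
      listener           => [
        {
          # Loopback-only plaintext listener for local tooling. Safe only
          # because it binds 127.0.0.1; do not widen this bind address.
          tcp => {
            address         => "127.0.0.1:${client_port}",
            cluster_address => "127.0.0.1:${cluster_port}",
            tls_disable     => true,
          },
        },
        {
          tcp => {
            address         => "${::facts['networking']['ip']}:${client_port}",
            cluster_address => "${::facts['networking']['ip']}:${cluster_port}",
            tls_disable     => $tls_disable,
            tls_cert_file   => $ssl_crt,
            tls_key_file    => $ssl_key,
          },
        },
      ],
    }

    # Audit log must exist and be readable only by the vault user: it
    # contains hashed but still sensitive request/response data.
    file { $audit_log:
      ensure => 'file',
      owner  => 'vault',
      group  => 'vault',
      mode   => '0600',
    }

    # Restart on cert/key rotation so the TLS listener picks up new material.
    service { 'vault':
      ensure    => true,
      enable    => true,
      subscribe => [File[$ssl_crt], File[$ssl_key]],
    }

    include profiles::vault::unseal
  } else {
    # Previously this was a silent no-op, leaving the node with no Vault
    # config, no audit log and no running service. Make it visible in the run.
    warning("profiles::vault::server: no Vault peers resolved (members_lookup=${members_lookup}, members_role=${members_role}, vault_servers empty); Vault was not configured on ${::facts['networking']['fqdn']}")
  }
}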