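# profiles::vault::server
#
# Configures a Vault server backed by integrated (raft) storage. The peer
# list is either discovered from PuppetDB (same ENC role and region as this
# node) or taken from $vault_servers, and is handed to raft's retry_join so
# the node joins the existing cluster. When the peer list is empty nothing
# is configured (and, as of this revision, a warning is logged).
#
# @param members_lookup     Discover peers from PuppetDB instead of using
#                           $vault_servers. Requires $members_role.
# @param members_role       enc_role value of the peers to discover.
# @param vault_servers      Static peer FQDNs, used when lookup is disabled.
# @param install_method     Passed through to the vault class.
# @param tls_disable        Disable TLS on the network-facing API listener and
#                           advertise http:// URLs. Tokens and secrets then
#                           cross the network in clear text, so leave this
#                           false outside throw-away lab setups.
# @param client_port        API (client) port.
# @param cluster_port       Cluster (request forwarding / raft) port.
# @param manage_storage_dir Passed through to the vault class.
# @param data_dir           Raft storage path.
# @param bin_dir            Accepted for interface compatibility only; it is
#                           not referenced anywhere in this class.
# @param enable_ui          Serve the web UI on the API listener. Previously
#                           hard-coded to true; the default keeps that.
class profiles::vault::server (
  Boolean                 $members_lookup     = false,
  Variant[String, Undef]  $members_role       = undef,
  Array                   $vault_servers      = [],
  Enum['archive', 'repo'] $install_method     = 'archive',
  Boolean                 $tls_disable        = false,
  Stdlib::Port            $client_port        = 8200,
  Stdlib::Port            $cluster_port       = 8201,
  Boolean                 $manage_storage_dir = false,
  Stdlib::Absolutepath    $data_dir           = '/opt/vault',
  Stdlib::Absolutepath    $bin_dir            = '/usr/bin',
  Boolean                 $enable_ui          = true,
) {
  # The puppet agent's certificate and key double as Vault's server identity
  # on the network-facing listener and as the raft client certificate used
  # by retry_join, so the certificate deployment must be in place first.
  include profiles::pki::puppetcerts

  # Datacentre/cluster name built from custom facts. It is not consumed
  # below, but it is a class-scope variable
  # ($profiles::vault::server::vault_cluster) that other manifests may read,
  # so it is kept.
  $vault_cluster = "${facts['country']}-${facts['region']}"

  $fqdn     = $facts['networking']['fqdn']
  $cert_dir = '/etc/pki/tls/puppet'
  $crt_file = "${cert_dir}/${fqdn}.crt"
  $key_file = "${cert_dir}/${fqdn}.key"
  $ca_file  = "${cert_dir}/ca.pem"

  # Peer list: PuppetDB lookup restricted to this node's region when enabled,
  # otherwise the static parameter. The lookup result is sorted so the
  # generated retry_join stanza keeps a stable order and does not churn the
  # config (and restart the service) on every run.
  # NOTE(review): $members_role is interpolated unquoted into the PQL query.
  # It is sourced from Hiera/ENC rather than from end users; keep it that way.
  if $members_lookup and $members_role != undef {
    $servers_array = sort(query_nodes("enc_role='${members_role}' and region='${facts['region']}'", 'networking.fqdn'))
  } else {
    $servers_array = $vault_servers
  }

  if $servers_array.empty() {
    # This case used to be silent. A Vault node with no peers is almost
    # always a lookup or Hiera mistake, so surface it in the agent log.
    warning("profiles::vault::server: no vault servers found for ${fqdn}; vault is not configured")
  } else {
    $http_scheme = $tls_disable ? {
      true  => 'http',
      false => 'https',
    }

    # One retry_join entry per peer. The client cert/key/CA are this node's
    # puppet certificate, presented to the leader for mutual TLS. With
    # $tls_disable the leader URL is http:// and these TLS entries are
    # expected to be ignored -- confirm against the deployed Vault version.
    $server_urls = $servers_array.map |$peer| {
      {
        leader_api_addr         => "${http_scheme}://${peer}:${client_port}",
        leader_client_cert_file => $crt_file,
        leader_client_key_file  => $key_file,
        leader_ca_cert_file     => $ca_file,
      }
    }

    class { 'vault':
      install_method     => $install_method,
      manage_storage_dir => $manage_storage_dir,
      enable_ui          => $enable_ui,
      storage            => {
        raft => {
          node_id    => $fqdn,
          path       => $data_dir,
          retry_join => $server_urls,
        },
      },
      api_addr           => "${http_scheme}://${fqdn}:${client_port}",
      extra_config       => {
        # Vault's cluster_addr documentation states that cluster members
        # always talk TLS with Vault-managed certificates and that the scheme
        # here is ignored; it is kept in step with api_addr for readability.
        cluster_addr => "${http_scheme}://${fqdn}:${cluster_port}",
      },
      listener           => [
        {
          # Loopback listener, deliberately plaintext: this is what the unseal
          # class and the local vault CLI talk to. Any process on this host
          # can reach it, so local access is equivalent to Vault API access.
          tcp => {
            address         => "127.0.0.1:${client_port}",
            cluster_address => "127.0.0.1:${cluster_port}",
            tls_disable     => true,
          },
        },
        {
          # Network-facing listener on the primary interface, served with the
          # puppet certificate. No tls_min_version is set here, so Vault's
          # default minimum applies.
          tcp => {
            address         => "${facts['networking']['ip']}:${client_port}",
            cluster_address => "${facts['networking']['ip']}:${cluster_port}",
            tls_disable     => $tls_disable,
            tls_cert_file   => $crt_file,
            tls_key_file    => $key_file,
          },
        },
      ],
    }

    # Unseal handling only makes sense once the server itself is configured.
    include profiles::vault::unseal
  }
}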