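# Debian SSO class.
#
# This sets up the web service as well as the LDAP backend for ftmg
#
# Declares the TLS service entries for sso.debian.org and
# ftmg.sso.debian.org, installs and configures slapd, and exports a
# pg_hba entry for the debsso database.
#
# @param db_address hostname of the postgres server for this service
# @param db_port port of the postgres server for this service
class roles::sso (
  String  $db_address,
  Integer $db_port,
) {
  include apache2
  include roles::sso_rp

  # Both vhosts reload apache when their ssl::service resource changes.
  # NOTE(review): ssl::service is defined elsewhere; `key => true`
  # presumably also ships the private key. Confirm there.
  ssl::service { 'sso.debian.org':
    notify => Exec['service apache2 reload'],
    key    => true,
  }
  ssl::service { 'ftmg.sso.debian.org':
    notify => Exec['service apache2 reload'],
    key    => true,
  }

  # Per-host secret derived with hkdf() (defined elsewhere) from
  # /etc/puppet/secret; the info string includes this role and the FQDN.
  # The variable is not referenced again in this class, so it is presumably
  # read by the slapd-ftmg.conf.erb template below. Keep the variable name
  # and the info string unchanged, or the template lookup / derived value
  # will change.
  $ftmg_dsa_root_password = hkdf('/etc/puppet/secret', "roles::sso::slapd-ftmg::${::fqdn}")

  ensure_packages (
    [
      'slapd',
    ], {
      ensure => 'installed',
    }
  )

  service { 'slapd':
    ensure => running,
  }

  # Remove the cn=config directory; force is needed to delete a directory.
  # slapd is configured from the flat slapd.conf files managed below.
  file { '/etc/ldap/slapd.d':
    ensure => absent,
    force  => true,
    notify => Service['slapd'],
  }
  file { '/etc/ldap/slapd.conf':
    source => 'puppet:///modules/roles/sso/slapd.conf',
    notify => Service['slapd'],
  }

  # Rendered from a template and readable only by owner and the openldap
  # group (0440). It presumably embeds $ftmg_dsa_root_password, so suppress
  # content diffs: otherwise a change to this file can be written to agent
  # output and reports whenever diffs are enabled (for example
  # `puppet agent --test`, which turns show_diff on).
  # NOTE(review): owner is not managed here; consider pinning it.
  file { '/etc/ldap/slapd-ftmg.conf':
    content   => template('roles/sso/slapd-ftmg.conf.erb'),
    notify    => Service['slapd'],
    group     => 'openldap',
    mode      => '0440',
    show_diff => false,
  }
  file { '/etc/default/slapd':
    source => 'puppet:///modules/roles/sso/default-slapd',
    notify => Service['slapd'],
  }

  # Directory for the ftmg data, private to the openldap user (0700).
  file { '/var/lib/ldap-ftmg':
    ensure => directory,
    mode   => '0700',
    owner  => 'openldap',
    group  => 'openldap',
    notify => Service['slapd'],
  }
  file { '/etc/ldap/schema/openssh-ldap.schema':
    source => 'puppet:///modules/roles/sso/openssh-ldap.schema',
    notify => Service['slapd'],
  }

  # Exported (@@) resource: grants the debsso and debssoweb roles access to
  # the debsso database from this host's public addresses. The tag is built
  # from db_port and db_address; presumably the matching PostgreSQL cluster
  # collects on that tag. Verify against postgres::cluster.
  @@postgres::cluster::hba_entry { "debsso-${::fqdn}":
    tag      => "postgres::cluster::${db_port}::hba::${db_address}",
    pg_port  => $db_port,
    database => 'debsso',
    user     => ['debsso', 'debssoweb'],
    address  => $base::public_addresses,
  }
}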