from bundlewrap.metadata import atomic


defaults = {
    'apt': {
        'packages': {
            'db-util': {},
            'ldap-utils': {},
            'slapd': {},
            'slapd-contrib': {},
        },
    },
    'backups': {
        'paths': {
            # Create backups both from ZFS and from dumps. Because
            # they're cheap.
            '/var/lib/ldap',
            '/var/tmp/ldapdumps',
        },
    },
    'cron': {
    },
    'icinga2_api': {
        'openldap': {
            'services': {
                'OPENLDAP PROCESS': {
                    'command_on_monitored_host': '/usr/lib/nagios/plugins/check_procs -C slapd -c 1:1',
                },
            },
        },
    },
    'monit': {
        'services': {
            'openldap': {
                'bin': '/usr/sbin/slapd',
                'systemd_unit': 'slapd',
                'ports': {
                    '389': {},
                    '636': {},
                },
            },
        },
    },
    'openldap': {
        'rootpw': repo.vault.password_for(f'{node.name} openldap rootpw'),
    },
}


@metadata_reactor.provides(
    'icinga2_api/openldap/services/OPENLDAP CERTIFICATE',
)
def cert_check(metadata):
    return {
        'icinga2_api': {
            'openldap': {
                'services': {
                    'OPENLDAP CERTIFICATE': {
                        'check_command': 'check_certificate_at',
                        'vars.domain': metadata.get('openldap/my_hostname'),
                        'vars.port': '636',
                    },
                },
            },
        },
    }


@metadata_reactor.provides(
    'firewall/port_rules/389',
    'firewall/port_rules/636',
)
def sperrfix(metadata):
    sources = metadata.get('openldap/restrict-to', set())

    return {
        'firewall': {
            'port_rules': {
                '389': atomic(sources),
                '636': atomic(sources),
            },
        },
    }