class ekeyd-tunnel {

  include site-stunnel

  # set the ekeyd bind address/port that the actual ekeyd will use and this
  # tunnel will connect to
  $ekeyd_host = '127.0.0.1'
  $ekeyd_port = '8889'

  # the ekeyd class ensures that we're not on a vserver or xen domU
  # so we're either on a vhost, a xen dom0, or a plain old machine, all of
  # which might be places we'd want to run this class
  include ekeyd 

  # stunnel service that listens on pn 8888/SSL and sends to localhost
  # 8889/nonSSL
  stunnel::service {
    "ekeyd":
      accept => "${ekeyd_tunnel_address}:8888",
      connect => "127.0.0.1:8889",
      client => false,
      chroot => false,
      pid => "/var/run/stunnel4/ekeyd.pid",
      cafile => "/etc/certs/roots/${domain}.pem",
      cert => "/etc/certs/stunnel/certs/${fqdn}/${fqdn}_server.crt",
      key => "/etc/certs/stunnel/keys/${fqdn}/${fqdn}_server.key",
      verify => "2",
      rndfile => "/var/lib/stunnel4/.rnd",
      debuglevel => "4";
  }

}

class egd-tunnel {

  include site-stunnel

  # set the ekeyd bind address that egd will connect to, which is stunnel on
  # localhost, then the tunnel will connect to the tunnel on the ekeyd server
  $ekeyd_host = '127.0.0.1'

  # the egd class ensures that we're not on a vserver, so we're either
  # on a vhost, a xen dom0, a xen domU, or a plain old machine, all of
  # which might be places we'd want to run this class
  include egd 

  # stunnel service that listens on localhost 8888/nonSSL and sends to 
  # pn 8888/SSL on the ekeyd server
  stunnel::service {
    "egd":
      accept => "127.0.0.1:8888",
      connect => "${ekeyd_tunnel_address}:8888",
      client => true,
      chroot => false,
      pid => "/var/run/stunnel4/egd.pid",
      cafile => "/etc/certs/roots/${domain}.pem",
      cert => "/etc/certs/stunnel/certs/${fqdn}/${fqdn}_client.crt",
      key => "/etc/certs/stunnel/keys/${fqdn}/${fqdn}_client.key",
      verify => "2",
      rndfile => "/var/lib/stunnel4/.rnd",
      debuglevel => "4";
  }

  # egd needs stunnel to be up, but by default egd starts before stunnel
  # (both are started at rc2.d/s20). So we need to adjust egd.
  # See #576387

  # On machines where we use loop-aes, we need to move egd to
  # runlevel 3 (since stunnel starts there too since it needs the certs
  # in /crypt). Unfortunately we don't have a variable to tell us
  # if a machine is running loop-aes. But since all of our machines
  # use either dmcrypt or loop-aes and we have a way to know if they
  # are using the former, then we can just do all machines NOT using
  # dmcrypt. If someone ends up using this on machines without
  # encryption, this will break.
  if ( ! $root_is_encrypted ) {
    # We're on a loop-aes machine
    exec {
      "fix_egd_priority":
        command => "/bin/sh -c 'update-rc.d -f ekeyd-egd-linux remove && update-rc.d ekeyd-egd-linux start 21 3 . stop 21 0 1 2 4 5 6 .'",
        onlyif => '/usr/bin/test -L /etc/rc3.d/S20ekeyd-egd-linux';
    }
  }
  else {
    # We're on a dmcrypt machine
    exec {
      "fix_egd_priority":
        command => "/bin/sh -c 'update-rc.d -f ekeyd-egd-linux remove && update-rc.d ekeyd-egd-linux defaults 21'",
        onlyif => '/usr/bin/test -L /etc/rc3.d/S20ekeyd-egd-linux';
    }
  }
}