define tunnel::autossh::instance(
  $host,
  $localport,
  $hostport,
  $ensure              = present,
  $user                = $hostname,
  $sshport             = '22',
  $keytype             = 'rsa',
  $root_mail_recipient = hiera('mail::root_mail_recipient', 'nobody')
) {
  $dir     = "/var/backups/remote/${user}.${::domain}"
  $tag     = "backupninja-${::fqdn}"
  $ssh_dir = "${dir}/.ssh"

  autossh::tunnel { $name:
    ensure      => $ensure,
    user        => 'root',
    remote_user => $user,
    port        => $localport,
    hostport    => $hostport,
    host        => $host,
    remote_host => $host,
    sshport     => $sshport,
  }

  if !defined(Tunnel_server_realize["${::hostname}@${host}"]) {
    # this defines just maps that $host host an user environment for $fdqn
    @@tunnel_server_realize { "${::hostname}@${host}":
      host => $::fqdn,
      tag  => $host,
    }
  }

  if !defined(File["${dir}"]) {
    @@file { "${dir}":
      ensure => directory,
      mode   => 0750,
      owner  => $user,
      group  => 0,
      tag    => "${tag}",
    }
  }

  if !defined(File["${ssh_dir}"]) {
    @@file { "${ssh_dir}":
      ensure  => directory,
      mode    => 0700,
      owner   => $user,
      group   => 0,
      require => [User[$user], File["${dir}"]],
      tag     => "${tag}",
    }
  }

  if !defined(File["${ssh_dir}/authorized_keys"]) {
    @@file { "${ssh_dir}/authorized_keys":
      ensure  => present,
      mode    => 0644,
      owner   => 0,
      group   => 0,
      source  => "puppet:///modules/site_keys/${user}_id_${keytype}.pub",
      require => File["${ssh_dir}"],
      tag     => "${tag}",
    }
  }

  if !defined(User["{$user}"]) {
    @@user { "${user}":
      ensure     => "present",
      comment    => "${user} backup sandbox",
      home       => "${dir}",
      gid        => "backupninjas",
      managehome => true,
      shell      => "/bin/sh",
      password   => '*',
      require    => Group['backupninjas'],
      tag        => "${tag}"
    }
  }
}