#
# Copyright:: Copyright (c) 2017 GitLab Inc.
# License:: Apache License, Version 2.0
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
account_helper = AccountHelper.new(node)
omnibus_helper = OmnibusHelper.new(node)
logfiles_helper = LogfilesHelper.new(node)
logging_settings = logfiles_helper.logging_settings('gitaly')

working_dir = node['gitaly']['dir']
env_directory = node['gitaly']['env_directory']
config_path = File.join(working_dir, "config.toml")
gitaly_path = node['gitaly']['bin_path']
wrapper_path = "#{gitaly_path}-wrapper"
pid_file = File.join(working_dir, "gitaly.pid")
json_logging = node.dig('gitaly', 'configuration', 'logging', 'format').eql?('json')
open_files_ulimit = node['gitaly']['open_files_ulimit']
runtime_dir = node.dig('gitaly', 'configuration', 'runtime_dir')
cgroups_enabled = node.dig('gitaly', 'configuration', 'cgroups', 'repositories', 'count')&.positive?
cgroups_mountpoint = node.dig('gitaly', 'configuration', 'cgroups', 'mountpoint') || '/sys/fs/cgroup'
cgroups_hierarchy_root = node.dig('gitaly', 'configuration', 'cgroups', 'hierarchy_root') || File.join('gitlab.slice', 'gitaly')
cgroups_parent_cgroup_procs_file = File.join(cgroups_mountpoint, File.dirname(cgroups_hierarchy_root), 'cgroup.procs')
use_wrapper = node['gitaly']['use_wrapper']

include_recipe 'gitaly::git_data_dirs'

directory working_dir do
  owner account_helper.gitlab_user
  mode '0700'
  recursive true
end

directory runtime_dir do
  owner account_helper.gitlab_user
  mode '0700'
  recursive true
end

directory logging_settings[:log_directory] do
  owner logging_settings[:log_directory_owner]
  mode logging_settings[:log_directory_mode]
  if log_group = logging_settings[:log_directory_group]
    group log_group
  end
  recursive true
end

# Support for the internal socket directory was removed in v15.0. If the old
# default internal socket directory still exists we can thus remove it.
directory File.join(node['gitaly']['dir'], 'internal_sockets') do
  action :delete
  recursive true
end

# Doing this in attributes/default.rb will need gitlab cookbook to be loaded
# before gitaly cookbook. This means gitaly cookbook has to depend on gitlab
# cookbook.  Since gitlab cookbook already depends on gitaly cookbook, this
# causes a circular dependency. To avoid it, the default value is set in the
# recipe itself.
node.default['gitaly']['env'] = {
  'HOME' => node['gitlab']['user']['home'],
  'PATH' => "#{node['package']['install-dir']}/bin:#{node['package']['install-dir']}/embedded/bin:/bin:/usr/bin",
  'TZ' => ':/etc/localtime',
  # This is needed by gitlab-markup to import Python docutils
  'PYTHONPATH' => "#{node['package']['install-dir']}/embedded/lib/python3.9/site-packages",
  # Charlock Holmes and libicu will report U_FILE_ACCESS_ERROR if this is not set to the right path
  # See https://gitlab.com/gitlab-org/gitlab-foss/issues/17415#note_13868167
  'ICU_DATA' => "#{node['package']['install-dir']}/embedded/share/icu/current",
  'SSL_CERT_DIR' => "#{node['package']['install-dir']}/embedded/ssl/certs/",
  # wrapper script parameters
  'GITALY_PID_FILE' => pid_file,
  'WRAPPER_JSON_LOGGING' => json_logging.to_s
}

env_dir env_directory do
  variables node['gitaly']['env']
  notifies :restart, "runit_service[gitaly]" if omnibus_helper.should_notify?('gitaly')
end

gitlab_url, gitlab_relative_path = WebServerHelper.internal_api_url(node)

secret_file = node['gitaly']['configuration']['gitlab']['secret_file']
file secret_file do
  owner "root"
  group "root"
  mode "0644"
  sensitive true
  content node['gitaly']['gitlab_secret']
  notifies :restart, 'runit_service[gitaly]' if omnibus_helper.should_notify?('gitaly')
end

template "Create Gitaly config.toml" do
  path config_path
  source "gitaly-config.toml.erb"
  owner "root"
  group account_helper.gitlab_group
  mode "0640"
  variables node['gitaly'].to_hash.merge(
    {
      configuration: node.dig('gitaly', 'configuration').merge(
        {
          # The gitlab section is not configured by the user directly. Its values are derived
          # from other configuration.
          gitlab: {
            url: gitlab_url,
            relative_url_root: gitlab_relative_path,
            'http-settings': node.dig('gitlab', 'gitlab_shell', 'http_settings')
          }.merge(node.dig('gitaly', 'configuration', 'gitlab') || {}).compact,

          # These options below were historically hard coded values in the template. They
          # are set here to retain the behavior of them not being overridable by the user.
          bin_dir: '/opt/gitlab/embedded/bin',
          git: (node.dig('gitaly', 'configuration', 'git') || {}).merge(
            {
              # Ignore gitconfig files so that the only source of truth for how Git commands
              # are configured are Gitaly's own defaults and the Git configuration injected
              # in this file.
              ignore_gitconfig: true
            }
          ),
          # Omnibus provides defaults for the mountpoint and hierarchy_root if not explicitly
          # set by the user. This provides a working out-of-box configuration since we override
          # runsv's cgroup subtree location in gitlab-runsvdir.service.erb.
          cgroups: cgroups_enabled && (node.dig('gitaly', 'configuration', 'cgroups') || {}).merge(
            {
              mountpoint: cgroups_mountpoint,
              hierarchy_root: cgroups_hierarchy_root,
            }
          ) || nil,
          'gitlab-shell': (node.dig('gitaly', 'configuration', 'gitlab-shell') || {}).merge(
            {
              dir: '/opt/gitlab/embedded/service/gitlab-shell'
            }
          ),
        }
      ).compact
    }
  )
  notifies :hup, "runit_service[gitaly]" if omnibus_helper.should_notify?('gitaly')
  sensitive true
end

runit_service 'gitaly' do
  start_down node['gitaly']['ha']

  options({
    user: account_helper.gitlab_user,
    groupname: account_helper.gitlab_group,
    working_dir: working_dir,
    env_dir: env_directory,
    bin_path: gitaly_path,
    wrapper_path: wrapper_path,
    config_path: config_path,
    log_directory: logging_settings[:log_directory],
    log_user: logging_settings[:runit_owner],
    log_group: logging_settings[:runit_group],
    json_logging: json_logging,
    open_files_ulimit: open_files_ulimit,
    cgroups_mountpoint: cgroups_mountpoint,
    cgroups_hierarchy_root: cgroups_hierarchy_root,
    cgroups_enabled: cgroups_enabled,
    cgroups_v2_enabled: Gitaly.cgroups_v2?(cgroups_mountpoint),
    cgroups_parent_cgroup_procs_file: cgroups_parent_cgroup_procs_file,
    use_wrapper: use_wrapper,
  }.merge(params))
  log_options logging_settings[:options]
end

if node['gitlab']['bootstrap']['enable']
  execute "/opt/gitlab/bin/gitlab-ctl start gitaly" do
    retries 20
  end
end

version_file 'Create version file for Gitaly' do
  version_file_path File.join(working_dir, 'VERSION')
  version_check_cmd "/opt/gitlab/embedded/bin/ruby -rdigest/sha2 -e 'puts %(sha256:) + Digest::SHA256.file(%(/opt/gitlab/embedded/bin/gitaly)).hexdigest'"
  notifies :hup, "runit_service[gitaly]"
end

consul_service node['gitaly']['consul_service_name'] do
  id 'gitaly'
  meta node['gitaly']['consul_service_meta']
  action Prometheus.service_discovery_action
  socket_address node.dig('gitaly', 'configuration', 'prometheus_listen_addr')
  reload_service false unless Services.enabled?('consul')
end