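# PostgreSQL primary ("master") profile.
#
# Manages:
#   * a copy of the Let's Encrypt certificate and private key for
#     $letsencrypt_host inside the data directory, readable only by the
#     postgres user;
#   * server settings: wal_level=logical and ssl=on pointing at those copies;
#   * for each backup host: a replication role, a replication slot, and one
#     hostssl pg_hba rule (database "replication", auth_method pam) per
#     address found for that host in the ldapvar fact;
#   * an LDAP-backed replication role plus the PAM / pam_ldap configuration
#     files used for those connections.
#
# @param letsencrypt_host Let's Encrypt name whose live/ cert.pem and
#   privkey.pem are copied. Kept at undef for call compatibility, but the
#   Letsencrypt::Certonly[$letsencrypt_host] references below do not resolve
#   without it, so callers must pass one.
# @param backup_hosts Names of the standby hosts. Each is resolved with
#   find_host() against $facts["ldapvar"]["other"]; a host without an LDAP
#   entry is skipped entirely (no rule, role or slot is created for it).
define profile::postgresql_master (
  $letsencrypt_host = undef,
  $backup_hosts = [],
) {
  $password_seed = lookup("base_installation::puppet_pass_seed")
  $pg_user = $::profile::postgresql::pg_user

  # The certificate copies live inside the data directory so the server can
  # read them without access to /etc/letsencrypt. Directory and files are
  # restricted to the postgres user; privkey.pem is a secret.
  $certs_dir = "/var/lib/postgres/data/certs"
  $cert_file = "${certs_dir}/cert.pem"
  $key_file  = "${certs_dir}/privkey.pem"
  $le_live   = "/etc/letsencrypt/live/${letsencrypt_host}"

  ensure_resource("file", $certs_dir, {
    ensure  => directory,
    mode    => "0700",
    owner   => $pg_user,
    group   => $pg_user,
    require => File["/var/lib/postgres"],
  })

  # links => "follow": the entries under live/ are symlinks, so the target
  # contents are copied rather than the link itself.
  ensure_resource("file", $cert_file, {
    source  => "file://${le_live}/cert.pem",
    mode    => "0600",
    links   => "follow",
    owner   => $pg_user,
    group   => $pg_user,
    require => [Letsencrypt::Certonly[$letsencrypt_host], File[$certs_dir]],
  })

  ensure_resource("file", $key_file, {
    source  => "file://${le_live}/privkey.pem",
    mode    => "0600",
    links   => "follow",
    owner   => $pg_user,
    group   => $pg_user,
    require => [Letsencrypt::Certonly[$letsencrypt_host], File[$certs_dir]],
  })

  ensure_resource("postgresql::server::config_entry", "wal_level", {
    value => "logical",
  })

  # The TLS settings must be ordered after the copied files, not only after
  # the certonly run: with ssl=on PostgreSQL will not start if ssl_cert_file
  # or ssl_key_file is missing, and nothing else orders the copies before the
  # configuration change.
  $ssl_requires = [
    Letsencrypt::Certonly[$letsencrypt_host],
    File[$cert_file],
    File[$key_file],
  ]

  ensure_resource("postgresql::server::config_entry", "ssl", {
    value   => "on",
    require => $ssl_requires,
  })

  ensure_resource("postgresql::server::config_entry", "ssl_cert_file", {
    value   => $cert_file,
    require => $ssl_requires,
  })

  ensure_resource("postgresql::server::config_entry", "ssl_key_file", {
    value   => $key_file,
    require => $ssl_requires,
  })

  # The PAM configuration managed at the end of this define is deployed on
  # every master, so the pam_ldap package it presumably relies on is installed
  # unconditionally rather than only when backup hosts are declared.
  ensure_packages(["pam_ldap"])

  $backup_hosts.each |$backup_host| {
    $host = find_host($facts["ldapvar"]["other"], $backup_host)

    unless empty($host) {
      $host["ipHostNumber"].each |$ip| {
        # An ipHostNumber value may carry a prefix length ("addr/len"); a bare
        # address becomes a single-host rule (/128 for IPv6, /32 for IPv4).
        $infos = split($ip, "/")
        $ipaddress = $infos[0]
        if (length($infos) == 1 and $ipaddress =~ /:/) {
          $mask = "128"
        } elsif (length($infos) == 1) {
          $mask = "32"
        } else {
          $mask = $infos[1]
        }

        # hostssl: replication connections from this backup are accepted only
        # over TLS, and only for the backup host's own role, via PAM.
        postgresql::server::pg_hba_rule { "allow TCP access to replication user from backup for replication from $ipaddress/$mask":
          type        => 'hostssl',
          database    => 'replication',
          user        => $backup_host,
          address     => "$ipaddress/$mask",
          auth_method => 'pam',
          order       => "06-01",
        }
      }

      postgresql::server::role { $backup_host:
        replication => true,
      }

      # Replication slot names cannot contain "-", so it is mapped to "_".
      postgresql_replication_slot { regsubst($backup_host, '-', "_", "G"):
        ensure => present,
      }
    }
  }

  # Presumably consumed by the pam_ldap_postgresql.conf.erb template below;
  # keep the names unchanged.
  $ldap_server    = lookup("base_installation::ldap_server")
  $ldap_base      = lookup("base_installation::ldap_base")
  $ldap_dn        = lookup("base_installation::ldap_dn")
  $ldap_cn        = lookup("base_installation::ldap_cn")
  $ldap_password  = generate_password(24, $password_seed, "ldap")
  $ldap_attribute = "cn"

  # This is to be replicated to the backup
  postgresql::server::role { $ldap_cn:
    replication => true,
  }

  # pam_ldap.d/postgresql.conf is rendered from a template that has the
  # generated LDAP password in scope, hence 0600 and ownership by the postgres
  # user (the process that goes through PAM).
  file { "/etc/pam_ldap.d":
    ensure => directory,
    mode   => "0755",
    owner  => "root",
    group  => "root",
  }
  -> file { "/etc/pam_ldap.d/postgresql.conf":
    ensure  => "present",
    mode    => "0600",
    owner   => $pg_user,
    group   => "root",
    content => template("profile/postgresql_master/pam_ldap_postgresql.conf.erb"),
  }
  -> file { "/etc/pam.d/postgresql":
    ensure => "present",
    mode   => "0644",
    owner  => "root",
    group  => "root",
    source => "puppet:///modules/profile/postgresql_master/pam_postgresql",
  }
}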