# Node definition for fm.ics.muni.cz: manages the host firewall, obtains
# Let's Encrypt certificates and installs Foreman 1.17 with its Apache vhost
# pointed at those certificates.
node 'fm.ics.muni.cz' {
  # Remove every firewall rule on the host that is not declared in Puppet.
  resources { 'firewall':
    purge => true,
  }

  # Resource defaults: every firewall rule declared in this scope is applied
  # after my_fw::pre and before my_fw::post (both classes are defined
  # outside this file).
  Firewall {
    before  => Class['my_fw::post'],
    require => Class['my_fw::pre'],
  }

  class { ['my_fw::pre', 'my_fw::post']: }
  class { 'firewall': }

  # Accepts ALL inbound TCP from 95.105.237.38: no dport is set, so every
  # TCP port on this host is reachable from that address.
  # NOTE(review): the title says "test" - restrict this to the port(s) that
  # are really needed, or drop the rule once testing is finished.
  firewall { '100 allow test puppetmaster':
    chain  => 'INPUT',
    source => '95.105.237.38',
    proto  => 'tcp',
    action => 'accept',
  }

  # Accepts inbound TCP on port 14831 from any source (no source is set).
  # The port matches the --tls-sni-01-port value passed to certbot below.
  # NOTE(review): only needed while that challenge type is in use; see the
  # note on Letsencrypt::Certonly['fm.ics.muni.cz'].
  firewall { '101 allow all for certbot port':
    chain  => 'INPUT',
    dport  => '14831',
    proto  => 'tcp',
    action => 'accept',
  }

  # ---- Useful part below: certificates and Foreman ----
  
  # Certbot configuration: registration e-mail and ACME directory URL.
  # NOTE(review): acme-v01 is the ACMEv1 endpoint, which Let's Encrypt has
  # retired; confirm against the installed certbot version and move to the
  # ACMEv2 directory.
  class { '::letsencrypt':
    configure_epel => false,
    config         => {
      email  => 'janca@cesnet.cz',
      server => 'https://acme-v01.api.letsencrypt.org/directory',
    }
  }

  # First certificate request for fm.ics.muni.cz; no plugin is given, so the
  # module default is used. Ordered before Foreman in the chain at the end
  # of this node - presumably so that the /etc/letsencrypt/live/ files
  # referenced below exist before Apache is configured; verify.
  letsencrypt::certonly { 'fm-bootstrap':
    domains => ['fm.ics.muni.cz'],
  }

  # Declares the 'puppet' group with default attributes; ordered before the
  # foreman class in the chain below.
  group { 'puppet': }

  # Foreman from the 1.17 repository, with the vhost TLS files taken from
  # the Let's Encrypt live directory.
  # NOTE(review): server_ssl_ca and server_ssl_chain both point at chain.pem.
  # In puppet-foreman, server_ssl_ca is (as far as I know) the CA bundle
  # Apache uses to verify client certificates, so this makes a public CA
  # chain the trust anchor for client-certificate authentication - confirm
  # that is intended and that nothing relies on client certs for access.
  # NOTE(review): server_ssl_crl is set to the empty string, so no CRL file
  # is configured here; revoked client certificates would not be rejected
  # on that basis.
  # NOTE(review): privkey.pem is the TLS private key; check that its file
  # permissions stay restrictive.
  class { '::foreman':
    repo                 => '1.17',
    server_ssl_ca        => '/etc/letsencrypt/live/fm.ics.muni.cz/chain.pem',
    server_ssl_chain     => '/etc/letsencrypt/live/fm.ics.muni.cz/chain.pem',
    server_ssl_cert      => '/etc/letsencrypt/live/fm.ics.muni.cz/cert.pem',
    server_ssl_key       => '/etc/letsencrypt/live/fm.ics.muni.cz/privkey.pem',
    server_ssl_crl       => '',
  }

  class { 'foreman::cli': }

  # Certbot's Apache plugin, used by the certonly resource below.
  package {'python-certbot-apache':
      ensure => present,
  }

  # Certificate managed through the Apache plugin once Foreman's Apache is
  # installed. No domains are listed; presumably the module falls back to
  # the resource title - verify. manage_cron installs a renewal cron job and
  # httpd is reloaded after a successful renewal.
  # NOTE(review): --tls-sni-01-port selects the TLS-SNI-01 challenge, which
  # Let's Encrypt disabled for security reasons and which current certbot
  # releases no longer support. Renewals that depend on it are likely to
  # fail and leave an expired certificate; plan a move to http-01 or dns-01,
  # after which firewall rule 101 can be removed.
  letsencrypt::certonly { 'fm.ics.muni.cz':
    plugin               => 'apache',
    additional_args      => ['--tls-sni-01-port 14831'],
    manage_cron          => true,
    cron_success_command => '/bin/systemctl reload httpd.service',
  }

  # Explicit ordering: certbot setup, bootstrap certificate, puppet group,
  # Foreman, Apache plugin package, plugin-managed certificate, and only
  # then my_fw::pre.
  # NOTE(review): because every firewall rule requires my_fw::pre, the
  # managed rules are applied last; on a first run Foreman and Apache are
  # set up before the managed ruleset is in place - confirm that exposure
  # window is acceptable.
  Class['::letsencrypt']
  -> Letsencrypt::Certonly['fm-bootstrap']
  -> Group['puppet']
  -> Class['::foreman']
  -> Package['python-certbot-apache']
  -> Letsencrypt::Certonly['fm.ics.muni.cz']
  -> Class['my_fw::pre']
}