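# Define the exported resource type for incus client certificates
#
# @summary Ensures a client certificate is present in the local incus trust
#   store under the given name, replacing it when the fingerprint differs.
#
# Security notes:
#   * The original comment describes this as an exported resource, so the
#     parameter values are supplied by whichever node exported it. They are
#     therefore never interpolated into shell command text; they reach the
#     shell only as environment variables, expanded inside double quotes.
#   * The certificate is staged in a private `mktemp` file (umask 077) rather
#     than a predictable /tmp/<hostname>.crt path, so another local user
#     cannot pre-create, symlink or swap the file before incus reads it.
#   * Adding a certificate to the trust store grants that client access to
#     the incus API; review which nodes are allowed to export this resource.
#
# @param hostname
#   Name under which the certificate is registered in the trust store.
# @param certificate
#   PEM text of the client certificate. Nothing is done when unset.
# @param fingerprint
#   Expected fingerprint of $certificate, compared with the fingerprint
#   reported by the `incus_trust_list` fact. Nothing is done when unset.
define incus::client_cert (
  String $hostname,
  Optional[String] $certificate = undef,
  Optional[String] $fingerprint = undef,
) {
  # Only proceed if we have both certificate and fingerprint
  if $certificate and $fingerprint {
    # The fact may be absent (for example before the custom fact has been
    # synced); treat that as an empty trust list instead of failing
    # compilation on `undef.filter`. The `unless` guard below still prevents
    # a duplicate add in that case.
    $trust_list = $facts['incus_trust_list'] ? {
      Array   => $facts['incus_trust_list'],
      default => [],
    }
    $existing_client = $trust_list.filter |$client| { $client['name'] == $hostname }

    # Untrusted values travel as environment variables, never as command text.
    $client_env = [
      "INCUS_CLIENT_NAME=${hostname}",
      "INCUS_CLIENT_CERT=${certificate}",
    ]

    if $existing_client.empty {
      # Non-interpolating heredoc: every `$var` below is a shell variable.
      $add_script = @(SH)
        umask 077
        crt=$(mktemp) || exit 1
        trap 'rm -f "$crt"' EXIT
        printf '%s\n' "$INCUS_CLIENT_CERT" > "$crt" &&
          incus config trust add-certificate "$crt" --name "$INCUS_CLIENT_NAME"
        | SH

      # Add new certificate
      exec { "incus_trust_add_${hostname}":
        path        => ['/bin', '/usr/bin'],
        # The script uses shell builtins and operators, so request a shell
        # explicitly rather than relying on the default provider.
        provider    => shell,
        environment => $client_env,
        command     => $add_script,
        # grep -F: match the name literally, so dots in a hostname are not
        # treated as regex wildcards.
        unless      => 'incus config trust list --format=json | grep -F -q -- "\"name\":\"$INCUS_CLIENT_NAME\""',
      }
    } else {
      # Check if fingerprints are different
      $existing_fingerprint = $existing_client[0]['fingerprint']

      if $existing_fingerprint != $fingerprint {
        # Stage the new certificate first, so the old trust entry is only
        # removed once the replacement is ready to be added.
        $update_script = @(SH)
          umask 077
          crt=$(mktemp) || exit 1
          trap 'rm -f "$crt"' EXIT
          printf '%s\n' "$INCUS_CLIENT_CERT" > "$crt" &&
            incus config trust remove "$INCUS_OLD_FINGERPRINT" &&
            incus config trust add-certificate "$crt" --name "$INCUS_CLIENT_NAME"
          | SH

        # Remove existing and add new certificate only if fingerprints differ
        exec { "incus_trust_update_${hostname}":
          path        => ['/bin', '/usr/bin'],
          provider    => shell,
          environment => $client_env + ["INCUS_OLD_FINGERPRINT=${existing_fingerprint}"],
          command     => $update_script,
          onlyif      => 'incus config trust list --format=json | grep -F -q -- "$INCUS_OLD_FINGERPRINT"',
        }
      }
      # If fingerprints match, do nothing (certificate is already correct)
    }
  }
}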