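# @summary Ensure the Vault root CA certificate is installed in the system trust store.
#
# Renders the certificate from the 'profiles/pki/vaultcaroot.pem.erb' template
# into the OS-specific trust anchor directory and refreshes the trust store
# whenever the file changes. Catalog compilation fails on any OS family other
# than RedHat or Debian.
#
# NOTE(review): every certificate chaining to this CA becomes trusted on the
# node, so changes to the template deserve the same review as a change to the
# trust policy itself.
class profiles::pki::vaultca {
  $root_cacert = 'vaultcaroot.pem'

  # Pick the anchor location and the refresh command for the OS family.
  case $facts['os']['family'] {
    'RedHat': {
      $ca_cert_target_path    = "/etc/pki/ca-trust/source/anchors/${root_cacert}"
      $update_ca_cert_command = 'update-ca-trust extract'
    }
    'Debian': {
      # update-ca-certificates only imports files ending in '.crt' from
      # /usr/local/share/ca-certificates; a '.pem' file is silently skipped and
      # the CA never reaches the trust store. The content stays PEM, only the
      # extension changes. A '.pem' copy left by an earlier run is not removed
      # by this class.
      $debian_cacert          = regsubst($root_cacert, '\.pem$', '.crt')
      $ca_cert_target_path    = "/usr/local/share/ca-certificates/${debian_cacert}"
      $update_ca_cert_command = 'update-ca-certificates'
    }
    default: {
      fail("Unsupported operating system: ${facts['os']['family']}")
    }
  }

  # The anchor is world-readable (a CA certificate is public) but writable by
  # root only, because write access to it means control over what the host trusts.
  file { $ca_cert_target_path:
    ensure  => file,
    owner   => 'root',
    group   => 'root',
    mode    => '0644',
    content => template('profiles/pki/vaultcaroot.pem.erb'),
    notify  => Exec['update_ca_trust_store'],
  }

  # Rebuild the trust store only when the certificate file changes.
  exec { 'update_ca_trust_store':
    command     => $update_ca_cert_command,
    # Absolute directories only: the original listed 'sbin' without the leading
    # slash, a relative entry that would resolve against the working directory
    # instead of /sbin.
    path        => ['/bin', '/usr/bin', '/sbin', '/usr/sbin'],
    refreshonly => true,
    require     => File[$ca_cert_target_path],
  }
}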