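# Define the exported resource type for incus client certificates.
#
# Adds (or replaces) a client certificate in the local incus trust store under
# the name $hostname.
#
# Every parameter ends up inside a shell command line. If instances of this
# type are collected from other nodes' exported resources, $hostname and
# $certificate are supplied by those nodes and must be treated as untrusted:
# they are validated against strict allow-lists before any command string is
# built, and compilation fails if they do not match.
#
# @param hostname
#   Name under which the certificate is registered in the trust store.
#   Must consist of letters, digits, '.', '_' and '-' and start and end with a
#   letter or digit.
# @param certificate
#   PEM-encoded certificate (one or more CERTIFICATE blocks). When unset, the
#   resource does nothing.
define incus::client_cert (
  String $hostname,
  Optional[String] $certificate = undef,
) {
  if $certificate {
    # Reject anything that could break out of the quoted shell arguments below.
    unless $hostname =~ Pattern[/\A[A-Za-z0-9]([A-Za-z0-9._-]*[A-Za-z0-9])?\z/] {
      fail("incus::client_cert: invalid hostname '${hostname}'")
    }
    # Only base64 PEM blocks are accepted; this also guarantees that the value
    # contains no single quote and cannot terminate the quoted printf argument.
    unless $certificate =~ Pattern[/\A\s*(-----BEGIN CERTIFICATE-----[A-Za-z0-9+\/=\s]+-----END CERTIFICATE-----\s*)+\z/] {
      fail("incus::client_cert: certificate for '${hostname}' is not PEM-encoded")
    }

    # The fact may be absent (incus not installed yet) or not an array; treat
    # both as "nothing trusted yet" and let the exec guards decide at run time.
    $trust_list = $facts['incus_trust_list'] ? {
      Array   => $facts['incus_trust_list'],
      default => [],
    }

    # Check if this hostname is already in the trust list
    $existing_client = $trust_list.filter |$client| { $client['name'] == $hostname }

    # Write the certificate to a private, unpredictable temp file (mktemp)
    # instead of a fixed path in /tmp, and always remove it again, even when
    # the incus call fails.
    $add_cert_cmd = "tmp=\$(mktemp) && trap 'rm -f \"\$tmp\"' EXIT && printf '%s\\n' '${certificate}' > \"\$tmp\" && incus config trust add-certificate \"\$tmp\" --name '${hostname}'"

    if $existing_client.empty {
      # Add new certificate
      exec { "incus_trust_add_${hostname}":
        path     => ['/bin', '/usr/bin'],
        # The command starts with a shell assignment, so it has to run under sh.
        provider => shell,
        command  => $add_cert_cmd,
        # -F: match the name literally ('.' in a hostname is not a wildcard).
        unless   => "incus config trust list --format=json | grep -qF '\"name\":\"${hostname}\"'",
      }
    } else {
      # Remove existing and add new certificate
      $fingerprint = $existing_client[0]['fingerprint']
      unless $fingerprint =~ Pattern[/\A[0-9A-Fa-f]+\z/] {
        fail("incus::client_cert: unexpected fingerprint in incus_trust_list for '${hostname}'")
      }

      # NOTE(review): whenever the fact lists an entry with this name, this
      # exec removes and re-adds the certificate on every run, even if it is
      # unchanged, and the client is untrusted between the two steps. Comparing
      # the fingerprint of $certificate with $fingerprint first would avoid both.
      exec { "incus_trust_update_${hostname}":
        path     => ['/bin', '/usr/bin'],
        provider => shell,
        command  => "incus config trust remove '${fingerprint}' && ${add_cert_cmd}",
        onlyif   => "incus config trust list --format=json | grep -qF '${fingerprint}'",
      }
    }
  }
}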