- include_tasks: prepare_item.yml


- name: slurp root from ca
  slurp:
    src: "{{ ca_dir }}/{{ ca_rp }}{{ kt.name }}.{{ ca_crt_ext }}"
  register: root
  delegate_to: "{{ services.ca.hostname }}"


- name: copy root to memory
  set_fact:
    "root_{{ kt.name }}": "{{ root.content | b64decode }}"
  when: (ca_options | combine(item)).memory | d(false) == true


- name: copy root to remote node
  copy:
    dest: "{%- if item.path is defined -%}{{ item.path }}\
           {%- else -%}{{ ca_options.path ~ '/' ~ ca_rp ~ kt.name ~ '.' ~ ca_crt_ext }}\
           {%- endif -%}"
    content: "{{ root.content | b64decode }}"
    mode: "{{ k_mode | d(omit) }}"
    owner: "{{ k_owner | d(omit) }}"
    group: "{{ k_group | d(omit) }}"
  when: (ca_options | combine(item)).path is defined


- name: copy root to system storage
  block:
    - name: ensure ca-certificates is installed
      package:
        name: ca-certificates

    - name: upload root cert to user cert storage
      copy:
        dest: "/usr/local/share/ca-certificates/{{ ca_rp }}{{ kt.name }}.{{ ca_crt_ext }}"
        content: "{{ root.content | b64decode }}"

    - name: update ca certificates
      command: /usr/sbin/update-ca-certificates
      changed_when: no

  when: (ca_options | combine(item)).system | d(false) == true