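---
# Manages a dedicated sub-directory of local trust anchors under
# /usr/local/share/ca-certificates: certificates listed in
# x509_root_ca_certificates are installed, and any other *.crt found in that
# sub-directory is removed, so a retired CA does not stay trusted.
#
# Both x509_root_ca_name and the keys of x509_root_ca_certificates are
# interpolated into file system paths. They are expected to be plain names
# without path separators.
# NOTE(review): nothing here validates that; confirm at the role's entry point.

- name: create base directory for root ca
  file:
    path: "/usr/local/share/ca-certificates/{{ x509_root_ca_name }}"
    state: directory
    # Trust anchors must only be writable by root; pin ownership and mode
    # instead of inheriting whatever umask or a pre-existing directory gives.
    owner: root
    group: root
    mode: "0755"

# Each entry supplies either `file` (a source path for copy) or `content`
# (inline certificate text); the unused parameter is dropped via `omit`.
- name: copy certificates for ca
  copy:
    src: "{{ item.value.file | default(omit) }}"
    content: "{{ item.value.content | default(omit) }}"
    dest: "/usr/local/share/ca-certificates/{{ x509_root_ca_name }}/{{ item.key }}.crt"
    # Certificates are public data: world-readable, writable by root only.
    owner: root
    group: root
    mode: "0644"
  loop: "{{ x509_root_ca_certificates | dict2items }}"
  loop_control:
    # Show only the certificate name per iteration, not the full item.
    label: "{{ item.key }}"
  notify: update ca certificates

- name: fetch list of currently installed certificates
  find:
    paths: "/usr/local/share/ca-certificates/{{ x509_root_ca_name }}"
    patterns: "*.crt"
  register: x509_root_ca_certificates_installed

# Installed file names with the extension stripped, minus the configured keys,
# gives the certificates that are no longer wanted.
# NOTE(review): the "fresh" handler is defined outside this file; presumably it
# rebuilds the system store so the removed anchors are dropped - confirm.
- name: remove superflous certificates
  file:
    path: "/usr/local/share/ca-certificates/{{ x509_root_ca_name }}/{{ item }}.crt"
    state: absent
  loop: >-
    {{ x509_root_ca_certificates_installed.files
       | map(attribute='path')
       | map('basename')
       | map('splitext')
       | map('first')
       | difference(x509_root_ca_certificates | list) }}
  notify: update ca certificates fresh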