---
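# Letsencrypt path: the key and certificate issued by acme.sh on the managed
# host are copied into the Keycloak configuration directory, and a renewal
# hook is installed so that later renewals re-run that copy.
# Both conditions must hold. If keycloak_letsencrypt_certs is true but
# letsencrypt_acme_install is false, neither this block nor the
# "without Letsencrypt" block below runs, and no certificate is installed.
- name: keycloak-certificates | TLS certificates management with Letsencrypt
  when:
    - keycloak_letsencrypt_certs
    - letsencrypt_acme_install
  tags: ['keycloak', 'keycloak_baremetal', 'keycloak_letsencrypt']
  block:
    - name: keycloak-certificates | Create the acme hooks directory if it does not yet exist
      ansible.builtin.file:
        dest: '{{ letsencrypt_acme_services_scripts_dir }}'
        state: directory
        owner: root
        group: root
        mode: "0755"

    # The private key stays root-owned and is readable only through the
    # Keycloak group (0640): no world bits, and the service cannot rewrite it.
    - name: keycloak-certificates | Copy the key file where keycloak expects it
      ansible.builtin.copy:
        # remote_src: the source is the acme.sh install path on the managed
        # host, not a file on the controller.
        src: '{{ letsencrypt_acme_sh_certificates_install_path }}/privkey'
        dest: '{{ keycloak_conf_directory }}/server.key.pem'
        owner: root
        group: '{{ keycloak_user }}'
        mode: "0640"
        remote_src: true
      notify: Restart Keycloak

    # Same ownership and mode as the key so both files are handled uniformly.
    - name: keycloak-certificates | Copy the certificate file where keycloak expects it
      ansible.builtin.copy:
        src: '{{ letsencrypt_acme_sh_certificates_install_path }}/fullchain'
        dest: '{{ keycloak_conf_directory }}/server.crt.pem'
        owner: root
        group: '{{ keycloak_user }}'
        mode: "0640"
        remote_src: true
      notify: Restart Keycloak

    # The hook template itself lives outside this file; it is installed into
    # the hooks directory created above under the service name "keycloak".
    - name: keycloak-certificates | Install a script that updates the certificates upon renewal
      ansible.builtin.template:
        src: keycloak-letsencrypt-hook.j2
        dest: '{{ letsencrypt_acme_services_scripts_dir }}/keycloak'
        owner: root
        group: root
        # Plain executable, no setuid. The previous mode "4555" set the setuid
        # bit on a root-owned, world-executable hook: the kernel ignores
        # setuid on interpreted scripts, so the bit was either ineffective or
        # turned the hook into a setuid-root program. The hook runs with the
        # privileges of the renewal job; if that job needs elevated rights,
        # grant them explicitly rather than through a setuid file.
        mode: "0555"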

# Non-Letsencrypt path: a key/certificate pair supplied by the operator and
# already present on the managed host (remote_src) is copied into the Keycloak
# configuration directory with the same ownership and permissions the
# Letsencrypt path uses.
# The tag list presumably mirrors the Letsencrypt block so that the same
# --tags selection reaches both paths; the `when` condition decides which runs.
- name: keycloak-certificates | TLS certificates management without Letsencrypt
  when: not keycloak_letsencrypt_certs
  tags:
    - keycloak
    - keycloak_baremetal
    - keycloak_letsencrypt
  block:
    # Private key: root-owned, group-readable by the Keycloak service only.
    - name: keycloak-certificates | Copy the key file where keycloak expects it
      ansible.builtin.copy:
        remote_src: true
        src: "{{ keycloak_source_cert_key }}"
        dest: "{{ keycloak_conf_directory }}/server.key.pem"
        mode: "0640"
        owner: root
        group: "{{ keycloak_user }}"
      notify: Restart Keycloak

    # Certificate: same ownership and mode as the key.
    - name: keycloak-certificates | Copy the certificate file where keycloak expects it
      ansible.builtin.copy:
        remote_src: true
        src: "{{ keycloak_source_cert_file }}"
        dest: "{{ keycloak_conf_directory }}/server.crt.pem"
        mode: "0640"
        owner: root
        group: "{{ keycloak_user }}"
      notify: Restart Keycloak