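---
# Installs the Let's Encrypt certificate and private key where Keycloak
# expects them, plus a hook script meant to update them upon renewal.
# The whole block runs only when both keycloak_letsencrypt_certs and
# letsencrypt_acme_install are true.
- name: TLS certificates management with Letsencrypt
  block:
    # No mode is set here, so a newly created directory takes its
    # permissions from the remote umask.
    # NOTE(review): scripts in this directory are presumably executed at
    # renewal time; confirm it is not group- or world-writable.
    - name: Create the acme hooks directory if it does not yet exist
      file:
        dest: '{{ letsencrypt_acme_services_scripts_dir }}'
        state: directory
        owner: root
        group: root

    # Private key: readable by root and the Keycloak group only.
    - name: Copy the key file where keycloak expects it
      copy:
        src: '{{ letsencrypt_acme_sh_certificates_install_path }}/privkey'
        dest: '{{ keycloak_conf_directory }}/server.key.pem'
        owner: root
        group: '{{ keycloak_user }}'
        # Quoted so the mode never depends on YAML's implicit octal typing.
        mode: '0640'
        remote_src: true
      notify: Restart Keycloak

    - name: Copy the certificate file where keycloak expects it
      copy:
        src: '{{ letsencrypt_acme_sh_certificates_install_path }}/fullchain'
        dest: '{{ keycloak_conf_directory }}/server.crt.pem'
        owner: root
        group: '{{ keycloak_user }}'
        mode: '0640'
        remote_src: true
      notify: Restart Keycloak

    - name: Install a script that updates the certificates upon renewal
      template:
        src: keycloak-letsencrypt-hook.j2
        dest: '{{ letsencrypt_acme_services_scripts_dir }}/keycloak'
        owner: root
        group: root
        # Was the bare integer 4555. Without a leading zero YAML reads it as
        # decimal (octal 10713), whose permission bits are 0713: writable by
        # "other" rather than the intended setuid r-xr-xr-x. Quoting makes
        # Ansible parse the value as octal.
        # NOTE(review): Linux ignores the setuid bit on interpreted scripts;
        # if the renewal hook is invoked as root, '0555' is sufficient.
        # Confirm and drop the setuid bit.
        mode: '4555'
  when:
    - keycloak_letsencrypt_certs
    - letsencrypt_acme_install
  tags: ['keycloak', 'keycloak_baremetal', 'keycloak_letsencrypt']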