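---
# Install the nginx TLS key and certificate, then render tls.conf.
# The key/cert come either from variable content or from files, selected
# by nginx_tls_source_use_content / nginx_tls_source_use_files.
- block:
    - name: Copy certs and private key (content)
      copy:
        content: "{{ item.src }}"
        dest: "{{ item.dest }}"
        mode: "{{ item.mode }}"
      with_items:
        # Private key: readable and writable by the owner only.
        - src: "{{ nginx_tls_key_source }}"
          dest: '/etc/pki/tls/private/{{ nginx_tls_key_file }}'
          mode: '0600'
        # NOTE(review): 0750 sets execute bits on a certificate and hides it
        # from "other"; a certificate is public data and 0644 is the usual
        # mode. Confirm nothing depends on 0750 before changing it.
        - src: "{{ nginx_tls_cert_source }}"
          dest: '/etc/pki/tls/certs/{{ nginx_tls_cert_file }}'
          mode: '0750'
      loop_control:
        # Show only the destination path per item, not the item itself.
        label: "{{ item.dest }}"
      # item.src is the key material itself in this task. The label above
      # only shortens the default display; verbose output and --diff would
      # still print the content, so suppress task logging entirely.
      no_log: true
      notify: __nginx_reload
      when: nginx_tls_source_use_content

    - name: Copy certs and private key (files)
      copy:
        src: "{{ item.src }}"
        dest: "{{ item.dest }}"
        mode: "{{ item.mode }}"
      with_items:
        - src: "{{ nginx_tls_key_source }}"
          dest: '/etc/pki/tls/private/{{ nginx_tls_key_file }}'
          mode: '0600'
        # NOTE(review): same 0750 certificate mode as the content task above.
        - src: "{{ nginx_tls_cert_source }}"
          dest: '/etc/pki/tls/certs/{{ nginx_tls_cert_file }}'
          mode: '0750'
      loop_control:
        label: "{{ item.dest }}"
      # NOTE(review): item.src is a path here, so task output carries no key
      # material by default; running with --diff may still print the key
      # file's content - confirm whether diff output should be disabled.
      notify: __nginx_reload
      when: nginx_tls_source_use_files

    - name: Update tls.conf
      template:
        src: etc/nginx/conf.d/tls.conf.j2
        dest: /etc/nginx/conf.d/tls.conf
        owner: root
        group: root
        # Quoted so the mode never depends on the YAML parser's handling of
        # leading-zero integers.
        mode: '0640'
        # Ansible substitutes %s with the rendered temporary file. nginx -t
        # parses it inside a minimal events/http wrapper read from stdin, so
        # a tls.conf that fails the check is not installed. The here-string
        # (<<<) is why this runs under bash -c.
        validate: bash -c 'nginx -t -c /dev/stdin <<< "events {worker_connections 1;} http { include %s; }"'
      notify: __nginx_reload

  # Every task in the block runs as root. The copy tasks set no owner/group,
  # so new files take the ownership of this user.
  become: true
  become_user: root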