---
- block:
    - name: Create pki folder structure
      file:
        path: "{{ item }}"
        state: directory
        recurse: True
      with_items:
        - /etc/pki/tls/certs
        - /etc/pki/tls/private

    - name: Copy certs and private key (file)
      copy:
        src: "{{ item.src }}"
        dest: "{{ item.dest }}"
        mode: "{{ item.mode }}"
      with_items:
        - { src: "{{ pve_tls_cert_source }}", dest: "/etc/pki/tls/certs/pveproxy-ssl.pem", mode: "0750" }
        - { src: "{{ pve_tls_key_source }}", dest: "/etc/pki/tls/private/pveproxy-ssl.key", mode: "0600" }
      loop_control:
        label: "{{ item.dest }}"
      register: __pve_copy_cert_file
      when: pve_tls_source_use_files

    - name: Set tls control variable
      set_fact:
        __pve_copy_cert: "{{ __pve_copy_cert_file }}"
      when: pve_tls_source_use_files

    - name: Copy certs and private key (content)
      copy:
        content: "{{ item.src }}"
        dest: "{{ item.dest }}"
        mode: "{{ item.mode }}"
      with_items:
        - { src: "{{ pve_tls_cert_source }}", dest: "/etc/pki/tls/certs", mode: "0750" }
        - { src: "{{ pve_tls_key_source }}", dest: "/etc/pki/tls/private", mode: "0600" }
      loop_control:
        label: "{{ item.dest }}"
      register: __pve_copy_cert_content
      when: pve_tls_source_use_content

    - name: Set tls control variable
      set_fact:
        __pve_copy_cert: "{{ __pve_copy_cert_content }}"
      when: pve_tls_source_use_content

    - name: Copy cert/key to pve filesystem
      command: "/bin/cp -rf {{ item[0].dest }} /etc/pve/nodes/{{ item[1] }}/{{ item[0].dest | basename }}"
      when: item[0].changed
      changed_when: item[0].changed
      with_nested:
        - "{{ __pve_copy_cert.results }}"
        - "{{ pve_nodes }}"
      loop_control:
        label: "/etc/pve/nodes/{{ item[1] }}/{{ item[0].dest | basename }}"
      notify: __pveproxy_restart
  become: True
  become_user: root