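---
# Installs the UniFi TLS certificate and private key on the host and, when
# either file changed, rebuilds the controller's Java keystore from them.

- name: Copy tls cert and key
  copy:
    src: "{{ item.src }}"
    dest: "{{ item.dest }}"
    mode: "{{ item.mode }}"
  with_items:
    # Private key: owner-only access.
    - src: "{{ unifi_tls_key_path }}"
      dest: '/etc/pki/tls/private/unifi.pem'
      mode: '0600'
    # Certificate: public data that needs no execute bits (was '0750').
    - src: "{{ unifi_tls_cert_path }}"
      dest: '/etc/pki/tls/certs/unifi.pem'
      mode: '0644'
  loop_control:
    # Show only the destination path per item in task output.
    label: "{{ item.dest }}"
  # Keep private key contents out of --diff output.
  diff: false
  register: __unifi_certs
  become: true
  become_user: root

# Rebuild the keystore. The `when` at the end of the block restricts all of
# it, including the `always` cleanup, to runs where the copy task changed.
- block:
    - name: Set pkcs12 and keystore paths
      set_fact:
        # NOTE(review): fixed, predictable name in a world-writable
        # directory; a root-only directory or the tempfile module would be
        # safer. The bundle is created with mode 0600 below.
        __unifi_pkcs12_path: /tmp/unifi.p12
        __unifi_keystore_path: "{{ unifi_base_dir }}/{{ unifi_version }}/UniFi/data/keystore"

    - name: "Create temp openssl pkcs12 keystore at '{{ __unifi_pkcs12_path }}'"
      openssl_pkcs12:
        path: "{{ __unifi_pkcs12_path }}"
        friendly_name: ubnt
        privatekey_path: /etc/pki/tls/private/unifi.pem
        cert_path: /etc/pki/tls/certs/unifi.pem
        passphrase: "{{ unifi_tls_pkcs12_passphrase }}"
        # The bundle holds the private key; do not rely on the umask.
        mode: '0600'
        state: present

    - name: Delete current keystore file
      file:
        path: "{{ __unifi_keystore_path }}"
        state: absent

    - name: "Create java keystore at '{{ __unifi_keystore_path }}'"
      java_cert:
        pkcs12_path: "{{ __unifi_pkcs12_path }}"
        cert_alias: ubnt
        pkcs12_alias: ubnt
        keystore_path: "{{ __unifi_keystore_path }}"
        # NOTE(review): hard-coded keystore password, presumably the fixed
        # value the UniFi controller expects; confirm. Because it is not a
        # secret, the key is protected only by the file permissions below.
        keystore_pass: aircontrolenterprise
        pkcs12_password: "{{ unifi_tls_pkcs12_passphrase }}"
        keystore_create: true
        state: present
      notify: __unifi_restart

    # NOTE(review): until this task runs, the new keystore has whatever
    # owner and mode java_cert created it with.
    - name: Adjust keystore filesystem permissions
      file:
        path: "{{ __unifi_keystore_path }}"
        owner: "{{ unifi_user }}"
        group: "{{ unifi_group }}"
        mode: '0600'

  always:
    # Runs even if a task above failed, so the temporary bundle holding the
    # private key is not left behind in /tmp.
    - name: "Remove '{{ __unifi_pkcs12_path }}'"
      file:
        path: "{{ __unifi_pkcs12_path }}"
        state: absent

  become: true
  become_user: root
  when: __unifi_certs.changed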