---

- name: set fact es_same_keystore
  set_fact: es_same_keystore=false

- name: set fact es_same_keystore if stores match
  set_fact: es_same_keystore=true
  when: es_ssl_keystore == es_ssl_truststore

- name: Ensure certificate directory exists
  become: yes
  file:
    dest: "{{ es_ssl_certificate_path }}"
    state: directory
    owner: root
    group: "{{ es_group }}"
    mode: "750"
  when: es_ssl_upload

- name: Upload SSL/TLS keystore
  become: yes
  copy:
    src: "{{ es_ssl_keystore }}"
    dest: "{{ es_ssl_certificate_path }}/{{ es_ssl_keystore | basename }}"
    owner: "{{ es_user }}"
    group: "{{ es_group }}"
    mode: "640"
  when: es_ssl_upload and es_ssl_keystore and es_ssl_truststore
  notify: restart elasticsearch
  register: copy_keystore

- name: Upload SSL/TLS truststore
  become: yes
  copy:
    src: "{{ es_ssl_truststore }}"
    dest: "{{ es_ssl_certificate_path }}/{{ es_ssl_truststore | basename }}"
    owner: "{{ es_user }}"
    group: "{{ es_group }}"
    mode: "640"
  when: es_ssl_upload and es_ssl_keystore and es_ssl_truststore
  notify: restart elasticsearch
  register: copy_truststore

- name: Upload SSL/TLS key and certificate
  become: yes
  copy:
    src: "{{ item }}"
    dest: "{{ es_ssl_certificate_path }}/{{ item | basename }}"
    owner: "{{ es_user }}"
    group: "{{ es_group }}"
    mode: "640"
  with_items:
    - "{{ es_ssl_key }}"
    - "{{ es_ssl_certificate }}"
  when: es_ssl_upload and es_ssl_key and es_ssl_certificate
  #Restart if these change
  notify: restart elasticsearch
  register: copy_certificates

- name: Upload SSL Certificate Authority
  become: yes
  copy:
    src: "{{ es_ssl_certificate_authority }}"
    dest: "{{ es_ssl_certificate_path }}/{{ es_ssl_certificate_authority | basename }}"
    owner: "{{ es_user }}"
    group: "{{ es_group }}"
    mode: "640"
  #Restart if this changes
  notify: restart elasticsearch
  when: es_ssl_upload and (es_ssl_certificate_authority is defined) and (es_ssl_certificate_authority|length > 0)

- name: Set keystore password
  become: yes
  shell: echo "{{ es_ssl_keystore_password }}" | {{ es_home }}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.keystore.secure_password'
  no_log: True
  when: es_ssl_keystore_password and (copy_keystore.changed or (es_same_keystore and copy_truststore.changed))
  with_items:
    - http
    - transport

- name: Set truststore password
  become: yes
  shell: echo "{{ es_ssl_truststore_password }}" | {{ es_home }}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.truststore.secure_password'
  no_log: True
  when: es_ssl_truststore_password and (copy_truststore.changed or (es_same_keystore and copy_keystore.changed))
  with_items:
    - http
    - transport

- name: Remove keystore password
  become: yes
  shell: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.keystore.secure_password'"
  when: es_ssl_keystore_password == "" and (copy_keystore.changed or (es_same_keystore and copy_truststore.changed))
  ignore_errors: yes
  with_items:
    - http
    - transport

- name: Remove truststore password
  become: yes
  shell: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.truststore.secure_password'"
  when: es_ssl_truststore_password == "" and (copy_truststore.changed or (es_same_keystore and copy_keystore.changed))
  ignore_errors: yes
  with_items:
    - http
    - transport

- name: Set key password
  become: yes
  shell: echo "{{ es_ssl_key_password }}" | {{ es_home }}/bin/elasticsearch-keystore add -x -f 'xpack.security.{{ item }}.ssl.secure_key_passphrase'
  no_log: True
  when: es_ssl_key_password and copy_certificates.changed
  with_items:
    - http
    - transport

- name: Remove key password
  become: yes
  shell: "{{ es_home }}/bin/elasticsearch-keystore remove 'xpack.security.{{ item }}.ssl.secure_key_passphrase'"
  when: es_ssl_key_password == "" and copy_certificates.changed
  ignore_errors: yes
  with_items:
    - http
    - transport