- name: Install unzip dependency.
  package:
    name: unzip
    state: present
  delegate_to: "127.0.0.1"
  when:
    - node_certs_generator

- name: Check if certificate exists locally
  stat:
    path: "{{ node_certs_destination }}/{{ elasticsearch_node_name }}.crt"
  register: certificate_file_exists

- name: Write the instances.yml file in the selected node (force = no)
  template:
    src: instances.yml.j2
    dest: "{{ node_certs_source }}/instances.yml"
    force: no
  register: instances_file_exists
  tags:
    - config
    - xpack-security
  when:
    - node_certs_generator
    - not certificate_file_exists.stat.exists

- name: Update instances.yml status after generation
  stat:
    path: "{{ node_certs_source }}/instances.yml"
  register: instances_file_exists
  when:
    - node_certs_generator

- name: Check if the certificates ZIP file exists
  stat:
    path: "{{ node_certs_source }}/certs.zip"
  register: xpack_certs_zip
  when:
    - node_certs_generator

- name: Importing custom CA key 
  copy:
    src: "{{ master_certs_destination }}/ca/{{ ca_key_name }}"
    dest: "{{ node_certs_source }}/{{ ca_key_name }}"
  when:
   - not generate_CA
  tags: xpack-security

- name: Importing custom CA cert
  copy:
    src: "{{ master_certs_destination }}/ca/{{ ca_cert_name }}"
    dest: "{{ node_certs_source }}/{{ ca_cert_name }}"
  when:
    - not generate_CA
  tags: xpack-security

- name: Generating certificates for Elasticsearch security (generating CA)
  shell: >-
    /usr/share/elasticsearch/bin/elasticsearch-certutil cert ca --pem --in 
    {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip
  when:
    - node_certs_generator
    - not xpack_certs_zip.stat.exists
    - generate_CA
  tags: xpack-security

- name: Generating certificates for Elasticsearch security (using provided CA)
  shell: /usr/share/elasticsearch/bin/elasticsearch-certutil cert --ca-key {{ node_certs_source }}/{{ ca_key_name }} --ca-cert {{ node_certs_source }}/{{ ca_cert_name }} --pem --in {{ node_certs_source }}/instances.yml --out {{ node_certs_source }}/certs.zip
  when:
    - node_certs_generator
    - not xpack_certs_zip.stat.exists
    - not generate_CA
  tags: xpack-security 

- name: Create the certificates directory
  file:
    path: "{{master_certs_destination}}"
    state: directory
    mode: '0700'
  delegate_to: "127.0.0.1"
  when: 
    - node_certs_generator

- name: Copying certificates to Ansible master
  fetch:
    src: "{{node_certs_source}}/certs.zip"
    dest: "{{master_certs_destination}}/"
    flat: yes
    mode: 0700
  when: 
    - node_certs_generator
  tags: xpack-security

- name: Delete certs.zip in Generator node
  file:
    state: absent
    path: "{{ node_certs_source }}/certs.zip"
  when: 
    - node_certs_generator
    

- name: Unzip generated certs.zip
  unarchive:
    src: "{{master_certs_destination}}/certs.zip"
    dest: "{{master_certs_destination}}/"
  become: true
  delegate_to: "127.0.0.1"
  when: 
    - node_certs_generator
  tags: xpack-security

- name: Ensuring certificates folder owner
  file:
    path: "{{ node_certs_destination }}/"
    state: directory
    recurse: yes
    owner: elasticsearch
    group: elasticsearch
  tags: xpack-security

- name: Ensuring certificates folder owner
  file:
    path: "{{ node_certs_destination }}/"
    mode: '0770'
    recurse: yes
  tags: xpack-security

- name: Copying node's certificate from master
  copy:
    src: "{{item}}"
    dest: "{{node_certs_destination}}/"
  with_items: 
    - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.key" 
    - "{{master_certs_destination}}/{{elasticsearch_node_name}}/{{ elasticsearch_node_name }}.crt"
    - "{{master_certs_destination}}/ca/ca.crt"
  tags: xpack-security

- name: Set elasticsearch bootstrap password
  shell: >-
     echo {{ elasticsearch_xpack_security_password }} | {{ node_certs_source }}/bin/elasticsearch-keystore add -xf bootstrap.password
  when:
    - node_certs_generator