---
- name: Register p12 PayloadContent
  shell: |
    set -o pipefail
    cat private/{{ item }}.p12 |
    base64
  register: PayloadContent
  changed_when: false
  args:
    executable: bash
    chdir: "{{ ipsec_pki_path }}"
  with_items: "{{ users }}"

- name: Set facts for mobileconfigs
  set_fact:
    PayloadContentCA: "{{ lookup('file' , '{{ ipsec_pki_path }}/cacert.pem')|b64encode }}"

- name: Build the mobileconfigs
  template:
    src: mobileconfig.j2
    dest: "{{ ipsec_config_path }}/apple/{{ item.0 }}.mobileconfig"
    mode: 0600
  with_together:
    - "{{ users }}"
    - "{{ PayloadContent.results }}"
  no_log: "{{ no_log|bool }}"

- name: Build the client ipsec config file
  template:
    src: client_ipsec.conf.j2
    dest: "{{ ipsec_config_path }}/manual/{{ item }}.conf"
    mode: 0600
  with_items:
    - "{{ users }}"

- name: Build the client ipsec secret file
  template:
    src: client_ipsec.secrets.j2
    dest: "{{ ipsec_config_path }}/manual/{{ item }}.secrets"
    mode: 0600
  with_items:
    - "{{ users }}"

- name: Restrict permissions for the local private directories
  file:
    path: "{{ ipsec_config_path }}"
    state: directory
    mode: 0700