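# Issue one web certificate via the `ca` role, deriving CN and SAN from
# `cert`, the optional shared `common` mapping, and host_name/host_tld.
#
# NOTE(review): this file was flattened onto a single line on the page, so the
# nesting below is reconstructed. Confirm in particular that `preset`, `acme`,
# `ocsp_must_staple` and `notify` belong under `ca_options`, and that `when`
# belongs to the block rather than to the looped task.

# combine() gives precedence to its argument: on a key conflict the value from
# `common` replaces the one from `cert` (recursively for nested mappings).
# owner, group, stapling, notify and ecc below are read from this merged view.
- name: set combined cert info
  set_fact:
    combined: "{{ cert | combine(common | d({}), recursive=true) }}"

# Facts set with set_fact persist for the host, so start from an empty list to
# keep SAN entries of an earlier run of these tasks out of this certificate.
- name: clear san list
  set_fact:
    san_list: []

# The condition sits on the block so the loop expression is not evaluated when
# cert.hosts is absent or is not a list.
- block:
    # One 'DNS:<name>' entry per host: the explicit fqdn if given, otherwise
    # hostname.tld with host_name / host_tld as fallbacks.
    - name: build san list
      set_fact:
        san_list: "{{ (san_list | d([])) + ['DNS:' ~ (item.fqdn | d((item.hostname | d(host_name)) ~ '.' ~ (item.tld | d(host_tld))))] }}"
      loop: "{{ cert.hosts }}"
  when: (cert.hosts is defined) and (cert.hosts | type_debug == 'list')

- name: generate certificate through external ns
  include_role:
    name: ca
  vars:
    function: certs
    ca_options:
      # Quoted so the mode stays the string '0400' instead of being parsed as
      # an octal integer. Presumably applied by the ca role to the files it
      # writes -- confirm there.
      mode: '0400'
      owner: "{{ combined.owner | d(None) }}"
      group: "{{ combined.group | d(None) }}"
      concat_inter: true
      preset: web
      acme: true
      # Must-staple is opt-in: off unless `stapling` is set in cert/common.
      ocsp_must_staple: "{{ combined.stapling | d(false) }}"
      notify: "{{ combined.notify | d(None) }}"
    ca_certs:
      # Key type is ecc384 only when `ecc` is exactly true, else rsa2048.
      - type: "{{ 'ecc384' if (combined.ecc | d(false) == true) else 'rsa2048' }}"
        cert: "{{ cert.cert }}"
        key: "{{ cert.key }}"
        # CN is the first listed host when hosts is a non-empty list,
        # otherwise the name built from the merged settings. The length check
        # mirrors the SAN fallback below: with an empty hosts list san_list
        # stays empty and SAN uses the merged name, so CN must use it too
        # rather than indexing hosts[0] of an empty list.
        cn: "{% if cert.hosts is defined and cert.hosts | type_debug == 'list' and cert.hosts | length > 0 -%}\
             {{ cert.hosts[0].fqdn | d((cert.hosts[0].hostname | d(host_name)) ~ '.' ~ (cert.hosts[0].tld | d(host_tld))) }}\
             {%- else -%}\
             {{ combined.fqdn | d((combined.hostname | d(host_name)) ~ '.' ~ (combined.tld | d(host_tld))) }}\
             {%- endif -%}"
        # SAN is the list built above, or a single DNS entry for the merged
        # name when no hosts were listed.
        san: "{% if san_list | length > 0 -%}\
              {{ san_list }}\
              {%- else -%}\
              {{ 'DNS:' ~ (combined.fqdn | d((combined.hostname | d(host_name)) ~ '.' ~ (combined.tld | d(host_tld)))) }}\
              {%- endif -%}"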