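---
# Issue and install one TLS client certificate per publish zone of this host.
# The zone list comes from the `apps_publish_zones` filter applied to this
# host's variables; each zone item supplies its own CA config and provider.
- name: generate/install TLS client certificate
  loop: "{{ hostvars[inventory_hostname] | apps_publish_zones }}"
  loop_control:
    # Show only the zone name per iteration instead of the whole item,
    # which also carries the CA configuration.
    label: "{{ item.name }}"
  vars:
    x509_certificate_name: "apps-publish-{{ item.name }}"
    # No host names are requested: the EKU below restricts the certificate to
    # client authentication. Presumably this list feeds the SANs; confirm
    # against the x509 role.
    x509_certificate_hostnames: []
    x509_certificate_config:
      ca: "{{ item.certificate_ca_config }}"
      cert:
        # The peer identifies this client by its inventory host name.
        common_name: "{{ inventory_hostname }}"
        # clientAuth only, marked critical.
        extended_key_usage:
          - clientAuth
        extended_key_usage_critical: true
        create_subject_key_identifier: true
        # NOTE(review): presumably a relative offset of 100 weeks. That is a
        # long lifetime for an authentication credential; confirm that
        # renewal and revocation are handled for these certificates.
        not_after: "+100w"
    # Presumably reloaded by the role when the certificate changes; verify.
    x509_certificate_reload_services:
      - nginx
  include_role:
    # The provider is chosen per zone, so different zones may use different
    # issuing backends.
    name: "x509/{{ item.certificate_provider }}/cert"
    # The same role is included once per loop item.
    allow_duplicates: true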