ansible-role-nebula/tasks/setup_ca.yml


---
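# Ensure a nebula CA exists in nebula_config_dir, creating one only when neither
# half of the key pair is present. The CA private key is the root of trust for
# the whole mesh: it is never overwritten, and a half-present CA (cert without
# key, or key without cert) is reported instead of silently skipped. Minting a
# fresh CA next to a stale ca.crt would sign member certs that peers holding
# the old ca.crt reject, so the operator has to resolve that state by hand.
- name: Check whether a CA key already exists
  ansible.builtin.stat:
    path: "{{ nebula_config_dir }}/ca.key"
  register: ca_key_check

- name: Check whether a CA cert already exists
  ansible.builtin.stat:
    path: "{{ nebula_config_dir }}/ca.crt"
  register: ca_cert_check

- name: Refuse to continue with a half-present CA
  ansible.builtin.assert:
    that:
      - (ca_key_check.stat.exists | bool) == (ca_cert_check.stat.exists | bool)
    fail_msg: >-
      Found exactly one of {{ nebula_config_dir }}/ca.key and
      {{ nebula_config_dir }}/ca.crt. Restore the missing file, or remove the
      remaining one to deliberately re-create the CA, then re-run.

- name: Create a nebula CA certificate
  ansible.builtin.command:
    # argv passes each value as one argument, so a CA name containing spaces
    # or quotes cannot break the command line the way a shell-split string can.
    argv:
      - "{{ nebula_bin_dir }}/nebula-cert"
      - ca
      - -name
      - "{{ nebula_ca_name }}"
      - -duration
      - "{{ nebula_ca_duration }}"
      - -out-key
      - "{{ nebula_config_dir }}/ca.key"
      - -out-crt
      - "{{ nebula_config_dir }}/ca.crt"
    creates: "{{ nebula_config_dir }}/ca.key"
  when:
    - not ca_key_check.stat.exists | bool
    - not ca_cert_check.stat.exists | bool

- name: Restrict permissions on the CA private key
  # nebula-cert is expected to write the key owner-only already (not verified
  # here); enforce it regardless so the CA key never depends on tool defaults
  # or the umask of whoever ran the role.
  ansible.builtin.file:
    path: "{{ nebula_config_dir }}/ca.key"
    mode: "0600"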
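# Issue certificates for mesh members that Ansible does not manage itself.
# Operators may supply a member's public key (preferred: the private key never
# leaves the member); otherwise a key pair is generated on the CA host and the
# private key is bundled into the zip that is fetched to the controller.
# Member names (the dict keys) become file names under nebula_config_dir; they
# come from role variables rather than untrusted input and are expected to be
# plain identifiers without path separators.
- name: Perform steps for non-ansible members
  when: nebula_nonmanaged_member_certs | length > 0
  block:
    - name: Write out the public keys of non-ansible members if needed
      # NOTE(review): this is the only task here that delegates to
      # nebula_ca_host; the neighbouring tasks assume they already run on the
      # CA host. Confirm how the including play targets this file.
      delegate_to: "{{ nebula_ca_host }}"
      ansible.builtin.copy:
        dest: "{{ nebula_config_dir }}/{{ item.key }}.pub"
        content: "{{ item.value['public_key'] }}"
        mode: "0600"
      when: item.value['public_key'] is defined
      loop: "{{ nebula_nonmanaged_member_certs | dict2items }}"

    - name: Render the cert generator script for each non-ansible member
      # The script runs as root, so it must not live in a world-writable
      # location such as /var/tmp. Keep it next to the CA material in
      # nebula_config_dir and make it readable only by its owner.
      ansible.builtin.template:
        src: non-managed.sh.j2
        dest: "{{ nebula_config_dir }}/{{ item.key }}-generator.sh"
        mode: "0700"
        owner: root
        group: root
      loop: "{{ nebula_nonmanaged_member_certs | dict2items }}"

    - name: Run the generator
      # creates: makes this a one-shot per member. An existing cert is never
      # re-issued, so changing a member's definition later requires removing
      # its .crt (and .key) first.
      ansible.builtin.command:
        argv:
          - /bin/bash
          - "{{ nebula_config_dir }}/{{ item.key }}-generator.sh"
        creates: "{{ nebula_config_dir }}/{{ item.key }}.crt"
      loop: "{{ nebula_nonmanaged_member_certs | dict2items }}"

    # Members that supplied a public key get only public material.
    - name: Create an archive of certs that do not have a private key
      community.general.archive:
        format: zip
        path:
          - "{{ nebula_config_dir }}/ca.crt"
          - "{{ nebula_config_dir }}/{{ item.key }}.crt"
        dest: "{{ nebula_config_dir }}/{{ item.key }}.zip"
        mode: "0600"
        owner: root
        group: root
      when: item.value['public_key'] is defined
      loop: "{{ nebula_nonmanaged_member_certs | dict2items }}"

    # Members without a supplied public key also receive the private key that
    # the generator created for them; this zip is a secret.
    - name: Create an archive of certs that do have a private key
      community.general.archive:
        format: zip
        path:
          - "{{ nebula_config_dir }}/ca.crt"
          - "{{ nebula_config_dir }}/{{ item.key }}.crt"
          - "{{ nebula_config_dir }}/{{ item.key }}.key"
        dest: "{{ nebula_config_dir }}/{{ item.key }}.zip"
        mode: "0600"
        owner: root
        group: root
      when: item.value['public_key'] is not defined
      loop: "{{ nebula_nonmanaged_member_certs | dict2items }}"

    - name: Copy the nonmanaged certs
      # fetch writes with the controller's umask and cannot set a mode; since
      # the zip may contain a private key, nebula_nonmanaged_certs_download_dir
      # should itself be restricted and the downloads treated as secrets.
      ansible.builtin.fetch:
        src: "{{ nebula_config_dir }}/{{ item.key }}.zip"
        dest: "{{ nebula_nonmanaged_certs_download_dir }}/{{ item.key }}.zip"
        flat: true
      loop: "{{ nebula_nonmanaged_member_certs | dict2items }}"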
...