
---
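# Everything in this block is delegated to the CA host: the CA private key
# stays there, the member certificate is signed there, and the resulting files
# are slurped into registered variables for the deploy tasks that follow.
- name: Perform all member tasks on CA host
  delegate_to: "{{ nebula_ca_host }}"
  block:
  # The CA key pair may still be in the making on the CA host; block until
  # ca.key exists or nebula_ca_wait_timeout_seconds elapses (then the task fails).
  - name: Waiting for CA certificate to be generated (default 5 minutes) if needed
    ansible.builtin.wait_for:
      path: "{{ nebula_config_dir }}/ca.key"
      timeout: "{{ nebula_ca_wait_timeout_seconds }}"

  # Member-supplied key pair: only the public half is copied to the CA host,
  # so a private key the member generated itself never crosses to the CA.
  - name: Writing public key of member node if applicable
    ansible.builtin.copy:
      dest: "{{ nebula_config_dir }}/{{ nebula_nodename }}.pub"
      content: "{{ nebula_cert_public_key }}"
      mode: '0600'
      owner: root
      group: root
    when: nebula_cert_public_key is defined

  # The signing helper is rendered to a predictable name in /var/tmp and run
  # as root by the next task. It is invoked through bash explicitly, so it
  # needs no world-accessible bits: 0700 keeps the script (and whatever the
  # template puts in it) readable by root only.
  # NOTE(review): a predictable file name in a world-writable directory is a
  # classic temp-file hazard; a root-owned directory under nebula_config_dir
  # would be a safer home. Path kept because other task files may expect it.
  - name: Create nebula cert generator for ansible members
    ansible.builtin.template:
      src: managed.sh.j2
      dest: "/var/tmp/{{ nebula_nodename }}-generator.sh"
      mode: '0700'
      owner: root
      group: root

  # The script path must match the template dest above. There is no loop on
  # this task, so `item` is undefined here; the original `item.key` reference
  # made the task fail before the certificate could be signed.
  # `creates` keeps the task idempotent: once the member cert exists the
  # generator is not run again.
  - name: Run the member generator
    ansible.builtin.command:
      cmd: "/bin/bash /var/tmp/{{ nebula_nodename }}-generator.sh"
      creates: "{{ nebula_config_dir }}/{{ nebula_nodename }}.crt"

  # slurp returns file contents base64-encoded in `.content`; the deploy tasks
  # below apply b64decode when writing them to the member.
  - name: Register CA cert
    ansible.builtin.slurp:
      src: "{{ nebula_config_dir }}/ca.crt"
    register: ca_cert_data

  - name: Register client cert
    ansible.builtin.slurp:
      src: "{{ nebula_config_dir }}/{{ nebula_nodename }}.crt"
    register: client_cert_data

  # Only when the member did not supply its own public key: the private key
  # was then generated on the CA host by the signing helper and is read back
  # here. no_log keeps the (base64) key material out of task output and logs.
  - name: Register client key
    ansible.builtin.slurp:
      src: "{{ nebula_config_dir }}/{{ nebula_nodename }}.key"
    register: client_key_data
    when: nebula_cert_public_key is not defined
    no_log: true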
# Runs on the member: writes the CA certificate slurped from the CA host.
# ca_cert_data.content is base64 (slurp output), hence the b64decode.
# no_log only keeps the decoded PEM blob out of the task output.
# NOTE(review): no owner/group is set here, unlike the CA-host tasks, so the
# file is owned by the connecting/become account — confirm that is intended.
- name: Deploy the CA certificate
  no_log: true
  ansible.builtin.copy:
    content: "{{ ca_cert_data.content | b64decode }}"
    dest: "{{ nebula_config_dir }}/ca.crt"
    mode: '0600'
# Runs on the member: writes the signed member certificate that the CA host
# produced. client_cert_data.content is base64 from slurp, hence b64decode.
- name: Deploy the client certificate
  no_log: true
  ansible.builtin.copy:
    content: "{{ client_cert_data.content | b64decode }}"
    dest: "{{ nebula_config_dir }}/{{ nebula_nodename }}.crt"
    mode: '0600'
# Member-supplied private key path: the key is taken verbatim from
# nebula_cert_private_key (it is not base64, so no decode). Mutually exclusive
# with the next task, which handles the key generated on the CA host.
# no_log keeps the private key out of task output and logs.
- name: Deploy client key if applicable
  when: nebula_cert_private_key is defined
  no_log: true
  ansible.builtin.copy:
    content: "{{ nebula_cert_private_key }}"
    dest: "{{ nebula_config_dir }}/{{ nebula_nodename }}.key"
    mode: '0600'
# CA-generated private key path: used when the member supplied no public key,
# so the key was created on the CA host and slurped (base64) as
# client_key_data. no_log keeps the decoded private key out of task output.
- name: Deploy client key generated on CA host
  when: nebula_cert_public_key is not defined
  no_log: true
  ansible.builtin.copy:
    content: "{{ client_key_data.content | b64decode }}"
    dest: "{{ nebula_config_dir }}/{{ nebula_nodename }}.key"
    mode: '0600'
# Polls every lighthouse in the play for a published nebula_routable_ip before
# the config is rendered. wait_for with only a timeout is a plain 10 s sleep;
# with retries/delay the task waits up to 12 attempts (about 10 s + 10 s each).
# Non-lighthouse hosts are skipped by the `when`. `item` is the default loop
# variable, so no loop_control is needed.
# NOTE(review): presumably nebula_routable_ip is set by an earlier task or host
# vars on the lighthouses — confirm it can actually change between retries.
- name: Waiting for a routable IP for nebula to be set on all the lighthouses
  loop: "{{ ansible_play_hosts_all }}"
  when: hostvars[item]['nebula_am_lighthouse']|bool
  until: hostvars[item]['nebula_routable_ip'] is defined
  retries: 12
  delay: 10
  ansible.builtin.wait_for:
    timeout: 10
# Renders the nebula config on the member and restarts the service through the
# restart_nebula handler when the file changed.
# NOTE(review): the file is world-readable (0644); that is fine as long as
# config.yml.j2 only references the key/cert files by path — confirm the
# template does not inline key material.
- name: Push out nebula configuration
  notify: restart_nebula
  ansible.builtin.template:
    src: config.yml.j2
    dest: "{{ nebula_config_dir }}/config.yml"
    owner: root
    group: root
    mode: '0644'
...