2025-07-15 16:51:11 +03:00
4 changed files with 9 additions and 54 deletions
--- a/galaxy.yml
+++ b/galaxy.yml
@ -8,7 +8,7 @@ namespace: norohind
 name: nebula

 # The version of the collection. Must be compatible with semantic versioning
-version: 1.1.0
+version: 1.0.1

 # The path to the Markdown (.md) readme file. This path is relative to the root of the collection
 readme: README.md
--- a/roles/configure/defaults/main.yml
+++ b/roles/configure/defaults/main.yml
@ -19,8 +19,6 @@ nebula_service_name_default: nebula
 service_name_mapping:
  - Debian: "nebula@config"

-force_download: false
-
 duration:
 nebula_groups:

--- a/roles/configure/tasks/download-nebula.yaml
+++ b/roles/configure/tasks/download-nebula.yaml
@ -11,6 +11,12 @@
    dest: "{{ nebula_bin_dir }}"
    remote_src: true

+- name: Create nebula config directory
+  ansible.builtin.file:
+    path: "{{ config_prefix }}"
+    state: directory
+    mode: "0755"
+
 - name: Template nebula systemd unit
  ansible.builtin.template:
    src: nebula.service.j2
--- a/roles/configure/tasks/main.yml
+++ b/roles/configure/tasks/main.yml
@ -8,38 +8,17 @@

 - name: Correct nebula_addr
  when: not nebula_addr is search("/")
-  tags:
-    - sign
  set_fact:
    nebula_addr: "{{ nebula_addr + '/' + nebula_subnet }}"

 - name: Set nebula service name
-  when: not force_download
  tags:
    - installation
  set_fact:
    nebula_service_name: "{{ service_name_mapping[ansible_distribution] | default(nebula_service_name_default) }}"

- name: Set nebula service name
-  when: force_download
-  tags:
-    - installation
-  set_fact:
-    nebula_service_name: "{{ nebula_service_name_default }}"
-
- name: Create nebula config directory
-  tags:
-    - sign
-    - installation
-    - config
-
-  ansible.builtin.file:
-    path: "{{ config_prefix }}"
-    state: directory
-    mode: "0755"
-
 - name: Install nebula
-  when: ansible_distribution != "Ubuntu" and not force_download
+  when: ansible_distribution != "Ubuntu"
  tags:
    - installation
  ansible.builtin.package:
@ -47,38 +26,30 @@
    state: present

 - name: Install nebula from GitHub
-  when: ansible_distribution == "Ubuntu" or force_download
+  when: ansible_distribution == "Ubuntu"
  tags:
    - installation
  ansible.builtin.import_tasks: download-nebula.yaml

 - name: Generate Nebula key pair
-  tags:
-    - sign
  command: nebula-cert keygen -out-key {{ inventory_hostname }}.key -out-pub {{ inventory_hostname }}.pub
  args:
    chdir: "{{ config_prefix }}"
    creates: "{{ inventory_hostname }}.pub"

 - name: Copy public key of a remote host to sign locally
-  tags:
-    - sign
  fetch:
    flat: true
    src: "{{ config_prefix }}/{{ inventory_hostname }}.pub"
    dest: "{{ pub_dir }}/{{ inventory_hostname }}.pub"

 - name: Check cert exists on remote host
-  tags:
-    - sign
  stat:
    path: "{{ config_prefix }}/{{ inventory_hostname }}.crt"
  register: cert_present

 - name: Fetch cert properties from remote host
  when: cert_present.stat.exists
-  tags:
-    - sign
  command:
    cmd: 'nebula-cert print -path "{{ config_prefix }}/{{ inventory_hostname }}.crt" -json'
  failed_when: cert_properties.stderr | length > 0 or cert_properties.rc != 0
@ -88,8 +59,6 @@

 - name: Compare groups, name, address; check cert expiration
  when: cert_present.stat.exists
-  tags:
-    - sign
  set_fact:
    comparison:
      - property: name
@ -125,22 +94,16 @@

 - name: Set do_reissue
  when: cert_present.stat.exists
-  tags:
-    - sign
  set_fact:
    do_reissue: "{{ comparison | map(attribute='should_reissue') | select('equalto', true) | list | length > 0 }}"

 - name: Log reason for certificate reissuance
  when: do_reissue
-  tags:
-    - sign
  debug:
    var: comparison | selectattr('should_reissue')

 - name: Issue certificate
  when: not cert_present.stat.exists or do_reissue
-  tags:
-    - sign
  delegate_to: localhost
  shell: >
    nebula-cert sign \
@ -159,8 +122,6 @@

 - name: Log new cert data
  when: not cert_present.stat.exists or do_reissue
-  tags:
-    - sign
  delegate_to: localhost
  shell: >
    nebula-cert print -path {{ inventory_hostname | quote }}.crt -json >> {{ ct_log_file | quote }}
@ -168,8 +129,6 @@
 - name: Copy issued certificate
  notify: nebula_reload
  when: not cert_present.stat.exists or do_reissue
-  tags:
-    - sign
  copy:
    src: "{{ inventory_hostname }}.crt"
    dest: "{{ config_prefix }}/{{ inventory_hostname }}.crt"
@ -177,8 +136,6 @@
 - name: Delete issued certificate from management node
  delegate_to: localhost
  when: not cert_present.stat.exists or do_reissue
-  tags:
-    - sign
  file:
    path: "{{ inventory_hostname }}.crt"
    state: absent
@ -186,15 +143,11 @@
 - name: Generate Nebula ssh host key
  shell: >
    ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N "" < /dev/null
-  tags:
-    - debug-ssh
  args:
    chdir: "{{ config_prefix }}"
    creates: ssh_host_ed25519_key

 - name: Copy nebula config
-  tags:
-    - config
  notify: nebula_reload
  copy:
    src: "{{ configs_dir }}/{{ inventory_hostname }}.yaml"
@ -202,8 +155,6 @@

 - name: Verify configuration
  command: "nebula -test -config {{ config_prefix }}/config.yml"
-  tags:
-    - config
  changed_when: false

 - name: Enable nebula service (systemd)