Add option to forcefully download nebula and install to /opt

galaxy.yml

@@ -8,7 +8,7 @@ namespace: norohind
 name: nebula
 
 # The version of the collection. Must be compatible with semantic versioning
-version: 1.0.1
+version: 1.1.0
 
 # The path to the Markdown (.md) readme file. This path is relative to the root of the collection
 readme: README.md

roles/configure/defaults/main.yml

@@ -19,6 +19,8 @@ nebula_service_name_default: nebula
 service_name_mapping:
   - Debian: "nebula@config"
 
+force_download: false
+
 duration:
 nebula_groups:
 

roles/configure/tasks/download-nebula.yaml

@@ -11,12 +11,6 @@
     dest: "{{ nebula_bin_dir }}"
     remote_src: true
 
-- name: Create nebula config directory
-  ansible.builtin.file:
-    path: "{{ config_prefix }}"
-    state: directory
-    mode: "0755"
-
 - name: Template nebula systemd unit
   ansible.builtin.template:
     src: nebula.service.j2

roles/configure/tasks/main.yml

@@ -8,17 +8,38 @@
 
 - name: Correct nebula_addr
   when: not nebula_addr is search("/")
+  tags:
+    - sign
   set_fact:
     nebula_addr: "{{ nebula_addr + '/' + nebula_subnet }}"
 
 - name: Set nebula service name
+  when: not force_download
   tags:
     - installation
   set_fact:
     nebula_service_name: "{{ service_name_mapping[ansible_distribution] | default(nebula_service_name_default) }}"
 
+- name: Set nebula service name
+  when: force_download
+  tags:
+    - installation
+  set_fact:
+    nebula_service_name: "{{ nebula_service_name_default }}"
+
+- name: Create nebula config directory
+  tags:
+    - sign
+    - installation
+    - config
+
+  ansible.builtin.file:
+    path: "{{ config_prefix }}"
+    state: directory
+    mode: "0755"
+
 - name: Install nebula
-  when: ansible_distribution != "Ubuntu"
+  when: ansible_distribution != "Ubuntu" and not force_download
   tags:
     - installation
   ansible.builtin.package:
@@ -26,30 +47,38 @@
     state: present
 
 - name: Install nebula from GitHub
-  when: ansible_distribution == "Ubuntu"
+  when: ansible_distribution == "Ubuntu" or force_download
   tags:
     - installation
   ansible.builtin.import_tasks: download-nebula.yaml
 
 - name: Generate Nebula key pair
+  tags:
+    - sign
   command: nebula-cert keygen -out-key {{ inventory_hostname }}.key -out-pub {{ inventory_hostname }}.pub
   args:
     chdir: "{{ config_prefix }}"
     creates: "{{ inventory_hostname }}.pub"
 
 - name: Copy public key of a remote host to sign locally
+  tags:
+    - sign
   fetch:
     flat: true
     src: "{{ config_prefix }}/{{ inventory_hostname }}.pub"
     dest: "{{ pub_dir }}/{{ inventory_hostname }}.pub"
 
 - name: Check cert exists on remote host
+  tags:
+    - sign
   stat:
     path: "{{ config_prefix }}/{{ inventory_hostname }}.crt"
   register: cert_present
 
 - name: Fetch cert properties from remote host
   when: cert_present.stat.exists
+  tags:
+    - sign
   command:
     cmd: 'nebula-cert print -path "{{ config_prefix }}/{{ inventory_hostname }}.crt" -json'
   failed_when: cert_properties.stderr | length > 0 or cert_properties.rc != 0
@@ -59,6 +88,8 @@
 
 - name: Compare groups, name, address; check cert expiration
   when: cert_present.stat.exists
+  tags:
+    - sign
   set_fact:
     comparison:
       - property: name
@@ -94,16 +125,22 @@
 
 - name: Set do_reissue
   when: cert_present.stat.exists
+  tags:
+    - sign
   set_fact:
     do_reissue: "{{ comparison | map(attribute='should_reissue') | select('equalto', true) | list | length > 0 }}"
 
 - name: Log reason for certificate reissuance
   when: do_reissue
+  tags:
+    - sign
   debug:
     var: comparison | selectattr('should_reissue')
 
 - name: Issue certificate
   when: not cert_present.stat.exists or do_reissue
+  tags:
+    - sign
   delegate_to: localhost
   shell: >
     nebula-cert sign \
@@ -122,6 +159,8 @@
 
 - name: Log new cert data
   when: not cert_present.stat.exists or do_reissue
+  tags:
+    - sign
   delegate_to: localhost
   shell: >
     nebula-cert print -path {{ inventory_hostname | quote }}.crt -json >> {{ ct_log_file | quote }}
@@ -129,6 +168,8 @@
 - name: Copy issued certificate
   notify: nebula_reload
   when: not cert_present.stat.exists or do_reissue
+  tags:
+    - sign
   copy:
     src: "{{ inventory_hostname }}.crt"
     dest: "{{ config_prefix }}/{{ inventory_hostname }}.crt"
@@ -136,6 +177,8 @@
 - name: Delete issued certificate from management node
   delegate_to: localhost
   when: not cert_present.stat.exists or do_reissue
+  tags:
+    - sign
   file:
     path: "{{ inventory_hostname }}.crt"
     state: absent
@@ -143,11 +186,15 @@
 - name: Generate Nebula ssh host key
   shell: >
     ssh-keygen -t ed25519 -f ssh_host_ed25519_key -N "" < /dev/null
+  tags:
+    - debug-ssh
   args:
     chdir: "{{ config_prefix }}"
     creates: ssh_host_ed25519_key
 
 - name: Copy nebula config
+  tags:
+    - config
   notify: nebula_reload
   copy:
     src: "{{ configs_dir }}/{{ inventory_hostname }}.yaml"
@@ -155,6 +202,8 @@
 
 - name: Verify configuration
   command: "nebula -test -config {{ config_prefix }}/config.yml"
+  tags:
+    - config
   changed_when: false
 
 - name: Enable nebula service (systemd)