- name: Get K3s token from the first server
  when: ansible_default_ipv4.address == k3s_primary_server_ip
  ansible.builtin.slurp:
    src: /var/lib/rancher/k3s/server/node-token
  register: k3s_token
  become: true

- name: Set fact on k3s_primary_server_ip
  ansible.builtin.set_fact:
    k3s_token: "{{ k3s_token['content'] | b64decode | trim }}"
  when:
    - ansible_default_ipv4.address == k3s_primary_server_ip

- name: Write K3s token to local file for encryption
  ansible.builtin.copy:
    content: |
      k3s_token: "{{ k3s_token }}"
    dest: "{{ playbook_dir }}/{{ k3s_server_token_vault_file }}"
    mode: "0600"
  delegate_to: localhost
  run_once: true

- name: Encrypt k3s token
  ansible.builtin.shell: cd ../; ansible-vault encrypt "{{ playbook_dir }}/{{k3s_server_token_vault_file}}"
  delegate_to: localhost
  run_once: true