ansible/roles/k3s_server/tasks/pull_token.yaml

- name: Get K3s token from the primary server
  ansible.builtin.slurp:
    src: /var/lib/rancher/k3s/server/node-token
  register: k3s_token_raw
  delegate_to: "{{ groups['k3s_server'] | first }}"
  run_once: true
  become: true

- name: Set k3s_token fact
  ansible.builtin.set_fact:
    k3s_token: "{{ k3s_token_raw['content'] | b64decode | trim }}"
  run_once: true

- name: Write K3s token to local file for encryption
  ansible.builtin.copy:
    content: |
      k3s_token: "{{ k3s_token }}"
    dest: "{{ playbook_dir }}/{{ k3s_server_token_vault_file }}"
    mode: "0600"
  delegate_to: localhost
  run_once: true

- name: Encrypt k3s token
  ansible.builtin.shell: cd ../; ansible-vault encrypt "{{ playbook_dir }}/{{ k3s_server_token_vault_file }}"
  delegate_to: localhost
  run_once: true