home-server/ansible/roles/noble_cert_manager/tasks/from_env.yml

---
# See repository **.env.sample** — copy to **.env** (gitignored).
- name: Stat repository .env for deploy secrets
  ansible.builtin.stat:
    path: "{{ noble_repo_root }}/.env"
  register: noble_deploy_env_file
  changed_when: false

- name: Create cert-manager Cloudflare DNS secret from .env
  ansible.builtin.shell: |
    set -euo pipefail
    set -a
    . "{{ noble_repo_root }}/.env"
    set +a
    if [ -z "${CLOUDFLARE_DNS_API_TOKEN:-}" ]; then
      echo NO_TOKEN
      exit 0
    fi
    kubectl -n cert-manager create secret generic cloudflare-dns-api-token \
      --from-literal=api-token="${CLOUDFLARE_DNS_API_TOKEN}" \
      --dry-run=client -o yaml | kubectl apply -f -
    echo APPLIED
  environment:
    KUBECONFIG: "{{ noble_kubeconfig }}"
  when: noble_deploy_env_file.stat.exists | default(false)
  no_log: true
  register: noble_cf_secret_from_env
  changed_when: "'APPLIED' in (noble_cf_secret_from_env.stdout | default(''))"