Don't set CA facts if ipsec is disabled

users.yml

@@ -51,21 +51,21 @@
           include_vars:
             file: "configs/{{ algo_server }}/.config.yml"
 
-        - name: CA password prompt
+        - when: ipsec_enabled
-          pause:
+          block:
-            prompt: Enter the password for the private CA key
+          - name: CA password prompt
-            echo: false
+            pause:
-          register: _ca_password
+              prompt: Enter the password for the private CA key
-          when:
+              echo: false
-            - ca_password is undefined
+            register: _ca_password
-            - ipsec_enabled
+            when: ca_password is undefined
 
-        - name: Set facts based on the input
+          - name: Set facts based on the input
-          set_fact:
+            set_fact:
-            CA_password: >-
+              CA_password: >-
-              {% if ca_password is defined %}{{ ca_password }}
+                {% if ca_password is defined %}{{ ca_password }}
-              {%- elif _ca_password.user_input %}{{ _ca_password.user_input }}
+                {%- elif _ca_password.user_input %}{{ _ca_password.user_input }}
-              {%- else %}omit{% endif %}
+                {%- else %}omit{% endif %}
 
         - name: Local pre-tasks
           import_tasks: playbooks/cloud-pre.yml
@@ -78,7 +78,7 @@
             ansible_ssh_user: "{{ server_user|default('root') }}"
             ansible_connection: "{% if algo_server == 'localhost' %}local{% else %}ssh{% endif %}"
             ansible_python_interpreter: "/usr/bin/python3"
-            CA_password: "{{ CA_password }}"
+            CA_password: "{{ CA_password|default(omit) }}"
       rescue:
         - include_tasks: playbooks/rescue.yml