infrastructure/ansible/roles/pve_nebula_route/tasks/main.yml

- name: Get routes
  command:
    argv:
      - ip
      - route
      - show
      - "{{ nebula.cidr }}"
  register: routes
  changed_when: false
  become: true

- name: Add route to nebula hosts via ingress
  command:
    argv:
      - ip
      - route
      - add
      - "{{ nebula.cidr }}"
      - via
      - "{{ pve_hosts.ingress.internal_ip }}"
  become: true
  when: nebula.cidr not in routes.stdout