trailofbits · juju4 · Aug 26, 2023 · Aug 26, 2023
@@ -1,10 +1,15 @@
+---
 skip_list:
- - yaml
- - '204'
+ - package-latest
+ - jinja[spacing]
 verbosity: 1
 
 warn_list:
- - no-changed-when
- - no-handler
- - fqcn-builtins
- - var-spacing
+ - experimental
+ - var-naming[pattern]
+ - yaml[line-length]
+ # - no-changed-when
+ # - var-spacing
+exclude_paths:
+ - .github/workflows/
+ - roles/cloud-*/files/stack.yaml
@@ -25,8 +25,9 @@ jobs:
  - name: Checks and linters
  run: |
  /snap/bin/shellcheck algo install.sh
+ [ -f requirements.yml ] && ansible-galaxy install -r requirements.yml
  ansible-playbook main.yml --syntax-check
- ansible-lint -x experimental,package-latest,unnamed-task -v *.yml roles/{local,cloud-*}/*/*.yml || true
+ ansible-lint *.yml roles/{local,cloud-*}/*/*.yml || true
 
  scripted-deploy:
  runs-on: ubuntu-20.04

@@ -7,6 +7,7 @@ timeout = 60
 stdout_callback = default
 display_skipped_hosts = no
 force_valid_group_names = ignore
+callbacks_enabled = profile_tasks, timer
 
 [paramiko_connection]
 record_host_keys = False

@@ -7,15 +7,16 @@
  - config.cfg
 
  tasks:
- - block:
+ - name: Play cloud
+ block:
  - name: Local pre-tasks
- import_tasks: playbooks/cloud-pre.yml
+ ansible.builtin.import_tasks: tasks/cloud-pre.yml
 
  - name: Include a provisioning role
- include_role:
+ ansible.builtin.include_role:
  name: "{{ 'local' if algo_provider == 'local' else 'cloud-' + algo_provider }}"
 
  - name: Local post-tasks
- import_tasks: playbooks/cloud-post.yml
+ ansible.builtin.import_tasks: tasks/cloud-post.yml
  rescue:
- - include_tasks: playbooks/rescue.yml
+ - ansible.builtin.include_tasks: tasks/rescue.yml
@@ -7,7 +7,7 @@
 
  tasks:
  - name: Add the droplet to an inventory group
- add_host:
+ ansible.builtin.add_host:
  name: "{{ client_ip }}"
  groups: client-host
  ansible_ssh_user: "{{ 'root' if client_ip == 'localhost' else ssh_user }}"

@@ -27,9 +27,10 @@
  - config.cfg
 
  tasks:
- - block:
+ - name: Inputs
+ block:
  - name: Cloud prompt
- pause:
+ ansible.builtin.pause:
  prompt: |
  What provider would you like to use?
  {% for p in providers_map %}
@@ -41,11 +42,11 @@
  when: provider is undefined
 
  - name: Set facts based on the input
- set_fact:
+ ansible.builtin.set_fact:
  algo_provider: "{{ provider | default(providers_map[_algo_provider.user_input|default(omit)|int - 1]['alias']) }}"
 
  - name: VPN server name prompt
- pause:
+ ansible.builtin.pause:
  prompt: |
  Name the vpn server
  [algo]
@@ -55,23 +56,23 @@
  - algo_provider != "local"
 
  - name: Cellular On Demand prompt
- pause:
+ ansible.builtin.pause:
  prompt: |
  Do you want macOS/iOS clients to enable "Connect On Demand" when connected to cellular networks?
  [y/N]
  register: _ondemand_cellular
  when: ondemand_cellular is undefined
 
  - name: Wi-Fi On Demand prompt
- pause:
+ ansible.builtin.pause:
  prompt: |
  Do you want macOS/iOS clients to enable "Connect On Demand" when connected to Wi-Fi?
  [y/N]
  register: _ondemand_wifi
  when: ondemand_wifi is undefined
 
  - name: Trusted Wi-Fi networks prompt
- pause:
+ ansible.builtin.pause:
  prompt: |
  List the names of any trusted Wi-Fi networks where macOS/iOS clients should not use "Connect On Demand"
  (e.g., your home network. Comma-separated value, e.g., HomeNet,OfficeWifi,AlgoWiFi)
@@ -81,7 +82,7 @@
  - (ondemand_wifi|default(false)|bool) or (booleans_map[_ondemand_wifi.user_input|default(omit)]|default(false))
 
  - name: Retain the PKI prompt
- pause:
+ ansible.builtin.pause:
  prompt: |
  Do you want to retain the keys (PKI)? (required to add users in the future, but less secure)
  [y/N]
@@ -91,23 +92,23 @@
  - ipsec_enabled
 
  - name: DNS adblocking prompt
- pause:
+ ansible.builtin.pause:
  prompt: |
  Do you want to enable DNS ad blocking on this VPN server?
  [y/N]
  register: _dns_adblocking
  when: dns_adblocking is undefined
 
  - name: SSH tunneling prompt
- pause:
+ ansible.builtin.pause:
  prompt: |
  Do you want each user to have their own account for SSH tunneling?
  [y/N]
  register: _ssh_tunneling
  when: ssh_tunneling is undefined
 
  - name: Set facts based on the input
- set_fact:
+ ansible.builtin.set_fact:
  algo_server_name: >-
  {% if server_name is defined %}{% set _server = server_name %}
  {%- elif _algo_server_name.user_input is defined and _algo_server_name.user_input|length > 0 -%}
@@ -140,4 +141,4 @@
  {%- elif _store_pki.user_input is defined %}{{ booleans_map[_store_pki.user_input] | default(defaults['store_pki']) }}
  {%- else %}false{% endif %}{% endif %}
  rescue:
- - include_tasks: playbooks/rescue.yml
+ - ansible.builtin.include_tasks: tasks/rescue.yml
@@ -1,28 +1,30 @@
 ---
-- hosts: localhost
+- name: Main playbook
+ hosts: localhost
  become: false
  tasks:
  - name: Playbook dir stat
- stat:
+ ansible.builtin.stat:
  path: "{{ playbook_dir }}"
  register: _playbook_dir
 
  - name: Ensure Ansible is not being run in a world writable directory
- assert:
+ ansible.builtin.assert:
  that: _playbook_dir.stat.mode|int <= 775
  msg: >
  Ansible is being run in a world writable directory ({{ playbook_dir }}), ignoring it as an ansible.cfg source.
  For more information see https://docs.ansible.com/ansible/devel/reference_appendices/config.html#cfg-in-world-writable-dir
 
  - name: Ensure the requirements installed
- debug:
+ ansible.builtin.debug:
  msg: "{{ '' | ipaddr }}"
  ignore_errors: true
  no_log: true
  register: ipaddr
 
+ # FIXME! failing if another matching pattern in requirements.txt aka ansible-lint
  - name: Set required ansible version as a fact
- set_fact:
+ ansible.builtin.set_fact:
  required_ansible_version: "{{ item | regex_replace('^ansible[\\s+]?(?P<op>[=,>,<]+)[\\s+]?(?P<ver>\\d.\\d+(.\\d+)?)$', '{\"op\": \"\\g<op>\",\"ver\"\
  : \"\\g<ver>\" }') }}"
  when: '"ansible" in item'
@@ -33,15 +35,15 @@
  register: pip_package_info
 
  - name: Verify Python meets Algo VPN requirements
- assert:
+ ansible.builtin.assert:
  that: (ansible_python.version.major|string + '.' + ansible_python.version.minor|string) is version('3.8', '>=')
  msg: >
  Python version is not supported.
  You must upgrade to at least Python 3.8 to use this version of Algo.
  See for more details - https://trailofbits.github.io/algo/troubleshooting.html#python-version-is-not-supported
 
  - name: Verify Ansible meets Algo VPN requirements
- assert:
+ ansible.builtin.assert:
  that:
  - pip_package_info.packages.pip.ansible.0.version is version(required_ansible_version.ver, required_ansible_version.op)
  - not ipaddr.failed

@@ -1,3 +1,3 @@
-ansible==6.1.0
+ansible==8.3.0
 jinja2~=3.0.3
 netaddr
@@ -0,0 +1,12 @@
+---
+
+collections:
+ - community.general
+ - community.aws
+ - community.digitalocean
+ - amazon.aws
+ - azure.azcollection
+ - google.cloud
+ - hetzner.hcloud
+ - ngine_io.cloudstack
+ - vultr.cloud
@@ -1,3 +1,5 @@
 ---
-- name: restart strongswan
- service: name={{ strongswan_service }} state=restarted
+- name: Restart strongswan
+ ansible.builtin.service:
+ name: "{{ strongswan_service }}"
+ state: restarted
@@ -1,11 +1,13 @@
 ---
 - name: Gather Facts
- setup:
+ ansible.builtin.setup:
 - name: Include system based facts and tasks
- import_tasks: systems/main.yml
+ ansible.builtin.import_tasks: systems/main.yml
 
 - name: Install prerequisites
- package: name="{{ item }}" state=present
+ ansible.builtin.package:
+ name: "{{ item }}"
+ state: present
  with_items:
  - "{{ prerequisites }}"
  register: result
@@ -14,34 +16,36 @@
  delay: 3
 
 - name: Install strongSwan
- package: name=strongswan state=present
+ ansible.builtin.package:
+ name: strongswan
+ state: present
  register: result
  until: result is succeeded
  retries: 10
  delay: 3
 
 - name: Setup the ipsec config
- template:
+ ansible.builtin.template:
  src: roles/strongswan/templates/client_ipsec.conf.j2
  dest: "{{ configs_prefix }}/ipsec.{{ IP_subject_alt_name }}.conf"
  mode: "0644"
  with_items:
  - "{{ vpn_user }}"
  notify:
- - restart strongswan
+ - Restart strongswan
 
 - name: Setup the ipsec secrets
- template:
+ ansible.builtin.template:
  src: roles/strongswan/templates/client_ipsec.secrets.j2
  dest: "{{ configs_prefix }}/ipsec.{{ IP_subject_alt_name }}.secrets"
  mode: "0600"
  with_items:
  - "{{ vpn_user }}"
  notify:
- - restart strongswan
+ - Restart strongswan
 
 - name: Include additional ipsec config
- lineinfile:
+ ansible.builtin.lineinfile:
  dest: "{{ item.dest }}"
  line: "{{ item.line }}"
  create: true
@@ -51,26 +55,30 @@
  - dest: "{{ configs_prefix }}/ipsec.secrets"
  line: include ipsec.{{ IP_subject_alt_name }}.secrets
  notify:
- - restart strongswan
+ - Restart strongswan
 
 - name: Configure libstrongswan to relax CA constraints
- copy:
+ ansible.builtin.copy:
  src: libstrongswan-relax-constraints.conf
  dest: "{{ configs_prefix }}/strongswan.d/relax-ca-constraints.conf"
  owner: root
  group: root
- mode: 0644
+ mode: "0644"
 
 - name: Setup the certificates and keys
- template:
+ ansible.builtin.template:
  src: "{{ item.src }}"
  dest: "{{ item.dest }}"
+ mode: "{{ item.mode }}"
  with_items:
  - src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/certs/{{ vpn_user }}.crt
  dest: "{{ configs_prefix }}/ipsec.d/certs/{{ vpn_user }}.crt"
+ mode: "0644"
  - src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/cacert.pem
  dest: "{{ configs_prefix }}/ipsec.d/cacerts/{{ IP_subject_alt_name }}.pem"
+ mode: "0644"
  - src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/private/{{ vpn_user }}.key
  dest: "{{ configs_prefix }}/ipsec.d/private/{{ vpn_user }}.key"
+ mode: "0600"
  notify:
- - restart strongswan
+ - Restart strongswan
@@ -1,6 +1,6 @@
 ---
 - name: Set OS specific facts
- set_fact:
+ ansible.builtin.set_fact:
  prerequisites:
  - epel-release
  configs_prefix: /etc/strongswan
@@ -1,6 +1,6 @@
 ---
 - name: Set OS specific facts
- set_fact:
+ ansible.builtin.set_fact:
  prerequisites:
  - libstrongswan-standard-plugins
  configs_prefix: /etc
@@ -1,6 +1,6 @@
 ---
 - name: Set OS specific facts
- set_fact:
+ ansible.builtin.set_fact:
  prerequisites:
  - libselinux-python
  configs_prefix: /etc/strongswan
@@ -1,6 +1,6 @@
 ---
 - name: Set OS specific facts
- set_fact:
+ ansible.builtin.set_fact:
  prerequisites:
  - libstrongswan-standard-plugins
  configs_prefix: /etc