Merge 2ca2d8c4e2 into 2170a8ff25

.travis.yml

@@ -10,14 +10,14 @@ matrix:
 addons:
   apt:
     sources:
-    - sourceline: 'ppa:ubuntu-lxc/stable'
+      - sourceline: 'ppa:ubuntu-lxc/stable'
     packages:
-    - python-pip
+      - python-pip
-    - lxc
+      - lxc
-    - lxc-templates
+      - lxc-templates
-    - expect-dev
+      - expect-dev
-    - debootstrap
+      - debootstrap
-    - shellcheck
+      - shellcheck
 
 cache:
   directories:
@@ -34,6 +34,7 @@ env:
   - LXC_NAME=ubuntu1704 LXC_DISTRO=ubuntu LXC_RELEASE=zesty
 
 install:
+  - pip install ansible-lint
   - sudo tar xf $HOME/lxc/cache.tar -C / || echo "Didn't extract cache."
   - export LXC_ROOTFS=/var/lib/lxc/$LXC_NAME/rootfs
   - 'sudo lxc-create -n $LXC_NAME -t ubuntu -- -r $LXC_RELEASE --mirror http://mirrors.us.kernel.org/ubuntu --packages python || true'
@@ -49,8 +50,8 @@ install:
 
 script:
   - awesome_bot --allow-dupe --skip-save-results *.md docs/*.md --white-list paypal.com,do.co,microsoft.com,https://github.com/trailofbits/algo/archive/master.zip,https://github.com/trailofbits/algo/issues/new
-#  - shellcheck algo
+  - shellcheck algo
-#  - ansible-lint deploy.yml users.yml deploy_client.yml
+  - ansible-lint deploy.yml users.yml deploy_client.yml
   - ansible-playbook deploy.yml --syntax-check
   - ansible-playbook deploy.yml -t local,vpn,dns,ssh_tunneling,security,tests -e "server_ip=$LXC_IP server_user=root IP_subject_alt_name=$LXC_IP local_dns=Y"
 

algo

@@ -5,7 +5,8 @@ set -e
 ACTIVATE_SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )/env/bin/activate"
 if [ -f "$ACTIVATE_SCRIPT" ]
 then
-	source $ACTIVATE_SCRIPT
+	# shellcheck disable=SC1090
+	source "$ACTIVATE_SCRIPT"
 else
 	echo "$ACTIVATE_SCRIPT not found.  Did you follow documentation to install dependencies?"
 	exit 1
@@ -176,7 +177,7 @@ Enter the number of your desired region:
   esac
 
   ROLES="azure vpn cloud"
-  EXTRA_VARS="azure_secret=$azure_secret azure_tenant=$azure_tenant azure_client_id=$azure_client_id azure_subscription_id=$azure_subscription_id azure_server_name=$azure_server_name ssh_public_key=$ssh_public_key region=$region"
+  EXTRA_VARS="azure_secret=$azure_secret azure_tenant=$azure_tenant azure_client_id=$azure_client_id azure_subscription_id=$azure_subscription_id azure_server_name=$azure_server_name region=$region"
 }
 
 digitalocean () {
@@ -287,7 +288,7 @@ Enter the number of your desired region:
   esac
 
   ROLES="ec2 vpn cloud"
-  EXTRA_VARS="aws_access_key=$aws_access_key aws_secret_key=$aws_secret_key aws_server_name=$aws_server_name ssh_public_key=$ssh_public_key region=$region"
+  EXTRA_VARS="aws_access_key=$aws_access_key aws_secret_key=$aws_secret_key aws_server_name=$aws_server_name region=$region"
 }
 
 gce () {
@@ -372,7 +373,7 @@ Please choose the number of your zone. Press enter for default (#14) zone.
   esac
 
   ROLES="gce vpn cloud"
-  EXTRA_VARS="credentials_file=$credentials_file server_name=$server_name ssh_public_key=$ssh_public_key zone=$zone max_mss=1316"
+  EXTRA_VARS="credentials_file=$credentials_file server_name=$server_name zone=$zone max_mss=1316"
 }
 
 non_cloud () {

deploy.yml

@@ -19,7 +19,7 @@
         - debug: var=fail_hint
           tags: always
         - fail:
-          tags: always
+          tags: [ 'always', 'skip_ansible_lint' ]
 
   roles:
     - { role: cloud-digitalocean, tags: ['digitalocean'] }
@@ -38,7 +38,7 @@
         - debug: var=fail_hint
           tags: always
         - fail:
-          tags: always
+          tags: [ 'always', 'skip_ansible_lint' ]
 
 - name: Configure the server and install required software
   hosts: vpn-host
@@ -57,7 +57,7 @@
         - debug: var=fail_hint
           tags: always
         - fail:
-          tags: always
+          tags: [ 'always', 'skip_ansible_lint' ]
 
   roles:
     - { role: security, tags: [ 'security' ] }
@@ -93,4 +93,4 @@
         - debug: var=fail_hint
           tags: always
         - fail:
-          tags: always
+          tags: [ 'always', 'skip_ansible_lint' ]

deploy_client.yml

@@ -24,6 +24,7 @@
     - name: Get the OS
       raw: uname -a
       register: distribution
+      changed_when: false
 
     - name: Modify the server name fact
       set_fact:

roles/client/tasks/main.yml

@@ -1,3 +1,5 @@
+---
+
 - name: Gather Facts
   setup:
 

roles/client/tasks/systems/CentOS.yml

@@ -1,6 +1,7 @@
 ---
 
-- set_fact:
+- name: Set system-based facts
+  set_fact:
     prerequisites:
       - epel-release
     configs_prefix: /etc/strongswan/

roles/client/tasks/systems/Debian.yml

@@ -1,5 +1,6 @@
 ---
 
-- set_fact:
+- name: Set system-based facts
+  set_fact:
     prerequisites: []
     configs_prefix: /etc/

roles/client/tasks/systems/Fedora.yml

@@ -1,6 +1,7 @@
 ---
 
-- set_fact:
+- name: Set system-based facts
+  set_fact:
     prerequisites:
       - libselinux-python
     configs_prefix: /etc/strongswan/

roles/client/tasks/systems/Ubuntu.yml

@@ -1,5 +1,6 @@
 ---
 
-- set_fact:
+- name: Set system-based facts
+  set_fact:
     prerequisites: []
     configs_prefix: /etc/

roles/cloud-azure/tasks/main.yml

@@ -1,6 +1,7 @@
 ---
 - block:
-    - set_fact:
+    - name: Extract credentials
+      set_fact:
         resource_group: "Algo_{{ region }}"
         secret: "{{ azure_secret | default(lookup('env','AZURE_SECRET'), true) }}"
         tenant: "{{ azure_tenant | default(lookup('env','AZURE_TENANT'), true) }}"
@@ -94,7 +95,8 @@
 
       # To-do: Add error handling - if vm_size requested is not available, can we fall back to another, ideally with a prompt?
 
-    - set_fact:
+    - name: Set network facts
+      set_fact:
         ip_address: "{{ azure_rm_virtualmachine.ansible_facts.azure_vm.properties.networkProfile.networkInterfaces[0].properties.ipConfigurations[0].properties.publicIPAddress.properties.ipAddress }}"
         networkinterface_name: "{{ azure_rm_virtualmachine.ansible_facts.azure_vm.properties.networkProfile.networkInterfaces[0].name }}"
 
@@ -120,7 +122,8 @@
         cloud_provider: azure
         ipv6_support: no
 
-    - set_fact:
+    - name: Set the instance IP
+      set_fact:
         cloud_instance_ip: "{{ ip_address }}"
 
     - name: Ensure the group azure exists in the dynamic inventory file
@@ -140,4 +143,4 @@
     - debug: var=fail_hint
       tags: always
     - fail:
-      tags: always
+      tags: [ 'always', 'skip_ansible_lint' ]

roles/cloud-digitalocean/tasks/main.yml

@@ -66,7 +66,8 @@
         cloud_provider: digitalocean
         ipv6_support: true
 
-    - set_fact:
+    - name: Set the instance IP
+      set_fact:
         cloud_instance_ip: "{{ do.droplet.ip_address }}"
 
     - name: Tag the droplet
@@ -105,4 +106,4 @@
     - debug: var=fail_hint
       tags: always
     - fail:
-      tags: always
+      tags: [ 'always', 'skip_ansible_lint' ]

roles/cloud-ec2/tasks/encrypt_image.yml

@@ -12,7 +12,8 @@
     region: "{{ region }}"
   register: search_crypt
 
-- set_fact:
+- name: Set the Image ID
+  set_fact:
     ami_image: "{{ search_crypt.results[0].ami_id }}"
   when: search_crypt.results
 
@@ -32,6 +33,7 @@
   register: enc_image
   when: not search_crypt.results
 
-- set_fact:
+- name: Set the Image ID
+  set_fact:
     ami_image: "{{ enc_image.image_id }}"
   when: not search_crypt.results

roles/cloud-ec2/tasks/main.yml

@@ -1,5 +1,6 @@
 - block:
-    - set_fact:
+    - name: Extract credentials
+      set_fact:
         access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'), true) }}"
         secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'), true) }}"
         stack_name: "{{ aws_server_name | replace('.', '-') }}"
@@ -16,7 +17,8 @@
         region: "{{ region }}"
       register: ami_search
 
-    - set_fact:
+    - name: Set the Image ID
+      set_fact:
         ami_image: "{{ ami_search.results[0].ami_id }}"
 
     - include: encrypt_image.yml
@@ -34,7 +36,8 @@
         cloud_provider: ec2
         ipv6_support: yes
 
-    - set_fact:
+    - name: Set the instance IP
+      set_fact:
         cloud_instance_ip: "{{ stack.stack_outputs.ElasticIP }}"
 
     - name: Get EC2 instances
@@ -66,4 +69,4 @@
     - debug: var=fail_hint
       tags: always
     - fail:
-      tags: always
+      tags: [ 'always', 'skip_ansible_lint' ]

roles/cloud-gce/tasks/main.yml

@@ -1,20 +1,23 @@
 - block:
-    - set_fact:
+    - name: Extract credentials
+      set_fact:
         credentials_file_path: "{{ credentials_file | default(lookup('env','GCE_CREDENTIALS_FILE_PATH'), true) }}"
         ssh_public_key_lookup: "{{ lookup('file', '{{ SSH_keys.public }}') }}"
 
-    - set_fact:
+    - name: Extract credentials
+      set_fact:
         credentials_file_lookup: "{{ lookup('file', '{{ credentials_file_path }}') }}"
 
-    - set_fact:
+    - name: Extract credentials
+      set_fact:
         service_account_email: "{{ credentials_file_lookup.client_email | default(lookup('env','GCE_EMAIL')) }}"
         project_id: "{{ credentials_file_lookup.project_id | default(lookup('env','GCE_PROJECT')) }}"
 
     - name: Network configured
       gce_net:
-        name: "algo-{{ server_name }}"
+        name: "algo-net-{{ server_name }}"
-        fwname: "algo-{{ server_name }}-fw"
+        fwname: "algo-net-{{ server_name }}-fw"
-        allowed: "udp:500,4500;tcp:22;icmp"
+        allowed: "udp:500,4500;tcp:22"
         state: "present"
         mode: auto
         src_range: 0.0.0.0/0
@@ -47,7 +50,8 @@
         cloud_provider: gce
         ipv6_support: no
 
-    - set_fact:
+    - name: Set the instance IP
+      set_fact:
         cloud_instance_ip: "{{ google_vm.instance_data[0].public_ip }}"
 
     - name: Ensure the group gce exists in the dynamic inventory file
@@ -67,4 +71,4 @@
     - debug: var=fail_hint
       tags: always
     - fail:
-      tags: always
+      tags: [ 'always', 'skip_ansible_lint' ]

roles/common/tasks/freebsd.yml

@@ -1,6 +1,7 @@
 ---
 
-- set_fact:
+- name: Set system-based facts
+  set_fact:
     tools:
       - git
       - subversion
@@ -48,5 +49,6 @@
   shell: >
     kldstat -n ipfw.ko || kldload ipfw ; sysctl net.inet.ip.fw.enable=0 &&
     bash /etc/rc.firewall && sysctl net.inet.ip.fw.enable=1
+  changed_when: false
 
 - meta: flush_handlers

roles/common/tasks/main.yml

@@ -25,4 +25,4 @@
     - debug: var=fail_hint
       tags: always
     - fail:
-      tags: always
+      tags: [ 'always', 'skip_ansible_lint' ]

roles/common/tasks/ubuntu.yml

@@ -11,6 +11,7 @@
   args:
     executable: /bin/bash
   register: reboot_required
+  changed_when: "'required' in reboot_required.stdout"
   tags:
     - cloud
 
@@ -63,15 +64,18 @@
     - always
 
 - name: Check apparmor support
-  shell: apparmor_status
+  command: apparmor_status
   ignore_errors: yes
+  changed_when: false
   register: apparmor_status
 
-- set_fact:
+- name: Seth the apparmor fact
+  set_fact:
     apparmor_enabled: true
-  when: '"profiles are in enforce mode" in apparmor_status.stdout'
+  when: apparmor_status|succeeded
 
-- set_fact:
+- name: Set system-based facts
+  set_fact:
     tools:
       - git
       - screen

roles/dns_adblocking/handlers/main.yml

@@ -1,5 +1,7 @@
+---
+
 - name: restart dnsmasq
-  service: name=dnsmasq state=restarted
+  service: name=dnsmasq state=restarted daemon_reload=yes
 
 - name: restart apparmor
-  service: name=apparmor state=restarted
+  service: name=apparmor state=restarted daemon_reload=yes

roles/dns_adblocking/tasks/main.yml

@@ -1,6 +1,5 @@
 ---
 - block:
-
     - name: The DNS tag is defined
       set_fact:
         local_dns: Y
@@ -44,8 +43,9 @@
         user: dnsmasq
 
     - name: Update adblock hosts
-      shell: >
+      command: /usr/local/sbin/adblock.sh
-        sudo -u dnsmasq "/usr/local/sbin/adblock.sh"
+      become: true
+      become_user: dnsmasq
 
     - meta: flush_handlers
 
@@ -58,4 +58,4 @@
     - debug: var=fail_hint
       tags: always
     - fail:
-      tags: always
+      tags: [ 'always', 'skip_ansible_lint' ]

roles/dns_adblocking/tasks/ubuntu.yml

@@ -12,7 +12,9 @@
     - restart dnsmasq
 
 - name: Ubuntu | Enforce the dnsmasq AppArmor policy
-  shell: aa-enforce usr.sbin.dnsmasq
+  command: aa-enforce usr.sbin.dnsmasq
+  register: output
+  changed_when: false
   when: apparmor_enabled is defined and apparmor_enabled == true
   tags: ['apparmor']
 
@@ -29,5 +31,4 @@
     src: 100-CustomLimitations.conf.j2
     dest: /etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf
   notify:
-    - daemon-reload
     - restart dnsmasq

roles/local/tasks/main.yml

@@ -19,7 +19,8 @@
         cloud_provider: local
       when: server_ip == "localhost"
 
-    - set_fact:
+    - name: Set the instance IP
+      set_fact:
         cloud_instance_ip: "{{ server_ip }}"
 
     - name: Ensure the group local exists in the dynamic inventory file
@@ -39,4 +40,4 @@
     - debug: var=fail_hint
       tags: always
     - fail:
-      tags: always
+      tags: [ 'always', 'skip_ansible_lint' ]

roles/security/tasks/main.yml

@@ -4,6 +4,7 @@
       apt: name="{{ item }}" state=latest
       with_items:
         - unattended-upgrades
+      tags: skip_ansible_lint
 
     - name: Configure unattended-upgrades
       template:
@@ -165,4 +166,4 @@
     - debug: var=fail_hint
       tags: always
     - fail:
-      tags: always
+      tags: [ 'always', 'skip_ansible_lint' ]

roles/ssh_tunneling/tasks/main.yml

@@ -102,4 +102,4 @@
     - debug: var=fail_hint
       tags: always
     - fail:
-      tags: always
+      tags: [ 'always', 'skip_ansible_lint' ]

roles/vpn/handlers/main.yml

@@ -1,17 +1,17 @@
-- name: restart strongswan
+---
-  service: name=strongswan state=restarted
 
-- name: daemon-reload
+- name: restart strongswan
-  shell: systemctl daemon-reload
+  systemd: name=strongswan state=restarted daemon_reload=yes
 
 - name: restart apparmor
   service: name=apparmor state=restarted
 
 - name: save iptables
-  shell: service netfilter-persistent save
+  command: service netfilter-persistent save
+  tags: skip_ansible_lint
 
 - name: restart iptables
   service: name=netfilter-persistent state=restarted
 
 - name: rereadcrls
-  shell: ipsec rereadcrls
+  command: ipsec rereadcrls

roles/vpn/tasks/client_configs.yml

@@ -3,6 +3,7 @@
 - name: Register p12 PayloadContent
   shell: cat private/{{ item }}.p12 | base64
   register:  PayloadContent
+  changed_when: false
   args:
     chdir: "configs/{{ IP_subject_alt_name }}/pki/"
   with_items: "{{ users }}"

roles/vpn/tasks/freebsd.yml

@@ -70,6 +70,7 @@
 
     - fail:
         msg: "Something went wrong. Check the debug output above."
+      tags: skip_ansible_lint
 
 - block:
     - name: FreeBSD / HardenedBSD | The kernel is being built...
@@ -97,6 +98,7 @@
 
     - fail:
         msg: "Something went wrong. Check the debug output above."
+      tags: skip_ansible_lint
 
 - name: FreeBSD / HardenedBSD | Reboot
   shell: sleep 2 && shutdown -r now

roles/vpn/tasks/ipec_configuration.yml

@@ -30,6 +30,7 @@
   shell: >
     find {{ config_prefix|default('/') }}etc/strongswan.d/charon/ -type f -name '*.conf' -exec basename {} \; | cut -f1 -d.
   register: strongswan_plugins
+  changed_when: false
 
 - name: Disable unneeded plugins
   lineinfile:

roles/vpn/tasks/main.yml

@@ -32,4 +32,4 @@
     - debug: var=fail_hint
       tags: always
     - fail:
-      tags: always
+      tags: [ 'always', 'skip_ansible_lint' ]

roles/vpn/tasks/openssl.yml

@@ -52,6 +52,7 @@
       creates: "{{ IP_subject_alt_name }}_ca_generated"
     environment:
       subjectAltName: "DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}"
+    tags: skip_ansible_lint
 
   - name: Copy the CA certificate
     copy:
@@ -64,6 +65,7 @@
     args:
       chdir: "configs/{{ IP_subject_alt_name }}/pki/"
       creates: serial_generated
+    tags: skip_ansible_lint
 
   - name: Build the server pair
     shell: >
@@ -86,6 +88,7 @@
       creates: certs/{{ IP_subject_alt_name }}_crt_generated
     environment:
       subjectAltName: "DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}"
+    tags: skip_ansible_lint
 
   - name: Build the client's pair
     shell: >
@@ -109,6 +112,7 @@
     environment:
       subjectAltName: "DNS:{{ item }}"
     with_items: "{{ users }}"
+    tags: skip_ansible_lint
 
   - name: Build the client's p12
     shell: >
@@ -124,6 +128,7 @@
       chdir: "configs/{{ IP_subject_alt_name }}/pki/"
     with_items: "{{ users }}"
     register: p12
+    tags: skip_ansible_lint
 
   - name: Copy the p12 certificates
     copy:
@@ -142,6 +147,7 @@
     args:
       chdir: "configs/{{ IP_subject_alt_name }}/pki/"
     register: valid_certs
+    tags: skip_ansible_lint
 
   - name: Revoke non-existing users
     shell: >
@@ -157,6 +163,7 @@
       subjectAltName: "DNS:{{ item }}"
     when: item not in users
     with_items: "{{ valid_certs.stdout_lines }}"
+    tags: skip_ansible_lint
 
   delegate_to: localhost
   become: no

roles/vpn/tasks/ubuntu.yml

@@ -1,6 +1,7 @@
 ---
 
-- set_fact:
+- name: Set system-based facts
+  set_fact:
     strongswan_additional_plugins: []
 
 - name: Ubuntu | Install strongSwan
@@ -9,9 +10,10 @@
     state: latest
     update_cache: yes
     install_recommends: yes
+  tags: skip_ansible_lint
 
 - name: Ubuntu | Enforcing ipsec with apparmor
-  shell: aa-enforce "{{ item }}"
+  command: aa-enforce "{{ item }}"
   when: apparmor_enabled is defined and apparmor_enabled == true
   with_items:
     - /usr/lib/ipsec/charon
@@ -41,7 +43,6 @@
     src: 100-CustomLimitations.conf.j2
     dest: /etc/systemd/system/strongswan.service.d/100-CustomLimitations.conf
   notify:
-    - daemon-reload
     - restart strongswan
 
 - include: iptables.yml

users.yml

@@ -33,7 +33,7 @@
         - debug: var=fail_hint
           tags: always
         - fail:
-          tags: always
+          tags: [ 'always', 'skip_ansible_lint' ]
 
 - name: User management
   hosts: vpn-host
@@ -51,7 +51,7 @@
         - debug: var=fail_hint
           tags: always
         - fail:
-          tags: always
+          tags: [ 'always', 'skip_ansible_lint' ]
 
   roles:
     - { role: ssh_tunneling, tags: always, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" }
@@ -68,4 +68,4 @@
         - debug: var=fail_hint
           tags: always
         - fail:
-          tags: always
+          tags: [ 'always', 'skip_ansible_lint' ]