From 4479c0318a83c1495f21500e8ebc00734af8282d Mon Sep 17 00:00:00 2001
From: Dan Guido <dan@trailofbits.com>
Date: Wed, 6 Aug 2025 21:41:31 -0700
Subject: [PATCH] Fix StrongSwan handlers - handlers cannot be blocks
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Ansible handlers cannot be blocks. Fixed by:

1. Making each handler a separate task that can notify the next handler
2. restart strongswan -> notifies -> wait for strongswan
3. rereadcrls -> notifies -> purgecrls

This maintains the proper execution order while conforming to Ansible's
handler constraints. The wait and retry logic is preserved.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 roles/strongswan/handlers/main.yml | 36 ++++++++++++++----------------
 1 file changed, 17 insertions(+), 19 deletions(-)

diff --git a/roles/strongswan/handlers/main.yml b/roles/strongswan/handlers/main.yml
index 21756e28..462a9256 100644
--- a/roles/strongswan/handlers/main.yml
+++ b/roles/strongswan/handlers/main.yml
@@ -1,16 +1,15 @@
 ---
 - name: restart strongswan
-  block:
-    - name: restart strongswan service
-      service: name={{ strongswan_service }} state=restarted
+  service: name={{ strongswan_service }} state=restarted
+  notify: wait for strongswan
 
-    - name: wait for strongswan to be ready
-      wait_for:
-        port: 500
-        host: 127.0.0.1
-        delay: 2
-        timeout: 30
-        state: started
+- name: wait for strongswan
+  wait_for:
+    port: 500
+    host: 127.0.0.1
+    delay: 2
+    timeout: 30
+    state: started
 
 - name: daemon-reload
   systemd: daemon_reload=true
@@ -19,13 +18,12 @@
   service: name=apparmor state=restarted
 
 - name: rereadcrls
-  block:
-    - name: reload certificate revocation lists
-      command: ipsec rereadcrls
-      register: rereadcrls_result
-      retries: 3
-      delay: 2
-      until: rereadcrls_result.rc == 0
+  command: ipsec rereadcrls
+  register: rereadcrls_result
+  retries: 3
+  delay: 2
+  until: rereadcrls_result.rc == 0
+  notify: purgecrls
 
-    - name: purge old certificate revocation lists
-      command: ipsec purgecrls
+- name: purgecrls
+  command: ipsec purgecrls