diff --git a/.ansible-lint b/.ansible-lint index 8df42e1..bbc1dbe 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -19,18 +19,27 @@ skip_list: - 'yaml[document-start]' # YAML document start - 'role-name' # Role naming convention - too many cloud-* roles - 'no-handler' # Handler usage - some legitimate non-handler use cases + - 'name[missing]' # All tasks should be named - 113 issues to fix (temporary) warn_list: - no-changed-when - yaml[line-length] - risky-file-permissions - - name[missing] # Enable additional rules enable_list: - no-log-password - no-same-owner - partial-become + - name[play] # All plays should be named + - yaml[new-line-at-end-of-file] # Files should end with newline + +# Rules we're actively working on fixing +# Move these from skip_list to enable_list as we fix them +# - 'name[missing]' # All tasks should be named - 113 issues to fix +# - 'no-changed-when' # Commands should not change things +# - 'yaml[line-length]' # Line length limit +# - 'risky-file-permissions' # File permissions verbosity: 1 diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index 254b45f..3a95305 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -27,8 +27,7 @@ jobs: - name: Run ansible-lint run: | - # Run with || true temporarily while we make the linter less strict - ansible-lint -v *.yml roles/{local,cloud-*}/*/*.yml || true + ansible-lint -v *.yml roles/{local,cloud-*}/*/*.yml yaml-lint: name: YAML linting diff --git a/install.sh b/install.sh index aad6b31..ec30c3a 100644 --- a/install.sh +++ b/install.sh @@ -47,9 +47,9 @@ publicIpFromInterface() { tryGetMetadata() { # Helper function to fetch metadata with retry - local url="$1" - local headers="$2" - local response="" + url="$1" + headers="$2" + response="" # Try up to 2 times for attempt in 1 2; do diff --git a/main.yml b/main.yml index 1b68d4c..bea2af9 100644 --- a/main.yml +++ b/main.yml @@ -1,5 +1,6 @@ --- -- hosts: localhost +- name: Algo VPN Setup + hosts: localhost become: false tasks: - name: Playbook dir stat diff --git a/requirements.yml b/requirements.yml index 41bed6b..f1afede 100644 --- a/requirements.yml +++ b/requirements.yml @@ -3,4 +3,4 @@ collections: - name: ansible.posix - name: community.general - name: community.crypto - - name: openstack.cloud \ No newline at end of file + - name: openstack.cloud diff --git a/roles/common/tasks/ubuntu.yml b/roles/common/tasks/ubuntu.yml index 15d2d91..9eb92dc 100644 --- a/roles/common/tasks/ubuntu.yml +++ b/roles/common/tasks/ubuntu.yml @@ -25,7 +25,7 @@ async: 1 poll: 0 when: reboot_required is defined and reboot_required.stdout == 'required' - ignore_errors: true + failed_when: false - name: Wait until the server becomes ready... wait_for_connection: diff --git a/roles/local/tasks/prompts.yml b/roles/local/tasks/prompts.yml index 76d2a4e..88c65ff 100644 --- a/roles/local/tasks/prompts.yml +++ b/roles/local/tasks/prompts.yml @@ -1,15 +1,14 @@ --- - pause: - prompt: "{{ item }}" + prompt: | + https://trailofbits.github.io/algo/deploy-to-ubuntu.html + + Local installation might break your server. Use at your own risk. + + Proceed? Press ENTER to continue or CTRL+C and A to abort... when: not tests|default(false)|bool tags: - skip_ansible_lint - with_items: | - https://trailofbits.github.io/algo/deploy-to-ubuntu.html - - Local installation might break your server. Use at your own risk. - - Proceed? Press ENTER to continue or CTRL+C and A to abort... - pause: prompt: | diff --git a/roles/strongswan/tasks/openssl.yml b/roles/strongswan/tasks/openssl.yml index f51a74d..bdbc3db 100644 --- a/roles/strongswan/tasks/openssl.yml +++ b/roles/strongswan/tasks/openssl.yml @@ -212,12 +212,14 @@ - "{{ users }}" - name: Get active users - shell: > + shell: | + set -o pipefail grep ^V index.txt | grep -v "{{ IP_subject_alt_name }}" | awk '{print $5}' | sed 's/\/CN=//g' args: + executable: /bin/bash chdir: "{{ ipsec_pki_path }}" register: valid_certs diff --git a/users.yml b/users.yml index 3545da5..02aa55a 100644 --- a/users.yml +++ b/users.yml @@ -1,5 +1,6 @@ --- -- hosts: localhost +- name: Manage VPN Users + hosts: localhost gather_facts: false tags: always vars_files: