diff --git a/.travis.yml b/.travis.yml index 98ba83b7..7720e4db 100644 --- a/.travis.yml +++ b/.travis.yml @@ -10,14 +10,14 @@ matrix: addons: apt: sources: - - sourceline: 'ppa:ubuntu-lxc/stable' + - sourceline: 'ppa:ubuntu-lxc/stable' packages: - - python-pip - - lxc - - lxc-templates - - expect-dev - - debootstrap - - shellcheck + - python-pip + - lxc + - lxc-templates + - expect-dev + - debootstrap + - shellcheck cache: directories: @@ -34,6 +34,7 @@ env: - LXC_NAME=ubuntu1704 LXC_DISTRO=ubuntu LXC_RELEASE=zesty install: + - pip install ansible-lint - sudo tar xf $HOME/lxc/cache.tar -C / || echo "Didn't extract cache." - export LXC_ROOTFS=/var/lib/lxc/$LXC_NAME/rootfs - 'sudo lxc-create -n $LXC_NAME -t ubuntu -- -r $LXC_RELEASE --mirror http://mirrors.us.kernel.org/ubuntu --packages python || true' @@ -49,8 +50,8 @@ install: script: - awesome_bot --allow-dupe --skip-save-results *.md docs/*.md --white-list paypal.com,do.co,microsoft.com,https://github.com/trailofbits/algo/archive/master.zip,https://github.com/trailofbits/algo/issues/new -# - shellcheck algo -# - ansible-lint deploy.yml users.yml deploy_client.yml + - shellcheck algo + - ansible-lint deploy.yml users.yml deploy_client.yml - ansible-playbook deploy.yml --syntax-check - ansible-playbook deploy.yml -t local,vpn,dns,ssh_tunneling,security,tests -e "server_ip=$LXC_IP server_user=root IP_subject_alt_name=$LXC_IP local_dns=Y" diff --git a/algo b/algo index 6aeb6897..179f0798 100755 --- a/algo +++ b/algo @@ -5,7 +5,8 @@ set -e ACTIVATE_SCRIPT="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )/env/bin/activate" if [ -f "$ACTIVATE_SCRIPT" ] then - source $ACTIVATE_SCRIPT + # shellcheck disable=SC1090 + source "$ACTIVATE_SCRIPT" else echo "$ACTIVATE_SCRIPT not found. Did you follow documentation to install dependencies?" exit 1 
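Review bot: The added `- pip install ansible-lint` step in the `install:` hunk of .travis.yml is unpinned, so the lint gate this commit switches on runs whatever release and dependency tree is current at build time. A new upstream release can then change the CI result, or what gets executed on the build host, without any change in the repository. Pinning to the version the playbooks were cleaned up against, e.g. `- pip install ansible-lint==<PINNED_VERSION>`, keeps the check reproducible and makes upgrades an explicit, reviewable change.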
@@ -176,7 +177,7 @@ Enter the number of your desired region: esac ROLES="azure vpn cloud" - EXTRA_VARS="azure_secret=$azure_secret azure_tenant=$azure_tenant azure_client_id=$azure_client_id azure_subscription_id=$azure_subscription_id azure_server_name=$azure_server_name ssh_public_key=$ssh_public_key region=$region" + EXTRA_VARS="azure_secret=$azure_secret azure_tenant=$azure_tenant azure_client_id=$azure_client_id azure_subscription_id=$azure_subscription_id azure_server_name=$azure_server_name region=$region" } digitalocean () { @@ -287,7 +288,7 @@ Enter the number of your desired region: esac ROLES="ec2 vpn cloud" - EXTRA_VARS="aws_access_key=$aws_access_key aws_secret_key=$aws_secret_key aws_server_name=$aws_server_name ssh_public_key=$ssh_public_key region=$region" + EXTRA_VARS="aws_access_key=$aws_access_key aws_secret_key=$aws_secret_key aws_server_name=$aws_server_name region=$region" } gce () { @@ -360,7 +361,7 @@ Please choose the number of your zone. Press enter for default (#14) zone. esac ROLES="gce vpn cloud" - EXTRA_VARS="credentials_file=$credentials_file server_name=$server_name ssh_public_key=$ssh_public_key zone=$zone max_mss=1316" + EXTRA_VARS="credentials_file=$credentials_file server_name=$server_name zone=$zone max_mss=1316" } non_cloud () { diff --git a/deploy.yml b/deploy.yml index 91721c11..965ba55f 100644 --- a/deploy.yml +++ b/deploy.yml @@ -19,7 +19,7 @@ - debug: var=fail_hint tags: always - fail: - tags: always + tags: [ 'always', 'skip_ansible_lint' ] roles: - { role: cloud-digitalocean, tags: ['digitalocean'] } @@ -38,7 +38,7 @@ - debug: var=fail_hint tags: always - fail: - tags: always + tags: [ 'always', 'skip_ansible_lint' ] - name: Configure the server and install required software hosts: vpn-host @@ -57,7 +57,7 @@ - debug: var=fail_hint tags: always - fail: - tags: always + tags: [ 'always', 'skip_ansible_lint' ] roles: - { role: security, tags: [ 'security' ] } 
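Review bot: The rewritten `EXTRA_VARS=` line in `azure ()` still packs `azure_secret=$azure_secret` into one space-separated `key=value` string, and the `ec2` hunk at -287 does the same with `aws_secret_key`. A value containing whitespace would presumably be split into extra variables, and if the string is later passed to `ansible-playbook -e` (that call is outside these hunks) the secrets are visible in the process list for the whole run. Since the line is being edited anyway, consider dropping the secret from `EXTRA_VARS` and exporting it instead, e.g. `export AZURE_SECRET="$azure_secret"`, which roles/cloud-azure already reads through `lookup('env','AZURE_SECRET')`. The function bodies start outside the hunks.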
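Review bot: Tagging the bare `- fail:` task that follows `debug: var=fail_hint` in deploy.yml with `skip_ansible_lint` turns off every lint rule for that task instead of fixing what the linter reports. The same edit is repeated in the other deploy.yml hunks, in users.yml and in each role's `tasks/main.yml`. Giving the task a name and a message would presumably satisfy the linter and also tell the operator why the run stopped, e.g. `- name: Stop after a failed play` with `fail: msg="Deployment failed, see fail_hint above"`. If the suppression stays, a comment naming the silenced rule would help the next reader. The enclosing block starts outside the hunk.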
@@ -93,4 +93,4 @@ - debug: var=fail_hint tags: always - fail: - tags: always + tags: [ 'always', 'skip_ansible_lint' ] diff --git a/deploy_client.yml b/deploy_client.yml index 21fd7709..4ffe7219 100644 --- a/deploy_client.yml +++ b/deploy_client.yml @@ -24,6 +24,7 @@ - name: Get the OS raw: uname -a register: distribution + changed_when: false - name: Modify the server name fact set_fact: diff --git a/roles/client/handlers/main.yml b/roles/client/handlers/main.yml index 84c893a1..f6430199 100644 --- a/roles/client/handlers/main.yml +++ b/roles/client/handlers/main.yml @@ -1,4 +1,4 @@ --- - + - name: restart strongswan service: name=strongswan state=restarted diff --git a/roles/client/tasks/main.yml b/roles/client/tasks/main.yml index 68397148..713ffd5e 100644 --- a/roles/client/tasks/main.yml +++ b/roles/client/tasks/main.yml @@ -1,3 +1,5 @@ +--- + - name: Gather Facts setup: diff --git a/roles/client/tasks/systems/CentOS.yml b/roles/client/tasks/systems/CentOS.yml index 60df753f..60a37c9e 100644 --- a/roles/client/tasks/systems/CentOS.yml +++ b/roles/client/tasks/systems/CentOS.yml @@ -1,6 +1,7 @@ --- -- set_fact: +- name: Set system-based facts + set_fact: prerequisites: - epel-release configs_prefix: /etc/strongswan/ diff --git a/roles/client/tasks/systems/Debian.yml b/roles/client/tasks/systems/Debian.yml index 9e5461d2..69fcf195 100644 --- a/roles/client/tasks/systems/Debian.yml +++ b/roles/client/tasks/systems/Debian.yml @@ -1,5 +1,6 @@ --- -- set_fact: +- name: Set system-based facts + set_fact: prerequisites: [] configs_prefix: /etc/ diff --git a/roles/client/tasks/systems/Fedora.yml b/roles/client/tasks/systems/Fedora.yml index ec920927..74e78823 100644 --- a/roles/client/tasks/systems/Fedora.yml +++ b/roles/client/tasks/systems/Fedora.yml @@ -1,6 +1,7 @@ --- -- set_fact: +- name: Set system-based facts + set_fact: prerequisites: - libselinux-python configs_prefix: /etc/strongswan/ 
diff --git a/roles/client/tasks/systems/Ubuntu.yml b/roles/client/tasks/systems/Ubuntu.yml index 9e5461d2..69fcf195 100644 --- a/roles/client/tasks/systems/Ubuntu.yml +++ b/roles/client/tasks/systems/Ubuntu.yml @@ -1,5 +1,6 @@ --- -- set_fact: +- name: Set system-based facts + set_fact: prerequisites: [] configs_prefix: /etc/ diff --git a/roles/cloud-azure/tasks/main.yml b/roles/cloud-azure/tasks/main.yml index 4cf621fa..492cf334 100644 --- a/roles/cloud-azure/tasks/main.yml +++ b/roles/cloud-azure/tasks/main.yml @@ -1,6 +1,7 @@ --- - block: - - set_fact: + - name: Extract credentials + set_fact: resource_group: "Algo_{{ region }}" secret: "{{ azure_secret | default(lookup('env','AZURE_SECRET'), true) }}" tenant: "{{ azure_tenant | default(lookup('env','AZURE_TENANT'), true) }}" @@ -94,7 +95,8 @@ # To-do: Add error handling - if vm_size requested is not available, can we fall back to another, ideally with a prompt? - - set_fact: + - name: Set network facts + set_fact: ip_address: "{{ azure_rm_virtualmachine.ansible_facts.azure_vm.properties.networkProfile.networkInterfaces[0].properties.ipConfigurations[0].properties.publicIPAddress.properties.ipAddress }}" networkinterface_name: "{{ azure_rm_virtualmachine.ansible_facts.azure_vm.properties.networkProfile.networkInterfaces[0].name }}" @@ -120,7 +122,8 @@ cloud_provider: azure ipv6_support: no - - set_fact: + - name: Set the instance IP + set_fact: cloud_instance_ip: "{{ ip_address }}" - name: Ensure the group azure exists in the dynamic inventory file @@ -140,4 +143,4 @@ - debug: var=fail_hint tags: always - fail: - tags: always + tags: [ 'always', 'skip_ansible_lint' ] diff --git a/roles/cloud-digitalocean/tasks/main.yml b/roles/cloud-digitalocean/tasks/main.yml index 66308423..574376a7 100644 --- a/roles/cloud-digitalocean/tasks/main.yml +++ b/roles/cloud-digitalocean/tasks/main.yml 
@@ -66,7 +66,8 @@ cloud_provider: digitalocean ipv6_support: true - - set_fact: + - name: Set the instance IP + set_fact: cloud_instance_ip: "{{ do.droplet.ip_address }}" - name: Tag the droplet @@ -105,4 +106,4 @@ - debug: var=fail_hint tags: always - fail: - tags: always + tags: [ 'always', 'skip_ansible_lint' ] diff --git a/roles/cloud-ec2/tasks/encrypt_image.yml b/roles/cloud-ec2/tasks/encrypt_image.yml index 11779ea4..1041b61f 100644 --- a/roles/cloud-ec2/tasks/encrypt_image.yml +++ b/roles/cloud-ec2/tasks/encrypt_image.yml @@ -12,7 +12,8 @@ region: "{{ region }}" register: search_crypt -- set_fact: +- name: Set the Image ID + set_fact: ami_image: "{{ search_crypt.results[0].ami_id }}" when: search_crypt.results @@ -32,6 +33,7 @@ register: enc_image when: not search_crypt.results -- set_fact: +- name: Set the Image ID + set_fact: ami_image: "{{ enc_image.image_id }}" when: not search_crypt.results diff --git a/roles/cloud-ec2/tasks/main.yml b/roles/cloud-ec2/tasks/main.yml index e32e70a5..e7abbb01 100644 --- a/roles/cloud-ec2/tasks/main.yml +++ b/roles/cloud-ec2/tasks/main.yml @@ -1,5 +1,6 @@ - block: - - set_fact: + - name: Extract credentials + set_fact: access_key: "{{ aws_access_key | default(lookup('env','AWS_ACCESS_KEY_ID'), true) }}" secret_key: "{{ aws_secret_key | default(lookup('env','AWS_SECRET_ACCESS_KEY'), true) }}" stack_name: "{{ aws_server_name | replace('.', '-') }}" @@ -16,7 +17,8 @@ region: "{{ region }}" register: ami_search - - set_fact: + - name: Set the Image ID + set_fact: ami_image: "{{ ami_search.results[0].ami_id }}" - include: encrypt_image.yml @@ -34,7 +36,8 @@ cloud_provider: ec2 ipv6_support: yes - - set_fact: + - name: Set the instance IP + set_fact: cloud_instance_ip: "{{ stack.stack_outputs.ElasticIP }}" - name: Get EC2 instances @@ -66,4 +69,4 @@ - debug: var=fail_hint tags: always - fail: - tags: always + tags: [ 'always', 'skip_ansible_lint' ] 
diff --git a/roles/cloud-gce/tasks/main.yml b/roles/cloud-gce/tasks/main.yml index 8737a7e7..5d1905db 100644 --- a/roles/cloud-gce/tasks/main.yml +++ b/roles/cloud-gce/tasks/main.yml @@ -1,12 +1,15 @@ - block: - - set_fact: + - name: Extract credentials + set_fact: credentials_file_path: "{{ credentials_file | default(lookup('env','GCE_CREDENTIALS_FILE_PATH'), true) }}" ssh_public_key_lookup: "{{ lookup('file', '{{ SSH_keys.public }}') }}" - - set_fact: + - name: Extract credentials + set_fact: credentials_file_lookup: "{{ lookup('file', '{{ credentials_file_path }}') }}" - - set_fact: + - name: Extract credentials + set_fact: service_account_email: "{{ credentials_file_lookup.client_email | default(lookup('env','GCE_EMAIL')) }}" project_id: "{{ credentials_file_lookup.project_id | default(lookup('env','GCE_PROJECT')) }}" @@ -47,7 +50,8 @@ cloud_provider: gce ipv6_support: no - - set_fact: + - name: Set the instance IP + set_fact: cloud_instance_ip: "{{ google_vm.instance_data[0].public_ip }}" - name: Ensure the group gce exists in the dynamic inventory file @@ -67,4 +71,4 @@ - debug: var=fail_hint tags: always - fail: - tags: always + tags: [ 'always', 'skip_ansible_lint' ] diff --git a/roles/common/tasks/freebsd.yml b/roles/common/tasks/freebsd.yml index 67d247d8..ed50d832 100644 --- a/roles/common/tasks/freebsd.yml +++ b/roles/common/tasks/freebsd.yml @@ -1,6 +1,7 @@ --- -- set_fact: +- name: Set system-based facts + set_fact: tools: - git - subversion @@ -48,5 +49,6 @@ shell: > kldstat -n ipfw.ko || kldload ipfw ; sysctl net.inet.ip.fw.enable=0 && bash /etc/rc.firewall && sysctl net.inet.ip.fw.enable=1 + changed_when: false - meta: flush_handlers diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 781930e2..25d8cde3 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -25,4 +25,4 @@ - debug: var=fail_hint tags: always - fail: - tags: always + tags: [ 'always', 'skip_ansible_lint' ] 
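Review bot: All three `set_fact` tasks in the first hunk of roles/cloud-gce/tasks/main.yml are now named `Extract credentials`, so they cannot be told apart in the play output and `--start-at-task` can only reach the first of them. Distinct names that say what each one does would read better, for example `Resolve the credentials file path`, `Read the credentials file` and `Set the service account and project`. The first task also stores the SSH public key, which is not a credential, so its name should cover that too.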
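Review bot: `changed_when: false` in the second hunk of roles/common/tasks/freebsd.yml is attached to a task that loads `ipfw.ko`, switches the firewall off, runs `/etc/rc.firewall` and switches it back on, so the play will report `ok` for a step that rewrites packet-filter state on every run. That hides the change from anyone auditing the output; leaving the task as changed, or deriving the status from a registered result, would be more accurate. The `&&` chain also leaves `net.inet.ip.fw.enable=0` in place if `rc.firewall` fails, which this commit does not address. The task's name line is outside the hunk.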
diff --git a/roles/common/tasks/ubuntu.yml b/roles/common/tasks/ubuntu.yml index b512af61..1106a3b3 100644 --- a/roles/common/tasks/ubuntu.yml +++ b/roles/common/tasks/ubuntu.yml @@ -11,6 +11,7 @@ args: executable: /bin/bash register: reboot_required + changed_when: "'required' in reboot_required.stdout" tags: - cloud @@ -63,15 +64,18 @@ - always - name: Check apparmor support - shell: apparmor_status + command: apparmor_status ignore_errors: yes + changed_when: false register: apparmor_status -- set_fact: +- name: Seth the apparmor fact + set_fact: apparmor_enabled: true - when: '"profiles are in enforce mode" in apparmor_status.stdout' + when: apparmor_status|succeeded -- set_fact: +- name: Set system-based facts + set_fact: tools: - git - screen diff --git a/roles/dns_adblocking/handlers/main.yml b/roles/dns_adblocking/handlers/main.yml index 98278cef..4e652f73 100644 --- a/roles/dns_adblocking/handlers/main.yml +++ b/roles/dns_adblocking/handlers/main.yml @@ -1,5 +1,7 @@ +--- + - name: restart dnsmasq - service: name=dnsmasq state=restarted + service: name=dnsmasq state=restarted daemon_reload=yes - name: restart apparmor - service: name=apparmor state=restarted + service: name=apparmor state=restarted daemon_reload=yes diff --git a/roles/dns_adblocking/tasks/main.yml b/roles/dns_adblocking/tasks/main.yml index 3989bf4f..39dedf99 100644 --- a/roles/dns_adblocking/tasks/main.yml +++ b/roles/dns_adblocking/tasks/main.yml @@ -1,6 +1,5 @@ --- - block: - - name: The DNS tag is defined set_fact: local_dns: Y @@ -44,8 +43,9 @@ user: dnsmasq - name: Update adblock hosts - shell: > - sudo -u dnsmasq "/usr/local/sbin/adblock.sh" + command: /usr/local/sbin/adblock.sh + become: true + become_user: dnsmasq - meta: flush_handlers @@ -58,4 +58,4 @@ - debug: var=fail_hint tags: always - fail: - tags: always + tags: [ 'always', 'skip_ansible_lint' ] diff --git a/roles/dns_adblocking/tasks/ubuntu.yml b/roles/dns_adblocking/tasks/ubuntu.yml index 8e4cf3d0..c30d26b4 100644 
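Review bot: The `when:` on the apparmor fact in the second hunk of roles/common/tasks/ubuntu.yml changes from matching `profiles are in enforce mode` in the command output to `apparmor_status|succeeded`, which is a behaviour change inside a lint-cleanup commit. `apparmor_enabled` gates the later `aa-enforce` tasks, so it is worth confirming on the supported releases that exit status 0 means what the old text match meant, and recording that in a comment such as `# apparmor_status exits non-zero when AppArmor is disabled or has no policy loaded` (to be checked against the man page). The new task name also has a typo and should read `- name: Set the apparmor fact`.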
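Review bot: `daemon_reload=yes` in roles/dns_adblocking/handlers/main.yml is an option of the `systemd` module rather than of the generic `service` module, so both handlers depend on `service` passing its arguments through to systemd and are likely to be rejected on a host with another init system. roles/vpn/handlers/main.yml in this same commit uses `systemd:` explicitly for the same purpose, and the two files should agree. As far as these hunks show, only dnsmasq has a unit drop-in being templated, so `restart apparmor` can stay `service: name=apparmor state=restarted`.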
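Review bot: Replacing `sudo -u dnsmasq` with `become: true` / `become_user: dnsmasq` on `Update adblock hosts` in roles/dns_adblocking/tasks/main.yml keeps the script unprivileged, but becoming a non-root user makes Ansible hand its temporary module files to that user. That can fail on targets without ACL support, or fall back to world-readable temp files where that option is enabled, so it should be confirmed on the supported images. A short comment on the task, e.g. `# run as the unprivileged dnsmasq user, not root`, would record the intent. The task also has no `changed_when`, unlike the other `command` tasks this commit touches.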
--- a/roles/dns_adblocking/tasks/ubuntu.yml +++ b/roles/dns_adblocking/tasks/ubuntu.yml @@ -12,7 +12,9 @@ - restart dnsmasq - name: Ubuntu | Enforce the dnsmasq AppArmor policy - shell: aa-enforce usr.sbin.dnsmasq + command: aa-enforce usr.sbin.dnsmasq + register: output + changed_when: false when: apparmor_enabled is defined and apparmor_enabled == true tags: ['apparmor'] @@ -29,5 +31,4 @@ src: 100-CustomLimitations.conf.j2 dest: /etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf notify: - - daemon-reload - restart dnsmasq diff --git a/roles/local/tasks/main.yml b/roles/local/tasks/main.yml index 555baa45..6a4c6b20 100644 --- a/roles/local/tasks/main.yml +++ b/roles/local/tasks/main.yml @@ -19,7 +19,8 @@ cloud_provider: local when: server_ip == "localhost" - - set_fact: + - name: Set the instance IP + set_fact: cloud_instance_ip: "{{ server_ip }}" - name: Ensure the group local exists in the dynamic inventory file @@ -39,4 +40,4 @@ - debug: var=fail_hint tags: always - fail: - tags: always + tags: [ 'always', 'skip_ansible_lint' ] diff --git a/roles/security/tasks/main.yml b/roles/security/tasks/main.yml index 4289ad1f..1400d394 100644 --- a/roles/security/tasks/main.yml +++ b/roles/security/tasks/main.yml @@ -4,6 +4,7 @@ apt: name="{{ item }}" state=latest with_items: - unattended-upgrades + tags: skip_ansible_lint - name: Configure unattended-upgrades template: @@ -165,4 +166,4 @@ - debug: var=fail_hint tags: always - fail: - tags: always + tags: [ 'always', 'skip_ansible_lint' ] diff --git a/roles/ssh_tunneling/tasks/main.yml b/roles/ssh_tunneling/tasks/main.yml index 8a1d4965..65bb05ad 100644 --- a/roles/ssh_tunneling/tasks/main.yml +++ b/roles/ssh_tunneling/tasks/main.yml @@ -102,4 +102,4 @@ - debug: var=fail_hint tags: always - fail: - tags: always + tags: [ 'always', 'skip_ansible_lint' ] diff --git a/roles/vpn/handlers/main.yml b/roles/vpn/handlers/main.yml index 9b481d43..1d40bcdb 100644 --- a/roles/vpn/handlers/main.yml 
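Review bot: `register: output` on the `aa-enforce usr.sbin.dnsmasq` task in roles/dns_adblocking/tasks/ubuntu.yml is not read anywhere in the visible lines, and such a generic name can overwrite another `output` variable in the play; drop it if nothing uses it. The task also gets `changed_when: false`, while the matching `aa-enforce "{{ item }}"` task in roles/vpn/tasks/ubuntu.yml gets none, so one profile enforcement always reports ok and the other always reports changed. Pick one convention for both, and prefer one that still shows in the output when a profile was actually switched to enforce mode.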
+++ b/roles/vpn/handlers/main.yml @@ -1,17 +1,17 @@ -- name: restart strongswan - service: name=strongswan state=restarted +--- -- name: daemon-reload - shell: systemctl daemon-reload +- name: restart strongswan + systemd: name=strongswan state=restarted daemon_reload=yes - name: restart apparmor service: name=apparmor state=restarted - name: save iptables - shell: service netfilter-persistent save + command: service netfilter-persistent save + tags: skip_ansible_lint - name: restart iptables service: name=netfilter-persistent state=restarted - name: rereadcrls - shell: ipsec rereadcrls + command: ipsec rereadcrls diff --git a/roles/vpn/tasks/client_configs.yml b/roles/vpn/tasks/client_configs.yml index ea1621a2..538d2326 100644 --- a/roles/vpn/tasks/client_configs.yml +++ b/roles/vpn/tasks/client_configs.yml @@ -3,6 +3,7 @@ - name: Register p12 PayloadContent shell: cat private/{{ item }}.p12 | base64 register: PayloadContent + changed_when: false args: chdir: "configs/{{ IP_subject_alt_name }}/pki/" with_items: "{{ users }}" diff --git a/roles/vpn/tasks/freebsd.yml b/roles/vpn/tasks/freebsd.yml index 1dbecd5f..4b434e0c 100644 --- a/roles/vpn/tasks/freebsd.yml +++ b/roles/vpn/tasks/freebsd.yml @@ -70,6 +70,7 @@ - fail: msg: "Something went wrong. Check the debug output above." + tags: skip_ansible_lint - block: - name: FreeBSD / HardenedBSD | The kernel is being built... @@ -97,6 +98,7 @@ - fail: msg: "Something went wrong. Check the debug output above." + tags: skip_ansible_lint - name: FreeBSD / HardenedBSD | Reboot shell: sleep 2 && shutdown -r now diff --git a/roles/vpn/tasks/ipec_configuration.yml b/roles/vpn/tasks/ipec_configuration.yml index cc7c21ec..449e402c 100644 --- a/roles/vpn/tasks/ipec_configuration.yml +++ b/roles/vpn/tasks/ipec_configuration.yml 
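Review bot: The `restart strongswan` handler in roles/vpn/handlers/main.yml now calls the `systemd` module directly, but the vpn role also carries roles/vpn/tasks/freebsd.yml, and a FreeBSD host has no systemd. If any FreeBSD task notifies this handler, the restart will fail where `service:` used to work. Either keep `service:` for the restart and do the reload in a separate handler guarded by `when: ansible_service_mgr == "systemd"`, or confirm that the FreeBSD path never notifies it. `save iptables` is tagged `skip_ansible_lint` with no comment naming the rule it silences.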
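Review bot: `Register p12 PayloadContent` in roles/vpn/tasks/client_configs.yml stores the base64 of each user's `.p12` bundle in a registered variable, and the hunk shows no `no_log: true`. The encoded key material is therefore printed for every item whenever the play runs with `-v` or its output is captured by CI. Adding `no_log: true` next to the new `changed_when: false` closes that. `{{ item }}` is also interpolated unquoted into the shell line, so user names should be validated before they reach it; the task may continue below the hunk.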
@@ -30,6 +30,7 @@ shell: > find {{ config_prefix|default('/') }}etc/strongswan.d/charon/ -type f -name '*.conf' -exec basename {} \; | cut -f1 -d. register: strongswan_plugins + changed_when: false - name: Disable unneeded plugins lineinfile: diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml index 8e732e1d..1bb93090 100644 --- a/roles/vpn/tasks/main.yml +++ b/roles/vpn/tasks/main.yml @@ -32,4 +32,4 @@ - debug: var=fail_hint tags: always - fail: - tags: always + tags: [ 'always', 'skip_ansible_lint' ] diff --git a/roles/vpn/tasks/openssl.yml b/roles/vpn/tasks/openssl.yml index a1709bc0..21337a67 100644 --- a/roles/vpn/tasks/openssl.yml +++ b/roles/vpn/tasks/openssl.yml @@ -52,6 +52,7 @@ creates: "{{ IP_subject_alt_name }}_ca_generated" environment: subjectAltName: "DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}" + tags: skip_ansible_lint - name: Copy the CA certificate copy: @@ -64,6 +65,7 @@ args: chdir: "configs/{{ IP_subject_alt_name }}/pki/" creates: serial_generated + tags: skip_ansible_lint - name: Build the server pair shell: > @@ -86,6 +88,7 @@ creates: certs/{{ IP_subject_alt_name }}_crt_generated environment: subjectAltName: "DNS:{{ IP_subject_alt_name }},IP:{{ IP_subject_alt_name }}" + tags: skip_ansible_lint - name: Build the client's pair shell: > @@ -109,6 +112,7 @@ environment: subjectAltName: "DNS:{{ item }}" with_items: "{{ users }}" + tags: skip_ansible_lint - name: Build the client's p12 shell: > @@ -124,6 +128,7 @@ chdir: "configs/{{ IP_subject_alt_name }}/pki/" with_items: "{{ users }}" register: p12 + tags: skip_ansible_lint - name: Copy the p12 certificates copy: @@ -142,6 +147,7 @@ args: chdir: "configs/{{ IP_subject_alt_name }}/pki/" register: valid_certs + tags: skip_ansible_lint - name: Revoke non-existing users shell: > @@ -157,6 +163,7 @@ subjectAltName: "DNS:{{ item }}" when: item not in users with_items: "{{ valid_certs.stdout_lines }}" + tags: skip_ansible_lint delegate_to: localhost become: no 
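Review bot: The seven hunks in roles/vpn/tasks/openssl.yml add `tags: skip_ansible_lint` to the tasks that handle key material, including the ones that build the server and client pairs and revoke users, which exempts the most sensitive tasks in the role from all current and future lint rules. If one specific rule is the problem, excluding that rule on the `ansible-lint` command line in .travis.yml (`-x <RULE_ID>`) or fixing it per task keeps the remaining checks active on this file. At minimum, a comment above each tag naming the rule and the reason would let a later reviewer remove the suppression safely.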
diff --git a/roles/vpn/tasks/ubuntu.yml b/roles/vpn/tasks/ubuntu.yml index ccc561b3..33354794 100644 --- a/roles/vpn/tasks/ubuntu.yml +++ b/roles/vpn/tasks/ubuntu.yml @@ -1,6 +1,7 @@ --- -- set_fact: +- name: Set system-based facts + set_fact: strongswan_additional_plugins: [] - name: Ubuntu | Install strongSwan @@ -9,9 +10,10 @@ state: latest update_cache: yes install_recommends: yes + tags: skip_ansible_lint - name: Ubuntu | Enforcing ipsec with apparmor - shell: aa-enforce "{{ item }}" + command: aa-enforce "{{ item }}" when: apparmor_enabled is defined and apparmor_enabled == true with_items: - /usr/lib/ipsec/charon @@ -41,7 +43,6 @@ src: 100-CustomLimitations.conf.j2 dest: /etc/systemd/system/strongswan.service.d/100-CustomLimitations.conf notify: - - daemon-reload - restart strongswan - include: iptables.yml diff --git a/users.yml b/users.yml index 92792085..03939016 100644 --- a/users.yml +++ b/users.yml @@ -33,7 +33,7 @@ - debug: var=fail_hint tags: always - fail: - tags: always + tags: [ 'always', 'skip_ansible_lint' ] - name: User management hosts: vpn-host @@ -51,7 +51,7 @@ - debug: var=fail_hint tags: always - fail: - tags: always + tags: [ 'always', 'skip_ansible_lint' ] roles: - { role: ssh_tunneling, tags: always, when: ssh_tunneling_enabled is defined and ssh_tunneling_enabled == "y" } @@ -68,4 +68,4 @@ - debug: var=fail_hint tags: always - fail: - tags: always + tags: [ 'always', 'skip_ansible_lint' ]