fix: Add no_log to tasks handling sensitive information

- Add no_log: true to OpenSSL commands that contain passwords/passphrases
- Add no_log: true to WireGuard key generation commands
- Add no_log: true to password/CA password generation tasks
- Add no_log: true to AWS credential handling tasks
- Add no_log: true to QR code generation that contains full configs

This prevents sensitive information like passwords, private keys, and
WireGuard configurations from being logged to syslog/journald.

Fixes #1617

roles/cloud-ec2/tasks/prompts.yml

@@ -21,6 +21,7 @@
 - set_fact:
     access_key: "{{ aws_access_key | default(_aws_access_key.user_input|default(None)) | default(lookup('env','AWS_ACCESS_KEY_ID'), true) }}"
     secret_key: "{{ aws_secret_key | default(_aws_secret_key.user_input|default(None)) | default(lookup('env','AWS_SECRET_ACCESS_KEY'), true) }}"
+  no_log: true
 
 - block:
     - name: Get regions

roles/common/tasks/facts.yml

@@ -3,11 +3,13 @@
   set_fact:
     p12_export_password: "{{ p12_password|default(lookup('password', '/dev/null length=9 chars=ascii_letters,digits,_,@')) }}"
   tags: update-users
+  no_log: true
 
 - name: Set facts
   set_fact:
     CA_password: "{{ ca_password|default(lookup('password', '/dev/null length=16 chars=ascii_letters,digits,_,@')) }}"
     IP_subject_alt_name: "{{ IP_subject_alt_name }}"
+  no_log: true
 
 - name: Set IPv6 support as a fact
   set_fact:

roles/strongswan/tasks/openssl.yml

@@ -65,6 +65,7 @@
         chdir: "{{ ipsec_pki_path }}"
         creates: "{{ IP_subject_alt_name }}_ca_generated"
         executable: bash
+      no_log: true
 
     - name: Copy the CA certificate
       copy:
@@ -99,6 +100,7 @@
         chdir: "{{ ipsec_pki_path }}"
         creates: certs/{{ IP_subject_alt_name }}_crt_generated
         executable: bash
+      no_log: true
 
     - name: Build the client's pair
       shell: >
@@ -123,6 +125,7 @@
         creates: certs/{{ item }}_crt_generated
         executable: bash
       with_items: "{{ users }}"
+      no_log: true
 
     - name: Build the tests pair
       shell: >
@@ -147,6 +150,7 @@
         creates: certs/google-algo-test-pair.com_crt_generated
         executable: bash
       when: tests|default(false)|bool
+      no_log: true
 
     - name: Build openssh public keys
       openssl_publickey:
@@ -185,6 +189,7 @@
         executable: bash
       with_items: "{{ users }}"
       register: p12
+      no_log: true
 
     - name: Build the client's p12 with the CA cert included
       shell: >
@@ -203,6 +208,7 @@
         executable: bash
       with_items: "{{ users }}"
       register: p12
+      no_log: true
 
     - name: Copy the p12 certificates
       copy:
@@ -235,6 +241,7 @@
         executable: bash
       when: item.split('@')[0] not in users
       with_items: "{{ valid_certs.stdout_lines }}"
+      no_log: true
 
     - name: Generate new CRL file
       shell: >
@@ -248,6 +255,7 @@
       args:
         chdir: "{{ ipsec_pki_path }}"
         executable: bash
+      no_log: true
   delegate_to: localhost
   become: false
   vars:

roles/wireguard/tasks/keys.yml

@@ -16,6 +16,7 @@
   with_items:
     - "{{ users }}"
     - "{{ IP_subject_alt_name }}"
+  no_log: true
 
 - block:
     - name: Save private keys
@@ -55,6 +56,7 @@
   with_items:
     - "{{ users }}"
     - "{{ IP_subject_alt_name }}"
+  no_log: true
 
 - block:
     - name: Save preshared keys
@@ -89,6 +91,7 @@
   with_items:
     - "{{ users }}"
     - "{{ IP_subject_alt_name }}"
+  no_log: true
 
 - name: Save public keys
   copy:

roles/wireguard/tasks/main.yml

@@ -74,6 +74,7 @@
           args:
             chdir: "{{ wireguard_config_path }}"
             executable: bash
+          no_log: true
       become: false
       delegate_to: localhost