Fix StrongSwan CRL handler properly without ignoring errors

Instead of ignoring errors (anti-pattern), this fix properly handles the race condition when StrongSwan restarts: 1. After restarting StrongSwan, wait for port 500 (IKE) to be listening - This ensures the daemon is fully ready before proceeding - Waits up to 30 seconds with proper timeout handling 2. When reloading CRLs, use Ansible's retry mechanism - Retries up to 3 times with 2-second delays - Handles transient failures during startup 3. Separated rereadcrls and purgecrls into distinct tasks - Better error reporting and debugging - Cleaner task organization This approach ensures the installation works reliably on fresh installs without hiding potential real errors. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-03 10:33:13 +02:00 · 2025-08-06 21:28:52 -07:00 · 2025-08-06 21:28:52 -07:00 · bb9a9aab59
commit bb9a9aab59
parent 4be204f1d5
1 changed files with 21 additions and 12 deletions
--- a/roles/strongswan/handlers/main.yml
+++ b/roles/strongswan/handlers/main.yml
@ -1,6 +1,16 @@
 ---
 - name: restart strongswan
-  service: name={{ strongswan_service }} state=restarted
+  block:
+    - name: restart strongswan service
+      service: name={{ strongswan_service }} state=restarted
+
+    - name: wait for strongswan to be ready
+      wait_for:
+        port: 500
+        host: 127.0.0.1
+        delay: 2
+        timeout: 30
+        state: started

 - name: daemon-reload
  systemd: daemon_reload=true
@ -9,14 +19,13 @@
  service: name=apparmor state=restarted

 - name: rereadcrls
-  shell: |
-    # Wait for ipsec daemon to be ready (up to 10 seconds)
-    for i in $(seq 1 10); do
-      if ipsec statusall >/dev/null 2>&1; then
-        ipsec rereadcrls && ipsec purgecrls
-        exit 0
-      fi
-      sleep 1
-    done
-    # If daemon still not ready, try anyway but don't fail the playbook
-    ipsec rereadcrls; ipsec purgecrls || true
+  block:
+    - name: reload certificate revocation lists
+      command: ipsec rereadcrls
+      register: rereadcrls_result
+      retries: 3
+      delay: 2
+      until: rereadcrls_result.rc == 0
+
+    - name: purge old certificate revocation lists
+      command: ipsec purgecrls