[pull] master from trailofbits:master

.ansible-lint

@@ -1,10 +1,37 @@
+# Ansible-lint configuration
+exclude_paths:
+  - .cache/
+  - .github/
+  - tests/legacy-lxd/
+  - tests/
+
 skip_list:
-  - yaml
-  - '204'
-verbosity: 1
+  - 'package-latest'  # Package installs should not use latest - needed for updates
+  - 'experimental'  # Experimental rules
+  - 'fqcn[action]'  # Use FQCN for module actions - gradual migration
+  - 'fqcn[action-core]'  # Use FQCN for builtin actions - gradual migration
+  - 'var-naming[no-role-prefix]'  # Variable naming
+  - 'var-naming[pattern]'  # Variable naming patterns
+  - 'no-free-form'  # Avoid free-form syntax - some legacy usage
+  - 'key-order[task]'  # Task key order
+  - 'jinja[spacing]'  # Jinja2 spacing
+  - 'name[casing]'  # Name casing
+  - 'yaml[document-start]'  # YAML document start
+  - 'role-name'  # Role naming convention - too many cloud-* roles
+  - 'no-handler'  # Handler usage - some legitimate non-handler use cases
 
 warn_list:
   - no-changed-when
-  - no-handler
-  - fqcn-builtins
-  - var-spacing
+  - yaml[line-length]
+  - risky-file-permissions
+  - name[missing]
+
+# Enable additional rules
+enable_list:
+  - no-log-password
+  - no-same-owner
+  - partial-become
+
+verbosity: 1
+
+# vim: ft=yaml

.github/workflows/docker-image.yaml

@@ -17,26 +17,28 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
+        with:
+          persist-credentials: false
 
       - name: Log in to the Container registry
-        uses: docker/login-action@v3
+        uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567  # v3.3.0
         with:
           registry: ${{ env.REGISTRY }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Extract metadata (tags, labels) for Docker
         id: meta
-        uses: docker/metadata-action@v5
+        uses: docker/metadata-action@8e5442c4ef9f78752691e2d8f8d19755c6f78e81  # v5.5.1
         with:
           images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
           tags: |
             # set latest tag for master branch
-            type=raw,value=latest,enable=${{ github.ref == format('refs/heads/{0}', 'master') }}
+            type=raw,value=latest,enable=${{ github.ref == 'refs/heads/master' }}
 
       - name: Build and push Docker image
-        uses: docker/build-push-action@v5
+        uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75  # v6.9.0
         with:
           context: .
           push: true

.github/workflows/integration-tests.yml

@@ -0,0 +1,250 @@
+name: Integration Tests
+
+on:
+  pull_request:
+    types: [opened, synchronize, reopened]
+    paths:
+      - 'main.yml'
+      - 'roles/**'
+      - 'playbooks/**'
+      - 'library/**'
+  workflow_dispatch:
+  schedule:
+    - cron: '0 2 * * 1'  # Weekly on Monday at 2 AM
+
+permissions:
+  contents: read
+
+jobs:
+  localhost-deployment:
+    name: Localhost VPN Deployment Test
+    runs-on: ubuntu-22.04
+    timeout-minutes: 30
+    if: false  # Disabled until we fix the ansible issues
+    strategy:
+      matrix:
+        vpn_type: ['wireguard', 'ipsec', 'both']
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
+        with:
+          persist-credentials: false
+
+      - uses: actions/setup-python@f677139bbe7f9c59b41e40162b753c062f5d49a3  # v5.2.0
+        with:
+          python-version: '3.11'
+          cache: 'pip'
+
+      - name: Install system dependencies
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y \
+            wireguard \
+            wireguard-tools \
+            strongswan \
+            libstrongswan-standard-plugins \
+            dnsmasq \
+            qrencode \
+            openssl \
+            linux-headers-$(uname -r)
+
+      - name: Install Python dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt
+
+      - name: Create test configuration
+        run: |
+          cat > integration-test.cfg << EOF
+          users:
+            - alice
+            - bob
+          cloud_providers:
+            local:
+              server: localhost
+              endpoint: 127.0.0.1
+          wireguard_enabled: ${{ matrix.vpn_type == 'wireguard' || matrix.vpn_type == 'both' }}
+          ipsec_enabled: ${{ matrix.vpn_type == 'ipsec' || matrix.vpn_type == 'both' }}
+          dns_adblocking: true
+          ssh_tunneling: false
+          store_pki: true
+          algo_provider: local
+          algo_server_name: github-ci-test
+          server: localhost
+          algo_ssh_port: 22
+          CA_password: "test-ca-password-${{ github.run_id }}"
+          p12_export_password: "test-p12-password-${{ github.run_id }}"
+          tests: true
+          no_log: false
+          ansible_connection: local
+          ansible_python_interpreter: /usr/bin/python3
+          dns_encryption: true
+          algo_dns_adblocking: true
+          algo_ssh_tunneling: false
+          BetweenClients_DROP: true
+          block_smb: true
+          block_netbios: true
+          pki_in_tmpfs: true
+          endpoint: 127.0.0.1
+          ssh_port: 4160
+          EOF
+
+      - name: Run Algo deployment
+        run: |
+          sudo ansible-playbook main.yml \
+            -i "localhost," \
+            -c local \
+            -e @integration-test.cfg \
+            -e "provider=local" \
+            -vv
+
+      - name: Verify services are running
+        run: |
+          # Check WireGuard
+          if [[ "${{ matrix.vpn_type }}" == "wireguard" || "${{ matrix.vpn_type }}" == "both" ]]; then
+            echo "Checking WireGuard..."
+            sudo wg show
+            if ! sudo systemctl is-active --quiet wg-quick@wg0; then
+              echo "✗ WireGuard service not running"
+              exit 1
+            fi
+            echo "✓ WireGuard is running"
+          fi
+
+          # Check StrongSwan
+          if [[ "${{ matrix.vpn_type }}" == "ipsec" || "${{ matrix.vpn_type }}" == "both" ]]; then
+            echo "Checking StrongSwan..."
+            sudo ipsec statusall
+            if ! sudo systemctl is-active --quiet strongswan; then
+              echo "✗ StrongSwan service not running"
+              exit 1
+            fi
+            echo "✓ StrongSwan is running"
+          fi
+
+          # Check dnsmasq
+          if ! sudo systemctl is-active --quiet dnsmasq; then
+            echo "⚠️  dnsmasq not running (may be expected)"
+          else
+            echo "✓ dnsmasq is running"
+          fi
+
+      - name: Verify generated configs
+        run: |
+          echo "Checking generated configuration files..."
+
+          # WireGuard configs
+          if [[ "${{ matrix.vpn_type }}" == "wireguard" || "${{ matrix.vpn_type }}" == "both" ]]; then
+            for user in alice bob; do
+              if [ ! -f "configs/localhost/wireguard/${user}.conf" ]; then
+                echo "✗ Missing WireGuard config for ${user}"
+                exit 1
+              fi
+              if [ ! -f "configs/localhost/wireguard/${user}.png" ]; then
+                echo "✗ Missing WireGuard QR code for ${user}"
+                exit 1
+              fi
+            done
+            echo "✓ All WireGuard configs generated"
+          fi
+
+          # IPsec configs
+          if [[ "${{ matrix.vpn_type }}" == "ipsec" || "${{ matrix.vpn_type }}" == "both" ]]; then
+            for user in alice bob; do
+              if [ ! -f "configs/localhost/ipsec/${user}.p12" ]; then
+                echo "✗ Missing IPsec certificate for ${user}"
+                exit 1
+              fi
+              if [ ! -f "configs/localhost/ipsec/${user}.mobileconfig" ]; then
+                echo "✗ Missing IPsec mobile config for ${user}"
+                exit 1
+              fi
+            done
+            echo "✓ All IPsec configs generated"
+          fi
+
+      - name: Test VPN connectivity
+        run: |
+          echo "Testing basic VPN connectivity..."
+
+          # Test WireGuard
+          if [[ "${{ matrix.vpn_type }}" == "wireguard" || "${{ matrix.vpn_type }}" == "both" ]]; then
+            # Get server's WireGuard public key
+            SERVER_PUBKEY=$(sudo wg show wg0 public-key)
+            echo "Server public key: $SERVER_PUBKEY"
+
+            # Check if interface has peers
+            PEER_COUNT=$(sudo wg show wg0 peers | wc -l)
+            echo "✓ WireGuard has $PEER_COUNT peer(s) configured"
+          fi
+
+          # Test StrongSwan
+          if [[ "${{ matrix.vpn_type }}" == "ipsec" || "${{ matrix.vpn_type }}" == "both" ]]; then
+            # Check IPsec policies
+            sudo ipsec statusall | grep -E "INSTALLED|ESTABLISHED" || echo "No active IPsec connections (expected)"
+          fi
+
+      - name: Upload configs as artifacts
+        if: always()
+        uses: actions/upload-artifact@5d5d22a31266ced268874388b861e4b58bb5c2f3  # v4.3.1
+        with:
+          name: vpn-configs-${{ matrix.vpn_type }}-${{ github.run_id }}
+          path: configs/
+          retention-days: 7
+
+      - name: Upload logs on failure
+        if: failure()
+        run: |
+          echo "=== Ansible Log ==="
+          sudo journalctl -u ansible --no-pager || true
+          echo "=== WireGuard Log ==="
+          sudo journalctl -u wg-quick@wg0 --no-pager || true
+          echo "=== StrongSwan Log ==="
+          sudo journalctl -u strongswan --no-pager || true
+          echo "=== System Log (last 100 lines) ==="
+          sudo journalctl -n 100 --no-pager || true
+
+  docker-build-test:
+    name: Docker Image Build Test
+    runs-on: ubuntu-22.04
+    timeout-minutes: 10
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332  # v4.1.7
+        with:
+          persist-credentials: false
+
+      - name: Build Algo Docker image
+        run: |
+          docker build -t algo:ci-test .
+
+      - name: Test Docker image
+        run: |
+          # Test that the image can run and show help
+          docker run --rm --entrypoint /bin/sh algo:ci-test -c "cd /algo && ./algo --help" || true
+
+          # Test that required binaries exist in the virtual environment
+          docker run --rm --entrypoint /bin/sh algo:ci-test -c "cd /algo && source .env/bin/activate && which ansible"
+          docker run --rm --entrypoint /bin/sh algo:ci-test -c "which python3"
+          docker run --rm --entrypoint /bin/sh algo:ci-test -c "which rsync"
+
+      - name: Test Docker config validation
+        run: |
+          # Create a minimal valid config
+          mkdir -p test-data
+          cat > test-data/config.cfg << 'EOF'
+          users:
+            - test-user
+          cloud_providers:
+            ec2:
+              size: t3.micro
+              region: us-east-1
+          wireguard_enabled: true
+          ipsec_enabled: false
+          dns_encryption: true
+          algo_provider: ec2
+          EOF
+
+          # Test that config is readable
+          docker run --rm --entrypoint cat -v $(pwd)/test-data:/data algo:ci-test /data/config.cfg
+
+          echo "✓ Docker image built and basic tests passed"
+