fix: Prevent sensitive information from being logged (#14779)

* fix: Add no_log to tasks handling sensitive information

- Add no_log: true to OpenSSL commands that contain passwords/passphrases
- Add no_log: true to WireGuard key generation commands
- Add no_log: true to password/CA password generation tasks
- Add no_log: true to AWS credential handling tasks
- Add no_log: true to QR code generation that contains full configs

This prevents sensitive information like passwords, private keys, and
WireGuard configurations from being logged to syslog/journald.

Fixes #1617

* feat: Comprehensive privacy enhancements

- Add no_log directives to all cloud provider credential handling
- Set privacy-focused defaults (StrongSwan logging disabled, DNSCrypt syslog off)
- Implement privacy role with log rotation, history clearing, and log filtering
- Add Privacy Considerations section to README
- Make all privacy features configurable and enabled by default

This update significantly reduces Algo's logging footprint to enhance user privacy
while maintaining the ability to enable logging for debugging when needed.

* docs: Move privacy documentation from README to FAQ

- Remove Privacy Considerations section from README
- Add expanded 'Does Algo support zero logging?' question to FAQ
- Better placement alongside existing logging/monitoring questions
- More detailed explanation of privacy features and limitations

* fix: Remove invalid 'bool' filter from Jinja2 template

The privacy-monitor.sh.j2 template was using '| bool' which is not a valid
Jinja2 filter. The 'bool' is a built-in Python function, not a Jinja2 filter.

Fixed by removing the '| bool' filter and directly outputting the boolean
variables as they will be rendered correctly by Jinja2.

This resolves the template syntax error that was causing CI tests to fail:
"No filter named 'bool'" error in privacy monitoring script template.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

* Fix YAML linting issues in privacy role

* Fix linting warnings: shellcheck and ansible-lint issues

- Fixed all shellcheck warnings in test scripts:
  - Quoted variables to prevent word splitting
  - Replaced A && B || C constructs with proper if-then-else
  - Changed unused loop variable to _
  - Added shellcheck directives for FreeBSD rc.d script

- Fixed ansible-lint risky-file-permissions warnings:
  - Added explicit file permissions for sensitive files (mode 0600)
  - Added permissions for config files and certificates (mode 0644)
  - Set proper permissions for directories (mode 0755)

- Fixed yamllint compatibility with ansible-lint:
  - Added required octal-values configuration
  - Quoted all octal mode values to prevent YAML misinterpretation
  - Added comments-indentation: false as required

All tests pass and functionality remains unchanged.

* Remove algo.egg-info from version control

This directory is generated by Python package tools (pip/setuptools) and
should not be tracked in git. It's already listed in .gitignore but was
accidentally committed. The directory contains build metadata that is
regenerated when the package is installed.

* Restructure privacy documentation for clarity

- Simplified FAQ entry to be concise with link to README for details
- Added comprehensive Privacy and Logging section to README
- Clarified what IS logged by default vs what is not
- Explained two separate privacy settings (strongswan_log_level and privacy_enhancements_enabled)
- Added clear debugging instructions (need to change both settings)
- Removed confusing language about "enabling additional features"
- Made documentation more natural and less AI-generated sounding

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

* Fix Ubuntu 22.04 iptables deployment issues and simplify config.cfg

Issues fixed:
1. Added base 'iptables' package to batch installation list (was missing, only iptables-persistent was included)
2. Fixed alternatives configuration for Ubuntu 22.04+ - only configure main iptables/ip6tables alternatives, not save/restore (they're handled as slaves)

Config.cfg improvements:
- Reduced from 308 to 198 lines (35% reduction)
- Moved privacy settings above "Advanced users only" line for better accessibility
- Clarified algo_no_log is for Ansible output, not server privacy
- Simplified verbose comments throughout
- Moved experimental performance options to commented section at end
- Better organized into logical sections

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

* Add privacy features to README and improve feature descriptions

- Added privacy-focused feature bullet highlighting minimal logging and privacy enhancements
- Simplified IKEv2 bullet (removed redundant platform list)
- Updated helper scripts description to be more comprehensive
- Specified Ubuntu 22.04 LTS and automatic security updates
- Made feature list more concise and accurate

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

* Fix logrotate duplicate entries error in privacy role

The privacy role was creating logrotate configs that duplicated the default
Ubuntu rsyslog logrotate rules, causing deployment failures with errors like
'duplicate log entry for /var/log/syslog'.

Changes:
- Disable default rsyslog logrotate config before applying privacy configs
- Consolidate system log rotation into single config file
- Add missingok flag to handle logs that may not exist on all systems
- Remove forced immediate rotation that was triggering the error

This ensures privacy-enhanced log rotation works without conflicts.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

* Fix 'history: not found' error in privacy role

The 'history -c' command was failing because history is a bash built-in
that doesn't exist in /bin/sh (Ubuntu's default shell for scripts).

Changes:
- Removed the 'Clear current session history' task since it's ineffective
  in Ansible context (each task runs in a new shell)
- History files are already cleared by the existing file removal tasks
- Added explanatory comment about why session history clearing is omitted

This fixes the deployment failure while maintaining all effective history
clearing functionality.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

* Fix BPF JIT sysctl error in privacy role

The net.core.bpf_jit_enable sysctl parameter was failing on some systems
because BPF JIT support is not available in all kernel configurations.

Changes:
- Separated BPF JIT setting into its own task with ignore_errors
- Made BPF JIT disabling optional since it's not critical for privacy
- Added explanatory comments about kernel support variability
- Both runtime sysctl and persistent config now handle missing parameter

This allows deployments to succeed on systems without BPF JIT support
while still applying the setting where available.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

---------

Co-authored-by: Claude <[email protected]>

Author: dguido

.yamllint

@@ -17,6 +17,10 @@ rules:
     level: warning
   comments:
     min-spaces-from-content: 1
+  comments-indentation: false
+  octal-values:
+    forbid-implicit-octal: true
+    forbid-explicit-octal: true
   braces:
     max-spaces-inside: 1
   truthy:

README.md

@@ -8,14 +8,15 @@ See our [release announcement](https://blog.trailofbits.com/2016/12/12/meet-algo
 
 ## Features
 
-* Supports only IKEv2 with strong crypto (AES-GCM, SHA2, and P-256) for iOS, macOS, and Linux
+* Supports only IKEv2 with strong crypto (AES-GCM, SHA2, and P-256) for iOS, MacOS, and Linux
 * Supports [WireGuard](https://www.wireguard.com/) for all of the above, in addition to Android and Windows 11
 * Generates .conf files and QR codes for iOS, macOS, Android, and Windows WireGuard clients
 * Generates Apple profiles to auto-configure iOS and macOS devices for IPsec - no client software required
-* Includes a helper script to add and remove users
+* Includes helper scripts to add, remove, and manage users
 * Blocks ads with a local DNS resolver (optional)
 * Sets up limited SSH users for tunneling traffic (optional)
-* Based on current versions of Ubuntu and strongSwan
+* Privacy-focused with minimal logging, automatic log rotation, and configurable privacy enhancements
+* Based on Ubuntu 22.04 LTS with automatic security updates
 * Installs to DigitalOcean, Amazon Lightsail, Amazon EC2, Vultr, Microsoft Azure, Google Compute Engine, Scaleway, OpenStack, CloudStack, Hetzner Cloud, Linode, or [your own Ubuntu server (for advanced users)](docs/deploy-to-ubuntu.md)
 
 ## Anti-features
@@ -175,6 +176,33 @@ To add or remove users, first edit the `users` list in your `config.cfg` file. A
 
 After the process completes, new configuration files will be generated in the `configs` directory for any new users. The Algo VPN server will be updated to contain only the users listed in the `config.cfg` file. Removed users will no longer be able to connect, and new users will have fresh certificates and configuration files ready for use.
 
+## Privacy and Logging
+
+Algo takes a pragmatic approach to privacy. By default, we minimize logging while maintaining enough information for security and troubleshooting.
+
+What IS logged by default:
+* System security events (failed SSH attempts, firewall blocks, system updates)
+* Kernel messages and boot diagnostics (with reduced verbosity)
+* WireGuard client state (visible via `sudo wg` - shows last endpoint and handshake time)
+* Basic service status (service starts/stops/errors)
+* All logs automatically rotate and delete after 7 days
+
+Privacy is controlled by two main settings in `config.cfg`:
+* `strongswan_log_level: -1` - Controls StrongSwan connection logging (-1 = disabled, 2 = debug)
+* `privacy_enhancements_enabled: true` - Master switch for log rotation, history clearing, log filtering, and cleanup
+
+To enable full debugging when troubleshooting, set both `strongswan_log_level: 2` and `privacy_enhancements_enabled: false`. This will capture detailed connection logs and disable all privacy features. Remember to revert these changes after debugging.
+
+After deployment, verify your privacy settings:
+```bash
+ssh -F configs/<server_ip>/ssh_config <hostname>
+sudo /usr/local/bin/privacy-monitor.sh
+```
+
+Perfect privacy is impossible with any VPN solution. Your cloud provider sees and logs network traffic metadata regardless of your server configuration. And of course, your ISP knows you're connecting to a VPN server, even if they can't see what you're doing through it.
+
+For the highest level of privacy, treat your Algo servers as disposable. Spin up a new instance when you need it, use it for your specific purpose, then destroy it completely. The ephemeral nature of cloud infrastructure can be a privacy feature if you use it intentionally.
+
 ## Additional Documentation
 * [FAQ](docs/faq.md)
 * [Troubleshooting](docs/troubleshooting.md)

config.cfg

@@ -12,106 +12,61 @@ users:
 
 ### Review these options BEFORE you run Algo, as they are very difficult/impossible to change after the server is deployed.
 
-# Performance optimizations (reduces deployment time)
-# Skip reboots unless kernel was updated (saves 0-5 minutes)
-performance_skip_optional_reboots: false
-# Use parallel key generation for certificates (saves 1-2 minutes)  
-performance_parallel_crypto: false
-# Batch install all packages in one operation (saves 30-60 seconds)
-performance_parallel_packages: false
-# Pre-install universal packages via cloud-init (saves 30-90 seconds)
-performance_preinstall_packages: false
-# Configure VPN services in parallel (saves 1-2 minutes)
-performance_parallel_services: false
-
-# Change default SSH port for the cloud roles only
-# It doesn't apply if you deploy to your existing Ubuntu Server
+# SSH port for cloud deployments (doesn't apply to existing Ubuntu servers)
 ssh_port: 4160
 
-# Deploy StrongSwan to enable IPsec support
+# VPN protocols to deploy
 ipsec_enabled: true
-
-# Deploy WireGuard
-# WireGuard will listen on 51820/UDP. You might need to change to another port
-# if your network blocks this one. Be aware that 53/UDP (DNS) is blocked on some
-# mobile data networks.
 wireguard_enabled: true
-wireguard_port: 51820
+wireguard_port: 51820  # Change if blocked by your network (avoid 53/UDP)
 
-# This feature allows you to configure the Algo server to send outbound traffic
-# through a different external IP address than the one you are establishing the VPN connection with.
-# More info https://trailofbits.github.io/algo/cloud-alternative-ingress-ip.html
-# Available for the following cloud providers:
-# - DigitalOcean
+# Use different IP for outbound traffic (DigitalOcean only)
 alternative_ingress_ip: false
 
-# Reduce the MTU of the VPN tunnel
-# Some cloud and internet providers use a smaller MTU (Maximum Transmission
-# Unit) than the normal value of 1500 and if you don't reduce the MTU of your
-# VPN tunnel some network connections will hang. Algo will attempt to set this
-# automatically based on your server, but if connections hang you might need to
-# adjust this yourself.
-# See: https://github.com/trailofbits/algo/blob/master/docs/troubleshooting.md#various-websites-appear-to-be-offline-through-the-vpn
+# Reduce MTU if connections hang (0 = auto-detect)
+# See: docs/troubleshooting.md#various-websites-appear-to-be-offline-through-the-vpn
 reduce_mtu: 0
 
-# Algo will use the following lists to block ads. You can add new block lists
-# after deployment by modifying the line starting "BLOCKLIST_URLS=" at:
-# /usr/local/sbin/adblock.sh
-# If you load very large blocklists, you may also have to modify resource limits:
-# /etc/systemd/system/dnsmasq.service.d/100-CustomLimitations.conf
+# Ad blocking lists (modify /usr/local/sbin/adblock.sh after deployment to add more)
 adblock_lists:
- - "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
+  - "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
 
-# Enable DNS encryption.
-# If 'false', 'dns_servers' should be specified below.
-# DNS encryption can not be disabled if DNS adblocking is enabled
+# DNS encryption (required if using ad blocking)
 dns_encryption: true
 
-# Block traffic between connected clients. Change this to false to enable
-# connected clients to reach each other, as well as other computers on the
-# same LAN as your Algo server (i.e. the "road warrior" setup). In this
-# case, you may also want to enable SMB/CIFS and NETBIOS traffic below.
+# Client isolation (set false for "road warrior" setup where clients can reach each other)
 BetweenClients_DROP: true
+block_smb: true          # Block SMB/CIFS traffic
+block_netbios: true      # Block NETBIOS traffic
 
-# Block SMB/CIFS traffic
-block_smb: true
-
-# Block NETBIOS traffic
-block_netbios: true
-
-# Your Algo server will automatically install security updates. Some updates
-# require a reboot to take effect but your Algo server will not reboot itself
-# automatically unless you change 'enabled' below from 'false' to 'true', in
-# which case a reboot will take place if necessary at the time specified (as
-# HH:MM) in the time zone of your Algo server. The default time zone is UTC.
+# Automatic reboot for security updates (time in server's timezone, default UTC)
 unattended_reboot:
   enabled: false
   time: 06:00
 
+### Privacy Settings ###
+# StrongSwan connection logging (-1 = disabled, 2 = debug)
+strongswan_log_level: -1
+
+# Master switch for privacy enhancements (log rotation, history clearing, etc.)
+# Set to false for debugging. For advanced privacy options, see roles/privacy/defaults/main.yml
+privacy_enhancements_enabled: true
+
 ### Advanced users only below this line ###
 
-# DNS servers which will be used if 'dns_encryption' is 'true'. Multiple
-# providers may be specified, but avoid mixing providers that filter results
-# (like Cisco) with those that don't (like Cloudflare) or you could get
-# inconsistent results. The list of available public providers can be found
-# here:
-# https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md
+# DNSCrypt providers (see https://github.com/DNSCrypt/dnscrypt-resolvers/blob/master/v2/public-resolvers.md)
 dnscrypt_servers:
   ipv4:
     - cloudflare
 #   - google
-#   - <YourCustomServer>  # E.g., if using NextDNS, this will be something like NextDNS-abc123.
-                          # You must also fill in custom_server_stamps below. You may specify
-                          # multiple custom servers.
+#   - YourCustomServer  # For NextDNS etc., add stamp below
   ipv6:
     - cloudflare-ipv6
 
 custom_server_stamps:
 # YourCustomServer: 'sdns://...'
 
-# DNS servers which will be used if 'dns_encryption' is 'false'.
-# Fallback resolvers for systemd-resolved
-# The default is to use Cloudflare.
+# DNS servers when encryption is disabled
 dns_servers:
   ipv4:
     - 1.1.1.1
@@ -120,37 +75,36 @@ dns_servers:
     - 2606:4700:4700::1111
     - 2606:4700:4700::1001
 
-# Store the PKI in a ram disk. Enabled only if store_pki (retain the PKI) is set to false
-# Supports on MacOS and Linux only (including Windows Subsystem for Linux)
+# Store PKI in RAM disk when not retaining (MacOS/Linux only)
 pki_in_tmpfs: true
 
-# Set this to 'true' when running './algo update-users' if you want ALL users to get new certs, not just new users.
+# Regenerate ALL user certs on update-users (not just new users)
 keys_clean_all: false
 
-# StrongSwan log level
-# https://wiki.strongswan.org/projects/strongswan/wiki/LoggerConfiguration
-strongswan_log_level: 2
-
-# rightsourceip for ipsec
-# ipv4
+### VPN Network Configuration ###
 strongswan_network: 10.48.0.0/16
-# ipv6
 strongswan_network_ipv6: '2001:db8:4160::/48'
 
-# If you're behind NAT or a firewall and you want to receive incoming connections long after network traffic has gone silent.
-# This option will keep the "connection" open in the eyes of NAT.
-# See: https://www.wireguard.com/quickstart/#nat-and-firewall-traversal-persistence
-wireguard_PersistentKeepalive: 0
-
-# WireGuard network configuration
 wireguard_network_ipv4: 10.49.0.0/16
 wireguard_network_ipv6: 2001:db8:a160::/48
 
+# Keep NAT connections alive (0 = disabled)
+wireguard_PersistentKeepalive: 0
+
+### Experimental Performance Options ###
+# These are experimental and may cause issues. Enable at your own risk.
+# performance_skip_optional_reboots: false  # Skip non-kernel reboots
+# performance_parallel_crypto: false        # Parallel key generation
+# performance_parallel_packages: false      # Batch package installation
+# performance_preinstall_packages: false    # Pre-install via cloud-init
+# performance_parallel_services: false      # Configure VPN services in parallel
+
 # Randomly generated IP address for the local dns resolver
 local_service_ip: "{{ '172.16.0.1' | ansible.utils.ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"
 local_service_ipv6: "{{ 'fd00::1' | ansible.utils.ipmath(1048573 | random(seed=algo_server_name + ansible_fqdn)) }}"
 
-# Hide sensitive data
+# Hide sensitive data in Ansible output during deployment (passwords, keys, etc.)
+# This is NOT related to privacy/logging on the VPN server itself
 algo_no_log: true
 
 congrats:
@@ -218,11 +172,11 @@ cloud_providers:
     image: Ubuntu 22.04 Jammy Jellyfish
     arch: x86_64
   hetzner:
-    server_type: cpx11 
+    server_type: cpx11
     image: ubuntu-22.04
   openstack:
     flavor_ram: ">=512"
-    image:  Ubuntu-22.04
+    image: Ubuntu-22.04
   cloudstack:
     size: Micro
     image: Linux Ubuntu 22.04 LTS 64-bit

docs/faq.md

@@ -10,6 +10,7 @@
 * [I deployed an Algo server. Can you update it with new features?](#i-deployed-an-algo-server-can-you-update-it-with-new-features)
 * [Where did the name "Algo" come from?](#where-did-the-name-algo-come-from)
 * [Can DNS filtering be disabled?](#can-dns-filtering-be-disabled)
+* [Does Algo support zero logging?](#does-algo-support-zero-logging)
 * [Wasn't IPSEC backdoored by the US government?](#wasnt-ipsec-backdoored-by-the-us-government)
 * [What inbound ports are used?](#what-inbound-ports-are-used)
 * [How do I monitor user activity?](#how-do-i-monitor-user-activity)
@@ -59,6 +60,10 @@ Algo is short for "Al Gore", the **V**ice **P**resident of **N**etworks everywhe
 
 You can temporarily disable DNS filtering for all IPsec clients at once with the following workaround: SSH to your Algo server (using the 'shell access' command printed upon a successful deployment), edit `/etc/ipsec.conf`, and change `rightdns=<random_ip>` to `rightdns=8.8.8.8`. Then run `sudo systemctl restart strongswan`. DNS filtering for WireGuard clients has to be disabled on each client device separately by modifying the settings in the app, or by directly modifying the `DNS` setting on the `clientname.conf` file. If all else fails, we recommend deploying a new Algo server without the adblocking feature enabled.
 
+## Does Algo support zero logging?
+
+Yes, Algo includes privacy enhancements that minimize logging by default. StrongSwan connection logging is disabled, DNSCrypt syslog is turned off, and logs are automatically rotated after 7 days. However, some system-level logging remains for security and troubleshooting purposes. For detailed privacy configuration and limitations, see the [Privacy and Logging](#privacy-and-logging) section in the README.
+
 ## Wasn't IPSEC backdoored by the US government?
 
 No.

roles/client/tasks/main.yml

@@ -45,11 +45,14 @@
     dest: "{{ item.dest }}"
     line: "{{ item.line }}"
     create: true
+    mode: "{{ item.mode }}"
   with_items:
     - dest: "{{ configs_prefix }}/ipsec.conf"
       line: include ipsec.{{ IP_subject_alt_name }}.conf
+      mode: '0644'
     - dest: "{{ configs_prefix }}/ipsec.secrets"
       line: include ipsec.{{ IP_subject_alt_name }}.secrets
+      mode: '0600'
   notify:
     - restart strongswan
 
@@ -59,18 +62,22 @@
     dest: "{{ configs_prefix }}/strongswan.d/relax-ca-constraints.conf"
     owner: root
     group: root
-    mode: 0644
+    mode: '0644'
 
 - name: Setup the certificates and keys
   template:
     src: "{{ item.src }}"
     dest: "{{ item.dest }}"
+    mode: "{{ item.mode }}"
   with_items:
     - src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/certs/{{ vpn_user }}.crt
       dest: "{{ configs_prefix }}/ipsec.d/certs/{{ vpn_user }}.crt"
+      mode: '0644'
     - src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/cacert.pem
       dest: "{{ configs_prefix }}/ipsec.d/cacerts/{{ IP_subject_alt_name }}.pem"
+      mode: '0644'
     - src: configs/{{ IP_subject_alt_name }}/ipsec/.pki/private/{{ vpn_user }}.key
       dest: "{{ configs_prefix }}/ipsec.d/private/{{ vpn_user }}.key"
+      mode: '0600'
   notify:
     - restart strongswan

roles/cloud-azure/tasks/prompts.yml

@@ -4,6 +4,7 @@
     tenant: "{{ azure_tenant | default(lookup('env', 'AZURE_TENANT'), true) }}"
     client_id: "{{ azure_client_id | default(lookup('env', 'AZURE_CLIENT_ID'), true) }}"
     subscription_id: "{{ azure_subscription_id | default(lookup('env', 'AZURE_SUBSCRIPTION_ID'), true) }}"
+  no_log: true
 
 - block:
     - name: Set the default region

roles/cloud-cloudstack/tasks/main.yml

@@ -57,3 +57,4 @@
     CLOUDSTACK_KEY: "{{ algo_cs_key }}"
     CLOUDSTACK_SECRET: "{{ algo_cs_token }}"
     CLOUDSTACK_ENDPOINT: "{{ algo_cs_url }}"
+  no_log: true

roles/cloud-cloudstack/tasks/prompts.yml

@@ -8,6 +8,7 @@
       when:
         - cs_key is undefined
         - lookup('env', 'CLOUDSTACK_KEY')|length <= 0
+      no_log: true
 
     - pause:
         prompt: |
@@ -17,6 +18,7 @@
       when:
         - cs_secret is undefined
         - lookup('env', 'CLOUDSTACK_SECRET')|length <= 0
+      no_log: true
 
     - pause:
         prompt: |
@@ -34,6 +36,7 @@
           {{ cs_url | default(_cs_url.user_input|default(None)) |
              default(lookup('env', 'CLOUDSTACK_ENDPOINT'), true) |
              default('https://api.exoscale.com/compute', true) }}
+      no_log: true
 
     - name: Get zones on cloud
       cs_zone_info:
@@ -42,6 +45,7 @@
         CLOUDSTACK_KEY: "{{ algo_cs_key }}"
         CLOUDSTACK_SECRET: "{{ algo_cs_token }}"
         CLOUDSTACK_ENDPOINT: "{{ algo_cs_url }}"
+      no_log: true
 
     - name: Extract zones from output
       set_fact:

roles/cloud-digitalocean/tasks/prompts.yml

@@ -7,10 +7,12 @@
   when:
     - do_token is undefined
     - lookup('env', 'DO_API_TOKEN')|length <= 0
+  no_log: true
 
 - name: Set the token as a fact
   set_fact:
     algo_do_token: "{{ do_token | default(_do_token.user_input | default(None)) | default(lookup('env', 'DO_API_TOKEN'), true) }}"
+  no_log: true
 
 - name: Get regions
   uri:
@@ -21,6 +23,7 @@
       Content-Type: application/json
       Authorization: Bearer {{ algo_do_token }}
   register: _do_regions
+  no_log: true
 
 - name: Set facts about the regions
   set_fact:

roles/cloud-ec2/tasks/cloudformation.yml

@@ -20,3 +20,4 @@
     tags:
       Environment: Algo
   register: stack
+  no_log: true