refactor: Enhance privacy implementation with surgical filtering and comprehensive documentation

- **StrongSwan Logging**: Changed from level 0 to level 1 (alert) to preserve critical error reporting
- **DNS Configuration**: Made syslog logging configurable based on privacy settings instead of hardcoded disable
- **Regex Security**: Strengthened rsyslog patterns with anchored matching to prevent bypass attempts
- **Variable Consistency**: Standardized on `privacy_enhanced` throughout codebase

Added inline documentation to 50+ `no_log: true` directives across all cloud providers:
- **AWS (EC2/Lightsail)**: Access keys, secret keys, AMI searches, CloudFormation operations
- **DigitalOcean/Linode/Vultr**: API tokens, authorization headers, region queries
- **Google Cloud**: Service account credentials, project information
- **Azure**: Service principal credentials, pip installation output
- **Hetzner/CloudStack**: API keys, secrets, endpoints
- **Scaleway**: API configuration paths

- **Smart Filtering**: Hide user activity (handshakes, connections) while preserving operational logs
- **Security Monitoring**: Keep failed handshakes for brute force detection and debugging
- **Strengthened Patterns**: Use character classes `[A-Za-z0-9+/=]` and line anchors `^[^:]*:` for security
- **Configurable DNS**: Privacy-aware syslog control in dnscrypt-proxy configuration

- **Balanced Approach**: Level 1 StrongSwan logging preserves critical errors while maintaining privacy
- **Template Security**: Improved Jinja2 conditional logic for user-friendly boolean rendering
- **Configuration Mapping**: Robust variable handling with secure defaults

- **Cloud Providers**: All major providers now have documented `no_log` usage
- **Privacy Templates**: Enhanced rsyslog filtering with security-focused patterns
- **DNS Configuration**: Privacy-conscious dnscrypt-proxy template updates
- **Core Privacy**: Improved StrongSwan log level handling and variable mapping

- **Credential Protection**: All API tokens, keys, and secrets properly documented and protected
- **Pattern Security**: Regex patterns hardened against injection and bypass attempts
- **Secure Defaults**: `algo_no_log | default(true)` pattern ensures secure-by-default behavior
- **Error Preservation**: Critical system errors and security events always logged

This implementation maintains Algo's security-first philosophy while providing reasonable privacy improvements and comprehensive credential protection.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

Author: dguido

roles/cloud-azure/tasks/prompts.yml

@@ -4,7 +4,7 @@
     tenant: "{{ azure_tenant | default(lookup('env','AZURE_TENANT'), true) }}"
     client_id: "{{ azure_client_id | default(lookup('env','AZURE_CLIENT_ID'), true) }}"
     subscription_id: "{{ azure_subscription_id | default(lookup('env','AZURE_SUBSCRIPTION_ID'), true) }}"
-  no_log: true
+  no_log: true  # Protect Azure service principal credentials from being logged
 
 - block:
     - name: Set the default region

roles/cloud-azure/tasks/venv.yml

@@ -4,4 +4,4 @@
     requirements: https://raw.githubusercontent.com/ansible-collections/azure/v3.7.0/requirements.txt
     state: latest
     virtualenv_python: python3
-  no_log: true
+  no_log: true  # Suppress verbose pip installation output that may contain package paths

roles/cloud-cloudstack/tasks/main.yml

@@ -57,4 +57,4 @@
     CLOUDSTACK_KEY: "{{ algo_cs_key }}"
     CLOUDSTACK_SECRET: "{{ algo_cs_token }}"
     CLOUDSTACK_ENDPOINT: "{{ algo_cs_url }}"
-  no_log: true
+  no_log: true  # Prevent CloudStack API credentials from appearing in server creation logs

roles/cloud-cloudstack/tasks/prompts.yml

@@ -8,7 +8,7 @@
       when:
         - cs_key is undefined
         - lookup('env','CLOUDSTACK_KEY')|length <= 0
-      no_log: true
+      no_log: true  # Protect CloudStack API key from appearing in logs
 
     - pause:
         prompt: |
@@ -18,7 +18,7 @@
       when:
         - cs_secret is undefined
         - lookup('env','CLOUDSTACK_SECRET')|length <= 0
-      no_log: true
+      no_log: true  # Protect CloudStack API secret from appearing in logs
 
     - pause:
         prompt: |
@@ -36,7 +36,7 @@
           {{ cs_url | default(_cs_url.user_input|default(None)) |
              default(lookup('env', 'CLOUDSTACK_ENDPOINT'), true) |
              default('https://api.exoscale.com/compute', true) }}
-      no_log: "{{ algo_no_log | default(true) | bool }}"
+      no_log: "{{ algo_no_log | default(true) | bool }}"  # Protect CloudStack API credentials from being logged
 
     - name: Get zones on cloud
       cs_zone_info:
@@ -45,7 +45,7 @@
         CLOUDSTACK_KEY: "{{ algo_cs_key }}"
         CLOUDSTACK_SECRET: "{{ algo_cs_token }}"
         CLOUDSTACK_ENDPOINT: "{{ algo_cs_url }}"
-      no_log: true
+      no_log: true  # Prevent CloudStack credentials from appearing in API response logs
 
     - name: Extract zones from output
       set_fact:

roles/cloud-digitalocean/tasks/prompts.yml

@@ -7,12 +7,12 @@
   when:
     - do_token is undefined
     - lookup('env','DO_API_TOKEN')|length <= 0
-  no_log: true
+  no_log: true  # Protect API token from appearing in logs
 
 - name: Set the token as a fact
   set_fact:
     algo_do_token: "{{ do_token | default(_do_token.user_input|default(None)) | default(lookup('env','DO_API_TOKEN'), true) }}"
-  no_log: true
+  no_log: true  # Protect API token variable from being logged
 
 - name: Get regions
   uri:
@@ -23,7 +23,7 @@
       Content-Type: application/json
       Authorization: Bearer {{ algo_do_token }}
   register: _do_regions
-  no_log: true
+  no_log: true  # Prevent API token in Authorization header from being logged
 
 - name: Set facts about the regions
   set_fact:

roles/cloud-ec2/tasks/cloudformation.yml

@@ -20,4 +20,4 @@
     tags:
       Environment: Algo
   register: stack
-  no_log: true
+  no_log: true  # Prevent AWS credentials from appearing in CloudFormation deployment logs

roles/cloud-ec2/tasks/main.yml

@@ -15,7 +15,7 @@
       architecture: "{{ cloud_providers.ec2.image.arch }}"
       name: ubuntu/images/hvm-ssd/{{ cloud_providers.ec2.image.name }}-*64-server-*
   register: ami_search
-  no_log: true
+  no_log: true  # Prevent AWS credentials from appearing in AMI search logs
 
 - name: Set the ami id as a fact
   set_fact:

roles/cloud-ec2/tasks/prompts.yml

@@ -63,7 +63,7 @@
          | default(lookup('env', 'AWS_SESSION_TOKEN'))
          | default(_file_session_token)
          | default('') }}
-  no_log: "{{ algo_no_log | default(true) | bool }}"
+  no_log: "{{ algo_no_log | default(true) | bool }}"  # Protect AWS access keys from being logged
 
 - block:
     - name: Get regions
@@ -73,7 +73,7 @@
         aws_session_token: "{{ session_token if session_token else omit }}"
         region: us-east-1
       register: _aws_regions
-      no_log: true
+      no_log: true  # Prevent AWS credentials from appearing in API response logs
 
     - name: Set facts about the regions
       set_fact:
@@ -115,7 +115,7 @@
         aws_session_token: "{{ session_token if session_token else omit }}"
         region: "{{ algo_region }}"
       register: raw_eip_addresses
-      no_log: true
+      no_log: true  # Protect AWS credentials used in EIP API calls from being logged
 
     - set_fact:
         available_eip_addresses: "{{ raw_eip_addresses.addresses | selectattr('association_id', 'undefined') | list }}"

roles/cloud-gce/tasks/prompts.yml

@@ -7,23 +7,23 @@
   when:
     - gce_credentials_file is undefined
     - lookup('env','GCE_CREDENTIALS_FILE_PATH')|length <= 0
-  no_log: true
+  no_log: true  # Protect GCE credentials file path from appearing in logs
 
 - set_fact:
     credentials_file_path: >-
       {{ gce_credentials_file | default(_gce_credentials_file.user_input|default(None)) |
          default(lookup('env','GCE_CREDENTIALS_FILE_PATH'), true) }}
     ssh_public_key_lookup: "{{ lookup('file', '{{ ssh_keys.public }}') }}"
-  no_log: "{{ algo_no_log | default(true) | bool }}"
+  no_log: "{{ algo_no_log | default(true) | bool }}"  # Protect credentials file path and SSH key content from being logged
 
 - set_fact:
     credentials_file_lookup: "{{ lookup('file', '{{ credentials_file_path }}') }}"
-  no_log: true
+  no_log: true  # Protect GCE service account credentials from being logged
 
 - set_fact:
     service_account_email: "{{ credentials_file_lookup.client_email | default(lookup('env','GCE_EMAIL')) }}"
     project_id: "{{ credentials_file_lookup.project_id | default(lookup('env','GCE_PROJECT')) }}"
-  no_log: true
+  no_log: true  # Protect GCE service account email and project ID from being logged
 
 - block:
     - name: Get regions

roles/cloud-hetzner/tasks/prompts.yml

@@ -7,12 +7,12 @@
   when:
     - hcloud_token is undefined
     - lookup('env','HCLOUD_TOKEN')|length <= 0
-  no_log: true
+  no_log: true  # Protect Hetzner Cloud API token from appearing in logs
 
 - name: Set the token as a fact
   set_fact:
     algo_hcloud_token: "{{ hcloud_token | default(_hcloud_token.user_input|default(None)) | default(lookup('env','HCLOUD_TOKEN'), true) }}"
-  no_log: true
+  no_log: true  # Protect Hetzner Cloud API token variable from being logged
 
 - name: Get regions
   hetzner.hcloud.datacenter_info: