roles: run ansible-lint --write

roles/caddy/tasks/main.yml

@@ -18,7 +18,7 @@
     dest: /etc/apt/keyrings/caddy-stable-archive-keyring.key
     owner: root
     group: root
-    mode: 0644
+    mode: "0644"
   register: download_caddy_signing_key
   when: not caddy_signing_key_stat.stat.exists
   tags:
@@ -27,7 +27,7 @@
 
 - name: Add Caddy stable repo
   ansible.builtin.apt_repository:
-    repo: 'deb [signed-by=/etc/apt/keyrings/caddy-stable-archive-keyring.key] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main'
+    repo: deb [signed-by=/etc/apt/keyrings/caddy-stable-archive-keyring.key] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main
     filename: caddy-stable
     state: present
   register: add_caddy_apt_repository
@@ -38,9 +38,7 @@
 - name: Update apt cache
   ansible.builtin.apt: # noqa no-handler
     update_cache: true
-  when:
+  when: (download_caddy_signing_key.status_code is defined and download_caddy_signing_key.status_code == 200) or add_caddy_apt_repository is changed
-    (download_caddy_signing_key.status_code is defined and download_caddy_signing_key.status_code == 200) or
-    add_caddy_apt_repository is changed
   tags:
     - packages
     - caddy
@@ -59,7 +57,7 @@
   ansible.builtin.template:
     src: etc/caddy/Caddyfile.j2
     dest: /etc/caddy/Caddyfile
-    mode: 0755
+    mode: "0755"
     owner: root
     group: root
   notify:
@@ -70,7 +68,7 @@
   ansible.builtin.file:
     path: /etc/caddy/conf.d
     state: directory
-    mode: 0755
+    mode: "0755"
     owner: root
     group: root
 

roles/caddy/tasks/vhosts.yml

@@ -1,10 +1,9 @@
 ---
-
 - name: Configure vhosts
   ansible.builtin.template:
     src: etc/caddy/conf.d/vhost.j2
     dest: /etc/caddy/conf.d/{{ item.domain_name }}
-    mode: 0644
+    mode: "0644"
     owner: root
     group: root
   loop: "{{ nginx_vhosts }}"

roles/mariadb/tasks/main.yml

@@ -1,7 +1,7 @@
 ---
 - name: Remove MariaDB key from apt-key
   ansible.builtin.apt_key:
-    id: 0x177F4010FE56CA3336300305F1656F24C74CD1D8
+    id: "013577200103762554506315430003013705453362230723150730"
     state: absent
   tags:
     - packages
@@ -21,7 +21,7 @@
     dest: /etc/apt/keyrings/mariadb_release_signing_key.asc
     owner: root
     group: root
-    mode: 0644
+    mode: "0644"
   register: download_mariadb_signing_key
   when: not mariadb_signing_key_stat.stat.exists
   tags:
@@ -30,7 +30,8 @@
 
 - name: Add MariaDB 10.6 repo
   ansible.builtin.apt_repository:
-    repo: 'deb [arch=amd64 signed-by=/etc/apt/keyrings/mariadb_release_signing_key.asc] https://dlm.mariadb.com/repo/mariadb-server/10.6/repo/debian {{ ansible_distribution_release }} main'
+    repo: deb [arch=amd64 signed-by=/etc/apt/keyrings/mariadb_release_signing_key.asc] https://dlm.mariadb.com/repo/mariadb-server/10.6/repo/debian {{ ansible_distribution_release
+      }} main
     filename: mariadb
     state: present
   register: add_mariadb_apt_repository
@@ -41,16 +42,14 @@
 - name: Update apt cache
   ansible.builtin.apt: # noqa no-handler
     update_cache: true
-  when:
+  when: (download_mariadb_signing_key.status_code is defined and download_mariadb_signing_key.status_code == 200) or add_mariadb_apt_repository is changed
-    (download_mariadb_signing_key.status_code is defined and download_mariadb_signing_key.status_code == 200) or
-    add_mariadb_apt_repository is changed
   tags:
     - packages
     - mariadb
 
 - name: Install mariadb-server
   ansible.builtin.apt:
-    name: ['mariadb-server', 'python3-pymysql']
+    name: [mariadb-server, python3-pymysql]
     state: present
     cache_valid_time: 3600
   tags: mariadb, packages
@@ -61,7 +60,7 @@
     dest: /etc/mysql/my.cnf
     owner: root
     group: root
-    mode: 0644
+    mode: "0644"
   notify:
     - restart mariadb
   tags: mariadb
@@ -83,7 +82,7 @@
     src: .my.cnf.j2
     dest: /root/.my.cnf
     owner: root
-    mode: 0600
+    mode: "0600"
   tags: mariadb
 
 # See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_db_module.html

roles/nginx/defaults/main.yml

@@ -14,11 +14,11 @@ nginx_ssl_session_cache: shared:SSL:10m
 # 1400 bytes to fit in one MTU (default is 16k!)
 nginx_ssl_buffer_size: 1400
 nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
-nginx_ssl_protocols: 'TLSv1.2 TLSv1.3'
+nginx_ssl_protocols: TLSv1.2 TLSv1.3
 
 # DNS resolvers for OCSP stapling (default to Cloudflare public DNS)
 # See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
-nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]'
+nginx_ssl_stapling_resolver: 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]
 
 # HTTP Strict-Transport-Security header, recommended by Google to be ~1 year
 # in seconds, see: https://hstspreload.org/

roles/nginx/tasks/letsencrypt.yml

@@ -1,91 +1,90 @@
 ---
-
 # Use acme.sh instead of certbot because they only support installation via
 # snap now.
 - block:
-  - name: Remove certbot
+    - name: Remove certbot
-    ansible.builtin.apt:
+      ansible.builtin.apt:
-      name: certbot
+        name: certbot
-      state: absent
+        state: absent
 
-  - name: Remove old certbot post and pre hooks for nginx
+    - name: Remove old certbot post and pre hooks for nginx
-    ansible.builtin.file:
+      ansible.builtin.file:
-      dest: "{{ item }}"
+        dest: "{{ item }}"
-      state: absent
+        state: absent
-    with_items:
+      with_items:
-      - /etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh
+        - /etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh
-      - /etc/letsencrypt/renewal-hooks/post/start-nginx.sh
+        - /etc/letsencrypt/renewal-hooks/post/start-nginx.sh
 
-  - name: Check if acme.sh is installed
+    - name: Check if acme.sh is installed
-    ansible.builtin.stat:
+      ansible.builtin.stat:
-      path: "{{ letsencrypt_acme_home }}"
+        path: "{{ letsencrypt_acme_home }}"
-    register: acme_home
+      register: acme_home
 
-  - name: Download acme.sh
+    - name: Download acme.sh
-    ansible.builtin.get_url:
+      ansible.builtin.get_url:
-      url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
+        url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
-      dest: "{{ letsencrypt_acme_script_temp }}"
+        dest: "{{ letsencrypt_acme_script_temp }}"
-      mode: 0700
+        mode: "0700"
-    register: acme_download
+      register: acme_download
-    when: not acme_home.stat.exists
+      when: not acme_home.stat.exists
 
-  # Run the "install" for acme.sh so it creates the .acme.sh dir (currently I
+    # Run the "install" for acme.sh so it creates the .acme.sh dir (currently I
-  # have to chdir to the /root directory where the script exists or else it
+    # have to chdir to the /root directory where the script exists or else it
-  # fails. Ansible runs it, but the script can't find itself...).
+    # fails. Ansible runs it, but the script can't find itself...).
-  - name: Install acme.sh
+    - name: Install acme.sh
-    ansible.builtin.command:
+      ansible.builtin.command:
-      cmd: "{{ letsencrypt_acme_script_temp }} --install --no-profile --no-cron"
+        cmd: "{{ letsencrypt_acme_script_temp }} --install --no-profile --no-cron"
-      creates: "{{ letsencrypt_acme_home }}/acme.sh"
+        creates: "{{ letsencrypt_acme_home }}/acme.sh"
-      chdir: /root
+        chdir: /root
-    register: acme_install
+      register: acme_install
-    when: acme_download is changed
+      when: acme_download is changed
 
-  - name: Remove temporary acme.sh script
+    - name: Remove temporary acme.sh script
-    ansible.builtin.file:
+      ansible.builtin.file:
-      dest: "{{ letsencrypt_acme_script_temp }}"
+        dest: "{{ letsencrypt_acme_script_temp }}"
-      state: absent
+        state: absent
-    when:
+      when:
-      - acme_install.rc is defined
+        - acme_install.rc is defined
-      - acme_install.rc == 0
+        - acme_install.rc == 0
 
-  - name: Set default certificate authority for acme.sh
+    - name: Set default certificate authority for acme.sh
-    ansible.builtin.command:
+      ansible.builtin.command:
-      cmd: "{{ letsencrypt_acme_home }}/acme.sh --set-default-ca --server letsencrypt"
+        cmd: "{{ letsencrypt_acme_home }}/acme.sh --set-default-ca --server letsencrypt"
 
-  - name: Prepare Let's Encrypt well-known directory
+    - name: Prepare Let's Encrypt well-known directory
-    ansible.builtin.file:
+      ansible.builtin.file:
-      state: directory
+        state: directory
-      path: /var/lib/letsencrypt/.well-known
+        path: /var/lib/letsencrypt/.well-known
-      owner: root
+        owner: root
-      group: nginx
+        group: nginx
-      mode: g+s
+        mode: g+s
 
-  - name: Copy systemd service to renew Let's Encrypt certs
+    - name: Copy systemd service to renew Let's Encrypt certs
-    ansible.builtin.template:
+      ansible.builtin.template:
-      src: renew-letsencrypt.service.j2
+        src: renew-letsencrypt.service.j2
-      dest: /etc/systemd/system/renew-letsencrypt.service
+        dest: /etc/systemd/system/renew-letsencrypt.service
-      mode: 0644
+        mode: "0644"
-      owner: root
+        owner: root
-      group: root
+        group: root
 
-  - name: Copy systemd timer to renew Let's Encrypt certs
+    - name: Copy systemd timer to renew Let's Encrypt certs
-    ansible.builtin.copy:
+      ansible.builtin.copy:
-      src: renew-letsencrypt.timer
+        src: renew-letsencrypt.timer
-      dest: /etc/systemd/system/renew-letsencrypt.timer
+        dest: /etc/systemd/system/renew-letsencrypt.timer
-      mode: 0644
+        mode: "0644"
-      owner: root
+        owner: root
-      group: root
+        group: root
 
-  # always issues daemon-reload just in case the service/timer changed
+    # always issues daemon-reload just in case the service/timer changed
-  - name: Start and enable systemd timer to renew Let's Encrypt certs
+    - name: Start and enable systemd timer to renew Let's Encrypt certs
-    ansible.builtin.systemd:
+      ansible.builtin.systemd:
-      name: renew-letsencrypt.timer
+        name: renew-letsencrypt.timer
-      state: started
+        state: started
-      enabled: true
+        enabled: true
-      daemon_reload: true
+        daemon_reload: true
 
-  when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '=='))
+  when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version
-        or (ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '>='))
+    is version('11', '>='))
   tags: letsencrypt
 
 # vim: set ts=2 sw=2:

roles/nginx/tasks/main.yml

@@ -1,7 +1,7 @@
 ---
 - name: Remove nginx apt signing key from apt-key
   ansible.builtin.apt_key:
-    id: 0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
+    id: "053473772654754373614404074646527257655730117366337542"
     state: absent
   tags:
     - packages
@@ -21,7 +21,7 @@
     dest: /usr/share/keyrings/nginx_signing.key
     owner: root
     group: root
-    mode: 0644
+    mode: "0644"
   register: download_nginx_signing_key
   when: not nginx_signing_key_stat.stat.exists
   tags:
@@ -34,7 +34,7 @@
     dest: /etc/apt/sources.list.d/nginx_org_sources.list
     owner: root
     group: root
-    mode: 0644
+    mode: "0644"
   register: add_nginx_apt_repository
   tags:
     - nginx
@@ -43,9 +43,7 @@
 - name: Update apt cache
   ansible.builtin.apt: # noqa no-handler
     update_cache: true
-  when:
+  when: (download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or add_nginx_apt_repository is changed
-    (download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or
-    add_nginx_apt_repository is changed
 
 - name: Install nginx
   ansible.builtin.apt:
@@ -60,7 +58,7 @@
   ansible.builtin.template:
     src: nginx.conf.j2
     dest: /etc/nginx/nginx.conf
-    mode: 0644
+    mode: "0644"
     owner: root
     group: root
   notify:
@@ -70,8 +68,8 @@
 - name: Copy extra nginx configs
   ansible.builtin.copy:
     src: "{{ item }}"
-    dest: "/etc/nginx/{{ item }}"
+    dest: /etc/nginx/{{ item }}
-    mode: 0644
+    mode: "0644"
     owner: root
     group: root
   loop:
@@ -93,7 +91,7 @@
     state: directory
     owner: nginx
     group: nginx
-    mode: 0755
+    mode: "0755"
   tags: nginx
 
 - name: Configure nginx virtual hosts
@@ -110,7 +108,7 @@
   ansible.builtin.template:
     src: blank-vhost.conf.j2
     dest: "{{ nginx_confd_path }}/blank-vhost.conf"
-    mode: 0644
+    mode: "0644"
     owner: root
     group: root
   notify:
@@ -121,7 +119,7 @@
   ansible.builtin.copy:
     src: munin.conf
     dest: /etc/nginx/conf.d/munin.conf
-    mode: 0644
+    mode: "0644"
     owner: root
     group: root
   notify:

roles/nginx/tasks/vhosts.yml

@@ -1,29 +1,29 @@
 ---
-
 - block:
-  - name: Configure https vhosts
+    - name: Configure https vhosts
-    ansible.builtin.template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root
+      ansible.builtin.template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root
-    loop: "{{ nginx_vhosts }}"
+      loop: "{{ nginx_vhosts }}"
-    notify:
+      notify:
-      - reload nginx
+        - reload nginx
 
-  - name: Generate self-signed TLS cert
+    - name: Generate self-signed TLS cert
-    ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
+      ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key
-    notify:
+        -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
-      - reload nginx
+      notify:
+        - reload nginx
 
-  - name: Download 4096-bit RFC 7919 dhparams
+    - name: Download 4096-bit RFC 7919 dhparams
-    ansible.builtin.get_url:
+      ansible.builtin.get_url:
-      url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
+        url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
-      checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3
+        checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3
-      dest: "{{ nginx_ssl_dhparam }}"
+        dest: "{{ nginx_ssl_dhparam }}"
-    notify:
+      notify:
-      - reload nginx
+        - reload nginx
 
-  # TODO: this could break because we can override the document root in host vars
+    # TODO: this could break because we can override the document root in host vars
-  - name: Create vhost document roots
+    - name: Create vhost document roots
-    ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=nginx group=nginx
+      ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=nginx group=nginx
-    loop: "{{ nginx_vhosts }}"
+      loop: "{{ nginx_vhosts }}"
   tags: nginx
 
 # vim: set ts=2 sw=2:

roles/nginx/tasks/wordpress.yml

@@ -1,19 +1,19 @@
 ---
-
 - block:
-  - name: Install WordPress
+    - name: Install WordPress
-    ansible.builtin.git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version }} depth=1 force=true
+      ansible.builtin.git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version
-    when:
+        }} depth=1 force=true
-      - item.has_wordpress is defined
+      when:
-      - item.has_wordpress
+        - item.has_wordpress is defined
-    loop: "{{ nginx_vhosts }}"
+        - item.has_wordpress
+      loop: "{{ nginx_vhosts }}"
 
-  - name: Fix WordPress directory permissions
+    - name: Fix WordPress directory permissions
-    ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=true
+      ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=true
-    when:
+      when:
-      - item.has_wordpress is defined
+        - item.has_wordpress is defined
-      - item.has_wordpress
+        - item.has_wordpress
-    loop: "{{ nginx_vhosts }}"
+      loop: "{{ nginx_vhosts }}"
   tags: wordpress
 
 # vim: set ts=2 sw=2:

roles/php-fpm/tasks/Debian_12.yml

@@ -1,49 +1,48 @@
 ---
-
 - block:
-  - name: Set php-fpm packages
+    - name: Set php-fpm packages
-    ansible.builtin.set_fact:
+      ansible.builtin.set_fact:
-      php_fpm_packages:
+        php_fpm_packages:
-        - php8.2-fpm
+          - php8.2-fpm
-        # for WordPress
+          # for WordPress
-        - php8.2-mysql
+          - php8.2-mysql
-        - php8.2-gd
+          - php8.2-gd
-        - php8.2-curl
+          - php8.2-curl
-        - php8.2-xml
+          - php8.2-xml
 
-  - name: Install php-fpm and deps
+    - name: Install php-fpm and deps
-    ansible.builtin.apt:
+      ansible.builtin.apt:
-      name: "{{ php_fpm_packages }}"
+        name: "{{ php_fpm_packages }}"
-      state: present
+        state: present
-      update_cache: true
+        update_cache: true
 
-  # only copy php-fpm config for vhosts that need WordPress or PHP
+    # only copy php-fpm config for vhosts that need WordPress or PHP
-  - name: Copy php-fpm pool config
+    - name: Copy php-fpm pool config
-    ansible.builtin.template:
+      ansible.builtin.template:
-      src: php8.2-pool.conf.j2
+        src: php8.2-pool.conf.j2
-      dest: /etc/php/8.2/fpm/pool.d/{{ item.domain_name }}.conf
+        dest: /etc/php/8.2/fpm/pool.d/{{ item.domain_name }}.conf
-      owner: root
+        owner: root
-      group: root
+        group: root
-      mode: 0644
+        mode: "0644"
-    loop: "{{ nginx_vhosts }}"
+      loop: "{{ nginx_vhosts }}"
-    when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
+      when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
-    notify: reload php8.2-fpm
+      notify: reload php8.2-fpm
 
-  - name: Remove default www pool
+    - name: Remove default www pool
-    ansible.builtin.file:
+      ansible.builtin.file:
-      path: /etc/php/8.2/fpm/pool.d/www.conf
+        path: /etc/php/8.2/fpm/pool.d/www.conf
-      state: absent
+        state: absent
-    notify: reload php8.2-fpm
+      notify: reload php8.2-fpm
 
-  # re-configure php.ini
+    # re-configure php.ini
-  - name: Update php.ini
+    - name: Update php.ini
-    ansible.builtin.template:
+      ansible.builtin.template:
-      src: php8.2-php.ini.j2
+        src: php8.2-php.ini.j2
-      dest: /etc/php/8.2/fpm/php.ini
+        dest: /etc/php/8.2/fpm/php.ini
-      owner: root
+        owner: root
-      group: root
+        group: root
-      mode: 0644
+        mode: "0644"
-    notify: reload php8.2-fpm
+      notify: reload php8.2-fpm
 
   tags: php-fpm
   when: install_php

roles/php-fpm/tasks/Ubuntu_20.04.yml

@@ -1,34 +1,33 @@
 ---
-
 - block:
-  - name: Set php-fpm packages
+    - name: Set php-fpm packages
-    ansible.builtin.set_fact:
+      ansible.builtin.set_fact:
-      php_fpm_packages:
+        php_fpm_packages:
-        - php7.4-fpm
+          - php7.4-fpm
-        # for WordPress
+          # for WordPress
-        - php7.4-mysql
+          - php7.4-mysql
-        - php7.4-gd
+          - php7.4-gd
-        - php7.4-curl
+          - php7.4-curl
-        - php7.4-xml
+          - php7.4-xml
 
-  - name: Install php-fpm and deps
+    - name: Install php-fpm and deps
-    ansible.builtin.apt: name={{ php_fpm_packages }} state=present update_cache=true
+      ansible.builtin.apt: name={{ php_fpm_packages }} state=present update_cache=true
 
-  # only copy php-fpm config for vhosts that need WordPress or PHP
+    # only copy php-fpm config for vhosts that need WordPress or PHP
-  - name: Copy php-fpm pool config
+    - name: Copy php-fpm pool config
-    ansible.builtin.template: src=php7.4-pool.conf.j2 dest=/etc/php/7.4/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
+      ansible.builtin.template: src=php7.4-pool.conf.j2 dest=/etc/php/7.4/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
-    loop: "{{ nginx_vhosts }}"
+      loop: "{{ nginx_vhosts }}"
-    when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
+      when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
-    notify: reload php7.4-fpm
+      notify: reload php7.4-fpm
 
-  - name: Remove default www pool
+    - name: Remove default www pool
-    ansible.builtin.file: path=/etc/php/7.4/fpm/pool.d/www.conf state=absent
+      ansible.builtin.file: path=/etc/php/7.4/fpm/pool.d/www.conf state=absent
-    notify: reload php7.4-fpm
+      notify: reload php7.4-fpm
 
-  # re-configure php.ini
+    # re-configure php.ini
-  - name: Update php.ini
+    - name: Update php.ini
-    ansible.builtin.template: src=php7.4-php.ini.j2 dest=/etc/php/7.4/fpm/php.ini owner=root group=root mode=0644
+      ansible.builtin.template: src=php7.4-php.ini.j2 dest=/etc/php/7.4/fpm/php.ini owner=root group=root mode=0644
-    notify: reload php7.4-fpm
+      notify: reload php7.4-fpm
 
   tags: php-fpm
   when: install_php

roles/php-fpm/tasks/main.yml

@@ -11,13 +11,13 @@
 - name: Check if any vhost needs WordPress
   ansible.builtin.set_fact:
     install_php: true
-  when: "nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', true) | list | length > 0"
+  when: nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', true) | list | length > 0
 
 # Legacy, was only for Piwik, but leaving for now.
 - name: Check if any vhost needs PHP
   ansible.builtin.set_fact:
     install_php: true
-  when: "nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', true) | list | length > 0"
+  when: nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', true) | list | length > 0
 
 # If install_php has not been set, then we assume no vhosts need PHP. This is
 # a bit hacky, but it's the closest we come to an if/then/else.
@@ -31,7 +31,7 @@
   when:
     - ansible_distribution == 'Ubuntu'
     - ansible_distribution_version is version('20.04', '==')
-    - install_php == true
+    - install_php
   tags: php-fpm
 
 - name: Configure php-fpm on Debian 11
@@ -39,7 +39,7 @@
   when:
     - ansible_distribution == 'Debian'
     - ansible_distribution_major_version is version('11', '==')
-    - install_php == true
+    - install_php
   tags: php-fpm
 
 - name: Configure php-fpm on Debian 12
@@ -47,7 +47,7 @@
   when:
     - ansible_distribution == 'Debian'
     - ansible_distribution_major_version is version('12', '==')
-    - install_php == true
+    - install_php
   tags: php-fpm
 
 # vim: set ts=2 sw=2: