diff --git a/roles/common/tasks/firewall_Debian.yml b/roles/common/tasks/firewall_Debian.yml
index 3974c7d..27520c0 100644
--- a/roles/common/tasks/firewall_Debian.yml
+++ b/roles/common/tasks/firewall_Debian.yml
@@ -10,11 +10,11 @@
 - python3-systemd # for fail2ban systemd backend
 - name: Install firewalld and deps
- when: ansible_distribution_major_version is version_compare('9', '>=')
+ when: ansible_distribution_major_version is version('9', '>=')
 apt: pkg={{ debian_firewall_packages }} state=present
 - name: Use iptables backend in firewalld
- when: ansible_distribution_major_version is version_compare('10', '>=')
+ when: ansible_distribution_major_version is version('10', '>=')
 lineinfile:
 dest: /etc/firewalld/firewalld.conf
 regexp: '^FirewallBackend=nftables$'
@@ -26,7 +26,7 @@
 # backend. Using individual calls seems to work around it.
 # See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931722
 - name: Use individual iptables calls
- when: ansible_distribution_major_version is version_compare('10', '>=')
+ when: ansible_distribution_major_version is version('10', '>=')
 lineinfile:
 dest: /etc/firewalld/firewalld.conf
 regexp: '^IndividualCalls=no$'
@@ -35,17 +35,17 @@
 - restart firewalld
 - name: Copy firewalld public zone file
- when: ansible_distribution_major_version is version_compare('9', '>=')
+ when: ansible_distribution_major_version is version('9', '>=')
 template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600
 - name: Format public.xml firewalld zone file
- when: ansible_distribution_major_version is version_compare('9', '>=')
+ when: ansible_distribution_major_version is version('9', '>=')
 command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
 notify:
 - restart firewalld
 - name: Copy ipsets of abusive IPs
- when: ansible_distribution_major_version is version_compare('9', '>=')
+ when: ansible_distribution_major_version is version('9', '>=')
 copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
 loop:
 - abusers-ipv4.xml
@@ -54,7 +54,7 @@
 - restart firewalld
 - include_tasks: fail2ban.yml
- when: ansible_distribution_major_version is version_compare('9', '>=')
+ when: ansible_distribution_major_version is version('9', '>=')
 tags: firewall
 # vim: set sw=2 ts=2:
diff --git a/roles/common/tasks/firewall_Ubuntu.yml b/roles/common/tasks/firewall_Ubuntu.yml
index 0a4d63e..c836d90 100644
--- a/roles/common/tasks/firewall_Ubuntu.yml
+++ b/roles/common/tasks/firewall_Ubuntu.yml
@@ -10,21 +10,21 @@
 - python3-systemd # for fail2ban systemd backend
 - name: Install firewalld and deps
- when: ansible_distribution_version is version_compare('16.04', '>=')
+ when: ansible_distribution_version is version('16.04', '>=')
 apt: pkg={{ ubuntu_firewall_packages }} state=present
 - name: Copy firewalld public zone file
- when: ansible_distribution_version is version_compare('16.04', '>=')
+ when: ansible_distribution_version is version('16.04', '>=')
 template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600
 - name: Format public.xml firewalld zone file
- when: ansible_distribution_version is version_compare('16.04', '>=')
+ when: ansible_distribution_version is version('16.04', '>=')
 command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
 notify:
 - restart firewalld
 - name: Copy ipsets of abusive IPs
- when: ansible_distribution_major_version is version_compare('16.04', '>=')
+ when: ansible_distribution_major_version is version('16.04', '>=')
 copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
 loop:
 - abusers-ipv4.xml
@@ -33,7 +33,7 @@
 - restart firewalld
 - include_tasks: fail2ban.yml
- when: ansible_distribution_version is version_compare('16.04', '>=')
+ when: ansible_distribution_version is version('16.04', '>=')
 tags: firewall
 # vim: set sw=2 ts=2:
diff --git a/roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2 b/roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
index ff5e5ef..b08d5a8 100644
--- a/roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
+++ b/roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
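Review bot: The `when` on "Copy ipsets of abusive IPs" in firewall_Ubuntu.yml still compares `ansible_distribution_major_version` against `'16.04'`, while every other task in this file uses `ansible_distribution_version`. On Ubuntu 16.04 the major-version fact is `16`, which a loose version comparison orders below `16.04`, so the condition is false there and the abusers ipsets are not copied even though the public zone file is still installed. If the zone template references those ipsets (not visible here), firewalld would be left without the blocklist or with a zone it cannot load. Use `when: ansible_distribution_version is version('16.04', '>=')` to match the neighbouring tasks.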
@@ -2,14 +2,14 @@
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectHome=read-only
-{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version_compare('18','==') %}
+{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','==') %}
 ProtectSystem=strict
 {% else %}
 {# Older systemd versions don't have ProtectSystem=strict #}
 ProtectSystem=full
 {% endif %}
 NoNewPrivileges=yes
-{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version_compare('18','==') %}
+{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','==') %}
 ReadWritePaths=-/var/run/fail2ban
 ReadWritePaths=-/var/lib/fail2ban
 ReadWritePaths=-/var/log/fail2ban.log
diff --git a/roles/nginx/tasks/letsencrypt.yml b/roles/nginx/tasks/letsencrypt.yml
index bd31549..e9ff2d4 100644
--- a/roles/nginx/tasks/letsencrypt.yml
+++ b/roles/nginx/tasks/letsencrypt.yml
@@ -17,7 +17,7 @@
 # Dependencies certbot checks for on its first run. I set them in a fact so that
 # I can pass the list directly to the apt module to install in one transaction.
 - name: Set certbot dependencies (Debian 10)
- when: ansible_distribution == 'Debian' and ansible_distribution_major_version is version_compare('10', '==')
+ when: ansible_distribution == 'Debian' and ansible_distribution_major_version is version('10', '==')
 set_fact:
 certbot_dependencies:
 - augeas-lenses
@@ -68,7 +68,7 @@
 # Dependencies certbot checks for on its first run. I set them in a fact so that
 # I can pass the list directly to the apt module to install in one transaction.
 - name: Set certbot dependencies (Debian 9)
- when: ansible_distribution == 'Debian' and ansible_distribution_major_version is version_compare('9', '==')
+ when: ansible_distribution == 'Debian' and ansible_distribution_major_version is version('9', '==')
 set_fact:
 certbot_dependencies:
 - augeas-doc
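Review bot: Both `{% if %}` guards in override.conf.j2 test `ansible_distribution_major_version is version('18','==')` for Ubuntu only, so any later Ubuntu release, and Debian 10 which this commit handles elsewhere, renders the weaker `ProtectSystem=full` and does not take the `ReadWritePaths=` branch. The template comment says the fallback exists for older systemd versions, so an exact match looks narrower than intended. Consider `version('18', '>=')` in both guards, plus a matching Debian clause once the systemd version there is confirmed to support `ProtectSystem=strict`. The second `{% if %}` block continues past the end of the hunk, so its closing branch is not visible here.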
@@ -120,7 +120,7 @@
 # Dependencies certbot checks for on its first run. I set them in a fact so that
 # I can pass the list directly to the apt module to install in one transaction.
 - name: Set certbot dependencies (Ubuntu 16.04)
- when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version_compare('16.04', '==')
+ when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('16.04', '==')
 set_fact:
 certbot_dependencies:
 - augeas-doc
@@ -163,7 +163,7 @@
 # Dependencies certbot checks for on its first run. I set them in a fact so that
 # I can pass the list directly to the apt module to install in one transaction.
 - name: Set certbot dependencies (Ubuntu 18.04)
- when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version_compare('18.04', '==')
+ when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==')
 set_fact:
 certbot_dependencies:
 - augeas-lenses
diff --git a/roles/nginx/templates/vhost.conf.j2 b/roles/nginx/templates/vhost.conf.j2
index e5021b6..b2278ac 100644
--- a/roles/nginx/templates/vhost.conf.j2
+++ b/roles/nginx/templates/vhost.conf.j2
@@ -64,11 +64,11 @@ server {
 fastcgi_param HTTP_PROXY "";
 {# As of Ubuntu 16.04 and Debian 9, the PHP-FPM configs are the same #}
- {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version_compare('16.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version_compare('9', '==')) %}
+ {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('16.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('9', '==')) %}
 fastcgi_pass unix:/run/php/php7.0-fpm-{{ domain_name }}.sock;
- {% elif ansible_distribution == 'Ubuntu' and ansible_distribution_version is version_compare('18.04', '==') %}
+ {% elif ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==') %}
 fastcgi_pass unix:/run/php/php7.2-fpm-{{ domain_name }}.sock;
- {% elif ansible_distribution == 'Debian' and ansible_distribution_version is version_compare('10', '==') %}
+ {% elif ansible_distribution == 'Debian' and ansible_distribution_version is version('10', '==') %}
 fastcgi_pass unix:/run/php/php7.3-fpm-{{ domain_name }}.sock;
 {% else %}
 fastcgi_pass unix:/var/run/php5-fpm-{{ domain_name }}.sock;
diff --git a/roles/php-fpm/tasks/main.yml b/roles/php-fpm/tasks/main.yml
index bd6744e..fa44bf9 100644
--- a/roles/php-fpm/tasks/main.yml
+++ b/roles/php-fpm/tasks/main.yml
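Review bot: The Debian 10 branch tests `ansible_distribution_version is version('10', '==')`, whereas the Debian 9 branch just above it, and the Debian checks in the other files of this commit, use `ansible_distribution_major_version`. If the full-version fact carries a point release on the target (for example `10.1`; this depends on the Ansible release), the equality is false and the vhost falls through to the `php5-fpm` socket in the `{% else %}` branch, which presumably does not exist on that host. Suggest `ansible_distribution_major_version is version('10', '==')` here. The same comparison appears in the "Configure php-fpm on Debian 10" task in roles/php-fpm/tasks/main.yml, where a mismatch would skip the Debian_10.yml include. The enclosing `server {` block starts and ends outside the hunk.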
@@ -5,17 +5,17 @@
 - name: Configure php-fpm on Ubuntu 16.04 and Debian 9
 include_tasks: Ubuntu.yml
- when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version_compare('16.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version_compare('9', '==')) 
+ when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('16.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('9', '=='))
 tags: php-fpm
 - name: Configure php-fpm on Ubuntu 18.04
 include_tasks: Ubuntu_18.04.yml
- when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version_compare('18.04', '==')
+ when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==')
 tags: php-fpm
 - name: Configure php-fpm on Debian 10
 include_tasks: Debian_10.yml
- when: ansible_distribution == 'Debian' and ansible_distribution_version is version_compare('10', '==')
+ when: ansible_distribution == 'Debian' and ansible_distribution_version is version('10', '==')
 tags: php-fpm
 # vim: set ts=2 sw=2: