diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml index 60939fe..138965f 100644 --- a/roles/common/handlers/main.yml +++ b/roles/common/handlers/main.yml @@ -1,23 +1,23 @@ --- -# file: roles/common/handlers/main.yml +# ansible.builtin.file: roles/common/handlers/main.yml - name: reload sshd - systemd: name={{ sshd_service_name }} state=reloaded + ansible.builtin.systemd: name={{ sshd_service_name }} state=reloaded - name: reload sysctl command: sysctl -p /etc/sysctl.conf - name: restart firewalld - systemd: name=firewalld state=restarted + ansible.builtin.systemd: name=firewalld state=restarted - name: reload systemd - systemd: daemon_reload=yes + ansible.builtin.systemd: daemon_reload=yes - name: restart nftables - systemd: name=nftables state=restarted + ansible.builtin.systemd: name=nftables state=restarted # 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed # in the order they are defined, not in the order they are listed in the task's # notify statement and we must restart fail2ban after updating the firewall. - name: restart fail2ban - systemd: name=fail2ban state=restarted + ansible.builtin.systemd: name=fail2ban state=restarted diff --git a/roles/common/tasks/cron-apt.yml b/roles/common/tasks/cron-apt.yml index ceadfac..91627ff 100644 --- a/roles/common/tasks/cron-apt.yml +++ b/roles/common/tasks/cron-apt.yml 
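Review bot: The mechanical rewrite has corrupted the header comment in this handlers hunk — `# file: roles/common/handlers/main.yml` is now `# ansible.builtin.file: roles/common/handlers/main.yml`, which reads as a module reference rather than the path label it was; the same artifact appears in the mariadb, munin and nginx `defaults`/`handlers` headers further down this diff. Restore it to `# file: roles/common/handlers/main.yml` (and the three siblings likewise). The `reload sysctl` handler also still uses bare `command:` while every other module in these roles was fully qualified; `ansible.builtin.command: sysctl -p /etc/sysctl.conf` keeps the role consistent with the stated intent of the change, and a consistent FQCN set is what lets a collections allow-list or `ansible-lint` rule be enforced later.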
@@ -1,12 +1,12 @@ --- - name: Configure cron-apt (config) - copy: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode }} owner={{ item.owner }} group={{ item.group }} + ansible.builtin.copy: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode }} owner={{ item.owner }} group={{ item.group }} loop: - { src: 'etc/cron-apt/config', dest: '/etc/cron-apt/config', mode: '0644', owner: 'root', group: 'root' } - { src: 'etc/cron-apt/3-download', dest: '/etc/cron-apt/action.d/3-download', mode: '0644', owner: 'root', group: 'root' } - name: Configure cron-apt (security) - template: src=security.sources.list.j2 dest=/etc/apt/security.sources.list mode=0644 owner=root group=root + ansible.builtin.template: src=security.sources.list.j2 dest=/etc/apt/security.sources.list mode=0644 owner=root group=root # vim: set ts=2 sw=2: diff --git a/roles/common/tasks/fail2ban.yml b/roles/common/tasks/fail2ban.yml index cf36d34..7720d6e 100644 --- a/roles/common/tasks/fail2ban.yml +++ b/roles/common/tasks/fail2ban.yml 
@@ -1,25 +1,25 @@ --- - name: Configure fail2ban sshd filter - template: src=etc/fail2ban/jail.d/sshd.local.j2 dest=/etc/fail2ban/jail.d/sshd.local owner=root mode=0644 + ansible.builtin.template: src=etc/fail2ban/jail.d/sshd.local.j2 dest=/etc/fail2ban/jail.d/sshd.local owner=root mode=0644 notify: restart fail2ban - name: Configure fail2ban nginx filter when: "extra_fail2ban_filters is defined and 'nginx' in extra_fail2ban_filters" - template: src=etc/fail2ban/jail.d/nginx.local.j2 dest=/etc/fail2ban/jail.d/nginx.local owner=root mode=0644 + ansible.builtin.template: src=etc/fail2ban/jail.d/nginx.local.j2 dest=/etc/fail2ban/jail.d/nginx.local owner=root mode=0644 notify: restart fail2ban - name: Create fail2ban service override directory - file: path=/etc/systemd/system/fail2ban.service.d state=directory owner=root mode=0755 + ansible.builtin.file: path=/etc/systemd/system/fail2ban.service.d state=directory owner=root mode=0755 # See Arch Linux's example: https://wiki.archlinux.org/index.php/Fail2ban - name: Configure fail2ban service override - template: src=etc/systemd/system/fail2ban.service.d/override.conf.j2 dest=/etc/systemd/system/fail2ban.service.d/override.conf owner=root mode=0644 + ansible.builtin.template: src=etc/systemd/system/fail2ban.service.d/override.conf.j2 dest=/etc/systemd/system/fail2ban.service.d/override.conf owner=root mode=0644 notify: - reload systemd - restart fail2ban - name: Start and enable fail2ban service - systemd: name=fail2ban state=started enabled=yes + ansible.builtin.systemd: name=fail2ban state=started enabled=yes # vim: set sw=2 ts=2: diff --git a/roles/common/tasks/firewall_Debian.yml b/roles/common/tasks/firewall_Debian.yml index 896e7fe..176c3ff 100644 --- a/roles/common/tasks/firewall_Debian.yml +++ b/roles/common/tasks/firewall_Debian.yml 
@@ -5,7 +5,7 @@ - block: - name: Set Debian firewall packages when: ansible_distribution_major_version is version('10', '<=') - set_fact: + ansible.builtin.set_fact: debian_firewall_packages: - firewalld - tidy @@ -14,7 +14,7 @@ - name: Set Debian firewall packages when: ansible_distribution_major_version is version('11', '>=') - set_fact: + ansible.builtin.set_fact: debian_firewall_packages: - fail2ban - libnet-ip-perl # for aggregate-cidr-addresses.pl @@ -23,26 +23,26 @@ - curl # for nftables update scripts - name: Install firewall packages - apt: pkg={{ debian_firewall_packages }} state=present cache_valid_time=3600 + ansible.builtin.apt: pkg={{ debian_firewall_packages }} state=present cache_valid_time=3600 - name: Remove iptables on newer Debian when: ansible_distribution_major_version is version('11', '>=') - apt: pkg=iptables state=absent + ansible.builtin.apt: pkg=iptables state=absent - name: Copy nftables.conf when: ansible_distribution_major_version is version('11', '>=') - template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644 + ansible.builtin.template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644 notify: - restart nftables - restart fail2ban - name: Create /etc/nftables extra config directory when: ansible_distribution_major_version is version('11', '>=') - file: path=/etc/nftables state=directory owner=root mode=0755 + ansible.builtin.file: path=/etc/nftables state=directory owner=root mode=0755 - name: Copy extra nftables configuration files when: ansible_distribution_major_version is version('11', '>=') - copy: src={{ item.src }} dest=/etc/nftables/{{ item.src }} owner=root group=root mode=0644 force={{ item.force }} + ansible.builtin.copy: src={{ item.src }} dest=/etc/nftables/{{ item.src }} owner=root group=root mode=0644 force={{ item.force }} loop: - { src: "spamhaus-ipv4.nft", force: "no" } - { src: "spamhaus-ipv6.nft", force: "no" } 
@@ -55,7 +55,7 @@ - name: Use iptables backend in firewalld when: ansible_distribution_major_version is version('10', '==') - lineinfile: + ansible.builtin.lineinfile: dest: /etc/firewalld/firewalld.conf regexp: '^FirewallBackend=nftables$' line: 'FirewallBackend=iptables' @@ -68,7 +68,7 @@ # See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931722 - name: Use individual iptables calls when: ansible_distribution_major_version is version('10', '==') - lineinfile: + ansible.builtin.lineinfile: dest: /etc/firewalld/firewalld.conf regexp: '^IndividualCalls=no$' line: 'IndividualCalls=yes' @@ -78,7 +78,7 @@ - name: Copy firewalld public zone file when: ansible_distribution_major_version is version('10', '<=') - template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600 + ansible.builtin.template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600 - name: Format public.xml firewalld zone file when: ansible_distribution_major_version is version('10', '<=') @@ -89,7 +89,7 @@ - name: Copy firewalld ipsets of abusive IPs when: ansible_distribution_major_version is version('10', '<=') - copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600 + ansible.builtin.copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600 loop: - abusers-ipv4.xml - abusers-ipv6.xml 
@@ -101,11 +101,11 @@ - name: Copy Spamhaus firewalld update script when: ansible_distribution_version is version('10', '<=') - copy: src=update-spamhaus-lists.sh dest=/usr/local/bin/update-spamhaus-lists.sh mode=0755 owner=root group=root + ansible.builtin.copy: src=update-spamhaus-lists.sh dest=/usr/local/bin/update-spamhaus-lists.sh mode=0755 owner=root group=root - name: Copy Spamhaus firewalld systemd units when: ansible_distribution_version is version('10', '<=') - copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root + ansible.builtin.copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root loop: - update-spamhaus-lists.service - update-spamhaus-lists.timer @@ -113,7 +113,7 @@ - name: Copy Spamhaus nftables update scripts when: ansible_distribution_version is version('11', '>=') - copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=0755 owner=root group=root + ansible.builtin.copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=0755 owner=root group=root loop: - update-spamhaus-nftables.sh - aggregate-cidr-addresses.pl @@ -121,7 +121,7 @@ - name: Copy nftables systemd units when: ansible_distribution_version is version('11', '>=') - copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root + ansible.builtin.copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root loop: - update-spamhaus-nftables.service - update-spamhaus-nftables.timer 
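Review bot: The Spamhaus tasks in these hunks gate on `ansible_distribution_version is version('10', '<=')` and `version('11', '>=')`, while the firewall tasks earlier in the same file gate on `ansible_distribution_major_version`. If the version fact carries a point release on some hosts (e.g. `10.13`), `'10.13' is version('10', '<=')` is false and the blocklist script, systemd units and timer are silently never installed on those Debian 10 hosts — a quietly weaker firewall rather than a visible failure. Using `ansible_distribution_major_version` in all four `when:` clauses matches the rest of the file and removes the dependency on how the fact is formatted. Whether the fact includes a point release depends on the Ansible/Debian combination, so confirm on a buster host before relying on the current form.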
@@ -131,29 +131,29 @@ # need to reload to pick up service/timer/environment changes - name: Reload systemd daemon - systemd: daemon_reload=yes + ansible.builtin.systemd: daemon_reload=yes when: spamhaus_firewalld_systemd_units is changed or nftables_systemd_units is changed - name: Start and enable Spamhaus firewalld update timer when: ansible_distribution_version is version('10', '<=') - systemd: name=update-spamhaus-lists.timer state=started enabled=yes + ansible.builtin.systemd: name=update-spamhaus-lists.timer state=started enabled=yes notify: - restart firewalld - restart fail2ban - name: Start and enable nftables update timers when: ansible_distribution_version is version('11', '>=') - systemd: name={{ item }} state=started enabled=yes + ansible.builtin.systemd: name={{ item }} state=started enabled=yes loop: - update-spamhaus-nftables.timer - update-abusech-nftables.timer - name: Start and enable nftables when: ansible_distribution_major_version is version('11', '>=') - systemd: name=nftables state=started enabled=yes + ansible.builtin.systemd: name=nftables state=started enabled=yes - - include_tasks: fail2ban.yml + - ansible.builtin.include_tasks: fail2ban.yml when: ansible_distribution_major_version is version('9', '>=') tags: firewall diff --git a/roles/common/tasks/firewall_Ubuntu.yml b/roles/common/tasks/firewall_Ubuntu.yml index 71a06fb..2143736 100644 --- a/roles/common/tasks/firewall_Ubuntu.yml +++ b/roles/common/tasks/firewall_Ubuntu.yml @@ -6,7 +6,7 @@ - block: - name: Set Ubuntu firewall packages when: ansible_distribution_version is version('20.04', '<') - set_fact: + ansible.builtin.set_fact: ubuntu_firewall_packages: - firewalld - tidy @@ -15,7 +15,7 @@ - name: Set Ubuntu firewall packages when: ansible_distribution_version is version('20.04', '>=') - set_fact: + ansible.builtin.set_fact: ubuntu_firewall_packages: - fail2ban - libnet-ip-perl # for aggregate-cidr-addresses.pl 
@@ -24,26 +24,26 @@ - curl # for nftables update scripts - name: Install firewall packages - apt: pkg={{ ubuntu_firewall_packages }} state=present cache_valid_time=3600 + ansible.builtin.apt: pkg={{ ubuntu_firewall_packages }} state=present cache_valid_time=3600 - name: Remove ufw when: ansible_distribution_version is version('16.04', '>=') - apt: pkg=ufw state=absent + ansible.builtin.apt: pkg=ufw state=absent - name: Copy nftables.conf when: ansible_distribution_version is version('20.04', '>=') - template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644 + ansible.builtin.template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644 notify: - restart nftables - restart fail2ban - name: Create /etc/nftables extra config directory when: ansible_distribution_version is version('20.04', '>=') - file: path=/etc/nftables state=directory owner=root mode=0755 + ansible.builtin.file: path=/etc/nftables state=directory owner=root mode=0755 - name: Copy extra nftables configuration files when: ansible_distribution_version is version('20.04', '>=') - copy: src={{ item.src }} dest=/etc/nftables/{{ item.src }} owner=root group=root mode=0644 force={{ item.force }} + ansible.builtin.copy: src={{ item.src }} dest=/etc/nftables/{{ item.src }} owner=root group=root mode=0644 force={{ item.force }} loop: - { src: "spamhaus-ipv4.nft", force: "no" } - { src: "spamhaus-ipv6.nft", force: "no" } @@ -56,7 +56,7 @@ - name: Copy firewalld public zone file when: ansible_distribution_version is version('18.04', '<=') - template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600 + ansible.builtin.template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600 - name: Format public.xml firewalld zone file when: ansible_distribution_version is version('18.04', '<=') 
@@ -67,7 +67,7 @@ - name: Copy firewalld ipsets of abusive IPs when: ansible_distribution_version is version('18.04', '<=') - copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600 + ansible.builtin.copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600 loop: - abusers-ipv4.xml - abusers-ipv6.xml @@ -79,11 +79,11 @@ - name: Copy Spamhaus firewalld update script when: ansible_distribution_version is version('18.04', '<=') - copy: src=update-spamhaus-lists.sh dest=/usr/local/bin/update-spamhaus-lists.sh mode=0755 owner=root group=root + ansible.builtin.copy: src=update-spamhaus-lists.sh dest=/usr/local/bin/update-spamhaus-lists.sh mode=0755 owner=root group=root - name: Copy Spamhaus firewalld systemd units when: ansible_distribution_version is version('18.04', '<=') - copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root + ansible.builtin.copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root loop: - update-spamhaus-lists.service - update-spamhaus-lists.timer @@ -91,7 +91,7 @@ - name: Copy nftables update scripts when: ansible_distribution_version is version('20.04', '>=') - copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=0755 owner=root group=root + ansible.builtin.copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=0755 owner=root group=root loop: - update-spamhaus-nftables.sh - aggregate-cidr-addresses.pl @@ -99,7 +99,7 @@ - name: Copy nftables systemd units when: ansible_distribution_version is version('20.04', '>=') - copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root + ansible.builtin.copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root loop: - update-spamhaus-nftables.service - update-spamhaus-nftables.timer 
@@ -109,29 +109,29 @@ # need to reload to pick up service/timer/environment changes - name: Reload systemd daemon - systemd: daemon_reload=yes + ansible.builtin.systemd: daemon_reload=yes when: spamhaus_firewalld_systemd_units is changed or nftables_systemd_units is changed - name: Start and enable Spamhaus firewalld update timer when: ansible_distribution_version is version('18.04', '<=') - systemd: name=update-spamhaus-lists.timer state=started enabled=yes + ansible.builtin.systemd: name=update-spamhaus-lists.timer state=started enabled=yes notify: - restart firewalld - restart fail2ban - name: Start and enable nftables update timers when: ansible_distribution_version is version('20.04', '>=') - systemd: name={{ item }} state=started enabled=yes + ansible.builtin.systemd: name={{ item }} state=started enabled=yes loop: - update-spamhaus-nftables.timer - update-abusech-nftables.timer - name: Start and enable nftables when: ansible_distribution_version is version('20.04', '>=') - systemd: name=nftables state=started enabled=yes + ansible.builtin.systemd: name=nftables state=started enabled=yes - - include_tasks: fail2ban.yml + - ansible.builtin.include_tasks: fail2ban.yml when: ansible_distribution_version is version('16.04', '>=') tags: firewall diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index def4856..06f1d60 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml 
@@ -1,54 +1,54 @@ --- - name: Import OS-specific variables - include_vars: "vars/{{ ansible_distribution }}.yml" + ansible.builtin.include_vars: "vars/{{ ansible_distribution }}.yml" tags: always - name: Configure network time - import_tasks: ntp.yml + ansible.builtin.import_tasks: ntp.yml tags: ntp - name: Install common packages - include_tasks: packages_Debian.yml + ansible.builtin.include_tasks: packages_Debian.yml when: ansible_distribution == 'Debian' tags: packages - name: Install common packages - include_tasks: packages_Ubuntu.yml + ansible.builtin.include_tasks: packages_Ubuntu.yml when: ansible_distribution == 'Ubuntu' tags: packages - name: Configure firewall - include_tasks: firewall_Debian.yml + ansible.builtin.include_tasks: firewall_Debian.yml when: ansible_distribution == 'Debian' tags: firewall - name: Configure firewall - include_tasks: firewall_Ubuntu.yml + ansible.builtin.include_tasks: firewall_Ubuntu.yml when: ansible_distribution == 'Ubuntu' tags: firewall - name: Configure secure shell daemon - import_tasks: sshd.yml + ansible.builtin.import_tasks: sshd.yml tags: sshd # containers identify as virtualization hosts, which makes this tricky, because we have actual Debian VM hosts! 
- name: Reconfigure /etc/sysctl.conf when: ansible_virtualization_role != 'host' - template: src=sysctl_{{ ansible_distribution }}.j2 dest=/etc/sysctl.conf owner=root group=root mode=0644 + ansible.builtin.template: src=sysctl_{{ ansible_distribution }}.j2 dest=/etc/sysctl.conf owner=root group=root mode=0644 notify: - reload sysctl tags: sysctl - name: Reconfigure /etc/rc.local when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('19.04', '<=') - template: src=rc.local_Ubuntu.j2 dest=/etc/rc.local owner=root group=root mode=0755 + ansible.builtin.template: src=rc.local_Ubuntu.j2 dest=/etc/rc.local owner=root group=root mode=0755 - name: Set I/O scheduler - template: src=etc/udev/rules.d/60-scheduler.rules.j2 dest=/etc/udev/rules.d/60-scheduler.rules owner=root group=root mode=0644 + ansible.builtin.template: src=etc/udev/rules.d/60-scheduler.rules.j2 dest=/etc/udev/rules.d/60-scheduler.rules owner=root group=root mode=0644 tags: udev - name: Copy admin SSH keys - import_tasks: ssh-keys.yml + ansible.builtin.import_tasks: ssh-keys.yml tags: ssh-keys # vim: set sw=2 ts=2: diff --git a/roles/common/tasks/ntp.yml b/roles/common/tasks/ntp.yml index ab07eb3..5d538d4 100644 --- a/roles/common/tasks/ntp.yml +++ b/roles/common/tasks/ntp.yml 
@@ -14,14 +14,14 @@ - name: Install systemd-timesyncd when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '==')) - apt: name=systemd-timesyncd state=present cache_valid_time=3600 + ansible.builtin.apt: name=systemd-timesyncd state=present cache_valid_time=3600 - name: Start and enable systemd's NTP client when: ansible_service_mgr == 'systemd' - systemd: name=systemd-timesyncd state=started enabled=yes + ansible.builtin.systemd: name=systemd-timesyncd state=started enabled=yes - name: Uninstall ntp on modern Ubuntu/Debian - apt: name=ntp state=absent + ansible.builtin.apt: name=ntp state=absent when: ansible_service_mgr == 'systemd' # vim: set ts=2 sw=2: diff --git a/roles/common/tasks/packages_Debian.yml b/roles/common/tasks/packages_Debian.yml index 8175b2e..423b608 100644 --- a/roles/common/tasks/packages_Debian.yml +++ b/roles/common/tasks/packages_Debian.yml @@ -2,11 +2,11 @@ - block: - name: Configure apt mirror - template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644 + ansible.builtin.template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644 when: ansible_architecture != 'armv7l' - name: Set fact for base packages - set_fact: + ansible.builtin.set_fact: base_packages: - git - git-lfs @@ -28,14 +28,14 @@ - lsof - name: Install base packages - apt: name={{ base_packages }} state=present cache_valid_time=3600 + ansible.builtin.apt: name={{ base_packages }} state=present cache_valid_time=3600 - name: Configure cron-apt - import_tasks: cron-apt.yml + ansible.builtin.import_tasks: cron-apt.yml tags: cron-apt - name: Install tarsnap - import_tasks: tarsnap.yml + ansible.builtin.import_tasks: tarsnap.yml tags: packages # vim: set sw=2 ts=2: diff --git a/roles/common/tasks/packages_Ubuntu.yml b/roles/common/tasks/packages_Ubuntu.yml index f4e665e..4e9a4bd 100644 
--- a/roles/common/tasks/packages_Ubuntu.yml +++ b/roles/common/tasks/packages_Ubuntu.yml @@ -2,14 +2,14 @@ - block: - name: Configure apt mirror - template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644 + ansible.builtin.template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644 when: ansible_architecture != 'armv7l' - name: Upgrade base OS - apt: upgrade=dist cache_valid_time=3600 + ansible.builtin.apt: upgrade=dist cache_valid_time=3600 - name: Set Ubuntu base packages - set_fact: + ansible.builtin.set_fact: ubuntu_base_packages: - git - git-lfs @@ -30,27 +30,27 @@ - lsof - name: Install base packages - apt: pkg={{ ubuntu_base_packages }} state=present cache_valid_time=3600 + ansible.builtin.apt: pkg={{ ubuntu_base_packages }} state=present cache_valid_time=3600 # We have to remove snaps one by one in a specific order because some depend # on others. Only after that can we remove the corresponding system packages. - name: Remove lxd snap - snap: name=lxd state=absent + community.general.snap: name=lxd state=absent when: ansible_distribution_version is version('20.04', '==') ignore_errors: yes - name: Remove core18 snap - snap: name=core18 state=absent + community.general.snap: name=core18 state=absent when: ansible_distribution_version is version('20.04', '==') ignore_errors: yes - name: Remove snapd snap - snap: name=snapd state=absent + community.general.snap: name=snapd state=absent when: ansible_distribution_version is version('20.04', '==') ignore_errors: yes - name: Set fact for packages to remove (Ubuntu <= 18.04) - set_fact: + ansible.builtin.set_fact: ubuntu_annoying_packages: - whoopsie # security (CIS 4.1) - apport # security (CIS 4.1) 
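Review bot: Switching `snap:` to `community.general.snap:` makes the role depend on the `community.general` collection (as `ansible.posix.authorized_key` and `community.mysql.*` do elsewhere in this diff), and nothing in the diff pins those collections. Add a `requirements.yml` listing `community.general`, `ansible.posix` and `community.mysql` with explicit `version:` constraints and install it in bootstrapping/CI, so the modules that manage firewalls, SSH keys and database credentials come from a reviewed, reproducible source rather than whatever `ansible-galaxy` resolves at run time. If such a file already exists outside this diff, it only needs the version pins checked against the FQCNs introduced here.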
@@ -66,7 +66,7 @@ when: ansible_distribution_version is version('18.04', '<=') - name: Set fact for packages to remove (Ubuntu 20.04) - set_fact: + ansible.builtin.set_fact: ubuntu_annoying_packages: - whoopsie # security (CIS 4.1) - apport # security (CIS 4.1) @@ -78,10 +78,10 @@ when: ansible_distribution_version is version('20.04', '==') - name: Remove packages - apt: name={{ ubuntu_annoying_packages }} state=absent purge=yes + ansible.builtin.apt: name={{ ubuntu_annoying_packages }} state=absent purge=yes - name: Disable annoying Canonical spam in MOTD - file: path={{ item }} mode=0644 state=absent + ansible.builtin.file: path={{ item }} mode=0644 state=absent loop: - /etc/update-motd.d/99-esm # Ubuntu 14.04 - /etc/update-motd.d/10-help-text # Ubuntu 14.04+ @@ -91,18 +91,18 @@ ignore_errors: yes - name: Disable annoying Canonical spam in MOTD - systemd: name={{ item }} state=stopped enabled=no + ansible.builtin.systemd: name={{ item }} state=stopped enabled=no when: ansible_service_mgr == 'systemd' loop: - motd-news.service - motd-news.timer - name: Configure cron-apt - import_tasks: cron-apt.yml + ansible.builtin.import_tasks: cron-apt.yml tags: cron-apt - name: Install tarsnap - import_tasks: tarsnap.yml + ansible.builtin.import_tasks: tarsnap.yml tags: packages # vim: set sw=2 ts=2: diff --git a/roles/common/tasks/ssh-keys.yml b/roles/common/tasks/ssh-keys.yml index ba78919..e07b0eb 100644 --- a/roles/common/tasks/ssh-keys.yml +++ b/roles/common/tasks/ssh-keys.yml 
@@ -1,9 +1,9 @@ --- - name: Zero .ssh/authorized_keys for provisioning user - file: dest={{ provisioning_user.home }}/.ssh/authorized_keys state=absent + ansible.builtin.file: dest={{ provisioning_user.home }}/.ssh/authorized_keys state=absent - name: Add public keys to authorized_keys - authorized_key: { user: '{{ provisioning_user.name }}', key: "{{ lookup('file',item) }}" } + ansible.posix.authorized_key: { user: '{{ provisioning_user.name }}', key: "{{ lookup('file',item) }}" } with_fileglob: # use descriptive names for keys, like: aorth-mzito-rsa.pub - ssh-pub-keys/*.pub diff --git a/roles/common/tasks/sshd.yml b/roles/common/tasks/sshd.yml index 6bcfccd..ddb1f9f 100644 --- a/roles/common/tasks/sshd.yml +++ b/roles/common/tasks/sshd.yml @@ -2,14 +2,14 @@ # SSH configs don't change in Debian minor versions - name: Reconfigure /etc/ssh/sshd_config - template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600 + ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600 when: ansible_distribution == 'Debian' notify: reload sshd # Ubuntu is the only distro we have where SSH version is very different from 14.04 -> 14.10, # ie with new ciphers supported etc. - name: Reconfigure /etc/ssh/sshd_config - template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600 + ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600 when: ansible_distribution == 'Ubuntu' notify: reload sshd 
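Review bot: The ssh-keys hunk still deletes `authorized_keys` and then rebuilds it one key at a time, so a failure inside the `authorized_key` loop (a malformed `.pub`, or a glob that matches nothing) leaves the provisioning user with no keys at all, and the file is briefly empty on every run. `ansible.posix.authorized_key` has `exclusive: true`, which replaces the file with exactly the supplied keys in one step; assemble all keys on the controller (e.g. `key: "{{ lookup('pipe', 'cat ssh-pub-keys/*.pub') }}"`, with the path adjusted to where the role's files resolve from) and drop the `Zero .ssh/authorized_keys` task. Guard the empty-glob case explicitly with an `ansible.builtin.assert` on the assembled key string so an empty key set fails the play instead of locking the host.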
@@ -40,7 +40,7 @@ notify: reload sshd - name: Remove DSA and ECDSA host keys - file: name=/etc/ssh/{{ item }} state=absent + ansible.builtin.file: name=/etc/ssh/{{ item }} state=absent loop: - ssh_host_dsa_key - ssh_host_dsa_key.pub diff --git a/roles/common/tasks/tarsnap.yml b/roles/common/tasks/tarsnap.yml index 076e4c4..47ad498 100644 --- a/roles/common/tasks/tarsnap.yml +++ b/roles/common/tasks/tarsnap.yml @@ -1,24 +1,24 @@ --- - name: Add Tarsnap apt mirror - template: src=tarsnap_sources.list.j2 dest=/etc/apt/sources.list.d/tarsnap.list owner=root group=root mode=0644 + ansible.builtin.template: src=tarsnap_sources.list.j2 dest=/etc/apt/sources.list.d/tarsnap.list owner=root group=root mode=0644 register: add_tarsnap_apt_repository when: ansible_architecture != 'armv7l' - name: Add GPG key for Tarsnap - apt_key: id=0xBF75EEAB040E447C url=https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc state=present + ansible.builtin.apt_key: id=0xBF75EEAB040E447C url=https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc state=present register: add_tarsnap_apt_key - name: Update apt cache - apt: + ansible.builtin.apt: update_cache: yes when: add_tarsnap_apt_key is changed or add_tarsnap_apt_repository is changed - name: Install tarsnap - apt: pkg=tarsnap cache_valid_time=3600 + ansible.builtin.apt: pkg=tarsnap cache_valid_time=3600 - name: Copy tarsnaprc - copy: src=tarsnaprc dest=/root/.tarsnaprc owner=root group=root mode=0600 + ansible.builtin.copy: src=tarsnaprc dest=/root/.tarsnaprc owner=root group=root mode=0600 # vim: set sw=2 ts=2: diff --git a/roles/mariadb/defaults/main.yml b/roles/mariadb/defaults/main.yml index bd7206e..780d274 100644 --- a/roles/mariadb/defaults/main.yml +++ b/roles/mariadb/defaults/main.yml @@ -1,5 +1,5 @@ --- -# file: roles/mariadb/defaults/main.yml +# ansible.builtin.file: roles/mariadb/defaults/main.yml # # Based on my running of mysqltuner.pl on a host with three WordPress databases # 
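Review bot: The `ansible.builtin.apt_key` task in the tarsnap hunk imports the Tarsnap signing key into apt's global trusted keyring, so that key can authorize packages from every configured repository, not only `pkg.tarsnap.com`; `apt-key` is also deprecated on Debian 11 / Ubuntu 22.04 and will eventually disappear. Fetch the key with `ansible.builtin.get_url` into `/usr/share/keyrings/tarsnap-archive-keyring.asc` (with a `checksum:` so the fingerprint is verified rather than trusted on download) and add `[signed-by=/usr/share/keyrings/tarsnap-archive-keyring.asc]` to the `tarsnap.list` template, which scopes trust to that one repository. The mariadb role later in this diff uses the same `apt_key` pattern and should get the same treatment.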
diff --git a/roles/mariadb/handlers/main.yml b/roles/mariadb/handlers/main.yml index b7e4b76..ea3e2e1 100644 --- a/roles/mariadb/handlers/main.yml +++ b/roles/mariadb/handlers/main.yml @@ -1,5 +1,5 @@ --- - name: restart mariadb - systemd: name=mariadb state=restarted + ansible.builtin.systemd: name=mariadb state=restarted # vim: set ts=2 sw=2: diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml index 4725362..74b4ff9 100644 --- a/roles/mariadb/tasks/main.yml +++ b/roles/mariadb/tasks/main.yml 
@@ -1,55 +1,55 @@ --- - name: Add GPG key for MariaDB repo - apt_key: id=0x177F4010FE56CA3336300305F1656F24C74CD1D8 url=https://mariadb.org/mariadb_release_signing_key.asc + ansible.builtin.apt_key: id=0x177F4010FE56CA3336300305F1656F24C74CD1D8 url=https://mariadb.org/mariadb_release_signing_key.asc register: add_mariadb_apt_key tags: mariadb, packages - name: Add MariaDB 10.5 repo - template: src=mariadb.list.j2 dest=/etc/apt/sources.list.d/mariadb.list owner=root group=root mode=0644 + ansible.builtin.template: src=mariadb.list.j2 dest=/etc/apt/sources.list.d/mariadb.list owner=root group=root mode=0644 register: add_mariadb_apt_repository tags: mariadb, packages - name: Update apt cache - apt: + ansible.builtin.apt: update_cache: yes when: add_mariadb_apt_key is changed or add_mariadb_apt_repository is changed - name: Install mariadb-server - apt: name={{ item }} state=present cache_valid_time=3600 + ansible.builtin.apt: name={{ item }} state=present cache_valid_time=3600 loop: - mariadb-server - python3-pymysql # for ansible tags: mariadb, packages - name: Create system my.cnf - template: src=my.cnf.j2 dest=/etc/mysql/my.cnf owner=root group=root mode=0644 + ansible.builtin.template: src=my.cnf.j2 dest=/etc/mysql/my.cnf owner=root group=root mode=0644 notify: - restart mariadb tags: mariadb # See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_user_module.html - name: Update MariaDB root password for all root accounts - mysql_user: name=root host={{ item }} password={{ mariadb_root_password }} login_unix_socket={{ mariadb_login_unix_socket }} + community.mysql.mysql_user: name=root host={{ item }} password={{ mariadb_root_password }} login_unix_socket={{ mariadb_login_unix_socket }} loop: - 127.0.0.1 - ::1 tags: mariadb - name: Create .my.conf file with root credentials - template: src=.my.cnf.j2 dest=/root/.my.cnf owner=root mode=0600 + ansible.builtin.template: src=.my.cnf.j2 dest=/root/.my.cnf owner=root mode=0600 tags: mariadb # 
See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_db_module.html - name: Create MariaDB database(s) - mysql_db: db={{ item.name }} state=present encoding=utf8mb4 login_unix_socket={{ mariadb_login_unix_socket }} + community.mysql.mysql_db: db={{ item.name }} state=present encoding=utf8mb4 login_unix_socket={{ mariadb_login_unix_socket }} loop: "{{ mariadb_databases }}" when: mariadb_databases is defined tags: mariadb - name: Create MariaDB user(s) - mysql_user: name={{ item.user }} password={{ item.pass }} priv={{ item.name }}.*:ALL host=127.0.0.1 state=present login_unix_socket={{ mariadb_login_unix_socket }} + community.mysql.mysql_user: name={{ item.user }} password={{ item.pass }} priv={{ item.name }}.*:ALL host=127.0.0.1 state=present login_unix_socket={{ mariadb_login_unix_socket }} loop: "{{ mariadb_databases }}" when: mariadb_databases is defined tags: mariadb diff --git a/roles/munin/handlers/main.yml b/roles/munin/handlers/main.yml index 0e14edf..6628797 100644 --- a/roles/munin/handlers/main.yml +++ b/roles/munin/handlers/main.yml @@ -1,4 +1,4 @@ --- -# file: roles/munin/handlers/main.yml +# ansible.builtin.file: roles/munin/handlers/main.yml - name: restart munin-node - systemd: name=munin-node state=restarted + ansible.builtin.systemd: name=munin-node state=restarted diff --git a/roles/munin/tasks/main.yml b/roles/munin/tasks/main.yml index a45dd07..9d11876 100644 --- a/roles/munin/tasks/main.yml +++ b/roles/munin/tasks/main.yml @@ -1,8 +1,8 @@ --- - name: Configure munin scraper - import_tasks: munin.yml + ansible.builtin.import_tasks: munin.yml tags: munin - name: Configure munin listener - import_tasks: munin-node.yml + ansible.builtin.import_tasks: munin-node.yml tags: munin-node diff --git a/roles/munin/tasks/munin-node.yml b/roles/munin/tasks/munin-node.yml index e39effe..65fc2bf 100644 --- a/roles/munin/tasks/munin-node.yml +++ b/roles/munin/tasks/munin-node.yml 
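Review bot: `Create MariaDB user(s)` loops over `mariadb_databases`, whose items carry `pass`, and Ansible prints each loop `item` in task results, so the per-database passwords land in console output and any log aggregation even though the module masks its own `password` argument. Add `no_log: true` to that task, and `loop_control: label: "{{ item.name }}"` to the `Create MariaDB database(s)` task, whose items carry the same dict. Separately, `community.mysql.mysql_user` defaults to `state=present`, so `Update MariaDB root password for all root accounts` will create `root@127.0.0.1` and `root@::1` with password auth if they do not already exist (MariaDB 10.4+ packages typically ship only `root@localhost` with unix_socket auth) — adding TCP-reachable root logins rather than rotating existing ones; check `SELECT user,host FROM mysql.user` on a freshly provisioned host before keeping that loop.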
@@ -1,25 +1,25 @@ --- - name: Install munin-node - apt: name=munin-node state=present + ansible.builtin.apt: name=munin-node state=present tags: packages # some nice things to have for munin-node on Ubuntu # libwww-perl: for munin's nginx_status check - name: Install munin-node deps - apt: name=libwww-perl state=present + ansible.builtin.apt: name=libwww-perl state=present tags: packages - name: Create munin-node.conf - template: src=munin-node.conf.j2 dest=/etc/munin/munin-node.conf + ansible.builtin.template: src=munin-node.conf.j2 dest=/etc/munin/munin-node.conf notify: - restart munin-node - name: Configure munin-node - shell: munin-node-configure --shell --families=contrib,auto | sh -x + ansible.builtin.shell: munin-node-configure --shell --families=contrib,auto | sh -x notify: - restart munin-node - name: Start munin-node - systemd: name=munin-node state=started enabled=true + ansible.builtin.systemd: name=munin-node state=started enabled=true # vim: set ts=2 sw=2:
diff --git a/roles/munin/tasks/munin.yml b/roles/munin/tasks/munin.yml
index 8ac97c8..e0da955 100644
--- a/roles/munin/tasks/munin.yml
+++ b/roles/munin/tasks/munin.yml
@@ -1,9 +1,9 @@ --- - name: Install munin package - apt: name=munin state=present + ansible.builtin.apt: name=munin state=present tags: packages - name: Create munin configuration file - template: src=munin.conf.j2 dest=/etc/munin/munin.conf owner=root group=root mode=0644 + ansible.builtin.template: src=munin.conf.j2 dest=/etc/munin/munin.conf owner=root group=root mode=0644 # vim: set ts=2 sw=2:
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index 316bb20..5e18635 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -1,5 +1,5 @@ --- -# file: roles/nginx/defaults/main.yml +# ansible.builtin.file: roles/nginx/defaults/main.yml # path config nginx_confd_path: /etc/nginx/conf.d
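Review bot: The `Configure munin-node` task (`ansible.builtin.shell: munin-node-configure --shell --families=contrib,auto | sh -x`) has no `changed_when`, `creates` or `register`, so it reports changed on every run and fires the `restart munin-node` handler on every play even when no plugin link was added or removed. Registering the result and keying the change on what `sh -x` actually executed, e.g. `register: munin_plugins` and `changed_when: munin_plugins.stderr | length > 0` (xtrace output goes to stderr, so confirm on a host that an unchanged run produces none), would restore idempotence. The `Create munin-node.conf` template also sets no `owner`/`group`/`mode`, unlike the `munin.conf` task in the sibling hunk, so the file keeps whatever the remote umask gives it; adding `owner=root group=root mode=0644` makes the two consistent.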
diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml
index ebe0b09..e4922e7 100644
--- a/roles/nginx/handlers/main.yml
+++ b/roles/nginx/handlers/main.yml
@@ -1,5 +1,5 @@ --- - name: reload nginx - systemd: name=nginx state=reloaded + ansible.builtin.systemd: name=nginx state=reloaded # vim: set ts=2 sw=2:
diff --git a/roles/nginx/tasks/letsencrypt.yml b/roles/nginx/tasks/letsencrypt.yml
index 20a0681..e8ad128 100644
--- a/roles/nginx/tasks/letsencrypt.yml
+++ b/roles/nginx/tasks/letsencrypt.yml
@@ -4,12 +4,12 @@ # snap now. - block: - name: Remove certbot - apt: + ansible.builtin.apt: name: certbot state: absent - name: Remove old certbot post and pre hooks for nginx - file: + ansible.builtin.file: dest: "{{ item }}" state: absent with_items:
@@ -17,12 +17,12 @@ - /etc/letsencrypt/renewal-hooks/post/start-nginx.sh - name: Check if acme.sh is installed - stat: + ansible.builtin.stat: path: "{{ letsencrypt_acme_home }}" register: acme_home - name: Download acme.sh - get_url: + ansible.builtin.get_url: url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh dest: "{{ letsencrypt_acme_script_temp }}" mode: 0700
@@ -41,7 +41,7 @@ when: acme_download is changed - name: Remove temporary acme.sh script - file: + ansible.builtin.file: dest: "{{ letsencrypt_acme_script_temp }}" state: absent when: acme_install.rc is defined and acme_install.rc == 0
@@ -51,7 +51,7 @@ cmd: "{{ letsencrypt_acme_home }}/acme.sh --set-default-ca --server letsencrypt" - name: Prepare Let's Encrypt well-known directory - file: + ansible.builtin.file: state: directory path: /var/lib/letsencrypt/.well-known owner: root
@@ -59,7 +59,7 @@ mode: g+s - name: Copy systemd service to renew Let's Encrypt certs - template: + ansible.builtin.template: src: renew-letsencrypt.service.j2 dest: /etc/systemd/system/renew-letsencrypt.service mode: 0644
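Review bot: The `Download acme.sh` task fetches `https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh` — an unpinned branch URL — with no `checksum:`, and the later `acme_install` step (outside this hunk) presumably executes that file, so whatever the branch contains at run time is trusted unverified. The same role already does this properly for `ffdhe4096.pem` in `roles/nginx/tasks/vhosts.yml` (`checksum: sha256:...`), so the download here should match: point `url` at a tagged release path (`.../acme.sh/<release tag>/acme.sh`) and add `checksum: sha256:<sha256 of that file>`. That also makes the `register: acme_download` / `when: acme_download is changed` gating meaningful, since a checksummed file only changes when the pin is bumped, and it gives the `Remove temporary acme.sh script` cleanup a stable artifact to reason about.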
@@ -67,7 +67,7 @@ group: root - name: Copy systemd timer to renew Let's Encrypt certs - copy: + ansible.builtin.copy: src: renew-letsencrypt.timer dest: /etc/systemd/system/renew-letsencrypt.timer mode: 0644
@@ -76,7 +76,7 @@ # always issues daemon-reload just in case the service/timer changed - name: Start and enable systemd timer to renew Let's Encrypt certs - systemd: + ansible.builtin.systemd: name: renew-letsencrypt.timer state: started enabled: yes
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index e442c7f..8819eb3 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -1,33 +1,33 @@ --- - name: Add nginx.org apt signing key - apt_key: id=0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 url=https://nginx.org/keys/nginx_signing.key state=present + ansible.builtin.apt_key: id=0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 url=https://nginx.org/keys/nginx_signing.key state=present register: add_nginx_apt_key tags: nginx, packages - name: Add nginx.org repo - template: src=nginx_org_sources.list.j2 dest=/etc/apt/sources.list.d/nginx_org_sources.list owner=root group=root mode=0644 + ansible.builtin.template: src=nginx_org_sources.list.j2 dest=/etc/apt/sources.list.d/nginx_org_sources.list owner=root group=root mode=0644 register: add_nginx_apt_repository tags: nginx, packages - name: Update apt cache - apt: + ansible.builtin.apt: update_cache: yes when: add_nginx_apt_key is changed or add_nginx_apt_repository is changed - name: Install nginx - apt: pkg=nginx cache_valid_time=3600 state=present + ansible.builtin.apt: pkg=nginx cache_valid_time=3600 state=present tags: nginx, packages - name: Copy nginx.conf - template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=0644 owner=root group=root + ansible.builtin.template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=0644 owner=root group=root notify: - reload nginx tags: nginx - name: Copy extra nginx configs - copy: src={{ item }} dest=/etc/nginx/{{ item }} mode=0644 owner=root group=root + ansible.builtin.copy: src={{ item }} dest=/etc/nginx/{{ item }} mode=0644 owner=root group=root loop: - extra-security.conf - fastcgi_cache 
@@ -36,41 +36,41 @@ tags: nginx - name: Remove default nginx vhost - file: path=/etc/nginx/conf.d/default.conf state=absent + ansible.builtin.file: path=/etc/nginx/conf.d/default.conf state=absent tags: nginx - name: Create fastcgi cache dir - file: path=/var/cache/nginx/cached/fastcgi state=directory owner=nginx group=nginx mode=0755 + ansible.builtin.file: path=/var/cache/nginx/cached/fastcgi state=directory owner=nginx group=nginx mode=0755 tags: nginx - name: Configure nginx virtual hosts - include_tasks: vhosts.yml + ansible.builtin.include_tasks: vhosts.yml when: nginx_vhosts is defined tags: nginx - name: Configure WordPress - include_tasks: wordpress.yml + ansible.builtin.include_tasks: wordpress.yml when: nginx_vhosts is defined tags: wordpress - name: Configure blank nginx vhost - template: src=blank-vhost.conf.j2 dest={{ nginx_confd_path }}/blank-vhost.conf mode=0644 owner=root group=root + ansible.builtin.template: src=blank-vhost.conf.j2 dest={{ nginx_confd_path }}/blank-vhost.conf mode=0644 owner=root group=root notify: - reload nginx tags: nginx - name: Configure munin vhost - copy: src=munin.conf dest=/etc/nginx/conf.d/munin.conf mode=0644 owner=root group=root + ansible.builtin.copy: src=munin.conf dest=/etc/nginx/conf.d/munin.conf mode=0644 owner=root group=root notify: - reload nginx tags: nginx - name: Start and enable nginx service - systemd: name=nginx state=started enabled=yes + ansible.builtin.systemd: name=nginx state=started enabled=yes tags: nginx - name: Configure Let's Encrypt - include_tasks: letsencrypt.yml + ansible.builtin.include_tasks: letsencrypt.yml tags: letsencrypt # vim: set ts=2 sw=2:
diff --git a/roles/nginx/tasks/vhosts.yml b/roles/nginx/tasks/vhosts.yml
index 511d844..66e6024 100644
--- a/roles/nginx/tasks/vhosts.yml
+++ b/roles/nginx/tasks/vhosts.yml
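Review bot: `tags: letsencrypt` on the `Configure Let's Encrypt` `ansible.builtin.include_tasks` tags only the include itself — tasks inside `letsencrypt.yml` inherit nothing from it — so a run limited with `--tags letsencrypt` includes the file and then skips every task in it that does not carry the tag on its own (whether the `block` in `letsencrypt.yml` is tagged is not visible in this diff). If the whole file is meant to be selectable, either add `apply: { tags: [letsencrypt] }` to the include (which then needs the dict form, `file: letsencrypt.yml`) or switch to `ansible.builtin.import_tasks`, whose tags do propagate; the `Configure nginx virtual hosts` and `Configure WordPress` includes have the same shape, though `vhosts.yml` visibly tags its block `nginx`. On style, `enabled=yes` in `Start and enable nginx service` would be `enabled: true` under yamllint's `truthy` rule, and every hunk in this commit keeps the `key=value` free-form strings that ansible-lint's `no-free-form` rule flags, so converting them to YAML dict arguments is the natural follow-up to the FQCN migration.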
@@ -2,18 +2,18 @@ - block: - name: Configure https vhosts - template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root + ansible.builtin.template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root loop: "{{ nginx_vhosts }}" notify: - reload nginx - name: Generate self-signed TLS cert - command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt + ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt notify: - reload nginx - name: Download 4096-bit RFC 7919 dhparams - get_url: + ansible.builtin.get_url: url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3 dest: "{{ nginx_ssl_dhparam }}"
@@ -22,7 +22,7 @@ # TODO: this could break because we can override the document root in host vars - name: Create vhost document roots - file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=nginx group=nginx + ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=nginx group=nginx loop: "{{ nginx_vhosts }}" tags: nginx
diff --git a/roles/nginx/tasks/wordpress.yml b/roles/nginx/tasks/wordpress.yml
index 11d7a2c..92c5247 100644
--- a/roles/nginx/tasks/wordpress.yml
+++ b/roles/nginx/tasks/wordpress.yml
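Review bot: The `Generate self-signed TLS cert` command is guarded by `creates=/etc/ssl/certs/nginx-snakeoil.crt`, so the pair is generated once with `-days 365` and never regenerated; after a year any vhost still falling back to the snakeoil files serves an expired certificate and no task notices. If the pair is only a placeholder until acme.sh issues real certificates, a comment stating that (`# placeholder only: expires after 365 days and is never renewed by this role`) documents the assumption; if it is relied on for anything (internal names, the blank vhost), a `stat`/`openssl x509 -checkend`-driven regeneration or `community.crypto.x509_certificate` would be the fix. The `Download 4096-bit RFC 7919 dhparams` task in the same hunk is the model to follow elsewhere: it pins the fetched file with `checksum: sha256:...`, which the acme.sh download in `letsencrypt.yml` does not.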
@@ -2,12 +2,12 @@ - block: - name: Install WordPress - git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version }} depth=1 force=yes + ansible.builtin.git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version }} depth=1 force=yes when: item.has_wordpress is defined and item.has_wordpress loop: "{{ nginx_vhosts }}" - name: Fix WordPress directory permissions - file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=yes + ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=yes when: item.has_wordpress is defined and item.has_wordpress loop: "{{ nginx_vhosts }}" tags: wordpress
diff --git a/roles/php-fpm/defaults/main.yml b/roles/php-fpm/defaults/main.yml
index 1c6efe5..e43b1d6 100644
--- a/roles/php-fpm/defaults/main.yml
+++ b/roles/php-fpm/defaults/main.yml
@@ -1,5 +1,5 @@ --- -# file: roles/php-fpm/defaults/main.yml +# ansible.builtin.file: roles/php-fpm/defaults/main.yml # default is on, but turn it off because of protection in nginx vhosts cgi_fix_pathinfo: 0
diff --git a/roles/php-fpm/handlers/main.yml b/roles/php-fpm/handlers/main.yml
index 6ab1ec6..7b2f7cb 100644
--- a/roles/php-fpm/handlers/main.yml
+++ b/roles/php-fpm/handlers/main.yml
@@ -1,14 +1,14 @@ --- # For Ubuntu 18.04 - name: reload php7.2-fpm - systemd: name=php7.2-fpm state=reloaded + ansible.builtin.systemd: name=php7.2-fpm state=reloaded # For Debian 10 - name: reload php7.3-fpm - systemd: name=php7.3-fpm state=reloaded + ansible.builtin.systemd: name=php7.3-fpm state=reloaded # For Ubuntu 20.04 - name: reload php7.4-fpm - systemd: name=php7.4-fpm state=reloaded + ansible.builtin.systemd: name=php7.4-fpm state=reloaded # vim: set ts=2 sw=2:
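Review bot: The `Fix WordPress directory permissions` task chowns the entire vhost tree to `nginx:nginx` with `recurse=yes`, so if the site's php-fpm pool runs as that same user (the pool template is outside this diff), the PHP worker can rewrite every WordPress file including `wp-config.php` and plugin code, which turns any code-execution bug in a plugin into a persistent site compromise. WordPress typically needs write access only to `wp-content/uploads` (plus plugin/theme directories if in-app updates are wanted), so a tighter layout is files owned by root or a deploy user with group read for `nginx`, and a second, narrower `ansible.builtin.file` task granting `nginx` write on just the writable subtree. On the `ansible.builtin.git` task, `force=yes` discards any local edits on every run and `version={{ item.wordpress_version }}` is the only thing pinning what is deployed, so a comment such as `# wordpress_version must be a release tag, not a branch, or each run can pull different code` would document the reproducibility assumption the role relies on.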
diff --git a/roles/php-fpm/tasks/Debian_10.yml b/roles/php-fpm/tasks/Debian_10.yml
index 82cc2fa..c27b2cf 100644
--- a/roles/php-fpm/tasks/Debian_10.yml
+++ b/roles/php-fpm/tasks/Debian_10.yml
@@ -2,7 +2,7 @@ - block: - name: Set php-fpm packages - set_fact: + ansible.builtin.set_fact: php_fpm_packages: - php-fpm # for WordPress
@@ -11,22 +11,22 @@ - php-curl - name: Install php-fpm and deps - apt: name={{ php_fpm_packages }} state=present update_cache=yes + ansible.builtin.apt: name={{ php_fpm_packages }} state=present update_cache=yes # only copy php-fpm config for vhosts that need WordPress or PHP - name: Copy php-fpm pool config - template: src=php7.3-pool.conf.j2 dest=/etc/php/7.3/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644 + ansible.builtin.template: src=php7.3-pool.conf.j2 dest=/etc/php/7.3/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644 loop: "{{ nginx_vhosts }}" when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php) notify: reload php7.3-fpm - name: Remove default www pool - file: path=/etc/php/7.3/fpm/pool.d/www.conf state=absent + ansible.builtin.file: path=/etc/php/7.3/fpm/pool.d/www.conf state=absent notify: reload php7.3-fpm # re-configure php.ini - name: Update php.ini - template: src=php7.3-php.ini.j2 dest=/etc/php/7.3/fpm/php.ini owner=root group=root mode=0644 + ansible.builtin.template: src=php7.3-php.ini.j2 dest=/etc/php/7.3/fpm/php.ini owner=root group=root mode=0644 notify: reload php7.3-fpm tags: php-fpm
diff --git a/roles/php-fpm/tasks/Ubuntu_18.04.yml b/roles/php-fpm/tasks/Ubuntu_18.04.yml
index a5c6cc1..9feb748 100644
--- a/roles/php-fpm/tasks/Ubuntu_18.04.yml
+++ b/roles/php-fpm/tasks/Ubuntu_18.04.yml
@@ -2,7 +2,7 @@ - block: - name: Set php-fpm packages - set_fact: + ansible.builtin.set_fact: php_fpm_packages: - php-fpm # for WordPress
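Review bot: `Debian_10.yml`, `Ubuntu_18.04.yml` and `Ubuntu_20.04.yml` now differ only in the PHP version literal baked into the `template` `src`/`dest` paths, the `www.conf` path and the `notify: reload php7.x-fpm` handler names, so this commit makes the same five-line change three times; the `@@ -11,22` hunks in the two Ubuntu files are byte-for-byte the same apart from `7.2`/`7.4`. A single task file driven by a `php_fpm_version` fact (`dest=/etc/php/{{ php_fpm_version }}/fpm/pool.d/{{ item.domain_name }}.conf`, `notify: reload php{{ php_fpm_version }}-fpm`, one parameterised handler) would remove the triplication and also make the Debian 11 → `Ubuntu_20.04.yml` mapping in `roles/php-fpm/tasks/main.yml` an explicit version assignment instead of a coincidence of package versions. That refactor is out of scope for a rename commit, but a `# TODO: fold into one version-parameterised task file` at the top of each file would flag it.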
@@ -11,22 +11,22 @@ - php-curl - name: Install php-fpm and deps - apt: name={{ php_fpm_packages }} state=present update_cache=yes + ansible.builtin.apt: name={{ php_fpm_packages }} state=present update_cache=yes # only copy php-fpm config for vhosts that need WordPress or PHP - name: Copy php-fpm pool config - template: src=php7.2-pool.conf.j2 dest=/etc/php/7.2/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644 + ansible.builtin.template: src=php7.2-pool.conf.j2 dest=/etc/php/7.2/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644 loop: "{{ nginx_vhosts }}" when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php) notify: reload php7.2-fpm - name: Remove default www pool - file: path=/etc/php/7.2/fpm/pool.d/www.conf state=absent + ansible.builtin.file: path=/etc/php/7.2/fpm/pool.d/www.conf state=absent notify: reload php7.2-fpm # re-configure php.ini - name: Update php.ini - template: src=php7.2-php.ini.j2 dest=/etc/php/7.2/fpm/php.ini owner=root group=root mode=0644 + ansible.builtin.template: src=php7.2-php.ini.j2 dest=/etc/php/7.2/fpm/php.ini owner=root group=root mode=0644 notify: reload php7.2-fpm tags: php-fpm
diff --git a/roles/php-fpm/tasks/Ubuntu_20.04.yml b/roles/php-fpm/tasks/Ubuntu_20.04.yml
index aaf56a2..4d7c73b 100644
--- a/roles/php-fpm/tasks/Ubuntu_20.04.yml
+++ b/roles/php-fpm/tasks/Ubuntu_20.04.yml
@@ -2,7 +2,7 @@ - block: - name: Set php-fpm packages - set_fact: + ansible.builtin.set_fact: php_fpm_packages: - php7.4-fpm # for WordPress
@@ -12,22 +12,22 @@ - php7.4-xml - name: Install php-fpm and deps - apt: name={{ php_fpm_packages }} state=present update_cache=yes + ansible.builtin.apt: name={{ php_fpm_packages }} state=present update_cache=yes # only copy php-fpm config for vhosts that need WordPress or PHP - name: Copy php-fpm pool config - template: src=php7.4-pool.conf.j2 dest=/etc/php/7.4/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644 + ansible.builtin.template: src=php7.4-pool.conf.j2 dest=/etc/php/7.4/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644 loop: "{{ nginx_vhosts }}" when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php) notify: reload php7.4-fpm - name: Remove default www pool - file: path=/etc/php/7.4/fpm/pool.d/www.conf state=absent + ansible.builtin.file: path=/etc/php/7.4/fpm/pool.d/www.conf state=absent notify: reload php7.4-fpm # re-configure php.ini - name: Update php.ini - template: src=php7.4-php.ini.j2 dest=/etc/php/7.4/fpm/php.ini owner=root group=root mode=0644 + ansible.builtin.template: src=php7.4-php.ini.j2 dest=/etc/php/7.4/fpm/php.ini owner=root group=root mode=0644 notify: reload php7.4-fpm tags: php-fpm
diff --git a/roles/php-fpm/tasks/main.yml b/roles/php-fpm/tasks/main.yml
index 966a02f..b70a934 100644
--- a/roles/php-fpm/tasks/main.yml
+++ b/roles/php-fpm/tasks/main.yml
@@ -10,40 +10,40 @@ # # See: https://stackoverflow.com/a/31896249 - name: Check if any vhost needs WordPress - set_fact: + ansible.builtin.set_fact: install_php: True when: "nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', True) | list | length > 0" # Legacy, was only for Piwik, but leaving for now. - name: Check if any vhost needs PHP - set_fact: + ansible.builtin.set_fact: install_php: True when: "nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', True) | list | length > 0" # If install_php has not been set, then we assume no vhosts need PHP. This is # a bit hacky, but it's the closest we come to an if/then/else. - name: Set install_php to False - set_fact: + ansible.builtin.set_fact: install_php: False when: install_php is not defined - name: Configure php-fpm on Ubuntu 18.04 - include_tasks: Ubuntu_18.04.yml + ansible.builtin.include_tasks: Ubuntu_18.04.yml when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==') and install_php tags: php-fpm - name: Configure php-fpm on Debian 10 - include_tasks: Debian_10.yml + ansible.builtin.include_tasks: Debian_10.yml when: ansible_distribution == 'Debian' and ansible_distribution_version is version('10', '==') and install_php tags: php-fpm - name: Configure php-fpm on Ubuntu 20.04 - include_tasks: Ubuntu_20.04.yml + ansible.builtin.include_tasks: Ubuntu_20.04.yml when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==') and install_php tags: php-fpm - name: Configure php-fpm on Debian 11 - include_tasks: Ubuntu_20.04.yml + ansible.builtin.include_tasks: Ubuntu_20.04.yml when: ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '==') and install_php tags: php-fpm