roles: strict truthy values

According to Ansible we can use yes, true, True, "or any quoted st-
ring" for a boolean true, but ansible-lint wants us to use either
true or false.

See: https://chronicler.tech/red-hat-ansible-yes-no-and/

roles/nginx/defaults/main.yml

@@ -25,8 +25,8 @@ nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:
 nginx_hsts_max_age: 31536000
 
 # install acme.sh?
-# True unless you're in development and using "localhost" + snakeoil certs
-use_letsencrypt: True
+# true unless you're in development and using "localhost" + snakeoil certs
+use_letsencrypt: true
 
 # Directory root for Let's Encrypt certs
 letsencrypt_root: /etc/ssl

roles/nginx/tasks/letsencrypt.yml

@@ -79,8 +79,8 @@
     ansible.builtin.systemd:
       name: renew-letsencrypt.timer
       state: started
-      enabled: yes
-      daemon_reload: yes
+      enabled: true
+      daemon_reload: true
 
   when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '=='))
         or (ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '=='))

roles/nginx/tasks/main.yml

@@ -11,7 +11,7 @@
 
 - name: Update apt cache
   ansible.builtin.apt:
-    update_cache: yes
+    update_cache: true
   when:
     add_nginx_apt_key is changed or
     add_nginx_apt_repository is changed
@@ -66,7 +66,7 @@
   tags: nginx
 
 - name: Start and enable nginx service
-  ansible.builtin.systemd: name=nginx state=started enabled=yes
+  ansible.builtin.systemd: name=nginx state=started enabled=true
   tags: nginx
 
 - name: Configure Let's Encrypt

roles/nginx/tasks/wordpress.yml

@@ -2,12 +2,12 @@
 
 - block:
   - name: Install WordPress
-    ansible.builtin.git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version }} depth=1 force=yes
+    ansible.builtin.git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version }} depth=1 force=true
     when: item.has_wordpress is defined and item.has_wordpress
     loop: "{{ nginx_vhosts }}"
 
   - name: Fix WordPress directory permissions
-    ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=yes
+    ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=true
     when: item.has_wordpress is defined and item.has_wordpress
     loop: "{{ nginx_vhosts }}"
   tags: wordpress

roles/nginx/templates/https.j2

@@ -1,7 +1,7 @@
 {# helper variables and per-site defaults that we can't set in role defaults #}
 {% set domain_name       = item.domain_name %}
-{# assume HSTS is off unless a vhost explicitly sets it to True #}
-{% set enable_hsts       = item.enable_hsts | default(False) %}
+{# assume HSTS is off unless a vhost explicitly sets it to true #}
+{% set enable_hsts       = item.enable_hsts | default(false) %}
 
     {# first, check if the current vhost has a custom cert (perhaps self-signed) #}
     {% if item.tls_certificate_path is defined and item.tls_key_path is defined %}
@@ -31,7 +31,7 @@
     ssl_prefer_server_ciphers on;
 
     {# OSCP stapling only works with real certs #}
-    {% if use_letsencrypt == True or item.tls_certificate_path %}
+    {% if use_letsencrypt == true or item.tls_certificate_path %}
     # OCSP stapling...
     ssl_stapling on;
     ssl_stapling_verify on;
@@ -47,7 +47,7 @@
     # of such infrastructure, consider turning off session tickets:
     ssl_session_tickets off;
 
-    {% if enable_hsts == True %}
+    {% if enable_hsts == true %}
     # Enable this if you want HSTS (recommended, but be careful)
     # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
     # See: https://hstspreload.appspot.com/

roles/nginx/templates/vhost.conf.j2

@@ -4,10 +4,10 @@
 {% set domain_name    = item.domain_name %}
 {% set domain_aliases = item.domain_aliases | default("") %}
 {# assume optional features are off unless a vhost explicitly sets them #}
-{% set enable_hsts    = item.enable_hsts | default(False) %}
-{% set has_wordpress  = item.has_wordpress | default(False) %}
-{% set needs_php      = item.needs_php | default(False) %}
-{% set has_gitea      = item.has_gitea | default(False) %}
+{% set enable_hsts    = item.enable_hsts | default(false) %}
+{% set has_wordpress  = item.has_wordpress | default(false) %}
+{% set needs_php      = item.needs_php | default(false) %}
+{% set has_gitea      = item.has_gitea | default(false) %}
 
 # http -> https vhost
 server {
@@ -39,18 +39,18 @@ server {
     {# will only work if the TLS cert covers the domain + aliases, like example.com and www.example.com #}
     server_name {{ domain_name }} {{ domain_aliases }};
 
-    index {% if has_wordpress == True or needs_php == True %}index.php{% else %}index.html{% endif %};
+    index {% if has_wordpress == true or needs_php == true %}index.php{% else %}index.html{% endif %};
 
     access_log  /var/log/nginx/{{ domain_name }}-access.log;
     error_log   /var/log/nginx/{{ domain_name }}-error.log;
 
     {% include 'https.j2' %}
 
-    {% if has_wordpress == True %}
+    {% if has_wordpress == true %}
         {% include 'wordpress.j2' %}
     {% endif %}
 
-    {% if has_gitea == True %}
+    {% if has_gitea == true %}
         {% include 'gitea.j2' %}
     {% endif %}
 
@@ -59,7 +59,7 @@ server {
         root /usr/share/nginx/html;
     }
 
-    {% if has_wordpress == True or needs_php == True %}
+    {% if has_wordpress == true or needs_php == true %}
     location ~ [^/]\.php(/|$) {
         # Zero-day exploit defense.
         # http://forum.nginx.org/read.php?2,88845,page=3
@@ -99,7 +99,7 @@ server {
         fastcgi_cache_bypass $http_pragma $wordpress_logged_in;
         fastcgi_no_cache $http_pragma $wordpress_logged_in;
 
-        {% if enable_hsts == True %}
+        {% if enable_hsts == true %}
         # Enable this if you want HSTS (recommended, but be careful)
         # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
         # See: https://hstspreload.appspot.com/
@@ -113,7 +113,7 @@ server {
     include extra-security.conf;
 }
 
-{% if has_wordpress == True %}
+{% if has_wordpress == true %}
 # Check if a user is logged in
 # if so, set $wordpress_logged_in = 1
 # otherwise, set $wordpress_logged_in = 0

roles/nginx/templates/wordpress.j2

@@ -5,7 +5,7 @@
     location / {
         try_files $uri $uri/ /index.php?$args;
 
-        {% if enable_hsts == True %}
+        {% if enable_hsts == true %}
         # Enable this if you want HSTS (recommended, but be careful)
         # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
         # See: https://hstspreload.appspot.com/
@@ -16,7 +16,7 @@
     location ~* \.(?:ico|css|js|gif|jpe?g|png|svg)$ {
         add_header Cache-Control "max-age=604800";
 
-        {% if enable_hsts == True %}
+        {% if enable_hsts == true %}
         # Enable this if you want HSTS (recommended, but be careful)
         # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
         # See: https://hstspreload.appspot.com/