26 changed files with 412 additions and 2975 deletions
--- a/roles/caddy/tasks/main.yml
+++ b/roles/caddy/tasks/main.yml
@ -18,7 +18,7 @@
    dest: /etc/apt/keyrings/caddy-stable-archive-keyring.key
    owner: root
    group: root
-    mode: "0644"
+    mode: 0644
  register: download_caddy_signing_key
  when: not caddy_signing_key_stat.stat.exists
  tags:
@ -27,7 +27,7 @@
 - name: Add Caddy stable repo
  ansible.builtin.apt_repository:
-    repo: deb [signed-by=/etc/apt/keyrings/caddy-stable-archive-keyring.key] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main
+    repo: 'deb [signed-by=/etc/apt/keyrings/caddy-stable-archive-keyring.key] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main'
    filename: caddy-stable
    state: present
  register: add_caddy_apt_repository
@ -38,7 +38,9 @@
 - name: Update apt cache
  ansible.builtin.apt: # noqa no-handler
    update_cache: true
-  when: (download_caddy_signing_key.status_code is defined and download_caddy_signing_key.status_code == 200) or add_caddy_apt_repository is changed
+  when:
    (download_caddy_signing_key.status_code is defined and download_caddy_signing_key.status_code == 200) or
    add_caddy_apt_repository is changed
  tags:
    - packages
    - caddy
@ -57,7 +59,7 @@
  ansible.builtin.template:
    src: etc/caddy/Caddyfile.j2
    dest: /etc/caddy/Caddyfile
-    mode: "0755"
+    mode: 0755
    owner: root
    group: root
  notify:
@ -68,7 +70,7 @@
  ansible.builtin.file:
    path: /etc/caddy/conf.d
    state: directory
-    mode: "0755"
+    mode: 0755
    owner: root
    group: root
--- a/roles/caddy/tasks/vhosts.yml
+++ b/roles/caddy/tasks/vhosts.yml
@ -1,9 +1,10 @@
 ---
 - name: Configure vhosts
  ansible.builtin.template:
    src: etc/caddy/conf.d/vhost.j2
    dest: /etc/caddy/conf.d/{{ item.domain_name }}
-    mode: "0644"
+    mode: 0644
    owner: root
    group: root
  loop: "{{ nginx_vhosts }}"
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@ -2,26 +2,19 @@
 # ansible.builtin.file: roles/common/handlers/main.yml
 - name: reload sshd
-  ansible.builtin.systemd:
+  ansible.builtin.systemd: name={{ sshd_service_name }} state=reloaded
    name: "{{ sshd_service_name }}"
    state: reloaded
 - name: reload sysctl
  command: sysctl -p /etc/sysctl.conf
 - name: reload systemd
-  ansible.builtin.systemd:
+  ansible.builtin.systemd: daemon_reload=true
    daemon_reload: true
 - name: restart nftables
-  ansible.builtin.systemd:
+  ansible.builtin.systemd: name=nftables state=restarted
    name: nftables
    state: restarted
 # 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed
 # in the order they are defined, not in the order they are listed in the task's
 # notify statement and we must restart fail2ban after updating the firewall.
 - name: restart fail2ban
-  ansible.builtin.systemd:
+  ansible.builtin.systemd: name=fail2ban state=restarted
    name: fail2ban
    state: restarted
--- a/roles/common/tasks/cron-apt.yml
+++ b/roles/common/tasks/cron-apt.yml
@ -1,9 +1,10 @@
 ---
 - name: Configure cron-apt (config)
  ansible.builtin.copy: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode }} owner={{ item.owner }} group={{ item.group }}
  loop:
-    - { src: etc/cron-apt/config, dest: /etc/cron-apt/config, mode: "0644", owner: root, group: root }
+    - { src: 'etc/cron-apt/config', dest: '/etc/cron-apt/config', mode: '0644', owner: 'root', group: 'root' }
-    - { src: etc/cron-apt/3-download, dest: /etc/cron-apt/action.d/3-download, mode: "0644", owner: root, group: root }
+    - { src: 'etc/cron-apt/3-download', dest: '/etc/cron-apt/action.d/3-download', mode: '0644', owner: 'root', group: 'root' }
 - name: Configure cron-apt (security)
  ansible.builtin.template: src=security.sources.list.j2 dest=/etc/apt/security.sources.list mode=0644 owner=root group=root
--- a/roles/common/tasks/fail2ban.yml
+++ b/roles/common/tasks/fail2ban.yml
@ -1,32 +1,21 @@
 ---
 - name: Install fail2ban
  when:
    - ansible_distribution_major_version is version('11', '>=')
  ansible.builtin.package:
    name:
      - fail2ban
      - python3-systemd
    state: present
    cache_valid_time: 3600
 - name: Configure fail2ban sshd filter
  ansible.builtin.template:
    src: etc/fail2ban/jail.d/sshd.local.j2
    dest: /etc/fail2ban/jail.d/sshd.local
    owner: root
-    mode: "0644"
+    mode: 0644
  notify: restart fail2ban
 - name: Configure fail2ban nginx filter
  when:
    - webserver is defined and webserver == 'nginx'
    - extra_fail2ban_filters is defined
    - "'nginx' in extra_fail2ban_filters"
  ansible.builtin.template:
    src: etc/fail2ban/jail.d/nginx.local.j2
    dest: /etc/fail2ban/jail.d/nginx.local
    owner: root
-    mode: "0644"
+    mode: 0644
  notify: restart fail2ban
 - name: Create fail2ban service override directory
@ -34,7 +23,7 @@
    path: /etc/systemd/system/fail2ban.service.d
    state: directory
    owner: root
-    mode: "0755"
+    mode: 0755
 # See Arch Linux's example: https://wiki.archlinux.org/index.php/Fail2ban
 - name: Configure fail2ban service override
@ -42,7 +31,7 @@
    src: etc/systemd/system/fail2ban.service.d/override.conf.j2
    dest: /etc/systemd/system/fail2ban.service.d/override.conf
    owner: root
-    mode: "0644"
+    mode: 0644
  notify:
    - reload systemd
    - restart fail2ban
--- a/roles/common/tasks/firewall_Debian.yml
+++ b/roles/common/tasks/firewall_Debian.yml
@ -6,8 +6,10 @@
    when: ansible_distribution_major_version is version('11', '>=')
    ansible.builtin.package:
      name:
        - fail2ban
        - libnet-ip-perl # for aggregate-cidr-addresses.pl
        - nftables
        - python3-systemd
        - curl # for nftables update scripts
      state: present
      cache_valid_time: 3600
@ -24,7 +26,7 @@
      src: nftables.conf.j2
      dest: /etc/nftables.conf
      owner: root
-        mode: "0644"
+      mode: 0644
    notify:
      - restart nftables
      - restart fail2ban
@ -35,23 +37,23 @@
      path: /etc/nftables
      state: directory
      owner: root
-        mode: "0755"
+      mode: 0755
  - name: Copy extra nftables configuration files
    when: ansible_distribution_major_version is version('11', '>=')
    ansible.builtin.copy:
      src: "{{ item.src }}"
-        dest: /etc/nftables/{{ item.src }}
+      dest: "/etc/nftables/{{ item.src }}"
      owner: root
      group: root
-        mode: "0644"
+      mode: 0644
      force: "{{ item.force }}"
    loop:
-        - { src: spamhaus-ipv4.nft, force: "no" }
+      - { src: "spamhaus-ipv4.nft", force: "no" }
-        - { src: spamhaus-ipv6.nft, force: "no" }
+      - { src: "spamhaus-ipv6.nft", force: "no" }
-        - { src: abusech-ipv4.nft, force: "no" }
+      - { src: "abusech-ipv4.nft", force: "no" }
-        - { src: abuseipdb-ipv4.nft, force: "yes" }
+      - { src: "abuseipdb-ipv4.nft", force: "yes" }
-        - { src: abuseipdb-ipv6.nft, force: "yes" }
+      - { src: "abuseipdb-ipv6.nft", force: "yes" }
    notify:
      - restart nftables
      - restart fail2ban
@ -60,8 +62,8 @@
    when: ansible_distribution_version is version('11', '>=')
    ansible.builtin.copy:
      src: "{{ item }}"
-        dest: /usr/local/bin/{{ item }}
+      dest: "/usr/local/bin/{{ item }}"
-        mode: "0755"
+      mode: 0755
      owner: root
      group: root
    loop:
@ -73,8 +75,8 @@
    when: ansible_distribution_version is version('11', '>=')
    ansible.builtin.copy:
      src: "{{ item }}"
-        dest: /etc/systemd/system/{{ item }}
+      dest: "/etc/systemd/system/{{ item }}"
-        mode: "0644"
+      mode: 0644
      owner: root
      group: root
    loop:
@ -108,8 +110,7 @@
      enabled: true
  - ansible.builtin.include_tasks: fail2ban.yml
-      when:
+    when: ansible_distribution_major_version is version('9', '>=')
        - ansible_distribution_major_version is version('9', '>=')
  tags: firewall
 # vim: set sw=2 ts=2:
--- a/roles/common/tasks/firewall_Ubuntu.yml
+++ b/roles/common/tasks/firewall_Ubuntu.yml
@ -3,11 +3,12 @@
 - block:
  - name: Install Ubuntu firewall packages
      when: ansible_distribution_version is version('20.04', '>=')
    ansible.builtin.package:
      name:
        - fail2ban
        - libnet-ip-perl # for aggregate-cidr-addresses.pl
        - nftables
        - python3-systemd
        - curl # for nftables update scripts
      state: present
      cache_valid_time: 3600
@ -23,7 +24,7 @@
      src: nftables.conf.j2
      dest: /etc/nftables.conf
      owner: root
-        mode: "0644"
+      mode: 0644
    notify:
      - restart nftables
      - restart fail2ban
@ -34,23 +35,23 @@
      path: /etc/nftables
      state: directory
      owner: root
-        mode: "0755"
+      mode: 0755
  - name: Copy extra nftables configuration files
    when: ansible_distribution_version is version('20.04', '>=')
    ansible.builtin.copy:
      src: "{{ item.src }}"
-        dest: /etc/nftables/{{ item.src }}
+      dest: "/etc/nftables/{{ item.src }}"
      owner: root
      group: root
-        mode: "0644"
+      mode: 0644
      force: "{{ item.force }}"
    loop:
-        - { src: spamhaus-ipv4.nft, force: "no" }
+      - { src: "spamhaus-ipv4.nft", force: "no" }
-        - { src: spamhaus-ipv6.nft, force: "no" }
+      - { src: "spamhaus-ipv6.nft", force: "no" }
-        - { src: abusech-ipv4.nft, force: "no" }
+      - { src: "abusech-ipv4.nft", force: "no" }
-        - { src: abuseipdb-ipv4.nft, force: "yes" }
+      - { src: "abuseipdb-ipv4.nft", force: "yes" }
-        - { src: abuseipdb-ipv6.nft, force: "yes" }
+      - { src: "abuseipdb-ipv6.nft", force: "yes" }
    notify:
      - restart nftables
      - restart fail2ban
@ -59,8 +60,8 @@
    when: ansible_distribution_version is version('20.04', '>=')
    ansible.builtin.copy:
      src: "{{ item }}"
-        dest: /usr/local/bin/{{ item }}
+      dest: "/usr/local/bin/{{ item }}"
-        mode: "0755"
+      mode: 0755
      owner: root
      group: root
    loop:
@ -72,8 +73,8 @@
    when: ansible_distribution_version is version('20.04', '>=')
    ansible.builtin.copy:
      src: "{{ item }}"
-        dest: /etc/systemd/system/{{ item }}
+      dest: "/etc/systemd/system/{{ item }}"
-        mode: "0644"
+      mode: 0644
      owner: root
      group: root
    loop:
@ -107,8 +108,7 @@
      enabled: true
  - ansible.builtin.include_tasks: fail2ban.yml
-      when:
+    when: ansible_distribution_version is version('16.04', '>=')
        - ansible_distribution_version is version('16.04', '>=')
  tags: firewall
 # vim: set sw=2 ts=2:
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -1,6 +1,6 @@
 ---
 - name: Import OS-specific variables
-  ansible.builtin.include_vars: vars/{{ ansible_distribution }}.yml
+  ansible.builtin.include_vars: "vars/{{ ansible_distribution }}.yml"
  tags: always
 - name: Configure network time
--- a/roles/common/tasks/ntp.yml
+++ b/roles/common/tasks/ntp.yml
@ -12,8 +12,8 @@
 # I can see on existing servers, systemd-timesyncd is a standalone package on
 # Ubuntu 20.04 and Debian 11.
 - name: Install systemd-timesyncd
-  when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version
+  when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or
-    is version('11', '>='))
+        (ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '>='))
  ansible.builtin.apt: name=systemd-timesyncd state=present cache_valid_time=3600
 - name: Start and enable systemd's NTP client
--- a/roles/common/tasks/packages_Debian.yml
+++ b/roles/common/tasks/packages_Debian.yml
@ -1,4 +1,5 @@
 ---
 - name: Configure Debian packages
  block:
    # Create directory for third-party package signing keys. Required on distros
@ -8,7 +9,7 @@
    - name: Create /etc/apt/keyrings
      file:
        path: /etc/apt/keyrings
-        mode: "0755"
+        mode: 0755
        owner: root
        group: root
        state: directory
--- a/roles/common/tasks/packages_Ubuntu.yml
+++ b/roles/common/tasks/packages_Ubuntu.yml
@ -1,4 +1,5 @@
 ---
 - name: Configure Ubuntu packages
  block:
    # Create directory for third-party package signing keys. Required on distros
@ -8,7 +9,7 @@
    - name: Create /etc/apt/keyrings
      file:
        path: /etc/apt/keyrings
-        mode: "0755"
+        mode: 0755
        owner: root
        group: root
        state: directory
--- a/roles/common/tasks/ssh-keys.yml
+++ b/roles/common/tasks/ssh-keys.yml
@ -3,7 +3,7 @@
  ansible.builtin.file: dest={{ provisioning_user.home }}/.ssh/authorized_keys state=absent
 - name: Add public keys to authorized_keys
-  ansible.posix.authorized_key: { user: "{{ provisioning_user.name }}", key: "{{ lookup('file',item) }}" }
+  ansible.posix.authorized_key: { user: '{{ provisioning_user.name }}', key: "{{ lookup('file',item) }}" }
  with_fileglob:
    # use descriptive names for keys, like: aorth-mzito-rsa.pub
    - ssh-pub-keys/*.pub
--- a/roles/common/tasks/sshd.yml
+++ b/roles/common/tasks/sshd.yml
@ -1,8 +1,8 @@
 ---
 # SSH configs don't change in Debian minor versions
 - name: Reconfigure /etc/ssh/sshd_config
-  ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root
+  ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
    mode=0600
  when: ansible_distribution == 'Debian'
  notify: reload sshd
--- a/roles/common/tasks/tarsnap.yml
+++ b/roles/common/tasks/tarsnap.yml
@ -1,45 +1,24 @@
 ---
- name: Check tarsnap apt signing key
+- name: Add Tarsnap apt mirror
-  ansible.builtin.stat:
+  ansible.builtin.template: src=tarsnap_sources.list.j2 dest=/etc/apt/sources.list.d/tarsnap.list owner=root group=root mode=0644
    path: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
  register: tarsnap_signing_key_stat
 - name: Download tarsnap apt signing key
  ansible.builtin.get_url:
    url: https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc
    dest: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
    owner: root
    group: root
    mode: "0644"
  register: download_tarsnap_signing_key
  when: not tarsnap_signing_key_stat.stat.exists
 - name: Add tarsnap.org repo
  ansible.builtin.template:
    src: tarsnap_sources.list.j2
    dest: /etc/apt/sources.list.d/tarsnap.list
    owner: root
    group: root
    mode: "0644"
  register: add_tarsnap_apt_repository
  when: ansible_architecture != 'armv7l'
 - name: Add GPG key for Tarsnap
  ansible.builtin.apt_key: id=0xF608BA1BFB5CE8F8CAB088359F084BEE7F938A76 url=https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc state=present
  register: add_tarsnap_apt_key
 - name: Update apt cache
-  ansible.builtin.apt: # noqa no-handler
+  ansible.builtin.apt:
    update_cache: true
-  when: (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or add_tarsnap_apt_repository is changed
+  when:
    add_tarsnap_apt_key is changed or
    add_tarsnap_apt_repository is changed
 - name: Install tarsnap
-  ansible.builtin.apt:
+  ansible.builtin.apt: pkg=tarsnap cache_valid_time=3600
    pkg: tarsnap
    cache_valid_time: 3600
 - name: Copy tarsnaprc
-  ansible.builtin.copy:
+  ansible.builtin.copy: src=tarsnaprc dest=/root/.tarsnaprc owner=root group=root mode=0600
    src: tarsnaprc
    dest: /root/.tarsnaprc
    owner: root
    group: root
    mode: "0600"
 # vim: set sw=2 ts=2:
--- a/roles/mariadb/tasks/main.yml
+++ b/roles/mariadb/tasks/main.yml
@ -1,7 +1,7 @@
 ---
 - name: Remove MariaDB key from apt-key
  ansible.builtin.apt_key:
-    id: "013577200103762554506315430003013705453362230723150730"
+    id: 0x177F4010FE56CA3336300305F1656F24C74CD1D8
    state: absent
  tags:
    - packages
@ -21,7 +21,7 @@
    dest: /etc/apt/keyrings/mariadb_release_signing_key.asc
    owner: root
    group: root
-    mode: "0644"
+    mode: 0644
  register: download_mariadb_signing_key
  when: not mariadb_signing_key_stat.stat.exists
  tags:
@ -30,8 +30,7 @@
 - name: Add MariaDB 10.6 repo
  ansible.builtin.apt_repository:
-    repo: deb [arch=amd64 signed-by=/etc/apt/keyrings/mariadb_release_signing_key.asc] https://dlm.mariadb.com/repo/mariadb-server/10.6/repo/debian {{ ansible_distribution_release
+    repo: 'deb [arch=amd64 signed-by=/etc/apt/keyrings/mariadb_release_signing_key.asc] https://dlm.mariadb.com/repo/mariadb-server/10.6/repo/debian {{ ansible_distribution_release }} main'
      }} main
    filename: mariadb
    state: present
  register: add_mariadb_apt_repository
@ -42,14 +41,16 @@
 - name: Update apt cache
  ansible.builtin.apt: # noqa no-handler
    update_cache: true
-  when: (download_mariadb_signing_key.status_code is defined and download_mariadb_signing_key.status_code == 200) or add_mariadb_apt_repository is changed
+  when:
    (download_mariadb_signing_key.status_code is defined and download_mariadb_signing_key.status_code == 200) or
    add_mariadb_apt_repository is changed
  tags:
    - packages
    - mariadb
 - name: Install mariadb-server
  ansible.builtin.apt:
-    name: [mariadb-server, python3-pymysql]
+    name: ['mariadb-server', 'python3-pymysql']
    state: present
    cache_valid_time: 3600
  tags: mariadb, packages
@ -60,7 +61,7 @@
    dest: /etc/mysql/my.cnf
    owner: root
    group: root
-    mode: "0644"
+    mode: 0644
  notify:
    - restart mariadb
  tags: mariadb
@ -82,7 +83,7 @@
    src: .my.cnf.j2
    dest: /root/.my.cnf
    owner: root
-    mode: "0600"
+    mode: 0600
  tags: mariadb
 # See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_db_module.html
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@ -14,11 +14,11 @@ nginx_ssl_session_cache: shared:SSL:10m
 # 1400 bytes to fit in one MTU (default is 16k!)
 nginx_ssl_buffer_size: 1400
 nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
-nginx_ssl_protocols: TLSv1.2 TLSv1.3
+nginx_ssl_protocols: 'TLSv1.2 TLSv1.3'
 # DNS resolvers for OCSP stapling (default to Cloudflare public DNS)
 # See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
-nginx_ssl_stapling_resolver: 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]
+nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]'
 # HTTP Strict-Transport-Security header, recommended by Google to be ~1 year
 # in seconds, see: https://hstspreload.org/
--- a/roles/nginx/tasks/letsencrypt.yml
+++ b/roles/nginx/tasks/letsencrypt.yml
@ -1,4 +1,5 @@
 ---
 # Use acme.sh instead of certbot because they only support installation via
 # snap now.
 - block:
@ -24,7 +25,7 @@
    ansible.builtin.get_url:
      url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
      dest: "{{ letsencrypt_acme_script_temp }}"
-        mode: "0700"
+      mode: 0700
    register: acme_download
    when: not acme_home.stat.exists
@ -63,7 +64,7 @@
    ansible.builtin.template:
      src: renew-letsencrypt.service.j2
      dest: /etc/systemd/system/renew-letsencrypt.service
-        mode: "0644"
+      mode: 0644
      owner: root
      group: root
@ -71,7 +72,7 @@
    ansible.builtin.copy:
      src: renew-letsencrypt.timer
      dest: /etc/systemd/system/renew-letsencrypt.timer
-        mode: "0644"
+      mode: 0644
      owner: root
      group: root
@ -83,8 +84,8 @@
      enabled: true
      daemon_reload: true
-  when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version
+  when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '=='))
-    is version('11', '>='))
+        or (ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '=='))
  tags: letsencrypt
 # vim: set ts=2 sw=2:
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@ -1,7 +1,7 @@
 ---
 - name: Remove nginx apt signing key from apt-key
  ansible.builtin.apt_key:
-    id: "053473772654754373614404074646527257655730117366337542"
+    id: 0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62
    state: absent
  tags:
    - packages
@ -21,7 +21,7 @@
    dest: /usr/share/keyrings/nginx_signing.key
    owner: root
    group: root
-    mode: "0644"
+    mode: 0644
  register: download_nginx_signing_key
  when: not nginx_signing_key_stat.stat.exists
  tags:
@ -34,7 +34,7 @@
    dest: /etc/apt/sources.list.d/nginx_org_sources.list
    owner: root
    group: root
-    mode: "0644"
+    mode: 0644
  register: add_nginx_apt_repository
  tags:
    - nginx
@ -43,7 +43,9 @@
 - name: Update apt cache
  ansible.builtin.apt: # noqa no-handler
    update_cache: true
-  when: (download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or add_nginx_apt_repository is changed
+  when:
    (download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or
    add_nginx_apt_repository is changed
 - name: Install nginx
  ansible.builtin.apt:
@ -58,7 +60,7 @@
  ansible.builtin.template:
    src: nginx.conf.j2
    dest: /etc/nginx/nginx.conf
-    mode: "0644"
+    mode: 0644
    owner: root
    group: root
  notify:
@ -68,8 +70,8 @@
 - name: Copy extra nginx configs
  ansible.builtin.copy:
    src: "{{ item }}"
-    dest: /etc/nginx/{{ item }}
+    dest: "/etc/nginx/{{ item }}"
-    mode: "0644"
+    mode: 0644
    owner: root
    group: root
  loop:
@ -91,7 +93,7 @@
    state: directory
    owner: nginx
    group: nginx
-    mode: "0755"
+    mode: 0755
  tags: nginx
 - name: Configure nginx virtual hosts
@ -108,7 +110,7 @@
  ansible.builtin.template:
    src: blank-vhost.conf.j2
    dest: "{{ nginx_confd_path }}/blank-vhost.conf"
-    mode: "0644"
+    mode: 0644
    owner: root
    group: root
  notify:
@ -119,7 +121,7 @@
  ansible.builtin.copy:
    src: munin.conf
    dest: /etc/nginx/conf.d/munin.conf
-    mode: "0644"
+    mode: 0644
    owner: root
    group: root
  notify:
--- a/roles/nginx/tasks/vhosts.yml
+++ b/roles/nginx/tasks/vhosts.yml
@ -1,4 +1,5 @@
 ---
 - block:
  - name: Configure https vhosts
    ansible.builtin.template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root
@ -7,8 +8,7 @@
      - reload nginx
  - name: Generate self-signed TLS cert
-      ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key
+    ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
        -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
    notify:
      - reload nginx
--- a/roles/nginx/tasks/wordpress.yml
+++ b/roles/nginx/tasks/wordpress.yml
@ -1,8 +1,8 @@
 ---
 - block:
  - name: Install WordPress
-      ansible.builtin.git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version
+    ansible.builtin.git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version }} depth=1 force=true
        }} depth=1 force=true
    when:
      - item.has_wordpress is defined
      - item.has_wordpress
--- a/roles/php-fpm/handlers/main.yml
+++ b/roles/php-fpm/handlers/main.yml
@ -3,10 +3,4 @@
 - name: reload php7.4-fpm
  ansible.builtin.systemd: name=php7.4-fpm state=reloaded
 # For Debian 12
 - name: reload php8.2-fpm
  ansible.builtin.systemd:
    name: php8.2-fpm
    state: reloaded
 # vim: set ts=2 sw=2:
--- a/roles/php-fpm/tasks/Debian_12.yml
+++ b/roles/php-fpm/tasks/Debian_12.yml
@ -1,50 +0,0 @@
 ---
 - block:
    - name: Set php-fpm packages
      ansible.builtin.set_fact:
        php_fpm_packages:
          - php8.2-fpm
          # for WordPress
          - php8.2-mysql
          - php8.2-gd
          - php8.2-curl
          - php8.2-xml
    - name: Install php-fpm and deps
      ansible.builtin.apt:
        name: "{{ php_fpm_packages }}"
        state: present
        update_cache: true
    # only copy php-fpm config for vhosts that need WordPress or PHP
    - name: Copy php-fpm pool config
      ansible.builtin.template:
        src: php8.2-pool.conf.j2
        dest: /etc/php/8.2/fpm/pool.d/{{ item.domain_name }}.conf
        owner: root
        group: root
        mode: "0644"
      loop: "{{ nginx_vhosts }}"
      when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
      notify: reload php8.2-fpm
    - name: Remove default www pool
      ansible.builtin.file:
        path: /etc/php/8.2/fpm/pool.d/www.conf
        state: absent
      notify: reload php8.2-fpm
    # re-configure php.ini
    - name: Update php.ini
      ansible.builtin.template:
        src: php8.2-php.ini.j2
        dest: /etc/php/8.2/fpm/php.ini
        owner: root
        group: root
        mode: "0644"
      notify: reload php8.2-fpm
  tags: php-fpm
  when: install_php
 # vim: set ts=2 sw=2:
--- a/roles/php-fpm/tasks/Ubuntu_20.04.yml
+++ b/roles/php-fpm/tasks/Ubuntu_20.04.yml
@ -1,4 +1,5 @@
 ---
 - block:
  - name: Set php-fpm packages
    ansible.builtin.set_fact:
--- a/roles/php-fpm/tasks/main.yml
+++ b/roles/php-fpm/tasks/main.yml
@ -1,7 +1,6 @@
 ---
 # Ubuntu 20.04 uses PHP 7.4
 # Debian 11 uses PHP 7.4
 # Debian 12 uses PHP 8.2
 # If any of the vhosts on this host need WordPress then we need to install PHP.
 # This uses selectattr to filter the list of dicts in nginx_vhosts, selecting
@ -11,13 +10,13 @@
 - name: Check if any vhost needs WordPress
  ansible.builtin.set_fact:
    install_php: true
-  when: nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', true) | list | length > 0
+  when: "nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', true) | list | length > 0"
 # Legacy, was only for Piwik, but leaving for now.
 - name: Check if any vhost needs PHP
  ansible.builtin.set_fact:
    install_php: true
-  when: nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', true) | list | length > 0
+  when: "nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', true) | list | length > 0"
 # If install_php has not been set, then we assume no vhosts need PHP. This is
 # a bit hacky, but it's the closest we come to an if/then/else.
@ -31,7 +30,7 @@
  when:
    - ansible_distribution == 'Ubuntu'
    - ansible_distribution_version is version('20.04', '==')
-    - install_php
+    - install_php == true
  tags: php-fpm
 - name: Configure php-fpm on Debian 11
@ -39,15 +38,7 @@
  when:
    - ansible_distribution == 'Debian'
    - ansible_distribution_major_version is version('11', '==')
-    - install_php
+    - install_php == true
  tags: php-fpm
 - name: Configure php-fpm on Debian 12
  ansible.builtin.include_tasks: Debian_12.yml
  when:
    - ansible_distribution == 'Debian'
    - ansible_distribution_major_version is version('12', '==')
    - install_php
  tags: php-fpm
 # vim: set ts=2 sw=2:
--- a/roles/php-fpm/templates/php8.2-php.ini.j2
+++ b/roles/php-fpm/templates/php8.2-php.ini.j2
--- a/roles/php-fpm/templates/php8.2-pool.conf.j2
+++ b/roles/php-fpm/templates/php8.2-pool.conf.j2
@ -1,492 +0,0 @@
 {% set domain_name  = item.domain_name %}
 ; Start a new pool named '{{ domain_name }}'.
 ; the variable $pool can be used in any directive and will be replaced by the
 ; pool name ('{{ domain_name }}' here)
 [{{ domain_name }}]
 ; Per pool prefix
 ; It only applies on the following directives:
 ; - 'access.log'
 ; - 'slowlog'
 ; - 'listen' (unixsocket)
 ; - 'chroot'
 ; - 'chdir'
 ; - 'php_values'
 ; - 'php_admin_values'
 ; When not set, the global prefix (or /usr) applies instead.
 ; Note: This directive can also be relative to the global prefix.
 ; Default Value: none
 ;prefix = /path/to/pools/$pool
 ; Unix user/group of the child processes. This can be used only if the master
 ; process running user is root. It is set after the child process is created.
 ; The user and group can be specified either by their name or by their numeric
 ; IDs.
 ; Note: If the user is root, the executable needs to be started with
 ;       --allow-to-run-as-root option to work.
 ; Default Values: The user is set to master process running user by default.
 ;                 If the group is not set, the user's group is used.
 user = www-data
 group = www-data
 ; The address on which to accept FastCGI requests.
 ; Valid syntaxes are:
 ;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
 ;                            a specific port;
 ;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
 ;                            a specific port;
 ;   'port'                 - to listen on a TCP socket to all addresses
 ;                            (IPv6 and IPv4-mapped) on a specific port;
 ;   '/path/to/unix/socket' - to listen on a unix socket.
 ; Note: This value is mandatory.
 listen = /run/php/php8.2-fpm-{{ domain_name }}.sock
 ; Set listen(2) backlog.
 ; Default Value: 511 (-1 on Linux, FreeBSD and OpenBSD)
 ;listen.backlog = 511
 ; Set permissions for unix socket, if one is used. In Linux, read/write
 ; permissions must be set in order to allow connections from a web server. Many
 ; BSD-derived systems allow connections regardless of permissions. The owner
 ; and group can be specified either by name or by their numeric IDs.
 ; Default Values: Owner is set to the master process running user. If the group
 ;                 is not set, the owner's group is used. Mode is set to 0660.
 listen.owner = www-data
 listen.group = www-data
 ;listen.mode = 0660
 ; When POSIX Access Control Lists are supported you can set them using
 ; these options, value is a comma separated list of user/group names.
 ; When set, listen.owner and listen.group are ignored
 ;listen.acl_users =
 ;listen.acl_groups =
 ; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
 ; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
 ; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
 ; must be separated by a comma. If this value is left blank, connections will be
 ; accepted from any ip address.
 ; Default Value: any
 ;listen.allowed_clients = 127.0.0.1
 ; Set the associated the route table (FIB). FreeBSD only
 ; Default Value: -1
 ;listen.setfib = 1
 ; Specify the nice(2) priority to apply to the pool processes (only if set)
 ; The value can vary from -19 (highest priority) to 20 (lower priority)
 ; Note: - It will only work if the FPM master process is launched as root
 ;       - The pool processes will inherit the master process priority
 ;         unless it specified otherwise
 ; Default Value: no set
 ; process.priority = -19
 ; Set the process dumpable flag (PR_SET_DUMPABLE prctl for Linux or
 ; PROC_TRACE_CTL procctl for FreeBSD) even if the process user
 ; or group is different than the master process user. It allows to create process
 ; core dump and ptrace the process for the pool user.
 ; Default Value: no
 ; process.dumpable = yes
 ; Choose how the process manager will control the number of child processes.
 ; Possible Values:
 ;   static  - a fixed number (pm.max_children) of child processes;
 ;   dynamic - the number of child processes are set dynamically based on the
 ;             following directives. With this process management, there will be
 ;             always at least 1 children.
 ;             pm.max_children      - the maximum number of children that can
 ;                                    be alive at the same time.
 ;             pm.start_servers     - the number of children created on startup.
 ;             pm.min_spare_servers - the minimum number of children in 'idle'
 ;                                    state (waiting to process). If the number
 ;                                    of 'idle' processes is less than this
 ;                                    number then some children will be created.
 ;             pm.max_spare_servers - the maximum number of children in 'idle'
 ;                                    state (waiting to process). If the number
 ;                                    of 'idle' processes is greater than this
 ;                                    number then some children will be killed.
 ;             pm.max_spawn_rate    - the maximum number of rate to spawn child
 ;                                    processes at once.
 ;  ondemand - no children are created at startup. Children will be forked when
 ;             new requests will connect. The following parameter are used:
 ;             pm.max_children           - the maximum number of children that
 ;                                         can be alive at the same time.
 ;             pm.process_idle_timeout   - The number of seconds after which
 ;                                         an idle process will be killed.
 ; Note: This value is mandatory.
 pm = dynamic
 ; The number of child processes to be created when pm is set to 'static' and the
 ; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
 ; This value sets the limit on the number of simultaneous requests that will be
 ; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
 ; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
 ; CGI. The below defaults are based on a server without much resources. Don't
 ; forget to tweak pm.* to fit your needs.
 ; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
 ; Note: This value is mandatory.
 pm.max_children = 5
 ; The number of child processes created on startup.
 ; Note: Used only when pm is set to 'dynamic'
 ; Default Value: (min_spare_servers + max_spare_servers) / 2
 pm.start_servers = 2
 ; The desired minimum number of idle server processes.
 ; Note: Used only when pm is set to 'dynamic'
 ; Note: Mandatory when pm is set to 'dynamic'
 pm.min_spare_servers = 1
 ; The desired maximum number of idle server processes.
 ; Note: Used only when pm is set to 'dynamic'
 ; Note: Mandatory when pm is set to 'dynamic'
 pm.max_spare_servers = 3
 ; The number of rate to spawn child processes at once.
 ; Note: Used only when pm is set to 'dynamic'
 ; Note: Mandatory when pm is set to 'dynamic'
 ; Default Value: 32
 ;pm.max_spawn_rate = 32
 ; The number of seconds after which an idle process will be killed.
 ; Note: Used only when pm is set to 'ondemand'
 ; Default Value: 10s
 ;pm.process_idle_timeout = 10s;
 ; The number of requests each child process should execute before respawning.
 ; This can be useful to work around memory leaks in 3rd party libraries. For
 ; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
 ; Default Value: 0
 ;pm.max_requests = 500
 ; The URI to view the FPM status page. If this value is not set, no URI will be
 ; recognized as a status page. It shows the following information:
 ;   pool                 - the name of the pool;
 ;   process manager      - static, dynamic or ondemand;
 ;   start time           - the date and time FPM has started;
 ;   start since          - number of seconds since FPM has started;
 ;   accepted conn        - the number of request accepted by the pool;
 ;   listen queue         - the number of request in the queue of pending
 ;                          connections (see backlog in listen(2));
 ;   max listen queue     - the maximum number of requests in the queue
 ;                          of pending connections since FPM has started;
 ;   listen queue len     - the size of the socket queue of pending connections;
 ;   idle processes       - the number of idle processes;
 ;   active processes     - the number of active processes;
 ;   total processes      - the number of idle + active processes;
 ;   max active processes - the maximum number of active processes since FPM
 ;                          has started;
 ;   max children reached - number of times, the process limit has been reached,
 ;                          when pm tries to start more children (works only for
 ;                          pm 'dynamic' and 'ondemand');
 ; Value are updated in real time.
 ; Example output:
 ;   pool:                 www
 ;   process manager:      static
 ;   start time:           01/Jul/2011:17:53:49 +0200
 ;   start since:          62636
 ;   accepted conn:        190460
 ;   listen queue:         0
 ;   max listen queue:     1
 ;   listen queue len:     42
 ;   idle processes:       4
 ;   active processes:     11
 ;   total processes:      15
 ;   max active processes: 12
 ;   max children reached: 0
 ;
 ; By default the status page output is formatted as text/plain. Passing either
 ; 'html', 'xml' or 'json' in the query string will return the corresponding
 ; output syntax. Example:
 ;   http://www.foo.bar/status
 ;   http://www.foo.bar/status?json
 ;   http://www.foo.bar/status?html
 ;   http://www.foo.bar/status?xml
 ;
 ; By default the status page only outputs short status. Passing 'full' in the
 ; query string will also return status for each pool process.
 ; Example:
 ;   http://www.foo.bar/status?full
 ;   http://www.foo.bar/status?json&full
 ;   http://www.foo.bar/status?html&full
 ;   http://www.foo.bar/status?xml&full
 ; The Full status returns for each process:
 ;   pid                  - the PID of the process;
 ;   state                - the state of the process (Idle, Running, ...);
 ;   start time           - the date and time the process has started;
 ;   start since          - the number of seconds since the process has started;
 ;   requests             - the number of requests the process has served;
 ;   request duration     - the duration in µs of the requests;
 ;   request method       - the request method (GET, POST, ...);
 ;   request URI          - the request URI with the query string;
 ;   content length       - the content length of the request (only with POST);
 ;   user                 - the user (PHP_AUTH_USER) (or '-' if not set);
 ;   script               - the main script called (or '-' if not set);
 ;   last request cpu     - the %cpu the last request consumed
 ;                          it's always 0 if the process is not in Idle state
 ;                          because CPU calculation is done when the request
 ;                          processing has terminated;
 ;   last request memory  - the max amount of memory the last request consumed
 ;                          it's always 0 if the process is not in Idle state
 ;                          because memory calculation is done when the request
 ;                          processing has terminated;
 ; If the process is in Idle state, then informations are related to the
 ; last request the process has served. Otherwise informations are related to
 ; the current request being served.
 ; Example output:
 ;   ************************
 ;   pid:                  31330
 ;   state:                Running
 ;   start time:           01/Jul/2011:17:53:49 +0200
 ;   start since:          63087
 ;   requests:             12808
 ;   request duration:     1250261
 ;   request method:       GET
 ;   request URI:          /test_mem.php?N=10000
 ;   content length:       0
 ;   user:                 -
 ;   script:               /home/fat/web/docs/php/test_mem.php
 ;   last request cpu:     0.00
 ;   last request memory:  0
 ;
 ; Note: There is a real-time FPM status monitoring sample web page available
 ;       It's available in: /usr/share/php/8.2/fpm/status.html
 ;
 ; Note: The value must start with a leading slash (/). The value can be
 ;       anything, but it may not be a good idea to use the .php extension or it
 ;       may conflict with a real PHP file.
 ; Default Value: not set
 ;pm.status_path = /status
 ; The address on which to accept FastCGI status request. This creates a new
 ; invisible pool that can handle requests independently. This is useful
 ; if the main pool is busy with long running requests because it is still possible
 ; to get the status before finishing the long running requests.
 ;
 ; Valid syntaxes are:
 ;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
 ;                            a specific port;
 ;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
 ;                            a specific port;
 ;   'port'                 - to listen on a TCP socket to all addresses
 ;                            (IPv6 and IPv4-mapped) on a specific port;
 ;   '/path/to/unix/socket' - to listen on a unix socket.
 ; Default Value: value of the listen option
 ;pm.status_listen = 127.0.0.1:9001
 ; The ping URI to call the monitoring page of FPM. If this value is not set, no
 ; URI will be recognized as a ping page. This could be used to test from outside
 ; that FPM is alive and responding, or to
 ; - create a graph of FPM availability (rrd or such);
 ; - remove a server from a group if it is not responding (load balancing);
 ; - trigger alerts for the operating team (24/7).
 ; Note: The value must start with a leading slash (/). The value can be
 ;       anything, but it may not be a good idea to use the .php extension or it
 ;       may conflict with a real PHP file.
 ; Default Value: not set
 ;ping.path = /ping
 ; This directive may be used to customize the response of a ping request. The
 ; response is formatted as text/plain with a 200 response code.
 ; Default Value: pong
 ;ping.response = pong
 ; The access log file
 ; Default: not set
 ;access.log = log/$pool.access.log
 ; The access log format.
 ; The following syntax is allowed
 ;  %%: the '%' character
 ;  %C: %CPU used by the request
 ;      it can accept the following format:
 ;      - %{user}C for user CPU only
 ;      - %{system}C for system CPU only
 ;      - %{total}C  for user + system CPU (default)
 ;  %d: time taken to serve the request
 ;      it can accept the following format:
 ;      - %{seconds}d (default)
 ;      - %{milliseconds}d
 ;      - %{milli}d
 ;      - %{microseconds}d
 ;      - %{micro}d
 ;  %e: an environment variable (same as $_ENV or $_SERVER)
 ;      it must be associated with embraces to specify the name of the env
 ;      variable. Some examples:
 ;      - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
 ;      - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
 ;  %f: script filename
 ;  %l: content-length of the request (for POST request only)
 ;  %m: request method
 ;  %M: peak of memory allocated by PHP
 ;      it can accept the following format:
 ;      - %{bytes}M (default)
 ;      - %{kilobytes}M
 ;      - %{kilo}M
 ;      - %{megabytes}M
 ;      - %{mega}M
 ;  %n: pool name
 ;  %o: output header
 ;      it must be associated with embraces to specify the name of the header:
 ;      - %{Content-Type}o
 ;      - %{X-Powered-By}o
 ;      - %{Transfert-Encoding}o
 ;      - ....
 ;  %p: PID of the child that serviced the request
 ;  %P: PID of the parent of the child that serviced the request
 ;  %q: the query string
 ;  %Q: the '?' character if query string exists
 ;  %r: the request URI (without the query string, see %q and %Q)
 ;  %R: remote IP address
 ;  %s: status (response code)
 ;  %t: server time the request was received
 ;      it can accept a strftime(3) format:
 ;      %d/%b/%Y:%H:%M:%S %z (default)
 ;      The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
 ;      e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
 ;  %T: time the log has been written (the request has finished)
 ;      it can accept a strftime(3) format:
 ;      %d/%b/%Y:%H:%M:%S %z (default)
 ;      The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
 ;      e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
 ;  %u: remote user
 ;
 ; Default: "%R - %u %t \"%m %r\" %s"
 ;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%"
 ; A list of request_uri values which should be filtered from the access log.
 ;
 ; As a security precuation, this setting will be ignored if:
 ;     - the request method is not GET or HEAD; or
 ;     - there is a request body; or
 ;     - there are query parameters; or
 ;     - the response code is outwith the successful range of 200 to 299
 ;
 ; Note: The paths are matched against the output of the access.format tag "%r".
 ;       On common configurations, this may look more like SCRIPT_NAME than the
 ;       expected pre-rewrite URI.
 ;
 ; Default Value: not set
 ;access.suppress_path[] = /ping
 ;access.suppress_path[] = /health_check.php
 ; The log file for slow requests
 ; Default Value: not set
 ; Note: slowlog is mandatory if request_slowlog_timeout is set
 ;slowlog = log/$pool.log.slow
 ; The timeout for serving a single request after which a PHP backtrace will be
 ; dumped to the 'slowlog' file. A value of '0s' means 'off'.
 ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
 ; Default Value: 0
 ;request_slowlog_timeout = 0
 ; Depth of slow log stack trace.
 ; Default Value: 20
 ;request_slowlog_trace_depth = 20
 ; The timeout for serving a single request after which the worker process will
 ; be killed. This option should be used when the 'max_execution_time' ini option
 ; does not stop script execution for some reason. A value of '0' means 'off'.
 ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
 ; Default Value: 0
 ;request_terminate_timeout = 0
 ; The timeout set by 'request_terminate_timeout' ini option is not engaged after
 ; application calls 'fastcgi_finish_request' or when application has finished and
 ; shutdown functions are being called (registered via register_shutdown_function).
 ; This option will enable timeout limit to be applied unconditionally
 ; even in such cases.
 ; Default Value: no
 ;request_terminate_timeout_track_finished = no
 ; Set open file descriptor rlimit.
 ; Default Value: system defined value
 ;rlimit_files = 1024
 ; Set max core size rlimit.
 ; Possible Values: 'unlimited' or an integer greater or equal to 0
 ; Default Value: system defined value
 ;rlimit_core = 0
 ; Chroot to this directory at the start. This value must be defined as an
 ; absolute path. When this value is not set, chroot is not used.
 ; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
 ; of its subdirectories. If the pool prefix is not set, the global prefix
 ; will be used instead.
 ; Note: chrooting is a great security feature and should be used whenever
 ;       possible. However, all PHP paths will be relative to the chroot
 ;       (error_log, sessions.save_path, ...).
 ; Default Value: not set
 ;chroot =
 ; Chdir to this directory at the start.
 ; Note: relative path can be used.
 ; Default Value: current directory or / when chroot
 ;chdir = /var/www
 ; Redirect worker stdout and stderr into main error log. If not set, stdout and
 ; stderr will be redirected to /dev/null according to FastCGI specs.
 ; Note: on highloaded environment, this can cause some delay in the page
 ; process time (several ms).
 ; Default Value: no
 ;catch_workers_output = yes
 ; Decorate worker output with prefix and suffix containing information about
 ; the child that writes to the log and if stdout or stderr is used as well as
 ; log level and time. This options is used only if catch_workers_output is yes.
 ; Settings to "no" will output data as written to the stdout or stderr.
 ; Default value: yes
 ;decorate_workers_output = no
 ; Clear environment in FPM workers
 ; Prevents arbitrary environment variables from reaching FPM worker processes
 ; by clearing the environment in workers before env vars specified in this
 ; pool configuration are added.
 ; Setting to "no" will make all environment variables available to PHP code
 ; via getenv(), $_ENV and $_SERVER.
 ; Default Value: yes
 ;clear_env = no
 ; Limits the extensions of the main script FPM will allow to parse. This can
 ; prevent configuration mistakes on the web server side. You should only limit
 ; FPM to .php extensions to prevent malicious users to use other extensions to
 ; execute php code.
 ; Note: set an empty value to allow all extensions.
 ; Default Value: .php
 ;security.limit_extensions = .php .php3 .php4 .php5 .php7
 ; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
 ; the current environment.
 ; Default Value: clean env
 ;env[HOSTNAME] = $HOSTNAME
 ;env[PATH] = /usr/local/bin:/usr/bin:/bin
 ;env[TMP] = /tmp
 ;env[TMPDIR] = /tmp
 ;env[TEMP] = /tmp
 ; Additional php.ini defines, specific to this pool of workers. These settings
 ; overwrite the values previously defined in the php.ini. The directives are the
 ; same as the PHP SAPI:
 ;   php_value/php_flag             - you can set classic ini defines which can
 ;                                    be overwritten from PHP call 'ini_set'.
 ;   php_admin_value/php_admin_flag - these directives won't be overwritten by
 ;                                     PHP call 'ini_set'
 ; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
 ; Defining 'extension' will load the corresponding shared extension from
 ; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
 ; overwrite previously defined php.ini values, but will append the new value
 ; instead.
 ; Note: path INI options can be relative and will be expanded with the prefix
 ; (pool, global or /usr)
 ; Default Value: nothing is defined by default except the values in php.ini and
 ;                specified at startup with the -d argument
 ;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
 ;php_flag[display_errors] = off
 ;php_admin_value[error_log] = /var/log/fpm-php.www.log
 ;php_admin_flag[log_errors] = on
 ;php_admin_value[memory_limit] = 32M