Compare commits


121 Commits

Author SHA1 Message Date
43dad7c261 roles: use ansible_facts["foo"] pattern
Instead of ansible_foo. Ansible recently started warning that this
is deprecated.
2025-12-02 20:42:58 +03:00
8439b674dd roles/nginx: git clone as nginx 2025-11-21 22:07:55 +03:00
c2c9f1b88d roles/nginx: fix syntax 2025-11-21 21:08:29 +03:00
3763ce80e1 roles/mariadb: rework to use Debian's mariadb
There are no MariaDB builds for Debian 13 (trixie) yet. This seems
to happen every new release. Surprisingly Debian's mariadb-server
is very new and we can simplify our tasks and templates a lot.
2025-11-20 08:47:27 +03:00
a8e4821ad0 roles/nginx: remove apt-key task 2025-11-20 08:47:27 +03:00
6ff4cf30f7 roles/mariadb: remove apt-key task
This is no longer present as of Debian 13, and the old MariaDB key
should not be present on any of my hosts anymore anyway.
2025-11-20 08:47:27 +03:00
8f57a5a974 roles/php_fpm: rework for Debian 13
We can use metapackages like php-fpm on each version as those pull
in the correct package. This allows us to use the same playbook
logic for Debian 12 (PHP 8.2) and Debian 13 (PHP 8.4).
2025-11-20 08:47:26 +03:00
cac74c53ef roles/common: minor configuration of Debian 13 SSH
Tweak some of the new OpenSSH per-source penalty settings on Debian
13. For now only adjusting the source network masks and reusing the
list of IPs to exempt from fail2ban.

These being built in makes them easier to use, but I think I will
end up sticking with fail2ban for the heavy lifting because it
persists across restarts of the daemon, whereas OpenSSH's doesn't. I
will monitor OpenSSH on Debian 13 to see how to best use it
alongside fail2ban.
2025-11-20 08:47:26 +03:00
078c5b36d8 roles/common: use 127.0.0.0/8 for fail2ban ignoreip
We can re-use our fail2ban ignoreip setting for Debian 13's OpenSSH
PerSourcePenaltyExemptList, but OpenSSH is more strict with regards
to masks not being applied to the host portion. I had never noticed
that fail2ban's default was applying the mask on the host portion!
2025-11-20 08:47:25 +03:00
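The mask problem the commit above describes (fail2ban accepts "127.0.0.1/8" and quietly treats it as 127.0.0.0/8, while sshd's PerSourcePenaltyExemptList rejects a CIDR entry with bits set in the host portion) can be checked and corrected mechanically before the same list is reused in sshd_config. The following is an added example and not code from this playbook; the ignoreip value it processes is a constructed sample, and the comma-separated output format is the one sshd_config(5) documents for PerSourcePenaltyExemptList.

```python
"""
Normalise a fail2ban-style ignoreip list into the strict CIDR form that
OpenSSH's PerSourcePenaltyExemptList accepts.

fail2ban applies the mask over the host portion, so "127.0.0.1/8" means
127.0.0.0/8. OpenSSH refuses entries whose host bits are set, so the same
list must be rewritten before it can be reused in sshd_config.
"""
import ipaddress

# Constructed sample of a fail2ban ignoreip value (space-separated, as in
# jail.local); 192.0.2.0/24 and 2001:db8::/32 are documentation ranges.
SAMPLE_IGNOREIP = "127.0.0.1/8 ::1 192.0.2.10 192.0.2.0/24 2001:db8::1/64"


def is_strict_cidr(entry: str) -> bool:
    """True if OpenSSH would accept the entry: a bare address, or a
    prefix whose host bits are all zero."""
    try:
        ipaddress.ip_network(entry, strict=True)
        return True
    except ValueError:
        return False


def normalise_entry(entry: str) -> str:
    """Return the entry as fail2ban interprets it (mask applied over the
    host bits) in strict CIDR form. Bare addresses are validated and
    returned unchanged; an unparsable entry raises ValueError."""
    if "/" not in entry:
        ipaddress.ip_address(entry)
        return entry
    # strict=False is fail2ban's behaviour: zero the host bits silently.
    return str(ipaddress.ip_network(entry, strict=False))


def to_exempt_list(ignoreip: str) -> tuple[str, list[str]]:
    """Convert a space-separated ignoreip value into the comma-separated
    value for PerSourcePenaltyExemptList. Also return the entries that
    had to be rewritten, so the operator can see which ones sshd would
    have rejected as-is."""
    exempt: list[str] = []
    rewritten: list[str] = []
    for entry in ignoreip.split():
        fixed = normalise_entry(entry)
        if fixed != entry:
            rewritten.append(f"{entry} -> {fixed}")
        exempt.append(fixed)
    return ",".join(exempt), rewritten


def render_sshd_line(ignoreip: str) -> str:
    """Render the sshd_config directive for a drop-in under
    /etc/ssh/sshd_config.d/ (path is an assumption of this example)."""
    exempt, _ = to_exempt_list(ignoreip)
    return f"PerSourcePenaltyExemptList {exempt}"


if __name__ == "__main__":
    line, changed = to_exempt_list(SAMPLE_IGNOREIP)
    for note in changed:
        print(f"rewrote: {note}")
    print(render_sshd_line(SAMPLE_IGNOREIP))
```

Running the module prints which entries were rewritten and the directive to drop into sshd_config; feeding the same normalised value back to fail2ban's ignoreip is harmless, since 127.0.0.0/8 means the same thing to both daemons.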
a18c1e6a16 roles/common: sshd overrides for Debian 13 2025-11-20 08:47:25 +03:00
36cf98026b Pipfile.lock: run pipenv update 2025-11-20 08:46:41 +03:00
98746b3eb8 host_vars/web22: WordPress 6.8.3 2025-11-20 08:44:23 +03:00
afffd87201 roles/common: remove old firewall cleanup 2025-11-14 22:38:43 +03:00
d21f3d9371 roles/common: remove loops with one item 2025-11-14 22:38:17 +03:00
a6ef7a1c4e roles/common: don't notify fail2ban
We set the fail2ban service as "PartOf" the nftables service, so it
receives stop and restart events already.
2025-11-14 22:26:09 +03:00
602734acce roles: update ansible.builtin.systemd builtin
Use ansible.builtin.systemd_service instead.
2025-09-23 10:33:11 +03:00
0db7911b70 roles/common: remove sudoers.d
We are not using this.
2025-09-21 23:09:40 +03:00
ee4c62e5f9 roles: remove tests for Debian
We only run on Debian now.
2025-09-21 22:20:31 +03:00
a315db8a7c roles/common: use ansible_distribution_version
In most cases it is enough to use the full version (i.e. 12.12) since
we use Ansible's version comparison function. We rarely need to use
the major version (i.e. 12) directly.
2025-09-21 22:19:00 +03:00
5f00892df3 roles/common: adjust when in tasks 2025-09-21 22:04:25 +03:00
9357265d27 roles/common: use ansible.builtin.apt module 2025-09-21 22:00:39 +03:00
dd62266340 roles/common: update comment in ntp task 2025-09-21 21:58:11 +03:00
a1bec20824 roles/common: simplify when logic in ntp task 2025-09-21 21:57:34 +03:00
8e91c44529 roles/common: fix syntax error in ntp when 2025-09-21 21:56:15 +03:00
02d4135c79 roles/common: adjust ntp task
On Debian 12 we need to explicitly remove ntp because it does not
conflict with other time daemons.
2025-09-21 21:55:09 +03:00
37e148d009 Re-work ansible_managed
This is no longer a configuration setting. Now we must set it like
any other template variable.
2025-09-21 21:15:12 +03:00
73dbbd23b6 roles/common: adjust handlers
Should start with an upper case letter.
2025-09-21 20:22:58 +03:00
b84283aa38 roles/common: remove unneeded firewall packages
We don't need curl or libnet-ip-perl anymore.
2025-09-21 20:15:11 +03:00
1695fdf8d1 roles/common: syntax in firewall play 2025-09-21 20:11:46 +03:00
9f1f7b1c69 roles/nginx: more syntax fixes to tasks 2025-09-21 20:08:51 +03:00
7d725f2084 roles/nginx: adjust task syntax
Tasks should start with an upper case letter and we should not use
free form syntax anymore.
2025-09-21 20:04:53 +03:00
4c39b0d48c roles/php_fpm: adjust task syntax
All tasks need names, and we can use name, tags, when, block order
for task keys. Suggested by ansible-lint.
2025-09-21 20:02:46 +03:00
f4023d0b20 roles/php_fpm: rename handler
Suggested by ansible-lint.
2025-09-21 19:59:23 +03:00
6aaface4a2 Rename roles/php-fpm to roles/php_fpm
Suggested by ansible-lint.
2025-09-21 19:56:20 +03:00
333e1cbeb9 roles/mariadb/handlers/main.yml: update syntax 2025-09-21 17:32:57 +03:00
0c62f4bdf0 roles/common/tasks/packages.yml: improve task key order
Suggested by ansible-lint. Makes it easier to see the tags after the
very long block.
2025-09-21 17:30:54 +03:00
26f22c0447 roles/munin: update task syntax 2025-09-21 17:29:22 +03:00
05881e2585 roles: fix unquoted octal modes 2025-09-21 17:25:22 +03:00
d4d326c2f7 roles/common: use FQCN in handler 2025-09-21 17:09:45 +03:00
1d4a6f208b roles/common: update default fail2ban ignores 2025-09-21 17:06:48 +03:00
8b22076d4a roles/common: json spacing 2025-09-21 17:06:01 +03:00
38176cb34c roles/nginx: update task syntax for plays 2025-09-21 16:59:08 +03:00
da737b71f7 roles/mariadb: update task syntax for mariadb play 2025-09-21 16:54:19 +03:00
c28189a1a5 roles/common: update task syntax for fail2ban play 2025-09-21 16:54:03 +03:00
b600141e89 roles/common: update task syntax for sshd play 2025-09-21 16:51:23 +03:00
4be98d1a33 roles/common: update task syntax for ssh-keys play 2025-09-21 16:49:32 +03:00
2bb018a40c roles/common: rename firewall and packages task files
Don't use firewall_Debian.yml or packages_Debian.yml: since I am not
deploying Ubuntu anymore, there is no need to distinguish.
2025-09-21 16:45:51 +03:00
89a1e11b7a roles/common: update task syntax in main play 2025-09-21 16:40:37 +03:00
0c0cad9084 Remove Ubuntu logic
For a few years now I have only been deploying Debian for personal
use.
2025-09-21 16:34:57 +03:00
9dce701a19 roles/common: update task syntax in packages play 2025-09-21 16:23:10 +03:00
3e9ee44d5b roles/common: update task syntax in ntp play 2025-09-21 16:18:32 +03:00
599b5e5e83 Pipfile.lock: run pipenv update 2025-09-21 15:57:28 +03:00
bc700ea532 Pipfile.lock: pipenv update 2025-08-17 10:28:23 +03:00
8016701b57 host_vars/web22: WordPress 6.8.2 2025-08-17 10:26:43 +03:00
00558c7dea roles/common: re-work fail2ban and nftables
Re-work the fail2ban and nftables interaction. Use systemd's PartOf
to indicate that fail2ban is part of the nftables service, which
tells systemd to propagate stop/start signals to it. Then we tell
the firehol update script to restart nftables instead of reload.
The difference between restart and reload is meaningless for nftables
but we want systemd to propagate the stop/start signals to fail2ban.
2025-07-08 10:39:17 +03:00
c927186837 roles/common: adjust update-firehol-nftables.service
This service does not actually depend on nftables, at least not in
the systemd sense of dependency. Furthermore, this hard dependency
was causing the service to fail when it restarts nftables at the
end, which causes systemd to start it again and again until it hits
a restarting too quickly error.
2025-07-08 10:37:39 +03:00
690774c862 host_vars/web22: WordPress 6.8.1 2025-07-08 10:34:34 +03:00
cc021bd14a Pipfile.lock: run pipenv update 2025-07-08 10:25:09 +03:00
73fd06fe3a roles/common: remove cron-apt
Use unattended-upgrades instead. It has sane defaults on Debian at
least (I haven't checked Ubuntu).
2025-04-07 09:51:09 +03:00
88cb3a370e Remove logic for Ubuntu 20.04 and Debian 11 2025-03-29 23:09:44 +03:00
027a43ddbe roles/caddy: use default for encode 2025-03-29 22:49:30 +03:00
bb30c3be20 host_vars/web22: update vhosts 2025-03-29 22:48:19 +03:00
d8d9790d21 roles/nginx: enable nginx ssl_session_tickets
This has apparently been supported since nginx 1.23.2 and is safe
to use the default (on) now.

See: https://github.com/mozilla/server-side-tls/issues/284
2025-03-29 22:35:56 +03:00
9a500ebc0d roles/nginx: disable nginx ssl_prefer_server_ciphers
This is apparently the default, and Mozilla's server-side SSL
configurator also recommends it. This lets the client choose
the ciphers best for them (and the ciphers in TLS 1.2 and 1.3 are
not currently known to be dangerous).
2025-03-29 22:34:41 +03:00
4bae942585 roles/nginx: add nginx ssl_ecdh_curve
This seems to be new since I last looked at the Mozilla server-side
SSL configurator.
2025-03-29 22:34:37 +03:00
99866c0c90 roles/nginx: use one day for nginx ssl_session_timeout
This is a new default since I last looked at the Mozilla server-side
SSL configurator.
2025-03-29 22:34:32 +03:00
0afb8a4493 roles/nginx: update nginx ssl_buffer_size
The old default has not been changed in eight years and I see that
there have been some discussions over the years about this. I will
change this from the slightly extreme 1400 bytes to 4k (nginx
default is still 16k so this is more "optimal" for HTML/CSS content).

See: https://github.com/igrigorik/istlsfastyet.com/issues/63
2025-03-29 22:34:27 +03:00
506695da31 roles/nginx/defaults: update version comments 2025-03-29 22:24:49 +03:00
f67ed7762c roles/nginx: fix http2 syntax 2025-03-29 22:20:49 +03:00
014f4d9502 roles/nginx: add newline 2025-03-29 22:19:41 +03:00
22c16e1ed3 roles/caddy/templates: closer to supporting WordPress
I still wouldn't want to deploy WordPress on Caddy until it's more
obvious and standard to block paths that shouldn't be accessible.
It seems that this is still left as an exercise to the site admin.

This discussion has some tips, but it is four years old and hasn't
changed since I last looked.

See: https://caddy.community/t/using-caddy-to-harden-wordpress/13575
2025-03-29 22:09:37 +03:00
5aa6a33e51 roles/php-fpm: set user and group based on webserver
We use either caddy or nginx, which are conveniently named the same
as the Unix user and group.
2025-03-29 21:01:56 +03:00
7f9b06af9c roles/nginx: smarter setting of document root 2025-03-29 19:34:53 +03:00
84db337fea roles/caddy: smarter setting of document root 2025-03-29 19:33:02 +03:00
7b23f5f94f roles/caddy: add missing tag 2025-03-29 19:16:03 +03:00
9830338be3 Use one default root prefix for nginx and caddy 2025-03-29 19:15:56 +03:00
e3eed26765 roles/caddy: update vhost template 2025-03-29 18:37:28 +03:00
8b31c7e148 host_vars/web22: WordPress 6.7.2 2025-03-29 16:10:23 +03:00
3ff8043aaf Pipfile.lock: run pipenv update 2025-03-29 15:30:08 +03:00
cb79f7ef70 roles/common: minor change to firehol update script
They include bogons like 127.0.0.1 that should not be routed on the
public Internet, but this blocks local applications we proxy to.
2025-01-28 09:14:48 +03:00
bb14f05d2a roles/common: use Ansible timezone module
No need to use a command for that. The module does it better because
it doesn't register a change unless the timezone changes.
2025-01-27 23:11:56 +03:00
5b1530fa91 roles/common: rework firewall
Use firehol instead of all the others. AbuseIPDB.com can't be
updated automatically, Abuse.ch is no longer maintained, and Spamhaus
is already in firehol.
2025-01-27 23:05:45 +03:00
5312dc6bd5 roles/common: use common nftables task
Use a common nftables task on Debian and Ubuntu.
2025-01-27 23:05:38 +03:00
d6e060d3af roles/common: simplify firewall tasks
Apply firewall tag to included tasks, then we don't need to use a
block.
2025-01-27 22:30:50 +03:00
b873af004a roles/common: single firewall task include
Use one include from the main tasks file.
2025-01-27 22:28:27 +03:00
7ea3ab46f8 host_vars/web22: WordPress 6.7.1 2025-01-27 21:48:16 +03:00
0561bd5b52 Pipfile.lock: run pipenv update 2025-01-27 21:36:13 +03:00
d62572f02c Pipfile: python 3.13 2025-01-27 21:35:58 +03:00
2ffe5e87d9 host_vars/web22: WordPress 6.6.2 2024-12-30 11:03:47 +03:00
38d4f1a303 Pipfile.lock: run pipenv update 2024-12-30 11:03:35 +03:00
ed8cb88038 host_vars/web22: WordPress 6.5.5 2024-06-25 08:18:22 +03:00
c31e447861 roles/nginx: update signing key 2024-06-25 08:11:59 +03:00
545684467c host_vars/nomad03: remove 2024-06-05 20:35:29 +03:00
24ae5eaab1 host_vars/web22: WordPress 6.5.3 2024-05-13 14:51:45 +03:00
dac23f1427 Pipfile: use Python 3.12 2024-05-13 14:51:34 +03:00
41fbc73dd1 host_vars/web22: WordPress 6.4.3 2024-03-20 20:28:13 +03:00
fee794bcf0 Update Pipfile 2024-03-20 20:28:00 +03:00
8bce1d8b1b host_vars/web22: WordPress 6.4.1 2023-12-02 22:40:06 +03:00
6dc2ea36b6 roles/nginx: fix path to php 8.2 socket 2023-09-11 19:55:24 +03:00
af71a9b5f8 roles/php-fpm: remove fmt strings
Ansible confuses them for jinja2 tokens.
2023-09-11 19:52:18 +03:00
4dd57803e2 roles/php-fpm: fix user/group for php 8.2 configs 2023-09-11 19:51:59 +03:00
18d4245fc0 roles/common: fix tarsnap signing of apt repo 2023-09-11 19:37:49 +03:00
1bddf3cccd Pipfile.lock: run pipenv update 2023-09-11 18:52:25 +03:00
20dbe61fe1 roles/mariadb: use MariaDB 10.11
The server has already been updated from 10.6 to 10.11.

See: https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/
2023-09-10 22:53:10 +03:00
899e87321b host_vars/web22: WordPress 6.3.1 2023-09-10 22:44:23 +03:00
06416a3b64 roles: run ansible-lint --write 2023-08-23 22:22:51 +03:00
7a9a24ef5d roles/common: rework fail2ban again
Actually, we do want to run fail2ban on all hosts because the sshd
monitoring via systemd is nice. At the very least it reduces spam
from failed logins in our systemd journal.
2023-08-23 22:15:24 +03:00
067adcd9f5 roles/common: rework fail2ban tasks
We can only run fail2ban when we have logs to monitor. When a host
is running Caddy we don't have logs, so fail2ban doesn't have
anything to monitor out of the box. For now I will restrict the task
to hosts running nginx.
2023-08-23 21:59:28 +03:00
84d210cfab roles/common: re-format handlers
Use the newer Ansible format.
2023-08-23 21:35:28 +03:00
17736a4f14 roles/common: run ansible-lint --write 2023-08-23 21:33:22 +03:00
b9e91c4a3d roles/common: minor updates to tarsnap task
Use modern Ansible task format
2023-08-23 21:20:22 +03:00
51c95e5d4c roles/common: update tarsnap task
Update tarsnap task to use apt signed-by for package signing keys
instead of adding keys directly to apt-key.
2023-08-23 21:18:27 +03:00
8dbec29d2a roles/nginx: prepare letsencrypt task for Debian 12 2023-08-23 21:01:12 +03:00
d3bf3dab04 roles/php-fpm: add support for PHP 8.2
This is used in Debian 12.
2023-08-23 20:56:35 +03:00
8f50b7756b host_vars/web22: WordPress 6.3 2023-08-22 21:33:49 +03:00
e86ccc9979 roles/nginx: minor rework of apt key stuff 2023-08-22 21:33:19 +03:00
cea8529f49 Pipfile.lock: run pipenv update 2023-08-22 21:02:17 +03:00
d77718edae host_vars: add fail2ban_ignoreip 2023-08-14 16:37:07 +02:00
14d57fc477 roles/nginx: reformat main tasks 2023-08-10 22:44:47 +02:00
5c39f1abd8 roles/common: minor changes to Debian sshd_config files 2023-08-10 22:10:04 +02:00
6794eb0432 roles/common: default to disabling SSH passwords 2023-08-10 22:09:03 +02:00
88 changed files with 4455 additions and 12864 deletions


@@ -10,4 +10,4 @@ ansible = "*"
ansible-lint = "*" ansible-lint = "*"
[requires] [requires]
python_version = "3.10" python_version = "3.13"
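Review bot: `python_version = "3.13"` pins pipenv on the control node to exactly Python 3.13, but the README's Assumptions only mention Python 3 on the remote host; add a line there stating the control-node requirement (and that Pipfile.lock was regenerated for it) so a contributor on 3.12 understands why `pipenv install` refuses to run.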

Pipfile.lock (generated): file diff suppressed because it is too large.


@@ -4,7 +4,7 @@ Ansible playbook for base and initial configuration of the web server hosting my
## Assumptions ## Assumptions
Before you can run this, a few things are assumed: Before you can run this, a few things are assumed:
- You have a clean, minimal Ubuntu 20.04 or Debian 11/12 host up and running - You have a clean, minimal Debian 12 host up and running
- Python 3 is installed on the remote server (requirement of Ansible) - Python 3 is installed on the remote server (requirement of Ansible)
- You have a user account with password-less SSH access to the machine - You have a user account with password-less SSH access to the machine
- You have sudo privileges on the remote host - You have sudo privileges on the remote host
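Review bot: the new Assumptions line says "Debian 12" only, but this compare range also carries Debian 13 support (roles/mariadb reworked for Debian's mariadb, the sshd overrides for Debian 13, php_fpm metapackages covering PHP 8.2 and 8.4); change it to "Debian 12 or 13" so the README matches what the roles actually test for.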


@@ -13,12 +13,6 @@ interpreter_python=auto
# See: https://docs.ansible.com/ansible/latest/user_guide/connection_details.html#managing-host-key-checking # See: https://docs.ansible.com/ansible/latest/user_guide/connection_details.html#managing-host-key-checking
host_key_checking = False host_key_checking = False
ansible_managed = This file is managed by Ansible.%n
template: {file}
date: %Y-%m-%d %H:%M:%S
user: {uid}
host: {host}
[privilege_escalation] [privilege_escalation]
# instead of using -K # instead of using -K
become_ask_pass=True become_ask_pass=True
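Review bot: dropping the `ansible_managed` block from ansible.cfg is consistent with the commit message, but the surviving `host_key_checking = False` line in this hunk deserves a second look: it disables SSH host-key verification for every play, so an on-path attacker who can impersonate a host also receives the become password that `become_ask_pass=True` prompts for. Prefer removing that line and pre-seeding `~/.ssh/known_hosts` (or managing it with `ansible.builtin.known_hosts`) when a host is first provisioned.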


@@ -3,4 +3,12 @@
tls_cipher_suite: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384" tls_cipher_suite: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
ansible_managed: |-
This file is managed by Ansible.
{{ 'template: ' + template_path }}
{{ 'date: ' + (template_mtime | string) }}
{{ 'user: ' + template_uid }}
{{ 'host: ' + template_host }}
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:
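Review bot: `{{ 'date: ' + (template_mtime | string) }}` records the template file's modification time, not the time the file was rendered, which is what the old `date: %Y-%m-%d %H:%M:%S` line in ansible.cfg produced; use `template_run_date` for that. Note also that `template_uid` and `template_host` put the control node's username and hostname into every rendered file, so any world-readable output (nginx vhosts, for instance) discloses them; drop those two lines if that matters.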


@@ -8,4 +8,7 @@ webserver: nginx
extra_fail2ban_filters: extra_fail2ban_filters:
- nginx - nginx
# root prefix for all web servers
web_root_prefix: /var/www
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:
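Review bot: `web_root_prefix: /var/www` is added per host, while commit 9830338be3 introduces one default root prefix for nginx and caddy; if the value here equals that role default, drop it from host_vars so the two cannot drift, and keep a host_vars entry only for hosts that genuinely differ.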


@@ -1,86 +0,0 @@
$ANSIBLE_VAULT;1.1;AES256
31396238396138613138623165346137663838366430363266646565643765303261636131663538
3932326435366133356536343464633664353734386433330a626533613665623965656430393966
33366238326164303438633265613862376530613236383733386433383437393431303761663534
3131396534643134300a303364653539623938356363346664633539323266323265396565353664
37613435616536343736356564656139633165383538383036313637656235646435363266346332
30343632666438653532353930376461643234303062376134323762303161663832646463313664
32383363316631346131656634393866326233323530656236383865613564633030383338303132
36623236623132653634613966336437663464386662353262313334386465386435626463383536
35376334386564613763343165333762383136353233346134326430386639333938383736613564
65663431616164306231633935636462626232323764326234353966323530636363333432373535
35356265623039623738336533646639336564316561623463353936393531393064326565616232
36346163633164656132303738316531623735646662333936663034626438616430643638613136
33343064376464343561313739616634643339323264306536666231373139376330306130383662
33306364383039633239353062303262663531393538656539313161396538306437613432313662
38303834386234313065326234393962643036633864306263346132373736613435306339393861
34303438333038306431623632373263306336356132613236306438373663346131343536353664
39633330363032653133623161623733323431663261663666306630303832323338646364353335
37316338616561626231333265323134356666363136633938396133656532653338353935633365
63633632626566326336653466343861646465373965643339383361303039613637626562353961
62306236396530663835353438316438343431326237316137616639323732383138643138353666
66386365333465666136343737623064396432323439366634376165663336373536653333373466
32646434613535383539356232636664666237653838336561393530346263666665373962396439
62393262616361366430633738343934383231626461393962663566633134326664613634376361
36643733326563653639306361383434313763326631396165613334366634393465396361646331
65313338623862633335366536626636643636376137663938656534366335393861333430636637
37316662393564333231636433653637393738303933326531653362623935343434376439336665
32653237333861626238616337383533636439366437393363366537393164663563626639343162
38303463663931616437626638626563363937373732346534376438373537303136366666616662
32303536646266396564656363393331643431393438316565386264383036643061656236666265
61616165363336653464343235333762383263626438636665306330333339323438656263633361
39316264356261653234386466623033366334303265633237366130656530366238663766313662
33316336376362616132613661633039643735653565663562393462303436373335343135353864
63393433336638363232333334653633616236383631626665656162303162313939316364393238
38383761363037303864313465353963623438316563633562663130356361353036326333366332
36636631343335313463346539666332626662643166633035363733323337303961646266316435
31356235333433353936353163633132386430336161356238336234353336613761346161386663
31343334393137356138376532363231356636396531646361383436666531646137346231363132
30613362636238386635306264396463316432303437316265386131666535653739663762373138
30643666336530343961336561303266383534393135356361633035393935333133386535666134
37326665623264323233613834336537633935306532353936396361333037353562353734323936
64643131656237666633383738636631303361633366386466633531396432636263626164306166
33366538356165613134386130366433336539613036373934373764336566653039366531653232
63353265663337366265623633373264633231333364666635393564306131303132613439643464
36333434303230646631623433323863303836636466323931363130366465333562613432343032
33353339353733326636373165663865646635353031313230313962303034356432393835666532
31313838333136623466636236393164303232356363373237643762366161633038323565656266
65653662393638383436386533633632386638633431316465393165393861396334386261663733
33383237313233623035343530373963393562633434373563613066343366336233303766383431
66393534613638663637626634316664363235333333616434633239613734363330653662646537
65333731653430356563346435353433363936386664343232613537663233623437376164653562
34343538663339633361323934636131663061353238333766623366653234643637643330646231
35313235383232663533386663366336383632383236313731303533313039383063616136303534
37616131663336353164636333323930366364316437396661663838653538316562616662616133
62663766383933316363353163616338306164656636326238333338316330366135333338303064
38383866643732376262643862383266316435623432623564643433383434373564656161303162
30316434613965643063303663623830646361386132303433366663343464656239396230326438
62643430643761666361623737343838393434343238373336343633363534383830656134383166
65383437643765363036613130666664343935343264363733643330363366326332393636643561
32303139633133646261356238623134643135333166363862666166366261663630323138353962
35663535613131323237616365373866346432616133326136366666333262616536373939356165
61376563633363333465393333323937376565636163623038383635376436613639366335336132
64643132366630613065376334366231393162323931313532393830656432303338346665643034
62653964663131313761363765333364356135616533646232613333646433623631376637303632
33326533383139663266623234363264326233653166626563383263623038643766313062303030
61326538363265336138346166613735363661396437303935373137623230613466613939633234
61643135383539326239326134333163323633316239613238323564626632363863656662323134
37373462343239306630333162643139653539353431623734633864353737626365373934363532
30323334306161623866346532306665366637373730383164613932316230306236323366623564
35326262336232613138646633333661396334393430303433303636643934666637333462326661
37356263646165373739343065653539313034303133656537626662333036323064646634303066
61653364663331306432313766376263643565626466346566343732333332623365643963323232
62363366313936333162303632626561313934303264383338616639366135343337653935363861
63623430343536306633313738313135383465636336663636396239356634303237386365626661
65663861306435626663326137646161373133306430336132613762663735666363343163373432
30353534373634326561633236373462633039353130656438323764363339663637616530316237
35313532633937623633383534656665383066633365666462666331623437626465666466336438
30636436643034316262376635383330383835613138626130363466643362363130356334373730
65363934653138353834353761656265623230326532316161623332383234383139386265643737
64316435653531366163636635636436383135636338313035336633326366663730613839626136
30303735316562383637363462376663396262663333313964393538626665376139373565663963
61663834643265306134316536393166626239643438373336353834383966346366616537363032
64656466303062383731386661373661633666616163643034306661323635363964613736336466
62656637616264393464653439356665653061356534646134373639613536613763393839333731
39643737646566396466663732323237363064643131393065666266393165373331623536353135
64376437643062393436383435343732623766656431353936336265356662393739
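Review bot: deleting this vault file (commit 545684467c, host_vars/nomad03: remove) takes it out of the working tree only; the ciphertext stays in every clone's history, protected by nothing but the vault password. If the nomad03 credentials it held are no longer needed, rotate or revoke them rather than relying on the file being gone.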


@@ -1,26 +1,27 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
30323335373866653137343434333334396130326232343331323131306335386539343766373739 38663333313561616264323430323162323837623430363739623561633331656664613936666665
3039386264306531346164376336323666373534623165610a393739636333336535626530626166 6364373033623163393239663035306337383066343438310a383666313434323036643037363065
34303361303965303738373231306566633566616535623832376639366339613165643466343366 30396333626130303633663930663965666662646233393439376661346265616565616236623366
3366663737646339640a643361643864356563396537383166333035643861393638616431383030 3930373433646231610a336233663132306263656465633034333030316362643939316465666534
38333464303264383161653330336631326666323935353864386334323630306336333431336233 38353961393038613961353732613434663565633466303265383231343336386330333464376363
64353432326430393964613737373936373561303865393537393436616530396364356139383136 33616330643364376332623634363766656366666239633964316439376463313063333162343963
38303035316437663661386233303963323866393266313565333863343234353138316264313865 61356634393438313063666434626338616264613639656462626639616263366531663135393466
31643132356334353830383639363532356365666463653964343735383831393962386635343335 66346635616439306364356133303664376134626636616131373138656562363363306633333164
30303463613730383165663139666339623335396630346566303663336334346264646439336637 62623135343633393834393165383231316562643062343165663235313930663039623135373263
34613537653163383039383230653065666263323538386333363165363566626133646230653930 61343336643235303962333938613230356465346436376334373438386461366231383737643137
36616132643732353039616131333261386439643464353836623731333562613031323161633862 36343832353730366131653430633465383163396336353065306638373166386438356264616139
66326230623064343632633463386233383036303636643037653238373064636363613634663030 65346635663338366463343932336231386235393836616238373864626235623935663661396663
36636262623036356533643139373363663166373363366234396439613438666665626137663936 31633565356465333737303339333435383162316530396563333335613062623138333232336162
36363837383735386537343038383965666435336162316235656631343662346465363031343364 62376363666431363931663231643561616562383230643737393261623934363633313231333137
66633465643732343434306263303435616663393835663930343932653535653866306231363261 39383238656237343661626662366465356463396336386261326334613436396364633062646532
33313766316137356639333330666335346634366261333163333635373061363065396163393239 61313136366636363861316166396134316562666435653437326331363563653035343138636163
64353264336335353937646331616334613961633935653731616238343365323237666639633832 66336139636533656334643966383962383734623565323435333665666164353732663736326364
39313861633034343563376534383764353963316161326461376131646633356462323736346638 35616264383237316330386539363065376334643432393636643464646238633034333166663665
32343635346263346536353439666132333361653730323335366463633964616234633435653663 33313166393738626133636136346637646437306335326263393634363133663736666338313838
33323239386333333465333563373839633564353837666534663863643262366663643731366536 64623139613037653461643563666539613237323934376534376461313833336338623032616661
31656661303238623439356331656635636534323735616133366164343632373734363236316666 64643062663633366436383232366137373936383430306332616634636331326361383931363961
32363834653836636466373462643362323036386262336362663762626436313761363563363536 62313236313563326438303935373837666434313435653236643135303739373763656562393537
30636136353039653735313135656230643234346337323632303766646163373161636438336633 31653265653739346433663937343439656231663963333633373066356231623762313438393763
64303233396665656362663163323635323531306261363462356433376538373266383936376265 36306336656566633034373834316363333233326130626639313130643935333437653934313636
3265 32383034346234333561333466653561323834346166633831303566376266373933356536383031
6236303934323963336662386666653138313165366133303434
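Review bot: `ansible-vault edit` rewrites the whole file with a fresh salt, so this hunk cannot show whether any value changed or only the ciphertext; the commit message should say which secrets were added or rotated (the commit list mentions `fail2ban_ignoreip` and WordPress version bumps for web22 but nothing about vault contents), otherwise a reviewer cannot tell a no-op re-encryption from a credential change.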


@@ -1,135 +1,141 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
35376262343536323361666636343162396166663733666265366363373433376162303931323339 65636230346264393938656566653961393466306338353435333061356463363836616435333731
3934616330636638323866613564626634643065353336310a323436303031303532363932343632 3537316534663335343333643435383663303438333433650a666133633965643939306661383536
63336265363266643932623738323365303436656235383636303966353566376533653130646363 33626364316338306530393036653134373339653264616537623731323063646531383137333131
3462653937303030370a343130653735343966663031336665356663383132646635383738613539 6263363037613631360a343831393830646536326538363764643136613732636165316466316566
63626165336133393661306438366535613533326339636263343034623431366165663331366531 65346162383337626631663533626230643061633139663661656365333738353530316661313864
30646666633039633138346363666262356136363537353231666631333933393736666361376166 32373831396437386434313430666434363534656130613632643264393538663131336635653537

View File

@@ -1,66 +1,67 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256

View File

@@ -2,7 +2,7 @@
# file: roles/caddy/defaults/main.yml # file: roles/caddy/defaults/main.yml
# parent directory of vhost document roots # parent directory of vhost document roots
caddy_root_prefix: /var/www caddy_root_prefix: "{{ web_root_prefix }}"
# Email address to use for the ACME account managing the site's certificates. # Email address to use for the ACME account managing the site's certificates.
# Not sure what Caddy does if this doesn't exist. # Not sure what Caddy does if this doesn't exist.
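Review bot: `caddy_root_prefix: "{{ web_root_prefix }}"` in roles/caddy/defaults/main.yml now depends on a variable that this file does not define; on any host where `web_root_prefix` is unset, every template that expands `caddy_root_prefix` fails with an undefined-variable error instead of falling back to the old `/var/www`. Either give `web_root_prefix` a default in this role or document where it has to come from (group_vars or another role's defaults) so the dependency is visible.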

View File

@@ -3,7 +3,7 @@
# I'm currently not sure when we need to restart versus reload # I'm currently not sure when we need to restart versus reload
- name: reload caddy - name: reload caddy
ansible.builtin.systemd: ansible.builtin.systemd_service:
name: caddy name: caddy
state: reloaded state: reloaded

View File

@@ -18,7 +18,7 @@
dest: /etc/apt/keyrings/caddy-stable-archive-keyring.key dest: /etc/apt/keyrings/caddy-stable-archive-keyring.key
owner: root owner: root
group: root group: root
mode: 0644 mode: "0644"
register: download_caddy_signing_key register: download_caddy_signing_key
when: not caddy_signing_key_stat.stat.exists when: not caddy_signing_key_stat.stat.exists
tags: tags:
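Review bot: quoting `mode: "0644"` is the right fix (an unquoted `0644` is an octal integer to YAML 1.1 parsers but decimal 644 to YAML 1.2 ones, and ansible-lint flags it), but the `when: not caddy_signing_key_stat.stat.exists` guard means /etc/apt/keyrings/caddy-stable-archive-keyring.key is fetched exactly once and never re-validated: if the upstream key is rotated or the local file is altered, this task silently skips. Since the `signed-by=` in the next task trusts whatever sits at that path, consider pinning the expected checksum of the key in the download task so its integrity is asserted on every run.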
@@ -27,7 +27,7 @@
- name: Add Caddy stable repo - name: Add Caddy stable repo
ansible.builtin.apt_repository: ansible.builtin.apt_repository:
repo: 'deb [signed-by=/etc/apt/keyrings/caddy-stable-archive-keyring.key] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main' repo: deb [signed-by=/etc/apt/keyrings/caddy-stable-archive-keyring.key] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main
filename: caddy-stable filename: caddy-stable
state: present state: present
register: add_caddy_apt_repository register: add_caddy_apt_repository
@@ -38,9 +38,7 @@
- name: Update apt cache - name: Update apt cache
ansible.builtin.apt: # noqa no-handler ansible.builtin.apt: # noqa no-handler
update_cache: true update_cache: true
when: when: (download_caddy_signing_key.status_code is defined and download_caddy_signing_key.status_code == 200) or add_caddy_apt_repository is changed
(download_caddy_signing_key.status_code is defined and download_caddy_signing_key.status_code == 200) or
add_caddy_apt_repository is changed
tags: tags:
- packages - packages
- caddy - caddy
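Review bot: collapsing the `when:` of the "Update apt cache" task onto one line trades the readable two-clause form for a line well past 100 columns; a folded scalar (`when: >`) keeps a single expression without the long line. Separately, `ansible.builtin.apt_repository` refreshes the cache itself by default (`update_cache: true`), so the `add_caddy_apt_repository is changed` branch of this condition is likely redundant; the only case this task still covers is a re-downloaded key with an unchanged repo definition.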
@@ -59,7 +57,7 @@
ansible.builtin.template: ansible.builtin.template:
src: etc/caddy/Caddyfile.j2 src: etc/caddy/Caddyfile.j2
dest: /etc/caddy/Caddyfile dest: /etc/caddy/Caddyfile
mode: 0755 mode: "0755"
owner: root owner: root
group: root group: root
notify: notify:
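Review bot: `mode: "0755"` on the /etc/caddy/Caddyfile template (the `mode` line of this hunk) marks a configuration file executable; the quoting fix is right, but the value should be `"0644"`, which is what this same change uses for the vhost files under /etc/caddy/conf.d. Keep the directory at 0755 and the files at 0644.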
@@ -70,9 +68,10 @@
ansible.builtin.file: ansible.builtin.file:
path: /etc/caddy/conf.d path: /etc/caddy/conf.d
state: directory state: directory
mode: 0755 mode: "0755"
owner: root owner: root
group: root group: root
tags: caddy
# TODO: the variable is still named nginx_vhosts # TODO: the variable is still named nginx_vhosts
- name: Configure Caddy virtual hosts - name: Configure Caddy virtual hosts
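Review bot: the removed `tags: caddy` on the /etc/caddy/conf.d directory task leaves that task untagged while the other tasks in this file carry `caddy` (see the `tags:` blocks in the earlier hunks), so a run with `--tags caddy` will skip creating the directory and then try to write vhost files into it. Restore the tag, or tag the whole file where it is imported.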


@@ -1,10 +1,9 @@
--- ---
- name: Configure vhosts - name: Configure vhosts
ansible.builtin.template: ansible.builtin.template:
src: etc/caddy/conf.d/vhost.j2 src: etc/caddy/conf.d/vhost.j2
dest: /etc/caddy/conf.d/{{ item.domain_name }} dest: /etc/caddy/conf.d/{{ item.domain_name }}
mode: 0644 mode: "0644"
owner: root owner: root
group: root group: root
loop: "{{ nginx_vhosts }}" loop: "{{ nginx_vhosts }}"


@@ -8,6 +8,12 @@
{% set needs_php = item.needs_php | default(false) %} {% set needs_php = item.needs_php | default(false) %}
{% set has_gitea = item.has_gitea | default(false) %} {% set has_gitea = item.has_gitea | default(false) %}
{% set static_site = item.static_site | default(false) %} {% set static_site = item.static_site | default(false) %}
{# Allow sites to override the document root #}
{% if item.document_root is defined %}
{% set document_root = item.document_root %}
{% else %}
{% set document_root = (caddy_root_prefix, domain_name) | ansible.builtin.path_join %}
{% endif %}
{% if domain_aliases %} {% if domain_aliases %}
{# domain_aliases is a string, so we split on space #} {# domain_aliases is a string, so we split on space #}
@@ -21,15 +27,20 @@
{{ domain_name }} { {{ domain_name }} {
{% if has_gitea %} {% if has_gitea %}
reverse_proxy :3000 reverse_proxy :3000
{% endif %} {% elif static_site -%}
root * {{ document_root }}
{% if static_site -%} encode
root * {{ item.document_root }}
encode zstd gzip
file_server file_server
{% endif %} {% elif has_wordpress -%}
root * {{ document_root }}
encode
{% if ansible_facts["distribution_major_version"] is version('12', '==') -%}
php_fastcgi unix//run/php/php8.2-fpm-{{ domain_name }}.sock
{% endif -%}
file_server
{% endif -%}
import security-headers import security-headers
} }
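Review bot: in the new `{% elif has_wordpress -%}` branch the `php_fastcgi` line is only rendered when `distribution_major_version` is 12, so on any other release a WordPress vhost gets `root`, `encode` and `file_server` with no PHP handler, and Caddy would serve the .php sources as plain files. Derive the socket name from the installed PHP version instead of hard-coding `php8.2-fpm` behind a Debian 12 check, or guard the branch so the template cannot render a WordPress site without a handler.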


@@ -8,6 +8,10 @@ fail2ban_maxretry: 6
fail2ban_findtime: 3600 fail2ban_findtime: 3600
# 2 weeks in seconds # 2 weeks in seconds
fail2ban_bantime: 1209600 fail2ban_bantime: 1209600
fail2ban_ignoreip: 127.0.0.1/8 172.26.0.0/16 192.168.5.0/24 fail2ban_ignoreip: 127.0.0.0/8
# Disable SSH passwords. Must use SSH keys. This is OK because we add the keys
# before re-configuring the SSH daemon to disable passwords.
ssh_password_authentication: disabled
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:
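Review bot: `fail2ban_ignoreip` in this hunk drops 172.26.0.0/16 and 192.168.5.0/24 in addition to correcting 127.0.0.1/8 to 127.0.0.0/8, so hosts on those networks become bannable after `fail2ban_maxretry: 6` failures within `fail2ban_findtime: 3600` seconds, for `fail2ban_bantime: 1209600` seconds (two weeks). If that is intended, a comment in the vars file would save the next reader a question; if those were management networks, keep them (with host bits cleared, as the new exempt list requires). The new `ssh_password_authentication: disabled` default is the right direction, but the comment's safety argument depends on the admin-keys task running before the sshd reload, which this hunk does not show.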

File diff suppressed because it is too large


@@ -1,5 +0,0 @@
#!/usr/sbin/nft -f
define ABUSEIPDB_IPV6 = {
fd21:3523:74e0:7301::
}


@@ -1,89 +0,0 @@
#!/usr/bin/perl
#
# aggregate-cidr-addresses - combine a list of CIDR address blocks
# Copyright (C) 2001,2007 Mark Suter <suter@zwitterion.org>
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see L<http://www.gnu.org/licenses/>.
#
# [MJS 22 Oct 2001] Aggregate CIDR addresses
# [MJS 9 Oct 2007] Overlap idea from Anthony Ledesma at theplanet dot com.
# [MJS 16 Feb 2012] Prompted to clarify license by Alexander Talos-Zens - at at univie dot ac dot at
# [MJS 21 Feb 2012] IPv6 fixes by Alexander Talos-Zens
# [MJS 21 Feb 2012] Split ranges into prefixes (fixes a 10+ year old bug)
use strict;
use warnings;
use English qw( -no_match_vars );
use Net::IP;
## Read in all the IP addresses
my @addrs = map { Net::IP->new($_) or die "$PROGRAM_NAME: Not an IP: \"$_\"."; }
map { / \A \s* (.+?) \s* \Z /msix and $1; } <>;
## Split any ranges into prefixes
@addrs = map {
defined $_->prefixlen ? $_ : map { Net::IP->new($_) }
$_->find_prefixes
} @addrs;
## Sort the IP addresses
@addrs = sort { $a->version <=> $b->version or $a->bincomp( 'lt', $b ) ? -1 : $a->bincomp( 'gt', $b ) ? 1 : 0 } @addrs;
## Handle overlaps
my $count = 0;
my $current = $addrs[0];
foreach my $next ( @addrs[ 1 .. $#addrs ] ) {
my $r = $current->overlaps($next);
if ( $current->version != $next->version or $r == $IP_NO_OVERLAP ) {
$current = $next;
$count++;
}
elsif ( $r == $IP_A_IN_B_OVERLAP ) {
$current = $next;
splice @addrs, $count, 1;
}
elsif ( $r == $IP_B_IN_A_OVERLAP or $r == $IP_IDENTICAL ) {
splice @addrs, $count + 1, 1;
}
else {
die "$PROGRAM_NAME: internal error - overlaps() returned an unexpected value!\n";
}
}
## Keep aggregating until we don't change anything
my $change = 1;
while ($change) {
$change = 0;
my @new_addrs = ();
$current = $addrs[0];
foreach my $next ( @addrs[ 1 .. $#addrs ] ) {
if ( my $total = $current->aggregate($next) ) {
$current = $total;
$change = 1;
}
else {
push @new_addrs, $current;
$current = $next;
}
}
push @new_addrs, $current;
@addrs = @new_addrs;
}
## Print out the IP addresses
foreach (@addrs) {
print $_->prefix(), "\n";
}
# $Id: aggregate-cidr-addresses,v 1.9 2012/02/21 10:14:22 suter Exp suter $


@@ -1,2 +0,0 @@
autoclean -y
upgrade -y -o APT::Get::Show-Upgraded=true


@@ -1,5 +0,0 @@
# Configuration for cron-apt. For further information about the possible
# configuration settings see the README file.
MAILON="never"
OPTIONS="-o quiet=1 -o Dir::Etc::SourceList=/etc/apt/security.sources.list -o Dir::Etc::SourceParts=\"/dev/null\""


@@ -1 +0,0 @@
provisioning ALL=(ALL) ALL
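Review bot: deleting this sudoers entry from the repository does not remove it from hosts that were already provisioned with it; unlike the cron-apt files, which get explicit `state: absent` tasks in this change, nothing visible here removes the `provisioning` rule from /etc/sudoers.d, so that account keeps unrestricted `ALL=(ALL) ALL` sudo on existing hosts. Add a `file` task with `state: absent` for it alongside the cron-apt cleanup.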


@@ -1,5 +1,5 @@
#!/usr/sbin/nft -f #!/usr/sbin/nft -f
define SPAMHAUS_IPV4 = { define FIREHOL_LEVEL1_IPV4 = {
192.168.254.254/32 192.168.254.254/32
} }


@@ -1,5 +0,0 @@
#!/usr/sbin/nft -f
define SPAMHAUS_IPV6 = {
fd21:3523:74e0:7301::/64
}


@@ -1,27 +0,0 @@
[Unit]
Description=Update Abuse.ch SSL Blacklist IPs
# This service will fail if nftables is not running so we use Requires to make
# sure that nftables is started.
Requires=nftables.service
# Make sure the network is up and nftables is started
After=network-online.target nftables.service
Wants=network-online.target update-abusech-nftables.timer
[Service]
# https://www.ctrl.blog/entry/systemd-service-hardening.html
# Doesn't need access to /home or /root
ProtectHome=true
# Possibly only works on Ubuntu 18.04+
ProtectKernelTunables=true
ProtectSystem=full
# Newer systemd can use ReadWritePaths to list files, but this works everywhere
ReadWriteDirectories=/etc/nftables
PrivateTmp=true
WorkingDirectory=/var/tmp
SyslogIdentifier=update-abusech-nftables
ExecStart=/usr/bin/flock -x update-abusech-nftables.lck \
/usr/local/bin/update-abusech-nftables.sh
[Install]
WantedBy=multi-user.target


@@ -1,63 +0,0 @@
#!/usr/bin/env bash
#
# update-abuseipdb-nftables.sh v0.0.1
#
# Download IP addresses seen using a blacklisted SSL certificate and load them
# into nftables sets. As of 2021-07-28 these appear to only be IPv4.
#
# See: https://sslbl.abuse.ch/blacklist
#
# Copyright (C) 2021 Alan Orth
#
# SPDX-License-Identifier: GPL-3.0-only
# Exit on first error
set -o errexit
abusech_ipv4_set_path=/etc/nftables/abusech-ipv4.nft
abusech_list_temp=$(mktemp)
echo "Downloading Abuse.sh SSL Blacklist IPs"
abusech_response=$(curl -s -G -w "%{http_code}\n" https://sslbl.abuse.ch/blacklist/sslipblacklist.txt --output "$abusech_list_temp")
if [[ $abusech_response -ne 200 ]]; then
echo "Abuse.ch responded: HTTP $abusech_response"
exit 1
fi
if [[ -f "$abusech_list_temp" ]]; then
echo "Processing IPv4 list"
abusech_ipv4_list_temp=$(mktemp)
abusech_ipv4_set_temp=$(mktemp)
# Remove comments, DOS carriage returns, and IPv6 addresses (even though
# Abuse.ch seems to only have IPv4 addresses, let's not break our shit on
# that assumption some time down the line).
sed -e '/#/d' -e 's/
//' -e '/:/d' "$abusech_list_temp" > "$abusech_ipv4_list_temp"
echo "Building abusech-ipv4 set"
cat << NFT_HEAD > "$abusech_ipv4_set_temp"
#!/usr/sbin/nft -f
define ABUSECH_IPV4 = {
NFT_HEAD
while read -r network; do
# nftables doesn't mind if the last element in the set has a trailing
# comma so we don't need to do anything special here.
echo "$network," >> "$abusech_ipv4_set_temp"
done < $abusech_ipv4_list_temp
echo "}" >> "$abusech_ipv4_set_temp"
install -m 0600 "$abusech_ipv4_set_temp" "$abusech_ipv4_set_path"
rm -f "$abusech_list_temp" "$abusech_ipv4_list_temp" "$abusech_ipv4_set_temp"
fi
echo "Reloading nftables"
# The abusech nftables sets are included by nftables.conf


@@ -1,12 +0,0 @@
[Unit]
Description=Update Abuse.ch SSL Blacklist IPs
[Timer]
# Once a day at midnight
OnCalendar=*-*-* 00:00:00
# Add a random delay of 03600 seconds
RandomizedDelaySec=3600
Persistent=true
[Install]
WantedBy=timers.target


@@ -0,0 +1,24 @@
[Unit]
Description=Update FireHOL lists
# Make sure the network is up
After=network-online.target
Wants=network-online.target update-firehol-nftables.timer
[Service]
# https://www.ctrl.blog/entry/systemd-service-hardening.html
# Doesn't need access to /home or /root
ProtectHome=true
# Possibly only works on Ubuntu 18.04+
ProtectKernelTunables=true
ProtectSystem=full
# Newer systemd can use ReadWritePaths to list files, but this works everywhere
ReadWriteDirectories=/etc/nftables
PrivateTmp=true
WorkingDirectory=/var/tmp
SyslogIdentifier=update-firehol-nftables
ExecStart=/usr/bin/flock -x update-firehol-nftables.lck \
/usr/local/bin/update-firehol-nftables.sh
[Install]
WantedBy=multi-user.target
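Review bot: this unit drops the `Requires=nftables.service` and `After=... nftables.service` ordering that the update-spamhaus-nftables.service and update-abusech-nftables.service units removed in this same change carried, together with the comment explaining that the script fails when nftables is not running. If update-firehol-nftables.sh still reloads the ruleset with `nft -f /etc/nftables.conf` as those scripts did, keep the ordering; if not, a comment saying why it is no longer needed would help. While the hardening block is being copied forward, `ProtectSystem=strict` with `ReadWritePaths=/etc/nftables` is the current form of the `ProtectSystem=full` plus `ReadWriteDirectories` pair, and `NoNewPrivileges=true` is a free addition for a script that only runs under flock.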


@@ -1,5 +1,5 @@
[Unit] [Unit]
Description=Update Spamhaus lists Description=Update FireHOL lists
[Timer] [Timer]
# Once a day at midnight # Once a day at midnight


@@ -1,27 +0,0 @@
[Unit]
Description=Update Spamhaus lists
# This service will fail if nftables is not running so we use Requires to make
# sure that nftables is started.
Requires=nftables.service
# Make sure the network is up and nftables is started
After=network-online.target nftables.service
Wants=network-online.target update-spamhaus-nftables.timer
[Service]
# https://www.ctrl.blog/entry/systemd-service-hardening.html
# Doesn't need access to /home or /root
ProtectHome=true
# Possibly only works on Ubuntu 18.04+
ProtectKernelTunables=true
ProtectSystem=full
# Newer systemd can use ReadWritePaths to list files, but this works everywhere
ReadWriteDirectories=/etc/nftables
PrivateTmp=true
WorkingDirectory=/var/tmp
SyslogIdentifier=update-spamhaus-nftables
ExecStart=/usr/bin/flock -x update-spamhaus-nftables.lck \
/usr/local/bin/update-spamhaus-nftables.sh
[Install]
WantedBy=multi-user.target


@@ -1,91 +0,0 @@
#!/usr/bin/env bash
#
# update-spamhaus-nftables.sh v0.0.1
#
# Download Spamhaus DROP lists and load them into nftables sets.
#
# See: https://www.spamhaus.org/drop/
#
# Copyright (C) 2021 Alan Orth
#
# SPDX-License-Identifier: GPL-3.0-only
# Exit on first error
set -o errexit
spamhaus_ipv4_set_path=/etc/nftables/spamhaus-ipv4.nft
spamhaus_ipv6_set_path=/etc/nftables/spamhaus-ipv6.nft
function download() {
echo "Downloading $1"
wget -q -O - "https://www.spamhaus.org/drop/$1" > "$1"
}
download drop.txt
download edrop.txt
download dropv6.txt
if [[ -f "drop.txt" && -f "edrop.txt" ]]; then
echo "Processing IPv4 DROP lists"
spamhaus_ipv4_list_temp=$(mktemp)
spamhaus_ipv4_set_temp=$(mktemp)
# Extract all networks from drop.txt and edrop.txt, skipping blank lines and
# comments. Use aggregate-cidr-addresses.pl to merge overlapping IPv4 CIDR
# ranges to work around a firewalld bug.
#
# See: https://bugzilla.redhat.com/show_bug.cgi?id=1836571
cat drop.txt edrop.txt | sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' | aggregate-cidr-addresses.pl > "$spamhaus_ipv4_list_temp"
echo "Building spamhaus-ipv4 set"
cat << NFT_HEAD > "$spamhaus_ipv4_set_temp"
#!/usr/sbin/nft -f
define SPAMHAUS_IPV4 = {
NFT_HEAD
while read -r network; do
# nftables doesn't mind if the last element in the set has a trailing
# comma so we don't need to do anything special here.
echo "$network," >> "$spamhaus_ipv4_set_temp"
done < $spamhaus_ipv4_list_temp
echo "}" >> "$spamhaus_ipv4_set_temp"
install -m 0600 "$spamhaus_ipv4_set_temp" "$spamhaus_ipv4_set_path"
rm -f "$spamhaus_ipv4_list_temp" "$spamhaus_ipv4_set_temp"
fi
if [[ -f "dropv6.txt" ]]; then
echo "Processing IPv6 DROP lists"
spamhaus_ipv6_list_temp=$(mktemp)
spamhaus_ipv6_set_temp=$(mktemp)
sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' dropv6.txt > "$spamhaus_ipv6_list_temp"
echo "Building spamhaus-ipv6 set"
cat << NFT_HEAD > "$spamhaus_ipv6_set_temp"
#!/usr/sbin/nft -f
define SPAMHAUS_IPV6 = {
NFT_HEAD
while read -r network; do
echo "$network," >> "$spamhaus_ipv6_set_temp"
done < $spamhaus_ipv6_list_temp
echo "}" >> "$spamhaus_ipv6_set_temp"
install -m 0600 "$spamhaus_ipv6_set_temp" "$spamhaus_ipv6_set_path"
rm -f "$spamhaus_ipv6_list_temp" "$spamhaus_ipv6_set_temp"
fi
echo "Reloading nftables"
# The spamhaus nftables sets are included by nftables.conf
/usr/sbin/nft -f /etc/nftables.conf
rm -v drop.txt edrop.txt dropv6.txt


@@ -1,20 +1,27 @@
--- ---
# ansible.builtin.file: roles/common/handlers/main.yml # ansible.builtin.file: roles/common/handlers/main.yml
- name: reload sshd - name: Reload sshd
ansible.builtin.systemd: name={{ sshd_service_name }} state=reloaded ansible.builtin.systemd_service:
name: "{{ sshd_service_name }}"
state: reloaded
- name: reload sysctl - name: Reload sysctl
command: sysctl -p /etc/sysctl.conf ansible.builtin.command: sysctl -p /etc/sysctl.conf
- name: reload systemd - name: Reload systemd
ansible.builtin.systemd: daemon_reload=true ansible.builtin.systemd_service:
daemon_reload: true
- name: restart nftables - name: Restart nftables
ansible.builtin.systemd: name=nftables state=restarted ansible.builtin.systemd_service:
name: nftables
state: restarted
# 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed # 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed
# in the order they are defined, not in the order they are listed in the task's # in the order they are defined, not in the order they are listed in the task's
# notify statement and we must restart fail2ban after updating the firewall. # notify statement and we must restart fail2ban after updating the firewall.
- name: restart fail2ban - name: Restart fail2ban
ansible.builtin.systemd: name=fail2ban state=restarted ansible.builtin.systemd_service:
name: fail2ban
state: restarted
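Review bot: renaming the handlers to capitalised names (`reload sshd` to `Reload sshd`, `restart nftables` to `Restart nftables`, and so on) breaks every `notify:` that still uses the old names; the fail2ban and main task files in this change are updated, but the sshd tasks and any other role that notifies `reload sshd` or `restart nftables` are not visible here, and an unknown handler name fails the play at runtime. Grep the repository for the lowercase names before merging. The 2021-09-28 ordering note still holds with the `systemd_service` form, so keeping fail2ban last is still required.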


@@ -1,12 +1,17 @@
--- ---
- name: Remove cron-apt
ansible.builtin.apt:
name: cron-apt
state: absent
cache_valid_time: 3600
- name: Configure cron-apt (config) - name: Remove cron-apt configs
ansible.builtin.copy: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode }} owner={{ item.owner }} group={{ item.group }} ansible.builtin.file:
path: "{{ item }}"
state: absent
loop: loop:
- { src: 'etc/cron-apt/config', dest: '/etc/cron-apt/config', mode: '0644', owner: 'root', group: 'root' } - /etc/cron-apt/config
- { src: 'etc/cron-apt/3-download', dest: '/etc/cron-apt/action.d/3-download', mode: '0644', owner: 'root', group: 'root' } - /etc/cron-apt/action.d/3-download
- /etc/apt/security.sources.list
- name: Configure cron-apt (security)
ansible.builtin.template: src=security.sources.list.j2 dest=/etc/apt/security.sources.list mode=0644 owner=root group=root
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:
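Review bot: 'Remove cron-apt configs' lists the leftover files by hand because `state: absent` in the apt task removes the package without purging; `purge: true` on that `ansible.builtin.apt` task would drop /etc/cron-apt/config and /etc/cron-apt/action.d/3-download itself, leaving only /etc/apt/security.sources.list (a file this role created, not one the package owns) for the file task. `cache_valid_time: 3600` on a removal only triggers an apt cache refresh that the removal does not need and can go.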


@@ -1,29 +1,39 @@
--- ---
- name: Install fail2ban
when: ansible_facts["distribution_version"] is version('11', '>=')
ansible.builtin.apt:
name:
- fail2ban
- python3-systemd
state: present
cache_valid_time: 3600
- name: Configure fail2ban sshd filter - name: Configure fail2ban sshd filter
ansible.builtin.template: ansible.builtin.template:
src: etc/fail2ban/jail.d/sshd.local.j2 src: etc/fail2ban/jail.d/sshd.local.j2
dest: /etc/fail2ban/jail.d/sshd.local dest: /etc/fail2ban/jail.d/sshd.local
owner: root owner: root
mode: 0644 mode: "0644"
notify: restart fail2ban notify: Restart fail2ban
- name: Configure fail2ban nginx filter - name: Configure fail2ban nginx filter
when: when:
- webserver is defined and webserver == 'nginx'
- extra_fail2ban_filters is defined - extra_fail2ban_filters is defined
- "'nginx' in extra_fail2ban_filters" - "'nginx' in extra_fail2ban_filters"
ansible.builtin.template: ansible.builtin.template:
src: etc/fail2ban/jail.d/nginx.local.j2 src: etc/fail2ban/jail.d/nginx.local.j2
dest: /etc/fail2ban/jail.d/nginx.local dest: /etc/fail2ban/jail.d/nginx.local
owner: root owner: root
mode: 0644 mode: "0644"
notify: restart fail2ban notify: Restart fail2ban
- name: Create fail2ban service override directory - name: Create fail2ban service override directory
ansible.builtin.file: ansible.builtin.file:
path: /etc/systemd/system/fail2ban.service.d path: /etc/systemd/system/fail2ban.service.d
state: directory state: directory
owner: root owner: root
mode: 0755 mode: "0755"
# See Arch Linux's example: https://wiki.archlinux.org/index.php/Fail2ban # See Arch Linux's example: https://wiki.archlinux.org/index.php/Fail2ban
- name: Configure fail2ban service override - name: Configure fail2ban service override
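Review bot: 'Configure fail2ban nginx filter' loses the `webserver is defined and webserver == 'nginx'` guard, so a host that has moved to Caddy but still carries `nginx` in `extra_fail2ban_filters` would get an nginx jail pointing at logs that no longer exist, and a jail whose logpath is missing is a configuration error at fail2ban start. Either keep the guard or remove the filter entry from those hosts' inventory in the same change. The new 'Install fail2ban' task gates on Debian 11+, which needs to match whatever condition includes this file.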
@@ -31,13 +41,13 @@
src: etc/systemd/system/fail2ban.service.d/override.conf.j2 src: etc/systemd/system/fail2ban.service.d/override.conf.j2
dest: /etc/systemd/system/fail2ban.service.d/override.conf dest: /etc/systemd/system/fail2ban.service.d/override.conf
owner: root owner: root
mode: 0644 mode: "0644"
notify: notify:
- reload systemd - Reload systemd
- restart fail2ban - Restart fail2ban
- name: Start and enable fail2ban service - name: Start and enable fail2ban service
ansible.builtin.systemd: ansible.builtin.systemd_service:
name: fail2ban name: fail2ban
state: started state: started
enabled: true enabled: true


@@ -0,0 +1,25 @@
---
# Debian 11+ will use nftables directly, with no firewalld.
- name: Install Debian firewall packages
when: ansible_facts["distribution_version"] is version('11', '>=')
ansible.builtin.apt:
name: nftables
state: present
cache_valid_time: 3600
- name: Remove iptables on newer Debian
when: ansible_facts["distribution_version"] is version('11', '>=')
ansible.builtin.apt:
pkg: iptables
state: absent
- name: Configure nftables
when: ansible_facts["distribution_version"] is version('11', '>=')
ansible.builtin.include_tasks: nftables.yml
- name: Configure fail2ban
when: ansible_facts["distribution_version"] is version('9', '>=')
ansible.builtin.include_tasks: fail2ban.yml
# vim: set sw=2 ts=2:
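Review bot: the version gates in this file disagree with the file it includes: 'Configure fail2ban' runs fail2ban.yml on Debian 9+, but the 'Install fail2ban' task inside fail2ban.yml only installs the package on Debian 11+, so a Debian 9 or 10 host would template jails and try to start a service that was never installed. Since every other task here requires 11+, gate the include at 11 as well, or put the repeated `when:` on one `block:` as the replaced firewall_Debian.yml did.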


@@ -1,116 +0,0 @@
---
# Debian 11+ will use nftables directly, with no firewalld.
- block:
- name: Install Debian firewall packages
when: ansible_distribution_major_version is version('11', '>=')
ansible.builtin.package:
name:
- fail2ban
- libnet-ip-perl # for aggregate-cidr-addresses.pl
- nftables
- python3-systemd
- curl # for nftables update scripts
state: present
cache_valid_time: 3600
- name: Remove iptables on newer Debian
when: ansible_distribution_major_version is version('11', '>=')
ansible.builtin.apt:
pkg: iptables
state: absent
- name: Copy nftables.conf
when: ansible_distribution_major_version is version('11', '>=')
ansible.builtin.template:
src: nftables.conf.j2
dest: /etc/nftables.conf
owner: root
mode: 0644
notify:
- restart nftables
- restart fail2ban
- name: Create /etc/nftables extra config directory
when: ansible_distribution_major_version is version('11', '>=')
ansible.builtin.file:
path: /etc/nftables
state: directory
owner: root
mode: 0755
- name: Copy extra nftables configuration files
when: ansible_distribution_major_version is version('11', '>=')
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "/etc/nftables/{{ item.src }}"
owner: root
group: root
mode: 0644
force: "{{ item.force }}"
loop:
- { src: "spamhaus-ipv4.nft", force: "no" }
- { src: "spamhaus-ipv6.nft", force: "no" }
- { src: "abusech-ipv4.nft", force: "no" }
- { src: "abuseipdb-ipv4.nft", force: "yes" }
- { src: "abuseipdb-ipv6.nft", force: "yes" }
notify:
- restart nftables
- restart fail2ban
- name: Copy nftables update scripts
when: ansible_distribution_version is version('11', '>=')
ansible.builtin.copy:
src: "{{ item }}"
dest: "/usr/local/bin/{{ item }}"
mode: 0755
owner: root
group: root
loop:
- update-spamhaus-nftables.sh
- aggregate-cidr-addresses.pl
- update-abusech-nftables.sh
- name: Copy nftables systemd units
when: ansible_distribution_version is version('11', '>=')
ansible.builtin.copy:
src: "{{ item }}"
dest: "/etc/systemd/system/{{ item }}"
mode: 0644
owner: root
group: root
loop:
- update-spamhaus-nftables.service
- update-spamhaus-nftables.timer
- update-abusech-nftables.service
- update-abusech-nftables.timer
register: nftables_systemd_units
# need to reload to pick up service/timer/environment changes
- name: Reload systemd daemon
ansible.builtin.systemd:
daemon_reload: true
when: nftables_systemd_units is changed
- name: Start and enable nftables update timers
when: ansible_distribution_version is version('11', '>=')
ansible.builtin.systemd:
name: "{{ item }}"
state: started
enabled: true
loop:
- update-spamhaus-nftables.timer
- update-abusech-nftables.timer
- name: Start and enable nftables
when: ansible_distribution_major_version is version('11', '>=')
ansible.builtin.systemd:
name: nftables
state: started
enabled: true
- ansible.builtin.include_tasks: fail2ban.yml
when: ansible_distribution_major_version is version('9', '>=')
tags: firewall
# vim: set sw=2 ts=2:


@@ -1,114 +0,0 @@
---
# Ubuntu 20.04 will use nftables directly, with no firewalld.
- block:
- name: Install Ubuntu firewall packages
ansible.builtin.package:
name:
- fail2ban
- libnet-ip-perl # for aggregate-cidr-addresses.pl
- nftables
- python3-systemd
- curl # for nftables update scripts
state: present
cache_valid_time: 3600
- name: Remove ufw
ansible.builtin.package:
name: ufw
state: absent
- name: Copy nftables.conf
when: ansible_distribution_version is version('20.04', '>=')
ansible.builtin.template:
src: nftables.conf.j2
dest: /etc/nftables.conf
owner: root
mode: 0644
notify:
- restart nftables
- restart fail2ban
- name: Create /etc/nftables extra config directory
when: ansible_distribution_version is version('20.04', '>=')
ansible.builtin.file:
path: /etc/nftables
state: directory
owner: root
mode: 0755
- name: Copy extra nftables configuration files
when: ansible_distribution_version is version('20.04', '>=')
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "/etc/nftables/{{ item.src }}"
owner: root
group: root
mode: 0644
force: "{{ item.force }}"
loop:
- { src: "spamhaus-ipv4.nft", force: "no" }
- { src: "spamhaus-ipv6.nft", force: "no" }
- { src: "abusech-ipv4.nft", force: "no" }
- { src: "abuseipdb-ipv4.nft", force: "yes" }
- { src: "abuseipdb-ipv6.nft", force: "yes" }
notify:
- restart nftables
- restart fail2ban
- name: Copy nftables update scripts
when: ansible_distribution_version is version('20.04', '>=')
ansible.builtin.copy:
src: "{{ item }}"
dest: "/usr/local/bin/{{ item }}"
mode: 0755
owner: root
group: root
loop:
- update-spamhaus-nftables.sh
- aggregate-cidr-addresses.pl
- update-abusech-nftables.sh
- name: Copy nftables systemd units
when: ansible_distribution_version is version('20.04', '>=')
ansible.builtin.copy:
src: "{{ item }}"
dest: "/etc/systemd/system/{{ item }}"
mode: 0644
owner: root
group: root
loop:
- update-spamhaus-nftables.service
- update-spamhaus-nftables.timer
- update-abusech-nftables.service
- update-abusech-nftables.timer
register: nftables_systemd_units
# need to reload to pick up service/timer/environment changes
- name: Reload systemd daemon
ansible.builtin.systemd:
daemon_reload: true
when: nftables_systemd_units is changed
- name: Start and enable nftables update timers
when: ansible_distribution_version is version('20.04', '>=')
ansible.builtin.systemd:
name: "{{ item }}"
state: started
enabled: true
loop:
- update-spamhaus-nftables.timer
- update-abusech-nftables.timer
- name: Start and enable nftables
when: ansible_distribution_version is version('20.04', '>=')
ansible.builtin.systemd:
name: nftables
state: started
enabled: true
- ansible.builtin.include_tasks: fail2ban.yml
when: ansible_distribution_version is version('16.04', '>=')
tags: firewall
# vim: set sw=2 ts=2:


@@ -1,6 +1,6 @@
--- ---
- name: Import OS-specific variables - name: Import OS-specific variables
ansible.builtin.include_vars: "vars/{{ ansible_distribution }}.yml" ansible.builtin.include_vars: vars/{{ ansible_facts["distribution"] }}.yml
tags: always tags: always
- name: Configure network time - name: Configure network time
@@ -8,23 +8,11 @@
tags: ntp tags: ntp
- name: Install common packages - name: Install common packages
ansible.builtin.include_tasks: packages_Debian.yml ansible.builtin.include_tasks: packages.yml
when: ansible_distribution == 'Debian'
tags: packages
- name: Install common packages
ansible.builtin.include_tasks: packages_Ubuntu.yml
when: ansible_distribution == 'Ubuntu'
tags: packages tags: packages
- name: Configure firewall - name: Configure firewall
ansible.builtin.include_tasks: firewall_Debian.yml ansible.builtin.import_tasks: firewall.yml
when: ansible_distribution == 'Debian'
tags: firewall
- name: Configure firewall
ansible.builtin.include_tasks: firewall_Ubuntu.yml
when: ansible_distribution == 'Ubuntu'
tags: firewall tags: firewall
- name: Configure secure shell daemon - name: Configure secure shell daemon
@@ -33,14 +21,24 @@
# containers identify as virtualization hosts, which makes this tricky, because we have actual Debian VM hosts! # containers identify as virtualization hosts, which makes this tricky, because we have actual Debian VM hosts!
- name: Reconfigure /etc/sysctl.conf - name: Reconfigure /etc/sysctl.conf
when: ansible_virtualization_role != 'host' when: ansible_facts["virtualization_role"] != 'host'
ansible.builtin.template: src=sysctl_{{ ansible_distribution }}.j2 dest=/etc/sysctl.conf owner=root group=root mode=0644 ansible.builtin.template:
src: "sysctl_{{ ansible_facts['distribution'] }}.j2"
dest: /etc/sysctl.conf
owner: root
group: root
mode: "0644"
notify: notify:
- reload sysctl - Reload sysctl
tags: sysctl tags: sysctl
- name: Set I/O scheduler - name: Set I/O scheduler
ansible.builtin.template: src=etc/udev/rules.d/60-scheduler.rules.j2 dest=/etc/udev/rules.d/60-scheduler.rules owner=root group=root mode=0644 ansible.builtin.template:
src: etc/udev/rules.d/60-scheduler.rules.j2
dest: /etc/udev/rules.d/60-scheduler.rules
owner: root
group: root
mode: "0644"
tags: udev tags: udev
- name: Copy admin SSH keys - name: Copy admin SSH keys
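Review bot: with packages_Ubuntu.yml and firewall_Ubuntu.yml deleted and the `ansible_distribution == 'Debian'` conditions removed from the include lines, the role is Debian-only, yet 'Import OS-specific variables' still loads `vars/{{ ansible_facts["distribution"] }}.yml` by distribution name; an Ubuntu host left in the inventory would load vars/Ubuntu.yml (if it still exists) and then run the Debian-only packages.yml and firewall.yml. Add an `ansible.builtin.assert` on `ansible_facts["distribution"] == 'Debian'` at the top of this file, or load vars/Debian.yml directly. Switching the firewall include to `import_tasks` is a good change, since the `firewall` tag now applies statically to the imported tasks.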


@@ -0,0 +1,69 @@
---
# Common nftables tasks for Debian 11 and Debian 12.
- name: Copy nftables.conf
ansible.builtin.template:
src: nftables.conf.j2
dest: /etc/nftables.conf
owner: root
mode: "0644"
notify:
- Restart nftables
- name: Create /etc/nftables extra config directory
ansible.builtin.file:
path: /etc/nftables
state: directory
owner: root
mode: "0755"
- name: Copy extra nftables configuration files
ansible.builtin.copy:
src: firehol_level1-ipv4.nft
dest: /etc/nftables/firehol_level1-ipv4.nft
owner: root
group: root
mode: "0644"
force: false
notify:
- Restart nftables
- name: Copy nftables update scripts
ansible.builtin.template:
src: update-firehol-nftables.sh.j2
dest: /usr/local/bin/update-firehol-nftables.sh
mode: "0755"
owner: root
group: root
- name: Copy nftables systemd units
ansible.builtin.copy:
src: "{{ item }}"
dest: /etc/systemd/system/{{ item }}
mode: "0644"
owner: root
group: root
loop:
- update-firehol-nftables.service
- update-firehol-nftables.timer
register: nftables_systemd_units
# need to reload to pick up service/timer/environment changes
- name: Reload systemd daemon
when: nftables_systemd_units is changed
ansible.builtin.systemd_service: # noqa no-handler
daemon_reload: true
- name: Start and enable nftables update timers
ansible.builtin.systemd_service:
name: update-firehol-nftables.timer
state: started
enabled: true
- name: Start and enable nftables
ansible.builtin.systemd_service:
name: nftables
state: started
enabled: true
# vim: set sw=2 ts=2:
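Review bot: 'Copy nftables.conf' here notifies only `Restart nftables`, whereas the firewall_Debian.yml it replaces notified `restart nftables` and `restart fail2ban` together, and the handlers file in this same change still explains why: restarting nftables reloads the ruleset, which (with the usual `flush ruleset`) discards the chains fail2ban inserted, so fail2ban has to be restarted afterwards. Add `Restart fail2ban` back to the notify lists of 'Copy nftables.conf' and 'Copy extra nftables configuration files'. Separately, nothing in this file stops, disables or removes the update-spamhaus-nftables and update-abusech-nftables timers, services, scripts and /etc/nftables/*.nft sets that this change deletes from the repository, so already-provisioned hosts keep running those timers; add `systemd_service` tasks with `state: stopped` and `enabled: false` plus `file` tasks with `state: absent` for them, as the cron-apt removal in this change does for its files.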


@@ -1,27 +1,40 @@
--- ---
# Hosts running Ubuntu 16.04+ and Debian 9+ use systemd init system and should # Hosts running Debian 9+ use systemd init system and can use systemd-timesyncd
# use systemd-timesyncd as a network time client instead of the standalone ntp # as a network time client instead of the standalone ntp client.
# client.
- name: Set timezone - name: Set timezone
when: timezone is defined and ansible_service_mgr == 'systemd' when:
command: /usr/bin/timedatectl set-timezone {{ timezone }} - timezone is defined
- ansible_facts["service_mgr"] == 'systemd'
community.general.timezone:
name: "{{ timezone }}"
tags: timezone tags: timezone
# Apparently some cloud images don't have this installed by default. From what # Apparently some cloud images don't have this installed by default. From what
# I can see on existing servers, systemd-timesyncd is a standalone package on # I can see on existing servers, systemd-timesyncd is a standalone package on
# Ubuntu 20.04 and Debian 11. # Debian 11 and Debian 12.
- name: Install systemd-timesyncd - name: Install systemd-timesyncd
when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or when: ansible_facts["distribution_version"] is version('11', '>=')
(ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '>=')) ansible.builtin.apt:
ansible.builtin.apt: name=systemd-timesyncd state=present cache_valid_time=3600 name: systemd-timesyncd
state: present
cache_valid_time: 3600
- name: Start and enable systemd's NTP client - name: Start and enable systemd's NTP client
when: ansible_service_mgr == 'systemd' when: ansible_facts["service_mgr"] == 'systemd'
ansible.builtin.systemd: name=systemd-timesyncd state=started enabled=true ansible.builtin.systemd_service:
name: systemd-timesyncd
state: started
enabled: true
- name: Uninstall ntp on modern Ubuntu/Debian # On Debian 12 ntp doesn't conflict with systemd-timesyncd so we should try to
ansible.builtin.apt: name=ntp state=absent # remove it to be sure.
when: ansible_service_mgr == 'systemd' - name: Uninstall ntp on Debian 12
when:
- ansible_facts["service_mgr"] == 'systemd'
- ansible_facts["distribution_major_version"] is version('12', '==')
ansible.builtin.apt:
name: ntp
state: absent
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:
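Review bot: 'Uninstall ntp' is narrowed from every systemd host to `distribution_major_version == '12'`, and the new comment says why 12 needs it, but not why 11 and newer releases no longer do; if ntp is harmless beside systemd-timesyncd there, say so in the comment, otherwise `is version('12', '>=')` keeps the cleanup on newer releases. Replacing the `timedatectl` command with `community.general.timezone` is an improvement (idempotent, and reports changed correctly), but it adds a collection dependency that should be declared in the repository's requirements file if it is not already.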


@@ -1,20 +1,7 @@
--- ---
- name: Configure Debian packages - name: Configure Debian packages
tags: packages
block: block:
# Create directory for third-party package signing keys. Required on distros
# older than Debian 12 / Ubuntu 22.04.
#
# See: https://wiki.debian.org/DebianRepository/UseThirdParty
- name: Create /etc/apt/keyrings
file:
path: /etc/apt/keyrings
mode: 0755
owner: root
group: root
state: directory
when: ansible_distribution_major_version is version('12', '<')
# Scaleway seems to use a weird sources.list format as of Debian 12? # Scaleway seems to use a weird sources.list format as of Debian 12?
- name: Check for weird Debian sources - name: Check for weird Debian sources
ansible.builtin.stat: ansible.builtin.stat:
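Review bot: dropping 'Create /etc/apt/keyrings' (the removed comment says the directory is only needed before Debian 12) is consistent with the rest of this change only if pre-12 hosts are gone; the caddy tasks earlier in this change still download a key to /etc/apt/keyrings/caddy-stable-archive-keyring.key and would fail on a Debian 11 host, which firewall.yml still claims to support with its 11+ gates. Moving `tags: packages` onto the block is fine and replaces the per-task tags on the old include lines.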
@@ -22,10 +9,15 @@
register: weird_debian_sources_stat register: weird_debian_sources_stat
- name: Configure apt mirror - name: Configure apt mirror
ansible.builtin.template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
when: when:
- ansible_architecture != 'armv7l' - ansible_facts["architecture"] != 'armv7l'
- not weird_debian_sources_stat - not weird_debian_sources_stat
ansible.builtin.template:
src: sources.list.j2
dest: /etc/apt/sources.list
owner: root
group: root
mode: "0644"
- name: Set fact for base packages - name: Set fact for base packages
ansible.builtin.set_fact: ansible.builtin.set_fact:
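Review bot: the second condition on "Configure apt mirror", `- not weird_debian_sources_stat`, tests the registered result dict, which is always truthy, so the clause is always false and the template never runs; the intent is presumably `- not weird_debian_sources_stat.stat.exists`. The bug predates this hunk, but the reformat is the right moment to fix it.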
@@ -36,7 +28,6 @@
- iotop - iotop
- htop - htop
- strace - strace
- cron-apt
- safe-rm - safe-rm
- debian-goodies - debian-goodies
- mosh - mosh
@@ -48,16 +39,19 @@
- zstd - zstd
- rsync - rsync
- lsof - lsof
- unattended-upgrades
- name: Install base packages - name: Install base packages
ansible.builtin.apt: name={{ base_packages }} state=present cache_valid_time=3600 ansible.builtin.apt:
name: "{{ base_packages }}"
state: present
cache_valid_time: 3600
- name: Configure cron-apt - name: Remove cron-apt
ansible.builtin.import_tasks: cron-apt.yml
tags: cron-apt tags: cron-apt
ansible.builtin.import_tasks: cron-apt.yml
- name: Install tarsnap - name: Install tarsnap
ansible.builtin.import_tasks: tarsnap.yml ansible.builtin.import_tasks: tarsnap.yml
tags: packages
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:
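Review bot: `unattended-upgrades` is added to base_packages but no configuration for it (origins, periodic run) appears anywhere in the diff; confirm it is managed elsewhere, otherwise the package defaults apply silently. Also the task renamed to "Remove cron-apt" still imports the same `cron-apt.yml`; make sure that file now removes the package and its `/etc/cron-apt` configuration rather than installing them, since the name change alone does nothing.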


@@ -1,106 +0,0 @@
---
- name: Configure Ubuntu packages
block:
# Create directory for third-party package signing keys. Required on distros
# older than Debian 12 / Ubuntu 22.04.
#
# See: https://wiki.debian.org/DebianRepository/UseThirdParty
- name: Create /etc/apt/keyrings
file:
path: /etc/apt/keyrings
mode: 0755
owner: root
group: root
state: directory
when: ansible_distribution_major_version is version('22.04', '<')
- name: Configure apt mirror
ansible.builtin.template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
when: ansible_architecture != 'armv7l'
- name: Upgrade base OS
ansible.builtin.apt: upgrade=dist cache_valid_time=3600
- name: Set Ubuntu base packages
ansible.builtin.set_fact:
ubuntu_base_packages:
- git
- git-lfs
- tmux
- iotop
- htop
- strace
- cron-apt
- safe-rm
- debian-goodies
- mosh
- python-pycurl # for ansible's apt_repository
- vim
- unzip
- apt-transport-https # for https support in apt
- zstd
- rsync
- lsof
- name: Install base packages
ansible.builtin.apt: pkg={{ ubuntu_base_packages }} state=present cache_valid_time=3600
# We have to remove snaps one by one in a specific order because some depend
# on others. Only after that can we remove the corresponding system packages.
- name: Remove lxd snap
community.general.snap: name=lxd state=absent
when: ansible_distribution_version is version('20.04', '==')
ignore_errors: true
- name: Remove core18 snap
community.general.snap: name=core18 state=absent
when: ansible_distribution_version is version('20.04', '==')
ignore_errors: true
- name: Remove snapd snap
community.general.snap: name=snapd state=absent
when: ansible_distribution_version is version('20.04', '==')
ignore_errors: true
- name: Set fact for packages to remove (Ubuntu 20.04)
ansible.builtin.set_fact:
ubuntu_annoying_packages:
- whoopsie # security (CIS 4.1)
- apport # security (CIS 4.1)
- command-not-found # annoying
- command-not-found-data # annoying
- python3-commandnotfound # annoying
- snapd # annoying (Ubuntu >= 16.04)
- lxd-agent-loader # annoying (Ubuntu 20.04)
when: ansible_distribution_version is version('20.04', '==')
- name: Remove packages
ansible.builtin.apt: name={{ ubuntu_annoying_packages }} state=absent purge=true
- name: Disable annoying Canonical spam in MOTD
ansible.builtin.file: path={{ item }} mode=0644 state=absent
loop:
- /etc/update-motd.d/99-esm # Ubuntu 14.04
- /etc/update-motd.d/10-help-text # Ubuntu 14.04+
- /etc/update-motd.d/50-motd-news # Ubuntu 18.04+
- /etc/update-motd.d/80-esm # Ubuntu 18.04+
- /etc/update-motd.d/80-livepatch # Ubuntu 18.04+
ignore_errors: true
- name: Disable annoying Canonical spam in MOTD
ansible.builtin.systemd: name={{ item }} state=stopped enabled=no
when: ansible_service_mgr == 'systemd'
loop:
- motd-news.service
- motd-news.timer
- name: Configure cron-apt
ansible.builtin.import_tasks: cron-apt.yml
tags: cron-apt
- name: Install tarsnap
ansible.builtin.import_tasks: tarsnap.yml
tags: packages
# vim: set sw=2 ts=2:
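Review bot: deleting this file drops the Ubuntu-specific hardening along with the package list (the `whoopsie`/`apport` removal marked CIS 4.1, the snapd cleanup, the `motd-news` units), so any Ubuntu host still in inventory silently stops receiving it. Worth stating the "Debian only" decision in the commit message or the role README so the loss of coverage is explicit.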


@@ -1,9 +1,11 @@
--- ---
- name: Zero .ssh/authorized_keys for provisioning user - name: Zero .ssh/authorized_keys for provisioning user
ansible.builtin.file: dest={{ provisioning_user.home }}/.ssh/authorized_keys state=absent ansible.builtin.file:
dest: "{{ provisioning_user.home }}/.ssh/authorized_keys"
state: absent
- name: Add public keys to authorized_keys - name: Add public keys to authorized_keys
ansible.posix.authorized_key: { user: '{{ provisioning_user.name }}', key: "{{ lookup('file',item) }}" } ansible.posix.authorized_key: { user: "{{ provisioning_user.name }}", key: "{{ lookup('file', item) }}" }
with_fileglob: with_fileglob:
# use descriptive names for keys, like: aorth-mzito-rsa.pub # use descriptive names for keys, like: aorth-mzito-rsa.pub
- ssh-pub-keys/*.pub - ssh-pub-keys/*.pub


@@ -1,17 +1,26 @@
--- ---
# Only override the system sshd configuration on older Debian.
# SSH configs don't change in Debian minor versions
- name: Reconfigure /etc/ssh/sshd_config - name: Reconfigure /etc/ssh/sshd_config
ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600 when: ansible_facts["distribution_version"] is version('12', '<=')
when: ansible_distribution == 'Debian' ansible.builtin.template:
notify: reload sshd src: "sshd_config_{{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_major_version'] }}.j2"
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: "0600"
notify: Reload sshd
# Ubuntu is the only distro we have where SSH version is very different from 14.04 -> 14.10, # Newer OpenSSH versions support including extra configuration. The includes
# ie with new ciphers supported etc. # happen at the beginning of the file and the first value to be read is used.
- name: Reconfigure /etc/ssh/sshd_config - name: Configure sshd_config.d overrides
ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600 when: ansible_facts["distribution_version"] is version('13', '>=')
when: ansible_distribution == 'Ubuntu' ansible.builtin.template:
notify: reload sshd src: etc/ssh/sshd_config.d/01-{{ ansible_facts["distribution"] }}-{{ ansible_facts["distribution_major_version"] }}.conf.j2
dest: /etc/ssh/sshd_config.d/01-custom.conf
owner: root
group: root
mode: "0600"
notify: Reload sshd
# See: WeakDH (2015): https://weakdh.org/sysadmin.html # See: WeakDH (2015): https://weakdh.org/sysadmin.html
- name: Remove small Diffie-Hellman SSH moduli - name: Remove small Diffie-Hellman SSH moduli
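Review bot: both new `when` clauses compare `ansible_facts["distribution_version"]`, which on Debian stable carries the point release (for example a value like "12.9"), against a bare major version: a point release of 12 is not `version('12', '<=')` and not `version('13', '>=')` either, so such hosts match neither task and get no sshd configuration at all. Use `distribution_major_version` here, as the template filenames in the same tasks already do (`sshd_config_{{ distribution }}-{{ distribution_major_version }}.j2`).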
@@ -24,28 +33,30 @@
register: check_unsafe_moduli register: check_unsafe_moduli
- name: Extract safe Diffie-Hellman SSH moduli - name: Extract safe Diffie-Hellman SSH moduli
when: check_unsafe_moduli.stdout | length > 0
ansible.builtin.shell: ansible.builtin.shell:
cmd: awk '$5 >= 3071' moduli > moduli.safe cmd: awk '$5 >= 3071' moduli > moduli.safe
chdir: /etc/ssh chdir: /etc/ssh
creates: moduli.safe creates: moduli.safe
when: check_unsafe_moduli.stdout | length > 0
register: extract_safe_moduli register: extract_safe_moduli
- name: Replace unsafe Diffie-Hellman SSH moduli - name: Replace unsafe Diffie-Hellman SSH moduli
when: extract_safe_moduli is changed
ansible.builtin.command: ansible.builtin.command:
cmd: mv moduli.safe moduli cmd: mv moduli.safe moduli
chdir: /etc/ssh chdir: /etc/ssh
register: replace_small_moduli register: replace_small_moduli
when: extract_safe_moduli is changed notify: Reload sshd
notify: reload sshd
- name: Remove DSA and ECDSA host keys - name: Remove DSA and ECDSA host keys
ansible.builtin.file: name=/etc/ssh/{{ item }} state=absent ansible.builtin.file:
name: "/etc/ssh/{{ item }}"
state: absent
loop: loop:
- ssh_host_dsa_key - ssh_host_dsa_key
- ssh_host_dsa_key.pub - ssh_host_dsa_key.pub
- ssh_host_ecdsa_key - ssh_host_ecdsa_key
- ssh_host_ecdsa_key.pub - ssh_host_ecdsa_key.pub
notify: reload sshd notify: Reload sshd
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:
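Review bot: style point on "Remove DSA and ECDSA host keys": `name:` is only an alias of `path:` on `ansible.builtin.file`, and `path:` reads more clearly and matches the other file tasks in this series. Moving `when:` above the module call consistently across the hunk is a welcome cleanup.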


@@ -1,24 +1,45 @@
--- ---
- name: Add Tarsnap apt mirror - name: Check tarsnap apt signing key
ansible.builtin.template: src=tarsnap_sources.list.j2 dest=/etc/apt/sources.list.d/tarsnap.list owner=root group=root mode=0644 ansible.builtin.stat:
register: add_tarsnap_apt_repository path: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
when: ansible_architecture != 'armv7l' register: tarsnap_signing_key_stat
- name: Add GPG key for Tarsnap - name: Download tarsnap apt signing key
ansible.builtin.apt_key: id=0xF608BA1BFB5CE8F8CAB088359F084BEE7F938A76 url=https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc state=present when: not tarsnap_signing_key_stat.stat.exists
register: add_tarsnap_apt_key ansible.builtin.get_url:
url: https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc
dest: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
owner: root
group: root
mode: "0644"
register: download_tarsnap_signing_key
- name: Add tarsnap.org repo
when: ansible_facts["architecture"] != 'armv7l'
ansible.builtin.template:
src: tarsnap_sources.list.j2
dest: /etc/apt/sources.list.d/tarsnap.list
owner: root
group: root
mode: "0644"
register: add_tarsnap_apt_repository
- name: Update apt cache - name: Update apt cache
ansible.builtin.apt: when: (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or add_tarsnap_apt_repository is changed
ansible.builtin.apt: # noqa no-handler
update_cache: true update_cache: true
when:
add_tarsnap_apt_key is changed or
add_tarsnap_apt_repository is changed
- name: Install tarsnap - name: Install tarsnap
ansible.builtin.apt: pkg=tarsnap cache_valid_time=3600 ansible.builtin.apt:
pkg: tarsnap
cache_valid_time: 3600
- name: Copy tarsnaprc - name: Copy tarsnaprc
ansible.builtin.copy: src=tarsnaprc dest=/root/.tarsnaprc owner=root group=root mode=0600 ansible.builtin.copy:
src: tarsnaprc
dest: /root/.tarsnaprc
owner: root
group: root
mode: "0600"
# vim: set sw=2 ts=2: # vim: set sw=2 ts=2:
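Review bot: the old `apt_key` task pinned the signing key by fingerprint (`id=0xF608BA1BFB5CE8F8CAB088359F084BEE7F938A76`); the new `get_url` trusts whatever https://pkg.tarsnap.com serves and writes it straight into `/etc/apt/keyrings`, from where `signed-by=` makes it an apt trust anchor. Add `checksum: sha256:<digest of a key file you have verified against that fingerprint>` (placeholder) to the get_url task so a substituted key fails the download instead of being trusted. Minor: the key download is not gated on `architecture != 'armv7l'` while the repo template is, so armv7l hosts get a key for a repo they never add.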


@@ -0,0 +1,40 @@
{{ ansible_managed | comment }}
HostKey /etc/ssh/ssh_host_ed25519_key
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear
# audit track of which key was using to log in.
LogLevel VERBOSE
MaxAuthTries 4
AuthorizedKeysFile .ssh/authorized_keys
# To disable tunneled clear text passwords, change to no here!
{% if ssh_password_authentication == 'disabled' %}
PasswordAuthentication no
{% else %}
PasswordAuthentication yes
{% endif %}
X11Forwarding no
# Based on the ssh-audit profile for Debian 13, but with but with all algos with
# less than 256 bits removed, as NSA's Suite B removed them years ago and the
# new (2018) CNSA suite is 256 bits and up.
#
# See: ssh-audit.py -P "Hardened Debian 13 (version 1)"
# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com
{% if ssh_allowed_users is defined and ssh_allowed_users %}
AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
{% endif %}
PerSourcePenaltyExemptList {{ fail2ban_ignoreip | replace(" ", ",") }}
# Mask to use for IPv4 and IPv6 respectively when applying network penalties.
# The default is 32:128.
PerSourceNetBlockSize 24:56
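Review bot: the `KexAlgorithms` line offers only the post-quantum hybrids (`mlkem768x25519-sha256`, `sntrup761x25519-sha512`) and drops `curve25519-sha256`, which the Debian 12 template in this series still lists; clients whose OpenSSH predates those hybrids cannot complete key exchange at all, so confirm every client, the Ansible controller included, is recent enough before this lands on Debian 13 hosts. Two smaller points: the comment above `Ciphers` repeats "but with but with", and because this file only overrides, `PermitRootLogin` is left to the OpenSSH default (`prohibit-password`) where the old full config set it explicitly; a one-line comment would make that omission clearly deliberate.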


@@ -1,15 +1,19 @@
[Unit]
# If nftables is stopped or restarted, propagate to fail2ban as well
PartOf=nftables.service
[Service] [Service]
PrivateDevices=yes PrivateDevices=yes
PrivateTmp=yes PrivateTmp=yes
ProtectHome=read-only ProtectHome=read-only
{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %} {% if ansible_facts["distribution_version"] is version('11','>=') %}
ProtectSystem=strict ProtectSystem=strict
{% else %} {% else %}
{# Older systemd versions don't have ProtectSystem=strict #} {# Older systemd versions don't have ProtectSystem=strict #}
ProtectSystem=full ProtectSystem=full
{% endif %} {% endif %}
NoNewPrivileges=yes NoNewPrivileges=yes
{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %} {% if ansible_facts["distribution_version"] is version('11','>=') %}
ReadWritePaths=-/var/run/fail2ban ReadWritePaths=-/var/run/fail2ban
ReadWritePaths=-/var/lib/fail2ban ReadWritePaths=-/var/lib/fail2ban
ReadWritePaths=-/var/log/fail2ban.log ReadWritePaths=-/var/log/fail2ban.log
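Review bot: `PartOf=nftables.service` propagates every stop and restart of nftables to fail2ban, and the new `update-firehol-nftables.sh` in this series ends with `systemctl restart nftables.service`, so fail2ban will now be bounced once a day as a side effect of the list update. Consider having the script reload nftables (or load only the set file with `nft -f`) instead of restarting it, so neither service is interrupted. The simplified `distribution_version is version('11','>=')` guard is fine for a `>=` comparison even with point releases.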


@@ -5,47 +5,18 @@
flush ruleset flush ruleset
# Lists updated daily by update-spamhaus-nftables.sh # List updated daily by update-firehol-nftables.sh
include "/etc/nftables/spamhaus-ipv4.nft" include "/etc/nftables/firehol_level1-ipv4.nft"
include "/etc/nftables/spamhaus-ipv6.nft"
# Lists updated monthly (manually)
include "/etc/nftables/abuseipdb-ipv4.nft"
include "/etc/nftables/abuseipdb-ipv6.nft"
# Lists updated daily by update-abusech-nftables.sh
include "/etc/nftables/abusech-ipv4.nft"
# Notes: # Notes:
# - tables hold chains, chains hold rules # - tables hold chains, chains hold rules
# - inet is for both ipv4 and ipv6 # - inet is for both ipv4 and ipv6
table inet filter { table inet filter {
set spamhaus-ipv4 { set firehol_level1-ipv4 {
type ipv4_addr type ipv4_addr
# if the set contains prefixes we need to use the interval flag # if the set contains prefixes we need to use the interval flag
flags interval flags interval
elements = $SPAMHAUS_IPV4 elements = $FIREHOL_LEVEL1_IPV4
}
set spamhaus-ipv6 {
type ipv6_addr
flags interval
elements = $SPAMHAUS_IPV6
}
set abusech-ipv4 {
type ipv4_addr
elements = $ABUSECH_IPV4
}
set abuseipdb-ipv4 {
type ipv4_addr
elements = $ABUSEIPDB_IPV4
}
set abuseipdb-ipv6 {
type ipv6_addr
elements = $ABUSEIPDB_IPV6
} }
chain input { chain input {
@@ -55,13 +26,7 @@ table inet filter {
ct state invalid counter drop comment "Early drop of invalid connections" ct state invalid counter drop comment "Early drop of invalid connections"
ip saddr @spamhaus-ipv4 counter drop comment "Early drop of incoming packets matching spamhaus-ipv4 list" ip saddr @firehol_level1-ipv4 counter drop comment "Early drop of incoming packets matching firehol_level1-ipv4 list"
ip6 saddr @spamhaus-ipv6 counter drop comment "Early drop of incoming packets matching spamhaus-ipv6 list"
ip saddr @abusech-ipv4 counter drop comment "Early drop of packets matching abusech-ipv4 list"
ip saddr @abuseipdb-ipv4 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv4 list"
ip6 saddr @abuseipdb-ipv6 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv6 list"
iifname lo accept comment "Allow from loopback" iifname lo accept comment "Allow from loopback"
@@ -105,12 +70,6 @@ table inet filter {
chain output { chain output {
type filter hook output priority 0; type filter hook output priority 0;
ip daddr @spamhaus-ipv4 counter drop comment "Drop outgoing packets matching spamhaus-ipv4 list" ip daddr @firehol_level1-ipv4 counter drop comment "Drop outgoing packets matching firehol_level1-ipv4 list"
ip6 daddr @spamhaus-ipv6 counter drop comment "Drop outgoing packets matching spamhaus-ipv6 list"
ip daddr @abusech-ipv4 counter drop comment "Drop outgoing packets matching abusech-ipv4 list"
ip daddr @abuseipdb-ipv4 counter drop comment "Drop outgoing packets matching abuseipdb-ipv4 list"
ip6 daddr @abuseipdb-ipv6 counter drop comment "Drop outgoing packets matching abuseipdb-ipv6 list"
} }
} }
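Review bot: replacing the five lists with the single `firehol_level1-ipv4` set removes all IPv6 blocking: the `spamhaus-ipv6` and `abuseipdb-ipv6` sets and their input/output rules go away with no IPv6 counterpart. On hosts with public IPv6 that is a coverage regression worth naming explicitly in the commit message, and the comment at the top of the file should say the list is IPv4-only.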


@@ -1,5 +0,0 @@
{% if ansible_distribution == 'Ubuntu' %}
deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security main restricted universe multiverse
{% elif ansible_distribution == 'Debian' %}
deb http://security.debian.org/debian-security {{ ansible_distribution_release }}/updates main contrib non-free
{% endif %}


@@ -1,16 +1,6 @@
{% if ansible_distribution == 'Ubuntu' %}
{% set apt_mirror = apt_mirror | default("ubuntu.mirror.ac.ke") %}
deb http://{{ apt_mirror }}/ubuntu/ {{ ansible_distribution_release }} main restricted universe multiverse
deb http://{{ apt_mirror }}/ubuntu/ {{ ansible_distribution_release }}-updates main restricted universe multiverse
deb http://security.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-security main restricted universe multiverse
{% else %}
{% set apt_mirror = apt_mirror | default('deb.debian.org') %} {% set apt_mirror = apt_mirror | default('deb.debian.org') %}
deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }} main contrib non-free deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }} main contrib non-free
deb http://security.debian.org/debian-security {{ ansible_distribution_release }}-security main contrib non-free deb http://security.debian.org/debian-security {{ ansible_distribution_release }}-security main contrib non-free
deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }}-updates main contrib non-free deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }}-updates main contrib non-free
{% endif %} {# ansible_distribution #}
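Review bot: the three remaining `deb` lines still use the bare `ansible_distribution_release` variable although this series otherwise moves to `ansible_facts["distribution_release"]` (the tarsnap sources template does), and the trailing `{# ansible_distribution #}` comment now documents an `if` that no longer exists. Both are worth fixing while the file is being touched.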


@@ -56,7 +56,11 @@ AuthorizedKeysFile .ssh/authorized_keys
#IgnoreRhosts yes #IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here! # To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes {% if ssh_password_authentication == 'disabled' %}
PasswordAuthentication no
{% else %}
PasswordAuthentication yes
{% endif %}
#PermitEmptyPasswords no #PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with # Change to yes to enable challenge-response passwords (beware issues with
@@ -122,7 +126,7 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# AllowTcpForwarding no # AllowTcpForwarding no
# PermitTTY no # PermitTTY no
# ForceCommand cvs server # ForceCommand cvs server
# Based on the ssh-audit profile for OpenSSH 8.4, but with but with all algos # Based on the ssh-audit profile for OpenSSH 8.4, but with but with all algos
# with less than 256 bits removed, as NSA's Suite B removed them years ago and # with less than 256 bits removed, as NSA's Suite B removed them years ago and
# the new (2018) CNSA suite is 256 bits and up. # the new (2018) CNSA suite is 256 bits and up.
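Review bot: the context comment "but with but with all algos" duplicates words; since this file is already being edited for the `PasswordAuthentication` block above, the typo fix can ride along.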
@@ -131,7 +135,7 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite # See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256, curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256 KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
{% if ssh_allowed_users is defined and ssh_allowed_users %} {% if ssh_allowed_users is defined and ssh_allowed_users %}
# Is there a list of allowed users? # Is there a list of allowed users?


@@ -56,8 +56,12 @@ AuthorizedKeysFile .ssh/authorized_keys
#IgnoreRhosts yes #IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here! # To disable tunneled clear text passwords, change to no here!
{% if ssh_password_authentication == 'disabled' %}
PasswordAuthentication no
{% else %}
PasswordAuthentication yes PasswordAuthentication yes
PermitEmptyPasswords no {% endif %}
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with # Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads) # some PAM modules and threads)
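Review bot: `PermitEmptyPasswords no` is changed from an explicit setting to the commented default `#PermitEmptyPasswords no`. The effective value is the same, but now that `PasswordAuthentication yes` is reachable through `ssh_password_authentication`, an explicit `no` is what configuration audits look for; keep it uncommented.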
@@ -130,7 +134,7 @@ Subsystem sftp /usr/lib/openssh/sftp-server
# See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py # See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py
# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite # See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256 KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
{% if ssh_allowed_users is defined and ssh_allowed_users %} {% if ssh_allowed_users is defined and ssh_allowed_users %}


@@ -1,140 +0,0 @@
# $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
LogLevel VERBOSE
# Authentication:
#LoginGraceTime 2m
PermitRootLogin prohibit-password
#StrictModes yes
MaxAuthTries 4
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
PasswordAuthentication yes
# Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html
# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now
# does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
{% if ssh_allowed_users is defined and ssh_allowed_users %}
# Is there a list of allowed users?
# Is it populated? (An empty list is 'None', which evaluates as False in Python)
# merge the items of a list into one string using a space as a separator
# http://jinja.pocoo.org/docs/dev/templates/#join
AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
{% endif %}


@@ -90,7 +90,7 @@ net.ipv4.tcp_wmem = 4096 65536 16777216
# increase the length of the processor input queue # increase the length of the processor input queue
net.core.netdev_max_backlog = 30000 net.core.netdev_max_backlog = 30000
{# kernels after 2.6.32 don't have buggy cubic #} {# kernels after 2.6.32 don't have buggy cubic #}
{% if ansible_kernel < "2.6.33" %} {% if ansible_facts["kernel"] < "2.6.33" %}
# recommended default congestion control is htcp # recommended default congestion control is htcp
net.ipv4.tcp_congestion_control=htcp net.ipv4.tcp_congestion_control=htcp
{% endif %} {% endif %}
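Review bot: `{% if ansible_facts["kernel"] < "2.6.33" %}` is a string comparison, not a version comparison; it happens to give the right answer for 3.x to 6.x kernels but `is version("2.6.33", "<")` is what the rest of the role uses and is correct for any kernel string. Given the guard only matters for kernels older than 2.6.33, the whole block is probably removable.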
@@ -98,7 +98,7 @@ net.ipv4.tcp_congestion_control=htcp
#net.ipv4.tcp_mtu_probing=1 #net.ipv4.tcp_mtu_probing=1
{# disable iptables on bridge interfaces on VM hosts #} {# disable iptables on bridge interfaces on VM hosts #}
{% if ansible_virtualization_role == "host" %} {% if ansible_facts["virtualization_role"] == "host" %}
net.bridge.bridge-nf-call-ip6tables = 0 net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0 net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0 net.bridge.bridge-nf-call-arptables = 0


@@ -1,100 +0,0 @@
#
# /etc/sysctl.conf - Configuration file for setting system variables
# See /etc/sysctl.d/ for additional system variables
# See sysctl.conf (5) for information.
#
#kernel.domainname = example.com
# Uncomment the following to stop low-level messages on console
#kernel.printk = 3 4 1 3
##############################################################3
# Functions previously found in netbase
#
# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
# Turn on Source Address Verification in all interfaces to
# prevent some spoofing attacks
#net.ipv4.conf.default.rp_filter=1
#net.ipv4.conf.all.rp_filter=1
# Uncomment the next line to enable TCP/IP SYN cookies
# See http://lwn.net/Articles/277146/
# Note: This may impact IPv6 TCP sessions too
#net.ipv4.tcp_syncookies=1
# Uncomment the next line to enable packet forwarding for IPv4
#net.ipv4.ip_forward=1
# Uncomment the next line to enable packet forwarding for IPv6
# Enabling this option disables Stateless Address Autoconfiguration
# based on Router Advertisements for this host
#net.ipv6.conf.all.forwarding=1
###################################################################
# Additional settings - these settings can improve the network
# security of the host and prevent against some network attacks
# including spoofing attacks and man in the middle attacks through
# redirection. Some network environments, however, require that these
# settings are disabled so review and enable them as needed.
#
# Do not accept ICMP redirects (prevent MITM attacks)
#net.ipv4.conf.all.accept_redirects = 0
#net.ipv6.conf.all.accept_redirects = 0
# _or_
# Accept ICMP redirects only for gateways listed in our default
# gateway list (enabled by default)
# net.ipv4.conf.all.secure_redirects = 1
#
# Do not send ICMP redirects (we are not a router)
#net.ipv4.conf.all.send_redirects = 0
#
# Do not accept IP source route packets (we are not a router)
#net.ipv4.conf.all.accept_source_route = 0
#net.ipv6.conf.all.accept_source_route = 0
#
# Log Martian Packets
#net.ipv4.conf.all.log_martians = 1
#
# CIS Benchmark Adjustments
# See: https://github.com/alanorth/securekickstarts
kernel.randomize_va_space = 2
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.tcp_syncookies = 1
# TCP stuff
# See: http://fasterdata.es.net/host-tuning/linux/
# increase TCP max buffer size settable using setsockopt()
net.core.rmem_max = 16777216
net.core.wmem_max = 16777216
# increase Linux autotuning TCP buffer limit
net.ipv4.tcp_rmem = 4096 87380 16777216
net.ipv4.tcp_wmem = 4096 65536 16777216
# increase the length of the processor input queue
net.core.netdev_max_backlog = 30000
# recommended for hosts with jumbo frames enabled
#net.ipv4.tcp_mtu_probing=1
# increase quadruplets (src ip, src port, dest ip, dest port)
# see: http://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux.html
net.ipv4.ip_local_port_range = 10240 65535
# recommended for web servers, especially if running SPDY
# see: http://www.chromium.org/spdy/spdy-best-practices
net.ipv4.tcp_slow_start_after_idle = 0


@@ -1 +1 @@
deb [arch=amd64] https://pkg.tarsnap.com/deb/{{ ansible_distribution_release }} ./ deb [arch=amd64 signed-by=/etc/apt/keyrings/tarsnap-deb-packaging-key.asc] https://pkg.tarsnap.com/deb/{{ ansible_facts["distribution_release"] }} ./


@@ -0,0 +1,65 @@
#!/usr/bin/env bash
#
# update-firehol-nftables.sh v0.0.1
#
# Download FireHOL lists and load them into nftables sets.
#
# See: https://iplists.firehol.org/
#
# Copyright (C) 2025 Alan Orth
#
# SPDX-License-Identifier: GPL-3.0-only
# Exit on first error
set -o errexit
firehol_level1_ipv4_set_path=/etc/nftables/firehol_level1-ipv4.nft
function download() {
echo "Downloading $1"
wget -q -O - "https://iplists.firehol.org/files/$1" > "$1"
}
download firehol_level1.netset
if [[ -f "firehol_level1.netset" ]]; then
echo "Processing FireHOL Level 1 list"
firehol_level1_ipv4_list_temp=$(mktemp)
firehol_level1_ipv4_set_temp=$(mktemp)
# Filter blank lines, comments, and bogons we use inside the LAN, DMZ, and
# for local services like systemd-resolved and others on localhost. Ideally
# these are blocked already at the WAN side by network administrators.
cat firehol_level1.netset \
| sed \
-e '/^$/d' \
-e '/^#.*/d' \
-e '/^127\.0\.0\.0\/8/d' \
> "$firehol_level1_ipv4_list_temp"
echo "Building firehol_level1-ipv4 set"
cat << NFT_HEAD > "$firehol_level1_ipv4_set_temp"
#!/usr/sbin/nft -f
define FIREHOL_LEVEL1_IPV4 = {
NFT_HEAD
while read -r network; do
# nftables doesn't mind if the last element in the set has a trailing
# comma so we don't need to do anything special here.
echo "$network," >> "$firehol_level1_ipv4_set_temp"
done < $firehol_level1_ipv4_list_temp
echo "}" >> "$firehol_level1_ipv4_set_temp"
install -m 0600 "$firehol_level1_ipv4_set_temp" "$firehol_level1_ipv4_set_path"
rm -f "$firehol_level1_ipv4_list_temp" "$firehol_level1_ipv4_set_temp"
fi
echo "Restarting nftables"
/usr/bin/systemctl restart nftables.service
rm -v firehol_level1.netset
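Review bot: the loop `while read -r network; do ... echo "$network," >> "$firehol_level1_ipv4_set_temp"` writes every non-blank, non-comment line of the downloaded list straight into an nft `define` without checking that it is an IPv4 address or CIDR, and the script then unconditionally runs `systemctl restart nftables.service`; a changed list format or a 200 response carrying HTML instead of the list would produce a file that `nft -f` rejects, and on Debian, whose nftables.service flushes the ruleset on stop, a failed start leaves the host with no rules at all. Validate each line before appending it (for example `[[ $network =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}(/[0-9]{1,2})?$ ]] || continue`) and run `nft -c -f` against the generated file (or the full config that includes it) before `install`, restarting only when the check passes. Two smaller points: the comment says the sed strips LAN and DMZ bogons, but the only pattern removed is `127.0.0.0/8`, so either add the RFC 1918 ranges you rely on or shrink the comment; and the script downloads into and `rm -v`s from whatever the current working directory is, so `cd` to a `mktemp -d` directory first (or download to a temp file), and add `set -o pipefail` so a failing `cat | sed` pipeline is not masked by `errexit` seeing only the last command's status.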

View File

@@ -1,15 +1,4 @@
--- ---
# ansible.builtin.file: roles/mariadb/defaults/main.yml
#
# Based on my running of mysqltuner.pl on a host with three WordPress databases
#
# default is 128MB but is a waste because it seems only the mysql table uses it
key_buffer_size: 8M
# default is 128MB but is a waste because it seems only information_schema uses
# AriaDB, see: https://mariadb.com/kb/en/mariadb/aria-system-variables
aria_pagecache_buffer_size: 8M
# default is 128M, but set to at least the size of your InnoDB data # default is 128M, but set to at least the size of your InnoDB data
innodb_buffer_pool_size: 256M innodb_buffer_pool_size: 256M
@@ -22,10 +11,6 @@ mariadb_login_unix_socket: /run/mysqld/mysqld.sock
# default is 100 but the max I've seen used is 5, so let's reduce it # default is 100 but the max I've seen used is 5, so let's reduce it
max_connections: 33 max_connections: 33
# disable the query cache by default
query_cache_size: 0
query_cache_type: 0
# mysqltuner says we should use larger than 32M on our setup # mysqltuner says we should use larger than 32M on our setup
tmp_table_size: 64M tmp_table_size: 64M
max_heap_table_size: 64M max_heap_table_size: 64M
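Review bot: dropping `query_cache_size: 0` and `query_cache_type: 0` from the defaults (the new `70-local.cnf.j2` no longer references them either) means the query cache state is now whatever the server's built-in default is rather than being pinned here; MariaDB ships with `query_cache_type=OFF`, so behaviour should not change, but since the old comment recorded that the cache was disabled on purpose, add a line to the new template or a comment here saying the upstream default is being relied on. The header comment `# ansible.builtin.file: roles/mariadb/defaults/main.yml` also goes away in this hunk while other files in the change keep theirs (see the munin handler), so keep it for consistency.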

View File

@@ -1,5 +1,7 @@
--- ---
- name: restart mariadb - name: restart mariadb
ansible.builtin.systemd: name=mariadb state=restarted ansible.builtin.systemd_service:
name: mariadb
state: restarted
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@@ -1,67 +1,18 @@
--- ---
- name: Remove MariaDB key from apt-key
ansible.builtin.apt_key:
id: 0x177F4010FE56CA3336300305F1656F24C74CD1D8
state: absent
tags:
- packages
- mariadb
- name: Check MariaDB package signing key
ansible.builtin.stat:
path: /etc/apt/keyrings/mariadb_release_signing_key.asc
register: mariadb_signing_key_stat
tags:
- packages
- mariadb
- name: Download MariaDB package signing key
ansible.builtin.get_url:
url: https://mariadb.org/mariadb_release_signing_key.asc
dest: /etc/apt/keyrings/mariadb_release_signing_key.asc
owner: root
group: root
mode: 0644
register: download_mariadb_signing_key
when: not mariadb_signing_key_stat.stat.exists
tags:
- packages
- mariadb
- name: Add MariaDB 10.6 repo
ansible.builtin.apt_repository:
repo: 'deb [arch=amd64 signed-by=/etc/apt/keyrings/mariadb_release_signing_key.asc] https://dlm.mariadb.com/repo/mariadb-server/10.6/repo/debian {{ ansible_distribution_release }} main'
filename: mariadb
state: present
register: add_mariadb_apt_repository
tags:
- packages
- mariadb
- name: Update apt cache
ansible.builtin.apt: # noqa no-handler
update_cache: true
when:
(download_mariadb_signing_key.status_code is defined and download_mariadb_signing_key.status_code == 200) or
add_mariadb_apt_repository is changed
tags:
- packages
- mariadb
- name: Install mariadb-server - name: Install mariadb-server
ansible.builtin.apt: ansible.builtin.apt:
name: ['mariadb-server', 'python3-pymysql'] name: [mariadb-server, python3-pymysql]
state: present state: present
cache_valid_time: 3600 cache_valid_time: 3600
tags: mariadb, packages tags: mariadb, packages
- name: Create system my.cnf - name: Add MariaDB configuration overrides
ansible.builtin.template: ansible.builtin.template:
src: my.cnf.j2 src: 70-local.cnf.j2
dest: /etc/mysql/my.cnf dest: /etc/mysql/mariadb.conf.d/70-local.cnf
owner: root owner: root
group: root group: root
mode: 0644 mode: "0644"
notify: notify:
- restart mariadb - restart mariadb
tags: mariadb tags: mariadb
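Review bot: the hunk removes the `Add MariaDB 10.6 repo` and signing-key tasks but adds no `state: absent` counterparts, so a host provisioned with the earlier version of this role keeps `/etc/apt/sources.list.d/mariadb.list` (from `filename: mariadb`) and `/etc/apt/keyrings/mariadb_release_signing_key.asc`, and apt will keep tracking the dlm.mariadb.com 10.6 packages alongside Debian's `mariadb-server`. Add an `ansible.builtin.apt_repository: ... state: absent` task for that `repo:` line and an `ansible.builtin.file: state: absent` task for the key (they can be deleted once every host has converged); without them the switch to Debian's package only takes effect on freshly built hosts. The new template task is fine; a one-line comment saying `70-local.cnf` sorts after the package's `50-server.cnf` and therefore wins would help the next reader.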
@@ -83,21 +34,22 @@
src: .my.cnf.j2 src: .my.cnf.j2
dest: /root/.my.cnf dest: /root/.my.cnf
owner: root owner: root
mode: 0600 mode: "0600"
tags: mariadb tags: mariadb
# See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_db_module.html # See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_db_module.html
- name: Create MariaDB database(s) - name: Create MariaDB database(s)
when: mariadb_databases is defined
community.mysql.mysql_db: community.mysql.mysql_db:
db: "{{ item.name }}" db: "{{ item.name }}"
state: present state: present
encoding: utf8mb4 encoding: utf8mb4
login_unix_socket: "{{ mariadb_login_unix_socket }}" login_unix_socket: "{{ mariadb_login_unix_socket }}"
loop: "{{ mariadb_databases }}" loop: "{{ mariadb_databases }}"
when: mariadb_databases is defined
tags: mariadb tags: mariadb
- name: Create MariaDB user(s) - name: Create MariaDB user(s)
when: mariadb_databases is defined
community.mysql.mysql_user: community.mysql.mysql_user:
name: "{{ item.user }}" name: "{{ item.user }}"
password: "{{ item.pass }}" password: "{{ item.pass }}"
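Review bot: `Create MariaDB user(s)` loops over `mariadb_databases` with `password: "{{ item.pass }}"`; the module masks its `password` argument, but the per-iteration label Ansible prints is the whole `item` dictionary, so `pass` still lands in play output and in any log aggregation. Add `loop_control: label: "{{ item.user }}"` (or `no_log: true`) to this task, and apply the same label to `Create MariaDB database(s)` above for consistency. Moving `when:` above the module keyword is a pure reordering and reads fine.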
@@ -106,7 +58,6 @@
state: present state: present
login_unix_socket: "{{ mariadb_login_unix_socket }}" login_unix_socket: "{{ mariadb_login_unix_socket }}"
loop: "{{ mariadb_databases }}" loop: "{{ mariadb_databases }}"
when: mariadb_databases is defined
tags: mariadb tags: mariadb
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@@ -0,0 +1,10 @@
{{ ansible_managed | comment }}
[mysqld]
# don't resolve connection IPs to hostnames (make sure user accounts are using
# IPs instead of "localhost")
skip-name-resolve=1
max_connections = {{ max_connections }}
tmp_table_size = {{ tmp_table_size }}
max_heap_table_size = {{ max_heap_table_size }}
innodb_buffer_pool_size = {{ innodb_buffer_pool_size }}

View File

@@ -1,196 +0,0 @@
{{ ansible_managed | comment }}
# MariaDB database server configuration file.
#
# You can copy this file to one of:
# - "/etc/mysql/my.cnf" to set global options,
# - "~/.my.cnf" to set user-specific options.
#
# One can use all long options that the program supports.
# Run program with --help to get a list of available options and with
# --print-defaults to see which it would actually understand and use.
#
# For explanations see
# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
# This will be passed to all mysql clients
# It has been reported that passwords should be enclosed with ticks/quotes
# escpecially if they contain "#" chars...
# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
[client]
port = 3306
socket = /run/mysqld/mysqld.sock
# Here is entries for some specific programs
# The following values assume you have at least 32M ram
# This was formally known as [safe_mysqld]. Both versions are currently parsed.
[mysqld_safe]
socket = /run/mysqld/mysqld.sock
nice = 0
[mysqld]
#
# * Basic Settings
#
user = mysql
pid-file = /run/mysqld/mysqld.pid
socket = /run/mysqld/mysqld.sock
port = 3306
basedir = /usr
datadir = /var/lib/mysql
tmpdir = /tmp
lc_messages_dir = /usr/share/mysql
lc_messages = en_US
skip-external-locking
#
# Instead of skip-networking the default is now to listen only on
# localhost which is more compatible and is not less secure.
bind-address = 127.0.0.1
# don't resolve connection IPs to hostnames (make sure user accounts are using
# IPs instead of "localhost")
skip-name-resolve=1
#
# * Fine Tuning
#
max_connections = {{ max_connections }}
connect_timeout = 5
wait_timeout = 600
max_allowed_packet = 16M
thread_cache_size = 128
sort_buffer_size = 4M
bulk_insert_buffer_size = 16M
tmp_table_size = {{ tmp_table_size }}
max_heap_table_size = {{ max_heap_table_size }}
#
# * MyISAM
#
# This replaces the startup script and checks MyISAM tables if needed
# the first time they are touched. On error, make copy and try a repair.
myisam_recover_options = BACKUP
key_buffer_size = {{ key_buffer_size }}
#open-files-limit = 2000
table_open_cache = 400
myisam_sort_buffer_size = 512M
concurrent_insert = 2
read_buffer_size = 2M
read_rnd_buffer_size = 1M
#
# * Query Cache Configuration
#
query_cache_limit = 128K
query_cache_size = {{ query_cache_size }}
query_cache_type = {{ query_cache_type }}
#
# * Logging and Replication
#
# Both location gets rotated by the cronjob.
# Be aware that this log type is a performance killer.
# As of 5.1 you can enable the log at runtime!
#general_log_file = /var/log/mysql/mysql.log
#general_log = 1
#
# Error logging goes to syslog due to /etc/mysql/conf.d/mysqld_safe_syslog.cnf.
#
# we do want to know about network errors and such
log_warnings = 2
#
# Enable the slow query log to see queries with especially long duration
#slow_query_log[={0|1}]
slow_query_log_file = /var/log/mysql/mariadb-slow.log
long_query_time = 10
#log_slow_rate_limit = 1000
log_slow_verbosity = query_plan
#log-queries-not-using-indexes
#log_slow_admin_statements
#
# The following can be used as easy to replay backup logs or for replication.
# note: if you are setting up a replication slave, see README.Debian about
# other settings you may need to change.
#server-id = 1
#report_host = master1
#auto_increment_increment = 2
#auto_increment_offset = 1
log_bin = /var/log/mysql/mariadb-bin
log_bin_index = /var/log/mysql/mariadb-bin.index
# not fab for performance, but safer
#sync_binlog = 1
expire_logs_days = 10
max_binlog_size = 100M
# slaves
#relay_log = /var/log/mysql/relay-bin
#relay_log_index = /var/log/mysql/relay-bin.index
#relay_log_info_file = /var/log/mysql/relay-bin.info
#log_slave_updates
#read_only
#
# If applications support it, this stricter sql_mode prevents some
# mistakes like inserting invalid dates etc.
#sql_mode = NO_ENGINE_SUBSTITUTION,TRADITIONAL
#
# * InnoDB
#
# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
# Read the manual for more InnoDB related options. There are many!
default_storage_engine = InnoDB
# you can't just change log file size, requires special procedure
#innodb_log_file_size = 50M
innodb_buffer_pool_size = {{ innodb_buffer_pool_size }}
innodb_log_buffer_size = 8M
innodb_file_per_table = 1
innodb_open_files = 400
innodb_io_capacity = 400
innodb_flush_method = O_DIRECT
aria_pagecache_buffer_size = {{ aria_pagecache_buffer_size }}
#
# * Security Features
#
# Read the manual, too, if you want chroot!
# chroot = /var/lib/mysql/
#
# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
#
# ssl-ca=/etc/mysql/cacert.pem
# ssl-cert=/etc/mysql/server-cert.pem
# ssl-key=/etc/mysql/server-key.pem
#
# * Galera-related settings
#
[galera]
# Mandatory settings
#wsrep_on=ON
#wsrep_provider=
#wsrep_cluster_address=
#binlog_format=row
#default_storage_engine=InnoDB
#innodb_autoinc_lock_mode=2
#
# Allow server to accept connections on all interfaces.
#
#bind-address=0.0.0.0
#
# Optional setting
#wsrep_slave_threads=1
#innodb_flush_log_at_trx_commit=0
[mysqldump]
quick
quote-names
max_allowed_packet = 16M
[mysql]
#no-auto-rehash # faster start of mysql but no tab completion
[isamchk]
key_buffer = 16M
#
# * IMPORTANT: Additional settings that can override those from this file!
# The files must end with '.cnf', otherwise they'll be ignored.
#
!include /etc/mysql/mariadb.cnf
!includedir /etc/mysql/conf.d/
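Review bot: deleting `my.cnf.j2` drops settings that the new `70-local.cnf.j2` does not carry over, and not all of them come back from the Debian package defaults: `bind-address = 127.0.0.1` is also Debian's default, but `log_warnings = 2`, the slow query log (`slow_query_log_file`, `long_query_time = 10`, `log_slow_verbosity = query_plan`), `innodb_flush_method = O_DIRECT` and above all binary logging (`log_bin`, `expire_logs_days = 10`, `max_binlog_size = 100M`) are off unless configured. If anything relied on the binlog for point-in-time recovery or on the slow log for tuning, re-add those lines to `70-local.cnf.j2`; if the drop is intended, say so in the commit message. Separately, on hosts where the old task already wrote `/etc/mysql/my.cnf` as a regular file, that file stays in place after this change (nothing restores the package's `my.cnf` symlink), so those hosts keep the old `[mysqld]` block plus the new drop-in; a one-off task or a documented manual step to reinstate the packaged `my.cnf` is needed for old and new hosts to end up with the same configuration.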

View File

@@ -1,4 +1,4 @@
--- ---
# ansible.builtin.file: roles/munin/handlers/main.yml # ansible.builtin.file: roles/munin/handlers/main.yml
- name: restart munin-node - name: restart munin-node
ansible.builtin.systemd: name=munin-node state=restarted ansible.builtin.systemd_service: name=munin-node state=restarted
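Review bot: this handler is switched to `ansible.builtin.systemd_service` but keeps the free-form `name=munin-node state=restarted`, whereas the mariadb and nginx handlers in this change are rewritten as YAML mappings (`name: munin-node` / `state: restarted`); expand it the same way so ansible-lint's `no-free-form` rule stays quiet across the repo and the handlers all read alike.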

View File

@@ -1,16 +1,22 @@
--- ---
- name: Install munin-node - name: Install munin-node
ansible.builtin.apt: name=munin-node state=present ansible.builtin.apt:
name: munin-node
state: present
tags: packages tags: packages
# some nice things to have for munin-node on Ubuntu # some nice things to have for munin-node on Ubuntu
# libwww-perl: for munin's nginx_status check # libwww-perl: for munin's nginx_status check
- name: Install munin-node deps - name: Install munin-node deps
ansible.builtin.apt: name=libwww-perl state=present ansible.builtin.apt:
name: libwww-perl
state: present
tags: packages tags: packages
- name: Create munin-node.conf - name: Create munin-node.conf
ansible.builtin.template: src=munin-node.conf.j2 dest=/etc/munin/munin-node.conf ansible.builtin.template:
src: munin-node.conf.j2
dest: /etc/munin/munin-node.conf
notify: notify:
- restart munin-node - restart munin-node
@@ -20,6 +26,9 @@
- restart munin-node - restart munin-node
- name: Start munin-node - name: Start munin-node
ansible.builtin.systemd: name=munin-node state=started enabled=true ansible.builtin.systemd_service:
name: munin-node
state: started
enabled: true
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@@ -1,9 +1,16 @@
--- ---
- name: Install munin package - name: Install munin package
ansible.builtin.apt: name=munin state=present ansible.builtin.apt:
name: munin
state: present
tags: packages tags: packages
- name: Create munin configuration file - name: Create munin configuration file
ansible.builtin.template: src=munin.conf.j2 dest=/etc/munin/munin.conf owner=root group=root mode=0644 ansible.builtin.template:
src: munin.conf.j2
dest: /etc/munin/munin.conf
owner: root
group: root
mode: "0644"
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@@ -5,20 +5,20 @@
nginx_confd_path: /etc/nginx/conf.d nginx_confd_path: /etc/nginx/conf.d
# parent directory of vhost roots # parent directory of vhost roots
nginx_root_prefix: /var/www nginx_root_prefix: "{{ web_root_prefix }}"
# 1 hour timeout # 1 day timeout
nginx_ssl_session_timeout: 1h nginx_ssl_session_timeout: 1d
# 10MB -> 40,000 sessions # 10MB -> 40,000 sessions
nginx_ssl_session_cache: shared:SSL:10m nginx_ssl_session_cache: shared:SSL:10m
# 1400 bytes to fit in one MTU (default is 16k!) nginx_ssl_buffer_size: 4k
nginx_ssl_buffer_size: 1400
nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
nginx_ssl_protocols: 'TLSv1.2 TLSv1.3' nginx_ssl_protocols: TLSv1.2 TLSv1.3
nginx_ssl_ecdh_curve: X25519:prime256v1:secp384r1
# DNS resolvers for OCSP stapling (default to Cloudflare public DNS) # DNS resolvers for OCSP stapling (default to Cloudflare public DNS)
# See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling # See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]' nginx_ssl_stapling_resolver: 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]
# HTTP Strict-Transport-Security header, recommended by Google to be ~1 year # HTTP Strict-Transport-Security header, recommended by Google to be ~1 year
# in seconds, see: https://hstspreload.org/ # in seconds, see: https://hstspreload.org/
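Review bot: `nginx_ssl_session_timeout: 1d` (up from `1h`) extends how long a cached session or session ticket stays resumable; together with the vhost template in this same change dropping `ssl_session_tickets off;`, resumed TLS 1.2 sessions are now protected by nginx's in-memory ticket key for up to a day, and that key only changes on a configuration reload. If the longer timeout is wanted to save full handshakes, keep tickets off (the `shared:SSL:10m` cache alone gives resumption) or manage `ssl_session_ticket_key` with rotation; otherwise `1h` is the safer value. Two smaller points: `nginx_root_prefix: "{{ web_root_prefix }}"` now depends on a variable not defined in this file, so document where `web_root_prefix` must be set or give it a `default()`, and the `# 1400 bytes ...` comment is removed along with the value but the new `4k` has no rationale, so add one line on why 4k was chosen.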
@@ -37,8 +37,8 @@ letsencrypt_root: /etc/ssl
letsencrypt_acme_script_temp: /root/acme.sh letsencrypt_acme_script_temp: /root/acme.sh
letsencrypt_acme_home: /root/.acme.sh letsencrypt_acme_home: /root/.acme.sh
# stable is 1.20.x # stable is 1.26.x
# mainline is 1.21.x # mainline is 1.27.x
nginx_version: mainline nginx_version: mainline
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@@ -1,5 +1,7 @@
--- ---
- name: reload nginx - name: Reload nginx
ansible.builtin.systemd: name=nginx state=reloaded ansible.builtin.systemd_service:
name: nginx
state: reloaded
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:

View File

@@ -1,91 +1,91 @@
--- ---
# Use acme.sh instead of certbot because they only support installation via # Use acme.sh instead of certbot because they only support installation via
# snap now. # snap now.
- block: - name: Install and configure Let's Encrypt
- name: Remove certbot
ansible.builtin.apt:
name: certbot
state: absent
- name: Remove old certbot post and pre hooks for nginx
ansible.builtin.file:
dest: "{{ item }}"
state: absent
with_items:
- /etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh
- /etc/letsencrypt/renewal-hooks/post/start-nginx.sh
- name: Check if acme.sh is installed
ansible.builtin.stat:
path: "{{ letsencrypt_acme_home }}"
register: acme_home
- name: Download acme.sh
ansible.builtin.get_url:
url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
dest: "{{ letsencrypt_acme_script_temp }}"
mode: 0700
register: acme_download
when: not acme_home.stat.exists
# Run the "install" for acme.sh so it creates the .acme.sh dir (currently I
# have to chdir to the /root directory where the script exists or else it
# fails. Ansible runs it, but the script can't find itself...).
- name: Install acme.sh
ansible.builtin.command:
cmd: "{{ letsencrypt_acme_script_temp }} --install --no-profile --no-cron"
creates: "{{ letsencrypt_acme_home }}/acme.sh"
chdir: /root
register: acme_install
when: acme_download is changed
- name: Remove temporary acme.sh script
ansible.builtin.file:
dest: "{{ letsencrypt_acme_script_temp }}"
state: absent
when:
- acme_install.rc is defined
- acme_install.rc == 0
- name: Set default certificate authority for acme.sh
ansible.builtin.command:
cmd: "{{ letsencrypt_acme_home }}/acme.sh --set-default-ca --server letsencrypt"
- name: Prepare Let's Encrypt well-known directory
ansible.builtin.file:
state: directory
path: /var/lib/letsencrypt/.well-known
owner: root
group: nginx
mode: g+s
- name: Copy systemd service to renew Let's Encrypt certs
ansible.builtin.template:
src: renew-letsencrypt.service.j2
dest: /etc/systemd/system/renew-letsencrypt.service
mode: 0644
owner: root
group: root
- name: Copy systemd timer to renew Let's Encrypt certs
ansible.builtin.copy:
src: renew-letsencrypt.timer
dest: /etc/systemd/system/renew-letsencrypt.timer
mode: 0644
owner: root
group: root
# always issues daemon-reload just in case the service/timer changed
- name: Start and enable systemd timer to renew Let's Encrypt certs
ansible.builtin.systemd:
name: renew-letsencrypt.timer
state: started
enabled: true
daemon_reload: true
when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '=='))
or (ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '=='))
tags: letsencrypt tags: letsencrypt
when:
- ansible_facts["distribution"] == 'Debian'
- ansible_facts["distribution_version"] is version('11', '>=')
block:
- name: Remove certbot
ansible.builtin.apt:
name: certbot
state: absent
- name: Remove old certbot post and pre hooks for nginx
ansible.builtin.file:
dest: "{{ item }}"
state: absent
with_items:
- /etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh
- /etc/letsencrypt/renewal-hooks/post/start-nginx.sh
- name: Check if acme.sh is installed
ansible.builtin.stat:
path: "{{ letsencrypt_acme_home }}"
register: acme_home
- name: Download acme.sh
when: not acme_home.stat.exists
ansible.builtin.get_url:
url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
dest: "{{ letsencrypt_acme_script_temp }}"
mode: "0700"
register: acme_download
# Run the "install" for acme.sh so it creates the .acme.sh dir (currently I
# have to chdir to the /root directory where the script exists or else it
# fails. Ansible runs it, but the script can't find itself...).
- name: Install acme.sh
when: acme_download is changed
ansible.builtin.command:
cmd: "{{ letsencrypt_acme_script_temp }} --install --no-profile --no-cron"
creates: "{{ letsencrypt_acme_home }}/acme.sh"
chdir: /root
register: acme_install
- name: Remove temporary acme.sh script
when:
- acme_install.rc is defined
- acme_install.rc == 0
ansible.builtin.file:
dest: "{{ letsencrypt_acme_script_temp }}"
state: absent
- name: Set default certificate authority for acme.sh
ansible.builtin.command:
cmd: "{{ letsencrypt_acme_home }}/acme.sh --set-default-ca --server letsencrypt"
- name: Prepare Let's Encrypt well-known directory
ansible.builtin.file:
state: directory
path: /var/lib/letsencrypt/.well-known
owner: root
group: nginx
mode: g+s
- name: Copy systemd service to renew Let's Encrypt certs
ansible.builtin.template:
src: renew-letsencrypt.service.j2
dest: /etc/systemd/system/renew-letsencrypt.service
mode: "0644"
owner: root
group: root
- name: Copy systemd timer to renew Let's Encrypt certs
ansible.builtin.copy:
src: renew-letsencrypt.timer
dest: /etc/systemd/system/renew-letsencrypt.timer
mode: "0644"
owner: root
group: root
# always issues daemon-reload just in case the service/timer changed
- name: Start and enable systemd timer to renew Let's Encrypt certs
ansible.builtin.systemd_service:
name: renew-letsencrypt.timer
state: started
enabled: true
daemon_reload: true
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:
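Review bot: `Download acme.sh` still fetches `https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh` with no `checksum:`, and `Install acme.sh` then executes it as root; the same change pins sha256 checksums for the nginx signing key and the ffdhe4096 dhparams, so this is now the one unverified download that gets run. Pin a release tag in the URL instead of `master` and add `checksum: sha256:<digest of the pinned release>` as done elsewhere in the diff. Also, `Set default certificate authority for acme.sh` is a bare `ansible.builtin.command` with no `changed_when`, so every run reports a change; add `changed_when: false` (the command is idempotent) or guard it with `acme_install is changed`. The block condition `ansible_facts["distribution_version"] is version('11', '>=')` correctly widens the old `Ubuntu 20.04 or Debian 11` test to Debian 11 and later.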

View File

@@ -1,72 +1,120 @@
--- ---
- name: Add nginx.org apt signing key - name: Download nginx apt signing key
ansible.builtin.apt_key: id=0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 url=https://nginx.org/keys/nginx_signing.key state=present ansible.builtin.get_url:
register: add_nginx_apt_key url: https://nginx.org/keys/nginx_signing.key
tags: nginx, packages dest: /usr/share/keyrings/nginx_signing.key
owner: root
group: root
mode: "0644"
checksum: sha256:55385da31d198fa6a5012d40ae98ecb272a6c4e8fffffba94719ffd3e87de37a
register: download_nginx_signing_key
tags:
- packages
- nginx
- name: Add nginx.org repo - name: Add nginx.org repo
ansible.builtin.template: src=nginx_org_sources.list.j2 dest=/etc/apt/sources.list.d/nginx_org_sources.list owner=root group=root mode=0644 ansible.builtin.template:
src: nginx_org_sources.list.j2
dest: /etc/apt/sources.list.d/nginx_org_sources.list
owner: root
group: root
mode: "0644"
register: add_nginx_apt_repository register: add_nginx_apt_repository
tags: nginx, packages tags:
- nginx
- packages
- name: Update apt cache - name: Update apt cache
ansible.builtin.apt: when: (download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or add_nginx_apt_repository is changed
ansible.builtin.apt: # noqa no-handler
update_cache: true update_cache: true
when:
add_nginx_apt_key is changed or
add_nginx_apt_repository is changed
- name: Install nginx - name: Install nginx
ansible.builtin.apt: pkg=nginx cache_valid_time=3600 state=present ansible.builtin.apt:
tags: nginx, packages pkg: nginx
cache_valid_time: 3600
state: present
tags:
- nginx
- packages
- name: Copy nginx.conf - name: Copy nginx.conf
ansible.builtin.template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=0644 owner=root group=root ansible.builtin.template:
src: nginx.conf.j2
dest: /etc/nginx/nginx.conf
mode: "0644"
owner: root
group: root
notify: notify:
- reload nginx - Reload nginx
tags: nginx tags: nginx
- name: Copy extra nginx configs - name: Copy extra nginx configs
ansible.builtin.copy: src={{ item }} dest=/etc/nginx/{{ item }} mode=0644 owner=root group=root ansible.builtin.copy:
src: "{{ item }}"
dest: /etc/nginx/{{ item }}
mode: "0644"
owner: root
group: root
loop: loop:
- extra-security.conf - extra-security.conf
- fastcgi_cache - fastcgi_cache
notify: notify:
- reload nginx - Reload nginx
tags: nginx tags: nginx
- name: Remove default nginx vhost - name: Remove default nginx vhost
ansible.builtin.file: path=/etc/nginx/conf.d/default.conf state=absent ansible.builtin.file:
path: /etc/nginx/conf.d/default.conf
state: absent
tags: nginx tags: nginx
- name: Create fastcgi cache dir - name: Create fastcgi cache dir
ansible.builtin.file: path=/var/cache/nginx/cached/fastcgi state=directory owner=nginx group=nginx mode=0755 ansible.builtin.file:
path: /var/cache/nginx/cached/fastcgi
state: directory
owner: nginx
group: nginx
mode: "0755"
tags: nginx tags: nginx
- name: Configure nginx virtual hosts - name: Configure nginx virtual hosts
ansible.builtin.include_tasks: vhosts.yml
when: nginx_vhosts is defined when: nginx_vhosts is defined
ansible.builtin.include_tasks: vhosts.yml
tags: nginx tags: nginx
- name: Configure WordPress - name: Configure WordPress
ansible.builtin.include_tasks: wordpress.yml
when: nginx_vhosts is defined when: nginx_vhosts is defined
ansible.builtin.include_tasks: wordpress.yml
tags: wordpress tags: wordpress
- name: Configure blank nginx vhost - name: Configure blank nginx vhost
ansible.builtin.template: src=blank-vhost.conf.j2 dest={{ nginx_confd_path }}/blank-vhost.conf mode=0644 owner=root group=root ansible.builtin.template:
src: blank-vhost.conf.j2
dest: "{{ nginx_confd_path }}/blank-vhost.conf"
mode: "0644"
owner: root
group: root
notify: notify:
- reload nginx - Reload nginx
tags: nginx tags: nginx
- name: Configure munin vhost - name: Configure munin vhost
ansible.builtin.copy: src=munin.conf dest=/etc/nginx/conf.d/munin.conf mode=0644 owner=root group=root ansible.builtin.copy:
src: munin.conf
dest: /etc/nginx/conf.d/munin.conf
mode: "0644"
owner: root
group: root
notify: notify:
- reload nginx - Reload nginx
tags: nginx tags: nginx
- name: Start and enable nginx service - name: Start and enable nginx service
ansible.builtin.systemd: name=nginx state=started enabled=true ansible.builtin.systemd_service:
name: nginx
state: started
enabled: true
tags: nginx tags: nginx
- name: Configure Let's Encrypt - name: Configure Let's Encrypt
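Review bot: `Update apt cache` now triggers on `download_nginx_signing_key.status_code is defined and ... == 200`; `get_url` only makes a request when the destination is missing or its checksum differs, so the condition works, but `download_nginx_signing_key is changed or add_nginx_apt_repository is changed` says the same thing without depending on a return field and matches the second half of the test. More importantly, the old task installed the key with `ansible.builtin.apt_key: id=0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62` into apt's legacy trusted keyring; the hunk deletes that task but adds no `apt_key: ... state: absent` counterpart, so on already-provisioned hosts the key remains in `/etc/apt/trusted.gpg`, where it is trusted for every repository rather than only the `signed-by` one. Keep a removal task for that id until all hosts have converged. The `checksum: sha256:55385da3...` pin on the new `get_url` is the right approach; it will make the task fail, rather than silently refresh, when nginx rotates the key, which is desirable but worth a comment.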

View File

@@ -1,29 +1,40 @@
--- ---
- name: Configure https vhosts
- block:
- name: Configure https vhosts
ansible.builtin.template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root
loop: "{{ nginx_vhosts }}"
notify:
- reload nginx
- name: Generate self-signed TLS cert
ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
notify:
- reload nginx
- name: Download 4096-bit RFC 7919 dhparams
ansible.builtin.get_url:
url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3
dest: "{{ nginx_ssl_dhparam }}"
notify:
- reload nginx
# TODO: this could break because we can override the document root in host vars
- name: Create vhost document roots
ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=nginx group=nginx
loop: "{{ nginx_vhosts }}"
tags: nginx tags: nginx
block:
- name: Configure https vhosts
ansible.builtin.template:
src: vhost.conf.j2
dest: "{{ nginx_confd_path }}/{{ item.domain_name }}.conf"
mode: "0644"
owner: root
group: root
loop: "{{ nginx_vhosts }}"
notify:
- Reload nginx
- name: Generate self-signed TLS cert
ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key
-out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
notify:
- Reload nginx
- name: Download 4096-bit RFC 7919 dhparams
ansible.builtin.get_url:
url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3
dest: "{{ nginx_ssl_dhparam }}"
notify:
- Reload nginx
# TODO: this could break because we can override the document root in host vars
- name: Create vhost document roots
ansible.builtin.file:
path: "{{ nginx_root_prefix }}/{{ item.domain_name }}"
state: directory
mode: "0755"
owner: nginx
group: nginx
loop: "{{ nginx_vhosts }}"
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:
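Review bot: `Generate self-signed TLS cert` keeps the free-form `ansible.builtin.command: openssl req ... creates=/etc/ssl/certs/nginx-snakeoil.crt` and now folds the long line across two source lines; the other command in this change (`Install acme.sh`) uses `cmd:` with a separate `creates:`, so convert this one too, which also removes any doubt about how the folded continuation and the trailing `creates=` are parsed. The `Download 4096-bit RFC 7919 dhparams` task with `checksum: sha256:64852d68...` is good. `Create vhost document roots` still builds `{{ nginx_root_prefix }}/{{ item.domain_name }}` while the `# TODO` above it notes that host vars can override the document root, and the vhost template in this change now honours `item.document_root`; a vhost with that override gets a directory it never uses and its real root is never created. Compute the path the same way as the template, e.g. `item.document_root | default((nginx_root_prefix, item.domain_name) | ansible.builtin.path_join)`, and the TODO can go.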

View File

@@ -1,19 +1,31 @@
--- ---
- name: Install and configure WordPress
- block:
- name: Install WordPress
ansible.builtin.git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version }} depth=1 force=true
when:
- item.has_wordpress is defined
- item.has_wordpress
loop: "{{ nginx_vhosts }}"
- name: Fix WordPress directory permissions
ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=true
when:
- item.has_wordpress is defined
- item.has_wordpress
loop: "{{ nginx_vhosts }}"
tags: wordpress tags: wordpress
block:
- name: Install WordPress
when:
- item.has_wordpress is defined
- item.has_wordpress
ansible.builtin.git:
repo: https://github.com/WordPress/WordPress.git
dest: "{{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress"
version: "{{ item.wordpress_version }}"
depth: 1
force: true
loop: "{{ nginx_vhosts }}"
become: true
become_user: nginx
- name: Fix WordPress directory permissions
when:
- item.has_wordpress is defined
- item.has_wordpress
ansible.builtin.file:
path: "{{ nginx_root_prefix }}/{{ item.domain_name }}"
state: directory
owner: nginx
group: nginx
recurse: true
loop: "{{ nginx_vhosts }}"
# vim: set ts=2 sw=2: # vim: set ts=2 sw=2:
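Review bot: `Install WordPress` now runs `ansible.builtin.git` with `become: true` / `become_user: nginx`; unless the play connects as root (which lets Ansible chown its temporary module files), becoming an unprivileged user needs the `acl` package for `setfacl` or the `allow_world_readable_tmpfiles` setting, so either add `acl` to the nginx role's packages or expect this task to fail on a fresh host. Since `Fix WordPress directory permissions` still `chown`s the whole tree to `nginx` recursively, cloning as `nginx` changes little on its own; from a hardening standpoint, a tree writable by the web server user (and by PHP-FPM if it runs as the same user) means a compromised PHP worker can rewrite the WordPress code, so consider keeping the code owned by root, as the previous version effectively did, and granting `nginx` write access only to `wp-content/uploads` and whatever else WordPress needs at runtime. `force: true` with `depth: 1` is fine for tracking `item.wordpress_version` tags.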

View File

@@ -11,9 +11,11 @@ server {
return 444; return 444;
} }
server { server {
listen 443 ssl http2 default_server; listen 443 ssl default_server;
listen [::]:443 ssl http2 default_server; listen [::]:443 ssl default_server;
http2 on;
server_name _; server_name _;
# self-signed "snakeoil" certificate # self-signed "snakeoil" certificate
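Review bot: `http2 on;` as a standalone directive replaces the `http2` parameter on `listen`; that directive only exists from nginx 1.25.1, so with the `nginx_version` defaults in this change (stable 1.26.x, mainline 1.27.x) it is fine, but anyone pinning an older package from the same repo will get a configuration error on reload. A one-line comment next to `http2 on;` stating the minimum version saves a confused debugging session.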

View File

@@ -27,8 +27,9 @@
ssl_dhparam {{ nginx_ssl_dhparam }}; ssl_dhparam {{ nginx_ssl_dhparam }};
ssl_protocols {{ nginx_ssl_protocols }}; ssl_protocols {{ nginx_ssl_protocols }};
ssl_ecdh_curve {{ nginx_ssl_ecdh_curve }};
ssl_ciphers "{{ tls_cipher_suite }}"; ssl_ciphers "{{ tls_cipher_suite }}";
ssl_prefer_server_ciphers on; ssl_prefer_server_ciphers off;
{# OSCP stapling only works with real certs #} {# OSCP stapling only works with real certs #}
{% if use_letsencrypt == true or item.tls_certificate_path %} {% if use_letsencrypt == true or item.tls_certificate_path %}
@@ -38,15 +39,6 @@
resolver {{ nginx_ssl_stapling_resolver }}; resolver {{ nginx_ssl_stapling_resolver }};
{% endif %} {# end: use_letsencrypt #} {% endif %} {# end: use_letsencrypt #}
# nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
# when a restart is performed the previous key is lost, which resets all previous
# sessions. The fix for this is to setup a manual rotation mechanism:
# http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
#
# Note that you'll have to define and rotate the keys securely by yourself. In absence
# of such infrastructure, consider turning off session tickets:
ssl_session_tickets off;
{% if enable_hsts == true %} {% if enable_hsts == true %}
# Enable this if you want HSTS (recommended, but be careful) # Enable this if you want HSTS (recommended, but be careful)
# Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
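Review bot: removing `ssl_session_tickets off;` together with its explanatory comment re-enables session tickets with nginx's default behaviour, which is exactly what the deleted comment warned about: the ticket key lives in memory, is regenerated only on reload/restart, and, with `ssl_session_timeout` raised to `1d` in the defaults, anyone who obtains it can decrypt recorded TLS 1.2 sessions resumed under it for up to a day. Either keep `ssl_session_tickets off;` (the `shared:SSL:10m` cache already provides resumption) or add `ssl_session_ticket_key` files with a rotation job, and state the choice in the commit. The other two changes are sound: `ssl_prefer_server_ciphers off;` matches current Mozilla guidance once the cipher list is already restricted, and `ssl_ecdh_curve {{ nginx_ssl_ecdh_curve }};` makes the curve order explicit. The pre-existing typo `OSCP` in `{# OSCP stapling only works with real certs #}` should read OCSP and is worth fixing while here.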

View File

@@ -14,7 +14,6 @@ error_log /var/log/nginx/error.log warn;
# The file storing the process ID of the main process # The file storing the process ID of the main process
pid /var/run/nginx.pid; pid /var/run/nginx.pid;
events { events {
# If you need more connections than this, you start optimizing your OS. # If you need more connections than this, you start optimizing your OS.
# That's probably the point at which you hire people who are smarter than you as this is *a lot* of requests. # That's probably the point at which you hire people who are smarter than you as this is *a lot* of requests.
@@ -23,6 +22,7 @@ events {
} }
http { http {
include /etc/nginx/mime.types; include /etc/nginx/mime.types;
default_type application/octet-stream; default_type application/octet-stream;

View File

@@ -1,19 +1,7 @@
{{ ansible_managed | comment }} {{ ansible_managed | comment }}
{% if ansible_distribution == 'Ubuntu' %}
{% if nginx_version == "stable" %} {% if nginx_version == "stable" %}
deb [arch=amd64] https://nginx.org/packages/ubuntu/ {{ ansible_distribution_release }} nginx deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/debian/ {{ ansible_facts["distribution_release"] }} nginx
{% elif nginx_version == "mainline" %} {% elif nginx_version == "mainline" %}
deb [arch=amd64] https://nginx.org/packages/mainline/ubuntu/ {{ ansible_distribution_release }} nginx deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/mainline/debian/ {{ ansible_facts["distribution_release"] }} nginx
{% endif %}
{% elif ansible_distribution == 'Debian' %}
{% if nginx_version == "stable" %}
deb [arch=amd64] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx
{% elif nginx_version == "mainline" %}
deb [arch=amd64] https://nginx.org/packages/mainline/debian/ {{ ansible_distribution_release }} nginx
{% endif %}
{% endif %} {% endif %}
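Review bot: `signed-by=/usr/share/keyrings/nginx_signing.key` only works if a task in this role places that keyring before `apt update` runs, and apt needs it readable by the `_apt` user (root:root, 0644); with the apt-key task removed elsewhere in this series, make sure the task that fetches the key also checks its fingerprint rather than trusting whatever the download returns. The Ubuntu branch is dropped outright, so any remaining Ubuntu host is now pointed at `nginx.org/packages/debian/` with an Ubuntu codename; if Debian-only is intended, an `ansible.builtin.assert` on `ansible_facts["distribution"] == 'Debian'` fails faster and clearer than a 404 from apt. Also confirm nginx.org publishes a suite for every codename in use (trixie included) before rolling this to Debian 13.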

@@ -8,6 +8,12 @@
{% set has_wordpress = item.has_wordpress | default(false) %} {% set has_wordpress = item.has_wordpress | default(false) %}
{% set needs_php = item.needs_php | default(false) %} {% set needs_php = item.needs_php | default(false) %}
{% set has_gitea = item.has_gitea | default(false) %} {% set has_gitea = item.has_gitea | default(false) %}
{# Allow sites to override the document root #}
{% if item.document_root is defined %}
{% set document_root = item.document_root %}
{% else %}
{% set document_root = (nginx_root_prefix, domain_name) | ansible.builtin.path_join %}
{% endif %}
# http -> https vhost # http -> https vhost
server { server {
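Review bot: `item.document_root` is used verbatim while the default is built with `path_join`; if an override is ever given as a relative path, nginx resolves `root` against its compiled-in prefix, not against `nginx_root_prefix`. Guarding the override with the `abs` test (`{% if item.document_root is defined and item.document_root is abs %}`) or an assert in the role would catch that, and the same check on `domain_name` would reject a value starting with `/`, since `path_join` discards every component before an absolute one.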
@@ -26,15 +32,11 @@ server {
} }
server { server {
listen 443 ssl http2; listen 443 ssl;
listen [::]:443 ssl http2; listen [::]:443 ssl;
http2 on;
{# Allow sites to override the nginx document root #} root {{ document_root }};
{% if item.document_root is defined %}
root {{ item.document_root }};
{% else %}
root {{ nginx_root_prefix }}/{{ domain_name }};
{% endif %}
{# will only work if the TLS cert covers the domain + aliases, like example.com and www.example.com #} {# will only work if the TLS cert covers the domain + aliases, like example.com and www.example.com #}
server_name {{ domain_name }} {{ domain_aliases }}; server_name {{ domain_name }} {{ domain_aliases }};
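Review bot: `http2 on;` together with a bare `listen 443 ssl;` requires nginx 1.25.1 or newer, the release in which the `http2` listen parameter was deprecated; on an older package `nginx -t` rejects the unknown directive and the reload handler fails. That is fine for current nginx.org stable and mainline builds, but a version guard or a note in the role README would save the next person who points this role at an older host.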
@@ -75,10 +77,8 @@ server {
# See: https://httpoxy.org/ # See: https://httpoxy.org/
fastcgi_param HTTP_PROXY ""; fastcgi_param HTTP_PROXY "";
{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11', '==')) %} {% if ansible_facts["distribution_major_version"] is version('12', '==') %}
fastcgi_pass unix:/run/php/php7.4-fpm-{{ domain_name }}.sock; fastcgi_pass unix:/run/php/php8.2-fpm-{{ domain_name }}.sock;
{% else %}
fastcgi_pass unix:/var/run/php5-fpm-{{ domain_name }}.sock;
{% endif %} {% endif %}
fastcgi_index index.php; fastcgi_index index.php;
# set script path relative to document root in server block # set script path relative to document root in server block
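Review bot: the new condition only emits `fastcgi_pass` for Debian 12, so on Debian 13 (which this series sets up with php8.4-fpm) this block ends up with `fastcgi_param` and `fastcgi_index` but no `fastcgi_pass`. If this sits in the usual `location ~ \.php$` block, nginx then has no handler and serves `.php` files from `root` as static content, which for a WordPress vhost means `wp-config.php` and its database credentials become downloadable. Add an `{% elif ... is version('13', '==') %}` branch for the php8.4 socket, or better, render the path from the version the php_fpm role already determines, e.g. `fastcgi_pass unix:/run/php/php{{ php_version }}-fpm-{{ domain_name }}.sock;`, and fail the template when the version is unknown instead of silently leaving the directive out.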

@@ -1,6 +0,0 @@
---
# For Ubuntu 20.04 and Debian 11
- name: reload php7.4-fpm
ansible.builtin.systemd: name=php7.4-fpm state=reloaded
# vim: set ts=2 sw=2:

@@ -1,36 +0,0 @@
---
- block:
- name: Set php-fpm packages
ansible.builtin.set_fact:
php_fpm_packages:
- php7.4-fpm
# for WordPress
- php7.4-mysql
- php7.4-gd
- php7.4-curl
- php7.4-xml
- name: Install php-fpm and deps
ansible.builtin.apt: name={{ php_fpm_packages }} state=present update_cache=true
# only copy php-fpm config for vhosts that need WordPress or PHP
- name: Copy php-fpm pool config
ansible.builtin.template: src=php7.4-pool.conf.j2 dest=/etc/php/7.4/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
loop: "{{ nginx_vhosts }}"
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
notify: reload php7.4-fpm
- name: Remove default www pool
ansible.builtin.file: path=/etc/php/7.4/fpm/pool.d/www.conf state=absent
notify: reload php7.4-fpm
# re-configure php.ini
- name: Update php.ini
ansible.builtin.template: src=php7.4-php.ini.j2 dest=/etc/php/7.4/fpm/php.ini owner=root group=root mode=0644
notify: reload php7.4-fpm
tags: php-fpm
when: install_php
# vim: set ts=2 sw=2:

@@ -1,44 +0,0 @@
---
# Ubuntu 20.04 uses PHP 7.4
# Debian 11 uses PHP 7.4
# If any of the vhosts on this host need WordPress then we need to install PHP.
# This uses selectattr to filter the list of dicts in nginx_vhosts, selecting
# any that have has_wordpress defined, and has_wordpress set to true.
#
# See: https://stackoverflow.com/a/31896249
- name: Check if any vhost needs WordPress
ansible.builtin.set_fact:
install_php: true
when: "nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', true) | list | length > 0"
# Legacy, was only for Piwik, but leaving for now.
- name: Check if any vhost needs PHP
ansible.builtin.set_fact:
install_php: true
when: "nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', true) | list | length > 0"
# If install_php has not been set, then we assume no vhosts need PHP. This is
# a bit hacky, but it's the closest we come to an if/then/else.
- name: Set install_php to false
ansible.builtin.set_fact:
install_php: false
when: install_php is not defined
- name: Configure php-fpm on Ubuntu 20.04
ansible.builtin.include_tasks: Ubuntu_20.04.yml
when:
- ansible_distribution == 'Ubuntu'
- ansible_distribution_version is version('20.04', '==')
- install_php == true
tags: php-fpm
- name: Configure php-fpm on Debian 11
ansible.builtin.include_tasks: Ubuntu_20.04.yml
when:
- ansible_distribution == 'Debian'
- ansible_distribution_major_version is version('11', '==')
- install_php == true
tags: php-fpm
# vim: set ts=2 sw=2:

@@ -0,0 +1,14 @@
---
# For Debian 12
- name: Reload php8.2-fpm
ansible.builtin.systemd_service:
name: php8.2-fpm
state: reloaded
# For Debian 13
- name: Reload php8.4-fpm
ansible.builtin.systemd_service:
name: php8.4-fpm
state: reloaded
# vim: set ts=2 sw=2:
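Review bot: the two handlers differ only in the version string that the tasks file already carries in `php_version`, so a single handler (`name: Reload php-fpm` with `name: php{{ php_version }}-fpm`) would keep every `notify:` static and avoid templated handler lookups. If the two-handler form stays, the task side has to template `Reload php{{ php_version }}-fpm` exactly, capital R included, or the notification is silently dropped.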

@@ -0,0 +1,90 @@
---
# Debian 12 uses PHP 8.2
# Debian 13 uses PHP 8.4
# If any of the vhosts on this host need WordPress then we need to install PHP.
# This uses selectattr to filter the list of dicts in nginx_vhosts, selecting
# any that have has_wordpress defined, and has_wordpress set to true.
#
# See: https://stackoverflow.com/a/31896249
- name: Check if any vhost needs WordPress
ansible.builtin.set_fact:
install_php: true
when: nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', true) | list | length > 0
# Legacy, was only for Piwik, but leaving for now.
- name: Check if any vhost needs PHP
ansible.builtin.set_fact:
install_php: true
when: nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', true) | list | length > 0
# If install_php has not been set, then we assume no vhosts need PHP. This is
# a bit hacky, but it's the closest we come to an if/then/else.
- name: Set install_php to false
ansible.builtin.set_fact:
install_php: false
when: install_php is not defined
- name: Install and configure php-fpm
tags: php-fpm
when: install_php
block:
- name: Set php-fpm packages
ansible.builtin.set_fact:
php_fpm_packages:
- php-fpm
# for WordPress
- php-mysql
- php-gd
- php-curl
- php-xml
- name: Install php-fpm and deps
ansible.builtin.apt:
name: "{{ php_fpm_packages }}"
state: present
update_cache: true
- name: Set PHP version for Debian 12
when:
- ansible_facts["distribution"] == 'Debian'
- ansible_facts["distribution_major_version"] is version('12', '==')
ansible.builtin.set_fact:
php_version: 8.2
- name: Set PHP version for Debian 13
when:
- ansible_facts["distribution"] == 'Debian'
- ansible_facts["distribution_major_version"] is version('13', '==')
ansible.builtin.set_fact:
php_version: 8.4
# only copy php-fpm config for vhosts that need WordPress or PHP
- name: Copy php-fpm pool config
ansible.builtin.template:
src: php{{ php_version }}-pool.conf.j2
dest: /etc/php/{{ php_version }}/fpm/pool.d/{{ item.domain_name }}.conf
owner: root
group: root
mode: "0644"
loop: "{{ nginx_vhosts }}"
when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
notify: Reload php{{ php_version }}-fpm
- name: Remove default www pool
ansible.builtin.file:
path: /etc/php/{{ php_version }}/fpm/pool.d/www.conf
state: absent
notify: Reload php{{ php_version }}-fpm
# re-configure php.ini
- name: Update php.ini
ansible.builtin.template:
src: php{{ php_version }}-php.ini.j2
dest: /etc/php/{{ php_version }}/fpm/php.ini
owner: root
group: root
mode: "0644"
notify: Reload php{{ php_version }}-fpm
# vim: set ts=2 sw=2:
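Review bot: `php_version: 8.2` and `8.4` are unquoted YAML floats; they render as `8.2`/`8.4` today, but a future `8.10` would render as `8.1` and every path in this file would silently point at the wrong tree. Quote them (`php_version: "8.4"`). Two smaller points: no value is set for anything other than Debian 12/13, so the first template task fails with an undefined-variable error rather than a reason, and an `ansible.builtin.assert` after the two set_fact tasks would say why; and `php-fpm` is installed before `php_version` is known, which works because the metapackage picks the release's version, but pinning `php{{ php_version }}-fpm` after the version is set would make the installed package and the templated paths agree by construction.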

@@ -19,11 +19,16 @@
; Default Value: none ; Default Value: none
;prefix = /path/to/pools/$pool ;prefix = /path/to/pools/$pool
; Unix user/group of processes ; Unix user/group of the child processes. This can be used only if the master
; Note: The user is mandatory. If the group is not set, the default user's group ; process running user is root. It is set after the child process is created.
; will be used. ; The user and group can be specified either by their name or by their numeric
user = nginx ; IDs.
group = nginx ; Note: If the user is root, the executable needs to be started with
; --allow-to-run-as-root option to work.
; Default Values: The user is set to master process running user by default.
; If the group is not set, the user's group is used.
user = {{ webserver }}
group = {{ webserver }}
; The address on which to accept FastCGI requests. ; The address on which to accept FastCGI requests.
; Valid syntaxes are: ; Valid syntaxes are:
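Review bot: `user`/`group` and `listen.owner`/`listen.group` all become `{{ webserver }}`, so every site's PHP workers run under the same uid as nginx and as each other. Only the socket needs to be owned by the web server user; the workers themselves could run as a per-pool account (a `user = {{ domain_name }}`-style value) with `listen.owner = {{ webserver }}` kept as is, which stops one compromised WordPress from reading another site's `wp-config.php`. If the shared uid is deliberate, a comment above `user =` saying so would stop this from being re-raised.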
@@ -35,20 +40,22 @@ group = nginx
; (IPv6 and IPv4-mapped) on a specific port; ; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket. ; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory. ; Note: This value is mandatory.
listen = /run/php/php7.4-fpm-{{ domain_name }}.sock listen = /run/php/php8.2-fpm-{{ domain_name }}.sock
; Set listen(2) backlog. ; Set listen(2) backlog.
; Default Value: 511 (-1 on FreeBSD and OpenBSD) ; Default Value: 511 (-1 on Linux, FreeBSD and OpenBSD)
;listen.backlog = 511 ;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write ; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many ; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions. ; BSD-derived systems allow connections regardless of permissions. The owner
; Default Values: user and group are set as the running user ; and group can be specified either by name or by their numeric IDs.
; mode is set to 0660 ; Default Values: Owner is set to the master process running user. If the group
listen.owner = nginx ; is not set, the owner's group is used. Mode is set to 0660.
listen.group = nginx listen.owner = {{ webserver }}
listen.group = {{ webserver }}
;listen.mode = 0660 ;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using ; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names. ; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored ; When set, listen.owner and listen.group are ignored
@@ -63,6 +70,10 @@ listen.group = nginx
; Default Value: any ; Default Value: any
;listen.allowed_clients = 127.0.0.1 ;listen.allowed_clients = 127.0.0.1
; Set the associated the route table (FIB). FreeBSD only
; Default Value: -1
;listen.setfib = 1
; Specify the nice(2) priority to apply to the pool processes (only if set) ; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority) ; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root ; Note: - It will only work if the FPM master process is launched as root
@@ -71,8 +82,9 @@ listen.group = nginx
; Default Value: no set ; Default Value: no set
; process.priority = -19 ; process.priority = -19
; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user ; Set the process dumpable flag (PR_SET_DUMPABLE prctl for Linux or
; or group is differrent than the master process user. It allows to create process ; PROC_TRACE_CTL procctl for FreeBSD) even if the process user
; or group is different than the master process user. It allows to create process
; core dump and ptrace the process for the pool user. ; core dump and ptrace the process for the pool user.
; Default Value: no ; Default Value: no
; process.dumpable = yes ; process.dumpable = yes
@@ -94,6 +106,8 @@ listen.group = nginx
; state (waiting to process). If the number ; state (waiting to process). If the number
; of 'idle' processes is greater than this ; of 'idle' processes is greater than this
; number then some children will be killed. ; number then some children will be killed.
; pm.max_spawn_rate - the maximum number of rate to spawn child
; processes at once.
; ondemand - no children are created at startup. Children will be forked when ; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used: ; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that ; pm.max_children - the maximum number of children that
@@ -129,6 +143,12 @@ pm.min_spare_servers = 1
; Note: Mandatory when pm is set to 'dynamic' ; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 3 pm.max_spare_servers = 3
; The number of rate to spawn child processes at once.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
; Default Value: 32
;pm.max_spawn_rate = 32
; The number of seconds after which an idle process will be killed. ; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand' ; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s ; Default Value: 10s
@@ -141,7 +161,7 @@ pm.max_spare_servers = 3
;pm.max_requests = 500 ;pm.max_requests = 500
; The URI to view the FPM status page. If this value is not set, no URI will be ; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following informations: ; recognized as a status page. It shows the following information:
; pool - the name of the pool; ; pool - the name of the pool;
; process manager - static, dynamic or ondemand; ; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started; ; start time - the date and time FPM has started;
@@ -231,7 +251,7 @@ pm.max_spare_servers = 3
; last request memory: 0 ; last request memory: 0
; ;
; Note: There is a real-time FPM status monitoring sample web page available ; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: /usr/share/php/7.4/fpm/status.html ; It's available in: /usr/share/php/8.2/fpm/status.html
; ;
; Note: The value must start with a leading slash (/). The value can be ; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it ; anything, but it may not be a good idea to use the .php extension or it
@@ -239,6 +259,22 @@ pm.max_spare_servers = 3
; Default Value: not set ; Default Value: not set
;pm.status_path = /status ;pm.status_path = /status
; The address on which to accept FastCGI status request. This creates a new
; invisible pool that can handle requests independently. This is useful
; if the main pool is busy with long running requests because it is still possible
; to get the status before finishing the long running requests.
;
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Default Value: value of the listen option
;pm.status_listen = 127.0.0.1:9001
; The ping URI to call the monitoring page of FPM. If this value is not set, no ; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside ; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to ; that FPM is alive and responding, or to
@@ -271,13 +307,13 @@ pm.max_spare_servers = 3
; %d: time taken to serve the request ; %d: time taken to serve the request
; it can accept the following format: ; it can accept the following format:
; - %{seconds}d (default) ; - %{seconds}d (default)
; - %{miliseconds}d ; - %{milliseconds}d
; - %{mili}d ; - %{milli}d
; - %{microseconds}d ; - %{microseconds}d
; - %{micro}d ; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER) ; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env ; it must be associated with embraces to specify the name of the env
; variable. Some exemples: ; variable. Some examples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e ; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e ; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename ; %f: script filename
@@ -306,14 +342,30 @@ pm.max_spare_servers = 3
; %s: status (response code) ; %s: status (response code)
; %t: server time the request was received ; %t: server time the request was received
; it can accept a strftime(3) format: ; it can accept a strftime(3) format:
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag ; The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
; %T: time the log has been written (the request has finished) ; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format: ; it can accept a strftime(3) format:
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag ; The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
; %u: remote user ; %u: remote user
; ;
; Default: "%R - %u %t \"%m %r\" %s" ; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%" ;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%"
; A list of request_uri values which should be filtered from the access log.
;
; As a security precuation, this setting will be ignored if:
; - the request method is not GET or HEAD; or
; - there is a request body; or
; - there are query parameters; or
; - the response code is outwith the successful range of 200 to 299
;
; Note: The paths are matched against the output of the access.format tag "%r".
; On common configurations, this may look more like SCRIPT_NAME than the
; expected pre-rewrite URI.
;
; Default Value: not set
;access.suppress_path[] = /ping
;access.suppress_path[] = /health_check.php
; The log file for slow requests ; The log file for slow requests
; Default Value: not set ; Default Value: not set
@@ -372,7 +424,7 @@ pm.max_spare_servers = 3
; Redirect worker stdout and stderr into main error log. If not set, stdout and ; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs. ; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page ; Note: on highloaded environment, this can cause some delay in the page
; process time (several ms). ; process time (several ms).
; Default Value: no ; Default Value: no
;catch_workers_output = yes ;catch_workers_output = yes

File diff suppressed because it is too large

@@ -0,0 +1,488 @@
{% set domain_name = item.domain_name %}
; Start a new pool named '{{ domain_name }}'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('{{ domain_name }}' here)
[{{ domain_name }}]
; Per pool prefix
; It only applies on the following directives:
; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool
; Unix user/group of the child processes. This can be used only if the master
; process running user is root. It is set after the child process is created.
; The user and group can be specified either by their name or by their numeric
; IDs.
; Note: If the user is root, the executable needs to be started with
; --allow-to-run-as-root option to work.
; Default Values: The user is set to master process running user by default.
; If the group is not set, the user's group is used.
user = {{ webserver }}
group = {{ webserver }}
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
listen = /run/php/php8.2-fpm-{{ domain_name }}.sock
; Set listen(2) backlog.
; Default Value: 511 (-1 on Linux, FreeBSD and OpenBSD)
;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions. The owner
; and group can be specified either by name or by their numeric IDs.
; Default Values: Owner is set to the master process running user. If the group
; is not set, the owner's group is used. Mode is set to 0660.
listen.owner = {{ webserver }}
listen.group = {{ webserver }}
;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users =
;listen.acl_groups =
; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
;listen.allowed_clients = 127.0.0.1
; Set the associated the route table (FIB). FreeBSD only
; Default Value: -1
;listen.setfib = 1
; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
; - The pool processes will inherit the master process priority
; unless it specified otherwise
; Default Value: no set
; process.priority = -19
; Set the process dumpable flag (PR_SET_DUMPABLE prctl for Linux or
; PROC_TRACE_CTL procctl for FreeBSD) even if the process user
; or group is different than the master process user. It allows to create process
; core dump and ptrace the process for the pool user.
; Default Value: no
; process.dumpable = yes
; Choose how the process manager will control the number of child processes.
; Possible Values:
; static - a fixed number (pm.max_children) of child processes;
; dynamic - the number of child processes are set dynamically based on the
; following directives. With this process management, there will be
; always at least 1 children.
; pm.max_children - the maximum number of children that can
; be alive at the same time.
; pm.start_servers - the number of children created on startup.
; pm.min_spare_servers - the minimum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is less than this
; number then some children will be created.
; pm.max_spare_servers - the maximum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is greater than this
; number then some children will be killed.
; pm.max_spawn_rate - the maximum number of rate to spawn child
; processes at once.
; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that
; can be alive at the same time.
; pm.process_idle_timeout - The number of seconds after which
; an idle process will be killed.
; Note: This value is mandatory.
pm = dynamic
; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 5
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: (min_spare_servers + max_spare_servers) / 2
pm.start_servers = 2
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 1
; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 3
; The number of rate to spawn child processes at once.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
; Default Value: 32
;pm.max_spawn_rate = 32
; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
;pm.max_requests = 500
; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following information:
; pool - the name of the pool;
; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started;
; start since - number of seconds since FPM has started;
; accepted conn - the number of request accepted by the pool;
; listen queue - the number of request in the queue of pending
; connections (see backlog in listen(2));
; max listen queue - the maximum number of requests in the queue
; of pending connections since FPM has started;
; listen queue len - the size of the socket queue of pending connections;
; idle processes - the number of idle processes;
; active processes - the number of active processes;
; total processes - the number of idle + active processes;
; max active processes - the maximum number of active processes since FPM
; has started;
; max children reached - number of times, the process limit has been reached,
; when pm tries to start more children (works only for
; pm 'dynamic' and 'ondemand');
; Value are updated in real time.
; Example output:
; pool: www
; process manager: static
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 62636
; accepted conn: 190460
; listen queue: 0
; max listen queue: 1
; listen queue len: 42
; idle processes: 4
; active processes: 11
; total processes: 15
; max active processes: 12
; max children reached: 0
;
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
; http://www.foo.bar/status
; http://www.foo.bar/status?json
; http://www.foo.bar/status?html
; http://www.foo.bar/status?xml
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
; http://www.foo.bar/status?full
; http://www.foo.bar/status?json&full
; http://www.foo.bar/status?html&full
; http://www.foo.bar/status?xml&full
; The Full status returns for each process:
; pid - the PID of the process;
; state - the state of the process (Idle, Running, ...);
; start time - the date and time the process has started;
; start since - the number of seconds since the process has started;
; requests - the number of requests the process has served;
; request duration - the duration in µs of the requests;
; request method - the request method (GET, POST, ...);
; request URI - the request URI with the query string;
; content length - the content length of the request (only with POST);
; user - the user (PHP_AUTH_USER) (or '-' if not set);
; script - the main script called (or '-' if not set);
; last request cpu - the %cpu the last request consumed
; it's always 0 if the process is not in Idle state
; because CPU calculation is done when the request
; processing has terminated;
; last request memory - the max amount of memory the last request consumed
; it's always 0 if the process is not in Idle state
; because memory calculation is done when the request
; processing has terminated;
; If the process is in Idle state, then information is related to the
; last request the process has served. Otherwise information is related to
; the current request being served.
; Example output:
; ************************
; pid: 31330
; state: Running
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 63087
; requests: 12808
; request duration: 1250261
; request method: GET
; request URI: /test_mem.php?N=10000
; content length: 0
; user: -
; script: /home/fat/web/docs/php/test_mem.php
; last request cpu: 0.00
; last request memory: 0
;
; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: /usr/share/php/8.4/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;pm.status_path = /status
; The address on which to accept FastCGI status request. This creates a new
; invisible pool that can handle requests independently. This is useful
; if the main pool is busy with long running requests because it is still possible
; to get the status before finishing the long running requests.
;
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Default Value: value of the listen option
;pm.status_listen = 127.0.0.1:9001
; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping
; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong
; The access log file
; Default: not set
;access.log = log/$pool.access.log
; The access log format.
; The following syntax is allowed
; %%: the '%' character
; %C: %CPU used by the request
; it can accept the following format:
; - %{user}C for user CPU only
; - %{system}C for system CPU only
; - %{total}C for user + system CPU (default)
; %d: time taken to serve the request
; it can accept the following format:
; - %{seconds}d (default)
; - %{milliseconds}d
; - %{milli}d
; - %{microseconds}d
; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env
; variable. Some examples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename
; %l: content-length of the request (for POST request only)
; %m: request method
; %M: peak of memory allocated by PHP
; it can accept the following format:
; - %{bytes}M (default)
; - %{kilobytes}M
; - %{kilo}M
; - %{megabytes}M
; - %{mega}M
; %n: pool name
; %o: output header
; it must be associated with embraces to specify the name of the header:
; - %{Content-Type}o
; - %{X-Powered-By}o
; - %{Transfert-Encoding}o
; - ....
; %p: PID of the child that serviced the request
; %P: PID of the parent of the child that serviced the request
; %q: the query string
; %Q: the '?' character if query string exists
; %r: the request URI (without the query string, see %q and %Q)
; %R: remote IP address
; %s: status (response code)
; %t: server time the request was received
; it can accept a strftime(3) format:
; The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format:
; The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
; %u: basic auth user if specified in Authorization header
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%"
; A list of request_uri values which should be filtered from the access log.
;
; As a security precaution, this setting will be ignored if:
; - the request method is not GET or HEAD; or
; - there is a request body; or
; - there are query parameters; or
; - the response code is outwith the successful range of 200 to 299
;
; Note: The paths are matched against the output of the access.format tag "%r".
; On common configurations, this may look more like SCRIPT_NAME than the
; expected pre-rewrite URI.
;
; Default Value: not set
;access.suppress_path[] = /ping
;access.suppress_path[] = /health_check.php
; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
;slowlog = log/$pool.log.slow
; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0
; Depth of slow log stack trace.
; Default Value: 20
;request_slowlog_trace_depth = 20
; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_terminate_timeout = 0
; The timeout set by 'request_terminate_timeout' ini option is not engaged after
; application calls 'fastcgi_finish_request' or when application has finished and
; shutdown functions are being called (registered via register_shutdown_function).
; This option will enable timeout limit to be applied unconditionally
; even in such cases.
; Default Value: no
;request_terminate_timeout_track_finished = no
; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024
; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
; possible. However, all PHP paths will be relative to the chroot
; (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =
; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
;chdir = /var/www
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environment, this can cause some delay in the page
; process time (several ms).
; Default Value: no
;catch_workers_output = yes
; Decorate worker output with prefix and suffix containing information about
; the child that writes to the log and if stdout or stderr is used as well as
; log level and time. This options is used only if catch_workers_output is yes.
; Settings to "no" will output data as written to the stdout or stderr.
; Default value: yes
;decorate_workers_output = no
; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no
; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; execute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5 .php7
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
;env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp
; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
; php_value/php_flag - you can set classic ini defines which can
; be overwritten from PHP call 'ini_set'.
; php_admin_value/php_admin_flag - these directives won't be overwritten by
; PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.
; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or /usr)
; Default Value: nothing is defined by default except the values in php.ini and
; specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M
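Review bot: every directive in this tail of the pool file stays commented out, so the security-relevant settings run at their packaged defaults (security.limit_extensions = .php, clear_env = yes, no chroot, no pm.status_path, no ping.path); that is fine, but a one-line comment at the top of the template saying the defaults are intentional would stop a later edit from uncommenting `;clear_env = no` or the wider `;security.limit_extensions = .php .php3 .php4 .php5 .php7` by accident. If pm.status_path is enabled later, the example output above shows the page reports request URI and script path for in-flight requests, so either bind it through `pm.status_listen = 127.0.0.1:9001` (the separate status pool the comment describes) or restrict the path at the web server to loopback and monitoring hosts. The `/usr/share/php/8.4/fpm/status.html` path is only a comment, but it is version-specific and will need templating if this file is rendered for more than one PHP version.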


@@ -1,10 +0,0 @@
---
# sshd service name is `ssh` on Debian/Ubuntu, but it's
# `sshd` on CentOS
sshd_service_name: ssh
# provisioning user vars
provisioning_user: { name: 'provisioning', home: '/home/provisioning' }
# vim: set ts=2 sw=2:
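Review bot: deleting this vars file removes `sshd_service_name` and `provisioning_user` outright; confirm that the tasks which consume them (whatever restarts the `ssh` service and whatever creates the `provisioning` user with home `/home/provisioning`) now get those values from role defaults or group_vars, otherwise the play stops with an undefined-variable error at the first reference. The comment also recorded why the service is `ssh` on Debian/Ubuntu but `sshd` on CentOS; if CentOS support is being dropped together with the variable, say so in the commit message, and if it is not, the service name still has to be parameterised somewhere.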


@@ -9,7 +9,7 @@
- { role: mariadb, when: mariadb_databases is defined} - { role: mariadb, when: mariadb_databases is defined}
- { role: nginx, when: webserver is defined and webserver == 'nginx' } - { role: nginx, when: webserver is defined and webserver == 'nginx' }
- { role: caddy, when: webserver is defined and webserver == 'caddy' } - { role: caddy, when: webserver is defined and webserver == 'caddy' }
- php-fpm - php_fpm
- munin - munin
vars_files: vars_files:
- vars/ipsets.yml - vars/ipsets.yml
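Review bot: the `- php-fpm` to `- php_fpm` rename in this hunk needs the matching directory rename under `roles/`, which is not part of the hunk; Ansible resolves a role by directory name, so a leftover `roles/php-fpm` would be silently ignored while `roles/php_fpm` must exist for the play to run. Visible in the same context: `mariadb`, `nginx` and `caddy` are gated with `when:`, while `php_fpm` runs unconditionally on every host in the play; if PHP-FPM is only wanted where a web server is configured, consider `- { role: php_fpm, when: webserver is defined }`.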