roles: use ansible_facts["foo"] pattern

Instead of ansible_foo. Ansible recently started warning that this
is deprecated.

Pipfile

@@ -10,4 +10,4 @@ ansible = "*"
 ansible-lint = "*"
 
 [requires]
-python_version = "3.10"
+python_version = "3.13"

README.md

@@ -4,7 +4,7 @@ Ansible playbook for base and initial configuration of the web server hosting my
 ## Assumptions
 Before you can run this, a few things are assumed:
 
-- You have a clean, minimal Ubuntu 20.04 or Debian 11/12 host up and running
+- You have a clean, minimal Debian 12 host up and running
 - Python 3 is installed on the remote server (requirement of Ansible)
 - You have a user account with password-less SSH access to the machine
 - You have sudo privileges on the remote host

ansible.cfg

@@ -13,12 +13,6 @@ interpreter_python=auto
 # See: https://docs.ansible.com/ansible/latest/user_guide/connection_details.html#managing-host-key-checking
 host_key_checking = False
 
-ansible_managed = This file is managed by Ansible.%n
-  template: {file}
-  date: %Y-%m-%d %H:%M:%S
-  user: {uid}
-  host: {host}
-
 [privilege_escalation]
 # instead of using -K
 become_ask_pass=True

group_vars/all

@@ -3,4 +3,12 @@
 
 tls_cipher_suite: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
 
+ansible_managed: |-
+  This file is managed by Ansible.
+
+  {{ 'template: ' + template_path }}
+  {{ 'date: ' + (template_mtime | string) }}
+  {{ 'user: ' + template_uid }}
+  {{ 'host: ' + template_host }}
+
 # vim: set ts=2 sw=2:

group_vars/web

@@ -8,4 +8,7 @@ webserver: nginx
 extra_fail2ban_filters:
   - nginx
 
+# root prefix for all web servers
+web_root_prefix: /var/www
+
 # vim: set ts=2 sw=2:

host_vars/nomad03

@@ -1,88 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-30626135313830363339656165316536336564353362383439346465373932326136363337343762
-3566343231306635313739303335616162396232303139620a323764663132323135663063393334
-62656434643333663062356266626235363439393231333734343432333363643934393636373935
-6332353333303231370a373839636135363730636539326335343533316633623366663230353262
-37396264313763366438663139376638613337336634393665663032623035646631653564353966
-30353165333638363864656531396165363430653438376465656233306639353336353237343532
-62363330333662316630656662633333626462363062366637386163336230386634353933316238
-36373365323735373435616262613933333964323033633233333766396362616534316166386432
-31333831353130616166633735366131653137363361313333363763623364303435346338643838
-63323831616135643830653839323663386239343430356437346665343937306666333836363163
-37386663616136653861663530383865343930306263663366633438363332336561326330353235
-64613332643962323930323436393934636263396239366364306136303437323739343237656263
-33613964363139363862396235636435626432326432663166633765613635666165363165663539
-62366232316632356233326564633737643466343535656564653833623766373637313833373331
-38356336396461666535386363633437376232396330623162333936366434376361326261343336
-35396237346663646334306663306633383061353333643639613335643661633835313732353963
-64623234373033656366613566363639663762646663396462323361363463373961383530653962
-61613962316336653266383638393630323338383161303565333862633932646463313134613232
-31326262336561383066633430383833353835373363623163303830663837313265663662313862
-39353062333234663631653565613135396337626664626264366534633566386236393562303861
-66316335343638356261396339353932633331356363343231363862333066366438323764633331
-39316236343262666337303839356138666338306130323462646633373464646163613734366132
-37623739333435396266316131383238323365646632636339353631376166613532386133393165
-64633933393062623230346430653961646366316662356336646162313466393964323332616431
-34336562343337636138616431313736613539373137303666666435373238346233383438383963
-39346138393635626263376137643436393736636435393234646439353932386136653034393961
-65336230356336386539386334653236303964623632323738383333623361643235656530363731
-39306538353533663538366362613739386463336632653665636533616462363530636466626165
-32623762616266623231393938663931306231626139663736613862363234643861366563633532
-31393934333433316138323131373836306135333061363231363461643933303836633231343266
-37323732383036326664376438343261333733636532303664613965353561376337633564373062
-64316133333263393138333261323062626363343765393161363935386232353862353762626334
-31346661303239383832343637376663316537353938346534306134626534363438386162653133
-66616237663864633837356132663139633734303532653637366138386534653462323163313836
-34633337643661656465653839316362633236633833646632393930656136313730646566316537
-39653935633636363635386435373062333031356363633661366530616537356533323133366339
-34336139323138336532313833633364363566613833636339396462326530313961613133613761
-63356231313363303862663032373663626262646565353933663963363633363663373238656632
-31393264333732366565376164623766663162386365356233383132303835643932386436333631
-65663334336434663562326238326338376662303339616233616464313139363864623463613761
-36326235396433633435366263393964383936616433653861326431343133346435663832363437
-33333232636536363863373037616436313335393639393966653062303330366463323861376661
-39383665316665303363636331373461623339323031393333323465313733336236303037313132
-37613163373432316132306235343061393530366237626134323431323836316261326237323965
-33643662663361356164653430323566666230656561633434333538303365663334373537306164
-65633264323836656537623766316533386564663765376661663537303835393438623430343263
-64353031633436343938383263313439383033326532313466653766616164653463333434353664
-30653034353632373561346565616631656235323637333562613538663538363936663464383064
-31336365613037626331363731376663653537613639313839303934633462666430306635613434
-65333736653430363936663566666535346231383563366630653535313038383964326630616264
-63616563356361313439303833646438386163313865356634636536336661626664316163333739
-63303465643861656362386530353363383836396534373461663630636461633336333862353830
-38666536353663386466313066376562383366643062343965386132666435376433626165353735
-61666432613133646130373839336261333565303532643164306264633736346637373835393266
-33306133346531333835303238393361663463346162636161646565313266616133623735653838
-62396531313634343936363861373031383830636538376334316161326364303930383435653936
-36653233343935646337376232396638343033613130663563326135633231636362373162623565
-39323762623966393332376235643666383461356263346332663939616235346564636233333463
-35356161616536613939313436616233386563343764643335653961643366656632646338313536
-35323732333539326239386436306230646230663336623566633763383534626162386463613961
-62353737363435653866383633343830356536633462373636323734656231636466336235306162
-62666133656166633838363262613930396236393862306438316135643131393737363531373631
-31626635613233313063326463663738393632373135373632323731396332323138633962356364
-39396565393038623532313230383539656564383134363161393663373539393837313335303636
-38626138613932643265643231366364373964623436663566623838643939323331646661653435
-37373765393736303861346164373938393532636637353737326539333435666562643664363365
-65646662626630663238336264663665663762666439626336376434386436653965363832346339
-30396630343430323762666232366336376563616430643136336630373864623132386465393761
-66396439346563393539616335383562633237353962383033356230323339353336343964366134
-38623661326336376561633937613565386164656462313863336339643733663834373732643266
-61666438666635656236376239393433306239613936613731636235353638396432326438396432
-63333237333633333761666630663339613232313136316232346234363562333937363463333137
-39653336343732303536616662643961623932643330653936343337316135366535363964616439
-37376433326332386339363961656537326632333830346435353234333661636434343730356139
-37346131303930306364623334313335323563333631653539383637376433623439386564633035
-38346436376661333233663334623762646633346530643466336664386134353662363430316438
-63393333333034623537303030353136633035353865383366613961373766646463366131623564
-34646630666233333834383761363566373935333037633666336261313566613762616531653739
-34643162323438646165643433333438656664383232376233306233623539366233633337663565
-35323636633533343064376434666435666564666134343839653630326236343262633431326133
-36663432396666306631613162643065313135373332303863326234356537366436333938303637
-36636334396231316564643733646662376138313637643232373836373632643362383363363530
-32363736646162303532356132373337616162636464643164323432623338363463663736373433
-34343136646339376132383434623261356163393032306134633665323130623766333738656639
-64306632346162396533316431343339366664333335643464386266376464393039633439653837
-36303363326239316663346434613336636239653331626661393962356166383339333234376135
-653361363631363366323165353538313438

host_vars/web22

@@ -1,138 +1,141 @@
 $ANSIBLE_VAULT;1.1;AES256
-30653462626164306438653362626264393131386663636363653639316638336263306533356134
-3864646330316365313863366539356635336131313162390a643864336434316537356233313639
-31383365653765643634663262643761633937663166383430616131383739616430646130653963
-3363613439666634330a376465653332643539653634666561303266306165303134343230616432
-64653139633837343264313533323766383435383538643030393036326338303266623262393731
-66343938363865633539656165363865616164343737396235313963633030643163363034353533
-64356639646362663832626430333166306366373365343437663964343966376263336439373965
-63383339323534386138366535636132633330663139323037363661366566316439623764613364
-62663563613361333835626365323266623731623663636339353933393835336135666263656233
-61376138623465623361393264383730336239363831366434663664346166363832613533643563
-32616432356162346536653966633862303338666338383736653433313039643961333138363337
-30373466353532373931343735353861326432623365633065643838383032373664653536663432
-34613432303563346335363933363064303731316239396631343134633765626464306666616463
-33643432613565383830376565373266316632613234643738656465393762383130613338363063
-30383139613137333431663561373232633062636334643762366261333964383461636132383534
-66613332336437316563356461346233343632643538623963313835396363623361326466363663
-31363735343634383335373438343465666536336431623263366461323465363965643938663334
-63636637653163633431313632316534366164336366393638343861363261656531616632626636
-31306364643130646635613262656537653063363133316562333830393964643730336636623863
-66303834336131393833633539636230643838316334303066396236383831663466363161653439
-32663665373263613163646630333335303065346437393931396332643830663833353166313464
-33383364313962623338643963623235366161653637343164396232666563323866666231366565
-65616232653163623863666432363065666238383432323466636439646230623239363837653634
-37633738336164383635323136333233333765666135303064396130326231663666636563613934
-34646639333963303338303865613735366265373763623465343636643234663136393130626663
-32623465303564653737323664316665613030316432366630396463653038393032313730613362
-62393934386336643666323861663830646538343362326166653564623365306639393539356431
-30643539656561623365653638613933376338643036373962376438633161306637373564313135
-62303438373037323565303033333339346165306237336638316461336333633834336362316261
-31316234313461336134643565636364393864333934633265616135396438313164303064373261
-37346262633165646539623365373134376363636435653032653431303533393964313662303361
-38383536643637333038303735383130636436336261356364363161636261343166613138343935
-32303261333332373636346565363535363237616530326639666663303462656266613861396531
-33393033343735303664333132313038343866656336383739356337613032333030376332386665
-32666261646366633736306239383232336163353766663532646264373337316362626134646134
-63633034336232316631623563313036623938373865366237373331303133386665303064353662
-35383833383837376637396265646237343139633531363262353731313032373039353562303764
-32383264343362366462373032646431643666653566623433656665303334616433373039353765
-31623933343532633166663939643064633965383232373664633338616534336564383038326264
-37613034646632626634303264636633633264393238343539386165343962623638656637633838
-65633162663430623831326365383435363363626230393339646262373837393736613935653338
-33623265373634363862386664613137316137336439353335653264646366383966326339316166
-38346432366638663163663439333038313866333733303535663230323139656335643763336337
-34656433656364633466393562653438373631363638363731363536366432386635303436656637
-39346139656363313631336661666362363630616634356234363235656136393166353932373634
-37313435653737343233643164646332316638313337366539303265313737656238336631346164
-39643236623234353266303163353931313033626564336332396266636537333662653030366630
-32313563346331373538333066643962316237333839313866353461346265326263623136646665
-62623136313934646430373063343466663130643331356562353735613063383335346466666265
-64316161323465666162343135313237653932396437666139323536646463633563393434656333
-62323736653439336463343039636464363265366137656330316262353732633063396335366539
-35343765363464386261346538396437663331326333663530623031643739303037306663363237
-61356137356561616439343966353832623065303365616234333135373432386332346462313965
-33336130623133653038653931303437356139663365646434633066333034383937643235633862
-33393039346439646136313936623331303436303262656466303134633437316431396530643066
-36363966316461353061663033353362643835353966396336646561343365663031343861366136
-35313965323735376336666531656266313166656663323762383332343530323531653235636539
-35363832336662383361363433613964306534643965643266376336346435333534363739623932
-31303363396665326366373732343065613663616133653433383463373063373431393264333231
-64373938613935626461353333663830656433386566303030393234313862373531333535333337
-35393332626139626566353135663439313438646333616434613134336465366236356137653061
-30636437313431653137313561376239656261353565393438333837383266396632666634646163
-31636538353565343862356638303831323738376331373131316564376536666666626438623962
-30653962363061373934376365373232613938343631633639363261663561643061626133356630
-31393366396538336332323366646432653431656664313131383639646236643736653334343739
-37363631393866356364353333623335636139393663326330636233646165316364656230616539
-35383434336465323838666464396465316531333137643463623762616262666166316365393936
-30396239336230303565366438306362653563626535326564356639356662363133363237656235
-66373839386264636136613138343932386662303335323864653536633432376364613432336161
-36363437613461633864643464373035656335376435373638326662383564303965333031363737
-36616266323761316462313433313538353761643565623331346136633235326165383036336632
-32663738356632383032363335343337396462333566356364306432353733323632336633333962
-36383465663263663235363339336331313736363534653739663564363039386266653838383838
-62623061613261303963613231363635383763346262336336626461346534633436653036613131
-63363539636664336232393564333036636361316332343237663865646333313132363965303465
-32323431663639616530646465323331643833383533396430333463626462353837303632613231
-34396534376262386532613531633662353833366131356664343764326537663136353063376635
-35303162623363386432376636356138353965643634366639633932303764306361393966306434
-66343436353761316638333933633231646435323434313132336538336331363535326631663334
-38383030396165616334343734666462643462353863303331666238353863383363616566633661
-64653736383065633566323532343932343236316438353061643362383262636439656532386166
-64306139353431303362366331356232313864626537623637376463303531353136343036633865
-30633266303535363035346234336162636437636563343230376466653662613563386438393836
-37633437383035366631313463626439653536373032313363616338623237313536343262376332
-62373835666530636338663030626331356330393361303236626236656533323230383361623664
-35303763663936636537383733623233653031336365353130336165613634383337323136366539
-30646439623264326464383138376465393931366463373262353936396365333437326337343435
-61393031383137613963353065346264306235623562343163303936333431336632306232316633
-39343436356462343137663436363730333164636662313039383338303039613337373763313062
-63636262393561323262336463656435663632343361353763376161366661623936613766323034
-64316666313834613931643762336266623636303532613339623433313631666131366633653364
-36396237646536663638393032313833643232386165363366353938663065666363613364636432
-37633561633138653461633335366530376630393133373335323435636362623663656336303161
-61366330656131643833643939613361663362386461373533616535333263376139376133373763
-38663064636538356465643136313639336634393738366263333663656539353032623865316135
-34623861313962383633366464613864333130316632616563343532633963323439383631643633
-31666430653535383834306331383033343235343739663562313534616638653465333838616137
-33653337643962666130383364626264646633393565393266316236333165316230643761663638
-62643363343663636666376531356561363362353466646135613231643439333930343861643463
-39633639373166616265303634343564313662346334346433643966663963396235626635333835
-66303264323763396166336562643638343530376166323330353035626432376463353232626430
-36656161386633373531636439393233653061376534646637643636366464646162393231666236
-35306536323431356364323666656531336238653065386333303633343362333730313366313035
-34393637663662386436393434313539336162343864326562313337313239613966623364303564
-32366462376333303632366561623464346534326335383530386461386239376235353966383265
-38356461393739336565353965633037643534386633636535656537343762333834396661393931
-64663963613835313635333130353734303139623265626430366666356431623639646465386430
-31383031316166333532343762363237383065396437396130656635393965363838393465303665
-39336332653436623133393064656337343465616430333531386635303433646533643338313931
-65316562636562366263386461356363313637353163343564663536613734666634353266366161
-34353839636138336539346165336365306435356239633064333432316466396162623936316638
-64336334646237653534666461303233376464343631343865633961633566373239653861656533
-36623163653361346361383431623032653336616430383265353935393734336333326134633630
-38343965396431623539393534376637316333646663643036376139646531353765303565636633
-37653033303335306636613565376362353862633965616535363064373937373566356165323933
-64333032653464303864383863333662306561656132643863336136633533346437333432336634
-30343961326661653534613833306263316637663035653839346661643766623565633136336163
-32303363316534383436353463663232336535336363313432663666323962336663323265356130
-61316333313930623366643765346265343566316364306532386264393438633231333562313061
-34653638366634623931343733336631383266346662666435363566303061393263663766383765
-31313363313039366534656664623966396562343762653862613933303936626132383638366137
-35653833333564666337366339336338666665353936343036326532316663366638613333373136
-31343361343534326135636363373038376462376161653664643438336430613634343736303638
-63393562333163623136313363323835653766316336623436386533393263333663613166663134
-65633639363264343561616330313533333330623339326161323532376432336239316464633563
-38626666306361313765323639373161623462363961633865386666356236326665633033633933
-33353331396539623966336235323938656238356436313133623633316564373966623365636537
-37643434323062366361636132623730353138666565363438343935363433633734313139653762
-39303533316338633964373237623335626430633437356632643164353866363134633463313236
-66346533363361313638363439333231386561643237326330373334316335383036303639323731
-37633231396336306336303161666231393238343731633563323361303439333432353730356261
-38623230326438653965373666313239393531623330323133373731643131356536336339326361
-33363032396462396566323162383935646335633962356466356238303562626565636363363532
-61303636646231323231353033383238383230633563393436303430663664383539663937666235
-65333931383365313164383865613330376539346539363636303939393633653061613465343131
-30613134306639353237356665393432323335346564313933306637643830306631343463623761
-3537
+65636230346264393938656566653961393466306338353435333061356463363836616435333731
+3537316534663335343333643435383663303438333433650a666133633965643939306661383536
+33626364316338306530393036653134373339653264616537623731323063646531383137333131
+6263363037613631360a343831393830646536326538363764643136613732636165316466316566
+65346162383337626631663533626230643061633139663661656365333738353530316661313864
+32373831396437386434313430666434363534656130613632643264393538663131336635653537
+61613065336133343130353862646130386136333231393962353064666335363330623064626631
+34333137363566313764343335646531326337616563366636316232633936333264373731653332
+66366361643261626563633838663061303762386234336133366233356564343562323965663731
+38326631333166643534313836323337663131313766306166333534336333613735643033326633
+39396335613362363230333863396535343464346437366632316336626539623865313239353539
+30643834633130333564666162623365323439396630333136616137633532363530623234376332
+66353539306637633432353231326666643261386466633533313063353061643761313132623035
+62653263636237666432336662633136653930323532623137386261333862623337326431336365
+36663364386364346631393031326434326334636166663739366435616166363130623463633733
+35383834326231363264623061303066326433613139333237656635643835393762313866356237
+62616435613863616161376666333966323030326531323261646436633233613635383438373834
+31343133326231636661353466396566656365396466343430613262316537623631376433633630
+62336664346363393363306163333662323338343139646238633830326535313034613739616138
+38313637333333383032316134316164363036396338306634633436633564306333336437393566
+61656337343030393936353364386461643766636564333864396130343762323630393839393463
+35343864393035333930313238663465663633633862623336663136626165666131383933626437
+31323936653737646231363036383764333335313762356465333635303334663734636531343331
+37386461643239363434373864373561353339343031346364383530663430393938333963333837
+63303966366364626665303530356433643264343861346238353937386338383034356633623231
+36663735386233396138306561326339626262326463336535646265666637383032396435333835
+31363266666230366438313432356637663632333530646263663563373137313262663937636532
+66633731333166386564386666363130633734643963653030386533393766623038383234646161
+36343135663231323030306430623535373534353835623339333738376362663930343436343637
+34383963306266623437323462356466336533643933653839366666393839626663353264326334
+32663461663561396631363533383334363361373764363132643435373537333839613066396463
+35386436326638353431363064626131306634363339653132396563356239653265303930333634
+32376332643863376237383966623233323864393338346537393865363661616338333631383532
+34373635316138663261633839333664353432666234306463306338653634633038373266646462
+32336534356537306366656236356663616336333031306431653239343132336234626165333032
+38303137666131363462363263333832356333616130346337663837376365346166306261373036
+63383236323738303562623631633064363564663861336162356262373861383965623935343931
+65663934623431363164356331353135633837616130363464353661663438323132363165343766
+31393633306261303762613537343034316535373731363365666530623361623630633137326466
+32326533313362333863383561343230626466303831623033613065363136396362373333306333
+32336464356364663564626234653832323265313364343631646633396362373438666165353962
+38396330333161356365626562383531323664636235643666613631636636323638376638396531
+38646531666164653161353932643662363261323564373537343731666232666532633063353431
+61386163363562313330393037656139303365396438313935306333656264373531373037303939
+63373962356233346164383163323532373163376364623766323933623063653939346537306338
+65353266656532636633326137356430666432333465626437633733356435363163626430303964
+39343935623937616130326637323061373538616633393465653266656666376661393635333662
+30363364653130356137393463613038663762396336306234363461396133306562323838336330
+63303735646132353766313137303162366164613530303966383636393934393035306264626465
+36613233376234633932663963623432663032656236323963353036356437383066373532323865
+36643431373966613533646164303564653336396535343366303339303134613936656137653939
+31333062623734613538333666636561386338306235633165386262383261333264623638383366
+34313266333636376337393736343062363539366235393136663561303663386438333834613539
+38623632656161653766363166653661336136653833336663616261663831656133666232633362
+31373166306134653162313134333432323134623336666632613766386662653831643732326330
+63643737333638626162646136373466613536653831663835616432343537323864343166316461
+34393732353930343430356231626636373763636561343430616533663861346566326262313232
+39623936366633363136353632346134643563383833376134363833336137613337326435613764
+37653232613632333334316162383261383836613936376230393633343336346633386539356232
+30316232373738363038356665366663623536626539376364303038643061386363636337386663
+61383634336530666163346239343838326138373932383339396265653764313039653138643938
+31613163653632656238376533363739346539623863623332653936643731623565613234663430
+39363935306330386634363634363233376234613837353765353732646638663830323335616234
+34366334636436633734333830306136333563666337623035653239313361626438316535313434
+37343930643832383136343737313365316238373638323130653766646637343464653134616137
+38313034383833626433326237633863313364353662326233636333333932633039396565356133
+64376166383064343239633364363861616136643061646636323437376162313438396230393331
+32633662323031666238643934646665303666383834336432363430363166356632353033336333
+64383861663563653531643832656238643066323564656134633639666234363363363132623836
+61386431643130333761376161646262346562363532353632633332343666393562313465303337
+31333732626164363464323531323239333963303333626466623966346361383832353765346565
+37303765363834376237636632386663373061346534643132636333623137366662646538306231
+33353538623231636166653838333264396463616437396264353537633661313932353133316438
+61323439363635383035316335363132383366613733383363306366356466333364633537393033
+66636434623962633063306236303831633637656430376533353436613934636466363461333562
+34613339373732343632343435333331353935303735633732656663643938663439656233613163
+65356232633865656439643430636332386663333761376638323630373930663837653638363963
+63656437323138633664613166353537306466666261353532326363346332343363343035386435
+33326238333730303539363265383761663862313961383030326263353034303866626661623334
+61623365373332366333376630626539343835663466666534636561643736646537646431386631
+36366132663830336234613065626262336564316339383038333330323237363665373935326438
+38646335346239316432636138633365373062663564326465643032633438306230363434323262
+34313932653361346261623030623739313665356464373666346361663430336362383063666134
+38323539653437623030333437373231646634333563306165393231653465313731633536323362
+65613262633563653031306139383436663834616339316164393365336437653730393331636464
+32313537313164386164313832396566353137376239303663656130383336336634313235376363
+63326530333339356432343938306465623636336161363133613864336339393635306234656263
+34343437336461303831393562653934633439336562663366643066393439396531653663386531
+65623061643064396534353364663633653331653535306133386466356236623239646432373066
+61313261366466663866613162323939646534653561356335393237376138633930663364636236
+36613834303338646530663565303438363831663865323531386635303239646464343936303832
+31323531363263333830623838666437636262306164386236643032356165323037656630383739
+65666333656639333263346465666463616534353835656337353464336134303732323037393538
+37366263656133643039373438636537343636663065646534616339303833666532396633616565
+38353139323739656564623065613364346164633863343738633163383031663531663365616534
+31663835323435643463666264623932396133336531626331303862356261306238326333366164
+66306262386137363432376530366432356432653333393833376532623333373337393830316263
+30326531613662313430663130613734663937613663353936346134356537393761373238393433
+37356136393731626561303430626339386531386333386536656465646232633934393630613339
+61333163613862346564316336353766346461626639303661353464633835626663313462613666
+33343561613662303036643937656431393432333831383461323631393262346464393539353537
+33633364383261663535323136393138333739356439663731636136393530323864333566323361
+62643961323264336662316661303630636430323838633535343036303437393439656637326566
+34363832366434316639393939313965633037653931323462363465643262653539623063326432
+36616434366432303235663062663138623336336165373734353838333662363239333762323932
+65393765326232373230666437656433373930643638386131363339343630636634636434326464
+39366339326263666239646237326534383665376536313536303263373265306537316161663262
+31346635346436313261626366333738333966643333313230623133313434373530366462653435
+33353434643635383833643736653461373765326537313430353164306566323733653237343632
+66346133656333303538306133313563393363313230323664303836323861346466343230343264
+36613934643662626365653036636136623630333638373565316437646232316263663433313762
+39353234333131623731643662303130626465386338353833393533646564646565623736343039
+38356635393461353166653565336535626366396532633961393334343234353764303431303663
+61666533633731663666346132383037646433336463643062396465383034346631346165323939
+33313937343338383737373164363930336236326432346465646166363430653932333932343236
+38336235613034386533613665393666633635383164646538373035623862343737353463623730
+33396233353331633463373538326365636231323535633737303562613262613730636237336632
+38626230313637336436623661666438666538333838356632653034303864313232623337306333
+66363464643061363337393732323065306335656531376337323438313733616539613538333837
+34363033666366613933343563303537613564356462313931353533323938656362393536386334
+38336237616335346334613534323130613861663239356363366564623933303737306138613535
+63643639323135663232336131643331343063363234336230653536623765323562393161663266
+32663839613564613636343166396463366665666333306239386338616366363236393931313439
+30386238316261323630633464386265353464333735336435646663656638316130333762666531
+38626463316165373434613436343335303633643965633230326534323761616365376630363039
+30336661313737383535343934366466353231396430353030653762383934666235646161653832
+31613565643031353535353234386665373636356362653337366563316630343838626231646462
+34623262343761373831303861313661666435373565386465336166306631376666643631303863
+37633934326262623737373266326631663932373863346466613133303961386466366336643235
+39303933333236626637663636633739343761393432616232643238663738313636346137316430
+34623238326430616134396166306339626261643032613661343763366138653830376463306461
+62366564393364306139633837646264633130383064383730393862633561303538363232663366
+30343633666632303530356637646337623339303236376164633962383839386265336666396436
+38616238656336343066333063393833623862646237323238393465633662393362353161313963
+63663539383630366536313933643565346162646363353035386666396363633635386564346666
+64336362633033346461353133396363646237613433306366333064626563656637383863323361
+31386262346631343565653836333764636366313330633462303533616531316537353538313031
+64366263666138356339373864383866303632366162633738383437323564313732373738373038
+39643862336136663165343736613730306339643237313361333438613438323439373966396138
+62323661383336396636

roles/caddy/defaults/main.yml

@@ -2,7 +2,7 @@
 # file: roles/caddy/defaults/main.yml
 
 # parent directory of vhost document roots
-caddy_root_prefix: /var/www
+caddy_root_prefix: "{{ web_root_prefix }}"
 
 # Email address to use for the ACME account managing the site's certificates.
 # Not sure what Caddy does if this doesn't exist.

roles/caddy/handlers/main.yml

@@ -3,7 +3,7 @@
 
 # I'm currently not sure when we need to restart versus reload
 - name: reload caddy
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: caddy
     state: reloaded
 

roles/caddy/tasks/main.yml

@@ -71,6 +71,7 @@
     mode: "0755"
     owner: root
     group: root
+  tags: caddy
 
 # TODO: the variable is still named nginx_vhosts
 - name: Configure Caddy virtual hosts

roles/caddy/templates/etc/caddy/conf.d/vhost.j2

@@ -8,6 +8,12 @@
 {% set needs_php      = item.needs_php | default(false) %}
 {% set has_gitea      = item.has_gitea | default(false) %}
 {% set static_site    = item.static_site | default(false) %}
+{# Allow sites to override the document root #}
+{% if item.document_root is defined %}
+{%   set document_root = item.document_root %}
+{% else %}
+{%   set document_root = (caddy_root_prefix, domain_name) | ansible.builtin.path_join %}
+{% endif %}
 
 {% if domain_aliases %}
 {#   domain_aliases is a string, so we split on space #}
@@ -21,15 +27,20 @@
 {{ domain_name }} {
     {% if has_gitea %}
     reverse_proxy :3000
-    {% endif %}
+    {% elif static_site -%}
+    root * {{ document_root }}
 
-    {% if static_site -%}
-    root * {{ item.document_root }}
-
-    encode zstd gzip
+    encode
 
     file_server
-    {% endif %}
+    {% elif has_wordpress -%}
+    root * {{ document_root }}
+    encode
+    {%   if ansible_facts["distribution_major_version"] is version('12', '==') -%}
+    php_fastcgi unix//run/php/php8.2-fpm-{{ domain_name }}.sock
+    {%   endif -%}
+    file_server
+    {% endif -%}
 
     import security-headers
 }

roles/common/defaults/main.yml

@@ -8,7 +8,7 @@ fail2ban_maxretry: 6
 fail2ban_findtime: 3600
 # 2 weeks in seconds
 fail2ban_bantime: 1209600
-fail2ban_ignoreip: 127.0.0.1/8 172.26.0.0/16 192.168.5.0/24
+fail2ban_ignoreip: 127.0.0.0/8
 
 # Disable SSH passwords. Must use SSH keys. This is OK because we add the keys
 # before re-configuring the SSH daemon to disable passwords.

roles/common/files/abuseipdb-ipv6.nft

@@ -1,5 +0,0 @@
-#!/usr/sbin/nft -f
-
-define ABUSEIPDB_IPV6 = {
-fd21:3523:74e0:7301::
-}

roles/common/files/aggregate-cidr-addresses.pl

@@ -1,89 +0,0 @@
-#!/usr/bin/perl
-#
-# aggregate-cidr-addresses - combine a list of CIDR address blocks
-# Copyright (C) 2001,2007 Mark Suter <suter@zwitterion.org>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see L<http://www.gnu.org/licenses/>.
-#
-# [MJS 22 Oct 2001] Aggregate CIDR addresses
-# [MJS  9 Oct 2007] Overlap idea from Anthony Ledesma at theplanet dot com.
-# [MJS 16 Feb 2012] Prompted to clarify license by Alexander Talos-Zens - at at univie dot ac dot at
-# [MJS 21 Feb 2012] IPv6 fixes by Alexander Talos-Zens
-# [MJS 21 Feb 2012] Split ranges into prefixes (fixes a 10+ year old bug)
-
-use strict;
-use warnings;
-use English qw( -no_match_vars );
-use Net::IP;
-
-## Read in all the IP addresses
-my @addrs = map { Net::IP->new($_) or die "$PROGRAM_NAME: Not an IP: \"$_\"."; }
-    map { / \A \s* (.+?) \s* \Z /msix and $1; } <>;
-
-## Split any ranges into prefixes
-@addrs = map {
-    defined $_->prefixlen ? $_ : map { Net::IP->new($_) }
-        $_->find_prefixes
-} @addrs;
-
-## Sort the IP addresses
-@addrs = sort { $a->version <=> $b->version or $a->bincomp( 'lt', $b ) ? -1 : $a->bincomp( 'gt', $b ) ? 1 : 0 } @addrs;
-
-## Handle overlaps
-my $count   = 0;
-my $current = $addrs[0];
-foreach my $next ( @addrs[ 1 .. $#addrs ] ) {
-    my $r = $current->overlaps($next);
-    if ( $current->version != $next->version or $r == $IP_NO_OVERLAP ) {
-        $current = $next;
-        $count++;
-    }
-    elsif ( $r == $IP_A_IN_B_OVERLAP ) {
-        $current = $next;
-        splice @addrs, $count, 1;
-    }
-    elsif ( $r == $IP_B_IN_A_OVERLAP or $r == $IP_IDENTICAL ) {
-        splice @addrs, $count + 1, 1;
-    }
-    else {
-        die "$PROGRAM_NAME: internal error - overlaps() returned an unexpected value!\n";
-    }
-}
-
-## Keep aggregating until we don't change anything
-my $change = 1;
-while ($change) {
-    $change = 0;
-    my @new_addrs = ();
-    $current = $addrs[0];
-    foreach my $next ( @addrs[ 1 .. $#addrs ] ) {
-        if ( my $total = $current->aggregate($next) ) {
-            $current = $total;
-            $change  = 1;
-        }
-        else {
-            push @new_addrs, $current;
-            $current = $next;
-        }
-    }
-    push @new_addrs, $current;
-    @addrs = @new_addrs;
-}
-
-## Print out the IP addresses
-foreach (@addrs) {
-    print $_->prefix(), "\n";
-}
-
-# $Id: aggregate-cidr-addresses,v 1.9 2012/02/21 10:14:22 suter Exp suter $

roles/common/files/etc/cron-apt/3-download

@@ -1,2 +0,0 @@
-autoclean -y
-upgrade -y -o APT::Get::Show-Upgraded=true

roles/common/files/etc/cron-apt/config

@@ -1,5 +0,0 @@
-# Configuration for cron-apt. For further information about the possible
-# configuration settings see the README file.
-
-MAILON="never"
-OPTIONS="-o quiet=1 -o Dir::Etc::SourceList=/etc/apt/security.sources.list -o Dir::Etc::SourceParts=\"/dev/null\""

roles/common/files/etc/sudoers.d/provisioning

@@ -1 +0,0 @@
-provisioning   ALL=(ALL)  ALL

roles/common/files/firehol_level1-ipv4.nft

@@ -1,5 +1,5 @@
 #!/usr/sbin/nft -f
 
-define SPAMHAUS_IPV4 = {
+define FIREHOL_LEVEL1_IPV4 = {
 192.168.254.254/32
 }

roles/common/files/spamhaus-ipv6.nft

@@ -1,5 +0,0 @@
-#!/usr/sbin/nft -f
-
-define SPAMHAUS_IPV6 = {
-fd21:3523:74e0:7301::/64
-}

roles/common/files/update-abusech-nftables.service

@@ -1,27 +0,0 @@
-[Unit]
-Description=Update Abuse.ch SSL Blacklist IPs
-# This service will fail if nftables is not running so we use Requires to make
-# sure that nftables is started.
-Requires=nftables.service
-# Make sure the network is up and nftables is started
-After=network-online.target nftables.service
-Wants=network-online.target update-abusech-nftables.timer
-
-[Service]
-# https://www.ctrl.blog/entry/systemd-service-hardening.html
-# Doesn't need access to /home or /root
-ProtectHome=true
-# Possibly only works on Ubuntu 18.04+
-ProtectKernelTunables=true
-ProtectSystem=full
-# Newer systemd can use ReadWritePaths to list files, but this works everywhere
-ReadWriteDirectories=/etc/nftables
-PrivateTmp=true
-WorkingDirectory=/var/tmp
-
-SyslogIdentifier=update-abusech-nftables
-ExecStart=/usr/bin/flock -x update-abusech-nftables.lck \
-          /usr/local/bin/update-abusech-nftables.sh
-
-[Install]
-WantedBy=multi-user.target

roles/common/files/update-abusech-nftables.sh

@@ -1,63 +0,0 @@
-#!/usr/bin/env bash
-#
-# update-abuseipdb-nftables.sh v0.0.1
-#
-# Download IP addresses seen using a blacklisted SSL certificate and load them
-# into nftables sets. As of 2021-07-28 these appear to only be IPv4.
-# 
-# See: https://sslbl.abuse.ch/blacklist
-#
-# Copyright (C) 2021 Alan Orth
-#
-# SPDX-License-Identifier: GPL-3.0-only
-
-# Exit on first error
-set -o errexit
-
-abusech_ipv4_set_path=/etc/nftables/abusech-ipv4.nft
-abusech_list_temp=$(mktemp)
-
-echo "Downloading Abuse.sh SSL Blacklist IPs"
-
-abusech_response=$(curl -s -G -w "%{http_code}\n" https://sslbl.abuse.ch/blacklist/sslipblacklist.txt --output "$abusech_list_temp")
-
-if [[ $abusech_response -ne 200 ]]; then
-	echo "Abuse.ch responded: HTTP $abusech_response"
-
-	exit 1
-fi
-
-if [[ -f "$abusech_list_temp" ]]; then
-    echo "Processing IPv4 list"
-
-    abusech_ipv4_list_temp=$(mktemp)
-    abusech_ipv4_set_temp=$(mktemp)
-
-    # Remove comments, DOS carriage returns, and IPv6 addresses (even though
-    # Abuse.ch seems to only have IPv4 addresses, let's not break our shit on
-    # that assumption some time down the line).
-    sed -e '/#/d' -e 's/
-//' -e '/:/d' "$abusech_list_temp" > "$abusech_ipv4_list_temp"
-
-    echo "Building abusech-ipv4 set"
-    cat << NFT_HEAD > "$abusech_ipv4_set_temp"
-#!/usr/sbin/nft -f
-
-define ABUSECH_IPV4 = {
-NFT_HEAD
-
-    while read -r network; do
-        # nftables doesn't mind if the last element in the set has a trailing
-        # comma so we don't need to do anything special here.
-        echo "$network," >> "$abusech_ipv4_set_temp"
-    done < $abusech_ipv4_list_temp
-
-    echo "}" >> "$abusech_ipv4_set_temp"
-
-    install -m 0600 "$abusech_ipv4_set_temp" "$abusech_ipv4_set_path"
-
-    rm -f "$abusech_list_temp" "$abusech_ipv4_list_temp" "$abusech_ipv4_set_temp"
-fi
-
-echo "Reloading nftables"
-# The abusech nftables sets are included by nftables.conf

roles/common/files/update-abusech-nftables.timer

@@ -1,12 +0,0 @@
-[Unit]
-Description=Update Abuse.ch SSL Blacklist IPs
-
-[Timer]
-# Once a day at midnight
-OnCalendar=*-*-* 00:00:00
-# Add a random delay of 0–3600 seconds
-RandomizedDelaySec=3600
-Persistent=true
-
-[Install]
-WantedBy=timers.target

roles/common/files/update-firehol-nftables.service

@@ -0,0 +1,24 @@
+[Unit]
+Description=Update FireHOL lists
+# Make sure the network is up
+After=network-online.target
+Wants=network-online.target update-firehol-nftables.timer
+
+[Service]
+# https://www.ctrl.blog/entry/systemd-service-hardening.html
+# Doesn't need access to /home or /root
+ProtectHome=true
+# Possibly only works on Ubuntu 18.04+
+ProtectKernelTunables=true
+ProtectSystem=full
+# Newer systemd can use ReadWritePaths to list files, but this works everywhere
+ReadWriteDirectories=/etc/nftables
+PrivateTmp=true
+WorkingDirectory=/var/tmp
+
+SyslogIdentifier=update-firehol-nftables
+ExecStart=/usr/bin/flock -x update-firehol-nftables.lck \
+          /usr/local/bin/update-firehol-nftables.sh
+
+[Install]
+WantedBy=multi-user.target

roles/common/files/update-firehol-nftables.timer

@@ -1,5 +1,5 @@
 [Unit]
-Description=Update Spamhaus lists
+Description=Update FireHOL lists
 
 [Timer]
 # Once a day at midnight

roles/common/files/update-spamhaus-nftables.service

@@ -1,27 +0,0 @@
-[Unit]
-Description=Update Spamhaus lists
-# This service will fail if nftables is not running so we use Requires to make
-# sure that nftables is started.
-Requires=nftables.service
-# Make sure the network is up and nftables is started
-After=network-online.target nftables.service
-Wants=network-online.target update-spamhaus-nftables.timer
-
-[Service]
-# https://www.ctrl.blog/entry/systemd-service-hardening.html
-# Doesn't need access to /home or /root
-ProtectHome=true
-# Possibly only works on Ubuntu 18.04+
-ProtectKernelTunables=true
-ProtectSystem=full
-# Newer systemd can use ReadWritePaths to list files, but this works everywhere
-ReadWriteDirectories=/etc/nftables
-PrivateTmp=true
-WorkingDirectory=/var/tmp
-
-SyslogIdentifier=update-spamhaus-nftables
-ExecStart=/usr/bin/flock -x update-spamhaus-nftables.lck \
-          /usr/local/bin/update-spamhaus-nftables.sh
-
-[Install]
-WantedBy=multi-user.target

roles/common/files/update-spamhaus-nftables.sh

@@ -1,91 +0,0 @@
-#!/usr/bin/env bash
-#
-# update-spamhaus-nftables.sh v0.0.1
-#
-# Download Spamhaus DROP lists and load them into nftables sets.
-# 
-# See: https://www.spamhaus.org/drop/
-#
-# Copyright (C) 2021 Alan Orth
-#
-# SPDX-License-Identifier: GPL-3.0-only
-
-# Exit on first error
-set -o errexit
-
-spamhaus_ipv4_set_path=/etc/nftables/spamhaus-ipv4.nft
-spamhaus_ipv6_set_path=/etc/nftables/spamhaus-ipv6.nft
-
-function download() {
-    echo "Downloading $1"
-    wget -q -O - "https://www.spamhaus.org/drop/$1" > "$1"
-}
-
-download drop.txt
-download edrop.txt
-download dropv6.txt
-
-if [[ -f "drop.txt" && -f "edrop.txt" ]]; then
-    echo "Processing IPv4 DROP lists"
-
-    spamhaus_ipv4_list_temp=$(mktemp)
-    spamhaus_ipv4_set_temp=$(mktemp)
-
-    # Extract all networks from drop.txt and edrop.txt, skipping blank lines and
-    # comments. Use aggregate-cidr-addresses.pl to merge overlapping IPv4 CIDR
-    # ranges to work around a firewalld bug.
-    #
-    # See: https://bugzilla.redhat.com/show_bug.cgi?id=1836571
-    cat drop.txt edrop.txt | sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' | aggregate-cidr-addresses.pl > "$spamhaus_ipv4_list_temp"
-
-    echo "Building spamhaus-ipv4 set"
-    cat << NFT_HEAD > "$spamhaus_ipv4_set_temp"
-#!/usr/sbin/nft -f
-
-define SPAMHAUS_IPV4 = {
-NFT_HEAD
-
-    while read -r network; do
-        # nftables doesn't mind if the last element in the set has a trailing
-        # comma so we don't need to do anything special here.
-        echo "$network," >> "$spamhaus_ipv4_set_temp"
-    done < $spamhaus_ipv4_list_temp
-
-    echo "}" >> "$spamhaus_ipv4_set_temp"
-
-    install -m 0600 "$spamhaus_ipv4_set_temp" "$spamhaus_ipv4_set_path"
-
-    rm -f "$spamhaus_ipv4_list_temp" "$spamhaus_ipv4_set_temp"
-fi
-
-if [[ -f "dropv6.txt" ]]; then
-    echo "Processing IPv6 DROP lists"
-
-    spamhaus_ipv6_list_temp=$(mktemp)
-    spamhaus_ipv6_set_temp=$(mktemp)
-
-    sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' dropv6.txt > "$spamhaus_ipv6_list_temp"
-
-    echo "Building spamhaus-ipv6 set"
-    cat << NFT_HEAD > "$spamhaus_ipv6_set_temp"
-#!/usr/sbin/nft -f
-
-define SPAMHAUS_IPV6 = {
-NFT_HEAD
-
-    while read -r network; do
-        echo "$network," >> "$spamhaus_ipv6_set_temp"
-    done < $spamhaus_ipv6_list_temp
-
-    echo "}" >> "$spamhaus_ipv6_set_temp"
-
-    install -m 0600 "$spamhaus_ipv6_set_temp" "$spamhaus_ipv6_set_path"
-
-    rm -f "$spamhaus_ipv6_list_temp" "$spamhaus_ipv6_set_temp"
-fi
-
-echo "Reloading nftables"
-# The spamhaus nftables sets are included by nftables.conf
-/usr/sbin/nft -f /etc/nftables.conf
-
-rm -v drop.txt edrop.txt dropv6.txt

roles/common/handlers/main.yml

@@ -1,27 +1,27 @@
 ---
 # ansible.builtin.file: roles/common/handlers/main.yml
 
-- name: reload sshd
-  ansible.builtin.systemd:
+- name: Reload sshd
+  ansible.builtin.systemd_service:
     name: "{{ sshd_service_name }}"
     state: reloaded
 
-- name: reload sysctl
-  command: sysctl -p /etc/sysctl.conf
+- name: Reload sysctl
+  ansible.builtin.command: sysctl -p /etc/sysctl.conf
 
-- name: reload systemd
-  ansible.builtin.systemd:
+- name: Reload systemd
+  ansible.builtin.systemd_service:
     daemon_reload: true
 
-- name: restart nftables
-  ansible.builtin.systemd:
+- name: Restart nftables
+  ansible.builtin.systemd_service:
     name: nftables
     state: restarted
 
 # 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed
 # in the order they are defined, not in the order they are listed in the task's
 # notify statement and we must restart fail2ban after updating the firewall.
-- name: restart fail2ban
-  ansible.builtin.systemd:
+- name: Restart fail2ban
+  ansible.builtin.systemd_service:
     name: fail2ban
     state: restarted

roles/common/tasks/cron-apt.yml

@@ -1,11 +1,17 @@
 ---
-- name: Configure cron-apt (config)
-  ansible.builtin.copy: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode }} owner={{ item.owner }} group={{ item.group }}
-  loop:
-    - { src: etc/cron-apt/config, dest: /etc/cron-apt/config, mode: "0644", owner: root, group: root }
-    - { src: etc/cron-apt/3-download, dest: /etc/cron-apt/action.d/3-download, mode: "0644", owner: root, group: root }
+- name: Remove cron-apt
+  ansible.builtin.apt:
+    name: cron-apt
+    state: absent
+    cache_valid_time: 3600
 
-- name: Configure cron-apt (security)
-  ansible.builtin.template: src=security.sources.list.j2 dest=/etc/apt/security.sources.list mode=0644 owner=root group=root
+- name: Remove cron-apt configs
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - /etc/cron-apt/config
+    - /etc/cron-apt/action.d/3-download
+    - /etc/apt/security.sources.list
 
 # vim: set ts=2 sw=2:

roles/common/tasks/fail2ban.yml

@@ -1,8 +1,7 @@
 ---
 - name: Install fail2ban
-  when:
-    - ansible_distribution_major_version is version('11', '>=')
-  ansible.builtin.package:
+  when: ansible_facts["distribution_version"] is version('11', '>=')
+  ansible.builtin.apt:
     name:
       - fail2ban
       - python3-systemd
@@ -15,7 +14,7 @@
     dest: /etc/fail2ban/jail.d/sshd.local
     owner: root
     mode: "0644"
-  notify: restart fail2ban
+  notify: Restart fail2ban
 
 - name: Configure fail2ban nginx filter
   when:
@@ -27,7 +26,7 @@
     dest: /etc/fail2ban/jail.d/nginx.local
     owner: root
     mode: "0644"
-  notify: restart fail2ban
+  notify: Restart fail2ban
 
 - name: Create fail2ban service override directory
   ansible.builtin.file:
@@ -44,11 +43,11 @@
     owner: root
     mode: "0644"
   notify:
-    - reload systemd
-    - restart fail2ban
+    - Reload systemd
+    - Restart fail2ban
 
 - name: Start and enable fail2ban service
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: fail2ban
     state: started
     enabled: true

roles/common/tasks/firewall.yml

@@ -0,0 +1,25 @@
+---
+# Debian 11+ will use nftables directly, with no firewalld.
+
+- name: Install Debian firewall packages
+  when: ansible_facts["distribution_version"] is version('11', '>=')
+  ansible.builtin.apt:
+    name: nftables
+    state: present
+    cache_valid_time: 3600
+
+- name: Remove iptables on newer Debian
+  when: ansible_facts["distribution_version"] is version('11', '>=')
+  ansible.builtin.apt:
+    pkg: iptables
+    state: absent
+
+- name: Configure nftables
+  when: ansible_facts["distribution_version"] is version('11', '>=')
+  ansible.builtin.include_tasks: nftables.yml
+
+- name: Configure fail2ban
+  when: ansible_facts["distribution_version"] is version('9', '>=')
+  ansible.builtin.include_tasks: fail2ban.yml
+
+# vim: set sw=2 ts=2:

roles/common/tasks/firewall_Debian.yml

@@ -1,115 +0,0 @@
----
-# Debian 11+ will use nftables directly, with no firewalld.
-
-- block:
-    - name: Install Debian firewall packages
-      when: ansible_distribution_major_version is version('11', '>=')
-      ansible.builtin.package:
-        name:
-          - libnet-ip-perl # for aggregate-cidr-addresses.pl
-          - nftables
-          - curl # for nftables update scripts
-        state: present
-        cache_valid_time: 3600
-
-    - name: Remove iptables on newer Debian
-      when: ansible_distribution_major_version is version('11', '>=')
-      ansible.builtin.apt:
-        pkg: iptables
-        state: absent
-
-    - name: Copy nftables.conf
-      when: ansible_distribution_major_version is version('11', '>=')
-      ansible.builtin.template:
-        src: nftables.conf.j2
-        dest: /etc/nftables.conf
-        owner: root
-        mode: "0644"
-      notify:
-        - restart nftables
-        - restart fail2ban
-
-    - name: Create /etc/nftables extra config directory
-      when: ansible_distribution_major_version is version('11', '>=')
-      ansible.builtin.file:
-        path: /etc/nftables
-        state: directory
-        owner: root
-        mode: "0755"
-
-    - name: Copy extra nftables configuration files
-      when: ansible_distribution_major_version is version('11', '>=')
-      ansible.builtin.copy:
-        src: "{{ item.src }}"
-        dest: /etc/nftables/{{ item.src }}
-        owner: root
-        group: root
-        mode: "0644"
-        force: "{{ item.force }}"
-      loop:
-        - { src: spamhaus-ipv4.nft, force: "no" }
-        - { src: spamhaus-ipv6.nft, force: "no" }
-        - { src: abusech-ipv4.nft, force: "no" }
-        - { src: abuseipdb-ipv4.nft, force: "yes" }
-        - { src: abuseipdb-ipv6.nft, force: "yes" }
-      notify:
-        - restart nftables
-        - restart fail2ban
-
-    - name: Copy nftables update scripts
-      when: ansible_distribution_version is version('11', '>=')
-      ansible.builtin.copy:
-        src: "{{ item }}"
-        dest: /usr/local/bin/{{ item }}
-        mode: "0755"
-        owner: root
-        group: root
-      loop:
-        - update-spamhaus-nftables.sh
-        - aggregate-cidr-addresses.pl
-        - update-abusech-nftables.sh
-
-    - name: Copy nftables systemd units
-      when: ansible_distribution_version is version('11', '>=')
-      ansible.builtin.copy:
-        src: "{{ item }}"
-        dest: /etc/systemd/system/{{ item }}
-        mode: "0644"
-        owner: root
-        group: root
-      loop:
-        - update-spamhaus-nftables.service
-        - update-spamhaus-nftables.timer
-        - update-abusech-nftables.service
-        - update-abusech-nftables.timer
-      register: nftables_systemd_units
-
-    # need to reload to pick up service/timer/environment changes
-    - name: Reload systemd daemon
-      ansible.builtin.systemd:
-        daemon_reload: true
-      when: nftables_systemd_units is changed
-
-    - name: Start and enable nftables update timers
-      when: ansible_distribution_version is version('11', '>=')
-      ansible.builtin.systemd:
-        name: "{{ item }}"
-        state: started
-        enabled: true
-      loop:
-        - update-spamhaus-nftables.timer
-        - update-abusech-nftables.timer
-
-    - name: Start and enable nftables
-      when: ansible_distribution_major_version is version('11', '>=')
-      ansible.builtin.systemd:
-        name: nftables
-        state: started
-        enabled: true
-
-    - ansible.builtin.include_tasks: fail2ban.yml
-      when:
-        - ansible_distribution_major_version is version('9', '>=')
-  tags: firewall
-
-# vim: set sw=2 ts=2:

roles/common/tasks/firewall_Ubuntu.yml

@@ -1,114 +0,0 @@
----
-# Ubuntu 20.04 will use nftables directly, with no firewalld.
-
-- block:
-    - name: Install Ubuntu firewall packages
-      when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.package:
-        name:
-          - libnet-ip-perl # for aggregate-cidr-addresses.pl
-          - nftables
-          - curl # for nftables update scripts
-        state: present
-        cache_valid_time: 3600
-
-    - name: Remove ufw
-      ansible.builtin.package:
-        name: ufw
-        state: absent
-
-    - name: Copy nftables.conf
-      when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.template:
-        src: nftables.conf.j2
-        dest: /etc/nftables.conf
-        owner: root
-        mode: "0644"
-      notify:
-        - restart nftables
-        - restart fail2ban
-
-    - name: Create /etc/nftables extra config directory
-      when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.file:
-        path: /etc/nftables
-        state: directory
-        owner: root
-        mode: "0755"
-
-    - name: Copy extra nftables configuration files
-      when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.copy:
-        src: "{{ item.src }}"
-        dest: /etc/nftables/{{ item.src }}
-        owner: root
-        group: root
-        mode: "0644"
-        force: "{{ item.force }}"
-      loop:
-        - { src: spamhaus-ipv4.nft, force: "no" }
-        - { src: spamhaus-ipv6.nft, force: "no" }
-        - { src: abusech-ipv4.nft, force: "no" }
-        - { src: abuseipdb-ipv4.nft, force: "yes" }
-        - { src: abuseipdb-ipv6.nft, force: "yes" }
-      notify:
-        - restart nftables
-        - restart fail2ban
-
-    - name: Copy nftables update scripts
-      when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.copy:
-        src: "{{ item }}"
-        dest: /usr/local/bin/{{ item }}
-        mode: "0755"
-        owner: root
-        group: root
-      loop:
-        - update-spamhaus-nftables.sh
-        - aggregate-cidr-addresses.pl
-        - update-abusech-nftables.sh
-
-    - name: Copy nftables systemd units
-      when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.copy:
-        src: "{{ item }}"
-        dest: /etc/systemd/system/{{ item }}
-        mode: "0644"
-        owner: root
-        group: root
-      loop:
-        - update-spamhaus-nftables.service
-        - update-spamhaus-nftables.timer
-        - update-abusech-nftables.service
-        - update-abusech-nftables.timer
-      register: nftables_systemd_units
-
-    # need to reload to pick up service/timer/environment changes
-    - name: Reload systemd daemon
-      ansible.builtin.systemd:
-        daemon_reload: true
-      when: nftables_systemd_units is changed
-
-    - name: Start and enable nftables update timers
-      when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.systemd:
-        name: "{{ item }}"
-        state: started
-        enabled: true
-      loop:
-        - update-spamhaus-nftables.timer
-        - update-abusech-nftables.timer
-
-    - name: Start and enable nftables
-      when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.systemd:
-        name: nftables
-        state: started
-        enabled: true
-
-    - ansible.builtin.include_tasks: fail2ban.yml
-      when:
-        - ansible_distribution_version is version('16.04', '>=')
-  tags: firewall
-
-# vim: set sw=2 ts=2:

roles/common/tasks/main.yml

@@ -1,6 +1,6 @@
 ---
 - name: Import OS-specific variables
-  ansible.builtin.include_vars: vars/{{ ansible_distribution }}.yml
+  ansible.builtin.include_vars: vars/{{ ansible_facts["distribution"] }}.yml
   tags: always
 
 - name: Configure network time
@@ -8,23 +8,11 @@
   tags: ntp
 
 - name: Install common packages
-  ansible.builtin.include_tasks: packages_Debian.yml
-  when: ansible_distribution == 'Debian'
-  tags: packages
-
-- name: Install common packages
-  ansible.builtin.include_tasks: packages_Ubuntu.yml
-  when: ansible_distribution == 'Ubuntu'
+  ansible.builtin.include_tasks: packages.yml
   tags: packages
 
 - name: Configure firewall
-  ansible.builtin.include_tasks: firewall_Debian.yml
-  when: ansible_distribution == 'Debian'
-  tags: firewall
-
-- name: Configure firewall
-  ansible.builtin.include_tasks: firewall_Ubuntu.yml
-  when: ansible_distribution == 'Ubuntu'
+  ansible.builtin.import_tasks: firewall.yml
   tags: firewall
 
 - name: Configure secure shell daemon
@@ -33,14 +21,24 @@
 
 # containers identify as virtualization hosts, which makes this tricky, because we have actual Debian VM hosts!
 - name: Reconfigure /etc/sysctl.conf
-  when: ansible_virtualization_role != 'host'
-  ansible.builtin.template: src=sysctl_{{ ansible_distribution }}.j2 dest=/etc/sysctl.conf owner=root group=root mode=0644
+  when: ansible_facts["virtualization_role"] != 'host'
+  ansible.builtin.template:
+    src: "sysctl_{{ ansible_facts['distribution'] }}.j2"
+    dest: /etc/sysctl.conf
+    owner: root
+    group: root
+    mode: "0644"
   notify:
-    - reload sysctl
+    - Reload sysctl
   tags: sysctl
 
 - name: Set I/O scheduler
-  ansible.builtin.template: src=etc/udev/rules.d/60-scheduler.rules.j2 dest=/etc/udev/rules.d/60-scheduler.rules owner=root group=root mode=0644
+  ansible.builtin.template:
+    src: etc/udev/rules.d/60-scheduler.rules.j2
+    dest: /etc/udev/rules.d/60-scheduler.rules
+    owner: root
+    group: root
+    mode: "0644"
   tags: udev
 
 - name: Copy admin SSH keys

roles/common/tasks/nftables.yml

@@ -0,0 +1,69 @@
+---
+# Common nftables tasks for Debian 11 and Debian 12.
+
+- name: Copy nftables.conf
+  ansible.builtin.template:
+    src: nftables.conf.j2
+    dest: /etc/nftables.conf
+    owner: root
+    mode: "0644"
+  notify:
+    - Restart nftables
+
+- name: Create /etc/nftables extra config directory
+  ansible.builtin.file:
+    path: /etc/nftables
+    state: directory
+    owner: root
+    mode: "0755"
+
+- name: Copy extra nftables configuration files
+  ansible.builtin.copy:
+    src: firehol_level1-ipv4.nft
+    dest: /etc/nftables/firehol_level1-ipv4.nft
+    owner: root
+    group: root
+    mode: "0644"
+    force: false
+  notify:
+    - Restart nftables
+
+- name: Copy nftables update scripts
+  ansible.builtin.template:
+    src: update-firehol-nftables.sh.j2
+    dest: /usr/local/bin/update-firehol-nftables.sh
+    mode: "0755"
+    owner: root
+    group: root
+
+- name: Copy nftables systemd units
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: /etc/systemd/system/{{ item }}
+    mode: "0644"
+    owner: root
+    group: root
+  loop:
+    - update-firehol-nftables.service
+    - update-firehol-nftables.timer
+  register: nftables_systemd_units
+
+# need to reload to pick up service/timer/environment changes
+- name: Reload systemd daemon
+  when: nftables_systemd_units is changed
+  ansible.builtin.systemd_service: # noqa no-handler
+    daemon_reload: true
+
+- name: Start and enable nftables update timers
+  ansible.builtin.systemd_service:
+    name: update-firehol-nftables.timer
+    state: started
+    enabled: true
+
+- name: Start and enable nftables
+  ansible.builtin.systemd_service:
+    name: nftables
+    state: started
+    enabled: true
+
+# vim: set sw=2 ts=2:

roles/common/tasks/ntp.yml

@@ -1,27 +1,40 @@
 ---
-# Hosts running Ubuntu 16.04+ and Debian 9+ use systemd init system and should
-# use systemd-timesyncd as a network time client instead of the standalone ntp
-# client.
+# Hosts running Debian 9+ use systemd init system and can use systemd-timesyncd
+# as a network time client instead of the standalone ntp client.
 
 - name: Set timezone
-  when: timezone is defined and ansible_service_mgr == 'systemd'
-  command: /usr/bin/timedatectl set-timezone {{ timezone }}
+  when:
+    - timezone is defined
+    - ansible_facts["service_mgr"] == 'systemd'
+  community.general.timezone:
+    name: "{{ timezone }}"
   tags: timezone
 
 # Apparently some cloud images don't have this installed by default. From what
 # I can see on existing servers, systemd-timesyncd is a standalone package on
-# Ubuntu 20.04 and Debian 11.
+# Debian 11 and Debian 12.
 - name: Install systemd-timesyncd
-  when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version
-    is version('11', '>='))
-  ansible.builtin.apt: name=systemd-timesyncd state=present cache_valid_time=3600
+  when: ansible_facts["distribution_version"] is version('11', '>=')
+  ansible.builtin.apt:
+    name: systemd-timesyncd
+    state: present
+    cache_valid_time: 3600
 
 - name: Start and enable systemd's NTP client
-  when: ansible_service_mgr == 'systemd'
-  ansible.builtin.systemd: name=systemd-timesyncd state=started enabled=true
+  when: ansible_facts["service_mgr"] == 'systemd'
+  ansible.builtin.systemd_service:
+    name: systemd-timesyncd
+    state: started
+    enabled: true
 
-- name: Uninstall ntp on modern Ubuntu/Debian
-  ansible.builtin.apt: name=ntp state=absent
-  when: ansible_service_mgr == 'systemd'
+# On Debian 12 ntp doesn't conflict with systemd-timesyncd so we should try to
+# remove it to be sure.
+- name: Uninstall ntp on Debian 12
+  when:
+    - ansible_facts["service_mgr"] == 'systemd'
+    - ansible_facts["distribution_major_version"] is version('12', '==')
+  ansible.builtin.apt:
+    name: ntp
+    state: absent
 
 # vim: set ts=2 sw=2:

roles/common/tasks/packages.yml

@@ -1,19 +1,7 @@
 ---
 - name: Configure Debian packages
+  tags: packages
   block:
-    # Create directory for third-party package signing keys. Required on distros
-    # older than Debian 12 / Ubuntu 22.04.
-    #
-    # See: https://wiki.debian.org/DebianRepository/UseThirdParty
-    - name: Create /etc/apt/keyrings
-      file:
-        path: /etc/apt/keyrings
-        mode: "0755"
-        owner: root
-        group: root
-        state: directory
-      when: ansible_distribution_major_version is version('12', '<')
-
     # Scaleway seems to use a weird sources.list format as of Debian 12?
     - name: Check for weird Debian sources
       ansible.builtin.stat:
@@ -21,10 +9,15 @@
       register: weird_debian_sources_stat
 
     - name: Configure apt mirror
-      ansible.builtin.template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
       when:
-        - ansible_architecture != 'armv7l'
+        - ansible_facts["architecture"] != 'armv7l'
         - not weird_debian_sources_stat
+      ansible.builtin.template:
+        src: sources.list.j2
+        dest: /etc/apt/sources.list
+        owner: root
+        group: root
+        mode: "0644"
 
     - name: Set fact for base packages
       ansible.builtin.set_fact:
@@ -35,7 +28,6 @@
           - iotop
           - htop
           - strace
-          - cron-apt
           - safe-rm
           - debian-goodies
           - mosh
@@ -47,16 +39,19 @@
           - zstd
           - rsync
           - lsof
+          - unattended-upgrades
 
     - name: Install base packages
-      ansible.builtin.apt: name={{ base_packages }} state=present cache_valid_time=3600
+      ansible.builtin.apt:
+        name: "{{ base_packages }}"
+        state: present
+        cache_valid_time: 3600
 
-    - name: Configure cron-apt
-      ansible.builtin.import_tasks: cron-apt.yml
+    - name: Remove cron-apt
       tags: cron-apt
+      ansible.builtin.import_tasks: cron-apt.yml
 
     - name: Install tarsnap
       ansible.builtin.import_tasks: tarsnap.yml
-  tags: packages
 
 # vim: set sw=2 ts=2:

roles/common/tasks/packages_Ubuntu.yml

@@ -1,105 +0,0 @@
----
-- name: Configure Ubuntu packages
-  block:
-    # Create directory for third-party package signing keys. Required on distros
-    # older than Debian 12 / Ubuntu 22.04.
-    #
-    # See: https://wiki.debian.org/DebianRepository/UseThirdParty
-    - name: Create /etc/apt/keyrings
-      file:
-        path: /etc/apt/keyrings
-        mode: "0755"
-        owner: root
-        group: root
-        state: directory
-      when: ansible_distribution_major_version is version('22.04', '<')
-
-    - name: Configure apt mirror
-      ansible.builtin.template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
-      when: ansible_architecture != 'armv7l'
-
-    - name: Upgrade base OS
-      ansible.builtin.apt: upgrade=dist cache_valid_time=3600
-
-    - name: Set Ubuntu base packages
-      ansible.builtin.set_fact:
-        ubuntu_base_packages:
-          - git
-          - git-lfs
-          - tmux
-          - iotop
-          - htop
-          - strace
-          - cron-apt
-          - safe-rm
-          - debian-goodies
-          - mosh
-          - python-pycurl # for ansible's apt_repository
-          - vim
-          - unzip
-          - apt-transport-https # for https support in apt
-          - zstd
-          - rsync
-          - lsof
-
-    - name: Install base packages
-      ansible.builtin.apt: pkg={{ ubuntu_base_packages }} state=present cache_valid_time=3600
-
-    # We have to remove snaps one by one in a specific order because some depend
-    # on others. Only after that can we remove the corresponding system packages.
-    - name: Remove lxd snap
-      community.general.snap: name=lxd state=absent
-      when: ansible_distribution_version is version('20.04', '==')
-      ignore_errors: true
-
-    - name: Remove core18 snap
-      community.general.snap: name=core18 state=absent
-      when: ansible_distribution_version is version('20.04', '==')
-      ignore_errors: true
-
-    - name: Remove snapd snap
-      community.general.snap: name=snapd state=absent
-      when: ansible_distribution_version is version('20.04', '==')
-      ignore_errors: true
-
-    - name: Set fact for packages to remove (Ubuntu 20.04)
-      ansible.builtin.set_fact:
-        ubuntu_annoying_packages:
-          - whoopsie # security (CIS 4.1)
-          - apport # security (CIS 4.1)
-          - command-not-found # annoying
-          - command-not-found-data # annoying
-          - python3-commandnotfound # annoying
-          - snapd # annoying (Ubuntu >= 16.04)
-          - lxd-agent-loader # annoying (Ubuntu 20.04)
-      when: ansible_distribution_version is version('20.04', '==')
-
-    - name: Remove packages
-      ansible.builtin.apt: name={{ ubuntu_annoying_packages }} state=absent purge=true
-
-    - name: Disable annoying Canonical spam in MOTD
-      ansible.builtin.file: path={{ item }} mode=0644 state=absent
-      loop:
-        - /etc/update-motd.d/99-esm # Ubuntu 14.04
-        - /etc/update-motd.d/10-help-text # Ubuntu 14.04+
-        - /etc/update-motd.d/50-motd-news # Ubuntu 18.04+
-        - /etc/update-motd.d/80-esm # Ubuntu 18.04+
-        - /etc/update-motd.d/80-livepatch # Ubuntu 18.04+
-      ignore_errors: true
-
-    - name: Disable annoying Canonical spam in MOTD
-      ansible.builtin.systemd: name={{ item }} state=stopped enabled=no
-      when: ansible_service_mgr == 'systemd'
-      loop:
-        - motd-news.service
-        - motd-news.timer
-
-    - name: Configure cron-apt
-      ansible.builtin.import_tasks: cron-apt.yml
-      tags: cron-apt
-
-    - name: Install tarsnap
-      ansible.builtin.import_tasks: tarsnap.yml
-  tags: packages
-
-# vim: set sw=2 ts=2:

roles/common/tasks/ssh-keys.yml

@@ -1,6 +1,8 @@
 ---
 - name: Zero .ssh/authorized_keys for provisioning user
-  ansible.builtin.file: dest={{ provisioning_user.home }}/.ssh/authorized_keys state=absent
+  ansible.builtin.file:
+    dest: "{{ provisioning_user.home }}/.ssh/authorized_keys"
+    state: absent
 
 - name: Add public keys to authorized_keys
   ansible.posix.authorized_key: { user: "{{ provisioning_user.name }}", key: "{{ lookup('file', item) }}" }

roles/common/tasks/sshd.yml

@@ -1,17 +1,26 @@
 ---
-# SSH configs don't change in Debian minor versions
+# Only override the system sshd configuration on older Debian.
 - name: Reconfigure /etc/ssh/sshd_config
-  ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root
-    mode=0600
-  when: ansible_distribution == 'Debian'
-  notify: reload sshd
+  when: ansible_facts["distribution_version"] is version('12', '<=')
+  ansible.builtin.template:
+    src: "sshd_config_{{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_major_version'] }}.j2"
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: "0600"
+  notify: Reload sshd
 
-# Ubuntu is the only distro we have where SSH version is very different from 14.04 -> 14.10,
-# ie with new ciphers supported etc.
-- name: Reconfigure /etc/ssh/sshd_config
-  ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
-  when: ansible_distribution == 'Ubuntu'
-  notify: reload sshd
+# Newer OpenSSH versions support including extra configuration. The includes
+# happen at the beginning of the file and the first value to be read is used.
+- name: Configure sshd_config.d overrides
+  when: ansible_facts["distribution_version"] is version('13', '>=')
+  ansible.builtin.template:
+    src: etc/ssh/sshd_config.d/01-{{ ansible_facts["distribution"] }}-{{ ansible_facts["distribution_major_version"] }}.conf.j2
+    dest: /etc/ssh/sshd_config.d/01-custom.conf
+    owner: root
+    group: root
+    mode: "0600"
+  notify: Reload sshd
 
 # See: WeakDH (2015): https://weakdh.org/sysadmin.html
 - name: Remove small Diffie-Hellman SSH moduli
@@ -24,28 +33,30 @@
       register: check_unsafe_moduli
 
     - name: Extract safe Diffie-Hellman SSH moduli
+      when: check_unsafe_moduli.stdout | length > 0
       ansible.builtin.shell:
         cmd: awk '$5 >= 3071' moduli > moduli.safe
         chdir: /etc/ssh
         creates: moduli.safe
-      when: check_unsafe_moduli.stdout | length > 0
       register: extract_safe_moduli
 
     - name: Replace unsafe Diffie-Hellman SSH moduli
+      when: extract_safe_moduli is changed
       ansible.builtin.command:
         cmd: mv moduli.safe moduli
         chdir: /etc/ssh
       register: replace_small_moduli
-      when: extract_safe_moduli is changed
-      notify: reload sshd
+      notify: Reload sshd
 
 - name: Remove DSA and ECDSA host keys
-  ansible.builtin.file: name=/etc/ssh/{{ item }} state=absent
+  ansible.builtin.file:
+    name: "/etc/ssh/{{ item }}"
+    state: absent
   loop:
     - ssh_host_dsa_key
     - ssh_host_dsa_key.pub
     - ssh_host_ecdsa_key
     - ssh_host_ecdsa_key.pub
-  notify: reload sshd
+  notify: Reload sshd
 
 # vim: set sw=2 ts=2:

roles/common/tasks/tarsnap.yml

@@ -5,6 +5,7 @@
   register: tarsnap_signing_key_stat
 
 - name: Download tarsnap apt signing key
+  when: not tarsnap_signing_key_stat.stat.exists
   ansible.builtin.get_url:
     url: https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc
     dest: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
@@ -12,9 +13,9 @@
     group: root
     mode: "0644"
   register: download_tarsnap_signing_key
-  when: not tarsnap_signing_key_stat.stat.exists
 
 - name: Add tarsnap.org repo
+  when: ansible_facts["architecture"] != 'armv7l'
   ansible.builtin.template:
     src: tarsnap_sources.list.j2
     dest: /etc/apt/sources.list.d/tarsnap.list
@@ -22,12 +23,11 @@
     group: root
     mode: "0644"
   register: add_tarsnap_apt_repository
-  when: ansible_architecture != 'armv7l'
 
 - name: Update apt cache
+  when: (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or add_tarsnap_apt_repository is changed
   ansible.builtin.apt: # noqa no-handler
     update_cache: true
-  when: (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or add_tarsnap_apt_repository is changed
 
 - name: Install tarsnap
   ansible.builtin.apt:

roles/common/templates/etc/ssh/sshd_config.d/01-Debian-13.conf.j2

@@ -0,0 +1,40 @@
+{{ ansible_managed | comment }}
+
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear
+# audit track of which key was using to log in.
+LogLevel VERBOSE
+
+MaxAuthTries 4
+
+AuthorizedKeysFile	.ssh/authorized_keys
+
+# To disable tunneled clear text passwords, change to no here!
+{% if ssh_password_authentication == 'disabled' %}
+PasswordAuthentication no
+{% else %}
+PasswordAuthentication yes
+{% endif %}
+
+X11Forwarding no
+
+# Based on the ssh-audit profile for Debian 13, but with but with all algos with
+# less than 256 bits removed, as NSA's Suite B removed them years ago and the
+# new (2018) CNSA suite is 256 bits and up.
+#
+# See: ssh-audit.py -P "Hardened Debian 13 (version 1)"
+# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com
+
+{% if ssh_allowed_users is defined and ssh_allowed_users %}
+AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
+{% endif %}
+
+PerSourcePenaltyExemptList {{ fail2ban_ignoreip | replace(" ", ",") }}
+
+# Mask to use for IPv4 and IPv6 respectively when applying network penalties.
+# The default is 32:128.
+PerSourceNetBlockSize 24:56

roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2

@@ -1,15 +1,19 @@
+[Unit]
+# If nftables is stopped or restarted, propagate to fail2ban as well
+PartOf=nftables.service
+
 [Service]
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectHome=read-only
-{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %}
+{% if ansible_facts["distribution_version"] is version('11','>=') %}
 ProtectSystem=strict
 {% else %}
 {# Older systemd versions don't have ProtectSystem=strict #}
 ProtectSystem=full
 {% endif %}
 NoNewPrivileges=yes
-{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %}
+{% if ansible_facts["distribution_version"] is version('11','>=') %}
 ReadWritePaths=-/var/run/fail2ban
 ReadWritePaths=-/var/lib/fail2ban
 ReadWritePaths=-/var/log/fail2ban.log

roles/common/templates/nftables.conf.j2

@@ -5,47 +5,18 @@
 
 flush ruleset
 
-# Lists updated daily by update-spamhaus-nftables.sh
-include "/etc/nftables/spamhaus-ipv4.nft"
-include "/etc/nftables/spamhaus-ipv6.nft"
-
-# Lists updated monthly (manually)
-include "/etc/nftables/abuseipdb-ipv4.nft"
-include "/etc/nftables/abuseipdb-ipv6.nft"
-
-# Lists updated daily by update-abusech-nftables.sh
-include "/etc/nftables/abusech-ipv4.nft"
+# List updated daily by update-firehol-nftables.sh
+include "/etc/nftables/firehol_level1-ipv4.nft"
 
 # Notes:
 #   - tables hold chains, chains hold rules
 #   - inet is for both ipv4 and ipv6
 table inet filter {
-    set spamhaus-ipv4 {
+    set firehol_level1-ipv4 {
         type ipv4_addr
         # if the set contains prefixes we need to use the interval flag
         flags interval
-        elements = $SPAMHAUS_IPV4
-    }
-
-    set spamhaus-ipv6 {
-        type ipv6_addr
-        flags interval
-        elements = $SPAMHAUS_IPV6
-    }
-
-    set abusech-ipv4 {
-        type ipv4_addr
-        elements = $ABUSECH_IPV4
-    }
-
-    set abuseipdb-ipv4 {
-        type ipv4_addr
-        elements = $ABUSEIPDB_IPV4
-    }
-
-    set abuseipdb-ipv6 {
-        type ipv6_addr
-        elements = $ABUSEIPDB_IPV6
+        elements = $FIREHOL_LEVEL1_IPV4
     }
 
     chain input {
@@ -55,13 +26,7 @@ table inet filter {
 
         ct state invalid counter drop comment "Early drop of invalid connections"
 
-        ip saddr @spamhaus-ipv4 counter drop comment "Early drop of incoming packets matching spamhaus-ipv4 list"
-        ip6 saddr @spamhaus-ipv6 counter drop comment "Early drop of incoming packets matching spamhaus-ipv6 list"
-
-        ip saddr @abusech-ipv4 counter drop comment "Early drop of packets matching abusech-ipv4 list"
-
-        ip saddr @abuseipdb-ipv4 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv4 list"
-        ip6 saddr @abuseipdb-ipv6 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv6 list"
+        ip saddr @firehol_level1-ipv4 counter drop comment "Early drop of incoming packets matching firehol_level1-ipv4 list"
 
         iifname lo accept comment "Allow from loopback"
 
@@ -105,12 +70,6 @@ table inet filter {
     chain output {
         type filter hook output priority 0;
 
-        ip daddr @spamhaus-ipv4 counter drop comment "Drop outgoing packets matching spamhaus-ipv4 list"
-        ip6 daddr @spamhaus-ipv6 counter drop comment "Drop outgoing packets matching spamhaus-ipv6 list"
-
-        ip daddr @abusech-ipv4 counter drop comment "Drop outgoing packets matching abusech-ipv4 list"
-
-        ip daddr @abuseipdb-ipv4 counter drop comment "Drop outgoing packets matching abuseipdb-ipv4 list"
-        ip6 daddr @abuseipdb-ipv6 counter drop comment "Drop outgoing packets matching abuseipdb-ipv6 list"
+        ip daddr @firehol_level1-ipv4 counter drop comment "Drop outgoing packets matching firehol_level1-ipv4 list"
     }
 }

roles/common/templates/security.sources.list.j2

@@ -1,5 +0,0 @@
-{% if ansible_distribution == 'Ubuntu' %}
-deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security main restricted universe multiverse
-{% elif ansible_distribution == 'Debian' %}
-deb http://security.debian.org/debian-security {{ ansible_distribution_release }}/updates main contrib non-free
-{% endif %}

roles/common/templates/sources.list.j2

@@ -1,16 +1,6 @@
-{% if ansible_distribution == 'Ubuntu' %}
-{% set apt_mirror    = apt_mirror | default("ubuntu.mirror.ac.ke") %}
-
-deb http://{{ apt_mirror }}/ubuntu/ {{ ansible_distribution_release }} main restricted universe multiverse
-deb http://{{ apt_mirror }}/ubuntu/ {{ ansible_distribution_release }}-updates main restricted universe multiverse
-deb http://security.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-security main restricted universe multiverse
-
-{% else %}
 {% set apt_mirror    = apt_mirror | default('deb.debian.org') %}
 deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }} main contrib non-free
 
 deb http://security.debian.org/debian-security {{ ansible_distribution_release }}-security main contrib non-free
 
 deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }}-updates main contrib non-free
-
-{% endif %} {# ansible_distribution #}

roles/common/templates/sshd_config_Ubuntu-20.04.j2

@@ -1,143 +0,0 @@
-#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
-
-# This is the sshd server system-wide configuration file.  See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented.  Uncommented options override the
-# default value.
-
-Include /etc/ssh/sshd_config.d/*.conf
-
-#Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-#HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-#SyslogFacility AUTH
-# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
-LogLevel VERBOSE
-
-# Authentication:
-
-#LoginGraceTime 2m
-PermitRootLogin prohibit-password
-#StrictModes yes
-MaxAuthTries 4
-#MaxSessions 10
-
-#PubkeyAuthentication yes
-
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
-AuthorizedKeysFile	.ssh/authorized_keys
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
-{% if ssh_password_authentication == 'disabled' %}
-PasswordAuthentication no
-{% else %}
-PasswordAuthentication yes
-{% endif %}
-#PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-#GSSAPIStrictAcceptorCheck yes
-#GSSAPIKeyExchange no
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-X11Forwarding no
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-PrintMotd no
-#PrintLastLog yes
-#TCPKeepAlive yes
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS no
-#PidFile /var/run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-
-# Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
-
-# override default of no subsystems
-Subsystem sftp	/usr/lib/openssh/sftp-server
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-#	X11Forwarding no
-#	AllowTcpForwarding no
-#	PermitTTY no
-#	ForceCommand cvs server
-
-# Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html
-# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now
-# does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
-KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
-
-{% if ssh_allowed_users is defined and ssh_allowed_users %}
-# Is there a list of allowed users?
-# Is it populated? (An empty list is 'None', which evaluates as False in Python)
-# merge the items of a list into one string using a space as a separator
-# http://jinja.pocoo.org/docs/dev/templates/#join
-AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
-{% endif %}

roles/common/templates/sysctl_Debian.j2

@@ -90,7 +90,7 @@ net.ipv4.tcp_wmem = 4096 65536 16777216
 # increase the length of the processor input queue
 net.core.netdev_max_backlog = 30000
 {# kernels after 2.6.32 don't have buggy cubic #}
-{% if ansible_kernel < "2.6.33" %}
+{% if ansible_facts["kernel"] < "2.6.33" %}
 # recommended default congestion control is htcp
 net.ipv4.tcp_congestion_control=htcp
 {% endif %}
@@ -98,7 +98,7 @@ net.ipv4.tcp_congestion_control=htcp
 #net.ipv4.tcp_mtu_probing=1
 
 {# disable iptables on bridge interfaces on VM hosts #}
-{% if ansible_virtualization_role == "host" %}
+{% if ansible_facts["virtualization_role"] == "host" %}
 net.bridge.bridge-nf-call-ip6tables = 0
 net.bridge.bridge-nf-call-iptables = 0
 net.bridge.bridge-nf-call-arptables = 0

roles/common/templates/sysctl_Ubuntu.j2

@@ -1,100 +0,0 @@
-#
-# /etc/sysctl.conf - Configuration file for setting system variables
-# See /etc/sysctl.d/ for additional system variables
-# See sysctl.conf (5) for information.
-#
-
-#kernel.domainname = example.com
-
-# Uncomment the following to stop low-level messages on console
-#kernel.printk = 3 4 1 3
-
-##############################################################3
-# Functions previously found in netbase
-#
-
-# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
-# Turn on Source Address Verification in all interfaces to
-# prevent some spoofing attacks
-#net.ipv4.conf.default.rp_filter=1
-#net.ipv4.conf.all.rp_filter=1
-
-# Uncomment the next line to enable TCP/IP SYN cookies
-# See http://lwn.net/Articles/277146/
-# Note: This may impact IPv6 TCP sessions too
-#net.ipv4.tcp_syncookies=1
-
-# Uncomment the next line to enable packet forwarding for IPv4
-#net.ipv4.ip_forward=1
-
-# Uncomment the next line to enable packet forwarding for IPv6
-#  Enabling this option disables Stateless Address Autoconfiguration
-#  based on Router Advertisements for this host
-#net.ipv6.conf.all.forwarding=1
-
-
-###################################################################
-# Additional settings - these settings can improve the network
-# security of the host and prevent against some network attacks
-# including spoofing attacks and man in the middle attacks through
-# redirection. Some network environments, however, require that these
-# settings are disabled so review and enable them as needed.
-#
-# Do not accept ICMP redirects (prevent MITM attacks)
-#net.ipv4.conf.all.accept_redirects = 0
-#net.ipv6.conf.all.accept_redirects = 0
-# _or_
-# Accept ICMP redirects only for gateways listed in our default
-# gateway list (enabled by default)
-# net.ipv4.conf.all.secure_redirects = 1
-#
-# Do not send ICMP redirects (we are not a router)
-#net.ipv4.conf.all.send_redirects = 0
-#
-# Do not accept IP source route packets (we are not a router)
-#net.ipv4.conf.all.accept_source_route = 0
-#net.ipv6.conf.all.accept_source_route = 0
-#
-# Log Martian Packets
-#net.ipv4.conf.all.log_martians = 1
-#
-
-# CIS Benchmark Adjustments
-# See: https://github.com/alanorth/securekickstarts
-kernel.randomize_va_space = 2 
-net.ipv4.ip_forward = 0 
-net.ipv4.conf.all.send_redirects = 0 
-net.ipv4.conf.default.send_redirects = 0 
-net.ipv4.conf.all.accept_source_route = 0 
-net.ipv4.conf.default.accept_source_route = 0 
-net.ipv4.conf.all.accept_redirects = 0 
-net.ipv4.conf.default.accept_redirects = 0 
-net.ipv4.conf.all.secure_redirects = 0 
-net.ipv4.conf.default.secure_redirects = 0 
-net.ipv4.conf.all.log_martians = 1 
-net.ipv4.conf.default.log_martians = 1 
-net.ipv4.icmp_echo_ignore_broadcasts = 1 
-net.ipv4.icmp_ignore_bogus_error_responses = 1 
-net.ipv4.conf.all.rp_filter = 1 
-net.ipv4.conf.default.rp_filter = 1 
-net.ipv4.tcp_syncookies = 1
-
-# TCP stuff
-# See: http://fasterdata.es.net/host-tuning/linux/
-# increase TCP max buffer size settable using setsockopt()
-net.core.rmem_max = 16777216 
-net.core.wmem_max = 16777216 
-# increase Linux autotuning TCP buffer limit 
-net.ipv4.tcp_rmem = 4096 87380 16777216
-net.ipv4.tcp_wmem = 4096 65536 16777216
-# increase the length of the processor input queue
-net.core.netdev_max_backlog = 30000
-# recommended for hosts with jumbo frames enabled
-#net.ipv4.tcp_mtu_probing=1
-
-# increase quadruplets (src ip, src port, dest ip, dest port)
-# see: http://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux.html
-net.ipv4.ip_local_port_range = 10240 65535
-# recommended for web servers, especially if running SPDY
-# see: http://www.chromium.org/spdy/spdy-best-practices
-net.ipv4.tcp_slow_start_after_idle = 0

roles/common/templates/tarsnap_sources.list.j2

@@ -1 +1 @@
-deb [arch=amd64] https://pkg.tarsnap.com/deb/{{ ansible_distribution_release }} ./
+deb [arch=amd64 signed-by=/etc/apt/keyrings/tarsnap-deb-packaging-key.asc] https://pkg.tarsnap.com/deb/{{ ansible_facts["distribution_release"] }} ./

roles/common/templates/update-firehol-nftables.sh.j2

@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+#
+# update-firehol-nftables.sh v0.0.1
+#
+# Download FireHOL lists and load them into nftables sets.
+# 
+# See: https://iplists.firehol.org/
+#
+# Copyright (C) 2025 Alan Orth
+#
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Exit on first error
+set -o errexit
+
+firehol_level1_ipv4_set_path=/etc/nftables/firehol_level1-ipv4.nft
+
+function download() {
+    echo "Downloading $1"
+    wget -q -O - "https://iplists.firehol.org/files/$1" > "$1"
+}
+
+download firehol_level1.netset
+
+if [[ -f "firehol_level1.netset" ]]; then
+    echo "Processing FireHOL Level 1 list"
+
+    firehol_level1_ipv4_list_temp=$(mktemp)
+    firehol_level1_ipv4_set_temp=$(mktemp)
+
+    # Filter blank lines, comments, and bogons we use inside the LAN, DMZ, and
+    # for local services like systemd-resolved and others on localhost. Ideally
+    # these are blocked already at the WAN side by network administrators.
+    cat firehol_level1.netset \
+        | sed \
+            -e '/^$/d' \
+            -e '/^#.*/d' \
+            -e '/^127\.0\.0\.0\/8/d' \
+        > "$firehol_level1_ipv4_list_temp"
+
+    echo "Building firehol_level1-ipv4 set"
+    cat << NFT_HEAD > "$firehol_level1_ipv4_set_temp"
+#!/usr/sbin/nft -f
+
+define FIREHOL_LEVEL1_IPV4 = {
+NFT_HEAD
+
+    while read -r network; do
+        # nftables doesn't mind if the last element in the set has a trailing
+        # comma so we don't need to do anything special here.
+        echo "$network," >> "$firehol_level1_ipv4_set_temp"
+    done < $firehol_level1_ipv4_list_temp
+
+    echo "}" >> "$firehol_level1_ipv4_set_temp"
+
+    install -m 0600 "$firehol_level1_ipv4_set_temp" "$firehol_level1_ipv4_set_path"
+
+    rm -f "$firehol_level1_ipv4_list_temp" "$firehol_level1_ipv4_set_temp"
+fi
+
+echo "Restarting nftables"
+
+/usr/bin/systemctl restart nftables.service
+
+rm -v firehol_level1.netset

roles/mariadb/defaults/main.yml

@@ -1,15 +1,4 @@
 ---
-# ansible.builtin.file: roles/mariadb/defaults/main.yml
-#
-# Based on my running of mysqltuner.pl on a host with three WordPress databases
-#
-
-# default is 128MB but is a waste because it seems only the mysql table uses it
-key_buffer_size: 8M
-
-# default is 128MB but is a waste because it seems only information_schema uses
-# AriaDB, see: https://mariadb.com/kb/en/mariadb/aria-system-variables
-aria_pagecache_buffer_size: 8M
 
 # default is 128M, but set to at least the size of your InnoDB data
 innodb_buffer_pool_size: 256M
@@ -22,10 +11,6 @@ mariadb_login_unix_socket: /run/mysqld/mysqld.sock
 # default is 100 but the max I've seen used is 5, so let's reduce it
 max_connections: 33
 
-# disable the query cache by default
-query_cache_size: 0
-query_cache_type: 0
-
 # mysqltuner says we should use larger than 32M on our setup
 tmp_table_size: 64M
 max_heap_table_size: 64M

roles/mariadb/handlers/main.yml

@@ -1,5 +1,7 @@
 ---
 - name: restart mariadb
-  ansible.builtin.systemd: name=mariadb state=restarted
+  ansible.builtin.systemd_service:
+    name: mariadb
+    state: restarted
 
 # vim: set ts=2 sw=2:

roles/mariadb/tasks/main.yml

@@ -1,52 +1,4 @@
 ---
-- name: Remove MariaDB key from apt-key
-  ansible.builtin.apt_key:
-    id: "013577200103762554506315430003013705453362230723150730"
-    state: absent
-  tags:
-    - packages
-    - mariadb
-
-- name: Check MariaDB package signing key
-  ansible.builtin.stat:
-    path: /etc/apt/keyrings/mariadb_release_signing_key.asc
-  register: mariadb_signing_key_stat
-  tags:
-    - packages
-    - mariadb
-
-- name: Download MariaDB package signing key
-  ansible.builtin.get_url:
-    url: https://mariadb.org/mariadb_release_signing_key.asc
-    dest: /etc/apt/keyrings/mariadb_release_signing_key.asc
-    owner: root
-    group: root
-    mode: "0644"
-  register: download_mariadb_signing_key
-  when: not mariadb_signing_key_stat.stat.exists
-  tags:
-    - packages
-    - mariadb
-
-- name: Add MariaDB 10.11 repo
-  ansible.builtin.apt_repository:
-    repo: deb [arch=amd64 signed-by=/etc/apt/keyrings/mariadb_release_signing_key.asc] https://dlm.mariadb.com/repo/mariadb-server/10.11/repo/debian {{ ansible_distribution_release
-      }} main
-    filename: mariadb
-    state: present
-  register: add_mariadb_apt_repository
-  tags:
-    - packages
-    - mariadb
-
-- name: Update apt cache
-  ansible.builtin.apt: # noqa no-handler
-    update_cache: true
-  when: (download_mariadb_signing_key.status_code is defined and download_mariadb_signing_key.status_code == 200) or add_mariadb_apt_repository is changed
-  tags:
-    - packages
-    - mariadb
-
 - name: Install mariadb-server
   ansible.builtin.apt:
     name: [mariadb-server, python3-pymysql]
@@ -54,10 +6,10 @@
     cache_valid_time: 3600
   tags: mariadb, packages
 
-- name: Create system my.cnf
+- name: Add MariaDB configuration overrides
   ansible.builtin.template:
-    src: my.cnf.j2
-    dest: /etc/mysql/my.cnf
+    src: 70-local.cnf.j2
+    dest: /etc/mysql/mariadb.conf.d/70-local.cnf
     owner: root
     group: root
     mode: "0644"
@@ -87,16 +39,17 @@
 
 # See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_db_module.html
 - name: Create MariaDB database(s)
+  when: mariadb_databases is defined
   community.mysql.mysql_db:
     db: "{{ item.name }}"
     state: present
     encoding: utf8mb4
     login_unix_socket: "{{ mariadb_login_unix_socket }}"
   loop: "{{ mariadb_databases }}"
-  when: mariadb_databases is defined
   tags: mariadb
 
 - name: Create MariaDB user(s)
+  when: mariadb_databases is defined
   community.mysql.mysql_user:
     name: "{{ item.user }}"
     password: "{{ item.pass }}"
@@ -105,7 +58,6 @@
     state: present
     login_unix_socket: "{{ mariadb_login_unix_socket }}"
   loop: "{{ mariadb_databases }}"
-  when: mariadb_databases is defined
   tags: mariadb
 
 # vim: set ts=2 sw=2:

roles/mariadb/templates/70-local.cnf.j2

@@ -0,0 +1,10 @@
+{{ ansible_managed | comment }}
+
+[mysqld]
+# don't resolve connection IPs to hostnames (make sure user accounts are using
+# IPs instead of "localhost")
+skip-name-resolve=1
+max_connections		= {{ max_connections }}
+tmp_table_size		= {{ tmp_table_size }}
+max_heap_table_size	= {{ max_heap_table_size }}
+innodb_buffer_pool_size	= {{ innodb_buffer_pool_size }}

roles/mariadb/templates/my.cnf.j2

@@ -1,196 +0,0 @@
-{{ ansible_managed | comment }}
-
-# MariaDB database server configuration file.
-#
-# You can copy this file to one of:
-# - "/etc/mysql/my.cnf" to set global options,
-# - "~/.my.cnf" to set user-specific options.
-# 
-# One can use all long options that the program supports.
-# Run program with --help to get a list of available options and with
-# --print-defaults to see which it would actually understand and use.
-#
-# For explanations see
-# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
-
-# This will be passed to all mysql clients
-# It has been reported that passwords should be enclosed with ticks/quotes
-# escpecially if they contain "#" chars...
-# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
-[client]
-port		= 3306
-socket		= /run/mysqld/mysqld.sock
-
-# Here is entries for some specific programs
-# The following values assume you have at least 32M ram
-
-# This was formally known as [safe_mysqld]. Both versions are currently parsed.
-[mysqld_safe]
-socket		= /run/mysqld/mysqld.sock
-nice		= 0
-
-[mysqld]
-#
-# * Basic Settings
-#
-user		= mysql
-pid-file	= /run/mysqld/mysqld.pid
-socket		= /run/mysqld/mysqld.sock
-port		= 3306
-basedir		= /usr
-datadir		= /var/lib/mysql
-tmpdir		= /tmp
-lc_messages_dir	= /usr/share/mysql
-lc_messages	= en_US
-skip-external-locking
-#
-# Instead of skip-networking the default is now to listen only on
-# localhost which is more compatible and is not less secure.
-bind-address		= 127.0.0.1
-
-# don't resolve connection IPs to hostnames (make sure user accounts are using
-# IPs instead of "localhost")
-skip-name-resolve=1
-#
-# * Fine Tuning
-#
-max_connections		= {{ max_connections }}
-connect_timeout		= 5
-wait_timeout		= 600
-max_allowed_packet	= 16M
-thread_cache_size       = 128
-sort_buffer_size	= 4M
-bulk_insert_buffer_size	= 16M
-tmp_table_size		= {{ tmp_table_size }}
-max_heap_table_size	= {{ max_heap_table_size }}
-#
-# * MyISAM
-#
-# This replaces the startup script and checks MyISAM tables if needed
-# the first time they are touched. On error, make copy and try a repair.
-myisam_recover_options = BACKUP
-key_buffer_size		= {{ key_buffer_size }}
-#open-files-limit	= 2000
-table_open_cache	= 400
-myisam_sort_buffer_size	= 512M
-concurrent_insert	= 2
-read_buffer_size	= 2M
-read_rnd_buffer_size	= 1M
-#
-# * Query Cache Configuration
-#
-query_cache_limit		= 128K
-query_cache_size		= {{ query_cache_size }}
-query_cache_type		= {{ query_cache_type }}
-#
-# * Logging and Replication
-#
-# Both location gets rotated by the cronjob.
-# Be aware that this log type is a performance killer.
-# As of 5.1 you can enable the log at runtime!
-#general_log_file        = /var/log/mysql/mysql.log
-#general_log             = 1
-#
-# Error logging goes to syslog due to /etc/mysql/conf.d/mysqld_safe_syslog.cnf.
-#
-# we do want to know about network errors and such
-log_warnings		= 2
-#
-# Enable the slow query log to see queries with especially long duration
-#slow_query_log[={0|1}]
-slow_query_log_file	= /var/log/mysql/mariadb-slow.log
-long_query_time = 10
-#log_slow_rate_limit	= 1000
-log_slow_verbosity	= query_plan
-
-#log-queries-not-using-indexes
-#log_slow_admin_statements
-#
-# The following can be used as easy to replay backup logs or for replication.
-# note: if you are setting up a replication slave, see README.Debian about
-#       other settings you may need to change.
-#server-id		= 1
-#report_host		= master1
-#auto_increment_increment = 2
-#auto_increment_offset	= 1
-log_bin			= /var/log/mysql/mariadb-bin
-log_bin_index		= /var/log/mysql/mariadb-bin.index
-# not fab for performance, but safer
-#sync_binlog		= 1
-expire_logs_days	= 10
-max_binlog_size         = 100M
-# slaves
-#relay_log		= /var/log/mysql/relay-bin
-#relay_log_index	= /var/log/mysql/relay-bin.index
-#relay_log_info_file	= /var/log/mysql/relay-bin.info
-#log_slave_updates
-#read_only
-#
-# If applications support it, this stricter sql_mode prevents some
-# mistakes like inserting invalid dates etc.
-#sql_mode		= NO_ENGINE_SUBSTITUTION,TRADITIONAL
-#
-# * InnoDB
-#
-# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
-# Read the manual for more InnoDB related options. There are many!
-default_storage_engine	= InnoDB
-# you can't just change log file size, requires special procedure
-#innodb_log_file_size	= 50M
-innodb_buffer_pool_size	= {{ innodb_buffer_pool_size }}
-innodb_log_buffer_size	= 8M
-innodb_file_per_table	= 1
-innodb_open_files	= 400
-innodb_io_capacity	= 400
-innodb_flush_method	= O_DIRECT
-
-aria_pagecache_buffer_size = {{ aria_pagecache_buffer_size }}
-#
-# * Security Features
-#
-# Read the manual, too, if you want chroot!
-# chroot = /var/lib/mysql/
-#
-# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
-#
-# ssl-ca=/etc/mysql/cacert.pem
-# ssl-cert=/etc/mysql/server-cert.pem
-# ssl-key=/etc/mysql/server-key.pem
-
-#
-# * Galera-related settings
-#
-[galera]
-# Mandatory settings
-#wsrep_on=ON
-#wsrep_provider=
-#wsrep_cluster_address=
-#binlog_format=row
-#default_storage_engine=InnoDB
-#innodb_autoinc_lock_mode=2
-#
-# Allow server to accept connections on all interfaces.
-#
-#bind-address=0.0.0.0
-#
-# Optional setting
-#wsrep_slave_threads=1
-#innodb_flush_log_at_trx_commit=0
-
-[mysqldump]
-quick
-quote-names
-max_allowed_packet	= 16M
-
-[mysql]
-#no-auto-rehash	# faster start of mysql but no tab completion
-
-[isamchk]
-key_buffer		= 16M
-
-#
-# * IMPORTANT: Additional settings that can override those from this file!
-#   The files must end with '.cnf', otherwise they'll be ignored.
-#
-!include /etc/mysql/mariadb.cnf
-!includedir /etc/mysql/conf.d/

roles/munin/handlers/main.yml

@@ -1,4 +1,4 @@
 ---
 # ansible.builtin.file: roles/munin/handlers/main.yml
 - name: restart munin-node
-  ansible.builtin.systemd: name=munin-node state=restarted
+  ansible.builtin.systemd_service: name=munin-node state=restarted

roles/munin/tasks/munin-node.yml

@@ -1,16 +1,22 @@
 ---
 - name: Install munin-node
-  ansible.builtin.apt: name=munin-node state=present
+  ansible.builtin.apt:
+    name: munin-node
+    state: present
   tags: packages
 
 # some nice things to have for munin-node on Ubuntu
 # libwww-perl: for munin's nginx_status check
 - name: Install munin-node deps
-  ansible.builtin.apt: name=libwww-perl state=present
+  ansible.builtin.apt:
+    name: libwww-perl
+    state: present
   tags: packages
 
 - name: Create munin-node.conf
-  ansible.builtin.template: src=munin-node.conf.j2 dest=/etc/munin/munin-node.conf
+  ansible.builtin.template:
+    src: munin-node.conf.j2
+    dest: /etc/munin/munin-node.conf
   notify:
     - restart munin-node
 
@@ -20,6 +26,9 @@
     - restart munin-node
 
 - name: Start munin-node
-  ansible.builtin.systemd: name=munin-node state=started enabled=true
+  ansible.builtin.systemd_service:
+    name: munin-node
+    state: started
+    enabled: true
 
 # vim: set ts=2 sw=2:

roles/munin/tasks/munin.yml

@@ -1,9 +1,16 @@
 ---
 - name: Install munin package
-  ansible.builtin.apt: name=munin state=present
+  ansible.builtin.apt:
+    name: munin
+    state: present
   tags: packages
 
 - name: Create munin configuration file
-  ansible.builtin.template: src=munin.conf.j2 dest=/etc/munin/munin.conf owner=root group=root mode=0644
+  ansible.builtin.template:
+    src: munin.conf.j2
+    dest: /etc/munin/munin.conf
+    owner: root
+    group: root
+    mode: "0644"
 
 # vim: set ts=2 sw=2:

roles/nginx/defaults/main.yml

@@ -5,16 +5,16 @@
 nginx_confd_path: /etc/nginx/conf.d
 
 # parent directory of vhost roots
-nginx_root_prefix: /var/www
+nginx_root_prefix: "{{ web_root_prefix }}"
 
-# 1 hour timeout
-nginx_ssl_session_timeout: 1h
+# 1 day timeout
+nginx_ssl_session_timeout: 1d
 # 10MB -> 40,000 sessions
 nginx_ssl_session_cache: shared:SSL:10m
-# 1400 bytes to fit in one MTU (default is 16k!)
-nginx_ssl_buffer_size: 1400
+nginx_ssl_buffer_size: 4k
 nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
 nginx_ssl_protocols: TLSv1.2 TLSv1.3
+nginx_ssl_ecdh_curve: X25519:prime256v1:secp384r1
 
 # DNS resolvers for OCSP stapling (default to Cloudflare public DNS)
 # See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
@@ -37,8 +37,8 @@ letsencrypt_root: /etc/ssl
 letsencrypt_acme_script_temp: /root/acme.sh
 letsencrypt_acme_home: /root/.acme.sh
 
-# stable is 1.20.x
-# mainline is 1.21.x
+# stable is 1.26.x
+# mainline is 1.27.x
 nginx_version: mainline
 
 # vim: set ts=2 sw=2:

roles/nginx/handlers/main.yml

@@ -1,5 +1,7 @@
 ---
-- name: reload nginx
-  ansible.builtin.systemd: name=nginx state=reloaded
+- name: Reload nginx
+  ansible.builtin.systemd_service:
+    name: nginx
+    state: reloaded
 
 # vim: set ts=2 sw=2:

roles/nginx/tasks/letsencrypt.yml

@@ -1,7 +1,12 @@
 ---
 # Use acme.sh instead of certbot because they only support installation via
 # snap now.
-- block:
+- name: Install and configure Let's Encrypt
+  tags: letsencrypt
+  when:
+    - ansible_facts["distribution"] == 'Debian'
+    - ansible_facts["distribution_version"] is version('11', '>=')
+  block:
     - name: Remove certbot
       ansible.builtin.apt:
         name: certbot
@@ -21,31 +26,31 @@
       register: acme_home
 
     - name: Download acme.sh
+      when: not acme_home.stat.exists
       ansible.builtin.get_url:
         url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
         dest: "{{ letsencrypt_acme_script_temp }}"
         mode: "0700"
       register: acme_download
-      when: not acme_home.stat.exists
 
     # Run the "install" for acme.sh so it creates the .acme.sh dir (currently I
     # have to chdir to the /root directory where the script exists or else it
     # fails. Ansible runs it, but the script can't find itself...).
     - name: Install acme.sh
+      when: acme_download is changed
       ansible.builtin.command:
         cmd: "{{ letsencrypt_acme_script_temp }} --install --no-profile --no-cron"
         creates: "{{ letsencrypt_acme_home }}/acme.sh"
         chdir: /root
       register: acme_install
-      when: acme_download is changed
 
     - name: Remove temporary acme.sh script
-      ansible.builtin.file:
-        dest: "{{ letsencrypt_acme_script_temp }}"
-        state: absent
       when:
         - acme_install.rc is defined
         - acme_install.rc == 0
+      ansible.builtin.file:
+        dest: "{{ letsencrypt_acme_script_temp }}"
+        state: absent
 
     - name: Set default certificate authority for acme.sh
       ansible.builtin.command:
@@ -77,14 +82,10 @@
 
     # always issues daemon-reload just in case the service/timer changed
     - name: Start and enable systemd timer to renew Let's Encrypt certs
-      ansible.builtin.systemd:
+      ansible.builtin.systemd_service:
         name: renew-letsencrypt.timer
         state: started
         enabled: true
         daemon_reload: true
 
-  when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version
-    is version('11', '>='))
-  tags: letsencrypt
-
 # vim: set ts=2 sw=2:

roles/nginx/tasks/main.yml

@@ -1,20 +1,4 @@
 ---
-- name: Remove nginx apt signing key from apt-key
-  ansible.builtin.apt_key:
-    id: "053473772654754373614404074646527257655730117366337542"
-    state: absent
-  tags:
-    - packages
-    - nginx
-
-- name: Check nginx apt signing key
-  ansible.builtin.stat:
-    path: /usr/share/keyrings/nginx_signing.key
-  register: nginx_signing_key_stat
-  tags:
-    - packages
-    - nginx
-
 - name: Download nginx apt signing key
   ansible.builtin.get_url:
     url: https://nginx.org/keys/nginx_signing.key
@@ -22,8 +6,8 @@
     owner: root
     group: root
     mode: "0644"
+    checksum: sha256:55385da31d198fa6a5012d40ae98ecb272a6c4e8fffffba94719ffd3e87de37a
   register: download_nginx_signing_key
-  when: not nginx_signing_key_stat.stat.exists
   tags:
     - packages
     - nginx
@@ -41,9 +25,9 @@
     - packages
 
 - name: Update apt cache
+  when: (download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or add_nginx_apt_repository is changed
   ansible.builtin.apt: # noqa no-handler
     update_cache: true
-  when: (download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or add_nginx_apt_repository is changed
 
 - name: Install nginx
   ansible.builtin.apt:
@@ -62,7 +46,7 @@
     owner: root
     group: root
   notify:
-    - reload nginx
+    - Reload nginx
   tags: nginx
 
 - name: Copy extra nginx configs
@@ -76,7 +60,7 @@
     - extra-security.conf
     - fastcgi_cache
   notify:
-    - reload nginx
+    - Reload nginx
   tags: nginx
 
 - name: Remove default nginx vhost
@@ -95,13 +79,13 @@
   tags: nginx
 
 - name: Configure nginx virtual hosts
-  ansible.builtin.include_tasks: vhosts.yml
   when: nginx_vhosts is defined
+  ansible.builtin.include_tasks: vhosts.yml
   tags: nginx
 
 - name: Configure WordPress
-  ansible.builtin.include_tasks: wordpress.yml
   when: nginx_vhosts is defined
+  ansible.builtin.include_tasks: wordpress.yml
   tags: wordpress
 
 - name: Configure blank nginx vhost
@@ -112,7 +96,7 @@
     owner: root
     group: root
   notify:
-    - reload nginx
+    - Reload nginx
   tags: nginx
 
 - name: Configure munin vhost
@@ -123,11 +107,11 @@
     owner: root
     group: root
   notify:
-    - reload nginx
+    - Reload nginx
   tags: nginx
 
 - name: Start and enable nginx service
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: nginx
     state: started
     enabled: true

roles/nginx/tasks/vhosts.yml

@@ -1,16 +1,23 @@
 ---
-- block:
 - name: Configure https vhosts
-      ansible.builtin.template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root
+  tags: nginx
+  block:
+    - name: Configure https vhosts
+      ansible.builtin.template:
+        src: vhost.conf.j2
+        dest: "{{ nginx_confd_path }}/{{ item.domain_name }}.conf"
+        mode: "0644"
+        owner: root
+        group: root
       loop: "{{ nginx_vhosts }}"
       notify:
-        - reload nginx
+        - Reload nginx
 
     - name: Generate self-signed TLS cert
       ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key
         -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
       notify:
-        - reload nginx
+        - Reload nginx
 
     - name: Download 4096-bit RFC 7919 dhparams
       ansible.builtin.get_url:
@@ -18,12 +25,16 @@
         checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3
         dest: "{{ nginx_ssl_dhparam }}"
       notify:
-        - reload nginx
+        - Reload nginx
 
     # TODO: this could break because we can override the document root in host vars
     - name: Create vhost document roots
-      ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=nginx group=nginx
+      ansible.builtin.file:
+        path: "{{ nginx_root_prefix }}/{{ item.domain_name }}"
+        state: directory
+        mode: "0755"
+        owner: nginx
+        group: nginx
       loop: "{{ nginx_vhosts }}"
-  tags: nginx
 
 # vim: set ts=2 sw=2:

roles/nginx/tasks/wordpress.yml

@@ -1,19 +1,31 @@
 ---
-- block:
+- name: Install and configure WordPress
+  tags: wordpress
+  block:
     - name: Install WordPress
-      ansible.builtin.git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version
-        }} depth=1 force=true
       when:
         - item.has_wordpress is defined
         - item.has_wordpress
+      ansible.builtin.git:
+        repo: https://github.com/WordPress/WordPress.git
+        dest: "{{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress"
+        version: "{{ item.wordpress_version }}"
+        depth: 1
+        force: true
       loop: "{{ nginx_vhosts }}"
+      become: true
+      become_user: nginx
 
     - name: Fix WordPress directory permissions
-      ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=true
       when:
         - item.has_wordpress is defined
         - item.has_wordpress
+      ansible.builtin.file:
+        path: "{{ nginx_root_prefix }}/{{ item.domain_name }}"
+        state: directory
+        owner: nginx
+        group: nginx
+        recurse: true
       loop: "{{ nginx_vhosts }}"
-  tags: wordpress
 
 # vim: set ts=2 sw=2:

roles/nginx/templates/blank-vhost.conf.j2

@@ -11,9 +11,11 @@ server {
 
     return 444;
 }
+
 server {
-    listen 443 ssl http2 default_server;
-    listen [::]:443 ssl http2 default_server;
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+    http2 on;
     server_name _;
 
     # self-signed "snakeoil" certificate

roles/nginx/templates/https.j2

@@ -27,8 +27,9 @@
 
     ssl_dhparam {{ nginx_ssl_dhparam }};
     ssl_protocols {{ nginx_ssl_protocols }};
+    ssl_ecdh_curve {{ nginx_ssl_ecdh_curve }};
     ssl_ciphers "{{ tls_cipher_suite }}";
-    ssl_prefer_server_ciphers on;
+    ssl_prefer_server_ciphers off;
 
     {# OSCP stapling only works with real certs #}
     {% if use_letsencrypt == true or item.tls_certificate_path %}
@@ -38,15 +39,6 @@
     resolver {{ nginx_ssl_stapling_resolver }};
     {% endif %} {# end: use_letsencrypt #}
 
-    # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
-    # when a restart is performed the previous key is lost, which resets all previous
-    # sessions. The fix for this is to setup a manual rotation mechanism:
-    # http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
-    #
-    # Note that you'll have to define and rotate the keys securely by yourself. In absence
-    # of such infrastructure, consider turning off session tickets:
-    ssl_session_tickets off;
-
     {% if enable_hsts == true %}
     # Enable this if you want HSTS (recommended, but be careful)
     # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store

roles/nginx/templates/nginx.conf.j2

@@ -14,7 +14,6 @@ error_log  /var/log/nginx/error.log warn;
 # The file storing the process ID of the main process
 pid        /var/run/nginx.pid;
 
-
 events {
     # If you need more connections than this, you start optimizing your OS.
     # That's probably the point at which you hire people who are smarter than you as this is *a lot* of requests.
@@ -23,6 +22,7 @@ events {
 }
 
 
+
 http {
     include       /etc/nginx/mime.types;
     default_type  application/octet-stream;

roles/nginx/templates/nginx_org_sources.list.j2

@@ -1,19 +1,7 @@
 {{ ansible_managed | comment }}
 
-{% if ansible_distribution == 'Ubuntu' %}
-
 {% if nginx_version == "stable" %}
-deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/ubuntu/ {{ ansible_distribution_release }} nginx
+deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/debian/ {{ ansible_facts["distribution_release"] }} nginx
 {% elif nginx_version == "mainline" %}
-deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/mainline/ubuntu/ {{ ansible_distribution_release }} nginx
-{% endif %}
-
-{% elif ansible_distribution == 'Debian' %}
-
-{% if nginx_version == "stable" %}
-deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx
-{% elif nginx_version == "mainline" %}
-deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/mainline/debian/ {{ ansible_distribution_release }} nginx
-{% endif %}
-
+deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/mainline/debian/ {{ ansible_facts["distribution_release"] }} nginx
 {% endif %}

roles/nginx/templates/vhost.conf.j2

@@ -8,6 +8,12 @@
 {% set has_wordpress  = item.has_wordpress | default(false) %}
 {% set needs_php      = item.needs_php | default(false) %}
 {% set has_gitea      = item.has_gitea | default(false) %}
+{# Allow sites to override the document root #}
+{% if item.document_root is defined %}
+{%   set document_root = item.document_root %}
+{% else %}
+{%   set document_root = (nginx_root_prefix, domain_name) | ansible.builtin.path_join %}
+{% endif %}
 
 # http -> https vhost
 server {
@@ -26,15 +32,11 @@ server {
 }
 
 server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
 
-    {# Allow sites to override the nginx document root #}
-    {% if item.document_root is defined %}
-    root {{ item.document_root }};
-    {% else %}
-    root {{ nginx_root_prefix }}/{{ domain_name }};
-    {% endif %}
+    root {{ document_root }};
 
     {# will only work if the TLS cert covers the domain + aliases, like example.com and www.example.com #}
     server_name {{ domain_name }} {{ domain_aliases }};
@@ -75,10 +77,8 @@ server {
         # See: https://httpoxy.org/
         fastcgi_param HTTP_PROXY "";
 
-        {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11', '==')) %}
-        fastcgi_pass unix:/run/php/php7.4-fpm-{{ domain_name }}.sock;
-        {% else %}
-        fastcgi_pass unix:/var/run/php5-fpm-{{ domain_name }}.sock;
+        {% if ansible_facts["distribution_major_version"] is version('12', '==') %}
+        fastcgi_pass unix:/run/php/php8.2-fpm-{{ domain_name }}.sock;
         {% endif %}
         fastcgi_index index.php;
         # set script path relative to document root in server block

roles/php-fpm/handlers/main.yml

@@ -1,12 +0,0 @@
----
-# For Ubuntu 20.04 and Debian 11
-- name: reload php7.4-fpm
-  ansible.builtin.systemd: name=php7.4-fpm state=reloaded
-
-# For Debian 12
-- name: reload php8.2-fpm
-  ansible.builtin.systemd:
-    name: php8.2-fpm
-    state: reloaded
-
-# vim: set ts=2 sw=2:

roles/php-fpm/tasks/Debian_12.yml

@@ -1,50 +0,0 @@
----
-- block:
-    - name: Set php-fpm packages
-      ansible.builtin.set_fact:
-        php_fpm_packages:
-          - php8.2-fpm
-          # for WordPress
-          - php8.2-mysql
-          - php8.2-gd
-          - php8.2-curl
-          - php8.2-xml
-
-    - name: Install php-fpm and deps
-      ansible.builtin.apt:
-        name: "{{ php_fpm_packages }}"
-        state: present
-        update_cache: true
-
-    # only copy php-fpm config for vhosts that need WordPress or PHP
-    - name: Copy php-fpm pool config
-      ansible.builtin.template:
-        src: php8.2-pool.conf.j2
-        dest: /etc/php/8.2/fpm/pool.d/{{ item.domain_name }}.conf
-        owner: root
-        group: root
-        mode: "0644"
-      loop: "{{ nginx_vhosts }}"
-      when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
-      notify: reload php8.2-fpm
-
-    - name: Remove default www pool
-      ansible.builtin.file:
-        path: /etc/php/8.2/fpm/pool.d/www.conf
-        state: absent
-      notify: reload php8.2-fpm
-
-    # re-configure php.ini
-    - name: Update php.ini
-      ansible.builtin.template:
-        src: php8.2-php.ini.j2
-        dest: /etc/php/8.2/fpm/php.ini
-        owner: root
-        group: root
-        mode: "0644"
-      notify: reload php8.2-fpm
-
-  tags: php-fpm
-  when: install_php
-
-# vim: set ts=2 sw=2:

roles/php-fpm/tasks/Ubuntu_20.04.yml

@@ -1,35 +0,0 @@
----
-- block:
-    - name: Set php-fpm packages
-      ansible.builtin.set_fact:
-        php_fpm_packages:
-          - php7.4-fpm
-          # for WordPress
-          - php7.4-mysql
-          - php7.4-gd
-          - php7.4-curl
-          - php7.4-xml
-
-    - name: Install php-fpm and deps
-      ansible.builtin.apt: name={{ php_fpm_packages }} state=present update_cache=true
-
-    # only copy php-fpm config for vhosts that need WordPress or PHP
-    - name: Copy php-fpm pool config
-      ansible.builtin.template: src=php7.4-pool.conf.j2 dest=/etc/php/7.4/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
-      loop: "{{ nginx_vhosts }}"
-      when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
-      notify: reload php7.4-fpm
-
-    - name: Remove default www pool
-      ansible.builtin.file: path=/etc/php/7.4/fpm/pool.d/www.conf state=absent
-      notify: reload php7.4-fpm
-
-    # re-configure php.ini
-    - name: Update php.ini
-      ansible.builtin.template: src=php7.4-php.ini.j2 dest=/etc/php/7.4/fpm/php.ini owner=root group=root mode=0644
-      notify: reload php7.4-fpm
-
-  tags: php-fpm
-  when: install_php
-
-# vim: set ts=2 sw=2:

roles/php-fpm/tasks/main.yml

@@ -1,53 +0,0 @@
----
-# Ubuntu 20.04 uses PHP 7.4
-# Debian 11 uses PHP 7.4
-# Debian 12 uses PHP 8.2
-
-# If any of the vhosts on this host need WordPress then we need to install PHP.
-# This uses selectattr to filter the list of dicts in nginx_vhosts, selecting
-# any that have has_wordpress defined, and has_wordpress set to true.
-#
-# See: https://stackoverflow.com/a/31896249
-- name: Check if any vhost needs WordPress
-  ansible.builtin.set_fact:
-    install_php: true
-  when: nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', true) | list | length > 0
-
-# Legacy, was only for Piwik, but leaving for now.
-- name: Check if any vhost needs PHP
-  ansible.builtin.set_fact:
-    install_php: true
-  when: nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', true) | list | length > 0
-
-# If install_php has not been set, then we assume no vhosts need PHP. This is
-# a bit hacky, but it's the closest we come to an if/then/else.
-- name: Set install_php to false
-  ansible.builtin.set_fact:
-    install_php: false
-  when: install_php is not defined
-
-- name: Configure php-fpm on Ubuntu 20.04
-  ansible.builtin.include_tasks: Ubuntu_20.04.yml
-  when:
-    - ansible_distribution == 'Ubuntu'
-    - ansible_distribution_version is version('20.04', '==')
-    - install_php
-  tags: php-fpm
-
-- name: Configure php-fpm on Debian 11
-  ansible.builtin.include_tasks: Ubuntu_20.04.yml
-  when:
-    - ansible_distribution == 'Debian'
-    - ansible_distribution_major_version is version('11', '==')
-    - install_php
-  tags: php-fpm
-
-- name: Configure php-fpm on Debian 12
-  ansible.builtin.include_tasks: Debian_12.yml
-  when:
-    - ansible_distribution == 'Debian'
-    - ansible_distribution_major_version is version('12', '==')
-    - install_php
-  tags: php-fpm
-
-# vim: set ts=2 sw=2:

roles/php_fpm/handlers/main.yml

@@ -0,0 +1,14 @@
+---
+# For Debian 12
+- name: Reload php8.2-fpm
+  ansible.builtin.systemd_service:
+    name: php8.2-fpm
+    state: reloaded
+
+# For Debian 13
+- name: Reload php8.4-fpm
+  ansible.builtin.systemd_service:
+    name: php8.4-fpm
+    state: reloaded
+
+# vim: set ts=2 sw=2:

roles/php_fpm/tasks/main.yml

@@ -0,0 +1,90 @@
+---
+# Debian 12 uses PHP 8.2
+# Debian 13 uses PHP 8.4
+
+# If any of the vhosts on this host need WordPress then we need to install PHP.
+# This uses selectattr to filter the list of dicts in nginx_vhosts, selecting
+# any that have has_wordpress defined, and has_wordpress set to true.
+#
+# See: https://stackoverflow.com/a/31896249
+- name: Check if any vhost needs WordPress
+  ansible.builtin.set_fact:
+    install_php: true
+  when: nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', true) | list | length > 0
+
+# Legacy, was only for Piwik, but leaving for now.
+- name: Check if any vhost needs PHP
+  ansible.builtin.set_fact:
+    install_php: true
+  when: nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', true) | list | length > 0
+
+# If install_php has not been set, then we assume no vhosts need PHP. This is
+# a bit hacky, but it's the closest we come to an if/then/else.
+- name: Set install_php to false
+  ansible.builtin.set_fact:
+    install_php: false
+  when: install_php is not defined
+
+- name: Install and configure php-fpm
+  tags: php-fpm
+  when: install_php
+  block:
+    - name: Set php-fpm packages
+      ansible.builtin.set_fact:
+        php_fpm_packages:
+          - php-fpm
+          # for WordPress
+          - php-mysql
+          - php-gd
+          - php-curl
+          - php-xml
+
+    - name: Install php-fpm and deps
+      ansible.builtin.apt:
+        name: "{{ php_fpm_packages }}"
+        state: present
+        update_cache: true
+
+    - name: Set PHP version for Debian 12
+      when:
+        - ansible_facts["distribution"] == 'Debian'
+        - ansible_facts["distribution_major_version"] is version('12', '==')
+      ansible.builtin.set_fact:
+        php_version: 8.2
+
+    - name: Set PHP version for Debian 13
+      when:
+        - ansible_facts["distribution"] == 'Debian'
+        - ansible_facts["distribution_major_version"] is version('13', '==')
+      ansible.builtin.set_fact:
+        php_version: 8.4
+
+    # only copy php-fpm config for vhosts that need WordPress or PHP
+    - name: Copy php-fpm pool config
+      ansible.builtin.template:
+        src: php{{ php_version }}-pool.conf.j2
+        dest: /etc/php/{{ php_version }}/fpm/pool.d/{{ item.domain_name }}.conf
+        owner: root
+        group: root
+        mode: "0644"
+      loop: "{{ nginx_vhosts }}"
+      when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
+      notify: Reload php{{ php_version }}-fpm
+
+    - name: Remove default www pool
+      ansible.builtin.file:
+        path: /etc/php/{{ php_version }}/fpm/pool.d/www.conf
+        state: absent
+      notify: Reload php{{ php_version }}-fpm
+
+    # re-configure php.ini
+    - name: Update php.ini
+      ansible.builtin.template:
+        src: php{{ php_version }}-php.ini.j2
+        dest: /etc/php/{{ php_version }}/fpm/php.ini
+        owner: root
+        group: root
+        mode: "0644"
+      notify: Reload php{{ php_version }}-fpm
+
+# vim: set ts=2 sw=2:

roles/php_fpm/templates/php8.2-pool.conf.j2

@@ -27,8 +27,8 @@
 ;       --allow-to-run-as-root option to work.
 ; Default Values: The user is set to master process running user by default.
 ;                 If the group is not set, the user's group is used.
-user = www-data
-group = www-data
+user = {{ webserver }}
+group = {{ webserver }}
 
 ; The address on which to accept FastCGI requests.
 ; Valid syntaxes are:
@@ -52,8 +52,8 @@ listen = /run/php/php8.2-fpm-{{ domain_name }}.sock
 ; and group can be specified either by name or by their numeric IDs.
 ; Default Values: Owner is set to the master process running user. If the group
 ;                 is not set, the owner's group is used. Mode is set to 0660.
-listen.owner = www-data
-listen.group = www-data
+listen.owner = {{ webserver }}
+listen.group = {{ webserver }}
 ;listen.mode = 0660
 
 ; When POSIX Access Control Lists are supported you can set them using
@@ -342,14 +342,10 @@ pm.max_spare_servers = 3
 ;  %s: status (response code)
 ;  %t: server time the request was received
 ;      it can accept a strftime(3) format:
-;      %d/%b/%Y:%H:%M:%S %z (default)
 ;      The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
-;      e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
 ;  %T: time the log has been written (the request has finished)
 ;      it can accept a strftime(3) format:
-;      %d/%b/%Y:%H:%M:%S %z (default)
 ;      The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
-;      e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
 ;  %u: remote user
 ;
 ; Default: "%R - %u %t \"%m %r\" %s"

roles/php_fpm/templates/php8.4-pool.conf.j2

@@ -19,11 +19,16 @@
 ; Default Value: none
 ;prefix = /path/to/pools/$pool
 
-; Unix user/group of processes
-; Note: The user is mandatory. If the group is not set, the default user's group
-;       will be used.
-user = nginx
-group = nginx
+; Unix user/group of the child processes. This can be used only if the master
+; process running user is root. It is set after the child process is created.
+; The user and group can be specified either by their name or by their numeric
+; IDs.
+; Note: If the user is root, the executable needs to be started with
+;       --allow-to-run-as-root option to work.
+; Default Values: The user is set to master process running user by default.
+;                 If the group is not set, the user's group is used.
+user = {{ webserver }}
+group = {{ webserver }}
 
 ; The address on which to accept FastCGI requests.
 ; Valid syntaxes are:
@@ -35,20 +40,22 @@ group = nginx
 ;                            (IPv6 and IPv4-mapped) on a specific port;
 ;   '/path/to/unix/socket' - to listen on a unix socket.
 ; Note: This value is mandatory.
-listen = /run/php/php7.4-fpm-{{ domain_name }}.sock
+listen = /run/php/php8.2-fpm-{{ domain_name }}.sock
 
 ; Set listen(2) backlog.
-; Default Value: 511 (-1 on FreeBSD and OpenBSD)
+; Default Value: 511 (-1 on Linux, FreeBSD and OpenBSD)
 ;listen.backlog = 511
 
 ; Set permissions for unix socket, if one is used. In Linux, read/write
 ; permissions must be set in order to allow connections from a web server. Many
-; BSD-derived systems allow connections regardless of permissions.
-; Default Values: user and group are set as the running user
-;                 mode is set to 0660
-listen.owner = nginx
-listen.group = nginx
+; BSD-derived systems allow connections regardless of permissions. The owner
+; and group can be specified either by name or by their numeric IDs.
+; Default Values: Owner is set to the master process running user. If the group
+;                 is not set, the owner's group is used. Mode is set to 0660.
+listen.owner = {{ webserver }}
+listen.group = {{ webserver }}
 ;listen.mode = 0660
+
 ; When POSIX Access Control Lists are supported you can set them using
 ; these options, value is a comma separated list of user/group names.
 ; When set, listen.owner and listen.group are ignored
@@ -63,6 +70,10 @@ listen.group = nginx
 ; Default Value: any
 ;listen.allowed_clients = 127.0.0.1
 
+; Set the associated the route table (FIB). FreeBSD only
+; Default Value: -1
+;listen.setfib = 1
+
 ; Specify the nice(2) priority to apply to the pool processes (only if set)
 ; The value can vary from -19 (highest priority) to 20 (lower priority)
 ; Note: - It will only work if the FPM master process is launched as root
@@ -71,8 +82,9 @@ listen.group = nginx
 ; Default Value: no set
 ; process.priority = -19
 
-; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
-; or group is differrent than the master process user. It allows to create process
+; Set the process dumpable flag (PR_SET_DUMPABLE prctl for Linux or
+; PROC_TRACE_CTL procctl for FreeBSD) even if the process user
+; or group is different than the master process user. It allows to create process
 ; core dump and ptrace the process for the pool user.
 ; Default Value: no
 ; process.dumpable = yes
@@ -94,6 +106,8 @@ listen.group = nginx
 ;                                    state (waiting to process). If the number
 ;                                    of 'idle' processes is greater than this
 ;                                    number then some children will be killed.
+;             pm.max_spawn_rate    - the maximum number of rate to spawn child
+;                                    processes at once.
 ;  ondemand - no children are created at startup. Children will be forked when
 ;             new requests will connect. The following parameter are used:
 ;             pm.max_children           - the maximum number of children that
@@ -129,6 +143,12 @@ pm.min_spare_servers = 1
 ; Note: Mandatory when pm is set to 'dynamic'
 pm.max_spare_servers = 3
 
+; The number of rate to spawn child processes at once.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+; Default Value: 32
+;pm.max_spawn_rate = 32
+
 ; The number of seconds after which an idle process will be killed.
 ; Note: Used only when pm is set to 'ondemand'
 ; Default Value: 10s
@@ -141,7 +161,7 @@ pm.max_spare_servers = 3
 ;pm.max_requests = 500
 
 ; The URI to view the FPM status page. If this value is not set, no URI will be
-; recognized as a status page. It shows the following informations:
+; recognized as a status page. It shows the following information:
 ;   pool                 - the name of the pool;
 ;   process manager      - static, dynamic or ondemand;
 ;   start time           - the date and time FPM has started;
@@ -211,8 +231,8 @@ pm.max_spare_servers = 3
 ;                          it's always 0 if the process is not in Idle state
 ;                          because memory calculation is done when the request
 ;                          processing has terminated;
-; If the process is in Idle state, then informations are related to the
-; last request the process has served. Otherwise informations are related to
+; If the process is in Idle state, then information is related to the
+; last request the process has served. Otherwise information is related to
 ; the current request being served.
 ; Example output:
 ;   ************************
@@ -231,7 +251,7 @@ pm.max_spare_servers = 3
 ;   last request memory:  0
 ;
 ; Note: There is a real-time FPM status monitoring sample web page available
-;       It's available in: /usr/share/php/7.4/fpm/status.html
+;       It's available in: /usr/share/php/8.4/fpm/status.html
 ;
 ; Note: The value must start with a leading slash (/). The value can be
 ;       anything, but it may not be a good idea to use the .php extension or it
@@ -239,6 +259,22 @@ pm.max_spare_servers = 3
 ; Default Value: not set
 ;pm.status_path = /status
 
+; The address on which to accept FastCGI status request. This creates a new
+; invisible pool that can handle requests independently. This is useful
+; if the main pool is busy with long running requests because it is still possible
+; to get the status before finishing the long running requests.
+;
+; Valid syntaxes are:
+;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
+;                            a specific port;
+;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
+;                            a specific port;
+;   'port'                 - to listen on a TCP socket to all addresses
+;                            (IPv6 and IPv4-mapped) on a specific port;
+;   '/path/to/unix/socket' - to listen on a unix socket.
+; Default Value: value of the listen option
+;pm.status_listen = 127.0.0.1:9001
+
 ; The ping URI to call the monitoring page of FPM. If this value is not set, no
 ; URI will be recognized as a ping page. This could be used to test from outside
 ; that FPM is alive and responding, or to
@@ -271,13 +307,13 @@ pm.max_spare_servers = 3
 ;  %d: time taken to serve the request
 ;      it can accept the following format:
 ;      - %{seconds}d (default)
-;      - %{miliseconds}d
-;      - %{mili}d
+;      - %{milliseconds}d
+;      - %{milli}d
 ;      - %{microseconds}d
 ;      - %{micro}d
 ;  %e: an environment variable (same as $_ENV or $_SERVER)
 ;      it must be associated with embraces to specify the name of the env
-;      variable. Some exemples:
+;      variable. Some examples:
 ;      - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
 ;      - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
 ;  %f: script filename
@@ -306,14 +342,30 @@ pm.max_spare_servers = 3
 ;  %s: status (response code)
 ;  %t: server time the request was received
 ;      it can accept a strftime(3) format:
-;      The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
+;      The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
 ;  %T: time the log has been written (the request has finished)
 ;      it can accept a strftime(3) format:
-;      The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
-;  %u: remote user
+;      The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
+;  %u: basic auth user if specified in Authorization header
 ;
 ; Default: "%R - %u %t \"%m %r\" %s"
-;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
+;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%"
+
+; A list of request_uri values which should be filtered from the access log.
+;
+; As a security precaution, this setting will be ignored if:
+;     - the request method is not GET or HEAD; or
+;     - there is a request body; or
+;     - there are query parameters; or
+;     - the response code is outwith the successful range of 200 to 299
+;
+; Note: The paths are matched against the output of the access.format tag "%r".
+;       On common configurations, this may look more like SCRIPT_NAME than the
+;       expected pre-rewrite URI.
+;
+; Default Value: not set
+;access.suppress_path[] = /ping
+;access.suppress_path[] = /health_check.php
 
 ; The log file for slow requests
 ; Default Value: not set
@@ -372,7 +424,7 @@ pm.max_spare_servers = 3
 
 ; Redirect worker stdout and stderr into main error log. If not set, stdout and
 ; stderr will be redirected to /dev/null according to FastCGI specs.
-; Note: on highloaded environement, this can cause some delay in the page
+; Note: on highloaded environment, this can cause some delay in the page
 ; process time (several ms).
 ; Default Value: no
 ;catch_workers_output = yes

vars/Ubuntu.yml

@@ -1,10 +0,0 @@
----
-
-# sshd service name is `ssh` on Debian/Ubuntu, but it's
-# `sshd` on CentOS
-sshd_service_name: ssh
-
-# provisioning user vars
-provisioning_user: { name: 'provisioning', home: '/home/provisioning' }
-
-# vim: set ts=2 sw=2:

web.yml

@@ -9,7 +9,7 @@
     - { role: mariadb, when: mariadb_databases is defined}
     - { role: nginx, when: webserver is defined and webserver == 'nginx' }
     - { role: caddy, when: webserver is defined and webserver == 'caddy' }
-    - php-fpm
+    - php_fpm
     - munin
   vars_files:
     - vars/ipsets.yml