roles: use ansible_facts["foo"] pattern

Instead of ansible_foo. Ansible recently started warning that this
is deprecated.

Pipfile

@@ -10,4 +10,4 @@ ansible = "*"
 ansible-lint = "*"
 
 [requires]
-python_version = "3.12"
+python_version = "3.13"

README.md

@@ -4,7 +4,7 @@ Ansible playbook for base and initial configuration of the web server hosting my
 ## Assumptions
 Before you can run this, a few things are assumed:
 
-- You have a clean, minimal Ubuntu 20.04 or Debian 11/12 host up and running
+- You have a clean, minimal Debian 12 host up and running
 - Python 3 is installed on the remote server (requirement of Ansible)
 - You have a user account with password-less SSH access to the machine
 - You have sudo privileges on the remote host

ansible.cfg

@@ -13,12 +13,6 @@ interpreter_python=auto
 # See: https://docs.ansible.com/ansible/latest/user_guide/connection_details.html#managing-host-key-checking
 host_key_checking = False
 
-ansible_managed = This file is managed by Ansible.%n
-  template: {file}
-  date: %Y-%m-%d %H:%M:%S
-  user: {uid}
-  host: {host}
-
 [privilege_escalation]
 # instead of using -K
 become_ask_pass=True

group_vars/all

@@ -3,4 +3,12 @@
 
 tls_cipher_suite: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
 
+ansible_managed: |-
+  This file is managed by Ansible.
+
+  {{ 'template: ' + template_path }}
+  {{ 'date: ' + (template_mtime | string) }}
+  {{ 'user: ' + template_uid }}
+  {{ 'host: ' + template_host }}
+
 # vim: set ts=2 sw=2:

group_vars/web

@@ -8,4 +8,7 @@ webserver: nginx
 extra_fail2ban_filters:
   - nginx
 
+# root prefix for all web servers
+web_root_prefix: /var/www
+
 # vim: set ts=2 sw=2:

host_vars/web22

@@ -1,138 +1,141 @@
 $ANSIBLE_VAULT;1.1;AES256
-39373066313030346161656231616436326166363937663239363666356462633536316336343663
-6630363832396134326536306235656137393433313335360a333535613834626562303036396637
-63663133643630313438383966383536333732636136613934396530646133303962373961343563
-3361343730306332650a333739353237363939353736643938393263623438626464613766313066
-36316133666133656637376432363837383061616630613061393731306361333138653561356236
-38383934663735656162656234613031386266663838346365363763653835316334343239633961
-31366633386166356434393637353565643739666537373433393830343236323336626664336666
-64346165653435333139613334616234383164346466346663616434303632663436336234653130
-39373264643465303335663132303231393036366266343335636230353930333164313833636537
-38393466623937313831373330373039343164336463356366343537666266393033363537313462
-32613831306366636134333332656135343038346263343735376165623330663865306138656162
-37393565386661643336323933653234356334633638333138643235366534363530356330316436
-34663331366665363831643064633437303031653135653137643366646530363336393762383230
-66643966366366623631333737313433373739396135383964383439306561343630646530313738
-65333431326238353031646635383931333732383564363532313936376563626237623434316436
-65636538383532623661326431306638353463363434333238613661656238343334613661613736
-39396139326534636562383138396666616433613665393061623637633233353566383061666531
-66323764643438656235316537626332313739333239396164636138633739316333616263366366
-35313839306263326533633638346630616362383761656534353839356536653436323139373362
-62653134633639663730306163323633656462316164616464626363343462316538373135333965
-38333365303662633366663933313235666563373934663234373630653834396234306638393364
-32623965396134356535343337616461663633653034653830633032343031383034613136633863
-33316636643731313634663264336533663238663337643337663061313231303930353961623263
-61643638363338616366313539393066666365323162326335656464303232336337326366346639
-37313831316633343535373638316335336561346235616663376338653634336633383666373332
-31313166363664343830323830633666336632663333643064346332336431393236353833366233
-64313435306464376237643062356437666461316463343562326163616434333436343031323163
-61666430663062333839646532393761366531343430616338363532356164313937336463333033
-64326630303632386634346465366630633935323836386364623031633336366661623037663465
-35663039376530343038366361373064346537613538616136613439303538636431396464633633
-33306362616533333833613239373632646266643432383663626166653432616666353761363835
-62643734393965393939373366313936313264666439363763643930383735623564396233323638
-64396235353033383730653164396531316266643938373238393737393338626336313063346335
-63653232383566646430343039616365363833326639373230613030306366303065383165383962
-33633666313765636638306235386661316537393764333235326565363739643566626231383836
-61366462346162633736316433313161316430653466333731396535376632626431663539396231
-35306361316461306134303136373336636437656663356665643233353865356366396266623335
-35303061303261323531336131346237623963646432616234313066316137613237326164383465
-34333931323733653737363532366264623038653866303934353065613865366332356434333233
-66393532313662316633313832373737653663656466323764353965306630303532386262633266
-63653039643365636436356366343637643237373639373335653962386663663264653861393831
-65613031326465363832333564306634613733313965323731653937353563386536616537353236
-32333038393961623238343437633036346539336134376235353834333735376538383539393535
-62373266303462303338663730303339663230633931663935393165363336326333666665656564
-39666136633830626133316232353537393934393465356430303563366165386635373634636234
-64316238623365373736393937613533666233343866313234643861333033393739326164333139
-62316130616663666337353039356533636537663536646165333836356638623266356161656462
-36623062636330643966333531613234616531326438323135383961633131303763306130303139
-61663137613731353232616336353938646335333165316133633738343563353862306135316534
-64313931663036333934356664626663636566393264666564353037303236366334653365333433
-31333961623237336162626666383831346565313566323362653064306632306239643331323662
-38326539393739343062646464633633663935366434353735636535336135303936613937343234
-66616531336161396239636531646565323166306137366462346662303832393031666365306539
-38386262326435636661336366636264636139333533393736313263643833313431613364636566
-36383731656664623338386339376435623662633333303532386531376365663732623831356366
-65353534633132336137656362396437633332363361663666323935316435356238306462653964
-38633731303665353230663237343664623234663161633366393163623339356466636233343263
-31616330613565336336343438323836363134343433373537626261336362656566613766396234
-34613865613533306264356233663866616166616465663434643465393161336539353765393664
-31396231313139373837646562636262633733353963613138613231373438363265386561383364
-64383931663338363762353334323631313636393539623436383536636166353733333437653465
-35383931326233373730346434323364616538646463316264333761653864306538383362663835
-64643833616135363037613835633565313566346233623061643566376633303366316635303262
-35656334656533333932376264663537313466386336316237643737353863653233636235333762
-63376163386665666434616565316338353834303935363532303433653337623062306233336130
-66623735663463393764396537353265313136373739623334346232353338343134653539643162
-32646431316137636537393339373266383136353730303630643330653364316461363532616362
-34656239346537373664633439393137316163623264356462396333626564643031633038306633
-37366135323763616230643537323830383434633838303865393664396233373032366461303433
-33656634333864366139376534623763346630303337373431363338616261666637326264373662
-62346164346234643965623936353037623433653463386163623235316566653134613233366137
-38316163326537363130353630656532313630396339316536323464336435636133663133363863
-32353236636662346338616563323466393663323963623662353433343331356363333964303435
-64343430623331633962613231383039373130303935333935646130313238306333613564653864
-62353634623166343761656533373265616539636362346462626563613939643065383664346537
-39373962333065656637313035613262316161323762353436373965323431326364613537356163
-33373537663062366261383434333838336161373635303136616635323861386338346530343430
-35363139313434633162376266326538393861336530333036366633323536373339373838326131
-31323436663530656339313964373331626132626461336666636530313330643533306334613161
-65363365353465346434376365353336333538356631393662646534336166353439393837663838
-32616530323663376138323132326364353434613665646133363730636165386164633532303435
-34366363333739653833373834313236623439323265343232326133386332356363663063393339
-63333661363133386138306463383363666263306464393533633236303536613661323137333733
-32353362373164326635323661383035343531386263666262653266363131373335626535323263
-38303334643161313262336365393963356133616364626561373735303365323638643130303332
-38653165366134393062313366396564653735393439353237646564373362383665393731326139
-30303265346164653863633838663434663635616332363163646235396633633138303061353530
-32326133373064646165343865306464663564646237633030616131306134623866663731393763
-61333630346431656163356231643062366530333462663638373037623165383962306531306333
-36313462646138336565326561663765656636633833393133363262666337616535633165333439
-38393634336239303338623235323761663265313332616135623963613933636636633964646461
-30363936373561663832393832646230326533333438656534366136656365616335336632653339
-33313466336135326135323366343262376435376237373038363061636361653737373361316263
-62366665616135333937666164346366316462643939393065646462636132623164613433333336
-61313234623631326233366532323733303839326434636633303037666630336463663535613434
-36396132393566326635323736366336333365343132626338633336396662313562323461303832
-39376431613764633066663233393035333333626634346333306462316639393464666666333432
-66396133613930313639663832333831333363353436613137373739653761356132663765646137
-66666365613938363564646535353731313431306637343331303730353433623039383633323536
-31363332623165346132663165316139393830353566666236373132353762356131373364336261
-66643666306133636633646135313263633233306337366566626131383862303461373563386231
-37313535363339373730343163336162343563366562326465306466336464366133336537353266
-37623636376435363363363538396165656561356266346334333163333433373530616430303866
-61613034356139356539653165616630393963623030653333623130363464376361623263623339
-32363961383566366131323135666163643638613239313934326364303165336365626663353962
-64396461633230313761616566663931663638366238646466383562363331663532666432386233
-34613661353231633832343638323565356662366630313537363964646164363238366431343266
-33616532633631393164656538353838313636393566373934393430333263333939363531636437
-32323332626237393035303461653761343631346534653130643361373836613966326332343337
-36656237363134613137373865396530383130363031383836366536643761643033373635383063
-34363837663065393161336334366439383636376566613331353530313434623061313764313739
-62356531353533323637313030663032313163336661356137356136313366633064616531343437
-30666562336230386636656432346435363138656465383031386536343532343331383539303238
-30613938343864393637633562383461346537326335386331326662633532653436393535386635
-34653430633535396263366536626330656366663565316230313633666433376161323665353766
-39343239323066346136623336396362383664373839313131303263393265373736353237323433
-62616634616163363638333063373462623061303561616531363331633566663334653239386466
-61373465616431323535343037396337666631383362323431663264383965373761383261356164
-31623263646263313061313934343430383331643638396262336235623032343835323430396537
-35353862313937393664653533386436393833656166613963643436643430623330383565373036
-33303731376430376234646233646465363663316139373838623637646138313437653039303239
-30313562636466323162663338343763303964313062396662633935626132656464313336303864
-35666466643265353130636231373430333366643532653466343065663762663662646461323235
-62336338326565653630383261316537373462336135336265643737626366633664393861663834
-32663637326266336437343330646265346162653035653563376137626430306263333132343131
-32623831336334386330656234656439316238626531396462393435396430393564376230326666
-32643034653464343835613738633564646635653536383030316531646532323062623336623737
-36373139363561373038643239646231393032323561316463323330356535393533613734643563
-62663431306330383534663836623135313239616261613162316461666432653935313631386132
-31623039356438633964323436633334656230636337306261616631373265633837383834666432
-65306238623235396464366363633739323861396133323235656234323361396566346565623066
-66373463373737363037323834613833613737353964313131326436326333653934306535343538
-34353939356164623736303366366138396163643437623761643134323762656337616633646161
-62303039386162363966653161323438363866303663616537353961343566616333626563663166
-32386438393363393635303163613239363764343462643038343663396632323138646333373461
-32393066346633633064376136313834386361383335616666626131386565373666386432626334
-6534
+65636230346264393938656566653961393466306338353435333061356463363836616435333731
+3537316534663335343333643435383663303438333433650a666133633965643939306661383536
+33626364316338306530393036653134373339653264616537623731323063646531383137333131
+6263363037613631360a343831393830646536326538363764643136613732636165316466316566
+65346162383337626631663533626230643061633139663661656365333738353530316661313864
+32373831396437386434313430666434363534656130613632643264393538663131336635653537
+61613065336133343130353862646130386136333231393962353064666335363330623064626631
+34333137363566313764343335646531326337616563366636316232633936333264373731653332
+66366361643261626563633838663061303762386234336133366233356564343562323965663731
+38326631333166643534313836323337663131313766306166333534336333613735643033326633
+39396335613362363230333863396535343464346437366632316336626539623865313239353539
+30643834633130333564666162623365323439396630333136616137633532363530623234376332
+66353539306637633432353231326666643261386466633533313063353061643761313132623035
+62653263636237666432336662633136653930323532623137386261333862623337326431336365
+36663364386364346631393031326434326334636166663739366435616166363130623463633733
+35383834326231363264623061303066326433613139333237656635643835393762313866356237
+62616435613863616161376666333966323030326531323261646436633233613635383438373834
+31343133326231636661353466396566656365396466343430613262316537623631376433633630
+62336664346363393363306163333662323338343139646238633830326535313034613739616138
+38313637333333383032316134316164363036396338306634633436633564306333336437393566
+61656337343030393936353364386461643766636564333864396130343762323630393839393463
+35343864393035333930313238663465663633633862623336663136626165666131383933626437
+31323936653737646231363036383764333335313762356465333635303334663734636531343331
+37386461643239363434373864373561353339343031346364383530663430393938333963333837
+63303966366364626665303530356433643264343861346238353937386338383034356633623231
+36663735386233396138306561326339626262326463336535646265666637383032396435333835
+31363266666230366438313432356637663632333530646263663563373137313262663937636532
+66633731333166386564386666363130633734643963653030386533393766623038383234646161
+36343135663231323030306430623535373534353835623339333738376362663930343436343637
+34383963306266623437323462356466336533643933653839366666393839626663353264326334
+32663461663561396631363533383334363361373764363132643435373537333839613066396463
+35386436326638353431363064626131306634363339653132396563356239653265303930333634
+32376332643863376237383966623233323864393338346537393865363661616338333631383532
+34373635316138663261633839333664353432666234306463306338653634633038373266646462
+32336534356537306366656236356663616336333031306431653239343132336234626165333032
+38303137666131363462363263333832356333616130346337663837376365346166306261373036
+63383236323738303562623631633064363564663861336162356262373861383965623935343931
+65663934623431363164356331353135633837616130363464353661663438323132363165343766
+31393633306261303762613537343034316535373731363365666530623361623630633137326466
+32326533313362333863383561343230626466303831623033613065363136396362373333306333
+32336464356364663564626234653832323265313364343631646633396362373438666165353962
+38396330333161356365626562383531323664636235643666613631636636323638376638396531
+38646531666164653161353932643662363261323564373537343731666232666532633063353431
+61386163363562313330393037656139303365396438313935306333656264373531373037303939
+63373962356233346164383163323532373163376364623766323933623063653939346537306338
+65353266656532636633326137356430666432333465626437633733356435363163626430303964
+39343935623937616130326637323061373538616633393465653266656666376661393635333662
+30363364653130356137393463613038663762396336306234363461396133306562323838336330
+63303735646132353766313137303162366164613530303966383636393934393035306264626465
+36613233376234633932663963623432663032656236323963353036356437383066373532323865
+36643431373966613533646164303564653336396535343366303339303134613936656137653939
+31333062623734613538333666636561386338306235633165386262383261333264623638383366
+34313266333636376337393736343062363539366235393136663561303663386438333834613539
+38623632656161653766363166653661336136653833336663616261663831656133666232633362
+31373166306134653162313134333432323134623336666632613766386662653831643732326330
+63643737333638626162646136373466613536653831663835616432343537323864343166316461
+34393732353930343430356231626636373763636561343430616533663861346566326262313232
+39623936366633363136353632346134643563383833376134363833336137613337326435613764
+37653232613632333334316162383261383836613936376230393633343336346633386539356232
+30316232373738363038356665366663623536626539376364303038643061386363636337386663
+61383634336530666163346239343838326138373932383339396265653764313039653138643938
+31613163653632656238376533363739346539623863623332653936643731623565613234663430
+39363935306330386634363634363233376234613837353765353732646638663830323335616234
+34366334636436633734333830306136333563666337623035653239313361626438316535313434
+37343930643832383136343737313365316238373638323130653766646637343464653134616137
+38313034383833626433326237633863313364353662326233636333333932633039396565356133
+64376166383064343239633364363861616136643061646636323437376162313438396230393331
+32633662323031666238643934646665303666383834336432363430363166356632353033336333
+64383861663563653531643832656238643066323564656134633639666234363363363132623836
+61386431643130333761376161646262346562363532353632633332343666393562313465303337
+31333732626164363464323531323239333963303333626466623966346361383832353765346565
+37303765363834376237636632386663373061346534643132636333623137366662646538306231
+33353538623231636166653838333264396463616437396264353537633661313932353133316438
+61323439363635383035316335363132383366613733383363306366356466333364633537393033
+66636434623962633063306236303831633637656430376533353436613934636466363461333562
+34613339373732343632343435333331353935303735633732656663643938663439656233613163
+65356232633865656439643430636332386663333761376638323630373930663837653638363963
+63656437323138633664613166353537306466666261353532326363346332343363343035386435
+33326238333730303539363265383761663862313961383030326263353034303866626661623334
+61623365373332366333376630626539343835663466666534636561643736646537646431386631
+36366132663830336234613065626262336564316339383038333330323237363665373935326438
+38646335346239316432636138633365373062663564326465643032633438306230363434323262
+34313932653361346261623030623739313665356464373666346361663430336362383063666134
+38323539653437623030333437373231646634333563306165393231653465313731633536323362
+65613262633563653031306139383436663834616339316164393365336437653730393331636464
+32313537313164386164313832396566353137376239303663656130383336336634313235376363
+63326530333339356432343938306465623636336161363133613864336339393635306234656263
+34343437336461303831393562653934633439336562663366643066393439396531653663386531
+65623061643064396534353364663633653331653535306133386466356236623239646432373066
+61313261366466663866613162323939646534653561356335393237376138633930663364636236
+36613834303338646530663565303438363831663865323531386635303239646464343936303832
+31323531363263333830623838666437636262306164386236643032356165323037656630383739
+65666333656639333263346465666463616534353835656337353464336134303732323037393538
+37366263656133643039373438636537343636663065646534616339303833666532396633616565
+38353139323739656564623065613364346164633863343738633163383031663531663365616534
+31663835323435643463666264623932396133336531626331303862356261306238326333366164
+66306262386137363432376530366432356432653333393833376532623333373337393830316263
+30326531613662313430663130613734663937613663353936346134356537393761373238393433
+37356136393731626561303430626339386531386333386536656465646232633934393630613339
+61333163613862346564316336353766346461626639303661353464633835626663313462613666
+33343561613662303036643937656431393432333831383461323631393262346464393539353537
+33633364383261663535323136393138333739356439663731636136393530323864333566323361
+62643961323264336662316661303630636430323838633535343036303437393439656637326566
+34363832366434316639393939313965633037653931323462363465643262653539623063326432
+36616434366432303235663062663138623336336165373734353838333662363239333762323932
+65393765326232373230666437656433373930643638386131363339343630636634636434326464
+39366339326263666239646237326534383665376536313536303263373265306537316161663262
+31346635346436313261626366333738333966643333313230623133313434373530366462653435
+33353434643635383833643736653461373765326537313430353164306566323733653237343632
+66346133656333303538306133313563393363313230323664303836323861346466343230343264
+36613934643662626365653036636136623630333638373565316437646232316263663433313762
+39353234333131623731643662303130626465386338353833393533646564646565623736343039
+38356635393461353166653565336535626366396532633961393334343234353764303431303663
+61666533633731663666346132383037646433336463643062396465383034346631346165323939
+33313937343338383737373164363930336236326432346465646166363430653932333932343236
+38336235613034386533613665393666633635383164646538373035623862343737353463623730
+33396233353331633463373538326365636231323535633737303562613262613730636237336632
+38626230313637336436623661666438666538333838356632653034303864313232623337306333
+66363464643061363337393732323065306335656531376337323438313733616539613538333837
+34363033666366613933343563303537613564356462313931353533323938656362393536386334
+38336237616335346334613534323130613861663239356363366564623933303737306138613535
+63643639323135663232336131643331343063363234336230653536623765323562393161663266
+32663839613564613636343166396463366665666333306239386338616366363236393931313439
+30386238316261323630633464386265353464333735336435646663656638316130333762666531
+38626463316165373434613436343335303633643965633230326534323761616365376630363039
+30336661313737383535343934366466353231396430353030653762383934666235646161653832
+31613565643031353535353234386665373636356362653337366563316630343838626231646462
+34623262343761373831303861313661666435373565386465336166306631376666643631303863
+37633934326262623737373266326631663932373863346466613133303961386466366336643235
+39303933333236626637663636633739343761393432616232643238663738313636346137316430
+34623238326430616134396166306339626261643032613661343763366138653830376463306461
+62366564393364306139633837646264633130383064383730393862633561303538363232663366
+30343633666632303530356637646337623339303236376164633962383839386265336666396436
+38616238656336343066333063393833623862646237323238393465633662393362353161313963
+63663539383630366536313933643565346162646363353035386666396363633635386564346666
+64336362633033346461353133396363646237613433306366333064626563656637383863323361
+31386262346631343565653836333764636366313330633462303533616531316537353538313031
+64366263666138356339373864383866303632366162633738383437323564313732373738373038
+39643862336136663165343736613730306339643237313361333438613438323439373966396138
+62323661383336396636

roles/caddy/defaults/main.yml

@@ -2,7 +2,7 @@
 # file: roles/caddy/defaults/main.yml
 
 # parent directory of vhost document roots
-caddy_root_prefix: /var/www
+caddy_root_prefix: "{{ web_root_prefix }}"
 
 # Email address to use for the ACME account managing the site's certificates.
 # Not sure what Caddy does if this doesn't exist.

roles/caddy/handlers/main.yml

@@ -3,7 +3,7 @@
 
 # I'm currently not sure when we need to restart versus reload
 - name: reload caddy
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: caddy
     state: reloaded
 

roles/caddy/tasks/main.yml

@@ -71,6 +71,7 @@
     mode: "0755"
     owner: root
     group: root
+  tags: caddy
 
 # TODO: the variable is still named nginx_vhosts
 - name: Configure Caddy virtual hosts

roles/caddy/templates/etc/caddy/conf.d/vhost.j2

@@ -8,6 +8,12 @@
 {% set needs_php      = item.needs_php | default(false) %}
 {% set has_gitea      = item.has_gitea | default(false) %}
 {% set static_site    = item.static_site | default(false) %}
+{# Allow sites to override the document root #}
+{% if item.document_root is defined %}
+{%   set document_root = item.document_root %}
+{% else %}
+{%   set document_root = (caddy_root_prefix, domain_name) | ansible.builtin.path_join %}
+{% endif %}
 
 {% if domain_aliases %}
 {#   domain_aliases is a string, so we split on space #}
@@ -21,15 +27,20 @@
 {{ domain_name }} {
     {% if has_gitea %}
     reverse_proxy :3000
-    {% endif %}
+    {% elif static_site -%}
+    root * {{ document_root }}
 
-    {% if static_site -%}
-    root * {{ item.document_root }}
-
-    encode zstd gzip
+    encode
 
     file_server
-    {% endif %}
+    {% elif has_wordpress -%}
+    root * {{ document_root }}
+    encode
+    {%   if ansible_facts["distribution_major_version"] is version('12', '==') -%}
+    php_fastcgi unix//run/php/php8.2-fpm-{{ domain_name }}.sock
+    {%   endif -%}
+    file_server
+    {% endif -%}
 
     import security-headers
 }

roles/common/defaults/main.yml

@@ -8,7 +8,7 @@ fail2ban_maxretry: 6
 fail2ban_findtime: 3600
 # 2 weeks in seconds
 fail2ban_bantime: 1209600
-fail2ban_ignoreip: 127.0.0.1/8 172.26.0.0/16 192.168.5.0/24
+fail2ban_ignoreip: 127.0.0.0/8
 
 # Disable SSH passwords. Must use SSH keys. This is OK because we add the keys
 # before re-configuring the SSH daemon to disable passwords.

roles/common/files/abuseipdb-ipv6.nft

@@ -1,5 +0,0 @@
-#!/usr/sbin/nft -f
-
-define ABUSEIPDB_IPV6 = {
-fd21:3523:74e0:7301::
-}

roles/common/files/aggregate-cidr-addresses.pl

@@ -1,89 +0,0 @@
-#!/usr/bin/perl
-#
-# aggregate-cidr-addresses - combine a list of CIDR address blocks
-# Copyright (C) 2001,2007 Mark Suter <suter@zwitterion.org>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see L<http://www.gnu.org/licenses/>.
-#
-# [MJS 22 Oct 2001] Aggregate CIDR addresses
-# [MJS  9 Oct 2007] Overlap idea from Anthony Ledesma at theplanet dot com.
-# [MJS 16 Feb 2012] Prompted to clarify license by Alexander Talos-Zens - at at univie dot ac dot at
-# [MJS 21 Feb 2012] IPv6 fixes by Alexander Talos-Zens
-# [MJS 21 Feb 2012] Split ranges into prefixes (fixes a 10+ year old bug)
-
-use strict;
-use warnings;
-use English qw( -no_match_vars );
-use Net::IP;
-
-## Read in all the IP addresses
-my @addrs = map { Net::IP->new($_) or die "$PROGRAM_NAME: Not an IP: \"$_\"."; }
-    map { / \A \s* (.+?) \s* \Z /msix and $1; } <>;
-
-## Split any ranges into prefixes
-@addrs = map {
-    defined $_->prefixlen ? $_ : map { Net::IP->new($_) }
-        $_->find_prefixes
-} @addrs;
-
-## Sort the IP addresses
-@addrs = sort { $a->version <=> $b->version or $a->bincomp( 'lt', $b ) ? -1 : $a->bincomp( 'gt', $b ) ? 1 : 0 } @addrs;
-
-## Handle overlaps
-my $count   = 0;
-my $current = $addrs[0];
-foreach my $next ( @addrs[ 1 .. $#addrs ] ) {
-    my $r = $current->overlaps($next);
-    if ( $current->version != $next->version or $r == $IP_NO_OVERLAP ) {
-        $current = $next;
-        $count++;
-    }
-    elsif ( $r == $IP_A_IN_B_OVERLAP ) {
-        $current = $next;
-        splice @addrs, $count, 1;
-    }
-    elsif ( $r == $IP_B_IN_A_OVERLAP or $r == $IP_IDENTICAL ) {
-        splice @addrs, $count + 1, 1;
-    }
-    else {
-        die "$PROGRAM_NAME: internal error - overlaps() returned an unexpected value!\n";
-    }
-}
-
-## Keep aggregating until we don't change anything
-my $change = 1;
-while ($change) {
-    $change = 0;
-    my @new_addrs = ();
-    $current = $addrs[0];
-    foreach my $next ( @addrs[ 1 .. $#addrs ] ) {
-        if ( my $total = $current->aggregate($next) ) {
-            $current = $total;
-            $change  = 1;
-        }
-        else {
-            push @new_addrs, $current;
-            $current = $next;
-        }
-    }
-    push @new_addrs, $current;
-    @addrs = @new_addrs;
-}
-
-## Print out the IP addresses
-foreach (@addrs) {
-    print $_->prefix(), "\n";
-}
-
-# $Id: aggregate-cidr-addresses,v 1.9 2012/02/21 10:14:22 suter Exp suter $

roles/common/files/etc/cron-apt/3-download

@@ -1,2 +0,0 @@
-autoclean -y
-upgrade -y -o APT::Get::Show-Upgraded=true

roles/common/files/etc/cron-apt/config

@@ -1,5 +0,0 @@
-# Configuration for cron-apt. For further information about the possible
-# configuration settings see the README file.
-
-MAILON="never"
-OPTIONS="-o quiet=1 -o Dir::Etc::SourceList=/etc/apt/security.sources.list -o Dir::Etc::SourceParts=\"/dev/null\""

roles/common/files/etc/sudoers.d/provisioning

@@ -1 +0,0 @@
-provisioning   ALL=(ALL)  ALL

roles/common/files/firehol_level1-ipv4.nft

@@ -1,5 +1,5 @@
 #!/usr/sbin/nft -f
 
-define SPAMHAUS_IPV4 = {
+define FIREHOL_LEVEL1_IPV4 = {
 192.168.254.254/32
 }

roles/common/files/spamhaus-ipv6.nft

@@ -1,5 +0,0 @@
-#!/usr/sbin/nft -f
-
-define SPAMHAUS_IPV6 = {
-fd21:3523:74e0:7301::/64
-}

roles/common/files/update-abusech-nftables.service

@@ -1,27 +0,0 @@
-[Unit]
-Description=Update Abuse.ch SSL Blacklist IPs
-# This service will fail if nftables is not running so we use Requires to make
-# sure that nftables is started.
-Requires=nftables.service
-# Make sure the network is up and nftables is started
-After=network-online.target nftables.service
-Wants=network-online.target update-abusech-nftables.timer
-
-[Service]
-# https://www.ctrl.blog/entry/systemd-service-hardening.html
-# Doesn't need access to /home or /root
-ProtectHome=true
-# Possibly only works on Ubuntu 18.04+
-ProtectKernelTunables=true
-ProtectSystem=full
-# Newer systemd can use ReadWritePaths to list files, but this works everywhere
-ReadWriteDirectories=/etc/nftables
-PrivateTmp=true
-WorkingDirectory=/var/tmp
-
-SyslogIdentifier=update-abusech-nftables
-ExecStart=/usr/bin/flock -x update-abusech-nftables.lck \
-          /usr/local/bin/update-abusech-nftables.sh
-
-[Install]
-WantedBy=multi-user.target

roles/common/files/update-abusech-nftables.sh

@@ -1,63 +0,0 @@
-#!/usr/bin/env bash
-#
-# update-abuseipdb-nftables.sh v0.0.1
-#
-# Download IP addresses seen using a blacklisted SSL certificate and load them
-# into nftables sets. As of 2021-07-28 these appear to only be IPv4.
-# 
-# See: https://sslbl.abuse.ch/blacklist
-#
-# Copyright (C) 2021 Alan Orth
-#
-# SPDX-License-Identifier: GPL-3.0-only
-
-# Exit on first error
-set -o errexit
-
-abusech_ipv4_set_path=/etc/nftables/abusech-ipv4.nft
-abusech_list_temp=$(mktemp)
-
-echo "Downloading Abuse.sh SSL Blacklist IPs"
-
-abusech_response=$(curl -s -G -w "%{http_code}\n" https://sslbl.abuse.ch/blacklist/sslipblacklist.txt --output "$abusech_list_temp")
-
-if [[ $abusech_response -ne 200 ]]; then
-	echo "Abuse.ch responded: HTTP $abusech_response"
-
-	exit 1
-fi
-
-if [[ -f "$abusech_list_temp" ]]; then
-    echo "Processing IPv4 list"
-
-    abusech_ipv4_list_temp=$(mktemp)
-    abusech_ipv4_set_temp=$(mktemp)
-
-    # Remove comments, DOS carriage returns, and IPv6 addresses (even though
-    # Abuse.ch seems to only have IPv4 addresses, let's not break our shit on
-    # that assumption some time down the line).
-    sed -e '/#/d' -e 's/
-//' -e '/:/d' "$abusech_list_temp" > "$abusech_ipv4_list_temp"
-
-    echo "Building abusech-ipv4 set"
-    cat << NFT_HEAD > "$abusech_ipv4_set_temp"
-#!/usr/sbin/nft -f
-
-define ABUSECH_IPV4 = {
-NFT_HEAD
-
-    while read -r network; do
-        # nftables doesn't mind if the last element in the set has a trailing
-        # comma so we don't need to do anything special here.
-        echo "$network," >> "$abusech_ipv4_set_temp"
-    done < $abusech_ipv4_list_temp
-
-    echo "}" >> "$abusech_ipv4_set_temp"
-
-    install -m 0600 "$abusech_ipv4_set_temp" "$abusech_ipv4_set_path"
-
-    rm -f "$abusech_list_temp" "$abusech_ipv4_list_temp" "$abusech_ipv4_set_temp"
-fi
-
-echo "Reloading nftables"
-# The abusech nftables sets are included by nftables.conf

roles/common/files/update-abusech-nftables.timer

@@ -1,12 +0,0 @@
-[Unit]
-Description=Update Abuse.ch SSL Blacklist IPs
-
-[Timer]
-# Once a day at midnight
-OnCalendar=*-*-* 00:00:00
-# Add a random delay of 0–3600 seconds
-RandomizedDelaySec=3600
-Persistent=true
-
-[Install]
-WantedBy=timers.target

roles/common/files/update-firehol-nftables.service

@@ -0,0 +1,24 @@
+[Unit]
+Description=Update FireHOL lists
+# Make sure the network is up
+After=network-online.target
+Wants=network-online.target update-firehol-nftables.timer
+
+[Service]
+# https://www.ctrl.blog/entry/systemd-service-hardening.html
+# Doesn't need access to /home or /root
+ProtectHome=true
+# Possibly only works on Ubuntu 18.04+
+ProtectKernelTunables=true
+ProtectSystem=full
+# Newer systemd can use ReadWritePaths to list files, but this works everywhere
+ReadWriteDirectories=/etc/nftables
+PrivateTmp=true
+WorkingDirectory=/var/tmp
+
+SyslogIdentifier=update-firehol-nftables
+ExecStart=/usr/bin/flock -x update-firehol-nftables.lck \
+          /usr/local/bin/update-firehol-nftables.sh
+
+[Install]
+WantedBy=multi-user.target

roles/common/files/update-firehol-nftables.timer

@@ -1,5 +1,5 @@
 [Unit]
-Description=Update Spamhaus lists
+Description=Update FireHOL lists
 
 [Timer]
 # Once a day at midnight

roles/common/files/update-spamhaus-nftables.service

@@ -1,27 +0,0 @@
-[Unit]
-Description=Update Spamhaus lists
-# This service will fail if nftables is not running so we use Requires to make
-# sure that nftables is started.
-Requires=nftables.service
-# Make sure the network is up and nftables is started
-After=network-online.target nftables.service
-Wants=network-online.target update-spamhaus-nftables.timer
-
-[Service]
-# https://www.ctrl.blog/entry/systemd-service-hardening.html
-# Doesn't need access to /home or /root
-ProtectHome=true
-# Possibly only works on Ubuntu 18.04+
-ProtectKernelTunables=true
-ProtectSystem=full
-# Newer systemd can use ReadWritePaths to list files, but this works everywhere
-ReadWriteDirectories=/etc/nftables
-PrivateTmp=true
-WorkingDirectory=/var/tmp
-
-SyslogIdentifier=update-spamhaus-nftables
-ExecStart=/usr/bin/flock -x update-spamhaus-nftables.lck \
-          /usr/local/bin/update-spamhaus-nftables.sh
-
-[Install]
-WantedBy=multi-user.target

roles/common/files/update-spamhaus-nftables.sh

@@ -1,91 +0,0 @@
-#!/usr/bin/env bash
-#
-# update-spamhaus-nftables.sh v0.0.1
-#
-# Download Spamhaus DROP lists and load them into nftables sets.
-# 
-# See: https://www.spamhaus.org/drop/
-#
-# Copyright (C) 2021 Alan Orth
-#
-# SPDX-License-Identifier: GPL-3.0-only
-
-# Exit on first error
-set -o errexit
-
-spamhaus_ipv4_set_path=/etc/nftables/spamhaus-ipv4.nft
-spamhaus_ipv6_set_path=/etc/nftables/spamhaus-ipv6.nft
-
-function download() {
-    echo "Downloading $1"
-    wget -q -O - "https://www.spamhaus.org/drop/$1" > "$1"
-}
-
-download drop.txt
-download edrop.txt
-download dropv6.txt
-
-if [[ -f "drop.txt" && -f "edrop.txt" ]]; then
-    echo "Processing IPv4 DROP lists"
-
-    spamhaus_ipv4_list_temp=$(mktemp)
-    spamhaus_ipv4_set_temp=$(mktemp)
-
-    # Extract all networks from drop.txt and edrop.txt, skipping blank lines and
-    # comments. Use aggregate-cidr-addresses.pl to merge overlapping IPv4 CIDR
-    # ranges to work around a firewalld bug.
-    #
-    # See: https://bugzilla.redhat.com/show_bug.cgi?id=1836571
-    cat drop.txt edrop.txt | sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' | aggregate-cidr-addresses.pl > "$spamhaus_ipv4_list_temp"
-
-    echo "Building spamhaus-ipv4 set"
-    cat << NFT_HEAD > "$spamhaus_ipv4_set_temp"
-#!/usr/sbin/nft -f
-
-define SPAMHAUS_IPV4 = {
-NFT_HEAD
-
-    while read -r network; do
-        # nftables doesn't mind if the last element in the set has a trailing
-        # comma so we don't need to do anything special here.
-        echo "$network," >> "$spamhaus_ipv4_set_temp"
-    done < $spamhaus_ipv4_list_temp
-
-    echo "}" >> "$spamhaus_ipv4_set_temp"
-
-    install -m 0600 "$spamhaus_ipv4_set_temp" "$spamhaus_ipv4_set_path"
-
-    rm -f "$spamhaus_ipv4_list_temp" "$spamhaus_ipv4_set_temp"
-fi
-
-if [[ -f "dropv6.txt" ]]; then
-    echo "Processing IPv6 DROP lists"
-
-    spamhaus_ipv6_list_temp=$(mktemp)
-    spamhaus_ipv6_set_temp=$(mktemp)
-
-    sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' dropv6.txt > "$spamhaus_ipv6_list_temp"
-
-    echo "Building spamhaus-ipv6 set"
-    cat << NFT_HEAD > "$spamhaus_ipv6_set_temp"
-#!/usr/sbin/nft -f
-
-define SPAMHAUS_IPV6 = {
-NFT_HEAD
-
-    while read -r network; do
-        echo "$network," >> "$spamhaus_ipv6_set_temp"
-    done < $spamhaus_ipv6_list_temp
-
-    echo "}" >> "$spamhaus_ipv6_set_temp"
-
-    install -m 0600 "$spamhaus_ipv6_set_temp" "$spamhaus_ipv6_set_path"
-
-    rm -f "$spamhaus_ipv6_list_temp" "$spamhaus_ipv6_set_temp"
-fi
-
-echo "Reloading nftables"
-# The spamhaus nftables sets are included by nftables.conf
-/usr/sbin/nft -f /etc/nftables.conf
-
-rm -v drop.txt edrop.txt dropv6.txt

roles/common/handlers/main.yml

@@ -1,27 +1,27 @@
 ---
 # ansible.builtin.file: roles/common/handlers/main.yml
 
-- name: reload sshd
-  ansible.builtin.systemd:
+- name: Reload sshd
+  ansible.builtin.systemd_service:
     name: "{{ sshd_service_name }}"
     state: reloaded
 
-- name: reload sysctl
-  command: sysctl -p /etc/sysctl.conf
+- name: Reload sysctl
+  ansible.builtin.command: sysctl -p /etc/sysctl.conf
 
-- name: reload systemd
-  ansible.builtin.systemd:
+- name: Reload systemd
+  ansible.builtin.systemd_service:
     daemon_reload: true
 
-- name: restart nftables
-  ansible.builtin.systemd:
+- name: Restart nftables
+  ansible.builtin.systemd_service:
     name: nftables
     state: restarted
 
 # 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed
 # in the order they are defined, not in the order they are listed in the task's
 # notify statement and we must restart fail2ban after updating the firewall.
-- name: restart fail2ban
-  ansible.builtin.systemd:
+- name: Restart fail2ban
+  ansible.builtin.systemd_service:
     name: fail2ban
     state: restarted

roles/common/tasks/cron-apt.yml

@@ -1,11 +1,17 @@
 ---
-- name: Configure cron-apt (config)
-  ansible.builtin.copy: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode }} owner={{ item.owner }} group={{ item.group }}
-  loop:
-    - { src: etc/cron-apt/config, dest: /etc/cron-apt/config, mode: "0644", owner: root, group: root }
-    - { src: etc/cron-apt/3-download, dest: /etc/cron-apt/action.d/3-download, mode: "0644", owner: root, group: root }
+- name: Remove cron-apt
+  ansible.builtin.apt:
+    name: cron-apt
+    state: absent
+    cache_valid_time: 3600
 
-- name: Configure cron-apt (security)
-  ansible.builtin.template: src=security.sources.list.j2 dest=/etc/apt/security.sources.list mode=0644 owner=root group=root
+- name: Remove cron-apt configs
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - /etc/cron-apt/config
+    - /etc/cron-apt/action.d/3-download
+    - /etc/apt/security.sources.list
 
 # vim: set ts=2 sw=2:

roles/common/tasks/fail2ban.yml

@@ -1,8 +1,7 @@
 ---
 - name: Install fail2ban
-  when:
-    - ansible_distribution_major_version is version('11', '>=')
-  ansible.builtin.package:
+  when: ansible_facts["distribution_version"] is version('11', '>=')
+  ansible.builtin.apt:
     name:
       - fail2ban
       - python3-systemd
@@ -15,7 +14,7 @@
     dest: /etc/fail2ban/jail.d/sshd.local
     owner: root
     mode: "0644"
-  notify: restart fail2ban
+  notify: Restart fail2ban
 
 - name: Configure fail2ban nginx filter
   when:
@@ -27,7 +26,7 @@
     dest: /etc/fail2ban/jail.d/nginx.local
     owner: root
     mode: "0644"
-  notify: restart fail2ban
+  notify: Restart fail2ban
 
 - name: Create fail2ban service override directory
   ansible.builtin.file:
@@ -44,11 +43,11 @@
     owner: root
     mode: "0644"
   notify:
-    - reload systemd
-    - restart fail2ban
+    - Reload systemd
+    - Restart fail2ban
 
 - name: Start and enable fail2ban service
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: fail2ban
     state: started
     enabled: true

roles/common/tasks/firewall.yml

@@ -0,0 +1,25 @@
+---
+# Debian 11+ will use nftables directly, with no firewalld.
+
+- name: Install Debian firewall packages
+  when: ansible_facts["distribution_version"] is version('11', '>=')
+  ansible.builtin.apt:
+    name: nftables
+    state: present
+    cache_valid_time: 3600
+
+- name: Remove iptables on newer Debian
+  when: ansible_facts["distribution_version"] is version('11', '>=')
+  ansible.builtin.apt:
+    pkg: iptables
+    state: absent
+
+- name: Configure nftables
+  when: ansible_facts["distribution_version"] is version('11', '>=')
+  ansible.builtin.include_tasks: nftables.yml
+
+- name: Configure fail2ban
+  when: ansible_facts["distribution_version"] is version('9', '>=')
+  ansible.builtin.include_tasks: fail2ban.yml
+
+# vim: set sw=2 ts=2:

roles/common/tasks/firewall_Debian.yml

@@ -1,115 +0,0 @@
----
-# Debian 11+ will use nftables directly, with no firewalld.
-
-- block:
-    - name: Install Debian firewall packages
-      when: ansible_distribution_major_version is version('11', '>=')
-      ansible.builtin.package:
-        name:
-          - libnet-ip-perl # for aggregate-cidr-addresses.pl
-          - nftables
-          - curl # for nftables update scripts
-        state: present
-        cache_valid_time: 3600
-
-    - name: Remove iptables on newer Debian
-      when: ansible_distribution_major_version is version('11', '>=')
-      ansible.builtin.apt:
-        pkg: iptables
-        state: absent
-
-    - name: Copy nftables.conf
-      when: ansible_distribution_major_version is version('11', '>=')
-      ansible.builtin.template:
-        src: nftables.conf.j2
-        dest: /etc/nftables.conf
-        owner: root
-        mode: "0644"
-      notify:
-        - restart nftables
-        - restart fail2ban
-
-    - name: Create /etc/nftables extra config directory
-      when: ansible_distribution_major_version is version('11', '>=')
-      ansible.builtin.file:
-        path: /etc/nftables
-        state: directory
-        owner: root
-        mode: "0755"
-
-    - name: Copy extra nftables configuration files
-      when: ansible_distribution_major_version is version('11', '>=')
-      ansible.builtin.copy:
-        src: "{{ item.src }}"
-        dest: /etc/nftables/{{ item.src }}
-        owner: root
-        group: root
-        mode: "0644"
-        force: "{{ item.force }}"
-      loop:
-        - { src: spamhaus-ipv4.nft, force: "no" }
-        - { src: spamhaus-ipv6.nft, force: "no" }
-        - { src: abusech-ipv4.nft, force: "no" }
-        - { src: abuseipdb-ipv4.nft, force: "yes" }
-        - { src: abuseipdb-ipv6.nft, force: "yes" }
-      notify:
-        - restart nftables
-        - restart fail2ban
-
-    - name: Copy nftables update scripts
-      when: ansible_distribution_version is version('11', '>=')
-      ansible.builtin.copy:
-        src: "{{ item }}"
-        dest: /usr/local/bin/{{ item }}
-        mode: "0755"
-        owner: root
-        group: root
-      loop:
-        - update-spamhaus-nftables.sh
-        - aggregate-cidr-addresses.pl
-        - update-abusech-nftables.sh
-
-    - name: Copy nftables systemd units
-      when: ansible_distribution_version is version('11', '>=')
-      ansible.builtin.copy:
-        src: "{{ item }}"
-        dest: /etc/systemd/system/{{ item }}
-        mode: "0644"
-        owner: root
-        group: root
-      loop:
-        - update-spamhaus-nftables.service
-        - update-spamhaus-nftables.timer
-        - update-abusech-nftables.service
-        - update-abusech-nftables.timer
-      register: nftables_systemd_units
-
-    # need to reload to pick up service/timer/environment changes
-    - name: Reload systemd daemon
-      ansible.builtin.systemd:
-        daemon_reload: true
-      when: nftables_systemd_units is changed
-
-    - name: Start and enable nftables update timers
-      when: ansible_distribution_version is version('11', '>=')
-      ansible.builtin.systemd:
-        name: "{{ item }}"
-        state: started
-        enabled: true
-      loop:
-        - update-spamhaus-nftables.timer
-        - update-abusech-nftables.timer
-
-    - name: Start and enable nftables
-      when: ansible_distribution_major_version is version('11', '>=')
-      ansible.builtin.systemd:
-        name: nftables
-        state: started
-        enabled: true
-
-    - ansible.builtin.include_tasks: fail2ban.yml
-      when:
-        - ansible_distribution_major_version is version('9', '>=')
-  tags: firewall
-
-# vim: set sw=2 ts=2:

roles/common/tasks/firewall_Ubuntu.yml

@@ -1,114 +0,0 @@
----
-# Ubuntu 20.04 will use nftables directly, with no firewalld.
-
-- block:
-    - name: Install Ubuntu firewall packages
-      when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.package:
-        name:
-          - libnet-ip-perl # for aggregate-cidr-addresses.pl
-          - nftables
-          - curl # for nftables update scripts
-        state: present
-        cache_valid_time: 3600
-
-    - name: Remove ufw
-      ansible.builtin.package:
-        name: ufw
-        state: absent
-
-    - name: Copy nftables.conf
-      when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.template:
-        src: nftables.conf.j2
-        dest: /etc/nftables.conf
-        owner: root
-        mode: "0644"
-      notify:
-        - restart nftables
-        - restart fail2ban
-
-    - name: Create /etc/nftables extra config directory
-      when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.file:
-        path: /etc/nftables
-        state: directory
-        owner: root
-        mode: "0755"
-
-    - name: Copy extra nftables configuration files
-      when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.copy:
-        src: "{{ item.src }}"
-        dest: /etc/nftables/{{ item.src }}
-        owner: root
-        group: root
-        mode: "0644"
-        force: "{{ item.force }}"
-      loop:
-        - { src: spamhaus-ipv4.nft, force: "no" }
-        - { src: spamhaus-ipv6.nft, force: "no" }
-        - { src: abusech-ipv4.nft, force: "no" }
-        - { src: abuseipdb-ipv4.nft, force: "yes" }
-        - { src: abuseipdb-ipv6.nft, force: "yes" }
-      notify:
-        - restart nftables
-        - restart fail2ban
-
-    - name: Copy nftables update scripts
-      when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.copy:
-        src: "{{ item }}"
-        dest: /usr/local/bin/{{ item }}
-        mode: "0755"
-        owner: root
-        group: root
-      loop:
-        - update-spamhaus-nftables.sh
-        - aggregate-cidr-addresses.pl
-        - update-abusech-nftables.sh
-
-    - name: Copy nftables systemd units
-      when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.copy:
-        src: "{{ item }}"
-        dest: /etc/systemd/system/{{ item }}
-        mode: "0644"
-        owner: root
-        group: root
-      loop:
-        - update-spamhaus-nftables.service
-        - update-spamhaus-nftables.timer
-        - update-abusech-nftables.service
-        - update-abusech-nftables.timer
-      register: nftables_systemd_units
-
-    # need to reload to pick up service/timer/environment changes
-    - name: Reload systemd daemon
-      ansible.builtin.systemd:
-        daemon_reload: true
-      when: nftables_systemd_units is changed
-
-    - name: Start and enable nftables update timers
-      when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.systemd:
-        name: "{{ item }}"
-        state: started
-        enabled: true
-      loop:
-        - update-spamhaus-nftables.timer
-        - update-abusech-nftables.timer
-
-    - name: Start and enable nftables
-      when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.systemd:
-        name: nftables
-        state: started
-        enabled: true
-
-    - ansible.builtin.include_tasks: fail2ban.yml
-      when:
-        - ansible_distribution_version is version('16.04', '>=')
-  tags: firewall
-
-# vim: set sw=2 ts=2:

roles/common/tasks/main.yml

@@ -1,6 +1,6 @@
 ---
 - name: Import OS-specific variables
-  ansible.builtin.include_vars: vars/{{ ansible_distribution }}.yml
+  ansible.builtin.include_vars: vars/{{ ansible_facts["distribution"] }}.yml
   tags: always
 
 - name: Configure network time
@@ -8,23 +8,11 @@
   tags: ntp
 
 - name: Install common packages
-  ansible.builtin.include_tasks: packages_Debian.yml
-  when: ansible_distribution == 'Debian'
-  tags: packages
-
-- name: Install common packages
-  ansible.builtin.include_tasks: packages_Ubuntu.yml
-  when: ansible_distribution == 'Ubuntu'
+  ansible.builtin.include_tasks: packages.yml
   tags: packages
 
 - name: Configure firewall
-  ansible.builtin.include_tasks: firewall_Debian.yml
-  when: ansible_distribution == 'Debian'
-  tags: firewall
-
-- name: Configure firewall
-  ansible.builtin.include_tasks: firewall_Ubuntu.yml
-  when: ansible_distribution == 'Ubuntu'
+  ansible.builtin.import_tasks: firewall.yml
   tags: firewall
 
 - name: Configure secure shell daemon
@@ -33,14 +21,24 @@
 
 # containers identify as virtualization hosts, which makes this tricky, because we have actual Debian VM hosts!
 - name: Reconfigure /etc/sysctl.conf
-  when: ansible_virtualization_role != 'host'
-  ansible.builtin.template: src=sysctl_{{ ansible_distribution }}.j2 dest=/etc/sysctl.conf owner=root group=root mode=0644
+  when: ansible_facts["virtualization_role"] != 'host'
+  ansible.builtin.template:
+    src: "sysctl_{{ ansible_facts['distribution'] }}.j2"
+    dest: /etc/sysctl.conf
+    owner: root
+    group: root
+    mode: "0644"
   notify:
-    - reload sysctl
+    - Reload sysctl
   tags: sysctl
 
 - name: Set I/O scheduler
-  ansible.builtin.template: src=etc/udev/rules.d/60-scheduler.rules.j2 dest=/etc/udev/rules.d/60-scheduler.rules owner=root group=root mode=0644
+  ansible.builtin.template:
+    src: etc/udev/rules.d/60-scheduler.rules.j2
+    dest: /etc/udev/rules.d/60-scheduler.rules
+    owner: root
+    group: root
+    mode: "0644"
   tags: udev
 
 - name: Copy admin SSH keys

roles/common/tasks/nftables.yml

@@ -0,0 +1,69 @@
+---
+# Common nftables tasks for Debian 11 and Debian 12.
+
+- name: Copy nftables.conf
+  ansible.builtin.template:
+    src: nftables.conf.j2
+    dest: /etc/nftables.conf
+    owner: root
+    mode: "0644"
+  notify:
+    - Restart nftables
+
+- name: Create /etc/nftables extra config directory
+  ansible.builtin.file:
+    path: /etc/nftables
+    state: directory
+    owner: root
+    mode: "0755"
+
+- name: Copy extra nftables configuration files
+  ansible.builtin.copy:
+    src: firehol_level1-ipv4.nft
+    dest: /etc/nftables/firehol_level1-ipv4.nft
+    owner: root
+    group: root
+    mode: "0644"
+    force: false
+  notify:
+    - Restart nftables
+
+- name: Copy nftables update scripts
+  ansible.builtin.template:
+    src: update-firehol-nftables.sh.j2
+    dest: /usr/local/bin/update-firehol-nftables.sh
+    mode: "0755"
+    owner: root
+    group: root
+
+- name: Copy nftables systemd units
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: /etc/systemd/system/{{ item }}
+    mode: "0644"
+    owner: root
+    group: root
+  loop:
+    - update-firehol-nftables.service
+    - update-firehol-nftables.timer
+  register: nftables_systemd_units
+
+# need to reload to pick up service/timer/environment changes
+- name: Reload systemd daemon
+  when: nftables_systemd_units is changed
+  ansible.builtin.systemd_service: # noqa no-handler
+    daemon_reload: true
+
+- name: Start and enable nftables update timers
+  ansible.builtin.systemd_service:
+    name: update-firehol-nftables.timer
+    state: started
+    enabled: true
+
+- name: Start and enable nftables
+  ansible.builtin.systemd_service:
+    name: nftables
+    state: started
+    enabled: true
+
+# vim: set sw=2 ts=2:

roles/common/tasks/ntp.yml

@@ -1,27 +1,40 @@
 ---
-# Hosts running Ubuntu 16.04+ and Debian 9+ use systemd init system and should
-# use systemd-timesyncd as a network time client instead of the standalone ntp
-# client.
+# Hosts running Debian 9+ use systemd init system and can use systemd-timesyncd
+# as a network time client instead of the standalone ntp client.
 
 - name: Set timezone
-  when: timezone is defined and ansible_service_mgr == 'systemd'
-  command: /usr/bin/timedatectl set-timezone {{ timezone }}
+  when:
+    - timezone is defined
+    - ansible_facts["service_mgr"] == 'systemd'
+  community.general.timezone:
+    name: "{{ timezone }}"
   tags: timezone
 
 # Apparently some cloud images don't have this installed by default. From what
 # I can see on existing servers, systemd-timesyncd is a standalone package on
-# Ubuntu 20.04 and Debian 11.
+# Debian 11 and Debian 12.
 - name: Install systemd-timesyncd
-  when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version
-    is version('11', '>='))
-  ansible.builtin.apt: name=systemd-timesyncd state=present cache_valid_time=3600
+  when: ansible_facts["distribution_version"] is version('11', '>=')
+  ansible.builtin.apt:
+    name: systemd-timesyncd
+    state: present
+    cache_valid_time: 3600
 
 - name: Start and enable systemd's NTP client
-  when: ansible_service_mgr == 'systemd'
-  ansible.builtin.systemd: name=systemd-timesyncd state=started enabled=true
+  when: ansible_facts["service_mgr"] == 'systemd'
+  ansible.builtin.systemd_service:
+    name: systemd-timesyncd
+    state: started
+    enabled: true
 
-- name: Uninstall ntp on modern Ubuntu/Debian
-  ansible.builtin.apt: name=ntp state=absent
-  when: ansible_service_mgr == 'systemd'
+# On Debian 12 ntp doesn't conflict with systemd-timesyncd so we should try to
+# remove it to be sure.
+- name: Uninstall ntp on Debian 12
+  when:
+    - ansible_facts["service_mgr"] == 'systemd'
+    - ansible_facts["distribution_major_version"] is version('12', '==')
+  ansible.builtin.apt:
+    name: ntp
+    state: absent
 
 # vim: set ts=2 sw=2:

roles/common/tasks/packages.yml

@@ -1,19 +1,7 @@
 ---
 - name: Configure Debian packages
+  tags: packages
   block:
-    # Create directory for third-party package signing keys. Required on distros
-    # older than Debian 12 / Ubuntu 22.04.
-    #
-    # See: https://wiki.debian.org/DebianRepository/UseThirdParty
-    - name: Create /etc/apt/keyrings
-      file:
-        path: /etc/apt/keyrings
-        mode: "0755"
-        owner: root
-        group: root
-        state: directory
-      when: ansible_distribution_major_version is version('12', '<')
-
     # Scaleway seems to use a weird sources.list format as of Debian 12?
     - name: Check for weird Debian sources
       ansible.builtin.stat:
@@ -21,10 +9,15 @@
       register: weird_debian_sources_stat
 
     - name: Configure apt mirror
-      ansible.builtin.template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
       when:
-        - ansible_architecture != 'armv7l'
+        - ansible_facts["architecture"] != 'armv7l'
         - not weird_debian_sources_stat
+      ansible.builtin.template:
+        src: sources.list.j2
+        dest: /etc/apt/sources.list
+        owner: root
+        group: root
+        mode: "0644"
 
     - name: Set fact for base packages
       ansible.builtin.set_fact:
@@ -35,7 +28,6 @@
           - iotop
           - htop
           - strace
-          - cron-apt
           - safe-rm
           - debian-goodies
           - mosh
@@ -47,16 +39,19 @@
           - zstd
           - rsync
           - lsof
+          - unattended-upgrades
 
     - name: Install base packages
-      ansible.builtin.apt: name={{ base_packages }} state=present cache_valid_time=3600
+      ansible.builtin.apt:
+        name: "{{ base_packages }}"
+        state: present
+        cache_valid_time: 3600
 
-    - name: Configure cron-apt
-      ansible.builtin.import_tasks: cron-apt.yml
+    - name: Remove cron-apt
       tags: cron-apt
+      ansible.builtin.import_tasks: cron-apt.yml
 
     - name: Install tarsnap
       ansible.builtin.import_tasks: tarsnap.yml
-  tags: packages
 
 # vim: set sw=2 ts=2:

roles/common/tasks/packages_Ubuntu.yml

@@ -1,105 +0,0 @@
----
-- name: Configure Ubuntu packages
-  block:
-    # Create directory for third-party package signing keys. Required on distros
-    # older than Debian 12 / Ubuntu 22.04.
-    #
-    # See: https://wiki.debian.org/DebianRepository/UseThirdParty
-    - name: Create /etc/apt/keyrings
-      file:
-        path: /etc/apt/keyrings
-        mode: "0755"
-        owner: root
-        group: root
-        state: directory
-      when: ansible_distribution_major_version is version('22.04', '<')
-
-    - name: Configure apt mirror
-      ansible.builtin.template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
-      when: ansible_architecture != 'armv7l'
-
-    - name: Upgrade base OS
-      ansible.builtin.apt: upgrade=dist cache_valid_time=3600
-
-    - name: Set Ubuntu base packages
-      ansible.builtin.set_fact:
-        ubuntu_base_packages:
-          - git
-          - git-lfs
-          - tmux
-          - iotop
-          - htop
-          - strace
-          - cron-apt
-          - safe-rm
-          - debian-goodies
-          - mosh
-          - python-pycurl # for ansible's apt_repository
-          - vim
-          - unzip
-          - apt-transport-https # for https support in apt
-          - zstd
-          - rsync
-          - lsof
-
-    - name: Install base packages
-      ansible.builtin.apt: pkg={{ ubuntu_base_packages }} state=present cache_valid_time=3600
-
-    # We have to remove snaps one by one in a specific order because some depend
-    # on others. Only after that can we remove the corresponding system packages.
-    - name: Remove lxd snap
-      community.general.snap: name=lxd state=absent
-      when: ansible_distribution_version is version('20.04', '==')
-      ignore_errors: true
-
-    - name: Remove core18 snap
-      community.general.snap: name=core18 state=absent
-      when: ansible_distribution_version is version('20.04', '==')
-      ignore_errors: true
-
-    - name: Remove snapd snap
-      community.general.snap: name=snapd state=absent
-      when: ansible_distribution_version is version('20.04', '==')
-      ignore_errors: true
-
-    - name: Set fact for packages to remove (Ubuntu 20.04)
-      ansible.builtin.set_fact:
-        ubuntu_annoying_packages:
-          - whoopsie # security (CIS 4.1)
-          - apport # security (CIS 4.1)
-          - command-not-found # annoying
-          - command-not-found-data # annoying
-          - python3-commandnotfound # annoying
-          - snapd # annoying (Ubuntu >= 16.04)
-          - lxd-agent-loader # annoying (Ubuntu 20.04)
-      when: ansible_distribution_version is version('20.04', '==')
-
-    - name: Remove packages
-      ansible.builtin.apt: name={{ ubuntu_annoying_packages }} state=absent purge=true
-
-    - name: Disable annoying Canonical spam in MOTD
-      ansible.builtin.file: path={{ item }} mode=0644 state=absent
-      loop:
-        - /etc/update-motd.d/99-esm # Ubuntu 14.04
-        - /etc/update-motd.d/10-help-text # Ubuntu 14.04+
-        - /etc/update-motd.d/50-motd-news # Ubuntu 18.04+
-        - /etc/update-motd.d/80-esm # Ubuntu 18.04+
-        - /etc/update-motd.d/80-livepatch # Ubuntu 18.04+
-      ignore_errors: true
-
-    - name: Disable annoying Canonical spam in MOTD
-      ansible.builtin.systemd: name={{ item }} state=stopped enabled=no
-      when: ansible_service_mgr == 'systemd'
-      loop:
-        - motd-news.service
-        - motd-news.timer
-
-    - name: Configure cron-apt
-      ansible.builtin.import_tasks: cron-apt.yml
-      tags: cron-apt
-
-    - name: Install tarsnap
-      ansible.builtin.import_tasks: tarsnap.yml
-  tags: packages
-
-# vim: set sw=2 ts=2:

roles/common/tasks/ssh-keys.yml

@@ -1,9 +1,11 @@
 ---
 - name: Zero .ssh/authorized_keys for provisioning user
-  ansible.builtin.file: dest={{ provisioning_user.home }}/.ssh/authorized_keys state=absent
+  ansible.builtin.file:
+    dest: "{{ provisioning_user.home }}/.ssh/authorized_keys"
+    state: absent
 
 - name: Add public keys to authorized_keys
-  ansible.posix.authorized_key: { user: "{{ provisioning_user.name }}", key: "{{ lookup('file',item) }}" }
+  ansible.posix.authorized_key: { user: "{{ provisioning_user.name }}", key: "{{ lookup('file', item) }}" }
   with_fileglob:
     # use descriptive names for keys, like: aorth-mzito-rsa.pub
     - ssh-pub-keys/*.pub

roles/common/tasks/sshd.yml

@@ -1,17 +1,26 @@
 ---
-# SSH configs don't change in Debian minor versions
+# Only override the system sshd configuration on older Debian.
 - name: Reconfigure /etc/ssh/sshd_config
-  ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root
-    mode=0600
-  when: ansible_distribution == 'Debian'
-  notify: reload sshd
+  when: ansible_facts["distribution_version"] is version('12', '<=')
+  ansible.builtin.template:
+    src: "sshd_config_{{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_major_version'] }}.j2"
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: "0600"
+  notify: Reload sshd
 
-# Ubuntu is the only distro we have where SSH version is very different from 14.04 -> 14.10,
-# ie with new ciphers supported etc.
-- name: Reconfigure /etc/ssh/sshd_config
-  ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
-  when: ansible_distribution == 'Ubuntu'
-  notify: reload sshd
+# Newer OpenSSH versions support including extra configuration. The includes
+# happen at the beginning of the file and the first value to be read is used.
+- name: Configure sshd_config.d overrides
+  when: ansible_facts["distribution_version"] is version('13', '>=')
+  ansible.builtin.template:
+    src: etc/ssh/sshd_config.d/01-{{ ansible_facts["distribution"] }}-{{ ansible_facts["distribution_major_version"] }}.conf.j2
+    dest: /etc/ssh/sshd_config.d/01-custom.conf
+    owner: root
+    group: root
+    mode: "0600"
+  notify: Reload sshd
 
 # See: WeakDH (2015): https://weakdh.org/sysadmin.html
 - name: Remove small Diffie-Hellman SSH moduli
@@ -24,28 +33,30 @@
       register: check_unsafe_moduli
 
     - name: Extract safe Diffie-Hellman SSH moduli
+      when: check_unsafe_moduli.stdout | length > 0
       ansible.builtin.shell:
         cmd: awk '$5 >= 3071' moduli > moduli.safe
         chdir: /etc/ssh
         creates: moduli.safe
-      when: check_unsafe_moduli.stdout | length > 0
       register: extract_safe_moduli
 
     - name: Replace unsafe Diffie-Hellman SSH moduli
+      when: extract_safe_moduli is changed
       ansible.builtin.command:
         cmd: mv moduli.safe moduli
         chdir: /etc/ssh
       register: replace_small_moduli
-      when: extract_safe_moduli is changed
-      notify: reload sshd
+      notify: Reload sshd
 
 - name: Remove DSA and ECDSA host keys
-  ansible.builtin.file: name=/etc/ssh/{{ item }} state=absent
+  ansible.builtin.file:
+    name: "/etc/ssh/{{ item }}"
+    state: absent
   loop:
     - ssh_host_dsa_key
     - ssh_host_dsa_key.pub
     - ssh_host_ecdsa_key
     - ssh_host_ecdsa_key.pub
-  notify: reload sshd
+  notify: Reload sshd
 
 # vim: set sw=2 ts=2:

roles/common/tasks/tarsnap.yml

@@ -5,6 +5,7 @@
   register: tarsnap_signing_key_stat
 
 - name: Download tarsnap apt signing key
+  when: not tarsnap_signing_key_stat.stat.exists
   ansible.builtin.get_url:
     url: https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc
     dest: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
@@ -12,9 +13,9 @@
     group: root
     mode: "0644"
   register: download_tarsnap_signing_key
-  when: not tarsnap_signing_key_stat.stat.exists
 
 - name: Add tarsnap.org repo
+  when: ansible_facts["architecture"] != 'armv7l'
   ansible.builtin.template:
     src: tarsnap_sources.list.j2
     dest: /etc/apt/sources.list.d/tarsnap.list
@@ -22,12 +23,11 @@
     group: root
     mode: "0644"
   register: add_tarsnap_apt_repository
-  when: ansible_architecture != 'armv7l'
 
 - name: Update apt cache
+  when: (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or add_tarsnap_apt_repository is changed
   ansible.builtin.apt: # noqa no-handler
     update_cache: true
-  when: (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or add_tarsnap_apt_repository is changed
 
 - name: Install tarsnap
   ansible.builtin.apt:

roles/common/templates/etc/ssh/sshd_config.d/01-Debian-13.conf.j2

@@ -0,0 +1,40 @@
+{{ ansible_managed | comment }}
+
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear
+# audit track of which key was using to log in.
+LogLevel VERBOSE
+
+MaxAuthTries 4
+
+AuthorizedKeysFile	.ssh/authorized_keys
+
+# To disable tunneled clear text passwords, change to no here!
+{% if ssh_password_authentication == 'disabled' %}
+PasswordAuthentication no
+{% else %}
+PasswordAuthentication yes
+{% endif %}
+
+X11Forwarding no
+
+# Based on the ssh-audit profile for Debian 13, but with but with all algos with
+# less than 256 bits removed, as NSA's Suite B removed them years ago and the
+# new (2018) CNSA suite is 256 bits and up.
+#
+# See: ssh-audit.py -P "Hardened Debian 13 (version 1)"
+# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com
+
+{% if ssh_allowed_users is defined and ssh_allowed_users %}
+AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
+{% endif %}
+
+PerSourcePenaltyExemptList {{ fail2ban_ignoreip | replace(" ", ",") }}
+
+# Mask to use for IPv4 and IPv6 respectively when applying network penalties.
+# The default is 32:128.
+PerSourceNetBlockSize 24:56

roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2

@@ -1,15 +1,19 @@
+[Unit]
+# If nftables is stopped or restarted, propagate to fail2ban as well
+PartOf=nftables.service
+
 [Service]
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectHome=read-only
-{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %}
+{% if ansible_facts["distribution_version"] is version('11','>=') %}
 ProtectSystem=strict
 {% else %}
 {# Older systemd versions don't have ProtectSystem=strict #}
 ProtectSystem=full
 {% endif %}
 NoNewPrivileges=yes
-{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %}
+{% if ansible_facts["distribution_version"] is version('11','>=') %}
 ReadWritePaths=-/var/run/fail2ban
 ReadWritePaths=-/var/lib/fail2ban
 ReadWritePaths=-/var/log/fail2ban.log

roles/common/templates/nftables.conf.j2

@@ -5,47 +5,18 @@
 
 flush ruleset
 
-# Lists updated daily by update-spamhaus-nftables.sh
-include "/etc/nftables/spamhaus-ipv4.nft"
-include "/etc/nftables/spamhaus-ipv6.nft"
-
-# Lists updated monthly (manually)
-include "/etc/nftables/abuseipdb-ipv4.nft"
-include "/etc/nftables/abuseipdb-ipv6.nft"
-
-# Lists updated daily by update-abusech-nftables.sh
-include "/etc/nftables/abusech-ipv4.nft"
+# List updated daily by update-firehol-nftables.sh
+include "/etc/nftables/firehol_level1-ipv4.nft"
 
 # Notes:
 #   - tables hold chains, chains hold rules
 #   - inet is for both ipv4 and ipv6
 table inet filter {
-    set spamhaus-ipv4 {
+    set firehol_level1-ipv4 {
         type ipv4_addr
         # if the set contains prefixes we need to use the interval flag
         flags interval
-        elements = $SPAMHAUS_IPV4
-    }
-
-    set spamhaus-ipv6 {
-        type ipv6_addr
-        flags interval
-        elements = $SPAMHAUS_IPV6
-    }
-
-    set abusech-ipv4 {
-        type ipv4_addr
-        elements = $ABUSECH_IPV4
-    }
-
-    set abuseipdb-ipv4 {
-        type ipv4_addr
-        elements = $ABUSEIPDB_IPV4
-    }
-
-    set abuseipdb-ipv6 {
-        type ipv6_addr
-        elements = $ABUSEIPDB_IPV6
+        elements = $FIREHOL_LEVEL1_IPV4
     }
 
     chain input {
@@ -55,13 +26,7 @@ table inet filter {
 
         ct state invalid counter drop comment "Early drop of invalid connections"
 
-        ip saddr @spamhaus-ipv4 counter drop comment "Early drop of incoming packets matching spamhaus-ipv4 list"
-        ip6 saddr @spamhaus-ipv6 counter drop comment "Early drop of incoming packets matching spamhaus-ipv6 list"
-
-        ip saddr @abusech-ipv4 counter drop comment "Early drop of packets matching abusech-ipv4 list"
-
-        ip saddr @abuseipdb-ipv4 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv4 list"
-        ip6 saddr @abuseipdb-ipv6 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv6 list"
+        ip saddr @firehol_level1-ipv4 counter drop comment "Early drop of incoming packets matching firehol_level1-ipv4 list"
 
         iifname lo accept comment "Allow from loopback"
 
@@ -105,12 +70,6 @@ table inet filter {
     chain output {
         type filter hook output priority 0;
 
-        ip daddr @spamhaus-ipv4 counter drop comment "Drop outgoing packets matching spamhaus-ipv4 list"
-        ip6 daddr @spamhaus-ipv6 counter drop comment "Drop outgoing packets matching spamhaus-ipv6 list"
-
-        ip daddr @abusech-ipv4 counter drop comment "Drop outgoing packets matching abusech-ipv4 list"
-
-        ip daddr @abuseipdb-ipv4 counter drop comment "Drop outgoing packets matching abuseipdb-ipv4 list"
-        ip6 daddr @abuseipdb-ipv6 counter drop comment "Drop outgoing packets matching abuseipdb-ipv6 list"
+        ip daddr @firehol_level1-ipv4 counter drop comment "Drop outgoing packets matching firehol_level1-ipv4 list"
     }
 }

roles/common/templates/security.sources.list.j2

@@ -1,5 +0,0 @@
-{% if ansible_distribution == 'Ubuntu' %}
-deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security main restricted universe multiverse
-{% elif ansible_distribution == 'Debian' %}
-deb http://security.debian.org/debian-security {{ ansible_distribution_release }}/updates main contrib non-free
-{% endif %}

roles/common/templates/sources.list.j2

@@ -1,16 +1,6 @@
-{% if ansible_distribution == 'Ubuntu' %}
-{% set apt_mirror    = apt_mirror | default("ubuntu.mirror.ac.ke") %}
-
-deb http://{{ apt_mirror }}/ubuntu/ {{ ansible_distribution_release }} main restricted universe multiverse
-deb http://{{ apt_mirror }}/ubuntu/ {{ ansible_distribution_release }}-updates main restricted universe multiverse
-deb http://security.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-security main restricted universe multiverse
-
-{% else %}
 {% set apt_mirror    = apt_mirror | default('deb.debian.org') %}
 deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }} main contrib non-free
 
 deb http://security.debian.org/debian-security {{ ansible_distribution_release }}-security main contrib non-free
 
 deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }}-updates main contrib non-free
-
-{% endif %} {# ansible_distribution #}

roles/common/templates/sshd_config_Ubuntu-20.04.j2

@@ -1,143 +0,0 @@
-#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
-
-# This is the sshd server system-wide configuration file.  See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented.  Uncommented options override the
-# default value.
-
-Include /etc/ssh/sshd_config.d/*.conf
-
-#Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-#HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-#SyslogFacility AUTH
-# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
-LogLevel VERBOSE
-
-# Authentication:
-
-#LoginGraceTime 2m
-PermitRootLogin prohibit-password
-#StrictModes yes
-MaxAuthTries 4
-#MaxSessions 10
-
-#PubkeyAuthentication yes
-
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
-AuthorizedKeysFile	.ssh/authorized_keys
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
-{% if ssh_password_authentication == 'disabled' %}
-PasswordAuthentication no
-{% else %}
-PasswordAuthentication yes
-{% endif %}
-#PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-#GSSAPIStrictAcceptorCheck yes
-#GSSAPIKeyExchange no
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-X11Forwarding no
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-PrintMotd no
-#PrintLastLog yes
-#TCPKeepAlive yes
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS no
-#PidFile /var/run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-
-# Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
-
-# override default of no subsystems
-Subsystem sftp	/usr/lib/openssh/sftp-server
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-#	X11Forwarding no
-#	AllowTcpForwarding no
-#	PermitTTY no
-#	ForceCommand cvs server
-
-# Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html
-# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now
-# does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
-KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
-
-{% if ssh_allowed_users is defined and ssh_allowed_users %}
-# Is there a list of allowed users?
-# Is it populated? (An empty list is 'None', which evaluates as False in Python)
-# merge the items of a list into one string using a space as a separator
-# http://jinja.pocoo.org/docs/dev/templates/#join
-AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
-{% endif %}

roles/common/templates/sysctl_Debian.j2

@@ -90,7 +90,7 @@ net.ipv4.tcp_wmem = 4096 65536 16777216
 # increase the length of the processor input queue
 net.core.netdev_max_backlog = 30000
 {# kernels after 2.6.32 don't have buggy cubic #}
-{% if ansible_kernel < "2.6.33" %}
+{% if ansible_facts["kernel"] < "2.6.33" %}
 # recommended default congestion control is htcp
 net.ipv4.tcp_congestion_control=htcp
 {% endif %}
@@ -98,7 +98,7 @@ net.ipv4.tcp_congestion_control=htcp
 #net.ipv4.tcp_mtu_probing=1
 
 {# disable iptables on bridge interfaces on VM hosts #}
-{% if ansible_virtualization_role == "host" %}
+{% if ansible_facts["virtualization_role"] == "host" %}
 net.bridge.bridge-nf-call-ip6tables = 0
 net.bridge.bridge-nf-call-iptables = 0
 net.bridge.bridge-nf-call-arptables = 0

roles/common/templates/sysctl_Ubuntu.j2

@@ -1,100 +0,0 @@
-#
-# /etc/sysctl.conf - Configuration file for setting system variables
-# See /etc/sysctl.d/ for additional system variables
-# See sysctl.conf (5) for information.
-#
-
-#kernel.domainname = example.com
-
-# Uncomment the following to stop low-level messages on console
-#kernel.printk = 3 4 1 3
-
-##############################################################3
-# Functions previously found in netbase
-#
-
-# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
-# Turn on Source Address Verification in all interfaces to
-# prevent some spoofing attacks
-#net.ipv4.conf.default.rp_filter=1
-#net.ipv4.conf.all.rp_filter=1
-
-# Uncomment the next line to enable TCP/IP SYN cookies
-# See http://lwn.net/Articles/277146/
-# Note: This may impact IPv6 TCP sessions too
-#net.ipv4.tcp_syncookies=1
-
-# Uncomment the next line to enable packet forwarding for IPv4
-#net.ipv4.ip_forward=1
-
-# Uncomment the next line to enable packet forwarding for IPv6
-#  Enabling this option disables Stateless Address Autoconfiguration
-#  based on Router Advertisements for this host
-#net.ipv6.conf.all.forwarding=1
-
-
-###################################################################
-# Additional settings - these settings can improve the network
-# security of the host and prevent against some network attacks
-# including spoofing attacks and man in the middle attacks through
-# redirection. Some network environments, however, require that these
-# settings are disabled so review and enable them as needed.
-#
-# Do not accept ICMP redirects (prevent MITM attacks)
-#net.ipv4.conf.all.accept_redirects = 0
-#net.ipv6.conf.all.accept_redirects = 0
-# _or_
-# Accept ICMP redirects only for gateways listed in our default
-# gateway list (enabled by default)
-# net.ipv4.conf.all.secure_redirects = 1
-#
-# Do not send ICMP redirects (we are not a router)
-#net.ipv4.conf.all.send_redirects = 0
-#
-# Do not accept IP source route packets (we are not a router)
-#net.ipv4.conf.all.accept_source_route = 0
-#net.ipv6.conf.all.accept_source_route = 0
-#
-# Log Martian Packets
-#net.ipv4.conf.all.log_martians = 1
-#
-
-# CIS Benchmark Adjustments
-# See: https://github.com/alanorth/securekickstarts
-kernel.randomize_va_space = 2 
-net.ipv4.ip_forward = 0 
-net.ipv4.conf.all.send_redirects = 0 
-net.ipv4.conf.default.send_redirects = 0 
-net.ipv4.conf.all.accept_source_route = 0 
-net.ipv4.conf.default.accept_source_route = 0 
-net.ipv4.conf.all.accept_redirects = 0 
-net.ipv4.conf.default.accept_redirects = 0 
-net.ipv4.conf.all.secure_redirects = 0 
-net.ipv4.conf.default.secure_redirects = 0 
-net.ipv4.conf.all.log_martians = 1 
-net.ipv4.conf.default.log_martians = 1 
-net.ipv4.icmp_echo_ignore_broadcasts = 1 
-net.ipv4.icmp_ignore_bogus_error_responses = 1 
-net.ipv4.conf.all.rp_filter = 1 
-net.ipv4.conf.default.rp_filter = 1 
-net.ipv4.tcp_syncookies = 1
-
-# TCP stuff
-# See: http://fasterdata.es.net/host-tuning/linux/
-# increase TCP max buffer size settable using setsockopt()
-net.core.rmem_max = 16777216 
-net.core.wmem_max = 16777216 
-# increase Linux autotuning TCP buffer limit 
-net.ipv4.tcp_rmem = 4096 87380 16777216
-net.ipv4.tcp_wmem = 4096 65536 16777216
-# increase the length of the processor input queue
-net.core.netdev_max_backlog = 30000
-# recommended for hosts with jumbo frames enabled
-#net.ipv4.tcp_mtu_probing=1
-
-# increase quadruplets (src ip, src port, dest ip, dest port)
-# see: http://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux.html
-net.ipv4.ip_local_port_range = 10240 65535
-# recommended for web servers, especially if running SPDY
-# see: http://www.chromium.org/spdy/spdy-best-practices
-net.ipv4.tcp_slow_start_after_idle = 0

roles/common/templates/tarsnap_sources.list.j2

@@ -1 +1 @@
-deb [arch=amd64 signed-by=/etc/apt/keyrings/tarsnap-deb-packaging-key.asc] https://pkg.tarsnap.com/deb/{{ ansible_distribution_release }} ./
+deb [arch=amd64 signed-by=/etc/apt/keyrings/tarsnap-deb-packaging-key.asc] https://pkg.tarsnap.com/deb/{{ ansible_facts["distribution_release"] }} ./

roles/common/templates/update-firehol-nftables.sh.j2

@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+#
+# update-firehol-nftables.sh v0.0.1
+#
+# Download FireHOL lists and load them into nftables sets.
+# 
+# See: https://iplists.firehol.org/
+#
+# Copyright (C) 2025 Alan Orth
+#
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Exit on first error
+set -o errexit
+
+firehol_level1_ipv4_set_path=/etc/nftables/firehol_level1-ipv4.nft
+
+function download() {
+    echo "Downloading $1"
+    wget -q -O - "https://iplists.firehol.org/files/$1" > "$1"
+}
+
+download firehol_level1.netset
+
+if [[ -f "firehol_level1.netset" ]]; then
+    echo "Processing FireHOL Level 1 list"
+
+    firehol_level1_ipv4_list_temp=$(mktemp)
+    firehol_level1_ipv4_set_temp=$(mktemp)
+
+    # Filter blank lines, comments, and bogons we use inside the LAN, DMZ, and
+    # for local services like systemd-resolved and others on localhost. Ideally
+    # these are blocked already at the WAN side by network administrators.
+    cat firehol_level1.netset \
+        | sed \
+            -e '/^$/d' \
+            -e '/^#.*/d' \
+            -e '/^127\.0\.0\.0\/8/d' \
+        > "$firehol_level1_ipv4_list_temp"
+
+    echo "Building firehol_level1-ipv4 set"
+    cat << NFT_HEAD > "$firehol_level1_ipv4_set_temp"
+#!/usr/sbin/nft -f
+
+define FIREHOL_LEVEL1_IPV4 = {
+NFT_HEAD
+
+    while read -r network; do
+        # nftables doesn't mind if the last element in the set has a trailing
+        # comma so we don't need to do anything special here.
+        echo "$network," >> "$firehol_level1_ipv4_set_temp"
+    done < $firehol_level1_ipv4_list_temp
+
+    echo "}" >> "$firehol_level1_ipv4_set_temp"
+
+    install -m 0600 "$firehol_level1_ipv4_set_temp" "$firehol_level1_ipv4_set_path"
+
+    rm -f "$firehol_level1_ipv4_list_temp" "$firehol_level1_ipv4_set_temp"
+fi
+
+echo "Restarting nftables"
+
+/usr/bin/systemctl restart nftables.service
+
+rm -v firehol_level1.netset

roles/mariadb/defaults/main.yml

@@ -1,15 +1,4 @@
 ---
-# ansible.builtin.file: roles/mariadb/defaults/main.yml
-#
-# Based on my running of mysqltuner.pl on a host with three WordPress databases
-#
-
-# default is 128MB but is a waste because it seems only the mysql table uses it
-key_buffer_size: 8M
-
-# default is 128MB but is a waste because it seems only information_schema uses
-# AriaDB, see: https://mariadb.com/kb/en/mariadb/aria-system-variables
-aria_pagecache_buffer_size: 8M
 
 # default is 128M, but set to at least the size of your InnoDB data
 innodb_buffer_pool_size: 256M
@@ -22,10 +11,6 @@ mariadb_login_unix_socket: /run/mysqld/mysqld.sock
 # default is 100 but the max I've seen used is 5, so let's reduce it
 max_connections: 33
 
-# disable the query cache by default
-query_cache_size: 0
-query_cache_type: 0
-
 # mysqltuner says we should use larger than 32M on our setup
 tmp_table_size: 64M
 max_heap_table_size: 64M

roles/mariadb/handlers/main.yml

@@ -1,5 +1,7 @@
 ---
 - name: restart mariadb
-  ansible.builtin.systemd: name=mariadb state=restarted
+  ansible.builtin.systemd_service:
+    name: mariadb
+    state: restarted
 
 # vim: set ts=2 sw=2:

roles/mariadb/tasks/main.yml

@@ -1,52 +1,4 @@
 ---
-- name: Remove MariaDB key from apt-key
-  ansible.builtin.apt_key:
-    id: "013577200103762554506315430003013705453362230723150730"
-    state: absent
-  tags:
-    - packages
-    - mariadb
-
-- name: Check MariaDB package signing key
-  ansible.builtin.stat:
-    path: /etc/apt/keyrings/mariadb_release_signing_key.asc
-  register: mariadb_signing_key_stat
-  tags:
-    - packages
-    - mariadb
-
-- name: Download MariaDB package signing key
-  ansible.builtin.get_url:
-    url: https://mariadb.org/mariadb_release_signing_key.asc
-    dest: /etc/apt/keyrings/mariadb_release_signing_key.asc
-    owner: root
-    group: root
-    mode: "0644"
-  register: download_mariadb_signing_key
-  when: not mariadb_signing_key_stat.stat.exists
-  tags:
-    - packages
-    - mariadb
-
-- name: Add MariaDB 10.11 repo
-  ansible.builtin.apt_repository:
-    repo: deb [arch=amd64 signed-by=/etc/apt/keyrings/mariadb_release_signing_key.asc] https://dlm.mariadb.com/repo/mariadb-server/10.11/repo/debian {{ ansible_distribution_release
-      }} main
-    filename: mariadb
-    state: present
-  register: add_mariadb_apt_repository
-  tags:
-    - packages
-    - mariadb
-
-- name: Update apt cache
-  ansible.builtin.apt: # noqa no-handler
-    update_cache: true
-  when: (download_mariadb_signing_key.status_code is defined and download_mariadb_signing_key.status_code == 200) or add_mariadb_apt_repository is changed
-  tags:
-    - packages
-    - mariadb
-
 - name: Install mariadb-server
   ansible.builtin.apt:
     name: [mariadb-server, python3-pymysql]
@@ -54,10 +6,10 @@
     cache_valid_time: 3600
   tags: mariadb, packages
 
-- name: Create system my.cnf
+- name: Add MariaDB configuration overrides
   ansible.builtin.template:
-    src: my.cnf.j2
-    dest: /etc/mysql/my.cnf
+    src: 70-local.cnf.j2
+    dest: /etc/mysql/mariadb.conf.d/70-local.cnf
     owner: root
     group: root
     mode: "0644"
@@ -87,16 +39,17 @@
 
 # See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_db_module.html
 - name: Create MariaDB database(s)
+  when: mariadb_databases is defined
   community.mysql.mysql_db:
     db: "{{ item.name }}"
     state: present
     encoding: utf8mb4
     login_unix_socket: "{{ mariadb_login_unix_socket }}"
   loop: "{{ mariadb_databases }}"
-  when: mariadb_databases is defined
   tags: mariadb
 
 - name: Create MariaDB user(s)
+  when: mariadb_databases is defined
   community.mysql.mysql_user:
     name: "{{ item.user }}"
     password: "{{ item.pass }}"
@@ -105,7 +58,6 @@
     state: present
     login_unix_socket: "{{ mariadb_login_unix_socket }}"
   loop: "{{ mariadb_databases }}"
-  when: mariadb_databases is defined
   tags: mariadb
 
 # vim: set ts=2 sw=2:

roles/mariadb/templates/70-local.cnf.j2

@@ -0,0 +1,10 @@
+{{ ansible_managed | comment }}
+
+[mysqld]
+# don't resolve connection IPs to hostnames (make sure user accounts are using
+# IPs instead of "localhost")
+skip-name-resolve=1
+max_connections		= {{ max_connections }}
+tmp_table_size		= {{ tmp_table_size }}
+max_heap_table_size	= {{ max_heap_table_size }}
+innodb_buffer_pool_size	= {{ innodb_buffer_pool_size }}

roles/mariadb/templates/my.cnf.j2

@@ -1,196 +0,0 @@
-{{ ansible_managed | comment }}
-
-# MariaDB database server configuration file.
-#
-# You can copy this file to one of:
-# - "/etc/mysql/my.cnf" to set global options,
-# - "~/.my.cnf" to set user-specific options.
-# 
-# One can use all long options that the program supports.
-# Run program with --help to get a list of available options and with
-# --print-defaults to see which it would actually understand and use.
-#
-# For explanations see
-# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
-
-# This will be passed to all mysql clients
-# It has been reported that passwords should be enclosed with ticks/quotes
-# escpecially if they contain "#" chars...
-# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
-[client]
-port		= 3306
-socket		= /run/mysqld/mysqld.sock
-
-# Here is entries for some specific programs
-# The following values assume you have at least 32M ram
-
-# This was formally known as [safe_mysqld]. Both versions are currently parsed.
-[mysqld_safe]
-socket		= /run/mysqld/mysqld.sock
-nice		= 0
-
-[mysqld]
-#
-# * Basic Settings
-#
-user		= mysql
-pid-file	= /run/mysqld/mysqld.pid
-socket		= /run/mysqld/mysqld.sock
-port		= 3306
-basedir		= /usr
-datadir		= /var/lib/mysql
-tmpdir		= /tmp
-lc_messages_dir	= /usr/share/mysql
-lc_messages	= en_US
-skip-external-locking
-#
-# Instead of skip-networking the default is now to listen only on
-# localhost which is more compatible and is not less secure.
-bind-address		= 127.0.0.1
-
-# don't resolve connection IPs to hostnames (make sure user accounts are using
-# IPs instead of "localhost")
-skip-name-resolve=1
-#
-# * Fine Tuning
-#
-max_connections		= {{ max_connections }}
-connect_timeout		= 5
-wait_timeout		= 600
-max_allowed_packet	= 16M
-thread_cache_size       = 128
-sort_buffer_size	= 4M
-bulk_insert_buffer_size	= 16M
-tmp_table_size		= {{ tmp_table_size }}
-max_heap_table_size	= {{ max_heap_table_size }}
-#
-# * MyISAM
-#
-# This replaces the startup script and checks MyISAM tables if needed
-# the first time they are touched. On error, make copy and try a repair.
-myisam_recover_options = BACKUP
-key_buffer_size		= {{ key_buffer_size }}
-#open-files-limit	= 2000
-table_open_cache	= 400
-myisam_sort_buffer_size	= 512M
-concurrent_insert	= 2
-read_buffer_size	= 2M
-read_rnd_buffer_size	= 1M
-#
-# * Query Cache Configuration
-#
-query_cache_limit		= 128K
-query_cache_size		= {{ query_cache_size }}
-query_cache_type		= {{ query_cache_type }}
-#
-# * Logging and Replication
-#
-# Both location gets rotated by the cronjob.
-# Be aware that this log type is a performance killer.
-# As of 5.1 you can enable the log at runtime!
-#general_log_file        = /var/log/mysql/mysql.log
-#general_log             = 1
-#
-# Error logging goes to syslog due to /etc/mysql/conf.d/mysqld_safe_syslog.cnf.
-#
-# we do want to know about network errors and such
-log_warnings		= 2
-#
-# Enable the slow query log to see queries with especially long duration
-#slow_query_log[={0|1}]
-slow_query_log_file	= /var/log/mysql/mariadb-slow.log
-long_query_time = 10
-#log_slow_rate_limit	= 1000
-log_slow_verbosity	= query_plan
-
-#log-queries-not-using-indexes
-#log_slow_admin_statements
-#
-# The following can be used as easy to replay backup logs or for replication.
-# note: if you are setting up a replication slave, see README.Debian about
-#       other settings you may need to change.
-#server-id		= 1
-#report_host		= master1
-#auto_increment_increment = 2
-#auto_increment_offset	= 1
-log_bin			= /var/log/mysql/mariadb-bin
-log_bin_index		= /var/log/mysql/mariadb-bin.index
-# not fab for performance, but safer
-#sync_binlog		= 1
-expire_logs_days	= 10
-max_binlog_size         = 100M
-# slaves
-#relay_log		= /var/log/mysql/relay-bin
-#relay_log_index	= /var/log/mysql/relay-bin.index
-#relay_log_info_file	= /var/log/mysql/relay-bin.info
-#log_slave_updates
-#read_only
-#
-# If applications support it, this stricter sql_mode prevents some
-# mistakes like inserting invalid dates etc.
-#sql_mode		= NO_ENGINE_SUBSTITUTION,TRADITIONAL
-#
-# * InnoDB
-#
-# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
-# Read the manual for more InnoDB related options. There are many!
-default_storage_engine	= InnoDB
-# you can't just change log file size, requires special procedure
-#innodb_log_file_size	= 50M
-innodb_buffer_pool_size	= {{ innodb_buffer_pool_size }}
-innodb_log_buffer_size	= 8M
-innodb_file_per_table	= 1
-innodb_open_files	= 400
-innodb_io_capacity	= 400
-innodb_flush_method	= O_DIRECT
-
-aria_pagecache_buffer_size = {{ aria_pagecache_buffer_size }}
-#
-# * Security Features
-#
-# Read the manual, too, if you want chroot!
-# chroot = /var/lib/mysql/
-#
-# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
-#
-# ssl-ca=/etc/mysql/cacert.pem
-# ssl-cert=/etc/mysql/server-cert.pem
-# ssl-key=/etc/mysql/server-key.pem
-
-#
-# * Galera-related settings
-#
-[galera]
-# Mandatory settings
-#wsrep_on=ON
-#wsrep_provider=
-#wsrep_cluster_address=
-#binlog_format=row
-#default_storage_engine=InnoDB
-#innodb_autoinc_lock_mode=2
-#
-# Allow server to accept connections on all interfaces.
-#
-#bind-address=0.0.0.0
-#
-# Optional setting
-#wsrep_slave_threads=1
-#innodb_flush_log_at_trx_commit=0
-
-[mysqldump]
-quick
-quote-names
-max_allowed_packet	= 16M
-
-[mysql]
-#no-auto-rehash	# faster start of mysql but no tab completion
-
-[isamchk]
-key_buffer		= 16M
-
-#
-# * IMPORTANT: Additional settings that can override those from this file!
-#   The files must end with '.cnf', otherwise they'll be ignored.
-#
-!include /etc/mysql/mariadb.cnf
-!includedir /etc/mysql/conf.d/

roles/munin/handlers/main.yml

@@ -1,4 +1,4 @@
 ---
 # ansible.builtin.file: roles/munin/handlers/main.yml
 - name: restart munin-node
-  ansible.builtin.systemd: name=munin-node state=restarted
+  ansible.builtin.systemd_service: name=munin-node state=restarted

roles/munin/tasks/munin-node.yml

@@ -1,16 +1,22 @@
 ---
 - name: Install munin-node
-  ansible.builtin.apt: name=munin-node state=present
+  ansible.builtin.apt:
+    name: munin-node
+    state: present
   tags: packages
 
 # some nice things to have for munin-node on Ubuntu
 # libwww-perl: for munin's nginx_status check
 - name: Install munin-node deps
-  ansible.builtin.apt: name=libwww-perl state=present
+  ansible.builtin.apt:
+    name: libwww-perl
+    state: present
   tags: packages
 
 - name: Create munin-node.conf
-  ansible.builtin.template: src=munin-node.conf.j2 dest=/etc/munin/munin-node.conf
+  ansible.builtin.template:
+    src: munin-node.conf.j2
+    dest: /etc/munin/munin-node.conf
   notify:
     - restart munin-node
 
@@ -20,6 +26,9 @@
     - restart munin-node
 
 - name: Start munin-node
-  ansible.builtin.systemd: name=munin-node state=started enabled=true
+  ansible.builtin.systemd_service:
+    name: munin-node
+    state: started
+    enabled: true
 
 # vim: set ts=2 sw=2:

roles/munin/tasks/munin.yml

@@ -1,9 +1,16 @@
 ---
 - name: Install munin package
-  ansible.builtin.apt: name=munin state=present
+  ansible.builtin.apt:
+    name: munin
+    state: present
   tags: packages
 
 - name: Create munin configuration file
-  ansible.builtin.template: src=munin.conf.j2 dest=/etc/munin/munin.conf owner=root group=root mode=0644
+  ansible.builtin.template:
+    src: munin.conf.j2
+    dest: /etc/munin/munin.conf
+    owner: root
+    group: root
+    mode: "0644"
 
 # vim: set ts=2 sw=2:

roles/nginx/defaults/main.yml

@@ -5,16 +5,16 @@
 nginx_confd_path: /etc/nginx/conf.d
 
 # parent directory of vhost roots
-nginx_root_prefix: /var/www
+nginx_root_prefix: "{{ web_root_prefix }}"
 
-# 1 hour timeout
-nginx_ssl_session_timeout: 1h
+# 1 day timeout
+nginx_ssl_session_timeout: 1d
 # 10MB -> 40,000 sessions
 nginx_ssl_session_cache: shared:SSL:10m
-# 1400 bytes to fit in one MTU (default is 16k!)
-nginx_ssl_buffer_size: 1400
+nginx_ssl_buffer_size: 4k
 nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
 nginx_ssl_protocols: TLSv1.2 TLSv1.3
+nginx_ssl_ecdh_curve: X25519:prime256v1:secp384r1
 
 # DNS resolvers for OCSP stapling (default to Cloudflare public DNS)
 # See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
@@ -37,8 +37,8 @@ letsencrypt_root: /etc/ssl
 letsencrypt_acme_script_temp: /root/acme.sh
 letsencrypt_acme_home: /root/.acme.sh
 
-# stable is 1.20.x
-# mainline is 1.21.x
+# stable is 1.26.x
+# mainline is 1.27.x
 nginx_version: mainline
 
 # vim: set ts=2 sw=2:

roles/nginx/handlers/main.yml

@@ -1,5 +1,7 @@
 ---
-- name: reload nginx
-  ansible.builtin.systemd: name=nginx state=reloaded
+- name: Reload nginx
+  ansible.builtin.systemd_service:
+    name: nginx
+    state: reloaded
 
 # vim: set ts=2 sw=2:

roles/nginx/tasks/letsencrypt.yml

@@ -1,7 +1,12 @@
 ---
 # Use acme.sh instead of certbot because they only support installation via
 # snap now.
-- block:
+- name: Install and configure Let's Encrypt
+  tags: letsencrypt
+  when:
+    - ansible_facts["distribution"] == 'Debian'
+    - ansible_facts["distribution_version"] is version('11', '>=')
+  block:
     - name: Remove certbot
       ansible.builtin.apt:
         name: certbot
@@ -21,31 +26,31 @@
       register: acme_home
 
     - name: Download acme.sh
+      when: not acme_home.stat.exists
       ansible.builtin.get_url:
         url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
         dest: "{{ letsencrypt_acme_script_temp }}"
         mode: "0700"
       register: acme_download
-      when: not acme_home.stat.exists
 
     # Run the "install" for acme.sh so it creates the .acme.sh dir (currently I
     # have to chdir to the /root directory where the script exists or else it
     # fails. Ansible runs it, but the script can't find itself...).
     - name: Install acme.sh
+      when: acme_download is changed
       ansible.builtin.command:
         cmd: "{{ letsencrypt_acme_script_temp }} --install --no-profile --no-cron"
         creates: "{{ letsencrypt_acme_home }}/acme.sh"
         chdir: /root
       register: acme_install
-      when: acme_download is changed
 
     - name: Remove temporary acme.sh script
-      ansible.builtin.file:
-        dest: "{{ letsencrypt_acme_script_temp }}"
-        state: absent
       when:
         - acme_install.rc is defined
         - acme_install.rc == 0
+      ansible.builtin.file:
+        dest: "{{ letsencrypt_acme_script_temp }}"
+        state: absent
 
     - name: Set default certificate authority for acme.sh
       ansible.builtin.command:
@@ -77,14 +82,10 @@
 
     # always issues daemon-reload just in case the service/timer changed
     - name: Start and enable systemd timer to renew Let's Encrypt certs
-      ansible.builtin.systemd:
+      ansible.builtin.systemd_service:
         name: renew-letsencrypt.timer
         state: started
         enabled: true
         daemon_reload: true
 
-  when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version
-    is version('11', '>='))
-  tags: letsencrypt
-
 # vim: set ts=2 sw=2:

roles/nginx/tasks/main.yml

@@ -1,12 +1,4 @@
 ---
-- name: Remove nginx apt signing key from apt-key
-  ansible.builtin.apt_key:
-    id: "053473772654754373614404074646527257655730117366337542"
-    state: absent
-  tags:
-    - packages
-    - nginx
-
 - name: Download nginx apt signing key
   ansible.builtin.get_url:
     url: https://nginx.org/keys/nginx_signing.key
@@ -33,9 +25,9 @@
     - packages
 
 - name: Update apt cache
+  when: (download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or add_nginx_apt_repository is changed
   ansible.builtin.apt: # noqa no-handler
     update_cache: true
-  when: (download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or add_nginx_apt_repository is changed
 
 - name: Install nginx
   ansible.builtin.apt:
@@ -54,7 +46,7 @@
     owner: root
     group: root
   notify:
-    - reload nginx
+    - Reload nginx
   tags: nginx
 
 - name: Copy extra nginx configs
@@ -68,7 +60,7 @@
     - extra-security.conf
     - fastcgi_cache
   notify:
-    - reload nginx
+    - Reload nginx
   tags: nginx
 
 - name: Remove default nginx vhost
@@ -87,13 +79,13 @@
   tags: nginx
 
 - name: Configure nginx virtual hosts
-  ansible.builtin.include_tasks: vhosts.yml
   when: nginx_vhosts is defined
+  ansible.builtin.include_tasks: vhosts.yml
   tags: nginx
 
 - name: Configure WordPress
-  ansible.builtin.include_tasks: wordpress.yml
   when: nginx_vhosts is defined
+  ansible.builtin.include_tasks: wordpress.yml
   tags: wordpress
 
 - name: Configure blank nginx vhost
@@ -104,7 +96,7 @@
     owner: root
     group: root
   notify:
-    - reload nginx
+    - Reload nginx
   tags: nginx
 
 - name: Configure munin vhost
@@ -115,11 +107,11 @@
     owner: root
     group: root
   notify:
-    - reload nginx
+    - Reload nginx
   tags: nginx
 
 - name: Start and enable nginx service
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: nginx
     state: started
     enabled: true

roles/nginx/tasks/vhosts.yml

@@ -1,16 +1,23 @@
 ---
-- block:
+- name: Configure https vhosts
+  tags: nginx
+  block:
     - name: Configure https vhosts
-      ansible.builtin.template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root
+      ansible.builtin.template:
+        src: vhost.conf.j2
+        dest: "{{ nginx_confd_path }}/{{ item.domain_name }}.conf"
+        mode: "0644"
+        owner: root
+        group: root
       loop: "{{ nginx_vhosts }}"
       notify:
-        - reload nginx
+        - Reload nginx
 
     - name: Generate self-signed TLS cert
       ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key
         -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
       notify:
-        - reload nginx
+        - Reload nginx
 
     - name: Download 4096-bit RFC 7919 dhparams
       ansible.builtin.get_url:
@@ -18,12 +25,16 @@
         checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3
         dest: "{{ nginx_ssl_dhparam }}"
       notify:
-        - reload nginx
+        - Reload nginx
 
     # TODO: this could break because we can override the document root in host vars
     - name: Create vhost document roots
-      ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=nginx group=nginx
+      ansible.builtin.file:
+        path: "{{ nginx_root_prefix }}/{{ item.domain_name }}"
+        state: directory
+        mode: "0755"
+        owner: nginx
+        group: nginx
       loop: "{{ nginx_vhosts }}"
-  tags: nginx
 
 # vim: set ts=2 sw=2:

roles/nginx/tasks/wordpress.yml

@@ -1,19 +1,31 @@
 ---
-- block:
+- name: Install and configure WordPress
+  tags: wordpress
+  block:
     - name: Install WordPress
-      ansible.builtin.git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version
-        }} depth=1 force=true
       when:
         - item.has_wordpress is defined
         - item.has_wordpress
+      ansible.builtin.git:
+        repo: https://github.com/WordPress/WordPress.git
+        dest: "{{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress"
+        version: "{{ item.wordpress_version }}"
+        depth: 1
+        force: true
       loop: "{{ nginx_vhosts }}"
+      become: true
+      become_user: nginx
 
     - name: Fix WordPress directory permissions
-      ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=true
       when:
         - item.has_wordpress is defined
         - item.has_wordpress
+      ansible.builtin.file:
+        path: "{{ nginx_root_prefix }}/{{ item.domain_name }}"
+        state: directory
+        owner: nginx
+        group: nginx
+        recurse: true
       loop: "{{ nginx_vhosts }}"
-  tags: wordpress
 
 # vim: set ts=2 sw=2:

roles/nginx/templates/blank-vhost.conf.j2

@@ -11,9 +11,11 @@ server {
 
     return 444;
 }
+
 server {
-    listen 443 ssl http2 default_server;
-    listen [::]:443 ssl http2 default_server;
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+    http2 on;
     server_name _;
 
     # self-signed "snakeoil" certificate

roles/nginx/templates/https.j2

@@ -27,8 +27,9 @@
 
     ssl_dhparam {{ nginx_ssl_dhparam }};
     ssl_protocols {{ nginx_ssl_protocols }};
+    ssl_ecdh_curve {{ nginx_ssl_ecdh_curve }};
     ssl_ciphers "{{ tls_cipher_suite }}";
-    ssl_prefer_server_ciphers on;
+    ssl_prefer_server_ciphers off;
 
     {# OSCP stapling only works with real certs #}
     {% if use_letsencrypt == true or item.tls_certificate_path %}
@@ -38,15 +39,6 @@
     resolver {{ nginx_ssl_stapling_resolver }};
     {% endif %} {# end: use_letsencrypt #}
 
-    # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
-    # when a restart is performed the previous key is lost, which resets all previous
-    # sessions. The fix for this is to setup a manual rotation mechanism:
-    # http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
-    #
-    # Note that you'll have to define and rotate the keys securely by yourself. In absence
-    # of such infrastructure, consider turning off session tickets:
-    ssl_session_tickets off;
-
     {% if enable_hsts == true %}
     # Enable this if you want HSTS (recommended, but be careful)
     # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store

roles/nginx/templates/nginx.conf.j2

@@ -14,7 +14,6 @@ error_log  /var/log/nginx/error.log warn;
 # The file storing the process ID of the main process
 pid        /var/run/nginx.pid;
 
-
 events {
     # If you need more connections than this, you start optimizing your OS.
     # That's probably the point at which you hire people who are smarter than you as this is *a lot* of requests.
@@ -23,6 +22,7 @@ events {
 }
 
 
+
 http {
     include       /etc/nginx/mime.types;
     default_type  application/octet-stream;

roles/nginx/templates/nginx_org_sources.list.j2

@@ -1,19 +1,7 @@
 {{ ansible_managed | comment }}
 
-{% if ansible_distribution == 'Ubuntu' %}
-
 {% if nginx_version == "stable" %}
-deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/ubuntu/ {{ ansible_distribution_release }} nginx
+deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/debian/ {{ ansible_facts["distribution_release"] }} nginx
 {% elif nginx_version == "mainline" %}
-deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/mainline/ubuntu/ {{ ansible_distribution_release }} nginx
-{% endif %}
-
-{% elif ansible_distribution == 'Debian' %}
-
-{% if nginx_version == "stable" %}
-deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx
-{% elif nginx_version == "mainline" %}
-deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/mainline/debian/ {{ ansible_distribution_release }} nginx
-{% endif %}
-
+deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/mainline/debian/ {{ ansible_facts["distribution_release"] }} nginx
 {% endif %}

roles/nginx/templates/vhost.conf.j2

@@ -8,6 +8,12 @@
 {% set has_wordpress  = item.has_wordpress | default(false) %}
 {% set needs_php      = item.needs_php | default(false) %}
 {% set has_gitea      = item.has_gitea | default(false) %}
+{# Allow sites to override the document root #}
+{% if item.document_root is defined %}
+{%   set document_root = item.document_root %}
+{% else %}
+{%   set document_root = (nginx_root_prefix, domain_name) | ansible.builtin.path_join %}
+{% endif %}
 
 # http -> https vhost
 server {
@@ -26,15 +32,11 @@ server {
 }
 
 server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
 
-    {# Allow sites to override the nginx document root #}
-    {% if item.document_root is defined %}
-    root {{ item.document_root }};
-    {% else %}
-    root {{ nginx_root_prefix }}/{{ domain_name }};
-    {% endif %}
+    root {{ document_root }};
 
     {# will only work if the TLS cert covers the domain + aliases, like example.com and www.example.com #}
     server_name {{ domain_name }} {{ domain_aliases }};
@@ -75,12 +77,8 @@ server {
         # See: https://httpoxy.org/
         fastcgi_param HTTP_PROXY "";
 
-        {% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('12', '==') %}
+        {% if ansible_facts["distribution_major_version"] is version('12', '==') %}
         fastcgi_pass unix:/run/php/php8.2-fpm-{{ domain_name }}.sock;
-        {% elif (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11', '==')) %}
-        fastcgi_pass unix:/run/php/php7.4-fpm-{{ domain_name }}.sock;
-        {% else %}
-        fastcgi_pass unix:/var/run/php5-fpm-{{ domain_name }}.sock;
         {% endif %}
         fastcgi_index index.php;
         # set script path relative to document root in server block

roles/php-fpm/handlers/main.yml

@@ -1,12 +0,0 @@
----
-# For Ubuntu 20.04 and Debian 11
-- name: reload php7.4-fpm
-  ansible.builtin.systemd: name=php7.4-fpm state=reloaded
-
-# For Debian 12
-- name: reload php8.2-fpm
-  ansible.builtin.systemd:
-    name: php8.2-fpm
-    state: reloaded
-
-# vim: set ts=2 sw=2:

roles/php-fpm/tasks/Debian_12.yml

@@ -1,50 +0,0 @@
----
-- block:
-    - name: Set php-fpm packages
-      ansible.builtin.set_fact:
-        php_fpm_packages:
-          - php8.2-fpm
-          # for WordPress
-          - php8.2-mysql
-          - php8.2-gd
-          - php8.2-curl
-          - php8.2-xml
-
-    - name: Install php-fpm and deps
-      ansible.builtin.apt:
-        name: "{{ php_fpm_packages }}"
-        state: present
-        update_cache: true
-
-    # only copy php-fpm config for vhosts that need WordPress or PHP
-    - name: Copy php-fpm pool config
-      ansible.builtin.template:
-        src: php8.2-pool.conf.j2
-        dest: /etc/php/8.2/fpm/pool.d/{{ item.domain_name }}.conf
-        owner: root
-        group: root
-        mode: "0644"
-      loop: "{{ nginx_vhosts }}"
-      when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
-      notify: reload php8.2-fpm
-
-    - name: Remove default www pool
-      ansible.builtin.file:
-        path: /etc/php/8.2/fpm/pool.d/www.conf
-        state: absent
-      notify: reload php8.2-fpm
-
-    # re-configure php.ini
-    - name: Update php.ini
-      ansible.builtin.template:
-        src: php8.2-php.ini.j2
-        dest: /etc/php/8.2/fpm/php.ini
-        owner: root
-        group: root
-        mode: "0644"
-      notify: reload php8.2-fpm
-
-  tags: php-fpm
-  when: install_php
-
-# vim: set ts=2 sw=2:

roles/php-fpm/tasks/Ubuntu_20.04.yml

@@ -1,35 +0,0 @@
----
-- block:
-    - name: Set php-fpm packages
-      ansible.builtin.set_fact:
-        php_fpm_packages:
-          - php7.4-fpm
-          # for WordPress
-          - php7.4-mysql
-          - php7.4-gd
-          - php7.4-curl
-          - php7.4-xml
-
-    - name: Install php-fpm and deps
-      ansible.builtin.apt: name={{ php_fpm_packages }} state=present update_cache=true
-
-    # only copy php-fpm config for vhosts that need WordPress or PHP
-    - name: Copy php-fpm pool config
-      ansible.builtin.template: src=php7.4-pool.conf.j2 dest=/etc/php/7.4/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
-      loop: "{{ nginx_vhosts }}"
-      when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
-      notify: reload php7.4-fpm
-
-    - name: Remove default www pool
-      ansible.builtin.file: path=/etc/php/7.4/fpm/pool.d/www.conf state=absent
-      notify: reload php7.4-fpm
-
-    # re-configure php.ini
-    - name: Update php.ini
-      ansible.builtin.template: src=php7.4-php.ini.j2 dest=/etc/php/7.4/fpm/php.ini owner=root group=root mode=0644
-      notify: reload php7.4-fpm
-
-  tags: php-fpm
-  when: install_php
-
-# vim: set ts=2 sw=2:

roles/php-fpm/tasks/main.yml

@@ -1,53 +0,0 @@
----
-# Ubuntu 20.04 uses PHP 7.4
-# Debian 11 uses PHP 7.4
-# Debian 12 uses PHP 8.2
-
-# If any of the vhosts on this host need WordPress then we need to install PHP.
-# This uses selectattr to filter the list of dicts in nginx_vhosts, selecting
-# any that have has_wordpress defined, and has_wordpress set to true.
-#
-# See: https://stackoverflow.com/a/31896249
-- name: Check if any vhost needs WordPress
-  ansible.builtin.set_fact:
-    install_php: true
-  when: nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', true) | list | length > 0
-
-# Legacy, was only for Piwik, but leaving for now.
-- name: Check if any vhost needs PHP
-  ansible.builtin.set_fact:
-    install_php: true
-  when: nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', true) | list | length > 0
-
-# If install_php has not been set, then we assume no vhosts need PHP. This is
-# a bit hacky, but it's the closest we come to an if/then/else.
-- name: Set install_php to false
-  ansible.builtin.set_fact:
-    install_php: false
-  when: install_php is not defined
-
-- name: Configure php-fpm on Ubuntu 20.04
-  ansible.builtin.include_tasks: Ubuntu_20.04.yml
-  when:
-    - ansible_distribution == 'Ubuntu'
-    - ansible_distribution_version is version('20.04', '==')
-    - install_php
-  tags: php-fpm
-
-- name: Configure php-fpm on Debian 11
-  ansible.builtin.include_tasks: Ubuntu_20.04.yml
-  when:
-    - ansible_distribution == 'Debian'
-    - ansible_distribution_major_version is version('11', '==')
-    - install_php
-  tags: php-fpm
-
-- name: Configure php-fpm on Debian 12
-  ansible.builtin.include_tasks: Debian_12.yml
-  when:
-    - ansible_distribution == 'Debian'
-    - ansible_distribution_major_version is version('12', '==')
-    - install_php
-  tags: php-fpm
-
-# vim: set ts=2 sw=2:

roles/php_fpm/handlers/main.yml

@@ -0,0 +1,14 @@
+---
+# For Debian 12
+- name: Reload php8.2-fpm
+  ansible.builtin.systemd_service:
+    name: php8.2-fpm
+    state: reloaded
+
+# For Debian 13
+- name: Reload php8.4-fpm
+  ansible.builtin.systemd_service:
+    name: php8.4-fpm
+    state: reloaded
+
+# vim: set ts=2 sw=2:

roles/php_fpm/tasks/main.yml

@@ -0,0 +1,90 @@
+---
+# Debian 12 uses PHP 8.2
+# Debian 13 uses PHP 8.4
+
+# If any of the vhosts on this host need WordPress then we need to install PHP.
+# This uses selectattr to filter the list of dicts in nginx_vhosts, selecting
+# any that have has_wordpress defined, and has_wordpress set to true.
+#
+# See: https://stackoverflow.com/a/31896249
+- name: Check if any vhost needs WordPress
+  ansible.builtin.set_fact:
+    install_php: true
+  when: nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', true) | list | length > 0
+
+# Legacy, was only for Piwik, but leaving for now.
+- name: Check if any vhost needs PHP
+  ansible.builtin.set_fact:
+    install_php: true
+  when: nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', true) | list | length > 0
+
+# If install_php has not been set, then we assume no vhosts need PHP. This is
+# a bit hacky, but it's the closest we come to an if/then/else.
+- name: Set install_php to false
+  ansible.builtin.set_fact:
+    install_php: false
+  when: install_php is not defined
+
+- name: Install and configure php-fpm
+  tags: php-fpm
+  when: install_php
+  block:
+    - name: Set php-fpm packages
+      ansible.builtin.set_fact:
+        php_fpm_packages:
+          - php-fpm
+          # for WordPress
+          - php-mysql
+          - php-gd
+          - php-curl
+          - php-xml
+
+    - name: Install php-fpm and deps
+      ansible.builtin.apt:
+        name: "{{ php_fpm_packages }}"
+        state: present
+        update_cache: true
+
+    - name: Set PHP version for Debian 12
+      when:
+        - ansible_facts["distribution"] == 'Debian'
+        - ansible_facts["distribution_major_version"] is version('12', '==')
+      ansible.builtin.set_fact:
+        php_version: 8.2
+
+    - name: Set PHP version for Debian 13
+      when:
+        - ansible_facts["distribution"] == 'Debian'
+        - ansible_facts["distribution_major_version"] is version('13', '==')
+      ansible.builtin.set_fact:
+        php_version: 8.4
+
+    # only copy php-fpm config for vhosts that need WordPress or PHP
+    - name: Copy php-fpm pool config
+      ansible.builtin.template:
+        src: php{{ php_version }}-pool.conf.j2
+        dest: /etc/php/{{ php_version }}/fpm/pool.d/{{ item.domain_name }}.conf
+        owner: root
+        group: root
+        mode: "0644"
+      loop: "{{ nginx_vhosts }}"
+      when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
+      notify: Reload php{{ php_version }}-fpm
+
+    - name: Remove default www pool
+      ansible.builtin.file:
+        path: /etc/php/{{ php_version }}/fpm/pool.d/www.conf
+        state: absent
+      notify: Reload php{{ php_version }}-fpm
+
+    # re-configure php.ini
+    - name: Update php.ini
+      ansible.builtin.template:
+        src: php{{ php_version }}-php.ini.j2
+        dest: /etc/php/{{ php_version }}/fpm/php.ini
+        owner: root
+        group: root
+        mode: "0644"
+      notify: Reload php{{ php_version }}-fpm
+
+# vim: set ts=2 sw=2:

roles/php_fpm/templates/php8.2-pool.conf.j2

@@ -27,8 +27,8 @@
 ;       --allow-to-run-as-root option to work.
 ; Default Values: The user is set to master process running user by default.
 ;                 If the group is not set, the user's group is used.
-user = nginx
-group = nginx
+user = {{ webserver }}
+group = {{ webserver }}
 
 ; The address on which to accept FastCGI requests.
 ; Valid syntaxes are:
@@ -52,8 +52,8 @@ listen = /run/php/php8.2-fpm-{{ domain_name }}.sock
 ; and group can be specified either by name or by their numeric IDs.
 ; Default Values: Owner is set to the master process running user. If the group
 ;                 is not set, the owner's group is used. Mode is set to 0660.
-listen.owner = nginx
-listen.group = nginx
+listen.owner = {{ webserver }}
+listen.group = {{ webserver }}
 ;listen.mode = 0660
 
 ; When POSIX Access Control Lists are supported you can set them using

roles/php_fpm/templates/php8.4-pool.conf.j2

@@ -19,11 +19,16 @@
 ; Default Value: none
 ;prefix = /path/to/pools/$pool
 
-; Unix user/group of processes
-; Note: The user is mandatory. If the group is not set, the default user's group
-;       will be used.
-user = nginx
-group = nginx
+; Unix user/group of the child processes. This can be used only if the master
+; process running user is root. It is set after the child process is created.
+; The user and group can be specified either by their name or by their numeric
+; IDs.
+; Note: If the user is root, the executable needs to be started with
+;       --allow-to-run-as-root option to work.
+; Default Values: The user is set to master process running user by default.
+;                 If the group is not set, the user's group is used.
+user = {{ webserver }}
+group = {{ webserver }}
 
 ; The address on which to accept FastCGI requests.
 ; Valid syntaxes are:
@@ -35,20 +40,22 @@ group = nginx
 ;                            (IPv6 and IPv4-mapped) on a specific port;
 ;   '/path/to/unix/socket' - to listen on a unix socket.
 ; Note: This value is mandatory.
-listen = /run/php/php7.4-fpm-{{ domain_name }}.sock
+listen = /run/php/php8.2-fpm-{{ domain_name }}.sock
 
 ; Set listen(2) backlog.
-; Default Value: 511 (-1 on FreeBSD and OpenBSD)
+; Default Value: 511 (-1 on Linux, FreeBSD and OpenBSD)
 ;listen.backlog = 511
 
 ; Set permissions for unix socket, if one is used. In Linux, read/write
 ; permissions must be set in order to allow connections from a web server. Many
-; BSD-derived systems allow connections regardless of permissions.
-; Default Values: user and group are set as the running user
-;                 mode is set to 0660
-listen.owner = nginx
-listen.group = nginx
+; BSD-derived systems allow connections regardless of permissions. The owner
+; and group can be specified either by name or by their numeric IDs.
+; Default Values: Owner is set to the master process running user. If the group
+;                 is not set, the owner's group is used. Mode is set to 0660.
+listen.owner = {{ webserver }}
+listen.group = {{ webserver }}
 ;listen.mode = 0660
+
 ; When POSIX Access Control Lists are supported you can set them using
 ; these options, value is a comma separated list of user/group names.
 ; When set, listen.owner and listen.group are ignored
@@ -63,6 +70,10 @@ listen.group = nginx
 ; Default Value: any
 ;listen.allowed_clients = 127.0.0.1
 
+; Set the associated the route table (FIB). FreeBSD only
+; Default Value: -1
+;listen.setfib = 1
+
 ; Specify the nice(2) priority to apply to the pool processes (only if set)
 ; The value can vary from -19 (highest priority) to 20 (lower priority)
 ; Note: - It will only work if the FPM master process is launched as root
@@ -71,8 +82,9 @@ listen.group = nginx
 ; Default Value: no set
 ; process.priority = -19
 
-; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
-; or group is differrent than the master process user. It allows to create process
+; Set the process dumpable flag (PR_SET_DUMPABLE prctl for Linux or
+; PROC_TRACE_CTL procctl for FreeBSD) even if the process user
+; or group is different than the master process user. It allows to create process
 ; core dump and ptrace the process for the pool user.
 ; Default Value: no
 ; process.dumpable = yes
@@ -94,6 +106,8 @@ listen.group = nginx
 ;                                    state (waiting to process). If the number
 ;                                    of 'idle' processes is greater than this
 ;                                    number then some children will be killed.
+;             pm.max_spawn_rate    - the maximum number of rate to spawn child
+;                                    processes at once.
 ;  ondemand - no children are created at startup. Children will be forked when
 ;             new requests will connect. The following parameter are used:
 ;             pm.max_children           - the maximum number of children that
@@ -129,6 +143,12 @@ pm.min_spare_servers = 1
 ; Note: Mandatory when pm is set to 'dynamic'
 pm.max_spare_servers = 3
 
+; The number of rate to spawn child processes at once.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+; Default Value: 32
+;pm.max_spawn_rate = 32
+
 ; The number of seconds after which an idle process will be killed.
 ; Note: Used only when pm is set to 'ondemand'
 ; Default Value: 10s
@@ -141,7 +161,7 @@ pm.max_spare_servers = 3
 ;pm.max_requests = 500
 
 ; The URI to view the FPM status page. If this value is not set, no URI will be
-; recognized as a status page. It shows the following informations:
+; recognized as a status page. It shows the following information:
 ;   pool                 - the name of the pool;
 ;   process manager      - static, dynamic or ondemand;
 ;   start time           - the date and time FPM has started;
@@ -211,8 +231,8 @@ pm.max_spare_servers = 3
 ;                          it's always 0 if the process is not in Idle state
 ;                          because memory calculation is done when the request
 ;                          processing has terminated;
-; If the process is in Idle state, then informations are related to the
-; last request the process has served. Otherwise informations are related to
+; If the process is in Idle state, then information is related to the
+; last request the process has served. Otherwise information is related to
 ; the current request being served.
 ; Example output:
 ;   ************************
@@ -231,7 +251,7 @@ pm.max_spare_servers = 3
 ;   last request memory:  0
 ;
 ; Note: There is a real-time FPM status monitoring sample web page available
-;       It's available in: /usr/share/php/7.4/fpm/status.html
+;       It's available in: /usr/share/php/8.4/fpm/status.html
 ;
 ; Note: The value must start with a leading slash (/). The value can be
 ;       anything, but it may not be a good idea to use the .php extension or it
@@ -239,6 +259,22 @@ pm.max_spare_servers = 3
 ; Default Value: not set
 ;pm.status_path = /status
 
+; The address on which to accept FastCGI status request. This creates a new
+; invisible pool that can handle requests independently. This is useful
+; if the main pool is busy with long running requests because it is still possible
+; to get the status before finishing the long running requests.
+;
+; Valid syntaxes are:
+;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
+;                            a specific port;
+;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
+;                            a specific port;
+;   'port'                 - to listen on a TCP socket to all addresses
+;                            (IPv6 and IPv4-mapped) on a specific port;
+;   '/path/to/unix/socket' - to listen on a unix socket.
+; Default Value: value of the listen option
+;pm.status_listen = 127.0.0.1:9001
+
 ; The ping URI to call the monitoring page of FPM. If this value is not set, no
 ; URI will be recognized as a ping page. This could be used to test from outside
 ; that FPM is alive and responding, or to
@@ -271,13 +307,13 @@ pm.max_spare_servers = 3
 ;  %d: time taken to serve the request
 ;      it can accept the following format:
 ;      - %{seconds}d (default)
-;      - %{miliseconds}d
-;      - %{mili}d
+;      - %{milliseconds}d
+;      - %{milli}d
 ;      - %{microseconds}d
 ;      - %{micro}d
 ;  %e: an environment variable (same as $_ENV or $_SERVER)
 ;      it must be associated with embraces to specify the name of the env
-;      variable. Some exemples:
+;      variable. Some examples:
 ;      - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
 ;      - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
 ;  %f: script filename
@@ -306,14 +342,30 @@ pm.max_spare_servers = 3
 ;  %s: status (response code)
 ;  %t: server time the request was received
 ;      it can accept a strftime(3) format:
-;      The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
+;      The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
 ;  %T: time the log has been written (the request has finished)
 ;      it can accept a strftime(3) format:
-;      The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
-;  %u: remote user
+;      The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
+;  %u: basic auth user if specified in Authorization header
 ;
 ; Default: "%R - %u %t \"%m %r\" %s"
-;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
+;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%"
+
+; A list of request_uri values which should be filtered from the access log.
+;
+; As a security precaution, this setting will be ignored if:
+;     - the request method is not GET or HEAD; or
+;     - there is a request body; or
+;     - there are query parameters; or
+;     - the response code is outwith the successful range of 200 to 299
+;
+; Note: The paths are matched against the output of the access.format tag "%r".
+;       On common configurations, this may look more like SCRIPT_NAME than the
+;       expected pre-rewrite URI.
+;
+; Default Value: not set
+;access.suppress_path[] = /ping
+;access.suppress_path[] = /health_check.php
 
 ; The log file for slow requests
 ; Default Value: not set
@@ -372,7 +424,7 @@ pm.max_spare_servers = 3
 
 ; Redirect worker stdout and stderr into main error log. If not set, stdout and
 ; stderr will be redirected to /dev/null according to FastCGI specs.
-; Note: on highloaded environement, this can cause some delay in the page
+; Note: on highloaded environment, this can cause some delay in the page
 ; process time (several ms).
 ; Default Value: no
 ;catch_workers_output = yes

vars/Ubuntu.yml

@@ -1,10 +0,0 @@
----
-
-# sshd service name is `ssh` on Debian/Ubuntu, but it's
-# `sshd` on CentOS
-sshd_service_name: ssh
-
-# provisioning user vars
-provisioning_user: { name: 'provisioning', home: '/home/provisioning' }
-
-# vim: set ts=2 sw=2:

web.yml

@@ -9,7 +9,7 @@
     - { role: mariadb, when: mariadb_databases is defined}
     - { role: nginx, when: webserver is defined and webserver == 'nginx' }
     - { role: caddy, when: webserver is defined and webserver == 'caddy' }
-    - php-fpm
+    - php_fpm
     - munin
   vars_files:
     - vars/ipsets.yml