roles/common: minor configuration of Debian 13 SSH

Tweak some of the new OpenSSH per-source penalty settings on Debian 13. For now only adjusting the source network masks and reusing the list of IPs to exempt from fail2ban. These being built in makes them easier to use, but I think I will end up sticking with fail2ban for the heavy lifting because it per- sists across restarts of the daemon, whereas OpenSSH's doesn't. I will monitor OpenSSH on Debian 13 to see how to best use it along side fail2ban.
roles/common: use 127.0.0.0/8 for fail2ban ignoreip
2025-09-23 10:33:24 +03:00 · 2025-09-23 10:33:23 +03:00 · 2025-09-23 10:33:23 +03:00 · 2025-09-23 10:33:11 +03:00 · 2025-09-21 23:09:40 +03:00 · 2025-09-21 22:20:31 +03:00
33 changed files with 157 additions and 100 deletions
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -13,12 +13,6 @@ interpreter_python=auto
 # See: https://docs.ansible.com/ansible/latest/user_guide/connection_details.html#managing-host-key-checking
 host_key_checking = False

-ansible_managed = This file is managed by Ansible.%n
-  template: {file}
-  date: %Y-%m-%d %H:%M:%S
-  user: {uid}
-  host: {host}
-
 [privilege_escalation]
 # instead of using -K
 become_ask_pass=True
--- a/group_vars/all
+++ b/group_vars/all
@@ -3,4 +3,12 @@

 tls_cipher_suite: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"

+ansible_managed: |-
+  This file is managed by Ansible.
+
+  {{ 'template: ' + template_path }}
+  {{ 'date: ' + (template_mtime | string) }}
+  {{ 'user: ' + template_uid }}
+  {{ 'host: ' + template_host }}
+
 # vim: set ts=2 sw=2:
--- a/roles/caddy/handlers/main.yml
+++ b/roles/caddy/handlers/main.yml
@@ -3,7 +3,7 @@

 # I'm currently not sure when we need to restart versus reload
 - name: reload caddy
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
    name: caddy
    state: reloaded

--- a/roles/caddy/templates/etc/caddy/conf.d/vhost.j2
+++ b/roles/caddy/templates/etc/caddy/conf.d/vhost.j2
@@ -36,7 +36,7 @@
    {% elif has_wordpress -%}
    root * {{ document_root }}
    encode
-    {%   if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('12', '==') -%}
+    {%   if ansible_distribution_major_version is version('12', '==') -%}
    php_fastcgi unix//run/php/php8.2-fpm-{{ domain_name }}.sock
    {%   endif -%}
    file_server
--- a/roles/common/defaults/main.yml
+++ b/roles/common/defaults/main.yml
@@ -8,7 +8,7 @@ fail2ban_maxretry: 6
 fail2ban_findtime: 3600
 # 2 weeks in seconds
 fail2ban_bantime: 1209600
-fail2ban_ignoreip: 127.0.0.1/8
+fail2ban_ignoreip: 127.0.0.0/8

 # Disable SSH passwords. Must use SSH keys. This is OK because we add the keys
 # before re-configuring the SSH daemon to disable passwords.
--- a/roles/common/files/etc/sudoers.d/provisioning
+++ b/roles/common/files/etc/sudoers.d/provisioning
@@ -1 +0,0 @@
-provisioning   ALL=(ALL)  ALL
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -1,27 +1,27 @@
 ---
 # ansible.builtin.file: roles/common/handlers/main.yml

- name: reload sshd
-  ansible.builtin.systemd:
+- name: Reload sshd
+  ansible.builtin.systemd_service:
    name: "{{ sshd_service_name }}"
    state: reloaded

- name: reload sysctl
+- name: Reload sysctl
  ansible.builtin.command: sysctl -p /etc/sysctl.conf

- name: reload systemd
-  ansible.builtin.systemd:
+- name: Reload systemd
+  ansible.builtin.systemd_service:
    daemon_reload: true

- name: restart nftables
-  ansible.builtin.systemd:
+- name: Restart nftables
+  ansible.builtin.systemd_service:
    name: nftables
    state: restarted

 # 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed
 # in the order they are defined, not in the order they are listed in the task's
 # notify statement and we must restart fail2ban after updating the firewall.
- name: restart fail2ban
-  ansible.builtin.systemd:
+- name: Restart fail2ban
+  ansible.builtin.systemd_service:
    name: fail2ban
    state: restarted
--- a/roles/common/tasks/fail2ban.yml
+++ b/roles/common/tasks/fail2ban.yml
@@ -1,7 +1,7 @@
 ---
 - name: Install fail2ban
-  when: ansible_distribution_major_version is version('11', '>=')
-  ansible.builtin.package:
+  when: ansible_distribution_version is version('11', '>=')
+  ansible.builtin.apt:
    name:
      - fail2ban
      - python3-systemd
@@ -14,7 +14,7 @@
    dest: /etc/fail2ban/jail.d/sshd.local
    owner: root
    mode: "0644"
-  notify: restart fail2ban
+  notify: Restart fail2ban

 - name: Configure fail2ban nginx filter
  when:
@@ -26,7 +26,7 @@
    dest: /etc/fail2ban/jail.d/nginx.local
    owner: root
    mode: "0644"
-  notify: restart fail2ban
+  notify: Restart fail2ban

 - name: Create fail2ban service override directory
  ansible.builtin.file:
@@ -43,11 +43,11 @@
    owner: root
    mode: "0644"
  notify:
-    - reload systemd
-    - restart fail2ban
+    - Reload systemd
+    - Restart fail2ban

 - name: Start and enable fail2ban service
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
    name: fail2ban
    state: started
    enabled: true
--- a/roles/common/tasks/firewall.yml
+++ b/roles/common/tasks/firewall.yml
@@ -2,27 +2,24 @@
 # Debian 11+ will use nftables directly, with no firewalld.

 - name: Install Debian firewall packages
-  when: ansible_distribution_major_version is version('11', '>=')
-  ansible.builtin.package:
-    name:
-      - libnet-ip-perl # for aggregate-cidr-addresses.pl
-      - nftables
-      - curl # for nftables update scripts
+  when: ansible_distribution_version is version('11', '>=')
+  ansible.builtin.apt:
+    name: nftables
    state: present
    cache_valid_time: 3600

 - name: Remove iptables on newer Debian
-  when: ansible_distribution_major_version is version('11', '>=')
+  when: ansible_distribution_version is version('11', '>=')
  ansible.builtin.apt:
    pkg: iptables
    state: absent

 - name: Configure nftables
-  ansible.builtin.include_tasks: nftables.yml
  when: ansible_distribution_version is version('11', '>=')
+  ansible.builtin.include_tasks: nftables.yml

- ansible.builtin.include_tasks: fail2ban.yml
-  when:
-    - ansible_distribution_major_version is version('9', '>=')
+- name: Configure fail2ban
+  when: ansible_distribution_version is version('9', '>=')
+  ansible.builtin.include_tasks: fail2ban.yml

 # vim: set sw=2 ts=2:
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -29,7 +29,7 @@
    group: root
    mode: "0644"
  notify:
-    - reload sysctl
+    - Reload sysctl
  tags: sysctl

 - name: Set I/O scheduler
--- a/roles/common/tasks/nftables.yml
+++ b/roles/common/tasks/nftables.yml
@@ -8,8 +8,8 @@
    owner: root
    mode: "0644"
  notify:
-    - restart nftables
-    - restart fail2ban
+    - Restart nftables
+    - Restart fail2ban

 - name: Create /etc/nftables extra config directory
  ansible.builtin.file:
@@ -29,8 +29,8 @@
  loop:
    - { src: firehol_level1-ipv4.nft, force: false }
  notify:
-    - restart nftables
-    - restart fail2ban
+    - Restart nftables
+    - Restart fail2ban

 - name: Copy nftables update scripts
  ansible.builtin.template:
@@ -58,8 +58,8 @@
    - /etc/systemd/system/update-spamhaus-nftables.timer
    - /usr/local/bin/aggregate-cidr-addresses.pl
  notify:
-    - restart nftables
-    - restart fail2ban
+    - Restart nftables
+    - Restart fail2ban

 - name: Copy nftables systemd units
  ansible.builtin.copy:
@@ -75,12 +75,12 @@

 # need to reload to pick up service/timer/environment changes
 - name: Reload systemd daemon
-  ansible.builtin.systemd: # noqa no-handler
-    daemon_reload: true
  when: nftables_systemd_units is changed
+  ansible.builtin.systemd_service: # noqa no-handler
+    daemon_reload: true

 - name: Start and enable nftables update timers
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
    name: "{{ item }}"
    state: started
    enabled: true
@@ -88,7 +88,7 @@
    - update-firehol-nftables.timer

 - name: Start and enable nftables
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
    name: nftables
    state: started
    enabled: true
--- a/roles/common/tasks/ntp.yml
+++ b/roles/common/tasks/ntp.yml
@@ -12,11 +12,9 @@

 # Apparently some cloud images don't have this installed by default. From what
 # I can see on existing servers, systemd-timesyncd is a standalone package on
-# Debian 11.
+# Debian 11 and Debian 12.
 - name: Install systemd-timesyncd
-  when:
-    - ansible_distribution == 'Debian'
-    - ansible_distribution_version is version('11', '>='))
+  when: ansible_distribution_version is version('11', '>=')
  ansible.builtin.apt:
    name: systemd-timesyncd
    state: present
@@ -24,13 +22,17 @@

 - name: Start and enable systemd's NTP client
  when: ansible_service_mgr == 'systemd'
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
    name: systemd-timesyncd
    state: started
    enabled: true

- name: Uninstall ntp on modern Debian
-  when: ansible_service_mgr == 'systemd'
+# On Debian 12 ntp doesn't conflict with systemd-timesyncd so we should try to
+# remove it to be sure.
+- name: Uninstall ntp on Debian 12
+  when:
+    - ansible_service_mgr == 'systemd'
+    - ansible_distribution_major_version is version('12', '==')
  ansible.builtin.apt:
    name: ntp
    state: absent
--- a/roles/common/tasks/packages.yml
+++ b/roles/common/tasks/packages.yml
@@ -48,8 +48,8 @@
        cache_valid_time: 3600

    - name: Remove cron-apt
-      ansible.builtin.import_tasks: cron-apt.yml
      tags: cron-apt
+      ansible.builtin.import_tasks: cron-apt.yml

    - name: Install tarsnap
      ansible.builtin.import_tasks: tarsnap.yml
--- a/roles/common/tasks/sshd.yml
+++ b/roles/common/tasks/sshd.yml
@@ -1,13 +1,26 @@
 ---
-# SSH configs don't change in Debian minor versions
+# Only override the system sshd configuration on older Debian.
 - name: Reconfigure /etc/ssh/sshd_config
+  when: ansible_distribution_version is version('12', '<=')
  ansible.builtin.template:
    src: "sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2"
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: "0600"
-  notify: reload sshd
+  notify: Reload sshd
+
+# Newer OpenSSH versions support including extra configuration. The includes
+# happen at the beginning of the file and the first value to be read is used.
+- name: Configure sshd_config.d overrides
+  when: ansible_distribution_version is version('13', '>=')
+  ansible.builtin.template:
+    src: etc/ssh/sshd_config.d/01-{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.conf.j2
+    dest: /etc/ssh/sshd_config.d/01-custom.conf
+    owner: root
+    group: root
+    mode: "0600"
+  notify: Reload sshd

 # See: WeakDH (2015): https://weakdh.org/sysadmin.html
 - name: Remove small Diffie-Hellman SSH moduli
@@ -33,7 +46,7 @@
        cmd: mv moduli.safe moduli
        chdir: /etc/ssh
      register: replace_small_moduli
-      notify: reload sshd
+      notify: Reload sshd

 - name: Remove DSA and ECDSA host keys
  ansible.builtin.file:
@@ -44,6 +57,6 @@
    - ssh_host_dsa_key.pub
    - ssh_host_ecdsa_key
    - ssh_host_ecdsa_key.pub
-  notify: reload sshd
+  notify: Reload sshd

 # vim: set sw=2 ts=2:
--- a/roles/common/tasks/tarsnap.yml
+++ b/roles/common/tasks/tarsnap.yml
@@ -5,6 +5,7 @@
  register: tarsnap_signing_key_stat

 - name: Download tarsnap apt signing key
+  when: not tarsnap_signing_key_stat.stat.exists
  ansible.builtin.get_url:
    url: https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc
    dest: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
@@ -12,9 +13,9 @@
    group: root
    mode: "0644"
  register: download_tarsnap_signing_key
-  when: not tarsnap_signing_key_stat.stat.exists

 - name: Add tarsnap.org repo
+  when: ansible_architecture != 'armv7l'
  ansible.builtin.template:
    src: tarsnap_sources.list.j2
    dest: /etc/apt/sources.list.d/tarsnap.list
@@ -22,12 +23,11 @@
    group: root
    mode: "0644"
  register: add_tarsnap_apt_repository
-  when: ansible_architecture != 'armv7l'

 - name: Update apt cache
+  when: (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or add_tarsnap_apt_repository is changed
  ansible.builtin.apt: # noqa no-handler
    update_cache: true
-  when: (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or add_tarsnap_apt_repository is changed

 - name: Install tarsnap
  ansible.builtin.apt:
--- a/roles/common/templates/etc/ssh/sshd_config.d/01-Debian-13.conf.j2
+++ b/roles/common/templates/etc/ssh/sshd_config.d/01-Debian-13.conf.j2
@@ -0,0 +1,40 @@
+{{ ansible_managed | comment }}
+
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear
+# audit track of which key was using to log in.
+LogLevel VERBOSE
+
+MaxAuthTries 4
+
+AuthorizedKeysFile	.ssh/authorized_keys
+
+# To disable tunneled clear text passwords, change to no here!
+{% if ssh_password_authentication == 'disabled' %}
+PasswordAuthentication no
+{% else %}
+PasswordAuthentication yes
+{% endif %}
+
+X11Forwarding no
+
+# Based on the ssh-audit profile for Debian 13, but with but with all algos with
+# less than 256 bits removed, as NSA's Suite B removed them years ago and the
+# new (2018) CNSA suite is 256 bits and up.
+#
+# See: ssh-audit.py -P "Hardened Debian 13 (version 1)"
+# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com
+
+{% if ssh_allowed_users is defined and ssh_allowed_users %}
+AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
+{% endif %}
+
+PerSourcePenaltyExemptList {{ fail2ban_ignoreip | replace(" ", ",") }}
+
+# Mask to use for IPv4 and IPv6 respectively when applying network penalties.
+# The default is 32:128.
+PerSourceNetBlockSize 24:56
--- a/roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
+++ b/roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
@@ -6,14 +6,14 @@ PartOf=nftables.service
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectHome=read-only
-{% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=') %}
+{% if ansible_distribution_version is version('11','>=') %}
 ProtectSystem=strict
 {% else %}
 {# Older systemd versions don't have ProtectSystem=strict #}
 ProtectSystem=full
 {% endif %}
 NoNewPrivileges=yes
-{% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=') %}
+{% if ansible_distribution_version is version('11','>=') %}
 ReadWritePaths=-/var/run/fail2ban
 ReadWritePaths=-/var/lib/fail2ban
 ReadWritePaths=-/var/log/fail2ban.log
--- a/roles/mariadb/handlers/main.yml
+++ b/roles/mariadb/handlers/main.yml
@@ -1,6 +1,6 @@
 ---
 - name: restart mariadb
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
    name: mariadb
    state: restarted

--- a/roles/munin/handlers/main.yml
+++ b/roles/munin/handlers/main.yml
@@ -1,4 +1,4 @@
 ---
 # ansible.builtin.file: roles/munin/handlers/main.yml
 - name: restart munin-node
-  ansible.builtin.systemd: name=munin-node state=restarted
+  ansible.builtin.systemd_service: name=munin-node state=restarted
--- a/roles/munin/tasks/munin-node.yml
+++ b/roles/munin/tasks/munin-node.yml
@@ -26,7 +26,7 @@
    - restart munin-node

 - name: Start munin-node
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
    name: munin-node
    state: started
    enabled: true
--- a/roles/nginx/handlers/main.yml
+++ b/roles/nginx/handlers/main.yml
@@ -1,5 +1,7 @@
 ---
- name: reload nginx
-  ansible.builtin.systemd: name=nginx state=reloaded
+- name: Reload nginx
+  ansible.builtin.systemd_service:
+    name: nginx
+    state: reloaded

 # vim: set ts=2 sw=2:
--- a/roles/nginx/tasks/letsencrypt.yml
+++ b/roles/nginx/tasks/letsencrypt.yml
@@ -1,7 +1,12 @@
 ---
 # Use acme.sh instead of certbot because they only support installation via
 # snap now.
- block:
+- name: Install and configure Let's Encrypt
+  tags: letsencrypt
+  when:
+    - ansible_distribution == 'Debian'
+    - ansible_distribution_version is version('11', '>='))
+  block:
    - name: Remove certbot
      ansible.builtin.apt:
        name: certbot
@@ -77,15 +82,10 @@

    # always issues daemon-reload just in case the service/timer changed
    - name: Start and enable systemd timer to renew Let's Encrypt certs
-      ansible.builtin.systemd:
+      ansible.builtin.systemd_service:
        name: renew-letsencrypt.timer
        state: started
        enabled: true
        daemon_reload: true

-  when:
-    - ansible_distribution == 'Debian'
-    - ansible_distribution_version is version('11', '>='))
-  tags: letsencrypt
-
 # vim: set ts=2 sw=2:
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -54,7 +54,7 @@
    owner: root
    group: root
  notify:
-    - reload nginx
+    - Reload nginx
  tags: nginx

 - name: Copy extra nginx configs
@@ -68,7 +68,7 @@
    - extra-security.conf
    - fastcgi_cache
  notify:
-    - reload nginx
+    - Reload nginx
  tags: nginx

 - name: Remove default nginx vhost
@@ -104,7 +104,7 @@
    owner: root
    group: root
  notify:
-    - reload nginx
+    - Reload nginx
  tags: nginx

 - name: Configure munin vhost
@@ -115,11 +115,11 @@
    owner: root
    group: root
  notify:
-    - reload nginx
+    - Reload nginx
  tags: nginx

 - name: Start and enable nginx service
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
    name: nginx
    state: started
    enabled: true
--- a/roles/nginx/tasks/vhosts.yml
+++ b/roles/nginx/tasks/vhosts.yml
@@ -1,5 +1,7 @@
 ---
- block:
+- name: Configure https vhosts
+  tags: nginx
+  block:
    - name: Configure https vhosts
      ansible.builtin.template:
        src: vhost.conf.j2
@@ -9,13 +11,13 @@
        group: root
      loop: "{{ nginx_vhosts }}"
      notify:
-        - reload nginx
+        - Reload nginx

    - name: Generate self-signed TLS cert
      ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key
        -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
      notify:
-        - reload nginx
+        - Reload nginx

    - name: Download 4096-bit RFC 7919 dhparams
      ansible.builtin.get_url:
@@ -23,7 +25,7 @@
        checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3
        dest: "{{ nginx_ssl_dhparam }}"
      notify:
-        - reload nginx
+        - Reload nginx

    # TODO: this could break because we can override the document root in host vars
    - name: Create vhost document roots
@@ -34,6 +36,5 @@
        owner: nginx
        group: nginx
      loop: "{{ nginx_vhosts }}"
-  tags: nginx

 # vim: set ts=2 sw=2:
--- a/roles/nginx/tasks/wordpress.yml
+++ b/roles/nginx/tasks/wordpress.yml
@@ -1,5 +1,7 @@
 ---
- block:
+- name: Install and configure WordPress
+  tags: wordpress
+  block:
    - name: Install WordPress
      when:
        - item.has_wordpress is defined
@@ -23,6 +25,5 @@
        group: nginx
        recurse: true
      loop: "{{ nginx_vhosts }}"
-  tags: wordpress

 # vim: set ts=2 sw=2:
--- a/roles/nginx/templates/vhost.conf.j2
+++ b/roles/nginx/templates/vhost.conf.j2
@@ -77,7 +77,7 @@ server {
        # See: https://httpoxy.org/
        fastcgi_param HTTP_PROXY "";

-        {% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('12', '==') %}
+        {% if ansible_distribution_major_version is version('12', '==') %}
        fastcgi_pass unix:/run/php/php8.2-fpm-{{ domain_name }}.sock;
        {% endif %}
        fastcgi_index index.php;
--- a/roles/php_fpm/defaults/main.yml
+++ b/roles/php_fpm/defaults/main.yml
--- a/roles/php_fpm/handlers/main.yml
+++ b/roles/php_fpm/handlers/main.yml
@@ -1,7 +1,7 @@
 ---
 # For Debian 12
- name: reload php8.2-fpm
-  ansible.builtin.systemd:
+- name: Reload php8.2-fpm
+  ansible.builtin.systemd_service:
    name: php8.2-fpm
    state: reloaded

--- a/roles/php_fpm/tasks/Debian_12.yml
+++ b/roles/php_fpm/tasks/Debian_12.yml
@@ -1,5 +1,8 @@
 ---
- block:
+- name: Install and configure php-fpm
+  tags: php-fpm
+  when: install_php
+  block:
    - name: Set php-fpm packages
      ansible.builtin.set_fact:
        php_fpm_packages:
@@ -26,13 +29,13 @@
        mode: "0644"
      loop: "{{ nginx_vhosts }}"
      when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
-      notify: reload php8.2-fpm
+      notify: Reload php8.2-fpm

    - name: Remove default www pool
      ansible.builtin.file:
        path: /etc/php/8.2/fpm/pool.d/www.conf
        state: absent
-      notify: reload php8.2-fpm
+      notify: Reload php8.2-fpm

    # re-configure php.ini
    - name: Update php.ini
@@ -42,9 +45,6 @@
        owner: root
        group: root
        mode: "0644"
-      notify: reload php8.2-fpm
-
-  tags: php-fpm
-  when: install_php
+      notify: Reload php8.2-fpm

 # vim: set ts=2 sw=2:
--- a/roles/php_fpm/tasks/main.yml
+++ b/roles/php_fpm/tasks/main.yml
--- a/roles/php_fpm/templates/php8.2-php.ini.j2
+++ b/roles/php_fpm/templates/php8.2-php.ini.j2
--- a/roles/php_fpm/templates/php8.2-pool.conf.j2
+++ b/roles/php_fpm/templates/php8.2-pool.conf.j2
--- a/web.yml
+++ b/web.yml
@@ -9,7 +9,7 @@
    - { role: mariadb, when: mariadb_databases is defined}
    - { role: nginx, when: webserver is defined and webserver == 'nginx' }
    - { role: caddy, when: webserver is defined and webserver == 'caddy' }
-    - php-fpm
+    - php_fpm
    - munin
  vars_files:
    - vars/ipsets.yml
Author	SHA1	Message	Date
Alan Orth	d51f8fefaa	roles/common: minor configuration of Debian 13 SSH Tweak some of the new OpenSSH per-source penalty settings on Debian 13. For now only adjusting the source network masks and reusing the list of IPs to exempt from fail2ban. These being built in makes them easier to use, but I think I will end up sticking with fail2ban for the heavy lifting because it per- sists across restarts of the daemon, whereas OpenSSH's doesn't. I will monitor OpenSSH on Debian 13 to see how to best use it along side fail2ban.	2025-09-23 10:33:24 +03:00
Alan Orth	9ff6e19135	roles/common: use 127.0.0.0/8 for fail2ban ignoreip We can re-use our fail2ban ignoreip setting for Debian 13's OpenSSH PerSourcePenaltyExemptList, but OpenSSH is more strict with regards to masks not being applied to the host portion. I had never noticed that fail2ban's default was applying the mask on the host portion!	2025-09-23 10:33:23 +03:00
Alan Orth	4680999680	roles/common: sshd overrides for Debian 13	2025-09-23 10:33:23 +03:00
Alan Orth	602734acce	roles: update ansible.builtin.systemd builtin Use ansible.builtin.systemd_service instead.	2025-09-23 10:33:11 +03:00
Alan Orth	0db7911b70	roles/common: remove sudoers.d We are not using this.	2025-09-21 23:09:40 +03:00
Alan Orth	ee4c62e5f9	roles: remove tests for Debian We only run on Debian now.	2025-09-21 22:20:31 +03:00
Alan Orth	a315db8a7c	roles/common: use ansible_distribution_version In most cases it is enough to use the full version (ie 12.12) since we use Ansible's version comparison function. We rarely need to use the major version (ie 12) directly.	2025-09-21 22:19:00 +03:00
Alan Orth	5f00892df3	roles/common: adjust when in tasks	2025-09-21 22:04:25 +03:00
Alan Orth	9357265d27	roles/common: use ansible.builtin.apt module	2025-09-21 22:00:39 +03:00
Alan Orth	dd62266340	roles/common: update comment in ntp task	2025-09-21 21:58:11 +03:00
Alan Orth	a1bec20824	roles/common: simplify when logic in ntp task	2025-09-21 21:57:34 +03:00
Alan Orth	8e91c44529	roles/common: fix syntax error in npt when	2025-09-21 21:56:15 +03:00
Alan Orth	02d4135c79	roles/common: adjust ntp task On Debian 12 we need to explicitly remove ntp because it does not conflict with other time daemons.	2025-09-21 21:55:09 +03:00
Alan Orth	37e148d009	Re-work ansible_managed This is no longer a configuration setting. Now we must set it like any other template variabled.	2025-09-21 21:15:12 +03:00
Alan Orth	73dbbd23b6	roles/common: adjust handlers Should start with an upper case letter.	2025-09-21 20:22:58 +03:00
Alan Orth	b84283aa38	roles/common: remove unneeded firewall packages We don't need curl or libnet-ip-perl anymore.	2025-09-21 20:15:11 +03:00
Alan Orth	1695fdf8d1	roles/common: syntax in firewall play	2025-09-21 20:11:46 +03:00
Alan Orth	9f1f7b1c69	roles/nginx: more syntax fixes to tasks	2025-09-21 20:08:51 +03:00
Alan Orth	7d725f2084	roles/nginx: adjust task syntax Tasks should start with an upper case letter and we should not use free form syntax anymore.	2025-09-21 20:04:53 +03:00
Alan Orth	4c39b0d48c	roles/php_fpm: adjust task syntax All tasks need names, and we can use name, tags, when, block order for task keys. Suggested by ansible-lint.	2025-09-21 20:02:46 +03:00
Alan Orth	f4023d0b20	roles/php_fpm: rename handler Suggested by ansible-lint.	2025-09-21 19:59:23 +03:00
Alan Orth	6aaface4a2	Rename roles/php-fpm to roles/php_fpm Suggested by ansible-lint.	2025-09-21 19:56:20 +03:00