roles/common: adjust handlers

Should start with an upper case letter.

roles/common/handlers/main.yml

@@ -1,19 +1,19 @@
 ---
 # ansible.builtin.file: roles/common/handlers/main.yml
 
-- name: reload sshd
+- name: Reload sshd
   ansible.builtin.systemd:
     name: "{{ sshd_service_name }}"
     state: reloaded
 
-- name: reload sysctl
+- name: Reload sysctl
   ansible.builtin.command: sysctl -p /etc/sysctl.conf
 
-- name: reload systemd
+- name: Reload systemd
   ansible.builtin.systemd:
     daemon_reload: true
 
-- name: restart nftables
+- name: Restart nftables
   ansible.builtin.systemd:
     name: nftables
     state: restarted
@@ -21,7 +21,7 @@
 # 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed
 # in the order they are defined, not in the order they are listed in the task's
 # notify statement and we must restart fail2ban after updating the firewall.
-- name: restart fail2ban
+- name: Restart fail2ban
   ansible.builtin.systemd:
     name: fail2ban
     state: restarted

roles/common/tasks/fail2ban.yml

@@ -14,7 +14,7 @@
     dest: /etc/fail2ban/jail.d/sshd.local
     owner: root
     mode: "0644"
-  notify: restart fail2ban
+  notify: Restart fail2ban
 
 - name: Configure fail2ban nginx filter
   when:
@@ -26,7 +26,7 @@
     dest: /etc/fail2ban/jail.d/nginx.local
     owner: root
     mode: "0644"
-  notify: restart fail2ban
+  notify: Restart fail2ban
 
 - name: Create fail2ban service override directory
   ansible.builtin.file:
@@ -43,8 +43,8 @@
     owner: root
     mode: "0644"
   notify:
-    - reload systemd
-    - restart fail2ban
+    - Reload systemd
+    - Restart fail2ban
 
 - name: Start and enable fail2ban service
   ansible.builtin.systemd:

roles/common/tasks/firewall.yml

@@ -4,10 +4,7 @@
 - name: Install Debian firewall packages
   when: ansible_distribution_major_version is version('11', '>=')
   ansible.builtin.package:
-    name:
-      - libnet-ip-perl # for aggregate-cidr-addresses.pl
-      - nftables
-      - curl # for nftables update scripts
+    name: nftables
     state: present
     cache_valid_time: 3600
 
@@ -18,11 +15,11 @@
     state: absent
 
 - name: Configure nftables
-  ansible.builtin.include_tasks: nftables.yml
   when: ansible_distribution_version is version('11', '>=')
+  ansible.builtin.include_tasks: nftables.yml
 
-- ansible.builtin.include_tasks: fail2ban.yml
-  when:
-    - ansible_distribution_major_version is version('9', '>=')
+- name: Configure fail2ban
+  when: ansible_distribution_major_version is version('9', '>=')
+  ansible.builtin.include_tasks: fail2ban.yml
 
 # vim: set sw=2 ts=2:

roles/common/tasks/main.yml

@@ -29,7 +29,7 @@
     group: root
     mode: "0644"
   notify:
-    - reload sysctl
+    - Reload sysctl
   tags: sysctl
 
 - name: Set I/O scheduler

roles/common/tasks/nftables.yml

@@ -8,8 +8,8 @@
     owner: root
     mode: "0644"
   notify:
-    - restart nftables
-    - restart fail2ban
+    - Restart nftables
+    - Restart fail2ban
 
 - name: Create /etc/nftables extra config directory
   ansible.builtin.file:
@@ -29,8 +29,8 @@
   loop:
     - { src: firehol_level1-ipv4.nft, force: false }
   notify:
-    - restart nftables
-    - restart fail2ban
+    - Restart nftables
+    - Restart fail2ban
 
 - name: Copy nftables update scripts
   ansible.builtin.template:
@@ -58,8 +58,8 @@
     - /etc/systemd/system/update-spamhaus-nftables.timer
     - /usr/local/bin/aggregate-cidr-addresses.pl
   notify:
-    - restart nftables
-    - restart fail2ban
+    - Restart nftables
+    - Restart fail2ban
 
 - name: Copy nftables systemd units
   ansible.builtin.copy:

roles/common/tasks/sshd.yml

@@ -7,7 +7,7 @@
     owner: root
     group: root
     mode: "0600"
-  notify: reload sshd
+  notify: Reload sshd
 
 # See: WeakDH (2015): https://weakdh.org/sysadmin.html
 - name: Remove small Diffie-Hellman SSH moduli
@@ -33,7 +33,7 @@
         cmd: mv moduli.safe moduli
         chdir: /etc/ssh
       register: replace_small_moduli
-      notify: reload sshd
+      notify: Reload sshd
 
 - name: Remove DSA and ECDSA host keys
   ansible.builtin.file:
@@ -44,6 +44,6 @@
     - ssh_host_dsa_key.pub
     - ssh_host_ecdsa_key
     - ssh_host_ecdsa_key.pub
-  notify: reload sshd
+  notify: Reload sshd
 
 # vim: set sw=2 ts=2:

roles/nginx/handlers/main.yml

@@ -1,5 +1,7 @@
 ---
-- name: reload nginx
-  ansible.builtin.systemd: name=nginx state=reloaded
+- name: Reload nginx
+  ansible.builtin.systemd:
+    name: nginx
+    state: reloaded
 
 # vim: set ts=2 sw=2:

roles/nginx/tasks/letsencrypt.yml

@@ -1,7 +1,12 @@
 ---
 # Use acme.sh instead of certbot because they only support installation via
 # snap now.
-- block:
+- name: Install and configure Let's Encrypt
+  tags: letsencrypt
+  when:
+    - ansible_distribution == 'Debian'
+    - ansible_distribution_version is version('11', '>='))
+  block:
     - name: Remove certbot
       ansible.builtin.apt:
         name: certbot
@@ -83,9 +88,4 @@
         enabled: true
         daemon_reload: true
 
-  when:
-    - ansible_distribution == 'Debian'
-    - ansible_distribution_version is version('11', '>='))
-  tags: letsencrypt
-
 # vim: set ts=2 sw=2:

roles/nginx/tasks/main.yml

@@ -54,7 +54,7 @@
     owner: root
     group: root
   notify:
-    - reload nginx
+    - Reload nginx
   tags: nginx
 
 - name: Copy extra nginx configs
@@ -68,7 +68,7 @@
     - extra-security.conf
     - fastcgi_cache
   notify:
-    - reload nginx
+    - Reload nginx
   tags: nginx
 
 - name: Remove default nginx vhost
@@ -104,7 +104,7 @@
     owner: root
     group: root
   notify:
-    - reload nginx
+    - Reload nginx
   tags: nginx
 
 - name: Configure munin vhost
@@ -115,7 +115,7 @@
     owner: root
     group: root
   notify:
-    - reload nginx
+    - Reload nginx
   tags: nginx
 
 - name: Start and enable nginx service

roles/nginx/tasks/vhosts.yml

@@ -1,5 +1,7 @@
 ---
-- block:
+- name: Configure https vhosts
+  tags: nginx
+  block:
     - name: Configure https vhosts
       ansible.builtin.template:
         src: vhost.conf.j2
@@ -9,13 +11,13 @@
         group: root
       loop: "{{ nginx_vhosts }}"
       notify:
-        - reload nginx
+        - Reload nginx
 
     - name: Generate self-signed TLS cert
       ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key
         -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
       notify:
-        - reload nginx
+        - Reload nginx
 
     - name: Download 4096-bit RFC 7919 dhparams
       ansible.builtin.get_url:
@@ -23,7 +25,7 @@
         checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3
         dest: "{{ nginx_ssl_dhparam }}"
       notify:
-        - reload nginx
+        - Reload nginx
 
     # TODO: this could break because we can override the document root in host vars
     - name: Create vhost document roots
@@ -34,6 +36,5 @@
         owner: nginx
         group: nginx
       loop: "{{ nginx_vhosts }}"
-  tags: nginx
 
 # vim: set ts=2 sw=2:

roles/nginx/tasks/wordpress.yml

@@ -1,5 +1,7 @@
 ---
-- block:
+- name: Install and configure WordPress
+  tags: wordpress
+  block:
     - name: Install WordPress
       when:
         - item.has_wordpress is defined
@@ -23,6 +25,5 @@
         group: nginx
         recurse: true
       loop: "{{ nginx_vhosts }}"
-  tags: wordpress
 
 # vim: set ts=2 sw=2:

roles/php_fpm/handlers/main.yml

@@ -1,6 +1,6 @@
 ---
 # For Debian 12
-- name: reload php8.2-fpm
+- name: Reload php8.2-fpm
   ansible.builtin.systemd:
     name: php8.2-fpm
     state: reloaded

roles/php_fpm/tasks/Debian_12.yml

@@ -1,5 +1,8 @@
 ---
-- block:
+- name: Install and configure php-fpm
+  tags: php-fpm
+  when: install_php
+  block:
     - name: Set php-fpm packages
       ansible.builtin.set_fact:
         php_fpm_packages:
@@ -26,13 +29,13 @@
         mode: "0644"
       loop: "{{ nginx_vhosts }}"
       when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
-      notify: reload php8.2-fpm
+      notify: Reload php8.2-fpm
 
     - name: Remove default www pool
       ansible.builtin.file:
         path: /etc/php/8.2/fpm/pool.d/www.conf
         state: absent
-      notify: reload php8.2-fpm
+      notify: Reload php8.2-fpm
 
     # re-configure php.ini
     - name: Update php.ini
@@ -42,9 +45,6 @@
         owner: root
         group: root
         mode: "0644"
-      notify: reload php8.2-fpm
-
-  tags: php-fpm
-  when: install_php
+      notify: Reload php8.2-fpm
 
 # vim: set ts=2 sw=2:

web.yml

@@ -9,7 +9,7 @@
     - { role: mariadb, when: mariadb_databases is defined}
     - { role: nginx, when: webserver is defined and webserver == 'nginx' }
     - { role: caddy, when: webserver is defined and webserver == 'caddy' }
-    - php-fpm
+    - php_fpm
     - munin
   vars_files:
     - vars/ipsets.yml