roles/common: Add firewall task for Alpine

roles/common: Add TODO about tarsnap on Alpine
roles/common: Add Alpine packages
2021-02-13 12:18:58 +02:00 · 2021-02-13 12:18:58 +02:00 · 2021-02-13 12:18:58 +02:00 · 2021-02-13 12:18:58 +02:00 · 2021-02-13 12:18:58 +02:00
24 changed files with 7748 additions and 7593 deletions
--- a/Pipfile.lock
+++ b/Pipfile.lock
@ -18,125 +18,145 @@
    "default": {
        "ansible": {
            "hashes": [
-                "sha256:ca34e2c0c3f92cad5e528c94c133e620845feb11cc62f42e98d28271fe5bd924"
+                "sha256:ae97002e4fb1ed3de947428ff43906c76c66751fe104721cf6b25fa115dbbe8d"
            ],
            "index": "pypi",
-            "version": "==3.4.0"
+            "version": "==2.10.6"
        },
        "ansible-base": {
            "hashes": [
-                "sha256:04635d3e08fc29358c76b8e7f1e9db0ce443fb09ce30b2acc6cacaad165f2151"
+                "sha256:33ae323923b841f3d822f355380ce7c92610440362efeed67b4b39db41e555af"
            ],
            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
-            "version": "==2.10.9"
+            "version": "==2.10.5"
        },
        "cffi": {
            "hashes": [
-                "sha256:005a36f41773e148deac64b08f233873a4d0c18b053d37da83f6af4d9087b813",
-                "sha256:0857f0ae312d855239a55c81ef453ee8fd24136eaba8e87a2eceba644c0d4c06",
-                "sha256:1071534bbbf8cbb31b498d5d9db0f274f2f7a865adca4ae429e147ba40f73dea",
-                "sha256:158d0d15119b4b7ff6b926536763dc0714313aa59e320ddf787502c70c4d4bee",
-                "sha256:1f436816fc868b098b0d63b8920de7d208c90a67212546d02f84fe78a9c26396",
-                "sha256:2894f2df484ff56d717bead0a5c2abb6b9d2bf26d6960c4604d5c48bbc30ee73",
-                "sha256:29314480e958fd8aab22e4a58b355b629c59bf5f2ac2492b61e3dc06d8c7a315",
-                "sha256:34eff4b97f3d982fb93e2831e6750127d1355a923ebaeeb565407b3d2f8d41a1",
-                "sha256:35f27e6eb43380fa080dccf676dece30bef72e4a67617ffda586641cd4508d49",
-                "sha256:3d3dd4c9e559eb172ecf00a2a7517e97d1e96de2a5e610bd9b68cea3925b4892",
-                "sha256:43e0b9d9e2c9e5d152946b9c5fe062c151614b262fda2e7b201204de0b99e482",
-                "sha256:48e1c69bbacfc3d932221851b39d49e81567a4d4aac3b21258d9c24578280058",
-                "sha256:51182f8927c5af975fece87b1b369f722c570fe169f9880764b1ee3bca8347b5",
-                "sha256:58e3f59d583d413809d60779492342801d6e82fefb89c86a38e040c16883be53",
-                "sha256:5de7970188bb46b7bf9858eb6890aad302577a5f6f75091fd7cdd3ef13ef3045",
-                "sha256:65fa59693c62cf06e45ddbb822165394a288edce9e276647f0046e1ec26920f3",
-                "sha256:69e395c24fc60aad6bb4fa7e583698ea6cc684648e1ffb7fe85e3c1ca131a7d5",
-                "sha256:6c97d7350133666fbb5cf4abdc1178c812cb205dc6f41d174a7b0f18fb93337e",
-                "sha256:6e4714cc64f474e4d6e37cfff31a814b509a35cb17de4fb1999907575684479c",
-                "sha256:72d8d3ef52c208ee1c7b2e341f7d71c6fd3157138abf1a95166e6165dd5d4369",
-                "sha256:8ae6299f6c68de06f136f1f9e69458eae58f1dacf10af5c17353eae03aa0d827",
-                "sha256:8b198cec6c72df5289c05b05b8b0969819783f9418e0409865dac47288d2a053",
-                "sha256:99cd03ae7988a93dd00bcd9d0b75e1f6c426063d6f03d2f90b89e29b25b82dfa",
-                "sha256:9cf8022fb8d07a97c178b02327b284521c7708d7c71a9c9c355c178ac4bbd3d4",
-                "sha256:9de2e279153a443c656f2defd67769e6d1e4163952b3c622dcea5b08a6405322",
-                "sha256:9e93e79c2551ff263400e1e4be085a1210e12073a31c2011dbbda14bda0c6132",
-                "sha256:9ff227395193126d82e60319a673a037d5de84633f11279e336f9c0f189ecc62",
-                "sha256:a465da611f6fa124963b91bf432d960a555563efe4ed1cc403ba5077b15370aa",
-                "sha256:ad17025d226ee5beec591b52800c11680fca3df50b8b29fe51d882576e039ee0",
-                "sha256:afb29c1ba2e5a3736f1c301d9d0abe3ec8b86957d04ddfa9d7a6a42b9367e396",
-                "sha256:b85eb46a81787c50650f2392b9b4ef23e1f126313b9e0e9013b35c15e4288e2e",
-                "sha256:bb89f306e5da99f4d922728ddcd6f7fcebb3241fc40edebcb7284d7514741991",
-                "sha256:cbde590d4faaa07c72bf979734738f328d239913ba3e043b1e98fe9a39f8b2b6",
-                "sha256:cd2868886d547469123fadc46eac7ea5253ea7fcb139f12e1dfc2bbd406427d1",
-                "sha256:d42b11d692e11b6634f7613ad8df5d6d5f8875f5d48939520d351007b3c13406",
-                "sha256:f2d45f97ab6bb54753eab54fffe75aaf3de4ff2341c9daee1987ee1837636f1d",
-                "sha256:fd78e5fee591709f32ef6edb9a015b4aa1a5022598e36227500c8f4e02328d9c"
+                "sha256:00a1ba5e2e95684448de9b89888ccd02c98d512064b4cb987d48f4b40aa0421e",
+                "sha256:00e28066507bfc3fe865a31f325c8391a1ac2916219340f87dfad602c3e48e5d",
+                "sha256:045d792900a75e8b1e1b0ab6787dd733a8190ffcf80e8c8ceb2fb10a29ff238a",
+                "sha256:0638c3ae1a0edfb77c6765d487fee624d2b1ee1bdfeffc1f0b58c64d149e7eec",
+                "sha256:105abaf8a6075dc96c1fe5ae7aae073f4696f2905fde6aeada4c9d2926752362",
+                "sha256:155136b51fd733fa94e1c2ea5211dcd4c8879869008fc811648f16541bf99668",
+                "sha256:1a465cbe98a7fd391d47dce4b8f7e5b921e6cd805ef421d04f5f66ba8f06086c",
+                "sha256:1d2c4994f515e5b485fd6d3a73d05526aa0fcf248eb135996b088d25dfa1865b",
+                "sha256:2c24d61263f511551f740d1a065eb0212db1dbbbbd241db758f5244281590c06",
+                "sha256:51a8b381b16ddd370178a65360ebe15fbc1c71cf6f584613a7ea08bfad946698",
+                "sha256:594234691ac0e9b770aee9fcdb8fa02c22e43e5c619456efd0d6c2bf276f3eb2",
+                "sha256:5cf4be6c304ad0b6602f5c4e90e2f59b47653ac1ed9c662ed379fe48a8f26b0c",
+                "sha256:64081b3f8f6f3c3de6191ec89d7dc6c86a8a43911f7ecb422c60e90c70be41c7",
+                "sha256:6bc25fc545a6b3d57b5f8618e59fc13d3a3a68431e8ca5fd4c13241cd70d0009",
+                "sha256:798caa2a2384b1cbe8a2a139d80734c9db54f9cc155c99d7cc92441a23871c03",
+                "sha256:7c6b1dece89874d9541fc974917b631406233ea0440d0bdfbb8e03bf39a49b3b",
+                "sha256:7ef7d4ced6b325e92eb4d3502946c78c5367bc416398d387b39591532536734e",
+                "sha256:840793c68105fe031f34d6a086eaea153a0cd5c491cde82a74b420edd0a2b909",
+                "sha256:8d6603078baf4e11edc4168a514c5ce5b3ba6e3e9c374298cb88437957960a53",
+                "sha256:9cc46bc107224ff5b6d04369e7c595acb700c3613ad7bcf2e2012f62ece80c35",
+                "sha256:9f7a31251289b2ab6d4012f6e83e58bc3b96bd151f5b5262467f4bb6b34a7c26",
+                "sha256:9ffb888f19d54a4d4dfd4b3f29bc2c16aa4972f1c2ab9c4ab09b8ab8685b9c2b",
+                "sha256:a5ed8c05548b54b998b9498753fb9cadbfd92ee88e884641377d8a8b291bcc01",
+                "sha256:a7711edca4dcef1a75257b50a2fbfe92a65187c47dab5a0f1b9b332c5919a3fb",
+                "sha256:af5c59122a011049aad5dd87424b8e65a80e4a6477419c0c1015f73fb5ea0293",
+                "sha256:b18e0a9ef57d2b41f5c68beefa32317d286c3d6ac0484efd10d6e07491bb95dd",
+                "sha256:b4e248d1087abf9f4c10f3c398896c87ce82a9856494a7155823eb45a892395d",
+                "sha256:ba4e9e0ae13fc41c6b23299545e5ef73055213e466bd107953e4a013a5ddd7e3",
+                "sha256:c6332685306b6417a91b1ff9fae889b3ba65c2292d64bd9245c093b1b284809d",
+                "sha256:d5ff0621c88ce83a28a10d2ce719b2ee85635e85c515f12bac99a95306da4b2e",
+                "sha256:d9efd8b7a3ef378dd61a1e77367f1924375befc2eba06168b6ebfa903a5e59ca",
+                "sha256:df5169c4396adc04f9b0a05f13c074df878b6052430e03f50e68adf3a57aa28d",
+                "sha256:ebb253464a5d0482b191274f1c8bf00e33f7e0b9c66405fbffc61ed2c839c775",
+                "sha256:ec80dc47f54e6e9a78181ce05feb71a0353854cc26999db963695f950b5fb375",
+                "sha256:f032b34669220030f905152045dfa27741ce1a6db3324a5bc0b96b6c7420c87b",
+                "sha256:f60567825f791c6f8a592f3c6e3bd93dd2934e3f9dac189308426bd76b00ef3b",
+                "sha256:f803eaa94c2fcda012c047e62bc7a51b0bdabda1cad7a92a522694ea2d76e49f"
            ],
-            "version": "==1.14.5"
+            "version": "==1.14.4"
        },
        "cryptography": {
            "hashes": [
-                "sha256:0f1212a66329c80d68aeeb39b8a16d54ef57071bf22ff4e521657b27372e327d",
-                "sha256:1e056c28420c072c5e3cb36e2b23ee55e260cb04eee08f702e0edfec3fb51959",
-                "sha256:240f5c21aef0b73f40bb9f78d2caff73186700bf1bc6b94285699aff98cc16c6",
-                "sha256:26965837447f9c82f1855e0bc8bc4fb910240b6e0d16a664bb722df3b5b06873",
-                "sha256:37340614f8a5d2fb9aeea67fd159bfe4f5f4ed535b1090ce8ec428b2f15a11f2",
-                "sha256:3d10de8116d25649631977cb37da6cbdd2d6fa0e0281d014a5b7d337255ca713",
-                "sha256:3d8427734c781ea5f1b41d6589c293089704d4759e34597dce91014ac125aad1",
-                "sha256:7ec5d3b029f5fa2b179325908b9cd93db28ab7b85bb6c1db56b10e0b54235177",
-                "sha256:8e56e16617872b0957d1c9742a3f94b43533447fd78321514abbe7db216aa250",
-                "sha256:de4e5f7f68220d92b7637fc99847475b59154b7a1b3868fb7385337af54ac9ca",
-                "sha256:eb8cc2afe8b05acbd84a43905832ec78e7b3873fb124ca190f574dca7389a87d",
-                "sha256:ee77aa129f481be46f8d92a1a7db57269a2f23052d5f2433b4621bb457081cc9"
+                "sha256:0003a52a123602e1acee177dc90dd201f9bb1e73f24a070db7d36c588e8f5c7d",
+                "sha256:0e85aaae861d0485eb5a79d33226dd6248d2a9f133b81532c8f5aae37de10ff7",
+                "sha256:594a1db4511bc4d960571536abe21b4e5c3003e8750ab8365fafce71c5d86901",
+                "sha256:69e836c9e5ff4373ce6d3ab311c1a2eed274793083858d3cd4c7d12ce20d5f9c",
+                "sha256:788a3c9942df5e4371c199d10383f44a105d67d401fb4304178020142f020244",
+                "sha256:7e177e4bea2de937a584b13645cab32f25e3d96fc0bc4a4cf99c27dc77682be6",
+                "sha256:83d9d2dfec70364a74f4e7c70ad04d3ca2e6a08b703606993407bf46b97868c5",
+                "sha256:84ef7a0c10c24a7773163f917f1cb6b4444597efd505a8aed0a22e8c4780f27e",
+                "sha256:9e21301f7a1e7c03dbea73e8602905a4ebba641547a462b26dd03451e5769e7c",
+                "sha256:9f6b0492d111b43de5f70052e24c1f0951cb9e6022188ebcb1cc3a3d301469b0",
+                "sha256:a69bd3c68b98298f490e84519b954335154917eaab52cf582fa2c5c7efc6e812",
+                "sha256:b4890d5fb9b7a23e3bf8abf5a8a7da8e228f1e97dc96b30b95685df840b6914a",
+                "sha256:c366df0401d1ec4e548bebe8f91d55ebcc0ec3137900d214dd7aac8427ef3030",
+                "sha256:dc42f645f8f3a489c3dd416730a514e7a91a59510ddaadc09d04224c098d3302"
            ],
-            "markers": "python_version >= '3.6'",
-            "version": "==3.4.7"
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'",
+            "version": "==3.3.1"
        },
        "jinja2": {
            "hashes": [
-                "sha256:2f2de5285cf37f33d33ecd4a9080b75c87cd0c1994d5a9c6df17131ea1f049c6",
-                "sha256:ea8d7dd814ce9df6de6a761ec7f1cac98afe305b8cdc4aaae4e114b8d8ce24c5"
+                "sha256:03e47ad063331dd6a3f04a43eddca8a966a26ba0c5b7207a9a9e4e08f1b29419",
+                "sha256:a6d58433de0ae800347cab1fa3043cebbabe8baa9d29e668f1c768cb87a333c6"
            ],
-            "markers": "python_version >= '3.6'",
-            "version": "==3.0.0"
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
+            "version": "==2.11.3"
        },
        "markupsafe": {
            "hashes": [
-                "sha256:007dc055dbce5b1104876acee177dbfd18757e19d562cd440182e1f492e96b95",
-                "sha256:031bf79a27d1c42f69c276d6221172417b47cb4b31cdc73d362a9bf5a1889b9f",
-                "sha256:161d575fa49395860b75da5135162481768b11208490d5a2143ae6785123e77d",
-                "sha256:24bbc3507fb6dfff663af7900a631f2aca90d5a445f272db5fc84999fa5718bc",
-                "sha256:2efaeb1baff547063bad2b2893a8f5e9c459c4624e1a96644bbba08910ae34e0",
-                "sha256:32200f562daaab472921a11cbb63780f1654552ae49518196fc361ed8e12e901",
-                "sha256:3261fae28155e5c8634dd7710635fe540a05b58f160cef7713c7700cb9980e66",
-                "sha256:3b54a9c68995ef4164567e2cd1a5e16db5dac30b2a50c39c82db8d4afaf14f63",
-                "sha256:3c352ff634e289061711608f5e474ec38dbaa21e3e168820d53d5f4015e5b91b",
-                "sha256:3fb47f97f1d338b943126e90b79cad50d4fcfa0b80637b5a9f468941dbbd9ce5",
-                "sha256:441ce2a8c17683d97e06447fcbccbdb057cbf587c78eb75ae43ea7858042fe2c",
-                "sha256:45535241baa0fc0ba2a43961a1ac7562ca3257f46c4c3e9c0de38b722be41bd1",
-                "sha256:4aca81a687975b35e3e80bcf9aa93fe10cd57fac37bf18b2314c186095f57e05",
-                "sha256:4cc563836f13c57f1473bc02d1e01fc37bab70ad4ee6be297d58c1d66bc819bf",
-                "sha256:4fae0677f712ee090721d8b17f412f1cbceefbf0dc180fe91bab3232f38b4527",
-                "sha256:58bc9fce3e1557d463ef5cee05391a05745fd95ed660f23c1742c711712c0abb",
-                "sha256:664832fb88b8162268928df233f4b12a144a0c78b01d38b81bdcf0fc96668ecb",
-                "sha256:70820a1c96311e02449591cbdf5cd1c6a34d5194d5b55094ab725364375c9eb2",
-                "sha256:79b2ae94fa991be023832e6bcc00f41dbc8e5fe9d997a02db965831402551730",
-                "sha256:83cf0228b2f694dcdba1374d5312f2277269d798e65f40344964f642935feac1",
-                "sha256:87de598edfa2230ff274c4de7fcf24c73ffd96208c8e1912d5d0fee459767d75",
-                "sha256:8f806bfd0f218477d7c46a11d3e52dc7f5fdfaa981b18202b7dc84bbc287463b",
-                "sha256:90053234a6479738fd40d155268af631c7fca33365f964f2208867da1349294b",
-                "sha256:a00dce2d96587651ef4fa192c17e039e8cfab63087c67e7d263a5533c7dad715",
-                "sha256:a08cd07d3c3c17cd33d9e66ea9dee8f8fc1c48e2d11bd88fd2dc515a602c709b",
-                "sha256:a19d39b02a24d3082856a5b06490b714a9d4179321225bbf22809ff1e1887cc8",
-                "sha256:d00a669e4a5bec3ee6dbeeeedd82a405ced19f8aeefb109a012ea88a45afff96",
-                "sha256:dab0c685f21f4a6c95bfc2afd1e7eae0033b403dd3d8c1b6d13a652ada75b348",
-                "sha256:df561f65049ed3556e5b52541669310e88713fdae2934845ec3606f283337958",
-                "sha256:e4570d16f88c7f3032ed909dc9e905a17da14a1c4cfd92608e3fda4cb1208bbd",
-                "sha256:e77e4b983e2441aff0c0d07ee711110c106b625f440292dfe02a2f60c8218bd6",
-                "sha256:e79212d09fc0e224d20b43ad44bb0a0a3416d1e04cf6b45fed265114a5d43d20",
-                "sha256:f58b5ba13a5689ca8317b98439fccfbcc673acaaf8241c1869ceea40f5d585bf",
-                "sha256:fef86115fdad7ae774720d7103aa776144cf9b66673b4afa9bcaa7af990ed07b"
+                "sha256:00bc623926325b26bb9605ae9eae8a215691f33cae5df11ca5424f06f2d1f473",
+                "sha256:09027a7803a62ca78792ad89403b1b7a73a01c8cb65909cd876f7fcebd79b161",
+                "sha256:09c4b7f37d6c648cb13f9230d847adf22f8171b1ccc4d5682398e77f40309235",
+                "sha256:1027c282dad077d0bae18be6794e6b6b8c91d58ed8a8d89a89d59693b9131db5",
+                "sha256:13d3144e1e340870b25e7b10b98d779608c02016d5184cfb9927a9f10c689f42",
+                "sha256:195d7d2c4fbb0ee8139a6cf67194f3973a6b3042d742ebe0a9ed36d8b6f0c07f",
+                "sha256:22c178a091fc6630d0d045bdb5992d2dfe14e3259760e713c490da5323866c39",
+                "sha256:24982cc2533820871eba85ba648cd53d8623687ff11cbb805be4ff7b4c971aff",
+                "sha256:29872e92839765e546828bb7754a68c418d927cd064fd4708fab9fe9c8bb116b",
+                "sha256:2beec1e0de6924ea551859edb9e7679da6e4870d32cb766240ce17e0a0ba2014",
+                "sha256:3b8a6499709d29c2e2399569d96719a1b21dcd94410a586a18526b143ec8470f",
+                "sha256:43a55c2930bbc139570ac2452adf3d70cdbb3cfe5912c71cdce1c2c6bbd9c5d1",
+                "sha256:46c99d2de99945ec5cb54f23c8cd5689f6d7177305ebff350a58ce5f8de1669e",
+                "sha256:500d4957e52ddc3351cabf489e79c91c17f6e0899158447047588650b5e69183",
+                "sha256:535f6fc4d397c1563d08b88e485c3496cf5784e927af890fb3c3aac7f933ec66",
+                "sha256:596510de112c685489095da617b5bcbbac7dd6384aeebeda4df6025d0256a81b",
+                "sha256:62fe6c95e3ec8a7fad637b7f3d372c15ec1caa01ab47926cfdf7a75b40e0eac1",
+                "sha256:6788b695d50a51edb699cb55e35487e430fa21f1ed838122d722e0ff0ac5ba15",
+                "sha256:6dd73240d2af64df90aa7c4e7481e23825ea70af4b4922f8ede5b9e35f78a3b1",
+                "sha256:6f1e273a344928347c1290119b493a1f0303c52f5a5eae5f16d74f48c15d4a85",
+                "sha256:6fffc775d90dcc9aed1b89219549b329a9250d918fd0b8fa8d93d154918422e1",
+                "sha256:717ba8fe3ae9cc0006d7c451f0bb265ee07739daf76355d06366154ee68d221e",
+                "sha256:79855e1c5b8da654cf486b830bd42c06e8780cea587384cf6545b7d9ac013a0b",
+                "sha256:7c1699dfe0cf8ff607dbdcc1e9b9af1755371f92a68f706051cc8c37d447c905",
+                "sha256:7fed13866cf14bba33e7176717346713881f56d9d2bcebab207f7a036f41b850",
+                "sha256:84dee80c15f1b560d55bcfe6d47b27d070b4681c699c572af2e3c7cc90a3b8e0",
+                "sha256:88e5fcfb52ee7b911e8bb6d6aa2fd21fbecc674eadd44118a9cc3863f938e735",
+                "sha256:8defac2f2ccd6805ebf65f5eeb132adcf2ab57aa11fdf4c0dd5169a004710e7d",
+                "sha256:98bae9582248d6cf62321dcb52aaf5d9adf0bad3b40582925ef7c7f0ed85fceb",
+                "sha256:98c7086708b163d425c67c7a91bad6e466bb99d797aa64f965e9d25c12111a5e",
+                "sha256:9add70b36c5666a2ed02b43b335fe19002ee5235efd4b8a89bfcf9005bebac0d",
+                "sha256:9bf40443012702a1d2070043cb6291650a0841ece432556f784f004937f0f32c",
+                "sha256:a6a744282b7718a2a62d2ed9d993cad6f5f585605ad352c11de459f4108df0a1",
+                "sha256:acf08ac40292838b3cbbb06cfe9b2cb9ec78fce8baca31ddb87aaac2e2dc3bc2",
+                "sha256:ade5e387d2ad0d7ebf59146cc00c8044acbd863725f887353a10df825fc8ae21",
+                "sha256:b00c1de48212e4cc9603895652c5c410df699856a2853135b3967591e4beebc2",
+                "sha256:b1282f8c00509d99fef04d8ba936b156d419be841854fe901d8ae224c59f0be5",
+                "sha256:b1dba4527182c95a0db8b6060cc98ac49b9e2f5e64320e2b56e47cb2831978c7",
+                "sha256:b2051432115498d3562c084a49bba65d97cf251f5a331c64a12ee7e04dacc51b",
+                "sha256:b7d644ddb4dbd407d31ffb699f1d140bc35478da613b441c582aeb7c43838dd8",
+                "sha256:ba59edeaa2fc6114428f1637ffff42da1e311e29382d81b339c1817d37ec93c6",
+                "sha256:bf5aa3cbcfdf57fa2ee9cd1822c862ef23037f5c832ad09cfea57fa846dec193",
+                "sha256:c8716a48d94b06bb3b2524c2b77e055fb313aeb4ea620c8dd03a105574ba704f",
+                "sha256:caabedc8323f1e93231b52fc32bdcde6db817623d33e100708d9a68e1f53b26b",
+                "sha256:cd5df75523866410809ca100dc9681e301e3c27567cf498077e8551b6d20e42f",
+                "sha256:cdb132fc825c38e1aeec2c8aa9338310d29d337bebbd7baa06889d09a60a1fa2",
+                "sha256:d53bc011414228441014aa71dbec320c66468c1030aae3a6e29778a3382d96e5",
+                "sha256:d73a845f227b0bfe8a7455ee623525ee656a9e2e749e4742706d80a6065d5e2c",
+                "sha256:d9be0ba6c527163cbed5e0857c451fcd092ce83947944d6c14bc95441203f032",
+                "sha256:e249096428b3ae81b08327a63a485ad0878de3fb939049038579ac0ef61e17e7",
+                "sha256:e8313f01ba26fbbe36c7be1966a7b7424942f670f38e666995b88d012765b9be",
+                "sha256:feb7b34d6325451ef96bc0e36e1a6c0c1c64bc1fbec4b854f4529e51887b1621"
            ],
-            "markers": "python_version >= '3.6'",
-            "version": "==2.0.0"
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
+            "version": "==1.1.1"
        },
        "packaging": {
            "hashes": [
@ -176,26 +196,26 @@
                "sha256:5accb17103e43963b80e6f837831f38d314a0495500067cb25afab2e8d7a4018",
                "sha256:607774cbba28732bfa802b54baa7484215f530991055bb562efbed5b2f20a45e",
                "sha256:6c78645d400265a062508ae399b60b8c167bf003db364ecb26dcab2bda048253",
-                "sha256:72a01f726a9c7851ca9bfad6fd09ca4e090a023c00945ea05ba1638c09dc3347",
                "sha256:74c1485f7707cf707a7aef42ef6322b8f97921bd89be2ab6317fd782c2d53183",
-                "sha256:895f61ef02e8fed38159bb70f7e100e00f471eae2bc838cd0f4ebb21e28f8541",
                "sha256:8c1be557ee92a20f184922c7b6424e8ab6691788e6d86137c5d93c1a6ec1b8fb",
                "sha256:bb4191dfc9306777bc594117aee052446b3fa88737cd13b7188d0e7aa8162185",
-                "sha256:bfb51918d4ff3d77c1c856a9699f8492c612cde32fd3bcd344af9be34999bfdc",
                "sha256:c20cfa2d49991c8b4147af39859b167664f2ad4561704ee74c1de03318e898db",
-                "sha256:cb333c16912324fd5f769fff6bc5de372e9e7a202247b48870bc251ed40239aa",
                "sha256:d2d9808ea7b4af864f35ea216be506ecec180628aced0704e34aca0b040ffe46",
-                "sha256:d483ad4e639292c90170eb6f7783ad19490e7a8defb3e46f97dfe4bacae89122",
                "sha256:dd5de0646207f053eb0d6c74ae45ba98c3395a571a2891858e87df7c9b9bd51b",
                "sha256:e1d4970ea66be07ae37a3c2e48b5ec63f7ba6804bdddfdbd3cfd954d25a82e63",
                "sha256:e4fac90784481d221a8e4b1162afa7c47ed953be40d31ab4629ae917510051df",
-                "sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc",
-                "sha256:fd7f6999a8070df521b6384004ef42833b9bd62cfee11a09bda1079b4b704247",
-                "sha256:fdc842473cd33f45ff6bce46aea678a54e3d21f1b61a7750ce3c498eedfe25d6",
-                "sha256:fe69978f3f768926cfa37b867e3843918e012cf83f680806599ddce33c2c68b0"
+                "sha256:fa5ae20527d8e831e8230cbffd9f8fe952815b2b7dae6ffec25318803a7528fc"
            ],
            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'",
            "version": "==5.4.1"
+        },
+        "six": {
+            "hashes": [
+                "sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259",
+                "sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced"
+            ],
+            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
+            "version": "==1.15.0"
        }
    },
    "develop": {}
--- a/README.md
+++ b/README.md
@ -25,7 +25,7 @@ Once you've satisfied the the above assumptions, you can execute:
 - Switch from `cron-apt` to [`unattended-upgrades`](https://wiki.debian.org/UnattendedUpgrades)

 ## License
-Copyright (C) 2014–2021 Alan Orth
+Copyright (C) 2014–2020 Alan Orth

 The contents of this repository are free software: you can redistribute
 it and/or modify it under the terms of the GNU General Public License
--- a/host_vars/web19
+++ b/host_vars/web19
@ -1,102 +1,111 @@
 $ANSIBLE_VAULT;1.1;AES256
-30633561663166653033636139646638303766383862316635636634653364653934626266626364
-3934313636653036363039396165613466363864373635390a626665393037366566633438323265
-63313164386365303533623333313465656538363638366132643731366364356666663865653730
-3965653761613131320a386137343031613139396232623866393165386130353033343166356539
-66376162333961646233653032646363313333396632656263653931643035663565633431376234
-36356434643161386162343634633338336364333365323334343938366264653362373731626162
-64623961333463376664326635386335626234656164303636656532363939636465616232316663
-34373764663735353931326262633437626364336138313337666438373464643339666565386665
-64633032373432626230363638616132383431663636393263623339613438396133343862336164
-38656631663161626236303963323937373165336163303161376264396337366533396264623636
-62623366373130643834313637653734633062663635373233653636633665613162663939306666
-39616130623738383361646165646339626639336661373833633336313666303237393039366465
-39336461346337386537663030633865366332643934363563316261663537653761373462396130
-38313238323630303763323636666537353862643732663164636631623934643931396666323334
-38303663623136356364366433303536633664313365633439646132336237363333376161633262
-32343837363432396134663732616461633063346232323838383736353834303635616536363661
-34626639363534633436303030343638616332616530393364393831613238393833636164633431
-64386563303031316365333862333334376535363265616364623838303838663637396162356130
-61386261633665633334626664663362636633386362616336646565663933363036386139623535
-37666532616137343837613861646536373630323566313338303562633135663832616535363464
-30353936633030653030633230616531646364393037636332323934363063666236343566333538
-39333537623439653337653934306337653964343438303435623536303131343235353064346135
-33363666613439336462383636666331373736366638366164636465626466623365353133353761
-61343133663332646430303339343733666563643766306336313732393666306465356366306434
-66663230363366643964303234653432616533386465383930633132393162333863643737306432
-37663937343635616239613936343832656264386261393538316238303638383162303131666633
-62353966386366343131653862666236303234366430313235626134303965643738653434356666
-61653761643134336630636264313062323939306461633436653230663137363164343836366230
-64366432616430393637316466663762343139393932643734616434633262336632393439636436
-33376165633238336161656138666338653439366536663130303637303230636565343039663033
-38653734626430343732613963636639616635326664633336633161623638653035343130313964
-30663866303636633237626163323264353061393632323430316461356230336335323664333531
-32386333363761393130316366666636363735666535326632613735633664356437303861343930
-64373233646130633435313531333962663632333364613239313262353039363363383564663666
-39323062343436633864313238613637353534356437366563623137353831306633633763613635
-36653862653034653935636563393966303930316637316138323833363064623364396332323365
-38626361376535373663623266386665386134306131666263373630313263313339656638636265
-64636232653864343030333835336434646135366531383730346563363964623665636531306666
-39343765356266636465656438386266376539356664363861383339383636336538346632363232
-35356161663037656637633766346634343132343663343263393865336462343337336233316431
-32336530346130653263663033616463376632306139353433633065343334613061333536613235
-33656433366339353766646239386535616337353032616265303931613166663939333664613738
-61633839663162623062663235653862316130353838393530613564343731393732373564663464
-61323562363065623066616235663161326536633634633964386462633934326639646162363937
-66316161323334356532336364386437343430393261363233666662316162636665613463666364
-34313438333233313939353030633263323839636532626231343630323437643861323133656432
-38383333616262633463363734663565313036386133636635653266353461613165363334346633
-65663739333434383961306335616639343863623237373332633138313838366638663664333638
-38396235623561626162303837373562383731666365343661616139343938326331313737386431
-65353634613736373364363365656365326437383366626433636232623761663935666532376633
-37653766313866663861653736646334376134323262666538333530623463643930393764366466
-61633932363963633631316534613964643261326636396262333662366666306461663630666433
-63316433343631356537366565316639333730323439363230306338646564346536346637616563
-33613234373936393438626363386562313362396531363964363033313362303164626365653562
-32636663366265633362353764306138633431393462653165653463306461316363613533373861
-37633238396534313533363735313030633938643439643337383435613930343065663535373537
-34316231323331326364653637633231343237363762653361363962396338353433366266333636
-37666133626337393464376132353063646231326564663437646436363031316134336632613735
-36346263353961343833333863313637386366316165386130303932653332303562303364343939
-62653365363061343765326565613334623165643435643438373430663461323939636566343435
-65633237643164626465633964306235666666633165386364613330393663666633643761313034
-36306233383935316666346135373564636535633861666138656130383135373633313263303863
-66613164636437343038373234376361333133663332653238316236653961383033396335323264
-32346532303038653462366364343064306633373338663036633162626263376361333266386466
-30353934313936316431663966643239386263376434626131643666663033653631636635333062
-33636139326161663536343233343431373739363636383364663131363061666632653062653362
-38663236383832306439316263336234353837623964316664316436303832663638333431326564
-34653161373866383534373130386134653461663733613739313634616234323162643163656263
-39633964383835663634366238326163353662383766303361653265643233666439393162636135
-63303332363536393230613334643866376233623063376137303934393465353230393730636464
-38366634646231353333666433303735366532346338376165363937656362363939336136366237
-34663234363137653235393531323332343932376235386639346565393766343537386162323466
-33386132613635646338323630363461393433333032346461353835653366653230653461366437
-32626663666531303865363939333331356265613365656262356531376466363237333262666232
-30313764353636666365336163656232636563616534663833613061306564353231373034613565
-66636665633530396637303662316463353261313236306166323837383032663763333961353335
-33613364393533623433386661616533663362356237653936643762323961326530356139643539
-33653733623138316161616439386461643535336162663062303562663662333537626164643563
-63383862316162633837346438663764306533393061663363653231633638653431633065313437
-36306263353533383862313535303437663461313564376238613030393735306534303039646433
-34326339373738646231643361653736363266366363346438663036316234326134653638353631
-33373566356537376262383631343562353233353137666364316331623035653961326337346664
-36343933383035643632373938333935326234336638373162326534396433363633376338306530
-61633934363936636237663234383862313132306139653362343232643632363036366135653063
-30373532383862353464303231316134343831633732643339623639356362303432326466653965
-65656133653836636136316266363366313337656635323434326562383138303334663630656166
-61383230663035346432313238356639643662616336306166613066663632366538663161366464
-30636561656338646633323237633761386162623463663266383730353339343633666465313538
-63383365343639613330346130643833393935396632373631613565336330666430373039646462
-65333230663836663366333539316565663931666632363634303761613465616161373238373732
-32313561343234356362363562653532343665393264346263656635313438363333396335393062
-65336533343336336364313365646237643163303733313030353863646363316633336430313763
-64316639646563633837393037356632616131303439366564333131653638373139643961363235
-38666636366137303437623965613763643933613762616532383163386232636262626262653038
-63323835613933633932633531323936346163666264326665633436393934343163316433653562
-36306561633936663733363630393363356338626265653162343461336561393063373839633164
-36373136353336376431396166663636636435303430626361353139633732383739313238333437
-30396166666330666263623063343432633262343636656132383064643039316332303462353263
-38376461633239366136323264623735656165313062626632343438386531373962346366623730
-63313664343835386561333562393461666135306237306437333363366636613365333966303139
-3263
+66313066303030333063353236313063303262626561316535646263633936336534356437353265
+3432356362393665303438333166643066666164363861610a643434356531666366393936353233
+37353036656435616361613164323038663364666464373964653337396465373061666533373938
+6536323936393135370a666134613830306533623365363933376631313534326265666634366235
+36623637383636396437333735336238343434353733303764326237303033303562353237353165
+31653866633363623764353533356262643239613531643039393335313731383038343638663830
+36356139336363343437666230656366636132613531613339353962373435643563313734646135
+61613330323938363063313430343738306536636233353963636665393132643162303562666531
+61343365326634303730656133633632353936386431303631363731313730666132656334353731
+33616537313230666462653165643535386134663166346262363535383365616431613838383863
+65326163303966373938653033613238326634393166643630316230613065353437306237313933
+65366131396266393236373162343866383565633030356465613461353131643562343630336566
+30633534636634616666616462383136373830623137396366626639373230373834316563343464
+38303333366166323238346237646165383633383264333431663530326462323432366332333630
+62633132666439313034616465663861323064646564303963633565353734353665313138373636
+34653639353333373737613238626535356333633833363737646330643163326131386364646365
+64356435636635663737376239313236356361363061313731626230366336326535663866373231
+37623262613135636538343934336262633662383266653238613965356639626339303437306633
+38373837653737313465376231363637353561303937336138343465376638326163643065336462
+61633236373737363633646135396565303835643336393763393933613964663435306336346636
+38316231383363616533616437366362376664393135623765646330323161366134323263376466
+31386332333565643764343863353039313466643962373736643533666562353766383862326134
+31633366636365313231366337313334333130373833656135396262373136393135353039623739
+63626463636237633963323739303961663632376330336236663134666461383965303861333835
+38663337393930383834653936636365663966333033346562356331306430306338333761353762
+38363733356262363161353135633836336363376232326261623264623338663230663838386330
+35353762393839646338366365313763346339666433306532353530353261363838356639623436
+62306437616630663039653862393466353933333763386163373035373335343834663439633039
+34613463303436366631396462363866656533343063356265333539353038326637613063326164
+62663833363165643436343538666565386561383335393964313839626237623031343564656632
+35613534636437306463373466653431336562303132313462326233663561343837323331353035
+33303336356237306464363564666136633230396635623066376564373737353335356432343231
+66633735316466633039663338316566343739373664316335366462356237366139363731643366
+33353039373665333232383235303932623435366638313465396333316565646134343463336330
+65306334623631386364353364313638643930306265343363666366663164643435333834376439
+64396434366362343733323366343232653930646565313762376436663965626562636238623066
+63303236326362323966666630343136336563343564393833636465333832396666396638653661
+61323561393563326437386462656266303830353730313839613136656331323938616631386235
+30633730303838313038313263363363633136623861326662623366613461343133356261633030
+34333732343037396131343764366535343639326333353036353038656533333339306363653435
+39656166393265356338656631353065653630303237663761386332323530663966343864663438
+65356365386131333236396234623537323062363539383061323832363563326435306465663234
+66316638376436613265353662646264666138666165343763393330613765346163356138616633
+66373338393163333435666236386239663735653135386532633135646539316665313036323763
+38666464363432656534313263306266323066646133353765386463343264633131633936373036
+31326138633131393962633861333036373537366163613562383033336333616130636435326331
+66653766653065306164613335623933616135393335383438356337633239363131303237653566
+62636263383236656136376237646363363234363232643636623333396531363461303538373662
+36313537393238626337613964623731666261316366346666323261386661643035353164613637
+32303061336363306335306431613263646266303038323739636662326465303961616339333461
+65626263366333333562386461636231636438623966626136663932303035343531363234356663
+37313661353764343764396666633666613238323638646233353138383638353938303933396431
+65366564353533363039383838313562663561633434393833636365303561333534393930653630
+63663464613334623864313663383630353166363862373132343532393135313666626464376436
+34616566663764363566663530646638363338653538353661393835383035346236646233363564
+34656165303737326261353032363435333731363031343366353863313138653865346535636564
+31393134336534616161303132353764343833636465356661376638633163643739383830616534
+65386262663734356134303039623265303935363764623537326565633030613465666435636232
+61623334393734616262613232306339396639643636373762653738333463616361653430656438
+63316265303634323033303330353232636136333863366261656532383065313334386335666636
+34303564636333356364663565333932343064333266383638663365366636643866353132373966
+66336563346233656531643735663062393630616537656264323136353266623161353261333239
+33636563376566333331366336353338343730383962653138636535623039643461303763333961
+63373264333037653563643937373664373665343136396635316634613632653232353033666266
+31333064623765326536386630353435333438326232633565663531303730636530386564366633
+63326335333639376266396562343838636430643664303737373565363635643037616231393665
+36636337633564373561343266666632656235646662633965663733383731633832373334646335
+34396163636635633637393834396566663062633135383330396564656536333330623737636332
+36646362623131366166626639386238616566323135323334636638393934663336663532306336
+38396634393433623963316261303061616634333566306239366666373238376466633166623464
+33313538663838373465626638316432613135386262376233633362616463623363646433353666
+32633838303837656335333336353564343461373236353736623032663139333338646463323533
+65326131616433666563343163663462393235366135633661366564623662303932626164366632
+38306430356238633162656337303536663065653639353562343965663366373861646162653562
+62306236326163393336643232663336656637623539353835613536653164393038623966316433
+32623462343037616465623736306530633736623061343430356638633530313331306363323837
+63396263393136363137643632623938316363386238346237333862303735363065386633366263
+31313834646239323631393335633534383930373630663538653864383930666465653731616263
+35333830633430343436646266663231303466343138643338343634346133613666613734313037
+34383931643631633539346262653631336565623366343564303332333831346436373162356362
+66383864313732303962653662333036373239343335623765616536306465623030393138663838
+30313861636631393462653836626164373034666533323338383262393132396436666639363262
+39356132343939366534666665393231346566663432653236376333323363643166393431316161
+33343666316138353333346263346266343731613065356631336231373266343338393939663038
+35343235393563623434313266306163323266346662623063353631663433646436613130636663
+38356335616438633638383236333131663163613436303934386335363432323063303234383331
+34636432653262643438653931313233626462623034346137303738643932353334373531303439
+30366233373535343431373365393566383538363763313036623262343066346236303061326631
+64376463336538363132656464666365343861393330313637356237666361343666633436346534
+33636332386336646333616330613738343264626438613135313962336534373130316330366233
+30316333636564326165663565666361643430656366393939616538323530383632636661326331
+35366663646533313034333764626237623637363164356163636432653765656439326438383134
+62623638633934336334393636333336633164343066336161333138653637333435306230653865
+35363032393633623331363933373463623032333361616365373037666333643634343963663835
+34363033363731346663643363383965336536353332646262326136353965353137383737336165
+33613733656463376333376264633935373239363337323538356636636439393564373332323031
+31623733663530326632373235313830396133373430613061613438653336653462316336623438
+30343032346133363830656231663966653734326635333831626639393666303033653437326238
+65333566643066393331323466366662383135383734313537663664376161323265613436653535
+63643832616663303632623433636161333339376635333635626137326662396562633830343337
+65376165376564396433343736313134656332383533356138383039386266636238613936653962
+32373337346335383136303838343034376432363436356465613836366230313463303239373531
+65383334646431346565656638353537333765623430333133663663326134646566306137643663
+65643338386439666636376461356466396261326165333030623633613364343631343830653939
+64323266626131666332666433386434313936306361633164373532626231366234623735333932
+62306362346164336433336139313561366162303666353635653634396139313734626463663735
+38306466626237626634666138363665326636316563356431333432313534363638613833613539
+38306237353764376462323238663034646662393433623830616361623735343162666465626230
+30633731323939633265323338373537383261333235303262633336636433316339383433653861
+3861653261646632636364623830626561393864666135346634
--- a/roles/common/files/abusers-ipv4.xml
+++ b/roles/common/files/abusers-ipv4.xml
--- a/roles/common/files/abusers-ipv6.xml
+++ b/roles/common/files/abusers-ipv6.xml
@ -3,15 +3,12 @@
  <option name="family" value="inet6" />
  <short>abusers-ipv6</short>
  <description>A list of abusive IPv6 addresses.</description>
-  <entry>2001:19f0:200:3191:225:90ff:fe88:27a8</entry>
-  <entry>2001:41d0:2:5137::</entry>
-  <entry>2402:1f00:8101:4::</entry>
-  <entry>2604:2dc0:200:1424::</entry>
-  <entry>2604:a880:0:1010::76:f001</entry>
-  <entry>2607:5300:60:2540::</entry>
-  <entry>2607:f1c0:842:3400::5c:29d</entry>
-  <entry>2a00:d680:20:50::cdb4</entry>
-  <entry>2a01:4f8:192:62c7::2</entry>
-  <entry>2a01:4f8:251:15ea::2</entry>
-  <entry>2a04:3543:1000:2310:cc4:41ff:fe7a:54cc</entry>
+  <entry>2001:41d0:1:f934::1</entry>
+  <entry>2001:41d0:602:238d::</entry>
+  <entry>2001:41d0:a:2a31::</entry>
+  <entry>2400:6180:0:d1::476:7001</entry>
+  <entry>2402:1f00:8001:8bd::</entry>
+  <entry>2604:a880:800:10::5bf:2001</entry>
+  <entry>2a00:d680:20:50::bcb2</entry>
+  <entry>2a02:2168:a01:33ee::1</entry>
 </ipset>
--- a/roles/common/tasks/firewall_Alpine.yml
+++ b/roles/common/tasks/firewall_Alpine.yml
@ -0,0 +1,15 @@
+---
+# TODO: configure awall (ipsets?)
+# TODO: configure fail2ban
+
+- block:
+  - name: Set Alpine firewall packages
+    set_fact:
+      alpine_firewall_packages:
+        - awall
+        - fail2ban
+
+  - name: Install Alpine firewall packages
+    apk: name={{ alpine_firewall_packages }} state=present
+
+# vim: set sw=2 ts=2:
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -17,6 +17,11 @@
  when: ansible_distribution == 'Ubuntu'
  tags: packages

+- name: Install common packages
+  include_tasks: packages_Alpine.yml
+  when: ansible_distribution == 'Alpine'
+  tags: packages
+
 - name: Configure firewall
  include_tasks: firewall_Debian.yml
  when: ansible_distribution == 'Debian'
--- a/roles/common/tasks/ntp.yml
+++ b/roles/common/tasks/ntp.yml
@ -1,6 +1,7 @@
 ---
 # Hosts running Ubuntu 16.04+ and Debian 9+ use systemd init system and should
 # use timedatectl as a network time client instead of the standalone ntp client.
+# Alpine can use chrony.

 - name: Set timezone
  when: timezone is defined and ansible_service_mgr == 'systemd'
@ -15,4 +16,8 @@
  apt: name=ntp state=absent update_cache=yes
  when: ansible_service_mgr == 'systemd'

+- name: Install chronyd on Alpine
+  apt: name=chrony state=present
+  when: ansible_distribution == 'Alpine'
+
 # vim: set ts=2 sw=2:
--- a/roles/common/tasks/packages_Alpine.yml
+++ b/roles/common/tasks/packages_Alpine.yml
@ -0,0 +1,28 @@
+---
+# requires: ansible-galaxy collection install community.general
+# TODO: configure tarsnap
+
+- block:
+  - name: Upgrade base OS
+    apk: upgrade=yes update_cache=yes
+
+  - name: Set Alpine base packages
+    set_fact:
+      alpine_base_packages:
+      - git
+      - tmux
+      - htop
+      - strace
+      - mosh
+      - vim
+      - unzip
+      - zstd
+
+  - name: Install Alpine base packages
+    apk: name={{ alpine_base_packages }} state=present update_cache=yes
+
+  #- name: Install tarsnap
+  #  import_tasks: tarsnap.yml
+  tags: packages
+
+# vim: set sw=2 ts=2:
--- a/roles/common/tasks/tarsnap.yml
+++ b/roles/common/tasks/tarsnap.yml
@ -5,7 +5,7 @@
  when: ansible_architecture != 'armv7l'

 - name: Add GPG key for Tarsnap
-  apt_key: id=0xBF75EEAB040E447C url=https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc state=present
+  apt_key: id=0xFC72A10BF6B692AA url=https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc state=present
  register: add_tarsnap_apt_key

 - name: Update apt cache
--- a/roles/mariadb/tasks/main.yml
+++ b/roles/mariadb/tasks/main.yml
@ -34,8 +34,10 @@
 - name: Update MariaDB root password for all root accounts
  mysql_user: name=root host={{ item }} password={{ mariadb_root_password }} login_unix_socket={{ mariadb_login_unix_socket }}
  loop:
+    - "{{ inventory_hostname }}"
    - 127.0.0.1
    - ::1
+    - localhost
  tags: mariadb

 - name: Create .my.conf file with root credentials
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@ -20,25 +20,18 @@ nginx_ssl_protocols: 'TLSv1.2 TLSv1.3'
 # See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
 nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]'

-# HTTP Strict-Transport-Security header, recommended by Google to be ~1 year
-# in seconds, see: https://hstspreload.org/
-nginx_hsts_max_age: 31536000
-
-# install acme.sh?
+# install certbot + dependencies?
 # True unless you're in development and using "localhost" + snakeoil certs
 use_letsencrypt: True

 # Directory root for Let's Encrypt certs
-letsencrypt_root: /etc/ssl
+letsencrypt_root: /etc/letsencrypt/live

-# Location where to save initial acme.sh script. After installation the script
-# will automatically create its home in the /root/.acme.sh directory (including
-# a copy of the script itself).
-letsencrypt_acme_script: /root/acme.sh
-letsencrypt_acme_home: /root/.acme.sh
+# Location of Let's Encrypt's certbot script
+letsencrypt_certbot_dest: /opt/certbot-auto

-# stable is 1.20.x
-# mainline is 1.21.x
+# stable is 1.18.x
+# mainline is 1.19.x
 nginx_version: mainline

 # vim: set ts=2 sw=2:
--- a/roles/nginx/files/extra-security.conf
+++ b/roles/nginx/files/extra-security.conf
@ -15,6 +15,3 @@ add_header X-XSS-Protection "1; mode=block" always;
 # CSP can be quite difficult to configure, and cause real issues if you get it wrong
 # There is website that helps you generate a policy here http://cspisawesome.com/
 # add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;" always;
-
-# Opt this site out of Google Chrome's Federated Learning of Cohorts (FLoC)
-add_header Permissions-Policy interest-cohort=() always;
--- a/roles/nginx/files/start-nginx.sh
+++ b/roles/nginx/files/start-nginx.sh
@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+/bin/systemctl start nginx
--- a/roles/nginx/files/stop-nginx.sh
+++ b/roles/nginx/files/stop-nginx.sh
@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+/bin/systemctl stop nginx
--- a/roles/nginx/tasks/letsencrypt.yml
+++ b/roles/nginx/tasks/letsencrypt.yml
@ -1,57 +1,135 @@
 ---

-# Use acme.sh instead of certbot because they only support installation via
-# snap now.
 - block:
-  - name: Remove certbot
-    apt:
-      name: certbot
-      state: absent
-
-  - name: Remove old certbot post and pre hooks for nginx
-    file:
-      dest: "{{ item }}"
-      state: absent
-    with_items:
-      - /etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh
-      - /etc/letsencrypt/renewal-hooks/post/start-nginx.sh
-
-  - name: Download acme.sh
-    get_url:
-      url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
-      dest: "{{ letsencrypt_acme_script }}"
-
-  - name: Prepare Let's Encrypt well-known directory
-    file:
-      state: directory
-      path: /var/lib/letsencrypt/.well-known
-      owner: root
-      group: nginx
-      mode: g+s
-
  - name: Copy systemd service to renew Let's Encrypt certs
-    template:
-      src: renew-letsencrypt.service.j2
-      dest: /etc/systemd/system/renew-letsencrypt.service
-      mode: 0644
-      owner: root
-      group: root
+    template: src=renew-letsencrypt.service.j2 dest=/etc/systemd/system/renew-letsencrypt.service mode=0644 owner=root group=root

  - name: Copy systemd timer to renew Let's Encrypt certs
-    copy:
-      src: renew-letsencrypt.timer
-      dest: /etc/systemd/system/renew-letsencrypt.timer
-      mode: 0644
-      owner: root
-      group: root
+    copy: src=renew-letsencrypt.timer dest=/etc/systemd/system/renew-letsencrypt.timer mode=0644 owner=root group=root

-  # always issues daemon-reload just in case the service/timer changed
+  # always issues daemon-reload just in case the server/timer changed
  - name: Start and enable systemd timer to renew Let's Encrypt certs
-    systemd:
-      name: renew-letsencrypt.timer
-      state: started
-      enabled: yes
-      daemon_reload: yes
+    systemd: name=renew-letsencrypt.timer state=started enabled=yes daemon_reload=yes
+
+  - name: Download certbot
+    get_url: dest={{ letsencrypt_certbot_dest }} url=https://dl.eff.org/certbot-auto mode=700
+
+  # Dependencies certbot checks for on its first run. I set them in a fact so that
+  # I can pass the list directly to the apt module to install in one transaction.
+  - name: Set certbot dependencies (Debian 10)
+    when: ansible_distribution == 'Debian' and ansible_distribution_major_version is version('10', '==')
+    set_fact:
+      certbot_dependencies:
+        - augeas-lenses
+        - binutils
+        - binutils-common
+        - binutils-x86-64-linux-gnu
+        - cpp
+        - cpp-8
+        - gcc
+        - gcc-8
+        - libasan5
+        - libatomic1
+        - libaugeas0
+        - libbinutils
+        - libc-dev-bin
+        - libc6-dev
+        - libcc1-0
+        - libexpat1-dev
+        - libffi-dev
+        - libgcc-8-dev
+        - libgomp1
+        - libisl19
+        - libitm1
+        - liblsan0
+        - libmpc3
+        - libmpfr6
+        - libmpx2
+        - libpython-dev
+        - libpython2-dev
+        - libpython2.7
+        - libpython2.7-dev
+        - libquadmath0
+        - libssl-dev
+        - libtsan0
+        - libubsan1
+        - linux-libc-dev
+        - python-dev
+        - python-pip-whl
+        - python-pkg-resources
+        - python-virtualenv
+        - python2-dev
+        - python2.7-dev
+        - python3-distutils
+        - python3-lib2to3
+        - python3-virtualenv
+        - virtualenv
+
+  # Dependencies certbot checks for on its first run. I set them in a fact so that
+  # I can pass the list directly to the apt module to install in one transaction.
+  - name: Set certbot dependencies (Ubuntu 18.04)
+    when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==')
+    set_fact:
+      certbot_dependencies:
+        - augeas-lenses
+        - binutils
+        - binutils-common
+        - binutils-x86-64-linux-gnu
+        - cpp
+        - cpp-7
+        - gcc
+        - gcc-7
+        - gcc-7-base
+        - libasan4
+        - libatomic1
+        - libaugeas0
+        - libbinutils
+        - libc-dev-bin
+        - libc6-dev
+        - libcc1-0
+        - libcilkrts5
+        - libexpat1-dev
+        - libffi-dev
+        - libgcc-7-dev
+        - libgomp1
+        - libisl19
+        - libitm1
+        - liblsan0
+        - libmpc3
+        - libmpx2
+        - libpython-dev
+        - libpython2.7
+        - libpython2.7-dev
+        - libquadmath0
+        - libssl-dev
+        - libtsan0
+        - libubsan0
+        - linux-libc-dev
+        - python-dev
+        - python-pip-whl
+        - python-pkg-resources
+        - python-virtualenv
+        - python2.7-dev
+        - python3-virtualenv
+        - virtualenv
+
+  - name: Install certbot dependencies
+    apt: name={{ certbot_dependencies }} state=present update_cache=yes
+
+  when: ansible_distribution != 'Ubuntu' and ansible_distribution_major_version is version('20.04', '!=')
+  tags: letsencrypt
+
+# On Ubuntu 20.04 it is no longer recommended/supported to use the standalone
+# certbot-auto so I guess we need to use the one from the repositories.
+- block:
+  - name: Install certbot (Ubuntu 20.04)
+    apt: name=certbot state=present update_cache=yes
+
+  - name: Copy certbot post and pre hooks for nginx
+    copy: src={{ item.src }} dest={{ item.dest }} owner=root group=root mode=0755
+    with_items:
+      - { src: 'stop-nginx.sh', dest: '/etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh' }
+      - { src: 'start-nginx.sh', dest: '/etc/letsencrypt/renewal-hooks/post/start-nginx.sh' }

  when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')
  tags: letsencrypt
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@ -71,7 +71,7 @@

 - name: Configure Let's Encrypt
  include_tasks: letsencrypt.yml
-  #when: use_letsencrypt is defined and use_letsencrypt
+  when: use_letsencrypt is defined and use_letsencrypt
  tags: letsencrypt

 # vim: set ts=2 sw=2:
--- a/roles/nginx/tasks/vhosts.yml
+++ b/roles/nginx/tasks/vhosts.yml
@ -12,11 +12,8 @@
    notify:
      - reload nginx

-  - name: Download 4096-bit RFC 7919 dhparams
-    get_url:
-      url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
-      checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3
-      dest: "{{ nginx_ssl_dhparam }}"
+  - name: Generate 2048-bit dhparam
+    command: openssl dhparam -out dhparam.pem 2048 chdir=/etc/ssl/certs creates=dhparam.pem
    notify:
      - reload nginx

--- a/roles/nginx/templates/https.j2
+++ b/roles/nginx/templates/https.j2
@ -16,8 +16,8 @@

    # concatenated key + cert
    # See: http://nginx.org/en/docs/http/configuring_https_servers.html
-    ssl_certificate {{ letsencrypt_root }}/certs/{{ domain_name }}.fullchain.pem;
-    ssl_certificate_key {{ letsencrypt_root }}/private/{{ domain_name }}.key.pem;
+    ssl_certificate {{ letsencrypt_root }}/{{ domain_name }}/fullchain.pem;
+    ssl_certificate_key {{ letsencrypt_root }}/{{ domain_name }}/privkey.pem;

    {% endif %}

@ -51,5 +51,5 @@
    # Enable this if you want HSTS (recommended, but be careful)
    # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
    # See: https://hstspreload.appspot.com/
-    add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
+    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
    {% endif %}
--- a/roles/nginx/templates/renew-letsencrypt.service.j2
+++ b/roles/nginx/templates/renew-letsencrypt.service.j2
@ -1,9 +1,7 @@
 [Unit]
 Description=Renew Let's Encrypt certificates
-ConditionFileIsExecutable={{ letsencrypt_acme_home }}/acme.sh
+ConditionFileIsExecutable={{ letsencrypt_certbot_dest }}

 [Service]
 Type=oneshot
-ExecStart={{ letsencrypt_acme_home }}/acme.sh --cron --home {{ letsencrypt_acme_home }} --reloadcmd "/bin/systemctl reload nginx" -w /var/lib/letsencrypt
-
-SuccessExitStatus=0 2
+ExecStart={{ letsencrypt_certbot_dest }} renew --standalone --pre-hook "/bin/systemctl stop nginx" --post-hook "/bin/systemctl start nginx"
--- a/roles/nginx/templates/vhost.conf.j2
+++ b/roles/nginx/templates/vhost.conf.j2
@ -14,8 +14,6 @@ server {
    listen [::]:80;
    server_name {{ domain_name }} {{ domain_aliases }};

-    {% include 'well-known.j2' %}
-
    # redirect http -> https
    location / {
        # ? in rewrite makes sure nginx doesn't append query string again
@ -98,7 +96,7 @@ server {
        # Enable this if you want HSTS (recommended, but be careful)
        # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
        # See: https://hstspreload.appspot.com/
-        add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
+        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
        {% endif %}

        include extra-security.conf;
--- a/roles/nginx/templates/well-known.j2
+++ b/roles/nginx/templates/well-known.j2
@ -1,6 +0,0 @@
-location ^~ /.well-known/acme-challenge/ {
-  allow all;
-  root /var/lib/letsencrypt/;
-  default_type "text/plain";
-  try_files $uri =404;
-}
--- a/roles/nginx/templates/wordpress.j2
+++ b/roles/nginx/templates/wordpress.j2
@ -9,7 +9,7 @@
        # Enable this if you want HSTS (recommended, but be careful)
        # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
        # See: https://hstspreload.appspot.com/
-        add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
+        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
        {% endif %}
    }

@ -20,7 +20,7 @@
        # Enable this if you want HSTS (recommended, but be careful)
        # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
        # See: https://hstspreload.appspot.com/
-        add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
+        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
        {% endif %}
    }   

--- a/vars/Alpine.yml
+++ b/vars/Alpine.yml
@ -0,0 +1,10 @@
+---
+
+# sshd service name is `ssh` on Debian/Ubuntu, but it's
+# `sshd` on CentOS and Alpine
+sshd_service_name: sshd
+
+# provisioning user vars
+provisioning_user: { name: 'provisioning', home: '/home/provisioning' }
+
+# vim: set ts=2 sw=2:
Author	SHA1	Message	Date
Alan Orth	4846cbd968	roles/common: Add firewall task for Alpine	2021-02-13 12:18:58 +02:00
Alan Orth	aa63f5946c	roles/common: Add TODO about tarsnap on Alpine	2021-02-13 12:18:58 +02:00
Alan Orth	53d574dd12	roles/common: Add Alpine packages	2021-02-13 12:18:58 +02:00
Alan Orth	92c23bc2b5	roles/common: Use chrony for NTP on Alpine	2021-02-13 12:18:58 +02:00
Alan Orth	e93b8af949	Add vars/Alpine.yml	2021-02-13 12:18:58 +02:00