roles: update ansible.builtin.systemd builtin

Use ansible.builtin.systemd_service instead.

roles/caddy/handlers/main.yml

@@ -3,7 +3,7 @@
 
 # I'm currently not sure when we need to restart versus reload
 - name: reload caddy
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: caddy
     state: reloaded
 

roles/caddy/templates/etc/caddy/conf.d/vhost.j2

@@ -36,7 +36,7 @@
     {% elif has_wordpress -%}
     root * {{ document_root }}
     encode
-    {%   if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('12', '==') -%}
+    {%   if ansible_distribution_major_version is version('12', '==') -%}
     php_fastcgi unix//run/php/php8.2-fpm-{{ domain_name }}.sock
     {%   endif -%}
     file_server

roles/common/files/etc/sudoers.d/provisioning

@@ -1 +0,0 @@
-provisioning   ALL=(ALL)  ALL

roles/common/handlers/main.yml

@@ -2,7 +2,7 @@
 # ansible.builtin.file: roles/common/handlers/main.yml
 
 - name: Reload sshd
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: "{{ sshd_service_name }}"
     state: reloaded
 
@@ -10,11 +10,11 @@
   ansible.builtin.command: sysctl -p /etc/sysctl.conf
 
 - name: Reload systemd
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     daemon_reload: true
 
 - name: Restart nftables
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: nftables
     state: restarted
 
@@ -22,6 +22,6 @@
 # in the order they are defined, not in the order they are listed in the task's
 # notify statement and we must restart fail2ban after updating the firewall.
 - name: Restart fail2ban
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: fail2ban
     state: restarted

roles/common/tasks/fail2ban.yml

@@ -1,6 +1,6 @@
 ---
 - name: Install fail2ban
-  when: ansible_distribution_major_version is version('11', '>=')
+  when: ansible_distribution_version is version('11', '>=')
   ansible.builtin.apt:
     name:
       - fail2ban
@@ -47,7 +47,7 @@
     - Restart fail2ban
 
 - name: Start and enable fail2ban service
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: fail2ban
     state: started
     enabled: true

roles/common/tasks/firewall.yml

@@ -2,14 +2,14 @@
 # Debian 11+ will use nftables directly, with no firewalld.
 
 - name: Install Debian firewall packages
-  when: ansible_distribution_major_version is version('11', '>=')
+  when: ansible_distribution_version is version('11', '>=')
   ansible.builtin.apt:
     name: nftables
     state: present
     cache_valid_time: 3600
 
 - name: Remove iptables on newer Debian
-  when: ansible_distribution_major_version is version('11', '>=')
+  when: ansible_distribution_version is version('11', '>=')
   ansible.builtin.apt:
     pkg: iptables
     state: absent
@@ -19,7 +19,7 @@
   ansible.builtin.include_tasks: nftables.yml
 
 - name: Configure fail2ban
-  when: ansible_distribution_major_version is version('9', '>=')
+  when: ansible_distribution_version is version('9', '>=')
   ansible.builtin.include_tasks: fail2ban.yml
 
 # vim: set sw=2 ts=2:

roles/common/tasks/nftables.yml

@@ -76,11 +76,11 @@
 # need to reload to pick up service/timer/environment changes
 - name: Reload systemd daemon
   when: nftables_systemd_units is changed
-  ansible.builtin.systemd: # noqa no-handler
+  ansible.builtin.systemd_service: # noqa no-handler
     daemon_reload: true
 
 - name: Start and enable nftables update timers
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: "{{ item }}"
     state: started
     enabled: true
@@ -88,7 +88,7 @@
     - update-firehol-nftables.timer
 
 - name: Start and enable nftables
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: nftables
     state: started
     enabled: true

roles/common/tasks/ntp.yml

@@ -22,7 +22,7 @@
 
 - name: Start and enable systemd's NTP client
   when: ansible_service_mgr == 'systemd'
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: systemd-timesyncd
     state: started
     enabled: true

roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2

@@ -6,14 +6,14 @@ PartOf=nftables.service
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectHome=read-only
-{% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=') %}
+{% if ansible_distribution_version is version('11','>=') %}
 ProtectSystem=strict
 {% else %}
 {# Older systemd versions don't have ProtectSystem=strict #}
 ProtectSystem=full
 {% endif %}
 NoNewPrivileges=yes
-{% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=') %}
+{% if ansible_distribution_version is version('11','>=') %}
 ReadWritePaths=-/var/run/fail2ban
 ReadWritePaths=-/var/lib/fail2ban
 ReadWritePaths=-/var/log/fail2ban.log

roles/mariadb/handlers/main.yml

@@ -1,6 +1,6 @@
 ---
 - name: restart mariadb
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: mariadb
     state: restarted
 

roles/munin/handlers/main.yml

@@ -1,4 +1,4 @@
 ---
 # ansible.builtin.file: roles/munin/handlers/main.yml
 - name: restart munin-node
-  ansible.builtin.systemd: name=munin-node state=restarted
+  ansible.builtin.systemd_service: name=munin-node state=restarted

roles/munin/tasks/munin-node.yml

@@ -26,7 +26,7 @@
     - restart munin-node
 
 - name: Start munin-node
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: munin-node
     state: started
     enabled: true

roles/nginx/handlers/main.yml

@@ -1,6 +1,6 @@
 ---
 - name: Reload nginx
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: nginx
     state: reloaded
 

roles/nginx/tasks/letsencrypt.yml

@@ -82,7 +82,7 @@
 
     # always issues daemon-reload just in case the service/timer changed
     - name: Start and enable systemd timer to renew Let's Encrypt certs
-      ansible.builtin.systemd:
+      ansible.builtin.systemd_service:
         name: renew-letsencrypt.timer
         state: started
         enabled: true

roles/nginx/tasks/main.yml

@@ -119,7 +119,7 @@
   tags: nginx
 
 - name: Start and enable nginx service
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: nginx
     state: started
     enabled: true

roles/nginx/templates/vhost.conf.j2

@@ -77,7 +77,7 @@ server {
         # See: https://httpoxy.org/
         fastcgi_param HTTP_PROXY "";
 
-        {% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('12', '==') %}
+        {% if ansible_distribution_major_version is version('12', '==') %}
         fastcgi_pass unix:/run/php/php8.2-fpm-{{ domain_name }}.sock;
         {% endif %}
         fastcgi_index index.php;

roles/php_fpm/handlers/main.yml

@@ -1,7 +1,7 @@
 ---
 # For Debian 12
 - name: Reload php8.2-fpm
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: php8.2-fpm
     state: reloaded