alanorth/ansible-personal
1
0
Fork 0
Code Issues 4 Pull Requests Projects Releases Wiki Activity

Compare commits

base: alanorth:5f00892df3695694ef3930dec526db20b2bed3d1
Branches Tags
alanorth:master alanorth:debian13 alanorth:alpine
..
compare: alanorth:0db7911b7037ef9755954459531dead723b7a5b0
Branches Tags
alanorth:debian13 alanorth:master alanorth:alpine

3 Commits
5f00892df3 ... 0db7911b70

Author SHA1 Message Date
Alan Orth
0db7911b70 roles/common: remove sudoers.d 
We are not using this.
 2025-09-21 23:09:40 +03:00
Alan Orth
ee4c62e5f9 roles: remove tests for Debian 
We only run on Debian now.
 2025-09-21 22:20:31 +03:00
Alan Orth
a315db8a7c roles/common: use ansible_distribution_version 
In most cases it is enough to use the full version (ie 12.12) since
we use Ansible's version comparison function. We rarely need to use
the major version (ie 12) directly.
 2025-09-21 22:19:00 +03:00
6 changed files with 8 additions and 9 deletions
Expand all files Collapse all files

2
roles/caddy/templates/etc/caddy/conf.d/vhost.j2
View File

@@ -36,7 +36,7 @@
{% elif has_wordpress -%}
root * {{ document_root }}
encode
{% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('12', '==') -%}
{% if ansible_distribution_major_version is version('12', '==') -%}
php_fastcgi unix//run/php/php8.2-fpm-{{ domain_name }}.sock
{% endif -%}
file_server

1
roles/common/files/etc/sudoers.d/provisioning
View File

@@ -1 +0,0 @@
provisioning ALL=(ALL) ALL

2
roles/common/tasks/fail2ban.yml
View File

@@ -1,6 +1,6 @@
---
- name: Install fail2ban
when: ansible_distribution_major_version is version('11', '>=')
when: ansible_distribution_version is version('11', '>=')
ansible.builtin.apt:
name:
- fail2ban

6
roles/common/tasks/firewall.yml
View File

@@ -2,14 +2,14 @@
# Debian 11+ will use nftables directly, with no firewalld.
- name: Install Debian firewall packages
when: ansible_distribution_major_version is version('11', '>=')
when: ansible_distribution_version is version('11', '>=')
ansible.builtin.apt:
name: nftables
state: present
cache_valid_time: 3600
- name: Remove iptables on newer Debian
when: ansible_distribution_major_version is version('11', '>=')
when: ansible_distribution_version is version('11', '>=')
ansible.builtin.apt:
pkg: iptables
state: absent
@@ -19,7 +19,7 @@
ansible.builtin.include_tasks: nftables.yml
- name: Configure fail2ban
when: ansible_distribution_major_version is version('9', '>=')
when: ansible_distribution_version is version('9', '>=')
ansible.builtin.include_tasks: fail2ban.yml
# vim: set sw=2 ts=2:

4
roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
View File

@@ -6,14 +6,14 @@ PartOf=nftables.service
PrivateDevices=yes
PrivateTmp=yes
ProtectHome=read-only
{% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=') %}
{% if ansible_distribution_version is version('11','>=') %}
ProtectSystem=strict
{% else %}
{# Older systemd versions don't have ProtectSystem=strict #}
ProtectSystem=full
{% endif %}
NoNewPrivileges=yes
{% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=') %}
{% if ansible_distribution_version is version('11','>=') %}
ReadWritePaths=-/var/run/fail2ban
ReadWritePaths=-/var/lib/fail2ban
ReadWritePaths=-/var/log/fail2ban.log

2
roles/nginx/templates/vhost.conf.j2
View File

@@ -77,7 +77,7 @@ server {
# See: https://httpoxy.org/
fastcgi_param HTTP_PROXY "";
{% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('12', '==') %}
{% if ansible_distribution_major_version is version('12', '==') %}
fastcgi_pass unix:/run/php/php8.2-fpm-{{ domain_name }}.sock;
{% endif %}
fastcgi_index index.php;