roles: update ansible.builtin.systemd builtin

Use ansible.builtin.systemd_service instead.
2025-09-23 10:33:11 +03:00
15 changed files with 19 additions and 72 deletions
--- a/roles/caddy/handlers/main.yml
+++ b/roles/caddy/handlers/main.yml
@@ -3,7 +3,7 @@
 # I'm currently not sure when we need to restart versus reload
 - name: reload caddy
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
    name: caddy
    state: reloaded
--- a/roles/common/defaults/main.yml
+++ b/roles/common/defaults/main.yml
@@ -8,7 +8,7 @@ fail2ban_maxretry: 6
 fail2ban_findtime: 3600
 # 2 weeks in seconds
 fail2ban_bantime: 1209600
-fail2ban_ignoreip: 127.0.0.0/8
+fail2ban_ignoreip: 127.0.0.1/8
 # Disable SSH passwords. Must use SSH keys. This is OK because we add the keys
 # before re-configuring the SSH daemon to disable passwords.
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -2,7 +2,7 @@
 # ansible.builtin.file: roles/common/handlers/main.yml
 - name: Reload sshd
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
    name: "{{ sshd_service_name }}"
    state: reloaded
@@ -10,11 +10,11 @@
  ansible.builtin.command: sysctl -p /etc/sysctl.conf
 - name: Reload systemd
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
    daemon_reload: true
 - name: Restart nftables
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
    name: nftables
    state: restarted
@@ -22,6 +22,6 @@
 # in the order they are defined, not in the order they are listed in the task's
 # notify statement and we must restart fail2ban after updating the firewall.
 - name: Restart fail2ban
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
    name: fail2ban
    state: restarted
--- a/roles/common/tasks/fail2ban.yml
+++ b/roles/common/tasks/fail2ban.yml
@@ -47,7 +47,7 @@
    - Restart fail2ban
 - name: Start and enable fail2ban service
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
    name: fail2ban
    state: started
    enabled: true
--- a/roles/common/tasks/nftables.yml
+++ b/roles/common/tasks/nftables.yml
@@ -76,11 +76,11 @@
 # need to reload to pick up service/timer/environment changes
 - name: Reload systemd daemon
  when: nftables_systemd_units is changed
-  ansible.builtin.systemd: # noqa no-handler
+  ansible.builtin.systemd_service: # noqa no-handler
    daemon_reload: true
 - name: Start and enable nftables update timers
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
    name: "{{ item }}"
    state: started
    enabled: true
@@ -88,7 +88,7 @@
    - update-firehol-nftables.timer
 - name: Start and enable nftables
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
    name: nftables
    state: started
    enabled: true
--- a/roles/common/tasks/ntp.yml
+++ b/roles/common/tasks/ntp.yml
@@ -22,7 +22,7 @@
 - name: Start and enable systemd's NTP client
  when: ansible_service_mgr == 'systemd'
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
    name: systemd-timesyncd
    state: started
    enabled: true
--- a/roles/common/tasks/sshd.yml
+++ b/roles/common/tasks/sshd.yml
@@ -1,7 +1,6 @@
 ---
-# Only override the system sshd configuration on older Debian.
+# SSH configs don't change in Debian minor versions
 - name: Reconfigure /etc/ssh/sshd_config
  when: ansible_distribution_version is version('12', '<=')
  ansible.builtin.template:
    src: "sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2"
    dest: /etc/ssh/sshd_config
@@ -10,18 +9,6 @@
    mode: "0600"
  notify: Reload sshd
 # Newer OpenSSH versions support including extra configuration. The includes
 # happen at the beginning of the file and the first value to be read is used.
 - name: Configure sshd_config.d overrides
  when: ansible_distribution_version is version('13', '>=')
  ansible.builtin.template:
    src: etc/ssh/sshd_config.d/01-{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.conf.j2
    dest: /etc/ssh/sshd_config.d/01-custom.conf
    owner: root
    group: root
    mode: "0600"
  notify: Reload sshd
 # See: WeakDH (2015): https://weakdh.org/sysadmin.html
 - name: Remove small Diffie-Hellman SSH moduli
  block:
--- a/roles/common/templates/etc/ssh/sshd_config.d/01-Debian-13.conf.j2
+++ b/roles/common/templates/etc/ssh/sshd_config.d/01-Debian-13.conf.j2
@@ -1,40 +0,0 @@
 {{ ansible_managed | comment }}
 HostKey /etc/ssh/ssh_host_ed25519_key
 # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear
 # audit track of which key was using to log in.
 LogLevel VERBOSE
 MaxAuthTries 4
 AuthorizedKeysFile	.ssh/authorized_keys
 # To disable tunneled clear text passwords, change to no here!
 {% if ssh_password_authentication == 'disabled' %}
 PasswordAuthentication no
 {% else %}
 PasswordAuthentication yes
 {% endif %}
 X11Forwarding no
 # Based on the ssh-audit profile for Debian 13, but with but with all algos with
 # less than 256 bits removed, as NSA's Suite B removed them years ago and the
 # new (2018) CNSA suite is 256 bits and up.
 #
 # See: ssh-audit.py -P "Hardened Debian 13 (version 1)"
 # See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
 KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com
 {% if ssh_allowed_users is defined and ssh_allowed_users %}
 AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
 {% endif %}
 PerSourcePenaltyExemptList {{ fail2ban_ignoreip | replace(" ", ",") }}
 # Mask to use for IPv4 and IPv6 respectively when applying network penalties.
 # The default is 32:128.
 PerSourceNetBlockSize 24:56
--- a/roles/mariadb/handlers/main.yml
+++ b/roles/mariadb/handlers/main.yml
@@ -1,6 +1,6 @@
 ---
 - name: restart mariadb
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
    name: mariadb
    state: restarted
--- a/roles/munin/handlers/main.yml
+++ b/roles/munin/handlers/main.yml
@@ -1,4 +1,4 @@
 ---
 # ansible.builtin.file: roles/munin/handlers/main.yml
 - name: restart munin-node
-  ansible.builtin.systemd: name=munin-node state=restarted
+  ansible.builtin.systemd_service: name=munin-node state=restarted
--- a/roles/munin/tasks/munin-node.yml
+++ b/roles/munin/tasks/munin-node.yml
@@ -26,7 +26,7 @@
    - restart munin-node
 - name: Start munin-node
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
    name: munin-node
    state: started
    enabled: true
--- a/roles/nginx/handlers/main.yml
+++ b/roles/nginx/handlers/main.yml
@@ -1,6 +1,6 @@
 ---
 - name: Reload nginx
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
    name: nginx
    state: reloaded
--- a/roles/nginx/tasks/letsencrypt.yml
+++ b/roles/nginx/tasks/letsencrypt.yml
@@ -82,7 +82,7 @@
    # always issues daemon-reload just in case the service/timer changed
    - name: Start and enable systemd timer to renew Let's Encrypt certs
-      ansible.builtin.systemd:
+      ansible.builtin.systemd_service:
        name: renew-letsencrypt.timer
        state: started
        enabled: true
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -119,7 +119,7 @@
  tags: nginx
 - name: Start and enable nginx service
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
    name: nginx
    state: started
    enabled: true
--- a/roles/php_fpm/handlers/main.yml
+++ b/roles/php_fpm/handlers/main.yml
@@ -1,7 +1,7 @@
 ---
 # For Debian 12
 - name: Reload php8.2-fpm
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
    name: php8.2-fpm
    state: reloaded