roles: update ansible.builtin.systemd builtin

Use ansible.builtin.systemd_service instead.

ansible.cfg

@@ -13,12 +13,6 @@ interpreter_python=auto
 # See: https://docs.ansible.com/ansible/latest/user_guide/connection_details.html#managing-host-key-checking
 host_key_checking = False
 
-ansible_managed = This file is managed by Ansible.%n
-  template: {file}
-  date: %Y-%m-%d %H:%M:%S
-  user: {uid}
-  host: {host}
-
 [privilege_escalation]
 # instead of using -K
 become_ask_pass=True

group_vars/all

@@ -3,4 +3,12 @@
 
 tls_cipher_suite: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
 
+ansible_managed: |-
+  This file is managed by Ansible.
+
+  {{ 'template: ' + template_path }}
+  {{ 'date: ' + (template_mtime | string) }}
+  {{ 'user: ' + template_uid }}
+  {{ 'host: ' + template_host }}
+
 # vim: set ts=2 sw=2:

roles/caddy/handlers/main.yml

@@ -3,7 +3,7 @@
 
 # I'm currently not sure when we need to restart versus reload
 - name: reload caddy
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: caddy
     state: reloaded
 

roles/caddy/templates/etc/caddy/conf.d/vhost.j2

@@ -36,7 +36,7 @@
     {% elif has_wordpress -%}
     root * {{ document_root }}
     encode
-    {%   if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('12', '==') -%}
+    {%   if ansible_distribution_major_version is version('12', '==') -%}
     php_fastcgi unix//run/php/php8.2-fpm-{{ domain_name }}.sock
     {%   endif -%}
     file_server

roles/common/files/etc/sudoers.d/provisioning

@@ -1 +0,0 @@
-provisioning   ALL=(ALL)  ALL

roles/common/handlers/main.yml

@@ -2,7 +2,7 @@
 # ansible.builtin.file: roles/common/handlers/main.yml
 
 - name: Reload sshd
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: "{{ sshd_service_name }}"
     state: reloaded
 
@@ -10,11 +10,11 @@
   ansible.builtin.command: sysctl -p /etc/sysctl.conf
 
 - name: Reload systemd
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     daemon_reload: true
 
 - name: Restart nftables
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: nftables
     state: restarted
 
@@ -22,6 +22,6 @@
 # in the order they are defined, not in the order they are listed in the task's
 # notify statement and we must restart fail2ban after updating the firewall.
 - name: Restart fail2ban
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: fail2ban
     state: restarted

roles/common/tasks/fail2ban.yml

@@ -1,7 +1,7 @@
 ---
 - name: Install fail2ban
-  when: ansible_distribution_major_version is version('11', '>=')
-  ansible.builtin.package:
+  when: ansible_distribution_version is version('11', '>=')
+  ansible.builtin.apt:
     name:
       - fail2ban
       - python3-systemd
@@ -47,7 +47,7 @@
     - Restart fail2ban
 
 - name: Start and enable fail2ban service
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: fail2ban
     state: started
     enabled: true

roles/common/tasks/firewall.yml

@@ -2,14 +2,14 @@
 # Debian 11+ will use nftables directly, with no firewalld.
 
 - name: Install Debian firewall packages
-  when: ansible_distribution_major_version is version('11', '>=')
-  ansible.builtin.package:
+  when: ansible_distribution_version is version('11', '>=')
+  ansible.builtin.apt:
     name: nftables
     state: present
     cache_valid_time: 3600
 
 - name: Remove iptables on newer Debian
-  when: ansible_distribution_major_version is version('11', '>=')
+  when: ansible_distribution_version is version('11', '>=')
   ansible.builtin.apt:
     pkg: iptables
     state: absent
@@ -19,7 +19,7 @@
   ansible.builtin.include_tasks: nftables.yml
 
 - name: Configure fail2ban
-  when: ansible_distribution_major_version is version('9', '>=')
+  when: ansible_distribution_version is version('9', '>=')
   ansible.builtin.include_tasks: fail2ban.yml
 
 # vim: set sw=2 ts=2:

roles/common/tasks/nftables.yml

@@ -75,12 +75,12 @@
 
 # need to reload to pick up service/timer/environment changes
 - name: Reload systemd daemon
-  ansible.builtin.systemd: # noqa no-handler
-    daemon_reload: true
   when: nftables_systemd_units is changed
+  ansible.builtin.systemd_service: # noqa no-handler
+    daemon_reload: true
 
 - name: Start and enable nftables update timers
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: "{{ item }}"
     state: started
     enabled: true
@@ -88,7 +88,7 @@
     - update-firehol-nftables.timer
 
 - name: Start and enable nftables
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: nftables
     state: started
     enabled: true

roles/common/tasks/ntp.yml

@@ -12,11 +12,9 @@
 
 # Apparently some cloud images don't have this installed by default. From what
 # I can see on existing servers, systemd-timesyncd is a standalone package on
-# Debian 11.
+# Debian 11 and Debian 12.
 - name: Install systemd-timesyncd
-  when:
-    - ansible_distribution == 'Debian'
-    - ansible_distribution_version is version('11', '>='))
+  when: ansible_distribution_version is version('11', '>=')
   ansible.builtin.apt:
     name: systemd-timesyncd
     state: present
@@ -24,13 +22,17 @@
 
 - name: Start and enable systemd's NTP client
   when: ansible_service_mgr == 'systemd'
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: systemd-timesyncd
     state: started
     enabled: true
 
-- name: Uninstall ntp on modern Debian
-  when: ansible_service_mgr == 'systemd'
+# On Debian 12 ntp doesn't conflict with systemd-timesyncd so we should try to
+# remove it to be sure.
+- name: Uninstall ntp on Debian 12
+  when:
+    - ansible_service_mgr == 'systemd'
+    - ansible_distribution_major_version is version('12', '==')
   ansible.builtin.apt:
     name: ntp
     state: absent

roles/common/tasks/packages.yml

@@ -48,8 +48,8 @@
         cache_valid_time: 3600
 
     - name: Remove cron-apt
-      ansible.builtin.import_tasks: cron-apt.yml
       tags: cron-apt
+      ansible.builtin.import_tasks: cron-apt.yml
 
     - name: Install tarsnap
       ansible.builtin.import_tasks: tarsnap.yml

roles/common/tasks/tarsnap.yml

@@ -5,6 +5,7 @@
   register: tarsnap_signing_key_stat
 
 - name: Download tarsnap apt signing key
+  when: not tarsnap_signing_key_stat.stat.exists
   ansible.builtin.get_url:
     url: https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc
     dest: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
@@ -12,9 +13,9 @@
     group: root
     mode: "0644"
   register: download_tarsnap_signing_key
-  when: not tarsnap_signing_key_stat.stat.exists
 
 - name: Add tarsnap.org repo
+  when: ansible_architecture != 'armv7l'
   ansible.builtin.template:
     src: tarsnap_sources.list.j2
     dest: /etc/apt/sources.list.d/tarsnap.list
@@ -22,12 +23,11 @@
     group: root
     mode: "0644"
   register: add_tarsnap_apt_repository
-  when: ansible_architecture != 'armv7l'
 
 - name: Update apt cache
+  when: (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or add_tarsnap_apt_repository is changed
   ansible.builtin.apt: # noqa no-handler
     update_cache: true
-  when: (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or add_tarsnap_apt_repository is changed
 
 - name: Install tarsnap
   ansible.builtin.apt:

roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2

@@ -6,14 +6,14 @@ PartOf=nftables.service
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectHome=read-only
-{% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=') %}
+{% if ansible_distribution_version is version('11','>=') %}
 ProtectSystem=strict
 {% else %}
 {# Older systemd versions don't have ProtectSystem=strict #}
 ProtectSystem=full
 {% endif %}
 NoNewPrivileges=yes
-{% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=') %}
+{% if ansible_distribution_version is version('11','>=') %}
 ReadWritePaths=-/var/run/fail2ban
 ReadWritePaths=-/var/lib/fail2ban
 ReadWritePaths=-/var/log/fail2ban.log

roles/mariadb/handlers/main.yml

@@ -1,6 +1,6 @@
 ---
 - name: restart mariadb
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: mariadb
     state: restarted
 

roles/munin/handlers/main.yml

@@ -1,4 +1,4 @@
 ---
 # ansible.builtin.file: roles/munin/handlers/main.yml
 - name: restart munin-node
-  ansible.builtin.systemd: name=munin-node state=restarted
+  ansible.builtin.systemd_service: name=munin-node state=restarted

roles/munin/tasks/munin-node.yml

@@ -26,7 +26,7 @@
     - restart munin-node
 
 - name: Start munin-node
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: munin-node
     state: started
     enabled: true

roles/nginx/handlers/main.yml

@@ -1,6 +1,6 @@
 ---
 - name: Reload nginx
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: nginx
     state: reloaded
 

roles/nginx/tasks/letsencrypt.yml

@@ -82,7 +82,7 @@
 
     # always issues daemon-reload just in case the service/timer changed
     - name: Start and enable systemd timer to renew Let's Encrypt certs
-      ansible.builtin.systemd:
+      ansible.builtin.systemd_service:
         name: renew-letsencrypt.timer
         state: started
         enabled: true

roles/nginx/tasks/main.yml

@@ -119,7 +119,7 @@
   tags: nginx
 
 - name: Start and enable nginx service
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: nginx
     state: started
     enabled: true

roles/nginx/templates/vhost.conf.j2

@@ -77,7 +77,7 @@ server {
         # See: https://httpoxy.org/
         fastcgi_param HTTP_PROXY "";
 
-        {% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('12', '==') %}
+        {% if ansible_distribution_major_version is version('12', '==') %}
         fastcgi_pass unix:/run/php/php8.2-fpm-{{ domain_name }}.sock;
         {% endif %}
         fastcgi_index index.php;

roles/php_fpm/handlers/main.yml

@@ -1,7 +1,7 @@
 ---
 # For Debian 12
 - name: Reload php8.2-fpm
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: php8.2-fpm
     state: reloaded