Remove logic for Ubuntu 20.04 and Debian 11

roles/caddy: use default for encode
host_vars/web22: update vhosts
2025-03-29 23:09:44 +03:00 · 2025-03-29 22:49:30 +03:00 · 2025-03-29 22:48:19 +03:00 · 2025-03-29 22:35:56 +03:00 · 2025-03-29 22:34:41 +03:00 · 2025-03-29 22:34:37 +03:00
19 changed files with 191 additions and 2685 deletions
--- a/README.md
+++ b/README.md
@ -4,7 +4,7 @@ Ansible playbook for base and initial configuration of the web server hosting my
 ## Assumptions
 Before you can run this, a few things are assumed:

- You have a clean, minimal Ubuntu 20.04 or Debian 11/12 host up and running
+- You have a clean, minimal Debian 12 host up and running
 - Python 3 is installed on the remote server (requirement of Ansible)
 - You have a user account with password-less SSH access to the machine
 - You have sudo privileges on the remote host
--- a/group_vars/web
+++ b/group_vars/web
@ -8,4 +8,7 @@ webserver: nginx
 extra_fail2ban_filters:
  - nginx

+# root prefix for all web servers
+web_root_prefix: /var/www
+
 # vim: set ts=2 sw=2:
--- a/host_vars/web22
+++ b/host_vars/web22
@ -1,138 +1,141 @@
 $ANSIBLE_VAULT;1.1;AES256
-33646330356131646633336561386366326338643135633339303839386237363531623634613339
-3038326539616236393166353135393963323965346237340a653938643364623764346636376163
-63353039386530636330636263353139633236653138663339333738666265343839313035353738
-3735663834643031330a393463613961656637393239643835663339306535373538333765383635
-62396364626366616465613863306163653462396262336634343536376134663736613634626662
-35366433636264633666396439643365616534663162653934636563633834303161623339376663
-62353233323932386564393564656534663139653035653566636362363434303761666435633231
-33323665613333343761363166643831383037343066313964626139316437663533366437343561
-37623934646361353135356664303739333938373666343438373236656466393336613265356261
-31333531323137633230366563353331613836346231326431356263393934306163666332356164
-33646532636234376462626166383630323537636630663062323532623138313362326534353761
-39646533396338653266386662343166316431363765623430656631633936626237306561393630
-33363737383638313538323139326662663133383637383135313439653663643163366462323363
-62373239396462396230663535373536613238653562343332346438636633646430396232613035
-61326532303436343533306161346431613931366335633261626239313862323735353763623439
-66306466366466663461623834356266613866636263316563663762313266386430646132646162
-65303435663332623162303234623539383165306162383062313031353565396537396166363231
-62613332393561343966333737336435306436376161613762613961653531633231333066353239
-37663262363735366465326263336266653461366230633965653861366334623763323766303064
-65396265656463353934323263666631653132313839613862663537616461323736666362666161
-35366535346666383735643364393032303063333135663330623336626235383264333930376361
-61656136653534623633313237396531343162373336653537633432646232623737346531343337
-36663838353434363534306661626466633033623431316538333331313535613865326262333132
-62646634636537616332313537353862303936636535333762383265383231303764323665663366
-31303635633861313332356434626665656239353665616432633536306163376261383638393935
-64666663363863353534393734643233653362643136396132353636323138663730363764643866
-31313062633739303937346661393934643262363638323765666333643736656266336335353734
-66643961303236633337653063326162626231336232663265306366386137346631623637616338
-61313137336237386263623130313133303537613064353536396432393937623231326132623632
-61333830343238643138326233633137326438393333383661376435613337643131633135663661
-62663961343333316632346562313438616163646264343034643136616663626232666463356665
-36373637663936333966326232346366326337323464383831383662356234656232316633333231
-61376332326335653566323039353135363438313632383130373533383262323966646463346232
-62373835616433636430633166373134323665356330633637646138316234366439366666306561
-35356535346136363739616235303361383139306136633839323331306266323266393333323866
-30613331653634306462396230613230313764636236396662363362383964626161303165313732
-66336334666462636166313564656434353539623035303763333537386138633937613237396462
-36303266336663356465646366613662313266376132666533343737353762396561313266363030
-61383738316465373165343930303564313234303065656632383334656539373736353261343533
-32383533306565376436643332363237373763356335346533653931656638643761626531613232
-32356636616433313736373432373934636236633531376466613662623830623935643439636530
-34653365363235373031316163313038326462313566396134363239336166313263323039383763
-30393239643062386437306261343431363438636265633663326637383333353239663930393561
-34643037343239393730376465666136353566626630363635633534353233353263316562646634
-36663438623034353831656430323636393530666638643137383465346364376434616434613733
-64613565356538666231336534396665656163353561356339353563376638336635326436313337
-35336166633535343864396535623965373632313836613436626664386463376432663565663863
-33316230366633303066393433373465663764663835356364363131353838663262393061343433
-36333939633237373862393636356234323636633435336366386137656339343632646561393039
-34663735646333643634666331363238393334356431336561393263613532326362656332313331
-61383562373533393038653033633964393463633662383563326664343430346632333339326466
-33643335303737613433636537303464626132333838313934373535653534303633373530653031
-36393931346239356364336266393136653635643665353164333739333836613966623561613664
-64353761323861396533373335626263303830353833376333636134613463663263383162366665
-30353833633735393764333539386138353466313663666162363234653963343637623238376161
-63393637643537643163356637353730633330353134636135663461393638343763303966656561
-32323866643063353634653266623136313734363931336166353736613461383365373061333639
-64626366323035353032303935646138656461626166636231663161396531343635353832633266
-39383463393135396433343166646431326330393161393832383665353834343637313933383035
-61313038653234353465613431636137623836373838313166653833636237363766386535633434
-62656165326161653062336662623737613536643031616134366434376464353637653161663761
-33666433376434663633383661383139333732663036636664663138666363643335663736326463
-32303066316633303633373363626463643533643466383839343134656339663838626233643762
-63643131353663613933306438366562333261643137313432646163336563383732346135376633
-65653836623730346263316132626163626263396462613835363433393438343634393939643432
-31373735386464376339323133623235363530616636313133343466653465366531303864383933
-32613065663264633062316561316562383563336130333766373334633231346439356230353137
-32633638393466633730316664626634396133363739366334333439366363633866636163323366
-62616661663435343462356466646530623264366539313230373331663633623165623132663834
-34393337356666613730626661353539303832353062383232343638353866386133323139653262
-30353861666630316436636130356635653364616265663362373664356662363261313334616239
-34646331636138326635623164656462303766653765643931663036393734313961616533623838
-30386162333465353365643330656639323863643238386535653735316132303938396436623535
-65663463653536643263326531326263633239313330386336306466643930373362623561623134
-36643132363539613836396461363731613035626439346434623336633833326132383435336164
-66393432313532373764316333363137646134343334376638623531373339343535363762343434
-31663230376531313032373964333735393761663263356432336366626438383333306630663238
-30633934346339616261313935316266366661306330336636616562316334303066626234396666
-64346163323431383839323638343163373063353138346464646538316366313735613533383434
-61316331383133636465313837323134616632373366383339353632333763666264353062333538
-36623236373934313364343937313133613563393136303765356536636530636561626364303465
-61636231653664323637643237356562316234616565623731363037363265356632623562326437
-61373266363333643964303339656638616161653164643434303830646238376363653062383239
-63356330333337323831653264616266313264323466643635633561323966663765653830363232
-30386130653631653865383234333631353536346565353962613335623538303130313962326239
-37366139363264613564323266366337366138343636366331633238633138313532386433336333
-62336638333532646135373162393962383865316365316431643562313437306164343464616263
-64323637613061663634333361616565303735643930393634656133643362663139656563633062
-34323331386333316639656463386136376330336166613034653364633135303837323465373465
-62356365666635313838313933613937313166326131386362383530373532613734626361323735
-36326361626432363731656266633632643763633966616338303132616562313965326532396231
-31613234623163386564396262326461366532626233333163333162656234303939366331643435
-31613266623636323535333161626330616430636431616435656361356664373530643331653461
-63313731393661396333386664363264353539613336336562323033666237666530663765633830
-66656530633131323034643734643563393464386438663735316530386135386163653534643432
-36373730613831616661316565626437313735353938666664323136343330326137343337333831
-61323266393236663237623263623864343262393630666262393938386637633436626165663432
-63613861366632613934636565323164323066653534646439393937343365306632383632383438
-61656437636438376362396432656339343539326562333533646539396263363338623462353963
-31343133396636313533393838636132393763396430363261626264333664613663336438343863
-37656430653464313238633431656665643537343634643330653334333337633364313738353339
-64353432646336633264343738623461356230656637626230343636303433353637393063626264
-64636330393262643730323961633734333861653031376134663261343032633330633938303735
-62663430343335643464633533393338633762636135346638313634663535643130373033393131
-32626136333038653831393933333339613935663336653632666635633833633564623562303466
-30393231386430613435643563356463633331653838336239393636323535656430386133626266
-39383737386330643164663636343165653739653238626130373464326364376165646162626437
-36366639636136373836316335623935333633613962623232646633316136393465323734343339
-38356664386565616236303238616466393864383332613561666530336165613535323639353861
-63343261353564326433353065303830646636636437366565333037646334323930313034303965
-37316239633131643735343133306638396436313235386439343566346432343238636264376234
-37633333353464643766336335623230633466336338313766313861326335376237613830626537
-64666263383365633836663530336437386262333562613962633063646138383035393431616338
-32363237383330653564633631373336616266316538336364613936366263666162316563616132
-36376537336535653234306535623265356161376232633030303366303164666163326131343763
-33643434383465353136626131623038323365366464646230326238333065353634336264623030
-63356362343536373766646631363863386631353436666163336664353561363063313761393337
-37336633343361393737356565663237306661636236656237643465303431633831666661383131
-65646430613230616636386363303134393839623861303134343131616661366265376262636130
-65396363376262666363393965343637643861646662386231353766323839613665323130333937
-63393539656338646237633062306663323035303763623933656634656166326664623435613637
-62333164323836333439646533626335326164313735376439666236376432396566383437366634
-39373834613836383039366134336264376565653562373330653232643633616566363530363230
-65366565343865656338363163636661616164643863313037303330376363633530363662633936
-64356464646633393533376663666664656437623637633866326261646338343866343432623765
-64333934326663653831376664323562646436646131626263366130313166643466646161636239
-63343831643839633030346230333238636434386633343035653864373738653739366665343436
-38346564646263663939396430666138386133666133663835366139633232363732323162363434
-39663861353730653432616130393632646435366137343964313664646661303734623464633131
-64353937613864306139343039666433646631343834336635646438663463626436313039626262
-32393334386634616238366664626563653765343738633465386232333565666539616262373630
-33646335653135363162313230303963363632383437343030333335623562303662353236613533
-63326631323732646161323533386637613565646334613266633932336130633235313636356131
-33633638663863643936313065666664633133313038643366616237323339623265363235633566
-38663366363064646264633033616462383661333834316134366162323961333638653738653839
-34623737333135316330313061623565353437633233633838386361326338636130396566636330
-3538
+64313136396662396631396561646634386134313337316166376264346466386533383934393130
+6339663736653462613737323932396664643132383036370a343032653931343063326337626336
+38383332346637633636663865333031636166643161323335363663653033646234656332333462
+3833643037313134320a613332303261356363363138636138323661633233353365623665663632
+30616166383161663534666337303632663532343866366261393935373935666536616530373862
+66653836393966346463393061646431336666316537613364643939663938303135386463616661
+31633330663364353663646338386338323039646530373165386663646235303963623837646533
+30316236313736303837353536633161326564643566643533363431303130376338383034623365
+34303861356264333463613739373635616363366362333738383838326162313238313966313765
+35356637623833663437373765333237323961383133336161363439316632363634623734373962
+32326466303536363164666532313264343661336364396562383630653865316132366538313066
+65666661343632383434346639353462623735373933303263613938363635353666656139663832
+66333638636136393166636332623934613938656336663431323032333339336165366664636334
+65363166616462303939383838363363623530313539386635313664333136643035623262663333
+35643335346639623363323535633735613965333133323639383339323166366635303536376265
+35613939376135393165653466366462656162353632393139376666666334386166366162643438
+31313033353661313031303961313032613539396561303734356533373234633233613465306431
+31303332643931333037343164643162663738393466346639306632306534613065376138323564
+31326462666336633938396230666231356439343630336132313064363636333563373637313666
+32303230616235653733323032343238303230396232623364643765613764336137646630363462
+64343239343530636333663764643338623630366163636232353734616333306339626136313338
+35616632326436663734376263366437356236343339663430323632646136373066373961666135
+38313838316266313830626234366262383037646661386537663534633263633239306461346535
+32643032316266373931346232356162336437623137623365616132643731666361313637316536
+39656332383466346236633461366437386538373734646337393666346562323139663734326436
+65623633363266323563666437633666326363626561313133633031623632633333346332623334
+31396365333336313939633161613639383963633136616562333236636666306139663430363265
+63353261306332346439313534393363626638633531633532363365663265353331336231316238
+37323439383930346136383036303833316565306139613235333633373832313130316534666435
+30323262623037623939336265303866356532653064303436653131633162616630326362616430
+33343538353139326663653735343436623834653264376264363761313835376433653531623266
+34386266613733653634363135616335303138303062316664623666643263323939643939303133
+32393564323833666132626664646436333733396565623164646363343065343464363465383330
+33636562613734303665343366656630303732323739363339306337316266356635323262643031
+63393261363764613638666231663837373263353137643265336134646364343130353237336463
+62306363373339363235343034393230623035373366656531666663323936323366643938646135
+62643135383734663766353230356463373337613936633037396538643365393738363234313166
+62303038326236656332663939333364633132386266383665363632386235643731616631313431
+37613566616463613662633734316461386261646464636539353439373431323133663435333763
+63333230663431323136373564613239386531356463646366313537303861616234626561663133
+32643134666337633938633530323034653131663663643732623636633834323064633832396339
+35613738366666653765333434616336383635323765626561376232363062373761383665313735
+30643165633930656566633339383439353931303836333537343634353434653433333933386338
+64393566616166353731313261386239646531316563623363646537653964366631663266353366
+65666638393337663633366132663933376135396334303461653232353765626365303464626338
+30653334393439373632393662653032633264363238626431326136653561636164646237373033
+32646464616137366163313634623864656666346336383037373562633333633432313439323631
+34646132643834323261316166303531666238333964396165313936393937366533396436633832
+34663538613139623063346666306165306530646363353732353431343831303161343535623539
+38663537323132653034393335623232623530343432336531643538356430636262313132356430
+33363062333931306633643733313239373934313635336465643139616266613237353166626334
+35643138633561393531313835623665303531313437323664616561633764316332393435373065
+38633766623633666362633336326466343938623461393736666137313965386133396433303236
+34366339326637323934323236346239373565623565313433376433303061353763383732663239
+65313636646539623037653761316662303565636262376262333332316136623737613338303036
+37623837313636333464626664323163633136343762306462323339646535636237326138613132
+33613761646237396265616135346639636566316633646165616332656333383233343836316163
+36313736343263343534656533646463343933333031666433393635623461633639356430303434
+34663033333933333439386532623664316364343066646232353335643536353733326165623231
+66306661343939616235313238353761643034623062326632393161336462333365636536343934
+63343866666237636563363561366339623161643362326632333532613562336238653562346231
+33623337386233636331326232393465346362336439303336303638643430623864323434633333
+63623036623764646234636433383364333763613866626230316533643535356662306136346664
+36353734663866306336303439623537336266383131303365383439356462306237363030306432
+38623738643434396138373837386334616435383662363032663930363038666536653334613261
+36623730666333393564346539653533656434346439346632643730356665313865396463343737
+31326633646661666461396365643061333361643638363835343235646231633637616464343265
+36646439383737336531303236666136313063653563653433306563643362353536663863653266
+38613461363432333666343264333461396461653231646133383861363763353763626334373635
+35313431346465336636363531363766633234653066376366636263306238393361343936663066
+61653739303230316232626335383865636235363638663463396435623737616661346666613037
+32666436333937356530326566626237303065363834313837383837306432383833643632376564
+39623937653631656562306565376232333463626563336630633331663764346138323466303433
+38303965386635386565653035666631616239306231616530363965306134633034623936396135
+32366430333763333039613734343563663065636538616139646239303533336437616162366532
+38343137366563333866343537393532353835386230623536663966643730663031636639313232
+33636133303432343531626539633862646466653864393737363333366238666536303663343837
+39363330383432353465633132346165333564646262383736366664303239366365643533353738
+65656163313966306464633237383530316338666665666236656164636433653735353739393363
+30633462393933646436356365323864383239633963306366356534333036663438643438303365
+37366638383066653965383764323436336230363336303233303433656563656563343630613935
+64373965366662323137353631323233643463366338393639663833633635313531616539366333
+30656663666561353938393761353266386533383361326439383338363762633538396638386630
+31383131316137346234336462333032366337393438343237613231323164306132373136323233
+38643133356166303661363761646430363734373130363334376535356565386638366630306362
+63626539336134356539366166616331626361356335616665336564636638316137316230643961
+65623465336232326533616538653561646263626536333738346531366661336134366362386239
+39643665663566376264356332653062313536353635656231656566386333636330353765373664
+34616338623161333232653832386436343361636461653338363932633337623537303261396334
+30386663613335303438376234333138363432633234646133646466323930656330623161373530
+36383261373139663932623933626164313765613930323035326334373231303033616665346337
+32353235663465336433666539333032376365373266363436353063366139616232373037383664
+31323062383063373932623030356461353039326363336165326138353335326436363165393639
+33643830353734616164653833613830333066626161636130323861643866386234383136313336
+37333337363462313831633437636633383137303736303264393236333633383933303939383533
+38626138396537663463633961303766663636353737336365393638383832303735323266646337
+62643665353431326465386162633737613935353261633963616531306233613966643862316166
+38316164383433333263363630386462313639336464653061373239633235346633613237646563
+62383836393063613365653635663136356538623962623961326434646635633464313932626333
+36383666653264366236396638626265356338653630303930383861386534393732633437363663
+38623739313131643038396335326437323231636661346164353433303235356432306532353066
+63373662313366376363653039316361366266616466663663313732303962336339616235366432
+32643832366231396132333236313962313932343230333832616664356333646533323732656466
+34393862393434383362303531653638303366323530656661623236336630383064663135373862
+61313761643038333035376535633964303564616532646139393964353165353763626235303662
+65633465626365393033376437633134333532656262366462323365653466616462316664323837
+64346533366238656637366665303339666433623261623635383631303862616438353166353866
+66346366316562316230306233323937313364656537393063306537353237353737626164663365
+38636331363138326336646434653238636463633138343134373937373835373232356363663366
+37386633353439656162613736303932633333313131653364616364343761363335343430396432
+39636630343066616633376237643062616666666135363232376632666132396333363334623036
+63323531626632383062353162346536663233656132383734643761396264623165663738616564
+61316234386135656538363861363531373232303163643364366136616130643737346438353334
+63653234376562663937663135363763656236346663363738313836383466656162643131636138
+63383430653030383232333830656333373765333639303265643938323833613262643863643835
+66326466313730323666643939623539326639663838663737326665326164366262323731623037
+33383631616530383238626431333033366134383839613761656264366331663539363131396361
+64316333373134636163666634656561306130616337383030653063626161303930653730623130
+33653730656332616135663631653336386166363866303932643163353963396466646662626439
+39653562613461353633313533356336393334643066626137306164643530343331666430636330
+63613763336663613639343036363332626232346530366633646536396338613164666163663235
+37333334313436326233653866316438626366633632653336393633333931353961353132376639
+66343362646630376537356638396263623262363138323630363834386162656236313365393766
+39616135303337303166313663383635636165373333313463623731346561356430326164663164
+30333839386564616133393630396538633032616332646639616161643739626437306532356136
+34383432626136336261666166633739313663333664663035333533626334623132373037663239
+38393638323833643730353432656365396161353161613733653562303731616462623436643832
+35376133653665333432303132383966333362313262393931373264616664643438346566333764
+34303439633538376439646435646631336361316436306330653838363665366461333366656239
+33303038643139643431613764333864306134666166376164623038333330613933333766643830
+30653637666533363234626465353734303538623233623532393936303566306434346537343932
+39393863373635626530326139376339653764623265636530323330376633363265636439353738
+32353634316162656461353666666338633233393039343935613539623766363237656161383364
+61356165313637343134363932333136643464353436323333653939613666653164303363656637
+32386561326461353665633339373038616464633430303763666234313032653735373832393539
+33333334663336346139373064633364353530366166636465343734633465623065666563383539
+30316166356239316530633239313765623438306234666235616464313765356165363435303336
+39633532393965646539356439396132616637383430653762616562323065343233383034363130
+32623331343035306165313637356131633963353035313838363439343133636631626532613366
+33323364616262303962
--- a/roles/caddy/defaults/main.yml
+++ b/roles/caddy/defaults/main.yml
@ -2,7 +2,7 @@
 # file: roles/caddy/defaults/main.yml

 # parent directory of vhost document roots
-caddy_root_prefix: /var/www
+caddy_root_prefix: "{{ web_root_prefix }}"

 # Email address to use for the ACME account managing the site's certificates.
 # Not sure what Caddy does if this doesn't exist.
--- a/roles/caddy/tasks/main.yml
+++ b/roles/caddy/tasks/main.yml
@ -71,6 +71,7 @@
    mode: "0755"
    owner: root
    group: root
+  tags: caddy

 # TODO: the variable is still named nginx_vhosts
 - name: Configure Caddy virtual hosts
--- a/roles/caddy/templates/etc/caddy/conf.d/vhost.j2
+++ b/roles/caddy/templates/etc/caddy/conf.d/vhost.j2
@ -8,6 +8,12 @@
 {% set needs_php      = item.needs_php | default(false) %}
 {% set has_gitea      = item.has_gitea | default(false) %}
 {% set static_site    = item.static_site | default(false) %}
+{# Allow sites to override the document root #}
+{% if item.document_root is defined %}
+{%   set document_root = item.document_root %}
+{% else %}
+{%   set document_root = (caddy_root_prefix, domain_name) | ansible.builtin.path_join %}
+{% endif %}

 {% if domain_aliases %}
 {#   domain_aliases is a string, so we split on space #}
@ -21,15 +27,20 @@
 {{ domain_name }} {
    {% if has_gitea %}
    reverse_proxy :3000
-    {% endif %}
+    {% elif static_site -%}
+    root * {{ document_root }}

-    {% if static_site -%}
-    root * {{ item.document_root }}
-
-    encode zstd gzip
+    encode

    file_server
-    {% endif %}
+    {% elif has_wordpress -%}
+    root * {{ document_root }}
+    encode
+    {%   if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('12', '==') -%}
+    php_fastcgi unix//run/php/php8.2-fpm-{{ domain_name }}.sock
+    {%   endif -%}
+    file_server
+    {% endif -%}

    import security-headers
 }
--- a/roles/common/tasks/packages_Debian.yml
+++ b/roles/common/tasks/packages_Debian.yml
@ -1,19 +1,6 @@
 ---
 - name: Configure Debian packages
  block:
-    # Create directory for third-party package signing keys. Required on distros
-    # older than Debian 12 / Ubuntu 22.04.
-    #
-    # See: https://wiki.debian.org/DebianRepository/UseThirdParty
-    - name: Create /etc/apt/keyrings
-      file:
-        path: /etc/apt/keyrings
-        mode: "0755"
-        owner: root
-        group: root
-        state: directory
-      when: ansible_distribution_major_version is version('12', '<')
-
    # Scaleway seems to use a weird sources.list format as of Debian 12?
    - name: Check for weird Debian sources
      ansible.builtin.stat:
--- a/roles/common/tasks/packages_Ubuntu.yml
+++ b/roles/common/tasks/packages_Ubuntu.yml
@ -1,19 +1,6 @@
 ---
 - name: Configure Ubuntu packages
  block:
-    # Create directory for third-party package signing keys. Required on distros
-    # older than Debian 12 / Ubuntu 22.04.
-    #
-    # See: https://wiki.debian.org/DebianRepository/UseThirdParty
-    - name: Create /etc/apt/keyrings
-      file:
-        path: /etc/apt/keyrings
-        mode: "0755"
-        owner: root
-        group: root
-        state: directory
-      when: ansible_distribution_major_version is version('22.04', '<')
-
    - name: Configure apt mirror
      ansible.builtin.template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
      when: ansible_architecture != 'armv7l'
@ -45,38 +32,6 @@
    - name: Install base packages
      ansible.builtin.apt: pkg={{ ubuntu_base_packages }} state=present cache_valid_time=3600

-    # We have to remove snaps one by one in a specific order because some depend
-    # on others. Only after that can we remove the corresponding system packages.
-    - name: Remove lxd snap
-      community.general.snap: name=lxd state=absent
-      when: ansible_distribution_version is version('20.04', '==')
-      ignore_errors: true
-
-    - name: Remove core18 snap
-      community.general.snap: name=core18 state=absent
-      when: ansible_distribution_version is version('20.04', '==')
-      ignore_errors: true
-
-    - name: Remove snapd snap
-      community.general.snap: name=snapd state=absent
-      when: ansible_distribution_version is version('20.04', '==')
-      ignore_errors: true
-
-    - name: Set fact for packages to remove (Ubuntu 20.04)
-      ansible.builtin.set_fact:
-        ubuntu_annoying_packages:
-          - whoopsie # security (CIS 4.1)
-          - apport # security (CIS 4.1)
-          - command-not-found # annoying
-          - command-not-found-data # annoying
-          - python3-commandnotfound # annoying
-          - snapd # annoying (Ubuntu >= 16.04)
-          - lxd-agent-loader # annoying (Ubuntu 20.04)
-      when: ansible_distribution_version is version('20.04', '==')
-
-    - name: Remove packages
-      ansible.builtin.apt: name={{ ubuntu_annoying_packages }} state=absent purge=true
-
    - name: Disable annoying Canonical spam in MOTD
      ansible.builtin.file: path={{ item }} mode=0644 state=absent
      loop:
--- a/roles/common/templates/update-firehol-nftables.sh.j2
+++ b/roles/common/templates/update-firehol-nftables.sh.j2
@ -59,12 +59,7 @@ NFT_HEAD
 fi

 echo "Reloading nftables"
-{% if ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '<=') %}
-{%   set systemctl_bin = '/bin/systemctl' %}
-{% else %}
-{%   set systemctl_bin = '/usr/bin/systemctl' %}
-{% endif -%}

-{{ systemctl_bin }} reload nftables.service
+/usr/bin/systemctl reload nftables.service

 rm -v firehol_level1.netset
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@ -5,16 +5,16 @@
 nginx_confd_path: /etc/nginx/conf.d

 # parent directory of vhost roots
-nginx_root_prefix: /var/www
+nginx_root_prefix: "{{ web_root_prefix }}"

-# 1 hour timeout
-nginx_ssl_session_timeout: 1h
+# 1 day timeout
+nginx_ssl_session_timeout: 1d
 # 10MB -> 40,000 sessions
 nginx_ssl_session_cache: shared:SSL:10m
-# 1400 bytes to fit in one MTU (default is 16k!)
-nginx_ssl_buffer_size: 1400
+nginx_ssl_buffer_size: 4k
 nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
 nginx_ssl_protocols: TLSv1.2 TLSv1.3
+nginx_ssl_ecdh_curve: X25519:prime256v1:secp384r1

 # DNS resolvers for OCSP stapling (default to Cloudflare public DNS)
 # See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
@ -37,8 +37,8 @@ letsencrypt_root: /etc/ssl
 letsencrypt_acme_script_temp: /root/acme.sh
 letsencrypt_acme_home: /root/.acme.sh

-# stable is 1.20.x
-# mainline is 1.21.x
+# stable is 1.26.x
+# mainline is 1.27.x
 nginx_version: mainline

 # vim: set ts=2 sw=2:
--- a/roles/nginx/templates/blank-vhost.conf.j2
+++ b/roles/nginx/templates/blank-vhost.conf.j2
@ -11,9 +11,11 @@ server {

    return 444;
 }
+
 server {
-    listen 443 ssl http2 default_server;
-    listen [::]:443 ssl http2 default_server;
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+    http2 on;
    server_name _;

    # self-signed "snakeoil" certificate
--- a/roles/nginx/templates/https.j2
+++ b/roles/nginx/templates/https.j2
@ -27,8 +27,9 @@

    ssl_dhparam {{ nginx_ssl_dhparam }};
    ssl_protocols {{ nginx_ssl_protocols }};
+    ssl_ecdh_curve {{ nginx_ssl_ecdh_curve }};
    ssl_ciphers "{{ tls_cipher_suite }}";
-    ssl_prefer_server_ciphers on;
+    ssl_prefer_server_ciphers off;

    {# OSCP stapling only works with real certs #}
    {% if use_letsencrypt == true or item.tls_certificate_path %}
@ -38,15 +39,6 @@
    resolver {{ nginx_ssl_stapling_resolver }};
    {% endif %} {# end: use_letsencrypt #}

-    # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
-    # when a restart is performed the previous key is lost, which resets all previous
-    # sessions. The fix for this is to setup a manual rotation mechanism:
-    # http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
-    #
-    # Note that you'll have to define and rotate the keys securely by yourself. In absence
-    # of such infrastructure, consider turning off session tickets:
-    ssl_session_tickets off;
-
    {% if enable_hsts == true %}
    # Enable this if you want HSTS (recommended, but be careful)
    # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
--- a/roles/nginx/templates/vhost.conf.j2
+++ b/roles/nginx/templates/vhost.conf.j2
@ -8,6 +8,12 @@
 {% set has_wordpress  = item.has_wordpress | default(false) %}
 {% set needs_php      = item.needs_php | default(false) %}
 {% set has_gitea      = item.has_gitea | default(false) %}
+{# Allow sites to override the document root #}
+{% if item.document_root is defined %}
+{%   set document_root = item.document_root %}
+{% else %}
+{%   set document_root = (nginx_root_prefix, domain_name) | ansible.builtin.path_join %}
+{% endif %}

 # http -> https vhost
 server {
@ -26,15 +32,11 @@ server {
 }

 server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;

-    {# Allow sites to override the nginx document root #}
-    {% if item.document_root is defined %}
-    root {{ item.document_root }};
-    {% else %}
-    root {{ nginx_root_prefix }}/{{ domain_name }};
-    {% endif %}
+    root {{ document_root }};

    {# will only work if the TLS cert covers the domain + aliases, like example.com and www.example.com #}
    server_name {{ domain_name }} {{ domain_aliases }};
@ -77,10 +79,6 @@ server {

        {% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('12', '==') %}
        fastcgi_pass unix:/run/php/php8.2-fpm-{{ domain_name }}.sock;
-        {% elif (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11', '==')) %}
-        fastcgi_pass unix:/run/php/php7.4-fpm-{{ domain_name }}.sock;
-        {% else %}
-        fastcgi_pass unix:/var/run/php5-fpm-{{ domain_name }}.sock;
        {% endif %}
        fastcgi_index index.php;
        # set script path relative to document root in server block
--- a/roles/php-fpm/handlers/main.yml
+++ b/roles/php-fpm/handlers/main.yml
@ -1,8 +1,4 @@
 ---
-# For Ubuntu 20.04 and Debian 11
- name: reload php7.4-fpm
-  ansible.builtin.systemd: name=php7.4-fpm state=reloaded
-
 # For Debian 12
 - name: reload php8.2-fpm
  ansible.builtin.systemd:
--- a/roles/php-fpm/tasks/Ubuntu_20.04.yml
+++ b/roles/php-fpm/tasks/Ubuntu_20.04.yml
@ -1,35 +0,0 @@
---
- block:
-    - name: Set php-fpm packages
-      ansible.builtin.set_fact:
-        php_fpm_packages:
-          - php7.4-fpm
-          # for WordPress
-          - php7.4-mysql
-          - php7.4-gd
-          - php7.4-curl
-          - php7.4-xml
-
-    - name: Install php-fpm and deps
-      ansible.builtin.apt: name={{ php_fpm_packages }} state=present update_cache=true
-
-    # only copy php-fpm config for vhosts that need WordPress or PHP
-    - name: Copy php-fpm pool config
-      ansible.builtin.template: src=php7.4-pool.conf.j2 dest=/etc/php/7.4/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
-      loop: "{{ nginx_vhosts }}"
-      when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
-      notify: reload php7.4-fpm
-
-    - name: Remove default www pool
-      ansible.builtin.file: path=/etc/php/7.4/fpm/pool.d/www.conf state=absent
-      notify: reload php7.4-fpm
-
-    # re-configure php.ini
-    - name: Update php.ini
-      ansible.builtin.template: src=php7.4-php.ini.j2 dest=/etc/php/7.4/fpm/php.ini owner=root group=root mode=0644
-      notify: reload php7.4-fpm
-
-  tags: php-fpm
-  when: install_php
-
-# vim: set ts=2 sw=2:
--- a/roles/php-fpm/tasks/main.yml
+++ b/roles/php-fpm/tasks/main.yml
@ -1,6 +1,4 @@
 ---
-# Ubuntu 20.04 uses PHP 7.4
-# Debian 11 uses PHP 7.4
 # Debian 12 uses PHP 8.2

 # If any of the vhosts on this host need WordPress then we need to install PHP.
@ -26,22 +24,6 @@
    install_php: false
  when: install_php is not defined

- name: Configure php-fpm on Ubuntu 20.04
-  ansible.builtin.include_tasks: Ubuntu_20.04.yml
-  when:
-    - ansible_distribution == 'Ubuntu'
-    - ansible_distribution_version is version('20.04', '==')
-    - install_php
-  tags: php-fpm
-
- name: Configure php-fpm on Debian 11
-  ansible.builtin.include_tasks: Ubuntu_20.04.yml
-  when:
-    - ansible_distribution == 'Debian'
-    - ansible_distribution_major_version is version('11', '==')
-    - install_php
-  tags: php-fpm
-
 - name: Configure php-fpm on Debian 12
  ansible.builtin.include_tasks: Debian_12.yml
  when:
--- a/roles/php-fpm/templates/php7.4-php.ini.j2
+++ b/roles/php-fpm/templates/php7.4-php.ini.j2
--- a/roles/php-fpm/templates/php7.4-pool.conf.j2
+++ b/roles/php-fpm/templates/php7.4-pool.conf.j2
@ -1,436 +0,0 @@
-{% set domain_name  = item.domain_name %}
-
-; Start a new pool named '{{ domain_name }}'.
-; the variable $pool can be used in any directive and will be replaced by the
-; pool name ('{{ domain_name }}' here)
-[{{ domain_name }}]
-
-; Per pool prefix
-; It only applies on the following directives:
-; - 'access.log'
-; - 'slowlog'
-; - 'listen' (unixsocket)
-; - 'chroot'
-; - 'chdir'
-; - 'php_values'
-; - 'php_admin_values'
-; When not set, the global prefix (or /usr) applies instead.
-; Note: This directive can also be relative to the global prefix.
-; Default Value: none
-;prefix = /path/to/pools/$pool
-
-; Unix user/group of processes
-; Note: The user is mandatory. If the group is not set, the default user's group
-;       will be used.
-user = nginx
-group = nginx
-
-; The address on which to accept FastCGI requests.
-; Valid syntaxes are:
-;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
-;                            a specific port;
-;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
-;                            a specific port;
-;   'port'                 - to listen on a TCP socket to all addresses
-;                            (IPv6 and IPv4-mapped) on a specific port;
-;   '/path/to/unix/socket' - to listen on a unix socket.
-; Note: This value is mandatory.
-listen = /run/php/php7.4-fpm-{{ domain_name }}.sock
-
-; Set listen(2) backlog.
-; Default Value: 511 (-1 on FreeBSD and OpenBSD)
-;listen.backlog = 511
-
-; Set permissions for unix socket, if one is used. In Linux, read/write
-; permissions must be set in order to allow connections from a web server. Many
-; BSD-derived systems allow connections regardless of permissions.
-; Default Values: user and group are set as the running user
-;                 mode is set to 0660
-listen.owner = nginx
-listen.group = nginx
-;listen.mode = 0660
-; When POSIX Access Control Lists are supported you can set them using
-; these options, value is a comma separated list of user/group names.
-; When set, listen.owner and listen.group are ignored
-;listen.acl_users =
-;listen.acl_groups =
-
-; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
-; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
-; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
-; must be separated by a comma. If this value is left blank, connections will be
-; accepted from any ip address.
-; Default Value: any
-;listen.allowed_clients = 127.0.0.1
-
-; Specify the nice(2) priority to apply to the pool processes (only if set)
-; The value can vary from -19 (highest priority) to 20 (lower priority)
-; Note: - It will only work if the FPM master process is launched as root
-;       - The pool processes will inherit the master process priority
-;         unless it specified otherwise
-; Default Value: no set
-; process.priority = -19
-
-; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
-; or group is differrent than the master process user. It allows to create process
-; core dump and ptrace the process for the pool user.
-; Default Value: no
-; process.dumpable = yes
-
-; Choose how the process manager will control the number of child processes.
-; Possible Values:
-;   static  - a fixed number (pm.max_children) of child processes;
-;   dynamic - the number of child processes are set dynamically based on the
-;             following directives. With this process management, there will be
-;             always at least 1 children.
-;             pm.max_children      - the maximum number of children that can
-;                                    be alive at the same time.
-;             pm.start_servers     - the number of children created on startup.
-;             pm.min_spare_servers - the minimum number of children in 'idle'
-;                                    state (waiting to process). If the number
-;                                    of 'idle' processes is less than this
-;                                    number then some children will be created.
-;             pm.max_spare_servers - the maximum number of children in 'idle'
-;                                    state (waiting to process). If the number
-;                                    of 'idle' processes is greater than this
-;                                    number then some children will be killed.
-;  ondemand - no children are created at startup. Children will be forked when
-;             new requests will connect. The following parameter are used:
-;             pm.max_children           - the maximum number of children that
-;                                         can be alive at the same time.
-;             pm.process_idle_timeout   - The number of seconds after which
-;                                         an idle process will be killed.
-; Note: This value is mandatory.
-pm = dynamic
-
-; The number of child processes to be created when pm is set to 'static' and the
-; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
-; This value sets the limit on the number of simultaneous requests that will be
-; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
-; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
-; CGI. The below defaults are based on a server without much resources. Don't
-; forget to tweak pm.* to fit your needs.
-; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
-; Note: This value is mandatory.
-pm.max_children = 5
-
-; The number of child processes created on startup.
-; Note: Used only when pm is set to 'dynamic'
-; Default Value: (min_spare_servers + max_spare_servers) / 2
-pm.start_servers = 2
-
-; The desired minimum number of idle server processes.
-; Note: Used only when pm is set to 'dynamic'
-; Note: Mandatory when pm is set to 'dynamic'
-pm.min_spare_servers = 1
-
-; The desired maximum number of idle server processes.
-; Note: Used only when pm is set to 'dynamic'
-; Note: Mandatory when pm is set to 'dynamic'
-pm.max_spare_servers = 3
-
-; The number of seconds after which an idle process will be killed.
-; Note: Used only when pm is set to 'ondemand'
-; Default Value: 10s
-;pm.process_idle_timeout = 10s;
-
-; The number of requests each child process should execute before respawning.
-; This can be useful to work around memory leaks in 3rd party libraries. For
-; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
-; Default Value: 0
-;pm.max_requests = 500
-
-; The URI to view the FPM status page. If this value is not set, no URI will be
-; recognized as a status page. It shows the following informations:
-;   pool                 - the name of the pool;
-;   process manager      - static, dynamic or ondemand;
-;   start time           - the date and time FPM has started;
-;   start since          - number of seconds since FPM has started;
-;   accepted conn        - the number of request accepted by the pool;
-;   listen queue         - the number of request in the queue of pending
-;                          connections (see backlog in listen(2));
-;   max listen queue     - the maximum number of requests in the queue
-;                          of pending connections since FPM has started;
-;   listen queue len     - the size of the socket queue of pending connections;
-;   idle processes       - the number of idle processes;
-;   active processes     - the number of active processes;
-;   total processes      - the number of idle + active processes;
-;   max active processes - the maximum number of active processes since FPM
-;                          has started;
-;   max children reached - number of times, the process limit has been reached,
-;                          when pm tries to start more children (works only for
-;                          pm 'dynamic' and 'ondemand');
-; Value are updated in real time.
-; Example output:
-;   pool:                 www
-;   process manager:      static
-;   start time:           01/Jul/2011:17:53:49 +0200
-;   start since:          62636
-;   accepted conn:        190460
-;   listen queue:         0
-;   max listen queue:     1
-;   listen queue len:     42
-;   idle processes:       4
-;   active processes:     11
-;   total processes:      15
-;   max active processes: 12
-;   max children reached: 0
-;
-; By default the status page output is formatted as text/plain. Passing either
-; 'html', 'xml' or 'json' in the query string will return the corresponding
-; output syntax. Example:
-;   http://www.foo.bar/status
-;   http://www.foo.bar/status?json
-;   http://www.foo.bar/status?html
-;   http://www.foo.bar/status?xml
-;
-; By default the status page only outputs short status. Passing 'full' in the
-; query string will also return status for each pool process.
-; Example:
-;   http://www.foo.bar/status?full
-;   http://www.foo.bar/status?json&full
-;   http://www.foo.bar/status?html&full
-;   http://www.foo.bar/status?xml&full
-; The Full status returns for each process:
-;   pid                  - the PID of the process;
-;   state                - the state of the process (Idle, Running, ...);
-;   start time           - the date and time the process has started;
-;   start since          - the number of seconds since the process has started;
-;   requests             - the number of requests the process has served;
-;   request duration     - the duration in µs of the requests;
-;   request method       - the request method (GET, POST, ...);
-;   request URI          - the request URI with the query string;
-;   content length       - the content length of the request (only with POST);
-;   user                 - the user (PHP_AUTH_USER) (or '-' if not set);
-;   script               - the main script called (or '-' if not set);
-;   last request cpu     - the %cpu the last request consumed
-;                          it's always 0 if the process is not in Idle state
-;                          because CPU calculation is done when the request
-;                          processing has terminated;
-;   last request memory  - the max amount of memory the last request consumed
-;                          it's always 0 if the process is not in Idle state
-;                          because memory calculation is done when the request
-;                          processing has terminated;
-; If the process is in Idle state, then informations are related to the
-; last request the process has served. Otherwise informations are related to
-; the current request being served.
-; Example output:
-;   ************************
-;   pid:                  31330
-;   state:                Running
-;   start time:           01/Jul/2011:17:53:49 +0200
-;   start since:          63087
-;   requests:             12808
-;   request duration:     1250261
-;   request method:       GET
-;   request URI:          /test_mem.php?N=10000
-;   content length:       0
-;   user:                 -
-;   script:               /home/fat/web/docs/php/test_mem.php
-;   last request cpu:     0.00
-;   last request memory:  0
-;
-; Note: There is a real-time FPM status monitoring sample web page available
-;       It's available in: /usr/share/php/7.4/fpm/status.html
-;
-; Note: The value must start with a leading slash (/). The value can be
-;       anything, but it may not be a good idea to use the .php extension or it
-;       may conflict with a real PHP file.
-; Default Value: not set
-;pm.status_path = /status
-
-; The ping URI to call the monitoring page of FPM. If this value is not set, no
-; URI will be recognized as a ping page. This could be used to test from outside
-; that FPM is alive and responding, or to
-; - create a graph of FPM availability (rrd or such);
-; - remove a server from a group if it is not responding (load balancing);
-; - trigger alerts for the operating team (24/7).
-; Note: The value must start with a leading slash (/). The value can be
-;       anything, but it may not be a good idea to use the .php extension or it
-;       may conflict with a real PHP file.
-; Default Value: not set
-;ping.path = /ping
-
-; This directive may be used to customize the response of a ping request. The
-; response is formatted as text/plain with a 200 response code.
-; Default Value: pong
-;ping.response = pong
-
-; The access log file
-; Default: not set
-;access.log = log/$pool.access.log
-
-; The access log format.
-; The following syntax is allowed
-;  %%: the '%' character
-;  %C: %CPU used by the request
-;      it can accept the following format:
-;      - %{user}C for user CPU only
-;      - %{system}C for system CPU only
-;      - %{total}C  for user + system CPU (default)
-;  %d: time taken to serve the request
-;      it can accept the following format:
-;      - %{seconds}d (default)
-;      - %{miliseconds}d
-;      - %{mili}d
-;      - %{microseconds}d
-;      - %{micro}d
-;  %e: an environment variable (same as $_ENV or $_SERVER)
-;      it must be associated with embraces to specify the name of the env
-;      variable. Some exemples:
-;      - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
-;      - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
-;  %f: script filename
-;  %l: content-length of the request (for POST request only)
-;  %m: request method
-;  %M: peak of memory allocated by PHP
-;      it can accept the following format:
-;      - %{bytes}M (default)
-;      - %{kilobytes}M
-;      - %{kilo}M
-;      - %{megabytes}M
-;      - %{mega}M
-;  %n: pool name
-;  %o: output header
-;      it must be associated with embraces to specify the name of the header:
-;      - %{Content-Type}o
-;      - %{X-Powered-By}o
-;      - %{Transfert-Encoding}o
-;      - ....
-;  %p: PID of the child that serviced the request
-;  %P: PID of the parent of the child that serviced the request
-;  %q: the query string
-;  %Q: the '?' character if query string exists
-;  %r: the request URI (without the query string, see %q and %Q)
-;  %R: remote IP address
-;  %s: status (response code)
-;  %t: server time the request was received
-;      it can accept a strftime(3) format:
-;      The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
-;  %T: time the log has been written (the request has finished)
-;      it can accept a strftime(3) format:
-;      The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
-;  %u: remote user
-;
-; Default: "%R - %u %t \"%m %r\" %s"
-;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
-
-; The log file for slow requests
-; Default Value: not set
-; Note: slowlog is mandatory if request_slowlog_timeout is set
-;slowlog = log/$pool.log.slow
-
-; The timeout for serving a single request after which a PHP backtrace will be
-; dumped to the 'slowlog' file. A value of '0s' means 'off'.
-; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
-; Default Value: 0
-;request_slowlog_timeout = 0
-
-; Depth of slow log stack trace.
-; Default Value: 20
-;request_slowlog_trace_depth = 20
-
-; The timeout for serving a single request after which the worker process will
-; be killed. This option should be used when the 'max_execution_time' ini option
-; does not stop script execution for some reason. A value of '0' means 'off'.
-; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
-; Default Value: 0
-;request_terminate_timeout = 0
-
-; The timeout set by 'request_terminate_timeout' ini option is not engaged after
-; application calls 'fastcgi_finish_request' or when application has finished and
-; shutdown functions are being called (registered via register_shutdown_function).
-; This option will enable timeout limit to be applied unconditionally
-; even in such cases.
-; Default Value: no
-;request_terminate_timeout_track_finished = no
-
-; Set open file descriptor rlimit.
-; Default Value: system defined value
-;rlimit_files = 1024
-
-; Set max core size rlimit.
-; Possible Values: 'unlimited' or an integer greater or equal to 0
-; Default Value: system defined value
-;rlimit_core = 0
-
-; Chroot to this directory at the start. This value must be defined as an
-; absolute path. When this value is not set, chroot is not used.
-; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
-; of its subdirectories. If the pool prefix is not set, the global prefix
-; will be used instead.
-; Note: chrooting is a great security feature and should be used whenever
-;       possible. However, all PHP paths will be relative to the chroot
-;       (error_log, sessions.save_path, ...).
-; Default Value: not set
-;chroot =
-
-; Chdir to this directory at the start.
-; Note: relative path can be used.
-; Default Value: current directory or / when chroot
-;chdir = /var/www
-
-; Redirect worker stdout and stderr into main error log. If not set, stdout and
-; stderr will be redirected to /dev/null according to FastCGI specs.
-; Note: on highloaded environement, this can cause some delay in the page
-; process time (several ms).
-; Default Value: no
-;catch_workers_output = yes
-
-; Decorate worker output with prefix and suffix containing information about
-; the child that writes to the log and if stdout or stderr is used as well as
-; log level and time. This options is used only if catch_workers_output is yes.
-; Settings to "no" will output data as written to the stdout or stderr.
-; Default value: yes
-;decorate_workers_output = no
-
-; Clear environment in FPM workers
-; Prevents arbitrary environment variables from reaching FPM worker processes
-; by clearing the environment in workers before env vars specified in this
-; pool configuration are added.
-; Setting to "no" will make all environment variables available to PHP code
-; via getenv(), $_ENV and $_SERVER.
-; Default Value: yes
-;clear_env = no
-
-; Limits the extensions of the main script FPM will allow to parse. This can
-; prevent configuration mistakes on the web server side. You should only limit
-; FPM to .php extensions to prevent malicious users to use other extensions to
-; execute php code.
-; Note: set an empty value to allow all extensions.
-; Default Value: .php
-;security.limit_extensions = .php .php3 .php4 .php5 .php7
-
-; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
-; the current environment.
-; Default Value: clean env
-;env[HOSTNAME] = $HOSTNAME
-;env[PATH] = /usr/local/bin:/usr/bin:/bin
-;env[TMP] = /tmp
-;env[TMPDIR] = /tmp
-;env[TEMP] = /tmp
-
-; Additional php.ini defines, specific to this pool of workers. These settings
-; overwrite the values previously defined in the php.ini. The directives are the
-; same as the PHP SAPI:
-;   php_value/php_flag             - you can set classic ini defines which can
-;                                    be overwritten from PHP call 'ini_set'.
-;   php_admin_value/php_admin_flag - these directives won't be overwritten by
-;                                     PHP call 'ini_set'
-; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
-
-; Defining 'extension' will load the corresponding shared extension from
-; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
-; overwrite previously defined php.ini values, but will append the new value
-; instead.
-
-; Note: path INI options can be relative and will be expanded with the prefix
-; (pool, global or /usr)
-
-; Default Value: nothing is defined by default except the values in php.ini and
-;                specified at startup with the -d argument
-;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
-;php_flag[display_errors] = off
-;php_admin_value[error_log] = /var/log/fpm-php.www.log
-;php_admin_flag[log_errors] = on
-;php_admin_value[memory_limit] = 32M
--- a/roles/php-fpm/templates/php8.2-pool.conf.j2
+++ b/roles/php-fpm/templates/php8.2-pool.conf.j2
@ -27,8 +27,8 @@
 ;       --allow-to-run-as-root option to work.
 ; Default Values: The user is set to master process running user by default.
 ;                 If the group is not set, the user's group is used.
-user = nginx
-group = nginx
+user = {{ webserver }}
+group = {{ webserver }}

 ; The address on which to accept FastCGI requests.
 ; Valid syntaxes are:
@ -52,8 +52,8 @@ listen = /run/php/php8.2-fpm-{{ domain_name }}.sock
 ; and group can be specified either by name or by their numeric IDs.
 ; Default Values: Owner is set to the master process running user. If the group
 ;                 is not set, the owner's group is used. Mode is set to 0660.
-listen.owner = nginx
-listen.group = nginx
+listen.owner = {{ webserver }}
+listen.group = {{ webserver }}
 ;listen.mode = 0660

 ; When POSIX Access Control Lists are supported you can set them using
Author	SHA1	Message	Date
Alan Orth	88cb3a370e	Remove logic for Ubuntu 20.04 and Debian 11	2025-03-29 23:09:44 +03:00
Alan Orth	027a43ddbe	roles/caddy: use default for encode	2025-03-29 22:49:30 +03:00
Alan Orth	bb30c3be20	host_vars/web22: update vhosts	2025-03-29 22:48:19 +03:00
Alan Orth	d8d9790d21	roles/nginx: enable nginx ssl_session_tickets This has apparently been supported since nginx 1.23.2 and is safe to use the default (on) now. See: https://github.com/mozilla/server-side-tls/issues/284	2025-03-29 22:35:56 +03:00
Alan Orth	9a500ebc0d	roles/nginx: disable nginx ssl_prefer_server_ciphers This is apparently the default and recommended by Mozilla's server- side SSL configurator also recommends. This lets the client choose the ciphers best for them (and the ciphers in TLS 1.2 and 1.3 are not currently known to be dangerous).	2025-03-29 22:34:41 +03:00
Alan Orth	4bae942585	roles/nginx: add nginx ssl_ecdh_curve This seems to be new since I last looked at the Mozilla server-side SSL configurator.	2025-03-29 22:34:37 +03:00
Alan Orth	99866c0c90	roles/nginx: use one day for nginx ssl_session_timeout This is a new default since I last looked at the Mozilla server-side SSL configurator.	2025-03-29 22:34:32 +03:00
Alan Orth	0afb8a4493	roles/nginx: update nginx ssl_buffer_size The old default has not been changed in eight years and I see that there have been some discussions over the years about this. I will change this from the slightly extreme 1400 bytes to 4k (nginx def- ault is still 16k so this is more "optimal" for HTML/CSS content). See: https://github.com/igrigorik/istlsfastyet.com/issues/63	2025-03-29 22:34:27 +03:00
Alan Orth	506695da31	roles/nginx/defaults: update version comments	2025-03-29 22:24:49 +03:00
Alan Orth	f67ed7762c	roles/nginx: fix http2 syntax	2025-03-29 22:20:49 +03:00
Alan Orth	014f4d9502	roles/nginx: add newline	2025-03-29 22:19:41 +03:00
Alan Orth	22c16e1ed3	roles/caddy/templates: closer to supporting WordPress I still wouldn't want to deploy WordPress on Caddy until it's more obvious and standard to block paths that shouldn't be accessible. It seems that this is still left as an exercise to the site admin. This discussion has some tips, but it is four years old and hasn't changed since I last looked. See: https://caddy.community/t/using-caddy-to-harden-wordpress/13575	2025-03-29 22:09:37 +03:00
Alan Orth	5aa6a33e51	roles/php-fpm: set user and group based on webserver We use either caddy or nginx, which are conveniently named the same as the Unix user and group.	2025-03-29 21:01:56 +03:00
Alan Orth	7f9b06af9c	roles/nginx: smarter setting of document root	2025-03-29 19:34:53 +03:00
Alan Orth	84db337fea	roles/caddy: smarter setting of document root	2025-03-29 19:33:02 +03:00
Alan Orth	7b23f5f94f	roles/caddy: add missing tag	2025-03-29 19:16:03 +03:00
Alan Orth	9830338be3	Use one default root prefix for nginx and caddy	2025-03-29 19:15:56 +03:00
Alan Orth	e3eed26765	roles/caddy: update vhost template	2025-03-29 18:37:28 +03:00