roles: use ansible_facts["foo"] pattern

Instead of ansible_foo. Ansible recently started warning that this
is deprecated.

README.md

@@ -4,7 +4,7 @@ Ansible playbook for base and initial configuration of the web server hosting my
 ## Assumptions
 Before you can run this, a few things are assumed:
 
-- You have a clean, minimal Ubuntu 20.04 or Debian 11/12 host up and running
+- You have a clean, minimal Debian 12 host up and running
 - Python 3 is installed on the remote server (requirement of Ansible)
 - You have a user account with password-less SSH access to the machine
 - You have sudo privileges on the remote host

ansible.cfg

@@ -13,12 +13,6 @@ interpreter_python=auto
 # See: https://docs.ansible.com/ansible/latest/user_guide/connection_details.html#managing-host-key-checking
 host_key_checking = False
 
-ansible_managed = This file is managed by Ansible.%n
-  template: {file}
-  date: %Y-%m-%d %H:%M:%S
-  user: {uid}
-  host: {host}
-
 [privilege_escalation]
 # instead of using -K
 become_ask_pass=True

group_vars/all

@@ -3,4 +3,12 @@
 
 tls_cipher_suite: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
 
+ansible_managed: |-
+  This file is managed by Ansible.
+
+  {{ 'template: ' + template_path }}
+  {{ 'date: ' + (template_mtime | string) }}
+  {{ 'user: ' + template_uid }}
+  {{ 'host: ' + template_host }}
+
 # vim: set ts=2 sw=2:

group_vars/web

@@ -8,4 +8,7 @@ webserver: nginx
 extra_fail2ban_filters:
   - nginx
 
+# root prefix for all web servers
+web_root_prefix: /var/www
+
 # vim: set ts=2 sw=2:

host_vars/web22

@@ -1,138 +1,141 @@
 $ANSIBLE_VAULT;1.1;AES256
-33646330356131646633336561386366326338643135633339303839386237363531623634613339
-3038326539616236393166353135393963323965346237340a653938643364623764346636376163
-63353039386530636330636263353139633236653138663339333738666265343839313035353738
-3735663834643031330a393463613961656637393239643835663339306535373538333765383635
-62396364626366616465613863306163653462396262336634343536376134663736613634626662
-35366433636264633666396439643365616534663162653934636563633834303161623339376663
-62353233323932386564393564656534663139653035653566636362363434303761666435633231
-33323665613333343761363166643831383037343066313964626139316437663533366437343561
-37623934646361353135356664303739333938373666343438373236656466393336613265356261
-31333531323137633230366563353331613836346231326431356263393934306163666332356164
-33646532636234376462626166383630323537636630663062323532623138313362326534353761
-39646533396338653266386662343166316431363765623430656631633936626237306561393630
-33363737383638313538323139326662663133383637383135313439653663643163366462323363
-62373239396462396230663535373536613238653562343332346438636633646430396232613035
-61326532303436343533306161346431613931366335633261626239313862323735353763623439
-66306466366466663461623834356266613866636263316563663762313266386430646132646162
-65303435663332623162303234623539383165306162383062313031353565396537396166363231
-62613332393561343966333737336435306436376161613762613961653531633231333066353239
-37663262363735366465326263336266653461366230633965653861366334623763323766303064
-65396265656463353934323263666631653132313839613862663537616461323736666362666161
-35366535346666383735643364393032303063333135663330623336626235383264333930376361
-61656136653534623633313237396531343162373336653537633432646232623737346531343337
-36663838353434363534306661626466633033623431316538333331313535613865326262333132
-62646634636537616332313537353862303936636535333762383265383231303764323665663366
-31303635633861313332356434626665656239353665616432633536306163376261383638393935
-64666663363863353534393734643233653362643136396132353636323138663730363764643866
-31313062633739303937346661393934643262363638323765666333643736656266336335353734
-66643961303236633337653063326162626231336232663265306366386137346631623637616338
-61313137336237386263623130313133303537613064353536396432393937623231326132623632
-61333830343238643138326233633137326438393333383661376435613337643131633135663661
-62663961343333316632346562313438616163646264343034643136616663626232666463356665
-36373637663936333966326232346366326337323464383831383662356234656232316633333231
-61376332326335653566323039353135363438313632383130373533383262323966646463346232
-62373835616433636430633166373134323665356330633637646138316234366439366666306561
-35356535346136363739616235303361383139306136633839323331306266323266393333323866
-30613331653634306462396230613230313764636236396662363362383964626161303165313732
-66336334666462636166313564656434353539623035303763333537386138633937613237396462
-36303266336663356465646366613662313266376132666533343737353762396561313266363030
-61383738316465373165343930303564313234303065656632383334656539373736353261343533
-32383533306565376436643332363237373763356335346533653931656638643761626531613232
-32356636616433313736373432373934636236633531376466613662623830623935643439636530
-34653365363235373031316163313038326462313566396134363239336166313263323039383763
-30393239643062386437306261343431363438636265633663326637383333353239663930393561
-34643037343239393730376465666136353566626630363635633534353233353263316562646634
-36663438623034353831656430323636393530666638643137383465346364376434616434613733
-64613565356538666231336534396665656163353561356339353563376638336635326436313337
-35336166633535343864396535623965373632313836613436626664386463376432663565663863
-33316230366633303066393433373465663764663835356364363131353838663262393061343433
-36333939633237373862393636356234323636633435336366386137656339343632646561393039
-34663735646333643634666331363238393334356431336561393263613532326362656332313331
-61383562373533393038653033633964393463633662383563326664343430346632333339326466
-33643335303737613433636537303464626132333838313934373535653534303633373530653031
-36393931346239356364336266393136653635643665353164333739333836613966623561613664
-64353761323861396533373335626263303830353833376333636134613463663263383162366665
-30353833633735393764333539386138353466313663666162363234653963343637623238376161
-63393637643537643163356637353730633330353134636135663461393638343763303966656561
-32323866643063353634653266623136313734363931336166353736613461383365373061333639
-64626366323035353032303935646138656461626166636231663161396531343635353832633266
-39383463393135396433343166646431326330393161393832383665353834343637313933383035
-61313038653234353465613431636137623836373838313166653833636237363766386535633434
-62656165326161653062336662623737613536643031616134366434376464353637653161663761
-33666433376434663633383661383139333732663036636664663138666363643335663736326463
-32303066316633303633373363626463643533643466383839343134656339663838626233643762
-63643131353663613933306438366562333261643137313432646163336563383732346135376633
-65653836623730346263316132626163626263396462613835363433393438343634393939643432
-31373735386464376339323133623235363530616636313133343466653465366531303864383933
-32613065663264633062316561316562383563336130333766373334633231346439356230353137
-32633638393466633730316664626634396133363739366334333439366363633866636163323366
-62616661663435343462356466646530623264366539313230373331663633623165623132663834
-34393337356666613730626661353539303832353062383232343638353866386133323139653262
-30353861666630316436636130356635653364616265663362373664356662363261313334616239
-34646331636138326635623164656462303766653765643931663036393734313961616533623838
-30386162333465353365643330656639323863643238386535653735316132303938396436623535
-65663463653536643263326531326263633239313330386336306466643930373362623561623134
-36643132363539613836396461363731613035626439346434623336633833326132383435336164
-66393432313532373764316333363137646134343334376638623531373339343535363762343434
-31663230376531313032373964333735393761663263356432336366626438383333306630663238
-30633934346339616261313935316266366661306330336636616562316334303066626234396666
-64346163323431383839323638343163373063353138346464646538316366313735613533383434
-61316331383133636465313837323134616632373366383339353632333763666264353062333538
-36623236373934313364343937313133613563393136303765356536636530636561626364303465
-61636231653664323637643237356562316234616565623731363037363265356632623562326437
-61373266363333643964303339656638616161653164643434303830646238376363653062383239
-63356330333337323831653264616266313264323466643635633561323966663765653830363232
-30386130653631653865383234333631353536346565353962613335623538303130313962326239
-37366139363264613564323266366337366138343636366331633238633138313532386433336333
-62336638333532646135373162393962383865316365316431643562313437306164343464616263
-64323637613061663634333361616565303735643930393634656133643362663139656563633062
-34323331386333316639656463386136376330336166613034653364633135303837323465373465
-62356365666635313838313933613937313166326131386362383530373532613734626361323735
-36326361626432363731656266633632643763633966616338303132616562313965326532396231
-31613234623163386564396262326461366532626233333163333162656234303939366331643435
-31613266623636323535333161626330616430636431616435656361356664373530643331653461
-63313731393661396333386664363264353539613336336562323033666237666530663765633830
-66656530633131323034643734643563393464386438663735316530386135386163653534643432
-36373730613831616661316565626437313735353938666664323136343330326137343337333831
-61323266393236663237623263623864343262393630666262393938386637633436626165663432
-63613861366632613934636565323164323066653534646439393937343365306632383632383438
-61656437636438376362396432656339343539326562333533646539396263363338623462353963
-31343133396636313533393838636132393763396430363261626264333664613663336438343863
-37656430653464313238633431656665643537343634643330653334333337633364313738353339
-64353432646336633264343738623461356230656637626230343636303433353637393063626264
-64636330393262643730323961633734333861653031376134663261343032633330633938303735
-62663430343335643464633533393338633762636135346638313634663535643130373033393131
-32626136333038653831393933333339613935663336653632666635633833633564623562303466
-30393231386430613435643563356463633331653838336239393636323535656430386133626266
-39383737386330643164663636343165653739653238626130373464326364376165646162626437
-36366639636136373836316335623935333633613962623232646633316136393465323734343339
-38356664386565616236303238616466393864383332613561666530336165613535323639353861
-63343261353564326433353065303830646636636437366565333037646334323930313034303965
-37316239633131643735343133306638396436313235386439343566346432343238636264376234
-37633333353464643766336335623230633466336338313766313861326335376237613830626537
-64666263383365633836663530336437386262333562613962633063646138383035393431616338
-32363237383330653564633631373336616266316538336364613936366263666162316563616132
-36376537336535653234306535623265356161376232633030303366303164666163326131343763
-33643434383465353136626131623038323365366464646230326238333065353634336264623030
-63356362343536373766646631363863386631353436666163336664353561363063313761393337
-37336633343361393737356565663237306661636236656237643465303431633831666661383131
-65646430613230616636386363303134393839623861303134343131616661366265376262636130
-65396363376262666363393965343637643861646662386231353766323839613665323130333937
-63393539656338646237633062306663323035303763623933656634656166326664623435613637
-62333164323836333439646533626335326164313735376439666236376432396566383437366634
-39373834613836383039366134336264376565653562373330653232643633616566363530363230
-65366565343865656338363163636661616164643863313037303330376363633530363662633936
-64356464646633393533376663666664656437623637633866326261646338343866343432623765
-64333934326663653831376664323562646436646131626263366130313166643466646161636239
-63343831643839633030346230333238636434386633343035653864373738653739366665343436
-38346564646263663939396430666138386133666133663835366139633232363732323162363434
-39663861353730653432616130393632646435366137343964313664646661303734623464633131
-64353937613864306139343039666433646631343834336635646438663463626436313039626262
-32393334386634616238366664626563653765343738633465386232333565666539616262373630
-33646335653135363162313230303963363632383437343030333335623562303662353236613533
-63326631323732646161323533386637613565646334613266633932336130633235313636356131
-33633638663863643936313065666664633133313038643366616237323339623265363235633566
-38663366363064646264633033616462383661333834316134366162323961333638653738653839
-34623737333135316330313061623565353437633233633838386361326338636130396566636330
-3538
+65636230346264393938656566653961393466306338353435333061356463363836616435333731
+3537316534663335343333643435383663303438333433650a666133633965643939306661383536
+33626364316338306530393036653134373339653264616537623731323063646531383137333131
+6263363037613631360a343831393830646536326538363764643136613732636165316466316566
+65346162383337626631663533626230643061633139663661656365333738353530316661313864
+32373831396437386434313430666434363534656130613632643264393538663131336635653537
+61613065336133343130353862646130386136333231393962353064666335363330623064626631
+34333137363566313764343335646531326337616563366636316232633936333264373731653332
+66366361643261626563633838663061303762386234336133366233356564343562323965663731
+38326631333166643534313836323337663131313766306166333534336333613735643033326633
+39396335613362363230333863396535343464346437366632316336626539623865313239353539
+30643834633130333564666162623365323439396630333136616137633532363530623234376332
+66353539306637633432353231326666643261386466633533313063353061643761313132623035
+62653263636237666432336662633136653930323532623137386261333862623337326431336365
+36663364386364346631393031326434326334636166663739366435616166363130623463633733
+35383834326231363264623061303066326433613139333237656635643835393762313866356237
+62616435613863616161376666333966323030326531323261646436633233613635383438373834
+31343133326231636661353466396566656365396466343430613262316537623631376433633630
+62336664346363393363306163333662323338343139646238633830326535313034613739616138
+38313637333333383032316134316164363036396338306634633436633564306333336437393566
+61656337343030393936353364386461643766636564333864396130343762323630393839393463
+35343864393035333930313238663465663633633862623336663136626165666131383933626437
+31323936653737646231363036383764333335313762356465333635303334663734636531343331
+37386461643239363434373864373561353339343031346364383530663430393938333963333837
+63303966366364626665303530356433643264343861346238353937386338383034356633623231
+36663735386233396138306561326339626262326463336535646265666637383032396435333835
+31363266666230366438313432356637663632333530646263663563373137313262663937636532
+66633731333166386564386666363130633734643963653030386533393766623038383234646161
+36343135663231323030306430623535373534353835623339333738376362663930343436343637
+34383963306266623437323462356466336533643933653839366666393839626663353264326334
+32663461663561396631363533383334363361373764363132643435373537333839613066396463
+35386436326638353431363064626131306634363339653132396563356239653265303930333634
+32376332643863376237383966623233323864393338346537393865363661616338333631383532
+34373635316138663261633839333664353432666234306463306338653634633038373266646462
+32336534356537306366656236356663616336333031306431653239343132336234626165333032
+38303137666131363462363263333832356333616130346337663837376365346166306261373036
+63383236323738303562623631633064363564663861336162356262373861383965623935343931
+65663934623431363164356331353135633837616130363464353661663438323132363165343766
+31393633306261303762613537343034316535373731363365666530623361623630633137326466
+32326533313362333863383561343230626466303831623033613065363136396362373333306333
+32336464356364663564626234653832323265313364343631646633396362373438666165353962
+38396330333161356365626562383531323664636235643666613631636636323638376638396531
+38646531666164653161353932643662363261323564373537343731666232666532633063353431
+61386163363562313330393037656139303365396438313935306333656264373531373037303939
+63373962356233346164383163323532373163376364623766323933623063653939346537306338
+65353266656532636633326137356430666432333465626437633733356435363163626430303964
+39343935623937616130326637323061373538616633393465653266656666376661393635333662
+30363364653130356137393463613038663762396336306234363461396133306562323838336330
+63303735646132353766313137303162366164613530303966383636393934393035306264626465
+36613233376234633932663963623432663032656236323963353036356437383066373532323865
+36643431373966613533646164303564653336396535343366303339303134613936656137653939
+31333062623734613538333666636561386338306235633165386262383261333264623638383366
+34313266333636376337393736343062363539366235393136663561303663386438333834613539
+38623632656161653766363166653661336136653833336663616261663831656133666232633362
+31373166306134653162313134333432323134623336666632613766386662653831643732326330
+63643737333638626162646136373466613536653831663835616432343537323864343166316461
+34393732353930343430356231626636373763636561343430616533663861346566326262313232
+39623936366633363136353632346134643563383833376134363833336137613337326435613764
+37653232613632333334316162383261383836613936376230393633343336346633386539356232
+30316232373738363038356665366663623536626539376364303038643061386363636337386663
+61383634336530666163346239343838326138373932383339396265653764313039653138643938
+31613163653632656238376533363739346539623863623332653936643731623565613234663430
+39363935306330386634363634363233376234613837353765353732646638663830323335616234
+34366334636436633734333830306136333563666337623035653239313361626438316535313434
+37343930643832383136343737313365316238373638323130653766646637343464653134616137
+38313034383833626433326237633863313364353662326233636333333932633039396565356133
+64376166383064343239633364363861616136643061646636323437376162313438396230393331
+32633662323031666238643934646665303666383834336432363430363166356632353033336333
+64383861663563653531643832656238643066323564656134633639666234363363363132623836
+61386431643130333761376161646262346562363532353632633332343666393562313465303337
+31333732626164363464323531323239333963303333626466623966346361383832353765346565
+37303765363834376237636632386663373061346534643132636333623137366662646538306231
+33353538623231636166653838333264396463616437396264353537633661313932353133316438
+61323439363635383035316335363132383366613733383363306366356466333364633537393033
+66636434623962633063306236303831633637656430376533353436613934636466363461333562
+34613339373732343632343435333331353935303735633732656663643938663439656233613163
+65356232633865656439643430636332386663333761376638323630373930663837653638363963
+63656437323138633664613166353537306466666261353532326363346332343363343035386435
+33326238333730303539363265383761663862313961383030326263353034303866626661623334
+61623365373332366333376630626539343835663466666534636561643736646537646431386631
+36366132663830336234613065626262336564316339383038333330323237363665373935326438
+38646335346239316432636138633365373062663564326465643032633438306230363434323262
+34313932653361346261623030623739313665356464373666346361663430336362383063666134
+38323539653437623030333437373231646634333563306165393231653465313731633536323362
+65613262633563653031306139383436663834616339316164393365336437653730393331636464
+32313537313164386164313832396566353137376239303663656130383336336634313235376363
+63326530333339356432343938306465623636336161363133613864336339393635306234656263
+34343437336461303831393562653934633439336562663366643066393439396531653663386531
+65623061643064396534353364663633653331653535306133386466356236623239646432373066
+61313261366466663866613162323939646534653561356335393237376138633930663364636236
+36613834303338646530663565303438363831663865323531386635303239646464343936303832
+31323531363263333830623838666437636262306164386236643032356165323037656630383739
+65666333656639333263346465666463616534353835656337353464336134303732323037393538
+37366263656133643039373438636537343636663065646534616339303833666532396633616565
+38353139323739656564623065613364346164633863343738633163383031663531663365616534
+31663835323435643463666264623932396133336531626331303862356261306238326333366164
+66306262386137363432376530366432356432653333393833376532623333373337393830316263
+30326531613662313430663130613734663937613663353936346134356537393761373238393433
+37356136393731626561303430626339386531386333386536656465646232633934393630613339
+61333163613862346564316336353766346461626639303661353464633835626663313462613666
+33343561613662303036643937656431393432333831383461323631393262346464393539353537
+33633364383261663535323136393138333739356439663731636136393530323864333566323361
+62643961323264336662316661303630636430323838633535343036303437393439656637326566
+34363832366434316639393939313965633037653931323462363465643262653539623063326432
+36616434366432303235663062663138623336336165373734353838333662363239333762323932
+65393765326232373230666437656433373930643638386131363339343630636634636434326464
+39366339326263666239646237326534383665376536313536303263373265306537316161663262
+31346635346436313261626366333738333966643333313230623133313434373530366462653435
+33353434643635383833643736653461373765326537313430353164306566323733653237343632
+66346133656333303538306133313563393363313230323664303836323861346466343230343264
+36613934643662626365653036636136623630333638373565316437646232316263663433313762
+39353234333131623731643662303130626465386338353833393533646564646565623736343039
+38356635393461353166653565336535626366396532633961393334343234353764303431303663
+61666533633731663666346132383037646433336463643062396465383034346631346165323939
+33313937343338383737373164363930336236326432346465646166363430653932333932343236
+38336235613034386533613665393666633635383164646538373035623862343737353463623730
+33396233353331633463373538326365636231323535633737303562613262613730636237336632
+38626230313637336436623661666438666538333838356632653034303864313232623337306333
+66363464643061363337393732323065306335656531376337323438313733616539613538333837
+34363033666366613933343563303537613564356462313931353533323938656362393536386334
+38336237616335346334613534323130613861663239356363366564623933303737306138613535
+63643639323135663232336131643331343063363234336230653536623765323562393161663266
+32663839613564613636343166396463366665666333306239386338616366363236393931313439
+30386238316261323630633464386265353464333735336435646663656638316130333762666531
+38626463316165373434613436343335303633643965633230326534323761616365376630363039
+30336661313737383535343934366466353231396430353030653762383934666235646161653832
+31613565643031353535353234386665373636356362653337366563316630343838626231646462
+34623262343761373831303861313661666435373565386465336166306631376666643631303863
+37633934326262623737373266326631663932373863346466613133303961386466366336643235
+39303933333236626637663636633739343761393432616232643238663738313636346137316430
+34623238326430616134396166306339626261643032613661343763366138653830376463306461
+62366564393364306139633837646264633130383064383730393862633561303538363232663366
+30343633666632303530356637646337623339303236376164633962383839386265336666396436
+38616238656336343066333063393833623862646237323238393465633662393362353161313963
+63663539383630366536313933643565346162646363353035386666396363633635386564346666
+64336362633033346461353133396363646237613433306366333064626563656637383863323361
+31386262346631343565653836333764636366313330633462303533616531316537353538313031
+64366263666138356339373864383866303632366162633738383437323564313732373738373038
+39643862336136663165343736613730306339643237313361333438613438323439373966396138
+62323661383336396636

roles/caddy/defaults/main.yml

@@ -2,7 +2,7 @@
 # file: roles/caddy/defaults/main.yml
 
 # parent directory of vhost document roots
-caddy_root_prefix: /var/www
+caddy_root_prefix: "{{ web_root_prefix }}"
 
 # Email address to use for the ACME account managing the site's certificates.
 # Not sure what Caddy does if this doesn't exist.

roles/caddy/handlers/main.yml

@@ -3,7 +3,7 @@
 
 # I'm currently not sure when we need to restart versus reload
 - name: reload caddy
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: caddy
     state: reloaded
 

roles/caddy/tasks/main.yml

@@ -71,6 +71,7 @@
     mode: "0755"
     owner: root
     group: root
+  tags: caddy
 
 # TODO: the variable is still named nginx_vhosts
 - name: Configure Caddy virtual hosts

roles/caddy/templates/etc/caddy/conf.d/vhost.j2

@@ -8,6 +8,12 @@
 {% set needs_php      = item.needs_php | default(false) %}
 {% set has_gitea      = item.has_gitea | default(false) %}
 {% set static_site    = item.static_site | default(false) %}
+{# Allow sites to override the document root #}
+{% if item.document_root is defined %}
+{%   set document_root = item.document_root %}
+{% else %}
+{%   set document_root = (caddy_root_prefix, domain_name) | ansible.builtin.path_join %}
+{% endif %}
 
 {% if domain_aliases %}
 {#   domain_aliases is a string, so we split on space #}
@@ -21,15 +27,20 @@
 {{ domain_name }} {
     {% if has_gitea %}
     reverse_proxy :3000
-    {% endif %}
+    {% elif static_site -%}
+    root * {{ document_root }}
 
-    {% if static_site -%}
-    root * {{ item.document_root }}
-
-    encode zstd gzip
+    encode
 
     file_server
-    {% endif %}
+    {% elif has_wordpress -%}
+    root * {{ document_root }}
+    encode
+    {%   if ansible_facts["distribution_major_version"] is version('12', '==') -%}
+    php_fastcgi unix//run/php/php8.2-fpm-{{ domain_name }}.sock
+    {%   endif -%}
+    file_server
+    {% endif -%}
 
     import security-headers
 }

roles/common/defaults/main.yml

@@ -8,7 +8,7 @@ fail2ban_maxretry: 6
 fail2ban_findtime: 3600
 # 2 weeks in seconds
 fail2ban_bantime: 1209600
-fail2ban_ignoreip: 127.0.0.1/8 172.26.0.0/16 192.168.5.0/24
+fail2ban_ignoreip: 127.0.0.0/8
 
 # Disable SSH passwords. Must use SSH keys. This is OK because we add the keys
 # before re-configuring the SSH daemon to disable passwords.

roles/common/files/etc/cron-apt/3-download

@@ -1,2 +0,0 @@
-autoclean -y
-upgrade -y -o APT::Get::Show-Upgraded=true

roles/common/files/etc/cron-apt/config

@@ -1,5 +0,0 @@
-# Configuration for cron-apt. For further information about the possible
-# configuration settings see the README file.
-
-MAILON="never"
-OPTIONS="-o quiet=1 -o Dir::Etc::SourceList=/etc/apt/security.sources.list -o Dir::Etc::SourceParts=\"/dev/null\""

roles/common/files/etc/sudoers.d/provisioning

@@ -1 +0,0 @@
-provisioning   ALL=(ALL)  ALL

roles/common/files/update-firehol-nftables.service

@@ -1,10 +1,7 @@
 [Unit]
 Description=Update FireHOL lists
-# This service will fail if nftables is not running so we use Requires to make
-# sure that nftables is started.
-Requires=nftables.service
-# Make sure the network is up and nftables is started
-After=network-online.target nftables.service
+# Make sure the network is up
+After=network-online.target
 Wants=network-online.target update-firehol-nftables.timer
 
 [Service]

roles/common/handlers/main.yml

@@ -1,27 +1,27 @@
 ---
 # ansible.builtin.file: roles/common/handlers/main.yml
 
-- name: reload sshd
-  ansible.builtin.systemd:
+- name: Reload sshd
+  ansible.builtin.systemd_service:
     name: "{{ sshd_service_name }}"
     state: reloaded
 
-- name: reload sysctl
-  command: sysctl -p /etc/sysctl.conf
+- name: Reload sysctl
+  ansible.builtin.command: sysctl -p /etc/sysctl.conf
 
-- name: reload systemd
-  ansible.builtin.systemd:
+- name: Reload systemd
+  ansible.builtin.systemd_service:
     daemon_reload: true
 
-- name: restart nftables
-  ansible.builtin.systemd:
+- name: Restart nftables
+  ansible.builtin.systemd_service:
     name: nftables
     state: restarted
 
 # 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed
 # in the order they are defined, not in the order they are listed in the task's
 # notify statement and we must restart fail2ban after updating the firewall.
-- name: restart fail2ban
-  ansible.builtin.systemd:
+- name: Restart fail2ban
+  ansible.builtin.systemd_service:
     name: fail2ban
     state: restarted

roles/common/tasks/cron-apt.yml

@@ -1,11 +1,17 @@
 ---
-- name: Configure cron-apt (config)
-  ansible.builtin.copy: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode }} owner={{ item.owner }} group={{ item.group }}
-  loop:
-    - { src: etc/cron-apt/config, dest: /etc/cron-apt/config, mode: "0644", owner: root, group: root }
-    - { src: etc/cron-apt/3-download, dest: /etc/cron-apt/action.d/3-download, mode: "0644", owner: root, group: root }
+- name: Remove cron-apt
+  ansible.builtin.apt:
+    name: cron-apt
+    state: absent
+    cache_valid_time: 3600
 
-- name: Configure cron-apt (security)
-  ansible.builtin.template: src=security.sources.list.j2 dest=/etc/apt/security.sources.list mode=0644 owner=root group=root
+- name: Remove cron-apt configs
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - /etc/cron-apt/config
+    - /etc/cron-apt/action.d/3-download
+    - /etc/apt/security.sources.list
 
 # vim: set ts=2 sw=2:

roles/common/tasks/fail2ban.yml

@@ -1,8 +1,7 @@
 ---
 - name: Install fail2ban
-  when:
-    - ansible_distribution_major_version is version('11', '>=')
-  ansible.builtin.package:
+  when: ansible_facts["distribution_version"] is version('11', '>=')
+  ansible.builtin.apt:
     name:
       - fail2ban
       - python3-systemd
@@ -15,7 +14,7 @@
     dest: /etc/fail2ban/jail.d/sshd.local
     owner: root
     mode: "0644"
-  notify: restart fail2ban
+  notify: Restart fail2ban
 
 - name: Configure fail2ban nginx filter
   when:
@@ -27,7 +26,7 @@
     dest: /etc/fail2ban/jail.d/nginx.local
     owner: root
     mode: "0644"
-  notify: restart fail2ban
+  notify: Restart fail2ban
 
 - name: Create fail2ban service override directory
   ansible.builtin.file:
@@ -44,11 +43,11 @@
     owner: root
     mode: "0644"
   notify:
-    - reload systemd
-    - restart fail2ban
+    - Reload systemd
+    - Restart fail2ban
 
 - name: Start and enable fail2ban service
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: fail2ban
     state: started
     enabled: true

roles/common/tasks/firewall.yml

@@ -1,20 +1,25 @@
 ---
-- name: Configure firewall (Debian)
-  when: ansible_distribution == 'Debian'
-  ansible.builtin.include_tasks:
-    file: firewall_Debian.yml
-    apply:
-      tags:
-        - firewall
-  tags: firewall
+# Debian 11+ will use nftables directly, with no firewalld.
 
-- name: Configure firewall (Ubuntu)
-  when: ansible_distribution == 'Ubuntu'
-  ansible.builtin.include_tasks:
-    file: firewall_Ubuntu.yml
-    apply:
-      tags:
-        - firewall
-  tags: firewall
+- name: Install Debian firewall packages
+  when: ansible_facts["distribution_version"] is version('11', '>=')
+  ansible.builtin.apt:
+    name: nftables
+    state: present
+    cache_valid_time: 3600
 
+- name: Remove iptables on newer Debian
+  when: ansible_facts["distribution_version"] is version('11', '>=')
+  ansible.builtin.apt:
+    pkg: iptables
+    state: absent
 
+- name: Configure nftables
+  when: ansible_facts["distribution_version"] is version('11', '>=')
+  ansible.builtin.include_tasks: nftables.yml
+
+- name: Configure fail2ban
+  when: ansible_facts["distribution_version"] is version('9', '>=')
+  ansible.builtin.include_tasks: fail2ban.yml
+
+# vim: set sw=2 ts=2:

roles/common/tasks/firewall_Debian.yml

@@ -1,28 +0,0 @@
----
-# Debian 11+ will use nftables directly, with no firewalld.
-
-- name: Install Debian firewall packages
-  when: ansible_distribution_major_version is version('11', '>=')
-  ansible.builtin.package:
-    name:
-      - libnet-ip-perl # for aggregate-cidr-addresses.pl
-      - nftables
-      - curl # for nftables update scripts
-    state: present
-    cache_valid_time: 3600
-
-- name: Remove iptables on newer Debian
-  when: ansible_distribution_major_version is version('11', '>=')
-  ansible.builtin.apt:
-    pkg: iptables
-    state: absent
-
-- name: Configure nftables
-  ansible.builtin.include_tasks: nftables.yml
-  when: ansible_distribution_version is version('11', '>=')
-
-- ansible.builtin.include_tasks: fail2ban.yml
-  when:
-    - ansible_distribution_major_version is version('9', '>=')
-
-# vim: set sw=2 ts=2:

roles/common/tasks/firewall_Ubuntu.yml

@@ -1,27 +0,0 @@
----
-# Ubuntu 20.04 will use nftables directly, with no firewalld.
-
-- name: Install Ubuntu firewall packages
-  when: ansible_distribution_version is version('20.04', '>=')
-  ansible.builtin.package:
-    name:
-      - libnet-ip-perl # for aggregate-cidr-addresses.pl
-      - nftables
-      - curl # for nftables update scripts
-    state: present
-    cache_valid_time: 3600
-
-- name: Remove ufw
-  ansible.builtin.package:
-    name: ufw
-    state: absent
-
-- name: Configure nftables
-  ansible.builtin.include_tasks: nftables.yml
-  when: ansible_distribution_version is version('20.04', '>=')
-
-- ansible.builtin.include_tasks: fail2ban.yml
-  when:
-    - ansible_distribution_version is version('16.04', '>=')
-
-# vim: set sw=2 ts=2:

roles/common/tasks/main.yml

@@ -1,6 +1,6 @@
 ---
 - name: Import OS-specific variables
-  ansible.builtin.include_vars: vars/{{ ansible_distribution }}.yml
+  ansible.builtin.include_vars: vars/{{ ansible_facts["distribution"] }}.yml
   tags: always
 
 - name: Configure network time
@@ -8,13 +8,7 @@
   tags: ntp
 
 - name: Install common packages
-  ansible.builtin.include_tasks: packages_Debian.yml
-  when: ansible_distribution == 'Debian'
-  tags: packages
-
-- name: Install common packages
-  ansible.builtin.include_tasks: packages_Ubuntu.yml
-  when: ansible_distribution == 'Ubuntu'
+  ansible.builtin.include_tasks: packages.yml
   tags: packages
 
 - name: Configure firewall
@@ -27,14 +21,24 @@
 
 # containers identify as virtualization hosts, which makes this tricky, because we have actual Debian VM hosts!
 - name: Reconfigure /etc/sysctl.conf
-  when: ansible_virtualization_role != 'host'
-  ansible.builtin.template: src=sysctl_{{ ansible_distribution }}.j2 dest=/etc/sysctl.conf owner=root group=root mode=0644
+  when: ansible_facts["virtualization_role"] != 'host'
+  ansible.builtin.template:
+    src: "sysctl_{{ ansible_facts['distribution'] }}.j2"
+    dest: /etc/sysctl.conf
+    owner: root
+    group: root
+    mode: "0644"
   notify:
-    - reload sysctl
+    - Reload sysctl
   tags: sysctl
 
 - name: Set I/O scheduler
-  ansible.builtin.template: src=etc/udev/rules.d/60-scheduler.rules.j2 dest=/etc/udev/rules.d/60-scheduler.rules owner=root group=root mode=0644
+  ansible.builtin.template:
+    src: etc/udev/rules.d/60-scheduler.rules.j2
+    dest: /etc/udev/rules.d/60-scheduler.rules
+    owner: root
+    group: root
+    mode: "0644"
   tags: udev
 
 - name: Copy admin SSH keys

roles/common/tasks/nftables.yml

@@ -1,6 +1,5 @@
 ---
-# Common nftables tasks for Ubuntu 20.04, Ubuntu 22.04, Ubuntu 24.04, Debian 11,
-# and Debian 12.
+# Common nftables tasks for Debian 11 and Debian 12.
 
 - name: Copy nftables.conf
   ansible.builtin.template:
@@ -9,8 +8,7 @@
     owner: root
     mode: "0644"
   notify:
-    - restart nftables
-    - restart fail2ban
+    - Restart nftables
 
 - name: Create /etc/nftables extra config directory
   ansible.builtin.file:
@@ -21,17 +19,14 @@
 
 - name: Copy extra nftables configuration files
   ansible.builtin.copy:
-    src: "{{ item.src }}"
-    dest: /etc/nftables/{{ item.src }}
+    src: firehol_level1-ipv4.nft
+    dest: /etc/nftables/firehol_level1-ipv4.nft
     owner: root
     group: root
     mode: "0644"
-    force: "{{ item.force }}"
-  loop:
-    - { src: firehol_level1-ipv4.nft, force: false }
+    force: false
   notify:
-    - restart nftables
-    - restart fail2ban
+    - Restart nftables
 
 - name: Copy nftables update scripts
   ansible.builtin.template:
@@ -41,27 +36,6 @@
     owner: root
     group: root
 
-- name: Remove deprecated data and scripts
-  ansible.builtin.file:
-    path: "{{ item }}"
-    state: absent
-  loop:
-    - /etc/nftables/spamhaus-ipv4.nft
-    - /etc/nftables/spamhaus-ipv6.nft
-    - /etc/nftables/abuseipdb-ipv4.nft
-    - /etc/nftables/abuseipdb-ipv6.nft
-    - /etc/nftables/abusech-ipv4.nft
-    - /usr/local/bin/update-abusech-nftables.sh
-    - /usr/local/bin/update-spamhaus-nftables.sh
-    - /etc/systemd/system/update-abusech-nftables.service
-    - /etc/systemd/system/update-abusech-nftables.timer
-    - /etc/systemd/system/update-spamhaus-nftables.service
-    - /etc/systemd/system/update-spamhaus-nftables.timer
-    - /usr/local/bin/aggregate-cidr-addresses.pl
-  notify:
-    - restart nftables
-    - restart fail2ban
-
 - name: Copy nftables systemd units
   ansible.builtin.copy:
     src: "{{ item }}"
@@ -76,20 +50,18 @@
 
 # need to reload to pick up service/timer/environment changes
 - name: Reload systemd daemon
-  ansible.builtin.systemd: # noqa no-handler
-    daemon_reload: true
   when: nftables_systemd_units is changed
+  ansible.builtin.systemd_service: # noqa no-handler
+    daemon_reload: true
 
 - name: Start and enable nftables update timers
-  ansible.builtin.systemd:
-    name: "{{ item }}"
+  ansible.builtin.systemd_service:
+    name: update-firehol-nftables.timer
     state: started
     enabled: true
-  loop:
-    - update-firehol-nftables.timer
 
 - name: Start and enable nftables
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: nftables
     state: started
     enabled: true

roles/common/tasks/ntp.yml

@@ -1,30 +1,40 @@
 ---
-# Hosts running Ubuntu 16.04+ and Debian 9+ use systemd init system and should
-# use systemd-timesyncd as a network time client instead of the standalone ntp
-# client.
+# Hosts running Debian 9+ use systemd init system and can use systemd-timesyncd
+# as a network time client instead of the standalone ntp client.
 
 - name: Set timezone
   when:
     - timezone is defined
-    - ansible_service_mgr == 'systemd'
+    - ansible_facts["service_mgr"] == 'systemd'
   community.general.timezone:
     name: "{{ timezone }}"
   tags: timezone
 
 # Apparently some cloud images don't have this installed by default. From what
 # I can see on existing servers, systemd-timesyncd is a standalone package on
-# Ubuntu 20.04 and Debian 11.
+# Debian 11 and Debian 12.
 - name: Install systemd-timesyncd
-  when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version
-    is version('11', '>='))
-  ansible.builtin.apt: name=systemd-timesyncd state=present cache_valid_time=3600
+  when: ansible_facts["distribution_version"] is version('11', '>=')
+  ansible.builtin.apt:
+    name: systemd-timesyncd
+    state: present
+    cache_valid_time: 3600
 
 - name: Start and enable systemd's NTP client
-  when: ansible_service_mgr == 'systemd'
-  ansible.builtin.systemd: name=systemd-timesyncd state=started enabled=true
+  when: ansible_facts["service_mgr"] == 'systemd'
+  ansible.builtin.systemd_service:
+    name: systemd-timesyncd
+    state: started
+    enabled: true
 
-- name: Uninstall ntp on modern Ubuntu/Debian
-  ansible.builtin.apt: name=ntp state=absent
-  when: ansible_service_mgr == 'systemd'
+# On Debian 12 ntp doesn't conflict with systemd-timesyncd so we should try to
+# remove it to be sure.
+- name: Uninstall ntp on Debian 12
+  when:
+    - ansible_facts["service_mgr"] == 'systemd'
+    - ansible_facts["distribution_major_version"] is version('12', '==')
+  ansible.builtin.apt:
+    name: ntp
+    state: absent
 
 # vim: set ts=2 sw=2:

roles/common/tasks/packages.yml

@@ -1,19 +1,7 @@
 ---
 - name: Configure Debian packages
+  tags: packages
   block:
-    # Create directory for third-party package signing keys. Required on distros
-    # older than Debian 12 / Ubuntu 22.04.
-    #
-    # See: https://wiki.debian.org/DebianRepository/UseThirdParty
-    - name: Create /etc/apt/keyrings
-      file:
-        path: /etc/apt/keyrings
-        mode: "0755"
-        owner: root
-        group: root
-        state: directory
-      when: ansible_distribution_major_version is version('12', '<')
-
     # Scaleway seems to use a weird sources.list format as of Debian 12?
     - name: Check for weird Debian sources
       ansible.builtin.stat:
@@ -21,10 +9,15 @@
       register: weird_debian_sources_stat
 
     - name: Configure apt mirror
-      ansible.builtin.template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
       when:
-        - ansible_architecture != 'armv7l'
+        - ansible_facts["architecture"] != 'armv7l'
         - not weird_debian_sources_stat
+      ansible.builtin.template:
+        src: sources.list.j2
+        dest: /etc/apt/sources.list
+        owner: root
+        group: root
+        mode: "0644"
 
     - name: Set fact for base packages
       ansible.builtin.set_fact:
@@ -35,7 +28,6 @@
           - iotop
           - htop
           - strace
-          - cron-apt
           - safe-rm
           - debian-goodies
           - mosh
@@ -47,16 +39,19 @@
           - zstd
           - rsync
           - lsof
+          - unattended-upgrades
 
     - name: Install base packages
-      ansible.builtin.apt: name={{ base_packages }} state=present cache_valid_time=3600
+      ansible.builtin.apt:
+        name: "{{ base_packages }}"
+        state: present
+        cache_valid_time: 3600
 
-    - name: Configure cron-apt
-      ansible.builtin.import_tasks: cron-apt.yml
+    - name: Remove cron-apt
       tags: cron-apt
+      ansible.builtin.import_tasks: cron-apt.yml
 
     - name: Install tarsnap
       ansible.builtin.import_tasks: tarsnap.yml
-  tags: packages
 
 # vim: set sw=2 ts=2:

roles/common/tasks/packages_Ubuntu.yml

@@ -1,105 +0,0 @@
----
-- name: Configure Ubuntu packages
-  block:
-    # Create directory for third-party package signing keys. Required on distros
-    # older than Debian 12 / Ubuntu 22.04.
-    #
-    # See: https://wiki.debian.org/DebianRepository/UseThirdParty
-    - name: Create /etc/apt/keyrings
-      file:
-        path: /etc/apt/keyrings
-        mode: "0755"
-        owner: root
-        group: root
-        state: directory
-      when: ansible_distribution_major_version is version('22.04', '<')
-
-    - name: Configure apt mirror
-      ansible.builtin.template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
-      when: ansible_architecture != 'armv7l'
-
-    - name: Upgrade base OS
-      ansible.builtin.apt: upgrade=dist cache_valid_time=3600
-
-    - name: Set Ubuntu base packages
-      ansible.builtin.set_fact:
-        ubuntu_base_packages:
-          - git
-          - git-lfs
-          - tmux
-          - iotop
-          - htop
-          - strace
-          - cron-apt
-          - safe-rm
-          - debian-goodies
-          - mosh
-          - python-pycurl # for ansible's apt_repository
-          - vim
-          - unzip
-          - apt-transport-https # for https support in apt
-          - zstd
-          - rsync
-          - lsof
-
-    - name: Install base packages
-      ansible.builtin.apt: pkg={{ ubuntu_base_packages }} state=present cache_valid_time=3600
-
-    # We have to remove snaps one by one in a specific order because some depend
-    # on others. Only after that can we remove the corresponding system packages.
-    - name: Remove lxd snap
-      community.general.snap: name=lxd state=absent
-      when: ansible_distribution_version is version('20.04', '==')
-      ignore_errors: true
-
-    - name: Remove core18 snap
-      community.general.snap: name=core18 state=absent
-      when: ansible_distribution_version is version('20.04', '==')
-      ignore_errors: true
-
-    - name: Remove snapd snap
-      community.general.snap: name=snapd state=absent
-      when: ansible_distribution_version is version('20.04', '==')
-      ignore_errors: true
-
-    - name: Set fact for packages to remove (Ubuntu 20.04)
-      ansible.builtin.set_fact:
-        ubuntu_annoying_packages:
-          - whoopsie # security (CIS 4.1)
-          - apport # security (CIS 4.1)
-          - command-not-found # annoying
-          - command-not-found-data # annoying
-          - python3-commandnotfound # annoying
-          - snapd # annoying (Ubuntu >= 16.04)
-          - lxd-agent-loader # annoying (Ubuntu 20.04)
-      when: ansible_distribution_version is version('20.04', '==')
-
-    - name: Remove packages
-      ansible.builtin.apt: name={{ ubuntu_annoying_packages }} state=absent purge=true
-
-    - name: Disable annoying Canonical spam in MOTD
-      ansible.builtin.file: path={{ item }} mode=0644 state=absent
-      loop:
-        - /etc/update-motd.d/99-esm # Ubuntu 14.04
-        - /etc/update-motd.d/10-help-text # Ubuntu 14.04+
-        - /etc/update-motd.d/50-motd-news # Ubuntu 18.04+
-        - /etc/update-motd.d/80-esm # Ubuntu 18.04+
-        - /etc/update-motd.d/80-livepatch # Ubuntu 18.04+
-      ignore_errors: true
-
-    - name: Disable annoying Canonical spam in MOTD
-      ansible.builtin.systemd: name={{ item }} state=stopped enabled=no
-      when: ansible_service_mgr == 'systemd'
-      loop:
-        - motd-news.service
-        - motd-news.timer
-
-    - name: Configure cron-apt
-      ansible.builtin.import_tasks: cron-apt.yml
-      tags: cron-apt
-
-    - name: Install tarsnap
-      ansible.builtin.import_tasks: tarsnap.yml
-  tags: packages
-
-# vim: set sw=2 ts=2:

roles/common/tasks/ssh-keys.yml

@@ -1,6 +1,8 @@
 ---
 - name: Zero .ssh/authorized_keys for provisioning user
-  ansible.builtin.file: dest={{ provisioning_user.home }}/.ssh/authorized_keys state=absent
+  ansible.builtin.file:
+    dest: "{{ provisioning_user.home }}/.ssh/authorized_keys"
+    state: absent
 
 - name: Add public keys to authorized_keys
   ansible.posix.authorized_key: { user: "{{ provisioning_user.name }}", key: "{{ lookup('file', item) }}" }

roles/common/tasks/sshd.yml

@@ -1,17 +1,26 @@
 ---
-# SSH configs don't change in Debian minor versions
+# Only override the system sshd configuration on older Debian.
 - name: Reconfigure /etc/ssh/sshd_config
-  ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root
-    mode=0600
-  when: ansible_distribution == 'Debian'
-  notify: reload sshd
+  when: ansible_facts["distribution_version"] is version('12', '<=')
+  ansible.builtin.template:
+    src: "sshd_config_{{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_major_version'] }}.j2"
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: "0600"
+  notify: Reload sshd
 
-# Ubuntu is the only distro we have where SSH version is very different from 14.04 -> 14.10,
-# ie with new ciphers supported etc.
-- name: Reconfigure /etc/ssh/sshd_config
-  ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
-  when: ansible_distribution == 'Ubuntu'
-  notify: reload sshd
+# Newer OpenSSH versions support including extra configuration. The includes
+# happen at the beginning of the file and the first value to be read is used.
+- name: Configure sshd_config.d overrides
+  when: ansible_facts["distribution_version"] is version('13', '>=')
+  ansible.builtin.template:
+    src: etc/ssh/sshd_config.d/01-{{ ansible_facts["distribution"] }}-{{ ansible_facts["distribution_major_version"] }}.conf.j2
+    dest: /etc/ssh/sshd_config.d/01-custom.conf
+    owner: root
+    group: root
+    mode: "0600"
+  notify: Reload sshd
 
 # See: WeakDH (2015): https://weakdh.org/sysadmin.html
 - name: Remove small Diffie-Hellman SSH moduli
@@ -24,28 +33,30 @@
       register: check_unsafe_moduli
 
     - name: Extract safe Diffie-Hellman SSH moduli
+      when: check_unsafe_moduli.stdout | length > 0
       ansible.builtin.shell:
         cmd: awk '$5 >= 3071' moduli > moduli.safe
         chdir: /etc/ssh
         creates: moduli.safe
-      when: check_unsafe_moduli.stdout | length > 0
       register: extract_safe_moduli
 
     - name: Replace unsafe Diffie-Hellman SSH moduli
+      when: extract_safe_moduli is changed
       ansible.builtin.command:
         cmd: mv moduli.safe moduli
         chdir: /etc/ssh
       register: replace_small_moduli
-      when: extract_safe_moduli is changed
-      notify: reload sshd
+      notify: Reload sshd
 
 - name: Remove DSA and ECDSA host keys
-  ansible.builtin.file: name=/etc/ssh/{{ item }} state=absent
+  ansible.builtin.file:
+    name: "/etc/ssh/{{ item }}"
+    state: absent
   loop:
     - ssh_host_dsa_key
     - ssh_host_dsa_key.pub
     - ssh_host_ecdsa_key
     - ssh_host_ecdsa_key.pub
-  notify: reload sshd
+  notify: Reload sshd
 
 # vim: set sw=2 ts=2:

roles/common/tasks/tarsnap.yml

@@ -5,6 +5,7 @@
   register: tarsnap_signing_key_stat
 
 - name: Download tarsnap apt signing key
+  when: not tarsnap_signing_key_stat.stat.exists
   ansible.builtin.get_url:
     url: https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc
     dest: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
@@ -12,9 +13,9 @@
     group: root
     mode: "0644"
   register: download_tarsnap_signing_key
-  when: not tarsnap_signing_key_stat.stat.exists
 
 - name: Add tarsnap.org repo
+  when: ansible_facts["architecture"] != 'armv7l'
   ansible.builtin.template:
     src: tarsnap_sources.list.j2
     dest: /etc/apt/sources.list.d/tarsnap.list
@@ -22,12 +23,11 @@
     group: root
     mode: "0644"
   register: add_tarsnap_apt_repository
-  when: ansible_architecture != 'armv7l'
 
 - name: Update apt cache
+  when: (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or add_tarsnap_apt_repository is changed
   ansible.builtin.apt: # noqa no-handler
     update_cache: true
-  when: (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or add_tarsnap_apt_repository is changed
 
 - name: Install tarsnap
   ansible.builtin.apt:

roles/common/templates/etc/ssh/sshd_config.d/01-Debian-13.conf.j2

@@ -0,0 +1,40 @@
+{{ ansible_managed | comment }}
+
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear
+# audit track of which key was using to log in.
+LogLevel VERBOSE
+
+MaxAuthTries 4
+
+AuthorizedKeysFile	.ssh/authorized_keys
+
+# To disable tunneled clear text passwords, change to no here!
+{% if ssh_password_authentication == 'disabled' %}
+PasswordAuthentication no
+{% else %}
+PasswordAuthentication yes
+{% endif %}
+
+X11Forwarding no
+
+# Based on the ssh-audit profile for Debian 13, but with but with all algos with
+# less than 256 bits removed, as NSA's Suite B removed them years ago and the
+# new (2018) CNSA suite is 256 bits and up.
+#
+# See: ssh-audit.py -P "Hardened Debian 13 (version 1)"
+# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com
+
+{% if ssh_allowed_users is defined and ssh_allowed_users %}
+AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
+{% endif %}
+
+PerSourcePenaltyExemptList {{ fail2ban_ignoreip | replace(" ", ",") }}
+
+# Mask to use for IPv4 and IPv6 respectively when applying network penalties.
+# The default is 32:128.
+PerSourceNetBlockSize 24:56

roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2

@@ -1,15 +1,19 @@
+[Unit]
+# If nftables is stopped or restarted, propagate to fail2ban as well
+PartOf=nftables.service
+
 [Service]
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectHome=read-only
-{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %}
+{% if ansible_facts["distribution_version"] is version('11','>=') %}
 ProtectSystem=strict
 {% else %}
 {# Older systemd versions don't have ProtectSystem=strict #}
 ProtectSystem=full
 {% endif %}
 NoNewPrivileges=yes
-{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %}
+{% if ansible_facts["distribution_version"] is version('11','>=') %}
 ReadWritePaths=-/var/run/fail2ban
 ReadWritePaths=-/var/lib/fail2ban
 ReadWritePaths=-/var/log/fail2ban.log

roles/common/templates/security.sources.list.j2

@@ -1,5 +0,0 @@
-{% if ansible_distribution == 'Ubuntu' %}
-deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security main restricted universe multiverse
-{% elif ansible_distribution == 'Debian' %}
-deb http://security.debian.org/debian-security {{ ansible_distribution_release }}/updates main contrib non-free
-{% endif %}

roles/common/templates/sources.list.j2

@@ -1,16 +1,6 @@
-{% if ansible_distribution == 'Ubuntu' %}
-{% set apt_mirror    = apt_mirror | default("ubuntu.mirror.ac.ke") %}
-
-deb http://{{ apt_mirror }}/ubuntu/ {{ ansible_distribution_release }} main restricted universe multiverse
-deb http://{{ apt_mirror }}/ubuntu/ {{ ansible_distribution_release }}-updates main restricted universe multiverse
-deb http://security.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-security main restricted universe multiverse
-
-{% else %}
 {% set apt_mirror    = apt_mirror | default('deb.debian.org') %}
 deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }} main contrib non-free
 
 deb http://security.debian.org/debian-security {{ ansible_distribution_release }}-security main contrib non-free
 
 deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }}-updates main contrib non-free
-
-{% endif %} {# ansible_distribution #}

roles/common/templates/sshd_config_Ubuntu-20.04.j2

@@ -1,143 +0,0 @@
-#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
-
-# This is the sshd server system-wide configuration file.  See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented.  Uncommented options override the
-# default value.
-
-Include /etc/ssh/sshd_config.d/*.conf
-
-#Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-#HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-#SyslogFacility AUTH
-# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
-LogLevel VERBOSE
-
-# Authentication:
-
-#LoginGraceTime 2m
-PermitRootLogin prohibit-password
-#StrictModes yes
-MaxAuthTries 4
-#MaxSessions 10
-
-#PubkeyAuthentication yes
-
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
-AuthorizedKeysFile	.ssh/authorized_keys
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
-{% if ssh_password_authentication == 'disabled' %}
-PasswordAuthentication no
-{% else %}
-PasswordAuthentication yes
-{% endif %}
-#PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-#GSSAPIStrictAcceptorCheck yes
-#GSSAPIKeyExchange no
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-X11Forwarding no
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-PrintMotd no
-#PrintLastLog yes
-#TCPKeepAlive yes
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS no
-#PidFile /var/run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-
-# Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
-
-# override default of no subsystems
-Subsystem sftp	/usr/lib/openssh/sftp-server
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-#	X11Forwarding no
-#	AllowTcpForwarding no
-#	PermitTTY no
-#	ForceCommand cvs server
-
-# Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html
-# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now
-# does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
-KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
-
-{% if ssh_allowed_users is defined and ssh_allowed_users %}
-# Is there a list of allowed users?
-# Is it populated? (An empty list is 'None', which evaluates as False in Python)
-# merge the items of a list into one string using a space as a separator
-# http://jinja.pocoo.org/docs/dev/templates/#join
-AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
-{% endif %}

roles/common/templates/sysctl_Debian.j2

@@ -90,7 +90,7 @@ net.ipv4.tcp_wmem = 4096 65536 16777216
 # increase the length of the processor input queue
 net.core.netdev_max_backlog = 30000
 {# kernels after 2.6.32 don't have buggy cubic #}
-{% if ansible_kernel < "2.6.33" %}
+{% if ansible_facts["kernel"] < "2.6.33" %}
 # recommended default congestion control is htcp
 net.ipv4.tcp_congestion_control=htcp
 {% endif %}
@@ -98,7 +98,7 @@ net.ipv4.tcp_congestion_control=htcp
 #net.ipv4.tcp_mtu_probing=1
 
 {# disable iptables on bridge interfaces on VM hosts #}
-{% if ansible_virtualization_role == "host" %}
+{% if ansible_facts["virtualization_role"] == "host" %}
 net.bridge.bridge-nf-call-ip6tables = 0
 net.bridge.bridge-nf-call-iptables = 0
 net.bridge.bridge-nf-call-arptables = 0

roles/common/templates/sysctl_Ubuntu.j2

@@ -1,100 +0,0 @@
-#
-# /etc/sysctl.conf - Configuration file for setting system variables
-# See /etc/sysctl.d/ for additional system variables
-# See sysctl.conf (5) for information.
-#
-
-#kernel.domainname = example.com
-
-# Uncomment the following to stop low-level messages on console
-#kernel.printk = 3 4 1 3
-
-##############################################################3
-# Functions previously found in netbase
-#
-
-# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
-# Turn on Source Address Verification in all interfaces to
-# prevent some spoofing attacks
-#net.ipv4.conf.default.rp_filter=1
-#net.ipv4.conf.all.rp_filter=1
-
-# Uncomment the next line to enable TCP/IP SYN cookies
-# See http://lwn.net/Articles/277146/
-# Note: This may impact IPv6 TCP sessions too
-#net.ipv4.tcp_syncookies=1
-
-# Uncomment the next line to enable packet forwarding for IPv4
-#net.ipv4.ip_forward=1
-
-# Uncomment the next line to enable packet forwarding for IPv6
-#  Enabling this option disables Stateless Address Autoconfiguration
-#  based on Router Advertisements for this host
-#net.ipv6.conf.all.forwarding=1
-
-
-###################################################################
-# Additional settings - these settings can improve the network
-# security of the host and prevent against some network attacks
-# including spoofing attacks and man in the middle attacks through
-# redirection. Some network environments, however, require that these
-# settings are disabled so review and enable them as needed.
-#
-# Do not accept ICMP redirects (prevent MITM attacks)
-#net.ipv4.conf.all.accept_redirects = 0
-#net.ipv6.conf.all.accept_redirects = 0
-# _or_
-# Accept ICMP redirects only for gateways listed in our default
-# gateway list (enabled by default)
-# net.ipv4.conf.all.secure_redirects = 1
-#
-# Do not send ICMP redirects (we are not a router)
-#net.ipv4.conf.all.send_redirects = 0
-#
-# Do not accept IP source route packets (we are not a router)
-#net.ipv4.conf.all.accept_source_route = 0
-#net.ipv6.conf.all.accept_source_route = 0
-#
-# Log Martian Packets
-#net.ipv4.conf.all.log_martians = 1
-#
-
-# CIS Benchmark Adjustments
-# See: https://github.com/alanorth/securekickstarts
-kernel.randomize_va_space = 2 
-net.ipv4.ip_forward = 0 
-net.ipv4.conf.all.send_redirects = 0 
-net.ipv4.conf.default.send_redirects = 0 
-net.ipv4.conf.all.accept_source_route = 0 
-net.ipv4.conf.default.accept_source_route = 0 
-net.ipv4.conf.all.accept_redirects = 0 
-net.ipv4.conf.default.accept_redirects = 0 
-net.ipv4.conf.all.secure_redirects = 0 
-net.ipv4.conf.default.secure_redirects = 0 
-net.ipv4.conf.all.log_martians = 1 
-net.ipv4.conf.default.log_martians = 1 
-net.ipv4.icmp_echo_ignore_broadcasts = 1 
-net.ipv4.icmp_ignore_bogus_error_responses = 1 
-net.ipv4.conf.all.rp_filter = 1 
-net.ipv4.conf.default.rp_filter = 1 
-net.ipv4.tcp_syncookies = 1
-
-# TCP stuff
-# See: http://fasterdata.es.net/host-tuning/linux/
-# increase TCP max buffer size settable using setsockopt()
-net.core.rmem_max = 16777216 
-net.core.wmem_max = 16777216 
-# increase Linux autotuning TCP buffer limit 
-net.ipv4.tcp_rmem = 4096 87380 16777216
-net.ipv4.tcp_wmem = 4096 65536 16777216
-# increase the length of the processor input queue
-net.core.netdev_max_backlog = 30000
-# recommended for hosts with jumbo frames enabled
-#net.ipv4.tcp_mtu_probing=1
-
-# increase quadruplets (src ip, src port, dest ip, dest port)
-# see: http://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux.html
-net.ipv4.ip_local_port_range = 10240 65535
-# recommended for web servers, especially if running SPDY
-# see: http://www.chromium.org/spdy/spdy-best-practices
-net.ipv4.tcp_slow_start_after_idle = 0

roles/common/templates/tarsnap_sources.list.j2

@@ -1 +1 @@
-deb [arch=amd64 signed-by=/etc/apt/keyrings/tarsnap-deb-packaging-key.asc] https://pkg.tarsnap.com/deb/{{ ansible_distribution_release }} ./
+deb [arch=amd64 signed-by=/etc/apt/keyrings/tarsnap-deb-packaging-key.asc] https://pkg.tarsnap.com/deb/{{ ansible_facts["distribution_release"] }} ./

roles/common/templates/update-firehol-nftables.sh.j2

@@ -58,13 +58,8 @@ NFT_HEAD
     rm -f "$firehol_level1_ipv4_list_temp" "$firehol_level1_ipv4_set_temp"
 fi
 
-echo "Reloading nftables"
-{% if ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '<=') %}
-{%   set systemctl_bin = '/bin/systemctl' %}
-{% else %}
-{%   set systemctl_bin = '/usr/bin/systemctl' %}
-{% endif -%}
+echo "Restarting nftables"
 
-{{ systemctl_bin }} reload nftables.service
+/usr/bin/systemctl restart nftables.service
 
 rm -v firehol_level1.netset

roles/mariadb/defaults/main.yml

@@ -1,15 +1,4 @@
 ---
-# ansible.builtin.file: roles/mariadb/defaults/main.yml
-#
-# Based on my running of mysqltuner.pl on a host with three WordPress databases
-#
-
-# default is 128MB but is a waste because it seems only the mysql table uses it
-key_buffer_size: 8M
-
-# default is 128MB but is a waste because it seems only information_schema uses
-# AriaDB, see: https://mariadb.com/kb/en/mariadb/aria-system-variables
-aria_pagecache_buffer_size: 8M
 
 # default is 128M, but set to at least the size of your InnoDB data
 innodb_buffer_pool_size: 256M
@@ -22,10 +11,6 @@ mariadb_login_unix_socket: /run/mysqld/mysqld.sock
 # default is 100 but the max I've seen used is 5, so let's reduce it
 max_connections: 33
 
-# disable the query cache by default
-query_cache_size: 0
-query_cache_type: 0
-
 # mysqltuner says we should use larger than 32M on our setup
 tmp_table_size: 64M
 max_heap_table_size: 64M

roles/mariadb/handlers/main.yml

@@ -1,5 +1,7 @@
 ---
 - name: restart mariadb
-  ansible.builtin.systemd: name=mariadb state=restarted
+  ansible.builtin.systemd_service:
+    name: mariadb
+    state: restarted
 
 # vim: set ts=2 sw=2:

roles/mariadb/tasks/main.yml

@@ -1,52 +1,4 @@
 ---
-- name: Remove MariaDB key from apt-key
-  ansible.builtin.apt_key:
-    id: "013577200103762554506315430003013705453362230723150730"
-    state: absent
-  tags:
-    - packages
-    - mariadb
-
-- name: Check MariaDB package signing key
-  ansible.builtin.stat:
-    path: /etc/apt/keyrings/mariadb_release_signing_key.asc
-  register: mariadb_signing_key_stat
-  tags:
-    - packages
-    - mariadb
-
-- name: Download MariaDB package signing key
-  ansible.builtin.get_url:
-    url: https://mariadb.org/mariadb_release_signing_key.asc
-    dest: /etc/apt/keyrings/mariadb_release_signing_key.asc
-    owner: root
-    group: root
-    mode: "0644"
-  register: download_mariadb_signing_key
-  when: not mariadb_signing_key_stat.stat.exists
-  tags:
-    - packages
-    - mariadb
-
-- name: Add MariaDB 10.11 repo
-  ansible.builtin.apt_repository:
-    repo: deb [arch=amd64 signed-by=/etc/apt/keyrings/mariadb_release_signing_key.asc] https://dlm.mariadb.com/repo/mariadb-server/10.11/repo/debian {{ ansible_distribution_release
-      }} main
-    filename: mariadb
-    state: present
-  register: add_mariadb_apt_repository
-  tags:
-    - packages
-    - mariadb
-
-- name: Update apt cache
-  ansible.builtin.apt: # noqa no-handler
-    update_cache: true
-  when: (download_mariadb_signing_key.status_code is defined and download_mariadb_signing_key.status_code == 200) or add_mariadb_apt_repository is changed
-  tags:
-    - packages
-    - mariadb
-
 - name: Install mariadb-server
   ansible.builtin.apt:
     name: [mariadb-server, python3-pymysql]
@@ -54,10 +6,10 @@
     cache_valid_time: 3600
   tags: mariadb, packages
 
-- name: Create system my.cnf
+- name: Add MariaDB configuration overrides
   ansible.builtin.template:
-    src: my.cnf.j2
-    dest: /etc/mysql/my.cnf
+    src: 70-local.cnf.j2
+    dest: /etc/mysql/mariadb.conf.d/70-local.cnf
     owner: root
     group: root
     mode: "0644"
@@ -87,16 +39,17 @@
 
 # See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_db_module.html
 - name: Create MariaDB database(s)
+  when: mariadb_databases is defined
   community.mysql.mysql_db:
     db: "{{ item.name }}"
     state: present
     encoding: utf8mb4
     login_unix_socket: "{{ mariadb_login_unix_socket }}"
   loop: "{{ mariadb_databases }}"
-  when: mariadb_databases is defined
   tags: mariadb
 
 - name: Create MariaDB user(s)
+  when: mariadb_databases is defined
   community.mysql.mysql_user:
     name: "{{ item.user }}"
     password: "{{ item.pass }}"
@@ -105,7 +58,6 @@
     state: present
     login_unix_socket: "{{ mariadb_login_unix_socket }}"
   loop: "{{ mariadb_databases }}"
-  when: mariadb_databases is defined
   tags: mariadb
 
 # vim: set ts=2 sw=2:

roles/mariadb/templates/70-local.cnf.j2

@@ -0,0 +1,10 @@
+{{ ansible_managed | comment }}
+
+[mysqld]
+# don't resolve connection IPs to hostnames (make sure user accounts are using
+# IPs instead of "localhost")
+skip-name-resolve=1
+max_connections		= {{ max_connections }}
+tmp_table_size		= {{ tmp_table_size }}
+max_heap_table_size	= {{ max_heap_table_size }}
+innodb_buffer_pool_size	= {{ innodb_buffer_pool_size }}

roles/mariadb/templates/my.cnf.j2

@@ -1,196 +0,0 @@
-{{ ansible_managed | comment }}
-
-# MariaDB database server configuration file.
-#
-# You can copy this file to one of:
-# - "/etc/mysql/my.cnf" to set global options,
-# - "~/.my.cnf" to set user-specific options.
-# 
-# One can use all long options that the program supports.
-# Run program with --help to get a list of available options and with
-# --print-defaults to see which it would actually understand and use.
-#
-# For explanations see
-# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
-
-# This will be passed to all mysql clients
-# It has been reported that passwords should be enclosed with ticks/quotes
-# escpecially if they contain "#" chars...
-# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
-[client]
-port		= 3306
-socket		= /run/mysqld/mysqld.sock
-
-# Here is entries for some specific programs
-# The following values assume you have at least 32M ram
-
-# This was formally known as [safe_mysqld]. Both versions are currently parsed.
-[mysqld_safe]
-socket		= /run/mysqld/mysqld.sock
-nice		= 0
-
-[mysqld]
-#
-# * Basic Settings
-#
-user		= mysql
-pid-file	= /run/mysqld/mysqld.pid
-socket		= /run/mysqld/mysqld.sock
-port		= 3306
-basedir		= /usr
-datadir		= /var/lib/mysql
-tmpdir		= /tmp
-lc_messages_dir	= /usr/share/mysql
-lc_messages	= en_US
-skip-external-locking
-#
-# Instead of skip-networking the default is now to listen only on
-# localhost which is more compatible and is not less secure.
-bind-address		= 127.0.0.1
-
-# don't resolve connection IPs to hostnames (make sure user accounts are using
-# IPs instead of "localhost")
-skip-name-resolve=1
-#
-# * Fine Tuning
-#
-max_connections		= {{ max_connections }}
-connect_timeout		= 5
-wait_timeout		= 600
-max_allowed_packet	= 16M
-thread_cache_size       = 128
-sort_buffer_size	= 4M
-bulk_insert_buffer_size	= 16M
-tmp_table_size		= {{ tmp_table_size }}
-max_heap_table_size	= {{ max_heap_table_size }}
-#
-# * MyISAM
-#
-# This replaces the startup script and checks MyISAM tables if needed
-# the first time they are touched. On error, make copy and try a repair.
-myisam_recover_options = BACKUP
-key_buffer_size		= {{ key_buffer_size }}
-#open-files-limit	= 2000
-table_open_cache	= 400
-myisam_sort_buffer_size	= 512M
-concurrent_insert	= 2
-read_buffer_size	= 2M
-read_rnd_buffer_size	= 1M
-#
-# * Query Cache Configuration
-#
-query_cache_limit		= 128K
-query_cache_size		= {{ query_cache_size }}
-query_cache_type		= {{ query_cache_type }}
-#
-# * Logging and Replication
-#
-# Both location gets rotated by the cronjob.
-# Be aware that this log type is a performance killer.
-# As of 5.1 you can enable the log at runtime!
-#general_log_file        = /var/log/mysql/mysql.log
-#general_log             = 1
-#
-# Error logging goes to syslog due to /etc/mysql/conf.d/mysqld_safe_syslog.cnf.
-#
-# we do want to know about network errors and such
-log_warnings		= 2
-#
-# Enable the slow query log to see queries with especially long duration
-#slow_query_log[={0|1}]
-slow_query_log_file	= /var/log/mysql/mariadb-slow.log
-long_query_time = 10
-#log_slow_rate_limit	= 1000
-log_slow_verbosity	= query_plan
-
-#log-queries-not-using-indexes
-#log_slow_admin_statements
-#
-# The following can be used as easy to replay backup logs or for replication.
-# note: if you are setting up a replication slave, see README.Debian about
-#       other settings you may need to change.
-#server-id		= 1
-#report_host		= master1
-#auto_increment_increment = 2
-#auto_increment_offset	= 1
-log_bin			= /var/log/mysql/mariadb-bin
-log_bin_index		= /var/log/mysql/mariadb-bin.index
-# not fab for performance, but safer
-#sync_binlog		= 1
-expire_logs_days	= 10
-max_binlog_size         = 100M
-# slaves
-#relay_log		= /var/log/mysql/relay-bin
-#relay_log_index	= /var/log/mysql/relay-bin.index
-#relay_log_info_file	= /var/log/mysql/relay-bin.info
-#log_slave_updates
-#read_only
-#
-# If applications support it, this stricter sql_mode prevents some
-# mistakes like inserting invalid dates etc.
-#sql_mode		= NO_ENGINE_SUBSTITUTION,TRADITIONAL
-#
-# * InnoDB
-#
-# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
-# Read the manual for more InnoDB related options. There are many!
-default_storage_engine	= InnoDB
-# you can't just change log file size, requires special procedure
-#innodb_log_file_size	= 50M
-innodb_buffer_pool_size	= {{ innodb_buffer_pool_size }}
-innodb_log_buffer_size	= 8M
-innodb_file_per_table	= 1
-innodb_open_files	= 400
-innodb_io_capacity	= 400
-innodb_flush_method	= O_DIRECT
-
-aria_pagecache_buffer_size = {{ aria_pagecache_buffer_size }}
-#
-# * Security Features
-#
-# Read the manual, too, if you want chroot!
-# chroot = /var/lib/mysql/
-#
-# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
-#
-# ssl-ca=/etc/mysql/cacert.pem
-# ssl-cert=/etc/mysql/server-cert.pem
-# ssl-key=/etc/mysql/server-key.pem
-
-#
-# * Galera-related settings
-#
-[galera]
-# Mandatory settings
-#wsrep_on=ON
-#wsrep_provider=
-#wsrep_cluster_address=
-#binlog_format=row
-#default_storage_engine=InnoDB
-#innodb_autoinc_lock_mode=2
-#
-# Allow server to accept connections on all interfaces.
-#
-#bind-address=0.0.0.0
-#
-# Optional setting
-#wsrep_slave_threads=1
-#innodb_flush_log_at_trx_commit=0
-
-[mysqldump]
-quick
-quote-names
-max_allowed_packet	= 16M
-
-[mysql]
-#no-auto-rehash	# faster start of mysql but no tab completion
-
-[isamchk]
-key_buffer		= 16M
-
-#
-# * IMPORTANT: Additional settings that can override those from this file!
-#   The files must end with '.cnf', otherwise they'll be ignored.
-#
-!include /etc/mysql/mariadb.cnf
-!includedir /etc/mysql/conf.d/

roles/munin/handlers/main.yml

@@ -1,4 +1,4 @@
 ---
 # ansible.builtin.file: roles/munin/handlers/main.yml
 - name: restart munin-node
-  ansible.builtin.systemd: name=munin-node state=restarted
+  ansible.builtin.systemd_service: name=munin-node state=restarted

roles/munin/tasks/munin-node.yml

@@ -1,16 +1,22 @@
 ---
 - name: Install munin-node
-  ansible.builtin.apt: name=munin-node state=present
+  ansible.builtin.apt:
+    name: munin-node
+    state: present
   tags: packages
 
 # some nice things to have for munin-node on Ubuntu
 # libwww-perl: for munin's nginx_status check
 - name: Install munin-node deps
-  ansible.builtin.apt: name=libwww-perl state=present
+  ansible.builtin.apt:
+    name: libwww-perl
+    state: present
   tags: packages
 
 - name: Create munin-node.conf
-  ansible.builtin.template: src=munin-node.conf.j2 dest=/etc/munin/munin-node.conf
+  ansible.builtin.template:
+    src: munin-node.conf.j2
+    dest: /etc/munin/munin-node.conf
   notify:
     - restart munin-node
 
@@ -20,6 +26,9 @@
     - restart munin-node
 
 - name: Start munin-node
-  ansible.builtin.systemd: name=munin-node state=started enabled=true
+  ansible.builtin.systemd_service:
+    name: munin-node
+    state: started
+    enabled: true
 
 # vim: set ts=2 sw=2:

roles/munin/tasks/munin.yml

@@ -1,9 +1,16 @@
 ---
 - name: Install munin package
-  ansible.builtin.apt: name=munin state=present
+  ansible.builtin.apt:
+    name: munin
+    state: present
   tags: packages
 
 - name: Create munin configuration file
-  ansible.builtin.template: src=munin.conf.j2 dest=/etc/munin/munin.conf owner=root group=root mode=0644
+  ansible.builtin.template:
+    src: munin.conf.j2
+    dest: /etc/munin/munin.conf
+    owner: root
+    group: root
+    mode: "0644"
 
 # vim: set ts=2 sw=2:

roles/nginx/defaults/main.yml

@@ -5,16 +5,16 @@
 nginx_confd_path: /etc/nginx/conf.d
 
 # parent directory of vhost roots
-nginx_root_prefix: /var/www
+nginx_root_prefix: "{{ web_root_prefix }}"
 
-# 1 hour timeout
-nginx_ssl_session_timeout: 1h
+# 1 day timeout
+nginx_ssl_session_timeout: 1d
 # 10MB -> 40,000 sessions
 nginx_ssl_session_cache: shared:SSL:10m
-# 1400 bytes to fit in one MTU (default is 16k!)
-nginx_ssl_buffer_size: 1400
+nginx_ssl_buffer_size: 4k
 nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
 nginx_ssl_protocols: TLSv1.2 TLSv1.3
+nginx_ssl_ecdh_curve: X25519:prime256v1:secp384r1
 
 # DNS resolvers for OCSP stapling (default to Cloudflare public DNS)
 # See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
@@ -37,8 +37,8 @@ letsencrypt_root: /etc/ssl
 letsencrypt_acme_script_temp: /root/acme.sh
 letsencrypt_acme_home: /root/.acme.sh
 
-# stable is 1.20.x
-# mainline is 1.21.x
+# stable is 1.26.x
+# mainline is 1.27.x
 nginx_version: mainline
 
 # vim: set ts=2 sw=2:

roles/nginx/handlers/main.yml

@@ -1,5 +1,7 @@
 ---
-- name: reload nginx
-  ansible.builtin.systemd: name=nginx state=reloaded
+- name: Reload nginx
+  ansible.builtin.systemd_service:
+    name: nginx
+    state: reloaded
 
 # vim: set ts=2 sw=2:

roles/nginx/tasks/letsencrypt.yml

@@ -1,7 +1,12 @@
 ---
 # Use acme.sh instead of certbot because they only support installation via
 # snap now.
-- block:
+- name: Install and configure Let's Encrypt
+  tags: letsencrypt
+  when:
+    - ansible_facts["distribution"] == 'Debian'
+    - ansible_facts["distribution_version"] is version('11', '>=')
+  block:
     - name: Remove certbot
       ansible.builtin.apt:
         name: certbot
@@ -21,31 +26,31 @@
       register: acme_home
 
     - name: Download acme.sh
+      when: not acme_home.stat.exists
       ansible.builtin.get_url:
         url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
         dest: "{{ letsencrypt_acme_script_temp }}"
         mode: "0700"
       register: acme_download
-      when: not acme_home.stat.exists
 
     # Run the "install" for acme.sh so it creates the .acme.sh dir (currently I
     # have to chdir to the /root directory where the script exists or else it
     # fails. Ansible runs it, but the script can't find itself...).
     - name: Install acme.sh
+      when: acme_download is changed
       ansible.builtin.command:
         cmd: "{{ letsencrypt_acme_script_temp }} --install --no-profile --no-cron"
         creates: "{{ letsencrypt_acme_home }}/acme.sh"
         chdir: /root
       register: acme_install
-      when: acme_download is changed
 
     - name: Remove temporary acme.sh script
-      ansible.builtin.file:
-        dest: "{{ letsencrypt_acme_script_temp }}"
-        state: absent
       when:
         - acme_install.rc is defined
         - acme_install.rc == 0
+      ansible.builtin.file:
+        dest: "{{ letsencrypt_acme_script_temp }}"
+        state: absent
 
     - name: Set default certificate authority for acme.sh
       ansible.builtin.command:
@@ -77,14 +82,10 @@
 
     # always issues daemon-reload just in case the service/timer changed
     - name: Start and enable systemd timer to renew Let's Encrypt certs
-      ansible.builtin.systemd:
+      ansible.builtin.systemd_service:
         name: renew-letsencrypt.timer
         state: started
         enabled: true
         daemon_reload: true
 
-  when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version
-    is version('11', '>='))
-  tags: letsencrypt
-
 # vim: set ts=2 sw=2:

roles/nginx/tasks/main.yml

@@ -1,12 +1,4 @@
 ---
-- name: Remove nginx apt signing key from apt-key
-  ansible.builtin.apt_key:
-    id: "053473772654754373614404074646527257655730117366337542"
-    state: absent
-  tags:
-    - packages
-    - nginx
-
 - name: Download nginx apt signing key
   ansible.builtin.get_url:
     url: https://nginx.org/keys/nginx_signing.key
@@ -33,9 +25,9 @@
     - packages
 
 - name: Update apt cache
+  when: (download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or add_nginx_apt_repository is changed
   ansible.builtin.apt: # noqa no-handler
     update_cache: true
-  when: (download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or add_nginx_apt_repository is changed
 
 - name: Install nginx
   ansible.builtin.apt:
@@ -54,7 +46,7 @@
     owner: root
     group: root
   notify:
-    - reload nginx
+    - Reload nginx
   tags: nginx
 
 - name: Copy extra nginx configs
@@ -68,7 +60,7 @@
     - extra-security.conf
     - fastcgi_cache
   notify:
-    - reload nginx
+    - Reload nginx
   tags: nginx
 
 - name: Remove default nginx vhost
@@ -87,13 +79,13 @@
   tags: nginx
 
 - name: Configure nginx virtual hosts
-  ansible.builtin.include_tasks: vhosts.yml
   when: nginx_vhosts is defined
+  ansible.builtin.include_tasks: vhosts.yml
   tags: nginx
 
 - name: Configure WordPress
-  ansible.builtin.include_tasks: wordpress.yml
   when: nginx_vhosts is defined
+  ansible.builtin.include_tasks: wordpress.yml
   tags: wordpress
 
 - name: Configure blank nginx vhost
@@ -104,7 +96,7 @@
     owner: root
     group: root
   notify:
-    - reload nginx
+    - Reload nginx
   tags: nginx
 
 - name: Configure munin vhost
@@ -115,11 +107,11 @@
     owner: root
     group: root
   notify:
-    - reload nginx
+    - Reload nginx
   tags: nginx
 
 - name: Start and enable nginx service
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: nginx
     state: started
     enabled: true

roles/nginx/tasks/vhosts.yml

@@ -1,16 +1,23 @@
 ---
-- block:
 - name: Configure https vhosts
-      ansible.builtin.template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root
+  tags: nginx
+  block:
+    - name: Configure https vhosts
+      ansible.builtin.template:
+        src: vhost.conf.j2
+        dest: "{{ nginx_confd_path }}/{{ item.domain_name }}.conf"
+        mode: "0644"
+        owner: root
+        group: root
       loop: "{{ nginx_vhosts }}"
       notify:
-        - reload nginx
+        - Reload nginx
 
     - name: Generate self-signed TLS cert
       ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key
         -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
       notify:
-        - reload nginx
+        - Reload nginx
 
     - name: Download 4096-bit RFC 7919 dhparams
       ansible.builtin.get_url:
@@ -18,12 +25,16 @@
         checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3
         dest: "{{ nginx_ssl_dhparam }}"
       notify:
-        - reload nginx
+        - Reload nginx
 
     # TODO: this could break because we can override the document root in host vars
     - name: Create vhost document roots
-      ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=nginx group=nginx
+      ansible.builtin.file:
+        path: "{{ nginx_root_prefix }}/{{ item.domain_name }}"
+        state: directory
+        mode: "0755"
+        owner: nginx
+        group: nginx
       loop: "{{ nginx_vhosts }}"
-  tags: nginx
 
 # vim: set ts=2 sw=2:

roles/nginx/tasks/wordpress.yml

@@ -1,19 +1,31 @@
 ---
-- block:
+- name: Install and configure WordPress
+  tags: wordpress
+  block:
     - name: Install WordPress
-      ansible.builtin.git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version
-        }} depth=1 force=true
       when:
         - item.has_wordpress is defined
         - item.has_wordpress
+      ansible.builtin.git:
+        repo: https://github.com/WordPress/WordPress.git
+        dest: "{{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress"
+        version: "{{ item.wordpress_version }}"
+        depth: 1
+        force: true
       loop: "{{ nginx_vhosts }}"
+      become: true
+      become_user: nginx
 
     - name: Fix WordPress directory permissions
-      ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=true
       when:
         - item.has_wordpress is defined
         - item.has_wordpress
+      ansible.builtin.file:
+        path: "{{ nginx_root_prefix }}/{{ item.domain_name }}"
+        state: directory
+        owner: nginx
+        group: nginx
+        recurse: true
       loop: "{{ nginx_vhosts }}"
-  tags: wordpress
 
 # vim: set ts=2 sw=2:

roles/nginx/templates/blank-vhost.conf.j2

@@ -11,9 +11,11 @@ server {
 
     return 444;
 }
+
 server {
-    listen 443 ssl http2 default_server;
-    listen [::]:443 ssl http2 default_server;
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+    http2 on;
     server_name _;
 
     # self-signed "snakeoil" certificate

roles/nginx/templates/https.j2

@@ -27,8 +27,9 @@
 
     ssl_dhparam {{ nginx_ssl_dhparam }};
     ssl_protocols {{ nginx_ssl_protocols }};
+    ssl_ecdh_curve {{ nginx_ssl_ecdh_curve }};
     ssl_ciphers "{{ tls_cipher_suite }}";
-    ssl_prefer_server_ciphers on;
+    ssl_prefer_server_ciphers off;
 
     {# OSCP stapling only works with real certs #}
     {% if use_letsencrypt == true or item.tls_certificate_path %}
@@ -38,15 +39,6 @@
     resolver {{ nginx_ssl_stapling_resolver }};
     {% endif %} {# end: use_letsencrypt #}
 
-    # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
-    # when a restart is performed the previous key is lost, which resets all previous
-    # sessions. The fix for this is to setup a manual rotation mechanism:
-    # http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
-    #
-    # Note that you'll have to define and rotate the keys securely by yourself. In absence
-    # of such infrastructure, consider turning off session tickets:
-    ssl_session_tickets off;
-
     {% if enable_hsts == true %}
     # Enable this if you want HSTS (recommended, but be careful)
     # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store

roles/nginx/templates/nginx.conf.j2

@@ -14,7 +14,6 @@ error_log  /var/log/nginx/error.log warn;
 # The file storing the process ID of the main process
 pid        /var/run/nginx.pid;
 
-
 events {
     # If you need more connections than this, you start optimizing your OS.
     # That's probably the point at which you hire people who are smarter than you as this is *a lot* of requests.
@@ -23,6 +22,7 @@ events {
 }
 
 
+
 http {
     include       /etc/nginx/mime.types;
     default_type  application/octet-stream;

roles/nginx/templates/nginx_org_sources.list.j2

@@ -1,19 +1,7 @@
 {{ ansible_managed | comment }}
 
-{% if ansible_distribution == 'Ubuntu' %}
-
 {% if nginx_version == "stable" %}
-deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/ubuntu/ {{ ansible_distribution_release }} nginx
+deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/debian/ {{ ansible_facts["distribution_release"] }} nginx
 {% elif nginx_version == "mainline" %}
-deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/mainline/ubuntu/ {{ ansible_distribution_release }} nginx
-{% endif %}
-
-{% elif ansible_distribution == 'Debian' %}
-
-{% if nginx_version == "stable" %}
-deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx
-{% elif nginx_version == "mainline" %}
-deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/mainline/debian/ {{ ansible_distribution_release }} nginx
-{% endif %}
-
+deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/mainline/debian/ {{ ansible_facts["distribution_release"] }} nginx
 {% endif %}

roles/nginx/templates/vhost.conf.j2

@@ -8,6 +8,12 @@
 {% set has_wordpress  = item.has_wordpress | default(false) %}
 {% set needs_php      = item.needs_php | default(false) %}
 {% set has_gitea      = item.has_gitea | default(false) %}
+{# Allow sites to override the document root #}
+{% if item.document_root is defined %}
+{%   set document_root = item.document_root %}
+{% else %}
+{%   set document_root = (nginx_root_prefix, domain_name) | ansible.builtin.path_join %}
+{% endif %}
 
 # http -> https vhost
 server {
@@ -26,15 +32,11 @@ server {
 }
 
 server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
 
-    {# Allow sites to override the nginx document root #}
-    {% if item.document_root is defined %}
-    root {{ item.document_root }};
-    {% else %}
-    root {{ nginx_root_prefix }}/{{ domain_name }};
-    {% endif %}
+    root {{ document_root }};
 
     {# will only work if the TLS cert covers the domain + aliases, like example.com and www.example.com #}
     server_name {{ domain_name }} {{ domain_aliases }};
@@ -75,12 +77,8 @@ server {
         # See: https://httpoxy.org/
         fastcgi_param HTTP_PROXY "";
 
-        {% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('12', '==') %}
+        {% if ansible_facts["distribution_major_version"] is version('12', '==') %}
         fastcgi_pass unix:/run/php/php8.2-fpm-{{ domain_name }}.sock;
-        {% elif (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11', '==')) %}
-        fastcgi_pass unix:/run/php/php7.4-fpm-{{ domain_name }}.sock;
-        {% else %}
-        fastcgi_pass unix:/var/run/php5-fpm-{{ domain_name }}.sock;
         {% endif %}
         fastcgi_index index.php;
         # set script path relative to document root in server block

roles/php-fpm/handlers/main.yml

@@ -1,12 +0,0 @@
----
-# For Ubuntu 20.04 and Debian 11
-- name: reload php7.4-fpm
-  ansible.builtin.systemd: name=php7.4-fpm state=reloaded
-
-# For Debian 12
-- name: reload php8.2-fpm
-  ansible.builtin.systemd:
-    name: php8.2-fpm
-    state: reloaded
-
-# vim: set ts=2 sw=2:

roles/php-fpm/tasks/Debian_12.yml

@@ -1,50 +0,0 @@
----
-- block:
-    - name: Set php-fpm packages
-      ansible.builtin.set_fact:
-        php_fpm_packages:
-          - php8.2-fpm
-          # for WordPress
-          - php8.2-mysql
-          - php8.2-gd
-          - php8.2-curl
-          - php8.2-xml
-
-    - name: Install php-fpm and deps
-      ansible.builtin.apt:
-        name: "{{ php_fpm_packages }}"
-        state: present
-        update_cache: true
-
-    # only copy php-fpm config for vhosts that need WordPress or PHP
-    - name: Copy php-fpm pool config
-      ansible.builtin.template:
-        src: php8.2-pool.conf.j2
-        dest: /etc/php/8.2/fpm/pool.d/{{ item.domain_name }}.conf
-        owner: root
-        group: root
-        mode: "0644"
-      loop: "{{ nginx_vhosts }}"
-      when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
-      notify: reload php8.2-fpm
-
-    - name: Remove default www pool
-      ansible.builtin.file:
-        path: /etc/php/8.2/fpm/pool.d/www.conf
-        state: absent
-      notify: reload php8.2-fpm
-
-    # re-configure php.ini
-    - name: Update php.ini
-      ansible.builtin.template:
-        src: php8.2-php.ini.j2
-        dest: /etc/php/8.2/fpm/php.ini
-        owner: root
-        group: root
-        mode: "0644"
-      notify: reload php8.2-fpm
-
-  tags: php-fpm
-  when: install_php
-
-# vim: set ts=2 sw=2:

roles/php-fpm/tasks/Ubuntu_20.04.yml

@@ -1,35 +0,0 @@
----
-- block:
-    - name: Set php-fpm packages
-      ansible.builtin.set_fact:
-        php_fpm_packages:
-          - php7.4-fpm
-          # for WordPress
-          - php7.4-mysql
-          - php7.4-gd
-          - php7.4-curl
-          - php7.4-xml
-
-    - name: Install php-fpm and deps
-      ansible.builtin.apt: name={{ php_fpm_packages }} state=present update_cache=true
-
-    # only copy php-fpm config for vhosts that need WordPress or PHP
-    - name: Copy php-fpm pool config
-      ansible.builtin.template: src=php7.4-pool.conf.j2 dest=/etc/php/7.4/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
-      loop: "{{ nginx_vhosts }}"
-      when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
-      notify: reload php7.4-fpm
-
-    - name: Remove default www pool
-      ansible.builtin.file: path=/etc/php/7.4/fpm/pool.d/www.conf state=absent
-      notify: reload php7.4-fpm
-
-    # re-configure php.ini
-    - name: Update php.ini
-      ansible.builtin.template: src=php7.4-php.ini.j2 dest=/etc/php/7.4/fpm/php.ini owner=root group=root mode=0644
-      notify: reload php7.4-fpm
-
-  tags: php-fpm
-  when: install_php
-
-# vim: set ts=2 sw=2:

roles/php-fpm/tasks/main.yml

@@ -1,53 +0,0 @@
----
-# Ubuntu 20.04 uses PHP 7.4
-# Debian 11 uses PHP 7.4
-# Debian 12 uses PHP 8.2
-
-# If any of the vhosts on this host need WordPress then we need to install PHP.
-# This uses selectattr to filter the list of dicts in nginx_vhosts, selecting
-# any that have has_wordpress defined, and has_wordpress set to true.
-#
-# See: https://stackoverflow.com/a/31896249
-- name: Check if any vhost needs WordPress
-  ansible.builtin.set_fact:
-    install_php: true
-  when: nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', true) | list | length > 0
-
-# Legacy, was only for Piwik, but leaving for now.
-- name: Check if any vhost needs PHP
-  ansible.builtin.set_fact:
-    install_php: true
-  when: nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', true) | list | length > 0
-
-# If install_php has not been set, then we assume no vhosts need PHP. This is
-# a bit hacky, but it's the closest we come to an if/then/else.
-- name: Set install_php to false
-  ansible.builtin.set_fact:
-    install_php: false
-  when: install_php is not defined
-
-- name: Configure php-fpm on Ubuntu 20.04
-  ansible.builtin.include_tasks: Ubuntu_20.04.yml
-  when:
-    - ansible_distribution == 'Ubuntu'
-    - ansible_distribution_version is version('20.04', '==')
-    - install_php
-  tags: php-fpm
-
-- name: Configure php-fpm on Debian 11
-  ansible.builtin.include_tasks: Ubuntu_20.04.yml
-  when:
-    - ansible_distribution == 'Debian'
-    - ansible_distribution_major_version is version('11', '==')
-    - install_php
-  tags: php-fpm
-
-- name: Configure php-fpm on Debian 12
-  ansible.builtin.include_tasks: Debian_12.yml
-  when:
-    - ansible_distribution == 'Debian'
-    - ansible_distribution_major_version is version('12', '==')
-    - install_php
-  tags: php-fpm
-
-# vim: set ts=2 sw=2:

roles/php_fpm/handlers/main.yml

@@ -0,0 +1,14 @@
+---
+# For Debian 12
+- name: Reload php8.2-fpm
+  ansible.builtin.systemd_service:
+    name: php8.2-fpm
+    state: reloaded
+
+# For Debian 13
+- name: Reload php8.4-fpm
+  ansible.builtin.systemd_service:
+    name: php8.4-fpm
+    state: reloaded
+
+# vim: set ts=2 sw=2:

roles/php_fpm/tasks/main.yml

@@ -0,0 +1,90 @@
+---
+# Debian 12 uses PHP 8.2
+# Debian 13 uses PHP 8.4
+
+# If any of the vhosts on this host need WordPress then we need to install PHP.
+# This uses selectattr to filter the list of dicts in nginx_vhosts, selecting
+# any that have has_wordpress defined, and has_wordpress set to true.
+#
+# See: https://stackoverflow.com/a/31896249
+- name: Check if any vhost needs WordPress
+  ansible.builtin.set_fact:
+    install_php: true
+  when: nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', true) | list | length > 0
+
+# Legacy, was only for Piwik, but leaving for now.
+- name: Check if any vhost needs PHP
+  ansible.builtin.set_fact:
+    install_php: true
+  when: nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', true) | list | length > 0
+
+# If install_php has not been set, then we assume no vhosts need PHP. This is
+# a bit hacky, but it's the closest we come to an if/then/else.
+- name: Set install_php to false
+  ansible.builtin.set_fact:
+    install_php: false
+  when: install_php is not defined
+
+- name: Install and configure php-fpm
+  tags: php-fpm
+  when: install_php
+  block:
+    - name: Set php-fpm packages
+      ansible.builtin.set_fact:
+        php_fpm_packages:
+          - php-fpm
+          # for WordPress
+          - php-mysql
+          - php-gd
+          - php-curl
+          - php-xml
+
+    - name: Install php-fpm and deps
+      ansible.builtin.apt:
+        name: "{{ php_fpm_packages }}"
+        state: present
+        update_cache: true
+
+    - name: Set PHP version for Debian 12
+      when:
+        - ansible_facts["distribution"] == 'Debian'
+        - ansible_facts["distribution_major_version"] is version('12', '==')
+      ansible.builtin.set_fact:
+        php_version: 8.2
+
+    - name: Set PHP version for Debian 13
+      when:
+        - ansible_facts["distribution"] == 'Debian'
+        - ansible_facts["distribution_major_version"] is version('13', '==')
+      ansible.builtin.set_fact:
+        php_version: 8.4
+
+    # only copy php-fpm config for vhosts that need WordPress or PHP
+    - name: Copy php-fpm pool config
+      ansible.builtin.template:
+        src: php{{ php_version }}-pool.conf.j2
+        dest: /etc/php/{{ php_version }}/fpm/pool.d/{{ item.domain_name }}.conf
+        owner: root
+        group: root
+        mode: "0644"
+      loop: "{{ nginx_vhosts }}"
+      when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
+      notify: Reload php{{ php_version }}-fpm
+
+    - name: Remove default www pool
+      ansible.builtin.file:
+        path: /etc/php/{{ php_version }}/fpm/pool.d/www.conf
+        state: absent
+      notify: Reload php{{ php_version }}-fpm
+
+    # re-configure php.ini
+    - name: Update php.ini
+      ansible.builtin.template:
+        src: php{{ php_version }}-php.ini.j2
+        dest: /etc/php/{{ php_version }}/fpm/php.ini
+        owner: root
+        group: root
+        mode: "0644"
+      notify: Reload php{{ php_version }}-fpm
+
+# vim: set ts=2 sw=2:

roles/php_fpm/templates/php8.2-pool.conf.j2

@@ -27,8 +27,8 @@
 ;       --allow-to-run-as-root option to work.
 ; Default Values: The user is set to master process running user by default.
 ;                 If the group is not set, the user's group is used.
-user = nginx
-group = nginx
+user = {{ webserver }}
+group = {{ webserver }}
 
 ; The address on which to accept FastCGI requests.
 ; Valid syntaxes are:
@@ -52,8 +52,8 @@ listen = /run/php/php8.2-fpm-{{ domain_name }}.sock
 ; and group can be specified either by name or by their numeric IDs.
 ; Default Values: Owner is set to the master process running user. If the group
 ;                 is not set, the owner's group is used. Mode is set to 0660.
-listen.owner = nginx
-listen.group = nginx
+listen.owner = {{ webserver }}
+listen.group = {{ webserver }}
 ;listen.mode = 0660
 
 ; When POSIX Access Control Lists are supported you can set them using

roles/php_fpm/templates/php8.4-pool.conf.j2

@@ -19,11 +19,16 @@
 ; Default Value: none
 ;prefix = /path/to/pools/$pool
 
-; Unix user/group of processes
-; Note: The user is mandatory. If the group is not set, the default user's group
-;       will be used.
-user = nginx
-group = nginx
+; Unix user/group of the child processes. This can be used only if the master
+; process running user is root. It is set after the child process is created.
+; The user and group can be specified either by their name or by their numeric
+; IDs.
+; Note: If the user is root, the executable needs to be started with
+;       --allow-to-run-as-root option to work.
+; Default Values: The user is set to master process running user by default.
+;                 If the group is not set, the user's group is used.
+user = {{ webserver }}
+group = {{ webserver }}
 
 ; The address on which to accept FastCGI requests.
 ; Valid syntaxes are:
@@ -35,20 +40,22 @@ group = nginx
 ;                            (IPv6 and IPv4-mapped) on a specific port;
 ;   '/path/to/unix/socket' - to listen on a unix socket.
 ; Note: This value is mandatory.
-listen = /run/php/php7.4-fpm-{{ domain_name }}.sock
+listen = /run/php/php8.2-fpm-{{ domain_name }}.sock
 
 ; Set listen(2) backlog.
-; Default Value: 511 (-1 on FreeBSD and OpenBSD)
+; Default Value: 511 (-1 on Linux, FreeBSD and OpenBSD)
 ;listen.backlog = 511
 
 ; Set permissions for unix socket, if one is used. In Linux, read/write
 ; permissions must be set in order to allow connections from a web server. Many
-; BSD-derived systems allow connections regardless of permissions.
-; Default Values: user and group are set as the running user
-;                 mode is set to 0660
-listen.owner = nginx
-listen.group = nginx
+; BSD-derived systems allow connections regardless of permissions. The owner
+; and group can be specified either by name or by their numeric IDs.
+; Default Values: Owner is set to the master process running user. If the group
+;                 is not set, the owner's group is used. Mode is set to 0660.
+listen.owner = {{ webserver }}
+listen.group = {{ webserver }}
 ;listen.mode = 0660
+
 ; When POSIX Access Control Lists are supported you can set them using
 ; these options, value is a comma separated list of user/group names.
 ; When set, listen.owner and listen.group are ignored
@@ -63,6 +70,10 @@ listen.group = nginx
 ; Default Value: any
 ;listen.allowed_clients = 127.0.0.1
 
+; Set the associated the route table (FIB). FreeBSD only
+; Default Value: -1
+;listen.setfib = 1
+
 ; Specify the nice(2) priority to apply to the pool processes (only if set)
 ; The value can vary from -19 (highest priority) to 20 (lower priority)
 ; Note: - It will only work if the FPM master process is launched as root
@@ -71,8 +82,9 @@ listen.group = nginx
 ; Default Value: no set
 ; process.priority = -19
 
-; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
-; or group is differrent than the master process user. It allows to create process
+; Set the process dumpable flag (PR_SET_DUMPABLE prctl for Linux or
+; PROC_TRACE_CTL procctl for FreeBSD) even if the process user
+; or group is different than the master process user. It allows to create process
 ; core dump and ptrace the process for the pool user.
 ; Default Value: no
 ; process.dumpable = yes
@@ -94,6 +106,8 @@ listen.group = nginx
 ;                                    state (waiting to process). If the number
 ;                                    of 'idle' processes is greater than this
 ;                                    number then some children will be killed.
+;             pm.max_spawn_rate    - the maximum number of rate to spawn child
+;                                    processes at once.
 ;  ondemand - no children are created at startup. Children will be forked when
 ;             new requests will connect. The following parameter are used:
 ;             pm.max_children           - the maximum number of children that
@@ -129,6 +143,12 @@ pm.min_spare_servers = 1
 ; Note: Mandatory when pm is set to 'dynamic'
 pm.max_spare_servers = 3
 
+; The number of rate to spawn child processes at once.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+; Default Value: 32
+;pm.max_spawn_rate = 32
+
 ; The number of seconds after which an idle process will be killed.
 ; Note: Used only when pm is set to 'ondemand'
 ; Default Value: 10s
@@ -141,7 +161,7 @@ pm.max_spare_servers = 3
 ;pm.max_requests = 500
 
 ; The URI to view the FPM status page. If this value is not set, no URI will be
-; recognized as a status page. It shows the following informations:
+; recognized as a status page. It shows the following information:
 ;   pool                 - the name of the pool;
 ;   process manager      - static, dynamic or ondemand;
 ;   start time           - the date and time FPM has started;
@@ -211,8 +231,8 @@ pm.max_spare_servers = 3
 ;                          it's always 0 if the process is not in Idle state
 ;                          because memory calculation is done when the request
 ;                          processing has terminated;
-; If the process is in Idle state, then informations are related to the
-; last request the process has served. Otherwise informations are related to
+; If the process is in Idle state, then information is related to the
+; last request the process has served. Otherwise information is related to
 ; the current request being served.
 ; Example output:
 ;   ************************
@@ -231,7 +251,7 @@ pm.max_spare_servers = 3
 ;   last request memory:  0
 ;
 ; Note: There is a real-time FPM status monitoring sample web page available
-;       It's available in: /usr/share/php/7.4/fpm/status.html
+;       It's available in: /usr/share/php/8.4/fpm/status.html
 ;
 ; Note: The value must start with a leading slash (/). The value can be
 ;       anything, but it may not be a good idea to use the .php extension or it
@@ -239,6 +259,22 @@ pm.max_spare_servers = 3
 ; Default Value: not set
 ;pm.status_path = /status
 
+; The address on which to accept FastCGI status request. This creates a new
+; invisible pool that can handle requests independently. This is useful
+; if the main pool is busy with long running requests because it is still possible
+; to get the status before finishing the long running requests.
+;
+; Valid syntaxes are:
+;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
+;                            a specific port;
+;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
+;                            a specific port;
+;   'port'                 - to listen on a TCP socket to all addresses
+;                            (IPv6 and IPv4-mapped) on a specific port;
+;   '/path/to/unix/socket' - to listen on a unix socket.
+; Default Value: value of the listen option
+;pm.status_listen = 127.0.0.1:9001
+
 ; The ping URI to call the monitoring page of FPM. If this value is not set, no
 ; URI will be recognized as a ping page. This could be used to test from outside
 ; that FPM is alive and responding, or to
@@ -271,13 +307,13 @@ pm.max_spare_servers = 3
 ;  %d: time taken to serve the request
 ;      it can accept the following format:
 ;      - %{seconds}d (default)
-;      - %{miliseconds}d
-;      - %{mili}d
+;      - %{milliseconds}d
+;      - %{milli}d
 ;      - %{microseconds}d
 ;      - %{micro}d
 ;  %e: an environment variable (same as $_ENV or $_SERVER)
 ;      it must be associated with embraces to specify the name of the env
-;      variable. Some exemples:
+;      variable. Some examples:
 ;      - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
 ;      - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
 ;  %f: script filename
@@ -306,14 +342,30 @@ pm.max_spare_servers = 3
 ;  %s: status (response code)
 ;  %t: server time the request was received
 ;      it can accept a strftime(3) format:
-;      The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
+;      The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
 ;  %T: time the log has been written (the request has finished)
 ;      it can accept a strftime(3) format:
-;      The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
-;  %u: remote user
+;      The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
+;  %u: basic auth user if specified in Authorization header
 ;
 ; Default: "%R - %u %t \"%m %r\" %s"
-;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
+;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%"
+
+; A list of request_uri values which should be filtered from the access log.
+;
+; As a security precaution, this setting will be ignored if:
+;     - the request method is not GET or HEAD; or
+;     - there is a request body; or
+;     - there are query parameters; or
+;     - the response code is outwith the successful range of 200 to 299
+;
+; Note: The paths are matched against the output of the access.format tag "%r".
+;       On common configurations, this may look more like SCRIPT_NAME than the
+;       expected pre-rewrite URI.
+;
+; Default Value: not set
+;access.suppress_path[] = /ping
+;access.suppress_path[] = /health_check.php
 
 ; The log file for slow requests
 ; Default Value: not set
@@ -372,7 +424,7 @@ pm.max_spare_servers = 3
 
 ; Redirect worker stdout and stderr into main error log. If not set, stdout and
 ; stderr will be redirected to /dev/null according to FastCGI specs.
-; Note: on highloaded environement, this can cause some delay in the page
+; Note: on highloaded environment, this can cause some delay in the page
 ; process time (several ms).
 ; Default Value: no
 ;catch_workers_output = yes

vars/Ubuntu.yml

@@ -1,10 +0,0 @@
----
-
-# sshd service name is `ssh` on Debian/Ubuntu, but it's
-# `sshd` on CentOS
-sshd_service_name: ssh
-
-# provisioning user vars
-provisioning_user: { name: 'provisioning', home: '/home/provisioning' }
-
-# vim: set ts=2 sw=2:

web.yml

@@ -9,7 +9,7 @@
     - { role: mariadb, when: mariadb_databases is defined}
     - { role: nginx, when: webserver is defined and webserver == 'nginx' }
     - { role: caddy, when: webserver is defined and webserver == 'caddy' }
-    - php-fpm
+    - php_fpm
     - munin
   vars_files:
     - vars/ipsets.yml