roles/common: minor configuration of Debian 13 SSH

Tweak some of the new OpenSSH per-source penalty settings on Debian
13. For now only adjusting the source network masks and reusing the
list of IPs to exempt from fail2ban.

These being built in makes them easier to use, but I think I will
end up sticking with fail2ban for the heavy lifting because it per-
sists across restarts of the daemon, whereas OpenSSH's doesn't. I
will monitor OpenSSH on Debian 13 to see how to best use it along
side fail2ban.

Pipfile

@@ -10,4 +10,4 @@ ansible = "*"
 ansible-lint = "*"
 
 [requires]
-python_version = "3.10"
+python_version = "3.13"

README.md

@@ -4,7 +4,7 @@ Ansible playbook for base and initial configuration of the web server hosting my
 ## Assumptions
 Before you can run this, a few things are assumed:
 
-- You have a clean, minimal Ubuntu 18.04/20.04 or Debian 10/11 host up and running
+- You have a clean, minimal Debian 12 host up and running
 - Python 3 is installed on the remote server (requirement of Ansible)
 - You have a user account with password-less SSH access to the machine
 - You have sudo privileges on the remote host

ansible.cfg

@@ -2,16 +2,16 @@
 retry_files_enabled=False
 force_handlers=True
 inventory=hosts
+gathering = smart
 # instead of using --ask-vault-pass
 ask_vault_pass=True
 remote_user = provisioning
 interpreter_python=auto
-
-ansible_managed = This file is managed by Ansible.%n
-  template: {file}
-  date: %Y-%m-%d %H:%M:%S
-  user: {uid}
-  host: {host}
+# Don't warn on unknown SSH host keys because it's super annoying for new hosts
+# or if you get a new laptop and run Ansible there!
+#
+# See: https://docs.ansible.com/ansible/latest/user_guide/connection_details.html#managing-host-key-checking
+host_key_checking = False
 
 [privilege_escalation]
 # instead of using -K

group_vars/all

@@ -3,4 +3,12 @@
 
 tls_cipher_suite: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
 
+ansible_managed: |-
+  This file is managed by Ansible.
+
+  {{ 'template: ' + template_path }}
+  {{ 'date: ' + (template_mtime | string) }}
+  {{ 'user: ' + template_uid }}
+  {{ 'host: ' + template_host }}
+
 # vim: set ts=2 sw=2:

group_vars/web

@@ -1,8 +1,14 @@
 ---
 # file: group_vars/web
 
+# run nginx by default
+webserver: nginx
+
 # all hosts run fail2ban with the sshd filter, but some can use other filters
 extra_fail2ban_filters:
   - nginx
 
+# root prefix for all web servers
+web_root_prefix: /var/www
+
 # vim: set ts=2 sw=2:

host_vars/nomad02

@@ -1,163 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-36643866316634653430343333316233346137663238373035376232643132663036343736376464
-3033313234383933656361343938653362623265653030360a396638643333633137376231663538
-65313537316564303330663730333131633165633238643532646435386436623163346366383533
-3965636630393834620a343531623964626135636337313861653361393733333463633234363435
-64643934346466663934613962613230623562323666353231326363343430336637323666383634
-36626136643432343332343665343734653435383336313862383863626466663633363738313563
-30303666306439333836306161633432346636396333653434666531353966353430666436623531
-31636562656161333830313362653764306137396231346334613336346538306432636639386561
-65323737383865313264623934613365373465323065616130333837386665666333623832626239
-33333230643332373238363432306466613737373132643134363563613535376365616130333433
-35653262356233626331643432396237306237363135623830643536653938363461303738613130
-66613036393338393037386162383831663866323233383736303532363837663039376166363639
-34666237333562643665653165393730646632316237663337383937353365333532336462656362
-31353934393363363765616335626565343238336262653361306164383030303835303666326532
-31386332346362633433356161643536333862373030306364393935663061396538616637623230
-66383163396139306430343639346264336464646233316636666239643132376164613666363538
-33356365643430383732396235623038643566623131616461376261343563353236306663656634
-64643035373039383031303464346264383066623762323161643561366164313461613038633531
-36383161363065366164383932623231626633646166313835343264373366393236626336353039
-66646338303731346337363962353135346239306562663737363038306433386230326636336162
-65313132626564663738633531333662666661326463643032656136376564643938623061346464
-66653239663464306430613563666336643839323537626338666435336138613763313364323637
-30666566326463623438316263623233333434623366306330656564636163336636623433646631
-65316562616136626330333166646332366537666664303766346239316535333031396235303466
-34393664373361356231333530323865646333653237613636386632393730623330653437393164
-65343266373237386364373862656138633263666633333465623836366233663537393539393638
-34643963363865383434633163623832646632393234636136346137366361393638393461306337
-64653436313065326637363632336565306137613131306364336537613835306332633366313130
-34393732643361663731383661646631353035353064613931333330653031626435353163323633
-65326135376462666435643837333131313863313630336566333835613132383365343234366133
-39336131363366616136663636663334386361646465336331343836626439316532376566353565
-37643361646435643133336333643837633331316432303062623062396564373137613235363762
-32363838333337363035343631353261653063316138626133303937623233326531333837383033
-39366536333434303864616164313137613337643730306261626138343764663662393161613730
-36303736306631636266336131396336646635653131336265623364633038363339353933636632
-39626134353866313439333962376663393831303261633431303035663130613265333739616135
-62623138386235653935383364623230343662333138653562633266336534383963326237663132
-38646335623532383565303466386261613931666438313261653434633934353739613431636132
-39633133656230666231383936396264313630353434313035643565333661393736386637313264
-63636337373334313937643261313564333564383566633730396364653533666236643433643436
-33363061356362386535323038383637613364393639646363366630373735353234333134636565
-37653064636536376638626135393332626539346365353661636439323338653137383866663734
-62303139363436646464383266396464313565376132393937356665396536623332376134393366
-30346435313566313237326461346362353633353261373038656130323365383765613739323239
-38633934643531633037623036623839386637663762366631633033646138323936353433326430
-34396466653230643766636636393735373363616637386662333535643536626261653264346332
-34336337646133646261353939353166393530323730333063393365626365383366633464633236
-64656535613838313461623864666362373030636366373038373863616462373939356238353362
-36363535653734343533666532343166313964303236313135386134623963386535306435656330
-38386430303330303837326138356364373439313836636234656331643131646363386138653065
-64353837396533303463643130613339663166333933643362303565623432643064353865393635
-65663362666130623933623733323933343065633432613965373764383035316338316338373934
-65383061386635316331366532626437303664636436306535663365373064346136393063623335
-35643062363536633332313531356637313032666262366466626462666663303161653635666331
-32343130383231323239363235313031346438323330383938303733323436646336353163356132
-30336136646261323866663530336335636464623035626635333961623363396239353935636531
-64373231386163663962313834333538333133376433623363306239393462383930306432396562
-65393761633834663431353032393032396330393338343863333939323632393438646331613463
-35363530653161653266616331356531666434353663643364316564623438316132383463356437
-38626365343733383735383939646331376531376563623231323535323735356630336130383835
-39633335373163656431336130333664306164336536356431323438333933636365303330393233
-32353437393133646632373234376431626332626333343866643463653662373861346539663131
-32393333633766633738393937356134313236343633636533376665316134653632623061353866
-36373761366264653737386331383235306137323965363265653937353833343362633433313462
-32316466356335366630373635376561636233336165666661653632323835336563313134343064
-30333033333331303164323133613536613636373333663131633162616235316636346337333462
-64306336636562353733613538343462626233303661363131333665366135306332346135323136
-31306535643539303936346632623930333339353439376462633462626165633437393830373739
-61653230646366623830353630336661623466316136373264353762313065346632366164653261
-64313830303466306135313964613537633236383535343132613332613733316161623365333163
-38633930323439303030316433343764356538313632366635653437346161646439663563323832
-38363731353734303932653662326138646239306261383232643537313365393061383663643632
-31343736373739643164623437663239616663373335643262336664326365656137643066383463
-37356666306666353339626662326135636530386462613061326631366535383034303830323237
-65316135343135383230656638363564303635363333623833373163326365393430663235623231
-35646632643735363730613462656562356139323863616266343566343861356238623564326430
-31306366366330363036616137363163663136316565313334616164346639663465666338316439
-33643732343062313536313233333039366435386235333736333937633266653761616262346566
-32636337623266656464636634643632316134376334653932363134613336346539656438633137
-31306439663834663431346133653532636664636463376337616539393239316465636537633630
-30363461343733653465666332646236386633396530333863616236383437333931643731626364
-38393337656130666237373538393430306333333033306466343866303038643234646339306233
-32336364363838636563643939626665643231636633666166653539313461393238333461383262
-62346634633236343433336531396361323238386262313565396265663162353765343037303862
-63633034363664313733633433356332333633366530643863316364653065623161663932323831
-31646530613933613735333834373532616136393662346431656363346364353031303262326134
-31343332386166646530373635343039323163323366616263346431353765303430353636373539
-36346461303730313630373637346266323331373733383465323037343633313739306233336339
-63646137643332623834343462333263356432366631663065383962373634366639656133323964
-64343035323863373139313163323562643066306139363235626532396436663137653635353035
-31396334346137626461633436343539366635356537306231353961333963616334323037346637
-33626161333264643261656661643933653835356236333831343563653938303266323730363865
-31363562383666633636343935386535306361386234346535613363613363393065363832306363
-63643238383363646137306361306265666435363739306463663637343761643831633261633531
-36626562636333336434613365316232343832646163396338613839643064653834633832376230
-33343265386162303266373033353332393931633663623734396133326232303465666432356363
-66306338616634616631363662313963386638343266383063313166353437373433623736333361
-36333163386630376262616362613530346563383637656130363365366634633135323863646363
-35323430343033323734363533326334303438663065656535666432376661613435623365316139
-30623835373535623662633131393831376231623663316331313661646531393338613532623063
-66343665356338636438646339663761336636653332646233326264373435346263386130383861
-34623265373463653165383665306334643233373066356231343666663866373739336436653933
-65623134306536333538333061303066636339376636333438623666366362666137653261376539
-31346435613134303866333065306237343162333138643339313461663934643234303132613961
-65393037396463663034636534323566366161623365666466393634373764333437383263656535
-33643461636362646135626164373335386130303766633434633062356630336463623661396639
-32646565623164363631383731666161343762393639343839373234326337643766336263353166
-62633964303733643035326535656561366139626565643938356264646239336166316534373261
-30623765623338616537353062666338376262393966373033346233383132653839323731626663
-66393938313132653538313031323538333263333361303661646633366633353534373837313935
-37323635633431623365643738623834653631323564393436326562326439666462306263653331
-66316134616432323939373366343564623264336632376132663462396362663134643236643832
-31393366653961323763333335303135383934633538636335303435636334343737306232373561
-31343139363863326536613163663862343263313630336438666132306162646130613233393935
-37336330643361323032366433313939616134366134393032613862616136393339643232356139
-35326534623263353766326132623330323639303230616263636536366263643339663838376238
-35323731303163616236306439343632353561646339663933313937363739303864336438626638
-64633139633338623431343236333534373835356365343536636261386437613538303334663739
-62396532353832323262343763353365333561643633353638313534393164366539353431396336
-36653563633237333730376331326432663561343463616135613738663130323936373136393538
-65636634363631313364326665336164653939356133333031633632373030623666373562623564
-64616365616435393231646236623333333037346363666664666233306661353337343066626136
-35666164356537323735636131383266393064373538303966353531636561623032643233346566
-61633465376631656636366662373865623764336135323865316336663731383335303330616231
-64313836373063313061626365316538653831316562333165616531643434633964333438333665
-66376634323531356538343837326636636636393639396535346264656531613733386337353966
-31363730646365313834316234626532663563613234643563366566373662616335623035393536
-61653334346336613539313732383438313132653738393339373661336531633565303635353665
-31383939643261666538356633326666363934643738636430383537636165623264616236633863
-35336134386437383539303061343261313530313366316338663539383238663966653837663331
-33386464653161376335316536633532383035363066653234626363343232393165313463343930
-63323435613932626435363235396236313365636166663238323534623038663034303365326566
-66306635373433313730343536633931643935323062643136383434643138306138363366663834
-66613964303634616139323832363633363063653237366135613964663733376161373937323462
-30313833623733336366356635323261613132393734613735393062333232313236326264323366
-32376535616334376137663636633333323665333939363366313432633436653864306532393966
-61636337356534373164653637633162613235623364396539623961353466303036383031363162
-37313364613939613939343538633665666136363135656330623332656466383139656234336133
-62366262663064623137626363613066366666313733623463623562636131323435346264653564
-31323431663339653966336230356339303534353139663739363263633564373364323937386434
-37306462653630326366316530656462316539373263366262313930356663376334343562303361
-61623161613939616666386336626537333135346136643537326635383939663863623332373033
-32643730313861636163623133323061333631333332373838636163326562633936363631653062
-37336661626336623462616562333264373330323363363630313739363962323735393332303562
-62393161323962393039346432353066646162336332663636343739343566363833333738316437
-64333337363137643931366536396333633538633830353865323765616264356335383031353534
-33376363386630303332643263383738386532373434613963613764326636333133303262393832
-35373930383662383064333465633736363063363434333662396331633032353733353334363162
-32393361643562623362333963663262363235326536396131643435306665343438333933616466
-34326634373965313638666337326633653938343561663739333464343135346437636436633034
-62333039373136656664363531373430356363363736306533386135323061316339326636643739
-38363763653331646638613963646138666165666439643065363335343132613731623264376536
-37366533636564346661343966373964353731623861633463363638356163346165643164373535
-30373564326263393436326337653631383731313139636339356433333830666265343165323330
-36616538616534626237623862636536303336343331383237333333656637303266616137336439
-61653631636632366563373034346365313337356266636338336663643538303063613036383831
-65613635336366316263336131666238386237366264396438383966313762626639643236313532
-30663235666662396231376631366139653937646132343639396430643339393165656266636235
-38356135666433323434613238356537306630643861353436323037353461326534313632386232
-63643261373263646437373535333036336634396331616330353233613564363361396437326435
-38396462643833313362633436303637323163663166653231653866643733616432323663316362
-3037356363643462356137346638313963376637643162623062

host_vars/web21

@@ -1,46 +1,27 @@
 $ANSIBLE_VAULT;1.1;AES256
-65653532333862366436303432656664373261323934306234623534633335356466623330373063
-3164363863313131303330363564326130383433646332640a373233653965653164353663633038
-63363966646361366637643261613062393736366361356235633139323537636638396264316534
-6366313732323066620a333738656661656537646632326262663862393434663435313037653564
-66303732396261373436373538396466643330633336623066313933323266386438363566343834
-38616661303931376136616532386637386130326264336430613336613836323666326261643838
-36613565323062626662313864633539323538316562346533363437373766343764346132333631
-66336135383732393939383133626662343335376531336364303662356566393034326635333066
-64333635303633306639656161623631333139653034633939303565386330383236616364353136
-62663536613565383064633235613539313933373530306164356462353861383761363931613430
-37373939616564663562376635333862646234353133663331396661626234356665633835323137
-39343462303438376131626335346637316238626462333430346539313838386662363031336636
-34366132363439653137393662653661663262346632306533376565353037616362316161333566
-30393530656566643136613039363537613035666465656530366637393664343665666534383837
-63393133336664313466636538386338653937643563633737633962626562326637356661633463
-61613231346532306265623361636330376563396266393330393166643833353165363934313533
-66333832373035376334326336616534326566666361616665633363383032393236336634303232
-36656336316635376431396233626539633839386533333436633264613761353361333565656233
-65373331306434363938393339333133336461646130666535343965646536656263623530666333
-36353664643132623465353661656466383363376261363534303462306661623564663561656664
-37633936636263623065366666666530616264396334623766613036313735353264356162613836
-35643737346530393933643537333561356465363239353630343333373038373836623231336437
-30343932363864663435656634343138353638343461623665336461326565636164643231323133
-65383664633665343365363764353566653635663137633033303731303030613565653565303433
-35373930396166646134326165653436613137383630653338613634633361623432373839376430
-38376630633363613632316530663839326538366366626230356337323536306665616661373261
-36653965623936663963353836653636306362663062636466613034333532633534646635313737
-33313962323636643132396166626566366466336238323163656332383530363833613633383165
-66366239613530613264313739396661386165343162633237303034373765643037656564653061
-63373036356134353633633532663365323932633531616261373735313737333033353532656434
-36316339303930336464393261323035626330366133626137373034396166336263333964333963
-62636432386531306133623163643461336137653331653861383139373938353162636566623566
-35616637663638313566653832343634613632663861333162333932336264613730313864663663
-38396563373339626365353766646565336335656539393738376331383038353436313963633438
-33373433613034373763643434613365303938373764306662363635626636633266643035663836
-65353632313137366231323764313036613134643830326330653763656362343561643964623361
-64336565666630626339346563663931393035363938663734616666356435326638353131383434
-65623539613662393936653161663264343132333936303661643534343536363165313564333037
-39343561656461313265393466346662343530313230386266646662633262643464366661363630
-63376463396631666366313266633964396137373661643764666537366539373337333731343933
-31613232363436643236623935326265353666313861303531633462623363373536636534623532
-66636533356363353735653839646263663631316239326164646463396532343038373861393033
-36623962396231633164356335623865326632303237643864656335326435373234366536313565
-34313638373063303434613663323136646263393036356336323532373130386536306235343165
-6462
+38663333313561616264323430323162323837623430363739623561633331656664613936666665
+6364373033623163393239663035306337383066343438310a383666313434323036643037363065
+30396333626130303633663930663965666662646233393439376661346265616565616236623366
+3930373433646231610a336233663132306263656465633034333030316362643939316465666534
+38353961393038613961353732613434663565633466303265383231343336386330333464376363
+33616330643364376332623634363766656366666239633964316439376463313063333162343963
+61356634393438313063666434626338616264613639656462626639616263366531663135393466
+66346635616439306364356133303664376134626636616131373138656562363363306633333164
+62623135343633393834393165383231316562643062343165663235313930663039623135373263
+61343336643235303962333938613230356465346436376334373438386461366231383737643137
+36343832353730366131653430633465383163396336353065306638373166386438356264616139
+65346635663338366463343932336231386235393836616238373864626235623935663661396663
+31633565356465333737303339333435383162316530396563333335613062623138333232336162
+62376363666431363931663231643561616562383230643737393261623934363633313231333137
+39383238656237343661626662366465356463396336386261326334613436396364633062646532
+61313136366636363861316166396134316562666435653437326331363563653035343138636163
+66336139636533656334643966383962383734623565323435333665666164353732663736326364
+35616264383237316330386539363065376334643432393636643464646238633034333166663665
+33313166393738626133636136346637646437306335326263393634363133663736666338313838
+64623139613037653461643563666539613237323934376534376461313833336338623032616661
+64643062663633366436383232366137373936383430306332616634636331326361383931363961
+62313236313563326438303935373837666434313435653236643135303739373763656562393537
+31653265653739346433663937343439656231663963333633373066356231623762313438393763
+36306336656566633034373834316363333233326130626639313130643935333437653934313636
+32383034346234333561333466653561323834346166633831303566376266373933356536383031
+6236303934323963336662386666653138313165366133303434

host_vars/web22

@@ -1,130 +1,141 @@
 $ANSIBLE_VAULT;1.1;AES256
-39636134663665643464643338356231376435336538643763366638376134666231653233303038
-3265393239336335396630373963343436386634613466340a643036336562653165343066386238
-34343737346139653030323439636431306632666132343135643231326230323064353665643938
-3535376333636164380a633633313630373436616130386330633234323731646634646432303963
-35393137656639613630343265393938353236333032346537383832633163613832386365663838
-33346538306634346564636337396464306533336561373033626333623239653630376530386666
-39663961633439663739303338323261326364333534623737313132343237303831383332626461
-37306531316637366137363933633838376462616264613933383465663862323730613731383032
-64616463356431363864393038313563383363343465643433316435383739316665663433333338
-31393766626663313664353535333835636537333262613462346135376438663730653463363333
-65643539326338666366356639323863643637383330373061653539666632303939336432646662
-32366166613361303730616536636133646666636663383930396638356335396665353932643764
-39643066366333363966366530643162326139653663326464366162323135373637623431643366
-62356334653931303838353633643435643935336634336534363465643935326532356636663638
-62353237373137393539396337393236663866313235346531333265373763613232336666633465
-34336566396662633731326462376439353432616430366236373536333835613266626262643761
-30633836346663666664366135336161666335316130623633346233633634633133343032613637
-38666339326539363837366331623162666437383561663137326163396637313866613336346237
-64373534386435306332633537633665386538663363393963306561666437333534316130656333
-31666635636466346461383934363837396330336561653563383463396539313038316539353064
-31363262346636613235326665333639636635623836366663623237393862623663613836633966
-62653565383837383439306466353866626538303437393634306636366133386561366363656237
-30396634366436343639356339393939376366326461613837386566366136343134396238373731
-36333966656536633961313162396365363262353761386138313633626131356231383936306335
-34366633353962363638346163323939306339343939616538313961383435636166333166346264
-32653538303036643562393632353965383366366636356266366531383731633633656231396632
-39353361393738346665326661633832333261303163626364346561383131653830323533663830
-65333638663535663038343137326132613663323364363436636662346438613864663732353130
-30633836313037356238363837376430313462363766616530636365393861383435313235326661
-63353764333365626261666439633263356665303638393032396231383434363533653430633933
-38623663363236613861613431323463626133633933643338353734393061363065343832663530
-39666132626436306136643934313239643432386436323462646132313263656563303766353366
-63316561623165623131313761393839363261373864376537353436363662313465303738336335
-36303262356666336632303866646662386233653564363864326236346334373133663234646365
-65373733363030323933326463636337326535393066313332663664353131616432326336336639
-37633335323531653864393836323962643961323531353466396263646362353238373933633634
-36616361336139373465306563383561393765666262343637643231623837666263333235353931
-33353932326161626130366438633666313562303266653631663330343034643537653862643562
-34383337376663616266333366366561346436633233383132363034323566303036383065616431
-36373465343563306166396439363731613066623236613862373532316630376561386562366134
-63306366346239343063613462393539626662666264393431363761333033656434393031623738
-33373233323564313732353137636636356463353134313861646136303135343462353366336637
-37633032623630323035383964383966343636613733353762386333663466303765373864666564
-63386430353134386138633736623062363239356265363866336635623363366535653566653661
-34366539643362346238663133646163306561363530656139373830643831363933343663323638
-63316534326131343263356330303335656664613862313439326338306635383639653737353638
-36336233633733343630373733623564363866333038643465393338346137623832626533656534
-34393631386237356561636339346364376161666236353537373061313836656164353066656262
-66613830313961643637326230353037646166393863396663653839623964613232636531663265
-65316632316363333933336230326339653231643038653532616236623463303932303435386339
-38396232616262306461323561383338653333656165396533636562643333656139323837396266
-63346339333439303133323762653136643938303138346635373131653634666365316462663139
-39323164363134343833316132343762333034383161663336313335303662336638653536313835
-62626334326266383162623765623635646333303763343736396336666237646339646438636430
-36633239326261636661346236613438316665626663393562653234386466616561383066313535
-66356437646435643865333261363538303862623066353631396165333938336234383738396434
-31346161396639623362376333373761626133633330363566303161356265396236373163313765
-39306439616336366465396332636234623966393238346564333361373666363037366566626665
-37393232363430646566303837343432326265323831356565376562646538363335323835353162
-66643330323437356533656635343666663663333335363534633532356637383362366264326262
-33383830326437336264346133393230373339306132663233653165333862633833386631643730
-63306466373463376666613762393433373232616166626133363932333434386538323433343139
-36666163343134643939613766646564386535373834333164613237656661366335353666663035
-61646339373438393066633031396633356664383363653134663437653333613565613166346130
-32376266653365366163343033343636306461653437393030363837363138393131356432613734
-64653932333565393032363138313461623939313736383535333732663462656662356635383034
-66656637663733633735336237323432386266623930373034666464616636636235656238316339
-37633737363738326466666430363063623836396232306638663032373662663261656339666165
-63336138653265366261373534623934363731343566386534376332343630313230333336323436
-65626138356265363266303534396462626462376332346232653438373235386461313739333136
-36616333616134376236666566383130396639323134623932393837643934663866653864623064
-65643132323066636137356233613938666262316130383037643563343965653335626466376239
-39313062386232653436626338643661336136633436373432633261663335313165346136643230
-35346131393034353034626137336531306361373266663836653833613865356631333032323333
-36646464383662376336353330623662636432353763323266366635666366666431666164363138
-61326135633066356338346133353837333062376430613830666332623062663437613533663362
-38633964303463316436646339336361666138393639663832373430343332633532376330376433
-63343939666266356431383963326436636432356433643461366330313964333565336264303238
-36316134373365313466393063636664393936303533306537643330323836386461323631666565
-35633365356166616634326637623634353963656337666230636235646236343935663134643532
-31353762613030323130366233313466333438626161653437386239633962653161313234323264
-34323066326131323835326263316433636137303830363336643336646138363266346265376133
-37613465663262333739323566643236373731613336613030666538616438323262323063633266
-35653637656464376564386232623739393365656366343966663233636234376132636466373031
-35346561313764623738656532653362636366623964626234386538306435373162336430333162
-63393134333238323365643761663665333931383431383065393361303435316433316431616261
-33643737303733633736373837336130383538303261613531633037646234363936613464353164
-65376631373133323863383331323734353764336236313738656435346166383261613061626134
-38636134386664353564303464373430663461303232373439383566626535626163343962306239
-37393238663066633132333938363666656531346133336565613632613365316331633964623430
-36343134366430316536336363343435633339316266353336356533313935643135613931386339
-33323137313861623962383531393831303036363930366236616562623532613462323932326635
-39653365653462386466366539373632666232333665663464376537616366653364653530303336
-37303035643931633335353735366664363461303534633637623265656331616364383362343266
-64633936663864343866646366623263323964653062383465613132663238633537356336643365
-38313435633733323233313531623764316363653261306436366134326538333739313335666464
-66646239306239346637333131373030313737393133373639363139333862656631333561613864
-66373566373539316466633961383738616335313965323234306365356261653135643264633662
-35373935336337333364316637306135393264376434636466373137326561353731383230616538
-62656635396131306266666365666135616263633938386338396164656163613864666135656533
-38356166386664313938343366323635353564363438346166653064343261376433616636353432
-37343666343634343437363837333261383466333132353461303138316264323531333161343236
-35333339386431653165363163323434336138363463653134333336306233313165393565393833
-65353963356164303931383565393732323064353733383661373434663837613862353730303037
-33336463613435343237373134363336643532336437656663616632616237353765336634656234
-62393835313234626434313535366164383165393537303864626364393534313035366461336261
-63623166363661653661643738623434363838393964316535653637346164643238313961666464
-38646231333638326461656165663464623736366636656162623533303161366263306536383434
-33626334633434303930303466373563333630633364333135623734363835663732383064653063
-62653030366635643234663338316638393933626339643864616165343966306662333836316130
-34353638383038346365386433366133343137653932643032613435376430323635616232353830
-38653731623835393066363732386562653539383834306565363664643161306136323663323436
-30356539383931303532386162303533376535623936376434346337616238343739626333616462
-31343362613331626465373635613135653339393664623136663365626437613862643465656433
-30313464303962316336333662393331303565363330376534383734653738373833303838303365
-65316339643035346165346364326334653035663061653135633834386331326161383761623439
-34353563666438356330366266353836346338393938376539613336656331616430626135333063
-31326436326164323334346366643163653131323136306630633965376362616539626638393535
-31643237636165316164316430626466303236663530316339653866363363303132383664363037
-35623962633235323762653434636563626365353734623833333830656363373161306464386234
-37356465393066636132393939383266303464313761663466333664623165373138373739393962
-34306130336332336661306565366263633161363766393836663166623763306133646635633635
-65396163333937383732353461666563393866326238623763373439343330646430643136376366
-33346363353931323434346261356334653030313932323964633538333364386137383338633437
-32333939303631333730326466343936316134393930633835313666363730646365626138346132
-39636162363531656366306566366133383761663135313064376130306436346134343336366432
-34326334646230353766373038306632643665303537623333303936396430396264663665376131
-66303930363932396464323132383230343865363937393439326333313438326231363636333762
-3132
+38353762626535363837346634333565643931386536313339336365663162656533363636383931
+3737373161623364396366323338613062386466313539640a653334643937326338386262623261
+65643635373532636439396235373964303537646334343633633531633435323037313433346636
+3866306363303338360a356166353265386130616163616662623764313536616666656237636563
+30323036353635303438363234646234656530373365396530666539393132643831653039666562
+65383962306465363862333131383263353736623264616465336139313638343462653361333239
+64363562653366396664623662376433663335313231653935626237663430303734326433333739
+62616265373732316530366331323664373637386661353664626464646264356465346466663539
+31613435366362343564313732616639376664613630316236373333653634386130663463626231
+31396631623466666364316237313363366439326231653035316437616134643035393138383364
+35313738373562353632366637663232393638396330626165323535343538633264353366663738
+30663135646162396331623837343661613333313437313434313365623664316135626239636230
+65376137303439323166346536353831653537326662356330393362666430633831323537623830
+65326164663136383339353138663936306166633662346363353063663435323266653137666630
+61353263653735626236373233313436343466653238376634623366356431333439323932343938
+33303432613063383135633261653837633961643737623462626439373335613430356532353031
+31626666663963643736323731613735376239663530373166626365666339346435323761333637
+35383464626437646665653931653932653033376464386132383038633734373138313830303466
+39313532333866303565353161636435646231313461646639316566386639323561363633636139
+37613661626162306431313266383964323434343039386533333535646565373933396565613565
+34666136633265663035306261623531333665636336303665613635333232316331643935353461
+32643735623532313363663530656630653531666335323565353063316537396334383230386462
+33333565616634356537376466373332356663376363353166656139623336396130653564333739
+39303733303939313838363331356437646632386631343466383332313037616430313566396335
+31363038373437643266656463373662653966653832613935303462303031653761336165646162
+31646631373335336435383638666562373236656231613662646161613533376237366463383630
+36393532316336303531353032303937353963306164663162386137393664353962323865616532
+63326462626130386234643639363762323863326134623063343731366433306431303763363233
+36366334386266616261616266386439623665326339653562373836306165353137353137376337
+37316363653935623736613138356333653936363866356665303737363032363564643532303234
+37656432656363336564393263353430373437303337303461613763346461646565646535366638
+34366337343033666134383966646563356533626665373337646231313431346239303635353261
+62313939383762303235373537643531623465353062303939383666323139396630346461626136
+38656632373637616532666433626564376338363239326234656561636239653536366331633234
+65366139623238336234363564616430646435666562616636303064663437663731303839313365
+38636438386162623862363865646233346336636439663833343136316165343564393339653565
+38346166346434386338303032303430303535373635336562663030336566666435623537363137
+61373161343138656365376531633830313561336632633330323035346431643837383062343537
+66663961306666333535656432393134363565656635333633363732626665656365356138623164
+65303936633666643034313636663262616661313739663135653335366261613133643630343362
+66343033363835613031626635336538303362393561313032336136306465316231366137373736
+62303335393333306132326135393562666431303631306538326433613362306131316139386361
+31383665386466653066613038633335636233396335383764336462636138333034383836386365
+38323739346630643532346161383336646165333336393961663930623531303434366265313861
+39613231373335373338656434636134663036636234393534353033613133383034343437626434
+31646339613430343265333833303231333739666266646436336161363330396264313636616461
+61396332363537636162316261363030393466356263353938343236323932306366316535366533
+38633165393339356339383939666161336461653438353632653530326639313238323761386461
+63653765313532646166306237386435663432633934343039666637323362626338313135623034
+30356438633635363738383932393861376235353962303663313963313964383530306530316363
+64656638363436326562323234303961396333323931666365656433663865616439336138656232
+66653964383034343837663936306632336562373637346132333063663263306237303461333732
+65363661623064643663623661393563353739373535373764356163666639376236313839336438
+35386265646331313663653761353864663934663261313037396135373938343265353934353361
+30343564623631316366343838656135393364353836613330393536623662383637333039383133
+37653733626662646631616563306638366263323634303636616331323964393962643061646361
+39363562396634656637626630653533396236613334343332326439656165306537326464613436
+37333632663731316165613432353339356561316431623038303365303663326666303666646363
+66656630396661353765666131393737636630366666373136313837373165303437316233656261
+38346463303964343132393162663762346163363739383733326635643264616166393264633934
+64333137373532343032303431316633613836323631613231346133366635616435366436316239
+64353633366431386664623239353735623037623364346431633733336563303430653233313637
+35353138616164643834343339653739373038633531303039333632663566323565383637646561
+31383965396365653364343761363161656432656665383963656463613637633938376234353532
+33653837613266666661613165376665626432643439363637623333336234313836373232333736
+65313232373233613763376463663161643636663162643864363962376232326462643936383131
+39366164323038376633376238363663313238336166386663616261306532633331643537376631
+31376663393036363566653061353636326565376636346466656263663266326332656461336437
+32646162313932646632663738646532663439313630393038383530653562313439336631663535
+36396265353231373435353137303164356633653938373166363663616632303764633738333439
+62626533346561333565626163643235393164353861636662636531333834623965323034363735
+33336138356663303462393864343434636364346432383665313931653062363138623261326438
+31616533643163363261386635653732343939633965363362643536626264323537656238633539
+62393935386433313366656133633532353131343237623466376632623434626362363062326531
+33346165643164363365626432333631393664316266613731663162313764386336333231396632
+36666536336333623063346166306164376138343566353063343866316432333266366337623866
+61313039663661643863663434343732313139653037373065333463383635393061323938643162
+61383064303461366162636439343438376266313931323934313563623435346634663739666565
+62333035346634303139626432313262383262633437663436323763313361633235393037343665
+62316564376464333133343134333230383765303834613233613232626131343631326433373062
+36343466396430313534336332636233623337613134333861646334326633396434353765636163
+37343638363234313030363661306337393361333332306331396164346633336130336366396430
+62306539656332313162626239303066656664383639353730633738643132386662643733393761
+62666339346130626163656237623730363066343838303036613038613763356263363365366238
+62623435303838623630333231663137393362323234383533393763623235376164626461373736
+36343761353362623433663936623433353439646463613233363732613435373564616239626564
+61313066333939326435656535333963313831316231356232346534633531613963353130333432
+37656163663230626632393939363532356366643764323330366630656334623261656334633865
+61303066333566363061626437643132353664383061383364333338666230313034373535613063
+63386237383638333263323337313336373830303865303466363965303839316162663431656538
+33376332643335366537306133613761613132643232316438623939356331656263633933613935
+65653465383434386561323462626362623566663330656439386361616562353430303938636436
+66636531343063633561363330663436383930613438323764356562383536393933646264323135
+64633764356166343965346362323466306636363633656466653934313230326435336536306230
+38353432323537393131313239373861386237313530366139313338313330326632313536353837
+63386161336335363834356437326630353031373435316462613634633039336132646134653236
+31346664353932323339366464356161333637313761666138386164313163333531626235663338
+62386333303264306363646136646463393134373939346438383465393439343337643336633039
+62316464663038326439656334373331303165346534346466663538313632633561393335333931
+65363964363335616639643462393463343437626539363838626439386164303464316666633663
+63656639626133653266306266306531646331386366343936316136363935323662336335326338
+30666130316265666631306635646565363039306138313462376662626161313134383633653834
+32376163383763306165323466306264616366343332636564636162666434333732643635336163
+61626162626331613438373464336465303739316130343965633532336531313661613961313164
+39636165316638616338653965373833333732396363393463383433383930353361636166346232
+61323935663536306533336137356566383130393564623938666231393431626136396137633066
+36633133313861353338616561373838363833353531633465363731336237663561383561326635
+62306338643965613635353536613335363934666362366466663461646135346436336164346536
+62666631303638386137356233303235613636346661303834613335616161396238663530643165
+65366364336139303766303938643038303461656335303438396565346330313665636165626432
+64326666313562646239356231663834326566313331303363343064346539626636346438313266
+65643364656164336166353435343730376266333633666230316464356439336463316464653137
+66303865613961373732323439326535373933393537656462303831333432636261613564636330
+63323361366332386331376437666234346661373233653432343733346363306130383665626437
+33313330336365633464643563643465393935653132376135663163393161616462353838336664
+35393833656135643733623765626639386561333336623930303465323963613164666531396632
+35326365386566353966383635643132316230383363393539653335633934646239316131653536
+66656161653030343462346337653434313062343663633665363838393865336536626532623132
+66643636656134353363636433636538623930396262663864343332303066333566653063336464
+32303030396137346636636164323133396364623532643332363638643761323938616530353836
+65366331633561623331393231323534343239323565333330636136383836616230343034633036
+38373530616532653166653932643665396434373465376530313663646236336238656266616261
+33396463303963646633373038336662623161643135656136326533646337316562323932613833
+65616434316239353531666131383335383733333830613934393465663138353662613063323537
+31393337343737646537666430323666366338303731623339323063393636353132636233343436
+61653862333837623666343061633531396235633565313631663937393337303764316466613130
+33653732373034613639326338353438643664653461616133646235393864386564353765313932
+36613165323465333937626165316632313334313364353463366239356630653530313761373261
+35326331313438656238646535643131656634396238363734626431633734336238616538383636
+32303331666531653331306263303534613332653535643833303062653566393632333030383263
+63393636643264656439373165383861323534333462353763343931363065393738323433323839
+33333530323434363662633939303261636465356663326565633238663333656131376130396561
+63363636613161383465323233626630613265346162386439353665393832383961616564636538
+65333635336638646436623033343831356339656638333231666439643337306636313931643466
+32393765303361323735646130613035346564356562656631373435653832663165313131336236
+31636634663466366234386262623234626161663461386661656435656133616339383633386230
+34313065396335636630333066633339646432313632373131306235333164336534363630313939
+32623062393230633732323130613338363833356533306662616637326337343330303635343532
+38396665633938313932656130303263396631343761616631616637633831666139343130313236
+62356630346264376432

host_vars/web23

@@ -1,85 +1,67 @@
 $ANSIBLE_VAULT;1.1;AES256
-34643866316432643663656661633339313239653763623430356538363761393162626338336433
-6535353761396539323630396230316637363536396631350a343338396638613636396364323762
-62306431363961393937633033373963623064333363633034623430613031383032363562663536
-3566646634303639340a366236343164666563366130636433383832656563376463333431303861
-34323164323161303762616164366632663761626665323832366166386166636130383830633065
-64646563396264303035636661663162393332613661663564316466313363656263646533633861
-30366136316131643734356431633064373062613539643937626539373536666663646331643862
-39366666386438373335396136616662346230363631326465373065333633313638303564336165
-62323164373933396166363236396461623432363931636637613235636663613432636136616664
-64643130373337353936663863356363653630633033343538623133616662386430343632303031
-61386331346561346138643735393162616135633333343135653238366533663733626361656666
-61616130313031646365613638633463353861353935623562646666393733656266643834396361
-38333363633162636561323331646262643139643135666261343364333634613138343431623637
-39383635393565656139666535386336616165623333386266383431663936313034393439626234
-30386263323630303563613334393538306430396537613436613264646664616261323336366432
-62333061333730393064666131346339623061306637633261333635336233363831353662653437
-33626333333130386161323038333465613737393835656632346436396361383761303865333339
-36613062353630316633336464336463633230633762366663396463303234343266323233326165
-30303637353163613464633930336463326535623662636638643066333733623032353564393164
-66363732393438393462353034626363636664316464356432363235366134326261326335306462
-61623330656538633364373561336436353362303638356539393031336531396139343539353936
-66323332336235393162376436346330386537336239636434346565386565373365343462323164
-63373462313861653561313762363338623664333233316632303562393736346665626530643061
-65353337623230643136616262623430323235346439626364376362653337303735646663326535
-63393937366232623663623165323965303563323137383462623339396163353433343836383666
-39633065373839646235326130633635316237366631333765343333613564333461326465356134
-37663735393537333532363062633161313437623831356332663765613936383338343634386239
-37303137623138396261663230303530343132346665386363346230663836656634316364373064
-61666262363638376162393339636138353634633630333435383437313433316564663963323532
-30383835336565346337613464343561343832653263663465393133343566333864633766613531
-39653238633237373736663635306563323631346331353362343031303636366439356362306138
-64656166653232633239633037373330343139636261646238613662613364656632643334343233
-31633438386433633736663564613230393662316534336132333636326137353831373335396666
-63636530633037643339326466386638323733363732323939323862326432303231393435616630
-63303461616338386230303933636161306238613861326633636331376464643531333939303735
-38653165303832313739363136616266363837613337306230336433643237326232356333343963
-62316139393661323965313066636530393433613438633430373864343438623631666564386639
-34656461643530636537383264313266653465333764623166383838373366323662653939613439
-38386339393164363863373838303839353532346238643163616635363064343435393933303234
-64306431623738656434333766343263653865393935626466353433386463623739393130386332
-32623762353665393863383762643035313266643863363062626332316439616639616333623730
-35373662316131393836333936656438316334363364323339343236376634323365386461373061
-38363335353965646563646231653434623531336465333231396530623365306137643931633238
-32663937616366393237623861323337623963353964313233353433643733313730666239373031
-62316338623734303839616639303539643439613062656438633563653337626364316535373661
-32313337366465656533653766356436623638316534623666346666646364633436656330663666
-38636439333834313639316663326630356531613432353837616465353763623335623464363734
-34366335656366323634636465353563633532616334636665396439326438656462386336326265
-32393131636362633230366330633564376165313830616134393931613566383433646632363536
-39636563313662656439613565353663613962653730313666636263373065613230313965336130
-30346637323565333139643332336239646636643037316436373134663232373738363564613633
-64396330316332616631346339323466376162336539656433353666643438323365663665623661
-33656162643163323161373931353963303934643532343561643838336236386139316334636161
-38316239356165373036306464313066623432383037613134633364373762313639366330306333
-66643139336436643535353466393830363136386431373962656165633465326135616430316634
-39333966373361613433333631353334343765643435353466626536636437333739353036346635
-64346235336132393030666531343761366562396233386236356332343963363438373535633065
-64643730333465316439363735396566636338303236623438393566316533613333396561353930
-66633631303336346333306332663639643138656636373266353061623234386339313266376564
-37376130336230366630396335343330663162396237366131306237663232316361633939333365
-36366234663735393664353934303930616566336133313664313538326136343363323530343865
-63663633383338323363353061393366353064346232623464333863666334616636333662323265
-35653761323965376364343362643734646439373237333632373736353436326133376663346132
-38373530333137323038653534623761353265313336303538376565626363626535663635313235
-35663765376334366661383764663066383232323431623262626662623138323431383863363736
-66366462303838656234373263653835373666623934633865353533316537363431646661636433
-30383862626636613636323639313063323632323731613134303863356166613137363538333466
-65666635666563616464616538343639363331336233663038616332663032616364393761343036
-61373636623331636136313038333661613339623763663132306131663665663237363730646339
-36363766376437643930663363333635666366343431376439613961353039663938303834316433
-34326235386164373130643533373566653061366636623565303361666234616530346561386239
-37346337336137663366353632323434343263636435313034646639376430633133626466343737
-61656334656639393239633361316635646665633532323461663432633135353264383666666438
-33306336343732643234623430653538613064653635363765303166303061316636393736663561
-66393935663835633437326265656239353730626262333038616633326138623261343864613161
-35333233613163666461323339663063646361646563653531356337373663343166613965366232
-65313839633730386436633962373434643636396264646431653639343361363335633633383062
-34356232366132346537313838663730323336613661376331636363353464316266633336383639
-30373564333265653839666161643366313163356161356237383133636130333330316430613632
-34376338383561613635323030613731636637653961646632363838316665313934646130663361
-65633232396539646337333061326234316534333866383830343632306331663631343864313236
-65613932643938313161353331613634656230303863653037343434373862353462336134646637
-32616266353730336663613865316164626364303262663461363436323133653663636665323134
-30306431336637663130
+64326662336532386161646564656439396461666266656463393335663130323930326139386562
+3639653630336132663666646161363938386334323064320a663564613066313533353433333434
+30346561616465646163646534356339666639333862623637613435376361323032636439633930
+3731313063363337380a373961353530383764623830363935626231333734303364313565626633
+37343037633862633632613165323136373662396438613663636433346566653064653632313338
+36396333393334336434326630646164333531306432386133353664336535343363343939393464
+34626335626436353239366138323863656336636536383733363931633933636331643263653566
+30613931616462373336393337363430353962613665353936383533326364353365623333316664
+62383439396131303831326562323264336638623461643361663763356236373464346464316237
+65393232343733643338653734326562626166366562303037613862396564636662363066356664
+32656363616637303039373732396533643432343961666365313963383131643464333765643737
+32386165666131626365313938633530346361383734323334613464353862393931323836626563
+62656531346532646530306463653364326362613162323536643836643839663933343132613435
+63303234646335306632316166626266313635303566396363333464363631353834373761353837
+65643461623135363139646564336430353461336433633765303138313730613630346465326666
+61393133636262653836333664623333656164663361353130623863653863323131326136373238
+33376333316433653337373834666136363130373261333330643439313734343036636364306532
+63343662383539633235356162656366323965383331343139616361653466633865626337326562
+63643761613536613334333065643533323066393764633931633066353064393966646161376361
+37623939386636346161346164303832303534323038626335336665653634386132343031303861
+61323765306366333936303765636436633465356539316631343562363535663932333666363035
+30386233623265636464393662386464333430396337626230306438396563303437363938303061
+32653939383136376365343934613339383563303935623664633639326137353437363261393637
+66613331643530623862636665396536613730306537373666623135663837393466343261646461
+62376162613861643633656334303132353034333834626664666237393534386439313638393933
+35643663613432323432646466386434363335353234643264643463613334356462313766643030
+30336364396235663230356235303264323339643761333036333537633862343862386130626533
+36626536396663393031303533313238616133323239356634303830353439363133353839663266
+36306539636563633734623162356230383232306138393831393336626336383966643335376564
+36303730313936633361643736613736303163363536313038316432323039643362636538333037
+65613663333032623035656665393565366363396134363832363163656532363537373435623233
+36373961333237373264326634353363356537356538343663613034396132396366626330303365
+62353461616434343938386237373365633861333733613631633234623034366364363761613636
+34393532316466323264363363653335366639613731326131393335313039646538626665356333
+62663435633539643237326631636563363833633130363535653336333538366137306235663730
+36633934636536633865376262356239303966646638626638386536366662386432343466366161
+36646436636538643366623864326630396565373462393132343834626638313437316137353564
+34646138616438323065336266366434316135613938643131353034646230396632386433366365
+38616436346232363563336439613939313464323861616530633962316634363462373530613665
+63653636646565303664326631363535373037663734663965346430363831613431613365393832
+62373030336262643430313635626261613232656236333130396537633238623265363932333966
+34326135363762396564613064323135313663613565646461376162306532643433333336666532
+65383661303137613335653336663666653463623565386137326662653839633536326135633764
+33623437333931393737363061356235336232376437643131373531356566323336306138353561
+66333863313461613930383231663162616261616639323238646439656166666261626533636161
+38333362393033316266633364313739366262636530363937386137616234326638303137613433
+65313962653566333364383732386165396136303666383439303064326463346563663434646364
+62396130646632653039383661613638303162363538376236666338623865366639663138363636
+36373766386234383465316635323931356233366262386135363238366538623135623361386436
+64653533646233653463656334633566373433303365353965663732636566663332343337626337
+34623861373562386264346430333133343631653631376366373735626664363965666561306262
+35666235653235346233636361383566616533646662333662323139313865383264633734643263
+63656431393834633935613430643839613433326431666665323136376562333737383862313261
+65656431336439303563373833343965323965346439636131633366633431393032613963666539
+38326539343132326334316233323362633835356265333031663066643535363639623031336362
+64346230383638363763323462386261666266623134393139303264343234623132323437396630
+66363738376133393731616535653230303262313937373333353932303038626166346366303163
+66613831353731373165636532363165356561383137626437333563616561386666623234313438
+37333435306530323235393164383138346131653235633536383636316161316238313064636261
+33353963333430383236303038333939316637326130396430623964633338353863613534653663
+30333839393230626261663966616230303330636335323565663938343562666663303536636332
+34336665323764663163653161373166313631393534326532613538313637313136356336313433
+34353036653738343433613763383137336562373332333062326134626638633938336364376131
+61303435333163663636653135363162303663663266393438656430306532343438386436343735
+31343231653263373532386263653263386435363633396638396164323539306233303562303862
+3339306136613431636138333266633739323666633431363039

misc-plays/change_password.yml

@@ -13,13 +13,13 @@
 
 - hosts: all
   user: provisioning
-  become: yes
+  become: true
   vars_files:
     - "../vars/{{ ansible_distribution }}.yml"
 
   tasks:
     - name: Set password, shell, homedir for provisioning user
       when: provisioning_user is defined
-      user: name={{ provisioning_user.name }} password={{ provisioning_user.password }} shell={{ provisioning_user.shell }} state={{ provisioning_user.state }} createhome=no
+      user: name={{ provisioning_user.name }} password={{ provisioning_user.password }} shell={{ provisioning_user.shell }} state={{ provisioning_user.state }} createhome=false
 
 # vim: set sw=2 ts=2:

nomads.yml

@@ -2,7 +2,7 @@
 # file: nomads.yml
 
 - hosts: nomads
-  become: yes
+  become: true
   roles:
     - common
     - munin

roles/caddy/defaults/main.yml

@@ -0,0 +1,11 @@
+---
+# file: roles/caddy/defaults/main.yml
+
+# parent directory of vhost document roots
+caddy_root_prefix: "{{ web_root_prefix }}"
+
+# Email address to use for the ACME account managing the site's certificates.
+# Not sure what Caddy does if this doesn't exist.
+caddy_email: foo@example.com
+
+# vim: set ts=2 sw=2:

roles/caddy/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+# file: roles/caddy/handlers/main.yml
+
+# I'm currently not sure when we need to restart versus reload
+- name: reload caddy
+  ansible.builtin.systemd_service:
+    name: caddy
+    state: reloaded
+
+# vim: set sw=2 ts=2:

roles/caddy/tasks/main.yml

@@ -0,0 +1,82 @@
+---
+# file: roles/caddy/tasks/main.yml
+#
+# Configure Caddy.
+
+- name: Check Caddy package signing key
+  ansible.builtin.stat:
+    path: /etc/apt/keyrings/caddy-stable-archive-keyring.key
+  register: caddy_signing_key_stat
+  tags:
+    - packages
+    - caddy
+
+# See: https://caddyserver.com/docs/install#debian-ubuntu-raspbian
+- name: Download Caddy package signing key
+  ansible.builtin.get_url:
+    url: https://dl.cloudsmith.io/public/caddy/stable/gpg.key
+    dest: /etc/apt/keyrings/caddy-stable-archive-keyring.key
+    owner: root
+    group: root
+    mode: "0644"
+  register: download_caddy_signing_key
+  when: not caddy_signing_key_stat.stat.exists
+  tags:
+    - packages
+    - caddy
+
+- name: Add Caddy stable repo
+  ansible.builtin.apt_repository:
+    repo: deb [signed-by=/etc/apt/keyrings/caddy-stable-archive-keyring.key] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main
+    filename: caddy-stable
+    state: present
+  register: add_caddy_apt_repository
+  tags:
+    - packages
+    - caddy
+
+- name: Update apt cache
+  ansible.builtin.apt: # noqa no-handler
+    update_cache: true
+  when: (download_caddy_signing_key.status_code is defined and download_caddy_signing_key.status_code == 200) or add_caddy_apt_repository is changed
+  tags:
+    - packages
+    - caddy
+
+- name: Install Caddy
+  ansible.builtin.apt:
+    name: caddy
+    state: present
+    install_recommends: false
+    cache_valid_time: 3600
+  tags:
+    - caddy
+    - packages
+
+- name: Create Caddyfile
+  ansible.builtin.template:
+    src: etc/caddy/Caddyfile.j2
+    dest: /etc/caddy/Caddyfile
+    mode: "0755"
+    owner: root
+    group: root
+  notify:
+    - reload caddy
+  tags: caddy
+
+- name: Create Caddy conf.d directory
+  ansible.builtin.file:
+    path: /etc/caddy/conf.d
+    state: directory
+    mode: "0755"
+    owner: root
+    group: root
+  tags: caddy
+
+# TODO: the variable is still named nginx_vhosts
+- name: Configure Caddy virtual hosts
+  ansible.builtin.include_tasks: vhosts.yml
+  when: nginx_vhosts is defined
+  tags: caddy
+
+# vim: set sw=2 ts=2:

roles/caddy/tasks/vhosts.yml

@@ -0,0 +1,14 @@
+---
+- name: Configure vhosts
+  ansible.builtin.template:
+    src: etc/caddy/conf.d/vhost.j2
+    dest: /etc/caddy/conf.d/{{ item.domain_name }}
+    mode: "0644"
+    owner: root
+    group: root
+  loop: "{{ nginx_vhosts }}"
+  notify:
+    - reload caddy
+  tags: caddy
+
+# vim: set ts=2 sw=2:

roles/caddy/templates/etc/caddy/Caddyfile.j2

@@ -0,0 +1,29 @@
+# Global options
+{
+    email {{ caddy_email }}
+}
+
+# Common security response headers
+(security-headers) {
+    header {
+        # disable Google FLoC tracking
+        Permissions-Policy interest-cohort=()
+
+        # enable HSTS
+        Strict-Transport-Security max-age=31536000
+
+        # disable clients from sniffing the media type
+        X-Content-Type-Options nosniff
+
+        # clickjacking protection: refuse to allow rendering this page
+        # in a frame, iframe, etc.
+        X-Frame-Options DENY
+
+        # keep referrer data off of HTTP connections
+        Referrer-Policy no-referrer-when-downgrade
+    }
+}
+
+# Import additional caddy config files in /etc/caddy/conf.d/
+# Note: these are imported in lexical sort order!
+import /etc/caddy/conf.d/*

roles/caddy/templates/etc/caddy/conf.d/vhost.j2

@@ -0,0 +1,46 @@
+{{ ansible_managed | comment }}
+
+{# helper variables and per-site defaults that we can't set in role defaults #}
+{% set domain_name    = item.domain_name %}
+{% set domain_aliases = item.domain_aliases | default("") %}
+{# assume optional features are off unless a vhost explicitly sets them #}
+{% set has_wordpress  = item.has_wordpress | default(false) %}
+{% set needs_php      = item.needs_php | default(false) %}
+{% set has_gitea      = item.has_gitea | default(false) %}
+{% set static_site    = item.static_site | default(false) %}
+{# Allow sites to override the document root #}
+{% if item.document_root is defined %}
+{%   set document_root = item.document_root %}
+{% else %}
+{%   set document_root = (caddy_root_prefix, domain_name) | ansible.builtin.path_join %}
+{% endif %}
+
+{% if domain_aliases %}
+{#   domain_aliases is a string, so we split on space #}
+{%   for domain in domain_aliases | split (' ') %}
+{{ domain }} {
+    redir https://{{domain_name}}{uri}
+}
+{%   endfor %}
+{% endif %}
+
+{{ domain_name }} {
+    {% if has_gitea %}
+    reverse_proxy :3000
+    {% elif static_site -%}
+    root * {{ document_root }}
+
+    encode
+
+    file_server
+    {% elif has_wordpress -%}
+    root * {{ document_root }}
+    encode
+    {%   if ansible_distribution_major_version is version('12', '==') -%}
+    php_fastcgi unix//run/php/php8.2-fpm-{{ domain_name }}.sock
+    {%   endif -%}
+    file_server
+    {% endif -%}
+
+    import security-headers
+}

roles/common/defaults/main.yml

@@ -8,6 +8,10 @@ fail2ban_maxretry: 6
 fail2ban_findtime: 3600
 # 2 weeks in seconds
 fail2ban_bantime: 1209600
-fail2ban_ignoreip: 127.0.0.1/8 172.26.0.0/16 192.168.5.0/24
+fail2ban_ignoreip: 127.0.0.0/8
+
+# Disable SSH passwords. Must use SSH keys. This is OK because we add the keys
+# before re-configuring the SSH daemon to disable passwords.
+ssh_password_authentication: disabled
 
 # vim: set ts=2 sw=2:

roles/common/files/abuseipdb-ipv6.nft

@@ -1,5 +0,0 @@
-#!/usr/sbin/nft -f
-
-define ABUSEIPDB_IPV6 = {
-fd21:3523:74e0:7301::
-}

roles/common/files/abusers-ipv6.xml

@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<ipset type="hash:ip">
-  <option name="family" value="inet6" />
-  <short>abusers-ipv6</short>
-  <description>A list of abusive IPv6 addresses.</description>
-</ipset>

roles/common/files/aggregate-cidr-addresses.pl

@@ -1,89 +0,0 @@
-#!/usr/bin/perl
-#
-# aggregate-cidr-addresses - combine a list of CIDR address blocks
-# Copyright (C) 2001,2007 Mark Suter <suter@zwitterion.org>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see L<http://www.gnu.org/licenses/>.
-#
-# [MJS 22 Oct 2001] Aggregate CIDR addresses
-# [MJS  9 Oct 2007] Overlap idea from Anthony Ledesma at theplanet dot com.
-# [MJS 16 Feb 2012] Prompted to clarify license by Alexander Talos-Zens - at at univie dot ac dot at
-# [MJS 21 Feb 2012] IPv6 fixes by Alexander Talos-Zens
-# [MJS 21 Feb 2012] Split ranges into prefixes (fixes a 10+ year old bug)
-
-use strict;
-use warnings;
-use English qw( -no_match_vars );
-use Net::IP;
-
-## Read in all the IP addresses
-my @addrs = map { Net::IP->new($_) or die "$PROGRAM_NAME: Not an IP: \"$_\"."; }
-    map { / \A \s* (.+?) \s* \Z /msix and $1; } <>;
-
-## Split any ranges into prefixes
-@addrs = map {
-    defined $_->prefixlen ? $_ : map { Net::IP->new($_) }
-        $_->find_prefixes
-} @addrs;
-
-## Sort the IP addresses
-@addrs = sort { $a->version <=> $b->version or $a->bincomp( 'lt', $b ) ? -1 : $a->bincomp( 'gt', $b ) ? 1 : 0 } @addrs;
-
-## Handle overlaps
-my $count   = 0;
-my $current = $addrs[0];
-foreach my $next ( @addrs[ 1 .. $#addrs ] ) {
-    my $r = $current->overlaps($next);
-    if ( $current->version != $next->version or $r == $IP_NO_OVERLAP ) {
-        $current = $next;
-        $count++;
-    }
-    elsif ( $r == $IP_A_IN_B_OVERLAP ) {
-        $current = $next;
-        splice @addrs, $count, 1;
-    }
-    elsif ( $r == $IP_B_IN_A_OVERLAP or $r == $IP_IDENTICAL ) {
-        splice @addrs, $count + 1, 1;
-    }
-    else {
-        die "$PROGRAM_NAME: internal error - overlaps() returned an unexpected value!\n";
-    }
-}
-
-## Keep aggregating until we don't change anything
-my $change = 1;
-while ($change) {
-    $change = 0;
-    my @new_addrs = ();
-    $current = $addrs[0];
-    foreach my $next ( @addrs[ 1 .. $#addrs ] ) {
-        if ( my $total = $current->aggregate($next) ) {
-            $current = $total;
-            $change  = 1;
-        }
-        else {
-            push @new_addrs, $current;
-            $current = $next;
-        }
-    }
-    push @new_addrs, $current;
-    @addrs = @new_addrs;
-}
-
-## Print out the IP addresses
-foreach (@addrs) {
-    print $_->prefix(), "\n";
-}
-
-# $Id: aggregate-cidr-addresses,v 1.9 2012/02/21 10:14:22 suter Exp suter $

roles/common/files/etc/cron-apt/3-download

@@ -1,2 +0,0 @@
-autoclean -y
-upgrade -y -o APT::Get::Show-Upgraded=true

roles/common/files/etc/cron-apt/config

@@ -1,5 +0,0 @@
-# Configuration for cron-apt. For further information about the possible
-# configuration settings see the README file.
-
-MAILON="never"
-OPTIONS="-o quiet=1 -o Dir::Etc::SourceList=/etc/apt/security.sources.list -o Dir::Etc::SourceParts=\"/dev/null\""

roles/common/files/etc/sudoers.d/provisioning

@@ -1 +0,0 @@
-provisioning   ALL=(ALL)  ALL

roles/common/files/firehol_level1-ipv4.nft

@@ -1,5 +1,5 @@
 #!/usr/sbin/nft -f
 
-define SPAMHAUS_IPV4 = {
+define FIREHOL_LEVEL1_IPV4 = {
 192.168.254.254/32
 }

roles/common/files/spamhaus-ipv4.xml

@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<ipset type="hash:net">
-  <option name="family" value="inet" />
-  <short>spamhaus-ipv4</short>
-  <description>Spamhaus DROP and EDROP lists placeholder (IPv4).</description>
-</ipset>

roles/common/files/spamhaus-ipv6.nft

@@ -1,5 +0,0 @@
-#!/usr/sbin/nft -f
-
-define SPAMHAUS_IPV6 = {
-fd21:3523:74e0:7301::/64
-}

roles/common/files/spamhaus-ipv6.xml

@@ -1,6 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<ipset type="hash:net">
-  <option name="family" value="inet6" />
-  <short>spamhaus-ipv6</short>
-  <description>Spamhaus DROP list placeholder (IPv6).</description>
-</ipset>

roles/common/files/ssh-pub-keys/aorth-thinkpad2-ed25519.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHmRO6E0G4Ls3TifVfJ+mQjlfWiBZNJfsSXGhwQ/HA1M aorth@balozi

roles/common/files/update-abusech-nftables.service

@@ -1,27 +0,0 @@
-[Unit]
-Description=Update Abuse.ch SSL Blacklist IPs
-# This service will fail if nftables is not running so we use Requires to make
-# sure that nftables is started.
-Requires=nftables.service
-# Make sure the network is up and nftables is started
-After=network-online.target nftables.service
-Wants=network-online.target update-abusech-nftables.timer
-
-[Service]
-# https://www.ctrl.blog/entry/systemd-service-hardening.html
-# Doesn't need access to /home or /root
-ProtectHome=true
-# Possibly only works on Ubuntu 18.04+
-ProtectKernelTunables=true
-ProtectSystem=full
-# Newer systemd can use ReadWritePaths to list files, but this works everywhere
-ReadWriteDirectories=/etc/nftables
-PrivateTmp=true
-WorkingDirectory=/var/tmp
-
-SyslogIdentifier=update-abusech-nftables
-ExecStart=/usr/bin/flock -x update-abusech-nftables.lck \
-          /usr/local/bin/update-abusech-nftables.sh
-
-[Install]
-WantedBy=multi-user.target

roles/common/files/update-abusech-nftables.sh

@@ -1,63 +0,0 @@
-#!/usr/bin/env bash
-#
-# update-abuseipdb-nftables.sh v0.0.1
-#
-# Download IP addresses seen using a blacklisted SSL certificate and load them
-# into nftables sets. As of 2021-07-28 these appear to only be IPv4.
-# 
-# See: https://sslbl.abuse.ch/blacklist
-#
-# Copyright (C) 2021 Alan Orth
-#
-# SPDX-License-Identifier: GPL-3.0-only
-
-# Exit on first error
-set -o errexit
-
-abusech_ipv4_set_path=/etc/nftables/abusech-ipv4.nft
-abusech_list_temp=$(mktemp)
-
-echo "Downloading Abuse.sh SSL Blacklist IPs"
-
-abusech_response=$(curl -s -G -w "%{http_code}\n" https://sslbl.abuse.ch/blacklist/sslipblacklist.txt --output "$abusech_list_temp")
-
-if [[ $abusech_response -ne 200 ]]; then
-	echo "Abuse.ch responded: HTTP $abusech_response"
-
-	exit 1
-fi
-
-if [[ -f "$abusech_list_temp" ]]; then
-    echo "Processing IPv4 list"
-
-    abusech_ipv4_list_temp=$(mktemp)
-    abusech_ipv4_set_temp=$(mktemp)
-
-    # Remove comments, DOS carriage returns, and IPv6 addresses (even though
-    # Abuse.ch seems to only have IPv4 addresses, let's not break our shit on
-    # that assumption some time down the line).
-    sed -e '/#/d' -e 's/
-//' -e '/:/d' "$abusech_list_temp" > "$abusech_ipv4_list_temp"
-
-    echo "Building abusech-ipv4 set"
-    cat << NFT_HEAD > "$abusech_ipv4_set_temp"
-#!/usr/sbin/nft -f
-
-define ABUSECH_IPV4 = {
-NFT_HEAD
-
-    while read -r network; do
-        # nftables doesn't mind if the last element in the set has a trailing
-        # comma so we don't need to do anything special here.
-        echo "$network," >> "$abusech_ipv4_set_temp"
-    done < $abusech_ipv4_list_temp
-
-    echo "}" >> "$abusech_ipv4_set_temp"
-
-    install -m 0600 "$abusech_ipv4_set_temp" "$abusech_ipv4_set_path"
-
-    rm -f "$abusech_list_temp" "$abusech_ipv4_list_temp" "$abusech_ipv4_set_temp"
-fi
-
-echo "Reloading nftables"
-# The abusech nftables sets are included by nftables.conf

roles/common/files/update-abusech-nftables.timer

@@ -1,12 +0,0 @@
-[Unit]
-Description=Update Abuse.ch SSL Blacklist IPs
-
-[Timer]
-# Once a day at midnight
-OnCalendar=*-*-* 00:00:00
-# Add a random delay of 0–3600 seconds
-RandomizedDelaySec=3600
-Persistent=true
-
-[Install]
-WantedBy=timers.target

roles/common/files/update-firehol-nftables.service

@@ -0,0 +1,24 @@
+[Unit]
+Description=Update FireHOL lists
+# Make sure the network is up
+After=network-online.target
+Wants=network-online.target update-firehol-nftables.timer
+
+[Service]
+# https://www.ctrl.blog/entry/systemd-service-hardening.html
+# Doesn't need access to /home or /root
+ProtectHome=true
+# Possibly only works on Ubuntu 18.04+
+ProtectKernelTunables=true
+ProtectSystem=full
+# Newer systemd can use ReadWritePaths to list files, but this works everywhere
+ReadWriteDirectories=/etc/nftables
+PrivateTmp=true
+WorkingDirectory=/var/tmp
+
+SyslogIdentifier=update-firehol-nftables
+ExecStart=/usr/bin/flock -x update-firehol-nftables.lck \
+          /usr/local/bin/update-firehol-nftables.sh
+
+[Install]
+WantedBy=multi-user.target

roles/common/files/update-firehol-nftables.timer

@@ -1,5 +1,5 @@
 [Unit]
-Description=Update Spamhaus lists
+Description=Update FireHOL lists
 
 [Timer]
 # Once a day at midnight

roles/common/files/update-spamhaus-lists.service

@@ -1,27 +0,0 @@
-[Unit]
-Description=Update Spamhaus lists
-# This service will fail if firewalld is not running so we use Requires to make
-# sure that firewalld is started.
-Requires=firewalld.service
-# Make sure the network is up and firewalld is started
-After=network-online.target firewalld.service
-Wants=network-online.target update-spamhaus-lists.timer
-
-[Service]
-# https://www.ctrl.blog/entry/systemd-service-hardening.html
-# Doesn't need access to /home or /root
-ProtectHome=true
-# Possibly only works on Ubuntu 18.04+
-ProtectKernelTunables=true
-ProtectSystem=full
-# Newer systemd can use ReadWritePaths to list files, but this works everywhere
-ReadWriteDirectories=/etc/firewalld/ipsets
-PrivateTmp=true
-WorkingDirectory=/var/tmp
-
-SyslogIdentifier=update-spamhaus-lists
-ExecStart=/usr/bin/flock -x update-spamhaus-lists.lck \
-          /usr/local/bin/update-spamhaus-lists.sh
-
-[Install]
-WantedBy=multi-user.target

roles/common/files/update-spamhaus-lists.sh

@@ -1,107 +0,0 @@
-#!/usr/bin/env bash
-#
-# update-spamhaus-lists.sh v0.0.5
-#
-# Download Spamhaus DROP lists and load them into firewalld ipsets. Should work
-# with both the iptables and nftables backends.
-# 
-# See: https://www.spamhaus.org/drop/
-#
-# Copyright (C) 2021 Alan Orth
-#
-# SPDX-License-Identifier: GPL-3.0-only
-
-# Exit on first error
-set -o errexit
-
-firewalld_ipsets=$(firewall-cmd --get-ipsets)
-xml_temp=$(mktemp)
-spamhaus_ipv4_ipset_path=/etc/firewalld/ipsets/spamhaus-ipv4.xml
-spamhaus_ipv6_ipset_path=/etc/firewalld/ipsets/spamhaus-ipv6.xml
-
-function download() {
-    echo "Downloading $1"
-    wget -q -O - "https://www.spamhaus.org/drop/$1" > "$1"
-}
-
-download drop.txt
-download edrop.txt
-download dropv6.txt
-
-if [[ -f "drop.txt" && -f "edrop.txt" ]]; then
-    echo "Processing IPv4 DROP lists"
-
-    # Extract all networks from drop.txt and edrop.txt, skipping blank lines and
-    # comments.
-    networks=$(cat drop.txt edrop.txt | sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//')
-
-    # If firewalld already has this ipset we should delete it first to emulate
-    # `ipset flush` (but I don't want to use that because newer hosts might be
-    # using nftables and firewalld will handle that for us).
-    if [[ "$firewalld_ipsets" =~ spamhaus-ipv4 ]]; then
-        echo "Deleting existing spamhaus-ipv4 ipset"
-        # This deletes the firewalld ipset XML file as well as the ipset itself
-        firewall-cmd --permanent --delete-ipset=spamhaus-ipv4
-    else
-        echo "Creating placeholder spamhaus-ipv4 ipset"
-        # Create a placeholder ipset so firewalld doesn't complain when we try
-        # to reload the ipset later after having added a new XML definition. I
-        # don't know why, but depending on the system state there may not be a
-        # ipset defined and firewalld errors on INVALID_IPSET.
-        firewall-cmd --permanent --new-ipset=spamhaus-ipv4 --type=hash:net --option=family=inet
-    fi
-
-    # I'm not proud of this, but writing the XML directly is WAY faster than
-    # using firewall-cmd to add each entry one by one (and we can't add from
-    # a file because many of our hosts are using old firewalld).
-    cat << XML_HEAD > "$xml_temp"
-<?xml version="1.0" encoding="utf-8"?>
-<ipset type="hash:net">
-  <option name="family" value="inet" />
-  <short>spamhaus-ipv4</short>
-  <description>Spamhaus DROP and EDROP lists (IPv4).</description>
-XML_HEAD
-
-    for network in $networks; do
-		echo "    <entry>$network</entry>" >> "$xml_temp"
-    done
-
-    echo "</ipset>" >> "$xml_temp"
-
-    install -m 0600 "$xml_temp" "$spamhaus_ipv4_ipset_path"
-fi
-
-if [[ -f "dropv6.txt" ]]; then
-    echo "Processing IPv6 DROP list"
-
-    networks=$(sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' dropv6.txt)
-
-    if [[ "$firewalld_ipsets" =~ spamhaus-ipv6 ]]; then
-        echo "Deleting existing spamhaus-ipv6 ipset"
-        firewall-cmd --permanent --delete-ipset=spamhaus-ipv6
-    else
-        echo "Creating placeholder spamhaus-ipv6 ipset"
-        firewall-cmd --permanent --new-ipset=spamhaus-ipv6 --type=hash:net --option=family=inet6
-    fi
-
-    cat << XML_HEAD > "$xml_temp"
-<?xml version="1.0" encoding="utf-8"?>
-<ipset type="hash:net">
-  <option name="family" value="inet6" />
-  <short>spamhaus-ipv6</short>
-  <description>Spamhaus DROP lists (IPv6).</description>
-XML_HEAD
-
-    for network in $networks; do
-		echo "    <entry>$network</entry>" >> "$xml_temp"
-    done
-
-    echo "</ipset>" >> "$xml_temp"
-
-    install -m 0600 "$xml_temp" "$spamhaus_ipv6_ipset_path"
-fi
-
-echo "Reloading firewalld"
-firewall-cmd --reload
-
-rm -v drop.txt edrop.txt dropv6.txt "$xml_temp"

roles/common/files/update-spamhaus-nftables.service

@@ -1,27 +0,0 @@
-[Unit]
-Description=Update Spamhaus lists
-# This service will fail if nftables is not running so we use Requires to make
-# sure that nftables is started.
-Requires=nftables.service
-# Make sure the network is up and nftables is started
-After=network-online.target nftables.service
-Wants=network-online.target update-spamhaus-nftables.timer
-
-[Service]
-# https://www.ctrl.blog/entry/systemd-service-hardening.html
-# Doesn't need access to /home or /root
-ProtectHome=true
-# Possibly only works on Ubuntu 18.04+
-ProtectKernelTunables=true
-ProtectSystem=full
-# Newer systemd can use ReadWritePaths to list files, but this works everywhere
-ReadWriteDirectories=/etc/nftables
-PrivateTmp=true
-WorkingDirectory=/var/tmp
-
-SyslogIdentifier=update-spamhaus-nftables
-ExecStart=/usr/bin/flock -x update-spamhaus-nftables.lck \
-          /usr/local/bin/update-spamhaus-nftables.sh
-
-[Install]
-WantedBy=multi-user.target

roles/common/files/update-spamhaus-nftables.sh

@@ -1,91 +0,0 @@
-#!/usr/bin/env bash
-#
-# update-spamhaus-nftables.sh v0.0.1
-#
-# Download Spamhaus DROP lists and load them into nftables sets.
-# 
-# See: https://www.spamhaus.org/drop/
-#
-# Copyright (C) 2021 Alan Orth
-#
-# SPDX-License-Identifier: GPL-3.0-only
-
-# Exit on first error
-set -o errexit
-
-spamhaus_ipv4_set_path=/etc/nftables/spamhaus-ipv4.nft
-spamhaus_ipv6_set_path=/etc/nftables/spamhaus-ipv6.nft
-
-function download() {
-    echo "Downloading $1"
-    wget -q -O - "https://www.spamhaus.org/drop/$1" > "$1"
-}
-
-download drop.txt
-download edrop.txt
-download dropv6.txt
-
-if [[ -f "drop.txt" && -f "edrop.txt" ]]; then
-    echo "Processing IPv4 DROP lists"
-
-    spamhaus_ipv4_list_temp=$(mktemp)
-    spamhaus_ipv4_set_temp=$(mktemp)
-
-    # Extract all networks from drop.txt and edrop.txt, skipping blank lines and
-    # comments. Use aggregate-cidr-addresses.pl to merge overlapping IPv4 CIDR
-    # ranges to work around a firewalld bug.
-    #
-    # See: https://bugzilla.redhat.com/show_bug.cgi?id=1836571
-    cat drop.txt edrop.txt | sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' | aggregate-cidr-addresses.pl > "$spamhaus_ipv4_list_temp"
-
-    echo "Building spamhaus-ipv4 set"
-    cat << NFT_HEAD > "$spamhaus_ipv4_set_temp"
-#!/usr/sbin/nft -f
-
-define SPAMHAUS_IPV4 = {
-NFT_HEAD
-
-    while read -r network; do
-        # nftables doesn't mind if the last element in the set has a trailing
-        # comma so we don't need to do anything special here.
-        echo "$network," >> "$spamhaus_ipv4_set_temp"
-    done < $spamhaus_ipv4_list_temp
-
-    echo "}" >> "$spamhaus_ipv4_set_temp"
-
-    install -m 0600 "$spamhaus_ipv4_set_temp" "$spamhaus_ipv4_set_path"
-
-    rm -f "$spamhaus_ipv4_list_temp" "$spamhaus_ipv4_set_temp"
-fi
-
-if [[ -f "dropv6.txt" ]]; then
-    echo "Processing IPv6 DROP lists"
-
-    spamhaus_ipv6_list_temp=$(mktemp)
-    spamhaus_ipv6_set_temp=$(mktemp)
-
-    sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' dropv6.txt > "$spamhaus_ipv6_list_temp"
-
-    echo "Building spamhaus-ipv6 set"
-    cat << NFT_HEAD > "$spamhaus_ipv6_set_temp"
-#!/usr/sbin/nft -f
-
-define SPAMHAUS_IPV6 = {
-NFT_HEAD
-
-    while read -r network; do
-        echo "$network," >> "$spamhaus_ipv6_set_temp"
-    done < $spamhaus_ipv6_list_temp
-
-    echo "}" >> "$spamhaus_ipv6_set_temp"
-
-    install -m 0600 "$spamhaus_ipv6_set_temp" "$spamhaus_ipv6_set_path"
-
-    rm -f "$spamhaus_ipv6_list_temp" "$spamhaus_ipv6_set_temp"
-fi
-
-echo "Reloading nftables"
-# The spamhaus nftables sets are included by nftables.conf
-/usr/sbin/nft -f /etc/nftables.conf
-
-rm -v drop.txt edrop.txt dropv6.txt

roles/common/files/update-spamhaus-nftables.timer

@@ -1,12 +0,0 @@
-[Unit]
-Description=Update Spamhaus lists
-
-[Timer]
-# Once a day at midnight
-OnCalendar=*-*-* 00:00:00
-# Add a random delay of 0–3600 seconds
-RandomizedDelaySec=3600
-Persistent=true
-
-[Install]
-WantedBy=timers.target

roles/common/handlers/main.yml

@@ -1,23 +1,27 @@
 ---
 # ansible.builtin.file: roles/common/handlers/main.yml
 
-- name: reload sshd
-  ansible.builtin.systemd: name={{ sshd_service_name }} state=reloaded
+- name: Reload sshd
+  ansible.builtin.systemd_service:
+    name: "{{ sshd_service_name }}"
+    state: reloaded
 
-- name: reload sysctl
-  command: sysctl -p /etc/sysctl.conf
+- name: Reload sysctl
+  ansible.builtin.command: sysctl -p /etc/sysctl.conf
 
-- name: restart firewalld
-  ansible.builtin.systemd: name=firewalld state=restarted
+- name: Reload systemd
+  ansible.builtin.systemd_service:
+    daemon_reload: true
 
-- name: reload systemd
-  ansible.builtin.systemd: daemon_reload=yes
-
-- name: restart nftables
-  ansible.builtin.systemd: name=nftables state=restarted
+- name: Restart nftables
+  ansible.builtin.systemd_service:
+    name: nftables
+    state: restarted
 
 # 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed
 # in the order they are defined, not in the order they are listed in the task's
 # notify statement and we must restart fail2ban after updating the firewall.
-- name: restart fail2ban
-  ansible.builtin.systemd: name=fail2ban state=restarted
+- name: Restart fail2ban
+  ansible.builtin.systemd_service:
+    name: fail2ban
+    state: restarted

roles/common/tasks/cron-apt.yml

@@ -1,12 +1,17 @@
 ---
+- name: Remove cron-apt
+  ansible.builtin.apt:
+    name: cron-apt
+    state: absent
+    cache_valid_time: 3600
 
-- name: Configure cron-apt (config)
-  ansible.builtin.copy: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode }} owner={{ item.owner }} group={{ item.group }}
+- name: Remove cron-apt configs
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
   loop:
-    - { src: 'etc/cron-apt/config', dest: '/etc/cron-apt/config', mode: '0644', owner: 'root', group: 'root' }
-    - { src: 'etc/cron-apt/3-download', dest: '/etc/cron-apt/action.d/3-download', mode: '0644', owner: 'root', group: 'root' }
-
-- name: Configure cron-apt (security)
-  ansible.builtin.template: src=security.sources.list.j2 dest=/etc/apt/security.sources.list mode=0644 owner=root group=root
+    - /etc/cron-apt/config
+    - /etc/cron-apt/action.d/3-download
+    - /etc/apt/security.sources.list
 
 # vim: set ts=2 sw=2:

roles/common/tasks/fail2ban.yml

@@ -1,25 +1,55 @@
 ---
+- name: Install fail2ban
+  when: ansible_distribution_version is version('11', '>=')
+  ansible.builtin.apt:
+    name:
+      - fail2ban
+      - python3-systemd
+    state: present
+    cache_valid_time: 3600
 
 - name: Configure fail2ban sshd filter
-  ansible.builtin.template: src=etc/fail2ban/jail.d/sshd.local.j2 dest=/etc/fail2ban/jail.d/sshd.local owner=root mode=0644
-  notify: restart fail2ban
+  ansible.builtin.template:
+    src: etc/fail2ban/jail.d/sshd.local.j2
+    dest: /etc/fail2ban/jail.d/sshd.local
+    owner: root
+    mode: "0644"
+  notify: Restart fail2ban
 
 - name: Configure fail2ban nginx filter
-  when: "extra_fail2ban_filters is defined and 'nginx' in extra_fail2ban_filters"
-  ansible.builtin.template: src=etc/fail2ban/jail.d/nginx.local.j2 dest=/etc/fail2ban/jail.d/nginx.local owner=root mode=0644
-  notify: restart fail2ban
+  when:
+    - webserver is defined and webserver == 'nginx'
+    - extra_fail2ban_filters is defined
+    - "'nginx' in extra_fail2ban_filters"
+  ansible.builtin.template:
+    src: etc/fail2ban/jail.d/nginx.local.j2
+    dest: /etc/fail2ban/jail.d/nginx.local
+    owner: root
+    mode: "0644"
+  notify: Restart fail2ban
 
 - name: Create fail2ban service override directory
-  ansible.builtin.file: path=/etc/systemd/system/fail2ban.service.d state=directory owner=root mode=0755
+  ansible.builtin.file:
+    path: /etc/systemd/system/fail2ban.service.d
+    state: directory
+    owner: root
+    mode: "0755"
 
 # See Arch Linux's example: https://wiki.archlinux.org/index.php/Fail2ban
 - name: Configure fail2ban service override
-  ansible.builtin.template: src=etc/systemd/system/fail2ban.service.d/override.conf.j2 dest=/etc/systemd/system/fail2ban.service.d/override.conf owner=root mode=0644
+  ansible.builtin.template:
+    src: etc/systemd/system/fail2ban.service.d/override.conf.j2
+    dest: /etc/systemd/system/fail2ban.service.d/override.conf
+    owner: root
+    mode: "0644"
   notify:
-    - reload systemd
-    - restart fail2ban
+    - Reload systemd
+    - Restart fail2ban
 
 - name: Start and enable fail2ban service
-  ansible.builtin.systemd: name=fail2ban state=started enabled=yes
+  ansible.builtin.systemd_service:
+    name: fail2ban
+    state: started
+    enabled: true
 
 # vim: set sw=2 ts=2:

roles/common/tasks/firewall.yml

@@ -0,0 +1,25 @@
+---
+# Debian 11+ will use nftables directly, with no firewalld.
+
+- name: Install Debian firewall packages
+  when: ansible_distribution_version is version('11', '>=')
+  ansible.builtin.apt:
+    name: nftables
+    state: present
+    cache_valid_time: 3600
+
+- name: Remove iptables on newer Debian
+  when: ansible_distribution_version is version('11', '>=')
+  ansible.builtin.apt:
+    pkg: iptables
+    state: absent
+
+- name: Configure nftables
+  when: ansible_distribution_version is version('11', '>=')
+  ansible.builtin.include_tasks: nftables.yml
+
+- name: Configure fail2ban
+  when: ansible_distribution_version is version('9', '>=')
+  ansible.builtin.include_tasks: fail2ban.yml
+
+# vim: set sw=2 ts=2:

roles/common/tasks/firewall_Debian.yml

@@ -1,160 +0,0 @@
----
-# Debian 10 will use firewalld with the iptables backend.
-# Debian 11 will use nftables directly, with no firewalld.
-
-- block:
-  - name: Set Debian firewall packages
-    when: ansible_distribution_major_version is version('10', '<=')
-    ansible.builtin.set_fact:
-      debian_firewall_packages:
-        - firewalld
-        - tidy
-        - fail2ban
-        - python3-systemd # for fail2ban systemd backend
-
-  - name: Set Debian firewall packages
-    when: ansible_distribution_major_version is version('11', '>=')
-    ansible.builtin.set_fact:
-      debian_firewall_packages:
-        - fail2ban
-        - libnet-ip-perl # for aggregate-cidr-addresses.pl
-        - nftables
-        - python3-systemd
-        - curl # for nftables update scripts
-
-  - name: Install firewall packages
-    ansible.builtin.apt: pkg={{ debian_firewall_packages }} state=present cache_valid_time=3600
-
-  - name: Remove iptables on newer Debian
-    when: ansible_distribution_major_version is version('11', '>=')
-    ansible.builtin.apt: pkg=iptables state=absent
-
-  - name: Copy nftables.conf
-    when: ansible_distribution_major_version is version('11', '>=')
-    ansible.builtin.template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
-    notify:
-      - restart nftables
-      - restart fail2ban
-
-  - name: Create /etc/nftables extra config directory
-    when: ansible_distribution_major_version is version('11', '>=')
-    ansible.builtin.file: path=/etc/nftables state=directory owner=root mode=0755
-
-  - name: Copy extra nftables configuration files
-    when: ansible_distribution_major_version is version('11', '>=')
-    ansible.builtin.copy: src={{ item.src }} dest=/etc/nftables/{{ item.src }} owner=root group=root mode=0644 force={{ item.force }}
-    loop:
-      - { src: "spamhaus-ipv4.nft", force: "no" }
-      - { src: "spamhaus-ipv6.nft", force: "no" }
-      - { src: "abusech-ipv4.nft", force: "no" }
-      - { src: "abuseipdb-ipv4.nft", force: "yes" }
-      - { src: "abuseipdb-ipv6.nft", force: "yes" }
-    notify:
-      - restart nftables
-      - restart fail2ban
-
-  - name: Use iptables backend in firewalld
-    when: ansible_distribution_major_version is version('10', '==')
-    ansible.builtin.lineinfile:
-      dest: /etc/firewalld/firewalld.conf
-      regexp: '^FirewallBackend=nftables$'
-      line: 'FirewallBackend=iptables'
-    notify:
-      - restart firewalld
-      - restart fail2ban
-
-# firewalld seems to have an issue with iptables 1.8.2 when using the nftables
-# backend. Using individual calls seems to work around it.
-# See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931722
-  - name: Use individual iptables calls
-    when: ansible_distribution_major_version is version('10', '==')
-    ansible.builtin.lineinfile:
-      dest: /etc/firewalld/firewalld.conf
-      regexp: '^IndividualCalls=no$'
-      line: 'IndividualCalls=yes'
-    notify:
-      - restart firewalld
-      - restart fail2ban
-
-  - name: Copy firewalld public zone file
-    when: ansible_distribution_major_version is version('10', '<=')
-    ansible.builtin.template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600
-
-  - name: Format public.xml firewalld zone file
-    when: ansible_distribution_major_version is version('10', '<=')
-    command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
-    notify:
-      - restart firewalld
-      - restart fail2ban
-
-  - name: Copy firewalld ipsets of abusive IPs
-    when: ansible_distribution_major_version is version('10', '<=')
-    ansible.builtin.copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
-    loop:
-      - abusers-ipv4.xml
-      - abusers-ipv6.xml
-      - spamhaus-ipv4.xml
-      - spamhaus-ipv6.xml
-    notify:
-      - restart firewalld
-      - restart fail2ban
-
-  - name: Copy Spamhaus firewalld update script
-    when: ansible_distribution_version is version('10', '<=')
-    ansible.builtin.copy: src=update-spamhaus-lists.sh dest=/usr/local/bin/update-spamhaus-lists.sh mode=0755 owner=root group=root
-
-  - name: Copy Spamhaus firewalld systemd units
-    when: ansible_distribution_version is version('10', '<=')
-    ansible.builtin.copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
-    loop:
-        - update-spamhaus-lists.service
-        - update-spamhaus-lists.timer
-    register: spamhaus_firewalld_systemd_units
-
-  - name: Copy Spamhaus nftables update scripts
-    when: ansible_distribution_version is version('11', '>=')
-    ansible.builtin.copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=0755 owner=root group=root
-    loop:
-      - update-spamhaus-nftables.sh
-      - aggregate-cidr-addresses.pl
-      - update-abusech-nftables.sh
-
-  - name: Copy nftables systemd units
-    when: ansible_distribution_version is version('11', '>=')
-    ansible.builtin.copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
-    loop:
-        - update-spamhaus-nftables.service
-        - update-spamhaus-nftables.timer
-        - update-abusech-nftables.service
-        - update-abusech-nftables.timer
-    register: nftables_systemd_units
-
-  # need to reload to pick up service/timer/environment changes
-  - name: Reload systemd daemon
-    ansible.builtin.systemd: daemon_reload=yes
-    when: spamhaus_firewalld_systemd_units is changed or
-          nftables_systemd_units is changed
-
-  - name: Start and enable Spamhaus firewalld update timer
-    when: ansible_distribution_version is version('10', '<=')
-    ansible.builtin.systemd: name=update-spamhaus-lists.timer state=started enabled=yes
-    notify:
-      - restart firewalld
-      - restart fail2ban
-
-  - name: Start and enable nftables update timers
-    when: ansible_distribution_version is version('11', '>=')
-    ansible.builtin.systemd: name={{ item }} state=started enabled=yes
-    loop:
-      - update-spamhaus-nftables.timer
-      - update-abusech-nftables.timer
-
-  - name: Start and enable nftables
-    when: ansible_distribution_major_version is version('11', '>=')
-    ansible.builtin.systemd: name=nftables state=started enabled=yes
-
-  - ansible.builtin.include_tasks: fail2ban.yml
-    when: ansible_distribution_major_version is version('9', '>=')
-  tags: firewall
-
-# vim: set sw=2 ts=2:

roles/common/tasks/firewall_Ubuntu.yml

@@ -1,138 +0,0 @@
----
-# Ubuntu 20.04 will use nftables directly, with no firewalld.
-# Ubuntu 18.04 will use firewalld with the nftables backend.
-# Ubuntu 16.04 will use firewalld with the iptables backend.
-
-- block:
-  - name: Set Ubuntu firewall packages
-    when: ansible_distribution_version is version('20.04', '<')
-    ansible.builtin.set_fact:
-      ubuntu_firewall_packages:
-        - firewalld
-        - tidy
-        - fail2ban
-        - python3-systemd # for fail2ban systemd backend
-
-  - name: Set Ubuntu firewall packages
-    when: ansible_distribution_version is version('20.04', '>=')
-    ansible.builtin.set_fact:
-      ubuntu_firewall_packages:
-        - fail2ban
-        - libnet-ip-perl # for aggregate-cidr-addresses.pl
-        - nftables
-        - python3-systemd
-        - curl # for nftables update scripts
-
-  - name: Install firewall packages
-    ansible.builtin.apt: pkg={{ ubuntu_firewall_packages }} state=present cache_valid_time=3600
-
-  - name: Remove ufw
-    when: ansible_distribution_version is version('16.04', '>=')
-    ansible.builtin.apt: pkg=ufw state=absent
-
-  - name: Copy nftables.conf
-    when: ansible_distribution_version is version('20.04', '>=')
-    ansible.builtin.template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
-    notify:
-      - restart nftables
-      - restart fail2ban
-
-  - name: Create /etc/nftables extra config directory
-    when: ansible_distribution_version is version('20.04', '>=')
-    ansible.builtin.file: path=/etc/nftables state=directory owner=root mode=0755
-
-  - name: Copy extra nftables configuration files
-    when: ansible_distribution_version is version('20.04', '>=')
-    ansible.builtin.copy: src={{ item.src }} dest=/etc/nftables/{{ item.src }} owner=root group=root mode=0644 force={{ item.force }}
-    loop:
-      - { src: "spamhaus-ipv4.nft", force: "no" }
-      - { src: "spamhaus-ipv6.nft", force: "no" }
-      - { src: "abusech-ipv4.nft", force: "no" }
-      - { src: "abuseipdb-ipv4.nft", force: "yes" }
-      - { src: "abuseipdb-ipv6.nft", force: "yes" }
-    notify:
-      - restart nftables
-      - restart fail2ban
-
-  - name: Copy firewalld public zone file
-    when: ansible_distribution_version is version('18.04', '<=')
-    ansible.builtin.template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600
-
-  - name: Format public.xml firewalld zone file
-    when: ansible_distribution_version is version('18.04', '<=')
-    command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
-    notify:
-      - restart firewalld
-      - restart fail2ban
-
-  - name: Copy firewalld ipsets of abusive IPs
-    when: ansible_distribution_version is version('18.04', '<=')
-    ansible.builtin.copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
-    loop:
-      - abusers-ipv4.xml
-      - abusers-ipv6.xml
-      - spamhaus-ipv4.xml
-      - spamhaus-ipv6.xml
-    notify:
-      - restart firewalld
-      - restart fail2ban
-
-  - name: Copy Spamhaus firewalld update script
-    when: ansible_distribution_version is version('18.04', '<=')
-    ansible.builtin.copy: src=update-spamhaus-lists.sh dest=/usr/local/bin/update-spamhaus-lists.sh mode=0755 owner=root group=root
-
-  - name: Copy Spamhaus firewalld systemd units
-    when: ansible_distribution_version is version('18.04', '<=')
-    ansible.builtin.copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
-    loop:
-        - update-spamhaus-lists.service
-        - update-spamhaus-lists.timer
-    register: spamhaus_firewalld_systemd_units
-
-  - name: Copy nftables update scripts
-    when: ansible_distribution_version is version('20.04', '>=')
-    ansible.builtin.copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=0755 owner=root group=root
-    loop:
-      - update-spamhaus-nftables.sh
-      - aggregate-cidr-addresses.pl
-      - update-abusech-nftables.sh
-
-  - name: Copy nftables systemd units
-    when: ansible_distribution_version is version('20.04', '>=')
-    ansible.builtin.copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
-    loop:
-        - update-spamhaus-nftables.service
-        - update-spamhaus-nftables.timer
-        - update-abusech-nftables.service
-        - update-abusech-nftables.timer
-    register: nftables_systemd_units
-
-  # need to reload to pick up service/timer/environment changes
-  - name: Reload systemd daemon
-    ansible.builtin.systemd: daemon_reload=yes
-    when: spamhaus_firewalld_systemd_units is changed or
-          nftables_systemd_units is changed
-
-  - name: Start and enable Spamhaus firewalld update timer
-    when: ansible_distribution_version is version('18.04', '<=')
-    ansible.builtin.systemd: name=update-spamhaus-lists.timer state=started enabled=yes
-    notify:
-      - restart firewalld
-      - restart fail2ban
-
-  - name: Start and enable nftables update timers
-    when: ansible_distribution_version is version('20.04', '>=')
-    ansible.builtin.systemd: name={{ item }} state=started enabled=yes
-    loop:
-      - update-spamhaus-nftables.timer
-      - update-abusech-nftables.timer
-
-  - name: Start and enable nftables
-    when: ansible_distribution_version is version('20.04', '>=')
-    ansible.builtin.systemd: name=nftables state=started enabled=yes
-
-  - ansible.builtin.include_tasks: fail2ban.yml
-    when: ansible_distribution_version is version('16.04', '>=')
-  tags: firewall
-
-# vim: set sw=2 ts=2:

roles/common/tasks/main.yml

@@ -1,6 +1,6 @@
 ---
 - name: Import OS-specific variables
-  ansible.builtin.include_vars: "vars/{{ ansible_distribution }}.yml"
+  ansible.builtin.include_vars: vars/{{ ansible_distribution }}.yml
   tags: always
 
 - name: Configure network time
@@ -8,23 +8,11 @@
   tags: ntp
 
 - name: Install common packages
-  ansible.builtin.include_tasks: packages_Debian.yml
-  when: ansible_distribution == 'Debian'
-  tags: packages
-
-- name: Install common packages
-  ansible.builtin.include_tasks: packages_Ubuntu.yml
-  when: ansible_distribution == 'Ubuntu'
+  ansible.builtin.include_tasks: packages.yml
   tags: packages
 
 - name: Configure firewall
-  ansible.builtin.include_tasks: firewall_Debian.yml
-  when: ansible_distribution == 'Debian'
-  tags: firewall
-
-- name: Configure firewall
-  ansible.builtin.include_tasks: firewall_Ubuntu.yml
-  when: ansible_distribution == 'Ubuntu'
+  ansible.builtin.import_tasks: firewall.yml
   tags: firewall
 
 - name: Configure secure shell daemon
@@ -34,17 +22,23 @@
 # containers identify as virtualization hosts, which makes this tricky, because we have actual Debian VM hosts!
 - name: Reconfigure /etc/sysctl.conf
   when: ansible_virtualization_role != 'host'
-  ansible.builtin.template: src=sysctl_{{ ansible_distribution }}.j2 dest=/etc/sysctl.conf owner=root group=root mode=0644
+  ansible.builtin.template:
+    src: "sysctl_{{ ansible_distribution }}.j2"
+    dest: /etc/sysctl.conf
+    owner: root
+    group: root
+    mode: "0644"
   notify:
-    - reload sysctl
+    - Reload sysctl
   tags: sysctl
 
-- name: Reconfigure /etc/rc.local
-  when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('19.04', '<=')
-  ansible.builtin.template: src=rc.local_Ubuntu.j2 dest=/etc/rc.local owner=root group=root mode=0755
-
 - name: Set I/O scheduler
-  ansible.builtin.template: src=etc/udev/rules.d/60-scheduler.rules.j2 dest=/etc/udev/rules.d/60-scheduler.rules owner=root group=root mode=0644
+  ansible.builtin.template:
+    src: etc/udev/rules.d/60-scheduler.rules.j2
+    dest: /etc/udev/rules.d/60-scheduler.rules
+    owner: root
+    group: root
+    mode: "0644"
   tags: udev
 
 - name: Copy admin SSH keys

roles/common/tasks/nftables.yml

@@ -0,0 +1,96 @@
+---
+# Common nftables tasks for Debian 11 and Debian 12.
+
+- name: Copy nftables.conf
+  ansible.builtin.template:
+    src: nftables.conf.j2
+    dest: /etc/nftables.conf
+    owner: root
+    mode: "0644"
+  notify:
+    - Restart nftables
+    - Restart fail2ban
+
+- name: Create /etc/nftables extra config directory
+  ansible.builtin.file:
+    path: /etc/nftables
+    state: directory
+    owner: root
+    mode: "0755"
+
+- name: Copy extra nftables configuration files
+  ansible.builtin.copy:
+    src: "{{ item.src }}"
+    dest: /etc/nftables/{{ item.src }}
+    owner: root
+    group: root
+    mode: "0644"
+    force: "{{ item.force }}"
+  loop:
+    - { src: firehol_level1-ipv4.nft, force: false }
+  notify:
+    - Restart nftables
+    - Restart fail2ban
+
+- name: Copy nftables update scripts
+  ansible.builtin.template:
+    src: update-firehol-nftables.sh.j2
+    dest: /usr/local/bin/update-firehol-nftables.sh
+    mode: "0755"
+    owner: root
+    group: root
+
+- name: Remove deprecated data and scripts
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - /etc/nftables/spamhaus-ipv4.nft
+    - /etc/nftables/spamhaus-ipv6.nft
+    - /etc/nftables/abuseipdb-ipv4.nft
+    - /etc/nftables/abuseipdb-ipv6.nft
+    - /etc/nftables/abusech-ipv4.nft
+    - /usr/local/bin/update-abusech-nftables.sh
+    - /usr/local/bin/update-spamhaus-nftables.sh
+    - /etc/systemd/system/update-abusech-nftables.service
+    - /etc/systemd/system/update-abusech-nftables.timer
+    - /etc/systemd/system/update-spamhaus-nftables.service
+    - /etc/systemd/system/update-spamhaus-nftables.timer
+    - /usr/local/bin/aggregate-cidr-addresses.pl
+  notify:
+    - Restart nftables
+    - Restart fail2ban
+
+- name: Copy nftables systemd units
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: /etc/systemd/system/{{ item }}
+    mode: "0644"
+    owner: root
+    group: root
+  loop:
+    - update-firehol-nftables.service
+    - update-firehol-nftables.timer
+  register: nftables_systemd_units
+
+# need to reload to pick up service/timer/environment changes
+- name: Reload systemd daemon
+  when: nftables_systemd_units is changed
+  ansible.builtin.systemd_service: # noqa no-handler
+    daemon_reload: true
+
+- name: Start and enable nftables update timers
+  ansible.builtin.systemd_service:
+    name: "{{ item }}"
+    state: started
+    enabled: true
+  loop:
+    - update-firehol-nftables.timer
+
+- name: Start and enable nftables
+  ansible.builtin.systemd_service:
+    name: nftables
+    state: started
+    enabled: true
+
+# vim: set sw=2 ts=2:

roles/common/tasks/ntp.yml

@@ -1,27 +1,40 @@
 ---
-# Hosts running Ubuntu 16.04+ and Debian 9+ use systemd init system and should
-# use systemd-timesyncd as a network time client instead of the standalone ntp
-# client.
+# Hosts running Debian 9+ use systemd init system and can use systemd-timesyncd
+# as a network time client instead of the standalone ntp client.
 
 - name: Set timezone
-  when: timezone is defined and ansible_service_mgr == 'systemd'
-  command: /usr/bin/timedatectl set-timezone {{ timezone }}
+  when:
+    - timezone is defined
+    - ansible_service_mgr == 'systemd'
+  community.general.timezone:
+    name: "{{ timezone }}"
   tags: timezone
 
 # Apparently some cloud images don't have this installed by default. From what
 # I can see on existing servers, systemd-timesyncd is a standalone package on
-# Ubuntu 20.04 and Debian 11.
+# Debian 11 and Debian 12.
 - name: Install systemd-timesyncd
-  when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or
-        (ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '=='))
-  ansible.builtin.apt: name=systemd-timesyncd state=present cache_valid_time=3600
+  when: ansible_distribution_version is version('11', '>=')
+  ansible.builtin.apt:
+    name: systemd-timesyncd
+    state: present
+    cache_valid_time: 3600
 
 - name: Start and enable systemd's NTP client
   when: ansible_service_mgr == 'systemd'
-  ansible.builtin.systemd: name=systemd-timesyncd state=started enabled=yes
+  ansible.builtin.systemd_service:
+    name: systemd-timesyncd
+    state: started
+    enabled: true
 
-- name: Uninstall ntp on modern Ubuntu/Debian
-  ansible.builtin.apt: name=ntp state=absent
-  when: ansible_service_mgr == 'systemd'
+# On Debian 12 ntp doesn't conflict with systemd-timesyncd so we should try to
+# remove it to be sure.
+- name: Uninstall ntp on Debian 12
+  when:
+    - ansible_service_mgr == 'systemd'
+    - ansible_distribution_major_version is version('12', '==')
+  ansible.builtin.apt:
+    name: ntp
+    state: absent
 
 # vim: set ts=2 sw=2:

roles/common/tasks/packages.yml

@@ -1,10 +1,23 @@
 ---
-
 - name: Configure Debian packages
+  tags: packages
   block:
+    # Scaleway seems to use a weird sources.list format as of Debian 12?
+    - name: Check for weird Debian sources
+      ansible.builtin.stat:
+        path: /etc/apt/sources.list.d/debian.sources
+      register: weird_debian_sources_stat
+
     - name: Configure apt mirror
-      ansible.builtin.template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
-      when: ansible_architecture != 'armv7l'
+      when:
+        - ansible_architecture != 'armv7l'
+        - not weird_debian_sources_stat
+      ansible.builtin.template:
+        src: sources.list.j2
+        dest: /etc/apt/sources.list
+        owner: root
+        group: root
+        mode: "0644"
 
     - name: Set fact for base packages
       ansible.builtin.set_fact:
@@ -15,7 +28,6 @@
           - iotop
           - htop
           - strace
-          - cron-apt
           - safe-rm
           - debian-goodies
           - mosh
@@ -27,16 +39,19 @@
           - zstd
           - rsync
           - lsof
+          - unattended-upgrades
 
     - name: Install base packages
-      ansible.builtin.apt: name={{ base_packages }} state=present cache_valid_time=3600
+      ansible.builtin.apt:
+        name: "{{ base_packages }}"
+        state: present
+        cache_valid_time: 3600
 
-    - name: Configure cron-apt
-      ansible.builtin.import_tasks: cron-apt.yml
+    - name: Remove cron-apt
       tags: cron-apt
+      ansible.builtin.import_tasks: cron-apt.yml
 
     - name: Install tarsnap
       ansible.builtin.import_tasks: tarsnap.yml
-  tags: packages
 
 # vim: set sw=2 ts=2:

roles/common/tasks/packages_Ubuntu.yml

@@ -1,109 +0,0 @@
----
-
-- name: Configure Ubuntu packages
-  block:
-    - name: Configure apt mirror
-      ansible.builtin.template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
-      when: ansible_architecture != 'armv7l'
-
-    - name: Upgrade base OS
-      ansible.builtin.apt: upgrade=dist cache_valid_time=3600
-
-    - name: Set Ubuntu base packages
-      ansible.builtin.set_fact:
-        ubuntu_base_packages:
-        - git
-        - git-lfs
-        - tmux
-        - iotop
-        - htop
-        - strace
-        - cron-apt
-        - safe-rm
-        - debian-goodies
-        - mosh
-        - python-pycurl # for ansible's apt_repository
-        - vim
-        - unzip
-        - apt-transport-https # for https support in apt
-        - zstd
-        - rsync
-        - lsof
-
-    - name: Install base packages
-      ansible.builtin.apt: pkg={{ ubuntu_base_packages }} state=present cache_valid_time=3600
-
-    # We have to remove snaps one by one in a specific order because some depend
-    # on others. Only after that can we remove the corresponding system packages.
-    - name: Remove lxd snap
-      community.general.snap: name=lxd state=absent
-      when: ansible_distribution_version is version('20.04', '==')
-      ignore_errors: yes
-
-    - name: Remove core18 snap
-      community.general.snap: name=core18 state=absent
-      when: ansible_distribution_version is version('20.04', '==')
-      ignore_errors: yes
-
-    - name: Remove snapd snap
-      community.general.snap: name=snapd state=absent
-      when: ansible_distribution_version is version('20.04', '==')
-      ignore_errors: yes
-
-    - name: Set fact for packages to remove (Ubuntu <= 18.04)
-      ansible.builtin.set_fact:
-        ubuntu_annoying_packages:
-          - whoopsie # security (CIS 4.1)
-          - apport   # security (CIS 4.1)
-          - command-not-found # annoying
-          - command-not-found-data # annoying
-          - python3-commandnotfound # annoying
-          - snapd # annoying (Ubuntu >= 16.04)
-          - lxd # annoying (Ubuntu >= 16.04)
-          - lxd-client # annoying (Ubuntu >= 16.04)
-          - liblxc1 # annoying (Ubuntu >= 16.04)
-          - lxc-common # annoying (Ubuntu >= 16.04)
-          - lxcfs #annoying (Ubuntu >= 16.04)
-      when: ansible_distribution_version is version('18.04', '<=')
-
-    - name: Set fact for packages to remove (Ubuntu 20.04)
-      ansible.builtin.set_fact:
-        ubuntu_annoying_packages:
-          - whoopsie # security (CIS 4.1)
-          - apport   # security (CIS 4.1)
-          - command-not-found # annoying
-          - command-not-found-data # annoying
-          - python3-commandnotfound # annoying
-          - snapd # annoying (Ubuntu >= 16.04)
-          - lxd-agent-loader # annoying (Ubuntu 20.04)
-      when: ansible_distribution_version is version('20.04', '==')
-
-    - name: Remove packages
-      ansible.builtin.apt: name={{ ubuntu_annoying_packages }} state=absent purge=yes
-
-    - name: Disable annoying Canonical spam in MOTD
-      ansible.builtin.file: path={{ item }} mode=0644 state=absent
-      loop:
-        - /etc/update-motd.d/99-esm # Ubuntu 14.04
-        - /etc/update-motd.d/10-help-text # Ubuntu 14.04+
-        - /etc/update-motd.d/50-motd-news # Ubuntu 18.04+
-        - /etc/update-motd.d/80-esm # Ubuntu 18.04+
-        - /etc/update-motd.d/80-livepatch # Ubuntu 18.04+
-      ignore_errors: yes
-
-    - name: Disable annoying Canonical spam in MOTD
-      ansible.builtin.systemd: name={{ item }} state=stopped enabled=no
-      when: ansible_service_mgr == 'systemd'
-      loop:
-        - motd-news.service
-        - motd-news.timer
-
-    - name: Configure cron-apt
-      ansible.builtin.import_tasks: cron-apt.yml
-      tags: cron-apt
-
-    - name: Install tarsnap
-      ansible.builtin.import_tasks: tarsnap.yml
-  tags: packages
-
-# vim: set sw=2 ts=2:

roles/common/tasks/ssh-keys.yml

@@ -1,9 +1,11 @@
 ---
 - name: Zero .ssh/authorized_keys for provisioning user
-  ansible.builtin.file: dest={{ provisioning_user.home }}/.ssh/authorized_keys state=absent
+  ansible.builtin.file:
+    dest: "{{ provisioning_user.home }}/.ssh/authorized_keys"
+    state: absent
 
 - name: Add public keys to authorized_keys
-  ansible.posix.authorized_key: { user: '{{ provisioning_user.name }}', key: "{{ lookup('file',item) }}" }
+  ansible.posix.authorized_key: { user: "{{ provisioning_user.name }}", key: "{{ lookup('file', item) }}" }
   with_fileglob:
     # use descriptive names for keys, like: aorth-mzito-rsa.pub
     - ssh-pub-keys/*.pub

roles/common/tasks/sshd.yml

@@ -1,17 +1,26 @@
 ---
-
-# SSH configs don't change in Debian minor versions
+# Only override the system sshd configuration on older Debian.
 - name: Reconfigure /etc/ssh/sshd_config
-  ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
-  when: ansible_distribution == 'Debian'
-  notify: reload sshd
+  when: ansible_distribution_version is version('12', '<=')
+  ansible.builtin.template:
+    src: "sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2"
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: "0600"
+  notify: Reload sshd
 
-# Ubuntu is the only distro we have where SSH version is very different from 14.04 -> 14.10,
-# ie with new ciphers supported etc.
-- name: Reconfigure /etc/ssh/sshd_config
-  ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
-  when: ansible_distribution == 'Ubuntu'
-  notify: reload sshd
+# Newer OpenSSH versions support including extra configuration. The includes
+# happen at the beginning of the file and the first value to be read is used.
+- name: Configure sshd_config.d overrides
+  when: ansible_distribution_version is version('13', '>=')
+  ansible.builtin.template:
+    src: etc/ssh/sshd_config.d/01-{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.conf.j2
+    dest: /etc/ssh/sshd_config.d/01-custom.conf
+    owner: root
+    group: root
+    mode: "0600"
+  notify: Reload sshd
 
 # See: WeakDH (2015): https://weakdh.org/sysadmin.html
 - name: Remove small Diffie-Hellman SSH moduli
@@ -24,28 +33,30 @@
       register: check_unsafe_moduli
 
     - name: Extract safe Diffie-Hellman SSH moduli
+      when: check_unsafe_moduli.stdout | length > 0
       ansible.builtin.shell:
         cmd: awk '$5 >= 3071' moduli > moduli.safe
         chdir: /etc/ssh
         creates: moduli.safe
-      when: check_unsafe_moduli.stdout | length > 0
       register: extract_safe_moduli
 
     - name: Replace unsafe Diffie-Hellman SSH moduli
+      when: extract_safe_moduli is changed
       ansible.builtin.command:
         cmd: mv moduli.safe moduli
         chdir: /etc/ssh
       register: replace_small_moduli
-      when: extract_safe_moduli is changed
-      notify: reload sshd
+      notify: Reload sshd
 
 - name: Remove DSA and ECDSA host keys
-  ansible.builtin.file: name=/etc/ssh/{{ item }} state=absent
+  ansible.builtin.file:
+    name: "/etc/ssh/{{ item }}"
+    state: absent
   loop:
     - ssh_host_dsa_key
     - ssh_host_dsa_key.pub
     - ssh_host_ecdsa_key
     - ssh_host_ecdsa_key.pub
-  notify: reload sshd
+  notify: Reload sshd
 
 # vim: set sw=2 ts=2:

roles/common/tasks/tarsnap.yml

@@ -1,24 +1,45 @@
 ---
-- name: Add Tarsnap apt mirror
-  ansible.builtin.template: src=tarsnap_sources.list.j2 dest=/etc/apt/sources.list.d/tarsnap.list owner=root group=root mode=0644
-  register: add_tarsnap_apt_repository
-  when: ansible_architecture != 'armv7l'
+- name: Check tarsnap apt signing key
+  ansible.builtin.stat:
+    path: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
+  register: tarsnap_signing_key_stat
 
-- name: Add GPG key for Tarsnap
-  ansible.builtin.apt_key: id=0xBF75EEAB040E447C url=https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc state=present
-  register: add_tarsnap_apt_key
+- name: Download tarsnap apt signing key
+  when: not tarsnap_signing_key_stat.stat.exists
+  ansible.builtin.get_url:
+    url: https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc
+    dest: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
+    owner: root
+    group: root
+    mode: "0644"
+  register: download_tarsnap_signing_key
+
+- name: Add tarsnap.org repo
+  when: ansible_architecture != 'armv7l'
+  ansible.builtin.template:
+    src: tarsnap_sources.list.j2
+    dest: /etc/apt/sources.list.d/tarsnap.list
+    owner: root
+    group: root
+    mode: "0644"
+  register: add_tarsnap_apt_repository
 
 - name: Update apt cache
-  ansible.builtin.apt:
-    update_cache: yes
-  when:
-    add_tarsnap_apt_key is changed or
-    add_tarsnap_apt_repository is changed
+  when: (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or add_tarsnap_apt_repository is changed
+  ansible.builtin.apt: # noqa no-handler
+    update_cache: true
 
 - name: Install tarsnap
-  ansible.builtin.apt: pkg=tarsnap cache_valid_time=3600
+  ansible.builtin.apt:
+    pkg: tarsnap
+    cache_valid_time: 3600
 
 - name: Copy tarsnaprc
-  ansible.builtin.copy: src=tarsnaprc dest=/root/.tarsnaprc owner=root group=root mode=0600
+  ansible.builtin.copy:
+    src: tarsnaprc
+    dest: /root/.tarsnaprc
+    owner: root
+    group: root
+    mode: "0600"
 
 # vim: set sw=2 ts=2:

roles/common/templates/etc/fail2ban/jail.d/nginx.local.j2

@@ -2,13 +2,8 @@
 enabled   = true
 # See: /etc/fail2ban/filter.d/nginx-botsearch.conf
 filter    = nginx-botsearch
-{% if (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '>=')) %}
 # Integrate with nftables
 banaction=nftables[type=allports]
-{% else %}
-# Integrate with firewalld and ipsets
-banaction = firewallcmd-ipset
-{% endif %}
 backend   = pyinotify
 logpath   = /var/log/nginx/*-access.log
 # Try to find a non-existent wp-login.php once and get banned. Tough luck.

roles/common/templates/etc/fail2ban/jail.d/sshd.local.j2

@@ -2,13 +2,8 @@
 enabled   = true
 # See: /etc/fail2ban/filter.d/sshd.conf
 filter    = sshd
-{% if (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11', '>=')) or (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '>=')) %}
 # Integrate with nftables
 banaction=nftables[type=allports]
-{% else %}
-# Integrate with firewalld and ipsets
-banaction = firewallcmd-ipset
-{% endif %}
 backend   = systemd
 maxretry  = {{ fail2ban_maxretry }}
 findtime  = {{ fail2ban_findtime }}

roles/common/templates/etc/ssh/sshd_config.d/01-Debian-13.conf.j2

@@ -0,0 +1,40 @@
+{{ ansible_managed | comment }}
+
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear
+# audit track of which key was using to log in.
+LogLevel VERBOSE
+
+MaxAuthTries 4
+
+AuthorizedKeysFile	.ssh/authorized_keys
+
+# To disable tunneled clear text passwords, change to no here!
+{% if ssh_password_authentication == 'disabled' %}
+PasswordAuthentication no
+{% else %}
+PasswordAuthentication yes
+{% endif %}
+
+X11Forwarding no
+
+# Based on the ssh-audit profile for Debian 13, but with but with all algos with
+# less than 256 bits removed, as NSA's Suite B removed them years ago and the
+# new (2018) CNSA suite is 256 bits and up.
+#
+# See: ssh-audit.py -P "Hardened Debian 13 (version 1)"
+# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com
+
+{% if ssh_allowed_users is defined and ssh_allowed_users %}
+AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
+{% endif %}
+
+PerSourcePenaltyExemptList {{ fail2ban_ignoreip | replace(" ", ",") }}
+
+# Mask to use for IPv4 and IPv6 respectively when applying network penalties.
+# The default is 32:128.
+PerSourceNetBlockSize 24:56

roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2

@@ -1,15 +1,19 @@
+[Unit]
+# If nftables is stopped or restarted, propagate to fail2ban as well
+PartOf=nftables.service
+
 [Service]
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectHome=read-only
-{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %}
+{% if ansible_distribution_version is version('11','>=') %}
 ProtectSystem=strict
 {% else %}
 {# Older systemd versions don't have ProtectSystem=strict #}
 ProtectSystem=full
 {% endif %}
 NoNewPrivileges=yes
-{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %}
+{% if ansible_distribution_version is version('11','>=') %}
 ReadWritePaths=-/var/run/fail2ban
 ReadWritePaths=-/var/lib/fail2ban
 ReadWritePaths=-/var/log/fail2ban.log

roles/common/templates/nftables.conf.j2

@@ -5,47 +5,18 @@
 
 flush ruleset
 
-# Lists updated daily by update-spamhaus-nftables.sh
-include "/etc/nftables/spamhaus-ipv4.nft"
-include "/etc/nftables/spamhaus-ipv6.nft"
-
-# Lists updated monthly (manually)
-include "/etc/nftables/abuseipdb-ipv4.nft"
-include "/etc/nftables/abuseipdb-ipv6.nft"
-
-# Lists updated daily by update-abusech-nftables.sh
-include "/etc/nftables/abusech-ipv4.nft"
+# List updated daily by update-firehol-nftables.sh
+include "/etc/nftables/firehol_level1-ipv4.nft"
 
 # Notes:
 #   - tables hold chains, chains hold rules
 #   - inet is for both ipv4 and ipv6
 table inet filter {
-    set spamhaus-ipv4 {
+    set firehol_level1-ipv4 {
         type ipv4_addr
         # if the set contains prefixes we need to use the interval flag
         flags interval
-        elements = $SPAMHAUS_IPV4
-    }
-
-    set spamhaus-ipv6 {
-        type ipv6_addr
-        flags interval
-        elements = $SPAMHAUS_IPV6
-    }
-
-    set abusech-ipv4 {
-        type ipv4_addr
-        elements = $ABUSECH_IPV4
-    }
-
-    set abuseipdb-ipv4 {
-        type ipv4_addr
-        elements = $ABUSEIPDB_IPV4
-    }
-
-    set abuseipdb-ipv6 {
-        type ipv6_addr
-        elements = $ABUSEIPDB_IPV6
+        elements = $FIREHOL_LEVEL1_IPV4
     }
 
     chain input {
@@ -55,13 +26,7 @@ table inet filter {
 
         ct state invalid counter drop comment "Early drop of invalid connections"
 
-        ip saddr @spamhaus-ipv4 counter drop comment "Early drop of incoming packets matching spamhaus-ipv4 list"
-        ip6 saddr @spamhaus-ipv6 counter drop comment "Early drop of incoming packets matching spamhaus-ipv6 list"
-
-        ip saddr @abusech-ipv4 counter drop comment "Early drop of packets matching abusech-ipv4 list"
-
-        ip saddr @abuseipdb-ipv4 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv4 list"
-        ip6 saddr @abuseipdb-ipv6 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv6 list"
+        ip saddr @firehol_level1-ipv4 counter drop comment "Early drop of incoming packets matching firehol_level1-ipv4 list"
 
         iifname lo accept comment "Allow from loopback"
 
@@ -105,12 +70,6 @@ table inet filter {
     chain output {
         type filter hook output priority 0;
 
-        ip daddr @spamhaus-ipv4 counter drop comment "Drop outgoing packets matching spamhaus-ipv4 list"
-        ip6 daddr @spamhaus-ipv6 counter drop comment "Drop outgoing packets matching spamhaus-ipv6 list"
-
-        ip daddr @abusech-ipv4 counter drop comment "Drop outgoing packets matching abusech-ipv4 list"
-
-        ip daddr @abuseipdb-ipv4 counter drop comment "Drop outgoing packets matching abuseipdb-ipv4 list"
-        ip6 daddr @abuseipdb-ipv6 counter drop comment "Drop outgoing packets matching abuseipdb-ipv6 list"
+        ip daddr @firehol_level1-ipv4 counter drop comment "Drop outgoing packets matching firehol_level1-ipv4 list"
     }
 }

roles/common/templates/public.xml.j2

@@ -1,81 +0,0 @@
-<zone>
-    <short>Public</short>
-    <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
-    <interface name="{{ ansible_default_ipv4.interface }}"/>
-
-    {# ssh rules #}
-    <rule family="ipv4">
-        <source address="0.0.0.0/0"/>
-        <port protocol="tcp" port="22"/>
-        <accept/>
-    </rule>
-
-    {# ipv6 ssh rules #}
-    <rule family="ipv6">
-        <source address="::/0"/>
-        <port protocol="tcp" port="22"/>
-        <accept/>
-    </rule>
-
-    {# web rules #}
-    <rule family="ipv4">
-        <source address="0.0.0.0/0"/>
-        <port protocol="tcp" port="80"/>
-        <accept/>
-    </rule>
-
-    {# ipv6 web rules #}
-    <rule family="ipv6">
-        <source address="::/0"/>
-        <port protocol="tcp" port="80"/>
-        <accept/>
-    </rule>
-
-    {# munin rules #}
-    {% if munin_master_host is defined %}
-    <rule family="ipv4">
-        <source address="{{ ghetto_ipsets[munin_master_host].src }}"/>
-        <port protocol="tcp" port="{{ munin_node_port }}"/>
-        <accept/>
-    </rule>
-    {% endif %}
-
-    {# extra rules #}
-    {% if extra_iptables_rules is defined %}
-    {% for rule in extra_iptables_rules %}
-    <rule family="ipv4">
-        <source address="{{ ghetto_ipsets[rule.acl].src }}"/>
-        <port protocol="{{ rule.protocol }}" port="{{ rule.port }}"/>
-        <accept/>
-    </rule>
-
-    {# ipv6 extra rules #}
-    {% if ghetto_ipsets[rule.acl].ipv6src is defined %}
-    <rule family="ipv6">
-        <source address="{{ ghetto_ipsets[rule.acl].ipv6src }}"/>
-        <port protocol="{{ rule.protocol }}" port="{{ rule.port }}"/>
-        <accept/>
-    </rule>
-    {% endif %}
-
-    {% endfor %}
-    {% endif %}
-
-    <rule>
-      <source ipset="abusers-ipv4"/>
-      <drop/>
-    </rule>
-    <rule>
-      <source ipset="abusers-ipv6"/>
-      <drop/>
-    </rule>
-    <rule>
-      <source ipset="spamhaus-ipv4"/>
-      <drop/>
-    </rule>
-    <rule>
-      <source ipset="spamhaus-ipv6"/>
-      <drop/>
-    </rule>
-
-</zone>

roles/common/templates/rc.local_Ubuntu.j2

@@ -1,14 +0,0 @@
-#!/bin/sh -e
-#
-# rc.local
-#
-# This script is executed at the end of each multiuser runlevel.
-# Make sure that the script will "exit 0" on success or any other
-# value on error.
-#
-# In order to enable or disable this script just change the execution
-# bits.
-#
-# By default this script does nothing.
-
-exit 0

roles/common/templates/security.sources.list.j2

@@ -1,5 +0,0 @@
-{% if ansible_distribution == 'Ubuntu' %}
-deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security main restricted universe multiverse
-{% elif ansible_distribution == 'Debian' %}
-deb http://security.debian.org/debian-security {{ ansible_distribution_release }}/updates main contrib non-free
-{% endif %}

roles/common/templates/sources.list.j2

@@ -1,16 +1,6 @@
-{% if ansible_distribution == 'Ubuntu' %}
-{% set apt_mirror    = apt_mirror | default("ubuntu.mirror.ac.ke") %}
-
-deb http://{{ apt_mirror }}/ubuntu/ {{ ansible_distribution_release }} main restricted universe multiverse
-deb http://{{ apt_mirror }}/ubuntu/ {{ ansible_distribution_release }}-updates main restricted universe multiverse
-deb http://security.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-security main restricted universe multiverse
-
-{% else %}
 {% set apt_mirror    = apt_mirror | default('deb.debian.org') %}
 deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }} main contrib non-free
 
 deb http://security.debian.org/debian-security {{ ansible_distribution_release }}-security main contrib non-free
 
 deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }}-updates main contrib non-free
-
-{% endif %} {# ansible_distribution #}

roles/common/templates/sshd_config_Debian-11.j2

@@ -56,7 +56,11 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #IgnoreRhosts yes
 
 # To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+{% if ssh_password_authentication == 'disabled' %}
+PasswordAuthentication no
+{% else %}
+PasswordAuthentication yes
+{% endif %}
 #PermitEmptyPasswords no
 
 # Change to yes to enable challenge-response passwords (beware issues with
@@ -131,8 +135,7 @@ Subsystem	sftp	/usr/lib/openssh/sftp-server
 # See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
-KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
 
 {% if ssh_allowed_users is defined and ssh_allowed_users %}
 # Is there a list of allowed users?

roles/common/templates/sshd_config_Debian-12.j2

@@ -1,9 +1,8 @@
-#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
 
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
 
 # The strategy used for options in the default sshd_config shipped with
 # OpenSSH is to specify options with their default value where
@@ -18,6 +17,7 @@ Include /etc/ssh/sshd_config.d/*.conf
 #ListenAddress ::
 
 #HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
 
 # Ciphers and keying
@@ -56,12 +56,16 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #IgnoreRhosts yes
 
 # To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+{% if ssh_password_authentication == 'disabled' %}
+PasswordAuthentication no
+{% else %}
+PasswordAuthentication yes
+{% endif %}
 #PermitEmptyPasswords no
 
 # Change to yes to enable challenge-response passwords (beware issues with
 # some PAM modules and threads)
-ChallengeResponseAuthentication no
+KbdInteractiveAuthentication no
 
 # Kerberos options
 #KerberosAuthentication no
@@ -77,13 +81,13 @@ ChallengeResponseAuthentication no
 
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
+# be allowed through the KbdInteractiveAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
+# and KbdInteractiveAuthentication to 'no'.
 UsePAM yes
 
 #AllowAgentForwarding yes
@@ -101,7 +105,7 @@ PrintMotd no
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
 #UseDNS no
-#PidFile /var/run/sshd.pid
+#PidFile /run/sshd.pid
 #MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none
@@ -122,14 +126,16 @@ Subsystem sftp	/usr/lib/openssh/sftp-server
 #	AllowTcpForwarding no
 #	PermitTTY no
 #	ForceCommand cvs server
-PasswordAuthentication yes
 
-# Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html
-# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now
-# does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
+# Based on the ssh-audit profile for OpenSSH 9.2, but with but with all algos
+# with less than 256 bits removed, as NSA's Suite B removed them years ago and
+# the new (2018) CNSA suite is 256 bits and up.
+#
+# See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py
+# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
-KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
 
 {% if ssh_allowed_users is defined and ssh_allowed_users %}
 # Is there a list of allowed users?

roles/common/templates/sshd_config_Ubuntu-18.04.j2

@@ -1,133 +0,0 @@
-#	$OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
-
-# This is the sshd server system-wide configuration file.  See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented.  Uncommented options override the
-# default value.
-
-#Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-#HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-#SyslogFacility AUTH
-# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
-LogLevel VERBOSE
-
-# Authentication:
-
-#LoginGraceTime 2m
-PermitRootLogin prohibit-password
-#StrictModes yes
-MaxAuthTries 4
-#MaxSessions 10
-
-#PubkeyAuthentication yes
-
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
-AuthorizedKeysFile	.ssh/authorized_keys
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
-#PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-#GSSAPIStrictAcceptorCheck yes
-#GSSAPIKeyExchange no
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-X11Forwarding no
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-PrintMotd no
-#PrintLastLog yes
-#TCPKeepAlive yes
-#UseLogin no
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS no
-#PidFile /var/run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-
-# Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
-
-# override default of no subsystems
-Subsystem	sftp	/usr/lib/openssh/sftp-server
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-#	X11Forwarding no
-#	AllowTcpForwarding no
-#	PermitTTY no
-#	ForceCommand cvs server
-
-# Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html
-# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now
-# does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
-KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
-
-# only allow shell access by provisioning user
-AllowUsers {{ provisioning_user.name }}

roles/common/templates/sysctl_Ubuntu.j2

@@ -1,100 +0,0 @@
-#
-# /etc/sysctl.conf - Configuration file for setting system variables
-# See /etc/sysctl.d/ for additional system variables
-# See sysctl.conf (5) for information.
-#
-
-#kernel.domainname = example.com
-
-# Uncomment the following to stop low-level messages on console
-#kernel.printk = 3 4 1 3
-
-##############################################################3
-# Functions previously found in netbase
-#
-
-# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
-# Turn on Source Address Verification in all interfaces to
-# prevent some spoofing attacks
-#net.ipv4.conf.default.rp_filter=1
-#net.ipv4.conf.all.rp_filter=1
-
-# Uncomment the next line to enable TCP/IP SYN cookies
-# See http://lwn.net/Articles/277146/
-# Note: This may impact IPv6 TCP sessions too
-#net.ipv4.tcp_syncookies=1
-
-# Uncomment the next line to enable packet forwarding for IPv4
-#net.ipv4.ip_forward=1
-
-# Uncomment the next line to enable packet forwarding for IPv6
-#  Enabling this option disables Stateless Address Autoconfiguration
-#  based on Router Advertisements for this host
-#net.ipv6.conf.all.forwarding=1
-
-
-###################################################################
-# Additional settings - these settings can improve the network
-# security of the host and prevent against some network attacks
-# including spoofing attacks and man in the middle attacks through
-# redirection. Some network environments, however, require that these
-# settings are disabled so review and enable them as needed.
-#
-# Do not accept ICMP redirects (prevent MITM attacks)
-#net.ipv4.conf.all.accept_redirects = 0
-#net.ipv6.conf.all.accept_redirects = 0
-# _or_
-# Accept ICMP redirects only for gateways listed in our default
-# gateway list (enabled by default)
-# net.ipv4.conf.all.secure_redirects = 1
-#
-# Do not send ICMP redirects (we are not a router)
-#net.ipv4.conf.all.send_redirects = 0
-#
-# Do not accept IP source route packets (we are not a router)
-#net.ipv4.conf.all.accept_source_route = 0
-#net.ipv6.conf.all.accept_source_route = 0
-#
-# Log Martian Packets
-#net.ipv4.conf.all.log_martians = 1
-#
-
-# CIS Benchmark Adjustments
-# See: https://github.com/alanorth/securekickstarts
-kernel.randomize_va_space = 2 
-net.ipv4.ip_forward = 0 
-net.ipv4.conf.all.send_redirects = 0 
-net.ipv4.conf.default.send_redirects = 0 
-net.ipv4.conf.all.accept_source_route = 0 
-net.ipv4.conf.default.accept_source_route = 0 
-net.ipv4.conf.all.accept_redirects = 0 
-net.ipv4.conf.default.accept_redirects = 0 
-net.ipv4.conf.all.secure_redirects = 0 
-net.ipv4.conf.default.secure_redirects = 0 
-net.ipv4.conf.all.log_martians = 1 
-net.ipv4.conf.default.log_martians = 1 
-net.ipv4.icmp_echo_ignore_broadcasts = 1 
-net.ipv4.icmp_ignore_bogus_error_responses = 1 
-net.ipv4.conf.all.rp_filter = 1 
-net.ipv4.conf.default.rp_filter = 1 
-net.ipv4.tcp_syncookies = 1
-
-# TCP stuff
-# See: http://fasterdata.es.net/host-tuning/linux/
-# increase TCP max buffer size settable using setsockopt()
-net.core.rmem_max = 16777216 
-net.core.wmem_max = 16777216 
-# increase Linux autotuning TCP buffer limit 
-net.ipv4.tcp_rmem = 4096 87380 16777216
-net.ipv4.tcp_wmem = 4096 65536 16777216
-# increase the length of the processor input queue
-net.core.netdev_max_backlog = 30000
-# recommended for hosts with jumbo frames enabled
-#net.ipv4.tcp_mtu_probing=1
-
-# increase quadruplets (src ip, src port, dest ip, dest port)
-# see: http://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux.html
-net.ipv4.ip_local_port_range = 10240 65535
-# recommended for web servers, especially if running SPDY
-# see: http://www.chromium.org/spdy/spdy-best-practices
-net.ipv4.tcp_slow_start_after_idle = 0

roles/common/templates/tarsnap_sources.list.j2

@@ -1 +1 @@
-deb [arch=amd64] https://pkg.tarsnap.com/deb/{{ ansible_distribution_release }} ./
+deb [arch=amd64 signed-by=/etc/apt/keyrings/tarsnap-deb-packaging-key.asc] https://pkg.tarsnap.com/deb/{{ ansible_distribution_release }} ./

roles/common/templates/update-firehol-nftables.sh.j2

@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+#
+# update-firehol-nftables.sh v0.0.1
+#
+# Download FireHOL lists and load them into nftables sets.
+# 
+# See: https://iplists.firehol.org/
+#
+# Copyright (C) 2025 Alan Orth
+#
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Exit on first error
+set -o errexit
+
+firehol_level1_ipv4_set_path=/etc/nftables/firehol_level1-ipv4.nft
+
+function download() {
+    echo "Downloading $1"
+    wget -q -O - "https://iplists.firehol.org/files/$1" > "$1"
+}
+
+download firehol_level1.netset
+
+if [[ -f "firehol_level1.netset" ]]; then
+    echo "Processing FireHOL Level 1 list"
+
+    firehol_level1_ipv4_list_temp=$(mktemp)
+    firehol_level1_ipv4_set_temp=$(mktemp)
+
+    # Filter blank lines, comments, and bogons we use inside the LAN, DMZ, and
+    # for local services like systemd-resolved and others on localhost. Ideally
+    # these are blocked already at the WAN side by network administrators.
+    cat firehol_level1.netset \
+        | sed \
+            -e '/^$/d' \
+            -e '/^#.*/d' \
+            -e '/^127\.0\.0\.0\/8/d' \
+        > "$firehol_level1_ipv4_list_temp"
+
+    echo "Building firehol_level1-ipv4 set"
+    cat << NFT_HEAD > "$firehol_level1_ipv4_set_temp"
+#!/usr/sbin/nft -f
+
+define FIREHOL_LEVEL1_IPV4 = {
+NFT_HEAD
+
+    while read -r network; do
+        # nftables doesn't mind if the last element in the set has a trailing
+        # comma so we don't need to do anything special here.
+        echo "$network," >> "$firehol_level1_ipv4_set_temp"
+    done < $firehol_level1_ipv4_list_temp
+
+    echo "}" >> "$firehol_level1_ipv4_set_temp"
+
+    install -m 0600 "$firehol_level1_ipv4_set_temp" "$firehol_level1_ipv4_set_path"
+
+    rm -f "$firehol_level1_ipv4_list_temp" "$firehol_level1_ipv4_set_temp"
+fi
+
+echo "Restarting nftables"
+
+/usr/bin/systemctl restart nftables.service
+
+rm -v firehol_level1.netset

roles/mariadb/handlers/main.yml

@@ -1,5 +1,7 @@
 ---
 - name: restart mariadb
-  ansible.builtin.systemd: name=mariadb state=restarted
+  ansible.builtin.systemd_service:
+    name: mariadb
+    state: restarted
 
 # vim: set ts=2 sw=2:

roles/mariadb/tasks/main.yml

@@ -1,57 +1,111 @@
 ---
-- name: Add GPG key for MariaDB repo
-  ansible.builtin.apt_key: id=0x177F4010FE56CA3336300305F1656F24C74CD1D8 url=https://mariadb.org/mariadb_release_signing_key.asc
-  register: add_mariadb_apt_key
-  tags: mariadb, packages
+- name: Remove MariaDB key from apt-key
+  ansible.builtin.apt_key:
+    id: "013577200103762554506315430003013705453362230723150730"
+    state: absent
+  tags:
+    - packages
+    - mariadb
 
-- name: Add MariaDB 10.5 repo
-  ansible.builtin.template: src=mariadb.list.j2 dest=/etc/apt/sources.list.d/mariadb.list owner=root group=root mode=0644
+- name: Check MariaDB package signing key
+  ansible.builtin.stat:
+    path: /etc/apt/keyrings/mariadb_release_signing_key.asc
+  register: mariadb_signing_key_stat
+  tags:
+    - packages
+    - mariadb
+
+- name: Download MariaDB package signing key
+  when: not mariadb_signing_key_stat.stat.exists
+  ansible.builtin.get_url:
+    url: https://mariadb.org/mariadb_release_signing_key.asc
+    dest: /etc/apt/keyrings/mariadb_release_signing_key.asc
+    owner: root
+    group: root
+    mode: "0644"
+  register: download_mariadb_signing_key
+  tags:
+    - packages
+    - mariadb
+
+- name: Add MariaDB 10.11 repo
+  ansible.builtin.apt_repository:
+    repo: deb [arch=amd64 signed-by=/etc/apt/keyrings/mariadb_release_signing_key.asc] https://dlm.mariadb.com/repo/mariadb-server/10.11/repo/debian {{ ansible_distribution_release
+      }} main
+    filename: mariadb
+    state: present
   register: add_mariadb_apt_repository
-  tags: mariadb, packages
+  tags:
+    - packages
+    - mariadb
 
 - name: Update apt cache
-  ansible.builtin.apt:
-    update_cache: yes
-  when:
-    add_mariadb_apt_key is changed or
-    add_mariadb_apt_repository is changed
+  when: (download_mariadb_signing_key.status_code is defined and download_mariadb_signing_key.status_code == 200) or add_mariadb_apt_repository is changed
+  ansible.builtin.apt: # noqa no-handler
+    update_cache: true
+  tags:
+    - packages
+    - mariadb
 
 - name: Install mariadb-server
-  ansible.builtin.apt: name={{ item }} state=present cache_valid_time=3600
-  loop:
-    - mariadb-server
-    - python3-pymysql # for ansible
+  ansible.builtin.apt:
+    name: [mariadb-server, python3-pymysql]
+    state: present
+    cache_valid_time: 3600
   tags: mariadb, packages
 
 - name: Create system my.cnf
-  ansible.builtin.template: src=my.cnf.j2 dest=/etc/mysql/my.cnf owner=root group=root mode=0644
+  ansible.builtin.template:
+    src: my.cnf.j2
+    dest: /etc/mysql/my.cnf
+    owner: root
+    group: root
+    mode: "0644"
   notify:
     - restart mariadb
   tags: mariadb
 
 # See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_user_module.html
 - name: Update MariaDB root password for all root accounts
-  community.mysql.mysql_user: name=root host={{ item }} password={{ mariadb_root_password }} login_unix_socket={{ mariadb_login_unix_socket }}
+  community.mysql.mysql_user:
+    name: root
+    host: "{{ item }}"
+    password: "{{ mariadb_root_password }}"
+    login_unix_socket: "{{ mariadb_login_unix_socket }}"
   loop:
     - 127.0.0.1
     - ::1
   tags: mariadb
 
 - name: Create .my.conf file with root credentials
-  ansible.builtin.template: src=.my.cnf.j2 dest=/root/.my.cnf owner=root mode=0600
+  ansible.builtin.template:
+    src: .my.cnf.j2
+    dest: /root/.my.cnf
+    owner: root
+    mode: "0600"
   tags: mariadb
 
 # See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_db_module.html
 - name: Create MariaDB database(s)
-  community.mysql.mysql_db: db={{ item.name }} state=present encoding=utf8mb4 login_unix_socket={{ mariadb_login_unix_socket }}
-  loop: "{{ mariadb_databases }}"
   when: mariadb_databases is defined
+  community.mysql.mysql_db:
+    db: "{{ item.name }}"
+    state: present
+    encoding: utf8mb4
+    login_unix_socket: "{{ mariadb_login_unix_socket }}"
+  loop: "{{ mariadb_databases }}"
   tags: mariadb
 
 - name: Create MariaDB user(s)
-  community.mysql.mysql_user: name={{ item.user }} password={{ item.pass }} priv={{ item.name }}.*:ALL host=127.0.0.1 state=present login_unix_socket={{ mariadb_login_unix_socket }}
-  loop: "{{ mariadb_databases }}"
   when: mariadb_databases is defined
+  community.mysql.mysql_user:
+    name: "{{ item.user }}"
+    password: "{{ item.pass }}"
+    priv: "{{ item.name }}.*:ALL"
+    host: 127.0.0.1
+    state: present
+    login_unix_socket: "{{ mariadb_login_unix_socket }}"
+  loop: "{{ mariadb_databases }}"
   tags: mariadb
 
 # vim: set ts=2 sw=2:

roles/mariadb/templates/mariadb.list.j2

@@ -1,3 +0,0 @@
-{{ ansible_managed | comment }}
-
-deb [arch=amd64] https://dlm.mariadb.com/repo/mariadb-server/10.5/repo/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main

roles/munin/handlers/main.yml

@@ -1,4 +1,4 @@
 ---
 # ansible.builtin.file: roles/munin/handlers/main.yml
 - name: restart munin-node
-  ansible.builtin.systemd: name=munin-node state=restarted
+  ansible.builtin.systemd_service: name=munin-node state=restarted

roles/munin/tasks/munin-node.yml

@@ -1,16 +1,22 @@
 ---
 - name: Install munin-node
-  ansible.builtin.apt: name=munin-node state=present
+  ansible.builtin.apt:
+    name: munin-node
+    state: present
   tags: packages
 
 # some nice things to have for munin-node on Ubuntu
 # libwww-perl: for munin's nginx_status check
 - name: Install munin-node deps
-  ansible.builtin.apt: name=libwww-perl state=present
+  ansible.builtin.apt:
+    name: libwww-perl
+    state: present
   tags: packages
 
 - name: Create munin-node.conf
-  ansible.builtin.template: src=munin-node.conf.j2 dest=/etc/munin/munin-node.conf
+  ansible.builtin.template:
+    src: munin-node.conf.j2
+    dest: /etc/munin/munin-node.conf
   notify:
     - restart munin-node
 
@@ -20,6 +26,9 @@
     - restart munin-node
 
 - name: Start munin-node
-  ansible.builtin.systemd: name=munin-node state=started enabled=true
+  ansible.builtin.systemd_service:
+    name: munin-node
+    state: started
+    enabled: true
 
 # vim: set ts=2 sw=2:

roles/munin/tasks/munin.yml

@@ -1,9 +1,16 @@
 ---
 - name: Install munin package
-  ansible.builtin.apt: name=munin state=present
+  ansible.builtin.apt:
+    name: munin
+    state: present
   tags: packages
 
 - name: Create munin configuration file
-  ansible.builtin.template: src=munin.conf.j2 dest=/etc/munin/munin.conf owner=root group=root mode=0644
+  ansible.builtin.template:
+    src: munin.conf.j2
+    dest: /etc/munin/munin.conf
+    owner: root
+    group: root
+    mode: "0644"
 
 # vim: set ts=2 sw=2:

roles/nginx/defaults/main.yml

@@ -5,28 +5,28 @@
 nginx_confd_path: /etc/nginx/conf.d
 
 # parent directory of vhost roots
-nginx_root_prefix: /var/www
+nginx_root_prefix: "{{ web_root_prefix }}"
 
-# 1 hour timeout
-nginx_ssl_session_timeout: 1h
+# 1 day timeout
+nginx_ssl_session_timeout: 1d
 # 10MB -> 40,000 sessions
 nginx_ssl_session_cache: shared:SSL:10m
-# 1400 bytes to fit in one MTU (default is 16k!)
-nginx_ssl_buffer_size: 1400
+nginx_ssl_buffer_size: 4k
 nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
-nginx_ssl_protocols: 'TLSv1.2 TLSv1.3'
+nginx_ssl_protocols: TLSv1.2 TLSv1.3
+nginx_ssl_ecdh_curve: X25519:prime256v1:secp384r1
 
 # DNS resolvers for OCSP stapling (default to Cloudflare public DNS)
 # See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
-nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]'
+nginx_ssl_stapling_resolver: 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]
 
 # HTTP Strict-Transport-Security header, recommended by Google to be ~1 year
 # in seconds, see: https://hstspreload.org/
 nginx_hsts_max_age: 31536000
 
 # install acme.sh?
-# True unless you're in development and using "localhost" + snakeoil certs
-use_letsencrypt: True
+# true unless you're in development and using "localhost" + snakeoil certs
+use_letsencrypt: true
 
 # Directory root for Let's Encrypt certs
 letsencrypt_root: /etc/ssl
@@ -37,8 +37,8 @@ letsencrypt_root: /etc/ssl
 letsencrypt_acme_script_temp: /root/acme.sh
 letsencrypt_acme_home: /root/.acme.sh
 
-# stable is 1.20.x
-# mainline is 1.21.x
+# stable is 1.26.x
+# mainline is 1.27.x
 nginx_version: mainline
 
 # vim: set ts=2 sw=2:

roles/nginx/handlers/main.yml

@@ -1,5 +1,7 @@
 ---
-- name: reload nginx
-  ansible.builtin.systemd: name=nginx state=reloaded
+- name: Reload nginx
+  ansible.builtin.systemd_service:
+    name: nginx
+    state: reloaded
 
 # vim: set ts=2 sw=2:

roles/nginx/tasks/letsencrypt.yml

@@ -1,8 +1,12 @@
 ---
-
 # Use acme.sh instead of certbot because they only support installation via
 # snap now.
-- block:
+- name: Install and configure Let's Encrypt
+  tags: letsencrypt
+  when:
+    - ansible_distribution == 'Debian'
+    - ansible_distribution_version is version('11', '>='))
+  block:
     - name: Remove certbot
       ansible.builtin.apt:
         name: certbot
@@ -22,29 +26,31 @@
       register: acme_home
 
     - name: Download acme.sh
+      when: not acme_home.stat.exists
       ansible.builtin.get_url:
         url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
         dest: "{{ letsencrypt_acme_script_temp }}"
-      mode: 0700
+        mode: "0700"
       register: acme_download
-    when: not acme_home.stat.exists
 
     # Run the "install" for acme.sh so it creates the .acme.sh dir (currently I
     # have to chdir to the /root directory where the script exists or else it
     # fails. Ansible runs it, but the script can't find itself...).
     - name: Install acme.sh
+      when: acme_download is changed
       ansible.builtin.command:
         cmd: "{{ letsencrypt_acme_script_temp }} --install --no-profile --no-cron"
         creates: "{{ letsencrypt_acme_home }}/acme.sh"
         chdir: /root
       register: acme_install
-    when: acme_download is changed
 
     - name: Remove temporary acme.sh script
+      when:
+        - acme_install.rc is defined
+        - acme_install.rc == 0
       ansible.builtin.file:
         dest: "{{ letsencrypt_acme_script_temp }}"
         state: absent
-    when: acme_install.rc is defined and acme_install.rc == 0
 
     - name: Set default certificate authority for acme.sh
       ansible.builtin.command:
@@ -62,7 +68,7 @@
       ansible.builtin.template:
         src: renew-letsencrypt.service.j2
         dest: /etc/systemd/system/renew-letsencrypt.service
-      mode: 0644
+        mode: "0644"
         owner: root
         group: root
 
@@ -70,20 +76,16 @@
       ansible.builtin.copy:
         src: renew-letsencrypt.timer
         dest: /etc/systemd/system/renew-letsencrypt.timer
-      mode: 0644
+        mode: "0644"
         owner: root
         group: root
 
     # always issues daemon-reload just in case the service/timer changed
     - name: Start and enable systemd timer to renew Let's Encrypt certs
-    ansible.builtin.systemd:
+      ansible.builtin.systemd_service:
         name: renew-letsencrypt.timer
         state: started
-      enabled: yes
-      daemon_reload: yes
-
-  when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '=='))
-        or (ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '=='))
-  tags: letsencrypt
+        enabled: true
+        daemon_reload: true
 
 # vim: set ts=2 sw=2:

roles/nginx/tasks/main.yml

@@ -1,72 +1,128 @@
 ---
-- name: Add nginx.org apt signing key
-  ansible.builtin.apt_key: id=0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 url=https://nginx.org/keys/nginx_signing.key state=present
-  register: add_nginx_apt_key
-  tags: nginx, packages
+- name: Remove nginx apt signing key from apt-key
+  ansible.builtin.apt_key:
+    id: "053473772654754373614404074646527257655730117366337542"
+    state: absent
+  tags:
+    - packages
+    - nginx
+
+- name: Download nginx apt signing key
+  ansible.builtin.get_url:
+    url: https://nginx.org/keys/nginx_signing.key
+    dest: /usr/share/keyrings/nginx_signing.key
+    owner: root
+    group: root
+    mode: "0644"
+    checksum: sha256:55385da31d198fa6a5012d40ae98ecb272a6c4e8fffffba94719ffd3e87de37a
+  register: download_nginx_signing_key
+  tags:
+    - packages
+    - nginx
 
 - name: Add nginx.org repo
-  ansible.builtin.template: src=nginx_org_sources.list.j2 dest=/etc/apt/sources.list.d/nginx_org_sources.list owner=root group=root mode=0644
+  ansible.builtin.template:
+    src: nginx_org_sources.list.j2
+    dest: /etc/apt/sources.list.d/nginx_org_sources.list
+    owner: root
+    group: root
+    mode: "0644"
   register: add_nginx_apt_repository
-  tags: nginx, packages
+  tags:
+    - nginx
+    - packages
 
 - name: Update apt cache
-  ansible.builtin.apt:
-    update_cache: yes
-  when:
-    add_nginx_apt_key is changed or
-    add_nginx_apt_repository is changed
+  when: (download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or add_nginx_apt_repository is changed
+  ansible.builtin.apt: # noqa no-handler
+    update_cache: true
 
 - name: Install nginx
-  ansible.builtin.apt: pkg=nginx cache_valid_time=3600 state=present
-  tags: nginx, packages
+  ansible.builtin.apt:
+    pkg: nginx
+    cache_valid_time: 3600
+    state: present
+  tags:
+    - nginx
+    - packages
 
 - name: Copy nginx.conf
-  ansible.builtin.template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=0644 owner=root group=root
+  ansible.builtin.template:
+    src: nginx.conf.j2
+    dest: /etc/nginx/nginx.conf
+    mode: "0644"
+    owner: root
+    group: root
   notify:
-    - reload nginx
+    - Reload nginx
   tags: nginx
 
 - name: Copy extra nginx configs
-  ansible.builtin.copy: src={{ item }} dest=/etc/nginx/{{ item }} mode=0644 owner=root group=root
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: /etc/nginx/{{ item }}
+    mode: "0644"
+    owner: root
+    group: root
   loop:
     - extra-security.conf
     - fastcgi_cache
   notify:
-    - reload nginx
+    - Reload nginx
   tags: nginx
 
 - name: Remove default nginx vhost
-  ansible.builtin.file: path=/etc/nginx/conf.d/default.conf state=absent
+  ansible.builtin.file:
+    path: /etc/nginx/conf.d/default.conf
+    state: absent
   tags: nginx
 
 - name: Create fastcgi cache dir
-  ansible.builtin.file: path=/var/cache/nginx/cached/fastcgi state=directory owner=nginx group=nginx mode=0755
+  ansible.builtin.file:
+    path: /var/cache/nginx/cached/fastcgi
+    state: directory
+    owner: nginx
+    group: nginx
+    mode: "0755"
   tags: nginx
 
 - name: Configure nginx virtual hosts
-  ansible.builtin.include_tasks: vhosts.yml
   when: nginx_vhosts is defined
+  ansible.builtin.include_tasks: vhosts.yml
   tags: nginx
 
 - name: Configure WordPress
-  ansible.builtin.include_tasks: wordpress.yml
   when: nginx_vhosts is defined
+  ansible.builtin.include_tasks: wordpress.yml
   tags: wordpress
 
 - name: Configure blank nginx vhost
-  ansible.builtin.template: src=blank-vhost.conf.j2 dest={{ nginx_confd_path }}/blank-vhost.conf  mode=0644 owner=root group=root
+  ansible.builtin.template:
+    src: blank-vhost.conf.j2
+    dest: "{{ nginx_confd_path }}/blank-vhost.conf"
+    mode: "0644"
+    owner: root
+    group: root
   notify:
-    - reload nginx
+    - Reload nginx
   tags: nginx
 
 - name: Configure munin vhost
-  ansible.builtin.copy: src=munin.conf dest=/etc/nginx/conf.d/munin.conf mode=0644 owner=root group=root
+  ansible.builtin.copy:
+    src: munin.conf
+    dest: /etc/nginx/conf.d/munin.conf
+    mode: "0644"
+    owner: root
+    group: root
   notify:
-    - reload nginx
+    - Reload nginx
   tags: nginx
 
 - name: Start and enable nginx service
-  ansible.builtin.systemd: name=nginx state=started enabled=yes
+  ansible.builtin.systemd_service:
+    name: nginx
+    state: started
+    enabled: true
   tags: nginx
 
 - name: Configure Let's Encrypt

roles/nginx/tasks/vhosts.yml

@@ -1,16 +1,23 @@
 ---
-
-- block:
+- name: Configure https vhosts
+  tags: nginx
+  block:
     - name: Configure https vhosts
-    ansible.builtin.template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root
+      ansible.builtin.template:
+        src: vhost.conf.j2
+        dest: "{{ nginx_confd_path }}/{{ item.domain_name }}.conf"
+        mode: "0644"
+        owner: root
+        group: root
       loop: "{{ nginx_vhosts }}"
       notify:
-      - reload nginx
+        - Reload nginx
 
     - name: Generate self-signed TLS cert
-    ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
+      ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key
+        -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
       notify:
-      - reload nginx
+        - Reload nginx
 
     - name: Download 4096-bit RFC 7919 dhparams
       ansible.builtin.get_url:
@@ -18,12 +25,16 @@
         checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3
         dest: "{{ nginx_ssl_dhparam }}"
       notify:
-      - reload nginx
+        - Reload nginx
 
     # TODO: this could break because we can override the document root in host vars
     - name: Create vhost document roots
-    ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=nginx group=nginx
+      ansible.builtin.file:
+        path: "{{ nginx_root_prefix }}/{{ item.domain_name }}"
+        state: directory
+        mode: "0755"
+        owner: nginx
+        group: nginx
       loop: "{{ nginx_vhosts }}"
-  tags: nginx
 
 # vim: set ts=2 sw=2:

roles/nginx/tasks/wordpress.yml

@@ -1,15 +1,29 @@
 ---
-
-- block:
+- name: Install and configure WordPress
+  tags: wordpress
+  block:
     - name: Install WordPress
-    ansible.builtin.git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version }} depth=1 force=yes
-    when: item.has_wordpress is defined and item.has_wordpress
+      when:
+        - item.has_wordpress is defined
+        - item.has_wordpress
+      ansible.builtin.git:
+        repo: https://github.com/WordPress/WordPress.git
+        dest: "{{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress"
+        version: "{{ item.wordpress_version }}"
+        depth: 1
+        force: true
       loop: "{{ nginx_vhosts }}"
 
     - name: Fix WordPress directory permissions
-    ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=yes
-    when: item.has_wordpress is defined and item.has_wordpress
+      when:
+        - item.has_wordpress is defined
+        - item.has_wordpress
+      ansible.builtin.file:
+        path: "{{ nginx_root_prefix }}/{{ item.domain_name }}"
+        state: directory
+        owner: nginx
+        group: nginx
+        recurse: true
       loop: "{{ nginx_vhosts }}"
-  tags: wordpress
 
 # vim: set ts=2 sw=2:

roles/nginx/templates/blank-vhost.conf.j2

@@ -11,9 +11,11 @@ server {
 
     return 444;
 }
+
 server {
-    listen 443 ssl http2 default_server;
-    listen [::]:443 ssl http2 default_server;
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+    http2 on;
     server_name _;
 
     # self-signed "snakeoil" certificate

roles/nginx/templates/https.j2

@@ -1,7 +1,7 @@
 {# helper variables and per-site defaults that we can't set in role defaults #}
 {% set domain_name       = item.domain_name %}
-{# assume HSTS is off unless a vhost explicitly sets it to True #}
-{% set enable_hsts       = item.enable_hsts | default(False) %}
+{# assume HSTS is off unless a vhost explicitly sets it to true #}
+{% set enable_hsts       = item.enable_hsts | default(false) %}
 
     {# first, check if the current vhost has a custom cert (perhaps self-signed) #}
     {% if item.tls_certificate_path is defined and item.tls_key_path is defined %}
@@ -27,27 +27,19 @@
 
     ssl_dhparam {{ nginx_ssl_dhparam }};
     ssl_protocols {{ nginx_ssl_protocols }};
+    ssl_ecdh_curve {{ nginx_ssl_ecdh_curve }};
     ssl_ciphers "{{ tls_cipher_suite }}";
-    ssl_prefer_server_ciphers on;
+    ssl_prefer_server_ciphers off;
 
     {# OSCP stapling only works with real certs #}
-    {% if use_letsencrypt == True or item.tls_certificate_path %}
+    {% if use_letsencrypt == true or item.tls_certificate_path %}
     # OCSP stapling...
     ssl_stapling on;
     ssl_stapling_verify on;
     resolver {{ nginx_ssl_stapling_resolver }};
     {% endif %} {# end: use_letsencrypt #}
 
-    # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
-    # when a restart is performed the previous key is lost, which resets all previous
-    # sessions. The fix for this is to setup a manual rotation mechanism:
-    # http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
-    #
-    # Note that you'll have to define and rotate the keys securely by yourself. In absence
-    # of such infrastructure, consider turning off session tickets:
-    ssl_session_tickets off;
-
-    {% if enable_hsts == True %}
+    {% if enable_hsts == true %}
     # Enable this if you want HSTS (recommended, but be careful)
     # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
     # See: https://hstspreload.appspot.com/

roles/nginx/templates/nginx_org_sources.list.j2

@@ -1,19 +1,7 @@
 {{ ansible_managed | comment }}
 
-{% if ansible_distribution == 'Ubuntu' %}
-
 {% if nginx_version == "stable" %}
-deb [arch=amd64] https://nginx.org/packages/ubuntu/ {{ ansible_distribution_release }} nginx
+deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx
 {% elif nginx_version == "mainline" %}
-deb [arch=amd64] https://nginx.org/packages/mainline/ubuntu/ {{ ansible_distribution_release }} nginx
-{% endif %}
-
-{% elif ansible_distribution == 'Debian' %}
-
-{% if nginx_version == "stable" %}
-deb [arch=amd64] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx
-{% elif nginx_version == "mainline" %}
-deb [arch=amd64] https://nginx.org/packages/mainline/debian/ {{ ansible_distribution_release }} nginx
-{% endif %}
-
+deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/mainline/debian/ {{ ansible_distribution_release }} nginx
 {% endif %}

roles/nginx/templates/vhost.conf.j2

@@ -4,10 +4,16 @@
 {% set domain_name    = item.domain_name %}
 {% set domain_aliases = item.domain_aliases | default("") %}
 {# assume optional features are off unless a vhost explicitly sets them #}
-{% set enable_hsts    = item.enable_hsts | default(False) %}
-{% set has_wordpress  = item.has_wordpress | default(False) %}
-{% set needs_php      = item.needs_php | default(False) %}
-{% set has_gitea      = item.has_gitea | default(False) %}
+{% set enable_hsts    = item.enable_hsts | default(false) %}
+{% set has_wordpress  = item.has_wordpress | default(false) %}
+{% set needs_php      = item.needs_php | default(false) %}
+{% set has_gitea      = item.has_gitea | default(false) %}
+{# Allow sites to override the document root #}
+{% if item.document_root is defined %}
+{%   set document_root = item.document_root %}
+{% else %}
+{%   set document_root = (nginx_root_prefix, domain_name) | ansible.builtin.path_join %}
+{% endif %}
 
 # http -> https vhost
 server {
@@ -26,31 +32,27 @@ server {
 }
 
 server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
 
-    {# Allow sites to override the nginx document root #}
-    {% if item.document_root is defined %}
-    root {{ item.document_root }};
-    {% else %}
-    root {{ nginx_root_prefix }}/{{ domain_name }};
-    {% endif %}
+    root {{ document_root }};
 
     {# will only work if the TLS cert covers the domain + aliases, like example.com and www.example.com #}
     server_name {{ domain_name }} {{ domain_aliases }};
 
-    index {% if has_wordpress == True or needs_php == True %}index.php{% else %}index.html{% endif %};
+    index {% if has_wordpress == true or needs_php == true %}index.php{% else %}index.html{% endif %};
 
     access_log  /var/log/nginx/{{ domain_name }}-access.log;
     error_log   /var/log/nginx/{{ domain_name }}-error.log;
 
     {% include 'https.j2' %}
 
-    {% if has_wordpress == True %}
+    {% if has_wordpress == true %}
         {% include 'wordpress.j2' %}
     {% endif %}
 
-    {% if has_gitea == True %}
+    {% if has_gitea == true %}
         {% include 'gitea.j2' %}
     {% endif %}
 
@@ -59,7 +61,7 @@ server {
         root /usr/share/nginx/html;
     }
 
-    {% if has_wordpress == True or needs_php == True %}
+    {% if has_wordpress == true or needs_php == true %}
     location ~ [^/]\.php(/|$) {
         # Zero-day exploit defense.
         # http://forum.nginx.org/read.php?2,88845,page=3
@@ -75,17 +77,8 @@ server {
         # See: https://httpoxy.org/
         fastcgi_param HTTP_PROXY "";
 
-        {# As of Ubuntu 16.04 and Debian 9, the PHP-FPM configs are the same #}
-        {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('16.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('9', '==')) %}
-        fastcgi_pass unix:/run/php/php7.0-fpm-{{ domain_name }}.sock;
-        {% elif ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==') %}
-        fastcgi_pass unix:/run/php/php7.2-fpm-{{ domain_name }}.sock;
-        {% elif ansible_distribution == 'Debian' and ansible_distribution_version is version('10', '==') %}
-        fastcgi_pass unix:/run/php/php7.3-fpm-{{ domain_name }}.sock;
-        {% elif (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '==')) %}
-        fastcgi_pass unix:/run/php/php7.4-fpm-{{ domain_name }}.sock;
-        {% else %}
-        fastcgi_pass unix:/var/run/php5-fpm-{{ domain_name }}.sock;
+        {% if ansible_distribution_major_version is version('12', '==') %}
+        fastcgi_pass unix:/run/php/php8.2-fpm-{{ domain_name }}.sock;
         {% endif %}
         fastcgi_index index.php;
         # set script path relative to document root in server block
@@ -99,7 +92,7 @@ server {
         fastcgi_cache_bypass $http_pragma $wordpress_logged_in;
         fastcgi_no_cache $http_pragma $wordpress_logged_in;
 
-        {% if enable_hsts == True %}
+        {% if enable_hsts == true %}
         # Enable this if you want HSTS (recommended, but be careful)
         # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
         # See: https://hstspreload.appspot.com/
@@ -113,7 +106,7 @@ server {
     include extra-security.conf;
 }
 
-{% if has_wordpress == True %}
+{% if has_wordpress == true %}
 # Check if a user is logged in
 # if so, set $wordpress_logged_in = 1
 # otherwise, set $wordpress_logged_in = 0

roles/nginx/templates/wordpress.j2

@@ -5,7 +5,7 @@
     location / {
         try_files $uri $uri/ /index.php?$args;
 
-        {% if enable_hsts == True %}
+        {% if enable_hsts == true %}
         # Enable this if you want HSTS (recommended, but be careful)
         # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
         # See: https://hstspreload.appspot.com/
@@ -16,7 +16,7 @@
     location ~* \.(?:ico|css|js|gif|jpe?g|png|svg)$ {
         add_header Cache-Control "max-age=604800";
 
-        {% if enable_hsts == True %}
+        {% if enable_hsts == true %}
         # Enable this if you want HSTS (recommended, but be careful)
         # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
         # See: https://hstspreload.appspot.com/

roles/php-fpm/handlers/main.yml

@@ -1,14 +0,0 @@
----
-# For Ubuntu 18.04
-- name: reload php7.2-fpm
-  ansible.builtin.systemd: name=php7.2-fpm state=reloaded
-
-# For Debian 10
-- name: reload php7.3-fpm
-  ansible.builtin.systemd: name=php7.3-fpm state=reloaded
-
-# For Ubuntu 20.04
-- name: reload php7.4-fpm
-  ansible.builtin.systemd: name=php7.4-fpm state=reloaded
-
-# vim: set ts=2 sw=2:

roles/php-fpm/tasks/Debian_10.yml

@@ -1,35 +0,0 @@
----
-
-- block:
-  - name: Set php-fpm packages
-    ansible.builtin.set_fact:
-      php_fpm_packages:
-        - php-fpm
-        # for WordPress
-        - php-mysql
-        - php-gd
-        - php-curl
-
-  - name: Install php-fpm and deps
-    ansible.builtin.apt: name={{ php_fpm_packages }} state=present update_cache=yes
-
-  # only copy php-fpm config for vhosts that need WordPress or PHP
-  - name: Copy php-fpm pool config
-    ansible.builtin.template: src=php7.3-pool.conf.j2 dest=/etc/php/7.3/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
-    loop: "{{ nginx_vhosts }}"
-    when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
-    notify: reload php7.3-fpm
-
-  - name: Remove default www pool
-    ansible.builtin.file: path=/etc/php/7.3/fpm/pool.d/www.conf state=absent
-    notify: reload php7.3-fpm
-
-  # re-configure php.ini
-  - name: Update php.ini
-    ansible.builtin.template: src=php7.3-php.ini.j2 dest=/etc/php/7.3/fpm/php.ini owner=root group=root mode=0644
-    notify: reload php7.3-fpm
-
-  tags: php-fpm
-  when: install_php
-
-# vim: set ts=2 sw=2:

roles/php-fpm/tasks/Ubuntu_18.04.yml

@@ -1,35 +0,0 @@
----
-
-- block:
-  - name: Set php-fpm packages
-    ansible.builtin.set_fact:
-      php_fpm_packages:
-        - php-fpm
-        # for WordPress
-        - php-mysql
-        - php-gd
-        - php-curl
-
-  - name: Install php-fpm and deps
-    ansible.builtin.apt: name={{ php_fpm_packages }} state=present update_cache=yes
-
-  # only copy php-fpm config for vhosts that need WordPress or PHP
-  - name: Copy php-fpm pool config
-    ansible.builtin.template: src=php7.2-pool.conf.j2 dest=/etc/php/7.2/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
-    loop: "{{ nginx_vhosts }}"
-    when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
-    notify: reload php7.2-fpm
-
-  - name: Remove default www pool
-    ansible.builtin.file: path=/etc/php/7.2/fpm/pool.d/www.conf state=absent
-    notify: reload php7.2-fpm
-
-  # re-configure php.ini
-  - name: Update php.ini
-    ansible.builtin.template: src=php7.2-php.ini.j2 dest=/etc/php/7.2/fpm/php.ini owner=root group=root mode=0644
-    notify: reload php7.2-fpm
-
-  tags: php-fpm
-  when: install_php
-
-# vim: set ts=2 sw=2:

roles/php-fpm/tasks/Ubuntu_20.04.yml

@@ -1,36 +0,0 @@
----
-
-- block:
-  - name: Set php-fpm packages
-    ansible.builtin.set_fact:
-      php_fpm_packages:
-        - php7.4-fpm
-        # for WordPress
-        - php7.4-mysql
-        - php7.4-gd
-        - php7.4-curl
-        - php7.4-xml
-
-  - name: Install php-fpm and deps
-    ansible.builtin.apt: name={{ php_fpm_packages }} state=present update_cache=yes
-
-  # only copy php-fpm config for vhosts that need WordPress or PHP
-  - name: Copy php-fpm pool config
-    ansible.builtin.template: src=php7.4-pool.conf.j2 dest=/etc/php/7.4/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
-    loop: "{{ nginx_vhosts }}"
-    when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
-    notify: reload php7.4-fpm
-
-  - name: Remove default www pool
-    ansible.builtin.file: path=/etc/php/7.4/fpm/pool.d/www.conf state=absent
-    notify: reload php7.4-fpm
-
-  # re-configure php.ini
-  - name: Update php.ini
-    ansible.builtin.template: src=php7.4-php.ini.j2 dest=/etc/php/7.4/fpm/php.ini owner=root group=root mode=0644
-    notify: reload php7.4-fpm
-
-  tags: php-fpm
-  when: install_php
-
-# vim: set ts=2 sw=2:

roles/php-fpm/tasks/main.yml

@@ -1,50 +0,0 @@
----
-# Ubuntu 18.04 uses php-fpm 7.2
-# Debian 10 uses php-fpm 7.3
-# Ubuntu 20.04 uses PHP 7.4
-# Debian 11 uses PHP 7.4
-
-# If any of the vhosts on this host need WordPress then we need to install PHP.
-# This uses selectattr to filter the list of dicts in nginx_vhosts, selecting
-# any that have has_wordpress defined, and has_wordpress set to True.
-#
-# See: https://stackoverflow.com/a/31896249
-- name: Check if any vhost needs WordPress
-  ansible.builtin.set_fact:
-    install_php: True
-  when: "nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', True) | list | length > 0"
-
-# Legacy, was only for Piwik, but leaving for now.
-- name: Check if any vhost needs PHP
-  ansible.builtin.set_fact:
-    install_php: True
-  when: "nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', True) | list | length > 0"
-
-# If install_php has not been set, then we assume no vhosts need PHP. This is
-# a bit hacky, but it's the closest we come to an if/then/else.
-- name: Set install_php to False
-  ansible.builtin.set_fact:
-    install_php: False
-  when: install_php is not defined
-
-- name: Configure php-fpm on Ubuntu 18.04
-  ansible.builtin.include_tasks: Ubuntu_18.04.yml
-  when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==') and install_php
-  tags: php-fpm
-
-- name: Configure php-fpm on Debian 10
-  ansible.builtin.include_tasks: Debian_10.yml
-  when: ansible_distribution == 'Debian' and ansible_distribution_version is version('10', '==') and install_php
-  tags: php-fpm
-
-- name: Configure php-fpm on Ubuntu 20.04
-  ansible.builtin.include_tasks: Ubuntu_20.04.yml
-  when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==') and install_php
-  tags: php-fpm
-
-- name: Configure php-fpm on Debian 11
-  ansible.builtin.include_tasks: Ubuntu_20.04.yml
-  when: ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '==') and install_php
-  tags: php-fpm
-
-# vim: set ts=2 sw=2:

roles/php-fpm/templates/php7.2-pool.conf.j2

@@ -1,415 +0,0 @@
-{% set domain_name  = item.domain_name %}
-
-; Start a new pool named '{{ domain_name }}'.
-; the variable $pool can we used in any directive and will be replaced by the
-; pool name ('{{ domain_name }}' here)
-[{{ domain_name }}]
-
-; Per pool prefix
-; It only applies on the following directives:
-; - 'access.log'
-; - 'slowlog'
-; - 'listen' (unixsocket)
-; - 'chroot'
-; - 'chdir'
-; - 'php_values'
-; - 'php_admin_values'
-; When not set, the global prefix (or /usr) applies instead.
-; Note: This directive can also be relative to the global prefix.
-; Default Value: none
-;prefix = /path/to/pools/$pool
-
-; Unix user/group of processes
-; Note: The user is mandatory. If the group is not set, the default user's group
-;       will be used.
-user = nginx
-group = nginx
-
-; The address on which to accept FastCGI requests.
-; Valid syntaxes are:
-;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
-;                            a specific port;
-;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
-;                            a specific port;
-;   'port'                 - to listen on a TCP socket to all addresses
-;                            (IPv6 and IPv4-mapped) on a specific port;
-;   '/path/to/unix/socket' - to listen on a unix socket.
-; Note: This value is mandatory.
-listen = /run/php/php7.2-fpm-{{ domain_name }}.sock
-
-; Set listen(2) backlog.
-; Default Value: 511 (-1 on FreeBSD and OpenBSD)
-;listen.backlog = 511
-
-; Set permissions for unix socket, if one is used. In Linux, read/write
-; permissions must be set in order to allow connections from a web server. Many
-; BSD-derived systems allow connections regardless of permissions.
-; Default Values: user and group are set as the running user
-;                 mode is set to 0660
-listen.owner = nginx
-listen.group = nginx
-;listen.mode = 0660
-; When POSIX Access Control Lists are supported you can set them using
-; these options, value is a comma separated list of user/group names.
-; When set, listen.owner and listen.group are ignored
-;listen.acl_users =
-;listen.acl_groups =
-
-; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
-; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
-; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
-; must be separated by a comma. If this value is left blank, connections will be
-; accepted from any ip address.
-; Default Value: any
-;listen.allowed_clients = 127.0.0.1
-
-; Specify the nice(2) priority to apply to the pool processes (only if set)
-; The value can vary from -19 (highest priority) to 20 (lower priority)
-; Note: - It will only work if the FPM master process is launched as root
-;       - The pool processes will inherit the master process priority
-;         unless it specified otherwise
-; Default Value: no set
-; process.priority = -19
-
-; Choose how the process manager will control the number of child processes.
-; Possible Values:
-;   static  - a fixed number (pm.max_children) of child processes;
-;   dynamic - the number of child processes are set dynamically based on the
-;             following directives. With this process management, there will be
-;             always at least 1 children.
-;             pm.max_children      - the maximum number of children that can
-;                                    be alive at the same time.
-;             pm.start_servers     - the number of children created on startup.
-;             pm.min_spare_servers - the minimum number of children in 'idle'
-;                                    state (waiting to process). If the number
-;                                    of 'idle' processes is less than this
-;                                    number then some children will be created.
-;             pm.max_spare_servers - the maximum number of children in 'idle'
-;                                    state (waiting to process). If the number
-;                                    of 'idle' processes is greater than this
-;                                    number then some children will be killed.
-;  ondemand - no children are created at startup. Children will be forked when
-;             new requests will connect. The following parameter are used:
-;             pm.max_children           - the maximum number of children that
-;                                         can be alive at the same time.
-;             pm.process_idle_timeout   - The number of seconds after which
-;                                         an idle process will be killed.
-; Note: This value is mandatory.
-pm = dynamic
-
-; The number of child processes to be created when pm is set to 'static' and the
-; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
-; This value sets the limit on the number of simultaneous requests that will be
-; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
-; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
-; CGI. The below defaults are based on a server without much resources. Don't
-; forget to tweak pm.* to fit your needs.
-; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
-; Note: This value is mandatory.
-pm.max_children = 5
-
-; The number of child processes created on startup.
-; Note: Used only when pm is set to 'dynamic'
-; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
-pm.start_servers = 2
-
-; The desired minimum number of idle server processes.
-; Note: Used only when pm is set to 'dynamic'
-; Note: Mandatory when pm is set to 'dynamic'
-pm.min_spare_servers = 1
-
-; The desired maximum number of idle server processes.
-; Note: Used only when pm is set to 'dynamic'
-; Note: Mandatory when pm is set to 'dynamic'
-pm.max_spare_servers = 3
-
-; The number of seconds after which an idle process will be killed.
-; Note: Used only when pm is set to 'ondemand'
-; Default Value: 10s
-;pm.process_idle_timeout = 10s;
-
-; The number of requests each child process should execute before respawning.
-; This can be useful to work around memory leaks in 3rd party libraries. For
-; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
-; Default Value: 0
-;pm.max_requests = 500
-
-; The URI to view the FPM status page. If this value is not set, no URI will be
-; recognized as a status page. It shows the following informations:
-;   pool                 - the name of the pool;
-;   process manager      - static, dynamic or ondemand;
-;   start time           - the date and time FPM has started;
-;   start since          - number of seconds since FPM has started;
-;   accepted conn        - the number of request accepted by the pool;
-;   listen queue         - the number of request in the queue of pending
-;                          connections (see backlog in listen(2));
-;   max listen queue     - the maximum number of requests in the queue
-;                          of pending connections since FPM has started;
-;   listen queue len     - the size of the socket queue of pending connections;
-;   idle processes       - the number of idle processes;
-;   active processes     - the number of active processes;
-;   total processes      - the number of idle + active processes;
-;   max active processes - the maximum number of active processes since FPM
-;                          has started;
-;   max children reached - number of times, the process limit has been reached,
-;                          when pm tries to start more children (works only for
-;                          pm 'dynamic' and 'ondemand');
-; Value are updated in real time.
-; Example output:
-;   pool:                 www
-;   process manager:      static
-;   start time:           01/Jul/2011:17:53:49 +0200
-;   start since:          62636
-;   accepted conn:        190460
-;   listen queue:         0
-;   max listen queue:     1
-;   listen queue len:     42
-;   idle processes:       4
-;   active processes:     11
-;   total processes:      15
-;   max active processes: 12
-;   max children reached: 0
-;
-; By default the status page output is formatted as text/plain. Passing either
-; 'html', 'xml' or 'json' in the query string will return the corresponding
-; output syntax. Example:
-;   http://www.foo.bar/status
-;   http://www.foo.bar/status?json
-;   http://www.foo.bar/status?html
-;   http://www.foo.bar/status?xml
-;
-; By default the status page only outputs short status. Passing 'full' in the
-; query string will also return status for each pool process.
-; Example:
-;   http://www.foo.bar/status?full
-;   http://www.foo.bar/status?json&full
-;   http://www.foo.bar/status?html&full
-;   http://www.foo.bar/status?xml&full
-; The Full status returns for each process:
-;   pid                  - the PID of the process;
-;   state                - the state of the process (Idle, Running, ...);
-;   start time           - the date and time the process has started;
-;   start since          - the number of seconds since the process has started;
-;   requests             - the number of requests the process has served;
-;   request duration     - the duration in µs of the requests;
-;   request method       - the request method (GET, POST, ...);
-;   request URI          - the request URI with the query string;
-;   content length       - the content length of the request (only with POST);
-;   user                 - the user (PHP_AUTH_USER) (or '-' if not set);
-;   script               - the main script called (or '-' if not set);
-;   last request cpu     - the %cpu the last request consumed
-;                          it's always 0 if the process is not in Idle state
-;                          because CPU calculation is done when the request
-;                          processing has terminated;
-;   last request memory  - the max amount of memory the last request consumed
-;                          it's always 0 if the process is not in Idle state
-;                          because memory calculation is done when the request
-;                          processing has terminated;
-; If the process is in Idle state, then informations are related to the
-; last request the process has served. Otherwise informations are related to
-; the current request being served.
-; Example output:
-;   ************************
-;   pid:                  31330
-;   state:                Running
-;   start time:           01/Jul/2011:17:53:49 +0200
-;   start since:          63087
-;   requests:             12808
-;   request duration:     1250261
-;   request method:       GET
-;   request URI:          /test_mem.php?N=10000
-;   content length:       0
-;   user:                 -
-;   script:               /home/fat/web/docs/php/test_mem.php
-;   last request cpu:     0.00
-;   last request memory:  0
-;
-; Note: There is a real-time FPM status monitoring sample web page available
-;       It's available in: /usr/share/php/7.2/fpm/status.html
-;
-; Note: The value must start with a leading slash (/). The value can be
-;       anything, but it may not be a good idea to use the .php extension or it
-;       may conflict with a real PHP file.
-; Default Value: not set
-;pm.status_path = /status
-
-; The ping URI to call the monitoring page of FPM. If this value is not set, no
-; URI will be recognized as a ping page. This could be used to test from outside
-; that FPM is alive and responding, or to
-; - create a graph of FPM availability (rrd or such);
-; - remove a server from a group if it is not responding (load balancing);
-; - trigger alerts for the operating team (24/7).
-; Note: The value must start with a leading slash (/). The value can be
-;       anything, but it may not be a good idea to use the .php extension or it
-;       may conflict with a real PHP file.
-; Default Value: not set
-;ping.path = /ping
-
-; This directive may be used to customize the response of a ping request. The
-; response is formatted as text/plain with a 200 response code.
-; Default Value: pong
-;ping.response = pong
-
-; The access log file
-; Default: not set
-;access.log = log/$pool.access.log
-
-; The access log format.
-; The following syntax is allowed
-;  %%: the '%' character
-;  %C: %CPU used by the request
-;      it can accept the following format:
-;      - %{user}C for user CPU only
-;      - %{system}C for system CPU only
-;      - %{total}C  for user + system CPU (default)
-;  %d: time taken to serve the request
-;      it can accept the following format:
-;      - %{seconds}d (default)
-;      - %{miliseconds}d
-;      - %{mili}d
-;      - %{microseconds}d
-;      - %{micro}d
-;  %e: an environment variable (same as $_ENV or $_SERVER)
-;      it must be associated with embraces to specify the name of the env
-;      variable. Some exemples:
-;      - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
-;      - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
-;  %f: script filename
-;  %l: content-length of the request (for POST request only)
-;  %m: request method
-;  %M: peak of memory allocated by PHP
-;      it can accept the following format:
-;      - %{bytes}M (default)
-;      - %{kilobytes}M
-;      - %{kilo}M
-;      - %{megabytes}M
-;      - %{mega}M
-;  %n: pool name
-;  %o: output header
-;      it must be associated with embraces to specify the name of the header:
-;      - %{Content-Type}o
-;      - %{X-Powered-By}o
-;      - %{Transfert-Encoding}o
-;      - ....
-;  %p: PID of the child that serviced the request
-;  %P: PID of the parent of the child that serviced the request
-;  %q: the query string
-;  %Q: the '?' character if query string exists
-;  %r: the request URI (without the query string, see %q and %Q)
-;  %R: remote IP address
-;  %s: status (response code)
-;  %t: server time the request was received
-;      it can accept a strftime(3) format:
-;      %d/%b/%Y:%H:%M:%S %z (default)
-;  %T: time the log has been written (the request has finished)
-;      it can accept a strftime(3) format:
-;      %d/%b/%Y:%H:%M:%S %z (default)
-;  %u: remote user
-;
-; Default: "%R - %u %t \"%m %r\" %s"
-;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
-
-; The log file for slow requests
-; Default Value: not set
-; Note: slowlog is mandatory if request_slowlog_timeout is set
-;slowlog = log/$pool.log.slow
-
-; The timeout for serving a single request after which a PHP backtrace will be
-; dumped to the 'slowlog' file. A value of '0s' means 'off'.
-; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
-; Default Value: 0
-;request_slowlog_timeout = 0
-
-; Depth of slow log stack trace.
-; Default Value: 20
-;request_slowlog_trace_depth = 20
-
-; The timeout for serving a single request after which the worker process will
-; be killed. This option should be used when the 'max_execution_time' ini option
-; does not stop script execution for some reason. A value of '0' means 'off'.
-; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
-; Default Value: 0
-;request_terminate_timeout = 0
-
-; Set open file descriptor rlimit.
-; Default Value: system defined value
-;rlimit_files = 1024
-
-; Set max core size rlimit.
-; Possible Values: 'unlimited' or an integer greater or equal to 0
-; Default Value: system defined value
-;rlimit_core = 0
-
-; Chroot to this directory at the start. This value must be defined as an
-; absolute path. When this value is not set, chroot is not used.
-; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
-; of its subdirectories. If the pool prefix is not set, the global prefix
-; will be used instead.
-; Note: chrooting is a great security feature and should be used whenever
-;       possible. However, all PHP paths will be relative to the chroot
-;       (error_log, sessions.save_path, ...).
-; Default Value: not set
-;chroot =
-
-; Chdir to this directory at the start.
-; Note: relative path can be used.
-; Default Value: current directory or / when chroot
-;chdir = /var/www
-
-; Redirect worker stdout and stderr into main error log. If not set, stdout and
-; stderr will be redirected to /dev/null according to FastCGI specs.
-; Note: on highloaded environement, this can cause some delay in the page
-; process time (several ms).
-; Default Value: no
-catch_workers_output = yes
-
-; Clear environment in FPM workers
-; Prevents arbitrary environment variables from reaching FPM worker processes
-; by clearing the environment in workers before env vars specified in this
-; pool configuration are added.
-; Setting to "no" will make all environment variables available to PHP code
-; via getenv(), $_ENV and $_SERVER.
-; Default Value: yes
-;clear_env = no
-
-; Limits the extensions of the main script FPM will allow to parse. This can
-; prevent configuration mistakes on the web server side. You should only limit
-; FPM to .php extensions to prevent malicious users to use other extensions to
-; execute php code.
-; Note: set an empty value to allow all extensions.
-; Default Value: .php
-;security.limit_extensions = .php .php3 .php4 .php5 .php7
-
-; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
-; the current environment.
-; Default Value: clean env
-;env[HOSTNAME] = $HOSTNAME
-;env[PATH] = /usr/local/bin:/usr/bin:/bin
-;env[TMP] = /tmp
-;env[TMPDIR] = /tmp
-;env[TEMP] = /tmp
-
-; Additional php.ini defines, specific to this pool of workers. These settings
-; overwrite the values previously defined in the php.ini. The directives are the
-; same as the PHP SAPI:
-;   php_value/php_flag             - you can set classic ini defines which can
-;                                    be overwritten from PHP call 'ini_set'.
-;   php_admin_value/php_admin_flag - these directives won't be overwritten by
-;                                     PHP call 'ini_set'
-; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
-
-; Defining 'extension' will load the corresponding shared extension from
-; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
-; overwrite previously defined php.ini values, but will append the new value
-; instead.
-
-; Note: path INI options can be relative and will be expanded with the prefix
-; (pool, global or /usr)
-
-; Default Value: nothing is defined by default except the values in php.ini and
-;                specified at startup with the -d argument
-;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
-;php_flag[display_errors] = off
-;php_admin_value[error_log] = /var/log/fpm-php.www.log
-;php_admin_flag[log_errors] = on
-;php_admin_value[memory_limit] = 32M

roles/php-fpm/templates/php7.3-pool.conf.j2

@@ -1,428 +0,0 @@
-{% set domain_name  = item.domain_name %}
-
-; Start a new pool named '{{ domain_name }}'.
-; the variable $pool can be used in any directive and will be replaced by the
-; pool name ('{{ domain_name }}' here)
-[{{ domain_name }}]
-
-; Per pool prefix
-; It only applies on the following directives:
-; - 'access.log'
-; - 'slowlog'
-; - 'listen' (unixsocket)
-; - 'chroot'
-; - 'chdir'
-; - 'php_values'
-; - 'php_admin_values'
-; When not set, the global prefix (or /usr) applies instead.
-; Note: This directive can also be relative to the global prefix.
-; Default Value: none
-;prefix = /path/to/pools/$pool
-
-; Unix user/group of processes
-; Note: The user is mandatory. If the group is not set, the default user's group
-;       will be used.
-user = nginx
-group = nginx
-
-; The address on which to accept FastCGI requests.
-; Valid syntaxes are:
-;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
-;                            a specific port;
-;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
-;                            a specific port;
-;   'port'                 - to listen on a TCP socket to all addresses
-;                            (IPv6 and IPv4-mapped) on a specific port;
-;   '/path/to/unix/socket' - to listen on a unix socket.
-; Note: This value is mandatory.
-listen = /run/php/php7.3-fpm-{{ domain_name }}.sock
-
-; Set listen(2) backlog.
-; Default Value: 511 (-1 on FreeBSD and OpenBSD)
-;listen.backlog = 511
-
-; Set permissions for unix socket, if one is used. In Linux, read/write
-; permissions must be set in order to allow connections from a web server. Many
-; BSD-derived systems allow connections regardless of permissions.
-; Default Values: user and group are set as the running user
-;                 mode is set to 0660
-listen.owner = nginx
-listen.group = nginx
-;listen.mode = 0660
-; When POSIX Access Control Lists are supported you can set them using
-; these options, value is a comma separated list of user/group names.
-; When set, listen.owner and listen.group are ignored
-;listen.acl_users =
-;listen.acl_groups =
-
-; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
-; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
-; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
-; must be separated by a comma. If this value is left blank, connections will be
-; accepted from any ip address.
-; Default Value: any
-;listen.allowed_clients = 127.0.0.1
-
-; Specify the nice(2) priority to apply to the pool processes (only if set)
-; The value can vary from -19 (highest priority) to 20 (lower priority)
-; Note: - It will only work if the FPM master process is launched as root
-;       - The pool processes will inherit the master process priority
-;         unless it specified otherwise
-; Default Value: no set
-; process.priority = -19
-
-; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
-; or group is differrent than the master process user. It allows to create process
-; core dump and ptrace the process for the pool user.
-; Default Value: no
-; process.dumpable = yes
-
-; Choose how the process manager will control the number of child processes.
-; Possible Values:
-;   static  - a fixed number (pm.max_children) of child processes;
-;   dynamic - the number of child processes are set dynamically based on the
-;             following directives. With this process management, there will be
-;             always at least 1 children.
-;             pm.max_children      - the maximum number of children that can
-;                                    be alive at the same time.
-;             pm.start_servers     - the number of children created on startup.
-;             pm.min_spare_servers - the minimum number of children in 'idle'
-;                                    state (waiting to process). If the number
-;                                    of 'idle' processes is less than this
-;                                    number then some children will be created.
-;             pm.max_spare_servers - the maximum number of children in 'idle'
-;                                    state (waiting to process). If the number
-;                                    of 'idle' processes is greater than this
-;                                    number then some children will be killed.
-;  ondemand - no children are created at startup. Children will be forked when
-;             new requests will connect. The following parameter are used:
-;             pm.max_children           - the maximum number of children that
-;                                         can be alive at the same time.
-;             pm.process_idle_timeout   - The number of seconds after which
-;                                         an idle process will be killed.
-; Note: This value is mandatory.
-pm = dynamic
-
-; The number of child processes to be created when pm is set to 'static' and the
-; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
-; This value sets the limit on the number of simultaneous requests that will be
-; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
-; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
-; CGI. The below defaults are based on a server without much resources. Don't
-; forget to tweak pm.* to fit your needs.
-; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
-; Note: This value is mandatory.
-pm.max_children = 5
-
-; The number of child processes created on startup.
-; Note: Used only when pm is set to 'dynamic'
-; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
-pm.start_servers = 2
-
-; The desired minimum number of idle server processes.
-; Note: Used only when pm is set to 'dynamic'
-; Note: Mandatory when pm is set to 'dynamic'
-pm.min_spare_servers = 1
-
-; The desired maximum number of idle server processes.
-; Note: Used only when pm is set to 'dynamic'
-; Note: Mandatory when pm is set to 'dynamic'
-pm.max_spare_servers = 3
-
-; The number of seconds after which an idle process will be killed.
-; Note: Used only when pm is set to 'ondemand'
-; Default Value: 10s
-;pm.process_idle_timeout = 10s;
-
-; The number of requests each child process should execute before respawning.
-; This can be useful to work around memory leaks in 3rd party libraries. For
-; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
-; Default Value: 0
-;pm.max_requests = 500
-
-; The URI to view the FPM status page. If this value is not set, no URI will be
-; recognized as a status page. It shows the following informations:
-;   pool                 - the name of the pool;
-;   process manager      - static, dynamic or ondemand;
-;   start time           - the date and time FPM has started;
-;   start since          - number of seconds since FPM has started;
-;   accepted conn        - the number of request accepted by the pool;
-;   listen queue         - the number of request in the queue of pending
-;                          connections (see backlog in listen(2));
-;   max listen queue     - the maximum number of requests in the queue
-;                          of pending connections since FPM has started;
-;   listen queue len     - the size of the socket queue of pending connections;
-;   idle processes       - the number of idle processes;
-;   active processes     - the number of active processes;
-;   total processes      - the number of idle + active processes;
-;   max active processes - the maximum number of active processes since FPM
-;                          has started;
-;   max children reached - number of times, the process limit has been reached,
-;                          when pm tries to start more children (works only for
-;                          pm 'dynamic' and 'ondemand');
-; Value are updated in real time.
-; Example output:
-;   pool:                 www
-;   process manager:      static
-;   start time:           01/Jul/2011:17:53:49 +0200
-;   start since:          62636
-;   accepted conn:        190460
-;   listen queue:         0
-;   max listen queue:     1
-;   listen queue len:     42
-;   idle processes:       4
-;   active processes:     11
-;   total processes:      15
-;   max active processes: 12
-;   max children reached: 0
-;
-; By default the status page output is formatted as text/plain. Passing either
-; 'html', 'xml' or 'json' in the query string will return the corresponding
-; output syntax. Example:
-;   http://www.foo.bar/status
-;   http://www.foo.bar/status?json
-;   http://www.foo.bar/status?html
-;   http://www.foo.bar/status?xml
-;
-; By default the status page only outputs short status. Passing 'full' in the
-; query string will also return status for each pool process.
-; Example:
-;   http://www.foo.bar/status?full
-;   http://www.foo.bar/status?json&full
-;   http://www.foo.bar/status?html&full
-;   http://www.foo.bar/status?xml&full
-; The Full status returns for each process:
-;   pid                  - the PID of the process;
-;   state                - the state of the process (Idle, Running, ...);
-;   start time           - the date and time the process has started;
-;   start since          - the number of seconds since the process has started;
-;   requests             - the number of requests the process has served;
-;   request duration     - the duration in µs of the requests;
-;   request method       - the request method (GET, POST, ...);
-;   request URI          - the request URI with the query string;
-;   content length       - the content length of the request (only with POST);
-;   user                 - the user (PHP_AUTH_USER) (or '-' if not set);
-;   script               - the main script called (or '-' if not set);
-;   last request cpu     - the %cpu the last request consumed
-;                          it's always 0 if the process is not in Idle state
-;                          because CPU calculation is done when the request
-;                          processing has terminated;
-;   last request memory  - the max amount of memory the last request consumed
-;                          it's always 0 if the process is not in Idle state
-;                          because memory calculation is done when the request
-;                          processing has terminated;
-; If the process is in Idle state, then informations are related to the
-; last request the process has served. Otherwise informations are related to
-; the current request being served.
-; Example output:
-;   ************************
-;   pid:                  31330
-;   state:                Running
-;   start time:           01/Jul/2011:17:53:49 +0200
-;   start since:          63087
-;   requests:             12808
-;   request duration:     1250261
-;   request method:       GET
-;   request URI:          /test_mem.php?N=10000
-;   content length:       0
-;   user:                 -
-;   script:               /home/fat/web/docs/php/test_mem.php
-;   last request cpu:     0.00
-;   last request memory:  0
-;
-; Note: There is a real-time FPM status monitoring sample web page available
-;       It's available in: /usr/share/php/7.3/fpm/status.html
-;
-; Note: The value must start with a leading slash (/). The value can be
-;       anything, but it may not be a good idea to use the .php extension or it
-;       may conflict with a real PHP file.
-; Default Value: not set
-;pm.status_path = /status
-
-; The ping URI to call the monitoring page of FPM. If this value is not set, no
-; URI will be recognized as a ping page. This could be used to test from outside
-; that FPM is alive and responding, or to
-; - create a graph of FPM availability (rrd or such);
-; - remove a server from a group if it is not responding (load balancing);
-; - trigger alerts for the operating team (24/7).
-; Note: The value must start with a leading slash (/). The value can be
-;       anything, but it may not be a good idea to use the .php extension or it
-;       may conflict with a real PHP file.
-; Default Value: not set
-;ping.path = /ping
-
-; This directive may be used to customize the response of a ping request. The
-; response is formatted as text/plain with a 200 response code.
-; Default Value: pong
-;ping.response = pong
-
-; The access log file
-; Default: not set
-;access.log = log/$pool.access.log
-
-; The access log format.
-; The following syntax is allowed
-;  %%: the '%' character
-;  %C: %CPU used by the request
-;      it can accept the following format:
-;      - %{user}C for user CPU only
-;      - %{system}C for system CPU only
-;      - %{total}C  for user + system CPU (default)
-;  %d: time taken to serve the request
-;      it can accept the following format:
-;      - %{seconds}d (default)
-;      - %{miliseconds}d
-;      - %{mili}d
-;      - %{microseconds}d
-;      - %{micro}d
-;  %e: an environment variable (same as $_ENV or $_SERVER)
-;      it must be associated with embraces to specify the name of the env
-;      variable. Some exemples:
-;      - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
-;      - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
-;  %f: script filename
-;  %l: content-length of the request (for POST request only)
-;  %m: request method
-;  %M: peak of memory allocated by PHP
-;      it can accept the following format:
-;      - %{bytes}M (default)
-;      - %{kilobytes}M
-;      - %{kilo}M
-;      - %{megabytes}M
-;      - %{mega}M
-;  %n: pool name
-;  %o: output header
-;      it must be associated with embraces to specify the name of the header:
-;      - %{Content-Type}o
-;      - %{X-Powered-By}o
-;      - %{Transfert-Encoding}o
-;      - ....
-;  %p: PID of the child that serviced the request
-;  %P: PID of the parent of the child that serviced the request
-;  %q: the query string
-;  %Q: the '?' character if query string exists
-;  %r: the request URI (without the query string, see %q and %Q)
-;  %R: remote IP address
-;  %s: status (response code)
-;  %t: server time the request was received
-;      it can accept a strftime(3) format:
-;      The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
-;  %T: time the log has been written (the request has finished)
-;      it can accept a strftime(3) format:
-;      The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
-;  %u: remote user
-;
-; Default: "%R - %u %t \"%m %r\" %s"
-;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
-
-; The log file for slow requests
-; Default Value: not set
-; Note: slowlog is mandatory if request_slowlog_timeout is set
-;slowlog = log/$pool.log.slow
-
-; The timeout for serving a single request after which a PHP backtrace will be
-; dumped to the 'slowlog' file. A value of '0s' means 'off'.
-; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
-; Default Value: 0
-;request_slowlog_timeout = 0
-
-; Depth of slow log stack trace.
-; Default Value: 20
-;request_slowlog_trace_depth = 20
-
-; The timeout for serving a single request after which the worker process will
-; be killed. This option should be used when the 'max_execution_time' ini option
-; does not stop script execution for some reason. A value of '0' means 'off'.
-; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
-; Default Value: 0
-;request_terminate_timeout = 0
-
-; Set open file descriptor rlimit.
-; Default Value: system defined value
-;rlimit_files = 1024
-
-; Set max core size rlimit.
-; Possible Values: 'unlimited' or an integer greater or equal to 0
-; Default Value: system defined value
-;rlimit_core = 0
-
-; Chroot to this directory at the start. This value must be defined as an
-; absolute path. When this value is not set, chroot is not used.
-; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
-; of its subdirectories. If the pool prefix is not set, the global prefix
-; will be used instead.
-; Note: chrooting is a great security feature and should be used whenever
-;       possible. However, all PHP paths will be relative to the chroot
-;       (error_log, sessions.save_path, ...).
-; Default Value: not set
-;chroot =
-
-; Chdir to this directory at the start.
-; Note: relative path can be used.
-; Default Value: current directory or / when chroot
-;chdir = /var/www
-
-; Redirect worker stdout and stderr into main error log. If not set, stdout and
-; stderr will be redirected to /dev/null according to FastCGI specs.
-; Note: on highloaded environement, this can cause some delay in the page
-; process time (several ms).
-; Default Value: no
-;catch_workers_output = yes
-
-; Decorate worker output with prefix and suffix containing information about
-; the child that writes to the log and if stdout or stderr is used as well as
-; log level and time. This options is used only if catch_workers_output is yes.
-; Settings to "no" will output data as written to the stdout or stderr.
-; Default value: yes
-;decorate_workers_output = no
-
-; Clear environment in FPM workers
-; Prevents arbitrary environment variables from reaching FPM worker processes
-; by clearing the environment in workers before env vars specified in this
-; pool configuration are added.
-; Setting to "no" will make all environment variables available to PHP code
-; via getenv(), $_ENV and $_SERVER.
-; Default Value: yes
-;clear_env = no
-
-; Limits the extensions of the main script FPM will allow to parse. This can
-; prevent configuration mistakes on the web server side. You should only limit
-; FPM to .php extensions to prevent malicious users to use other extensions to
-; execute php code.
-; Note: set an empty value to allow all extensions.
-; Default Value: .php
-;security.limit_extensions = .php .php3 .php4 .php5 .php7
-
-; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
-; the current environment.
-; Default Value: clean env
-;env[HOSTNAME] = $HOSTNAME
-;env[PATH] = /usr/local/bin:/usr/bin:/bin
-;env[TMP] = /tmp
-;env[TMPDIR] = /tmp
-;env[TEMP] = /tmp
-
-; Additional php.ini defines, specific to this pool of workers. These settings
-; overwrite the values previously defined in the php.ini. The directives are the
-; same as the PHP SAPI:
-;   php_value/php_flag             - you can set classic ini defines which can
-;                                    be overwritten from PHP call 'ini_set'.
-;   php_admin_value/php_admin_flag - these directives won't be overwritten by
-;                                     PHP call 'ini_set'
-; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
-
-; Defining 'extension' will load the corresponding shared extension from
-; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
-; overwrite previously defined php.ini values, but will append the new value
-; instead.
-
-; Note: path INI options can be relative and will be expanded with the prefix
-; (pool, global or /usr)
-
-; Default Value: nothing is defined by default except the values in php.ini and
-;                specified at startup with the -d argument
-;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
-;php_flag[display_errors] = off
-;php_admin_value[error_log] = /var/log/fpm-php.www.log
-;php_admin_flag[log_errors] = on
-;php_admin_value[memory_limit] = 32M

roles/php_fpm/handlers/main.yml

@@ -0,0 +1,8 @@
+---
+# For Debian 12
+- name: Reload php8.2-fpm
+  ansible.builtin.systemd_service:
+    name: php8.2-fpm
+    state: reloaded
+
+# vim: set ts=2 sw=2:

roles/php_fpm/tasks/Debian_12.yml

@@ -0,0 +1,50 @@
+---
+- name: Install and configure php-fpm
+  tags: php-fpm
+  when: install_php
+  block:
+    - name: Set php-fpm packages
+      ansible.builtin.set_fact:
+        php_fpm_packages:
+          - php8.2-fpm
+          # for WordPress
+          - php8.2-mysql
+          - php8.2-gd
+          - php8.2-curl
+          - php8.2-xml
+
+    - name: Install php-fpm and deps
+      ansible.builtin.apt:
+        name: "{{ php_fpm_packages }}"
+        state: present
+        update_cache: true
+
+    # only copy php-fpm config for vhosts that need WordPress or PHP
+    - name: Copy php-fpm pool config
+      ansible.builtin.template:
+        src: php8.2-pool.conf.j2
+        dest: /etc/php/8.2/fpm/pool.d/{{ item.domain_name }}.conf
+        owner: root
+        group: root
+        mode: "0644"
+      loop: "{{ nginx_vhosts }}"
+      when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
+      notify: Reload php8.2-fpm
+
+    - name: Remove default www pool
+      ansible.builtin.file:
+        path: /etc/php/8.2/fpm/pool.d/www.conf
+        state: absent
+      notify: Reload php8.2-fpm
+
+    # re-configure php.ini
+    - name: Update php.ini
+      ansible.builtin.template:
+        src: php8.2-php.ini.j2
+        dest: /etc/php/8.2/fpm/php.ini
+        owner: root
+        group: root
+        mode: "0644"
+      notify: Reload php8.2-fpm
+
+# vim: set ts=2 sw=2: