roles/nginx: git clone as nginx

roles/nginx: fix syntax
roles/mariadb: rework to use Debian's mariadb
2025-11-21 22:07:55 +03:00 · 2025-11-21 21:08:29 +03:00 · 2025-11-20 08:47:27 +03:00 · 2025-11-20 08:47:27 +03:00 · 2025-11-20 08:47:27 +03:00 · 2025-11-20 08:47:26 +03:00
18 changed files with 3094 additions and 940 deletions
--- a/Pipfile.lock
+++ b/Pipfile.lock
--- a/host_vars/web22
+++ b/host_vars/web22
@@ -1,141 +1,141 @@
 $ANSIBLE_VAULT;1.1;AES256
-38353762626535363837346634333565643931386536313339336365663162656533363636383931
-3737373161623364396366323338613062386466313539640a653334643937326338386262623261
-65643635373532636439396235373964303537646334343633633531633435323037313433346636
-3866306363303338360a356166353265386130616163616662623764313536616666656237636563
-30323036353635303438363234646234656530373365396530666539393132643831653039666562
-65383962306465363862333131383263353736623264616465336139313638343462653361333239
-64363562653366396664623662376433663335313231653935626237663430303734326433333739
-62616265373732316530366331323664373637386661353664626464646264356465346466663539
-31613435366362343564313732616639376664613630316236373333653634386130663463626231
-31396631623466666364316237313363366439326231653035316437616134643035393138383364
-35313738373562353632366637663232393638396330626165323535343538633264353366663738
-30663135646162396331623837343661613333313437313434313365623664316135626239636230
-65376137303439323166346536353831653537326662356330393362666430633831323537623830
-65326164663136383339353138663936306166633662346363353063663435323266653137666630
-61353263653735626236373233313436343466653238376634623366356431333439323932343938
-33303432613063383135633261653837633961643737623462626439373335613430356532353031
-31626666663963643736323731613735376239663530373166626365666339346435323761333637
-35383464626437646665653931653932653033376464386132383038633734373138313830303466
-39313532333866303565353161636435646231313461646639316566386639323561363633636139
-37613661626162306431313266383964323434343039386533333535646565373933396565613565
-34666136633265663035306261623531333665636336303665613635333232316331643935353461
-32643735623532313363663530656630653531666335323565353063316537396334383230386462
-33333565616634356537376466373332356663376363353166656139623336396130653564333739
-39303733303939313838363331356437646632386631343466383332313037616430313566396335
-31363038373437643266656463373662653966653832613935303462303031653761336165646162
-31646631373335336435383638666562373236656231613662646161613533376237366463383630
-36393532316336303531353032303937353963306164663162386137393664353962323865616532
-63326462626130386234643639363762323863326134623063343731366433306431303763363233
-36366334386266616261616266386439623665326339653562373836306165353137353137376337
-37316363653935623736613138356333653936363866356665303737363032363564643532303234
-37656432656363336564393263353430373437303337303461613763346461646565646535366638
-34366337343033666134383966646563356533626665373337646231313431346239303635353261
-62313939383762303235373537643531623465353062303939383666323139396630346461626136
-38656632373637616532666433626564376338363239326234656561636239653536366331633234
-65366139623238336234363564616430646435666562616636303064663437663731303839313365
-38636438386162623862363865646233346336636439663833343136316165343564393339653565
-38346166346434386338303032303430303535373635336562663030336566666435623537363137
-61373161343138656365376531633830313561336632633330323035346431643837383062343537
-66663961306666333535656432393134363565656635333633363732626665656365356138623164
-65303936633666643034313636663262616661313739663135653335366261613133643630343362
-66343033363835613031626635336538303362393561313032336136306465316231366137373736
-62303335393333306132326135393562666431303631306538326433613362306131316139386361
-31383665386466653066613038633335636233396335383764336462636138333034383836386365
-38323739346630643532346161383336646165333336393961663930623531303434366265313861
-39613231373335373338656434636134663036636234393534353033613133383034343437626434
-31646339613430343265333833303231333739666266646436336161363330396264313636616461
-61396332363537636162316261363030393466356263353938343236323932306366316535366533
-38633165393339356339383939666161336461653438353632653530326639313238323761386461
-63653765313532646166306237386435663432633934343039666637323362626338313135623034
-30356438633635363738383932393861376235353962303663313963313964383530306530316363
-64656638363436326562323234303961396333323931666365656433663865616439336138656232
-66653964383034343837663936306632336562373637346132333063663263306237303461333732
-65363661623064643663623661393563353739373535373764356163666639376236313839336438
-35386265646331313663653761353864663934663261313037396135373938343265353934353361
-30343564623631316366343838656135393364353836613330393536623662383637333039383133
-37653733626662646631616563306638366263323634303636616331323964393962643061646361
-39363562396634656637626630653533396236613334343332326439656165306537326464613436
-37333632663731316165613432353339356561316431623038303365303663326666303666646363
-66656630396661353765666131393737636630366666373136313837373165303437316233656261
-38346463303964343132393162663762346163363739383733326635643264616166393264633934
-64333137373532343032303431316633613836323631613231346133366635616435366436316239
-64353633366431386664623239353735623037623364346431633733336563303430653233313637
-35353138616164643834343339653739373038633531303039333632663566323565383637646561
-31383965396365653364343761363161656432656665383963656463613637633938376234353532
-33653837613266666661613165376665626432643439363637623333336234313836373232333736
-65313232373233613763376463663161643636663162643864363962376232326462643936383131
-39366164323038376633376238363663313238336166386663616261306532633331643537376631
-31376663393036363566653061353636326565376636346466656263663266326332656461336437
-32646162313932646632663738646532663439313630393038383530653562313439336631663535
-36396265353231373435353137303164356633653938373166363663616632303764633738333439
-62626533346561333565626163643235393164353861636662636531333834623965323034363735
-33336138356663303462393864343434636364346432383665313931653062363138623261326438
-31616533643163363261386635653732343939633965363362643536626264323537656238633539
-62393935386433313366656133633532353131343237623466376632623434626362363062326531
-33346165643164363365626432333631393664316266613731663162313764386336333231396632
-36666536336333623063346166306164376138343566353063343866316432333266366337623866
-61313039663661643863663434343732313139653037373065333463383635393061323938643162
-61383064303461366162636439343438376266313931323934313563623435346634663739666565
-62333035346634303139626432313262383262633437663436323763313361633235393037343665
-62316564376464333133343134333230383765303834613233613232626131343631326433373062
-36343466396430313534336332636233623337613134333861646334326633396434353765636163
-37343638363234313030363661306337393361333332306331396164346633336130336366396430
-62306539656332313162626239303066656664383639353730633738643132386662643733393761
-62666339346130626163656237623730363066343838303036613038613763356263363365366238
-62623435303838623630333231663137393362323234383533393763623235376164626461373736
-36343761353362623433663936623433353439646463613233363732613435373564616239626564
-61313066333939326435656535333963313831316231356232346534633531613963353130333432
-37656163663230626632393939363532356366643764323330366630656334623261656334633865
-61303066333566363061626437643132353664383061383364333338666230313034373535613063
-63386237383638333263323337313336373830303865303466363965303839316162663431656538
-33376332643335366537306133613761613132643232316438623939356331656263633933613935
-65653465383434386561323462626362623566663330656439386361616562353430303938636436
-66636531343063633561363330663436383930613438323764356562383536393933646264323135
-64633764356166343965346362323466306636363633656466653934313230326435336536306230
-38353432323537393131313239373861386237313530366139313338313330326632313536353837
-63386161336335363834356437326630353031373435316462613634633039336132646134653236
-31346664353932323339366464356161333637313761666138386164313163333531626235663338
-62386333303264306363646136646463393134373939346438383465393439343337643336633039
-62316464663038326439656334373331303165346534346466663538313632633561393335333931
-65363964363335616639643462393463343437626539363838626439386164303464316666633663
-63656639626133653266306266306531646331386366343936316136363935323662336335326338
-30666130316265666631306635646565363039306138313462376662626161313134383633653834
-32376163383763306165323466306264616366343332636564636162666434333732643635336163
-61626162626331613438373464336465303739316130343965633532336531313661613961313164
-39636165316638616338653965373833333732396363393463383433383930353361636166346232
-61323935663536306533336137356566383130393564623938666231393431626136396137633066
-36633133313861353338616561373838363833353531633465363731336237663561383561326635
-62306338643965613635353536613335363934666362366466663461646135346436336164346536
-62666631303638386137356233303235613636346661303834613335616161396238663530643165
-65366364336139303766303938643038303461656335303438396565346330313665636165626432
-64326666313562646239356231663834326566313331303363343064346539626636346438313266
-65643364656164336166353435343730376266333633666230316464356439336463316464653137
-66303865613961373732323439326535373933393537656462303831333432636261613564636330
-63323361366332386331376437666234346661373233653432343733346363306130383665626437
-33313330336365633464643563643465393935653132376135663163393161616462353838336664
-35393833656135643733623765626639386561333336623930303465323963613164666531396632
-35326365386566353966383635643132316230383363393539653335633934646239316131653536
-66656161653030343462346337653434313062343663633665363838393865336536626532623132
-66643636656134353363636433636538623930396262663864343332303066333566653063336464
-32303030396137346636636164323133396364623532643332363638643761323938616530353836
-65366331633561623331393231323534343239323565333330636136383836616230343034633036
-38373530616532653166653932643665396434373465376530313663646236336238656266616261
-33396463303963646633373038336662623161643135656136326533646337316562323932613833
-65616434316239353531666131383335383733333830613934393465663138353662613063323537
-31393337343737646537666430323666366338303731623339323063393636353132636233343436
-61653862333837623666343061633531396235633565313631663937393337303764316466613130
-33653732373034613639326338353438643664653461616133646235393864386564353765313932
-36613165323465333937626165316632313334313364353463366239356630653530313761373261
-35326331313438656238646535643131656634396238363734626431633734336238616538383636
-32303331666531653331306263303534613332653535643833303062653566393632333030383263
-63393636643264656439373165383861323534333462353763343931363065393738323433323839
-33333530323434363662633939303261636465356663326565633238663333656131376130396561
-63363636613161383465323233626630613265346162386439353665393832383961616564636538
-65333635336638646436623033343831356339656638333231666439643337306636313931643466
-32393765303361323735646130613035346564356562656631373435653832663165313131336236
-31636634663466366234386262623234626161663461386661656435656133616339383633386230
-34313065396335636630333066633339646432313632373131306235333164336534363630313939
-32623062393230633732323130613338363833356533306662616637326337343330303635343532
-38396665633938313932656130303263396631343761616631616637633831666139343130313236
-62356630346264376432
+65636230346264393938656566653961393466306338353435333061356463363836616435333731
+3537316534663335343333643435383663303438333433650a666133633965643939306661383536
+33626364316338306530393036653134373339653264616537623731323063646531383137333131
+6263363037613631360a343831393830646536326538363764643136613732636165316466316566
+65346162383337626631663533626230643061633139663661656365333738353530316661313864
+32373831396437386434313430666434363534656130613632643264393538663131336635653537
+61613065336133343130353862646130386136333231393962353064666335363330623064626631
+34333137363566313764343335646531326337616563366636316232633936333264373731653332
+66366361643261626563633838663061303762386234336133366233356564343562323965663731
+38326631333166643534313836323337663131313766306166333534336333613735643033326633
+39396335613362363230333863396535343464346437366632316336626539623865313239353539
+30643834633130333564666162623365323439396630333136616137633532363530623234376332
+66353539306637633432353231326666643261386466633533313063353061643761313132623035
+62653263636237666432336662633136653930323532623137386261333862623337326431336365
+36663364386364346631393031326434326334636166663739366435616166363130623463633733
+35383834326231363264623061303066326433613139333237656635643835393762313866356237
+62616435613863616161376666333966323030326531323261646436633233613635383438373834
+31343133326231636661353466396566656365396466343430613262316537623631376433633630
+62336664346363393363306163333662323338343139646238633830326535313034613739616138
+38313637333333383032316134316164363036396338306634633436633564306333336437393566
+61656337343030393936353364386461643766636564333864396130343762323630393839393463
+35343864393035333930313238663465663633633862623336663136626165666131383933626437
+31323936653737646231363036383764333335313762356465333635303334663734636531343331
+37386461643239363434373864373561353339343031346364383530663430393938333963333837
+63303966366364626665303530356433643264343861346238353937386338383034356633623231
+36663735386233396138306561326339626262326463336535646265666637383032396435333835
+31363266666230366438313432356637663632333530646263663563373137313262663937636532
+66633731333166386564386666363130633734643963653030386533393766623038383234646161
+36343135663231323030306430623535373534353835623339333738376362663930343436343637
+34383963306266623437323462356466336533643933653839366666393839626663353264326334
+32663461663561396631363533383334363361373764363132643435373537333839613066396463
+35386436326638353431363064626131306634363339653132396563356239653265303930333634
+32376332643863376237383966623233323864393338346537393865363661616338333631383532
+34373635316138663261633839333664353432666234306463306338653634633038373266646462
+32336534356537306366656236356663616336333031306431653239343132336234626165333032
+38303137666131363462363263333832356333616130346337663837376365346166306261373036
+63383236323738303562623631633064363564663861336162356262373861383965623935343931
+65663934623431363164356331353135633837616130363464353661663438323132363165343766
+31393633306261303762613537343034316535373731363365666530623361623630633137326466
+32326533313362333863383561343230626466303831623033613065363136396362373333306333
+32336464356364663564626234653832323265313364343631646633396362373438666165353962
+38396330333161356365626562383531323664636235643666613631636636323638376638396531
+38646531666164653161353932643662363261323564373537343731666232666532633063353431
+61386163363562313330393037656139303365396438313935306333656264373531373037303939
+63373962356233346164383163323532373163376364623766323933623063653939346537306338
+65353266656532636633326137356430666432333465626437633733356435363163626430303964
+39343935623937616130326637323061373538616633393465653266656666376661393635333662
+30363364653130356137393463613038663762396336306234363461396133306562323838336330
+63303735646132353766313137303162366164613530303966383636393934393035306264626465
+36613233376234633932663963623432663032656236323963353036356437383066373532323865
+36643431373966613533646164303564653336396535343366303339303134613936656137653939
+31333062623734613538333666636561386338306235633165386262383261333264623638383366
+34313266333636376337393736343062363539366235393136663561303663386438333834613539
+38623632656161653766363166653661336136653833336663616261663831656133666232633362
+31373166306134653162313134333432323134623336666632613766386662653831643732326330
+63643737333638626162646136373466613536653831663835616432343537323864343166316461
+34393732353930343430356231626636373763636561343430616533663861346566326262313232
+39623936366633363136353632346134643563383833376134363833336137613337326435613764
+37653232613632333334316162383261383836613936376230393633343336346633386539356232
+30316232373738363038356665366663623536626539376364303038643061386363636337386663
+61383634336530666163346239343838326138373932383339396265653764313039653138643938
+31613163653632656238376533363739346539623863623332653936643731623565613234663430
+39363935306330386634363634363233376234613837353765353732646638663830323335616234
+34366334636436633734333830306136333563666337623035653239313361626438316535313434
+37343930643832383136343737313365316238373638323130653766646637343464653134616137
+38313034383833626433326237633863313364353662326233636333333932633039396565356133
+64376166383064343239633364363861616136643061646636323437376162313438396230393331
+32633662323031666238643934646665303666383834336432363430363166356632353033336333
+64383861663563653531643832656238643066323564656134633639666234363363363132623836
+61386431643130333761376161646262346562363532353632633332343666393562313465303337
+31333732626164363464323531323239333963303333626466623966346361383832353765346565
+37303765363834376237636632386663373061346534643132636333623137366662646538306231
+33353538623231636166653838333264396463616437396264353537633661313932353133316438
+61323439363635383035316335363132383366613733383363306366356466333364633537393033
+66636434623962633063306236303831633637656430376533353436613934636466363461333562
+34613339373732343632343435333331353935303735633732656663643938663439656233613163
+65356232633865656439643430636332386663333761376638323630373930663837653638363963
+63656437323138633664613166353537306466666261353532326363346332343363343035386435
+33326238333730303539363265383761663862313961383030326263353034303866626661623334
+61623365373332366333376630626539343835663466666534636561643736646537646431386631
+36366132663830336234613065626262336564316339383038333330323237363665373935326438
+38646335346239316432636138633365373062663564326465643032633438306230363434323262
+34313932653361346261623030623739313665356464373666346361663430336362383063666134
+38323539653437623030333437373231646634333563306165393231653465313731633536323362
+65613262633563653031306139383436663834616339316164393365336437653730393331636464
+32313537313164386164313832396566353137376239303663656130383336336634313235376363
+63326530333339356432343938306465623636336161363133613864336339393635306234656263
+34343437336461303831393562653934633439336562663366643066393439396531653663386531
+65623061643064396534353364663633653331653535306133386466356236623239646432373066
+61313261366466663866613162323939646534653561356335393237376138633930663364636236
+36613834303338646530663565303438363831663865323531386635303239646464343936303832
+31323531363263333830623838666437636262306164386236643032356165323037656630383739
+65666333656639333263346465666463616534353835656337353464336134303732323037393538
+37366263656133643039373438636537343636663065646534616339303833666532396633616565
+38353139323739656564623065613364346164633863343738633163383031663531663365616534
+31663835323435643463666264623932396133336531626331303862356261306238326333366164
+66306262386137363432376530366432356432653333393833376532623333373337393830316263
+30326531613662313430663130613734663937613663353936346134356537393761373238393433
+37356136393731626561303430626339386531386333386536656465646232633934393630613339
+61333163613862346564316336353766346461626639303661353464633835626663313462613666
+33343561613662303036643937656431393432333831383461323631393262346464393539353537
+33633364383261663535323136393138333739356439663731636136393530323864333566323361
+62643961323264336662316661303630636430323838633535343036303437393439656637326566
+34363832366434316639393939313965633037653931323462363465643262653539623063326432
+36616434366432303235663062663138623336336165373734353838333662363239333762323932
+65393765326232373230666437656433373930643638386131363339343630636634636434326464
+39366339326263666239646237326534383665376536313536303263373265306537316161663262
+31346635346436313261626366333738333966643333313230623133313434373530366462653435
+33353434643635383833643736653461373765326537313430353164306566323733653237343632
+66346133656333303538306133313563393363313230323664303836323861346466343230343264
+36613934643662626365653036636136623630333638373565316437646232316263663433313762
+39353234333131623731643662303130626465386338353833393533646564646565623736343039
+38356635393461353166653565336535626366396532633961393334343234353764303431303663
+61666533633731663666346132383037646433336463643062396465383034346631346165323939
+33313937343338383737373164363930336236326432346465646166363430653932333932343236
+38336235613034386533613665393666633635383164646538373035623862343737353463623730
+33396233353331633463373538326365636231323535633737303562613262613730636237336632
+38626230313637336436623661666438666538333838356632653034303864313232623337306333
+66363464643061363337393732323065306335656531376337323438313733616539613538333837
+34363033666366613933343563303537613564356462313931353533323938656362393536386334
+38336237616335346334613534323130613861663239356363366564623933303737306138613535
+63643639323135663232336131643331343063363234336230653536623765323562393161663266
+32663839613564613636343166396463366665666333306239386338616366363236393931313439
+30386238316261323630633464386265353464333735336435646663656638316130333762666531
+38626463316165373434613436343335303633643965633230326534323761616365376630363039
+30336661313737383535343934366466353231396430353030653762383934666235646161653832
+31613565643031353535353234386665373636356362653337366563316630343838626231646462
+34623262343761373831303861313661666435373565386465336166306631376666643631303863
+37633934326262623737373266326631663932373863346466613133303961386466366336643235
+39303933333236626637663636633739343761393432616232643238663738313636346137316430
+34623238326430616134396166306339626261643032613661343763366138653830376463306461
+62366564393364306139633837646264633130383064383730393862633561303538363232663366
+30343633666632303530356637646337623339303236376164633962383839386265336666396436
+38616238656336343066333063393833623862646237323238393465633662393362353161313963
+63663539383630366536313933643565346162646363353035386666396363633635386564346666
+64336362633033346461353133396363646237613433306366333064626563656637383863323361
+31386262346631343565653836333764636366313330633462303533616531316537353538313031
+64366263666138356339373864383866303632366162633738383437323564313732373738373038
+39643862336136663165343736613730306339643237313361333438613438323439373966396138
+62323661383336396636
--- a/roles/common/defaults/main.yml
+++ b/roles/common/defaults/main.yml
@@ -8,7 +8,7 @@ fail2ban_maxretry: 6
 fail2ban_findtime: 3600
 # 2 weeks in seconds
 fail2ban_bantime: 1209600
-fail2ban_ignoreip: 127.0.0.1/8
+fail2ban_ignoreip: 127.0.0.0/8

 # Disable SSH passwords. Must use SSH keys. This is OK because we add the keys
 # before re-configuring the SSH daemon to disable passwords.
--- a/roles/common/tasks/nftables.yml
+++ b/roles/common/tasks/nftables.yml
@@ -9,7 +9,6 @@
    mode: "0644"
  notify:
    - Restart nftables
-    - Restart fail2ban

 - name: Create /etc/nftables extra config directory
  ansible.builtin.file:
@@ -20,17 +19,14 @@

 - name: Copy extra nftables configuration files
  ansible.builtin.copy:
-    src: "{{ item.src }}"
-    dest: /etc/nftables/{{ item.src }}
+    src: firehol_level1-ipv4.nft
+    dest: /etc/nftables/firehol_level1-ipv4.nft
    owner: root
    group: root
    mode: "0644"
-    force: "{{ item.force }}"
-  loop:
-    - { src: firehol_level1-ipv4.nft, force: false }
+    force: false
  notify:
    - Restart nftables
-    - Restart fail2ban

 - name: Copy nftables update scripts
  ansible.builtin.template:
@@ -40,27 +36,6 @@
    owner: root
    group: root

- name: Remove deprecated data and scripts
-  ansible.builtin.file:
-    path: "{{ item }}"
-    state: absent
-  loop:
-    - /etc/nftables/spamhaus-ipv4.nft
-    - /etc/nftables/spamhaus-ipv6.nft
-    - /etc/nftables/abuseipdb-ipv4.nft
-    - /etc/nftables/abuseipdb-ipv6.nft
-    - /etc/nftables/abusech-ipv4.nft
-    - /usr/local/bin/update-abusech-nftables.sh
-    - /usr/local/bin/update-spamhaus-nftables.sh
-    - /etc/systemd/system/update-abusech-nftables.service
-    - /etc/systemd/system/update-abusech-nftables.timer
-    - /etc/systemd/system/update-spamhaus-nftables.service
-    - /etc/systemd/system/update-spamhaus-nftables.timer
-    - /usr/local/bin/aggregate-cidr-addresses.pl
-  notify:
-    - Restart nftables
-    - Restart fail2ban
-
 - name: Copy nftables systemd units
  ansible.builtin.copy:
    src: "{{ item }}"
@@ -81,11 +56,9 @@

 - name: Start and enable nftables update timers
  ansible.builtin.systemd_service:
-    name: "{{ item }}"
+    name: update-firehol-nftables.timer
    state: started
    enabled: true
-  loop:
-    - update-firehol-nftables.timer

 - name: Start and enable nftables
  ansible.builtin.systemd_service:
--- a/roles/common/tasks/sshd.yml
+++ b/roles/common/tasks/sshd.yml
@@ -1,6 +1,7 @@
 ---
-# SSH configs don't change in Debian minor versions
+# Only override the system sshd configuration on older Debian.
 - name: Reconfigure /etc/ssh/sshd_config
+  when: ansible_distribution_version is version('12', '<=')
  ansible.builtin.template:
    src: "sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2"
    dest: /etc/ssh/sshd_config
@@ -9,6 +10,18 @@
    mode: "0600"
  notify: Reload sshd

+# Newer OpenSSH versions support including extra configuration. The includes
+# happen at the beginning of the file and the first value to be read is used.
+- name: Configure sshd_config.d overrides
+  when: ansible_distribution_version is version('13', '>=')
+  ansible.builtin.template:
+    src: etc/ssh/sshd_config.d/01-{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.conf.j2
+    dest: /etc/ssh/sshd_config.d/01-custom.conf
+    owner: root
+    group: root
+    mode: "0600"
+  notify: Reload sshd
+
 # See: WeakDH (2015): https://weakdh.org/sysadmin.html
 - name: Remove small Diffie-Hellman SSH moduli
  block:
--- a/roles/common/templates/etc/ssh/sshd_config.d/01-Debian-13.conf.j2
+++ b/roles/common/templates/etc/ssh/sshd_config.d/01-Debian-13.conf.j2
@@ -0,0 +1,40 @@
+{{ ansible_managed | comment }}
+
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear
+# audit track of which key was using to log in.
+LogLevel VERBOSE
+
+MaxAuthTries 4
+
+AuthorizedKeysFile	.ssh/authorized_keys
+
+# To disable tunneled clear text passwords, change to no here!
+{% if ssh_password_authentication == 'disabled' %}
+PasswordAuthentication no
+{% else %}
+PasswordAuthentication yes
+{% endif %}
+
+X11Forwarding no
+
+# Based on the ssh-audit profile for Debian 13, but with but with all algos with
+# less than 256 bits removed, as NSA's Suite B removed them years ago and the
+# new (2018) CNSA suite is 256 bits and up.
+#
+# See: ssh-audit.py -P "Hardened Debian 13 (version 1)"
+# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com
+
+{% if ssh_allowed_users is defined and ssh_allowed_users %}
+AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
+{% endif %}
+
+PerSourcePenaltyExemptList {{ fail2ban_ignoreip | replace(" ", ",") }}
+
+# Mask to use for IPv4 and IPv6 respectively when applying network penalties.
+# The default is 32:128.
+PerSourceNetBlockSize 24:56
--- a/roles/mariadb/defaults/main.yml
+++ b/roles/mariadb/defaults/main.yml
@@ -1,15 +1,4 @@
 ---
-# ansible.builtin.file: roles/mariadb/defaults/main.yml
-#
-# Based on my running of mysqltuner.pl on a host with three WordPress databases
-#
-
-# default is 128MB but is a waste because it seems only the mysql table uses it
-key_buffer_size: 8M
-
-# default is 128MB but is a waste because it seems only information_schema uses
-# AriaDB, see: https://mariadb.com/kb/en/mariadb/aria-system-variables
-aria_pagecache_buffer_size: 8M

 # default is 128M, but set to at least the size of your InnoDB data
 innodb_buffer_pool_size: 256M
@@ -22,10 +11,6 @@ mariadb_login_unix_socket: /run/mysqld/mysqld.sock
 # default is 100 but the max I've seen used is 5, so let's reduce it
 max_connections: 33

-# disable the query cache by default
-query_cache_size: 0
-query_cache_type: 0
-
 # mysqltuner says we should use larger than 32M on our setup
 tmp_table_size: 64M
 max_heap_table_size: 64M
--- a/roles/mariadb/tasks/main.yml
+++ b/roles/mariadb/tasks/main.yml
@@ -1,52 +1,4 @@
 ---
- name: Remove MariaDB key from apt-key
-  ansible.builtin.apt_key:
-    id: "013577200103762554506315430003013705453362230723150730"
-    state: absent
-  tags:
-    - packages
-    - mariadb
-
- name: Check MariaDB package signing key
-  ansible.builtin.stat:
-    path: /etc/apt/keyrings/mariadb_release_signing_key.asc
-  register: mariadb_signing_key_stat
-  tags:
-    - packages
-    - mariadb
-
- name: Download MariaDB package signing key
-  when: not mariadb_signing_key_stat.stat.exists
-  ansible.builtin.get_url:
-    url: https://mariadb.org/mariadb_release_signing_key.asc
-    dest: /etc/apt/keyrings/mariadb_release_signing_key.asc
-    owner: root
-    group: root
-    mode: "0644"
-  register: download_mariadb_signing_key
-  tags:
-    - packages
-    - mariadb
-
- name: Add MariaDB 10.11 repo
-  ansible.builtin.apt_repository:
-    repo: deb [arch=amd64 signed-by=/etc/apt/keyrings/mariadb_release_signing_key.asc] https://dlm.mariadb.com/repo/mariadb-server/10.11/repo/debian {{ ansible_distribution_release
-      }} main
-    filename: mariadb
-    state: present
-  register: add_mariadb_apt_repository
-  tags:
-    - packages
-    - mariadb
-
- name: Update apt cache
-  when: (download_mariadb_signing_key.status_code is defined and download_mariadb_signing_key.status_code == 200) or add_mariadb_apt_repository is changed
-  ansible.builtin.apt: # noqa no-handler
-    update_cache: true
-  tags:
-    - packages
-    - mariadb
-
 - name: Install mariadb-server
  ansible.builtin.apt:
    name: [mariadb-server, python3-pymysql]
@@ -54,10 +6,10 @@
    cache_valid_time: 3600
  tags: mariadb, packages

- name: Create system my.cnf
+- name: Add MariaDB configuration overrides
  ansible.builtin.template:
-    src: my.cnf.j2
-    dest: /etc/mysql/my.cnf
+    src: 70-local.cnf.j2
+    dest: /etc/mysql/mariadb.conf.d/70-local.cnf
    owner: root
    group: root
    mode: "0644"
--- a/roles/mariadb/templates/70-local.cnf.j2
+++ b/roles/mariadb/templates/70-local.cnf.j2
@@ -0,0 +1,10 @@
+{{ ansible_managed | comment }}
+
+[mysqld]
+# don't resolve connection IPs to hostnames (make sure user accounts are using
+# IPs instead of "localhost")
+skip-name-resolve=1
+max_connections		= {{ max_connections }}
+tmp_table_size		= {{ tmp_table_size }}
+max_heap_table_size	= {{ max_heap_table_size }}
+innodb_buffer_pool_size	= {{ innodb_buffer_pool_size }}
--- a/roles/mariadb/templates/my.cnf.j2
+++ b/roles/mariadb/templates/my.cnf.j2
@@ -1,196 +0,0 @@
-{{ ansible_managed | comment }}
-
-# MariaDB database server configuration file.
-#
-# You can copy this file to one of:
-# - "/etc/mysql/my.cnf" to set global options,
-# - "~/.my.cnf" to set user-specific options.
-# 
-# One can use all long options that the program supports.
-# Run program with --help to get a list of available options and with
-# --print-defaults to see which it would actually understand and use.
-#
-# For explanations see
-# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
-
-# This will be passed to all mysql clients
-# It has been reported that passwords should be enclosed with ticks/quotes
-# escpecially if they contain "#" chars...
-# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
-[client]
-port		= 3306
-socket		= /run/mysqld/mysqld.sock
-
-# Here is entries for some specific programs
-# The following values assume you have at least 32M ram
-
-# This was formally known as [safe_mysqld]. Both versions are currently parsed.
-[mysqld_safe]
-socket		= /run/mysqld/mysqld.sock
-nice		= 0
-
-[mysqld]
-#
-# * Basic Settings
-#
-user		= mysql
-pid-file	= /run/mysqld/mysqld.pid
-socket		= /run/mysqld/mysqld.sock
-port		= 3306
-basedir		= /usr
-datadir		= /var/lib/mysql
-tmpdir		= /tmp
-lc_messages_dir	= /usr/share/mysql
-lc_messages	= en_US
-skip-external-locking
-#
-# Instead of skip-networking the default is now to listen only on
-# localhost which is more compatible and is not less secure.
-bind-address		= 127.0.0.1
-
-# don't resolve connection IPs to hostnames (make sure user accounts are using
-# IPs instead of "localhost")
-skip-name-resolve=1
-#
-# * Fine Tuning
-#
-max_connections		= {{ max_connections }}
-connect_timeout		= 5
-wait_timeout		= 600
-max_allowed_packet	= 16M
-thread_cache_size       = 128
-sort_buffer_size	= 4M
-bulk_insert_buffer_size	= 16M
-tmp_table_size		= {{ tmp_table_size }}
-max_heap_table_size	= {{ max_heap_table_size }}
-#
-# * MyISAM
-#
-# This replaces the startup script and checks MyISAM tables if needed
-# the first time they are touched. On error, make copy and try a repair.
-myisam_recover_options = BACKUP
-key_buffer_size		= {{ key_buffer_size }}
-#open-files-limit	= 2000
-table_open_cache	= 400
-myisam_sort_buffer_size	= 512M
-concurrent_insert	= 2
-read_buffer_size	= 2M
-read_rnd_buffer_size	= 1M
-#
-# * Query Cache Configuration
-#
-query_cache_limit		= 128K
-query_cache_size		= {{ query_cache_size }}
-query_cache_type		= {{ query_cache_type }}
-#
-# * Logging and Replication
-#
-# Both location gets rotated by the cronjob.
-# Be aware that this log type is a performance killer.
-# As of 5.1 you can enable the log at runtime!
-#general_log_file        = /var/log/mysql/mysql.log
-#general_log             = 1
-#
-# Error logging goes to syslog due to /etc/mysql/conf.d/mysqld_safe_syslog.cnf.
-#
-# we do want to know about network errors and such
-log_warnings		= 2
-#
-# Enable the slow query log to see queries with especially long duration
-#slow_query_log[={0|1}]
-slow_query_log_file	= /var/log/mysql/mariadb-slow.log
-long_query_time = 10
-#log_slow_rate_limit	= 1000
-log_slow_verbosity	= query_plan
-
-#log-queries-not-using-indexes
-#log_slow_admin_statements
-#
-# The following can be used as easy to replay backup logs or for replication.
-# note: if you are setting up a replication slave, see README.Debian about
-#       other settings you may need to change.
-#server-id		= 1
-#report_host		= master1
-#auto_increment_increment = 2
-#auto_increment_offset	= 1
-log_bin			= /var/log/mysql/mariadb-bin
-log_bin_index		= /var/log/mysql/mariadb-bin.index
-# not fab for performance, but safer
-#sync_binlog		= 1
-expire_logs_days	= 10
-max_binlog_size         = 100M
-# slaves
-#relay_log		= /var/log/mysql/relay-bin
-#relay_log_index	= /var/log/mysql/relay-bin.index
-#relay_log_info_file	= /var/log/mysql/relay-bin.info
-#log_slave_updates
-#read_only
-#
-# If applications support it, this stricter sql_mode prevents some
-# mistakes like inserting invalid dates etc.
-#sql_mode		= NO_ENGINE_SUBSTITUTION,TRADITIONAL
-#
-# * InnoDB
-#
-# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
-# Read the manual for more InnoDB related options. There are many!
-default_storage_engine	= InnoDB
-# you can't just change log file size, requires special procedure
-#innodb_log_file_size	= 50M
-innodb_buffer_pool_size	= {{ innodb_buffer_pool_size }}
-innodb_log_buffer_size	= 8M
-innodb_file_per_table	= 1
-innodb_open_files	= 400
-innodb_io_capacity	= 400
-innodb_flush_method	= O_DIRECT
-
-aria_pagecache_buffer_size = {{ aria_pagecache_buffer_size }}
-#
-# * Security Features
-#
-# Read the manual, too, if you want chroot!
-# chroot = /var/lib/mysql/
-#
-# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
-#
-# ssl-ca=/etc/mysql/cacert.pem
-# ssl-cert=/etc/mysql/server-cert.pem
-# ssl-key=/etc/mysql/server-key.pem
-
-#
-# * Galera-related settings
-#
-[galera]
-# Mandatory settings
-#wsrep_on=ON
-#wsrep_provider=
-#wsrep_cluster_address=
-#binlog_format=row
-#default_storage_engine=InnoDB
-#innodb_autoinc_lock_mode=2
-#
-# Allow server to accept connections on all interfaces.
-#
-#bind-address=0.0.0.0
-#
-# Optional setting
-#wsrep_slave_threads=1
-#innodb_flush_log_at_trx_commit=0
-
-[mysqldump]
-quick
-quote-names
-max_allowed_packet	= 16M
-
-[mysql]
-#no-auto-rehash	# faster start of mysql but no tab completion
-
-[isamchk]
-key_buffer		= 16M
-
-#
-# * IMPORTANT: Additional settings that can override those from this file!
-#   The files must end with '.cnf', otherwise they'll be ignored.
-#
-!include /etc/mysql/mariadb.cnf
-!includedir /etc/mysql/conf.d/
--- a/roles/nginx/tasks/letsencrypt.yml
+++ b/roles/nginx/tasks/letsencrypt.yml
@@ -5,7 +5,7 @@
  tags: letsencrypt
  when:
    - ansible_distribution == 'Debian'
-    - ansible_distribution_version is version('11', '>='))
+    - ansible_distribution_version is version('11', '>=')
  block:
    - name: Remove certbot
      ansible.builtin.apt:
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -1,12 +1,4 @@
 ---
- name: Remove nginx apt signing key from apt-key
-  ansible.builtin.apt_key:
-    id: "053473772654754373614404074646527257655730117366337542"
-    state: absent
-  tags:
-    - packages
-    - nginx
-
 - name: Download nginx apt signing key
  ansible.builtin.get_url:
    url: https://nginx.org/keys/nginx_signing.key
--- a/roles/nginx/tasks/wordpress.yml
+++ b/roles/nginx/tasks/wordpress.yml
@@ -13,6 +13,8 @@
        depth: 1
        force: true
      loop: "{{ nginx_vhosts }}"
+      become: true
+      become_user: nginx

    - name: Fix WordPress directory permissions
      when:
--- a/roles/php_fpm/handlers/main.yml
+++ b/roles/php_fpm/handlers/main.yml
@@ -5,4 +5,10 @@
    name: php8.2-fpm
    state: reloaded

+# For Debian 13
+- name: Reload php8.4-fpm
+  ansible.builtin.systemd_service:
+    name: php8.4-fpm
+    state: reloaded
+
 # vim: set ts=2 sw=2:
--- a/roles/php_fpm/tasks/Debian_12.yml
+++ b/roles/php_fpm/tasks/Debian_12.yml
@@ -1,50 +0,0 @@
---
- name: Install and configure php-fpm
-  tags: php-fpm
-  when: install_php
-  block:
-    - name: Set php-fpm packages
-      ansible.builtin.set_fact:
-        php_fpm_packages:
-          - php8.2-fpm
-          # for WordPress
-          - php8.2-mysql
-          - php8.2-gd
-          - php8.2-curl
-          - php8.2-xml
-
-    - name: Install php-fpm and deps
-      ansible.builtin.apt:
-        name: "{{ php_fpm_packages }}"
-        state: present
-        update_cache: true
-
-    # only copy php-fpm config for vhosts that need WordPress or PHP
-    - name: Copy php-fpm pool config
-      ansible.builtin.template:
-        src: php8.2-pool.conf.j2
-        dest: /etc/php/8.2/fpm/pool.d/{{ item.domain_name }}.conf
-        owner: root
-        group: root
-        mode: "0644"
-      loop: "{{ nginx_vhosts }}"
-      when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
-      notify: Reload php8.2-fpm
-
-    - name: Remove default www pool
-      ansible.builtin.file:
-        path: /etc/php/8.2/fpm/pool.d/www.conf
-        state: absent
-      notify: Reload php8.2-fpm
-
-    # re-configure php.ini
-    - name: Update php.ini
-      ansible.builtin.template:
-        src: php8.2-php.ini.j2
-        dest: /etc/php/8.2/fpm/php.ini
-        owner: root
-        group: root
-        mode: "0644"
-      notify: Reload php8.2-fpm
-
-# vim: set ts=2 sw=2:
--- a/roles/php_fpm/tasks/main.yml
+++ b/roles/php_fpm/tasks/main.yml
@@ -1,5 +1,6 @@
 ---
 # Debian 12 uses PHP 8.2
+# Debian 13 uses PHP 8.4

 # If any of the vhosts on this host need WordPress then we need to install PHP.
 # This uses selectattr to filter the list of dicts in nginx_vhosts, selecting
@@ -24,12 +25,66 @@
    install_php: false
  when: install_php is not defined

- name: Configure php-fpm on Debian 12
-  ansible.builtin.include_tasks: Debian_12.yml
+- name: Install and configure php-fpm
+  tags: php-fpm
+  when: install_php
+  block:
+    - name: Set php-fpm packages
+      ansible.builtin.set_fact:
+        php_fpm_packages:
+          - php-fpm
+          # for WordPress
+          - php-mysql
+          - php-gd
+          - php-curl
+          - php-xml
+
+    - name: Install php-fpm and deps
+      ansible.builtin.apt:
+        name: "{{ php_fpm_packages }}"
+        state: present
+        update_cache: true
+
+    - name: Set PHP version for Debian 12
      when:
        - ansible_distribution == 'Debian'
        - ansible_distribution_major_version is version('12', '==')
-    - install_php
-  tags: php-fpm
+      ansible.builtin.set_fact:
+        php_version: 8.2
+
+    - name: Set PHP version for Debian 13
+      when:
+        - ansible_distribution == 'Debian'
+        - ansible_distribution_major_version is version('13', '==')
+      ansible.builtin.set_fact:
+        php_version: 8.4
+
+    # only copy php-fpm config for vhosts that need WordPress or PHP
+    - name: Copy php-fpm pool config
+      ansible.builtin.template:
+        src: php{{ php_version }}-pool.conf.j2
+        dest: /etc/php/{{ php_version }}/fpm/pool.d/{{ item.domain_name }}.conf
+        owner: root
+        group: root
+        mode: "0644"
+      loop: "{{ nginx_vhosts }}"
+      when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
+      notify: Reload php{{ php_version }}-fpm
+
+    - name: Remove default www pool
+      ansible.builtin.file:
+        path: /etc/php/{{ php_version }}/fpm/pool.d/www.conf
+        state: absent
+      notify: Reload php{{ php_version }}-fpm
+
+    # re-configure php.ini
+    - name: Update php.ini
+      ansible.builtin.template:
+        src: php{{ php_version }}-php.ini.j2
+        dest: /etc/php/{{ php_version }}/fpm/php.ini
+        owner: root
+        group: root
+        mode: "0644"
+      notify: Reload php{{ php_version }}-fpm

 # vim: set ts=2 sw=2:
--- a/roles/php_fpm/templates/php8.4-php.ini.j2
+++ b/roles/php_fpm/templates/php8.4-php.ini.j2
--- a/roles/php_fpm/templates/php8.4-pool.conf.j2
+++ b/roles/php_fpm/templates/php8.4-pool.conf.j2
@@ -0,0 +1,488 @@
+{% set domain_name  = item.domain_name %}
+
+; Start a new pool named '{{ domain_name }}'.
+; the variable $pool can be used in any directive and will be replaced by the
+; pool name ('{{ domain_name }}' here)
+[{{ domain_name }}]
+
+; Per pool prefix
+; It only applies on the following directives:
+; - 'access.log'
+; - 'slowlog'
+; - 'listen' (unixsocket)
+; - 'chroot'
+; - 'chdir'
+; - 'php_values'
+; - 'php_admin_values'
+; When not set, the global prefix (or /usr) applies instead.
+; Note: This directive can also be relative to the global prefix.
+; Default Value: none
+;prefix = /path/to/pools/$pool
+
+; Unix user/group of the child processes. This can be used only if the master
+; process running user is root. It is set after the child process is created.
+; The user and group can be specified either by their name or by their numeric
+; IDs.
+; Note: If the user is root, the executable needs to be started with
+;       --allow-to-run-as-root option to work.
+; Default Values: The user is set to master process running user by default.
+;                 If the group is not set, the user's group is used.
+user = {{ webserver }}
+group = {{ webserver }}
+
+; The address on which to accept FastCGI requests.
+; Valid syntaxes are:
+;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
+;                            a specific port;
+;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
+;                            a specific port;
+;   'port'                 - to listen on a TCP socket to all addresses
+;                            (IPv6 and IPv4-mapped) on a specific port;
+;   '/path/to/unix/socket' - to listen on a unix socket.
+; Note: This value is mandatory.
+listen = /run/php/php8.2-fpm-{{ domain_name }}.sock
+
+; Set listen(2) backlog.
+; Default Value: 511 (-1 on Linux, FreeBSD and OpenBSD)
+;listen.backlog = 511
+
+; Set permissions for unix socket, if one is used. In Linux, read/write
+; permissions must be set in order to allow connections from a web server. Many
+; BSD-derived systems allow connections regardless of permissions. The owner
+; and group can be specified either by name or by their numeric IDs.
+; Default Values: Owner is set to the master process running user. If the group
+;                 is not set, the owner's group is used. Mode is set to 0660.
+listen.owner = {{ webserver }}
+listen.group = {{ webserver }}
+;listen.mode = 0660
+
+; When POSIX Access Control Lists are supported you can set them using
+; these options, value is a comma separated list of user/group names.
+; When set, listen.owner and listen.group are ignored
+;listen.acl_users =
+;listen.acl_groups =
+
+; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
+; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
+; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
+; must be separated by a comma. If this value is left blank, connections will be
+; accepted from any ip address.
+; Default Value: any
+;listen.allowed_clients = 127.0.0.1
+
+; Set the associated the route table (FIB). FreeBSD only
+; Default Value: -1
+;listen.setfib = 1
+
+; Specify the nice(2) priority to apply to the pool processes (only if set)
+; The value can vary from -19 (highest priority) to 20 (lower priority)
+; Note: - It will only work if the FPM master process is launched as root
+;       - The pool processes will inherit the master process priority
+;         unless it specified otherwise
+; Default Value: no set
+; process.priority = -19
+
+; Set the process dumpable flag (PR_SET_DUMPABLE prctl for Linux or
+; PROC_TRACE_CTL procctl for FreeBSD) even if the process user
+; or group is different than the master process user. It allows to create process
+; core dump and ptrace the process for the pool user.
+; Default Value: no
+; process.dumpable = yes
+
+; Choose how the process manager will control the number of child processes.
+; Possible Values:
+;   static  - a fixed number (pm.max_children) of child processes;
+;   dynamic - the number of child processes are set dynamically based on the
+;             following directives. With this process management, there will be
+;             always at least 1 children.
+;             pm.max_children      - the maximum number of children that can
+;                                    be alive at the same time.
+;             pm.start_servers     - the number of children created on startup.
+;             pm.min_spare_servers - the minimum number of children in 'idle'
+;                                    state (waiting to process). If the number
+;                                    of 'idle' processes is less than this
+;                                    number then some children will be created.
+;             pm.max_spare_servers - the maximum number of children in 'idle'
+;                                    state (waiting to process). If the number
+;                                    of 'idle' processes is greater than this
+;                                    number then some children will be killed.
+;             pm.max_spawn_rate    - the maximum number of rate to spawn child
+;                                    processes at once.
+;  ondemand - no children are created at startup. Children will be forked when
+;             new requests will connect. The following parameter are used:
+;             pm.max_children           - the maximum number of children that
+;                                         can be alive at the same time.
+;             pm.process_idle_timeout   - The number of seconds after which
+;                                         an idle process will be killed.
+; Note: This value is mandatory.
+pm = dynamic
+
+; The number of child processes to be created when pm is set to 'static' and the
+; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
+; This value sets the limit on the number of simultaneous requests that will be
+; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
+; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
+; CGI. The below defaults are based on a server without much resources. Don't
+; forget to tweak pm.* to fit your needs.
+; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
+; Note: This value is mandatory.
+pm.max_children = 5
+
+; The number of child processes created on startup.
+; Note: Used only when pm is set to 'dynamic'
+; Default Value: (min_spare_servers + max_spare_servers) / 2
+pm.start_servers = 2
+
+; The desired minimum number of idle server processes.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+pm.min_spare_servers = 1
+
+; The desired maximum number of idle server processes.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+pm.max_spare_servers = 3
+
+; The number of rate to spawn child processes at once.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+; Default Value: 32
+;pm.max_spawn_rate = 32
+
+; The number of seconds after which an idle process will be killed.
+; Note: Used only when pm is set to 'ondemand'
+; Default Value: 10s
+;pm.process_idle_timeout = 10s;
+
+; The number of requests each child process should execute before respawning.
+; This can be useful to work around memory leaks in 3rd party libraries. For
+; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
+; Default Value: 0
+;pm.max_requests = 500
+
+; The URI to view the FPM status page. If this value is not set, no URI will be
+; recognized as a status page. It shows the following information:
+;   pool                 - the name of the pool;
+;   process manager      - static, dynamic or ondemand;
+;   start time           - the date and time FPM has started;
+;   start since          - number of seconds since FPM has started;
+;   accepted conn        - the number of request accepted by the pool;
+;   listen queue         - the number of request in the queue of pending
+;                          connections (see backlog in listen(2));
+;   max listen queue     - the maximum number of requests in the queue
+;                          of pending connections since FPM has started;
+;   listen queue len     - the size of the socket queue of pending connections;
+;   idle processes       - the number of idle processes;
+;   active processes     - the number of active processes;
+;   total processes      - the number of idle + active processes;
+;   max active processes - the maximum number of active processes since FPM
+;                          has started;
+;   max children reached - number of times, the process limit has been reached,
+;                          when pm tries to start more children (works only for
+;                          pm 'dynamic' and 'ondemand');
+; Value are updated in real time.
+; Example output:
+;   pool:                 www
+;   process manager:      static
+;   start time:           01/Jul/2011:17:53:49 +0200
+;   start since:          62636
+;   accepted conn:        190460
+;   listen queue:         0
+;   max listen queue:     1
+;   listen queue len:     42
+;   idle processes:       4
+;   active processes:     11
+;   total processes:      15
+;   max active processes: 12
+;   max children reached: 0
+;
+; By default the status page output is formatted as text/plain. Passing either
+; 'html', 'xml' or 'json' in the query string will return the corresponding
+; output syntax. Example:
+;   http://www.foo.bar/status
+;   http://www.foo.bar/status?json
+;   http://www.foo.bar/status?html
+;   http://www.foo.bar/status?xml
+;
+; By default the status page only outputs short status. Passing 'full' in the
+; query string will also return status for each pool process.
+; Example:
+;   http://www.foo.bar/status?full
+;   http://www.foo.bar/status?json&full
+;   http://www.foo.bar/status?html&full
+;   http://www.foo.bar/status?xml&full
+; The Full status returns for each process:
+;   pid                  - the PID of the process;
+;   state                - the state of the process (Idle, Running, ...);
+;   start time           - the date and time the process has started;
+;   start since          - the number of seconds since the process has started;
+;   requests             - the number of requests the process has served;
+;   request duration     - the duration in µs of the requests;
+;   request method       - the request method (GET, POST, ...);
+;   request URI          - the request URI with the query string;
+;   content length       - the content length of the request (only with POST);
+;   user                 - the user (PHP_AUTH_USER) (or '-' if not set);
+;   script               - the main script called (or '-' if not set);
+;   last request cpu     - the %cpu the last request consumed
+;                          it's always 0 if the process is not in Idle state
+;                          because CPU calculation is done when the request
+;                          processing has terminated;
+;   last request memory  - the max amount of memory the last request consumed
+;                          it's always 0 if the process is not in Idle state
+;                          because memory calculation is done when the request
+;                          processing has terminated;
+; If the process is in Idle state, then information is related to the
+; last request the process has served. Otherwise information is related to
+; the current request being served.
+; Example output:
+;   ************************
+;   pid:                  31330
+;   state:                Running
+;   start time:           01/Jul/2011:17:53:49 +0200
+;   start since:          63087
+;   requests:             12808
+;   request duration:     1250261
+;   request method:       GET
+;   request URI:          /test_mem.php?N=10000
+;   content length:       0
+;   user:                 -
+;   script:               /home/fat/web/docs/php/test_mem.php
+;   last request cpu:     0.00
+;   last request memory:  0
+;
+; Note: There is a real-time FPM status monitoring sample web page available
+;       It's available in: /usr/share/php/8.4/fpm/status.html
+;
+; Note: The value must start with a leading slash (/). The value can be
+;       anything, but it may not be a good idea to use the .php extension or it
+;       may conflict with a real PHP file.
+; Default Value: not set
+;pm.status_path = /status
+
+; The address on which to accept FastCGI status request. This creates a new
+; invisible pool that can handle requests independently. This is useful
+; if the main pool is busy with long running requests because it is still possible
+; to get the status before finishing the long running requests.
+;
+; Valid syntaxes are:
+;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
+;                            a specific port;
+;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
+;                            a specific port;
+;   'port'                 - to listen on a TCP socket to all addresses
+;                            (IPv6 and IPv4-mapped) on a specific port;
+;   '/path/to/unix/socket' - to listen on a unix socket.
+; Default Value: value of the listen option
+;pm.status_listen = 127.0.0.1:9001
+
+; The ping URI to call the monitoring page of FPM. If this value is not set, no
+; URI will be recognized as a ping page. This could be used to test from outside
+; that FPM is alive and responding, or to
+; - create a graph of FPM availability (rrd or such);
+; - remove a server from a group if it is not responding (load balancing);
+; - trigger alerts for the operating team (24/7).
+; Note: The value must start with a leading slash (/). The value can be
+;       anything, but it may not be a good idea to use the .php extension or it
+;       may conflict with a real PHP file.
+; Default Value: not set
+;ping.path = /ping
+
+; This directive may be used to customize the response of a ping request. The
+; response is formatted as text/plain with a 200 response code.
+; Default Value: pong
+;ping.response = pong
+
+; The access log file
+; Default: not set
+;access.log = log/$pool.access.log
+
+; The access log format.
+; The following syntax is allowed
+;  %%: the '%' character
+;  %C: %CPU used by the request
+;      it can accept the following format:
+;      - %{user}C for user CPU only
+;      - %{system}C for system CPU only
+;      - %{total}C  for user + system CPU (default)
+;  %d: time taken to serve the request
+;      it can accept the following format:
+;      - %{seconds}d (default)
+;      - %{milliseconds}d
+;      - %{milli}d
+;      - %{microseconds}d
+;      - %{micro}d
+;  %e: an environment variable (same as $_ENV or $_SERVER)
+;      it must be associated with embraces to specify the name of the env
+;      variable. Some examples:
+;      - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
+;      - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
+;  %f: script filename
+;  %l: content-length of the request (for POST request only)
+;  %m: request method
+;  %M: peak of memory allocated by PHP
+;      it can accept the following format:
+;      - %{bytes}M (default)
+;      - %{kilobytes}M
+;      - %{kilo}M
+;      - %{megabytes}M
+;      - %{mega}M
+;  %n: pool name
+;  %o: output header
+;      it must be associated with embraces to specify the name of the header:
+;      - %{Content-Type}o
+;      - %{X-Powered-By}o
+;      - %{Transfert-Encoding}o
+;      - ....
+;  %p: PID of the child that serviced the request
+;  %P: PID of the parent of the child that serviced the request
+;  %q: the query string
+;  %Q: the '?' character if query string exists
+;  %r: the request URI (without the query string, see %q and %Q)
+;  %R: remote IP address
+;  %s: status (response code)
+;  %t: server time the request was received
+;      it can accept a strftime(3) format:
+;      The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
+;  %T: time the log has been written (the request has finished)
+;      it can accept a strftime(3) format:
+;      The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
+;  %u: basic auth user if specified in Authorization header
+;
+; Default: "%R - %u %t \"%m %r\" %s"
+;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%"
+
+; A list of request_uri values which should be filtered from the access log.
+;
+; As a security precaution, this setting will be ignored if:
+;     - the request method is not GET or HEAD; or
+;     - there is a request body; or
+;     - there are query parameters; or
+;     - the response code is outwith the successful range of 200 to 299
+;
+; Note: The paths are matched against the output of the access.format tag "%r".
+;       On common configurations, this may look more like SCRIPT_NAME than the
+;       expected pre-rewrite URI.
+;
+; Default Value: not set
+;access.suppress_path[] = /ping
+;access.suppress_path[] = /health_check.php
+
+; The log file for slow requests
+; Default Value: not set
+; Note: slowlog is mandatory if request_slowlog_timeout is set
+;slowlog = log/$pool.log.slow
+
+; The timeout for serving a single request after which a PHP backtrace will be
+; dumped to the 'slowlog' file. A value of '0s' means 'off'.
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
+; Default Value: 0
+;request_slowlog_timeout = 0
+
+; Depth of slow log stack trace.
+; Default Value: 20
+;request_slowlog_trace_depth = 20
+
+; The timeout for serving a single request after which the worker process will
+; be killed. This option should be used when the 'max_execution_time' ini option
+; does not stop script execution for some reason. A value of '0' means 'off'.
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
+; Default Value: 0
+;request_terminate_timeout = 0
+
+; The timeout set by 'request_terminate_timeout' ini option is not engaged after
+; application calls 'fastcgi_finish_request' or when application has finished and
+; shutdown functions are being called (registered via register_shutdown_function).
+; This option will enable timeout limit to be applied unconditionally
+; even in such cases.
+; Default Value: no
+;request_terminate_timeout_track_finished = no
+
+; Set open file descriptor rlimit.
+; Default Value: system defined value
+;rlimit_files = 1024
+
+; Set max core size rlimit.
+; Possible Values: 'unlimited' or an integer greater or equal to 0
+; Default Value: system defined value
+;rlimit_core = 0
+
+; Chroot to this directory at the start. This value must be defined as an
+; absolute path. When this value is not set, chroot is not used.
+; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
+; of its subdirectories. If the pool prefix is not set, the global prefix
+; will be used instead.
+; Note: chrooting is a great security feature and should be used whenever
+;       possible. However, all PHP paths will be relative to the chroot
+;       (error_log, sessions.save_path, ...).
+; Default Value: not set
+;chroot =
+
+; Chdir to this directory at the start.
+; Note: relative path can be used.
+; Default Value: current directory or / when chroot
+;chdir = /var/www
+
+; Redirect worker stdout and stderr into main error log. If not set, stdout and
+; stderr will be redirected to /dev/null according to FastCGI specs.
+; Note: on highloaded environment, this can cause some delay in the page
+; process time (several ms).
+; Default Value: no
+;catch_workers_output = yes
+
+; Decorate worker output with prefix and suffix containing information about
+; the child that writes to the log and if stdout or stderr is used as well as
+; log level and time. This options is used only if catch_workers_output is yes.
+; Settings to "no" will output data as written to the stdout or stderr.
+; Default value: yes
+;decorate_workers_output = no
+
+; Clear environment in FPM workers
+; Prevents arbitrary environment variables from reaching FPM worker processes
+; by clearing the environment in workers before env vars specified in this
+; pool configuration are added.
+; Setting to "no" will make all environment variables available to PHP code
+; via getenv(), $_ENV and $_SERVER.
+; Default Value: yes
+;clear_env = no
+
+; Limits the extensions of the main script FPM will allow to parse. This can
+; prevent configuration mistakes on the web server side. You should only limit
+; FPM to .php extensions to prevent malicious users to use other extensions to
+; execute php code.
+; Note: set an empty value to allow all extensions.
+; Default Value: .php
+;security.limit_extensions = .php .php3 .php4 .php5 .php7
+
+; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
+; the current environment.
+; Default Value: clean env
+;env[HOSTNAME] = $HOSTNAME
+;env[PATH] = /usr/local/bin:/usr/bin:/bin
+;env[TMP] = /tmp
+;env[TMPDIR] = /tmp
+;env[TEMP] = /tmp
+
+; Additional php.ini defines, specific to this pool of workers. These settings
+; overwrite the values previously defined in the php.ini. The directives are the
+; same as the PHP SAPI:
+;   php_value/php_flag             - you can set classic ini defines which can
+;                                    be overwritten from PHP call 'ini_set'.
+;   php_admin_value/php_admin_flag - these directives won't be overwritten by
+;                                     PHP call 'ini_set'
+; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
+
+; Defining 'extension' will load the corresponding shared extension from
+; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
+; overwrite previously defined php.ini values, but will append the new value
+; instead.
+
+; Note: path INI options can be relative and will be expanded with the prefix
+; (pool, global or /usr)
+
+; Default Value: nothing is defined by default except the values in php.ini and
+;                specified at startup with the -d argument
+;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
+;php_flag[display_errors] = off
+;php_admin_value[error_log] = /var/log/fpm-php.www.log
+;php_admin_flag[log_errors] = on
+;php_admin_value[memory_limit] = 32M
Author	SHA1	Message	Date
Alan Orth	8439b674dd	roles/nginx: git clone as nginx	2025-11-21 22:07:55 +03:00
Alan Orth	c2c9f1b88d	roles/nginx: fix syntax	2025-11-21 21:08:29 +03:00
Alan Orth	3763ce80e1	roles/mariadb: rework to use Debian's mariadb There are no MariaDB builds for Debian 13 (trixie) yet. This seems to happen every new release. Surprisingly Debian's mariadb-server is very new and we can simplify our tasks and templates a lot.	2025-11-20 08:47:27 +03:00
Alan Orth	a8e4821ad0	roles/nginx: remove apt-key task	2025-11-20 08:47:27 +03:00
Alan Orth	6ff4cf30f7	roles/mariadb: remove apt-key task This is not longer present as of Debian 13, and the old MariaDB key should not be present on any of my hosts anymore anyway.	2025-11-20 08:47:27 +03:00
Alan Orth	8f57a5a974	roles/php_fpm: rework for Debian 13 We can use metapackages like php-fpm on each version as those pull in the correct package. This allows us to use the same playbook lo- gic for Debian 12 (PHP 8.2) and Debian 13 (PHP 8.4).	2025-11-20 08:47:26 +03:00
Alan Orth	cac74c53ef	roles/common: minor configuration of Debian 13 SSH Tweak some of the new OpenSSH per-source penalty settings on Debian 13. For now only adjusting the source network masks and reusing the list of IPs to exempt from fail2ban. These being built in makes them easier to use, but I think I will end up sticking with fail2ban for the heavy lifting because it per- sists across restarts of the daemon, whereas OpenSSH's doesn't. I will monitor OpenSSH on Debian 13 to see how to best use it along side fail2ban.	2025-11-20 08:47:26 +03:00
Alan Orth	078c5b36d8	roles/common: use 127.0.0.0/8 for fail2ban ignoreip We can re-use our fail2ban ignoreip setting for Debian 13's OpenSSH PerSourcePenaltyExemptList, but OpenSSH is more strict with regards to masks not being applied to the host portion. I had never noticed that fail2ban's default was applying the mask on the host portion!	2025-11-20 08:47:25 +03:00
Alan Orth	a18c1e6a16	roles/common: sshd overrides for Debian 13	2025-11-20 08:47:25 +03:00
Alan Orth	36cf98026b	Pipfile.lock: run pipenv update	2025-11-20 08:46:41 +03:00
Alan Orth	98746b3eb8	host_vars/web22: WordPress 6.8.3	2025-11-20 08:44:23 +03:00
Alan Orth	afffd87201	roles/common: remove old firewall cleanup	2025-11-14 22:38:43 +03:00
Alan Orth	d21f3d9371	roles/common: remove loops with one item	2025-11-14 22:38:17 +03:00
Alan Orth	a6ef7a1c4e	roles/common: don't notify fail2ban We set the fail2ban service as "PartOf" the nftables service, so it receives stop and restart events already.	2025-11-14 22:26:09 +03:00