roles/nginx: use nginx-acme-module for TLS certs

Use the nginx-acme module for TLS certs instead of acme.sh because
it requires less configuration, less tooling, and works using the
tls-alpn challenge.

.python-version

@@ -0,0 +1 @@
+3.13

Pipfile

@@ -1,12 +0,0 @@
-[[source]]
-name = "pypi"
-url = "https://pypi.org/simple"
-verify_ssl = true
-
-[dev-packages]
-
-[packages]
-ansible = "*"
-
-[requires]
-python_version = "3.9"

Pipfile.lock

@@ -1,193 +0,0 @@
-{
-    "_meta": {
-        "hash": {
-            "sha256": "65b615b857250757470e21fc3a4b1cdfe75b4b012c0d1d633a5ebf1988d9cb91"
-        },
-        "pipfile-spec": 6,
-        "requires": {
-            "python_version": "3.9"
-        },
-        "sources": [
-            {
-                "name": "pypi",
-                "url": "https://pypi.org/simple",
-                "verify_ssl": true
-            }
-        ]
-    },
-    "default": {
-        "ansible": {
-            "hashes": [
-                "sha256:98e718aea82199be62db7731373d660627aa1e938d34446588f2f49c228638ee"
-            ],
-            "index": "pypi",
-            "version": "==2.10.4"
-        },
-        "ansible-base": {
-            "hashes": [
-                "sha256:d4dad569864c08d8efb6ad99acf48ec46d7d118f8ced64f1185f8eac2c280ec3"
-            ],
-            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
-            "version": "==2.10.4"
-        },
-        "cffi": {
-            "hashes": [
-                "sha256:00a1ba5e2e95684448de9b89888ccd02c98d512064b4cb987d48f4b40aa0421e",
-                "sha256:00e28066507bfc3fe865a31f325c8391a1ac2916219340f87dfad602c3e48e5d",
-                "sha256:045d792900a75e8b1e1b0ab6787dd733a8190ffcf80e8c8ceb2fb10a29ff238a",
-                "sha256:0638c3ae1a0edfb77c6765d487fee624d2b1ee1bdfeffc1f0b58c64d149e7eec",
-                "sha256:105abaf8a6075dc96c1fe5ae7aae073f4696f2905fde6aeada4c9d2926752362",
-                "sha256:155136b51fd733fa94e1c2ea5211dcd4c8879869008fc811648f16541bf99668",
-                "sha256:1a465cbe98a7fd391d47dce4b8f7e5b921e6cd805ef421d04f5f66ba8f06086c",
-                "sha256:1d2c4994f515e5b485fd6d3a73d05526aa0fcf248eb135996b088d25dfa1865b",
-                "sha256:2c24d61263f511551f740d1a065eb0212db1dbbbbd241db758f5244281590c06",
-                "sha256:51a8b381b16ddd370178a65360ebe15fbc1c71cf6f584613a7ea08bfad946698",
-                "sha256:594234691ac0e9b770aee9fcdb8fa02c22e43e5c619456efd0d6c2bf276f3eb2",
-                "sha256:5cf4be6c304ad0b6602f5c4e90e2f59b47653ac1ed9c662ed379fe48a8f26b0c",
-                "sha256:64081b3f8f6f3c3de6191ec89d7dc6c86a8a43911f7ecb422c60e90c70be41c7",
-                "sha256:6bc25fc545a6b3d57b5f8618e59fc13d3a3a68431e8ca5fd4c13241cd70d0009",
-                "sha256:798caa2a2384b1cbe8a2a139d80734c9db54f9cc155c99d7cc92441a23871c03",
-                "sha256:7c6b1dece89874d9541fc974917b631406233ea0440d0bdfbb8e03bf39a49b3b",
-                "sha256:840793c68105fe031f34d6a086eaea153a0cd5c491cde82a74b420edd0a2b909",
-                "sha256:8d6603078baf4e11edc4168a514c5ce5b3ba6e3e9c374298cb88437957960a53",
-                "sha256:9cc46bc107224ff5b6d04369e7c595acb700c3613ad7bcf2e2012f62ece80c35",
-                "sha256:9f7a31251289b2ab6d4012f6e83e58bc3b96bd151f5b5262467f4bb6b34a7c26",
-                "sha256:9ffb888f19d54a4d4dfd4b3f29bc2c16aa4972f1c2ab9c4ab09b8ab8685b9c2b",
-                "sha256:a5ed8c05548b54b998b9498753fb9cadbfd92ee88e884641377d8a8b291bcc01",
-                "sha256:a7711edca4dcef1a75257b50a2fbfe92a65187c47dab5a0f1b9b332c5919a3fb",
-                "sha256:af5c59122a011049aad5dd87424b8e65a80e4a6477419c0c1015f73fb5ea0293",
-                "sha256:b18e0a9ef57d2b41f5c68beefa32317d286c3d6ac0484efd10d6e07491bb95dd",
-                "sha256:b4e248d1087abf9f4c10f3c398896c87ce82a9856494a7155823eb45a892395d",
-                "sha256:ba4e9e0ae13fc41c6b23299545e5ef73055213e466bd107953e4a013a5ddd7e3",
-                "sha256:c6332685306b6417a91b1ff9fae889b3ba65c2292d64bd9245c093b1b284809d",
-                "sha256:d5ff0621c88ce83a28a10d2ce719b2ee85635e85c515f12bac99a95306da4b2e",
-                "sha256:d9efd8b7a3ef378dd61a1e77367f1924375befc2eba06168b6ebfa903a5e59ca",
-                "sha256:df5169c4396adc04f9b0a05f13c074df878b6052430e03f50e68adf3a57aa28d",
-                "sha256:ebb253464a5d0482b191274f1c8bf00e33f7e0b9c66405fbffc61ed2c839c775",
-                "sha256:ec80dc47f54e6e9a78181ce05feb71a0353854cc26999db963695f950b5fb375",
-                "sha256:f032b34669220030f905152045dfa27741ce1a6db3324a5bc0b96b6c7420c87b",
-                "sha256:f60567825f791c6f8a592f3c6e3bd93dd2934e3f9dac189308426bd76b00ef3b",
-                "sha256:f803eaa94c2fcda012c047e62bc7a51b0bdabda1cad7a92a522694ea2d76e49f"
-            ],
-            "version": "==1.14.4"
-        },
-        "cryptography": {
-            "hashes": [
-                "sha256:0003a52a123602e1acee177dc90dd201f9bb1e73f24a070db7d36c588e8f5c7d",
-                "sha256:0e85aaae861d0485eb5a79d33226dd6248d2a9f133b81532c8f5aae37de10ff7",
-                "sha256:594a1db4511bc4d960571536abe21b4e5c3003e8750ab8365fafce71c5d86901",
-                "sha256:69e836c9e5ff4373ce6d3ab311c1a2eed274793083858d3cd4c7d12ce20d5f9c",
-                "sha256:788a3c9942df5e4371c199d10383f44a105d67d401fb4304178020142f020244",
-                "sha256:7e177e4bea2de937a584b13645cab32f25e3d96fc0bc4a4cf99c27dc77682be6",
-                "sha256:83d9d2dfec70364a74f4e7c70ad04d3ca2e6a08b703606993407bf46b97868c5",
-                "sha256:84ef7a0c10c24a7773163f917f1cb6b4444597efd505a8aed0a22e8c4780f27e",
-                "sha256:9e21301f7a1e7c03dbea73e8602905a4ebba641547a462b26dd03451e5769e7c",
-                "sha256:9f6b0492d111b43de5f70052e24c1f0951cb9e6022188ebcb1cc3a3d301469b0",
-                "sha256:a69bd3c68b98298f490e84519b954335154917eaab52cf582fa2c5c7efc6e812",
-                "sha256:b4890d5fb9b7a23e3bf8abf5a8a7da8e228f1e97dc96b30b95685df840b6914a",
-                "sha256:c366df0401d1ec4e548bebe8f91d55ebcc0ec3137900d214dd7aac8427ef3030",
-                "sha256:dc42f645f8f3a489c3dd416730a514e7a91a59510ddaadc09d04224c098d3302"
-            ],
-            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4, 3.5'",
-            "version": "==3.3.1"
-        },
-        "jinja2": {
-            "hashes": [
-                "sha256:89aab215427ef59c34ad58735269eb58b1a5808103067f7bb9d5836c651b3bb0",
-                "sha256:f0a4641d3cf955324a89c04f3d94663aa4d638abe8f733ecd3582848e1c37035"
-            ],
-            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3, 3.4'",
-            "version": "==2.11.2"
-        },
-        "markupsafe": {
-            "hashes": [
-                "sha256:00bc623926325b26bb9605ae9eae8a215691f33cae5df11ca5424f06f2d1f473",
-                "sha256:09027a7803a62ca78792ad89403b1b7a73a01c8cb65909cd876f7fcebd79b161",
-                "sha256:09c4b7f37d6c648cb13f9230d847adf22f8171b1ccc4d5682398e77f40309235",
-                "sha256:1027c282dad077d0bae18be6794e6b6b8c91d58ed8a8d89a89d59693b9131db5",
-                "sha256:13d3144e1e340870b25e7b10b98d779608c02016d5184cfb9927a9f10c689f42",
-                "sha256:24982cc2533820871eba85ba648cd53d8623687ff11cbb805be4ff7b4c971aff",
-                "sha256:29872e92839765e546828bb7754a68c418d927cd064fd4708fab9fe9c8bb116b",
-                "sha256:43a55c2930bbc139570ac2452adf3d70cdbb3cfe5912c71cdce1c2c6bbd9c5d1",
-                "sha256:46c99d2de99945ec5cb54f23c8cd5689f6d7177305ebff350a58ce5f8de1669e",
-                "sha256:500d4957e52ddc3351cabf489e79c91c17f6e0899158447047588650b5e69183",
-                "sha256:535f6fc4d397c1563d08b88e485c3496cf5784e927af890fb3c3aac7f933ec66",
-                "sha256:596510de112c685489095da617b5bcbbac7dd6384aeebeda4df6025d0256a81b",
-                "sha256:62fe6c95e3ec8a7fad637b7f3d372c15ec1caa01ab47926cfdf7a75b40e0eac1",
-                "sha256:6788b695d50a51edb699cb55e35487e430fa21f1ed838122d722e0ff0ac5ba15",
-                "sha256:6dd73240d2af64df90aa7c4e7481e23825ea70af4b4922f8ede5b9e35f78a3b1",
-                "sha256:717ba8fe3ae9cc0006d7c451f0bb265ee07739daf76355d06366154ee68d221e",
-                "sha256:79855e1c5b8da654cf486b830bd42c06e8780cea587384cf6545b7d9ac013a0b",
-                "sha256:7c1699dfe0cf8ff607dbdcc1e9b9af1755371f92a68f706051cc8c37d447c905",
-                "sha256:88e5fcfb52ee7b911e8bb6d6aa2fd21fbecc674eadd44118a9cc3863f938e735",
-                "sha256:8defac2f2ccd6805ebf65f5eeb132adcf2ab57aa11fdf4c0dd5169a004710e7d",
-                "sha256:98c7086708b163d425c67c7a91bad6e466bb99d797aa64f965e9d25c12111a5e",
-                "sha256:9add70b36c5666a2ed02b43b335fe19002ee5235efd4b8a89bfcf9005bebac0d",
-                "sha256:9bf40443012702a1d2070043cb6291650a0841ece432556f784f004937f0f32c",
-                "sha256:ade5e387d2ad0d7ebf59146cc00c8044acbd863725f887353a10df825fc8ae21",
-                "sha256:b00c1de48212e4cc9603895652c5c410df699856a2853135b3967591e4beebc2",
-                "sha256:b1282f8c00509d99fef04d8ba936b156d419be841854fe901d8ae224c59f0be5",
-                "sha256:b2051432115498d3562c084a49bba65d97cf251f5a331c64a12ee7e04dacc51b",
-                "sha256:ba59edeaa2fc6114428f1637ffff42da1e311e29382d81b339c1817d37ec93c6",
-                "sha256:c8716a48d94b06bb3b2524c2b77e055fb313aeb4ea620c8dd03a105574ba704f",
-                "sha256:cd5df75523866410809ca100dc9681e301e3c27567cf498077e8551b6d20e42f",
-                "sha256:cdb132fc825c38e1aeec2c8aa9338310d29d337bebbd7baa06889d09a60a1fa2",
-                "sha256:e249096428b3ae81b08327a63a485ad0878de3fb939049038579ac0ef61e17e7",
-                "sha256:e8313f01ba26fbbe36c7be1966a7b7424942f670f38e666995b88d012765b9be"
-            ],
-            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
-            "version": "==1.1.1"
-        },
-        "packaging": {
-            "hashes": [
-                "sha256:24e0da08660a87484d1602c30bb4902d74816b6985b93de36926f5bc95741858",
-                "sha256:78598185a7008a470d64526a8059de9aaa449238f280fc9eb6b13ba6c4109093"
-            ],
-            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
-            "version": "==20.8"
-        },
-        "pycparser": {
-            "hashes": [
-                "sha256:2d475327684562c3a96cc71adf7dc8c4f0565175cf86b6d7a404ff4c771f15f0",
-                "sha256:7582ad22678f0fcd81102833f60ef8d0e57288b6b5fb00323d101be910e35705"
-            ],
-            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
-            "version": "==2.20"
-        },
-        "pyparsing": {
-            "hashes": [
-                "sha256:c203ec8783bf771a155b207279b9bccb8dea02d8f0c9e5f8ead507bc3246ecc1",
-                "sha256:ef9d7589ef3c200abe66653d3f1ab1033c3c419ae9b9bdb1240a85b024efc88b"
-            ],
-            "markers": "python_version >= '2.6' and python_version not in '3.0, 3.1, 3.2, 3.3'",
-            "version": "==2.4.7"
-        },
-        "pyyaml": {
-            "hashes": [
-                "sha256:06a0d7ba600ce0b2d2fe2e78453a470b5a6e000a985dd4a4e54e436cc36b0e97",
-                "sha256:240097ff019d7c70a4922b6869d8a86407758333f02203e0fc6ff79c5dcede76",
-                "sha256:4f4b913ca1a7319b33cfb1369e91e50354d6f07a135f3b901aca02aa95940bd2",
-                "sha256:6034f55dab5fea9e53f436aa68fa3ace2634918e8b5994d82f3621c04ff5ed2e",
-                "sha256:69f00dca373f240f842b2931fb2c7e14ddbacd1397d57157a9b005a6a9942648",
-                "sha256:73f099454b799e05e5ab51423c7bcf361c58d3206fa7b0d555426b1f4d9a3eaf",
-                "sha256:74809a57b329d6cc0fdccee6318f44b9b8649961fa73144a98735b0aaf029f1f",
-                "sha256:7739fc0fa8205b3ee8808aea45e968bc90082c10aef6ea95e855e10abf4a37b2",
-                "sha256:95f71d2af0ff4227885f7a6605c37fd53d3a106fcab511b8860ecca9fcf400ee",
-                "sha256:ad9c67312c84def58f3c04504727ca879cb0013b2517c85a9a253f0cb6380c0a",
-                "sha256:b8eac752c5e14d3eca0e6dd9199cd627518cb5ec06add0de9d32baeee6fe645d",
-                "sha256:cc8955cfbfc7a115fa81d85284ee61147059a753344bc51098f3ccd69b0d7e0c",
-                "sha256:d13155f591e6fcc1ec3b30685d50bf0711574e2c0dfffd7644babf8b5102ca1a"
-            ],
-            "version": "==5.3.1"
-        },
-        "six": {
-            "hashes": [
-                "sha256:30639c035cdb23534cd4aa2dd52c3bf48f06e5f4a941509c8bafd8ce11080259",
-                "sha256:8b74bedcbbbaca38ff6d7491d76f2b06b3592611af620f8426e82dddb04a5ced"
-            ],
-            "markers": "python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'",
-            "version": "==1.15.0"
-        }
-    },
-    "develop": {}
-}

README.md

@@ -4,7 +4,7 @@ Ansible playbook for base and initial configuration of the web server hosting my
 ## Assumptions
 Before you can run this, a few things are assumed:
 
-- You have a clean, minimal Ubuntu 18.04, Debian 10, or Ubuntu 20.04 host up and running
+- You have a clean, minimal Debian 12 host up and running
 - Python 3 is installed on the remote server (requirement of Ansible)
 - You have a user account with password-less SSH access to the machine
 - You have sudo privileges on the remote host
@@ -20,12 +20,12 @@ Once you've satisfied the the above assumptions, you can execute:
 
     $ ansible-playbook web.yml
 
-## Todo
+## TODO
 
-- Switch from `cron-apt` to [`unattended-upgrades`](https://wiki.debian.org/UnattendedUpgrades)
+- Switch from tarsnap to restic
 
 ## License
-Copyright (C) 2014–2020 Alan Orth
+Copyright (C) 2014–2021 Alan Orth
 
 The contents of this repository are free software: you can redistribute
 it and/or modify it under the terms of the GNU General Public License

ansible.cfg

@@ -2,15 +2,16 @@
 retry_files_enabled=False
 force_handlers=True
 inventory=hosts
+gathering = smart
 # instead of using --ask-vault-pass
 ask_vault_pass=True
 remote_user = provisioning
-
-ansible_managed = This file is managed by Ansible.%n
-  template: {file}
-  date: %Y-%m-%d %H:%M:%S
-  user: {uid}
-  host: {host}
+interpreter_python=auto
+# Don't warn on unknown SSH host keys because it's super annoying for new hosts
+# or if you get a new laptop and run Ansible there!
+#
+# See: https://docs.ansible.com/ansible/latest/user_guide/connection_details.html#managing-host-key-checking
+host_key_checking = False
 
 [privilege_escalation]
 # instead of using -K

group_vars/all

@@ -3,4 +3,12 @@
 
 tls_cipher_suite: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
 
+ansible_managed: |-
+  This file is managed by Ansible.
+
+  {{ 'template: ' + template_path }}
+  {{ 'date: ' + (template_mtime | string) }}
+  {{ 'user: ' + template_uid }}
+  {{ 'host: ' + template_host }}
+
 # vim: set ts=2 sw=2:

group_vars/web

@@ -0,0 +1,14 @@
+---
+# file: group_vars/web
+
+# run nginx by default
+webserver: nginx
+
+# all hosts run fail2ban with the sshd filter, but some can use other filters
+extra_fail2ban_filters:
+  - nginx
+
+# root prefix for all web servers
+web_root_prefix: /var/www
+
+# vim: set ts=2 sw=2:

host_vars/nomad01

@@ -1,87 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-37356463383831623061363666396235346361663734326234323239633332383431656534636337
-3238613566336363636235393535373330363562333135630a626531343430396666323139633833
-37656533353537393335393966323637326335666134613633643330313334383237383736623637
-6533343338396536640a376466633436643162393533646464343930346665616165613835373630
-66353037653339633038353033316463393234313630646138636633643066653636343739383730
-65343161306339343931323737336531646131363034343163366137616231363638313330343365
-31663932343436313364326331373733373830646637313733323335306161626135616438656363
-32623333646637633636316139613234613232393462306364633966666639623231643735663266
-35396266313936326532383139346361626532323263633662373139363638303961616638636535
-65343862623865386436643930353834323566356164386432373434336536363262356638313333
-64626633353565303538353634626438363131633164636263643938386538323932346337343730
-31336266343532306531626234323962353930343333656436356436343666336335633233386462
-34623332393734633761303762306336656232326533313131316331326639376338393437363834
-32663766633037316266373064376638643237343434356166613862383963633231353531646432
-36393438653234326330316438333862396163383231623034383963336435393533393263653739
-38373764373034313231373536653233666230333437626431383161346636376434383135393434
-30353361343136663135356536316630643163613930306363343830323932393635343936396535
-38366638353737336637356237646332353438303632396238356364343464323064373031656331
-31346134323965646336666336303835326463656339356131613633336539613234653332353539
-35613362653335663863626532363433663634393036373462663833636333646661643865353533
-39376535313635373434633466643135323762613539366135376536653761303134303964343534
-65333934396638373239646339343732623139303037336133363533653330383261383437393061
-37336334363237333437633664313637366566396232336337303235366337616530333261356662
-39666531653762326364353534623431333530653935316161383535663762636136316239336233
-35373962623934633663656337306439616431316165666563336532373135323566386431303733
-36313264323066653164346338653433393337623666646162383666303930613939396662373965
-38653863623935336632666366373764383136376163663137313234663761343066336235626232
-35303532376537643663653431323830623364623362346437396664386363396632646364666130
-62663265363334383663626661363632646432393463373564396633393235353434636437623261
-30323866636332356136396662363930613961613961343963313733343033616539316131323262
-65666665663731636633623464353430623135373430313065626438396363366335363466316132
-64353730383761386563353133396262366265343637643931643565386461303138613565303239
-37646339316366316431663237653230346464643433376639356462643133643234386131613965
-66333831663832326131343134633231636633373735333634663861393531633738366136356130
-38653534666662303539353534636537343665366231346565376437313037646162663365666630
-33366631653530326234326333623333346535343362666263376561333334633533356264393637
-64633864616430653663366133343962376233656562643335633336326335626664653861323334
-65653864323062616234343636633435396332636635653266353032623637356133383538383034
-36383936666238333366386637313434656332626266346439346566666537623039323936303936
-62353130663632636636623466326663623639313433353766346230383138323461643962666562
-65646234346631613139393265666663663537323236383832373532393662643566636164653364
-39636133613937393433636231626238386463376434666166643662313661663635356436636165
-38333830313638643863373162636530346433613366613437643932383035643464363732663633
-38633065366638656635356462393935383665386532633936366437333233316563366231393935
-32393736343365383164346634326336373436386630386630616436373139646531353038333562
-39646132643332373563613664303931633735656135376561646166343934396130343834653461
-62343662386239313731336538393430316263333966306530616161633763306331633834323633
-35633237333136366439376666636461356131663830323832646462653035643561396337633362
-64323532663637323966663262353266316361353931333738323762656532343165626266653035
-36353462306361383233303464353766323466393862313037386139326231656230343630616139
-34626533323065646636643736323535356461623063663262656562333466666634376239356633
-38373362363030346434316261643236363337663237323032623339393936303130393662666434
-33386134386633623930376334333466666137356432636131373562306533333836353332316136
-63653533336232336632353465373263363037313933663131633763343366663034353364373661
-63333166306332663837313334623231653561363964306337353564326266353366343538366433
-63383335336566366564333735383337353765613035383135616135653662346133333338303730
-36303334623335613836333938646366376634353664633731666235346638346662656634393631
-35396262323939393562306530323763353939363264666331373266363937653063366138636364
-36623835383961336331303439613731633734343135323938306263363637616235336461333732
-65303636623766313038356266363666316665343832623662643263623233356232333062333933
-65373763376430366565363161333330376138313130363534623364653434616438363732643333
-61336631653762613231373236613164623566663730396163383136366430353439346637623965
-39356138633037313165333034633234353666646132656532386332393962626239383633383833
-64396430343535346438623233326632663839336233316336383261346330353739633331396362
-65643161396430646436376636613061656566623038633665623938656232633665633365613837
-36386633313032306238373063346662333539313931366232323931613165343639666437386630
-63343766633336346632393231303566323562373236656135366135376262613163646235646635
-31356264393231353335363331663666623832643638653064366438373063623462333631663631
-32356664663332356538636462383364633036303733393161366565393361363530626431623532
-34303538653032313138373339663833613637356364376561316535643238356633356130376665
-37643231333037626164663634383666323333316235353832333335393262366235613461623166
-30343933643637656262613337313962666432656632323631353066353838373864383734646361
-35393966646331633466316636326162343831393639383034396133383537313138646339646163
-37363736613135326634363031626132326664343732646161623362373036323337623063653064
-37373839396261653764626338393438643634666463336263346566653366336536376464643934
-31366261353734383064346433363730623762636463613432373338356337656665376338353965
-34353866343734633661633466313132663463323962653431316536643565666364386438336236
-35376163313462383130366337653239623866663837666238346262636238623932333435623634
-65333132373436353533333834653131656638336362623535613366346266653863326431666137
-32613563316138333837333131663637346634663962616230623534383239616132623130646137
-62613863626632323838343736633765393666336664313563316535346130333462353063656166
-62376237663566396665366238323937343434363964653133393163343932353761353038373234
-33303462613837653730646462643765396631656536353335353532663033663433613032623833
-36656534646163353266316531343137626131316536396338666262336136653734613838333133
-62663937346566626131323033313432333562633337326634623866656363393165363235386265
-6332653639336330336135333865633662363738613565303766

host_vars/nomad02

@@ -1,127 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-35356461313263333464373365643730653766393437316133336138313761343130646131363861
-3834623038366139376261326439633334393565346666650a323963393665366134386535316530
-61316264343737383331663361353838656333623335393635393762303533313036373161393462
-6664616164633039360a613766323932323266613166646635376333626333356364316233633931
-37646436383339343938356164646262363032663063393038616535346139633435623265343762
-33663036393761643861386538336665366537626464373931386535666237636439383133393636
-31383938376331313531366237336463323563323134313037393435333239613663663234376239
-62346163663061316666636138353962383336623133333030396534323033626632343561386466
-30356266313566316565626562376364643238386561323165633730383262343638326337636264
-35636264386262363264633833653265393962373435653639363733636562343238363931663031
-63666135613437366166643130623034616636616632633838653464666130383365326434666234
-32643164353766323131343137373438613663646635326338303934613065653466613036323961
-38353034636434663061353138393130316432366539643937623935643834633964653630326564
-31636563336138623433366536663632313863313435333531353865623066656631343032383937
-65313535303563653762646261396366333737306331643037366433323030303265613638616164
-36336338333837393235326539303964323261393039393533643538623634613432643532333863
-66376166336662306564323433356330336662333433633061313266323638396165656665663965
-38376465383662626633396366326466333436333338373361363039306539396337333061643264
-37356562623130373765366331643332376337353065366561656261353131666533636466386432
-31643438633464356464333065316139626166326164616666363666393562356239343637333030
-39366231316462663265346464613333306336316163643131303235616432613565613733333466
-33343036326435643736336465303861643739663536343965346433363231323065643733336634
-63646133633037613964393935373161666161383862616333376638616336616537616363643661
-36326665316332303537663935633431626533323838393638653661343665306332396130393866
-66303231666533393132396538393963626132643366373539656437386663653261323465613366
-39633964366362353866326562313834313266656265363161316261386638623737393034663665
-66303966623830366431316432323863386332383362396534396166343238616534346335323761
-31366164623465643331323330323736336337653230623362626230623365636364633261653765
-38613566626537386134373133376139623062383736356634393739353665326164343131323833
-31313038363663316636356431613032636131303964373564633462303735323364636131373033
-30623336306663346639326638303930383466323938356163633964623565313261363139303238
-31326666363164376261393062616339643039316163346362633865356433346636323664656262
-65323565346137333338363864346437373261383936626531316330316539653339303464623462
-32616635373631323465646632323732323432316332353033656339366639663732313939303733
-37306130656662383237613361326161313039326561396538396333373362633365353130343963
-35613833616635353266636265313766323635303764346236306664346432366632376132333034
-65303235366137356634666138343232366533613966363030376537386162396638656637663932
-66663939393737313634383430323339663634333533653265656163326637636635386163313333
-38666236626131333139633834373534316638303364666135396361616130303061313431643936
-64666134623666363937356334356134306463386466613365363136663136393833616430623836
-65373663363664333766373136336636393663376535623532626632396665366436623661636665
-62333961383034353664323333353766343939666636616539653236646634313333373639643765
-32353161633665306463386633616131333130303139306134646134663865306463353838323565
-39313538393034323065333031386634396261336131333763393466633335666238373663623564
-38316633663536383730376532633830623939633662346636356632653031633335313732666663
-33613133653666313564626261353730373637396137323964363866653964373838613130643337
-32376165356236663332366566626639313038363138343061306438313435613862626564613830
-61306262613262366539663338643962313066613665353063306537643561666462333763623866
-30643230313334646535336662616137326437323438336361376562663361376230316362323235
-65363630666464323638323761343033313763633866623361376636653631396263626239613764
-64656163343435643838353033316364306134663833616231343831613338653330643466643630
-62323039396231366136353432373732613465336163326132353731313765356163323866633736
-35326665613165373339353165613036646665313065343432663563306664323163306535613338
-31663138333639666133323139326339313733663334336637373866636661636538666630346233
-31393364313433626565616661313265336165613534666232333835383963646433316632303533
-62626134623830363533393833633439313034633965346163393932636464326664653335643833
-35386332663736343766656232313031306534653434363164623530613232306531336561373534
-37333763626135373538313561303737623035653832333533663534313035313530373037616634
-30613937626664373333643735633164663930316235336663376132353338356333623431343535
-37623138363937646665626535303463643330333233363136313134383939343535646539346363
-61633966396234393961663735646634373266373264626635306162386632376262646336316266
-36363166393332626533613736353038656266323263333036303964656662663436616532396665
-64366638386164313466313630663138333066653061666362336661336539653339616234646538
-30316334346162363065313438663865346434313564363863613532313637313430653439333962
-34643039383030623564666230623264303338343564643961653531366463623166333661653630
-38613062626464663963626233663837653533626532653239343065383036663162646261386535
-36356231383263396365653639613664346361643666336463623136616330336161373336643535
-36613530396266633861643530633732333436373966613437343736653537333531663466383438
-64323064356262646133363463316639353630653766663731653030616461393139396265343033
-31336662366465633264643065386432376435346236323565326562663161396435373762613839
-36316365633937636330643837646335613262363734396261313633373731363466356632636532
-37653036336665393733343832363739323739383730306635306666333566366663396230623433
-64663338626239313265623838383933653539666666383633623939343461393036303230663562
-35363232636635613739356536386439326537363965626261363962383231386532623565343662
-61633931613131303836356366653030656333623235663266636535666632353666386666386630
-36303134613262663335623330356639383432353133333137363665633565363037333136653933
-64396230613837396435333835343265633638346232303738663764663032343061346539393135
-63303064366130333030663739326331633762386332333162393631346234306363313737663261
-31303437376339353634393438316139663862333530653339393030633932343765326435303530
-30326566336361646563313433663063396338663661353832666561393437306131336465343332
-63316533623362613062626337306530633833323132616662613366653566396136643936653435
-33323938333666333439653037383335353763386132643362643361386232383964366237326538
-32343061643462343265383234366465366232666434623634383132303138643333343663613039
-65663339663030326364663561383833333432633437313232356265396532303735316234353565
-39313532306437333238373064643238666632383166313832326662663762316165323936623239
-62366239393530366666343866376566623863373333666266316334346138396566613263333539
-38373438653663353537323961373434363735303838306262323330616538636333306366373663
-62666462336331623761363036353331356632643664373665656332663530613931376666353261
-64346531363265316439393633346334383439623338653334343739353464316436626635653139
-39633232626463303463646162633131626538353232646663356335363663613234376338623539
-30303765636635633331326337373334626664343063623130393438633863306531653631323763
-63323661356362346536646430623864306135663766313833366165653066343439663064336331
-33353135383830373831623463646461616665326139623565666464363961306461343361343665
-30633331666533383161623130613963376266613533366334393262313730313630323836623162
-33613637363431306632366230336537373732613337613830666635353632383834383465303261
-39633334616561386163353661306564333632653731363434666562353561363462376563626563
-63353666653637336666376138333966643237633434396561386164623435333836653238383261
-30643331373138313062616532366265313831613938373865336435383564636266663462636461
-63663230626532613130623566376437356337653564303033393737663735316130633234643163
-30373264363331366435383837303762363531333335613738613463336139643333626239346232
-31393631663861623330353536313731353332313135363436643161353435653865313666373639
-37313734306461633338363033623535653066633135666463303261383366333266613830623138
-37303963666139306632666537633137326434366231333435323335623130356332313165353733
-37656238613138396635303765376666303631633034306133393639363662313066653062373638
-63313961343932393964643538663863313664616164363264663438393639306161373539653265
-34346535373939316563353437663066656439353161623337343935396463363231636262656565
-61653766616238393030333837616631373736323837363136623337623539336661633533653663
-37376530303630313861376261323231303464653666323237373466353037313230333861373366
-61323964636235373030343462326166323533343266353236653138326639363664633066346239
-66636439373262646536333134306363313531333437316536656337633764356339633933336131
-64366565323438343864666462356232616263623530613631303265313861383135333562343263
-39633938313435313266386538346132336638303938373964616535313035653063636435643538
-31636134393930363635613733343538326637366661623833396531623832616238323637633866
-35666266656465323830356432653839633763643430363431326632393664656464363238363364
-64356132326561376330316434393765663661356466346463366538323439393531343632316134
-65313436623664613230616562323138343831623033643338363839343837303334346361356433
-63356163626432343733336531366333636466613863613438373662643266636134633934326432
-31386634363161653965303230306336373434613232613237343836353061613533616237666462
-35393935383431323764646465636563363633336463353064346631363531383061333135386161
-64363366303262336464646232316231613332333732373932643562626534666634316565343164
-39336436366163326137396236393034363162366634616233376465303063663330386137343733
-65393231343634316365326663666532646162623633373530393563313861653638353932396137
-38666161336432303666316263396538663665353334376637343762613262303062313932363831
-65346637366163333233633562393535306263666330666636613363383939393035643132326162
-35656130366237363136643938633931363731623662343536623136313436616265333138646239
-3765356139356136346264386137316437303865646335643530

host_vars/web19

@@ -1,112 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-34636661633964333963313436313765666332666339336233356538653664643432383732356635
-6137633362376666343931393930636336616335666161310a626439616637643531363739646536
-34393135666639636161633566313264336363646666323963366331616362383436396462376631
-6666356161386237370a633463353738626131353263353337376638353465383330393062336464
-36633930623933616135653439626466653930336366666265313566653839346237333966353036
-61376564656539326535393830373634343237663865326635363364663230356434376437356665
-35633762663036623831373465363836646366616330633962383538393965333832366433363866
-63333337356132323630656538666635333234343838306330646361623833353336326132643238
-61383337373666313364656333326264633763633062636265396637656630373033363133663834
-63656333313161666566333131333534306133653365636164656139313531623439373639363234
-38636265613337323733323364373832656465653266363334306133613035393937333539643736
-35363231663662366633373264663636333735643064316262646436616139643364616534316462
-64383734326132663734383435653034663061393561313438363934313661613463346338616466
-64616565623136316261366563356538313532336439373031646561336631633830323437303632
-61333761663538333762333736323865376365333963346331313432633862363436366366643235
-34653832666362643162643136656132336465643966336438316563643161636136343536653932
-39626335376338313334663564363863646563336435343162623562653431663432306537616161
-35623865343833343863336664383163636430396637346639653738613739333961613938633032
-34396462313033323061353639643465386433613734313664663336613833323764653635336233
-63646362323362643936313330636131346562323233393036323036656465656662353163386665
-66333036396161356539346330306165613438386438623732636634353365303836373565396364
-34393336626166613465353833613031656537383730623761653333313332356164356534313031
-36376139383065313563303962313664636361376631383335343131336139303233326162306633
-39393432303839613133363231336665353636366165333564313330663763303233343462646664
-38653936383566623461386536333836353833303764393663393066363234336537613331623363
-31353338323164666265613464643532663938363064626431383938393136396361653464643730
-31663838343030313930396632306136646335306562326561353237636266326464663464633166
-65306661346438626332343864646534336435653239623135346639303330313330333362353039
-63613266636563616265333534346164333134316537356138323632666138336362356664613734
-62356266376135353636343362336135623662376361343766663034363765376130613730386236
-39343638303732613635376530633231376534643266333031653233656361353439303334313238
-31353431323133666439663835346230333665326561383339616532373036346366653332663539
-33343034653633303432343731376538646263336436323438303961663730666438333435343362
-33616230643863313465363562393263323633666232653839356636313264353365633765613865
-65643862366464383233346239653431383439303439353838333864653433353165383533393437
-37616436376633313633383866363830303536326435656366613638653064376433393730396466
-31613137366538643636303964373339383466373734636235393030333461366466373963373962
-61663661663936366233613762353462656664326566333734383466316336623636383733616130
-33653662626134356232373438653937646234356630393732393533653430386464313134393037
-31633330663531343833313265666237616164383561363063643866633930656630663866313630
-38383932393132366231333932663765623662396266363362376135383064303265653733363763
-61346230386231393165663062643464313436313635343933363133663463636366363135323430
-66643461396237656336643062643166313335663261633964663935333034613034393864656635
-34363936393538316364323836623939633330393130323631376265346439353438396433333231
-64623635343439646466333234643835613365663633373365656439333563663337623537393830
-63386436613963323938643030633435623563636265326463313534353664613930336437643939
-37383835343636316230323765303539383933623637396461666666663462316338663835646564
-39613362353764663939626631363862373235303462376532303131626431646165363730323035
-36343734383536653166616564336431346236623266306661346536623263316332666661333837
-38373765393435363030303362383362396532626130353036376237633030313336666663636562
-33313262613332386365383861393261386333396530386565623537643330363135323039616563
-65376163333963326234653535316235363339656236396465373435343138323765643566393432
-39366231376364633836356230353538343030303533356130653864346336633238303264306130
-35306130616464396439656432313930653161393262356333323066343065343264356163613761
-32656631636237303031313366653065323463343039303132396639653866376563393132636437
-62396236363835383533306265646162666339623966656465396630633931396262333432653730
-37643864643066623662616331653734343765323362326366623238333732316235643435303961
-36636565636539663163336166633363376438303364633034306330393630653835613465353663
-65393961356539653164343231663836366363663637643834633066663562366465316562356537
-33383039343764343933383937363361386235643163363934396666353864323865666434653935
-62633134643536653138316230346431643636623966643833646131633336346263653665343533
-65626235646337623832663764363832303232333936363034616535636530303231653530643564
-35363963393030333432326562636338343664353132343731323137303965613239613663323631
-32316534636238373037303830313530323130363964616161333832343963646262373065663138
-39343363663131386564626263353233353230386266343232303361316630333835636137306332
-30343836623636633966666434326539356233643234356333376633303230306235623564326166
-33386361336163626430376139656335656230636337306133326339663532313131633931383934
-66316531643266383436386537663239623533636362323031366135656539613734316339383964
-61383837643663373162623763353335326636366164616261623231353538653862366565326463
-35633639363238653261303834303835346361623766636631616538353036356230316161626261
-66663736373838303265336339383230343563336664383737623865653133343034373862373865
-33626232663637313539663564623837336539366138393562383532636164633433353565666239
-38636637633665303032646437663862346365333231373161353464633438313032636331303263
-65623438666439333239646261613631363664356537396163353532393532343561383966353438
-35376336613133633261656364623436643939323166373362346230316336343166663762636336
-31396465366263633435616463396530343830393361323738616330393766656237373862323066
-66663337366137363362383934373763373634363763633538363461316134616530386131316261
-64643862373831343234356532376265633362633961313163333738353730643237316539333234
-61343738656138353264376465636332376562303631643665636539323439373764393239353837
-63613264653064333537363436383861656430383430366462323764636564643264633962336162
-63643532626333656132393362376131396535623762646132356637343738633130303936663038
-64643337373232356238616233343564316134343939326135653164613536646336353965323762
-39346463353130376335346165346235366538356137646366383336313630653366336165613530
-36653962326265643962653464623061376432636632343732616637393963663937383932313138
-35353837373261646161663838633862663333656237353733303033663364373237623765393661
-36333662373237646466333062306133303637363862333839653663346530353162356562343134
-30326461343432653332396464333062666536623964363465663639643464393437646638326537
-33323830633235313030616139363663373565343836616530623732316133613035626430363839
-30613733656563323034383061303837323338393866363364393832306139396337323636613032
-30383966663765303564356263363038383864613965306163326432323663396134326431353732
-39663130346337323464396634623831626466616361343834656238326138666266363861306339
-61393334646432373038373235363735623733346635653934303135346534343133653762613362
-39643632663337326232316162396463663638303863616635633737326166313933396337376433
-38383731373536316361303430313730656364633032396135356665366538623032656234343436
-38653935636565313237326631383135366261363064613937306135643336343636386165626137
-34346161366564323131343538316338633162333434646666666334316439653434623237393737
-65613231316165666330373734366234646366313131633030373839353733323936336461366665
-39643161373963646130656636326130613131316263333632356338303863343739313232626530
-36343165396239616662386263363238393130333431303230303831653130343031353263623039
-37393766616232363465356437366639396264313062643935363437373636623566343463303736
-39393166323638663032633064646638306230313061626366306439353236623862393837366666
-37303366333861643664383662303433353263303831313636653933366137623033656139373338
-39646564373762303238346665373732633534333137376231666262623862333361636236386263
-62383538343361363132616231663233323562323964383964346531343530643965366439393163
-65383534356234383162656138313763613636323439386234386463336139653233323862633739
-30613837363135666564393834383233353937346163303764393131663863396631373232616237
-38373865383832356536343633373764313839626233666130323364303632323066636661353764
-65636138646335313831313032653163633831373736653036326136353239613463376262333530
-39383434643538316163643934396265353962616537633161663233633966656265646563373333
-63626533333030353434316364653833333161366663343030326636313530316430356363396434
-346338653161323532663932626435323866

host_vars/web21

@@ -0,0 +1,27 @@
+$ANSIBLE_VAULT;1.1;AES256
+38663333313561616264323430323162323837623430363739623561633331656664613936666665
+6364373033623163393239663035306337383066343438310a383666313434323036643037363065
+30396333626130303633663930663965666662646233393439376661346265616565616236623366
+3930373433646231610a336233663132306263656465633034333030316362643939316465666534
+38353961393038613961353732613434663565633466303265383231343336386330333464376363
+33616330643364376332623634363766656366666239633964316439376463313063333162343963
+61356634393438313063666434626338616264613639656462626639616263366531663135393466
+66346635616439306364356133303664376134626636616131373138656562363363306633333164
+62623135343633393834393165383231316562643062343165663235313930663039623135373263
+61343336643235303962333938613230356465346436376334373438386461366231383737643137
+36343832353730366131653430633465383163396336353065306638373166386438356264616139
+65346635663338366463343932336231386235393836616238373864626235623935663661396663
+31633565356465333737303339333435383162316530396563333335613062623138333232336162
+62376363666431363931663231643561616562383230643737393261623934363633313231333137
+39383238656237343661626662366465356463396336386261326334613436396364633062646532
+61313136366636363861316166396134316562666435653437326331363563653035343138636163
+66336139636533656334643966383962383734623565323435333665666164353732663736326364
+35616264383237316330386539363065376334643432393636643464646238633034333166663665
+33313166393738626133636136346637646437306335326263393634363133663736666338313838
+64623139613037653461643563666539613237323934376534376461313833336338623032616661
+64643062663633366436383232366137373936383430306332616634636331326361383931363961
+62313236313563326438303935373837666434313435653236643135303739373763656562393537
+31653265653739346433663937343439656231663963333633373066356231623762313438393763
+36306336656566633034373834316363333233326130626639313130643935333437653934313636
+32383034346234333561333466653561323834346166633831303566376266373933356536383031
+6236303934323963336662386666653138313165366133303434

host_vars/web22

@@ -0,0 +1,141 @@
+$ANSIBLE_VAULT;1.1;AES256
+65636230346264393938656566653961393466306338353435333061356463363836616435333731
+3537316534663335343333643435383663303438333433650a666133633965643939306661383536
+33626364316338306530393036653134373339653264616537623731323063646531383137333131
+6263363037613631360a343831393830646536326538363764643136613732636165316466316566
+65346162383337626631663533626230643061633139663661656365333738353530316661313864
+32373831396437386434313430666434363534656130613632643264393538663131336635653537
+61613065336133343130353862646130386136333231393962353064666335363330623064626631
+34333137363566313764343335646531326337616563366636316232633936333264373731653332
+66366361643261626563633838663061303762386234336133366233356564343562323965663731
+38326631333166643534313836323337663131313766306166333534336333613735643033326633
+39396335613362363230333863396535343464346437366632316336626539623865313239353539
+30643834633130333564666162623365323439396630333136616137633532363530623234376332
+66353539306637633432353231326666643261386466633533313063353061643761313132623035
+62653263636237666432336662633136653930323532623137386261333862623337326431336365
+36663364386364346631393031326434326334636166663739366435616166363130623463633733
+35383834326231363264623061303066326433613139333237656635643835393762313866356237
+62616435613863616161376666333966323030326531323261646436633233613635383438373834
+31343133326231636661353466396566656365396466343430613262316537623631376433633630
+62336664346363393363306163333662323338343139646238633830326535313034613739616138
+38313637333333383032316134316164363036396338306634633436633564306333336437393566
+61656337343030393936353364386461643766636564333864396130343762323630393839393463
+35343864393035333930313238663465663633633862623336663136626165666131383933626437
+31323936653737646231363036383764333335313762356465333635303334663734636531343331
+37386461643239363434373864373561353339343031346364383530663430393938333963333837
+63303966366364626665303530356433643264343861346238353937386338383034356633623231
+36663735386233396138306561326339626262326463336535646265666637383032396435333835
+31363266666230366438313432356637663632333530646263663563373137313262663937636532
+66633731333166386564386666363130633734643963653030386533393766623038383234646161
+36343135663231323030306430623535373534353835623339333738376362663930343436343637
+34383963306266623437323462356466336533643933653839366666393839626663353264326334
+32663461663561396631363533383334363361373764363132643435373537333839613066396463
+35386436326638353431363064626131306634363339653132396563356239653265303930333634
+32376332643863376237383966623233323864393338346537393865363661616338333631383532
+34373635316138663261633839333664353432666234306463306338653634633038373266646462
+32336534356537306366656236356663616336333031306431653239343132336234626165333032
+38303137666131363462363263333832356333616130346337663837376365346166306261373036
+63383236323738303562623631633064363564663861336162356262373861383965623935343931
+65663934623431363164356331353135633837616130363464353661663438323132363165343766
+31393633306261303762613537343034316535373731363365666530623361623630633137326466
+32326533313362333863383561343230626466303831623033613065363136396362373333306333
+32336464356364663564626234653832323265313364343631646633396362373438666165353962
+38396330333161356365626562383531323664636235643666613631636636323638376638396531
+38646531666164653161353932643662363261323564373537343731666232666532633063353431
+61386163363562313330393037656139303365396438313935306333656264373531373037303939
+63373962356233346164383163323532373163376364623766323933623063653939346537306338
+65353266656532636633326137356430666432333465626437633733356435363163626430303964
+39343935623937616130326637323061373538616633393465653266656666376661393635333662
+30363364653130356137393463613038663762396336306234363461396133306562323838336330
+63303735646132353766313137303162366164613530303966383636393934393035306264626465
+36613233376234633932663963623432663032656236323963353036356437383066373532323865
+36643431373966613533646164303564653336396535343366303339303134613936656137653939
+31333062623734613538333666636561386338306235633165386262383261333264623638383366
+34313266333636376337393736343062363539366235393136663561303663386438333834613539
+38623632656161653766363166653661336136653833336663616261663831656133666232633362
+31373166306134653162313134333432323134623336666632613766386662653831643732326330
+63643737333638626162646136373466613536653831663835616432343537323864343166316461
+34393732353930343430356231626636373763636561343430616533663861346566326262313232
+39623936366633363136353632346134643563383833376134363833336137613337326435613764
+37653232613632333334316162383261383836613936376230393633343336346633386539356232
+30316232373738363038356665366663623536626539376364303038643061386363636337386663
+61383634336530666163346239343838326138373932383339396265653764313039653138643938
+31613163653632656238376533363739346539623863623332653936643731623565613234663430
+39363935306330386634363634363233376234613837353765353732646638663830323335616234
+34366334636436633734333830306136333563666337623035653239313361626438316535313434
+37343930643832383136343737313365316238373638323130653766646637343464653134616137
+38313034383833626433326237633863313364353662326233636333333932633039396565356133
+64376166383064343239633364363861616136643061646636323437376162313438396230393331
+32633662323031666238643934646665303666383834336432363430363166356632353033336333
+64383861663563653531643832656238643066323564656134633639666234363363363132623836
+61386431643130333761376161646262346562363532353632633332343666393562313465303337
+31333732626164363464323531323239333963303333626466623966346361383832353765346565
+37303765363834376237636632386663373061346534643132636333623137366662646538306231
+33353538623231636166653838333264396463616437396264353537633661313932353133316438
+61323439363635383035316335363132383366613733383363306366356466333364633537393033
+66636434623962633063306236303831633637656430376533353436613934636466363461333562
+34613339373732343632343435333331353935303735633732656663643938663439656233613163
+65356232633865656439643430636332386663333761376638323630373930663837653638363963
+63656437323138633664613166353537306466666261353532326363346332343363343035386435
+33326238333730303539363265383761663862313961383030326263353034303866626661623334
+61623365373332366333376630626539343835663466666534636561643736646537646431386631
+36366132663830336234613065626262336564316339383038333330323237363665373935326438
+38646335346239316432636138633365373062663564326465643032633438306230363434323262
+34313932653361346261623030623739313665356464373666346361663430336362383063666134
+38323539653437623030333437373231646634333563306165393231653465313731633536323362
+65613262633563653031306139383436663834616339316164393365336437653730393331636464
+32313537313164386164313832396566353137376239303663656130383336336634313235376363
+63326530333339356432343938306465623636336161363133613864336339393635306234656263
+34343437336461303831393562653934633439336562663366643066393439396531653663386531
+65623061643064396534353364663633653331653535306133386466356236623239646432373066
+61313261366466663866613162323939646534653561356335393237376138633930663364636236
+36613834303338646530663565303438363831663865323531386635303239646464343936303832
+31323531363263333830623838666437636262306164386236643032356165323037656630383739
+65666333656639333263346465666463616534353835656337353464336134303732323037393538
+37366263656133643039373438636537343636663065646534616339303833666532396633616565
+38353139323739656564623065613364346164633863343738633163383031663531663365616534
+31663835323435643463666264623932396133336531626331303862356261306238326333366164
+66306262386137363432376530366432356432653333393833376532623333373337393830316263
+30326531613662313430663130613734663937613663353936346134356537393761373238393433
+37356136393731626561303430626339386531386333386536656465646232633934393630613339
+61333163613862346564316336353766346461626639303661353464633835626663313462613666
+33343561613662303036643937656431393432333831383461323631393262346464393539353537
+33633364383261663535323136393138333739356439663731636136393530323864333566323361
+62643961323264336662316661303630636430323838633535343036303437393439656637326566
+34363832366434316639393939313965633037653931323462363465643262653539623063326432
+36616434366432303235663062663138623336336165373734353838333662363239333762323932
+65393765326232373230666437656433373930643638386131363339343630636634636434326464
+39366339326263666239646237326534383665376536313536303263373265306537316161663262
+31346635346436313261626366333738333966643333313230623133313434373530366462653435
+33353434643635383833643736653461373765326537313430353164306566323733653237343632
+66346133656333303538306133313563393363313230323664303836323861346466343230343264
+36613934643662626365653036636136623630333638373565316437646232316263663433313762
+39353234333131623731643662303130626465386338353833393533646564646565623736343039
+38356635393461353166653565336535626366396532633961393334343234353764303431303663
+61666533633731663666346132383037646433336463643062396465383034346631346165323939
+33313937343338383737373164363930336236326432346465646166363430653932333932343236
+38336235613034386533613665393666633635383164646538373035623862343737353463623730
+33396233353331633463373538326365636231323535633737303562613262613730636237336632
+38626230313637336436623661666438666538333838356632653034303864313232623337306333
+66363464643061363337393732323065306335656531376337323438313733616539613538333837
+34363033666366613933343563303537613564356462313931353533323938656362393536386334
+38336237616335346334613534323130613861663239356363366564623933303737306138613535
+63643639323135663232336131643331343063363234336230653536623765323562393161663266
+32663839613564613636343166396463366665666333306239386338616366363236393931313439
+30386238316261323630633464386265353464333735336435646663656638316130333762666531
+38626463316165373434613436343335303633643965633230326534323761616365376630363039
+30336661313737383535343934366466353231396430353030653762383934666235646161653832
+31613565643031353535353234386665373636356362653337366563316630343838626231646462
+34623262343761373831303861313661666435373565386465336166306631376666643631303863
+37633934326262623737373266326631663932373863346466613133303961386466366336643235
+39303933333236626637663636633739343761393432616232643238663738313636346137316430
+34623238326430616134396166306339626261643032613661343763366138653830376463306461
+62366564393364306139633837646264633130383064383730393862633561303538363232663366
+30343633666632303530356637646337623339303236376164633962383839386265336666396436
+38616238656336343066333063393833623862646237323238393465633662393362353161313963
+63663539383630366536313933643565346162646363353035386666396363633635386564346666
+64336362633033346461353133396363646237613433306366333064626563656637383863323361
+31386262346631343565653836333764636366313330633462303533616531316537353538313031
+64366263666138356339373864383866303632366162633738383437323564313732373738373038
+39643862336136663165343736613730306339643237313361333438613438323439373966396138
+62323661383336396636

host_vars/web23

@@ -0,0 +1,67 @@
+$ANSIBLE_VAULT;1.1;AES256
+64326662336532386161646564656439396461666266656463393335663130323930326139386562
+3639653630336132663666646161363938386334323064320a663564613066313533353433333434
+30346561616465646163646534356339666639333862623637613435376361323032636439633930
+3731313063363337380a373961353530383764623830363935626231333734303364313565626633
+37343037633862633632613165323136373662396438613663636433346566653064653632313338
+36396333393334336434326630646164333531306432386133353664336535343363343939393464
+34626335626436353239366138323863656336636536383733363931633933636331643263653566
+30613931616462373336393337363430353962613665353936383533326364353365623333316664
+62383439396131303831326562323264336638623461643361663763356236373464346464316237
+65393232343733643338653734326562626166366562303037613862396564636662363066356664
+32656363616637303039373732396533643432343961666365313963383131643464333765643737
+32386165666131626365313938633530346361383734323334613464353862393931323836626563
+62656531346532646530306463653364326362613162323536643836643839663933343132613435
+63303234646335306632316166626266313635303566396363333464363631353834373761353837
+65643461623135363139646564336430353461336433633765303138313730613630346465326666
+61393133636262653836333664623333656164663361353130623863653863323131326136373238
+33376333316433653337373834666136363130373261333330643439313734343036636364306532
+63343662383539633235356162656366323965383331343139616361653466633865626337326562
+63643761613536613334333065643533323066393764633931633066353064393966646161376361
+37623939386636346161346164303832303534323038626335336665653634386132343031303861
+61323765306366333936303765636436633465356539316631343562363535663932333666363035
+30386233623265636464393662386464333430396337626230306438396563303437363938303061
+32653939383136376365343934613339383563303935623664633639326137353437363261393637
+66613331643530623862636665396536613730306537373666623135663837393466343261646461
+62376162613861643633656334303132353034333834626664666237393534386439313638393933
+35643663613432323432646466386434363335353234643264643463613334356462313766643030
+30336364396235663230356235303264323339643761333036333537633862343862386130626533
+36626536396663393031303533313238616133323239356634303830353439363133353839663266
+36306539636563633734623162356230383232306138393831393336626336383966643335376564
+36303730313936633361643736613736303163363536313038316432323039643362636538333037
+65613663333032623035656665393565366363396134363832363163656532363537373435623233
+36373961333237373264326634353363356537356538343663613034396132396366626330303365
+62353461616434343938386237373365633861333733613631633234623034366364363761613636
+34393532316466323264363363653335366639613731326131393335313039646538626665356333
+62663435633539643237326631636563363833633130363535653336333538366137306235663730
+36633934636536633865376262356239303966646638626638386536366662386432343466366161
+36646436636538643366623864326630396565373462393132343834626638313437316137353564
+34646138616438323065336266366434316135613938643131353034646230396632386433366365
+38616436346232363563336439613939313464323861616530633962316634363462373530613665
+63653636646565303664326631363535373037663734663965346430363831613431613365393832
+62373030336262643430313635626261613232656236333130396537633238623265363932333966
+34326135363762396564613064323135313663613565646461376162306532643433333336666532
+65383661303137613335653336663666653463623565386137326662653839633536326135633764
+33623437333931393737363061356235336232376437643131373531356566323336306138353561
+66333863313461613930383231663162616261616639323238646439656166666261626533636161
+38333362393033316266633364313739366262636530363937386137616234326638303137613433
+65313962653566333364383732386165396136303666383439303064326463346563663434646364
+62396130646632653039383661613638303162363538376236666338623865366639663138363636
+36373766386234383465316635323931356233366262386135363238366538623135623361386436
+64653533646233653463656334633566373433303365353965663732636566663332343337626337
+34623861373562386264346430333133343631653631376366373735626664363965666561306262
+35666235653235346233636361383566616533646662333662323139313865383264633734643263
+63656431393834633935613430643839613433326431666665323136376562333737383862313261
+65656431336439303563373833343965323965346439636131633366633431393032613963666539
+38326539343132326334316233323362633835356265333031663066643535363639623031336362
+64346230383638363763323462386261666266623134393139303264343234623132323437396630
+66363738376133393731616535653230303262313937373333353932303038626166346366303163
+66613831353731373165636532363165356561383137626437333563616561386666623234313438
+37333435306530323235393164383138346131653235633536383636316161316238313064636261
+33353963333430383236303038333939316637326130396430623964633338353863613534653663
+30333839393230626261663966616230303330636335323565663938343562666663303536636332
+34336665323764663163653161373166313631393534326532613538313637313136356336313433
+34353036653738343433613763383137336562373332333062326134626638633938336364376131
+61303435333163663636653135363162303663663266393438656430306532343438386436343735
+31343231653263373532386263653263386435363633396638396164323539306233303562303862
+3339306136613431636138333266633739323666633431363039

misc-plays/change_password.yml

@@ -13,13 +13,13 @@
 
 - hosts: all
   user: provisioning
-  become: yes
+  become: true
   vars_files:
     - "../vars/{{ ansible_distribution }}.yml"
 
   tasks:
     - name: Set password, shell, homedir for provisioning user
       when: provisioning_user is defined
-      user: name={{ provisioning_user.name }} password={{ provisioning_user.password }} shell={{ provisioning_user.shell }} state={{ provisioning_user.state }} createhome=no
+      user: name={{ provisioning_user.name }} password={{ provisioning_user.password }} shell={{ provisioning_user.shell }} state={{ provisioning_user.state }} createhome=false
 
 # vim: set sw=2 ts=2:

nomads.yml

@@ -2,7 +2,7 @@
 # file: nomads.yml
 
 - hosts: nomads
-  become: yes
+  become: true
   roles:
     - common
     - munin

pyproject.toml

@@ -0,0 +1,10 @@
+[project]
+name = "ansible-personal"
+version = "0.1.0"
+description = "Ansible playbook for base and initial configuration of web server hosting my personal websites"
+readme = "README.md"
+requires-python = ">=3.13"
+dependencies = [
+    "ansible>=13.2.0",
+    "ansible-lint>=25.12.2",
+]

roles/caddy/defaults/main.yml

@@ -0,0 +1,11 @@
+---
+# file: roles/caddy/defaults/main.yml
+
+# parent directory of vhost document roots
+caddy_root_prefix: "{{ web_root_prefix }}"
+
+# Email address to use for the ACME account managing the site's certificates.
+# Not sure what Caddy does if this doesn't exist.
+caddy_email: foo@example.com
+
+# vim: set ts=2 sw=2:

roles/caddy/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+# file: roles/caddy/handlers/main.yml
+
+# I'm currently not sure when we need to restart versus reload
+- name: reload caddy
+  ansible.builtin.systemd_service:
+    name: caddy
+    state: reloaded
+
+# vim: set sw=2 ts=2:

roles/caddy/tasks/main.yml

@@ -0,0 +1,82 @@
+---
+# file: roles/caddy/tasks/main.yml
+#
+# Configure Caddy.
+
+- name: Check Caddy package signing key
+  ansible.builtin.stat:
+    path: /etc/apt/keyrings/caddy-stable-archive-keyring.key
+  register: caddy_signing_key_stat
+  tags:
+    - packages
+    - caddy
+
+# See: https://caddyserver.com/docs/install#debian-ubuntu-raspbian
+- name: Download Caddy package signing key
+  ansible.builtin.get_url:
+    url: https://dl.cloudsmith.io/public/caddy/stable/gpg.key
+    dest: /etc/apt/keyrings/caddy-stable-archive-keyring.key
+    owner: root
+    group: root
+    mode: "0644"
+  register: download_caddy_signing_key
+  when: not caddy_signing_key_stat.stat.exists
+  tags:
+    - packages
+    - caddy
+
+- name: Add Caddy stable repo
+  ansible.builtin.apt_repository:
+    repo: deb [signed-by=/etc/apt/keyrings/caddy-stable-archive-keyring.key] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main
+    filename: caddy-stable
+    state: present
+  register: add_caddy_apt_repository
+  tags:
+    - packages
+    - caddy
+
+- name: Update apt cache
+  ansible.builtin.apt: # noqa no-handler
+    update_cache: true
+  when: (download_caddy_signing_key.status_code is defined and download_caddy_signing_key.status_code == 200) or add_caddy_apt_repository is changed
+  tags:
+    - packages
+    - caddy
+
+- name: Install Caddy
+  ansible.builtin.apt:
+    name: caddy
+    state: present
+    install_recommends: false
+    cache_valid_time: 3600
+  tags:
+    - caddy
+    - packages
+
+- name: Create Caddyfile
+  ansible.builtin.template:
+    src: etc/caddy/Caddyfile.j2
+    dest: /etc/caddy/Caddyfile
+    mode: "0755"
+    owner: root
+    group: root
+  notify:
+    - reload caddy
+  tags: caddy
+
+- name: Create Caddy conf.d directory
+  ansible.builtin.file:
+    path: /etc/caddy/conf.d
+    state: directory
+    mode: "0755"
+    owner: root
+    group: root
+  tags: caddy
+
+# TODO: the variable is still named nginx_vhosts
+- name: Configure Caddy virtual hosts
+  ansible.builtin.include_tasks: vhosts.yml
+  when: nginx_vhosts is defined
+  tags: caddy
+
+# vim: set sw=2 ts=2:

roles/caddy/tasks/vhosts.yml

@@ -0,0 +1,14 @@
+---
+- name: Configure vhosts
+  ansible.builtin.template:
+    src: etc/caddy/conf.d/vhost.j2
+    dest: /etc/caddy/conf.d/{{ item.domain_name }}
+    mode: "0644"
+    owner: root
+    group: root
+  loop: "{{ nginx_vhosts }}"
+  notify:
+    - reload caddy
+  tags: caddy
+
+# vim: set ts=2 sw=2:

roles/caddy/templates/etc/caddy/Caddyfile.j2

@@ -0,0 +1,29 @@
+# Global options
+{
+    email {{ caddy_email }}
+}
+
+# Common security response headers
+(security-headers) {
+    header {
+        # disable Google FLoC tracking
+        Permissions-Policy interest-cohort=()
+
+        # enable HSTS
+        Strict-Transport-Security max-age=31536000
+
+        # disable clients from sniffing the media type
+        X-Content-Type-Options nosniff
+
+        # clickjacking protection: refuse to allow rendering this page
+        # in a frame, iframe, etc.
+        X-Frame-Options DENY
+
+        # keep referrer data off of HTTP connections
+        Referrer-Policy no-referrer-when-downgrade
+    }
+}
+
+# Import additional caddy config files in /etc/caddy/conf.d/
+# Note: these are imported in lexical sort order!
+import /etc/caddy/conf.d/*

roles/caddy/templates/etc/caddy/conf.d/vhost.j2

@@ -0,0 +1,46 @@
+{{ ansible_managed | comment }}
+
+{# helper variables and per-site defaults that we can't set in role defaults #}
+{% set domain_name    = item.domain_name %}
+{% set domain_aliases = item.domain_aliases | default("") %}
+{# assume optional features are off unless a vhost explicitly sets them #}
+{% set has_wordpress  = item.has_wordpress | default(false) %}
+{% set needs_php      = item.needs_php | default(false) %}
+{% set has_gitea      = item.has_gitea | default(false) %}
+{% set static_site    = item.static_site | default(false) %}
+{# Allow sites to override the document root #}
+{% if item.document_root is defined %}
+{%   set document_root = item.document_root %}
+{% else %}
+{%   set document_root = (caddy_root_prefix, domain_name) | ansible.builtin.path_join %}
+{% endif %}
+
+{% if domain_aliases %}
+{#   domain_aliases is a string, so we split on space #}
+{%   for domain in domain_aliases | split (' ') %}
+{{ domain }} {
+    redir https://{{domain_name}}{uri}
+}
+{%   endfor %}
+{% endif %}
+
+{{ domain_name }} {
+    {% if has_gitea %}
+    reverse_proxy :3000
+    {% elif static_site -%}
+    root * {{ document_root }}
+
+    encode
+
+    file_server
+    {% elif has_wordpress -%}
+    root * {{ document_root }}
+    encode
+    {%   if ansible_facts["distribution_major_version"] is version('12', '==') -%}
+    php_fastcgi unix//run/php/php8.2-fpm-{{ domain_name }}.sock
+    {%   endif -%}
+    file_server
+    {% endif -%}
+
+    import security-headers
+}

roles/common/defaults/main.yml

@@ -1,11 +1,17 @@
 ---
 #file - roles/common/defaults/main.yml
 
+# add a dummy API key for AbuseIPDB.com (override with real one in host_vars)
+abuseipdb_api_key: dummy
 fail2ban_maxretry: 6
 # 1 hour in seconds
 fail2ban_findtime: 3600
 # 2 weeks in seconds
 fail2ban_bantime: 1209600
-fail2ban_ignoreip: 127.0.0.1/8,172.26.0.0/16,192.168.5.0/24
+fail2ban_ignoreip: 127.0.0.0/8
+
+# Disable SSH passwords. Must use SSH keys. This is OK because we add the keys
+# before re-configuring the SSH daemon to disable passwords.
+ssh_password_authentication: disabled
 
 # vim: set ts=2 sw=2:

roles/common/files/00-persistent-journal.conf

@@ -1,2 +0,0 @@
-[Journal]
-Storage=persistent

roles/common/files/abusech-ipv4.nft

@@ -0,0 +1,5 @@
+#!/usr/sbin/nft -f
+
+define ABUSECH_IPV4 = {
+192.168.254.254
+}

roles/common/files/abusers-ipv6.xml

@@ -1,11 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<ipset type="hash:ip">
-  <option name="family" value="inet6" />
-  <short>abusers-ipv6</short>
-  <description>A list of abusive IPv6 addresses.</description>
-  <entry>2001:41d0:a:3307::</entry>
-  <entry>2402:1f00:8001:8bd::</entry>
-  <entry>2604:a880:800:10::5bf:2001</entry>
-  <entry>2607:5300:120:878::</entry>
-  <entry>2a03:b0c0:3:d0::d4d:b001</entry>
-</ipset>

roles/common/files/etc/cron-apt/3-download

@@ -1,2 +0,0 @@
-autoclean -y
-upgrade -y -o APT::Get::Show-Upgraded=true

roles/common/files/etc/cron-apt/config

@@ -1,5 +0,0 @@
-# Configuration for cron-apt. For further information about the possible
-# configuration settings see the README file.
-
-MAILON="never"
-OPTIONS="-o quiet=1 -o Dir::Etc::SourceList=/etc/apt/security.sources.list -o Dir::Etc::SourceParts=\"/dev/null\""

roles/common/files/etc/sudoers.d/provisioning

@@ -1 +0,0 @@
-provisioning   ALL=(ALL)  ALL

roles/common/files/firehol_level1-ipv4.nft

@@ -0,0 +1,5 @@
+#!/usr/sbin/nft -f
+
+define FIREHOL_LEVEL1_IPV4 = {
+192.168.254.254/32
+}

roles/common/files/ssh-pub-keys/aorth-thinkpad2-ed25519.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHmRO6E0G4Ls3TifVfJ+mQjlfWiBZNJfsSXGhwQ/HA1M aorth@balozi

roles/common/files/update-firehol-nftables.service

@@ -0,0 +1,24 @@
+[Unit]
+Description=Update FireHOL lists
+# Make sure the network is up
+After=network-online.target
+Wants=network-online.target update-firehol-nftables.timer
+
+[Service]
+# https://www.ctrl.blog/entry/systemd-service-hardening.html
+# Doesn't need access to /home or /root
+ProtectHome=true
+# Possibly only works on Ubuntu 18.04+
+ProtectKernelTunables=true
+ProtectSystem=full
+# Newer systemd can use ReadWritePaths to list files, but this works everywhere
+ReadWriteDirectories=/etc/nftables
+PrivateTmp=true
+WorkingDirectory=/var/tmp
+
+SyslogIdentifier=update-firehol-nftables
+ExecStart=/usr/bin/flock -x update-firehol-nftables.lck \
+          /usr/local/bin/update-firehol-nftables.sh
+
+[Install]
+WantedBy=multi-user.target

roles/common/files/update-firehol-nftables.timer

@@ -1,9 +1,9 @@
 [Unit]
-Description=Renew Let's Encrypt certificates
+Description=Update FireHOL lists
 
 [Timer]
-# twice a day, at midnight and noon
-OnCalendar=*-*-* 00,12:00:00
+# Once a day at midnight
+OnCalendar=*-*-* 00:00:00
 # Add a random delay of 0–3600 seconds
 RandomizedDelaySec=3600
 Persistent=true

roles/common/handlers/main.yml

@@ -1,17 +1,27 @@
 ---
-# file: roles/common/handlers/main.yml
+# ansible.builtin.file: roles/common/handlers/main.yml
 
-- name: reload sshd
-  systemd: name={{ sshd_service_name }} state=reloaded
+- name: Reload sshd
+  ansible.builtin.systemd_service:
+    name: "{{ sshd_service_name }}"
+    state: reloaded
 
-- name: reload sysctl
-  command: sysctl -p /etc/sysctl.conf
+- name: Reload sysctl
+  ansible.builtin.command: sysctl -p /etc/sysctl.conf
 
-- name: restart firewalld
-  systemd: name=firewalld state=restarted
+- name: Reload systemd
+  ansible.builtin.systemd_service:
+    daemon_reload: true
 
-- name: restart fail2ban
-  systemd: name=fail2ban state=restarted
+- name: Restart nftables
+  ansible.builtin.systemd_service:
+    name: nftables
+    state: restarted
 
-- name: reload systemd
-  systemd: daemon_reload=yes
+# 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed
+# in the order they are defined, not in the order they are listed in the task's
+# notify statement and we must restart fail2ban after updating the firewall.
+- name: Restart fail2ban
+  ansible.builtin.systemd_service:
+    name: fail2ban
+    state: restarted

roles/common/tasks/cron-apt.yml

@@ -1,12 +1,17 @@
 ---
+- name: Remove cron-apt
+  ansible.builtin.apt:
+    name: cron-apt
+    state: absent
+    cache_valid_time: 3600
 
-- name: Configure cron-apt (config)
-  copy: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode }} owner={{ item.owner }} group={{ item.group }}
+- name: Remove cron-apt configs
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
   loop:
-    - { src: 'etc/cron-apt/config', dest: '/etc/cron-apt/config', mode: '0644', owner: 'root', group: 'root' }
-    - { src: 'etc/cron-apt/3-download', dest: '/etc/cron-apt/action.d/3-download', mode: '0644', owner: 'root', group: 'root' }
-
-- name: Configure cron-apt (security)
-  template: src=security.sources.list.j2 dest=/etc/apt/security.sources.list mode=0644 owner=root group=root
+    - /etc/cron-apt/config
+    - /etc/cron-apt/action.d/3-download
+    - /etc/apt/security.sources.list
 
 # vim: set ts=2 sw=2:

roles/common/tasks/fail2ban.yml

@@ -1,20 +1,55 @@
 ---
+- name: Install fail2ban
+  when: ansible_facts["distribution_version"] is version('11', '>=')
+  ansible.builtin.apt:
+    name:
+      - fail2ban
+      - python3-systemd
+    state: present
+    cache_valid_time: 3600
 
 - name: Configure fail2ban sshd filter
-  template: src=etc/fail2ban/jail.d/sshd.local.j2 dest=/etc/fail2ban/jail.d/sshd.local owner=root mode=0644
-  notify: restart fail2ban
+  ansible.builtin.template:
+    src: etc/fail2ban/jail.d/sshd.local.j2
+    dest: /etc/fail2ban/jail.d/sshd.local
+    owner: root
+    mode: "0644"
+  notify: Restart fail2ban
+
+- name: Configure fail2ban nginx filter
+  when:
+    - webserver is defined and webserver == 'nginx'
+    - extra_fail2ban_filters is defined
+    - "'nginx' in extra_fail2ban_filters"
+  ansible.builtin.template:
+    src: etc/fail2ban/jail.d/nginx.local.j2
+    dest: /etc/fail2ban/jail.d/nginx.local
+    owner: root
+    mode: "0644"
+  notify: Restart fail2ban
 
 - name: Create fail2ban service override directory
-  file: path=/etc/systemd/system/fail2ban.service.d state=directory owner=root mode=0755
+  ansible.builtin.file:
+    path: /etc/systemd/system/fail2ban.service.d
+    state: directory
+    owner: root
+    mode: "0755"
 
 # See Arch Linux's example: https://wiki.archlinux.org/index.php/Fail2ban
 - name: Configure fail2ban service override
-  template: src=etc/systemd/system/fail2ban.service.d/override.conf.j2 dest=/etc/systemd/system/fail2ban.service.d/override.conf owner=root mode=0644
+  ansible.builtin.template:
+    src: etc/systemd/system/fail2ban.service.d/override.conf.j2
+    dest: /etc/systemd/system/fail2ban.service.d/override.conf
+    owner: root
+    mode: "0644"
   notify:
-    - reload systemd
-    - restart fail2ban
+    - Reload systemd
+    - Restart fail2ban
 
 - name: Start and enable fail2ban service
-  systemd: name=fail2ban state=started enabled=yes
+  ansible.builtin.systemd_service:
+    name: fail2ban
+    state: started
+    enabled: true
 
 # vim: set sw=2 ts=2:

roles/common/tasks/firewall.yml

@@ -0,0 +1,25 @@
+---
+# Debian 11+ will use nftables directly, with no firewalld.
+
+- name: Install Debian firewall packages
+  when: ansible_facts["distribution_version"] is version('11', '>=')
+  ansible.builtin.apt:
+    name: nftables
+    state: present
+    cache_valid_time: 3600
+
+- name: Remove iptables on newer Debian
+  when: ansible_facts["distribution_version"] is version('11', '>=')
+  ansible.builtin.apt:
+    pkg: iptables
+    state: absent
+
+- name: Configure nftables
+  when: ansible_facts["distribution_version"] is version('11', '>=')
+  ansible.builtin.include_tasks: nftables.yml
+
+- name: Configure fail2ban
+  when: ansible_facts["distribution_version"] is version('9', '>=')
+  ansible.builtin.include_tasks: fail2ban.yml
+
+# vim: set sw=2 ts=2:

roles/common/tasks/firewall_Debian.yml

@@ -1,60 +0,0 @@
----
-
-- block:
-  - name: Set Debian firewall packages
-    set_fact:
-      debian_firewall_packages:
-        - firewalld
-        - tidy
-        - fail2ban
-        - python3-systemd # for fail2ban systemd backend
-
-  - name: Install firewalld and deps
-    when: ansible_distribution_major_version is version('9', '>=')
-    apt: pkg={{ debian_firewall_packages }} state=present
-
-  - name: Use iptables backend in firewalld
-    when: ansible_distribution_major_version is version('10', '>=')
-    lineinfile:
-      dest: /etc/firewalld/firewalld.conf
-      regexp: '^FirewallBackend=nftables$'
-      line: 'FirewallBackend=iptables'
-    notify:
-      - restart firewalld
-
-# firewalld seems to have an issue with iptables 1.8.2 when using the nftables
-# backend. Using individual calls seems to work around it.
-# See: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=931722
-  - name: Use individual iptables calls
-    when: ansible_distribution_major_version is version('10', '>=')
-    lineinfile:
-      dest: /etc/firewalld/firewalld.conf
-      regexp: '^IndividualCalls=no$'
-      line: 'IndividualCalls=yes'
-    notify:
-      - restart firewalld
-
-  - name: Copy firewalld public zone file
-    when: ansible_distribution_major_version is version('9', '>=')
-    template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600
-
-  - name: Format public.xml firewalld zone file
-    when: ansible_distribution_major_version is version('9', '>=')
-    command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
-    notify:
-      - restart firewalld
-
-  - name: Copy ipsets of abusive IPs
-    when: ansible_distribution_major_version is version('9', '>=')
-    copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
-    loop:
-      - abusers-ipv4.xml
-      - abusers-ipv6.xml
-    notify:
-      - restart firewalld
-
-  - include_tasks: fail2ban.yml
-    when: ansible_distribution_major_version is version('9', '>=')
-  tags: firewall
-
-# vim: set sw=2 ts=2:

roles/common/tasks/firewall_Ubuntu.yml

@@ -1,64 +0,0 @@
----
-
-- block:
-  - name: Set Ubuntu firewall packages
-    set_fact:
-      ubuntu_firewall_packages:
-        - firewalld
-        - tidy
-        - fail2ban
-        - python3-systemd # for fail2ban systemd backend
-
-  - name: Install firewalld and deps
-    when: ansible_distribution_version is version('16.04', '>=')
-    apt: pkg={{ ubuntu_firewall_packages }} state=present
-
-  - name: Remove ufw
-    when: ansible_distribution_version is version('16.04', '>=')
-    apt: pkg=ufw state=absent
-
-  # I'm not sure why, but you can use firewalld with the nftables backend even
-  # if nftables itself is not installed. In that case the only way to see the
-  # currently active rules is with firewall-cmd. I prefer installing nftables
-  # so that we can have somewhat of a parallel with iptables:
-  #
-  #   nft list ruleset
-  #
-  # See: https://firewalld.org/2018/07/nftables-backend
-  - name: Install nftables
-    when: ansible_distribution_version is version('20.04', '==')
-    apt: pkg=nftables state=present
-
-  - name: Use nftables backend in firewalld
-    when: ansible_distribution_version is version('20.04', '==')
-    lineinfile:
-      dest: /etc/firewalld/firewalld.conf
-      regexp: '^FirewallBackend=iptables$'
-      line: 'FirewallBackend=nftables'
-    notify:
-      - restart firewalld
-
-  - name: Copy firewalld public zone file
-    when: ansible_distribution_version is version('16.04', '>=')
-    template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600
-
-  - name: Format public.xml firewalld zone file
-    when: ansible_distribution_version is version('16.04', '>=')
-    command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
-    notify:
-      - restart firewalld
-
-  - name: Copy ipsets of abusive IPs
-    when: ansible_distribution_version is version('16.04', '>=')
-    copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
-    loop:
-      - abusers-ipv4.xml
-      - abusers-ipv6.xml
-    notify:
-      - restart firewalld
-
-  - include_tasks: fail2ban.yml
-    when: ansible_distribution_version is version('16.04', '>=')
-  tags: firewall
-
-# vim: set sw=2 ts=2:

roles/common/tasks/main.yml

@@ -1,54 +1,48 @@
 ---
 - name: Import OS-specific variables
-  include_vars: "vars/{{ ansible_distribution }}.yml"
+  ansible.builtin.include_vars: vars/{{ ansible_facts["distribution"] }}.yml
   tags: always
 
 - name: Configure network time
-  import_tasks: ntp.yml
+  ansible.builtin.import_tasks: ntp.yml
   tags: ntp
 
 - name: Install common packages
-  include_tasks: packages_Debian.yml
-  when: ansible_distribution == 'Debian'
-  tags: packages
-
-- name: Install common packages
-  include_tasks: packages_Ubuntu.yml
-  when: ansible_distribution == 'Ubuntu'
+  ansible.builtin.include_tasks: packages.yml
   tags: packages
 
 - name: Configure firewall
-  include_tasks: firewall_Debian.yml
-  when: ansible_distribution == 'Debian'
-  tags: firewall
-
-- name: Configure firewall
-  include_tasks: firewall_Ubuntu.yml
-  when: ansible_distribution == 'Ubuntu'
+  ansible.builtin.import_tasks: firewall.yml
   tags: firewall
 
 - name: Configure secure shell daemon
-  import_tasks: sshd.yml
+  ansible.builtin.import_tasks: sshd.yml
   tags: sshd
 
 # containers identify as virtualization hosts, which makes this tricky, because we have actual Debian VM hosts!
 - name: Reconfigure /etc/sysctl.conf
-  when: ansible_virtualization_role != 'host'
-  template: src=sysctl_{{ ansible_distribution }}.j2 dest=/etc/sysctl.conf owner=root group=root mode=0644
+  when: ansible_facts["virtualization_role"] != 'host'
+  ansible.builtin.template:
+    src: "sysctl_{{ ansible_facts['distribution'] }}.j2"
+    dest: /etc/sysctl.conf
+    owner: root
+    group: root
+    mode: "0644"
   notify:
-    - reload sysctl
+    - Reload sysctl
   tags: sysctl
 
-- name: Reconfigure /etc/rc.local
-  when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('19.04', '<=')
-  template: src=rc.local_Ubuntu.j2 dest=/etc/rc.local owner=root group=root mode=0755
-
 - name: Set I/O scheduler
-  template: src=etc/udev/rules.d/60-scheduler.rules.j2 dest=/etc/udev/rules.d/60-scheduler.rules owner=root group=root mode=0644
+  ansible.builtin.template:
+    src: etc/udev/rules.d/60-scheduler.rules.j2
+    dest: /etc/udev/rules.d/60-scheduler.rules
+    owner: root
+    group: root
+    mode: "0644"
   tags: udev
 
 - name: Copy admin SSH keys
-  import_tasks: ssh-keys.yml
+  ansible.builtin.import_tasks: ssh-keys.yml
   tags: ssh-keys
 
 # vim: set sw=2 ts=2:

roles/common/tasks/nftables.yml

@@ -0,0 +1,69 @@
+---
+# Common nftables tasks for Debian 11 and Debian 12.
+
+- name: Copy nftables.conf
+  ansible.builtin.template:
+    src: nftables.conf.j2
+    dest: /etc/nftables.conf
+    owner: root
+    mode: "0644"
+  notify:
+    - Restart nftables
+
+- name: Create /etc/nftables extra config directory
+  ansible.builtin.file:
+    path: /etc/nftables
+    state: directory
+    owner: root
+    mode: "0755"
+
+- name: Copy extra nftables configuration files
+  ansible.builtin.copy:
+    src: firehol_level1-ipv4.nft
+    dest: /etc/nftables/firehol_level1-ipv4.nft
+    owner: root
+    group: root
+    mode: "0644"
+    force: false
+  notify:
+    - Restart nftables
+
+- name: Copy nftables update scripts
+  ansible.builtin.template:
+    src: update-firehol-nftables.sh.j2
+    dest: /usr/local/bin/update-firehol-nftables.sh
+    mode: "0755"
+    owner: root
+    group: root
+
+- name: Copy nftables systemd units
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: /etc/systemd/system/{{ item }}
+    mode: "0644"
+    owner: root
+    group: root
+  loop:
+    - update-firehol-nftables.service
+    - update-firehol-nftables.timer
+  register: nftables_systemd_units
+
+# need to reload to pick up service/timer/environment changes
+- name: Reload systemd daemon
+  when: nftables_systemd_units is changed
+  ansible.builtin.systemd_service: # noqa no-handler
+    daemon_reload: true
+
+- name: Start and enable nftables update timers
+  ansible.builtin.systemd_service:
+    name: update-firehol-nftables.timer
+    state: started
+    enabled: true
+
+- name: Start and enable nftables
+  ansible.builtin.systemd_service:
+    name: nftables
+    state: started
+    enabled: true
+
+# vim: set sw=2 ts=2:

roles/common/tasks/ntp.yml

@@ -1,18 +1,40 @@
 ---
-# Hosts running Ubuntu 16.04+ and Debian 9+ use systemd init system and should
-# use timedatectl as a network time client instead of the standalone ntp client.
+# Hosts running Debian 9+ use systemd init system and can use systemd-timesyncd
+# as a network time client instead of the standalone ntp client.
 
 - name: Set timezone
-  when: timezone is defined and ansible_service_mgr == 'systemd'
-  command: /usr/bin/timedatectl set-timezone {{ timezone }}
+  when:
+    - timezone is defined
+    - ansible_facts["service_mgr"] == 'systemd'
+  community.general.timezone:
+    name: "{{ timezone }}"
   tags: timezone
 
-- name: Start and enable systemd's NTP client
-  when: ansible_service_mgr == 'systemd'
-  systemd: name=systemd-timesyncd state=started enabled=yes
+# Apparently some cloud images don't have this installed by default. From what
+# I can see on existing servers, systemd-timesyncd is a standalone package on
+# Debian 11 and Debian 12.
+- name: Install systemd-timesyncd
+  when: ansible_facts["distribution_version"] is version('11', '>=')
+  ansible.builtin.apt:
+    name: systemd-timesyncd
+    state: present
+    cache_valid_time: 3600
 
-- name: Uninstall ntp on modern Ubuntu/Debian
-  apt: name=ntp state=absent update_cache=yes
-  when: ansible_service_mgr == 'systemd'
+- name: Start and enable systemd's NTP client
+  when: ansible_facts["service_mgr"] == 'systemd'
+  ansible.builtin.systemd_service:
+    name: systemd-timesyncd
+    state: started
+    enabled: true
+
+# On Debian 12 ntp doesn't conflict with systemd-timesyncd so we should try to
+# remove it to be sure.
+- name: Uninstall ntp on Debian 12
+  when:
+    - ansible_facts["service_mgr"] == 'systemd'
+    - ansible_facts["distribution_major_version"] is version('12', '==')
+  ansible.builtin.apt:
+    name: ntp
+    state: absent
 
 # vim: set ts=2 sw=2:

roles/common/tasks/packages.yml

@@ -0,0 +1,57 @@
+---
+- name: Configure Debian packages
+  tags: packages
+  block:
+    # Scaleway seems to use a weird sources.list format as of Debian 12?
+    - name: Check for weird Debian sources
+      ansible.builtin.stat:
+        path: /etc/apt/sources.list.d/debian.sources
+      register: weird_debian_sources_stat
+
+    - name: Configure apt mirror
+      when:
+        - ansible_facts["architecture"] != 'armv7l'
+        - not weird_debian_sources_stat
+      ansible.builtin.template:
+        src: sources.list.j2
+        dest: /etc/apt/sources.list
+        owner: root
+        group: root
+        mode: "0644"
+
+    - name: Set fact for base packages
+      ansible.builtin.set_fact:
+        base_packages:
+          - git
+          - git-lfs
+          - tmux
+          - iotop
+          - htop
+          - strace
+          - safe-rm
+          - debian-goodies
+          - mosh
+          - python3-pycurl # for ansible's apt_repository
+          - vim
+          - unzip
+          - apt-transport-https # for https support in apt
+          - gnupg2
+          - zstd
+          - rsync
+          - lsof
+          - unattended-upgrades
+
+    - name: Install base packages
+      ansible.builtin.apt:
+        name: "{{ base_packages }}"
+        state: present
+        cache_valid_time: 3600
+
+    - name: Remove cron-apt
+      tags: cron-apt
+      ansible.builtin.import_tasks: cron-apt.yml
+
+    - name: Install tarsnap
+      ansible.builtin.import_tasks: tarsnap.yml
+
+# vim: set sw=2 ts=2:

roles/common/tasks/packages_Debian.yml

@@ -1,37 +0,0 @@
----
-
-- block:
-  - name: Configure apt mirror
-    template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
-
-  - name: Set fact for base packages
-    set_fact:
-      base_packages:
-        - git
-        - tmux
-        - iotop
-        - htop
-        - strace
-        - cron-apt
-        - safe-rm
-        - debian-goodies
-        - mosh
-        - python3-pycurl # for ansible's apt_repository
-        - vim
-        - unzip
-        - apt-transport-https # for https support in apt
-        - gnupg2
-        - zstd
-
-  - name: Install base packages
-    apt: name={{ base_packages }} state=present update_cache=yes cache_valid_time=3600
-
-  - name: Configure cron-apt
-    import_tasks: cron-apt.yml
-    tags: cron-apt
-
-  - name: Install tarsnap
-    import_tasks: tarsnap.yml
-  tags: packages
-
-# vim: set sw=2 ts=2:

roles/common/tasks/packages_Ubuntu.yml

@@ -1,105 +0,0 @@
----
-
-- block:
-  - name: Configure apt mirror
-    template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
-    when: ansible_architecture != 'armv7l'
-
-  - name: Upgrade base OS
-    apt: upgrade=dist update_cache=yes cache_valid_time=3600
-
-  - name: Set Ubuntu base packages
-    set_fact:
-      ubuntu_base_packages:
-      - git
-      - tmux
-      - iotop
-      - htop
-      - strace
-      - cron-apt
-      - safe-rm
-      - debian-goodies
-      - mosh
-      - python-pycurl # for ansible's apt_repository
-      - vim
-      - unzip
-      - apt-transport-https # for https support in apt
-      - zstd
-
-  - name: Install base packages
-    apt: pkg={{ ubuntu_base_packages }} state=present update_cache=yes cache_valid_time=3600
-
-  # We have to remove snaps one by one in a specific order because some depend
-  # on others. Only after that can we remove the corresponding system packages.
-  - name: Remove lxd snap
-    snap: name=lxd state=absent
-    when: ansible_distribution_version is version('20.04', '==')
-    ignore_errors: yes
-
-  - name: Remove core18 snap
-    snap: name=core18 state=absent
-    when: ansible_distribution_version is version('20.04', '==')
-    ignore_errors: yes
-
-  - name: Remove snapd snap
-    snap: name=snapd state=absent
-    when: ansible_distribution_version is version('20.04', '==')
-    ignore_errors: yes
-
-  - name: Set fact for packages to remove (Ubuntu <= 18.04)
-    set_fact:
-      ubuntu_annoying_packages:
-        - whoopsie # security (CIS 4.1)
-        - apport   # security (CIS 4.1)
-        - command-not-found # annoying
-        - command-not-found-data # annoying
-        - python3-commandnotfound # annoying
-        - snapd # annoying (Ubuntu >= 16.04)
-        - lxd # annoying (Ubuntu >= 16.04)
-        - lxd-client # annoying (Ubuntu >= 16.04)
-        - liblxc1 # annoying (Ubuntu >= 16.04)
-        - lxc-common # annoying (Ubuntu >= 16.04)
-        - lxcfs #annoying (Ubuntu >= 16.04)
-    when: ansible_distribution_version is version('18.04', '<=')
-
-  - name: Set fact for packages to remove (Ubuntu 20.04)
-    set_fact:
-      ubuntu_annoying_packages:
-        - whoopsie # security (CIS 4.1)
-        - apport   # security (CIS 4.1)
-        - command-not-found # annoying
-        - command-not-found-data # annoying
-        - python3-commandnotfound # annoying
-        - snapd # annoying (Ubuntu >= 16.04)
-        - lxd-agent-loader # annoying (Ubuntu 20.04)
-    when: ansible_distribution_version is version('20.04', '==')
-
-  - name: Remove packages
-    apt: name={{ ubuntu_annoying_packages }} state=absent purge=yes
-
-  - name: Disable annoying Canonical spam in MOTD
-    file: path={{ item }} mode=0644 state=absent
-    loop:
-      - /etc/update-motd.d/99-esm # Ubuntu 14.04
-      - /etc/update-motd.d/10-help-text # Ubuntu 14.04+
-      - /etc/update-motd.d/50-motd-news # Ubuntu 18.04+
-      - /etc/update-motd.d/80-esm # Ubuntu 18.04+
-      - /etc/update-motd.d/80-livepatch # Ubuntu 18.04+
-    ignore_errors: yes
-
-  - name: Disable annoying Canonical spam in MOTD
-    systemd: name={{ item }} state=stopped enabled=no
-    when: ansible_service_mgr == 'systemd'
-    loop:
-      - motd-news.service
-      - motd-news.timer
-
-  - name: Configure cron-apt
-    import_tasks: cron-apt.yml
-    tags: cron-apt
-
-  - name: Install tarsnap
-    import_tasks: tarsnap.yml
-  tags: packages
-
-# vim: set sw=2 ts=2:

roles/common/tasks/ssh-keys.yml

@@ -1,9 +1,11 @@
 ---
 - name: Zero .ssh/authorized_keys for provisioning user
-  file: dest={{ provisioning_user.home }}/.ssh/authorized_keys state=absent
+  ansible.builtin.file:
+    dest: "{{ provisioning_user.home }}/.ssh/authorized_keys"
+    state: absent
 
 - name: Add public keys to authorized_keys
-  authorized_key: { user: '{{ provisioning_user.name }}', key: "{{ lookup('file',item) }}" }
+  ansible.posix.authorized_key: { user: "{{ provisioning_user.name }}", key: "{{ lookup('file', item) }}" }
   with_fileglob:
     # use descriptive names for keys, like: aorth-mzito-rsa.pub
     - ssh-pub-keys/*.pub

roles/common/tasks/sshd.yml

@@ -1,25 +1,62 @@
 ---
-
-# SSH configs don't change in Debian minor versions
+# Only override the system sshd configuration on older Debian.
 - name: Reconfigure /etc/ssh/sshd_config
-  template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
-  when: ansible_distribution == 'Debian'
-  notify: reload sshd
+  when: ansible_facts["distribution_version"] is version('12', '<=')
+  ansible.builtin.template:
+    src: "sshd_config_{{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_major_version'] }}.j2"
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: "0600"
+  notify: Reload sshd
 
-# Ubuntu is the only distro we have where SSH version is very different from 14.04 -> 14.10,
-# ie with new ciphers supported etc.
-- name: Reconfigure /etc/ssh/sshd_config
-  template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
-  when: ansible_distribution == 'Ubuntu'
-  notify: reload sshd
+# Newer OpenSSH versions support including extra configuration. The includes
+# happen at the beginning of the file and the first value to be read is used.
+- name: Configure sshd_config.d overrides
+  when: ansible_facts["distribution_version"] is version('13', '>=')
+  ansible.builtin.template:
+    src: etc/ssh/sshd_config.d/01-{{ ansible_facts["distribution"] }}-{{ ansible_facts["distribution_major_version"] }}.conf.j2
+    dest: /etc/ssh/sshd_config.d/01-custom.conf
+    owner: root
+    group: root
+    mode: "0600"
+  notify: Reload sshd
+
+# See: WeakDH (2015): https://weakdh.org/sysadmin.html
+- name: Remove small Diffie-Hellman SSH moduli
+  block:
+    - name: Check unsafe Diffie-Hellman SSH moduli
+      ansible.builtin.shell:
+        cmd: awk '$5 < 3071' moduli
+        chdir: /etc/ssh
+        creates: moduli.safe
+      register: check_unsafe_moduli
+
+    - name: Extract safe Diffie-Hellman SSH moduli
+      when: check_unsafe_moduli.stdout | length > 0
+      ansible.builtin.shell:
+        cmd: awk '$5 >= 3071' moduli > moduli.safe
+        chdir: /etc/ssh
+        creates: moduli.safe
+      register: extract_safe_moduli
+
+    - name: Replace unsafe Diffie-Hellman SSH moduli
+      when: extract_safe_moduli is changed
+      ansible.builtin.command:
+        cmd: mv moduli.safe moduli
+        chdir: /etc/ssh
+      register: replace_small_moduli
+      notify: Reload sshd
 
 - name: Remove DSA and ECDSA host keys
-  file: name=/etc/ssh/{{ item }} state=absent
+  ansible.builtin.file:
+    name: "/etc/ssh/{{ item }}"
+    state: absent
   loop:
     - ssh_host_dsa_key
     - ssh_host_dsa_key.pub
     - ssh_host_ecdsa_key
     - ssh_host_ecdsa_key.pub
-  notify: reload sshd
+  notify: Reload sshd
 
 # vim: set sw=2 ts=2:

roles/common/tasks/tarsnap.yml

@@ -1,24 +1,45 @@
 ---
-- name: Add Tarsnap apt mirror
-  template: src=tarsnap_sources.list.j2 dest=/etc/apt/sources.list.d/tarsnap.list owner=root group=root mode=0644
-  register: add_tarsnap_apt_repository
-  when: ansible_architecture != 'armv7l'
+- name: Check tarsnap apt signing key
+  ansible.builtin.stat:
+    path: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
+  register: tarsnap_signing_key_stat
 
-- name: Add GPG key for Tarsnap
-  apt_key: id=0xFC72A10BF6B692AA url=https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc state=present
-  register: add_tarsnap_apt_key
+- name: Download tarsnap apt signing key
+  when: not tarsnap_signing_key_stat.stat.exists
+  ansible.builtin.get_url:
+    url: https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc
+    dest: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
+    owner: root
+    group: root
+    mode: "0644"
+  register: download_tarsnap_signing_key
+
+- name: Add tarsnap.org repo
+  when: ansible_facts["architecture"] != 'armv7l'
+  ansible.builtin.template:
+    src: tarsnap_sources.list.j2
+    dest: /etc/apt/sources.list.d/tarsnap.list
+    owner: root
+    group: root
+    mode: "0644"
+  register: add_tarsnap_apt_repository
 
 - name: Update apt cache
-  apt:
-    update_cache: yes
-  when:
-    add_tarsnap_apt_key is changed or
-    add_tarsnap_apt_repository is changed
+  when: (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or add_tarsnap_apt_repository is changed
+  ansible.builtin.apt: # noqa no-handler
+    update_cache: true
 
 - name: Install tarsnap
-  apt: pkg=tarsnap cache_valid_time=3600
+  ansible.builtin.apt:
+    pkg: tarsnap
+    cache_valid_time: 3600
 
 - name: Copy tarsnaprc
-  copy: src=tarsnaprc dest=/root/.tarsnaprc owner=root group=root mode=0600
+  ansible.builtin.copy:
+    src: tarsnaprc
+    dest: /root/.tarsnaprc
+    owner: root
+    group: root
+    mode: "0600"
 
 # vim: set sw=2 ts=2:

roles/common/templates/etc/fail2ban/jail.d/nginx.local.j2

@@ -0,0 +1,13 @@
+[nginx]
+enabled   = true
+# See: /etc/fail2ban/filter.d/nginx-botsearch.conf
+filter    = nginx-botsearch
+# Integrate with nftables
+banaction=nftables[type=allports]
+backend   = pyinotify
+logpath   = /var/log/nginx/*-access.log
+# Try to find a non-existent wp-login.php once and get banned. Tough luck.
+maxretry  = 1
+findtime  = {{ fail2ban_findtime }}
+bantime   = {{ fail2ban_bantime }}
+ignoreip  = {{ fail2ban_ignoreip }}

roles/common/templates/etc/fail2ban/jail.d/sshd.local.j2

@@ -2,8 +2,8 @@
 enabled   = true
 # See: /etc/fail2ban/filter.d/sshd.conf
 filter    = sshd
-# Integrate with firewalld and ipsets
-banaction = firewallcmd-ipset
+# Integrate with nftables
+banaction=nftables[type=allports]
 backend   = systemd
 maxretry  = {{ fail2ban_maxretry }}
 findtime  = {{ fail2ban_findtime }}

roles/common/templates/etc/ssh/sshd_config.d/01-Debian-13.conf.j2

@@ -0,0 +1,40 @@
+{{ ansible_managed | comment }}
+
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear
+# audit track of which key was using to log in.
+LogLevel VERBOSE
+
+MaxAuthTries 4
+
+AuthorizedKeysFile	.ssh/authorized_keys
+
+# To disable tunneled clear text passwords, change to no here!
+{% if ssh_password_authentication == 'disabled' %}
+PasswordAuthentication no
+{% else %}
+PasswordAuthentication yes
+{% endif %}
+
+X11Forwarding no
+
+# Based on the ssh-audit profile for Debian 13, but with but with all algos with
+# less than 256 bits removed, as NSA's Suite B removed them years ago and the
+# new (2018) CNSA suite is 256 bits and up.
+#
+# See: ssh-audit.py -P "Hardened Debian 13 (version 1)"
+# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com
+
+{% if ssh_allowed_users is defined and ssh_allowed_users %}
+AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
+{% endif %}
+
+PerSourcePenaltyExemptList {{ fail2ban_ignoreip | replace(" ", ",") }}
+
+# Mask to use for IPv4 and IPv6 respectively when applying network penalties.
+# The default is 32:128.
+PerSourceNetBlockSize 24:56

roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2

@@ -1,15 +1,19 @@
+[Unit]
+# If nftables is stopped or restarted, propagate to fail2ban as well
+PartOf=nftables.service
+
 [Service]
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectHome=read-only
-{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=') %}
+{% if ansible_facts["distribution_version"] is version('11','>=') %}
 ProtectSystem=strict
 {% else %}
 {# Older systemd versions don't have ProtectSystem=strict #}
 ProtectSystem=full
 {% endif %}
 NoNewPrivileges=yes
-{% if ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=') %}
+{% if ansible_facts["distribution_version"] is version('11','>=') %}
 ReadWritePaths=-/var/run/fail2ban
 ReadWritePaths=-/var/lib/fail2ban
 ReadWritePaths=-/var/log/fail2ban.log

roles/common/templates/nftables.conf.j2

@@ -0,0 +1,75 @@
+#!/usr/sbin/nft -f
+#
+# Initially based on: https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_server
+#
+
+flush ruleset
+
+# List updated daily by update-firehol-nftables.sh
+include "/etc/nftables/firehol_level1-ipv4.nft"
+
+# Notes:
+#   - tables hold chains, chains hold rules
+#   - inet is for both ipv4 and ipv6
+table inet filter {
+    set firehol_level1-ipv4 {
+        type ipv4_addr
+        # if the set contains prefixes we need to use the interval flag
+        flags interval
+        elements = $FIREHOL_LEVEL1_IPV4
+    }
+
+    chain input {
+        type filter hook input priority 0;
+
+        ct state {established, related} accept comment "Allow traffic from established and related packets"
+
+        ct state invalid counter drop comment "Early drop of invalid connections"
+
+        ip saddr @firehol_level1-ipv4 counter drop comment "Early drop of incoming packets matching firehol_level1-ipv4 list"
+
+        iifname lo accept comment "Allow from loopback"
+
+        ip protocol icmp limit rate 4/second accept comment "Allow ICMP"
+        ip6 nexthdr ipv6-icmp limit rate 4/second accept comment "Allow IPv6 ICMP"
+        ip protocol igmp limit rate 4/second accept comment "Allow IGMP"
+
+        {# SSH rules #}
+        ip saddr 0.0.0.0/0 ct state new tcp dport 22 counter accept comment "Allow SSH"
+        ip6 saddr ::/0 ct state new tcp dport 22 counter accept comment "Allow SSH"
+
+        {# Web rules #}
+        {% if 'web' in group_names %}
+        ip saddr 0.0.0.0/0 ct state new tcp dport 80 counter accept comment "Allow HTTP"
+        ip saddr 0.0.0.0/0 ct state new tcp dport 443 counter accept comment "Allow HTTPS"
+        ip6 saddr ::/0 ct state new tcp dport 80 counter accept comment "Allow HTTP"
+        ip6 saddr ::/0 ct state new tcp dport 443 counter accept comment "Allow HTTPS"
+        {% endif %}
+
+        ip saddr 0.0.0.0/0 ct state new udp dport 60001-60003 counter accept comment "Allow mosh"
+        ip6 saddr ::/0 ct state new udp dport 60001-60003 counter accept comment "Allow mosh"
+
+        {# Extra rules #}
+        {% if extra_iptables_rules is defined %}
+        {% for rule in extra_iptables_rules %}
+        ip saddr {{ ghetto_ipsets[rule.acl].src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept
+
+        {% if ghetto_ipsets[rule.acl].ipv6src is defined %}
+        ip6 saddr {{ ghetto_ipsets[rule.acl].ipv6src }} ct state new {{ rule.protocol }} dport {{ rule.port }} counter accept
+        {% endif %}
+
+        {% endfor %}
+        {% endif %}
+
+        # everything else
+        reject with icmpx type port-unreachable
+    }
+    chain forward {
+        type filter hook forward priority 0;
+    }
+    chain output {
+        type filter hook output priority 0;
+
+        ip daddr @firehol_level1-ipv4 counter drop comment "Drop outgoing packets matching firehol_level1-ipv4 list"
+    }
+}

roles/common/templates/public.xml.j2

@@ -1,72 +0,0 @@
-<zone>
-    <short>Public</short>
-    <description>For use in public areas. You do not trust the other computers on networks to not harm your computer. Only selected incoming connections are accepted.</description>
-    <interface name="{{ ansible_default_ipv4.interface }}"/>
-
-    {# ssh rules #}
-    <rule family="ipv4">
-        <source address="0.0.0.0/0"/>
-        <port protocol="tcp" port="22"/>
-        <accept/>
-    </rule>
-
-    {# ipv6 ssh rules #}
-    <rule family="ipv6">
-        <source address="::/0"/>
-        <port protocol="tcp" port="22"/>
-        <accept/>
-    </rule>
-
-    {# web rules #}
-    <rule family="ipv4">
-        <source address="0.0.0.0/0"/>
-        <port protocol="tcp" port="80"/>
-        <accept/>
-    </rule>
-
-    {# ipv6 web rules #}
-    <rule family="ipv6">
-        <source address="::/0"/>
-        <port protocol="tcp" port="80"/>
-        <accept/>
-    </rule>
-
-    {# munin rules #}
-    {% if munin_master_host is defined %}
-    <rule family="ipv4">
-        <source address="{{ ghetto_ipsets[munin_master_host].src }}"/>
-        <port protocol="tcp" port="{{ munin_node_port }}"/>
-        <accept/>
-    </rule>
-    {% endif %}
-
-    {# extra rules #}
-    {% if extra_iptables_rules is defined %}
-    {% for rule in extra_iptables_rules %}
-    <rule family="ipv4">
-        <source address="{{ ghetto_ipsets[rule.acl].src }}"/>
-        <port protocol="{{ rule.protocol }}" port="{{ rule.port }}"/>
-        <accept/>
-    </rule>
-
-    {# ipv6 extra rules #}
-    {% if ghetto_ipsets[rule.acl].ipv6src is defined %}
-    <rule family="ipv6">
-        <source address="{{ ghetto_ipsets[rule.acl].ipv6src }}"/>
-        <port protocol="{{ rule.protocol }}" port="{{ rule.port }}"/>
-        <accept/>
-    </rule>
-    {% endif %}
-
-    {% endfor %}
-    {% endif %}
-
-    <rule>
-      <source ipset="abusers-ipv4"/>
-      <drop/>
-    </rule>
-    <rule>
-      <source ipset="abusers-ipv6"/>
-      <drop/>
-    </rule>
-</zone>

roles/common/templates/rc.local_Ubuntu.j2

@@ -1,14 +0,0 @@
-#!/bin/sh -e
-#
-# rc.local
-#
-# This script is executed at the end of each multiuser runlevel.
-# Make sure that the script will "exit 0" on success or any other
-# value on error.
-#
-# In order to enable or disable this script just change the execution
-# bits.
-#
-# By default this script does nothing.
-
-exit 0

roles/common/templates/security.sources.list.j2

@@ -1,5 +0,0 @@
-{% if ansible_distribution == 'Ubuntu' %}
-deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security main restricted universe multiverse
-{% elif ansible_distribution == 'Debian' %}
-deb http://security.debian.org/debian-security {{ ansible_distribution_release }}/updates main contrib non-free
-{% endif %}

roles/common/templates/sources.list.j2

@@ -1,16 +1,6 @@
-{% if ansible_distribution == 'Ubuntu' %}
-{% set apt_mirror    = apt_mirror | default("ubuntu.mirror.ac.ke") %}
-
-deb http://{{ apt_mirror }}/ubuntu/ {{ ansible_distribution_release }} main restricted universe multiverse
-deb http://{{ apt_mirror }}/ubuntu/ {{ ansible_distribution_release }}-updates main restricted universe multiverse
-deb http://security.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-security main restricted universe multiverse
-
-{% else %}
 {% set apt_mirror    = apt_mirror | default('deb.debian.org') %}
 deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }} main contrib non-free
 
-deb http://security.debian.org/debian-security {{ ansible_distribution_release }}/updates main contrib non-free
+deb http://security.debian.org/debian-security {{ ansible_distribution_release }}-security main contrib non-free
 
 deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }}-updates main contrib non-free
-
-{% endif %} {# ansible_distribution #}

roles/common/templates/sshd_config_Debian-11.j2

@@ -56,7 +56,11 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #IgnoreRhosts yes
 
 # To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+{% if ssh_password_authentication == 'disabled' %}
+PasswordAuthentication no
+{% else %}
+PasswordAuthentication yes
+{% endif %}
 #PermitEmptyPasswords no
 
 # Change to yes to enable challenge-response passwords (beware issues with
@@ -114,7 +118,7 @@ PrintMotd no
 AcceptEnv LANG LC_*
 
 # override default of no subsystems
-Subsystem sftp	/usr/lib/openssh/sftp-server
+Subsystem	sftp	/usr/lib/openssh/sftp-server
 
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
@@ -122,14 +126,16 @@ Subsystem sftp	/usr/lib/openssh/sftp-server
 #	AllowTcpForwarding no
 #	PermitTTY no
 #	ForceCommand cvs server
-PasswordAuthentication yes
 
-# Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html
-# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now
-# does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
+# Based on the ssh-audit profile for OpenSSH 8.4, but with but with all algos
+# with less than 256 bits removed, as NSA's Suite B removed them years ago and
+# the new (2018) CNSA suite is 256 bits and up.
+#
+# See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py
+# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
-KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
 
 {% if ssh_allowed_users is defined and ssh_allowed_users %}
 # Is there a list of allowed users?

roles/common/templates/sshd_config_Debian-12.j2

@@ -1,21 +1,23 @@
-#	$OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
 
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
+# This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
 
 # The strategy used for options in the default sshd_config shipped with
 # OpenSSH is to specify options with their default value where
 # possible, but leave them commented.  Uncommented options override the
 # default value.
 
+Include /etc/ssh/sshd_config.d/*.conf
+
 #Port 22
 #AddressFamily any
 #ListenAddress 0.0.0.0
 #ListenAddress ::
 
 #HostKey /etc/ssh/ssh_host_rsa_key
+#HostKey /etc/ssh/ssh_host_ecdsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
 
 # Ciphers and keying
@@ -54,12 +56,16 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #IgnoreRhosts yes
 
 # To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+{% if ssh_password_authentication == 'disabled' %}
+PasswordAuthentication no
+{% else %}
+PasswordAuthentication yes
+{% endif %}
 #PermitEmptyPasswords no
 
 # Change to yes to enable challenge-response passwords (beware issues with
 # some PAM modules and threads)
-ChallengeResponseAuthentication no
+KbdInteractiveAuthentication no
 
 # Kerberos options
 #KerberosAuthentication no
@@ -75,13 +81,13 @@ ChallengeResponseAuthentication no
 
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
+# be allowed through the KbdInteractiveAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
+# PAM authentication via KbdInteractiveAuthentication may bypass
+# the setting of "PermitRootLogin prohibit-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
+# and KbdInteractiveAuthentication to 'no'.
 UsePAM yes
 
 #AllowAgentForwarding yes
@@ -94,13 +100,12 @@ X11Forwarding no
 PrintMotd no
 #PrintLastLog yes
 #TCPKeepAlive yes
-#UseLogin no
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
 #UseDNS no
-#PidFile /var/run/sshd.pid
+#PidFile /run/sshd.pid
 #MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none
@@ -122,12 +127,20 @@ Subsystem	sftp	/usr/lib/openssh/sftp-server
 #	PermitTTY no
 #	ForceCommand cvs server
 
-# Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html
-# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now
-# does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
+# Based on the ssh-audit profile for OpenSSH 9.2, but with but with all algos
+# with less than 256 bits removed, as NSA's Suite B removed them years ago and
+# the new (2018) CNSA suite is 256 bits and up.
+#
+# See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py
+# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
-KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
 
-# only allow shell access by provisioning user
-AllowUsers {{ provisioning_user.name }}
+{% if ssh_allowed_users is defined and ssh_allowed_users %}
+# Is there a list of allowed users?
+# Is it populated? (An empty list is 'None', which evaluates as False in Python)
+# merge the items of a list into one string using a space as a separator
+# http://jinja.pocoo.org/docs/dev/templates/#join
+AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
+{% endif %}

roles/common/templates/sysctl_Debian.j2

@@ -90,7 +90,7 @@ net.ipv4.tcp_wmem = 4096 65536 16777216
 # increase the length of the processor input queue
 net.core.netdev_max_backlog = 30000
 {# kernels after 2.6.32 don't have buggy cubic #}
-{% if ansible_kernel < "2.6.33" %}
+{% if ansible_facts["kernel"] < "2.6.33" %}
 # recommended default congestion control is htcp
 net.ipv4.tcp_congestion_control=htcp
 {% endif %}
@@ -98,7 +98,7 @@ net.ipv4.tcp_congestion_control=htcp
 #net.ipv4.tcp_mtu_probing=1
 
 {# disable iptables on bridge interfaces on VM hosts #}
-{% if ansible_virtualization_role == "host" %}
+{% if ansible_facts["virtualization_role"] == "host" %}
 net.bridge.bridge-nf-call-ip6tables = 0
 net.bridge.bridge-nf-call-iptables = 0
 net.bridge.bridge-nf-call-arptables = 0

roles/common/templates/sysctl_Ubuntu.j2

@@ -1,100 +0,0 @@
-#
-# /etc/sysctl.conf - Configuration file for setting system variables
-# See /etc/sysctl.d/ for additional system variables
-# See sysctl.conf (5) for information.
-#
-
-#kernel.domainname = example.com
-
-# Uncomment the following to stop low-level messages on console
-#kernel.printk = 3 4 1 3
-
-##############################################################3
-# Functions previously found in netbase
-#
-
-# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
-# Turn on Source Address Verification in all interfaces to
-# prevent some spoofing attacks
-#net.ipv4.conf.default.rp_filter=1
-#net.ipv4.conf.all.rp_filter=1
-
-# Uncomment the next line to enable TCP/IP SYN cookies
-# See http://lwn.net/Articles/277146/
-# Note: This may impact IPv6 TCP sessions too
-#net.ipv4.tcp_syncookies=1
-
-# Uncomment the next line to enable packet forwarding for IPv4
-#net.ipv4.ip_forward=1
-
-# Uncomment the next line to enable packet forwarding for IPv6
-#  Enabling this option disables Stateless Address Autoconfiguration
-#  based on Router Advertisements for this host
-#net.ipv6.conf.all.forwarding=1
-
-
-###################################################################
-# Additional settings - these settings can improve the network
-# security of the host and prevent against some network attacks
-# including spoofing attacks and man in the middle attacks through
-# redirection. Some network environments, however, require that these
-# settings are disabled so review and enable them as needed.
-#
-# Do not accept ICMP redirects (prevent MITM attacks)
-#net.ipv4.conf.all.accept_redirects = 0
-#net.ipv6.conf.all.accept_redirects = 0
-# _or_
-# Accept ICMP redirects only for gateways listed in our default
-# gateway list (enabled by default)
-# net.ipv4.conf.all.secure_redirects = 1
-#
-# Do not send ICMP redirects (we are not a router)
-#net.ipv4.conf.all.send_redirects = 0
-#
-# Do not accept IP source route packets (we are not a router)
-#net.ipv4.conf.all.accept_source_route = 0
-#net.ipv6.conf.all.accept_source_route = 0
-#
-# Log Martian Packets
-#net.ipv4.conf.all.log_martians = 1
-#
-
-# CIS Benchmark Adjustments
-# See: https://github.com/alanorth/securekickstarts
-kernel.randomize_va_space = 2 
-net.ipv4.ip_forward = 0 
-net.ipv4.conf.all.send_redirects = 0 
-net.ipv4.conf.default.send_redirects = 0 
-net.ipv4.conf.all.accept_source_route = 0 
-net.ipv4.conf.default.accept_source_route = 0 
-net.ipv4.conf.all.accept_redirects = 0 
-net.ipv4.conf.default.accept_redirects = 0 
-net.ipv4.conf.all.secure_redirects = 0 
-net.ipv4.conf.default.secure_redirects = 0 
-net.ipv4.conf.all.log_martians = 1 
-net.ipv4.conf.default.log_martians = 1 
-net.ipv4.icmp_echo_ignore_broadcasts = 1 
-net.ipv4.icmp_ignore_bogus_error_responses = 1 
-net.ipv4.conf.all.rp_filter = 1 
-net.ipv4.conf.default.rp_filter = 1 
-net.ipv4.tcp_syncookies = 1
-
-# TCP stuff
-# See: http://fasterdata.es.net/host-tuning/linux/
-# increase TCP max buffer size settable using setsockopt()
-net.core.rmem_max = 16777216 
-net.core.wmem_max = 16777216 
-# increase Linux autotuning TCP buffer limit 
-net.ipv4.tcp_rmem = 4096 87380 16777216
-net.ipv4.tcp_wmem = 4096 65536 16777216
-# increase the length of the processor input queue
-net.core.netdev_max_backlog = 30000
-# recommended for hosts with jumbo frames enabled
-#net.ipv4.tcp_mtu_probing=1
-
-# increase quadruplets (src ip, src port, dest ip, dest port)
-# see: http://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux.html
-net.ipv4.ip_local_port_range = 10240 65535
-# recommended for web servers, especially if running SPDY
-# see: http://www.chromium.org/spdy/spdy-best-practices
-net.ipv4.tcp_slow_start_after_idle = 0

roles/common/templates/tarsnap_sources.list.j2

@@ -1 +1 @@
-deb [arch=amd64] https://pkg.tarsnap.com/deb/{{ ansible_distribution_release }} ./
+deb [arch=amd64 signed-by=/etc/apt/keyrings/tarsnap-deb-packaging-key.asc] https://pkg.tarsnap.com/deb/{{ ansible_facts["distribution_release"] }} ./

roles/common/templates/update-firehol-nftables.sh.j2

@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+#
+# update-firehol-nftables.sh v0.0.1
+#
+# Download FireHOL lists and load them into nftables sets.
+# 
+# See: https://iplists.firehol.org/
+#
+# Copyright (C) 2025 Alan Orth
+#
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Exit on first error
+set -o errexit
+
+firehol_level1_ipv4_set_path=/etc/nftables/firehol_level1-ipv4.nft
+
+function download() {
+    echo "Downloading $1"
+    wget -q -O - "https://iplists.firehol.org/files/$1" > "$1"
+}
+
+download firehol_level1.netset
+
+if [[ -f "firehol_level1.netset" ]]; then
+    echo "Processing FireHOL Level 1 list"
+
+    firehol_level1_ipv4_list_temp=$(mktemp)
+    firehol_level1_ipv4_set_temp=$(mktemp)
+
+    # Filter blank lines, comments, and bogons we use inside the LAN, DMZ, and
+    # for local services like systemd-resolved and others on localhost. Ideally
+    # these are blocked already at the WAN side by network administrators.
+    cat firehol_level1.netset \
+        | sed \
+            -e '/^$/d' \
+            -e '/^#.*/d' \
+            -e '/^127\.0\.0\.0\/8/d' \
+        > "$firehol_level1_ipv4_list_temp"
+
+    echo "Building firehol_level1-ipv4 set"
+    cat << NFT_HEAD > "$firehol_level1_ipv4_set_temp"
+#!/usr/sbin/nft -f
+
+define FIREHOL_LEVEL1_IPV4 = {
+NFT_HEAD
+
+    while read -r network; do
+        # nftables doesn't mind if the last element in the set has a trailing
+        # comma so we don't need to do anything special here.
+        echo "$network," >> "$firehol_level1_ipv4_set_temp"
+    done < $firehol_level1_ipv4_list_temp
+
+    echo "}" >> "$firehol_level1_ipv4_set_temp"
+
+    install -m 0600 "$firehol_level1_ipv4_set_temp" "$firehol_level1_ipv4_set_path"
+
+    rm -f "$firehol_level1_ipv4_list_temp" "$firehol_level1_ipv4_set_temp"
+fi
+
+echo "Restarting nftables"
+
+/usr/bin/systemctl restart nftables.service
+
+rm -v firehol_level1.netset

roles/mariadb/defaults/main.yml

@@ -1,30 +1,18 @@
 ---
-# file: roles/mariadb/defaults/main.yml
-#
-# Based on my running of mysqltuner.pl on a host with three WordPress databases
-# and a Piwik instance monitoring three sites.
-#
-
-# default is 128MB but is a waste because it seems only the mysql table uses it
-key_buffer_size: 32M
-
-# default is 128MB but is a waste because it seems only information_schema uses
-# AriaDB, see: https://mariadb.com/kb/en/mariadb/aria-system-variables
-aria_pagecache_buffer_size: 8M
 
 # default is 128M, but set to at least the size of your InnoDB data
 innodb_buffer_pool_size: 256M
 
-# Unless you have a pool size over 1GB, use a single instance
-# See: https://mariadb.com/kb/en/mariadb/xtradbinnodb-server-system-variables
-innodb_buffer_pool_instances: 1
-
 # Ansible 2.7.x with PyMySQL seems to default to TCP connection so we should
 # force it to use a Unix socket.
 # See: https://github.com/ansible/ansible/issues/47736
-mariadb_login_unix_socket: /var/run/mysqld/mysqld.sock
+mariadb_login_unix_socket: /run/mysqld/mysqld.sock
 
 # default is 100 but the max I've seen used is 5, so let's reduce it
 max_connections: 33
 
+# mysqltuner says we should use larger than 32M on our setup
+tmp_table_size: 64M
+max_heap_table_size: 64M
+
 # vim: set ts=2 sw=2:

roles/mariadb/handlers/main.yml

@@ -1,5 +1,7 @@
 ---
-- name: restart mysql
-  systemd: name=mysql state=restarted
+- name: restart mariadb
+  ansible.builtin.systemd_service:
+    name: mariadb
+    state: restarted
 
 # vim: set ts=2 sw=2:

roles/mariadb/tasks/main.yml

@@ -1,59 +1,63 @@
 ---
-- name: Add GPG key for MariaDB repo
-  apt_key: id=0x177F4010FE56CA3336300305F1656F24C74CD1D8 url=https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x177F4010FE56CA3336300305F1656F24C74CD1D8
-  register: add_mariadb_apt_key
-  tags: mariadb, packages
-
-- name: Add MariaDB 10.4 repo
-  template: src=mariadb.list.j2 dest=/etc/apt/sources.list.d/mariadb.list owner=root group=root mode=0644
-  register: add_mariadb_apt_repository
-  tags: mariadb, packages
-
-- name: Update apt cache
-  apt:
-    update_cache: yes
-  when:
-    add_mariadb_apt_key is changed or
-    add_mariadb_apt_repository is changed
-
 - name: Install mariadb-server
-  apt: name={{ item }} state=present cache_valid_time=3600
-  loop:
-    - mariadb-server
-    - python3-pymysql # for ansible
+  ansible.builtin.apt:
+    name: [mariadb-server, python3-pymysql]
+    state: present
+    cache_valid_time: 3600
   tags: mariadb, packages
 
-- name: Create system my.cnf
-  template: src=my.cnf.j2 dest=/etc/mysql/my.cnf owner=root group=root mode=0644
+- name: Add MariaDB configuration overrides
+  ansible.builtin.template:
+    src: 70-local.cnf.j2
+    dest: /etc/mysql/mariadb.conf.d/70-local.cnf
+    owner: root
+    group: root
+    mode: "0644"
   notify:
-    - restart mysql
+    - restart mariadb
   tags: mariadb
 
-# 'localhost' needs to be the last item for idempotency, see
-# https://docs.ansible.com/ansible/latest/mysql_user_module.html
+# See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_user_module.html
 - name: Update MariaDB root password for all root accounts
-  mysql_user: name=root host={{ item }} password={{ mariadb_root_password }} login_unix_socket={{ mariadb_login_unix_socket }}
+  community.mysql.mysql_user:
+    name: root
+    host: "{{ item }}"
+    password: "{{ mariadb_root_password }}"
+    login_unix_socket: "{{ mariadb_login_unix_socket }}"
   loop:
-    - "{{ inventory_hostname }}"
     - 127.0.0.1
     - ::1
-    - localhost
   tags: mariadb
 
 - name: Create .my.conf file with root credentials
-  template: src=.my.cnf.j2 dest=/root/.my.cnf owner=root mode=0600
+  ansible.builtin.template:
+    src: .my.cnf.j2
+    dest: /root/.my.cnf
+    owner: root
+    mode: "0600"
   tags: mariadb
 
+# See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_db_module.html
 - name: Create MariaDB database(s)
-  mysql_db: db={{ item.name }} state=present encoding=utf8mb4
-  loop: "{{ mariadb_databases }}"
   when: mariadb_databases is defined
+  community.mysql.mysql_db:
+    db: "{{ item.name }}"
+    state: present
+    encoding: utf8mb4
+    login_unix_socket: "{{ mariadb_login_unix_socket }}"
+  loop: "{{ mariadb_databases }}"
   tags: mariadb
 
 - name: Create MariaDB user(s)
-  mysql_user: name={{ item.user }} password={{ item.pass }} priv={{ item.name }}.*:ALL state=present
-  loop: "{{ mariadb_databases }}"
   when: mariadb_databases is defined
+  community.mysql.mysql_user:
+    name: "{{ item.user }}"
+    password: "{{ item.pass }}"
+    priv: "{{ item.name }}.*:ALL"
+    host: 127.0.0.1
+    state: present
+    login_unix_socket: "{{ mariadb_login_unix_socket }}"
+  loop: "{{ mariadb_databases }}"
   tags: mariadb
 
 # vim: set ts=2 sw=2:

roles/mariadb/templates/70-local.cnf.j2

@@ -0,0 +1,10 @@
+{{ ansible_managed | comment }}
+
+[mysqld]
+# don't resolve connection IPs to hostnames (make sure user accounts are using
+# IPs instead of "localhost")
+skip-name-resolve=1
+max_connections		= {{ max_connections }}
+tmp_table_size		= {{ tmp_table_size }}
+max_heap_table_size	= {{ max_heap_table_size }}
+innodb_buffer_pool_size	= {{ innodb_buffer_pool_size }}

roles/mariadb/templates/mariadb.list.j2

@@ -1,3 +0,0 @@
-{{ ansible_managed | comment }}
-
-deb [arch=amd64] http://mirror.23media.de/mariadb/repo/10.4/{{ ansible_distribution | lower }} {{ ansible_distribution_release }} main

roles/mariadb/templates/my.cnf.j2

@@ -1,195 +0,0 @@
-{{ ansible_managed | comment }}
-
-# MariaDB database server configuration file.
-#
-# You can copy this file to one of:
-# - "/etc/mysql/my.cnf" to set global options,
-# - "~/.my.cnf" to set user-specific options.
-# 
-# One can use all long options that the program supports.
-# Run program with --help to get a list of available options and with
-# --print-defaults to see which it would actually understand and use.
-#
-# For explanations see
-# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
-
-# This will be passed to all mysql clients
-# It has been reported that passwords should be enclosed with ticks/quotes
-# escpecially if they contain "#" chars...
-# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
-[client]
-port		= 3306
-socket		= /var/run/mysqld/mysqld.sock
-
-# Here is entries for some specific programs
-# The following values assume you have at least 32M ram
-
-# This was formally known as [safe_mysqld]. Both versions are currently parsed.
-[mysqld_safe]
-socket		= /var/run/mysqld/mysqld.sock
-nice		= 0
-
-[mysqld]
-#
-# * Basic Settings
-#
-user		= mysql
-pid-file	= /var/run/mysqld/mysqld.pid
-socket		= /var/run/mysqld/mysqld.sock
-port		= 3306
-basedir		= /usr
-datadir		= /var/lib/mysql
-tmpdir		= /tmp
-lc_messages_dir	= /usr/share/mysql
-lc_messages	= en_US
-skip-external-locking
-#
-# Instead of skip-networking the default is now to listen only on
-# localhost which is more compatible and is not less secure.
-bind-address		= 127.0.0.1
-#
-# * Fine Tuning
-#
-max_connections		= {{ max_connections }}
-connect_timeout		= 5
-wait_timeout		= 600
-max_allowed_packet	= 16M
-thread_cache_size       = 128
-sort_buffer_size	= 4M
-bulk_insert_buffer_size	= 16M
-tmp_table_size		= 32M
-max_heap_table_size	= 32M
-#
-# * MyISAM
-#
-# This replaces the startup script and checks MyISAM tables if needed
-# the first time they are touched. On error, make copy and try a repair.
-myisam_recover_options = BACKUP
-key_buffer_size		= {{ key_buffer_size }}
-#open-files-limit	= 2000
-table_open_cache	= 400
-myisam_sort_buffer_size	= 512M
-concurrent_insert	= 2
-read_buffer_size	= 2M
-read_rnd_buffer_size	= 1M
-#
-# * Query Cache Configuration
-#
-# Cache only tiny result sets, so we can fit more in the query cache.
-query_cache_limit		= 128K
-query_cache_size		= 64M
-# for more write intensive setups, set to DEMAND or OFF
-#query_cache_type		= DEMAND
-#
-# * Logging and Replication
-#
-# Both location gets rotated by the cronjob.
-# Be aware that this log type is a performance killer.
-# As of 5.1 you can enable the log at runtime!
-#general_log_file        = /var/log/mysql/mysql.log
-#general_log             = 1
-#
-# Error logging goes to syslog due to /etc/mysql/conf.d/mysqld_safe_syslog.cnf.
-#
-# we do want to know about network errors and such
-log_warnings		= 2
-#
-# Enable the slow query log to see queries with especially long duration
-#slow_query_log[={0|1}]
-slow_query_log_file	= /var/log/mysql/mariadb-slow.log
-long_query_time = 10
-#log_slow_rate_limit	= 1000
-log_slow_verbosity	= query_plan
-
-#log-queries-not-using-indexes
-#log_slow_admin_statements
-#
-# The following can be used as easy to replay backup logs or for replication.
-# note: if you are setting up a replication slave, see README.Debian about
-#       other settings you may need to change.
-#server-id		= 1
-#report_host		= master1
-#auto_increment_increment = 2
-#auto_increment_offset	= 1
-log_bin			= /var/log/mysql/mariadb-bin
-log_bin_index		= /var/log/mysql/mariadb-bin.index
-# not fab for performance, but safer
-#sync_binlog		= 1
-expire_logs_days	= 10
-max_binlog_size         = 100M
-# slaves
-#relay_log		= /var/log/mysql/relay-bin
-#relay_log_index	= /var/log/mysql/relay-bin.index
-#relay_log_info_file	= /var/log/mysql/relay-bin.info
-#log_slave_updates
-#read_only
-#
-# If applications support it, this stricter sql_mode prevents some
-# mistakes like inserting invalid dates etc.
-#sql_mode		= NO_ENGINE_SUBSTITUTION,TRADITIONAL
-#
-# * InnoDB
-#
-# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
-# Read the manual for more InnoDB related options. There are many!
-default_storage_engine	= InnoDB
-# you can't just change log file size, requires special procedure
-#innodb_log_file_size	= 50M
-innodb_buffer_pool_size	= {{ innodb_buffer_pool_size }}
-innodb_log_buffer_size	= 8M
-innodb_file_per_table	= 1
-innodb_open_files	= 400
-innodb_io_capacity	= 400
-innodb_flush_method	= O_DIRECT
-innodb_buffer_pool_instances = {{ innodb_buffer_pool_instances }}
-
-aria_pagecache_buffer_size = {{ aria_pagecache_buffer_size }}
-#
-# * Security Features
-#
-# Read the manual, too, if you want chroot!
-# chroot = /var/lib/mysql/
-#
-# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
-#
-# ssl-ca=/etc/mysql/cacert.pem
-# ssl-cert=/etc/mysql/server-cert.pem
-# ssl-key=/etc/mysql/server-key.pem
-
-#
-# * Galera-related settings
-#
-[galera]
-# Mandatory settings
-#wsrep_on=ON
-#wsrep_provider=
-#wsrep_cluster_address=
-#binlog_format=row
-#default_storage_engine=InnoDB
-#innodb_autoinc_lock_mode=2
-#
-# Allow server to accept connections on all interfaces.
-#
-#bind-address=0.0.0.0
-#
-# Optional setting
-#wsrep_slave_threads=1
-#innodb_flush_log_at_trx_commit=0
-
-[mysqldump]
-quick
-quote-names
-max_allowed_packet	= 16M
-
-[mysql]
-#no-auto-rehash	# faster start of mysql but no tab completion
-
-[isamchk]
-key_buffer		= 16M
-
-#
-# * IMPORTANT: Additional settings that can override those from this file!
-#   The files must end with '.cnf', otherwise they'll be ignored.
-#
-!include /etc/mysql/mariadb.cnf
-!includedir /etc/mysql/conf.d/

roles/munin/handlers/main.yml

@@ -1,4 +1,4 @@
 ---
-# file: roles/munin/handlers/main.yml
+# ansible.builtin.file: roles/munin/handlers/main.yml
 - name: restart munin-node
-  systemd: name=munin-node state=restarted
+  ansible.builtin.systemd_service: name=munin-node state=restarted

roles/munin/tasks/main.yml

@@ -1,8 +1,8 @@
 ---
 - name: Configure munin scraper
-  import_tasks: munin.yml
+  ansible.builtin.import_tasks: munin.yml
   tags: munin
 
 - name: Configure munin listener
-  import_tasks: munin-node.yml
+  ansible.builtin.import_tasks: munin-node.yml
   tags: munin-node

roles/munin/tasks/munin-node.yml

@@ -1,25 +1,34 @@
 ---
 - name: Install munin-node
-  apt: name=munin-node state=present
+  ansible.builtin.apt:
+    name: munin-node
+    state: present
   tags: packages
 
 # some nice things to have for munin-node on Ubuntu
 # libwww-perl: for munin's nginx_status check
 - name: Install munin-node deps
-  apt: name=libwww-perl state=present
+  ansible.builtin.apt:
+    name: libwww-perl
+    state: present
   tags: packages
 
 - name: Create munin-node.conf
-  template: src=munin-node.conf.j2 dest=/etc/munin/munin-node.conf
+  ansible.builtin.template:
+    src: munin-node.conf.j2
+    dest: /etc/munin/munin-node.conf
   notify:
     - restart munin-node
 
 - name: Configure munin-node
-  shell: munin-node-configure --shell --families=contrib,auto | sh -x
+  ansible.builtin.shell: munin-node-configure --shell --families=contrib,auto | sh -x
   notify:
     - restart munin-node
 
 - name: Start munin-node
-  systemd: name=munin-node state=started enabled=true
+  ansible.builtin.systemd_service:
+    name: munin-node
+    state: started
+    enabled: true
 
 # vim: set ts=2 sw=2:

roles/munin/tasks/munin.yml

@@ -1,9 +1,16 @@
 ---
 - name: Install munin package
-  apt: name=munin state=present
+  ansible.builtin.apt:
+    name: munin
+    state: present
   tags: packages
 
 - name: Create munin configuration file
-  template: src=munin.conf.j2 dest=/etc/munin/munin.conf owner=root group=root mode=0644
+  ansible.builtin.template:
+    src: munin.conf.j2
+    dest: /etc/munin/munin.conf
+    owner: root
+    group: root
+    mode: "0644"
 
 # vim: set ts=2 sw=2:

roles/nginx/defaults/main.yml

@@ -1,37 +1,37 @@
 ---
-# file: roles/nginx/defaults/main.yml
+# ansible.builtin.file: roles/nginx/defaults/main.yml
 
 # path config
 nginx_confd_path: /etc/nginx/conf.d
 
 # parent directory of vhost roots
-nginx_root_prefix: /var/www
+nginx_root_prefix: "{{ web_root_prefix }}"
 
-# 1 hour timeout
-nginx_ssl_session_timeout: 1h
+# 1 day timeout
+nginx_ssl_session_timeout: 1d
 # 10MB -> 40,000 sessions
 nginx_ssl_session_cache: shared:SSL:10m
-# 1400 bytes to fit in one MTU (default is 16k!)
-nginx_ssl_buffer_size: 1400
+nginx_ssl_buffer_size: 4k
 nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
-nginx_ssl_protocols: 'TLSv1.2 TLSv1.3'
+nginx_ssl_protocols: TLSv1.2 TLSv1.3
+nginx_ssl_ecdh_curve: X25519:prime256v1:secp384r1
 
-# DNS resolvers for OCSP stapling (default to Cloudflare public DNS)
-# See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
-nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]'
+# DNS resolvers (default to Cloudflare public DNS)
+nginx_resolver: 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]
 
-# install certbot + dependencies?
-# True unless you're in development and using "localhost" + snakeoil certs
-use_letsencrypt: True
+# HTTP Strict-Transport-Security header, recommended by Google to be ~1 year
+# in seconds, see: https://hstspreload.org/
+nginx_hsts_max_age: 31536000
 
-# Directory root for Let's Encrypt certs
-letsencrypt_root: /etc/letsencrypt/live
+# Use Let's Encrypt via nginx's acme module?
+# true unless you're in development and using "localhost" + snakeoil certs
+use_letsencrypt: true
 
-# Location of Let's Encrypt's certbot script
-letsencrypt_certbot_dest: /opt/certbot-auto
+# Email address to use for the ACME account managing the site's certificates.
+letsencrypt_contact: foo@example.com
 
-# stable is 1.18.x
-# mainline is 1.19.x
+# stable is 1.26.x
+# mainline is 1.27.x
 nginx_version: mainline
 
 # vim: set ts=2 sw=2:

roles/nginx/files/extra-security.conf

@@ -15,3 +15,6 @@ add_header X-XSS-Protection "1; mode=block" always;
 # CSP can be quite difficult to configure, and cause real issues if you get it wrong
 # There is website that helps you generate a policy here http://cspisawesome.com/
 # add_header Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' https://www.google-analytics.com;" always;
+
+# Opt this site out of Google Chrome's Federated Learning of Cohorts (FLoC)
+add_header Permissions-Policy interest-cohort=() always;

roles/nginx/files/start-nginx.sh

@@ -1,3 +0,0 @@
-#!/usr/bin/env bash
-
-/bin/systemctl start nginx

roles/nginx/files/stop-nginx.sh

@@ -1,3 +0,0 @@
-#!/usr/bin/env bash
-
-/bin/systemctl stop nginx

roles/nginx/handlers/main.yml

@@ -1,5 +1,7 @@
 ---
-- name: reload nginx
-  systemd: name=nginx state=reloaded
+- name: Reload nginx
+  ansible.builtin.systemd_service:
+    name: nginx
+    state: reloaded
 
 # vim: set ts=2 sw=2:

roles/nginx/tasks/letsencrypt.yml

@@ -1,137 +1,35 @@
 ---
-
-- block:
-  - name: Copy systemd service to renew Let's Encrypt certs
-    template: src=renew-letsencrypt.service.j2 dest=/etc/systemd/system/renew-letsencrypt.service mode=0644 owner=root group=root
-
-  - name: Copy systemd timer to renew Let's Encrypt certs
-    copy: src=renew-letsencrypt.timer dest=/etc/systemd/system/renew-letsencrypt.timer mode=0644 owner=root group=root
-
-  # always issues daemon-reload just in case the server/timer changed
-  - name: Start and enable systemd timer to renew Let's Encrypt certs
-    systemd: name=renew-letsencrypt.timer state=started enabled=yes daemon_reload=yes
-
-  - name: Download certbot
-    get_url: dest={{ letsencrypt_certbot_dest }} url=https://dl.eff.org/certbot-auto mode=700
-
-  # Dependencies certbot checks for on its first run. I set them in a fact so that
-  # I can pass the list directly to the apt module to install in one transaction.
-  - name: Set certbot dependencies (Debian 10)
-    when: ansible_distribution == 'Debian' and ansible_distribution_major_version is version('10', '==')
-    set_fact:
-      certbot_dependencies:
-        - augeas-lenses
-        - binutils
-        - binutils-common
-        - binutils-x86-64-linux-gnu
-        - cpp
-        - cpp-8
-        - gcc
-        - gcc-8
-        - libasan5
-        - libatomic1
-        - libaugeas0
-        - libbinutils
-        - libc-dev-bin
-        - libc6-dev
-        - libcc1-0
-        - libexpat1-dev
-        - libffi-dev
-        - libgcc-8-dev
-        - libgomp1
-        - libisl19
-        - libitm1
-        - liblsan0
-        - libmpc3
-        - libmpfr6
-        - libmpx2
-        - libpython-dev
-        - libpython2-dev
-        - libpython2.7
-        - libpython2.7-dev
-        - libquadmath0
-        - libssl-dev
-        - libtsan0
-        - libubsan1
-        - linux-libc-dev
-        - python-dev
-        - python-pip-whl
-        - python-pkg-resources
-        - python-virtualenv
-        - python2-dev
-        - python2.7-dev
-        - python3-distutils
-        - python3-lib2to3
-        - python3-virtualenv
-        - virtualenv
-
-  # Dependencies certbot checks for on its first run. I set them in a fact so that
-  # I can pass the list directly to the apt module to install in one transaction.
-  - name: Set certbot dependencies (Ubuntu 18.04)
-    when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==')
-    set_fact:
-      certbot_dependencies:
-        - augeas-lenses
-        - binutils
-        - binutils-common
-        - binutils-x86-64-linux-gnu
-        - cpp
-        - cpp-7
-        - gcc
-        - gcc-7
-        - gcc-7-base
-        - libasan4
-        - libatomic1
-        - libaugeas0
-        - libbinutils
-        - libc-dev-bin
-        - libc6-dev
-        - libcc1-0
-        - libcilkrts5
-        - libexpat1-dev
-        - libffi-dev
-        - libgcc-7-dev
-        - libgomp1
-        - libisl19
-        - libitm1
-        - liblsan0
-        - libmpc3
-        - libmpx2
-        - libpython-dev
-        - libpython2.7
-        - libpython2.7-dev
-        - libquadmath0
-        - libssl-dev
-        - libtsan0
-        - libubsan0
-        - linux-libc-dev
-        - python-dev
-        - python-pip-whl
-        - python-pkg-resources
-        - python-virtualenv
-        - python2.7-dev
-        - python3-virtualenv
-        - virtualenv
-
-  - name: Install certbot dependencies
-    apt: name={{ certbot_dependencies }} state=present update_cache=yes
-
-  when: ansible_distribution != 'Ubuntu' and ansible_distribution_major_version is version('20.04', '!=')
+# Remove any standalone Let's Encrypt clients because we use nginx's acme module.
+- name: Remove standalone Let's Encrypt clients
   tags: letsencrypt
+  when:
+    - ansible_facts["distribution"] == 'Debian'
+    - ansible_facts["distribution_version"] is version('11', '>=')
+  block:
+    - name: Remove certbot
+      ansible.builtin.apt:
+        name: certbot
+        state: absent
 
-# On Ubuntu 20.04 it is no longer recommended/supported to use the standalone
-# certbot-auto so I guess we need to use the one from the repositories.
-- block:
-  - name: Install certbot (Ubuntu 20.04)
-    apt: name=certbot state=present update_cache=yes
+    - name: Remove old certbot post and pre hooks for nginx
+      ansible.builtin.file:
+        dest: "{{ item }}"
+        state: absent
+      with_items:
+        - /etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh
+        - /etc/letsencrypt/renewal-hooks/post/start-nginx.sh
 
-  - name: Copy certbot post and pre hooks for nginx
-    copy: src={{ item.src }} dest={{ item.dest }} owner=root group=root mode=0755
-    with_items:
-      - { src: 'stop-nginx.sh', dest: '/etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh' }
-      - { src: 'start-nginx.sh', dest: '/etc/letsencrypt/renewal-hooks/post/start-nginx.sh' }
+    - name: Remove unused Let's Encrypt well-known directory
+      ansible.builtin.file:
+        state: absent
+        path: /var/lib/letsencrypt/.well-known
 
-  when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')
-  tags: letsencrypt
+    - name: Remove unused Let's Encrypt systemd units
+      ansible.builtin.file:
+        state: absent
+        path: "{{ item }}"
+      loop:
+        - /etc/systemd/system/renew-letsencrypt.service
+        - /etc/systemd/system/renew-letsencrypt.timer
 
 # vim: set ts=2 sw=2:

roles/nginx/tasks/main.yml

@@ -1,77 +1,127 @@
 ---
-- name: Add nginx.org apt signing key
-  apt_key: id=0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 url=https://nginx.org/keys/nginx_signing.key state=present
-  register: add_nginx_apt_key
-  tags: nginx, packages
+- name: Download nginx apt signing key
+  ansible.builtin.get_url:
+    url: https://nginx.org/keys/nginx_signing.key
+    dest: /usr/share/keyrings/nginx_signing.key
+    owner: root
+    group: root
+    mode: "0644"
+    checksum: sha256:55385da31d198fa6a5012d40ae98ecb272a6c4e8fffffba94719ffd3e87de37a
+  register: download_nginx_signing_key
+  tags:
+    - packages
+    - nginx
 
 - name: Add nginx.org repo
-  template: src=nginx_org_sources.list.j2 dest=/etc/apt/sources.list.d/nginx_org_sources.list owner=root group=root mode=0644
+  ansible.builtin.template:
+    src: nginx_org_sources.list.j2
+    dest: /etc/apt/sources.list.d/nginx_org_sources.list
+    owner: root
+    group: root
+    mode: "0644"
   register: add_nginx_apt_repository
-  tags: nginx, packages
+  tags:
+    - nginx
+    - packages
 
 - name: Update apt cache
-  apt:
-    update_cache: yes
-  when:
-    add_nginx_apt_key is changed or
-    add_nginx_apt_repository is changed
+  when: (download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or add_nginx_apt_repository is changed
+  ansible.builtin.apt: # noqa no-handler
+    update_cache: true
 
 - name: Install nginx
-  apt: pkg=nginx cache_valid_time=3600 state=present
-  tags: nginx, packages
+  ansible.builtin.apt:
+    pkg: [nginx, nginx-module-acme]
+    cache_valid_time: 3600
+    state: present
+  tags:
+    - nginx
+    - packages
 
-- name: Copy nginx.conf
-  template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=0644 owner=root group=root
+- name: Copy nginx configs (templates)
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    mode: "0644"
+    owner: root
+    group: root
+  loop:
+    - { src: nginx.conf.j2, dest: /etc/nginx/nginx.conf }
+    - { src: 01-acme.conf.j2, dest: /etc/nginx/conf.d/01-acme.conf }
   notify:
-    - reload nginx
+    - Reload nginx
   tags: nginx
 
-- name: Copy extra nginx configs
-  copy: src={{ item }} dest=/etc/nginx/{{ item }} mode=0644 owner=root group=root
+- name: Copy nginx configs (files)
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: /etc/nginx/{{ item }}
+    mode: "0644"
+    owner: root
+    group: root
   loop:
     - extra-security.conf
     - fastcgi_cache
   notify:
-    - reload nginx
+    - Reload nginx
   tags: nginx
 
 - name: Remove default nginx vhost
-  file: path=/etc/nginx/conf.d/default.conf state=absent
+  ansible.builtin.file:
+    path: /etc/nginx/conf.d/default.conf
+    state: absent
   tags: nginx
 
 - name: Create fastcgi cache dir
-  file: path=/var/cache/nginx/cached/fastcgi state=directory owner=nginx group=nginx mode=0755
+  ansible.builtin.file:
+    path: /var/cache/nginx/cached/fastcgi
+    state: directory
+    owner: nginx
+    group: nginx
+    mode: "0755"
   tags: nginx
 
 - name: Configure nginx virtual hosts
-  include_tasks: vhosts.yml
   when: nginx_vhosts is defined
+  ansible.builtin.include_tasks: vhosts.yml
   tags: nginx
 
 - name: Configure WordPress
-  include_tasks: wordpress.yml
   when: nginx_vhosts is defined
+  ansible.builtin.include_tasks: wordpress.yml
   tags: wordpress
 
 - name: Configure blank nginx vhost
-  template: src=blank-vhost.conf.j2 dest={{ nginx_confd_path }}/blank-vhost.conf  mode=0644 owner=root group=root
+  ansible.builtin.template:
+    src: blank-vhost.conf.j2
+    dest: "{{ nginx_confd_path }}/blank-vhost.conf"
+    mode: "0644"
+    owner: root
+    group: root
   notify:
-    - reload nginx
+    - Reload nginx
   tags: nginx
 
 - name: Configure munin vhost
-  copy: src=munin.conf dest=/etc/nginx/conf.d/munin.conf mode=0644 owner=root group=root
+  ansible.builtin.copy:
+    src: munin.conf
+    dest: /etc/nginx/conf.d/munin.conf
+    mode: "0644"
+    owner: root
+    group: root
   notify:
-    - reload nginx
+    - Reload nginx
   tags: nginx
 
 - name: Start and enable nginx service
-  systemd: name=nginx state=started enabled=yes
+  ansible.builtin.systemd_service:
+    name: nginx
+    state: started
+    enabled: true
   tags: nginx
 
 - name: Configure Let's Encrypt
-  include_tasks: letsencrypt.yml
-  when: use_letsencrypt is defined and use_letsencrypt
+  ansible.builtin.include_tasks: letsencrypt.yml
   tags: letsencrypt
 
 # vim: set ts=2 sw=2:

roles/nginx/tasks/vhosts.yml

@@ -1,25 +1,40 @@
 ---
-
-- block:
-  - name: Configure https vhosts
-    template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root
-    loop: "{{ nginx_vhosts }}"
-    notify:
-      - reload nginx
-
-  - name: Generate self-signed TLS cert
-    command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
-    notify:
-      - reload nginx
-
-  - name: Generate 2048-bit dhparam
-    command: openssl dhparam -out dhparam.pem 2048 chdir=/etc/ssl/certs creates=dhparam.pem
-    notify:
-      - reload nginx
-
-  - name: Create vhost document roots
-    file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=nginx group=nginx
-    loop: "{{ nginx_vhosts }}"
+- name: Configure https vhosts
   tags: nginx
+  block:
+    - name: Configure https vhosts
+      ansible.builtin.template:
+        src: vhost.conf.j2
+        dest: "{{ nginx_confd_path }}/{{ item.domain_name }}.conf"
+        mode: "0644"
+        owner: root
+        group: root
+      loop: "{{ nginx_vhosts }}"
+      notify:
+        - Reload nginx
+
+    - name: Generate self-signed TLS cert
+      ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key
+        -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
+      notify:
+        - Reload nginx
+
+    - name: Download 4096-bit RFC 7919 dhparams
+      ansible.builtin.get_url:
+        url: https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem
+        checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3
+        dest: "{{ nginx_ssl_dhparam }}"
+      notify:
+        - Reload nginx
+
+    # TODO: this could break because we can override the document root in host vars
+    - name: Create vhost document roots
+      ansible.builtin.file:
+        path: "{{ nginx_root_prefix }}/{{ item.domain_name }}"
+        state: directory
+        mode: "0755"
+        owner: nginx
+        group: nginx
+      loop: "{{ nginx_vhosts }}"
 
 # vim: set ts=2 sw=2:

roles/nginx/tasks/wordpress.yml

@@ -1,15 +1,31 @@
 ---
-
-- block:
-  - name: Install WordPress
-    git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version }} depth=1 force=yes
-    when: item.has_wordpress is defined and item.has_wordpress
-    loop: "{{ nginx_vhosts }}"
-
-  - name: Fix WordPress directory permissions
-    file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=yes
-    when: item.has_wordpress is defined and item.has_wordpress
-    loop: "{{ nginx_vhosts }}"
+- name: Install and configure WordPress
   tags: wordpress
+  block:
+    - name: Install WordPress
+      when:
+        - item.has_wordpress is defined
+        - item.has_wordpress
+      ansible.builtin.git:
+        repo: https://github.com/WordPress/WordPress.git
+        dest: "{{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress"
+        version: "{{ item.wordpress_version }}"
+        depth: 1
+        force: true
+      loop: "{{ nginx_vhosts }}"
+      become: true
+      become_user: nginx
+
+    - name: Fix WordPress directory permissions
+      when:
+        - item.has_wordpress is defined
+        - item.has_wordpress
+      ansible.builtin.file:
+        path: "{{ nginx_root_prefix }}/{{ item.domain_name }}"
+        state: directory
+        owner: nginx
+        group: nginx
+        recurse: true
+      loop: "{{ nginx_vhosts }}"
 
 # vim: set ts=2 sw=2:

roles/nginx/templates/01-acme.conf.j2

@@ -0,0 +1,14 @@
+{{ ansible_managed | comment }}
+
+# Setting the resolver is important because nginx uses it for upstream servers
+# and ACME requests. nginx attempts to resolve these at startup and will fail
+# if it cannot.
+resolver {{ nginx_resolver }};
+
+acme_issuer letsencrypt {
+    uri         https://acme-v02.api.letsencrypt.org/directory;
+    contact     {{ letsencrypt_contact }};
+    challenge   tls-alpn;
+    state_path  /var/cache/nginx/acme-letsencrypt;
+    accept_terms_of_service;
+}

roles/nginx/templates/blank-vhost.conf.j2

@@ -11,12 +11,14 @@ server {
 
     return 444;
 }
+
 server {
-    listen 443 ssl http2 default_server;
-    listen [::]:443 ssl http2 default_server;
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+    http2 on;
     server_name _;
 
-    # "snakeoil" certificate (self signed!)
+    # self-signed "snakeoil" certificate
     ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
     ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;
 

roles/nginx/templates/gitea.j2

@@ -0,0 +1,5 @@
+
+    location / {
+        proxy_pass http://localhost:3000;
+    }
+

roles/nginx/templates/https.j2

@@ -1,7 +1,7 @@
 {# helper variables and per-site defaults that we can't set in role defaults #}
 {% set domain_name       = item.domain_name %}
-{# assume HSTS is off unless a vhost explicitly sets it to True #}
-{% set enable_hsts       = item.enable_hsts | default(False) %}
+{# assume HSTS is off unless a vhost explicitly sets it to true #}
+{% set enable_hsts       = item.enable_hsts | default(false) %}
 
     {# first, check if the current vhost has a custom cert (perhaps self-signed) #}
     {% if item.tls_certificate_path is defined and item.tls_key_path is defined %}
@@ -14,10 +14,13 @@
     {# otherwise, assume host is using letsencrypt #}
     {% else %}
 
-    # concatenated key + cert
-    # See: http://nginx.org/en/docs/http/configuring_https_servers.html
-    ssl_certificate {{ letsencrypt_root }}/{{ domain_name }}/fullchain.pem;
-    ssl_certificate_key {{ letsencrypt_root }}/{{ domain_name }}/privkey.pem;
+    acme_certificate letsencrypt;
+
+    ssl_certificate       $acme_certificate;
+    ssl_certificate_key   $acme_certificate_key;
+
+    # do not parse the certificate on each request
+    ssl_certificate_cache max=2;
 
     {% endif %}
 
@@ -27,29 +30,13 @@
 
     ssl_dhparam {{ nginx_ssl_dhparam }};
     ssl_protocols {{ nginx_ssl_protocols }};
+    ssl_ecdh_curve {{ nginx_ssl_ecdh_curve }};
     ssl_ciphers "{{ tls_cipher_suite }}";
-    ssl_prefer_server_ciphers on;
+    ssl_prefer_server_ciphers off;
 
-    {# OSCP stapling only works with real certs #}
-    {% if use_letsencrypt == True or item.tls_certificate_path %}
-    # OCSP stapling...
-    ssl_stapling on;
-    ssl_stapling_verify on;
-    resolver {{ nginx_ssl_stapling_resolver }};
-    {% endif %} {# end: use_letsencrypt #}
-
-    # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
-    # when a restart is performed the previous key is lost, which resets all previous
-    # sessions. The fix for this is to setup a manual rotation mechanism:
-    # http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
-    #
-    # Note that you'll have to define and rotate the keys securely by yourself. In absence
-    # of such infrastructure, consider turning off session tickets:
-    ssl_session_tickets off;
-
-    {% if enable_hsts == True %}
+    {% if enable_hsts == true %}
     # Enable this if you want HSTS (recommended, but be careful)
     # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
     # See: https://hstspreload.appspot.com/
-    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
+    add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
     {% endif %}

roles/nginx/templates/nginx.conf.j2

@@ -14,6 +14,7 @@ error_log  /var/log/nginx/error.log warn;
 # The file storing the process ID of the main process
 pid        /var/run/nginx.pid;
 
+load_module modules/ngx_http_acme_module.so;
 
 events {
     # If you need more connections than this, you start optimizing your OS.
@@ -23,6 +24,7 @@ events {
 }
 
 
+
 http {
     include       /etc/nginx/mime.types;
     default_type  application/octet-stream;

roles/nginx/templates/nginx_org_sources.list.j2

@@ -1,19 +1,7 @@
 {{ ansible_managed | comment }}
 
-{% if ansible_distribution == 'Ubuntu' %}
-
 {% if nginx_version == "stable" %}
-deb [arch=amd64] https://nginx.org/packages/ubuntu/ {{ ansible_distribution_release }} nginx
+deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/debian/ {{ ansible_facts["distribution_release"] }} nginx
 {% elif nginx_version == "mainline" %}
-deb [arch=amd64] https://nginx.org/packages/mainline/ubuntu/ {{ ansible_distribution_release }} nginx
-{% endif %}
-
-{% elif ansible_distribution == 'Debian' %}
-
-{% if nginx_version == "stable" %}
-deb [arch=amd64] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx
-{% elif nginx_version == "mainline" %}
-deb [arch=amd64] https://nginx.org/packages/mainline/debian/ {{ ansible_distribution_release }} nginx
-{% endif %}
-
+deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/mainline/debian/ {{ ansible_facts["distribution_release"] }} nginx
 {% endif %}

roles/nginx/templates/renew-letsencrypt.service.j2

@@ -1,7 +0,0 @@
-[Unit]
-Description=Renew Let's Encrypt certificates
-ConditionFileIsExecutable={{ letsencrypt_certbot_dest }}
-
-[Service]
-Type=oneshot
-ExecStart={{ letsencrypt_certbot_dest }} renew --standalone --pre-hook "/bin/systemctl stop nginx" --post-hook "/bin/systemctl start nginx"

roles/nginx/templates/vhost.conf.j2

@@ -4,9 +4,16 @@
 {% set domain_name    = item.domain_name %}
 {% set domain_aliases = item.domain_aliases | default("") %}
 {# assume optional features are off unless a vhost explicitly sets them #}
-{% set enable_hsts    = item.enable_hsts | default(False) %}
-{% set has_wordpress  = item.has_wordpress | default(False) %}
-{% set needs_php      = item.needs_php | default(False) %}
+{% set enable_hsts    = item.enable_hsts | default(false) %}
+{% set has_wordpress  = item.has_wordpress | default(false) %}
+{% set needs_php      = item.needs_php | default(false) %}
+{% set has_gitea      = item.has_gitea | default(false) %}
+{# Allow sites to override the document root #}
+{% if item.document_root is defined %}
+{%   set document_root = item.document_root %}
+{% else %}
+{%   set document_root = (nginx_root_prefix, domain_name) | ansible.builtin.path_join %}
+{% endif %}
 
 # http -> https vhost
 server {
@@ -23,36 +30,36 @@ server {
 }
 
 server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
 
-    {# Allow sites to override the nginx document root #}
-    {% if item.document_root is defined %}
-    root {{ item.document_root }};
-    {% else %}
-    root {{ nginx_root_prefix }}/{{ domain_name }};
-    {% endif %}
+    root {{ document_root }};
 
     {# will only work if the TLS cert covers the domain + aliases, like example.com and www.example.com #}
     server_name {{ domain_name }} {{ domain_aliases }};
 
-    index {% if has_wordpress == True or needs_php == True %}index.php{% else %}index.html{% endif %};
+    index {% if has_wordpress == true or needs_php == true %}index.php{% else %}index.html{% endif %};
 
     access_log  /var/log/nginx/{{ domain_name }}-access.log;
     error_log   /var/log/nginx/{{ domain_name }}-error.log;
 
     {% include 'https.j2' %}
 
-    {% if has_wordpress == True %}
+    {% if has_wordpress == true %}
         {% include 'wordpress.j2' %}
     {% endif %}
 
+    {% if has_gitea == true %}
+        {% include 'gitea.j2' %}
+    {% endif %}
+
     error_page 500 502 503 504 /50x.html;
     location = /50x.html {
         root /usr/share/nginx/html;
     }
 
-    {% if has_wordpress == True or needs_php == True %}
+    {% if has_wordpress == true or needs_php == true %}
     location ~ [^/]\.php(/|$) {
         # Zero-day exploit defense.
         # http://forum.nginx.org/read.php?2,88845,page=3
@@ -68,17 +75,8 @@ server {
         # See: https://httpoxy.org/
         fastcgi_param HTTP_PROXY "";
 
-        {# As of Ubuntu 16.04 and Debian 9, the PHP-FPM configs are the same #}
-        {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('16.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('9', '==')) %}
-        fastcgi_pass unix:/run/php/php7.0-fpm-{{ domain_name }}.sock;
-        {% elif ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==') %}
-        fastcgi_pass unix:/run/php/php7.2-fpm-{{ domain_name }}.sock;
-        {% elif ansible_distribution == 'Debian' and ansible_distribution_version is version('10', '==') %}
-        fastcgi_pass unix:/run/php/php7.3-fpm-{{ domain_name }}.sock;
-        {% elif ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==') %}
-        fastcgi_pass unix:/run/php/php7.4-fpm-{{ domain_name }}.sock;
-        {% else %}
-        fastcgi_pass unix:/var/run/php5-fpm-{{ domain_name }}.sock;
+        {% if ansible_facts["distribution_major_version"] is version('12', '==') %}
+        fastcgi_pass unix:/run/php/php8.2-fpm-{{ domain_name }}.sock;
         {% endif %}
         fastcgi_index index.php;
         # set script path relative to document root in server block
@@ -92,11 +90,11 @@ server {
         fastcgi_cache_bypass $http_pragma $wordpress_logged_in;
         fastcgi_no_cache $http_pragma $wordpress_logged_in;
 
-        {% if enable_hsts == True %}
+        {% if enable_hsts == true %}
         # Enable this if you want HSTS (recommended, but be careful)
         # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
         # See: https://hstspreload.appspot.com/
-        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
+        add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
         {% endif %}
 
         include extra-security.conf;
@@ -106,7 +104,7 @@ server {
     include extra-security.conf;
 }
 
-{% if has_wordpress == True %}
+{% if has_wordpress == true %}
 # Check if a user is logged in
 # if so, set $wordpress_logged_in = 1
 # otherwise, set $wordpress_logged_in = 0

roles/nginx/templates/wordpress.j2

@@ -5,22 +5,22 @@
     location / {
         try_files $uri $uri/ /index.php?$args;
 
-        {% if enable_hsts == True %}
+        {% if enable_hsts == true %}
         # Enable this if you want HSTS (recommended, but be careful)
         # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
         # See: https://hstspreload.appspot.com/
-        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
+        add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
         {% endif %}
     }
 
     location ~* \.(?:ico|css|js|gif|jpe?g|png|svg)$ {
         add_header Cache-Control "max-age=604800";
 
-        {% if enable_hsts == True %}
+        {% if enable_hsts == true %}
         # Enable this if you want HSTS (recommended, but be careful)
         # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
         # See: https://hstspreload.appspot.com/
-        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;
+        add_header Strict-Transport-Security "max-age={{ nginx_hsts_max_age }}; includeSubDomains; preload" always;
         {% endif %}
     }   
 

roles/php-fpm/handlers/main.yml

@@ -1,14 +0,0 @@
----
-# For Ubuntu 18.04
-- name: reload php7.2-fpm
-  systemd: name=php7.2-fpm state=reloaded
-
-# For Debian 10
-- name: reload php7.3-fpm
-  systemd: name=php7.3-fpm state=reloaded
-
-# For Ubuntu 20.04
-- name: reload php7.4-fpm
-  systemd: name=php7.4-fpm state=reloaded
-
-# vim: set ts=2 sw=2:

roles/php-fpm/tasks/Debian_10.yml

@@ -1,36 +0,0 @@
----
-
-- block:
-  - name: Set php-fpm packages
-    set_fact:
-      php_fpm_packages:
-        - php-fpm
-        # for WordPress
-        - php-mysql
-        - php-gd
-        - php-curl
-        # for Piwik
-        - php-mbstring
-        - php-xml
-
-  - name: Install php-fpm and deps
-    apt: name={{ php_fpm_packages }} state=present update_cache=yes
-
-  # only copy php-fpm config for vhosts that need WordPress or PHP
-  - name: Copy php-fpm pool config
-    template: src=php7.3-pool.conf.j2 dest=/etc/php/7.3/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
-    loop: "{{ nginx_vhosts }}"
-    when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
-    notify: reload php7.3-fpm
-
-  - name: Remove default www pool
-    file: path=/etc/php/7.3/fpm/pool.d/www.conf state=absent
-    notify: reload php7.3-fpm
-
-  # re-configure php.ini
-  - name: Update php.ini
-    template: src=php7.3-php.ini.j2 dest=/etc/php/7.3/fpm/php.ini owner=root group=root mode=0644
-    notify: reload php7.3-fpm
-  tags: php-fpm
-
-# vim: set ts=2 sw=2:

roles/php-fpm/tasks/Ubuntu_18.04.yml

@@ -1,36 +0,0 @@
----
-
-- block:
-  - name: Set php-fpm packages
-    set_fact:
-      php_fpm_packages:
-        - php-fpm
-        # for WordPress
-        - php-mysql
-        - php-gd
-        - php-curl
-        # for Piwik
-        - php-mbstring
-        - php-xml
-
-  - name: Install php-fpm and deps
-    apt: name={{ php_fpm_packages }} state=present update_cache=yes
-
-  # only copy php-fpm config for vhosts that need WordPress or PHP
-  - name: Copy php-fpm pool config
-    template: src=php7.2-pool.conf.j2 dest=/etc/php/7.2/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
-    loop: "{{ nginx_vhosts }}"
-    when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
-    notify: reload php7.2-fpm
-
-  - name: Remove default www pool
-    file: path=/etc/php/7.2/fpm/pool.d/www.conf state=absent
-    notify: reload php7.2-fpm
-
-  # re-configure php.ini
-  - name: Update php.ini
-    template: src=php7.2-php.ini.j2 dest=/etc/php/7.2/fpm/php.ini owner=root group=root mode=0644
-    notify: reload php7.2-fpm
-  tags: php-fpm
-
-# vim: set ts=2 sw=2:

roles/php-fpm/tasks/Ubuntu_20.04.yml

@@ -1,36 +0,0 @@
----
-
-- block:
-  - name: Set php-fpm packages
-    set_fact:
-      php_fpm_packages:
-        - php-fpm
-        # for WordPress
-        - php-mysql
-        - php-gd
-        - php-curl
-        # for Piwik
-        - php-mbstring
-        - php-xml
-
-  - name: Install php-fpm and deps
-    apt: name={{ php_fpm_packages }} state=present update_cache=yes
-
-  # only copy php-fpm config for vhosts that need WordPress or PHP
-  - name: Copy php-fpm pool config
-    template: src=php7.4-pool.conf.j2 dest=/etc/php/7.4/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
-    loop: "{{ nginx_vhosts }}"
-    when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
-    notify: reload php7.4-fpm
-
-  - name: Remove default www pool
-    file: path=/etc/php/7.4/fpm/pool.d/www.conf state=absent
-    notify: reload php7.4-fpm
-
-  # re-configure php.ini
-  - name: Update php.ini
-    template: src=php7.4-php.ini.j2 dest=/etc/php/7.4/fpm/php.ini owner=root group=root mode=0644
-    notify: reload php7.4-fpm
-  tags: php-fpm
-
-# vim: set ts=2 sw=2:

roles/php-fpm/tasks/main.yml

@@ -1,21 +0,0 @@
----
-# Ubuntu 18.04 uses php-fpm 7.2
-# Debian 10 uses php-fpm 7.3
-# Ubuntu 20.04 uses PHP 7.4
-
-- name: Configure php-fpm on Ubuntu 18.04
-  include_tasks: Ubuntu_18.04.yml
-  when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==')
-  tags: php-fpm
-
-- name: Configure php-fpm on Debian 10
-  include_tasks: Debian_10.yml
-  when: ansible_distribution == 'Debian' and ansible_distribution_version is version('10', '==')
-  tags: php-fpm
-
-- name: Configure php-fpm on Ubuntu 20.04
-  include_tasks: Ubuntu_20.04.yml
-  when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')
-  tags: php-fpm
-
-# vim: set ts=2 sw=2:

roles/php-fpm/templates/php7.2-pool.conf.j2

@@ -1,415 +0,0 @@
-{% set domain_name  = item.domain_name %}
-
-; Start a new pool named '{{ domain_name }}'.
-; the variable $pool can we used in any directive and will be replaced by the
-; pool name ('{{ domain_name }}' here)
-[{{ domain_name }}]
-
-; Per pool prefix
-; It only applies on the following directives:
-; - 'access.log'
-; - 'slowlog'
-; - 'listen' (unixsocket)
-; - 'chroot'
-; - 'chdir'
-; - 'php_values'
-; - 'php_admin_values'
-; When not set, the global prefix (or /usr) applies instead.
-; Note: This directive can also be relative to the global prefix.
-; Default Value: none
-;prefix = /path/to/pools/$pool
-
-; Unix user/group of processes
-; Note: The user is mandatory. If the group is not set, the default user's group
-;       will be used.
-user = nginx
-group = nginx
-
-; The address on which to accept FastCGI requests.
-; Valid syntaxes are:
-;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
-;                            a specific port;
-;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
-;                            a specific port;
-;   'port'                 - to listen on a TCP socket to all addresses
-;                            (IPv6 and IPv4-mapped) on a specific port;
-;   '/path/to/unix/socket' - to listen on a unix socket.
-; Note: This value is mandatory.
-listen = /run/php/php7.2-fpm-{{ domain_name }}.sock
-
-; Set listen(2) backlog.
-; Default Value: 511 (-1 on FreeBSD and OpenBSD)
-;listen.backlog = 511
-
-; Set permissions for unix socket, if one is used. In Linux, read/write
-; permissions must be set in order to allow connections from a web server. Many
-; BSD-derived systems allow connections regardless of permissions.
-; Default Values: user and group are set as the running user
-;                 mode is set to 0660
-listen.owner = nginx
-listen.group = nginx
-;listen.mode = 0660
-; When POSIX Access Control Lists are supported you can set them using
-; these options, value is a comma separated list of user/group names.
-; When set, listen.owner and listen.group are ignored
-;listen.acl_users =
-;listen.acl_groups =
-
-; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
-; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
-; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
-; must be separated by a comma. If this value is left blank, connections will be
-; accepted from any ip address.
-; Default Value: any
-;listen.allowed_clients = 127.0.0.1
-
-; Specify the nice(2) priority to apply to the pool processes (only if set)
-; The value can vary from -19 (highest priority) to 20 (lower priority)
-; Note: - It will only work if the FPM master process is launched as root
-;       - The pool processes will inherit the master process priority
-;         unless it specified otherwise
-; Default Value: no set
-; process.priority = -19
-
-; Choose how the process manager will control the number of child processes.
-; Possible Values:
-;   static  - a fixed number (pm.max_children) of child processes;
-;   dynamic - the number of child processes are set dynamically based on the
-;             following directives. With this process management, there will be
-;             always at least 1 children.
-;             pm.max_children      - the maximum number of children that can
-;                                    be alive at the same time.
-;             pm.start_servers     - the number of children created on startup.
-;             pm.min_spare_servers - the minimum number of children in 'idle'
-;                                    state (waiting to process). If the number
-;                                    of 'idle' processes is less than this
-;                                    number then some children will be created.
-;             pm.max_spare_servers - the maximum number of children in 'idle'
-;                                    state (waiting to process). If the number
-;                                    of 'idle' processes is greater than this
-;                                    number then some children will be killed.
-;  ondemand - no children are created at startup. Children will be forked when
-;             new requests will connect. The following parameter are used:
-;             pm.max_children           - the maximum number of children that
-;                                         can be alive at the same time.
-;             pm.process_idle_timeout   - The number of seconds after which
-;                                         an idle process will be killed.
-; Note: This value is mandatory.
-pm = dynamic
-
-; The number of child processes to be created when pm is set to 'static' and the
-; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
-; This value sets the limit on the number of simultaneous requests that will be
-; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
-; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
-; CGI. The below defaults are based on a server without much resources. Don't
-; forget to tweak pm.* to fit your needs.
-; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
-; Note: This value is mandatory.
-pm.max_children = 5
-
-; The number of child processes created on startup.
-; Note: Used only when pm is set to 'dynamic'
-; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
-pm.start_servers = 2
-
-; The desired minimum number of idle server processes.
-; Note: Used only when pm is set to 'dynamic'
-; Note: Mandatory when pm is set to 'dynamic'
-pm.min_spare_servers = 1
-
-; The desired maximum number of idle server processes.
-; Note: Used only when pm is set to 'dynamic'
-; Note: Mandatory when pm is set to 'dynamic'
-pm.max_spare_servers = 3
-
-; The number of seconds after which an idle process will be killed.
-; Note: Used only when pm is set to 'ondemand'
-; Default Value: 10s
-;pm.process_idle_timeout = 10s;
-
-; The number of requests each child process should execute before respawning.
-; This can be useful to work around memory leaks in 3rd party libraries. For
-; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
-; Default Value: 0
-;pm.max_requests = 500
-
-; The URI to view the FPM status page. If this value is not set, no URI will be
-; recognized as a status page. It shows the following informations:
-;   pool                 - the name of the pool;
-;   process manager      - static, dynamic or ondemand;
-;   start time           - the date and time FPM has started;
-;   start since          - number of seconds since FPM has started;
-;   accepted conn        - the number of request accepted by the pool;
-;   listen queue         - the number of request in the queue of pending
-;                          connections (see backlog in listen(2));
-;   max listen queue     - the maximum number of requests in the queue
-;                          of pending connections since FPM has started;
-;   listen queue len     - the size of the socket queue of pending connections;
-;   idle processes       - the number of idle processes;
-;   active processes     - the number of active processes;
-;   total processes      - the number of idle + active processes;
-;   max active processes - the maximum number of active processes since FPM
-;                          has started;
-;   max children reached - number of times, the process limit has been reached,
-;                          when pm tries to start more children (works only for
-;                          pm 'dynamic' and 'ondemand');
-; Value are updated in real time.
-; Example output:
-;   pool:                 www
-;   process manager:      static
-;   start time:           01/Jul/2011:17:53:49 +0200
-;   start since:          62636
-;   accepted conn:        190460
-;   listen queue:         0
-;   max listen queue:     1
-;   listen queue len:     42
-;   idle processes:       4
-;   active processes:     11
-;   total processes:      15
-;   max active processes: 12
-;   max children reached: 0
-;
-; By default the status page output is formatted as text/plain. Passing either
-; 'html', 'xml' or 'json' in the query string will return the corresponding
-; output syntax. Example:
-;   http://www.foo.bar/status
-;   http://www.foo.bar/status?json
-;   http://www.foo.bar/status?html
-;   http://www.foo.bar/status?xml
-;
-; By default the status page only outputs short status. Passing 'full' in the
-; query string will also return status for each pool process.
-; Example:
-;   http://www.foo.bar/status?full
-;   http://www.foo.bar/status?json&full
-;   http://www.foo.bar/status?html&full
-;   http://www.foo.bar/status?xml&full
-; The Full status returns for each process:
-;   pid                  - the PID of the process;
-;   state                - the state of the process (Idle, Running, ...);
-;   start time           - the date and time the process has started;
-;   start since          - the number of seconds since the process has started;
-;   requests             - the number of requests the process has served;
-;   request duration     - the duration in µs of the requests;
-;   request method       - the request method (GET, POST, ...);
-;   request URI          - the request URI with the query string;
-;   content length       - the content length of the request (only with POST);
-;   user                 - the user (PHP_AUTH_USER) (or '-' if not set);
-;   script               - the main script called (or '-' if not set);
-;   last request cpu     - the %cpu the last request consumed
-;                          it's always 0 if the process is not in Idle state
-;                          because CPU calculation is done when the request
-;                          processing has terminated;
-;   last request memory  - the max amount of memory the last request consumed
-;                          it's always 0 if the process is not in Idle state
-;                          because memory calculation is done when the request
-;                          processing has terminated;
-; If the process is in Idle state, then informations are related to the
-; last request the process has served. Otherwise informations are related to
-; the current request being served.
-; Example output:
-;   ************************
-;   pid:                  31330
-;   state:                Running
-;   start time:           01/Jul/2011:17:53:49 +0200
-;   start since:          63087
-;   requests:             12808
-;   request duration:     1250261
-;   request method:       GET
-;   request URI:          /test_mem.php?N=10000
-;   content length:       0
-;   user:                 -
-;   script:               /home/fat/web/docs/php/test_mem.php
-;   last request cpu:     0.00
-;   last request memory:  0
-;
-; Note: There is a real-time FPM status monitoring sample web page available
-;       It's available in: /usr/share/php/7.2/fpm/status.html
-;
-; Note: The value must start with a leading slash (/). The value can be
-;       anything, but it may not be a good idea to use the .php extension or it
-;       may conflict with a real PHP file.
-; Default Value: not set
-;pm.status_path = /status
-
-; The ping URI to call the monitoring page of FPM. If this value is not set, no
-; URI will be recognized as a ping page. This could be used to test from outside
-; that FPM is alive and responding, or to
-; - create a graph of FPM availability (rrd or such);
-; - remove a server from a group if it is not responding (load balancing);
-; - trigger alerts for the operating team (24/7).
-; Note: The value must start with a leading slash (/). The value can be
-;       anything, but it may not be a good idea to use the .php extension or it
-;       may conflict with a real PHP file.
-; Default Value: not set
-;ping.path = /ping
-
-; This directive may be used to customize the response of a ping request. The
-; response is formatted as text/plain with a 200 response code.
-; Default Value: pong
-;ping.response = pong
-
-; The access log file
-; Default: not set
-;access.log = log/$pool.access.log
-
-; The access log format.
-; The following syntax is allowed
-;  %%: the '%' character
-;  %C: %CPU used by the request
-;      it can accept the following format:
-;      - %{user}C for user CPU only
-;      - %{system}C for system CPU only
-;      - %{total}C  for user + system CPU (default)
-;  %d: time taken to serve the request
-;      it can accept the following format:
-;      - %{seconds}d (default)
-;      - %{miliseconds}d
-;      - %{mili}d
-;      - %{microseconds}d
-;      - %{micro}d
-;  %e: an environment variable (same as $_ENV or $_SERVER)
-;      it must be associated with embraces to specify the name of the env
-;      variable. Some exemples:
-;      - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
-;      - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
-;  %f: script filename
-;  %l: content-length of the request (for POST request only)
-;  %m: request method
-;  %M: peak of memory allocated by PHP
-;      it can accept the following format:
-;      - %{bytes}M (default)
-;      - %{kilobytes}M
-;      - %{kilo}M
-;      - %{megabytes}M
-;      - %{mega}M
-;  %n: pool name
-;  %o: output header
-;      it must be associated with embraces to specify the name of the header:
-;      - %{Content-Type}o
-;      - %{X-Powered-By}o
-;      - %{Transfert-Encoding}o
-;      - ....
-;  %p: PID of the child that serviced the request
-;  %P: PID of the parent of the child that serviced the request
-;  %q: the query string
-;  %Q: the '?' character if query string exists
-;  %r: the request URI (without the query string, see %q and %Q)
-;  %R: remote IP address
-;  %s: status (response code)
-;  %t: server time the request was received
-;      it can accept a strftime(3) format:
-;      %d/%b/%Y:%H:%M:%S %z (default)
-;  %T: time the log has been written (the request has finished)
-;      it can accept a strftime(3) format:
-;      %d/%b/%Y:%H:%M:%S %z (default)
-;  %u: remote user
-;
-; Default: "%R - %u %t \"%m %r\" %s"
-;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
-
-; The log file for slow requests
-; Default Value: not set
-; Note: slowlog is mandatory if request_slowlog_timeout is set
-;slowlog = log/$pool.log.slow
-
-; The timeout for serving a single request after which a PHP backtrace will be
-; dumped to the 'slowlog' file. A value of '0s' means 'off'.
-; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
-; Default Value: 0
-;request_slowlog_timeout = 0
-
-; Depth of slow log stack trace.
-; Default Value: 20
-;request_slowlog_trace_depth = 20
-
-; The timeout for serving a single request after which the worker process will
-; be killed. This option should be used when the 'max_execution_time' ini option
-; does not stop script execution for some reason. A value of '0' means 'off'.
-; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
-; Default Value: 0
-;request_terminate_timeout = 0
-
-; Set open file descriptor rlimit.
-; Default Value: system defined value
-;rlimit_files = 1024
-
-; Set max core size rlimit.
-; Possible Values: 'unlimited' or an integer greater or equal to 0
-; Default Value: system defined value
-;rlimit_core = 0
-
-; Chroot to this directory at the start. This value must be defined as an
-; absolute path. When this value is not set, chroot is not used.
-; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
-; of its subdirectories. If the pool prefix is not set, the global prefix
-; will be used instead.
-; Note: chrooting is a great security feature and should be used whenever
-;       possible. However, all PHP paths will be relative to the chroot
-;       (error_log, sessions.save_path, ...).
-; Default Value: not set
-;chroot =
-
-; Chdir to this directory at the start.
-; Note: relative path can be used.
-; Default Value: current directory or / when chroot
-;chdir = /var/www
-
-; Redirect worker stdout and stderr into main error log. If not set, stdout and
-; stderr will be redirected to /dev/null according to FastCGI specs.
-; Note: on highloaded environement, this can cause some delay in the page
-; process time (several ms).
-; Default Value: no
-catch_workers_output = yes
-
-; Clear environment in FPM workers
-; Prevents arbitrary environment variables from reaching FPM worker processes
-; by clearing the environment in workers before env vars specified in this
-; pool configuration are added.
-; Setting to "no" will make all environment variables available to PHP code
-; via getenv(), $_ENV and $_SERVER.
-; Default Value: yes
-;clear_env = no
-
-; Limits the extensions of the main script FPM will allow to parse. This can
-; prevent configuration mistakes on the web server side. You should only limit
-; FPM to .php extensions to prevent malicious users to use other extensions to
-; execute php code.
-; Note: set an empty value to allow all extensions.
-; Default Value: .php
-;security.limit_extensions = .php .php3 .php4 .php5 .php7
-
-; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
-; the current environment.
-; Default Value: clean env
-;env[HOSTNAME] = $HOSTNAME
-;env[PATH] = /usr/local/bin:/usr/bin:/bin
-;env[TMP] = /tmp
-;env[TMPDIR] = /tmp
-;env[TEMP] = /tmp
-
-; Additional php.ini defines, specific to this pool of workers. These settings
-; overwrite the values previously defined in the php.ini. The directives are the
-; same as the PHP SAPI:
-;   php_value/php_flag             - you can set classic ini defines which can
-;                                    be overwritten from PHP call 'ini_set'.
-;   php_admin_value/php_admin_flag - these directives won't be overwritten by
-;                                     PHP call 'ini_set'
-; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
-
-; Defining 'extension' will load the corresponding shared extension from
-; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
-; overwrite previously defined php.ini values, but will append the new value
-; instead.
-
-; Note: path INI options can be relative and will be expanded with the prefix
-; (pool, global or /usr)
-
-; Default Value: nothing is defined by default except the values in php.ini and
-;                specified at startup with the -d argument
-;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
-;php_flag[display_errors] = off
-;php_admin_value[error_log] = /var/log/fpm-php.www.log
-;php_admin_flag[log_errors] = on
-;php_admin_value[memory_limit] = 32M

roles/php_fpm/defaults/main.yml

@@ -1,5 +1,5 @@
 ---
-# file: roles/php-fpm/defaults/main.yml
+# ansible.builtin.file: roles/php-fpm/defaults/main.yml
 
 # default is on, but turn it off because of protection in nginx vhosts
 cgi_fix_pathinfo: 0