roles: use ansible_facts["foo"] pattern

Instead of ansible_foo. Ansible recently started warning that this
is deprecated.

Pipfile

@@ -10,4 +10,4 @@ ansible = "*"
 ansible-lint = "*"
 
 [requires]
-python_version = "3.12"
+python_version = "3.13"

README.md

@@ -4,7 +4,7 @@ Ansible playbook for base and initial configuration of the web server hosting my
 ## Assumptions
 Before you can run this, a few things are assumed:
 
-- You have a clean, minimal Ubuntu 20.04 or Debian 11/12 host up and running
+- You have a clean, minimal Debian 12 host up and running
 - Python 3 is installed on the remote server (requirement of Ansible)
 - You have a user account with password-less SSH access to the machine
 - You have sudo privileges on the remote host

ansible.cfg

@@ -13,12 +13,6 @@ interpreter_python=auto
 # See: https://docs.ansible.com/ansible/latest/user_guide/connection_details.html#managing-host-key-checking
 host_key_checking = False
 
-ansible_managed = This file is managed by Ansible.%n
-  template: {file}
-  date: %Y-%m-%d %H:%M:%S
-  user: {uid}
-  host: {host}
-
 [privilege_escalation]
 # instead of using -K
 become_ask_pass=True

group_vars/all

@@ -3,4 +3,12 @@
 
 tls_cipher_suite: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
 
+ansible_managed: |-
+  This file is managed by Ansible.
+
+  {{ 'template: ' + template_path }}
+  {{ 'date: ' + (template_mtime | string) }}
+  {{ 'user: ' + template_uid }}
+  {{ 'host: ' + template_host }}
+
 # vim: set ts=2 sw=2:

group_vars/web

@@ -8,4 +8,7 @@ webserver: nginx
 extra_fail2ban_filters:
   - nginx
 
+# root prefix for all web servers
+web_root_prefix: /var/www
+
 # vim: set ts=2 sw=2:

host_vars/web22

@@ -1,138 +1,141 @@
 $ANSIBLE_VAULT;1.1;AES256
-62306563326366373066633666616634613536323861643835313830663066313030623337633665
-6365666338613131323039363363653130613338313230610a353565346637383638656432343665
-64326333643135303139633738653836363137313864616133353136303961616633346566333836
-3863343531643765330a336630623564636638623765373439353363363966626564316263633030
-30626639386465653362396433373064613664333938373431356539306338646236303834383532
-66356163313330613835353038303337333830356166396639383862336432343033346462303138
-38383030363061353032383930613164663339373566373233656639363765653636333536353365
-38316362633465663036373364376339623139636334656166636430363331636462373861363561
-33666661363231323031323565616664363636386531306165636130313130356431353664323737
-33386539353864383636306534376365393632316464633632313932356566636430313933356439
-38663634633337356165373332616630313436346633333135633434383130356537653230666332
-65613133643832326539306137623732373466353264626532333435636333333037623938396236
-38616631356134323765636261656162333234333537353238376364333937363361316664666131
-65323564346166643930316538313135643233313133373435656437323062306330326638326661
-35643337616464336133346132646234396438393562646365333638656539653736316461363537
-35383862343034323066393537396334366136343332376663626566373361653265313435326662
-35376636363739643837373263616337306234643162343633376163646332393238386236393831
-61306165613064383935313264343532353536656564313266663431373436633933646530656537
-61323465643939396637323138303662303730633133666236376435633663316135356136633962
-39356230663264373466626464666165636436343536373861613030303034333433306365326166
-31353538666666353331386263393430383437303462383663313938613735346233353363643133
-31303862636534343464383064626633323233303535313436626365323936383666343266363566
-61656636663237376439383365383562633366633230333131383861653032653862363934646632
-65326465373466393632613763643234303738633064303266653461663939316266653237363266
-64303139653031346335363137386332333734393039393233363433363836393330653431626136
-61386533393133613462646238383666323535623964633331373931326662373334333632366463
-39343937383863666338373231313964646364653334656534643238303064626566353234663834
-65356164353265396461323464393839613737643565366634613966333833346361356439346166
-39373761653661376331626166383162326435346361363664393862646239383237653130616238
-39343066636137393461336139646437306537323639343436386131653865616334363234653036
-39633934316366353834663736636639663738333737366630623037653764343566636364636531
-31363763646433353837326237323961353434386365663433306638663733393636663639396230
-65396236366633363131316161316461393964326366313239343633313136366265373361316663
-32646135343462613735336365303665393061336231353137303362386165616230636431363735
-64633462386535336162383365303936336132326665346439323637346636323662623833303966
-61373039343039653865333866613263633233613038373534653236373964323830396263346230
-33633337353563663037653864363862633866356536323032343336326537653261366564653536
-36393637316464383835343863343333613839396635633635343063383363343637643934373337
-35383739653866376265346634393932663130323233396465366635323733386337396634666661
-61623638343736626630353262316330666435316530626662396463336636633562383062346534
-37313637326534653965333362616135386339643863633539333530616663653766313433313462
-30393965643536356666346437333836653163313839366338373264343734383933613534353238
-61363834653239383563616135383836323761646239376339623730643634316236653737383134
-65643264306230303430376136613137386532343836363865626434663339613963616433383066
-33626630356134373336663938306134633736383366303736663238343034356130646235633039
-63643133393036336362346533613761613530323934326266633536373230346533333938633238
-39303564323537373934303064613738366333656333366435393731663937363230316163346461
-61356265356538303865623635656461626238336664396264653535643132336432623461393430
-61363264306662316233666137616662376238653338613266346134343231383731326632333130
-32313765366334313139636134386637653233656339303531643963316632313330646532376339
-37366562353461376436376132316264326565313736633938616232346634643539353133646438
-37316530663639616332653463326164373631333163386662346334393233333038333666666639
-37366464656133383634663132306536393564353365396138343335336562316535316438313534
-38663266383661306335656630316237313962353139343262616337303237376633313437356534
-39623932636633663635643132613330643331346637316264393935333062346562303366613765
-62653965303933323138663730373938323436363532346539386338386633666662383062383865
-64373730323639626538653962633736643534373963326566313135336530333463313336303037
-34323132373734626664366538306439663833643562333836333636346563373131643064393464
-64386635303436633538343961633331336334343463663165333964313565373933626337626631
-30376661323932303536643230303030616134633133316239656663626163623137613335653263
-39653338653038653832343964393537663935643965323332336531633237393862333439326534
-35656366343962333363633935396132303936336162656362383861663836613864653435346336
-64623566626139333438323562646639386632353139633464366331343132336365316338343066
-65623766343637616231316331376664616662373035623664343538666337326434356161653166
-34323431643532353461333633346561323937303437643732663765653666393165326535656634
-37303034326365666531633862303662386636663761613432653366346533356232323132323061
-34373032646137396663643832343663666533666262613933316666383165343465616464633035
-31343538383636656635326638343630363834343963326363633161316266303837326638313635
-34333665353833613634356137633262653665303065316265616332646231363039323030323832
-66633461636331386639306635343263386665663961396632653130616265313033363833343261
-30356439316430643463616533656330643862346334333238643734353035326633656264376666
-37313435356237343739396531303733613930333535613036313663633664616232613936663736
-38346539353866383365626536326535626665626563343039626663313430653135393736353866
-62343838653961366131393039663032336335636637383637633931396463363538663265323931
-31356334633764633366353366303036386365353762356664376234393864383232383339646437
-35666531663933646165303466356636653864333465313564383236333737313063353737326466
-34616430383164323361336333306435303636336465616137616638653362653632303034663236
-31373764613065663566656361656461393832323364336638323533663634356131363361393839
-32376562346632326138353937633065303861653437316632666364653462343539373134366135
-34353737623464313266653261613566343031396634393862383630316536303037316239653266
-36613031363064376566393166636366386330356635366338626366326461343733356363623238
-32336537363065373136646162383430663233333731613937643238343431376462313134316364
-38346236303838626538326164306262653732613366356539653437616133636565326561316662
-31653438343838366461336237313137653532383763643030306563346566646436356137653830
-38666231653165353562393361383363656439356130343336623831356431376266626333373636
-63623766393636336666643539313237636437333631643434623932313933353833633836396138
-36616165623966346364343165613537613963373333343035333730373030626534313831656236
-33613737356138323433303462323039316130636230356539366235333931353266393132633436
-32343235633634333562396133613332363462313461313565616230313738613030363963656631
-65383738353637373732353131306539353836323363616238356561633537336162396366623536
-39356639356464613562626463303939343263613932653630353235316136626464396433613365
-38333763346463616633323732643938356436373063316239363933313334656263636235636262
-38336239633763616337303038643663643365623031633664336530376132623466663537313665
-39333230376339633836383762656331376165343939646138623965666539313062373966343731
-66303465353532303864366136653031396132633635303933623265633238623737613064653064
-35623862323039663332316137366232313664633461363263626364623438643835613763313866
-64666438386262363335303636393934323830636263333262333530613032346337306562663138
-30646262666534663839636539316565623965373438613538653633356565646261383031313162
-30353065623334356264343139396464343830346638646137363665303330376439616330366634
-63313662333136333332666435653162663765666161623364393062326233306137356439313434
-39353561336437336430616236346433333866613238366165643734626433333835313862653836
-35313263663730616162373339303864326663663230306238306366346232373837636639346133
-33663031366566653938323139376639353963383864656638333062373365633937343663333562
-66313730333737336262656430626364326234373362336666326264363337643330623731306238
-31393539313430653661356432326633353532303330316433343135663066633732633139313464
-34343631626238376430306661626539363064303439613837643161353763336162303439653964
-33393834636338386362663438363834336437313162346635313836356436633564326639373338
-65343830663864343836376266313962383833626130326232616531636464623332323934316363
-62343139613630383636353463383938623466353639623464363665306438653066333136343232
-33613838616161326638333261393763373630356637353838363131326565336138626131653761
-62646264366231643936393235323465616430636338353832356432366533646565366131636230
-64303734376237363632363864656564326665353564643333356137396664343932386461333930
-61393761306134386337393831343361633938623262383861646662663430353364343134316563
-33366535353632356239326334393338376238313365356331633934353536353765366437666138
-63626136653762616636623937633866623332336634633262336535396362653335653739346132
-36616630303433303866393863643839313566643664343236383232393733306134626564343031
-34656436366537613861366433376635663030373039353437356139343364363664336665373663
-37306339303363663436653066383138623334643231353531333138393065663063666336343038
-66363033383834613037393366623831336438373962386566643761633834333635626466306232
-34396164343639396539373764333639623631636539636336633631356238663231323239623932
-62316536633363333637386162626537333831663161356361353964356633326336643562373138
-63663832343238666539353765303239653164376261653837366366366333313562646330363832
-39323861353432663264356635613861306164633030313662313637303131356436633436313066
-65376138386437363038663332623038343362616635393266643734316361373566616263383938
-38636237396164663339386437316631646666636364396439396465663364666536363733646336
-38633466616233613864393232323866393430646266326664333132646436346238313863373939
-33633034393063633962616138343066323462333339663463656165623238393263363137383836
-63316337313738626166333161373836396564323535363438333331656465633162393933346331
-64373764646637313264636637313166326231656333336261626461336330393462313934373066
-35643831626334663231366662333633326436656130313331303137383132393436373837653237
-36326139323135663066623630306666643561666238336432626435303865636261313864303862
-65353932323639323230343637393761386531663936386262313065363737313362306261356538
-65343735346238353064346636376232303833373637656431393338386262363736626464363862
-66646233333934363262346139653230636434623231613265616332383239646333363631333431
-65653466653331663137663265613137623934356235663033303164316234326364376130313834
-30353336323630366633626565616236393061333561636336653933623538333963373763313030
-3733
+65636230346264393938656566653961393466306338353435333061356463363836616435333731
+3537316534663335343333643435383663303438333433650a666133633965643939306661383536
+33626364316338306530393036653134373339653264616537623731323063646531383137333131
+6263363037613631360a343831393830646536326538363764643136613732636165316466316566
+65346162383337626631663533626230643061633139663661656365333738353530316661313864
+32373831396437386434313430666434363534656130613632643264393538663131336635653537
+61613065336133343130353862646130386136333231393962353064666335363330623064626631
+34333137363566313764343335646531326337616563366636316232633936333264373731653332
+66366361643261626563633838663061303762386234336133366233356564343562323965663731
+38326631333166643534313836323337663131313766306166333534336333613735643033326633
+39396335613362363230333863396535343464346437366632316336626539623865313239353539
+30643834633130333564666162623365323439396630333136616137633532363530623234376332
+66353539306637633432353231326666643261386466633533313063353061643761313132623035
+62653263636237666432336662633136653930323532623137386261333862623337326431336365
+36663364386364346631393031326434326334636166663739366435616166363130623463633733
+35383834326231363264623061303066326433613139333237656635643835393762313866356237
+62616435613863616161376666333966323030326531323261646436633233613635383438373834
+31343133326231636661353466396566656365396466343430613262316537623631376433633630
+62336664346363393363306163333662323338343139646238633830326535313034613739616138
+38313637333333383032316134316164363036396338306634633436633564306333336437393566
+61656337343030393936353364386461643766636564333864396130343762323630393839393463
+35343864393035333930313238663465663633633862623336663136626165666131383933626437
+31323936653737646231363036383764333335313762356465333635303334663734636531343331
+37386461643239363434373864373561353339343031346364383530663430393938333963333837
+63303966366364626665303530356433643264343861346238353937386338383034356633623231
+36663735386233396138306561326339626262326463336535646265666637383032396435333835
+31363266666230366438313432356637663632333530646263663563373137313262663937636532
+66633731333166386564386666363130633734643963653030386533393766623038383234646161
+36343135663231323030306430623535373534353835623339333738376362663930343436343637
+34383963306266623437323462356466336533643933653839366666393839626663353264326334
+32663461663561396631363533383334363361373764363132643435373537333839613066396463
+35386436326638353431363064626131306634363339653132396563356239653265303930333634
+32376332643863376237383966623233323864393338346537393865363661616338333631383532
+34373635316138663261633839333664353432666234306463306338653634633038373266646462
+32336534356537306366656236356663616336333031306431653239343132336234626165333032
+38303137666131363462363263333832356333616130346337663837376365346166306261373036
+63383236323738303562623631633064363564663861336162356262373861383965623935343931
+65663934623431363164356331353135633837616130363464353661663438323132363165343766
+31393633306261303762613537343034316535373731363365666530623361623630633137326466
+32326533313362333863383561343230626466303831623033613065363136396362373333306333
+32336464356364663564626234653832323265313364343631646633396362373438666165353962
+38396330333161356365626562383531323664636235643666613631636636323638376638396531
+38646531666164653161353932643662363261323564373537343731666232666532633063353431
+61386163363562313330393037656139303365396438313935306333656264373531373037303939
+63373962356233346164383163323532373163376364623766323933623063653939346537306338
+65353266656532636633326137356430666432333465626437633733356435363163626430303964
+39343935623937616130326637323061373538616633393465653266656666376661393635333662
+30363364653130356137393463613038663762396336306234363461396133306562323838336330
+63303735646132353766313137303162366164613530303966383636393934393035306264626465
+36613233376234633932663963623432663032656236323963353036356437383066373532323865
+36643431373966613533646164303564653336396535343366303339303134613936656137653939
+31333062623734613538333666636561386338306235633165386262383261333264623638383366
+34313266333636376337393736343062363539366235393136663561303663386438333834613539
+38623632656161653766363166653661336136653833336663616261663831656133666232633362
+31373166306134653162313134333432323134623336666632613766386662653831643732326330
+63643737333638626162646136373466613536653831663835616432343537323864343166316461
+34393732353930343430356231626636373763636561343430616533663861346566326262313232
+39623936366633363136353632346134643563383833376134363833336137613337326435613764
+37653232613632333334316162383261383836613936376230393633343336346633386539356232
+30316232373738363038356665366663623536626539376364303038643061386363636337386663
+61383634336530666163346239343838326138373932383339396265653764313039653138643938
+31613163653632656238376533363739346539623863623332653936643731623565613234663430
+39363935306330386634363634363233376234613837353765353732646638663830323335616234
+34366334636436633734333830306136333563666337623035653239313361626438316535313434
+37343930643832383136343737313365316238373638323130653766646637343464653134616137
+38313034383833626433326237633863313364353662326233636333333932633039396565356133
+64376166383064343239633364363861616136643061646636323437376162313438396230393331
+32633662323031666238643934646665303666383834336432363430363166356632353033336333
+64383861663563653531643832656238643066323564656134633639666234363363363132623836
+61386431643130333761376161646262346562363532353632633332343666393562313465303337
+31333732626164363464323531323239333963303333626466623966346361383832353765346565
+37303765363834376237636632386663373061346534643132636333623137366662646538306231
+33353538623231636166653838333264396463616437396264353537633661313932353133316438
+61323439363635383035316335363132383366613733383363306366356466333364633537393033
+66636434623962633063306236303831633637656430376533353436613934636466363461333562
+34613339373732343632343435333331353935303735633732656663643938663439656233613163
+65356232633865656439643430636332386663333761376638323630373930663837653638363963
+63656437323138633664613166353537306466666261353532326363346332343363343035386435
+33326238333730303539363265383761663862313961383030326263353034303866626661623334
+61623365373332366333376630626539343835663466666534636561643736646537646431386631
+36366132663830336234613065626262336564316339383038333330323237363665373935326438
+38646335346239316432636138633365373062663564326465643032633438306230363434323262
+34313932653361346261623030623739313665356464373666346361663430336362383063666134
+38323539653437623030333437373231646634333563306165393231653465313731633536323362
+65613262633563653031306139383436663834616339316164393365336437653730393331636464
+32313537313164386164313832396566353137376239303663656130383336336634313235376363
+63326530333339356432343938306465623636336161363133613864336339393635306234656263
+34343437336461303831393562653934633439336562663366643066393439396531653663386531
+65623061643064396534353364663633653331653535306133386466356236623239646432373066
+61313261366466663866613162323939646534653561356335393237376138633930663364636236
+36613834303338646530663565303438363831663865323531386635303239646464343936303832
+31323531363263333830623838666437636262306164386236643032356165323037656630383739
+65666333656639333263346465666463616534353835656337353464336134303732323037393538
+37366263656133643039373438636537343636663065646534616339303833666532396633616565
+38353139323739656564623065613364346164633863343738633163383031663531663365616534
+31663835323435643463666264623932396133336531626331303862356261306238326333366164
+66306262386137363432376530366432356432653333393833376532623333373337393830316263
+30326531613662313430663130613734663937613663353936346134356537393761373238393433
+37356136393731626561303430626339386531386333386536656465646232633934393630613339
+61333163613862346564316336353766346461626639303661353464633835626663313462613666
+33343561613662303036643937656431393432333831383461323631393262346464393539353537
+33633364383261663535323136393138333739356439663731636136393530323864333566323361
+62643961323264336662316661303630636430323838633535343036303437393439656637326566
+34363832366434316639393939313965633037653931323462363465643262653539623063326432
+36616434366432303235663062663138623336336165373734353838333662363239333762323932
+65393765326232373230666437656433373930643638386131363339343630636634636434326464
+39366339326263666239646237326534383665376536313536303263373265306537316161663262
+31346635346436313261626366333738333966643333313230623133313434373530366462653435
+33353434643635383833643736653461373765326537313430353164306566323733653237343632
+66346133656333303538306133313563393363313230323664303836323861346466343230343264
+36613934643662626365653036636136623630333638373565316437646232316263663433313762
+39353234333131623731643662303130626465386338353833393533646564646565623736343039
+38356635393461353166653565336535626366396532633961393334343234353764303431303663
+61666533633731663666346132383037646433336463643062396465383034346631346165323939
+33313937343338383737373164363930336236326432346465646166363430653932333932343236
+38336235613034386533613665393666633635383164646538373035623862343737353463623730
+33396233353331633463373538326365636231323535633737303562613262613730636237336632
+38626230313637336436623661666438666538333838356632653034303864313232623337306333
+66363464643061363337393732323065306335656531376337323438313733616539613538333837
+34363033666366613933343563303537613564356462313931353533323938656362393536386334
+38336237616335346334613534323130613861663239356363366564623933303737306138613535
+63643639323135663232336131643331343063363234336230653536623765323562393161663266
+32663839613564613636343166396463366665666333306239386338616366363236393931313439
+30386238316261323630633464386265353464333735336435646663656638316130333762666531
+38626463316165373434613436343335303633643965633230326534323761616365376630363039
+30336661313737383535343934366466353231396430353030653762383934666235646161653832
+31613565643031353535353234386665373636356362653337366563316630343838626231646462
+34623262343761373831303861313661666435373565386465336166306631376666643631303863
+37633934326262623737373266326631663932373863346466613133303961386466366336643235
+39303933333236626637663636633739343761393432616232643238663738313636346137316430
+34623238326430616134396166306339626261643032613661343763366138653830376463306461
+62366564393364306139633837646264633130383064383730393862633561303538363232663366
+30343633666632303530356637646337623339303236376164633962383839386265336666396436
+38616238656336343066333063393833623862646237323238393465633662393362353161313963
+63663539383630366536313933643565346162646363353035386666396363633635386564346666
+64336362633033346461353133396363646237613433306366333064626563656637383863323361
+31386262346631343565653836333764636366313330633462303533616531316537353538313031
+64366263666138356339373864383866303632366162633738383437323564313732373738373038
+39643862336136663165343736613730306339643237313361333438613438323439373966396138
+62323661383336396636

roles/caddy/defaults/main.yml

@@ -2,7 +2,7 @@
 # file: roles/caddy/defaults/main.yml
 
 # parent directory of vhost document roots
-caddy_root_prefix: /var/www
+caddy_root_prefix: "{{ web_root_prefix }}"
 
 # Email address to use for the ACME account managing the site's certificates.
 # Not sure what Caddy does if this doesn't exist.

roles/caddy/handlers/main.yml

@@ -3,7 +3,7 @@
 
 # I'm currently not sure when we need to restart versus reload
 - name: reload caddy
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: caddy
     state: reloaded
 

roles/caddy/tasks/main.yml

@@ -71,6 +71,7 @@
     mode: "0755"
     owner: root
     group: root
+  tags: caddy
 
 # TODO: the variable is still named nginx_vhosts
 - name: Configure Caddy virtual hosts

roles/caddy/templates/etc/caddy/conf.d/vhost.j2

@@ -8,6 +8,12 @@
 {% set needs_php      = item.needs_php | default(false) %}
 {% set has_gitea      = item.has_gitea | default(false) %}
 {% set static_site    = item.static_site | default(false) %}
+{# Allow sites to override the document root #}
+{% if item.document_root is defined %}
+{%   set document_root = item.document_root %}
+{% else %}
+{%   set document_root = (caddy_root_prefix, domain_name) | ansible.builtin.path_join %}
+{% endif %}
 
 {% if domain_aliases %}
 {#   domain_aliases is a string, so we split on space #}
@@ -21,15 +27,20 @@
 {{ domain_name }} {
     {% if has_gitea %}
     reverse_proxy :3000
-    {% endif %}
+    {% elif static_site -%}
+    root * {{ document_root }}
 
-    {% if static_site -%}
-    root * {{ item.document_root }}
-
-    encode zstd gzip
+    encode
 
     file_server
-    {% endif %}
+    {% elif has_wordpress -%}
+    root * {{ document_root }}
+    encode
+    {%   if ansible_facts["distribution_major_version"] is version('12', '==') -%}
+    php_fastcgi unix//run/php/php8.2-fpm-{{ domain_name }}.sock
+    {%   endif -%}
+    file_server
+    {% endif -%}
 
     import security-headers
 }

roles/common/defaults/main.yml

@@ -8,7 +8,7 @@ fail2ban_maxretry: 6
 fail2ban_findtime: 3600
 # 2 weeks in seconds
 fail2ban_bantime: 1209600
-fail2ban_ignoreip: 127.0.0.1/8 172.26.0.0/16 192.168.5.0/24
+fail2ban_ignoreip: 127.0.0.0/8
 
 # Disable SSH passwords. Must use SSH keys. This is OK because we add the keys
 # before re-configuring the SSH daemon to disable passwords.

roles/common/files/abuseipdb-ipv6.nft

@@ -1,5 +0,0 @@
-#!/usr/sbin/nft -f
-
-define ABUSEIPDB_IPV6 = {
-fd21:3523:74e0:7301::
-}

roles/common/files/aggregate-cidr-addresses.pl

@@ -1,89 +0,0 @@
-#!/usr/bin/perl
-#
-# aggregate-cidr-addresses - combine a list of CIDR address blocks
-# Copyright (C) 2001,2007 Mark Suter <suter@zwitterion.org>
-#
-# This program is free software: you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation, either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see L<http://www.gnu.org/licenses/>.
-#
-# [MJS 22 Oct 2001] Aggregate CIDR addresses
-# [MJS  9 Oct 2007] Overlap idea from Anthony Ledesma at theplanet dot com.
-# [MJS 16 Feb 2012] Prompted to clarify license by Alexander Talos-Zens - at at univie dot ac dot at
-# [MJS 21 Feb 2012] IPv6 fixes by Alexander Talos-Zens
-# [MJS 21 Feb 2012] Split ranges into prefixes (fixes a 10+ year old bug)
-
-use strict;
-use warnings;
-use English qw( -no_match_vars );
-use Net::IP;
-
-## Read in all the IP addresses
-my @addrs = map { Net::IP->new($_) or die "$PROGRAM_NAME: Not an IP: \"$_\"."; }
-    map { / \A \s* (.+?) \s* \Z /msix and $1; } <>;
-
-## Split any ranges into prefixes
-@addrs = map {
-    defined $_->prefixlen ? $_ : map { Net::IP->new($_) }
-        $_->find_prefixes
-} @addrs;
-
-## Sort the IP addresses
-@addrs = sort { $a->version <=> $b->version or $a->bincomp( 'lt', $b ) ? -1 : $a->bincomp( 'gt', $b ) ? 1 : 0 } @addrs;
-
-## Handle overlaps
-my $count   = 0;
-my $current = $addrs[0];
-foreach my $next ( @addrs[ 1 .. $#addrs ] ) {
-    my $r = $current->overlaps($next);
-    if ( $current->version != $next->version or $r == $IP_NO_OVERLAP ) {
-        $current = $next;
-        $count++;
-    }
-    elsif ( $r == $IP_A_IN_B_OVERLAP ) {
-        $current = $next;
-        splice @addrs, $count, 1;
-    }
-    elsif ( $r == $IP_B_IN_A_OVERLAP or $r == $IP_IDENTICAL ) {
-        splice @addrs, $count + 1, 1;
-    }
-    else {
-        die "$PROGRAM_NAME: internal error - overlaps() returned an unexpected value!\n";
-    }
-}
-
-## Keep aggregating until we don't change anything
-my $change = 1;
-while ($change) {
-    $change = 0;
-    my @new_addrs = ();
-    $current = $addrs[0];
-    foreach my $next ( @addrs[ 1 .. $#addrs ] ) {
-        if ( my $total = $current->aggregate($next) ) {
-            $current = $total;
-            $change  = 1;
-        }
-        else {
-            push @new_addrs, $current;
-            $current = $next;
-        }
-    }
-    push @new_addrs, $current;
-    @addrs = @new_addrs;
-}
-
-## Print out the IP addresses
-foreach (@addrs) {
-    print $_->prefix(), "\n";
-}
-
-# $Id: aggregate-cidr-addresses,v 1.9 2012/02/21 10:14:22 suter Exp suter $

roles/common/files/etc/cron-apt/3-download

@@ -1,2 +0,0 @@
-autoclean -y
-upgrade -y -o APT::Get::Show-Upgraded=true

roles/common/files/etc/cron-apt/config

@@ -1,5 +0,0 @@
-# Configuration for cron-apt. For further information about the possible
-# configuration settings see the README file.
-
-MAILON="never"
-OPTIONS="-o quiet=1 -o Dir::Etc::SourceList=/etc/apt/security.sources.list -o Dir::Etc::SourceParts=\"/dev/null\""

roles/common/files/etc/sudoers.d/provisioning

@@ -1 +0,0 @@
-provisioning   ALL=(ALL)  ALL

roles/common/files/firehol_level1-ipv4.nft

@@ -1,5 +1,5 @@
 #!/usr/sbin/nft -f
 
-define SPAMHAUS_IPV4 = {
+define FIREHOL_LEVEL1_IPV4 = {
 192.168.254.254/32
 }

roles/common/files/spamhaus-ipv6.nft

@@ -1,5 +0,0 @@
-#!/usr/sbin/nft -f
-
-define SPAMHAUS_IPV6 = {
-fd21:3523:74e0:7301::/64
-}

roles/common/files/update-abusech-nftables.service

@@ -1,27 +0,0 @@
-[Unit]
-Description=Update Abuse.ch SSL Blacklist IPs
-# This service will fail if nftables is not running so we use Requires to make
-# sure that nftables is started.
-Requires=nftables.service
-# Make sure the network is up and nftables is started
-After=network-online.target nftables.service
-Wants=network-online.target update-abusech-nftables.timer
-
-[Service]
-# https://www.ctrl.blog/entry/systemd-service-hardening.html
-# Doesn't need access to /home or /root
-ProtectHome=true
-# Possibly only works on Ubuntu 18.04+
-ProtectKernelTunables=true
-ProtectSystem=full
-# Newer systemd can use ReadWritePaths to list files, but this works everywhere
-ReadWriteDirectories=/etc/nftables
-PrivateTmp=true
-WorkingDirectory=/var/tmp
-
-SyslogIdentifier=update-abusech-nftables
-ExecStart=/usr/bin/flock -x update-abusech-nftables.lck \
-          /usr/local/bin/update-abusech-nftables.sh
-
-[Install]
-WantedBy=multi-user.target

roles/common/files/update-abusech-nftables.sh

@@ -1,63 +0,0 @@
-#!/usr/bin/env bash
-#
-# update-abuseipdb-nftables.sh v0.0.1
-#
-# Download IP addresses seen using a blacklisted SSL certificate and load them
-# into nftables sets. As of 2021-07-28 these appear to only be IPv4.
-# 
-# See: https://sslbl.abuse.ch/blacklist
-#
-# Copyright (C) 2021 Alan Orth
-#
-# SPDX-License-Identifier: GPL-3.0-only
-
-# Exit on first error
-set -o errexit
-
-abusech_ipv4_set_path=/etc/nftables/abusech-ipv4.nft
-abusech_list_temp=$(mktemp)
-
-echo "Downloading Abuse.sh SSL Blacklist IPs"
-
-abusech_response=$(curl -s -G -w "%{http_code}\n" https://sslbl.abuse.ch/blacklist/sslipblacklist.txt --output "$abusech_list_temp")
-
-if [[ $abusech_response -ne 200 ]]; then
-	echo "Abuse.ch responded: HTTP $abusech_response"
-
-	exit 1
-fi
-
-if [[ -f "$abusech_list_temp" ]]; then
-    echo "Processing IPv4 list"
-
-    abusech_ipv4_list_temp=$(mktemp)
-    abusech_ipv4_set_temp=$(mktemp)
-
-    # Remove comments, DOS carriage returns, and IPv6 addresses (even though
-    # Abuse.ch seems to only have IPv4 addresses, let's not break our shit on
-    # that assumption some time down the line).
-    sed -e '/#/d' -e 's/
-//' -e '/:/d' "$abusech_list_temp" > "$abusech_ipv4_list_temp"
-
-    echo "Building abusech-ipv4 set"
-    cat << NFT_HEAD > "$abusech_ipv4_set_temp"
-#!/usr/sbin/nft -f
-
-define ABUSECH_IPV4 = {
-NFT_HEAD
-
-    while read -r network; do
-        # nftables doesn't mind if the last element in the set has a trailing
-        # comma so we don't need to do anything special here.
-        echo "$network," >> "$abusech_ipv4_set_temp"
-    done < $abusech_ipv4_list_temp
-
-    echo "}" >> "$abusech_ipv4_set_temp"
-
-    install -m 0600 "$abusech_ipv4_set_temp" "$abusech_ipv4_set_path"
-
-    rm -f "$abusech_list_temp" "$abusech_ipv4_list_temp" "$abusech_ipv4_set_temp"
-fi
-
-echo "Reloading nftables"
-# The abusech nftables sets are included by nftables.conf

roles/common/files/update-abusech-nftables.timer

@@ -1,12 +0,0 @@
-[Unit]
-Description=Update Abuse.ch SSL Blacklist IPs
-
-[Timer]
-# Once a day at midnight
-OnCalendar=*-*-* 00:00:00
-# Add a random delay of 0–3600 seconds
-RandomizedDelaySec=3600
-Persistent=true
-
-[Install]
-WantedBy=timers.target

roles/common/files/update-firehol-nftables.service

@@ -0,0 +1,24 @@
+[Unit]
+Description=Update FireHOL lists
+# Make sure the network is up
+After=network-online.target
+Wants=network-online.target update-firehol-nftables.timer
+
+[Service]
+# https://www.ctrl.blog/entry/systemd-service-hardening.html
+# Doesn't need access to /home or /root
+ProtectHome=true
+# Possibly only works on Ubuntu 18.04+
+ProtectKernelTunables=true
+ProtectSystem=full
+# Newer systemd can use ReadWritePaths to list files, but this works everywhere
+ReadWriteDirectories=/etc/nftables
+PrivateTmp=true
+WorkingDirectory=/var/tmp
+
+SyslogIdentifier=update-firehol-nftables
+ExecStart=/usr/bin/flock -x update-firehol-nftables.lck \
+          /usr/local/bin/update-firehol-nftables.sh
+
+[Install]
+WantedBy=multi-user.target

roles/common/files/update-firehol-nftables.timer

@@ -1,5 +1,5 @@
 [Unit]
-Description=Update Spamhaus lists
+Description=Update FireHOL lists
 
 [Timer]
 # Once a day at midnight

roles/common/files/update-spamhaus-nftables.service

@@ -1,27 +0,0 @@
-[Unit]
-Description=Update Spamhaus lists
-# This service will fail if nftables is not running so we use Requires to make
-# sure that nftables is started.
-Requires=nftables.service
-# Make sure the network is up and nftables is started
-After=network-online.target nftables.service
-Wants=network-online.target update-spamhaus-nftables.timer
-
-[Service]
-# https://www.ctrl.blog/entry/systemd-service-hardening.html
-# Doesn't need access to /home or /root
-ProtectHome=true
-# Possibly only works on Ubuntu 18.04+
-ProtectKernelTunables=true
-ProtectSystem=full
-# Newer systemd can use ReadWritePaths to list files, but this works everywhere
-ReadWriteDirectories=/etc/nftables
-PrivateTmp=true
-WorkingDirectory=/var/tmp
-
-SyslogIdentifier=update-spamhaus-nftables
-ExecStart=/usr/bin/flock -x update-spamhaus-nftables.lck \
-          /usr/local/bin/update-spamhaus-nftables.sh
-
-[Install]
-WantedBy=multi-user.target

roles/common/files/update-spamhaus-nftables.sh

@@ -1,91 +0,0 @@
-#!/usr/bin/env bash
-#
-# update-spamhaus-nftables.sh v0.0.1
-#
-# Download Spamhaus DROP lists and load them into nftables sets.
-# 
-# See: https://www.spamhaus.org/drop/
-#
-# Copyright (C) 2021 Alan Orth
-#
-# SPDX-License-Identifier: GPL-3.0-only
-
-# Exit on first error
-set -o errexit
-
-spamhaus_ipv4_set_path=/etc/nftables/spamhaus-ipv4.nft
-spamhaus_ipv6_set_path=/etc/nftables/spamhaus-ipv6.nft
-
-function download() {
-    echo "Downloading $1"
-    wget -q -O - "https://www.spamhaus.org/drop/$1" > "$1"
-}
-
-download drop.txt
-download edrop.txt
-download dropv6.txt
-
-if [[ -f "drop.txt" && -f "edrop.txt" ]]; then
-    echo "Processing IPv4 DROP lists"
-
-    spamhaus_ipv4_list_temp=$(mktemp)
-    spamhaus_ipv4_set_temp=$(mktemp)
-
-    # Extract all networks from drop.txt and edrop.txt, skipping blank lines and
-    # comments. Use aggregate-cidr-addresses.pl to merge overlapping IPv4 CIDR
-    # ranges to work around a firewalld bug.
-    #
-    # See: https://bugzilla.redhat.com/show_bug.cgi?id=1836571
-    cat drop.txt edrop.txt | sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' | aggregate-cidr-addresses.pl > "$spamhaus_ipv4_list_temp"
-
-    echo "Building spamhaus-ipv4 set"
-    cat << NFT_HEAD > "$spamhaus_ipv4_set_temp"
-#!/usr/sbin/nft -f
-
-define SPAMHAUS_IPV4 = {
-NFT_HEAD
-
-    while read -r network; do
-        # nftables doesn't mind if the last element in the set has a trailing
-        # comma so we don't need to do anything special here.
-        echo "$network," >> "$spamhaus_ipv4_set_temp"
-    done < $spamhaus_ipv4_list_temp
-
-    echo "}" >> "$spamhaus_ipv4_set_temp"
-
-    install -m 0600 "$spamhaus_ipv4_set_temp" "$spamhaus_ipv4_set_path"
-
-    rm -f "$spamhaus_ipv4_list_temp" "$spamhaus_ipv4_set_temp"
-fi
-
-if [[ -f "dropv6.txt" ]]; then
-    echo "Processing IPv6 DROP lists"
-
-    spamhaus_ipv6_list_temp=$(mktemp)
-    spamhaus_ipv6_set_temp=$(mktemp)
-
-    sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' dropv6.txt > "$spamhaus_ipv6_list_temp"
-
-    echo "Building spamhaus-ipv6 set"
-    cat << NFT_HEAD > "$spamhaus_ipv6_set_temp"
-#!/usr/sbin/nft -f
-
-define SPAMHAUS_IPV6 = {
-NFT_HEAD
-
-    while read -r network; do
-        echo "$network," >> "$spamhaus_ipv6_set_temp"
-    done < $spamhaus_ipv6_list_temp
-
-    echo "}" >> "$spamhaus_ipv6_set_temp"
-
-    install -m 0600 "$spamhaus_ipv6_set_temp" "$spamhaus_ipv6_set_path"
-
-    rm -f "$spamhaus_ipv6_list_temp" "$spamhaus_ipv6_set_temp"
-fi
-
-echo "Reloading nftables"
-# The spamhaus nftables sets are included by nftables.conf
-/usr/sbin/nft -f /etc/nftables.conf
-
-rm -v drop.txt edrop.txt dropv6.txt

roles/common/handlers/main.yml

@@ -1,27 +1,27 @@
 ---
 # ansible.builtin.file: roles/common/handlers/main.yml
 
-- name: reload sshd
-  ansible.builtin.systemd:
+- name: Reload sshd
+  ansible.builtin.systemd_service:
     name: "{{ sshd_service_name }}"
     state: reloaded
 
-- name: reload sysctl
-  command: sysctl -p /etc/sysctl.conf
+- name: Reload sysctl
+  ansible.builtin.command: sysctl -p /etc/sysctl.conf
 
-- name: reload systemd
-  ansible.builtin.systemd:
+- name: Reload systemd
+  ansible.builtin.systemd_service:
     daemon_reload: true
 
-- name: restart nftables
-  ansible.builtin.systemd:
+- name: Restart nftables
+  ansible.builtin.systemd_service:
     name: nftables
     state: restarted
 
 # 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed
 # in the order they are defined, not in the order they are listed in the task's
 # notify statement and we must restart fail2ban after updating the firewall.
-- name: restart fail2ban
-  ansible.builtin.systemd:
+- name: Restart fail2ban
+  ansible.builtin.systemd_service:
     name: fail2ban
     state: restarted

roles/common/tasks/cron-apt.yml

@@ -1,11 +1,17 @@
 ---
-- name: Configure cron-apt (config)
-  ansible.builtin.copy: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode }} owner={{ item.owner }} group={{ item.group }}
-  loop:
-    - { src: etc/cron-apt/config, dest: /etc/cron-apt/config, mode: "0644", owner: root, group: root }
-    - { src: etc/cron-apt/3-download, dest: /etc/cron-apt/action.d/3-download, mode: "0644", owner: root, group: root }
+- name: Remove cron-apt
+  ansible.builtin.apt:
+    name: cron-apt
+    state: absent
+    cache_valid_time: 3600
 
-- name: Configure cron-apt (security)
-  ansible.builtin.template: src=security.sources.list.j2 dest=/etc/apt/security.sources.list mode=0644 owner=root group=root
+- name: Remove cron-apt configs
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: absent
+  loop:
+    - /etc/cron-apt/config
+    - /etc/cron-apt/action.d/3-download
+    - /etc/apt/security.sources.list
 
 # vim: set ts=2 sw=2:

roles/common/tasks/fail2ban.yml

@@ -1,8 +1,7 @@
 ---
 - name: Install fail2ban
-  when:
-    - ansible_distribution_major_version is version('11', '>=')
-  ansible.builtin.package:
+  when: ansible_facts["distribution_version"] is version('11', '>=')
+  ansible.builtin.apt:
     name:
       - fail2ban
       - python3-systemd
@@ -15,7 +14,7 @@
     dest: /etc/fail2ban/jail.d/sshd.local
     owner: root
     mode: "0644"
-  notify: restart fail2ban
+  notify: Restart fail2ban
 
 - name: Configure fail2ban nginx filter
   when:
@@ -27,7 +26,7 @@
     dest: /etc/fail2ban/jail.d/nginx.local
     owner: root
     mode: "0644"
-  notify: restart fail2ban
+  notify: Restart fail2ban
 
 - name: Create fail2ban service override directory
   ansible.builtin.file:
@@ -44,11 +43,11 @@
     owner: root
     mode: "0644"
   notify:
-    - reload systemd
-    - restart fail2ban
+    - Reload systemd
+    - Restart fail2ban
 
 - name: Start and enable fail2ban service
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: fail2ban
     state: started
     enabled: true

roles/common/tasks/firewall.yml

@@ -0,0 +1,25 @@
+---
+# Debian 11+ will use nftables directly, with no firewalld.
+
+- name: Install Debian firewall packages
+  when: ansible_facts["distribution_version"] is version('11', '>=')
+  ansible.builtin.apt:
+    name: nftables
+    state: present
+    cache_valid_time: 3600
+
+- name: Remove iptables on newer Debian
+  when: ansible_facts["distribution_version"] is version('11', '>=')
+  ansible.builtin.apt:
+    pkg: iptables
+    state: absent
+
+- name: Configure nftables
+  when: ansible_facts["distribution_version"] is version('11', '>=')
+  ansible.builtin.include_tasks: nftables.yml
+
+- name: Configure fail2ban
+  when: ansible_facts["distribution_version"] is version('9', '>=')
+  ansible.builtin.include_tasks: fail2ban.yml
+
+# vim: set sw=2 ts=2:

roles/common/tasks/firewall_Debian.yml

@@ -1,115 +0,0 @@
----
-# Debian 11+ will use nftables directly, with no firewalld.
-
-- block:
-    - name: Install Debian firewall packages
-      when: ansible_distribution_major_version is version('11', '>=')
-      ansible.builtin.package:
-        name:
-          - libnet-ip-perl # for aggregate-cidr-addresses.pl
-          - nftables
-          - curl # for nftables update scripts
-        state: present
-        cache_valid_time: 3600
-
-    - name: Remove iptables on newer Debian
-      when: ansible_distribution_major_version is version('11', '>=')
-      ansible.builtin.apt:
-        pkg: iptables
-        state: absent
-
-    - name: Copy nftables.conf
-      when: ansible_distribution_major_version is version('11', '>=')
-      ansible.builtin.template:
-        src: nftables.conf.j2
-        dest: /etc/nftables.conf
-        owner: root
-        mode: "0644"
-      notify:
-        - restart nftables
-        - restart fail2ban
-
-    - name: Create /etc/nftables extra config directory
-      when: ansible_distribution_major_version is version('11', '>=')
-      ansible.builtin.file:
-        path: /etc/nftables
-        state: directory
-        owner: root
-        mode: "0755"
-
-    - name: Copy extra nftables configuration files
-      when: ansible_distribution_major_version is version('11', '>=')
-      ansible.builtin.copy:
-        src: "{{ item.src }}"
-        dest: /etc/nftables/{{ item.src }}
-        owner: root
-        group: root
-        mode: "0644"
-        force: "{{ item.force }}"
-      loop:
-        - { src: spamhaus-ipv4.nft, force: "no" }
-        - { src: spamhaus-ipv6.nft, force: "no" }
-        - { src: abusech-ipv4.nft, force: "no" }
-        - { src: abuseipdb-ipv4.nft, force: "yes" }
-        - { src: abuseipdb-ipv6.nft, force: "yes" }
-      notify:
-        - restart nftables
-        - restart fail2ban
-
-    - name: Copy nftables update scripts
-      when: ansible_distribution_version is version('11', '>=')
-      ansible.builtin.copy:
-        src: "{{ item }}"
-        dest: /usr/local/bin/{{ item }}
-        mode: "0755"
-        owner: root
-        group: root
-      loop:
-        - update-spamhaus-nftables.sh
-        - aggregate-cidr-addresses.pl
-        - update-abusech-nftables.sh
-
-    - name: Copy nftables systemd units
-      when: ansible_distribution_version is version('11', '>=')
-      ansible.builtin.copy:
-        src: "{{ item }}"
-        dest: /etc/systemd/system/{{ item }}
-        mode: "0644"
-        owner: root
-        group: root
-      loop:
-        - update-spamhaus-nftables.service
-        - update-spamhaus-nftables.timer
-        - update-abusech-nftables.service
-        - update-abusech-nftables.timer
-      register: nftables_systemd_units
-
-    # need to reload to pick up service/timer/environment changes
-    - name: Reload systemd daemon
-      ansible.builtin.systemd:
-        daemon_reload: true
-      when: nftables_systemd_units is changed
-
-    - name: Start and enable nftables update timers
-      when: ansible_distribution_version is version('11', '>=')
-      ansible.builtin.systemd:
-        name: "{{ item }}"
-        state: started
-        enabled: true
-      loop:
-        - update-spamhaus-nftables.timer
-        - update-abusech-nftables.timer
-
-    - name: Start and enable nftables
-      when: ansible_distribution_major_version is version('11', '>=')
-      ansible.builtin.systemd:
-        name: nftables
-        state: started
-        enabled: true
-
-    - ansible.builtin.include_tasks: fail2ban.yml
-      when:
-        - ansible_distribution_major_version is version('9', '>=')
-  tags: firewall
-
-# vim: set sw=2 ts=2:

roles/common/tasks/firewall_Ubuntu.yml

@@ -1,114 +0,0 @@
----
-# Ubuntu 20.04 will use nftables directly, with no firewalld.
-
-- block:
-    - name: Install Ubuntu firewall packages
-      when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.package:
-        name:
-          - libnet-ip-perl # for aggregate-cidr-addresses.pl
-          - nftables
-          - curl # for nftables update scripts
-        state: present
-        cache_valid_time: 3600
-
-    - name: Remove ufw
-      ansible.builtin.package:
-        name: ufw
-        state: absent
-
-    - name: Copy nftables.conf
-      when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.template:
-        src: nftables.conf.j2
-        dest: /etc/nftables.conf
-        owner: root
-        mode: "0644"
-      notify:
-        - restart nftables
-        - restart fail2ban
-
-    - name: Create /etc/nftables extra config directory
-      when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.file:
-        path: /etc/nftables
-        state: directory
-        owner: root
-        mode: "0755"
-
-    - name: Copy extra nftables configuration files
-      when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.copy:
-        src: "{{ item.src }}"
-        dest: /etc/nftables/{{ item.src }}
-        owner: root
-        group: root
-        mode: "0644"
-        force: "{{ item.force }}"
-      loop:
-        - { src: spamhaus-ipv4.nft, force: "no" }
-        - { src: spamhaus-ipv6.nft, force: "no" }
-        - { src: abusech-ipv4.nft, force: "no" }
-        - { src: abuseipdb-ipv4.nft, force: "yes" }
-        - { src: abuseipdb-ipv6.nft, force: "yes" }
-      notify:
-        - restart nftables
-        - restart fail2ban
-
-    - name: Copy nftables update scripts
-      when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.copy:
-        src: "{{ item }}"
-        dest: /usr/local/bin/{{ item }}
-        mode: "0755"
-        owner: root
-        group: root
-      loop:
-        - update-spamhaus-nftables.sh
-        - aggregate-cidr-addresses.pl
-        - update-abusech-nftables.sh
-
-    - name: Copy nftables systemd units
-      when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.copy:
-        src: "{{ item }}"
-        dest: /etc/systemd/system/{{ item }}
-        mode: "0644"
-        owner: root
-        group: root
-      loop:
-        - update-spamhaus-nftables.service
-        - update-spamhaus-nftables.timer
-        - update-abusech-nftables.service
-        - update-abusech-nftables.timer
-      register: nftables_systemd_units
-
-    # need to reload to pick up service/timer/environment changes
-    - name: Reload systemd daemon
-      ansible.builtin.systemd:
-        daemon_reload: true
-      when: nftables_systemd_units is changed
-
-    - name: Start and enable nftables update timers
-      when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.systemd:
-        name: "{{ item }}"
-        state: started
-        enabled: true
-      loop:
-        - update-spamhaus-nftables.timer
-        - update-abusech-nftables.timer
-
-    - name: Start and enable nftables
-      when: ansible_distribution_version is version('20.04', '>=')
-      ansible.builtin.systemd:
-        name: nftables
-        state: started
-        enabled: true
-
-    - ansible.builtin.include_tasks: fail2ban.yml
-      when:
-        - ansible_distribution_version is version('16.04', '>=')
-  tags: firewall
-
-# vim: set sw=2 ts=2:

roles/common/tasks/main.yml

@@ -1,6 +1,6 @@
 ---
 - name: Import OS-specific variables
-  ansible.builtin.include_vars: vars/{{ ansible_distribution }}.yml
+  ansible.builtin.include_vars: vars/{{ ansible_facts["distribution"] }}.yml
   tags: always
 
 - name: Configure network time
@@ -8,23 +8,11 @@
   tags: ntp
 
 - name: Install common packages
-  ansible.builtin.include_tasks: packages_Debian.yml
-  when: ansible_distribution == 'Debian'
-  tags: packages
-
-- name: Install common packages
-  ansible.builtin.include_tasks: packages_Ubuntu.yml
-  when: ansible_distribution == 'Ubuntu'
+  ansible.builtin.include_tasks: packages.yml
   tags: packages
 
 - name: Configure firewall
-  ansible.builtin.include_tasks: firewall_Debian.yml
-  when: ansible_distribution == 'Debian'
-  tags: firewall
-
-- name: Configure firewall
-  ansible.builtin.include_tasks: firewall_Ubuntu.yml
-  when: ansible_distribution == 'Ubuntu'
+  ansible.builtin.import_tasks: firewall.yml
   tags: firewall
 
 - name: Configure secure shell daemon
@@ -33,14 +21,24 @@
 
 # containers identify as virtualization hosts, which makes this tricky, because we have actual Debian VM hosts!
 - name: Reconfigure /etc/sysctl.conf
-  when: ansible_virtualization_role != 'host'
-  ansible.builtin.template: src=sysctl_{{ ansible_distribution }}.j2 dest=/etc/sysctl.conf owner=root group=root mode=0644
+  when: ansible_facts["virtualization_role"] != 'host'
+  ansible.builtin.template:
+    src: "sysctl_{{ ansible_facts['distribution'] }}.j2"
+    dest: /etc/sysctl.conf
+    owner: root
+    group: root
+    mode: "0644"
   notify:
-    - reload sysctl
+    - Reload sysctl
   tags: sysctl
 
 - name: Set I/O scheduler
-  ansible.builtin.template: src=etc/udev/rules.d/60-scheduler.rules.j2 dest=/etc/udev/rules.d/60-scheduler.rules owner=root group=root mode=0644
+  ansible.builtin.template:
+    src: etc/udev/rules.d/60-scheduler.rules.j2
+    dest: /etc/udev/rules.d/60-scheduler.rules
+    owner: root
+    group: root
+    mode: "0644"
   tags: udev
 
 - name: Copy admin SSH keys

roles/common/tasks/nftables.yml

@@ -0,0 +1,69 @@
+---
+# Common nftables tasks for Debian 11 and Debian 12.
+
+- name: Copy nftables.conf
+  ansible.builtin.template:
+    src: nftables.conf.j2
+    dest: /etc/nftables.conf
+    owner: root
+    mode: "0644"
+  notify:
+    - Restart nftables
+
+- name: Create /etc/nftables extra config directory
+  ansible.builtin.file:
+    path: /etc/nftables
+    state: directory
+    owner: root
+    mode: "0755"
+
+- name: Copy extra nftables configuration files
+  ansible.builtin.copy:
+    src: firehol_level1-ipv4.nft
+    dest: /etc/nftables/firehol_level1-ipv4.nft
+    owner: root
+    group: root
+    mode: "0644"
+    force: false
+  notify:
+    - Restart nftables
+
+- name: Copy nftables update scripts
+  ansible.builtin.template:
+    src: update-firehol-nftables.sh.j2
+    dest: /usr/local/bin/update-firehol-nftables.sh
+    mode: "0755"
+    owner: root
+    group: root
+
+- name: Copy nftables systemd units
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: /etc/systemd/system/{{ item }}
+    mode: "0644"
+    owner: root
+    group: root
+  loop:
+    - update-firehol-nftables.service
+    - update-firehol-nftables.timer
+  register: nftables_systemd_units
+
+# need to reload to pick up service/timer/environment changes
+- name: Reload systemd daemon
+  when: nftables_systemd_units is changed
+  ansible.builtin.systemd_service: # noqa no-handler
+    daemon_reload: true
+
+- name: Start and enable nftables update timers
+  ansible.builtin.systemd_service:
+    name: update-firehol-nftables.timer
+    state: started
+    enabled: true
+
+- name: Start and enable nftables
+  ansible.builtin.systemd_service:
+    name: nftables
+    state: started
+    enabled: true
+
+# vim: set sw=2 ts=2:

roles/common/tasks/ntp.yml

@@ -1,27 +1,40 @@
 ---
-# Hosts running Ubuntu 16.04+ and Debian 9+ use systemd init system and should
-# use systemd-timesyncd as a network time client instead of the standalone ntp
-# client.
+# Hosts running Debian 9+ use systemd init system and can use systemd-timesyncd
+# as a network time client instead of the standalone ntp client.
 
 - name: Set timezone
-  when: timezone is defined and ansible_service_mgr == 'systemd'
-  command: /usr/bin/timedatectl set-timezone {{ timezone }}
+  when:
+    - timezone is defined
+    - ansible_facts["service_mgr"] == 'systemd'
+  community.general.timezone:
+    name: "{{ timezone }}"
   tags: timezone
 
 # Apparently some cloud images don't have this installed by default. From what
 # I can see on existing servers, systemd-timesyncd is a standalone package on
-# Ubuntu 20.04 and Debian 11.
+# Debian 11 and Debian 12.
 - name: Install systemd-timesyncd
-  when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version
-    is version('11', '>='))
-  ansible.builtin.apt: name=systemd-timesyncd state=present cache_valid_time=3600
+  when: ansible_facts["distribution_version"] is version('11', '>=')
+  ansible.builtin.apt:
+    name: systemd-timesyncd
+    state: present
+    cache_valid_time: 3600
 
 - name: Start and enable systemd's NTP client
-  when: ansible_service_mgr == 'systemd'
-  ansible.builtin.systemd: name=systemd-timesyncd state=started enabled=true
+  when: ansible_facts["service_mgr"] == 'systemd'
+  ansible.builtin.systemd_service:
+    name: systemd-timesyncd
+    state: started
+    enabled: true
 
-- name: Uninstall ntp on modern Ubuntu/Debian
-  ansible.builtin.apt: name=ntp state=absent
-  when: ansible_service_mgr == 'systemd'
+# On Debian 12 ntp doesn't conflict with systemd-timesyncd so we should try to
+# remove it to be sure.
+- name: Uninstall ntp on Debian 12
+  when:
+    - ansible_facts["service_mgr"] == 'systemd'
+    - ansible_facts["distribution_major_version"] is version('12', '==')
+  ansible.builtin.apt:
+    name: ntp
+    state: absent
 
 # vim: set ts=2 sw=2:

roles/common/tasks/packages.yml

@@ -1,19 +1,7 @@
 ---
 - name: Configure Debian packages
+  tags: packages
   block:
-    # Create directory for third-party package signing keys. Required on distros
-    # older than Debian 12 / Ubuntu 22.04.
-    #
-    # See: https://wiki.debian.org/DebianRepository/UseThirdParty
-    - name: Create /etc/apt/keyrings
-      file:
-        path: /etc/apt/keyrings
-        mode: "0755"
-        owner: root
-        group: root
-        state: directory
-      when: ansible_distribution_major_version is version('12', '<')
-
     # Scaleway seems to use a weird sources.list format as of Debian 12?
     - name: Check for weird Debian sources
       ansible.builtin.stat:
@@ -21,10 +9,15 @@
       register: weird_debian_sources_stat
 
     - name: Configure apt mirror
-      ansible.builtin.template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
       when:
-        - ansible_architecture != 'armv7l'
+        - ansible_facts["architecture"] != 'armv7l'
         - not weird_debian_sources_stat
+      ansible.builtin.template:
+        src: sources.list.j2
+        dest: /etc/apt/sources.list
+        owner: root
+        group: root
+        mode: "0644"
 
     - name: Set fact for base packages
       ansible.builtin.set_fact:
@@ -35,7 +28,6 @@
           - iotop
           - htop
           - strace
-          - cron-apt
           - safe-rm
           - debian-goodies
           - mosh
@@ -47,16 +39,19 @@
           - zstd
           - rsync
           - lsof
+          - unattended-upgrades
 
     - name: Install base packages
-      ansible.builtin.apt: name={{ base_packages }} state=present cache_valid_time=3600
+      ansible.builtin.apt:
+        name: "{{ base_packages }}"
+        state: present
+        cache_valid_time: 3600
 
-    - name: Configure cron-apt
-      ansible.builtin.import_tasks: cron-apt.yml
+    - name: Remove cron-apt
       tags: cron-apt
+      ansible.builtin.import_tasks: cron-apt.yml
 
     - name: Install tarsnap
       ansible.builtin.import_tasks: tarsnap.yml
-  tags: packages
 
 # vim: set sw=2 ts=2:

roles/common/tasks/packages_Ubuntu.yml

@@ -1,105 +0,0 @@
----
-- name: Configure Ubuntu packages
-  block:
-    # Create directory for third-party package signing keys. Required on distros
-    # older than Debian 12 / Ubuntu 22.04.
-    #
-    # See: https://wiki.debian.org/DebianRepository/UseThirdParty
-    - name: Create /etc/apt/keyrings
-      file:
-        path: /etc/apt/keyrings
-        mode: "0755"
-        owner: root
-        group: root
-        state: directory
-      when: ansible_distribution_major_version is version('22.04', '<')
-
-    - name: Configure apt mirror
-      ansible.builtin.template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
-      when: ansible_architecture != 'armv7l'
-
-    - name: Upgrade base OS
-      ansible.builtin.apt: upgrade=dist cache_valid_time=3600
-
-    - name: Set Ubuntu base packages
-      ansible.builtin.set_fact:
-        ubuntu_base_packages:
-          - git
-          - git-lfs
-          - tmux
-          - iotop
-          - htop
-          - strace
-          - cron-apt
-          - safe-rm
-          - debian-goodies
-          - mosh
-          - python-pycurl # for ansible's apt_repository
-          - vim
-          - unzip
-          - apt-transport-https # for https support in apt
-          - zstd
-          - rsync
-          - lsof
-
-    - name: Install base packages
-      ansible.builtin.apt: pkg={{ ubuntu_base_packages }} state=present cache_valid_time=3600
-
-    # We have to remove snaps one by one in a specific order because some depend
-    # on others. Only after that can we remove the corresponding system packages.
-    - name: Remove lxd snap
-      community.general.snap: name=lxd state=absent
-      when: ansible_distribution_version is version('20.04', '==')
-      ignore_errors: true
-
-    - name: Remove core18 snap
-      community.general.snap: name=core18 state=absent
-      when: ansible_distribution_version is version('20.04', '==')
-      ignore_errors: true
-
-    - name: Remove snapd snap
-      community.general.snap: name=snapd state=absent
-      when: ansible_distribution_version is version('20.04', '==')
-      ignore_errors: true
-
-    - name: Set fact for packages to remove (Ubuntu 20.04)
-      ansible.builtin.set_fact:
-        ubuntu_annoying_packages:
-          - whoopsie # security (CIS 4.1)
-          - apport # security (CIS 4.1)
-          - command-not-found # annoying
-          - command-not-found-data # annoying
-          - python3-commandnotfound # annoying
-          - snapd # annoying (Ubuntu >= 16.04)
-          - lxd-agent-loader # annoying (Ubuntu 20.04)
-      when: ansible_distribution_version is version('20.04', '==')
-
-    - name: Remove packages
-      ansible.builtin.apt: name={{ ubuntu_annoying_packages }} state=absent purge=true
-
-    - name: Disable annoying Canonical spam in MOTD
-      ansible.builtin.file: path={{ item }} mode=0644 state=absent
-      loop:
-        - /etc/update-motd.d/99-esm # Ubuntu 14.04
-        - /etc/update-motd.d/10-help-text # Ubuntu 14.04+
-        - /etc/update-motd.d/50-motd-news # Ubuntu 18.04+
-        - /etc/update-motd.d/80-esm # Ubuntu 18.04+
-        - /etc/update-motd.d/80-livepatch # Ubuntu 18.04+
-      ignore_errors: true
-
-    - name: Disable annoying Canonical spam in MOTD
-      ansible.builtin.systemd: name={{ item }} state=stopped enabled=no
-      when: ansible_service_mgr == 'systemd'
-      loop:
-        - motd-news.service
-        - motd-news.timer
-
-    - name: Configure cron-apt
-      ansible.builtin.import_tasks: cron-apt.yml
-      tags: cron-apt
-
-    - name: Install tarsnap
-      ansible.builtin.import_tasks: tarsnap.yml
-  tags: packages
-
-# vim: set sw=2 ts=2:

roles/common/tasks/ssh-keys.yml

@@ -1,9 +1,11 @@
 ---
 - name: Zero .ssh/authorized_keys for provisioning user
-  ansible.builtin.file: dest={{ provisioning_user.home }}/.ssh/authorized_keys state=absent
+  ansible.builtin.file:
+    dest: "{{ provisioning_user.home }}/.ssh/authorized_keys"
+    state: absent
 
 - name: Add public keys to authorized_keys
-  ansible.posix.authorized_key: { user: "{{ provisioning_user.name }}", key: "{{ lookup('file',item) }}" }
+  ansible.posix.authorized_key: { user: "{{ provisioning_user.name }}", key: "{{ lookup('file', item) }}" }
   with_fileglob:
     # use descriptive names for keys, like: aorth-mzito-rsa.pub
     - ssh-pub-keys/*.pub

roles/common/tasks/sshd.yml

@@ -1,17 +1,26 @@
 ---
-# SSH configs don't change in Debian minor versions
+# Only override the system sshd configuration on older Debian.
 - name: Reconfigure /etc/ssh/sshd_config
-  ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root
-    mode=0600
-  when: ansible_distribution == 'Debian'
-  notify: reload sshd
+  when: ansible_facts["distribution_version"] is version('12', '<=')
+  ansible.builtin.template:
+    src: "sshd_config_{{ ansible_facts['distribution'] }}-{{ ansible_facts['distribution_major_version'] }}.j2"
+    dest: /etc/ssh/sshd_config
+    owner: root
+    group: root
+    mode: "0600"
+  notify: Reload sshd
 
-# Ubuntu is the only distro we have where SSH version is very different from 14.04 -> 14.10,
-# ie with new ciphers supported etc.
-- name: Reconfigure /etc/ssh/sshd_config
-  ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
-  when: ansible_distribution == 'Ubuntu'
-  notify: reload sshd
+# Newer OpenSSH versions support including extra configuration. The includes
+# happen at the beginning of the file and the first value to be read is used.
+- name: Configure sshd_config.d overrides
+  when: ansible_facts["distribution_version"] is version('13', '>=')
+  ansible.builtin.template:
+    src: etc/ssh/sshd_config.d/01-{{ ansible_facts["distribution"] }}-{{ ansible_facts["distribution_major_version"] }}.conf.j2
+    dest: /etc/ssh/sshd_config.d/01-custom.conf
+    owner: root
+    group: root
+    mode: "0600"
+  notify: Reload sshd
 
 # See: WeakDH (2015): https://weakdh.org/sysadmin.html
 - name: Remove small Diffie-Hellman SSH moduli
@@ -24,28 +33,30 @@
       register: check_unsafe_moduli
 
     - name: Extract safe Diffie-Hellman SSH moduli
+      when: check_unsafe_moduli.stdout | length > 0
       ansible.builtin.shell:
         cmd: awk '$5 >= 3071' moduli > moduli.safe
         chdir: /etc/ssh
         creates: moduli.safe
-      when: check_unsafe_moduli.stdout | length > 0
       register: extract_safe_moduli
 
     - name: Replace unsafe Diffie-Hellman SSH moduli
+      when: extract_safe_moduli is changed
       ansible.builtin.command:
         cmd: mv moduli.safe moduli
         chdir: /etc/ssh
       register: replace_small_moduli
-      when: extract_safe_moduli is changed
-      notify: reload sshd
+      notify: Reload sshd
 
 - name: Remove DSA and ECDSA host keys
-  ansible.builtin.file: name=/etc/ssh/{{ item }} state=absent
+  ansible.builtin.file:
+    name: "/etc/ssh/{{ item }}"
+    state: absent
   loop:
     - ssh_host_dsa_key
     - ssh_host_dsa_key.pub
     - ssh_host_ecdsa_key
     - ssh_host_ecdsa_key.pub
-  notify: reload sshd
+  notify: Reload sshd
 
 # vim: set sw=2 ts=2:

roles/common/tasks/tarsnap.yml

@@ -5,6 +5,7 @@
   register: tarsnap_signing_key_stat
 
 - name: Download tarsnap apt signing key
+  when: not tarsnap_signing_key_stat.stat.exists
   ansible.builtin.get_url:
     url: https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc
     dest: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
@@ -12,9 +13,9 @@
     group: root
     mode: "0644"
   register: download_tarsnap_signing_key
-  when: not tarsnap_signing_key_stat.stat.exists
 
 - name: Add tarsnap.org repo
+  when: ansible_facts["architecture"] != 'armv7l'
   ansible.builtin.template:
     src: tarsnap_sources.list.j2
     dest: /etc/apt/sources.list.d/tarsnap.list
@@ -22,12 +23,11 @@
     group: root
     mode: "0644"
   register: add_tarsnap_apt_repository
-  when: ansible_architecture != 'armv7l'
 
 - name: Update apt cache
+  when: (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or add_tarsnap_apt_repository is changed
   ansible.builtin.apt: # noqa no-handler
     update_cache: true
-  when: (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or add_tarsnap_apt_repository is changed
 
 - name: Install tarsnap
   ansible.builtin.apt:

roles/common/templates/etc/ssh/sshd_config.d/01-Debian-13.conf.j2

@@ -0,0 +1,40 @@
+{{ ansible_managed | comment }}
+
+HostKey /etc/ssh/ssh_host_ed25519_key
+
+# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear
+# audit track of which key was using to log in.
+LogLevel VERBOSE
+
+MaxAuthTries 4
+
+AuthorizedKeysFile	.ssh/authorized_keys
+
+# To disable tunneled clear text passwords, change to no here!
+{% if ssh_password_authentication == 'disabled' %}
+PasswordAuthentication no
+{% else %}
+PasswordAuthentication yes
+{% endif %}
+
+X11Forwarding no
+
+# Based on the ssh-audit profile for Debian 13, but with but with all algos with
+# less than 256 bits removed, as NSA's Suite B removed them years ago and the
+# new (2018) CNSA suite is 256 bits and up.
+#
+# See: ssh-audit.py -P "Hardened Debian 13 (version 1)"
+# See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
+KexAlgorithms mlkem768x25519-sha256,sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com
+
+{% if ssh_allowed_users is defined and ssh_allowed_users %}
+AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
+{% endif %}
+
+PerSourcePenaltyExemptList {{ fail2ban_ignoreip | replace(" ", ",") }}
+
+# Mask to use for IPv4 and IPv6 respectively when applying network penalties.
+# The default is 32:128.
+PerSourceNetBlockSize 24:56

roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2

@@ -1,15 +1,19 @@
+[Unit]
+# If nftables is stopped or restarted, propagate to fail2ban as well
+PartOf=nftables.service
+
 [Service]
 PrivateDevices=yes
 PrivateTmp=yes
 ProtectHome=read-only
-{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %}
+{% if ansible_facts["distribution_version"] is version('11','>=') %}
 ProtectSystem=strict
 {% else %}
 {# Older systemd versions don't have ProtectSystem=strict #}
 ProtectSystem=full
 {% endif %}
 NoNewPrivileges=yes
-{% if (ansible_distribution == 'Ubuntu' and ansible_distribution_major_version is version('18','>=')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11','>=')) %}
+{% if ansible_facts["distribution_version"] is version('11','>=') %}
 ReadWritePaths=-/var/run/fail2ban
 ReadWritePaths=-/var/lib/fail2ban
 ReadWritePaths=-/var/log/fail2ban.log

roles/common/templates/nftables.conf.j2

@@ -5,47 +5,18 @@
 
 flush ruleset
 
-# Lists updated daily by update-spamhaus-nftables.sh
-include "/etc/nftables/spamhaus-ipv4.nft"
-include "/etc/nftables/spamhaus-ipv6.nft"
-
-# Lists updated monthly (manually)
-include "/etc/nftables/abuseipdb-ipv4.nft"
-include "/etc/nftables/abuseipdb-ipv6.nft"
-
-# Lists updated daily by update-abusech-nftables.sh
-include "/etc/nftables/abusech-ipv4.nft"
+# List updated daily by update-firehol-nftables.sh
+include "/etc/nftables/firehol_level1-ipv4.nft"
 
 # Notes:
 #   - tables hold chains, chains hold rules
 #   - inet is for both ipv4 and ipv6
 table inet filter {
-    set spamhaus-ipv4 {
+    set firehol_level1-ipv4 {
         type ipv4_addr
         # if the set contains prefixes we need to use the interval flag
         flags interval
-        elements = $SPAMHAUS_IPV4
-    }
-
-    set spamhaus-ipv6 {
-        type ipv6_addr
-        flags interval
-        elements = $SPAMHAUS_IPV6
-    }
-
-    set abusech-ipv4 {
-        type ipv4_addr
-        elements = $ABUSECH_IPV4
-    }
-
-    set abuseipdb-ipv4 {
-        type ipv4_addr
-        elements = $ABUSEIPDB_IPV4
-    }
-
-    set abuseipdb-ipv6 {
-        type ipv6_addr
-        elements = $ABUSEIPDB_IPV6
+        elements = $FIREHOL_LEVEL1_IPV4
     }
 
     chain input {
@@ -55,13 +26,7 @@ table inet filter {
 
         ct state invalid counter drop comment "Early drop of invalid connections"
 
-        ip saddr @spamhaus-ipv4 counter drop comment "Early drop of incoming packets matching spamhaus-ipv4 list"
-        ip6 saddr @spamhaus-ipv6 counter drop comment "Early drop of incoming packets matching spamhaus-ipv6 list"
-
-        ip saddr @abusech-ipv4 counter drop comment "Early drop of packets matching abusech-ipv4 list"
-
-        ip saddr @abuseipdb-ipv4 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv4 list"
-        ip6 saddr @abuseipdb-ipv6 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv6 list"
+        ip saddr @firehol_level1-ipv4 counter drop comment "Early drop of incoming packets matching firehol_level1-ipv4 list"
 
         iifname lo accept comment "Allow from loopback"
 
@@ -105,12 +70,6 @@ table inet filter {
     chain output {
         type filter hook output priority 0;
 
-        ip daddr @spamhaus-ipv4 counter drop comment "Drop outgoing packets matching spamhaus-ipv4 list"
-        ip6 daddr @spamhaus-ipv6 counter drop comment "Drop outgoing packets matching spamhaus-ipv6 list"
-
-        ip daddr @abusech-ipv4 counter drop comment "Drop outgoing packets matching abusech-ipv4 list"
-
-        ip daddr @abuseipdb-ipv4 counter drop comment "Drop outgoing packets matching abuseipdb-ipv4 list"
-        ip6 daddr @abuseipdb-ipv6 counter drop comment "Drop outgoing packets matching abuseipdb-ipv6 list"
+        ip daddr @firehol_level1-ipv4 counter drop comment "Drop outgoing packets matching firehol_level1-ipv4 list"
     }
 }

roles/common/templates/security.sources.list.j2

@@ -1,5 +0,0 @@
-{% if ansible_distribution == 'Ubuntu' %}
-deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security main restricted universe multiverse
-{% elif ansible_distribution == 'Debian' %}
-deb http://security.debian.org/debian-security {{ ansible_distribution_release }}/updates main contrib non-free
-{% endif %}

roles/common/templates/sources.list.j2

@@ -1,16 +1,6 @@
-{% if ansible_distribution == 'Ubuntu' %}
-{% set apt_mirror    = apt_mirror | default("ubuntu.mirror.ac.ke") %}
-
-deb http://{{ apt_mirror }}/ubuntu/ {{ ansible_distribution_release }} main restricted universe multiverse
-deb http://{{ apt_mirror }}/ubuntu/ {{ ansible_distribution_release }}-updates main restricted universe multiverse
-deb http://security.ubuntu.com/ubuntu/ {{ ansible_distribution_release }}-security main restricted universe multiverse
-
-{% else %}
 {% set apt_mirror    = apt_mirror | default('deb.debian.org') %}
 deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }} main contrib non-free
 
 deb http://security.debian.org/debian-security {{ ansible_distribution_release }}-security main contrib non-free
 
 deb http://{{ apt_mirror }}/debian/ {{ ansible_distribution_release }}-updates main contrib non-free
-
-{% endif %} {# ansible_distribution #}

roles/common/templates/sshd_config_Ubuntu-20.04.j2

@@ -1,143 +0,0 @@
-#	$OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
-
-# This is the sshd server system-wide configuration file.  See
-# sshd_config(5) for more information.
-
-# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
-
-# The strategy used for options in the default sshd_config shipped with
-# OpenSSH is to specify options with their default value where
-# possible, but leave them commented.  Uncommented options override the
-# default value.
-
-Include /etc/ssh/sshd_config.d/*.conf
-
-#Port 22
-#AddressFamily any
-#ListenAddress 0.0.0.0
-#ListenAddress ::
-
-#HostKey /etc/ssh/ssh_host_rsa_key
-HostKey /etc/ssh/ssh_host_ed25519_key
-
-# Ciphers and keying
-#RekeyLimit default none
-
-# Logging
-#SyslogFacility AUTH
-# LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
-LogLevel VERBOSE
-
-# Authentication:
-
-#LoginGraceTime 2m
-PermitRootLogin prohibit-password
-#StrictModes yes
-MaxAuthTries 4
-#MaxSessions 10
-
-#PubkeyAuthentication yes
-
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
-# but this is overridden so installations will only check .ssh/authorized_keys
-AuthorizedKeysFile	.ssh/authorized_keys
-
-#AuthorizedPrincipalsFile none
-
-#AuthorizedKeysCommand none
-#AuthorizedKeysCommandUser nobody
-
-# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
-#HostbasedAuthentication no
-# Change to yes if you don't trust ~/.ssh/known_hosts for
-# HostbasedAuthentication
-#IgnoreUserKnownHosts no
-# Don't read the user's ~/.rhosts and ~/.shosts files
-#IgnoreRhosts yes
-
-# To disable tunneled clear text passwords, change to no here!
-{% if ssh_password_authentication == 'disabled' %}
-PasswordAuthentication no
-{% else %}
-PasswordAuthentication yes
-{% endif %}
-#PermitEmptyPasswords no
-
-# Change to yes to enable challenge-response passwords (beware issues with
-# some PAM modules and threads)
-ChallengeResponseAuthentication no
-
-# Kerberos options
-#KerberosAuthentication no
-#KerberosOrLocalPasswd yes
-#KerberosTicketCleanup yes
-#KerberosGetAFSToken no
-
-# GSSAPI options
-#GSSAPIAuthentication no
-#GSSAPICleanupCredentials yes
-#GSSAPIStrictAcceptorCheck yes
-#GSSAPIKeyExchange no
-
-# Set this to 'yes' to enable PAM authentication, account processing,
-# and session processing. If this is enabled, PAM authentication will
-# be allowed through the ChallengeResponseAuthentication and
-# PasswordAuthentication.  Depending on your PAM configuration,
-# PAM authentication via ChallengeResponseAuthentication may bypass
-# the setting of "PermitRootLogin without-password".
-# If you just want the PAM account and session checks to run without
-# PAM authentication, then enable this but set PasswordAuthentication
-# and ChallengeResponseAuthentication to 'no'.
-UsePAM yes
-
-#AllowAgentForwarding yes
-#AllowTcpForwarding yes
-#GatewayPorts no
-X11Forwarding no
-#X11DisplayOffset 10
-#X11UseLocalhost yes
-#PermitTTY yes
-PrintMotd no
-#PrintLastLog yes
-#TCPKeepAlive yes
-#PermitUserEnvironment no
-#Compression delayed
-#ClientAliveInterval 0
-#ClientAliveCountMax 3
-#UseDNS no
-#PidFile /var/run/sshd.pid
-#MaxStartups 10:30:100
-#PermitTunnel no
-#ChrootDirectory none
-#VersionAddendum none
-
-# no default banner path
-#Banner none
-
-# Allow client to pass locale environment variables
-AcceptEnv LANG LC_*
-
-# override default of no subsystems
-Subsystem sftp	/usr/lib/openssh/sftp-server
-
-# Example of overriding settings on a per-user basis
-#Match User anoncvs
-#	X11Forwarding no
-#	AllowTcpForwarding no
-#	PermitTTY no
-#	ForceCommand cvs server
-
-# Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html
-# ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now
-# does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
-KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
-
-{% if ssh_allowed_users is defined and ssh_allowed_users %}
-# Is there a list of allowed users?
-# Is it populated? (An empty list is 'None', which evaluates as False in Python)
-# merge the items of a list into one string using a space as a separator
-# http://jinja.pocoo.org/docs/dev/templates/#join
-AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
-{% endif %}

roles/common/templates/sysctl_Debian.j2

@@ -90,7 +90,7 @@ net.ipv4.tcp_wmem = 4096 65536 16777216
 # increase the length of the processor input queue
 net.core.netdev_max_backlog = 30000
 {# kernels after 2.6.32 don't have buggy cubic #}
-{% if ansible_kernel < "2.6.33" %}
+{% if ansible_facts["kernel"] < "2.6.33" %}
 # recommended default congestion control is htcp
 net.ipv4.tcp_congestion_control=htcp
 {% endif %}
@@ -98,7 +98,7 @@ net.ipv4.tcp_congestion_control=htcp
 #net.ipv4.tcp_mtu_probing=1
 
 {# disable iptables on bridge interfaces on VM hosts #}
-{% if ansible_virtualization_role == "host" %}
+{% if ansible_facts["virtualization_role"] == "host" %}
 net.bridge.bridge-nf-call-ip6tables = 0
 net.bridge.bridge-nf-call-iptables = 0
 net.bridge.bridge-nf-call-arptables = 0

roles/common/templates/sysctl_Ubuntu.j2

@@ -1,100 +0,0 @@
-#
-# /etc/sysctl.conf - Configuration file for setting system variables
-# See /etc/sysctl.d/ for additional system variables
-# See sysctl.conf (5) for information.
-#
-
-#kernel.domainname = example.com
-
-# Uncomment the following to stop low-level messages on console
-#kernel.printk = 3 4 1 3
-
-##############################################################3
-# Functions previously found in netbase
-#
-
-# Uncomment the next two lines to enable Spoof protection (reverse-path filter)
-# Turn on Source Address Verification in all interfaces to
-# prevent some spoofing attacks
-#net.ipv4.conf.default.rp_filter=1
-#net.ipv4.conf.all.rp_filter=1
-
-# Uncomment the next line to enable TCP/IP SYN cookies
-# See http://lwn.net/Articles/277146/
-# Note: This may impact IPv6 TCP sessions too
-#net.ipv4.tcp_syncookies=1
-
-# Uncomment the next line to enable packet forwarding for IPv4
-#net.ipv4.ip_forward=1
-
-# Uncomment the next line to enable packet forwarding for IPv6
-#  Enabling this option disables Stateless Address Autoconfiguration
-#  based on Router Advertisements for this host
-#net.ipv6.conf.all.forwarding=1
-
-
-###################################################################
-# Additional settings - these settings can improve the network
-# security of the host and prevent against some network attacks
-# including spoofing attacks and man in the middle attacks through
-# redirection. Some network environments, however, require that these
-# settings are disabled so review and enable them as needed.
-#
-# Do not accept ICMP redirects (prevent MITM attacks)
-#net.ipv4.conf.all.accept_redirects = 0
-#net.ipv6.conf.all.accept_redirects = 0
-# _or_
-# Accept ICMP redirects only for gateways listed in our default
-# gateway list (enabled by default)
-# net.ipv4.conf.all.secure_redirects = 1
-#
-# Do not send ICMP redirects (we are not a router)
-#net.ipv4.conf.all.send_redirects = 0
-#
-# Do not accept IP source route packets (we are not a router)
-#net.ipv4.conf.all.accept_source_route = 0
-#net.ipv6.conf.all.accept_source_route = 0
-#
-# Log Martian Packets
-#net.ipv4.conf.all.log_martians = 1
-#
-
-# CIS Benchmark Adjustments
-# See: https://github.com/alanorth/securekickstarts
-kernel.randomize_va_space = 2 
-net.ipv4.ip_forward = 0 
-net.ipv4.conf.all.send_redirects = 0 
-net.ipv4.conf.default.send_redirects = 0 
-net.ipv4.conf.all.accept_source_route = 0 
-net.ipv4.conf.default.accept_source_route = 0 
-net.ipv4.conf.all.accept_redirects = 0 
-net.ipv4.conf.default.accept_redirects = 0 
-net.ipv4.conf.all.secure_redirects = 0 
-net.ipv4.conf.default.secure_redirects = 0 
-net.ipv4.conf.all.log_martians = 1 
-net.ipv4.conf.default.log_martians = 1 
-net.ipv4.icmp_echo_ignore_broadcasts = 1 
-net.ipv4.icmp_ignore_bogus_error_responses = 1 
-net.ipv4.conf.all.rp_filter = 1 
-net.ipv4.conf.default.rp_filter = 1 
-net.ipv4.tcp_syncookies = 1
-
-# TCP stuff
-# See: http://fasterdata.es.net/host-tuning/linux/
-# increase TCP max buffer size settable using setsockopt()
-net.core.rmem_max = 16777216 
-net.core.wmem_max = 16777216 
-# increase Linux autotuning TCP buffer limit 
-net.ipv4.tcp_rmem = 4096 87380 16777216
-net.ipv4.tcp_wmem = 4096 65536 16777216
-# increase the length of the processor input queue
-net.core.netdev_max_backlog = 30000
-# recommended for hosts with jumbo frames enabled
-#net.ipv4.tcp_mtu_probing=1
-
-# increase quadruplets (src ip, src port, dest ip, dest port)
-# see: http://vincent.bernat.im/en/blog/2014-tcp-time-wait-state-linux.html
-net.ipv4.ip_local_port_range = 10240 65535
-# recommended for web servers, especially if running SPDY
-# see: http://www.chromium.org/spdy/spdy-best-practices
-net.ipv4.tcp_slow_start_after_idle = 0

roles/common/templates/tarsnap_sources.list.j2

@@ -1 +1 @@
-deb [arch=amd64 signed-by=/etc/apt/keyrings/tarsnap-deb-packaging-key.asc] https://pkg.tarsnap.com/deb/{{ ansible_distribution_release }} ./
+deb [arch=amd64 signed-by=/etc/apt/keyrings/tarsnap-deb-packaging-key.asc] https://pkg.tarsnap.com/deb/{{ ansible_facts["distribution_release"] }} ./

roles/common/templates/update-firehol-nftables.sh.j2

@@ -0,0 +1,65 @@
+#!/usr/bin/env bash
+#
+# update-firehol-nftables.sh v0.0.1
+#
+# Download FireHOL lists and load them into nftables sets.
+# 
+# See: https://iplists.firehol.org/
+#
+# Copyright (C) 2025 Alan Orth
+#
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Exit on first error
+set -o errexit
+
+firehol_level1_ipv4_set_path=/etc/nftables/firehol_level1-ipv4.nft
+
+function download() {
+    echo "Downloading $1"
+    wget -q -O - "https://iplists.firehol.org/files/$1" > "$1"
+}
+
+download firehol_level1.netset
+
+if [[ -f "firehol_level1.netset" ]]; then
+    echo "Processing FireHOL Level 1 list"
+
+    firehol_level1_ipv4_list_temp=$(mktemp)
+    firehol_level1_ipv4_set_temp=$(mktemp)
+
+    # Filter blank lines, comments, and bogons we use inside the LAN, DMZ, and
+    # for local services like systemd-resolved and others on localhost. Ideally
+    # these are blocked already at the WAN side by network administrators.
+    cat firehol_level1.netset \
+        | sed \
+            -e '/^$/d' \
+            -e '/^#.*/d' \
+            -e '/^127\.0\.0\.0\/8/d' \
+        > "$firehol_level1_ipv4_list_temp"
+
+    echo "Building firehol_level1-ipv4 set"
+    cat << NFT_HEAD > "$firehol_level1_ipv4_set_temp"
+#!/usr/sbin/nft -f
+
+define FIREHOL_LEVEL1_IPV4 = {
+NFT_HEAD
+
+    while read -r network; do
+        # nftables doesn't mind if the last element in the set has a trailing
+        # comma so we don't need to do anything special here.
+        echo "$network," >> "$firehol_level1_ipv4_set_temp"
+    done < $firehol_level1_ipv4_list_temp
+
+    echo "}" >> "$firehol_level1_ipv4_set_temp"
+
+    install -m 0600 "$firehol_level1_ipv4_set_temp" "$firehol_level1_ipv4_set_path"
+
+    rm -f "$firehol_level1_ipv4_list_temp" "$firehol_level1_ipv4_set_temp"
+fi
+
+echo "Restarting nftables"
+
+/usr/bin/systemctl restart nftables.service
+
+rm -v firehol_level1.netset

roles/mariadb/defaults/main.yml

@@ -1,15 +1,4 @@
 ---
-# ansible.builtin.file: roles/mariadb/defaults/main.yml
-#
-# Based on my running of mysqltuner.pl on a host with three WordPress databases
-#
-
-# default is 128MB but is a waste because it seems only the mysql table uses it
-key_buffer_size: 8M
-
-# default is 128MB but is a waste because it seems only information_schema uses
-# AriaDB, see: https://mariadb.com/kb/en/mariadb/aria-system-variables
-aria_pagecache_buffer_size: 8M
 
 # default is 128M, but set to at least the size of your InnoDB data
 innodb_buffer_pool_size: 256M
@@ -22,10 +11,6 @@ mariadb_login_unix_socket: /run/mysqld/mysqld.sock
 # default is 100 but the max I've seen used is 5, so let's reduce it
 max_connections: 33
 
-# disable the query cache by default
-query_cache_size: 0
-query_cache_type: 0
-
 # mysqltuner says we should use larger than 32M on our setup
 tmp_table_size: 64M
 max_heap_table_size: 64M

roles/mariadb/handlers/main.yml

@@ -1,5 +1,7 @@
 ---
 - name: restart mariadb
-  ansible.builtin.systemd: name=mariadb state=restarted
+  ansible.builtin.systemd_service:
+    name: mariadb
+    state: restarted
 
 # vim: set ts=2 sw=2:

roles/mariadb/tasks/main.yml

@@ -1,52 +1,4 @@
 ---
-- name: Remove MariaDB key from apt-key
-  ansible.builtin.apt_key:
-    id: "013577200103762554506315430003013705453362230723150730"
-    state: absent
-  tags:
-    - packages
-    - mariadb
-
-- name: Check MariaDB package signing key
-  ansible.builtin.stat:
-    path: /etc/apt/keyrings/mariadb_release_signing_key.asc
-  register: mariadb_signing_key_stat
-  tags:
-    - packages
-    - mariadb
-
-- name: Download MariaDB package signing key
-  ansible.builtin.get_url:
-    url: https://mariadb.org/mariadb_release_signing_key.asc
-    dest: /etc/apt/keyrings/mariadb_release_signing_key.asc
-    owner: root
-    group: root
-    mode: "0644"
-  register: download_mariadb_signing_key
-  when: not mariadb_signing_key_stat.stat.exists
-  tags:
-    - packages
-    - mariadb
-
-- name: Add MariaDB 10.11 repo
-  ansible.builtin.apt_repository:
-    repo: deb [arch=amd64 signed-by=/etc/apt/keyrings/mariadb_release_signing_key.asc] https://dlm.mariadb.com/repo/mariadb-server/10.11/repo/debian {{ ansible_distribution_release
-      }} main
-    filename: mariadb
-    state: present
-  register: add_mariadb_apt_repository
-  tags:
-    - packages
-    - mariadb
-
-- name: Update apt cache
-  ansible.builtin.apt: # noqa no-handler
-    update_cache: true
-  when: (download_mariadb_signing_key.status_code is defined and download_mariadb_signing_key.status_code == 200) or add_mariadb_apt_repository is changed
-  tags:
-    - packages
-    - mariadb
-
 - name: Install mariadb-server
   ansible.builtin.apt:
     name: [mariadb-server, python3-pymysql]
@@ -54,10 +6,10 @@
     cache_valid_time: 3600
   tags: mariadb, packages
 
-- name: Create system my.cnf
+- name: Add MariaDB configuration overrides
   ansible.builtin.template:
-    src: my.cnf.j2
-    dest: /etc/mysql/my.cnf
+    src: 70-local.cnf.j2
+    dest: /etc/mysql/mariadb.conf.d/70-local.cnf
     owner: root
     group: root
     mode: "0644"
@@ -87,16 +39,17 @@
 
 # See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_db_module.html
 - name: Create MariaDB database(s)
+  when: mariadb_databases is defined
   community.mysql.mysql_db:
     db: "{{ item.name }}"
     state: present
     encoding: utf8mb4
     login_unix_socket: "{{ mariadb_login_unix_socket }}"
   loop: "{{ mariadb_databases }}"
-  when: mariadb_databases is defined
   tags: mariadb
 
 - name: Create MariaDB user(s)
+  when: mariadb_databases is defined
   community.mysql.mysql_user:
     name: "{{ item.user }}"
     password: "{{ item.pass }}"
@@ -105,7 +58,6 @@
     state: present
     login_unix_socket: "{{ mariadb_login_unix_socket }}"
   loop: "{{ mariadb_databases }}"
-  when: mariadb_databases is defined
   tags: mariadb
 
 # vim: set ts=2 sw=2:

roles/mariadb/templates/70-local.cnf.j2

@@ -0,0 +1,10 @@
+{{ ansible_managed | comment }}
+
+[mysqld]
+# don't resolve connection IPs to hostnames (make sure user accounts are using
+# IPs instead of "localhost")
+skip-name-resolve=1
+max_connections		= {{ max_connections }}
+tmp_table_size		= {{ tmp_table_size }}
+max_heap_table_size	= {{ max_heap_table_size }}
+innodb_buffer_pool_size	= {{ innodb_buffer_pool_size }}

roles/mariadb/templates/my.cnf.j2

@@ -1,196 +0,0 @@
-{{ ansible_managed | comment }}
-
-# MariaDB database server configuration file.
-#
-# You can copy this file to one of:
-# - "/etc/mysql/my.cnf" to set global options,
-# - "~/.my.cnf" to set user-specific options.
-# 
-# One can use all long options that the program supports.
-# Run program with --help to get a list of available options and with
-# --print-defaults to see which it would actually understand and use.
-#
-# For explanations see
-# http://dev.mysql.com/doc/mysql/en/server-system-variables.html
-
-# This will be passed to all mysql clients
-# It has been reported that passwords should be enclosed with ticks/quotes
-# escpecially if they contain "#" chars...
-# Remember to edit /etc/mysql/debian.cnf when changing the socket location.
-[client]
-port		= 3306
-socket		= /run/mysqld/mysqld.sock
-
-# Here is entries for some specific programs
-# The following values assume you have at least 32M ram
-
-# This was formally known as [safe_mysqld]. Both versions are currently parsed.
-[mysqld_safe]
-socket		= /run/mysqld/mysqld.sock
-nice		= 0
-
-[mysqld]
-#
-# * Basic Settings
-#
-user		= mysql
-pid-file	= /run/mysqld/mysqld.pid
-socket		= /run/mysqld/mysqld.sock
-port		= 3306
-basedir		= /usr
-datadir		= /var/lib/mysql
-tmpdir		= /tmp
-lc_messages_dir	= /usr/share/mysql
-lc_messages	= en_US
-skip-external-locking
-#
-# Instead of skip-networking the default is now to listen only on
-# localhost which is more compatible and is not less secure.
-bind-address		= 127.0.0.1
-
-# don't resolve connection IPs to hostnames (make sure user accounts are using
-# IPs instead of "localhost")
-skip-name-resolve=1
-#
-# * Fine Tuning
-#
-max_connections		= {{ max_connections }}
-connect_timeout		= 5
-wait_timeout		= 600
-max_allowed_packet	= 16M
-thread_cache_size       = 128
-sort_buffer_size	= 4M
-bulk_insert_buffer_size	= 16M
-tmp_table_size		= {{ tmp_table_size }}
-max_heap_table_size	= {{ max_heap_table_size }}
-#
-# * MyISAM
-#
-# This replaces the startup script and checks MyISAM tables if needed
-# the first time they are touched. On error, make copy and try a repair.
-myisam_recover_options = BACKUP
-key_buffer_size		= {{ key_buffer_size }}
-#open-files-limit	= 2000
-table_open_cache	= 400
-myisam_sort_buffer_size	= 512M
-concurrent_insert	= 2
-read_buffer_size	= 2M
-read_rnd_buffer_size	= 1M
-#
-# * Query Cache Configuration
-#
-query_cache_limit		= 128K
-query_cache_size		= {{ query_cache_size }}
-query_cache_type		= {{ query_cache_type }}
-#
-# * Logging and Replication
-#
-# Both location gets rotated by the cronjob.
-# Be aware that this log type is a performance killer.
-# As of 5.1 you can enable the log at runtime!
-#general_log_file        = /var/log/mysql/mysql.log
-#general_log             = 1
-#
-# Error logging goes to syslog due to /etc/mysql/conf.d/mysqld_safe_syslog.cnf.
-#
-# we do want to know about network errors and such
-log_warnings		= 2
-#
-# Enable the slow query log to see queries with especially long duration
-#slow_query_log[={0|1}]
-slow_query_log_file	= /var/log/mysql/mariadb-slow.log
-long_query_time = 10
-#log_slow_rate_limit	= 1000
-log_slow_verbosity	= query_plan
-
-#log-queries-not-using-indexes
-#log_slow_admin_statements
-#
-# The following can be used as easy to replay backup logs or for replication.
-# note: if you are setting up a replication slave, see README.Debian about
-#       other settings you may need to change.
-#server-id		= 1
-#report_host		= master1
-#auto_increment_increment = 2
-#auto_increment_offset	= 1
-log_bin			= /var/log/mysql/mariadb-bin
-log_bin_index		= /var/log/mysql/mariadb-bin.index
-# not fab for performance, but safer
-#sync_binlog		= 1
-expire_logs_days	= 10
-max_binlog_size         = 100M
-# slaves
-#relay_log		= /var/log/mysql/relay-bin
-#relay_log_index	= /var/log/mysql/relay-bin.index
-#relay_log_info_file	= /var/log/mysql/relay-bin.info
-#log_slave_updates
-#read_only
-#
-# If applications support it, this stricter sql_mode prevents some
-# mistakes like inserting invalid dates etc.
-#sql_mode		= NO_ENGINE_SUBSTITUTION,TRADITIONAL
-#
-# * InnoDB
-#
-# InnoDB is enabled by default with a 10MB datafile in /var/lib/mysql/.
-# Read the manual for more InnoDB related options. There are many!
-default_storage_engine	= InnoDB
-# you can't just change log file size, requires special procedure
-#innodb_log_file_size	= 50M
-innodb_buffer_pool_size	= {{ innodb_buffer_pool_size }}
-innodb_log_buffer_size	= 8M
-innodb_file_per_table	= 1
-innodb_open_files	= 400
-innodb_io_capacity	= 400
-innodb_flush_method	= O_DIRECT
-
-aria_pagecache_buffer_size = {{ aria_pagecache_buffer_size }}
-#
-# * Security Features
-#
-# Read the manual, too, if you want chroot!
-# chroot = /var/lib/mysql/
-#
-# For generating SSL certificates I recommend the OpenSSL GUI "tinyca".
-#
-# ssl-ca=/etc/mysql/cacert.pem
-# ssl-cert=/etc/mysql/server-cert.pem
-# ssl-key=/etc/mysql/server-key.pem
-
-#
-# * Galera-related settings
-#
-[galera]
-# Mandatory settings
-#wsrep_on=ON
-#wsrep_provider=
-#wsrep_cluster_address=
-#binlog_format=row
-#default_storage_engine=InnoDB
-#innodb_autoinc_lock_mode=2
-#
-# Allow server to accept connections on all interfaces.
-#
-#bind-address=0.0.0.0
-#
-# Optional setting
-#wsrep_slave_threads=1
-#innodb_flush_log_at_trx_commit=0
-
-[mysqldump]
-quick
-quote-names
-max_allowed_packet	= 16M
-
-[mysql]
-#no-auto-rehash	# faster start of mysql but no tab completion
-
-[isamchk]
-key_buffer		= 16M
-
-#
-# * IMPORTANT: Additional settings that can override those from this file!
-#   The files must end with '.cnf', otherwise they'll be ignored.
-#
-!include /etc/mysql/mariadb.cnf
-!includedir /etc/mysql/conf.d/

roles/munin/handlers/main.yml

@@ -1,4 +1,4 @@
 ---
 # ansible.builtin.file: roles/munin/handlers/main.yml
 - name: restart munin-node
-  ansible.builtin.systemd: name=munin-node state=restarted
+  ansible.builtin.systemd_service: name=munin-node state=restarted

roles/munin/tasks/munin-node.yml

@@ -1,16 +1,22 @@
 ---
 - name: Install munin-node
-  ansible.builtin.apt: name=munin-node state=present
+  ansible.builtin.apt:
+    name: munin-node
+    state: present
   tags: packages
 
 # some nice things to have for munin-node on Ubuntu
 # libwww-perl: for munin's nginx_status check
 - name: Install munin-node deps
-  ansible.builtin.apt: name=libwww-perl state=present
+  ansible.builtin.apt:
+    name: libwww-perl
+    state: present
   tags: packages
 
 - name: Create munin-node.conf
-  ansible.builtin.template: src=munin-node.conf.j2 dest=/etc/munin/munin-node.conf
+  ansible.builtin.template:
+    src: munin-node.conf.j2
+    dest: /etc/munin/munin-node.conf
   notify:
     - restart munin-node
 
@@ -20,6 +26,9 @@
     - restart munin-node
 
 - name: Start munin-node
-  ansible.builtin.systemd: name=munin-node state=started enabled=true
+  ansible.builtin.systemd_service:
+    name: munin-node
+    state: started
+    enabled: true
 
 # vim: set ts=2 sw=2:

roles/munin/tasks/munin.yml

@@ -1,9 +1,16 @@
 ---
 - name: Install munin package
-  ansible.builtin.apt: name=munin state=present
+  ansible.builtin.apt:
+    name: munin
+    state: present
   tags: packages
 
 - name: Create munin configuration file
-  ansible.builtin.template: src=munin.conf.j2 dest=/etc/munin/munin.conf owner=root group=root mode=0644
+  ansible.builtin.template:
+    src: munin.conf.j2
+    dest: /etc/munin/munin.conf
+    owner: root
+    group: root
+    mode: "0644"
 
 # vim: set ts=2 sw=2:

roles/nginx/defaults/main.yml

@@ -5,16 +5,16 @@
 nginx_confd_path: /etc/nginx/conf.d
 
 # parent directory of vhost roots
-nginx_root_prefix: /var/www
+nginx_root_prefix: "{{ web_root_prefix }}"
 
-# 1 hour timeout
-nginx_ssl_session_timeout: 1h
+# 1 day timeout
+nginx_ssl_session_timeout: 1d
 # 10MB -> 40,000 sessions
 nginx_ssl_session_cache: shared:SSL:10m
-# 1400 bytes to fit in one MTU (default is 16k!)
-nginx_ssl_buffer_size: 1400
+nginx_ssl_buffer_size: 4k
 nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
 nginx_ssl_protocols: TLSv1.2 TLSv1.3
+nginx_ssl_ecdh_curve: X25519:prime256v1:secp384r1
 
 # DNS resolvers for OCSP stapling (default to Cloudflare public DNS)
 # See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
@@ -37,8 +37,8 @@ letsencrypt_root: /etc/ssl
 letsencrypt_acme_script_temp: /root/acme.sh
 letsencrypt_acme_home: /root/.acme.sh
 
-# stable is 1.20.x
-# mainline is 1.21.x
+# stable is 1.26.x
+# mainline is 1.27.x
 nginx_version: mainline
 
 # vim: set ts=2 sw=2:

roles/nginx/handlers/main.yml

@@ -1,5 +1,7 @@
 ---
-- name: reload nginx
-  ansible.builtin.systemd: name=nginx state=reloaded
+- name: Reload nginx
+  ansible.builtin.systemd_service:
+    name: nginx
+    state: reloaded
 
 # vim: set ts=2 sw=2:

roles/nginx/tasks/letsencrypt.yml

@@ -1,7 +1,12 @@
 ---
 # Use acme.sh instead of certbot because they only support installation via
 # snap now.
-- block:
+- name: Install and configure Let's Encrypt
+  tags: letsencrypt
+  when:
+    - ansible_facts["distribution"] == 'Debian'
+    - ansible_facts["distribution_version"] is version('11', '>=')
+  block:
     - name: Remove certbot
       ansible.builtin.apt:
         name: certbot
@@ -21,31 +26,31 @@
       register: acme_home
 
     - name: Download acme.sh
+      when: not acme_home.stat.exists
       ansible.builtin.get_url:
         url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
         dest: "{{ letsencrypt_acme_script_temp }}"
         mode: "0700"
       register: acme_download
-      when: not acme_home.stat.exists
 
     # Run the "install" for acme.sh so it creates the .acme.sh dir (currently I
     # have to chdir to the /root directory where the script exists or else it
     # fails. Ansible runs it, but the script can't find itself...).
     - name: Install acme.sh
+      when: acme_download is changed
       ansible.builtin.command:
         cmd: "{{ letsencrypt_acme_script_temp }} --install --no-profile --no-cron"
         creates: "{{ letsencrypt_acme_home }}/acme.sh"
         chdir: /root
       register: acme_install
-      when: acme_download is changed
 
     - name: Remove temporary acme.sh script
-      ansible.builtin.file:
-        dest: "{{ letsencrypt_acme_script_temp }}"
-        state: absent
       when:
         - acme_install.rc is defined
         - acme_install.rc == 0
+      ansible.builtin.file:
+        dest: "{{ letsencrypt_acme_script_temp }}"
+        state: absent
 
     - name: Set default certificate authority for acme.sh
       ansible.builtin.command:
@@ -77,14 +82,10 @@
 
     # always issues daemon-reload just in case the service/timer changed
     - name: Start and enable systemd timer to renew Let's Encrypt certs
-      ansible.builtin.systemd:
+      ansible.builtin.systemd_service:
         name: renew-letsencrypt.timer
         state: started
         enabled: true
         daemon_reload: true
 
-  when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version
-    is version('11', '>='))
-  tags: letsencrypt
-
 # vim: set ts=2 sw=2:

roles/nginx/tasks/main.yml

@@ -1,12 +1,4 @@
 ---
-- name: Remove nginx apt signing key from apt-key
-  ansible.builtin.apt_key:
-    id: "053473772654754373614404074646527257655730117366337542"
-    state: absent
-  tags:
-    - packages
-    - nginx
-
 - name: Download nginx apt signing key
   ansible.builtin.get_url:
     url: https://nginx.org/keys/nginx_signing.key
@@ -33,9 +25,9 @@
     - packages
 
 - name: Update apt cache
+  when: (download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or add_nginx_apt_repository is changed
   ansible.builtin.apt: # noqa no-handler
     update_cache: true
-  when: (download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or add_nginx_apt_repository is changed
 
 - name: Install nginx
   ansible.builtin.apt:
@@ -54,7 +46,7 @@
     owner: root
     group: root
   notify:
-    - reload nginx
+    - Reload nginx
   tags: nginx
 
 - name: Copy extra nginx configs
@@ -68,7 +60,7 @@
     - extra-security.conf
     - fastcgi_cache
   notify:
-    - reload nginx
+    - Reload nginx
   tags: nginx
 
 - name: Remove default nginx vhost
@@ -87,13 +79,13 @@
   tags: nginx
 
 - name: Configure nginx virtual hosts
-  ansible.builtin.include_tasks: vhosts.yml
   when: nginx_vhosts is defined
+  ansible.builtin.include_tasks: vhosts.yml
   tags: nginx
 
 - name: Configure WordPress
-  ansible.builtin.include_tasks: wordpress.yml
   when: nginx_vhosts is defined
+  ansible.builtin.include_tasks: wordpress.yml
   tags: wordpress
 
 - name: Configure blank nginx vhost
@@ -104,7 +96,7 @@
     owner: root
     group: root
   notify:
-    - reload nginx
+    - Reload nginx
   tags: nginx
 
 - name: Configure munin vhost
@@ -115,11 +107,11 @@
     owner: root
     group: root
   notify:
-    - reload nginx
+    - Reload nginx
   tags: nginx
 
 - name: Start and enable nginx service
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: nginx
     state: started
     enabled: true

roles/nginx/tasks/vhosts.yml

@@ -1,16 +1,23 @@
 ---
-- block:
+- name: Configure https vhosts
+  tags: nginx
+  block:
     - name: Configure https vhosts
-      ansible.builtin.template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root
+      ansible.builtin.template:
+        src: vhost.conf.j2
+        dest: "{{ nginx_confd_path }}/{{ item.domain_name }}.conf"
+        mode: "0644"
+        owner: root
+        group: root
       loop: "{{ nginx_vhosts }}"
       notify:
-        - reload nginx
+        - Reload nginx
 
     - name: Generate self-signed TLS cert
       ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key
         -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
       notify:
-        - reload nginx
+        - Reload nginx
 
     - name: Download 4096-bit RFC 7919 dhparams
       ansible.builtin.get_url:
@@ -18,12 +25,16 @@
         checksum: sha256:64852d6890ff9e62eecd1ee89c72af9af244dfef5b853bcedea3dfd7aade22b3
         dest: "{{ nginx_ssl_dhparam }}"
       notify:
-        - reload nginx
+        - Reload nginx
 
     # TODO: this could break because we can override the document root in host vars
     - name: Create vhost document roots
-      ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory mode=0755 owner=nginx group=nginx
+      ansible.builtin.file:
+        path: "{{ nginx_root_prefix }}/{{ item.domain_name }}"
+        state: directory
+        mode: "0755"
+        owner: nginx
+        group: nginx
       loop: "{{ nginx_vhosts }}"
-  tags: nginx
 
 # vim: set ts=2 sw=2:

roles/nginx/tasks/wordpress.yml

@@ -1,19 +1,31 @@
 ---
-- block:
+- name: Install and configure WordPress
+  tags: wordpress
+  block:
     - name: Install WordPress
-      ansible.builtin.git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version
-        }} depth=1 force=true
       when:
         - item.has_wordpress is defined
         - item.has_wordpress
+      ansible.builtin.git:
+        repo: https://github.com/WordPress/WordPress.git
+        dest: "{{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress"
+        version: "{{ item.wordpress_version }}"
+        depth: 1
+        force: true
       loop: "{{ nginx_vhosts }}"
+      become: true
+      become_user: nginx
 
     - name: Fix WordPress directory permissions
-      ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=true
       when:
         - item.has_wordpress is defined
         - item.has_wordpress
+      ansible.builtin.file:
+        path: "{{ nginx_root_prefix }}/{{ item.domain_name }}"
+        state: directory
+        owner: nginx
+        group: nginx
+        recurse: true
       loop: "{{ nginx_vhosts }}"
-  tags: wordpress
 
 # vim: set ts=2 sw=2:

roles/nginx/templates/blank-vhost.conf.j2

@@ -11,9 +11,11 @@ server {
 
     return 444;
 }
+
 server {
-    listen 443 ssl http2 default_server;
-    listen [::]:443 ssl http2 default_server;
+    listen 443 ssl default_server;
+    listen [::]:443 ssl default_server;
+    http2 on;
     server_name _;
 
     # self-signed "snakeoil" certificate

roles/nginx/templates/https.j2

@@ -27,8 +27,9 @@
 
     ssl_dhparam {{ nginx_ssl_dhparam }};
     ssl_protocols {{ nginx_ssl_protocols }};
+    ssl_ecdh_curve {{ nginx_ssl_ecdh_curve }};
     ssl_ciphers "{{ tls_cipher_suite }}";
-    ssl_prefer_server_ciphers on;
+    ssl_prefer_server_ciphers off;
 
     {# OSCP stapling only works with real certs #}
     {% if use_letsencrypt == true or item.tls_certificate_path %}
@@ -38,15 +39,6 @@
     resolver {{ nginx_ssl_stapling_resolver }};
     {% endif %} {# end: use_letsencrypt #}
 
-    # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
-    # when a restart is performed the previous key is lost, which resets all previous
-    # sessions. The fix for this is to setup a manual rotation mechanism:
-    # http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
-    #
-    # Note that you'll have to define and rotate the keys securely by yourself. In absence
-    # of such infrastructure, consider turning off session tickets:
-    ssl_session_tickets off;
-
     {% if enable_hsts == true %}
     # Enable this if you want HSTS (recommended, but be careful)
     # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store

roles/nginx/templates/nginx.conf.j2

@@ -14,7 +14,6 @@ error_log  /var/log/nginx/error.log warn;
 # The file storing the process ID of the main process
 pid        /var/run/nginx.pid;
 
-
 events {
     # If you need more connections than this, you start optimizing your OS.
     # That's probably the point at which you hire people who are smarter than you as this is *a lot* of requests.
@@ -23,6 +22,7 @@ events {
 }
 
 
+
 http {
     include       /etc/nginx/mime.types;
     default_type  application/octet-stream;

roles/nginx/templates/nginx_org_sources.list.j2

@@ -1,19 +1,7 @@
 {{ ansible_managed | comment }}
 
-{% if ansible_distribution == 'Ubuntu' %}
-
 {% if nginx_version == "stable" %}
-deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/ubuntu/ {{ ansible_distribution_release }} nginx
+deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/debian/ {{ ansible_facts["distribution_release"] }} nginx
 {% elif nginx_version == "mainline" %}
-deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/mainline/ubuntu/ {{ ansible_distribution_release }} nginx
-{% endif %}
-
-{% elif ansible_distribution == 'Debian' %}
-
-{% if nginx_version == "stable" %}
-deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx
-{% elif nginx_version == "mainline" %}
-deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/mainline/debian/ {{ ansible_distribution_release }} nginx
-{% endif %}
-
+deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/mainline/debian/ {{ ansible_facts["distribution_release"] }} nginx
 {% endif %}

roles/nginx/templates/vhost.conf.j2

@@ -8,6 +8,12 @@
 {% set has_wordpress  = item.has_wordpress | default(false) %}
 {% set needs_php      = item.needs_php | default(false) %}
 {% set has_gitea      = item.has_gitea | default(false) %}
+{# Allow sites to override the document root #}
+{% if item.document_root is defined %}
+{%   set document_root = item.document_root %}
+{% else %}
+{%   set document_root = (nginx_root_prefix, domain_name) | ansible.builtin.path_join %}
+{% endif %}
 
 # http -> https vhost
 server {
@@ -26,15 +32,11 @@ server {
 }
 
 server {
-    listen 443 ssl http2;
-    listen [::]:443 ssl http2;
+    listen 443 ssl;
+    listen [::]:443 ssl;
+    http2 on;
 
-    {# Allow sites to override the nginx document root #}
-    {% if item.document_root is defined %}
-    root {{ item.document_root }};
-    {% else %}
-    root {{ nginx_root_prefix }}/{{ domain_name }};
-    {% endif %}
+    root {{ document_root }};
 
     {# will only work if the TLS cert covers the domain + aliases, like example.com and www.example.com #}
     server_name {{ domain_name }} {{ domain_aliases }};
@@ -75,12 +77,8 @@ server {
         # See: https://httpoxy.org/
         fastcgi_param HTTP_PROXY "";
 
-        {% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('12', '==') %}
+        {% if ansible_facts["distribution_major_version"] is version('12', '==') %}
         fastcgi_pass unix:/run/php/php8.2-fpm-{{ domain_name }}.sock;
-        {% elif (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('11', '==')) %}
-        fastcgi_pass unix:/run/php/php7.4-fpm-{{ domain_name }}.sock;
-        {% else %}
-        fastcgi_pass unix:/var/run/php5-fpm-{{ domain_name }}.sock;
         {% endif %}
         fastcgi_index index.php;
         # set script path relative to document root in server block

roles/php-fpm/handlers/main.yml

@@ -1,12 +0,0 @@
----
-# For Ubuntu 20.04 and Debian 11
-- name: reload php7.4-fpm
-  ansible.builtin.systemd: name=php7.4-fpm state=reloaded
-
-# For Debian 12
-- name: reload php8.2-fpm
-  ansible.builtin.systemd:
-    name: php8.2-fpm
-    state: reloaded
-
-# vim: set ts=2 sw=2:

roles/php-fpm/tasks/Debian_12.yml

@@ -1,50 +0,0 @@
----
-- block:
-    - name: Set php-fpm packages
-      ansible.builtin.set_fact:
-        php_fpm_packages:
-          - php8.2-fpm
-          # for WordPress
-          - php8.2-mysql
-          - php8.2-gd
-          - php8.2-curl
-          - php8.2-xml
-
-    - name: Install php-fpm and deps
-      ansible.builtin.apt:
-        name: "{{ php_fpm_packages }}"
-        state: present
-        update_cache: true
-
-    # only copy php-fpm config for vhosts that need WordPress or PHP
-    - name: Copy php-fpm pool config
-      ansible.builtin.template:
-        src: php8.2-pool.conf.j2
-        dest: /etc/php/8.2/fpm/pool.d/{{ item.domain_name }}.conf
-        owner: root
-        group: root
-        mode: "0644"
-      loop: "{{ nginx_vhosts }}"
-      when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
-      notify: reload php8.2-fpm
-
-    - name: Remove default www pool
-      ansible.builtin.file:
-        path: /etc/php/8.2/fpm/pool.d/www.conf
-        state: absent
-      notify: reload php8.2-fpm
-
-    # re-configure php.ini
-    - name: Update php.ini
-      ansible.builtin.template:
-        src: php8.2-php.ini.j2
-        dest: /etc/php/8.2/fpm/php.ini
-        owner: root
-        group: root
-        mode: "0644"
-      notify: reload php8.2-fpm
-
-  tags: php-fpm
-  when: install_php
-
-# vim: set ts=2 sw=2:

roles/php-fpm/tasks/Ubuntu_20.04.yml

@@ -1,35 +0,0 @@
----
-- block:
-    - name: Set php-fpm packages
-      ansible.builtin.set_fact:
-        php_fpm_packages:
-          - php7.4-fpm
-          # for WordPress
-          - php7.4-mysql
-          - php7.4-gd
-          - php7.4-curl
-          - php7.4-xml
-
-    - name: Install php-fpm and deps
-      ansible.builtin.apt: name={{ php_fpm_packages }} state=present update_cache=true
-
-    # only copy php-fpm config for vhosts that need WordPress or PHP
-    - name: Copy php-fpm pool config
-      ansible.builtin.template: src=php7.4-pool.conf.j2 dest=/etc/php/7.4/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
-      loop: "{{ nginx_vhosts }}"
-      when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
-      notify: reload php7.4-fpm
-
-    - name: Remove default www pool
-      ansible.builtin.file: path=/etc/php/7.4/fpm/pool.d/www.conf state=absent
-      notify: reload php7.4-fpm
-
-    # re-configure php.ini
-    - name: Update php.ini
-      ansible.builtin.template: src=php7.4-php.ini.j2 dest=/etc/php/7.4/fpm/php.ini owner=root group=root mode=0644
-      notify: reload php7.4-fpm
-
-  tags: php-fpm
-  when: install_php
-
-# vim: set ts=2 sw=2:

roles/php-fpm/tasks/main.yml

@@ -1,53 +0,0 @@
----
-# Ubuntu 20.04 uses PHP 7.4
-# Debian 11 uses PHP 7.4
-# Debian 12 uses PHP 8.2
-
-# If any of the vhosts on this host need WordPress then we need to install PHP.
-# This uses selectattr to filter the list of dicts in nginx_vhosts, selecting
-# any that have has_wordpress defined, and has_wordpress set to true.
-#
-# See: https://stackoverflow.com/a/31896249
-- name: Check if any vhost needs WordPress
-  ansible.builtin.set_fact:
-    install_php: true
-  when: nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', true) | list | length > 0
-
-# Legacy, was only for Piwik, but leaving for now.
-- name: Check if any vhost needs PHP
-  ansible.builtin.set_fact:
-    install_php: true
-  when: nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', true) | list | length > 0
-
-# If install_php has not been set, then we assume no vhosts need PHP. This is
-# a bit hacky, but it's the closest we come to an if/then/else.
-- name: Set install_php to false
-  ansible.builtin.set_fact:
-    install_php: false
-  when: install_php is not defined
-
-- name: Configure php-fpm on Ubuntu 20.04
-  ansible.builtin.include_tasks: Ubuntu_20.04.yml
-  when:
-    - ansible_distribution == 'Ubuntu'
-    - ansible_distribution_version is version('20.04', '==')
-    - install_php
-  tags: php-fpm
-
-- name: Configure php-fpm on Debian 11
-  ansible.builtin.include_tasks: Ubuntu_20.04.yml
-  when:
-    - ansible_distribution == 'Debian'
-    - ansible_distribution_major_version is version('11', '==')
-    - install_php
-  tags: php-fpm
-
-- name: Configure php-fpm on Debian 12
-  ansible.builtin.include_tasks: Debian_12.yml
-  when:
-    - ansible_distribution == 'Debian'
-    - ansible_distribution_major_version is version('12', '==')
-    - install_php
-  tags: php-fpm
-
-# vim: set ts=2 sw=2:

roles/php_fpm/handlers/main.yml

@@ -0,0 +1,14 @@
+---
+# For Debian 12
+- name: Reload php8.2-fpm
+  ansible.builtin.systemd_service:
+    name: php8.2-fpm
+    state: reloaded
+
+# For Debian 13
+- name: Reload php8.4-fpm
+  ansible.builtin.systemd_service:
+    name: php8.4-fpm
+    state: reloaded
+
+# vim: set ts=2 sw=2:

roles/php_fpm/tasks/main.yml

@@ -0,0 +1,90 @@
+---
+# Debian 12 uses PHP 8.2
+# Debian 13 uses PHP 8.4
+
+# If any of the vhosts on this host need WordPress then we need to install PHP.
+# This uses selectattr to filter the list of dicts in nginx_vhosts, selecting
+# any that have has_wordpress defined, and has_wordpress set to true.
+#
+# See: https://stackoverflow.com/a/31896249
+- name: Check if any vhost needs WordPress
+  ansible.builtin.set_fact:
+    install_php: true
+  when: nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', true) | list | length > 0
+
+# Legacy, was only for Piwik, but leaving for now.
+- name: Check if any vhost needs PHP
+  ansible.builtin.set_fact:
+    install_php: true
+  when: nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', true) | list | length > 0
+
+# If install_php has not been set, then we assume no vhosts need PHP. This is
+# a bit hacky, but it's the closest we come to an if/then/else.
+- name: Set install_php to false
+  ansible.builtin.set_fact:
+    install_php: false
+  when: install_php is not defined
+
+- name: Install and configure php-fpm
+  tags: php-fpm
+  when: install_php
+  block:
+    - name: Set php-fpm packages
+      ansible.builtin.set_fact:
+        php_fpm_packages:
+          - php-fpm
+          # for WordPress
+          - php-mysql
+          - php-gd
+          - php-curl
+          - php-xml
+
+    - name: Install php-fpm and deps
+      ansible.builtin.apt:
+        name: "{{ php_fpm_packages }}"
+        state: present
+        update_cache: true
+
+    - name: Set PHP version for Debian 12
+      when:
+        - ansible_facts["distribution"] == 'Debian'
+        - ansible_facts["distribution_major_version"] is version('12', '==')
+      ansible.builtin.set_fact:
+        php_version: 8.2
+
+    - name: Set PHP version for Debian 13
+      when:
+        - ansible_facts["distribution"] == 'Debian'
+        - ansible_facts["distribution_major_version"] is version('13', '==')
+      ansible.builtin.set_fact:
+        php_version: 8.4
+
+    # only copy php-fpm config for vhosts that need WordPress or PHP
+    - name: Copy php-fpm pool config
+      ansible.builtin.template:
+        src: php{{ php_version }}-pool.conf.j2
+        dest: /etc/php/{{ php_version }}/fpm/pool.d/{{ item.domain_name }}.conf
+        owner: root
+        group: root
+        mode: "0644"
+      loop: "{{ nginx_vhosts }}"
+      when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
+      notify: Reload php{{ php_version }}-fpm
+
+    - name: Remove default www pool
+      ansible.builtin.file:
+        path: /etc/php/{{ php_version }}/fpm/pool.d/www.conf
+        state: absent
+      notify: Reload php{{ php_version }}-fpm
+
+    # re-configure php.ini
+    - name: Update php.ini
+      ansible.builtin.template:
+        src: php{{ php_version }}-php.ini.j2
+        dest: /etc/php/{{ php_version }}/fpm/php.ini
+        owner: root
+        group: root
+        mode: "0644"
+      notify: Reload php{{ php_version }}-fpm
+
+# vim: set ts=2 sw=2:

roles/php_fpm/templates/php8.2-pool.conf.j2

@@ -27,8 +27,8 @@
 ;       --allow-to-run-as-root option to work.
 ; Default Values: The user is set to master process running user by default.
 ;                 If the group is not set, the user's group is used.
-user = nginx
-group = nginx
+user = {{ webserver }}
+group = {{ webserver }}
 
 ; The address on which to accept FastCGI requests.
 ; Valid syntaxes are:
@@ -52,8 +52,8 @@ listen = /run/php/php8.2-fpm-{{ domain_name }}.sock
 ; and group can be specified either by name or by their numeric IDs.
 ; Default Values: Owner is set to the master process running user. If the group
 ;                 is not set, the owner's group is used. Mode is set to 0660.
-listen.owner = nginx
-listen.group = nginx
+listen.owner = {{ webserver }}
+listen.group = {{ webserver }}
 ;listen.mode = 0660
 
 ; When POSIX Access Control Lists are supported you can set them using

roles/php_fpm/templates/php8.4-pool.conf.j2

@@ -19,11 +19,16 @@
 ; Default Value: none
 ;prefix = /path/to/pools/$pool
 
-; Unix user/group of processes
-; Note: The user is mandatory. If the group is not set, the default user's group
-;       will be used.
-user = nginx
-group = nginx
+; Unix user/group of the child processes. This can be used only if the master
+; process running user is root. It is set after the child process is created.
+; The user and group can be specified either by their name or by their numeric
+; IDs.
+; Note: If the user is root, the executable needs to be started with
+;       --allow-to-run-as-root option to work.
+; Default Values: The user is set to master process running user by default.
+;                 If the group is not set, the user's group is used.
+user = {{ webserver }}
+group = {{ webserver }}
 
 ; The address on which to accept FastCGI requests.
 ; Valid syntaxes are:
@@ -35,20 +40,22 @@ group = nginx
 ;                            (IPv6 and IPv4-mapped) on a specific port;
 ;   '/path/to/unix/socket' - to listen on a unix socket.
 ; Note: This value is mandatory.
-listen = /run/php/php7.4-fpm-{{ domain_name }}.sock
+listen = /run/php/php8.2-fpm-{{ domain_name }}.sock
 
 ; Set listen(2) backlog.
-; Default Value: 511 (-1 on FreeBSD and OpenBSD)
+; Default Value: 511 (-1 on Linux, FreeBSD and OpenBSD)
 ;listen.backlog = 511
 
 ; Set permissions for unix socket, if one is used. In Linux, read/write
 ; permissions must be set in order to allow connections from a web server. Many
-; BSD-derived systems allow connections regardless of permissions.
-; Default Values: user and group are set as the running user
-;                 mode is set to 0660
-listen.owner = nginx
-listen.group = nginx
+; BSD-derived systems allow connections regardless of permissions. The owner
+; and group can be specified either by name or by their numeric IDs.
+; Default Values: Owner is set to the master process running user. If the group
+;                 is not set, the owner's group is used. Mode is set to 0660.
+listen.owner = {{ webserver }}
+listen.group = {{ webserver }}
 ;listen.mode = 0660
+
 ; When POSIX Access Control Lists are supported you can set them using
 ; these options, value is a comma separated list of user/group names.
 ; When set, listen.owner and listen.group are ignored
@@ -63,6 +70,10 @@ listen.group = nginx
 ; Default Value: any
 ;listen.allowed_clients = 127.0.0.1
 
+; Set the associated the route table (FIB). FreeBSD only
+; Default Value: -1
+;listen.setfib = 1
+
 ; Specify the nice(2) priority to apply to the pool processes (only if set)
 ; The value can vary from -19 (highest priority) to 20 (lower priority)
 ; Note: - It will only work if the FPM master process is launched as root
@@ -71,8 +82,9 @@ listen.group = nginx
 ; Default Value: no set
 ; process.priority = -19
 
-; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
-; or group is differrent than the master process user. It allows to create process
+; Set the process dumpable flag (PR_SET_DUMPABLE prctl for Linux or
+; PROC_TRACE_CTL procctl for FreeBSD) even if the process user
+; or group is different than the master process user. It allows to create process
 ; core dump and ptrace the process for the pool user.
 ; Default Value: no
 ; process.dumpable = yes
@@ -94,6 +106,8 @@ listen.group = nginx
 ;                                    state (waiting to process). If the number
 ;                                    of 'idle' processes is greater than this
 ;                                    number then some children will be killed.
+;             pm.max_spawn_rate    - the maximum number of rate to spawn child
+;                                    processes at once.
 ;  ondemand - no children are created at startup. Children will be forked when
 ;             new requests will connect. The following parameter are used:
 ;             pm.max_children           - the maximum number of children that
@@ -129,6 +143,12 @@ pm.min_spare_servers = 1
 ; Note: Mandatory when pm is set to 'dynamic'
 pm.max_spare_servers = 3
 
+; The number of rate to spawn child processes at once.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+; Default Value: 32
+;pm.max_spawn_rate = 32
+
 ; The number of seconds after which an idle process will be killed.
 ; Note: Used only when pm is set to 'ondemand'
 ; Default Value: 10s
@@ -141,7 +161,7 @@ pm.max_spare_servers = 3
 ;pm.max_requests = 500
 
 ; The URI to view the FPM status page. If this value is not set, no URI will be
-; recognized as a status page. It shows the following informations:
+; recognized as a status page. It shows the following information:
 ;   pool                 - the name of the pool;
 ;   process manager      - static, dynamic or ondemand;
 ;   start time           - the date and time FPM has started;
@@ -211,8 +231,8 @@ pm.max_spare_servers = 3
 ;                          it's always 0 if the process is not in Idle state
 ;                          because memory calculation is done when the request
 ;                          processing has terminated;
-; If the process is in Idle state, then informations are related to the
-; last request the process has served. Otherwise informations are related to
+; If the process is in Idle state, then information is related to the
+; last request the process has served. Otherwise information is related to
 ; the current request being served.
 ; Example output:
 ;   ************************
@@ -231,7 +251,7 @@ pm.max_spare_servers = 3
 ;   last request memory:  0
 ;
 ; Note: There is a real-time FPM status monitoring sample web page available
-;       It's available in: /usr/share/php/7.4/fpm/status.html
+;       It's available in: /usr/share/php/8.4/fpm/status.html
 ;
 ; Note: The value must start with a leading slash (/). The value can be
 ;       anything, but it may not be a good idea to use the .php extension or it
@@ -239,6 +259,22 @@ pm.max_spare_servers = 3
 ; Default Value: not set
 ;pm.status_path = /status
 
+; The address on which to accept FastCGI status request. This creates a new
+; invisible pool that can handle requests independently. This is useful
+; if the main pool is busy with long running requests because it is still possible
+; to get the status before finishing the long running requests.
+;
+; Valid syntaxes are:
+;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
+;                            a specific port;
+;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
+;                            a specific port;
+;   'port'                 - to listen on a TCP socket to all addresses
+;                            (IPv6 and IPv4-mapped) on a specific port;
+;   '/path/to/unix/socket' - to listen on a unix socket.
+; Default Value: value of the listen option
+;pm.status_listen = 127.0.0.1:9001
+
 ; The ping URI to call the monitoring page of FPM. If this value is not set, no
 ; URI will be recognized as a ping page. This could be used to test from outside
 ; that FPM is alive and responding, or to
@@ -271,13 +307,13 @@ pm.max_spare_servers = 3
 ;  %d: time taken to serve the request
 ;      it can accept the following format:
 ;      - %{seconds}d (default)
-;      - %{miliseconds}d
-;      - %{mili}d
+;      - %{milliseconds}d
+;      - %{milli}d
 ;      - %{microseconds}d
 ;      - %{micro}d
 ;  %e: an environment variable (same as $_ENV or $_SERVER)
 ;      it must be associated with embraces to specify the name of the env
-;      variable. Some exemples:
+;      variable. Some examples:
 ;      - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
 ;      - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
 ;  %f: script filename
@@ -306,14 +342,30 @@ pm.max_spare_servers = 3
 ;  %s: status (response code)
 ;  %t: server time the request was received
 ;      it can accept a strftime(3) format:
-;      The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
+;      The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
 ;  %T: time the log has been written (the request has finished)
 ;      it can accept a strftime(3) format:
-;      The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
-;  %u: remote user
+;      The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
+;  %u: basic auth user if specified in Authorization header
 ;
 ; Default: "%R - %u %t \"%m %r\" %s"
-;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
+;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%"
+
+; A list of request_uri values which should be filtered from the access log.
+;
+; As a security precaution, this setting will be ignored if:
+;     - the request method is not GET or HEAD; or
+;     - there is a request body; or
+;     - there are query parameters; or
+;     - the response code is outwith the successful range of 200 to 299
+;
+; Note: The paths are matched against the output of the access.format tag "%r".
+;       On common configurations, this may look more like SCRIPT_NAME than the
+;       expected pre-rewrite URI.
+;
+; Default Value: not set
+;access.suppress_path[] = /ping
+;access.suppress_path[] = /health_check.php
 
 ; The log file for slow requests
 ; Default Value: not set
@@ -372,7 +424,7 @@ pm.max_spare_servers = 3
 
 ; Redirect worker stdout and stderr into main error log. If not set, stdout and
 ; stderr will be redirected to /dev/null according to FastCGI specs.
-; Note: on highloaded environement, this can cause some delay in the page
+; Note: on highloaded environment, this can cause some delay in the page
 ; process time (several ms).
 ; Default Value: no
 ;catch_workers_output = yes

vars/Ubuntu.yml

@@ -1,10 +0,0 @@
----
-
-# sshd service name is `ssh` on Debian/Ubuntu, but it's
-# `sshd` on CentOS
-sshd_service_name: ssh
-
-# provisioning user vars
-provisioning_user: { name: 'provisioning', home: '/home/provisioning' }
-
-# vim: set ts=2 sw=2:

web.yml

@@ -9,7 +9,7 @@
     - { role: mariadb, when: mariadb_databases is defined}
     - { role: nginx, when: webserver is defined and webserver == 'nginx' }
     - { role: caddy, when: webserver is defined and webserver == 'caddy' }
-    - php-fpm
+    - php_fpm
     - munin
   vars_files:
     - vars/ipsets.yml