roles/common: re-work fail2ban and nftables

Re-work the fail2ban and nftables interaction. Use systemd's PartOf to indicate that fail2ban is part of the nftables service, which tells systemd to propogate stop/start signals to it. Then we tell the firehol update script to restart nftables instead of reload. The different between restart and reload is meaningless for nftables but we want systemd to propagate the stop/start signals to fail2ban.
roles/common: adjust update-firehol-nftables.service
2025-07-08 10:39:17 +03:00 · 2025-07-08 10:37:39 +03:00 · 2025-07-08 10:34:34 +03:00 · 2025-07-08 10:25:09 +03:00 · 2025-04-07 09:51:09 +03:00 · 2025-03-29 23:09:44 +03:00
71 changed files with 2188 additions and 11989 deletions
--- a/2
+++ b/2
@ -10,4 +10,4 @@ ansible = "*"
 ansible-lint = "*"
 [requires]
-python_version = "3.10"
+python_version = "3.13"
--- a/Pipfile.lock
+++ b/Pipfile.lock
--- a/README.md
+++ b/README.md
@ -4,7 +4,7 @@ Ansible playbook for base and initial configuration of the web server hosting my
 ## Assumptions
 Before you can run this, a few things are assumed:
- You have a clean, minimal Ubuntu 20.04 or Debian 11 host up and running
+- You have a clean, minimal Debian 12 host up and running
 - Python 3 is installed on the remote server (requirement of Ansible)
 - You have a user account with password-less SSH access to the machine
 - You have sudo privileges on the remote host
--- a/ansible.cfg
+++ b/ansible.cfg
@ -2,10 +2,16 @@
 retry_files_enabled=False
 force_handlers=True
 inventory=hosts
 gathering = smart
 # instead of using --ask-vault-pass
 ask_vault_pass=True
 remote_user = provisioning
 interpreter_python=auto
 # Don't warn on unknown SSH host keys because it's super annoying for new hosts
 # or if you get a new laptop and run Ansible there!
 #
 # See: https://docs.ansible.com/ansible/latest/user_guide/connection_details.html#managing-host-key-checking
 host_key_checking = False
 ansible_managed = This file is managed by Ansible.%n
  template: {file}
--- a/group_vars/web
+++ b/group_vars/web
@ -1,8 +1,14 @@
 ---
 # file: group_vars/web
 # run nginx by default
 webserver: nginx
 # all hosts run fail2ban with the sshd filter, but some can use other filters
 extra_fail2ban_filters:
  - nginx
 # root prefix for all web servers
 web_root_prefix: /var/www
 # vim: set ts=2 sw=2:
--- a/host_vars/nomad02
+++ b/host_vars/nomad02
@ -1,163 +0,0 @@
 $ANSIBLE_VAULT;1.1;AES256
 36643866316634653430343333316233346137663238373035376232643132663036343736376464
 3033313234383933656361343938653362623265653030360a396638643333633137376231663538
 65313537316564303330663730333131633165633238643532646435386436623163346366383533
 3965636630393834620a343531623964626135636337313861653361393733333463633234363435
 64643934346466663934613962613230623562323666353231326363343430336637323666383634
 36626136643432343332343665343734653435383336313862383863626466663633363738313563
 30303666306439333836306161633432346636396333653434666531353966353430666436623531
 31636562656161333830313362653764306137396231346334613336346538306432636639386561
 65323737383865313264623934613365373465323065616130333837386665666333623832626239
 33333230643332373238363432306466613737373132643134363563613535376365616130333433
 35653262356233626331643432396237306237363135623830643536653938363461303738613130
 66613036393338393037386162383831663866323233383736303532363837663039376166363639
 34666237333562643665653165393730646632316237663337383937353365333532336462656362
 31353934393363363765616335626565343238336262653361306164383030303835303666326532
 31386332346362633433356161643536333862373030306364393935663061396538616637623230
 66383163396139306430343639346264336464646233316636666239643132376164613666363538
 33356365643430383732396235623038643566623131616461376261343563353236306663656634
 64643035373039383031303464346264383066623762323161643561366164313461613038633531
 36383161363065366164383932623231626633646166313835343264373366393236626336353039
 66646338303731346337363962353135346239306562663737363038306433386230326636336162
 65313132626564663738633531333662666661326463643032656136376564643938623061346464
 66653239663464306430613563666336643839323537626338666435336138613763313364323637
 30666566326463623438316263623233333434623366306330656564636163336636623433646631
 65316562616136626330333166646332366537666664303766346239316535333031396235303466
 34393664373361356231333530323865646333653237613636386632393730623330653437393164
 65343266373237386364373862656138633263666633333465623836366233663537393539393638
 34643963363865383434633163623832646632393234636136346137366361393638393461306337
 64653436313065326637363632336565306137613131306364336537613835306332633366313130
 34393732643361663731383661646631353035353064613931333330653031626435353163323633
 65326135376462666435643837333131313863313630336566333835613132383365343234366133
 39336131363366616136663636663334386361646465336331343836626439316532376566353565
 37643361646435643133336333643837633331316432303062623062396564373137613235363762
 32363838333337363035343631353261653063316138626133303937623233326531333837383033
 39366536333434303864616164313137613337643730306261626138343764663662393161613730
 36303736306631636266336131396336646635653131336265623364633038363339353933636632
 39626134353866313439333962376663393831303261633431303035663130613265333739616135
 62623138386235653935383364623230343662333138653562633266336534383963326237663132
 38646335623532383565303466386261613931666438313261653434633934353739613431636132
 39633133656230666231383936396264313630353434313035643565333661393736386637313264
 63636337373334313937643261313564333564383566633730396364653533666236643433643436
 33363061356362386535323038383637613364393639646363366630373735353234333134636565
 37653064636536376638626135393332626539346365353661636439323338653137383866663734
 62303139363436646464383266396464313565376132393937356665396536623332376134393366
 30346435313566313237326461346362353633353261373038656130323365383765613739323239
 38633934643531633037623036623839386637663762366631633033646138323936353433326430
 34396466653230643766636636393735373363616637386662333535643536626261653264346332
 34336337646133646261353939353166393530323730333063393365626365383366633464633236
 64656535613838313461623864666362373030636366373038373863616462373939356238353362
 36363535653734343533666532343166313964303236313135386134623963386535306435656330
 38386430303330303837326138356364373439313836636234656331643131646363386138653065
 64353837396533303463643130613339663166333933643362303565623432643064353865393635
 65663362666130623933623733323933343065633432613965373764383035316338316338373934
 65383061386635316331366532626437303664636436306535663365373064346136393063623335
 35643062363536633332313531356637313032666262366466626462666663303161653635666331
 32343130383231323239363235313031346438323330383938303733323436646336353163356132
 30336136646261323866663530336335636464623035626635333961623363396239353935636531
 64373231386163663962313834333538333133376433623363306239393462383930306432396562
 65393761633834663431353032393032396330393338343863333939323632393438646331613463
 35363530653161653266616331356531666434353663643364316564623438316132383463356437
 38626365343733383735383939646331376531376563623231323535323735356630336130383835
 39633335373163656431336130333664306164336536356431323438333933636365303330393233
 32353437393133646632373234376431626332626333343866643463653662373861346539663131
 32393333633766633738393937356134313236343633636533376665316134653632623061353866
 36373761366264653737386331383235306137323965363265653937353833343362633433313462
 32316466356335366630373635376561636233336165666661653632323835336563313134343064
 30333033333331303164323133613536613636373333663131633162616235316636346337333462
 64306336636562353733613538343462626233303661363131333665366135306332346135323136
 31306535643539303936346632623930333339353439376462633462626165633437393830373739
 61653230646366623830353630336661623466316136373264353762313065346632366164653261
 64313830303466306135313964613537633236383535343132613332613733316161623365333163
 38633930323439303030316433343764356538313632366635653437346161646439663563323832
 38363731353734303932653662326138646239306261383232643537313365393061383663643632
 31343736373739643164623437663239616663373335643262336664326365656137643066383463
 37356666306666353339626662326135636530386462613061326631366535383034303830323237
 65316135343135383230656638363564303635363333623833373163326365393430663235623231
 35646632643735363730613462656562356139323863616266343566343861356238623564326430
 31306366366330363036616137363163663136316565313334616164346639663465666338316439
 33643732343062313536313233333039366435386235333736333937633266653761616262346566
 32636337623266656464636634643632316134376334653932363134613336346539656438633137
 31306439663834663431346133653532636664636463376337616539393239316465636537633630
 30363461343733653465666332646236386633396530333863616236383437333931643731626364
 38393337656130666237373538393430306333333033306466343866303038643234646339306233
 32336364363838636563643939626665643231636633666166653539313461393238333461383262
 62346634633236343433336531396361323238386262313565396265663162353765343037303862
 63633034363664313733633433356332333633366530643863316364653065623161663932323831
 31646530613933613735333834373532616136393662346431656363346364353031303262326134
 31343332386166646530373635343039323163323366616263346431353765303430353636373539
 36346461303730313630373637346266323331373733383465323037343633313739306233336339
 63646137643332623834343462333263356432366631663065383962373634366639656133323964
 64343035323863373139313163323562643066306139363235626532396436663137653635353035
 31396334346137626461633436343539366635356537306231353961333963616334323037346637
 33626161333264643261656661643933653835356236333831343563653938303266323730363865
 31363562383666633636343935386535306361386234346535613363613363393065363832306363
 63643238383363646137306361306265666435363739306463663637343761643831633261633531
 36626562636333336434613365316232343832646163396338613839643064653834633832376230
 33343265386162303266373033353332393931633663623734396133326232303465666432356363
 66306338616634616631363662313963386638343266383063313166353437373433623736333361
 36333163386630376262616362613530346563383637656130363365366634633135323863646363
 35323430343033323734363533326334303438663065656535666432376661613435623365316139
 30623835373535623662633131393831376231623663316331313661646531393338613532623063
 66343665356338636438646339663761336636653332646233326264373435346263386130383861
 34623265373463653165383665306334643233373066356231343666663866373739336436653933
 65623134306536333538333061303066636339376636333438623666366362666137653261376539
 31346435613134303866333065306237343162333138643339313461663934643234303132613961
 65393037396463663034636534323566366161623365666466393634373764333437383263656535
 33643461636362646135626164373335386130303766633434633062356630336463623661396639
 32646565623164363631383731666161343762393639343839373234326337643766336263353166
 62633964303733643035326535656561366139626565643938356264646239336166316534373261
 30623765623338616537353062666338376262393966373033346233383132653839323731626663
 66393938313132653538313031323538333263333361303661646633366633353534373837313935
 37323635633431623365643738623834653631323564393436326562326439666462306263653331
 66316134616432323939373366343564623264336632376132663462396362663134643236643832
 31393366653961323763333335303135383934633538636335303435636334343737306232373561
 31343139363863326536613163663862343263313630336438666132306162646130613233393935
 37336330643361323032366433313939616134366134393032613862616136393339643232356139
 35326534623263353766326132623330323639303230616263636536366263643339663838376238
 35323731303163616236306439343632353561646339663933313937363739303864336438626638
 64633139633338623431343236333534373835356365343536636261386437613538303334663739
 62396532353832323262343763353365333561643633353638313534393164366539353431396336
 36653563633237333730376331326432663561343463616135613738663130323936373136393538
 65636634363631313364326665336164653939356133333031633632373030623666373562623564
 64616365616435393231646236623333333037346363666664666233306661353337343066626136
 35666164356537323735636131383266393064373538303966353531636561623032643233346566
 61633465376631656636366662373865623764336135323865316336663731383335303330616231
 64313836373063313061626365316538653831316562333165616531643434633964333438333665
 66376634323531356538343837326636636636393639396535346264656531613733386337353966
 31363730646365313834316234626532663563613234643563366566373662616335623035393536
 61653334346336613539313732383438313132653738393339373661336531633565303635353665
 31383939643261666538356633326666363934643738636430383537636165623264616236633863
 35336134386437383539303061343261313530313366316338663539383238663966653837663331
 33386464653161376335316536633532383035363066653234626363343232393165313463343930
 63323435613932626435363235396236313365636166663238323534623038663034303365326566
 66306635373433313730343536633931643935323062643136383434643138306138363366663834
 66613964303634616139323832363633363063653237366135613964663733376161373937323462
 30313833623733336366356635323261613132393734613735393062333232313236326264323366
 32376535616334376137663636633333323665333939363366313432633436653864306532393966
 61636337356534373164653637633162613235623364396539623961353466303036383031363162
 37313364613939613939343538633665666136363135656330623332656466383139656234336133
 62366262663064623137626363613066366666313733623463623562636131323435346264653564
 31323431663339653966336230356339303534353139663739363263633564373364323937386434
 37306462653630326366316530656462316539373263366262313930356663376334343562303361
 61623161613939616666386336626537333135346136643537326635383939663863623332373033
 32643730313861636163623133323061333631333332373838636163326562633936363631653062
 37336661626336623462616562333264373330323363363630313739363962323735393332303562
 62393161323962393039346432353066646162336332663636343739343566363833333738316437
 64333337363137643931366536396333633538633830353865323765616264356335383031353534
 33376363386630303332643263383738386532373434613963613764326636333133303262393832
 35373930383662383064333465633736363063363434333662396331633032353733353334363162
 32393361643562623362333963663262363235326536396131643435306665343438333933616466
 34326634373965313638666337326633653938343561663739333464343135346437636436633034
 62333039373136656664363531373430356363363736306533386135323061316339326636643739
 38363763653331646638613963646138666165666439643065363335343132613731623264376536
 37366533636564346661343966373964353731623861633463363638356163346165643164373535
 30373564326263393436326337653631383731313139636339356433333830666265343165323330
 36616538616534626237623862636536303336343331383237333333656637303266616137336439
 61653631636632366563373034346365313337356266636338336663643538303063613036383831
 65613635336366316263336131666238386237366264396438383966313762626639643236313532
 30663235666662396231376631366139653937646132343639396430643339393165656266636235
 38356135666433323434613238356537306630643861353436323037353461326534313632386232
 63643261373263646437373535333036336634396331616330353233613564363361396437326435
 38396462643833313362633436303637323163663166653231653866643733616432323663316362
 3037356363643462356137346638313963376637643162623062
--- a/host_vars/web21
+++ b/host_vars/web21
@ -1,46 +1,27 @@
 $ANSIBLE_VAULT;1.1;AES256
-31303064616130313334356131393461656264376237303838313334366562376338343931333036
+38663333313561616264323430323162323837623430363739623561633331656664613936666665
-3165636436393538633063303338636464663634643539310a323766633431376166393134303038
+6364373033623163393239663035306337383066343438310a383666313434323036643037363065
-34316264643034386661343566656139306234383430613032343332643363323534333238376233
+30396333626130303633663930663965666662646233393439376661346265616565616236623366
-6262383039383065660a313138653738643838346365633238326534646637353033623638306161
+3930373433646231610a336233663132306263656465633034333030316362643939316465666534
-31336565373635663661343930396463333632366665633464646264333732373431633463343462
+38353961393038613961353732613434663565633466303265383231343336386330333464376363
-64303538343234613532323431643765643738396233376138343561306361313864376165393064
+33616330643364376332623634363766656366666239633964316439376463313063333162343963
-37313964656461353466306433366538346131313034316633626265346665666332666665336635
+61356634393438313063666434626338616264613639656462626639616263366531663135393466
-64386261643536386536366337313938343134346532393866663065306434353766666132383666
+66346635616439306364356133303664376134626636616131373138656562363363306633333164
-37623138653430363964313566666165326130656239333965346234386233643537643231613163
+62623135343633393834393165383231316562643062343165663235313930663039623135373263
-61333336383265613930613239393663356566633464343732383133336435393036646536353834
+61343336643235303962333938613230356465346436376334373438386461366231383737643137
-31626235343330666233616533636636316637643665333861386263646363613237613638313835
+36343832353730366131653430633465383163396336353065306638373166386438356264616139
-39393736313734393539386563333331636361376137313631373833643763623338653462653066
+65346635663338366463343932336231386235393836616238373864626235623935663661396663
-31633061323161663139633761623662653434363362386235623061626662343535626461663934
+31633565356465333737303339333435383162316530396563333335613062623138333232336162
-33633966353263613466616439663631363162376466346535383963383332376130303265633935
+62376363666431363931663231643561616562383230643737393261623934363633313231333137
-31646533633330616136346239356366616530363539323466333765656537623862653633643930
+39383238656237343661626662366465356463396336386261326334613436396364633062646532
-64646261636239343866663238613834376339366666353534373666333966366264626663326430
+61313136366636363861316166396134316562666435653437326331363563653035343138636163
-61343530636536613032646630346136656231633730646331666633623634623235666535336536
+66336139636533656334643966383962383734623565323435333665666164353732663736326364
-36303735373331383332653731616136376163396337323536616431633934633830323531656633
+35616264383237316330386539363065376334643432393636643464646238633034333166663665
-65666565363133366166323866366137663332343633333262643433396531333833626532313663
+33313166393738626133636136346637646437306335326263393634363133663736666338313838
-62303265623764613231306365323362303565623232326137386135363262623366343330666134
+64623139613037653461643563666539613237323934376534376461313833336338623032616661
-64376435363164636332383061343066336439363433653939353235383934346331383933333130
+64643062663633366436383232366137373936383430306332616634636331326361383931363961
-36623437393461613137316634626638353039343465333161623632363735346438383537306236
+62313236313563326438303935373837666434313435653236643135303739373763656562393537
-37306531336433346461656466396566623263353632323364643963323835356666393062343137
+31653265653739346433663937343439656231663963333633373066356231623762313438393763
-36323065323639646330643437373965613563366663363739646237396563336633653232643466
+36306336656566633034373834316363333233326130626639313130643935333437653934313636
-30336534373463643733613536343762633435343636333632613936383930316532333933613961
+32383034346234333561333466653561323834346166633831303566376266373933356536383031
-31313535653639653331343364383662653434333833663464623164636538353763346134643762
+6236303934323963336662386666653138313165366133303434
 36383132326134353632336334303264376162316162646331656434663435326535636164663238
 62383435343366663932346131636530386434333064323734363061633166323363383566383931
 30626337656133613632313136656431623761343036613865663261653437343139303734383231
 33613938643264313138626639393132663032326235383439326132363361616463366266383439
 36656161386531303230396562356438356537653133666336306439303630393665623665396130
 37356633356165333737303235373062663664643434346366613536343164626339633039386538
 30653962373361626436616366396362343739613937633830613235373866613665306334663166
 63643965303465306637663666336563633234333437643565353262623963653562623662323337
 31353636353830336362643536396232333732663937616666383431616161646265313834393232
 66646338303134393232363133653837346638613165323035363266333566663163336338613335
 37303964326663303338643233353939633735616231356430663931646363613565653764303637
 36643063306362373666653531656534646465666134353866313333316239663363663062373038
 33393938663363376530303463636665663539626537373262366536363830653632663736356632
 35653465306236356166653739623461636434636132653237333932333965366464633365326430
 32306533303966373662353061343130306662623735363930626663393139323236613730356336
 34306436333734626339616438383934353934306233323863653964623435663863333330643061
 64626333623436623230613362373533343237313165313030616662633739373065376231313237
 61303561303432613336366238326534616631346364616135363562303161313334303866336434
 6164
--- a/host_vars/web22
+++ b/host_vars/web22
@ -1,130 +1,141 @@
 $ANSIBLE_VAULT;1.1;AES256
-38656665633261633138336335373266363136353736393735633130373737316562383130666636
+61623539626162633765633037643066613863623631336534396535353439376238646263306463
-6561646263333036333763366562326661353032316564330a383634366236376563613861353932
+3762323765316137356636623430333662386564626536350a333334393630653733353864636162
-63653365343662356634653231633364353062373539323165633339326364643933373464376166
+64623562623462373337363339343832336439363832653666316335313633343663396438346365
-6236613532633734640a626636316566373431323837656263663065303534343639356165313338
+6531343731363736340a373839663837396138366237303636326363663366656564306663663934
-37316361373062623233343265346334613337313765306162336430653563393631633532363661
+34333862643232383566306335363462653035313039353764643261663165613861623333663136
-33626138346232363635623365613632313536646236633736653931363931343062613738653162
+31333131303630356239636334346466643433356661383234383132653865326634643138613666
-36393565633535633939666530613765623738316263313839323139306134346530303664623861
+35386430646239643535373264386535316135623633303863646564313538323532333739653636
-63376230303062303262376534323332333336363832353630363262383931356139613539386133
+37393833363564323533333963376334326536666535626530383165613938353232356539633732
-34643961336134643262623634363839633463613365653839356364333961383737303263373632
+30633761336638636265353764643063316538353065376431616165343936323834303733326433
-30333063383835353961636333363564353664636132363930656136396638303431353738653937
+62626233643630643835323834343461333365333232373236376234376532636431396232633034
-66656335363933326162323036313930336465373763323161643437653338636635643064376635
+34303538313331383332643731653634313736383261393563393232643466386339363836623466
-37346461386136643332363961366638653531633239336631373933643336643066313062636132
+33383633353239623930363765326638643066373332653264633437323536366233383030346135
-37356134336666396265346466346465633139313239393636663931356431643936613830643033
+61353636353239376564396336353538616135663237613137366263353730366263643961373461
-32333036396365356362356332353265643765666466666464653265666562306534396530663530
+36646132646563646133373563653034646330653931396562643832666634383439313764646535
-39666465336663396436343436373434383537346262626663366337366163306133663530346461
+35643161356263316638363662626662346232633230363731633263333566376262396236363161
-63376237373230303063316439386630373566613134303631373362336538633531386233616238
+38636138306366666163663861346639323630663039353863346161613336363730633738386635
-65643662653130346165386338633965636431636237656162613634393530636138633937646639
+31356638623938353964346436353565363431636238326266373863316464396563336461336162
-62353433346664343332656166366161623330353934653631383961303931366231363030633262
+37323962343637626634386539643062343565313431386265323166623437346639363630343739
-37623235373438653037343033393365323365653561633736373930396261663638356163626630
+63613738656465346261653538643932666235356635346564356234613265353761393263373965
-63356639383231616339323530636338303465336462333036336636623964333834336234316163
+37326438346432306165616538363334653732643138643864633731363936626433303961373465
-34323866636239316634633236383635656265323133346534343435656561643034613337313336
+38383535396665643037363665623739346230666539643835343862646464303436303561313035
-32626234366532663033396561313838626437663961393131393962396137323531366262666362
+31356462656230326137616531363461316365333432326230373632356632313765333464313164
-62373332663532333061666332623261636239346137373933646335353238386232613739303634
+65393537656364656464343237646137396331643165343639643330353264333066633432363066
-39336331373231653635663330323539366563363135663863393632396332313464653533653138
+31336132373162393033363636386632313938333039393533313038623633613362646134363162
-36343364393063633437356638383935346131313932636131663965383465643561613633383962
+36346532306166346335643636353439323732663763396432613537316234376366616262626638
-39623830313463633437653364343339633939663831623565393039646666613062356562356237
+38613936626237343464373937383464356439383934353264643632386239353666396133656635
-33623463323336663664356334656130613665363739623263613032663732353435313639363130
+37666534383461663433653139383732383062643939653066656231646532666262386239616433
-33336263653039336139326164303565666661323737666533643837633438343762336462393534
+34386335363663313933663465623534633163316635353439616532386565613234373039653364
-65663932343635646435333362663237663835623332623038616465356632306663326433333463
+62376565613863656232643631343634636366643034386466323963643837653831653635333865
-34343830646535303638303033356630663534343435333237623462663466633062346131333163
+37383834626362613235623264613234653236323236383632356666643465313561626137343330
-38636539626539613431393336303935666334623638653134343637393930663561316339383664
+61643963306363366638306335653364616264613766346539316337623466666537616535333363
-31363532646636343439383539613738646163306336313862653465373636353136383666663163
+35306665383339643834616463396362663538303031386639343932346537363866663536373634
-63626139613031316665653330313565313831656561333830633735343861323134636237343562
+32623738363234326361336436626330363962316163653733663663316139393134666632633438
-62653834663035616665633761636631383233343037653034643064623932356239336366396266
+32303463343363383663636165643730653138356538326137613730383863373635646533373066
-36353462623732373831366661393266376561313563323730663165613737656136353831333232
+38323361373665376435313266373439636533646634326533626135313462303739313430383730
-64366461353264303434656161353639616133376465346232383437336537383463366466303839
+32333636633737376566623663323234376235623039313865663232323761616532666466306264
-64623730333037396162613762383962326135633934306338343635346463666135386364656665
+39623434333638323065623830656535353331326435643464333035326338366136666136663337
-65326161356539613362376635306231656465306262333936323234653538663963383838323062
+34336366333539333232653263396231633234313935396366646639383465326333653236383362
-65363330336137363163373661373464313164663630393761363366363635313139643163633834
+36656563653465346439653230333534656530373766653733373765623234336466663631323765
-39613334336336613434313364306134643332633332393466383265336537663231636663613464
+38636262373831393633343262356538393736666134633264353037383033343436346333306565
-36323436343136323538643134376430333331663738393134393032633838383966353866366337
+38663637333062653565666163616330393637616434666634633839373966373666323831353338
-35633838663230653930633665363664636333613538613839663937373139323738323133333938
+33666235646162343234343336356563663430643035306333623136323461636135386238396137
-66653432663330316537353364616664623935626666366533383539323830386530663131386130
+63323830316634653666333735663533336262303931653666356531343464656132326134313831
-36383831373965376666666165393266303465353738303962336563353531333364613765336432
+30666466373833313331316330353539646534333135373364343066643536636335633264306334
-35353232636663323231383932643532663330653337666563353735323436373436383639373363
+63396133626234323734666162343835613436393763303836383839323338323339313261383033
-35343465396265356336346134366437393238663861326332393135393432643335353563303362
+33616430376436663966626230343436643032353636363765303032333637396531623265393064
-64653033373461363865316237323264346535316163376162303839313734393865393137636530
+62336330396533346462313638613262363435306330366561303336316239313731623562316366
-63633733373430633332353264336566626262626565393832323164653534616636343164653339
+36373864373763383236663163363335373435636431613562373334396432323633373063346564
-36383536656463396239313863323835633937313963363439663535633036326634303239396233
+38616637316162396638356234323436383765663036366363323964613264373638656161393661
-32626433626338383434363331663864633436393663316239663362613734393132336638313466
+38623234356137383936303738306263376632393533613739613636613561333262333537616336
-66643965316466363362363136323336363862303661653161393234323361636135633838613739
+35393739636533373865343533633961316137626337363336316333616162643538343362613634
-34393662346430366666626136643434656131396463306462626538396236653466646331613735
+34376334393134643963383634646432643763316232656135663031373361346332636662653266
-34393035323038313932383631623961633761383734653132386562306430376365386464663238
+38663931663239666462626664373064666366613834623033346133306335333462623931646535
-66303036653866646633623266623736636361383339336164626439383031313162646632303963
+65343966313966386632333133363965623436313237343331366565323133343833623232326337
-31373864366661653033613165323061316138623462336236393933386431613736316635383938
+38363234336137633035333362383164656238326434366330336662653435343639663438613062
-63643332623465663432633139303231306162353035373338353162633530303934303436376535
+30346336353964346362393832653835303730383934316563333538376333353830376661313065
-64386535613861303064396666636363626137373336626334663631346566313732393065373532
+31353837333563363561663931386264346263323665616231383538353937393330303163306433
-36386436386537333561393336393363636133653737623431386531626163333961343162396139
+64376662393464643836636162373564376664306161656539626132313232343861396537386462
-63646631333063303033613533353963616634336230343930366566353664306430663263333835
+32376636333564323137623862396135313863306337346131323834396633333261633438646561
-38363937383363613932316130313236373932303763306335363136376362313931396139666334
+31613734343839373735356464643865663061363338346663353932313635393138613538303463
-30613639663163336363666664313737303561316164616234646630326432346134393738383834
+33373333373230383336336462636333353137303563366234363737343437323336386335633739
-61383734643337663138346533373339343733353332383863363234376330616531643931373161
+61363266633065383738336537346331376663313133393761633530633932643739636238633565
-66363938323764336161323437376463626661336234343739343632323936386265616531623863
+33343236633834383933336466636663383566633932643464353665643733613137633538346437
-30393830353064643138653233656135373032643065313663373039326462303866636462373835
+33366361663537343931653537333737633463336135623836373261663538303532633763646432
-63316365383331623063306334383861393535633536386236303130633530336130326536323461
+39343361383335636433666431616363373161646265393231353265393436633238303066613963
-32643761323533376637626366313133616232636161343334353362363261363262353532353336
+39633765663339643864386334613337666138333538333762353866333464386232396530306335
-37353232366337653030396239316631386665383866363966643139393763383035613535326334
+64306461363730313061633831343839613065313061326132613563666563656131383236623032
-64366164656338393831366136343465316534626661343431326333663664316331343438353236
+33346234333966653732643263313138333262343461623736386334356662383536633062653832
-34303165623062653934613532636163653263303837343561656136646333656261366530623766
+37626132376336643563396561626636346237393138343133656565643631646530326166613061
-39653239336562646234323261356266663030333139366466373931383866313139666239336161
+31353863623430656433356636616636303961336262613063616464313832343030333937356662
-37303462373637393139653762626430626431316362346233366466356337343831656635663431
+61353136633539306265386335393035313864366464303131663337383636363431636537646461
-38313465356538363066306163656236333839656437376233386361366232396536353964393630
+37646431643862646262623038336635653764383165376433666639363337623035616562663561
-35623331356630386164656237303262396339633939646133636636623266303765626138383365
+36613165393931336639306662656136663231316530663266666135353461613538653734316661
-37363962633332613062306536393431613934623530376639363331303238623866343237323232
+36363065663261323439653733336266613539363732323230346433353363333637616635666234
-66613437383837323466346230306330306532656632643337326264666532646330373530336437
+36373439343762336161313965396537363332316561303235666264653038353132633561393038
-63376330393364666635373066343132663239353038633539356537366338393861613037333336
+30373366303136656661353664396261393136623436323930666430636435623362396636646161
-38346230613233316435333637373234653566363537613737363534373138373036313338333161
+63613734663964656139393531316465623130666663376266616137316137616233373630396663
-38336561623662316537303033373061363137353262313866346262303365666535366463336366
+32326166663731643837623262393835656532393139396535393732626164316136626239663230
-64343336373936373034633335323533636531306463376364393962643133386337336431616535
+35326166346162626134626566313963333661643531353437666139396333343335306633643531
-36333937313466313339356130356232666466313934323433356539663239393335343865353636
+63386437646536633430643539623164306139316364646136306366373732373065376561303431
-66363565376234363933663033653763346439333331386139643661633734323833396462313763
+65363237353163656162393264316263303366633630303532623130343066636132613865363662
-64613735393030353965623839333134613664613264646439393934613865626133373138353962
+63323233323064633238356236616665373933626465393032326134363434613262653165343166
-66653733353362333539353934666135333133376338386536643238336462663432303132336438
+38313263376637383163336565376538326532353766626264346536353563663464623737653430
-33313532316264353635376132303237303639373132333039653063313733333266623838643963
+66373866343865326331333833353261386132393234303536353864343934353039323038363630
-63376138363539663963303265666330646138356163366663373237386264343263356362366664
+37373632356461633137336230353762316562353430323761623861343639393030653038313632
-64336432666639316664393237343532396337366239353930363330313464616162343037306336
+66636133643566306432333038623866333531613334396432306666316439366435383661336531
-62356361313331326139633864363861373936313163326139636464656165356635616466646662
+36373333623266353461383431333462343037306563616231663563353833653839313538613631
-34383830663932303239666139633766636265623364313462353730656563393763386230623530
+30646130383932343865363062313836323365616639346537663461343164363934653737613466
-30326630653165623965623164613235323837326466646338313936333631346437643438653939
+38326234356261343764323063613366313633313766613736663033666664613433363438646366
-62626661323866356136346161613661313438633165643464623764626537396632316363613534
+64366333373164333838363934636366336430343032316562653137323634303833616363393063
-65336337303634373766346265333332313663653831343861396238623264623134626462613065
+35343330663434356530333535663664336463396533393564663138623162666563323736366135
-30393932633337376338663033663365646366656134633665313936373531346366663766633032
+63653662306265326238363266393864393630333064303861376432333432386262306363336135
-33323431303130323133613764656164643861373035653962303565653866653362653834383561
+32333762333339383662303931376631326638666635353433636461386264633166313336636663
-39623035653862383836616165383963363064653036313563383561323236663931306165376532
+36313336663730363937316539623132313937633032396462616634346630383937353034343332
-32316666313231613565616562663736393630336336646362363039643462316432363330373339
+32346164363362346264353965633761306163343131323661313836636438646337396238653962
-34626133613166656166313565303436326563663239323334616533613561333263643365666135
+66306666366663343731333338666463313139373033306137643631313930353932616339636337
-66336265316166613039663937326164626439323038656562646237613439333535626462313162
+39363337376232616139663863303430353530643964633333376561326339373334663862383230
-64663332326533336436383364333735646534356631326262643736393364613137303736356365
+37613861373836643762386339666434623931376266643361383761373235393035303137613838
-39626463373735323062633939333865643237353435663464393262636433303861303537393031
+39383230393831373836396435323734316332663465376136333365393433633065666565393033
-33633864623730336136346434303762633932613938393432353230333230626539343962633564
+62356661346433643532633366313132313137623134626431343532373461396462653738613030
-35636335316537373138363330303962633839353537636361613237666135393632336330323331
+39323566326239383434616663626330646136386463646331616431386235633435333838363732
-36353235633935653333316331656465353030313765363237643865383231346439383335383665
+33633063363065343032383736643634313034663632373237663132373561656530396661326366
-63373462613564623261363264363936356130393831376164346464646361613132366137323038
+31313738633662616663646163386461336537313236313930336466346161306535373965366137
-65663030656338316166616635613934363965653165356331323165326635303431633764393365
+32383934626563663033356466653162333732633639363563663464353466383233373830633361
-33633966633662643536663135333666663264366265396537336637326537343736316332626166
+37326531636262313337333665626233303263633461356331343261353838396661656138323130
-34316331383438633133343432303837363339313561353737356535313663613361336162393636
+39316634666432656638623733333531303662613062323430333933626264376138393665363964
-33623231303764353533336631383232646365343035303064376662333830343738313238333636
+62633765313262653165393332336539363263636362383262303766373331353363363564333037
-30663435343538333135616366636162636637303930383131356663383631306431643036646361
+39373164633563303461313830383632623438666333333938613066313562623233353665653631
-62386531663739373066326666306235616662353835616166393739656564323737316131343134
+62313634373537356365633065333763333533313730353235363963643131316364323031643235
-36643063626464666337323634636536343365376233653363323565393731646536306637346630
+64313731343735346533646430346565393365363334626563353030313663363930363966313339
-33386633653165323762643638623739306363313433306338306162633333376463386261303466
+34346130626633333239663935376663393962363761663935303639346333326230363730363366
-64376531353238343435643865383061323364383362396432336539613230376235346537636362
+39313230353130373733396264616530303534383466633231303661663635623266346235363163
-34633637646230353463363763303239343766383935333861653137373266313534663335646230
+61383761623039666462383266666565643930303664616432393434666566636437616536626365
-66616339366532323766353365343433303432636134663834663834303932366663396131643337
+33336366333139633138386366333938343630373965613865663830366333363363303565633238
-61653733623361306336656333353664303165346238643738386536336335656165616131306131
+32313762303739356433383534653966376231316366396333616435343539376432633837666635
-33613139353839613764306161313764316233623361313037386163313238343031613931353332
+31396137373263386365616237396232376664653266663562356533613263323131356266666264
-62383839616365636435653634313736346438303565643133626161326534376636366537633037
+36636266623338323861303237623361666130373938306539343438316662326536376438306465
-33356533363234353263613662623334653465303561353934343230633664643536353538336437
+62656463356364363837353738663539316163346565333431343363303564376436666631383435
-34633631356363323836363439303131656361633162626232396636643436303032626335353534
+65333066383335633462613034383139336262393865383534323032323730343865303339343239
-36376437616533633934383034376464323530383965326432333834636132306438363334326262
+62343962363566643566356433623133333363343535376534333938623033656334613432326533
-61363532663439653937363935353831623562363737643066306537643433623262646535663166
+63666339373135353331326363303064666137383439663738373236623137383562346439356432
-31336661653539343236646361313930316562343630613535306231333734623265623064653031
+62383365373063376637313437346333643637376234376434613666353734333039353463313335
-37653633326131363433343732363264383366663965313836346561383833383138376136663164
+32326564343139383035313261646635313939366531323530393434303735306138633435333037
-35363835643630623037633032323162366333653963363736653537643739656665353638376132
+65666533366634666665393838616533656338353938333437363939616435636538313937303631
-61393639316336343731353038303033656164353839613764633635396438616336343533333065
+32663439396165333633653531353835366436323062326535366432313936323031613639633164
-31396337656433663736646338313062383337343466316137303032356266386562353833303636
+66323234613139626433326130396232366231623135366462393366616365653337346261663836
-64646637323836323930646530383339336636623934333833636565323164653862306462376365
+61386435636361336334333235663865343262633333633162376433383062336663396162303133
-30623031663832303265616563353164643336646131613963663530396336333637623836343137
+32666437336634323132396664373930316365626131646636366632616138626366613737616131
-6566
+64386439386265373631373232626538323936383162333535383134643438336336636435613033
 31336139376434316432343139363464616136626463396534646239646633363164646330373161
 31663233393234393837356133316462346563303435663262363532333963333535373031656434
 64303262633166346534396166643365326262636431353065613236666463336238633838633636
 35356265653935663963343737616563373663376239613436663138386566393438323735393362
 32616238623538366639373762336363353638306539336263316338323666303866633935386433
 62313865303732613266393066386533313263313432356434363734626365643338646438646633
 31346463313236643862303034363737343731343934666632623130613932323137376134653265
 35326164303031623235303265613765663263663333353066333633663636323635383832373865
 35626135333634346637346537373962646236376431393266306436333634646263646266326234
 37383037363364306230646334333532613464353931376338366532326134393437303535393033
 34316232326462343662
--- a/host_vars/web23
+++ b/host_vars/web23
@ -1,85 +1,67 @@
 $ANSIBLE_VAULT;1.1;AES256
-30633037383332656130363532373262623063623730666337373430336363383964343039663832
+64326662336532386161646564656439396461666266656463393335663130323930326139386562
-3633313230323565376234336433383330626238373665360a393234643435376431613363313036
+3639653630336132663666646161363938386334323064320a663564613066313533353433333434
-32386236343262643662356563633038333434333730616332353234333363356465326133623139
+30346561616465646163646534356339666639333862623637613435376361323032636439633930
-3830316433303631640a613231373138336330646639376135326238383230323534316464383135
+3731313063363337380a373961353530383764623830363935626231333734303364313565626633
-35333631356666323161313261633134636364396232323130333666373864333165346233666232
+37343037633862633632613165323136373662396438613663636433346566653064653632313338
-62346362353033636464323866343334633565373265623431613866623234633133633466383735
+36396333393334336434326630646164333531306432386133353664336535343363343939393464
-31343439646166633237643364386638306539626562636235666535333438343664323932383865
+34626335626436353239366138323863656336636536383733363931633933636331643263653566
-39333533363131633930353962336238363234393161623966376365326661643431303263653164
+30613931616462373336393337363430353962613665353936383533326364353365623333316664
-63666436616437326137303765303730303135663434663235373363323966623166376332393661
+62383439396131303831326562323264336638623461643361663763356236373464346464316237
-62336336366265623035346162303730323762353961376333313662626232343366653930656338
+65393232343733643338653734326562626166366562303037613862396564636662363066356664
-36353134333463663034363737653133633536356166353966373563316235636132383530643339
+32656363616637303039373732396533643432343961666365313963383131643464333765643737
-37326661346666663139326239396466373630633363373431346635626561623665366566653731
+32386165666131626365313938633530346361383734323334613464353862393931323836626563
-36396138643936623632613934633965663166313364396466633263303738666164316231366662
+62656531346532646530306463653364326362613162323536643836643839663933343132613435
-64636362356564663330363763323139623065336162353734626539663231663734333962343665
+63303234646335306632316166626266313635303566396363333464363631353834373761353837
-32613563363130376665333666313733303963633161313633636337646466353064653866623265
+65643461623135363139646564336430353461336433633765303138313730613630346465326666
-30653762316433653631306535303463663738653731633964666466623534396663326263643437
+61393133636262653836333664623333656164663361353130623863653863323131326136373238
-62663366613635373832316538653066623733336631663261666564333634643161653962373932
+33376333316433653337373834666136363130373261333330643439313734343036636364306532
-30313065656238663063313737383432393433656439383033346634373030643166306565646230
+63343662383539633235356162656366323965383331343139616361653466633865626337326562
-62353930336664393733663462343062323332323030356338316133393838656536306164623435
+63643761613536613334333065643533323066393764633931633066353064393966646161376361
-64393634363665643862346564326138336136393235316433313538383162396563303937356335
+37623939386636346161346164303832303534323038626335336665653634386132343031303861
-33646334646630646233323762323335303030393331636532656132313536663465383237623536
+61323765306366333936303765636436633465356539316631343562363535663932333666363035
-39633364363036636434323963613633353238346134643837316232653038616138373731643033
+30386233623265636464393662386464333430396337626230306438396563303437363938303061
-64396563353839386334313933653664613230323430383434653964636538393838386639356361
+32653939383136376365343934613339383563303935623664633639326137353437363261393637
-63643565643636653434343363333966653163616236363366356539313532393133666239376530
+66613331643530623862636665396536613730306537373666623135663837393466343261646461
-62663930343462633864373138633364636634643361363935303263353766373936386561376638
+62376162613861643633656334303132353034333834626664666237393534386439313638393933
-65316138646534396435636563326165643737326533303338323665656334346264643262636437
+35643663613432323432646466386434363335353234643264643463613334356462313766643030
-63303530363063316461333536333433366461356533393139313435396136353439323435366266
+30336364396235663230356235303264323339643761333036333537633862343862386130626533
-32343566616161636466663339613434643835613831346366613866343536663530326431343139
+36626536396663393031303533313238616133323239356634303830353439363133353839663266
-38653165383430653064613837343738623134303766373133623131646134613663383637336264
+36306539636563633734623162356230383232306138393831393336626336383966643335376564
-35313966646639613262623836393933376137623535323365393837326631663930313336313737
+36303730313936633361643736613736303163363536313038316432323039643362636538333037
-35626139386264303162393636306136306161383565353739643166653262366164386539353266
+65613663333032623035656665393565366363396134363832363163656532363537373435623233
-38323266343833323063343263346365383534643835353435626335333637303237633239646330
+36373961333237373264326634353363356537356538343663613034396132396366626330303365
-32643235666331613364616535326230346634333363633938646633633831633364653337373235
+62353461616434343938386237373365633861333733613631633234623034366364363761613636
-30316161633634303562613263633962376365363038346137316164323036616664626132386461
+34393532316466323264363363653335366639613731326131393335313039646538626665356333
-65323764383733666634643635633834396635343835663266623839383130343563386231376537
+62663435633539643237326631636563363833633130363535653336333538366137306235663730
-62326338643833303538343566616461353135333863626462663830366435636564626538346361
+36633934636536633865376262356239303966646638626638386536366662386432343466366161
-33646661613334636239653636383436653438376235376665363235653837303037363164633931
+36646436636538643366623864326630396565373462393132343834626638313437316137353564
-32633733326139346261323464393734316661633239643437373235303237643932633433313564
+34646138616438323065336266366434316135613938643131353034646230396632386433366365
-36643739613330303362663861626637613130383965646639356532353539373437326439356362
+38616436346232363563336439613939313464323861616530633962316634363462373530613665
-39643137666633313262356366616561353461633033376235313965646132343233326366353264
+63653636646565303664326631363535373037663734663965346430363831613431613365393832
-35393561633632306265373032306636326261646235623266636662646334363233623330333734
+62373030336262643430313635626261613232656236333130396537633238623265363932333966
-37663266363639623036323433656166383631386633313131303030306437643761343965353063
+34326135363762396564613064323135313663613565646461376162306532643433333336666532
-39373435363238616566643239306136366637646437633335313431623839616264616261633339
+65383661303137613335653336663666653463623565386137326662653839633536326135633764
-33313364323039373531346335333963343034323637643134653566666562373137656335633932
+33623437333931393737363061356235336232376437643131373531356566323336306138353561
-39653862653465626432663534663965653933623430616561363430666235363666613833656463
+66333863313461613930383231663162616261616639323238646439656166666261626533636161
-65326430383137663034623233393339623135356535666161366564383564336132363038646663
+38333362393033316266633364313739366262636530363937386137616234326638303137613433
-61353465393265613337643338326436333237336339326262356362643932623163616638643835
+65313962653566333364383732386165396136303666383439303064326463346563663434646364
-31323739646335383532396665326535373161666661306538653365346465366434346463663438
+62396130646632653039383661613638303162363538376236666338623865366639663138363636
-64323766353933633736313266386564656436666534326534663531613936633830386238303861
+36373766386234383465316635323931356233366262386135363238366538623135623361386436
-37363231656365383531613764386662356334313330333236363734646431383166636132383338
+64653533646233653463656334633566373433303365353965663732636566663332343337626337
-35343138353232663135366438386366626239326632333937666530626364313463613831313162
+34623861373562386264346430333133343631653631376366373735626664363965666561306262
-30363933623561396137616130656535393138346339663266353764653931316639636562666164
+35666235653235346233636361383566616533646662333662323139313865383264633734643263
-61333938363466623031653766313139306439396435663665386665663663306134666563373238
+63656431393834633935613430643839613433326431666665323136376562333737383862313261
-36316261363063666335363462353066313735386139313465623338366266383434643464643162
+65656431336439303563373833343965323965346439636131633366633431393032613963666539
-34383836636336316232343132363464383565366162313563393864376433386236376565623631
+38326539343132326334316233323362633835356265333031663066643535363639623031336362
-64656164646635666139396539353763333065323266663262643233306261656532613362346432
+64346230383638363763323462386261666266623134393139303264343234623132323437396630
-33373631613137336366666266633331303966653138393539326335653463303033613565663638
+66363738376133393731616535653230303262313937373333353932303038626166346366303163
-30663465643832643637643836323462633163643534663465336664313265353966306261613339
+66613831353731373165636532363165356561383137626437333563616561386666623234313438
-32616139353263663033373835653632386262396164343731613836336435616131356632653830
+37333435306530323235393164383138346131653235633536383636316161316238313064636261
-61613461333632666366653330626537396232323733663930633966663239356130306666376137
+33353963333430383236303038333939316637326130396430623964633338353863613534653663
-62636333373635356461633431346636643731656338306366396430323537626233316137656465
+30333839393230626261663966616230303330636335323565663938343562666663303536636332
-65643339346565376166373066643339356666663735313063303130313663393966623866613337
+34336665323764663163653161373166313631393534326532613538313637313136356336313433
-31386663363166336337633266646363666236623837303634643337316636353531653765323637
+34353036653738343433613763383137336562373332333062326134626638633938336364376131
-62313330326363303932633336383337353062643865383730613435353832663364643262626162
+61303435333163663636653135363162303663663266393438656430306532343438386436343735
-63303439383164333037306231613538313639626537323039366561363233303735323032653432
+31343231653263373532386263653263386435363633396638396164323539306233303562303862
-35643432336666616665386238353034333037353630323234316266373936356439353632336365
+3339306136613431636138333266633739323666633431363039
 37646462666537306534623937393939326663316532623837326564303330373261323630353863
 38343438316539336464376664326362353831396132393566396333613164646462636361646234
 35313837666463376233623762663239613134356632333730343363346238613334383861306635
 31623665666461643661383265633965386566656165663566376235343338636336336330336661
 64653032656365363835616634656663623365323766396537303361336533313132316631316533
 31353036663766643131386135653366313535366232636538346237613461383761393666336432
 31623364653166356565376463363437386533303062373930393761646163613962636462643865
 33376561323366363936386531663637343465626666623133396162306139366665616132326161
 63663535636465383836333061396239313463343635633135323464646135393031386361633539
 64396534396361323466326364326266386336643831643536383866313033366534636135613736
 34316661313335383239316536623862316637396465616563386361636261313330313466656239
 37626431613464363965343233666534323736363865373734633535343632393335346265643361
 65326436393631353264613761343237386561306261353261356364386137393362306566353032
 31313363613963323136303262323934333961343563626533666563636432653436393937303037
 37336566663932663062633534303632646162316262323935366661313938393735666561343237
 31616366363339353231643561373362613266343266623464323238356261303762316334333266
 39303633316164376330343864336636313333363862323835303735383866363334643933653337
 35373030353264323761
--- a/roles/caddy/defaults/main.yml
+++ b/roles/caddy/defaults/main.yml
@ -0,0 +1,11 @@
 ---
 # file: roles/caddy/defaults/main.yml
 # parent directory of vhost document roots
 caddy_root_prefix: "{{ web_root_prefix }}"
 # Email address to use for the ACME account managing the site's certificates.
 # Not sure what Caddy does if this doesn't exist.
 caddy_email: foo@example.com
 # vim: set ts=2 sw=2:
--- a/roles/caddy/handlers/main.yml
+++ b/roles/caddy/handlers/main.yml
@ -0,0 +1,10 @@
 ---
 # file: roles/caddy/handlers/main.yml
 # I'm currently not sure when we need to restart versus reload
 - name: reload caddy
  ansible.builtin.systemd:
    name: caddy
    state: reloaded
 # vim: set sw=2 ts=2:
--- a/roles/caddy/tasks/main.yml
+++ b/roles/caddy/tasks/main.yml
@ -0,0 +1,82 @@
 ---
 # file: roles/caddy/tasks/main.yml
 #
 # Configure Caddy.
 - name: Check Caddy package signing key
  ansible.builtin.stat:
    path: /etc/apt/keyrings/caddy-stable-archive-keyring.key
  register: caddy_signing_key_stat
  tags:
    - packages
    - caddy
 # See: https://caddyserver.com/docs/install#debian-ubuntu-raspbian
 - name: Download Caddy package signing key
  ansible.builtin.get_url:
    url: https://dl.cloudsmith.io/public/caddy/stable/gpg.key
    dest: /etc/apt/keyrings/caddy-stable-archive-keyring.key
    owner: root
    group: root
    mode: "0644"
  register: download_caddy_signing_key
  when: not caddy_signing_key_stat.stat.exists
  tags:
    - packages
    - caddy
 - name: Add Caddy stable repo
  ansible.builtin.apt_repository:
    repo: deb [signed-by=/etc/apt/keyrings/caddy-stable-archive-keyring.key] https://dl.cloudsmith.io/public/caddy/stable/deb/debian any-version main
    filename: caddy-stable
    state: present
  register: add_caddy_apt_repository
  tags:
    - packages
    - caddy
 - name: Update apt cache
  ansible.builtin.apt: # noqa no-handler
    update_cache: true
  when: (download_caddy_signing_key.status_code is defined and download_caddy_signing_key.status_code == 200) or add_caddy_apt_repository is changed
  tags:
    - packages
    - caddy
 - name: Install Caddy
  ansible.builtin.apt:
    name: caddy
    state: present
    install_recommends: false
    cache_valid_time: 3600
  tags:
    - caddy
    - packages
 - name: Create Caddyfile
  ansible.builtin.template:
    src: etc/caddy/Caddyfile.j2
    dest: /etc/caddy/Caddyfile
    mode: "0755"
    owner: root
    group: root
  notify:
    - reload caddy
  tags: caddy
 - name: Create Caddy conf.d directory
  ansible.builtin.file:
    path: /etc/caddy/conf.d
    state: directory
    mode: "0755"
    owner: root
    group: root
  tags: caddy
 # TODO: the variable is still named nginx_vhosts
 - name: Configure Caddy virtual hosts
  ansible.builtin.include_tasks: vhosts.yml
  when: nginx_vhosts is defined
  tags: caddy
 # vim: set sw=2 ts=2:
--- a/roles/caddy/tasks/vhosts.yml
+++ b/roles/caddy/tasks/vhosts.yml
@ -0,0 +1,14 @@
 ---
 - name: Configure vhosts
  ansible.builtin.template:
    src: etc/caddy/conf.d/vhost.j2
    dest: /etc/caddy/conf.d/{{ item.domain_name }}
    mode: "0644"
    owner: root
    group: root
  loop: "{{ nginx_vhosts }}"
  notify:
    - reload caddy
  tags: caddy
 # vim: set ts=2 sw=2:
--- a/roles/caddy/templates/etc/caddy/Caddyfile.j2
+++ b/roles/caddy/templates/etc/caddy/Caddyfile.j2
@ -0,0 +1,29 @@
 # Global options
 {
    email {{ caddy_email }}
 }
 # Common security response headers
 (security-headers) {
    header {
        # disable Google FLoC tracking
        Permissions-Policy interest-cohort=()
        # enable HSTS
        Strict-Transport-Security max-age=31536000
        # disable clients from sniffing the media type
        X-Content-Type-Options nosniff
        # clickjacking protection: refuse to allow rendering this page
        # in a frame, iframe, etc.
        X-Frame-Options DENY
        # keep referrer data off of HTTP connections
        Referrer-Policy no-referrer-when-downgrade
    }
 }
 # Import additional caddy config files in /etc/caddy/conf.d/
 # Note: these are imported in lexical sort order!
 import /etc/caddy/conf.d/*
--- a/roles/caddy/templates/etc/caddy/conf.d/vhost.j2
+++ b/roles/caddy/templates/etc/caddy/conf.d/vhost.j2
@ -0,0 +1,46 @@
 {{ ansible_managed | comment }}
 {# helper variables and per-site defaults that we can't set in role defaults #}
 {% set domain_name    = item.domain_name %}
 {% set domain_aliases = item.domain_aliases | default("") %}
 {# assume optional features are off unless a vhost explicitly sets them #}
 {% set has_wordpress  = item.has_wordpress | default(false) %}
 {% set needs_php      = item.needs_php | default(false) %}
 {% set has_gitea      = item.has_gitea | default(false) %}
 {% set static_site    = item.static_site | default(false) %}
 {# Allow sites to override the document root #}
 {% if item.document_root is defined %}
 {%   set document_root = item.document_root %}
 {% else %}
 {%   set document_root = (caddy_root_prefix, domain_name) | ansible.builtin.path_join %}
 {% endif %}
 {% if domain_aliases %}
 {#   domain_aliases is a string, so we split on space #}
 {%   for domain in domain_aliases | split (' ') %}
 {{ domain }} {
    redir https://{{domain_name}}{uri}
 }
 {%   endfor %}
 {% endif %}
 {{ domain_name }} {
    {% if has_gitea %}
    reverse_proxy :3000
    {% elif static_site -%}
    root * {{ document_root }}
    encode
    file_server
    {% elif has_wordpress -%}
    root * {{ document_root }}
    encode
    {%   if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('12', '==') -%}
    php_fastcgi unix//run/php/php8.2-fpm-{{ domain_name }}.sock
    {%   endif -%}
    file_server
    {% endif -%}
    import security-headers
 }
--- a/roles/common/defaults/main.yml
+++ b/roles/common/defaults/main.yml
@ -10,4 +10,8 @@ fail2ban_findtime: 3600
 fail2ban_bantime: 1209600
 fail2ban_ignoreip: 127.0.0.1/8 172.26.0.0/16 192.168.5.0/24
 # Disable SSH passwords. Must use SSH keys. This is OK because we add the keys
 # before re-configuring the SSH daemon to disable passwords.
 ssh_password_authentication: disabled
 # vim: set ts=2 sw=2:
--- a/roles/common/files/abuseipdb-ipv4.nft
+++ b/roles/common/files/abuseipdb-ipv4.nft
--- a/roles/common/files/abuseipdb-ipv6.nft
+++ b/roles/common/files/abuseipdb-ipv6.nft
@ -1,5 +0,0 @@
 #!/usr/sbin/nft -f
 define ABUSEIPDB_IPV6 = {
 fd21:3523:74e0:7301::
 }
--- a/roles/common/files/aggregate-cidr-addresses.pl
+++ b/roles/common/files/aggregate-cidr-addresses.pl
@ -1,89 +0,0 @@
 #!/usr/bin/perl
 #
 # aggregate-cidr-addresses - combine a list of CIDR address blocks
 # Copyright (C) 2001,2007 Mark Suter <suter@zwitterion.org>
 #
 # This program is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
 # the Free Software Foundation, either version 3 of the License, or
 # (at your option) any later version.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see L<http://www.gnu.org/licenses/>.
 #
 # [MJS 22 Oct 2001] Aggregate CIDR addresses
 # [MJS  9 Oct 2007] Overlap idea from Anthony Ledesma at theplanet dot com.
 # [MJS 16 Feb 2012] Prompted to clarify license by Alexander Talos-Zens - at at univie dot ac dot at
 # [MJS 21 Feb 2012] IPv6 fixes by Alexander Talos-Zens
 # [MJS 21 Feb 2012] Split ranges into prefixes (fixes a 10+ year old bug)
 use strict;
 use warnings;
 use English qw( -no_match_vars );
 use Net::IP;
 ## Read in all the IP addresses
 my @addrs = map { Net::IP->new($_) or die "$PROGRAM_NAME: Not an IP: \"$_\"."; }
    map { / \A \s* (.+?) \s* \Z /msix and $1; } <>;
 ## Split any ranges into prefixes
@addrs = map {
    defined $_->prefixlen ? $_ : map { Net::IP->new($_) }
        $_->find_prefixes
 } @addrs;
 ## Sort the IP addresses
@addrs = sort { $a->version <=> $b->version or $a->bincomp( 'lt', $b ) ? -1 : $a->bincomp( 'gt', $b ) ? 1 : 0 } @addrs;
 ## Handle overlaps
 my $count   = 0;
 my $current = $addrs[0];
 foreach my $next ( @addrs[ 1 .. $#addrs ] ) {
    my $r = $current->overlaps($next);
    if ( $current->version != $next->version or $r == $IP_NO_OVERLAP ) {
        $current = $next;
        $count++;
    }
    elsif ( $r == $IP_A_IN_B_OVERLAP ) {
        $current = $next;
        splice @addrs, $count, 1;
    }
    elsif ( $r == $IP_B_IN_A_OVERLAP or $r == $IP_IDENTICAL ) {
        splice @addrs, $count + 1, 1;
    }
    else {
        die "$PROGRAM_NAME: internal error - overlaps() returned an unexpected value!\n";
    }
 }
 ## Keep aggregating until we don't change anything
 my $change = 1;
 while ($change) {
    $change = 0;
    my @new_addrs = ();
    $current = $addrs[0];
    foreach my $next ( @addrs[ 1 .. $#addrs ] ) {
        if ( my $total = $current->aggregate($next) ) {
            $current = $total;
            $change  = 1;
        }
        else {
            push @new_addrs, $current;
            $current = $next;
        }
    }
    push @new_addrs, $current;
    @addrs = @new_addrs;
 }
 ## Print out the IP addresses
 foreach (@addrs) {
    print $_->prefix(), "\n";
 }
 # $Id: aggregate-cidr-addresses,v 1.9 2012/02/21 10:14:22 suter Exp suter $
--- a/roles/common/files/etc/cron-apt/3-download
+++ b/roles/common/files/etc/cron-apt/3-download
@ -1,2 +0,0 @@
 autoclean -y
 upgrade -y -o APT::Get::Show-Upgraded=true
--- a/roles/common/files/etc/cron-apt/config
+++ b/roles/common/files/etc/cron-apt/config
@ -1,5 +0,0 @@
 # Configuration for cron-apt. For further information about the possible
 # configuration settings see the README file.
 MAILON="never"
 OPTIONS="-o quiet=1 -o Dir::Etc::SourceList=/etc/apt/security.sources.list -o Dir::Etc::SourceParts=\"/dev/null\""
--- a/roles/common/files/firehol_level1-ipv4.nft
+++ b/roles/common/files/firehol_level1-ipv4.nft
@ -1,5 +1,5 @@
 #!/usr/sbin/nft -f
-define SPAMHAUS_IPV4 = {
+define FIREHOL_LEVEL1_IPV4 = {
 192.168.254.254/32
 }
--- a/roles/common/files/spamhaus-ipv6.nft
+++ b/roles/common/files/spamhaus-ipv6.nft
@ -1,5 +0,0 @@
 #!/usr/sbin/nft -f
 define SPAMHAUS_IPV6 = {
 fd21:3523:74e0:7301::/64
 }
--- a/roles/common/files/ssh-pub-keys/aorth-thinkpad2-ed25519.pub
+++ b/roles/common/files/ssh-pub-keys/aorth-thinkpad2-ed25519.pub
@ -0,0 +1 @@
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHmRO6E0G4Ls3TifVfJ+mQjlfWiBZNJfsSXGhwQ/HA1M aorth@balozi
--- a/roles/common/files/update-abusech-nftables.service
+++ b/roles/common/files/update-abusech-nftables.service
@ -1,27 +0,0 @@
 [Unit]
 Description=Update Abuse.ch SSL Blacklist IPs
 # This service will fail if nftables is not running so we use Requires to make
 # sure that nftables is started.
 Requires=nftables.service
 # Make sure the network is up and nftables is started
 After=network-online.target nftables.service
 Wants=network-online.target update-abusech-nftables.timer
 [Service]
 # https://www.ctrl.blog/entry/systemd-service-hardening.html
 # Doesn't need access to /home or /root
 ProtectHome=true
 # Possibly only works on Ubuntu 18.04+
 ProtectKernelTunables=true
 ProtectSystem=full
 # Newer systemd can use ReadWritePaths to list files, but this works everywhere
 ReadWriteDirectories=/etc/nftables
 PrivateTmp=true
 WorkingDirectory=/var/tmp
 SyslogIdentifier=update-abusech-nftables
 ExecStart=/usr/bin/flock -x update-abusech-nftables.lck \
          /usr/local/bin/update-abusech-nftables.sh
 [Install]
 WantedBy=multi-user.target
--- a/roles/common/files/update-abusech-nftables.sh
+++ b/roles/common/files/update-abusech-nftables.sh
@ -1,63 +0,0 @@
 #!/usr/bin/env bash
 #
 # update-abuseipdb-nftables.sh v0.0.1
 #
 # Download IP addresses seen using a blacklisted SSL certificate and load them
 # into nftables sets. As of 2021-07-28 these appear to only be IPv4.
 # 
 # See: https://sslbl.abuse.ch/blacklist
 #
 # Copyright (C) 2021 Alan Orth
 #
 # SPDX-License-Identifier: GPL-3.0-only
 # Exit on first error
 set -o errexit
 abusech_ipv4_set_path=/etc/nftables/abusech-ipv4.nft
 abusech_list_temp=$(mktemp)
 echo "Downloading Abuse.sh SSL Blacklist IPs"
 abusech_response=$(curl -s -G -w "%{http_code}\n" https://sslbl.abuse.ch/blacklist/sslipblacklist.txt --output "$abusech_list_temp")
 if [[ $abusech_response -ne 200 ]]; then
 	echo "Abuse.ch responded: HTTP $abusech_response"
 	exit 1
 fi
 if [[ -f "$abusech_list_temp" ]]; then
    echo "Processing IPv4 list"
    abusech_ipv4_list_temp=$(mktemp)
    abusech_ipv4_set_temp=$(mktemp)
    # Remove comments, DOS carriage returns, and IPv6 addresses (even though
    # Abuse.ch seems to only have IPv4 addresses, let's not break our shit on
    # that assumption some time down the line).
    sed -e '/#/d' -e 's/
 //' -e '/:/d' "$abusech_list_temp" > "$abusech_ipv4_list_temp"
    echo "Building abusech-ipv4 set"
    cat << NFT_HEAD > "$abusech_ipv4_set_temp"
 #!/usr/sbin/nft -f
 define ABUSECH_IPV4 = {
 NFT_HEAD
    while read -r network; do
        # nftables doesn't mind if the last element in the set has a trailing
        # comma so we don't need to do anything special here.
        echo "$network," >> "$abusech_ipv4_set_temp"
    done < $abusech_ipv4_list_temp
    echo "}" >> "$abusech_ipv4_set_temp"
    install -m 0600 "$abusech_ipv4_set_temp" "$abusech_ipv4_set_path"
    rm -f "$abusech_list_temp" "$abusech_ipv4_list_temp" "$abusech_ipv4_set_temp"
 fi
 echo "Reloading nftables"
 # The abusech nftables sets are included by nftables.conf
--- a/roles/common/files/update-abusech-nftables.timer
+++ b/roles/common/files/update-abusech-nftables.timer
@ -1,12 +0,0 @@
 [Unit]
 Description=Update Abuse.ch SSL Blacklist IPs
 [Timer]
 # Once a day at midnight
 OnCalendar=*-*-* 00:00:00
 # Add a random delay of 0–3600 seconds
 RandomizedDelaySec=3600
 Persistent=true
 [Install]
 WantedBy=timers.target
--- a/roles/common/files/update-firehol-nftables.service
+++ b/roles/common/files/update-firehol-nftables.service
@ -0,0 +1,24 @@
 [Unit]
 Description=Update FireHOL lists
 # Make sure the network is up
 After=network-online.target
 Wants=network-online.target update-firehol-nftables.timer
 [Service]
 # https://www.ctrl.blog/entry/systemd-service-hardening.html
 # Doesn't need access to /home or /root
 ProtectHome=true
 # Possibly only works on Ubuntu 18.04+
 ProtectKernelTunables=true
 ProtectSystem=full
 # Newer systemd can use ReadWritePaths to list files, but this works everywhere
 ReadWriteDirectories=/etc/nftables
 PrivateTmp=true
 WorkingDirectory=/var/tmp
 SyslogIdentifier=update-firehol-nftables
 ExecStart=/usr/bin/flock -x update-firehol-nftables.lck \
          /usr/local/bin/update-firehol-nftables.sh
 [Install]
 WantedBy=multi-user.target
--- a/roles/common/files/update-spamhaus-nftables.timer
+++ b/roles/common/files/update-spamhaus-nftables.timer
@ -1,5 +1,5 @@
 [Unit]
-Description=Update Spamhaus lists
+Description=Update FireHOL lists
 [Timer]
 # Once a day at midnight
--- a/roles/common/files/update-spamhaus-nftables.service
+++ b/roles/common/files/update-spamhaus-nftables.service
@ -1,27 +0,0 @@
 [Unit]
 Description=Update Spamhaus lists
 # This service will fail if nftables is not running so we use Requires to make
 # sure that nftables is started.
 Requires=nftables.service
 # Make sure the network is up and nftables is started
 After=network-online.target nftables.service
 Wants=network-online.target update-spamhaus-nftables.timer
 [Service]
 # https://www.ctrl.blog/entry/systemd-service-hardening.html
 # Doesn't need access to /home or /root
 ProtectHome=true
 # Possibly only works on Ubuntu 18.04+
 ProtectKernelTunables=true
 ProtectSystem=full
 # Newer systemd can use ReadWritePaths to list files, but this works everywhere
 ReadWriteDirectories=/etc/nftables
 PrivateTmp=true
 WorkingDirectory=/var/tmp
 SyslogIdentifier=update-spamhaus-nftables
 ExecStart=/usr/bin/flock -x update-spamhaus-nftables.lck \
          /usr/local/bin/update-spamhaus-nftables.sh
 [Install]
 WantedBy=multi-user.target
--- a/roles/common/files/update-spamhaus-nftables.sh
+++ b/roles/common/files/update-spamhaus-nftables.sh
@ -1,91 +0,0 @@
 #!/usr/bin/env bash
 #
 # update-spamhaus-nftables.sh v0.0.1
 #
 # Download Spamhaus DROP lists and load them into nftables sets.
 # 
 # See: https://www.spamhaus.org/drop/
 #
 # Copyright (C) 2021 Alan Orth
 #
 # SPDX-License-Identifier: GPL-3.0-only
 # Exit on first error
 set -o errexit
 spamhaus_ipv4_set_path=/etc/nftables/spamhaus-ipv4.nft
 spamhaus_ipv6_set_path=/etc/nftables/spamhaus-ipv6.nft
 function download() {
    echo "Downloading $1"
    wget -q -O - "https://www.spamhaus.org/drop/$1" > "$1"
 }
 download drop.txt
 download edrop.txt
 download dropv6.txt
 if [[ -f "drop.txt" && -f "edrop.txt" ]]; then
    echo "Processing IPv4 DROP lists"
    spamhaus_ipv4_list_temp=$(mktemp)
    spamhaus_ipv4_set_temp=$(mktemp)
    # Extract all networks from drop.txt and edrop.txt, skipping blank lines and
    # comments. Use aggregate-cidr-addresses.pl to merge overlapping IPv4 CIDR
    # ranges to work around a firewalld bug.
    #
    # See: https://bugzilla.redhat.com/show_bug.cgi?id=1836571
    cat drop.txt edrop.txt | sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' | aggregate-cidr-addresses.pl > "$spamhaus_ipv4_list_temp"
    echo "Building spamhaus-ipv4 set"
    cat << NFT_HEAD > "$spamhaus_ipv4_set_temp"
 #!/usr/sbin/nft -f
 define SPAMHAUS_IPV4 = {
 NFT_HEAD
    while read -r network; do
        # nftables doesn't mind if the last element in the set has a trailing
        # comma so we don't need to do anything special here.
        echo "$network," >> "$spamhaus_ipv4_set_temp"
    done < $spamhaus_ipv4_list_temp
    echo "}" >> "$spamhaus_ipv4_set_temp"
    install -m 0600 "$spamhaus_ipv4_set_temp" "$spamhaus_ipv4_set_path"
    rm -f "$spamhaus_ipv4_list_temp" "$spamhaus_ipv4_set_temp"
 fi
 if [[ -f "dropv6.txt" ]]; then
    echo "Processing IPv6 DROP lists"
    spamhaus_ipv6_list_temp=$(mktemp)
    spamhaus_ipv6_set_temp=$(mktemp)
    sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' dropv6.txt > "$spamhaus_ipv6_list_temp"
    echo "Building spamhaus-ipv6 set"
    cat << NFT_HEAD > "$spamhaus_ipv6_set_temp"
 #!/usr/sbin/nft -f
 define SPAMHAUS_IPV6 = {
 NFT_HEAD
    while read -r network; do
        echo "$network," >> "$spamhaus_ipv6_set_temp"
    done < $spamhaus_ipv6_list_temp
    echo "}" >> "$spamhaus_ipv6_set_temp"
    install -m 0600 "$spamhaus_ipv6_set_temp" "$spamhaus_ipv6_set_path"
    rm -f "$spamhaus_ipv6_list_temp" "$spamhaus_ipv6_set_temp"
 fi
 echo "Reloading nftables"
 # The spamhaus nftables sets are included by nftables.conf
 /usr/sbin/nft -f /etc/nftables.conf
 rm -v drop.txt edrop.txt dropv6.txt
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@ -2,19 +2,26 @@
 # ansible.builtin.file: roles/common/handlers/main.yml
 - name: reload sshd
-  ansible.builtin.systemd: name={{ sshd_service_name }} state=reloaded
+  ansible.builtin.systemd:
    name: "{{ sshd_service_name }}"
    state: reloaded
 - name: reload sysctl
  command: sysctl -p /etc/sysctl.conf
 - name: reload systemd
-  ansible.builtin.systemd: daemon_reload=true
+  ansible.builtin.systemd:
    daemon_reload: true
 - name: restart nftables
-  ansible.builtin.systemd: name=nftables state=restarted
+  ansible.builtin.systemd:
    name: nftables
    state: restarted
 # 2021-09-28: note to self to keep fail2ban at the end, as handlers are executed
 # in the order they are defined, not in the order they are listed in the task's
 # notify statement and we must restart fail2ban after updating the firewall.
 - name: restart fail2ban
-  ansible.builtin.systemd: name=fail2ban state=restarted
+  ansible.builtin.systemd:
    name: fail2ban
    state: restarted
--- a/roles/common/tasks/cron-apt.yml
+++ b/roles/common/tasks/cron-apt.yml
@ -1,12 +1,17 @@
 ---
 - name: Remove cron-apt
  ansible.builtin.apt:
    name: cron-apt
    state: absent
    cache_valid_time: 3600
- name: Configure cron-apt (config)
+- name: Remove cron-apt configs
-  ansible.builtin.copy: src={{ item.src }} dest={{ item.dest }} mode={{ item.mode }} owner={{ item.owner }} group={{ item.group }}
+  ansible.builtin.file:
    path: "{{ item }}"
    state: absent
  loop:
-    - { src: 'etc/cron-apt/config', dest: '/etc/cron-apt/config', mode: '0644', owner: 'root', group: 'root' }
+    - /etc/cron-apt/config
-    - { src: 'etc/cron-apt/3-download', dest: '/etc/cron-apt/action.d/3-download', mode: '0644', owner: 'root', group: 'root' }
+    - /etc/cron-apt/action.d/3-download
-
+    - /etc/apt/security.sources.list
 - name: Configure cron-apt (security)
  ansible.builtin.template: src=security.sources.list.j2 dest=/etc/apt/security.sources.list mode=0644 owner=root group=root
 # vim: set ts=2 sw=2:
--- a/roles/common/tasks/fail2ban.yml
+++ b/roles/common/tasks/fail2ban.yml
@ -1,21 +1,32 @@
 ---
 - name: Install fail2ban
  when:
    - ansible_distribution_major_version is version('11', '>=')
  ansible.builtin.package:
    name:
      - fail2ban
      - python3-systemd
    state: present
    cache_valid_time: 3600
 - name: Configure fail2ban sshd filter
  ansible.builtin.template:
    src: etc/fail2ban/jail.d/sshd.local.j2
    dest: /etc/fail2ban/jail.d/sshd.local
    owner: root
-    mode: 0644
+    mode: "0644"
  notify: restart fail2ban
 - name: Configure fail2ban nginx filter
  when:
    - webserver is defined and webserver == 'nginx'
    - extra_fail2ban_filters is defined
    - "'nginx' in extra_fail2ban_filters"
  ansible.builtin.template:
    src: etc/fail2ban/jail.d/nginx.local.j2
    dest: /etc/fail2ban/jail.d/nginx.local
    owner: root
-    mode: 0644
+    mode: "0644"
  notify: restart fail2ban
 - name: Create fail2ban service override directory
@ -23,7 +34,7 @@
    path: /etc/systemd/system/fail2ban.service.d
    state: directory
    owner: root
-    mode: 0755
+    mode: "0755"
 # See Arch Linux's example: https://wiki.archlinux.org/index.php/Fail2ban
 - name: Configure fail2ban service override
@ -31,7 +42,7 @@
    src: etc/systemd/system/fail2ban.service.d/override.conf.j2
    dest: /etc/systemd/system/fail2ban.service.d/override.conf
    owner: root
-    mode: 0644
+    mode: "0644"
  notify:
    - reload systemd
    - restart fail2ban
--- a/roles/common/tasks/firewall.yml
+++ b/roles/common/tasks/firewall.yml
@ -0,0 +1,20 @@
 ---
 - name: Configure firewall (Debian)
  when: ansible_distribution == 'Debian'
  ansible.builtin.include_tasks:
    file: firewall_Debian.yml
    apply:
      tags:
        - firewall
  tags: firewall
 - name: Configure firewall (Ubuntu)
  when: ansible_distribution == 'Ubuntu'
  ansible.builtin.include_tasks:
    file: firewall_Ubuntu.yml
    apply:
      tags:
        - firewall
  tags: firewall
--- a/roles/common/tasks/firewall_Debian.yml
+++ b/roles/common/tasks/firewall_Debian.yml
@ -1,84 +1,28 @@
 ---
-# Debian 11 will use nftables directly, with no firewalld.
+# Debian 11+ will use nftables directly, with no firewalld.
- block:
+- name: Install Debian firewall packages
  - name: Set Debian firewall packages
  when: ansible_distribution_major_version is version('11', '>=')
-    ansible.builtin.set_fact:
+  ansible.builtin.package:
-      debian_firewall_packages:
+    name:
        - fail2ban
      - libnet-ip-perl # for aggregate-cidr-addresses.pl
      - nftables
        - python3-systemd
      - curl # for nftables update scripts
    state: present
    cache_valid_time: 3600
-  - name: Install firewall packages
+- name: Remove iptables on newer Debian
    ansible.builtin.apt: pkg={{ debian_firewall_packages }} state=present cache_valid_time=3600
  - name: Remove iptables on newer Debian
  when: ansible_distribution_major_version is version('11', '>=')
-    ansible.builtin.apt: pkg=iptables state=absent
+  ansible.builtin.apt:
    pkg: iptables
    state: absent
-  - name: Copy nftables.conf
+- name: Configure nftables
-    when: ansible_distribution_major_version is version('11', '>=')
+  ansible.builtin.include_tasks: nftables.yml
    ansible.builtin.template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
    notify:
      - restart nftables
      - restart fail2ban
  - name: Create /etc/nftables extra config directory
    when: ansible_distribution_major_version is version('11', '>=')
    ansible.builtin.file: path=/etc/nftables state=directory owner=root mode=0755
  - name: Copy extra nftables configuration files
    when: ansible_distribution_major_version is version('11', '>=')
    ansible.builtin.copy: src={{ item.src }} dest=/etc/nftables/{{ item.src }} owner=root group=root mode=0644 force={{ item.force }}
    loop:
      - { src: "spamhaus-ipv4.nft", force: "no" }
      - { src: "spamhaus-ipv6.nft", force: "no" }
      - { src: "abusech-ipv4.nft", force: "no" }
      - { src: "abuseipdb-ipv4.nft", force: "yes" }
      - { src: "abuseipdb-ipv6.nft", force: "yes" }
    notify:
      - restart nftables
      - restart fail2ban
  - name: Copy Spamhaus nftables update scripts
  when: ansible_distribution_version is version('11', '>=')
    ansible.builtin.copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=0755 owner=root group=root
    loop:
      - update-spamhaus-nftables.sh
      - aggregate-cidr-addresses.pl
      - update-abusech-nftables.sh
-  - name: Copy nftables systemd units
+- ansible.builtin.include_tasks: fail2ban.yml
-    when: ansible_distribution_version is version('11', '>=')
+  when:
-    ansible.builtin.copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
+    - ansible_distribution_major_version is version('9', '>=')
    loop:
        - update-spamhaus-nftables.service
        - update-spamhaus-nftables.timer
        - update-abusech-nftables.service
        - update-abusech-nftables.timer
    register: nftables_systemd_units
  # need to reload to pick up service/timer/environment changes
  - name: Reload systemd daemon
    ansible.builtin.systemd: daemon_reload=true
    when: nftables_systemd_units is changed
  - name: Start and enable nftables update timers
    when: ansible_distribution_version is version('11', '>=')
    ansible.builtin.systemd: name={{ item }} state=started enabled=true
    loop:
      - update-spamhaus-nftables.timer
      - update-abusech-nftables.timer
  - name: Start and enable nftables
    when: ansible_distribution_major_version is version('11', '>=')
    ansible.builtin.systemd: name=nftables state=started enabled=true
  - ansible.builtin.include_tasks: fail2ban.yml
    when: ansible_distribution_major_version is version('9', '>=')
  tags: firewall
 # vim: set sw=2 ts=2:
--- a/roles/common/tasks/firewall_Ubuntu.yml
+++ b/roles/common/tasks/firewall_Ubuntu.yml
@ -1,84 +1,27 @@
 ---
 # Ubuntu 20.04 will use nftables directly, with no firewalld.
- block:
+- name: Install Ubuntu firewall packages
  - name: Set Ubuntu firewall packages
  when: ansible_distribution_version is version('20.04', '>=')
-    ansible.builtin.set_fact:
+  ansible.builtin.package:
-      ubuntu_firewall_packages:
+    name:
        - fail2ban
      - libnet-ip-perl # for aggregate-cidr-addresses.pl
      - nftables
        - python3-systemd
      - curl # for nftables update scripts
    state: present
    cache_valid_time: 3600
-  - name: Install firewall packages
+- name: Remove ufw
-    ansible.builtin.apt: pkg={{ ubuntu_firewall_packages }} state=present cache_valid_time=3600
+  ansible.builtin.package:
    name: ufw
    state: absent
-  - name: Remove ufw
+- name: Configure nftables
-    when: ansible_distribution_version is version('16.04', '>=')
+  ansible.builtin.include_tasks: nftables.yml
    ansible.builtin.apt: pkg=ufw state=absent
  - name: Copy nftables.conf
  when: ansible_distribution_version is version('20.04', '>=')
    ansible.builtin.template: src=nftables.conf.j2 dest=/etc/nftables.conf owner=root mode=0644
    notify:
      - restart nftables
      - restart fail2ban
-  - name: Create /etc/nftables extra config directory
+- ansible.builtin.include_tasks: fail2ban.yml
-    when: ansible_distribution_version is version('20.04', '>=')
+  when:
-    ansible.builtin.file: path=/etc/nftables state=directory owner=root mode=0755
+    - ansible_distribution_version is version('16.04', '>=')
  - name: Copy extra nftables configuration files
    when: ansible_distribution_version is version('20.04', '>=')
    ansible.builtin.copy: src={{ item.src }} dest=/etc/nftables/{{ item.src }} owner=root group=root mode=0644 force={{ item.force }}
    loop:
      - { src: "spamhaus-ipv4.nft", force: "no" }
      - { src: "spamhaus-ipv6.nft", force: "no" }
      - { src: "abusech-ipv4.nft", force: "no" }
      - { src: "abuseipdb-ipv4.nft", force: "yes" }
      - { src: "abuseipdb-ipv6.nft", force: "yes" }
    notify:
      - restart nftables
      - restart fail2ban
  - name: Copy nftables update scripts
    when: ansible_distribution_version is version('20.04', '>=')
    ansible.builtin.copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=0755 owner=root group=root
    loop:
      - update-spamhaus-nftables.sh
      - aggregate-cidr-addresses.pl
      - update-abusech-nftables.sh
  - name: Copy nftables systemd units
    when: ansible_distribution_version is version('20.04', '>=')
    ansible.builtin.copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
    loop:
        - update-spamhaus-nftables.service
        - update-spamhaus-nftables.timer
        - update-abusech-nftables.service
        - update-abusech-nftables.timer
    register: nftables_systemd_units
  # need to reload to pick up service/timer/environment changes
  - name: Reload systemd daemon
    ansible.builtin.systemd: daemon_reload=true
    when: nftables_systemd_units is changed
  - name: Start and enable nftables update timers
    when: ansible_distribution_version is version('20.04', '>=')
    ansible.builtin.systemd: name={{ item }} state=started enabled=true
    loop:
      - update-spamhaus-nftables.timer
      - update-abusech-nftables.timer
  - name: Start and enable nftables
    when: ansible_distribution_version is version('20.04', '>=')
    ansible.builtin.systemd: name=nftables state=started enabled=true
  - ansible.builtin.include_tasks: fail2ban.yml
    when: ansible_distribution_version is version('16.04', '>=')
  tags: firewall
 # vim: set sw=2 ts=2:
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -1,6 +1,6 @@
 ---
 - name: Import OS-specific variables
-  ansible.builtin.include_vars: "vars/{{ ansible_distribution }}.yml"
+  ansible.builtin.include_vars: vars/{{ ansible_distribution }}.yml
  tags: always
 - name: Configure network time
@ -18,13 +18,7 @@
  tags: packages
 - name: Configure firewall
-  ansible.builtin.include_tasks: firewall_Debian.yml
+  ansible.builtin.import_tasks: firewall.yml
  when: ansible_distribution == 'Debian'
  tags: firewall
 - name: Configure firewall
  ansible.builtin.include_tasks: firewall_Ubuntu.yml
  when: ansible_distribution == 'Ubuntu'
  tags: firewall
 - name: Configure secure shell daemon
--- a/roles/common/tasks/nftables.yml
+++ b/roles/common/tasks/nftables.yml
@ -0,0 +1,97 @@
 ---
 # Common nftables tasks for Ubuntu 20.04, Ubuntu 22.04, Ubuntu 24.04, Debian 11,
 # and Debian 12.
 - name: Copy nftables.conf
  ansible.builtin.template:
    src: nftables.conf.j2
    dest: /etc/nftables.conf
    owner: root
    mode: "0644"
  notify:
    - restart nftables
    - restart fail2ban
 - name: Create /etc/nftables extra config directory
  ansible.builtin.file:
    path: /etc/nftables
    state: directory
    owner: root
    mode: "0755"
 - name: Copy extra nftables configuration files
  ansible.builtin.copy:
    src: "{{ item.src }}"
    dest: /etc/nftables/{{ item.src }}
    owner: root
    group: root
    mode: "0644"
    force: "{{ item.force }}"
  loop:
    - { src: firehol_level1-ipv4.nft, force: false }
  notify:
    - restart nftables
    - restart fail2ban
 - name: Copy nftables update scripts
  ansible.builtin.template:
    src: update-firehol-nftables.sh.j2
    dest: /usr/local/bin/update-firehol-nftables.sh
    mode: "0755"
    owner: root
    group: root
 - name: Remove deprecated data and scripts
  ansible.builtin.file:
    path: "{{ item }}"
    state: absent
  loop:
    - /etc/nftables/spamhaus-ipv4.nft
    - /etc/nftables/spamhaus-ipv6.nft
    - /etc/nftables/abuseipdb-ipv4.nft
    - /etc/nftables/abuseipdb-ipv6.nft
    - /etc/nftables/abusech-ipv4.nft
    - /usr/local/bin/update-abusech-nftables.sh
    - /usr/local/bin/update-spamhaus-nftables.sh
    - /etc/systemd/system/update-abusech-nftables.service
    - /etc/systemd/system/update-abusech-nftables.timer
    - /etc/systemd/system/update-spamhaus-nftables.service
    - /etc/systemd/system/update-spamhaus-nftables.timer
    - /usr/local/bin/aggregate-cidr-addresses.pl
  notify:
    - restart nftables
    - restart fail2ban
 - name: Copy nftables systemd units
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: /etc/systemd/system/{{ item }}
    mode: "0644"
    owner: root
    group: root
  loop:
    - update-firehol-nftables.service
    - update-firehol-nftables.timer
  register: nftables_systemd_units
 # need to reload to pick up service/timer/environment changes
 - name: Reload systemd daemon
  ansible.builtin.systemd: # noqa no-handler
    daemon_reload: true
  when: nftables_systemd_units is changed
 - name: Start and enable nftables update timers
  ansible.builtin.systemd:
    name: "{{ item }}"
    state: started
    enabled: true
  loop:
    - update-firehol-nftables.timer
 - name: Start and enable nftables
  ansible.builtin.systemd:
    name: nftables
    state: started
    enabled: true
 # vim: set sw=2 ts=2:
--- a/roles/common/tasks/ntp.yml
+++ b/roles/common/tasks/ntp.yml
@ -4,16 +4,19 @@
 # client.
 - name: Set timezone
-  when: timezone is defined and ansible_service_mgr == 'systemd'
+  when:
-  command: /usr/bin/timedatectl set-timezone {{ timezone }}
+    - timezone is defined
    - ansible_service_mgr == 'systemd'
  community.general.timezone:
    name: "{{ timezone }}"
  tags: timezone
 # Apparently some cloud images don't have this installed by default. From what
 # I can see on existing servers, systemd-timesyncd is a standalone package on
 # Ubuntu 20.04 and Debian 11.
 - name: Install systemd-timesyncd
-  when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or
+  when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version
-        (ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '=='))
+    is version('11', '>='))
  ansible.builtin.apt: name=systemd-timesyncd state=present cache_valid_time=3600
 - name: Start and enable systemd's NTP client
--- a/roles/common/tasks/packages_Debian.yml
+++ b/roles/common/tasks/packages_Debian.yml
@ -1,23 +1,17 @@
 ---
 - name: Configure Debian packages
  block:
-    # Create directory for third-party package signing keys. Required on distros
+    # Scaleway seems to use a weird sources.list format as of Debian 12?
-    # older than Debian 12 / Ubuntu 22.04.
+    - name: Check for weird Debian sources
-    #
+      ansible.builtin.stat:
-    # See: https://wiki.debian.org/DebianRepository/UseThirdParty
+        path: /etc/apt/sources.list.d/debian.sources
-    - name: Create /etc/apt/keyrings
+      register: weird_debian_sources_stat
      file:
        path: /etc/apt/keyrings
        mode: 0755
        owner: root
        group: root
        state: directory
      when: ansible_distribution_major_version is version('12', '<')
    - name: Configure apt mirror
      ansible.builtin.template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
-      when: ansible_architecture != 'armv7l'
+      when:
        - ansible_architecture != 'armv7l'
        - not weird_debian_sources_stat
    - name: Set fact for base packages
      ansible.builtin.set_fact:
@ -28,7 +22,6 @@
          - iotop
          - htop
          - strace
          - cron-apt
          - safe-rm
          - debian-goodies
          - mosh
@ -40,11 +33,12 @@
          - zstd
          - rsync
          - lsof
          - unattended-upgrades
    - name: Install base packages
      ansible.builtin.apt: name={{ base_packages }} state=present cache_valid_time=3600
-    - name: Configure cron-apt
+    - name: Remove cron-apt
      ansible.builtin.import_tasks: cron-apt.yml
      tags: cron-apt
--- a/roles/common/tasks/packages_Ubuntu.yml
+++ b/roles/common/tasks/packages_Ubuntu.yml
@ -1,20 +1,6 @@
 ---
 - name: Configure Ubuntu packages
  block:
    # Create directory for third-party package signing keys. Required on distros
    # older than Debian 12 / Ubuntu 22.04.
    #
    # See: https://wiki.debian.org/DebianRepository/UseThirdParty
    - name: Create /etc/apt/keyrings
      file:
        path: /etc/apt/keyrings
        mode: 0755
        owner: root
        group: root
        state: directory
      when: ansible_distribution_major_version is version('22.04', '<')
    - name: Configure apt mirror
      ansible.builtin.template: src=sources.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
      when: ansible_architecture != 'armv7l'
@ -46,38 +32,6 @@
    - name: Install base packages
      ansible.builtin.apt: pkg={{ ubuntu_base_packages }} state=present cache_valid_time=3600
    # We have to remove snaps one by one in a specific order because some depend
    # on others. Only after that can we remove the corresponding system packages.
    - name: Remove lxd snap
      community.general.snap: name=lxd state=absent
      when: ansible_distribution_version is version('20.04', '==')
      ignore_errors: true
    - name: Remove core18 snap
      community.general.snap: name=core18 state=absent
      when: ansible_distribution_version is version('20.04', '==')
      ignore_errors: true
    - name: Remove snapd snap
      community.general.snap: name=snapd state=absent
      when: ansible_distribution_version is version('20.04', '==')
      ignore_errors: true
    - name: Set fact for packages to remove (Ubuntu 20.04)
      ansible.builtin.set_fact:
        ubuntu_annoying_packages:
          - whoopsie # security (CIS 4.1)
          - apport   # security (CIS 4.1)
          - command-not-found # annoying
          - command-not-found-data # annoying
          - python3-commandnotfound # annoying
          - snapd # annoying (Ubuntu >= 16.04)
          - lxd-agent-loader # annoying (Ubuntu 20.04)
      when: ansible_distribution_version is version('20.04', '==')
    - name: Remove packages
      ansible.builtin.apt: name={{ ubuntu_annoying_packages }} state=absent purge=true
    - name: Disable annoying Canonical spam in MOTD
      ansible.builtin.file: path={{ item }} mode=0644 state=absent
      loop:
--- a/roles/common/tasks/ssh-keys.yml
+++ b/roles/common/tasks/ssh-keys.yml
@ -3,7 +3,7 @@
  ansible.builtin.file: dest={{ provisioning_user.home }}/.ssh/authorized_keys state=absent
 - name: Add public keys to authorized_keys
-  ansible.posix.authorized_key: { user: '{{ provisioning_user.name }}', key: "{{ lookup('file',item) }}" }
+  ansible.posix.authorized_key: { user: "{{ provisioning_user.name }}", key: "{{ lookup('file',item) }}" }
  with_fileglob:
    # use descriptive names for keys, like: aorth-mzito-rsa.pub
    - ssh-pub-keys/*.pub
--- a/roles/common/tasks/sshd.yml
+++ b/roles/common/tasks/sshd.yml
@ -1,8 +1,8 @@
 ---
 # SSH configs don't change in Debian minor versions
 - name: Reconfigure /etc/ssh/sshd_config
-  ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root mode=0600
+  ansible.builtin.template: src=sshd_config_{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.j2 dest=/etc/ssh/sshd_config owner=root group=root
    mode=0600
  when: ansible_distribution == 'Debian'
  notify: reload sshd
--- a/roles/common/tasks/tarsnap.yml
+++ b/roles/common/tasks/tarsnap.yml
@ -1,24 +1,45 @@
 ---
- name: Add Tarsnap apt mirror
+- name: Check tarsnap apt signing key
-  ansible.builtin.template: src=tarsnap_sources.list.j2 dest=/etc/apt/sources.list.d/tarsnap.list owner=root group=root mode=0644
+  ansible.builtin.stat:
    path: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
  register: tarsnap_signing_key_stat
 - name: Download tarsnap apt signing key
  ansible.builtin.get_url:
    url: https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc
    dest: /etc/apt/keyrings/tarsnap-deb-packaging-key.asc
    owner: root
    group: root
    mode: "0644"
  register: download_tarsnap_signing_key
  when: not tarsnap_signing_key_stat.stat.exists
 - name: Add tarsnap.org repo
  ansible.builtin.template:
    src: tarsnap_sources.list.j2
    dest: /etc/apt/sources.list.d/tarsnap.list
    owner: root
    group: root
    mode: "0644"
  register: add_tarsnap_apt_repository
  when: ansible_architecture != 'armv7l'
 - name: Add GPG key for Tarsnap
  ansible.builtin.apt_key: id=0xBF75EEAB040E447C url=https://pkg.tarsnap.com/tarsnap-deb-packaging-key.asc state=present
  register: add_tarsnap_apt_key
 - name: Update apt cache
-  ansible.builtin.apt:
+  ansible.builtin.apt: # noqa no-handler
    update_cache: true
-  when:
+  when: (download_tarsnap_signing_key.status_code is defined and download_tarsnap_signing_key.status_code == 200) or add_tarsnap_apt_repository is changed
    add_tarsnap_apt_key is changed or
    add_tarsnap_apt_repository is changed
 - name: Install tarsnap
-  ansible.builtin.apt: pkg=tarsnap cache_valid_time=3600
+  ansible.builtin.apt:
    pkg: tarsnap
    cache_valid_time: 3600
 - name: Copy tarsnaprc
-  ansible.builtin.copy: src=tarsnaprc dest=/root/.tarsnaprc owner=root group=root mode=0600
+  ansible.builtin.copy:
    src: tarsnaprc
    dest: /root/.tarsnaprc
    owner: root
    group: root
    mode: "0600"
 # vim: set sw=2 ts=2:
--- a/roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
+++ b/roles/common/templates/etc/systemd/system/fail2ban.service.d/override.conf.j2
@ -1,3 +1,7 @@
 [Unit]
 # If nftables is stopped or restarted, propagate to fail2ban as well
 PartOf=nftables.service
 [Service]
 PrivateDevices=yes
 PrivateTmp=yes
--- a/roles/common/templates/nftables.conf.j2
+++ b/roles/common/templates/nftables.conf.j2
@ -5,47 +5,18 @@
 flush ruleset
-# Lists updated daily by update-spamhaus-nftables.sh
+# List updated daily by update-firehol-nftables.sh
-include "/etc/nftables/spamhaus-ipv4.nft"
+include "/etc/nftables/firehol_level1-ipv4.nft"
 include "/etc/nftables/spamhaus-ipv6.nft"
 # Lists updated monthly (manually)
 include "/etc/nftables/abuseipdb-ipv4.nft"
 include "/etc/nftables/abuseipdb-ipv6.nft"
 # Lists updated daily by update-abusech-nftables.sh
 include "/etc/nftables/abusech-ipv4.nft"
 # Notes:
 #   - tables hold chains, chains hold rules
 #   - inet is for both ipv4 and ipv6
 table inet filter {
-    set spamhaus-ipv4 {
+    set firehol_level1-ipv4 {
        type ipv4_addr
        # if the set contains prefixes we need to use the interval flag
        flags interval
-        elements = $SPAMHAUS_IPV4
+        elements = $FIREHOL_LEVEL1_IPV4
    }
    set spamhaus-ipv6 {
        type ipv6_addr
        flags interval
        elements = $SPAMHAUS_IPV6
    }
    set abusech-ipv4 {
        type ipv4_addr
        elements = $ABUSECH_IPV4
    }
    set abuseipdb-ipv4 {
        type ipv4_addr
        elements = $ABUSEIPDB_IPV4
    }
    set abuseipdb-ipv6 {
        type ipv6_addr
        elements = $ABUSEIPDB_IPV6
    }
    chain input {
@ -55,13 +26,7 @@ table inet filter {
        ct state invalid counter drop comment "Early drop of invalid connections"
-        ip saddr @spamhaus-ipv4 counter drop comment "Early drop of incoming packets matching spamhaus-ipv4 list"
+        ip saddr @firehol_level1-ipv4 counter drop comment "Early drop of incoming packets matching firehol_level1-ipv4 list"
        ip6 saddr @spamhaus-ipv6 counter drop comment "Early drop of incoming packets matching spamhaus-ipv6 list"
        ip saddr @abusech-ipv4 counter drop comment "Early drop of packets matching abusech-ipv4 list"
        ip saddr @abuseipdb-ipv4 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv4 list"
        ip6 saddr @abuseipdb-ipv6 counter drop comment "Early drop of incoming packets matching abuseipdb-ipv6 list"
        iifname lo accept comment "Allow from loopback"
@ -105,12 +70,6 @@ table inet filter {
    chain output {
        type filter hook output priority 0;
-        ip daddr @spamhaus-ipv4 counter drop comment "Drop outgoing packets matching spamhaus-ipv4 list"
+        ip daddr @firehol_level1-ipv4 counter drop comment "Drop outgoing packets matching firehol_level1-ipv4 list"
        ip6 daddr @spamhaus-ipv6 counter drop comment "Drop outgoing packets matching spamhaus-ipv6 list"
        ip daddr @abusech-ipv4 counter drop comment "Drop outgoing packets matching abusech-ipv4 list"
        ip daddr @abuseipdb-ipv4 counter drop comment "Drop outgoing packets matching abuseipdb-ipv4 list"
        ip6 daddr @abuseipdb-ipv6 counter drop comment "Drop outgoing packets matching abuseipdb-ipv6 list"
    }
 }
--- a/roles/common/templates/security.sources.list.j2
+++ b/roles/common/templates/security.sources.list.j2
@ -1,5 +0,0 @@
 {% if ansible_distribution == 'Ubuntu' %}
 deb http://security.ubuntu.com/ubuntu {{ ansible_distribution_release }}-security main restricted universe multiverse
 {% elif ansible_distribution == 'Debian' %}
 deb http://security.debian.org/debian-security {{ ansible_distribution_release }}/updates main contrib non-free
 {% endif %}
--- a/roles/common/templates/sshd_config_Debian-11.j2
+++ b/roles/common/templates/sshd_config_Debian-11.j2
@ -56,7 +56,11 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #IgnoreRhosts yes
 # To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+{% if ssh_password_authentication == 'disabled' %}
 PasswordAuthentication no
 {% else %}
 PasswordAuthentication yes
 {% endif %}
 #PermitEmptyPasswords no
 # Change to yes to enable challenge-response passwords (beware issues with
@ -131,8 +135,7 @@ Subsystem	sftp	/usr/lib/openssh/sftp-server
 # See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
-KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
+KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
 {% if ssh_allowed_users is defined and ssh_allowed_users %}
 # Is there a list of allowed users?
--- a/roles/common/templates/sshd_config_Debian-12.j2
+++ b/roles/common/templates/sshd_config_Debian-12.j2
@ -0,0 +1,146 @@
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
 # This sshd was compiled with PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
 # The strategy used for options in the default sshd_config shipped with
 # OpenSSH is to specify options with their default value where
 # possible, but leave them commented.  Uncommented options override the
 # default value.
 Include /etc/ssh/sshd_config.d/*.conf
 #Port 22
 #AddressFamily any
 #ListenAddress 0.0.0.0
 #ListenAddress ::
 #HostKey /etc/ssh/ssh_host_rsa_key
 #HostKey /etc/ssh/ssh_host_ecdsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
 # Ciphers and keying
 #RekeyLimit default none
 # Logging
 #SyslogFacility AUTH
 # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
 LogLevel VERBOSE
 # Authentication:
 #LoginGraceTime 2m
 PermitRootLogin prohibit-password
 #StrictModes yes
 MaxAuthTries 4
 #MaxSessions 10
 #PubkeyAuthentication yes
 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
 # but this is overridden so installations will only check .ssh/authorized_keys
 AuthorizedKeysFile	.ssh/authorized_keys
 #AuthorizedPrincipalsFile none
 #AuthorizedKeysCommand none
 #AuthorizedKeysCommandUser nobody
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #HostbasedAuthentication no
 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # HostbasedAuthentication
 #IgnoreUserKnownHosts no
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
 # To disable tunneled clear text passwords, change to no here!
 {% if ssh_password_authentication == 'disabled' %}
 PasswordAuthentication no
 {% else %}
 PasswordAuthentication yes
 {% endif %}
 #PermitEmptyPasswords no
 # Change to yes to enable challenge-response passwords (beware issues with
 # some PAM modules and threads)
 KbdInteractiveAuthentication no
 # Kerberos options
 #KerberosAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #KerberosGetAFSToken no
 # GSSAPI options
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
 #GSSAPIStrictAcceptorCheck yes
 #GSSAPIKeyExchange no
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
 # be allowed through the KbdInteractiveAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
 # PAM authentication via KbdInteractiveAuthentication may bypass
 # the setting of "PermitRootLogin prohibit-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and KbdInteractiveAuthentication to 'no'.
 UsePAM yes
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
 X11Forwarding no
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PermitTTY yes
 PrintMotd no
 #PrintLastLog yes
 #TCPKeepAlive yes
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
 #UseDNS no
 #PidFile /run/sshd.pid
 #MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none
 #VersionAddendum none
 # no default banner path
 #Banner none
 # Allow client to pass locale environment variables
 AcceptEnv LANG LC_*
 # override default of no subsystems
 Subsystem	sftp	/usr/lib/openssh/sftp-server
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 #	X11Forwarding no
 #	AllowTcpForwarding no
 #	PermitTTY no
 #	ForceCommand cvs server
 # Based on the ssh-audit profile for OpenSSH 9.2, but with but with all algos
 # with less than 256 bits removed, as NSA's Suite B removed them years ago and
 # the new (2018) CNSA suite is 256 bits and up.
 #
 # See: https://github.com/jtesta/ssh-audit/blob/master/src/ssh_audit/policy.py
 # See: https://en.wikipedia.org/wiki/Commercial_National_Security_Algorithm_Suite
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
 KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
 {% if ssh_allowed_users is defined and ssh_allowed_users %}
 # Is there a list of allowed users?
 # Is it populated? (An empty list is 'None', which evaluates as False in Python)
 # merge the items of a list into one string using a space as a separator
 # http://jinja.pocoo.org/docs/dev/templates/#join
 AllowUsers {{ ssh_allowed_users|join(" ") }} {{ provisioning_user.name }}
 {% endif %}
--- a/roles/common/templates/sshd_config_Ubuntu-20.04.j2
+++ b/roles/common/templates/sshd_config_Ubuntu-20.04.j2
@ -56,7 +56,11 @@ AuthorizedKeysFile	.ssh/authorized_keys
 #IgnoreRhosts yes
 # To disable tunneled clear text passwords, change to no here!
-#PasswordAuthentication yes
+{% if ssh_password_authentication == 'disabled' %}
 PasswordAuthentication no
 {% else %}
 PasswordAuthentication yes
 {% endif %}
 #PermitEmptyPasswords no
 # Change to yes to enable challenge-response passwords (beware issues with
@ -122,7 +126,6 @@ Subsystem sftp	/usr/lib/openssh/sftp-server
 #	AllowTcpForwarding no
 #	PermitTTY no
 #	ForceCommand cvs server
 PasswordAuthentication yes
 # Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html
 # ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now
--- a/roles/common/templates/tarsnap_sources.list.j2
+++ b/roles/common/templates/tarsnap_sources.list.j2
@ -1 +1 @@
-deb [arch=amd64] https://pkg.tarsnap.com/deb/{{ ansible_distribution_release }} ./
+deb [arch=amd64 signed-by=/etc/apt/keyrings/tarsnap-deb-packaging-key.asc] https://pkg.tarsnap.com/deb/{{ ansible_distribution_release }} ./
--- a/roles/common/templates/update-firehol-nftables.sh.j2
+++ b/roles/common/templates/update-firehol-nftables.sh.j2
@ -0,0 +1,65 @@
 #!/usr/bin/env bash
 #
 # update-firehol-nftables.sh v0.0.1
 #
 # Download FireHOL lists and load them into nftables sets.
 # 
 # See: https://iplists.firehol.org/
 #
 # Copyright (C) 2025 Alan Orth
 #
 # SPDX-License-Identifier: GPL-3.0-only
 # Exit on first error
 set -o errexit
 firehol_level1_ipv4_set_path=/etc/nftables/firehol_level1-ipv4.nft
 function download() {
    echo "Downloading $1"
    wget -q -O - "https://iplists.firehol.org/files/$1" > "$1"
 }
 download firehol_level1.netset
 if [[ -f "firehol_level1.netset" ]]; then
    echo "Processing FireHOL Level 1 list"
    firehol_level1_ipv4_list_temp=$(mktemp)
    firehol_level1_ipv4_set_temp=$(mktemp)
    # Filter blank lines, comments, and bogons we use inside the LAN, DMZ, and
    # for local services like systemd-resolved and others on localhost. Ideally
    # these are blocked already at the WAN side by network administrators.
    cat firehol_level1.netset \
        | sed \
            -e '/^$/d' \
            -e '/^#.*/d' \
            -e '/^127\.0\.0\.0\/8/d' \
        > "$firehol_level1_ipv4_list_temp"
    echo "Building firehol_level1-ipv4 set"
    cat << NFT_HEAD > "$firehol_level1_ipv4_set_temp"
 #!/usr/sbin/nft -f
 define FIREHOL_LEVEL1_IPV4 = {
 NFT_HEAD
    while read -r network; do
        # nftables doesn't mind if the last element in the set has a trailing
        # comma so we don't need to do anything special here.
        echo "$network," >> "$firehol_level1_ipv4_set_temp"
    done < $firehol_level1_ipv4_list_temp
    echo "}" >> "$firehol_level1_ipv4_set_temp"
    install -m 0600 "$firehol_level1_ipv4_set_temp" "$firehol_level1_ipv4_set_path"
    rm -f "$firehol_level1_ipv4_list_temp" "$firehol_level1_ipv4_set_temp"
 fi
 echo "Restarting nftables"
 /usr/bin/systemctl restart nftables.service
 rm -v firehol_level1.netset
--- a/roles/mariadb/tasks/main.yml
+++ b/roles/mariadb/tasks/main.yml
@ -1,7 +1,7 @@
 ---
 - name: Remove MariaDB key from apt-key
  ansible.builtin.apt_key:
-    id: 0x177F4010FE56CA3336300305F1656F24C74CD1D8
+    id: "013577200103762554506315430003013705453362230723150730"
    state: absent
  tags:
    - packages
@ -21,16 +21,17 @@
    dest: /etc/apt/keyrings/mariadb_release_signing_key.asc
    owner: root
    group: root
-    mode: 0644
+    mode: "0644"
  register: download_mariadb_signing_key
  when: not mariadb_signing_key_stat.stat.exists
  tags:
    - packages
    - mariadb
- name: Add MariaDB 10.6 repo
+- name: Add MariaDB 10.11 repo
  ansible.builtin.apt_repository:
-    repo: 'deb [arch=amd64 signed-by=/etc/apt/keyrings/mariadb_release_signing_key.asc] https://dlm.mariadb.com/repo/mariadb-server/10.6/repo/debian {{ ansible_distribution_release }} main'
+    repo: deb [arch=amd64 signed-by=/etc/apt/keyrings/mariadb_release_signing_key.asc] https://dlm.mariadb.com/repo/mariadb-server/10.11/repo/debian {{ ansible_distribution_release
      }} main
    filename: mariadb
    state: present
  register: add_mariadb_apt_repository
@ -41,16 +42,14 @@
 - name: Update apt cache
  ansible.builtin.apt: # noqa no-handler
    update_cache: true
-  when:
+  when: (download_mariadb_signing_key.status_code is defined and download_mariadb_signing_key.status_code == 200) or add_mariadb_apt_repository is changed
    (download_mariadb_signing_key.status_code is defined and download_mariadb_signing_key.status_code == 200) or
    add_mariadb_apt_repository is changed
  tags:
    - packages
    - mariadb
 - name: Install mariadb-server
  ansible.builtin.apt:
-    name: ['mariadb-server', 'python3-pymysql']
+    name: [mariadb-server, python3-pymysql]
    state: present
    cache_valid_time: 3600
  tags: mariadb, packages
@ -61,7 +60,7 @@
    dest: /etc/mysql/my.cnf
    owner: root
    group: root
-    mode: 0644
+    mode: "0644"
  notify:
    - restart mariadb
  tags: mariadb
@ -83,7 +82,7 @@
    src: .my.cnf.j2
    dest: /root/.my.cnf
    owner: root
-    mode: 0600
+    mode: "0600"
  tags: mariadb
 # See: https://docs.ansible.com/ansible/latest/collections/community/mysql/mysql_db_module.html
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@ -5,20 +5,20 @@
 nginx_confd_path: /etc/nginx/conf.d
 # parent directory of vhost roots
-nginx_root_prefix: /var/www
+nginx_root_prefix: "{{ web_root_prefix }}"
-# 1 hour timeout
+# 1 day timeout
-nginx_ssl_session_timeout: 1h
+nginx_ssl_session_timeout: 1d
 # 10MB -> 40,000 sessions
 nginx_ssl_session_cache: shared:SSL:10m
-# 1400 bytes to fit in one MTU (default is 16k!)
+nginx_ssl_buffer_size: 4k
 nginx_ssl_buffer_size: 1400
 nginx_ssl_dhparam: /etc/ssl/certs/dhparam.pem
-nginx_ssl_protocols: 'TLSv1.2 TLSv1.3'
+nginx_ssl_protocols: TLSv1.2 TLSv1.3
 nginx_ssl_ecdh_curve: X25519:prime256v1:secp384r1
 # DNS resolvers for OCSP stapling (default to Cloudflare public DNS)
 # See: https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_stapling
-nginx_ssl_stapling_resolver: '1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]'
+nginx_ssl_stapling_resolver: 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001]
 # HTTP Strict-Transport-Security header, recommended by Google to be ~1 year
 # in seconds, see: https://hstspreload.org/
@ -37,8 +37,8 @@ letsencrypt_root: /etc/ssl
 letsencrypt_acme_script_temp: /root/acme.sh
 letsencrypt_acme_home: /root/.acme.sh
-# stable is 1.20.x
+# stable is 1.26.x
-# mainline is 1.21.x
+# mainline is 1.27.x
 nginx_version: mainline
 # vim: set ts=2 sw=2:
--- a/roles/nginx/tasks/letsencrypt.yml
+++ b/roles/nginx/tasks/letsencrypt.yml
@ -1,5 +1,4 @@
 ---
 # Use acme.sh instead of certbot because they only support installation via
 # snap now.
 - block:
@ -25,7 +24,7 @@
      ansible.builtin.get_url:
        url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
        dest: "{{ letsencrypt_acme_script_temp }}"
-      mode: 0700
+        mode: "0700"
      register: acme_download
      when: not acme_home.stat.exists
@ -64,7 +63,7 @@
      ansible.builtin.template:
        src: renew-letsencrypt.service.j2
        dest: /etc/systemd/system/renew-letsencrypt.service
-      mode: 0644
+        mode: "0644"
        owner: root
        group: root
@ -72,7 +71,7 @@
      ansible.builtin.copy:
        src: renew-letsencrypt.timer
        dest: /etc/systemd/system/renew-letsencrypt.timer
-      mode: 0644
+        mode: "0644"
        owner: root
        group: root
@ -84,8 +83,8 @@
        enabled: true
        daemon_reload: true
-  when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '=='))
+  when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version
-        or (ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '=='))
+    is version('11', '>='))
  tags: letsencrypt
 # vim: set ts=2 sw=2:
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@ -1,33 +1,69 @@
 ---
- name: Add nginx.org apt signing key
+- name: Remove nginx apt signing key from apt-key
-  ansible.builtin.apt_key: id=0x573BFD6B3D8FBC641079A6ABABF5BD827BD9BF62 url=https://nginx.org/keys/nginx_signing.key state=present
+  ansible.builtin.apt_key:
-  register: add_nginx_apt_key
+    id: "053473772654754373614404074646527257655730117366337542"
-  tags: nginx, packages
+    state: absent
  tags:
    - packages
    - nginx
 - name: Download nginx apt signing key
  ansible.builtin.get_url:
    url: https://nginx.org/keys/nginx_signing.key
    dest: /usr/share/keyrings/nginx_signing.key
    owner: root
    group: root
    mode: "0644"
    checksum: sha256:55385da31d198fa6a5012d40ae98ecb272a6c4e8fffffba94719ffd3e87de37a
  register: download_nginx_signing_key
  tags:
    - packages
    - nginx
 - name: Add nginx.org repo
-  ansible.builtin.template: src=nginx_org_sources.list.j2 dest=/etc/apt/sources.list.d/nginx_org_sources.list owner=root group=root mode=0644
+  ansible.builtin.template:
    src: nginx_org_sources.list.j2
    dest: /etc/apt/sources.list.d/nginx_org_sources.list
    owner: root
    group: root
    mode: "0644"
  register: add_nginx_apt_repository
-  tags: nginx, packages
+  tags:
    - nginx
    - packages
 - name: Update apt cache
-  ansible.builtin.apt:
+  ansible.builtin.apt: # noqa no-handler
    update_cache: true
-  when:
+  when: (download_nginx_signing_key.status_code is defined and download_nginx_signing_key.status_code == 200) or add_nginx_apt_repository is changed
    add_nginx_apt_key is changed or
    add_nginx_apt_repository is changed
 - name: Install nginx
-  ansible.builtin.apt: pkg=nginx cache_valid_time=3600 state=present
+  ansible.builtin.apt:
-  tags: nginx, packages
+    pkg: nginx
    cache_valid_time: 3600
    state: present
  tags:
    - nginx
    - packages
 - name: Copy nginx.conf
-  ansible.builtin.template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf mode=0644 owner=root group=root
+  ansible.builtin.template:
    src: nginx.conf.j2
    dest: /etc/nginx/nginx.conf
    mode: "0644"
    owner: root
    group: root
  notify:
    - reload nginx
  tags: nginx
 - name: Copy extra nginx configs
-  ansible.builtin.copy: src={{ item }} dest=/etc/nginx/{{ item }} mode=0644 owner=root group=root
+  ansible.builtin.copy:
    src: "{{ item }}"
    dest: /etc/nginx/{{ item }}
    mode: "0644"
    owner: root
    group: root
  loop:
    - extra-security.conf
    - fastcgi_cache
@ -36,11 +72,18 @@
  tags: nginx
 - name: Remove default nginx vhost
-  ansible.builtin.file: path=/etc/nginx/conf.d/default.conf state=absent
+  ansible.builtin.file:
    path: /etc/nginx/conf.d/default.conf
    state: absent
  tags: nginx
 - name: Create fastcgi cache dir
-  ansible.builtin.file: path=/var/cache/nginx/cached/fastcgi state=directory owner=nginx group=nginx mode=0755
+  ansible.builtin.file:
    path: /var/cache/nginx/cached/fastcgi
    state: directory
    owner: nginx
    group: nginx
    mode: "0755"
  tags: nginx
 - name: Configure nginx virtual hosts
@ -54,19 +97,32 @@
  tags: wordpress
 - name: Configure blank nginx vhost
-  ansible.builtin.template: src=blank-vhost.conf.j2 dest={{ nginx_confd_path }}/blank-vhost.conf  mode=0644 owner=root group=root
+  ansible.builtin.template:
    src: blank-vhost.conf.j2
    dest: "{{ nginx_confd_path }}/blank-vhost.conf"
    mode: "0644"
    owner: root
    group: root
  notify:
    - reload nginx
  tags: nginx
 - name: Configure munin vhost
-  ansible.builtin.copy: src=munin.conf dest=/etc/nginx/conf.d/munin.conf mode=0644 owner=root group=root
+  ansible.builtin.copy:
    src: munin.conf
    dest: /etc/nginx/conf.d/munin.conf
    mode: "0644"
    owner: root
    group: root
  notify:
    - reload nginx
  tags: nginx
 - name: Start and enable nginx service
-  ansible.builtin.systemd: name=nginx state=started enabled=true
+  ansible.builtin.systemd:
    name: nginx
    state: started
    enabled: true
  tags: nginx
 - name: Configure Let's Encrypt
--- a/roles/nginx/tasks/vhosts.yml
+++ b/roles/nginx/tasks/vhosts.yml
@ -1,5 +1,4 @@
 ---
 - block:
    - name: Configure https vhosts
      ansible.builtin.template: src=vhost.conf.j2 dest={{ nginx_confd_path }}/{{ item.domain_name }}.conf mode=0644 owner=root group=root
@ -8,7 +7,8 @@
        - reload nginx
    - name: Generate self-signed TLS cert
-    ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
+      ansible.builtin.command: openssl req -x509 -nodes -sha256 -days 365 -subj "/C=SO/ST=SO/L=snakeoil/O=snakeoil/CN=snakeoil" -newkey rsa:2048 -keyout /etc/ssl/private/nginx-snakeoil.key
        -out /etc/ssl/certs/nginx-snakeoil.crt -extensions v3_ca creates=/etc/ssl/certs/nginx-snakeoil.crt
      notify:
        - reload nginx
--- a/roles/nginx/tasks/wordpress.yml
+++ b/roles/nginx/tasks/wordpress.yml
@ -1,8 +1,8 @@
 ---
 - block:
    - name: Install WordPress
-    ansible.builtin.git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version }} depth=1 force=true
+      ansible.builtin.git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version
        }} depth=1 force=true
      when:
        - item.has_wordpress is defined
        - item.has_wordpress
--- a/roles/nginx/templates/blank-vhost.conf.j2
+++ b/roles/nginx/templates/blank-vhost.conf.j2
@ -11,9 +11,11 @@ server {
    return 444;
 }
 server {
-    listen 443 ssl http2 default_server;
+    listen 443 ssl default_server;
-    listen [::]:443 ssl http2 default_server;
+    listen [::]:443 ssl default_server;
    http2 on;
    server_name _;
    # self-signed "snakeoil" certificate
--- a/roles/nginx/templates/https.j2
+++ b/roles/nginx/templates/https.j2
@ -27,8 +27,9 @@
    ssl_dhparam {{ nginx_ssl_dhparam }};
    ssl_protocols {{ nginx_ssl_protocols }};
    ssl_ecdh_curve {{ nginx_ssl_ecdh_curve }};
    ssl_ciphers "{{ tls_cipher_suite }}";
-    ssl_prefer_server_ciphers on;
+    ssl_prefer_server_ciphers off;
    {# OSCP stapling only works with real certs #}
    {% if use_letsencrypt == true or item.tls_certificate_path %}
@ -38,15 +39,6 @@
    resolver {{ nginx_ssl_stapling_resolver }};
    {% endif %} {# end: use_letsencrypt #}
    # nginx does not auto-rotate session ticket keys: only a HUP / restart will do so and
    # when a restart is performed the previous key is lost, which resets all previous
    # sessions. The fix for this is to setup a manual rotation mechanism:
    # http://trac.nginx.org/nginx/changeset/1356a3b9692441e163b4e78be4e9f5a46c7479e9/nginx
    #
    # Note that you'll have to define and rotate the keys securely by yourself. In absence
    # of such infrastructure, consider turning off session tickets:
    ssl_session_tickets off;
    {% if enable_hsts == true %}
    # Enable this if you want HSTS (recommended, but be careful)
    # Include all subdomains and indicate to Google that we want this pre-loaded in Chrome's HSTS store
--- a/roles/nginx/templates/nginx_org_sources.list.j2
+++ b/roles/nginx/templates/nginx_org_sources.list.j2
@ -3,17 +3,17 @@
 {% if ansible_distribution == 'Ubuntu' %}
 {% if nginx_version == "stable" %}
-deb [arch=amd64] https://nginx.org/packages/ubuntu/ {{ ansible_distribution_release }} nginx
+deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/ubuntu/ {{ ansible_distribution_release }} nginx
 {% elif nginx_version == "mainline" %}
-deb [arch=amd64] https://nginx.org/packages/mainline/ubuntu/ {{ ansible_distribution_release }} nginx
+deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/mainline/ubuntu/ {{ ansible_distribution_release }} nginx
 {% endif %}
 {% elif ansible_distribution == 'Debian' %}
 {% if nginx_version == "stable" %}
-deb [arch=amd64] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx
+deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/debian/ {{ ansible_distribution_release }} nginx
 {% elif nginx_version == "mainline" %}
-deb [arch=amd64] https://nginx.org/packages/mainline/debian/ {{ ansible_distribution_release }} nginx
+deb [arch=amd64 signed-by=/usr/share/keyrings/nginx_signing.key] https://nginx.org/packages/mainline/debian/ {{ ansible_distribution_release }} nginx
 {% endif %}
 {% endif %}
--- a/roles/nginx/templates/vhost.conf.j2
+++ b/roles/nginx/templates/vhost.conf.j2
@ -8,6 +8,12 @@
 {% set has_wordpress  = item.has_wordpress | default(false) %}
 {% set needs_php      = item.needs_php | default(false) %}
 {% set has_gitea      = item.has_gitea | default(false) %}
 {# Allow sites to override the document root #}
 {% if item.document_root is defined %}
 {%   set document_root = item.document_root %}
 {% else %}
 {%   set document_root = (nginx_root_prefix, domain_name) | ansible.builtin.path_join %}
 {% endif %}
 # http -> https vhost
 server {
@ -26,15 +32,11 @@ server {
 }
 server {
-    listen 443 ssl http2;
+    listen 443 ssl;
-    listen [::]:443 ssl http2;
+    listen [::]:443 ssl;
    http2 on;
-    {# Allow sites to override the nginx document root #}
+    root {{ document_root }};
    {% if item.document_root is defined %}
    root {{ item.document_root }};
    {% else %}
    root {{ nginx_root_prefix }}/{{ domain_name }};
    {% endif %}
    {# will only work if the TLS cert covers the domain + aliases, like example.com and www.example.com #}
    server_name {{ domain_name }} {{ domain_aliases }};
@ -75,10 +77,8 @@ server {
        # See: https://httpoxy.org/
        fastcgi_param HTTP_PROXY "";
-        {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '==')) %}
+        {% if ansible_distribution == 'Debian' and ansible_distribution_major_version is version('12', '==') %}
-        fastcgi_pass unix:/run/php/php7.4-fpm-{{ domain_name }}.sock;
+        fastcgi_pass unix:/run/php/php8.2-fpm-{{ domain_name }}.sock;
        {% else %}
        fastcgi_pass unix:/var/run/php5-fpm-{{ domain_name }}.sock;
        {% endif %}
        fastcgi_index index.php;
        # set script path relative to document root in server block
--- a/roles/php-fpm/handlers/main.yml
+++ b/roles/php-fpm/handlers/main.yml
@ -1,6 +1,8 @@
 ---
-# For Ubuntu 20.04 and Debian 11
+# For Debian 12
- name: reload php7.4-fpm
+- name: reload php8.2-fpm
-  ansible.builtin.systemd: name=php7.4-fpm state=reloaded
+  ansible.builtin.systemd:
    name: php8.2-fpm
    state: reloaded
 # vim: set ts=2 sw=2:
--- a/roles/php-fpm/tasks/Debian_12.yml
+++ b/roles/php-fpm/tasks/Debian_12.yml
@ -0,0 +1,50 @@
 ---
 - block:
    - name: Set php-fpm packages
      ansible.builtin.set_fact:
        php_fpm_packages:
          - php8.2-fpm
          # for WordPress
          - php8.2-mysql
          - php8.2-gd
          - php8.2-curl
          - php8.2-xml
    - name: Install php-fpm and deps
      ansible.builtin.apt:
        name: "{{ php_fpm_packages }}"
        state: present
        update_cache: true
    # only copy php-fpm config for vhosts that need WordPress or PHP
    - name: Copy php-fpm pool config
      ansible.builtin.template:
        src: php8.2-pool.conf.j2
        dest: /etc/php/8.2/fpm/pool.d/{{ item.domain_name }}.conf
        owner: root
        group: root
        mode: "0644"
      loop: "{{ nginx_vhosts }}"
      when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
      notify: reload php8.2-fpm
    - name: Remove default www pool
      ansible.builtin.file:
        path: /etc/php/8.2/fpm/pool.d/www.conf
        state: absent
      notify: reload php8.2-fpm
    # re-configure php.ini
    - name: Update php.ini
      ansible.builtin.template:
        src: php8.2-php.ini.j2
        dest: /etc/php/8.2/fpm/php.ini
        owner: root
        group: root
        mode: "0644"
      notify: reload php8.2-fpm
  tags: php-fpm
  when: install_php
 # vim: set ts=2 sw=2:
--- a/roles/php-fpm/tasks/Ubuntu_20.04.yml
+++ b/roles/php-fpm/tasks/Ubuntu_20.04.yml
@ -1,36 +0,0 @@
 ---
 - block:
  - name: Set php-fpm packages
    ansible.builtin.set_fact:
      php_fpm_packages:
        - php7.4-fpm
        # for WordPress
        - php7.4-mysql
        - php7.4-gd
        - php7.4-curl
        - php7.4-xml
  - name: Install php-fpm and deps
    ansible.builtin.apt: name={{ php_fpm_packages }} state=present update_cache=true
  # only copy php-fpm config for vhosts that need WordPress or PHP
  - name: Copy php-fpm pool config
    ansible.builtin.template: src=php7.4-pool.conf.j2 dest=/etc/php/7.4/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
    loop: "{{ nginx_vhosts }}"
    when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
    notify: reload php7.4-fpm
  - name: Remove default www pool
    ansible.builtin.file: path=/etc/php/7.4/fpm/pool.d/www.conf state=absent
    notify: reload php7.4-fpm
  # re-configure php.ini
  - name: Update php.ini
    ansible.builtin.template: src=php7.4-php.ini.j2 dest=/etc/php/7.4/fpm/php.ini owner=root group=root mode=0644
    notify: reload php7.4-fpm
  tags: php-fpm
  when: install_php
 # vim: set ts=2 sw=2:
--- a/roles/php-fpm/tasks/main.yml
+++ b/roles/php-fpm/tasks/main.yml
@ -1,6 +1,5 @@
 ---
-# Ubuntu 20.04 uses PHP 7.4
+# Debian 12 uses PHP 8.2
 # Debian 11 uses PHP 7.4
 # If any of the vhosts on this host need WordPress then we need to install PHP.
 # This uses selectattr to filter the list of dicts in nginx_vhosts, selecting
@ -10,13 +9,13 @@
 - name: Check if any vhost needs WordPress
  ansible.builtin.set_fact:
    install_php: true
-  when: "nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', true) | list | length > 0"
+  when: nginx_vhosts | selectattr('has_wordpress', 'defined') | selectattr('has_wordpress', 'equalto', true) | list | length > 0
 # Legacy, was only for Piwik, but leaving for now.
 - name: Check if any vhost needs PHP
  ansible.builtin.set_fact:
    install_php: true
-  when: "nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', true) | list | length > 0"
+  when: nginx_vhosts | selectattr('needs_php', 'defined') | selectattr('needs_php', 'equalto', true) | list | length > 0
 # If install_php has not been set, then we assume no vhosts need PHP. This is
 # a bit hacky, but it's the closest we come to an if/then/else.
@ -25,20 +24,12 @@
    install_php: false
  when: install_php is not defined
- name: Configure php-fpm on Ubuntu 20.04
+- name: Configure php-fpm on Debian 12
-  ansible.builtin.include_tasks: Ubuntu_20.04.yml
+  ansible.builtin.include_tasks: Debian_12.yml
  when:
    - ansible_distribution == 'Ubuntu'
    - ansible_distribution_version is version('20.04', '==')
    - install_php == true
  tags: php-fpm
 - name: Configure php-fpm on Debian 11
  ansible.builtin.include_tasks: Ubuntu_20.04.yml
  when:
    - ansible_distribution == 'Debian'
-    - ansible_distribution_version is version('11', '==')
+    - ansible_distribution_major_version is version('12', '==')
-    - install_php == true
+    - install_php
  tags: php-fpm
 # vim: set ts=2 sw=2:
--- a/roles/php-fpm/templates/php8.2-php.ini.j2
+++ b/roles/php-fpm/templates/php8.2-php.ini.j2
--- a/roles/php-fpm/templates/php8.2-pool.conf.j2
+++ b/roles/php-fpm/templates/php8.2-pool.conf.j2
@ -19,11 +19,16 @@
 ; Default Value: none
 ;prefix = /path/to/pools/$pool
-; Unix user/group of processes
+; Unix user/group of the child processes. This can be used only if the master
-; Note: The user is mandatory. If the group is not set, the default user's group
+; process running user is root. It is set after the child process is created.
-;       will be used.
+; The user and group can be specified either by their name or by their numeric
-user = nginx
+; IDs.
-group = nginx
+; Note: If the user is root, the executable needs to be started with
 ;       --allow-to-run-as-root option to work.
 ; Default Values: The user is set to master process running user by default.
 ;                 If the group is not set, the user's group is used.
 user = {{ webserver }}
 group = {{ webserver }}
 ; The address on which to accept FastCGI requests.
 ; Valid syntaxes are:
@ -35,20 +40,22 @@ group = nginx
 ;                            (IPv6 and IPv4-mapped) on a specific port;
 ;   '/path/to/unix/socket' - to listen on a unix socket.
 ; Note: This value is mandatory.
-listen = /run/php/php7.4-fpm-{{ domain_name }}.sock
+listen = /run/php/php8.2-fpm-{{ domain_name }}.sock
 ; Set listen(2) backlog.
-; Default Value: 511 (-1 on FreeBSD and OpenBSD)
+; Default Value: 511 (-1 on Linux, FreeBSD and OpenBSD)
 ;listen.backlog = 511
 ; Set permissions for unix socket, if one is used. In Linux, read/write
 ; permissions must be set in order to allow connections from a web server. Many
-; BSD-derived systems allow connections regardless of permissions.
+; BSD-derived systems allow connections regardless of permissions. The owner
-; Default Values: user and group are set as the running user
+; and group can be specified either by name or by their numeric IDs.
-;                 mode is set to 0660
+; Default Values: Owner is set to the master process running user. If the group
-listen.owner = nginx
+;                 is not set, the owner's group is used. Mode is set to 0660.
-listen.group = nginx
+listen.owner = {{ webserver }}
 listen.group = {{ webserver }}
 ;listen.mode = 0660
 ; When POSIX Access Control Lists are supported you can set them using
 ; these options, value is a comma separated list of user/group names.
 ; When set, listen.owner and listen.group are ignored
@ -63,6 +70,10 @@ listen.group = nginx
 ; Default Value: any
 ;listen.allowed_clients = 127.0.0.1
 ; Set the associated the route table (FIB). FreeBSD only
 ; Default Value: -1
 ;listen.setfib = 1
 ; Specify the nice(2) priority to apply to the pool processes (only if set)
 ; The value can vary from -19 (highest priority) to 20 (lower priority)
 ; Note: - It will only work if the FPM master process is launched as root
@ -71,8 +82,9 @@ listen.group = nginx
 ; Default Value: no set
 ; process.priority = -19
-; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
+; Set the process dumpable flag (PR_SET_DUMPABLE prctl for Linux or
-; or group is differrent than the master process user. It allows to create process
+; PROC_TRACE_CTL procctl for FreeBSD) even if the process user
 ; or group is different than the master process user. It allows to create process
 ; core dump and ptrace the process for the pool user.
 ; Default Value: no
 ; process.dumpable = yes
@ -94,6 +106,8 @@ listen.group = nginx
 ;                                    state (waiting to process). If the number
 ;                                    of 'idle' processes is greater than this
 ;                                    number then some children will be killed.
 ;             pm.max_spawn_rate    - the maximum number of rate to spawn child
 ;                                    processes at once.
 ;  ondemand - no children are created at startup. Children will be forked when
 ;             new requests will connect. The following parameter are used:
 ;             pm.max_children           - the maximum number of children that
@ -129,6 +143,12 @@ pm.min_spare_servers = 1
 ; Note: Mandatory when pm is set to 'dynamic'
 pm.max_spare_servers = 3
 ; The number of rate to spawn child processes at once.
 ; Note: Used only when pm is set to 'dynamic'
 ; Note: Mandatory when pm is set to 'dynamic'
 ; Default Value: 32
 ;pm.max_spawn_rate = 32
 ; The number of seconds after which an idle process will be killed.
 ; Note: Used only when pm is set to 'ondemand'
 ; Default Value: 10s
@ -141,7 +161,7 @@ pm.max_spare_servers = 3
 ;pm.max_requests = 500
 ; The URI to view the FPM status page. If this value is not set, no URI will be
-; recognized as a status page. It shows the following informations:
+; recognized as a status page. It shows the following information:
 ;   pool                 - the name of the pool;
 ;   process manager      - static, dynamic or ondemand;
 ;   start time           - the date and time FPM has started;
@ -231,7 +251,7 @@ pm.max_spare_servers = 3
 ;   last request memory:  0
 ;
 ; Note: There is a real-time FPM status monitoring sample web page available
-;       It's available in: /usr/share/php/7.4/fpm/status.html
+;       It's available in: /usr/share/php/8.2/fpm/status.html
 ;
 ; Note: The value must start with a leading slash (/). The value can be
 ;       anything, but it may not be a good idea to use the .php extension or it
@ -239,6 +259,22 @@ pm.max_spare_servers = 3
 ; Default Value: not set
 ;pm.status_path = /status
 ; The address on which to accept FastCGI status request. This creates a new
 ; invisible pool that can handle requests independently. This is useful
 ; if the main pool is busy with long running requests because it is still possible
 ; to get the status before finishing the long running requests.
 ;
 ; Valid syntaxes are:
 ;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
 ;                            a specific port;
 ;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
 ;                            a specific port;
 ;   'port'                 - to listen on a TCP socket to all addresses
 ;                            (IPv6 and IPv4-mapped) on a specific port;
 ;   '/path/to/unix/socket' - to listen on a unix socket.
 ; Default Value: value of the listen option
 ;pm.status_listen = 127.0.0.1:9001
 ; The ping URI to call the monitoring page of FPM. If this value is not set, no
 ; URI will be recognized as a ping page. This could be used to test from outside
 ; that FPM is alive and responding, or to
@ -271,13 +307,13 @@ pm.max_spare_servers = 3
 ;  %d: time taken to serve the request
 ;      it can accept the following format:
 ;      - %{seconds}d (default)
-;      - %{miliseconds}d
+;      - %{milliseconds}d
-;      - %{mili}d
+;      - %{milli}d
 ;      - %{microseconds}d
 ;      - %{micro}d
 ;  %e: an environment variable (same as $_ENV or $_SERVER)
 ;      it must be associated with embraces to specify the name of the env
-;      variable. Some exemples:
+;      variable. Some examples:
 ;      - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
 ;      - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
 ;  %f: script filename
@ -306,14 +342,30 @@ pm.max_spare_servers = 3
 ;  %s: status (response code)
 ;  %t: server time the request was received
 ;      it can accept a strftime(3) format:
-;      The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
+;      The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
 ;  %T: time the log has been written (the request has finished)
 ;      it can accept a strftime(3) format:
-;      The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
+;      The strftime(3) format must be encapsulated in a %{<strftime_format>}t tag
 ;  %u: remote user
 ;
 ; Default: "%R - %u %t \"%m %r\" %s"
-;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
+;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{milli}d %{kilo}M %C%%"
 ; A list of request_uri values which should be filtered from the access log.
 ;
 ; As a security precuation, this setting will be ignored if:
 ;     - the request method is not GET or HEAD; or
 ;     - there is a request body; or
 ;     - there are query parameters; or
 ;     - the response code is outwith the successful range of 200 to 299
 ;
 ; Note: The paths are matched against the output of the access.format tag "%r".
 ;       On common configurations, this may look more like SCRIPT_NAME than the
 ;       expected pre-rewrite URI.
 ;
 ; Default Value: not set
 ;access.suppress_path[] = /ping
 ;access.suppress_path[] = /health_check.php
 ; The log file for slow requests
 ; Default Value: not set
@ -372,7 +424,7 @@ pm.max_spare_servers = 3
 ; Redirect worker stdout and stderr into main error log. If not set, stdout and
 ; stderr will be redirected to /dev/null according to FastCGI specs.
-; Note: on highloaded environement, this can cause some delay in the page
+; Note: on highloaded environment, this can cause some delay in the page
 ; process time (several ms).
 ; Default Value: no
 ;catch_workers_output = yes
--- a/site.yml
+++ b/site.yml
@ -1,7 +1,10 @@
 ---
 # file: site.yml
- import_playbook: nomads.yml
+- name: Import nomads playbook
- import_playbook: web.yml
+  ansible.builtin.import_playbook: nomads.yml
 - name: Import web playbook
  ansible.builtin.import_playbook: web.yml
 # vim: set sw=2 ts=2:
--- a/web.yml
+++ b/web.yml
@ -7,7 +7,8 @@
  roles:
    - common
    - { role: mariadb, when: mariadb_databases is defined}
-    - nginx
+    - { role: nginx, when: webserver is defined and webserver == 'nginx' }
    - { role: caddy, when: webserver is defined and webserver == 'caddy' }
    - php-fpm
    - munin
  vars_files:
Author	SHA1	Message	Date
Alan Orth	00558c7dea	roles/common: re-work fail2ban and nftables Re-work the fail2ban and nftables interaction. Use systemd's PartOf to indicate that fail2ban is part of the nftables service, which tells systemd to propogate stop/start signals to it. Then we tell the firehol update script to restart nftables instead of reload. The different between restart and reload is meaningless for nftables but we want systemd to propagate the stop/start signals to fail2ban.	2025-07-08 10:39:17 +03:00
Alan Orth	c927186837	roles/common: adjust update-firehol-nftables.service This service does not actually depend on nftables, at least not in the systemd sense of dependency. Furthermore, this hard dependency was causing the service to fail when it restarts nftables at the end, which causes systemd to start it again and again until it hits a restarting too quickly error.	2025-07-08 10:37:39 +03:00
Alan Orth	690774c862	host_vars/web22: WordPress 6.8.1	2025-07-08 10:34:34 +03:00
Alan Orth	cc021bd14a	Pipfile.lock: run pipenv update	2025-07-08 10:25:09 +03:00
Alan Orth	73fd06fe3a	roles/common: remove cron-apt Use unattended-upgrades instead. It has sane defaults on Debian at least (I haven't checked Ubuntu).	2025-04-07 09:51:09 +03:00
Alan Orth	88cb3a370e	Remove logic for Ubuntu 20.04 and Debian 11	2025-03-29 23:09:44 +03:00
Alan Orth	027a43ddbe	roles/caddy: use default for encode	2025-03-29 22:49:30 +03:00
Alan Orth	bb30c3be20	host_vars/web22: update vhosts	2025-03-29 22:48:19 +03:00
Alan Orth	d8d9790d21	roles/nginx: enable nginx ssl_session_tickets This has apparently been supported since nginx 1.23.2 and is safe to use the default (on) now. See: https://github.com/mozilla/server-side-tls/issues/284	2025-03-29 22:35:56 +03:00
Alan Orth	9a500ebc0d	roles/nginx: disable nginx ssl_prefer_server_ciphers This is apparently the default and recommended by Mozilla's server- side SSL configurator also recommends. This lets the client choose the ciphers best for them (and the ciphers in TLS 1.2 and 1.3 are not currently known to be dangerous).	2025-03-29 22:34:41 +03:00
Alan Orth	4bae942585	roles/nginx: add nginx ssl_ecdh_curve This seems to be new since I last looked at the Mozilla server-side SSL configurator.	2025-03-29 22:34:37 +03:00
Alan Orth	99866c0c90	roles/nginx: use one day for nginx ssl_session_timeout This is a new default since I last looked at the Mozilla server-side SSL configurator.	2025-03-29 22:34:32 +03:00
Alan Orth	0afb8a4493	roles/nginx: update nginx ssl_buffer_size The old default has not been changed in eight years and I see that there have been some discussions over the years about this. I will change this from the slightly extreme 1400 bytes to 4k (nginx def- ault is still 16k so this is more "optimal" for HTML/CSS content). See: https://github.com/igrigorik/istlsfastyet.com/issues/63	2025-03-29 22:34:27 +03:00
Alan Orth	506695da31	roles/nginx/defaults: update version comments	2025-03-29 22:24:49 +03:00
Alan Orth	f67ed7762c	roles/nginx: fix http2 syntax	2025-03-29 22:20:49 +03:00
Alan Orth	014f4d9502	roles/nginx: add newline	2025-03-29 22:19:41 +03:00
Alan Orth	22c16e1ed3	roles/caddy/templates: closer to supporting WordPress I still wouldn't want to deploy WordPress on Caddy until it's more obvious and standard to block paths that shouldn't be accessible. It seems that this is still left as an exercise to the site admin. This discussion has some tips, but it is four years old and hasn't changed since I last looked. See: https://caddy.community/t/using-caddy-to-harden-wordpress/13575	2025-03-29 22:09:37 +03:00
Alan Orth	5aa6a33e51	roles/php-fpm: set user and group based on webserver We use either caddy or nginx, which are conveniently named the same as the Unix user and group.	2025-03-29 21:01:56 +03:00
Alan Orth	7f9b06af9c	roles/nginx: smarter setting of document root	2025-03-29 19:34:53 +03:00
Alan Orth	84db337fea	roles/caddy: smarter setting of document root	2025-03-29 19:33:02 +03:00
Alan Orth	7b23f5f94f	roles/caddy: add missing tag	2025-03-29 19:16:03 +03:00
Alan Orth	9830338be3	Use one default root prefix for nginx and caddy	2025-03-29 19:15:56 +03:00
Alan Orth	e3eed26765	roles/caddy: update vhost template	2025-03-29 18:37:28 +03:00
Alan Orth	8b31c7e148	host_vars/web22: WordPress 6.7.2	2025-03-29 16:10:23 +03:00
Alan Orth	3ff8043aaf	Pipfile.lock: run pipenv update	2025-03-29 15:30:08 +03:00
Alan Orth	cb79f7ef70	roles/common: minor change to firehol update script They include bogons like 127.0.0.1 that should not be routed on the public Internet, but this blocks local applications we proxy to.	2025-01-28 09:14:48 +03:00
Alan Orth	bb14f05d2a	roles/common: use Ansible timezone module No need to use a command for that. The module does it better because it doesn't register a change unless the timezone changes.	2025-01-27 23:11:56 +03:00
Alan Orth	5b1530fa91	roles/common: rework firewall Use firehol instead of all the others. AbuseIPDB.com can't be upd- ated automatically, Abuse.ch is no longer maintained, and Spamhaus is already in firehol.	2025-01-27 23:05:45 +03:00
Alan Orth	5312dc6bd5	roles/common: use common nftables task Use a common nftables task on Debian and Ubuntu.	2025-01-27 23:05:38 +03:00
Alan Orth	d6e060d3af	roles/common: simplify firewall tasks Apply firewall tag to included tasks, then we don't need to use a block.	2025-01-27 22:30:50 +03:00
Alan Orth	b873af004a	roles/common: single firewall task include Use one include from the main tasks file.	2025-01-27 22:28:27 +03:00
Alan Orth	7ea3ab46f8	host_vars/web22: WordPress 6.7.1	2025-01-27 21:48:16 +03:00
Alan Orth	0561bd5b52	Pipfile.lock: run pipenv update	2025-01-27 21:36:13 +03:00
Alan Orth	d62572f02c	Pipfile: python 3.13	2025-01-27 21:35:58 +03:00
Alan Orth	2ffe5e87d9	host_vars/web22: WordPress 6.6.2	2024-12-30 11:03:47 +03:00
Alan Orth	38d4f1a303	Pipfile.lock: run pipenv update	2024-12-30 11:03:35 +03:00
Alan Orth	ed8cb88038	host_vars/web22: WordPress 6.5.5	2024-06-25 08:18:22 +03:00
Alan Orth	c31e447861	roles/nginx: update signing key	2024-06-25 08:11:59 +03:00
Alan Orth	545684467c	host_vars/nomad03: remove	2024-06-05 20:35:29 +03:00
Alan Orth	24ae5eaab1	host_vars/web22: WordPress 6.5.3	2024-05-13 14:51:45 +03:00
Alan Orth	dac23f1427	Pipfile: use Python 3.12	2024-05-13 14:51:34 +03:00
Alan Orth	41fbc73dd1	host_vars/web22: WordPress 6.4.3	2024-03-20 20:28:13 +03:00
Alan Orth	fee794bcf0	Update Pipfile	2024-03-20 20:28:00 +03:00
Alan Orth	8bce1d8b1b	host_vars/web22: WordPress 6.4.1	2023-12-02 22:40:06 +03:00
Alan Orth	6dc2ea36b6	roles/nginx: fix path to php 8.2 socket	2023-09-11 19:55:24 +03:00
Alan Orth	af71a9b5f8	roles/php-fpm: remove fmt strings Ansible confuses them for jinja2 tokens.	2023-09-11 19:52:18 +03:00
Alan Orth	4dd57803e2	roles/php-fpm: fix user/group for php 8.2 configs	2023-09-11 19:51:59 +03:00
Alan Orth	18d4245fc0	roles/common: fix tarsnap signing of apt repo	2023-09-11 19:37:49 +03:00
Alan Orth	1bddf3cccd	Pipfile.lock: run pipenv update	2023-09-11 18:52:25 +03:00
Alan Orth	20dbe61fe1	roles/mariadb: use MariaDB 10.11 The server has already been updated from 10.6 to 10.11. See: https://mariadb.com/kb/en/upgrading-from-mariadb-10-6-to-mariadb-10-11/	2023-09-10 22:53:10 +03:00
Alan Orth	899e87321b	host_vars/web22: WordPress 6.3.1	2023-09-10 22:44:23 +03:00
Alan Orth	06416a3b64	roles: run ansible-lint --write	2023-08-23 22:22:51 +03:00
Alan Orth	7a9a24ef5d	roles/common: rework fail2ban again Actually, we do want to run fail2ban on all hosts because the sshd monitoring via systemd is nice. At the very least it reduces spam from failed logins in our systemd journal.	2023-08-23 22:15:24 +03:00
Alan Orth	067adcd9f5	roles/common: rework fail2ban tasks We can only run fail2ban when we have logs to monitor. When a host is running Caddy we don't have logs, so fail2ban doesn't have any- thing to monitor out of the box. For now I will restrict the task to hosts running nginx.	2023-08-23 21:59:28 +03:00
Alan Orth	84d210cfab	roles/common: re-format handlers Use the newer Ansible format.	2023-08-23 21:35:28 +03:00
Alan Orth	17736a4f14	roles/common: run ansible-lint --write	2023-08-23 21:33:22 +03:00
Alan Orth	b9e91c4a3d	roles/common: minor updates to tarsnap task Use modern Ansible task format	2023-08-23 21:20:22 +03:00
Alan Orth	51c95e5d4c	roles/common: update tarsnap task Update tarsnap task to use apt signed-by for package signing keys instead of adding keys directly to apt-key.	2023-08-23 21:18:27 +03:00
Alan Orth	8dbec29d2a	roles/nginx: prepare letsencrypt task for Debian 12	2023-08-23 21:01:12 +03:00
Alan Orth	d3bf3dab04	roles/php-fpm: add support for PHP 8.2 This is used in Debian 12.	2023-08-23 20:56:35 +03:00
Alan Orth	8f50b7756b	host_vars/web22: WordPress 6.3	2023-08-22 21:33:49 +03:00
Alan Orth	e86ccc9979	roles/nginx: minor rework of apt key stuff	2023-08-22 21:33:19 +03:00
Alan Orth	cea8529f49	Pipfile.lock: run pipenv update	2023-08-22 21:02:17 +03:00
Alan Orth	d77718edae	host_vars: add fail2ban_ignoreip	2023-08-14 16:37:07 +02:00
Alan Orth	14d57fc477	roles/nginx: reformat main tasks	2023-08-10 22:44:47 +02:00
Alan Orth	5c39f1abd8	roles/common: minor changes to Debian sshd_config files	2023-08-10 22:10:04 +02:00
Alan Orth	6794eb0432	roles/common: default to disabling SSH passwords	2023-08-10 22:09:03 +02:00
Alan Orth	11614e3725	host_vars: replace nomad02 with nomad03 The former is Ubuntu 20.04, the latter is Debian 12. Running Drone CI.	2023-08-10 08:37:09 +02:00
Alan Orth	b106f9d9e5	roles/common: ignore apt sources.list on Scaleway While testing Debian 12 on Scaleway I noticed their apt sources.list is in some weird format I've never seen before, so let's skip it on those hosts.	2023-08-10 08:08:42 +02:00
Alan Orth	3c8250e6ac	Pipfile.lock: run pipenv update	2023-08-09 22:07:54 +02:00
Alan Orth	d280859b0d	roles/common: minor updates to Debian 11 sshd_config	2023-08-09 21:55:04 +02:00
Alan Orth	bca1629d2f	Minor comment updates for Debian 12	2023-08-09 21:51:53 +02:00
Alan Orth	4fa82faf18	roles/common: adjust sshd_config for Debian 12 Adjust sshd_config based on ssh-audit profile for OpenSSH 9.2.	2023-08-09 21:27:19 +02:00
Alan Orth	b8f0b4b1fb	roles/common: add vanilla sshd_config for Debian 12	2023-08-09 21:16:50 +02:00
Alan Orth	68e5d05bbb	host_vars/web22: WordPress 6.2.2	2023-07-27 18:48:37 +03:00
Alan Orth	446d402778	roles: minor fix to Debian version comparisons	2023-07-27 18:48:07 +03:00
Alan Orth	67379fc2e4	host_vars/web22: WordPress 6.2	2023-05-04 07:10:40 +03:00
Alan Orth	73546967b6	Pipfile.lock: run pipenv update	2023-05-04 06:58:25 +03:00
Alan Orth	16b661efe1	Pipfile.lock: run pipenv update	2023-04-14 10:09:29 -07:00
Alan Orth	fdb9a75489	roles/common: update tarsnap GPG key	2023-04-14 10:09:11 -07:00
Alan Orth	232d7a0348	host_vars/web22: WordPress 6.1.1	2022-11-24 18:31:48 +03:00
Alan Orth	6e4bb5bc34	host_vars/web21: use caddy	2022-11-13 18:58:57 +03:00
Alan Orth	c840ffe018	roles/caddy: improve vhost template Support domain aliases that redirect to the main domain and allow sites to say they are static sites where they only need a document root.	2022-11-13 18:54:03 +03:00
Alan Orth	45c9d7ea0a	Pipfile.lock: run pipenv update	2022-11-13 16:50:07 +03:00
Alan Orth	a62bc446e8	host_vars/web22: WordPress 6.1	2022-11-06 23:00:41 +03:00
Alan Orth	62a6a491db	host_vars/web23: use caddy	2022-11-02 22:30:32 +03:00
Alan Orth	4867d6da6a	Add basic caddy role	2022-11-02 22:29:30 +03:00
Alan Orth	d9f7c7a93b	group_vars/web: set default webserver to nginx While I'm still getting experience with caddy and adapting it to my workloads.	2022-11-02 22:12:36 +03:00
Alan Orth	bc8c030700	roles/common: update Tarsnap GPG key	2022-11-02 22:11:37 +03:00
Alan Orth	f7598d8f1c	Pipfile.lock: run pipenv update	2022-11-02 20:50:59 +03:00
Alan Orth	c353e84a84	site.yml: use fully-qualified modules	2022-10-25 21:08:27 +03:00
Alan Orth	99ca23f258	Pipfile.lock: run pipenv update	2022-10-17 19:56:30 +03:00
Alan Orth	b663d27fd8	roles/common: rework firewall_Debian.yml playbook Use newer Ansible task format, move from apt to package module, and do package installs in one transaction using a list instead of a loop.	2022-09-12 17:25:40 +03:00
Alan Orth	67c99dacf6	roles/common: rework firewall_Ubuntu.yml playbook Use newer Ansible task format, move from apt to package module, and do package installs in one transaction using a list instead of a loop.	2022-09-12 17:18:33 +03:00
Alan Orth	4abf2b10e4	ansible.cfg: smart fact gathering	2022-09-12 17:18:19 +03:00
Alan Orth	f5199264f9	ansible.cfg: disable SSH host key checking	2022-09-12 17:14:39 +03:00
Alan Orth	b259f09cbd	roles/common: add SSH public key from other machine	2022-09-12 17:06:31 +03:00
		`@ -1,2 +0,0 @@`
			`autoclean -y`
			`upgrade -y -o APT::Get::Show-Upgraded=true`
		`@ -0,0 +1 @@`
							`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHmRO6E0G4Ls3TifVfJ+mQjlfWiBZNJfsSXGhwQ/HA1M aorth@balozi`
`@ -1 +1 @@`
	`deb [arch=amd64] https://pkg.tarsnap.com/deb/{{ ansible_distribution_release }} ./`	`deb [arch=amd64 signed-by=/etc/apt/keyrings/tarsnap-deb-packaging-key.asc] https://pkg.tarsnap.com/deb/{{ ansible_distribution_release }} ./`