Remove Ubuntu 18.04 support

roles: use longer format for when conditionals
When the condition is an AND we can use this more succinct format.
2022-09-10 23:30:04 +03:00 · 2022-09-10 23:12:49 +03:00 · 2022-09-10 23:12:26 +03:00
20 changed files with 28 additions and 2755 deletions
--- a/README.md
+++ b/README.md
@ -4,7 +4,7 @@ Ansible playbook for base and initial configuration of the web server hosting my
 ## Assumptions
 Before you can run this, a few things are assumed:
- You have a clean, minimal Ubuntu 18.04/20.04 or Debian 10/11 host up and running
+- You have a clean, minimal Ubuntu 20.04 or Debian 10/11 host up and running
 - Python 3 is installed on the remote server (requirement of Ansible)
 - You have a user account with password-less SSH access to the machine
 - You have sudo privileges on the remote host
--- a/roles/common/files/update-spamhaus-lists.service
+++ b/roles/common/files/update-spamhaus-lists.service
@ -1,27 +0,0 @@
 [Unit]
 Description=Update Spamhaus lists
 # This service will fail if firewalld is not running so we use Requires to make
 # sure that firewalld is started.
 Requires=firewalld.service
 # Make sure the network is up and firewalld is started
 After=network-online.target firewalld.service
 Wants=network-online.target update-spamhaus-lists.timer
 [Service]
 # https://www.ctrl.blog/entry/systemd-service-hardening.html
 # Doesn't need access to /home or /root
 ProtectHome=true
 # Possibly only works on Ubuntu 18.04+
 ProtectKernelTunables=true
 ProtectSystem=full
 # Newer systemd can use ReadWritePaths to list files, but this works everywhere
 ReadWriteDirectories=/etc/firewalld/ipsets
 PrivateTmp=true
 WorkingDirectory=/var/tmp
 SyslogIdentifier=update-spamhaus-lists
 ExecStart=/usr/bin/flock -x update-spamhaus-lists.lck \
          /usr/local/bin/update-spamhaus-lists.sh
 [Install]
 WantedBy=multi-user.target
--- a/roles/common/files/update-spamhaus-lists.sh
+++ b/roles/common/files/update-spamhaus-lists.sh
@ -1,107 +0,0 @@
 #!/usr/bin/env bash
 #
 # update-spamhaus-lists.sh v0.0.5
 #
 # Download Spamhaus DROP lists and load them into firewalld ipsets. Should work
 # with both the iptables and nftables backends.
 # 
 # See: https://www.spamhaus.org/drop/
 #
 # Copyright (C) 2021 Alan Orth
 #
 # SPDX-License-Identifier: GPL-3.0-only
 # Exit on first error
 set -o errexit
 firewalld_ipsets=$(firewall-cmd --get-ipsets)
 xml_temp=$(mktemp)
 spamhaus_ipv4_ipset_path=/etc/firewalld/ipsets/spamhaus-ipv4.xml
 spamhaus_ipv6_ipset_path=/etc/firewalld/ipsets/spamhaus-ipv6.xml
 function download() {
    echo "Downloading $1"
    wget -q -O - "https://www.spamhaus.org/drop/$1" > "$1"
 }
 download drop.txt
 download edrop.txt
 download dropv6.txt
 if [[ -f "drop.txt" && -f "edrop.txt" ]]; then
    echo "Processing IPv4 DROP lists"
    # Extract all networks from drop.txt and edrop.txt, skipping blank lines and
    # comments.
    networks=$(cat drop.txt edrop.txt | sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//')
    # If firewalld already has this ipset we should delete it first to emulate
    # `ipset flush` (but I don't want to use that because newer hosts might be
    # using nftables and firewalld will handle that for us).
    if [[ "$firewalld_ipsets" =~ spamhaus-ipv4 ]]; then
        echo "Deleting existing spamhaus-ipv4 ipset"
        # This deletes the firewalld ipset XML file as well as the ipset itself
        firewall-cmd --permanent --delete-ipset=spamhaus-ipv4
    else
        echo "Creating placeholder spamhaus-ipv4 ipset"
        # Create a placeholder ipset so firewalld doesn't complain when we try
        # to reload the ipset later after having added a new XML definition. I
        # don't know why, but depending on the system state there may not be a
        # ipset defined and firewalld errors on INVALID_IPSET.
        firewall-cmd --permanent --new-ipset=spamhaus-ipv4 --type=hash:net --option=family=inet
    fi
    # I'm not proud of this, but writing the XML directly is WAY faster than
    # using firewall-cmd to add each entry one by one (and we can't add from
    # a file because many of our hosts are using old firewalld).
    cat << XML_HEAD > "$xml_temp"
 <?xml version="1.0" encoding="utf-8"?>
 <ipset type="hash:net">
  <option name="family" value="inet" />
  <short>spamhaus-ipv4</short>
  <description>Spamhaus DROP and EDROP lists (IPv4).</description>
 XML_HEAD
    for network in $networks; do
 		echo "    <entry>$network</entry>" >> "$xml_temp"
    done
    echo "</ipset>" >> "$xml_temp"
    install -m 0600 "$xml_temp" "$spamhaus_ipv4_ipset_path"
 fi
 if [[ -f "dropv6.txt" ]]; then
    echo "Processing IPv6 DROP list"
    networks=$(sed -e '/^$/d' -e '/^;.*/d' -e 's/[[:space:]];[[:space:]].*//' dropv6.txt)
    if [[ "$firewalld_ipsets" =~ spamhaus-ipv6 ]]; then
        echo "Deleting existing spamhaus-ipv6 ipset"
        firewall-cmd --permanent --delete-ipset=spamhaus-ipv6
    else
        echo "Creating placeholder spamhaus-ipv6 ipset"
        firewall-cmd --permanent --new-ipset=spamhaus-ipv6 --type=hash:net --option=family=inet6
    fi
    cat << XML_HEAD > "$xml_temp"
 <?xml version="1.0" encoding="utf-8"?>
 <ipset type="hash:net">
  <option name="family" value="inet6" />
  <short>spamhaus-ipv6</short>
  <description>Spamhaus DROP lists (IPv6).</description>
 XML_HEAD
    for network in $networks; do
 		echo "    <entry>$network</entry>" >> "$xml_temp"
    done
    echo "</ipset>" >> "$xml_temp"
    install -m 0600 "$xml_temp" "$spamhaus_ipv6_ipset_path"
 fi
 echo "Reloading firewalld"
 firewall-cmd --reload
 rm -v drop.txt edrop.txt dropv6.txt "$xml_temp"
--- a/roles/common/files/update-spamhaus-lists.timer
+++ b/roles/common/files/update-spamhaus-lists.timer
@ -1,12 +0,0 @@
 [Unit]
 Description=Update Spamhaus lists
 [Timer]
 # Once a day at midnight
 OnCalendar=*-*-* 00:00:00
 # Add a random delay of 0–3600 seconds
 RandomizedDelaySec=3600
 Persistent=true
 [Install]
 WantedBy=timers.target
--- a/roles/common/tasks/fail2ban.yml
+++ b/roles/common/tasks/fail2ban.yml
@ -5,7 +5,9 @@
  notify: restart fail2ban
 - name: Configure fail2ban nginx filter
-  when: "extra_fail2ban_filters is defined and 'nginx' in extra_fail2ban_filters"
+  when:
    - extra_fail2ban_filters is defined
    - "'nginx' in extra_fail2ban_filters"
  ansible.builtin.template: src=etc/fail2ban/jail.d/nginx.local.j2 dest=/etc/fail2ban/jail.d/nginx.local owner=root mode=0644
  notify: restart fail2ban
--- a/roles/common/tasks/firewall_Ubuntu.yml
+++ b/roles/common/tasks/firewall_Ubuntu.yml
@ -1,18 +1,7 @@
 ---
 # Ubuntu 20.04 will use nftables directly, with no firewalld.
 # Ubuntu 18.04 will use firewalld with the nftables backend.
 # Ubuntu 16.04 will use firewalld with the iptables backend.
 - block:
  - name: Set Ubuntu firewall packages
    when: ansible_distribution_version is version('20.04', '<')
    ansible.builtin.set_fact:
      ubuntu_firewall_packages:
        - firewalld
        - tidy
        - fail2ban
        - python3-systemd # for fail2ban systemd backend
  - name: Set Ubuntu firewall packages
    when: ansible_distribution_version is version('20.04', '>=')
    ansible.builtin.set_fact:
@ -54,41 +43,6 @@
      - restart nftables
      - restart fail2ban
  - name: Copy firewalld public zone file
    when: ansible_distribution_version is version('18.04', '<=')
    ansible.builtin.template: src=public.xml.j2 dest=/etc/firewalld/zones/public.xml owner=root mode=0600
  - name: Format public.xml firewalld zone file
    when: ansible_distribution_version is version('18.04', '<=')
    command: tidy -xml -iq -m -w 0 /etc/firewalld/zones/public.xml
    notify:
      - restart firewalld
      - restart fail2ban
  - name: Copy firewalld ipsets of abusive IPs
    when: ansible_distribution_version is version('18.04', '<=')
    ansible.builtin.copy: src={{ item }} dest=/etc/firewalld/ipsets/{{ item }} owner=root group=root mode=0600
    loop:
      - abusers-ipv4.xml
      - abusers-ipv6.xml
      - spamhaus-ipv4.xml
      - spamhaus-ipv6.xml
    notify:
      - restart firewalld
      - restart fail2ban
  - name: Copy Spamhaus firewalld update script
    when: ansible_distribution_version is version('18.04', '<=')
    ansible.builtin.copy: src=update-spamhaus-lists.sh dest=/usr/local/bin/update-spamhaus-lists.sh mode=0755 owner=root group=root
  - name: Copy Spamhaus firewalld systemd units
    when: ansible_distribution_version is version('18.04', '<=')
    ansible.builtin.copy: src={{ item }} dest=/etc/systemd/system/{{ item }} mode=0644 owner=root group=root
    loop:
        - update-spamhaus-lists.service
        - update-spamhaus-lists.timer
    register: spamhaus_firewalld_systemd_units
  - name: Copy nftables update scripts
    when: ansible_distribution_version is version('20.04', '>=')
    ansible.builtin.copy: src={{ item }} dest=/usr/local/bin/{{ item }} mode=0755 owner=root group=root
@ -110,15 +64,7 @@
  # need to reload to pick up service/timer/environment changes
  - name: Reload systemd daemon
    ansible.builtin.systemd: daemon_reload=true
-    when: spamhaus_firewalld_systemd_units is changed or
+    when: nftables_systemd_units is changed
          nftables_systemd_units is changed
  - name: Start and enable Spamhaus firewalld update timer
    when: ansible_distribution_version is version('18.04', '<=')
    ansible.builtin.systemd: name=update-spamhaus-lists.timer state=started enabled=true
    notify:
      - restart firewalld
      - restart fail2ban
  - name: Start and enable nftables update timers
    when: ansible_distribution_version is version('20.04', '>=')
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@ -39,10 +39,6 @@
    - reload sysctl
  tags: sysctl
 - name: Reconfigure /etc/rc.local
  when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('19.04', '<=')
  ansible.builtin.template: src=rc.local_Ubuntu.j2 dest=/etc/rc.local owner=root group=root mode=0755
 - name: Set I/O scheduler
  ansible.builtin.template: src=etc/udev/rules.d/60-scheduler.rules.j2 dest=/etc/udev/rules.d/60-scheduler.rules owner=root group=root mode=0644
  tags: udev
--- a/roles/common/tasks/packages_Ubuntu.yml
+++ b/roles/common/tasks/packages_Ubuntu.yml
@ -50,22 +50,6 @@
      when: ansible_distribution_version is version('20.04', '==')
      ignore_errors: true
    - name: Set fact for packages to remove (Ubuntu <= 18.04)
      ansible.builtin.set_fact:
        ubuntu_annoying_packages:
          - whoopsie # security (CIS 4.1)
          - apport   # security (CIS 4.1)
          - command-not-found # annoying
          - command-not-found-data # annoying
          - python3-commandnotfound # annoying
          - snapd # annoying (Ubuntu >= 16.04)
          - lxd # annoying (Ubuntu >= 16.04)
          - lxd-client # annoying (Ubuntu >= 16.04)
          - liblxc1 # annoying (Ubuntu >= 16.04)
          - lxc-common # annoying (Ubuntu >= 16.04)
          - lxcfs #annoying (Ubuntu >= 16.04)
      when: ansible_distribution_version is version('18.04', '<=')
    - name: Set fact for packages to remove (Ubuntu 20.04)
      ansible.builtin.set_fact:
        ubuntu_annoying_packages:
--- a/roles/common/templates/rc.local_Ubuntu.j2
+++ b/roles/common/templates/rc.local_Ubuntu.j2
@ -1,14 +0,0 @@
 #!/bin/sh -e
 #
 # rc.local
 #
 # This script is executed at the end of each multiuser runlevel.
 # Make sure that the script will "exit 0" on success or any other
 # value on error.
 #
 # In order to enable or disable this script just change the execution
 # bits.
 #
 # By default this script does nothing.
 exit 0
--- a/roles/common/templates/sshd_config_Ubuntu-18.04.j2
+++ b/roles/common/templates/sshd_config_Ubuntu-18.04.j2
@ -1,133 +0,0 @@
 #	$OpenBSD: sshd_config,v 1.101 2017/03/14 07:19:07 djm Exp $
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
 # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
 # The strategy used for options in the default sshd_config shipped with
 # OpenSSH is to specify options with their default value where
 # possible, but leave them commented.  Uncommented options override the
 # default value.
 #Port 22
 #AddressFamily any
 #ListenAddress 0.0.0.0
 #ListenAddress ::
 #HostKey /etc/ssh/ssh_host_rsa_key
 HostKey /etc/ssh/ssh_host_ed25519_key
 # Ciphers and keying
 #RekeyLimit default none
 # Logging
 #SyslogFacility AUTH
 # LogLevel VERBOSE logs user's key fingerprint on login. Needed to have a clear audit track of which key was using to log in.
 LogLevel VERBOSE
 # Authentication:
 #LoginGraceTime 2m
 PermitRootLogin prohibit-password
 #StrictModes yes
 MaxAuthTries 4
 #MaxSessions 10
 #PubkeyAuthentication yes
 # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
 # but this is overridden so installations will only check .ssh/authorized_keys
 AuthorizedKeysFile	.ssh/authorized_keys
 #AuthorizedPrincipalsFile none
 #AuthorizedKeysCommand none
 #AuthorizedKeysCommandUser nobody
 # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
 #HostbasedAuthentication no
 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # HostbasedAuthentication
 #IgnoreUserKnownHosts no
 # Don't read the user's ~/.rhosts and ~/.shosts files
 #IgnoreRhosts yes
 # To disable tunneled clear text passwords, change to no here!
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
 # Change to yes to enable challenge-response passwords (beware issues with
 # some PAM modules and threads)
 ChallengeResponseAuthentication no
 # Kerberos options
 #KerberosAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #KerberosGetAFSToken no
 # GSSAPI options
 #GSSAPIAuthentication no
 #GSSAPICleanupCredentials yes
 #GSSAPIStrictAcceptorCheck yes
 #GSSAPIKeyExchange no
 # Set this to 'yes' to enable PAM authentication, account processing,
 # and session processing. If this is enabled, PAM authentication will
 # be allowed through the ChallengeResponseAuthentication and
 # PasswordAuthentication.  Depending on your PAM configuration,
 # PAM authentication via ChallengeResponseAuthentication may bypass
 # the setting of "PermitRootLogin without-password".
 # If you just want the PAM account and session checks to run without
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 UsePAM yes
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
 X11Forwarding no
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PermitTTY yes
 PrintMotd no
 #PrintLastLog yes
 #TCPKeepAlive yes
 #UseLogin no
 #PermitUserEnvironment no
 #Compression delayed
 #ClientAliveInterval 0
 #ClientAliveCountMax 3
 #UseDNS no
 #PidFile /var/run/sshd.pid
 #MaxStartups 10:30:100
 #PermitTunnel no
 #ChrootDirectory none
 #VersionAddendum none
 # no default banner path
 #Banner none
 # Allow client to pass locale environment variables
 AcceptEnv LANG LC_*
 # override default of no subsystems
 Subsystem	sftp	/usr/lib/openssh/sftp-server
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
 #	X11Forwarding no
 #	AllowTcpForwarding no
 #	PermitTTY no
 #	ForceCommand cvs server
 # Originally from: https://stribika.github.io/2015/01/04/secure-secure-shell.html
 # ... but with ciphers and MACs with < 256 bits removed, as NSA's Suite B now
 # does away with these! See: https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml
 Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes256-ctr
 MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
 KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
 # only allow shell access by provisioning user
 AllowUsers {{ provisioning_user.name }}
--- a/roles/nginx/tasks/letsencrypt.yml
+++ b/roles/nginx/tasks/letsencrypt.yml
@ -44,7 +44,9 @@
    ansible.builtin.file:
      dest: "{{ letsencrypt_acme_script_temp }}"
      state: absent
-    when: acme_install.rc is defined and acme_install.rc == 0
+    when:
      - acme_install.rc is defined
      - acme_install.rc == 0
  - name: Set default certificate authority for acme.sh
    ansible.builtin.command:
--- a/roles/nginx/tasks/wordpress.yml
+++ b/roles/nginx/tasks/wordpress.yml
@ -3,12 +3,16 @@
 - block:
  - name: Install WordPress
    ansible.builtin.git: repo=https://github.com/WordPress/WordPress.git dest={{ nginx_root_prefix }}/{{ item.domain_name }}/wordpress version={{ item.wordpress_version }} depth=1 force=true
-    when: item.has_wordpress is defined and item.has_wordpress
+    when:
      - item.has_wordpress is defined
      - item.has_wordpress == true
    loop: "{{ nginx_vhosts }}"
  - name: Fix WordPress directory permissions
    ansible.builtin.file: path={{ nginx_root_prefix }}/{{ item.domain_name }} state=directory owner=nginx group=nginx recurse=true
-    when: item.has_wordpress is defined and item.has_wordpress
+    when:
      - item.has_wordpress is defined
      - item.has_wordpress == true
    loop: "{{ nginx_vhosts }}"
  tags: wordpress
--- a/roles/nginx/templates/vhost.conf.j2
+++ b/roles/nginx/templates/vhost.conf.j2
@ -78,8 +78,6 @@ server {
        {# As of Ubuntu 16.04 and Debian 9, the PHP-FPM configs are the same #}
        {% if (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('16.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_major_version is version('9', '==')) %}
        fastcgi_pass unix:/run/php/php7.0-fpm-{{ domain_name }}.sock;
        {% elif ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==') %}
        fastcgi_pass unix:/run/php/php7.2-fpm-{{ domain_name }}.sock;
        {% elif ansible_distribution == 'Debian' and ansible_distribution_version is version('10', '==') %}
        fastcgi_pass unix:/run/php/php7.3-fpm-{{ domain_name }}.sock;
        {% elif (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '==')) %}
--- a/roles/php-fpm/handlers/main.yml
+++ b/roles/php-fpm/handlers/main.yml
@ -1,8 +1,4 @@
 ---
 # For Ubuntu 18.04
 - name: reload php7.2-fpm
  ansible.builtin.systemd: name=php7.2-fpm state=reloaded
 # For Debian 10
 - name: reload php7.3-fpm
  ansible.builtin.systemd: name=php7.3-fpm state=reloaded
--- a/roles/php-fpm/tasks/Debian_10.yml
+++ b/roles/php-fpm/tasks/Debian_10.yml
@ -30,6 +30,6 @@
    notify: reload php7.3-fpm
  tags: php-fpm
-  when: install_php
+  when: install_php == true
 # vim: set ts=2 sw=2:
--- a/roles/php-fpm/tasks/Ubuntu_18.04.yml
+++ b/roles/php-fpm/tasks/Ubuntu_18.04.yml
@ -1,35 +0,0 @@
 ---
 - block:
  - name: Set php-fpm packages
    ansible.builtin.set_fact:
      php_fpm_packages:
        - php-fpm
        # for WordPress
        - php-mysql
        - php-gd
        - php-curl
  - name: Install php-fpm and deps
    ansible.builtin.apt: name={{ php_fpm_packages }} state=present update_cache=true
  # only copy php-fpm config for vhosts that need WordPress or PHP
  - name: Copy php-fpm pool config
    ansible.builtin.template: src=php7.2-pool.conf.j2 dest=/etc/php/7.2/fpm/pool.d/{{ item.domain_name }}.conf owner=root group=root mode=0644
    loop: "{{ nginx_vhosts }}"
    when: (item.has_wordpress is defined and item.has_wordpress) or (item.needs_php is defined and item.needs_php)
    notify: reload php7.2-fpm
  - name: Remove default www pool
    ansible.builtin.file: path=/etc/php/7.2/fpm/pool.d/www.conf state=absent
    notify: reload php7.2-fpm
  # re-configure php.ini
  - name: Update php.ini
    ansible.builtin.template: src=php7.2-php.ini.j2 dest=/etc/php/7.2/fpm/php.ini owner=root group=root mode=0644
    notify: reload php7.2-fpm
  tags: php-fpm
  when: install_php
 # vim: set ts=2 sw=2:
--- a/roles/php-fpm/tasks/Ubuntu_20.04.yml
+++ b/roles/php-fpm/tasks/Ubuntu_20.04.yml
@ -31,6 +31,6 @@
    notify: reload php7.4-fpm
  tags: php-fpm
-  when: install_php
+  when: install_php == true
 # vim: set ts=2 sw=2:
--- a/roles/php-fpm/tasks/main.yml
+++ b/roles/php-fpm/tasks/main.yml
@ -1,5 +1,4 @@
 ---
 # Ubuntu 18.04 uses php-fpm 7.2
 # Debian 10 uses php-fpm 7.3
 # Ubuntu 20.04 uses PHP 7.4
 # Debian 11 uses PHP 7.4
@ -27,24 +26,28 @@
    install_php: false
  when: install_php is not defined
 - name: Configure php-fpm on Ubuntu 18.04
  ansible.builtin.include_tasks: Ubuntu_18.04.yml
  when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('18.04', '==') and install_php
  tags: php-fpm
 - name: Configure php-fpm on Debian 10
  ansible.builtin.include_tasks: Debian_10.yml
-  when: ansible_distribution == 'Debian' and ansible_distribution_version is version('10', '==') and install_php
+  when:
    - ansible_distribution == 'Debian'
    - ansible_distribution_version is version('10', '==')
    - install_php == true
  tags: php-fpm
 - name: Configure php-fpm on Ubuntu 20.04
  ansible.builtin.include_tasks: Ubuntu_20.04.yml
-  when: ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==') and install_php
+  when:
    - ansible_distribution == 'Ubuntu'
    - ansible_distribution_version is version('20.04', '==')
    - install_php == true
  tags: php-fpm
 - name: Configure php-fpm on Debian 11
  ansible.builtin.include_tasks: Ubuntu_20.04.yml
-  when: ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '==') and install_php
+  when:
    - ansible_distribution == 'Debian'
    - ansible_distribution_version is version('11', '==')
    - install_php == true
  tags: php-fpm
 # vim: set ts=2 sw=2:
--- a/roles/php-fpm/templates/php7.2-php.ini.j2
+++ b/roles/php-fpm/templates/php7.2-php.ini.j2
--- a/roles/php-fpm/templates/php7.2-pool.conf.j2
+++ b/roles/php-fpm/templates/php7.2-pool.conf.j2
@ -1,415 +0,0 @@
 {% set domain_name  = item.domain_name %}
 ; Start a new pool named '{{ domain_name }}'.
 ; the variable $pool can we used in any directive and will be replaced by the
 ; pool name ('{{ domain_name }}' here)
 [{{ domain_name }}]
 ; Per pool prefix
 ; It only applies on the following directives:
 ; - 'access.log'
 ; - 'slowlog'
 ; - 'listen' (unixsocket)
 ; - 'chroot'
 ; - 'chdir'
 ; - 'php_values'
 ; - 'php_admin_values'
 ; When not set, the global prefix (or /usr) applies instead.
 ; Note: This directive can also be relative to the global prefix.
 ; Default Value: none
 ;prefix = /path/to/pools/$pool
 ; Unix user/group of processes
 ; Note: The user is mandatory. If the group is not set, the default user's group
 ;       will be used.
 user = nginx
 group = nginx
 ; The address on which to accept FastCGI requests.
 ; Valid syntaxes are:
 ;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
 ;                            a specific port;
 ;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
 ;                            a specific port;
 ;   'port'                 - to listen on a TCP socket to all addresses
 ;                            (IPv6 and IPv4-mapped) on a specific port;
 ;   '/path/to/unix/socket' - to listen on a unix socket.
 ; Note: This value is mandatory.
 listen = /run/php/php7.2-fpm-{{ domain_name }}.sock
 ; Set listen(2) backlog.
 ; Default Value: 511 (-1 on FreeBSD and OpenBSD)
 ;listen.backlog = 511
 ; Set permissions for unix socket, if one is used. In Linux, read/write
 ; permissions must be set in order to allow connections from a web server. Many
 ; BSD-derived systems allow connections regardless of permissions.
 ; Default Values: user and group are set as the running user
 ;                 mode is set to 0660
 listen.owner = nginx
 listen.group = nginx
 ;listen.mode = 0660
 ; When POSIX Access Control Lists are supported you can set them using
 ; these options, value is a comma separated list of user/group names.
 ; When set, listen.owner and listen.group are ignored
 ;listen.acl_users =
 ;listen.acl_groups =
 ; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
 ; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
 ; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
 ; must be separated by a comma. If this value is left blank, connections will be
 ; accepted from any ip address.
 ; Default Value: any
 ;listen.allowed_clients = 127.0.0.1
 ; Specify the nice(2) priority to apply to the pool processes (only if set)
 ; The value can vary from -19 (highest priority) to 20 (lower priority)
 ; Note: - It will only work if the FPM master process is launched as root
 ;       - The pool processes will inherit the master process priority
 ;         unless it specified otherwise
 ; Default Value: no set
 ; process.priority = -19
 ; Choose how the process manager will control the number of child processes.
 ; Possible Values:
 ;   static  - a fixed number (pm.max_children) of child processes;
 ;   dynamic - the number of child processes are set dynamically based on the
 ;             following directives. With this process management, there will be
 ;             always at least 1 children.
 ;             pm.max_children      - the maximum number of children that can
 ;                                    be alive at the same time.
 ;             pm.start_servers     - the number of children created on startup.
 ;             pm.min_spare_servers - the minimum number of children in 'idle'
 ;                                    state (waiting to process). If the number
 ;                                    of 'idle' processes is less than this
 ;                                    number then some children will be created.
 ;             pm.max_spare_servers - the maximum number of children in 'idle'
 ;                                    state (waiting to process). If the number
 ;                                    of 'idle' processes is greater than this
 ;                                    number then some children will be killed.
 ;  ondemand - no children are created at startup. Children will be forked when
 ;             new requests will connect. The following parameter are used:
 ;             pm.max_children           - the maximum number of children that
 ;                                         can be alive at the same time.
 ;             pm.process_idle_timeout   - The number of seconds after which
 ;                                         an idle process will be killed.
 ; Note: This value is mandatory.
 pm = dynamic
 ; The number of child processes to be created when pm is set to 'static' and the
 ; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
 ; This value sets the limit on the number of simultaneous requests that will be
 ; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
 ; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
 ; CGI. The below defaults are based on a server without much resources. Don't
 ; forget to tweak pm.* to fit your needs.
 ; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
 ; Note: This value is mandatory.
 pm.max_children = 5
 ; The number of child processes created on startup.
 ; Note: Used only when pm is set to 'dynamic'
 ; Default Value: min_spare_servers + (max_spare_servers - min_spare_servers) / 2
 pm.start_servers = 2
 ; The desired minimum number of idle server processes.
 ; Note: Used only when pm is set to 'dynamic'
 ; Note: Mandatory when pm is set to 'dynamic'
 pm.min_spare_servers = 1
 ; The desired maximum number of idle server processes.
 ; Note: Used only when pm is set to 'dynamic'
 ; Note: Mandatory when pm is set to 'dynamic'
 pm.max_spare_servers = 3
 ; The number of seconds after which an idle process will be killed.
 ; Note: Used only when pm is set to 'ondemand'
 ; Default Value: 10s
 ;pm.process_idle_timeout = 10s;
 ; The number of requests each child process should execute before respawning.
 ; This can be useful to work around memory leaks in 3rd party libraries. For
 ; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
 ; Default Value: 0
 ;pm.max_requests = 500
 ; The URI to view the FPM status page. If this value is not set, no URI will be
 ; recognized as a status page. It shows the following informations:
 ;   pool                 - the name of the pool;
 ;   process manager      - static, dynamic or ondemand;
 ;   start time           - the date and time FPM has started;
 ;   start since          - number of seconds since FPM has started;
 ;   accepted conn        - the number of request accepted by the pool;
 ;   listen queue         - the number of request in the queue of pending
 ;                          connections (see backlog in listen(2));
 ;   max listen queue     - the maximum number of requests in the queue
 ;                          of pending connections since FPM has started;
 ;   listen queue len     - the size of the socket queue of pending connections;
 ;   idle processes       - the number of idle processes;
 ;   active processes     - the number of active processes;
 ;   total processes      - the number of idle + active processes;
 ;   max active processes - the maximum number of active processes since FPM
 ;                          has started;
 ;   max children reached - number of times, the process limit has been reached,
 ;                          when pm tries to start more children (works only for
 ;                          pm 'dynamic' and 'ondemand');
 ; Value are updated in real time.
 ; Example output:
 ;   pool:                 www
 ;   process manager:      static
 ;   start time:           01/Jul/2011:17:53:49 +0200
 ;   start since:          62636
 ;   accepted conn:        190460
 ;   listen queue:         0
 ;   max listen queue:     1
 ;   listen queue len:     42
 ;   idle processes:       4
 ;   active processes:     11
 ;   total processes:      15
 ;   max active processes: 12
 ;   max children reached: 0
 ;
 ; By default the status page output is formatted as text/plain. Passing either
 ; 'html', 'xml' or 'json' in the query string will return the corresponding
 ; output syntax. Example:
 ;   http://www.foo.bar/status
 ;   http://www.foo.bar/status?json
 ;   http://www.foo.bar/status?html
 ;   http://www.foo.bar/status?xml
 ;
 ; By default the status page only outputs short status. Passing 'full' in the
 ; query string will also return status for each pool process.
 ; Example:
 ;   http://www.foo.bar/status?full
 ;   http://www.foo.bar/status?json&full
 ;   http://www.foo.bar/status?html&full
 ;   http://www.foo.bar/status?xml&full
 ; The Full status returns for each process:
 ;   pid                  - the PID of the process;
 ;   state                - the state of the process (Idle, Running, ...);
 ;   start time           - the date and time the process has started;
 ;   start since          - the number of seconds since the process has started;
 ;   requests             - the number of requests the process has served;
 ;   request duration     - the duration in µs of the requests;
 ;   request method       - the request method (GET, POST, ...);
 ;   request URI          - the request URI with the query string;
 ;   content length       - the content length of the request (only with POST);
 ;   user                 - the user (PHP_AUTH_USER) (or '-' if not set);
 ;   script               - the main script called (or '-' if not set);
 ;   last request cpu     - the %cpu the last request consumed
 ;                          it's always 0 if the process is not in Idle state
 ;                          because CPU calculation is done when the request
 ;                          processing has terminated;
 ;   last request memory  - the max amount of memory the last request consumed
 ;                          it's always 0 if the process is not in Idle state
 ;                          because memory calculation is done when the request
 ;                          processing has terminated;
 ; If the process is in Idle state, then informations are related to the
 ; last request the process has served. Otherwise informations are related to
 ; the current request being served.
 ; Example output:
 ;   ************************
 ;   pid:                  31330
 ;   state:                Running
 ;   start time:           01/Jul/2011:17:53:49 +0200
 ;   start since:          63087
 ;   requests:             12808
 ;   request duration:     1250261
 ;   request method:       GET
 ;   request URI:          /test_mem.php?N=10000
 ;   content length:       0
 ;   user:                 -
 ;   script:               /home/fat/web/docs/php/test_mem.php
 ;   last request cpu:     0.00
 ;   last request memory:  0
 ;
 ; Note: There is a real-time FPM status monitoring sample web page available
 ;       It's available in: /usr/share/php/7.2/fpm/status.html
 ;
 ; Note: The value must start with a leading slash (/). The value can be
 ;       anything, but it may not be a good idea to use the .php extension or it
 ;       may conflict with a real PHP file.
 ; Default Value: not set
 ;pm.status_path = /status
 ; The ping URI to call the monitoring page of FPM. If this value is not set, no
 ; URI will be recognized as a ping page. This could be used to test from outside
 ; that FPM is alive and responding, or to
 ; - create a graph of FPM availability (rrd or such);
 ; - remove a server from a group if it is not responding (load balancing);
 ; - trigger alerts for the operating team (24/7).
 ; Note: The value must start with a leading slash (/). The value can be
 ;       anything, but it may not be a good idea to use the .php extension or it
 ;       may conflict with a real PHP file.
 ; Default Value: not set
 ;ping.path = /ping
 ; This directive may be used to customize the response of a ping request. The
 ; response is formatted as text/plain with a 200 response code.
 ; Default Value: pong
 ;ping.response = pong
 ; The access log file
 ; Default: not set
 ;access.log = log/$pool.access.log
 ; The access log format.
 ; The following syntax is allowed
 ;  %%: the '%' character
 ;  %C: %CPU used by the request
 ;      it can accept the following format:
 ;      - %{user}C for user CPU only
 ;      - %{system}C for system CPU only
 ;      - %{total}C  for user + system CPU (default)
 ;  %d: time taken to serve the request
 ;      it can accept the following format:
 ;      - %{seconds}d (default)
 ;      - %{miliseconds}d
 ;      - %{mili}d
 ;      - %{microseconds}d
 ;      - %{micro}d
 ;  %e: an environment variable (same as $_ENV or $_SERVER)
 ;      it must be associated with embraces to specify the name of the env
 ;      variable. Some exemples:
 ;      - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
 ;      - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
 ;  %f: script filename
 ;  %l: content-length of the request (for POST request only)
 ;  %m: request method
 ;  %M: peak of memory allocated by PHP
 ;      it can accept the following format:
 ;      - %{bytes}M (default)
 ;      - %{kilobytes}M
 ;      - %{kilo}M
 ;      - %{megabytes}M
 ;      - %{mega}M
 ;  %n: pool name
 ;  %o: output header
 ;      it must be associated with embraces to specify the name of the header:
 ;      - %{Content-Type}o
 ;      - %{X-Powered-By}o
 ;      - %{Transfert-Encoding}o
 ;      - ....
 ;  %p: PID of the child that serviced the request
 ;  %P: PID of the parent of the child that serviced the request
 ;  %q: the query string
 ;  %Q: the '?' character if query string exists
 ;  %r: the request URI (without the query string, see %q and %Q)
 ;  %R: remote IP address
 ;  %s: status (response code)
 ;  %t: server time the request was received
 ;      it can accept a strftime(3) format:
 ;      %d/%b/%Y:%H:%M:%S %z (default)
 ;  %T: time the log has been written (the request has finished)
 ;      it can accept a strftime(3) format:
 ;      %d/%b/%Y:%H:%M:%S %z (default)
 ;  %u: remote user
 ;
 ; Default: "%R - %u %t \"%m %r\" %s"
 ;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
 ; The log file for slow requests
 ; Default Value: not set
 ; Note: slowlog is mandatory if request_slowlog_timeout is set
 ;slowlog = log/$pool.log.slow
 ; The timeout for serving a single request after which a PHP backtrace will be
 ; dumped to the 'slowlog' file. A value of '0s' means 'off'.
 ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
 ; Default Value: 0
 ;request_slowlog_timeout = 0
 ; Depth of slow log stack trace.
 ; Default Value: 20
 ;request_slowlog_trace_depth = 20
 ; The timeout for serving a single request after which the worker process will
 ; be killed. This option should be used when the 'max_execution_time' ini option
 ; does not stop script execution for some reason. A value of '0' means 'off'.
 ; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
 ; Default Value: 0
 ;request_terminate_timeout = 0
 ; Set open file descriptor rlimit.
 ; Default Value: system defined value
 ;rlimit_files = 1024
 ; Set max core size rlimit.
 ; Possible Values: 'unlimited' or an integer greater or equal to 0
 ; Default Value: system defined value
 ;rlimit_core = 0
 ; Chroot to this directory at the start. This value must be defined as an
 ; absolute path. When this value is not set, chroot is not used.
 ; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
 ; of its subdirectories. If the pool prefix is not set, the global prefix
 ; will be used instead.
 ; Note: chrooting is a great security feature and should be used whenever
 ;       possible. However, all PHP paths will be relative to the chroot
 ;       (error_log, sessions.save_path, ...).
 ; Default Value: not set
 ;chroot =
 ; Chdir to this directory at the start.
 ; Note: relative path can be used.
 ; Default Value: current directory or / when chroot
 ;chdir = /var/www
 ; Redirect worker stdout and stderr into main error log. If not set, stdout and
 ; stderr will be redirected to /dev/null according to FastCGI specs.
 ; Note: on highloaded environement, this can cause some delay in the page
 ; process time (several ms).
 ; Default Value: no
 catch_workers_output = yes
 ; Clear environment in FPM workers
 ; Prevents arbitrary environment variables from reaching FPM worker processes
 ; by clearing the environment in workers before env vars specified in this
 ; pool configuration are added.
 ; Setting to "no" will make all environment variables available to PHP code
 ; via getenv(), $_ENV and $_SERVER.
 ; Default Value: yes
 ;clear_env = no
 ; Limits the extensions of the main script FPM will allow to parse. This can
 ; prevent configuration mistakes on the web server side. You should only limit
 ; FPM to .php extensions to prevent malicious users to use other extensions to
 ; execute php code.
 ; Note: set an empty value to allow all extensions.
 ; Default Value: .php
 ;security.limit_extensions = .php .php3 .php4 .php5 .php7
 ; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
 ; the current environment.
 ; Default Value: clean env
 ;env[HOSTNAME] = $HOSTNAME
 ;env[PATH] = /usr/local/bin:/usr/bin:/bin
 ;env[TMP] = /tmp
 ;env[TMPDIR] = /tmp
 ;env[TEMP] = /tmp
 ; Additional php.ini defines, specific to this pool of workers. These settings
 ; overwrite the values previously defined in the php.ini. The directives are the
 ; same as the PHP SAPI:
 ;   php_value/php_flag             - you can set classic ini defines which can
 ;                                    be overwritten from PHP call 'ini_set'.
 ;   php_admin_value/php_admin_flag - these directives won't be overwritten by
 ;                                     PHP call 'ini_set'
 ; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
 ; Defining 'extension' will load the corresponding shared extension from
 ; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
 ; overwrite previously defined php.ini values, but will append the new value
 ; instead.
 ; Note: path INI options can be relative and will be expanded with the prefix
 ; (pool, global or /usr)
 ; Default Value: nothing is defined by default except the values in php.ini and
 ;                specified at startup with the -d argument
 ;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
 ;php_flag[display_errors] = off
 ;php_admin_value[error_log] = /var/log/fpm-php.www.log
 ;php_admin_flag[log_errors] = on
 ;php_admin_value[memory_limit] = 32M
Author	SHA1	Message	Date
Alan Orth	0240897b1b	Remove Ubuntu 18.04 support	2022-09-10 23:30:04 +03:00
Alan Orth	1da0da53ec	roles: use longer format for when conditionals When the condition is an AND we can use this more succinct format.	2022-09-10 23:12:49 +03:00
Alan Orth	677cc9f160	roles/php-fpm: fix truthy-ness in when	2022-09-10 23:12:26 +03:00