remove deprecated nginx config options

This commit removes the Nginx configuration options related to OCSP stapling and OCSP Must-Staple.
Let's Encrypt is discontinuing OCSP support in favor of CRLs (Certificate Revocation Lists) to improve privacy and simplify infrastructure.

roles/lego/defaults/main.yml

@@ -0,0 +1,14 @@
+---
+# lego_certificate_domains:
+#   - cn: "dns.ows.cx"
+#     sans: [*.dns.ows.cx]
+
+# lego_certificate_destination:
+#   path: /etc/nginx/certs
+#   owner: root
+#   group: nginx
+
+# lego_services_reload:
+#   name: nginx
+#   # OR
+#   command: /usr/sbin/nginx -s reload

roles/lego/tasks/main.yml

@@ -1,14 +1,21 @@
 ---
-
 - name: Get latest lego version
-  github_release:
+  become: false
+  delegate_to: localhost
+  run_once: true
+  when: lego_version is undefined
+  block:
+    - name: Get latest version from Github
+      github_release:  # needs Python Module github3.py
         user: go-acme
         repo: lego
         action: latest_release
         token: "{{ vault_github_token }}"
-  delegate_to: localhost
-  run_once: true
-  register: lego_version
+      register: lego_github_version
+
+    - name: "{{ lego_github_version }}"
+      set_fact:
+        lego_version: "{{ lego_github_version.tag }}"
 
 - name: Set architecture alias
   set_fact:
@@ -20,10 +27,10 @@
     architecture_alias: "arm64"  # noqa: var-naming[no-role-prefix]
   when: ansible_architecture == "aarch64"
 
-- name: "Download lego from GitHub ({{ lego_version.tag }})"
+- name: "Download lego from GitHub"
   get_url:
     url: "https://github.com/go-acme/lego/releases/download/\
-          {{ lego_version.tag }}/lego_{{ lego_version.tag }}\
+          {{ lego_version }}/lego_{{ lego_version }}\
           _linux_{{ architecture_alias }}.tar.gz"
     dest: "/var/tmp/lego.tar.gz"
     mode: "0644"
@@ -48,22 +55,44 @@
     mode: "0755"
     state: directory
 
+- name: Copy ACME renew-hook script
+  template:
+    src: "renew-hook.sh.j2"
+    dest: "{{ lego_config_dir }}/renew-hook.sh"
+    mode: "0750"
+  vars:
+    lego_cert_dir: "{{ lego_config_dir }}/certificates"
+
 - name: Register lego and create cert
-  command: |
+  shell: >
       {{ lego_install_dir }}/lego --accept-tos
-    {% for dns in certificate_domains %}
-    --domains="{{ dns }}"
-    {%   endfor %}
+      --domains="{{ item.cn }}"
+      {% if item.sans is defined and item.sans %}
+      {% for san in item.sans %}--domains="{{ san }}" {% endfor %}
+      {% endif %}
       {{ lego_cli_params | join(' ') }}
-    run
+      run &&
+      {{ lego_config_dir }}/renew-hook.sh '{{ item.cn }}'
   args:
-    creates: "/etc/lego/accounts"
+    creates: "{{ lego_certificate_destination.path | default(lego_config_dir + '/certificates') }}/{{ item.cn }}.crt"
   environment: '{ "{{ lego_provider|upper }}_API_KEY": "{{ vault_ionos_token_dns }}" }'
+  loop: "{{ lego_certificate_domains }}"
+  loop_control:
+    label: "{{ item.cn }}"
 
 - name: Copy lego systemd service
   template:
-    src: "{{ item }}.j2"
-    dest: "/etc/systemd/system/{{ item }}"
+    src: "lego.{{ item.1 }}.j2"
+    dest: "/etc/systemd/system/lego_{{ item.0.cn }}.{{ item.1 }}"
     mode: "0644"
-  loop: [lego.service, lego.timer]
-  notify: [Restart lego_service, Restart lego_timer]
+  loop: "{{ lego_certificate_domains | product(['service', 'timer']) | list }}"
+  loop_control:
+    label: "lego_{{ item.0.cn }}.{{ item.1 }}"
+
+- name: Start lego_timer
+  systemd:
+    daemon_reload: true
+    enabled: true
+    name: "lego_{{ item.cn }}.timer"
+    state: started
+  loop: "{{ lego_certificate_domains }}"

roles/lego/templates/lego.service.j2

@@ -1,19 +1,31 @@
 ## Managed by Ansible ##
 
 [Unit]
-Description=Run lego renew
+Description=Renew Lets Encrypt certificate for {{ item.0.cn }}
 After=network-online.target
 
 [Service]
 Type=oneshot
+{% if lego_provider == "ionos" %}
 Environment={{ lego_provider|upper }}_API_KEY={{ vault_ionos_token_dns }}
+{% endif %}
 ExecStart={{ lego_install_dir }}/lego \
-    {% for dns in certificate_domains %}
-    --domains="{{ dns }}" \
-    {%   endfor %}
-    {{ lego_cli_params|join(' ') }} \
-    renew 
+    --domains="{{ item.0.cn }}" \
+{% if item.0.sans is defined and item.0.sans %}
+{% for san in item.0.sans %}
+    --domains="{{ san }}" \
+{% endfor %}
+{% endif %}
+    {{ lego_cli_params | join(' ') }} \
+    renew \
+    --renew-hook="{{ lego_config_dir }}/renew-hook.sh {{ item.0.cn }}"
 User=root
 
+# Restart if renewal fails, but not too quickly
+RestartSec=12h
+Restart=on-failure
+StartLimitInterval=72h
+StartLimitBurst=3
+
 [Install]
 WantedBy=multi-user.target

roles/lego/templates/lego.timer.j2

@@ -1,12 +1,12 @@
 ## Managed by Ansible ##
 
 [Unit]
-Description=Start lego renew
+Description=Timer for Lets Encrypt certificate renewal of {{ item.0.cn  }}
 
 [Timer]
 Persistent=true
-OnCalendar=Mon 04:00:00
-RandomizedDelaySec=3600
+OnCalendar=Mon 03:00:00
+RandomizedDelaySec=1h
 
 [Install]
 WantedBy=timers.target

roles/lego/templates/renew-hook.sh.j2

@@ -0,0 +1,134 @@
+#!/usr/bin/bash
+
+## Managed by Ansible ##
+
+# Variables set by Ansible
+cert_src_path="{{ lego_cert_dir }}"
+
+# Certificate destination variables (if defined)
+cert_dest_path="{{ lego_certificate_destination.path | default('') }}"
+cert_owner="{{ lego_certificate_destination.owner | default('') }}"
+cert_group="{{ lego_certificate_destination.group | default('') }}"
+
+# Service reload variables (if defined)
+service_name="{{ lego_services_reload.name | default('') }}"
+service_command="{{ lego_services_reload.command | default('') }}"
+
+copy_certificate_files() {
+  local domain="$1"
+  local success=true
+  
+  # Check if destination is defined
+  if [ -z "$cert_dest_path" ]; then
+    echo "No certificate destination defined, skipping copy"
+    return 0
+  fi
+  
+  echo "Copying certificate files for $domain..."
+  echo "Copying to $cert_dest_path..."
+  
+  # Create destination directory if it doesn't exist
+  mkdir -p "$cert_dest_path"
+  
+  # Copy certificate files
+  cp "$cert_src_path/${domain}.crt" "$cert_dest_path/${domain}.crt" || success=false
+  cp "$cert_src_path/${domain}.key" "$cert_dest_path/${domain}.key" || success=false
+  
+  # Copy issuer cert if it exists
+  if [ -f "$cert_src_path/${domain}.issuer.crt" ]; then
+    cp "$cert_src_path/${domain}.issuer.crt" "$cert_dest_path/${domain}.issuer.crt" || success=false
+  fi
+  
+  # Set standard secure permissions
+  # 644 for certificates, 600 for keys
+  chmod 644 "$cert_dest_path/${domain}.crt" || success=false
+  chmod 600 "$cert_dest_path/${domain}.key" || success=false
+  
+  # Set issuer cert permissions if it exists
+  if [ -f "$cert_dest_path/${domain}.issuer.crt" ]; then
+    chmod 644 "$cert_dest_path/${domain}.issuer.crt" || success=false
+  fi
+  
+  # Set ownership if specified
+  if [ -n "$cert_owner" ] && [ -n "$cert_group" ]; then
+    if [ -f "$cert_dest_path/${domain}.issuer.crt" ]; then
+      chown "$cert_owner":"$cert_group" "$cert_dest_path/${domain}.crt" "$cert_dest_path/${domain}.key" "$cert_dest_path/${domain}.issuer.crt" || success=false
+    else
+      chown "$cert_owner":"$cert_group" "$cert_dest_path/${domain}.crt" "$cert_dest_path/${domain}.key" || success=false
+    fi
+  fi
+  
+  if $success; then
+    echo "Certificate files copied successfully"
+    return 0
+  else
+    echo "Error copying certificate files"
+    return 1
+  fi
+}
+
+reload_service() {
+  local domain="$1"
+  local success=true
+  
+  # Check if service reload is defined
+  if [ -z "$service_name" ] && [ -z "$service_command" ]; then
+    echo "No service reload defined, skipping reload"
+    return 0
+  fi
+  
+  echo "Reloading service..."
+  
+  if [ -n "$service_command" ]; then
+    echo "Running command: $service_command"
+    eval "$service_command" || success=false
+  elif [ -n "$service_name" ]; then
+    echo "Reloading $service_name..."
+    systemctl reload "$service_name" || systemctl restart "$service_name" || success=false
+  fi
+  
+  if $success; then
+    echo "Service reloaded successfully"
+    return 0
+  else
+    echo "Error reloading service"
+    return 1
+  fi
+}
+
+# Check if domain is provided as parameter
+if [ $# -lt 1 ]; then
+  echo "Error: Domain parameter is required"
+  echo "Usage: $0 <domain>"
+  exit 1
+fi
+
+# Get domain from parameter
+domain="$1"
+
+# Main execution
+echo "Certificate renewal hook triggered for $domain"
+
+# Call the functions
+copy_certificate_files "$domain"
+copy_result=$?
+
+reload_service "$domain"
+reload_result=$?
+
+# Send webhook notification
+message="$domain certificate was successfully renewed"
+
+if [ -n "$cert_dest_path" ]; then
+  message="${message}, files copied"
+fi
+
+if [ -n "$service_name" ] || [ -n "$service_command" ]; then
+  message="${message}, and service reloaded"
+fi
+
+if [ $copy_result -eq 0 ] && [ $reload_result -eq 0 ]; then
+  echo "$message"
+else
+  echo "$domain certificate was renewed but post-renewal tasks failed"
+fi

roles/lego/vars/main.yml

@@ -1,21 +1,17 @@
 ---
+# Lego
 lego_install_dir: "/usr/local/bin"
-lego_config_dir: "/etc/lego"
+lego_config_dir: "/var/lib/lego"
 lego_provider: "ionos"
-lego_cert_mail: !vault |
+lego_cli_params:
+  - --path={{ lego_config_dir }}
+  - --email={{ vault_lego_cert_mail }}
+  - --dns={{ lego_provider }}
+  - --key-type=ec256
+vault_lego_cert_mail: !vault |
   $ANSIBLE_VAULT;1.2;AES256;dtsv-dev
   32353064653631636431646333633664363866666439306235303138306461313266343939346463
   6565636462656666366133653638333433393730656362360a333363623561646436613530623662
   34623331313964316464653333646134353037333065373063346164623037663235316361646666
   3466623937663061340a643863633034633665316364313065303166643363653366363063303261
   34316163616637633837333539626337356563616566346561333439646565373665
-lego_cli_params:
-  - --path={{ lego_config_dir }}
-  - --email={{ lego_cert_mail }}
-  - --dns={{ lego_provider }}
-  - --key-type=ec384
-
-# Certificates
-certificate_domains:
-  - "twirling.de"
-  - "*.twirling.de"

roles/mariadb/tasks/mariadb.yml

@@ -18,7 +18,14 @@
 - name: Add MariaDB Repository
   apt_repository:
     repo: "deb [arch={{ architecture_alias }} signed-by=/usr/share/keyrings/mariadb_release_signing_key.gpg] \
-          https://mirrors.n-ix.net/mariadb/repo/{{ mariadb_server_version }}/ubuntu {{ ansible_distribution_release }} main/debug"
+          https://dlm.mariadb.com/repo/mariadb-server/{{ mariadb_server_version }}/repo/ubuntu {{ ansible_distribution_release }} main"
+    state: present
+    update_cache: true
+
+- name: Add MariaDB Debug Repository
+  apt_repository:
+    repo: "deb [arch={{ architecture_alias }} signed-by=/usr/share/keyrings/mariadb_release_signing_key.gpg] \
+          https://dlm.mariadb.com/repo/mariadb-server/{{ mariadb_server_version }}/repo/ubuntu {{ ansible_distribution_release }} main/debug"
     state: present
     update_cache: true
 

roles/mariadb/vars/main.yml

@@ -1,7 +1,7 @@
 ---
 # MariaDB
 
-mariadb_server_version: "10.10"
+mariadb_server_version: "11.rolling"
 mariadb_config:
   # - name: unix_socket_directories
   #   value: default  # comma-separated list of directories. default: "/var/run/mariadb"

roles/nextcloud/handlers/main.yml

@@ -35,10 +35,3 @@
     enabled: true
     name: nextcloud_exporter.service
     state: restarted
-
-- name: Restart nextcloud_backup_timer
-  systemd:
-    daemon_reload: true
-    enabled: true
-    name: nextcloud_backup.timer
-    state: restarted

roles/nextcloud/tasks/configure.yml

@@ -18,7 +18,17 @@
   args:
     chdir: "{{ nextcloud_dir }}"
     creates: "{{ nextcloud_dir }}/apps/{{ item }}"
-  with_items: "{{ nextcloud_occ_install_app }}"
+  loop: "{{ nextcloud_occ_install_app }}"
+
+- name: Update apps
+  become: true
+  become_user: "{{ webserver_user }}"
+  command:
+    cmd: php occ app:update --all
+  args:
+    chdir: "{{ nextcloud_dir }}"
+  register: nextcloud_apps_update
+  changed_when: "' updated' in nextcloud_apps_update.stdout"
 
 - name: Set configs via occ
   become: true
@@ -56,7 +66,7 @@
     architecture_alias: "arm64"  # noqa: var-naming[no-role-prefix]
   when: ansible_architecture == "aarch64"
 
-- name: "Download nextcloud_exporter from GitHub (v{{ nextcloud_exporter_version.tag }})"
+- name: "Download nextcloud_exporter from GitHub"
   get_url:
     url: "https://github.com/xperimental/nextcloud-exporter/releases/download/\
           v{{ nextcloud_exporter_version.tag }}/nextcloud-exporter_{{ nextcloud_exporter_version.tag }}\
@@ -101,7 +111,7 @@
     nextcloud_notify_push_version: "{{ nextcloud_notify_push_version | replace('v', '', 1) | trim }}"
   run_once: true
 
-- name: "Download nextcloud_notify_push from GitHub (v{{ nextcloud_notify_push_version.tag }})"
+- name: "Download nextcloud_notify_push from GitHub"
   get_url:
     url: "https://github.com/nextcloud/notify_push/releases/download/v{{ nextcloud_notify_push_version.tag }}\
           /notify_push-{{ ansible_architecture }}-unknown-linux-musl"

roles/nextcloud/tasks/dependencies.yml

@@ -1,17 +1,4 @@
 ---
-- name: Install required system packages
-  apt:
-    name:
-      - python3-pip
-    state: latest
-    update_cache: true
-    cache_valid_time: 3600
-
-- name: Install required python packages
-  pip:
-    name: gtar  # needed for latest nextcloud tar.bz2 archiv
-    state: latest
-
 - name: Enable APCu
   lineinfile:
     path: /etc/php/{{ php_version }}/cli/conf.d/20-apcu.ini

roles/nextcloud/templates/nextcloud_nightlycron.timer.j2

@@ -5,7 +5,7 @@ Description=Run Nextcloud nightly background job every night
 
 [Timer]
 OnCalendar=00:00:00
-RandomizedDelaySec=600
+RandomizedDelaySec=10m
 Unit=nextcloud_nightlycron.service
 
 [Install]

roles/nextcloud/templates/nextcloud_notify_push.service.j2

@@ -5,6 +5,7 @@ Description = Push daemon for Nextcloud clients
 
 [Service]
 Environment = SOCKET_PATH={{ nextcloud_notify_push_socket }} METRICS_PORT=9206
+Type=notify
 User={{ webserver_user }}
 Group={{ webserver_user }}
 RuntimeDirectory=nextcloud

roles/nextcloud/templates/rclone_mount_nextcloud.service.j2

@@ -5,8 +5,6 @@ Description = rclone crypt mount {{ nextcloud_rclone_mount_dir }}
 After = network-online.target
 
 [Service]
-Environment=RCLONE_RCD_USER=rclone
-Environment=RCLONE_RCD_PASSWORD={{ vault_rclone_rcd_pass }}
 Type=notify
 ExecStart=/usr/bin/rclone mount DTSV_crypt:cloud_data {{ nextcloud_rclone_mount_dir }} \
         --devname rclone \
@@ -33,11 +31,7 @@ ExecStart=/usr/bin/rclone mount DTSV_crypt:cloud_data {{ nextcloud_rclone_mount_
         --cache-dir={{ rclone_cache_dir }} \
         --log-file={{ rclone_log_dir }}/mount_nextcloud.log \
         --log-level=INFO \
-        --rc \
-        --rc-addr "0.0.0.0:5572" \
-        --rc-enable-metrics \
-	--rc-user $RCLONE_RCD_USER \
-	--rc-pass $RCLONE_RCD_PASSWORD \
+        --metrics-addr "0.0.0.0:5573" \
         --user-agent "{{ rclone_user_agent_gd }}"
 ExecStop=/bin/fusermount -u -z {{ nextcloud_rclone_mount_dir }}
 Restart=on-failure

roles/nextcloud/vars/main.yml

@@ -61,10 +61,10 @@ vault_nextcloud_smtp_pass: !vault |
 nextcloud_user_ini:
   - type: php_value
     option: upload_max_filesize
-    value: "{{ nextcloud_max_upload_size }}B"
+    value: "{{ nextcloud_max_upload_size }}"
   - type: php_value
     option: post_max_size
-    value: "{{ nextcloud_max_upload_size }}B"
+    value: "{{ nextcloud_max_upload_size }}"
   - type: php_value
     option: max_input_time
     value: 3600

roles/nginx/tasks/main.yml

@@ -1,5 +1,4 @@
 ---
-
 - name: Set architecture alias
   set_fact:
     architecture_alias: "amd64"  # noqa: var-naming[no-role-prefix]
@@ -35,11 +34,14 @@
     path: /etc/nginx/conf.d/default.conf
     state: absent
 
-- name: Create global config folder
+- name: Create additional config folder
   file:
-    path: "/etc/nginx/global"
+    path: "/etc/nginx/{{ item }}"
     mode: "0755"
     state: directory
+  loop:
+    - global
+    - snippets
 
 - name: Copy Nginx SSL Config
   template:

roles/nginx/templates/ssl.conf.j2

@@ -6,10 +6,6 @@
     ssl_prefer_server_ciphers off;
     ssl_early_data on;
     ssl_dhparam {{ nginx_ssl_dhparam }};
-# OCSP Stapling fetch OCSP records from URL in ssl_certificate and cache them
-    ssl_stapling on;
-    ssl_stapling_verify on;
-    resolver 1.1.1.1 1.0.0.1 [2606:4700:4700::1111] [2606:4700:4700::1001];
 # SSL session handling
     ssl_session_cache shared:SSL:10m;
     ssl_session_timeout 1d;

roles/nginx_exporter/tasks/main.yml

@@ -24,7 +24,7 @@
     architecture_alias: "arm64"  # noqa: var-naming[no-role-prefix]
   when: ansible_architecture == "aarch64"
 
-- name: "Download nginx_exporter from GitHub (v{{ nginx_exporter_version.tag }})"
+- name: "Download nginx_exporter from GitHub"
   get_url:
     url: "https://github.com/nginxinc/nginx-prometheus-exporter/releases/download/\
           v{{ nginx_exporter_version.tag }}/nginx-prometheus-exporter_{{ nginx_exporter_version.tag }}\

roles/node_exporter/tasks/main.yml

@@ -41,7 +41,7 @@
     architecture_alias: "arm64"  # noqa: var-naming[no-role-prefix]
   when: ansible_architecture == "aarch64"
 
-- name: "Download node_exporter from GitHub (v{{ node_exporter_version.tag }})"
+- name: "Download node_exporter from GitHub"
   get_url:
     url: "https://github.com/prometheus/node_exporter/releases/download/\
           v{{ node_exporter_version.tag }}/node_exporter-{{ node_exporter_version.tag }}\

roles/php/tasks/main.yml

@@ -1,8 +1,14 @@
 ---
+# - name: Add Sury PHP GPG apt key
+#   apt_key:
+#     url: https://packages.sury.org/php/apt.gpg
+#     keyring: /usr/share/keyrings/deb.sury.org-php.gpg
+#     state: present
+
 - name: Add Sury PHP Repository
   command: add-apt-repository -y ppa:ondrej/php
   args:
-    creates: "/etc/apt/sources.list.d/ondrej-ubuntu-php-jammy.list"
+    creates: "/etc/apt/sources.list.d/ondrej-ubuntu-php-{{ ansible_distribution_release }}.sources"
   when: php_version is defined  # add repo when version is specified, otherwise use default repo
 
 - name: Uninstall old PHP version
@@ -12,6 +18,10 @@
     purge: true
   when: php_old_version is defined  # uninstall when old version is specified
 
+# - name: Print php_modules list
+#   debug:
+#     msg: "{{ ['php' + php_version] | product(php_modules) | map('join', '-') | list }}"
+
 - name: "Install custom PHP modules {{ php_modules }}"
   apt:
     name: "{{ ['php' + php_version] | product(php_modules) | map('join', '-') | list }}"

roles/php_fpm_exporter/tasks/main.yml

@@ -30,7 +30,7 @@
     architecture_alias: "arm64"  # noqa: var-naming[no-role-prefix]
   when: ansible_architecture == "aarch64"
 
-- name: "Download php_fpm_exporter from GitHub (v{{ php_fpm_exporter_version.tag }})"
+- name: "Download php_fpm_exporter from GitHub"
   get_url:
     url: "https://github.com/hipages/php-fpm_exporter/releases/download/\
           v{{ php_fpm_exporter_version.tag }}/php-fpm_exporter_{{ php_fpm_exporter_version.tag }}\

roles/postgresql/tasks/postgres_exporter.yml

@@ -24,7 +24,7 @@
     architecture_alias: "arm64"  # noqa: var-naming[no-role-prefix]
   when: ansible_architecture == "aarch64"
 
-- name: "Download postgres_exporter from GitHub (v{{ postgresql_exporter_version.tag }})"
+- name: "Download postgres_exporter from GitHub"
   get_url:
     url: "https://github.com/prometheus-community/postgres_exporter/releases/download/\
           v{{ postgresql_exporter_version.tag }}/postgres_exporter-{{ postgresql_exporter_version.tag }}\

roles/postgresql/tasks/postgresql.yml

@@ -40,8 +40,8 @@
 - name: Set PostgreSQL parameters
   become: true
   become_user: postgres
-  community.postgresql.postgresql_set:
-    name: "{{ item.name }}"
+  community.postgresql.postgresql_alter_system:
+    param: "{{ item.param }}"
     value: "{{ item.value }}"
   register: postgresql_set
   loop: "{{ pgsql_config }}"

roles/postgresql/vars/main.yml

@@ -3,33 +3,33 @@
 
 pgsql_server_version: 15
 pgsql_config:
-  # - name: unix_socket_directories
+  # - param: unix_socket_directories
   #   value: default  # comma-separated list of directories. default: "/var/run/postgresql"
-  - name: listen_addresses
+  - param: listen_addresses
     value: "{{ pgsql_server_ip }}"  # what IP address(es) to listen on;
-  - name: password_encryption
-    value: default  # default scram-sha-256
-  - name: max_connections
+  - param: password_encryption
+    value: scram-sha-256  # default scram-sha-256
+  - param: max_connections
     value: "200"  # default 100
-  - name: shared_buffers
+  - param: shared_buffers
     value: "1GB"  # min 128kB, default 128MB
-  - name: effective_cache_size
+  - param: effective_cache_size
     value: "3GB"  # default 4GB
-  - name: maintenance_work_mem
+  - param: maintenance_work_mem
     value: "256MB"  # min 1MB, default 64MB
-  - name: checkpoint_completion_target
+  - param: checkpoint_completion_target
     value: "0.9"  # checkpoint target duration, 0.0 - 1.0, default 0.9
-  - name: wal_buffers
+  - param: wal_buffers
     value: "16MB"  # min 32kB, default -1 sets based on shared_buffers
-  - name: random_page_cost
+  - param: random_page_cost
     value: "1.1"  # how long it take to seek to a random disk page, default 4.0
-  - name: effective_io_concurrency
+  - param: effective_io_concurrency
     value: "200"  # 1-1000; 0 disables prefetching, default 1
-  - name: work_mem
+  - param: work_mem
     value: "2621kB"  # min 64kB, default 4MB
-  - name: min_wal_size
+  - param: min_wal_size
     value: "1GB"  # default 80MB
-  - name: max_wal_size
+  - param: max_wal_size
     value: "4GB"  # default 1GB
 
 pgsql_client_auth:

roles/rclone/vars/main.yml

@@ -6,7 +6,7 @@ rclone_config_dir: "/root/.config/rclone"
 rclone_config_file: "{{ rclone_config_dir }}/rclone.conf"
 rclone_cache_dir: "/var/cache/rclone"
 rclone_log_dir: "/var/log/rclone"
-rclone_user_agent_gd: 'GoogleDriveFS/81.0.5.0 (Windows;OSVer=10.0.22631;)'
+rclone_user_agent_gd: 'GoogleDriveFS/107.0.3.0 (Windows;OSVer=10.0.26100;)'
 
 vault_td_dtsv_id: !vault |
   $ANSIBLE_VAULT;1.2;AES256;dtsv-dev
@@ -48,12 +48,3 @@ td_dtsv_service_account_remote: |
   remote = DTSV:crypt
   password = {{ vault_td_dtsv_crypt_password }}
   password2 = {{ vault_td_dtsv_crypt_password2 }}
-
-# Rclone Exporter (same password see monitoring role)
-vault_rclone_rcd_pass: !vault |
-  $ANSIBLE_VAULT;1.2;AES256;dtsv-dev
-  34616137336639363734323532366663626166336638356538663534346530636564333066636337
-  6636626538653634383063616532393461393036383464620a613765363037306365666236396661
-  65356565383436383664356338333266353962396239316533303330626335303961383066633066
-  3032623266653639340a376361376361373235373939623137633630666333383237363138303933
-  66333735646465306165396536396166616462633766333732323965363566656132

roles/systemd_exporter/tasks/main.yml

@@ -24,7 +24,7 @@
     architecture_alias: "arm64"  # noqa: var-naming[no-role-prefix]
   when: ansible_architecture == "aarch64"
 
-- name: "Download systemd_exporter from GitHub (v{{ systemd_exporter_version.tag }})"
+- name: "Download systemd_exporter from GitHub"
   get_url:
     url: "https://github.com/povilasv/systemd_exporter/releases/download/\
           v{{ systemd_exporter_version.tag }}/systemd_exporter-{{ systemd_exporter_version.tag }}\

roles/webserver/meta/main.yml

@@ -1,5 +1,14 @@
 ---
 dependencies:
+  - role: lego
+    vars:
+      lego_certificate_domains:
+        - cn: "{{ webserver_domain }}"
+          sans: ["*.{{ webserver_domain }}"]
+      lego_certificate_destination:
+        path: "{{ webserver_nginx_cert_path }}"
+      lego_services_reload:
+        name: nginx
   - role: rclone
   - role: nginx
   - role: nginx_exporter

roles/webserver/tasks/nginx.yml

@@ -7,10 +7,10 @@
     mode: "0644"
   loop:
     - {src: "nginx.conf.j2", dest: "/etc/nginx/nginx.conf"}
-    - {src: "cert.conf.j2", dest: "/etc/nginx/global/cert.conf"}
+    - {src: "cert.conf.j2", dest: "/etc/nginx/snippets/cert.conf"}
     - {src: "header.conf.j2", dest: "/etc/nginx/global/header.conf"}
     - {src: "proxy.conf.j2", dest: "/etc/nginx/global/proxy.conf"}
-    - {src: "php_optimization.j2", dest: "/etc/nginx/global/php_optimization"}
+    - {src: "php_optimization.j2", dest: "/etc/nginx/snippets/php_optimization.conf"}
   notify: Reload nginx
 
 - name: Copy virtual server configs
@@ -21,26 +21,6 @@
   with_fileglob: "../templates/conf.d/*.j2"
   notify: Reload nginx
 
-## Certificates
-
-- name: Create Certificate directory
-  file:
-    path: "{{ webserver_nginx_cert_path }}"
-    state: directory
-    mode: "0755"
-
-- name: "Copy SSL certificates for {{ webserver_domain }}"
-  copy:
-    remote_src: true
-    # make sure that ssl certs are available
-    src: "{{ lego_config_dir }}/certificates/{{ webserver_domain }}.{{ item }}"
-    dest: "{{ webserver_nginx_cert_path }}/{{ webserver_domain }}.{{ item }}"
-    owner: root
-    group: root
-    mode: "0600"
-  loop: [crt, key, issuer.crt]
-  notify: Reload nginx
-
 - name: Create nginx.service.d directory
   file:
     path: /etc/systemd/system/nginx.service.d

roles/webserver/templates/conf.d/cloud.conf.j2

@@ -7,31 +7,35 @@ upstream nextcloud-notify-push {
 # Set the `immutable` cache control options only for assets with a cache busting `v` argument
 map $arg_v $asset_immutable {
     "" "";
-    default "immutable";
+    default ", immutable";
 }
 
-
 server {
     listen 80;
     listen [::]:80;
     server_name {{ nextcloud_domain_name }} www.{{ nextcloud_domain_name }};
-    # enforce https
+
+    # Prevent nginx HTTP Server Detection
+    server_tokens off;
+
+    # Enforce HTTPS
     return 301 https://$server_name$request_uri;
 }
 
 server {
     listen 443 ssl;
     listen [::]:443 ssl;
-    # Enable QUIC and HTTP/3.
-    listen 443 quic;
-    listen [::]:443 quic;
+    http2 on;
 
     server_name {{ nextcloud_domain_name }} www.{{ nextcloud_domain_name }};
-    include global/cert.conf;
+    include snippets/cert.conf;
 
     # Path to the root of your installation
     root {{ nextcloud_dir }};
 
+    # Prevent nginx HTTP Server Detection
+    server_tokens off;
+
     # HSTS settings
     # WARNING: Only add the preload option once you read about
     # the consequences in https://hstspreload.org/. This option
@@ -51,33 +55,38 @@ server {
     gzip_comp_level 4;
     gzip_min_length 256;
     gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+    gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
 
     # Pagespeed is not supported by Nextcloud, so if your server is built
     # with the `ngx_pagespeed` module, uncomment this line to disable it.
     #pagespeed off;
 
-    # The settings allows you to optimize the HTTP2 bandwitdth.
+    # The settings allows you to optimize the HTTP2 bandwidth.
     # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
-    # for tunning hints
+    # for tuning hints
     client_body_buffer_size 512k;
 
     # HTTP response headers borrowed from Nextcloud `.htaccess`
     add_header Referrer-Policy                   "no-referrer"       always;
     add_header X-Content-Type-Options            "nosniff"           always;
-    add_header X-Download-Options                "noopen"            always;
     add_header X-Frame-Options                   "SAMEORIGIN"        always;
     add_header X-Permitted-Cross-Domain-Policies "none"              always;
     add_header X-Robots-Tag                      "noindex, nofollow" always;
     add_header X-XSS-Protection                  "1; mode=block"     always;
 
-    # Add Alt-Svc header to negotiate HTTP/3.
-    add_header Alt-Svc 'h2=":443"; ma=86400, h3-29=":443"; ma=86400, h3=":443"; ma=86400' always;
-    add_header x-quic 'h3' always;
-
     # Remove X-Powered-By, which is an information leak
     fastcgi_hide_header X-Powered-By;
 
+    # Set .mjs and .wasm MIME types
+    # Either include it in the default mime.types list
+    # and include that list explicitly or add the file extension
+    # only for Nextcloud like below:
+    include mime.types;
+    types {
+        text/javascript mjs;
+	application/wasm wasm;
+    }
+
     # Specify how to handle directories -- specifying `/index.php$request_uri`
     # here as the fallback means that Nginx always exhibits the desired behaviour
     # when a client requests a path that corresponds to a directory that exists
@@ -85,7 +94,7 @@ server {
     # that file is correctly served; if it doesn't, then the request is passed to
     # the front-end controller. This consistent behaviour means that we don't need
     # to specify custom rules for certain paths (e.g. images and other assets,
-    # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
+    # `/updater`, `/ocs-provider`), and thus
     # `try_files $uri $uri/ /index.php$request_uri`
     # always provides the desired behaviour.
     index index.php index.html /index.php$request_uri;
@@ -132,7 +141,7 @@ server {
     # to the URI, resulting in a HTTP 500 error response.
     location ~ \.php(?:$|/) {
         # Required for legacy support
-        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
 
         fastcgi_split_path_info ^(.+?\.php)(/.*)$;
         set $path_info $fastcgi_path_info;
@@ -154,17 +163,21 @@ server {
         fastcgi_max_temp_file_size 0;
     }
 
-    location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
+    # Serve static files
+    location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
         try_files $uri /index.php$request_uri;
-        add_header Cache-Control "public, max-age=15778463, $asset_immutable";
+        # HTTP response headers borrowed from Nextcloud `.htaccess`
+        add_header Cache-Control                     "public, max-age=15778463$asset_immutable";
+        add_header Referrer-Policy                   "no-referrer"       always;
+        add_header X-Content-Type-Options            "nosniff"           always;
+        add_header X-Frame-Options                   "SAMEORIGIN"        always;
+        add_header X-Permitted-Cross-Domain-Policies "none"              always;
+        add_header X-Robots-Tag                      "noindex, nofollow" always;
+        add_header X-XSS-Protection                  "1; mode=block"     always;
         access_log off;     # Optional: Don't log access to assets
-
-        location ~ \.wasm$ {
-            default_type application/wasm;
-        }
     }
 
-    location ~ \.woff2?$ {
+    location ~ \.(otf|woff2?)$ {
         try_files $uri /index.php$request_uri;
         expires 7d;         # Cache-Control policy borrowed from `.htaccess`
         access_log off;     # Optional: Don't log access to assets

roles/webserver/templates/conf.d/twirling.conf.j2

@@ -21,7 +21,7 @@ server {
     quic_gso on;
 
     server_name {{ webserver_domain }} www.{{ webserver_domain }};
-    include global/cert.conf;
+    include snippets/cert.conf;
     include global/header.conf;
 
     # Path to the root of your installation

roles/webserver/vars/main.yml

@@ -44,8 +44,8 @@ php_fpm_ini_options:
   - {option: memory_limit, value: 512M}
   - {section: opcache, option: opcache.enable, value: 1}
   - {section: opcache, option: opcache.interned_strings_buffer, value: 64}
-  - {section: opcache, option: opcache.max_accelerated_files, value: 10000}
-  - {section: opcache, option: opcache.memory_consumption, value: 256}
+  - {section: opcache, option: opcache.max_accelerated_files, value: 50000}
+  - {section: opcache, option: opcache.memory_consumption, value: 512}
   - {section: opcache, option: opcache.save_comments, value: 1}
   - {section: opcache, option: opcache.revalidate_freq, value: 60}
   - {section: opcache, option: opcache.validate_timestamps, value: 0}
@@ -61,4 +61,4 @@ php_fpm_pool_options:
   - {option: pm.start_servers, value: 5}
   - {option: pm.min_spare_servers, value: 5}
   - {option: pm.max_spare_servers, value: 15}
-  - {option: pm.max_requests, value: 200}
+  - {option: pm.max_requests, value: 500}

web.yml

@@ -3,7 +3,6 @@
 - name: Install Webserver
   hosts: WEB
   roles:
-    - lego
     - nextcloud
     - wordpress
   become: true