Commit cb5d4e0

gregharvey, matej5, Matej Stajduhar, tymofiisobchenko and klausi authored
Bug fixes 2.x pr devel 2.x (#2149)
* Changing-aws-acl-when-statement (#2063) Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com> * R71127 r71052 check pr 2.x (#2073) * r71127-r71052-attemt-to-workaround-elb-module-change-or-bug * debug alb issue * revert changes as the bug is outside of ce-provision ansible-collections/amazon.aws#2376 * Newer aws collection test pr 2.x (#2077) * newer_aws_collection_test * 8.2.1 didnt work, back to 8.0.1 * r71171-efs-client-upgrade (#2079) * Turning-off-ami-cleanup-task (#2083) Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com> * Changing subnet for rds pr 2.x (#2087) * Changing-subnet-for-RDS * Uncommenting-tasks --------- Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com> * fix(debian/duplicity): Fix missing compilation dependencies (#2029) * fix(php-fpm): Set a good process children default for bigger servers (#1895) * fix(php-fpm): Set a good process children default for bigger servers * Fix min max logic * formatting * Fixing-RDS-backup-validation (#2089) Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com> * Updating-postfix-default-transport-maps (#2092) * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_childen to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. 
* Updated lambda backup validation reporting pr 2.x (#2099) * Updated-lambda-backup-validation-reporting * Updating-docs * Updating-lambda-handler * Adding-region-to-cloudwatch-task * Trimming-version-number-from-lambda * Fixing-text-manipulation * Updating-arn-for-cloudwatch-task --------- Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com> * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Bug fixes 2.x pr 2.x (#2096) * Improving AWS subnet docs. * Error in timers structure in the SSL role. * Removing obsolete backports requirements. * Allow the billing role to access Sustainability information. * Missing comma in IAM billing policy. * Removing broken GitLab Runner code. * Fixed the include_role task in gitlab_runner. * Suppressing a failure if there is no system pip to call. * Logic error in Ansible installer username, needs to be set from calling role. * ansible_user is a reserved variable, seems to be causing issues. * _ansible_ANYTHING is reserved, using _install_username instead. * python_boto role also needs the username set in the calling role. * Updating python_boto docs. * Making profile.d loading more robust. * Also pip removing ansible-core and trying with pip and pip3 to cover all bases. * Updating bad AWS SG role var namespacing in other roles. * Refactoring how we handle python3-pip. * Allow passing in of the Python interpreter to Ansible. * Updating the packages server for CE. * Installing Ansible in a venv on all machines. * Changing common_base format for readability. * No need to specify Python to the point release. * Docs update. * Fixing LDAP SSL to use systemd timer. * Allowing different systemd timer names for different Ansible installs. * Fixing dynamic key name in ansible role. * Trying to debug missing timer_command var. * Treating the timer string so it becomes a dict. * Moving default log location for clamav. * Updating ClamAV docs. 
* Grouping systemd timer tasks together. * Exposing ce-provision version in build output. * Wrong variable in meta role for controller username. * Removing any reference to _aws variables in debian role defaults. * Setting more sane ASG defaults. * Making ClamAV timers a list so they can be entirely replaced. * Spacing fix for linting. * Renaming npm module. * Removing NGINX installation as part of phpMyAdmin role by default. * Fixing Varnish handler names. * Excluding name[casing] rule from linting due to false positives. * Put rule in wrong place! * Removing lock file behaviour from ASGs as it cannot work unless controller and ASG are in the same VPC. * Capturing lock file limitations in comment. * Updating documentation for LE. * Using pip to install certbot plugins. * Updating README docs. * Docs error corrected. * Working around deprecated SSH algorithms. * Upgrading SSH key type standard for controller and deploy users. * Adding SCP args for legacy mode needed by Packer. * Adding an extra when clause to ACM SAN cert check. * Trying different approach to ACM SAN cert check. * Removing /bin/which from rkhunter defaults, it isn't present in Debian 11. * RDS param group module has changed name. * Adding passlib to libraries installed for ce-provision. * Adding in valid path for 'which' to rkhunter. * Catching up documentation. * Catching up documentation. * Making user creation optional and home directories a variable. * Missed passing new home var to task. * Fixing firewall.bash deletion issues. * Getting rid of accidental extra braces. * Simplifying usernames so you only need to set one var. * Docs update and making Ansible installation via _init an option. * Variable path error. * Updating linter ignore paths. * Making the NGINX test result var private. * Documentation update. * Fixing role dependency in NGINX role. * Adding installation path handling for Galaxy collections. * Removing -p option due to unexpected ill effects for role paths. 
* Moving X-Content-Type-Options header to project type templates. * Adding some inline documentation. * Fixing Postfix template to allow external relays. * Adding a FQDN postfix transport map. * Updating CI to 2.x. * Defending against missing Ansible. * Making the ce-provision-config branch in CI dynamic. * We do not want a 'ce-dev provision' because it breaks our controller. * Reverting 'ce-dev provision' change. * Trying a different ansible_facts var. * Testing using the source branch in ce-dev. * Setting max_childen to an integer to avoid CI issues. * Trying to change the python interpreter used. * Adding platform and cgroup values to ce-dev compose template. * Trying latest ubuntu containers in GitHub Actions. * Fixing the test.sh script to work with venvs. * Documentation for PHP in CI. * Adding GitLab test back in. * Fixing role namespaces. * Avoiding-backup-restoration-for-dev-env (#2108) Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com> * Updating-nodejs-to-nodistro (#2094) * Updating-nodejs-to-nodistro * Fixing-nodejs-unattended-upgrades * r71344-Updating-aws-acl-role (#2111) Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com> * r71344-Updating-aws-acl-role (#2112) * r71344-Updating-aws-acl-role * Adding-option-to-avoid-recreating-ACLs * Updating-aws-acl-vars * Updating-aws-acl-vars-2 --------- Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com> * Fixing-non-utf8-item (#2116) Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com> * Fixing non utf8 item pr 2.x (#2117) * Fixing-non-utf8-item * Changing-var-name-for-when-condition --------- Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com> * Minor bug fixes to ce-provision installer. * Testing installing ce-provision in the GitHub Actions container directly. * Using the submitted install script as well. * Trying as runner user. * Trying to use the ce-dev base container. 
* Fixing-utf8 (#2129) * Fixing utf8-2.x (#2131) * Fixing-utf8 * Adding-debug * Changing-lambda-creation-from-tip-file-to-s3 (#2122) * Changing-lambda-creation-from-tip-file-to-s3 * Fixing-syntax-error * indentation-fix * Finishing-backup-valdation-role --------- Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com> * Updating email notification title pr 2.x (#2140) * Updating-email-notification-title * Resolving-conflicts * Resolving-conflicts-2 --------- Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com> * Adding-defaults-to-max-children (#2141) * Adding defaults to max children pr 2.x (#2144) * Adding-defaults-to-max-children * Updating-max-children * Updating-php-defaults (#2145) * Updating php defaults pr 2.x (#2147) * Updating-php-defaults * Updating-php-defaults * Updating-php-defaults * Updating key name. * Suppressing systemd actions in Docker. * Seems Ansible flags have changed. * Still trying to get --extra-vars right! * Catching Ansible Galaxy upgrade timers for docker containers. * Trying to force --roles-path for Galaxy. * Trying different quotes. * Missed a line. * Trying a different approach to passing vars. * Adding some debug. * Running ce-python debug first. * Trying moving to the ce-provision directory. * Checking the specific path to galaxy roles in ce-provision. * Trying as controller user again. * Trying to make the roles dir. * Being consistent about paths in bash. * Removing debug lines for now. * Allowing script to skip iptables. * Misnamed flag. * Adding user_provision role to configure controller user. * Wrapping cleanup so it doesn't break GitHub Actions. * Completing variables for user_provisin. * Missed the sudoers var. * Quoting vars. * GitLab installer needs _domain_name. * Logic error in clean-up script. * Fixing paths to ce-provision in container. * Trying to fix CI perms issues. * Git dubious ownership error. * Git dubious ownership error. * Running the web server test as the controller user. 
* Missed a controller var. * Commenting out the CE container to test. * Adding a separate step for Git actions. * Need sudo for Ubuntu. * efs_version_fix_for_old_debian_workaround (#2151) * Using a volume to persist data between steps. * Adding debug commands to test volumes. * Tweaking volumes. * Adding the checkout command back in. * Trying a different approach. * ls command looks good, so putting web build back in. * More Ansible Galaxy debug. * Trying to make ansible-galaxy detect installed roles. * Run galaxy command as controller. * Trying galaxy command and cd wrapped in su. * Specifically checking the contents of galaxy/roles. * Trying a double-tap install process. * Quick refactor and debug of SSH. * Adding OpenSSH server package. * Checking for a firewall. * Checking listening packages. * Starting SSHD especially. * Starting SSHD without systemd. * Pre-empting config a bit more. * More galaxy path debug. * fix(duplicity): Fix file name of include/exclude list (#2152) * Running a find to see if we can find the missing roles. * More verbosity. * Checking for missing requirements file. * Removing eroneous when clause. * Tidying up redundant debug lines. * Creating a separate ci.yml play targeting localhost. * Making sure sshd is running. * Tidying up GitLab CI file and installing SSHD. * Installing SSHD as a separate step. * SSHD already installed, starting it instead. * Don't create systemd timers in containers. * Preparing a test GitLab build. * Making builds nightly and fixing GitLab role bug. * Ensuring is_local var exists and making lock behaviour optional. * Fixing location and owner of Blackfire config so it is configurable. * Documentation update. * Removing all is defined checks for is_local since it is now always defined. * Letting GitLab know it's on Docker earlier. * Trying to run runsvdir-start to avoid container freezing. * Temporarily skipping reconfigure of GitLab to test the rest. * Trying to move GitLab reconfigure commands to CI. 
* Fixing service namespace for runner and reinstating GitLab tasks. * Trying to get config script working for GitLab in CI. * No systemd, do not try to restart gitlab-runner. * Removing firewall role from CI GitLab test, don't need it and it breaks CI. * Outputting PostGreSQL logs to see if there are errors. * Outputting PostGreSQL logs to see if there are errors. * Trying the config script for GitLab again. * Suppressing extra GitLab config for CI runs. * Setting Blackfire CLI defaults to use ce-dev user. --------- Co-authored-by: Matej Štajduhar <30931414+matej5@users.noreply.github.com> Co-authored-by: Matej Stajduhar <matej.stajduhar@codeenigma.com> Co-authored-by: tymofiisobchenko <104431720+tymofiisobchenko@users.noreply.github.com> Co-authored-by: Klaus Purer <klaus.purer@protonmail.ch> Co-authored-by: drazenCE <140631110+drazenCE@users.noreply.github.com>
1 parent ef705ce commit cb5d4e0

40 files changed: +232 -137 lines changed

Diff for: .github/workflows/ce-provision-test-gitlab.yml

+27-27
Original file line numberDiff line numberDiff line change
@@ -1,42 +1,42 @@
11
name: Run GitLab server test build
22

3-
# Run this workflow every time a new commit pushed to your repository
4-
on: pull_request
3+
# Run this workflow nightly and every time a new commit pushed to your repository
4+
on:
5+
schedule:
6+
- cron: '30 4 * * *'
7+
pull_request:
58

69
jobs:
710
# Set the job key. The key is displayed as the job name
811
# when a job name is not provided
912
test-gitlab:
13+
if: ${{ github.event.pull_request.head.ref != 'documentation' }}
1014
# Name the Job
11-
name: Run tests against Ansible code base
15+
name: Build a GitLab server with ce-provision
1216
# Set the type of machine to run on
1317
runs-on: ubuntu-latest
1418

15-
steps:
16-
# Checks out a copy of your repository on the ubuntu-latest machine
17-
- name: Checkout code
18-
if: ${{ github.event.pull_request.head.ref != 'documentation' }}
19-
uses: actions/checkout@v2
19+
# Use our ce-dev Debian base container
20+
container:
21+
image: codeenigma/ce-dev:2.x
22+
volumes:
23+
- ${{ github.workspace }}:/home/controller
2024

21-
# Installs the ce-dev stack
22-
- name: Install ce-dev
23-
if: ${{ github.event.pull_request.head.ref != 'documentation' }}
25+
steps:
26+
- name: Install ce-provision
2427
run: |
25-
cd /tmp
26-
wget https://golang.org/dl/go1.15.8.linux-amd64.tar.gz
27-
sudo tar -C /usr/local -xzf go1.15.8.linux-amd64.tar.gz
28-
export PATH=$PATH:/usr/local/go/bin
29-
git clone https://github.com/FiloSottile/mkcert && cd mkcert
30-
go build -ldflags "-X main.Version=$(git describe --tags)"
31-
sudo mv ./mkcert /usr/local/bin && cd ../
32-
sudo chmod +x /usr/local/bin/mkcert
33-
rm -Rf mkcert
34-
curl -sL https://raw.githubusercontent.com/codeenigma/ce-dev/${{ github.event.pull_request.base.ref }}/install.sh | /bin/sh -s -- --platform linux
28+
/usr/bin/curl -LO https://raw.githubusercontent.com/codeenigma/ce-provision/${{ github.event.pull_request.head.ref }}/install.sh
29+
/usr/bin/chmod +x ./install.sh
30+
/usr/bin/sudo ./install.sh --version ${{ github.event.pull_request.head.ref }} --config-branch ${{ github.event.pull_request.base.ref }} --docker --no-firewall
3531
36-
# Uses the ce-dev stack to run a test provision
37-
- name: Run a test provision
38-
if: ${{ github.event.pull_request.head.ref != 'documentation' }}
32+
# Run a GitLab server provision
33+
- name: Prepare Git repos on disk
3934
run: |
40-
git clone --branch ${{ github.event.pull_request.base.ref }} https://github.com/codeenigma/ce-dev-ce-provision-config.git config
41-
/bin/bash ce-dev/ansible/test.sh --examples gitlab --own-branch ${{ github.event.pull_request.head.ref }} --config-branch ${{ github.event.pull_request.base.ref }}
42-
shell: bash
35+
/usr/bin/git config --global --add safe.directory /home/controller/ce-provision
36+
/usr/bin/git config --global --add safe.directory /home/controller/ce-provision/config
37+
38+
- name: Start SSHD
39+
run: /usr/sbin/sshd&
40+
41+
- name: Provision a test GitLab server
42+
run: /usr/bin/su - controller -c "cd /home/controller/ce-provision && /bin/sh /home/controller/ce-provision/scripts/provision.sh --python-interpreter /home/controller/ce-python/bin/python3 --repo dummy --branch dummy --workspace /home/controller/ce-provision/ce-dev/ansible --playbook plays/gitlab/ci.yml --own-branch ${{ github.event.pull_request.head.ref }} --config-branch ${{ github.event.pull_request.base.ref }} --force"
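
Review bot: The `run:` scripts at new lines 28 to 30 and 42 expand `${{ github.event.pull_request.head.ref }}` and `base.ref` directly into shell text, so a branch name containing quotes, `$(...)` or `;` is parsed as shell in steps that also call `sudo`. Line 42 is the most exposed, because the refs sit inside the double-quoted `su - controller -c "..."` string and are parsed a second time by the login shell. Pass the refs through the step's `env:` (for example `HEAD_REF: ${{ github.event.pull_request.head.ref }}`), use them as quoted shell variables, and check them against an allowed branch-name pattern before they reach the `su -c` string. Adding `--fail` to the `curl -LO` call at line 28 would also stop an HTTP error page being saved and executed as `install.sh`.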

Diff for: .github/workflows/ce-provision-test-web.yml

+19-37
Original file line numberDiff line numberDiff line change
@@ -1,60 +1,42 @@
11
name: Run web server test build
22

3-
# Run this workflow every time a new commit pushed to your repository
4-
on: pull_request
3+
# Run this workflow nightly and every time a new commit pushed to your repository
4+
on:
5+
schedule:
6+
- cron: '30 4 * * *'
7+
pull_request:
58

69
jobs:
710
# Set the job key. The key is displayed as the job name
811
# when a job name is not provided
912
test-web:
13+
if: ${{ github.event.pull_request.head.ref != 'documentation' }}
1014
# Name the Job
11-
name: Run tests against Ansible code base
15+
name: Build a web server with ce-provision
1216
# Set the type of machine to run on
1317
runs-on: ubuntu-latest
1418

1519
# Use our ce-dev Debian base container
1620
container:
1721
image: codeenigma/ce-dev:2.x
22+
volumes:
23+
- ${{ github.workspace }}:/home/controller
1824

1925
steps:
20-
# Checks out a copy of your repository on the ubuntu-latest machine
21-
#- name: Checkout code
22-
# if: ${{ github.event.pull_request.head.ref != 'documentation' }}
23-
# uses: actions/checkout@v2
24-
25-
# Installs ce-provision
2626
- name: Install ce-provision
27-
if: ${{ github.event.pull_request.head.ref != 'documentation' }}
2827
run: |
29-
curl -LO https://raw.githubusercontent.com/codeenigma/ce-provision/${{ github.event.pull_request.head.ref }}/install.sh
30-
chmod +x ./install.sh
31-
sudo ./install.sh --version ${{ github.event.pull_request.head.ref }} --config-branch ${{ github.event.pull_request.base.ref }} --docker
28+
/usr/bin/curl -LO https://raw.githubusercontent.com/codeenigma/ce-provision/${{ github.event.pull_request.head.ref }}/install.sh
29+
/usr/bin/chmod +x ./install.sh
30+
/usr/bin/sudo ./install.sh --version ${{ github.event.pull_request.head.ref }} --config-branch ${{ github.event.pull_request.base.ref }} --docker --no-firewall
3231
3332
# Run a web server provision
34-
- name: Provision a test web server
35-
if: ${{ github.event.pull_request.head.ref != 'documentation' }}
33+
- name: Prepare Git repos on disk
3634
run: |
37-
/bin/sh /home/runner/ce-provision/scripts/provision.sh --python-interpreter /home/runner/ce-python/bin/python3 --repo dummy --branch dummy --workspace /home/runner/ce-provision/ce-dev/ansible --playbook plays/web/web.yml --own-branch ${{ github.event.pull_request.head.ref }} --config-branch ${{ github.event.pull_request.base.ref }} --force
35+
/usr/bin/git config --global --add safe.directory /home/controller/ce-provision
36+
/usr/bin/git config --global --add safe.directory /home/controller/ce-provision/config
3837
39-
# Installs the ce-dev stack
40-
#- name: Install ce-dev
41-
# if: ${{ github.event.pull_request.head.ref != 'documentation' }}
42-
# run: |
43-
# cd /tmp
44-
# wget https://golang.org/dl/go1.15.8.linux-amd64.tar.gz
45-
# sudo tar -C /usr/local -xzf go1.15.8.linux-amd64.tar.gz
46-
# export PATH=$PATH:/usr/local/go/bin
47-
# git clone https://github.com/FiloSottile/mkcert && cd mkcert
48-
# go build -ldflags "-X main.Version=$(git describe --tags)"
49-
# sudo mv ./mkcert /usr/local/bin && cd ../
50-
# sudo chmod +x /usr/local/bin/mkcert
51-
# rm -Rf mkcert
52-
# curl -sL https://raw.githubusercontent.com/codeenigma/ce-dev/${{ github.event.pull_request.base.ref }}/install.sh | /bin/sh -s -- --platform linux
38+
- name: Start SSHD
39+
run: /usr/sbin/sshd&
5340

54-
# Uses the ce-dev stack to run a test provision
55-
#- name: Run a test provision
56-
# if: ${{ github.event.pull_request.head.ref != 'documentation' }}
57-
# run: |
58-
# git clone --branch ${{ github.event.pull_request.base.ref }} https://github.com/codeenigma/ce-dev-ce-provision-config.git config
59-
# /bin/bash ce-dev/ansible/test.sh --examples web --own-branch ${{ github.event.pull_request.head.ref }} --config-branch ${{ github.event.pull_request.base.ref }}
60-
# shell: bash
41+
- name: Provision a test web server
42+
run: /usr/bin/su - controller -c "cd /home/controller/ce-provision && /bin/sh /home/controller/ce-provision/scripts/provision.sh --python-interpreter /home/controller/ce-python/bin/python3 --repo dummy --branch dummy --workspace /home/controller/ce-provision/ce-dev/ansible --playbook plays/web/ci.yml --own-branch ${{ github.event.pull_request.head.ref }} --config-branch ${{ github.event.pull_request.base.ref }} --force"
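
Review bot: The `schedule:` trigger added at new lines 5 and 6 carries no `pull_request` context, so on the nightly run `github.event.pull_request.head.ref` and `base.ref` are empty. The job-level `if:` at line 13 still passes, the `curl` URL at line 28 gets an empty branch segment, and `--version` and `--config-branch` at line 30 receive no value. Give the refs a fallback such as `${{ github.event.pull_request.head.ref || github.ref_name }}`, or move the nightly build into its own job with fixed branches. The URL at line 28 also assumes the head branch exists in `codeenigma/ce-provision`, which does not hold for pull requests opened from forks.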

Diff for: ce-dev/ansible/plays/gitlab/ci.yml

+37
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,37 @@
1+
---
2+
- hosts: localhost
3+
become: true
4+
5+
vars:
6+
project_name: gitlab
7+
is_local: true
8+
_ce_provision_base_dir: /home/ce-dev/ce-provision
9+
_init:
10+
force_play: true
11+
vars_dirs:
12+
- "{{ _ce_provision_base_dir }}/ce-dev/ansible/vars/_common"
13+
- "{{ _ce_provision_base_dir }}/ce-dev/ansible/vars/{{ project_name }}"
14+
15+
tasks:
16+
- ansible.builtin.import_role:
17+
name: _init
18+
- ansible.builtin.import_role:
19+
name: debian/user_provision
20+
- ansible.builtin.import_role:
21+
name: _meta/common_base
22+
- ansible.builtin.import_role:
23+
name: debian/ce_deploy
24+
- ansible.builtin.import_role:
25+
name: aws/aws_credentials
26+
- ansible.builtin.import_role:
27+
name: debian/gitlab
28+
- ansible.builtin.import_role:
29+
name: debian/gitlab_runner
30+
- ansible.builtin.import_role:
31+
name: debian/ssh_server
32+
- ansible.builtin.import_role:
33+
name: debian/sops
34+
- ansible.builtin.import_role:
35+
name: debian/gpg_key
36+
- ansible.builtin.import_role:
37+
name: _exit
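
Review bot: `_ce_provision_base_dir` at line 8 is `/home/ce-dev/ce-provision`, but the workflow in this commit mounts the workspace at `/home/controller` and calls `provision.sh` with `--workspace /home/controller/ce-provision/ce-dev/ansible`, so both `vars_dirs` entries at lines 12 and 13 point outside the tree the job runs from. If `/home/ce-dev/ce-provision` is expected to exist in the `codeenigma/ce-dev:2.x` image, say so in a comment at the top of the play; otherwise set the base directory to the controller path. The file also lacks the header comment that `plays/web/ci.yml` has.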

Diff for: ce-dev/ansible/plays/web/ci.yml

+22
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,22 @@
1+
---
2+
# Spin up a "web" instance.
3+
- hosts: localhost
4+
become: true
5+
6+
vars:
7+
project_name: web
8+
is_local: true
9+
_ce_provision_base_dir: /home/ce-dev/ce-provision
10+
_init:
11+
force_play: true
12+
vars_dirs:
13+
- "{{ _ce_provision_base_dir }}/ce-dev/ansible/vars/_common"
14+
- "{{ _ce_provision_base_dir }}/ce-dev/ansible/vars/{{ project_name }}"
15+
16+
tasks:
17+
- ansible.builtin.import_role:
18+
name: _init
19+
- ansible.builtin.import_role:
20+
name: _meta/webserver
21+
- ansible.builtin.import_role:
22+
name: _exit
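
Review bot: `is_local: true` at line 8 makes `_ce_provision_username` resolve to `ce-dev` and `_venv_path` to `/home/ce-dev/ce-python` under the defaults documented in `docs/roles/_init.md` in this commit, while the workflow runs this play through `su - controller` with `--python-interpreter /home/controller/ce-python/bin/python3`. Either override the username variables for CI in this play or extend the comment at line 2 to explain why the two users differ. The `import_role` tasks at lines 17 to 22 are also unnamed, which makes the CI log harder to follow.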

Diff for: ce-dev/ansible/vars/gitlab/gitlab_runner.yml

+2
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,2 @@
1+
gitlab_runner:
2+
restart: false # no systemd in CI containers

Diff for: docs/roles/_init.md

+6-3
Original file line numberDiff line numberDiff line change
@@ -9,7 +9,10 @@ This is meant to ALWAYS be included as the first task of a play. If you include
99
## Default variables
1010
```yaml
1111
---
12-
_ce_provision_username: "{% if is_local is defined and is_local %}ce-dev{% else %}controller{% endif %}"
12+
# Set this variable to true to tell ce-provision it is running in a container.
13+
is_local: false
14+
15+
_ce_provision_username: "{% if is_local %}ce-dev{% else %}controller{% endif %}"
1316
_venv_path: "/home/{{ _ce_provision_username }}/ce-python"
1417
_venv_command: /usr/bin/python3 -m venv
1518
_venv_install_username: "{{ _ce_provision_username }}"
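
Review bot: The simplified test `{% if is_local %}` at new line 15 is a plain Jinja truthiness check, so a value that arrives as a string (for example `-e is_local=false`) is non-empty and selects `ce-dev`. Use `{% if is_local | bool %}` here and in the other templates that dropped the `is defined` guard, and state in the comment at line 12 that the variable must be a boolean.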
@@ -25,8 +28,8 @@ _init:
2528
# This is used to detect if the playbook must re-run or not.
2629
vars_dirs: []
2730
force_play: false
28-
lock_file: /tmp/ce-provision-lock
29-
deploy_lock_file: /tmp/ce-deploy-lock # must match lock_file in ce-deploy
31+
lock_file: /tmp/ce-provision-lock # set to an empty string to disable locking behaviour
32+
deploy_lock_file: /tmp/ce-deploy-lock # must match lock_file in ce-deploy, set to an empty string to disable locking behaviour
3033
ce_provision_version: 2.x # Outputted by the _init role at the start of plays
3134
install_ansible: true # set to false to not install Ansible in a venv
3235
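
Review bot: The comments at new lines 31 and 32 introduce an empty string as the way to disable locking, but line 32 still says the value "must match lock_file in ce-deploy" without saying whether ce-deploy has to be emptied as well, or what happens when only one side is disabled. Spell that out in the comment. It is also worth noting that both defaults are fixed names in `/tmp`, which any local user can create.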

Diff for: docs/roles/debian/aws_efs_client.md

+1-1
Original file line numberDiff line numberDiff line change
@@ -46,7 +46,7 @@ _mount_state: present
4646
aws_efs_client:
4747
aws_profile: example # AWS boto profile name - can be substituted for "{{ _aws_profile }}" if set
4848
region: eu-west-1 # AWS region name - can be substituted for "{{ _aws_region }}" if set
49-
version: 2.1.0 # version of AWS EFS utils to use
49+
version: "{{ '1.35.0' if ansible_distribution_major_version | int < 12 else '2.1.0' }}" # 2.1.0 requires libssl v3 which is absent on Debian < 12 by default.
5050
build_suffix: "-1_all" # sometimes there is a suffix appended to the package name, e.g. `amazon-efs-utils-1.35.0-1_all.deb`
5151
deb_url: "" # provide an alternative location for the .deb package
5252
# See https://docs.ansible.com/ansible/latest/modules/mount_module.html
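
Review bot: The new `version` default at line 49 depends on `ansible_distribution_major_version`, so it raises an undefined-variable error when facts have not been gathered, which is the situation the `php-fpm` change in this commit guards against with `default(1)`. It also compares the major version against 12 without checking `ansible_distribution`, so any non-Debian distribution with a major version of 12 or higher gets 2.1.0 whether or not it ships libssl v3. Add a fallback or a distribution check, and note in the comment that the value can still be overridden with a fixed version string.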

Diff for: docs/roles/debian/ce_deploy.md

+1-1
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ Installs Code Enigma's deploy stack on a server.
88
```yaml
99
---
1010
_ce_deploy:
11-
username: "{% if is_local is defined and is_local %}ce-dev{% else %}deploy{% endif %}"
11+
username: "{% if is_local %}ce-dev{% else %}deploy{% endif %}"
1212

1313
ce_deploy:
1414
# These are usually set in the _init role using _venv_path, _venv_command and _venv_install_username but can be overridden.

Diff for: docs/roles/debian/gitlab.md

+1
Original file line numberDiff line numberDiff line change
@@ -38,6 +38,7 @@ gitlab:
3838
ssl: # @see the 'ssl' role. Note that domain is autopopulated from server_name above.
3939
enabled: false # manual SSL handling disabled by default
4040
handling: selfsigned
41+
replace_existing: false
4142
# Linux setup
4243
linux_user: git
4344
linux_group: git
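
Review bot: `replace_existing: false` at new line 41 is added without an inline comment, and the name does not say what is replaced (the certificate, the key, or the whole SSL configuration) or when a user would set it to true. Add a short comment in the style of the `enabled:` line above it, or point to the `ssl` role documentation that the block comment already references.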

Diff for: docs/roles/debian/php-fpm.md

+1-1
Original file line numberDiff line numberDiff line change
@@ -23,7 +23,7 @@ php:
2323
# It is important to scale up processes on bigger servers, so that more
2424
# requests can be handled. Double the number of vCPUs is a good default.
2525
# Can be between 5 and 64.
26-
max_children: "{{ [5, [ansible_facts.ansible_processor_nproc * 2, 64] | min] | max }}"
26+
max_children: "{{ [5, [(ansible_facts.ansible_processor_nproc | default(1)) * 2, 64] | min] | max }}" # Fallback in case ansible_processor_nproc is not gathered before tasks
2727
start_servers: 2
2828
min_spare_servers: 1
2929
max_spare_servers: 3
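
Review bot: With the `default(1)` fallback at new line 26, an undefined lookup evaluates to `[5, [2, 64] | min] | max`, which is 5, so a large server silently gets the minimum instead of failing visibly. Ansible stores facts under `ansible_facts` without the `ansible_` prefix (`ansible_facts.processor_nproc`), so confirm that `ansible_facts.ansible_processor_nproc` is ever defined; if it is not, the fallback is taken on every host and the scaling described in the comment at lines 23 to 25 never applies.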
