
Refresh tasks and tasks handling with Ansible > 2.6

Emmanuel Bouthenot 5 years ago
parent
commit
28390576c6
61 changed files with 981 additions and 204 deletions
  1. 1 1
      roles/common/defaults/main.yml
  2. 13 7
      roles/common/handlers/base.yml
  3. 2 0
      roles/common/handlers/dkim.yml
  4. 2 0
      roles/common/handlers/firewall.yml
  5. 2 0
      roles/common/handlers/main.yml
  6. 5 3
      roles/common/handlers/security.yml
  7. 6 2
      roles/common/handlers/smartd.yml
  8. 2 0
      roles/common/handlers/smtp.yml
  9. 6 2
      roles/common/handlers/ssh.yml
  10. 2 0
      roles/common/handlers/ssl.yml
  11. 133 21
      roles/common/tasks/base.yml
  12. 16 0
      roles/common/tasks/dkim.yml
  13. 26 8
      roles/common/tasks/dns.yml
  14. 20 4
      roles/common/tasks/dotfiles.yml
  15. 6 0
      roles/common/tasks/firewall.yml
  16. 24 10
      roles/common/tasks/main.yml
  17. 51 10
      roles/common/tasks/security.yml
  18. 34 10
      roles/common/tasks/smartd.yml
  19. 18 0
      roles/common/tasks/smtp.yml
  20. 10 0
      roles/common/tasks/ssh.yml
  21. 32 2
      roles/common/tasks/ssl.yml
  22. 2 2
      roles/dbserver/defaults/main.yml
  23. 8 2
      roles/dbserver/tasks/main.yml
  24. 45 17
      roles/dbserver/tasks/mysql.yml
  25. 25 8
      roles/dbserver/tasks/postgresql.yml
  26. 2 2
      roles/ftpserver/defaults/main.yml
  27. 2 0
      roles/ftpserver/handlers/common.yml
  28. 2 0
      roles/ftpserver/handlers/main.yml
  29. 2 0
      roles/ftpserver/handlers/pure-ftpd.yml
  30. 4 0
      roles/ftpserver/tasks/common.yml
  31. 7 2
      roles/ftpserver/tasks/main.yml
  32. 39 4
      roles/ftpserver/tasks/pure-ftpd.yml
  33. 2 2
      roles/hypervisor/defaults/main.yml
  34. 2 0
      roles/hypervisor/handlers/ganeti.yml
  35. 2 0
      roles/hypervisor/handlers/main.yml
  36. 2 0
      roles/hypervisor/handlers/xen.yml
  37. 19 6
      roles/hypervisor/tasks/ganeti.yml
  38. 10 2
      roles/hypervisor/tasks/main.yml
  39. 14 5
      roles/hypervisor/tasks/xen.yml
  40. 1 1
      roles/monitoring/defaults/main.yml
  41. 2 0
      roles/monitoring/handlers/main.yml
  42. 6 2
      roles/monitoring/handlers/mon.yml
  43. 6 2
      roles/monitoring/handlers/zabbix.yml
  44. 10 4
      roles/monitoring/tasks/main.yml
  45. 76 26
      roles/monitoring/tasks/mon.yml
  46. 14 0
      roles/monitoring/tasks/zabbix.yml
  47. 1 1
      roles/rsyncserver/defaults/main.yml
  48. 2 0
      roles/rsyncserver/handlers/main.yml
  49. 1 1
      roles/rsyncserver/handlers/rsyncd.yml
  50. 3 2
      roles/rsyncserver/tasks/main.yml
  51. 9 1
      roles/rsyncserver/tasks/rsyncd.yml
  52. 1 1
      roles/webserver/defaults/main.yml
  53. 7 3
      roles/webserver/handlers/apache2.yml
  54. 2 0
      roles/webserver/handlers/fpm.yml
  55. 2 0
      roles/webserver/handlers/main.yml
  56. 7 3
      roles/webserver/handlers/nginx.yml
  57. 6 2
      roles/webserver/handlers/php.yml
  58. 47 0
      roles/webserver/tasks/apache2.yml
  59. 11 6
      roles/webserver/tasks/main.yml
  60. 56 0
      roles/webserver/tasks/nginx.yml
  61. 111 17
      roles/webserver/tasks/php.yml

+ 1 - 1
roles/common/defaults/main.yml

@@ -86,4 +86,4 @@ ssl_certs_auto: Null
 dkim_domains: Null
 with_opendkim: False
 
-# vim: ft=yaml
+# vim: ft=yaml.ansible

+ 13 - 7
roles/common/handlers/base.yml

@@ -1,13 +1,19 @@
-- name: Reconfigure timezone
+- name: 'Reconfigure timezone'
   raw: rm -f /etc/timezone ; dpkg-reconfigure --frontend noninteractive tzdata
 
-- name: Apply kernel configuration (proc)
-  service: name=procps state=restarted
+- name: 'Apply kernel configuration (proc)'
+  service:
+    name: 'procps'
+    state: 'restarted'
 
-- name: Apply kernel configuration (sys)
-  service: name=sysfsutils state=restarted
+- name: 'Apply kernel configuration (sys)'
+  service:
+    name: 'sysfsutils'
+    state: 'restarted'
 
-- name: Refresh sysfs configuration
+- name: 'Refresh sysfs configuration'
   shell: cat /etc/sysfs.d/* > /etc/sysfs.conf
   notify:
-    - Apply kernel configuration (sys)
+    - 'Apply kernel configuration (sys)'
+
+# vim: ft=yaml.ansible

+ 2 - 0
roles/common/handlers/dkim.yml

@@ -2,3 +2,5 @@
   service:
     name: 'opendkim'
     state: 'restarted'
+
+# vim: ft=yaml.ansible

+ 2 - 0
roles/common/handlers/firewall.yml

@@ -2,3 +2,5 @@
   service:
     name: 'ferm'
     state: 'reloaded'
+
+# vim: ft=yaml.ansible

+ 2 - 0
roles/common/handlers/main.yml

@@ -6,3 +6,5 @@
 - include: ssh.yml
 - include: ssl.yml
 - include: smartd.yml
+
+# vim: ft=yaml.ansible

+ 5 - 3
roles/common/handlers/security.yml

@@ -1,8 +1,10 @@
-- name: Reconfigure unattended-upgrades
+- name: 'Reconfigure unattended-upgrades'
   raw: rm -f /etc/apt/apt.conf.d/20auto-upgrades* ; UCF_FORCE_CONFFMISS=1 UCF_FORCE_CONFFNEW=1 dpkg-reconfigure --frontend noninteractive unattended-upgrades
 
-- name: Reconfigure rkhunter
+- name: 'Reconfigure rkhunter'
   raw: rm -f /etc/default/rkhunter* ; UCF_FORCE_CONFFMISS=1 UCF_FORCE_CONFFNEW=1 dpkg-reconfigure --frontend noninteractive rkhunter
 
-- name: Remount /proc
+- name: 'Remount /proc'
   shell: mount -o remount /proc
+
+# vim: ft=yaml.ansible

+ 6 - 2
roles/common/handlers/smartd.yml

@@ -1,2 +1,6 @@
-- name: Restart smartmontools
-  service: name=smartmontools state=restarted
+- name: 'Restart smartmontools'
+  service:
+    name: 'smartmontools'
+    state: 'restarted'
+
+# vim: ft=yaml.ansible

+ 2 - 0
roles/common/handlers/smtp.yml

@@ -12,3 +12,5 @@
 
 - name: 'Rehash SASL sender relay map'
   command: 'postmap /etc/postfix/sasl/sender_relay'
+
+# vim: ft=yaml.ansible

+ 6 - 2
roles/common/handlers/ssh.yml

@@ -1,2 +1,6 @@
-- name: Restart ssh
-  service: name=ssh state=restarted
+- name: 'Restart ssh'
+  service:
+    name: 'ssh'
+    state: 'restarted'
+
+# vim: ft=yaml.ansible

+ 2 - 0
roles/common/handlers/ssl.yml

@@ -1,3 +1,5 @@
 - name: 'Generate Lets Encrypt SSL certificates'
   shell: dehydrated --cron >/dev/null
   ignore_errors: True
+
+# vim: ft=yaml.ansible

+ 133 - 21
roles/common/tasks/base.yml

@@ -1,19 +1,42 @@
 - name: 'Install hosts file'
-  template: src=hosts.j2 dest=/etc/hosts owner=root group=root mode=0644
+  template:
+    src: 'hosts.j2'
+    dest: '/etc/hosts'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
   when: with_hosts
+  tags:
+    - 'base'
 
 - name: 'Install hosts.deny file'
-  template: src=hosts.deny.j2 dest=/etc/hosts.deny owner=root group=root mode=0644
+  template:
+    src: 'hosts.deny.j2'
+    dest: '/etc/hosts.deny'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
   when: with_hostsdeny
+  tags:
+    - 'base'
 
 - name: 'Write /etc/apt/sources.list'
-  template: src=apt/sources.{{ ansible_lsb.codename }}.list.j2 dest=/etc/apt/sources.list owner=root group=root mode=0644
+  template:
+    src: 'apt/sources.{{ ansible_lsb.codename }}.list.j2'
+    dest: '/etc/apt/sources.list'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
   register: apt_sources
+  tags:
+    - 'base'
 
 - name: 'Refresh apt cache'
   apt:
     update_cache: yes
   when: apt_sources.changed
+  tags:
+    - 'base'
 
 - name: 'Write /etc/apt/apt.conf.d configuration files'
   template:
@@ -26,6 +49,8 @@
     - 'nopdiffs'
     - 'norecommends'
     - 'progressbar'
+  tags:
+    - 'base'
 
 - name: 'Install apt key for custom Debian repositories'
   apt_key:
@@ -34,6 +59,8 @@
     state: 'present'
   with_items: '{{ apt_keys }}'
   when: apt_keys
+  tags:
+    - 'base'
 
 - name: 'Add apt sources for custom Debian repositories'
   apt_repository:
@@ -41,9 +68,14 @@
     state: 'present'
   with_items: '{{ apt_repositories }}'
   when: apt_repositories
+  tags:
+    - 'base'
 
 - name: 'Install base packages'
-  apt: pkg={{ item }} install_recommends=no state=present
+  apt:
+    pkg: '{{ item }}'
+    install_recommends: 'no'
+    state: 'present'
   with_items:
     - 'apt-transport-https'
     - 'apticron'
@@ -68,74 +100,154 @@
     - 'etckeeper'
     - 'sharutils'
     - 'ncdu'
+  tags:
+    - 'base'
 
 - name: 'Install additional packages'
-  apt: pkg={{ item }} install_recommends=no state=present
+  apt:
+    pkg: '{{ item }}'
+    install_recommends: 'no'
+    state: 'present'
   with_items: '{{ apt_additional_packages }}'
   when: apt_additional_packages
+  tags:
+    - 'base'
 
 - name: 'Install ntp daemon'
-  apt: pkg=ntp install_recommends=no state=present
+  apt:
+    pkg: 'ntp'
+    install_recommends: 'no'
+    state: 'present'
   when: with_ntp
+  tags:
+    - 'base'
 
 - name: 'Configure default locale ({{ locale }})'
   command: update-locale 'LANG={{ locale }}'
   changed_when: False
   when: locale is defined and locale != ''
+  tags:
+    - 'base'
 
 - name: 'Configure default timezone'
-  debconf: name="{{item.name}}" question="{{item.question}}" value="{{item.value}}" vtype="{{item.vtype}}"
+  debconf:
+    name: '{{ item.name }}'
+    question: '{{ item.question }}'
+    value: '{{ item.value }}'
+    vtype: '{{ item.vtype }}'
   with_items:
     - { name: 'tzdata', question: 'tzdata/Areas', value: '{{ timezone_area }}', vtype: 'select' }
     - { name: 'tzdata', question: 'tzdata/Zones/{{ timezone_area }}', value: '{{ timezone_city }}', vtype: 'select' }
   notify:
     - 'Reconfigure timezone'
+  tags:
+    - 'base'
 
 - name: 'Override logrotate configuration for rsyslog'
-  template: src=logrotate/rsyslog.j2 dest=/etc/logrotate.d/rsyslog owner=root group=root mode=0644
+  template:
+    src: 'logrotate/rsyslog.j2'
+    dest: '/etc/logrotate.d/rsyslog'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  tags:
+    - 'base'
 
 - name: 'Install kernel configuration (proc)'
-  template: src=kernel/sysctl.d/{{ item }}.j2 dest=/etc/sysctl.d/{{ item }} owner=root group=root mode=0644
+  template:
+    src: 'kernel/sysctl.d/{{ item }}.j2'
+    dest: '/etc/sysctl.d/{{ item }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
   with_items:
-      - '05-ipv6.conf'
-      - '10-increase-file-descriptors.conf'
+    - '05-ipv6.conf'
+    - '10-increase-file-descriptors.conf'
   notify:
     - 'Apply kernel configuration (proc)'
   tags:
-      - 'ipv6'
+    - 'base'
+    - 'ipv6'
 
 - name: 'Create sysfs configuration directory - /etc/sysfs.d'
-  file: path=/etc/sysfs.d state=directory owner=root group=root mode=0755
+  file:
+    path: '/etc/sysfs.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  tags:
+    - 'base'
 
 - name: 'Install kernel configuration (sys)'
-  template: src=kernel/sysfs.d/{{ item }}.j2 dest=/etc/sysfs.d/{{ item }} owner=root group=root mode=0644
+  template:
+    src: 'kernel/sysfs.d/{{ item }}.j2'
+    dest: '/etc/sysfs.d/{{ item }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
   with_items:
-      - '00-sysfs-prolog.conf'
+    - '00-sysfs-prolog.conf'
   notify:
     - 'Refresh sysfs configuration'
+  tags:
+    - 'base'
 
 - name: 'Install kernel configuration (sys) for disks'
-  template: src=kernel/sysfs.d/{{ item }}.j2 dest=/etc/sysfs.d/{{ item }} owner=root group=root mode=0644
+  template:
+    src: 'kernel/sysfs.d/{{ item }}.j2'
+    dest: '/etc/sysfs.d/{{ item }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
   with_items:
-      - '10-disks.conf'
+    - '10-disks.conf'
   notify:
     - 'Refresh sysfs configuration'
+  tags:
+    - 'base'
 
 - name: 'Install sudo configuration'
-  template: src=sudo/local-admin.j2 dest=/etc/sudoers.d/local-admin owner=root group=root mode=0440
+  template:
+    src: 'sudo/local-admin.j2'
+    dest: '/etc/sudoers.d/local-admin'
+    owner: 'root'
+    group: 'root'
+    mode: '0440'
+  tags:
+    - 'base'
 
 - name: 'Install unprivileged user'
-  user: name="{{item.user}}" comment="{{item.fullname}}" groups=adm,operator,sudo append=yes shell=/bin/zsh state=present
+  user:
+    name: '{{ item.user }}'
+    comment: '{{ item.fullname }}'
+    groups: 'adm,operator,sudo'
+    append: 'yes'
+    shell: '/bin/zsh'
+    state: 'present'
   with_items: '{{ admins }}'
   when: admins
+  tags:
+    - 'base'
 
 - name: 'Install SSH key for unprivileged user'
-  authorized_key: user="{{item.user}}" key="{{lookup('file', 'data/users/' + item.user + '/sshkey.pub')}}" state=present
+  authorized_key:
+    user: '{{ item.user }}'
+    key: "{{ lookup('file', 'data/users/' + item.user + '/sshkey.pub') }}"
+    state: 'present'
   with_items: '{{ admins }}'
   when: admins
+  tags:
+    - 'base'
 
 - name: 'Install SSH key for root'
-  authorized_key: user=root key="{{lookup('file', 'data/users/' + item.user + '/sshkey.pub')}}" state=present
+  authorized_key:
+    user: 'root'
+    key: "{{ lookup('file', 'data/users/' + item.user + '/sshkey.pub') }}"
+    state: 'present'
   with_items: '{{ admins }}'
   when: admins
+  tags:
+    - 'base'
 
+# vim: ft=yaml.ansible
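Review bot: The two `authorized_key` tasks at the end of this hunk are additive only, so an entry removed from `admins` keeps its key in the user's and in root's `authorized_keys`, and editing the inventory does not revoke access. `exclusive` is not loop-aware, so it cannot simply be added under `with_items`; for root it would need all admin keys joined into a single `key:` value. At minimum add a comment above both tasks such as `# NOTE: additive only - removing an admin from 'admins' does not remove the key`. 'Install SSH key for root' also gives every admin direct root login on top of the `sudo` group membership set two tasks earlier, which removes per-user attribution from the auth log; if that is intended, it deserves a comment. Minor: `append: 'yes'` and `install_recommends: 'no'` rely on the module coercing strings to booleans, and `true`/`false` would state the type directly.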

+ 16 - 0
roles/common/tasks/dkim.yml

@@ -5,6 +5,8 @@
     state: 'present'
   with_items:
     - 'opendkim'
+  tags:
+    - 'dkim'
 
 - name: 'Install opendkim main configuration'
   template:
@@ -15,6 +17,8 @@
     mode: '0640'
   notify:
     - 'Restart opendkim'
+  tags:
+    - 'dkim'
 
 - name: 'Create opendkim config directory'
   file:
@@ -23,6 +27,8 @@
     owner: 'root'
     group: 'opendkim'
     mode: '0750'
+  tags:
+    - 'dkim'
 
 - name: 'Install opendkim KeyTable'
   template:
@@ -33,6 +39,8 @@
     mode: '0640'
   notify:
     - 'Restart opendkim'
+  tags:
+    - 'dkim'
 
 - name: 'Install opendkim SigningTable'
   template:
@@ -43,6 +51,8 @@
     mode: '0640'
   notify:
     - 'Restart opendkim'
+  tags:
+    - 'dkim'
 
 - name: 'Install opendkim InternalHosts'
   template:
@@ -53,6 +63,8 @@
     mode: '0640'
   notify:
     - 'Restart opendkim'
+  tags:
+    - 'dkim'
 
 - name: 'Install DKIM private keys'
   copy:
@@ -63,3 +75,7 @@
     mode: '0640'
   with_items: '{{ dkim_domains }}'
   when: dkim_domains
+  tags:
+    - 'dkim'
+
+# vim: ft=yaml.ansible

+ 26 - 8
roles/common/tasks/dns.yml

@@ -1,15 +1,33 @@
-- name: Remove bind9 (not a suitable dnscache) packages
-  apt: pkg={{ item }} state=absent purge=yes
+- name: 'Remove bind9 (not a suitable dnscache) packages'
+  apt:
+    pkg: '{{ item }}'
+    state: 'absent'
+    purge: 'yes'
   with_items:
-    - bind9
+    - 'bind9'
   when: with_dnscache
+  tags:
+    - 'dns'
 
-- name: Install unbound (dnscache) packages
-  apt: pkg={{ item }} state=present
+- name: 'Install unbound (dnscache) packages'
+  apt:
+    pkg: '{{ item }}'
+    state: 'present'
   with_items:
-    - unbound
+    - 'unbound'
   when: with_dnscache
+  tags:
+    - 'dns'
 
-- name: Install resolv.conf
-  template: src=dns/resolv.conf.j2 dest=/etc/resolv.conf owner=root group=root mode=0644
+- name: 'Install resolv.conf'
+  template:
+    src: 'dns/resolv.conf.j2'
+    dest: '/etc/resolv.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
   when: with_dnscache or (nameservers is defined and nameservers)
+  tags:
+    - 'dns'
+
+# vim: ft=yaml.ansible

+ 20 - 4
roles/common/tasks/dotfiles.yml

@@ -1,5 +1,21 @@
-- name: Install dotfiles
-  git: repo={{ dotfiles_repo }} dest={{ dotfiles_dest }} recursive=yes accept_hostkey=yes force=yes
+- name: 'Install dotfiles'
+  git:
+    repo: '{{ dotfiles_repo }}'
+    dest: '{{ dotfiles_dest }}'
+    recursive: 'yes'
+    accept_hostkey: 'yes'
+    force: 'yes'
+  tags:
+    - 'base'
+    - 'dotfiles'
 
-- name: Enable sourcing of dotfiles
-  lineinfile: dest=/etc/zsh/zshrc regexp='source {{ dotfiles_dest }}' line='[[ -f {{ dotfiles_dest }}/zsh/zshrc ]] && export LC_SSH_VARS={{ dotfiles_lcsshvars}} && source {{ dotfiles_dest }}/zsh/zshrc'
+- name: 'Enable sourcing of dotfiles'
+  lineinfile:
+    dest: '/etc/zsh/zshrc'
+    regexp: 'source {{ dotfiles_dest }}'
+    line: '[[ -f {{ dotfiles_dest }}/zsh/zshrc ]] && export LC_SSH_VARS={{ dotfiles_lcsshvars}} && source {{ dotfiles_dest }}/zsh/zshrc'
+  tags:
+    - 'base'
+    - 'dotfiles'
+
+# vim: ft=yaml.ansible
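Review bot: The `git` task clones `{{ dotfiles_repo }}` with `accept_hostkey: 'yes'` and no `version:`, and the next task makes `/etc/zsh/zshrc` source the checkout, so whatever the remote's default branch holds at run time is executed in every interactive zsh session on the host. Pinning the checkout with `version: '<reviewed-commit-or-tag>'` (placeholder) would tie the sourced code to something that was reviewed. Pre-seeding the server's key in `known_hosts` instead of using `accept_hostkey` would remove the trust-on-first-connect step. `force: 'yes'` silently discards local modifications in `{{ dotfiles_dest }}`; a one-line comment saying that is intended would help. Minor: `{{ dotfiles_lcsshvars}}` lacks the space before `}}` that the rest of the commit normalises.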

+ 6 - 0
roles/common/tasks/firewall.yml

@@ -5,6 +5,8 @@
   with_items:
     - 'linux-image-{{ facter_architecture }}'
     - 'ferm'
+  tags:
+    - 'firewall'
 
 - name: 'Install firewall configuration (ferm.conf)'
   template:
@@ -15,3 +17,7 @@
     mode: '0644'
   notify:
     - 'Apply firewall rules (ferm)'
+  tags:
+    - 'firewall'
+
+# vim: ft=yaml.ansible

+ 24 - 10
roles/common/tasks/main.yml

@@ -1,26 +1,40 @@
 - include_tasks: base.yml
-  tags: [base]
+  tags:
+    - 'base'
+    - 'ipv6'
 - include_tasks: dotfiles.yml
   when: with_dotfiles
-  tags: [base]
+  tags:
+    - 'base'
 - include_tasks: ssl.yml
-  tags: [ssl]
   when: ssl_certs or ssl_certs_auto
+  tags:
+    - 'ssl'
 - include_tasks: dns.yml
-  tags: [dns]
+  tags:
+    - 'dns'
 - include_tasks: firewall.yml
-  tags: [firewall]
   when: with_firewall
+  tags:
+    - 'firewall'
 - include_tasks: security.yml
-  tags: [security]
+  tags:
+    - 'security'
+    - 'logcheck'
 - include_tasks: smtp.yml
-  tags: [smtp]
   when: with_postfix or with_mail_aliases
+  tags:
+    - 'smtp'
 - include_tasks: dkim.yml
-  tags: [dkim]
   when: with_opendkim
+  tags:
+    - 'dkim'
 - include_tasks: ssh.yml
-  tags: [ssh]
+  tags:
+    - 'ssh'
 - include_tasks: smartd.yml
-  tags: [smartd]
   when: with_smartd
+  tags:
+    - 'smartd'
+
+# vim: ft=yaml.ansible

+ 51 - 10
roles/common/tasks/security.yml

@@ -3,6 +3,8 @@
     pkg: 'unattended-upgrades'
     state: 'present'
   when: with_auto_upgrade
+  tags:
+    - 'security'
 
 - name: 'Reconfigure unattended-upgrades package'
   debconf:
@@ -13,6 +15,8 @@
   notify:
     - 'Reconfigure unattended-upgrades'
   when: with_auto_upgrade
+  tags:
+    - 'security'
 
 - name: 'Update unattended-upgrades configuration'
   template:
@@ -25,6 +29,8 @@
     - 'apt/auto-upgrades.{{ ansible_lsb.codename }}.j2'
     - 'apt/auto-upgrades.j2'
   when: with_auto_upgrade
+  tags:
+    - 'security'
 
 - name: 'Install logcheck packages'
   apt:
@@ -34,6 +40,8 @@
     - 'logcheck'
     - 'logcheck-database'
   when: with_logcheck
+  tags:
+    - 'security'
 
 - name: 'Install local configuration files for logcheck'
   copy:
@@ -82,7 +90,8 @@
     - 'zabbix-agentd'
   when: with_logcheck
   tags:
-      - 'logcheck'
+    - 'security'
+    - 'logcheck'
 
 - name: 'Update logcheck cron job'
   template:
@@ -92,6 +101,9 @@
     group: 'root'
     mode: '0644'
   when: with_logcheck
+  tags:
+    - 'security'
+    - 'logcheck'
 
 - name: 'Install rkhunter related packages'
   apt:
@@ -102,6 +114,8 @@
     - 'unhide'
     - 'rkhunter'
   when: with_rkhunter
+  tags:
+    - 'security'
 
 - name: 'Reconfigure rkhunter package'
   debconf:
@@ -116,26 +130,49 @@
   notify:
     - 'Reconfigure rkhunter'
   when: with_rkhunter
+  tags:
+    - 'security'
 
-- name: Update rkhunter configuration
-  template: src=rkhunter/{{ ansible_lsb.codename }}.conf.j2 dest=/etc/rkhunter.conf owner=root group=root mode=0644
+- name: 'Update rkhunter configuration'
+  template:
+    src: 'rkhunter/{{ ansible_lsb.codename }}.conf.j2'
+    dest: '/etc/rkhunter.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
   when: with_rkhunter
+  tags:
+    - 'security'
 
-- name: Update chkrootkit configuration
+- name: 'Update chkrootkit configuration'
   template: src=chkrootkit/chkrootkit.conf.j2 dest=/etc/chkrootkit.conf owner=root group=root mode=0644
   when: with_chkrootkit
+  tags:
+    - 'security'
 
-- name: Update fstab to hide pids from /proc
-  lineinfile: dest=/etc/fstab regexp='(^proc\s+/proc\s+proc\s+)(\S+)(\s+[0-9]\s+[0-9])\s*$' line='\1defaults,hidepid=2\3' backrefs=yes
+- name: 'Update fstab to hide pids from /proc'
+  lineinfile:
+    dest: '/etc/fstab'
+    regexp: '(^proc\s+/proc\s+proc\s+)(\S+)(\s+[0-9]\s+[0-9])\s*$'
+    line: '\1defaults,hidepid=2\3'
+    backrefs: 'yes'
   notify:
-      - Remount /proc
+      - 'Remount /proc'
   when: with_hideproc and hideproc_gid == ''
+  tags:
+    - 'security'
 
-- name: Update fstab to hide pids from /proc with group id (gid)
-  lineinfile: dest=/etc/fstab regexp='(^proc\s+/proc\s+proc\s+)(\S+)(\s+[0-9]\s+[0-9])\s*$' line='\1defaults,hidepid=2,gid={{hideproc_gid}}\3' backrefs=yes
+- name: 'Update fstab to hide pids from /proc with group id (gid)'
+  lineinfile:
+    dest: '/etc/fstab'
+    regexp: '(^proc\s+/proc\s+proc\s+)(\S+)(\s+[0-9]\s+[0-9])\s*$'
+    line: '\1defaults,hidepid=2,gid={{hideproc_gid}}\3'
+    backrefs: 'yes'
   notify:
-      - Remount /proc
+      - 'Remount /proc'
   when: with_hideproc and hideproc_gid != ''
+  tags:
+    - 'security'
 
 - name: 'Create Diffie-Helman parameters'
   command: 'openssl dhparam -2 -out /etc/ssl/private/dh{{ item }}.pem {{ item }}'
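Review bot: Both 'Update fstab to hide pids from /proc' tasks use `lineinfile` with `backrefs: 'yes'`, which leaves the file unchanged when the regexp matches nothing, so on a host whose `/etc/fstab` has no `proc` line the `hidepid=2` hardening is silently skipped and the task still reports ok. A guard is worth adding, for example a preceding task that ensures a `proc /proc proc defaults 0 0` line exists, or a later check that fails when `hidepid=2` is missing from the mounted options. The replacement also resets the options field to `defaults,hidepid=2`, dropping whatever options were there before; a comment stating that this is intended would help. In the same hunk 'Update chkrootkit configuration' still uses the inline `template: src=… mode=0644` form, and the two `notify:` lists keep their six-space indent, unlike the rest of the commit. The last task, 'Create Diffie-Helman parameters', continues past the end of this hunk.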
@@ -143,3 +180,7 @@
     creates: '/etc/ssl/private/dh{{ item }}.pem'
   with_items:
     - '2048'
+  tags:
+    - 'security'
+
+# vim: ft=yaml.ansible

+ 34 - 10
roles/common/tasks/smartd.yml

@@ -1,15 +1,39 @@
-- name: Install smartmontools package
-  apt: pkg=smartmontools state=present
+- name: 'Install smartmontools package'
+  apt:
+    pkg: 'smartmontools'
+    state: 'present'
+  tags:
+    - 'smartd'
 
-- name: Install smartd configuration
-  template: src=smartd/smartd.conf.j2 dest=/etc/smartd.conf owner=root group=root mode=0644
+- name: 'Install smartd configuration'
+  template:
+    src: 'smartd/smartd.conf.j2'
+    dest: '/etc/smartd.conf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
   notify:
-    - Restart smartmontools
+    - 'Restart smartmontools'
+  tags:
+    - 'smartd'
 
-- name: Update smartmontools default/init parameters
-  template: src=smartd/default.j2 dest=/etc/default/smartmontools owner=root group=root mode=0644
+- name: 'Update smartmontools default/init parameters'
+  template:
+    src: 'smartd/default.j2'
+    dest: '/etc/default/smartmontools'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
   notify:
-    - Restart smartmontools
+    - 'Restart smartmontools'
+  tags:
+    - 'smartd'
 
-- name: Ensure smartmontools is running
-  service: name=smartmontools state=started
+- name: 'Ensure smartmontools is running'
+  service:
+    name: 'smartmontools'
+    state: 'started'
+  tags:
+    - 'smartd'
+
+# vim: ft=yaml.ansible

+ 18 - 0
roles/common/tasks/smtp.yml

@@ -9,6 +9,8 @@
     - 'procmail'
     - 'libsasl2-modules'
   when: with_postfix
+  tags:
+    - 'smtp'
 
 - name: 'Install mail aliases file'
   template:
@@ -20,6 +22,8 @@
   notify:
     - 'Regenerate aliases cache'
   when: with_mail_aliases
+  tags:
+    - 'smtp'
 
 - name: 'Install Postfix main configuration'
   template:
@@ -31,6 +35,8 @@
   notify:
     - 'Reload Postfix'
   when: with_postfix
+  tags:
+    - 'smtp'
 
 - name: 'Update Postfix master config for slowsmtp transport'
   blockinfile:
@@ -43,6 +49,8 @@
   notify:
     - 'Reload Postfix'
   when: with_postfix_slowsmtp
+  tags:
+    - 'smtp'
 
 - name: 'Install Postfix slowsmtp transport map'
   template:
@@ -55,6 +63,8 @@
     - 'Rehash slowsmtp transport map'
     - 'Reload Postfix'
   when: with_postfix_slowsmtp
+  tags:
+    - 'smtp'
 
 - name: 'Install Postfix SASL sender relay map'
   template:
@@ -67,6 +77,8 @@
     - 'Rehash SASL sender relay map'
     - 'Reload Postfix'
   when: with_postfix_external_smtp
+  tags:
+    - 'smtp'
 
 - name: 'Install Postfix SASL credentials map'
   template:
@@ -79,6 +91,8 @@
     - 'Rehash SASL credentials map'
     - 'Reload Postfix'
   when: with_postfix_external_smtp
+  tags:
+    - 'smtp'
 
 - name: 'Install Postfix SASL sender rewrite map'
   template:
@@ -90,3 +104,7 @@
   notify:
     - 'Reload Postfix'
   when: with_postfix_external_smtp and postfix_external_sender_rewrites
+  tags:
+    - 'smtp'
+
+# vim: ft=yaml.ansible

+ 10 - 0
roles/common/tasks/ssh.yml

@@ -6,6 +6,8 @@
     - 'openssh-server'
     - 'openssh-client'
   when: with_ssh
+  tags:
+    - 'ssh'
 
 - name: 'Install sshd configuration (Debian <= 8)'
   template:
@@ -17,6 +19,8 @@
   notify:
     - Restart ssh
   when: with_ssh and ansible_lsb.major_release|int <= 8
+  tags:
+    - 'ssh'
 
 - name: 'Install sshd configuration (Debian >= 9)'
   template:
@@ -28,9 +32,15 @@
   notify:
     - Restart ssh
   when: with_ssh and ansible_lsb.major_release|int >= 9
+  tags:
+    - 'ssh'
 
 - name: 'Ensure ssh is running'
   service:
     name: 'ssh'
     state: 'started'
   when: with_ssh
+  tags:
+    - 'ssh'
+
+# vim: ft=yaml.ansible

+ 32 - 2
roles/common/tasks/ssl.yml

@@ -7,6 +7,8 @@
     mode: '0755'
   with_items: '{{ ssl_certs }}'
   when: ssl_certs
+  tags:
+    - 'ssl'
 
 - name: 'Install ssl certificates (certificate)'
   copy:
@@ -18,6 +20,8 @@
   register: ssl_cert_result
   with_items: '{{ ssl_certs }}'
   when: ssl_certs
+  tags:
+    - 'ssl'
 
 - name: 'Install ssl certificates (private key)'
   copy:
@@ -29,6 +33,8 @@
   register: ssl_key_result
   with_items: '{{ ssl_certs }}'
   when: ssl_certs
+  tags:
+    - 'ssl'
 
 - name: 'Install ssl certificates (chain)'
   copy:
@@ -40,6 +46,8 @@
   register: ssl_chain_result
   with_items: '{{ ssl_certs }}'
   when: ssl_certs
+  tags:
+    - 'ssl'
 
 - name: 'Gathering info about ssl full chain (certificate + chain)'
   stat:
@@ -47,6 +55,8 @@
   with_items: '{{ ssl_certs }}'
   register: ssl_fullchain_stats
   when: ssl_certs
+  tags:
+    - 'ssl'
 
 - name: 'Gathering info about ssl bundle (key + fullchain)'
   stat:
@@ -54,16 +64,22 @@
   with_items: '{{ ssl_certs }}'
   register: ssl_bundle_stats
   when: ssl_certs
+  tags:
+    - 'ssl'
 
 - name: 'Create ssl certificates full chain (certificate + chain)'
   shell: sed '/^\s*$/d' '/etc/ssl/local/certs/{{ item.item }}/cert.pem' '/etc/ssl/local/certs/{{ item.item }}/chain.pem' > '/etc/ssl/local/certs/{{ item.item }}/fullchain.pem'
   with_items: '{{ ssl_fullchain_stats.results }}'
-  when: ssl_certs and (not item.stat.exists or ssl_cert_result|changed or ssl_chain_result|changed)
+  when: ssl_certs and (not item.stat.exists or ssl_cert_result is changed or ssl_chain_result is changed)
+  tags:
+    - 'ssl'
 
 - name: 'Create ssl certificates bundle (key + certificate + bundle)'
   shell: sed '/^\s*$/d' '/etc/ssl/local/certs/{{ item.item }}/privkey.pem' '/etc/ssl/local/certs/{{ item.item }}/cert.pem' '/etc/ssl/local/certs/{{ item.item }}/chain.pem' > '/etc/ssl/local/certs/{{ item.item }}/bundle.pem'
   with_items: '{{ ssl_bundle_stats.results }}'
-  when: ssl_certs and (not item.stat.exists or ssl_key_result|changed or ssl_cert_result|changed or ssl_chain_result|changed)
+  when: ssl_certs and (not item.stat.exists or ssl_key_result is changed or ssl_cert_result is changed or ssl_chain_result is changed)
+  tags:
+    - 'ssl'
 
 - name: 'Install Lets Encrypt client'
   apt:
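Review bot: The 'Create ssl certificates bundle' task writes `privkey.pem` into `bundle.pem` through a shell redirect, so the new file's mode comes from the remote umask rather than from the task, and nothing in this hunk restricts it. The first task of the file, presumably the per-certificate directory, uses `mode: '0755'`, so unless a task outside the visible hunks sets the mode, the private key may end up world-readable. Starting the command with `umask 077 ;` or following it with a `file:` task that sets `mode: '0640'` on `bundle.pem` would pin it. Separately, `ssl_key_result is changed` on a looped `register` is true when any item changed, so every bundle is rebuilt when one certificate changes; that is harmless but worth a comment.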
@@ -71,6 +87,8 @@
     state: 'present'
     default_release: '{{ ansible_lsb.codename }}-backports'
   when: ssl_certs_auto
+  tags:
+    - 'ssl'
 
 - name: 'Install Lets Encrypt domains configuration'
   template:
@@ -80,6 +98,8 @@
     group: 'root'
     mode: '0644'
   when: ssl_certs_auto
+  tags:
+    - 'ssl'
 
 - name: 'List Lets Encrypt SSL installed certificates'
   shell: find /var/lib/dehydrated/certs -iname privkey.pem | cut -d / -f6
@@ -87,6 +107,8 @@
   changed_when: False
   ignore_errors: True
   when: ssl_certs_auto
+  tags:
+    - 'ssl'
 
 - name: 'List Lets Encrypt SSL certificates to be generated'
   shell: egrep -v '^#' /etc/dehydrated/domains.txt | cut -d ' ' -f 1 | while read c ; do test -f "/var/lib/dehydrated/certs/${c}/privkey.pem" || echo "${c}" ; done
@@ -96,6 +118,8 @@
   notify:
     - 'Generate Lets Encrypt SSL certificates'
   when: ssl_certs_auto
+  tags:
+    - 'ssl'
 
 - name: 'Install Lets Encrypt cron job'
   template:
@@ -105,8 +129,14 @@
     group: 'root'
     mode: '0644'
   when: ssl_certs_auto
+  tags:
+    - 'ssl'
 
 - name: 'Register and accept Lets Encrypt terms of service'
   shell: if dehydrated --help | grep -q -- 'register' && dehydrated --help | grep -q -- 'accept-terms' ; then dehydrated --register --accept-terms ; fi
   changed_when: False
   when: ssl_certs_auto
+  tags:
+    - 'ssl'
+
+# vim: ft=yaml.ansible

+ 2 - 2
roles/dbserver/defaults/main.yml

@@ -1,5 +1,5 @@
 #
-# Default variables for webservers
+# Default variables for dbservers
 #
 
 with_mysql: False
@@ -11,4 +11,4 @@ mysql_admin_password: ''
 with_postgresql: False
 with_postgresql_backup: True
 
-# vim: ft=yaml
+# vim: ft=yaml.ansible

+ 8 - 2
roles/dbserver/tasks/main.yml

@@ -1,6 +1,12 @@
 - include_tasks: mysql.yml
-  tags: [sql,mysql]
   when: with_mysql or with_mariadb
+  tags:
+    - 'mysql'
+    - 'sql'
 - include_tasks: postgresql.yml
-  tags: [sql,postgresql]
   when: with_postgresql
+  tags:
+    - 'postgresql'
+    - 'sql'
+
+# vim: ft=yaml.ansible

+ 45 - 17
roles/dbserver/tasks/mysql.yml

@@ -1,37 +1,65 @@
-- name: Install MySQL server related packages
-  apt: pkg={{ item }} state=present
+- name: 'Install MySQL server related packages'
+  apt:
+    pkg: '{{ item }}'
+    state: 'present'
   with_items:
-    - mysql-server
-    - mysql-client
+    - 'mysql-server'
+    - 'mysql-client'
   when: with_mysql
+  tags:
+    - 'mysql'
+    - 'sql'
 
-- name: Install MariaDB server related packages
-  apt: pkg={{ item }} state=present
+- name: 'Install MariaDB server related packages'
+  apt:
+    pkg: '{{ item }}'
+    state: 'present'
   with_items:
-    - mariadb-server
-    - mariadb-client
+    - 'mariadb-server'
+    - 'mariadb-client'
   when: with_mariadb
+  tags:
+    - 'mysql'
+    - 'sql'
 
-- name: Install MySQL or MariaDB backup related packages (automysqlbackup)
-  apt: pkg=automysqlbackup state=present
+- name: 'Install MySQL or MariaDB backup related packages (automysqlbackup)'
+  apt:
+    pkg: 'automysqlbackup'
+    state: 'present'
   when: with_mysql_backup
+  tags:
+    - 'mysql'
+    - 'sql'
 
-- name: Fix automysqlbackup to handle events properly
+- name: 'Fix automysqlbackup to handle events properly'
   lineinfile:
-    dest: /usr/sbin/automysqlbackup
-    regexp: "^OPT="
+    dest: '/usr/sbin/automysqlbackup'
+    regexp: '^OPT='
     line: 'OPT="--quote-names --events" # OPT string for use with mysqldump ( see man mysqldump )'
   when: with_mysql_backup
+  tags:
+    - 'mysql'
+    - 'sql'
 
-- name: Change MySQL or MariaDB root default password
+- name: 'Change MySQL or MariaDB root default password'
   raw: if ! echo "SELECT VERSION();" | mysql -u root --password='{{ mysql_root_password }}' >/dev/null 2>&1 ; then echo "UPDATE mysql.user SET Password=PASSWORD('{{ mysql_root_password }}') WHERE User IN ('', 'root'); FLUSH PRIVILEGES;" | mysql --defaults-file=/etc/mysql/debian.cnf ; fi
   changed_when: False
   when: mysql_root_password != ''
+  tags:
+    - 'mysql'
+    - 'sql'
 
-- name: Add MySQL or MariaDB admin account
+- name: 'Add MySQL or MariaDB admin account'
   raw: if ! echo "SELECT VERSION();" | mysql -u admin --password='{{ mysql_admin_password }}' >/dev/null 2>&1 ; then echo "CREATE USER 'admin'@'localhost' IDENTIFIED BY '{{ mysql_admin_password }}'; GRANT ALL PRIVILEGES ON * . * TO 'admin'@'localhost' WITH GRANT OPTION; FLUSH PRIVILEGES;" | mysql --defaults-file=/etc/mysql/debian.cnf ; fi
   changed_when: False
   when: mysql_admin_password != ''
+  tags:
+    - 'mysql'
+    - 'sql'
 
-- name: Ensure MySQL or MariaDB is running
-  service: name=mysql state=started
+- name: 'Ensure MySQL or MariaDB is running'
+  service:
+    name: mysql
+    state: started
+
+# vim: ft=yaml.ansible
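Review bot: The two `raw:` tasks ('Change MySQL or MariaDB root default password' and 'Add MySQL or MariaDB admin account') interpolate `{{ mysql_root_password }}` and `{{ mysql_admin_password }}` into a shell command line and an SQL string without `no_log: true`. The secrets can therefore appear in Ansible output and logs and, through `--password=`, in the process list, and a password containing `'` breaks both quoting layers. Adding `no_log: true` to both tasks is the minimal change; using the `mysql_user` module, or a `--defaults-extra-file` with mode 0600, would also avoid the command-line exposure, though the module needs a Python MySQL library on the target, which this page does not show being installed. 'Ensure MySQL or MariaDB is running' is the only task in the file left without `tags:` and with unquoted `name`/`state`, so a `--tags mysql` run skips it.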

+ 25 - 8
roles/dbserver/tasks/postgresql.yml

@@ -1,12 +1,29 @@
-- name: Install PostgreSQL server related packages
-  apt: pkg={{ item }} state=present
+- name: 'Install PostgreSQL server related packages'
+  apt:
+    pkg: '{{ item }}'
+    state: 'present'
   with_items:
-    - postgresql
-    - postgresql-client
+    - 'postgresql'
+    - 'postgresql-client'
+  tags:
+    - 'postgresql'
+    - 'sql'
 
-- name: Install AutoPostgreSQLBackup package
-  apt: pkg=autopostgresqlbackup state=present
+- name: 'Install AutoPostgreSQLBackup package'
+  apt:
+    pkg: 'autopostgresqlbackup'
+    state: 'present'
   when: with_postgresql_backup
+  tags:
+    - 'postgresql'
+    - 'sql'
 
-- name: Ensure PostgreSQL server is running
-  service: name=postgresql state=started
+- name: 'Ensure PostgreSQL server is running'
+  service:
+    name: postgresql
+    state: started
+  tags:
+    - 'postgresql'
+    - 'sql'
+
+# vim: ft=yaml.ansible

+ 2 - 2
roles/ftpserver/defaults/main.yml

@@ -1,5 +1,5 @@
 #
-# Default variables for webservers
+# Default variables for ftpservers
 #
 
 with_ftp: False
@@ -7,4 +7,4 @@ with_ftp_tls: False
 ftp_tls_domain: Null
 ftp_accounts: Null
 
-# vim: ft=yaml
+# vim: ft=yaml.ansible

+ 2 - 0
roles/ftpserver/handlers/common.yml

@@ -1,2 +1,4 @@
 - name: 'Load kernel modules for ftp server'
   raw: egrep -v  '^(\s*#|$)' /etc/modules-load.d/ftpd.conf | xargs --no-run-if-empty --max-args 1 modprobe
+
+# vim: ft=yaml.ansible

+ 2 - 0
roles/ftpserver/handlers/main.yml

@@ -1,2 +1,4 @@
 - include: 'common.yml'
 - include: 'pure-ftpd.yml'
+
+# vim: ft=yaml.ansible

+ 2 - 0
roles/ftpserver/handlers/pure-ftpd.yml

@@ -2,3 +2,5 @@
   service:
     name: 'pure-ftpd'
     state: 'restarted'
+
+# vim: ft=yaml.ansible

+ 4 - 0
roles/ftpserver/tasks/common.yml

@@ -8,3 +8,7 @@
   notify:
     - 'Load kernel modules for ftp server'
   when: ansible_lsb.major_release|int >= 8
+  tags:
+    - 'ftp'
+
+# vim: ft=yaml.ansible

+ 7 - 2
roles/ftpserver/tasks/main.yml

@@ -1,6 +1,11 @@
 - include_tasks: 'common.yml'
-  tags: [ftp]
   when: with_ftp
+  tags:
+    - 'ftp'
 - include_tasks: 'pure-ftpd.yml'
-  tags: [ftp,pure-ftpd]
   when: with_ftp
+  tags:
+    - 'ftp'
+    - 'pure-ftpd'
+
+# vim: ft=yaml.ansible

+ 39 - 4
roles/ftpserver/tasks/pure-ftpd.yml

@@ -4,6 +4,9 @@
     state: 'present'
   with_items:
     - 'pure-ftpd'
+  tags:
+    - 'ftp'
+    - 'pure-ftpd'
 
 - name: 'Install pure-ftpd configuration (TLS settings)'
   lineinfile:
@@ -17,6 +20,9 @@
   notify:
     - 'Restart pure-ftpd'
   when: with_ftp_tls
+  tags:
+    - 'ftp'
+    - 'pure-ftpd'
 
 - name: 'Create pure-ftpd SSL bundle certificate symlink'
   file:
@@ -26,6 +32,9 @@
   notify:
     - 'Restart pure-ftpd'
   when: with_ftp_tls and ftp_tls_domain
+  tags:
+    - 'ftp'
+    - 'pure-ftpd'
 
 - name: 'Create pure-ftpd Diffie Hellman Param file symlink'
   file:
@@ -35,6 +44,9 @@
   notify:
     - 'Restart pure-ftpd'
   when: with_ftp_tls
+  tags:
+    - 'ftp'
+    - 'pure-ftpd'
 
 - name: 'Install pure-ftpd configuration'
   lineinfile:
@@ -54,6 +66,9 @@
     - { dest: 'PassivePortRange', regexp: '^[0-9]+ [0-9]+$', line: '64000 65000' }
   notify:
     - 'Restart pure-ftpd'
+  tags:
+    - 'ftp'
+    - 'pure-ftpd'
 
 - name: 'Enable pure-ftpd internal DB'
   file:
@@ -62,32 +77,52 @@
     state: 'link'
   notify:
     - 'Restart pure-ftpd'
+  tags:
+    - 'ftp'
+    - 'pure-ftpd'
 
 - name: 'Clean up pure-ftpd internal DB'
   raw: pure-pw list 2>/dev/null | sed -r 's/^(\S+)\s.*$/\1/' | while read u ; do pure-pw userdel "${u}" ; done
   changed_when: False
+  tags:
+    - 'ftp'
+    - 'pure-ftpd'
 
 - name: 'Create FTP accounts home directory'
   file:
-    path: '{{item.home}}'
-    owner: '{{item.uid}}'
-    group: '{{item.gid}}'
+    path: '{{ item.home }}'
+    owner: '{{ item.uid }}'
+    group: '{{ item.gid }}'
     mode: 0755
     state: 'directory'
   with_items: '{{ ftp_accounts }}'
   when: ftp_accounts
+  tags:
+    - 'ftp'
+    - 'pure-ftpd'
 
 - name: 'Add FTP accounts in pure-ftpd'
-  raw: printf "{{item.password}}\n{{item.password}}\n" | pure-pw useradd "{{item.user}}" -d "{{item.home}}" -u "{{item.uid}}" -g "{{item.gid}}"
+  raw: printf "{{ item.password }}\n{{ item.password }}\n" | pure-pw useradd "{{ item.user }}" -d "{{ item.home }}" -u "{{ item.uid }}" -g "{{ item.gid }}"
   with_items: '{{ ftp_accounts }}'
   changed_when: False
   when: ftp_accounts and with_ftp
+  tags:
+    - 'ftp'
+    - 'pure-ftpd'
 
 - name: 'Rebuild pure-ftpd internal DB'
   raw: pure-pw mkdb 2>/dev/null
   changed_when: False
+  tags:
+    - 'ftp'
+    - 'pure-ftpd'
 
 - name: 'Ensure pure-ftpd is running'
   service:
     name: 'pure-ftpd'
     state: 'started'
+  tags:
+    - 'ftp'
+    - 'pure-ftpd'
+
+# vim: ft=yaml.ansible
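Review bot: The 'Add FTP accounts in pure-ftpd' task still places `item.password` inside a double-quoted shell string that is also printf's format argument, so a password containing `"`, `$`, a backtick, `\` or `%` is mangled or interpreted by the shell on the managed host. Because `no_log` is not set, the rendered command, password included, also appears in task output. Since the line is being edited anyway, pass the values as quoted arguments, e.g. `raw: printf '%s\n%s\n' {{ item.password | quote }} {{ item.password | quote }} | pure-pw useradd {{ item.user | quote }} -d {{ item.home | quote }} -u {{ item.uid | quote }} -g {{ item.gid | quote }}`, and add `no_log: true` to the task. The home-directory task in the same hunk keeps `mode: 0755` unquoted while php.yml in this commit switches to `'0755'`.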

+ 2 - 2
roles/hypervisor/defaults/main.yml

@@ -1,5 +1,5 @@
 #
-# Default variables
+# Default variables for hypervisors
 #
 
 with_xen: False
@@ -9,4 +9,4 @@ xen_grub_opts: ''
 
 with_ganeti: False
 
-# vim: ft=yaml
+# vim: ft=yaml.ansible

+ 2 - 0
roles/hypervisor/handlers/ganeti.yml

@@ -1,2 +1,4 @@
 - name: 'Rebuild initramfs'
   command: update-initramfs -u -k all
+
+# vim: ft=yaml.ansible

+ 2 - 0
roles/hypervisor/handlers/main.yml

@@ -1,2 +1,4 @@
 - include: 'xen.yml'
 - include: 'ganeti.yml'
+
+# vim: ft=yaml.ansible

+ 2 - 0
roles/hypervisor/handlers/xen.yml

@@ -1,2 +1,4 @@
 - name: 'Update GRUB'
   command: update-grub
+
+# vim: ft=yaml.ansible

+ 19 - 6
roles/hypervisor/tasks/ganeti.yml

@@ -8,7 +8,9 @@
     - 'ganeti-instance-debootstrap'
     - 'drbd-utils'
     - 'dnsutils'
-  when: with_ganeti
+  tags:
+    - 'hypervisor'
+    - 'ganeti'
 
 - name: 'Install ganeti instances templates for debootstrap'
   template:
@@ -20,7 +22,9 @@
   with_items:
     - 'jessie'
     - 'stretch'
-  when: with_ganeti
+  tags:
+    - 'hypervisor'
+    - 'ganeti'
 
 - name: 'Enable ganeti instances templates for debootstrap'
   lineinfile:
@@ -33,7 +37,9 @@
   with_items:
     - 'jessie'
     - 'stretch'
-  when: with_ganeti
+  tags:
+    - 'hypervisor'
+    - 'ganeti'
 
 - name: 'Exclude DRBD devices from lvm devices while using ganeti'
   blockinfile:
@@ -41,7 +47,9 @@
     marker: '    # ======= {mark} Exclude DRBD devices while using ganeti (managed by ansible) ======'
     content: '    filter = ["r|/dev/drbd[0-9]+|"]'
     insertafter: '^\s*devices\s+{'
-  when: with_ganeti
+  tags:
+    - 'hypervisor'
+    - 'ganeti'
 
 - name: 'Add options for kernel modules while using ganeti'
   template:
@@ -52,7 +60,9 @@
     mode: '0644'
   notify:
     - 'Rebuild initramfs'
-  when: with_ganeti
+  tags:
+    - 'hypervisor'
+    - 'ganeti'
 
 - name: 'Add kernel modules to load while using ganeti'
   template:
@@ -61,5 +71,8 @@
     owner: 'root'
     group: 'root'
     mode: '0644'
-  when: with_ganeti
+  tags:
+    - 'hypervisor'
+    - 'ganeti'
 
+# vim: ft=yaml.ansible

+ 10 - 2
roles/hypervisor/tasks/main.yml

@@ -1,4 +1,12 @@
 - include_tasks: 'xen.yml'
-  tags: [hypervisor,xen]
+  when: with_xen
+  tags:
+    - 'hypervisor'
+    - 'xen'
 - include_tasks: 'ganeti.yml'
-  tags: [hypervisor,ganeti]
+  when: with_ganeti
+  tags:
+    - 'hypervisor'
+    - 'ganeti'
+
+# vim: ft=yaml.ansible

+ 14 - 5
roles/hypervisor/tasks/xen.yml

@@ -8,7 +8,9 @@
     - 'grub-xen-host'
     - 'bridge-utils'
     - 'debootstrap'
-  when: with_xen
+  tags:
+    - 'hypervisor'
+    - 'xen'
 
 - name: 'Add GRUB options for Xen'
   lineinfile:
@@ -18,13 +20,14 @@
     line: 'GRUB_CMDLINE_XEN_DEFAULT="dom0_mem={{ xendom0_mem  }}M,max:{{ xendom0_mem }}M dom0_max_vcpus=1 dom0_vcpus_pin {{ xen_grub_opts }}"'
   notify:
     - 'Update GRUB'
-  when: with_xen
+  tags:
+    - 'hypervisor'
+    - 'xen'
 
 - name: 'Set Xen hypervisor to boot first'
   command: 'dpkg-divert --divert /etc/grub.d/09_linux_xen --rename /etc/grub.d/20_linux_xen creates=/etc/grub.d/09_linux_xen'
   notify:
     - 'Update GRUB'
-  when: with_xen
 
 - name: 'Configure Xend'
   template: 
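Review bot: 'Set Xen hypervisor to boot first' loses its `when: with_xen` like its neighbours but is the only task in this file section that does not receive the `hypervisor`/`xen` tags. A run limited with `--tags xen` would therefore skip the dpkg-divert step while still applying the GRUB options task above it. Add `tags:` with `- 'hypervisor'` and `- 'xen'` after its `notify:` block. As a smaller style point, `creates=/etc/grub.d/09_linux_xen` is still embedded in the command string; `args:` with `creates: '/etc/grub.d/09_linux_xen'` would match the YAML-argument form used elsewhere in the commit. The 'Configure Xend' task at the end of the hunk continues outside it.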
@@ -33,7 +36,9 @@
     owner: 'root'
     group: 'root'
     mode: '0644'
-  when: with_xen
+  tags:
+    - 'hypervisor'
+    - 'xen'
 
 - name: 'Configure Xendomains init script (disable save and restore)'
   lineinfile:
@@ -43,4 +48,8 @@
   with_items:
     - { regexp: '^#?XENDOMAINS_RESTORE=', line: 'XENDOMAINS_RESTORE=false' }
     - { regexp: '^#?XENDOMAINS_SAVE=', line: 'XENDOMAINS_SAVE=' }
-  when: with_xen
+  tags:
+    - 'hypervisor'
+    - 'xen'
+
+# vim: ft=yaml.ansible

+ 1 - 1
roles/monitoring/defaults/main.yml

@@ -8,4 +8,4 @@ with_zabbix_agent: False
 zabbix_remote_server: 'zabbix.domain.tld'
 zabbix_plugins_config: Null
 
-# vim: ft=yaml
+# vim: ft=yaml.ansible

+ 2 - 0
roles/monitoring/handlers/main.yml

@@ -1,2 +1,4 @@
 - include: mon.yml
 - include: zabbix.yml
+
+# vim: ft=yaml.ansible

+ 6 - 2
roles/monitoring/handlers/mon.yml

@@ -1,2 +1,6 @@
-- name: Restart mon
-  service: name=mon state=restarted
+- name: 'Restart mon'
+  service:
+    name: 'mon'
+    state: 'restarted'
+
+# vim: ft=yaml.ansible

+ 6 - 2
roles/monitoring/handlers/zabbix.yml

@@ -1,2 +1,6 @@
-- name: Restart zabbix agent
-  service: name=zabbix-agent state=restarted
+- name: 'Restart zabbix agent'
+  service:
+    name: 'zabbix-agent'
+    state: 'restarted'
+
+# vim: ft=yaml.ansible

+ 10 - 4
roles/monitoring/tasks/main.yml

@@ -1,6 +1,12 @@
-- include_tasks: mon.yml
-  tags: [monitoring,mon]
-  when: with_mon
 - include_tasks: zabbix.yml
-  tags: [monitoring,zabbix]
   when: with_zabbix_agent
+  tags:
+    - 'monitoring'
+    - 'zabbix'
+- include_tasks: mon.yml
+  when: with_mon
+  tags:
+    - 'monitoring'
+    - 'mon'
+
+# vim: ft=yaml.ansible

+ 76 - 26
roles/monitoring/tasks/mon.yml

@@ -1,38 +1,88 @@
-- name: Install mon packages
-  apt: pkg=mon state=present
+- name: 'Install mon packages'
+  apt:
+    pkg: 'mon'
+    state: 'present'
+  tags:
+    - 'monitoring'
+    - 'mon'
 
-- name: Create need directory for mon configuration
-  file: path=/etc/mon/mon.d state=directory owner=root group=root mode=0755
+- name: 'Create need directory for mon configuration'
+  file:
+    path: '/etc/mon/mon.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  tags:
+    - 'monitoring'
+    - 'mon'
 
-- name: Install mon configuration
-  template: src=mon/{{ ansible_hostname }}.conf.j2 dest=/etc/mon/mon.cf owner=root group=root mode=0644
+- name: 'Install mon configuration'
+  template:
+    src: 'mon/{{ ansible_hostname }}.conf.j2'
+    dest: '/etc/mon/mon.cf'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
   notify:
-    - Restart mon
+    - 'Restart mon'
+  tags:
+    - 'monitoring'
+    - 'mon'
 
-- name: Install mon (default) configuration
-  template: src=mon/default.j2 dest=/etc/default/mon owner=root group=root mode=0644
+- name: 'Install mon (default) configuration'
+  template:
+    src: 'mon/default.j2'
+    dest: '/etc/default/mon'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
   notify:
-    - Restart mon
+    - 'Restart mon'
+  tags:
+    - 'monitoring'
+    - 'mon'
 
-- name: Install custom mon plugins
-  copy: src=mon/{{ item }}.monitor dest=/etc/mon/mon.d/{{ item }}.monitor owner=root group=root mode=0755
+- name: 'Install custom mon plugins'
+  copy:
+    src: 'mon/{{ item }}.monitor'
+    dest: '/etc/mon/mon.d/{{ item }}.monitor'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
   with_items:
-    - https
-    - imaps
-    - dns
+    - 'https'
+    - 'imaps'
+    - 'dns'
   notify:
-    - Restart mon
+    - 'Restart mon'
+  tags:
+    - 'monitoring'
+    - 'mon'
 
-- name: Install mon plugins
-  file: src=/usr/lib/mon/mon.d/{{ item }}.monitor path=/etc/mon/mon.d/{{ item }}.monitor state=link
+- name: 'Install mon plugins'
+  file:
+    src: '/usr/lib/mon/mon.d/{{ item }}.monitor'
+    path: '/etc/mon/mon.d/{{ item }}.monitor'
+    state: 'link'
   with_items:
-    - fping
-    - http
-    - smtp
-    - imap
-    - tcp
+    - 'fping'
+    - 'http'
+    - 'smtp'
+    - 'imap'
+    - 'tcp'
   notify:
-    - Restart mon
+    - 'Restart mon'
+  tags:
+    - 'monitoring'
+    - 'mon'
 
-- name: Ensure mon is running
-  service: name=mon state=started
+- name: 'Ensure mon is running'
+  service:
+    name: 'mon'
+    state: 'started'
+  tags:
+    - 'monitoring'
+    - 'mon'
+
+# vim: ft=yaml.ansible

+ 14 - 0
roles/monitoring/tasks/zabbix.yml

@@ -4,6 +4,9 @@
     state: 'present'
   with_items:
     - 'zabbix-agent'
+  tags:
+    - 'monitoring'
+    - 'zabbix'
 
 - name: 'Install Zabbix agent config file'
   template:
@@ -14,6 +17,9 @@
     mode: '0644'
   notify:
     - 'Restart zabbix agent'
+  tags:
+    - 'monitoring'
+    - 'zabbix'
 
 - name: 'Create zabbix plugins configuration directory'
   file:
@@ -23,6 +29,9 @@
     mode: '0755'
     state: 'directory'
   when: zabbix_plugins_config
+  tags:
+    - 'monitoring'
+    - 'zabbix'
 
 - name: 'Install zabbix plugins configuration (ssl, web availability)'
   template:
@@ -35,3 +44,8 @@
     - 'ssl-discovery'
     - 'web-availability-discovery'
   when: zabbix_plugins_config
+  tags:
+    - 'monitoring'
+    - 'zabbix'
+
+# vim: ft=yaml.ansible

+ 1 - 1
roles/rsyncserver/defaults/main.yml

@@ -7,4 +7,4 @@ rsyncd_uid: backup
 rsyncd_gid: backup
 rsyncd_max_connections: 10
 
-# vim: ft=ansible
+# vim: ft=yaml.ansible

+ 2 - 0
roles/rsyncserver/handlers/main.yml

@@ -1 +1,3 @@
 - include: 'rsyncd.yml'
+
+# vim: ft=yaml.ansible

+ 1 - 1
roles/rsyncserver/handlers/rsyncd.yml

@@ -3,4 +3,4 @@
     name: 'rsync'
     state: 'restarted'
 
-# vim: ft=ansible
+# vim: ft=yaml.ansible

+ 3 - 2
roles/rsyncserver/tasks/main.yml

@@ -1,5 +1,6 @@
 - include_tasks: 'rsyncd.yml'
-  tags: [rsync]
   when: with_rsyncd
+  tags:
+    - 'rsyncd'
 
-# vim: ft=ansible
+# vim: ft=yaml.ansible
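Review bot: The tag on this include changes from `rsync` to `rsyncd`, which is more than a reformat: existing invocations that use `--tags rsync` will no longer select anything in this role. If the rename is deliberate, it deserves a line in the commit message. Otherwise keep `- 'rsync'` here and on the tasks in `roles/rsyncserver/tasks/rsyncd.yml`.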

+ 9 - 1
roles/rsyncserver/tasks/rsyncd.yml

@@ -4,6 +4,8 @@
     state: 'present'
   with_items:
     - 'rsync'
+  tags:
+    - 'rsyncd'
 
 - name: 'Create Rsync daemon configuration directory'
   file:
@@ -12,6 +14,8 @@
     group: 'root'
     mode: 0755
     state: 'directory'
+  tags:
+    - 'rsyncd'
 
 - name: 'Install Rsync daemon configuration'
   template:
@@ -22,10 +26,14 @@
     mode: 0644
   notify:
     - 'Restart Rsync Daemon'
+  tags:
+    - 'rsyncd'
 
 - name: 'Ensure Rsync daemon is running'
   service:
     name: 'rsync'
     state: 'started'
+  tags:
+    - 'rsyncd'
 
-# vim: ft=ansible
+# vim: ft=yaml.ansible

+ 1 - 1
roles/webserver/defaults/main.yml

@@ -67,4 +67,4 @@ http_auth_admin_password: Null
 http_auth_user_name: Null
 http_auth_user_password: Null
 
-# vim: ft=ansible
+# vim: ft=yaml.ansible

+ 7 - 3
roles/webserver/handlers/apache2.yml

@@ -1,5 +1,9 @@
-- name: Reload apache2
+- name: 'Reload apache2'
   shell: apache2ctl configtest && apache2ctl graceful
 
-- name: Restart apache2
-  service: name=apache2 state=restarted
+- name: 'Restart apache2'
+  service:
+    name: 'apache2'
+    state: 'restarted'
+
+# vim: ft=yaml.ansible

+ 2 - 0
roles/webserver/handlers/fpm.yml

@@ -7,3 +7,5 @@
   service:
     name: 'php{{ php_version }}-fpm'
     state: 'reloaded'
+
+# vim: ft=yaml.ansible

+ 2 - 0
roles/webserver/handlers/main.yml

@@ -2,3 +2,5 @@
 - include: nginx.yml
 - include: fpm.yml
 - include: php.yml
+
+# vim: ft=yaml.ansible

+ 7 - 3
roles/webserver/handlers/nginx.yml

@@ -1,5 +1,9 @@
-- name: Reload nginx
+- name: 'Reload nginx'
   shell: nginx -t && nginx -s reload
 
-- name: Restart nginx
-  service: name=nginx state=restarted
+- name: 'Restart nginx'
+  service:
+    name: 'nginx'
+    state: 'restarted'
+
+# vim: ft=yaml.ansible

+ 6 - 2
roles/webserver/handlers/php.yml

@@ -1,2 +1,6 @@
-- name: Reload rsyslog for php
-  service: name=rsyslog state=restarted
+- name: 'Reload rsyslog for php'
+  service:
+    name: 'rsyslog'
+    state: 'restarted'
+
+# vim: ft=yaml.ansible

+ 47 - 0
roles/webserver/tasks/apache2.yml

@@ -2,6 +2,9 @@
   apt:
     pkg: 'apache2'
     state: 'present'
+  tags:
+    - 'web'
+    - 'apache2'
 
 - name: 'Install logrotate configuration for Apache'
   template:
@@ -10,6 +13,9 @@
     owner: 'root'
     group: 'root'
     mode: '0644'
+  tags:
+    - 'web'
+    - 'apache2'
 
 - name: 'Install SSL vhost configuration for Apache'
   template:
@@ -22,6 +28,9 @@
   notify:
     - 'Reload apache2'
   when: ssl_certs
+  tags:
+    - 'web'
+    - 'apache2'
 
 - name: 'Install SSL vhost configuration for Apache (Lets Encrypt certificates)'
   template:
@@ -34,6 +43,9 @@
   notify:
     - 'Reload apache2'
   when: ssl_certs_auto
+  tags:
+    - 'web'
+    - 'apache2'
 
 - name: 'Install Apache2 basic security configuration (Debian < 8)'
   template:
@@ -45,6 +57,9 @@
   notify:
     - 'Reload apache2'
   when: ansible_lsb.major_release|int < 8
+  tags:
+    - 'web'
+    - 'apache2'
 
 - name: 'Install Apache2 basic security configuration (Debian >= 8)'
   template:
@@ -56,6 +71,9 @@
   notify:
     - 'Reload apache2'
   when: ansible_lsb.major_release|int >= 8
+  tags:
+    - 'web'
+    - 'apache2'
 
 - name: 'Install Lets Encrypt configuration for Apache2 (conf-available)'
   template:
@@ -67,6 +85,9 @@
   notify:
     - 'Reload apache2'
   when: ssl_certs_auto
+  tags:
+    - 'web'
+    - 'apache2'
 
 - name: 'Create basic authentication file for admin (Apache2)'
   template:
@@ -76,6 +97,9 @@
     group: 'www-data'
     mode: '0640'
   when: http_auth_admin_password is defined and http_auth_admin_password
+  tags:
+    - 'web'
+    - 'apache2'
 
 - name: 'Install PHPMyAdmin virtual host for Apache2 (sites-available)'
   template:
@@ -87,6 +111,9 @@
   notify:
     - 'Reload apache2'
   when: with_phpmyadmin
+  tags:
+    - 'web'
+    - 'apache2'
 
 - name: 'Install PHPMyAdmin virtual host for Apache2 (sites-enabled)'
   file:
@@ -96,6 +123,9 @@
   notify:
     - 'Reload apache2'
   when: with_phpmyadmin
+  tags:
+    - 'web'
+    - 'apache2'
 
 - name: "Install PHPPgAdmin virtual host for Apache2 (sites-available)"
   template:
@@ -107,6 +137,9 @@
   notify:
     - 'Reload apache2'
   when: with_phppgadmin
+  tags:
+    - 'web'
+    - 'apache2'
 
 - name: 'Install PHPPgAdmin virtual host for Apache2 (sites-enabled)'
   file:
@@ -116,6 +149,9 @@
   notify:
     - 'Reload apache2'
   when: with_phppgadmin
+  tags:
+    - 'web'
+    - 'apache2'
 
 - name: 'Install PHP system checks virtual host for Apache2 (sites-available)'
   template:
@@ -127,6 +163,9 @@
   notify:
     - 'Reload apache2'
   when: with_php
+  tags:
+    - 'web'
+    - 'apache2'
 
 - name: 'Install PHP system checks virtual host for Apache2 (sites-enabled)'
   file:
@@ -136,8 +175,16 @@
   notify:
     - 'Reload apache2'
   when: with_php
+  tags:
+    - 'web'
+    - 'apache2'
 
 - name: 'Ensure apache2 is running'
   service:
     name: 'apache2'
     state: 'started'
+  tags:
+    - 'web'
+    - 'apache2'
+
+# vim: ft=yaml.ansible

+ 11 - 6
roles/webserver/tasks/main.yml

@@ -1,12 +1,17 @@
 - include_tasks: apache2.yml
-  tags: [web,apache2]
   when: with_apache2
+  tags:
+    - 'web'
+    - 'apache2'
 - include_tasks: nginx.yml
-  tags: [web,nginx]
   when: with_nginx
+  tags:
+    - 'web'
+    - 'nginx'
 - include_tasks: php.yml
-  tags: [web,php]
   when: with_php
-- include_tasks: webstats.yml
-  tags: [web,webstats]
-  when: with_webstats
+  tags:
+    - 'web'
+    - 'php'
+
+# vim: ft=yaml.ansible
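Review bot: The `webstats.yml` include and its `when: with_webstats` condition are dropped here although the commit title only announces a refresh, so a host that sets `with_webstats` would silently stop getting those tasks. If the removal is intended, state it in the commit message and check that the variable is also removed from the role defaults, which this hunk does not show. Otherwise restore it as `- include_tasks: webstats.yml` with `when: with_webstats` and the `web`/`webstats` tags in the new block form.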

+ 56 - 0
roles/webserver/tasks/nginx.yml

@@ -2,6 +2,9 @@
   apt:
     pkg: 'nginx'
     state: 'present'
+  tags:
+    - 'web'
+    - 'nginx'
 
 - name: 'Install logrotate configuration for nginx'
   template:
@@ -10,6 +13,9 @@
     owner: 'root'
     group: 'root'
     mode: '0644'
+  tags:
+    - 'web'
+    - 'nginx'
 
 - name: 'Install nginx default file configuration'
   template:
@@ -20,6 +26,9 @@
     mode: '0644'
   notify:
     - 'Restart nginx'
+  tags:
+    - 'web'
+    - 'nginx'
 
 - name: 'Install custom mime types for nginx'
   template:
@@ -30,6 +39,9 @@
     mode: '0644'
   notify:
     - 'Restart nginx'
+  tags:
+    - 'web'
+    - 'nginx'
 
 - name: 'Install nginx configuration'
   template:
@@ -40,6 +52,9 @@
     mode: '0644'
   notify:
     - 'Restart nginx'
+  tags:
+    - 'web'
+    - 'nginx'
 
 - name: 'Install additional nginx configuration params (conf.d/)'
   template:
@@ -52,6 +67,9 @@
     - 'status'
   notify:
     - 'Reload nginx'
+  tags:
+    - 'web'
+    - 'nginx'
 
 - name: 'Install additional nginx configuration params (vhost_*)'
   template:
@@ -68,6 +86,9 @@
     - 'security'
   notify:
     - 'Reload nginx'
+  tags:
+    - 'web'
+    - 'nginx'
 
 - name: 'Install SSL vhost configuration for Nginx'
   template:
@@ -80,6 +101,9 @@
   notify:
     - 'Reload nginx'
   when: ssl_certs
+  tags:
+    - 'web'
+    - 'nginx'
 
 - name: 'Install SSL vhost configuration for Nginx (Lets Encrypt certificates)'
   template:
@@ -92,6 +116,9 @@
   notify:
     - 'Reload nginx'
   when: ssl_certs_auto
+  tags:
+    - 'web'
+    - 'nginx'
 
 - name: 'Install Let Encrypt configuration for Nginx'
   template:
@@ -103,6 +130,9 @@
   notify:
     - 'Reload nginx'
   when: ssl_certs_auto
+  tags:
+    - 'web'
+    - 'nginx'
 
 - name: 'Create basic authentication file for admin (Nginx)'
   template:
@@ -112,6 +142,9 @@
     group: 'www-data'
     mode: '0640'
   when: http_auth_admin_password is defined and http_auth_admin_password
+  tags:
+    - 'web'
+    - 'nginx'
 
 - name: 'Install PHPMyAdmin virtual host for nginx (sites-available)'
   template:
@@ -123,6 +156,9 @@
   notify:
     - 'Reload nginx'
   when: with_phpmyadmin
+  tags:
+    - 'web'
+    - 'nginx'
 
 - name: 'Install PHPMyAdmin virtual host for nginx (sites-enabled)'
   file:
@@ -132,6 +168,9 @@
   notify:
     - 'Reload nginx'
   when: with_phpmyadmin
+  tags:
+    - 'web'
+    - 'nginx'
 
 - name: 'Install PHPPgAdmin virtual host for nginx (sites-available)'
   template:
@@ -143,6 +182,9 @@
   notify:
     - 'Reload nginx'
   when: with_phppgadmin
+  tags:
+    - 'web'
+    - 'nginx'
 
 - name: 'Install PHPPgAdmin virtual host for nginx (sites-enabled)'
   file:
@@ -152,6 +194,9 @@
   notify:
     - 'Reload nginx'
   when: with_phppgadmin
+  tags:
+    - 'web'
+    - 'nginx'
 
 - name: 'Install PHP system checks virtual host for nginx (sites-available)'
   template:
@@ -163,6 +208,9 @@
   notify:
     - 'Reload nginx'
   when: with_php
+  tags:
+    - 'web'
+    - 'nginx'
 
 - name: 'Install PHP system checks virtual host for nginx (sites-enabled)'
   file:
@@ -172,8 +220,16 @@
   notify:
     - 'Reload nginx'
   when: with_php
+  tags:
+    - 'web'
+    - 'nginx'
 
 - name: 'Ensure nginx is running'
   service:
     name: 'nginx'
     state: 'started'
+  tags:
+    - 'web'
+    - 'nginx'
+
+# vim: ft=yaml.ansible

+ 111 - 17
roles/webserver/tasks/php.yml

@@ -12,6 +12,9 @@
     - 'php5-pgsql'
     - 'php5-sqlite'
   when: with_php and ansible_lsb.major_release|int <= 8
+  tags:
+    - 'web'
+    - 'php'
 
 - name: 'Install common PHP dependencies (Debian >= 9)'
   apt:
@@ -27,6 +30,9 @@
     - 'php{{ php_version }}-pgsql'
     - 'php{{ php_version }}-sqlite3'
   when: with_php and ansible_lsb.major_release|int >= 9
+  tags:
+    - 'web'
+    - 'php'
 
 - name: 'Create PHP log directory'
   file:
@@ -34,8 +40,11 @@
     state: directory
     owner: 'root'
     group: 'root'
-    mode: 0755
+    mode: '0755'
   when: with_fpm
+  tags:
+    - 'web'
+    - 'php'
 
 - name: 'Install PHP configuration for syslog'
   template:
@@ -43,13 +52,17 @@
     dest: '{{ item.dest }}'
     owner: 'root'
     group: 'root'
-    mode: 0644
+    mode: '0644'
   with_items:
     - { src: 'rsyslog/php-errors.conf.j2', dest: '/etc/rsyslog.d/php-errors.conf' }
     - { src: 'logrotate/php-errors.j2', dest: '/etc/logrotate.d/php-errors' }
   notify:
       - 'Reload rsyslog for php'
   when: with_fpm
+  tags:
+    - 'web'
+    - 'php'
+
 
 - name: 'Install local PHP configuration overrides for php5-cli (Debian 8)'
   template:
@@ -57,8 +70,11 @@
     dest: '/etc/php5/cli/conf.d/99-local-config.ini'
     owner: 'root'
     group: 'root'
-    mode: 0644
+    mode: '0644'
   when: with_php and ansible_lsb.major_release|int == 8
+  tags:
+    - 'web'
+    - 'php'
 
 - name: 'Install local PHP configuration overrides for php{{ php_version }}-cli (Debian >= 9)'
   template:
@@ -66,8 +82,11 @@
     dest: '/etc/php/{{php_version }}/cli/conf.d/99-local-config.ini'
     owner: 'root'
     group: 'root'
-    mode: 0644
+    mode: '0644'
   when: with_php and ansible_lsb.major_release|int >= 9
+  tags:
+    - 'web'
+    - 'php'
 
 - name: 'Install Apache2 module for php5'
   apt:
@@ -76,6 +95,9 @@
   notify:
       - 'Reload apache2'
   when: with_modphp5
+  tags:
+    - 'web'
+    - 'php'
 
 - name: 'Install Apache2 module for php{{ php_version }}'
   apt:
@@ -84,6 +106,9 @@
   notify:
       - 'Reload apache2'
   when: with_modphp
+  tags:
+    - 'web'
+    - 'php'
 
 - name: 'Install local PHP configuration (Debian < 8)'
   template:
@@ -91,10 +116,13 @@
     dest: '/etc/php5/conf.d/99-local-config.ini'
     owner: 'root'
     group: 'root'
-    mode: 0644
+    mode: '0644'
   notify:
       - 'Reload apache2'
   when: with_modphp5 and ansible_lsb.major_release|int < 8
+  tags:
+    - 'web'
+    - 'php'
 
 - name: 'Install local PHP configuration for Apache 2 (Debian 8)'
   template:
@@ -102,10 +130,13 @@
     dest: '/etc/php5/apache2/conf.d/99-local-config.ini'
     owner: 'root'
     group: 'root'
-    mode: 0644
+    mode: '0644'
   notify:
       - 'Reload apache2'
   when: with_modphp5 and ansible_lsb.major_release|int == 8
+  tags:
+    - 'web'
+    - 'php'
 
 - name: 'Install local PHP configuration for Apache 2 (Debian >= 9)'
   template:
@@ -113,10 +144,13 @@
     dest: '/etc/php/{{ php_version }}/apache2/conf.d/99-local-config.ini'
     owner: 'root'
     group: 'root'
-    mode: 0644
+    mode: '0644'
   notify:
       - 'Reload apache2'
   when: with_modphp and ansible_lsb.major_release|int >= 9
+  tags:
+    - 'web'
+    - 'php'
 
 - name: 'Create system checks directory /etc/phpsyscheck'
   file:
@@ -124,7 +158,10 @@
     state: 'directory'
     owner: 'root'
     group: 'root'
-    mode: 0755
+    mode: '0755'
+  tags:
+    - 'web'
+    - 'php'
 
 - name: 'Install phpinfo system check'
   template:
@@ -132,19 +169,25 @@
     dest: '/etc/phpsyscheck/index.php'
     owner: 'root'
     group: 'root'
-    mode: 0644
+    mode: '0644'
 
 - name: 'Install PHP APC extension (Debian <= 8)'
   apt:
     pkg: 'php-apc'
     state: 'present'
   when: with_php_apc and ansible_lsb.major_release|int <= 8
+  tags:
+    - 'web'
+    - 'php'
 
 - name: 'Install PHP APC extension (Debian >= 9)'
   apt:
     pkg: 'php-apcu'
     state: 'present'
   when: with_php_apc and ansible_lsb.major_release|int >= 9
+  tags:
+    - 'web'
+    - 'php'
 
 - name: 'Install php-apc system check'
   template:
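Review bot: 'Install phpinfo system check' gets its mode quoted here but no `tags:` block, unlike 'Create system checks directory /etc/phpsyscheck' in the previous hunk and the APC tasks below it. A run with `--tags php` would therefore create the directory and skip `index.php`. Add `tags:` with `- 'web'` and `- 'php'` to the task. The task also has no `when:`, and the file exposes phpinfo output, so confirm that the 'PHP system checks' virtual host template (not visible here) restricts access, for instance with the admin basic-auth file created in apache2.yml and nginx.yml. The 'Install php-apc system check' task at the end of the hunk continues outside it.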
@@ -152,44 +195,65 @@
     dest: '/etc/phpsyscheck/apc.php'
     owner: 'root'
     group: 'root'
-    mode: 0644
+    mode: '0644'
   when: with_php_apc
+  tags:
+    - 'web'
+    - 'php'
 
 - name: 'Install MySQL extension for PHP - native driver (Debian 8)'
   apt:
     pkg: 'php5-mysqlnd'
     state: 'present'
   when: not with_php_mysql_legacy and ansible_lsb.major_release|int == 8
+  tags:
+    - 'web'
+    - 'php'
 
 - name: 'Install MySQL extension for PHP (old driver)'
   apt:
     pkg: 'php5-mysql'
     state: 'present'
   when: with_php_mysql_legacy
+  tags:
+    - 'web'
+    - 'php'
 
 - name: 'Install PHPMyAdmin'
   apt:
     pkg: 'phpmyadmin'
     state: 'present'
   when: with_phpmyadmin
+  tags:
+    - 'web'
+    - 'php'
 
 - name: 'Install PHPPgAdmin'
   apt:
     pkg: 'phppgadmin'
     state: 'present'
   when: with_phppgadmin
+  tags:
+    - 'web'
+    - 'php'
 
 - name: 'Install FPM for PHP 5 (Debian <= 8)'
   apt:
     pkg: 'php5-fpm'
     state: 'present'
   when: with_fpm and ansible_lsb.major_release|int <= 8
+  tags:
+    - 'web'
+    - 'php'
 
 - name: 'Install FPM for PHP {{ php_version }} (Debian >= 9)'
   apt:
     pkg: 'php{{ php_version }}-fpm'
     state: 'present'
   when: with_fpm and ansible_lsb.major_release|int >= 9
+  tags:
+    - 'web'
+    - 'php'
 
 - name: 'Configure FPM for PHP 5 (Debian <= 8)'
   lineinfile:
@@ -208,6 +272,9 @@
   notify:
       - 'Reload FPM for PHP 5'
   when: with_fpm and ansible_lsb.major_release|int <= 8
+  tags:
+    - 'web'
+    - 'php'
 
 - name: 'Configure FPM for PHP {{ php_version }} (Debian >= 9)'
   lineinfile:
@@ -226,6 +293,9 @@
   notify:
       - 'Reload FPM for PHP'
   when: with_fpm and ansible_lsb.major_release|int >= 9
+  tags:
+    - 'web'
+    - 'php'
 
 - name: 'Install FPM pools configuration for PHP 5 (Debian <= 8)'
   template:
@@ -233,10 +303,13 @@
     dest: '/etc/php5/fpm/pool.d/local-pool.cnf'
     owner: 'root'
     group: 'root'
-    mode: 0644
+    mode: '0644'
   notify:
       - 'Reload FPM for PHP 5'
   when: with_fpm and ansible_lsb.major_release|int <= 8
+  tags:
+    - 'web'
+    - 'php'
 
 - name: 'Install FPM pools configuration for PHP {{ php_version }} (Debian > 9)'
   template:
@@ -244,10 +317,13 @@
     dest: '/etc/php/{{ php_version }}/fpm/pool.d/local-pool.cnf'
     owner: 'root'
     group: 'root'
-    mode: 0644
+    mode: '0644'
   notify:
       - 'Reload FPM for PHP'
   when: with_fpm and ansible_lsb.major_release|int >= 9
+  tags:
+    - 'web'
+    - 'php'
 
 - name: 'Install local PHP configuration overrides for php5-fpm (Debian 8)'
   template:
@@ -255,8 +331,11 @@
     dest: '/etc/php5/fpm/conf.d/99-local-config.ini'
     owner: 'root'
     group: 'root'
-    mode: 0644
+    mode: '0644'
   when: with_fpm and ansible_lsb.major_release|int == 8
+  tags:
+    - 'web'
+    - 'php'
 
 - name: 'Install local PHP configuration overrides for php{{ php_version }}-fpm (Debian >= 9)'
   template:
@@ -264,8 +343,11 @@
     dest: '/etc/php/{{ php_version }}/fpm/conf.d/99-local-config.ini'
     owner: 'root'
     group: 'root'
-    mode: 0644
+    mode: '0644'
   when: with_fpm and ansible_lsb.major_release|int >= 9
+  tags:
+    - 'web'
+    - 'php'
 
 - name: 'Install Nginx config files for PHP FPM (fpm servers pool)'
   template:
@@ -273,10 +355,13 @@
     dest: '/etc/nginx/conf.d/fpm-pool.conf'
     owner: 'root'
     group: 'root'
-    mode: 0644
+    mode: '0644'
   notify:
       - 'Reload nginx'
   when: with_fpm and with_nginx
+  tags:
+    - 'web'
+    - 'php'
 
 - name: 'Install Nginx config files for PHP FPM (fpm fastcgi config)'
   template:
@@ -284,21 +369,30 @@
     dest: '/etc/nginx/fastcgi_pass_fpm'
     owner: 'root'
     group: 'root'
-    mode: 0644
+    mode: '0644'
   notify:
       - 'Reload nginx'
   when: with_fpm and with_nginx
+  tags:
+    - 'web'
+    - 'php'
 
 - name: 'Ensure FPM for PHP 5 is running (Debian <= 8)'
   service:
     name: 'php5-fpm'
     state: 'started'
   when: with_fpm and ansible_lsb.major_release|int <= 8
+  tags:
+    - 'web'
+    - 'php'
 
 - name: 'Ensure FPM for PHP {{ php_version }} is running (Debian >= 9)'
   service:
     name: 'php{{ php_version }}-fpm'
     state: 'started'
   when: with_fpm and ansible_lsb.major_release|int >= 9
+  tags:
+    - 'web'
+    - 'php'
 
-# vim: ft=ansible
+# vim: ft=yaml.ansible