
Add various fixes to make roles compatibles with ansible >= 2.8

Emmanuel Bouthenot 4 years ago
parent
commit
90111b84bc
37 changed files with 318 additions and 314 deletions
  1. 22 12
      ansible.cfg
  2. 10 10
      roles/common/defaults/main.yml
  3. 35 37
      roles/common/tasks/base.yml
  4. 3 4
      roles/common/tasks/dkim.yml
  5. 7 9
      roles/common/tasks/dns.yml
  6. 1 1
      roles/common/tasks/dotfiles.yml
  7. 3 4
      roles/common/tasks/firewall.yml
  8. 6 6
      roles/common/tasks/main.yml
  9. 26 27
      roles/common/tasks/security.yml
  10. 2 1
      roles/common/tasks/smartd.yml
  11. 13 14
      roles/common/tasks/smtp.yml
  12. 7 8
      roles/common/tasks/ssh.yml
  13. 18 18
      roles/common/tasks/ssl.yml
  14. 1 1
      roles/common/templates/dns/resolv.conf.j2
  15. 3 3
      roles/common/templates/postfix/main.cf.j2
  16. 1 1
      roles/common/templates/ssl/letsencrypt_domains.j2
  17. 2 2
      roles/dbserver/tasks/main.yml
  18. 14 15
      roles/dbserver/tasks/mysql.yml
  19. 6 6
      roles/dbserver/tasks/postgresql.yml
  20. 1 1
      roles/ftpserver/defaults/main.yml
  21. 2 2
      roles/ftpserver/tasks/main.yml
  22. 7 8
      roles/ftpserver/tasks/pure-ftpd.yml
  23. 5 6
      roles/hypervisor/tasks/ganeti.yml
  24. 2 2
      roles/hypervisor/tasks/main.yml
  25. 5 6
      roles/hypervisor/tasks/xen.yml
  26. 1 1
      roles/monitoring/defaults/main.yml
  27. 2 2
      roles/monitoring/tasks/main.yml
  28. 4 5
      roles/monitoring/tasks/zabbix.yml
  29. 1 1
      roles/rsyncserver/tasks/main.yml
  30. 2 3
      roles/rsyncserver/tasks/rsyncd.yml
  31. 10 9
      roles/webserver/tasks/apache2.yml
  32. 3 3
      roles/webserver/tasks/main.yml
  33. 10 9
      roles/webserver/tasks/nginx.yml
  34. 78 72
      roles/webserver/tasks/php.yml
  35. 1 1
      roles/webserver/templates/apache2/pga_vhost.j2
  36. 2 2
      roles/webserver/templates/apache2/pma_vhost.j2
  37. 2 2
      roles/webserver/templates/apache2/sys_vhost.j2

+ 22 - 12
ansible.cfg

@@ -55,6 +55,15 @@ gathering = smart
 # environment.
 # gather_timeout = 10
 
+# Ansible facts are available inside the ansible_facts.* dictionary
+# namespace. This setting maintains the behaviour which was the default prior
+# to 2.5, duplicating these variables into the main namespace, each with a
+# prefix of 'ansible_'.
+# This variable is set to True by default for backwards compatibility. It
+# will be changed to a default of 'False' in a future release.
+# ansible_facts.
+# inject_facts_as_vars = True
+
 # additional paths to search for roles in, colon separated
 #roles_path    = /etc/ansible/roles
 
@@ -181,6 +190,7 @@ display_skipped_hosts = False
 
 # set plugin path directories here, separate with colons
 #action_plugins     = /usr/share/ansible/plugins/action
+#become_plugins     = /usr/share/ansible/plugins/become
 #cache_plugins      = /usr/share/ansible/plugins/cache
 #callback_plugins   = /usr/share/ansible/plugins/callback
 #connection_plugins = /usr/share/ansible/plugins/connection
@@ -233,10 +243,17 @@ nocows = 1
 # current IP information.
 #fact_caching = memory
 
+#This option tells Ansible where to cache facts. The value is plugin dependent.
+#For the jsonfile plugin, it should be a path to a local directory.
+#For the redis plugin, the value is a host:port:database triplet: fact_caching_connection = localhost:6379:0
+
+#fact_caching_connection=/tmp
+
+
 
 # retry files
-# When a playbook fails by default a .retry file will be created in ~/
-# You can disable this feature by setting retry_files_enabled to False
+# When a playbook fails a .retry file can be created that will be placed in ~/
+# You can enable this feature by setting retry_files_enabled to True
 # and you can change the location of the files by setting retry_files_save_path
 
 #retry_files_enabled = False
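Review bot: The commented example `#fact_caching_connection=/tmp` points the fact cache at a world-writable directory, and anyone who uncomments it for the jsonfile plugin inherits that choice. Cached facts are read back and trusted on later runs, so other local users on the control node should not be able to pre-create or modify them. I would change the example to a per-user path (for example `#fact_caching_connection = ~/.ansible/fact_cache`, a constructed value) and add a one-line comment that the directory must be writable only by the user running Ansible. The three new comment lines also lack the space after `#` that the rest of the file uses.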
@@ -309,7 +326,7 @@ module_compression = 'ZIP_DEFLATED'
 #any_errors_fatal = False
 
 [inventory]
-# enable inventory plugins, default: 'host_list', 'script', 'yaml', 'ini'
+# enable inventory plugins, default: 'host_list', 'script', 'auto', 'yaml', 'ini', 'toml'
 #enable_plugins = host_list, virtualbox, yaml, constructed
 
 # ignore these extensions when parsing a directory as inventory source
@@ -368,7 +385,7 @@ ssh_args = -C -o ControlMaster=auto -o ControlPersist=60s -o ForwardAgent=yes
 
 # The path to use for the ControlPath sockets. This defaults to a hashed string of the hostname,
 # port and username (empty string in the config). The hash mitigates a common problem users
-# found with long hostames and the conventional %(directory)s/ansible-ssh-%%h-%%p-%%r format.
+# found with long hostnames and the conventional %(directory)s/ansible-ssh-%%h-%%p-%%r format.
 # In those cases, a "too long for Unix domain socket" ssh error would occur.
 #
 # Example:
@@ -406,7 +423,7 @@ pipelining = True
 
 # The -tt argument is passed to ssh when pipelining is not enabled because sudo 
 # requires a tty by default. 
-#use_tty = True
+#usetty = True
 
 # Number of times to retry an SSH connection to a host, in case of UNREACHABLE.
 # For each retry attempt, there is an exponential backoff,
@@ -421,13 +438,6 @@ pipelining = True
 # expires, the connection is shutdown. The default value is 30 seconds.
 connect_timeout = 30
 
-# Configures the persistent connection retry timeout.  This value configures the
-# the retry timeout that ansible-connection will wait to connect
-# to the local domain socket. This value must be larger than the
-# ssh timeout (timeout) and less than persistent connection idle timeout (connect_timeout).
-# The default value is 15 seconds.
-connect_retry_timeout = 30
-
 # The command timeout value defines the amount of time to wait for a command
 # or RPC call before timing out. The value for the command timeout must
 # be less than the value of the persistent connection idle timeout (connect_timeout)

+ 10 - 10
roles/common/defaults/main.yml

@@ -4,7 +4,7 @@
 
 ansible_master: 'root@localhost'
 
-admins: Null
+admins: []
 admins_emails:
   - 'root@localhost'
 
@@ -15,21 +15,21 @@ timezone_city: 'Paris'
 with_hosts: False
 with_hostsdeny: False
 hosts_fqdn: True
-hosts_static_lookup: Null
+hosts_static_lookup: []
 
 ipv6_disabled: False
 
 debian_mirror: 'http://httpredir.debian.org/debian'
 
-apt_keys: Null
-apt_repositories: Null
-apt_additional_packages: Null
+apt_keys: []
+apt_repositories: []
+apt_additional_packages: []
 
 hosts_deny_nfs: False
 host_deny_paranoid: False
 
 with_auto_upgrade: False
-auto_upgrade_additional_patterns: Null
+auto_upgrade_additional_patterns: []
 
 with_logcheck: False
 with_rkhunter: False
@@ -65,7 +65,7 @@ ssh_strengthened: True
 ssh_ports:
   - 22
 ssh_usedns: True
-ssh_allowed_users: Null
+ssh_allowed_users: []
 ssh_allowed_groups:
   - 'root'
   - 'operator'
@@ -80,10 +80,10 @@ dotfiles_repo: 'https://git.openics.org/kolter/dotfiles-sys.git'
 dotfiles_dest: '/srv/hosting-tools/shell'
 dotfiles_lcsshvars: 0
 
-ssl_certs: Null
-ssl_certs_auto: Null
+ssl_certs: []
+ssl_certs_auto: []
 
-dkim_domains: Null
+dkim_domains: []
 with_opendkim: False
 
 # vim: ft=yaml.ansible

+ 35 - 37
roles/common/tasks/base.yml

@@ -5,7 +5,7 @@
     owner: 'root'
     group: 'root'
     mode: '0644'
-  when: with_hosts
+  when: with_hosts|bool
   tags:
     - 'base'
 
@@ -16,7 +16,7 @@
     owner: 'root'
     group: 'root'
     mode: '0644'
-  when: with_hostsdeny
+  when: with_hostsdeny|bool
   tags:
     - 'base'
 
@@ -58,7 +58,7 @@
     url: '{{ item.url }}'
     state: 'present'
   with_items: '{{ apt_keys }}'
-  when: apt_keys
+  when: apt_keys|length > 0
   tags:
     - 'base'
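Review bot: `apt_keys|length > 0` raises a template error when the variable is null, whereas the old `when: apt_keys` simply evaluated to false. Any inventory or group_vars that still overrides these variables with `Null` (the role default until this commit) will now fail the play instead of skipping the task. The same applies to the other `|length > 0` tests added in this file (`apt_repositories`, `apt_additional_packages`, `admins`) and in the ssl, zabbix and main task files. `when: apt_keys|default([], true)|length > 0` keeps the old tolerance. The task this condition belongs to starts above the hunk.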
 
@@ -67,49 +67,47 @@
     repo: 'deb {{ item.uri }} {{ ansible_lsb.codename }} {{ item.sections }}'
     state: 'present'
   with_items: '{{ apt_repositories }}'
-  when: apt_repositories
+  when: apt_repositories|length > 0
   tags:
     - 'base'
 
 - name: 'Install base packages'
   apt:
-    pkg: '{{ item }}'
+    pkg:
+      - 'apt-transport-https'
+      - 'apticron'
+      - 'locales-all'
+      - 'locales'
+      - 'lsb-release'
+      - 'facter'
+      - 'zsh'
+      - 'git-core'
+      - 'tig'
+      - 'vim-nox'
+      - 'ccze'
+      - 'tree'
+      - 'pydf'
+      - 'htop'
+      - 'sudo'
+      - 'sysfsutils'
+      - 'tmux'
+      - 'rsync'
+      - 'ca-certificates'
+      - 'sysstat'
+      - 'etckeeper'
+      - 'sharutils'
+      - 'ncdu'
     install_recommends: 'no'
     state: 'present'
-  with_items:
-    - 'apt-transport-https'
-    - 'apticron'
-    - 'locales-all'
-    - 'locales'
-    - 'lsb-release'
-    - 'facter'
-    - 'zsh'
-    - 'git-core'
-    - 'tig'
-    - 'vim-nox'
-    - 'ccze'
-    - 'tree'
-    - 'pydf'
-    - 'htop'
-    - 'sudo'
-    - 'sysfsutils'
-    - 'tmux'
-    - 'rsync'
-    - 'ca-certificates'
-    - 'sysstat'
-    - 'etckeeper'
-    - 'sharutils'
-    - 'ncdu'
   tags:
     - 'base'
 
 - name: 'Install additional packages'
   apt:
-    pkg: '{{ item }}'
+    pkg: '{{ apt_additional_packages }}'
     install_recommends: 'no'
     state: 'present'
-  with_items: '{{ apt_additional_packages }}'
-  when: apt_additional_packages
+  when: apt_additional_packages|length > 0
   tags:
     - 'base'
 
@@ -118,14 +116,14 @@
     pkg: 'ntp'
     install_recommends: 'no'
     state: 'present'
-  when: with_ntp
+  when: with_ntp|bool
   tags:
     - 'base'
 
 - name: 'Configure default locale ({{ locale }})'
   command: update-locale 'LANG={{ locale }}'
   changed_when: False
-  when: locale is defined and locale != ''
+  when: locale is defined and locale|length > 0
   tags:
     - 'base'
 
@@ -226,7 +224,7 @@
     shell: '/bin/zsh'
     state: 'present'
   with_items: '{{ admins }}'
-  when: admins
+  when: admins|length > 0
   tags:
     - 'base'
 
@@ -236,7 +234,7 @@
     key: "{{ lookup('file', 'data/users/' + item.user + '/sshkey.pub') }}"
     state: 'present'
   with_items: '{{ admins }}'
-  when: admins
+  when: admins|length > 0
   tags:
     - 'base'
 
@@ -246,7 +244,7 @@
     key: "{{ lookup('file', 'data/users/' + item.user + '/sshkey.pub') }}"
     state: 'present'
   with_items: '{{ admins }}'
-  when: admins
+  when: admins|length > 0
   tags:
     - 'base'
 

+ 3 - 4
roles/common/tasks/dkim.yml

@@ -1,10 +1,9 @@
 - name: 'Install opendkim packages'
   apt:
-    pkg: '{{ item }}'
+    pkg:
+      - 'opendkim'
     install_recommends: 'no'
     state: 'present'
-  with_items:
-    - 'opendkim'
   tags:
     - 'dkim'
 
@@ -68,7 +67,7 @@
 
 - name: 'Install DKIM private keys'
   copy:
-    content: "{{lookup('file', 'data/dkim/' + item + '.pem')}}"
+    content: "{{ lookup('file', 'data/dkim/' + item + '.pem') }}"
     dest: '/etc/opendkim/{{ item }}_default.pem'
     owner: 'root'
     group: 'opendkim'

+ 7 - 9
roles/common/tasks/dns.yml

@@ -1,21 +1,19 @@
 - name: 'Remove bind9 (not a suitable dnscache) packages'
   apt:
-    pkg: '{{ item }}'
+    pkg:
+      - 'bind9'
     state: 'absent'
     purge: 'yes'
-  with_items:
-    - 'bind9'
-  when: with_dnscache
+  when: with_dnscache|bool
   tags:
     - 'dns'
 
 - name: 'Install unbound (dnscache) packages'
   apt:
-    pkg: '{{ item }}'
+    pkg:
+      - 'unbound'
     state: 'present'
-  with_items:
-    - 'unbound'
-  when: with_dnscache
+  when: with_dnscache|bool
   tags:
     - 'dns'
 
@@ -26,7 +24,7 @@
     owner: 'root'
     group: 'root'
     mode: '0644'
-  when: with_dnscache or (nameservers is defined and nameservers)
+  when: with_dnscache|bool or (nameservers is defined and nameservers|length > 0)
   tags:
     - 'dns'
 

+ 1 - 1
roles/common/tasks/dotfiles.yml

@@ -13,7 +13,7 @@
   lineinfile:
     dest: '/etc/zsh/zshrc'
     regexp: 'source {{ dotfiles_dest }}'
-    line: '[[ -f {{ dotfiles_dest }}/zsh/zshrc ]] && export LC_SSH_VARS={{ dotfiles_lcsshvars}} && source {{ dotfiles_dest }}/zsh/zshrc'
+    line: '[[ -f {{ dotfiles_dest }}/zsh/zshrc ]] && export LC_SSH_VARS={{ dotfiles_lcsshvars }} && source {{ dotfiles_dest }}/zsh/zshrc'
   tags:
     - 'base'
     - 'dotfiles'

+ 3 - 4
roles/common/tasks/firewall.yml

@@ -1,10 +1,9 @@
 - name: 'Install firewall package (ferm)'
   apt:
-    pkg: '{{ item }}'
+    pkg:
+      - 'linux-image-{{ facter_architecture }}'
+      - 'ferm'
     state: 'present'
-  with_items:
-    - 'linux-image-{{ facter_architecture }}'
-    - 'ferm'
   tags:
     - 'firewall'
 

+ 6 - 6
roles/common/tasks/main.yml

@@ -3,18 +3,18 @@
     - 'base'
     - 'ipv6'
 - include_tasks: dotfiles.yml
-  when: with_dotfiles
+  when: with_dotfiles|bool
   tags:
     - 'base'
 - include_tasks: ssl.yml
-  when: ssl_certs or ssl_certs_auto
+  when: ssl_certs|length > 0 or ssl_certs_auto|length > 0
   tags:
     - 'ssl'
 - include_tasks: dns.yml
   tags:
     - 'dns'
 - include_tasks: firewall.yml
-  when: with_firewall
+  when: with_firewall|bool
   tags:
     - 'firewall'
 - include_tasks: security.yml
@@ -22,18 +22,18 @@
     - 'security'
     - 'logcheck'
 - include_tasks: smtp.yml
-  when: with_postfix or with_mail_aliases
+  when: with_postfix|bool or with_mail_aliases|bool
   tags:
     - 'smtp'
 - include_tasks: dkim.yml
-  when: with_opendkim
+  when: with_opendkim|bool
   tags:
     - 'dkim'
 - include_tasks: ssh.yml
   tags:
     - 'ssh'
 - include_tasks: smartd.yml
-  when: with_smartd
+  when: with_smartd|bool
   tags:
     - 'smartd'
 

+ 26 - 27
roles/common/tasks/security.yml

@@ -1,8 +1,9 @@
 - name: 'Install auto upgrades package'
   apt:
-    pkg: 'unattended-upgrades'
+    pkg:
+      - 'unattended-upgrades'
     state: 'present'
-  when: with_auto_upgrade
+  when: with_auto_upgrade|bool
   tags:
     - 'security'
 
@@ -14,7 +15,7 @@
     vtype: 'boolean'
   notify:
     - 'Reconfigure unattended-upgrades'
-  when: with_auto_upgrade
+  when: with_auto_upgrade|bool
   tags:
     - 'security'
 
@@ -28,18 +29,17 @@
   with_first_found:
     - 'apt/auto-upgrades.{{ ansible_lsb.codename }}.j2'
     - 'apt/auto-upgrades.j2'
-  when: with_auto_upgrade
+  when: with_auto_upgrade|bool
   tags:
     - 'security'
 
 - name: 'Install logcheck packages'
   apt:
-    pkg: '{{ item }}'
+    pkg:
+      - 'logcheck'
+      - 'logcheck-database'
     state: 'present'
-  with_items:
-    - 'logcheck'
-    - 'logcheck-database'
-  when: with_logcheck
+  when: with_logcheck|bool
   tags:
     - 'security'
 
@@ -88,7 +88,7 @@
     - 'sympa'
     - 'systemd'
     - 'zabbix-agentd'
-  when: with_logcheck
+  when: with_logcheck|bool
   tags:
     - 'security'
     - 'logcheck'
@@ -100,36 +100,35 @@
     owner: 'root'
     group: 'root'
     mode: '0644'
-  when: with_logcheck
+  when: with_logcheck|bool
   tags:
     - 'security'
     - 'logcheck'
 
 - name: 'Install rkhunter related packages'
   apt:
-    pkg: '{{ item }}'
+    pkg:
+      - 'lsof'
+      - 'unhide'
+      - 'rkhunter'
     state: 'present'
-  with_items:
-    - 'lsof'
-    - 'unhide'
-    - 'rkhunter'
-  when: with_rkhunter
+  when: with_rkhunter|bool
   tags:
     - 'security'
 
 - name: 'Reconfigure rkhunter package'
   debconf:
-    name: '{{item.name}}'
-    question: '{{item.question}}'
-    value: '{{item.value}}'
-    vtype: '{{item.vtype}}'
+    name: '{{ item.name }}'
+    question: '{{ item.question }}'
+    value: '{{ item.value }}'
+    vtype: '{{ item.vtype }}'
   with_items:
     - { name: 'rkhunter', question: 'rkhunter/apt_autogen', value: 'true', vtype: 'boolean' }
     - { name: 'rkhunter', question: 'rkhunter/cron_daily_run', value: 'true', vtype: 'boolean' }
     - { name: 'rkhunter', question: 'rkhunter/cron_db_update', value: 'true', vtype: 'boolean' }
   notify:
     - 'Reconfigure rkhunter'
-  when: with_rkhunter
+  when: with_rkhunter|bool
   tags:
     - 'security'
 
@@ -140,13 +139,13 @@
     owner: 'root'
     group: 'root'
     mode: '0644'
-  when: with_rkhunter
+  when: with_rkhunter|bool
   tags:
     - 'security'
 
 - name: 'Update chkrootkit configuration'
   template: src=chkrootkit/chkrootkit.conf.j2 dest=/etc/chkrootkit.conf owner=root group=root mode=0644
-  when: with_chkrootkit
+  when: with_chkrootkit|bool
   tags:
     - 'security'
 
@@ -158,7 +157,7 @@
     backrefs: 'yes'
   notify:
       - 'Remount /proc'
-  when: with_hideproc and hideproc_gid == ''
+  when: with_hideproc|bool and hideproc_gid|length == 0
   tags:
     - 'security'
 
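Review bot: `hideproc_gid|length` only works when the value is a string; a numeric gid written unquoted in vars (`hideproc_gid: 1001`, a constructed example) makes the filter fail with a type error, while the previous `== ''` comparison accepted it. The variable's default is not visible in this diff, so check it against the role defaults. Casting first, `when: with_hideproc|bool and hideproc_gid|string|length == 0`, avoids the failure, and the same cast applies to the `> 0` test in the next hunk. If either task errors out, the `hidepid=2` option is never written to /etc/fstab, so this failure mode disables a hardening step.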
@@ -166,11 +165,11 @@
   lineinfile:
     dest: '/etc/fstab'
     regexp: '(^proc\s+/proc\s+proc\s+)(\S+)(\s+[0-9]\s+[0-9])\s*$'
-    line: '\1defaults,hidepid=2,gid={{hideproc_gid}}\3'
+    line: '\1defaults,hidepid=2,gid={{ hideproc_gid }}\3'
     backrefs: 'yes'
   notify:
       - 'Remount /proc'
-  when: with_hideproc and hideproc_gid != ''
+  when: with_hideproc|bool and hideproc_gid|length > 0
   tags:
     - 'security'
 

+ 2 - 1
roles/common/tasks/smartd.yml

@@ -1,6 +1,7 @@
 - name: 'Install smartmontools package'
   apt:
-    pkg: 'smartmontools'
+    pkg:
+      - 'smartmontools'
     state: 'present'
   tags:
     - 'smartd'

+ 13 - 14
roles/common/tasks/smtp.yml

@@ -1,14 +1,13 @@
 - name: 'Install Postfix packages'
   apt:
-    pkg: '{{ item }}'
+    pkg:
+      - 'postfix'
+      - 'ca-certificates'
+      - 'procmail'
+      - 'libsasl2-modules'
     install_recommends: 'no'
     state: 'present'
-  with_items:
-    - 'postfix'
-    - 'ca-certificates'
-    - 'procmail'
-    - 'libsasl2-modules'
-  when: with_postfix
+  when: with_postfix|bool
   tags:
     - 'smtp'
 
@@ -21,7 +20,7 @@
     mode: '0644'
   notify:
     - 'Regenerate aliases cache'
-  when: with_mail_aliases
+  when: with_mail_aliases|bool
   tags:
     - 'smtp'
 
@@ -34,7 +33,7 @@
     mode: '0644'
   notify:
     - 'Reload Postfix'
-  when: with_postfix
+  when: with_postfix|bool
   tags:
     - 'smtp'
 
@@ -48,7 +47,7 @@
             -o slowsmtp_destination_rate_delay=1
   notify:
     - 'Reload Postfix'
-  when: with_postfix_slowsmtp
+  when: with_postfix_slowsmtp|bool
   tags:
     - 'smtp'
 
@@ -62,7 +61,7 @@
   notify:
     - 'Rehash slowsmtp transport map'
     - 'Reload Postfix'
-  when: with_postfix_slowsmtp
+  when: with_postfix_slowsmtp|bool
   tags:
     - 'smtp'
 
@@ -76,7 +75,7 @@
   notify:
     - 'Rehash SASL sender relay map'
     - 'Reload Postfix'
-  when: with_postfix_external_smtp
+  when: with_postfix_external_smtp|bool
   tags:
     - 'smtp'
 
@@ -90,7 +89,7 @@
   notify:
     - 'Rehash SASL credentials map'
     - 'Reload Postfix'
-  when: with_postfix_external_smtp
+  when: with_postfix_external_smtp|bool
   tags:
     - 'smtp'
 
@@ -103,7 +102,7 @@
     mode: '0600'
   notify:
     - 'Reload Postfix'
-  when: with_postfix_external_smtp and postfix_external_sender_rewrites
+  when: with_postfix_external_smtp|bool and postfix_external_sender_rewrites
   tags:
     - 'smtp'
 
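Review bot: `postfix_external_sender_rewrites` is still tested by bare truthiness here; only `with_postfix_external_smtp` received the `|bool` cast. Its type is not visible in this hunk: if it is a list or mapping, `postfix_external_sender_rewrites|length > 0` would match the convention used in the rest of the commit, and if it is a flag it needs `|bool`, because a string such as 'False' is truthy inside a compound expression. The task starts above the hunk.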

+ 7 - 8
roles/common/tasks/ssh.yml

@@ -1,11 +1,10 @@
 - name: "Install ssh packages"
   apt:
-    pkg: '{{ item }}'
+    pkg:
+     - 'openssh-server'
+     - 'openssh-client'
     state: 'present'
-  with_items:
-    - 'openssh-server'
-    - 'openssh-client'
-  when: with_ssh
+  when: with_ssh|bool
   tags:
     - 'ssh'
 
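Review bot: The two list items under `pkg:` are indented with five spaces, while every other `pkg:` list added by this commit uses six. It is still valid YAML, but it breaks the two-space stepping used in the rest of the roles and a linter will flag it; indent `- 'openssh-server'` and `- 'openssh-client'` by one more space.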
@@ -18,7 +17,7 @@
     mode: 0644
   notify:
     - Restart ssh
-  when: with_ssh and ansible_lsb.major_release|int <= 8
+  when: with_ssh|bool and ansible_lsb.major_release|int <= 8
   tags:
     - 'ssh'
 
@@ -31,7 +30,7 @@
     mode: 0644
   notify:
     - Restart ssh
-  when: with_ssh and ansible_lsb.major_release|int >= 9
+  when: with_ssh|bool and ansible_lsb.major_release|int >= 9
   tags:
     - 'ssh'
 
@@ -39,7 +38,7 @@
   service:
     name: 'ssh'
     state: 'started'
-  when: with_ssh
+  when: with_ssh|bool
   tags:
     - 'ssh'
 

+ 18 - 18
roles/common/tasks/ssl.yml

@@ -6,46 +6,46 @@
     group: 'root'
     mode: '0755'
   with_items: '{{ ssl_certs }}'
-  when: ssl_certs
+  when: ssl_certs|length > 0
   tags:
     - 'ssl'
 
 - name: 'Install ssl certificates (certificate)'
   copy:
-    content: "{{lookup('file', 'data/ssl/' + item + '/' + item + '.crt')}}"
+    content: "{{ lookup('file', 'data/ssl/' + item + '/' + item + '.crt') }}"
     dest: '/etc/ssl/local/certs/{{ item }}/cert.pem'
     owner: 'root'
     group: 'root'
     mode: '0640'
   register: ssl_cert_result
   with_items: '{{ ssl_certs }}'
-  when: ssl_certs
+  when: ssl_certs|length > 0
   tags:
     - 'ssl'
 
 - name: 'Install ssl certificates (private key)'
   copy:
-    content: "{{lookup('file', 'data/ssl/' + item + '/' + item + '.key')}}"
+    content: "{{ lookup('file', 'data/ssl/' + item + '/' + item + '.key') }}"
     dest: '/etc/ssl/local/certs/{{ item }}/privkey.pem'
     owner: 'root'
     group: 'root'
     mode: '0640'
   register: ssl_key_result
   with_items: '{{ ssl_certs }}'
-  when: ssl_certs
+  when: ssl_certs|length > 0
   tags:
     - 'ssl'
 
 - name: 'Install ssl certificates (chain)'
   copy:
-    content: "{{lookup('file', 'data/ssl/' + item + '/bundle.crt')}}"
+    content: "{{ lookup('file', 'data/ssl/' + item + '/bundle.crt') }}"
     dest: '/etc/ssl/local/certs/{{ item }}/chain.pem'
     owner: 'root'
     group: 'root'
     mode: '0644'
   register: ssl_chain_result
   with_items: '{{ ssl_certs }}'
-  when: ssl_certs
+  when: ssl_certs|length > 0
   tags:
     - 'ssl'
 
@@ -54,7 +54,7 @@
     path: '/etc/ssl/local/certs/{{ item }}/fullchain.pem'
   with_items: '{{ ssl_certs }}'
   register: ssl_fullchain_stats
-  when: ssl_certs
+  when: ssl_certs|length > 0
   tags:
     - 'ssl'
 
@@ -63,21 +63,21 @@
     path: '/etc/ssl/local/certs/{{ item }}/bundle.pem'
   with_items: '{{ ssl_certs }}'
   register: ssl_bundle_stats
-  when: ssl_certs
+  when: ssl_certs|length > 0
   tags:
     - 'ssl'
 
 - name: 'Create ssl certificates full chain (certificate + chain)'
   shell: sed '/^\s*$/d' '/etc/ssl/local/certs/{{ item.item }}/cert.pem' '/etc/ssl/local/certs/{{ item.item }}/chain.pem' > '/etc/ssl/local/certs/{{ item.item }}/fullchain.pem'
   with_items: '{{ ssl_fullchain_stats.results }}'
-  when: ssl_certs and (not item.stat.exists or ssl_cert_result is changed or ssl_chain_result is changed)
+  when: ssl_certs|length > 0 and (not item.stat.exists or ssl_cert_result is changed or ssl_chain_result is changed)
   tags:
     - 'ssl'
 
 - name: 'Create ssl certificates bundle (key + certificate + bundle)'
   shell: sed '/^\s*$/d' '/etc/ssl/local/certs/{{ item.item }}/privkey.pem' '/etc/ssl/local/certs/{{ item.item }}/cert.pem' '/etc/ssl/local/certs/{{ item.item }}/chain.pem' > '/etc/ssl/local/certs/{{ item.item }}/bundle.pem'
   with_items: '{{ ssl_bundle_stats.results }}'
-  when: ssl_certs and (not item.stat.exists or ssl_key_result is changed or ssl_cert_result is changed or ssl_chain_result is changed)
+  when: ssl_certs|length > 0 and (not item.stat.exists or ssl_key_result is changed or ssl_cert_result is changed or ssl_chain_result is changed)
   tags:
     - 'ssl'
 
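Review bot: The 'Create ssl certificates bundle' task writes `privkey.pem` into `bundle.pem` through a shell redirect, so the new file gets whatever mode root's umask yields, which is commonly world-readable. The private key itself is installed with `mode: '0640'` by the private-key task earlier in this file. No later task that tightens the bundle's mode is visible in this diff, so I would add a follow-up `file:` task that pins owner, group and mode on each bundle, as sketched below. Separately, `ssl_cert_result is changed` is tested on the registered result of a loop, so it appears to be true for every certificate once any one of them changed; that only causes extra regeneration.

```yaml
# … unchanged: 'Create ssl certificates bundle (key + certificate + bundle)' task …

- name: 'Restrict permissions on ssl certificates bundle'
  file:
    path: '/etc/ssl/local/certs/{{ item }}/bundle.pem'
    owner: 'root'
    group: 'root'
    mode: '0640'
  with_items: '{{ ssl_certs }}'
  tags:
    - 'ssl'
```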
@@ -86,7 +86,7 @@
     pkg: 'dehydrated'
     state: 'present'
     default_release: '{{ ansible_lsb.codename }}'
-  when: ssl_certs_auto and ansible_lsb.major_release|int != 9
+  when: ssl_certs_auto|length > 0 and ansible_lsb.major_release|int != 9
   tags:
     - 'ssl'
 
@@ -95,7 +95,7 @@
     pkg: 'dehydrated'
     state: 'present'
     default_release: '{{ ansible_lsb.codename }}-backports'
-  when: ssl_certs_auto and ansible_lsb.major_release|int == 9
+  when: ssl_certs_auto|length > 0 and ansible_lsb.major_release|int == 9
   tags:
     - 'ssl'
 
@@ -106,7 +106,7 @@
     owner: 'root'
     group: 'root'
     mode: '0644'
-  when: ssl_certs_auto
+  when: ssl_certs_auto|length > 0
   tags:
     - 'ssl'
 
@@ -115,7 +115,7 @@
   register: ssl_certs_auto_installed
   changed_when: False
   ignore_errors: True
-  when: ssl_certs_auto
+  when: ssl_certs_auto|length > 0
   tags:
     - 'ssl'
 
@@ -126,7 +126,7 @@
   changed_when: ssl_certs_auto_missing.stdout_lines != []
   notify:
     - 'Generate Lets Encrypt SSL certificates'
-  when: ssl_certs_auto
+  when: ssl_certs_auto|length > 0
   tags:
     - 'ssl'
 
@@ -137,14 +137,14 @@
     owner: 'root'
     group: 'root'
     mode: '0644'
-  when: ssl_certs_auto
+  when: ssl_certs_auto|length > 0
   tags:
     - 'ssl'
 
 - name: 'Register and accept Lets Encrypt terms of service'
   shell: if dehydrated --help | grep -q -- 'register' && dehydrated --help | grep -q -- 'accept-terms' ; then dehydrated --register --accept-terms ; fi
   changed_when: False
-  when: ssl_certs_auto
+  when: ssl_certs_auto|length > 0
   tags:
     - 'ssl'
 

+ 1 - 1
roles/common/templates/dns/resolv.conf.j2

@@ -2,7 +2,7 @@
 {% from 'templates/ansible/prolog.j2' import prolog with context %}
 {{ prolog() }}
 {% endif -%}
-{% if with_dnscache %}
+{% if with_dnscache|bool %}
 nameserver 127.0.0.1
 {% endif %}
 {% if nameservers is defined %}

+ 3 - 3
roles/common/templates/postfix/main.cf.j2

@@ -65,7 +65,7 @@ mydestination = $myhostname {% if postfix_hostname is defined %}{{ postfix_hostn
 
 {% if smtp_relay_host is defined %}
 relayhost = {{ smtp_relay_host }}
-{% elif with_postfix_external_smtp %}
+{% elif with_postfix_external_smtp|bool %}
 smtp_sasl_auth_enable = yes
 smtp_sasl_security_options = noanonymous
 smtp_sasl_password_maps = hash:/etc/postfix/sasl/credentials
@@ -83,7 +83,7 @@ sender_canonical_maps = regexp:/etc/postfix/sasl/sender_rewrite
 alias_maps = hash:/etc/aliases
 alias_database = $alias_maps
 
-{% if with_postfix_slowsmtp %}
+{% if with_postfix_slowsmtp|bool %}
 transport_maps =
     hash:/etc/postfix/transport_slowsmtp
 slowsmtp_destination_recipient_limit = 20
@@ -134,7 +134,7 @@ smtpd_sender_restrictions =
     reject_non_fqdn_sender,
     reject_unknown_sender_domain
 
-{% if with_opendkim is defined and with_opendkim %}
+{% if with_opendkim is defined and with_opendkim|bool %}
 # DKIM support
 milter_default_action = accept
 smtpd_milters = inet:localhost:8891

+ 1 - 1
roles/common/templates/ssl/letsencrypt_domains.j2

@@ -2,7 +2,7 @@
 {% from 'templates/ansible/prolog.j2' import prolog with context %}
 {{ prolog() }}
 {% endif -%}
-{% if ssl_certs_auto is defined %}
+{% if ssl_certs_auto|length > 0 %}
 {% for d in ssl_certs_auto %}
 {{ d }}
 {% endfor %}

+ 2 - 2
roles/dbserver/tasks/main.yml

@@ -1,10 +1,10 @@
 - include_tasks: mysql.yml
-  when: with_mysql or with_mariadb
+  when: with_mysql|bool or with_mariadb|bool
   tags:
     - 'mysql'
     - 'sql'
 - include_tasks: postgresql.yml
-  when: with_postgresql
+  when: with_postgresql|bool
   tags:
     - 'postgresql'
     - 'sql'

+ 14 - 15
roles/dbserver/tasks/mysql.yml

@@ -1,32 +1,31 @@
 - name: 'Install MySQL server related packages'
   apt:
-    pkg: '{{ item }}'
+    pkg:
+      - 'mysql-server'
+      - 'mysql-client'
     state: 'present'
-  with_items:
-    - 'mysql-server'
-    - 'mysql-client'
-  when: with_mysql
+  when: with_mysql|bool
   tags:
     - 'mysql'
     - 'sql'
 
 - name: 'Install MariaDB server related packages'
   apt:
-    pkg: '{{ item }}'
+    pkg:
+      - 'mariadb-server'
+      - 'mariadb-client'
     state: 'present'
-  with_items:
-    - 'mariadb-server'
-    - 'mariadb-client'
-  when: with_mariadb
+  when: with_mariadb|bool
   tags:
     - 'mysql'
     - 'sql'
 
 - name: 'Install MySQL or MariaDB backup related packages (automysqlbackup)'
   apt:
-    pkg: 'automysqlbackup'
+    pkg:
+      - 'automysqlbackup'
     state: 'present'
-  when: with_mysql_backup
+  when: with_mysql_backup|bool
   tags:
     - 'mysql'
     - 'sql'
@@ -36,7 +35,7 @@
     dest: '/usr/sbin/automysqlbackup'
     regexp: '^OPT='
     line: 'OPT="--quote-names --events" # OPT string for use with mysqldump ( see man mysqldump )'
-  when: with_mysql_backup
+  when: with_mysql_backup|bool
   tags:
     - 'mysql'
     - 'sql'
@@ -44,7 +43,7 @@
 - name: 'Change MySQL or MariaDB root default password'
   raw: if ! echo "SELECT VERSION();" | mysql -u root --password='{{ mysql_root_password }}' >/dev/null 2>&1 ; then echo "UPDATE mysql.user SET Password=PASSWORD('{{ mysql_root_password }}') WHERE User IN ('', 'root'); FLUSH PRIVILEGES;" | mysql --defaults-file=/etc/mysql/debian.cnf ; fi
   changed_when: False
-  when: mysql_root_password != ''
+  when: mysql_root_password|length > 0
   tags:
     - 'mysql'
     - 'sql'
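Review bot: Both `raw:` tasks (this hunk and the next) place `mysql_root_password` / `mysql_admin_password` on a shell command line and inside an SQL string without `no_log`. The secrets can therefore appear in Ansible output and logs, and in the process list on the target while the command runs. The values are also interpolated unescaped inside single quotes, so a password containing `'` breaks the command. At minimum add `no_log: True` to both tasks; moving them to the `mysql_user` module would remove the hand-built shell and SQL. The new `|length > 0` conditions also fail on a null password value, where the old `!= ''` did not.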
@@ -52,7 +51,7 @@
 - name: 'Add MySQL or MariaDB admin account'
   raw: if ! echo "SELECT VERSION();" | mysql -u admin --password='{{ mysql_admin_password }}' >/dev/null 2>&1 ; then echo "CREATE USER 'admin'@'localhost' IDENTIFIED BY '{{ mysql_admin_password }}'; GRANT ALL PRIVILEGES ON * . * TO 'admin'@'localhost' WITH GRANT OPTION; FLUSH PRIVILEGES;" | mysql --defaults-file=/etc/mysql/debian.cnf ; fi
   changed_when: False
-  when: mysql_admin_password != ''
+  when: mysql_admin_password|length > 0
   tags:
     - 'mysql'
     - 'sql'

+ 6 - 6
roles/dbserver/tasks/postgresql.yml

@@ -1,19 +1,19 @@
 - name: 'Install PostgreSQL server related packages'
   apt:
-    pkg: '{{ item }}'
+    pkg:
+      - 'postgresql'
+      - 'postgresql-client'
     state: 'present'
-  with_items:
-    - 'postgresql'
-    - 'postgresql-client'
   tags:
     - 'postgresql'
     - 'sql'
 
 - name: 'Install AutoPostgreSQLBackup package'
   apt:
-    pkg: 'autopostgresqlbackup'
+    pkg:
+      - 'autopostgresqlbackup'
     state: 'present'
-  when: with_postgresql_backup
+  when: with_postgresql_backup|bool
   tags:
     - 'postgresql'
     - 'sql'

+ 1 - 1
roles/ftpserver/defaults/main.yml

@@ -5,6 +5,6 @@
 with_ftp: False
 with_ftp_tls: False
 ftp_tls_domain: Null
-ftp_accounts: Null
+ftp_accounts: []
 
 # vim: ft=yaml.ansible

+ 2 - 2
roles/ftpserver/tasks/main.yml

@@ -1,9 +1,9 @@
 - include_tasks: 'common.yml'
-  when: with_ftp
+  when: with_ftp|bool
   tags:
     - 'ftp'
 - include_tasks: 'pure-ftpd.yml'
-  when: with_ftp
+  when: with_ftp|bool
   tags:
     - 'ftp'
     - 'pure-ftpd'

File diff suppressed because it is too large
+ 7 - 8
roles/ftpserver/tasks/pure-ftpd.yml


+ 5 - 6
roles/hypervisor/tasks/ganeti.yml

@@ -1,13 +1,12 @@
 - name: 'Install Ganeti related packages'
   apt:
-    pkg: '{{ item }}'
+    pkg:
+      - 'ganeti'
+      - 'ganeti-instance-debootstrap'
+      - 'drbd-utils'
+      - 'dnsutils'
     install_recommends: 'no'
     state: 'present'
-  with_items:
-    - 'ganeti'
-    - 'ganeti-instance-debootstrap'
-    - 'drbd-utils'
-    - 'dnsutils'
   tags:
     - 'hypervisor'
     - 'ganeti'

+ 2 - 2
roles/hypervisor/tasks/main.yml

@@ -1,10 +1,10 @@
 - include_tasks: 'xen.yml'
-  when: with_xen
+  when: with_xen|bool
   tags:
     - 'hypervisor'
     - 'xen'
 - include_tasks: 'ganeti.yml'
-  when: with_ganeti
+  when: with_ganeti|bool
   tags:
     - 'hypervisor'
     - 'ganeti'

+ 5 - 6
roles/hypervisor/tasks/xen.yml

@@ -1,13 +1,12 @@
 - name: 'Install Xen related packages'
   apt:
-    pkg: '{{ item }}'
+    pkg:
+      - 'xen-linux-system-amd64'
+      - 'grub-xen-host'
+      - 'bridge-utils'
+      - 'debootstrap'
     install_recommends: 'no'
     state: 'present'
-  with_items:
-    - 'xen-linux-system-amd64'
-    - 'grub-xen-host'
-    - 'bridge-utils'
-    - 'debootstrap'
   tags:
     - 'hypervisor'
     - 'xen'

+ 1 - 1
roles/monitoring/defaults/main.yml

@@ -6,6 +6,6 @@ with_mon: False
 
 with_zabbix_agent: False
 zabbix_remote_server: 'zabbix.domain.tld'
-zabbix_plugins_config: Null
+zabbix_plugins_config: []
 
 # vim: ft=yaml.ansible

+ 2 - 2
roles/monitoring/tasks/main.yml

@@ -1,10 +1,10 @@
 - include_tasks: zabbix.yml
-  when: with_zabbix_agent
+  when: with_zabbix_agent|bool
   tags:
     - 'monitoring'
     - 'zabbix'
 - include_tasks: mon.yml
-  when: with_mon
+  when: with_mon|bool
   tags:
     - 'monitoring'
     - 'mon'

+ 4 - 5
roles/monitoring/tasks/zabbix.yml

@@ -1,9 +1,8 @@
 - name: 'Install Zabbix agent'
   apt:
-    pkg: '{{ item }}'
+    pkg:
+      - 'zabbix-agent'
     state: 'present'
-  with_items:
-    - 'zabbix-agent'
   tags:
     - 'monitoring'
     - 'zabbix'
@@ -28,7 +27,7 @@
     group: 'root'
     mode: '0755'
     state: 'directory'
-  when: zabbix_plugins_config
+  when: zabbix_plugins_config|length > 0
   tags:
     - 'monitoring'
     - 'zabbix'
@@ -43,7 +42,7 @@
   with_items:
     - 'ssl-discovery'
     - 'web-availability-discovery'
-  when: zabbix_plugins_config
+  when: zabbix_plugins_config|length > 0
   tags:
     - 'monitoring'
     - 'zabbix'

+ 1 - 1
roles/rsyncserver/tasks/main.yml

@@ -1,5 +1,5 @@
 - include_tasks: 'rsyncd.yml'
-  when: with_rsyncd
+  when: with_rsyncd|bool
   tags:
     - 'rsyncd'
 

+ 2 - 3
roles/rsyncserver/tasks/rsyncd.yml

@@ -1,9 +1,8 @@
 - name: 'Install Rsync daemon related packages'
   apt:
-    pkg: '{{ item }}'
+    pkg:
+      - 'rsync'
     state: 'present'
-  with_items:
-    - 'rsync'
   tags:
     - 'rsyncd'
 

+ 10 - 9
roles/webserver/tasks/apache2.yml

@@ -1,6 +1,7 @@
 - name: 'Install Apache2 packages'
   apt:
-    pkg: 'apache2'
+    pkg:
+      - 'apache2'
     state: 'present'
   tags:
     - 'web'
@@ -66,7 +67,7 @@
   with_items: '{{ ssl_certs_auto }}'
   notify:
     - 'Reload apache2'
-  when: ssl_certs_auto
+  when: ssl_certs_auto|length > 0
   tags:
     - 'web'
     - 'apache2'
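Review bot: On this task `when: ssl_certs_auto|length > 0` adds no protection, because the task also loops with `with_items: '{{ ssl_certs_auto }}'` and Ansible evaluates `when` once per item. An empty list already runs zero iterations, and an undefined value fails in the loop expression before the condition is read. If the intent is to tolerate a missing value, put the fallback on the loop, `with_items: '{{ ssl_certs_auto | default([]) }}'`, and drop the `when`. The task begins above the hunk, and the hunk at `@@ -115,7 +116,7 @@` in roles/webserver/tasks/nginx.yml has the same shape.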
@@ -108,7 +109,7 @@
     mode: '0644'
   notify:
     - 'Reload apache2'
-  when: ssl_certs_auto
+  when: ssl_certs_auto|length > 0
   tags:
     - 'web'
     - 'apache2'
@@ -134,7 +135,7 @@
     mode: '0644'
   notify:
     - 'Reload apache2'
-  when: with_phpmyadmin
+  when: with_phpmyadmin|bool
   tags:
     - 'web'
     - 'apache2'
@@ -146,7 +147,7 @@
     state: 'link'
   notify:
     - 'Reload apache2'
-  when: with_phpmyadmin
+  when: with_phpmyadmin|bool
   tags:
     - 'web'
     - 'apache2'
@@ -160,7 +161,7 @@
     mode: '0644'
   notify:
     - 'Reload apache2'
-  when: with_phppgadmin
+  when: with_phppgadmin|bool
   tags:
     - 'web'
     - 'apache2'
@@ -172,7 +173,7 @@
     state: 'link'
   notify:
     - 'Reload apache2'
-  when: with_phppgadmin
+  when: with_phppgadmin|bool
   tags:
     - 'web'
     - 'apache2'
@@ -186,7 +187,7 @@
     mode: '0644'
   notify:
     - 'Reload apache2'
-  when: with_php
+  when: with_php|bool
   tags:
     - 'web'
     - 'apache2'
@@ -198,7 +199,7 @@
     state: 'link'
   notify:
     - 'Reload apache2'
-  when: with_php
+  when: with_php|bool
   tags:
     - 'web'
     - 'apache2'

+ 3 - 3
roles/webserver/tasks/main.yml

@@ -1,15 +1,15 @@
 - include_tasks: apache2.yml
-  when: with_apache2
+  when: with_apache2|bool
   tags:
     - 'web'
     - 'apache2'
 - include_tasks: nginx.yml
-  when: with_nginx
+  when: with_nginx|bool
   tags:
     - 'web'
     - 'nginx'
 - include_tasks: php.yml
-  when: with_php
+  when: with_php|bool
   tags:
     - 'web'
     - 'php'

+ 10 - 9
roles/webserver/tasks/nginx.yml

@@ -1,6 +1,7 @@
 - name: 'Install nginx package'
   apt:
-    pkg: 'nginx'
+    pkg:
+      - 'nginx'
     state: 'present'
   tags:
     - 'web'
@@ -115,7 +116,7 @@
   with_items: '{{ ssl_certs_auto }}'
   notify:
     - 'Reload nginx'
-  when: ssl_certs_auto
+  when: ssl_certs_auto|length > 0
   tags:
     - 'web'
     - 'nginx'
@@ -129,7 +130,7 @@
     mode: '0644'
   notify:
     - 'Reload nginx'
-  when: ssl_certs_auto
+  when: ssl_certs_auto|length > 0
   tags:
     - 'web'
     - 'nginx'
@@ -155,7 +156,7 @@
     mode: '0644'
   notify:
     - 'Reload nginx'
-  when: with_phpmyadmin
+  when: with_phpmyadmin|bool
   tags:
     - 'web'
     - 'nginx'
@@ -167,7 +168,7 @@
     state: 'link'
   notify:
     - 'Reload nginx'
-  when: with_phpmyadmin
+  when: with_phpmyadmin|bool
   tags:
     - 'web'
     - 'nginx'
@@ -181,7 +182,7 @@
     mode: '0644'
   notify:
     - 'Reload nginx'
-  when: with_phppgadmin
+  when: with_phppgadmin|bool
   tags:
     - 'web'
     - 'nginx'
@@ -193,7 +194,7 @@
     state: 'link'
   notify:
     - 'Reload nginx'
-  when: with_phppgadmin
+  when: with_phppgadmin|bool
   tags:
     - 'web'
     - 'nginx'
@@ -207,7 +208,7 @@
     mode: '0644'
   notify:
     - 'Reload nginx'
-  when: with_php
+  when: with_php|bool
   tags:
     - 'web'
     - 'nginx'
@@ -219,7 +220,7 @@
     state: 'link'
   notify:
     - 'Reload nginx'
-  when: with_php
+  when: with_php|bool
   tags:
     - 'web'
     - 'nginx'

+ 78 - 72
roles/webserver/tasks/php.yml

@@ -1,45 +1,42 @@
 - name: 'Install common PHP dependencies (Debian <= 8)'
   apt:
-    pkg: '{{ item }}'
+    pkg:
+      - 'php5-cli'
+      - 'php5-curl'
+      - 'php5-gd'
+      - 'php5-intl'
+      - 'php5-mcrypt'
+      - 'php-mime-type'
+      - 'php5-pgsql'
+      - 'php5-sqlite'
     state: 'present'
-  with_items:
-    - 'php5-cli'
-    - 'php5-curl'
-    - 'php5-gd'
-    - 'php5-intl'
-    - 'php5-mcrypt'
-    - 'php-mime-type'
-    - 'php5-pgsql'
-    - 'php5-sqlite'
-  when: with_php and ansible_lsb.major_release|int <= 8
+  when: with_php|bool and ansible_lsb.major_release|int <= 8
   tags:
     - 'web'
     - 'php'
 
 - name: 'Install common PHP dependencies (Debian >= 9)'
   apt:
-    pkg: '{{ item }}'
+    pkg:
+      - 'php{{ php_version }}-cli'
+      - 'php{{ php_version }}-curl'
+      - 'php{{ php_version }}-gd'
+      - 'php{{ php_version }}-intl'
+      - 'php{{ php_version }}-mysql'
+      - 'php{{ php_version }}-pgsql'
+      - 'php{{ php_version }}-sqlite3'
     state: 'present'
-  with_items:
-    - 'php{{ php_version }}-cli'
-    - 'php{{ php_version }}-curl'
-    - 'php{{ php_version }}-gd'
-    - 'php{{ php_version }}-intl'
-    - 'php{{ php_version }}-mysql'
-    - 'php{{ php_version }}-pgsql'
-    - 'php{{ php_version }}-sqlite3'
-  when: with_php and ansible_lsb.major_release|int >= 9
+  when: with_php|bool and ansible_lsb.major_release|int >= 9
   tags:
     - 'web'
     - 'php'
 
 - name: 'Install common PHP dependencies (Debian >= 9 and PHP < 7.2)'
   apt:
-    pkg: '{{ item }}'
+    pkg:
+      - 'php{{ php_version }}-mcrypt'
     state: 'present'
-  with_items:
-    - 'php{{ php_version }}-mcrypt'
-  when: with_php and ansible_lsb.major_release|int >= 9 and php_version|float < 7.2
+  when: with_php|bool and ansible_lsb.major_release|int >= 9 and php_version|float < 7.2
   tags:
     - 'web'
     - 'php'
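Review bot: `php_version|float < 7.2` on the mcrypt task compares versions as floating-point numbers, which misorders a value like `7.10` (it becomes 7.1) and turns an empty or non-numeric `php_version` into 0.0, so the task would run with a malformed package name. Since the commit targets Ansible >= 2.8, the `version` test is available: `when: with_php|bool and ansible_lsb.major_release|int >= 9 and php_version is version('7.2', '<')`. Separately, the `ansible_lsb` facts used throughout this file are presumably only populated when LSB release data exists on the host; `ansible_distribution_major_version` does not depend on it, which may matter for minimal installs.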
@@ -51,7 +48,7 @@
     owner: 'root'
     group: 'root'
     mode: '0755'
-  when: with_fpm
+  when: with_fpm|bool
   tags:
     - 'web'
     - 'php'
@@ -68,7 +65,7 @@
     - { src: 'logrotate/php-errors.j2', dest: '/etc/logrotate.d/php-errors' }
   notify:
       - 'Reload rsyslog for php'
-  when: with_fpm
+  when: with_fpm|bool
   tags:
     - 'web'
     - 'php'
@@ -81,7 +78,7 @@
     owner: 'root'
     group: 'root'
     mode: '0644'
-  when: with_php and ansible_lsb.major_release|int == 8
+  when: with_php|bool and ansible_lsb.major_release|int == 8
   tags:
     - 'web'
     - 'php'
@@ -89,33 +86,35 @@
 - name: 'Install local PHP configuration overrides for php{{ php_version }}-cli (Debian >= 9)'
   template:
     src: 'php/php-config-cli.ini.j2'
-    dest: '/etc/php/{{php_version }}/cli/conf.d/99-local-config.ini'
+    dest: '/etc/php/{{ php_version }}/cli/conf.d/99-local-config.ini'
     owner: 'root'
     group: 'root'
     mode: '0644'
-  when: with_php and ansible_lsb.major_release|int >= 9
+  when: with_php|bool and ansible_lsb.major_release|int >= 9
   tags:
     - 'web'
     - 'php'
 
 - name: 'Install Apache2 module for php5'
   apt:
-    pkg: 'libapache2-mod-php5'
+    pkg:
+      - 'libapache2-mod-php5'
     state: 'present'
   notify:
       - 'Reload apache2'
-  when: with_modphp5
+  when: with_modphp5|bool
   tags:
     - 'web'
     - 'php'
 
 - name: 'Install Apache2 module for php{{ php_version }}'
   apt:
-    pkg: 'libapache2-mod-php{{php_version}}'
+    pkg:
+      - 'libapache2-mod-php{{ php_version }}'
     state: 'present'
   notify:
       - 'Reload apache2'
-  when: with_modphp
+  when: with_modphp|bool
   tags:
     - 'web'
     - 'php'
@@ -130,7 +129,7 @@
     - {name: 'mpm_event', state: 'present', ignore_configcheck: 'yes'}
     - {name: 'php{{ php_version }}', state: 'absent', ignore_configcheck: 'no'}
     - {name: 'proxy_fcgi', state: 'present', ignore_configcheck: 'no'}
-  when: with_fpm and with_apache2
+  when: with_fpm|bool and with_apache2|bool
   notify:
       - 'Reload apache2'
   tags:
@@ -146,7 +145,7 @@
     - {name: 'mpm_event', state: 'absent', ignore_configcheck: 'yes'}
     - {name: 'mpm_prefork', state: 'present', ignore_configcheck: 'yes'}
     - {name: 'php{{ php_version }}', state: 'present', ignore_configcheck: 'no'}
-  when: with_modphp
+  when: with_modphp|bool
   notify:
       - 'Reload apache2'
   tags:
@@ -162,7 +161,7 @@
     mode: '0644'
   notify:
       - 'Reload apache2'
-  when: with_modphp5 and ansible_lsb.major_release|int < 8
+  when: with_modphp5|bool and ansible_lsb.major_release|int < 8
   tags:
     - 'web'
     - 'php'
@@ -176,7 +175,7 @@
     mode: '0644'
   notify:
       - 'Reload apache2'
-  when: with_modphp5 and ansible_lsb.major_release|int == 8
+  when: with_modphp5|bool and ansible_lsb.major_release|int == 8
   tags:
     - 'web'
     - 'php'
@@ -190,7 +189,7 @@
     mode: '0644'
   notify:
       - 'Reload apache2'
-  when: with_modphp and ansible_lsb.major_release|int >= 9
+  when: with_modphp|bool and ansible_lsb.major_release|int >= 9
   tags:
     - 'web'
     - 'php'
@@ -216,18 +215,20 @@
 
 - name: 'Install PHP APC extension (Debian <= 8)'
   apt:
-    pkg: 'php-apc'
+    pkg:
+      - 'php-apc'
     state: 'present'
-  when: with_php_apc and ansible_lsb.major_release|int <= 8
+  when: with_php_apc|bool and ansible_lsb.major_release|int <= 8
   tags:
     - 'web'
     - 'php'
 
 - name: 'Install PHP APC extension (Debian >= 9)'
   apt:
-    pkg: 'php-apcu'
+    pkg:
+      - 'php-apcu'
     state: 'present'
-  when: with_php_apc and ansible_lsb.major_release|int >= 9
+  when: with_php_apc|bool and ansible_lsb.major_release|int >= 9
   tags:
     - 'web'
     - 'php'
@@ -239,16 +240,17 @@
     owner: 'root'
     group: 'root'
     mode: '0644'
-  when: with_php_apc
+  when: with_php_apc|bool
   tags:
     - 'web'
     - 'php'
 
 - name: 'Install MySQL extension for PHP - native driver (Debian 8)'
   apt:
-    pkg: 'php5-mysqlnd'
+    pkg:
+      - 'php5-mysqlnd'
     state: 'present'
-  when: not with_php_mysql_legacy and ansible_lsb.major_release|int == 8
+  when: not with_php_mysql_legacy|bool and ansible_lsb.major_release|int == 8
   tags:
     - 'web'
     - 'php'
@@ -257,43 +259,47 @@
   apt:
     pkg: 'php5-mysql'
     state: 'present'
-  when: with_php_mysql_legacy
+  when: with_php_mysql_legacy|bool
   tags:
     - 'web'
     - 'php'
 
 - name: 'Install PHPMyAdmin'
   apt:
-    pkg: 'phpmyadmin'
+    pkg:
+      - 'phpmyadmin'
     state: 'present'
-  when: with_phpmyadmin
+  when: with_phpmyadmin|bool
   tags:
     - 'web'
     - 'php'
 
 - name: 'Install PHPPgAdmin'
   apt:
-    pkg: 'phppgadmin'
+    pkg:
+      - 'phppgadmin'
     state: 'present'
-  when: with_phppgadmin
+  when: with_phppgadmin|bool
   tags:
     - 'web'
     - 'php'
 
 - name: 'Install FPM for PHP 5 (Debian <= 8)'
   apt:
-    pkg: 'php5-fpm'
+    pkg:
+      - 'php5-fpm'
     state: 'present'
-  when: with_fpm and ansible_lsb.major_release|int <= 8
+  when: with_fpm|bool and ansible_lsb.major_release|int <= 8
   tags:
     - 'web'
     - 'php'
 
 - name: 'Install FPM for PHP {{ php_version }} (Debian >= 9)'
   apt:
-    pkg: 'php{{ php_version }}-fpm'
+    pkg:
+      - 'php{{ php_version }}-fpm'
     state: 'present'
-  when: with_fpm and ansible_lsb.major_release|int >= 9
+  when: with_fpm|bool and ansible_lsb.major_release|int >= 9
   tags:
     - 'web'
     - 'php'
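Review bot: `pkg: 'php5-mysql'` at the top of this hunk is the one apt task left in string form while the other apt tasks in this hunk were moved to a list; for consistency it should read `pkg:` followed by `- 'php5-mysql'`. That task is also gated only by `with_php_mysql_legacy|bool`, with no `ansible_lsb.major_release` check, although the package name is php5-specific and the neighbouring tasks are split by Debian release. If that is unintended, `when: with_php_mysql_legacy|bool and ansible_lsb.major_release|int <= 8` would match them. The task's name line is above the hunk, so its intended scope is not visible here.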
@@ -301,9 +307,9 @@
 - name: 'Configure FPM for PHP 5 (Debian <= 8)'
   lineinfile:
     dest: '/etc/php5/fpm/php-fpm.conf'
-    regexp: '^{{item.key}}\s*=.*$'
-    line: '{{item.key}} = {{item.value}}'
-    insertafter: '^;{{item.key}}'
+    regexp: '^{{ item.key }}\s*=.*$'
+    line: '{{ item.key }} = {{ item.value }}'
+    insertafter: '^;{{ item.key }}'
   with_items:
     - { key: 'error_log', value: 'syslog' }
     - { key: 'log_level', value: 'warning' }
@@ -314,7 +320,7 @@
     - { key: 'include', value: '/etc/php5/fpm/pool.d/local-pool.cnf' }
   notify:
       - 'Reload FPM for PHP 5'
-  when: with_fpm and ansible_lsb.major_release|int <= 8
+  when: with_fpm|bool and ansible_lsb.major_release|int <= 8
   tags:
     - 'web'
     - 'php'
@@ -322,9 +328,9 @@
 - name: 'Configure FPM for PHP {{ php_version }} (Debian >= 9)'
   lineinfile:
     dest: '/etc/php/{{ php_version }}/fpm/php-fpm.conf'
-    regexp: '^{{item.key}}\s*=.*$'
-    line: '{{item.key}} = {{item.value}}'
-    insertafter: '^;{{item.key}}'
+    regexp: '^{{ item.key }}\s*=.*$'
+    line: '{{ item.key }} = {{ item.value }}'
+    insertafter: '^;{{ item.key }}'
   with_items:
     - { key: 'error_log', value: 'syslog' }
     - { key: 'log_level', value: 'warning' }
@@ -335,7 +341,7 @@
     - { key: 'include', value: '/etc/php/{{ php_version }}/fpm/pool.d/local-pool.cnf' }
   notify:
       - 'Reload FPM for PHP'
-  when: with_fpm and ansible_lsb.major_release|int >= 9
+  when: with_fpm|bool and ansible_lsb.major_release|int >= 9
   tags:
     - 'web'
     - 'php'
@@ -349,7 +355,7 @@
     mode: '0644'
   notify:
       - 'Reload FPM for PHP 5'
-  when: with_fpm and ansible_lsb.major_release|int <= 8
+  when: with_fpm|bool and ansible_lsb.major_release|int <= 8
   tags:
     - 'web'
     - 'php'
@@ -363,7 +369,7 @@
     mode: '0644'
   notify:
       - 'Reload FPM for PHP'
-  when: with_fpm and ansible_lsb.major_release|int >= 9
+  when: with_fpm|bool and ansible_lsb.major_release|int >= 9
   tags:
     - 'web'
     - 'php'
@@ -375,7 +381,7 @@
     owner: 'root'
     group: 'root'
     mode: '0644'
-  when: with_fpm and ansible_lsb.major_release|int == 8
+  when: with_fpm|bool and ansible_lsb.major_release|int == 8
   tags:
     - 'web'
     - 'php'
@@ -387,7 +393,7 @@
     owner: 'root'
     group: 'root'
     mode: '0644'
-  when: with_fpm and ansible_lsb.major_release|int >= 9
+  when: with_fpm|bool and ansible_lsb.major_release|int >= 9
   tags:
     - 'web'
     - 'php'
@@ -399,7 +405,7 @@
     owner: 'root'
     group: 'root'
     mode: '0644'
-  when: with_fpm and with_apache2
+  when: with_fpm|bool and with_apache2|bool
   tags:
     - 'web'
     - 'php'
@@ -413,7 +419,7 @@
     mode: '0644'
   notify:
       - 'Reload nginx'
-  when: with_fpm and with_nginx
+  when: with_fpm|bool and with_nginx|bool
   tags:
     - 'web'
     - 'php'
@@ -427,7 +433,7 @@
     mode: '0644'
   notify:
       - 'Reload nginx'
-  when: with_fpm and with_nginx
+  when: with_fpm|bool and with_nginx|bool
   tags:
     - 'web'
     - 'php'
@@ -436,7 +442,7 @@
   service:
     name: 'php5-fpm'
     state: 'started'
-  when: with_fpm and ansible_lsb.major_release|int <= 8
+  when: with_fpm|bool and ansible_lsb.major_release|int <= 8
   tags:
     - 'web'
     - 'php'
@@ -445,7 +451,7 @@
   service:
     name: 'php{{ php_version }}-fpm'
     state: 'started'
-  when: with_fpm and ansible_lsb.major_release|int >= 9
+  when: with_fpm|bool and ansible_lsb.major_release|int >= 9
   tags:
     - 'web'
     - 'php'

+ 1 - 1
roles/webserver/templates/apache2/pga_vhost.j2

@@ -35,7 +35,7 @@
         php_admin_value post_max_size 128M
     </IfModule>
 
-{% if with_fpm %}
+{% if with_fpm|bool %}
     Include conf-available/fpm-pool.conf
 {% endif %}
 

+ 2 - 2
roles/webserver/templates/apache2/pma_vhost.j2

@@ -32,7 +32,7 @@
         php_admin_value post_max_size 128M
     </IfModule>
 
-{% if with_fpm %}
+{% if with_fpm|bool %}
     Include conf-available/fpm-pool.conf
 {% endif %}
 
@@ -78,7 +78,7 @@
         php_admin_value post_max_size 128M
     </IfModule>
 
-{% if with_fpm %}
+{% if with_fpm|bool %}
     Include conf-available/fpm-pool.conf
 {% endif %}
 

+ 2 - 2
roles/webserver/templates/apache2/sys_vhost.j2

@@ -29,7 +29,7 @@
         Allow from all
     </Directory>
 
-{% if with_fpm %}
+{% if with_fpm|bool %}
     Include conf-available/fpm-pool.conf
 {% endif %}
 
@@ -74,7 +74,7 @@
         php_admin_value post_max_size 128M
     </IfModule>
 
-{% if with_fpm %}
+{% if with_fpm|bool %}
     Include conf-available/fpm-pool.conf
 {% endif %}