DebOps v2.1.0 Release Notes
Release Date: 2020-06-21
.. _debops v2.1.0: https://github.com/debops/debops/compare/v2.0.0...v2.1.0

Added
~~~~~

New DebOps roles
''''''''''''''''

- The :ref:`debops.etesync` role allows you to set up an EteSync__ server.
  EteSync is a cross-platform project to provide secure, end-to-end encrypted,
  and privacy-respecting sync for your contacts, calendars and tasks.

  .. __: https://www.etesync.com/

- The :ref:`debops.journald` role can be used to manage the
  :command:`systemd-journald` service, supports configuration of Forward
  Secure Sealing and can configure persistent storage of the log files. The
  role is included by default in the :file:`common.yml` playbook.

- The :ref:`debops.dpkg_cleanup` role can create :command:`dpkg` hooks that
  help clean up custom and diverted files created by other roles when a given
  Debian package is removed. This should aid in cases of multiple roles
  managing services that provide the same functionality.

- The :ref:`debops.influxdata` role configures the APT repository and
  repository GPG keys of the `InfluxData`__ company, creator of InfluxDB,
  Telegraf and other metric and time series tools.

  .. __: https://influxdata.com/

- The :ref:`debops.influxdb_server` and :ref:`debops.influxdb` roles can be
  used to install the InfluxDB time series database service and manage its
  databases and users, respectively.

- The :ref:`debops.fhs` role will be used to define the base directory
  hierarchy used by other DebOps roles (previously done by the
  :ref:`debops.core` role). The role is included in the :file:`common.yml`
  playbook.

- The :ref:`debops.tzdata` role manages the host time zone configuration and
  provides the ``ansible_local.tzdata.timezone`` local fact with the time zone
  in the ``Area/Zone`` format. The role is included in the :file:`common.yml`
  playbook.

:ref:`debops.pki` role
''''''''''''''''''''''

- The role can now instruct acme-tiny to register an ACME account with one or
  more contact URLs. Let's Encrypt, for example, uses this information to
  notify you about expiring certificates and emergency revocation.

- The :ref:`debops.dovecot` and :ref:`debops.postfix` roles now include the
  PKI hook scripts which will reload their corresponding services when the
  X.509 certificates used by them are changed.

:ref:`debops.postconf` role
'''''''''''''''''''''''''''

- The additional Postfix configuration managed by the role can now be added
  or removed conditionally, controlled by the
  :envvar:`postconf__deploy_state` variable.

:ref:`debops.python` role
'''''''''''''''''''''''''

- Introduce :envvar:`python__pip_version_check` which defaults to ``False`` to
  disable PIP update checks outside of the system package manager. Before,
  this was not configured by DebOps, leaving it at the PIP default, which
  meant it would check for updates occasionally.

:ref:`debops.resources` role
''''''''''''''''''''''''''''

- Add support for the ``access_time`` and ``modification_time`` parameters of
  the Ansible file module to the role.

:ref:`debops.roundcube` role
''''''''''''''''''''''''''''

- The role can now be configured to install Roundcube from private or
  internal :command:`git` repositories that might contain additional
  modifications to the application code required by some organizations. See
  the :ref:`roundcube__ref_private_repo` section in the documentation for
  details.

Changed
~~~~~~~

Updates of upstream application versions
''''''''''''''''''''''''''''''''''''''''

- In the :ref:`debops.ipxe` role, the Debian Stretch and Debian Buster netboot
  installer versions have been updated to their next point releases, 9.11 and
  10.4 respectively.

- In the :ref:`debops.owncloud` role, the Nextcloud version installed by
  default has been updated to ``v17.0``. The ownCloud version has been updated
  to ``v10.4``.

- In the :ref:`debops.roundcube` role, the Roundcube version installed by
  default has been updated to ``v1.4.4``.

- In the :ref:`debops.lxd` role, the LXD version installed by default has been
  changed to the ``stable-4.0`` branch, which is an LTS release. The role uses
  a :command:`git` branch instead of a specific tagged release to bypass
  `broken LXD build dependency`__ which is not yet fixed in a tagged release.

  .. __: https://github.com/lxc/lxd/issues/7357

- In the :ref:`debops.gitlab` role, the GitLab release installed on Debian
  Buster and newer OS releases is updated to ``12-10-stable``.

  This release requires Golang packages from the ``buster-backports`` APT
  repository, which will be installed by default via the :ref:`debops.golang`
  role. Existing installations need to upgrade the Golang packages before the
  playbook is applied.

- In the :ref:`debops.ansible` role, Ansible 2.9.x from the
  ``buster-backports`` repository will be installed on Debian Buster by
  default, when backports are enabled.

- The :ref:`debops.mailman` role has been redesigned and now installs and
  configures Mailman 3.x instead of Mailman 2.x. Read the
  :ref:`mailman__ref_mailman2_migration` guide and the rest of the
  :ref:`debops.mailman` documentation for details.

Continuous Integration
''''''''''''''''''''''

- The Vagrant provisioning script will install Ansible from PyPI by default.
  The version included in the current Debian Stable (Buster) is too old for
  the DebOps playbooks and roles.

General
'''''''

- The DebOps Collection published on Ansible Galaxy has been split into
  multiple Collections due to the number of Ansible roles present in DebOps.
  The ``debops.debops`` collection will install additional
  ``debops.rolesXY`` collections automatically via collection dependencies.
  The playbooks have been updated to include new Collections.

- The DebOps repository is now compliant with the `REUSE Specification`__.
  The `SPDX License Identifiers`__ have been added to the files contained in
  the repository and valid copyright and license information will be required
  to pass the test suite.

  .. __: https://reuse.software/spec/
  .. __: https://spdx.org/ids

- In new DebOps environments, Ansible will ignore any missing inventory groups
  using the ``host_pattern_mismatch`` parameter. This will disable the "Could
  not match supplied host pattern" warning message present in most of the
  playbooks included in DebOps. To disable this message in an existing
  environment, add in the :file:`.debops.cfg` configuration file:

  .. code-block:: ini

     [ansible inventory]
     host_pattern_mismatch = ignore

- The :command:`debops` script will now use the Ansible inventory path defined
  in the :file:`.debops.cfg` configuration file ``[ansible defaults]`` section
  instead of the static :file:`ansible/inventory/` path.

- The variables in various DebOps roles that define filesystem paths have been
  switched from using the ``ansible_local.root.*`` Ansible local facts to the
  new ``ansible_local.fhs.*`` facts defined by the :ref:`debops.fhs` role. The
  new facts use the same base paths as the old ones; there should be no issues
  if the variables have not been modified through Ansible inventory.

  If you have redefined any ``core__root_*`` variables in the Ansible
  inventory to modify the filesystem paths used by DebOps roles, you will need
  to update the configuration. See the :ref:`debops.fhs` role documentation
  for details.

- The use of ``ansible_local.core.fqdn`` and ``ansible_local.core.domain``
  local facts in roles to define the host DNS domain and FQDN has been
  removed; the roles will use the ``ansible_fqdn`` and ``ansible_domain``
  facts directly. This is due to issues with the :ref:`debops.core` local
  facts not updating when the host's domain is changed and causing the roles
  to use wrong domain names in configuration.

:ref:`debops.cran` role
'''''''''''''''''''''''

- The custom ``cran`` Ansible module used by the role has been moved to the
  :ref:`debops.ansible_plugins` role to allow it to be used via the Ansible
  Collection system, which requires all plugins to be centralized.

:ref:`debops.etc_aliases` role
''''''''''''''''''''''''''''''

- The custom filter plugin used by the role has been moved to the
  :ref:`debops.ansible_plugins` role to allow it to be used via the Ansible
  Collection system, which requires all plugins to be centralized.

:ref:`debops.golang` role
'''''''''''''''''''''''''

- On Debian Buster, Golang APT packages from the ``buster-backports`` APT
  repository will be preferred instead of their Buster version. This allows
  for installation of applications that depend on a newer Go runtime
  environment, like GitLab or MinIO.

:ref:`debops.lxd` role
''''''''''''''''''''''

- The support for the LXC containers managed by the :ref:`debops.lxc` role
  will be applied on the host when LXD is configured, due to the build
  dependency on the ``lxc`` APT package. In this case, the ``lxcbr0`` network
  bridge will not be configured by default.

:ref:`debops.mosquitto` role
''''''''''''''''''''''''''''

- Update the role for Debian Buster. It is no longer necessary to install
  Python packages outside of the system package management.

:ref:`debops.nginx` role
''''''''''''''''''''''''

- TLSv1.3 is now enabled by default for nginx version 1.13.0 and up.

:ref:`debops.nullmailer` role
'''''''''''''''''''''''''''''

- The Nullmailer smtpd service can now listen on both IPv4 and IPv6
  addresses. It listens on both loopback addresses by default, where it used
  to only listen on the IPv6 loopback address.

:ref:`debops.owncloud` role
'''''''''''''''''''''''''''

- Support has been added for Nextcloud 17.0 and 18.0.

:ref:`debops.pki` role
''''''''''''''''''''''

- Use the ``inventory_hostname`` variable instead of the ``ansible_fqdn``
  variable in paths of the directories used to store data on Ansible
  Controller. This decouples the host FQDN and domain name from the
  certificate management tasks in the role.

  .. note:: The role will try to recreate existing X.509 certificates making
     the playbook execution idempotent. Removing the PKI realms and recreating
     them will fix this issue.

:ref:`debops.postfix` role
''''''''''''''''''''''''''

- The persistent configuration stored on the Ansible Controller has been
  refactored and does not use multiple separate tasks to handle the JSON
  files.

:ref:`debops.rsyslog` role
''''''''''''''''''''''''''

- The role has been refreshed and uses the custom Ansible filter plugins to
  manage the :command:`rsyslog` configuration files. The default configuration
  was rearranged; the :file:`/etc/rsyslog.conf` configuration file has the
  default contents that come with the Debian package and can be configured by
  the role. The configuration model has been redesigned; any changes in the
  configuration of the role set in the Ansible inventory need to be reviewed
  before applying the new version.

- The ``rsyslog`` APT package and its service can be cleanly removed from the
  host, either via the role or by uninstalling the package itself.

Removed
~~~~~~~

:ref:`debops.console` role
''''''''''''''''''''''''''

- The local and NFS mount support has been removed from the
  :ref:`debops.console` role. Local mounts can be managed using the
  :ref:`debops.mount` role; NFS mounts can be managed by the :ref:`debops.nfs`
  role.

:ref:`debops.core` role
'''''''''''''''''''''''

- The ``ansible_local.uuid`` local fact and corresponding variables and tasks
  have been removed from the role. A replacement fact, ``ansible_machine_id``,
  is an Ansible built-in.

- The ``ansible_local.init`` fact has been removed from the role. A native
  ``ansible_service_mgr`` Ansible fact is its replacement.

- The ``ansible_local.cap12s`` fact has been removed from the role. A native
  set of Ansible facts (``ansible_system_capabilities``,
  ``ansible_system_capabilities_enforced``) is used as a replacement.

- The :file:`root.fact` script, corresponding variables and documentation have
  been removed from the role. This functionality is now managed by the
  :ref:`debops.fhs` role.

- The ``ansible_local.core.fqdn`` and ``ansible_local.core.domain`` local
  facts and their corresponding default variables have been removed from the
  role. In their place, ``ansible_fqdn`` and ``ansible_domain`` facts should
  be used instead.

:ref:`debops.ntp` role
''''''''''''''''''''''

- The timezone configuration has been moved from the :ref:`debops.ntp` role to
  the :ref:`debops.tzdata` role.

:ref:`debops.nullmailer` role
'''''''''''''''''''''''''''''

- The script and :command:`dpkg` hook that cleaned up the additional files
  maintained by the role have been removed; the :ref:`debops.dpkg_cleanup`
  role will be used for this purpose instead.

Fixed
~~~~~

General
'''''''

- Fix `an issue with Ansible Collections`__ where roles used via the
  ``include_role`` Ansible module broke due to the split into multiple
  collections. All roles will now have the ``debops.debops`` collection
  included by default in the :file:`meta/main.yml` file to tell Ansible where
  to look for dependent roles.

  .. __: https://github.com/ansible/ansible/issues/67723

- Fix an issue with the collection creation script where the role files that
  contained multiple uses of a particular custom Ansible plugin, for example
  ``template_src`` or ``file_src``, were modified multiple times by the
  script.

:ref:`debops.apt` role
''''''''''''''''''''''

- Fix BeagleBoards detection with Debian 10 image. Tested with a BeagleBoards
  Black.

:ref:`debops.cron` role
'''''''''''''''''''''''

- Fix creation of empty environment variables in :command:`cron`
  configuration files managed by Ansible.

:ref:`debops.dnsmasq` role
''''''''''''''''''''''''''

- :envvar:`dnsmasq__public_dns` did not create a firewall allow rule when no
  interfaces were specified.

:ref:`debops.ferm` role
'''''''''''''''''''''''

- Fixed incorrect removal of the ferm rule set by :ref:`debops.avahi` on
  IPv6-enabled systems.

:ref:`debops.gitlab_runner` role
''''''''''''''''''''''''''''''''

- Don't re-create removed :file:`/etc/machine-id` contents during Vagrant box
  creation. This should fix issues with IP addresses received from DHCP by the
  Vagrant machines.

  .. warning:: This fix is applied using the :command:`patch` command on the
     files packaged by APT. Existing installations will have to be updated
     manually; alternatively, the changes applied previously should be removed
     from the affected files before the role is applied. See the patch files
     in the role :file:`files/patches/` directory for more information.

- The GitLab package repository signing key has been replaced with the new
  key that has been in use since 2020-04-06, allowing APT to update package
  lists again. See the `GitLab.com blog`__ for more information about this
  change.

  .. __: https://about.gitlab.com/releases/2020/03/30/gpg-key-for-gitlab-package-repositories-metadata-changing/

:ref:`debops.minio` role
''''''''''''''''''''''''

- Fix an issue during installation of recent MinIO releases, where during an
  initial restart the MinIO service would switch into "safe mode" when a
  problem with configuration is detected; this would prevent the service from
  being restarted correctly. Now the service should be properly stopped by
  :command:`systemd` after a stop timeout.

:ref:`debops.netbase` role
''''''''''''''''''''''''''

- Use a short timeout for DNS queries performed by the Ansible local fact
  script, in case the DNS infrastructure is not configured. This avoids 60s
  timeouts during Ansible fact gathering in such cases.

:ref:`debops.nginx` role
''''''''''''''''''''''''

- The role now always sets the HTTP Strict Transport Security header when it
  is enabled, regardless of the response code.

:ref:`debops.postgresql_server` role
''''''''''''''''''''''''''''''''''''

- In the :command:`autopostgresqlbackup` script, use the
  :command:`su - postgres` command instead of the :command:`su postgres`
  command to start a login shell and switch to the correct home directory of
  the ``postgres`` user instead of staying in the :file:`/root/` home
  directory. This avoids the issue during execution of the script via
  :command:`cron` where it would emit errors about not being able to change to
  the :file:`/root/` home directory due to the permissions.

:ref:`debops.roundcube` role
''''''''''''''''''''''''''''

- Use the Roundcube version from Ansible local facts instead of the one
  defined in role default variables to detect if a database migration is
  required after the Roundcube :command:`git` repository is updated.

:ref:`debops.slapd` role
''''''''''''''''''''''''

- Move the Private Enterprise Number and LDAP namespace OIDs of the DebOps
  organization to a separate :file:`debops.schema` file to avoid duplicated
  OIDs in the ``cn=schema`` LDAP subtree. Existing installations might need to
  be recreated to avoid warnings about duplicate OIDs emitted during OpenLDAP
  operations.
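
An added example, not part of the DebOps release notes or code base: a small pre-upgrade checker that scans an Ansible inventory for the local facts and variables listed as removed or replaced in the Changed and Removed sections, and reports the replacement these notes name for each. The function names and the sample inventory content are constructed for illustration.

```python
import re
import sys
from pathlib import Path

_KEY = r"(?:\.{0}\b|\[['\"]{0}['\"]\])"  # matches .name, ['name'] or ["name"]

def _fact(*parts):
    """Regex source for ansible_local.<parts> in dotted or bracket notation."""
    return r"\bansible_local" + "".join(_KEY.format(re.escape(p)) for p in parts)

# (pattern, replacement) pairs; replacements are the ones named in these notes.
RULES = [(re.compile(p), new) for p, new in [
    (_fact("core", "fqdn"), "ansible_fqdn"),
    (_fact("core", "domain"), "ansible_domain"),
    (_fact("uuid"), "ansible_machine_id"),
    (_fact("init"), "ansible_service_mgr"),
    (_fact("cap12s"), "ansible_system_capabilities, ansible_system_capabilities_enforced"),
    (_fact("root"), "ansible_local.fhs.*"),
    (r"\bcore__root_\w+", "see the debops.fhs role documentation"),
]]

def scan(text, source="<text>"):
    """Return one (source, line number, matched text, replacement) per hit."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # skip full-line YAML comments
            continue
        for pattern, new in RULES:
            hits += [(source, lineno, m.group(0), new) for m in pattern.finditer(line)]
    return hits

def scan_tree(root):
    """Scan every file below root (e.g. ansible/inventory/); bad bytes are replaced."""
    files = sorted(p for p in Path(root).rglob("*") if p.is_file())
    return [h for p in files for h in scan(p.read_text(errors="replace"), str(p))]

# Constructed sample inventory; the variable names are illustrative only.
SAMPLE = """\
core__root_home: '/srv/home'
app__fqdn: '{{ ansible_local.core.fqdn }}'
app__domain: "{{ ansible_local['core']['domain'] | d(ansible_domain) }}"
app__data: '{{ ansible_local.root.home + "/app" }}'
app__initramfs: '{{ ansible_local.initramfs | d() }}'  # not a removed fact
"""

if __name__ == "__main__":
    found = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan(SAMPLE, "sample")
    print("\n".join("{}:{}: {} -> {}".format(*hit) for hit in found))
    sys.exit(1 if found else 0)
```

Pass an inventory directory as the first argument to scan real files; the exit status is non-zero when any reference to a removed fact or variable is found.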