DebOps v2.1.0 Release Notes

Release Date: 2020-06-21

.. _debops v2.1.0: https://github.com/debops/debops/compare/v2.0.0...v2.1.0

    Added
    ~~~~~

    New DebOps roles
    ''''''''''''''''
    
    - The :ref:`debops.etesync` role allows you to set up an EteSync__ server.
      EteSync is a cross-platform project to provide secure, end-to-end encrypted,
      and privacy respecting sync for your contacts, calendars and tasks.
    
    .. __: https://www.etesync.com/
    
    - The :ref:`debops.journald` role can be used to manage the
      :command:`systemd-journald` service, supports configuration of Forward Secure
      Sealing and can configure persistent storage of the log files. The role is
      included by default in the :file:`common.yml` playbook.
    
    - The :ref:`debops.dpkg_cleanup` role can create :command:`dpkg` hooks that
      help clean up custom and diverted files created by other roles when a given
      Debian package is removed. This should aid in cases of multiple roles
      managing services that provide the same functionality.
    
    - The :ref:`debops.influxdata` role configures the APT repository and
      repository GPG keys of the `InfluxData`__ company, creator of InfluxDB,
      Telegraf and other metric and time series tools.
    
      .. __: https://influxdata.com/
    
    - The :ref:`debops.influxdb_server` and :ref:`debops.influxdb` roles can be
      used to install the InfluxDB time series database service and manage its
      databases and users, respectively.
    
    - The :ref:`debops.fhs` role will be used to define base directory hierarchy
      used by other DebOps roles (previously done by the :ref:`debops.core` role).
      The role is included in the :file:`common.yml` playbook.
    
    - The :ref:`debops.tzdata` role manages the host time zone configuration and
      provides the ``ansible_local.tzdata.timezone`` local fact with the time zone
      in the ``Area/Zone`` format. The role is included in the :file:`common.yml`
      playbook.
    
    :ref:`debops.pki` role
    ''''''''''''''''''''''
    
    - The role can now instruct acme-tiny to register an ACME account with one or
      more contact URLs. Let's Encrypt for example uses this information to notify
      you about expiring certificates and emergency revocation.
    
    - The :ref:`debops.dovecot` and :ref:`debops.postfix` roles now include the PKI
      hook scripts which will reload their corresponding services when the X.509
      certificates used by them are changed.
    
    :ref:`debops.postconf` role
    '''''''''''''''''''''''''''
    
    - The additional Postfix configuration managed by the role can now be added or
      removed conditionally, controlled by the :envvar:`postconf__deploy_state`
      variable.
    
    :ref:`debops.python` role
    '''''''''''''''''''''''''
    
    - Introduce :envvar:`python__pip_version_check` which defaults to ``False`` to
      disable PIP update checks outside of the system package manager.
      Previously, DebOps did not configure this setting, leaving the PIP default
      in place, which meant it would check for updates occasionally.
    
    :ref:`debops.resources` role
    ''''''''''''''''''''''''''''
    
    - Add support for the ``access_time`` and ``modification_time`` parameters of
      the Ansible file module to the role.
    
    :ref:`debops.roundcube` role
    ''''''''''''''''''''''''''''
    
    - The role can now be configured to install Roundcube from private or internal
      :command:`git` repositories that might contain additional modifications to
      the application code required by some organizations. See the
      :ref:`roundcube__ref_private_repo` section in the documentation for details.
    
    Changed
    ~~~~~~~

    Updates of upstream application versions
    ''''''''''''''''''''''''''''''''''''''''

    - In the :ref:`debops.ipxe` role, the Debian Stretch and Debian Buster netboot
      installer versions have been updated to their next point releases, 9.11 and
      10.4 respectively.

    - In the :ref:`debops.owncloud` role, the Nextcloud version installed by
      default has been updated to v17.0. The ownCloud version has been updated to
      v10.4.

    - In the :ref:`debops.roundcube` role, the Roundcube version installed by
      default has been updated to v1.4.4.

    - In the :ref:`debops.lxd` role, the LXD version installed by default has been
      changed to the ``stable-4.0`` branch, which is an LTS release. The role uses
      a :command:`git` branch instead of a specific tagged release to bypass a
      `broken LXD build dependency`__ which is not yet fixed in a tagged release.

      .. __: https://github.com/lxc/lxd/issues/7357

    - In the :ref:`debops.gitlab` role, the GitLab release installed on Debian
      Buster and newer OS releases is updated to ``12-10-stable``.

      This release requires Golang packages from the ``buster-backports`` APT
      repository, which will be installed by default via the :ref:`debops.golang`
      role. Existing installations need to upgrade the Golang packages before the
      playbook is applied.

    - In the :ref:`debops.ansible` role, Ansible 2.9.x from the
      ``buster-backports`` repository will be installed on Debian Buster by
      default, when backports are enabled.

    - The :ref:`debops.mailman` role has been redesigned and now installs and
      configures Mailman 3.x instead of Mailman 2.x. Read the
      :ref:`mailman__ref_mailman2_migration` guide and the rest of the
      :ref:`debops.mailman` documentation for details.

    Continuous Integration
    ''''''''''''''''''''''

    - The Vagrant provisioning script will install Ansible from PyPI by default.
      The version included in the current Debian Stable (Buster) is too old for
      the DebOps playbooks and roles.

    General
    '''''''

    - The DebOps Collection published on Ansible Galaxy has been split into
      multiple Collections due to the number of Ansible roles present in DebOps.
      The ``debops.debops`` collection will install additional ``debops.rolesXY``
      collections automatically via collection dependencies. The playbooks have
      been updated to include new Collections.

    - The DebOps repository is now compliant with the `REUSE Specification`__. The
      `SPDX License Identifiers`__ have been added to the files contained in the
      repository and valid copyright and license information will be required to
      pass the test suite.

      .. __: https://reuse.software/spec/
      .. __: https://spdx.org/ids

    - In new DebOps environments, Ansible will ignore any missing inventory groups
      using the ``host_pattern_mismatch`` parameter. This will disable the "Could
      not match supplied host pattern" warning message present in most of the
      playbooks included in DebOps. To disable this message in an existing
      environment, add in the :file:`.debops.cfg` configuration file:

      .. code-block:: ini

         [ansible inventory]
         host_pattern_mismatch = ignore

    - The :command:`debops` script will now use the Ansible inventory path defined
      in the :file:`.debops.cfg` configuration file ``[ansible defaults]`` section
      instead of the static :file:`ansible/inventory/` path.

    - The variables in various DebOps roles that define filesystem paths have been
      switched from using the ``ansible_local.root.*`` Ansible local facts to the
      new ``ansible_local.fhs.*`` facts defined by the :ref:`debops.fhs` role. The
      new facts use the same base paths as the old ones; there should be no issues
      if the variables have not been modified through Ansible inventory.

      If you have redefined any ``core__root_*`` variables in the Ansible
      inventory to modify the filesystem paths used by DebOps roles, you will need
      to update the configuration. See the :ref:`debops.fhs` role documentation
      for details.

    - The use of ``ansible_local.core.fqdn`` and ``ansible_local.core.domain``
      local facts in roles to define the host DNS domain and FQDN has been
      removed; the roles will use the ``ansible_fqdn`` and ``ansible_domain``
      facts directly. This is due to issues with the :ref:`debops.core` local
      facts not updating when the host's domain is changed and causing the roles
      to use wrong domain names in configuration.

    :ref:`debops.cran` role
    '''''''''''''''''''''''

    - The custom ``cran`` Ansible module used by the role has been moved to the
      :ref:`debops.ansible_plugins` role to allow it to be used via Ansible
      Collection system, which requires all plugins to be centralized.

    :ref:`debops.etc_aliases` role
    ''''''''''''''''''''''''''''''

    - The custom filter plugin used by the role has been moved to the
      :ref:`debops.ansible_plugins` role to allow it to be used via Ansible
      Collection system, which requires all plugins to be centralized.

    :ref:`debops.golang` role
    '''''''''''''''''''''''''

    - On Debian Buster, Golang APT packages from the ``buster-backports`` APT
      repository will be preferred instead of their Buster version. This allows
      for installation of applications that depend on a newer Go runtime
      environment, like GitLab or MinIO.

    :ref:`debops.lxd` role
    ''''''''''''''''''''''

    - The support for the LXC containers managed by the :ref:`debops.lxc` role
      will be applied on the host when LXD is configured, due to the build
      dependency on the ``lxc`` APT package. In this case, the ``lxcbr0`` network
      bridge will not be configured by default.

    :ref:`debops.mosquitto` role
    ''''''''''''''''''''''''''''

    - Update the role for Debian Buster. It is no longer necessary to install
      Python packages outside of the system package management.

    :ref:`debops.nginx` role
    ''''''''''''''''''''''''

    - TLSv1.3 is now enabled by default for nginx version 1.13.0 and up.

    :ref:`debops.nullmailer` role
    '''''''''''''''''''''''''''''

    - The Nullmailer smtpd service can now listen on both IPv4 and IPv6 addresses.
      It listens on both loopback addresses by default, where it used to only
      listen on the IPv6 loopback address.

    :ref:`debops.owncloud` role
    '''''''''''''''''''''''''''

    - Support has been added for Nextcloud 17.0 and 18.0.

    :ref:`debops.pki` role
    ''''''''''''''''''''''

    - Use ``inventory_hostname`` variable instead of the ``ansible_fqdn`` variable
      in paths of the directories used to store data on Ansible Controller. This
      decouples the host FQDN and domain name from the certificate management
      tasks in the role.

      .. note:: The role will try to recreate existing X.509 certificates making
                the playbook execution idempotent. Removing the PKI realms and
                recreating them will fix this issue.

    :ref:`debops.postfix` role
    ''''''''''''''''''''''''''

    - The persistent configuration stored on the Ansible Controller has been
      refactored and does not use multiple separate tasks to handle the JSON
      files.

    :ref:`debops.rsyslog` role
    ''''''''''''''''''''''''''

    - The role has been refreshed and uses the custom Ansible filter plugins to
      manage the :command:`rsyslog` configuration files. The default configuration
      was rearranged, the :file:`/etc/rsyslog.conf` configuration file has the
      default contents that come with the Debian package and can be configured by
      the role. The configuration model has been redesigned; any changes in the
      configuration of the role set in the Ansible inventory need to be reviewed
      before applying the new version.

    - The ``rsyslog`` APT package and its service can be cleanly removed from the
      host, either via the role or by uninstalling the package itself.

    Removed
    ~~~~~~~
    
    :ref:`debops.console` role
    ''''''''''''''''''''''''''
    
    - The local and NFS mount support has been removed from the
      :ref:`debops.console` role. Local mounts can be managed using the
      :ref:`debops.mount` role; NFS mounts can be managed by the :ref:`debops.nfs`
      role.
    
    :ref:`debops.core` role
    '''''''''''''''''''''''
    
    - The ``ansible_local.uuid`` local fact and corresponding variables and tasks
      have been removed from the role. A replacement fact, ``ansible_machine_id``,
      is an Ansible built-in.

    - The ``ansible_local.init`` fact has been removed from the role. A native
      ``ansible_service_mgr`` Ansible fact is its replacement.

    - The ``ansible_local.cap12s`` fact has been removed from the role. A native
      set of Ansible facts (``ansible_system_capabilities``,
      ``ansible_system_capabilities_enforced``) can be used as a replacement.
    
    - The :file:`root.fact` script, corresponding variables and documentation have
      been removed from the role. This functionality is now managed by the
      :ref:`debops.fhs` role.
    
    - The ``ansible_local.core.fqdn`` and ``ansible_local.core.domain`` local facts
      and their corresponding default variables have been removed from the role. In
      their place, ``ansible_fqdn`` and ``ansible_domain`` facts should be used
      instead.
    
    :ref:`debops.ntp` role
    ''''''''''''''''''''''
    
    - The timezone configuration has been moved from the :ref:`debops.ntp` role to
      the :ref:`debops.tzdata` role.
    
    :ref:`debops.nullmailer` role
    '''''''''''''''''''''''''''''
    
    - The script and :command:`dpkg` hook that cleaned up the additional files
      maintained by the role have been removed; the :ref:`debops.dpkg_cleanup`
      role will be used for this purpose instead.
    
    Fixed
    ~~~~~
    
    General
    '''''''
    
    - Fix `an issue with Ansible Collections`__ where roles used via the
      ``include_role`` Ansible module broke due to the split into multiple
      collections. All roles will now have the ``debops.debops`` collection
      included by default in the :file:`meta/main.yml` file to tell Ansible where
      to look for dependent roles.
    
      .. __: https://github.com/ansible/ansible/issues/67723
    
    - Fix an issue with the collection creation script where the role files that
      contained multiple uses of a particular custom Ansible plugin, for example
      ``template_src`` or ``file_src``, were modified multiple times by the script.
    
    :ref:`debops.apt` role
    ''''''''''''''''''''''
    
    - Fix BeagleBoards detection with Debian 10 image.
      Tested with a BeagleBoards Black.
    
    :ref:`debops.cron` role
    '''''''''''''''''''''''
    
    - Fix creation of empty environment variables in :command:`cron` configuration
      files managed by Ansible.
    
    :ref:`debops.dnsmasq` role
    ''''''''''''''''''''''''''
    
    - :envvar:`dnsmasq__public_dns` did not create a firewall allow rule when no
      interfaces were specified.
    
    :ref:`debops.ferm` role
    '''''''''''''''''''''''
    
    - Fixed incorrect removal of the ferm rule set by :ref:`debops.avahi` on
      IPv6-enabled systems.
    
    :ref:`debops.gitlab_runner` role
    ''''''''''''''''''''''''''''''''
    
    - Don't re-create removed :file:`/etc/machine-id` contents during Vagrant box
      creation. This should fix issues with IP addresses received from DHCP by the
      Vagrant machines.
    
      .. warning:: This fix is applied using the :command:`patch` command on the
                   files packaged by APT. Existing installations will have to be
                   updated manually; alternatively, the changes applied previously
                   should be removed from the affected files before the role is
                   applied. See the patch files in the role :file:`files/patches/`
                   directory for more information.
    
    - The GitLab package repository signing key has been replaced with the new key
      that has been in use since 2020-04-06, allowing APT to update package lists
      again. See the `GitLab.com blog`__ for more information about this change.
    
      .. __: https://about.gitlab.com/releases/2020/03/30/gpg-key-for-gitlab-package-repositories-metadata-changing/
    
    :ref:`debops.minio` role
    ''''''''''''''''''''''''
    
    - Fix an issue during installation of recent MinIO releases, where during an
      initial restart the MinIO service would switch into "safe mode" when
      a problem with configuration is detected; this would prevent the service
      from being restarted correctly. Now the service should be properly stopped
      by :command:`systemd` after a stop timeout.
    
    :ref:`debops.netbase` role
    ''''''''''''''''''''''''''
    
    - Use a short timeout for DNS queries performed by the Ansible local fact
      script, in case the DNS infrastructure is not configured. This avoids 60s
      timeouts during Ansible fact gathering in such cases.
    
    :ref:`debops.nginx` role
    ''''''''''''''''''''''''
    
    - The role now always sets the HTTP Strict Transport Security header when it is
      enabled, regardless of the response code.
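
A check for the gap this fix closes, as an added example (not DebOps code): nginx's ``add_header`` directive only emits a header for a fixed set of success and redirect status codes unless the ``always`` parameter is given, so error responses go out without HSTS. The sketch assumes the fix corresponds to that parameter; the sample configuration and the function names are constructed for illustration.

```python
import re
import shlex

# Status codes for which nginx emits add_header headers when "always" is absent
# (documented behaviour of ngx_http_headers_module).
NGINX_DEFAULT_CODES = frozenset({200, 201, 204, 206, 301, 302, 303, 304, 307, 308})

# Match an add_header directive; quoted arguments may contain ';'.
ADD_HEADER = re.compile(
    r"""^[ \t]*add_header\s+((?:"[^"]*"|'[^']*'|[^;"'])+);""", re.MULTILINE)

# Constructed sample configuration, not taken from the DebOps templates.
SAMPLE = '''\
server {
    listen 443 ssl;
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
}
server {
    listen 443 ssl;
    add_header Strict-Transport-Security "max-age=15768000" always;
}
'''


def find_hsts(config):
    """Return (line_number, has_always) for every HSTS add_header directive."""
    found = []
    for match in ADD_HEADER.finditer(config):
        args = shlex.split(match.group(1))
        if not args or args[0].lower() != "strict-transport-security":
            continue
        line = config.count("\n", 0, match.start()) + 1
        found.append((line, len(args) == 3 and args[2] == "always"))
    return found


def uncovered_statuses(config, statuses=(200, 301, 404, 500)):
    """Map each HSTS directive's line to the statuses served without the header."""
    return {
        line: [s for s in statuses if not (always or s in NGINX_DEFAULT_CODES)]
        for line, always in find_hsts(config)
    }


if __name__ == "__main__":
    for line, missing in uncovered_statuses(SAMPLE).items():
        print(f"line {line}: HSTS missing on {missing or 'no tested status'}")
```

Run against a rendered site configuration, any directive reported with a non-empty list is one where 4xx/5xx responses are served without the header.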
    
    :ref:`debops.postgresql_server` role
    ''''''''''''''''''''''''''''''''''''
    
    - In the :command:`autopostgresqlbackup` script, use the
      :command:`su - postgres` command instead of the :command:`su postgres`
      command to start a login shell and switch to the correct home directory of
      the ``postgres`` user instead of staying in the :file:`/root/` home
      directory.  This avoids the issue during execution of the script via
      :command:`cron` where it would emit errors about not being able to change to
      the :file:`/root/` home directory due to the permissions.
    
    :ref:`debops.roundcube` role
    ''''''''''''''''''''''''''''
    
    - Use the Roundcube version from Ansible local facts instead of the one defined
      in role default variables to detect if a database migration is required after
      the Roundcube :command:`git` repository is updated.
    
    :ref:`debops.slapd` role
    ''''''''''''''''''''''''
    
    - Move the Private Enterprise Number and LDAP namespace OIDs of the DebOps
      organization to a separate :file:`debops.schema` file to avoid duplicated
      OIDs in the ``cn=schema`` LDAP subtree.
    
      Existing installations might need to be recreated to avoid warnings about
      duplicate OIDs emitted during OpenLDAP operations.