DebOps v2.2.0 Release Notes

Release Date: 2021-01-31
.. _debops v2.2.0: https://github.com/debops/debops/compare/v2.1.0...v2.2.0

    ➕ Added

    
    🆕 New DebOps roles
    ''''''''''''''''''''
    
    - The :ref:`debops.dhcrelay` role can be used to manage the ISC DHCP Relay
      Agent, which forwards DHCP traffic between networks. This role replaces the
      dhcrelay functionality in :ref:`debops.dhcpd`.
    
    - The :ref:`debops.global_handlers` Ansible role provides a central place to
      maintain handlers for other Ansible roles. Keeping them centralized allows
      Ansible roles to use handlers from different roles without including them
      entirely in the playbook.
    
    - 🔧 The :ref:`debops.filebeat` role can be used to install and configure
      `Filebeat`__, a log shipping agent from Elastic, part of the Elastic Stack.
    
      .. __: https://www.elastic.co/beats/filebeat
    
    General
    '''''''
    
    - The :file:`tools/reboot.yml` playbook can be used to reboot DebOps hosts
      even if they are secured by the ``molly-guard`` package.
    
    - The code in the DebOps monorepo is now checked using `GitHub Actions`__,
      which will replace Travis-CI. Thank you, Travis, for years of service. :)
    
      .. __: https://github.com/features/actions
    
    LDAP
    ''''
    
    - The :ref:`next available UID and GID values <ldap__ref_next_uid_gid>` can now
      be tracked using special LDAP objects in the directory. These can be used by
      the client-side account and group management applications to easily allocate
      unique UID/GID numbers for newly created accounts and groups.
    
      The objects will be created automatically with the next available UID/GID
      values by the :file:`ldap/init-directory.yml` playbook. In existing
      environments users might want to create them manually to ensure that the
      correct ``uidNumber`` and ``gidNumber`` values are stored instead of the
      default ones which might already be allocated.
    
    - The ``root`` UNIX account will now have full write access to the main
      directory via the ``ldapi://`` external authentication and can create and
      modify the LDAP objects and their attributes. This is required so that the
      :ref:`debops.slapd` role can initialize the directory tree and create/remove
      the ACL test objects as needed.
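The allocation pattern these counter objects enable, as an added example that is not DebOps code: read the counter, then delete the value you read and add the incremented value in a single LDAP Modify request. The server applies both changes atomically and rejects the whole request with noSuchAttribute if another client already bumped the counter, so the request acts as a compare-and-swap and two clients can never be handed the same UID. The counter DN and the attribute name below are assumptions, and a small in-process stand-in replaces slapd so the code runs offline; the two-change Modify is the same one you would send to the real directory.

```python
"""Race-free allocation of the next free uidNumber from an LDAP counter object.

Added example, not DebOps code. The DN of the counter object is an assumption;
only the fact that DebOps keeps the next free UID/GID values in dedicated
directory objects with uidNumber/gidNumber attributes comes from the release
notes. The LDAP property the pattern relies on is real: a single Modify request
carrying several changes is applied atomically by the server and fails as a
whole if any change cannot be applied.
"""

import threading

NO_SUCH_ATTRIBUTE = 16  # LDAP resultCode for noSuchAttribute


class LdapError(Exception):
    def __init__(self, code, message):
        super().__init__(message)
        self.code = code


class FakeDirectory:
    """Minimal stand-in for slapd: entries are dicts of attribute -> set of values.

    modify() mimics the server-side semantics that matter here: all changes in
    one request are checked and applied under a single lock, and deleting a
    value that is not present fails the whole request with noSuchAttribute,
    leaving the entry untouched.
    """

    def __init__(self, entries):
        self._entries = {dn: {k: set(v) for k, v in attrs.items()}
                         for dn, attrs in entries.items()}
        self._lock = threading.Lock()

    def search_attr(self, dn, attr):
        with self._lock:
            return set(self._entries[dn].get(attr, set()))

    def modify(self, dn, changes):
        # changes: list of (op, attr, value) with op in {"delete", "add"}
        with self._lock:
            entry = self._entries[dn]
            staged = {k: set(v) for k, v in entry.items()}
            for op, attr, value in changes:
                values = staged.setdefault(attr, set())
                if op == "delete":
                    if value not in values:
                        raise LdapError(NO_SUCH_ATTRIBUTE,
                                        f"{attr}: no such value {value!r}")
                    values.remove(value)
                elif op == "add":
                    values.add(value)
                else:
                    raise ValueError(op)
            entry.clear()
            entry.update(staged)


# Assumed counter object; the DN DebOps uses may differ.
COUNTER_DN = "cn=Next POSIX UID,ou=System,dc=example,dc=org"


def allocate_uid(directory, dn=COUNTER_DN, attr="uidNumber", retries=100):
    """Return a UID nobody else can receive, bumping the counter atomically.

    A worker loses a round only when another worker succeeded between its read
    and its Modify, so the number of retries needed is bounded by the number of
    concurrent allocators.
    """
    for _ in range(retries):
        current = int(next(iter(directory.search_attr(dn, attr))))
        try:
            directory.modify(dn, [
                ("delete", attr, str(current)),   # fails if someone raced us
                ("add", attr, str(current + 1)),
            ])
        except LdapError as exc:
            if exc.code == NO_SUCH_ATTRIBUTE:
                continue  # stale read: somebody else took `current`, re-read
            raise
        return current
    raise RuntimeError("could not allocate a UID, too much contention")


def allocate_concurrently(start=10000, workers=50):
    """Run many allocators in parallel and return the sorted UIDs handed out."""
    directory = FakeDirectory({COUNTER_DN: {"uidNumber": {str(start)}}})
    results, lock = [], threading.Lock()

    def worker():
        uid = allocate_uid(directory)
        with lock:
            results.append(uid)

    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sorted(results)


if __name__ == "__main__":
    uids = allocate_concurrently()
    assert len(uids) == len(set(uids)), "duplicate UID handed out"
    print(f"allocated {len(uids)} unique UIDs: {uids[0]}..{uids[-1]}")
```

Against a real server the same change list goes to :command:`ldapmodify` or to a client library's modify call; the retry-on-noSuchAttribute loop is the part that matters, because reading the counter and then writing ``current + 1`` in a separate request reintroduces exactly the duplicate-UID race the counter objects exist to prevent.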
    
    :ref:`debops.apt` role
    ''''''''''''''''''''''
    
    - The role facts now include the main APT architecture (``amd64``, for example)
      and a list of foreign architectures if any are enabled. The
      ``ansible_local.apt.architecture`` fact can be used in other roles that need
      that information.
    
    :ref:`debops.apt_install` role
    ''''''''''''''''''''''''''''''
    
    - 📦 The role now installs CPU microcode packages on physical hosts by default.
      These firmware updates correct CPU behaviour and mitigate vulnerabilities like
      Spectre and Meltdown. You still need to take measures to protect your virtual
      machines; for this, take a look at the `QEMU documentation`__.
    
      .. __: https://www.qemu.org/docs/master/system/target-i386.html#important-cpu-features-for-intel-x86-hosts
    
    :ref:`debops.icinga` role
    '''''''''''''''''''''''''
    
    - 🔧 The role can now create Icinga configuration on the Icinga "master" node via
      task delegation. This can be useful in centralized environments without
      Icinga Director support.
    
    :ref:`debops.lvm` role
    ''''''''''''''''''''''
    
    - 🔧 Default LVM2 configuration for Debian Stretch and Buster has been added.
    
    :ref:`debops.owncloud` role
    '''''''''''''''''''''''''''
    
    - ⬆️ Drop Nextcloud 16, 17 and 18 support because they are EOL. You need to
      upgrade Nextcloud manually if you are running version 18 or below. The
      role now defaults to Nextcloud 19 for new installations.
    
    :ref:`debops.postgresql` role
    '''''''''''''''''''''''''''''
    
    - 🚚 The role can now drop PostgreSQL databases and remove roles when their state
      is set to ``absent`` in the Ansible inventory.
    
    :ref:`debops.resources` role
    ''''''''''''''''''''''''''''
    
    - 👌 Support manipulating file privileges using the Linux
      :manpage:`capabilities(7)` with the help of the Ansible capabilities
      module.
    
    :ref:`debops.roundcube` role
    ''''''''''''''''''''''''''''
    
    - 0️⃣ The role will enable more plugins by default: ``help``, ``markasjunk``,
      ``password`` (only with LDAP).
    
    - 0️⃣ Roundcube will offer local spell checking support by default with the
      ``Enchant`` library. English is supported by default; more languages can
      be added via Ansible inventory.
    
    :ref:`debops.slapd` role
    ''''''''''''''''''''''''
    
    - 👌 Support for the dynamic LDAP groups maintained by the
      :ref:`slapd__ref_autogroup_overlay` has been implemented in the role. Debian
      Buster or newer is recommended for this feature to work properly.
    
    - A set of `FreeRADIUS`__ LDAP schema has been added to the role. RADIUS
      Profiles, Clients and FreeRADIUS DHCP configuration can be stored in the LDAP
      directory managed by DebOps and used by the :ref:`debops.freeradius` Ansible
      role.
    
      .. __: https://freeradius.org/
    
    - 👌 Support for empty LDAP groups has been added via the :ref:`groupOfEntries
      schema <slapd__ref_groupofentries>` with a corresponding ``memberOf``
      overlay. This change modifies the order of existing overlays in the LDAP
      database, which means that the directory server will have to be rebuilt.
    
    - New :ref:`orgstructure schema <slapd__ref_orgstructure_schema>` provides the
      ``organizationalStructure`` LDAP object class which is used to define the
      base directory objects, such as ``ou=People``, ``ou=Groups``, etc.
    
    - Members of the ``cn=LDAP Administrator`` LDAP role can now manage the server
      configuration stored in the ``cn=config`` LDAP subtree.
    
    :ref:`debops.sysctl` role
    '''''''''''''''''''''''''
    
    - The role can now be enabled or disabled conditionally via Ansible inventory.
      This might be required in certain cases, for example LXD containers or
      systems protected with AppArmor rules, which make the :file:`/proc/sys/`
      directory read-only.
    
    🔄 Changed
    

    ⚡️ Updates of upstream application versions
    ''''''''''''''''''''''''''''''''''''''''''''

    - In the :ref:`debops.ipxe` role, the Debian Stretch and Debian Buster
      netboot installer versions have been updated to their next point releases,
      9.13 and 10.7 respectively.

    - In the :ref:`debops.roundcube` role, the Roundcube version installed by
      default has been updated to 1.4.10.

    - In the :ref:`debops.owncloud` role, the Nextcloud version installed by
      default has been updated to v19.0.

    - 0️⃣ In the :ref:`debops.phpipam` role, the phpIPAM version installed by
      default has been updated to v1.4.1.

    - ⚡️ In the :ref:`debops.netbox` role, the NetBox version has been updated to
      v2.10.3. The plugin support added in NetBox v2.8.0 can be configured from
      DebOps. The NetBox Request Queue Worker service is configured so that
      background jobs like reports work.

    - 👍 The :ref:`debops.mariadb` and :ref:`debops.mariadb_server` roles now
      support installation of Percona Server/Client v8.0 from upstream APT
      repositories.

    General
    '''''''

    - The ``debops.debops`` role has been renamed to the :ref:`debops.controller`
      role to allow the ``debops__`` variable namespace to be used for global
      variables. All role variables have been renamed along with the role's
      inventory group; you will have to update your inventory.

    - 🚚 Most of the handlers from different DebOps roles have been moved to the
      new :ref:`debops.global_handlers` role to allow for easier cross-role
      handler notification. The role is imported by the roles that rely on
      these handlers.

    - The ``debops-contrib.*`` roles included in the DebOps monorepo have been
      renamed to drop the prefix. This is enforced by the new release of the
      :command:`ansible-lint` linter. These roles are not yet cleaned up and
      integrated with the main playbook.

    - 🚚 The dependency on pyOpenSSL has been removed. This dependency was
      required in Ansible < 2.8.0 because these versions were unable to use the
      ``cryptography`` module, but DebOps is nowadays developed against Ansible
      2.9. pyOpenSSL was used only to generate private RSA keys for the
      :ref:`debops.opendkim` role. Switching to ``cryptography`` is also a
      security precaution and the Python Cryptographic Authority `recommends`__
      doing so.

      .. __: https://github.com/pyca/cryptography/blob/master/docs/faq.rst#why-use-cryptography

    LDAP
    ''''

    - The :ref:`LDAP-POSIX integration <ldap__ref_posix>` can now be disabled
      using a default variable. This will disable LDAP support in the POSIX
      environment and specific services (user accounts, PAM, :command:`sshd`,
      :command:`sudo`) while leaving higher-level services unaffected.

    - 🚚 The LDAP directory structure creation has been moved from the separate
      :file:`ansible/playbooks/ldap/init-directory.yml` playbook into the
      :ref:`debops.slapd` role to allow for better ACL testing. The playbook is
      still used for administrator account creation.

    - The base directory objects created by the :ref:`debops.slapd` role
      (``ou=People``, ``ou=Groups``, etc.) as well as by other DebOps roles
      (:ref:`debops.dokuwiki`, :ref:`debops.ldap`, :ref:`debops.postldap`)
      changed their structural object class from ``organizationalUnit`` to
      ``organizationalStructure``. Existing directories should not be affected
      by this change, but users might want to update them using the
      :ref:`backup and restore procedure <slapd__ref_backup_restore>` to allow
      for more extensive ACL rules in the future.

    :ref:`debops.core` role
    '''''''''''''''''''''''

    - The fact script will generate the list of private e-mail addresses used to
      send administrative mail notifications based on the list of admin accounts
      and the detected domain of the host; this can be overridden via the
      :envvar:`core__admin_private_email` variable. The change is done to avoid
      sending mail messages to 'account-only' addresses on hosts without local
      mail support.

    :ref:`debops.dhcpd` role
    ''''''''''''''''''''''''

    - 👍 The :ref:`debops.dhcpd` role has been largely rewritten in order to
      support both IPv4 and IPv6 on the same server, and to modernize many
      aspects of the role.

    - 🚚 The DHCP Relay Agent functionality has been moved to
      :ref:`debops.dhcrelay`.

    🐳 :ref:`debops.docker_server` role
    ''''''''''''''''''''''''''''''''''''

    - 0️⃣ The role's virtual environment is no longer created by default when
      :envvar:`docker_server__upstream` is ``False``. This does not impact
      existing virtualenvs. You can remove
      :file:`/usr/local/lib/docker/virtualenv` yourself if you like.

    :ref:`debops.etckeeper` role
    ''''''''''''''''''''''''''''

    - 0️⃣ The role now installs :command:`etckeeper` on all hosts by default, not
      just on hosts that have a Python 2 environment. :command:`etckeeper` is
      also installed from ``buster-backports`` instead of the main Debian 10
      repository.

    :ref:`debops.fhs` role
    ''''''''''''''''''''''

    - 0️⃣ The role will create the :file:`/srv/www/` directory by default to
      allow for home directories used by web applications.

    :ref:`debops.gitlab` role
    '''''''''''''''''''''''''

    - The :command:`systemd` services no longer require Redis to be installed on
      the same host as GitLab itself.

    - 👌 Improved support for GitLab Pages, including optional access control
      and fixed configuration of the :command:`systemd` service.

    :ref:`debops.grub` role
    '''''''''''''''''''''''

    - The role will now activate both the serial console and the (previously
      disabled) native platform console when :envvar:`grub__serial_console` is
      ``True``.

    :ref:`debops.icinga_web` role
    '''''''''''''''''''''''''''''

    - 🔧 The role now automatically configures LDAP user and group support.

    - 🔧 The role will install and configure the `Icinga Certificate
      Monitoring`__ module.

      .. __: https://icinga.com/docs/icinga-certificate-monitoring/latest/

    :ref:`debops.lvm` role
    ''''''''''''''''''''''

    - 🐧 Linux Software RAID devices are now scanned by default.

    :ref:`debops.lxd` role
    ''''''''''''''''''''''

    - During installation, the role will enable trust for GitHub's GPG signing
      key to allow for verification of the LXD source code. Check the
      :ref:`lxd__ref_install_details` section for more information.

    :ref:`debops.nginx` role
    ''''''''''''''''''''''''

    - ⚡️ The default SSL configuration used by the role has been updated to bring
      it up to modern standards. By default only the TLSv1.2 and TLSv1.3
      protocols are enabled, along with an improved set of ciphers. The HTTP
      Strict Transport Security max-age has been increased from 6 months to 2
      years. The configuration is based on the intermediate `Mozilla SSL
      recommendations`__ to support a wide range of possible clients.

      .. __: https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&guideline=5.6

    - 🔧 The server can be configured to support the TLSv1.3 protocol only using
      the :envvar:`nginx_default_tls_protocols` variable, which will disable
      the use of custom Diffie-Hellman parameters and allow the HTTPS clients to
      select their own preferred ciphers to use for connections. The preferred
      set of ciphers will also change to the Mozilla `modern`__ variant. Keep
      in mind that not all clients support this configuration.

      .. __: https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=modern&openssl=1.1.1d&guideline=5.6

    :ref:`debops.postfix` role
    ''''''''''''''''''''''''''

    - 🔧 Postfix :file:`main.cf` configuration overrides are now written to the
      :file:`master.cf` configuration file using the 'long form' notation
      supported since Postfix 3.0. This allows specifying parameter values that
      contain whitespace.

    - 0️⃣ The `DSN command`__ is now disabled by default. DSN (:rfc:`3464`) gives
      senders control over successful and failed delivery status notifications.
      This allows spammers to learn about an organization's internal mail
      infrastructure, and gives them the ability to confirm that an address is
      in use. When DSN support is disabled, Postfix will still let the SMTP
      client know that their message has been received as part of the SMTP
      transaction; they just will not get successful delivery notices from your
      internal systems.

      .. __: http://www.postfix.org/DSN_README.html

    - 0️⃣ The `ETRN command`__ is now disabled by default. ETRN, also known as
      Remote Message Queue Starting (:rfc:`1985`), was designed for sites that
      have intermittent Internet connectivity, but is rarely used nowadays.

    .. __: http://www.postfix.org/ETRN_README.html
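A quick way to confirm that neither extension is still advertised after the change, as an added example that is not part of DebOps: parse the server's EHLO reply and list the keywords that should be gone. The two replies below are constructed for the example rather than captured from a real server; ``check_server()`` performs the same check against a live host with the standard library and is only meant for manual use.

```python
"""Report which unwanted SMTP extensions a server still advertises after EHLO.

Added example, not DebOps code. The sample replies are constructed, one keyword
per line in the shape smtplib hands back (domain first, "250-" prefixes already
stripped); the raw wire format with "250-"/"250 " prefixes is accepted as well.
"""

import smtplib

# Constructed EHLO replies: before and after DSN/ETRN were switched off.
BEFORE = (b"mail.example.org\nPIPELINING\nSIZE 10240000\nETRN\nSTARTTLS\n"
          b"ENHANCEDSTATUSCODES\n8BITMIME\nDSN\nCHUNKING")
AFTER = (b"mail.example.org\nPIPELINING\nSIZE 10240000\nSTARTTLS\n"
         b"ENHANCEDSTATUSCODES\n8BITMIME\nCHUNKING")

# Extensions the release notes say are now off by default.
UNWANTED = ("DSN", "ETRN")


def parse_ehlo(reply):
    """Return the set of EHLO keywords (upper-cased, parameters dropped).

    Accepts either smtplib's joined message (bytes or str) or a raw multi-line
    250 reply; the first line is the server's domain and is skipped.
    """
    if isinstance(reply, bytes):
        reply = reply.decode("ascii", "replace")
    keywords = set()
    for index, line in enumerate(reply.splitlines()):
        if line[:3] == "250" and line[3:4] in ("-", " "):  # raw wire format
            line = line[4:]
        line = line.strip()
        if index == 0 or not line:
            continue
        keywords.add(line.split()[0].upper())
    return keywords


def unwanted_extensions(reply):
    """Sorted list of UNWANTED keywords still present in the reply."""
    return sorted(k for k in parse_ehlo(reply) if k in UNWANTED)


def check_server(host, port=25, timeout=10):
    """Live variant: EHLO a real server and return its unwanted extensions."""
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        code, message = smtp.ehlo()
        if code != 250:
            raise RuntimeError(f"EHLO rejected: {code} {message!r}")
        return unwanted_extensions(message)


if __name__ == "__main__":
    for label, reply in (("before", BEFORE), ("after", AFTER)):
        print(f"{label}: still advertised {unwanted_extensions(reply)}")
```

Postfix hides keywords from the EHLO reply through its ``smtpd_discard_ehlo_keywords`` parameter; the page does not say which parameter the role sets, so treat that as general Postfix knowledge rather than a description of the role.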

    :ref:`debops.resolvconf` role
    '''''''''''''''''''''''''''''

    - 🚚 The ``domain``, ``nameservers`` and ``search`` variables have been
      removed from the ``resolvconf`` Ansible local facts script. You are
      encouraged to use the ``ansible_domain``, ``ansible_dns.nameservers`` and
      ``ansible_dns.search`` variables instead.

    :ref:`debops.slapd` role
    ''''''''''''''''''''''''

    - The role will set up an additional instance of the ``memberof`` OpenLDAP
      overlay to update role membership in the ``organizationalRole`` LDAP
      objects. This change modifies the list of overlays and will require
      re-initialization of the OpenLDAP directory.

    - 🆕 New equality indexes have been added to the :command:`slapd` service:
      ``roleOccupant``, ``memberOf`` and ``employeeNumber``.

    - The :file:`eduperson.schema` LDAP schema has been extended with additional
      attributes not present in the official specification. The new schema will
      not be applied automatically on existing installations.

    - In the OpenLDAP ACL rules, authenticated object owners can now
      re-authenticate themselves using the ``userPassword`` attribute. This is
      needed for the LDAP Password Modify Extended Operation (:rfc:`3062`) to
      work correctly in Roundcube.

    - In the :file:`mailservice.schema` LDAP schema, the ``mailACLGroups``
      attribute has been renamed to ``mailGroupACL`` since this seems to be the
      name used by different applications like Dovecot and Roundcube.

      This change will not be applied automatically in existing LDAP
      directories; they will need to be rebuilt to apply the new schema.

    - The role will install a modified :ref:`OpenSSH-LPK schema
      <slapd__ref_openssh_lpk>` instead of the version from the FusionDirectory
      project, to add support for storing SSH public key fingerprints in the
      LDAP directory. Existing installations shouldn't be affected.

    - ✅ The :command:`slapacl` test map with additional object RDNs has been
      redesigned into a list of test LDAP objects which can be created or
      removed by the role as needed. They will not be added to the directory by
      default and can be enabled via Ansible inventory.

    - 👍 The support for OpenLDAP monitoring is improved. The ``root`` UNIX
      account as well as members of the "LDAP Administrator" and "LDAP Monitor"
      roles can now read the ``cn=Monitor`` information.

    ✂ Removed

    
    :ref:`debops.ldap` role
    '''''''''''''''''''''''
    
    - Creation of various LDAP directory objects (``ou=People``, ``ou=Groups``,
      ...) has been removed from the default list of LDAP tasks performed by the
      role. These objects are now automatically created by the :ref:`debops.slapd`
      role. The :ref:`debops.ldap` role will still ensure that all LDAP objects
      needed to maintain the hosts' directory information are present.
    
    🛠 Fixed
    

    General
    '''''''

    - 🛠 Fixed an issue where the :command:`debops` scripts did not expand the
      :file:`~/` prefix of file and directory paths in user home directories.

    - 🛠 Fixed an issue with custom lookup plugins (:file:`task_src`,
      :file:`file_src`, :file:`template_src`) which resulted in Ansible 2.10 not
      finding them correctly.

    LDAP
    ''''

    - The :file:`ldap/init-directory.yml` playbook will correctly initialize the
      LDAP directory when the local UNIX account does not have any GECOS
      information.

    :ref:`debops.apt` role
    ''''''''''''''''''''''

    - 🛠 Fixed an issue where the role would attempt to add APT keys from a PGP
      keyserver without installing the :command:`gnupg` package first.

    :ref:`debops.dokuwiki` role
    '''''''''''''''''''''''''''

    - 🚚 A few custom DokuWiki plugins will be removed if installed, and will
      not be installed anymore, due to issues with the newest DokuWiki release.
      Affected plugins: ``advrack``, ``rst``, ``gitlab``, ``ghissues``.

    - 🔌 Ensure that the ``authldap`` DokuWiki plugin is enabled when LDAP
      support is configured by the role.

    :ref:`debops.etherpad` role
    '''''''''''''''''''''''''''

    - 🛠 Fixed the installation of Etherpad with the PostgreSQL backend by
      removing unused dependent variables.

    :ref:`debops.fail2ban` role
    '''''''''''''''''''''''''''

    - 🛠 Fixed the configuration support on Ubuntu Focal, broken by ``bantime``
      feature changes in :command:`fail2ban` v0.11.

    :ref:`debops.fcgiwrap` role
    '''''''''''''''''''''''''''

    - The role can now be used in check mode without throwing an
      ``AnsibleFilterError``.

    :ref:`debops.gitlab` role
    '''''''''''''''''''''''''

    - 🛠 Fixed an issue where the ``git`` UNIX account was not added to the
      ``_sshusers`` local group when LDAP support was enabled on the host. This
      prevented the usage of GitLab via SSH.

    :ref:`debops.ifupdown` role
    '''''''''''''''''''''''''''

    - 🔧 Network configuration with bonded interfaces should now be correctly
      applied by the reconfiguration script.

    :ref:`debops.iscsi` role
    ''''''''''''''''''''''''

    - Fixed the uninitialized ``ansible_local.iscsi.discovered_portals`` local
      fact.

    :ref:`debops.ldap` role
    '''''''''''''''''''''''

    - 🛠 Fixed multiple issues with adding hosts to, and updating them in, the
      LDAP directory when these hosts were configured for network bonding.

    :ref:`debops.lvm` role
    ''''''''''''''''''''''

    - 🛠 Fixed an issue where the role would fail in check mode. The role tries
      to simulate creating a filesystem, but this failed when the underlying LVM
      volume did not actually exist (which is to be expected when running in
      check mode).

    - 📚 Made the default behaviour match the documentation: the role now
      automatically takes care of mounting a filesystem on an LVM volume if the
      mount point is specified with ``item.mount``. This previously required
      setting the ``item.fs`` parameter to ``True`` as well.

    :ref:`debops.nginx` role
    ''''''''''''''''''''''''

    - Disabled gzip compression of ``text/vcard`` MIME types. vCards contain, by
      nature, sensitive information and should not be gzipped, to prevent
      successful BREACH attacks.
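A small audit of the settings covered by the TLS change in the Changed section above and by this BREACH fix, as an added example that is not DebOps code: it pulls the relevant directives out of an nginx server block and flags legacy protocols, a missing or short HSTS max-age, and gzip applied to ``text/vcard``. The two server blocks are constructed for the example; the page does not show the exact configuration the role generates, so the directive layout and cipher strings are assumptions.

```python
"""Audit an nginx server block for the TLS/HSTS/BREACH settings discussed above.

Added example, not DebOps code. Both server blocks below are constructed; the
thresholds come from the release notes (TLSv1.2/TLSv1.3 only, HSTS max-age of
two years, no gzip for text/vcard).
"""

import re
import shlex

TWO_YEARS = 2 * 365 * 24 * 3600          # 63072000 seconds, the new HSTS max-age
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
SECRET_BEARING_TYPES = {"text/vcard"}     # compressing these enables BREACH

# Constructed "before" block: legacy protocols, 6-month HSTS, vCards gzipped.
WEAK = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:RC4-SHA';
    add_header Strict-Transport-Security "max-age=15768000" always;
    gzip on;
    gzip_types text/plain text/css text/vcard application/json;
}
"""

# Constructed "after" block matching the intermediate policy described above.
HARDENED = """
server {
    listen 443 ssl http2;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256';
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=63072000" always;
    gzip on;
    gzip_types text/plain text/css application/json;
}
"""

# One simple directive per line; nested blocks and multi-line directives are
# deliberately out of scope for this audit.
_DIRECTIVE = re.compile(r"^\s*([a-z_]+)\s+(.*?)\s*;\s*$", re.M)


def parse_directives(config):
    """Map directive name -> list of argument lists (a directive may repeat)."""
    found = {}
    for name, args in _DIRECTIVE.findall(config):
        found.setdefault(name, []).append(shlex.split(args))
    return found


def hsts_max_age(directives):
    """max-age from the Strict-Transport-Security header, or None if absent."""
    for args in directives.get("add_header", []):
        if len(args) > 1 and args[0].lower() == "strict-transport-security":
            match = re.search(r"max-age=(\d+)", args[1], re.I)
            if match:
                return int(match.group(1))
    return None


def audit(config):
    """Return a sorted list of findings; an empty list means the block passes."""
    directives = parse_directives(config)
    findings = []
    if not directives.get("ssl_protocols"):
        findings.append("ssl_protocols not set (relying on the nginx build default)")
    for args in directives.get("ssl_protocols", []):
        for proto in args:
            if proto not in ALLOWED_PROTOCOLS:
                findings.append(f"legacy protocol enabled: {proto}")
    age = hsts_max_age(directives)
    if age is None:
        findings.append("HSTS header missing")
    elif age < TWO_YEARS:
        findings.append(f"HSTS max-age {age} below {TWO_YEARS}")
    for args in directives.get("gzip_types", []):
        for mime in args:
            if mime in SECRET_BEARING_TYPES:
                findings.append(f"gzip enabled for {mime} (BREACH exposure)")
    return sorted(findings)


if __name__ == "__main__":
    for label, block in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{label}: {audit(block) or 'OK'}")
```

The parser only understands single-line directives, which is enough for the ``ssl_*``, ``add_header`` and ``gzip_types`` lines this change touches; for a full configuration dump, run it on the output of ``nginx -T`` one server block at a time.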

    :ref:`debops.netbox` role
    '''''''''''''''''''''''''

    - 🛠 Fixed initial superuser account creation.

    :ref:`debops.nslcd` role
    ''''''''''''''''''''''''

    - Enabled ``idle_timelimit`` to make sure that connections to the LDAP
      server are properly closed. A disabled or too high ``idle_timelimit``
      causes the LDAP server to time out, resulting in :command:`nslcd` errors
      like "ldap_result() failed: Can't contact LDAP server".

    :ref:`debops.nfs` role
    ''''''''''''''''''''''

    - 0️⃣ Ensure that with default mount options disabled, options specified by
      the user are still added to the configuration.

    :ref:`debops.ntp` role
    ''''''''''''''''''''''

    - Don't try to disable or stop the ``systemd-timesyncd`` service when using
      an alternative NTP service implementation and ``systemd-timesyncd`` is not
      available.

    :ref:`debops.owncloud` role
    '''''''''''''''''''''''''''

    - 🛠 Fixed multiple issues which caused dry runs of the :ref:`debops.owncloud`
      role to incorrectly show pending changes or fail altogether.

    :ref:`debops.php` role
    ''''''''''''''''''''''

    - Set correct APT preferences for the Backports or Sury APT repository for
      the ``libapache2-mod-php*`` APT packages to ensure that the selected
      repository is the same as for the ``php*`` APT packages.

    :ref:`debops.pki` role
    ''''''''''''''''''''''

    - The :command:`acme-tiny` script will be installed from Debian/Ubuntu
      repositories on Debian Buster, Ubuntu Focal and newer OS releases. This
      solves the issue with the upstream :command:`acme-tiny` script having a
      hard-coded ``#!/usr/bin/env python`` shebang, which makes the script
      unusable on hosts without Python 2.7 installed.

      The installation location of the script from upstream is changed from
      :file:`/usr/local/lib/pki/` to :file:`/usr/local/bin/` to leverage the
      ``$PATH`` variable so that the OS version is used without issues. The
      script is now also symlinked into place instead of copied over.

    :ref:`debops.postgresql_server` role
    ''''''''''''''''''''''''''''''''''''

    - Rename the ``wal_keep_segments`` PostgreSQL configuration option to
      ``wal_keep_size`` on PostgreSQL 13 and later to avoid issues with starting
      the database service. You might need to update the inventory configuration
      if you use this parameter.

    - 🛠 Fixed an issue with the role always reporting "changed" state due to
      the ``postgresql_privs`` Ansible module not detecting changes in the
      ``PUBLIC`` PostgreSQL role.

    :ref:`debops.python` role
    '''''''''''''''''''''''''

    - 🚀 The ``python-pip`` APT package will be installed only on older OS
      releases, since it has been removed from newer OS releases like Debian
      Bullseye and Ubuntu Focal.

    :ref:`debops.rsnapshot` role
    ''''''''''''''''''''''''''''

    - 🛠 Fixed an issue which caused dry runs of the :ref:`debops.rsnapshot`
      role to fail.

    :ref:`debops.rsyslog` role
    ''''''''''''''''''''''''''

    - Fixed the forgotten :envvar:`rsyslog__send_permitted_peers` variable which
      defines what server is accepted by the client during TLS handshakes. The
      value will now be defined using the ``streamDriverPermittedPeers``
      parameter in the :command:`rsyslog` configuration.

    :ref:`debops.saslauthd` role
    ''''''''''''''''''''''''''''

    - 🛠 Fixed SMTP AUTH e-mail authentication for satellite hosts. Mail
      messages sent by :command:`nullmailer` and authenticated using LDAP should
      now be accepted by the SMTP server.

    :ref:`debops.slapd` role
    ''''''''''''''''''''''''

    - Modify the :file:`mailservice.schema` LDAP schema so that various
      mail-related attributes do not use the ``mail`` attribute as their
      superior (``SUP``) attribute. This fixes an issue where searching for
      ``mail`` attribute values returned entries with the values present in
      related attributes, for example ``mailForwardTo``, causing problems with
      account lookups.

      This change will require a rebuild of the OpenLDAP directory to be applied
      correctly. The role will not apply the changes on existing installations
      automatically due to the :file:`mailservice.schema` being loaded into the
      database.

    - The :command:`slapd-snapshot` script will now correctly create database
      snapshots when the ``cn=Monitor`` database is disabled or not configured.

    :ref:`debops.snmpd` role
    ''''''''''''''''''''''''

    - Don't create or modify the home directory of the :command:`snmpd` UNIX
      account to avoid issues on Ubuntu 20.04.

    :ref:`debops.system_users` role
    '''''''''''''''''''''''''''''''

    - 🛠 Fixed an issue where the role execution broke if the
      :envvar:`system_users__self_name` variable was set to a UNIX account which
      does not exist on the Ansible Controller, for example ``ansible``. The
      role will now correctly create such UNIX accounts on the remote hosts with
      default GECOS and shell values.

    :ref:`debops.tinc` role
    '''''''''''''''''''''''

    - 🛠 Fixed an issue with Tinc VPN interfaces starting before the general
      host networking is set up and failing to bind to the selected bridge
      interface. The Tinc :command:`systemd` service will wait for the
      ``network-online.target`` unit to start up before activation.

    - 🛠 Fixed an issue with the role where setting the :envvar:`tinc__modprobe`
      variable to ``False`` did not turn off support for loading required kernel
      modules.


Previous changes from v2.1.0

.. _debops v2.1.0: https://github.com/debops/debops/compare/v2.0.0...v2.1.0

    ➕ Added

    
    🆕 New DebOps roles
    ''''''''''''''''''''
    
    - The :ref:`debops.etesync` role allows setting up an `EteSync`__ server.
      EteSync is a cross-platform project to provide secure, end-to-end encrypted,
      and privacy respecting sync for your contacts, calendars and tasks.

      .. __: https://www.etesync.com/
    
    - The :ref:`debops.journald` role can be used to manage the
      :command:`systemd-journald` service, supports configuration of Forward Secure
      Sealing and can configure persistent storage of the log files. The role is
      included by default in the :file:`common.yml` playbook.
    
    - The :ref:`debops.dpkg_cleanup` role can create :command:`dpkg` hooks that
      help clean up custom and diverted files created by other roles when a given
      Debian package is removed. This should aid in cases of multiple roles
      managing services that provide the same functionality.
    
    - 🔧 The :ref:`debops.influxdata` role configures the APT repository and
      repository GPG keys of `InfluxData`__ company, creator of InfluxDB, Telegraf
      and other metric and time series tools.
    
      .. __: https://influxdata.com/
    
    - The :ref:`debops.influxdb_server` and :ref:`debops.influxdb` roles can be
      used to install the InfluxDB time series database service and manage its
      databases and users, respectively.
    
    - The :ref:`debops.fhs` role will be used to define base directory hierarchy
      used by other DebOps roles (previously done by the :ref:`debops.core` role).
      The role is included in the :file:`common.yml` playbook.
    
    - 🔧 The :ref:`debops.tzdata` role manages the host time zone configuration and
      provides the ``ansible_local.tzdata.timezone`` local fact with the time zone
      in the ``Area/Zone`` format. The role is included in the :file:`common.yml`
      playbook.
    
    :ref:`debops.pki` role
    ''''''''''''''''''''''
    
    - The role can now instruct acme-tiny to register an ACME account with one or
      more contact URLs. Let's Encrypt for example uses this information to notify
      you about expiring certificates and emergency revocation.
    
    - The :ref:`debops.dovecot` and :ref:`debops.postfix` roles now include the PKI
      hook scripts which will reload their corresponding services when the X.509
      certificates used by them are changed.
    
    :ref:`debops.postconf` role
    '''''''''''''''''''''''''''
    
    - 🔧 The additional Postfix configuration managed by the role can now be added or
      removed conditionally, controlled by the :envvar:`postconf__deploy_state`
      variable.
    
    :ref:`debops.python` role
    '''''''''''''''''''''''''
    
    - Introduce :envvar:`python__pip_version_check` which defaults to ``False`` to
      disable PIP update checks outside of the system package manager.
      Before, this was not configured by DebOps leaving it at PIP default which
      meant it would check for updates occasionally.
    
    :ref:`debops.resources` role
    ''''''''''''''''''''''''''''
    
    - Add support for the ``access_time`` and ``modification_time`` parameters of
      the Ansible file module to the role.
    
    :ref:`debops.roundcube` role
    ''''''''''''''''''''''''''''
    
    - 🔧 The role can now be configured to install Roundcube from private or internal
      :command:`git` repositories that might contain additional modifications to
      the application code required by some organizations. See the
      :ref:`roundcube__ref_private_repo` section in the documentation for details.
    
    🔄 Changed
    

    ⚡️ Updates of upstream application versions
    ''''''''''''''''''''''''''''''''''''''''''''

    - In the :ref:`debops.ipxe` role, the Debian Stretch and Debian Buster
      netboot installer versions have been updated to their next point releases,
      9.11 and 10.4 respectively.

    - In the :ref:`debops.owncloud` role, the Nextcloud version installed by
      default has been updated to v17.0. The ownCloud version has been updated
      to v10.4.

    - In the :ref:`debops.roundcube` role, the Roundcube version installed by
      default has been updated to v1.4.4.

    - 0️⃣ In the :ref:`debops.lxd` role, the LXD version installed by default has
      been changed to the ``stable-4.0`` branch, which is an LTS release. The
      role uses a :command:`git` branch instead of a specific tagged release to
      bypass a broken LXD `build dependency`__ which is not yet fixed in a
      tagged release.

      .. __: https://github.com/lxc/lxd/issues/7357

    - 🚀 In the :ref:`debops.gitlab` role, the GitLab release installed on Debian
      Buster and newer OS releases is updated to ``12-10-stable``.

      This release requires Golang packages from the ``buster-backports`` APT
      repository, which will be installed by default via the
      :ref:`debops.golang` role. Existing installations need to upgrade the
      Golang packages before the playbook is applied.

    - In the :ref:`debops.ansible` role, Ansible 2.9.x from the
      ``buster-backports`` repository will be installed on Debian Buster by
      default, when backports are enabled.

    - The :ref:`debops.mailman` role has been redesigned and now installs and
      configures Mailman 3.x instead of Mailman 2.x. Read the
      :ref:`mailman__ref_mailman2_migration` guide and the rest of the
      :ref:`debops.mailman` documentation for details.

    Continuous Integration
    ''''''''''''''''''''''

    - 0️⃣ The Vagrant provisioning script will install Ansible from PyPI by
      default. The version included in the current Debian Stable (Buster) is
      too old for the DebOps playbooks and roles.

    General
    '''''''

    - The DebOps Collection published on Ansible Galaxy has been split into
      multiple Collections due to the number of Ansible roles present in DebOps.
      The ``debops.debops`` collection will install additional
      ``debops.rolesXY`` collections automatically via collection dependencies.
      The playbooks have been updated to include the new Collections.

    - The DebOps repository is now compliant with the `REUSE Specification`__.
      `SPDX License Identifiers`__ have been added to the files contained in the
      repository, and valid copyright and license information will be required
      to pass the test suite.

      .. __: https://reuse.software/spec/
      .. __: https://spdx.org/ids

    - In new DebOps environments, Ansible will ignore any missing inventory
      groups using the ``host_pattern_mismatch`` parameter. This will disable
      the "Could not match supplied host pattern" warning message present in
      most of the playbooks included in DebOps. To disable this message in an
      existing environment, add in the :file:`.debops.cfg` configuration file:

      .. code-block:: ini

         [ansible inventory]
         host_pattern_mismatch = ignore

    - The :command:`debops` script will now use the Ansible inventory path
      defined in the ``[ansible defaults]`` section of the :file:`.debops.cfg`
      configuration file instead of the static :file:`ansible/inventory/` path.

    - The variables in various DebOps roles that define filesystem paths have
      been switched from using the ``ansible_local.root.*`` Ansible local facts
      to the new ``ansible_local.fhs.*`` facts defined by the :ref:`debops.fhs`
      role. The new facts use the same base paths as the old ones; there should
      be no issues if the variables have not been modified through Ansible
      inventory.

      If you have redefined any ``core__root_*`` variables in the Ansible
      inventory to modify the filesystem paths used by DebOps roles, you will
      need to update the configuration. See the :ref:`debops.fhs` role
      documentation for details.

    - The use of the ``ansible_local.core.fqdn`` and
      ``ansible_local.core.domain`` local facts in roles to define the host DNS
      domain and FQDN has been removed; the roles will use the ``ansible_fqdn``
      and ``ansible_domain`` facts directly. This is due to issues with the
      :ref:`debops.core` local facts not updating when the host's domain is
      changed, causing the roles to use wrong domain names in the configuration.

    :ref:`debops.cran` role
    '''''''''''''''''''''''

    - 🚚 The custom ``cran`` Ansible module used by the role has been moved to
      the :ref:`debops.ansible_plugins` role to allow it to be used via the
      Ansible Collection system, which requires all plugins to be centralized.

    :ref:`debops.etc_aliases` role
    ''''''''''''''''''''''''''''''

    - 🚚 The custom filter plugin used by the role has been moved to the
      :ref:`debops.ansible_plugins` role to allow it to be used via the Ansible
      Collection system, which requires all plugins to be centralized.

    :ref:`debops.golang` role
    '''''''''''''''''''''''''

    - 📦 On Debian Buster, Golang APT packages from the ``buster-backports`` APT
      repository will be preferred instead of their Buster version. This allows
      for installation of applications that depend on a newer Go runtime
      environment, like GitLab or MinIO.

    :ref:debops.lxd role ''''''''''''''''''''''

    • 👍 The support for the LXC containers managed by the :ref:debops.lxc role will be applied on the host when the LXD is configured, due to the build dependency on the lxc APT package. In this case, the lxcbr0 network bridge will not be configured by default.

    :ref:debops.mosquitto role ''''''''''''''''''''''''''''

    • ⚡️ Update the role for Debian Buster. No need anymore to install Python packages outside of the system package management.

    :ref:debops.nginx role ''''''''''''''''''''''''

    • 0️⃣ TLSv1.3 is now enabled by default for nginx version 1.13.0 and up.

    :ref:debops.nullmailer role '''''''''''''''''''''''''''''

    • The Nullmailer smtpd service can now listen on both IPv4 and IPv6 addresses. It listens on both loopback addresses by default, where it used to only listen on the IPv6 loopback address.

    :ref:debops.owncloud role '''''''''''''''''''''''''''

    • 👌 Support has been added for Nextcloud 17.0 and 18.0.

    :ref:debops.pki role ''''''''''''''''''''''

    • Use inventory_hostname variable instead of the ansible_fqdn variable in paths of the directories used to store data on Ansible Controller. This decouples the host FQDN and domain name from the certificate management tasks in the role.

    .. note:: The role will try to recreate existing X.509 certificates making the playbook execution idempotent. Removing the PKI realms and recreating them will fix this issue.

    :ref:debops.postfix role ''''''''''''''''''''''''''

    • 🔧 The persistent configuration stored on the Ansible Controller has been refactored and does not use multiple separate tasks to handle the JSON files.

    :ref:debops.rsyslog role ''''''''''''''''''''''''''

    • 🔌 The role has been refreshed and uses the custom Ansible filter plugins to manage the :command:rsyslog configuration files. The default configuration was rearranged, the :file:/etc/rsyslog.conf configuration file has the default contents that come with the Debian package and can be configured by the role. The configuration model has been redesigned; any changes in the configuration of the role set in the Ansible inventory need to be reviewed before applying the new version.

    • 📦 The rsyslog APT package and its service can be cleanly removed from the host, either via the role or by uninstalling the package itself.

    ✂ Removed

    
    :ref:`debops.console` role
    ''''''''''''''''''''''''''
    
    - 🚚 The local and NFS mount support has been removed from the
      :ref:`debops.console` role. Local mounts can be managed using the
      :ref:`debops.mount` role; NFS mounts can be managed by the :ref:`debops.nfs`
      role.
    
    :ref:`debops.core` role
    '''''''''''''''''''''''
    
    - The ``ansible_local.uuid`` local fact and corresponding variables and tasks
      have been removed from the role. A replacement fact, ``ansible_machine_id``
      is an Ansible built-in.
    
    - 🚚 The ``ansible_local.init`` fact has been removed from the role. A native
      ``ansible_service_mgr`` Ansible fact is its replacement.
    
    - 🚚 The ``ansible_local.cap12s`` fact has been removed from the role. A native
      set of Ansible facts (``ansible_system_capabilities``,
      ``ansible_system_capabilities_enforced``) is used as a replacement.
    
    - 📚 The :file:`root.fact` script, corresponding variables and documentation have
      been removed from the role. This functionality is now managed by the
      :ref:`debops.fhs` role.
    
    - The ``ansible_local.core.fqdn`` and ``ansible_local.core.domain`` local facts
      and their corresponding default variables have been removed from the role. In
      their place, ``ansible_fqdn`` and ``ansible_domain`` facts should be used
      instead.
    
    :ref:`debops.ntp` role
    ''''''''''''''''''''''
    
    - 🔧 The timezone configuration has been moved from the :ref:`debops.ntp` role to
      the :ref:`debops.tzdata` role.
    
    :ref:`debops.nullmailer` role
    '''''''''''''''''''''''''''''
    
    - The script and :command:`dpkg` hook that cleaned up the additional files
      maintained by the role has been removed; the :ref:`debops.dpkg_cleanup` role
      will be used for this purpose instead.
    
    🛠 Fixed
    

    General
    '''''''

    - 🛠 Fix an issue with `Ansible Collections`__ where roles used via the
      ``include_role`` Ansible module broke due to the split into multiple
      collections. All roles will now have the ``debops.debops`` collection
      included by default in the :file:`meta/main.yml` file to tell Ansible where
      to look for dependent roles.

      .. __: https://github.com/ansible/ansible/issues/67723

    - 🛠 Fix an issue with the collection creation script where role files that
      contained multiple uses of a particular custom Ansible plugin, for example
      ``template_src`` or ``file_src``, were modified multiple times by the
      script.

    :ref:`debops.apt` role
    ''''''''''''''''''''''

    - 🛠 Fix BeagleBoards detection with the Debian 10 image. Tested with a
      BeagleBoards Black.

    :ref:`debops.cron` role
    '''''''''''''''''''''''

    - 🛠 Fix creation of empty environment variables in :command:`cron`
      configuration files managed by Ansible.

    :ref:`debops.dnsmasq` role
    ''''''''''''''''''''''''''

    - :envvar:`dnsmasq__public_dns` did not create a firewall allow rule when no
      interfaces were specified.

    :ref:`debops.ferm` role
    '''''''''''''''''''''''

    - 🛠 Fixed incorrect removal of the ferm rule set by :ref:`debops.avahi` on
      IPv6-enabled systems.

    :ref:`debops.gitlab_runner` role
    ''''''''''''''''''''''''''''''''

    - 🚚 Don't re-create removed :file:`/etc/machine-id` contents during Vagrant
      box creation. This should fix issues with IP addresses received from DHCP by
      the Vagrant machines.

      .. warning:: This fix is applied using the :command:`patch` command on the
         files packaged by APT. Existing installations will have to be updated
         manually; alternatively, the changes applied previously should be removed
         from the affected files before the role is applied. See the patch files
         in the role :file:`files/patches/` directory for more information.

    - 📦 The GitLab package repository signing key has been replaced with the new
      key that has been in use since 2020-04-06, allowing APT to update package
      lists again. See the `GitLab.com blog`__ for more information about this
      change.

      .. __: https://about.gitlab.com/releases/2020/03/30/gpg-key-for-gitlab-package-repositories-metadata-changing/

    :ref:`debops.minio` role
    ''''''''''''''''''''''''

    - 🛠 Fix an issue during installation of recent MinIO releases, where during
      an initial restart the MinIO service would switch into "safe mode" when a
      problem with the configuration is detected; this would prevent the service
      from being restarted correctly. Now the service should be properly stopped
      by :command:`systemd` after a stop timeout.

    :ref:`debops.netbase` role
    ''''''''''''''''''''''''''

    - ⏱ Use a short timeout for DNS queries performed by the Ansible local fact
      script, in case the DNS infrastructure is not configured. This avoids 60s
      timeouts during Ansible fact gathering in such cases.

    :ref:`debops.nginx` role
    ''''''''''''''''''''''''

    - 🔒 The role now always sets the HTTP Strict Transport Security header when
      it is enabled, regardless of the response code.
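
    The following nginx server block is an added illustration of the two
    :ref:`debops.nginx` changes in this release (TLSv1.3 enabled for nginx 1.13.0
    and up, and the HSTS header sent regardless of the response code); it is not
    the role's own template. The hostname, certificate paths and document root are
    placeholders.

    ```nginx
    # Added illustration, not the debops.nginx role's generated configuration.
    # example.com, the certificate paths and the root directory are placeholders.
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name example.com;

        ssl_certificate     /etc/ssl/example/fullchain.pem;   # placeholder
        ssl_certificate_key /etc/ssl/example/privkey.pem;     # placeholder

        # The TLSv1.3 parameter is accepted by nginx 1.13.0 and newer and takes
        # effect only when nginx is linked against OpenSSL 1.1.1 or newer.
        ssl_protocols TLSv1.2 TLSv1.3;

        # Weak form (commented out): without "always", add_header is applied only
        # to 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308 responses, so an
        # error page such as a 404 or 500 is delivered without any HSTS header.
        # add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";

        # Hardened form: "always" emits the header regardless of the status code,
        # which is the behaviour the role now enforces when HSTS is enabled.
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

        location / {
            root /srv/www/example.com/public;   # placeholder
        }
    }
    ```

    After reloading nginx, requesting a non-existent path over HTTPS should
    return a 404 that still carries the ``Strict-Transport-Security`` header.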

    :ref:`debops.postgresql_server` role
    ''''''''''''''''''''''''''''''''''''

    - In the :command:`autopostgresqlbackup` script, use the :command:`su -
      postgres` command instead of the :command:`su postgres` command to start a
      login shell and switch to the correct home directory of the ``postgres``
      user instead of staying in the :file:`/root/` home directory. This avoids
      the issue during execution of the script via :command:`cron` where it would
      emit errors about not being able to change to the :file:`/root/` home
      directory due to the permissions.

    :ref:`debops.roundcube` role
    ''''''''''''''''''''''''''''

    - 👉 Use the Roundcube version from the Ansible local facts instead of the one
      defined in the role default variables to detect if a database migration is
      required after the Roundcube :command:`git` repository is updated.

    :ref:`debops.slapd` role
    ''''''''''''''''''''''''

    - 🚚 Move the Private Enterprise Number and LDAP namespace OIDs of the DebOps
      organization to a separate :file:`debops.schema` file to avoid duplicated
      OIDs in the ``cn=schema`` LDAP subtree.

      Existing installations might need to be recreated to avoid warnings about
      duplicate OIDs emitted during OpenLDAP operations.