DebOps v3.0.0 Release Notes

Release Date: 2022-02-17 // 7 months ago
  • .. _debops v3.0.0: https://github.com/debops/debops/compare/v2.3.0...v3.0.0

    โž• Added

    
    ๐Ÿ†• New DebOps roles
    ''''''''''''''''
    
    - ๐Ÿ”ง The :ref:`debops.minidlna` role configures the MiniDLNA service that can be
      used to provide media (video, music, images) to other devices on the local
      network that support the DLNA protocol.
    
    - The :ref:`debops.pdns` role manages the `PowerDNS Authoritative Server`__,
      which is an authoritative DNS server with support for DNSSEC, DNS UPDATE,
      geographical load balancing, and storing zone data and metadata in one or
      more backends like relational databases, LDAP databases, and plain text
      files.
    
      .. __: https://www.powerdns.com/auth.html
    
    - The :ref:`debops.telegraf` role can be used to install and manage the
      `Telegraf`__ metrics server, which can send data to various other services.
    
      .. __: https://www.influxdata.com/time-series-platform/telegraf/
    
    - ๐Ÿ”ง The :ref:`debops.lldpd` role provides support for managing and configuring
      the :command:`lldpd` service, which can be used to locate other network
      devices connected to a given host using the Link-Layer Discovery Protocol.
      The role is included in the :file:`common.yml` playbook by default.
    
    - ๐Ÿ”ง The :ref:`debops.zabbix_agent` role can install and configure Zabbix Agent,
      used for monitoring and metrics.
    
    - The :ref:`debops.keepalived` role can be used to install and manage
      :command:`keepalived` daemon, a lightweight load balancing and high
      availability service.
    
    - The :ref:`debops.rspamd` role can be used to install `rspamd`__ service, an
      anti-spam mail filter. The role automatically integrates with the
      :ref:`debops.postfix` role to provide anti-spam support.
    
      .. __: https://rspamd.org/
    
    - ๐Ÿ”ง The :ref:`debops.imapproxy` role can install and configure the IMAP Proxy
      service, useful for web mail applications that use IMAP to access the mail
      services.
    
    General
    '''''''
    
    - New Jinja filters ``from_toml`` and ``to_toml`` are available to DebOps
      roles, provided using a custom Ansible plugin. The filters require the
      ``toml`` Python package to be installed on the Ansible Controller.
    
    - ๐Ÿ†• New Ansible custom lookup plugin ``dig_srv`` can be used in Ansible variables
      and tasks to simplify DNS SRV record parsing. The plugin can retrieve an
      existing SRV record or if none is found, fall back to a predefined default
      values for the hostname and port.
    
    - A new Ansible tag, ``meta::facts`` has been added in all DebOps roles to the
      tasks that install Ansible local facts. This can be useful during initial
      provisioning to avoid issues with Ansible ``--check`` mode when certain
      configurations depend on the presence of the local facts to gather details
      from the remote hosts.
    
    :ref:`debops.apt` role
    ''''''''''''''''''''''
    
    - The role can now enable additional Debian architectures on a given host,
      which allows for `Multiarch`__ installations.
    
      .. __: https://wiki.debian.org/Multiarch/HOWTO
    
    - ๐Ÿ”ง You can now purge specific APT packages along with their configuration and
      unused dependencies. This might be useful during bootstrap or provisioning
      process to remove unused or conflicting services installed by the provider.
    
    - ๐Ÿ”ง The role can now configure :file:`/etc/apt/auth.conf.d/` configuration files
      to enable access to restricted APT repositories that require HTTP Basic
      Authentication.
    
    :ref:`debops.dokuwiki` role
    '''''''''''''''''''''''''''
    
    - The role now provides a set of variables and tasks which can be used to add
      or remove custom files in the DokuWiki installation, useful in certain
      setups.
    
    :ref:`debops.elasticsearch` role
    ''''''''''''''''''''''''''''''''
    
    - ๐Ÿš€ In a cluster deployment on hosts with PKI environment configured, the role
      will automatically enable the X-Pack plugin and configure TLS encryption for
      HTTP client and inter-cluster communication.
    
    - Elasticsearch user accounts and role definitions can be managed via Ansible
      using the API access, when the encrypted communication and X-Pack plugin is
      enabled. The role will initialize a set of built-in user accounts in the
      Elasticsearch cluster automatically.
    
    :ref:`debops.ferm` role
    '''''''''''''''''''''''
    
    - ๐Ÿ“ฆ The ``arptables`` and ``ebtables`` APT packages will be installed by default.
      This is needed so that various alternatives for :command:`iptables` backends
      can be correctly synchronized.
    
    :ref:`debops.keyring` role
    ''''''''''''''''''''''''''
    
    - ๐Ÿ”ง The role can now configure :file:`/etc/apt/auth.conf.d/` configuration files
      to enable access to restricted APT repositories that require HTTP Basic
      Authentication.
    
    :ref:`debops.kibana` role
    '''''''''''''''''''''''''
    
    - If the username and password for connection to the Elasticsearch service are
      provided, the role will configure Kibana to use TLS encryption for
      communication with the Elasticsearch cluster, based on the PKI environment
      managed by the :ref:`debops.pki` Ansible role.
    
    :ref:`debops.libvirtd` role
    '''''''''''''''''''''''''''
    
    - The role will now install UEFI firmware for amd64 VMs, alongside traditional
      BIOS.
    
    :ref:`debops.lvm` role
    ''''''''''''''''''''''
    
    - The role can now manage `LVM Thin Pool Logical Volumes`__.
    
      .. __: https://man7.org/linux/man-pages/man7/lvmthin.7.html
    
    - It is now possible to apply custom options to :ref:`lvm__thin_pools` and
      :ref:`lvm__logical_volumes`.
    
    :ref:`debops.lxc` role
    ''''''''''''''''''''''
    
    - The role can define a list of SSH identities added to the ``root`` UNIX
      account in new LXC containers by default. This can be used to grant multiple
      system administrators access to the containers.
    
    :ref:`debops.netbase` role
    ''''''''''''''''''''''''''
    
    - The :man:`hosts(5)` database FQDN entries defined as strings will
      automatically create hostname aliases when the role uses a template to
      generate the :file:`/etc/hosts` database.
    
    :ref:`debops.nginx` role
    ''''''''''''''''''''''''
    
    - The role can be used in "config-only" mode where the :command:`nginx`
      packages are not installed but are expected to be present and in
      configuration compatible with DebOps.
    
    - ๐Ÿ”ง The :command:`nginx` server can now be configured to send logs to the
      :command:`syslog` service via a :file:`/dev/log` UNIX socket, instead of
      storing them in separate configuration files.
    
    :ref:`debops.pki` role
    ''''''''''''''''''''''
    
    - ๐Ÿ‘ The role gained support for `Certbot`__ tool as an alternative to
      :command:`acme-tiny` script. Certbot provides `Lets' Encrypt DNS-01
      challenge`__ functionality with wildcard and internal certificates. See role
      documentation for more details.
    
      .. __: https://certbot.eff.org/
      .. __: https://letsencrypt.org/docs/challenge-types/#dns-01-challenge
    
    :ref:`debops.rsyslog` role
    ''''''''''''''''''''''''''
    
    - 0๏ธโƒฃ It is now possible to override the default ``netstream_driver``,
      ``driver_mode`` and ``driver_authmode`` parameters in every
      :ref:`rsyslog__ref_forward` forwarding rule.
    
    :ref:`debops.sshd` role
    '''''''''''''''''''''''
    
    - The ``sshd__ferm_interface`` variable can now be used to limit access to SSH
      via the host firewall based on interface.
    
    :ref:`debops.slapd` role
    ''''''''''''''''''''''''
    
    - The `SCHema for ACademia`__ (schac) LDAP schema has been added to the role to
      provide more LDAP attributes and object classes useful in university
      environments.
    
      .. __: https://wiki.refeds.org/display/STAN/SCHAC
    
    :ref:`debops.sysctl` role
    '''''''''''''''''''''''''
    
    - ๐Ÿ“ฆ The ``systemd`` Debian package in Debian Bullseye provides
      a :command:`sysctl` configuration file which increases the maximum number of
      PIDs allowed by the kernel. The role will create a "masked" configuration
      file to ensure that :command:`sysctl` configuration works in LXC containers,
      where the ``kernel.pid_max`` parameter will be commented out since it cannot
      be modified from inside of a container. On hardware and VM hosts the
      configuration will be applied as expected.
    
    ๐Ÿ”„ Changed
    

    โšก๏ธ Updates of upstream application versions ''''''''''''''''''''''''''''''''''''''''

    • In the :ref:debops.ipxe role, the Debian Buster netboot installer version has been updated to the next point release, 10.11. Debian Bullseye has been updated to the next point relase as well, 11.2.

    Debian 11 (Bullseye) has been released. The :ref:debops.ipxe role will now prepare a netboot installer with this release and set Bullseye as the default Stable installation option.

    • โšก๏ธ The :file:lxc_ssh.py Ansible connection plugin has been updated to include latest changes and bugfixes.

    • ๐Ÿ”ง The Elastic APT repository configured on new installations by :ref:debops.elastic_co has been updated to version 7.x. Updating the repository configuration on existing hosts requires that you manually update the local facts or to set the elastic_co__version variable to '7.x' before running the playbook.

    • โšก๏ธ In the :ref:debops.netbox role, the NetBox version has been updated to v3.1.6. Note that you need v2.11.0 or later to upgrade to v3.0.

    • ๐ŸŒ The Icinga Web 2 modules installed by :ref:debops.icinga_web have been updated to their latest versions. A quick database migration is needed after updating to get Director to work again. Just click the database migration button on the 'Icinga Director' -> 'Activities log' page.

    • In the :ref:debops.roundcube role, the Roundcube version installed by default has been updated to 1.4.13.

    • โฌ†๏ธ Drop Nextcloud 20 and 21 support because they are EOL. You need to upgrade Nextcloud manually if you are running version 21 or below. The role now defaults to Nextcloud 22 for new installations.

    • โšก๏ธ In the :ref:debops.wpcli role, the WpCli version has been updated to 2.5.0. 2.3.0 and 2.4.0 can be installed by changing wpcli__version

    General '''''''

    • ๐Ÿ”’ DebOps tasks that import local SSH keys will now recognize FIDO U2F security keys used via the SSH agent.

    • ๐Ÿ”ง The APT configuration by the :ref:debops.apt and :ref:debops.apt_proxy roles in the :file:common.yml playbook has been moved to a separate play to ensure feature parity with the bootstrap playbooks.

    • The :command:debops Python scripts have been completely rewritten and reorganized. The UI has been redesigned to use subcommands rather than separate scripts. This pans the way for easy extension of the script functionality in the future and improvements for various tasks done on the Ansible Controller.

    • The DebOps monorepo can now be used as an "Ansible Collection" when path to the :file:ansible/collections/ subdirectory inside of the :command:git repository is specified in the collections_paths__ variable in the Ansible configuration file.

    .. note:: The roles and plugins included in DebOps are not yet fully compatible with the Collection system. They will be converted at a later time.

    .. __: https://docs.ansible.com/ansible/latest/reference_appendices/config.html#collections-paths

    • ๐Ÿณ The base Docker image used by DebOps Dockerfile has been changed from debian:buster-slim to debian:bullseye-slim. The Dockerfile has been updated to build and install DebOps from the monorepo instead of installing a release from PyPI.

    • ๐Ÿ”Œ The references for custom Ansible lookup and filter plugins have been modified to use the Fully Qualified Collection Name format to allow the DebOps monorepo to work as an Ansible Collection.

    • ๐Ÿ”Œ Custom Ansible plugins included in the :ref:debops.ansible_plugins role have been copied to the :file:ansible/plugins/ subdirectories to make them available through the Ansible Collection mechanisms.

    • Multiple roles that use the DNS SRV Resource Records to find related services have been updated to utilize the new dig_srv Ansible lookup plugin to find the records. This change should make the role code easier to maintain.

    • Most of the DebOps roles now use :envvar:debops__no_log variable in tasks with the no_log Ansible keyword. This should provide an easier way to debug issues with various roles.

    • Roles which use the :command:dpkg-divert Debian utility to preserve original configuration files have been updated to use the dpkg_divert custom Ansible module included in the DebOps Collection instead of using the command or shell Ansible modules to manage the diversion and reversion.

    Continuous Integration ''''''''''''''''''''''

    • โšก๏ธ The default box used by Vagrant for DebOps VMs has been updated from debian/buster64 to debian/bullseye64.

    LDAP ''''

    • The :file:ldap/init-directory.yml playbook can now store the administrator credentials in the :file:secret/ directory managed by the :ref:debops.secret role. THe credentials can also be randomly generated if the playbook is used non-interactively.

    :ref:debops.apt role ''''''''''''''''''''''

    • โšก๏ธ The role defaults have been updated, Bullseye is the new Stable.

    :ref:debops.apt_install role ''''''''''''''''''''''''''''''

    • ๐Ÿ“ฆ The haveged Debian package will not be installed in a virtual machine if the underlying hypervisor technology already provides access to the host's RNG device through virtualization.

    :ref:debops.dhparam role ''''''''''''''''''''''''''

    • The role will no longer install the :command:cron service directly; instead it depends on the :ref:debops.cron role to ensure that the service is present. This allows replacing the cron Debian package with a different backend, for example systemd-cron package.

    ๐Ÿณ :ref:debops.docker_server role ''''''''''''''''''''''''''''''''

    • โช The role now enables live restore__ by default.

    .. __: https://docs.docker.com/config/containers/live-restore/

    :ref:debops.dovecot role ''''''''''''''''''''''''''

    • The role has been throughly refreshed and now uses the :ref:universal_configuration format for the service configuration. All role variables have been renamed to put them in a separate namespace.

    .. warning:: If you use a Dovecot installation in your environment, you should check the new role documentation and update the relevant configuration in the Ansible inventory before applying the new role on your infrastructure.

    :ref:debops.elasticsearch role ''''''''''''''''''''''''''''''''

    • ๐Ÿ”ง The main configuration is reorganized, original contents of the configuration file are set in the :envvar:elasticsearch__original_configuration variable and the options changed by the role are set in the :envvar:elasticsearch__default_configuration variable.

    :ref:debops.etckeeper role ''''''''''''''''''''''''''''

    • โž• Add etckeeper__gitattributes option to be able to appended to the :file:/etc/.gitattributes file.

    :ref:debops.ferm role '''''''''''''''''''''''

    • ๐Ÿ”ง The backend configuration will now manage all relevant alternatives for :command:arptables, :command:ebtables, :command:iptables and :command:ip6tables commands to keep various parts of the firewall synchronized.

    .. warning:: The variable which controls what backend is used has been renamed to :envvar:ferm__iptables_backend_type due to value change. You might need to update your Ansible inventory to select the correct backend.

    • 0๏ธโƒฃ The default backend for :command:iptables is changed to legacy on newer OS releases, because there's no plans__ to support :command:nftables backend by the :command:ferm project. You might want to check if the firewall configuration is correctly applied after running the role against already configured hosts.

    .. __: https://github.com/MaxKellermann/ferm/issues/47

    :ref:debops.grub role '''''''''''''''''''''''

    • 0๏ธโƒฃ The role now enables the serial console by default.

    :ref:debops.ipxe role '''''''''''''''''''''''

    • 0๏ธโƒฃ You can now define what kernel parameters are used by default in the Debian Installer, using an iPXE variable.

    :ref:debops.keyring role ''''''''''''''''''''''''''

    • 0๏ธโƒฃ The default keyserver used by the role has been changed to Ubuntu keyserver__ due to deprecation of the SKS Keyserver pool.

    .. __: https://keyserver.ubuntu.com/

    :ref:debops.logrotate role ''''''''''''''''''''''''''''

    • The role will no longer install the :command:cron service directly; instead it depends on the :ref:debops.cron role to ensure that the service is present. This allows replacing the cron Debian package with a different backend, for example systemd-cron package.

    :ref:debops.netbox role '''''''''''''''''''''''''

    • Add netbox__config_custom option to be able to configure not explicitly supported options in a raw format.

    :ref:debops.nginx role ''''''''''''''''''''''''

    • ๐Ÿ”ง The item.location_list entries in the server configuration can now define access policy for a specific location and use subnet ranges or password authentication to control access.

    • Length and characters included in the passwords generated by the role for HTTP Basic Authentication can now be controlled using default variables.

    :ref:debops.php role ''''''''''''''''''''''

    • ๐Ÿ”– php7.4 has been added to the php__version_preference list. This ensures that PHP-related packages are installed on Debian 11 (Bullseye) systems.

    :ref:debops.pki role ''''''''''''''''''''''

    • The RootCA certificate for the Let's Encrypt ACME certificates has been changed to :file:mozilla/ISRG_Root_X1.crt, the previous CA certificate is now expired. Existing PKI realms will not be modified, you might need to recreate them or replace the :file:acme/root.pem symlink manually.

    :ref:debops.postldap role '''''''''''''''''''''''''''

    • A few changes to the Postfix LDAP lookup tables were made, most notably a better split between alias lookups (ldap_virtual_alias_maps.cf) and distribution list lookups (ldap_virtual_forward_maps.cf).

    ๐Ÿ‘€ :ref:debops.preseed role ''''''''''''''''''''''''''

    • The role has been redesigned from the ground up and uses :ref:universal_configuration to manage Preseed configuration files. Multiple "flavors" are provided to permit installation of Debian in a variety of environments. See the :ref:upgrade_notes for details about upgrading an existing installation.

    :ref:debops.reprepro role '''''''''''''''''''''''''''

    • The role has been redesigned from scratch. It can now manage multiple APT repository instances on separate DNS domains, repositories can have access restrictions, the :command:inoticoming service has been replaced by a :command:systemd .path units. Repositories are now configured via the :ref:universal_configuration system. See the new role documentation for details.

    :ref:debops.rsyslog role ''''''''''''''''''''''''''

    • 0๏ธโƒฃ The default NetStream driver mode and authentication mode are now set based on whether the gtls driver is enabled.

    :ref:debops.slapd role ''''''''''''''''''''''''

    • The :file:mailservice.schema LDAP schema has been modified to add new LDAP attributes, mailPrivateAddress and mailContactAddress. This change includes additional constraints on uniqueness and requires a rebuild of the OpenLDAP service. See :ref:upgrade_notes for details.

    • The sudoUser attribute index in the OpenLDAP service has been changed to sudoHost,sudoUser eq,sub to provide better search performance for the :command:sssd service. This will have to be changed manually on existing OpenLDAP installations before the role is idempotent.

    :ref:debops.sshd role '''''''''''''''''''''''

    • Keep the SSH_CONNECTION environment variable when running commands with sudo.

    :ref:debops.sysctl role '''''''''''''''''''''''''

    • ๐Ÿ”ง The role will configure protection for FIFOs and regular files along with protection for symlinks and hardlinks, introduced in Debian Bullseye.

    :ref:debops.system_users role '''''''''''''''''''''''''''''''

    • The role assumes that Ansible Controller has Python 3 available and will not check for Python 2.7 anymore while gathering local UNIX account details, to avoid issues with non-existent host facts.

    โฌ†๏ธ :ref:debops.unattended_upgrades role ''''''''''''''''''''''''''''''''''''''

    • The role now defaults to the admin_private_email Ansible fact (as provided by :ref:debops.core) for the :envvar:unattended_upgrades__mail_to variable.

    ๐Ÿ›  Fixed

    
    General
    '''''''
    
    - ๐Ÿ›  Fixed an issue with user and group management roles where the UNIX account
      home directories were created even if they were specifically disabled. Roles
      should now be more careful and respect the administrator wishes.
    
    LDAP
    ''''
    
    - ๐Ÿ‘ The :file:`ldap/init-directory.yml` playbook should now work better with
      non-local UNIX accounts and provide better defaults for standardized account
      names like ``ansible``.
    
    - The ``*__ldap_bindpw`` variables in various roles have been modified to
      create the passwords only when LDAP support is enabled. This should fix an
      issue in non-LDAP environments where Ansible would stop playbook execution
      when a single password file for an LDAP object was created by multiple hosts,
      generating a race condition due to empty domain part of the Distinguished
      Name.
    
    :ref:`debops.apt` role
    ''''''''''''''''''''''
    
    - The role no longer disables the backports repository of a Debian LTS or
      archive release.
    
    :ref:`debops.apt_cacher_ng` role
    ''''''''''''''''''''''''''''''''
    
    - The role no longer creates an unnecessary NGINX webroot directory.
    
    :ref:`debops.dhcpd` role
    ''''''''''''''''''''''''
    
    - host-identifier parameters are now always quoted in dhcpd6.conf. This is
      needed when the host-identifier contains periods (e.g. fully qualified
      domain names).
    
    :ref:`debops.dnsmasq` role
    ''''''''''''''''''''''''''
    
    - ๐Ÿ”ง Ensure that the configuration entries with ``a`` or ``aaaa`` parameter are
      correctly recognized as host entries.
    
    :ref:`debops.ipxe` role
    '''''''''''''''''''''''
    
    - ๐Ÿ‘€ Make sure that the correct Preseed flavor is used when the user changes it
      using the menu item.
    
    :ref:`debops.kmod` role
    '''''''''''''''''''''''
    
    - ๐Ÿ›  Fixed an issue with role facts where the script ended with exception when the
      ``kmod`` package wasn't installed and the :command:`lsmod` command was not
      available.
    
    :ref:`debops.ldap` role
    '''''''''''''''''''''''
    
    - The role will refresh the local facts when the :file:`/etc/ldap/ldap.conf`
      configuration changes to ensure that other roles have correct information
      available, for example when a new set of LDAP servers is used.
    
    :ref:`debops.libvirt` role
    ''''''''''''''''''''''''''
    
    - ๐Ÿš€ The ``virt-top`` APT package is not part of the Debian Bullseye release,
      therefore the role will not try to install it by default.
    
    :ref:`debops.libvirtd` role
    '''''''''''''''''''''''''''
    
    - ๐Ÿš€ The ``virt-top`` APT package is not part of the Debian Bullseye release,
      therefore the role will not try to install it by default.
    
    - 0๏ธโƒฃ The root account will no longer be added to the 'libvirt' group by default.
    
    :ref:`debops.lxc` role
    ''''''''''''''''''''''
    
    - 0๏ธโƒฃ Use the Ubuntu GPG keyserver by default to download LXC container signing
      keys when the container is created by the :command:`lxc-new-unprivileged`
      script as well as through the ``lxc_container`` Ansible module (the SKS
      keyserver pool has been deprecated).
    
    - ๐Ÿ”ง Enable AppArmor nesting configuration in LXC v4.0.x version, used in Debian
      Bullseye. Without this, various :command:`systemd` services inside of the
      LXC containers cannot start and SSH/console login is delayed ~25 seconds.
    
    :ref:`debops.netbase` role
    ''''''''''''''''''''''''''
    
    - ๐Ÿ›  Fixed an issue where the fact script broke when it tried to find the host's
      IP address using DNS and the host does not have an entry in the DNS or in
      :file:`/etc/hosts` database.
    
    - ๐Ÿ›  Fixed an issue where the initial bootstrap and common playbook execution
      didn't provide the correct configuration for the :ref:`debops.netbase` role,
      resulting in a non-idempotent execution and wrong :file:`/etc/hosts` database
      contents. The order of the :ref:`debops.python` role in bootstrap and common
      playbooks has been adjusted to ensure that the Python packages required by
      the :ref:`debops.netbase` role are installed before its execution.
    
    :ref:`debops.netbox` role
    '''''''''''''''''''''''''
    
    - Set ``client_max_body_size`` to ``25m`` in Nginx as in the NetBox Nginx
      config example.
      Before, it was at the Nginx default of ``1m`` which caused Nginx to reject
      larger picture uploads to NetBox.
    
    :ref:`debops.nginx` role
    ''''''''''''''''''''''''
    
    - Access to the ACME challenge directories is now always allowed, even if a
      server-wide allowlist configuration or HTTP basic authentication enforcement
      has been applied. This ensures that it is always possible to request and renew
      certificates through the ACME protocol.
    
    - ๐Ÿšš Do not remove the whole PKI hook directory when the :command:`nginx` hook
      script is removed by the role.
    
    :ref:`debops.owncloud` role
    '''''''''''''''''''''''''''
    
    - ๐Ÿ›  Fixed an issue with the :ref:`debops.nginx` configuration where some
      Nextcloud pages (LDAP configuration, for example) did not work correctly.
    
    :ref:`debops.pki` role
    ''''''''''''''''''''''
    
    - Ensure that the X.509 certificate requests generated by the
      :command:`pki-realm` script to renew Let's Encrypt/ACME certificates include
      SubjectAltNames defined in the PKI realm.
    
    :ref:`debops.postfix` role
    ''''''''''''''''''''''''''
    
    - ๐Ÿšš Do not remove the whole PKI hook directory when the :command:`postfix` hook
      script is removed by the role.
    
    :ref:`debops.proc_hidepid` role
    '''''''''''''''''''''''''''''''
    
    - โž• Add the ``procadmins`` UNIX group as a supplementary group in the
      :file:`[email protected]` :command:`systemd` unit to fix an issue where the user
      service does not start when unified cgroupv2 hierarchy is used.
    
    :ref:`debops.prosody` role
    ''''''''''''''''''''''''''
    
    - ๐Ÿšš Do not remove the whole PKI hook directory when the :command:`prosody` hook
      script is removed by the role.
    
    :ref:`debops.rabbitmq_server` role
    ''''''''''''''''''''''''''''''''''
    
    - Correctly interpret the list of RabbitMQ user accounts to not create unwanted
      vhosts.
    
    :ref:`debops.redis_server` role
    '''''''''''''''''''''''''''''''
    
    - ๐Ÿ›  Fixed an issue with facts not showing Redis instances correctly when password
      is empty.
    
    debops.reprepro role
    ''''''''''''''''''''
    
    - โž• Added missing architectures (all expected architectures for Bookworm, and
      some missing architectures for older releases).
    
    :ref:`debops.resolvconf` role
    '''''''''''''''''''''''''''''
    
    - Ensure that the fact script correctly includes information about upstream
      nameservers when :command:`systemd-resolved` service is used.
    
    :ref:`debops.rsyslog` role
    ''''''''''''''''''''''''''
    
    - ๐Ÿ”ง The rsyslog role always configured the streamDriverPermittedPeers option,
      even when the ``anon`` network driver authentication mode was selected.
    
    :ref:`debops.sshd` role
    '''''''''''''''''''''''
    
    - The role will no longer create an LDAP account when it is not needed.
    
    - The default :envvar:`sshd__login_grace_time` has been increased from 30 to 60
      seconds. This mitigates a lock-out issue when :envvar:`sshd__use_dns` is
      enabled (the default) and your DNS resolvers are unreachable.
    
    - The role will avoid leaking the LDAP bind password through the process list
      during password file creation on the remote host.
    
    :ref:`debops.sudo` role
    '''''''''''''''''''''''
    
    - ๐Ÿ›  Fixed an issue in the fact script which resulted in a wrong string being
      picked up as the version number when :command:`sudo` was configured to use
      LDAP, but the LDAP service was not available.
    
    - ๐Ÿ“ฆ The role will now skip installing the ``sudo-ldap`` package and creating the
      LDAP account object if :envvar:`sudo__ldap_enabled` is ``False``.
    
    :ref:`debops.sysctl` role
    '''''''''''''''''''''''''
    
    - 0๏ธโƒฃ The role's default of explicitly disabling packet forwarding conflicted with
      the sysctl configuration done by Docker Server. The role would disable
      essential (for Docker) packet forwarding, which would only be enabled again
      when the Docker daemon was manually restarted or the sysctl parameter was
      manually corrected. This has been fixed by letting the role default to
      enabling packet forwarding on Docker Server hosts.
    
    :ref:`debops.system_users` role
    '''''''''''''''''''''''''''''''
    
    - โœ๏ธ The ``create_home`` parameter was not functional because of typos in the
      Ansible task.
    
    โœ‚ Removed
    

    General '''''''

    • ๐Ÿšš The old DebOps scripts have been removed from the monorepo, they are replaced with new, cleaner scripts that support subcommands.

    • โšก๏ธ The :command:debops-update script has been dropped from the project. Existing users should use :command:git clone command to install the DebOps monorepo if they wish to use the rolling release. There's also no need to install the debops PyPI package; DebOps scripts can be installed directly from the monorepo in development mode if desired.

    • The :command:debops-task script has been dropped. You can use the :command:ansible command directly to perform ad-hoc commands against the Ansible inventory.

    • ๐Ÿšš The :command:debops-defaults script has been removed from the project. Easy access to the role defaults will be implemented at a later date.

    • The :command:debops-init script has been replaced with the :command:debops project init subcommand.

    • ๐Ÿšš The :command:debops-padlock script has been removed from the project. It's functionality is now available via the :command:debops project subcommands.

    :ref:debops.nginx role ''''''''''''''''''''''''

    • ๐Ÿšš The support for SPDY__ protocol has been removed from the role; it has been replaced in the technology stack by HTTP/2__ specification.

    .. _: https://en.wikipedia.org/wiki/SPDY .. _: https://en.wikipedia.org/wiki/HTTP/2

    ๐Ÿ‘€ :ref:debops.preseed role ''''''''''''''''''''''''''

    • ๐Ÿ‘Œ Support for installing and configuring Salt Minions during host provisioning has been removed.

    :ref:debops.snmpd role ''''''''''''''''''''''''

    • The tasks and other code which managed the :command:lldpd daemon has been removed from the role. The :ref:debops.lldpd role now provides the LLDP support and automatically integrates with SNMP daemon when it is detected.

    ๐Ÿ”’ Security

    
    General
    '''''''
    
    - Specific DebOps roles (:ref:`debops.dovecot`, :ref:`debops.owncloud`,
      :ref:`debops.postldap`) used password generation lookups with invalid
      parameters which might have resulted in a weaker passwords generated during
      their deployment. The parameters in the password lookups have been fixed; you
      might consider regenerating the passwords created by them by removing
      existing ones from the :ref:`debops.secret` storage on the Ansible Controller
      and re-running the roles.
    

Previous changes from v2.3.0

  • .. _debops v2.3.0: https://github.com/debops/debops/compare/v2.2.0...v2.3.0

    โž• Added

    
    ๐Ÿ†• New DebOps roles
    ''''''''''''''''
    
    - The :ref:`debops.extrepo` role provides an interface for the `extrepo`__
      Debian package, an external APT source manager. It can be used to configure
      third-party APT repositories.
    
      .. __: https://grep.be/blog/en/computer/debian/Announcing_extrepo/
    
    - ๐Ÿ”’ The :ref:`debops.sssd` role can be used to manage the System Security
      Services Daemon (``sssd``), an alternative approach to centralized
      credentials managed by remote databases like LDAP or Active Directory.
    
    General
    
    • The new :file:bootstrap-sss.yml Ansible playbook can be used to provision a new host with LDAP support based on the :command:sssd service instead of the :command:nslcd and :command:nscd services.

    • ๐Ÿ”ง The :ref:debops.apache and :ref:debops.nginx roles will configure the managed websites to opt-out from the Federated Learning of Cohorts__ (FLoC) feature by default. This can be turned off on a site-by-site basis.

    .. __: https://github.com/WICG/floc

    :ref:debops.etckeeper role ''''''''''''''''''''''''''''

    • ๐Ÿ”ง The :command:etckeeper script can be configured to send e-mail messages with changes to the system administrator.

    :ref:debops.ferm role '''''''''''''''''''''''

    • ๐Ÿ”ง You can now configure the :command:iptables backend (nft or legacy) after installing :command:ferm service using the alternatives system. This might be needed on newer OS releases to keep :command:ferm usable.

    :ref:debops.netbox role '''''''''''''''''''''''''

    • โž• Added wrapper around :file:manage.py called :file:netbox-manage for NetBox power users.

    :ref:debops.global_handlers role ''''''''''''''''''''''''''''''''''

    • ๐Ÿ†• New global handlers available to roles:

      • Refresh host facts: re-gather host facts using the setup Ansible module, required to ensure that Ansible has accurate information about the current host state.
      • Reload service manager: update the :command:init daemon runtime configuration, useful when new services are added or their :command:systemd configuration changes.
      • Create temporary files: ensure that files and directories created at system boot by tools like :command:systemd-tmpfiles are present on the host.

    ๐Ÿ”„ Changed

    
    โšก๏ธ Updates of upstream application versions
    ''''''''''''''''''''''''''''''''''''''''
    
    - In the :ref:`debops.ipxe` role, the Debian Buster netboot installer version
      has been updated to the next point release, 10.9.
    
    - In the :ref:`debops.roundcube` role, the Roundcube version installed by
      default has been updated to ``1.4.11``.
    
    - The :ref:`debops.elasticsearch`, :ref:`debops.kibana` and
      :ref:`debops.filebeat` roles were updated to use the :ref:`debops.extrepo`
      role to configure the Elastic.co APT repositories. This will result in
      installation of ES, Kibana and Filebeat 7.x versions by default on new
      installations; existing installations will not be automatically upgraded by
      the roles, but the packages themselves might be upgraded by other APT
      mechanisms.
    
    - โšก๏ธ In the :ref:`debops.netbox` role, the NetBox version has been updated to
      ``v2.11.2``.
    
    - โšก๏ธ In the :ref:`debops.owncloud` role, the Nextcloud version has been updated to
      ``v20.0``. ``19.0`` support has been dropped.
    
    - ๐Ÿ”Œ The ``lxc_ssh.py`` connection plugin that enables management of LXC
      containers without the need of an :command:`sshd` server installed inside of
      the containers has been refreshed to get latest changes in the upstream
      project and make it work correctly on newer Ansible releases.
    
    Continuous Integration
    ''''''''''''''''''''''
    
    - The Vagrant provisioning script now installs Cryptography from the Debian
      archive instead of from PyPI.
    
    - ๐Ÿ‘• The :command:`ansible-lint` check will now use Ansible playbooks as the
      starting point to test the whole codebase. Roles and playbooks not included
      in the :file:`site.yml` playbook can be tested manually if needed.
    
    :ref:`debops.authorized_keys` role
    ''''''''''''''''''''''''''''''''''
    
    - The management of the SSH public keys has been redesigned. Instead of
      focusing on UNIX accounts with one or more keys, the role now focuses on
      separate public keys as "SSH identities" that are configured on one or more
      UNIX accounts. This should provide more flexibility in environments where
      small number of users utilizes large number of UNIX accounts, for example
      small development team with multiple applications deployed on separate
      accounts.
    
    ``debops.boxbackup`` role
    '''''''''''''''''''''''''
    
    - 0๏ธโƒฃ Some of the default variables in the role have been renamed to aoid using
      uppercase letters in variables.
    
    :ref:`debops.dovecot` role
    ''''''''''''''''''''''''''
    
    - The LDAP user filer has been changed to use the ``mailRecipient`` LDAP object
      class from the :ref:`mailservice LDAP schema <slapd__ref_mailservice>` to
      lookup mail accounts. Ensure that your LDAP directory has correct information
      before applying the change in production.
    
    - If the LDAP entry of a mail user has the ``mailHomeDirectory`` attribute, it
      will be used to specify the mail home directory relative to the mail root
      directory, instead of generating one which depends on the domain and username
      of a given account.
    
    :ref:`debops.lxc` role
    ''''''''''''''''''''''
    
    - On hosts which use LXC v4.0.x, for example with Debian Bullseye as the
      operating system, the role will configure new LXC containers to not drop the
      ``CAP_SYS_ADMIN`` capability by default. This is required for correct
      container operation on this version of LXC.
    
    :ref:`debops.owncloud` role
    '''''''''''''''''''''''''''
    
    - โœ… ownCloud is not supported in the latest version of DebOps due to lack of
      maintainers. Use DebOps v2.2.x if you need it and consider becoming a
      maintainer.
    
    :ref:`debops.postgresql_server` role
    ''''''''''''''''''''''''''''''''''''
    
    - The :command:`autopostgresqlbackup` script will not be installed on Debian
      Bullseye because the package was dropped from that release.
    
    :ref:`debops.postldap` role
    '''''''''''''''''''''''''''
    
    - The Postfix LDAP integration is redesigned to use the :ref:`mailservice LDAP
      schema <slapd__ref_mailservice>` for account and mailbox management. There
      are extensive changes in how the Postfix service utilizes the LDAP directory;
      existing installations will have to update their LDAP directory entries.
      Please test these changes in a development environment before applying them
      in production.
    
    :ref:`debops.python` role
    '''''''''''''''''''''''''
    
    - ๐Ÿ‘ The support for Python 2.7 environment will be enabled only when explicitly
      requested using the :envvar:`python__v2` variable. This should avoid issues
      with installation of Python 2.7 packages on Debian Bullseye and later.
    
    :ref:`debops.roundcube` role
    ''''''''''''''''''''''''''''
    
    - The address autocompletion will show only a specific e-mail address instead
      of all available ones for a given recipient.
    
    - ๐Ÿ”ง The role will configure Roundcube to search the LDAP directory for a given
      user's Distinguished Name when their LDAP entry uses a different attribute
      than ``uid`` as RDN. Directory will be searched using the Roundcube's own
      login credentials. See :ref:`roundcube__ref_ldap_dit` for details.
    
    - ๐Ÿ‘‰ The ``new_user_identity`` plugin will be re-enabled by default and adjusted
      to use the ``mail`` attribute to search for user identities. Roundcube v1.4.x
      installations `might need to be patched`__ for the plugin to work correctly
      with user-based LDAP logins.
    
      .. __: https://github.com/roundcube/roundcubemail/issues/7667
    
    :ref:`debops.saslauthd` role
    ''''''''''''''''''''''''''''
    
    - The SMTPd service will search for ``mailRecipient`` LDAP Object Class instead
      of the ``inetOrgPerson`` Object Class to authenticate mail senders.
    
    ๐Ÿ”„ Changes to DebOps Enhancement Proposals
    '''''''''''''''''''''''''''''''''''''''
    
    - DEP 3 - Sources of software used by DebOps now requires for roles that
      configure upstream APT repositories to use ``debops.extrepo`` instead of the
      previously used way of including the OpenPGP fingerprint and repo details in
      the role. This applies to all new roles. Existing roles will be updated over
      time.
    
    ๐Ÿ›  Fixed
    

    General '''''''

    • 0๏ธโƒฃ The :command:debops-defaults script should now correctly display role defaults, without trying to add the debops. prefix to the role names.

    • โšก๏ธ The :command:debops-update script should now correctly detect cloned DebOps monorepo.

    • The :command:debops script will no longer check Ansible version to work around an issue that was fixed in Ansible 2.0.

    ๐Ÿ”Œ :ref:debops.ansible_plugins role ''''''''''''''''''''''''''''''''''

    • In the parse_kv_config custom Ansible filter, correctly skip configuration entries which have been marked with the ignore state.

    :ref:debops.apt role ''''''''''''''''''''''

    • ๐Ÿ”’ The role configured the Debian Bullseye security repository with the 'bullseye/updates' suite name. This is incorrect, the Bullseye security suite is called 'bullseye-security'.

    :ref:debops.core role '''''''''''''''''''''''

    • ๐Ÿ›  Fixed local fact script execution on hosts without a defined DNS domain. You might need to remove the :file:core.fact script from the remote host manually so that Ansible can gather facts correctly before the fixed version of the script can be installed. To do that on all affected hosts, execute the command:

    .. code-block:: console

     ansible all -b -m file -a 'path=/etc/ansible/facts.d/core.fact state=absent'
    

    :ref:debops.cron role '''''''''''''''''''''''

    • ๐Ÿ›  Fix role execution on hosts without :command:systemd as the service manager.

    :ref:debops.etesync role ''''''''''''''''''''''''''

    • 0๏ธโƒฃ The EteSync playbook is now included in the default DebOps playbook.

    :ref:debops.ferm role '''''''''''''''''''''''

    • The management of the :command:iptables backend symlink using the 'alternatives' system is disabled on Debian 9, where it is unsupported.

    :ref:debops.iscsi role ''''''''''''''''''''''''

    • ๐Ÿ›  Fixed a typo that caused the iSCSI target discovery task to fail.

    :ref:debops.netbox role '''''''''''''''''''''''''

    • NetBox crashed when it tried to send Emails. For example when an exception occured during page loading, the reponse was just "Internal Server Error". The service as a whole survives this. The bug in the configuration template has been fixed.

    :ref:debops.opendkim role '''''''''''''''''''''''''''

    • โช Restored compatibility with Ansible versions prior to 2.10 by omitting the regenerate parameter of the openssl_privatekey module on those versions.

    :ref:debops.pki role ''''''''''''''''''''''

    • The pki-realm script will now attempt another ACME certificate request in case the previous attempt failed and was more than two days ago. The previous situation was that the script would not perform any ACME requests if the acme/error.log file was present in the PKI realm, because performing multiple certificate issuance requests could easily trigger a rate limit. The downside of this was that the script would also completely give up on renewal attempts if the first attempt happened to fail (e.g. due to some issue at Let's Encrypt).

    :ref:debops.php role ''''''''''''''''''''''

    • ๐Ÿ›  Fixed an issue where role did not have a list of PHP packages for an unknown OS release which stopped its execution. Now the role should fallback to a defult list in this case.

    :ref:debops.python role '''''''''''''''''''''''''

    • ๐Ÿ›  Fixed an issue where the "raw" Python play used during host bootstrapping hanged indefinitely, stopping the playbook execution. The role will now reset the connection to the host after preparing the Python environment, allowing Ansible to re-estabilish the communication channel properly.

    :ref:debops.saslauthd role ''''''''''''''''''''''''''''

    • The :command:saslauthd daemon should correctly use the local and realm parts in the [email protected] logins for authentication using LDAP directory.

    :ref:debops.sudo role '''''''''''''''''''''''

    • The role no longer adds a duplicate includedir line to /etc/sudoers. This was an issue with sudo 1.9.1 (and later), which changed__ the includedir syntax from '#includedir' to '\@includedir'.

    .. __: https://www.sudo.ws/stable.html#1.9.1

    • ๐Ÿ‘‰ Use the English locale to read the :command:sudo version information since the output differs in different languages.

    :ref:debops.system_users role '''''''''''''''''''''''''''''''

    • ๐Ÿ‘‰ Use the Python version detected on the Ansible Controller instead of the remote host to run the UNIX account fact gathering script.

    ๐Ÿ”’ Security

    
    :ref:`debops.hashicorp` role
    ''''''''''''''''''''''''''''
    
    - ๐Ÿš€ Due to a `security incident`__, the existing Hashicorp release GPG key has
      been rotated. The role will remove the revoked GPG key and install new one
      when applied on a host.
    
      .. __: https://discuss.hashicorp.com/t/hcsec-2021-12-codecov-security-event-and-hashicorp-gpg-key-exposure/23512