DebOps v3.0.0 Release Notes
Release Date: 2022-02-17
.. _debops v3.0.0: https://github.com/debops/debops/compare/v2.3.0...v3.0.0
Added

New DebOps roles
''''''''''''''''

- The :ref:`debops.minidlna` role configures the MiniDLNA service that can be used to provide media (video, music, images) to other devices on the local network that support the DLNA protocol.

- The :ref:`debops.pdns` role manages the `PowerDNS Authoritative Server`__, which is an authoritative DNS server with support for DNSSEC, DNS UPDATE, geographical load balancing, and storing zone data and metadata in one or more backends like relational databases, LDAP databases, and plain text files.

  .. __: https://www.powerdns.com/auth.html

- The :ref:`debops.telegraf` role can be used to install and manage the `Telegraf`__ metrics server, which can send data to various other services.

  .. __: https://www.influxdata.com/time-series-platform/telegraf/

- The :ref:`debops.lldpd` role provides support for managing and configuring the :command:`lldpd` service, which can be used to locate other network devices connected to a given host using the Link-Layer Discovery Protocol. The role is included in the :file:`common.yml` playbook by default.

- The :ref:`debops.zabbix_agent` role can install and configure Zabbix Agent, used for monitoring and metrics.

- The :ref:`debops.keepalived` role can be used to install and manage the :command:`keepalived` daemon, a lightweight load balancing and high availability service.

- The :ref:`debops.rspamd` role can be used to install the `rspamd`__ service, an anti-spam mail filter. The role automatically integrates with the :ref:`debops.postfix` role to provide anti-spam support.

  .. __: https://rspamd.org/

- The :ref:`debops.imapproxy` role can install and configure the IMAP Proxy service, useful for webmail applications that use IMAP to access the mail services.

General
'''''''

- New Jinja filters ``from_toml`` and ``to_toml`` are available to DebOps roles, provided using a custom Ansible plugin. The filters require the ``toml`` Python package to be installed on the Ansible Controller.

- The new Ansible custom lookup plugin ``dig_srv`` can be used in Ansible variables and tasks to simplify DNS SRV record parsing. The plugin retrieves an existing SRV record or, if none is found, falls back to predefined default values for the hostname and port.

- A new Ansible tag, ``meta::facts``, has been added in all DebOps roles to the tasks that install Ansible local facts. This can be useful during initial provisioning to avoid issues with Ansible ``--check`` mode when certain configurations depend on the presence of the local facts to gather details from the remote hosts.

:ref:`debops.apt` role
''''''''''''''''''''''

- The role can now enable additional Debian architectures on a given host, which allows for `Multiarch`__ installations.

  .. __: https://wiki.debian.org/Multiarch/HOWTO

- You can now purge specific APT packages along with their configuration and unused dependencies. This might be useful during the bootstrap or provisioning process to remove unused or conflicting services installed by the provider.

- The role can now configure :file:`/etc/apt/auth.conf.d/` configuration files to enable access to restricted APT repositories that require HTTP Basic Authentication.

:ref:`debops.dokuwiki` role
'''''''''''''''''''''''''''

- The role now provides a set of variables and tasks which can be used to add or remove custom files in the DokuWiki installation, useful in certain setups.

:ref:`debops.elasticsearch` role
''''''''''''''''''''''''''''''''

- In a cluster deployment on hosts with a PKI environment configured, the role will automatically enable the X-Pack plugin and configure TLS encryption for HTTP client and inter-cluster communication.

- Elasticsearch user accounts and role definitions can be managed via Ansible using API access, when encrypted communication and the X-Pack plugin are enabled. The role will initialize a set of built-in user accounts in the Elasticsearch cluster automatically.

:ref:`debops.ferm` role
'''''''''''''''''''''''

- The ``arptables`` and ``ebtables`` APT packages will be installed by default. This is needed so that the various alternatives for :command:`iptables` backends can be correctly synchronized.

:ref:`debops.keyring` role
''''''''''''''''''''''''''

- The role can now configure :file:`/etc/apt/auth.conf.d/` configuration files to enable access to restricted APT repositories that require HTTP Basic Authentication.

:ref:`debops.kibana` role
'''''''''''''''''''''''''

- If the username and password for the connection to the Elasticsearch service are provided, the role will configure Kibana to use TLS encryption for communication with the Elasticsearch cluster, based on the PKI environment managed by the :ref:`debops.pki` Ansible role.

:ref:`debops.libvirtd` role
'''''''''''''''''''''''''''

- The role will now install UEFI firmware for amd64 VMs, alongside the traditional BIOS.

:ref:`debops.lvm` role
''''''''''''''''''''''

- The role can now manage `LVM Thin Pool Logical Volumes`__.

  .. __: https://man7.org/linux/man-pages/man7/lvmthin.7.html

- It is now possible to apply custom options to :ref:`lvm__thin_pools` and :ref:`lvm__logical_volumes`.

:ref:`debops.lxc` role
''''''''''''''''''''''

- The role can define a list of SSH identities added to the ``root`` UNIX account in new LXC containers by default. This can be used to grant multiple system administrators access to the containers.

:ref:`debops.netbase` role
''''''''''''''''''''''''''

- The :man:`hosts(5)` database FQDN entries defined as strings will automatically create hostname aliases when the role uses a template to generate the :file:`/etc/hosts` database.

:ref:`debops.nginx` role
''''''''''''''''''''''''

- The role can be used in "config-only" mode, where the :command:`nginx` packages are not installed but are expected to be present and in a configuration compatible with DebOps.

- The :command:`nginx` server can now be configured to send logs to the :command:`syslog` service via the :file:`/dev/log` UNIX socket, instead of storing them in separate configuration files.

:ref:`debops.pki` role
''''''''''''''''''''''

- The role gained support for the `Certbot`__ tool as an alternative to the :command:`acme-tiny` script. Certbot provides `Let's Encrypt DNS-01 challenge`__ functionality with wildcard and internal certificates. See the role documentation for more details.

  .. __: https://certbot.eff.org/
  .. __: https://letsencrypt.org/docs/challenge-types/#dns-01-challenge

:ref:`debops.rsyslog` role
''''''''''''''''''''''''''

- It is now possible to override the default ``netstream_driver``, ``driver_mode`` and ``driver_authmode`` parameters in every :ref:`rsyslog__ref_forward` forwarding rule.

:ref:`debops.sshd` role
'''''''''''''''''''''''

- The ``sshd__ferm_interface`` variable can now be used to limit access to SSH via the host firewall based on the network interface.

:ref:`debops.slapd` role
''''''''''''''''''''''''

- The `SCHema for ACademia`__ (schac) LDAP schema has been added to the role to provide more LDAP attributes and object classes useful in university environments.

  .. __: https://wiki.refeds.org/display/STAN/SCHAC

:ref:`debops.sysctl` role
'''''''''''''''''''''''''

- The ``systemd`` Debian package in Debian Bullseye provides a :command:`sysctl` configuration file which increases the maximum number of PIDs allowed by the kernel. The role will create a "masked" configuration file to ensure that the :command:`sysctl` configuration works in LXC containers, where the ``kernel.pid_max`` parameter will be commented out since it cannot be modified from inside of a container. On hardware and VM hosts the configuration will be applied as expected.

Changed
Updates of upstream application versions
''''''''''''''''''''''''''''''''''''''''

- In the :ref:`debops.ipxe` role, the Debian Buster netboot installer version has been updated to the next point release, 10.11. Debian Bullseye has been updated to the next point release as well, 11.2.

- Debian 11 (Bullseye) has been released. The :ref:`debops.ipxe` role will now prepare a netboot installer with this release and set Bullseye as the default Stable installation option.

- The :file:`lxc_ssh.py` Ansible connection plugin has been updated to include the latest changes and bugfixes.

- The Elastic APT repository configured on new installations by :ref:`debops.elastic_co` has been updated to version 7.x. Updating the repository configuration on existing hosts requires that you manually update the local facts or set the ``elastic_co__version`` variable to ``'7.x'`` before running the playbook.

- In the :ref:`debops.netbox` role, the NetBox version has been updated to ``v3.1.6``. Note that you need ``v2.11.0`` or later to upgrade to ``v3.0``.

- The Icinga Web 2 modules installed by :ref:`debops.icinga_web` have been updated to their latest versions. A quick database migration is needed after updating to get Director to work again. Just click the database migration button on the 'Icinga Director' -> 'Activities log' page.

- In the :ref:`debops.roundcube` role, the Roundcube version installed by default has been updated to ``1.4.13``.

- Drop Nextcloud 20 and 21 support because they are EOL. You need to upgrade Nextcloud manually if you are running version 21 or below. The role now defaults to Nextcloud 22 for new installations.

- In the :ref:`debops.wpcli` role, the WpCli version has been updated to ``2.5.0``. ``2.3.0`` and ``2.4.0`` can be installed by changing ``wpcli__version``.
General
'''''''

- DebOps tasks that import local SSH keys will now recognize FIDO U2F security keys used via the SSH agent.

- The APT configuration by the :ref:`debops.apt` and :ref:`debops.apt_proxy` roles in the :file:`common.yml` playbook has been moved to a separate play to ensure feature parity with the bootstrap playbooks.

- The :command:`debops` Python scripts have been completely rewritten and reorganized. The UI has been redesigned to use subcommands rather than separate scripts. This paves the way for easy extension of the script functionality in the future and improvements for various tasks done on the Ansible Controller.

- The DebOps monorepo can now be used as an "Ansible Collection" when the path to the :file:`ansible/collections/` subdirectory inside of the :command:`git` repository is specified in the `collections_paths`__ variable in the Ansible configuration file.

  .. note:: The roles and plugins included in DebOps are not yet fully compatible with the Collection system. They will be converted at a later time.

  .. __: https://docs.ansible.com/ansible/latest/reference_appendices/config.html#collections-paths

- The base Docker image used by the DebOps Dockerfile has been changed from ``debian:buster-slim`` to ``debian:bullseye-slim``. The Dockerfile has been updated to build and install DebOps from the monorepo instead of installing a release from PyPI.

- The references for custom Ansible lookup and filter plugins have been modified to use the Fully Qualified Collection Name format to allow the DebOps monorepo to work as an Ansible Collection.

- Custom Ansible plugins included in the :ref:`debops.ansible_plugins` role have been copied to the :file:`ansible/plugins/` subdirectories to make them available through the Ansible Collection mechanisms.

- Multiple roles that use DNS ``SRV`` Resource Records to find related services have been updated to utilize the new ``dig_srv`` Ansible lookup plugin to find the records. This change should make the role code easier to maintain.

- Most of the DebOps roles now use the :envvar:`debops__no_log` variable in tasks with the ``no_log`` Ansible keyword. This should provide an easier way to debug issues with various roles.

- Roles which use the :command:`dpkg-divert` Debian utility to preserve original configuration files have been updated to use the ``dpkg_divert`` custom Ansible module included in the DebOps Collection instead of using the ``command`` or ``shell`` Ansible modules to manage the diversion and reversion.
Continuous Integration
''''''''''''''''''''''

- The default box used by Vagrant for DebOps VMs has been updated from ``debian/buster64`` to ``debian/bullseye64``.
LDAP
''''

- The :file:`ldap/init-directory.yml` playbook can now store the administrator credentials in the :file:`secret/` directory managed by the :ref:`debops.secret` role. The credentials can also be randomly generated if the playbook is used non-interactively.
:ref:`debops.apt` role
''''''''''''''''''''''

- The role defaults have been updated; Bullseye is the new Stable.

:ref:`debops.apt_install` role
''''''''''''''''''''''''''''''

- The ``haveged`` Debian package will not be installed in a virtual machine if the underlying hypervisor technology already provides access to the host's RNG device through virtualization.

:ref:`debops.dhparam` role
''''''''''''''''''''''''''

- The role will no longer install the :command:`cron` service directly; instead it depends on the :ref:`debops.cron` role to ensure that the service is present. This allows replacing the ``cron`` Debian package with a different backend, for example the ``systemd-cron`` package.

:ref:`debops.docker_server` role
''''''''''''''''''''''''''''''''

- The role now enables `live restore`__ by default.

  .. __: https://docs.docker.com/config/containers/live-restore/

:ref:`debops.dovecot` role
''''''''''''''''''''''''''

- The role has been thoroughly refreshed and now uses the :ref:`universal_configuration` format for the service configuration. All role variables have been renamed to put them in a separate namespace.

  .. warning:: If you use a Dovecot installation in your environment, you should check the new role documentation and update the relevant configuration in the Ansible inventory before applying the new role on your infrastructure.

:ref:`debops.elasticsearch` role
''''''''''''''''''''''''''''''''

- The main configuration has been reorganized: the original contents of the configuration file are set in the :envvar:`elasticsearch__original_configuration` variable and the options changed by the role are set in the :envvar:`elasticsearch__default_configuration` variable.

:ref:`debops.etckeeper` role
''''''''''''''''''''''''''''

- Add the ``etckeeper__gitattributes`` option to be able to append entries to the :file:`/etc/.gitattributes` file.

:ref:`debops.ferm` role
'''''''''''''''''''''''

- The backend configuration will now manage all relevant alternatives for the :command:`arptables`, :command:`ebtables`, :command:`iptables` and :command:`ip6tables` commands to keep the various parts of the firewall synchronized.

  .. warning:: The variable which controls what backend is used has been renamed to :envvar:`ferm__iptables_backend_type` due to a value change. You might need to update your Ansible inventory to select the correct backend.

- The default backend for :command:`iptables` is changed to ``legacy`` on newer OS releases, because `there are no plans`__ to support the :command:`nftables` backend in the :command:`ferm` project. You might want to check that the firewall configuration is correctly applied after running the role against already configured hosts.

  .. __: https://github.com/MaxKellermann/ferm/issues/47

:ref:`debops.grub` role
'''''''''''''''''''''''

- The role now enables the serial console by default.

:ref:`debops.ipxe` role
'''''''''''''''''''''''

- You can now define what kernel parameters are used by default in the Debian Installer, using an iPXE variable.

:ref:`debops.keyring` role
''''''''''''''''''''''''''

- The default keyserver used by the role has been changed to the `Ubuntu keyserver`__ due to the deprecation of the SKS Keyserver pool.

  .. __: https://keyserver.ubuntu.com/

:ref:`debops.logrotate` role
''''''''''''''''''''''''''''

- The role will no longer install the :command:`cron` service directly; instead it depends on the :ref:`debops.cron` role to ensure that the service is present. This allows replacing the ``cron`` Debian package with a different backend, for example the ``systemd-cron`` package.

:ref:`debops.netbox` role
'''''''''''''''''''''''''

- Add the ``netbox__config_custom`` option to be able to configure options not explicitly supported by the role, in a raw format.

:ref:`debops.nginx` role
''''''''''''''''''''''''

- The ``item.location_list`` entries in the server configuration can now define an access policy for a specific location and use subnet ranges or password authentication to control access.

- The length and characters included in the passwords generated by the role for HTTP Basic Authentication can now be controlled using default variables.

:ref:`debops.php` role
''''''''''''''''''''''

- php7.4 has been added to the ``php__version_preference`` list. This ensures that PHP-related packages are installed on Debian 11 (Bullseye) systems.

:ref:`debops.pki` role
''''''''''''''''''''''

- The Root CA certificate for the Let's Encrypt ACME certificates has been changed to :file:`mozilla/ISRG_Root_X1.crt`; the previous CA certificate is now expired. Existing PKI realms will not be modified, so you might need to recreate them or replace the :file:`acme/root.pem` symlink manually.

:ref:`debops.postldap` role
'''''''''''''''''''''''''''

- A few changes to the Postfix LDAP lookup tables were made, most notably a better split between alias lookups (:file:`ldap_virtual_alias_maps.cf`) and distribution list lookups (:file:`ldap_virtual_forward_maps.cf`).

:ref:`debops.preseed` role
''''''''''''''''''''''''''

- The role has been redesigned from the ground up and uses :ref:`universal_configuration` to manage Preseed configuration files. Multiple "flavors" are provided to permit installation of Debian in a variety of environments. See the :ref:`upgrade_notes` for details about upgrading an existing installation.

:ref:`debops.reprepro` role
'''''''''''''''''''''''''''

- The role has been redesigned from scratch. It can now manage multiple APT repository instances on separate DNS domains, repositories can have access restrictions, and the :command:`inoticoming` service has been replaced by :command:`systemd` ``.path`` units. Repositories are now configured via the :ref:`universal_configuration` system. See the new role documentation for details.

:ref:`debops.rsyslog` role
''''''''''''''''''''''''''

- The default NetStream driver mode and authentication mode are now set based on whether the ``gtls`` driver is enabled.

:ref:`debops.slapd` role
''''''''''''''''''''''''

- The :file:`mailservice.schema` LDAP schema has been modified to add new LDAP attributes, ``mailPrivateAddress`` and ``mailContactAddress``. This change includes additional constraints on uniqueness and requires a rebuild of the OpenLDAP service. See :ref:`upgrade_notes` for details.

- The ``sudoUser`` attribute index in the OpenLDAP service has been changed to ``sudoHost,sudoUser eq,sub`` to provide better search performance for the :command:`sssd` service. This will have to be changed manually on existing OpenLDAP installations before the role is idempotent.

:ref:`debops.sshd` role
'''''''''''''''''''''''

- Keep the ``SSH_CONNECTION`` environment variable when running commands with sudo.

:ref:`debops.sysctl` role
'''''''''''''''''''''''''

- The role will configure protection for FIFOs and regular files along with the protection for symlinks and hardlinks, introduced in Debian Bullseye.

:ref:`debops.system_users` role
'''''''''''''''''''''''''''''''

- The role assumes that the Ansible Controller has Python 3 available and will not check for Python 2.7 anymore while gathering local UNIX account details, to avoid issues with non-existent host facts.

:ref:`debops.unattended_upgrades` role
''''''''''''''''''''''''''''''''''''''

- The role now defaults to the ``admin_private_email`` Ansible fact (as provided by :ref:`debops.core`) for the :envvar:`unattended_upgrades__mail_to` variable.
Fixed

General
'''''''

- Fixed an issue with user and group management roles where the UNIX account home directories were created even if they were specifically disabled. Roles should now be more careful and respect the administrator's wishes.

LDAP
''''

- The :file:`ldap/init-directory.yml` playbook should now work better with non-local UNIX accounts and provide better defaults for standardized account names like ``ansible``.

- The ``*__ldap_bindpw`` variables in various roles have been modified to create the passwords only when LDAP support is enabled. This should fix an issue in non-LDAP environments where Ansible would stop playbook execution when a single password file for an LDAP object was created by multiple hosts, generating a race condition due to the empty domain part of the Distinguished Name.

:ref:`debops.apt` role
''''''''''''''''''''''

- The role no longer disables the backports repository of a Debian LTS or archive release.

:ref:`debops.apt_cacher_ng` role
''''''''''''''''''''''''''''''''

- The role no longer creates an unnecessary NGINX webroot directory.

:ref:`debops.dhcpd` role
''''''''''''''''''''''''

- ``host-identifier`` parameters are now always quoted in :file:`dhcpd6.conf`. This is needed when the host-identifier contains periods (e.g. fully qualified domain names).

:ref:`debops.dnsmasq` role
''''''''''''''''''''''''''

- Ensure that the configuration entries with the ``a`` or ``aaaa`` parameter are correctly recognized as host entries.

:ref:`debops.ipxe` role
'''''''''''''''''''''''

- Make sure that the correct Preseed flavor is used when the user changes it using the menu item.

:ref:`debops.kmod` role
'''''''''''''''''''''''

- Fixed an issue with role facts where the script ended with an exception when the ``kmod`` package wasn't installed and the :command:`lsmod` command was not available.

:ref:`debops.ldap` role
'''''''''''''''''''''''

- The role will refresh the local facts when the :file:`/etc/ldap/ldap.conf` configuration changes to ensure that other roles have correct information available, for example when a new set of LDAP servers is used.

:ref:`debops.libvirt` role
''''''''''''''''''''''''''

- The ``virt-top`` APT package is not part of the Debian Bullseye release, therefore the role will not try to install it by default.

:ref:`debops.libvirtd` role
'''''''''''''''''''''''''''

- The ``virt-top`` APT package is not part of the Debian Bullseye release, therefore the role will not try to install it by default.

- The root account will no longer be added to the 'libvirt' group by default.

:ref:`debops.lxc` role
''''''''''''''''''''''

- Use the Ubuntu GPG keyserver by default to download LXC container signing keys when the container is created by the :command:`lxc-new-unprivileged` script as well as through the ``lxc_container`` Ansible module (the SKS keyserver pool has been deprecated).

- Enable the AppArmor nesting configuration in LXC v4.0.x, used in Debian Bullseye. Without this, various :command:`systemd` services inside of the LXC containers cannot start and SSH/console login is delayed ~25 seconds.

:ref:`debops.netbase` role
''''''''''''''''''''''''''

- Fixed an issue where the fact script broke when it tried to find the host's IP address using DNS and the host does not have an entry in the DNS or in the :file:`/etc/hosts` database.

- Fixed an issue where the initial bootstrap and common playbook execution didn't provide the correct configuration for the :ref:`debops.netbase` role, resulting in a non-idempotent execution and wrong :file:`/etc/hosts` database contents. The order of the :ref:`debops.python` role in the bootstrap and common playbooks has been adjusted to ensure that the Python packages required by the :ref:`debops.netbase` role are installed before its execution.

:ref:`debops.netbox` role
'''''''''''''''''''''''''

- Set ``client_max_body_size`` to ``25m`` in Nginx as in the NetBox Nginx config example. Before, it was at the Nginx default of ``1m``, which caused Nginx to reject larger picture uploads to NetBox.

:ref:`debops.nginx` role
''''''''''''''''''''''''

- Access to the ACME challenge directories is now always allowed, even if a server-wide allowlist configuration or HTTP basic authentication enforcement has been applied. This ensures that it is always possible to request and renew certificates through the ACME protocol.

- Do not remove the whole PKI hook directory when the :command:`nginx` hook script is removed by the role.

:ref:`debops.owncloud` role
'''''''''''''''''''''''''''

- Fixed an issue with the :ref:`debops.nginx` configuration where some Nextcloud pages (LDAP configuration, for example) did not work correctly.

:ref:`debops.pki` role
''''''''''''''''''''''

- Ensure that the X.509 certificate requests generated by the :command:`pki-realm` script to renew Let's Encrypt/ACME certificates include the SubjectAltNames defined in the PKI realm.

:ref:`debops.postfix` role
''''''''''''''''''''''''''

- Do not remove the whole PKI hook directory when the :command:`postfix` hook script is removed by the role.

:ref:`debops.proc_hidepid` role
'''''''''''''''''''''''''''''''

- Add the ``procadmins`` UNIX group as a supplementary group in the :file:`user@.service` :command:`systemd` unit to fix an issue where the user service does not start when the unified cgroupv2 hierarchy is used.

:ref:`debops.prosody` role
''''''''''''''''''''''''''

- Do not remove the whole PKI hook directory when the :command:`prosody` hook script is removed by the role.

:ref:`debops.rabbitmq_server` role
''''''''''''''''''''''''''''''''''

- Correctly interpret the list of RabbitMQ user accounts to not create unwanted vhosts.

:ref:`debops.redis_server` role
'''''''''''''''''''''''''''''''

- Fixed an issue with facts not showing Redis instances correctly when the password is empty.

debops.reprepro role
''''''''''''''''''''

- Added missing architectures (all expected architectures for Bookworm, and some missing architectures for older releases).

:ref:`debops.resolvconf` role
'''''''''''''''''''''''''''''

- Ensure that the fact script correctly includes information about upstream nameservers when the :command:`systemd-resolved` service is used.

:ref:`debops.rsyslog` role
''''''''''''''''''''''''''

- The rsyslog role always configured the ``streamDriverPermittedPeers`` option, even when the ``anon`` network driver authentication mode was selected.

:ref:`debops.sshd` role
'''''''''''''''''''''''

- The role will no longer create an LDAP account when it is not needed.

- The default :envvar:`sshd__login_grace_time` has been increased from 30 to 60 seconds. This mitigates a lock-out issue when :envvar:`sshd__use_dns` is enabled (the default) and your DNS resolvers are unreachable.

- The role will avoid leaking the LDAP bind password through the process list during password file creation on the remote host.

:ref:`debops.sudo` role
'''''''''''''''''''''''

- Fixed an issue in the fact script which resulted in a wrong string being picked up as the version number when :command:`sudo` was configured to use LDAP, but the LDAP service was not available.

- The role will now skip installing the ``sudo-ldap`` package and creating the LDAP account object if :envvar:`sudo__ldap_enabled` is ``False``.

:ref:`debops.sysctl` role
'''''''''''''''''''''''''

- The role's default of explicitly disabling packet forwarding conflicted with the sysctl configuration done by Docker Server. The role would disable essential (for Docker) packet forwarding, which would only be enabled again when the Docker daemon was manually restarted or the sysctl parameter was manually corrected. This has been fixed by letting the role default to enabling packet forwarding on Docker Server hosts.

:ref:`debops.system_users` role
'''''''''''''''''''''''''''''''

- The ``create_home`` parameter was not functional because of typos in the Ansible task.

Removed
General
'''''''

- The old DebOps scripts have been removed from the monorepo; they are replaced with new, cleaner scripts that support subcommands.

- The :command:`debops-update` script has been dropped from the project. Existing users should use the :command:`git clone` command to install the DebOps monorepo if they wish to use the rolling release. There's also no need to install the ``debops`` PyPI package; DebOps scripts can be installed directly from the monorepo in development mode if desired.

- The :command:`debops-task` script has been dropped. You can use the :command:`ansible` command directly to perform ad-hoc commands against the Ansible inventory.

- The :command:`debops-defaults` script has been removed from the project. Easy access to the role defaults will be implemented at a later date.

- The :command:`debops-init` script has been replaced with the :command:`debops project init` subcommand.

- The :command:`debops-padlock` script has been removed from the project. Its functionality is now available via the :command:`debops project` subcommands.

:ref:`debops.nginx` role
''''''''''''''''''''''''

- The support for the `SPDY`__ protocol has been removed from the role; it has been replaced in the technology stack by the `HTTP/2`__ specification.

  .. __: https://en.wikipedia.org/wiki/SPDY
  .. __: https://en.wikipedia.org/wiki/HTTP/2

:ref:`debops.preseed` role
''''''''''''''''''''''''''

- Support for installing and configuring Salt Minions during host provisioning has been removed.

:ref:`debops.snmpd` role
''''''''''''''''''''''''

- The tasks and other code which managed the :command:`lldpd` daemon have been removed from the role. The :ref:`debops.lldpd` role now provides the LLDP support and automatically integrates with the SNMP daemon when it is detected.
Security

General
'''''''

- Specific DebOps roles (:ref:`debops.dovecot`, :ref:`debops.owncloud`, :ref:`debops.postldap`) used password generation lookups with invalid parameters, which might have resulted in weaker passwords being generated during their deployment. The parameters in the password lookups have been fixed; you might consider regenerating the passwords created by them by removing the existing ones from the :ref:`debops.secret` storage on the Ansible Controller and re-running the roles.
- In the :ref:
Previous changes from v2.3.0

.. _debops v2.3.0: https://github.com/debops/debops/compare/v2.2.0...v2.3.0
โ Added
๐ New DebOps roles '''''''''''''''' - The :ref:`debops.extrepo` role provides an interface for the `extrepo`__ Debian package, an external APT source manager. It can be used to configure third-party APT repositories. .. __: https://grep.be/blog/en/computer/debian/Announcing_extrepo/ - ๐ The :ref:`debops.sssd` role can be used to manage the System Security Services Daemon (``sssd``), an alternative approach to centralized credentials managed by remote databases like LDAP or Active Directory. General
The new :file:
bootstrap-sss.yml
Ansible playbook can be used to provision a new host with LDAP support based on the :command:sssd
service instead of the :command:nslcd
and :command:nscd
services.๐ง The :ref:
debops.apache
and :ref:debops.nginx
roles will configure the managed websites to opt-out from theFederated Learning of Cohorts
__ (FLoC) feature by default. This can be turned off on a site-by-site basis.
.. __: https://github.com/WICG/floc
:ref:
debops.etckeeper
role ''''''''''''''''''''''''''''- ๐ง The :command:
etckeeper
script can be configured to send e-mail messages with changes to the system administrator.
:ref:
debops.ferm
role '''''''''''''''''''''''- ๐ง You can now configure the :command:
iptables
backend (nft
orlegacy
) after installing :command:ferm
service using the alternatives system. This might be needed on newer OS releases to keep :command:ferm
usable.
:ref:
debops.netbox
role '''''''''''''''''''''''''- โ Added wrapper around :file:
manage.py
called :file:netbox-manage
for NetBox power users.
:ref:
debops.global_handlers
role ''''''''''''''''''''''''''''''''''๐ New global handlers available to roles:
Refresh host facts
: re-gather host facts using thesetup
Ansible module, required to ensure that Ansible has accurate information about the current host state.Reload service manager
: update the :command:init
daemon runtime configuration, useful when new services are added or their :command:systemd
configuration changes.Create temporary files
: ensure that files and directories created at system boot by tools like :command:systemd-tmpfiles
are present on the host.
๐ Changed
โก๏ธ Updates of upstream application versions '''''''''''''''''''''''''''''''''''''''' - In the :ref:`debops.ipxe` role, the Debian Buster netboot installer version has been updated to the next point release, 10.9. - In the :ref:`debops.roundcube` role, the Roundcube version installed by default has been updated to ``1.4.11``. - The :ref:`debops.elasticsearch`, :ref:`debops.kibana` and :ref:`debops.filebeat` roles were updated to use the :ref:`debops.extrepo` role to configure the Elastic.co APT repositories. This will result in installation of ES, Kibana and Filebeat 7.x versions by default on new installations; existing installations will not be automatically upgraded by the roles, but the packages themselves might be upgraded by other APT mechanisms. - โก๏ธ In the :ref:`debops.netbox` role, the NetBox version has been updated to ``v2.11.2``. - โก๏ธ In the :ref:`debops.owncloud` role, the Nextcloud version has been updated to ``v20.0``. ``19.0`` support has been dropped. - ๐ The ``lxc_ssh.py`` connection plugin that enables management of LXC containers without the need of an :command:`sshd` server installed inside of the containers has been refreshed to get latest changes in the upstream project and make it work correctly on newer Ansible releases. Continuous Integration '''''''''''''''''''''' - The Vagrant provisioning script now installs Cryptography from the Debian archive instead of from PyPI. - ๐ The :command:`ansible-lint` check will now use Ansible playbooks as the starting point to test the whole codebase. Roles and playbooks not included in the :file:`site.yml` playbook can be tested manually if needed. :ref:`debops.authorized_keys` role '''''''''''''''''''''''''''''''''' - The management of the SSH public keys has been redesigned. Instead of focusing on UNIX accounts with one or more keys, the role now focuses on separate public keys as "SSH identities" that are configured on one or more UNIX accounts. 
  This should provide more flexibility in environments where a small number
  of users utilizes a large number of UNIX accounts, for example a small
  development team with multiple applications deployed on separate accounts.

``debops.boxbackup`` role
'''''''''''''''''''''''''

- Some of the default variables in the role have been renamed to avoid using
  uppercase letters in variable names.

:ref:`debops.dovecot` role
''''''''''''''''''''''''''

- The LDAP user filter has been changed to use the ``mailRecipient`` LDAP
  object class from the :ref:`mailservice LDAP schema <slapd__ref_mailservice>`
  to look up mail accounts. Ensure that your LDAP directory has correct
  information before applying the change in production.

- If the LDAP entry of a mail user has the ``mailHomeDirectory`` attribute, it
  will be used to specify the mail home directory relative to the mail root
  directory, instead of generating one which depends on the domain and
  username of a given account.

:ref:`debops.lxc` role
''''''''''''''''''''''

- On hosts which use LXC v4.0.x, for example with Debian Bullseye as the
  operating system, the role will configure new LXC containers to not drop the
  ``CAP_SYS_ADMIN`` capability by default. This is required for correct
  container operation on this version of LXC.

:ref:`debops.owncloud` role
'''''''''''''''''''''''''''

- ownCloud is not supported in the latest version of DebOps due to lack of
  maintainers. Use DebOps v2.2.x if you need it and consider becoming
  a maintainer.

:ref:`debops.postgresql_server` role
''''''''''''''''''''''''''''''''''''

- The :command:`autopostgresqlbackup` script will not be installed on Debian
  Bullseye because the package was dropped from that release.

:ref:`debops.postldap` role
'''''''''''''''''''''''''''

- The Postfix LDAP integration is redesigned to use the
  :ref:`mailservice LDAP schema <slapd__ref_mailservice>` for account and
  mailbox management.
  There are extensive changes in how the Postfix service utilizes the LDAP
  directory; existing installations will have to update their LDAP directory
  entries. Please test these changes in a development environment before
  applying them in production.

:ref:`debops.python` role
'''''''''''''''''''''''''

- Support for the Python 2.7 environment will be enabled only when explicitly
  requested using the :envvar:`python__v2` variable. This should avoid issues
  with installation of Python 2.7 packages on Debian Bullseye and later.

:ref:`debops.roundcube` role
''''''''''''''''''''''''''''

- The address autocompletion will show only a specific e-mail address instead
  of all available ones for a given recipient.

- The role will configure Roundcube to search the LDAP directory for a given
  user's Distinguished Name when their LDAP entry uses a different attribute
  than ``uid`` as the RDN. The directory will be searched using Roundcube's
  own login credentials. See :ref:`roundcube__ref_ldap_dit` for details.

- The ``new_user_identity`` plugin will be re-enabled by default and adjusted
  to use the ``mail`` attribute to search for user identities. Roundcube
  v1.4.x installations `might need to be patched`__ for the plugin to work
  correctly with user-based LDAP logins.

  .. __: https://github.com/roundcube/roundcubemail/issues/7667

:ref:`debops.saslauthd` role
''''''''''''''''''''''''''''

- The SMTPd service will search for the ``mailRecipient`` LDAP object class
  instead of the ``inetOrgPerson`` object class to authenticate mail senders.

Changes to DebOps Enhancement Proposals
'''''''''''''''''''''''''''''''''''''''

- DEP 3 - Sources of software used by DebOps now requires roles that configure
  upstream APT repositories to use ``debops.extrepo`` instead of the
  previously used way of including the OpenPGP fingerprint and repository
  details in the role. This applies to all new roles. Existing roles will be
  updated over time.
Fixed
~~~~~

General
'''''''

- The :command:`debops-defaults` script should now correctly display role
  defaults, without trying to add the ``debops.`` prefix to the role names.

- The :command:`debops-update` script should now correctly detect a cloned
  DebOps monorepo.

- The :command:`debops` script will no longer check the Ansible version to
  work around an issue that was fixed in Ansible 2.0.

:ref:`debops.ansible_plugins` role
''''''''''''''''''''''''''''''''''

- In the ``parse_kv_config`` custom Ansible filter, correctly skip
  configuration entries which have been marked with the ``ignore`` state.

:ref:`debops.apt` role
''''''''''''''''''''''

- The role configured the Debian Bullseye security repository with the
  'bullseye/updates' suite name. This is incorrect; the Bullseye security
  suite is called 'bullseye-security'.

:ref:`debops.core` role
'''''''''''''''''''''''

- Fixed local fact script execution on hosts without a defined DNS domain. You
  might need to remove the :file:`core.fact` script from the remote host
  manually so that Ansible can gather facts correctly before the fixed version
  of the script can be installed. To do that on all affected hosts, execute
  the command:

  .. code-block:: console

     ansible all -b -m file -a 'path=/etc/ansible/facts.d/core.fact state=absent'

:ref:`debops.cron` role
'''''''''''''''''''''''

- Fix role execution on hosts without :command:`systemd` as the service
  manager.

:ref:`debops.etesync` role
''''''''''''''''''''''''''

- The EteSync playbook is now included in the default DebOps playbook.

:ref:`debops.ferm` role
'''''''''''''''''''''''

- The management of the :command:`iptables` backend symlink using the
  'alternatives' system is disabled on Debian 9, where it is unsupported.

:ref:`debops.iscsi` role
''''''''''''''''''''''''

- Fixed a typo that caused the iSCSI target discovery task to fail.

:ref:`debops.netbox` role
'''''''''''''''''''''''''

- NetBox crashed when it tried to send e-mails.
  For example, when an exception occurred during page loading, the response
  was just "Internal Server Error". The service as a whole survives this. The
  bug in the configuration template has been fixed.

:ref:`debops.opendkim` role
'''''''''''''''''''''''''''

- Restored compatibility with Ansible versions prior to 2.10 by omitting the
  ``regenerate`` parameter of the ``openssl_privatekey`` module on those
  versions.

:ref:`debops.pki` role
''''''''''''''''''''''

- The :command:`pki-realm` script will now attempt another ACME certificate
  request in case the previous attempt failed and was more than two days ago.
  Previously, the script would not perform any ACME requests if the
  :file:`acme/error.log` file was present in the PKI realm, because performing
  multiple certificate issuance requests could easily trigger a rate limit.
  The downside of this was that the script would also completely give up on
  renewal attempts if the first attempt happened to fail (e.g. due to some
  issue at Let's Encrypt).

:ref:`debops.php` role
''''''''''''''''''''''

- Fixed an issue where the role did not have a list of PHP packages for an
  unknown OS release, which stopped its execution. Now the role should fall
  back to a default list in this case.

:ref:`debops.python` role
'''''''''''''''''''''''''

- Fixed an issue where the "raw" Python play used during host bootstrapping
  hung indefinitely, stopping the playbook execution. The role will now reset
  the connection to the host after preparing the Python environment, allowing
  Ansible to re-establish the communication channel properly.

:ref:`debops.saslauthd` role
''''''''''''''''''''''''''''

- The :command:`saslauthd` daemon should correctly use the local and realm
  parts of the ``user@realm`` logins for authentication using the LDAP
  directory.

:ref:`debops.sudo` role
'''''''''''''''''''''''

- The role no longer adds a duplicate ``includedir`` line to
  :file:`/etc/sudoers`.
  This was an issue with sudo 1.9.1 (and later), which `changed`__ the
  includedir syntax from '#includedir' to '\@includedir'.

  .. __: https://www.sudo.ws/stable.html#1.9.1

- Use the English locale to read the :command:`sudo` version information,
  since the output differs between languages.

:ref:`debops.system_users` role
'''''''''''''''''''''''''''''''

- Use the Python version detected on the Ansible Controller instead of the
  remote host to run the UNIX account fact gathering script.

Security
~~~~~~~~
:ref:`debops.hashicorp` role
''''''''''''''''''''''''''''

- Due to a `security incident`__, the existing HashiCorp release GPG key has
  been rotated. The role will remove the revoked GPG key and install the new
  one when applied on a host.
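The retry rule from the :ref:`debops.pki` fix above (hold ACME requests while a recent :file:`acme/error.log` exists, but try again once the recorded failure is older than two days) as an added shell example written for these notes; it is not DebOps' own :command:`pki-realm` code, and the ``<realm>/acme/error.log`` layout, the function names and the two-day threshold are assumptions.

```shell
#!/bin/sh
# Added example (not DebOps' own pki-realm script): gate ACME requests on the
# age of the last recorded failure. Assumed layout: <realm>/acme/error.log is
# written when a request fails; an absent log means no recent failure.

# The "more than two days" threshold from the notes, in minutes for find -mmin.
ACME_RETRY_AFTER_MINUTES=$((2 * 24 * 60))

# acme_may_request REALM_DIR
# Returns 0 if another ACME request may be attempted, 1 if the last failure is
# too recent. A fresh failure still blocks repeat requests (rate-limit
# protection); an old one no longer blocks renewal forever.
acme_may_request() {
    realm_dir="$1"
    error_log="${realm_dir}/acme/error.log"

    # No failure recorded: nothing holds the request back.
    if [ ! -e "$error_log" ]; then
        return 0
    fi

    # -mmin +N matches files modified more than N minutes ago.
    if [ -n "$(find "$error_log" -mmin "+${ACME_RETRY_AFTER_MINUTES}")" ]; then
        return 0
    fi
    return 1
}

# acme_record_failure REALM_DIR MESSAGE
# Appends MESSAGE to the realm's error log; the log's mtime is what
# acme_may_request() measures, so each new failure restarts the wait.
acme_record_failure() {
    mkdir -p "${1}/acme"
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" >> "${1}/acme/error.log"
}

# Stand-alone demonstration with a constructed temporary realm.
if [ "${1:-}" = "--demo" ]; then
    demo_realm=$(mktemp -d)
    acme_may_request "$demo_realm" && echo "no failure recorded: request allowed"
    acme_record_failure "$demo_realm" "constructed failure for the demo"
    acme_may_request "$demo_realm" || echo "fresh failure: request held back"
    rm -rf "$demo_realm"
fi
```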