All Versions: 15
Avg Release Cycle: 46 days
Latest Release: 880 days ago

Changelog History
v1.10.0 Changes
November 19, 2022

Upgrade procedure:
- `xsrv upgrade` to upgrade roles/ansible environments to the latest release
- move the `public_keys/` directory from the root of your project directory to the `data/` directory
- if it exists, move the `certificates/` directory from the root of your project directory to the `data/` directory
- common: if you had changed the variable `os_security_kernel_enable_core_dump` from its default value in your hosts/groups configuration, rename it to [`kernel_enable_core_dump`](https://gitlab.com/nodiscc/xsrv/-/blob/master/roles/common/defaults/main.yml)
- graylog/monitoring_rsyslog: move the `*-graylog-ca.crt` file from the `public_keys/` directory to the `data/certificates/` directory (create it if it does not exist)
- openldap: self-service-password: if you had changed the variable `self_service_password_allowed_hosts` from its default value in your host/groups configuration, update it to the new format (a YAML list instead of a list of addresses separated by spaces)
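The v1.10.0 upgrade steps above (moving `public_keys/` and `certificates/` under `data/`, relocating the graylog CA certificate, renaming `os_security_kernel_enable_core_dump` and converting `self_service_password_allowed_hosts` to a YAML list) can be applied to a project directory with the script below. It is an added example, not part of xsrv or its changelog, and it assumes that host and group variables are top-level keys in `host_vars/*.yml` and `group_vars/**/*.yml` files and that the converted value is an unquoted or double-quoted scalar; `rename_var`, `to_yaml_list` and `migrate_project_v1_10` are the example's own names. Commit or back up the project directory before running it.

```shell
#!/bin/sh
# Added example (not xsrv code): apply the v1.10.0 project-layout changes to
# an xsrv project directory. Assumptions (not from the changelog): host/group
# variables are top-level keys in host_vars/*.yml and group_vars/**/*.yml, and
# the value being converted is an unquoted or double-quoted scalar.
set -eu

# Rename a top-level YAML key ($2 -> $3) in every .yml file below directory $1.
rename_var() {
    [ -d "$1" ] || return 0
    find "$1" -type f -name '*.yml' | while read -r f; do
        sed "s/^$2:/$3:/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Convert a top-level key ($2) whose value is a space-separated string into a
# YAML block list, in every .yml file below directory $1. A key that already
# has no inline value (an existing block list) is left unchanged.
to_yaml_list() {
    [ -d "$1" ] || return 0
    find "$1" -type f -name '*.yml' | while read -r f; do
        awk -v key="$2" '
            $0 ~ ("^" key ":") {
                val = $0
                sub(("^" key ":[ \t]*"), "", val)
                gsub(/"/, "", val)          # drop double quotes around the string
                n = split(val, items, /[ \t]+/)
                print key ":"
                for (i = 1; i <= n; i++) if (items[i] != "") print "  - " items[i]
                next
            }
            { print }
        ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
    done
}

# Apply every step of the v1.10.0 upgrade procedure to project directory $1.
migrate_project_v1_10() {
    project=$1
    mkdir -p "$project/data"
    # public_keys/ and certificates/ move from the project root to data/
    # (moved before data/certificates/ is created, so mv renames instead of nesting)
    for d in public_keys certificates; do
        if [ -d "$project/$d" ]; then
            mv "$project/$d" "$project/data/$d"
        fi
    done
    # graylog CA certificates now live in data/certificates/ (created if missing)
    mkdir -p "$project/data/certificates"
    for f in "$project"/data/public_keys/*-graylog-ca.crt; do
        [ -e "$f" ] || continue
        mv "$f" "$project/data/certificates/"
    done
    # renamed variable and changed value format in host/group configuration
    for vars in "$project/host_vars" "$project/group_vars"; do
        rename_var "$vars" os_security_kernel_enable_core_dump kernel_enable_core_dump
        to_yaml_list "$vars" self_service_password_allowed_hosts
    done
}

# Usage: ./migrate.sh "$XSRV_PROJECTS_DIR/<project>"; no argument means no-op.
if [ "${1:-}" ]; then
    migrate_project_v1_10 "$1"
fi
```

Running the script twice is safe: directories already under `data/` are not moved again, the renamed key no longer matches, and a key that is already a block list is printed back unchanged.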
v1.9.0 Changes
September 18, 2022

Upgrade procedure:
- `xsrv self-upgrade` to upgrade the xsrv script
- `xsrv upgrade` to upgrade roles/ansible environments to the latest release
- gitea: if you rely on custom git hooks for your projects, set `gitea_enable_git_hooks: yes` in the host configuration/vars file (`xsrv edit-host`)
- `xsrv deploy` to apply changes

Added:
- xsrv: add `xsrv init-vm-template` command (create a libvirt Debian VM template, unattended using a preconfiguration file)
- add wireguard role - fast and modern VPN server
- nextcloud: enable group folders app by default
- common: allow setting up apt-listbugs to prevent installation of packages with known serious bugs (`apt_listbugs: yes/no`)
- common: allow specifying a list of packages to install/remove (`packages_install/remove`)
- gitea: allow enabling/disabling git hooks and webhooks features globally (`gitea_enable_git_hooks/webhooks`)
- gitea: allow configuring the list of hosts that can be called from webhooks (`gitea_webhook_allowed_hosts`)
- gitea: allow configuring the SSH port exposed in the clone URL (`gitea_ssh_url_port`)

Removed:
- common: remove `setup_cli_utils` and `setup_haveged` variables. Use `packages_install/remove` instead.

Changed:
- gitea: disable git hooks by default
- gitea: upgrade to v1.17.2 [1] [2] [3] [4]
- openldap: update self-service-password to v1.5.1 [1] [2]
- nextcloud: upgrade to v24.0.5 [1] [2]
- postgresql: update pgmetrics to v1.13.1
- shaarli: hardening: run shaarli under a dedicated `shaarli` user account (don't use the default shared `www-data` user)
- xsrv: upgrade ansible to v6.4.0
- nextcloud/netdata: mitigate frequent httpcheck alarms on the nextcloud web service response time (`httpcheck_web_service_unreachable`), increase the timeout of the check to 3s
- common: sysctl: automatically reboot the host after 60 seconds in case of kernel panic
- common: hardening: ensure `/var/log/wtmp` is not world-readable
- common: login/ssh: hardening: kill user processes when an interactive user logs out (except for root). Lock idle login sessions after 15 minutes of inactivity.
- common: ssh: hardening: replace the server's default 2048 bits RSA keypair with a 4096 bits keypair
- common: sudo: hardening: configure sudo to run processes in a pseudo-terminal
- common: users/pam: hardening: increase the number of rounds for hashing group passwords
- common: sysctl: hardening: only allow root/users with CAP_SYS_PTRACE to use ptrace
- common: sysctl: hardening: disable more kernel modules by default (bluetooth, audio I/O, USB storage, USB MIDI, UVC/V4L2/CPIA2 video devices, thunderbolt, floppy, PC speaker beep)
- common: sysctl: hardening: restrict loading TTY line disciplines to the CAP_SYS_MODULE capability
- common: sysctl: hardening: protect against unintentional writes to an attacker-controlled FIFO
- common: sysctl: hardening: prevent even the root user from reading kernel memory maps
- common: sysctl: hardening: enable BPF JIT hardening
- common: sysctl: hardening: disable ICMP redirect support for IPv6
- all roles: require `ansible-core>=2.12`/`ansible>=6.0.0`
- common: improve check mode support before first deployment
- tools/tests: improve/simplify test tools

Fixed:
- common: users: fix errors during creation of `sftponly` user accounts when no groups are defined in the user definition
v1.8.1 Changes
July 10, 2022

Upgrade procedure:
- `xsrv upgrade` to upgrade roles/ansible environments to the latest release
- `xsrv deploy` to apply changes

Fixed:
- backup/rsnapshot: fix rsnapshot installation, always install from Debian repositories
v1.8.0 Changes
July 04, 2022

Upgrade procedure:
- `xsrv self-upgrade` to upgrade the xsrv script
- `xsrv upgrade` to upgrade roles/ansible environments to the latest release
- gitea/gotty/graylog/homepage/jellyfin/nextcloud/openldap/rocketchat/rss_bridge/shaarli/transmission/tt_rss: ensure the `apache` role or equivalent is explicitly deployed to the host before deploying any of these roles.
- jellyfin/samba: if both jellyfin and samba roles are deployed on the same host, ensure `samba` is deployed before `jellyfin` (`xsrv edit-playbook`)
- valheim_server: if you are using the `valheim_server` role, update `requirements.yml` (`xsrv edit-requirements`) and `playbook.yml` (`xsrv edit-playbook`) to use the archived `nodiscc.toolbox.valheim_server` role instead.
- `xsrv deploy` to apply changes

Added:
- add `mail_dovecot` role - IMAP mailbox server
- monitoring: netdata: allow streaming charts data/alarms to/from other netdata nodes (`netdata_streaming_*`)
- monitoring: netdata: enable monitoring of hard drives SMART status
- xsrv: add `xsrv ssh` subcommand (alias for `shell`)
- openldap: allow secure LDAP communication over SSL/TLS on port 636/tcp (use a self-signed certificate)
- common: allow disabling PAM/user accounts configuration tasks (`setup_users: yes/no`)
- common: allow blacklisting unused/potentially insecure kernel modules (`kernel_modules_blacklist`), disable unused network/firewire modules by default
- common: automatically remove (purge) configuration files of removed packages, nightly, enabled by default (`apt_purge_nightly: yes/no`)
- common: attempt to automatically repair (fsck) failed filesystems on boot
- docker: allow enabling automatic firewall/iptables rules setup by Docker (`docker_iptables: no/yes`)
- docker: install requirements for logging in to private docker registries
- openldap: self-service-password/ldap-account-manager: make LDAP server URI configurable (`*_ldap_url`)
- openldap: ldap-account-manager: allow specifying a trusted LDAPS server certificate (`ldap_account_manager_ldaps_cert`)
- samba: make events logged by full_audit configurable (`samba_log_full_audit_success_events`)
- shaarli: add an option to configure thumbnail generation mode (`shaarli_thumbnails_mode`) and default number of links per page (`shaarli_links_per_page`, default 30)
- postgresql: download pgmetrics report to the controller when running `TAGS=utils-pgmetrics`
- all roles: checks: add an info message pointing to roles documentation when one or more variables are not correctly defined
- xsrv: `xsrv help-tags` will now parse tag descriptions from custom roles in `roles/` in addition to collections
- monitoring: utils: add `iputils-ping` package (ping utility)

Removed:
- common: firewalld/mail/msmtp: drop compatibility with Debian 10
- valheim_server: remove role, archive it to separate repository (installs non-free components)

Changed:
- netdata: needrestart: don't send e-mail notifications for needrestart alarms
- netdata: debsecan: refresh debsecan reports every 6 hours instead of every hour
- netdata: disable metrics gathering for `/dev` and `/dev/shm` virtual filesystems
- all roles: check all variable values before failing, when one or more variables are not correctly defined
- tt_rss: don't send feed update errors by mail, log them to syslog
- xsrv: always use the first host/group in alphabetical order when no host/group is specified
- xsrv: upgrade ansible to v5.10.0
- apache/proxmox: only setup fail2ban when it is marked as managed by ansible through ansible local facts
- common: ssh: increase the frequency of "client alive" messages to 1 every 5 minutes
- common: ssh/users: don't allow login for users without an existing home directory
- apache: rsyslog: prefix apache access logs with `apache-access:` in syslog when `apache_access_log_to_syslog: yes`
- homepage: improve homepage styling/layout, link directly to `ssh://` and `sftp://` URIs
- homepage: reword default `homepage_message`
- shaarli: default to generating thumbnails only for common media hosts
- transmission: firewall: always allow bittorrent peer traffic from the public zone
- monitoring_utils: lynis: review and whitelist unapplicable "suggestion" level report items (`lynis_skip_tests`)
- nextcloud: upgrade to v24.0.1 [1] [2] [3]
- gitea: upgrade to v1.16.8 [1] [2] [3]
- openldap: ldap-account-manager: upgrade to v7.9.1
- rss_bridge: upgrade to v2022-06-14
- postgresql: update pgmetrics to v1.13.0
- gitea/gotty/graylog/homepage/jellyfin/nextcloud/openldap/rocketchat/rss_bridge/shaarli/transmission/tt_rss: remove hard dependency on apache role
- cleanup: proxmox: use a single file to configure proxmox APT repositories
- cleanup: apache: ensure no leftover mod-php installations are present
- cleanup: common: users: move PAM configuration to the main `limits.conf` configuration file
- cleanup/tools: improve `check` mode support, standardize task names, remove unused template files, make usage of ansible_facts consistent in all roles, clarify xsrv script, reorder functions by purpose/component, automate documentation generation, improve tests/release procedure, automate initial check mode/deployment/idempotence tests
- update documentation

Fixed:
- xsrv: `init-project`: fix inventory not correctly initialized
- xsrv: fix `xsrv shell/fetch-backups` when a non-default `XSRV_PROJECTS_DIR` is specified by the user
- common: ssh: fix confusion between `AcceptEnv` and `PermitUserEnvironment` settings
- all roles: monitoring/netdata: fix systemd services health checks not loaded by netdata
- apache: monitoring/rsyslog: fix rsyslog config installation when running with only `--tags=monitoring`
- graylog: fix elasticsearch/graylog unable to start caused by too strict permissions on configuration files
- openldap: ldap-account-manager: fix access to tree view
- homepage: fix homepage generation when the mumble role was deployed from a different play
- jellyfin/samba: fix jellyfin samba share creation when samba role is not part of the same play
- samba: fix `samba_passdb_backend: ldapsam` mode when openldap role is not part of the same play
- xsrv: `fetch-backups`: use the first host in alphabetical order, when no host is specified
- monitoring: rsyslog: add correctness checks for `syslog_retention_days` variable
- monitoring: netdata/needrestart: fix `needrestart_autorestart_services` value not taken into account when true
- shaarli/transmission: fix `*_https_mode` variable checks
- doc: fix broken links

Security:
- proxmox: fail2ban: fix detection of failed login attempts
v1.7.0 Changes
April 22, 2022

Upgrade procedure:
- `xsrv self-upgrade` to upgrade the xsrv script
- `xsrv upgrade` to upgrade roles/ansible environments to the latest release
- this upgrade will cause Nextcloud instances to go down for a few minutes, depending on the number of files in their data directory

Added:
- xsrv: add `init-vm` command (initialize a ready-to-deploy libvirt VM from a template)
- xsrv: add `edit-group-vault` command (edit encrypted group variables file)
- common: make cron jobs log level configurable (`cron_log_level`)
- common: apt: clean downloaded package archives every 7 days by default (`apt_clean_days`)
- netdata: allow configuring the fping plugin (ping hosts/measure loss/latency) (`netdata_fping_*`)
- netdata: make netdata filechecks configurable (`netdata_file_checks`)
- transmission/gotty/jellyfin/docker: monitoring/netdata: raise alarms when corresponding systemd services are in the failed state (and the `monitoring_netdata` role is deployed)
- homepage: add rss-bridge to the homepage when the rss_bridge role is deployed on the host
- add ansible tags: `netdata-modules`, `netdata-needrestart`, `netdata-debsecan`, `netdata-logcount`, `netdata-config`

Changed:
- common: sysctl/security: disable potentially exploitable unprivileged BPF and user namespaces
- gitea: limit systemd service automatic restart attempts to 4 in 10 seconds
- gitea: update to v1.16.5 [1] [2] [3] [4] [5]
- gotty: attempt to restart the systemd service every 2 seconds in case of failure, for a maximum of 4 times in 10 seconds
- netdata: disable more internal monitoring charts (plugin execution time, webserver threads CPU)
- netdata: re-add default netdata alarms for the `systemdunits` module
- nextcloud: update to v23.0.3 [1] [2]
- nextcloud: run nextcloud PHP processes under a dedicated `nextcloud` user; if an older installation owned by `www-data` is found, it will be migrated to the new user automatically
- openldap: update LDAP Account Manager to v8.0.1
- rocketchat: update to v3.18.4
- apache/fail2ban/nextcloud: remove obsolete workaround for nextcloud desktop client issue
- xsrv: store group_vars files under `group_vars/$group_name/` (allows multiple vars files per group). If a `group_vars/$group_name.yml` file is found, it will be moved to the subdirectory automatically.
- xsrv: update ansible to v5.5.0
- cleanup: make netdata assembled configuration more readable (add blank line delimiters)
- cleanup: standardize file names
- all roles: check that variables are correctly defined before running roles
- tests: ansible-lint: ignore `fqcn-builtins,truthy,braces,line-length` rules
- tests: remove broken jinja2 syntax test
- tests: remove obsolete `ansible-playbook --syntax-check` and `yamllint` tests, replaced by ansible-lint
- tests: automate tests for `init-vm`, `xsrv check`, `xsrv deploy`
- doc: update documentation, default playbook README, Gitlab CI example

Fixed:
- all roles: ensure `check` mode doesn't fail when running it before first deployment
- common: ssh/users: fix SFTP-only user accounts creation (set permissions after creating user accounts)
- all roles: firewall: fix 'reload firewall/fail2ban/apache' handlers failures when called from other roles
- openldap: fix ldap-account-manager installation on Debian 11 (php package name changes)
- graylog: fix graylog service not starting/incorrect permissions on configuration files
- graylog/mumble: monitoring/netdata: fix healthcheck/alarm not returning correct status when systemd services are in the failed state
- netdata: fix location for needrestart module configuration file
- netdata: fix/standardize indentation in configuration files produced by `to_nice_yaml`
- homepage: fix homepage templating when the homepage role is not part of the same play as related roles
- shaarli: explicitly use php 7.4 packages, fix possible installation problems on Debian 11
- tests: fix and speed up `ansible-lint` tests, fix ansible-lint warnings
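The sysctl hardening entries in v1.9.0 above (ptrace restricted to CAP_SYS_PTRACE, TTY line discipline loading restricted to CAP_SYS_MODULE, FIFO write protection, kernel pointer hiding, BPF JIT hardening, IPv6 ICMP redirects disabled, reboot 60 seconds after a kernel panic) and the v1.7.0 entry disabling unprivileged BPF and user namespaces can be verified on a deployed host with the audit below. It is an added example, not xsrv's own check: the mapping from each changelog line to a kernel key, and the expected values, are this example's assumptions (compare with the `common` role defaults before relying on them), and `sysctl_value` and `audit_sysctl` are the example's own names. It reads a dump in `sysctl -a` format so it can also be run against a copied file offline.

```shell
#!/bin/sh
# Added example (not xsrv code): audit a sysctl dump against the hardening
# described in the v1.9.0 and v1.7.0 changelog entries. The key/value table is
# this example's own reading of those entries, not a copy of xsrv's settings.
set -eu

# One "key expected-value description" line per changelog entry.
EXPECTED_SYSCTL='
kernel.yama.ptrace_scope 2 ptrace only with CAP_SYS_PTRACE
dev.tty.ldisc_autoload 0 TTY line disciplines loadable only with CAP_SYS_MODULE
fs.protected_fifos 2 no opening of FIFOs owned by others in sticky world-writable dirs
kernel.kptr_restrict 2 hide kernel pointers even from root
net.core.bpf_jit_harden 2 BPF JIT hardening for all users
net.ipv6.conf.all.accept_redirects 0 ignore IPv6 ICMP redirects
net.ipv6.conf.default.accept_redirects 0 ignore IPv6 ICMP redirects on new interfaces
kernel.panic 60 reboot 60 seconds after a kernel panic
kernel.unprivileged_bpf_disabled 1 v1.7.0: unprivileged BPF disabled
kernel.unprivileged_userns_clone 0 v1.7.0: unprivileged user namespaces disabled (Debian kernels)
'

# Print the value of key $2 from dump file $1 ("key = value" or "key=value"
# lines, as produced by sysctl -a or found in sysctl.d); print nothing if absent.
sysctl_value() {
    awk -v k="$2" '
        index($0, "=") {
            i = index($0, "=")
            key = substr($0, 1, i - 1); sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
            if (key == k) {
                val = substr($0, i + 1); sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# Compare dump file $1 against EXPECTED_SYSCTL, print one line per key and
# return the number of keys that are missing or have an unexpected value.
audit_sysctl() {
    dump=$1
    failures=0
    while read -r key want why; do
        [ -n "$key" ] || continue
        have=$(sysctl_value "$dump" "$key")
        if [ "$have" = "$want" ]; then
            printf 'OK    %s = %s\n' "$key" "$have"
        else
            printf 'FAIL  %s = %s (expected %s: %s)\n' "$key" "${have:-<missing>}" "$want" "$why"
            failures=$((failures + 1))
        fi
    done <<EOF
$EXPECTED_SYSCTL
EOF
    return "$failures"
}

# Usage: sysctl -a 2>/dev/null > /tmp/sysctl.dump && ./audit.sh /tmp/sysctl.dump
if [ "${1:-}" ]; then
    audit_sysctl "$1"
fi
```

The exit status is the number of failing keys, so the script can run from a cron job or a monitoring check and a non-zero status means the host drifted from the expected hardening. A key reported as `<missing>` usually means the running kernel does not provide it (for example `kernel.unprivileged_userns_clone` outside Debian kernels), which is worth distinguishing from a wrong value.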
v1.6.0 Changes
March 17, 2022

Upgrade procedure:
- `xsrv self-upgrade` to upgrade the xsrv script
- `xsrv upgrade` to upgrade roles in your playbook to the latest release

Added:
- add rss_bridge role - the RSS feed for websites missing it
- monitoring_utils: install debsums utility for the verification of packages against a known-good database (by default, run weekly)
- common: cron: allow disabling cron setup (`setup_cron: yes/no`)
- monitoring_netdata: allow configuring netdata notification downtime periods (start/end)
- tests: automate basic testing of the xsrv command-line tool (`xsrv init-project xsrv-test my.example.org`)

Changed:
- common: cron: include the FQDN in subject when sending mail
- common: cron: log beginning and end of cron jobs
- all roles: replace netdata process checks/alarms with more accurate systemd unit checks, raise alarms/notifications when a service is in the failed state
- cleanup: standardize task names
- xsrv: init-project: allow adding a first host directly using `xsrv init-project [project] [host]`

Fixed:
- fix `check` mode support for self-signed certificate generation tasks/netdata configuration
- apt: fix automatic upgrades for packages installed from Debian Backports
- xsrv: fix error on new project creation/`init-playbook` - missing playbook directory
- xsrv: fix support for `XSRV_PROJECTS_DIR` environment variable
v1.5.0 Changes
February 25, 2022

Upgrade procedure:
- `xsrv self-upgrade` to upgrade the xsrv script
- `xsrv upgrade` to upgrade roles in your playbook to the latest release
- `TAGS=utils-debian10to11 xsrv deploy` to upgrade your host's distribution from Debian 10 "Buster" to Debian 11 "Bullseye". Debian 10 compatibility will not be maintained after this release.
- common/firewall: remove `firehol_*` variables from your configuration. Roles from the `xsrv` collection will automatically insert their own rules, if firewalld is deployed. If you had custom firewall rules in place/not related to xsrv roles, please port them to the new `firewalld` configuration.
- common/hosts: if the `hosts:` variable (hosts file entries) is used in your `host/group_vars`, rename it to `host_file_entries`. If `setup_hosts` is used in your `host/group_vars`, rename it to `setup_hosts_file`.
- mariadb: if you had the `nodiscc.xsrv.mariadb` role enabled, migrate to PostgreSQL, or use the archived `nodiscc.toolbox.mariadb` role.
- gitea/nextcloud/tt_rss: if any of these roles is listed in your playbook, ensure `nodiscc.xsrv.postgresql` is explicitly deployed before it.
- jellyfin/proxmox/docker: remove `jellyfin_auto_upgrade`, `proxmox_auto_upgrade` or `docker_auto_upgrade` variables from your configuration, if you changed the defaults. These settings are now controlled by the `apt_unattended_upgrades_origins_patterns` list; automatic upgrades are enabled by default for these components.
- jellyfin/samba: if you have both the `samba` and `jellyfin` roles enabled on a host, and want to keep using the jellyfin samba share for media storage, explicitly set `jellyfin_samba_share: yes` in the host's configuration variables.
- monitoring: remove `setup_monitoring_cli_utils: yes/no` and `setup_rsyslog: yes/no` variables from your configuration, if you changed the defaults. If you don't want monitoring utilities or rsyslog set up, enable individual `monitoring_netdata/rsyslog/utils` roles, instead of the global `monitoring` role.
- (optional) `xsrv check` to simulate changes.
- `xsrv deploy` to apply changes.

Added:
- add dnsmasq lightweight DNS server role
- common: add firewalld firewall management tool
- common: apt: allow configuration of allowed origins for unattended-upgrades
- common: packages: add `at` task scheduler
- monitoring: netdata: allow disabling specific plugins (`netdata_disabled_plugins`), disable `ebpf` plugin by default
- monitoring: lynis: enable lynis installation and daily reports by default
- common: ssh: fix lynis warning FILE-7524 (ensure `/root/.ssh` is mode 0700)
- common: mail/msmtp: allow disabling SMTP authentication/LOGIN (`msmtp_auth_enabled`), allow disabling SMTP server TLS certificate verification completely (`msmtp_tls_certcheck: yes/no`)
- common: mail/msmtp: allow disabling TLS (`msmtp_tls_enabled`)
- monitoring: netdata: automate testing netdata mail notifications (`TAGS=utils-netdata-test-notifications xsrv deploy`)
- monitoring: netdata: monitor systemd units state (timers/services/sockets)
- docker: add a nightly cleanup of unused docker images/containers/networks/build cache, allow disabling it through `docker_prune_nighlty: no`
- xsrv: add `xsrv help-tags` subcommand (show the list of ansible tags in the play and their descriptions)
- install ansible local fact files for each deployed role/component

Removed:
- common: remove firehol firewall management tool, remove `firehol_*` configuration variables
- common: firewall: remove ability to filter outgoing traffic, will be re-added later
- drop compatibility with Debian 9
- monitoring: remove `setup_monitoring_cli_utils: yes/no` and `setup_rsyslog: yes/no` variables
- common: fail2ban: remove `fail2ban_destemail` variable, always send mail to root
- mariadb: remove role, archive it to separate repository
- remove ansible tags `certificates lamp valheim valheim-server`

Changed:
- make all roles compatible with Debian 11
- common/firewall/all roles: let roles manage their own firewall rules if the `nodiscc.xsrv.firewalld` role is deployed
- all roles: refactor/performance: only flush handlers once, unless required otherwise, refactor service start/stop/enable/disable tasks
- common: fail2ban: ban offenders on all ports
- jellyfin: the jellyfin samba share automatic setup is now disabled by default (`jellyfin_samba_share_enabled: no`)
- apache/tt_rss/shaarli/nextcloud: make roles compatible with Debian 11 (PHP 7.4)
- jellyfin/proxmox/docker: remove `jellyfin_auto_upgrade`, `proxmox_auto_upgrade`, `docker_auto_upgrade` variables, add these origins to the default list of `apt_unattended_upgrades_origins_patterns`
- monitoring: split role into smaller `monitoring_rsyslog`/`monitoring_netdata`/`monitoring_utils` roles, make the `monitoring` role an alias for these 3 roles
- common: apt: explicitly install aptitude
- common: apt: remove unused packages after automatic upgrades
- common: apt: automatically remove unused dependency packages on every install/upgrade/remove operation
- common: fail2ban: increase maximum IP/attempts count retention to 1 year
- common: ssh: decrease SFTP logs verbosity to INFO by default
- common/graylog: apt: enable automatic upgrades for graylog/mongodb/elasticsearch packages by default (`apt_unattended_upgrades_origins_patterns`)
- gitea: upgrade to v1.16.0 [1], [2], [3], [4], [5]
- xsrv: upgrade ansible to 5.2.0
- gitea: cleanup/maintenance: update config file comments/ordering to reduce diff with upstream example file
- apache: relax permissions on apache virtualhost config files (make them world-readable)
- nextcloud: upgrade to 23.0.1 [1]
- nextcloud: add Nextcloud Bookmarks to the default list of apps (default disabled)
- xsrv/tools/doc: don't install python3-cryptography from pip, install from OS packages
- gitea/nextcloud/tt_rss: remove hard dependency on postgresql role
- openldap: remove hard dependency on common role
- transmission: log/show diff on configuration file changes
- netdata/docker: move `netdata_min/max_running_docker_containers` configuration variables to the `docker` role
- netdata: no longer install `python3-mysqldb`/mysql support packages
- mumble: force superuser password change task to never return "changed" (instead of always)
- doc: update documentation, document all ansible tags, refactor command-line usage doc
- refactoring: move fail2ban/samba/rsyslog/netdata/... tasks to separate task files inside each role
- tags: add `ssl` tag to all ssl-related tasks, add `rsnapshot-ssh-key` tag to all ssh-key-related tasks
- cleanup: remove unused tasks/improve deployment times

Fixed:
- fix integration between roles when roles are part of different plays: use ansible local facts installed by other roles to detect installed components, instead of checking the list of roles in the current play
- proxmox: fix missing ansible fact file template
- proxmox: fix APT configuration on Debian 10/11
- fix `check` mode compatibility issues, fix ansible-lint warnings
- common: ssh: fix creation of SFTP-only accounts (`bad ownership or modes for chroot directory`)
- common: ssh: fix root ssh logins when `ssh_permit_root_login: without-password/prohibit-password/forced-commands-only`
- monitoring: netdata: fix chart values incorrectly increased by 1 in debsecan module
- backup: fix mode/idempotence for `/root/.ssh` directory creation
- graylog: fix configuration file templating always returning changed in check mode
- default playbook/xsrv: fix invalid `"%%ANSIBLE_HOST%%"` value set by `xsrv init-host`
- common: hosts: fix warning: Found variable using reserved name: hosts
v1.4.0 Changes
December 17, 2021

Upgrade procedure:
- `xsrv self-upgrade` to upgrade the xsrv script
- `xsrv upgrade` to upgrade roles in your playbook to the latest release
- `xsrv deploy` to apply changes
- (optional) `TAGS=debian10to11 xsrv deploy` to upgrade your host's distribution from Debian 10 "Buster" to Debian 11 "Bullseye"
- (optional) remove custom `netdata_modtime_checks` from your configuration, if any (the modtime module was removed, use the filecheck module instead)

Added:
- add [proxmox](roles/proxmox) role (basic Proxmox VE hypervisor setup)
- add [valheim_server](roles/valheim_server) role (Valheim multiplayer game server)
- gitea: make number of issues per page configurable (`gitea_issue_paging_num`, increase to 20 by default)
- shaarli: make `hide_timestamp,header_link,debug,formatter` settings configurable
- monitoring: add lynis security audit tool (optional, default disabled), schedule a daily report
- monitoring/postgresql: allow netdata to monitor postgresql server
- docker: allow enabling unattended upgrades of docker engine packages (`docker_auto_upgrade: yes/no`)
- common: apt: allow enabling `contrib` and `non-free` software sections (`apt_enable_nonfree`)
- common: allow disabling hostname setup (`setup_hostname: yes/no`)
- common, monitoring: make roles compatible with Debian 11 "Bullseye"
- homepage: add link to graylog instance (when graylog role is enabled)
- monitoring: allow configuration of syslog retention duration, default to 186 days instead of 7
- monitoring: allow defining a number of maximum expected running docker containers (`netdata_max_running_docker_containers`)
- monitoring: add logwatch log analyzer, disable scheduled execution
- monitoring: install requirements for postgresql monitoring
- postgresql: add ability to enable/disable the service and enforce started/stopped/enabled/disabled state
- backup: make rsnapshot verbosity configurable
- backup: download rsnapshot's/root SSH public key to the controller (`public_keys/` directory)
- common: allow configuring the list of users allowed to use `crontab` (`linux_users_crontab_allow`)
- common: add a procedure for Debian 10 -> 11 upgrades
- common: add ability to add/remove entries from the hosts (`/etc/hosts`) file

Changed:
- nextcloud: upgrade to 22.2.3
- nextcloud: silence cron/background tasks output to prevent mail notification spam
- nextcloud: allow installation of ONLYOFFICE realtime collaborative document edition tools
- gitea: upgrade to 1.15.7
- gitea: update fail2ban login failure detection for gitea v1.15+
- common: sysctl: disable IP source routing for IPv6 (was already disabled for IPv4)
- common: msmtp: check that configuration variables have correct values/types when `msmtp_setup: yes`
- monitoring: increase netdata charts retention duration to ~7 days
- monitoring: allow disabling needrestart/logcount/debsecan modules installation
- monitoring: decrease alarm sensitivity for logcount module (warning on 10 alarms/min, critical on 100 errors/min)
- monitoring: disable lynis checks AUTH-9283 and FIRE-4512 by default (false positives)
- monitoring: only enable "number of running docker container" checks when the nodiscc.xsrv.docker role is enabled
- monitoring: update configuration for netdata > 1.30
- backup, monitoring: replace custom modtime module with built-in netdata filecheck module
- xsrv: rename top-level directory concept (playbook -> project)
- xsrv: logs: don't ask for sudo password if syslog is readable without it
- xsrv: switch to ansible "distribution" versioning, upgrade to 4.9.0 (ansible-core 2.11.6), update playbook for compatibility
- xsrv: store virtualenv inside the project directory, improve startup time
- homepage: update theme (use light theme), use web safe fonts
- apache: make role compatible with Debian 11 "Bullseye"
- backup: make dependency on monitoring role optional
- backup: ensure only `root` can read the rsnapshot configuration file
- backup: re-schedule monthly backups at 04:01 on the first day of the month
- all roles/monitoring: apply role-specific netdata/rsyslog configuration immediately after installing it
- default playbook: .gitignore data/ and cache/ directories
- doc: update/refactor documentation and roles metadata
- tools: improve automatic documentation generation
- refactor: refactor integration between roles (use ansible_local facts, fix integration when roles are not part of the same play)

Removed:
- nextcloud: disable deck app by default

Fixed:
- homepage: really update page title from `homepage_title` variable
- jellyfin: use `samba_shares_path` variable to determine samba shares path
- nextcloud: fix upgrade procedure order (upgrade incompatible apps)
- nextcloud: fix `check` mode on upgrades
- graylog: respect `elasticsearch_timeout_start_sec` value
- monitoring: netdata: enable gzip compression on web server responses, fix empty dashboard
- monitoring: fix netdata modtime module installation, remove obsolete tasks file
- monitoring: rsyslog: ensure that requirements for self-signed certificates generation are installed
- monitoring: ensure requirements for self-signed certificate generation are installed
- monitoring: also allow access to netdata.conf from `netdata_allow_connections_from` addresses
- monitoring: fix APT package manager logs aggregation to syslog
- tt_rss: fix permission denied errors when updating feeds
- homepage: fix grid responsiveness on mobile devices
- transmission: don't attempt to reload the service when it is disabled in host configuration
- don't ignore expected errors when not running in check mode

Security:
- nextcloud: fail2ban: fix log file location/login failures not detected by fail2ban
- common: automatically apply security updates for packages installed from Debian Backports
v1.3.1 Changes
June 24, 2021

Upgrade procedure:
- `xsrv upgrade` to upgrade roles in your playbook to the latest release
- `xsrv deploy` to apply changes

Fixed:
- common: msmtp: fix msmtp unable to read /etc/aliases (`/etc/aliases: line 1: invalid address`)
- common: msmtp: fix unreadable /etc/msmtprc configuration for unprivileged users
- nextcloud/apache/php: fix path to PHP APCU configuration file (really fix `cannot allocate memory` errors on nextcloud upgrades)
- tt_rss: fix/automate initial database population and schema upgrades, update documentation

Added:
- common: msmtp: allow disabling STARTTLS (`msmtp_starttls: yes/no`)
- backup: rsnapshot: don't update timestamp file after weekly/monthly backups (monitoring only measures time since the last successful daily backup)

Changed:
- nextcloud: upgrade to 20.0.10
- update documentation (virt-manager/add basic VM provisioning procedure)
v1.3.0 Changes
June 08, 2021

Upgrade procedure:
- `xsrv self-upgrade` to upgrade the xsrv script to the latest release
- `xsrv upgrade` to upgrade roles in your playbook to the latest release
- if you had defined custom `netdata_http_checks`, port them to the new `netdata_http_checks`/`netdata_x509_checks` syntax
- (optional/cleanup) `xsrv edit-vault`: remove all `vault_` prefixes from encrypted host variables; `xsrv edit-host`: remove all variables that are just `variable_name: {{ vault_variable_name }}` references
- (optional/cleanup) remove previous hardcoded/default `netdata_modtime_checks` and `netdata_process_checks` from your host variables
- (optional) `xsrv check` to simulate and review changes
- `xsrv deploy` to apply changes
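The two optional cleanup steps above (dropping `vault_` prefixes in the vault, and the matching `variable_name: {{ vault_variable_name }}` indirections in host variables) are easier to do safely after listing what will change. This added Python helper is not part of xsrv: it lists the indirections in a host variables file and flags any whose vault key would not line up with the host variable name once the prefix is dropped. The host/vault contents and variable names are constructed samples.

```python
import re

# Constructed sample of a host variables file (what `xsrv edit-host` opens) that still
# carries the `variable_name: {{ vault_variable_name }}` indirections the upgrade removes.
SAMPLE_HOST_VARS = """\
nextcloud_admin_password: "{{ vault_nextcloud_admin_password }}"
gitea_admin_password: '{{ vault_gitea_admin_password }}'
backup_password: "{{ vault_rsnapshot_password }}"
msmtp_port: 587
"""

# Constructed sample of the decrypted vault (what `xsrv edit-vault` opens).
SAMPLE_VAULT = """\
vault_nextcloud_admin_password: CHANGEME
vault_gitea_admin_password: CHANGEME
vault_rsnapshot_password: CHANGEME
"""

# A top-level `name: {{ vault_name }}` line; the Jinja expression may be quoted or not.
INDIRECTION_RE = re.compile(
    r"""^(?P<key>[A-Za-z_]\w*):\s*["']?\{\{\s*(?P<vault_key>vault_\w+)\s*\}\}["']?\s*$"""
)
VAULT_KEY_RE = re.compile(r"^(?P<vault_key>vault_\w+):")

def find_indirections(host_vars_text):
    """Return (line_number, key, vault_key) for every line that is a pure vault indirection."""
    found = []
    for lineno, line in enumerate(host_vars_text.splitlines(), start=1):
        match = INDIRECTION_RE.match(line)
        if match:
            found.append((lineno, match.group("key"), match.group("vault_key")))
    return found

def find_vault_prefixed_keys(vault_text):
    """Return the top-level vault keys that still carry the `vault_` prefix."""
    return [m.group("vault_key") for m in map(VAULT_KEY_RE.match, vault_text.splitlines()) if m]

def cleanup_plan(host_vars_text, vault_text):
    """Pair each indirection with its vault key. An indirection whose vault key is not
    exactly `vault_` + key would change name once the prefix is dropped, so it is flagged."""
    vault_keys = set(find_vault_prefixed_keys(vault_text))
    plan = {"remove_from_host": [], "rename_in_vault": [], "unresolved": []}
    for _, key, vault_key in find_indirections(host_vars_text):
        if vault_key == "vault_" + key and vault_key in vault_keys:
            plan["remove_from_host"].append(key)
            plan["rename_in_vault"].append((vault_key, key))
        else:
            plan["unresolved"].append((key, vault_key))
    return plan
```

Entries in `unresolved` need a manual decision (rename the vault key to the host variable name, or keep that one indirection) before running `xsrv check`.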
Removed:
- default playbook: remove hardcoded `netdata_modtime_checks` and `netdata_process_checks` (roles will automatically configure relevant checks)
- default playbook/all roles: remove `variable_name: {{ vault_variable_name }}` indirections/references
- monitoring/netdata: remove ability to configure netdata modules git clone URLs (`netdata_*_git_url` variables), always clone from upstream
- monitoring/netdata: remove support for `check_x509` parameter in `netdata_httpchecks`
- monitoring/rsyslog: remove hardcoded, service-specific configuration
Added:
- add graylog log analyzer role
- add gotty role
- monitoring/rsyslog: add ability to forward logs to a remote syslog/graylog server over TCP/SSL/TLS (add `rsyslog_enable_forwarding`, `rsyslog_forward_to_hostname` and `rsyslog_forward_to_port` variables)
- jellyfin/common/apt: enable automatic upgrades for jellyfin by default (`apt_unattended_upgrades_origins_patterns`)
- monitoring: support all httpcheck parameters in `netdata_http_checks`
- monitoring/netdata: add `netdata_x509_checks` (list of x509 certificate checks, supports all x509check parameters)
- rocketchat: allow disabling rocketchat/mongodb services (`rocketchat_enable_service: yes/no`)
- xsrv: add `xsrv edit-group` subcommand (edit group variables - default group: `all`)
- xsrv: add `xsrv ls` subcommand (list files in the playbooks directory - accepts a path)
- xsrv: add `xsrv edit-requirements` subcommand (edit ansible collections/requirements)
- xsrv: add `xsrv edit-cfg` subcommand (edit ansible configuration/`ansible.cfg`)
- xsrv: add syntax highlighting to default text editor/pager (nano - requires manual installation of yaml syntax highlighting file), improve display
- homepage: add favicon
- common: msmtp: make outgoing mail port configurable (`msmtp_port`, default `587`)
Changed:
- gitea: enable API by default (`gitea_enable_api`)
- gitea: upgrade gitea to 1.14.2
- openldap: upgrade ldap-account-manager to 7.5
- nextcloud: upgrade nextcloud to 21.0.2
- rocketchat: update rocket.chat to 3.15.0
- homepage: switch to a responsive grid layout
- monitoring: decrease logcount warning alarm sensitivity, warn when error rate >= 10/min
- monitoring/all roles: let roles install their own syslog aggregation settings, if the `nodiscc.xsrv.monitoring` role is enabled
- monitoring/needrestart: by default, automatically restart services that require it after a security update (`needrestart_autorestart_services: yes`)
- monitoring/netdata/default playbook: let roles install their own HTTP/x509/modtime/port checks under `/etc/netdata/{python,go}.d/$module_name.conf.d/*.conf`, if the `nodiscc.xsrv.monitoring` role is enabled
- apache/common/mail: forward all local mail from `www-data` to `root` - allows `root` to receive webserver cron jobs output
- apache/monitoring: disable aggregation of access logs to syslog by default, add variable allowing to enable it (`apache_access_log_to_syslog`)
- common: cron: ensure only root can access cron job files and directories (CIS 5.1.2 - 5.1.7)
- common: ssh: lower maximum concurrent unauthenticated connections to 60
- common/mail: don't overwrite `/etc/aliases`, ensure `root` mail is forwarded to the configured user (set to `ansible_user` by default)
- docker: speed up role execution - don't force APT cache update when not necessary
- transmission: disable automatic backups of the downloads directory by default, add `transmission_backup_downloads: yes/no` variable allowing to enable it
- rocketchat/monitoring: disable HTTP check when rocketchat service is explicitly disabled in the configuration
- mumble/checks: ensure that `mumble_welcome_text` is set
- transmission/jellyfin: allow jellyfin to read/write transmission downloads directory
- tools: add Pull Request template, speed up Gitlab CI test suite (prebuild an image with required tools)
- update ansible tags
- update roles metadata, remove coupling/dependencies between roles unless strictly required, make `nodiscc.xsrv.common` role mostly optional
- xsrv: cleanup/reorder/DRY/refactoring, make `self-upgrade` safer
- doc: update documentation/formatting, fix manual backup command, fix ssh-copy-id instructions
Fixed:
- jellyfin: fix automatic samba share creation
- common: fix `linux_users` creation when no `authorized_ssh_keys`/`sudo_nopasswd_commands` are defined
- common: users: allow creation of `linux_users` without a password (login to these user accounts will be denied, SSH login with authorized keys is still possible if the user is in the `ssh` group)
- samba: fix error on LDAP domain creation
- nextcloud: fix condition for dependency on postgresql role
- nextcloud: fix `allowed memory size exhausted` during nextcloud upgrades
- openldap: fix condition for dependency on apache role
- rsyslog: fix automatic aggregation of fail2ban logs to syslog
- rocketchat: fix automatic backups when the service is disabled
- samba/rsnapshot/gitea: fix role when running in 'check' mode, fix idempotence
- tools: fix release procedure/ansible-galaxy collection publication
- xsrv: fix wrong inventory formatting after running `xsrv init-host`
- remove unused/duplicate/leftover task files
- fix typos
Security:
- common: fail2ban: fix bantime for ssh jail (~49 days)