All Versions
Latest Version
Avg Release Cycle
46 days
Latest Release
571 days ago

Changelog History
Page 2

  • v1.2.2 Changes

    April 01, 2021

    ๐Ÿš€ Upgrade procedure: xsrv upgrade to upgrade roles in your playbook to the latest release

    ๐Ÿ›  Fixed:

    • samba: fix nscd default log level, update samba default log level

    Full changes since v1.2.1

  • v1.2.1 Changes

    April 01, 2021

    ๐Ÿš€ Upgrade procedure: xsrv upgrade to upgrade roles in your playbook to the latest release

    ๐Ÿ›  Fixed:

    • tt_rss: fix initial tt-rss schema installation (file has moved)

    โšก๏ธ samba: fix nscd default log level, update samba default log level

    Full changes since v1.2.0

  • v1.2.0 Changes

    March 27, 2021

    โž• Added:

    • ๐Ÿ”ง homepage: add configurable message/paragraph to homepage (homepage_message)
    • add ability to configure multiple aliases/valid domain names for the homepage virtualhost (homepage_vhost_aliases: [])
    • ๐ŸŽ nextcloud: improve performance (auto-add missing primary keys/indices in database, convert columns to bigint)

    โœ‚ Removed:

    • openldap: remove self_service_password_keyphrase variable (unused since tokens/SMS/question based password resets are disabled)
    • ๐Ÿšš common: ssh: cleanup/remove unused MatchGroup rsyncasroot directive

    ๐Ÿ”„ Changed:

    • ๐ŸŒฒ common: sysctl: enable logging of martian packets
    • common: sysctl: ensure sysctl settings also apply to all network interfaces added in the future
    • 0๏ธโƒฃ common: ssh: set loglevel to VERBOSE by default
    • ๐Ÿ”Š samba: increase log level, enable detailed authentication success/failure logs, clarify log prefix
    • ๐Ÿ“š update documentation

    ๐Ÿ›  Fixed:

    • rocketchat: fix role idempotence (ownership of data directories)

    ๐Ÿ”’ Security:

    • rocketchat: fix port 3001 exposed on instead of localhost-only/firewall bypass
    • โšก๏ธ gitea: update to v1.13.6

    Full changes since v1.1.0

  • v1.1.0 Changes

    March 14, 2021

    โž• Added:

    • โฌ†๏ธ xsrv: add self-upgrade command
    • monitoring: add netdata-debsecan module
    • common: ensure NTP service is started
    • ๐Ÿ”ง common: make timezone configurable (default to not touching the timezone)
    • ๐Ÿ“š openldap: add Self Service Password password reset tool (fixes #401)
      • requires manual configuration of self_service_password_fqdn and vault_self_service_password_keyphrase
      • auto-configure apache and selfsigned or letsencrypt certificates + php-fpm.
      • by default only allow access from LAN/private addresses in self_service_password_allowed_hosts
      • when samba role is enabled, use the LDAP admin DN to access the directory (required to be able to change sambaNtPassword attribute)
      • make various settings configurable, add correctness checks for all variables
    • ๐Ÿ”ง openldap: make log level configurable
    • homepage: add jellyfin/self-service-password links (when relevant roles/variables are enabled)
    • ๐Ÿ“š jellyfin: add LDAP authentication documentation
    • ๐Ÿ”ง jellyfin: add fail2ban configuration/bruteforce prevention on jellyfin login attempts
    • jellyfin/backup: add automatic backups (only backup db/metadata/configuration by default, allow enabling media directory backups with jellyfin_enable_media_backups)
    • 0๏ธโƒฃ jellyfin: create subdirectories for each library type under the default media directory/jellyfin samba share
    • samba/backup: allow disabling automatic backups of samba shares (samba_enable_backups)
    • ๐ŸŒฒ shaarli/monitoring: aggregate data/log.txt to syslog using the imfile module

    ๐Ÿ”„ Changed:

    ๐Ÿ›  Fixed:

    • 0๏ธโƒฃ xsrv: fix show-defaults command (by default display all role defaults for the default playbook)
    • homepage: fix mumble and ldap-account-manager links
    • samba: fix duplicate execution of the openldap role when samba uses LDAP passdb backend
    • rocketchat: fix variable checks not being run before applying the role
    • rocketchat: fix permissions/ownership of mongodb/rocketchat data directories
    • tt_rss: fix error 'Please set SELF_URL_PATH to the correct value detected for your server'
    • samba/jellyfin: fix automatic jellyfin samba share creation, fix permissions on jellyfin samba share
    • monitoring: fix ansible --check mode when netdata is not installed yet
    • ๐Ÿ”Š shaarli: set apache directoryindex to index.php, prevent error messages in logs at every page access

    ๐Ÿšง Tools/maintenance:

    • ๐Ÿ–จ Makefile: add a make changelog target (print commits since last tag)
    • ๐Ÿš€ Makefile: automate release procedure make release
    • tt-rss: cleanup/grouping
    • 0๏ธโƒฃ roles/*/defaults/main.yml: add header for all defaults files
    • โฌ†๏ธ upgrade ansible to 2.10.7 -
    • ๐Ÿšš move TODOs to issues

    Full changes since v1.0.0

  • v1.0.0 Changes

    February 12, 2021

    ๐Ÿš€ This is a major rewrite of To upgrade/migrate from previous releases, you must redeploy services to a new instance, and restore user data from backups/exports.

    ๐Ÿ“š This releases improves usability, portability, standards compliance, separation of concerns, performance, documentation, security, simplifies installation and usage, and adds new features to all roles/components. A summary of changes is included below. See []( for more information.

    xsrv command-line tool

    • ๐Ÿ‘Œ improve/simplify command-line usage, see xsrv help
    • ๐Ÿ”จ refactor main script/simplify/cleanup
    • ๐Ÿ‘‰ use pwgen (optional) to generate random passwords during host creation
    • ๐Ÿ‘‰ make installation to $PATH and use of sudo optional
    • โฌ†๏ธ use ansible-galaxy collections for role upgrades method

    ๐Ÿ”จ example playbook: refactor:

    • add examples for playbook, inventory, group_vars and host_vars (cleartext and vaulted) files
    • 0๏ธโƒฃ disable all but essential roles by default. Additional roles should be enabled manually by the admin
    • 0๏ธโƒฃ firewall: by default, allow incoming traffic for netdata dashboard from LAN (monitoring role is enabled by default)
    • 0๏ธโƒฃ firewall: by default, allow incoming SSH from anywhere (key-based authentication is enabled so this is reasonably secure)
    • 0๏ธโƒฃ firewall: by default, allow HTTP/HTTPS access from anywhere (required for let's encrypt http-01 challenge, and apache role is enabled by default)
    • ๐Ÿ”ง firewall: change the default policy for the 'global' firehol_network definition to RETURN (changes nothing in the default configuration, makes adding other network definitions easier)
    • 0๏ธโƒฃ doc: add firewall examples for all services (only from LAN by default)
    • doc: add example .gitlab-ci.yml
    • 0๏ธโƒฃ ansible/all roles: use ansible-vault as default storage for sensitive values
    • ansible: use .ansible-vault-password as vault password file
    • ansible: speed up ansible SSH operations using controlmaster and pipelining SSH options
    • host_vars: add a netdata check for successful daily backups
    • host_vars: add netdata process checks for ssh, fail2ban, ntp, httpd, sql
    • 0๏ธโƒฃ host_vars: auto-restart services by default when needrestart detects a restart is required
    • โœ‚ remove unused directories, cleanup

    ๐Ÿ”จ common: refactor role:

    • import from
    • โšก๏ธ unattended-upgrades: allow automatic upgrades from stable-updates repository
    • โฌ†๏ธ unattended-upgrades: install apt-listchanges (mail with a summary of changes will be sent to the server admin)
    • ๐Ÿ‘‰ add ansible_user_allow_sudo_rsync_nopasswd option (allow ansible user to run sudo rsync without password)
    • ๐Ÿ”ง msmtp: require manual configuration of msmtp host/username/password (if msmtp installation is enabled)
    • ๐Ÿ”ง dns: add ability to configure multiple DNS nameservers in /etc/resolv.conf
    • ๐Ÿ“ฆ packages: enable haveged installation by default
    • ๐Ÿ“ฆ packages: don't install pwgen/secure-delete/autojump by default, add man package
    • ๐Ÿšš sshd: remove deprecated UsePrivilegeSeparation option
    • ๐Ÿ”ง sshd: make ssh server log level, PasswordAuthentication, AllowTcpForwarding and PermitRootLogin options configurable
    • sshd: fix accepted environment variables LANG,LC_* accepted from the client
    • sshd: explicitely deny AllowTcpForwarding, AllowAgentForwarding, GatewayPorts and X11Forwarding for the sftponly group
    • sshd: add [email protected] KexAlgorithm
    • ๐Ÿณ firewall: add an option to generate firewall rules compatible with docker swarm routing/port forwarding
    • 0๏ธโƒฃ firewall: allow outgoing mail submission/port 587 by default
    • firewall: make firewall config file only readable by root
    • firewall: use an alias/variable to define LAN IP networks, templatize
    • ๐Ÿ”ง firewall/fail2ban: prevent firehol from overwriting fail2Ban rules, remove interaction/integration between services, split firewall/fail2ban configuration tasks, add ability to disable both
    • ๐Ÿ”ง fail2ban: make more settings configurable (destination e-mail, default findtime/maxretry/bantime)
    • users: simplify management, remove remotebackup options/special remotebackup user/tasks
    • ๐Ÿ‘‰ users: linux_users is now compatible with ansible users module syntax, with added ssh_authorized_keys and sudo_nopasswd_commands parameters
    • users: fix user password generation (use random salt, make task idempotent by setting update_password: on_create by default)
    • ๐Ÿ‘‰ users: ensure ansible user home is not world-readable

    ๐Ÿ”จ monitoring: refactor role:

    • import from
    • 0๏ธโƒฃ netdata: add ssl/x509 expiration checks, make http check timeout value optional, default to 1s)
    • ๐Ÿ“ฆ netdata: allow installation from deb packages/packagecloud APT repository, make it the default
    • ๐ŸŒฒ netdata: decrease frequency of apache status checks to 10 seconds (decrease log spam)
    • netdata: disable access logs and debug logs by default (performance), add netdata_disable_*_log variables to configure it
    • netdata: disable cloud/SaaS features by default, add netdata_cloud_enabled variable to configure it
    • ๐ŸŒ netdata: disable web server gzip compression since we only use ssl
    • ๐Ÿ”ง netdata: install and configure, disable notifications by default
    • ๐Ÿ”ง netdata: install and configure module
    • ๐Ÿ”ง netdata: make dbengine disk space size and memory page cache size configurable
    • netdata: monitor mysql server if mariadb role is enabled (add netdata mysql user)
    • ๐Ÿ”ง netdata: add default configuration for health notifications
    • ๐Ÿš€ netdata: upgrade to latest stable release
    • 0๏ธโƒฃ rsyslog: aggregate all log messages to /var/log/syslog by default
    • โฌ†๏ธ rsyslog: monitor samba, gitea, mumble-server, openldap, nextcloud, unattended-upgrades and rsnapshot log files with imfile module (when corresponding roles are enabled)
    • ๐Ÿ”Š rsyslog: make aggregation of apache access logs to syslog optional, disable by default
    • ๐Ÿ”Š rsyslog: disable aggregation of netdata logs to syslog by default (very noisy, many false-positive ERROR messages)
    • ๐Ÿ”Š rsyslog: discard apache access logs caused by netdata apche monitoring
    • 0๏ธโƒฃ needrestart: don't auto-restart services by default
    • extend list of command-line monitoring tools (lsof/strace)
    • ๐Ÿ“š various fixes, reorder, cleanup, update documentation, fix role/certificate generation idempotence, make more components optional

    backup role

    • import from
    • ๐Ÿšš auto-load rsnapshot configuration from /etc/rsnapshot.d/.conf, remove hardcoded xsrv roles integration
    • ๐Ÿ”ง check rsnapshot configuration after copying files
    • restrict access to backups directory to root only
    • ๐Ÿ‘ท redirect cron job stdout to /dev/null, only send errors by mail
    • write rsnapshot last success time to file (allows monitoring the time since last successful backup)
    • store ssh public key to ansible facts (this will allow generating a human readable document/dashboard with hosts information)

    ๐Ÿ”จ lamp role: refactor:

    apache role:

    • ๐Ÿ”จ import/refactor/split role from
    • ๐Ÿšš use apache mod-md for Let's Encrypt certificate generation, remove certbot and associated ansible tasks
    • ๐Ÿšš switch to php-fpm interpreter, remove mod_php
    • switch to mpm_event, disable mpm_worker
    • switch to HTTP2
    • โœ‚ remove ability to create custom virtualhosts
    • โœ‚ remove automatic homepage generation feature (will be split to separate role)
    • enforce fail2ban bans on HTTP basic auth failures
    • 0๏ธโƒฃ set the default log format to vhost_combined (all vhosts to a single file)
    • rename cert_mode variable to https_mode
    • 0๏ธโƒฃ don't enable mod-deflate by default
    • ๐Ÿ‘ add variable apache_allow_robots (allow/disabllow robots globally, default no)
    • โž• add hard dependency on common role
    • โšก๏ธ update doc, cleanup, formatting, add screenshot
    • ๐Ÿ”ง require manual configuration of the letsencrypt admin email address
    • ๐Ÿ”’ disable X-Frame-Options header as Content-Security-Policy frame-ancestors replaces/obsoletes it
    • ๐Ÿ”’ disable setting a default Content-Security-Policy, each application is responsible for setting an appropriate CSP
    • mark HTTP->HTTPS redirects as permanent (HTTP code 301)
    • exclude /server-status from automatic HTTP -> HTTPS redirects
    • 0๏ธโƒฃ ensure the default/fallback vhost is always the first in load order, raise HTTP error 403 and autoindex:error when accessing the default vhost

    ๐Ÿ”จ nextcloud: refactor role:

    • import from
    • โฌ†๏ธ determine appropriate setup procedure depending on whether nextcloud is already installed or not, installed version and current role version (installation/upgrades are now idempotent)
    • add support for let's encrypt certificates (use mod_md when nextcloud_rss_https_mode: letsencrypt. else generate self-signed certificates)
    • ๐Ÿ‘‰ use ansible local fact file to store nextcloud installed version
    • ensure correct/restrictive permissions are set
    • ๐Ÿ‘Œ support postgresql as database engine, make it the default
    • ๐Ÿ”ง move apache configuration steps to separate file, add full automatic virtualhost configuration for nextcloud
    • reorder setup procedure (setup apache last)
    • enable additional php modules
    • reload apache instead of restarting when possible
    • ๐Ÿ”ง make basic settings configurable through ansible (FQDN, install directory, full URL, share_folder...)
    • ๐Ÿ”ง require manual configuration of nextcloud FQDN
    • enforce fail2ban bans on nextcloud login failures
    • โฌ†๏ธ upgrade nextcloud to latest stable version (
    • โฌ†๏ธ upgrade all nextcloud apps to latest compatible versions
    • ๐Ÿ”ง make installed/enabled applications configurable
    • enable APCu memcache
    • gallery app replaced with photos app
    • optional integration with backup role, delegate database backups to the respective database role (mariadb/postgresql)
    • โž• add deck, notes, admin_audit and maps apps
    • โž• add php-fpm configuration
    • ๐Ÿ‘ท run background jobs via cron every 5 minutes

    Migrating Nextcloud data to Postgresql from a MySQL-based installation: