All Versions: 15 · Avg Release Cycle: 46 days · Latest Release: 496 days ago

Changelog History

  • v1.10.0 Changes

    November 19, 2022

    ⬆️ Upgrade procedure:

    • 🚀 xsrv upgrade to upgrade roles/ansible environments to the latest release
    • 🚚 move the public_keys/ directory from the root of your project directory to the data/ directory.
    • 🚚 if it exists, move the certificates/ directory from the root of your project directory to the data/ directory.
    • common: if you had changed the variable os_security_kernel_enable_core_dump from its default value in your hosts/groups configuration, rename it to [kernel_enable_core_dump](https://gitlab.com/nodiscc/xsrv/-/blob/master/roles/common/defaults/main.yml)
    • graylog/monitoring_rsyslog: move the *-graylog-ca.crt file from the public_keys/ directory to the data/certificates/ directory (create it if it does not exist)
    • openldap: self-service-password: if you had changed the variable self_service_password_allowed_hosts from its default value in your host/groups configuration, update it to the new format (YAML list instead of a list of addresses separated by spaces):
  • v1.9.0 Changes

    September 18, 2022

    ⬆️ Upgrade procedure:

    • ⬆️ xsrv self-upgrade to upgrade the xsrv script
    • 🚀 xsrv upgrade to upgrade roles/ansible environments to the latest release
    • gitea: if you rely on custom git hooks for your projects, set gitea_enable_git_hooks: yes in the host configuration/vars file (xsrv edit-host)
    • 🚀 xsrv deploy to apply changes

    ➕ Added:

    ✂ Removed:

    🔄 Changed:

    • 0️⃣ gitea: disable git hooks by default
    • 🚀 gitea: upgrade to v1.17.2 [1] [2] [3] [4]
    • 🚀 openldap: update self-service-password to v1.5.1 [1] [2]
    • 🚀 nextcloud: upgrade to v24.0.5 [1] [2]
    • 🚀 postgresql: update pgmetrics to v1.13.1
    • 0️⃣ shaarli: hardening: run shaarli under a dedicated shaarli user account (don't use the default shared www-data user)
    • ⬆️ xsrv: upgrade ansible to v6.4.0
    • 🌐 nextcloud/netdata: mitigate frequent httpcheck alarms on the nextcloud web service response time (httpcheck_web_service_unreachable) by increasing the timeout of the check to 3s
    • common: sysctl: automatically reboot the host after 60 seconds in case of kernel panic
    • 🌲 common: hardening: ensure /var/log/wtmp is not world-readable
    • 🔒 common: login/ssh: hardening: kill user processes when an interactive user logs out (except for root). Lock idle login sessions after 15 minutes of inactivity.
    • 0️⃣ common: ssh: hardening: replace the server's default 2048-bit RSA keypair with a 4096-bit keypair
    • 🔧 common: sudo: hardening: configure sudo to run processes in a pseudo-terminal
    • common: users/pam: hardening: increase the number of rounds for hashing group passwords
    • common: sysctl: hardening: only allow root/users with CAP_SYS_PTRACE to use ptrace
    • 0️⃣ common: sysctl: hardening: disable more kernel modules by default (bluetooth, audio I/O, USB storage, USB MIDI, UVC/V4L2/CPIA2 video devices, thunderbolt, floppy, PC speaker beep)
    • common: sysctl: hardening: restrict loading TTY line disciplines to the CAP_SYS_MODULE capability
    • common: sysctl: hardening: protect against unintentional writes to an attacker-controlled FIFO
    • common: sysctl: hardening: prevent even the root user from reading kernel memory maps
    • common: sysctl: hardening: enable BPF JIT hardening
    • 👍 common: sysctl: hardening: disable ICMP redirect support for IPv6
    • all roles: require ansible-core>=2.12/ansible>=6.0.0
    • 🚀 common: improve check mode support before first deployment
    • ✅ tools/tests: improve/simplify test tools

    🛠 Fixed:

    • common: users: fix errors during creation of sftponly user accounts when no groups are defined in the user definition

    Full changes since v1.8.1


  • v1.8.1 Changes

    July 10, 2022

    ⬆️ Upgrade procedure:

    • 🚀 xsrv upgrade to upgrade roles/ansible environments to the latest release
    • 🚀 xsrv deploy to apply changes

    🛠 Fixed:

    • backup/rsnapshot: fix rsnapshot installation, always install from Debian repositories

    Full changes since v1.8.0


  • v1.8.0 Changes

    July 04, 2022

    ⬆️ Upgrade procedure:

    • ⬆️ xsrv self-upgrade to upgrade the xsrv script
    • 🚀 xsrv upgrade to upgrade roles/ansible environments to the latest release
    • gitea/gotty/graylog/homepage/jellyfin/nextcloud/openldap/rocketchat/rss_bridge/shaarli/transmission/tt_rss: ensure the apache role or equivalent is explicitly deployed to the host before deploying any of these roles.
    • jellyfin/samba: if both jellyfin and samba roles are deployed on the same host, ensure samba is deployed before jellyfin (xsrv edit-playbook)
    • valheim_server: if you are using the valheim_server role, update requirements.yml (xsrv edit-requirements) and playbook.yml (xsrv edit-playbook) to use the archived nodiscc.toolbox.valheim_server role instead.
    • 🚀 xsrv deploy to apply changes

    ➕ Added:

    • add mail_dovecot role - IMAP mailbox server
    • monitoring: netdata: allow streaming charts data/alarms to/from other netdata nodes (netdata_streaming_*)
    • monitoring: netdata: enable monitoring of hard drives SMART status
    • ✅ xsrv: add xsrv ssh subcommand (alias for shell)
    • openldap: allow secure LDAP communication over SSL/TLS on port 636/tcp (use a self-signed certificate)
    • 🔧 common: allow disabling PAM/user accounts configuration tasks (setup_users: yes/no)
    • common: allow blacklisting unused/potentially insecure kernel modules (kernel_modules_blacklist), disable unused network/firewire modules by default
    • common: automatically remove (purge) configuration files of removed packages, nightly, enabled by default (apt_purge_nightly: yes/no)
    • common: attempt to automatically repair (fsck) failed filesystems on boot
    • 🐳 docker: allow enabling automatic firewall/iptables rules setup by Docker (docker_iptables: no/yes)
    • 🐳 docker: install requirements for logging in to private docker registries
    • openldap: self-service-password/ldap-account-manager: make LDAP server URI configurable (*_ldap_url)
    • openldap: ldap-account-manager: allow specifying a trusted LDAPS server certificate (ldap_account_manager_ldaps_cert)
    • 🔧 samba: make events logged by full_audit configurable (samba_log_full_audit_success_events)
    • shaarli: add an option to configure thumbnail generation mode (shaarli_thumbnails_mode) and default number of links per page (shaarli_links_per_page, default 30)
    • postgresql: download pgmetrics report to the controller when running TAGS=utils-pgmetrics
    • 📚 all roles: checks: add an info message pointing to roles documentation when one or more variables are not correctly defined
    • ✅ xsrv: xsrv help-tags will now parse tag descriptions from custom roles in roles/ in addition to collections
    • 📦 monitoring: utils: add iputils-ping package (ping utility)

    ✂ Removed:

    • common: firewalld/mail/msmtp: drop compatibility with Debian 10
    • 🚚 valheim_server: remove role, archive it to separate repository (installs non-free components)

    🔄 Changed:

    • netdata: needrestart: don't send e-mail notifications for needrestart alarms
    • netdata: debsecan: refresh debsecan reports every 6 hours instead of every hour
    • netdata: disable metrics gathering for /dev and /dev/shm virtual filesystems
    • all roles: check all variable values before failing, when one or more variables are not correctly defined
    • ⚡️ tt_rss: don't send feed update errors by mail, log them to syslog
    • xsrv: always use the first host/group in alphabetical order when no host/group is specified
    • ⬆️ xsrv: upgrade ansible to v5.10.0
    • apache/proxmox: only setup fail2ban when it is marked as managed by ansible through ansible local facts
    • common: ssh: increase the frequency of "client alive" messages to 1 every 5 minutes
    • common: ssh/users: don't allow login for users without an existing home directory
    • apache: rsyslog: prefix apache access logs with apache-access: in syslog when apache_access_log_to_syslog: yes
    • homepage: improve homepage styling/layout, link directly to ssh:// and sftp:// URIs
    • 0️⃣ homepage: reword default homepage_message
    • 0️⃣ shaarli: default to generating thumbnails only for common media hosts
    • transmission: firewall: always allow bittorrent peer traffic from the public zone
    • monitoring_utils: lynis: review and whitelist inapplicable "suggestion" level report items (lynis_skip_tests)
    • 🚀 nextcloud: upgrade to v24.0.1 [1] [2] [3]
    • 🚀 gitea: upgrade to v1.16.8 [1] [2] [3]
    • ⬆️ openldap: ldap-account-manager: upgrade to v7.9.1
    • 🚀 rss_bridge: upgrade to v2022-06-14
    • 🚀 postgresql: update pgmetrics to v1.13.0
    • gitea/gotty/graylog/homepage/jellyfin/nextcloud/openldap/rocketchat/rss_bridge/shaarli/transmission/tt_rss: remove hard dependency on apache role
    • 🔧 cleanup: proxmox: use a single file to configure proxmox APT repositories
    • cleanup: apache: ensure no leftover mod-php installations are present
    • 🔧 cleanup: common: users: move PAM configuration to the main limits.conf configuration file
    • 📚 cleanup/tools: improve check mode support, standardize task names, remove unused template files, make usage of ansible_facts consistent in all roles, clarify xsrv script, reorder functions by purpose/component, automate documentation generation, improve tests/release procedure, automate initial check mode/deployment/idempotence tests
    • 📚 update documentation

    🛠 Fixed:

    • xsrv: init-project: fix inventory not correctly initialized
    • xsrv: fix xsrv shell/fetch-backups when a non-default XSRV_PROJECTS_DIR is specified by the user
    • common: ssh: fix confusion between AcceptEnv and PermitUserEnvironment settings
    • all roles: monitoring/netdata: fix systemd services health checks not loaded by netdata
    • apache: monitoring/rsyslog: fix rsyslog config installation when running with only --tags=monitoring
    • 🔧 graylog: fix elasticsearch/graylog unable to start caused by too strict permissions on configuration files
    • openldap: ldap-account-manager: fix access to tree view
    • 🚀 homepage: fix homepage generation when the mumble role was deployed from a different play
    • 0️⃣ jellyfin/samba: fix jellyfin samba share creation when samba role is not part of the same play
    • samba: fix samba_passdb_backend: ldapsam mode when openldap role is not part of the same play
    • ✅ xsrv: fetch-backups: use the first host in alphabetical order, when no host is specified
    • monitoring: rsyslog: add correctness checks for syslog_retention_days variable
    • monitoring: netdata/needrestart: fix needrestart_autorestart_services value not taken into account when true
    • shaarli/transmission: fix *_https_mode variable checks
    • doc: fix broken links

    🔒 Security:

    • proxmox: fail2ban: fix detection of failed login attempts

    Full changes since v1.7.0


  • v1.7.0 Changes

    April 22, 2022

    ⬆️ Upgrade procedure:

    • ⬆️ xsrv self-upgrade to upgrade the xsrv script
    • 🚀 xsrv upgrade to upgrade roles/ansible environments to the latest release
    • ⬆️ this upgrade will cause Nextcloud instances to go down for a few minutes, depending on the number of files in their data directory

    ➕ Added:

    • 🚀 xsrv: add init-vm command (initialize a ready-to-deploy libvirt VM from a template)
    • ✅ xsrv: add edit-group-vault command (edit encrypted group variables file)
    • 🌲 common: make cron jobs log level configurable (cron_log_level)
    • common: apt: clean downloaded package archives every 7 days by default (apt_clean_days)
    • netdata: allow configuring the fping plugin (ping hosts/measure loss/latency) (netdata_fping_*)
    • netdata: make netdata filechecks configurable (netdata_file_checks)
    • 🚀 transmission/gotty/jellyfin/docker: monitoring/netdata: raise alarms when corresponding systemd services are in the failed state (and the monitoring_netdata role is deployed)
    • 🚀 homepage: add rss-bridge to the homepage when the rss_bridge role is deployed on the host
    • ➕ add ansible tags: netdata-modules, netdata-needrestart, netdata-debsecan, netdata-logcount, netdata-config

    🔄 Changed:

    • 🔒 common: sysctl/security: disable potentially exploitable unprivileged BPF and user namespaces
    • gitea: limit systemd service automatic restart attempts to 4 in 10 seconds
    • 🚀 gitea: update to v1.16.5 [1] [2] [3] [4] [5]
    • gotty: attempt to restart the systemd service every 2 seconds in case of failure, for a maximum of 4 times in 10 seconds
    • 🔌 netdata: disable more internal monitoring charts (plugin execution time, webserver threads CPU)
    • 0️⃣ netdata: re-add default netdata alarms for the systemdunits module
    • ⚡️ nextcloud: update to v23.0.3 [1] [2]
    • nextcloud: run nextcloud PHP processes under a dedicated nextcloud user; if an older installation owned by www-data is found, it will be migrated to the new user automatically
    • 🚀 openldap: update LDAP Account Manager to v8.0.1
    • 🚀 rocketchat: update to v3.18.4
    • 🚚 apache/fail2ban/nextcloud: remove obsolete workaround for nextcloud desktop client issue
    • xsrv: store group_vars files under group_vars/$group_name/ (allows multiple vars files per group). If a group_vars/$group_name.yml file is found, it will be moved to the subdirectory automatically.
    • ⚡️ xsrv: update ansible to v5.5.0
    • 🔧 cleanup: make netdata assembled configuration more readable (add blank line delimiters)
    • cleanup: standardize file names
    • all roles: check that variables are correctly defined before running roles
    • 👕 tests: ansible-lint: ignore fqcn-builtins,truthy,braces,line-length rules
    • 🚚 tests: remove broken jinja2 syntax test
    • 👕 tests: remove obsolete ansible-playbook --syntax-check and yamllint tests, replaced by ansible-lint
    • 🚀 tests: automate tests for init-vm, xsrv check, xsrv deploy
    • 📚 doc: update documentation, default playbook README, Gitlab CI example

    🛠 Fixed:

    • 🚀 all roles: ensure check mode doesn't fail when running it before first deployment
    • common: ssh/users: fix SFTP-only user accounts creation (set permissions after creating user accounts)
    • all roles: firewall: fix 'reload firewall/fail2ban/apache' handlers failures when called from other roles
    • 📦 openldap: fix ldap-account-manager installation on Debian 11 (php package name changes)
    • 🔧 graylog: fix graylog service not starting/incorrect permissions on configuration files
    • graylog/mumble: monitoring/netdata: fix healthcheck/alarm not returning correct status when systemd services are in the failed state
    • 🔧 netdata: fix location for needrestart module configuration file
    • netdata: fix/standardize indentation in configuration files produced by to_nice_yaml
    • homepage: fix homepage templating when the homepage role is not part of the same play as related roles
    • 📦 shaarli: explicitly use php 7.4 packages, fix possible installation problems on Debian 11
    • 👕 tests: fix and speed up ansible-lint tests, fix ansible-lint warnings

    Full changes since v1.6.0


  • v1.6.0 Changes

    March 17, 2022

    ⬆️ Upgrade procedure:

    • ⬆️ xsrv self-upgrade to upgrade the xsrv script
    • 🚀 xsrv upgrade to upgrade roles in your playbook to the latest release

    ➕ Added:

    • add rss_bridge role - the RSS feed for websites missing it
    • 📦 monitoring_utils: install debsums utility for the verification of packages with known good database (by default, run weekly)
    • common: cron: allow disabling cron setup (setup_cron: yes/no)
    • 🔧 monitoring_netdata: allow configuring netdata notification downtime periods (start/end)
    • ✅ tests: automate basic testing of the xsrv command-line tool (xsrv init-project xsrv-test my.example.org)

    🔄 Changed:

    • common: cron: include the FQDN in subject when sending mail
    • 👷 common: cron: log beginning and end of cron jobs
    • all roles: replace netdata process checks/alarms with more accurate systemd unit checks, raise alarms/notifications when a service is in the failed state
    • cleanup: standardize task names
    • xsrv: init-project: allow adding a first host directly using xsrv init-project [project] [host]

    🛠 Fixed:

    • 🛠 fix check mode support for self-signed certificate generation tasks/netdata configuration
    • ⬆️ apt: fix automatic upgrades for packages installed from Debian Backports
    • xsrv: fix error on new project creation/init-playbook - missing playbook directory
    • xsrv: fix support for XSRV_PROJECTS_DIR environment variable

    Full changes since v1.5.0


  • v1.5.0 Changes

    February 25, 2022

    ⬆️ Upgrade procedure:

    • ⬆️ xsrv self-upgrade to upgrade the xsrv script
    • 🚀 xsrv upgrade to upgrade roles in your playbook to the latest release
    • 🚀 TAGS=utils-debian10to11 xsrv deploy to upgrade your host's distribution from Debian 10 "Buster" to Debian 11 "Bullseye". Debian 10 compatibility will not be maintained after this release.
    • common/firewall: remove firehol_* variables from your configuration. Roles from the xsrv collection will automatically insert their own rules, if firewalld is deployed. If you had custom firewall rules in place/not related to xsrv roles, please port them to the new firewalld configuration.
    • common/hosts: if the hosts: variable (hosts file entries) is used in your host/group_vars, rename it to host_file_entries. If setup_hosts is used in your host/group_vars, rename it to setup_hosts_file.
    • mariadb: if you had the nodiscc.xsrv.mariadb role enabled, migrate to PostgreSQL, or use the archived nodiscc.toolbox.mariadb role.
    • gitea/nextcloud/tt_rss: if any of these roles is listed in your playbook, ensure nodiscc.xsrv.postgresql is explicitly deployed before it.
    • 🐳 jellyfin/proxmox/docker: remove jellyfin_auto_upgrade, proxmox_auto_upgrade or docker_auto_upgrade variables from your configuration, if you changed the defaults. These settings are now controlled by the apt_unattended_upgrades_origins_patterns list, automatic upgrades are enabled by default for these components.
    • jellyfin/samba: if you have both the samba and jellyfin roles enabled on a host, and want to keep using the jellyfin samba share for media storage, explicitly set jellyfin_samba_share: yes in the host's configuration variables.
    • monitoring: remove setup_monitoring_cli_utils: yes/no and setup_rsyslog: yes/no variables from your configuration, if you changed the defaults. If you don't want monitoring utilities or rsyslog set up, enable individual monitoring_netdata/rsyslog/utils roles, instead of the global monitoring role.
    • (optional) xsrv check to simulate changes.
    • 🚀 xsrv deploy to apply changes.

    ➕ Added:

    • ➕ add dnsmasq lightweight DNS server role
    • common: add firewalld firewall management tool
    • ⬆️ common: apt: allow configuration of allowed origins for unattended-upgrades
    • ⏱ common: packages: add at task scheduler
    • monitoring: netdata: allow disabling specific plugins (netdata_disabled_plugins), disable ebpf plugin by default
    • 0️⃣ monitoring: lynis: enable lynis installation and daily reports by default
    • ⚠ common: ssh: fix lynis warning FILE-7524 (ensure /root/.ssh is mode 0700)
    • common: mail/msmtp: allow disabling SMTP authentication/LOGIN (msmtp_auth_enabled), allow disabling SMTP server TLS certificate verification completely (msmtp_tls_certcheck: yes/no)
    • common: mail/msmtp: allow disabling TLS (msmtp_tls_enabled)
    • 🚀 monitoring: netdata: automate testing netdata mail notifications (TAGS=utils-netdata-test-notifications xsrv deploy)
    • monitoring: netdata: monitor systemd units state (timers/services/sockets)
    • docker: add a nightly cleanup of unused docker images/containers/networks/build cache, allow disabling it through docker_prune_nighlty: no
    • ✅ xsrv: add xsrv help-tags subcommand (show the list of ansible tags in the play and their descriptions)
    • 🚀 install ansible local fact files for each deployed role/component

    ✂ Removed:

    • 🔧 common: remove firehol firewall management tool, remove firehol_* configuration variables
    • 🚚 common: firewall: remove ability to filter outgoing traffic, will be re-added later
    • ⬇️ drop compatibility with Debian 9
    • monitoring: remove setup_monitoring_cli_utils: yes/no and setup_rsyslog: yes/no variables
    • 🚚 common: fail2ban: remove fail2ban_destemail variable, always send mail to root
    • 🚚 mariadb: remove role, archive it to separate repository
    • ✂ remove ansible tags certificates lamp valheim valheim-server

    🔄 Changed:

    • 👉 make all roles compatible with Debian 11
    • 🚀 common/firewall/all roles: let roles manage their own firewall rules if the nodiscc.xsrv.firewalld role is deployed
    • 🎁 all roles: refactor/performance: only flush handlers once, unless required otherwise, refactor service start/stop/enable/disable tasks
    • common: fail2ban: ban offenders on all ports
    • jellyfin: the jellyfin samba share automatic setup is now disabled by default (jellyfin_samba_share_enabled: no)
    • apache/tt_rss/shaarli/nextcloud: make roles compatible with Debian 11 (PHP 7.4)
    • jellyfin/proxmox/docker: remove jellyfin_auto_upgrade, proxmox_auto_upgrade, docker_auto_upgrade variables, add these origins to the default list of apt_unattended_upgrades_origins_patterns
    • monitoring: split role to smaller monitoring_rsyslog/monitoring_netdata/monitoring_utils roles, make the monitoring role an alias for these 3 roles
    • common: apt: explicitly install aptitude
    • ⬆️ common: apt: remove unused packages after automatic upgrades
    • ⬆️ common: apt: automatically remove unused dependency packages on every install/upgrade/remove operation
    • common: fail2ban: increase maximum IP/attempts count retention to 1 year
    • 🔊 common: ssh: decrease SFTP logs verbosity to INFO by default
    • common/graylog: apt: enable automatic upgrades for graylog/mongodb/elasticsearch packages by default (apt_unattended_upgrades_origins_patterns)
    • 🚀 gitea: upgrade to v1.16.0 [1], [2], [3], [4], [5]
    • ⬆️ xsrv: upgrade ansible to 5.2.0
    • ⚡️ gitea: cleanup/maintenance: update config file comments/ordering to reduce diff with upstream example file
    • apache: relax permissions on apache virtualhost config files (make them world-readable)
    • ⬆️ nextcloud: upgrade to 23.0.1 [1]
    • 0️⃣ nextcloud: add Nextcloud Bookmarks to the default list of apps (default disabled)
    • 📦 xsrv/tools/doc: don't install python3-cryptography from pip, install from OS packages
    • 🚚 gitea/nextcloud/tt_rss: remove hard dependency on postgresql role
    • 🚚 openldap: remove hard dependency on common role
    • 🔧 transmission: log/show diff on configuration file changes
    • netdata/docker: move netdata_min/max_running_docker_containers configuration variables to the docker role
    • 📦 netdata: no longer install python3-mysqldb/mysql support packages
    • mumble: force superuser password change task to never return "changed" (instead of always)
    • 📚 doc: update documentation, document all ansible tags, refactor command-line usage doc
    • 🔨 refactoring: move fail2ban/samba/rsyslog/netdata/... tasks to separate task files inside each role
    • 🏷 tags: add ssl tag to all ssl-related tasks, add rsnapshot-ssh-key tag to all ssh-key-related tasks
    • 🚀 cleanup: remove unused tasks/improve deployment times

    🛠 Fixed:

    • 🛠 fix integration between roles when roles are part of different plays: use ansible local facts installed by other roles to detect installed components, instead of checking the list of roles in the current play
    • proxmox: fix missing ansible fact file template
    • 🔧 proxmox: fix APT configuration on Debian 10/11
    • 🛠 fix check mode compatibility issues, fix ansible-lint warnings
    • common: ssh: fix creation of SFTP-only accounts (bad ownership or modes for chroot directory)
    • common: ssh: fix root ssh logins when ssh_permit_root_login: without-password/prohibit-password/forced-commands-only
    • monitoring: netdata: fix chart values incorrectly increased by 1 in debsecan module
    • backup: fix mode/idempotence for /root/.ssh directory creation
    • 🔧 graylog: fix configuration file templating always returning changed in check mode
    • 0️⃣ default playbook/xsrv: fix invalid "%%ANSIBLE_HOST%%" value set by xsrv init-host
    • ⚠ common: hosts: fix warning: Found variable using reserved name: hosts

    Full changes since v1.4.0


  • v1.4.0 Changes

    December 17, 2021

    ⬆️ Upgrade procedure:

    • ⬆️ xsrv self-upgrade to upgrade the xsrv script
    • 🚀 xsrv upgrade to upgrade roles in your playbook to the latest release
    • 🚀 xsrv deploy to apply changes
    • 🚀 (optional) TAGS=debian10to11 xsrv deploy to upgrade your host's distribution from Debian 10 "Buster" to Debian 11 "Bullseye"
    • (optional) remove custom netdata_modtime_checks from your configuration, if any (the modtime module was removed, use the filecheck module instead)

    ➕ Added:

    • ➕ add [proxmox](roles/proxmox) role (basic Proxmox VE hypervisor setup)
    • add [valheim_server](roles/valheim_server) role (Valheim multiplayer game server)
    • gitea: make number of issues per page configurable (gitea_issue_paging_num, increased to 20 by default)
    • shaarli: make hide_timestamp, header_link, debug, formatter settings configurable
    • 🔒 monitoring: add lynis security audit tool (optional, default disabled), schedule a daily report
    • monitoring/postgresql: allow netdata to monitor postgresql server
    • docker: allow enabling unattended upgrades of docker engine packages (docker_auto_upgrade: yes/no)
    • common: apt: allow enabling contrib and non-free software sections (apt_enable_nonfree)
    • common: allow disabling hostname setup (setup_hostname: yes/no)
    • common, monitoring: make roles compatible with Debian 11 "Bullseye"
    • homepage: add link to graylog instance (when graylog role is enabled)
    • 🔧 monitoring: allow configuration of syslog retention duration, default to 186 days instead of 7
    • monitoring: allow defining a number of maximum expected running docker containers (netdata_max_running_docker_containers)
    • ⏱ monitoring: add logwatch log analyzer, disable scheduled execution
    • monitoring: install requirements for postgresql monitoring
    • postgresql: add ability to enable/disable the service and enforce started/stopped/enabled/disabled state
    • 🔧 backup: make rsnapshot verbosity configurable
    • backup: download rsnapshot's/root SSH public key to the controller (public_keys/ directory)
    • 👉 common: allow configuring the list of users allowed to use crontab (linux_users_crontab_allow)
    • ⬆️ common: add a procedure for Debian 10 -> 11 upgrades
    • 🚚 common: add ability to add/remove entries from the hosts (/etc/hosts) file

    🔄 Changed:

    • ⬆️ nextcloud: upgrade to 22.2.3
    • nextcloud: silence cron/background tasks output to prevent mail notification spam
    • nextcloud: allow installation of ONLYOFFICE realtime collaborative document edition tools
    • 🚀 gitea: upgrade to 1.15.7
    • ⚡️ gitea: update fail2ban login failure detection for gitea v1.15+
    • common: sysctl: disable IP source routing for IPv6 (was already disabled for IPv4)
    • 🔧 common: msmtp: check that configuration variables have correct values/types when msmtp_setup: yes
    • monitoring: increase netdata charts retention duration to ~7 days
    • monitoring: allow disabling needrestart/logcount/debsecan modules installation
    • 🚑 monitoring: decrease alarm sensitivity for logcount module (warning on 10 alarms/min, critical on 100 errors/min)
    • 0️⃣ monitoring: disable lynis checks AUTH-9283 and FIRE-4512 by default (false positives)
    • 🐳 monitoring: only enable "number of running docker container" checks when the nodiscc.xsrv.docker role is enabled
    • ⚡️ monitoring: update configuration for netdata > 1.30
    • 🔌 backup, monitoring: replace custom modtime module with built-in netdata filecheck module
    • xsrv: rename top-level directory concept (playbook -> project)
    • 🔊 xsrv: logs: don't ask for sudo password if syslog is readable without it
    • ⚡️ xsrv: switch to ansible "distribution" versioning, upgrade to 4.9.0 (ansible-core 2.11.6), update playbook for compatibility
    • xsrv: store virtualenv inside the project directory, improve startup time
    • ⚡️ homepage: update theme (use light theme), use web safe fonts
    • apache: make role compatible with Debian 11 "Bullseye"
    • backup: make dependency on monitoring role optional
    • 🔧 backup: ensure only root can read the rsnapshot configuration file
    • ⏱ backup: re-schedule monthly backups at 04:01 on the first day of the month
    • 🔧 all roles/monitoring: apply role-specific netdata/rsyslog configuration immediately after installing it
    • 0️⃣ default playbook: .gitignore data/ and cache/ directories
    • 📚 doc: update/refactor documentation and roles metadata
    • 📚 tools: improve automatic documentation generation
    • 🔨 refactor: refactor integration between roles (use ansible_local facts, fix integration when roles are not part of the same play)

    ✂ Removed:

    • 0️⃣ nextcloud: disable deck app by default

    🛠 Fixed:

    • ⚡️ homepage: really update page title from homepage_title variable
    • jellyfin: use samba_shares_path variable to determine samba shares path
    • ⬆️ nextcloud: fix upgrade procedure order (upgrade incompatible apps)
    • ⬆️ nextcloud: fix check mode on upgrades
    • ⏱ graylog: respect elasticsearch_timeout_start_sec value
    • 🌐 monitoring: netdata: enable gzip compression on web server responses, fix empty dashboard
    • 🚚 monitoring: fix netdata modtime module installation, remove obsolete tasks file
    • monitoring: rsyslog: ensure that requirements for self-signed certificates generation are installed
    • monitoring: ensure requirements for self-signed certificate generation are installed
    • 👍 monitoring: also allow access to netdata.conf from netdata_allow_connections_from addresses
    • 📦 monitoring: fix APT package manager logs aggregation to syslog
    • ⚡️ tt_rss: fix permission denied errors when updating feeds
    • 📱 homepage: fix grid responsiveness on mobile devices
    • 🔧 transmission: don't attempt to reload the service when it is disabled in host configuration
    • don't ignore expected errors when not running in check mode

    🔒 Security:

    • 🌲 nextcloud: fail2ban: fix log file location/login failures not detected by fail2ban
    • ⚡️ common: automatically apply security updates for packages installed from Debian Backports

    Full changes since v1.3.1


  • v1.3.1 Changes

    June 24, 2021

    โฌ†๏ธ Upgrade procedure:

    • ๐Ÿš€ xsrv upgrade to upgrade roles in your playbook to the latest release
    • ๐Ÿš€ xsrv deploy to apply changes

    ๐Ÿ›  Fixed:

    • common: msmtp: fix msmtp unable to read /etc/aliases (/etc/aliases: line 1: invalid address)
    • 🔧 common: msmtp: fix unreadable /etc/msmtprc configuration for unprivileged users
    • ⬆️ nextcloud/apache/php: fix path to PHP APCU configuration file (really fix cannot allocate memory errors on nextcloud upgrades)
    • 📚 tt_rss: fix/automate initial database population and schema upgrades, update documentation

    ➕ Added:

    • common: msmtp: allow disabling STARTTLS (msmtp_starttls: yes/no)
    • backup: rsnapshot: don't update timestamp file after weekly/monthly backups (monitoring only measures time since the last successful daily backup)

    🔄 Changed:

    • ⬆️ nextcloud: upgrade to 20.0.10
    • 📚 update documentation (virt-manager/add basic VM provisioning procedure)

    Full changes since v1.3.0


  • v1.3.0 Changes

    June 08, 2021

    โฌ†๏ธ Upgrade procedure:

    • ๐Ÿš€ xsrv self-upgrade to upgrade the xsrv script to the latest release
    • ๐Ÿš€ xsrv upgrade to upgrade roles in your playbook to the latest release
    • if you had defined custom netdata_http_checks, port them to the new netdata_http_checks/netdata_x509_checks syntax
    • ๐Ÿšš (optional/cleanup) xsrv edit-vault: remove all vault_ prefixes from encrypted host variables; xsrv edit-host: remove all variables that are just variable_name: {{ vault_variable_name }} references
    • (optional/cleanup) remove previous hardcoded/default netdata_modtime_checks and netdata_process_checks from your host variables
    • (optional) xsrv check to simulate and review changes
    • ๐Ÿš€ xsrv deploy to apply changes

    ✂ Removed:

    • default playbook: remove hardcoded netdata_modtime_checks and netdata_process_checks (roles will automatically configure relevant checks)
    • default playbook/all roles: remove variable_name: {{ vault_variable_name }} indirections/references
    • monitoring/netdata: remove ability to configure netdata modules git clone URLs (netdata_*_git_url variables), always clone from upstream
    • monitoring/netdata: remove support for check_x509 parameter in netdata_httpchecks
    • 🔧 monitoring/rsyslog: remove hardcoded, service-specific configuration

    ➕ Added:

    • ➕ add graylog log analyzer role
    • ➕ add gotty role
    • monitoring/rsyslog: add ability to forward logs to a remote syslog/graylog server over TCP/SSL/TLS (add rsyslog_enable_forwarding, rsyslog_forward_to_hostname and rsyslog_forward_to_port variables)
    • jellyfin/common/apt: enable automatic upgrades for jellyfin by default (apt_unattended_upgrades_origins_patterns)
    • monitoring: support all httpcheck parameters in netdata_http_checks
    • monitoring/netdata: add netdata_x509_checks (list of x509 certificate checks, supports all x509check parameters)
    • rocketchat: allow disabling rocketchat/mongodb services (rocketchat_enable_service: yes/no)
    • ✅ xsrv: add xsrv edit-group subcommand (edit group variables - default group: all)
    • ✅ xsrv: add xsrv ls subcommand (list files in the playbooks directory - accepts a path)
    • ✅ xsrv: add xsrv edit-requirements subcommand (edit ansible collections/requirements)
    • 🔧 xsrv: add xsrv edit-cfg subcommand (edit ansible configuration/ansible.cfg)
    • 0️⃣ xsrv: add syntax highlighting to default text editor/pager (nano - requires manual installation of yaml syntax highlighting file), improve display
    • homepage: add favicon
    • 🔧 common: msmtp: make outgoing mail port configurable (msmtp_port, default 587)

    🔄 Changed:

    • gitea: enable API by default (gitea_enable_api)
    • ⬆️ gitea: upgrade gitea to 1.14.2
    • ⬆️ openldap: upgrade ldap-account-manager to 7.5
    • ⬆️ nextcloud: upgrade nextcloud to 21.0.2
    • ⚡️ rocketchat: update rocket.chat to 3.15.0
    • 📱 homepage: switch to a responsive grid layout
    • ⚠ monitoring: decrease logcount warning alarm sensitivity, warn when error rate >= 10/min
    • monitoring/all roles: let roles install their own syslog aggregation settings, if the nodiscc.xsrv.monitoring role is enabled.
    • monitoring/needrestart: by default, automatically restart services that require it after a security update (needrestart_autorestart_services: yes)
    • monitoring/netdata/default playbook: let roles install their own HTTP/x509/modtime/port checks under /etc/netdata/{python,go}.d/$module_name.conf.d/*.conf, if the nodiscc.xsrv.monitoring role is enabled
    • 👷 apache/common/mail: forward all local mail from www-data to root - allows root to receive webserver cron jobs output
    • apache/monitoring: disable aggregation of access logs to syslog by default, add variable allowing to enable it (apache_access_log_to_syslog)
    • 👷 common: cron: ensure only root can access cron job files and directories (CIS 5.1.2 - 5.1.7)
    • common: ssh: lower maximum concurrent unauthenticated connections to 60
    • 🔧 common/mail: don't overwrite /etc/aliases, ensure root mail is forwarded to the configured user (set to ansible_user by default)
    • ⚡️ docker: speed up role execution - don't force APT cache update when not necessary
    • transmission: disable automatic backups of the downloads directory by default, add transmission_backup_downloads: yes/no variable allowing to enable it
    • 🔧 rocketchat/monitoring: disable HTTP check when rocketchat service is explicitly disabled in the configuration
    • mumble/checks: ensure that mumble_welcome_text is set
    • transmission/jellyfin: allow jellyfin to read/write transmission downloads directory
    • 👷 tools: add Pull Request template, speed up Gitlab CI test suite (prebuild an image with required tools)
    • ⚡️ update ansible tags
    • 📇 update roles metadata, remove coupling/dependencies between roles unless strictly required, make nodiscc.xsrv.common role mostly optional
    • 🔨 xsrv: cleanup/reorder/DRY/refactoring, make self-upgrade safer
    • 📚 doc: update documentation/formatting, fix manual backup command, fix ssh-copy-id instructions
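    One way to verify the cron hardening listed above (CIS 5.1.2 - 5.1.7: /etc/crontab owned by root with mode 0600, the cron.hourly/daily/weekly/monthly directories and /etc/cron.d owned by root with mode 0700) on a deployed host is a small audit function. This is an added example, not code from xsrv or its common role; it assumes GNU coreutils `stat` (the `-c` format), and takes an optional path prefix and expected uid:gid so it can also be pointed at a constructed directory tree.

```sh
#!/bin/sh
# Added example, not part of xsrv: audit the cron file/directory permissions
# that the "common: cron" hardening entry (CIS 5.1.2 - 5.1.7) enforces.
# Arguments (both optional):
#   $1  path prefix to check under (default: empty, i.e. the real /etc)
#   $2  expected owner as uid:gid (default: 0:0, i.e. root:root)
# Prints one FAIL line per deviating path and returns the number of findings,
# so an exit status of 0 means compliant. Requires GNU coreutils `stat`.
audit_cron_perms() {
  prefix="${1:-}"
  want_owner="${2:-0:0}"
  failures=0
  # CIS 5.1.2: /etc/crontab is a file and must be mode 0600;
  # CIS 5.1.3 - 5.1.7: the cron.* directories and cron.d must be mode 0700.
  for spec in /etc/crontab:600 /etc/cron.hourly:700 /etc/cron.daily:700 \
              /etc/cron.weekly:700 /etc/cron.monthly:700 /etc/cron.d:700; do
    path="${prefix}${spec%:*}"
    want_mode="${spec#*:}"
    # A path that does not exist on this host is not a finding (minimal installs)
    [ -e "$path" ] || continue
    owner=$(stat -c '%u:%g' "$path")
    mode=$(stat -c '%a' "$path")
    if [ "$owner" != "$want_owner" ] || [ "$mode" != "$want_mode" ]; then
      echo "FAIL $path owner=$owner mode=$mode (want $want_owner $want_mode)"
      failures=$((failures + 1))
    fi
  done
  return "$failures"
}

# Stand-alone usage: audit the live host (expects root:root ownership).
audit_cron_perms || echo "$? cron path(s) deviate from CIS 5.1.2 - 5.1.7"
```

    The function deliberately treats a missing path as "nothing to check" rather than as a finding, so it can run on hosts where some cron directories were never created; tighten that if your baseline requires the directories to exist.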

    🛠 Fixed:

    • jellyfin: fix automatic samba share creation
    • 👉 common: fix linux_users creation when no authorized_ssh_keys/sudo_nopasswd_commands are defined
    • 🐧 common: users: allow creation of linux_users without a password (login to these user accounts will be denied, SSH login with authorized keys is still possible if the user is in the ssh group)
    • samba: fix error on LDAP domain creation
    • nextcloud: fix condition for dependency on postgresql role
    • ⬆️ nextcloud: fix allowed memory size exhausted during nextcloud upgrades
    • openldap: fix condition for dependency on apache role
    • 🔊 rsyslog: fix automatic aggregation of fail2ban logs to syslog
    • rocketchat: fix automatic backups when the service is disabled
    • samba/rsnapshot/gitea: fix role when running in 'check' mode, fix idempotence
    • 🚀 tools: fix release procedure/ansible-galaxy collection publication
    • xsrv: fix wrong inventory formatting after running xsrv init-host
    • ✂ remove unused/duplicate/leftover task files
    • 🛠 fix typos

    🔒 Security:

    • common: fail2ban: fix bantime for ssh jail (~49 days)

    Full changes since v1.2.2