xsrv v1.3.0 Release Notes
Release Date: 2021-06-08 // almost 3 years ago-
โฌ๏ธ Upgrade procedure:
- ๐
xsrv self-upgradeto upgrade the xsrv script to the latest release - ๐
xsrv upgradeto upgrade roles in your playbook to the latest release - if you had defined custom
netdata_http_checks, port them to the newnetdata_http_checks/netdata_x509_checkssyntax - ๐ (optional/cleanup)
xsrv edit-vault: remove allvault_prefixes from encrypted host variables;xsrv edit-host: remove all variables that are justvariable_name: {{ vault_variable_name }}references - (optional/cleanup) remove previous hardcoded/default
netdata_modtime_checksandnetdata_process_checksfrom your host variables - (optional)
xsrv checkto simulate and review changes - ๐
xsrv deployto apply changes
โ Removed:
- default playbook: remove hardcoded
netdata_modtime_checksandnetdata_process_checks(roles will automatically configure relevant checks) - default playbook/all roles: remove
variable_name: {{ vault_variable_name }}indirections/references - monitoring/netdata: remove ability to configure netdata modules git clone URLs (
netdata_*_git_urlvariables), always clone from upstream - monitoring/netdata: remove support for
check_x509parameter innetdata_httpchecks - ๐ง monitoring/rsyslog: remove hardcoded, service-specific configuration
โ Added:
- โ add graylog log analyzer role
- โ add gotty role
- monitoring/rsyslog: add ability forward logs to a remote syslog/graylog server over TCP/SSL/TLS (add [
rsyslog_enable_forwarding,rsyslog_forward_to_hostnameandrsyslog_forward_to_port](apt_unattended_upgrades_origins_patterns) variables) - jellyfin/common/apt: enable automatic upgrades for jellyfin by default (
apt_unattended_upgrades_origins_patterns) - monitoring: support all httpcheck parameters in
netdata_http_checks - monitoring/netdata: add
netdata_x509_checks(list of x509 certificate checks, supports all x509check parameters) - rocketchat: allow disabling rocketchat/mongodb services (
rocketchat_enable_service: yes/no) - โ
xsrv: add
xsrv edit-groupsubcommand (edit group variables - default group:all) - โ
xsrv: add
xsrv lssubcommand (list files in the playbooks directory - accepts a path) - โ
xsrv: add
xsrv edit-requirementssubcommand (edit ansible collections/requirements) - ๐ง xsrv: add
xsrv edit-cfgsubcommand (edit ansible configuration/ansible.cfg) - 0๏ธโฃ xsrv: add syntax highlighting to default text editor/pager (nano - requires manual installation of yaml syntax highlighting file), improve display
- homepage: add favicon
- ๐ง common: msmtp: make outgoing mail port configurable (
msmtp_port, default587)
๐ Changed:
- gitea: enable API by default (
gitea_enable_api) - โฌ๏ธ gitea: upgrade gitea to 1.14.2
- โฌ๏ธ openldap: upgrade ldap-account-manager to 7.5
- โฌ๏ธ nextcloud: upgrade nextcloud to 21.0.2
- โก๏ธ rocketchat: update rocket.chat to 3.15.0
- ๐ฑ homepage: switch to a responsive grid layout
- โ monitoring: decrease logcount warning alarm sensitivity, warn when error rate >= 10/min
- monitoring/all roles: let roles install their own syslog aggregation settings, if the
nodiscc.xsrv.monitoringrole is enabled. - monitoring/needrestart: by default, automatically restart services that require it after a security update (
needrestart_autorestart_services: yes) - monitoring/netdata/default playbook: let roles install their own HTTP/x509/modtime/port checks under
/etc/netdata/{python,go}.d/$module_name.conf.d/*.conf, if thenodiscc.xsrv.monitoringrole is enabled - ๐ท apache/common/mail: forward all local mail from
www-datatoroot- allowsrootto receive webserver cron jobs output - apache/monitoring: disable aggregation of access logs to syslog by default, add variable allowing to enable it (
apache_access_log_to_syslog) - ๐ท common: cron: ensure only root can access cron job files and directories (CIS 5.1.2 - 5.1.7)
- common: ssh: lower maximum concurrent unauthenticated connections to 60
- ๐ง common/mail: don't overwrite
/etc/aliases, ensurerootmail is forwarded to the configured user (set toansible_userby default) - โก๏ธ docker: speed up role execution - dont't force APT cache update when not necessary
- transmission: disable automatic backups of the downloads directory by default, add
transmission_backup_downloads: yes/novariable allowing to enable it - ๐ง rocketchat/monitoring: disable HTTP check when rocketchat service is explicitly disabled in the configuration
- mumble/checks: ensure that
mumble_welcome_textis set - transmission/jellyfin: allow jellyfin to read/write transmission downloads directory
- ๐ท tools: add Pull Request template, speed up Gitlab CI test suite (prebuild an image with required tools)
- โก๏ธ update ansible tags
- ๐ update roles metadata, remove coupling/dependencies between roles unless strictly required, make
nodiscc.xsrv.commonrole mostly optional - ๐จ xsrv: cleanup/reorder/DRY/refactoring, make
self-upgradesafer - ๐ doc: update documentation/formatting, fix manual backup command, fix ssh-copy-id instructions
๐ Fixed:
- jellyfin: fix automatic samba share creation
- ๐ common: fix
linux_userscreation when noauthorized_ssh_keys/sudo_nopasswd_commandsare defined - ๐ง common: users: allow creation of
linux_userswithout a password (login to these user accounts will be denied, SSH login with authorized keys are still possible if the user is in thesshgroup) - samba: fix error on LDAP domain creation
- nextcloud: fix condition for dependency on postgresql role
- โฌ๏ธ nextcloud: fix
allowed memory size exhaustedduring nextcloud upgrades - openldap: fix condition for dependency on apache role
- ๐ rsyslog: fix automatic aggregation fo fail2ban logs to syslog
- rocketchat: fix automatic backups when the service is disabled
- samba/rsnapshot/gitea: fix role when runing in 'check' mode, fix idempotence
- ๐ tools: fix release procedure/ansible-galaxy collection publication
- xsrv: fix wrong inventory formatting after running
xsrv init-host - โ remove unused/duplicate/leftover task files
- ๐ fix typos
๐ Security:
- common: fail2ban: fix bantime for ssh jail (~49 days)
- ๐