xsrv v1.3.0 Release Notes
Release Date: 2021-06-08
Upgrade procedure:
- `xsrv self-upgrade` to upgrade the xsrv script to the latest release
- `xsrv upgrade` to upgrade roles in your playbook to the latest release
- if you had defined custom `netdata_http_checks`, port them to the new `netdata_http_checks`/`netdata_x509_checks` syntax
- (optional/cleanup) `xsrv edit-vault`: remove all `vault_` prefixes from encrypted host variables; `xsrv edit-host`: remove all variables that are just `variable_name: {{ vault_variable_name }}` references
- (optional/cleanup) remove previous hardcoded/default `netdata_modtime_checks` and `netdata_process_checks` from your host variables
- (optional) `xsrv check` to simulate and review changes
- `xsrv deploy` to apply changes
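
For the optional cleanup step that removes `variable_name: {{ vault_variable_name }}` references, the following added example (not part of xsrv or of these release notes) finds such lines in a host variables file and lists the `vault_` references that would still remain afterwards. The function names and the sample file are assumptions made for illustration.

```python
import re

# A line that is nothing but "name: {{ vault_<something> }}", optionally quoted,
# with an optional trailing comment.
_INDIRECTION = re.compile(
    r"""^(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*:\s*
        (?P<q>["']?)\{\{\s*vault_(?P<target>[A-Za-z_][A-Za-z0-9_]*)\s*\}\}(?P=q)
        \s*(?:\#.*)?$""",
    re.VERBOSE,
)

def find_vault_indirections(host_vars_text):
    """Return (line_number, variable) for lines that only point at vault_<same name>."""
    hits = []
    for number, line in enumerate(host_vars_text.splitlines(), start=1):
        match = _INDIRECTION.match(line)
        if match and match.group("name") == match.group("target"):
            hits.append((number, match.group("name")))
    return hits

def strip_vault_indirections(host_vars_text):
    """Return the text with the pure indirection lines removed."""
    drop = {number for number, _ in find_vault_indirections(host_vars_text)}
    lines = host_vars_text.splitlines()
    return "\n".join(l for n, l in enumerate(lines, start=1) if n not in drop) + "\n"

def remaining_vault_references(host_vars_text):
    """Return (line_number, reference) for vault_ names used outside pure indirections.

    These stop resolving once the vault_ prefixes are removed from the vault,
    so they have to be renamed by hand.
    """
    drop = {number for number, _ in find_vault_indirections(host_vars_text)}
    found = []
    for number, line in enumerate(host_vars_text.splitlines(), start=1):
        if number not in drop:
            found += [(number, ref) for ref in re.findall(r"\bvault_\w+", line)]
    return found

# Constructed sample host variables file (hostnames and variables are made up).
SAMPLE = """\
# constructed sample host_vars file
nextcloud_fqdn: cloud.example.org
nextcloud_password: "{{ vault_nextcloud_password }}"
gitea_secret_key: {{ vault_gitea_secret_key }}
backup_target: "sftp://{{ vault_backup_user }}@backup.example.org"
db_password: "{{ vault_shared_db_password }}"
"""
```

Lines reported by `remaining_vault_references` embed a vault variable in a larger value or point at a differently named one, so they are left in place for manual review rather than deleted.
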
Removed:
- default playbook: remove hardcoded `netdata_modtime_checks` and `netdata_process_checks` (roles will automatically configure relevant checks)
- default playbook/all roles: remove `variable_name: {{ vault_variable_name }}` indirections/references
- monitoring/netdata: remove ability to configure netdata modules git clone URLs (`netdata_*_git_url` variables), always clone from upstream
- monitoring/netdata: remove support for `check_x509` parameter in `netdata_httpchecks`
- monitoring/rsyslog: remove hardcoded, service-specific configuration
Added:
- add graylog log analyzer role
- add gotty role
- monitoring/rsyslog: add ability to forward logs to a remote syslog/graylog server over TCP/SSL/TLS (add `rsyslog_enable_forwarding`, `rsyslog_forward_to_hostname` and `rsyslog_forward_to_port` variables)
- jellyfin/common/apt: enable automatic upgrades for jellyfin by default (`apt_unattended_upgrades_origins_patterns`)
- monitoring: support all httpcheck parameters in `netdata_http_checks`
- monitoring/netdata: add `netdata_x509_checks` (list of x509 certificate checks, supports all x509check parameters)
- rocketchat: allow disabling rocketchat/mongodb services (`rocketchat_enable_service: yes/no`)
- xsrv: add `xsrv edit-group` subcommand (edit group variables - default group: `all`)
- xsrv: add `xsrv ls` subcommand (list files in the playbooks directory - accepts a path)
- xsrv: add `xsrv edit-requirements` subcommand (edit ansible collections/requirements)
- xsrv: add `xsrv edit-cfg` subcommand (edit ansible configuration/`ansible.cfg`)
- xsrv: add syntax highlighting to default text editor/pager (nano - requires manual installation of yaml syntax highlighting file), improve display
- homepage: add favicon
- common: msmtp: make outgoing mail port configurable (`msmtp_port`, default `587`)
Changed:
- gitea: enable API by default (`gitea_enable_api`)
- gitea: upgrade gitea to 1.14.2
- openldap: upgrade ldap-account-manager to 7.5
- nextcloud: upgrade nextcloud to 21.0.2
- rocketchat: update rocket.chat to 3.15.0
- homepage: switch to a responsive grid layout
- monitoring: decrease logcount warning alarm sensitivity, warn when error rate >= 10/min
- monitoring/all roles: let roles install their own syslog aggregation settings, if the `nodiscc.xsrv.monitoring` role is enabled.
- monitoring/needrestart: by default, automatically restart services that require it after a security update (`needrestart_autorestart_services: yes`)
- monitoring/netdata/default playbook: let roles install their own HTTP/x509/modtime/port checks under `/etc/netdata/{python,go}.d/$module_name.conf.d/*.conf`, if the `nodiscc.xsrv.monitoring` role is enabled
- apache/common/mail: forward all local mail from `www-data` to `root` - allows `root` to receive webserver cron jobs output
- apache/monitoring: disable aggregation of access logs to syslog by default, add variable allowing to enable it (`apache_access_log_to_syslog`)
- common: cron: ensure only root can access cron job files and directories (CIS 5.1.2 - 5.1.7)
- common: ssh: lower maximum concurrent unauthenticated connections to 60
- common/mail: don't overwrite `/etc/aliases`, ensure `root` mail is forwarded to the configured user (set to `ansible_user` by default)
- docker: speed up role execution - don't force APT cache update when not necessary
- transmission: disable automatic backups of the downloads directory by default, add `transmission_backup_downloads: yes/no` variable allowing to enable it
- rocketchat/monitoring: disable HTTP check when rocketchat service is explicitly disabled in the configuration
- mumble/checks: ensure that `mumble_welcome_text` is set
- transmission/jellyfin: allow jellyfin to read/write transmission downloads directory
- tools: add Pull Request template, speed up Gitlab CI test suite (prebuild an image with required tools)
- update ansible tags
- update roles metadata, remove coupling/dependencies between roles unless strictly required, make `nodiscc.xsrv.common` role mostly optional
- xsrv: cleanup/reorder/DRY/refactoring, make `self-upgrade` safer
- doc: update documentation/formatting, fix manual backup command, fix ssh-copy-id instructions
Fixed:
- jellyfin: fix automatic samba share creation
- common: fix `linux_users` creation when no `authorized_ssh_keys`/`sudo_nopasswd_commands` are defined
- common: users: allow creation of `linux_users` without a password (login to these user accounts will be denied, SSH login with authorized keys is still possible if the user is in the `ssh` group)
- samba: fix error on LDAP domain creation
- nextcloud: fix condition for dependency on postgresql role
- nextcloud: fix `allowed memory size exhausted` during nextcloud upgrades
- openldap: fix condition for dependency on apache role
- rsyslog: fix automatic aggregation of fail2ban logs to syslog
- rocketchat: fix automatic backups when the service is disabled
- samba/rsnapshot/gitea: fix role when running in 'check' mode, fix idempotence
- tools: fix release procedure/ansible-galaxy collection publication
- xsrv: fix wrong inventory formatting after running `xsrv init-host`
- remove unused/duplicate/leftover task files
- fix typos
Security:
- common: fail2ban: fix bantime for ssh jail (~49 days)