xsrv v1.5.0 Release Notes
Release Date: 2022-02-25
⬆️ Upgrade procedure:
- ⬆️ `xsrv self-upgrade` to upgrade the xsrv script
- 🚀 `xsrv upgrade` to upgrade roles in your playbook to the latest release
- 🚀 `TAGS=utils-debian10to11 xsrv deploy` to upgrade your host's distribution from Debian 10 "Buster" to Debian 11 "Bullseye". Debian 10 compatibility will not be maintained after this release.
- common/firewall: remove `firehol_*` variables from your configuration. Roles from the `xsrv` collection will automatically insert their own rules, if firewalld is deployed. If you had custom firewall rules in place/not related to xsrv roles, please port them to the new `firewalld` configuration.
- common/hosts: if the `hosts:` variable (hosts file entries) is used in your `host/group_vars`, rename it to `host_file_entries`. If `setup_hosts` is used in your `host/group_vars`, rename it to `setup_hosts_file`.
- mariadb: if you had the `nodiscc.xsrv.mariadb` role enabled, migrate to PostgreSQL, or use the archived `nodiscc.toolbox.mariadb` role.
- gitea/nextcloud/tt_rss: if any of these roles is listed in your playbook, ensure `nodiscc.xsrv.postgresql` is explicitly deployed before it.
- 🐳 jellyfin/proxmox/docker: remove `jellyfin_auto_upgrade`, `proxmox_auto_upgrade` or `docker_auto_upgrade` variables from your configuration, if you changed the defaults. These settings are now controlled by the `apt_unattended_upgrades_origins_patterns` list; automatic upgrades are enabled by default for these components.
- jellyfin/samba: if you have both the `samba` and `jellyfin` roles enabled on a host, and want to keep using the jellyfin samba share for media storage, explicitly set `jellyfin_samba_share: yes` in the host's configuration variables.
- monitoring: remove `setup_monitoring_cli_utils: yes/no` and `setup_rsyslog: yes/no` variables from your configuration, if you changed the defaults. If you don't want monitoring utilities or rsyslog set up, enable individual `monitoring_netdata/rsyslog/utils` roles, instead of the global `monitoring` role.
- (optional) `xsrv check` to simulate changes.
- 🚀 `xsrv deploy` to apply changes.
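A pre-upgrade check for the variable changes listed in this procedure, as an added example that is not part of xsrv: it scans a playbook directory for top-level YAML keys that v1.5.0 renames or removes. The function name, the `*.yml` file filter and the directory argument are assumptions.

```shell
#!/bin/sh
# Added example (not xsrv code): report variables that the v1.5.0 upgrade
# procedure says to rename or remove, when they appear as top-level YAML keys.
# Usage: check_v150_vars <playbook-dir>   (directory layout is an assumption)
# Returns 0 if nothing was found, 1 if at least one variable needs attention.
check_v150_vars() {
    dir=$1
    found=0
    # Each line below is "regex;advice", taken from the upgrade procedure.
    while IFS=';' read -r pattern advice; do
        [ -n "$pattern" ] || continue
        # grep exits non-zero when there is no match: skip to the next pattern
        matches=$(grep -rnE --include='*.yml' "^${pattern}" "$dir" 2>/dev/null) || continue
        found=1
        printf '%s\n' "$matches" | while IFS= read -r line; do
            printf '%s  => %s\n' "$line" "$advice"
        done
    done <<'EOF'
firehol_[A-Za-z0-9_]*:;remove (port custom rules to firewalld)
hosts:;rename to host_file_entries
setup_hosts:;rename to setup_hosts_file
(jellyfin|proxmox|docker)_auto_upgrade:;remove (see apt_unattended_upgrades_origins_patterns)
setup_monitoring_cli_utils:;remove (use individual monitoring_* roles instead)
setup_rsyslog:;remove (use individual monitoring_* roles instead)
EOF
    return "$found"
}
```

Run it against the playbook directory before `xsrv check`; encrypted vault files are not inspected, so review those by hand.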
➕ Added:
- ➕ add dnsmasq lightweight DNS server role
- common: add firewalld firewall management tool
- ⬆️ common: apt: allow configuration of allowed origins for unattended-upgrades
- ⏱ common: packages: add `at` task scheduler
- monitoring: netdata: allow disabling specific plugins (`netdata_disabled_plugins`), disable `ebpf` plugin by default
- 0️⃣ monitoring: lynis: enable lynis installation and daily reports by default
- ⚠ common: ssh: fix lynis warning FILE-7524 (ensure `/root/.ssh` is mode 0700)
- common: mail/msmtp: allow disabling SMTP authentication/LOGIN (`msmtp_auth_enabled`), allow disabling SMTP server TLS certificate verification completely (`msmtp_tls_certcheck: yes/no`)
- common: mail/msmtp: allow disabling TLS (`msmtp_tls_enabled`)
- 🚀 monitoring: netdata: automate testing netdata mail notifications (`TAGS=utils-netdata-test-notifications xsrv deploy`)
- monitoring: netdata: monitor systemd units state (timers/services/sockets)
- docker: add a nightly cleanup of unused docker images/containers/networks/build cache, allow disabling it through `docker_prune_nighlty: no`
- ✅ xsrv: add `xsrv help-tags` subcommand (show the list of ansible tags in the play and their descriptions)
- 🚀 install ansible local fact files for each deployed role/component
✂ Removed:
- 🔧 common: remove firehol firewall management tool, remove `firehol_*` configuration variables
- 🚚 common: firewall: remove ability to filter outgoing traffic, will be re-added later
- ⬇️ drop compatibility with Debian 9
- monitoring: remove `setup_monitoring_cli_utils: yes/no` and `setup_rsyslog: yes/no` variables
- 🚚 common: fail2ban: remove `fail2ban_destemail` variable, always send mail to root
- 🚚 mariadb: remove role, archive it to separate repository
- ✂ remove ansible tags `certificates lamp valheim valheim-server`
🔄 Changed:
- 👉 make all roles compatible with Debian 11
- 🚀 common/firewall/all roles: let roles manage their own firewall rules if the `nodiscc.xsrv.firewalld` role is deployed
- 🐎 all roles: refactor/performance: only flush handlers once, unless required otherwise, refactor service start/stop/enable/disable tasks
- common: fail2ban: ban offenders on all ports
- jellyfin: the jellyfin samba share automatic setup is now disabled by default (`jellyfin_samba_share_enabled: no`)
- apache/tt_rss/shaarli/nextcloud: make roles compatible with Debian 11 (PHP 7.4)
- jellyfin/proxmox/docker: remove `jellyfin_auto_upgrade`, `proxmox_auto_upgrade`, `docker_auto_upgrade` variables, add these origins to the default list of `apt_unattended_upgrades_origins_patterns`
- monitoring: split role to smaller `monitoring_rsyslog`/`monitoring_netdata`/`monitoring_utils` roles, make the `monitoring` role an alias for these 3 roles
- common: apt: explicitly install aptitude
- ⬆️ common: apt: remove unused packages after automatic upgrades
- ⬆️ common: apt: automatically remove unused dependency packages on every install/upgrade/remove operation
- common: fail2ban: increase maximum IP/attempts count retention to 1 year
- 🔊 common: ssh: decrease SFTP logs verbosity to INFO by default
- common/graylog: apt: enable automatic upgrades for graylog/mongodb/elasticsearch packages by default (`apt_unattended_upgrades_origins_patterns`)
- 🚀 gitea: upgrade to v1.16.0 [1], [2], [3], [4], [5]
- ⬆️ xsrv: upgrade ansible to 5.2.0
- ⚡️ gitea: cleanup/maintenance: update config file comments/ordering to reduce diff with upstream example file
- apache: relax permissions on apache virtualhost config files (make them world-readable)
- ⬆️ nextcloud: upgrade to 23.0.1 [1]
- 0️⃣ nextcloud: add Nextcloud Bookmarks to the default list of apps (default disabled)
- 📦 xsrv/tools/doc: don't install python3-cryptography from pip, install from OS packages
- 🚚 gitea/nextcloud/tt_rss: remove hard dependency on postgresql role
- 🚚 openldap: remove hard dependency on common role
- 🔧 transmission: log/show diff on configuration file changes
- netdata/docker: move `netdata_min/max_running_docker_containers` configuration variables to the `docker` role
- 📦 netdata: no longer install `python3-mysqldb`/mysql support packages
- mumble: force superuser password change task to never return "changed" (instead of always)
- 📚 doc: update documentation, document all ansible tags, refactor command-line usage doc
- 🔨 refactoring: move fail2ban/samba/rsyslog/netdata/... tasks to separate task files inside each role
- 🏷 tags: add `ssl` tag to all ssl-related tasks, add `rsnapshot-ssh-key` tag to all ssh-key-related tasks
- 🚀 cleanup: remove unused tasks/improve deployment times
🛠 Fixed:
- 🛠 fix integration between roles when roles are part of different plays: use ansible local facts installed by other roles to detect installed components, instead of checking the list of roles in the current play
- proxmox: fix missing ansible fact file template
- 🔧 proxmox: fix APT configuration on Debian 10/11
- 🛠 fix `check` mode compatibility issues, fix ansible-lint warnings
- common: ssh: fix creation of SFTP-only accounts (`bad ownership or modes for chroot directory`)
- common: ssh: fix root ssh logins when `ssh_permit_root_login: without-password/prohibit-password/forced-commands-only`
- monitoring: netdata: fix chart values incorrectly increased by 1 in debsecan module
- backup: fix mode/idempotence for `/root/.ssh` directory creation
- 🔧 graylog: fix configuration file templating always returning changed in check mode
- 0️⃣ default playbook/xsrv: fix invalid `"%%ANSIBLE_HOST%%"` value set by `xsrv init-host`
- ⚠ common: hosts: fix warning: Found variable using reserved name: hosts