xsrv v1.9.0 Release Notes

Release Date: 2022-09-18 // 9 months ago
  • ⬆️ Upgrade procedure:

    • ⬆️ xsrv self-upgrade to upgrade the xsrv script
    • 🚀 xsrv upgrade to upgrade roles/ansible environments to the latest release
    • gitea: if you rely on custom git hooks for your projects, set gitea_enable_git_hooks: yes in the host configuration/vars file (xsrv edit-host)
    • 🚀 xsrv deploy to apply changes



    🔄 Changed:

    • 0️⃣ gitea: disable git hooks by default
    • 🚀 gitea: upgrade to v1.17.2 [1] [2] [3] [4]
    • 🚀 openldap: update self-service-password to v1.5.1 [1] [2]
    • 🚀 nextcloud: upgrade to v24.0.5 [1] [2]
    • 🚀 postgresql: update pgmetrics to v1.13.1
    • 0️⃣ shaarli: hardening: run shaarli under a dedicated shaarli user account (don't use the default shared www-data user)
    • ⬆️ xsrv: upgrade ansible to v6.4.0
    • 🌐 nextcloud/netdata: mitigate frequent httpckeck alarms on the nextcloud web service response time (httpcheck_web_service_unreachable), increase the timeout of the check to 3s
    • common: sysctl: automatically reboot the host after 60 seconds in case of kernel panic
    • 🌲 common: hardening: ensure /var/log/wtmp is not world-readable
    • 🔒 common: login/ssh: hardening: kill user processes when an interactive user logs out (except for root). Lock idle login sessions after 15 minutes of inactivity.
    • 0️⃣ common: ssh: hardening: replace the server's default 2048 bits RSA keypair with 4096 bits keypair
    • 🔧 common: sudo: hardening: configure sudo to run processes in a pseudo-terminal
    • common: users/pam: hardening: increase the number of rounds for hashing group passwords
    • common: sysctl: hardening: only allow root/users with CAP_SYS_PTRACE to use ptrace
    • 0️⃣ common: sysctl: hardening: disable more kernel modules by default (bluetooth, audio I/O, USB storage, USB MIDI, UVC/V4L2/CPIA2 video devices, thunderbolt, floppy, PC speaker beep)
    • common: sysctl: hardening: restrict loading TTY line disciplines to the CAP_SYS_MODULE capability
    • common: sysctl: hardening: protect against unintentional writes to an attacker-controlled FIFO
    • common: sysctl: hardening: prevent even the root user from reading kernel memory maps
    • common: sysctl: hardening: enable BPF JIT hardening
    • 👍 common: sysctl: hardening: disable ICMP redirect support for IPv6
    • all roles: require ansible-core>=2.12/ansible>=6.0.0
    • 🚀 common: improve check mode support before first deployment
    • ✅ tools/tests: improve/simplify test tools

    🛠 Fixed:

    • common: users: fix errors during creation fo sftponly user accounts when no groups are defined in the user definition

    Full changes since v1.8.1