Changelog History
v1.2.2 Changes

April 01, 2021

🚀 Upgrade procedure: run `xsrv upgrade` to upgrade roles in your playbook to the latest release.

🛠 Fixed:
- samba: fix nscd default log level, update samba default log level
v1.2.1 Changes

April 01, 2021

🚀 Upgrade procedure: run `xsrv upgrade` to upgrade roles in your playbook to the latest release.

🛠 Fixed:
- tt_rss: fix initial tt-rss schema installation (file has moved)
- ⚡️ samba: fix nscd default log level, update samba default log level
v1.2.0 Changes

March 27, 2021

➕ Added:
- 🔧 homepage: add configurable message/paragraph to homepage (homepage_message)
- add ability to configure multiple aliases/valid domain names for the homepage virtualhost (homepage_vhost_aliases: [])
- 🐎 nextcloud: improve performance (auto-add missing primary keys/indices in database, convert columns to bigint)
✂ Removed:
- openldap: remove `self_service_password_keyphrase` variable (unused since tokens/SMS/question based password resets are disabled)
- 🚚 common: ssh: cleanup/remove unused `MatchGroup rsyncasroot` directive
🔄 Changed:
- 🌲 common: sysctl: enable logging of martian packets
- common: sysctl: ensure sysctl settings also apply to all network interfaces added in the future
- 0️⃣ common: ssh: set loglevel to VERBOSE by default
- 🔊 samba: increase log level, enable detailed authentication success/failure logs, clarify log prefix
- 📚 update documentation
🛠 Fixed:
- rocketchat: fix role idempotence (ownership of data directories)
🔒 Security:
- rocketchat: fix port 3001 exposed on 0.0.0.0 instead of localhost-only/firewall bypass
- ⚡️ gitea: update to v1.13.6
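The rocketchat fix above is the general case of a service that should only be reachable through the reverse proxy (or not at all from outside) but is bound to 0.0.0.0. The following audit script is an added example, not code from xsrv or its changelog: it parses the output of `ss -H -lntp` and reports every listener bound to a wildcard address on a port that is not expected to be public. The sample `ss` output and the allow-list of public ports (22, 80 and 443, matching the SSH/HTTP/HTTPS firewall defaults listed in the v1.0.0 notes below) are constructed for this example.

```python
"""Flag listening TCP sockets bound to all interfaces.

Reads the output of `ss -H -lntp` (listening, numeric, TCP, with process
names, header suppressed). SAMPLE_SS_OUTPUT is constructed for this example.
"""
import re
import sys
from ipaddress import ip_address

SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 127.0.0.1:3001 0.0.0.0:* users:(("node",pid=1201,fd=21))
LISTEN 0 128 0.0.0.0:3001 0.0.0.0:* users:(("node",pid=1202,fd=21))
LISTEN 0 4096 *:443 *:* users:(("apache2",pid=900,fd=6))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=700,fd=3))
LISTEN 0 4096 [::1]:19999 [::]:* users:(("netdata",pid=810,fd=5))
"""

# Ports expected to be reachable from outside; an assumption for this example,
# matching the SSH/HTTP/HTTPS firewall defaults described in the v1.0.0 notes.
ALLOWED_PUBLIC_PORTS = {22, 80, 443}

_PROC_RE = re.compile(r'users:\(\("([^"]+)"')


def parse_local_endpoint(endpoint):
    """Split an ss 'addr:port' field into (addr, port); handles '*' and [ipv6]."""
    addr, _, port = endpoint.rpartition(":")
    return addr.strip("[]"), int(port)


def is_wildcard(addr):
    """True when the bind accepts connections on every interface."""
    if addr in ("*", ""):
        return True
    try:
        return ip_address(addr).is_unspecified  # 0.0.0.0 or ::
    except ValueError:
        return False


def find_exposed_listeners(ss_output, allowed_ports=ALLOWED_PUBLIC_PORTS):
    """Return [(process, addr, port)] for wildcard binds on ports not in allowed_ports."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skips a header line (if -H was omitted) and blank lines
        addr, port = parse_local_endpoint(fields[3])
        if not is_wildcard(addr) or port in allowed_ports:
            continue
        m = _PROC_RE.search(line)
        exposed.append((m.group(1) if m else "?", addr, port))
    return exposed


if __name__ == "__main__":
    # Pipe real output in: ss -H -lntp | python3 audit_listeners.py
    data = SAMPLE_SS_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for proc, addr, port in find_exposed_listeners(data):
        print(f"WARNING: {proc} listens on {addr}:{port} (all interfaces)")
```

On the sample input only the second `node` socket (0.0.0.0:3001) is reported; the loopback-bound 127.0.0.1:3001 and [::1]:19999 sockets are fine, and 22/443 are on the allow-list. Binding to loopback matters even when a host firewall is in place: if the port is published by a container runtime such as Docker, the runtime installs its own NAT rules that are evaluated before the host's INPUT chain, which is the "firewall bypass" the changelog entry refers to.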
v1.1.0 Changes

March 14, 2021

➕ Added:
- ⬆️ xsrv: add self-upgrade command
- monitoring: add netdata-debsecan module
- common: ensure NTP service is started
- 🔧 common: make timezone configurable (default to not touching the timezone)
- 📚 openldap: add Self Service Password password reset tool (fixes #401)
  - requires manual configuration of `self_service_password_fqdn` and `vault_self_service_password_keyphrase`
  - auto-configure apache and `selfsigned` or `letsencrypt` certificates + php-fpm
  - by default only allow access from LAN/private addresses in `self_service_password_allowed_hosts`
  - when the samba role is enabled, use the LDAP admin DN to access the directory (required to be able to change the `sambaNtPassword` attribute)
  - make various settings configurable, add correctness checks for all variables
- 🔧 openldap: make log level configurable
- homepage: add jellyfin/self-service-password links (when relevant roles/variables are enabled)
- 📚 jellyfin: add LDAP authentication documentation
- 🔧 jellyfin: add fail2ban configuration/bruteforce prevention on jellyfin login attempts
- jellyfin/backup: add automatic backups (only backup db/metadata/configuration by default, allow enabling media directory backups with `jellyfin_enable_media_backups`)
- 0️⃣ jellyfin: create subdirectories for each library type under the default media directory/jellyfin samba share
- samba/backup: allow disabling automatic backups of samba shares (`samba_enable_backups`)
- 🌲 shaarli/monitoring: aggregate data/log.txt to syslog using the imfile module
🔄 Changed:
- 📚 update documentation (upgrade procedure, example playbook, mirrors, TOC, links, ansible-collection installation, list of all variables, ansible.cfg, sysctl settings...)
- ⬆️ openldap: upgrade ldap-account-manager to v7.4 (https://www.ldap-account-manager.org/lamcms/changelog)
- openldap: prevent LDAP lookups for local user accounts
- 🌲 openldap: decrease log verbosity
- 🚀 gitea: upgrade to 1.13.3 - https://github.com/go-gitea/gitea/releases
- ⬆️ nextcloud: upgrade to 20.0.8 - https://nextcloud.com/changelog/
🛠 Fixed:
- 0️⃣ xsrv: fix show-defaults command (by default display all role defaults for the default playbook)
- homepage: fix mumble and ldap-account-manager links
- samba: fix duplicate execution of the openldap role when samba uses LDAP passdb backend
- rocketchat: fix variable checks not being run before applying the role
- rocketchat: fix permissions/ownership of mongodb/rocketchat data directories
- tt_rss: fix error 'Please set SELF_URL_PATH to the correct value detected for your server'
- samba/jellyfin: fix automatic jellyfin samba share creation, fix permissions on jellyfin samba share
- monitoring: fix ansible --check mode when netdata is not installed yet
- 🔊 shaarli: set apache directoryindex to index.php, prevent error messages in logs at every page access
🚧 Tools/maintenance:
- 🖨 Makefile: add a make changelog target (print commits since last tag)
- 🚀 Makefile: automate release procedure (`make release`)
- tt-rss: cleanup/grouping
- 0️⃣ roles/*/defaults/main.yml: add header for all defaults files
- ⬆️ upgrade ansible to 2.10.7 - https://pypi.org/project/ansible/#history
- 🚚 move TODOs to issues
v1.0.0 Changes

February 12, 2021

🚀 This is a major rewrite of https://github.com/nodiscc/srv01. To upgrade/migrate from previous releases, you must redeploy services to a new instance, and restore user data from backups/exports.
📚 This release improves usability, portability, standards compliance, separation of concerns, performance, documentation and security, simplifies installation and usage, and adds new features to all roles/components. A summary of changes is included below. See [README.md](README.md) for more information.
xsrv command-line tool
- 👌 improve/simplify command-line usage, see `xsrv help`
- 🔨 refactor main script/simplify/cleanup
- 👉 use pwgen (optional) to generate random passwords during host creation
- 👉 make installation to $PATH and use of sudo optional
- ⬆️ use ansible-galaxy collections for role upgrades method
🔨 example playbook: refactor:
- add examples for playbook, inventory, group_vars and host_vars (cleartext and vaulted) files
- 0️⃣ disable all but essential roles by default. Additional roles should be enabled manually by the admin
- 0️⃣ firewall: by default, allow incoming traffic for netdata dashboard from LAN (monitoring role is enabled by default)
- 0️⃣ firewall: by default, allow incoming SSH from anywhere (key-based authentication is enabled so this is reasonably secure)
- 0️⃣ firewall: by default, allow HTTP/HTTPS access from anywhere (required for let's encrypt http-01 challenge, and apache role is enabled by default)
- 🔧 firewall: change the default policy for the 'global' firehol_network definition to RETURN (changes nothing in the default configuration, makes adding other network definitions easier)
- 0️⃣ doc: add firewall examples for all services (only from LAN by default)
- doc: add example .gitlab-ci.yml
- 0️⃣ ansible/all roles: use ansible-vault as default storage for sensitive values
- ansible: use .ansible-vault-password as vault password file
- ansible: speed up ansible SSH operations using controlmaster and pipelining SSH options
- host_vars: add a netdata check for successful daily backups
- host_vars: add netdata process checks for ssh, fail2ban, ntp, httpd, sql
- 0️⃣ host_vars: auto-restart services by default when needrestart detects a restart is required
- ✂ remove unused directories, cleanup
🔨 common: refactor role:
- import from https://gitlab.com/nodiscc/ansible-xsrv-common
- ⚡️ unattended-upgrades: allow automatic upgrades from stable-updates repository
- ⬆️ unattended-upgrades: install apt-listchanges (mail with a summary of changes will be sent to the server admin)
- 👉 add ansible_user_allow_sudo_rsync_nopasswd option (allow ansible user to run sudo rsync without password)
- 🔧 msmtp: require manual configuration of msmtp host/username/password (if msmtp installation is enabled)
- 🔧 dns: add ability to configure multiple DNS nameservers in /etc/resolv.conf
- 📦 packages: enable haveged installation by default
- 📦 packages: don't install pwgen/secure-delete/autojump by default, add man package
- 🚚 sshd: remove deprecated UsePrivilegeSeparation option
- 🔧 sshd: make ssh server log level, PasswordAuthentication, AllowTcpForwarding and PermitRootLogin options configurable
- sshd: fix acceptance of the LANG and LC_* environment variables from the client
- sshd: explicitly deny AllowTcpForwarding, AllowAgentForwarding, GatewayPorts and X11Forwarding for the sftponly group
- sshd: add [email protected] KexAlgorithm
- 🐳 firewall: add an option to generate firewall rules compatible with docker swarm routing/port forwarding
- 0️⃣ firewall: allow outgoing mail submission/port 587 by default
- firewall: make firewall config file only readable by root
- firewall: use an alias/variable to define LAN IP networks, templatize
- 🔧 firewall/fail2ban: prevent firehol from overwriting fail2Ban rules, remove interaction/integration between services, split firewall/fail2ban configuration tasks, add ability to disable both
- 🔧 fail2ban: make more settings configurable (destination e-mail, default findtime/maxretry/bantime)
- users: simplify management, remove remotebackup options/special remotebackup user/tasks
- 👉 users: linux_users is now compatible with ansible users module syntax, with added ssh_authorized_keys and sudo_nopasswd_commands parameters
- users: fix user password generation (use random salt, make task idempotent by setting update_password: on_create by default)
- 👉 users: ensure ansible user home is not world-readable
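The sshd entries above (configurable PasswordAuthentication/PermitRootLogin/AllowTcpForwarding, forwarding explicitly denied for the sftponly group) are the settings that justify leaving SSH open to the world in the example playbook. The linter below is an added example, not part of xsrv: it parses an sshd_config with the same precedence rules as sshd(8) (the first value read for a keyword wins; a `Match` block overrides the global value only for matching sessions) and reports deviations from the expected values. The sample configuration, the expected values and the `lint_sshd_config` function name are constructed for this example and are not the role's template.

```python
"""Check an sshd_config for the hardening settings listed in the changelog.

SAMPLE_SSHD_CONFIG is constructed for this example. Parsing follows sshd(8):
keywords are case-insensitive, the first occurrence of a keyword in a section
wins, and a Match block overrides global values only for matching sessions.
"""

SAMPLE_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
LogLevel VERBOSE
AllowTcpForwarding yes
AcceptEnv LANG LC_*
Match Group sftponly
    ChrootDirectory %h
    ForceCommand internal-sftp
    AllowTcpForwarding no
    AllowAgentForwarding no
    GatewayPorts no
    X11Forwarding no
"""

# Expected values (assumption for this example): global section, then the
# sftponly Match block where the forwarding options must be explicitly denied.
GLOBAL_EXPECTED = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "loglevel": "verbose",
}
SFTPONLY_EXPECTED = {
    "allowtcpforwarding": "no",
    "allowagentforwarding": "no",
    "gatewayports": "no",
    "x11forwarding": "no",
}


def parse_sshd_config(text):
    """Return {"global": {kw: value}, "match": {"<criteria>": {kw: value}}} (all lower-case)."""
    sections = {"global": {}, "match": {}}
    current = sections["global"]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        parts = line.split(None, 1)
        kw = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if kw == "match":
            current = sections["match"].setdefault(value, {})
            continue
        current.setdefault(kw, value)  # first occurrence wins, as in sshd(8)
    return sections


def lint_sshd_config(text):
    """Return a list of findings; an empty list means every checked setting is as expected."""
    cfg = parse_sshd_config(text)
    findings = []
    for kw, want in GLOBAL_EXPECTED.items():
        got = cfg["global"].get(kw)
        if got != want:
            findings.append(f"global {kw}: expected {want}, got {got}")
    sftp = cfg["match"].get("group sftponly")
    if sftp is None:
        findings.append("no 'Match Group sftponly' block")
        return findings
    for kw, want in SFTPONLY_EXPECTED.items():
        # A keyword absent from the Match block inherits the global value.
        got = sftp.get(kw, cfg["global"].get(kw))
        if got != want:
            findings.append(f"sftponly {kw}: expected {want}, got {got}")
    return findings


if __name__ == "__main__":
    print("hardened sample:", lint_sshd_config(SAMPLE_SSHD_CONFIG) or "OK")
    weak = SAMPLE_SSHD_CONFIG.replace("PasswordAuthentication no", "PasswordAuthentication yes")
    weak = weak.replace("    AllowTcpForwarding no\n", "")
    for finding in lint_sshd_config(weak):
        print("weak sample:", finding)
```

The second run in `__main__` shows the inheritance rule that makes the "explicitly deny" wording in the changelog matter: once `AllowTcpForwarding no` is removed from the Match block, sftponly users inherit the global `AllowTcpForwarding yes`, and the linter reports it. A missing global `PasswordAuthentication` is also reported, because sshd defaults it to `yes` when it is not set.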
🔨 monitoring: refactor role:
- import from https://gitlab.com/nodiscc/ansible-xsrv-monitoring
- 0️⃣ netdata: add ssl/x509 expiration checks, make the http check timeout value optional (default 1s)
- 📦 netdata: allow installation from deb packages/packagecloud APT repository, make it the default
- 🌲 netdata: decrease frequency of apache status checks to 10 seconds (decrease log spam)
- netdata: disable access logs and debug logs by default (performance), add netdata_disable_*_log variables to configure it
- netdata: disable cloud/SaaS features by default, add netdata_cloud_enabled variable to configure it
- 🌐 netdata: disable web server gzip compression since we only use ssl
- 🔧 netdata: install and configure https://gitlab.com/nodiscc/netdata-logcountmodule, disable notifications by default
- 🔧 netdata: install and configure https://gitlab.com/nodiscc/netdata-modtime module
- 🔧 netdata: make dbengine disk space size and memory page cache size configurable
- netdata: monitor mysql server if mariadb role is enabled (add netdata mysql user)
- 🔧 netdata: add default configuration for health notifications
- 🚀 netdata: upgrade to latest stable release
- 0️⃣ rsyslog: aggregate all log messages to `/var/log/syslog` by default
- ⬆️ rsyslog: monitor samba, gitea, mumble-server, openldap, nextcloud, unattended-upgrades and rsnapshot log files with the imfile module (when the corresponding roles are enabled)
- 🔊 rsyslog: make aggregation of apache access logs to syslog optional, disable by default
- 🔊 rsyslog: disable aggregation of netdata logs to syslog by default (very noisy, many false-positive ERROR messages)
- 🔊 rsyslog: discard apache access logs caused by netdata apache monitoring
- 0️⃣ needrestart: don't auto-restart services by default
- extend list of command-line monitoring tools (lsof/strace)
- 📚 various fixes, reorder, cleanup, update documentation, fix role/certificate generation idempotence, make more components optional
backup role
- import from https://gitlab.com/nodiscc/ansible-xsrv-backup
- 🚚 auto-load rsnapshot configuration from `/etc/rsnapshot.d/*.conf`, remove hardcoded xsrv roles integration
- 🔧 check rsnapshot configuration after copying files
- restrict access to backups directory to root only
- 👷 redirect cron job stdout to /dev/null, only send errors by mail
- write rsnapshot last success time to file (allows monitoring the time since last successful backup)
- store ssh public key to ansible facts (this will allow generating a human readable document/dashboard with hosts information)
🔨 lamp role: refactor:
- import from https://gitlab.com/nodiscc/ansible-xsrv-lamp
- split lamp role to separate apache and mariadb roles
apache role:
- 🔨 import/refactor/split role from https://gitlab.com/nodiscc/ansible-xsrv-lamp
- 🚚 use apache mod-md for Let's Encrypt certificate generation, remove certbot and associated ansible tasks
- 🚚 switch to php-fpm interpreter, remove mod_php
- switch to mpm_event, disable mpm_worker
- switch to HTTP2
- ✂ remove ability to create custom virtualhosts
- ✂ remove automatic homepage generation feature (will be split to separate role)
- enforce fail2ban bans on HTTP basic auth failures
- 0️⃣ set the default log format to `vhost_combined` (all vhosts to a single file)
- rename cert_mode variable to https_mode
- 0️⃣ don't enable mod-deflate by default
- 👍 add variable apache_allow_robots (allow/disallow robots globally, default no)
- ➕ add hard dependency on common role
- ⚡️ update doc, cleanup, formatting, add screenshot
- 🔧 require manual configuration of the letsencrypt admin email address
- 🔒 disable X-Frame-Options header, as the Content-Security-Policy frame-ancestors directive replaces/obsoletes it
- 🔒 disable setting a default Content-Security-Policy: each application is responsible for setting an appropriate CSP (including frame-ancestors, which is now the only clickjacking protection since X-Frame-Options is no longer sent)
- mark HTTP->HTTPS redirects as permanent (HTTP code 301)
- exclude /server-status from automatic HTTP -> HTTPS redirects
- 0️⃣ ensure the default/fallback vhost is always the first in load order, raise HTTP error 403 and autoindex:error when accessing the default vhost
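Two entries above describe one mechanism: the common role makes fail2ban's findtime/maxretry/bantime configurable, and the apache role enforces bans on HTTP basic auth failures. The script below is an added example, not xsrv code or a fail2ban filter from the project: it applies the same sliding-window rule to Apache 2.4 error-log lines (mod_auth_basic messages AH01617 "authentication failure" and AH01618 "user not found"), so the effect of each of the three parameters can be checked against real or constructed log lines. The log lines, the parameter defaults and the function names are constructed for this example; nextcloud login failures (also banned per the notes below) use a different log format and are not covered.

```python
"""Sliding-window ban decision over Apache basic-auth failures.

Mirrors the fail2ban parameters findtime / maxretry / bantime: a client that
produces maxretry failures within findtime seconds is banned for bantime
seconds. SAMPLE_ERROR_LOG is constructed for this example (Apache 2.4 error
log format, mod_auth_basic messages AH01617 / AH01618).
"""
import re
from datetime import datetime, timedelta

SAMPLE_ERROR_LOG = """\
[Sat Mar 13 10:00:01.000000 2021] [auth_basic:error] [pid 1234:tid 1] [client 203.0.113.5:51234] AH01617: user admin: authentication failure for "/admin/": Password Mismatch
[Sat Mar 13 10:00:05.000000 2021] [auth_basic:error] [pid 1234:tid 1] [client 203.0.113.5:51240] AH01618: user root not found: /admin/
[Sat Mar 13 10:00:09.000000 2021] [auth_basic:error] [pid 1234:tid 1] [client 198.51.100.7:40001] AH01617: user bob: authentication failure for "/admin/": Password Mismatch
[Sat Mar 13 10:00:12.000000 2021] [auth_basic:error] [pid 1234:tid 1] [client 203.0.113.5:51250] AH01617: user admin: authentication failure for "/admin/": Password Mismatch
[Sat Mar 13 10:00:30.000000 2021] [core:error] [pid 1234:tid 1] [client 203.0.113.5:51260] AH00037: Symbolic link not allowed: /var/www/html/x
[Sat Mar 13 10:15:00.000000 2021] [auth_basic:error] [pid 1234:tid 1] [client 198.51.100.7:40002] AH01618: user alice not found: /admin/
[Sat Mar 13 10:15:03.000000 2021] [auth_basic:error] [pid 1234:tid 1] [client 198.51.100.7:40003] AH01617: user bob: authentication failure for "/admin/": Password Mismatch
"""

# Equivalent of a fail2ban failregex for mod_auth_basic failures; other
# [module:error] lines (such as AH00037 above) must not count as failures.
FAILREGEX = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[auth_basic:error\] \[pid [^\]]+\] "
    r"\[client (?P<ip>[0-9a-fA-F.:]+):\d+\] AH0161[78]: "
)
TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"


def parse_failures(log_text):
    """Yield (timestamp, client_ip) for every line matching FAILREGEX, in file order."""
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), TS_FORMAT), m.group("ip")


def compute_bans(log_text, findtime=600, maxretry=3, bantime=3600):
    """Return {ip: ban_time} for clients reaching maxretry failures within findtime seconds.

    Failures logged while a ban is active are ignored, as fail2ban would not
    see them once the firewall drops the client's packets.
    """
    window = timedelta(seconds=findtime)
    recent = {}  # ip -> timestamps of failures still inside the window
    bans = {}    # ip -> time the ban was issued
    for ts, ip in parse_failures(log_text):
        if ip in bans and ts < bans[ip] + timedelta(seconds=bantime):
            continue
        hits = [t for t in recent.get(ip, []) if ts - t <= window]
        hits.append(ts)
        recent[ip] = hits
        if len(hits) >= maxretry:
            bans[ip] = ts
            recent[ip] = []
    return bans


if __name__ == "__main__":
    for ip, when in compute_bans(SAMPLE_ERROR_LOG).items():
        print(f"ban {ip} at {when.isoformat()} (maxretry=3)")
    for ip, when in compute_bans(SAMPLE_ERROR_LOG, maxretry=2).items():
        print(f"ban {ip} at {when.isoformat()} (maxretry=2)")
```

With the defaults used here (findtime 600 s, maxretry 3) only 203.0.113.5 is banned, at its third failure; 198.51.100.7's first failure falls out of the window before its next two, so it stays under the threshold. Lowering maxretry to 2 bans both, which is the trade-off the configurable findtime/maxretry/bantime values expose: a short findtime tolerates slow guessing, a low maxretry bans users who mistype a password twice.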
🔨 nextcloud: refactor role:
- import from https://gitlab.com/nodiscc/ansible-xsrv-nextcloud
- ⬆️ determine appropriate setup procedure depending on whether nextcloud is already installed or not, installed version and current role version (installation/upgrades are now idempotent)
- add support for let's encrypt certificates (use mod_md when nextcloud_rss_https_mode: letsencrypt. else generate self-signed certificates)
- 👉 use ansible local fact file to store nextcloud installed version
- ensure correct/restrictive permissions are set
- 👌 support postgresql as database engine, make it the default
- 🔧 move apache configuration steps to separate file, add full automatic virtualhost configuration for nextcloud
- reorder setup procedure (setup apache last)
- enable additional php modules https://docs.nextcloud.com/server/16/admin_manual/installation/source_installation.html#apache-web-server-configuration
- reload apache instead of restarting when possible
- 🔧 make basic settings configurable through ansible (FQDN, install directory, full URL, share_folder...)
- 🔧 require manual configuration of nextcloud FQDN
- enforce fail2ban bans on nextcloud login failures
- ⬆️ upgrade nextcloud to latest stable version (https://nextcloud.com/changelog)
- ⬆️ upgrade all nextcloud apps to latest compatible versions
- 🔧 make installed/enabled applications configurable
- enable APCu memcache
- gallery app replaced with photos app
- optional integration with backup role, delegate database backups to the respective database role (mariadb/postgresql)
- ➕ add deck, notes, admin_audit and maps apps
- ➕ add php-fpm configuration
- 👷 run background jobs via cron every 5 minutes
Migrating Nextcloud data to Postgresql from a MySQL-based installation: