xsrv v1.10.0 Release Notes

Release Date: 2022-11-19
  • โฌ†๏ธ Upgrade procedure:

    • 🚀 xsrv upgrade to upgrade roles/ansible environments to the latest release
    • 🚚 move the public_keys/ directory from the root of your project directory, under the data/ directory.
    • 🚚 if it exists, move the certificates/ directory from the root of your project directory, under the data/ directory.
    • common: if you had changed the variable os_security_kernel_enable_core_dump from its default value in your hosts/groups configuration, rename it to [kernel_enable_core_dump](https://gitlab.com/nodiscc/xsrv/-/blob/master/roles/common/defaults/main.yml)
    • graylog/monitoring_rsyslog: move the *-graylog-ca.crt file from the public_keys/ directory to the data/certificates/ directory (create it if it does not exist)
    • openldap: self-service-password: if you had changed the variable self_service_password_allowed_hosts from its default value in your hosts/groups configuration, update it to the new format (a YAML list instead of a list of addresses separated by spaces):

Previous changes from v1.9.0

  • โฌ†๏ธ Upgrade procedure:

    • โฌ†๏ธ xsrv self-upgrade to upgrade the xsrv script
    • ๐Ÿš€ xsrv upgrade to upgrade roles/ansible environments to the latest release
    • gitea: if you rely on custom git hooks for your projects, set gitea_enable_git_hooks: yes in the host configuration/vars file (xsrv edit-host)
    • 🚀 xsrv deploy to apply changes

    ➕ Added:

    ✂ Removed:

    🔄 Changed:

    • 0๏ธโƒฃ gitea: disable git hooks by default
    • ๐Ÿš€ gitea: upgrade to v1.17.2 [1] [2] [3] [4]
    • ๐Ÿš€ openldap: update self-service-password to v1.5.1 [1] [2]
    • ๐Ÿš€ nextcloud: upgrade to v24.0.5 [1] [2]
    • ๐Ÿš€ postgresql: update pgmetrics to v1.13.1
    • 0๏ธโƒฃ shaarli: hardening: run shaarli under a dedicated shaarli user account (don't use the default shared www-data user)
    • โฌ†๏ธ xsrv: upgrade ansible to v6.4.0
    • ๐ŸŒ nextcloud/netdata: mitigate frequent httpckeck alarms on the nextcloud web service response time (httpcheck_web_service_unreachable), increase the timeout of the check to 3s
    • common: sysctl: automatically reboot the host after 60 seconds in case of kernel panic
    • 🌲 common: hardening: ensure /var/log/wtmp is not world-readable
    • 🔒 common: login/ssh: hardening: kill user processes when an interactive user logs out (except for root). Lock idle login sessions after 15 minutes of inactivity.
    • 0️⃣ common: ssh: hardening: replace the server's default 2048-bit RSA keypair with a 4096-bit keypair
    • 🔧 common: sudo: hardening: configure sudo to run processes in a pseudo-terminal
    • common: users/pam: hardening: increase the number of rounds for hashing group passwords
    • common: sysctl: hardening: only allow root/users with CAP_SYS_PTRACE to use ptrace
    • 0๏ธโƒฃ common: sysctl: hardening: disable more kernel modules by default (bluetooth, audio I/O, USB storage, USB MIDI, UVC/V4L2/CPIA2 video devices, thunderbolt, floppy, PC speaker beep)
    • common: sysctl: hardening: restrict loading TTY line disciplines to the CAP_SYS_MODULE capability
    • common: sysctl: hardening: protect against unintentional writes to an attacker-controlled FIFO
    • common: sysctl: hardening: prevent even the root user from reading kernel memory maps
    • common: sysctl: hardening: enable BPF JIT hardening
    • ๐Ÿ‘ common: sysctl: hardening: disable ICMP redirect support for IPv6
    • all roles: require ansible-core>=2.12/ansible>=6.0.0
    • ๐Ÿš€ common: improve check mode support before first deployment
    • โœ… tools/tests: improve/simplify test tools
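    As an added check (not part of xsrv or this release), the sysctl hardening items above can be audited against a `sysctl -a` dump before and after deploying. The key names and target values in EXPECTED are my reading of each changelog item and are assumptions, not xsrv's own role variables; the sample dump is constructed.

```shell
#!/bin/sh
# Added audit helper, not part of xsrv. Compares a `sysctl -a` dump against the
# kernel hardening items listed in this release. The key/value mapping below is
# an assumption: my reading of each changelog item, not xsrv's own role variables.
EXPECTED='kernel.panic=60
kernel.yama.ptrace_scope=2
dev.tty.ldisc_autoload=0
fs.protected_fifos=2
kernel.kptr_restrict=2
net.core.bpf_jit_harden=2
net.ipv6.conf.all.accept_redirects=0
net.ipv6.conf.default.accept_redirects=0'

# Constructed sample of `sysctl -a` output from a partially hardened host
SAMPLE='kernel.panic = 0
kernel.yama.ptrace_scope = 2
dev.tty.ldisc_autoload = 1
fs.protected_fifos = 2
kernel.kptr_restrict = 1
net.core.bpf_jit_harden = 2
net.ipv6.conf.all.accept_redirects = 1
net.ipv6.conf.default.accept_redirects = 0'

# audit_sysctl "<sysctl -a text>": prints one line per key that is missing or
# differs from EXPECTED; the return code is the number of findings (0 = compliant)
audit_sysctl() {
    _input=$1
    _findings=0
    for _pair in $EXPECTED; do          # one key=value entry per iteration
        _key=${_pair%%=*}
        _want=${_pair#*=}
        _re=$(printf '%s' "$_key" | sed 's/\./\\./g')   # literal dots in the regex
        _have=$(printf '%s\n' "$_input" | sed -n "s/^$_re *= *//p")
        if [ -z "$_have" ]; then
            echo "MISSING  $_key (want $_want)"
            _findings=$((_findings + 1))
        elif [ "$_have" != "$_want" ]; then
            echo "MISMATCH $_key = $_have (want $_want)"
            _findings=$((_findings + 1))
        fi
    done
    return $_findings
}

# Run against the live host with: audit_sysctl "$(sysctl -a 2>/dev/null)"
audit_sysctl "$SAMPLE" || echo "$? hardening item(s) need attention"
```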

    🛠 Fixed:

    • common: users: fix errors during creation of sftponly user accounts when no groups are defined in the user definition

    Full changes since v1.8.1