xsrv v1.10.0 Release Notes
Release Date: 2022-11-19
Upgrade procedure:
- `xsrv upgrade` to upgrade roles/ansible environments to the latest release
- move the `public_keys/` directory from the root of your project directory, under the `data/` directory.
- if it exists, move the `certificates/` directory from the root of your project directory, under the `data/` directory.
- common: if you had changed the variable `os_security_kernel_enable_core_dump` from its default value in your hosts/groups configuration, rename it to [`kernel_enable_core_dump`](https://gitlab.com/nodiscc/xsrv/-/blob/master/roles/common/defaults/main.yml)
- graylog/monitoring_rsyslog: move the `*-graylog-ca.crt` file from the `public_keys/` directory to the `data/certificates/` directory (create it if it does not exist)
- openldap: self-service-password: if you had changed the variable `self_service_password_allowed_hosts` from its default value in your host/groups configuration, update it to the new format (YAML list instead of a list of addresses separated by spaces):
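The file moves and variable changes from the upgrade procedure above, carried out by a script. This is an added example, not part of xsrv: it assumes the project layout the notes describe (`public_keys/`, `certificates/` and `data/` at the project root), that host/group configuration lives in `*.yml` files somewhere under the project, and that the old `self_service_password_allowed_hosts` value was a quoted, space-separated string (assumed old form); the new value is written as a YAML flow list. Run `xsrv upgrade` first, then this script against your project directory, and review the resulting configuration diff before `xsrv deploy`.

```shell
#!/bin/sh
# Added example (not xsrv's own code): apply the v1.10.0 project-layout
# migration steps to a project directory. Assumptions: public_keys/,
# certificates/ and data/ sit at the project root; configuration is in *.yml
# files under the project (data/ excluded); the old allowed-hosts value was a
# space-separated string.
set -eu

# Move $2 from the project root to data/$2. No-op if it is absent; refuses to
# overwrite an existing destination so a half-done migration is not clobbered.
move_under_data() {
    project="$1"; name="$2"
    [ -d "$project/$name" ] || return 0
    mkdir -p "$project/data"
    if [ -e "$project/data/$name" ]; then
        echo "error: $project/data/$name already exists, not overwriting" >&2
        return 1
    fi
    mv "$project/$name" "$project/data/$name"
}

# Move *-graylog-ca.crt files to data/certificates/ (created on demand).
# Looks in the old public_keys/ location and in its new data/ location.
move_graylog_ca() {
    project="$1"
    for f in "$project"/public_keys/*-graylog-ca.crt "$project"/data/public_keys/*-graylog-ca.crt; do
        [ -f "$f" ] || continue
        mkdir -p "$project/data/certificates"
        mv "$f" "$project/data/certificates/"
    done
}

# Rename a YAML key ($2 -> $3) in every *.yml file under the project, data/ excluded.
# The sed pattern only matches the key at the start of a line (leading indent kept).
rename_yaml_key() {
    project="$1"; old="$2"; new="$3"
    find "$project" -path "$project/data" -prune -o -name '*.yml' -type f -print | while read -r f; do
        grep -q "^[[:space:]]*$old:" "$f" || continue
        sed "s/^\([[:space:]]*\)$old:/\1$new:/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
        echo "renamed $old -> $new in $f"
    done
}

# Rewrite `self_service_password_allowed_hosts: "a b c"` as
# `self_service_password_allowed_hosts: ['a', 'b', 'c']`. Values that are
# empty (block list follows) or already start with "[" are left untouched.
convert_allowed_hosts() {
    project="$1"; key="self_service_password_allowed_hosts"
    find "$project" -path "$project/data" -prune -o -name '*.yml' -type f -print | while read -r f; do
        grep -q "^[[:space:]]*$key:" "$f" || continue
        awk -v key="$key" -v q="'" '
        $0 ~ "^[ \t]*" key ":" {
            indent = substr($0, 1, index($0, key) - 1)
            val = substr($0, index($0, ":") + 1)
            sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val)
            if (val == "" || substr(val, 1, 1) == "[") { print; next }
            gsub("[\"" q "]", "", val)          # strip surrounding quotes
            n = split(val, hosts, /[ \t]+/)
            out = ""
            for (i = 1; i <= n; i++) out = out (i > 1 ? ", " : "") q hosts[i] q
            print indent key ": [" out "]"
            next
        }
        { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
        echo "converted $key to a YAML list in $f"
    done
}

# Run all migration steps, in the order given in the release notes.
migrate_xsrv_project() {
    project="$1"
    move_under_data "$project" public_keys
    move_under_data "$project" certificates
    move_graylog_ca "$project"
    rename_yaml_key "$project" os_security_kernel_enable_core_dump kernel_enable_core_dump
    convert_allowed_hosts "$project"
}

# Usage: sh migrate.sh /path/to/project
if [ -n "${1-}" ]; then
    migrate_xsrv_project "$1"
fi
```

The key rename and list conversion are deliberately line-anchored so that unrelated variables with similar names or values are never touched, and every file is rewritten through a temporary copy so an interrupted run cannot leave a truncated configuration behind.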
Previous changes from v1.9.0
Upgrade procedure:
- `xsrv self-upgrade` to upgrade the xsrv script
- `xsrv upgrade` to upgrade roles/ansible environments to the latest release
- gitea: if you rely on custom git hooks for your projects, set `gitea_enable_git_hooks: yes` in the host configuration/vars file (`xsrv edit-host`)
- `xsrv deploy` to apply changes
Added:
- xsrv: add `xsrv init-vm-template` command (create a libvirt Debian VM template, unattended using a preconfiguration file)
- add wireguard role - fast and modern VPN server
- nextcloud: enable group folders app by default
- common: allow setting up apt-listbugs to prevent installation of packages with known serious bugs (`apt_listbugs: yes/no`)
- common: allow specifying a list of packages to install/remove (`packages_install/remove`)
- gitea: allow enabling/disabling git hooks and webhooks features globally (`gitea_enable_git_hooks/webhooks`)
- gitea: allow configuring the list of hosts that can be called from webhooks (`gitea_webhook_allowed_hosts`)
- gitea: allow configuring the SSH port exposed in the clone URL (`gitea_ssh_url_port`)
Removed:
- common: remove `setup_cli_utils` and `setup_haveged` variables. Use `packages_install/remove` instead.
Changed:
- gitea: disable git hooks by default
- gitea: upgrade to v1.17.2 [1] [2] [3] [4]
- openldap: update self-service-password to v1.5.1 [1] [2]
- nextcloud: upgrade to v24.0.5 [1] [2]
- postgresql: update pgmetrics to v1.13.1
- shaarli: hardening: run shaarli under a dedicated `shaarli` user account (don't use the default shared `www-data` user)
- xsrv: upgrade ansible to v6.4.0
- nextcloud/netdata: mitigate frequent httpcheck alarms on the nextcloud web service response time (`httpcheck_web_service_unreachable`), increase the timeout of the check to 3s
- common: sysctl: automatically reboot the host after 60 seconds in case of kernel panic
- common: hardening: ensure `/var/log/wtmp` is not world-readable
- common: login/ssh: hardening: kill user processes when an interactive user logs out (except for root). Lock idle login sessions after 15 minutes of inactivity.
- common: ssh: hardening: replace the server's default 2048 bits RSA keypair with a 4096 bits keypair
- common: sudo: hardening: configure sudo to run processes in a pseudo-terminal
- common: users/pam: hardening: increase the number of rounds for hashing group passwords
- common: sysctl: hardening: only allow root/users with CAP_SYS_PTRACE to use ptrace
- common: sysctl: hardening: disable more kernel modules by default (bluetooth, audio I/O, USB storage, USB MIDI, UVC/V4L2/CPIA2 video devices, thunderbolt, floppy, PC speaker beep)
- common: sysctl: hardening: restrict loading TTY line disciplines to the CAP_SYS_MODULE capability
- common: sysctl: hardening: protect against unintentional writes to an attacker-controlled FIFO
- common: sysctl: hardening: prevent even the root user from reading kernel memory maps
- common: sysctl: hardening: enable BPF JIT hardening
- common: sysctl: hardening: disable ICMP redirect support for IPv6
- all roles: require `ansible-core>=2.12/ansible>=6.0.0`
- common: improve check mode support before first deployment
- tools/tests: improve/simplify test tools
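A way to verify that the sysctl hardening items listed above are in effect on a deployed host. This is an added example, not part of xsrv or its roles: the mapping of each changelog item to a kernel knob and expected value (`kernel.yama.ptrace_scope=2`, `fs.protected_fifos=2`, `kernel.kptr_restrict=2`, `net.core.bpf_jit_harden=2`, IPv6 `accept_redirects=0`, `dev.tty.ldisc_autoload=0`, `kernel.panic=60`) is my own reading of the standard kernel interfaces behind those items, not quoted from the role's configuration. The audit function takes the root of a sysctl tree so it can be run against `/proc/sys` on a live host or against a constructed tree offline.

```shell
#!/bin/sh
# Added example (not xsrv's own code): audit a host against the sysctl
# hardening items listed in the changelog. The key/value pairs below are my
# own mapping of each item to the standard kernel knob, not the role's file.
set -eu

# "key expected_value" per line, in the order the items appear above.
EXPECTED='kernel.yama.ptrace_scope 2
fs.protected_fifos 2
kernel.kptr_restrict 2
net.core.bpf_jit_harden 2
net.ipv6.conf.all.accept_redirects 0
net.ipv6.conf.default.accept_redirects 0
dev.tty.ldisc_autoload 0
kernel.panic 60'

# Translate a dotted sysctl key into a path under the tree root $1.
knob_path() {
    printf '%s/%s' "$1" "$(printf '%s' "$2" | tr . /)"
}

# Write value $3 for key $2 into the tree rooted at $1 (used to build test trees).
write_knob() {
    p=$(knob_path "$1" "$2")
    mkdir -p "$(dirname "$p")"
    printf '%s\n' "$3" > "$p"
}

# Compare every expected knob with the value found under tree root $1.
# Prints one OK/FAIL/MISSING line per knob; returns the number of FAILs
# (0 means fully compliant). MISSING is reported but not counted, since an
# older kernel may simply not expose the knob.
audit_sysctl() {
    root="$1"; failures=0
    while read -r key want; do
        path=$(knob_path "$root" "$key")
        if [ ! -r "$path" ]; then
            echo "MISSING $key (knob not present on this kernel)"
            continue
        fi
        have=$(cat "$path")
        if [ "$have" = "$want" ]; then
            echo "OK   $key = $have"
        else
            echo "FAIL $key: have $have, want $want"
            failures=$((failures + 1))
        fi
    done <<EOF
$EXPECTED
EOF
    return "$failures"
}

# Constructed sample tree for offline use: ptrace_scope and kptr_restrict are
# left at weaker values and dev.tty.ldisc_autoload is absent, as on an older kernel.
build_sample_tree() {
    root="$1"
    write_knob "$root" kernel.yama.ptrace_scope 1
    write_knob "$root" fs.protected_fifos 2
    write_knob "$root" kernel.kptr_restrict 1
    write_knob "$root" net.core.bpf_jit_harden 2
    write_knob "$root" net.ipv6.conf.all.accept_redirects 0
    write_knob "$root" net.ipv6.conf.default.accept_redirects 0
    write_knob "$root" kernel.panic 60
}

# Usage: `sh audit.sh --live` checks the running kernel; with no argument the
# constructed sample tree is audited instead.
if [ "${1-}" = "--live" ]; then
    audit_sysctl /proc/sys && echo "all listed knobs are at their hardened values"
else
    demo=$(mktemp -d)
    build_sample_tree "$demo"
    audit_sysctl "$demo" || echo "$? knob(s) deviate from the hardened values"
    rm -rf "$demo"
fi
```

Reading `/proc/sys` directly rather than calling `sysctl` keeps the check dependency-free and lets the same function run against a fake tree, which is how the deviating sample above is exercised without touching the running kernel.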
Fixed:
- common: users: fix errors during creation of `sftponly` user accounts when no groups are defined in the user definition