
Releases: nodiscc/xsrv

1.9.0

18 Sep 12:15
4992a9f

v1.9.0 - 2022-09-18

Upgrade procedure:

  • xsrv self-upgrade to upgrade the xsrv script
  • xsrv upgrade to upgrade roles/ansible environments to the latest release
  • gitea: if you rely on custom git hooks for your projects, set gitea_enable_git_hooks: yes in the host configuration/vars file (xsrv edit-host)
  • xsrv deploy to apply changes

Added:

Removed:

Changed:

  • gitea: disable git hooks by default
  • gitea: upgrade to v1.17.2 [1] [2] [3] [4]
  • openldap: update self-service-password to v1.5.1 [1] [2]
  • nextcloud: upgrade to v24.0.5 [1] [2]
  • postgresql: update pgmetrics to v1.13.1
  • shaarli: hardening: run shaarli under a dedicated shaarli user account (don't use the default shared www-data user)
  • xsrv: upgrade ansible to v6.4.0
  • nextcloud/netdata: mitigate frequent httpcheck alarms on the nextcloud web service response time (httpcheck_web_service_unreachable) by increasing the timeout of the check to 3s
  • common: sysctl: automatically reboot the host after 60 seconds in case of kernel panic
  • common: hardening: ensure /var/log/wtmp is not world-readable
  • common: login/ssh: hardening: kill user processes when an interactive user logs out (except for root). Lock idle login sessions after 15 minutes of inactivity.
  • common: ssh: hardening: replace the server's default 2048 bits RSA keypair with 4096 bits keypair
  • common: sudo: hardening: configure sudo to run processes in a pseudo-terminal
  • common: users/pam: hardening: increase the number of rounds for hashing group passwords
  • common: sysctl: hardening: only allow root/users with CAP_SYS_PTRACE to use ptrace
  • common: sysctl: hardening: disable more kernel modules by default (bluetooth, audio I/O, USB storage, USB MIDI, UVC/V4L2/CPIA2 video devices, thunderbolt, floppy, PC speaker beep)
  • common: sysctl: hardening: restrict loading TTY line disciplines to the CAP_SYS_MODULE capability
  • common: sysctl: hardening: protect against unintentional writes to an attacker-controlled FIFO
  • common: sysctl: hardening: prevent even the root user from reading kernel memory maps
  • common: sysctl: hardening: enable BPF JIT hardening
  • common: sysctl: hardening: disable ICMP redirect support for IPv6
  • all roles: require ansible-core>=2.12/ansible>=6.0.0
  • common: improve check mode support before first deployment
  • tools/tests: improve/simplify test tools
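The sysctl hardening items above only name the behaviour, not the kernel keys. The following audit script is an added example (not code from the xsrv project) that checks a host's `sysctl -a` output against those settings; the mapping from each changelog item to a sysctl key and value is my assumption about how such hardening is usually implemented, and the sample output is constructed.

```python
"""Audit sysctl settings against the kernel hardening items listed in the xsrv 1.9.0 notes.

Added example, not part of the xsrv project. HARDENED_SYSCTLS is an assumed mapping from
each changelog item to a kernel sysctl key; xsrv may set different or additional keys.
"""
import re
import subprocess

# Assumed mapping: changelog item -> (sysctl key, acceptable hardened values)
HARDENED_SYSCTLS = {
    # "only allow root/users with CAP_SYS_PTRACE to use ptrace"
    "kernel.yama.ptrace_scope": {"2"},
    # "restrict loading TTY line disciplines to the CAP_SYS_MODULE capability"
    "dev.tty.ldisc_autoload": {"0"},
    # "protect against unintentional writes to an attacker-controlled FIFO"
    "fs.protected_fifos": {"2"},
    # "prevent even the root user from reading kernel memory maps"
    "kernel.kptr_restrict": {"2"},
    # "enable BPF JIT hardening" (2 = harden for all users, 1 = unprivileged only)
    "net.core.bpf_jit_harden": {"2"},
    # "disable ICMP redirect support for IPv6"
    "net.ipv6.conf.all.accept_redirects": {"0"},
    "net.ipv6.conf.default.accept_redirects": {"0"},
    # "automatically reboot the host after 60 seconds in case of kernel panic"
    "kernel.panic": {"60"},
}


def parse_sysctl_output(text):
    """Parse `sysctl -a` style lines ("key = value") into a {key: value} dict.

    Lines that are blank, comments, or permission warnings are skipped.
    """
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        match = re.match(r"^([\w.\-/]+)\s*=\s*(.*)$", line)
        if match:
            settings[match.group(1)] = match.group(2).strip()
    return settings


def audit(settings, expected=HARDENED_SYSCTLS):
    """Return {key: (actual_value_or_None, acceptable_values)} for every key that is
    missing from `settings` or whose value is not in the hardened set."""
    findings = {}
    for key, acceptable in expected.items():
        actual = settings.get(key)
        if actual not in acceptable:
            findings[key] = (actual, sorted(acceptable))
    return findings


def audit_live_host():
    """Run `sysctl -a` on the current host and audit the result (needs root for some keys)."""
    completed = subprocess.run(["sysctl", "-a"], capture_output=True, text=True, check=False)
    return audit(parse_sysctl_output(completed.stdout))


# Constructed sample output: a partially hardened host with four deviations.
SAMPLE_SYSCTL_OUTPUT = """\
kernel.yama.ptrace_scope = 1
dev.tty.ldisc_autoload = 0
fs.protected_fifos = 2
kernel.kptr_restrict = 1
net.core.bpf_jit_harden = 2
net.ipv6.conf.all.accept_redirects = 0
net.ipv6.conf.default.accept_redirects = 1
kernel.panic = 0
net.ipv4.tcp_rmem = 4096\t131072\t6291456
"""


if __name__ == "__main__":
    for key, (actual, wanted) in audit(parse_sysctl_output(SAMPLE_SYSCTL_OUTPUT)).items():
        print(f"{key}: got {actual!r}, expected one of {wanted}")
```

Run `audit_live_host()` as root to check a deployed host; an empty dict means every assumed key carries its hardened value.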

Fixed:

  • common: users: fix errors during creation of sftponly user accounts when no groups are defined in the user definition

1.8.1

10 Jul 10:27
308e74a

v1.8.1 - 2022-07-10

Upgrade procedure:

  • xsrv upgrade to upgrade roles/ansible environments to the latest release
  • xsrv deploy to apply changes

Fixed:

  • backup/rsnapshot: fix rsnapshot installation, always install from Debian repositories

1.8.0

04 Jul 21:29
65fcb02

v1.8.0 - 2022-07-04

Upgrade procedure:

  • xsrv self-upgrade to upgrade the xsrv script
  • xsrv upgrade to upgrade roles/ansible environments to the latest release
  • gitea/gotty/graylog/homepage/jellyfin/nextcloud/openldap/rocketchat/rss_bridge/shaarli/transmission/tt_rss: ensure the apache role or equivalent is explicitly deployed to the host before deploying any of these roles.
  • jellyfin/samba: if both jellyfin and samba roles are deployed on the same host, ensure samba is deployed before jellyfin (xsrv edit-playbook)
  • valheim_server: if you are using the valheim_server role, update requirements.yml (xsrv edit-requirements) and playbook.yml (xsrv edit-playbook) to use the archived nodiscc.toolbox.valheim_server role instead.
  • xsrv deploy to apply changes

Added:

  • add mail_dovecot role - IMAP mailbox server
  • monitoring: netdata: allow streaming charts data/alarms to/from other netdata nodes (netdata_streaming_*)
  • monitoring: netdata: enable monitoring of hard drives SMART status
  • xsrv: add xsrv ssh subcommand (alias for shell)
  • openldap: allow secure LDAP communication over SSL/TLS on port 636/tcp (use a self-signed certificate)
  • common: allow disabling PAM/user accounts configuration tasks (setup_users: yes/no)
  • common: allow blacklisting unused/potentially insecure kernel modules (kernel_modules_blacklist), disable unused network/firewire modules by default
  • common: automatically remove (purge) configuration files of removed packages, nightly, enabled by default (apt_purge_nightly: yes/no)
  • common: attempt to automatically repair (fsck) failed filesystems on boot
  • docker: allow enabling automatic firewall/iptables rules setup by Docker (docker_iptables: no/yes)
  • docker: install requirements for logging in to private docker registries
  • openldap: self-service-password/ldap-account-manager: make LDAP server URI configurable (*_ldap_url)
  • openldap: ldap-account-manager: allow specifying a trusted LDAPS server certificate (ldap_account_manager_ldaps_cert)
  • samba: make events logged by full_audit configurable (samba_log_full_audit_success_events)
  • shaarli: add an option to configure thumbnail generation mode (shaarli_thumbnails_mode) and default number of links per page (shaarli_links_per_page, default 30)
  • postgresql: download pgmetrics report to the controller when running TAGS=utils-pgmetrics
  • all roles: checks: add an info message pointing to roles documentation when one or more variables are not correctly defined
  • xsrv: xsrv help-tags will now parse tag descriptions from custom roles in roles/ in addition to collections
  • monitoring: utils: add iputils-ping package (ping utility)

Removed:

  • common: firewalld/mail/msmtp: drop compatibility with Debian 10
  • valheim_server: remove role, archive it to separate repository (installs non-free components)

Changed:

  • netdata: needrestart: don't send e-mail notifications for needrestart alarms
  • netdata: debsecan: refresh debsecan reports every 6 hours instead of every hour
  • netdata: disable metrics gathering for /dev and /dev/shm virtual filesystems
  • all roles: check all variable values before failing, when one or more variables are not correctly defined
  • tt_rss: don't send feed update errors by mail, log them to syslog
  • xsrv: always use the first host/group in alphabetical order when no host/group is specified
  • xsrv: upgrade ansible to v5.10.0
  • apache/proxmox: only setup fail2ban when it is marked as managed by ansible through ansible local facts
  • common: ssh: increase the frequency of "client alive" messages to 1 every 5 minutes
  • common: ssh/users: don't allow login for users without an existing home directory
  • apache: rsyslog: prefix apache access logs with apache-access: in syslog when apache_access_log_to_syslog: yes
  • homepage: improve homepage styling/layout, link directly to ssh:// and sftp:// URIs
  • homepage: reword default homepage_message
  • shaarli: default to generating thumbnails only for common media hosts
  • transmission: firewall: always allow bittorrent peer traffic from the public zone
  • monitoring_utils: lynis: review and whitelist non-applicable "suggestion" level report items (lynis_skip_tests)
  • nextcloud: upgrade to v24.0.1 [1] [2] [3]
  • gitea: upgrade to v1.16.8 [1] [2] [3]
  • openldap: ldap-account-manager: upgrade to v7.9.1
  • rss_bridge: upgrade to v2022-06-14
  • postgresql: update pgmetrics to v1.13.0
  • gitea/gotty/graylog/homepage/jellyfin/nextcloud/openldap/rocketchat/rss_bridge/shaarli/transmission/tt_rss: remove hard dependency on apache role
  • cleanup: proxmox: use a single file to configure proxmox APT repositories
  • cleanup: apache: ensure no leftover mod-php installations are present
  • cleanup: common: users: move PAM configuration to the main limits.conf configuration file
  • cleanup/tools: improve check mode support, standardize task names, remove unused template files, make usage of ansible_facts consistent in all roles, clarify xsrv script, reorder functions by purpose/component, automate documentation generation, improve tests/release procedure, automate initial check mode/deployment/idempotence tests
  • update documentation

Fixed:

  • xsrv: init-project: fix inventory not correctly initialized
  • xsrv: fix xsrv shell/fetch-backups when a non-default XSRV_PROJECTS_DIR is specified by the user
  • common: ssh: fix confusion between AcceptEnv and PermitUserEnvironment settings
  • all roles: monitoring/netdata: fix systemd services health checks not loaded by netdata
  • apache: monitoring/rsyslog: fix rsyslog config installation when running with only --tags=monitoring
  • graylog: fix elasticsearch/graylog unable to start caused by too strict permissions on configuration files
  • openldap: ldap-account-manager: fix access to tree view
  • homepage: fix homepage generation when the mumble role was deployed from a different play
  • jellyfin/samba: fix jellyfin samba share creation when samba role is not part of the same play
  • samba: fix samba_passdb_backend: ldapsam mode when openldap role is not part of the same play
  • xsrv: fetch-backups: use the first host in alphabetical order, when no host is specified
  • monitoring: rsyslog: add correctness checks for syslog_retention_days variable
  • monitoring: netdata/needrestart: fix needrestart_autorestart_services value not taken into account when true
  • shaarli/transmission: fix *_https_mode variable checks
  • doc: fix broken links

Security:

  • proxmox: fail2ban: fix detection of failed login attempts

1.7.0

22 Apr 20:26

v1.7.0 - 2022-04-22

Upgrade procedure:

  • xsrv self-upgrade to upgrade the xsrv script
  • xsrv upgrade to upgrade roles/ansible environments to the latest release
  • this upgrade will cause Nextcloud instances to go down for a few minutes, depending on the number of files in their data directory

Added:

  • xsrv: add init-vm command (initialize a ready-to-deploy libvirt VM from a template)
  • xsrv: add edit-group-vault command (edit encrypted group variables file)
  • common: make cron jobs log level configurable (cron_log_level)
  • common: apt: clean downloaded package archives every 7 days by default (apt_clean_days)
  • netdata: allow configuring the fping plugin (ping hosts/measure loss/latency) (netdata_fping_*)
  • netdata: make netdata filechecks configurable (netdata_file_checks)
  • transmission/gotty/jellyfin/docker: monitoring/netdata: raise alarms when corresponding systemd services are in the failed state (and the monitoring_netdata role is deployed)
  • homepage: add rss-bridge to the homepage when the rss_bridge role is deployed on the host
  • add ansible tags: netdata-modules, netdata-needrestart, netdata-debsecan, netdata-logcount, netdata-config

Changed:

  • common: sysctl/security: disable potentially exploitable unprivileged BPF and user namespaces
  • gitea: limit systemd service automatic restart attempts to 4 in 10 seconds
  • gitea: update to v1.16.5 [1] [2] [3] [4] [5]
  • gotty: attempt to restart the systemd service every 2 seconds in case of failure, for a maximum of 4 times in 10 seconds
  • netdata: disable more internal monitoring charts (plugin execution time, webserver threads CPU)
  • netdata: re-add default netdata alarms for the systemdunits module
  • nextcloud: update to v23.0.3 [1] [2]
  • nextcloud: run nextcloud PHP processes under a dedicated nextcloud user, if an older installation owned by www-data is found, it will be migrated to the new user automatically
  • openldap: update LDAP Account Manager to v7.9
  • rocketchat: update to v3.18.4
  • apache/fail2ban/nextcloud: remove obsolete workaround for nextcloud desktop client issue
  • xsrv: store group_vars files under group_vars/$group_name/ (allows multiple vars files per group). If a group_vars/$group_name.yml file is found, it will be moved to the subdirectory automatically.
  • xsrv: update ansible to v5.5.0
  • cleanup: make netdata assembled configuration more readable (add blank line delimiters)
  • cleanup: standardize file names
  • all roles: check that variables are correctly defined before running roles
  • tests: ansible-lint: ignore fqcn-builtins,truthy,braces,line-length rules
  • tests: remove broken jinja2 syntax test
  • tests: remove obsolete ansible-playbook --syntax-check and yamllint tests, replaced by ansible-lint
  • tests: automate tests for init-vm, xsrv check, xsrv deploy
  • doc: update documentation, default playbook README, Gitlab CI example

Fixed:

  • all roles: ensure check mode doesn't fail when running it before first deployment
  • common: ssh/users: fix SFTP-only user accounts creation (set permissions after creating user accounts)
  • all roles: firewall: fix 'reload firewall/fail2ban/apache' handlers failures when called from other roles
  • openldap: fix ldap-account-manager installation on Debian 11 (php package name changes)
  • graylog: fix graylog service not starting/incorrect permissions on configuration files
  • graylog/mumble: monitoring/netdata: fix healthcheck/alarm not returning correct status when systemd services are in the failed state
  • netdata: fix location for needrestart module configuration file
  • netdata: fix/standardize indentation in configuration files produced by to_nice_yaml
  • homepage: fix homepage templating when the homepage role is not part of the same play as related roles
  • shaarli: explicitly use php 7.4 packages, fix possible installation problems on Debian 11
  • tests: fix and speed up ansible-lint tests, fix ansible-lint warnings

Full changes since v1.6.0

1.6.0

17 Mar 20:49

v1.6.0 - 2022-03-17

Upgrade procedure:

  • xsrv self-upgrade to upgrade the xsrv script
  • xsrv upgrade to upgrade roles in your playbook to the latest release

Added:

  • add rss_bridge role - the RSS feed for websites missing it
  • monitoring_utils: install debsums utility for the verification of installed packages against a known-good database (by default, run weekly)
  • common: cron: allow disabling cron setup (setup_cron: yes/no)
  • monitoring_netdata: allow configuring netdata notification downtime periods (start/end)
  • tests: automate basic testing of the xsrv command-line tool (xsrv init-project xsrv-test my.example.org)

Changed:

  • common: cron: include the FQDN in the subject when sending mail
  • common: cron: log beginning and end of cron jobs
  • all roles: replace netdata process checks/alarms with more accurate systemd unit checks, raise alarms/notifications when a service is in the failed state
  • cleanup: standardize task names
  • xsrv: init-project: allow adding a first host directly using xsrv init-project [project] [host]

Fixed:

  • fix check mode support for self-signed certificate generation tasks/netdata configuration
  • apt: fix automatic upgrades for packages installed from Debian Backports
  • xsrv: fix error on new project creation/init-playbook - missing playbook directory
  • xsrv: fix support for XSRV_PROJECTS_DIR environment variable

1.5.0

25 Feb 17:16

v1.5.0 - 2022-02-25

Upgrade procedure:

  • xsrv self-upgrade to upgrade the xsrv script
  • xsrv upgrade to upgrade roles in your playbook to the latest release
  • TAGS=utils-debian10to11 xsrv deploy to upgrade your host's distribution from Debian 10 "Buster" to Debian 11 "Bullseye". Debian 10 compatibility will not be maintained after this release.
  • common/firewall: remove firehol_* variables from your configuration. Roles from the xsrv collection will automatically insert their own rules, if firewalld is deployed. If you had custom firewall rules in place not related to xsrv roles, please port them to the new firewalld configuration.
  • common/hosts: if the hosts: variable (hosts file entries) is used in your host/group_vars, rename it to host_file_entries. If setup_hosts is used in your host/group_vars, rename it to setup_hosts_file.
  • mariadb: if you had the nodiscc.xsrv.mariadb role enabled, migrate to PostgreSQL, or use the archived nodiscc.toolbox.mariadb role.
  • gitea/nextcloud/tt_rss: if any of these roles is listed in your playbook, ensure nodiscc.xsrv.postgresql is explicitly deployed before it.
  • jellyfin/proxmox/docker: remove jellyfin_auto_upgrade, proxmox_auto_upgrade or docker_auto_upgrade variables from your configuration, if you changed the defaults. These settings are now controlled by the apt_unattended_upgrades_origins_patterns list, automatic upgrades are enabled by default for these components.
  • jellyfin/samba: if you have both the samba and jellyfin roles enabled on a host, and want to keep using the jellyfin samba share for media storage, explicitly set jellyfin_samba_share: yes in the host's configuration variables.
  • monitoring: remove setup_monitoring_cli_utils: yes/no and setup_rsyslog: yes/no variables from your configuration, if you changed the defaults. If you don't want monitoring utilities or rsyslog set up, enable individual monitoring_netdata/rsyslog/utils roles, instead of the global monitoring role.
  • (optional) xsrv check to simulate changes.
  • xsrv deploy to apply changes.

Added:

  • add dnsmasq lightweight DNS server role
  • common: add firewalld firewall management tool
  • common: apt: allow configuration of allowed origins for unattended-upgrades
  • common: packages: add at task scheduler
  • monitoring: netdata: allow disabling specific plugins (netdata_disabled_plugins), disable ebpf plugin by default
  • monitoring: lynis: enable lynis installation and daily reports by default
  • common: ssh: fix lynis warning FILE-7524 (ensure /root/.ssh is mode 0700)
  • common: mail/msmtp: allow disabling SMTP authentication/LOGIN (msmtp_auth_enabled), allow disabling SMTP server TLS certificate verification completely (msmtp_tls_certcheck: yes/no)
  • common: mail/msmtp: allow disabling TLS (msmtp_tls_enabled)
  • monitoring: netdata: automate testing netdata mail notifications (TAGS=utils-netdata-test-notifications xsrv deploy)
  • monitoring: netdata: monitor systemd units state (timers/services/sockets)
  • docker: add a nightly cleanup of unused docker images/containers/networks/build cache, allow disabling it through docker_prune_nightly: no
  • xsrv: add xsrv help-tags subcommand (show the list of ansible tags in the play and their descriptions)
  • install ansible local fact files for each deployed role/component

Removed:

  • common: remove firehol firewall management tool, remove firehol_* configuration variables
  • common: firewall: remove ability to filter outgoing traffic, will be re-added later
  • drop compatibility with Debian 9
  • monitoring: remove setup_monitoring_cli_utils: yes/no and setup_rsyslog: yes/no variables
  • common: fail2ban: remove fail2ban_destemail variable, always send mail to root
  • mariadb: remove role, archive it to separate repository
  • remove ansible tags certificates lamp valheim valheim-server

Changed:

  • make all roles compatible with Debian 11
  • common/firewall/all roles: let roles manage their own firewall rules if the nodiscc.xsrv.firewalld role is deployed
  • all roles: refactor/performance: only flush handlers once, unless required otherwise, refactor service start/stop/enable/disable tasks
  • common: fail2ban: ban offenders on all ports
  • jellyfin: the jellyfin samba share automatic setup is now disabled by default (jellyfin_samba_share_enabled: no)
  • apache/tt_rss/shaarli/nextcloud: make roles compatible with Debian 11 (PHP 7.4)
  • jellyfin/proxmox/docker: remove jellyfin_auto_upgrade, proxmox_auto_upgrade, docker_auto_upgrade variables, add these origins to the default list of apt_unattended_upgrades_origins_patterns
  • monitoring: split role to smaller monitoring_rsyslog/monitoring_netdata/monitoring_utils roles, make the monitoring role an alias for these 3 roles
  • common: apt: explicitly install aptitude
  • common: apt: remove unused packages after automatic upgrades
  • common: apt: automatically remove unused dependency packages on every install/upgrade/remove operation
  • common: fail2ban: increase maximum IP/attempts count retention to 1 year
  • common: ssh: decrease SFTP logs verbosity to INFO by default
  • common/graylog: apt: enable automatic upgrades for graylog/mongodb/elasticsearch packages by default
  • gitea: upgrade to v1.16.0 [1], [2], [3], [4], [5]
  • xsrv: upgrade ansible to 5.2.0
  • gitea: cleanup/maintenance: update config file comments/ordering to reduce diff with upstream example file
  • apache: relax permissions on apache virtualhost config files (make them world-readable)
  • nextcloud: upgrade to 23.0.1 [1]
  • nextcloud: add Nextcloud Bookmarks to the default list of apps (default disabled)
  • xsrv/tools/doc: don't install python3-cryptography from pip, install from OS packages
  • gitea/nextcloud/tt_rss: remove hard dependency on postgresql role
  • openldap: remove hard dependency on common role
  • transmission: log/show diff on configuration file changes
  • netdata/docker: move netdata_min/max_running_docker_containers configuration variables to the docker role
  • netdata: no longer install python3-mysqldb/mysql support packages
  • mumble: force superuser password change task to never return "changed" (instead of always)
  • doc: update documentation, document all ansible tags, refactor command-line usage doc
  • refactoring: move fail2ban/samba/rsyslog/netdata/... tasks to separate task files inside each role
  • tags: add ssl tag to all ssl-related tasks, add rsnapshot-ssh-key tag to all ssh-key-related tasks
  • cleanup: remove unused tasks/improve deployment times

Fixed:

  • fix integration between roles when roles are part of different plays: use ansible local facts installed by other roles to detect installed components, instead of checking the list of roles in the current play
  • proxmox: fix missing ansible fact file template
  • proxmox: fix APT configuration on Debian 10/11
  • fix check mode compatibility issues, fix ansible-lint warnings
  • common: ssh: fix creation of SFTP-only accounts (bad ownership or modes for chroot directory)
  • common: ssh: fix root ssh logins when ssh_permit_root_login: without-password/prohibit-password/forced-commands-only
  • monitoring: netdata: fix chart values incorrectly increased by 1 in debsecan module
  • backup: fix mode/idempotence for /root/.ssh directory creation
  • graylog: fix configuration file templating always returning changed in check mode
  • default playbook/xsrv: fix invalid "%%ANSIBLE_HOST%%" value set by xsrv init-host
  • common: hosts: fix warning: Found variable using reserved name: hosts

1.4.0

17 Dec 14:11

v1.4.0 - 2021-12-17

Upgrade procedure:

  • xsrv self-upgrade to upgrade the xsrv script
  • xsrv upgrade to upgrade roles in your playbook to the latest release
  • xsrv deploy to apply changes
  • (optional) TAGS=debian10to11 xsrv deploy to upgrade your host's distribution from Debian 10 "Buster" to Debian 11 "Bullseye"
  • (optional) remove custom netdata_modtime_checks from your configuration, if any (the modtime module was removed, use the filecheck module instead)

Added:

  • add proxmox role (basic Proxmox VE hypervisor setup)
  • add valheim_server role (Valheim multiplayer game server)
  • gitea: make the number of issues per page configurable (gitea_issue_paging_num, increased to 20 by default)
  • shaarli: make hide_timestamp,header_link,debug,formatter settings configurable
  • monitoring: add lynis security audit tool (optional, default disabled), schedule a daily report
  • monitoring/postgresql: allow netdata to monitor postgresql server
  • docker: allow enabling unattended upgrades of docker engine packages (docker_auto_upgrade: yes/no)
  • common: apt: allow enabling contrib and non-free software sections (apt_enable_nonfree)
  • common, monitoring: make roles compatible with Debian 11 "Bullseye"
  • homepage: add link to graylog instance (when graylog role is enabled)
  • monitoring: allow configuration of syslog retention duration, default to 186 days instead of 7
  • monitoring: allow defining a number of maximum expected running docker containers (netdata_max_running_docker_containers)
  • monitoring: add logwatch log analyzer, disable scheduled execution
  • monitoring: install requirements for postgresql monitoring
  • postgresql: add ability to enable/disable the service and enforce started/stopped/enabled/disabled state
  • backup: make rsnapshot verbosity configurable
  • backup: download rsnapshot's/root SSH public key to the controller (public_keys/ directory)
  • common: allow configuring the list of users allowed to use crontab (linux_users_crontab_allow)
  • common: add a procedure for Debian 10 -> 11 upgrades
  • common: add ability to add/remove entries from the hosts (/etc/hosts) file

Changed:

  • nextcloud: upgrade to 22.2.3
  • nextcloud: silence cron/background tasks output to prevent mail notification spam
  • nextcloud: allow installation of ONLYOFFICE realtime collaborative document edition tools
  • gitea: upgrade to 1.15.7
  • gitea: update fail2ban login failure detection for gitea v1.15+
  • common: sysctl: disable IP source routing for IPv6 (was already disabled for IPv4)
  • common: msmtp: check that configuration variables have correct values/types when msmtp_setup: yes
  • monitoring: increase netdata charts retention duration to ~7 days
  • monitoring: allow disabling needrestart/logcount/debsecan modules installation
  • monitoring: decrease alarm sensitivity for logcount module (warning on 10 alarms/min, critical on 100 errors/min)
  • monitoring: disable lynis checks AUTH-9283 and FIRE-4512 by default (false positives)
  • monitoring: only enable "number of running docker container" checks when the nodiscc.xsrv.docker role is enabled
  • monitoring: update configuration for netdata > 1.30
  • backup, monitoring: replace custom modtime module with built-in netdata filecheck module
  • xsrv: rename top-level directory concept (playbook -> project)
  • xsrv: logs: don't ask for sudo password if syslog is readable without it
  • xsrv: switch to ansible "distribution" versioning, upgrade to 4.9.0 (ansible-core 2.11.6), update playbook for compatibility
  • xsrv: store virtualenv inside the project directory, improve startup time
  • homepage: update theme (use light theme), use web safe fonts
  • apache: make role compatible with Debian 11 "Bullseye"
  • backup: make dependency on monitoring role optional
  • backup: ensure only root can read the rsnapshot configuration file
  • backup: re-schedule monthly backups at 04:01 on the first day of the month
  • all roles/monitoring: apply role-specific netdata/rsyslog configuration immediately after installing it
  • default playbook: .gitignore data/ and cache/ directories
  • doc: update/refactor documentation and roles metadata
  • tools: improve automatic doc generation
  • refactor: refactor integration between roles (use ansible_local facts, fix integration when roles are not part of the same play)

Removed:

  • nextcloud: disable deck app by default

Fixed:

  • homepage: really update page title from homepage_title variable
  • jellyfin: use samba_shares_path variable to determine samba shares path
  • nextcloud: fix upgrade procedure order (upgrade incompatible apps)
  • nextcloud: fix check mode on upgrades
  • graylog: respect elasticsearch_timeout_start_sec value
  • monitoring: netdata: enable gzip compression on web server responses, fix empty dashboard
  • monitoring: fix netdata modtime module installation, remove obsolete tasks file
  • monitoring: rsyslog: ensure that requirements for self-signed certificates generation are installed
  • monitoring: ensure requirements for self-signed certificate generation are installed
  • monitoring: also allow access to netdata.conf from netdata_allow_connections_from addresses
  • monitoring: fix APT package manager logs aggregation to syslog
  • tt_rss: fix permission denied errors when updating feeds
  • homepage: fix grid responsiveness on mobile devices
  • transmission: don't attempt to reload the service when it is disabled in host configuration
  • don't ignore expected errors when not running in check mode

Security:

  • nextcloud: fail2ban: fix log file location/login failures not detected by fail2ban
  • common: automatically apply security updates for packages installed from Debian Backports

1.3.1

24 Jun 19:10

v1.3.1 - 2021-06-24

Upgrade procedure:

  • xsrv upgrade to upgrade roles in your playbook to the latest release
  • xsrv deploy to apply changes

Fixed:

  • common: msmtp: fix msmtp unable to read /etc/aliases (/etc/aliases: line 1: invalid address)
  • common: msmtp: fix unreadable /etc/msmtprc configuration for unprivileged users
  • nextcloud/apache/php: fix path to PHP APCU configuration file (really fix cannot allocate memory errors on nextcloud upgrades)
  • tt_rss: fix/automate initial database population and schema upgrades, update documentation

Added:

  • common: msmtp: allow disabling STARTTLS (msmtp_starttls: yes/no)
  • backup: rsnapshot: don't update timestamp file after weekly/monthly backups (monitoring only measures time since the last successful daily backup)

Changed:

  • nextcloud: upgrade to 20.0.10
  • update documentation (virt-manager/add basic VM provisioning procedure)

1.3.0

08 Jun 18:43

v1.3.0 - 2021-06-08

Upgrade procedure:

  • xsrv self-upgrade to upgrade the xsrv script to the latest release
  • xsrv upgrade to upgrade roles in your playbook to the latest release
  • if you had defined custom netdata_http_checks, port them to the new netdata_http_checks/netdata_x509_checks syntax
  • (optional/cleanup) xsrv edit-vault: remove all vault_ prefixes from encrypted host variables; xsrv edit-host: remove all variables that are just variable_name: {{ vault_variable_name }} references
  • (optional/cleanup) remove previous hardcoded/default netdata_modtime_checks and netdata_process_checks from your host variables
  • (optional) xsrv check to simulate and review changes
  • xsrv deploy to apply changes

Removed:

  • default playbook: remove hardcoded netdata_modtime_checks and netdata_process_checks (roles will automatically configure relevant checks)
  • default playbook/all roles: remove variable_name: {{ vault_variable_name }} indirections/references
  • monitoring/netdata: remove ability to configure netdata modules git clone URLs (netdata_*_git_url variables), always clone from upstream
  • monitoring/netdata: remove support for check_x509 parameter in netdata_httpchecks
  • monitoring/rsyslog: remove hardcoded, service-specific configuration

Added:

  • add graylog log analyzer role
  • add gotty role
  • monitoring/rsyslog: add ability to forward logs to a remote syslog/graylog server over TCP/SSL/TLS (add rsyslog_enable_forwarding, rsyslog_forward_to_hostname and rsyslog_forward_to_port variables)
  • jellyfin/common/apt: add automatic upgrades for jellyfin, enable by default
  • monitoring: support all httpcheck parameters in netdata_http_checks
  • monitoring/netdata: add netdata_x509_checks (list of x509 certificate checks, supports all x509check parameters)
  • rocketchat: allow disabling rocketchat/mongodb services (rocketchat_enable_service: yes/no)
  • xsrv: add xsrv edit-group subcommand (edit group variables - default group: all)
  • xsrv: add xsrv ls subcommand (list files in the playbooks directory - accepts a path)
  • xsrv: add syntax highlighting to default text editor/pager (nano - requires manual installation of yaml syntax highlighting file), improve display
  • homepage: add favicon
  • common: msmtp: make outgoing mail port configurable (msmtp_port, default 587)

Changed:

  • gitea: enable API by default (gitea_enable_api)
  • gitea: upgrade gitea to 1.14.2
  • openldap: upgrade ldap-account-manager to 7.5
  • nextcloud: upgrade nextcloud to 21.0.2
  • rocketchat: update rocket.chat to 3.15.0
  • homepage: switch to a responsive grid layout
  • monitoring: decrease logcount warning alarm sensitivity, warn when error rate >= 10/min
  • monitoring/all roles: let roles install their own syslog aggregation settings, if the nodiscc.xsrv.monitoring role is enabled.
  • monitoring/needrestart: by default, automatically restart services that require it after a security update (needrestart_autorestart_services: yes)
  • monitoring/netdata/default playbook: let roles install their own HTTP/x509/modtime/port checks under /etc/netdata/{python,go}.d/$module_name.conf.d/*.conf, if the nodiscc.xsrv.monitoring role is enabled
  • apache/common/mail: forward all local mail from www-data to root - allows root to receive webserver cron jobs output
  • apache/monitoring: disable aggregation of access logs to syslog by default, add variable allowing to enable it (apache_access_log_to_syslog)
  • common: cron: ensure only root can access cron job files and directories (CIS 5.1.2 - 5.1.7)
  • common: ssh: lower maximum concurrent unauthenticated connections to 60
  • common/mail: don't overwrite /etc/aliases, ensure root mail is forwarded to the configured user (set to ansible_user by default)
  • docker: speed up role execution - don't force APT cache update when not necessary
  • transmission: disable automatic backups of the downloads directory by default, add transmission_backup_downloads: yes/no variable allowing to enable it
  • rocketchat/monitoring: disable HTTP check when rocketchat service is explicitly disabled in the configuration
  • mumble/checks: ensure that mumble_welcome_text is set
  • transmission/jellyfin: allow jellyfin to read/write transmission downloads directory
  • tools: add Pull Request template, speed up Gitlab CI test suite (prebuild an image with required tools)
  • update ansible tags
  • update roles metadata, remove coupling/dependencies between roles unless strictly required, make nodiscc.xsrv.common role mostly optional
  • xsrv: cleanup/reorder/DRY/refactoring, make self-upgrade safer
  • doc: update documentation/formatting, fix manual backup command, fix ssh-copy-id instructions

Fixed:

  • jellyfin: fix automatic samba share creation
  • common: fix linux_users creation when no authorized_ssh_keys/sudo_nopasswd_commands are defined
  • common: users: allow creation of linux_users without a password (login to these user accounts will be denied, SSH login with authorized keys are still possible if the user is in the ssh group)
  • samba: fix error on LDAP domain creation
  • nextcloud: fix condition for dependency on postgresql role
  • nextcloud: fix allowed memory size exhausted during nextcloud upgrades
  • openldap: fix condition for dependency on apache role
  • rsyslog: fix automatic aggregation of fail2ban logs to syslog
  • rocketchat: fix automatic backups when the service is disabled
  • samba/rsnapshot/gitea: fix roles when running in 'check' mode, fix idempotence
  • tools: fix release procedure/ansible-galaxy collection publication
  • xsrv: fix wrong inventory formatting after running xsrv init-host
  • remove unused/duplicate/leftover task files
  • fix typos

Security:

  • common: fail2ban: fix bantime for ssh jail (~49 days)

1.2.2

01 Apr 16:43

v1.2.2 - 2021-04-01

Upgrade procedure: xsrv upgrade to upgrade roles in your playbook to the latest release

Fixed:

  • samba: fix nscd default log level, update samba default log level