Releases: nodiscc/xsrv

1.2.0

27 Mar 18:26

v1.2.0 - 2021-03-27

Upgrade procedure:

  • xsrv upgrade to upgrade roles in your playbook to the latest release (or xsrv upgrade PLAYBOOK_NAME if you have multiple playbooks)
  • xsrv self-upgrade to upgrade the xsrv script (optional)
  • xsrv deploy to apply changes

Added:

  • homepage: add configurable message/paragraph to homepage (homepage_message)
  • add ability to configure multiple aliases/valid domain names for the homepage virtualhost (homepage_vhost_aliases: [])
  • nextcloud: improve performance (auto-add missing primary keys/indices in database, convert columns to bigint)

Removed:

  • openldap: remove self_service_password_keyphrase variable (unused, tokens/SMS/question based password resets are disabled)
  • common: ssh: cleanup/remove unused MatchGroup rsyncasroot directive

Changed:

  • common: sysctl: enable logging of martian packets
  • common: sysctl: ensure sysctl settings also apply to all network interfaces added in the future
  • common: ssh: set loglevel to VERBOSE by default
  • samba: increase log level, enable detailed authentication success/failure logs, clarify log prefix
  • update documentation

Fixed:

  • rocketchat: fix role idempotence (ownership of data directories)

Security:

  • rocketchat: fix port 3001 exposed on 0.0.0.0 instead of localhost-only/firewall bypass
  • gitea: update to v1.13.6

1.1.0

14 Mar 13:33

v1.1.0 - 2021-03-14

Upgrade procedure:

  • Upgrading the xsrv script: git clone https://gitlab.com/nodiscc/xsrv && sudo cp xsrv/xsrv /usr/local/bin/xsrv (or wherever you installed the xsrv script). In future releases, xsrv self-upgrade will handle upgrades of the script.
  • Upgrading roles: xsrv upgrade

Added:

  • xsrv: add self-upgrade command
  • monitoring: add netdata-debsecan module
  • common: ensure NTP service is started
  • common: make timezone configurable (default to not touching the timezone)
  • openldap: add Self Service Password password reset tool (fixes #401)
    • requires manual configuration of self_service_password_fqdn and vault_self_service_password_keyphrase
    • auto-configure apache and self-signed or letsencrypt certificates + php-fpm.
    • by default only allow access from LAN/private addresses in self_service_password_allowed_hosts
    • when samba role is enabled, use the LDAP admin DN to access the directory (required to be able to change sambaNtPassword attribute)
    • make various settings configurable, add correctness checks for all variables
  • openldap: make log level configurable
  • homepage: add jellyfin/self-service-password links (when relevant roles/variables are enabled)
  • jellyfin: add LDAP authentication documentation
  • jellyfin: add fail2ban configuration/bruteforce prevention on jellyfin login attempts
  • jellyfin/backup: add automatic backups (only backup db/metadata/configuration by default, allow enabling media directory backups with jellyfin_enable_media_backups)
  • jellyfin: create subdirectories for each library type under the default media directory/jellyfin samba share
  • samba/backup: allow disabling automatic backups of samba shares (samba_enable_backups)
  • shaarli/monitoring: aggregate data/log.txt to syslog using the imfile module

Changed:

Fixed:

  • xsrv: fix show-defaults command (by default display all role defaults for the default playbook)
  • homepage: fix mumble and ldap-account-manager links
  • samba: fix duplicate execution of the openldap role when samba uses LDAP passdb backend
  • rocketchat: fix variable checks not being run before applying the role
  • rocketchat: fix permissions/ownership of mongodb/rocketchat data directories
  • tt_rss: fix error 'Please set SELF_URL_PATH to the correct value detected for your server'
  • samba/jellyfin: fix automatic jellyfin samba share creation, fix permissions on jellyfin samba share
  • monitoring: fix ansible --check mode when netdata is not installed yet
  • shaarli: set apache directoryindex to index.php, prevent error messages in logs at every page access

Tools/maintenance:

  • Makefile: add a make changelog target (print commits since last tag)
  • Makefile: automate release procedure (make release)
  • tt-rss: cleanup/grouping
  • roles/*/defaults/main.yml: add header for all defaults files
  • upgrade ansible to 2.10.7 - https://pypi.org/project/ansible/#history
  • move TODOs to issues

1.0.0

13 Feb 12:03

Initial stable release. See the CHANGELOG