[mirror] Install and manage self-hosted services/applications, on your own server(s) - ansible collection and utilities
Upgrade procedure:
- `xsrv self-upgrade` to upgrade the xsrv script
- `xsrv upgrade` to upgrade roles/ansible environments to the latest release
- `netdata_log_to_syslog`, `netdata_disable_debug_log`, `netdata_disable_error_log`, `netdata_disable_access_log` variables are no longer used and can be removed from your configuration, if you changed them from the defaults (`xsrv edit-host/edit-group`)
- if `rsyslog_enable_forwarding` is set to `yes` in your host/group variables (`xsrv edit-host/edit-group`), set `rsyslog_forward_to_inventory_hostname` to the inventory hostname of the syslog/graylog server receiving the logs
- in graylog Inputs, edit all syslog/TLS inputs to use the new paths for TLS cert file: `/etc/ssl/syslog/ca.crt`, TLS private key: `/etc/ssl/syslog/ca.key`, TLS client auth trusted certs: `/etc/ssl/syslog/ca.crt`. You may also delete `data/certificates/*-graylog-ca.crt` files in your project directory since they are no longer used.
- `xsrv deploy` to apply changes

Added:
- `scan` command (scan a project directory for cleartext secrets/passwords using trivy)
- `show-groups` command (list all groups a host is a member of)
- rsyslog: receive logs on 514/tcp (`rsyslog_enable_receive: no/yes`)

Removed:
- `netdata_log_to_syslog`, `netdata_disable_debug_log`, `netdata_disable_error_log`, `netdata_disable_access_log`

Changed:
- (`gitea_act_runner_daily_podman_prune: no/yes`)
- (when `netdata_streaming_send_enabled` is enabled)
- shaarli `stack` template (`shaarli_stack_default_ui: small/medium/large`), change the default to medium
- `rsyslog_forward_to_inventory_hostname` is now required on rsyslog clients
- `apt_enable_nonfree: yes` [1]
- use `community.crypto.x509_certificate` instead of deprecated `openssl_certificate` modules

Fixed:
- `rsyslog` ansible tag

Upgrade procedure:
- `xsrv self-upgrade` to upgrade the xsrv script
- `xsrv upgrade` to upgrade roles/ansible environments to the latest release
- `xsrv deploy` to apply changes

Added:
- `nmap` command and role - run nmap network scanner against hosts from the inventory

Changed:
Upgrade procedure:
- `xsrv self-upgrade` to upgrade the xsrv script
- `xsrv upgrade` to upgrade roles/ansible environments to the latest release
- if you use the `graylog` role, add the `mongodb_admin_password` and `graylog_mongodb_password` variables to your host variables (`xsrv edit-vault`) and set their values to strong random passwords
- if ansible warns `collections_paths option does not fit var naming standard`, rename `collections_paths` to `collections_path` in `ansible.cfg` (`xsrv edit-cfg`)
- `xsrv deploy` to apply changes

Added:
- `owncast` role (live video streaming and chat server)
- graylog/mongodb password variables (`mongodb_admin_password`, `graylog_mongodb_password`)
- (`TAGS=utils-jitsi-listusers xsrv deploy`)
- (`gitea_act_runner_capacity: 1`)
- (when the `monitoring_rsyslog` role is deployed)
- (`wireguard_firewalld_services`)

Removed:

Changed:
- `node:21-bookworm` when `uses: ubuntu-latest` is specified in the CI configuration file, add equivalent `debian-latest` label
- `changed` for wireguard client configuration file generation tasks
- `changed` status of `set permissions on tt-rss files` task

Fixed:
- `goaccess_username/password/fqdn` variables not being added to the correct file (username/password belong to encrypted variables)
- `MongoDB instance allows any user to access databases`
- `git` was not previously installed
- `Unsupported parameters for (postgresql_query) module: as_single_query, path_to_script.`
- `unzip` package is not installed
- `Nextcloud is not installed - only a limited number of commands are available`
- `'graylog_mongodb_apt_repo_distribution' is undefined` when running the `mongodb` tag alone

Upgrade procedure:
- `xsrv upgrade` to upgrade roles/ansible environments to the latest release
- `xsrv deploy` to apply changes

Added:
- dnsmasq blocklist (`dnsmasq_blocklist_url`, `dnsmasq_blocklist_mode`, `dnsmasq_blocklist_whitelist`)
- `shaarli_theme` configuration variable
- (`dnsmasq_log_queries: no/yes`)
- (`nextcloud_smtp_*`)
- (`TAGS=utils-shutdown,utils-reboot`)
- (`debsecan_whitelist`)
- (`goaccess_geoip_db_version`)
- (`shaarli_allowed_hosts`, `matrix_synapse/element_admin_allowed_hosts`, `goaccess_allowed_hosts`, `ldap_account_manager/self_service_password_allowed_hosts`, `nextcloud_allowed_hosts`, `transmission_allowed_hosts`, `tt_rss_allowed_hosts`, `jitsi_allowed_hosts`, `homepage_allowed_hosts`, `graylog_allowed_hosts`, `gotty_allowed_hosts`, `gitea_allowed_hosts`)
- `jellyfin_allowed_hosts` list
- `fs.protected_fifos/hardlinks/regular/symlinks`
- `podman-docker` wrapper (execute `docker` commands through podman)

Removed:
- `netdata_monitor_systemd_units` variable (always enable monitoring of system unit states)

Changed:
- (`--nameservers`) by default instead of Cloudflare public DNS
- when `*_enable_service: no`, disable HTTP checks entirely for this service (instead of accepting HTTP 503)
- (`debsecan_enable_reports: yes/no`)
- `systemd-analyze security` exposure score down from `9.2 UNSAFE` to `5.7 MEDIUM`
- `check_mode: no` to tasks that do not change anything

Fixed:
- `copy php-fpm configuration` when deploying the `apache` tag in isolation
- `Restart server` function only terminating the server process without restarting
- `potentially insufficient UIDs or GIDs available in user namespace` error when using podman backend
- make `remove shaarli zip extraction directory` task idempotent

Upgrade procedure:
- `xsrv upgrade` to upgrade roles/ansible environments to the latest release
- rename `gitea_act_runner_gitea_instance_url` to `gitea_act_runner_gitea_instance_fqdn`
- add `data/duc-*.db` to your `.gitignore` before using the `utils-duc` tag.
- add `data/firewalld-info-*.log` to your `.gitignore` before using the `utils-firewalld-info` tag.
- `xsrv deploy` to apply changes

Added:
- (`gitea_act_runner_labels`)
- (`TAGS=utils-duc xsrv deploy default my.CHANGEME.org`)
- `rsnapshot_retain_daily/weekly/monthly` to `0`
- `rsnapshot_enable_cron: yes/no`
- `rsnapshot_create_root: yes/no`
- (`TAGS=utils-firewalld-info xsrv deploy`)
- `data/certificates/` under the project directory

Removed:
- `netdata_self_monitoring_enabled` (use `netdata_disabled_plugins: ['netdata monitoring']` instead)
- `logwatch` from the list of default installed packages

Changed:
- `netdata_dbengine_disk_space`
- `.runner` file is absent
- rename `gitea_act_runner_gitea_instance_url` to `gitea_act_runner_gitea_instance_fqdn`
- (`systemd_logind_lock_after_idle_min: 0`)
- `jitsi/goaccess_https_mode: selfsigned`

Fixed:
- (`netdata_api_key` -> `netdata_streaming_api_key`)
- (`podman` must be deployed before `gitea_act_runner`)

Upgrade procedure:
- if you use the `docker` role, update `requirements.yml` (`xsrv edit-requirements`) and `playbook.yml` (`xsrv edit-playbook`) to use the archived `nodiscc.toolbox.docker` role instead. `nodiscc.xsrv.podman` is now the recommended role for container management.
- `xsrv upgrade` to upgrade roles/ansible environments to the latest release
- `xsrv deploy` to apply changes

Note: the collection will no longer be updated on https://galaxy.ansible.com/ui/repo/published/nodiscc/xsrv/ until https://github.com/ansible/galaxy/issues/2438 is fixed, please use the git repository URL in your `requirements.yml`, as documented in https://xsrv.readthedocs.io/en/latest/usage.html#use-as-ansible-collection.

Added:
- `gitea_act_runner` role (Gitea Actions CI/CD runner)
- `podman` role (OCI container engine and management tools, replacement for `docker`)
- (`gitea_enable_actions: no/yes`)
- run `unattended-upgrade` or `apt upgrade` immediately (`TAGS=utils-apt-unattended-upgrade,utils-apt-upgrade`)
- (`matrix_synapse_ldap_*`)
- (`netdata_logs_to_syslog: no/yes`)
- (`TAGS=utils-docker-uninstall`)
- (`nextcloud_filesystem_check_changes: no/yes`)

Removed:
- `mod-evasive` anti-DDoS module

Changed:
- replace `ntpd` time synchronization service by `systemd-timesyncd`
- (`ssh_accept_locale_env: no/yes`)
- (`graylog_enable_service: yes/no`)

Fixed:
- (`org.jivesoftware.smack.sasl.SASLErrorException: SASLError using SCRAM-SHA-1: not-authorized`) - force updating jvb prosody password

Upgrade procedure:
- `xsrv upgrade` to upgrade roles/ansible environments to the latest release
- rename `syslog_retention_days` to `rsyslog_retention_days` in your hosts/groups configuration (`xsrv edit-host/edit-group`)
- `xsrv check` to simulate changes.
- `xsrv deploy` to apply changes
- `TAGS=debian11to12 xsrv deploy && xsrv deploy` to upgrade hosts still on Debian 11 "Bullseye" to Debian 12 "Bookworm" [1]. Debian 11 will no longer be supported after this release.

Added:
- `monitoring_goaccess` role - real-time web log analyzer/interactive viewer
- (`netdata_streaming_receive_alarms: yes/no`)
- (`netdata_enable_health_notifications: yes/no`)
- (`apache_letsencrypt_enable_hsts: no/yes`)
- `netdata_logcount_update_interval` to 0
- `jellyfin` group (may read/write files inside the media directory), add the ansible user to this group by default (`jellyfin_users`)
- `debian-transmission` group (may read/write files inside the downloads directory), add the ansible user to this group by default (`transmission_users`)

Removed:
- `tt_rss-app`, `tt_rss-permissions`, `tt_rss-postgresql`

Changed:
- `http://` to `https://` for all applications/sites using Let's Encrypt (`*_certificate_mode: letsencrypt`) certificates
- `localhost:` prefix (for example `http://127.0.0.1/server-status` requests from netdata)
- `default:` prefix (for example bad bots and scanners accessing the server by IP address)
- `403 Forbidden` response to requests for the default virtualhost (except those from localhost)
- `fail2ban_default_maxretry` (default 3), `fail2ban_default_findtime` (10min) and `fail2ban_default_bantime` (1 year) for all jails
- `DROP` firewall rule instead of `REJECT` (drop connections from banned IPs instead of replying with TCP reset)
- `pam-generic` jail by default as no service uses it
- `ServerAdmin` directive from all virtualhost configuration files (this information is not used, displaying admin email in error messages is disabled)
- rename `syslog_retention_days` to `rsyslog_retention_days`
- `jail.conf`, in `jail.d/*conf`
- `--os` option to `virt-install`

Fixed:
- `mod_md` certificates automatically every minute
- `access.log`/`other_vhosts_access.log`, only log to `access.log`
- (`*_enable_service: no`)
- `Hash is full, cannot add more elements` error when a fail2ban jail has more than 65536 banned IPs
- `Found a match but no valid date/time` warning when a login failure is detected

Upgrade procedure:
- `xsrv upgrade` to upgrade roles/ansible environments to the latest release
- `xsrv check` to simulate changes.
- `xsrv deploy && TAGS=debian11to12 xsrv deploy` to upgrade your hosts from Debian 11 "Bullseye" to Debian 12 "Bookworm" [1]
- `xsrv deploy` to apply changes

You must upgrade to this release and deploy it before deploying future versions (old migrations will be removed after this release.)

Added:
- (`homepage_custom_links.*.compact: yes/no`)

Removed:

Changed:
- (`libvirt_users`)
- `qemu:///system` connection URI by default (can manage libvirt VMs without sudo/without specifying `--connect qemu:///system`)
- `ansible_local.ssh.ansible_managed` local fact which can be used to detect whether SSH server is managed by xsrv

Fixed:
- `Oops, something unexpected happened` error on alerts tab
- `'dict object' has no attribute 'distribution_release'` after successful upgrade
- `fail2ban.configreader: WARNING 'allowipv6' not defined in 'Definition'` in lynis reports
- `pgrep: pattern that searches for process name longer than 15 characters will result in zero matches` message in reports (disable detection/suggestion of commercial/closed-source antivirus software)
- `verify gitea GPG signatures` failing on hosts where gnupg is not installed
- `common` role is not deployed (`Group ssh-access does not exist`)
- `gitea` on dovecot backup configuration tasks

Upgrade procedure:
- `xsrv self-upgrade` to upgrade the xsrv script
- `xsrv upgrade` to upgrade roles/ansible environments to the latest release
- if you have `linux_users` defined with `ssh` as one of their `groups:`, change the group name from `ssh` to `ssh-access`, for example:

# xsrv edit-host
# host_vars/my.example.org/my.example.org.yml
linux_users:
- name: "rsnapshot"
- groups: [ "ssh", "sudo", "postgres", "nextcloud", "steam" ]
+ groups: [ "ssh-access", "sudo", "postgres", "nextcloud", "steam" ]
comment: "limited user account for remote backups"
ssh_authorized_keys: ['data/public_keys/[email protected]']
sudo_nopasswd_commands: ['/usr/bin/rsync', '/usr/bin/psql', '/usr/bin/pg_dump', '/usr/bin/pg_dumpall' ]
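Review bot: the unchanged `sudo_nopasswd_commands` line in this example grants the `rsnapshot` account passwordless sudo for `/usr/bin/rsync` and `/usr/bin/psql` with no argument restriction, which contradicts the `limited user account for remote backups` comment on the line above it: rsync running with root privileges can overwrite arbitrary files (an `authorized_keys` file or a `/etc/sudoers.d/` drop-in, for instance) and `psql` has a `\!` shell escape, so compromise of this backup key is a root compromise of the host. Since the hunk only renames the `ssh` group to `ssh-access`, consider either stating that the sudo list is illustrative, or restricting it in the example (e.g. `pg_dump`/`pg_dumpall` only, with rsync limited through a forced command such as `rrsync`) so the snippet does not teach an over-privileged pattern.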
- `xsrv check` to simulate changes.
- `xsrv deploy` to apply changes
- `xsrv deploy && TAGS=debian11to12 xsrv deploy` to upgrade your host's distribution from Debian 11 "Bullseye" to Debian 12 "Bookworm" [1].
  - on hosts still running Debian 11, set `nextcloud_version: 25.0.9` manually in your host configuration (`xsrv edit-host/edit-group`), as Nextcloud 26 requires PHP 8 which is only available in Debian 12. Don't forget to remove this override after upgrading to Debian 12.
  - do not upgrade hosts where the `graylog` role is deployed to Debian 12, as it is not compatible with Debian 12 yet.
  - The Debian 11 -> 12 upgrade procedure was only tested for hosts managed by xsrv roles. If you have custom/third-party software installed, you should read Debian 12's release notes and/or execute the upgrade procedure manually. It is always advisable to do a full backup/snapshot before performing a distribution upgrade.

Added:
- (`TAGS=utils-debian11to12 xsrv deploy`)
- (`TAGS=utils-fail2ban-get-banned xsrv deploy`)
- (`TAGS=utils-backup-now xsrv deploy`)
- (`graylog_root_timezone`)

Changed:
- roles (except `graylog`) compatible with Debian 12 "Bookworm"
- `init-vm-template`: use Debian 12 "Bookworm" as the base OS image [1]
- rename the `ssh` group to `ssh-access` (`ssh` is a reserved group name used for internal purposes)
- `firewallcmd-ipset` ban action when firewalld is enabled and managed by xsrv (`setup_firewall: yes`)
- `systemd-analyze security` exposure score down from `9.2 UNSAFE` to `7.6 EXPOSED`
- `init-vm`: check that the user-provided value for `--memory` has the `M` or `G` suffix.
- `.ssh,.git,.svn,.hg` directories
- `php-pgsql` package installation

Fixed:
- `immediate` and `permanent` during `configure firewalld zone sources` (default to `permanent: yes, immediate: no`)
- `python3-pip` required to install python-shaarli-client when `shaarli_setup_python_client: yes`
- (`--memory` must have the `M` or `G` suffix)
- `libvirt_vms` copy-pastable snippet

Upgrade procedure:
- `xsrv self-upgrade` to upgrade the xsrv script
- `xsrv upgrade` to upgrade roles/ansible environments to the latest release
- `xsrv deploy` to apply changes
- if you get `Failed to update apt cache: unknown reason`, this may be caused by the matrix/synapse APT repository signing key having expired. Deploying the `matrix` tag alone should solve this problem (`TAGS=matrix xsrv deploy`)
- to install bash completion for the `xsrv` script:

```bash
wget https://gitlab.com/nodiscc/xsrv/-/raw/release/xsrv-completion.sh
sudo cp xsrv-completion.sh /etc/bash_completion.d/
```

Added:
- (`jellyfin_setup_opensubtitles_plugin: no/yes`)
- (`homepage_custom_links`)
- (when the `nodiscc.xsrv.backup` role is deployed)
- (`nextcloud_apps`)
- `mumble://` server URIs/links for hosts where the `nodiscc.xsrv.mumble` role is deployed
- (when the `nodiscc.xsrv.homepage` role is deployed)
- (`readme_gen_gtk_bookmarks: yes/no`)
- `init-vm/init-vm-template`: validate that values of `--ip`/`--gateway` are valid IPv4 addresses

Removed:
- `ls` command (use bash completion instead, or manually `cd` to your project directory)

Changed:
- `Reboot of system is most likely needed` warning, let netdata/needrestart send notifications when a reboot is required
- `Found one or more vulnerable packages` warning, let debsecan handle reporting of vulnerable packages

Fixed:
- `Failed to update apt cache: unknown reason`/expired repository signing key
- `lxml` python module, required for `utils-libvirt-setmem` tasks
- `changed`
- `nodiscc.xsrv.apache` role (only run apache configuration tasks if the apache role is deployed). `nodiscc.xsrv.apache` is still required in the standard configuration to act as a reverse proxy for web applications. If not deployed, you will need to provide your own reverse proxy configuration.