Xsrv Versions

[mirror] Install and manage self-hosted services/applications, on your own server(s) - ansible collection and utilities

1.23.0

v1.23.0 - 2024-04-09

Upgrade procedure:

  • xsrv self-upgrade to upgrade the xsrv script
  • xsrv upgrade to upgrade roles/ansible environments to the latest release
  • monitoring_netdata: netdata_log_to_syslog, netdata_disable_debug_log, netdata_disable_error_log, netdata_disable_access_log variables are no longer used and can be removed from your configuration, if you changed them from the defaults (xsrv edit-host/edit-group)
  • monitoring_rsyslog: if rsyslog_enable_forwarding is set to yes in your host/group variables (xsrv edit-host/edit-group), set rsyslog_forward_to_inventory_hostname to the inventory hostname of the syslog/graylog server receiving the logs
  • graylog: under Inputs, edit all syslog/TLS inputs to use the new paths for TLS cert file: /etc/ssl/syslog/ca.crt, TLS private key: /etc/ssl/syslog/ca.key, TLS client auth trusted certs: /etc/ssl/syslog/ca.crt. You may also delete data/certificates/*-graylog-ca.crt files in your project directory since they are no longer used.
  • xsrv deploy to apply changes

Added:

  • xsrv: add scan command (scan a project directory for cleartext secrets/passwords using trivy)
  • xsrv: add show-groups command (list all groups a host is a member of)
  • monitoring_rsyslog: allow receiving logs from syslog clients over the network on port 514/tcp (rsyslog_enable_receive: no/yes)

Removed:

  • monitoring_netdata: remove configuration variables netdata_log_to_syslog, netdata_disable_debug_log, netdata_disable_error_log, netdata_disable_access_log

Changed:

  • gitea_act_runner: disable automatic nightly prune of podman images/containers by default (gitea_act_runner_daily_podman_prune: no/yes)
  • monitoring_netdata: send all logs to systemd-journald, except access log
  • monitoring_netdata: disable machine learning/anomaly detection functionality when streaming to a parent node (when netdata_streaming_send_enabled is enabled)
  • shaarli: allow setting the default view mode when using the stack template (shaarli_stack_default_ui: small/medium/large), change the default to medium
  • monitoring_rsyslog/graylog: setup mutual TLS authentication between syslog clients and server, sign server and client certificates with server CA certificate - rsyslog_forward_to_inventory_hostname is now required on rsyslog clients
  • common: apt: enable non-free-firmware section when apt_enable_nonfree: yes [1]
  • gitea: update to v1.21.7 [1] [2]
  • nextcloud: upgrade to v28.0.3 [1] [2]
  • shaarli: update stack template to v0.7 [1] [2]
  • matrix: update synapse-admin to v0.9.1
  • matrix: update element-web to v1.11.59 [1] [2]
  • xsrv: update ansible to v9.3.0
  • cleanup: standardize task names, remove files from old versions of the roles, use community.crypto.x509_certificate instead of deprecated openssl_certificate modules
  • update documentation, add Gitea/Github Actions example for secret scanning, add graylog backup restoration procedure
  • improve automatic tests

Fixed:

  • monitoring_netdata/rsyslog: fix netdata logs no longer being appended to syslog
  • shaarli: fix stack theme favicon not being displayed
  • postgresql: fix role execution when called with rsyslog ansible tag

Full changes since v1.22.0

1.22.0

v1.22.0 - 2024-02-03

Upgrade procedure:

  • xsrv self-upgrade to upgrade the xsrv script
  • xsrv upgrade to upgrade roles/ansible environments to the latest release
  • xsrv deploy to apply changes

Added:

  • add nmap command and role - run nmap network scanner against hosts from the inventory

Changed:

  • graylog: support initial deployment of the role with graylog/mongodb/elasticsearch disabled
  • gitea: update to v1.21.5 [1] [2]
  • nextcloud: upgrade to v28.0.2 [1] [2]
  • matrix: update element-web to v1.11.57 [1] [2]
  • xsrv: update ansible to v9.2.0
  • update documentation

Full changes since v1.21.0

1.21.0

v1.21.0 - 2024-01-17

Upgrade procedure:

  • xsrv self-upgrade to upgrade the xsrv script
  • xsrv upgrade to upgrade roles/ansible environments to the latest release
  • graylog: if you are using the graylog role, add the mongodb_admin_password and graylog_mongodb_password variables to your host variables (xsrv edit-vault) and set their values to strong random passwords
  • To get rid of the deprecation warning "collections_paths option does not fit var naming standard", rename collections_paths to collections_path in ansible.cfg (xsrv edit-cfg)
  • xsrv deploy to apply changes

Added:

  • add owncast role (live video streaming and chat server)
  • graylog/mongodb: require authentication to connect to mongodb (mongodb_admin_password, graylog_mongodb_password)
  • jitsi: add an automated procedure to get the list of jitsi (prosody) registered users (TAGS=utils-jitsi-listusers xsrv deploy)
  • gitea_act_runner: allow configuring how many tasks the runner can execute concurrently (gitea_act_runner_capacity: 1)
  • postgresql: aggregate postgresql logs to syslog (when the monitoring_rsyslog role is deployed)
  • wireguard/firewalld: allow configuring services to which wireguard clients can connect on the host (wireguard_firewalld_services)

Removed:

  • postgresql: drop compatibility with Debian <12

Changed:

  • python >=3.9 is now required on the controller (ansible 9.1.0)
  • cleanup: postgresql: standardize/simplify pgmetrics report generation
  • gitea_act_runner: update default image labels (use the node:21-bookworm when uses: ubuntu-latest is specified in the CI configuration file), add equivalent debian-latest label
  • monitoring_netdata: debsecan: whitelist a few minor issues in debsecan reports by default
  • wireguard: never return changed for wireguard client configuration file generation tasks
  • tt_rss: hide changed status of set permissions on tt-rss files task
  • gitea: update to v1.21.3 [1] [2]
  • postgresql: explicitly install postgresql version 15
  • openldap: update ldap-account-manager to v8.6
  • matrix: update element-web to v1.11.52 [1] [2]
  • xsrv: update ansible to v9.0.1
  • monitoring_goaccess: update IP to Country database to v2024-01
  • improve check mode support before first actual deployment
  • update documentation

Fixed:

  • graylog: mongodb: fix mongodb backups failing (authentication required)
  • default playbook: fix goaccess_username/password/fqdn variables not being added to the correct file (username/password belong to encrypted variables)
  • monitoring_utils: fix lynis warning MongoDB instance allows any user to access databases
  • tt_rss: fix tt-rss installation failing when git was not previously installed
  • tt_rss: fix error on first tt-rss installation Unsupported parameters for (postgresql_query) module: as_single_query, path_to_script.
  • shaarli: fix shaarli zip extraction failing when the unzip package is not installed
  • nextcloud: fix Nextcloud upgrades sometimes failing with Nextcloud is not installed - only a limited number of commands are available
  • graylog: don't fail with 'graylog_mongodb_apt_repo_distribution' is undefined when running the mongodb tag alone
  • dnsmasq: only attempt to update blocklists after network is online and dnsmasq has started

Full changes since v1.20.0

1.20.0

v1.20.0 - 2023-12-02

Upgrade procedure:

  • xsrv upgrade to upgrade roles/ansible environments to the latest release
  • xsrv deploy to apply changes

Added:

Removed:

  • netdata: remove netdata_monitor_systemd_units variable (always enable monitoring of system unit states)
  • common: remove residual support for Debian 11 in firewalld configuration

Changed:

  • xsrv: init-vm-template: use the gateway IP address as DNS server (--nameservers) by default instead of Cloudflare public DNS
  • netdata: when *_enable_service: no, disable HTTP checks entirely for this service (instead of accepting HTTP 503)
  • netdata: debsecan: allow disabling daily debsecan mail reports (debsecan_enable_reports: yes/no)
  • transmission/netdata: only accept HTTP 401 as valid return code for the HTTP check
  • nextcloud: verify downloaded .zip using GPG signatures
  • jellyfin: harden systemd service (systemd-analyze security exposure score down from 9.2 UNSAFE to 5.7 MEDIUM)
  • shaarli: update to v0.13.0
  • gitea: update to v1.21.1 [1] [2]
  • nextcloud: upgrade to v27.1.4 [1] [3]
  • openldap: update self-service-password to v1.5.4
  • matrix: update element-web to v1.11.50 [1] [2] [3]
  • xsrv: upgrade ansible to v8.6.1
  • goaccess: update IP to Country GeoIP database to v2023-11
  • cleanup: limit use of check_mode: no to tasks that do not change anything
  • update documentation, add example usage through Gitea Actions/Github Actions

Fixed:

  • openldap: fix deployment of ldap-account-manager failing on copy php-fpm configuration when deploying the apache tag in isolation
  • jellyfin: fix internal Restart server function only terminating the server process without restarting
  • gitea_act_runner: fix potentially insufficient UIDs or GIDs available in user namespace error when using podman backend
  • readme_gen: fix netdata alarm badge URL for used swap alarm
  • shaarli: make remove shaarli zip extraction directory task idempotent

Full changes since v1.19.0

1.19.0

v1.19.0 - 2023-11-03

Upgrade procedure:

  • xsrv upgrade to upgrade roles/ansible environments to the latest release
  • gitea_act_runner: if you changed it from the default value, rename the variable gitea_act_runner_gitea_instance_url to gitea_act_runner_gitea_instance_fqdn
  • monitoring_utils: if your projects are under git version control, you may want to add data/duc-*.db to your .gitignore before using the utils-duc tag.
  • common: if your projects are under git version control, you may want to add data/firewalld-info-*.log to your .gitignore before using the utils-firewalld-info tag.
  • xsrv deploy to apply changes

Added:

  • common: packages: automatically install qemu-guest-agent when the host is a KVM VM
  • gitea_act_runner: allow running workflows directly on the host without containerization (gitea_act_runner_labels)
  • monitoring_utils: allow analyzing disk usage by directory and visualizing it locally using duc (TAGS=utils-duc xsrv deploy default my.CHANGEME.org)
  • backup: allow disabling specific rsnapshot backup intervals by setting rsnapshot_retain_daily/weekly/monthly to 0
  • backup: allow disabling automatic/scheduled backups entirely (rsnapshot_enable_cron: yes/no)
  • backup: allow disabling automatic creation of the backup storage directory (rsnapshot_create_root: yes/no)
  • common: allow getting firewalld status information (TAGS=utils-firewalld-info xsrv deploy)
  • netdata/shaarli/tt_rss/openldap/nextcloud: enable monitoring of PHP-FPM pools
  • when generating self-signed certificates, download them to the controller in data/certificates/ under the project directory

Removed:

Changed:

  • netdata: disable all netdata self-monitoring by default
  • netdata: update logs/db storage configuration for newer netdata versions, store 400MB of per-minute data and 200MB of per-hour data in addition to the amount of per-second data defined by netdata_dbengine_disk_space
  • gitea_act_runner: don't run the runner as root but as dedicated act-runner user
  • gitea_act_runner: force re-registering the runner when the .runner file is absent
  • gitea_act_runner: rename variable gitea_act_runner_gitea_instance_url to gitea_act_runner_gitea_instance_fqdn
  • gitea_act_runner: log runner registration attempts to syslog for easier debugging
  • common: users/logind: don't auto-lock idle user sessions by default (systemd_logind_lock_after_idle_min: 0)
  • jitsi/goaccess: only generate self-signed certificates when jitsi/goaccess_https_mode: selfsigned
  • transmission: only generate self-signed certificates when apache is managed by xsrv
  • nextcloud: upgrade to v27.1.3 [1] [2] [3] [4] [5] [6]
  • matrix: update element-web to v1.11.47 [1]
  • update documentation

Fixed:

  • netdata: fix incorrect variable name in role defaults (netdata_api_key -> netdata_streaming_api_key)
  • gitea_act_runner: fix temporary error when first enabling the podman socket in act-runner systemd user session
  • gitea_act_runner: fix errors when enabling the systemd service manually
  • gitea_act_runner: always try to restart the runner systemd service in case of failure
  • monitoring_utils/graylog: fix debsums incorrectly reporting missing files in mongodb packages
  • monitoring_netdata/debsecan: fix debsecan unable to send email reports
  • default playbook: fix role ordering (podman must be deployed before gitea_act_runner)

Full changes since v1.18.0

1.18.0

v1.18.0 - 2023-10-11

Upgrade procedure:

Note: the collection will no longer be updated on https://galaxy.ansible.com/ui/repo/published/nodiscc/xsrv/ until https://github.com/ansible/galaxy/issues/2438 is fixed, please use the git repository URL in your requirements.yml, as documented in https://xsrv.readthedocs.io/en/latest/usage.html#use-as-ansible-collection.

Added:

Removed:

  • docker: remove role, archive it to separate repository
  • apache: remove ability to install/configure mod-evasive anti-DDoS module

Changed:

  • common: datetime: replace ntpd time synchronization service by systemd-timesyncd
  • common: ssh: don't accept locale/language-related environment variables set by the client by default (ssh_accept_locale_env: no/yes)
  • graylog: don't perform mongodb backups when the graylog/mongodb service is disabled on the host configuration (graylog_enable_service: yes/no)
  • gitea: update to v1.20.5 [1]
  • matrix: update element-web to v1.11.46 [1] [2] [3]
  • graylog: update to v5.1 [1] [2] [3] [4] [5] [6] [7]
  • openldap: update ldap-account-manager to v8.5
  • postgresql: update pgmetrics to v1.16.0
  • netdata: update netdata-apt to v1.1.2 [1]
  • xsrv: upgrade ansible to v8.5.0

Fixed:

  • jitsi: fixed jitsi-videobridge sometimes failing to connect to prosody (org.jivesoftware.smack.sasl.SASLErrorException: SASLError using SCRAM-SHA-1: not-authorized) - force updating jvb prosody password

Full changes since v1.17.0

1.17.0

v1.17.0 - 2023-09-21

Upgrade procedure:

  • upgrade to v1.16.0 and deploy it first, if not already done
  • xsrv upgrade to upgrade roles/ansible environments to the latest release
  • if you had changed it from its default value, rename the variable syslog_retention_days to rsyslog_retention_days in your hosts/groups configuration (xsrv edit-host/edit-group)
  • (optional) xsrv check to simulate changes.
  • xsrv deploy to apply changes
  • TAGS=debian11to12 xsrv deploy && xsrv deploy to upgrade hosts still on Debian 11 "Bullseye" to Debian 12 "Bookworm" [1]. Debian 11 will no longer be supported after this release.

Added:

Removed:

  • cleanup: remove all previous migration tasks
  • netdata: remove default processes checks for sshd, ntpd, fail2ban (let systemd services module handle checks for these processes)
  • tt_rss: remove ansible tags tt_rss-app, tt_rss-permissions, tt_rss-postgresql

Changed:

  • nextcloud: enable the Polls app by default
  • nextcloud: enable the Forms app by default
  • nextcloud: disable the usage survey app by default
  • apache: always redirect http:// to https:// for all applications/sites using Let's Encrypt (*_certificate_mode: letsencrypt) certificates
  • apache: don't redirect requests to the default HTTP virtualhost to HTTPS
  • jitsi: configure all components to listen only on loopback interfaces, disable IPv6 listening
  • graylog: cleanup list of dependencies (graylog provides its own java environment)
  • netdata: decrease apache server status collection frequency to 10s (decrease log spam caused by the collector)
  • apache: log requests from localhost to the default vhost with the localhost: prefix (for example http://127.0.0.1/server-status requests from netdata)
  • apache: log requests from other hosts to the default vhost with the default: prefix (for example bad bots and scanners accessing the server by IP address)
  • apache: serve a 403 Forbidden response for requests to the default virtualhost (except those from localhost)
  • common/fail2ban: increase the max number of banned IPs per jail to 1000000
  • common/fail2ban: decrease the number of failed authentication attempts before triggering a ban from 5 to 3 (over 10 minutes)
  • common/fail2ban: use values provided in fail2ban_default_maxretry (default 3), fail2ban_default_findtime (10min) and fail2ban_default_bantime (1 year) for all jails
  • common/fail2ban: use DROP firewall rule instead of REJECT (drop connections from banned IPs instead of replying with TCP reset)
  • common/fail2ban: do not enable the pam-generic jail by default as no service uses it
  • common/fail2ban/all roles: only ban offenders on HTTP/HTTPS ports (not all ports) for authentication failures on web applications
  • common/fail2ban: standardize permissions on fail2ban configuration files
  • gitea/jellyfin/fail2ban: do not disable gitea/jellyfin jails if the corresponding service is disabled
  • apache: cleanup: remove ServerAdmin directive from all virtualhost configuration files (this information is not used, displaying admin email in error messages is disabled)
  • wireguard: write peer names as comments in the config file
  • rsyslog: rename the variable syslog_retention_days to rsyslog_retention_days
  • nextcloud: update to v26.0.6 [1]
  • gitea: update to v1.20.4 [1] [2] [3]
  • matrix: update element-web to v1.11.43 [1] [2] [3] [4] [5] [6] [7]
  • postgresql: update pgmetrics to v1.15.2
  • xsrv: update ansible to v8.4.0
  • netdata: harden/standardize permissions on postgres collector configuration file
  • cleanup: common/fail2ban: standardize comments/task order, do not repeat jail options that are already defined in jail.conf, in jail.d/*conf
  • cleanup: xsrv: init-vm-template: remove deprecated --os option to virt-install
  • improve check mode support before first actual deployment
  • update documentation

Fixed:

  • apache: fix apache not loading new/updated Let's Encrypt/mod_md certificates automatically every minute
  • apache: fix duplicated access logs to access.log/other_vhosts_access.log, only log to access.log
  • common/fail2ban/all roles: prevent missing/not-yet-created log files from causing fail2ban reloads/restart to fail (e.g. when a service is initially deployed with *_enable_service: no)
  • common: fail2ban: fix Hash is full, cannot add more elements error when a fail2ban jail has more than 65536 banned IPs
  • monitoring_netdata/needrestart: fix automatic reboot not triggered by cron job when ABI-compatible kernel upgrades are pending
  • nextcloud: fail2ban: fix Found a match but no valid date/time warning when a login failure is detected

Full changes since v1.16.0

1.16.0

v1.16.0 - 2023-07-29

Upgrade procedure:

  • xsrv upgrade to upgrade roles/ansible environments to the latest release
  • (optional) xsrv check to simulate changes.
  • (optional) xsrv deploy && TAGS=debian11to12 xsrv deploy to upgrade your hosts from Debian 11 "Bullseye" to Debian 12 "Bookworm" [1]
  • xsrv deploy to apply changes

You must upgrade to this release and deploy it before deploying future versions (old migrations will be removed after this release.)

Added:

Removed:

  • drop support for Debian 10 Buster [1]

Changed:

  • libvirt: add the ansible user to the libvirt group by default (can manage libvirt VMs without sudo) (libvirt_users)
  • libvirt: configure non-root user accounts to use qemu:///system connection URI by default (can manage libvirt VMs without sudo/without specifying --connect qemu:///system)
  • gitea: update to v1.20.1 [1] [2]
  • nextcloud: update to v26.0.4 [1]
  • nextcloud: enable the Maps app again by default (now compatible with Nextcloud 26)
  • graylog: make role compatible with Debian 12 (upgrade to mongodb v6.0)
  • matrix: update element-web to v1.11.36
  • postgresql: update pgmetrics to v1.15.1
  • xsrv: update ansible to v8.2.0
  • common/ssh: add ansible_local.ssh.ansible_managed local fact which can be used to detect whether SSH server is managed by xsrv
  • improve check mode support before first actual deployment
  • update documentation

Fixed:

  • netdata: fix Oops, something unexpected happened error on alerts tab
  • netdata: fix role idempotence/configuration tasks always returning changed and needlessly restarting netdata
  • common: utils-debian11to12: fix upgrade procedure sometimes freezing/failing without logs
  • common: utils-debian11to12: fix error 'dict object' has no attribute 'distribution_release' after successful upgrade
  • common/monitoring_utils: fail2ban/lynis: fix warning fail2ban.configreader: WARNING 'allowipv6' not defined in 'Definition' in lynis reports
  • monitoring_utils: lynis: fix pgrep: pattern that searches for process name longer than 15 characters will result in zero matches message in reports (disable detection/suggestion of commercial/closed-source antivirus software)
  • gitea: fix task verify gitea GPG signatures failing on hosts where gnupg is not installed
  • gitea: fix role failing to deploy on hosts where the common role is not deployed (Group ssh-access does not exist)
  • common/firewalld/libvirt: ensure libvirtd is restarted when firewalld is restarted/reloaded (re-apply port forwarding rules), fix looping libvirt restarts
  • monitoring_utils/graylog: fix debsums incorrectly reporting missing files in mongodb packages (definitive fix)
  • mail_dovecot/gitea/backup: fix wrong ansible tag gitea on dovecot backup configuration tasks

Full changes since v1.15.0

1.15.0

v1.15.0 - 2023-07-16

Upgrade procedure:

  • xsrv self-upgrade to upgrade the xsrv script
  • xsrv upgrade to upgrade roles/ansible environments to the latest release
  • common: if you had custom linux_users defined with ssh as one of their groups:, change the group name from ssh to ssh-access, for example:
# xsrv edit-host
# host_vars/my.example.org/my.example.org.yml
 linux_users:
   - name: "rsnapshot"
-    groups: [ "ssh", "sudo", "postgres", "nextcloud", "steam" ]
+    groups: [ "ssh-access", "sudo", "postgres", "nextcloud", "steam" ]
     comment: "limited user account for remote backups"
     ssh_authorized_keys: ['data/public_keys/[email protected]']
     sudo_nopasswd_commands: ['/usr/bin/rsync', '/usr/bin/psql', '/usr/bin/pg_dump', '/usr/bin/pg_dumpall' ]
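Review bot: on the changed groups: line, the rename is shown for the rsnapshot entry only; since this release changes the group allowed to access the SSH server from ssh to ssh-access, every linux_users entry in host and group variables that still lists "ssh" needs the same edit before xsrv deploy, or that account will no longer be in the permitted group. The unchanged context also keeps this "limited user account" in the sudo group alongside sudo_nopasswd_commands, which is worth confirming as intended when copying the snippet.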
  • (optional) xsrv check to simulate changes.
  • xsrv deploy to apply changes
  • (optional) xsrv deploy && TAGS=debian11to12 xsrv deploy to upgrade your host's distribution from Debian 11 "Bullseye" to Debian 12 "Bookworm" [1].
    • nextcloud: if you want to postpone upgrading your Debian 11 hosts to Debian 12, set nextcloud_version: 25.0.9 manually in your host configuration (xsrv edit-host/edit-group), as Nextcloud 26 requires PHP 8 which is only available in Debian 12. Don't forget to remove this override after upgrading to Debian 12.
    • graylog: do not upgrade hosts where the graylog role is deployed to Debian 12, as it is not compatible with Debian 12 yet.

The Debian 11 -> 12 upgrade procedure was only tested for hosts managed by xsrv roles. If you have custom/third-party software installed, you should read Debian 12's release notes and/or execute the upgrade procedure manually. It is always advisable to do a full backup/snapshot before performing a distribution upgrade.

Added:

  • common: add an automated procedure to upgrade Debian 11 hosts to Debian 12 (TAGS=utils-debian11to12 xsrv deploy)
  • common: fail2ban: allow downloading the list of banned IPs to the controller (TAGS=utils-fail2ban-get-banned xsrv deploy)
  • backup: allow taking a snapshot immediately (TAGS=utils-backup-now xsrv deploy)
  • graylog: allow setting the admin user account timezone (graylog_root_timezone)

Changed:

  • make all roles (except graylog) compatible with Debian 12 "Bookworm"
  • xsrv: init-vm-template: use Debian 12 "Bookworm" as the base OS image [1]
  • common: ssh: change the group name allowed to access the SSH server from ssh to ssh-access (ssh is a reserved group name used for internal purposes)
  • common: fail2ban: use firewallcmd-ipset ban action when firewalld is enabled and managed by xsrv (setup_firewall: yes)
  • common: firewalld: allow SSH connections from both the internal and public zones by default
  • apache: harden systemd service (systemd-analyze security exposure score down from 9.2 UNSAFE to 7.6 EXPOSED)
  • xsrv: init-vm: check that the user-provided value for --memory has the M or G suffix
  • nextcloud: disable the Maps app by default (incompatible with Nextcloud 26)
  • nextcloud: disable the Music app by default (makes it impossible to delete directories)
  • nextcloud: update to v26.0.3 [1] [2] [3]
  • gitea: update to v1.19.4
  • openldap: update ldap-account-manager to v8.4
  • matrix: update element-web to v1.11.35 [1] [2] [3] [3]
  • postgresql: update pgmetrics to v1.15.0
  • xsrv: update ansible to v8.1.0 [1] [2]
  • apache: simplify syntax of configuration used to forbid access to .ssh,.git,.svn,.hg directories
  • monitoring_rsyslog: drop remaining compatibility with Debian 10 "Stretch"
  • cleanup: gitea: remove unneeded php-pgsql package installation
  • cleanup: shaarli: simplify handling of conditions in installation/upgrade procedure
  • tests: improve ansible-lint coverage
  • improve check mode support, fix errors in check mode when running before first actual deployment
  • update documentation

Fixed:

  • common: firewalld: fix conflicting default values for immediate and permanent during configure firewalld zone sources (default to permanent: yes, immediate: no)
  • shaarli: fix missing package python3-pip required to install python-shaarli-client when shaarli_setup_python_client: yes
  • monitoring_utils/graylog: fix debsums incorrectly reporting missing files in mongodb packages
  • xsrv: init-vm: fix help text (the value for --memory must have the M or G suffix)
  • xsrv: init-vm: fix the VM XML filename printed out in the libvirt_vms copy-pastable snippet
  • graylog: decouple role from the apache role, skip apache configuration tasks when apache is not managed by ansible
  • nextcloud: fix mysql ansible module arguments

Full changes since v1.14.0

1.14.0

v1.14.0 - 2023-05-17

Upgrade procedure:

  • xsrv self-upgrade to upgrade the xsrv script
  • xsrv upgrade to upgrade roles/ansible environments to the latest release
  • xsrv deploy to apply changes
  • matrix: synapse: if you are getting the error Failed to update apt cache: unknown reason, this may be caused by the matrix/synapse APT repository signing key having expired. Deploying the matrix tag alone should solve this problem (TAGS=matrix xsrv deploy)
  • (optional) download and install the tab/auto-completion script:
wget https://gitlab.com/nodiscc/xsrv/-/raw/release/xsrv-completion.sh
sudo cp xsrv-completion.sh /etc/bash_completion.d/

Added:

  • matrix: add synapse-admin user/room administration web interface
  • xsrv: add (optional) bash completion script (installation)
  • jellyfin: allow installing and configuring OpenSubtitles plugin (jellyfin_setup_opensubtitles_plugin: no/yes)
  • homepage: allow adding custom links to the homepage (homepage_custom_links)
  • graylog: setup automatic local backups of graylog configuration when the nodiscc.xsrv.backup role is deployed
  • nextcloud: add the Tables app to the list of default disabled apps (nextcloud_apps)
  • readme-gen: show mumble:// server URIs/links for hosts where the nodiscc.xsrv.mumble role is deployed
  • readme-gen: show homepage URL/link for hosts where the nodiscc.xsrv.homepage role is deployed
  • readme-gen: display a list of storage devices with size, for each host
  • readme-gen: allow adding SFTP bookmarks for GTK-based file managers to the output markdown file (readme_gen_gtk_bookmarks: yes/no)
  • xsrv: init-vm/init-vm-template: validate that values of --ip/--gateway are valid IPv4 addresses

Removed:

  • xsrv: remove ls command (use bash completion instead, or manually cd to your project directory)

Changed:

  • monitoring_utils: lynis: disable Reboot of system is most likely needed warning, let netdata/needrestart send notifications when a reboot is required
  • monitoring_utils: lynis: disable Found one or more vulnerable packages warning, let debsecan handle reporting of vulnerable packages
  • homepage: display descriptions for each applications/services, improve layout
  • xsrv: init-vm-template: remove the temporary preseed file after template creation
  • nextcloud: update to v25.0.6
  • gitea: update to v1.19.3 [1] [2]
  • matrix: update element-web to v1.11.31 [1] [2]
  • xsrv: update ansible to v7.5.0
  • cleanup/internal changes: improve separation of tasks/files, clarify variable naming, remove unused/duplicate variables/tasks
  • update documentation

Fixed:

  • matrix: synapse: fix Failed to update apt cache: unknown reason/expired repository signing key
  • xsrv: install lxml python module, required for utils-libvirt-setmem tasks
  • gitea: fix fail2ban restart failing on first installation of gitea
  • jellyfin: fix idempotence/opensubtitles plugin installation always returning changed
  • decouple web application roles from the nodiscc.xsrv.apache role (only run apache configuration tasks if the apache role is deployed). nodiscc.xsrv.apache is still required in the standard configuration to act as a reverse proxy for web applications. If not deployed, you will need to provide your own reverse proxy configuration.

Full changes since v1.13.1