[mirror] Install and manage self-hosted services/applications, on your own server(s) - ansible collection and utilities
Upgrade procedure:
- xsrv self-upgrade to upgrade the xsrv script
- xsrv upgrade to upgrade roles/ansible environments to the latest release
- xsrv deploy to apply changes
- Failed to update apt cache: unknown reason - this may be caused by the matrix/synapse APT repository signing key having expired. Deploying the matrix tag alone should solve this problem (TAGS=matrix xsrv deploy)
- wget https://gitlab.com/nodiscc/xsrv/-/raw/release/xsrv-completion.sh
- sudo cp xsrv-completion.sh /etc/bash_completion.d/
Added:
- jellyfin_setup_opensubtitles_plugin: no/yes
- homepage_custom_links
- nodiscc.xsrv.backup role is deployed
- nextcloud_apps
- mumble:// server URIs/links for hosts where the nodiscc.xsrv.mumble role is deployed
- nodiscc.xsrv.homepage role is deployed
- readme_gen_gtk_bookmarks: yes/no
- init-vm/init-vm-template: validate that values of --ip/--gateway are valid IPv4 addresses

Removed:
- ls command (use bash completion instead, or manually cd to your project directory)

Changed:
- Reboot of system is most likely needed warning, let netdata/needrestart send notifications when a reboot is required
- Found one or more vulnerable packages warning, let debsecan handle reporting of vulnerable packages

Fixed:
- Failed to update apt cache: unknown reason/expired repository signing key
- lxml python module, required for utils-libvirt-setmem tasks
- changed nodiscc.xsrv.apache role (only run apache configuration tasks if the apache role is deployed). nodiscc.xsrv.apache is still required in the standard configuration to act as a reverse proxy for web applications. If not deployed, you will need to provide your own reverse proxy configuration.

Upgrade procedure:
- xsrv upgrade to upgrade roles/ansible environments to the latest release
- xsrv deploy to apply changes

Fixed:
- template error while templating string

Upgrade procedure:
- xsrv self-upgrade to upgrade the xsrv script
- xsrv upgrade to upgrade roles/ansible environments to the latest release
- xsrv deploy to apply changes
- netdata_port_checks: ensure the ports: parameter is a list, even if it only contains a single port (e.g. ports: [64738])

Added:
- /var/www/maintenance/maintenance.html
- *_enable_service: yes/no, redirect to the maintenance page when disabled
- dovecot_enable_service: yes/no
- samba_enable_service: yes/no
- netdata_public_port, and use it in mail notifications/nodiscc.xsrv.homepage role

Removed:
- ensure /var/log/wtmp is not world-readable
- readme_gen_netdata_public_port variable (use netdata_public_port instead)

Changed:
- init-vm: make --gateway optional, by default use the value of --ip with the last octet replaced by .1
- init-vm: make --ssh-pubkey optional, by default use the contents of ~/.ssh/id_rsa.pub
- init-vm: always dump VM XML definition to a file (--dumpxml), by default to $projects_dir/VM_NAME.xml
- netdata_disabled_plugins
- *_enable_service: no
- rsyslog_custom_config
- rsyslog_custom_config
- systemd-analyze security exposure score down from 9.2 UNSAFE to 1.9 OK
- fatal: detected dubious ownership in repository when manipulating files/repos from a shell as the gitea user
- 0700

Fixed:
- netdata_fping_hosts/ping checks not displaying anymore
- Go to chart links in mail notifications pointing to Netdata Cloud/SaaS instead of the netdata instance
- web log unmatched alarms/high excluded_requests rate
- file '/var/log/nscd.log' does not exist when samba is configured with samba_passdb_backend: ldapsam
- create initial shaarli log.txt idempotent

Upgrade procedure:
- xsrv self-upgrade to upgrade the xsrv script
- xsrv upgrade to upgrade roles/ansible environments to the latest release
- proxmox role, update requirements.yml (xsrv edit-requirements) and playbook.yml (xsrv edit-playbook) to use the archived nodiscc.toolbox.proxmox role instead. nodiscc.xsrv.libvirt includes more features and is now the recommended role for simplified management of hypervisors and virtual machines. Proxmox VE remains suitable for more complex setups where management through a Web interface is desirable.
- rsyslog_forward_to_hostname variable and it is pointing to a graylog instance deployed with the graylog role, update it to use the graylog instance FQDN instead of the graylog host inventory hostname (e.g. logs.example.org instead of host1.example.org)
- libvirt_port_forwards, update them to use the new syntax.
- fatal: detected dubious ownership in repository, run the playbook with the tt_rss-permissions tag first (TAGS=tt_rss-permissions xsrv deploy)
- jitsi_jvb_prosody_password to a random 8 character string in your host configuration
- fact_caching_timeout = 1 is set in your project's ansible.cfg (xsrv edit-cfg) since long cache timeouts can cause problems with tasks that expect up-to-date facts
- xsrv deploy to apply changes

# old syntax
libvirt_port_forwards:
  - vm_name: vm01.CHANGEME.org
    host_ip: 1.2.3.4
    vm_ip: 10.0.0.101
    bridge: virbr1
    host_port: 80
    vm_port: 80
    protocol: tcp
  - vm_name: vm01.CHANGEME.org
    host_ip: 1.2.3.4
    vm_ip: 10.0.0.101
    bridge: virbr1
    host_port: 19101
    vm_port: 19999
    protocol: tcp

# new syntax
libvirt_port_forwards:
  - vm_name: vm01.CHANGEME.org
    vm_ip: 10.0.0.101
    vm_bridge: virbr1
    dnat:
      - host_ip: 1.2.3.4
        host_port: 80
        vm_port: 80
        protocol: tcp # tcp is now the default and can be omitted
      - host_interface: eth0 # the outside network interface can now be specified instead of the IP
        host_port: 19101
        vm_port: 19999
  # additional examples
  - vm_name: vm201.CHANGEME.org
    vm_ip: 10.2.0.100
    vm_bridge: virbr2
    dnat:
      - host_interface: eth0
        host_port: 30000-30100 # port ranges separated by - are now supported
        vm_port: 30000-30100
        protocol: udp
      - host_interface: eth0 # host_interface/host_ip can be combined for finer control
        host_ip: 192.168.12.0/24
        host_port: 123
        vm_port: 123
    forward: # it is now possible to setup forwarding rules between interfaces/bridges without DNAT
      - source_interface: virbr2
        source_ip: 10.2.1.31
        vm_port: 5140
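The old-to-new migration above is mechanical, so it can be scripted rather than done by hand for every VM. The following is an added example, not part of xsrv or the nodiscc.xsrv.libvirt role: it groups the old flat rules by vm_name into per-VM entries with a dnat list, renames bridge to vm_bridge, drops protocol: tcp because tcp is now the default, refuses to merge rules whose vm_ip/bridge disagree for the same vm_name, and prints the result as a YAML block to paste into the host vars. It assumes the variable has already been loaded into Python data (for instance with yaml.safe_load()); the input below is a constructed copy of the old-syntax block, and the function and variable names are my own. Switching a rule from host_ip to host_interface, or adding source_ip/forward rules, are new features that a converter cannot infer, so those remain manual edits.

```python
"""Migrate xsrv libvirt_port_forwards from the old flat syntax to the new per-VM
syntax with a dnat list.

Added example, not part of xsrv or the nodiscc.xsrv.libvirt role. It assumes the
host vars have already been loaded into Python data (e.g. with yaml.safe_load())
and that old rules carry only the keys shown in the "old syntax" block:
vm_name, host_ip, vm_ip, bridge, host_port, vm_port, protocol.
"""

# Constructed sample input: the "old syntax" block from the changelog, as Python data.
OLD_PORT_FORWARDS = [
    {"vm_name": "vm01.CHANGEME.org", "host_ip": "1.2.3.4", "vm_ip": "10.0.0.101",
     "bridge": "virbr1", "host_port": 80, "vm_port": 80, "protocol": "tcp"},
    {"vm_name": "vm01.CHANGEME.org", "host_ip": "1.2.3.4", "vm_ip": "10.0.0.101",
     "bridge": "virbr1", "host_port": 19101, "vm_port": 19999, "protocol": "tcp"},
]

REQUIRED_OLD_KEYS = {"vm_name", "host_ip", "vm_ip", "bridge", "host_port", "vm_port"}


def convert_port_forwards(old_rules):
    """Return new-syntax entries (one per vm_name) built from old flat rules.

    vm_name/vm_ip move to the entry level and bridge is renamed vm_bridge;
    host_ip/host_port/vm_port go into the entry's dnat list; protocol is kept
    only when it is not tcp, since tcp is now the default. A rule missing a
    required key, or a vm_name reused with a different vm_ip/bridge (so the
    merge would be ambiguous), raises ValueError instead of silently producing
    a rule set that differs from the old one.
    """
    entries = {}  # vm_name -> new entry; dict preserves first-seen order
    for index, rule in enumerate(old_rules):
        missing = REQUIRED_OLD_KEYS - set(rule)
        if missing:
            raise ValueError(f"rule {index}: missing keys {sorted(missing)}")
        entry = entries.setdefault(rule["vm_name"], {
            "vm_name": rule["vm_name"],
            "vm_ip": rule["vm_ip"],
            "vm_bridge": rule["bridge"],
            "dnat": [],
        })
        if (entry["vm_ip"], entry["vm_bridge"]) != (rule["vm_ip"], rule["bridge"]):
            raise ValueError(f"rule {index}: conflicting vm_ip/bridge for {rule['vm_name']}")
        dnat_rule = {
            "host_ip": rule["host_ip"],
            "host_port": rule["host_port"],
            "vm_port": rule["vm_port"],
        }
        if rule.get("protocol", "tcp") != "tcp":
            dnat_rule["protocol"] = rule["protocol"]
        entry["dnat"].append(dnat_rule)
    return list(entries.values())


def to_yaml(entries):
    """Render the entries as a libvirt_port_forwards YAML block (hand-rolled, no PyYAML).

    Only the fixed key set produced by convert_port_forwards() is handled,
    which keeps the emitter small and the output stable.
    """
    lines = ["libvirt_port_forwards:"]
    for entry in entries:
        lines.append(f"  - vm_name: {entry['vm_name']}")
        lines.append(f"    vm_ip: {entry['vm_ip']}")
        lines.append(f"    vm_bridge: {entry['vm_bridge']}")
        lines.append("    dnat:")
        for dnat_rule in entry["dnat"]:
            for position, (key, value) in enumerate(dnat_rule.items()):
                indent = "      - " if position == 0 else "        "
                lines.append(f"{indent}{key}: {value}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_yaml(convert_port_forwards(OLD_PORT_FORWARDS)))
```

Run it against the real variable by replacing OLD_PORT_FORWARDS with the list loaded from the host vars file, then diff the printed block against the existing entries before committing it; the ValueError checks are there so that a typo in a vm_name or bridge shows up as an error rather than as a silently different set of DNAT rules.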
Added:
- apache_reverseproxies
- utils-libvirt-setmem tag (update libvirt VMs current memory allocation immediately)
- libvirt_users variable: users to add to the libvirt/libvirt-qemu/kvm groups so that they can use virsh without sudo
- libvirt_port_forwards: allow forwarding port ranges
- libvirt_port_forwards: allow limiting DNAT rules to specific source IPs/networks (libvirt_port_forwards.*.dnat.*.source_ip)
- libvirt_port_forwards: allow forwarding ports between libvirt bridges/networks without DNAT (libvirt_port_forwards.*.forward)
- xsrv shell, xsrv logs, xsrv fetch-backups

Changed:
- init-vm: rename --dump option to --dumpxml, require an output file as argument
- users.*.sudo_nopasswd_commands: allow using passwordless sudo as any user, not just root
- ssh group automatically during initial setup, don't require manually adding the ansible user to the group
- apt_unattended_upgrades_origins_patterns
- virt-manager automatically since it requires a graphical/desktop environment
- libvirt_port_forwards: add a dnat list under each libvirt_port_forwards entry, allowing to specify multiple port forwarding/DNAT rules (each one with its own host_interface/host_ip, host_port, vm_port, protocol)
- libvirt_port_forwards: make tcp the default protocol (allow omitting protocol: tcp)
- {{ graylog_fqdn }}-graylog-ca.crt
- ansible.cfg anymore, decrease the default value to 1s

Removed:

Fixed:
- fatal: detected dubious ownership in repository error when upgrading tt-rss
- Unable to determine version in logs
- configure libvirt networks failing if the network does not already exist
- libvirt_port_forwards is changed (restart firewalld)
- error: peer name not authorized - not permitted to talk to it. error
- init-vm-template: fix unrecognized option '--preseed-file' error
- init-vm/init-vm-template: fix inconsistent libvirt connection URI, always connect to the qemu:///system URI
- init-vm/init-vm-template: refuse to run if the current user is not part of required groups
- init-vm: do not require --sudo-user option, use the default value deploy if not provided

Upgrade procedure:
- xsrv upgrade to upgrade roles/ansible environments to the latest release
- xsrv deploy to apply changes

Fixed:
- gitea_enable_api/gitea_api_max_results not having any effect

Upgrade procedure:
- xsrv self-upgrade to upgrade the xsrv script
- xsrv upgrade to upgrade roles/ansible environments to the latest release
- nextcloud_apps from its default value, remove files_videoplayer from the list (xsrv edit-host/edit-group)
- jitsi_prosody_password in your host configuration variables (xsrv edit-vault)
- gitea_mailer_enabled is set to yes, add the new gitea_mail_protocol/gitea_mail_port settings to your host configuration.
- rss_bridge role, update requirements.yml (xsrv edit-requirements) and playbook.yml (xsrv edit-playbook) to use the archived nodiscc.toolbox.rss_bridge role instead. The primary goal for the RSS-Bridge role was to provide RSS feeds for Twitter accounts. This can be done by using https://nitter.net/ACCOUNT/rss instead (or one of the public Nitter instances).
- nextcloud role, by enabling the spreed app under nextcloud_apps. If you want to keep using the rocketchat role, update requirements.yml (xsrv edit-requirements) and playbook.yml (xsrv edit-playbook) to use the archived nodiscc.toolbox.rocketchat role instead. Reasons for the deprecation can be found here.
- readme-gen command, make sure fact_caching_timeout is commented out in your project's ansible.cfg (xsrv edit-cfg) - or at least set to a large value like 86400, and that your project's README.md contains the markers <!-- BEGIN/END AUTOMATICALLY GENERATED CONTENT - README_GEN ROLE -->

Added:
- matrix role - real-time, secure communication server and web client
- readme-gen command and role - generate a markdown inventory in the project's README.md
- needrestart_autorestart_cron
- gitea_repo_indexer_enabled, gitea_repo_indexer_exclude
- bash_timeout, default 900s
- packages_install

Removed:
- firewalld (use firewall instead)

Changed:
- files_videoplayer app [1]
- lynis_report_regex
- /var/log/wtmp does not become world-readable again after log rotation
- xsrv help-tags

Fixed:
- Unfortunately something went wrong. We're trying to fix this. Reconnecting in...
- kernel_proc_hidepid changes not being applied unless the host is rebooted
- check mode
- interface_config.js
- mongodb-database-tools
- gitea_db_password
Upgrade procedure:
- xsrv upgrade to upgrade roles/ansible environments to the latest release
- public_keys/ directory from the root of your project directory, under the data/ directory.
- certificates/ directory from the root of your project directory, under the data/ directory.
- os_security_kernel_enable_core_dump from its default value in your hosts/groups configuration, rename it to kernel_enable_core_dump
- *-graylog-ca.crt file from the public_keys/ directory to the data/certificates/ directory (create it if it does not exist)
- self_service_password_allowed_hosts from its default value in your host/groups configuration, update it to the new format (YAML list instead of a list of addresses separated by spaces):

  # old format
  self_service_password_allowed_hosts: "10.0.0.0/8 192.168.0.0/16 172.16.0.0/12"

  # new format
  self_service_password_allowed_hosts:
    - 10.0.0.0/8
    - 192.168.0.0/16
    - 172.16.0.0/12
Added:
- xsrv open command (open the project directory in the default file manager)
- init-vm: add --dump option (display the VM XML definition after creation)
- nextcloud_loglevel/nextcloud_defaultapp
- kernel_proc_hidepid: no/yes
- shaarli_setup_python_client: no/yes, and export all shaarli data to a JSON file every hour
- wireguard_enable_service: yes/no
- netdata_fping_alarms_silent: yes/no
- apache_enable_service: yes/no
- utils-autorestart tag (reboot hosts if required after a kernel update, will only run if the utils-autorestart tag is explicitly called)
- utils-samba-listusers tag (list samba users)

Removed:

Changed:
- config.php to the list of files to backup (may contain the encryption secret if encryption was enabled by the admin)
- self_service_password_allowed_hosts (use a YAML list instead of space-separated list)
- os_security_kernel_enable_core_dump -> kernel_enable_core_dump
- vfat
- squashfs filesystems module by default
- dns_nameservers
- custom.conf
- init-vm-template: make the --template option optional, default to debian11-base
- init-vm-template: make the --sudo-user option optional, default to deploy
- init-vm/init-vm-template: clarify use of units M or G for --memory option
- apt_key/apt_repository modules, install all APT keys in /usr/share/keyrings/

Fixed:
- vfat module required by EFI boot
- mongodb-database-tools
- 192.168.0.0/16 to the internal zone by default, not just 192.168.0.0/24
- init-vm-template: fix non-working options --sudo-password, --root-password, --sudo-user, --nameservers
- init-vm: fix an issue where VMs would be created with 1MB of memory when --memory 1024 was used
- init-vm-template command not working unless xsrv self-upgrade had already been run

Security:
- jellyfin_allowed_hosts
- kernel_enable_core_dump not having any effect

Upgrade procedure:
- xsrv self-upgrade to upgrade the xsrv script
- xsrv upgrade to upgrade roles/ansible environments to the latest release
- gitea_enable_git_hooks: yes in the host configuration/vars file (xsrv edit-host)
- xsrv deploy to apply changes

Added:
- xsrv init-vm-template command (create a libvirt Debian VM template, unattended using a preconfiguration file)
- apt_listbugs: yes/no
- packages_install/remove
- gitea_enable_git_hooks/webhooks
- gitea_webhook_allowed_hosts
- gitea_ssh_url_port

Removed:
- setup_cli_utils and setup_haveged variables. Use packages_install/remove instead.

Changed:
- shaarli user account (don't use the default shared www-data user)
- httpcheck_web_service_unreachable, increase the timeout of the check to 3s
- /var/log/wtmp is not world-readable
- ansible-core>=2.12/ansible>=6.0.0

Fixed:
- sftponly user accounts when no groups are defined in the user definition

Upgrade procedure:
- xsrv upgrade to upgrade roles/ansible environments to the latest release
- xsrv deploy to apply changes

Fixed:

Upgrade procedure:
- xsrv self-upgrade to upgrade the xsrv script
- xsrv upgrade to upgrade roles/ansible environments to the latest release
- apache role or equivalent is explicitly deployed to the host before deploying any of these roles.
- samba is deployed before jellyfin (xsrv edit-playbook)
- valheim_server role, update requirements.yml (xsrv edit-requirements) and playbook.yml (xsrv edit-playbook) to use the archived nodiscc.toolbox.valheim_server role instead.
- xsrv deploy to apply changes

Added:
- mail_dovecot role - IMAP mailbox server
- netdata_streaming_*
- xsrv ssh subcommand (alias for shell)
- setup_users: yes/no
- kernel_modules_blacklist, disable unused network/firewire modules by default
- apt_purge_nightly: yes/no
- docker_iptables: no/yes
- *_ldap_url
- ldap_account_manager_ldaps_cert
- samba_log_full_audit_success_events
- shaarli_thumbnails_mode and default number of links per page (shaarli_links_per_page, default 30)
- TAGS=utils-pgmetrics
- xsrv help-tags will now parse tag descriptions from custom roles in roles/ in addition to collections
- iputils-ping package (ping utility)

Removed:

Changed:
- /dev and /dev/shm virtual filesystems
- apache-access: in syslog when apache_access_log_to_syslog: yes
- ssh:// and sftp:// URIs
- homepage_message
- lynis_skip_tests
- limits.conf configuration file
- check mode support, standardize task names, remove unused template files, make usage of ansible_facts consistent in all roles, clarify xsrv script, reorder functions by purpose/component, automate documentation generation, improve tests/release procedure, automate initial check mode/deployment/idempotence tests

Fixed:
- init-project: fix inventory not correctly initialized
- xsrv shell/fetch-backups when a non-default XSRV_PROJECTS_DIR is specified by the user
- AcceptEnv and PermitUserEnvironment settings
- --tags=monitoring
- samba_passdb_backend: ldapsam mode when openldap role is not part of the same play
- fetch-backups: use the first host in alphabetical order, when no host is specified
- syslog_retention_days variable
- needrestart_autorestart_services value not taken into account when true
- *_https_mode variable checks

Security: