[mirror] Install and manage self-hosted services/applications, on your own server(s) - ansible collection and utilities
Upgrade procedure:
xsrv self-upgrade to upgrade the xsrv scriptxsrv upgrade to upgrade roles/ansible environments to the latest releasexsrv deploy to apply changesFailed to update apt cache: unknown reason, this may be caused by the matrix/synapse APT repository signing key having expired. Deploying the matrix tag alone should solve this problem (TAGS=matrix xsrv deploy)wget https://gitlab.com/nodiscc/xsrv/-/raw/release/xsrv-completion.sh
sudo cp xsrv-completion.sh /etc/bash_completion.d/
Added:
jellyfin_setup_opensubtitles_plugin: no/yes)homepage_custom_links)nodiscc.xsrv.backup role is deployednextcloud_apps)mumble:// server URIs/links for hosts where the nodiscc.xsrv.mumble role is deployednodiscc.xsrv.homepage role is deployedreadme_gen_gtk_bookmarks: yes/no)init-vm/init-vm-template: validate that values of --ip/--gateway are valid IPv4 addressesRemoved:
ls command (use bash completion instead, or manually cd to your project directory)Changed:
Reboot of system is most likely needed warning, let netdata/needrestart send notifications when a reboot is requiredFound one or more vulnerable packages warning, let debsecan handle reporting of vulnerable packagesFixed:
Failed to update apt cache: unknown reason/expired repository signing keylxml python module, required for utils-libvirt-setmem taskschanged
nodiscc.xsrv.apache role (only run apache configuration tasks if the apache role is deployed). nodiscc.xsrv.apache is still required in the standard configuration to act as a reverse proxy for web applications. If not deployed, you will need to provide your own reverse proxy configuration.Upgrade procedure:
xsrv upgrade to upgrade roles/ansible environments to the latest releasexsrv deploy to apply changesFixed:
template error while templating string)Upgrade procedure:
xsrv self-upgrade to upgrade the xsrv scriptxsrv upgrade to upgrade roles/ansible environments to the latest releasexsrv deploy to apply changesnetdata_port_checks, ensure the ports: parameter is a list, even if it only contains a single port (e.g. ports: [64738])Added:
/var/www/maintenance/maintenance.html)*_enable_service: yes/no), redirect to the maintenance page when disableddovecot_enable_service: yes/no)samba_enable_service: yes/no)netdata_public_port), and use it in mail notifications/nodiscc.xsrv.homepage roleRemoved:
ensure /var/log/wtmp is not world-readable
readme_gen_netdata_public_port variable (use netdata_public_port instead)Changed:
init-vm: make --gateway optional, by default use the value of --ip with the last octet replaced by .1
init-vm: make --ssh-pubkey optional, by default use the contents of ~/.ssh/id_rsa.pub
init-vm: always dump VM XML definition to a file (--dumpxml), by default to $projects_dir/VM_NAME.xml
netdata_disabled_plugins)*_enable_service: no
rsyslog_custom_config)rsyslog_custom_config
systemd-analyze security exposure score down from 9.2 UNSAFE to 1.9 OK)fatal: detected dubious ownership in repository when manipulating files/repos from a shell as the gitea user)0700
Fixed:
netdata_fping_hosts/ping checks not displaying anymoreGo to chart links in mail notifications pointing to Netdata Cloud/SaaS instead of the netdata instanceweb log unmatched alarms/high excluded_requests ratefile '/var/log/nscd.log' does not exist when samba is configured with samba_passdb_backend: ldapsam
create initial shaarli log.txt idempotentUpgrade procedure:
xsrv self-upgrade to upgrade the xsrv scriptxsrv upgrade to upgrade roles/ansible environments to the latest releaseproxmox role, update requirements.yml (xsrv edit-requirements) and playbook.yml (xsrv edit-playbook) to use the archived nodiscc.toolbox.proxmox role instead. nodiscc.xsrv.libvirt includes more features and is now the recommended role for simplified management of hypervisors and virtual machines. Proxmox VE remains suitable for more complex setups where management through a Web interface is desirable.rsyslog_forward_to_hostname variable and it is pointing to a graylog instance deployed with the graylog role, update it to use the graylog instance FQDN instead of the graylog host inventory hostname (e.g. logs.example.org instead of host1.example.org)libvirt_port_forwards, update them to use the new syntax.fatal: detected dubious ownership in repository), run the playbook with the tt_rss-permissions tag first (TAGS=tt_rss-permissions xsrv deploy)jitsi_jvb_prosody_password to a random 8 character string in your host configurationfact_caching_timeout = 1 is set in your project's ansible.cfg (xsrv edit-cfg) since long cache timeouts can cause problems with tasks that expect up-to-date factsxsrv deploy to apply changes# old syntax
libvirt_port_forwards:
- vm_name: vm01.CHANGEME.org
host_ip: 1.2.3.4
vm_ip: 10.0.0.101
bridge: virbr1
host_port: 80
vm_port: 80
protocol: tcp
- vm_name: vm01.CHANGEME.org
host_ip: 1.2.3.4
vm_ip: 10.0.0.101
bridge: virbr1
host_port: 19101
vm_port: 19999
protocol: tcp
# new syntax
libvirt_port_forwards:
- vm_name: vm01.CHANGEME.org
vm_ip: 10.0.0.101
vm_bridge: virbr1
dnat:
- host_ip: 1.2.3.4
host_port: 80
vm_port: 80
protocol: tcp # tcp is now the default and can be omitted
- host_interface: eth0 # the outside network interface can now be specified instead of the IP
host_port: 19101
vm_port: 19999
# additional examples
- vm_name: vm201.CHANGEME.org
vm_ip: 10.2.0.100
vm_bridge: virbr2
dnat:
- host_interface: eth0
host_port: 30000-30100 # port ranges separated by - are now supported
vm_port: 30000-30100
protocol: udp
- host_interface: eth0 # host_interface/host_ip can be combined for finer control
host_ip: 192.168.12.0/24
host_port: 123
vm_port: 123
forward: # it is now possible to setup forwarding rules between interfaces/bridges without DNAT
- source_interface: virbr2
source_ip: 10.2.1.31
vm_port: 5140
Added:
apache_reverseproxies)utils-libvirt-setmem tag (update libvirt VMs current memory allocation immediately)libvirt_users variable: users to add to the libvirt/libvirt-qemu/kvm groups so that they can use virsh without sudolibvirt_port_forwards: allow forwarding port rangeslibvirt_port_forwards: allow limiting DNAT rules to specific source IPs/networks (libvirt_port_forwards.*.dnat.*.source_ip)libvirt_port_forwards: allow forwarding ports between libvirt bridges/networks without DNAT (libvirt_port_forwards.*.forward)xsrv shell, xsrv logs, xsrv fetch-backups)Changed:
init-vm: rename --dump option to --dumpxml, require an output file as argumentusers.*.sudo_nopasswd_commands: allow using passwordless sudo as any user, not just rootssh group automatically during initial setup, don't require manually adding the ansible user to the groupapt_unattended_upgrades_origins_patterns)virt-manager automatically since it requires a graphical/desktop environmentlibvirt_port_forwards: add a dnat list under each libvirt_port_forwards entry, allowing to specify multiple port forwarding/DNAT rules (each one with its host_interface/host_ip,host_port,vm_port,protocol)libvirt_port_forwards: make tcp the default protocol (allow omitting protocol: tcp){{ graylog_fqdn }}-graylog-ca.crt
ansible.cfg anymore, decrease the default value to 1sRemoved:
Fixed:
fatal: detected dubious ownership in repository error when upgrading tt-rssUnable to determine version in logsconfigure libvirt networks failing if the network does not already existlibvirt_port_forwards is changed (restart firewalld)error: peer name not authorized - not permitted to talk to it. errorinit-vm-template: fix unrecognized option '--preseed-file' errorinit-vm/init-vm-template: fix inconsistent libvirt connection URI, always connect to the qemu:///system URIinit-vm/init-vm-template: refuse to run if the current user is not part of required groupsinit-vm: do not require --sudo-user option, use the default value deploy if not providedUpgrade procedure:
xsrv upgrade to upgrade roles/ansible environments to the latest releasexsrv deploy to apply changesFixed:
gitea_enable_api/gitea_api_max_results not having any effectUpgrade procedure:
xsrv self-upgrade to upgrade the xsrv scriptxsrv upgrade to upgrade roles/ansible environments to the latest releasenextcloud_apps from its default value, remove files_videoplayer from the list (xsrv edit-host/edit-group)jitsi_prosody_password in your host configuration variables (xsrv edit-vault)gitea_mailer_enabled is set to yes, add the new gitea_mail_protocol/gitea_mail_port settings to your host configuration.rss_bridge role, update requirements.yml (xsrv edit-requirements) and playbook.yml (xsrv edit-playbook) to use the archived nodiscc.toolbox.rss_bridge role instead. The primary goal for the RSS-Bridge role was to provide RSS feeds for Twitter accounts. This can be done by using https://nitter.net/ACCOUNT/rss instead (or one of the public Nitter instances).nextcloud role, by enabling the spreed app under nextcloud_apps. If you want to keep using the rocketchat role, update requirements.yml (xsrv edit-requirements) and playbook.yml (xsrv edit-playbook) to use the archived nodiscc.toolbox.rocketchat role instead. Reasons for the deprecation can be found here.readme-gen command, make sure fact_caching_timeout is commented out in your project's ansible.cfg (xsrv edit-cfg) - or at least set to a large value like 86400, and that your project's README.md contains the markers <!-- BEGIN/END AUTOMATICALLY GENERATED CONTENT - README_GEN ROLE -->
Added:
matrix role - real-time, secure communication server and web clientreadme-gen command and role - generate a markdown inventory in the project's README.mdneedrestart_autorestart_cron)gitea_repo_indexer_enabled, gitea_repo_indexer_exclude)bash_timeout, default 900s)packages_install)Removed:
firewalld (use firewall instead)Changed:
files_videoplayer app [1]
lynis_report_regex)/var/log/wtmp does not become world-readable again after log rotationxsrv help-tags)Fixed:
Unfortunately something went wrong. We're trying to fix this. Reconnecting in...)kernel_proc_hidepid changes not being applied unless the host is rebootedcheck modeinterface_config.js
mongodb-database-tools
gitea_db_password
Upgrade procedure:
xsrv upgrade to upgrade roles/ansible environments to the latest releasepublic_keys/ directory from the root of your project directory, under the data/ directory.certificates/ directory from the root of your project directory, under the data/ directory.os_security_kernel_enable_core_dump from its default value in your hosts/groups configuration, rename it to kernel_enable_core_dump
*-graylog-ca.crt file from the public_keys/ directory to the data/certificates/ directory (create it if it does not exist)self_service_password_allowed_hosts from its default value in your host/groups configuration, update it to the new format (YAML list instead of a list of addresses separated by spaces):# old format
self_service_password_allowed_hosts: "10.0.0.0/8 192.168.0.0/16 172.16.0.0/12"
# new format
self_service_password_allowed_hosts:
- 10.0.0.0/8
- 192.168.0.0/16
- 172.16.0.0/12
Added:
xsrv open command (open the project directory in the default file manager)init-vm: add --dump option (display the VM XML definition after creation)nextcloud_loglevel/nextcloud_defaultapp)kernel_proc_hidepid: no/yes)shaarli_setup_python_client: no/yes) and export all shaarli data to a JSON file every hourwireguard_enable_service: yes/no)netdata_fping_alarms_silent: yes/no)apache_enable_service: yes/no
utils-autorestart tag (reboot hosts if required after a kernel update, will only run if the utils-autorestart tag is explicitly called)utils-samba-listusers tag (list samba users)Removed:
Changed:
config.php to the list of files to backup (may contain the encryption secret if encryption was enabled by the admin)self_service_password_allowed_hosts (use a YAML list instead of space-separated list)os_security_kernel_enable_core_dump -> kernel_enable_core_dump
vfat squashfs filesystems module by defaultdns_nameservers
custom.conf
init-vm-template: make the --template option optional, default to debian11-base
init-vm-template: make the --sudo-user option optional, default to deploy
init-vm/init-vm-template: clarify use of units M or G for --memory optionapt_key/apt_repository modules, install all APT keys in /usr/share/keyrings/
Fixed:
vfat module required by EFI bootmongodb-database-tools
192.168.0.0/16 to the internal zone by default, not just 192.168.0.0/24
init-vm-template: fix non-working options --sudo-password, --root-password, --sudo-user, --nameservers
init-vm: fix an issue where VMs would be created with 1MB of memory when --memory 1024 was usedinit-vm-template command not working unless xsrv self-upgrade had already been runSecurity:
jellyfin_allowed_hosts)kernel_enable_core_dump not having any effectUpgrade procedure:
xsrv self-upgrade to upgrade the xsrv scriptxsrv upgrade to upgrade roles/ansible environments to the latest releasegitea_enable_git_hooks: yes in the host configuration/vars file (xsrv edit-host)xsrv deploy to apply changesAdded:
xsrv init-vm-template command (create a libvirt Debian VM template, unattended using a preconfiguration file)apt_listbugs: yes/no)packages_install/remove)gitea_enable_git_hooks/webhooks)gitea_webhook_allowed_hosts)gitea_ssh_url_port)Removed:
setup_cli_utils and setup_haveged variables. Use packages_install/remove instead.Changed:
shaarli user account (don't use the default shared www-data user)httpcheck_web_service_unreachable), increase the timeout of the check to 3s/var/log/wtmp is not world-readableansible-core>=2.12/ansible>=6.0.0
Fixed:
sftponly user accounts when no groups are defined in the user definitionUpgrade procedure:
xsrv upgrade to upgrade roles/ansible environments to the latest releasexsrv deploy to apply changesFixed:
Upgrade procedure:
xsrv self-upgrade to upgrade the xsrv scriptxsrv upgrade to upgrade roles/ansible environments to the latest releaseapache role or equivalent is explicitly deployed to the host before deploying any of these roles.samba is deployed before jellyfin (xsrv edit-playbook)valheim_server role, update requirements.yml (xsrv edit-requirements) and playbook.yml (xsrv edit-playbook) to use the archived nodiscc.toolbox.valheim_server role instead.xsrv deploy to apply changesAdded:
mail_dovecot role - IMAP mailbox servernetdata_streaming_*)xsrv ssh subcommand (alias for shell)setup_users: yes/no)kernel_modules_blacklist), disable unused network/firewire modules by defaultapt_purge_nightly: yes/no)docker_iptables: no/yes)*_ldap_url)ldap_account_manager_ldaps_cert)samba_log_full_audit_success_events)shaarli_thumbnails_mode) and default number of links per page (shaarli_links_per_page, default 30)TAGS=utils-pgmetrics
xsrv help-tags will now parse tag descriptions from custom roles in roles/ in addition to collectionsiputils-ping package (ping utility)Removed:
Changed:
/dev and /dev/shm virtual filesystemsapache-access: in syslog when apache_access_log_to_syslog: yes
ssh:// and sftp:// URIshomepage_message
lynis_skip_tests)limits.conf configuration filecheck mode support, standardize task names, remove unused template files, make usage of ansible_facts consistent in all roles, clarify xsrv script, reorder functions by purpose/component, automate documentation generation, improve tests/release procedure, automate initial check mode/deployment/idempotence testsFixed:
init-project: fix inventory not correctly initializedxsrv shell/fetch-backups when a non-default XSRV_PROJECTS_DIR is specified by the userAcceptEnv and PermitUserEnvironment settings--tags=monitoring
samba_passdb_backend: ldapsam mode when openldap role is not part of the same playfetch-backups: use the first host in alphabetical order, when no host is specifiedsyslog_retention_days variableneedrestart_autorestart_services value not taken into account when true*_https_mode variable checksSecurity: