Debops

Latest version: v3.1.0

Safety actively analyzes 613777 Python packages for vulnerabilities to keep your Python projects secure.

Scan your dependencies

Page 1 of 3

3.1.0

-----------------------------

.. _debops v3.1.0: https://github.com/debops/debops/compare/v3.0.0...v3.1.0

Added
~~~~~

New DebOps roles
''''''''''''''''

- The :ref:`debops.metricbeat` role, part of the Elastic stack, can be used to
install `Metricbeat`__, a service that can gather metrics and other non-log
data from other services and send them to Elasticsearch for processing.

.. __: https://www.elastic.co/beats/metricbeat

- The :ref:`debops.opensearch` role can be used to set up an unsecured,
local-only installation of `OpenSearch`__. OpenSearch is a fork of
Elasticsearch that continues to be released under a free software license.

.. __: https://opensearch.org/

- The :ref:`debops.reboot` role can be used to reboot, forcefully or only if
required, any DebOps host.

- The :ref:`debops.miniflux` role can install and manage Miniflux, a web-based,
minimalistic feed reader written in Go.

- The :ref:`debops.systemd` role is included in the common playbook by default.
It configures the :command:`systemd` system and service manager. Both
system-wide, as well as user services configured globally can be managed with
this role.

- The :ref:`debops.networkd` role can be used to configure the
:command:`systemd-networkd` service, part of the :command:`systemd` project
responsible for network interface configuration.

- The :ref:`debops.timesyncd` role is used to configure the
:command:`systemd-timesyncd` service, a minimal SNTP/NTP client. The role is
included in the :file:`layer/common.yml` playbook instead of the
:ref:`debops.ntp` role to provide NTP support by default.

- The :ref:`debops.resolved` role is included in the :file:`layer/common.yml`
playbook by default, replacing the :ref:`debops.resolvconf` role. It manages
the :command:`systemd-resolved` service, a local DNS resolver.

- The :ref:`debops.bind` role is responsible for installing and managing the
ISC BIND nameserver. It supports DNSSEC, key rollovers, multiple DNS zones,
views and many more features.

- The :ref:`debops.apparmor` role can be used to manage AppArmor configuration
and profiles. It will be included in the :file:`layer/common.yml` playbook in
the future.

- The :ref:`debops.apt_mirror` role can be used to create a mirror of one or
multiple APT repositories and publish them for other hosts to use as package
source.

General
'''''''

- DebOps now includes a custom version of the
``community.general.apache2_module`` Ansible module, available as
``debops.debops.apache2_module``. The custom module includes a fixed
idempotency check for enabled Apache 2 modules that works on Debian or Ubuntu
hosts. The :ref:`debops.apache` Ansible role will use this module instead of
the original one.

- The :command:`debops exec` command can be used to execute Ansible modules
against hosts in the project directory; this is a wrapper for the
:command:`ansible` command.

- The :command:`debops run`, :command:`debops check` and :command:`debops exec`
commands can emit ASCII "bell" at the end of Ansible execution to notify user
after long runs. Use the ``-E`` or ``--bell`` option to enable this.

- The :command:`debops env` command can be used to inspect the runtime
environment variables present when other DebOps commands are used, as well as
execute external commands inside of that runtime environment. This is handy
for using various :command:`ansible-*` commands within DebOps project
directories.

- DebOps monorepo now includes configuration for the `pre-commit`__ hook to
verify changes before they are committed to the repository. Multiple checks
are performed, notably `codespell`__ is used to find spelling mistakes. More
checks will be enabled in the future.

.. __: https://pre-commit.com/
.. __: https://github.com/codespell-project/codespell

- New project directory layout called "modern" has been implemented in DebOps
scripts. It can be created using the command:

.. code-block:: console

debops project init -t modern <project>

The modern project layout supports multiple Ansible inventories encapsulated
into :ref:`infrastructure views <project_infrastructure_views>`.

- DebOps scripts now support management of the project directories using
:command:`git` as VCS repositories. New project directories will use
:command:`git` by default. This also enables support for secrets encrypted
using :command:`git-crypt`.

:ref:`debops.apt` role
''''''''''''''''''''''

- The role now supports management of the "Deb822" format of the APT repository
sources.

:ref:`debops.avahi` role
''''''''''''''''''''''''

- The role will ensure that the :command:`systemd-resolved` service Multicast
DNS support is disabled to avoid conflict with the :command:`avahi-daemon`
service.

:ref:`debops.ferm` role
'''''''''''''''''''''''

- Multicast DNS traffic is accepted by default in the firewall to allow for the
``.local`` mDNS domain resolution by the :command:`systemd-resolved` service.
The role provides a set of variables to limit the traffic by subnet, or
disable it completely.

:ref:`debops.icinga_web` role
'''''''''''''''''''''''''''''

- The role can now create host and service templates using Icinga Director API.
This should improve the initial deployment experience, since users don't need
to create basic host templates by hand before registering hosts in Icinga.

:ref:`debops.ipxe` role
'''''''''''''''''''''''

- The Debian Installer Menu can now install Debian GNU/Linux 12 (Bookworm).

:ref:`debops.java` role
'''''''''''''''''''''''

- The role will now configure the default security policy for Java
applications. The additions will permit Java applications to access the
system-wide CA certificate store in :file:`/etc/ssl/certs/` directory as well
as the PKI infrastructure managed by the :ref:`debops.pki` role, so that Java
applications can use the existing X.509 certificates and private keys for TLS
encryption support.

:ref:`debops.keyring` role
''''''''''''''''''''''''''

- The role can now download APT repository GPG keys to separate keyring files,
which can be used to scope a given GPG key to specific APT repositories.

:ref:`debops.kibana` role
'''''''''''''''''''''''''

- The role can now manage passwords and other confidential data stored in the
Kibana keystore.

:ref:`debops.mount` role
''''''''''''''''''''''''

- The role can now create custom files which can be used to store credentials
required to mount remote devices.

:ref:`debops.netbox` role
'''''''''''''''''''''''''

- The role will enable LDAP support in NetBox if LDAP environment managed by
the :ref:`debops.ldap` role is detected on the host. Currently only user
authentication and Django ACL system is supported via LDAP groups.

:ref:`debops.nginx` role
''''''''''''''''''''''''

- The server configuration files can now contain :command:`nginx` configuration
outside of the ``server`` and ``upstream`` blocks using the new
``item.toplevel_options`` parameter.

:ref:`debops.owncloud` role
'''''''''''''''''''''''''''

- Support to host the application on a subpath for security reasons.

:ref:`debops.python` role
'''''''''''''''''''''''''

- The :file:`service/python_raw` playbook used during early bootstrap process
can now inject host entries into the :file:`/etc/hosts` configuration file to
permit DNS name resolution early during bootstrapping.

:ref:`debops.resources` role
''''''''''''''''''''''''''''

- The :ref:`debops.resources` role can now be used to install pip library
dependencies or virtual environments via the ``ansible.builtin.pip``
module.

- The :ref:`debops.resources` role can now be used to replace a line via the
``ansible.builtin.replace`` module.

:ref:`debops.slapd` role
''''''''''''''''''''''''

- The playbook can now be configured to skip the saslauthd role execution.

:ref:`debops.zabbix_agent` role
'''''''''''''''''''''''''''''''

- The role now supports management of Zabbix Agent (written in C) as well as
Zabbix Agent 2 (written in Go), available in Debian repositories. Only one
flavor can be managed at a time, but role provides an easy way to switch
between the two flavors.

Changed
~~~~~~~

Updates of upstream application versions
''''''''''''''''''''''''''''''''''''''''

- In the :ref:`debops.roundcube` role, the Roundcube version installed by
default has been updated to ``1.6.0``.

- In the :ref:`debops.ipxe` role, the Debian Buster netboot installer version
has been updated to the next point release, 10.13. Debian Bullseye has been
updated to the next point release as well, 11.8. The Debian Bookworm release
has been updated to 12.2.

- In the :ref:`debops.netbox` role, the NetBox version has been updated to
``v3.4.2``.

- In the :ref:`debops.owncloud` role, the ownCloud support has been updated to
``v10.10``.

- In the :ref:`debops.owncloud` role, the Nextcloud support has been updated to
``v24.0`` and ``v25.0``.

General
~~~~~~~

- Tasks which use modules and plugins from the ``ansible.builtin`` Ansible
Collection have been updated to refer to them via their Fully Qualified
Collection Names (for example ``ansible.builtin.file`` instead of ``file``).
This is due to changing requirements of the :command:`ansible-lint` tool.

New submissions to the DebOps project will be required to use the FQCNs as
well.

- Various roles that lookup SSH public keys on the Ansible Controller
(:ref:`debops.preseed`, :ref:`debops.reprepro`, :ref:`debops.system_users`)
will try to use the :file:`~/.ssh/authorized_keys` file to find the keys if
all other methods fail.

- In the :file:`site.yml` playbook, the :file:`sys.yml` and :file:`net.yml`
playbooks will be executed before the :file:`common.yml` playbook. This
should ensure that configuration of certain resources like mount points or
LVM pools is present before the system is prepared for general operation.

- The :file:`ansible/playbooks/tools/reboot.yml` Ansible playbook has been
moved to :file:`ansible/playbooks/reboot.yml` file and uses the new
:ref:`debops.reboot` Ansible role to perform operations. To use it, you can
run the ``reboot`` playbook instead of ``tools/reboot``.

- The :file:`ansible/playbooks/tools/upgrade-reboot.yml` Ansible playbook has
been moved to :file:`ansible/playbooks/upgrade.yml` file and will no longer
reboot the host automatically. Users can chain the ``upgrade`` and ``reboot``
playbooks to achieve the previous behaviour, for example:

.. code-block:: console

debops run upgrade reboot -l <host>

- The debops-contrib :file:`dropbear_initramfs` playbook has been moved to
the :ref:`debops.dropbear_initramfs` playbook. The role variable
``dropbear_initramfs__host_authorized_keys`` now uses the same keys as
the ``ansible.posix.authorized_key`` module.

- Various tasks that interact with the MariaDB/MySQL databases will now use the
:file:`/run/mysqld/mysqld.sock` UNIX socket to do so, due to changes in
MariaDB restricting local connections for the ``root`` UNIX account.

- The HTML documentation build process has been improved. The
:command:`yaml2rst` script will be invoked only when a defaults file is
modified, significantly speeding up documentation rebuilds. Users can also
modify the :command:`sphinx` options specified in the Makefile via an
environment variable if they wish.

- The :file:`ansible/playbooks/tools/dist-upgrade.yml` Ansible playbook now has
MTA configuration exposed via variables in case the mail should be sent via
a remote server instead of a local one.

- DebOps playbooks have been reorganized to not use a large set of symlinks
inside of the repository. Instead different sections of the :file:`site.yml`
playbook have been organized into "layers", new playbooks are located under
the :file:`ansible/playbooks/layers/` subdirectory. See the new
:ref:`playbooks` documentation for more details.

- The new :ref:`debops.timesyncd` role has replaced the :ref:`debops.ntp` role
as the default NTP service provider in the :file:`layer/common.yml` playbook.
Existing hosts shouldn't be affected - the new role can automatically
recognize that a different time daemon package is installed on the host and
will not try to configure :command:`systemd-timesyncd` service in such case.
You might need to add your hosts to the ``[debops_service_ntp]`` Ansible
inventory group to keep using the old role.

- The new :ref:`debops.resolved` role has replaced the :ref:`debops.resolvconf`
role as the default DNS resolver in the :file:`layer/common.yml` and the
bootstrap playbooks. Existing hosts shouldn't be affected, the role detects
presence of the ``resolvconf`` APT package and does not modify the host
configuration in such case.

- Multiple DebOps Collections on Ansible Galaxy have been merged into a single
``debops.debops`` Collection to prepare the project to switch role references
to FQCNs. This is also a test to see if Ansible Galaxy allows >2 MB
collection tarballs.

- The :command:`debops config` command has been refactored and split into
multiple subcommands to allow easier configuration introspection. See
:ref:`it's documentation page <cmd_debops-config>` for more details.

- The Debian 12 (Bookworm) has been released! Multiple DebOps roles have been
updated and switched the "stable" release to Bookworm, with Bullseye becoming
the "oldstable" release. The new Debian Testing release, "Trixie" has also
been added in relevant places.

- DebOps now supports using :command:`git` in project directories - new
projects will be initialized as :command:`git` repositories by default. The
:command:`git-crypt` command is also supported, and can encrypt project
secrets.

:ref:`debops.apt` role
''''''''''''''''''''''

- The role will configure APT to use Debian Security repositories via the
http://deb.debian.org/debian-security/ CDN.

- The role has been refreshed and management of the
:file:`/etc/apt/sources.list` file was redesigned to allow for better
flexibility in configuration. See role documentation for more details.

:ref:`debops.apt_preferences` role
''''''''''''''''''''''''''''''''''

- The pin priorities for the Debian ``-updates`` and ``-security`` APT
repositories have been raised to 550 to match the raised priority of the
primary repository. This should ensure that when the custom pin priorities
are active, updates to Debian packages are correctly installed as well. See
:envvar:`apt_preferences__debian_stable_default_preset_list` variable for
details.

:ref:`debops.docker_server` role
''''''''''''''''''''''''''''''''

- The role can now directly handle the daemon ``log-driver`` parameter.

- The role has been redesigned from scratch; Python :command:`virtualenv`
support has been removed since the :command:`docker-compose` is included in
Debian repositories directly, or is implemented as a Go plugin in upstream
repositories. The Docker configuration is now implemented via the
:ref:`universal_configuration` system, users will have to modify their
Ansible inventories. See the role documentation for details.

:ref:`debops.elasticsearch` role
''''''''''''''''''''''''''''''''

- The role will check the status of the built-in user accounts via the HTTP API
instead of relying on the Ansible local facts and create them if they don't
exist. This should help with an upgrade of existing Elasticsearch clusters
without TLS encrypted traffic and authentication.

:ref:`debops.gitlab` role
'''''''''''''''''''''''''

- The role has been rewritten from scratch and now can be used to deploy and
manage a `GitLab Omnibus`__ instance (managed internally by Chef) on Debian
or Ubuntu hosts. The role integrates with various DebOps services (firewall,
PKI infrastructure, LDAP environment) with GitLab Omnibus. Both Community
Edition (default) and Enterprise Edition are supported.

.. __: https://docs.gitlab.com/omnibus/

:ref:`debops.global_handlers` role
''''''''''''''''''''''''''''''''''

- The :command:`systemd` handlers have been moved to a separate
:file:`handlers/systemd.yml` configuration file.

:ref:`debops.icinga` role
'''''''''''''''''''''''''

- New hosts will be added to Icinga Director using the ``icinga-agent-host``
template, created by default by the :ref:`debops.icinga_web` role. On
existing installations, you should either create this template by hand, or
run the :ref:`debops.icinga_web` role so that it gets added automatically.

:ref:`debops.icinga_db` role
''''''''''''''''''''''''''''

- The role will manage Icinga databases directly instead of relying on
:command:`dbconfig` Debian subsystem. This improves support for remote Icinga
database deployments accessible over TLS.

:ref:`debops.icinga_web` role
'''''''''''''''''''''''''''''

- The LDAP configuration used by the role to configure LDAP access will be
based on the :ref:`debops.ldap` Ansible local facts instead of static values,
to better support modified environments.

:ref:`debops.influxdata` role
'''''''''''''''''''''''''''''

- InfluxData has published a new APT repository GPG key, the role should
refresh it automatically.

:ref:`debops.minio` role
''''''''''''''''''''''''

- The role has been updated to support newer MinIO features, like the embedded
MinIO Console. Some of the instance parameters have been changed, for example
access key and secret key have been replaced with root account and password.
Check the role documentation for more details.

:ref:`debops.nginx` role
''''''''''''''''''''''''

- Configure the :file:`nginx.service` systemd unit to start the
:command:`nginx` service after the network is configured. This way
:command:`nginx` should be able to resolve upstream services specified via
DNS names at startup.

:ref:`debops.ntp` role
''''''''''''''''''''''

- The default NTP daemon used on hosts with the :command:`systemd` service
manager will be :command:`systemd-timesyncd`. Existing systems with
a different NTP server should not be affected by this change.

- The role should better detect Linux Container environment and not try to
install an NTP daemon inside of a container.

:ref:`debops.pki` role
''''''''''''''''''''''

- The :command:`pki-realm` script will call the :command:`certbot` command with
the :command:`certbot --authenticator <plugin>` option explicitly to allow
use with third-party authenticator plugins that might not support the
:command:`certbot --<plugin>` syntax.

:ref:`debops.preseed` role
''''''''''''''''''''''''''

- The default guided partition recipe used by the Debian Installer is changed
from ``atomic`` to ``multi``. This should allow for easier changes in the
partition layout via LVM due to separate partitions for :file:`/home` and
:file:`/var` mount points.

:ref:`debops.proc_hidepid` role
'''''''''''''''''''''''''''''''

- The role will check if PolicyKit is installed on the host, in which case the
default security level for access to the :file:`/proc` filesystem will be
more permissive.

:ref:`debops.python` role
'''''''''''''''''''''''''

- The role will enable Python 2.7 support via the fact script only when an
existing Python 2.7 installation is detected. This change should help avoid
installing Python 2.7 packages on newer OS releases when they might be
unavailable.

- The :file:`/etc/pip.conf` configuration file template can be overridden via
the DebOps template override mechanism.

:ref:`debops.resolvconf` role
'''''''''''''''''''''''''''''

- In the :ref:`debops.resolvconf` role, you can now write a fully static
:file:`/etc/resolv.conf` file without the ``resolvconf`` package.

:ref:`debops.slapd` role
''''''''''''''''''''''''

- The default log level used by OpenLDAP has been changed from ``stats`` to
``none`` to minimize log output in large environments. This can be modified
using Ansible inventory in case that the authentication, accounting or search
metrics are needed.

:ref:`debops.sshd` role
'''''''''''''''''''''''

- The management of the :file:`/etc/ssh/sshd_config` configuration file has
been redesigned and now uses :ref:`universal_configuration`. Multiple default
variables have been removed as a result. Any changes in configuration applied
through Ansible inventory might need to be converted to the new format. Check
the changes on existing hosts before applying new configuration.

:ref:`debops.system_users` role
'''''''''''''''''''''''''''''''

- The role will check remote user databases for local admin information using
the :command:`getent passwd` command if the user has not been found in the
:file:`/etc/passwd` local database.

Fixed
~~~~~

General
'''''''

- Extrepo facts file did not detect a disabled repository as being disabled
due to a change in the extrepo file format.

- Ensure that the custom Ansible plugins included in DebOps are present in the
Ansible Collection build from the DebOps repository.

- Provide a help message in case the :file:`ansible.cfg` configuration file in
the DebOps project directory does not include the ``inventory`` option.

- Fixed an issue with custom Ansible plugins not working in "standalone" mode
without the DebOps scripts installed on Ansible Controller.

- The ``warn`` parameter in the ``shell`` and ``command`` Ansible modules has
been removed in Ansible 2.14. It has been removed in various DebOps roles to
allow playbook execution to work correctly.

- Fixed all password lookups which used ``chars=ascii`` instead of
``chars=ascii_letters``. This resulted in passwords which only contained the
letters a,c,i,s instead of all lowercase and uppercase ASCII letters. Because
all occurrences of this bug at least also included all digits in the character
set and the password length was at least 20 characters, this did not result
in weak passwords.

- The ``ipaddr`` Ansible filter and its aliases used in various roles were
renamed to ``ansible.utils.ipaddr`` and its corresponding alias names because
Ansible requires use of FQCNs in filters. The ``ansible.utils`` Ansible
Collection is now a dependency of the DebOps Collection.

- The :command:`debops run` and :command:`debops check` commands should now
correctly recognize options of the :command:`ansible-playbook` command which
don't expect arguments and expand playbook names specified after them.

:ref:`debops.apt` role
''''''''''''''''''''''

- In the fact script, parse the ``deb-src`` configuration entries before
``deb`` entries to ensure that there are no duplicates.

- The role no longer defaults to the ``ansible_local.core.distribution`` and
``ansible_local.core.distribution_release`` local facts for determining the
Linux distribution and the distribution release, respectively. These facts
were set later in the common playbook, meaning that the role would restore
the previous distribution release in ``/etc/apt/sources.list`` after a
distribution upgrade.

debops.boxbackup role
'''''''''''''''''''''

- The role is not included in the DebOps Collection on Ansible Galaxy,
therefore its playbook is no longer included in the main :file:`site.yml`
playbook. This fixes an issue with Ansible stopping the site playbook
execution when it cannot find the ``boxbackup`` role in the Collection.

:ref:`debops.core` role
'''''''''''''''''''''''

- Ensure that the ``ansible_controllers`` fact can be reset using the
:envvar:`core__remove_facts` variable to avoid infinitely growing list of
Ansible Controllers.

:ref:`debops.cron` role
'''''''''''''''''''''''

- Fixed the order of job parameters applied by the role - now parameters from
a specific job will override parameters specified for all jobs in a given
configuration entry.

:ref:`debops.dnsmasq` role
''''''''''''''''''''''''''

- Fixed service configuration mistake when DHCPv6 mode is set to an empty
string. The configuration template should take this into account and add
a correct separator (or omit it) in the generated configuration file.

:ref:`debops.dovecot` role
''''''''''''''''''''''''''

- The role's PKI hook script still referenced an old configuration file that
was no longer being managed by :ref:`debops.dovecot` since the role redesign,
resulting in the hook script failing to reload dovecot after a certificate or
DH param change.

:ref:`debops.elasticsearch` role
''''''''''''''''''''''''''''''''

- The internal Java security policy used by Elasticsearch will be configured
only on Elasticsearch v7.x+ versions. Before them, Elasticsearch used the
global Java security policy.

:ref:`debops.environment` role
''''''''''''''''''''''''''''''

- Fixed issues with preserving environment variables across multiple role
executions.

:ref:`debops.etc_aliases` role
''''''''''''''''''''''''''''''

- Don't save dependent recipients on Ansible Controller if they are not
defined. This should avoid creating unnecessary files in AWX job containers.

:ref:`debops.ferm` role
'''''''''''''''''''''''

- Don't include additional '{' or '}' characters in certain rules when the
``domain_args`` parameter is specified.

- Fixed an issue in the rule template that caused a templating type error where
Jinja expected a string but found an int value instead.

:ref:`debops.gitlab_runner` role
''''''''''''''''''''''''''''''''

- Fixed an error that could occur in the "Patch 'vagrant-libvirt' source code"
task on systems other than Debian 9 or 10. The patch is not required since
the ``vagrant-libvirt`` v0.1.0 package.

:ref:`debops.grub` role
'''''''''''''''''''''''

- The :command:`grub` user passwords will be passed for encryption using
a temporary file stored in the :file:`secret/` directory on the Ansible
Controller instead of directly on the command line, to avoid leaks through
the process list.

:ref:`debops.ifupdown` role
'''''''''''''''''''''''''''

- The interface names used in scripts will be escaped using the
:command:`systemd-escape` tool. This should fix problems with control over
network interfaces which contain the hyphen character(s).

:ref:`debops.kibana` role
'''''''''''''''''''''''''

- The role will use the correct path of the Kibana keystore depending on the
installed version (versions <7.0.0 keep the keystore in the
:file:`/var/lib/kibana/` directory; newer versions use the
:file:`/etc/kibana/` directory).

- The role will use different user account depending on Kibana version (either
``kibana``, or ``kibana_system`` used in newer installations of
Elasticsearch). Depending on your installed version, you should check the
:envvar:`kibana__elasticsearch_username` to verify that the correct account
is used for access to Elasticsearch.

- The role will include the ``server.publicBaseUrl`` parameter depending on
Kibana version, to avoid failures on older Kibana installations.

:ref:`debops.ldap` role
'''''''''''''''''''''''

- Fixed an issue with the role passing IP and MAC addresses to the LDAP
directory as a nested YAML list which resulted in a wrong attribute values.

- Fixed an issue with role parsing the already parsed Ansible facts to extract
IP/CIDR information which resulted in wrong output in certain cases. The role
will now implicitly trust the Ansible facts to be correct when adding IP and
prefix details to the LDAP database.

:ref:`debops.libvirtd` role
'''''''''''''''''''''''''''

- Fixed ``qemu-kvm`` package installation logic; the KVM packages should now be
handled correctly on Debian Bullseye and newer releases.

:ref:`debops.logrotate` role
''''''''''''''''''''''''''''

- Fixed formatting in the :file:`/etc/logrotate.conf` configuration file to
avoid adding :command:`vim` fold markers from the DebOps role defaults.

:ref:`debops.lxc` role
''''''''''''''''''''''

- Fixed name of the ``vfs_root`` parameter in the call to the
``community.general.lxc_container`` Ansible module, which was renamed to
``zfs_root``.

:ref:`debops.netbase` role
''''''''''''''''''''''''''

- In the fact script, don't use ``in`` for matching IP addresses and DNS names
where substring matching is undesirable.

:ref:`debops.netbox` role
'''''''''''''''''''''''''

- Using boolean variables in :envvar:`netbox__config_plugins_config` for
example resulted in an error because the role used the ``to_nice_json``
Jinja2 filter internally to render Python configuration.
This is fixed for all uses of ``to_nice_json``

:ref:`debops.ntp` role
''''''''''''''''''''''

- Fix an issue where the role tried to manage the :command:`systemd-timesyncd`
service without it actually being present on the host. This should now be
avoided by carefully checking the service status.

- The role will not try to purge installed NTP daemon packages when it is
disabled through Ansible inventory.

:ref:`debops.owncloud` role
'''''''''''''''''''''''''''

- Access to static assets was not logged regardless of the
``owncloud__nginx_access_log_assets`` setting.

- Access to the ``/remote`` URI path was not configured in Nginx as proposed in
the upstream Nginx example in the Nextcloud docs.

:ref:`debops.pdns` role
'''''''''''''''''''''''

- On pdns installations with version >= 4.5.0 (e.g. on Bookworm systems), the
role would cause a syntax error on the local-address configuration option.

:ref:`debops.pki` role
''''''''''''''''''''''

- After the :command:`certbot` script performs a certificate renewal operation,
a deploy hook will update the PEM chains in a given PKI realm
:file:`private/` directory to include the new private key created by the
:command:`certbot` script.

- Fixed an issue where when a PKI realm was initialized for ACME/Let's Encrypt
support, second level domains were not included in the generated X.509
certificate request.

- Use :command:`openssl x509 -inform PEM` command to explicitly check for
a PEM-formatted X.509 certificate file because the old :command:`openssl x509
-in` option was changed to work with both DER and PEM files. This should fix
an issue with Let's Encrypt certificate chains containing a DER-formatted
certificate inside of them.

Users will need to remove existing PKI realms which use ACME/Let's Encrypt CA
for the :command:`pki-realm` script to rebuild the certificate chain
correctly. After that re-run the :ref:`debops.pki` role on the host to
re-create che realms.

:ref:`debops.postconf` role
'''''''''''''''''''''''''''

- The EHLO IP address check was removed. This check would reject a message if
the EHLO hostname of the connecting mailserver resolved to a non-publicly
routable IP address. However, rejecting messages for this reason is
prohibited by :rfc:`5321` section 4.1.4, and sometimes caused deliverability
issues for Office 365 users.

:ref:`debops.preseed` role
''''''''''''''''''''''''''

- Fixed an issue with the ``d-i`` keyboard preseed that resulted in the
``keyboard-configuration`` APT package not being installed and configured
correctly. The default keymap is changed to ``us`` and the option is no
longer based on the system language which might be incorrect in this case.

:ref:`debops.proc_hidepid` role
'''''''''''''''''''''''''''''''

- The fact script has been optimized for environments with large UNIX group
databases, for example connected to ActiveDirectory domains.

:ref:`debops.prosody` role
''''''''''''''''''''''''''

- The ``prosdoy__pki_realm_path`` variable has been renamed to
:envvar:`prosody__pki_realm_path` to fix the typo in the variable name. You
might need to update your inventory in this case so that the role gets
correct value.

:ref:`debops.python` role
'''''''''''''''''''''''''

- In the fact script, correctly parse the subprocess output to find out the
version of installed Python executables.

:ref:`debops.resolvconf` role
'''''''''''''''''''''''''''''

- Fixed an issue where the custom hook script did not add static
:command:`resolvconf` configuration after host was rebooted, when the
:file:`/run/resolvconf/` path did not exist. It will be created automatically
if not found.

:ref:`debops.roundcube` role
''''''''''''''''''''''''''''

- Locked ``johndoh/contextmenu`` plugin to version 3.2.1 for Roundcube < 1.5
due to compatibility issues.

:ref:`debops.secret` role
'''''''''''''''''''''''''

- Fixed an issue with the :envvar:`secret` variable not being defined in other
roles in newer Ansible versions.

:ref:`debops.sshd` role
'''''''''''''''''''''''

- The role will now correctly handle hosts where :command:`sshd` is launched
via :command:`systemd` socket activation mechanism.

:ref:`debops.sudo` role
'''''''''''''''''''''''

- The fact script will check :command:`sudo` version using the :command:`dpkg`
command to avoid running :command:`sudo` on each Ansible fact gathering. This
proved problematic when LDAP support is enabled and the LDAP directory is not
available for any reason - :command:`sudo` tries to connect to the directory
and times out, slowing Ansible run into a crawl.

:ref:`debops.sysctl` role
'''''''''''''''''''''''''

- Fixed an issue in the configuration template that caused a templating type
error where Jinja expected a string but found an int value instead.

- The :file:`protect-links.conf` configuration file has been renamed to
:file:`99-protect-links.conf` file in Debian Bookworm; this is handled
conditionally in the role configuration. Users might need to remove the
:file:`/etc/sysctl.d/protect-links.conf` file generated by the role manually
on existing installations to fix this issue.

Removed
~~~~~~~

General
'''''''

- Support for end-of-life Debian and Ubuntu releases has been removed from
Ansible roles included in the DebOps project. The releases dropped are:
"Debian Wheezy", "Debian Jessie", "Ubuntu Precise Pangolin". The support is
still available in stable DebOps releases up to v3.0.x if needed.

- Federated Learning of Cohorts opt-out in the :ref:`debops.apache` and
:ref:`debops.nginx` roles has been removed. Google `abandoned the feature`__
in favor of Topics API in web browsers.

.. __: https://blog.google/products/chrome/get-know-new-topics-api-privacy-sandbox/

- The :command:`debops project status` subcommand has been removed. Its
functionality is now incorporated within the DebOps configuration tree
accessible using the :ref:`cmd_debops-config` command.

- The :command:`debops-api` code and Ansible role has been removed from the
project, since it's not relevant anymore after separate :command:`git`
repositories were merged into a monorepo.

:ref:`debops.apt_install` role
''''''''''''''''''''''''''''''

- The ``ranger`` APT package will not be installed by default. The ``mc``
package can be used as an alternative. Or you can consider installing
``nnn``.

:ref:`debops.owncloud` role
'''''''''''''''''''''''''''

- Drop ownCloud full auto upgrade support. Was never fully supported. Strategy
of Nextcloud is Docker to provide auto upgrades. DebOps will not provide a
custom solution.

3.0.0

-----------------------------

.. _debops v3.0.0: https://github.com/debops/debops/compare/v2.3.0...v3.0.0

Added
~~~~~

New DebOps roles
''''''''''''''''

- The :ref:`debops.minidlna` role configures the MiniDLNA service that can be
used to provide media (video, music, images) to other devices on the local
network that support the DLNA protocol.

- The :ref:`debops.pdns` role manages the `PowerDNS Authoritative Server`__,
which is an authoritative DNS server with support for DNSSEC, DNS UPDATE,
geographical load balancing, and storing zone data and metadata in one or
more backends like relational databases, LDAP databases, and plain text
files.

.. __: https://www.powerdns.com/auth.html

- The :ref:`debops.telegraf` role can be used to install and manage the
`Telegraf`__ metrics server, which can send data to various other services.

.. __: https://www.influxdata.com/time-series-platform/telegraf/

- The :ref:`debops.lldpd` role provides support for managing and configuring
the :command:`lldpd` service, which can be used to locate other network
devices connected to a given host using the Link-Layer Discovery Protocol.
The role is included in the :file:`common.yml` playbook by default.

- The :ref:`debops.zabbix_agent` role can install and configure Zabbix Agent,
used for monitoring and metrics.

- The :ref:`debops.keepalived` role can be used to install and manage
:command:`keepalived` daemon, a lightweight load balancing and high
availability service.

- The :ref:`debops.rspamd` role can be used to install `rspamd`__ service, an
anti-spam mail filter. The role automatically integrates with the
:ref:`debops.postfix` role to provide anti-spam support.

.. __: https://rspamd.org/

- The :ref:`debops.imapproxy` role can install and configure the IMAP Proxy
service, useful for web mail applications that use IMAP to access the mail
services.

General
'''''''

- New Jinja filters ``from_toml`` and ``to_toml`` are available to DebOps
roles, provided using a custom Ansible plugin. The filters require the
``toml`` Python package to be installed on the Ansible Controller.

- New Ansible custom lookup plugin ``dig_srv`` can be used in Ansible variables
and tasks to simplify DNS SRV record parsing. The plugin can retrieve an
existing SRV record or if none is found, fall back to a predefined default
values for the hostname and port.

- A new Ansible tag, ``meta::facts`` has been added in all DebOps roles to the
tasks that install Ansible local facts. This can be useful during initial
provisioning to avoid issues with Ansible ``--check`` mode when certain
configurations depend on the presence of the local facts to gather details
from the remote hosts.

:ref:`debops.apt` role
''''''''''''''''''''''

- The role can now enable additional Debian architectures on a given host,
which allows for `Multiarch`__ installations.

.. __: https://wiki.debian.org/Multiarch/HOWTO

- You can now purge specific APT packages along with their configuration and
unused dependencies. This might be useful during bootstrap or provisioning
process to remove unused or conflicting services installed by the provider.

- The role can now configure :file:`/etc/apt/auth.conf.d/` configuration files
to enable access to restricted APT repositories that require HTTP Basic
Authentication.

:ref:`debops.dokuwiki` role
'''''''''''''''''''''''''''

- The role now provides a set of variables and tasks which can be used to add
or remove custom files in the DokuWiki installation, useful in certain
setups.

:ref:`debops.elasticsearch` role
''''''''''''''''''''''''''''''''

- In a cluster deployment on hosts with PKI environment configured, the role
will automatically enable the X-Pack plugin and configure TLS encryption for
HTTP client and inter-cluster communication.

- Elasticsearch user accounts and role definitions can be managed via Ansible
using the API access, when the encrypted communication and X-Pack plugin is
enabled. The role will initialize a set of built-in user accounts in the
Elasticsearch cluster automatically.

:ref:`debops.ferm` role
'''''''''''''''''''''''

- The ``arptables`` and ``ebtables`` APT packages will be installed by default.
This is needed so that various alternatives for :command:`iptables` backends
can be correctly synchronized.

:ref:`debops.keyring` role
''''''''''''''''''''''''''

- The role can now configure :file:`/etc/apt/auth.conf.d/` configuration files
to enable access to restricted APT repositories that require HTTP Basic
Authentication.

:ref:`debops.kibana` role
'''''''''''''''''''''''''

- If the username and password for connection to the Elasticsearch service are
provided, the role will configure Kibana to use TLS encryption for
communication with the Elasticsearch cluster, based on the PKI environment
managed by the :ref:`debops.pki` Ansible role.

:ref:`debops.libvirtd` role
'''''''''''''''''''''''''''

- The role will now install UEFI firmware for amd64 VMs, alongside traditional
BIOS.

:ref:`debops.lvm` role
''''''''''''''''''''''

- The role can now manage `LVM Thin Pool Logical Volumes`__.

.. __: https://man7.org/linux/man-pages/man7/lvmthin.7.html

- It is now possible to apply custom options to :ref:`lvm__thin_pools` and
:ref:`lvm__logical_volumes`.

:ref:`debops.lxc` role
''''''''''''''''''''''

- The role can define a list of SSH identities added to the ``root`` UNIX
account in new LXC containers by default. This can be used to grant multiple
system administrators access to the containers.

:ref:`debops.netbase` role
''''''''''''''''''''''''''

- The :man:`hosts(5)` database FQDN entries defined as strings will
automatically create hostname aliases when the role uses a template to
generate the :file:`/etc/hosts` database.

:ref:`debops.nginx` role
''''''''''''''''''''''''

- The role can be used in "config-only" mode where the :command:`nginx`
packages are not installed but are expected to be present and in
configuration compatible with DebOps.

- The :command:`nginx` server can now be configured to send logs to the
:command:`syslog` service via a :file:`/dev/log` UNIX socket, instead of
storing them in separate configuration files.

:ref:`debops.pki` role
''''''''''''''''''''''

- The role gained support for `Certbot`__ tool as an alternative to
:command:`acme-tiny` script. Certbot provides `Lets' Encrypt DNS-01
challenge`__ functionality with wildcard and internal certificates. See role
documentation for more details.

.. __: https://certbot.eff.org/
.. __: https://letsencrypt.org/docs/challenge-types/#dns-01-challenge

:ref:`debops.rsyslog` role
''''''''''''''''''''''''''

- It is now possible to override the default ``netstream_driver``,
``driver_mode`` and ``driver_authmode`` parameters in every
:ref:`rsyslog__ref_forward` forwarding rule.

:ref:`debops.sshd` role
'''''''''''''''''''''''

- The ``sshd__ferm_interface`` variable can now be used to limit access to SSH
via the host firewall based on interface.

:ref:`debops.slapd` role
''''''''''''''''''''''''

- The `SCHema for ACademia`__ (schac) LDAP schema has been added to the role to
provide more LDAP attributes and object classes useful in university
environments.

.. __: https://wiki.refeds.org/display/STAN/SCHAC

:ref:`debops.sysctl` role
'''''''''''''''''''''''''

- The ``systemd`` Debian package in Debian Bullseye provides
a :command:`sysctl` configuration file which increases the maximum number of
PIDs allowed by the kernel. The role will create a "masked" configuration
file to ensure that :command:`sysctl` configuration works in LXC containers,
where the ``kernel.pid_max`` parameter will be commented out since it cannot
be modified from inside of a container. On hardware and VM hosts the
configuration will be applied as expected.

Changed
~~~~~~~

Updates of upstream application versions
''''''''''''''''''''''''''''''''''''''''

- In the :ref:`debops.ipxe` role, the Debian Buster netboot installer version
has been updated to the next point release, 10.11. Debian Bullseye has been
updated to the next point release as well, 11.2.

Debian 11 (Bullseye) has been released. The :ref:`debops.ipxe` role will now
prepare a netboot installer with this release and set Bullseye as the default
Stable installation option.

- The :file:`lxc_ssh.py` Ansible connection plugin has been updated to include
latest changes and bugfixes.

- The Elastic APT repository configured on new installations by
:ref:`debops.elastic_co` has been updated to version 7.x. Updating the
repository configuration on existing hosts requires that you manually update
the local facts or to set the ``elastic_co__version`` variable to '7.x' before
running the playbook.

- In the :ref:`debops.netbox` role, the NetBox version has been updated to
``v3.1.6``. Note that you need ``v2.11.0`` or later to upgrade to ``v3.0``.

- The Icinga Web 2 modules installed by :ref:`debops.icinga_web` have been
updated to their latest versions. A quick database migration is needed after
updating to get Director to work again. Just click the database migration
button on the 'Icinga Director' -> 'Activities log' page.

- In the :ref:`debops.roundcube` role, the Roundcube version installed by
default has been updated to ``1.4.13``.

- Drop Nextcloud 20 and 21 support because they are EOL. You need to upgrade
Nextcloud manually if you are running version 21 or below. The role now
defaults to Nextcloud 22 for new installations.

- In the :ref:`debops.wpcli` role, the WpCli version has been updated to
``2.5.0``. ``2.3.0`` and ``2.4.0`` can be installed by changing ``wpcli__version``

General
'''''''

- DebOps tasks that import local SSH keys will now recognize FIDO U2F security
keys used via the SSH agent.

- The APT configuration by the :ref:`debops.apt` and :ref:`debops.apt_proxy`
roles in the :file:`common.yml` playbook has been moved to a separate play to
ensure feature parity with the bootstrap playbooks.

- The :command:`debops` Python scripts have been completely rewritten and
reorganized. The UI has been redesigned to use subcommands rather than
separate scripts. This pans the way for easy extension of the script
functionality in the future and improvements for various tasks done on the
Ansible Controller.

- The DebOps monorepo can now be used as an "Ansible Collection" when path to
the :file:`ansible/collections/` subdirectory inside of the :command:`git`
repository is specified in the `collections_paths`__ variable in the Ansible
configuration file.

.. note:: The roles and plugins included in DebOps are not yet fully
compatible with the Collection system. They will be converted at
a later time.

.. __: https://docs.ansible.com/ansible/latest/reference_appendices/config.html#collections-paths

- The base Docker image used by DebOps Dockerfile has been changed from
``debian:buster-slim`` to ``debian:bullseye-slim``. The Dockerfile has been
updated to build and install DebOps from the monorepo instead of installing
a release from PyPI.

- The references for custom Ansible lookup and filter plugins have been
modified to use the Fully Qualified Collection Name format to allow the
DebOps monorepo to work as an Ansible Collection.

- Custom Ansible plugins included in the :ref:`debops.ansible_plugins` role
have been copied to the :file:`ansible/plugins/` subdirectories to make them
available through the Ansible Collection mechanisms.

- Multiple roles that use the DNS ``SRV`` Resource Records to find related
services have been updated to utilize the new ``dig_srv`` Ansible lookup
plugin to find the records. This change should make the role code easier to
maintain.

- Most of the DebOps roles now use :envvar:`debops__no_log` variable in tasks
with the ``no_log`` Ansible keyword. This should provide an easier way to
debug issues with various roles.

- Roles which use the :command:`dpkg-divert` Debian utility to preserve
original configuration files have been updated to use the ``dpkg_divert``
custom Ansible module included in the DebOps Collection instead of using the
``command`` or ``shell`` Ansible modules to manage the diversion and
reversion.

Continuous Integration
''''''''''''''''''''''

- The default box used by Vagrant for DebOps VMs has been updated from
``debian/buster64`` to ``debian/bullseye64``.

LDAP
''''

- The :file:`ldap/init-directory.yml` playbook can now store the administrator
credentials in the :file:`secret/` directory managed by the
:ref:`debops.secret` role. THe credentials can also be randomly generated if
the playbook is used non-interactively.

:ref:`debops.apt` role
''''''''''''''''''''''

- The role defaults have been updated, Bullseye is the new Stable.

:ref:`debops.apt_install` role
''''''''''''''''''''''''''''''

- The ``haveged`` Debian package will not be installed in a virtual machine if
the underlying hypervisor technology already provides access to the host's
RNG device through virtualization.

:ref:`debops.dhparam` role
''''''''''''''''''''''''''

- The role will no longer install the :command:`cron` service directly; instead
it depends on the :ref:`debops.cron` role to ensure that the service is
present. This allows replacing the ``cron`` Debian package with a different
backend, for example ``systemd-cron`` package.

:ref:`debops.docker_server` role
''''''''''''''''''''''''''''''''

- The role now enables `live restore`__ by default.

.. __: https://docs.docker.com/config/containers/live-restore/

:ref:`debops.dovecot` role
''''''''''''''''''''''''''

- The role has been thoroughly refreshed and now uses the
:ref:`universal_configuration` format for the service configuration. All role
variables have been renamed to put them in a separate namespace.

.. warning:: If you use a Dovecot installation in your environment, you
should check the new role documentation and update the relevant configuration
in the Ansible inventory before applying the new role on your infrastructure.

:ref:`debops.elasticsearch` role
''''''''''''''''''''''''''''''''

- The main configuration is reorganized, original contents of the configuration
file are set in the :envvar:`elasticsearch__original_configuration` variable
and the options changed by the role are set in the
:envvar:`elasticsearch__default_configuration` variable.

:ref:`debops.etckeeper` role
''''''''''''''''''''''''''''

- Add ``etckeeper__gitattributes`` option to be able to appended to the
:file:`/etc/.gitattributes` file.

:ref:`debops.ferm` role
'''''''''''''''''''''''

- The backend configuration will now manage all relevant alternatives for
:command:`arptables`, :command:`ebtables`, :command:`iptables` and
:command:`ip6tables` commands to keep various parts of the firewall
synchronized.

.. warning:: The variable which controls what backend is used has been
renamed to :envvar:`ferm__iptables_backend_type` due to value
change. You might need to update your Ansible inventory to select
the correct backend.

- The default backend for :command:`iptables` is changed to ``legacy`` on newer
OS releases, because `there's no plans`__ to support :command:`nftables`
backend by the :command:`ferm` project. You might want to check if the
firewall configuration is correctly applied after running the role against
already configured hosts.

.. __: https://github.com/MaxKellermann/ferm/issues/47

:ref:`debops.grub` role
'''''''''''''''''''''''

- The role now enables the serial console by default.

:ref:`debops.ipxe` role
'''''''''''''''''''''''

- You can now define what kernel parameters are used by default in the Debian
Installer, using an iPXE variable.

:ref:`debops.keyring` role
''''''''''''''''''''''''''

- The default keyserver used by the role has been changed to `Ubuntu
keyserver`__ due to deprecation of the SKS Keyserver pool.

.. __: https://keyserver.ubuntu.com/

:ref:`debops.logrotate` role
''''''''''''''''''''''''''''

- The role will no longer install the :command:`cron` service directly; instead
it depends on the :ref:`debops.cron` role to ensure that the service is
present. This allows replacing the ``cron`` Debian package with a different
backend, for example ``systemd-cron`` package.

:ref:`debops.netbox` role
'''''''''''''''''''''''''

- Add ``netbox__config_custom`` option to be able to configure not explicitly
supported options in a raw format.

:ref:`debops.nginx` role
''''''''''''''''''''''''

- The ``item.location_list`` entries in the server configuration can now define
access policy for a specific location and use subnet ranges or password
authentication to control access.

- Length and characters included in the passwords generated by the role for
HTTP Basic Authentication can now be controlled using default variables.

:ref:`debops.php` role
''''''''''''''''''''''

- php7.4 has been added to the ``php__version_preference`` list. This ensures
that PHP-related packages are installed on Debian 11 (Bullseye) systems.

:ref:`debops.pki` role
''''''''''''''''''''''

- The RootCA certificate for the Let's Encrypt ACME certificates has been
changed to :file:`mozilla/ISRG_Root_X1.crt`, the previous CA certificate is
now expired. Existing PKI realms will not be modified, you might need to
recreate them or replace the :file:`acme/root.pem` symlink manually.

:ref:`debops.postldap` role
'''''''''''''''''''''''''''

- A few changes to the Postfix LDAP lookup tables were made, most notably a
better split between alias lookups (ldap_virtual_alias_maps.cf) and
distribution list lookups (ldap_virtual_forward_maps.cf).

:ref:`debops.preseed` role
''''''''''''''''''''''''''

- The role has been redesigned from the ground up and uses
:ref:`universal_configuration` to manage Preseed configuration files.
Multiple "flavors" are provided to permit installation of Debian in a variety
of environments. See the :ref:`upgrade_notes` for details about upgrading an
existing installation.

:ref:`debops.reprepro` role
'''''''''''''''''''''''''''

- The role has been redesigned from scratch. It can now manage multiple APT
repository instances on separate DNS domains, repositories can have access
restrictions, the :command:`inoticoming` service has been replaced by
a :command:`systemd` ``.path`` units. Repositories are now configured via the
:ref:`universal_configuration` system. See the new role documentation for
details.

:ref:`debops.rsyslog` role
''''''''''''''''''''''''''

- The default NetStream driver mode and authentication mode are now set based
on whether the ``gtls`` driver is enabled.

:ref:`debops.slapd` role
''''''''''''''''''''''''

- The :file:`mailservice.schema` LDAP schema has been modified to add new LDAP
attributes, ``mailPrivateAddress`` and ``mailContactAddress``. This change
includes additional constraints on uniqueness and requires a rebuild of the
OpenLDAP service. See :ref:`upgrade_notes` for details.

- The ``sudoUser`` attribute index in the OpenLDAP service has been changed to
``sudoHost,sudoUser eq,sub`` to provide better search performance for the
:command:`sssd` service. This will have to be changed manually on existing
OpenLDAP installations before the role is idempotent.

:ref:`debops.sshd` role
'''''''''''''''''''''''

- Keep the ``SSH_CONNECTION`` environment variable when running commands with
sudo.

:ref:`debops.sysctl` role
'''''''''''''''''''''''''

- The role will configure protection for FIFOs and regular files along with
protection for symlinks and hardlinks, introduced in Debian Bullseye.

:ref:`debops.system_users` role
'''''''''''''''''''''''''''''''

- The role assumes that Ansible Controller has Python 3 available and will not
check for Python 2.7 anymore while gathering local UNIX account details, to
avoid issues with non-existent host facts.

:ref:`debops.unattended_upgrades` role
''''''''''''''''''''''''''''''''''''''

- The role now defaults to the admin_private_email Ansible fact (as provided by
:ref:`debops.core`) for the :envvar:`unattended_upgrades__mail_to` variable.

Fixed
~~~~~

General
'''''''

- Fixed an issue with user and group management roles where the UNIX account
home directories were created even if they were specifically disabled. Roles
should now be more careful and respect the administrator wishes.

LDAP
''''

- The :file:`ldap/init-directory.yml` playbook should now work better with
non-local UNIX accounts and provide better defaults for standardized account
names like ``ansible``.

- The ``*__ldap_bindpw`` variables in various roles have been modified to
create the passwords only when LDAP support is enabled. This should fix an
issue in non-LDAP environments where Ansible would stop playbook execution
when a single password file for an LDAP object was created by multiple hosts,
generating a race condition due to empty domain part of the Distinguished
Name.

:ref:`debops.apt` role
''''''''''''''''''''''

- The role no longer disables the backports repository of a Debian LTS or
archive release.

:ref:`debops.apt_cacher_ng` role
''''''''''''''''''''''''''''''''

- The role no longer creates an unnecessary NGINX webroot directory.

:ref:`debops.dhcpd` role
''''''''''''''''''''''''

- host-identifier parameters are now always quoted in dhcpd6.conf. This is
needed when the host-identifier contains periods (e.g. fully qualified
domain names).

:ref:`debops.dnsmasq` role
''''''''''''''''''''''''''

- Ensure that the configuration entries with ``a`` or ``aaaa`` parameter are
correctly recognized as host entries.

:ref:`debops.ipxe` role
'''''''''''''''''''''''

- Make sure that the correct Preseed flavor is used when the user changes it
using the menu item.

:ref:`debops.kmod` role
'''''''''''''''''''''''

- Fixed an issue with role facts where the script ended with exception when the
``kmod`` package wasn't installed and the :command:`lsmod` command was not
available.

:ref:`debops.ldap` role
'''''''''''''''''''''''

- The role will refresh the local facts when the :file:`/etc/ldap/ldap.conf`
configuration changes to ensure that other roles have correct information
available, for example when a new set of LDAP servers is used.

:ref:`debops.libvirt` role
''''''''''''''''''''''''''

- The ``virt-top`` APT package is not part of the Debian Bullseye release,
therefore the role will not try to install it by default.

:ref:`debops.libvirtd` role
'''''''''''''''''''''''''''

- The ``virt-top`` APT package is not part of the Debian Bullseye release,
therefore the role will not try to install it by default.

- The root account will no longer be added to the 'libvirt' group by default.

:ref:`debops.lxc` role
''''''''''''''''''''''

- Use the Ubuntu GPG keyserver by default to download LXC container signing
keys when the container is created by the :command:`lxc-new-unprivileged`
script as well as through the ``lxc_container`` Ansible module (the SKS
keyserver pool has been deprecated).

- Enable AppArmor nesting configuration in LXC v4.0.x version, used in Debian
Bullseye. Without this, various :command:`systemd` services inside of the
LXC containers cannot start and SSH/console login is delayed ~25 seconds.

:ref:`debops.netbase` role
''''''''''''''''''''''''''

- Fixed an issue where the fact script broke when it tried to find the host's
IP address using DNS and the host does not have an entry in the DNS or in
:file:`/etc/hosts` database.

- Fixed an issue where the initial bootstrap and common playbook execution
didn't provide the correct configuration for the :ref:`debops.netbase` role,
resulting in a non-idempotent execution and wrong :file:`/etc/hosts` database
contents. The order of the :ref:`debops.python` role in bootstrap and common
playbooks has been adjusted to ensure that the Python packages required by
the :ref:`debops.netbase` role are installed before its execution.

:ref:`debops.netbox` role
'''''''''''''''''''''''''

- Set ``client_max_body_size`` to ``25m`` in Nginx as in the NetBox Nginx
config example.
Before, it was at the Nginx default of ``1m`` which caused Nginx to reject
larger picture uploads to NetBox.

:ref:`debops.nginx` role
''''''''''''''''''''''''

- Access to the ACME challenge directories is now always allowed, even if a
server-wide allowlist configuration or HTTP basic authentication enforcement
has been applied. This ensures that it is always possible to request and renew
certificates through the ACME protocol.

- Do not remove the whole PKI hook directory when the :command:`nginx` hook
script is removed by the role.

:ref:`debops.owncloud` role
'''''''''''''''''''''''''''

- Fixed an issue with the :ref:`debops.nginx` configuration where some
Nextcloud pages (LDAP configuration, for example) did not work correctly.

:ref:`debops.pki` role
''''''''''''''''''''''

- Ensure that the X.509 certificate requests generated by the
:command:`pki-realm` script to renew Let's Encrypt/ACME certificates include
SubjectAltNames defined in the PKI realm.

:ref:`debops.postfix` role
''''''''''''''''''''''''''

- Do not remove the whole PKI hook directory when the :command:`postfix` hook
script is removed by the role.

:ref:`debops.proc_hidepid` role
'''''''''''''''''''''''''''''''

- Add the ``procadmins`` UNIX group as a supplementary group in the
:file:`user.service` :command:`systemd` unit to fix an issue where the user
service does not start when unified cgroupv2 hierarchy is used.

:ref:`debops.prosody` role
''''''''''''''''''''''''''

- Do not remove the whole PKI hook directory when the :command:`prosody` hook
script is removed by the role.

:ref:`debops.rabbitmq_server` role
''''''''''''''''''''''''''''''''''

- Correctly interpret the list of RabbitMQ user accounts to not create unwanted
vhosts.

:ref:`debops.redis_server` role
'''''''''''''''''''''''''''''''

- Fixed an issue with facts not showing Redis instances correctly when password
is empty.

debops.reprepro role
''''''''''''''''''''

- Added missing architectures (all expected architectures for Bookworm, and
some missing architectures for older releases).

:ref:`debops.resolvconf` role
'''''''''''''''''''''''''''''

- Ensure that the fact script correctly includes information about upstream
nameservers when :command:`systemd-resolved` service is used.

:ref:`debops.rsyslog` role
''''''''''''''''''''''''''

- The rsyslog role always configured the streamDriverPermittedPeers option,
even when the ``anon`` network driver authentication mode was selected.

:ref:`debops.sshd` role
'''''''''''''''''''''''

- The role will no longer create an LDAP account when it is not needed.

- The default ``sshd__login_grace_time`` has been increased from 30 to 60
seconds. This mitigates a lock-out issue when ``sshd__use_dns`` is
enabled (the default) and your DNS resolvers are unreachable.

- The role will avoid leaking the LDAP bind password through the process list
during password file creation on the remote host.

:ref:`debops.sudo` role
'''''''''''''''''''''''

- Fixed an issue in the fact script which resulted in a wrong string being
picked up as the version number when :command:`sudo` was configured to use
LDAP, but the LDAP service was not available.

- The role will now skip installing the ``sudo-ldap`` package and creating the
LDAP account object if :envvar:`sudo__ldap_enabled` is ``False``.

:ref:`debops.sysctl` role
'''''''''''''''''''''''''

- The role's default of explicitly disabling packet forwarding conflicted with
the sysctl configuration done by Docker Server. The role would disable
essential (for Docker) packet forwarding, which would only be enabled again
when the Docker daemon was manually restarted or the sysctl parameter was
manually corrected. This has been fixed by letting the role default to
enabling packet forwarding on Docker Server hosts.

:ref:`debops.system_users` role
'''''''''''''''''''''''''''''''

- The ``create_home`` parameter was not functional because of typos in the
Ansible task.

Removed
~~~~~~~

General
'''''''

- The old DebOps scripts have been removed from the monorepo, they are replaced
with new, cleaner scripts that support subcommands.

- The :command:`debops-update` script has been dropped from the project.
Existing users should use :command:`git clone` command to install the DebOps
monorepo if they wish to use the rolling release. There's also no need to
install the ``debops`` PyPI package; DebOps scripts can be installed directly
from the monorepo in development mode if desired.

- The :command:`debops-task` script has been dropped. You can use the
:command:`ansible` command directly to perform ad-hoc commands against the
Ansible inventory.

- The :command:`debops-defaults` script has been removed from the project.
Easy access to the role defaults will be implemented at a later date.

- The :command:`debops-init` script has been replaced with the :command:`debops
project init` subcommand.

- The :command:`debops-padlock` script has been removed from the project. It's
functionality is now available via the :command:`debops project` subcommands.

:ref:`debops.nginx` role
''''''''''''''''''''''''

- The support for `SPDY`__ protocol has been removed from the role; it has been
replaced in the technology stack by `HTTP/2`__ specification.

.. __: https://en.wikipedia.org/wiki/SPDY
.. __: https://en.wikipedia.org/wiki/HTTP/2

:ref:`debops.preseed` role
''''''''''''''''''''''''''

- Support for installing and configuring Salt Minions during host provisioning
has been removed.

:ref:`debops.snmpd` role
''''''''''''''''''''''''

- The tasks and other code which managed the :command:`lldpd` daemon has been
removed from the role. The :ref:`debops.lldpd` role now provides the LLDP
support and automatically integrates with SNMP daemon when it is detected.

Security
~~~~~~~~

General
'''''''

- Specific DebOps roles (:ref:`debops.dovecot`, :ref:`debops.owncloud`,
:ref:`debops.postldap`) used password generation lookups with invalid
parameters which might have resulted in a weaker passwords generated during
their deployment. The parameters in the password lookups have been fixed; you
might consider regenerating the passwords created by them by removing
existing ones from the :ref:`debops.secret` storage on the Ansible Controller
and re-running the roles.

2.3.0

Not secure
-----------------------------

.. _debops v2.3.0: https://github.com/debops/debops/compare/v2.2.0...v2.3.0

Added
~~~~~

New DebOps roles
''''''''''''''''

- The :ref:`debops.extrepo` role provides an interface for the `extrepo`__
Debian package, an external APT source manager. It can be used to configure
third-party APT repositories.

.. __: https://grep.be/blog/en/computer/debian/Announcing_extrepo/

- The :ref:`debops.sssd` role can be used to manage the System Security
Services Daemon (``sssd``), an alternative approach to centralized
credentials managed by remote databases like LDAP or Active Directory.

General
~~~~~~~

- The new :file:`bootstrap-sss.yml` Ansible playbook can be used to provision
a new host with LDAP support based on the :command:`sssd` service instead of
the :command:`nslcd` and :command:`nscd` services.

- The :ref:`debops.apache` and :ref:`debops.nginx` roles will configure the
managed websites to opt-out from the `Federated Learning of Cohorts`__ (FLoC)
feature by default. This can be turned off on a site-by-site basis.

.. __: https://github.com/WICG/floc

:ref:`debops.etckeeper` role
''''''''''''''''''''''''''''

- The :command:`etckeeper` script can be configured to send e-mail messages
with changes to the system administrator.

:ref:`debops.ferm` role
'''''''''''''''''''''''

- You can now configure the :command:`iptables` backend (``nft`` or ``legacy``)
after installing :command:`ferm` service using the alternatives system. This
might be needed on newer OS releases to keep :command:`ferm` usable.

:ref:`debops.netbox` role
'''''''''''''''''''''''''

- Added wrapper around :file:`manage.py` called :file:`netbox-manage` for
NetBox power users.

:ref:`debops.global_handlers` role
''''''''''''''''''''''''''''''''''

- New global handlers available to roles:

- ``Refresh host facts``: re-gather host facts using the ``setup`` Ansible
module, required to ensure that Ansible has accurate information about the
current host state.

- ``Reload service manager``: update the :command:`init` daemon runtime
configuration, useful when new services are added or their
:command:`systemd` configuration changes.

- ``Create temporary files``: ensure that files and directories created at
system boot by tools like :command:`systemd-tmpfiles` are present on the
host.

Changed
~~~~~~~

Updates of upstream application versions
''''''''''''''''''''''''''''''''''''''''

- In the :ref:`debops.ipxe` role, the Debian Buster netboot installer version
has been updated to the next point release, 10.9.

- In the :ref:`debops.roundcube` role, the Roundcube version installed by
default has been updated to ``1.4.11``.

- The :ref:`debops.elasticsearch`, :ref:`debops.kibana` and
:ref:`debops.filebeat` roles were updated to use the :ref:`debops.extrepo`
role to configure the Elastic.co APT repositories. This will result in
installation of ES, Kibana and Filebeat 7.x versions by default on new
installations; existing installations will not be automatically upgraded by
the roles, but the packages themselves might be upgraded by other APT
mechanisms.

- In the :ref:`debops.netbox` role, the NetBox version has been updated to
``v2.11.2``.

- In the :ref:`debops.owncloud` role, the Nextcloud version has been updated to
``v20.0``. ``19.0`` support has been dropped.

- The ``lxc_ssh.py`` connection plugin that enables management of LXC
containers without the need of an :command:`sshd` server installed inside of
the containers has been refreshed to get latest changes in the upstream
project and make it work correctly on newer Ansible releases.

Continuous Integration
''''''''''''''''''''''

- The Vagrant provisioning script now installs Cryptography from the Debian
archive instead of from PyPI.

- The :command:`ansible-lint` check will now use Ansible playbooks as the
starting point to test the whole codebase. Roles and playbooks not included
in the :file:`site.yml` playbook can be tested manually if needed.

:ref:`debops.authorized_keys` role
''''''''''''''''''''''''''''''''''

- The management of the SSH public keys has been redesigned. Instead of
focusing on UNIX accounts with one or more keys, the role now focuses on
separate public keys as "SSH identities" that are configured on one or more
UNIX accounts. This should provide more flexibility in environments where
small number of users utilizes large number of UNIX accounts, for example
small development team with multiple applications deployed on separate
accounts.

``debops.boxbackup`` role
'''''''''''''''''''''''''

- Some of the default variables in the role have been renamed to aoid using
uppercase letters in variables.

:ref:`debops.dovecot` role
''''''''''''''''''''''''''

- The LDAP user filer has been changed to use the ``mailRecipient`` LDAP object
class from the :ref:`mailservice LDAP schema <slapd__ref_mailservice>` to
lookup mail accounts. Ensure that your LDAP directory has correct information
before applying the change in production.

- If the LDAP entry of a mail user has the ``mailHomeDirectory`` attribute, it
will be used to specify the mail home directory relative to the mail root
directory, instead of generating one which depends on the domain and username
of a given account.

:ref:`debops.lxc` role
''''''''''''''''''''''

- On hosts which use LXC v4.0.x, for example with Debian Bullseye as the
operating system, the role will configure new LXC containers to not drop the
``CAP_SYS_ADMIN`` capability by default. This is required for correct
container operation on this version of LXC.

:ref:`debops.owncloud` role
'''''''''''''''''''''''''''

- ownCloud is not supported in the latest version of DebOps due to lack of
maintainers. Use DebOps v2.2.x if you need it and consider becoming a
maintainer.

:ref:`debops.postgresql_server` role
''''''''''''''''''''''''''''''''''''

- The :command:`autopostgresqlbackup` script will not be installed on Debian
Bullseye because the package was dropped from that release.

:ref:`debops.postldap` role
'''''''''''''''''''''''''''

- The Postfix LDAP integration is redesigned to use the :ref:`mailservice LDAP
schema <slapd__ref_mailservice>` for account and mailbox management. There
are extensive changes in how the Postfix service utilizes the LDAP directory;
existing installations will have to update their LDAP directory entries.
Please test these changes in a development environment before applying them
in production.

:ref:`debops.python` role
'''''''''''''''''''''''''

- The support for Python 2.7 environment will be enabled only when explicitly
requested using the :envvar:`python__v2` variable. This should avoid issues
with installation of Python 2.7 packages on Debian Bullseye and later.

:ref:`debops.roundcube` role
''''''''''''''''''''''''''''

- The address autocompletion will show only a specific e-mail address instead
of all available ones for a given recipient.

- The role will configure Roundcube to search the LDAP directory for a given
user's Distinguished Name when their LDAP entry uses a different attribute
than ``uid`` as RDN. Directory will be searched using the Roundcube's own
login credentials. See :ref:`roundcube__ref_ldap_dit` for details.

- The ``new_user_identity`` plugin will be re-enabled by default and adjusted
to use the ``mail`` attribute to search for user identities. Roundcube v1.4.x
installations `might need to be patched`__ for the plugin to work correctly
with user-based LDAP logins.

.. __: https://github.com/roundcube/roundcubemail/issues/7667

:ref:`debops.saslauthd` role
''''''''''''''''''''''''''''

- The SMTPd service will search for ``mailRecipient`` LDAP Object Class instead
of the ``inetOrgPerson`` Object Class to authenticate mail senders.

Changes to DebOps Enhancement Proposals
'''''''''''''''''''''''''''''''''''''''

- DEP 3 - Sources of software used by DebOps now requires for roles that
configure upstream APT repositories to use ``debops.extrepo`` instead of the
previously used way of including the OpenPGP fingerprint and repo details in
the role. This applies to all new roles. Existing roles will be updated over
time.

Fixed
~~~~~

General
'''''''

- The :command:`debops-defaults` script should now correctly display role
defaults, without trying to add the ``debops.`` prefix to the role names.

- The :command:`debops-update` script should now correctly detect cloned DebOps
monorepo.

- The :command:`debops` script will no longer check Ansible version to work
around an issue that was fixed in Ansible 2.0.

:ref:`debops.ansible_plugins` role
''''''''''''''''''''''''''''''''''

- In the ``parse_kv_config`` custom Ansible filter, correctly skip
configuration entries which have been marked with the ``ignore`` state.

:ref:`debops.apt` role
''''''''''''''''''''''

- The role configured the Debian Bullseye security repository with the
'bullseye/updates' suite name. This is incorrect, the Bullseye security suite
is called 'bullseye-security'.

:ref:`debops.core` role
'''''''''''''''''''''''

- Fixed local fact script execution on hosts without a defined DNS domain. You
might need to remove the :file:`core.fact` script from the remote host
manually so that Ansible can gather facts correctly before the fixed version
of the script can be installed. To do that on all affected hosts, execute the
command:

.. code-block:: console

ansible all -b -m file -a 'path=/etc/ansible/facts.d/core.fact state=absent'

:ref:`debops.cron` role
'''''''''''''''''''''''

- Fix role execution on hosts without :command:`systemd` as the service manager.

:ref:`debops.etesync` role
''''''''''''''''''''''''''

- The EteSync playbook is now included in the default DebOps playbook.

:ref:`debops.ferm` role
'''''''''''''''''''''''

- The management of the :command:`iptables` backend symlink using the
'alternatives' system is disabled on Debian 9, where it is unsupported.

:ref:`debops.iscsi` role
''''''''''''''''''''''''

- Fixed a typo that caused the iSCSI target discovery task to fail.

:ref:`debops.netbox` role
'''''''''''''''''''''''''

- NetBox crashed when it tried to send Emails.
For example when an exception occurred during page loading, the response was
just "Internal Server Error". The service as a whole survives this.
The bug in the configuration template has been fixed.

:ref:`debops.opendkim` role
'''''''''''''''''''''''''''

- Restored compatibility with Ansible versions prior to 2.10 by omitting the
``regenerate`` parameter of the openssl_privatekey module on those versions.

:ref:`debops.pki` role
''''''''''''''''''''''

- The pki-realm script will now attempt another ACME certificate request in case
the previous attempt failed and was more than two days ago. The previous
situation was that the script would not perform any ACME requests if the
acme/error.log file was present in the PKI realm, because performing multiple
certificate issuance requests could easily trigger a rate limit. The downside
of this was that the script would also completely give up on renewal attempts
if the first attempt happened to fail (e.g. due to some issue at Let's
Encrypt).

:ref:`debops.php` role
''''''''''''''''''''''

- Fixed an issue where role did not have a list of PHP packages for an unknown
OS release which stopped its execution. Now the role should fallback to
a default list in this case.

:ref:`debops.python` role
'''''''''''''''''''''''''

- Fixed an issue where the "raw" Python play used during host bootstrapping
hanged indefinitely, stopping the playbook execution. The role will now reset
the connection to the host after preparing the Python environment, allowing
Ansible to re-estabilish the communication channel properly.

:ref:`debops.saslauthd` role
''''''''''''''''''''''''''''

- The :command:`saslauthd` daemon should correctly use the local and realm
parts in the ``userrealm`` logins for authentication using LDAP directory.

:ref:`debops.sudo` role
'''''''''''''''''''''''

- The role no longer adds a duplicate includedir line to /etc/sudoers. This was
an issue with sudo 1.9.1 (and later), which `changed`__ the includedir syntax
from 'includedir' to '\includedir'.

.. __: https://www.sudo.ws/stable.html#1.9.1

- Use the English locale to read the :command:`sudo` version information since
the output differs in different languages.

:ref:`debops.system_users` role
'''''''''''''''''''''''''''''''

- Use the Python version detected on the Ansible Controller instead of the
remote host to run the UNIX account fact gathering script.

Security
~~~~~~~~

:ref:`debops.hashicorp` role
''''''''''''''''''''''''''''

- Due to a `security incident`__, the existing Hashicorp release GPG key has
been rotated. The role will remove the revoked GPG key and install new one
when applied on a host.

.. __: https://discuss.hashicorp.com/t/hcsec-2021-12-codecov-security-event-and-hashicorp-gpg-key-exposure/23512

2.2.0

Not secure
-----------------------------

.. _debops v2.2.0: https://github.com/debops/debops/compare/v2.1.0...v2.2.0

Added
~~~~~

New DebOps roles
''''''''''''''''

- The :ref:`debops.dhcrelay` role can be used to manage the ISC DHCP Relay
Agent, which forwards DHCP traffic between networks. This role replaces the
dhcrelay functionality in :ref:`debops.dhcpd`.

- The :ref:`debops.global_handlers` Ansible role provides a central place to
maintain handlers for other Ansible roles. Keeping them centralized allows
Ansible roles to use handlers from different roles without including them
entirely in the playbook.

- The :ref:`debops.filebeat` role can be used to install and configure
`Filebeat`__, a log shipping agent from Elastic, part of the Elastic Stack.

.. __: https://www.elastic.co/beats/filebeat

General
'''''''

- The :file:`tools/reboot.yml` can be used to reboot DebOps hosts even if they
are secured by the ``molly-guard`` package.

- The code in the DebOps monorepo is now checked using `GitHub Actions`__,
which will replace Travis-CI. Thank you, Travis, for years of service. :)

.. __: https://github.com/features/actions

LDAP
''''

- The :ref:`next available UID and GID values <ldap__ref_next_uid_gid>` can now
be tracked using special LDAP objects in the directory. These can be used by
the client-side account and group management applications to easily allocate
unique UID/GID numbers for newly created accounts and groups.

The objects will be created automatically with the next available UID/GID
values by the :file:`ldap/init-directory.yml` playbook. In existing
environments users might want to create them manually to ensure that the
correct ``uidNumber`` and ``gidNumber`` values are stored instead of the
default ones which might already be allocated.

- The ``root`` UNIX account will now have full write access to the main
directory via the ``ldapi://`` external authentication and can create and
modify the LDAP objects and their attributes. This is required so that the
:ref:`debops.slapd` role can initialize the directory tree and create/remove
the ACL test objects as needed.

:ref:`debops.apt` role
''''''''''''''''''''''

- The role facts now include the main APT architecture (``amd64``, for example)
and a list of foreign architectures if any are enabled. The
``ansible_local.apt.architecture`` fact can be used in other roles that need
that information.

:ref:`debops.apt_install` role
''''''''''''''''''''''''''''''

- The role now installs CPU microcode packages on physical hosts by default.
These firmware updates correct CPU behaviour and mitigate vulnerabilities like
Spectre and Meltdown. You still need to take measures to protect your virtual
machines; for this, take a look at the `QEMU documentation`__.

.. __: https://www.qemu.org/docs/master/system/target-i386.html#important-cpu-features-for-intel-x86-hosts

:ref:`debops.icinga` role
'''''''''''''''''''''''''

- The role can now create Icinga configuration on the Icinga "master" node via
task delegation. This can be useful in centralized environments without
Icinga Director support.

:ref:`debops.lvm` role
''''''''''''''''''''''

- Default LVM2 configuration for Debian Stretch and Buster has been added.

:ref:`debops.owncloud` role
'''''''''''''''''''''''''''

- Drop Nextcloud 16, 17 and 18 support because it is EOL. You need to upgrade Nextcloud
manually if you are running version 18 or below. The role now defaults to
Nextcloud 19 for new installations.

:ref:`debops.postgresql` role
'''''''''''''''''''''''''''''

- The role can now drop PostgreSQL databases and remove roles when their state
is set to ``absent`` in the Ansible inventory.

:ref:`debops.resources` role
''''''''''''''''''''''''''''

- Support manipulating file privileges using the Linux
:manpage:`capabilities(7)` with the help of the Ansible capabilities
module.

:ref:`debops.roundcube` role
''''''''''''''''''''''''''''

- The role will enable more plugins by default: ``help``, ``markasjunk``,
``password`` (only with LDAP).

- Roundcube will offer local spell checking support by default with ``Enchant``
library. English language is supported by default, more languages can be
added via Ansible inventory.

:ref:`debops.slapd` role
''''''''''''''''''''''''

- Support for the dynamic LDAP groups maintained by the
:ref:`slapd__ref_autogroup_overlay` has been implemented in the role. Debian
Buster or newer is recommended for this feature to work properly.

- A set of `FreeRADIUS`__ LDAP schema has been added to the role. RADIUS
Profiles, Clients and FreeRADIUS DHCP configuration can be stored in the LDAP
directory managed by DebOps and used by the :ref:`debops.freeradius` Ansible
role.

.. __: https://freeradius.org/

- Support for empty LDAP groups has been added via the :ref:`groupfentries
schema <slapd__ref_groupofentries>` with a corresponding ``memberOf``
overlay. This change changes the order of existing overlays in the LDAP
database which means that the directory server will have to be rebuilt.

- New :ref:`orgstructure schema <slapd__ref_orgstructure_schema>` provides the
``organizationalStructure`` LDAP object class which is used to define the
base directory objects, such as ``ou=People``, ``ou=Groups``, etc.

- Members of the ``cn=LDAP Administrator`` LDAP role can now manage the server
configuration stored in the ``cn=config`` LDAP subtree.

:ref:`debops.sysctl` role
'''''''''''''''''''''''''

- The role can now be enabled or disabled conditionally via Ansible inventory.
This might be required in certain cases, for example LXD containers or
systems protected with AppArmor rules, which make the :file:`/proc/sys/`
directory read-only.

Changed
~~~~~~~

Updates of upstream application versions
''''''''''''''''''''''''''''''''''''''''

- In the :ref:`debops.ipxe` role, the Debian Stretch and Debian Buster netboot
installer versions have been updated to their next point releases, 9.13 and
10.7 respectively.

- In the :ref:`debops.roundcube` role, the Roundcube version installed by
default has been updated to ``1.4.10``.

- In the :ref:`debops.owncloud` role, the Nextcloud version installed by
default has been updated to ``v18.0``.

- In the :ref:`debops.phpipam` role, the phpIPAM version installed by default
has been updated to ``v1.4.1``.

- In the :ref:`debops.netbox` role, the NetBox version has been updated to
``v2.10.3``.
The plugin support added in ``v2.8.0`` can be configured from DebOps.
The NetBox Request Queue Worker service is configured to support background
jobs like reports to work.

- The :ref:`debops.mariadb` and :ref:`debops.mariadb_server` roles now support
installation of Percona Server/Client v8.0 from upstream APT repositories.

General
'''''''

- The ``debops.debops`` role has been renamed to the :ref:`debops.controller`
role to allow for the ``debops__`` variable namespace to be used for global
variables. All role variables have been renamed along with the role inventory
group, you will have to update your inventory.

- Most of the handers from different DebOps roles have been moved to the new
:ref:`debops.global_handlers` role to allow for easier cross-role handler
notification. The role has been imported in roles that rely on the handlers.

- The ``debops-contrib.*`` roles included in the DebOps monorepo have been
renamed to drop the prefix. This is enforced by the new release of the
:command:`ansible-lint` linter. These roles are not yet cleaned up and
integrated with the main playbook.

- The dependency on ``pyOpenSSL`` has been removed. This dependency was required
in Ansible < 2.8.0 because these versions were unable to use the
``cryptography`` module, but DebOps is nowadays developed against Ansible 2.9.
pyOpenSSL was used only to generate private RSA keys for the
:ref:`debops.opendkim` role. Switching to ``cryptography`` is also a security
precaution and the Python Cryptographic Authority
`recommends`__ doing so.

.. __: https://github.com/pyca/cryptography/blob/master/docs/faq.rst#why-use-cryptography)

LDAP
''''

- The :ref:`LDAP-POSIX integration <ldap__ref_posix>` can now be disabled using
a default variable. This will disable LDAP support in the POSIX environment
and specific services (user accounts, PAM, :command:`sshd`, :command:`sudo`)
while leaving higher-level services unaffected.

- The LDAP directory structure creation has been moved from a separate
:file:`ansible/playbooks/ldap/init-directory.yml` playbook into the
:ref:`debops.slapd` role to allow for better ACL testing. The playbook is
still used for administrator account creation.

- The base directory objects created by the :ref:`debops.slapd` role
(``ou=People``, ``ou=Groups``, etc.) as well as other DebOps roles
(:ref:`debops.dokuwiki`, :ref:`debops.ldap`, :ref:`debops.postldap`) changed
their structural object type from ``organizationalUnit`` to
``organizationalStructure``. Existing directories should not be affected by
this change, but users might want to update them using the :ref:`backup and
restore procedure <slapd__ref_backup_restore>` to allow for more extensive
ACL rules in the future.

:ref:`debops.core` role
'''''''''''''''''''''''

- The fact script will generate the list of private e-mail addresses used to
send administrative mail notifications based on the list of admin accounts
and the detected domain of the host; this can be overridden via the
:envvar:`core__admin_private_email` variable. The change is done to avoid
sending mail messages to 'account-only' addresses on hosts without local mail
support.

:ref:`debops.dhcpd` role
''''''''''''''''''''''''

- The ``debops.dhcpd`` role has been largely rewritten in order to support
both IPv4 and IPv6 on the same server, and to modernize many aspects of the
role.

- The DHCP Relay Agent functionality has been moved to :ref:`debops.dhcrelay`.

:ref:`debops.docker_server` role
''''''''''''''''''''''''''''''''

- The role's virtual environment is no longer created by default when
:envvar:`docker_server__upstream` is ``False``. This does not impact existing
virtualenvs. You can remove ``/usr/local/lib/docker/virtualenv`` yourself if
you like.

:ref:`debops.etckeeper` role
''''''''''''''''''''''''''''

- The role now installs etckeeper on all hosts by default, not just on hosts
that have a Python 2 environment. etckeeper is also installed from
buster-backports instead of the main Debian 10 repository.

:ref:`debops.fhs` role
''''''''''''''''''''''

- The role will create the :file:`/srv/www/` directory by default to allow for
home directories used by web applications.

:ref:`debops.gitlab` role
'''''''''''''''''''''''''

- The :command:`systemd` services no longer require Redis to be installed on
the same host as GitLab itself.

- Improved support for GitLab Pages, including optional access control and
fixed configuration of the :command:`systemd` service.

:ref:`debops.grub` role
'''''''''''''''''''''''

- The role will now activate both the serial console and the (previously
disabled) native platform console when ``grub__serial_console`` is ``True``.

:ref:`debops.icinga_web` role
'''''''''''''''''''''''''''''

- The role now automatically configures LDAP user and group support.

- The role will install and configure the `Icinga Certificate Monitoring`__
module.

.. __: https://icinga.com/docs/icinga-certificate-monitoring/latest/

:ref:`debops.lvm` role
''''''''''''''''''''''

- Linux Software RAID devices are now scanned by default.

:ref:`debops.lxd` role
''''''''''''''''''''''

- During installation, the role will enable trust for the GitHub's GPG signing
key to allow for verification of the LXD source code. Check the
:ref:`lxd__ref_install_details` for more information.

:ref:`debops.nginx` role
''''''''''''''''''''''''

- The default SSL configuration used by the role has been updated to bring it
to the modern standards. By default only TLSv1.2 and TLSv1.3 protocols are
enabled, along with an improved set of ciphers. The HTTP Strict Transport
Security age has been increased from 6 months to 2 years. The configuration
is based on the `intermediate Mozilla SSL recommendations`__ to support wide
range of possible clients.

.. __: https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&guideline=5.6

- The server can be configured to support TLSv1.3 protocol only using the
:envvar:`nginx_default_tls_protocols` variable, which will disable the use of
custom Diffie-Hellman parameters and allow the HTTPS clients to select their
own preferred ciphers to use for connections. The preferred set of ciphers
will also change to `Mozilla modern`__ variant. Keep in mind that not all
clients support this configuration.

.. __: https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=modern&openssl=1.1.1d&guideline=5.6

:ref:`debops.postfix` role
''''''''''''''''''''''''''

- Postfix :file:`main.cf` configuration overrides are now written to the
:file:`master.cf` configuration file using 'long form' notation supported
since Postfix 3.0. This allows specifying parameter values that contain
whitespace.

- The `DSN command`__ is now disabled by default. DSN (:rfc:`3464`) gives
senders control over successful and failed delivery status notifications. This
allows spammers to learn about an organization's internal mail infrastructure,
and gives them the ability to confirm that an address is in use. When DSN
support is disabled, Postfix will still let the SMTP client know that their
message has been received as part of the SMTP transaction; they just will not
get successful delivery notices from your internal systems.

.. __: http://www.postfix.org/DSN_README.html

- The `ETRN command`__ is now disabled by default. ETRN, also known as Remote
Message Queue Starting (:rfc:`1985`), was designed for sites that have
intermittent Internet connectivity, but is rarely used nowadays.

.. __: http://www.postfix.org/ETRN_README.html

:ref:`debops.resolvconf` role
'''''''''''''''''''''''''''''

- The 'domain', 'nameservers' and 'search' variables have been removed from the
resolvconf Ansible local facts script. You are encouraged to use the
`ansible_domain`, `ansible_dns.nameservers` and `ansible_dns.search` variables
instead.

:ref:`debops.slapd` role
''''''''''''''''''''''''

- The role will set up an additional instance of the ``memberof`` OpenLDAP
overlay to update role membership in the ``organizationalRole`` LDAP objects.
This change modifies the list of overlays and will require re-initialization
of the OpenLDAP directory.

- New equality indexes have been added to the :command:`slapd` service:
``roleOccupant``, ``memberOf`` and ``employeeNumber``.

- The :file:`eduperson.schema` LDAP schema has been extended with additional
attributes not present in the official specification. The new schema will not
be applied automatically on existing installations.

- In the OpenLDAP ACL rules, authenticated object owners can now
re-authenticate themselves using the ``userPassword`` attribute. This is
needed for the LDAP Password Modify Extended Operation (:rfc:`3062`) to work
correctly in Roundcube.

- In the :file:`mailservice.schema` LDAP schema, the ``mailACLGroups``
attribute has been renamed to ``mailGroupACL`` since this seems to be the
name used by different applications like Dovecot and Roundcube.

This change will not be applied automatically in an existing LDAP directories
- they will need to be rebuilt to apply new schema changes.

- The role will install a modified :ref:`OpenSSH-LPK schema
<slapd__ref_openssh_lpk>` instead of the version from the FusionDirectory
project, to add support for storing SSH public key fingerprints in the LDAP
directory. Existing installations shouldn't be affected.

- The :command:`slapacl` test map with additional object RDNs has been
redesigned into a list of test LDAP objects which can be created or removed
by the role as needed. They will not be added to the directory by default and
can be enabled via Ansible inventory.

- The support for OpenLDAP monitoring is improved. The ``root`` UNIX account as
well as members of the "LDAP Administrator" and "LDAP Monitor" roles can now
read the ``cn=Monitor`` information.

Removed
~~~~~~~

:ref:`debops.ldap` role
'''''''''''''''''''''''

- Creation of various LDAP directory objects (``ou=People``, ``ou=Groups``,
...) has been removed from the default list of LDAP tasks performed by the
role. These objects are now automatically created by the :ref:`debops.slapd`
role. The :ref:`debops.ldap` role will still ensure that all LDAP objects
needed to maintain the hosts' directory information are present.

Fixed
~~~~~

General
'''''''

- Fixed an issue where the :command:`debops` scripts did not expand the
:file:`~/` prefix of the file and directory paths in user home directories.

- Fixed an issue with custom lookup plugins (:file:`task_src`,
:file:`file_src`, :file:`template_src`) which resulted in Ansible 2.10 not
finding them correctly.

LDAP
''''

- The :file:`ldap/init-directory.yml` playbook will correctly initialize the
LDAP directory when the local UNIX account does not have any GECOS
information.

:ref:`debops.apt` role
''''''''''''''''''''''

- Fixed an issue where the role would attempt to add APT keys from a PGP
keyserver without installing the :command:`gnupg` package first.

:ref:`debops.dokuwiki` role
'''''''''''''''''''''''''''

- A few custom DokuWiki plugins will be removed if installed, otherwise they
will not be installed anymore due to issues with newest DokuWiki release.
Affected plugins: ``advrack``, ``rst``, ``gitlab``, ``ghissues``.

- Ensure that the ``authldap`` DokuWiki plugin is enabled when LDAP support is
configured by the role.

:ref:`debops.etherpad` role
'''''''''''''''''''''''''''

- Fixed the installation of Etherpad with the PostgreSQL backend by removing
unused dependent variables.

:ref:`debops.fail2ban` role
'''''''''''''''''''''''''''

- Fixed the configuration support on Ubuntu Focal due to bantime feature
changes in the :command:`fail2ban` v0.11.

:ref:`debops.fcgiwrap` role
'''''''''''''''''''''''''''

- The role can now be used in check mode without throwing an AnsibleFilterError.

:ref:`debops.gitlab` role
'''''''''''''''''''''''''

- Fixed an issue where the ``git`` UNIX account was not added to the
``_sshusers`` local group when LDAP support was enabled on the host. This
prevented the usage of GitLab via SSH.

:ref:`debops.ifupdown` role
'''''''''''''''''''''''''''

- Network configuration with bonded interfaces should now be correctly applied
by the reconfiguration script.

:ref:`debops.iscsi` role
''''''''''''''''''''''''

- Fixed uninitialized local fact ``ansible_local.iscsi.discovered_portals``.

:ref:`debops.ldap` role
'''''''''''''''''''''''

- Fixed multiple issues with adding and updating hosts to the LDAP directory
when these hosts were configured for network bonding.

:ref:`debops.lvm` role
''''''''''''''''''''''

- Fixed an issue where the role would fail in check mode. The role tries to
simulate creating a filesystem, but this failed when the underlying LVM volume
did not actually exist (which is to be expected when running in check mode).

- Made default behaviour match the documentation: the role now automatically
takes care of mounting a filesystem on an LVM volume if the mount point is
specified with ``item.mount``. This previously required setting the
``item.fs`` parameter to ``True`` as well.

:ref:`debops.nginx` role
''''''''''''''''''''''''

- Disabled gzip compression of text/vcard MIME types. Vcards contain, by nature,
sensitive information and should not be gzipped to prevent successful BREACH
attacks.

:ref:`debops.netbox` role
'''''''''''''''''''''''''

- Fixed initial superuser account creation.

:ref:`debops.nslcd` role
''''''''''''''''''''''''

- Enabled idle_timelimit to make sure that connections to the LDAP server are
properly closed. A disabled or too high idle_timelimit causes the LDAP server
to time out, resulting in nslcd errors like "ldap_result() failed: Can't
contact LDAP server".

:ref:`debops.nfs` role
''''''''''''''''''''''

- Ensure that with default mount options disabled, options specified by the
user still are added in the configuration.

:ref:`debops.ntp` role
''''''''''''''''''''''

- Don't try to disable or stop the ``systemd-timesyncd`` service when using an
alternative NTP service implementation and ``systemd-timesyncd`` is not
available.

:ref:`debops.owncloud` role
''''''''''''''''''''''''''''

- Fixed multiple issues which caused dry runs of the :ref:`debops.owncloud` role
to incorrectly show pending changes or fail altogether.

:ref:`debops.php` role
''''''''''''''''''''''

- Set correct APT preferences for the Backports or Sury APT repository to
the ``libapache2-mod-php*`` APT packages to ensure that the selected
repository is the same as the ``php*`` APT packages.

:ref:`debops.pki` role
''''''''''''''''''''''

- The :command:`acme-tiny` script will be installed from Debian/Ubuntu
repositories on Debian Buster, Ubuntu Focal and newer OS releases. This
solves the issue with ``acme-tiny`` script in upstream having
``!/usr/bin/env python`` shebang hard-coded which makes the script unusable
on hosts without Python 2.7 installed.

The installation location of the script from upstream is changed from
:file:`/usr/local/lib/pki/` to :file:`/usr/local/bin/` to leverage the
``$PATH`` variable so that the OS version is used without issues. The script
is now also symlinked into place instead of copied over.

:ref:`debops.postgresql_server` role
''''''''''''''''''''''''''''''''''''

- Rename the ``wal_keep_segments`` PostgreSQL configuration option to
``wal_keep_size`` on PostgreSQL 13 and later to avoid issues with starting
the database service. You might need to update the inventory configuration if
you use this parameter.

- Fixed an issue with the role always reporting "changed" state due to
``postgresql_privs`` Ansible module not detecting changes in the ``PUBLIC``
PostgreSQL role.

:ref:`debops.python` role
'''''''''''''''''''''''''

- The ``python-pip`` APT package will be installed only on older OS releases,
since it has been removed from newer OS releases like Debian Bullseye and
Ubuntu Focal.

:ref:`debops.rsnapshot` role
''''''''''''''''''''''''''''

- Fixed an issue which caused dry runs of the :ref:`debops.rsnapshot` role to
fail.

:ref:`debops.rsyslog` role
''''''''''''''''''''''''''

- Fixed the forgotten :envvar:`rsyslog__send_permitted_peers` variable which
defines what server is accepted by the client during TLS handshakes. The
value will now be defined using the ``streamDriverPermittedPeers`` parameter
in :command:`rsyslog` configuration.

:ref:`debops.saslauthd` role
''''''''''''''''''''''''''''

- Fixed SMTP AUTH e-mail authentication for satellite hosts. Mail messages sent
by :command:`nullmailer` and authenticated using LDAP should now be accepted
by the SMTP server.

:ref:`debops.slapd` role
''''''''''''''''''''''''

- Modify the :file:`mailservice.schema` LDAP schema so that various
mail-related attributes do not use the ``mail`` attribute as SUPerior
attribute. This fixes an issue where searching for ``mail`` attribute values
returned entries with the values present in related attributes, for example
``mailForwardTo``, causing problems with account lookups.

This change will require the rebuild of the OpenLDAP directory to be applied
correctly. The role will not apply the changes on existing installations
automatically due to the :file:`mailservice.schema` being loaded into the
database.

- The :command:`slapd-snapshot` script will now correctly create database
snapshots when the ``cn=Monitor`` database is disabled or not configured.

:ref:`debops.snmpd` role
''''''''''''''''''''''''

- Don't create or modify the home directory of the :command:`snmpd` UNIX
account to avoid issues on Ubuntu 20.04.

:ref:`debops.system_users` role
'''''''''''''''''''''''''''''''

- Fixed an issue where the role execution broke if the
:envvar:`system_users__self_name` variable was set to an UNIX account which
does not exist on the Ansible Controller, for example ``ansible``. The role
will now correctly create such UNIX accounts on the remote hosts with default
GECOS and shell values.

:ref:`debops.tinc` role
'''''''''''''''''''''''

- Fix issue with Tinc VPN interfaces starting before the general host
networking is set up and failing to bind to the selected bridge interface.
The Tinc :command:`systemd` service will wait for the
``network-online.target`` unit to start up before activation.

- Fixed an issue with the role where setting :envvar:`tinc__modprobe` variable
to ``False`` did not turn off support for loading required kernel modules.

2.1.0

Not secure
-----------------------------

.. _debops v2.1.0: https://github.com/debops/debops/compare/v2.0.0...v2.1.0

Added
~~~~~

New DebOps roles
''''''''''''''''

- The :ref:`debops.etesync` role allows to setup a EteSync__ server.
EteSync is a cross-platform project to provide secure, end-to-end encrypted,
and privacy respecting sync for your contacts, calendars and tasks.

.. __: https://www.etesync.com/

- The :ref:`debops.journald` role can be used to manage the
:command:`systemd-journald` service, supports configuration of Forward Secure
Sealing and can configure persistent storage of the log files. The role is
included by default in the :file:`common.yml` playbook.

- The :ref:`debops.dpkg_cleanup` role can create :command:`dpkg` hooks that
help clean up custom and diverted files created by other roles when a given
Debian package is removed. This should aid in cases of multiple roles
managing services that provide the same functionality.

- The :ref:`debops.influxdata` role configures the APT repository and
repository GPG keys of `InfluxData`__ company, creator of InfluxDB, Telegraf
and other metric and time series tools.

.. __: https://influxdata.com/

- The :ref:`debops.influxdb_server` and :ref:`debops.influxdb` roles can be
used to install the InfluxDB time series database service and manage its
databases and users, respectively.

- The :ref:`debops.fhs` role will be used to define base directory hierarchy
used by other DebOps roles (previously done by the :ref:`debops.core` role).
The role is included in the :file:`common.yml` playbook.

- The :ref:`debops.tzdata` role manages the host time zone configuration and
provides the ``ansible_local.tzdata.timezone`` local fact with the time zone
in the ``Area/Zone`` format. The role is included in the :file:`common.yml`
playbook.

:ref:`debops.pki` role
''''''''''''''''''''''

- The role can now instruct acme-tiny to register an ACME account with one or
more contact URLs. Let's Encrypt for example uses this information to notify
you about expiring certificates and emergency revocation.

- The :ref:`debops.dovecot` and :ref:`debops.postfix` roles now include the PKI
hook scripts which will reload their corresponding services when the X.509
certificates used by them are changed.

:ref:`debops.postconf` role
'''''''''''''''''''''''''''

- The additional Postfix configuration managed by the role can now be added or
removed conditionally, controlled by the :envvar:`postconf__deploy_state`
variable.

:ref:`debops.python` role
'''''''''''''''''''''''''

- Introduce :envvar:`python__pip_version_check` which defaults to ``False`` to
disable PIP update checks outside of the system package manager.
Before, this was not configured by DebOps leaving it at PIP default which
meant it would check for updates occasionally.

:ref:`debops.resources` role
''''''''''''''''''''''''''''

- Add support for the ``access_time`` and ``modification_time`` parameters of
the Ansible file module to the role.

:ref:`debops.roundcube` role
''''''''''''''''''''''''''''

- The role can now be configured to install Roundcube from private or internal
:command:`git` repositories that might contain additional modifications to
the application code required by some organizations. See the
:ref:`roundcube__ref_private_repo` section in the documentation for details.

Changed
~~~~~~~

Updates of upstream application versions
''''''''''''''''''''''''''''''''''''''''

- In the :ref:`debops.ipxe` role, the Debian Stretch and Debian Buster netboot
installer versions have been updated to their next point releases, 9.11 and
10.4 respectively.

- In the :ref:`debops.owncloud` role, the Nextcloud version installed by
default has been updated to ``v17.0``. The ownCloud version has been updated
to ``v10.4``.

- In the :ref:`debops.roundcube` role, the Roundcube version installed by
default has been updated to ``v1.4.4``.

- In the :ref:`debops.lxd` role, the LXD version installed by default has been
changed to the ``stable-4.0`` branch, which is a LTS release. The role uses
a :command:`git` branch instead of a specific tagged release to bypass
`broken LXD build dependency`__ which is not yet fixed in a tagged release.

.. __: https://github.com/lxc/lxd/issues/7357

- In the :ref:`debops.gitlab` role, the GitLab release installed on Debian
Buster and newer OS releases is updated to ``12-10-stable``.

This release requires Golang packages from ``buster-backports`` APT
repository, which will be installed by default via the :ref:`debops.golang`
role. Existing installations need to upgrade the Golang packages before the
playbook is applied.

- In the :ref:`debops.ansible` role, Ansible 2.9.x from the
``buster-backports`` repository will be installed on Debian Buster by
default, when backports are enabled.

- The :ref:`debops.mailman` role has been redesigned and now installs and
configures Mailman 3.x instead of Mailman 2.x. Read the
:ref:`mailman__ref_mailman2_migration` guide and the rest of the
:ref:`debops.mailman` documentation for details.

Continuous Integration
''''''''''''''''''''''

- The Vagrant provisioning script will install Ansible from PyPI by default.
The version included in the current Debian Stable (Buster) is too old for the
DebOps playbooks and roles.

General
'''''''

- The DebOps Collection published on Ansible Galaxy has been split into
multiple Collections due to the number of Ansible roles present in DebOps.
The ``debops.debops`` collection will install additional ``debops.rolesXY``
collections automatically via collection dependencies. The playbooks have
been updated to include new Collections.

- The DebOps repository is now compliant with the `REUSE Specification`__. The
`SPDX License Identifiers`__ have been added to the files contained in the
repository and a valid copyright and license information will be required to
pass the test suite.

.. __: https://reuse.software/spec/
.. __: https://spdx.org/ids

- In new DebOps environments, Ansible will ignore any missing inventory groups
using the ``host_pattern_mismatch`` parameter. This will disable the "Could
not match supplied host pattern" warning message present in most of the
playbooks included in DebOps. To disable this message in an existing
environment, add in the :file:`.debops.cfg` configuration file:

.. code-block:: ini

[ansible inventory]
host_pattern_mismatch = ignore

- The :command:`debops` script will now use the Ansible inventory path defined
in the :file:`.debops.cfg` configuration file ``[ansible defaults]`` section
instead of the static :file:`ansible/inventory/` path.

- The variables in various DebOps roles that define filesystem paths have been
switched from using the ``ansible_local.root.*`` Ansible local facts to the
new ``ansible_local.fhs.*`` facts defined by the :ref:`debops.fhs` role.
The new facts use the same base paths as the old ones; there should be no
issues if the variables have not been modified through Ansible inventory.

If you have redefined any ``core__root_*`` variables in the Ansible inventory
to modify the filesystem paths used by DebOps roles, you will need to update
the configuration. See the :ref:`debops.fhs` role documentation for details.

- The use of ``ansible_local.core.fqdn`` and ``ansible_local.core.domain``
local facts in roles to define the host DNS domain and FQDN has been removed;
the roles will use the ``ansible_fqdn`` and ``ansible_domain`` facts
directly. This is due to issues with the :ref:`debops.core` local facts not
updating when the host's domain is changed and causing the roles to use wrong
domain names in configuration.

:ref:`debops.cran` role
'''''''''''''''''''''''

- The custom ``cran`` Ansible module used by the role has been moved to the
:ref:`debops.ansible_plugins` role to allow it to be used via Ansible
Collection system, which requires all plugins to be centralized.

:ref:`debops.etc_aliases` role
''''''''''''''''''''''''''''''

- The custom filter plugin used by the role has been moved to the
:ref:`debops.ansible_plugins` role to allow it to be used via Ansible
Collection system, which requires all plugins to be centralized.

:ref:`debops.golang` role
'''''''''''''''''''''''''

- On Debian Buster, Golang APT packages from the ``buster-backports`` APT
repository will be preferred instead of their Buster version. This allows for
installation of applications that depend on a newer Go runtime environment,
like GitLab or MinIO.

:ref:`debops.lxd` role
''''''''''''''''''''''

- The support for the LXC containers managed by the :ref:`debops.lxc` role will
be applied on the host when the LXD is configured, due to the build
dependency on the ``lxc`` APT package. In this case, the ``lxcbr0`` network
bridge will not be configured by default.

:ref:`debops.mosquitto` role
''''''''''''''''''''''''''''

- Update the role for Debian Buster. No need anymore to install Python packages
outside of the system package management.

:ref:`debops.nginx` role
''''''''''''''''''''''''

- TLSv1.3 is now enabled by default for nginx version 1.13.0 and up.

:ref:`debops.nullmailer` role
'''''''''''''''''''''''''''''

- The Nullmailer smtpd service can now listen on both IPv4 and IPv6 addresses.
It listens on both loopback addresses by default, where it used to only
listen on the IPv6 loopback address.

:ref:`debops.owncloud` role
'''''''''''''''''''''''''''

- Support has been added for Nextcloud 17.0 and 18.0.

:ref:`debops.pki` role
''''''''''''''''''''''

- Use ``inventory_hostname`` variable instead of the ``ansible_fqdn`` variable
in paths of the directories used to store data on Ansible Controller. This
decouples the host FQDN and domain name from the certificate management tasks
in the role.

.. note:: The role will try to recreate existing X.509 certificates making
the playbook execution idempotent. Removing the PKI realms and
recreating them will fix this issue.

:ref:`debops.postfix` role
''''''''''''''''''''''''''

- The persistent configuration stored on the Ansible Controller has been
refactored and does not use multiple separate tasks to handle the JSON files.

:ref:`debops.rsyslog` role
''''''''''''''''''''''''''

- The role has been refreshed and uses the custom Ansible filter plugins to
manage the :command:`rsyslog` configuration files. The default configuration
was rearranged, the :file:`/etc/rsyslog.conf` configuration file has the
default contents that come with the Debian package and can be configured by
the role. The configuration model has been redesigned; any changes in the
configuration of the role set in the Ansible inventory need to be reviewed
before applying the new version.

- The ``rsyslog`` APT package and its service can be cleanly removed from the
host, either via the role or by uninstalling the package itself.

Removed
~~~~~~~

:ref:`debops.console` role
''''''''''''''''''''''''''

- The local and NFS mount support has been removed from the
:ref:`debops.console` role. Local mounts can be managed using the
:ref:`debops.mount` role; NFS mounts can be managed by the :ref:`debops.nfs`
role.

:ref:`debops.core` role
'''''''''''''''''''''''

- The ``ansible_local.uuid`` local fact and corresponding variables and tasks
have been removed from the role. A replacement fact, ``ansible_machine_id``
is an Ansible built-in.

- The ``ansible_local.init`` fact has been removed from the role. A native
``ansible_service_mgr`` Ansible fact is it's replacement.

- The ``ansible_local.cap12s`` fact has been removed from the role. A native
set of Ansible facts (``ansible_system_capabilities``,
``ansible_system_capabilities_enforced`` is be used as a replacement.

- The :file:`root.fact` script, corresponding variables and documentation have
been removed from the role. This functionality is now managed by the
:ref:`debops.fhs` role.

- The ``ansible_local.core.fqdn`` and ``ansible_local.core.domain`` local facts
and their corresponding default variables have been removed from the role. In
their place, ``ansible_fqdn`` and ``ansible_domain`` facts should be used
instead.

:ref:`debops.ntp` role
''''''''''''''''''''''

- The timezone configuration has been moved from the :ref:`debops.ntp` role to
the :ref:`debops.tzdata` role.

:ref:`debops.nullmailer` role
'''''''''''''''''''''''''''''

- The script and :command:`dpkg` hook that cleaned up the additional files
maintained by the role has been removed; the :ref:`debops.dpkg_cleanup` role
will be used for this purpose instead.

Fixed
~~~~~

General
'''''''

- Fix `an issue with Ansible Collections`__ where roles used via the
``include_role`` Ansible module broke due to the split into multiple
collections. All roles will now have the ``debops.debops`` collection
included by default in the :file:`meta/main.yml` file to tell Ansible where
to look for dependent roles.

.. __: https://github.com/ansible/ansible/issues/67723

- Fix an issue with the collection creation script where the role files that
contained multiple uses of a particular custom Ansible plugin, for example
``template_src`` or ``file_src``, were modified multiple times by the script.

:ref:`debops.apt` role
''''''''''''''''''''''

- Fix BeagleBoards detection with Debian 10 image.
Tested with a BeagleBoards Black.

:ref:`debops.cron` role
'''''''''''''''''''''''

- Fix creation of empty environment variables in :command:`cron` configuration
files managed by Ansible.

:ref:`debops.dnsmasq` role
''''''''''''''''''''''''''

- :envvar:`dnsmasq__public_dns` did not create a firewall allow rule when no
interfaces where specified.

:ref:`debops.ferm` role
'''''''''''''''''''''''

- Fixed incorrect removal of the ferm rule set by :ref:`debops.avahi` on
IPv6-enabled systems.

:ref:`debops.gitlab_runner` role
''''''''''''''''''''''''''''''''

- Don't re-create removed :file:`/etc/machine-id` contents during Vagrant box
creation. This should fix issues with IP addresses received from DHCP by the
Vagrant machines.

.. warning:: This fix is applied using the :command:`patch` command on the
files packaged by APT. Existing installations will have to be
updated manually, alternatively the changes applied previously
should be removed from the affected files before the role is
applied. See the patch files in the role :file:`files/patches/`
directory for more information.

- The GitLab package repository signing key has been replaced with the new key
that has been in use since 2020-04-06, allowing APT to update package lists
again. See the `GitLab.com blog`__ for more information about this change.

.. __: https://about.gitlab.com/releases/2020/03/30/gpg-key-for-gitlab-package-repositories-metadata-changing/

:ref:`debops.minio` role
''''''''''''''''''''''''

- Fix an issue during installation of recent MinIO releases, where during an
initial restart the MinIO service would switch into "safe mode" when
a problem with configuration is detected; this would prevent the service to
be restarted correctly. Now the service should be properly stopped by
:command:`systemd` after a stop timeout.

:ref:`debops.netbase` role
''''''''''''''''''''''''''

- Use short timeout for DNS queries performed by the Ansible local fact script,
in case that the DNS infrastructure is not configured. This avoids 60s
timeouts during Ansible fact gathering in such cases.

:ref:`debops.nginx` role
''''''''''''''''''''''''

- The role now always sets the HTTP Strict Transport Security header when it is
enabled, regardless of the response code.

:ref:`debops.postgresql_server` role
''''''''''''''''''''''''''''''''''''

- In the :command:`autopostgresqlbackup` script, use the
:command:`su - postgres` command instead of the :command:`su postgres`
command to start a login shell and switch to the correct home directory of
the ``postgres`` user instead of staying in the :file:`/root/` home
directory. This avoids the issue during execution of the script via
:command:`cron` where it would emit errors about not being able to change to
the :file:`/root/` home directory due to the permissions.

:ref:`debops.roundcube` role
''''''''''''''''''''''''''''

- Use the Roundcube version from Ansible local facts instead of the one defined
in role default variables to detect if a database migration is required after
Roundcube :command:`git` repository is updated.

:ref:`debops.slapd` role
''''''''''''''''''''''''

- Move the Private Enterprise Number and LDAP namespace OIDs of the DebOps
organization to a separate :file:`debops.schema` file to avoid duplicated
OIDs in the ``cn=schema`` LDAP subtree.

Existing installations might need to be recreated to avoid warnings about
duplicate OIDs emitted during OpenLDAP operations.

2.0.0

Not secure
-----------------------------

.. _debops v2.0.0: https://github.com/debops/debops/compare/v1.2.0...v2.0.0

Added
~~~~~

New DebOps roles
''''''''''''''''

- The :ref:`debops.lxd` role brings support for LXD on Debian hosts by building
the Go binaries from source, without Snap installation.

General
'''''''

- The DebOps Python package now includes the ``debops.<role>(5)`` manual pages
for most of the DebOps roles with details about role usage, variable
definition and the like. The manual pages are based on the existing role
documentation.

- The DebOps project directories can now include the
:file:`ansible/global-vars.yml` file which can be used to define :ref:`global
Ansible variables <global_vars>` that can affect playbook initialization.

:ref:`debops.docker_registry` role
''''''''''''''''''''''''''''''''''

- The :envvar:`docker_registry__basic_auth_except_get` variable allows to setup
a simple authentication schema without the need to deploy a fully blown
Docker Registry Token Authentication.

:ref:`debops.docker_server` role
''''''''''''''''''''''''''''''''

- Add `docker_server__install_virtualenv` setting to disable python virtualenv installation.

:ref:`debops.gitlab_runner` role
''''''''''''''''''''''''''''''''

- The role can now use DNS SRV resource records to find the GitLab API host
address. Additionally, GitLab Runner token can be stored in the
:file:`secret/` directory in a predetermined location to avoid exposing it
via the Ansible inventory. See the role documentation for details.

:ref:`debops.icinga` role
'''''''''''''''''''''''''

- The role now configures the Icinga REST API to also listen on IPv6 addresses.
It is possible to change the listen address and port through the
``icinga__api_listen`` and ``icinga__api_port`` variables.

:ref:`debops.nslcd` role
''''''''''''''''''''''''

- The role will now use a LDAP host filter by default, to allow for easy
control over what UNIX accounts and UNIX groups are present on which hosts
using the ``host`` LDAP attribute.

:ref:`debops.postgresql_server` role
''''''''''''''''''''''''''''''''''''

- A given PostgreSQL server cluster can be configured to enable `standby
replication mode`__, and receive streaming replication data from a master
PostgreSQL server. See role documentation for examples.

.. __: https://www.postgresql.org/docs/current/warm-standby.html

- The :command:`autopostgresqlbackup` script can be configured to tell the
:command:`pg_dump` command to compress the generated backup files on the fly
instead of creating a separate ``.sql`` file and compressing it afterwards.
This mode is currently disabled by default.

:ref:`debops.resolvconf` role
'''''''''''''''''''''''''''''

- The role can now define static DNS configuration to be merged with other DNS
data sources in the :file:`/etc/resolv.conf` configuration file.

:ref:`debops.roundcube` role
''''''''''''''''''''''''''''

- The Roundcube installation is now more integrated with the DebOps
environment. The role will automatically configure :ref:`Redis
<debops.redis_server>` and :ref:`memcached <debops.memcached>` support if
they are detected on the Roundcube host, which should improve application
performance.

- If LDAP infrastructure is detected on the host, Roundcube will be configured
to use the LDAP directory managed by DebOps as an address book.

- The ManageSieve Roundcube plugin will be enabled by default to allow
configuration of Sieve filter scripts. The role will use the DNS SRV resource
records to find the Sieve service host and port to use.

- The role can now use PostgreSQL as a database backend. The database server
can be managed with the :ref:`debops.postgresql_server` role.

:ref:`debops.slapd` role
''''''''''''''''''''''''

- The :ref:`mailservice <slapd__ref_mailservice>` LDAP schema has been added to
the :ref:`debops.slapd` role. It provides a set of object classes and
attributes useful for defining e-mail recipients and simple mail distribution
lists in the LDAP directory.

Changed
~~~~~~~

General
'''''''

- Reorder :file:`bootstrap.yml` Ansible playbook to also work for systems freshly
installed from CD. :ref:`debops.apt` needs to be run early to regenerate
:file:`/etc/apt/sources.list` which might still contain a now not functional
CD entry.

- Most of the role dependencies have been moved either to the playbooks or to
the role task lists using the ``import_role`` Ansible module.

- The official DebOps roles have been renamed and the ``debops.`` prefix has
been dropped from the directory names to better support Ansible Collections.
Custom playbooks and role dependencies which use the DebOps roles have to be
updated to work again.

- The :file:`<role_name>/env` "sub-roles" in various DebOps roles have been
redesigned for use via the ``import_role`` Ansible module to improve support
for Ansible Collections. Existing Ansible playbooks that use such "sub-roles"
will have to be updated; check the playbooks included in DebOps for the new
usage examples.

- The ``collections:`` keyword was added in all DebOps playbooks to support
usage with roles, modules and other plugins in an Ansible Collection. Due to
this, Ansible 2.8+ is required to use DebOps playbooks.

- The paths to the passwords stored in the :file:`secret/` directory by various
roles have been changed to use the ``inventory_hostname`` variable instead of
the ``ansible_fqdn`` variable. This change will result in passwords set in
various services to be regenerated, which might have an impact on service
availability. See :ref:`upgrade_notes` for details.

Updates of upstream application versions
''''''''''''''''''''''''''''''''''''''''

- The RoundCube version installed by the :ref:`debops.roundcube` role has been
updated to the `1.4.1 release`__, which includes a new "Elastic" theme
compatible with mobile devices, and other improvements.

Page 1 of 3

© 2024 Safety CLI Cybersecurity Inc. All Rights Reserved.