This file contains only general overview of the changes in the DebOps project. The detailed changelog can be seen using git log command.
You can read information about required changes between releases in the Upgrade notes documentation.
debops stable-1.0 - unreleased¶
- The Vagrant provisioning script will install Ansible from PyPI by default. The version included in the current Debian Stable (Buster) is too old for the DebOps playbooks and roles.
- Various improvements in the Vagrant box environment have been backported from
debops v1.0.17 - 2020-02-24¶
- The role can now manage PostgreSQL log files in a separate, custom directory.
- Add support for the
modification_timeparameters of the Ansible file module to the role.
- Correctly refresh the pam_mkhomedir(8) configuration on changes by removing and installing the snippet again.
- In the autopostgresqlbackup script, use the
su - postgres command instead of the su postgres
command to start a login shell and switch to the correct home directory of
postgresuser instead of staying in the
/root/home directory. This avoids the issue during execution of the script via cron where it would emit errors about not being able to change to the
/root/home directory due to the permissions.
- In the debops.pki hook script, use the correct configuration file name and check the Prosody configuration using the prosodyctl command.
Move the Private Enterprise Number and LDAP namespace OIDs of the DebOps organization to a separate
debops.schemafile to avoid duplicated OIDs in the
Existing installations might need to be recreated to avoid warnings about duplicate OIDs emitted during OpenLDAP operations.
debops v1.0.16 - 2020-01-30¶
- The DebOps project directories can now include the
ansible/global-vars.ymlfile which can be used to define global Ansible variables that can affect playbook initialization.
docker_registry__basic_auth_except_getvariable allows to setup a simple authentication schema without the need to deploy a fully blown Docker Registry Token Authentication.
- The firewall will accept the initial DHCPv6 solicit packets on the multicast port when IPv6 support is enabled.
- The role now configures the Icinga REST API to also listen on IPv6 addresses.
It is possible to change the listen address and port through the
- The autopostgresqlbackup script can be configured to tell the
pg_dump command to compress the generated backup files on the fly
instead of creating a separate
.sqlfile and compressing it afterwards. This mode is currently disabled by default.
- On Debian with the rsyslog service in unprivileged mode, update
permissions of the
/var/log/directory reset by the systemd unit file on boot to allow writes by the
Mail Transport Agents¶
postfix__mailnamevariables will use the host's FQDN address instead of the DNS domain as the mailname. This was done to not include the hostnames in the e-mail addresses, however this is better handled by Postfix domain nasquerading done on the mail relay host, which allows for exceptions, supports multiple DNS domains and does not break mail delivery in subtle ways. See the debops.nullmailer role documentation for an example configuration.
- The role will use gunicorn3 binary by default if the Python 3.x runtime environment is available on the host.
- Chrony will not listen on udp control port on loopback anymore. Unix sockets are a better way for chronyc to talk to chronyd where local access is controlled by file permissions. This is suggested in the Chrony FAQ "How can I make chronyd more secure?".
- Chrony: Support
*to make transitioning away from
- Chrony: Reduce default NTP servers considered as time source from 4 pool addresses (from which Chrony used 4 NTP servers each – 16 in total) to just 1 pool address – 4 NTP time sources in total.
- If both Devecot and Cyrus
services are installed on a host, Postfix will be configured to prefer Cyrus
for SASL authentication. This permits mail relay via the authenticated
nullmailer Mail Transfer Agents with accounts in
the LDAP directory. The preference can be changed using the
- Fix issue with GitLab Runner failing test jobs due to the default
~/.bash_logoutscript wiping the terminal on logout. The role will skip copying the
/etc/skel/contents on the new installations; existing script will be removed.
- Fix version detection via Ansible local fact script in Python 3.x runtime environment.
- Again, redirect the e-mail messages for local recipients to the central
roote-mail account (but local to the SMTP relay). This fixes an issue where e-mail messages were left in the mail queue and filled the disk space.
debops v1.0.15 - 2020-01-09¶
bootstrap.ymlAnsible playbook to also work for systems freshly installed from CD. debops.apt needs to be run early to regenerate
/etc/apt/sources.listwhich might still contain a now not functional CD entry.
- Quote octal values in various roles to prevent wrong interpretation by Ansible modules.
debops v1.0.14 - 2019-12-01¶
- A new Ansible module,
dpkg_divert, can be used to divert the configuration files out of the way to preserve them and avoid issues with package upgrades. The module is available in the debops.ansible_plugins role.
- The execution time of the
monthlycron jobs will be randomized on a per-host basis to avoid large job execution spikes every morning. See the role documentation for more details.
- The role will install the
libsasl2-modulesAPT package to allow SASL authentication to the LDAP directory.
The access to the OpenLDAP service configured using the debops.slapd role now requires explicit firewall and TCP Wrappers configuration to allow access from trusted IP addresses and subnets. You can use the
slapd__*_allowvariables in the Ansible inventory to specify the IP addresses and subnets that can access the service.
To preserve the old behaviour of granting access by default from anywhere, you can set the
nullmailer__adminaddrlist is set to empty by default to not redirect all e-mail messages sent through the nullmailer service to the
rootaccount. This should be done on the relayhost instead.
smtpdLDAP profile will use the
authorizedServicevalues in the form of
<class>:<type>to be compatible with the new
debops.postldapAnsible role. The specific values have also been changed, you might need to update the LDAP attributes to match the new values.
- Users can now use their e-mail addresses specified in the
debops v1.0.13 - 2019-11-13¶
try_filesoption in the PHP location blocks can be overridden using the
- The role will install the
libsasl2-modulesAPT package when Postfix
authcapability is enabled, to allow for the SASL authentication to work.
- The Access Control List rules can now be tested using the slapacl(8) command via a generated test suite script.
- Enable Referential Integrity overlay for most of the LDAP attributes that use the Distinguished Names as values.
- New "SMS Gateway" LDAP role grants read-only access to the
mobileattribute by SMS gateways. This is needed for implementing 2-factor authentication via SMS messages.
The default Ansible callback plugin used by DebOps is changed to
yaml, which gives a cleaner look for various outputs and error messages. The callback plugin will be active by default in new DebOps project directories; in existing directories users can add:
[ansible defaults] stdout_callback = yaml
iputils-pingpackage in the
Dockerfilefor the ping command to be available in the Docker environment.
The DebOps files inside of the Docker container will be owned by the
ansibleunprivileged UNIX account to make runtime modification possible.
ldap/init-directory.ymlplaybook has been updated to use the new
ou=Roles,dc=example,dc=orgLDAP subtree, which will contain various
organizationalRoleobjects. After updating the OpenLDAP Access Control List using the debops.slapd role, you can use the playbook on an existing installation to create the missing objects.
cn=UNIX SSH usersLDAP objects will be created in the
ou=Groups,dc=example,dc=orgLDAP subtree. On existing installations, these objects need to be moved manually to the new subtree, otherwise the playbook will try to create them and fail due to duplicate UID/GID numbers which are enforced to be unique. You can move the objects using an LDAP client, for example Apache Directory Studio.
ou=System Groups,dc=example=dc,orgsubtree will not be created anymore. On existing installations this subtree will be left intact and can be safely removed after migration.
listen.backlogPHP-FPM option will be set to
511by default. It is also exposed as the
php__fpm_listen_backlogdefault variable and can be modified by the
- Support for the
465TCP port for message submission over Implicit TLS is no longer deprecated (status changed by the RFC 8314 document) and will be enabled by default with the
- The default primary group of the lookup tables has been changed to
postfix, default mode for new lookup tables will be set to
0640. This change helps secure lookup tables that utilize remote databases with authentication.
- Postfix lookup tables can now use shared connection configuration defined in a YAML dictionary to minimize data duplication. See the postfix__lookup_tables documentation for more details.
- Explicitly set the Postfix configuration state to ensure that it works from dependent role configuration stored on the Ansible Controller.
employeeNumberattribute in the
ou=People,dc=example,dc=orgLDAP subtree will be constrained to digits only, and the LDAP directory will enforce its uniqueness in the subtree. This allows the attribute to be used for correlation of personal LDAP objects to RDBMS-based databases.
ou=People,dc=example,dc=orgLDAP subtree to globally unique, due to its use for authentication purposes. The attribute will be indexed by default.
The default ACL rules have been overhauled to add support for the
ou=Roles,dc=example,dc=orgsubtree and use of the
organizationalRoleLDAP objects for authorization. The old set of rules is still active to ensure that the existing environments work as expected.
If you use a modified ACL configuration, you should include the new rules as well to ensure that changes in the debops.ldap support are working correctly.
You can now hide specific LDAP objects from unprivileged users by adding them to a special
cn=Hidden Objects,ou=Groups,dc=example,dc=orgLDAP group. The required ACL rule will be enabled by default; the objects used to control visibility will be created by the
Access to the
homePostalAddressattributes has been restricted to privileged accounts only (administrators, entry owner). The values cannot be seen by unprivileged and anonymous users.
Write access to the
ou=SUDOers,dc=example,dc=orgLDAP subtree has been restricted to the members of the "UNIX Administrators" LDAP group.
- Fix an issue in the
php.conf.j2server template when an
item.locationparameter is specified, overridding the default set of
locationblocks defined in the
default.conf.jtemplate. If the
/location is not specified in the
item.locationdictionary, a default one will be included by the role.
- Fix a "variable is undefined" issue when the
service/owncloud.ymlAnsible playbook is executed with the
- Disable the
smtpd_helo_restrictionsoption on the
smtpsTCP ports when the authentication and MX lookups are enabled. This should fix an issue where SMTP client sends the host's IP address as its HELO/EHLO response, which might not be configurable by the user.
debops v1.0.12 - 2019-10-25¶
- Better default value for dropbear_initramfs__network_device by
detecting the default network interface using Ansible facts instead of the
debops v1.0.11 - 2019-10-14¶
ldap/get-uuid.ymlAnsible playbook can be used to convert LDAP Distinguished Names to UUIDs to look up the password files if needed.
- Ensure that the
/run/network/directory exists, in case that the system is not configured by ifupdown package initially, e.g. recent Ubuntu releases.
Newly created PKI realms will have a new
public/full.pemfile which contains the full X.509 certificate chain, including the Root CA certificate, which might be required by some applications that rely on TLS.
Existing PKI realms will not be modified, but Ansible roles that use the PKI infrastructure might expect the new files to be present. It is advisable to recreate the PKI realms when possible, or create the missing files manually.
- The lastbind overlay will be enabled by default. This overlay records the timestamp of the last successful bind operation of a given LDAP object, which can be used to, for example, check the date of the last successful login of a given user account.
- Add support for nextcloud LDAP schema which provides attributes needed to define disk quotas for Nextcloud user accounts.
- Don't install the
php-mcryptpackage, it's not required by base DokuWiki installation.
The GitLab project has changed its codebase structure, because of that the Gitlab CE git repository has been moved to a new location, https://gitlab.com/gitlab-org/gitlab-foss/. The role has been updated accordingly. Existing installations should work fine after the new codebase is cloned, but if unsure, users should check the change first in a development environment.
- The role will reset the LDAP host attributes defined in the
ldap__device_attributesvariable on first configuration in case that the host has been reinstalled and some of their values changed (for example different IP addresses). This should avoid leaving the outdated attributes in the host LDAP object.
debops v1.0.10 - 2019-09-28¶
ldap/init-directory.ymlAnsible playbook will create the LDAP obejects
cn=Password Reset Agentsto allow other Ansible roles to utilize them without the need for the system administrator to define them by hand.
- The role can now be used to authenticate users of different services against the LDAP directory via integration with the debops.ldap role and its framework. Multiple LDAP profiles can be used to provide different access control for different services.
Updates of upstream application versions¶
- In the debops.owncloud role, the default Nextcloud version has been
15.0, because the
14.0release has reached End of Life.
debops v1.0.9 - 2019-09-08¶
- Add more entries to be ignored by default by the git command in
the DebOps project directories:
debops: ignore DebOps monorepo cloned or symlinked into the project directory.
playbooks: ignore roles and playbooks in development; production code should be put in the
- The debops-init script now also creates the .gitattributes file for use with git-crypt. It is commented out by default.
- The debops-defaults command will check what pagers (view, less, more) are available and use the best one automatically.
- The open-vm-tools APT package will be installed by default in VMware virtual machines.
$VAGRANT_HOSTNAMEvariable can be used to override the dynamically generated hostname of the Vagrant
- External commands used in the DebOps scripts have been defined as constants to allow easier changes of the command location in various operating systems, for example Guix.
- The mode of the dhcpd configuration files is changed from
0640to ensure that the DNS update keys are not world-readable.
- Enable substring index for the
sudoUserattribute from the sudo LDAP schema. Existing installations should be updated manually via the LDAP client, by setting the value of the
- Add indexes for the
hostattributes from the ldapns LDAP schema and the
gidattribute from the posixGroupId LDAP schema. This should improve performance in UNIX environments connected to the LDAP directory.
- On Ubuntu hosts, the role will fix the configuration installed by the
lxd package to use
bind-dynamicoption instead of
bind-interfaces. This allows the dnsmasq service to start correctly.
debops v1.0.8 - 2019-08-24¶
distroPython package has been added as the DebOps dependency. The package is used by the debops-init script to detect the operating system used on the Ansible Controller, and is a replacement for the deprecated
- Add a way to specify additional parameters for the openssl dhparam
command via the
- The debops-defaults script now supports Ansible roles with
- Ansible local fact scripts in multiple roles have been updated to work correctly in a Python 3.x environment.
- Fixed deprecation warning on Ansible 2.8 in the debops-task script.
- Fixed issues with debops-defaults script encoding output to
stdinof a different process vs output to a pipe.
ldap_attrsAnsible module has been fixed to work correctly in a Python 3.x environment.
- Don't open the
67/tcpport for BOOTP protocol, its definition has been removed from the
/etc/servicesfile in Debian Buster.
debops v1.0.7 - 2019-08-09¶
- Small code cleanup in the debops-init and setup.py scripts.
- Change the regexp pattern used to create the LDAP BaseDN value.
- Make git-based installation steps resilient by retrying failed repository clones in case of timeouts.
- Change the default mode of runtime directories from
755to avoid warning messages from systemd about mismatched directory mode.
- Don't set
UDebComponentsoptions if they are not explicitly defined in the configuration.
- Change the default value of the
map to guestoption from
neverwhich should help resolve issues when users connect to the Samba server with incorrect credentials.
- Set the
$USERvariable in Docker container environment. This variable is required by some DebOps roles but is not set by default by Docker.
- Make sure logical volumes will only be shrinked when volume item defines
- Don't restart systemd-logind service when the playbook is run
localhost, to avoid breaking existing user sessions, which might require a reboot to fix.
- Include missing "group' and "host" authorized keys
variables in the
- Don't stop the playbook if the host SSH keys don't exist yet (OpenSSH service
was not installed on
- Make sure that the
/run/sshddirectory exists on first install, otherwise the configuration test breaks.
- Fix off-by-one error in role tasks that manage the
debops v1.0.6 - 2019-07-26¶
- The Travis-CI tests will be done using Python 3.7 only. Python 2.7 support will be dropped in 2020, it's time to prepare.
- Add the
become: Trueparameter to the bootstrap playbooks to improve usability.
The role will no longer set a custom MariaDB
rootpassword, because the
mysql_userAnsible 2.8 module breaks access to the MariaDB database via the UNIX
rootaccount by removing the
unix_socketplugin access and not setting the
mysql_native_passwordplugin. A password for the UNIX
rootaccount is not needed in the recent MariaDB releases in Debian, therefore this shouldn't impact the usage.
mysql_userAnsible module lacks a way to control the authentication plugin for a given MariaDB account, therefore it's not advisable to mess with the
rootaccess to the database.
The role has been updated to NetBox version
v2.6.1. Redis service is now required for NetBox; it can be installed separately via the debops.redis_server Ansible role.
This change was backported because without it, the NetBox installation using DebOps
stable-1.0branch is broken.
- Change the default names of the PHP status and ping pages to
/ping.phpto make them compatible with the default PHP
- Expand the list of APT packages preferred from the Sury repository when it is enabled.
- Update Debian codenames and suites after Debian Buster release.
- Don't include the
/etc/icinga2/repository.d/directory in Icinga 2.8.0+ configuration.
- Ensure that when LDAP SRV record lookup returns
NODATA, role falls back to the static FQDN. This might happen when wildcard DNS records are configured on a given domain.
debops v1.0.5 - 2019-07-12¶
- The Debian and Raspbian suites have been updated to reflect the release of Debian Buster. Congratulations!
- Expose the configuration of the Sieve directory and configuration file via role default variables.
- Do not try to manage the hostname in LXC, Docker or OpenVZ containers by default. We assume that these containers are unprivileged and their hostname cannot be changed from the inside of the container.
- Remove comments from the PAM configuration file to stop the pam-auth-update script from complaining about them.
- Divert the sysctl configuration file that comes with the Elasticsearch .deb package to fix use of the sysctl --system command inside containers. The configuration will be applied by the debops.sysctl role instead.
- Avoid gathering MAC addresses from network interfaces that do not have them, for example interfaces with multiple IPv4 addresses.
debops v1.0.4 - 2019-06-25¶
ldap/init-directory.ymlAnsible playbook will create an LDAP group object for SSH users, equivalent to the
sshusersgroup created by the debops.system_groups role. LDAP accounts in this group will be able to access SSH service from any host. Existing installations might need to be updated manually to fix UID/GID or LDAP DN conflicts.
- The role dependencies defined in the
meta/main.ymlfiles in roles published in the Ansible Galaxy Collection will have their
debops.prefix removed to make the roles usable.
debops v1.0.3 - 2019-06-21¶
- The role will not disable needrestart kernel hints if the
needrestartAPT package installation is disabled. This fixes an issue with the
/etc/needrestart/conf.d/directory not being present on the host.
debops v1.0.2 - 2019-05-31¶
- Fix idempotency issue with yadm updating repositories on newer OS releases with changed git output. The roles will also work without yadm installed when user accounts have dotfiles enabled explicitly.
debops v1.0.1 - 2019-05-23¶
- Don't restart the systemd-logind service on
/etc/nsswitch.conffile changes if DebOps is running against
localhost, to avoid breaking the existing user session.
debops v1.0.0 - 2019-05-22¶
New DebOps roles¶
- The debops.docker_registry role provides support for Docker Registry. The role can be used as standalone or as a backend for the GitLab Container Registry service, with debops.gitlab role.
- The debops.ldap role sets up the system-wide LDAP configuration on
a host, and is used as the API to the LDAP directory by other Ansible roles,
playbooks, and users via Ansible inventory. The role is included in the
common.ymlplaybook, but is disabled by default.
- The debops.nslcd role can be used to configure LDAP lookups for NSS and PAM services on a Linux host.
- The debops.pam_access role manages PAM access control files located in
/etc/security/directory. The role is designed to allow other Ansible roles to easily manage their own PAM access rules.
- The debops.yadm role installs the Yet Another Dotfiles Manager script and ensures that additional shells are available. It can also mirror dotfiles locally. The role is included in the common playbook.
- The debops.system_users role replaces the
debops.bootstraprole and is used to manage the local system administrator accounts. It is included in the
common.ymlplaybook as well as the bootstrap playbooks.
- The DebOps project has been registered in the IANA Private Enterprise
Numbers registry, with PEN number
53622. The project documentation contains an OID registry to track custom LDAP schemas, among other things.
- Support for Ansible Collections managed by the Mazer Content Manager has been implemented in the repository. Ansible Collections will be usable after June 2019, when support for them is enabled in the Ansible Galaxy service.
- A new
bootstrap-ldap.ymlAnsible playbook can be used to bootstrap Debian/Ubuntu hosts with LDAP support enabled by default. The playbook will configure only the services required for secure LDAP access (PKI, SSH, PAM/NSS), the rest should be configured using the common playbook.
Systems with the End of Life Debian releases (
wheezy) installed will be configured to use the Debian Archive repository as the main APT sources instead of the normal Debian repository mirrors. These releases have been moved out of the main repositories and are not fully available through normal means. The periodic updates of the APT archive repositories on these systems will be disabled via the debops.unattended_upgrades role, since the EOL releases no longer receive updates.
The Debian LTS release (
jessie) APT repository sources will use only the main and security repositories, without updates or backports. See the information about the Debian LTS support for more details.
- Users can now disable default route advertisement in the
lxc-netDHCP service. This is useful in cases where LXC containers have multiple network interfaces and the default route should go through a different gateway than the LXC host.
- The lxc-new-unprivileged script will add missing network interface
stanzas in the container's
/etc/network/interfacesfile, by default with DHCP configuration. This will happen only on the initialization of the new container, when a given LXC container has multiple network interfaces defined in its configuration file.
- The role will automatically generate configuration which redirects short
hostnames or subdomains to their FQDN equivalents. This allows HTTP clients
to reach websites by specifying their short names via DNS suffixes from
/etc/resolv.conffile, or using
*.localdomain names managed by Avahi/mDNS to redirect HTTP clients to the correct FQDNs.
- Some lists can now configure ACL entries on the destination files or
directories using the
item.aclparameter. Take a look to ACL support section to have the list of compatibles variables.
- New resources__commands variables can be used to define simple shell commands or scripts that will be executed at the end of the debops.resources role. Useful to start new services, but it shouldn't be used as a replacement for a fully-fledged Ansible roles.
- The role is now integrated with the debops.ldap Ansible role and can
configure the sudo service to read
sudoersconfiguration from the LDAP directory.
Updates of upstream application versions¶
- The debops.gitlab role will install GitLab 11.10 on supported platforms (Debian Buster, Ubuntu Bionic), existing installations will be upgraded.
- In the debops.phpipam role, the relevant inventory variables have been renamed, check the Upgrade notes for details. The role now uses the upstream phpIPAM repository and it installs version 1.3.2.
- In the debops.php role, because of the PHP 7.0 release status changed to End of life at the beginning of 2019, Ondřej Surý APT repository with PHP 7.2 packages will be enabled by default on Debian Jessie and Stretch as well as Ubuntu Trusty and Xenial. Existing debops.php installations shouldn't be affected, but the role will not try to upgrade the PHP version either. Users should consider upgrading the packages manually or reinstalling services from scratch with the newer version used by default.
- In the debops.rstudio_server role, the supported version has been
updated to v1.2.1335. The role no longer installs
libssl1.0.0from Debian Jessie on Debian Stretch, since the current version of the RStudio Server works in the default Stretch environment. The downloaded
.debpackage will be verified using the RStudio Inc. GPG signing key before installation.
- In the debops.docker_gen role, the docker-gen version that this role installs by default has been updated to version 0.7.4. This release notably adds IPv6 and docker network support.
- The debops.cron role will be applied much earlier in the
common.ymlplaybook because the debops.pki role depends on presence of the cron daemon on the host.
- Bash scripts and
commandAnsible modules now use relative bash interpreter instead of an absolute
/bin/bash. This should help make the DebOps roles more portable, and prepare the project for the merged
/usr/bindirectories in a future Debian release.
Mail Transport Agents¶
/etc/mailnameconfiguration file will contain the DNS domain of a host instead of the FQDN address. This will result in the mail senders that don't specify the domain part to have the DNS domain, instead of the full host address, added by the Mail Transport Agent. This configuration should work better in clustered environments, where there is a central mail hub/MX that receives the mail and redirects it.
- The GitLab playbook will import the debops.docker_registry playbook to ensure that configuration related to Docker Registry defined in the GitLab service is properly applied during installation/management.
The lxc-prepare-ssh script will read the public SSH keys from specific files (
rootkey file, and the
$SUDO_USERkey file) and will not accept any custom files to read from, to avoid possible security issues. Each public SSH key listed in the key files is validated before being added to the container's
The lxc-new-unprivileged script will similarly not accept any custom files as initial LXC container configuration to fix any potential security holes when used via sudo. The default LXC configuration file used by the script can be configured in
- The MariaDB user
rootis no longer dropped. This user is used for database maintenance and authenticates using the
unix_authplugin. However, DebOps still maintains and sets a password for the
rootUNIX account, stored in the
- The role will be disabled by default in Docker containers. In this
/etc/hostsfile is managed by Docker and cannot be modified from inside of the container.
- The role will not perform any tasks related to occ command if the
automatic setup is disabled in the
owncloud__autosetupvariable. In this mode, the occ tasks cannot be performed by the role because the ownCloud/Nextcloud installation is not finished. The users are expected to perform necessary tasks themselves if they decide to opt-out from the automatic configuration.
The PHP version detection has been redesigned to use the apt-cache madison command to find the available versions. The role will now check the current version of the
phpAPT package to select the available stable PHP version. This unfortunately breaks support for the
php5packages, but the
php5.6packages from Ondřej Surý APT repository work fine.
The role will install the composer command from the upstream GitHub repository on older OS releases, including Debian Stretch (current Stable release). This is due to incompatibility of the
composerAPT package included in Debian Stretch and PHP 7.3.
- If the debops.ldap Ansible role has been applied on a host, the
debops.root_account role will use the UID/GID ranges defined by it,
which include UIDs/GIDs used in the LDAP directory, to define subUID/subGID
range of the
rootaccount. This allows usage of the LDAP directory as a source of UNIX accounts and groups in unprivileged containers. Existing systems will not be changed.
- Management of the
rootdotfiles has been removed from the debops.users role and is now done in the debops.root_account role, using the yadm script. Users might need to clean out the existing dotfiles if they were managed as symlinks, otherwise yadm script will not be able to correctly deploy the new dotfiles.
The role has been redesigned from the ground up, with support for N-Way Multi-Master replication, custom LDAP schemas, Password Policy and other functionality. The role uses custom
ldap_attrsAnsible module included in the debops.ansible_plugins role for OpenLDAP management.
The OpenLDAP configuration will definitely break on existing installations. It's best to set up a new OpenLDAP server (or replicated cluster) and import the LDAP directory to it afterwards. See role documentation for more details.
The access control based on UNIX groups defined in the
/etc/ssh/sshd_configfile has been removed. Instead, the OpenSSH server uses the PAM access control configuration, managed by the debops.pam_access Ansible role, to control access by users/groups/origins. OpenSSH service uses its own access control file, separate from the global
The role will enable client address resolving using DNS by setting the
UseDNS yesoption in OpenSSH server configuration. This parameter is disabled by default in Debian and upstream, however it is required for the domain-based access control rules to work as expected.
When the LDAP support is configured on a host by the debops.ldap role, the debops.sshd role will use the resulting infrastructure to connect to the LDAP directory and create the
sshdLDAP account object for each host, used for lookups of the SSH keys in the directory. The SSH host public keys will be automatically added or updated in the LDAP device object to allow for centralized generation of the
~/.ssh/known_hostsfiles based on the data stored in LDAP.
The role will no longer create a separate
sshd-lookupUNIX account to perform LDAP lookups; the existing
sshdUNIX account will be used instead. The ldapsearch command used for lookups will default to LDAP over TLS connections instead of LDAPS.
- If the LDAP support is enabled on a host via the debops.ldap role, the
UNIX system groups created by the debops.system_groups role by default
will use a
_prefix to make them separate from any LDAP-based groups of the same name. Existing installations should be unaffected, as long as the updated debops.system_groups role was applied before the debops.ldap role.
- The packages from the
stable-updatesAPT repository section will be automatically upgraded by default, the same as the packages from Debian Security repository. This should cover important non-security related upgrades, such as timezone changes, antivirus database changes, and similar.
- If automatic reboots are enabled, VMs will not reboot all at the same time to avoid high load on the hypervisor host. Instead they will reboot at a particular minute in a 15 minute time window. For each host, a random but random-but-idempotent time is chosen. For hypervisor hosts good presets cannot be picked. You should ensure that hosts don’t reboot at the same time by defining different reboot times in inventory groups.
The management of the user dotfiles in the debops.users role has been redesigned and now uses the yadm script to perform the actual deployment. See debops.yadm for details about installing the script and creating local dotfile mirrors. The users__accounts variable documentation contains examples of new dotfile definitions.
The role now uses the
libuserlibrary via the Ansible
usermodules to manage local groups and accounts. This should avoid issues with groups and accounts created in the LDAP user/group ranges.
libuserlibrary by default creates home directories with
0700permissions, which is probably too restrictive. Because of that, the role will automatically change the home directory permissions to
0751(defined in the
users__default_home_modevariable). This also affects existing UNIX accounts managed by the role; the mode can be overriden using the
users__*_resourcesvariables have been reimplemented as the
item.resourcesparameter of the
users__*_accountsvariables. This removes the unnecessary split between user account definitions and definitions of their files/directories.
Roles removed from DebOps¶
debops.sftpusersAnsible role has been removed. Its functionality is now implemented by the debops.users role, custom bind mounts can be defined using the debops.mount role.
debops.bootstrapAnsible role has been removed. Its replacement is the debops.system_users which is used to manage system administrator accounts, via the
common.ymlplaybook and the bootstrap playbooks.
- Use the
redis.conffile to lookup passwords via the redis-password script. This file has the
redis-authUNIX group and any accounts in this group should now be able to look up the Redis passwords correctly.
- The role will check if the X.509 certificate and the private key used for TLS communication were correctly configured in the OpenLDAP server. This fixes an issue where configuration of the private key and certificate was not performed at all, without any actual changes in the service, with subsequent task exiting with an error due to misconfiguration.
debops v0.8.1 - 2019-02-02¶
New DebOps roles¶
- The debops.redis_server and debops.redis_sentinel roles, that
replace the existing
debops.redisAnsible role. The new roles support multiple Redis and Sentinel instances on a single host.
- The debops.freeradius role can be used to manage FreeRADIUS service, used in network management.
- The debops.dhcp_probe role can be used to install and configure dhcp_probe service, which passively detects rogue DHCP servers.
- The debops.mount role allows configuration of
/etc/fstabentries for local devices, bind mounts and can be used to create or modify directories, to permit access to resources by different applications. The role is included by default in the
- Ansible roles included in DebOps are now checked using ansible-lint tool. All existing issues found by the script have been fixed.
- The hosts managed by the DebOps Vagrant environment will now use Avahi to
detect multiple cluster nodes and generate host records in the
/etc/hostsdatabase on these nodes. This allows usage of real DNS FQDNs and hostnames in the test environment without reliance on an external DHCP/DNS services.
- DebOps roles are now tagged with
skip::<role_name>Ansible tags. You can use these tags to skip roles without any side-effects; for example "<role_name>/env" sub-roles will still run so that roles that depend on them will work as expected.
- You can use the make versions command in the root of the DebOps
monorepo to check currently "pinned" and upstream versions of third-party
software installed and managed by DebOps, usually via git
repositories. This requires the uscan command from the Debian
devscriptsAPT package to be present.
- The role will now generate configuration for the debops.sysctl role and use it in the playbook as a dependency, to configure kernel parameters related to packet forwarding on managed network interfaces. This functionality replaces centralized configuration of packet forwarding on all network interfaces done by the debops.ferm role.
New lxc-hwaddr-static script can be used to easily generate random but predictable MAC addresses for LXC containers.
The script can be run manually or executed as a "pre-start" LXC hook to configure static MAC addresses automatically - this usage is enabled by default via common LXC container configuration.
The lxc_ssh.py Ansible connection plugin is now included by default in DebOps. This connection plugin can be used to manage remote LXC containers with Ansible via SSH and the lxc-attach command. This requires connection to the LXC host and the LXC container via the
rootaccount directly, which is supported by the DebOps playbooks and roles.
The role can now manage LXC containers, again. This time the functionality is implemented using the
lxc_containerAnsible module instead of a series of shell tasks. By default unprivileged LXC containers will be created, but users can change all parameters supported by the module.
The role will now configure a
lxcbr0bridge with internal DNS/DHCP server for LXC containers, using the
lxc-netservice. With this change, use of the debops.ifupdown role to prepare a default bridge for LXC containers is not required anymore.
- When a large number of hosts is defined for the
/etc/hostsdatabase, the role will switch to generating the file using the
templateAnsible module instead of managing individual lines using the
lineinfilemodule, to make the operation faster. As a result, custom modifications done by other tools in the host database will not be preserved.
- The role can now configure the hostname in the
/etc/hostnamefile, as well as the local domain configuration in
- The role will install the
composerAPT package on Debian Stretch, Ubuntu Xenial and their respective newer OS releases.
- The role will reserve a set of UID/GID ranges for subordinate UIDs/GIDs owned
rootaccount (they are not reserved by default). This can be used to create unprivileged LXC containers owned by
root. See the release notes for potential issues on existing systems.
- You can now configure the state and contents of the
/root/.ssh/authorized_keysfile using the debops.root_account role, with support for global, per inventory group and per host SSH keys.
- The test suite will now check POSIX shell scripts along with Bash scripts for any issues via the shellcheck linter. Outstanding issues found in existing scripts have been fixed.
- The debops.root_account role will be executed earlier in the
common.ymlAnsible playbook to ensure that the
rootUID/GID ranges are reserved without issues on the initial host configuration.
- Various filter and lookup Ansible plugins have been migrated from the playbook directory to the debops.ansible_plugins role. This role can be used as hard dependency in other Ansible roles that rely on these plugins.
- The order of the roles in the common playbook has been changed; the
debops.users role will be applied before the debops.resources
role to allow for resources owned by UNIX accounts/groups other than
debopsPython package has dropped the hard dependency on Ansible. This allows DebOps to be installed in a separate environment than Ansible, allowing for example to mix Homebrew Ansible with DebOps from PyPI on macOS. The installation instructions have also been updated to reflect the change.
- The debops-init script will now generate new Ansible inventory files using the hostname as well as a host FQDN to better promote the use of DNS records in Ansible inventory.
If the Docker host uses a local nameserver, for example dnsmasq or unbound, Docker containers might have misconfigured DNS nameserver in
127.0.0.1. In these cases, the debops.docker role will configure Docker to use the upstream nameservers from the host, managed by the
If no upstream nameservers are available, the role will not configure any nameserver and search parameters, which will tell Docker to use the Google nameservers.
The role will now install GitLab 10.8 by default, on Debian Stretch and Ubuntu Xenial. The 11.x release now requires Ruby 2.4+, therefore it will only be installed on newer OS releases (Debian Buster, Ubuntu Bionic).
The role has been updated to use Ansible local facts managed by the debops.redis_server Ansible role. Redis Server support has been removed from the GitLab playbook and needs to be explicitly enabled in the inventory for GitLab to be installed correctly. This will allow to select between local Server or Sentinel instance, to support clustered environments.
Check the Upgrade notes for issues with upgrading Redis Server support on existing GitLab hosts.
- The GRUB configuration has been redesigned, role now uses merged variables to
make configuration via Ansible inventory or dependent role variables easier.
The GRUB configuration is now stored in the
/etc/default/grub.d/directory to allow for easier integration with other software. See the debops.grub documentation for more details.
- The user password storage path in
secret/directory has been changed to use the
inventory_hostnamevariable instead of the
ansible_fqdnvariable. This change will force regeneration of password hashes in existing installations, but shouldn't affect host access (passwords stay the same).
- The role depends on debops.python now to install the required packages. Please update your custom playbooks accordingly.
- The role will no longer install non-free firmware by default. This is done
to solve the connectivity issues with
- The default dashboard in LibreNMS is changed from the
pages/front/tiles.phpwhich allows for better customization.
- The role will configure the default subUIDs and subGIDs for unprivileged LXC
containers based on the configured subordinate UID/GID ranges for the
- The lxc-prepare-ssh script will now install SSH public keys from
the user account that is running the script via sudo instead of
rootaccount, which is usually what you want to do if other people manage their own LXC containers on a host.
- The LXC configuration managed by the role will use the systemd
lxc@.serviceinstances to manage the containers instead of using the lxc-* commands directly. This allows the containers to be shut down properly without hitting a timeout and forced killing of container processes.
- The role will now use Ansible facts managed by the debops.redis_server role to configure Redis support.
- Drop support for Nextcloud 12.0 which is EOF. Add support for Nextcloud 14.0 and 15.0 and make Nextcloud 14.0 the default Nextcloud version.
The hostname and domain configuration during bootstrapping is now done by the debops.netbase Ansible role. The default for this role is to remove the
127.0.1.1host entry from the
/etc/hostsfile to ensure that domain resolution relies on DNS.
If you are using local domain configured in
/etc/hostsfile, you should define the
netbase__domainvariable in the Ansible inventory with your desired domain.
The role is redesigned to use list variables instead of YAML dictionaries for the
/etc/hostsdatabase. This allows for adding the host IPv4 and/or IPv6 addresses defined by Ansible facts when the custom local domain is enabled. See netbase__hosts for details. The role has also been included in the
common.ymlplaybook to ensure that the host database is up to date as soon as possible.
- The role should now correctly revert custom patch to allow user
/etc/grub.d/10_linuxscript, when the user list is empty.
- The role should now work correctly in Ansible
--checkmode before the Ansible local fact script is installed.
Roles removed from DebOps¶
debops.redisAnsible role has been removed. It has been replaced by the debops.redis_server and debops.redis_sentinel Ansible roles. The new roles use their own Ansible inventory groups, therefore they will need to be explicitly enabled to affect existing hosts.
You can use the debops.debops_legacy Ansible role to clean up old configuration files, directories and diversions of
debops.redisrole from remote hosts.
ldap_attrAnsible modules have been removed. They are now included in Ansible core, there's no need to keep a separate copy in the playbook.
ansible_local.root.uuidlocal facts have been removed. They are replaced by
ansible_local.uuidlocal facts, respectively.
Automated configuration of packet forwarding with
FORWARDchain rules and sysctl configuration has been removed from the role. Per-interface packet forwarding is now configurable using the debops.ifupdown role, and you can still use the debops.ferm and debops.sysctl roles to design custom forwarding configuration.
debops v0.8.0 - 2018-08-06¶
New DebOps roles¶
- The debops.netbase role: manage local host and network database in
- The debops.sudo role: install and manage sudo
configuration on a host. The role is included in the
- The debops.system_groups role: configure UNIX system groups used on
DebOps hosts. The role is included in the
- The debops.debops_legacy role: clean up legacy files, directories, APT packages or dpkg-divert diversions created by DebOps but no longer used. This role needs to be executed manually, it's not included in the main playbook.
- The debops.python role: manage Python environment, with support for
multiple Python versions used at the same time. The role is included in the
- Icinga 2 support has been implemented with debops.icinga, debops.icinga_db and debops.icinga_web Ansible roles.
- The DebOps installation now depends on the dnspython Python library. This
allows usage of the
digAnsible lookup plugin in DebOps roles to gather data via DNS SRV records.
- The DebOps installation now depends on the future Python library which provides compatibility between Python 2.7 and Python 3.x environments. It is currently used in the custom Ansible filter plugin provided by DebOps, but its use will be extended to other scripts in the future to make the code more readable.
- The role will set up a systemd timer to regenerate Diffie-Hellman parameters periodically if it's available. The timer will use random delay time, up to 12h, to help with mass DHparam generation in multiple LXC containers/VMs.
defaultset of SSL ciphers can be specified using the
nginx_default_ssl_ciphersvariable. This disables the
ssl_ciphersoption in the nginx configuration and forces the server to use the defaults provided by the OS.
- The OpenNTPD service will now properly integrate the ifupdown hook script with systemd. During boot, NTP daemon will be started once network interfaces are configured and will not restart multiple times on each network interface change.
- The role can now generate custom files using templates, based on a directory structure. See resources__templates for more details.
- You can now manage configuration files located in the
/etc/sudoers.d/directory using sudo__*_sudoers inventory variables, with multiple level of conditional options.
- Some of the existing DebOps Policies and Guidelines have been reorganized and the concept of DebOps Enhancement Proposals (DEPs) is introduced, inspired by the Python Enhancement Proposals.
- The debops script can now parse multiple playbook names specified in any order instead of just looking at the first argument passed to it.
- The editor alternative symlink configuration has been moved from
debops.consolerole to the debops.apt_install role which also installs vim by default.
- The configuration of automatic removal of APT packages installed via
Suggests:dependencies has been moved from the debops.apt role to the debops.apt_mark role which more closely reflects its intended purpose. Variable names and their default values changed; see the Upgrade notes for more details.
- The role will add any new administrator accounts to the list of existing admin accounts instead of replacing them in the Ansible local fact script. This should allow for multiple administrators to easily coexist and run the DebOps playbooks/roles from their own accounts without issues.
- Redesign the GitLab version management to read the versions of various
components from the GitLab repository files instead of managing them manually
in a YAML dictionary. The new
gitlab__releasevariable is used to specify desired GitLab version to install/manage.
- The gitaly service will be installed using the
gitUNIX account instead of
root. Existing installations might require additional manual cleanup; see the Upgrade notes for details.
- The role now supports installation of GitLab 10.7.
- The usage of
gitlab__fqdnvariable is revamped a bit - it's now used as the main variable that defines the GitLab installation FQDN. You might need to update the Ansible inventory if you changed the value of the
gitlab_domainvariable used previously for this purpose.
- Redesign system-wide LXC configuration to use list of YAML dictionaries merged together instead of custom Jinja templates.
- Add lxc-prepare-ssh script on the LXC hosts that can be used to install OpenSSH and add the user's SSH authorized keys inside of the LXC containers. This is a new way to prepare the LXC containers for Ansible/DebOps management that doesn't require custom LXC template scripts and can be used with different LXC container types.
The NPM version installed by the role from GitHub is changed from
latestwhich seems to be an equivalent of a stable branch.
Recent versions of NPM require NodeJS 6.0.0+ and don't work with other releases. Because of that the newest NPM release is not installable on hosts that use NodeJS packages from older OS releases.
The debops.nodejs role will install NPM v5.10.0 version in this case to allow NPM to work correctly - on Debian Jessie, Stretch and Ubuntu Xenial. Otherwise, a NPM from the
latestbranch will be installed, as before.
Instead of NodeJS 6.x release, the role will now install NodeJS 8.x release upstream APT packages by default. This is due to the NodeJS 6.x release switching to a Maintenance LTS mode. NodeJS 8.x will be supported as a LTS release until April 2019.
The role will install upstream NodeSource APT packages by default. This is due to no security support in Debian Stable, therefore an upstream packages should be considered more secure. The upstream NodeJS packages include a compatible NPM release, therefore it won't be separately installed from GitHub.
The existing installations shouldn't be affected, since the role will select OS/upstream package versions based on existing Ansible local facts.
- Support Nextcloud 13 and partially ownCloud 10. Nextcloud 11 and ownCloud 9.1 are EOL, you should update. The role can help you with the update to ensure that everything works smoothly with the new versions. Currently, the role can not do the update for you.
- The role will now check the debops.system_groups Ansible local facts to define what UNIX groups are allowed to connect to the host via the SSH service.
- Don't install the
sudopackage by default, this is now done via a separate debops.sudo role to easily support switching to the
- Remove configuration of UNIX system groups and accounts in the
adminsUNIX group. This is now done by the debops.system_groups Ansible role.
- The sudo configuration has been removed from the
bootstrap.ymlplaybook now includes the debops.sudo role which configures sudo service.
- The UNIX system group management has been removed from the role, the
bootstrap.ymlplaybook now uses the debops.system_groups role to create the UNIX groups used by DebOps during bootstrapping.
- Remove management of Python packages from the role. The
bootstrap.ymlplaybook uses the debops.python role to configure Python support on the host.
- Remove support for direct LXC container management from the role. This
functionality is better suited for other tools like lxc-* set of
commands, or the Ansible
lxc_containermodule which should be used in custom playbooks. The 'debops.lxc' role focus should be configuration of LXC support on a host.
- Remove custom LXC template support. The LXC containers can be created by the
normal templates provided by the
lxcpackage, and then configured using DebOps roles as usual.
- The tasks that modified the default
template1database and its schema have been removed to make the PostgreSQL installation more compatible with applications packaged in Debian that rely on the PostgreSQL service. See the relevant commit for more details. Existing installations shouldn't be affected.
debops v0.7.2 - 2018-03-28¶
debops v0.7.1 - 2018-03-28¶
New DebOps roles¶
- The debops.ansible role: install Ansible on a Debian/Ubuntu host using Ansible. The debops.debops role now uses the new role to install Ansible instead of doing it directly.
- The debops.apt_mark role: set install state of APT packages
(manual/auto) or specify that particular packages should be held in their
current state. The role is included in the
- The debops.kmod role: manage kernel module configuration and module
loading at boot time. This role replaces the
debops-contrib.etckeeperrole has been integrated into DebOps as debops.etckeeper. The new role is included in the
- The test suite used on Travis-CI now checks the syntax of the YAML files, as well as Python and shell scripts included in the repository. The syntax is checked using the yamllint, pycodestyle and shellcheck scripts, respectively. Tests can also be invoked separately via the make command.
- The role can now autodetect and use a PostgreSQL database as a backend database for Etherpad.
- The role should now correctly detect what Internet Protocols are available on a host (IPv4, IPv6) and configure firewall only for the protocols that are present.
- The role will now generate the
lxc-debopsLXC template script from different templates, based on an OS release. This change should help fix the issues with LXC container creation on Debian Stretch.
- The X.509 certificate included in the default
domainPKI realm will now have a SubjectAltName wildcard entry for the host's FQDN. This should allow for easy usage of services related to a particular host in the cluster over encrypted connections, for example host monitoring, service discovery, etc. which can be now published in the DNS zone at
- The role now supports Let's Encrypt ACMEv2 API via the acme-tiny Python script. The existing PKI realms will need to be re-created or updated for the new API to work, new PKI realms should work out of the box. Check the Upgrade notes for more details.
- The role now uses a static GID
procadminsgroup to synchronize the access permissions on a host and inside the LXC containers. You will need to remount the filesystems, restart services and LXC containers that rely on this functionality.
- The configuration of the kernel parameters has been redesigned, instead of being based on YAML dictionaries, is now based on YAML lists of dictionaries and can be easily changed via Ansible inventory. You will need to update your inventory for the new changes to take effect, refer to the role documentation for details.
- The debops command will now generate the
ansible.cfgconfiguration file with correct path to the Ansible roles provided with the DebOps Python package.
Roles removed from DebOps¶
debops-contrib.kernel_moduleAnsible role has been removed; it was replaced by the new debops.kmod Ansible role.
ferm-forwardhook script in the
/etc/network/if-pre-up.d/directory has been removed (existing instances will be cleaned up). Recent changes in the debops.ferm role broke idempotency with the debops.ifupdown role, and it was determined that the functionality provided by the hook is no longer needed, recent OS releases should deal with it adequately.
debops v0.7.0 - 2018-02-11¶
New DebOps roles¶
- New Ansible roles have been imported from the
x2go_server. They are not yet included in the main playbook and still need to be renamed to fit with the rest of the
- The debops.sysfs role: configuration of the Linux kernel attributes
/sysfilesystem. The role is not enabled by default.
- The debops.locales role: configure localization and internationalization on a given host or set of hosts.
- The debops.machine role: manage the
/etc/issuefile and a dynamic MOTD.
- The debops.proc_hidepid role: configure the
- The debops.roundcube role: manage RoundCube Webmail application.
- The debops.prosody role: configure an xmpp server on a given host.
- The debops.sysnews role: manage System News bulletin for UNIX accounts.
- DebOps roles and playbooks can now be tested using local or remote GitLab CI instance, with Vagrant, KVM and LXC technologies and some custom scripts.
- You can now use Vagrant to create an Ansible Controller based on Debian Stretch and use it to manage itself or other hosts over the network.
- You can now build an Ansible Controller with DebOps support as a Docker container. Official Docker image is also available, automatically rebuilt on every commit.
- You can now install DebOps on Arch Linux
using an included
- Add new playbook,
agent.yml. This playbook is executed at the end of the main playbook, and contains applications or services which act as "agents" of other services. They may contact their parent applications to report about the state of the host they are executed on, therefore the agents are installed and configured at the end of the main playbook.
- DebOps roles and playbooks will be included in the Python packages released on PyPI. This will allow for easier installation of DebOps via pip (no need to download the roles and playbooks separately) as well as simple stable releases. The DebOps monorepo can still be installed separately.
- The role can now detect if nested KVM is enabled in a particular virtual machine and install KVM support.
- The project repository is tested using pycodestyle for compliance with Python's PEP8 Style Guide.
The debops-update script will now install or update the DebOps monorepo instead of separate
debops-playbooksand DebOps roles git repositories. Existing installations shouldn't be affected.
The debops script will now include the DebOps monorepo roles and playbooks in the generated
ansible.cfgconfiguration. The monorepo roles and playbooks are preferred over the old
The script is backwards compatible and should work correctly with or without the
debops-playbooksrepository and roles installed.
Improved Python 3 support in the DebOps scripts and throughout the playbooks/roles. DebOps should now be compatible with both Python versions.
- The GitLab Runner playbook is moved to the
agent.ymlplaybook; it will be executed at the end of the main playbook and should that way include correct information about installed services.
- Update the role to work correctly on Debian Stretch and newer releases. The support for multiple gunicorn instances using custom Debian scripts has been removed in Debian Stretch, therefore the role replaces it with its own setup based on systemd instances.
- Remove the
ipaddr.pyAnsible filter plugin, it is now included in the Ansible core distribution.
- Remove the
localesconfiguration from the 'debops.console' role, this functionality has been moved to the new 'debops.locales' role. You will need to update the Ansible inventory variables to reflect the changes.
- Remove management of the
/etc/motdfiles from the
debops.consolerole. That functionality is now available in the debops.machine role. You will need to update the Ansible inventory variables to reflect the changes.
- Management of the
hidepid=option has been moved to a new role, debops.proc_hidepid. You will need to update the Ansible inventory variables to reflect the changes.
- Management of the System News using the
sysnewsDebian package has been removed from the role; it's now available as a separate debops.sysnews Ansible role. You will need to update the Ansible inventory variables related to System News due to this changes.