Changelog
This project adheres to Semantic Versioning and human-readable changelog.
This file contains only general overview of the changes in the DebOps project. The detailed changelog can be seen using git log command.
You can read information about required changes between releases in the Upgrade notes documentation.
debops stable-3.0 - unreleased
debops v3.0.9 - 2024-10-07
Fixed
General
The debops.system_users and the debops.users roles will add the dotfiles repository cloned by the
root
UNIX account in the debops.yadm role to the list of trusted git repositories in the~/.gitconfig
configuration file of each user account managed by the role. This is needed to allow git to clone local repositories not owned by the UNIX account, required by the mitigation of the CVE-2022-24765 security vulnerability.The debops script will not try to download the required Ansible Collections during new project creation if the ansible-galaxy command is not available in the user's
$PATH
.
debops v3.0.8 - 2024-09-23
Added
debops.dovecot role
The role now supports iterate_filter for its LDAP configuration, allowing doveadm commands to iterate over all users. Note that you might have to adjust the defaults for the
dovecot__ldap_user_list_filter
variable if you use thedovecot__ldap_user_filter
variable.
Changed
General
The debops.root_account, debops.system_users and debops.users roles are now able to handle the symlinked
~/.ssh/authorized_keys
files correctly using optionalfollow
parameter.
Fixed
General
The debops.dropbear_initramfs role is now included in the DebOps Collection published on Ansible Galaxy, generated by the
lib/ansible-galaxy/make-collection
script.
debops.apache role
Fixed an issue with the vhost
state: "absent"
parameter not working correctly when theenabled: False
parameter was not set as well.
debops.dropbear_initramfs role
The role now supports both the old and the new location if the initramfs configuration files.
debops.owncloud role
The role will use a password for the PostgreSQL database, which fixes an issue with the occ command not being able to install ownCloud/Nextcloud applications correctly.
debops v3.0.7 - 2024-09-16
Added
General
The debops script can now log its operation to standard error and to the syslog service. Use the
--verbose
or-v
flag to enable log output on the console.Users can define "playbook sets" on the view level of the "modern" project directories. Playbook sets can be used as aliases to call multiple playbooks using a custom name. See Per-view playbook sets documentation for more details.
Users can now enable "read-only Fridays" functionality on a per project basis, to ensure that on Fridays, Ansible playbooks are run only in check mode, with
--check
and--diff
arguments automatically added to the ansible-playbook command options.
debops.apt_install role
The role will import the debops.secret role during execution to get access to the
secret/
directory. This permits use of stored passwords in Debconf answers configured via the debops.apt_install role.
debops.dnsmasq role
The role can optionally ignore IP addresses on a network interface and use only specified ones for dnsmasq configuration. This can help with Routing Advertisements issues on internal networks. See role documentation for more details.
debops.pki role
Add support for defining per-realm UNIX environment variables set during pki-realm script execution. These variables can be used to augment runtime environment, for example to define HTTP proxy to use inside internal networks with restricted access to the outside world.
debops.rabbitmq_server role
The role can manage much more RabbitMQ internal structures - exchanges, queues, bindings between them, as well as vhost and user limits.
debops.reprepro role
The reprepro internal repository path can be configured per-instance using the
basedir
parameter.
Changed
Updates of upstream application versions
In the debops.ipxe role, support for the Debian Bullseye netboot installer has been updated to v11.12; the Debian Bookworm installer has been updated to v12.7.
General
DebOps now uses pipx as the preferred installation method. This allows for easier maintenance of the DebOps virtual environment.
debops.elasticsearch role
The role now supports new Elasticsearch v8.x password management mechanism.
debops.lxc role
The role supports integration with the systemd-resolved DNS resolver. This permits use of the systemd-networkd service to manage networking on the LXC host.
LXC containers will be configured with AppArmor "unconfined" profile by default. This change allows startup of various services inside of the container without errors on Debian Bookwrom hosts.
debops.lxd role
The role supports integration with the systemd-resolved DNS resolver. This permits use of the systemd-networkd service to manage networking on the LXD host.
debops.nginx role
The
/index.html
and/index.htm
entries in the defaulttry_files
configuration option have been replaced with the$uri/index.html
entry. This change should ensure that any location not present on the server will return error 404 correctly, instead of falling back to the/index.html
file if it's present in the root of the website.
debops.postgresql_server role
The autopostgresqlbackup script was modified to have separate set of options for the psql command and the pg_dump command. This permits the use of the
--format=custom
option in pg_dump command, enabling more efficient database dumps.The extension of the backup files created by the autopostgresqlbackup script can be configured via a default variable. This change might cause existing installations to change the file extension used during backups.
debops.proc_hidepid role
The role will check if the host is in the
debops_service_libvirtd
Ansible inventory group, or if the debops.libvirtd role was applied on the host and will change thehidepid=
value to0
to avoid issues with Polkit subsystem.
debops.rsyslog role
The log rotation configuration for logs managed by rsyslog now has an upper size limit of 1 GB to trigger the rotation. This should help in cases when these logs are growing rapidly, but the rotation period is too large to avoid filling up disk space.
debops.sshd role
The
/etc/pam.d/sshd
configuration file can be templated using the DebOps override system via thetemplate_src
lookup plugin. This allows users to provide their own template for the generated file.
debops.zabbix_agent role
The fact script now supports both the old Zabbix Agent, and the new Zabbix Agent 2 configuration files.
Fixed
debops.dpkg_cleanup role
Various YAML lists used in the package removal script will be sorted at Jinja level to avoid constand reordering of list elements during Ansible execution which makes the role not idempotent.
debops.grub role
Fixed an issue with the
01_users
configuration file generating errors and resulting in an empty user section in the configuration generated by the update-grub command.
debops.ifupdown role
Fixed an issue with the
ifup-allow-boot.service
systemd unit not starting correctly on boot due to issues with the$
character escaping.
debops.lxc role
The role will by default disable NFtables integration within the lxc-net script, configurable via a default variable. This fixes usage of LXC containers on Debian Bookworm with the ferm service used by DebOps.
The role will use the
br0
bridge when systemd-networkd service is detected. This worked previously only with the ifupdown service.
debops.lxd role
Fixed an issue with the default LXD daemon preseed configuration by removing the unsupported
managed
parameter. This should allow the LXD daemon to be initialized correctly.Fixed an issue with the role trying to copy the source-built libraries when an APT-based installation is used. The role will check if the libraries exist before trying to copy them.
Fixed an issue on Debian Bookworm where the lxd-apparmor-load binary is not present where the APT-based LXD daemon expects it. The role will create a symlink for this binary when needed.
debops.nginx role
Fixed issue with
role::nginx:servers
Ansible tag not working correctly by adding tags to tasks included dynamically.
debops.rsyslog role
List of log files which should be managed by the logrotate service will be sorted to avoid constant reordering during role execution, which fixes role idempotency.
debops.swapfile role
Fixed an issue in the swapon task conditional logic where the task could not be executed correctly when the swap file was missing.
Ensure that the swap file is correctly disabled by the swapoff command before being removed with the
absent
state.
Removed
debops.ipxe role
Debian 8 (Jessie) and Debian 9 (Stretch) have been removed from Debian mirrors, therefore the role will no longer offer support for installing Debian Jessie and Stretch via PXE boot.
debops v3.0.6 - 2023-11-29
Added
General
The debops command will correctly handle project directories which don't have a default view defined in the configuration. In such cases, a view can be selected by entering its subdirectory via cd command or specifying its name using the
-V
or--view
option on the command line.DebOps scripts now support management of the project directories using git as VCS repositories. New project directories will use git by default. This also enables support for secrets encrypted using git-crypt.
The path to the default Ansible inventory located in the DebOps project directory is now exposed in environment variables as
$DEBOPS_ANSIBLE_INVENTORY
. This variable can be used for integration with third-party software, for example to automatically generate Ansible inventory contents based on data from external sources.
debops.apt role
The role now supports management of the "Deb822" format of the APT repository sources.
debops.python role
The
service/python_raw
playbook used during early bootstrap process can now inject host entries into the/etc/hosts
configuration file to permit DNS name resolution early during bootstrapping.
Changed
Updates of upstream application versions
In the debops.ipxe role, the Debian Bookworm release has been updated to 12.2.
General
The Debian 12 (Bookworm) has been released! Multiple DebOps roles have been updated and switched the "stable" release to Bookworm, with Bullseye becoming the "oldstable" release. The new Debian Testing release, "Trixie" has also been added in relevant places.
DebOps now supports using git in project directories - new projects will be initialized as git repositories by default. The git-crypt command is also supported, and can encrypt project secrets.
When a new DebOps project is created, the debops script will install Ansible Collections automatically by default. This can be controlled using the
--requirements
or--no-requirements
options.
debops.apt role
The role now supports the new
non-free-firmware
repository section introduced in Debian Bookworm.
debops.ifupdown role
Ensure that the
iface@.service
systemd unit starts afterapparmor.service
service.
debops.ipxe role
The Debian Installer Menu can now install Debian GNU/Linux 12 (Bookworm).
debops.preseed role
The role will install the
python3-debian
package by default, to enable support for Deb822-formatted APT repository configuration files.
debops.python role
The role will install the
python3-debian
package by default, to enable support for Deb822-formatted APT repository configuration files.
Fixed
debops.auth role
The
libpam-cracklib
APT package will be installed and configured conditionally. It has been removed in Debian Bookworm.
debops.ifupdown role
The interface names used in scripts will be escaped using the systemd-escape tool. This should fix problems with control over network interfaces which contain the hyphen character(s).
debops.lxc role
Fixed name of the
vfs_root
parameter in the call to thecommunity.general.lxc_container
Ansible module, which was renamed tozfs_root
.
debops.python role
The
python-apt
package has been renamed topython-apt-common
.
debops.secret role
Fixed an issue with the
secret
variable not being defined in other roles in newer Ansible versions.
debops.sysctl role
The
protect-links.conf
configuration file has been renamed to99-protect-links.conf
file in Debian Bookworm; this is handled conditionally in the role configuration. Users might need to remove the/etc/sysctl.d/protect-links.conf
file generated by the role manually on existing installations to fix this issue.
debops v3.0.5 - 2023-05-25
Added
General
The debops exec command can be used to execute Ansible modules against hosts in the project directory; this is a wrapper for the ansible command.
The debops run, debops check and debops exec commands can emit ASCII "bell" at the end of Ansible execution to notify user after long runs. Use the
-E
or--bell
option to enable this.
debops.nginx role
The server configuration files can now contain nginx configuration outside of the
server
andupstream
blocks using the newitem.toplevel_options
parameter.
debops.preseed role
Debian Installer will make sure that the
cdrom:
APT sources are disabled in/etc/apt/sources.list
configuration file. This might happen when preseeding is used in image building scenarios, for example with Hashicorp Packer.
debops.resources role
The debops.resources role can now be used to install pip library dependencies or virtual environments via the
ansible.builtin.pip
module.
Changed
Updates of upstream application versions
In the debops.ipxe role, the Debian Buster netboot installer version has been updated to the next point release, 10.13. Debian Bullseye has been updated to the next point release as well, 11.8.
General
The debops config command has been refactored and split into multiple subcommands to allow easier configuration introspection. See it's documentation page for more details.
The debops env command can be used to inspect the runtime environment variables present when other DebOps commands are used, as well as execute external commands inside of that runtime environment. This is handy for using various ansible-* commands within DebOps project directories.
DebOps monorepo now includes configuration for the pre-commit hook to verify changes before they are committed to the repository. Multiple checks are performed, notably codespell is used to find spelling mistakes. More checks will be enabled in the future.
New project directory layout called "modern" has been implemented in DebOps scripts. It can be created using the command:
debops project init -t modern <project>
The modern project layout supports multiple Ansible inventories encapsulated into infrastructure views.
Various roles which use the
shell
Ansible module will now use bash shell as the executable explicitly.
debops.apt role
The role will configure APT to use Debian Security repositories via the http://deb.debian.org/debian-security/ CDN.
debops.preseed role
The default guided partition recipe used by the Debian Installer is changed from
atomic
tomulti
. This should allow for easier changes in the partition layout via LVM due to separate partitions for/home
and/var
mount points.
debops.proc_hidepid role
The role will check if PolicyKit is installed on the host, in which case the default security level for access to the
/proc
filesystem will be more permissive.
debops.system_users role
The role will check remote user databases for local admin information using the getent passwd command if the user has not been found in the
/etc/passwd
local database.
Fixed
General
The
ipaddr
Ansible filter and its aliases used in various roles were renamed toansible.utils.ipaddr
and its corresponding alias names because Ansible requires use of FQCNs in filters. Theansible.utils
Ansible Collection is now a dependency of the DebOps Collection.Extrepo facts file did not detect a disabled repository as being disabled due to a change in the extrepo file format.
The debops run and debops check commands should now correctly recognize options of the ansible-playbook command which don't expect arguments and expand playbook names specified after them.
Installation of the DebOps script from the monorepo will use a version string compatible with PEP-440 specification.
debops.dnsmasq role
Fixed service configuration mistake when DHCPv6 mode is set to an empty string. The configuration template should take this into account and add a correct separator (or omit it) in the generated configuration file.
debops.dovecot role
Fixed a missed
template_src
lookup which didn't use a FQCN as a plugin name.Fixed an issue where an empty
dovecot__ssl_dh_file
variable resulted in Dovecot service refusing to start due to incorrect configuration value.
debops.etc_aliases role
Don't save dependent recipients on Ansible Controller if they are not defined. This should avoid creating unnecessary files in AWX job containers.
debops.libvirtd role
Fixed
qemu-kvm
package installation logic; the KVM packages should now be handled correctly on Debian Bullseye and newer releases.
debops.ntp role
The role will not try to purge installed NTP daemon packages when it is disabled through Ansible inventory.
debops.pki role
Use openssl x509 -inform PEM command to explicitly check for a PEM-formatted X.509 certificate file because the old openssl x509 -in option was changed to work with both DER and PEM files. This should fix an issue with Let's Encrypt certificate chains containing a DER-formatted certificate inside of them.
Users will need to remove existing PKI realms which use ACME/Let's Encrypt CA for the pki-realm script to rebuild the certificate chain correctly. After that re-run the debops.pki role on the host to re-create che realms.
debops.preseed role
Fixed an issue with the
d-i
keyboard preseed that resulted in thekeyboard-configuration
APT package not being installed and configured correctly. The default keymap is changed tous
and the option is no longer based on the system language which might be incorrect in this case.
Removed
General
The debops project status subcommand has been removed. Its functionality is now incorporated within the DebOps configuration tree accessible using the The debops config command command.
The debops-api code and Ansible role has been removed from the project, since it's not relevant anymore after separate git repositories were merged into a monorepo.
debops v3.0.4 - 2023-03-09
Added
debops.keyring role
The role can now download APT repository GPG keys to separate keyring files, which can be used to scope a given GPG key to specific APT repositories.
debops.pki role
The Let's Encrypt/ACME certificate renewal script will check if a Proxmox VE is present on the host, in which case it will attempt to update the certificates stored in the internal Proxmox certificate store.
debops.sshd role
The
sshd.fact
script now exposes the version number of installed sshd daemon via Ansible local facts.
debops.zabbix_agent role
The role now supports management of Zabbix Agent (written in C) as well as Zabbix Agent 2 (written in Go), available in Debian repositories. Only one flavor can be managed at a time, but role provides an easy way to switch between the two flavors.
Changed
Updates of upstream application versions
In the debops.owncloud role, the ownCloud support has been updated to
v10.10
.
General
The HTML documentation build process has been improved. The yaml2rst script will be invoked only when a defaults file is modified, significantly speeding up documentation rebuilds. Users can also modify the sphinx options specified in the Makefile via an environment variable if they wish.
The
ansible/playbooks/tools/dist-upgrade.yml
Ansible playbook now has MTA configuration exposed via variables in case the mail should be sent via a remote server instead of a local one.Multiple DebOps Collections on Ansible Galaxy have been merged into a single
debops.debops
Collection to prepare the project to switch role references to FQCNs. This is also a test to see if Ansible Galaxy allows >2 MB collection tarballs.
debops.apt_preferences role
The pin priorities for the Debian
-updates
and-security
APT repositories have been raised to 550 to match the raised priority of the primary repository. This should ensure that when the custom pin priorities are active, updates to Debian packages are correctly installed as well. Seeapt_preferences__debian_stable_default_preset_list
variable for details.
debops.docker_server role
The role will now recognize the
aarch64
architecture used on latest Apple computers and translate it toarm64
to allow installation of Docker Engine from upstream repositories.The role can now directly handle the daemon
log-driver
parameter.
debops.influxdata role
InfluxData has published a new APT repository GPG key, the role should refresh it automatically.
debops.postgresql_server role
The role has been updated to support configuration changes in PostgreSQL 14 and 15 versions.
debops.python role
The
/etc/pip.conf
configuration file template can be overridden via the DebOps template override mechanism.
debops.zabbix_agent role
The original Zabbix Agent configuration file will be diverted before a new one is generated (makes sense only on new installations).
The debops.etc_services role integration has been removed because
zabbix-agent
entry already exists in official/etc/services
database included in Debian.
Fixed
General
The
warn
parameter in theshell
andcommand
Ansible modules has been removed in Ansible 2.14. It has been removed in various DebOps roles to allow playbook execution to work correctly.Fixed all password lookups which used
chars=ascii
instead ofchars=ascii_letters
. This resulted in passwords which only contained the letters a,c,i,s instead of all lowercase and uppercase ASCII letters. Because all occurrences of this bug at least also included all digits in the character set and the password length was at least 20 characters, this did not result in weak passwords.The moved
dropbear_initramfs.yml
playbook is not included anymore in the "contrib" playbooks, because it was moved elsewhere.
debops.etesync role
The
etesync__http_psk_subpath_enabled
bool variable is used for conditions instead of the subpath itself.
debops.ferm role
Fixed an issue in the rule template that caused a templating type error where Jinja expected a string but found an int value instead.
debops.minio role
The role will use the default
/etc/skel/
directory instead of/dev/null
to create theminio
UNIX account, due to a bug in Ansibleuser
module that forbids use of/dev/null
as home skeleton.
debops.nginx role
Lists in different configuration templates are sorted to ensure stable order of elements and prevent random changes in order on subsequent role runs.
debops.proc_hidepid role
The fact script has been optimized for environments with large UNIX group databases, for example connected to ActiveDirectory domains.
debops.root_account role
The password length can now be set using a number, not just a string.
debops.sshd role
The role will make sure that the
/run/sshd/
directory exists on all hosts, to fix issues with sshd daemon not restarting properly.The role will now correctly handle hosts where sshd is launched via systemd socket activation mechanism.
debops.sysctl role
Fixed an issue in the configuration template that caused a templating type error where Jinja expected a string but found an int value instead.
debops v3.0.3 - 2022-09-02
Added
General
DebOps now includes a custom version of the
community.general.apache2_module
Ansible module, available asdebops.debops.apache2_module
. The custom module includes a fixed idempotency check for enabled Apache 2 modules that works on Debian or Ubuntu hosts. The debops.apache Ansible role will use this module instead of the original one.In the
site.yml
playbook, thesys.yml
andnet.yml
playbooks will be executed before thecommon.yml
playbook. This should ensure that configuration of certain resources like mount points or LVM pools is present before the system is prepared for general operation.DNS SRV resource records in various roles have been documented in central DNS Configuration documentation page for easier management.
debops.fhs role
The role can now create directories defined on the group or host inventory level if desired.
debops.icinga_web role
The role can now create host and service templates using Icinga Director API. This should improve the initial deployment experience, since users don't need to create basic host templates by hand before registering hosts in Icinga.
debops.mount role
The role can now create custom files which can be used to store credentials required to mount remote devices.
debops.netbox role
The role will enable LDAP support in NetBox if LDAP environment managed by the debops.ldap role is detected on the host. Currently only user authentication and Django ACL system is supported via LDAP groups.
debops.postfix role
The role can now install APT packages specified on the group and host level of Ansible inventory, for more flexibility.
debops.resources role
The debops.resources role can now be used to replace a line via the
ansible.builtin.replace
module.
debops.slapd role
The playbook can now be configured to skip the saslauthd role execution.
Changed
Updates of upstream application versions
In the debops.ipxe role, the Debian Bullseye has been updated to the next point release, 11.4.
General
The new Jinja2 3.x release changed the behaviour of the
to_json
Jinja filter - it doesn't accept YAML lists as input anymore, only YAML dictionaries. To fix this issue, the filters were switched toto_yaml
in various Ansible roles.The debops-contrib
dropbear_initramfs
playbook has been moved to the debops.dropbear_initramfs playbook. The role variabledropbear_initramfs__host_authorized_keys
now uses the same keys as theansible.posix.authorized_key
module.Various tasks that interact with the MariaDB/MySQL databases will now use the
/run/mysqld/mysqld.sock
UNIX socket to do so, due to changes in MariaDB restricting local connections for theroot
UNIX account.
debops.apt_install role
The kernel firmware Debian pakcages won't be installed on hosts which might be Proxmox hypervisors, to avoid issues with custom kernel dependencies.
debops.boxbackup
role
Role dependencies have been moved from the
meta/main.yml
file to the role playbook to avoid issues with ansible-lint checks.
debops.dhparam role
The
dhparam__openssl_options
variable will be used in the script maintaining the Diffie-Hellman parameters on the remote hosts, for consistency.
debops.dokuwiki role
The shell of the DokuWiki UNIX account is now configurable, set as
/bin/false
by default.
debops.dovecot role
Unused
dovecot__ldap_server_port
variable has been removed from role defaults.
debops.etckeeper role
The role will ignore GitLab Runner configuration as well as Docker keys and GitLab Omnibus secrets to avoid storing sensitive data in git repository.
debops.ferm role
All options in the
/etc/default/ferm
configuration file are now exposed as role default variables.
debops.influxdata role
The URL of the APT upstream repository has been updated.
debops.libvirtd role
The
qemu-kvm
package is not needed on newer Debian/Ubuntu releases, therefore it won't be installed by default.
debops.icinga role
New hosts will be added to Icinga Director using the
icinga-agent-host
template, created by default by the debops.icinga_web role. On existing installations, you should either create this template by hand, or run the debops.icinga_web role so that it gets added automatically.
debops.icinga_web role
The LDAP configuration used by the role to configure LDAP access will be based on the debops.ldap Ansible local facts instead of static values, to better support modified environments.
debops.minio role
The role has been updated to support newer MinIO features, like the embedded MinIO Console. Some of the instance parameters have been changed, for example access key and secret key have been replaced with root account and password. Check the role documentation for more details.
debops.nginx role
Configure the
nginx.service
systemd unit to start the nginx service after the network is configured. This way nginx should be able to resolve upstream services specified via DNS names at startup.
debops.pdns role
The SUID/SGID configuration is not needed anymore on PowerDNS >= v4.3.0; UNIX account and group is now managed by a systemd service unit.
debops.php role
The
libsodium23
APT package will be installed from Sury APT repository when it's enabled in the role.
debops.pki role
After the certbot script performs a certificate renewal operation, a deploy hook will update the PEM chains in a given PKI realm
private/
directory to include the new private key created by the certbot script.
debops.postgresql role
The tasks that execute PostgreSQL commands will use the
community.postgresql.*
Ansible modules explicitly via the FQCNs to benefit from bugfixes in these modules.
debops.postldap role
Unused
postldap__ldap_server_port
variable has been removed from role defaults.
debops.prosody role
The
compression
Prosody module will not be updated by default due to security concerns.
debops.python role
The role will enable Python 2.7 support via the fact script only when an existing Python 2.7 installation is detected. This change should help avoid installing Python 2.7 packages on newer OS releases when they might be unavailable.
debops.slapd role
The default log level used by OpenLDAP has been changed from
stats
tonone
to minimize log output in large environments. This can be modified using Ansible inventory in case that the authentication, accounting or search metrics are needed.The role will configure the
dc
equality index in the LDAP database to aid lookups of certain services like Postfix.
Fixed
General
The "shebang" scripts pointing to
#!/usr/bin/python
in various Ansible modules were removed to ensure that the remote host will execute them with the correct Python 3.x version.
debops.apt role
In the fact script, parse the
deb-src
configuration entries beforedeb
entries to ensure that there are no duplicates.The role no longer defaults to the
ansible_local.core.distribution
andansible_local.core.distribution_release
local facts for determining the Linux distribution and the distribution release, respectively. These facts were set later in the common playbook, meaning that the role would restore the previous distribution release in/etc/apt/sources.list
after a distribution upgrade.
debops.core role
Ensure that the
ansible_controllers
fact can be reset using thecore__remove_facts
variable to avoid infinitely growing list of Ansible Controllers.
debops.cron role
Fixed the order of job parameters applied by the role - now parameters from a specific job will override parameters specified for all jobs in a given configuration entry.
debops.dovecot role
Fixed the logic of the LDAP STARTTLS configuration parameter - the role should now correctly configure STARTTLS as disabled if it's not enabled in the LDAP environment.
The role's PKI hook script still referenced an old configuration file that was no longer being managed by debops.dovecot since the role redesign, resulting in the hook script failing to reload dovecot after a certificate or DH param change.
debops.environment role
Fixed issues with preserving environment variables across multiple role executions.
debops.ferm role
Don't include additional '{' or '}' characters in certain rules when the
domain_args
parameter is specified.
debops.grub role
The grub user passwords will be passed for encryption using a temporary file stored in the
secret/
directory on the Ansible Controller instead of directly on the command line, to avoid leaks through the process list.
debops.ldap role
Fixed an issue with role parsing the already parsed Ansible facts to extract IP/CIDR information which resulted in wrong output in certain cases. The role will now implicitly trust the Ansible facts to be correct when adding IP and prefix details to the LDAP database.
debops.netbase role
In the fact script, don't use
in
for matching IP addresses and DNS names where substring matching is undesirable.
debops.netbox role
The LDAP configuration file will generated only when LDAP environment is enabled.
debops.nullmailer role
The
nullmailer__smtp_srv_rr
variable will be defined only when the role is enabled. This avoids an issue where the needed DNS SRV records are not defined which might cause Ansible execution to fail even when the nullmailer configuration is disabled.
debops.owncloud role
The role is now compatible with Nextcloud 23 occ check command, which writes messages to stderr during initial installation.
debops.pdns role
On pdns installations with version >= 4.5.0 (e.g. on Bookworm systems), the role would cause a syntax error on the local-address configuration option.
debops.pki role
Fixed an issue where when a PKI realm was initialized for ACME/Let's Encrypt support, second level domains were not included in the generated X.509 certificate request.
debops.postldap role
Fixed the logic of the LDAP STARTTLS configuration parameter - the role should now correctly configure STARTTLS as disabled if it's not enabled in the LDAP environment.
debops.prosody role
The
prosdoy__pki_realm_path
variable has been renamed toprosody__pki_realm_path
to fix the typo in the variable name. You might need to update your inventory in this case so that the role gets correct value.
debops.python role
In the fact script, correctly parse the subprocess output to find out the version of installed Python executables.
debops.radvd role
Append the DNSSL parameters to the correct list variable in the generated configuration file.
debops.resolvconf role
Fixed an issue where the custom hook script did not add static resolvconf configuration after host was rebooted, when the
/run/resolvconf/
path did not exist. It will be created automatically if not found.
debops.roundcube role
Locked johndoh/contextmenu plugin to version 3.2.1 for Roundcube < 1.5 due to compatibility issues.
debops.sudo role
The fact script will check sudo version using the dpkg command to avoid running sudo on each Ansible fact gathering. This proved problematic when LDAP support is enabled and the LDAP directory is not available for any reason - sudo tries to connect to the directory and times out, slowing Ansible run into a crawl.
Removed
Federated Learning of Cohorts opt-out in the debops.apache and debops.nginx roles has been removed. Google abandoned the feature in favor of Topics API in web browsers.
debops.postconf role
The EHLO IP address check was removed. This check would reject a message if the EHLO hostname of the connecting mailserver resolved to a non-publicly routable IP address. However, rejecting messages for this reason is prohibited by RFC 5321 section 4.1.4, and sometimes caused deliverability issues for Office 365 users.
debops v3.0.2 - 2022-03-28
Added
debops.java role
The role will now configure the default security policy for Java applications. The additions will permit Java applications to access the system-wide CA certificate store in
/etc/ssl/certs/
directory as well as the PKI infrastructure managed by the debops.pki role, so that Java applications can use the existing X.509 certificates and private keys for TLS encryption support.
debops.kibana role
The role can now manage passwords and other confidential data stored in the Kibana keystore.
Changed
Updates of upstream application versions
In the debops.roundcube role, the Roundcube version installed by default has been updated to
1.5.2
.In the debops.ipxe role, the Debian Buster netboot installer version has been updated to the next point release, 10.12. Debian Bullseye has been updated to the next point release as well, 11.3.
General
Various roles that lookup SSH public keys on the Ansible Controller (debops.preseed, debops.reprepro, debops.system_users) will try to use the
~/.ssh/authorized_keys
file to find the keys if all other methods fail.Less important tasks in various roles that operate on files or directories that might not exist initially on new hosts will be skipped in Ansible
--check
mode to ensure that more important tasks might be evaluated.
debops.elasticsearch role
The configuration included in the role has been updated to work correctly with Elasticsearch v8.0.x release.
The role will check the status of the built-in user accounts via the HTTP API instead of relying on the Ansible local facts and create them if they don't exist. This should help with an upgrade of existing Elasticsearch clusters without TLS encrypted traffic and authentication.
debops.kibana role
The configuration included in the role has been updated to work correctly with Kibana v8.0.x release.
debops.pki role
The pki-realm script will call the certbot command with the certbot --authenticator <plugin> option explicitly to allow use with third-party authenticator plugins that might not support the certbot --<plugin> syntax.
Fixed
General
Ensure that the
tools/dist-upgrade.yml
playbook works without the${SUDO_USER}
environment variable set, for example if executed directly using theroot
UNIX account.Fixed an issue with custom Ansible plugins not working in "standalone" mode without the DebOps scripts installed on Ansible Controller.
debops.atd role
Fixed an issue with the role facts not being correctly defined when the role is executed with the
meta::facts
Ansible tag.
debops.boxbackup role
The role is not included in the DebOps Collection on Ansible Galaxy, therefore its playbook is no longer included in the main
site.yml
playbook. This fixes an issue with Ansible stopping the site playbook execution when it cannot find theboxbackup
role in the Collection.
debops.elasticsearch role
The internal Java security policy used by Elasticsearch will be configured only on Elasticsearch v7.x+ versions. Before them, Elasticsearch used the global Java security policy.
debops.gitlab_runner role
Fixed an error that could occur in the "Patch 'vagrant-libvirt' source code" task on systems other than Debian 9 or 10.
debops.grub role
The grub user passwords will be passed for encryption using environment variables instead of directly on the command line, to avoid leaks through the process list.
debops.kibana role
The role will use the correct path of the Kibana keystore depending on the installed version (versions <7.0.0 keep the keystore in the
/var/lib/kibana/
directory; newer versions use the/etc/kibana/
directory).The role will use different user account depending on Kibana version (either
kibana
, orkibana_system
used in newer installations of Elasticsearch). Depending on your installed version, you should check thekibana__elasticsearch_username
to verify that the correct account is used for access to Elasticsearch.The role will include the
server.publicBaseUrl
parameter depending on Kibana version, to avoid failures on older Kibana installations.
debops.ldap role
Fixed an issue with the role passing IP and MAC addresses to the LDAP directory as a nested YAML list which resulted in a wrong attribute values.
debops.logrotate role
Fixed formatting in the
/etc/logrotate.conf
configuration file to avoid adding vim fold markers from the DebOps role defaults.
debops.ntp role
Fix an issue where the role tried to manage the systemd-timesyncd service without it actually being present on the host. This should now be avoided by carefully checking the service status.
Removed
debops.apt_install role
The
ranger
APT package will not be installed by default. Themc
package can be used as an alternative. Or you can consider installingnnn
.
debops.root_account role
The role will no longer modify the
~/.profile
configuration file, the issue there was solved a few Debian releases ago and the custom fix no longer needed.
debops v3.0.1 - 2022-02-17
Fixed
General
Ensure that the custom Ansible plugins included in DebOps are present in the Ansible Collection build from the DebOps repository.
Provide a help message in case the
ansible.cfg
configuration file in the DebOps project directory does not include theinventory
option.
debops v3.0.0 - 2022-02-17
Added
New DebOps roles
The debops.minidlna role configures the MiniDLNA service that can be used to provide media (video, music, images) to other devices on the local network that support the DLNA protocol.
The debops.pdns role manages the PowerDNS Authoritative Server, which is an authoritative DNS server with support for DNSSEC, DNS UPDATE, geographical load balancing, and storing zone data and metadata in one or more backends like relational databases, LDAP databases, and plain text files.
The debops.telegraf role can be used to install and manage the Telegraf metrics server, which can send data to various other services.
The debops.lldpd role provides support for managing and configuring the lldpd service, which can be used to locate other network devices connected to a given host using the Link-Layer Discovery Protocol. The role is included in the
common.yml
playbook by default.The debops.zabbix_agent role can install and configure Zabbix Agent, used for monitoring and metrics.
The debops.keepalived role can be used to install and manage keepalived daemon, a lightweight load balancing and high availability service.
The debops.rspamd role can be used to install rspamd service, an anti-spam mail filter. The role automatically integrates with the debops.postfix role to provide anti-spam support.
The debops.imapproxy role can install and configure the IMAP Proxy service, useful for web mail applications that use IMAP to access the mail services.
General
New Jinja filters
from_toml
andto_toml
are available to DebOps roles, provided using a custom Ansible plugin. The filters require thetoml
Python package to be installed on the Ansible Controller.New Ansible custom lookup plugin
dig_srv
can be used in Ansible variables and tasks to simplify DNS SRV record parsing. The plugin can retrieve an existing SRV record or if none is found, fall back to a predefined default values for the hostname and port.A new Ansible tag,
meta::facts
has been added in all DebOps roles to the tasks that install Ansible local facts. This can be useful during initial provisioning to avoid issues with Ansible--check
mode when certain configurations depend on the presence of the local facts to gather details from the remote hosts.
debops.apt role
The role can now enable additional Debian architectures on a given host, which allows for Multiarch installations.
You can now purge specific APT packages along with their configuration and unused dependencies. This might be useful during bootstrap or provisioning process to remove unused or conflicting services installed by the provider.
The role can now configure
/etc/apt/auth.conf.d/
configuration files to enable access to restricted APT repositories that require HTTP Basic Authentication.
debops.dokuwiki role
The role now provides a set of variables and tasks which can be used to add or remove custom files in the DokuWiki installation, useful in certain setups.
debops.elasticsearch role
In a cluster deployment on hosts with PKI environment configured, the role will automatically enable the X-Pack plugin and configure TLS encryption for HTTP client and inter-cluster communication.
Elasticsearch user accounts and role definitions can be managed via Ansible using the API access, when the encrypted communication and X-Pack plugin is enabled. The role will initialize a set of built-in user accounts in the Elasticsearch cluster automatically.
debops.ferm role
The
arptables
andebtables
APT packages will be installed by default. This is needed so that various alternatives for iptables backends can be correctly synchronized.
debops.keyring role
The role can now configure
/etc/apt/auth.conf.d/
configuration files to enable access to restricted APT repositories that require HTTP Basic Authentication.
debops.kibana role
If the username and password for connection to the Elasticsearch service are provided, the role will configure Kibana to use TLS encryption for communication with the Elasticsearch cluster, based on the PKI environment managed by the debops.pki Ansible role.
debops.libvirtd role
The role will now install UEFI firmware for amd64 VMs, alongside traditional BIOS.
debops.lvm role
The role can now manage LVM Thin Pool Logical Volumes.
It is now possible to apply custom options to lvm__thin_pools and lvm__logical_volumes.
debops.lxc role
The role can define a list of SSH identities added to the
root
UNIX account in new LXC containers by default. This can be used to grant multiple system administrators access to the containers.
debops.netbase role
The hosts(5) database FQDN entries defined as strings will automatically create hostname aliases when the role uses a template to generate the
/etc/hosts
database.
debops.nginx role
The role can be used in "config-only" mode where the nginx packages are not installed but are expected to be present and in configuration compatible with DebOps.
The nginx server can now be configured to send logs to the syslog service via a
/dev/log
UNIX socket, instead of storing them in separate configuration files.
debops.pki role
The role gained support for Certbot tool as an alternative to acme-tiny script. Certbot provides Lets' Encrypt DNS-01 challenge functionality with wildcard and internal certificates. See role documentation for more details.
debops.rsyslog role
It is now possible to override the default
netstream_driver
,driver_mode
anddriver_authmode
parameters in every rsyslog__forward forwarding rule.
debops.sshd role
The
sshd__ferm_interface
variable can now be used to limit access to SSH via the host firewall based on interface.
debops.slapd role
The SCHema for ACademia (schac) LDAP schema has been added to the role to provide more LDAP attributes and object classes useful in university environments.
debops.sysctl role
The
systemd
Debian package in Debian Bullseye provides a sysctl configuration file which increases the maximum number of PIDs allowed by the kernel. The role will create a "masked" configuration file to ensure that sysctl configuration works in LXC containers, where thekernel.pid_max
parameter will be commented out since it cannot be modified from inside of a container. On hardware and VM hosts the configuration will be applied as expected.
Changed
Updates of upstream application versions
In the debops.ipxe role, the Debian Buster netboot installer version has been updated to the next point release, 10.11. Debian Bullseye has been updated to the next point release as well, 11.2.
Debian 11 (Bullseye) has been released. The debops.ipxe role will now prepare a netboot installer with this release and set Bullseye as the default Stable installation option.
The
lxc_ssh.py
Ansible connection plugin has been updated to include latest changes and bugfixes.The Elastic APT repository configured on new installations by debops.elastic_co has been updated to version 7.x. Updating the repository configuration on existing hosts requires that you manually update the local facts or to set the
elastic_co__version
variable to '7.x' before running the playbook.In the debops.netbox role, the NetBox version has been updated to
v3.1.6
. Note that you needv2.11.0
or later to upgrade tov3.0
.The Icinga Web 2 modules installed by debops.icinga_web have been updated to their latest versions. A quick database migration is needed after updating to get Director to work again. Just click the database migration button on the 'Icinga Director' -> 'Activities log' page.
In the debops.roundcube role, the Roundcube version installed by default has been updated to
1.4.13
.Drop Nextcloud 20 and 21 support because they are EOL. You need to upgrade Nextcloud manually if you are running version 21 or below. The role now defaults to Nextcloud 22 for new installations.
In the debops.wpcli role, the WpCli version has been updated to
2.5.0
.2.3.0
and2.4.0
can be installed by changingwpcli__version
General
DebOps tasks that import local SSH keys will now recognize FIDO U2F security keys used via the SSH agent.
The APT configuration by the debops.apt and debops.apt_proxy roles in the
common.yml
playbook has been moved to a separate play to ensure feature parity with the bootstrap playbooks.The debops Python scripts have been completely rewritten and reorganized. The UI has been redesigned to use subcommands rather than separate scripts. This pans the way for easy extension of the script functionality in the future and improvements for various tasks done on the Ansible Controller.
The DebOps monorepo can now be used as an "Ansible Collection" when path to the
ansible/collections/
subdirectory inside of the git repository is specified in the collections_paths variable in the Ansible configuration file.Note
The roles and plugins included in DebOps are not yet fully compatible with the Collection system. They will be converted at a later time.
The base Docker image used by DebOps Dockerfile has been changed from
debian:buster-slim
todebian:bullseye-slim
. The Dockerfile has been updated to build and install DebOps from the monorepo instead of installing a release from PyPI.The references for custom Ansible lookup and filter plugins have been modified to use the Fully Qualified Collection Name format to allow the DebOps monorepo to work as an Ansible Collection.
Custom Ansible plugins included in the debops.ansible_plugins role have been copied to the
ansible/plugins/
subdirectories to make them available through the Ansible Collection mechanisms.Multiple roles that use the DNS
SRV
Resource Records to find related services have been updated to utilize the newdig_srv
Ansible lookup plugin to find the records. This change should make the role code easier to maintain.Most of the DebOps roles now use
debops__no_log
variable in tasks with theno_log
Ansible keyword. This should provide an easier way to debug issues with various roles.Roles which use the dpkg-divert Debian utility to preserve original configuration files have been updated to use the
dpkg_divert
custom Ansible module included in the DebOps Collection instead of using thecommand
orshell
Ansible modules to manage the diversion and reversion.
Continuous Integration
The default box used by Vagrant for DebOps VMs has been updated from
debian/buster64
todebian/bullseye64
.
LDAP
The
ldap/init-directory.yml
playbook can now store the administrator credentials in thesecret/
directory managed by the debops.secret role. THe credentials can also be randomly generated if the playbook is used non-interactively.
debops.apt role
The role defaults have been updated, Bullseye is the new Stable.
debops.apt_install role
The
haveged
Debian package will not be installed in a virtual machine if the underlying hypervisor technology already provides access to the host's RNG device through virtualization.
debops.dhparam role
The role will no longer install the cron service directly; instead it depends on the debops.cron role to ensure that the service is present. This allows replacing the
cron
Debian package with a different backend, for examplesystemd-cron
package.
debops.docker_server role
The role now enables live restore by default.
debops.dovecot role
The role has been thoroughly refreshed and now uses the Universal Configuration format for the service configuration. All role variables have been renamed to put them in a separate namespace.
Warning
If you use a Dovecot installation in your environment, you should check the new role documentation and update the relevant configuration in the Ansible inventory before applying the new role on your infrastructure.
debops.elasticsearch role
The main configuration is reorganized, original contents of the configuration file are set in the
elasticsearch__original_configuration
variable and the options changed by the role are set in theelasticsearch__default_configuration
variable.
debops.etckeeper role
Add
etckeeper__gitattributes
option to be able to appended to the/etc/.gitattributes
file.
debops.ferm role
The backend configuration will now manage all relevant alternatives for arptables, ebtables, iptables and ip6tables commands to keep various parts of the firewall synchronized.
Warning
The variable which controls what backend is used has been renamed to
ferm__iptables_backend_type
due to value change. You might need to update your Ansible inventory to select the correct backend.The default backend for iptables is changed to
legacy
on newer OS releases, because there's no plans to support nftables backend by the ferm project. You might want to check if the firewall configuration is correctly applied after running the role against already configured hosts.
debops.grub role
The role now enables the serial console by default.
debops.ipxe role
You can now define what kernel parameters are used by default in the Debian Installer, using an iPXE variable.
debops.keyring role
The default keyserver used by the role has been changed to Ubuntu keyserver due to deprecation of the SKS Keyserver pool.
debops.logrotate role
The role will no longer install the cron service directly; instead it depends on the debops.cron role to ensure that the service is present. This allows replacing the
cron
Debian package with a different backend, for examplesystemd-cron
package.
debops.netbox role
Add
netbox__config_custom
option to be able to configure not explicitly supported options in a raw format.
debops.nginx role
The
item.location_list
entries in the server configuration can now define access policy for a specific location and use subnet ranges or password authentication to control access.Length and characters included in the passwords generated by the role for HTTP Basic Authentication can now be controlled using default variables.
debops.php role
php7.4 has been added to the
php__version_preference
list. This ensures that PHP-related packages are installed on Debian 11 (Bullseye) systems.
debops.pki role
The RootCA certificate for the Let's Encrypt ACME certificates has been changed to
mozilla/ISRG_Root_X1.crt
, the previous CA certificate is now expired. Existing PKI realms will not be modified, you might need to recreate them or replace theacme/root.pem
symlink manually.
debops.postldap role
A few changes to the Postfix LDAP lookup tables were made, most notably a better split between alias lookups (ldap_virtual_alias_maps.cf) and distribution list lookups (ldap_virtual_forward_maps.cf).
debops.preseed role
The role has been redesigned from the ground up and uses Universal Configuration to manage Preseed configuration files. Multiple "flavors" are provided to permit installation of Debian in a variety of environments. See the Upgrade notes for details about upgrading an existing installation.
debops.reprepro role
The role has been redesigned from scratch. It can now manage multiple APT repository instances on separate DNS domains, repositories can have access restrictions, the inoticoming service has been replaced by a systemd
.path
units. Repositories are now configured via the Universal Configuration system. See the new role documentation for details.
debops.rsyslog role
The default NetStream driver mode and authentication mode are now set based on whether the
gtls
driver is enabled.
debops.slapd role
The
mailservice.schema
LDAP schema has been modified to add new LDAP attributes,mailPrivateAddress
andmailContactAddress
. This change includes additional constraints on uniqueness and requires a rebuild of the OpenLDAP service. See Upgrade notes for details.The
sudoUser
attribute index in the OpenLDAP service has been changed tosudoHost,sudoUser eq,sub
to provide better search performance for the sssd service. This will have to be changed manually on existing OpenLDAP installations before the role is idempotent.
debops.sshd role
Keep the
SSH_CONNECTION
environment variable when running commands with sudo.
debops.sysctl role
The role will configure protection for FIFOs and regular files along with protection for symlinks and hardlinks, introduced in Debian Bullseye.
debops.system_users role
The role assumes that Ansible Controller has Python 3 available and will not check for Python 2.7 anymore while gathering local UNIX account details, to avoid issues with non-existent host facts.
debops.unattended_upgrades role
The role now defaults to the admin_private_email Ansible fact (as provided by debops.core) for the
unattended_upgrades__mail_to
variable.
Fixed
General
Fixed an issue with user and group management roles where the UNIX account home directories were created even if they were specifically disabled. Roles should now be more careful and respect the administrator wishes.
LDAP
The
ldap/init-directory.yml
playbook should now work better with non-local UNIX accounts and provide better defaults for standardized account names likeansible
.The
*__ldap_bindpw
variables in various roles have been modified to create the passwords only when LDAP support is enabled. This should fix an issue in non-LDAP environments where Ansible would stop playbook execution when a single password file for an LDAP object was created by multiple hosts, generating a race condition due to empty domain part of the Distinguished Name.
debops.apt role
The role no longer disables the backports repository of a Debian LTS or archive release.
debops.apt_cacher_ng role
The role no longer creates an unnecessary NGINX webroot directory.
debops.dhcpd role
host-identifier parameters are now always quoted in dhcpd6.conf. This is needed when the host-identifier contains periods (e.g. fully qualified domain names).
debops.dnsmasq role
Ensure that the configuration entries with
a
oraaaa
parameter are correctly recognized as host entries.
debops.ipxe role
Make sure that the correct Preseed flavor is used when the user changes it using the menu item.
debops.kmod role
Fixed an issue with role facts where the script ended with exception when the
kmod
package wasn't installed and the lsmod command was not available.
debops.ldap role
The role will refresh the local facts when the
/etc/ldap/ldap.conf
configuration changes to ensure that other roles have correct information available, for example when a new set of LDAP servers is used.
debops.libvirt role
The
virt-top
APT package is not part of the Debian Bullseye release, therefore the role will not try to install it by default.
debops.libvirtd role
The
virt-top
APT package is not part of the Debian Bullseye release, therefore the role will not try to install it by default.The root account will no longer be added to the 'libvirt' group by default.
debops.lxc role
Use the Ubuntu GPG keyserver by default to download LXC container signing keys when the container is created by the lxc-new-unprivileged script as well as through the
lxc_container
Ansible module (the SKS keyserver pool has been deprecated).Enable AppArmor nesting configuration in LXC v4.0.x version, used in Debian Bullseye. Without this, various systemd services inside of the LXC containers cannot start and SSH/console login is delayed ~25 seconds.
debops.netbase role
Fixed an issue where the fact script broke when it tried to find the host's IP address using DNS and the host does not have an entry in the DNS or in
/etc/hosts
database.Fixed an issue where the initial bootstrap and common playbook execution didn't provide the correct configuration for the debops.netbase role, resulting in a non-idempotent execution and wrong
/etc/hosts
database contents. The order of the debops.python role in bootstrap and common playbooks has been adjusted to ensure that the Python packages required by the debops.netbase role are installed before its execution.
debops.netbox role
Set
client_max_body_size
to25m
in Nginx as in the NetBox Nginx config example. Before, it was at the Nginx default of1m
which caused Nginx to reject larger picture uploads to NetBox.
debops.nginx role
Access to the ACME challenge directories is now always allowed, even if a server-wide allowlist configuration or HTTP basic authentication enforcement has been applied. This ensures that it is always possible to request and renew certificates through the ACME protocol.
Do not remove the whole PKI hook directory when the nginx hook script is removed by the role.
debops.owncloud role
Fixed an issue with the debops.nginx configuration where some Nextcloud pages (LDAP configuration, for example) did not work correctly.
debops.pki role
Ensure that the X.509 certificate requests generated by the pki-realm script to renew Let's Encrypt/ACME certificates include SubjectAltNames defined in the PKI realm.
debops.postfix role
Do not remove the whole PKI hook directory when the postfix hook script is removed by the role.
debops.proc_hidepid role
Add the
procadmins
UNIX group as a supplementary group in theuser@.service
systemd unit to fix an issue where the user service does not start when unified cgroupv2 hierarchy is used.
debops.prosody role
Do not remove the whole PKI hook directory when the prosody hook script is removed by the role.
debops.rabbitmq_server role
Correctly interpret the list of RabbitMQ user accounts to not create unwanted vhosts.
debops.redis_server role
Fixed an issue with facts not showing Redis instances correctly when password is empty.
debops.reprepro role
Added missing architectures (all expected architectures for Bookworm, and some missing architectures for older releases).
debops.resolvconf role
Ensure that the fact script correctly includes information about upstream nameservers when systemd-resolved service is used.
debops.rsyslog role
The rsyslog role always configured the streamDriverPermittedPeers option, even when the
anon
network driver authentication mode was selected.
debops.sshd role
The role will no longer create an LDAP account when it is not needed.
The default
sshd__login_grace_time
has been increased from 30 to 60 seconds. This mitigates a lock-out issue whensshd__use_dns
is enabled (the default) and your DNS resolvers are unreachable.The role will avoid leaking the LDAP bind password through the process list during password file creation on the remote host.
debops.sudo role
Fixed an issue in the fact script which resulted in a wrong string being picked up as the version number when sudo was configured to use LDAP, but the LDAP service was not available.
The role will now skip installing the
sudo-ldap
package and creating the LDAP account object ifsudo__ldap_enabled
isFalse
.
debops.sysctl role
The role's default of explicitly disabling packet forwarding conflicted with the sysctl configuration done by Docker Server. The role would disable essential (for Docker) packet forwarding, which would only be enabled again when the Docker daemon was manually restarted or the sysctl parameter was manually corrected. This has been fixed by letting the role default to enabling packet forwarding on Docker Server hosts.
debops.system_users role
The
create_home
parameter was not functional because of typos in the Ansible task.
Removed
General
The old DebOps scripts have been removed from the monorepo, they are replaced with new, cleaner scripts that support subcommands.
The debops-update script has been dropped from the project. Existing users should use git clone command to install the DebOps monorepo if they wish to use the rolling release. There's also no need to install the
debops
PyPI package; DebOps scripts can be installed directly from the monorepo in development mode if desired.The debops-task script has been dropped. You can use the ansible command directly to perform ad-hoc commands against the Ansible inventory.
The debops-defaults script has been removed from the project. Easy access to the role defaults will be implemented at a later date.
The debops-init script has been replaced with the debops project init subcommand.
The debops-padlock script has been removed from the project. It's functionality is now available via the debops project subcommands.
debops.nginx role
debops.preseed role
Support for installing and configuring Salt Minions during host provisioning has been removed.
debops.snmpd role
The tasks and other code which managed the lldpd daemon has been removed from the role. The debops.lldpd role now provides the LLDP support and automatically integrates with SNMP daemon when it is detected.
Security
General
Specific DebOps roles (debops.dovecot, debops.owncloud, debops.postldap) used password generation lookups with invalid parameters which might have resulted in a weaker passwords generated during their deployment. The parameters in the password lookups have been fixed; you might consider regenerating the passwords created by them by removing existing ones from the debops.secret storage on the Ansible Controller and re-running the roles.
debops v2.3.0 - 2021-06-04
Added
New DebOps roles
The debops.extrepo role provides an interface for the extrepo Debian package, an external APT source manager. It can be used to configure third-party APT repositories.
The debops.sssd role can be used to manage the System Security Services Daemon (
sssd
), an alternative approach to centralized credentials managed by remote databases like LDAP or Active Directory.
General
The new
bootstrap-sss.yml
Ansible playbook can be used to provision a new host with LDAP support based on the sssd service instead of the nslcd and nscd services.The debops.apache and debops.nginx roles will configure the managed websites to opt-out from the Federated Learning of Cohorts (FLoC) feature by default. This can be turned off on a site-by-site basis.
debops.etckeeper role
The etckeeper script can be configured to send e-mail messages with changes to the system administrator.
debops.ferm role
You can now configure the iptables backend (
nft
orlegacy
) after installing ferm service using the alternatives system. This might be needed on newer OS releases to keep ferm usable.
debops.netbox role
Added wrapper around
manage.py
callednetbox-manage
for NetBox power users.
debops.global_handlers role
New global handlers available to roles:
Refresh host facts
: re-gather host facts using thesetup
Ansible module, required to ensure that Ansible has accurate information about the current host state.Reload service manager
: update the init daemon runtime configuration, useful when new services are added or their systemd configuration changes.Create temporary files
: ensure that files and directories created at system boot by tools like systemd-tmpfiles are present on the host.
Changed
Updates of upstream application versions
In the debops.ipxe role, the Debian Buster netboot installer version has been updated to the next point release, 10.9.
In the debops.roundcube role, the Roundcube version installed by default has been updated to
1.4.11
.The debops.elasticsearch, debops.kibana and debops.filebeat roles were updated to use the debops.extrepo role to configure the Elastic.co APT repositories. This will result in installation of ES, Kibana and Filebeat 7.x versions by default on new installations; existing installations will not be automatically upgraded by the roles, but the packages themselves might be upgraded by other APT mechanisms.
In the debops.netbox role, the NetBox version has been updated to
v2.11.2
.In the debops.owncloud role, the Nextcloud version has been updated to
v20.0
.19.0
support has been dropped.The
lxc_ssh.py
connection plugin that enables management of LXC containers without the need of an sshd server installed inside of the containers has been refreshed to get latest changes in the upstream project and make it work correctly on newer Ansible releases.
Continuous Integration
The Vagrant provisioning script now installs Cryptography from the Debian archive instead of from PyPI.
The ansible-lint check will now use Ansible playbooks as the starting point to test the whole codebase. Roles and playbooks not included in the
site.yml
playbook can be tested manually if needed.
debops.boxbackup
role
Some of the default variables in the role have been renamed to aoid using uppercase letters in variables.
debops.dovecot role
The LDAP user filer has been changed to use the
mailRecipient
LDAP object class from the mailservice LDAP schema to lookup mail accounts. Ensure that your LDAP directory has correct information before applying the change in production.If the LDAP entry of a mail user has the
mailHomeDirectory
attribute, it will be used to specify the mail home directory relative to the mail root directory, instead of generating one which depends on the domain and username of a given account.
debops.lxc role
On hosts which use LXC v4.0.x, for example with Debian Bullseye as the operating system, the role will configure new LXC containers to not drop the
CAP_SYS_ADMIN
capability by default. This is required for correct container operation on this version of LXC.
debops.owncloud role
ownCloud is not supported in the latest version of DebOps due to lack of maintainers. Use DebOps v2.2.x if you need it and consider becoming a maintainer.
debops.postgresql_server role
The autopostgresqlbackup script will not be installed on Debian Bullseye because the package was dropped from that release.
debops.postldap role
The Postfix LDAP integration is redesigned to use the mailservice LDAP schema for account and mailbox management. There are extensive changes in how the Postfix service utilizes the LDAP directory; existing installations will have to update their LDAP directory entries. Please test these changes in a development environment before applying them in production.
debops.python role
The support for Python 2.7 environment will be enabled only when explicitly requested using the
python__v2
variable. This should avoid issues with installation of Python 2.7 packages on Debian Bullseye and later.
debops.roundcube role
The address autocompletion will show only a specific e-mail address instead of all available ones for a given recipient.
The role will configure Roundcube to search the LDAP directory for a given user's Distinguished Name when their LDAP entry uses a different attribute than
uid
as RDN. Directory will be searched using the Roundcube's own login credentials. See LDAP Directory Information Tree for details.The
new_user_identity
plugin will be re-enabled by default and adjusted to use themail
attribute to search for user identities. Roundcube v1.4.x installations might need to be patched for the plugin to work correctly with user-based LDAP logins.
debops.saslauthd role
The SMTPd service will search for
mailRecipient
LDAP Object Class instead of theinetOrgPerson
Object Class to authenticate mail senders.
Changes to DebOps Enhancement Proposals
DEP 3 - Sources of software used by DebOps now requires for roles that configure upstream APT repositories to use
debops.extrepo
instead of the previously used way of including the OpenPGP fingerprint and repo details in the role. This applies to all new roles. Existing roles will be updated over time.
Fixed
General
The debops-defaults script should now correctly display role defaults, without trying to add the
debops.
prefix to the role names.The debops-update script should now correctly detect cloned DebOps monorepo.
The debops script will no longer check Ansible version to work around an issue that was fixed in Ansible 2.0.
debops.ansible_plugins role
In the
parse_kv_config
custom Ansible filter, correctly skip configuration entries which have been marked with theignore
state.
debops.apt role
The role configured the Debian Bullseye security repository with the 'bullseye/updates' suite name. This is incorrect, the Bullseye security suite is called 'bullseye-security'.
debops.core role
Fixed local fact script execution on hosts without a defined DNS domain. You might need to remove the
core.fact
script from the remote host manually so that Ansible can gather facts correctly before the fixed version of the script can be installed. To do that on all affected hosts, execute the command:ansible all -b -m file -a 'path=/etc/ansible/facts.d/core.fact state=absent'
debops.cron role
Fix role execution on hosts without systemd as the service manager.
debops.etesync role
The EteSync playbook is now included in the default DebOps playbook.
debops.ferm role
The management of the iptables backend symlink using the 'alternatives' system is disabled on Debian 9, where it is unsupported.
debops.iscsi role
Fixed a typo that caused the iSCSI target discovery task to fail.
debops.netbox role
NetBox crashed when it tried to send Emails. For example when an exception occurred during page loading, the response was just "Internal Server Error". The service as a whole survives this. The bug in the configuration template has been fixed.
debops.opendkim role
Restored compatibility with Ansible versions prior to 2.10 by omitting the
regenerate
parameter of the openssl_privatekey module on those versions.
debops.pki role
The pki-realm script will now attempt another ACME certificate request in case the previous attempt failed and was more than two days ago. The previous situation was that the script would not perform any ACME requests if the acme/error.log file was present in the PKI realm, because performing multiple certificate issuance requests could easily trigger a rate limit. The downside of this was that the script would also completely give up on renewal attempts if the first attempt happened to fail (e.g. due to some issue at Let's Encrypt).
debops.php role
Fixed an issue where role did not have a list of PHP packages for an unknown OS release which stopped its execution. Now the role should fallback to a default list in this case.
debops.python role
Fixed an issue where the "raw" Python play used during host bootstrapping hanged indefinitely, stopping the playbook execution. The role will now reset the connection to the host after preparing the Python environment, allowing Ansible to re-estabilish the communication channel properly.
debops.saslauthd role
The saslauthd daemon should correctly use the local and realm parts in the
user@realm
logins for authentication using LDAP directory.
debops.sudo role
The role no longer adds a duplicate includedir line to /etc/sudoers. This was an issue with sudo 1.9.1 (and later), which changed the includedir syntax from '#includedir' to '@includedir'.
Use the English locale to read the sudo version information since the output differs in different languages.
debops.system_users role
Use the Python version detected on the Ansible Controller instead of the remote host to run the UNIX account fact gathering script.
Security
debops.hashicorp role
Due to a security incident, the existing Hashicorp release GPG key has been rotated. The role will remove the revoked GPG key and install new one when applied on a host.
debops v2.2.0 - 2021-01-31
Added
New DebOps roles
The debops.dhcrelay role can be used to manage the ISC DHCP Relay Agent, which forwards DHCP traffic between networks. This role replaces the dhcrelay functionality in debops.dhcpd.
The debops.global_handlers Ansible role provides a central place to maintain handlers for other Ansible roles. Keeping them centralized allows Ansible roles to use handlers from different roles without including them entirely in the playbook.
The debops.filebeat role can be used to install and configure Filebeat, a log shipping agent from Elastic, part of the Elastic Stack.
General
The
tools/reboot.yml
can be used to reboot DebOps hosts even if they are secured by themolly-guard
package.The code in the DebOps monorepo is now checked using GitHub Actions, which will replace Travis-CI. Thank you, Travis, for years of service. :)
LDAP
The next available UID and GID values can now be tracked using special LDAP objects in the directory. These can be used by the client-side account and group management applications to easily allocate unique UID/GID numbers for newly created accounts and groups.
The objects will be created automatically with the next available UID/GID values by the
ldap/init-directory.yml
playbook. In existing environments users might want to create them manually to ensure that the correctuidNumber
andgidNumber
values are stored instead of the default ones which might already be allocated.The
root
UNIX account will now have full write access to the main directory via theldapi://
external authentication and can create and modify the LDAP objects and their attributes. This is required so that the debops.slapd role can initialize the directory tree and create/remove the ACL test objects as needed.
debops.apt role
The role facts now include the main APT architecture (
amd64
, for example) and a list of foreign architectures if any are enabled. Theansible_local.apt.architecture
fact can be used in other roles that need that information.
debops.apt_install role
The role now installs CPU microcode packages on physical hosts by default. These firmware updates correct CPU behaviour and mitigate vulnerabilities like Spectre and Meltdown. You still need to take measures to protect your virtual machines; for this, take a look at the QEMU documentation.
debops.icinga role
The role can now create Icinga configuration on the Icinga "master" node via task delegation. This can be useful in centralized environments without Icinga Director support.
debops.lvm role
Default LVM2 configuration for Debian Stretch and Buster has been added.
debops.owncloud role
Drop Nextcloud 16, 17 and 18 support because it is EOL. You need to upgrade Nextcloud manually if you are running version 18 or below. The role now defaults to Nextcloud 19 for new installations.
debops.postgresql role
The role can now drop PostgreSQL databases and remove roles when their state is set to
absent
in the Ansible inventory.
debops.resources role
Support manipulating file privileges using the Linux capabilities(7) with the help of the Ansible capabilities module.
debops.roundcube role
The role will enable more plugins by default:
help
,markasjunk
,password
(only with LDAP).Roundcube will offer local spell checking support by default with
Enchant
library. English language is supported by default, more languages can be added via Ansible inventory.
debops.slapd role
Support for the dynamic LDAP groups maintained by the AutoGroup overlay has been implemented in the role. Debian Buster or newer is recommended for this feature to work properly.
A set of FreeRADIUS LDAP schema has been added to the role. RADIUS Profiles, Clients and FreeRADIUS DHCP configuration can be stored in the LDAP directory managed by DebOps and used by the debops.freeradius Ansible role.
Support for empty LDAP groups has been added via the groupfentries schema with a corresponding
memberOf
overlay. This change changes the order of existing overlays in the LDAP database which means that the directory server will have to be rebuilt.New orgstructure schema provides the
organizationalStructure
LDAP object class which is used to define the base directory objects, such asou=People
,ou=Groups
, etc.Members of the
cn=LDAP Administrator
LDAP role can now manage the server configuration stored in thecn=config
LDAP subtree.
debops.sysctl role
The role can now be enabled or disabled conditionally via Ansible inventory. This might be required in certain cases, for example LXD containers or systems protected with AppArmor rules, which make the
/proc/sys/
directory read-only.
Changed
Updates of upstream application versions
In the debops.ipxe role, the Debian Stretch and Debian Buster netboot installer versions have been updated to their next point releases, 9.13 and 10.7 respectively.
In the debops.roundcube role, the Roundcube version installed by default has been updated to
1.4.10
.In the debops.owncloud role, the Nextcloud version installed by default has been updated to
v18.0
.In the debops.phpipam role, the phpIPAM version installed by default has been updated to
v1.4.1
.In the debops.netbox role, the NetBox version has been updated to
v2.10.3
. The plugin support added inv2.8.0
can be configured from DebOps. The NetBox Request Queue Worker service is configured to support background jobs like reports to work.The debops.mariadb and debops.mariadb_server roles now support installation of Percona Server/Client v8.0 from upstream APT repositories.
General
The
debops.debops
role has been renamed to the debops.controller role to allow for thedebops__
variable namespace to be used for global variables. All role variables have been renamed along with the role inventory group, you will have to update your inventory.Most of the handers from different DebOps roles have been moved to the new debops.global_handlers role to allow for easier cross-role handler notification. The role has been imported in roles that rely on the handlers.
The
debops-contrib.*
roles included in the DebOps monorepo have been renamed to drop the prefix. This is enforced by the new release of the ansible-lint linter. These roles are not yet cleaned up and integrated with the main playbook.The dependency on
pyOpenSSL
has been removed. This dependency was required in Ansible < 2.8.0 because these versions were unable to use thecryptography
module, but DebOps is nowadays developed against Ansible 2.9. pyOpenSSL was used only to generate private RSA keys for the debops.opendkim role. Switching tocryptography
is also a security precaution and the Python Cryptographic Authority recommends doing so.
LDAP
The LDAP-POSIX integration can now be disabled using a default variable. This will disable LDAP support in the POSIX environment and specific services (user accounts, PAM, sshd, sudo) while leaving higher-level services unaffected.
The LDAP directory structure creation has been moved from a separate
ansible/playbooks/ldap/init-directory.yml
playbook into the debops.slapd role to allow for better ACL testing. The playbook is still used for administrator account creation.The base directory objects created by the debops.slapd role (
ou=People
,ou=Groups
, etc.) as well as other DebOps roles (debops.dokuwiki, debops.ldap, debops.postldap) changed their structural object type fromorganizationalUnit
toorganizationalStructure
. Existing directories should not be affected by this change, but users might want to update them using the backup and restore procedure to allow for more extensive ACL rules in the future.
debops.core role
The fact script will generate the list of private e-mail addresses used to send administrative mail notifications based on the list of admin accounts and the detected domain of the host; this can be overridden via the
core__admin_private_email
variable. The change is done to avoid sending mail messages to 'account-only' addresses on hosts without local mail support.
debops.dhcpd role
The
debops.dhcpd
role has been largely rewritten in order to support both IPv4 and IPv6 on the same server, and to modernize many aspects of the role.The DHCP Relay Agent functionality has been moved to debops.dhcrelay.
debops.docker_server role
The role's virtual environment is no longer created by default when
docker_server__upstream
isFalse
. This does not impact existing virtualenvs. You can remove/usr/local/lib/docker/virtualenv
yourself if you like.
debops.etckeeper role
The role now installs etckeeper on all hosts by default, not just on hosts that have a Python 2 environment. etckeeper is also installed from buster-backports instead of the main Debian 10 repository.
debops.fhs role
The role will create the
/srv/www/
directory by default to allow for home directories used by web applications.
debops.gitlab role
The systemd services no longer require Redis to be installed on the same host as GitLab itself.
Improved support for GitLab Pages, including optional access control and fixed configuration of the systemd service.
debops.grub role
The role will now activate both the serial console and the (previously disabled) native platform console when
grub__serial_console
isTrue
.
debops.icinga_web role
The role now automatically configures LDAP user and group support.
The role will install and configure the Icinga Certificate Monitoring module.
debops.lvm role
Linux Software RAID devices are now scanned by default.
debops.lxd role
During installation, the role will enable trust for the GitHub's GPG signing key to allow for verification of the LXD source code. Check the LXD installation details for more information.
debops.nginx role
The default SSL configuration used by the role has been updated to bring it to the modern standards. By default only TLSv1.2 and TLSv1.3 protocols are enabled, along with an improved set of ciphers. The HTTP Strict Transport Security age has been increased from 6 months to 2 years. The configuration is based on the intermediate Mozilla SSL recommendations to support wide range of possible clients.
The server can be configured to support TLSv1.3 protocol only using the
nginx_default_tls_protocols
variable, which will disable the use of custom Diffie-Hellman parameters and allow the HTTPS clients to select their own preferred ciphers to use for connections. The preferred set of ciphers will also change to Mozilla modern variant. Keep in mind that not all clients support this configuration.
debops.postfix role
Postfix
main.cf
configuration overrides are now written to themaster.cf
configuration file using 'long form' notation supported since Postfix 3.0. This allows specifying parameter values that contain whitespace.The DSN command is now disabled by default. DSN (RFC 3464) gives senders control over successful and failed delivery status notifications. This allows spammers to learn about an organization's internal mail infrastructure, and gives them the ability to confirm that an address is in use. When DSN support is disabled, Postfix will still let the SMTP client know that their message has been received as part of the SMTP transaction; they just will not get successful delivery notices from your internal systems.
The ETRN command is now disabled by default. ETRN, also known as Remote Message Queue Starting (RFC 1985), was designed for sites that have intermittent Internet connectivity, but is rarely used nowadays.
debops.resolvconf role
The 'domain', 'nameservers' and 'search' variables have been removed from the resolvconf Ansible local facts script. You are encouraged to use the ansible_domain, ansible_dns.nameservers and ansible_dns.search variables instead.
debops.slapd role
The role will set up an additional instance of the
memberof
OpenLDAP overlay to update role membership in theorganizationalRole
LDAP objects. This change modifies the list of overlays and will require re-initialization of the OpenLDAP directory.New equality indexes have been added to the slapd service:
roleOccupant
,memberOf
andemployeeNumber
.The
eduperson.schema
LDAP schema has been extended with additional attributes not present in the official specification. The new schema will not be applied automatically on existing installations.In the OpenLDAP ACL rules, authenticated object owners can now re-authenticate themselves using the
userPassword
attribute. This is needed for the LDAP Password Modify Extended Operation (RFC 3062) to work correctly in Roundcube.In the
mailservice.schema
LDAP schema, themailACLGroups
attribute has been renamed tomailGroupACL
since this seems to be the name used by different applications like Dovecot and Roundcube.This change will not be applied automatically in an existing LDAP directories - they will need to be rebuilt to apply new schema changes.
The role will install a modified OpenSSH-LPK schema instead of the version from the FusionDirectory project, to add support for storing SSH public key fingerprints in the LDAP directory. Existing installations shouldn't be affected.
The slapacl test map with additional object RDNs has been redesigned into a list of test LDAP objects which can be created or removed by the role as needed. They will not be added to the directory by default and can be enabled via Ansible inventory.
The support for OpenLDAP monitoring is improved. The
root
UNIX account as well as members of the "LDAP Administrator" and "LDAP Monitor" roles can now read thecn=Monitor
information.
Removed
debops.ldap role
Creation of various LDAP directory objects (
ou=People
,ou=Groups
, ...) has been removed from the default list of LDAP tasks performed by the role. These objects are now automatically created by the debops.slapd role. The debops.ldap role will still ensure that all LDAP objects needed to maintain the hosts' directory information are present.
Fixed
General
Fixed an issue where the debops scripts did not expand the
~/
prefix of the file and directory paths in user home directories.Fixed an issue with custom lookup plugins (
task_src
,file_src
,template_src
) which resulted in Ansible 2.10 not finding them correctly.
LDAP
The
ldap/init-directory.yml
playbook will correctly initialize the LDAP directory when the local UNIX account does not have any GECOS information.
debops.apt role
Fixed an issue where the role would attempt to add APT keys from a PGP keyserver without installing the gnupg package first.
debops.dokuwiki role
A few custom DokuWiki plugins will be removed if installed, otherwise they will not be installed anymore due to issues with newest DokuWiki release. Affected plugins:
advrack
,rst
,gitlab
,ghissues
.Ensure that the
authldap
DokuWiki plugin is enabled when LDAP support is configured by the role.
debops.etherpad role
Fixed the installation of Etherpad with the PostgreSQL backend by removing unused dependent variables.
debops.fail2ban role
Fixed the configuration support on Ubuntu Focal due to bantime feature changes in the fail2ban v0.11.
debops.fcgiwrap role
The role can now be used in check mode without throwing an AnsibleFilterError.
debops.gitlab role
Fixed an issue where the
git
UNIX account was not added to the_sshusers
local group when LDAP support was enabled on the host. This prevented the usage of GitLab via SSH.
debops.ifupdown role
Network configuration with bonded interfaces should now be correctly applied by the reconfiguration script.
debops.iscsi role
Fixed uninitialized local fact
ansible_local.iscsi.discovered_portals
.
debops.ldap role
Fixed multiple issues with adding and updating hosts to the LDAP directory when these hosts were configured for network bonding.
debops.lvm role
Fixed an issue where the role would fail in check mode. The role tries to simulate creating a filesystem, but this failed when the underlying LVM volume did not actually exist (which is to be expected when running in check mode).
Made default behaviour match the documentation: the role now automatically takes care of mounting a filesystem on an LVM volume if the mount point is specified with
item.mount
. This previously required setting theitem.fs
parameter toTrue
as well.
debops.nginx role
Disabled gzip compression of text/vcard MIME types. Vcards contain, by nature, sensitive information and should not be gzipped to prevent successful BREACH attacks.
debops.netbox role
Fixed initial superuser account creation.
debops.nslcd role
Enabled idle_timelimit to make sure that connections to the LDAP server are properly closed. A disabled or too high idle_timelimit causes the LDAP server to time out, resulting in nslcd errors like "ldap_result() failed: Can't contact LDAP server".
debops.nfs role
Ensure that with default mount options disabled, options specified by the user still are added in the configuration.
debops.ntp role
Don't try to disable or stop the
systemd-timesyncd
service when using an alternative NTP service implementation andsystemd-timesyncd
is not available.
debops.owncloud role
Fixed multiple issues which caused dry runs of the debops.owncloud role to incorrectly show pending changes or fail altogether.
debops.php role
Set correct APT preferences for the Backports or Sury APT repository to the
libapache2-mod-php*
APT packages to ensure that the selected repository is the same as thephp*
APT packages.
debops.pki role
The acme-tiny script will be installed from Debian/Ubuntu repositories on Debian Buster, Ubuntu Focal and newer OS releases. This solves the issue with
acme-tiny
script in upstream having#!/usr/bin/env python
shebang hard-coded which makes the script unusable on hosts without Python 2.7 installed.The installation location of the script from upstream is changed from
/usr/local/lib/pki/
to/usr/local/bin/
to leverage the$PATH
variable so that the OS version is used without issues. The script is now also symlinked into place instead of copied over.
debops.postgresql_server role
Rename the
wal_keep_segments
PostgreSQL configuration option towal_keep_size
on PostgreSQL 13 and later to avoid issues with starting the database service. You might need to update the inventory configuration if you use this parameter.Fixed an issue with the role always reporting "changed" state due to
postgresql_privs
Ansible module not detecting changes in thePUBLIC
PostgreSQL role.
debops.python role
The
python-pip
APT package will be installed only on older OS releases, since it has been removed from newer OS releases like Debian Bullseye and Ubuntu Focal.
debops.rsnapshot role
Fixed an issue which caused dry runs of the debops.rsnapshot role to fail.
debops.rsyslog role
Fixed the forgotten
rsyslog__send_permitted_peers
variable which defines what server is accepted by the client during TLS handshakes. The value will now be defined using thestreamDriverPermittedPeers
parameter in rsyslog configuration.
debops.saslauthd role
Fixed SMTP AUTH e-mail authentication for satellite hosts. Mail messages sent by nullmailer and authenticated using LDAP should now be accepted by the SMTP server.
debops.slapd role
Modify the
mailservice.schema
LDAP schema so that various mail-related attributes do not use themail
attribute as SUPerior attribute. This fixes an issue where searching formail
attribute values returned entries with the values present in related attributes, for examplemailForwardTo
, causing problems with account lookups.This change will require the rebuild of the OpenLDAP directory to be applied correctly. The role will not apply the changes on existing installations automatically due to the
mailservice.schema
being loaded into the database.The slapd-snapshot script will now correctly create database snapshots when the
cn=Monitor
database is disabled or not configured.
debops.snmpd role
Don't create or modify the home directory of the snmpd UNIX account to avoid issues on Ubuntu 20.04.
debops.system_users role
Fixed an issue where the role execution broke if the
system_users__self_name
variable was set to an UNIX account which does not exist on the Ansible Controller, for exampleansible
. The role will now correctly create such UNIX accounts on the remote hosts with default GECOS and shell values.
debops.tinc role
Fix issue with Tinc VPN interfaces starting before the general host networking is set up and failing to bind to the selected bridge interface. The Tinc systemd service will wait for the
network-online.target
unit to start up before activation.Fixed an issue with the role where setting
tinc__modprobe
variable toFalse
did not turn off support for loading required kernel modules.
debops v2.1.0 - 2020-06-21
Added
New DebOps roles
The debops.etesync role allows to setup a EteSync server. EteSync is a cross-platform project to provide secure, end-to-end encrypted, and privacy respecting sync for your contacts, calendars and tasks.
The debops.journald role can be used to manage the systemd-journald service, supports configuration of Forward Secure Sealing and can configure persistent storage of the log files. The role is included by default in the
common.yml
playbook.The debops.dpkg_cleanup role can create dpkg hooks that help clean up custom and diverted files created by other roles when a given Debian package is removed. This should aid in cases of multiple roles managing services that provide the same functionality.
The debops.influxdata role configures the APT repository and repository GPG keys of InfluxData company, creator of InfluxDB, Telegraf and other metric and time series tools.
The debops.influxdb_server and debops.influxdb roles can be used to install the InfluxDB time series database service and manage its databases and users, respectively.
The debops.fhs role will be used to define base directory hierarchy used by other DebOps roles (previously done by the debops.core role). The role is included in the
common.yml
playbook.The debops.tzdata role manages the host time zone configuration and provides the
ansible_local.tzdata.timezone
local fact with the time zone in theArea/Zone
format. The role is included in thecommon.yml
playbook.
debops.pki role
The role can now instruct acme-tiny to register an ACME account with one or more contact URLs. Let's Encrypt for example uses this information to notify you about expiring certificates and emergency revocation.
The debops.dovecot and debops.postfix roles now include the PKI hook scripts which will reload their corresponding services when the X.509 certificates used by them are changed.
debops.postconf role
The additional Postfix configuration managed by the role can now be added or removed conditionally, controlled by the
postconf__deploy_state
variable.
debops.python role
Introduce
python__pip_version_check
which defaults toFalse
to disable PIP update checks outside of the system package manager. Before, this was not configured by DebOps leaving it at PIP default which meant it would check for updates occasionally.
debops.resources role
Add support for the
access_time
andmodification_time
parameters of the Ansible file module to the role.
debops.roundcube role
The role can now be configured to install Roundcube from private or internal git repositories that might contain additional modifications to the application code required by some organizations. See the Deployment from private or internal git repository section in the documentation for details.
Changed
Updates of upstream application versions
In the debops.ipxe role, the Debian Stretch and Debian Buster netboot installer versions have been updated to their next point releases, 9.11 and 10.4 respectively.
In the debops.owncloud role, the Nextcloud version installed by default has been updated to
v17.0
. The ownCloud version has been updated tov10.4
.In the debops.roundcube role, the Roundcube version installed by default has been updated to
v1.4.4
.In the debops.lxd role, the LXD version installed by default has been changed to the
stable-4.0
branch, which is a LTS release. The role uses a git branch instead of a specific tagged release to bypass broken LXD build dependency which is not yet fixed in a tagged release.In the debops.gitlab role, the GitLab release installed on Debian Buster and newer OS releases is updated to
12-10-stable
.This release requires Golang packages from
buster-backports
APT repository, which will be installed by default via the debops.golang role. Existing installations need to upgrade the Golang packages before the playbook is applied.In the debops.ansible role, Ansible 2.9.x from the
buster-backports
repository will be installed on Debian Buster by default, when backports are enabled.The debops.mailman role has been redesigned and now installs and configures Mailman 3.x instead of Mailman 2.x. Read the Migration from Mailman 2.x to Mailman 3.x guide and the rest of the debops.mailman documentation for details.
Continuous Integration
The Vagrant provisioning script will install Ansible from PyPI by default. The version included in the current Debian Stable (Buster) is too old for the DebOps playbooks and roles.
General
The DebOps Collection published on Ansible Galaxy has been split into multiple Collections due to the number of Ansible roles present in DebOps. The
debops.debops
collection will install additionaldebops.rolesXY
collections automatically via collection dependencies. The playbooks have been updated to include new Collections.The DebOps repository is now compliant with the REUSE Specification. The SPDX License Identifiers have been added to the files contained in the repository and a valid copyright and license information will be required to pass the test suite.
In new DebOps environments, Ansible will ignore any missing inventory groups using the
host_pattern_mismatch
parameter. This will disable the "Could not match supplied host pattern" warning message present in most of the playbooks included in DebOps. To disable this message in an existing environment, add in the.debops.cfg
configuration file:[ansible inventory] host_pattern_mismatch = ignore
The debops script will now use the Ansible inventory path defined in the
.debops.cfg
configuration file[ansible defaults]
section instead of the staticansible/inventory/
path.The variables in various DebOps roles that define filesystem paths have been switched from using the
ansible_local.root.*
Ansible local facts to the newansible_local.fhs.*
facts defined by the debops.fhs role. The new facts use the same base paths as the old ones; there should be no issues if the variables have not been modified through Ansible inventory.If you have redefined any
core__root_*
variables in the Ansible inventory to modify the filesystem paths used by DebOps roles, you will need to update the configuration. See the debops.fhs role documentation for details.The use of
ansible_local.core.fqdn
andansible_local.core.domain
local facts in roles to define the host DNS domain and FQDN has been removed; the roles will use theansible_fqdn
andansible_domain
facts directly. This is due to issues with the debops.core local facts not updating when the host's domain is changed and causing the roles to use wrong domain names in configuration.
debops.cran role
The custom
cran
Ansible module used by the role has been moved to the debops.ansible_plugins role to allow it to be used via Ansible Collection system, which requires all plugins to be centralized.
debops.etc_aliases role
The custom filter plugin used by the role has been moved to the debops.ansible_plugins role to allow it to be used via Ansible Collection system, which requires all plugins to be centralized.
debops.golang role
On Debian Buster, Golang APT packages from the
buster-backports
APT repository will be preferred instead of their Buster version. This allows for installation of applications that depend on a newer Go runtime environment, like GitLab or MinIO.
debops.lxd role
The support for the LXC containers managed by the debops.lxc role will be applied on the host when the LXD is configured, due to the build dependency on the
lxc
APT package. In this case, thelxcbr0
network bridge will not be configured by default.
debops.mosquitto role
Update the role for Debian Buster. No need anymore to install Python packages outside of the system package management.
debops.nginx role
TLSv1.3 is now enabled by default for nginx version 1.13.0 and up.
debops.nullmailer role
The Nullmailer smtpd service can now listen on both IPv4 and IPv6 addresses. It listens on both loopback addresses by default, where it used to only listen on the IPv6 loopback address.
debops.owncloud role
Support has been added for Nextcloud 17.0 and 18.0.
debops.pki role
Use
inventory_hostname
variable instead of theansible_fqdn
variable in paths of the directories used to store data on Ansible Controller. This decouples the host FQDN and domain name from the certificate management tasks in the role.Note
The role will try to recreate existing X.509 certificates making the playbook execution idempotent. Removing the PKI realms and recreating them will fix this issue.
debops.postfix role
The persistent configuration stored on the Ansible Controller has been refactored and does not use multiple separate tasks to handle the JSON files.
debops.rsyslog role
The role has been refreshed and uses the custom Ansible filter plugins to manage the rsyslog configuration files. The default configuration was rearranged, the
/etc/rsyslog.conf
configuration file has the default contents that come with the Debian package and can be configured by the role. The configuration model has been redesigned; any changes in the configuration of the role set in the Ansible inventory need to be reviewed before applying the new version.The
rsyslog
APT package and its service can be cleanly removed from the host, either via the role or by uninstalling the package itself.
Removed
debops.console role
The local and NFS mount support has been removed from the debops.console role. Local mounts can be managed using the debops.mount role; NFS mounts can be managed by the debops.nfs role.
debops.core role
The
ansible_local.uuid
local fact and corresponding variables and tasks have been removed from the role. A replacement fact,ansible_machine_id
is an Ansible built-in.The
ansible_local.init
fact has been removed from the role. A nativeansible_service_mgr
Ansible fact is it's replacement.The
ansible_local.cap12s
fact has been removed from the role. A native set of Ansible facts (ansible_system_capabilities
,ansible_system_capabilities_enforced
is be used as a replacement.The
root.fact
script, corresponding variables and documentation have been removed from the role. This functionality is now managed by the debops.fhs role.The
ansible_local.core.fqdn
andansible_local.core.domain
local facts and their corresponding default variables have been removed from the role. In their place,ansible_fqdn
andansible_domain
facts should be used instead.
debops.ntp role
The timezone configuration has been moved from the debops.ntp role to the debops.tzdata role.
debops.nullmailer role
The script and dpkg hook that cleaned up the additional files maintained by the role has been removed; the debops.dpkg_cleanup role will be used for this purpose instead.
Fixed
General
Fix an issue with Ansible Collections where roles used via the
include_role
Ansible module broke due to the split into multiple collections. All roles will now have thedebops.debops
collection included by default in themeta/main.yml
file to tell Ansible where to look for dependent roles.Fix an issue with the collection creation script where the role files that contained multiple uses of a particular custom Ansible plugin, for example
template_src
orfile_src
, were modified multiple times by the script.
debops.apt role
Fix BeagleBoards detection with Debian 10 image. Tested with a BeagleBoards Black.
debops.cron role
Fix creation of empty environment variables in cron configuration files managed by Ansible.
debops.dnsmasq role
dnsmasq__public_dns
did not create a firewall allow rule when no interfaces where specified.
debops.ferm role
Fixed incorrect removal of the ferm rule set by debops.avahi on IPv6-enabled systems.
debops.gitlab_runner role
Don't re-create removed
/etc/machine-id
contents during Vagrant box creation. This should fix issues with IP addresses received from DHCP by the Vagrant machines.Warning
This fix is applied using the patch command on the files packaged by APT. Existing installations will have to be updated manually, alternatively the changes applied previously should be removed from the affected files before the role is applied. See the patch files in the role
files/patches/
directory for more information.The GitLab package repository signing key has been replaced with the new key that has been in use since 2020-04-06, allowing APT to update package lists again. See the GitLab.com blog for more information about this change.
debops.minio role
Fix an issue during installation of recent MinIO releases, where during an initial restart the MinIO service would switch into "safe mode" when a problem with configuration is detected; this would prevent the service to be restarted correctly. Now the service should be properly stopped by systemd after a stop timeout.
debops.netbase role
Use short timeout for DNS queries performed by the Ansible local fact script, in case that the DNS infrastructure is not configured. This avoids 60s timeouts during Ansible fact gathering in such cases.
debops.nginx role
The role now always sets the HTTP Strict Transport Security header when it is enabled, regardless of the response code.
debops.postgresql_server role
In the autopostgresqlbackup script, use the su - postgres command instead of the su postgres command to start a login shell and switch to the correct home directory of the
postgres
user instead of staying in the/root/
home directory. This avoids the issue during execution of the script via cron where it would emit errors about not being able to change to the/root/
home directory due to the permissions.
debops.roundcube role
Use the Roundcube version from Ansible local facts instead of the one defined in role default variables to detect if a database migration is required after Roundcube git repository is updated.
debops.slapd role
Move the Private Enterprise Number and LDAP namespace OIDs of the DebOps organization to a separate
debops.schema
file to avoid duplicated OIDs in thecn=schema
LDAP subtree.Existing installations might need to be recreated to avoid warnings about duplicate OIDs emitted during OpenLDAP operations.
debops v2.0.0 - 2020-01-30
Added
New DebOps roles
The debops.lxd role brings support for LXD on Debian hosts by building the Go binaries from source, without Snap installation.
General
The DebOps Python package now includes the
debops.<role>(5)
manual pages for most of the DebOps roles with details about role usage, variable definition and the like. The manual pages are based on the existing role documentation.The DebOps project directories can now include the
ansible/global-vars.yml
file which can be used to define global Ansible variables that can affect playbook initialization.
debops.docker_registry role
The
docker_registry__basic_auth_except_get
variable allows to setup a simple authentication schema without the need to deploy a fully blown Docker Registry Token Authentication.
debops.docker_server role
Add docker_server__install_virtualenv setting to disable python virtualenv installation.
debops.gitlab_runner role
The role can now use DNS SRV resource records to find the GitLab API host address. Additionally, GitLab Runner token can be stored in the
secret/
directory in a predetermined location to avoid exposing it via the Ansible inventory. See the role documentation for details.
debops.icinga role
The role now configures the Icinga REST API to also listen on IPv6 addresses. It is possible to change the listen address and port through the
icinga__api_listen
andicinga__api_port
variables.
debops.nslcd role
The role will now use a LDAP host filter by default, to allow for easy control over what UNIX accounts and UNIX groups are present on which hosts using the
host
LDAP attribute.
debops.postgresql_server role
A given PostgreSQL server cluster can be configured to enable standby replication mode, and receive streaming replication data from a master PostgreSQL server. See role documentation for examples.
The autopostgresqlbackup script can be configured to tell the pg_dump command to compress the generated backup files on the fly instead of creating a separate
.sql
file and compressing it afterwards. This mode is currently disabled by default.
debops.resolvconf role
The role can now define static DNS configuration to be merged with other DNS data sources in the
/etc/resolv.conf
configuration file.
debops.roundcube role
The Roundcube installation is now more integrated with the DebOps environment. The role will automatically configure Redis and memcached support if they are detected on the Roundcube host, which should improve application performance.
If LDAP infrastructure is detected on the host, Roundcube will be configured to use the LDAP directory managed by DebOps as an address book.
The ManageSieve Roundcube plugin will be enabled by default to allow configuration of Sieve filter scripts. The role will use the DNS SRV resource records to find the Sieve service host and port to use.
The role can now use PostgreSQL as a database backend. The database server can be managed with the debops.postgresql_server role.
debops.slapd role
The mailservice LDAP schema has been added to the debops.slapd role. It provides a set of object classes and attributes useful for defining e-mail recipients and simple mail distribution lists in the LDAP directory.
Changed
General
Reorder
bootstrap.yml
Ansible playbook to also work for systems freshly installed from CD. debops.apt needs to be run early to regenerate/etc/apt/sources.list
which might still contain a now not functional CD entry.Most of the role dependencies have been moved either to the playbooks or to the role task lists using the
import_role
Ansible module.The official DebOps roles have been renamed and the
debops.
prefix has been dropped from the directory names to better support Ansible Collections. Custom playbooks and role dependencies which use the DebOps roles have to be updated to work again.The
<role_name>/env
"sub-roles" in various DebOps roles have been redesigned for use via theimport_role
Ansible module to improve support for Ansible Collections. Existing Ansible playbooks that use such "sub-roles" will have to be updated; check the playbooks included in DebOps for the new usage examples.The
collections:
keyword was added in all DebOps playbooks to support usage with roles, modules and other plugins in an Ansible Collection. Due to this, Ansible 2.8+ is required to use DebOps playbooks.The paths to the passwords stored in the
secret/
directory by various roles have been changed to use theinventory_hostname
variable instead of theansible_fqdn
variable. This change will result in passwords set in various services to be regenerated, which might have an impact on service availability. See Upgrade notes for details.
Updates of upstream application versions
The RoundCube version installed by the debops.roundcube role has been updated to the 1.4.1 release, which includes a new "Elastic" theme compatible with mobile devices, and other improvements.
The Nextcloud version installed by the debops.owncloud role is updated to Nextcloud 16.0 release. The ownCloud version has been updated to 10.3.
The Icinga Director version installed by the debops.icinga_web role has been updated to the v1.7.2 release. Notable changes in v1.7.x are new German and Japanese translations, side-by-side sync previews, a new background daemon to replace the job runner and new module dependencies. Other Icinga Web modules have also been updated to their latest versions.
LDAP
The
authorizedService
andhost
LDAP attribute values used for access control in various DebOps roles and theldap/init-directory.yml
playbook have been updated and made consistent with the LDAP Access Control documentation. You need to update the LDAP entries that use them before applying these changes on the hosts managed by DebOps. See Upgrade notes for detailed list of changed values.
Mail Transport Agents
The
nullmailer__mailname
and thepostfix__mailname
variables will use the host's FQDN address instead of the DNS domain as the mailname. This was done to not include the hostnames in the e-mail addresses, however this is better handled by Postfix domain masquerading done on the mail relay host, which allows for exceptions, supports multiple DNS domains and does not break mail delivery in subtle ways. See the debops.nullmailer role documentation for an example configuration.
debops.docker_server role
Replace the deprecated docker_server__graph variable with the
docker_server__data_root
variable.
debops.dovecot role
The role gained support for mail accounts stored in the LDAP directory, based on the DebOps LDAP infrastructure. When the LDAP environment is detected on the host, the LDAP support will be enabled automatically, and mail accounts based on POSIX accounts will be disabled.
The default mailbox format used by Dovecot has been changed from
mbox
to Maildir; the user mailboxes will be stored by default in the~/Maildir/
subdirectory of a given user account. On existing installations, the mailboxes might need to be converted and moved manually.Dovecot will use the host DNS domain as the default SASL realm when users will not specify their domain in their login username.
The role should better integrate with the DebOps PKI environment and gracefully disable TLS support when it has not been configured.
The firewall configuration has been redesigned and the debops.dovecot role no longer generates the ferm configuration files directly, instead using the debops.ferm role as a dependency.
Add option to enable ManageSieve by default without the need to update the config_maps, to allow configuration of Sieve filter scripts.
Restored
dovecot__mail_location
to original value of maildir:~/Maildir. It was wrongfully changed to /var/vmail/%d/%n/mailbox if LDAP was enabled. See alsodovecot__vmail_home
.If the LDAP support is enabled, the role will no longer configure Postfix via the debops.postfix role to deliver local mail via Dovecot LMTP service; this breaks mail delivery to local UNIX accounts (for example
root
) which might not have corresponding aliases in the virtual mail database. Instead,virtual_transport
option will be configured to pass mail via LMTP to Dovecot, which then will deliver it to the virtual mailboxes in/var/vmail/
subdirectories.
debops.icinga_web role
The
icinga2-director-jobs.service
systemd service has been replaced withicinga-director.service
. This service manages a new daemon that is required for Icinga Director v1.7.0+.
debops.memcached role
All variables in the role have been renamed from
memcached_*
tomemcached__*
to create the role namespace. You need to update the inventory accordingly.
debops.nullmailer role
The upstream SMTP relay will be detected automatically using DNS SRV resource records, if they are defined.
debops.owncloud role
Drop Nextcloud 15 support because it is EOL. You need to upgrade Nextcloud manually if you are running version 15 or below. The role now defaults to Nextcloud 16 for new installations.
debops.postconf role
If both Dovecot and Cyrus services are installed on a host, Postfix will be configured to prefer Cyrus for SASL authentication. This permits mail relay via the authenticated nullmailer Mail Transfer Agents with accounts in the LDAP directory. The preference can be changed using the
postconf__sasl_auth_method
variable.
debops.roundcube role
The variable that defines the FQDN address of the RoundCube installation has been changed from
roundcube__domain
toroundcube__fqdn
. The default subdomain has also been changed fromroundcube
towebmail
to offer a more widely used name for the application.The default RoundCube installation path defined in the
roundcube__git_dest
variable has been changed and no longer uses the web application FQDN. This should make changing the web application address independent from the installation directory.Due to this change, existing installations will be re-installed in the new deployment path. Checking the changes in a development environment is recommended before deploying them in production environment.
The role will use DNS SRV resource records to find the IMAP and/or SMTP (submission) services to use in the RoundCube Webmail configuration, with a fallback to static subdomains. See IMAP, SMTP and Sieve server detection for more details.
RoundCube will use the user login and password credentials to authenticate to the SMTP (submission) service before sending e-mail messages. This allows the SMTP server to check the message details, block mail with forged sender address, etc. The default configuration uses encrypted connections to the IMAP and SMTP services to ensure confidentiality and security.
User logins that don't specify a domain will have the host domain automatically appended to them during authentication. This solves an issue where use of logins with or without domain for authentication would result in separate RoundCube profiles created in the database.
The Roundcube configuration has been redesigned and now uses the custom Ansible filter plugins to generate the
config/config.inc.php
configuration file. The format of the configuration variables has been changed, you will need to update the Ansible inventory. See roundcube__configuration for more details.Roundcube installation tasks have been cleaned up and the old method of keeping track of the git checkout is replaced by new functionality of the
git
Ansible module. This requires full reinstallation of Roundcube application; see Upgrade notes for more details.Support for Roundcube plugins has been redesigned and now uses custom Ansible filters included in DebOps to manage plugins. The role can install plugins from the Roundcube plugin repository and manage their configuration files. A
set of default plugins
has been defined to make the default Roundcube installation a bit more user-friendly.
debops.ntp role
Chrony will not listen on udp control port on loopback anymore. Unix sockets are a better way for chronyc to talk to chronyd where local access is controlled by file permissions. This is suggested in the Chrony FAQ "How can I make chronyd more secure?".
Chrony: Support
ntp__listen
value*
to make transitioning away fromntpd
easier.Chrony: Reduce default NTP servers considered as time source from 4 pool addresses (from which Chrony used 4 NTP servers each – 16 in total) to just 1 pool address – 4 NTP time sources in total.
Removed
General
Old
[debops_<role_name>]
Ansible inventory groups have been removed from DebOps playbooks. Users should use the[debops_service_<role_name>]
group names instead.
Fixed
debops.docker_server role
Do not add empty entries from docker_server__listen to daemon.json. This causes the docker daemon to not parse the config and crash.
debops.ferm role
The
dmz
firewall configuration will now not interpret the port as part of a IPv6 address anymore. We now protect the IPv6 address by surrounding it by[]
.
debops.gitlab_runner role
Fix issue with GitLab Runner failing test jobs due to the default
~/.bash_logout
script wiping the terminal on logout. The role will skip copying the/etc/skel/
contents on the new installations; existing script will be removed.
debops.nullmailer role
Again, redirect the e-mail messages for local recipients to the central
root
e-mail account (but local to the SMTP relay). This fixes an issue where e-mail messages were left in the mail queue and filled the disk space.
debops.php role
Change the default list of preferred PHP versions to include PHP 7.3 as the preferred version. This should ensure that on hosts with the Ondřej Surý PHP repositories enabled, PHP 7.3 will be installed by default even though newer versions are available. This should solve installation issues with many PHP applications that don't have full support for PHP 7.4+ release yet.
debops v1.2.0 - 2019-12-01
Added
New DebOps roles
Add debops.postldap Ansible role to configure and enable debops.postfix to host multiple (virtual) domains,and thus provide email service to several domains with just one mail server. Currently the Virtual Mail support works only with LDAP enabled, in the future mariaDB could be enabled.
The debops.minio and debops.mcli Ansible roles can be used to install and configure MinIO object storage service and its corresponding client binary.
The debops.tinyproxy role can be used to set up a lightweight HTTP/HTTPS proxy for an upstream server.
The debops.libuser Ansible role configures the libuser library and related commands. This library is used by some of the other DebOps roles to manage local UNIX accounts and groups on LDAP-enabled hosts.
General
Add more entries to be ignored by default by the git command in the DebOps project directories:
debops
: ignore DebOps monorepo cloned or symlinked into the project directory.roles
andplaybooks
: ignore roles and playbooks in development; production code should be put in theansible/roles/
and theansible/playbooks/
directories respectively.
The debops-init script now also creates the .gitattributes file for use with git-crypt. It is commented out by default.
The debops-defaults command will check what pagers (view, less, more) are available and use the best one automatically.
A new Ansible module,
dpkg_divert
, can be used to divert the configuration files out of the way to preserve them and avoid issues with package upgrades. The module is available in the debops.ansible_plugins role.
LDAP
The
ldap/init-directory.yml
Ansible playbook will create the LDAP objectscn=LDAP Replicators
andcn=Password Reset Agents
to allow other Ansible roles to utilize them without the need for the system administrator to define them by hand.The
ldap/get-uuid.yml
Ansible playbook can be used to convert LDAP Distinguished Names to UUIDs to look up the password files if needed.
debops.apt_install role
The open-vm-tools APT package will be installed by default in VMware virtual machines.
debops.dnsmasq role
The role will tell the client applications to disable DNS-over-HTTPS support using the
use-application-dns.net
DNS record. This should allow connections to internal sites and preserve the split-DNS functionality.
debops.dokuwiki role
The role will configure LDAP support in DokuWiki when LDAP environment managed by the debops.ldap Ansible role is detected. Read the LDAP support chapter in the documentation for more details.
debops.cron role
The execution time of the
hourly
,daily
,weekly
andmonthly
cron jobs will be randomized on a per-host basis to avoid large job execution spikes every morning. See the role documentation for more details.
debops.nullmailer role
When the LDAP environment is configured on a host, the debops.nullmailer role will create the service account in the LDAP directory and configure the nullmailer service to use SASL authentication with its LDAP credentials to send e-mails to the relayhost.
debops.pki role
Newly created PKI realms will have a new
public/full.pem
file which contains the full X.509 certificate chain, including the Root CA certificate, which might be required by some applications that rely on TLS.Existing PKI realms will not be modified, but Ansible roles that use the PKI infrastructure might expect the new files to be present. It is advisable to recreate the PKI realms when possible, or create the missing files manually.
debops.saslauthd role
The role can now be used to authenticate users of different services against the LDAP directory via integration with the debops.ldap role and its framework. Multiple LDAP profiles can be used to provide different access control for different services.
debops.slapd role
Add support for eduPerson LDAP schema with updated schema file included in the role.
The role will configure SASL authentication in the OpenLDAP service using the debops.saslauthd Ansible role. Both humans and machines can authenticate to the OpenLDAP directory using their respective LDAP objects.
The lastbind overlay will be enabled by default. This overlay records the timestamp of the last successful bind operation of a given LDAP object, which can be used to, for example, check the date of the last successful login of a given user account.
Add support for nextcloud LDAP schema which provides attributes needed to define disk quotas for Nextcloud user accounts.
The Access Control List rules can now be tested using the slapacl(8) command via a generated test suite script.
The default ACL rules have been overhauled to add support for the
ou=Roles,dc=example,dc=org
subtree and use of theorganizationalRole
LDAP objects for authorization. The old set of rules is still active to ensure that the existing environments work as expected.If you use a modified ACL configuration, you should include the new rules as well to ensure that changes in the debops.ldap support are working correctly.
You can now hide specific LDAP objects from unprivileged users by adding them to a special
cn=Hidden Objects,ou=Groups,dc=example,dc=org
LDAP group. The required ACL rule will be enabled by default; the objects used to control visibility will be created by theldap/init-directory.yml
playbook.New "SMS Gateway" LDAP role grants read-only access to the
mobile
attribute by SMS gateways. This is needed for implementing 2-factor authentication via SMS messages.
debops.unbound role
The role will tell the client applications to disable DNS-over-HTTPS support using the
use-application-dns.net
DNS record. This should allow connections to internal sites and preserve the split-DNS functionality.The role will configure the unbound daemon to allow non-recursive access to DNS queries when a host is managed by Ansible locally, with assumption that it's an Ansible Controller host. This change unblocks use of the dig +trace and similar commands.
Changed
Updates of upstream application versions
In the debops.gitlab role, GitLab version has been updated to
12.2
. This is the last release that supports Ruby 2.5 which is included in Debian Buster.In the debops.ipxe role, the Debian Stretch and Debian Buster netboot installer versions have been updated to their next point releases, 9.10 and 10.2 respectively.
In the debops.netbox role, the NetBox version has been updated to
v2.6.3
.
Continuous Integration
The
$DEBOPS_FROM
environment variable can be used to select how DebOps scripts should be installed in the Vagrant environment: eitherdevel
(local build) orpypi
(installation from PyPI repository). This makes Vagrant environment more useful on Windows hosts, where/vagrant
directory is not mounted due to issues with symlinks.The make test command will not run the Docker tests anymore, to make the default tests faster. To run the Docker tests with all other tests, you can use the make test docker command.
General
External commands used in the DebOps scripts have been defined as constants to allow easier changes of the command location in various operating systems, for example Guix.
The default Ansible callback plugin used by DebOps is changed to
yaml
, which gives a cleaner look for various outputs and error messages. The callback plugin will be active by default in new DebOps project directories; in existing directories users can add:[ansible defaults] stdout_callback = yaml
in the
.debops.cfg
configuration file.
LDAP
The
ldap/init-directory.yml
playbook has been updated to use the newou=Roles,dc=example,dc=org
LDAP subtree, which will contain variousorganizationalRole
objects. After updating the OpenLDAP Access Control List using the debops.slapd role, you can use the playbook on an existing installation to create the missing objects.The
cn=UNIX Administrators
andcn=UNIX SSH users
LDAP objects will be created in theou=Groups,dc=example,dc=org
LDAP subtree. On existing installations, these objects need to be moved manually to the new subtree, otherwise the playbook will try to create them and fail due to duplicate UID/GID numbers which are enforced to be unique. You can move the objects using an LDAP client, for example Apache Directory Studio.The
ou=System Groups,dc=example=dc,org
subtree will not be created anymore. On existing installations this subtree will be left intact and can be safely removed after migration.The access to the OpenLDAP service configured using the debops.slapd role now requires explicit firewall and TCP Wrappers configuration to allow access from trusted IP addresses and subnets. You can use the
slapd__*_allow
variables in the Ansible inventory to specify the IP addresses and subnets that can access the service.To preserve the old behaviour of granting access by default from anywhere, you can set the
slapd__accept_any
variable toTrue
.
debops.apt_preferences role
Support Debian Buster in apt_preferences__list.
debops.gitlab role
The LDAP support in GitLab has been converted to use the debops.ldap infrastructure and not configure LDAP objects directly. LDAP support in GitLab will be enabled automatically if it's enabled on the host. Some of the configuration variables have been changed; see the Upgrade notes for more details.
The default LDAP filter configured in the
gitlab__ldap_user_filter
variable has been modified to limit access to the service to objects with specific attributes. See the GitLab LDAP access control documentation page for details about the required attributes and their values.The GitLab project has changed its codebase structure, because of that the Gitlab CE git repository has been moved to a new location, https://gitlab.com/gitlab-org/gitlab-foss/. The role has been updated accordingly. Existing installations should work fine after the new codebase is cloned, but if unsure, users should check the change first in a development environment.
More details can be found in GitLab blog posts here and here, as well as the Frequently Asked Questions page.
debops.golang role
The role has been redesigned from the ground up, and can be used to install Go applications either from APT packages, build them from source, or download precompiled binaries from remote resources. See the role documentation for more details.
debops.ldap role
The role will reset the LDAP host attributes defined in the
ldap__device_attributes
variable on first configuration in case that the host has been reinstalled and some of their values changed (for example different IP addresses). This should avoid leaving the outdated attributes in the host LDAP object.
debops.nginx role
The role will create the webroot directory specified in the
item.root
parameter even if theitem.owner
anditem.group
parameters are not defined. This might have idempotency issues if the debops.nginx role configuration and the application role configuration try to modify the same directory attributes. To disable the webroot creation, you can set theitem.webroot_create
parameter toFalse
. Alternatively, you should specify the intended owner, group and directory mode in the nginx server configuration.
debops.nullmailer role
The
nullmailer__adminaddr
list is set to empty by default to not redirect all e-mail messages sent through the nullmailer service to theroot
account. This should be done on the relayhost instead.
debops.owncloud role
Drop Nextcloud 14 support because it is EOL. You need to upgrade Nextcloud manually if you are running 14 or below. Add Nextcloud 16 support. Now default to Nextcloud 15 for new installations.
The LDAP support in Nextcloud has been converted to use the debops.ldap infrastructure and not configure LDAP objects directly. LDAP support in Nextcloud will be enabled automatically if it's enabled on the host. Some of the configuration variables have been changed; see the Upgrade notes for more details.
The default LDAP filter configured in the
owncloud__ldap_login_filter
variable has been modified to limit access to the service to objects with specific attributes. See the Nextcloud LDAP access control documentation page for details about the required attributes and their values.The default LDAP group filter configured in the
owncloud__ldap_group_filter
variable has been modified to limit the available set ofgroupOfNames
LDAP objects to only those that have thenextcloudEnabled
attribute set totrue
.Support for disk quotas for LDAP users has been added in the default configuration, based on the nextcloud LDAP schema. The default disk quota is set to 10 GB and can be changed using the
nextcloudQuota
LDAP attribute.
debops.postconf role
Support for the
465
TCP port for message submission over Implicit TLS is no longer deprecated (status changed by the RFC 8314 document) and will be enabled by default with theauth
capability.The role will configure Postfix to check the sender address of authenticated mail messages and block those that don't belong to the authenticated user. This will be enabled with the
auth
and theunauth-sender
capabilities, and requires an user database to work correctly.
debops.postfix role
The default primary group of the lookup tables has been changed to
postfix
, default mode for new lookup tables will be set to0640
. This change helps secure lookup tables that utilize remote databases with authentication.Postfix lookup tables can now use shared connection configuration defined in a YAML dictionary to minimize data duplication. See the postfix__lookup_tables documentation for more details.
debops.resolvconf role
The role will install and configure resolvconf APT package only on hosts with more than one network interface (not counting
lo
), or if local DNS services are also present on the host.
debops.slapd role
Enable substring index for the
sudoUser
attribute from the sudo LDAP schema. Existing installations should be updated manually via the LDAP client, by setting the value of thesudoUser
index toeq,sub
.Add indexes for the
authorizedService
andhost
attributes from the ldapns LDAP schema and thegid
attribute from the posixGroupId LDAP schema. This should improve performance in UNIX environments connected to the LDAP directory.The number of rounds in SHA-512 password hashes has been increased from 5000 (default) to 100001. Existing password hashes will be unaffected.
The
employeeNumber
attribute in theou=People,dc=example,dc=org
LDAP subtree will be constrained to digits only, and the LDAP directory will enforce its uniqueness in the subtree. This allows the attribute to be used for correlation of personal LDAP objects to RDBMS-based databases.The
mail
attribute is changed from unique for objects in theou=People,dc=example,dc=org
LDAP subtree to globally unique, due to its use for authentication purposes. The attribute will be indexed by default.Access to the
carLicense
,homePhone
andhomePostalAddress
attributes has been restricted to privileged accounts only (administrators, entry owner). The values cannot be seen by unprivileged and anonymous users.Write access to the
ou=SUDOers,dc=example,dc=org
LDAP subtree has been restricted to the members of the "UNIX Administrators" LDAP group.
debops.sshd role
The role will allow or deny access to the
root
account via password depending on the presence of the/root/.ssh/authorized_keys
file. See Access to the root account via password for more details. This requires updatedroot_account.fact
script from the debops.root_account role.The role will use Ansible local facts to check if OpenSSH server package is installed to conditionally enable/disable its start on first install.
debops-contrib.dropbear_initramfs role
Better default value for dropbear_initramfs__network_device by detecting the default network interface using Ansible facts instead of the previously hard-coded
eth0
.
Removed
debops.ansible_plugins role
The
ldappassword
Ansible filter plugin has been removed as it is no longer used in DebOps roles. The preferred method for storing passwords in LDAP is to pass them in plaintext (over TLS) and let the directory server store them in a hashed form. See also: RFC 3062.
debops.ldap role
The use of the
params
option in theldap_attrs
andldap_entry
Ansible modules is deprecated due to their insecure nature. As a consequence, the debops.ldap role has been updated to not use this option and theldap__admin_auth_params
variable has been removed.
debops.nginx role
Set nginx_upstream_php5_www_data to absent. If you are still using that Nginx upstream which was enabled by default then update your Ansible role and switch to a supported PHP release.
Fixed
General
The "Edit on GitHub" links on the role default variable pages in the documentation have been fixed and now point to the correct source files on GitHub.
debops.dnsmasq role
On Ubuntu hosts, the role will fix the configuration installed by the lxd package to use
bind-dynamic
option instead ofbind-interfaces
. This allows the dnsmasq service to start correctly.
debops.ferm role
The
dmz
firewall configuration will use thedport
parameter instead ofport
, otherwise filtering rules will not work as expected.
debops.nfs_server role
In the
nfs_server__firewall_ports
variable, convert thedict_keys
view into a list due to change in Python 3 implementation of dictionaries.
debops.nginx role
Fix an issue in the
php.conf.j2
server template when anitem.location
parameter is specified, overriding the default set oflocation
blocks defined in thedefault.conf.j
template. If the/
location is not specified in theitem.location
dictionary, a default one will be included by the role.
debops.postconf role
Disable the
smtpd_helo_restrictions
option on thesubmission
andsmtps
TCP ports when the authentication and MX lookups are enabled. This should fix an issue where SMTP client sends the host's IP address as its HELO/EHLO response, which might not be configurable by the user.
Security
debops.nginx role
Mitigation for the CVE-2019-11043 vulnerability has been applied in the nginx
php
andphp5
configuration templates. The mitigation is based on the suggested workaround from the PHP Bug Tracker.
debops.owncloud role
Security patch for the CVE-2019-11043 vulnerability has been applied in the Nextcloud configuration for the debops.nginx role. The patch is based on the fix suggested by upstream.
debops v1.1.0 - 2019-08-25
Added
New DebOps roles
The debops.keyring role is designed to be used by other Ansible roles to manage the GPG keys, either in the APT keyring or the GPG keyrings of specific UNIX accounts. It replaces and centralizes the use of the
apt_key
and theapt_repository
Ansible modules in separate roles and provides additional functionality, like GPG key lookup in a local key store on the Ansible Controller, or the Keybase service.The
debops-contrib.neurodebian
Ansible role has been migrated to the main DebOps role namespace as the debops.neurodebian role. This role can be used to configure the NeuroDebian APT repository on Debian/Ubuntu hosts.The debops.wpcli role can be used to install the WP-CLI framework to allow management of WordPress websites in a shared hosting environment.
The debops.nscd role configures the Name Service Cache Daemon, used to cache NSS entries from remote databases, for example LDAP, Active Directory or NIS. The role is included in the
bootstrap-ldap.yml
playbook.The debops.backup2l role configures the backup2l script which can create differential backups of a given host and store them on an external hard drive connected to that host.
The debops.resolvconf role fixes a few issues in the
resolvconf
Debian package and modifies the interface order in the generated/etc/resolv.conf
configuration file depending on presence of a local DNS resolver likednsmasq
orunbound
. The role is included in the bootstrap and common playbooks.
Continuous Integration
The Vagrant test environment will use the libeatmydata library to make specific commands like apt-get, rsync, pip, etc. faster by avoiding excessive fsync(2) operations.
General
The
pyopenssl
Python package has been added as a dependency of DebOps when the project is installed with Ansible included. This package is required by theopenssl_*
modules in Ansible 2.7; some of the DebOps roles like debops.opendkim use these modules on the Ansible Controller.The
distro
Python package has been added as the DebOps dependency. The package is used by the debops-init script to detect the operating system used on the Ansible Controller, and is a replacement for the deprecatedplatform.linux_distribution()
function.
LDAP
The
ldap/init-directory.yml
Ansible playbook will create an LDAP group object for SSH users, equivalent to thesshusers
group created by the debops.system_groups role. LDAP accounts in this group will be able to access SSH service from any host. Existing installations might need to be updated manually to fix UID/GID or LDAP DN conflicts.
debops.ferm role
If Avahi/mDNS support is present on a host, the debops.ferm role will allow access through the
mdns
UDP port by default. This will most likely happen on workstations and laptops with full desktop environments installed, but not on servers with minimal install. To configure Avahi service or enable it on servers, you can use the debops.avahi Ansible role.
debops.libvirtd role
The role will configure the
libvirt
andlibvirt_guest
NSS modules in/etc/nsswitch.conf
database using the debops.nsswitch role to allow accessing the virtual machines or containers via their hostnames on the virtual machine host.
debops.lxc role
The lxc-prepare-ssh script can now look up the SSH keys of the current user in LDAP if support for it is enabled on the LXC host.
debops.nginx role
Add support to disable logging per Nginx server.
If a nginx server configuration uses a domain with
lxc.
prefix, for example inside of an internal LXC container, the role will include a redirect fromhost.lxc
"virtual" domain to the realhost.lxc.example.org
domain. This ensures that HTTP requests to thehttp://host.lxc/
URLs are redirected to the real LXC container hosts, depending on the DNS records and the HTTP client's resolver configuration.
debops.slapd role
The role can now control on which ports and services OpenLDAP listens for connections. The
ldaps:///
service is enabled by default when support for the debops.pki role is enabled on the OpenLDAP host.
debops.sysctl role
The kernel protection for symlinks and hardlinks will be enabled by default on Debian/Ubuntu hosts.
Don't use special configuration for containers to determine what kernel parameters can be modified. The role will rely on its own Ansible local facts for that.
debops.unbound role
The unbound service will be configured to forward
*.lxc.{{ ansible_domain }}
DNS queries to the dnsmasq service managed by the debops.lxc role (lxc-net
), if LXC configuration is detected via local Ansible facts. The*.consul
DNS queries will be forwarded to the consul service, if its Ansible facts are detected.
debops.users role
Read
users__default_shell
which was removed in debops v1.0.0.
Changed
Updates of upstream application versions
The debops.netbox role has been updated to NetBox version
v2.6.1
. Redis service is now required for NetBox; it can be installed separately via the debops.redis_server Ansible role.The NetBox version installed by DebOps has been changed from using the
master
branch, to specific tags, with the latest release (v2.6.1
) set by default. The git commit signature in the NetBox repository is also verified using the GitHub GPG key when the repository is cloned.In the debops.cran role, the upstream APT repository suite for CRAN has been updated to
<release>-cran35/
due to changes in APT repository structure. Existing APT repository URLs might need to be removed manually from/etc/apt/sources.lists.d/
directory to make the APT service work as expected.The debops.nodejs role will now install NodeJS, NPM and Yarn packages from the OS release repository by default. On the Debian Oldstable release, the packages backported from the Debian Stable release will be used by default. Installation of upstream NodeJS and NPM can be enabled using the
nodejs__node_upstream
variable. Upstream Yarn can be enabled using thenodejs__yarn_upstream
variable.If the NodeJS upstream support is enabled, the NodeJS 8.x version will be installed on older Debian/Ubuntu releases, for example Debian Stretch and Ubuntu Bionic. Debian Buster and newer releases will use NodeJS 10.x version, to keep the Node version from upstream in sync with the one available in the OS repositories.
In the debops.etherpad role, the default version installed by the role is changed from the
develop
branch to thev1.7.0
version on older OS releases, and thev1.7.5
version on Debian Buster and newer, to not force installation of the upstream NPM package by default.
Continuous Integration
DebOps now uses
xenial
as the default OS release used in Travis-CI tests. Thexenial
images on Travis use the shellcheck v0.6.0 to test shell scripts; if you want to run the test shell command locally to check the script syntax, you will need to update your shellcheck installation to the v0.6.0 version to match the one on Travis-CI. This version is at present not available in Debian, therefore a custom install will be needed. See the ShellCheck install instructions for your preferred method.The Travis-CI tests will be done using Python 3.7 only. Python 2.7 support will be dropped in 2020, it's time to prepare.
The GitLab CI tests are done using a
debian/buster64
Vagrant Box.
Docker
Switch the base Docker image to debian:buster-slim and install Python 3.x environment instead of Python 2.7 in the DebOps Docker image.
The docker-entrypoint script has been refreshed to account for the changes in DebOps roles. The debops.sshd role takes care of the
/run/sshd/
directory by itself, and running DebOps against the container requires sudo access without password.
General
Various DebOps roles have been modified to use the debops.keyring Ansible role to manage the APT repository keys, or GPG keys on UNIX accounts. If you are using them in custom playbooks, you might need to update them to include the new dependency.
The installation of APT and other packages in DebOps roles has been refactored to remove the use of the
with_items
/with_flattened
lookups. Support for package installation via task loops will be removed in Ansible 2.11.The DebOps documentation generator now supports Ansible roles with multiple
defaults/main/*.yml
files. They are also correctly handled by the debops-defaults script.Various DebOps roles will no longer use the hostname as a stand-in for an empty DNS domain when no DNS domain is detected - this resulted in the "standalone" hosts without a DNS domain to be misconfigured. Existing setups with a DNS domain shouldn't be affected, but configuration of standalone hosts that deploy webservices might require modifications.
The debops.resolvconf role has been added as a dpendency in the Ansible playbooks of the roles that interact with the
resolvconf
service in some way. The modified roles are: debops.dnsmasq, debops.docker_server, debops.ifupdown, debops.lxc, debops.unbound. The installation of theresolvconf
APT package has been removed from the roles that contained it.Run debops.apt_proxy from the
bootstrap.yml
Ansible playbook to ensure that if a proxy is used, it is used all the time without disabling the proxy for a short while during bootstrapping. Thebootstrap-ldap.yml
Ansible playbook already included debops.apt_proxy.
User management
The zsh shell APT package will be installed only if the root account, any system users or regular users managed by Ansible are using it as a login shell.
debops.avahi role
The avahi-alias script has been imported into the role itself and will no longer be installed by cloning the upstream git repository. Consequently, support for mDNS
*.local
CNAME resource records will be enabled by default on hosts with Python 2.7 installed (support for Python 3.x is currently not available).
debops.dokuwiki role
The patchpanel DokuWiki plugin has been deprecated in favor of the switchpanel plugin. The role will remove the
patchpanel
plugin automatically on existing installations. You might need to update the wiki contents to render the patch panels correctly, see the plugin documentation for more details.
debops.docker_server role
The
debops.docker
role has been renamed to debops.docker_server in preparation of adding a role that will provide client functionality like network and container management.The Docker server no longer listens on a TCP port by default, even if debops.pki is enabled.
The default storage driver used by the debops.docker_server has been changed to
overlay2
which is the default in upstream. The role checks the currently enabled storage driver via Ansible local facts, and should preserve the current configuration on existing installations.If needed, the storage driver in use can be overridden via the
docker_server__storage_driver
variable.
debops.etckeeper role
The installation of etckeeper will be disabled by default in Python 3.x-only environments.
debops.gitlab role
The playbook will no longer force the installation of the upstream Node.js and Yarn packages via the debops.nodejs role. The upstream versions are currently not required on Debian Buster.
debops.ifupdown role
The role will not install the
rdnssd
APT package if NetworkManager service is detected on the host, to avoid removing the NM service due to package conflict. NetworkManager should gracefully handle adding IPv6 nameservers to/etc/resolv.conf
file, and on systems without NM installed the rdnssd script will perform this task as before.
debops.ipxe role
The role has been redesigned from scratch, and now supports multiple Debian Netboot installers; the iPXE scripts are defined in default variables instead of the file-based templates and can be easily modified via the Ansible inventory.
debops.kmod role
The role will use the debops.python Ansible role to install the
kmodpy
Python package in Python 2.7 environments. Because the package is not available in Debian as Python 3.x module, thekmod.fact
local fact script will use the lsmod command to list the kernel modules in this case.The role gained basic support for defining what kernel modules should be loaded on non-systemd hosts by adding them in the
/etc/modules
configuration file.
debops.libvirt role
The
virt-goodies
package will be installed only if the Python 2.7 environment is already present on the host.
debops.lxc role
The role now checks the version of the installed LXC support and uses the old or new configuration keys accordingly. You can review the changed configuration keys between the old and new LXC version for comparison.
New LXC containers will have the
CAP_SYS_TIME
POSIX capability dropped by default to ensure that time configuration is disabled inside of the container. This should fix an issue on Debian Buster where unprivileged LXC containers still have this capability enabled.On Debian Buster LXC hosts, the
CAP_SYS_ADMIN
POSIX capability will be dropped in new LXC containers by default.On Debian Buster (specifically on LXC versions below 3.1.0) the AppArmor restrictions on unprivileged LXC containers will be relaxed to allow correct operation of the systemd service manager inside of a container. Check the Debian Bugs #916644, #918839 and #911806 for reasoning behind this modification.
Restrict configuration of the
poweroff.conf
systemd override to Debian Stretch and Ubuntu Xenial only. The containers correctly shut down usingSIGRTMIN+3
signal on Debian Buster and beyond.
debops.mariadb_server role
The role will no longer set a custom MariaDB
root
password, because themysql_user
Ansible 2.8 module breaks access to the MariaDB database via the UNIXroot
account by removing theunix_socket
plugin access and not setting themysql_native_password
plugin. A password for the UNIXroot
account is not needed in the recent MariaDB releases in Debian, therefore this shouldn't impact the usage.The
mysql_user
Ansible module lacks a way to control the authentication plugin for a given MariaDB account, therefore it's not advisable to mess with theroot
access to the database.
debops.netbase role
Do not try to manage the hostname in LXC, Docker or OpenVZ containers by default. We assume that these containers are unprivileged and their hostname cannot be changed from the inside of the container.
If a host does not have a proper domain, either defined locally or set via the DNS, don't generate a faux "domain" based on its hostname and assume that this is a standalone host. This might affect availability of some services, for example X.509 certificates managed by debops.pki or reachability of websites created on that host. In this case the host cannot have a FQDN defined in the Ansible inventory as the label or
ansible_host
variable, only a hostname.Role will check if the configured FQDN of a host exists in the DNS database. If it does, the entry in the
/etc/hosts
file will be removed to allow the DNS to take over. If it doesn't, the configuration will be left intact with assumption that the domain is configured locally.
debops.nginx role
The role will no longer default to limiting the allowed HTTP request methods to
GET
,HEAD
andPOST
on PHP-enabled websites.
debops.pki role
If there is no domain set on the remote host, don't fallback to the hostname in the
pki_ca_domain
variable because the generated CA certificates don't make any sense. With this setup the debops.pki role requires to be run against a host with a valid DNS domain for the internal CA to be created.
debops.rsnapshot role
The role has been redesigned from the ground up. Instead of using Ansible inventory groups to define hosts to back up, role uses a list of YAML dictionaries with hosts defined explicitly; the old behaviour can be replicated if needed. The backup host itself can also be snapshotted, with support for snapshots on removable media.
debops.snmpd role
The local SNMPv3 username and password will be stored in a separate file and retrieved via Ansible local facts, to not break Ansible fact gathering on unprivileged accounts. The password file is protected by strict read permission and accessible only by the
root
UNIX account.
debops.system_groups role
Don't configure the
NOPASSWD:
tag for the%admins
and%wheel
UNIX groups in sudo by default when Ansible manages the local host. This allows local admin accounts to controlroot
access using a password.
debops.system_users role
The role will set a custom shell based on the users' own shell for the dynamic UNIX account only if the shell is known by the role. This should avoid issues when Ansible users use non-standard shells on Ansible Controller.
debops.tftpd role
The role has been refreshed in conjunction with the updates to network boot services in preparation for Debian Buster. All of the role variables have been renamed to put them in their own
tftpd__*
namespace, and the role dependencies have been moved to the playbook.
debops.unbound role
The role will enable remote control management of the unbound daemon via the
loopback
network interface using the unbound-control command.
Removed
Roles removed from DebOps
The
debops.openvz
role has been removed. OpenVZ is not supported in Debian natively since Wheezy; a good replacement for it is LXC which can be managed using the debops.lxc role.
debops.core role
The
core__keyserver
variable and its local fact have been removed from the role. They are replaced by thekeyring__keyserver
and the corresponding local fact in the debops.keyring role.The resolver.fact script has been removed from the role. Its functionality is provided by the resolvconf.fact script included in the debops.resolvconf role.
debops.docker_server role
Support for ferment has been removed from DebOps due to the upstream not being up to date anymore, both with Docker as well as with Python 3.x support. The dockerd daemon will be restarted on any ferm restarts to update the firewall configuration with Docker rules.
debops.lxc role
The lxc-prepare-ssh script will no longer install SSH keys from the LXC host
root
account on the LXC containerroot
account. This can cause confusion and unintended security breaches when other services (for example backup scripts or remote command execution tools) install their own SSH keys on the LXC host and they are subsequently copied inside of the LXC containers created on that host.
debops.nodejs role
[debops.nodejs] Support for installing NPM from its git repository has been removed. NPM is included in the NodeSource upstream
nodejs
package, as well as the Debian archive since Debian Buster release in thenpm
package.
Fixed
debops.apache role
Refactor the role to not use Jinja 'import' statements in looped tasks - this does not work on newer Jinja versions.
debops.lvm role
Make sure logical volumes will only be shrunk when volume item defines
force: yes
.
debops.nsswitch role
Don't restart the systemd-logind service on
/etc/nsswitch.conf
file changes if DebOps is running againstlocalhost
, to avoid breaking the existing user session.
debops.python role
The role should now correctly detect Python 3.x interpreter on the Ansible Controller and disable usage of Python 2.7 on the managed hosts.
debops v1.0.0 - 2019-05-22
Added
New DebOps roles
The debops.docker_registry role provides support for Docker Registry. The role can be used as standalone or as a backend for the GitLab Container Registry service, with debops.gitlab role.
The debops.ldap role sets up the system-wide LDAP configuration on a host, and is used as the API to the LDAP directory by other Ansible roles, playbooks, and users via Ansible inventory. The role is included in the
common.yml
playbook, but is disabled by default.The debops.nslcd role can be used to configure LDAP lookups for NSS and PAM services on a Linux host.
The debops.pam_access role manages PAM access control files located in the
/etc/security/
directory. The role is designed to allow other Ansible roles to easily manage their own PAM access rules.The debops.yadm role installs the Yet Another Dotfiles Manager script and ensures that additional shells are available. It can also mirror dotfiles locally. The role is included in the common playbook.
The debops.system_users role replaces the
debops.bootstrap
role and is used to manage the local system administrator accounts. It is included in thecommon.yml
playbook as well as the bootstrap playbooks.
General
The DebOps project has been registered in the IANA Private Enterprise Numbers registry, with PEN number
53622
. The project documentation contains an OID registry to track custom LDAP schemas, among other things.Support for Ansible Collections managed by the Mazer Content Manager has been implemented in the repository. Ansible Collections will be usable after June 2019, when support for them is enabled in the Ansible Galaxy service.
LDAP
A new
bootstrap-ldap.yml
Ansible playbook can be used to bootstrap Debian/Ubuntu hosts with LDAP support enabled by default. The playbook will configure only the services required for secure LDAP access (PKI, SSH, PAM/NSS), the rest should be configured using the common playbook.
debops.ansible_plugins role
A new
ldap_attrs
Ansible module has been added to the role. It's a replacement for theldap_attr
core Ansible module, that's more in line with theldap_entry
module. Used by the debops.slapd and debops.ldap roles to manage the LDAP directory contents.
debops.apt role
Systems with the End of Life Debian releases (
wheezy
) installed will be configured to use the Debian Archive repository as the main APT sources instead of the normal Debian repository mirrors. These releases have been moved out of the main repositories and are not fully available through normal means. The periodic updates of the APT archive repositories on these systems will be disabled via the debops.unattended_upgrades role, since the EOL releases no longer receive updates.The Debian LTS release (
jessie
) APT repository sources will use only the main and security repositories, without updates or backports. See the information about the Debian LTS support for more details.
debops.lxc role
Users can now disable default route advertisement in the
lxc-net
DHCP service. This is useful in cases where LXC containers have multiple network interfaces and the default route should go through a different gateway than the LXC host.The lxc-new-unprivileged script will add missing network interface stanzas in the container's
/etc/network/interfaces
file, by default with DHCP configuration. This will happen only on the initialization of the new container, when a given LXC container has multiple network interfaces defined in its configuration file.
debops.nginx role
The role will automatically generate configuration which redirects short hostnames or subdomains to their FQDN equivalents. This allows HTTP clients to reach websites by specifying their short names via DNS suffixes from
/etc/resolv.conf
file, or using*.local
domain names managed by Avahi/mDNS to redirect HTTP clients to the correct FQDNs.
debops.resources role
Some lists can now configure ACL entries on the destination files or directories using the
item.acl
parameter. Take a look to ACL support section to have the list of compatibles variables.New resources__commands variables can be used to define simple shell commands or scripts that will be executed at the end of the debops.resources role. Useful to start new services, but it shouldn't be used as a replacement for a fully-fledged Ansible roles.
debops.sudo role
The role is now integrated with the debops.ldap Ansible role and can configure the sudo service to read
sudoers
configuration from the LDAP directory.
debops.users role
The role can now configure UNIX accounts with access restricted to SFTP operations (SFTPonly) with the new
item.chroot
parameter. This is a replacement for thedebops.sftpusers
role.
Changed
Updates of upstream application versions
The debops.gitlab role will install GitLab 11.10 on supported platforms (Debian Buster, Ubuntu Bionic), existing installations will be upgraded.
In the debops.phpipam role, the relevant inventory variables have been renamed, check the Upgrade notes for details. The role now uses the upstream phpIPAM repository and it installs version 1.3.2.
In the debops.php role, because of the PHP 7.0 release status changed to End of life at the beginning of 2019, Ondřej Surý APT repository with PHP 7.2 packages will be enabled by default on Debian Jessie and Stretch as well as Ubuntu Trusty and Xenial. Existing debops.php installations shouldn't be affected, but the role will not try to upgrade the PHP version either. Users should consider upgrading the packages manually or reinstalling services from scratch with the newer version used by default.
In the debops.rstudio_server role, the supported version has been updated to v1.2.1335. The role no longer installs
libssl1.0.0
from Debian Jessie on Debian Stretch, since the current version of the RStudio Server works in the default Stretch environment. The downloaded.deb
package will be verified using the RStudio Inc. GPG signing key before installation.In the debops.docker_gen role, the docker-gen version that this role installs by default has been updated to version 0.7.4. This release notably adds IPv6 and docker network support.
General
The debops.cron role will be applied much earlier in the
common.yml
playbook because the debops.pki role depends on presence of the cron daemon on the host.Bash scripts and
shell
/command
Ansible modules now use relative bash interpreter instead of an absolute/bin/bash
. This should help make the DebOps roles more portable, and prepare the project for the merged/bin
and/usr/bin
directories in a future Debian release.
Mail Transport Agents
The
/etc/mailname
configuration file will contain the DNS domain of a host instead of the FQDN address. This will result in the mail senders that don't specify the domain part to have the DNS domain, instead of the full host address, added by the Mail Transport Agent. This configuration should work better in clustered environments, where there is a central mail hub/MX that receives the mail and redirects it.
debops.gitlab role
The GitLab playbook will import the debops.docker_registry playbook to ensure that configuration related to Docker Registry defined in the GitLab service is properly applied during installation/management.
debops.lxc role
The lxc-prepare-ssh script will read the public SSH keys from specific files (
root
key file, and the$SUDO_USER
key file) and will not accept any custom files to read from, to avoid possible security issues. Each public SSH key listed in the key files is validated before being added to the container'sroot
account.The lxc-new-unprivileged script will similarly not accept any custom files as initial LXC container configuration to fix any potential security holes when used via sudo. The default LXC configuration file used by the script can be configured in
/etc/lxc/lxc.conf
configuration file.
debops.mariadb_server role
The MariaDB user
root
is no longer dropped. This user is used for database maintenance and authenticates using theunix_auth
plugin. However, DebOps still maintains and sets a password for theroot
UNIX account, stored in the/root/.my.cnf
config file.
debops.netbase role
The role will be disabled by default in Docker containers. In this environment, the
/etc/hosts
file is managed by Docker and cannot be modified from inside of the container.
debops.owncloud role
The role will not perform any tasks related to occ command if the automatic setup is disabled in the
owncloud__autosetup
variable. In this mode, the occ tasks cannot be performed by the role because the ownCloud/Nextcloud installation is not finished. The users are expected to perform necessary tasks themselves if they decide to opt-out from the automatic configuration.
debops.php role
The PHP version detection has been redesigned to use the apt-cache madison command to find the available versions. The role will now check the current version of the
php
APT package to select the available stable PHP version. This unfortunately breaks support for thephp5
packages, but thephp5.6
packages from Ondřej Surý APT repository work fine.The role will install the composer command from the upstream GitHub repository on older OS releases, including Debian Stretch (current Stable release). This is due to incompatibility of the
composer
APT package included in Debian Stretch and PHP 7.3.The custom
composer
command installation tasks have been removed from the debops.roundcube and debops.librenms roles, since debops.php will take care of the installation.
debops.root_account role
If the debops.ldap Ansible role has been applied on a host, the debops.root_account role will use the UID/GID ranges defined by it, which include UIDs/GIDs used in the LDAP directory, to define subUID/subGID range of the
root
account. This allows usage of the LDAP directory as a source of UNIX accounts and groups in unprivileged containers. Existing systems will not be changed.Management of the
root
dotfiles has been removed from the debops.users role and is now done in the debops.root_account role, using the yadm script. Users might need to clean out the existing dotfiles if they were managed as symlinks, otherwise yadm script will not be able to correctly deploy the new dotfiles.
debops.slapd role
The role has been redesigned from the ground up, with support for N-Way Multi-Master replication, custom LDAP schemas, Password Policy and other functionality. The role uses custom
ldap_attrs
Ansible module included in the debops.ansible_plugins role for OpenLDAP management.The OpenLDAP configuration will definitely break on existing installations. It's best to set up a new OpenLDAP server (or replicated cluster) and import the LDAP directory to it afterwards. See role documentation for more details.
debops.sshd role
The access control based on UNIX groups defined in the
/etc/ssh/sshd_config
file has been removed. Instead, the OpenSSH server uses the PAM access control configuration, managed by the debops.pam_access Ansible role, to control access by users/groups/origins. OpenSSH service uses its own access control file, separate from the global/etc/security/access.conf
file.The role will enable client address resolving using DNS by setting the
UseDNS yes
option in OpenSSH server configuration. This parameter is disabled by default in Debian and upstream, however it is required for the domain-based access control rules to work as expected.When the LDAP support is configured on a host by the debops.ldap role, the debops.sshd role will use the resulting infrastructure to connect to the LDAP directory and create the
sshd
LDAP account object for each host, used for lookups of the SSH keys in the directory. The SSH host public keys will be automatically added or updated in the LDAP device object to allow for centralized generation of the~/.ssh/known_hosts
files based on the data stored in LDAP.The role will no longer create a separate
sshd-lookup
UNIX account to perform LDAP lookups; the existingsshd
UNIX account will be used instead. The ldapsearch command used for lookups will default to LDAP over TLS connections instead of LDAPS.
debops.system_groups role
If the LDAP support is enabled on a host via the debops.ldap role, the UNIX system groups created by the debops.system_groups role by default will use a
_
prefix to make them separate from any LDAP-based groups of the same name. Existing installations should be unaffected, as long as the updated debops.system_groups role was applied before the debops.ldap role.
debops.unattended_upgrades role
The packages from the
stable-updates
APT repository section will be automatically upgraded by default, the same as the packages from Debian Security repository. This should cover important non-security related upgrades, such as timezone changes, antivirus database changes, and similar.If automatic reboots are enabled, VMs will not reboot all at the same time to avoid high load on the hypervisor host. Instead they will reboot at a particular minute in a 15 minute time window. For each host, a random-but-idempotent time is chosen. For hypervisor hosts good presets cannot be picked. You should ensure that hosts don’t reboot at the same time by defining different reboot times in inventory groups.
debops.users role
The management of the user dotfiles in the debops.users role has been redesigned and now uses the yadm script to perform the actual deployment. See debops.yadm for details about installing the script and creating local dotfile mirrors. The users__accounts variable documentation contains examples of new dotfile definitions.
The role now uses the
libuser
library via the Ansiblegroup
anduser
modules to manage local groups and accounts. This should avoid issues with groups and accounts created in the LDAP user/group ranges.The
libuser
library by default creates home directories with0700
permissions, which is probably too restrictive. Because of that, the role will automatically change the home directory permissions to0751
(defined in theusers__default_home_mode
variable). This also affects existing UNIX accounts managed by the role; the mode can be overridden using theitem.home_mode
parameter.The
users__*_resources
variables have been reimplemented as theitem.resources
parameter of theusers__*_accounts
variables. This removes the unnecessary split between user account definitions and definitions of their files/directories.
Removed
Roles removed from DebOps
The
debops.sftpusers
Ansible role has been removed. Its functionality is now implemented by the debops.users role, custom bind mounts can be defined using the debops.mount role.The
debops.bootstrap
Ansible role has been removed. Its replacement is the debops.system_users which is used to manage system administrator accounts, via thecommon.yml
playbook and the bootstrap playbooks.
debops.auth role
The
/etc/ldap/ldap.conf
file configuration, nslcd service configuration and related variables have been removed from the debops.auth role. This functionality is now available in the debops.ldap and debops.nslcd roles, which manage the client-side LDAP support.
debops.rstudio_server role
The role will no longer install the historical
libssl1.0.0
APT package on Debian Stretch to support older RStudio Server releases. You should remove it on the existing installations after RStudio Server is upgraded to the newest release.
Fixed
debops.authorized_keys role
Set the group for authorized_keys files to the primary group of the user instead of the group with the same name as the user. This is important because otherwise the readonly mode of the role does not work when the primary group of a user has a different name then the username.
debops.lvm role
Make sure a file system is created by default when the
mount
parameter is defined in thelvm__logical_volumes
.Stop and disable
lvm2-lvmetad.socket
systemd unit when disablinglvm__global_use_lvmetad
to avoid warning message when invoking LVM commands.
debops.redis_server role
Use the
redis.conf
file to lookup passwords via the redis-password script. This file has theredis-auth
UNIX group and any accounts in this group should now be able to look up the Redis passwords correctly.
debops.slapd role
The role will check if the X.509 certificate and the private key used for TLS communication were correctly configured in the OpenLDAP server. This fixes an issue where configuration of the private key and certificate was not performed at all, without any actual changes in the service, with subsequent task exiting with an error due to misconfiguration.
Security
debops.php role
Ondřej Surý created new APT signing keys for his Debian APT repository with PHP packages, due to security concerns. The debops.php role will remove the old APT GPG key and add the new one automatically.
debops v0.8.1 - 2019-02-02
Added
New DebOps roles
The debops.redis_server and debops.redis_sentinel roles, that replace the existing
debops.redis
Ansible role. The new roles support multiple Redis and Sentinel instances on a single host.The debops.freeradius role can be used to manage FreeRADIUS service, used in network management.
The debops.dhcp_probe role can be used to install and configure dhcp_probe service, which passively detects rogue DHCP servers.
The debops.mount role allows configuration of
/etc/fstab
entries for local devices, bind mounts and can be used to create or modify directories, to permit access to resources by different applications. The role is included by default in thecommon.yml
playbook.
Continuous Integration
Ansible roles included in DebOps are now checked using ansible-lint tool. All existing issues found by the script have been fixed.
The hosts managed by the DebOps Vagrant environment will now use Avahi to detect multiple cluster nodes and generate host records in the
/etc/hosts
database on these nodes. This allows usage of real DNS FQDNs and hostnames in the test environment without reliance on an external DHCP/DNS services.
General
DebOps roles are now tagged with
skip::<role_name>
Ansible tags. You can use these tags to skip roles without any side-effects; for example "<role_name>/env" sub-roles will still run so that roles that depend on them will work as expected.You can use the make versions command in the root of the DebOps monorepo to check currently "pinned" and upstream versions of third-party software installed and managed by DebOps, usually via git repositories. This requires the uscan command from the Debian
devscripts
APT package to be present.
debops.ifupdown role
The role will now generate configuration for the debops.sysctl role and use it in the playbook as a dependency, to configure kernel parameters related to packet forwarding on managed network interfaces. This functionality replaces centralized configuration of packet forwarding on all network interfaces done by the debops.ferm role.
debops.lxc role
New lxc-hwaddr-static script can be used to easily generate random but predictable MAC addresses for LXC containers.
The script can be run manually or executed as a "pre-start" LXC hook to configure static MAC addresses automatically - this usage is enabled by default via common LXC container configuration.
The lxc_ssh.py Ansible connection plugin is now included by default in DebOps. This connection plugin can be used to manage remote LXC containers with Ansible via SSH and the lxc-attach command. This requires connection to the LXC host and the LXC container via the
root
account directly, which is supported by the DebOps playbooks and roles.The role can now manage LXC containers, again. This time the functionality is implemented using the
lxc_container
Ansible module instead of a series of shell tasks. By default unprivileged LXC containers will be created, but users can change all parameters supported by the module.The role will now configure a
lxcbr0
bridge with internal DNS/DHCP server for LXC containers, using thelxc-net
service. With this change, use of the debops.ifupdown role to prepare a default bridge for LXC containers is not required anymore.
debops.netbase role
When a large number of hosts is defined for the
/etc/hosts
database, the role will switch to generating the file using thetemplate
Ansible module instead of managing individual lines using thelineinfile
module, to make the operation faster. As a result, custom modifications done by other tools in the host database will not be preserved.The role can now configure the hostname in the
/etc/hostname
file, as well as the local domain configuration in/etc/hosts
database.
debops.php role
The role will install the
composer
APT package on Debian Stretch, Ubuntu Xenial and their respective newer OS releases.
debops.root_account role
The role will reserve a set of UID/GID ranges for subordinate UIDs/GIDs owned by the
root
account (they are not reserved by default). This can be used to create unprivileged LXC containers owned byroot
. See the release notes for potential issues on existing systems.You can now configure the state and contents of the
/root/.ssh/authorized_keys
file using the debops.root_account role, with support for global, per inventory group and per host SSH keys.
debops.users role
The role can now configure ACL entries of the user home directories using the
item.home_acl
parameter. This can be used for more elaborate access restrictions.
Changed
Continuous Integration
The test suite will now check POSIX shell scripts along with Bash scripts for any issues via the shellcheck linter. Outstanding issues found in existing scripts have been fixed.
General
The debops.root_account role will be executed earlier in the
common.yml
Ansible playbook to ensure that theroot
UID/GID ranges are reserved without issues on the initial host configuration.Various filter and lookup Ansible plugins have been migrated from the playbook directory to the debops.ansible_plugins role. This role can be used as hard dependency in other Ansible roles that rely on these plugins.
The order of the roles in the common playbook has been changed; the debops.users role will be applied before the debops.resources role to allow for resources owned by UNIX accounts/groups other than
root
.The
debops
Python package has dropped the hard dependency on Ansible. This allows DebOps to be installed in a separate environment than Ansible, allowing for example to mix Homebrew Ansible with DebOps from PyPI on macOS. The installation instructions have also been updated to reflect the change.The debops-init script will now generate new Ansible inventory files using the hostname as well as a host FQDN to better promote the use of DNS records in Ansible inventory.
debops.dnsmasq role
The role has been redesigned from the ground up with new configuration pipeline, support for multiple subdomains and better default configuration. See the debops.dnsmasq role documentation as well as the Upgrade notes for more details.
debops.docker_server role
If the Docker host uses a local nameserver, for example dnsmasq or unbound, Docker containers might have misconfigured DNS nameserver in
/etc/resolv.conf
pointing to127.0.0.1
. In these cases, the debops.docker_server role will configure Docker to use the upstream nameservers from the host, managed by theresolvconf
APT package.If no upstream nameservers are available, the role will not configure any nameserver and search parameters, which will tell Docker to use the Google nameservers.
debops.gitlab role
The role will now install GitLab 10.8 by default, on Debian Stretch and Ubuntu Xenial. The 11.x release now requires Ruby 2.4+, therefore it will only be installed on newer OS releases (Debian Buster, Ubuntu Bionic).
The role has been updated to use Ansible local facts managed by the debops.redis_server Ansible role. Redis Server support has been removed from the GitLab playbook and needs to be explicitly enabled in the inventory for GitLab to be installed correctly. This will allow to select between local Server or Sentinel instance, to support clustered environments.
Check the Upgrade notes for issues with upgrading Redis Server support on existing GitLab hosts.
debops.grub role
The GRUB configuration has been redesigned, role now uses merged variables to make configuration via Ansible inventory or dependent role variables easier. The GRUB configuration is now stored in the
/etc/default/grub.d/
directory to allow for easier integration with other software. See the debops.grub documentation for more details.The user password storage path in
secret/
directory has been changed to use theinventory_hostname
variable instead of theansible_fqdn
variable. This change will force regeneration of password hashes in existing installations, but shouldn't affect host access (passwords stay the same).
debops.gunicorn role
The role depends on debops.python now to install the required packages. Please update your custom playbooks accordingly.
debops.ipxe role
The role will no longer install non-free firmware by default. This is done to solve the connectivity issues with
cdimage.debian.org
host.
debops.librenms role
The default dashboard in LibreNMS is changed from the
pages/front/default.php
topages/front/tiles.php
which allows for better customization.
debops.lxc role
The role will configure the default subUIDs and subGIDs for unprivileged LXC containers based on the configured subordinate UID/GID ranges for the
root
account.The lxc-prepare-ssh script will now install SSH public keys from the user account that is running the script via sudo instead of the system's
root
account, which is usually what you want to do if other people manage their own LXC containers on a host.The LXC configuration managed by the role will use the systemd
lxc@.service
instances to manage the containers instead of using the lxc-* commands directly. This allows the containers to be shut down properly without hitting a timeout and forced killing of container processes.
debops.owncloud role
The role will now use Ansible facts managed by the debops.redis_server role to configure Redis support.
Drop support for Nextcloud 12.0 which is EOF. Add support for Nextcloud 14.0 and 15.0 and make Nextcloud 14.0 the default Nextcloud version.
debops.netbase role
The hostname and domain configuration during bootstrapping is now done by the debops.netbase Ansible role. The default for this role is to remove the
127.0.1.1
host entry from the/etc/hosts
file to ensure that domain resolution relies on DNS.If you are using local domain configured in
/etc/hosts
file, you should define thenetbase__domain
variable in the Ansible inventory with your desired domain.The role is redesigned to use list variables instead of YAML dictionaries for the
/etc/hosts
database. This allows for adding the host IPv4 and/or IPv6 addresses defined by Ansible facts when the custom local domain is enabled. See netbase__hosts for details. The role has also been included in thecommon.yml
playbook to ensure that the host database is up to date as soon as possible.
debops.resources role
Changed behaviour of used groups for templating. Now all groups the host is in, will be used to search for template files. Read the documentation about resources__templates for more details on templating with debops.
Fixed
debops.grub role
The role should now correctly revert custom patch to allow user authentication in
/etc/grub.d/10_linux
script, when the user list is empty.
debops.kmod role
The role should now work correctly in Ansible
--check
mode before the Ansible local fact script is installed.
debops.sysctl role
The role should correctly handle nested lists in role dependent variables, which are now flattened before being passed to the configuration filter.
Removed
Roles removed from DebOps
The old
debops.redis
Ansible role has been removed. It has been replaced by the debops.redis_server and debops.redis_sentinel Ansible roles. The new roles use their own Ansible inventory groups, therefore they will need to be explicitly enabled to affect existing hosts.You can use the debops.debops_legacy Ansible role to clean up old configuration files, directories and diversions of
debops.redis
role from remote hosts.
General
The
ldap_entry
andldap_attr
Ansible modules have been removed. They are now included in Ansible core, there's no need to keep a separate copy in the playbook.
debops.core role
The
ansible_local.root.flags
andansible_local.root.uuid
local facts have been removed. They are replaced byansible_local.tags
andansible_local.uuid
local facts, respectively.
debops.dhcpd role
Support for dhcp_probe has been removed from the debops.dhcpd Ansible role. It's now available as a separate debops.dhcp_probe role.
debops.ferm role
Automated configuration of packet forwarding with
FORWARD
chain rules and sysctl configuration has been removed from the role. Per-interface packet forwarding is now configurable using the debops.ifupdown role, and you can still use the debops.ferm and debops.sysctl roles to design custom forwarding configuration.Support for this mechanism has also been removed from related roles like debops.libvirtd and debops.lxc.
debops.netbase role
The hostname and domain configuration has been removed from the
debops.bootstrap
role. This functionality is now handled by the debops.netbase role, which has been included in the bootstrap playbook. The relevant inventory variables have been renamed, check the Upgrade notes for details.
debops.resources role
The
resources__group_name
variable has been removed in favor of using all the groups the current hosts is in. This change has been reflected in the updated variableresources__group_templates
.
debops v0.8.0 - 2018-08-06
Added
New DebOps roles
The debops.netbase role: manage local host and network database in
/etc/hosts
and/etc/networks
files.The debops.sudo role: install and manage sudo configuration on a host. The role is included in the
common.yml
playbook.The debops.system_groups role: configure UNIX system groups used on DebOps hosts. The role is included in the
common.yml
playbook.The debops.debops_legacy role: clean up legacy files, directories, APT packages or dpkg-divert diversions created by DebOps but no longer used. This role needs to be executed manually, it's not included in the main playbook.
The debops.python role: manage Python environment, with support for multiple Python versions used at the same time. The role is included in the
common.yml
playbook.Icinga 2 support has been implemented with debops.icinga, debops.icinga_db and debops.icinga_web Ansible roles.
General
The DebOps installation now depends on the dnspython Python library. This allows usage of the
dig
Ansible lookup plugin in DebOps roles to gather data via DNS SRV records.The DebOps installation now depends on the future Python library which provides compatibility between Python 2.7 and Python 3.x environments. It is currently used in the custom Ansible filter plugin provided by DebOps, but its use will be extended to other scripts in the future to make the code more readable.
debops.dhparam role
The role will set up a systemd timer to regenerate Diffie-Hellman parameters periodically if it's available. The timer will use random delay time, up to 12h, to help with mass DHparam generation in multiple LXC containers/VMs.
debops.nginx role
A
default
set of SSL ciphers can be specified using thenginx_default_ssl_ciphers
variable. This disables thessl_ciphers
option in the nginx configuration and forces the server to use the defaults provided by the OS.
debops.ntp role
The OpenNTPD service will now properly integrate the ifupdown hook script with systemd. During boot, NTP daemon will be started once network interfaces are configured and will not restart multiple times on each network interface change.
debops.resources role
The role can now generate custom files using templates, based on a directory structure. See resources__templates for more details.
debops.sudo role
You can now manage configuration files located in the
/etc/sudoers.d/
directory using sudo__*_sudoers inventory variables, with multiple level of conditional options.
debops.users role
Selected UNIX accounts can now be configured to linger when not logged in via the
item.linger
parameter. This allows these accounts to maintain long-running services when not logged in via their own private systemd instances.
Changed
General
Some of the existing DebOps Policies and Guidelines have been reorganized and the concept of DebOps Enhancement Proposals (DEPs) is introduced, inspired by the Python Enhancement Proposals.
The debops script can now parse multiple playbook names specified in any order instead of just looking at the first argument passed to it.
debops.apt_install role
The editor alternative symlink configuration has been moved from the
debops.console
role to the debops.apt_install role which also installs vim by default.
debops.apt_mark role
The configuration of automatic removal of APT packages installed via
Recommends:
orSuggests:
dependencies has been moved from the debops.apt role to the debops.apt_mark role which more closely reflects its intended purpose. Variable names and their default values changed; see the Upgrade notes for more details.
debops.core role
The role will add any new administrator accounts to the list of existing admin accounts instead of replacing them in the Ansible local fact script. This should allow for multiple administrators to easily coexist and run the DebOps playbooks/roles from their own accounts without issues.
debops.gitlab role
Redesign the GitLab version management to read the versions of various components from the GitLab repository files instead of managing them manually in a YAML dictionary. The new
gitlab__release
variable is used to specify desired GitLab version to install/manage.The gitaly service will be installed using the
git
UNIX account instead ofroot
. Existing installations might require additional manual cleanup; see the Upgrade notes for details.The role now supports installation of GitLab 10.7.
The usage of
gitlab__fqdn
variable is revamped a bit - it's now used as the main variable that defines the GitLab installation FQDN. You might need to update the Ansible inventory if you changed the value of thegitlab_domain
variable used previously for this purpose.
debops.ifupdown role
The debops.kmod role is added as a dependency. The debops.ifupdown role will generate modprobe configuration based on the type of configured network interfaces (bridges, VLANs, bonding) and the kernel modules will be automatically loaded if missing.
debops.lxc role
Redesign system-wide LXC configuration to use list of YAML dictionaries merged together instead of custom Jinja templates.
Add lxc-prepare-ssh script on the LXC hosts that can be used to install OpenSSH and add the user's SSH authorized keys inside of the LXC containers. This is a new way to prepare the LXC containers for Ansible/DebOps management that doesn't require custom LXC template scripts and can be used with different LXC container types.
debops.mariadb_server role
The MariaDB/MySQL server and client will now use the
utf8mb4
encoding by default instead of theutf8
which is an internal MySQL character encoding. This might impact existing databases, see the Upgrade notes for details.
debops.nodejs role
The NPM version installed by the role from GitHub is changed from
v5.4.2
tolatest
which seems to be an equivalent of a stable branch.Recent versions of NPM require NodeJS 6.0.0+ and don't work with other releases. Because of that the newest NPM release is not installable on hosts that use NodeJS packages from older OS releases.
The debops.nodejs role will install NPM v5.10.0 version in this case to allow NPM to work correctly - on Debian Jessie, Stretch and Ubuntu Xenial. Otherwise, a NPM from the
latest
branch will be installed, as before.Instead of NodeJS 6.x release, the role will now install NodeJS 8.x release upstream APT packages by default. This is due to the NodeJS 6.x release switching to a Maintenance LTS mode. NodeJS 8.x will be supported as a LTS release until April 2019.
The role will install upstream NodeSource APT packages by default. This is due to no security support in Debian Stable, therefore an upstream packages should be considered more secure. The upstream NodeJS packages include a compatible NPM release, therefore it won't be separately installed from GitHub.
The existing installations shouldn't be affected, since the role will select OS/upstream package versions based on existing Ansible local facts.
debops.owncloud role
Support Nextcloud 13 and partially ownCloud 10. Nextcloud 11 and ownCloud 9.1 are EOL, you should update. The role can help you with the update to ensure that everything works smoothly with the new versions. Currently, the role can not do the update for you.
debops.sshd role
The role will now check the debops.system_groups Ansible local facts to define what UNIX groups are allowed to connect to the host via the SSH service.
debops.unattended_upgrades role
On hosts without a domain set, the role enabled all upgrades, not just security updates. This will not happen anymore, the security updates are enabled everywhere by default, you need to enable all upgrades specifically via the
unattended_upgrades__release
variable.
Removed
debops.apt_install role
Don't install the
sudo
package by default, this is now done via a separate debops.sudo role to easily support switching to thesudo-ldap
APT package.
debops.auth role
Remove configuration of UNIX system groups and accounts in the
admins
UNIX group. This is now done by the debops.system_groups Ansible role.
debops.console
role
Remove support for copying custom files from the role. This functionality is covered better by the debops.resources role.
Remove support for managing entries in the
/etc/hosts
database. This is now covered by the debops.netbase Ansible role.
debops.bootstrap
role
The sudo configuration has been removed from the
debops.bootstrap
role. Thebootstrap.yml
playbook now includes the debops.sudo role which configures sudo service.The UNIX system group management has been removed from the role, the
bootstrap.yml
playbook now uses the debops.system_groups role to create the UNIX groups used by DebOps during bootstrapping.Remove management of Python packages from the role. The
bootstrap.yml
playbook uses the debops.python role to configure Python support on the host.
debops.lxc role
Remove support for direct LXC container management from the role. This functionality is better suited for other tools like lxc-* set of commands, or the Ansible
lxc_container
module which should be used in custom playbooks. The 'debops.lxc' role focus should be configuration of LXC support on a host.Remove custom LXC template support. The LXC containers can be created by the normal templates provided by the
lxc
package, and then configured using DebOps roles as usual.
debops.postgresql_server role
The tasks that modified the default
template1
database and its schema have been removed to make the PostgreSQL installation more compatible with applications packaged in Debian that rely on the PostgreSQL service. See the relevant commit for more details. Existing installations shouldn't be affected.
debops v0.7.2 - 2018-03-28
Fixed
General
Add missing
python-ldap
dependency as an APT package in the Dockerfile.
debops v0.7.1 - 2018-03-28
Added
New DebOps roles
The debops.ansible role: install Ansible on a Debian/Ubuntu host using Ansible. The
`debops.debops
role now uses the new role to install Ansible instead of doing it directly.The debops.apt_mark role: set install state of APT packages (manual/auto) or specify that particular packages should be held in their current state. The role is included in the
common.yml
playbook.The debops.kmod role: manage kernel module configuration and module loading at boot time. This role replaces the
debops-contrib.kernel_module
role.The
debops-contrib.etckeeper
role has been integrated into DebOps as debops.etckeeper. The new role is included in thecommon.yml
playbook.
debops.ifupdown role
The role has new tasks that manage custom hooks in other services. First hook is The filter-dhcp-options hook which can be used to selectively apply DHCP options per network interface.
Changed
Continuous Integration
The test suite used on Travis-CI now checks the syntax of the YAML files, as well as Python and shell scripts included in the repository. The syntax is checked using the yamllint, pycodestyle and shellcheck scripts, respectively. Tests can also be invoked separately via the make command.
debops.etherpad role
The role can now autodetect and use a PostgreSQL database as a backend database for Etherpad.
debops.ferm role
The role should now correctly detect what Internet Protocols are available on a host (IPv4, IPv6) and configure firewall only for the protocols that are present.
debops.lxc role
The role will now generate the
lxc-debops
LXC template script from different templates, based on an OS release. This change should help fix the issues with LXC container creation on Debian Stretch.
debops.pki role
The X.509 certificate included in the default
domain
PKI realm will now have a SubjectAltName wildcard entry for the host's FQDN. This should allow for easy usage of services related to a particular host in the cluster over encrypted connections, for example host monitoring, service discovery, etc. which can be now published in the DNS zone at*.host.example.org
resource records.The role now supports Let's Encrypt ACMEv2 API via the acme-tiny Python script. The existing PKI realms will need to be re-created or updated for the new API to work, new PKI realms should work out of the box. Check the Upgrade notes for more details.
debops.proc_hidepid role
The role now uses a static GID
70
for theprocadmins
group to synchronize the access permissions on a host and inside the LXC containers. You will need to remount the filesystems, restart services and LXC containers that rely on this functionality.
debops.sysctl role
The configuration of the kernel parameters has been redesigned, instead of being based on YAML dictionaries, is now based on YAML lists of dictionaries and can be easily changed via Ansible inventory. You will need to update your inventory for the new changes to take effect, refer to the role documentation for details.
Fixed
General
The debops command will now generate the
ansible.cfg
configuration file with correct path to the Ansible roles provided with the DebOps Python package.
debops.nginx role
Fix a long standing bug in the role with Ansible failing during welcome page template generation with Jinja2 >= 2.9.4. It was related to non-backwards compatible change in Jinja that modified how variables are processed in a loop.
Removed
Roles removed from DebOps
The
debops-contrib.kernel_module
Ansible role has been removed; it was replaced by the new debops.kmod Ansible role.
debops.ferm role
The
ferm-forward
hook script in the/etc/network/if-pre-up.d/
directory has been removed (existing instances will be cleaned up). Recent changes in the debops.ferm role broke idempotency with the debops.ifupdown role, and it was determined that the functionality provided by the hook is no longer needed, recent OS releases should deal with it adequately.
debops v0.7.0 - 2018-02-11
Added
New DebOps roles
New Ansible roles have been imported from the
debops-contrib
organization:apparmor
,bitcoind
,btrfs
,dropbear_initramfs
,etckeeper
,firejail
,foodsoft
,fuse
,homeassistant
,kernel_module
,kodi
,neurodebian
,snapshot_snapper
,tor
,volkszaehler
,x2go_server
. They are not yet included in the main playbook and still need to be renamed to fit with the rest of thedebops.*
roles.The debops.sysfs role: configuration of the Linux kernel attributes through the
/sys
filesystem. The role is not enabled by default.The debops.locales role: configure localization and internationalization on a given host or set of hosts.
The debops.machine role: manage the
/etc/machine-info
file, the/etc/issue
file and a dynamic MOTD.The debops.proc_hidepid role: configure the
/proc
hidepid=
options.The debops.roundcube role: manage RoundCube Webmail application.
The debops.prosody role: configure an xmpp server on a given host.
The debops.sysnews role: manage System News bulletin for UNIX accounts.
Continuous Integration
DebOps roles and playbooks can now be tested using local or remote GitLab CI instance, with Vagrant, KVM and LXC technologies and some custom scripts.
General
You can now use Vagrant to create an Ansible Controller based on Debian Stretch and use it to manage itself or other hosts over the network.
You can now build an Ansible Controller with DebOps support as a Docker container. Official Docker image is also available, automatically rebuilt on every commit.
You can now install DebOps on Arch Linux using an included
PKGBUILD
file.Add new playbook,
agent.yml
. This playbook is executed at the end of the main playbook, and contains applications or services which act as "agents" of other services. They may contact their parent applications to report about the state of the host they are executed on, therefore the agents are installed and configured at the end of the main playbook.DebOps roles and playbooks will be included in the Python packages released on PyPI. This will allow for easier installation of DebOps via pip (no need to download the roles and playbooks separately) as well as simple stable releases. The DebOps monorepo can still be installed separately.
debops.libvirtd role
The role can now detect if nested KVM is enabled in a particular virtual machine and install KVM support.
debops.nodejs role
The debops.nodejs role can now install Yarn package manager using its upstream APT repository (not enabled by default).
Changed
Continuous Integration
The project repository is tested using pycodestyle for compliance with Python's PEP8 Style Guide.
General
The debops-update script will now install or update the DebOps monorepo instead of separate
debops-playbooks
and DebOps roles git repositories. Existing installations shouldn't be affected.The debops script will now include the DebOps monorepo roles and playbooks in the generated
ansible.cfg
configuration. The monorepo roles and playbooks are preferred over the olddebops-playbooks
ones.The script is backwards compatible and should work correctly with or without the
debops-playbooks
repository and roles installed.Improved Python 3 support in the DebOps scripts and throughout the playbooks/roles. DebOps should now be compatible with both Python versions.
debops.gitlab_runner role
The GitLab Runner playbook is moved to the
agent.yml
playbook; it will be executed at the end of the main playbook and should that way include correct information about installed services.
debops.gunicorn role
Update the role to work correctly on Debian Stretch and newer releases. The support for multiple gunicorn instances using custom Debian scripts has been removed in Debian Stretch, therefore the role replaces it with its own setup based on systemd instances.
debops.nodejs role
The
npm
package has been removed from Debian Stable. The role will now install NPM using the GitHub source, unless upstream NodeJS is enabled, which includes its own NPM version.
Removed
General
Remove the
ipaddr.py
Ansible filter plugin, it is now included in the Ansible core distribution.
debops.console
role
Remove the
locales
configuration from the 'debops.console' role, this functionality has been moved to the new 'debops.locales' role. You will need to update the Ansible inventory variables to reflect the changes.Remove management of the
/etc/issue
and/etc/motd
files from thedebops.console
role. That functionality is now available in the debops.machine role. You will need to update the Ansible inventory variables to reflect the changes.Management of the
/proc
hidepid=
option has been moved to a new role, debops.proc_hidepid. You will need to update the Ansible inventory variables to reflect the changes.Management of the System News using the
sysnews
Debian package has been removed from the role; it's now available as a separate debops.sysnews Ansible role. You will need to update the Ansible inventory variables related to System News due to this changes.
debops v0.6.0 - 2017-10-21
Added
General
Various repositories that comprise the DebOps project have been merged into a single monorepo which will be used as the main development repository. Check the git log for information about older releases of DebOps roles and/or playbooks.