1.26.0

v1.26.0 - 2025-01-06

Upgrade procedure:

• xsrv self-upgrade to upgrade the xsrv script
• xsrv upgrade to upgrade roles/ansible environments to the latest release
• monitoring_netdata: if you had changed the default value of netdata_dbengine_disk_space in your host/group configuration, remove this variable and configure netdata_dbengine_tier0/1/2_retention_days instead
• xsrv deploy to apply changes

Added:

• add searxng role (metasearch engine)

Changed:

• monitoring_netdata: define maximum metrics retention in days (netdata_dbengine_tier0/1/2_retention_days) instead of MB (default to 7 days of per-second data, 30 days of per-minute data, 730 days of per-hour data)
• gitea: make router logs less verbose (warnings only)
• gitea: upgrade to v1.22.6 [1] [2] [3]
• nextcloud: upgrade to v28.0.14 [1]
• shaarli: upgrade to v0.14.0
• stirlingpdf: pin version and upgrade to v0.36.6 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16]
• owncast: pin version to v0.1.3
• openldap: update self-service-password to v1.7.1 [1] [2]
• openldap: update ldap-account-manager to v8.9
• matrix: update element-web to v1.11.89 [1] [2] [3] [4] [4] [5] [6] [7] [8] [9] [10 [11]
• shaarli: update stack template to v0.10 [1] [2]
• goaccess: update IP to Country GeoIP database to v2024-11
• xsrv: update ansible to v11.1.0 [1 [2] [3]
• xsrv: update trivy security scanner to v0.58.0
• homepage: minor style tweaks
• update documentation

Fixed:

• jellyfin: fix jellyfin not upgrading automatically from v10.9 to v10.10
• podman: fix inability to restart systemd user services using systemctl
• owncast: fix deployment always restaring the service/always returning changed on generate systemd unit file for owncast container
• moodist, owncast, stirlingpdf: fix OCI image not updated to latest version on re-deployment
• owncast: fix container/service not restarting after upgrades
• netdata: fix netdata unable to determine podman container names

Full changes since v1.25.1

1.25.1

v1.25.1 - 2024-10-19

Upgrade procedure:

• xsrv upgrade to upgrade roles/ansible environments to the latest release
• xsrv deploy to apply changes

Fixed:

• moodist: fix variable name (moodist_https_mode)

Full changes since v1.25.0

1.25.0

v1.25.0 - 2024-10-19

Upgrade procedure:

• xsrv self-upgrade to upgrade the xsrv script
• xsrv upgrade to upgrade roles/ansible environments to the latest release
• xsrv deploy to apply changes

Added:

• add stirlingpdf role (PDF manipulation tools)
• add moodist role (ambient sound mixer)
• libvirt: enable KSM (VM memory deduplication)

Changed:

• shaarli: increase default max memory size for php-fpm pool to 256MB
• nextcloud: upgrade to v28.0.11 [1]
• gitea: upgrade to v1.22.3 [1] [2] [3] [4]
• ollama: upgrade to v0.3.5 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] [19] [20] [21] [22] [23] [24] [25] [26] [27] [28] [29] [30] [31]
• ollama: upgrade ollama-ui to the latest version [1]
• matrix: update element-web to v1.11.77 [1] [1] [3] [4] [5] [6] [7] [8] [9] [10] [11]
• openldap: update ldap-account-manager to v8.8
• matrix: update synapse-admin to v0.10.3 [1]
• postgresql: update pgmetrics to v1.17.0
• goaccess: update IP to Country GeoIP database to v2024-09
• xsrv: update ansible to v10.5.0 [1 [2]
• netdata: install/upgrade netdata from new self-hosted repositories [1]
• netdata: make role compatible with Ubuntu 22.04
• improve test tools

Fixed:

• netdata: fix netdata not upgrading automatically from 1.45.6 to later versions
• jellyfin: fix jellyfin not upgrading automtically from 10.8.13 to 10.9.2
• wireguard: really delete peers from the configuration when wireguard_peers[*].state is set to absent
• wireguard: fix variable checks for wireguard_peers with state: absent and no public_key defined
• postgresql: rsyslog: fix postgresql log messages incorrectly tagged as mongodb in syslog
• openldap: fix ldap-account-manager download failing with urlopen error timed out
• gitea_act_runner: fix runner failing to register with [E] Deprecated config option [oauth2].ENABLE is present, please use [oauth2].ENABLED instead

Full changes since v1.24.0

1.24.0

v1.24.0 - 2024-05-09

Upgrade procedure:

• xsrv upgrade to upgrade roles/ansible environments to the latest release
• xsrv deploy to apply changes

Added:

• add ollama role role (local Large Language Model (LLM) server and web interface)
• monitoring_utils: add bonnie++ disk benchmarking tool and automated report script (TAGS=utils-bonnie xsrv deploy)

Changed:

• nextcloud: upgrade to v28.0.5 [1] [2]
• gitea: update to v1.21.11 [1] [2] [3] [4]
• gitea_act_runner: update act-runner to v0.2.10 [1] [2] [3] [4]
• openldap: update ldap-account-manager to v8.7
• openldap: update self-service-password to v1.6.0
• matrix: update element-web to v1.11.66 [1] [2] [3] [4] [5] [6]
• shaarli: update stack template to v0.8 [1]
• matrix: update synapse-admin to v0.10.1 [1]
• xsrv: update ansible to v9.5.1

Fixed:

• handlers: fix recursion loop in handlers/meta/main.yml
• all roles/apache: ensure apache is restarted (not just reloaded) when new modules are loaded
• graylog: make syslog certificate generation idempotent (add graylog_cert_not_before/after variables)
• matrix: fix broken version number comparison leading to error 'matrix_synapse_admin_action' is undefined.

Full changes since v1.23.0

1.23.0

v1.23.0 - 2024-04-09

Upgrade procedure:

• xsrv self-upgrade to upgrade the xsrv script
• xsrv upgrade to upgrade roles/ansible environments to the latest release
• monitoring_netdata: netdata_log_to_syslog, netdata_disable_debug_log, netdata_disable_error_log, netdata_disable_access_log variables are no longer used and can be removed from your configuration, if you changed them from the defaults (xsrv edit-host/edit-group)
• monitoring_rsyslog: if rsyslog_enable_forwarding is set to yes in your host/group variables (xsrv edit-host/edit-group), set rsyslog_forward_to_inventory_hostname to the inventory hostname of the syslog/graylog server receiving the logs
• graylog: under Inputs, edit all syslog/TLS inputs to use the new paths for TLS cert file: /etc/ssl/syslog/ca.crt, TLS private key: /etc/ssl/syslog/ca.key, TLS client auth trusted certs: /etc/ssl/syslog/ca.crt. You may also delete data/certificates/*-graylog-ca.crt files in your project directory since they are no longer used.
• xsrv deploy to apply changes

Added:

• xsrv: add scan command (scan a project directory for cleartext secrets/passwords using trivy)
• xsrv: add show-groups command (list all groups a host is a member of)
• monitoring_rsyslog: allow receiving logs from syslog clients over the network on port 514/tcp (rsyslog_enable_receive: no/yes)

Removed:

• monitoring_netdata: remove configuration variables netdata_log_to_syslog, netdata_disable_debug_log, netdata_disable_error_log, netdata_disable_access_log

Changed:

• gitea_act_runner: disable automatic nightly prune of podman images/containers by default gitea_act_runner_daily_podman_prune: no/yes
• monitoring_netdata: send all logs to systemd-journald, except access log
• monitoring_netdata: disable machine learning/anomaly detection functionality when streaming to a parent node (when netdata_streaming_send_enabled is enabled)
• shaarli: allow setting the default view mode when using the stack template (shaarli_stack_default_ui: small/medium/large), change the default to medium
• monitoring_rsyslog/graylog: setup mutual TLS authentication between syslog clients and server, sign server and client certificates with server CA certificate - rsyslog_forward_to_inventory_hostname is now required on rsyslog clients
• common: apt: enable non-free-firmware section when apt_enable_nonfree: yes [1]
• gitea: update to v1.21.7 [1] [2]
• nextcloud: upgrade to v28.0.3 [1] [2]
• shaarli: update stack template to v0.7 [1] [2]
• matrix: update synapse-admin to v0.9.1
• matrix: update element-web to v1.11.59 [1] [2]
• xsrv: update ansible to v9.3.0
• cleanup: standardize task names, remove files from old versions of the roles, use community.crypto.x509_certificate instead of deprecated openssl_certificate modules
• update documentation, add Gitea/Github Actions example for secret scanning, add graylog backup restoration procedure
• improve automatic tests

Fixed:

• monitoring_netdata/rsyslog: fix netdata logs no longer being appended to syslog
• shaarli: fix stack theme favicon not being displayed
• postgresql: fix role execution when called with rsyslog ansible tag

Full changes since v1.22.0

1.22.0

v1.22.0 - 2024-02-03

Upgrade procedure:

• xsrv self-upgrade to upgrade the xsrv script
• xsrv upgrade to upgrade roles/ansible environments to the latest release
• xsrv deploy to apply changes

Added:

• add nmap command and role - run nmap network scanner against hosts from the inventory

Changed:

• graylog: support initial deployment of the role with graylog/mongodb/elasticsearch disabled
• gitea: update to v1.21.5 [1] [2]
• nextcloud: upgrade to v28.0.2 [1] [2]
• matrix: update element-web to v1.11.57 [1] [2]
• xsrv: update ansible to v9.2.0
• update documentation

Full changes since v1.21.0

1.21.0

v1.21.0 - 2024-01-17

Upgrade procedure:

• xsrv self-upgrade to upgrade the xsrv script
• xsrv upgrade to upgrade roles/ansible environments to the latest release
• graylog: if you are using the graylog role, add the mongodb_admin_password and graylog_mongodb_password variables to your host variables (xsrv edit-vault) and set their values to strong random passwords
• To get rid of the deprecation warning collections_paths option does not fit var naming standard, rename collections_paths to collections_path in ansible.cfg (xsrv edit-cfg)
• xsrv deploy to apply changes

Added:

• add owncast role role (live video streaming and chat server)
• graylog/mongodb: require authentication to connect to mongodb (mongodb_admin_password, graylog_mongodb_password)
• jitsi: add an automated procedure to get the list of jitsi (prosody) registered users (TAGS=utils-jitsi-listusers xsrv deploy)
• gitea_act_runner: allow configuring how many tasks the runner can execute concurrently (gitea_act_runner_capacity: 1)
• postgresql: aggregate postgresql logs to syslog (when the monitoring_rsyslog role is deployed)
• wireguard/firewalld: allow configuring services to which wireguard clients can connect on the host (wireguard_firewalld_services)

Removed:

• postgresql: drop compatibility with Debian <12

Changed:

• python >=3.9 is now required on the controller (ansible 9.1.0)
• cleanup: postgresql: standardize/simplify pgmetrics report generation
• gitea_act_runner: update default image labels (use the node:21-bookworm when uses: ubuntu-latest is specified in the CI configuration file), add equivalent debian-latest label
• monitoring_netdata: debsecan: whitelist a few minor issues in debsecan reports by default
• wireguard: never return changed for wireguard client configuration file generation tasks
• tt_rss: hide changed status of set permissions on tt-rss files task
• gitea: update to v1.21.3 [1] [2]
• postgresql: explicitely install postgresql version 15
• openldap: update ldap-account-manager to v8.6
• matrix: update element-web to v1.11.52 [1] [2]
• xsrv: update ansible to v9.0.1
• monitoring_goaccess: update IP to Country database to v2024-01
• improve check mode support before first actual deployment
• update documentation

Fixed:

• graylog: mongodb: fix mongodb backups failing (authentication required)
• default playbook: fix goaccess_username/password/fqdn variables not being added to the correct file (username/password belong to encrypted variables)
• monitoring_utils: fix lynis warning MongoDB instance allows any user to access databases
• tt_rss: fix tt-rss installation failing when git was not previously installed
• tt_rss: fix error on first tt-rss installation Unsupported parameters for (postgresql_query) module: as_single_query, path_to_script.
• shaarli: fix shaarli zip extraction failing when the unzip package is not installed
• nextcloud: fix Nextcloud upgrades sometimes failing with Nextcloud is not installed - only a limited number of commands are available
• graylog: don't fail with 'graylog_mongodb_apt_repo_distribution' is undefined when running the mongodb tag alone
• dnsmasq: only attempt to update blocklists after network is online and dnsmasq has started

Full changes since v1.20.0

1.20.0

v1.20.0 - 2023-12-02

Upgrade procedure:

• xsrv upgrade to upgrade roles/ansible environments to the latest release
• xsrv deploy to apply changes

Added:

• dnsmasq: allow loading custom DNS blocklists from an URL (dnsmasq_blocklist_url, dnsmasq_blocklist_mode, dnsmasq_blocklist_whitelist)
• shaarli: install stack custom theme/template and enable it by default
• shaarli: allow setting the theme/template via the (shaarli_theme) configuration variable
• dnsmasq: allow logging DNS queries processed by dnsmasq (dnsmasq_log_queries: no/yes)
• nextcloud: allow configuring outgoing mail settings (nextcloud_smtp_*)
• common: add automated procedures to reboot or shutdown hosts (TAGS=utils-shutdown,utils-reboot)
• netdata: debsecan: allow whitelisting vulnerabilities reported by debsecan by CVE number (debsecan_whitelist)
• act-runner: prune unused podman data automatically, nightly (volumes, networks, containers, images)
• goaccess: allow configuring IP to Country GeoIP database version (goaccess_geoip_db_version)
• apache: allow restricting access to individual web applications by IP address/network (shaarli_allowed_hosts, matrix_synapse/element_admin_allowed_hosts, goaccess_allowed_hosts, ldap_account_manager/self_service_password_allowed_hosts, nextcloud_allowed_hosts, transmission_allowed_hosts, tt_rss_allowed_hosts, jitsi_allowed_hosts, homepage_allowed_hosts, graylog_allowed_hosts, gotty_allowed_hosts, gitea_allowed_hosts)
• jellyfin: allow disabling the allowed IP list entirely (allow access from any IP) by setting an empty jellyfin_allowed_hosts list
• common: sysctl: add hardening measures against reading/writing files controlled by an attacker fs.protected_fifos/hardlinks/regular/symlinks
• podman: add podman-docker wrapper (execute docker commands through podman)

Removed:

• netdata: remove netdata_monitor_systemd_units variable (always enable monitoring of system unit states)
• common: remove residual support for Debian 11 in firewalld configuration

Changed:

• xsrv: init-vm-template: use the gateway IP address as DNS server (--nameservers) by default instead of Cloudflare public DNS
• netdata: when *_enable_service: no, disable HTTP checks entirely for this service (intead of accepting HTTP 503)
• netdata: debsecan: allow disabling daily debsecan mail reports (debsecan_enable_reports: yes/no)
• transmission/netdata: only accept HTTP 401 as valid return code for the HTTP check
• nextcloud: verify downloaded .zip using GPG signatures
• jellyfin: harden systemd service (systemd-analyze security exposure score down from 9.2 UNSAFE to 5.7 MEDIUM)
• shaarli: update to v0.13.0
• gitea: update to v1.21.1 [1] [2]
• nextcloud: upgrade to v27.1.4 [1] [3]
• openldap: update self-service-password to v1.5.4
• matrix: update element-web to v1.11.50 [1] [2] [3]
• xsrv: upgrade ansible to v8.6.1
• goaccess: update IP to Country GeoIP database to v2023-11
• cleanup: limit use of check_mode: no to tasks that do not change anything
• update documentation, add example usage through Gitea Actions/Github Actions

Fixed:

• openldap: fix deployment of ldap-account-manager failing on copy php-fpm configuration when deploying the apache tag in isolation
• jellyfin: fix internal Restart server function only terminating the server process without restarting
• gitea_act_runner: fix potentially insufficient UIDs or GIDs available in user namespace error when using podman backend
• readme_gen: fix netdata alarm badge URL for used swap alarm
• shaarli: make remove shaarli zip extraction directory task idempotent

Full changes since v1.19.0

1.19.0

v1.19.0 - 2023-11-03

Upgrade procedure:

• xsrv upgrade to upgrade roles/ansible environments to the latest release
• gitea_act_runner: if you changed it from the default value, rename the variable gitea_act_runner_gitea_instance_url to gitea_act_runner_gitea_instance_fqdn
• monitoring_utils: if your projects are under git version control, you may want to add data/duc-*.db to your .gitignore before using the utils-duc tag.
• common: if your projects are under git version control, you may want to add data/firewalld-info-*.log to your .gitignore before using the utils-firewalld-info tag.
• xsrv deploy to apply changes

Added:

• common: packages: automatically install qemu-guest-agent when the host is a KVM VM
• gitea_act_runner: allow running workflows directly on the host without containerization (gitea_act_runner_labels)
• monitoring_utils: allow analyzing disk usage by directory and visualizing it locally using duc (TAGS=utils-duc xsrv deploy default my.CHANGEME.org)
• backup: allow disabling specific rsnapshot backup intervals by setting rsnapshot_retain_daily/weekly/monthly to 0
• backup: allow disabling automatic/scheduled backups entirely rsnapshot_enable_cron: yes/no
• backup: allow disabling automatic creation of the backup storage directory rsnapshot_create_root: yes/no
• common: allow getting firewalld status information (TAGS=utils-firewalld-info xsrv deploy)
• netdata/shaarli/tt_rss/openldap/nextcloud: enable monitoring of PHP-FPM pools
• when generating self-signed certificates, download them to the controller in data/certificates/ under the project directory

Removed:

• netdata: remove variable netdata_self_monitoring_enabled (use netdata_disabled_plugins: ['netdata monitoring'] instead)
• monitoring_utils: remove logwatch from the list of default installed packages

Changed:

• netdata: disable all netdata self-monitoring by default
• netdata: update logs/db storage configuration for newer netdata versions, store 400MB of per-minute data and 200MB of per-hour data in addition to the amount of per-second data defined by netdata_dbengine_disk_space
• gitea_act_runner: don't run the runner as root but as dedicated act-runner user
• gitea_act_runner: force re-registering the runner when the .runner file is absent
• gitea_act_runner: rename variable gitea_act_runner_gitea_instance_url to gitea_act_runner_gitea_instance_fqdn
• gitea_act_runner: log runner registration attempts to syslog for easier debugging
• common: users/logind: don't lock auto-lock idle user sessions by default (systemd_logind_lock_after_idle_min: 0)
• jitsi/goaccess: only generate self-signed certificates when jitsi/goaccess_https_mode: selfsigned
• transmission: only generate self-signed certificates when apache is managed by xsrv
• nextcloud: upgrade to v27.1.3 [1] [2] [3] [4] [5] [6]
• matrix: update element-web to v1.11.47 [1]
• update documentation

Fixed:

• netdata: fix incorrect variable name in role defaults (netdata_api_key -> netdata_streaming_api_key)
• gitea_act_runner: fix temporary error when first enabling the podman socket in act-runner systemd user session
• gitea_act_runner: fix errors when enabling the systemd service manually
• gitea_act_runner: always try to restart the runner systemd service in case of failure
• monitoring_utils/graylog: fix debsums incorrectly reporting missing files in mongodb packages
• monitoring_netdata/debsecan: fix debsecan unable to send email reports
• default playbook: fix role ordering (podman must be deployed before gitea_act_runner)

Full changes since v1.18.0

1.18.0

v1.18.0 - 2023-10-11

Upgrade procedure:

• docker: if you want to keep using the docker role, update requirements.yml (xsrv edit-requirements) and playbook.yml (xsrv edit-playbook) to use the archived nodiscc.toolbox.docker role instead. nodiscc.xsrv.podman is now the recommended role for container management.
• xsrv upgrade to upgrade roles/ansible environments to the latest release
• xsrv deploy to apply changes

Note: the collection will no longer be updated on https://galaxy.ansible.com/ui/repo/published/nodiscc/xsrv/ until ansible/galaxy#2438 is fixed, please use the git repository URL in your requirements.yml, as documented in https://xsrv.readthedocs.io/en/latest/usage.html#use-as-ansible-collection.

Added:

• add gitea_act_runner role (Gitea Actions CI/CD runner)
• add podman role (OCI container engine and management tools, replacement for docker)
• gitea: allow enabling built-in Gitea Actions CI/CD system (gitea_enable_actions: no/yes)
• common: allow running unattended-upgrade or apt upgrade immediately (TAGS=utils-apt-unattended-upgrade,utils-apt-upgrade)
• matrix: allow setting up LDAP authentication backend for synapse (matrix_synapse_ldap_*)
• netdata: allow aggregating netdata error/health alarm/collector logs to syslog (netdata_logs_to_syslog: no/yes)
• docker: add an automated procedure to uninstall docker role components (TAGS=utils-docker-uninstall)
• nextcloud: allow automatically checking the filesystem/data directory for changes made outside Nextcloud (nextcloud_filesystem_check_changes: no/yes)

Removed:

• docker: remove role, archive it to separate repository
• apache: remove remove ability to install/configure mod-evasive anti-DDoS module

Changed:

• common: datetime: replace ntpd time synchronization service by systemd-timesyncd
• common: ssh: don't accept locale/language-related environment variables set by the client by default (ssh_accept_locale_env: no/yes)
• graylog: don't perform mongodb backups when the graylog/mongodb service is disabled on the host configuration (graylog_enable_service: yes/no)
• gitea: update to v 1.20.5 [1]
• matrix: update element-web to v1.11.46 [1] [2] [3]
• graylog: update to v5.1 [1] [2] [3] [4] [5] [6] [7]
• openldap: update ldap-account-manager to v8.5
• postgresql: update pgmetrics to v1.16.0
• netdata: update netdata-apt to v1.1.2 [1]
• xsrv: upgrade ansible to v8.5.0

Fixed:

• jitsi: fixed jitsi-videobridge sometimes failing to connect to prosody (org.jivesoftware.smack.sasl.SASLErrorException: SASLError using SCRAM-SHA-1: not-authorized) - force updating jvb prosody password

Full changes since v1.17.0