This project adheres to Semantic Versioning and a human-readable changelog.
This file contains only a general overview of the changes in the DebOps project. The detailed changelog can be seen using the git log command.
You can read information about required changes between releases in the upgrade_notes documentation.
debops master - unreleased

- Add more entries to be ignored by default by the git command in the DebOps project directories:
  - debops: ignore the DebOps monorepo cloned or symlinked into the project directory.
  - roles and playbooks: ignore roles and playbooks in development; production code should be put in the ansible/roles/ and the ansible/playbooks/ directories respectively.
- The debops-init script now also creates the .gitattributes file for use with git-crypt. It is commented out by default.
- The open-vm-tools APT package will be installed by default in VMware virtual machines.
- In the debops.gitlab role, the GitLab version has been updated to 12.1. This is the last release that supports Ruby 2.5, which is included in Debian Buster.
- The role will install and configure the resolvconf APT package only on hosts with more than one network interface (not counting lo), or if local DNS services are also present on the host.
- The role will allow or deny access to the root account via password depending on the presence of the /root/.ssh/authorized_keys file. See sshd__ref_root_password for more details. This requires the updated root_account.fact script from the debops.root_account role.
- The role will use Ansible local facts to check if the OpenSSH server package is installed, to conditionally enable/disable its start on first install.
- In the nfs_server__firewall_ports variable, convert the dict_keys view into a list due to a change in the Python 3 implementation of dictionaries.
debops v1.1.0 - 2019-08-25

- The debops.keyring role is designed to be used by other Ansible roles to manage GPG keys, either in the APT keyring or in the GPG keyrings of specific UNIX accounts. It replaces and centralizes the use of the apt_key and apt_repository Ansible modules in separate roles and provides additional functionality, like GPG key lookup in a local key store on the Ansible Controller, or the Keybase service.
- The debops-contrib.neurodebian Ansible role has been migrated to the main DebOps role namespace as the debops.neurodebian role. This role can be used to configure the NeuroDebian APT repository on Debian/Ubuntu hosts.
- The debops.wpcli role can be used to install the WP-CLI framework to allow management of WordPress websites in a shared hosting environment.
- The debops.nscd role configures the Name Service Cache Daemon, used to cache NSS entries from remote databases, for example LDAP, Active Directory or NIS. The role is included in the bootstrap-ldap.yml playbook.
- The debops.backup2l role configures the backup2l script, which can create differential backups of a given host and store them on an external hard drive connected to that host.
- The debops.resolvconf role fixes a few issues in the resolvconf Debian package and modifies the interface order in the generated /etc/resolv.conf configuration file depending on the presence of a local DNS resolver like dnsmasq or unbound. The role is included in the bootstrap and common playbooks.
- The Vagrant test environment will use the libeatmydata library to make specific commands like apt-get, rsync, pip, etc. faster by avoiding excessive fsync(2) operations.
- The pyopenssl Python package has been added as a dependency of DebOps when the project is installed with Ansible included. This package is required by the openssl_* modules in Ansible 2.7; some of the DebOps roles like debops.opendkim use these modules on the Ansible Controller.
- The distro Python package has been added as a DebOps dependency. The package is used by the debops-init script to detect the operating system used on the Ansible Controller, and is a replacement for the deprecated platform.linux_distribution() function.
- The ldap/init-directory.yml Ansible playbook will create an LDAP group object for SSH users, equivalent to the sshusers group created by the debops.system_groups role. LDAP accounts in this group will be able to access the SSH service from any host. Existing installations might need to be updated manually to fix UID/GID or LDAP DN conflicts.
- If Avahi/mDNS support is present on a host, the debops.ferm role will allow access through the mdns UDP port by default. This will most likely happen on workstations and laptops with full desktop environments installed, but not on servers with a minimal install. To configure the Avahi service or enable it on servers, you can use the debops.avahi Ansible role.
- The role will configure the libvirt and libvirt_guest NSS modules in the /etc/nsswitch.conf database using the debops.nsswitch role, to allow accessing the virtual machines or containers via their hostnames on the virtual machine host.
- The lxc-prepare-ssh script can now look up the SSH keys of the current user in LDAP if support for it is enabled on the LXC host.
- Add support to disable logging per Nginx server.
- If an nginx server configuration uses a domain with the lxc. prefix, for example inside of an internal LXC container, the role will include a redirect from the host.lxc "virtual" domain to the real host.lxc.example.org domain. This ensures that HTTP requests to the http://host.lxc/ URLs are redirected to the real LXC container hosts, depending on the DNS records and the HTTP client's resolver configuration.
- The role can now control on which ports and services OpenLDAP listens for connections. The ldaps:/// service is enabled by default when support for the debops.pki role is enabled on the OpenLDAP host.
- The kernel protection for symlinks and hardlinks will be enabled by default on Debian/Ubuntu hosts.
- Don't use special configuration for containers to determine what kernel parameters can be modified. The role will rely on its own Ansible local facts for that.
- The unbound service will be configured to forward *.lxc.{{ ansible_domain }} DNS queries to the dnsmasq service managed by the debops.lxc role (lxc-net), if LXC configuration is detected via local Ansible facts. The *.consul DNS queries will be forwarded to the consul service, if its Ansible facts are detected.
- Re-add users__default_shell, which was removed in debops v1.0.0.
- The debops.netbox role has been updated to NetBox version v2.6.1. The Redis service is now required for NetBox; it can be installed separately via the debops.redis_server Ansible role.
- The NetBox version installed by DebOps has been changed from using the master branch to specific tags, with the latest release (v2.6.1) set by default. The git commit signature in the NetBox repository is also verified using the GitHub GPG key when the repository is cloned.
- In the debops.cran role, the upstream APT repository suite for CRAN has been updated to <release>-cran35/ due to changes in the APT repository structure. Existing APT repository URLs might need to be removed manually from the /etc/apt/sources.list.d/ directory to make the APT service work as expected.
- The debops.nodejs role will now install NodeJS, NPM and Yarn packages from the OS release repository by default. On the Debian Oldstable release, the packages backported from the Debian Stable release will be used by default. Installation of upstream NodeJS and NPM can be enabled using the nodejs__node_upstream variable. Upstream Yarn can be enabled using the nodejs__yarn_upstream variable.
- If the NodeJS upstream support is enabled, the NodeJS 8.x version will be installed on older Debian/Ubuntu releases, for example Debian Stretch and Ubuntu Bionic. Debian Buster and newer releases will use the NodeJS 10.x version, to keep the Node version from upstream in sync with the one available in the OS repositories.
- In the debops.etherpad role, the default version installed by the role is changed from the develop branch to the v1.7.0 version on older OS releases, and the v1.7.5 version on Debian Buster and newer, to not force installation of the upstream NPM package by default.
- DebOps now uses xenial as the default OS release in Travis-CI tests. The xenial images on Travis use shellcheck v0.6.0 to test shell scripts; if you want to run the test shell command locally to check the script syntax, you will need to update your shellcheck installation to the v0.6.0 version to match the one on Travis-CI. This version is at present not available in Debian, therefore a custom install will be needed. See the ShellCheck install instructions for your preferred method.
- The Travis-CI tests will be done using Python 3.7 only. Python 2.7 support will be dropped in 2020, it's time to prepare.
- The GitLab CI tests are done using a debian/buster64 Vagrant Box.
- Switch the base Docker image to debian:buster-slim and install a Python 3.x environment instead of Python 2.7 in the DebOps Docker image.
- The docker-entrypoint script has been refreshed to account for the changes in DebOps roles. The debops.sshd role takes care of the /run/sshd/ directory by itself, and running DebOps against the container requires sudo access without password.
- Various DebOps roles have been modified to use the debops.keyring Ansible role to manage the APT repository keys, or GPG keys on UNIX accounts. If you are using them in custom playbooks, you might need to update them to include the new dependency.
- The installation of APT and other packages in DebOps roles has been refactored to remove the use of the with_items/with_flattened lookups. Support for package installation via task loops will be removed in Ansible 2.11.
- The DebOps documentation generator now supports Ansible roles with multiple defaults/main/*.yml files. They are also correctly handled by the debops-defaults script.
- Various DebOps roles will no longer use the hostname as a stand-in for an empty DNS domain when no DNS domain is detected; this resulted in "standalone" hosts without a DNS domain being misconfigured. Existing setups with a DNS domain shouldn't be affected, but configuration of standalone hosts that deploy web services might require modifications.
- The debops.resolvconf role has been added as a dependency in the Ansible playbooks of the roles that interact with the resolvconf service in some way. The modified roles are: debops.dnsmasq, debops.docker_server, debops.ifupdown, debops.lxc, debops.unbound. The installation of the resolvconf APT package has been removed from the roles that contained it.
- Run debops.apt_proxy from the bootstrap.yml Ansible playbook to ensure that if a proxy is used, it is used all the time, without disabling the proxy for a short while during bootstrapping. The bootstrap-ldap.yml Ansible playbook already included debops.apt_proxy.
- The zsh shell APT package will be installed only if the root account (debops.root_account), any system users (debops.system_users) or regular users (debops.users) managed by Ansible are using it as a login shell.
- The avahi-alias script has been imported into the role itself and will no longer be installed by cloning the upstream git repository. Consequently, support for mDNS *.local CNAME resource records will be enabled by default on hosts with Python 2.7 installed (support for Python 3.x is currently not available).
- The patchpanel DokuWiki plugin has been deprecated in favor of the switchpanel plugin. The role will remove the patchpanel plugin automatically on existing installations. You might need to update the wiki contents to render the patch panels correctly; see the plugin documentation for more details.
- The debops.docker role has been renamed to debops.docker_server in preparation for adding a role that will provide client functionality like network and container management.
- The Docker server no longer listens on a TCP port by default, even if debops.pki is enabled.
- The default storage driver used by debops.docker_server has been changed to overlay2, which is the default in upstream. The role checks the currently enabled storage driver via Ansible local facts, and should preserve the current configuration on existing installations. If needed, the storage driver in use can be overridden via the docker_server__storage_driver variable.
- The installation of etckeeper will be disabled by default in Python 3.x-only environments. See the role documentation (etckeeper__ref_python3only) for more details.
- The playbook will no longer force the installation of the upstream Node.js and Yarn packages via the debops.nodejs role. The upstream versions are currently not required on Debian Buster.
- The role will not install the rdnssd APT package if the NetworkManager service is detected on the host, to avoid removing the NM service due to a package conflict. NetworkManager should gracefully handle adding IPv6 nameservers to the /etc/resolv.conf file, and on systems without NM installed the rdnssd script will perform this task as before.
- The role has been redesigned from scratch, and now supports multiple Debian Netboot installers; the iPXE scripts are defined in default variables instead of file-based templates and can be easily modified via the Ansible inventory.
- The role will use the debops.python Ansible role to install the kmodpy Python package in Python 2.7 environments. Because the package is not available in Debian as a Python 3.x module, the kmod.fact local fact script will use the lsmod command to list the kernel modules in this case.
- The role gained basic support for defining what kernel modules should be loaded on non-systemd hosts by adding them in the /etc/modules configuration file.
- The virt-goodies package will be installed only if the Python 2.7 environment is already present on the host.
- The role now checks the version of the installed LXC support and uses the old or new configuration keys accordingly. You can review the changed configuration keys between the old and new LXC version for comparison.
- New LXC containers will have the CAP_SYS_TIME POSIX capability dropped by default to ensure that time configuration is disabled inside of the container. This should fix an issue on Debian Buster where unprivileged LXC containers still have this capability enabled.
- On Debian Buster LXC hosts, the CAP_SYS_ADMIN POSIX capability will be dropped in new LXC containers by default.
- On Debian Buster (specifically on LXC versions below 3.1.0) the AppArmor restrictions on unprivileged LXC containers will be relaxed to allow correct operation of the systemd service manager inside of a container. Check the Debian Bugs #916644, #918839 and #911806 for the reasoning behind this modification.
- Restrict configuration of the poweroff.conf systemd override to Debian Stretch and Ubuntu Xenial only. The containers correctly shut down using the SIGRTMIN+3 signal on Debian Buster and beyond.
- The role will no longer set a custom MariaDB root password, because the mysql_user Ansible 2.8 module breaks access to the MariaDB database via the UNIX root account by removing the unix_socket plugin access and not setting the mysql_native_password plugin. A password for the UNIX root account is not needed in the recent MariaDB releases in Debian, therefore this shouldn't impact the usage.
- The mysql_user Ansible module lacks a way to control the authentication plugin for a given MariaDB account, therefore it's not advisable to mess with the root access to the database.
- Do not try to manage the hostname in LXC, Docker or OpenVZ containers by default. We assume that these containers are unprivileged and their hostname cannot be changed from the inside of the container.
- If a host does not have a proper domain, either defined locally or set via the DNS, don't generate a faux "domain" based on its hostname, and assume that this is a standalone host. This might affect the availability of some services, for example X.509 certificates managed by debops.pki, or reachability of websites created on that host. In this case the host cannot have a FQDN defined in the Ansible inventory as the label or ansible_host variable, only a hostname.
- The role will check if the configured FQDN of a host exists in the DNS database. If it does, the entry in the /etc/hosts file will be removed to allow the DNS to take over. If it doesn't, the configuration will be left intact with the assumption that the domain is configured locally.
- The role will no longer default to limiting the allowed HTTP request methods to GET, HEAD and POST on PHP-enabled websites.
- If there is no domain set on the remote host, don't fall back to the hostname in the pki_ca_domain variable, because the generated CA certificates don't make any sense. With this setup the debops.pki role needs to be run against a host with a valid DNS domain for the internal CA to be created.
- The role has been redesigned from the ground up. Instead of using Ansible inventory groups to define hosts to back up, the role uses a list of YAML dictionaries with hosts defined explicitly; the old behaviour can be replicated if needed. The backup host itself can also be snapshotted, with support for snapshots on removable media.
- The local SNMPv3 username and password will be stored in a separate file and retrieved via Ansible local facts, to not break Ansible fact gathering on unprivileged accounts. The password file is protected by strict read permissions and accessible only by the root UNIX account.
- Don't configure the NOPASSWD: tag for the %admins and %wheel UNIX groups in sudo by default when Ansible manages the local host. This allows local admin accounts to control root access using a password.
- The role will set a custom shell based on the user's own shell for the dynamic UNIX account only if the shell is known by the role. This should avoid issues when Ansible users use non-standard shells on the Ansible Controller.
- The role has been refreshed in conjunction with the updates to network boot services in preparation for Debian Buster. All of the role variables have been renamed to put them in their own tftpd__* namespace, and the role dependencies have been moved to the playbook.
- The role will enable remote control management of the unbound daemon via the loopback network interface using the unbound-control command.
- The debops.openvz role has been removed. OpenVZ is not supported in Debian natively since Wheezy; a good replacement for it is LXC, which can be managed using the debops.lxc role.
- The core__keyserver variable and its local fact have been removed from the role. They are replaced by the keyring__keyserver variable and the corresponding local fact in the debops.keyring role.
- The resolver.fact script has been removed from the role. Its functionality is provided by the resolvconf.fact script included in the debops.resolvconf role.
- Support for ferment has been removed from DebOps due to the upstream not being up to date anymore, both with Docker as well as with Python 3.x support. The dockerd daemon will be restarted on any ferm restarts to update the firewall configuration with Docker rules.
- The lxc-prepare-ssh script will no longer install SSH keys from the LXC host root account on the LXC container root account. This can cause confusion and unintended security breaches when other services (for example backup scripts or remote command execution tools) install their own SSH keys on the LXC host and they are subsequently copied inside of the LXC containers created on that host.
- [debops.nodejs] Support for installing NPM from its git repository has been removed. NPM is included in the NodeSource upstream nodejs package, as well as in the Debian archive since the Debian Buster release in the npm package.
- Refactor the role to not use Jinja 'import' statements in looped tasks; this does not work on newer Jinja versions.
- Make sure logical volumes will only be shrunk when the volume item defines force: yes.
- Don't restart the systemd-logind service on /etc/nsswitch.conf file changes if DebOps is running against localhost, to avoid breaking the existing user session.
- The role should now correctly detect the Python 3.x interpreter on the Ansible Controller and disable usage of Python 2.7 on the managed hosts.
debops v1.0.0 - 2019-05-22
- The
debops.docker_registry
role provides support for Docker Registry. The role can be used as standalone or as a backend for the GitLab Container Registry service, withdebops.gitlab
role. - The
debops.ldap
role sets up the system-wide LDAP configuration on a host, and is used as the API to the LDAP directory by other Ansible roles, playbooks, and users via Ansible inventory. The role is included in thecommon.yml
playbook, but is disabled by default. - The
debops.nslcd
role can be used to configure LDAP lookups for NSS and PAM services on a Linux host. - The
debops.pam_access
role manages PAM access control files located in the/etc/security/
directory. The role is designed to allow other Ansible roles to easily manage their own PAM access rules. - The
debops.yadm
role installs the Yet Another Dotfiles Manager__ script and ensures that additional shells are available. It can also mirror dotfiles locally. The role is included in the common playbook. - The
debops.system_users
role replaces thedebops.bootstrap
role and is used to manage the local system administrator accounts. It is included in thecommon.yml
playbook as well as the bootstrap playbooks.
- The DebOps project has been registered in the IANA Private Enterprise Numbers__ registry, with PEN number
53622
. The project documentation containsan OID registry <debops_oid_registry>
to track custom LDAP schemas, among other things. - Support for Ansible Collections managed by the Mazer__ Content Manager has been implemented in the repository. Ansible Collections will be usable after June 2019, when support for them is enabled in the Ansible Galaxy service.
- A new
bootstrap-ldap.yml
Ansible playbook can be used to bootstrap Debian/Ubuntu hosts with LDAP support enabled by default. The playbook will configure only the services required for secure LDAP access (PKI, SSH, PAM/NSS), the rest should be configured using the common playbook.
- A new
ldap_attrs
Ansible module has been added to the role. It's a replacement for theldap_attr
core Ansible module, that's more in line with theldap_entry
module. Used by thedebops.slapd
anddebops.ldap
roles to manage the LDAP directory contents.
Systems with the End of Life Debian releases (
wheezy
) installed will be configured to use the Debian Archive repository as the main APT sources instead of the normal Debian repository mirrors. These releases have been moved out of the main repositories and are not fully available through normal means. The periodic updates of the APT archive repositories on these systems will be disabled via thedebops.unattended_upgrades
role, since the EOL releases no longer receive updates.The Debian LTS release (
jessie
) APT repository sources will use only the main and security repositories, without updates or backports. See the information about the Debian LTS support__ for more details.
- Users can now disable default route advertisement in the
lxc-net
DHCP service. This is useful in cases where LXC containers have multiple network interfaces and the default route should go through a different gateway than the LXC host. - The
lxc-new-unprivileged
script will add missing network interface stanzas in the container's/etc/network/interfaces
file, by default with DHCP configuration. This will happen only on the initialization of the new container, when a given LXC container has multiple network interfaces defined in its configuration file.
- The role will automatically generate configuration which redirects short hostnames or subdomains to their FQDN equivalents. This allows HTTP clients to reach websites by specifying their short names via DNS suffixes from
/etc/resolv.conf
file, or using*.local
domain names managed by Avahi/mDNS to redirect HTTP clients to the correct FQDNs.
- Some lists can now configure ACL entries on the destination files or directories using the
item.acl
parameter. Take a look toresources__ref_acl
section to have the list of compatibles variables. - New
resources__ref_commands
variables can be used to define simple shell commands or scripts that will be executed at the end of thedebops.resources
role. Useful to start new services, but it shouldn't be used as a replacement for a fully-fledged Ansible roles.
- The role is now integrated with the
debops.ldap
Ansible role and can configure thesudo
service to readsudoers
configuration from the LDAP directory.
- The role can now configure UNIX accounts with access restricted to SFTP operations (SFTPonly) with the new
item.chroot
parameter. This is a replacement for thedebops.sftpusers
role.
- The
debops.gitlab
role will install GitLab 11.10 on supported platforms (Debian Buster, Ubuntu Bionic), existing installations will be upgraded. - In the
debops.phpipam
role, the relevant inventory variables have been renamed, check theupgrade_notes
for details. The role now uses the upstream phpIPAM repository and it installs version 1.3.2. - In the
debops.php
role, because of the PHP 7.0 release status changed to End of life__ at the beginning of 2019, Ondřej Surý APT repository with PHP 7.2 packages will be enabled by default on Debian Jessie and Stretch as well as Ubuntu Trusty and Xenial. Existingdebops.php
installations shouldn't be affected, but the role will not try to upgrade the PHP version either. Users should consider upgrading the packages manually or reinstalling services from scratch with the newer version used by default. - In the
debops.rstudio_server
role, the supported version has been updated to v1.2.1335. The role no longer installslibssl1.0.0
from Debian Jessie on Debian Stretch, since the current version of the RStudio Server works in the default Stretch environment. The downloaded.deb
package will be verified using the RStudio Inc. GPG signing key before installation. - In the
debops.docker_gen
role, the docker-gen version that this role installs by default has been updated to version 0.7.4. This release notably adds IPv6 and docker network support.
- The
debops.cron
role will be applied much earlier in thecommon.yml
playbook because thedebops.pki
role depends on presence of thecron
daemon on the host. - Bash scripts and
shell
/command
Ansible modules now use relativebash
interpreter instead of an absolute/bin/bash
. This should help make the DebOps roles more portable, and prepare the project for the merged/bin
and/usr/bin
directories in a future Debian release.
- The
/etc/mailname
configuration file will contain the DNS domain of a host instead of the FQDN address. This will result in the mail senders that don't specify the domain part to have the DNS domain, instead of the full host address, added by the Mail Transport Agent. This configuration should work better in clustered environments, where there is a central mail hub/MX that receives the mail and redirects it.
- The GitLab playbook will import the
debops.docker_registry
playbook to ensure that configuration related to Docker Registry defined in the GitLab service is properly applied during installation/management.
The
lxc-prepare-ssh
script will read the public SSH keys from specific files (root
key file, and the$SUDO_USER
key file) and will not accept any custom files to read from, to avoid possible security issues. Each public SSH key listed in the key files is validated before being added to the container'sroot
account.The
lxc-new-unprivileged
script will similarly not accept any custom files as initial LXC container configuration to fix any potential security holes when used viasudo
. The default LXC configuration file used by the script can be configured in/etc/lxc/lxc.conf
configuration file.
- The MariaDB user
root
is no longer dropped. This user is used for database maintenance and authenticates using theunix_auth
plugin. However, DebOps still maintains and sets a password for theroot
UNIX account, stored in the/root/.my.cnf
config file.
- The role will be disabled by default in Docker containers. In this environment, the
/etc/hosts
file is managed by Docker and cannot be modified from inside of the container.
- The role will not perform any tasks related to
occ
command if the automatic setup is disabled in theowncloud__autosetup
variable. In this mode, theocc
tasks cannot be performed by the role because the ownCloud/Nextcloud installation is not finished. The users are expected to perform necessary tasks themselves if they decide to opt-out from the automatic configuration.
- The PHP version detection has been redesigned to use the
apt-cache madison
command to find the available versions. The role will now check the current version of thephp
APT package to select the available stable PHP version. This unfortunately breaks support for thephp5
packages, but thephp5.6
packages from Ondřej Surý APT repository work fine. The role will install the
composer
command from the upstream GitHub repository on older OS releases, including Debian Stretch (current Stable release). This is due to incompatibility of thecomposer
APT package included in Debian Stretch and PHP 7.3.The custom
composer
command installation tasks have been removed from thedebops.roundcube
anddebops.librenms
roles, sincedebops.php
will take care of the installation.
- If the
debops.ldap
Ansible role has been applied on a host, thedebops.root_account
role will use the UID/GID ranges defined by it, which include UIDs/GIDs used in the LDAP directory, to define subUID/subGID range of theroot
account. This allows usage of the LDAP directory as a source of UNIX accounts and groups in unprivileged containers. Existing systems will not be changed. - Management of the
root
dotfiles has been removed from thedebops.users
role and is now done in thedebops.root_account
role, using theyadm
script. Users might need to clean out the existing dotfiles if they were managed as symlinks, otherwiseyadm
script will not be able to correctly deploy the new dotfiles.
The role has been redesigned from the ground up, with support for N-Way Multi-Master replication, custom LDAP schemas, Password Policy and other functionality. The role uses custom
ldap_attrs
Ansible module included in thedebops.ansible_plugins
role for OpenLDAP management.The OpenLDAP configuration will definitely break on existing installations. It's best to set up a new OpenLDAP server (or replicated cluster) and import the LDAP directory to it afterwards. See
role documentation <debops.slapd>
for more details.
- The access control based on UNIX groups defined in the
/etc/ssh/sshd_config
file has been removed. Instead, the OpenSSH server uses the PAM access control configuration, managed by thedebops.pam_access
Ansible role, to control access by users/groups/origins. OpenSSH service uses its own access control file, separate from the global/etc/security/access.conf
file. - The role will enable client address resolving using DNS by setting the
UseDNS yes
option in OpenSSH server configuration. This parameter is disabled by default in Debian and upstream, however it is required for the domain-based access control rules to work as expected. When the LDAP support is configured on a host by the
debops.ldap
role, thedebops.sshd
role will use the resulting infrastructure to connect to the LDAP directory and create thesshd
LDAP account object for each host, used for lookups of the SSH keys in the directory. The SSH host public keys will be automatically added or updated in the LDAP device object to allow for centralized generation of the~/.ssh/known_hosts
files based on the data stored in LDAP.The role will no longer create a separate
sshd-lookup
UNIX account to perform LDAP lookups; the existingsshd
UNIX account will be used instead. Theldapsearch
command used for lookups will default to LDAP over TLS connections instead of LDAPS.
- If the LDAP support is enabled on a host via the ``debops.ldap`` role, the UNIX system groups created by the ``debops.system_groups`` role will by default use a ``_`` prefix to keep them separate from any LDAP-based groups of the same name. Existing installations should be unaffected, as long as the updated ``debops.system_groups`` role was applied before the ``debops.ldap`` role.
- The packages from the ``stable-updates`` APT repository section will be automatically upgraded by default, the same as the packages from the Debian Security repository. This should cover important non-security related upgrades, such as timezone changes, antivirus database changes, and similar.
- If automatic reboots are enabled, VMs will not reboot all at the same time to avoid high load on the hypervisor host. Instead they will reboot at a particular minute in a 15 minute time window. For each host, a random-but-idempotent time is chosen. For hypervisor hosts good presets cannot be picked. You should ensure that hosts don't reboot at the same time by defining different reboot times in inventory groups.
- The management of the user dotfiles in the ``debops.users`` role has been redesigned and now uses the ``yadm`` script to perform the actual deployment. See ``debops.yadm`` for details about installing the script and creating local dotfile mirrors. The ``users__ref_accounts`` variable documentation contains examples of new dotfile definitions.
- The role now uses the ``libuser`` library via the Ansible ``group`` and ``user`` modules to manage local groups and accounts. This should avoid issues with groups and accounts created in the LDAP user/group ranges. The ``libuser`` library by default creates home directories with ``0700`` permissions, which is probably too restrictive. Because of that, the role will automatically change the home directory permissions to ``0751`` (defined in the ``users__default_home_mode`` variable). This also affects existing UNIX accounts managed by the role; the mode can be overridden using the ``item.home_mode`` parameter.
- The ``users__*_resources`` variables have been reimplemented as the ``item.resources`` parameter of the ``users__*_accounts`` variables. This removes the unnecessary split between user account definitions and definitions of their files/directories.
- The ``debops.sftpusers`` Ansible role has been removed. Its functionality is now implemented by the ``debops.users`` role; custom bind mounts can be defined using the ``debops.mount`` role.
- The ``debops.bootstrap`` Ansible role has been removed. Its replacement is the ``debops.system_users`` role, which is used to manage system administrator accounts via the ``common.yml`` playbook and the bootstrap playbooks.
- The ``/etc/ldap/ldap.conf`` file configuration, ``nslcd`` service configuration and related variables have been removed from the ``debops.auth`` role. This functionality is now available in the ``debops.ldap`` and ``debops.nslcd`` roles, which manage the client-side LDAP support.
- The role will no longer install the historical ``libssl1.0.0`` APT package on Debian Stretch to support older RStudio Server releases. You should remove it on existing installations after RStudio Server is upgraded to the newest release.
- Set the group for ``authorized_keys`` files to the primary group of the user instead of the group with the same name as the user. This is important because otherwise the read-only mode of the role does not work when the primary group of a user has a different name than the username.
- Make sure a file system is created by default when the ``mount`` parameter is defined in ``lvm__logical_volumes``.
- Stop and disable the ``lvm2-lvmetad.socket`` systemd unit when disabling ``lvm__global_use_lvmetad`` to avoid a warning message when invoking LVM commands.
- Use the ``redis.conf`` file to look up passwords via the ``redis-password`` script. This file has the ``redis-auth`` UNIX group and any accounts in this group should now be able to look up the Redis passwords correctly.
- The role will check if the X.509 certificate and the private key used for TLS communication were correctly configured in the OpenLDAP server. This fixes an issue where configuration of the private key and certificate was not performed at all, without any actual changes in the service, with subsequent task exiting with an error due to misconfiguration.
- Ondřej Surý created new APT signing keys for his Debian APT repository with PHP packages, due to security concerns. The ``debops.php`` role will remove the old APT GPG key and add the new one automatically.
debops v0.8.1 - 2019-02-02
- The ``debops.redis_server`` and ``debops.redis_sentinel`` roles, which replace the existing ``debops.redis`` Ansible role. The new roles support multiple Redis and Sentinel instances on a single host.
- The ``debops.freeradius`` role can be used to manage the FreeRADIUS service, used in network management.
- The ``debops.dhcp_probe`` role can be used to install and configure the ``dhcp_probe`` service, which passively detects rogue DHCP servers.
- The ``debops.mount`` role allows configuration of ``/etc/fstab`` entries for local devices and bind mounts, and can be used to create or modify directories to permit access to resources by different applications. The role is included by default in the ``common.yml`` playbook.
- Ansible roles included in DebOps are now checked using the ansible-lint tool. All existing issues found by the script have been fixed.
- The hosts managed by the DebOps Vagrant environment will now use Avahi to detect multiple cluster nodes and generate host records in the ``/etc/hosts`` database on these nodes. This allows usage of real DNS FQDNs and hostnames in the test environment without reliance on external DHCP/DNS services.
- DebOps roles are now tagged with ``skip::<role_name>`` Ansible tags. You can use these tags to skip roles without any side-effects; for example ``<role_name>/env`` sub-roles will still run so that roles that depend on them will work as expected.
- You can use the ``make versions`` command in the root of the DebOps monorepo to check currently "pinned" and upstream versions of third-party software installed and managed by DebOps, usually via ``git`` repositories. This requires the ``uscan`` command from the Debian ``devscripts`` APT package to be present.
- The role will now generate configuration for the ``debops.sysctl`` role and use it in the playbook as a dependency, to configure kernel parameters related to packet forwarding on managed network interfaces. This functionality replaces the centralized configuration of packet forwarding on all network interfaces done by the ``debops.ferm`` role.
- The new ``lxc-hwaddr-static`` script can be used to easily generate random but predictable MAC addresses for LXC containers. The script can be run manually or executed as a "pre-start" LXC hook to configure static MAC addresses automatically; this usage is enabled by default via the common LXC container configuration.
- The ``lxc_ssh.py`` Ansible connection plugin is now included by default in DebOps. This connection plugin can be used to manage remote LXC containers with Ansible via SSH and the ``lxc-attach`` command. This requires connecting to the LXC host and the LXC container via the ``root`` account directly, which is supported by the DebOps playbooks and roles.
- The role can now manage LXC containers, again. This time the functionality is implemented using the ``lxc_container`` Ansible module instead of a series of shell tasks. By default unprivileged LXC containers will be created, but users can change all parameters supported by the module.
- The role will now configure a ``lxcbr0`` bridge with an internal DNS/DHCP server for LXC containers, using the ``lxc-net`` service. With this change, use of the ``debops.ifupdown`` role to prepare a default bridge for LXC containers is not required anymore.
- When a large number of hosts is defined for the ``/etc/hosts`` database, the role will switch to generating the file using the ``template`` Ansible module instead of managing individual lines using the ``lineinfile`` module, to make the operation faster. As a result, custom modifications done by other tools in the host database will not be preserved.
- The role can now configure the hostname in the ``/etc/hostname`` file, as well as the local domain configuration in the ``/etc/hosts`` database.
- The role will install the ``composer`` APT package on Debian Stretch, Ubuntu Xenial and their respective newer OS releases.
- The role will reserve a set of UID/GID ranges for subordinate UIDs/GIDs owned by the ``root`` account (they are not reserved by default). This can be used to create unprivileged LXC containers owned by ``root``. See the release notes for potential issues on existing systems.
- You can now configure the state and contents of the ``/root/.ssh/authorized_keys`` file using the ``debops.root_account`` role, with support for global, per inventory group and per host SSH keys.
- The role can now configure ACL entries of the user home directories using the ``item.home_acl`` parameter. This can be used for more elaborate access restrictions.
- The test suite will now check POSIX shell scripts along with Bash scripts for any issues via the ``shellcheck`` linter. Outstanding issues found in existing scripts have been fixed.
- The ``debops.root_account`` role will be executed earlier in the ``common.yml`` Ansible playbook to ensure that the ``root`` UID/GID ranges are reserved without issues on the initial host configuration.
- Various filter and lookup Ansible plugins have been migrated from the playbook directory to the ``debops.ansible_plugins`` role. This role can be used as a hard dependency in other Ansible roles that rely on these plugins.
- The order of the roles in the common playbook has been changed; the ``debops.users`` role will be applied before the ``debops.resources`` role to allow for resources owned by UNIX accounts/groups other than ``root``.
- The ``debops`` Python package has dropped the hard dependency on Ansible. This allows DebOps to be installed in a separate environment than Ansible, allowing for example to mix Homebrew Ansible with DebOps from PyPI on macOS. The installation instructions have also been updated to reflect the change.
- The ``debops-init`` script will now generate new Ansible inventory files using the hostname as well as a host FQDN to better promote the use of DNS records in Ansible inventory.
- The role has been redesigned from the ground up with a new configuration pipeline, support for multiple subdomains and better default configuration. See the ``debops.dnsmasq`` role documentation as well as the ``upgrade_notes`` for more details.
- If the Docker host uses a local nameserver, for example ``dnsmasq`` or ``unbound``, Docker containers might have a misconfigured DNS nameserver in ``/etc/resolv.conf`` pointing to ``127.0.0.1``. In these cases, the ``debops.docker_server`` role will configure Docker to use the upstream nameservers from the host, managed by the ``resolvconf`` APT package. If no upstream nameservers are available, the role will not configure any nameserver and search parameters, which will tell Docker to use the Google nameservers.
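The selection logic described above (skip a loopback resolver that containers cannot reach, fall back to the ``resolvconf``-managed upstream list, and hand Docker nothing when that list is empty) is small enough to show in full. The code below is an added example and not the ``debops.docker_server`` role's own implementation; the two resolv.conf texts are constructed, and the upstream file path mentioned in the comment is hypothetical. It returns the ``dns`` and ``dns-search`` keys that Docker's ``daemon.json`` accepts, and an empty configuration in the case where Docker would fall back to its built-in public resolvers, so that case is visible rather than silent.

```python
# Added example (not the debops.docker_server role's code): decide which
# nameservers to hand to the Docker daemon when the host's /etc/resolv.conf
# points at a local resolver, and fall back to the resolvconf-managed upstream
# list. Both file contents below are constructed for the demonstration.
import ipaddress
import json

# Constructed: what a host running dnsmasq or unbound typically has in /etc/resolv.conf
HOST_RESOLV_CONF = """
nameserver 127.0.0.1
search example.org
"""

# Constructed: upstream servers as recorded by resolvconf (a hypothetical
# /run/resolvconf/interface/* file), consulted only when the host list is unusable
UPSTREAM_RESOLV_CONF = """
nameserver 192.0.2.53
nameserver 2001:db8::53
search example.org
"""


def parse_resolv_conf(text):
    """Return (nameservers, search_domains) from resolv.conf-style text."""
    nameservers, search = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key == "nameserver":
            nameservers.append(value.strip())
        elif key in ("search", "domain"):
            search.extend(value.split())
    return nameservers, search


def usable_from_container(addr):
    """A loopback resolver on the host is unreachable from a container's namespace."""
    return not ipaddress.ip_address(addr).is_loopback


def docker_dns_config(host_text, upstream_text):
    """Build the 'dns'/'dns-search' keys for Docker's daemon.json.

    Returns an empty dict when no usable server exists anywhere: Docker then
    falls back to its own built-in defaults (the public Google resolvers),
    which is the situation the changelog entry warns about.
    """
    servers, search = parse_resolv_conf(host_text)
    servers = [s for s in servers if usable_from_container(s)]
    if not servers:
        servers, search = parse_resolv_conf(upstream_text)
        servers = [s for s in servers if usable_from_container(s)]
    if not servers:
        return {}
    config = {"dns": servers}
    if search:
        config["dns-search"] = search
    return config


if __name__ == "__main__":
    print(json.dumps(docker_dns_config(HOST_RESOLV_CONF, UPSTREAM_RESOLV_CONF), indent=2))
```

An empty result is worth alerting on in an internal network: it means container DNS queries leave the site, which can leak internal hostnames and bypasses any filtering or split-horizon views the local resolver provides.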
- The role will now install GitLab 10.8 by default, on Debian Stretch and Ubuntu Xenial. The 11.x release now requires Ruby 2.4+, therefore it will only be installed on newer OS releases (Debian Buster, Ubuntu Bionic).
- The role has been updated to use Ansible local facts managed by the ``debops.redis_server`` Ansible role. Redis Server support has been removed from the GitLab playbook and needs to be explicitly enabled in the inventory for GitLab to be installed correctly. This allows selecting between a local Server or Sentinel instance, to support clustered environments. Check the ``upgrade_notes`` for issues with upgrading Redis Server support on existing GitLab hosts.
- The GRUB configuration has been redesigned; the role now uses merged variables to make configuration via Ansible inventory or dependent role variables easier. The GRUB configuration is now stored in the ``/etc/default/grub.d/`` directory to allow for easier integration with other software. See the ``debops.grub`` documentation for more details.
- The user password storage path in the ``secret/`` directory has been changed to use the ``inventory_hostname`` variable instead of the ``ansible_fqdn`` variable. This change will force regeneration of password hashes in existing installations, but shouldn't affect host access (passwords stay the same).
- The role now depends on ``debops.python`` to install the required packages. Please update your custom playbooks accordingly.
- The role will no longer install non-free firmware by default. This is done to solve the connectivity issues with the ``cdimage.debian.org`` host.
- The default dashboard in LibreNMS is changed from ``pages/front/default.php`` to ``pages/front/tiles.php``, which allows for better customization.
- The role will configure the default subUIDs and subGIDs for unprivileged LXC containers based on the configured subordinate UID/GID ranges for the ``root`` account.
- The ``lxc-prepare-ssh`` script will now install SSH public keys from the user account that is running the script via ``sudo`` instead of the system's ``root`` account, which is usually what you want to do if other people manage their own LXC containers on a host.
- The LXC configuration managed by the role will use the ``systemd`` ``lxc@.service`` instances to manage the containers instead of using the ``lxc-*`` commands directly. This allows the containers to be shut down properly without hitting a timeout and forced killing of container processes.
- The role will now use Ansible facts managed by the ``debops.redis_server`` role to configure Redis support.
- Drop support for Nextcloud 12.0 which is EOL. Add support for Nextcloud 14.0 and 15.0 and make Nextcloud 14.0 the default Nextcloud version.
- The hostname and domain configuration during bootstrapping is now done by the ``debops.netbase`` Ansible role. The default for this role is to remove the ``127.0.1.1`` host entry from the ``/etc/hosts`` file to ensure that domain resolution relies on DNS. If you are using a local domain configured in the ``/etc/hosts`` file, you should define the ``netbase__domain`` variable in the Ansible inventory with your desired domain.
- The role is redesigned to use list variables instead of YAML dictionaries for the ``/etc/hosts`` database. This allows for adding the host IPv4 and/or IPv6 addresses defined by Ansible facts when the custom local domain is enabled. See ``netbase__ref_hosts`` for details. The role has also been included in the ``common.yml`` playbook to ensure that the host database is up to date as soon as possible.
- Changed behaviour of the groups used for templating. Now all groups the host is in will be used to search for template files. Read the documentation about ``resources__ref_templates`` for more details on templating with DebOps.
- The role should now correctly revert the custom patch to allow user authentication in the ``/etc/grub.d/10_linux`` script, when the user list is empty.
- The role should now work correctly in Ansible ``--check`` mode before the Ansible local fact script is installed.
- The role should correctly handle nested lists in role dependent variables, which are now flattened before being passed to the configuration filter.
- The old ``debops.redis`` Ansible role has been removed. It has been replaced by the ``debops.redis_server`` and ``debops.redis_sentinel`` Ansible roles. The new roles use their own Ansible inventory groups, therefore they will need to be explicitly enabled to affect existing hosts. You can use the ``debops.debops_legacy`` Ansible role to clean up old configuration files, directories and diversions of the ``debops.redis`` role from remote hosts.
- The ``ldap_entry`` and ``ldap_attr`` Ansible modules have been removed. They are now included in Ansible core; there's no need to keep a separate copy in the playbook.
- The ``ansible_local.root.flags`` and ``ansible_local.root.uuid`` local facts have been removed. They are replaced by the ``ansible_local.tags`` and ``ansible_local.uuid`` local facts, respectively.
- Support for ``dhcp_probe`` has been removed from the ``debops.dhcpd`` Ansible role. It's now available as a separate ``debops.dhcp_probe`` role.
- Automated configuration of packet forwarding with ``FORWARD`` chain rules and ``sysctl`` configuration has been removed from the role. Per-interface packet forwarding is now configurable using the ``debops.ifupdown`` role, and you can still use the ``debops.ferm`` and ``debops.sysctl`` roles to design custom forwarding configuration. Support for this mechanism has also been removed from related roles like ``debops.libvirtd`` and ``debops.lxc``.
- The hostname and domain configuration has been removed from the ``debops.bootstrap`` role. This functionality is now handled by the ``debops.netbase`` role, which has been included in the bootstrap playbook. The relevant inventory variables have been renamed; check the ``upgrade_notes`` for details.
- The ``resources__group_name`` variable has been removed in favor of using all the groups the current host is in. This change has been reflected in the updated ``resources__group_templates`` variable.
debops v0.8.0 - 2018-08-06
- The ``debops.netbase`` role: manage the local host and network database in the ``/etc/hosts`` and ``/etc/networks`` files.
- The ``debops.sudo`` role: install and manage ``sudo`` configuration on a host. The role is included in the ``common.yml`` playbook.
- The ``debops.system_groups`` role: configure UNIX system groups used on DebOps hosts. The role is included in the ``common.yml`` playbook.
- The ``debops.debops_legacy`` role: clean up legacy files, directories, APT packages or ``dpkg-divert`` diversions created by DebOps but no longer used. This role needs to be executed manually; it's not included in the main playbook.
- The ``debops.python`` role: manage the Python environment, with support for multiple Python versions used at the same time. The role is included in the ``common.yml`` playbook.
- Icinga 2 support has been implemented with the ``debops.icinga``, ``debops.icinga_db`` and ``debops.icinga_web`` Ansible roles.
- The DebOps installation now depends on the dnspython Python library. This allows usage of the ``dig`` Ansible lookup plugin in DebOps roles to gather data via DNS SRV records.
- The DebOps installation now depends on the future Python library which provides compatibility between Python 2.7 and Python 3.x environments. It is currently used in the custom Ansible filter plugin provided by DebOps, but its use will be extended to other scripts in the future to make the code more readable.
- The role will set up a ``systemd`` timer to regenerate Diffie-Hellman parameters periodically if it's available. The timer will use a random delay time, up to 12h, to help with mass DHparam generation in multiple LXC containers/VMs.
- A ``default`` set of SSL ciphers can be specified using the ``nginx_default_ssl_ciphers`` variable. This disables the ``ssl_ciphers`` option in the ``nginx`` configuration and forces the server to use the defaults provided by the OS.
- The OpenNTPD service will now properly integrate the ``ifupdown`` hook script with ``systemd``. During boot, the NTP daemon will be started once network interfaces are configured and will not restart multiple times on each network interface change.
- The role can now generate custom files using templates, based on a directory structure. See ``resources__ref_templates`` for more details.
- You can now manage configuration files located in the ``/etc/sudoers.d/`` directory using the ``sudo__*_sudoers`` inventory variables (see ``sudo__ref_sudoers``), with multiple levels of conditional options.
- Selected UNIX accounts can now be configured to linger when not logged in via the ``item.linger`` parameter. This allows these accounts to maintain long-running services when not logged in via their own private ``systemd`` instances.
- Some of the existing DebOps Policies and Guidelines have been reorganized and the concept of DebOps Enhancement Proposals (DEPs) is introduced, inspired by the Python Enhancement Proposals.
- The ``debops`` script can now parse multiple playbook names specified in any order instead of just looking at the first argument passed to it.
- The ``editor`` alternative symlink configuration has been moved from the ``debops.console`` role to the ``debops.apt_install`` role, which also installs ``vim`` by default.
- The configuration of automatic removal of APT packages installed via ``Recommends:`` or ``Suggests:`` dependencies has been moved from the ``debops.apt`` role to the ``debops.apt_mark`` role, which more closely reflects its intended purpose. Variable names and their default values changed; see the ``upgrade_notes`` for more details.
- The role will add any new administrator accounts to the list of existing admin accounts instead of replacing them in the Ansible local fact script. This should allow for multiple administrators to easily coexist and run the DebOps playbooks/roles from their own accounts without issues.
- Redesign the GitLab version management to read the versions of various components from the GitLab repository files instead of managing them manually in a YAML dictionary. The new ``gitlab__release`` variable is used to specify the desired GitLab version to install/manage.
- The ``gitaly`` service will be installed using the ``git`` UNIX account instead of ``root``. Existing installations might require additional manual cleanup; see the ``upgrade_notes`` for details.
- The role now supports installation of GitLab 10.7.
- The usage of the ``gitlab__fqdn`` variable is revamped a bit; it's now used as the main variable that defines the GitLab installation FQDN. You might need to update the Ansible inventory if you changed the value of the ``gitlab_domain`` variable used previously for this purpose.
- The ``debops.kmod`` role is added as a dependency. The ``debops.ifupdown`` role will generate ``modprobe`` configuration based on the type of configured network interfaces (bridges, VLANs, bonding) and the kernel modules will be automatically loaded if missing.
- Redesign system-wide LXC configuration to use list of YAML dictionaries merged together instead of custom Jinja templates.
- Add the ``lxc-prepare-ssh`` script on the LXC hosts that can be used to install OpenSSH and add the user's SSH authorized keys inside of the LXC containers. This is a new way to prepare the LXC containers for Ansible/DebOps management that doesn't require custom LXC template scripts and can be used with different LXC container types.
- The MariaDB/MySQL server and client (``debops.mariadb``) will now use the ``utf8mb4`` encoding by default instead of ``utf8``, which is an internal MySQL character encoding. This might impact existing databases; see the ``upgrade_notes`` for details.
- The NPM version installed by the role from GitHub is changed from ``v5.4.2`` to ``latest``, which seems to be an equivalent of a stable branch. Recent versions of NPM require NodeJS 6.0.0+ and don't work with other releases. Because of that the newest NPM release is not installable on hosts that use NodeJS packages from older OS releases. The ``debops.nodejs`` role will install the NPM v5.10.0 version in this case to allow NPM to work correctly, on Debian Jessie, Stretch and Ubuntu Xenial. Otherwise, NPM from the ``latest`` branch will be installed, as before.
- Instead of the NodeJS 6.x release, the role will now install NodeJS 8.x release upstream APT packages by default. This is due to the NodeJS 6.x release switching to a Maintenance LTS mode. NodeJS 8.x will be supported as an LTS release until April 2019. The role will install upstream NodeSource APT packages by default. This is due to no security support in Debian Stable, therefore the upstream packages should be considered more secure. The upstream NodeJS packages include a compatible NPM release, therefore it won't be separately installed from GitHub. Existing installations shouldn't be affected, since the role will select OS/upstream package versions based on existing Ansible local facts.
- Support Nextcloud 13 and partially ownCloud 10. Nextcloud 11 and ownCloud 9.1 are EOL, you should update. The role can help you with the update to ensure that everything works smoothly with the new versions. Currently, the role can not do the update for you.
- The role will now check the ``debops.system_groups`` Ansible local facts to define what UNIX groups are allowed to connect to the host via the SSH service.
- On hosts without a domain set, the role enabled all upgrades, not just security updates. This will not happen anymore; the security updates are enabled everywhere by default, and you need to enable all upgrades specifically via the ``unattended_upgrades__release`` variable.
- Don't install the ``sudo`` package by default; this is now done via a separate ``debops.sudo`` role to easily support switching to the ``sudo-ldap`` APT package.
- Remove configuration of UNIX system groups and accounts in the ``admins`` UNIX group. This is now done by the ``debops.system_groups`` Ansible role.
- Remove support for copying custom files from the role. This functionality is covered better by the ``debops.resources`` role.
- Remove support for managing entries in the ``/etc/hosts`` database. This is now covered by the ``debops.netbase`` Ansible role.
- The ``sudo`` configuration has been removed from the ``debops.bootstrap`` role. The ``bootstrap.yml`` playbook now includes the ``debops.sudo`` role which configures the ``sudo`` service.
- The UNIX system group management has been removed from the role; the ``bootstrap.yml`` playbook now uses the ``debops.system_groups`` role to create the UNIX groups used by DebOps during bootstrapping.
- Remove management of Python packages from the role. The ``bootstrap.yml`` playbook uses the ``debops.python`` role to configure Python support on the host.
- Remove support for direct LXC container management from the role. This functionality is better suited for other tools like the ``lxc-*`` set of commands, or the Ansible ``lxc_container`` module which should be used in custom playbooks. The ``debops.lxc`` role focus should be configuration of LXC support on a host.
- Remove custom LXC template support. The LXC containers can be created by the normal templates provided by the ``lxc`` package, and then configured using DebOps roles as usual.
- The tasks that modified the default ``template1`` database and its schema have been removed to make the PostgreSQL installation more compatible with applications packaged in Debian that rely on the PostgreSQL service. See the relevant commit for more details. Existing installations shouldn't be affected.
debops v0.7.2 - 2018-03-28
- Add the missing ``python-ldap`` dependency as an APT package in the Dockerfile.
debops v0.7.1 - 2018-03-28
- The ``debops.ansible`` role: install Ansible on a Debian/Ubuntu host using Ansible. The ``debops.debops`` role now uses the new role to install Ansible instead of doing it directly.
- The ``debops.apt_mark`` role: set the install state of APT packages (manual/auto) or specify that particular packages should be held in their current state. The role is included in the ``common.yml`` playbook.
- The ``debops.kmod`` role: manage kernel module configuration and module loading at boot time. This role replaces the ``debops-contrib.kernel_module`` role.
- The ``debops-contrib.etckeeper`` role has been integrated into DebOps as ``debops.etckeeper``. The new role is included in the ``common.yml`` playbook.
- The role has new tasks that manage custom hooks in other services. The first hook is ``ifupdown__ref_custom_hooks_filter_dhcp_options``, which can be used to selectively apply DHCP options per network interface.
- The test suite used on Travis-CI now checks the syntax of the YAML files, as well as Python and shell scripts included in the repository. The syntax is checked using the ``yamllint``, ``pycodestyle`` and ``shellcheck`` scripts, respectively. Tests can also be invoked separately via the ``make`` command.
- The role can now autodetect and use a PostgreSQL database as a backend database for Etherpad.
- The role should now correctly detect what Internet Protocols are available on a host (IPv4, IPv6) and configure firewall only for the protocols that are present.
- The role will now generate the ``lxc-debops`` LXC template script from different templates, based on the OS release. This change should help fix the issues with LXC container creation on Debian Stretch.
- The X.509 certificate included in the default ``domain`` PKI realm will now have a SubjectAltName wildcard entry for the host's FQDN. This should allow for easy usage of services related to a particular host in the cluster over encrypted connections, for example host monitoring, service discovery, etc., which can now be published in the DNS zone at ``*.host.example.org`` resource records.
- The role now supports the Let's Encrypt ACMEv2 API via the acme-tiny Python script. The existing PKI realms will need to be re-created or updated for the new API to work; new PKI realms should work out of the box. Check the ``upgrade_notes`` for more details.
- The role now uses a static GID ``70`` for the ``procadmins`` group to synchronize the access permissions on a host and inside the LXC containers. You will need to remount the filesystems, restart services and LXC containers that rely on this functionality.
- The configuration of the kernel parameters has been redesigned: instead of being based on YAML dictionaries, it is now based on YAML lists of dictionaries and can be easily changed via Ansible inventory. You will need to update your inventory for the new changes to take effect; refer to the role documentation (``sysctl__ref_parameters``) for details.
- The ``debops`` command will now generate the ``ansible.cfg`` configuration file with the correct path to the Ansible roles provided with the DebOps Python package.
- Fix a long-standing bug in the role with Ansible failing during welcome page template generation with Jinja2 >= 2.9.4. It was related to a non-backwards compatible change in Jinja that modified how variables are processed in a loop.
- The ``debops-contrib.kernel_module`` Ansible role has been removed; it was replaced by the new ``debops.kmod`` Ansible role.
- The ``ferm-forward`` hook script in the ``/etc/network/if-pre-up.d/`` directory has been removed (existing instances will be cleaned up). Recent changes in the ``debops.ferm`` role broke idempotency with the ``debops.ifupdown`` role, and it was determined that the functionality provided by the hook is no longer needed; recent OS releases should deal with it adequately.
debops v0.7.0 - 2018-02-11
- New Ansible roles have been imported from the ``debops-contrib`` organization: ``apparmor``, ``bitcoind``, ``btrfs``, ``dropbear_initramfs``, ``etckeeper``, ``firejail``, ``foodsoft``, ``fuse``, ``homeassistant``, ``kernel_module``, ``kodi``, ``neurodebian``, ``snapshot_snapper``, ``tor``, ``volkszaehler``, ``x2go_server``. They are not yet included in the main playbook and still need to be renamed to fit with the rest of the ``debops.*`` roles.
- The ``debops.sysfs`` role: configuration of the Linux kernel attributes through the ``/sys`` filesystem. The role is not enabled by default.
- The ``debops.locales`` role: configure localization and internationalization on a given host or set of hosts.
- The ``debops.machine`` role: manage the ``/etc/machine-info`` file, the ``/etc/issue`` file and a dynamic MOTD.
- The ``debops.proc_hidepid`` role: configure the ``/proc`` ``hidepid=`` options.
- The ``debops.roundcube`` role: manage the RoundCube Webmail application.
- The ``debops.prosody`` role: configure an XMPP server on a given host.
- The ``debops.sysnews`` role: manage the System News bulletin for UNIX accounts.
- DebOps roles and playbooks can now be tested using local or remote GitLab CI instance, with Vagrant, KVM and LXC technologies and some custom scripts.
- You can now use Vagrant (see ``quick_start__vagrant``) to create an Ansible Controller based on Debian Stretch and use it to manage itself or other hosts over the network.
- You can now build an Ansible Controller with DebOps support as a Docker container. An official Docker image (see ``quick_start__docker``) is also available, automatically rebuilt on every commit.
- You can now install DebOps on Arch Linux using an included ``PKGBUILD`` file.
- Add a new playbook, ``agent.yml``. This playbook is executed at the end of the main playbook, and contains applications or services which act as "agents" of other services. They may contact their parent applications to report about the state of the host they are executed on, therefore the agents are installed and configured at the end of the main playbook.
- DebOps roles and playbooks will be included in the Python packages released on PyPI. This will allow for easier installation of DebOps via ``pip`` (no need to download the roles and playbooks separately) as well as simple stable releases. The DebOps monorepo can still be installed separately.
- The role can now detect if nested KVM is enabled in a particular virtual machine and install KVM support.
- The ``debops.nodejs`` role can now install the Yarn package manager using its upstream APT repository (not enabled by default).
- The project repository is tested using ``pycodestyle`` for compliance with Python's PEP8 Style Guide.
- The ``debops-update`` script will now install or update the DebOps monorepo instead of the separate ``debops-playbooks`` and DebOps roles git repositories. Existing installations shouldn't be affected. The ``debops`` script will now include the DebOps monorepo roles and playbooks in the generated ``ansible.cfg`` configuration. The monorepo roles and playbooks are preferred over the old ``debops-playbooks`` ones. The script is backwards compatible and should work correctly with or without the ``debops-playbooks`` repository and roles installed.
- Improved Python 3 support in the DebOps scripts and throughout the playbooks/roles. DebOps should now be compatible with both Python versions.
- The GitLab Runner playbook is moved to the agent.yml playbook; it will be executed at the end of the main playbook so that it picks up correct information about the services installed earlier.
- Update the role to work correctly on Debian Stretch and newer releases. Support for multiple gunicorn instances using custom Debian scripts has been removed in Debian Stretch, therefore the role replaces it with its own setup based on systemd instances.
- The npm package has been removed from Debian Stable. The role will now install NPM from the GitHub source, unless upstream NodeJS is enabled, which includes its own NPM version.
- Remove the ipaddr.py Ansible filter plugin; it is now included in the Ansible core distribution.
- Remove the locales configuration from the debops.console role; this functionality has been moved to the new debops.locales role. You will need to update the Ansible inventory variables to reflect the changes.
- Remove management of the /etc/issue and /etc/motd files from the debops.console role. That functionality is now available in the debops.machine role. You will need to update the Ansible inventory variables to reflect the changes.
- Management of the /proc hidepid= option has been moved to a new role, debops.proc_hidepid. You will need to update the Ansible inventory variables to reflect the changes.
- Management of the System News using the sysnews Debian package has been removed from the role; it's now available as a separate debops.sysnews Ansible role. You will need to update the Ansible inventory variables related to System News due to these changes.
- Various repositories that comprise the DebOps project have been merged into a single monorepo which will be used as the main development repository. Check the git log for information about older releases of DebOps roles and/or playbooks.
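The hidepid= mount option that the new debops.proc_hidepid role manages (mentioned twice above, in the new-roles list and in the debops.console removals) controls whether unprivileged users can see other users' processes under /proc. The following shell snippet is an added example, not code from DebOps or from the debops.proc_hidepid role: it parses mountinfo-format text and reports the hidepid value that /proc is mounted with, and decides whether that value actually hides other users' processes. The mountinfo line it parses is constructed for the example (the gid=26 there is just the sample's exempted group); on a real host pass the contents of /proc/self/mountinfo instead, which the --live switch does.

```shell
#!/bin/sh
# Added example (not part of DebOps): report the hidepid= value that /proc is
# mounted with by parsing mountinfo-format text, then judge whether it hides
# other users' processes. The sample below is constructed for this example.

SAMPLE_MOUNTINFO='22 28 0:21 / /proc rw,nosuid,nodev,noexec,relatime shared:5 - proc proc rw,hidepid=2,gid=26
23 28 0:22 / /sys rw,nosuid,nodev,noexec,relatime shared:6 - sysfs sysfs rw'

# proc_hidepid_from MOUNTINFO_TEXT
# Prints the hidepid value of the /proc mount. When the option is absent it
# prints 0, the kernel default, under which every user can list every process.
proc_hidepid_from() {
    printf '%s\n' "$1" | awk '
        $5 == "/proc" {
            # mountinfo: fields after the "-" separator are fstype, source,
            # and the superblock options, where hidepid= lives.
            for (i = 1; i <= NF; i++) if ($i == "-") { opts = $(i + 3); break }
            n = split(opts, o, ",")
            value = "0"
            for (j = 1; j <= n; j++)
                if (o[j] ~ /^hidepid=/) { sub(/^hidepid=/, "", o[j]); value = o[j] }
            print value
            exit
        }'
}

# proc_hidepid_ok VALUE
# Succeeds when the value hides other users' processes: 1 (noaccess) blocks
# reading their /proc/PID contents, 2 (invisible) hides the directories
# entirely, 4 (ptraceable) shows only processes the caller could ptrace.
# 0 and "off" leave everything visible. Kernels 5.8 and newer also accept
# and report the names instead of the numbers, so both forms are handled.
proc_hidepid_ok() {
    case "$1" in
        1|2|4|noaccess|invisible|ptraceable) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage: check the constructed sample, or the live host with --live.
if [ "${1:-}" = "--live" ]; then
    value=$(proc_hidepid_from "$(cat /proc/self/mountinfo)")
else
    value=$(proc_hidepid_from "$SAMPLE_MOUNTINFO")
fi
echo "hidepid=$value"
proc_hidepid_ok "$value" && echo "other users' processes are hidden" \
    || echo "WARNING: /proc exposes all processes to every user"
```

The check reads the superblock options rather than the per-mount options because hidepid= is a filesystem-level option and that is where the kernel reports it; a gid= option next to it names the group exempted from hiding, which is worth reviewing separately since members of that group see everything.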