Change Log

All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog.

v1.3.0 - UNRELEASED

Upgrade procedure:

  • xsrv self-upgrade to upgrade the xsrv script
  • xsrv upgrade to upgrade roles in your playbook to the latest release
  • remove all vault_ prefixes from variables in vaulted/encrypted host variables, remove all variable_name: {{ vault_variable_name }} indirections from plaintext host variables.
  • xsrv deploy to apply changes

Added:

  • xsrv: add xsrv ls subcommand (list files in the playbooks directory (accepts a path))
  • xsrv: add xsrv edit-group subcommand (edit variables for a group of hosts (default 'all'))
  • monitoring/netdata: add netdata_x509_checks (list of x509 certificate checks, supports all x509check parameters)
  • monitoring/netdata: allow roles to install their own HTTP/x509/modtime/port checks under /etc/netdata/{python,go}.d/$module_name.conf.d/
  • all roles/monitoring: automatically configure HTTP/x509/modtime checks if the nodiscc.xsrv.monitoring role is enabled
  • common: users: allow creation of users without a password (login as/sudo from these user accounts will be denied, login using SSH keys is still possible if the user is in the ssh group)
  • common: ssh: lower maximum concurrent unauthenticated connections to 60
  • common: cron: ensure only root can access cron job files and directories
  • openldap: upgrade ldap-account-manager to 7.5
  • homepage: add favicon
  • all roles: automatically configure log aggregation to syslog, if the nodiscc.xsrv.monitoring role is enabled

Changed:

  • monitoring/needrestart: automatically restart services that require it after an upgrade by default. needrestart_autorestart_services: yes can be removed from your host variables, or set to no if you want to disable this behavior
  • removed support for check_x509 parameter in netdata_httpchecks. Please port any custom x509 checks to the new netdata_x509_checks syntax.
  • all roles: remove variable_name: {{ vault_variable_name }} indirections, set values that need to be changed to *CHANGEME* (roles will not run if default values have not been changed)
  • update documentation
  • update ansible tags
  • speed up Gitlab CI test suite (prebuild an image with all required tools)
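The v1.3.0 upgrade steps above (drop the vault_ prefixes in the vaulted file, drop the matching variable_name: {{ vault_variable_name }} indirections in the plaintext file, then make sure no value is still *CHANGEME*) can be checked and applied with a helper like the one below. It is an added example, not part of the xsrv project; it assumes one plaintext file and one decrypted vault file per host (the file names in the sample are made up), and only handles top-level keys, which is how xsrv host_vars are laid out.

```python
"""Helper for the xsrv v1.3.0 host_vars upgrade (added example, not xsrv code).

Works line by line on two text files: the plaintext host_vars file and the
vaulted one after `ansible-vault view`. Only top-level `key: value` lines are
handled; nested structures (e.g. linux_users) are passed through untouched.
"""
import re
from typing import List, Set, Tuple

VAULT_PREFIX = "vault_"
# key: "{{ vault_key }}"  (quotes optional, whitespace tolerant), top level only
INDIRECTION_RE = re.compile(
    r'^(?P<key>[A-Za-z_]\w*):\s*["\']?\{\{\s*(?P<ref>vault_\w+)\s*\}\}["\']?\s*$'
)
# vault_key: value  (top-level vaulted variable)
VAULT_KEY_RE = re.compile(r'^vault_(?P<key>\w+):(?P<rest>.*)$')
# any top-level key, used to detect collisions after renaming
TOP_KEY_RE = re.compile(r'^(?P<key>[A-Za-z_]\w*):')


def strip_vault_prefixes(vault_text: str) -> Tuple[str, Set[str]]:
    """Rewrite `vault_foo: x` to `foo: x`; return new text and the renamed keys."""
    out, keys = [], set()
    for line in vault_text.splitlines():
        m = VAULT_KEY_RE.match(line)
        if m:
            keys.add(m.group("key"))
            line = f'{m.group("key")}:{m.group("rest")}'
        out.append(line)
    return "\n".join(out) + "\n", keys


def remove_indirections(plain_text: str, vault_keys: Set[str]) -> Tuple[str, List[str]]:
    """Drop `foo: "{{ vault_foo }}"` lines whose value now lives in the vault file."""
    out, problems = [], []
    for lineno, line in enumerate(plain_text.splitlines(), 1):
        m = INDIRECTION_RE.match(line)
        if m:
            key, ref = m.group("key"), m.group("ref")
            target = ref[len(VAULT_PREFIX):]
            if target not in vault_keys:
                problems.append(f"plain:{lineno}: {key} references undefined {ref}")
            elif target != key:
                # e.g. foo: "{{ vault_bar }}" - stripping the prefix would not reconnect them
                problems.append(f"plain:{lineno}: {key} -> {ref} names differ, fix by hand")
            else:
                continue  # resolved: the value is now defined directly in the vault file
        else:
            k = TOP_KEY_RE.match(line)
            if k and k.group("key") in vault_keys:
                problems.append(f"plain:{lineno}: {k.group('key')} also defined in vault file")
        out.append(line)
    return "\n".join(out) + "\n", problems


def find_changeme(text: str, label: str) -> List[str]:
    """Roles refuse to run while a value still reads CHANGEME; list those lines."""
    return [f"{label}:{n}: still CHANGEME: {l.strip()}"
            for n, l in enumerate(text.splitlines(), 1) if "CHANGEME" in l]


def migrate_host_vars(plain_text: str, vault_text: str) -> Tuple[str, str, List[str]]:
    """Return (new plaintext, new vault text, problems that need manual review)."""
    new_vault, vault_keys = strip_vault_prefixes(vault_text)
    new_plain, problems = remove_indirections(plain_text, vault_keys)
    problems += find_changeme(new_plain, "plain") + find_changeme(new_vault, "vault")
    return new_plain, new_vault, problems


# Constructed sample input (hypothetical host "myhost"), not real configuration.
PLAIN = """# host_vars/myhost/myhost.yml (constructed sample)
gitea_fqdn: git.example.org
gitea_admin_username: "{{ vault_gitea_admin_username }}"
gitea_admin_password: '{{ vault_gitea_admin_password }}'
nextcloud_admin_password: "{{ vault_nextcloud_admin_pass }}"
shaarli_fqdn: CHANGEME.example.org
linux_users:
  - name: alice
    groups: ssh
"""
VAULT = """# host_vars/myhost/myhost.vault.yml (constructed sample, decrypted)
vault_gitea_admin_username: admin
vault_gitea_admin_password: "s3cret"
vault_nextcloud_admin_pass: "other"
"""

if __name__ == "__main__":
    plain, vault, issues = migrate_host_vars(PLAIN, VAULT)
    print(plain, vault, sep="---\n")
    for issue in issues:
        print("REVIEW:", issue)
```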

Removed:

  • default playbook: remove hardcoded monitoring configuration, netdata_modtime_checks and netdata_process_checks can be safely removed from your host_vars if you did not change the values provided by the default playbook
  • monitoring/netdata: removed ability to configure git clone URLs (netdata_*_git_url) for netdata modules, always clone from upstream
  • openldap: remove unused variable self_service_password_keyphrase (this can be safely removed from your host variables)

Fixed:

  • common: fix linux_users creation for which no authorized_ssh_keys/sudo_nopasswd_commands are defined
  • samba: fix default log level
  • tools: Makefile: fix release procedure and ansible-galaxy collection publication

v1.2.2 - 2021-04-01

Upgrade procedure: xsrv upgrade to upgrade roles in your playbook to the latest release

Fixed:

  • samba: fix nscd default log level, update samba default log level

v1.2.1 - 2021-04-01

Upgrade procedure: xsrv upgrade to upgrade roles in your playbook to the latest release

Fixed:

  • tt_rss: fix initial tt-rss schema installation (file has moved)

  • samba: fix nscd default log level, update samba default log level

v1.2.0 - 2021-03-27

Added:

  • homepage: add configurable message/paragraph to homepage (homepage_message)
  • add ability to configure multiple aliases/valid domain names for the homepage virtualhost (homepage_vhost_aliases: [])
  • nextcloud: improve performance (auto-add missing primary keys/indices in database, convert columns to bigint)

Removed:

  • openldap: remove self_service_password_keyphrase variable, unused since tokens/SMS/question based password resets are disabled
  • common: ssh: cleanup/remove unused MatchGroup rsyncasroot directive

Changed:

  • common: sysctl: enable logging of martian packets
  • common: sysctl: ensure sysctl settings also apply to all network interfaces added in the future
  • common: ssh: set loglevel to VERBOSE by default
  • samba: increase log level, enable detailed authentication success/failure logs, clarify log prefix
  • update documentation

Fixed:

  • rocketchat: fix role idempotence (ownership of data directories)

Security:

  • rocketchat: fix port 3001 exposed on 0.0.0.0 instead of localhost-only/firewall bypass
  • gitea: update to v1.13.6

v1.1.0 - 2021-03-14

Added:

  • xsrv: add self-upgrade command
  • monitoring: add netdata-debsecan module
  • common: ensure NTP service is started
  • common: make timezone configurable (default to not touching the timezone)
  • openldap: add Self Service Password password reset tool (fixes #401)
    • requires manual configuration of self_service_password_fqdn and vault_self_service_password_keyphrase
    • auto-configure apache and selfsigned or letsencrypt certificates + php-fpm.
    • by default only allow access from LAN/private addresses in self_service_password_allowed_hosts
    • when samba role is enabled, use the LDAP admin DN to access the directory (required to be able to change sambaNtPassword attribute)
    • make various settings configurable, add correctness checks for all variables
  • openldap: make log level configurable
  • homepage: add jellyfin/self-service-password links (when relevant roles/variables are enabled)
  • jellyfin: add LDAP authentication documentation
  • jellyfin: add fail2ban configuration/bruteforce prevention on jellyfin login attempts
  • jellyfin/backup: add automatic backups (only backup db/metadata/configuration by default, allow enabling media directory backups with jellyfin_enable_media_backups)
  • jellyfin: create subdirectories for each library type under the default media directory/jellyfin samba share
  • samba/backup: allow disabling automatic backups of samba shares (samba_enable_backups)
  • shaarli/monitoring: aggregate data/log.txt to syslog using the imfile module

Changed:

Fixed:

  • xsrv: fix show-defaults command (by default display all role defaults for the default playbook)
  • homepage: fix mumble and ldap-account-manager links
  • samba: fix duplicate execution of the openldap role when samba uses LDAP passdb backend
  • rocketchat: fix variable checks not being run before applying the role
  • rocketchat: fix permissions/ownership of mongodb/rocketchat data directories
  • tt_rss: fix error 'Please set SELF_URL_PATH to the correct value detected for your server'
  • samba/jellyfin: fix automatic jellyfin samba share creation, fix permissions on jellyfin samba share
  • monitoring: fix ansible --check mode when netdata is not installed yet
  • shaarli: set apache directoryindex to index.php, prevent error messages in logs at every page access

Tools/maintenance:

  • Makefile: add a make changelog target (print commits since last tag)
  • Makefile: automate release procedure make release
  • tt-rss: cleanup/grouping
  • roles/*/defaults/main.yml: add header for all defaults files
  • upgrade ansible to 2.10.7 - https://pypi.org/project/ansible/#history
  • move TODOs to issues

v1.0.0 - 2021-02-12

This is a major rewrite of https://github.com/nodiscc/srv01. To upgrade/migrate from previous releases, you must redeploy services to a new instance, and restore user data from backups/exports.

This release improves usability, portability, standards compliance, separation of concerns, performance, documentation and security, simplifies installation and usage, and adds new features to all roles/components. A summary of changes is included below. See README.md for more information.

xsrv command-line tool

  • improve/simplify command-line usage, see xsrv help
  • refactor main script/simplify/cleanup
  • use pwgen (optional) to generate random passwords during host creation
  • make installation to $PATH and use of sudo optional
  • use ansible-galaxy collections as the role upgrade method

example playbook: refactor:

  • add examples for playbook, inventory, group_vars and host_vars (cleartext and vaulted) files
  • disable all but essential roles by default. Additional roles should be enabled manually by the admin
  • firewall: by default, allow incoming traffic for netdata dashboard from LAN (monitoring role is enabled by default)
  • firewall: by default, allow incoming SSH from anywhere (key-based authentication is enabled so this is reasonably secure)
  • firewall: by default, allow HTTP/HTTPS access from anywhere (required for let's encrypt http-01 challenge, and apache role is enabled by default)
  • firewall: change the default policy for the 'global' firehol_network definition to RETURN (changes nothing in the default configuration, makes adding other network definitions easier)
  • doc: add firewall examples for all services (only from LAN by default)
  • doc: add example .gitlab-ci.yml
  • ansible/all roles: use ansible-vault as default storage for sensitive values
  • ansible: use .ansible-vault-password as vault password file
  • ansible: speed up ansible SSH operations using controlmaster and pipelining SSH options
  • host_vars: add a netdata check for successful daily backups
  • host_vars: add netdata process checks for ssh, fail2ban, ntp, httpd, sql
  • host_vars: auto-restart services by default when needrestart detects a restart is required
  • remove unused directories, cleanup

common: refactor role:

  • import from https://gitlab.com/nodiscc/ansible-xsrv-common
  • unattended-upgrades: allow automatic upgrades from stable-updates repository
  • unattended-upgrades: install apt-listchanges (mail with a summary of changes will be sent to the server admin)
  • add ansible_user_allow_sudo_rsync_nopasswd option (allow ansible user to run sudo rsync without password)
  • msmtp: require manual configuration of msmtp host/username/password (if msmtp installation is enabled)
  • dns: add ability to configure multiple DNS nameservers in /etc/resolv.conf
  • packages: enable haveged installation by default
  • packages: don't install pwgen/secure-delete/autojump by default, add man package
  • sshd: remove deprecated UsePrivilegeSeparation option
  • sshd: make ssh server log level, PasswordAuthentication, AllowTcpForwarding and PermitRootLogin options configurable
  • sshd: fix the environment variables (LANG, LC_*) accepted from the client
  • sshd: explicitly deny AllowTcpForwarding, AllowAgentForwarding, GatewayPorts and X11Forwarding for the sftponly group
  • sshd: add curve25519-sha256@libssh.org KexAlgorithm
  • firewall: add an option to generate firewall rules compatible with docker swarm routing/port forwarding
  • firewall: allow outgoing mail submission/port 587 by default
  • firewall: make firewall config file only readable by root
  • firewall: use an alias/variable to define LAN IP networks, templatize
  • firewall/fail2ban: prevent firehol from overwriting fail2Ban rules, remove interaction/integration between services, split firewall/fail2ban configuration tasks, add ability to disable both
  • fail2ban: make more settings configurable (destination e-mail, default findtime/maxretry/bantime)
  • users: simplify management, remove remotebackup options/special remotebackup user/tasks
  • users: linux_users is now compatible with ansible users module syntax, with added ssh_authorized_keys and sudo_nopasswd_commands parameters
  • users: fix user password generation (use random salt, make task idempotent by setting update_password: on_create by default)
  • users: ensure ansible user home is not world-readable

monitoring: refactor role:

  • import from https://gitlab.com/nodiscc/ansible-xsrv-monitoring
  • netdata: add ssl/x509 expiration checks, make http check timeout value optional (default to 1s)
  • netdata: allow installation from deb packages/packagecloud APT repository, make it the default
  • netdata: decrease frequency of apache status checks to 10 seconds (decrease log spam)
  • netdata: disable access logs and debug logs by default (performance), add netdata_disable_*_log variables to configure it
  • netdata: disable cloud/SaaS features by default, add netdata_cloud_enabled variable to configure it
  • netdata: disable web server gzip compression since we only use ssl
  • netdata: install and configure https://gitlab.com/nodiscc/netdata-logcountmodule, disable notifications by default
  • netdata: install and configure https://gitlab.com/nodiscc/netdata-modtime module
  • netdata: make dbengine disk space size and memory page cache size configurable
  • netdata: monitor mysql server if mariadb role is enabled (add netdata mysql user)
  • netdata: add default configuration for health notifications
  • netdata: upgrade to latest stable release
  • rsyslog: aggregate all log messages to /var/log/syslog by default
  • rsyslog: monitor samba, gitea, mumble-server, openldap, nextcloud, unattended-upgrades and rsnapshot log files with imfile module (when corresponding roles are enabled)
  • rsyslog: make aggregation of apache access logs to syslog optional, disable by default
  • rsyslog: disable aggregation of netdata logs to syslog by default (very noisy, many false-positive ERROR messages)
  • rsyslog: discard apache access logs caused by netdata apache monitoring
  • needrestart: don't auto-restart services by default
  • extend list of command-line monitoring tools (lsof/strace)
  • various fixes, reorder, cleanup, update documentation, fix role/certificate generation idempotence, make more components optional

backup role

  • import from https://gitlab.com/nodiscc/ansible-xsrv-backup
  • auto-load rsnapshot configuration from /etc/rsnapshot.d/*.conf, remove hardcoded xsrv roles integration
  • check rsnapshot configuration after copying files
  • restrict access to backups directory to root only
  • redirect cron job stdout to /dev/null, only send errors by mail
  • write rsnapshot last success time to file (allows monitoring the time since last successful backup)
  • store ssh public key to ansible facts (this will allow generating a human readable document/dashboard with hosts information)

lamp role: refactor:

apache role:

  • import/refactor/split role from https://gitlab.com/nodiscc/ansible-xsrv-lamp
  • use apache mod-md for Let's Encrypt certificate generation, remove certbot and associated ansible tasks
  • switch to php-fpm interpreter, remove mod_php
  • switch to mpm_event, disable mpm_worker
  • switch to HTTP2
  • remove ability to create custom virtualhosts
  • remove automatic homepage generation feature (will be split to separate role)
  • enforce fail2ban bans on HTTP basic auth failures
  • set the default log format to vhost_combined (all vhosts to a single file)
  • rename cert_mode variable to https_mode
  • don't enable mod-deflate by default
  • add variable apache_allow_robots (allow/disallow robots globally, default no)
  • add hard dependency on common role
  • update doc, cleanup, formatting, add screenshot
  • require manual configuration of the letsencrypt admin email address
  • disable X-Frame-Options header as Content-Security-Policy frame-ancestors replaces/obsoletes it
  • disable setting a default Content-Security-Policy, each application is responsible for setting an appropriate CSP
  • mark HTTP->HTTPS redirects as permanent (HTTP code 301)
  • exclude /server-status from automatic HTTP -> HTTPS redirects
  • ensure the default/fallback vhost is always the first in load order, raise HTTP error 403 and autoindex:error when accessing the default vhost

nextcloud: refactor role:

  • import from https://gitlab.com/nodiscc/ansible-xsrv-nextcloud
  • determine appropriate setup procedure depending on whether nextcloud is already installed or not, installed version and current role version (installation/upgrades are now idempotent)
  • add support for let's encrypt certificates (use mod_md when nextcloud_https_mode: letsencrypt, else generate self-signed certificates)
  • use ansible local fact file to store nextcloud installed version
  • ensure correct/restrictive permissions are set
  • support postgresql as database engine, make it the default
  • move apache configuration steps to separate file, add full automatic virtualhost configuration for nextcloud
  • reorder setup procedure (setup apache last)
  • enable additional php modules https://docs.nextcloud.com/server/16/admin_manual/installation/source_installation.html#apache-web-server-configuration
  • reload apache instead of restarting when possible
  • make basic settings configurable through ansible (FQDN, install directory, full URL, share_folder...)
  • require manual configuration of nextcloud FQDN
  • enforce fail2ban bans on nextcloud login failures
  • upgrade nextcloud to latest stable version (https://nextcloud.com/changelog)
  • upgrade all nextcloud apps to latest compatible versions
  • make installed/enabled applications configurable
  • enable APCu memcache
  • gallery app replaced with photos app
  • optional integration with backup role, delegate database backups to the respective database role (mariadb/postgresql)
  • add deck, notes, admin_audit and maps apps
  • add php-fpm configuration
  • run background jobs via cron every 5 minutes

Migrating Nextcloud data to Postgresql from a MySQL-based installation:

# migration is manual
# files: login nextcloud desktop client to your account on the old server, wait for complete file synchronization (eg. to ~/Nextcloud)
#        deploy the new server, create equivalent accounts
#        from nextcloud desktop, login a new/secondary account to the new server, synchronize to another directory (eg. ~/Nextcloud2)
#        from desktop, move files from ~/Nextcloud to ~/Nextcloud2
# calendar/tasks: from the old server's https://old.EXAMPLE.org/nextcloud/index.php/apps/calendar/, export calendars as ICS from the "..." menu
#                 from the new server's https://cloud.EXAMPLE.org/index.php/apps/calendar/, import ICS file from the "Import" menu
# contacts: from the old server's https://old.EXAMPLE.org/nextcloud/index.php/apps/contacts/, export contacts as VCF from the "..." menu
#           from the new server's https://cloud.EXAMPLE.org/index.php/apps/contacts/, import VCF file from the "Import" menu > Local file
# update all desktop/mobile clients to use the new URL/account (DAVx5, thunderbird...)

tt-rss: refactor role:

  • import from https://gitlab.com/nodiscc/ansible-xsrv-tt-rss
  • add support for postgresql databases, make it the default (config variable tt_rss_db_type)
  • add support for postgresql backups/dumps
  • make backup role fully optional, check rsnapshot configuration after copying config file
  • delegate database backups to the respective database role (mariadb/postgresql)
  • add support for let's encrypt certificates (use mod_md when tt_rss_https_mode: letsencrypt)
  • make log destination configurable, default to blank/PHP/webserver logs
  • update config.php template (remove deprecated feed_crypt_key setting)
  • require manual configuration of admin username and tt-rss FQDN/URL
  • standardize component installation order (backups/fail2ban/database first)
  • simplify ansible_local.tt_rss.db_imported, always set to true
  • do not use a temporary file to store admin user credentials, run mysql command directly from tasks
  • add support for letsencrypt certificates/virtualhost configuration (mod_md). add tt_rss_https_mode: selfsigned/letsencrypt, move tasks to separate files
  • mark plugins/themes setup tasks as unmaintained, move to separate yml files
  • simplify file permissions setup/make idempotent
  • update documentation
  • simplify domain name/install directory/full URL templating
  • rename role to tt_rss
  • add php-fpm configuration
  • various fixes, cleanup, reordering

Migrating tt-rss data to Postgresql from a MySQL-based installation:

# on the original machine
# OPML import/export (including filters and some settings). Must be done before data_migration plugin if you want to keep feed categories
sudo mkdir /var/www/tt-rss/export
sudo chown -R www-data:www-data /var/www/tt-rss/export/
sudo -u www-data php /var/www/tt-rss/update.php --opml-export "MYUSERNAME /var/www/tt-rss/export/export-2020-08-07.opml" # export feeds OPML
# migrate all articles from mysql to postgresql
git clone https://git.tt-rss.org/fox/ttrss-data-migration
sudo chown -R root:www-data ttrss-data-migration/
sudo mv ttrss-data-migration/ /var/www/tt-rss/plugins.local/data_migration
sudo nano /var/www/tt-rss/config.php # enable data_migration in the PLUGINS array
sudo -u www-data php /var/www/tt-rss/update.php --data_user MYUSERNAME --data_export /var/www/tt-rss/export/export-2020-08-07.zip # export articles to database-agnostic format

# on a client
xsrv deploy # deploy tt-rss role
rsync -avP my.original.machine.org:/var/www/tt-rss/export/export-2020-08-07.zip ./ # download zip export
rsync -avP export-2020-08-07.zip my.new.machine.org: # upload zip export
rsync -avP my.original.machine.org:/var/www/tt-rss/export/export-2020-08-07.opml ./ # download opml export
# login to the new tt-rss instance from a browser, go to Preferences > Feeds, import OPML file

# on the target machine
git clone https://git.tt-rss.org/fox/ttrss-data-migration
sudo chown -R root:www-data ttrss-data-migration/
sudo mv ttrss-data-migration/ /var/www/rss.example.org/plugins.local/data_migration
sudo nano /var/www/rss.example.org/config.php # enable data_migration in the PLUGINS array
sudo mkdir /var/www/rss.example.org/export
sudo mv export-2020-08-07.zip /var/www/rss.example.org/export
sudo chown -R root:www-data /var/www/rss.example.org/export
sudo chmod -R g+rX /var/www/rss.example.org/export/
sudo -u www-data php /var/www/rss.example.org/update.php --data_user MYUSERNAME --data_import /var/www/rss.example.org/export/export-2020-08-07.zip # it can take a while
sudo rm -r /var/www/rss.example.org/export/ # cleanup

gitea:

  • add gitea self-hosted software forge role (https://gitea.io/en-us/)
  • import from https://gitlab.com/nodiscc/ansible-xsrv-gitea
  • make backup role fully optional, check rsnapshot configuration after copying config file
  • delegate database backups to the respective database role (mariadb/postgresql)
  • make common settings configurable through ansible variables
  • simplify domain name/location/root URL templating
  • require manual configuration of gitea instance FQDN/URL, JWT secrets and internal token
  • LFS JWT secret must not contain /+= characters
  • only configure a subset of gitea settings in the configuration file, let gitea use default values for other settings
  • disable displaying gitea version in footer
  • upgrade gitea to latest stable version (https://github.com/go-gitea/gitea/releases)
  • download binary from github.com instead of gitea.io
  • download uncompressed binary to avoid handling xz decompression
  • update configuration file template
  • add support for self-signed and let's encrypt certificates through gitea_https_mode variable
  • update documentation

Migrating gitea data to Postgresql from a MySQL-based installation

# To save some backup/restoration time and if you don't care about keeping system notices,
# Access https://$OLD_DOMAIN/gitea/admin/notices and 'Delete all notices'
# on the original machine, do a backup, and upgrade gitea to the target version
# if source and target versions do not match you will have to correct the database
# dump by hand to match the expected schema...

# download the binary from github
wget https://github.com/go-gitea/gitea/releases/download/v1.12.4/gitea-1.12.4-linux-amd64
# stop gitea
sudo systemctl stop gitea
# replace the gitea binary with the new version
sudo mv gitea-1.12.4-linux-amd64 /usr/local/bin/gitea
sudo chmod a+x /usr/local/bin/gitea
# run migrations
sudo -u gitea gitea -c /etc/gitea/app.ini convert
sudo -u gitea gitea -c /etc/gitea/app.ini migrate

# the dump command must be run from gitea's home directory
sudo su
export TMPDIR=/var/backups/gitea/
cd /var/backups/gitea/
# remove any old dumps
rm -rf gitea-dump*zip
# backup gitea data + database as postgresql dump
sudo -u gitea gitea dump -d postgres --tempdir /var/backups/gitea/ -c /etc/gitea/app.ini
# ensure your normal user account can read the backup file
chown $MY_USER /var/backups/gitea/gitea-dump-*.zip
# on the ansible controller
# download the backup file
rsync -avP $OLD_MACHINE:/var/backups/gitea/gitea-dump-*.zip ./
# upload the zip to the new machine
rsync -avP gitea-dump-*.zip $NEW_MACHINE:
# make sure gitea is deployed to the new machine
TAGS=gitea xsrv deploy
# on the new machine
# stop gitea
sudo systemctl stop gitea

# unarchive the backup zip to gitea's directory
sudo mkdir /var/lib/gitea/dump
sudo unzip gitea-dump-*.zip -d /var/lib/gitea/dump/
sudo chown -R gitea:gitea /var/lib/gitea/dump

# make the database dump in a directory readable by postgresql user
sudo mv /var/lib/gitea/dump/gitea-db.sql /var/lib/postgresql/
sudo chown postgres /var/lib/postgresql/gitea-db.sql

# edit the db dump to skip index creations when they already exist
sudo sed -i 's/CREATE INDEX/CREATE INDEX IF NOT EXISTS/g' /var/lib/postgresql/gitea-db.sql
sudo sed -i 's/CREATE UNIQUE INDEX/CREATE UNIQUE INDEX IF NOT EXISTS/g' /var/lib/postgresql/gitea-db.sql

# delete the gitea admin user created by ansible
# since it will conflict with the admin user from the database dump
# (replace $gitea_admin_username with the gitea_admin_username value from your host variables)
sudo -u gitea psql --command="delete from public.user where name = '$gitea_admin_username';"
# must return DELETE 1

# restore the database dump
sudo -u postgres psql --echo-all --set ON_ERROR_STOP=on gitea < /var/lib/postgresql/gitea-db.sql

# fix sequence values
# https://github.com/go-gitea/gitea/issues/740
# https://github.com/go-gitea/gitea/issues/12511
# get a list of tables (unaligned, tuples-only output: one schema|name|type|owner line per table)
tables=$(sudo -u gitea psql -Atc '\dt' | cut -d '|' -f 2)
echo $tables # check that the list is correct
for table in $tables; do sudo -u gitea psql --echo-all -c "SELECT setval('${table}_id_seq', COALESCE((SELECT MAX(id) FROM \"$table\"), 0) + 1, false);"; done

# extract repositories zip file
sudo -u gitea bash -c ' \
  cd /var/lib/gitea/dump && \
  unzip gitea-repo.zip && \
  mv repos/* /var/lib/gitea/repos/'
sudo chown -R gitea:gitea /var/lib/gitea/repos/

# remove the backup zip, psql dump, and temporary extraction directory
sudo rm -r gitea-dump-*.zip /var/lib/postgresql/gitea-db.sql /var/lib/gitea/dump

# regenerate hooks
sudo -u gitea gitea admin regenerate hooks -c /etc/gitea/app.ini

# start gitea and watch logs until it has finished starting up
sudo systemctl start gitea
sudo lnav /var/log/syslog
# on the controller
# log in to the new instance with your old admin account
# go to https://$NEW_DOMAIN/user/settings/ ->
#   change username and e-mail address to match values provided by ansible (gitea_admin_username/e-mail)
# go to https://$NEW_DOMAIN/user/settings/account
#   change password to match value provided by ansible (gitea_admin_password)

# re-apply the playbook and check that it finishes without error
TAGS=gitea xsrv deploy

# Check that all gitea functionality works

shaarli: refactor role:

  • detect installed version from ansible fact file and appropriate install/upgrade procedure depending on installed version
  • add apache configuration for shaarli, including Content-Security Policy and SSL/TLS certificate management with mod_md
  • allow generation of self-signed certificates
  • make shaarli fqdn and installation directory configurable
  • harden file permissions
  • add rsnapshot configuration for shaarli backups
  • auto-configure shaarli from ansible variables (name/user/password/timezone) + compute hash during installation
  • by default, don't overwrite shaarli config when it already exists (rely on configuration from the web interface) (idempotence)
  • require manual generation of shaarli password salt (40 character string)
  • add documentation, add backup restoration procedure
  • add role to example playbook (disabled by default)
  • add php-fpm configuration
  • upgrade shaarli to latest stable release (https://github.com/shaarli/Shaarli/releases)

Migrating Shaarli data to a new installation

# deploy shaarli
make deploy
# access https://old.CHANGEME.org/links/?do=export and export ALL links as HTML (without prepending instance URL to notes)
# access the new instance at https://links.CHANGEME.org/?do=import and import your HTML file
# you can also resynchronize thumbnails at https://links.CHANGEME.org/?do=thumbs_update

transmission: refactor role:

  • install and configure transmission (most settings are left to their defaults)
  • add ansible variables for username/password, service status, download directory, FQDN
  • only let transmission web interface listen on 127.0.0.1
  • settings.json is updated by the daemon on exit with current/user-defined settings, hence the role is not always idempotent
  • configure an apache virtualhost for transmission
  • add transmission_https_mode variable to configure SSL certificate generation (selfsigned/letsencrypt)
  • add checks for required variables
  • delegate HTTP basic auth to apache, pass credentials to the backend transmission service (proxy-chain-auth)
  • add rsnapshot configuration (backup transmission downloads and torrents cache)

mumble: refactor role:

  • setup mumble-server (murmur)
  • make server password, superuser password, allowping, max users, max bandwidth per client, server port, welcome text and service state configurable through ansible variables
  • update documentation, add screenshot
  • add rsnapshot configuration for automatic backups of mumble server data
  • add fail2ban configuration for failed mumble logins

postgresql role:

  • add basic postgresql role
  • add optional integration with the backup role (automatic database backups)

samba role:

  • add samba file sharing server role (standalone mode)
  • make log level configurable
  • add support for internal (tdbsam) and LDAP user/group/password backends
  • make shares configurable through samba_shares variable
  • make tdbsam users configurable through samba_users variable
  • add rsnapshot backup configuration for samba
  • make shares available/browseable state configurable (default to yes)
  • update documentation

docker role:

  • add docker role (install and configure Docker container platform)
  • add ability to configure a docker swarm orchestrator (default to initialize a new swarm)

homepage role:

  • add a role to generate a basic webserver homepage listing URLs/commands to access deployed services
  • automatic apache virtualhost configuration and let's encrypt/self-signed certificate generation

rocketchat role:

  • add a role to deploy the rocket.chat instant messaging/communication software
  • deploy rocket.chat as a stack of docker swarm services
  • add apache configuration to proxy traffic from the host's apache instance, add let's encrypt/self-signed certificate generation tasks

openldap role:

  • add a role to install openldap server and optionally ldap-account-manager
  • preconfigure base DN, users and groups OUs
  • add rsnapshot backup configuration
  • add apache configuration/host for ldap-account-manager, add let's encrypt/self-signed certificate generation tasks
  • make ldap-account-manager configuration read-only (must be configured through ansible)
  • only allow access to ldap-account-manager from private IP addresses by default
  • add optional support for Samba domain/users/groups

jellyfin role:

  • add a role to install the jellyfin media server
  • require manual configuration of admin username/password and initial media directory
  • create a default media directory in /var/lib/jellyfin/media + symlink from home directory to media directory

tools, documentation, misc:

  • refactor and update documentation (clarify/cleanup/update/reorder/reword/simplify/deduplicate/move), add screenshots, add full setup guide
  • manage all components from a single git repository
  • publish roles and default playbook as ansible collection (https://galaxy.ansible.com/nodiscc/xsrv - use make publish_collection to build)
  • add automated tests (ansible-lint, yamllint, shellcheck) for all roles, add ansible-playbook --syntax-check test
  • add a test suite, add automatic tests with Gitlab CI (https://gitlab.com/nodiscc/xsrv/-/pipelines)
  • remove pip install requirements (performed by xsrv script)
  • change release/branching model to 'release' (latest stable release), 'X.Y.Z' (semantic versioning), 'master' (development version)
  • automate TODO.md updates and version headers updates
  • fully working ansible-playbook --check mode
  • add checks for all mandatory variables
  • explicitly define file permissions for all file copy/templating tasks
  • add checks/assertions for all mandatory variables
  • remove .gitignore, clean files generated by tests using 'make clean'
  • improve/clarify logging, program output and help messages
  • generate HTML documentation with sphinx+recommonmark, host on https://xsrv.readthedocs.io
  • various fixes, cleanup, formatting
  • update roles metadata
  • upgrade ansible to latest stable version (https://github.com/ansible/ansible/blob/stable-2.10/changelogs/CHANGELOG-v2.10.rst)