1.25.1

v1.25.1 - 2024-10-19

Upgrade procedure:

• xsrv upgrade to upgrade roles/ansible environments to the latest release
• xsrv deploy to apply changes

Fixed:

• moodist: fix variable name (moodist_https_mode)

Full changes since v1.25.0

1.25.0

v1.25.0 - 2024-10-19

Upgrade procedure:

• xsrv self-upgrade to upgrade the xsrv script
• xsrv upgrade to upgrade roles/ansible environments to the latest release
• xsrv deploy to apply changes

Added:

• add stirlingpdf role (PDF manipulation tools)
• add moodist role (ambient sound mixer)
• libvirt: enable KSM (VM memory deduplication)

Changed:

• shaarli: increase default max memory size for php-fpm pool to 256MB
• nextcloud: upgrade to v28.0.11 [1]
• gitea: upgrade to v1.22.3 [1] [2] [3] [4]
• ollama: upgrade to v0.3.5 [1] [2] [3] [4] [5] [6] [7] [8] [9] [10] [11] [12] [13] [14] [15] [16] [17] [18] [19] [20] [21] [22] [23] [24] [25] [26] [27] [28] [29] [30] [31]
• ollama: upgrade ollama-ui to the latest version [1]
• matrix: update element-web to v1.11.77 [1] [1] [3] [4] [5] [6] [7] [8] [9] [10] [11]
• openldap: update ldap-account-manager to v8.8
• matrix: update synapse-admin to v0.10.3 [1]
• postgresql: update pgmetrics to v1.17.0
• goaccess: update IP to Country GeoIP database to v2024-09
• xsrv: update ansible to v10.5.0 [1 [2]
• netdata: install/upgrade netdata from new self-hosted repositories [1]
• netdata: make role compatible with Ubuntu 22.04
• improve test tools

Fixed:

• netdata: fix netdata not upgrading automatically from 1.45.6 to later versions
• jellyfin: fix jellyfin not upgrading automtically from 10.8.13 to 10.9.2
• wireguard: really delete peers from the configuration when wireguard_peers[*].state is set to absent
• wireguard: fix variable checks for wireguard_peers with state: absent and no public_key defined
• postgresql: rsyslog: fix postgresql log messages incorrectly tagged as mongodb in syslog
• openldap: fix ldap-account-manager download failing with urlopen error timed out
• gitea_act_runner: fix runner failing to register with [E] Deprecated config option [oauth2].ENABLE is present, please use [oauth2].ENABLED instead

Full changes since v1.24.0

1.24.0

v1.24.0 - 2024-05-09

Upgrade procedure:

• xsrv upgrade to upgrade roles/ansible environments to the latest release
• xsrv deploy to apply changes

Added:

• add ollama role role (local Large Language Model (LLM) server and web interface)
• monitoring_utils: add bonnie++ disk benchmarking tool and automated report script (TAGS=utils-bonnie xsrv deploy)

Changed:

• nextcloud: upgrade to v28.0.5 [1] [2]
• gitea: update to v1.21.11 [1] [2] [3] [4]
• gitea_act_runner: update act-runner to v0.2.10 [1] [2] [3] [4]
• openldap: update ldap-account-manager to v8.7
• openldap: update self-service-password to v1.6.0
• matrix: update element-web to v1.11.66 [1] [2] [3] [4] [5] [6]
• shaarli: update stack template to v0.8 [1]
• matrix: update synapse-admin to v0.10.1 [1]
• xsrv: update ansible to v9.5.1

Fixed:

• handlers: fix recursion loop in handlers/meta/main.yml
• all roles/apache: ensure apache is restarted (not just reloaded) when new modules are loaded
• graylog: make syslog certificate generation idempotent (add graylog_cert_not_before/after variables)
• matrix: fix broken version number comparison leading to error 'matrix_synapse_admin_action' is undefined.

Full changes since v1.23.0

1.23.0

v1.23.0 - 2024-04-09

Upgrade procedure:

• xsrv self-upgrade to upgrade the xsrv script
• xsrv upgrade to upgrade roles/ansible environments to the latest release
• monitoring_netdata: netdata_log_to_syslog, netdata_disable_debug_log, netdata_disable_error_log, netdata_disable_access_log variables are no longer used and can be removed from your configuration, if you changed them from the defaults (xsrv edit-host/edit-group)
• monitoring_rsyslog: if rsyslog_enable_forwarding is set to yes in your host/group variables (xsrv edit-host/edit-group), set rsyslog_forward_to_inventory_hostname to the inventory hostname of the syslog/graylog server receiving the logs
• graylog: under Inputs, edit all syslog/TLS inputs to use the new paths for TLS cert file: /etc/ssl/syslog/ca.crt, TLS private key: /etc/ssl/syslog/ca.key, TLS client auth trusted certs: /etc/ssl/syslog/ca.crt. You may also delete data/certificates/*-graylog-ca.crt files in your project directory since they are no longer used.
• xsrv deploy to apply changes

Added:

• xsrv: add scan command (scan a project directory for cleartext secrets/passwords using trivy)
• xsrv: add show-groups command (list all groups a host is a member of)
• monitoring_rsyslog: allow receiving logs from syslog clients over the network on port 514/tcp (rsyslog_enable_receive: no/yes)

Removed:

• monitoring_netdata: remove configuration variables netdata_log_to_syslog, netdata_disable_debug_log, netdata_disable_error_log, netdata_disable_access_log

Changed:

• gitea_act_runner: disable automatic nightly prune of podman images/containers by default gitea_act_runner_daily_podman_prune: no/yes
• monitoring_netdata: send all logs to systemd-journald, except access log
• monitoring_netdata: disable machine learning/anomaly detection functionality when streaming to a parent node (when netdata_streaming_send_enabled is enabled)
• shaarli: allow setting the default view mode when using the stack template (shaarli_stack_default_ui: small/medium/large), change the default to medium
• monitoring_rsyslog/graylog: setup mutual TLS authentication between syslog clients and server, sign server and client certificates with server CA certificate - rsyslog_forward_to_inventory_hostname is now required on rsyslog clients
• common: apt: enable non-free-firmware section when apt_enable_nonfree: yes [1]
• gitea: update to v1.21.7 [1] [2]
• nextcloud: upgrade to v28.0.3 [1] [2]
• shaarli: update stack template to v0.7 [1] [2]
• matrix: update synapse-admin to v0.9.1
• matrix: update element-web to v1.11.59 [1] [2]
• xsrv: update ansible to v9.3.0
• cleanup: standardize task names, remove files from old versions of the roles, use community.crypto.x509_certificate instead of deprecated openssl_certificate modules
• update documentation, add Gitea/Github Actions example for secret scanning, add graylog backup restoration procedure
• improve automatic tests

Fixed:

• monitoring_netdata/rsyslog: fix netdata logs no longer being appended to syslog
• shaarli: fix stack theme favicon not being displayed
• postgresql: fix role execution when called with rsyslog ansible tag

Full changes since v1.22.0

1.22.0

v1.22.0 - 2024-02-03

Upgrade procedure:

• xsrv self-upgrade to upgrade the xsrv script
• xsrv upgrade to upgrade roles/ansible environments to the latest release
• xsrv deploy to apply changes

Added:

• add nmap command and role - run nmap network scanner against hosts from the inventory

Changed:

• graylog: support initial deployment of the role with graylog/mongodb/elasticsearch disabled
• gitea: update to v1.21.5 [1] [2]
• nextcloud: upgrade to v28.0.2 [1] [2]
• matrix: update element-web to v1.11.57 [1] [2]
• xsrv: update ansible to v9.2.0
• update documentation

Full changes since v1.21.0

1.21.0

v1.21.0 - 2024-01-17

Upgrade procedure:

• xsrv self-upgrade to upgrade the xsrv script
• xsrv upgrade to upgrade roles/ansible environments to the latest release
• graylog: if you are using the graylog role, add the mongodb_admin_password and graylog_mongodb_password variables to your host variables (xsrv edit-vault) and set their values to strong random passwords
• To get rid of the deprecation warning collections_paths option does not fit var naming standard, rename collections_paths to collections_path in ansible.cfg (xsrv edit-cfg)
• xsrv deploy to apply changes

Added:

• add owncast role role (live video streaming and chat server)
• graylog/mongodb: require authentication to connect to mongodb (mongodb_admin_password, graylog_mongodb_password)
• jitsi: add an automated procedure to get the list of jitsi (prosody) registered users (TAGS=utils-jitsi-listusers xsrv deploy)
• gitea_act_runner: allow configuring how many tasks the runner can execute concurrently (gitea_act_runner_capacity: 1)
• postgresql: aggregate postgresql logs to syslog (when the monitoring_rsyslog role is deployed)
• wireguard/firewalld: allow configuring services to which wireguard clients can connect on the host (wireguard_firewalld_services)

Removed:

• postgresql: drop compatibility with Debian <12

Changed:

• python >=3.9 is now required on the controller (ansible 9.1.0)
• cleanup: postgresql: standardize/simplify pgmetrics report generation
• gitea_act_runner: update default image labels (use the node:21-bookworm when uses: ubuntu-latest is specified in the CI configuration file), add equivalent debian-latest label
• monitoring_netdata: debsecan: whitelist a few minor issues in debsecan reports by default
• wireguard: never return changed for wireguard client configuration file generation tasks
• tt_rss: hide changed status of set permissions on tt-rss files task
• gitea: update to v1.21.3 [1] [2]
• postgresql: explicitely install postgresql version 15
• openldap: update ldap-account-manager to v8.6
• matrix: update element-web to v1.11.52 [1] [2]
• xsrv: update ansible to v9.0.1
• monitoring_goaccess: update IP to Country database to v2024-01
• improve check mode support before first actual deployment
• update documentation

Fixed:

• graylog: mongodb: fix mongodb backups failing (authentication required)
• default playbook: fix goaccess_username/password/fqdn variables not being added to the correct file (username/password belong to encrypted variables)
• monitoring_utils: fix lynis warning MongoDB instance allows any user to access databases
• tt_rss: fix tt-rss installation failing when git was not previously installed
• tt_rss: fix error on first tt-rss installation Unsupported parameters for (postgresql_query) module: as_single_query, path_to_script.
• shaarli: fix shaarli zip extraction failing when the unzip package is not installed
• nextcloud: fix Nextcloud upgrades sometimes failing with Nextcloud is not installed - only a limited number of commands are available
• graylog: don't fail with 'graylog_mongodb_apt_repo_distribution' is undefined when running the mongodb tag alone
• dnsmasq: only attempt to update blocklists after network is online and dnsmasq has started

Full changes since v1.20.0

1.20.0

v1.20.0 - 2023-12-02

Upgrade procedure:

• xsrv upgrade to upgrade roles/ansible environments to the latest release
• xsrv deploy to apply changes

Added:

• dnsmasq: allow loading custom DNS blocklists from an URL (dnsmasq_blocklist_url, dnsmasq_blocklist_mode, dnsmasq_blocklist_whitelist)
• shaarli: install stack custom theme/template and enable it by default
• shaarli: allow setting the theme/template via the (shaarli_theme) configuration variable
• dnsmasq: allow logging DNS queries processed by dnsmasq (dnsmasq_log_queries: no/yes)
• nextcloud: allow configuring outgoing mail settings (nextcloud_smtp_*)
• common: add automated procedures to reboot or shutdown hosts (TAGS=utils-shutdown,utils-reboot)
• netdata: debsecan: allow whitelisting vulnerabilities reported by debsecan by CVE number (debsecan_whitelist)
• act-runner: prune unused podman data automatically, nightly (volumes, networks, containers, images)
• goaccess: allow configuring IP to Country GeoIP database version (goaccess_geoip_db_version)
• apache: allow restricting access to individual web applications by IP address/network (shaarli_allowed_hosts, matrix_synapse/element_admin_allowed_hosts, goaccess_allowed_hosts, ldap_account_manager/self_service_password_allowed_hosts, nextcloud_allowed_hosts, transmission_allowed_hosts, tt_rss_allowed_hosts, jitsi_allowed_hosts, homepage_allowed_hosts, graylog_allowed_hosts, gotty_allowed_hosts, gitea_allowed_hosts)
• jellyfin: allow disabling the allowed IP list entirely (allow access from any IP) by setting an empty jellyfin_allowed_hosts list
• common: sysctl: add hardening measures against reading/writing files controlled by an attacker fs.protected_fifos/hardlinks/regular/symlinks
• podman: add podman-docker wrapper (execute docker commands through podman)

Removed:

• netdata: remove netdata_monitor_systemd_units variable (always enable monitoring of system unit states)
• common: remove residual support for Debian 11 in firewalld configuration

Changed:

• xsrv: init-vm-template: use the gateway IP address as DNS server (--nameservers) by default instead of Cloudflare public DNS
• netdata: when *_enable_service: no, disable HTTP checks entirely for this service (intead of accepting HTTP 503)
• netdata: debsecan: allow disabling daily debsecan mail reports (debsecan_enable_reports: yes/no)
• transmission/netdata: only accept HTTP 401 as valid return code for the HTTP check
• nextcloud: verify downloaded .zip using GPG signatures
• jellyfin: harden systemd service (systemd-analyze security exposure score down from 9.2 UNSAFE to 5.7 MEDIUM)
• shaarli: update to v0.13.0
• gitea: update to v1.21.1 [1] [2]
• nextcloud: upgrade to v27.1.4 [1] [3]
• openldap: update self-service-password to v1.5.4
• matrix: update element-web to v1.11.50 [1] [2] [3]
• xsrv: upgrade ansible to v8.6.1
• goaccess: update IP to Country GeoIP database to v2023-11
• cleanup: limit use of check_mode: no to tasks that do not change anything
• update documentation, add example usage through Gitea Actions/Github Actions

Fixed:

• openldap: fix deployment of ldap-account-manager failing on copy php-fpm configuration when deploying the apache tag in isolation
• jellyfin: fix internal Restart server function only terminating the server process without restarting
• gitea_act_runner: fix potentially insufficient UIDs or GIDs available in user namespace error when using podman backend
• readme_gen: fix netdata alarm badge URL for used swap alarm
• shaarli: make remove shaarli zip extraction directory task idempotent

Full changes since v1.19.0

1.19.0

v1.19.0 - 2023-11-03

Upgrade procedure:

• xsrv upgrade to upgrade roles/ansible environments to the latest release
• gitea_act_runner: if you changed it from the default value, rename the variable gitea_act_runner_gitea_instance_url to gitea_act_runner_gitea_instance_fqdn
• monitoring_utils: if your projects are under git version control, you may want to add data/duc-*.db to your .gitignore before using the utils-duc tag.
• common: if your projects are under git version control, you may want to add data/firewalld-info-*.log to your .gitignore before using the utils-firewalld-info tag.
• xsrv deploy to apply changes

Added:

• common: packages: automatically install qemu-guest-agent when the host is a KVM VM
• gitea_act_runner: allow running workflows directly on the host without containerization (gitea_act_runner_labels)
• monitoring_utils: allow analyzing disk usage by directory and visualizing it locally using duc (TAGS=utils-duc xsrv deploy default my.CHANGEME.org)
• backup: allow disabling specific rsnapshot backup intervals by setting rsnapshot_retain_daily/weekly/monthly to 0
• backup: allow disabling automatic/scheduled backups entirely rsnapshot_enable_cron: yes/no
• backup: allow disabling automatic creation of the backup storage directory rsnapshot_create_root: yes/no
• common: allow getting firewalld status information (TAGS=utils-firewalld-info xsrv deploy)
• netdata/shaarli/tt_rss/openldap/nextcloud: enable monitoring of PHP-FPM pools
• when generating self-signed certificates, download them to the controller in data/certificates/ under the project directory

Removed:

• netdata: remove variable netdata_self_monitoring_enabled (use netdata_disabled_plugins: ['netdata monitoring'] instead)
• monitoring_utils: remove logwatch from the list of default installed packages

Changed:

• netdata: disable all netdata self-monitoring by default
• netdata: update logs/db storage configuration for newer netdata versions, store 400MB of per-minute data and 200MB of per-hour data in addition to the amount of per-second data defined by netdata_dbengine_disk_space
• gitea_act_runner: don't run the runner as root but as dedicated act-runner user
• gitea_act_runner: force re-registering the runner when the .runner file is absent
• gitea_act_runner: rename variable gitea_act_runner_gitea_instance_url to gitea_act_runner_gitea_instance_fqdn
• gitea_act_runner: log runner registration attempts to syslog for easier debugging
• common: users/logind: don't lock auto-lock idle user sessions by default (systemd_logind_lock_after_idle_min: 0)
• jitsi/goaccess: only generate self-signed certificates when jitsi/goaccess_https_mode: selfsigned
• transmission: only generate self-signed certificates when apache is managed by xsrv
• nextcloud: upgrade to v27.1.3 [1] [2] [3] [4] [5] [6]
• matrix: update element-web to v1.11.47 [1]
• update documentation

Fixed:

• netdata: fix incorrect variable name in role defaults (netdata_api_key -> netdata_streaming_api_key)
• gitea_act_runner: fix temporary error when first enabling the podman socket in act-runner systemd user session
• gitea_act_runner: fix errors when enabling the systemd service manually
• gitea_act_runner: always try to restart the runner systemd service in case of failure
• monitoring_utils/graylog: fix debsums incorrectly reporting missing files in mongodb packages
• monitoring_netdata/debsecan: fix debsecan unable to send email reports
• default playbook: fix role ordering (podman must be deployed before gitea_act_runner)

Full changes since v1.18.0

1.18.0

v1.18.0 - 2023-10-11

Upgrade procedure:

• docker: if you want to keep using the docker role, update requirements.yml (xsrv edit-requirements) and playbook.yml (xsrv edit-playbook) to use the archived nodiscc.toolbox.docker role instead. nodiscc.xsrv.podman is now the recommended role for container management.
• xsrv upgrade to upgrade roles/ansible environments to the latest release
• xsrv deploy to apply changes

Note: the collection will no longer be updated on https://galaxy.ansible.com/ui/repo/published/nodiscc/xsrv/ until ansible/galaxy#2438 is fixed, please use the git repository URL in your requirements.yml, as documented in https://xsrv.readthedocs.io/en/latest/usage.html#use-as-ansible-collection.

Added:

• add gitea_act_runner role (Gitea Actions CI/CD runner)
• add podman role (OCI container engine and management tools, replacement for docker)
• gitea: allow enabling built-in Gitea Actions CI/CD system (gitea_enable_actions: no/yes)
• common: allow running unattended-upgrade or apt upgrade immediately (TAGS=utils-apt-unattended-upgrade,utils-apt-upgrade)
• matrix: allow setting up LDAP authentication backend for synapse (matrix_synapse_ldap_*)
• netdata: allow aggregating netdata error/health alarm/collector logs to syslog (netdata_logs_to_syslog: no/yes)
• docker: add an automated procedure to uninstall docker role components (TAGS=utils-docker-uninstall)
• nextcloud: allow automatically checking the filesystem/data directory for changes made outside Nextcloud (nextcloud_filesystem_check_changes: no/yes)

Removed:

• docker: remove role, archive it to separate repository
• apache: remove remove ability to install/configure mod-evasive anti-DDoS module

Changed:

• common: datetime: replace ntpd time synchronization service by systemd-timesyncd
• common: ssh: don't accept locale/language-related environment variables set by the client by default (ssh_accept_locale_env: no/yes)
• graylog: don't perform mongodb backups when the graylog/mongodb service is disabled on the host configuration (graylog_enable_service: yes/no)
• gitea: update to v 1.20.5 [1]
• matrix: update element-web to v1.11.46 [1] [2] [3]
• graylog: update to v5.1 [1] [2] [3] [4] [5] [6] [7]
• openldap: update ldap-account-manager to v8.5
• postgresql: update pgmetrics to v1.16.0
• netdata: update netdata-apt to v1.1.2 [1]
• xsrv: upgrade ansible to v8.5.0

Fixed:

• jitsi: fixed jitsi-videobridge sometimes failing to connect to prosody (org.jivesoftware.smack.sasl.SASLErrorException: SASLError using SCRAM-SHA-1: not-authorized) - force updating jvb prosody password

Full changes since v1.17.0

1.17.0

v1.17.0 - 2023-09-21

Upgrade procedure:

• upgrade to v1.16.0 and deploy it first, if not already done
• xsrv upgrade to upgrade roles/ansible environments to the latest release
• if you had changed it from its default value, rename the variable syslog_retention_days to rsyslog_retention_days in your hosts/groups configuration (xsrv edit-host/edit-group)
• (optional) xsrv check to simulate changes.
• xsrv deploy to apply changes
• TAGS=debian11to12 xsrv deploy && xsrv deploy to upgrade hosts still on Debian 11 "Bullseye" to Debian 12 "Bookworm" [1]. Debian 11 will no longer be supported after this release.

Added:

• add monitoring_goaccess role - real-time web log analyzer/interactive viewer
• netdata: allow enabling health alarms for charts received from "child" streaming nodes (netdata_streaming_receive_alarms: yes/no)
• netdata: allow enabling/disabling alarm notifications (netdata_enable_health_notifications: yes/no)
• apache: allow enabling HSTS for all applications/sites using Let's Encrypt certificates (apache_letsencrypt_enable_hsts: no/yes)
• apache/fail2ban: ban IP addresses doing requests on the default virtualhost
• monitoring_netdata: allow disabling the logcount module by setting netdata_logcount_update_interval to 0
• jellyfin: allow adding users to the jellyfin group (may read/write files inside the media directory), add the ansible user to this group by default (jellyfin_users)
• transmission: allow adding users to the debian-transmission group (may read/write files inside the downloads directory), add the ansible user to this group by default (transmission_users)

Removed:

• cleanup: remove all previous migration tasks
• netdata: remove default processes checks for sshd, ntpd, fail2ban (let systemd services module handle checks for these processes)
• tt_rss: remove ansible tags tt_rss-app, tt_rss-permissions, tt_rss-postgresql

Changed:

• nextcloud: enable the Polls app by default
• nextcloud: enable the Forms app by default
• nextcloud: disable the usage survey app by default
• apache: always redirect http:// to https:// for all applications/sites using Let's Encrypt (*_certificate_mode: letsencrypt) certificates
• apache: don't redirect requests to the default HTTP virtualhost to HTTPS
• jitsi: configure all components to listen only on loopback interfaces, disable IPv6 listening
• graylog: cleanup list of dependencies (graylog provides its own java environment)
• netdata: decrease apache server status collection frequency to 10s (decrease log spam caused by the collector)
• apache: log requests from localhost to the default vhost with the localhost: prefix (for example http://127.0.0.1/server-status requests from netdata)
• apache: log requests from other hosts to the default vhost with the default: prefix (for example bad bots and scanners accessing the server by IP address)
• apache: serve a 403 Forbidden response to for requests the default virtualhost (except those from localhost)
• common/fail2ban: increase the max number of banned IPs per jail to 1000000
• common/fail2ban: decrease the number of failed authentication attempts before triggering a ban from 5 to 3 (over 10 minutes)
• common/fail2ban: use values provided in fail2ban_default_maxretry (default 3), fail2ban_default_findtime (10min) and fail2ban_default_bantime (1 year) for all jails
• common/fail2ban: use DROP firewall rule instead of REJECT (drop connections from banned IPs instead of replying with TCP reset)
• common/fail2ban: do not enable the pam-generic jail by default as no service uses it
• common/fail2ban/all roles: only ban offenders on HTTP/HTTPS ports (not all ports) for authentication failures on web applications
• common/fail2ban: standardize permissions on fail2ban configuration files
• gitea/jellyfin/fail2ban: do not disable gitea/jellyfin jails if the corresponding service is disabled
• apache: cleanup: remove ServerAdmin directive from all virtualhost configuration files (this information is not used, displaying admin email in error messages is disabled)
• wireguard: write peer names as comments in the config file
• rsyslog: rename the variable syslog_retention_days to rsyslog_retention_days
• nextcloud: update to v26.0.6 [1]
• gitea: update to v 1.20.4 [1] [2] [3]
• matrix: update element-web to v1.11.43 [1] [2] [3] [4] [5] [6] [7]
• postgresql: update pgmetrics to v1.15.2
• xsrv: update ansible to v8.4.0
• netdata: harden/standardize permissions on postgres collector configuration file
• cleanup: common/fail2ban: standardize comments/task order, do not repeat jail options that are already defined in jail.conf, in jail.d/*conf
• cleanup: xsrv: init-vm-template: remove deprecated --os option to virt-install
• improve check mode support before first actual deployment
• update documentation

Fixed:

• apache: fix apache not loading new/updated Let's Encrypt/mod_md certificates automatically every minute
• apache: fix duplicated access logs to access.log/other_vhosts_access.log, only log to access.log
• common/fail2ban/all roles: prevent missing/not-yet-created log files from causing failban reloads/restart to fail (e.g. when a service is initially deployed with *_enable_service: no)
• common: fail2ban: fix Hash is full, cannot add more elements error when a fail2ban jail has mor than 65536 banned IPs
• monitoring_netdata/needrestart: fix automatic reboot not triggered by cron job when ABI-compatible kernel upgrades are pending
• nextcloud: fail2ban: fix Found a match but no valid date/time warning when a login failure is detected

Full changes since v1.16.0