1.17.0

nodiscc released this 21 Sep 17:50
9fae8f8

v1.17.0 - 2023-09-21

Upgrade procedure:

  • upgrade to v1.16.0 and deploy it first, if not already done
  • xsrv upgrade to upgrade roles/ansible environments to the latest release
  • if you had changed it from its default value, rename the variable syslog_retention_days to rsyslog_retention_days in your hosts/groups configuration (xsrv edit-host/edit-group)
  • (optional) xsrv check to simulate changes.
  • xsrv deploy to apply changes
  • TAGS=debian11to12 xsrv deploy && xsrv deploy to upgrade hosts still on Debian 11 "Bullseye" to Debian 12 "Bookworm" [1]. Debian 11 will no longer be supported after this release.

Added:

Removed:

  • cleanup: remove all previous migration tasks
  • netdata: remove default processes checks for sshd, ntpd, fail2ban (let systemd services module handle checks for these processes)
  • tt_rss: remove ansible tags tt_rss-app, tt_rss-permissions, tt_rss-postgresql

Changed:

  • nextcloud: enable the Polls app by default
  • nextcloud: enable the Forms app by default
  • nextcloud: disable the usage survey app by default
  • apache: always redirect http:// to https:// for all applications/sites using Let's Encrypt (*_certificate_mode: letsencrypt) certificates
  • apache: don't redirect requests to the default HTTP virtualhost to HTTPS
  • jitsi: configure all components to listen only on loopback interfaces, disable IPv6 listening
  • graylog: cleanup list of dependencies (graylog provides its own java environment)
  • netdata: decrease apache server status collection frequency to 10s (decrease log spam caused by the collector)
  • apache: log requests from localhost to the default vhost with the localhost: prefix (for example http://127.0.0.1/server-status requests from netdata)
  • apache: log requests from other hosts to the default vhost with the default: prefix (for example bad bots and scanners accessing the server by IP address)
  • apache: serve a 403 Forbidden response to requests for the default virtualhost (except those from localhost)
  • common/fail2ban: increase the max number of banned IPs per jail to 1000000
  • common/fail2ban: decrease the number of failed authentication attempts before triggering a ban from 5 to 3 (over 10 minutes)
  • common/fail2ban: use values provided in fail2ban_default_maxretry (default 3), fail2ban_default_findtime (10min) and fail2ban_default_bantime (1 year) for all jails
  • common/fail2ban: use DROP firewall rule instead of REJECT (drop connections from banned IPs instead of replying with TCP reset)
  • common/fail2ban: do not enable the pam-generic jail by default as no service uses it
  • common/fail2ban/all roles: only ban offenders on HTTP/HTTPS ports (not all ports) for authentication failures on web applications
  • common/fail2ban: standardize permissions on fail2ban configuration files
  • gitea/jellyfin/fail2ban: do not disable gitea/jellyfin jails if the corresponding service is disabled
  • apache: cleanup: remove ServerAdmin directive from all virtualhost configuration files (this information is not used, displaying admin email in error messages is disabled)
  • wireguard: write peer names as comments in the config file
  • rsyslog: rename the variable syslog_retention_days to rsyslog_retention_days
  • nextcloud: update to v26.0.6 [1]
  • gitea: update to v1.20.4 [1] [2] [3]
  • matrix: update element-web to v1.11.43 [1] [2] [3] [4] [5] [6] [7]
  • postgresql: update pgmetrics to v1.15.2
  • xsrv: update ansible to v8.4.0
  • netdata: harden/standardize permissions on postgres collector configuration file
  • cleanup: common/fail2ban: standardize comments/task order, do not repeat jail options in jail.d/*.conf that are already defined in jail.conf
  • cleanup: xsrv: init-vm-template: remove deprecated --os option to virt-install
  • improve check mode support before first actual deployment
  • update documentation
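
The fail2ban defaults and port-scoped banning listed above, written out as a jail.local fragment. This is an added illustration, not the xsrv role's own generated configuration: jail names, log paths and the stock defaults quoted in comments are those shipped with fail2ban 1.0, and the commented-out ipset line assumes that version's `maxelem` parameter.

```ini
# jail.local fragment illustrating the v1.17.0 fail2ban defaults.
# Added illustration; xsrv renders its own files from role templates.
[DEFAULT]
# Stock fail2ban defaults: maxretry = 5, findtime = 10m, bantime = 10m.
# 3 failures within 10 minutes -> banned for one year.
maxretry = 3
findtime = 10m
bantime  = 1y

# Stock iptables actions REJECT traffic from banned IPs, which sends a
# reply back; blocktype=DROP silently discards it instead.
banaction = iptables-multiport[blocktype=DROP]
banaction_allports = iptables-allports[blocktype=DROP]
# Assumption: with an ipset-backed action the set holds 65536 entries by
# default and fails with "Hash is full" beyond that; the maxelem parameter
# (fail2ban >= 1.0) raises the cap:
# banaction = iptables-ipset[blocktype=DROP, maxelem=1000000]

[sshd]
enabled = true
# SSH brute force: block the offender on every port.
banaction = %(banaction_allports)s

[apache-auth]
enabled = true
# Authentication failures on a web application: block only HTTP/HTTPS,
# not all ports (stock apache-auth jail already sets port = http,https).
port = http,https
```

Check the effective values with `fail2ban-client get apache-auth maxretry` and `fail2ban-client get apache-auth actions` after a reload.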

Fixed:

  • apache: fix apache not loading new/updated Let's Encrypt/mod_md certificates automatically every minute
  • apache: fix duplicated access logs to access.log/other_vhosts_access.log, only log to access.log
  • common/fail2ban/all roles: prevent missing/not-yet-created log files from causing fail2ban reloads/restarts to fail (e.g. when a service is initially deployed with *_enable_service: no)
  • common: fail2ban: fix "Hash is full, cannot add more elements" error when a fail2ban jail has more than 65536 banned IPs
  • monitoring_netdata/needrestart: fix automatic reboot not triggered by cron job when ABI-compatible kernel upgrades are pending
  • nextcloud: fail2ban: fix "Found a match but no valid date/time" warning when a login failure is detected

Full changes since v1.16.0