Commit

release v1.23.0
nodiscc committed Mar 9, 2024
1 parent 8b1017c commit d6ebe9f
Showing 8 changed files with 73 additions and 40 deletions.
2 changes: 1 addition & 1 deletion CHANGELOG.md
Expand Up @@ -3,7 +3,7 @@
All notable changes to this project will be documented in this file.
The format is based on [Keep a Changelog](http://keepachangelog.com/).

#### [v1.23.0](https://gitlab.com/nodiscc/xsrv/-/releases#1.23.0) - UNRELEASED
#### [v1.23.0](https://gitlab.com/nodiscc/xsrv/-/releases#1.23.0) - 2024-04-09

**Upgrade procedure:**
- `xsrv self-upgrade` to upgrade the xsrv script
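Review bot: The release date on the v1.23.0 heading reads 2024-04-09, but this commit is dated Mar 9, 2024. If the release is cut with this commit, the heading should read 2024-03-09; the changelog date is what users compare against when deciding whether an upgrade procedure applies to them, so it is worth correcting before tagging.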
2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -8,7 +8,7 @@

[![](https://gitlab.com/nodiscc/xsrv/badges/master/pipeline.svg)](https://gitlab.com/nodiscc/xsrv/-/pipelines)
[![](https://bestpractices.coreinfrastructure.org/projects/3647/badge)](https://bestpractices.coreinfrastructure.org/projects/3647)
[![](https://img.shields.io/badge/latest%20release-1.22.0-blue)](https://gitlab.com/nodiscc/xsrv/-/releases)
[![](https://img.shields.io/badge/latest%20release-1.23.0-blue)](https://gitlab.com/nodiscc/xsrv/-/releases)
[![](https://img.shields.io/badge/docs-readthedocs-%232980B9)](https://xsrv.readthedocs.io)

**Install, manage and run self-hosted network services and applications on your own server(s).**
47 changes: 29 additions & 18 deletions docs/TODO.md
Expand Up @@ -2,22 +2,32 @@

### xsrv/xsrv

- #1270 - WIP: netdata: disable ML functionality when streaming to a parent node is enabled - **`1.23.0`** `easy,enhancement,performance`
- #1292 - netdata grafana source - **`1.25.0`** `feature,monitoring,upstream`
- #1291 - debsecan: per-host dashboard - **`1.24.0`** `enhancement,monitoring,security`
- #1290 - monitoring_rsyslog: use common name based authentication to authenticate peers - **`1.25.0`** `enhancement,security`
- #1289 - graylog: enable TLS client authentication - **`1.24.0`** `documentation,enhancement,security`
- #1288 - samba: ldapsam: better documentation of samba LDAP attributes - **`-`** `documentation`
- #1286 - doc: graylog: add example stream setup - **`-`** `documentation`
- #1285 - gotty: check sha256sums after download - **`-`** `enhancement,security`
- #1282 - xsrv nmpa: allow output to SVG graph - **`-`** `feature`
- #1279 - local LLM (Large Language Model) + web interface - **`1.24.0`** `feature`
- #1276 - WIP: common: split role into sub-roles, make the common role a 'meta' role depending on all sub roles - **`1.25.0`** `maintenance`
- #1275 - WIP: rsnapshot: allow automatic discovery of paths to backup from/commands to run on remote hosts - **`1.25.0`** `backups,enhancement`
- #1269 - document getting ansible-vault-password from keepassxc - **`2.0.0`** `documentation,enhancement,security,upstream`
- #1268 - backup: allow automatic discovery of paths to backup/commands to run for each host - **`2.0.0`** `backups,enhancement`
- #1268 - backup: allow automatic discovery of paths to backup/commands to run for each host - **`1.24.0`** `backups,enhancement`
- #1267 - xsrv self-upgrade: update the bash completion script as well - **`-`** `enhancement`
- #1266 - homepage: allow displaying arbitrary netdata badges in the footer - **`-`** `easy,enhancement`
- #1264 - WIP: mumble: allow uninstalling mumble server using the `utils-mumble-uninstall` ansible tag - **`1.23.0`** `enhancement`
- #1259 - WIP: wireguard: when peer.public_key is not defined, auto-generate a public/private key pair for this peer - **`1.23.0`** `enhancement`
- #1257 - graylog: upgrade to v5.2.x - **`1.23.0`** `maintenance`
- #1264 - WIP: mumble: allow uninstalling mumble server using the `utils-mumble-uninstall` ansible tag - **`1.24.0`** `enhancement`
- #1259 - WIP: wireguard: when peer.public_key is not defined, auto-generate a public/private key pair for this peer - **`1.24.0`** `enhancement`
- #1257 - graylog: upgrade to v5.2.x - **`1.24.0`** `maintenance`
- #1256 - wireguard: web interface? - **`-`** `enhancement,question`
- #1253 - wireguard: add QR code to auto-generated client config files - **`-`** `enhancement`
- #1253 - wireguard: add QR code to auto-generated client config files - **`1.24.0`** `enhancement`
- #1251 - WIP: xsrv: don't require sudo during xsrv init-vm-template - **`-`** `difficult,enhancement`
- #1245 - gitea: use unix socket instead of HTTP socket? - **`1.23.0`** `enhancement,question,security`
- #1245 - gitea: use unix socket instead of HTTP socket? - **`1.24.0`** `enhancement,question,security`
- #1235 - gitea_act_runner: do not log job output to syslog by default - **`-`** `enhancement,monitoring,upstream`
- #1230 - podman: add docker-compose? - **`1.23.0`** `enhancement,question`
- #1226 - postgresql: allow enabling pg_stat_statements extension - **`1.23.0`** `easy,enhancement,monitoring,performance`
- #1215 - WIP: tests: add tests for deploying individual roles to a host - **`1.23.0`** `tools`
- #1230 - podman: add docker-compose? - **`1.24.0`** `enhancement,question`
- #1226 - postgresql: allow enabling pg_stat_statements extension - **`1.24.0`** `easy,enhancement,monitoring,performance`
- #1215 - WIP: tests: add tests for deploying individual roles to a host - **`1.24.0`** `tools`
- #1214 - nextcloud: enable machine learning (AI) related features? - **`-`** `feature,question`
- #1212 - nextcloud: allow enabling/disabling file locking? - **`-`** `enhancement,question`
- #1211 - nextcloud: warning about opcache incorrect configuration - **`-`** `enhancement,performance`
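Review bot: #1285 (gotty: check sha256sums after download) is listed with no milestone (`-`) although it is tagged `security`, while the other new security items in this hunk have a target (#1289 and #1291 at 1.24.0, #1290 at 1.25.0). An integrity check on a downloaded binary is a small change with a clear supply-chain benefit, so it deserves a target release as well. Separately, the #1282 title reads "xsrv nmpa", which looks like a typo (nmap?); fix it at the source of the title so this list follows.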
Expand All @@ -31,7 +41,7 @@
- #1134 - Lemmy role? - **`-`** `feature,question`
- #1127 - xsrv: help-tags: outputs duplicate tags when running on non-default playbook - **`-`** `bug`
- #1122 - nextcloud: install memories app? - **`-`** `feature,question`
- #1119 - WIP: common/firewalld: allow defining a manual IP address/network blacklist (firewalld_bad_ips) - **`1.23.0`** `enhancement,security`
- #1119 - WIP: common/firewalld: allow defining a manual IP address/network blacklist (firewalld_bad_ips) - **`1.24.0`** `enhancement,security`
- #1108 - matrix/element: Cross-Origin Request Blocked: .well-known/matrix/client - **`-`** `question`
- #1103 - xsrv: bash completion: auto-complete init-vm/init-vm-template options? - **`-`** `enhancement,question`
- #1099 - graylog: document backup restoration procedure - **`-`** `backups,documentation`
Expand Down Expand Up @@ -100,7 +110,7 @@
- #522 - openldap: performance optimizations? - **`-`** `enhancement,performance,question`
- #517 - allow configuration of a custom MOTD? - **`-`** `feature,question`
- #497 - nextcloud: allow enabling 2-factor authentication? - **`-`** `configuration,enhancement,question,security`
- #475 - ACME certificate authority role? - **`-`** `feature,question,security`
- #475 - ACME certificate authority role/PKI? - **`-`** `feature,question,security`
- #451 - Document management system? - **`-`** `feature,question`
- #445 - bookstack role? - **`2.0.0`** `feature,question`
- #441 - openldap: allow restricting application access to groups/setup MemberOf overlay - **`-`** `enhancement,security`
Expand All @@ -111,14 +121,15 @@
- #344 - nextcloud: replace onlyoffice integration with collabora/nextcloud office? - **`-`** `feature,question`
- #323 - prometheus role? - **`-`** `feature,monitoring,question`
- #322 - Frontail role? - **`-`** `feature,monitoring,question`
- #317 - monitoring_utils: lynis: suggestion[]=BOOT-5264|Consider hardening system services - **`1.23.0`** `enhancement,security`
- #317 - monitoring_utils: lynis: suggestion[]=BOOT-5264|Consider hardening system services - **`1.24.0`** `enhancement,security`
- #310 - samba: ability to whitelist/blacklist files by extension? - **`-`** `enhancement,question,security`
- #309 - apply postgresqltuner recommended settings? - **`-`** `enhancement,performance,question`
- #280 - Samba Directory Controller or other Identity Management solution? - **`-`** `feature,question`
- #274 - Samba: advertise samba server over avahi/zeroconf? - **`-`** `enhancement,question`
- #267 - apache: make disabled modules list configurable, disable more modules by default? - **`-`** `enhancement,performance,question,security`
- #265 - apache: provide custom error pages? - **`-`** `enhancement,question`
- #256 - CAS, SAML or Oauth Single Sign On (SSO)? - **`-`** `feature,question`
- #202 - netdata: monitoring network bandwidth per application with ebpf - **`1.25.0`** `enhancement,monitoring,upstream`
- #200 - roles for other monitoring software? - **`-`** `feature,monitoring,question`
- #193 - netdata: graph tiger warnings? - **`-`** `feature,monitoring,question,security`
- #184 - monitoring_utils: add Mozilla observatory module? - **`-`** `feature,monitoring,question,security`
Expand All @@ -142,9 +153,9 @@
- #96 - grafana role? - **`-`** `feature,monitoring,question`
- #93 - VNC/other remote desktop server role? - **`-`** `feature,question`
- #86 - Peertube role? - **`-`** `feature,question`
- #78 - Adminer role - **`1.23.0`** `feature`
- #78 - Adminer role - **`1.24.0`** `feature`
- #70 - common: ssh: allow setting up endlessh? - **`-`** `feature,question,security`
- #69 - IDS/IPS role? - **`1.23.0`** `question,security`
- #69 - IDS/IPS role? - **`1.25.0`** `question,security`
- #64 - RAID role? - **`-`** `feature,question`
- #63 - pfSense role? - **`-`** `feature,question,wontfix`
- #61 - GDPR compliance? - **`-`** `feature,question`
Expand All @@ -159,15 +170,15 @@
- #43 - OSM routing service role? - **`-`** `feature,question`
- #42 - OpenStreetMap/maps tileserver role? - **`-`** `feature,question`
- #41 - network scanner (SANE) server role? - **`-`** `feature,question`
- #40 - SearxNG role - **`1.23.0`** `feature`
- #40 - SearxNG role - **`1.24.0`** `feature`
- #39 - wallabag role? - **`-`** `feature,question`
- #37 - Replace `ntp` with `chrony`? - **`2.0.0`** `question`
- #35 - simple git server role? - **`-`** `feature,question,wontfix`
- #34 - CentOS compatibility? - **`-`** `feature,question,wontfix`
- #33 - Minecraft server role? - **`1.23.0`** `feature,question`
- #33 - Minecraft server role? - **`1.25.0`** `feature,question`
- #30 - Gitlab role? - **`-`** `feature,question`
- #26 - dynamic DNS updater role? - **`2.0.0`** `feature`
- #24 - DHCP/TFTP/PXE server role? - **`-`** `feature,question`
- #22 - Add molecule tests? - **`-`** `difficult,enhancement,question,tools`
- #10 - xsrv init-vm: use cloud-init images? - **`-`** `feature,question`
- #10 - xsrv init-vm: use cloud-init images - **`1.25.0`** `enhancement`
- #3 - Mail server role? - **`-`** `feature,question`
4 changes: 2 additions & 2 deletions docs/conf.py
Expand Up @@ -5,8 +5,8 @@

project = 'xsrv'
author = '[email protected]'
version = '1.22.0'
release = '1.22.0'
version = '1.23.0'
release = '1.23.0'
html_show_copyright = True

# -- General configuration ---------------------------------------------------
52 changes: 37 additions & 15 deletions docs/configuration-variables.md
Expand Up @@ -210,7 +210,7 @@ kernel_modules_blacklist:
### PACKAGE MANAGEMENT ###
# yes/no: setup APT sources (security, backports) and automatic security upgrades
setup_apt: yes
# yes/no: enable 'contrib' and 'non-free' software sections in debian APT repositories
# yes/no: enable contrib non-free and non-free-firmware software sections in debian APT repositories
apt_enable_nonfree: no
# clean downloaded package archives (apt clean) every n-days (0=disable)
apt_clean_days: 7
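Review bot: The reworded comment above `apt_enable_nonfree` lost its quoting and separators: "enable contrib non-free and non-free-firmware software sections" can be read as two sections rather than three. Suggest writing it as 'contrib', 'non-free' and 'non-free-firmware', matching the quoting the previous wording used.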
Expand Down Expand Up @@ -312,6 +312,11 @@ apt_listbugs_ignore_list:
- 1051003 # https://bugs.debian.org/1051003 - only affects pam_shield
- 1030284 # https://bugs.debian.org/1030284 - only affects arm64 architecture
- 1057715 # https://bugs.debian.org/1057715 - only affects i386 architecture
- 1061776 # https://bugs.debian.org/1061776 - only affects ssh jail on systems without rsyslog
- 1037437 # https://bugs.debian.org/1037437 - only affects ssh jail on systems without rsyslog
- 770171 # https://bugs.debian.org/770171 - only affects ssh jail on systems without rsyslog
- 862348 # https://bugs.debian.org/862348 - only affects ssh jail on systems without rsyslog
- 1058777 # https://bugs.debian.org/1058777 - licensing problem, fix available

### DATE/TIME ###
# yes/no: setup ntp time service
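Review bot: The four new `apt_listbugs_ignore_list` entries justified as "only affects ssh jail on systems without rsyslog" (1061776, 1037437, 770171, 862348) are ignored unconditionally, while the justification only holds on hosts that do run rsyslog. Either state in the comment that hosts deployed without rsyslog should drop these entries, or make them conditional. The new comments also do not name the affected package, so a reader has to open each bug to see which upgrade is being unblocked; adding the package name would help. For 1058777 ("licensing problem, fix available"), note when the entry can be removed so the list does not accumulate stale ignores.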
Expand Down Expand Up @@ -601,7 +606,7 @@ dnsmasq_blocklist_whitelist: []
```yaml
##### GITEA ACTIONS RUNNER #####
# FQDN of the gitea instance to register the runner on
gitea_act_runner_gitea_instance_fqdn: "{{ gitea_fqdn | default('git.CHANGEME.org') }}" # TODO rename to _domain
gitea_act_runner_gitea_instance_fqdn: "{{ gitea_fqdn | default('git.CHANGEME.org') }}"
# inventory hostname of the gitea host to register the runner on (if different from the runner host)
# gitea_act_runner_gitea_instance_hostname: "CHANGEME"
# how many tasks the runner can execute concurrently at the same time (integer)
Expand All @@ -625,6 +630,8 @@ gitea_act_runner_labels:
- "ubuntu-22.04:docker://node:16-bullseye"
- "ubuntu-20.04:docker://node:16-bullseye"
- "ubuntu-18.04:docker://node:16-buster"
# prune act-runner's podman downloaded images/stopped containers nightly at 03:30 to save disk space (no/yes)
gitea_act_runner_daily_podman_prune: no
# act-runner version (https://gitea.com/gitea/act_runner/releases, remove leading v)
gitea_act_runner_version: "0.2.6"
# start/stop the gitea actions runner service, enable/disable it on boot (yes/no)
Expand Down Expand Up @@ -666,7 +673,7 @@ gitea_db_host: "/run/postgresql/" # /run/postgresql/ for a local postgresql data
gitea_db_password: "" # leave empty for local postgresql database/peer authentication
gitea_db_port: 5432 # usually 5432 for PostgreSQL, 3306 for MySQL
# gitea version to install - https://github.com/go-gitea/gitea/releases.atom; remove leading v
gitea_version: "1.21.5"
gitea_version: "1.21.7"
# HTTPS and SSL/TLS certificate mode for the gitea webserver virtualhost
# letsencrypt: acquire a certificate from letsencrypt.org
# selfsigned: generate a self-signed certificate
Expand Down Expand Up @@ -1188,7 +1195,7 @@ matrix_synapse_ldap_validate_certs: yes
# enable/disable the synapse-admin virtualhost (redirect users to maintenance page if disabled)
matrix_synapse_admin_enable_service: yes
# synapse-admin version (https://github.com/Awesome-Technologies/synapse-admin/releases)
matrix_synapse_admin_version: "0.8.7"
matrix_synapse_admin_version: "0.9.1"
# list of IP addresses allowed to access synapse-admin and synapse admin API endpoints (IP or IP/netmask format)
# set to empty list [] to allow access from any IP address
matrix_synapse_admin_allowed_hosts: []
Expand All @@ -1204,7 +1211,7 @@ matrix_element_jitsi_preferred_domain: "meet.element.io"
# when matrix_element_video_rooms_mode = 'element_call', domain of the Element Call instance to use for video calls
matrix_element_call_domain: "call.element.io"
# matrix element web client version (https://github.com/vector-im/element-web/releases)
matrix_element_version: "1.11.57"
matrix_element_version: "1.11.59"
# element installation directory
element_install_dir: "/var/www/{{ matrix_element_fqdn }}"
# HTTPS and SSL/TLS certificate mode for the matrix-element webserver virtualhost
Expand Down Expand Up @@ -1268,10 +1275,6 @@ netdata_dbengine_disk_space: 800
netdata_allow_connections_from: '10.* 192.168.* 172.16.* 172.17.* 172.18.* 172.19.* 172.20.* 172.21.* 172.22.* 172.23.* 172.24.* 172.25.* 172.26.* 172.27.* 172.28.* 172.29.* 172.30.* 172.31.*'
# enable netdata cloud/SaaS features (yes/no)
netdata_cloud_enabled: no
# enable/disable netdata debug/error/access logs (yes/no)
netdata_disable_debug_log: yes
netdata_disable_error_log: no
netdata_disable_access_log: yes
# public port (i.e. outside NAT) used to access netdata, used for links in mail notifications, and the xsrv.homepage role
netdata_public_port: 19999
# netdata plugins to disable
Expand Down Expand Up @@ -1399,8 +1402,6 @@ netdata_fping_ping_every: 5000
netdata_fping_update_every: 10
# Do not send notifications on ping check failures (yes/no)
netdata_fping_alarms_silent: no
# aggregate netdata error/health/collector logs to syslog (very verbose) (if nodiscc.xsrv.monitoring_rsyslog role is deployed) (yes/no)
netdata_log_to_syslog: no

## NETDATA STREAMING ##
# stream charts to a "parent" netdata instance (yes/no)
Expand Down Expand Up @@ -1460,18 +1461,37 @@ setup_netdata_apt: yes
##### RSYSLOG LOG PROCESSING SYSTEM #####
# number of daily /var/log/syslog archives to retain
rsyslog_retention_days: 186
# yes/no: enable forwarding of syslog logs to a syslog server (over TLS/TCP)
# enable forwarding of syslog logs to a syslog server over TLS/TCP (no/yes)
rsyslog_enable_forwarding: no
# if forwarding is enabled, hostname/port to forward logs to (e.g. host with the nodiscc.xsrv.graylog role)
# if forwarding is enabled, hostname/port to forward logs to
rsyslog_forward_to_hostname: "logs.CHANGEME.org"
rsyslog_forward_to_port: 5140
# if forwarding is enabled, inventory hostname of the host to forward logs to
rsyslog_forward_to_inventory_hostname: "my.CHANGEME.org"
# enable receiving logs from other hosts over TLS/TCP port 514 (no/yes)
# log collectors must be deployed before clients in the playbook execution order
rsyslog_enable_receive: no
# if rsyslog_enable_receive is enabled, DNS name of this syslog server/collector
rsyslog_fqdn: "logs.CHANGEME.org"
# if rsyslog_enable_receive is enabled, path to the directory to write remote hosts logs to
rsyslog_remote_logs_path: /var/log/rsyslog/hosts
# when rsyslog_enable_forwarding or rsyslog_enable_receive is enabled, start and end validity dates for TLS certificates (YYYYMMDDHHMMSSZ)
rsyslog_cert_not_before: "20240219000000Z"
rsyslog_cert_not_after: "20340219000000Z"
# custom rsyslog configuration directives, applied before forwarding/single-file aggregation (list)
# Example:
# rsyslog_custom_config:
# - ':msg, contains, "failed to read Temperature" stop' # discard messages containing this string
# - 'if $programname == "apache" and re_match($msg, ".* 127.0.0.1 - - .* \"GET /server-status\?auto HTTP/1.1\" 200") then stop' # discard messages matching this program name and regular expression
# - 'if $programname == "CRON" and re_match($msg, "cron:session): session (opened|closed) for user .*") then stop'
rsyslog_custom_config: []
# firewall zones from which to allow incoming logs (zone, state), if rsyslog_enable_receive: yes and nodiscc.xsrv.common/firewalld role is deployed
# 'zone:' is one of firewalld zones, set 'state:' to 'disabled' to remove the rule (the default is state: enabled)
rsyslog_firewalld_zones:
- zone: internal
state: enabled
- zone: public
state: enabled
```
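Review bot: The new `rsyslog_enable_receive` comment documents the collector as listening on "TLS/TCP port 514", while the client-side default in the same hunk is `rsyslog_forward_to_port: 5140`, so a client and a collector both deployed with defaults would not use the same port. Either align the default or expose the listen port as a variable and document the pairing. Two further points in this hunk: `rsyslog_firewalld_zones` enables the `public` zone by default, which opens the collector to every network as soon as `rsyslog_enable_receive` is set (defaulting to `internal` only and letting users opt in to `public` would be the safer default), and `rsyslog_cert_not_before`/`rsyslog_cert_not_after` define a fixed ten-year validity window with no note on how certificates are renewed or rotated.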
Expand Down Expand Up @@ -1587,7 +1607,7 @@ nextcloud_install_dir: "/var/www/{{ nextcloud_fqdn }}"
# full public URL of your nextcloud installation (update this if you changed the install location to a subdirectory)
nextcloud_full_url: "https://{{ nextcloud_fqdn }}/"
# nextcloud version to install
nextcloud_version: "28.0.2"
nextcloud_version: "28.0.3"
# base folder for shared files from other users
nextcloud_share_folder: '/SHARED/'
# default app to open on login. You can use comma-separated list of app names, so if the first app is not enabled for a user then Nextcloud will try the second one, and so on.
Expand Down Expand Up @@ -2036,8 +2056,10 @@ shaarli_version: 'v0.13.0'
# list of IP addresses allowed to access shaarli (IP or IP/netmask format)
# set to empty list [] to allow access from any IP address
shaarli_allowed_hosts: []
# default view mode when using the stack template (small/medium/large)
shaarli_stack_default_ui: "medium"
# shaarli stack template version (https://github.com/RolandTi/shaarli-stack/releases.atom)
shaarli_stack_version: "0.5"
shaarli_stack_version: "0.7"
# php-fpm: Maximum amount of memory a script may consume (K, M, G)
shaarli_php_memory_limit: '128M'
# php_fpm: Maximum execution time of each script (seconds)
2 changes: 1 addition & 1 deletion docs/index.md
Expand Up @@ -8,7 +8,7 @@

[![](https://gitlab.com/nodiscc/xsrv/badges/master/pipeline.svg)](https://gitlab.com/nodiscc/xsrv/-/pipelines)
[![](https://bestpractices.coreinfrastructure.org/projects/3647/badge)](https://bestpractices.coreinfrastructure.org/projects/3647)
[![](https://img.shields.io/badge/latest%20release-1.22.0-blue)](https://gitlab.com/nodiscc/xsrv/-/releases)
[![](https://img.shields.io/badge/latest%20release-1.23.0-blue)](https://gitlab.com/nodiscc/xsrv/-/releases)
[![](https://img.shields.io/badge/docs-readthedocs-%232980B9)](https://xsrv.readthedocs.io)

**Install, manage and run self-hosted network services and applications on your own server(s).**
2 changes: 1 addition & 1 deletion galaxy.yml
@@ -1,6 +1,6 @@
namespace: nodiscc
name: xsrv
version: 1.22.0
version: 1.23.0
readme: README.md
authors:
- nodiscc <[email protected]>
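Review bot: `version: 1.23.0` here is the fourth hand-edited copy of the release number in this commit, alongside the README.md badge, the docs/index.md badge and `version`/`release` in docs/conf.py. A missed copy would ship mismatched metadata; consider deriving them from one place, or adding a CI check that all copies agree with the changelog heading.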