MAR-180: Do not pin pip/setuptools to specific versions when setting up Python virtual environment:
- Provided more details for the pkg-resources workaround.
- Skip installing latest version of pip - it will get installed automatically via the virtualenv command already.
- Do not pin the setuptools package when installing.
- Updated release notes.
MAR-168: Drop the Debian system maintenance user if present:
- Drop the user itself from the MySQL database.
- Update the Debian system maintenance configuration file if root is not specified as the user within.
- Updated tests.
- Updated release notes.
- Updated role reference documentation.
MAR-168: Introduce additional machine in database_server tests for testing deprecated features:
- Updated Molecule configuration, defining an additional machine.
- Set up the new machine with pre-installed MariaDB server instance, root login with password, and separate Debian system maintenance user.
- Set up configuration files for root and Debian system maintenance user login.
- Run the default set of tests on the deprecated machine group.
MAR-175: Mail server should be opportunistic in using TLS when delivering mail to remote servers:
- Previously the mail server would only deliver mails over plaintext.
- Deploy a simple SMTP server on both client1/client2 machines. Servers are set up to require/refuse the STARTTLS over SMTP.
- Added tests for checking if STARTTLS is used when available for mail delivery.
- Fixed the wrong configuration (making sure the TLS security level is properly set for Postfix).
MAR-175: Update Postfix configuration, merging changes from Debian Buster stock installation and latest ISPmail tutorials:
- Added commented-out section for TLS parameters from Debian Buster default configuration. This should slightly help with handling the diffs in the future.
- Added a number of "missing" configuration parameters from the Debian Buster stock configuration.
- Separate relay-related restrictions from spam-related restrictions.
- Updated configuration for RBLs.
- Updated default service definitions in the master.cf configuration to be in line with options defined in Debian Buster. This is primarily revolving around the change to the chroot option. Previously the default was to chroot the processes, while the new default is not to do so. This required marking a number of services to be explicitly chroot'ed.
- Updated the submission service definition in master.cf configuration file. Some minor changes were made, like switching to using the smtpd_relay_restrictions instead of smtpd_recipient_restrictions (better suited configuration option for this use-case since it's not spam-related), being more explicit around TLS being required for authentication.
MAR-174: Enable Message Carbons (XEP-0280) and Message Archive Management (XEP-0313) via xmpp_server role:
- Updated release notes.
- Updated role reference documentation.
- Enable the two modules via Prosody configuration file, and set the archive expiration configuration option for Prosody.
- Updated tests.
MAR-164: Fix Prosody TLS configuration in xmpp_server role:
- Added warning to role reference documentation about what DNS names need to be included in the subject alternative name of issued certificate used for Prosody.
- Added crontab with script that validates the certificate on a daily basis.
- Updated tests to include the proxy.DOMAIN and conference.DOMAIN DNS names in subject alternative name for generated test certificates.
- Added and updated tests that cover new functionality.
- Fixed the Prosody TLS configuration to have common parameters specified in general section, and any kind of overrides (mainly the ciphers) in more specific sections.
- Updated release notes.
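The commit above notes that the Prosody certificate must carry DOMAIN, proxy.DOMAIN and conference.DOMAIN in its subject alternative name, and that a daily cron job validates the certificate. The following is an added example of such a check, not the script from the role: it assumes the certificate path is passed as the first argument, the base domain as the second, that the `openssl` binary is on PATH, and that the three names listed in the commit are the required ones. Wildcard SAN entries are honoured for exactly one left-most label, as TLS clients treat them.

```python
"""Verify that a Prosody certificate's SAN covers every XMPP host name.

Added example (not part of the xmpp_server role). Exit status is non-zero
when a required name is missing, so it can run unattended from cron.
"""
import re
import subprocess
import sys

# The SAN line in `openssl x509 -noout -text` output follows the header on the next line.
SAN_SECTION_RE = re.compile(r"Subject Alternative Name:\s*(.*)")
SAN_DNS_RE = re.compile(r"DNS:([^,\s]+)")

# Constructed sample of `openssl x509 -noout -text` output (trimmed); not a real certificate.
SAMPLE_OPENSSL_OUTPUT = """\
Certificate:
    Data:
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:example.com, DNS:proxy.example.com
            X509v3 Basic Constraints:
                CA:FALSE
"""


def required_names(domain):
    """Names Prosody presents the certificate for, per the role documentation."""
    return {domain, "proxy." + domain, "conference." + domain}


def san_dns_names(openssl_text):
    """Extract the DNS entries from the Subject Alternative Name section only."""
    match = SAN_SECTION_RE.search(openssl_text)
    if match is None:
        return set()
    return set(SAN_DNS_RE.findall(match.group(1)))


def san_matches(san_name, hostname):
    """Exact match, or a wildcard that covers exactly one left-most label."""
    san, host = san_name.lower(), hostname.lower()
    if san == host:
        return True
    if san.startswith("*."):
        # "*.example.com" covers "proxy.example.com" but neither "example.com"
        # nor "a.proxy.example.com" (same number of labels required).
        return host.endswith(san[1:]) and host.count(".") == san.count(".")
    return False


def missing_names(san_names, domain):
    """Required names that no SAN entry covers, sorted for stable output."""
    return sorted(
        name for name in required_names(domain)
        if not any(san_matches(san, name) for san in san_names)
    )


def cert_text(path):
    """Dump the certificate with the system openssl (assumed on PATH)."""
    proc = subprocess.run(
        ["openssl", "x509", "-in", path, "-noout", "-text"],
        check=True, capture_output=True, text=True,
    )
    return proc.stdout


def main(argv):
    if len(argv) != 3:
        print("usage: check_prosody_san.py CERT_PATH DOMAIN", file=sys.stderr)
        return 2
    missing = missing_names(san_dns_names(cert_text(argv[1])), argv[2])
    if missing:
        print("certificate is missing SAN entries for: " + ", ".join(missing), file=sys.stderr)
        return 1
    print("certificate covers all required XMPP names")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from cron as, for example, `check_prosody_san.py /etc/ssl/private/xmpp.example.com_cert.pem example.com` (hypothetical path) and alert on a non-zero exit; the check deliberately parses only the SAN section so that an Issuer Alternative Name or other DNS-looking text elsewhere in the dump cannot mask a missing entry.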
MAR-173: Switch to using Prosody 0.11 as default version in the xmpp_server role:
- Updated default value for the Prosody package parameters.
- Configure the backports repository on the server, and pin the lua-ldap package to be installed from the backports repository (needed for Lua 5.2 support).
- Drop the explicit installation of lua-sec library - it is already installed as pre-requisite for the Prosody package.
MAR-159: Drop the use of futures_version and gunicorn_version parameters from the wsgi_website role:
- Remove related tasks, Gunicorn/Futures should instead be installed via the requirements file.
- Restructure tasks, moving them from the requirements.yml into main.yml.
- Small typo fix for one of the variables.
MAR-159: Set-up defaults for wsgi_requirements and update tests:
- Set defaults for the wsgi_requirements parameter (for running using Python 2).
- Drop the use of futures_version and gunicorn_version from the Molecule tests.
- Updated and deduplicated tests related to testing of installed/requested futures and gunicorn package versions.
MAR-161: Make the ldap_server_domain parameter in the ldap_server role mandatory:
- Updated the ldap_server role.
- Removed default value for the parameter.
- Updated tests.
- Updated role reference documentation.
- Updated release notes.
- Dropped the .local from the Molecule instance names.
MAR-155: Make the ansible_key parameter in the bootstrap role mandatory:
- Updated the preseed role.
- Removed default value for the parameter.
- Updated tests.
- Updated role reference documentation.
- Updated release notes.
MAR-155: Make the ansible_key parameter in the preseed role mandatory:
- Updated the preseed role.
- Removed default value for the parameter.
- Updated tests.
- Updated role reference documentation.
- Updated release notes.
MAR-155: Make the preseed_directory parameter in the preseed role mandatory:
- Updated the preseed role.
- Removed default value for the parameter.
- Updated tests.
- Updated role reference documentation.
- Updated release notes.
MAR-164: Harden the c2s TLS configuration for the XMPP server role:
- Updated the xmpp_server role.
- Added (optional) xmpp_server_tls_protocol and xmpp_server_tls_ciphers parameters for specifying the desired TLS protocol version and ciphers for the c2s connections.
- Updated XMPP server configuration to introduce separate TLS configuration for the s2s and c2s (legacy included) connections.
- Drop support for Prosody 0.9 since it is not possible to have separate TLS configuration for c2s and s2s connections.
- Updated role reference documentation.
MAR-158: Update default TLS ciphers configuration in the mail_server role:
- Updated the default value for parameter mail_server_tls_ciphers.
- Updated tests, making them explicitly test for enabled and disabled ciphers.
- Refactored tests for TLS to use nmap ssl-enum-ciphers script for listing available TLS versions and ciphers.
- Install nmap as part of preparation step.
- Updated role reference documentation.
MAR-158: Refactor ldap_server TLS-related tests to use nmap:
- Updated requirements to include defusedxml for safe parsing of XML reports from nmap.
- Install nmap as part of preparation step.
- Refactored tests for TLS to use nmap ssl-enum-ciphers script for listing available TLS versions and ciphers.
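The MAR-158 commits above (mail_server and ldap_server here, web_server further down) move the TLS tests onto nmap's ssl-enum-ciphers script and parse its XML report with defusedxml. The following is an added example of that approach, not the project's own test code: it parses a constructed nmap `-oX` report (the layout of the nested `table`/`elem` elements mirrors what ssl-enum-ciphers emits, but the host, port and cipher set are invented) and checks the result against an explicit allow/deny policy, so that a test fails both when a forbidden cipher or protocol appears and when a required one is missing. defusedxml is preferred because the report is produced by an external process; the stdlib fallback is only so the example runs where defusedxml is not installed.

```python
"""Check a TLS endpoint's protocols and ciphers from nmap ssl-enum-ciphers XML.

Added example, not the project's Molecule tests. Assumes nmap was run with
`-oX -` so the report is on stdout.
"""
import subprocess

try:
    # Hardened parser: refuses entity expansion and external entities.
    from defusedxml import ElementTree as ET
except ImportError:  # fallback only so the example runs; use defusedxml for real reports
    import xml.etree.ElementTree as ET

# Constructed report, trimmed to the parts ssl-enum-ciphers produces; not a real scan.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun>
<host><ports><port protocol="tcp" portid="636">
<script id="ssl-enum-ciphers" output="(omitted)">
<table key="TLSv1.0">
  <table key="ciphers">
    <table><elem key="name">TLS_RSA_WITH_AES_128_CBC_SHA</elem><elem key="kex_info">rsa 2048</elem><elem key="strength">A</elem></table>
  </table>
  <table key="compressors"><elem>NULL</elem></table>
  <elem key="cipher preference">server</elem>
</table>
<table key="TLSv1.2">
  <table key="ciphers">
    <table><elem key="name">TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</elem><elem key="kex_info">ecdh_x25519</elem><elem key="strength">A</elem></table>
    <table><elem key="name">TLS_RSA_WITH_AES_128_CBC_SHA</elem><elem key="kex_info">rsa 2048</elem><elem key="strength">A</elem></table>
  </table>
  <table key="compressors"><elem>NULL</elem></table>
  <elem key="cipher preference">server</elem>
</table>
<elem key="least strength">A</elem>
</script>
</port></ports></host>
</nmaprun>
"""


def parse_enum_ciphers(xml_text):
    """Return {protocol: [cipher names]} for every ssl-enum-ciphers result in the report."""
    root = ET.fromstring(xml_text)
    results = {}
    for script in root.iter("script"):
        if script.get("id") != "ssl-enum-ciphers":
            continue
        # Each direct child table is one protocol version (e.g. "TLSv1.2").
        for proto in script.findall("table"):
            ciphers = proto.find("table[@key='ciphers']")
            names = [] if ciphers is None else [
                entry.findtext("elem[@key='name']") for entry in ciphers.findall("table")
            ]
            results[proto.get("key")] = names
    return results


def check_policy(results, allowed_protocols, required_ciphers, forbidden_ciphers):
    """Return a sorted list of policy violations; an empty list means the endpoint passes."""
    problems = []
    for proto, ciphers in results.items():
        if proto not in allowed_protocols:
            problems.append("protocol enabled: " + proto)
            continue
        offered = set(ciphers)
        for cipher in sorted(forbidden_ciphers & offered):
            problems.append("forbidden cipher on %s: %s" % (proto, cipher))
        for cipher in sorted(required_ciphers - offered):
            problems.append("required cipher missing on %s: %s" % (proto, cipher))
    for proto in sorted(set(allowed_protocols) - set(results)):
        problems.append("expected protocol not offered: " + proto)
    return sorted(problems)


def scan(host, port):
    """Run nmap against one port and parse the report (nmap assumed on PATH)."""
    proc = subprocess.run(
        ["nmap", "-p", str(port), "--script", "ssl-enum-ciphers", "-oX", "-", host],
        check=True, capture_output=True, text=True,
    )
    return parse_enum_ciphers(proc.stdout)


def sample_violations():
    """Policy check over the constructed report: TLS 1.2 only, no static-RSA CBC suite."""
    return check_policy(
        parse_enum_ciphers(SAMPLE_NMAP_XML),
        allowed_protocols={"TLSv1.2"},
        required_ciphers={"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"},
        forbidden_ciphers={"TLS_RSA_WITH_AES_128_CBC_SHA"},
    )


if __name__ == "__main__":
    for problem in sample_violations():
        print(problem)
```

Asserting on both the required and the forbidden sets is what the commits mean by testing "enabled and disabled ciphers": a test that only checks for the absence of weak suites passes against an endpoint that offers nothing usable, and one that only checks presence passes against an endpoint that still offers the old suites.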
MAR-158: Update default TLS ciphers configuration in the ldap_server role:
- Updated the default value for parameter ldap_tls_ciphers.
- Updated tests, making them explicitly test for enabled and disabled ciphers.
- Updated role reference documentation.
MAR-158: Extended TLS cipher tests for web_server role for optional parameters:
- Extend the existing tests to cover both enabled and disabled ciphers.
- Deduplicate list of all available ciphers for both testing of mandatory and optional parameters.
MAR-158: Update default TLS cipher configuration in the web_server role:
- Updated the default value for parameter web_server_tls_ciphers.
- Updated tests, making them explicitly test for enabled and disabled ciphers.
- Updated role reference documentation.
MAR-158: Split-up the TLS tests for web_server role:
- Better separation for testing individual properties of TLS configuration (whether it's enabled, what protocols are enabled, and finally enabled ciphers).
MAR-150: Use fixtures for X.509 artefacts in the xmpp_server role:
- Removed the statically generated artefacts.
- Generate X.509 artefacts for tests using Gimmecert.
- Updated paths to point to generated artefacts.
- Introduced cleanup playbook for removing generated artefacts.
MAR-150: Use fixtures for X.509 artefacts in the wsgi_website role:
- Removed the statically generated artefacts.
- Generate X.509 artefacts for tests using Gimmecert.
- Updated paths to point to generated artefacts.
- Introduced cleanup playbook for removing generated artefacts.
MAR-150: Use fixtures for X.509 artefacts in the web_server role:
- Removed the statically generated artefacts.
- Generate X.509 artefacts for tests using Gimmecert.
- Updated paths to point to generated artefacts.
- Introduced cleanup playbook for removing generated artefacts.
MAR-150: Use fixtures for X.509 artefacts in the php_website role:
- Removed the statically generated artefacts.
- Generate X.509 artefacts for tests using Gimmecert.
- Updated paths to point to generated artefacts.
- Introduced cleanup playbook for removing generated artefacts.
MAR-150: Use fixtures for X.509 artefacts in the mail_server role:
- Removed the statically generated artefacts.
- Generate X.509 artefacts for tests using Gimmecert.
- Updated paths to point to generated artefacts.
- Introduced cleanup playbook for removing generated artefacts.
- Increase allocated RAM for the mail server to avoid OOM and swapping.
MAR-150: Use fixtures for X.509 artefacts in the mail_forwarder role:
- Removed the statically generated artefacts.
- Generate X.509 artefacts for tests using Gimmecert.
- Updated paths to point to generated artefacts.
- Introduced cleanup playbook for removing generated artefacts.
MAR-150: Use fixtures for X.509 artefacts in the ldap_server role:
- Removed the statically generated artefacts.
- Generate X.509 artefacts for tests using Gimmecert.
- Updated paths to point to generated artefacts.
- Introduced cleanup playbook for removing generated artefacts.
MAR-150: Refactor the common role tests fixture handling:
- Use the cleanup playbook for removing the X.509 generated keys/certificates.
- Drop the fixture.yml playbook, and include it inside of prepare playbook (reduce unnecessary nesting).
MAR-150: Use Gimmecert for X.509 test fixtures in the common role:
- Drop the statically-generated X.509 certificates used for testing.
- Introduce fixture playbook in preparation phase that sets-up the necessary certificates.
- Update the tests to use the fixture.
- Dynamically calculate the OpenSSL hash for CA certificate instead of having the hard-coded value.
- Add the fixture artefacts to .gitignore files.
- Create directory for storing TLS artefacts during base set-up of control machine.
- Use full paths to TLS artefacts for parameters.
- Fix the name of TLS parameters for the XMPP server role.
MAR-162: Make the smtp_relay_truststore parameter mandatory in mail_forwarder role:
- Dropped the defaults from mail_forwarder role.
- Updated group variables in role tests.
- Updated role reference documentation.
- Updated usage instructions to include the mandatory parameter.
- Deduplicated tests for the TLS files.
MAR-162: Make the xmpp_tls_certificate and xmpp_tls_key parameters mandatory in xmpp_server role:
- Dropped the defaults from wsgi_server role.
- Updated group variables in role tests.
- Changed the key/certificate file extensions to be more descriptive.
- Updated role reference documentation.
- Updated usage instructions to include the mandatory parameters.
- Deduplicated tests for the TLS files.
MAR-162: Make the https_tls_certificate and https_tls_key parameters mandatory in wsgi_website role:
- Dropped the defaults from wsgi_server role.
- Updated group variables in role tests.
- Changed the key/certificate file extensions to be more descriptive.
- Updated role reference documentation.
- Updated usage instructions to include the mandatory parameters.
MAR-162: Make the https_tls_certificate and https_tls_key parameters mandatory in php_website role:
- Dropped the defaults from php_server role.
- Updated group variables in role tests.
- Changed the key/certificate file extensions to be more descriptive.
- Updated role reference documentation.
- Updated usage instructions to include the mandatory parameters.
MAR-162: Make the default_https_tls_certificate and default_https_tls_key parameters mandatory:
- Dropped the defaults from web_server role.
- Updated group variables in role tests.
- Changed the key/certificate file extensions to be more descriptive.
- Updated role reference documentation.
- Updated usage instructions to include the mandatory parameters.
MAR-162: Make the mail_ldap_tls_truststore, imap_tls_key, imap_tls_certificate, smtp_tls_key, and smtp_tls_certificate parameters mandatory:
- Dropped the defaults from mail_server role.
- Updated group variables in role tests.
- Changed the key/certificate file extensions to be more descriptive.
- Updated role reference documentation.
- Updated usage instructions to include the mandatory parameters.
MAR-162: Deduplicate TLS private key/certificate tests for LDAP server role:
- Rename the key/certificate files to match the Ansible inventory name.
- Move the tests into test_default.py.
- Change the key/certificate extensions to be more descriptive.
MAR-162: Make the ldap_server_tls_certificate and ldap_server_tls_key parameters mandatory:
- Updated release notes.
- Updated role reference documentation.
- Updated usage instructions to cover set-up of CA hierarchy earlier on in the process.