MAR-181: Increase memory for mail_server role test machines:
- ClamAV eats-up quite a bit of memory, and 1536MB is not enough. Most likely the memory usage will grow over time as the anti-virus database grows since it is loaded up into memory.
MAR-181: Drop support for Debian 9 Stretch from mail_server role:
- Switch to using IPs from VirtualBox default allowed host-only network subnets.
- Use Debian Buster for helper machines.
- Drop Stretch-specific code and tests.
MAR-181: Drop support for Debian 9 Stretch from the backup_client role:
- Provide more details on use of pexpect+sftp backend for Duplicity (backend has to be used on Debian 10 Buster as well, not just Debian 9 Stretch).
- Switch to using IPs from VirtualBox default allowed host-only network subnets.
MAR-165: Deploy Diffie-Hellman parameters for LDAP server in the ldap_server role:
- Not relevant for Debian Stretch because of a bug in the OpenLDAP version it ships with.
- This should allow use of DHE ciphers with LDAP server.
- Generated DH parameters only help pick one of the parameters from RFC-7919 (based on the size of generated ones).
- Make the cipher test lists distro-specific due to differences between supported algorithms in respective GnuTLS versions.
- The workaround was needed on Debian Jessie because the systemctl is-enabled command did not behave correctly for SysV init scripts.
- Drop the installation of the rcconf package.
- Use the "enabled" parameter in service module instead.
MAR-151: Fix The Bug Genie backup example in usage instructions:
- Properly set-up the directory where files are uploaded.
- Update instructions to mention what needs to be done in order to upload some files in The Bug Genie.
MAR-151: Fix authentication issues for backup client in usage instructions:
- Add warning about how Ansible file lookup can mess with trailing newlines.
- Disable stripping of newlines when reading the backup client SSH private key.
MAR-151: Update usage instructions for setting-up PHP web application (The Bug Genie):
- Updated The Bug Genie to version 4.3.1.
- Updated version of Composer used. Stay away from version 2.x due to idempotency problems in Ansible module (see https://github.com/ansible-collections/community.general/issues/1179).
- Fix required version for lib-pcre since Debian Buster links against lib-pcre 10. This should still work fine.
- Instead of listing plaintext web URLs, list just the HTTPS ones.
MAR-151: Switch to Debian 10 Buster in usage instructions:
- Specify that Debian Buster should be used instead of Debian Stretch.
- Switch to using https links where possible.
- Minor fixes to wording/instructions.
- Updated link towards Debian Buster preseed documentation appendix.
- Use Python 3 when serving the preseed files.
- Fixed DNS subject alternative name for the XMPP server (it should be the domain served by the XMPP server, not its canonical FQDN).
- Added small note for database_server role and how it sets-up root account authentication, and update instructions for logging-in into database server as root.
- Include six as dependency for ipcalc (bug in packaging of ipcalc).
- Updated requirements for the application.
- Specify the wsgi_requirements_in parameter, and update the wsgi_requirements parameter.
MAR-151: Added support for Debian 10 Buster to xmpp_server role:
- Updated role reference documentation.
- Updated role meta information.
- Updated tests.
- Enable lower-level TLS protocols (1.0/1.1) in global OpenSSL configuration file on Buster in order to be able to test the xmpp_server_tls_protocol parameter (otherwise Prosody completely refuses to use them even if listed in its configuration).
- Move stretch-specific tests into its own file (for backported lua-ldap library), and run them on Debian 9 Stretch machines only.
MAR-151: Added support for Debian 10 Buster to wsgi_website role:
- Updated role reference documentation.
- Updated role meta information.
- Updated tests.
- Replace the installation of libmariadbclient-dev-compat library with atftp - the actual package is differently named under Debian Stretch and Debian Buster (which would complicate the test without any benefits).
- Drop the fix for root mail alias in Vagrant image - seems it's no longer a problem.
- Split-up the test for web application user since it's not possible to keep it all under one parametrised test due to differences in assigned system UID numbers for Debian Stretch and Debian Buster.
- Make the test for web application user less dependent on what the actual UID number is in case of default value. By default user should be created as system user, which means its UID number should be less than 1000.
MAR-151: Added support for Debian 10 Buster to php_website role:
- Updated role reference documentation.
- Updated role meta information.
- Updated tests.
- Refactor the code to take into account differences in PHP-related paths between Debian Stretch and Debian Buster.
- Make the test for web application user less dependent on what the actual UID number is in case of default value. By default user should be created as system user, which means its UID number should be less than 1000.
- Drop the installation of libmariadbclient-dev-compat library - the test is good enough without it, and the actual package is differently named under Debian Stretch and Debian Buster (which would complicate the test without any benefits).
MAR-151: Added support for Debian 10 Buster to web_server role:
- Updated role reference documentation.
- Updated role meta information.
- Updated tests.
- Refactor the code around handling of different directories and files for PHP 7.0 (Debian Stretch) and PHP 7.3 (Debian Buster).
- Separate socket directory tests for WSGI and PHP applications (due to differences in paths for PHP in Debian Stretch and Debian Buster).
MAR-151: Added support for Debian 10 Buster to preseed role:
- Updated role reference documentation.
- Updated role meta information.
- Updated tests.
- Parametrise distribution release in one of the tests to cover both servers with custom overrides being tested.
MAR-151: Use 2048-bit DH parameter for IMAP server under Debian 10 Buster:
- Deploy a statically-generated DH parameter.
- Set-up DH parameter configuration based on Debian version.
- Implemented test for newly-generated file.
MAR-151: Fix tests that fail due to differences between Debian Stretch and Debian Buster:
- Update the regex patterns used to locate deliveries via Dovecot.
- Enable verbose mode for gnutls-cli in one of the tests in order to show the DH key size.
- Update the list of expected TLS ciphers for SMTP port 25 to account for inclusion of additional ciphers in Debian Buster.
- Fix how the allowed relay IP is being fetched, because host.ansible.get_variables method fails to resolve dynamic variables.
MAR-151: Added support for Debian 10 Buster to mail_server role:
- Updated role reference documentation.
- Updated role meta information.
- Updated tests.
- Improve handling of configured IP in tests to avoid hard-coding the value in the relevant test for Postfix configuration file content.
MAR-151: Added support for Debian 10 Buster to mail_forwarder role:
- Updated role reference documentation.
- Updated role meta information.
- Updated tests.
- Set the smtpd_relay_restrictions configuration option for Postfix SMTP server in mail_forwarder role (required for version found in Debian 10 Buster).
MAR-151: Added support for Debian 10 Buster to database role:
- Updated role reference documentation.
- Updated role meta information.
- Updated tests.
- Fix test that produces different outputs during invocation on Stretch/Buster.
MAR-151: Added support for Debian 10 Buster to database_server role:
- Updated role reference documentation.
- Updated role meta information.
- Updated tests.
- Deploy MariaDB client login configuration prior to setting-up users/passwords for deprecated feature testing to avoid errors when password gets changed in the middle of a task loop.
MAR-151: Added support for Debian 10 Buster to backup_server role:
- Updated role reference documentation.
- Updated role meta information.
- Updated tests.
- Do not use distribution version-specific SSH configuration file for backup server SSH daemon.
MAR-151: Added support for Debian 10 Buster to common role:
- Updated tests.
- Updated role reference documentation.
- Updated role metadata information.
- Refactored IP plan for the test machines for better separation between different types of machines and versions.
- Parametrised tests for limited connectivity using the maintenance mode.
- Don't use MariaDB compat package in tests - name differs between Debian 9 and Debian 10, and relevant parameter is already getting tested properly using the remaining packages.
MAR-163: Attach noqa directives to task names (if skipping is applicable on task level) for better uniformity:
- This way the indentation of comment describing the directive can always be on the same level everywhere (irrespective of how the rest of task arguments are listed).
MAR-163: Reformat multiple skip-QA directives and remove some unnecessary ones:
- Update codes used to identify the disabled QA checks.
- Switch to using new syntax that disables only a specific QA check instead of all of them on a single task.
- Drop disabling QA checks related to octal file permissions (this was most likely bug in older versions of ansible-lint).
MAR-163: Reformat skip-QA directives for ANSIBLE0012 (Commands should not change things if nothing needs doing):
- Update codes used to identify the disabled QA checks.
- Switch to using new syntax that disables only a specific QA check instead of all of them on a single task.
- Drop disabling QA checks on two command tasks, since they actually use the "creates" directive (therefore passing the QA check).
MAR-163: Refactor the connectivity test in mail_server role:
- Parametrise the test instead of looping within. Should help getting cleaner error messages on what port has failed while also running the test for every combination.
- Use safer way to pass arguments to host.run invocation.
MAR-163: Refactor the test_imap_authentication_requires_tls test:
- Parametrise the tests.
- Reduce code duplication.
- Make the host.run invocation slightly safer (currently it does not matter, but it looks nicer this way).
MAR-160: Added maintenance and maintenance_allowed_hosts parameters to common role:
- Lets the user specify list of hosts for which the incoming connections should be allowed.
- Defaults are not to limit connectivity.
- Implemented the necessary tests.
- Set-up the base ferm/firewall rules if maintenance mode is enabled.
MAR-160: Minor fixes while preparing the machines:
- Use the correct path for initialised CA hierarchy.
- Remove the ss utility instead of renaming it in order to avoid issues when rerunning the prepare step during testing.
MAR-180: Do not pin pip/setuptools to specific versions when setting up Python virtual environment:
- Provided more details for the pkg-resources workaround.
- Skip installing latest version of pip - it will get installed automatically via the virtualenv command already.
- Do not pin the setuptools package when installing.
- Updated release notes.
MAR-177: Do not pin pip/setuptools to specific versions when setting up Python virtual environment:
- Provided more details for the pkg-resources workaround.
- Skip installing latest version of pip - it will get installed automatically via the virtualenv command already.
- Do not pin the setuptools package when installing.
- Updated release notes.
MAR-168: Drop the Debian system maintenance user if present:
- Drop the user itself from the MySQL database.
- Update the Debian system maintenance configuration file if root is not specified as the user within.
- Updated tests.
- Updated release notes.
- Updated role reference documentation.
MAR-168: Introduce additional machine in database_server tests for testing deprecated features:
- Updated Molecule configuration, defining an additional machine.
- Set-up the new machine with pre-installed MariaDB server instance, root login with password, and separate Debian system maintenance user.
- Set-up configuration files for root and Debian system maintenance user login.
- Run the default set of tests on the deprecated machine group.
MAR-175: Mail server should be opportunistic in using TLS when delivering mail to remote servers:
- Previously the mail server would only deliver mails over plaintext.
- Deploy a simple SMTP server on both client1/client2 machines. Servers are set-up to require/refuse the STARTTLS over SMTP.
- Added tests for checking if STARTTLS is used when available for mail delivery.
- Fixed the wrong configuration (making sure the TLS security level is properly set for Postfix).
MAR-175: Update Postfix configuration, merging changes from Debian Buster stock installation and latest ISPmail tutorials:
- Added commented-out section for TLS parameters from Debian Buster default configuration. This should slightly help with handling the diffs in the future.
- Added a number of "missing" configuration parameters from the Debian Buster stock configuration.
- Separate relay-related restrictions from spam-related restrictions.
- Updated configuration for RBLs.
- Updated default service definitions in the master.cf configuration to be in-line with options defined in Debian Buster. This is primarily revolving around the change to the chroot option. Previously the default was to chroot the processes, while new default is not to do so. This required marking a number of services to be explicitly chroot'ed.
- Updated the submission service definition in master.cf configuration file. Some minor changes were made, like switching to using the smtpd_relay_restrictions instead of smtpd_recipient_restrictions (better suited configuration option for this use-case since it's not spam-related), being more explicit around TLS being required for authentication.
MAR-174: Enable Message Carbons (XEP-0280) and Message Archive Management (XEP-0313) via xmpp_server role:
- Updated release notes.
- Updated role reference documentation.
- Enable the two modules via Prosody configuration file, and set the archive expiration configuration option for Prosody.
- Updated tests.
MAR-164: Fix Prosody TLS configuration in xmpp_server role:
- Added warning to role reference documentation about what DNS names need to be included in the subject alternative name of issued certificate used for Prosody.
- Added crontab with script that validates the certificate on daily basis.
- Updated tests to include the proxy.DOMAIN and conference.DOMAIN DNS names in subject alternative name for generated test certificates.
- Added and updated tests that cover new functionality.
- Fixed the Prosody TLS configuration to have common parameters specified in general section, and any kind of overrides (mainly the ciphers) in more specific sections.
- Updated release notes.