version = '1.6.0'

release = '1.6.0'

1.6.0

-----

GENERAL DESCRIPTION

Breaking changes:

* All roles

  * Previously a number of roles would modify permissions on the ``/srv``

    directory. This has now been fixed in order to prevent weird backup failures

    etc. Manual intervention is necessary on existing servers to fix the issue

    by changing the mode to ``0755`` (this is the usual default upon the OS

    installation).

* ``mail_server`` role

  * Since Postfix will now fall-back to using ``/etc/hosts`` if it cannot

    resovle a domain via DNS, some special care may be needed in case you have

    some unusual entries in ``/etc/hosts``. Normally this should not be an

    issue, though.

* ``backup_client`` role

  * Up to this point, if you had more than one additional encryption key

    specified in configuration, only the first one was taken into account. This

    is a major issue since it would render backups up to this point decryptable

    only with one of the keys. It is highly suggested to perform a full backup

    after upgrading to new version of Majic Ansible Roles via command::

      sudo duply main full

    This will ensure the most recent backup is decryptable with all additional

    keys!

New features/improvements:

* Added new documentation chapter dedicated to development.

* Added ``requirements.txt`` that can be used for installing the required

  packages in virtual environment (useful for development).

* Small fixes (mostly typos and such) throughout the documentation.

* All roles

  * Implemented tests using Molecule. See documentation for instructions on how

    to run tests.

  * Small internal refactorings to make things simpler and easier to maintain.

* ``common`` role

  * Added missing documentation for parameters ``pipreqcheck_uid`` and

    ``pipreqcheck_gid``.

* ``mail_server`` role

  * Updated Postfix configuration to fall-back to using ``/etc/hosts`` if DNS

    lookup fails. This allows for more flexibility when testing and deploying if

    proper DNS is not available.

Bug-fixes:

* All roles

  * Fixed how TLS key and certificate material is deployed in order to avoid

    mangling of tabs.

  * Fixed how file modes are specified in tasks to ensure correct permissions

    are applied.

  * Fixed missing ``become`` keyword in tasks that use ``become_user`` for

    consistent execution.

* ``backup_client`` role

  * Fixed configuration (and documentation) for specifying the backup server

    URI - previous implementation included too many forward slashes which could

    cause failures in case of custom SSH server being used for backup.

  * Fixed configuration of additional encryption keys to include all keys listed

    instead of just the first one.

  * Fixed issue with ``backup_server_port`` parameter being completely ignored

    in the configuration.

  * Fixed issue with missing ``/etc/duply/main/include`` configuration file in

    case no backup patterns are deployed.

* ``backup_server`` role

  * Fixed deployment of backup server SSH keys in order to avoid unusable

    ``ed25519`` keys.

* ``common`` role

  * Fixated version of ``pip`` installed for performing Pyhton requirements

    package upgrade checks.

  * Fixed incorrect documentation for parameter ``additional_groups``.

  * Fixed ownership setting for firewall configuration file.

  * Fixed script used for performing checks on pip requirementes files for

    availalbe package upgrades. False positives due to different sorting will

    not be reported anymore, and the script will actually make sure to check if

    upgrades are available (which was not the case before due ot missing

    paramter to pip-compile).

* ``ldap_server`` role

  * Fixed invalid configuration of LDAP server package via

    ``debconf-set-selections`` (wrong option was used for

    ``shared/organization``).

  * Fixed role documentation example for parameter ``ldap_entries`` (was using

    obsolete syntax of ``ldap_entry`` module).

  * When making changes to the LDAP server configuration, make sure to use Unix

    socket. This way the role does not depend on correct LDAP client

    configuration.

* ``mail_server`` role

  * Fixed Postfix main configuraiton file permissions set-up to be explicit.

  * Fixed issue where Postfix server is not restarted when the truststore (used

    for verifying the LDAP server certificate) is changed.

  * Fixed issue with Postfix configuration where the parameter ``mail_user`` was

    ignored when making deliveries to Dovecot (old implementation used fixed

    value of ``vmail`` instead of parameter).

* ``php_website`` role

  * Fixed Nginx configuration file to use correct parameter (``enforce_https``

    instead of ``default_enforce_https``) when configuring HSTS. Previously it

    was possible to set the parameter to ``no``, and still end-up with HSTS

    headers being set-up.

* ``wsgi_website`` role

  * Fixed Nginx configuration file to use correct parameter (``enforce_https``

    instead of ``default_enforce_https``) when configuring HSTS. Previously it

    was possible to set the parameter to ``no``, and still end-up with HSTS

    headers being set-up.

* ``xmpp_server`` role

  * Fixed invalid default value for paramerer ``xmpp_domains`` - it should be a

    list and not a simple string. Previously this would result in invalid domain

    set-up in Prosody configuration file.

  * Fixed issue with permissions not being set on Prosody configuration file,

    making it world-readable (the configuration file contains passwords).

1.5.1

-----

Small bug-fix release for misbehaving package upgrade checks.

Bug-fixes:

* ``common`` role

  * Fixed script used for performing checks on pip requirementes files for

    availalbe package upgrades. False positives due to different sorting will

    not be reported anymore, and the script will actually make sure to check if

    upgrades are available (which was not the case before due ot missing

    paramter to pip-compile).

-----

     git checkout -b 1.6.0 1.6.0