Release notes

=============

7.0.0

-----

Dropped support for Debian 9 (Stretch), moved away from using

non-Debian project repositories (like Prosody ones).

**Breaking changes:**

* All roles

  * Dropped support for Debian 9 (Stretch).

* ``xmpp_server`` role

  * Parameter ``xmpp_prosody_package`` has been dropped.

**New features/improvements**

* ``common`` role

  * Added parameters ``pip_check_requirements_in`` and

    ``pip_check_requirements_py3_in`` that can be used for specifying

    input requirements when checking for available package upgrades

    for Python virtual environments that are used for the checks

    themselves. This is particularly helpful in cases where Python

    version gets deprecated and some packages do not correctly declare

    the minimum version required, allowing to be more specific to

    avoid unnecessary warning mails being sent out.

  * Updated default package pins for virtual environments used to

    check for available pip package upgrades.

* ``mail_server`` role

  * Added parameter ``mail_server_smtp_additional_configuration`` that

    provides ability to include additional configuration directives

    for the SMTP server.

* ``xmpp_server`` role

  * Drop dependency on the external (Prosody) package

    repository. Install everything using official Debian

    repositories. This should help avoid future issues with Prosody

    project removing older versions of packages or dropping entire

    repository archives for older Debian releases.

  * Prosody package and some of its dependencies are installed from

    Debian backports to get more featureful release installed.

  * Role no longer depends on fetching external Prosody modules from

    project code repository, and instead relies on the prosody-modules

    package for LDAP authentication module.

6.0.0

-----

Added support for Debian 10 (Buster), alongside a couple of minor

changes and features/improvements.

**Breaking changes:**

* ``ldap_server`` role

  * Use 2048-bit Diffie-Hellman parameters for relevant TLS

    ciphers. This could introduce incompatibility with older

    clients/servers trying to connect to the LDAP server. This change

    is applicable only under Debian Buster.

**New features/improvements:**

* All roles

  * Added support for Debian 10 (Buster).

* ``common`` role

  * Added parameters ``maintenance`` and ``maintenance_allowed_hosts``

    for enabling maintenance mode. In maintenance mode only the listed

    hosts are allowed to connect to the server.

**Bug fixes:**

* ``ldap_server`` role

  * Allow use of DHE TLS ciphers by generating the necessary

    Diffie-Hellman parameters. This bug fix is applicable only under

    Debian Buster.

* ``wsgi_website_`` role

  * When the virtual environment is created, the ``setuptools`` and

    ``pip`` packages will not get pinned to any specific version,

    allowing roles that are based on ``wsgi_website`` to easily

    install preferred versions, and avoid idempotence problems in the

    process.

5.0.0

-----

Upgrade to Ansible 2.9.x, dropping support for Debian 8 Jessie,

upgrade to Python 3.x, dropping support for Python 2.7. A number of

parameters have been made mandatory or deprecated. Security has been

slightly improved in a number of roles, and there is plenty of

bug-fixes and minor improvements throughout as well.

**Breaking changes:**

* Switched to Ansible 2.9.x, removing support for older versions. All

  documentation has been updated.

* Switched to using Python 3 on both controller and managed server

  side. Python 2.7 can no longer be used for this purpose. Support for

  WSGI applications running on Python 2.7 remains.

* All roles

  * Support for Debian 8 Jessie has been dropped.

  * Common parameters ``tls_private_key_dir`` and

    ``tls_certificate_dir`` are no longer used.

  * TLS private key and certificate parameters are now mandatory.

* ``bootstrap`` role

  * Parameter ``ansible_key`` is now mandatory.

* ``common`` role``

  * Minimum version of ``pip-tools`` in the ``pip_check_requirements``

    and ``pip_check_requirements_py3`` is now 5.3.0. This change was

    required in order to fix the deprecation warnings being sent out

    when the ``pip_check_requirements_upgrades.sh`` script is run.

* ``database_server`` role

  * Parameter ``db_root_password`` has been deprecated. The root user

    can now login into the database (as the root database user) via

    unix socket authentication.

  * Role will drop the use of Debian system maintenance user

    (``debian-sys-maint``) in favour of using the root account with

    UNIX socket authentication if the database server has not already

    been set-up in that manner. This is the default behaviour starting

    from Debian Stretch, and the ``debian-sys-main`` will be present

    only if the server has been upgraded from older releases.

* ``ldap_server`` role

  * Parameter ``ldap_server_domain`` is now mandatory.

  * Updated default set of TLS ciphers used by server

    (``ldap_tls_ciphers`` parameter). All CBC ciphers have been

    dropped. This could introduce incompatibility with older clients

    trying to connect to the LDAP server.

* ``mail_forwarder`` role

  * Use 2048-bit Diffie-Hellman parameters for relevant TLS

    ciphers. This could introduce incompatibility with older

    clients/servers trying to connect to the SMTP server.

* ``mail_server`` role

  * Use 2048-bit Diffie-Hellman parameters for relevant TLS

    ciphers. This could introduce incompatibility with older

    clients/servers trying to connect to the SMTP/IMAP server.

  * Updated default set of TLS ciphers used by IMAP/SMTP servers

    (``mail_server_tls_ciphers`` parameter). All CBC ciphers have been

    dropped. This could introduce incompatibility with older clients

    trying to connect to the IMAP/SMTP server.

  * Dropped the use of ``procmail`` for local mail deliveries.

* ``php_website`` role

  * Parameter ``enforce_https`` has been deprecated and

    removed. HTTPS is now mandatory in all cases.

* ``preseed`` role

  * Parameter ``ansible_key`` is now mandatory.

  * Parameter ``preseed_directory`` is now mandatory.

* ``web_server`` role

  * Use 2048-bit Diffie-Hellman parameters for relevant TLS

    ciphers. This could introduce incompatibility with older clients

    trying to connect to the web server.

  * Updated default set of TLS ciphers used by the server

---

- name: Set-up fixtures

  hosts: localhost

  connection: local

  gather_facts: false

  tasks:

    - name: Initialise CA hierarchy

      command: "gimmecert init"

      args:

        creates: ".gimmecert/ca/level1.cert.pem"

        chdir: "tests/data/"

    - name: Generate server private keys and certificates

      command:

      args:

        chdir: "tests/data/"

        creates: ".gimmecert/server/{{ item.name }}.cert.pem"

        argv: "{{ ['gimmecert', 'server', item.name] + item.fqdn }}"

      with_items:

        - name: ldap-server_ldap

          fqdn:

            - ldap-server

        - name: parameters-mandatory-buster64_xmpp

          fqdn:

            - parameters-mandatory

            - domain1

            - proxy.domain1

            - conference.domain1

        - name: parameters-optional-buster64_xmpp

          fqdn:

            - parameters-optional

            - domain2

            - proxy.domain2

            - conference.domain2

            - domain3

            - proxy.domain3

            - conference.domain3

        - name: deprecated-buster64_xmpp

          fqdn:

            - deprecated

            - domain4

            - proxy.domain4

            - conference.domain4

    - name: Set-up link to generated X.509 material

      file:

        src: ".gimmecert"

        dest: "tests/data/x509"

        state: link

- name: Prepare

  hosts: all

  gather_facts: false

  tasks:

    - name: Install python for Ansible

      raw: test -e /usr/bin/python3 || (apt -y update && apt install -y python3-minimal)

      become: true

      changed_when: false

- hosts: all

  become: true

  tasks:

    - name: Update all caches to avoid errors due to missing remote archives

      apt:

        update_cache: true

      changed_when: false

    - name: Install tools for testing

      apt:

        name:

          - gnutls-bin

          - nmap

        state: present

    - name: Use name provided via CLI when running STARTTLS handshake for XMPP via nmap

      replace:

        path: "/usr/share/nmap/nselib/sslcert.lua"

        regexp: "host\\.name\\)"

        replace: "host.targetname)"

- hosts: buster

  become: true

  tasks:

    - name: Set-up the hosts file

      lineinfile:

        path: /etc/hosts

        regexp: "^{{ item.key }}"

        line: "{{ item.key }} {{ item.value }}"

        owner: root

        group: root

        mode: 0644

        state: present

      with_dict:

        192.168.56.10: "ldap-server backup-server"

        192.168.56.20: "client-buster"

        192.168.56.30: "parameters-mandatory domain1 proxy.domain1 conference.domain1"

        192.168.56.31: "parameters-optional domain2 proxy.domain2 conference.domain2 domain3 proxy.domain3 conference.domain3"

        192.168.56.32: "deprecated domain4 proxy.domain4 conference.domain4"

    - name: Enable TLSv1.0+ in global OpenSSL configuration file in order to be able to test the xmpp_server_tls_protocol parameter

      lineinfile:

        path: "/etc/ssl/openssl.cnf"

        regexp: "^MinProtocol ="

        line: "MinProtocol = TLSv1.0"

        owner: root

        group: root

        mode: 0644

        state: present

    # @WORKAROUND: Prosody repository override

    #

    # Prosody project has killed off Debian Buster repositories. Trick

    # the system to install packages from custom repository location

    # instead.

    - name: Override server IP for Prosody repository via hosts file

      lineinfile:

        path: /etc/hosts

        regexp:

        line: "{{ lookup('dig', 'prosody.repo.majic.rs') }} packages.prosody.im"

        owner: root

        group: root

        mode: 0644

        state: present

      tags:

        - workaround:prosody_repository_override

    - name: Add workaround Prosody repository signing key

      apt_key:

        data: "{{ lookup('file', 'workaround_prosody_repository_signing_key.asc') }}"

        state: present

      tags:

        - workaround:prosody_repository_override

- hosts: deprecated

  become: true

  tasks:

    - name: Add Prosody repository signing key

      apt_key:

        data: "{{ lookup('file', 'prosody-debian-gpg-key.asc') }}"

        state: present

    - name: Add Prosody repository

      apt_repository:

        repo: "deb http://packages.prosody.im/debian {{ ansible_distribution_release }} main"

        state: present

    - name: Install Prosody (from Prosody repository)

      apt:

        name: prosody-0.11

        state: present

    - name: Set-up directory for storing additional Prosody modules

      file:

        path: "/usr/local/lib/prosody/modules/"

        state: directory

        owner: root

        group: root

        mode: 0755

- hosts: clients

  become: true

  tasks:

    - name: Install tool for testing TCP connectivity

      apt:

        name: hping3

        state: present

    - name: Deploy CA certificate

      copy:

        src: tests/data/x509/ca/level1.cert.pem

        dest: /usr/local/share/ca-certificates/testca.crt

        owner: root

        group: root

        mode: 0644

      notify:

        - Update CA certificate cache

    - name: Install console-based XMPP client (for interactive testing)

      apt:

        name: mcabber

        state: present

    - name: Install console-based XMPP tool (for non-interactive testing)

      apt:

        name: sendxmpp

        state: present

    - name: Create dedicated group for testing

      group:

        name: user

        state: present

    - name: Create dedicated user for testing

      user:

        name: user

        group: user

        shell: /bin/bash

    - name: Deploy mcabber configuration files

      template:

        src: tests/data/mcabber.cfg.j2

        dest: "~user/{{ item.jid }}.cfg"

        owner: user

        group: user

        mode: 0600

      with_items:

        - jid: john.doe@domain1

          password: johnpassword

          server: domain1

          security: tls

          nickname: john.doe

        - jid: jane.doe@domain2

          password: janepassword

          server: domain2

          security: ssl

          nickname: jane.doe

        - jid: mick.doe@domain3

          password: mickpassword

          server: domain3

          security: tls

          nickname: mick.doe

        - jid: noxmpp@domain1

          password: noxmpppassword

          server: domain1

          security: tls

          nickname: noxmpp

        - jid: eve.doe@domain4

          password: evepassword

          server: domain4

          security: tls

          nickname: eve.doe

  handlers:

    - name: Update CA certificate cache

      command: /usr/sbin/update-ca-certificates --fresh

- hosts: ldap-server

  become: true

  roles:

    - ldap_server

    - backup_server

- hosts: ldap-server

  become: true

  tasks:

    - name: Create LDAP accounts for testing

      ldap_entry:

        dn: "{{ item.dn }}"

        objectClass: "{{ item.objectClass }}"

        attributes: "{{ item.attributes }}"

      with_items:

        - dn: uid=john,ou=people,dc=local

          objectClass:

            - inetOrgPerson

            - simpleSecurityObject

          attributes:

            userPassword: johnpassword

            uid: john

            cn: John Doe

            sn: Doe

            mail: john.doe@domain1

        - dn: uid=jane,ou=people,dc=local

          objectClass:

            - inetOrgPerson

            - simpleSecurityObject

          attributes:

            userPassword: janepassword

            uid: jane

            cn: Jane Doe

            sn: Doe

            mail: jane.doe@domain2

        - dn: uid=mick,ou=people,dc=local

          objectClass:

            - inetOrgPerson

            - simpleSecurityObject

          attributes:

            userPassword: mickpassword

            uid: mick

            cn: Mick Doe

            sn: Doe

            mail: mick.doe@domain3

        - dn: uid=noxmpp,ou=people,dc=local

          objectClass:

            - inetOrgPerson

            - simpleSecurityObject

          attributes:

            userPassword: noxmpppassword

            uid: noxmpp

            cn: No XMPP

            sn: XMPP

            mail: noxmpp@domain1

        - dn: uid=eve,ou=people,dc=local

          objectClass:

            - inetOrgPerson

            - simpleSecurityObject

          attributes:

            userPassword: evepassword

            uid: eve

            cn: Eve Doe

            sn: Doe

            mail: eve.doe@domain4

    - name: Add test accounts to correct group

      ldap_attr:

        dn: "cn=xmpp,ou=groups,dc=local"

        name: uniqueMember

        state: exact

        values:

          - uid=john,ou=people,dc=local

          - uid=jane,ou=people,dc=local

          - uid=mick,ou=people,dc=local

          - uid=eve,ou=people,dc=local

- hosts: parameters-mandatory,parameters-optional,deprecated

  become: true

  tasks:

    - name: Install console-based XMPP tool (for non-interactive testing)

      apt:

        name: sendxmpp

        state: present

    - name: Deploy small Lua script for listing the enabled modules in Prosody

      copy:

        src: list_prosody_modules.lua

        dest: "/usr/local/bin/list_prosody_modules.lua"

        owner: root

        group: root

        mode: 0755

---

- name: Install Python apt bindings

  apt:

    name: python-apt

  file:

    path: "/usr/local/lib/prosody/"

    state: absent

  notify:

    - Restart Prosody

- name: Collect information about installed packages

  package_facts:

- name: Uninstall Prosody from project-provided repository

  apt:

    name: prosody

    state: absent

  when:

    - "ansible_facts.packages['prosody'] is defined"

    - "'nightly' in ansible_facts.packages['prosody'][0].version"

- name: Uninstall Prosody dependencies from project-provided repository

  apt:

    name:

      - lua-expat

      - lua-filesystem

      - lua-sec

      - lua-socket

    state: absent

  when: >-

    (ansible_facts.packages['lua-expat'] is defined and 'prosody' in ansible_facts.packages['lua-expat'][0].version)

    or (ansible_facts.packages['lua-filesystem'] is defined and 'prosody' in ansible_facts.packages['lua-filesystem'][0].version)

    or (ansible_facts.packages['lua-sec'] is defined and 'prosody' in ansible_facts.packages['lua-sec'][0].version)

    or (ansible_facts.packages['lua-socket'] is defined and 'prosody' in ansible_facts.packages['lua-socket'][0].version)

- name: Remove Prosody project-provided apt key

  apt_key:

    id: "{{ item }}"

    state: absent

  with_items:

    - "107D65A0A148C237FDF00AB47393D7E674D9DBB5"

    - "44AB6DD06DA46979CFAF997F9B1B82786C8F28BA"

- name: Remove Prosody project-provided repository

  apt_repository:

    repo: "deb http://packages.prosody.im/debian {{ ansible_distribution_release }} main"

    state: absent

- name: Install additional Prosody dependencies

  apt:

    name:

      - lua-ldap

      - prosody-modules

    state: present

  notify:

    - Restart Prosody

- name: Install Prosody

  apt:

    name: prosody

    state: present

  notify:

    - Restart Prosody

- name: Allow Prosody user to traverse the directory with TLS private keys

  user:

    name: prosody

    append: true

    groups: ssl-cert

- name: Deploy XMPP TLS private key

  copy:

    dest: "/etc/ssl/private/{{ ansible_fqdn }}_xmpp.key"

    content: "{{ xmpp_tls_key }}"

    owner: root

    group: prosody

    mode: 0640

  notify:

    - Restart Prosody

- name: Deploy XMPP TLS certificate

  copy:

    dest: "/etc/ssl/certs/{{ ansible_fqdn }}_xmpp.pem"

    content: "{{ xmpp_tls_certificate }}"

    owner: root

    group: root

    mode: 0644

  notify:

    - Restart Prosody

- name: Generate the XMPP server Diffie-Hellman parameter

  openssl_dhparam:

    owner: root

    group: prosody

    mode: 0640

    path: "/etc/ssl/private/{{ ansible_fqdn }}_xmpp.dh.pem"

    size: 2048

  notify:

    - Restart Prosody

- name: Deploy configuration file for checking certificate validity via cron

  copy:

    content: "/etc/ssl/certs/{{ ansible_fqdn }}_xmpp.pem"

    dest: "/etc/check_certificate/{{ ansible_fqdn }}_xmpp.conf"

    owner: root

    group: root

    mode: 0644

- name: Deploy script for validating Prosody certificate

  copy:

    src: "check_prosody_certificate.sh"

    dest: "/usr/local/bin/check_prosody_certificate.sh"

    owner: root

    group: root

    mode: 0755

- name: Set-up crontab task that runs the Prosody certificate checker script once a day

  copy:

    src: "cron_check_prosody_certificate"

    dest: "/etc/cron.d/check_prosody_certificate"

    owner: root

    group: root

    mode: 0644

- name: Deploy Prosody configuration file

  template:

    src: "prosody.cfg.lua.j2"

    dest: "/etc/prosody/prosody.cfg.lua"

    owner: root

    group: prosody

    mode: 0640

  notify:

    - Restart Prosody

- name: Enable and start Prosody service

  service:

    name: prosody

    state: started

    enabled: true

- name: Deploy firewall configuration for XMPP server

  copy:

    src: "ferm_xmpp.conf"

    dest: "/etc/ferm/conf.d/30-xmpp.conf"

    owner: root

    group: root

    mode: 0640

  notify:

    - Restart ferm

- name: Explicitly run all handlers

  include: ../handlers/main.yml

  when: "run_handlers | default(False) | bool()"

  tags:

    - handlers