Release notes

=============

NEXT RELEASE

------------

Upgrade to Ansible 2.9.x, dropping support for Debian 8 Jessie,

upgrade to Python 3.x, dropping support for Python 2.7.

Breaking changes:

* Switched to Ansible 2.9.x, removing support for older versions. All

  documentation has been updated.

* Switched to using Python 3 on both controller and managed server

  side. Python 2.7 can no longer be used for this purpose. Support for

  WSGI applications running on Python 2.7 remains.

* All roles

  * Support for Debian 8 Jessie has been dropped.

  * TLS private key and certificate parameters are now mandatory.

* ``mail_forwarder`` role

  * Use 2048-bit Diffie-Hellman parameters for relevant TLS

    ciphers. This could introduce incompatibility with older

    clients/servers trying to connect to the SMTP server.

* ``mail_server`` role

  * Use 2048-bit Diffie-Hellman parameters for relevant TLS

    ciphers. This could introduce incompatibility with older

    clients/servers trying to connect to the SMTP/IMAP server.

* ``web_server`` role

  * Use 2048-bit Diffie-Hellman parameters for relevant TLS

    ciphers. This could introduce incompatibility with older clients

    trying to connect to the web server.

* ``xmpp_server`` role

  * Use 2048-bit Diffie-Hellman parameters for relevant TLS

    ciphers. This could introduce incompatibility with older

    clients/servers trying to connect to the XMPP server.

Bug fixes:

* ``common`` role

  * Run apticron at least once during initial installation to avoid

    accidental locking later on during the same playbook run.

New features/improvements:

* Tests have been updated to work with latest Molecule/Testinfra as

  part of the Ansible upgrade process.

* ``mail_forwader`` role

  * The role now supports specifying the maximum mail message size

    limit for the SMTP server to accept via

    ``mail_message_size_limit`` role parameter.

* ``mail_server`` role

  * The role now supports specifying the maximum mail message size

    limit for the SMTP server to accept via

    ``mail_message_size_limit`` role parameter.

Deprecations:

* ``backup_server`` and ``backup_client`` role

  * Officially dropped support for DSA keys (this was mainly remnant

    from Debian 8 Jessie support, on Debian 9 Stretch and upwards the

    DSA keys were not supported at all).

4.0.0

-----

A couple of smaller bug-fixes, and introduction of (minor) breaking

change related to handling of pip requirements upgrade checks in the

``common`` role (see below).

Breaking changes:

* ``common`` role:

  * Added separate parameter (``pip_check_requirements_py3``) for

    specifying dedicated Python 3 virtual environment package

    requirements used for package upgrade checks on (other

    user-provided) Python 3 virtual environments. If the existing

    ``pip_check_requirements`` parameter has been overridden, the new

    parameter will most likely need to be overridden in your site

    configuration as well. Take note that the new requirements will

    differ between Debian Jessie and Debian Stretch due to differnece

    in Python 3 minor version releases.

Bug fixes:

* ``backup_client`` role

  * Avoid errors related to lack of ``tty`` when invoking the GnuPG

    utility by using the ``--no-tty`` option.

* ``common`` role

  * Fixed problem with pip requirements upgrades checks outputting

    package list to stderr, causing the cron job to report outdated

    packages to administrator even though nothing is outdated (cron

    job treats anything output to stderr as worthy of notification).

3.1.0

.. _rolereference:

Role Reference

==============

Common parameters

-----------------

A number of common parameters are used by all of the roles during

deployment. This section lists such parameters.

**enable_backup** (boolean, optional, ``False``)

  If set to ``True``, and the role supports backups, server will be configured

  for back-up of role's data. See role description for more details on what is

  backed-up and if the option is available. Just keep in mind that if you enable

  this globally, all the roles will be running backup-specific tasks. If the

  option has been enabled, the ``backup_client`` role will be included

  automatically (see the role reference for details on parameters that need to

  be provided in the case).

Preseed

-------

The ``preseed`` role can be used for generating simple preseed files for Debian

Wheezy installations.

The generated preseed files allow simplified installation, with a single root

partition. There is a number of parameters that allow for customising the

content of preseed files.

It is possible to specify parameter values that should be used for all servers,

as well for individual servers. It is also possible to combine this approach,

defining global parameters that get overridden per server.

The role will by default process all hosts from the inventory, generating one

preseed file per server.

Parameters

~~~~~~~~~~

**ansible_key** (string, optional, ``{{ lookup('file', '~/.ssh/id_rsa.pub') }}``)

  SSH public key that should be deployed to authorized_keys truststore for

  operating system user ``root``. This is necessary for the bootstrap process

  to work since Debian does not allow password-based logins for root.

**preseed_country** (string, optional, ``SE``)

  Country.

**preseed_directory** (string, optional, ``../preseed_files/``)

  Destination directory where the preseed files should be stored.

  .. warning::

     Do not name this directory ``preseed`` if it lies on a path where Ansible

     would normally look-up the roles (it will conflict with the role name).

**preseed_dns** (string, mandatory if **preseed_network_auto** is ``no``)

  Comma-separated list of DNS servers.

**preseed_domain** (string, mandatory if **preseed_network_auto** is ``no``)

  Server domain.

**preseed_gateway** (string, mandatory if **preseed_network_auto** is ``no``)

  Default gateway for the server.

**preseed_hostname** (string, mandatory if **preseed_network_auto** is ``no``)

  Server hostname.

**preseed_ip** (string, mandatory if **preseed_network_auto** is ``no``)

  IP address for the server network interface.

**preseed_keymap** (string, optional, ``us``)

  Keymap.

**preseed_language** (string, optional, ``en``)

  Language.

**preseed_locale** (string, optional, ``en_US.UTF-8``)

  Locale.

**preseed_mirror_directory** (string, optional, ``/debian``)

  Directory under which the Debian apt repositories can be found on the

  specified mirror.

**preseed_mirror_hostname** (string, optional, ``ftp.se.debian.org``)

  Resolvable hostname of FQDN where the Debian apt repositories can be

  found. Only HTTP mirrors are supported.

**preseed_mirror_proxy** (string, optional, ``None``)

  An HTTP proxy that should be used for accessing the Debian apt

  repositories.

**preseed_netmask** (string, mandatory if **preseed_network_auto** is ``no``)

  Netmask for the server network interface.

**preseed_network_auto** (boolean, optional, ``yes``)

  Specifies whether the network configuration should be automatic (using DHCP)

  or manual. If manual configuration is selected a number of additional options

  needs to be specified: ``preseed_hostname``, ``preseed_domain``,

  ``preseed_ip``, ``preseed_netmask``, ``preseed_gateway``,

  ``preseed_dns``. For some of these values you may want to use per-server

  overrides - see parameter ``preseed_server_overrides``.

**preseed_network_interface** (string, optional, ``eth0``)

  Name of network interface (for example ``eth0``, ``eth1`` etc) that should be

  configured.

**preseed_root_password** (string, optional, ``root``)

  Initial password that should be set for the server during the installation.

**preseed_server_overrides** (string, optional, ``{}``)

  A dictionary consisting out of one or more entries where individual values for

  preseed files can be overridden per-server. Each entry's key should be the

  name of the server, as specified in the inventory. Each value should also be a

  dictionary, where valid keys are: ``country``, ``dns``, ``domain``,