Release notes
=============


1.5.0
-----

Minor bug-fixes, package upgrade checks, and better support for next
Debian stable release (Stretch).

New features/improvements:

* ``backup_client`` role

  * Implemented support for next Debian stable release (*Debian
    Stretch*). This was needed due to changes in duplicity parameters
    and their syntax.

* ``common`` role

  * Added parameter for configuring common backup patterns. Allows for
    better control over ``/root`` and ``/home`` directories. Backup of
    remaining directories is still hard-coded.
  * Added support for checking if package upgrades are available.
    Covers system packages out-of-the-box, and provides ability to
    perform checks on pip requirements files.
  * Added generic support for checking certificate expiration dates.
    Relevant roles need to deploy special configuration files to
    trigger the checks.

* ``ldap_server`` role

  * Updated role to perform certificate expiration date check on LDAP
    server certificate.

* ``mail_server`` role

  * Updated role to perform certificate expiration date check on all
    mail server certificates.

* ``php_website`` role

  * Updated role to perform certificate expiration date check on
    website server certificate.

* ``xmpp_server`` role

  * Updated role to perform certificate expiration date check on XMPP
    server certificate.

* ``web_server`` role

  * Updated role to perform certificate expiration date check on
    default web server certificate.

* ``wsgi_website`` role

  * Added alternative way to specify Gunicorn version to install in
    virtual environment (via separate parameter). If this parameter is
    in use, package upgrade checks will be done as well (against
    auto-assembled pip requirements file). See role reference
    documentation for details.
  * Updated role to perform certificate expiration date check on
    website server certificate.

Bug-fixes:

* ``mail_server`` role

  * Fixed incorrect mail name (FQDN) used for mails originating from
    the server.

* ``web_server`` role

  * Fixed configuration of available TLS versions on the Nginx web
    server.

Documentation:

* Added release procedures and related information.
* Added information about Debian release compatibility to role
  reference.


1.4.0
-----

Minor fixes and features allowing for more fine-tuning of
installations.

New features/improvements:

* ``ldap_server`` role

  * TLS versions and ciphers supported by server are now configurable.

* ``mail_server`` role

  * TLS versions and ciphers supported by SMTP and IMAP server are now
    configurable.
  * Number of allowed concurrent IMAP connections for a single user
    from a single IP address is now configurable.

* ``web_server`` role

  * TLS versions and ciphers supported by server are now configurable.


1.3.0
-----

IPv6 support in firewall rules, small bug fixes and improvements.

New features/improvements:

* All roles that deploy firewall rules

  * Set-up IPv6 firewall rules in addition to IPv4.

* ``common`` role

  * Crontabs, operating system user passwords (``/etc/shadow``), and
    local user mails are now included in the backup.

Bug-fixes:

* ``wsgi_website`` role

  * Do not traverse static locations that have not been explicitly
    configured. Fixes issue where static location ends-up being served
    by Nginx instead of WSGI application.


1.2.0
-----

Minor fixes and features.

New features:

* ``wsgi_website`` role

  * Added support for providing custom proxy headers to pass on to
    Gunicorn server.

Bug-fixes:

* ``php_website`` role

  * Make sure the environment indicator is always shown on top by
    increasing its ``z-index`` value.

* ``wsgi_website`` role

  * Make sure the environment indicator is always shown on top by
    increasing its ``z-index`` value.


1.1.0
-----

Minor bug fixes, enhancements, and features.

New features/improvements:

* ``common`` role

  * Added support for having user-defined ``/etc/profile.d`` style
    scripts (in ``~/.profile.d/``).
  * Disables Emacs ``electric-indent-mode`` globally if Emacs is
    installed.
  * Deploys symbolic link for ``mysql_config`` if package
    ``libmariadb-client-lgpl-dev-compat`` is installed (workaround for
    Debian Bug 766996).
  * Updates CA cache immediately so that roles depending on cache
    being up-to-date do not throw validation errors.

* ``mail_server`` role

  * Added support for specifying local aliases.
  * Undeliverable bounces are now delivered to postmaster.

* ``php_website`` role

  * Added support for specifying custom ``php-fpm`` pool configuration
    options.
  * Added support for having ribbon/strip at bottom to identify
    website environment. Useful for testing/staging environments.
  * Deploys symbolic link for ``mysql_config`` if package
    ``libmariadb-client-lgpl-dev-compat`` is installed (workaround for
    Debian Bug 766996).
  * Forwards mails delivered to application or application
    administrator users to local ``root`` account (can be configured
    to deliver mails elsewhere).
  * Sets ``HSTS`` policy if TLS is enforced.
  * *Umask* for the operating system which runs the website is set to
    ``0007``.
  * When administrator user is created for the first time, its home
    directory is populated from ``/etc/skel``. This makes prompts etc
    look more uniform across the system.

* ``wsgi_website`` role

  * Added support for having ribbon/strip at bottom to identify
    website environment. Useful for testing/staging environments.
  * Added support for specifying environment variables that should be
    set when running the service, or when administering the
    installation (using application administrator operating system
    user).
  * Deploys symbolic link for ``mysql_config`` if package
    ``libmariadb-client-lgpl-dev-compat`` is installed (workaround for
    Debian Bug 766996).
  * Forwards mails delivered to application or application
    administrator users to local ``root`` account (can be configured
    to deliver mails elsewhere).
  * Sets ``HSTS`` policy if TLS is enforced.
  * *Umask* for the operating system which runs the website is set to
    ``0007``.
  * When administrator user is created for the first time, its home
    directory is populated from ``/etc/skel``. This makes prompts etc
    look more uniform across the system.

Bug-fixes:

* ``database_server`` role

  * Applies UTF-8 configuration immediately. This should fix issues
    during initial server set-up for roles that need to create
    database using UTF-8 character set.

* ``wsgi_website`` role

  * Fixed virtualenv wrapper shell script to use proper escaping
    around arguments.
  * Website service is now restarted in case of package changes
    (system or virtual environment).

* ``mail_forwarder`` role

  * Allows incoming SMTP connections from the SMTP relay server (if
    configured). This way the SMTP relay can deliver bounces.


1.0.1
-----

Minimal bugfix update to improve interoperability.

Changes:

* ``xmpp_server`` role no longer restricts TLS to version 1.2 and
  ciphers to PFS ciphers. Should solve ``s2s`` communication issues
  with old XMPP servers.


1.0.0
-----

Initial release of Majic Ansible Roles.

New roles:

* ``backup``, reusable role for specifying files to back-up.
* ``backup_client``, base role for setting-up backup client on a
  server (Duplicity).
* ``backup_server``, sets-up a backup server.
* ``bootstrap``, sets-up server for Ansible management (bootstrapping
  it for subsequent Ansible runs).
* ``common``, basic set-up of server, some hardening, creation of
  admin accounts etc.
* ``database``, reusable role for creating MariaDB database and user
  for accessing the database.
* ``database_server``, sets-up database server (MariaDB).
* ``ldap_client``, sets-up LDAP client tools and configuration
  (OpenLDAP).
* ``ldap_server``, sets-up and manages basic entries in an LDAP server
  (OpenLDAP).
* ``mail_forwarder``, sets-up local SMTP server that forwards mail to
  the main mail server (Postfix).
* ``mail_server``, sets-up a mail server with SMTP and IMAP services
  (Postfix, Dovecot).
* ``php_website``, reusable role for creating PHP-based websites.
  Provides basic building block for PHP applications (Nginx).
* ``preseed``, small role for generating Debian preseed files for
  automated OS installation.
* ``web_server``, sets-up web server with basic welcome page (Nginx).
* ``wsgi_website``, reusable role for creating WSGI-based websites.
  Provides basic building block for WSGI applications (Nginx).
* ``xmpp_server``, sets-up an XMPP server for instant messaging
  services (Prosody).

New features:

* Usage (tutorial-like) instructions.
* Test site, serving as an example and used for basic regression
  testing.
* Role reference documentation.