DebOps Changelog

April 20, 2019

DebOps

Merge branch 'bitsoffreedom-add-python-openssl-package-to-opendkim'

by drybjed at April 20, 2019 05:51 PM

Revert "[debops.opendkim] Add pyOpenSSL"

This reverts commit 5f83b4a0afaaf1c39776ea4e130776aab20ed593.

by imrejonk at April 20, 2019 07:28 AM

April 18, 2019

DebOps

[debops.opendkim] Add pyOpenSSL

I was greeted with an error when I tried out the debops.opendkim role on a Debian 9 box (with Ansible 2.7.5) this morning:

```
failed: [myhostname -> localhost] (item={u'name': u'mail'}) => {"changed": false, "item": {"name": "mail"}, "msg": "the python pyOpenSSL module is required"}
```

Turns out the 'python-openssl' package was missing. This package contains the pyOpenSSL module needed to generate the DKIM keys. These changes add this package to the `opendkim__base_packages` variable.

by imrejonk at April 18, 2019 11:46 AM

April 17, 2019

DebOps

[debops.icinga_web] Prefer packages from backports

The 'icingaweb2*' APT packages in Debian Stretch are broken on systems
with PHP 7.3. The packages in the 'stretch-backports' repository have
been fixed and work fine in this environment.

by drybjed at April 17, 2019 11:34 AM

April 16, 2019

DebOps

Merge branch 'php-composer-upstream' of https://github.com/drybjed/debops into drybjed-php-composer-upstream

by drybjed at April 16, 2019 08:41 PM

[debops.php] Support PHP Composer from upstream

The 'debops.php' role can now conditionally install PHP Composer using
the upstream package, via checksummed GitHub releases. Composer from
upstream will be installed on older OS releases, including Debian
Stretch, because older versions break with PHP 7.3.

Custom Composer installation tasks from other DebOps roles have been
removed; installation is now centralized in the 'debops.php' role.

by drybjed at April 16, 2019 08:23 PM

April 15, 2019

DebOps

[debops.pam_access] Fix regex issues @ Python 3.7

Python 3.7 changed the behaviour of the regexes to be more in line
with other programming languages. This patch fixes the UNIX group
mangling in the 'access.conf.j2' template file to support the changes in
Python 3.7 and older releases.

by drybjed at April 15, 2019 09:05 PM

[debops.roundcube] Use upstream composer @ Stretch

The version of the 'composer' package in Debian Stretch and similar OS
releases is too old for current Roundcube deployments. The role will
switch to the upstream 'composer' installation on these OS releases for
the time being.

by drybjed at April 15, 2019 09:03 PM

Merge branch 'refactoring-python-roles' of https://github.com/innobyte/debops into innobyte-refactoring-python-roles

by drybjed at April 15, 2019 10:30 AM

April 12, 2019

DebOps

[debops.logrotate] Clean up config templates

This patch should fix issues with logrotate configuration differences in
environments that use different Jinja versions.

by drybjed at April 12, 2019 08:39 PM

Merge branch 'fix-logrotate-newlines' of https://github.com/ciphermail/debops into test-logrotate

by drybjed at April 12, 2019 06:46 PM

[debops.apt] Filter '/' at end in original sources

Removing '/' from the end of original APT source URLs should ensure that
there are no duplicates in the generated '/etc/apt/sources.list' file.

by drybjed at April 12, 2019 02:22 PM

[debops.unattended_upgrades] Move 'stable-updates'

The packages from the 'stable-updates' repository section will be
upgraded automatically, the same as Debian Security repository updates.

by drybjed at April 12, 2019 01:49 PM

[debops.logrotate] keep newlines in config

These changes remove the Jinja 'strip' operations from the logrotate templates. Logrotate does not like missing newlines and presented us with errors like these:

```
/etc/cron.daily/logrotate:
error: php7.0-fpm:prerotate, postrotate or preremove without endscript
error: found error in file php7.0-fpm, skipping
error: rsyslog:prerotate, postrotate or preremove without endscript
error: found error in file rsyslog, skipping
error: rsyslog-remote:prerotate, postrotate or preremove without endscript
error: found error in file rsyslog-remote, skipping
error: /etc/logrotate.conf:14 bad rotation count '1}'
error: found error in /var/log/wtmp , skipping
```

These errors were all caused by missing newlines. For example, 'endscript' and the curly bracket after the '1' must be on new lines.
I'm not sure why the 'strip' operation was in the templates in the first place. Maybe I'm overlooking something, but this seems to work for us.

by imrejonk at April 12, 2019 09:17 AM

April 11, 2019

DebOps

[debops.sshd] Support for 'authorizedService: *'

The default LDAP filter configuration will allow for use of the '*'
value in the 'authorizedService' LDAP attribute, in addition to 'sshd'.

by drybjed at April 11, 2019 10:17 AM

[debops.sshd] Implement PAM access control rules

The OpenSSH service configured by the 'debops.sshd' role will use PAM
access control rules to manage what UNIX accounts and groups can connect
to the hosts via SSH.

by drybjed at April 11, 2019 07:24 AM

April 10, 2019

DebOps

Merge branch 'add-pam_access' of https://github.com/drybjed/debops into drybjed-add-pam_access

by drybjed at April 10, 2019 12:20 PM

[debops.nsswitch] Don't show 'shadow' LDAP data

The 'shadow' database LDAP information shouldn't be needed on the hosts.
Showing LDAP entries via the 'getent shadow' command can be confusing on
unprivileged accounts, therefore the database will not be included in
the NSS switch table by default.

by drybjed at April 10, 2019 11:52 AM

[LDAP] Add more object classes to admin account

The initial administrator account in the LDAP directory will have
'authorizedServiceObject' and 'hostObject' object classes, which allow
inclusion of the 'authorizedService' and 'host' attributes.

by drybjed at April 10, 2019 11:49 AM

[ci] Force LDAP in certain tests

The 'debops.ldap' and 'debops.nslcd' roles will be tested with the
'ldap__enabled' variable set to True, to force the LDAP configuration.

by drybjed at April 10, 2019 11:48 AM

[debops.nslcd] Don't generate wrong configuration

The 'debops.nslcd' role will not generate the '/etc/nslcd.conf'
configuration file if the LDAP information is not available, for example
when the 'debops.ldap' role was not applied on the host previously.

by drybjed at April 10, 2019 11:46 AM

April 05, 2019

DebOps

Fix apt loop deprecation warning

This change resolves the following deprecation warning: 'Invoking "apt"
only once while using a loop via squash_actions is deprecated.'  The
change implements the resolution suggested by Ansible.

by timfreund at April 05, 2019 03:23 AM

April 04, 2019

DebOps

Merge branch 'ldap-improvements' of https://github.com/drybjed/debops into drybjed-ldap-improvements

by drybjed at April 04, 2019 10:19 AM

April 03, 2019

DebOps

[debops.auth] Remove nslcd/NSS/PAM configuration

The configuration of the 'nslcd' service has been moved to the
'debops.nslcd' Ansible role.

by drybjed at April 03, 2019 08:42 PM