2.3.5

Commits

• Update squid_dnf_mirrors script to use "libdnf5". (jgoutin)
• Fix dnf-automatic-on-shutdown for DNF5. (jgoutin)

2.3.4

This version is intended to be used with Fedora 41 and upper because of breaking changes in this Fedora version (DNF is replaced by DNF5, Redis is replaced by Valkey).

Commits

• Add Netdata agent (Monitoring tool). (jgoutin)
• Ensure /home/nextcloud/.cache is reachable from services (jgoutin)
• Add sensors to Netdata (jgoutin)
• remove a useless Nginx configuration section based on Nginx warning (jgoutin)
• Enable HTTP/3 (jgoutin)
• Fix SELinux issues (jgoutin)
• Add netdata collectors. (jgoutin)
• ba9ee06: php-fpm: Add netdata collectors. (jgoutin)
• Add Netdata collector. (jgoutin)
• Fix idempotency (jgoutin)
• Add netdata collector (jgoutin)
• Deny traffic to local network, localhost, link local by default (jgoutin)
• Always end with "http_access deny all" (jgoutin)
• Drop "X-Forwarded-For" & "Via" headers. (jgoutin)
• Ensure logrotate is installed and enabled (jgoutin)
• Add Netdata collectors (jgoutin)
• Remove manager from access log (jgoutin)
• Remove CONNECT from access log (jgoutin)
• Handle "repodata/repomd.xml.asc" case (jgoutin)
• Add redis_log_level parameter and reduce default verbosity. (jgoutin)
• 41b0dd9: php-fpm: Add php_fpm_log_level parameter and reduce default verbosity. (jgoutin)
• Add nextcloud_log_level parameter and reduce default verbosity. (jgoutin)
• 3fd28f2: php-fpm: Enable PHP 8 Jit. (jgoutin)
• Move cache and updater directories out of data directory. (jgoutin)
• Ensure logrotate is configured. (jgoutin)
• Restrict access to status pages. (jgoutin)
• Add host domain to /etc/hosts (jgoutin)
• Add timeout to cron service. (jgoutin)
• add common_grub_save_default (jgoutin)
• Use GRUB_TIMEOUT_STYLE=hidden when common_grub_auto_hide=true (jgoutin)
• Add FS-Cache. (jgoutin)
• Fix Fedora 41 DNF5 support. (jgoutin)
• 566841d: php-fpm: Fix Fedora 41 DNF5 support. (jgoutin)
• 1a8cb35: redis/nexctloud: Migrate to Valkey (jgoutin)
• a200307: Update Fedora/Ansible compatible versions (jgoutin)
• Fix "squid_dnf_mirrors" DNS error. (jgoutin)
• Ensure "python3-libdnf" is installed ("squid_dnf_mirrors" requirement until migrated to "libdnf5"). (jgoutin)

2.3.2

Commits

• 9ed6484: php-fpm: Add pm.max_requests & request_terminate_timeout parameters (jgoutin)
• Update "requires_ansible" (jgoutin)
• ensure /etc/squid/dnf_mirrors exists (jgoutin)
• Add SELinux module (jgoutin)
• Ensure collation version is refreshed (jgoutin)
• remove richdocuments + richdocumentscode because global performance issue (jgoutin)
• Update /var/www/nextcloud globally (jgoutin)
• Fix error encryption already enabled. (jgoutin)
• Set permissions directly on install from archive. (jgoutin)
• Add option to install glibc-langpack for a non-english database. (jgoutin)
• Add option to install Qemu gest agent (jgoutin)
• Add config.php restoration options. (jgoutin)

2.3.1

Commits

• ed50c41: Remove vagrant/macos based Github actions molecules tests (Was not really reliable) (jgoutin)

2.3.0

Commits

• 9219e5e: Create FUNDING.yml (Jérémy Goutin)
• Fix "stime" not valid in auditd configuration for 64 bits OS. (jgoutin)
• Ensure SELinux binaries execution is logged by auditd. (jgoutin)
• Ensure Systemd debug-shell service is disabled. (jgoutin)
• Set Sysctl "kernel.perf_event_paranoid=2", the maximum value for recent kernel versions. (jgoutin)
• b60c58e: Fix badges links. (jgoutin)
• Fix invalid conditions. (jgoutin)
• Fix grub.cfg paths. (jgoutin)
• e832b9f: .gitignore: Add poetry (jgoutin)
• Add rpm-ostree support. (jgoutin)
• Allow enabling Thunderbolt with hardening. (jgoutin)
• Add random MAC address option. (jgoutin)
• Upgrade PHP to 8.3 (jgoutin)
• Fix missing grub countdown (jgoutin)
• Fix error caused by missing log file when logging with journald. (jgoutin)
• 282d6cd: php-fpm,nextcloud: Improve systemd sandboxing of /var. (jgoutin)
• Add option to disable kernel ia32 emulation. (jgoutin)
• Add missing AF_UNIX in RestrictAddressFamilies (jgoutin)
• Update doc to use "yescrypt", the current Fedora password hashing algorithm. (jgoutin)
• Add musicplayer_gtk_theme option (jgoutin)
• Remove Pipewire packages, with opt-out option. (jgoutin)
• Add option to fully disable HDMI sound. (jgoutin)
• Add rpm-ostree "commitmeta" (jgoutin)
• remove no more required "mesa_glthread=false" (jgoutin)
• Deprecate X-XSS-Protection. (jgoutin)
• Keep X-XSS-Protection to avoid warning. (jgoutin)
• Disable "logreader" default app until compatible with syslog. (jgoutin)
• Ensure "admin_audit" log in syslog. (jgoutin)
• Set maintenance_window_start (jgoutin)
• c4a2476: Update Github actions (jgoutin)

2.2.0

Commits

• e1cdcfa: Ensure secrets are hidden in Ansible logs. (jgoutin)
• Ensure logs in syslog (jgoutin)
• Fix certificate permission. (jgoutin)
• Ensure Firewalld allows alternate ports. (jgoutin)
• Ensure Nextcloud Talk use TLS for TURN server. (jgoutin)
• Allow configuring cryptography policies to use FIPS (Can be useful for compliance). (jgoutin)
• Configure DNF and DNF-automatic to pass openSCAP checks. (jgoutin)
• Ensure Empty passwords are disabled with SSH. (jgoutin)
• Ensure audit is enabled in kernel. (jgoutin)
• Add more kernel use-after-free mitigation. (jgoutin)
• Basic Auditd configuration. (jgoutin)
• Fully disable systemd coredump service and socket. (jgoutin)
• Ensure Chrony is in client mode only. (jgoutin)
• Ensure interactive timeout is set. (jgoutin)
• Ensure rngd is enabled (Hardware RNG Entropy Gatherer Service) (jgoutin)
• Ensure SSH Kerberos authentication is disabled. (jgoutin)
• Ensure SSH force frequent session key renegotiation. (jgoutin)
• Ensure RPM operations are logged in auditd. (jgoutin)
• Remove ambient capabilities when not required. (jgoutin)
• c690bbe: php-fpm: Add Remi repository as source + add "php-snuffleupagus" security hardening module. (jgoutin)
• Add audit rules to fix OpenSCAP reports. (jgoutin)
• Fix SSHd configuration order + Add SSH banner. (jgoutin)
• Add password complexity policy. (jgoutin)
• Add a generic login banner. (jgoutin)
• Use hardware accelerated drivers from RPMFusion. (jgoutin)
• Add missing Kodi extra packages. (jgoutin)
• Allow installing PVR plugins packages. (jgoutin)
• Ensure common fonts are installed (To add non latin symbols support). (jgoutin)
• Allow the use of Wayland instead of GBM (jgoutin)
• Fix screen tearing with AMD hardware. (jgoutin)
• Remove lirc if IR is disabled. (jgoutin)
• Install "crypto-policies-scripts" if required (jgoutin)
• Ignore error if "systemd-coredump" is missing (jgoutin)
• Ensure "localpkg_gpgcheck" can be disabled (Required for "akmods"). (jgoutin)
• Add option to install xpadneo (Bluetooth Xbox controllers driver) (jgoutin)
• Update for Nextcloud 27 / Nextcloud Hub 5 (jgoutin)

2.1.1

Commits

• Fix "community.postgresql.postgresql_user.priv" deprecation. Fix #72. (jgoutin)
• Use 308 status code for HTTP to HTTPS redirection instead of 301 (jgoutin)
• 737f5c9: Add Documentation deployment workflow. Fix #71 (jgoutin)
• 557410f: Fix ansible lint (jgoutin)
• 017b893: Set the collection version in galaxy.yml automatically. (jgoutin)

2.1.0

Commits

• Rename empty file. (jgoutin)
• Add Grub password option. (jgoutin)
• Linux kernel hardening (jgoutin)
• 458147d: Fix Ansible formatting, and fix GitHub actions. (jgoutin)
• Allow to change "opcache.interned_strings_buffer" value. (jgoutin)
• Add "php-sodium" module and increase "opcache.interned_strings_buffer" as recommended in recent Nextcloud versions. (jgoutin)
• Use GBM instead of X11, start Kodi using systemd directly instead of getty and add minimal systemd hardening. (jgoutin)
• Clean up Anaconda files. (jgoutin)
• Add upgrade information in readme. (jgoutin)
• Fix invalid ExecStartPre systemd parameter. (jgoutin)
• musicplayer_serial_display, fix device detection + add device re-connection + add start indicator + Python typing (jgoutin)
• 4cd9f36: Ansible lint fix. (jgoutin)
• 40c4e19: Update Github actions tasks. (jgoutin)
• Improve service unit to not use getty (jgoutin)
• 66d1615: Fix linters. (jgoutin)
• 2d6f9f4: coturn/nginx/mail: Use EC p256 for self-signed certificates instead of RSA. (jgoutin)
• Fail2ban logs in systemd journal (jgoutin)
• e834132: nextcloud/nginx/php-fpm/coturn/redis: Logs in systemd journal (jgoutin)
• 02174c8: Fix Ansible lint (jgoutin)
• Allow configuring journal memory/disk max size. (jgoutin)
• Add "richdocuments" with builtin server to default apps + Add featured security apps. (jgoutin)
• Logs in Systemd journal. (jgoutin)
• 08aac0f: nginx,nextcloud: Configure nginx_client_max_body_size via Nginx role. (jgoutin)
• 669d586: php-fpm,nextcloud: "php.ini" hardening (jgoutin)
• Change X-Robots-Tag header value. (jgoutin)
• Update Nginx configuration based on latest doc + Improve dependencies selection based on installed apps and features. (jgoutin)
• Enforce TLS1.3 and add security options. (jgoutin)
• Allow to disable kernel user namespaces. (jgoutin)
• Add ProcSubset and ProtectProc to systemd sandboxing. (jgoutin)
• Add ProcSubset and ProtectProc to systemd sandboxing. (jgoutin)
• Add ProcSubset and ProtectProc to systemd sandboxing. (jgoutin)
• b9d3ea0: php-fpm: Add ProcSubset and ProtectProc to systemd sandboxing. (jgoutin)
• Add ProcSubset and ProtectProc to systemd sandboxing. (jgoutin)
• Add ProcSubset and ProtectProc to systemd sandboxing. (jgoutin)
• Add PrivateUsers=true to systemd sandboxing. (jgoutin)
• Add ProcSubset and ProtectProc to systemd sandboxing. (jgoutin)
• "RemoveIPC=" requires "User=/DynamicUser=". (jgoutin)
• "RemoveIPC=" requires "User=/DynamicUser=". (jgoutin)
• 6157d7a: php-fpm: "RemoveIPC=" requires "User=/DynamicUser=". (jgoutin)
• Add "PrivateIPC=true" to systemd sandbox. (jgoutin)
• Add "PrivateIPC=true" to systemd sandbox. (jgoutin)
• Add "PrivateIPC=true" to systemd sandbox. (jgoutin)
• "RemoveIPC=" requires "User=/DynamicUser=". (jgoutin)
• Allow to remove power button confirmation + Modify "advancedsettings.xml" without overwriting it. (jgoutin)
• c0decd9: Fix readme.md table format. (jgoutin)
• Allow Postfix service to write "/etc/aliases.db" and "/var/lib/misc/postfix.aliasesdb-stamp". (jgoutin)
• Update config using "rpmnew" files. (jgoutin)
• Update config using "rpmnew" files. (jgoutin)
• Use touche to create /etc/securetty (jgoutin)
• Update config using "rpmnew" files. (jgoutin)
• Update config using "rpmnew" files. (jgoutin)
• Update config using "rpmnew" files. (jgoutin)
• Update config using "rpmnew" files. (jgoutin)
• a1beaa0: php-fpm: Update config using "rpmnew" files. (jgoutin)
• Ignore "rpmnew", config is fully generated from template. (jgoutin)
• Ignore "rpmnew", config is fully generated from template. (jgoutin)
• Disable coredump using limits. (jgoutin)
• Restrict "su" to "wheel" group. (jgoutin)
• Improve systemd sandboxing. (jgoutin)
• Ensure services are restarted after modification. (jgoutin)
• Sandbox fail2ban and postfix services. (jgoutin)
• add SystemCallFilter=~@resources (jgoutin)
• Improve extra services systemd sandboxing. (jgoutin)
• add SystemCallFilter=~@resources (jgoutin)
• 98730a1: php-fpm: add SystemCallFilter=~@resources (jgoutin)
• Improve systemd sandboxing. (jgoutin)
• Use built-in DNF automatic reboot feature. (jgoutin)
• b059aa8: Update collection version, Fedora versions and tags. (jgoutin)
• Deprecate role because not used by any other role and not maintained. (jgoutin)
• Rewording, typo, ... (jgoutin)
• Handle root CA certificate generation if no CA specified. (jgoutin)
• Fix redirection loop. (jgoutin)
• Fix caching of ""*.xml.zck" 206 partial content (jgoutin)
• 7685a90: Fix lint workflow trigger + Warn only for some Ansible-lint checks (jgoutin)
• Denying only for store ID internal domain seems to not work. ([jgoutin](a6ac80c...

2.0.1

Commits

• use "twofactor_webauthn" application instead of "twofactor_u2f" and migration. (jgoutin)
• Run on Fedora 36 with official Fedora Cloud image (jgoutin)
• Fix Ansible configuration. (jgoutin)
• 55c978a: Fix firewalld package that may be missing (jgoutin)
• 45d883b: v2.0.1 (jgoutin)

2.0.0

Full Changelog: 1.3.2...2.0.0