xsrv

v2.0.0 Breaking

This release includes 4 breaking changes for platform teams planning a safe upgrade.

✓ No known CVEs patched

Topics

ansible debian gitea jellyfin jitsi ldap
libvirt matrix mumble netdata nextcloud samba searxng self-hosted server shaarli stirling-pdf transmission tt-rss vpn

Affected surfaces

breaking_upgrade auth

Summary

AI summary

xsrv now requires Debian 13, removes netdata and several roles, and adds Victoriametrics‑based monitoring.

Full changelog

v2.0.0 - 2026-04-02

[!IMPORTANT]
The mirror at https://gitlab.com/nodiscc/xsrv will no longer be maintained after this release.
Please use https://github.com/nodiscc/xsrv or https://codeberg.org/nodiscc/xsrv instead
Issues have been moved to https://codeberg.org/nodiscc/xsrv/issues

Upgrade procedure: Follow these steps in order:

0. Upgrade to v1.27.0 and deploy, if not already done

1. Update your playbook (xsrv edit-playbook):

  • Remove the nodiscc.xsrv.monitoring and nodiscc.xsrv.monitoring_netdata roles from all your hosts
  • Add the nodiscc.xsrv.monitoring.utils, nodiscc.xsrv.monitoring.rsyslog and nodiscc.xsrv.monitoring.exporters roles to all your hosts, early in the playbook
  • Add the nodiscc.xsrv.monitoring.victoriametrics role to one of your hosts. This host will act as a central monitoring point and receive metrics from all hosts where nodiscc.xsrv.monitoring.exporters is deployed (via remote write)
  • Add the nodiscc.xsrv.monitoring.grafana role to the same host as the victoriametrics role (but after the apache role). This will provide visualizations/dashboards for metrics collected by victoriametrics
  • If present, rename nodiscc.xsrv.monitoring_goaccess to nodiscc.xsrv.monitoring.goaccess

2. Migrate variables (xsrv edit-host / xsrv edit-group):

Remove all variables named netdata_* and use these equivalents:

3. Add required variables for the new monitoring roles:

# xsrv edit-group default all
monitoring_victoriametrics_url: "https://my.CHANGEME.org:8428"

# xsrv edit-group-vault default all
victoriametrics_exporters_auth_password: CHANGEME
monitoring_exporters_auth_password: CHANGEME

# xsrv edit-host default my.CHANGEME.org
grafana_fqdn: grafana.CHANGEME.org

  • Network/firewall: Remove all NAT/firewall rules allowing access to hosts on port 19999/tcp (netdata)
  • Network/firewall: Ensure hosts where exporters are deployed can access the host where victoriametrics is deployed on port 8428/tcp (NAT, firewalls)
  • The nodiscc.xsrv.monitoring.exporters role will uninstall netdata and remove all its configuration files/historical data unless you explicitly set netdata_uninstall: false

4. Other role-specific changes:

  • libvirt: In libvirt_port_forwards, move *.dnat.*.host_interface to the top-level list (same level as vm_name)
  • wireguard: remove the data/wireguard/ directory and its contents from your project directory (no longer used)
  • wireguard: If you had custom routes defined under wireguard_peers, update them to use the new list syntax:
-#     routes: "1.2.3.4/32, 192.168.18.0/24"
+#     routes:
+#       - 1.2.3.4/32
+#       - 192.168.18.0/24

5. Deploy the changes:

xsrv self-upgrade # upgrade the xsrv script
xsrv upgrade  # upgrade roles/ansible environments to the latest release
xsrv check    # (optional) simulate changes that will be applied
xsrv deploy   # apply changes
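
A pre-upgrade check for steps 1, 2 and 4, run before deploying (an added example, not part of the xsrv project): it scans playbook and variable file contents for role names and variables that v2.0.0 removes or renames. The sample inputs, `netdata_example_setting` and the peer `name` key are constructed for illustration, and the `routes` check is a heuristic on the key name.

```python
import re

# (pattern, advice) pairs; role and variable names come from the changelog above.
RULES = [
    (r"nodiscc\.xsrv\.monitoring(?![.\w])", "remove role, add monitoring.utils/rsyslog/exporters"),
    (r"nodiscc\.xsrv\.monitoring_netdata\b", "remove role (removed in v2.0.0)"),
    (r"nodiscc\.xsrv\.monitoring_(utils|rsyslog|goaccess)\b", "rename monitoring_X to monitoring.X"),
    (r"nodiscc\.xsrv\.(graylog|ollama|gotty)\b", "role removed from xsrv"),
    # netdata_uninstall is the one netdata_* variable the upgrade notes still allow
    (r"^\s*netdata_(?!uninstall\b)\w+\s*:", "remove netdata_* variable"),
    (r"^\s*ssh_server_revoked_keys\s*:", "global SSH key revocation was removed"),
    (r"^\s*gitea_act_runner_container_engine\s*:\s*[\"']?docker\b", "only podman is supported"),
    # heuristic: a quoted string under a 'routes' key is the old wireguard syntax
    (r"^\s*(-\s*)?routes\s*:\s*[\"'].*[\"']\s*$", "wireguard routes must be a YAML list"),
]

def scan(text):
    """Return (line_number, advice) for each line still using a v1.x construct."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out settings are not deployed
        for pattern, advice in RULES:
            if re.search(pattern, line):
                findings.append((lineno, advice))
    return findings

# Constructed sample inputs (not taken from a real xsrv project)
SAMPLE_PLAYBOOK = """\
- hosts: my.CHANGEME.org
  roles:
    - nodiscc.xsrv.common
    - nodiscc.xsrv.monitoring
    - nodiscc.xsrv.monitoring_goaccess
    - nodiscc.xsrv.monitoring.exporters
"""
SAMPLE_VARS = """\
netdata_uninstall: false
netdata_example_setting: true
wireguard_peers:
  - name: laptop
    routes: "1.2.3.4/32, 192.168.18.0/24"
"""

if __name__ == "__main__":
    for label, text in (("playbook", SAMPLE_PLAYBOOK), ("vars", SAMPLE_VARS)):
        for lineno, advice in scan(text):
            print(f"{label}:{lineno}: {advice}")
```
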

Removed:

  • monitoring_netdata: remove role, archive it to separate repository
  • graylog: remove role, archive it to separate repository
  • ollama: remove role, archive it to separate repository
  • gotty: remove role, archive it to separate repository
  • monitoring_utils: remove lynis, archive it to separate role/repository
  • common/ssh: remove ability to revoke SSH keys globally using ssh_server_revoked_keys
  • common/ssh: no longer look for/replace weak DH parameters
  • libvirt: remove ability to route/forward ports between bridges (libvirt_port_forwards.*.forward)
  • libvirt: remove ability to forward ports using host_ip (only host_interface must be used)
  • gitea_act_runner: remove support for gitea_act_runner_container_engine: docker, only podman is supported
  • nextcloud: remove support for external user authentication

Added:

  • add monitoring.exporters role (monitoring agents/metrics exporters)
  • add monitoring.victoriametrics role (monitoring metrics scraper and time-series database)
  • add monitoring.grafana role (analytics and interactive visualization web application)
  • add kiwix role (offline viewer for Wikipedia and other wikis)
  • add llamacpp role (run Large Language Models (LLM) locally)
  • common/firewalld: allow defining a manual IP address/network blocklist (firewalld_blocklist)
  • common: allow automatically putting mechanical/rotational hard drives in standby mode after 1 hour (hdparm_auto_standby_drives: false/true)
  • searxng: allow protecting the web interface behind HTTP Basic authentication (searxng_auth_enabled/username/password)
  • moodist/owncast/searxng/stirlingpdf: automatically remove unused podman images/containers, nightly (conserve disk space)
  • wireguard: generate a QR code for each wireguard_peer containing the configuration (can be scanned with mobile apps such as WG Tunnel)
  • backup: add rsnapshot_remote_backups[*].port option (default 22, allows backups over different SSH port)
  • common/users: make the default system umask configurable
  • common/sysctl: make the value of kernel.yama.ptrace_scope configurable
  • add support for Debian 13 in all roles

Changed:

  • rename monitoring_utils role to monitoring.utils
  • rename monitoring_rsyslog role to monitoring.rsyslog
  • rename monitoring_goaccess to monitoring.goaccess
  • default playbook: only enable the common role by default, let user select which roles to enable
  • common/firewalld: ensure ufw is removed before installing firewalld
  • wireguard: allow specifying wireguard_peers without a public_key, in which case a private/public key pair will be generated automatically on the server
  • libvirt: use firewalld to manage port forwarding to libvirt VMs, remove direct iptables management
  • backup: migrate from cron to systemd timers/services
  • wireguard: allow wireguard clients/peers traffic to flow out the default network interface by default (allows clients to tunnel all their internet traffic through the VPN)
  • wireguard: allow wireguard peers to connect to the DNS service on the wireguard server by default
  • wireguard: allow forwarding of wireguard peers network traffic to other zones by default (wireguard_allow_forwarding: yes/no)
  • shaarli: preserve thumbnails cache during upgrades
  • nextcloud: schedule start of maintenance window (resource intensive tasks) at 02:00
  • searxng: allow returning results as JSON (add &format=json to URL parameters)
  • searxng: increase sepiasearch search engine weight to 2
  • searxng: increase wiby search engine weight to 1.2
  • searxng: enable searchmysite search engine by default
  • common: fail2ban: use hash:net ipset types instead of hash:ip
  • common: ssh: ensure ssh is automatically started at boot, disable socket activation
  • common: ensure cron is installed
  • monitoring.rsyslog: ensure logrotate is installed
  • libvirt: allow accessing VM SPICE graphical consoles remotely
  • apache: set a fixed 30 day renewal threshold for SSL/TLS certificates obtained through mod_md
  • kiwix: update rationalwiki download URL
  • readme-gen: always write SSH client configuration and GTK bookmarks for all hosts to README.md, even for hosts that are not in readme_gen_limit
  • doc: gitea actions: document manually triggering a workflow from the actions page (workflow_dispatch)
  • xsrv: self-upgrade now also updates the bash completion script if it exists
  • shaarli: update stack template to v0.12 [1] [1]
  • shaarli: update to v0.16.0 [1]
  • nextcloud: update to 31.0.13 [1] [2] [3] [4]
  • gitea: update to v1.25.5
  • owncast: update to v0.2.4 [1] [2] [3]
  • postgresql: update pgmetrics to v1.18.0 [1] [2]
  • stirlingpdf: update to v2.7.1
  • jellyfin: update opensubtitles plugin to v22.0.0
  • searxng: enable searchmysite search engine by default, increase weight to 2
  • matrix: update element-web to v1.12.12
  • matrix: update synapse-admin to v0.11.4
  • openldap: update ldap-account-manager to v9.5.1
  • openldap: upgrade self-service-password to v1.7.3
  • xsrv: update ansible to v12.3.0 [1] [1]
  • xsrv: update trivy security scanner to v0.69.3
  • xsrv: init-template: update installer image to Debian 13
  • gitea_act_runner: update act-runner to v0.2.12 [1]
  • gitea_act_runner: update debian-latest and ubuntu-latest base image aliases to use node:22-trixie
  • gitea_act_runner: always enable nightly cleanup of podman volumes and containers created by act-runner, regardless of gitea_act_runner_daily_podman_prune
  • goaccess: update IP to Country GeoIP database, adjust version number automatically based on current date
  • common/apt: make unattended-upgrades configuration and sources.list file compatible with Debian 13
  • make all roles compatible with Debian 13, except jitsi
  • doc: update comments in several files to reflect new documentation in Debian 13
  • doc: migrate all gitlab.com/nodiscc/xsrv and gitlab.com/nodiscc/toolbox URLs to github, deprecate gitlab mirror
  • doc: mark jitsi role as incompatible with Debian 13
  • update documentation
  • CI/CD: migrate from GitLab CI to GitHub Actions

Fixed:

  • xsrv: fix fetch-backups failing with numeric ansible_ssh_port
  • tt-rss: switch git repository to mirror on https://gitlab.com/nodiscc/tt-rss (upstream repository removed)
  • tt-rss: clone/upgrade tt-rss task no longer always returns changed (pin version to latest commit from upstream)
  • searxng: remove engines that no longer exist from config file, fix warnings in logs
  • jitsi: fix prosody APT repository failing to update with "The following signatures couldn't be verified because the public key is not available: NO_PUBKEY F7A37EB33D0B25D7"
  • matrix: update APT repository signing key (the previous key has expired)
  • postgresql: fix 'postgresql_version' is undefined error when running the monitoring tag alone
  • wireguard: really delete peers and associated keys/configuration when wireguard_peers[*].state is set to absent
  • wireguard: fix missing /32 in generated client config files
  • shaarli: fix missing php extension php-xml
  • nextcloud: fix trusted_proxies is not correctly defined warning in admin area
  • monitoring.utils: fix bonnie++ report generation
  • tt_rss: fix DB update error on first deployment
  • podman/owncast: fix "pasta": executable file not found

Full changes since v1.27.0

Breaking Changes

  • Minimum runtime requirement changed to Debian 13 (xsrv no longer supports earlier Debian releases).
  • Removed monitoring_netdata role and all associated netdata configuration variables (`netdata_*`).
  • Removed the graylog, ollama and gotty roles, along with several features: common/ssh `ssh_server_revoked_keys`, libvirt port‑forwarding features, gitea_act_runner docker engine support, nextcloud external authentication.
  • Renamed monitoring roles: `monitoring_utils` → `monitoring.utils`, `monitoring_rsyslog` → `monitoring.rsyslog`, `monitoring_goaccess` → `monitoring.goaccess`.

About xsrv

Install and manage self-hosted services/applications, on your own server(s).