Changes:

  • Upgraded base distribution to Debian 11.1/Bullseye.
  • Configuration console (confconsole):
    • Minor packaging changes for Debian Bullseye.
    • Fix warnings on Confconsole when upgrading to Python3.9 - resolved by swapping identity check for equality check - closes #1634.
    • Remove dhparams generation - part of #1653.
    • Move Secupdates_adv_conf.py (confconsole plugin) from "common" into confconsole package. Should have no end user impact.
    • Bugfix & improvements to Let's Encrypt plugin:
      • Fix cert not being used on stand-alone Tomcat appliance - closes #1712.
      • Update to support changed systemd output (fixes stunnel not restarted on Bullseye).
    • Improvements in Keyboard setting plugin - not sure if this is enough to fix it, but it should at least be closer. Related to #1695.
    • General code and documentation improvements.
  • Firstboot Initialization (inithooks):
    • Minor packaging changes for Debian Bullseye.
    • Bugfix typo in firstboot.d/15regen-sslcert.
    • Update the init-fence default html.
    • Update simplehttpd.py ciphers.
    • Remove dhparams generation - part of #1653.
    • Code refactor to provide inithook_lib. [ Stefan Davis ]
  • Web management console (webmin):
    • Upgraded webmin to v1.990.
    • Bugfix, refactor and improve TKLBAM Webmin module. Closes #178, #190, #288, #1065, #1260 & #1680. [ Jeremy Davis ]
    • Include webmin-firewall6 (firewall UI for IPv6) by default - part of #1658. [ Richard van Dijk ]
    • Update individual Webmin stunnel config to support IPv6 - part of #1658. [ Richard van Dijk ]
  • Web shell (shellinabox):
    • Update individual Webshell stunnel config to support IPv6 - part of #1658. [ Richard van Dijk ]
  • Backup (tklbam):
    • Change default NTPSERVER to one that also supports IPv6 - part of #1658. [ Richard van Dijk ]
    • Build specific py2 dependencies previously provided by Debian for Bullseye base (TKLBAM still py2). Ideally it should be updated to py3 (or rewritten) but we don't want to block v17.0 release any further.
    • No longer include live* related packages (e.g. di-live, live-tools, etc) in TKLBAM default package list (pkgs only in ISO and uninstalled on install). Closes #1681.
  • Security hardening & improvements:
    • Generate and use new TurnKey Bullseye keys.
    • Provide predefined dh_params (via 'turnkey-make-ssl-cert' where relevant) as per RFC7919 - part of #1653.
    • Enable TLS by default for use with Postfix.
    • Servers which include Apache|Lighttpd|Nginx now have HSTS and OCSP stapling configuration (not fully enabled by default, as it requires a valid SSL/TLS cert).
  • Misc bugfixes & feature implementations:
    • Remove redundant autologin, singleuser_shell & ssh_emptypw scripts from default common overlay.
    • Cleanup/tweak MOTD.
    • Update vim default conf path (for new version of vim in Bullseye).
    • Move Nginx & Lighttpd apps from FastCGI to PHP-FPM (apps with Nginx/Lighttpd only) - closes #1589.

Links