update..

roles/common/tasks/nis-install-server.yml

@@ -37,6 +37,48 @@
     - nis-install-client
 
 
+# ---
+# Since Debian 11 (bullseye) password hashing uses 'yescrypt' by default. 
+#
+# Note:
+#    'yescrypt' is not supported by Debian 10 (buster) nor by Ubuntu 18.04 and smaller
+#
+# ---
+
+- name: (nis-install-server.yml) Check if file '/etc/pam.d/common-password' exists 
+  stat:
+    path: /etc/pam.d/common-password
+  register: file_etc_pam_d_common_password
+  tags:
+    - nis-install
+    - nis-install-server
+  when:
+    - ansible_facts['distribution'] == "Debian"
+    - ansible_facts['distribution_major_version']|int >= 11
+
+- name: (nis-install-server.yml) Check if default hash for password is 'yescrypt'
+  shell: "grep -i -q -E  '^password.+yescrypt' /etc/pam.d/common-password"
+  register: presence_of_passwprd_hashing_yescrypt
+  changed_when: 
+    - presence_of_passwprd_hashing_yescrypt.rc < 1
+  failed_when:
+    - presence_of_passwprd_hashing_yescrypt.rc >= 2
+  when:
+    - ansible_facts['distribution'] == "Debian"
+    - ansible_distribution_major_version|int >= 11
+    - ansible_distribution_major_version|int <= 12
+    - file_etc_pam_d_common_password.stat.exists == True
+
+- name: (nis-install-server.yml) Change default password hash for local system accounts from SHA-512 to yescrypt
+  shell: perl -i -n -p -e "s/^(password.+)yescrypt/\1sha512/" /etc/pam.d/common-password
+  when:
+    - ansible_facts['distribution'] == "Debian"
+    - ansible_facts['distribution_major_version']|int >= 11
+    - ansible_facts['distribution_major_version']|int <= 12
+    - file_etc_pam_d_common_password.stat.exists == True
+    - presence_of_passwprd_hashing_yescrypt is changed
+
+
 # ---
 # /etc/default/nis
 # ---

roles/common/templates/etc/apt/sources.list.Debian.j2

@@ -3,8 +3,24 @@
 deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main
 {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_lsb.codename }} main
 
-deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main
-{{ '# ' if not apt_src_enable else '' }}deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main
+{% if ansible_facts['distribution_major_version'] | int >= 11 %}
+deb http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
+{% else %}
+deb http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
+{% endif %}
+{% if not apt_src_enable %}
+{% if ansible_facts['distribution_major_version'] | int >= 11 %}
+#deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
+{% else %}
+#deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
+{% endif %}
+{% else %}
+{% if ansible_facts['distribution_major_version'] | int >= 11 %}
+deb-src http://security.debian.org/debian-security {{ ansible_lsb.codename }}-security main contrib non-free
+{% else %}
+deb-src http://security.debian.org/ {{ ansible_lsb.codename }}/updates main contrib non-free
+{% endif %}
+{% endif %}
 
 # {{ ansible_lsb.codename }}-updates, previously known as 'volatile'
 deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates main

roles/common/templates/etc/apt/sources.list.Ubuntu.j2

@@ -0,0 +1,11 @@
+# {{ ansible_managed }}
+
+deb {{ apt_ubuntu_mirror }} {{ ansible_lsb.codename }} main restricted universe multiverse
+deb {{ apt_ubuntu_mirror }} {{ ansible_lsb.codename }}-updates main restricted universe multiverse
+
+deb http://security.ubuntu.com/ubuntu {{ ansible_lsb.codename }}-security main restricted universe multiverse
+
+{% if apt_backports_enable %}
+deb {{ apt_ubuntu_mirror }} {{ ansible_lsb.codename }}-backports main restricted universe multiverse
+{% endif %}
+