update..

roles/common/templates/etc/apt/sources.list.Debian.j2

@@ -62,9 +62,12 @@ deb {{ apt_debian_mirror }} {{ ansible_lsb.codename }}-updates contrib non-free
 {% if ansible_facts['distribution_major_version'] | int >= 12 %}
 deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free non-free-firmware
 {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free non-free-firmware
-{% else %}
+{% elif ansible_facts['distribution_major_version'] | int == 11 %}
 deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
 {{ '# ' if not apt_src_enable else '' }}deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
+{% else %}
+#deb {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
+#deb-src {{ apt_debian_mirror }} {{ ansible_distribution_release }}-backports main contrib non-free
 {% endif %}
 {% endif %}
 

roles/common/templates/etc/ssh/sshd_config.j2

@@ -30,8 +30,8 @@ ListenAddress {{ item }}
 {% endif %}
 
 # Specifies the protocol versions sshd(8) supports.
-# The possible values are ‘1’ , `2' and ‘1,2’.
-# The default is ‘2’.
+# The possible values are '1' , `2' and '1,2'.
+# The default is '2'.
 Protocol 2
 
 # HostKeys for protocol version 2
@@ -208,11 +208,42 @@ UsePAM {{ sshd_use_pam }}
 # Cryptography
 #-----------------------------
 
+# PubkeyAcceptedAlgorithms
+#
+# Specifies the signature algorithms that will be accepted for public key authentication as a list of
+# comma-separated patterns.  Alternately if the specified list begins with a '+' character, then the spec‐
+# ified algorithms will be appended to the default set instead of replacing them.  If the specified list
+# begins with a '-' character, then the specified algorithms (including wildcards) will be removed from
+# the default set instead of replacing them.  If the specified list begins with a '^' character, then the
+# specified algorithms will be placed at the head of the default set.  The default for this option is:
+#
+#      ssh-ed25519-cert-v01@openssh.com,
+#      ecdsa-sha2-nistp256-cert-v01@openssh.com,
+#      ecdsa-sha2-nistp384-cert-v01@openssh.com,
+#      ecdsa-sha2-nistp521-cert-v01@openssh.com,
+#      sk-ssh-ed25519-cert-v01@openssh.com,
+#      sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
+#      rsa-sha2-512-cert-v01@openssh.com,
+#      rsa-sha2-256-cert-v01@openssh.com,
+#      ssh-ed25519,
+#      ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+#      sk-ssh-ed25519@openssh.com,
+#      sk-ecdsa-sha2-nistp256@openssh.com,
+#      rsa-sha2-512,rsa-sha2-256
+#
+
+{% if (fact_sshd_pubkey_accepted_algorithms is defined) and fact_sshd_pubkey_accepted_algorithms %}
+PubkeyAcceptedAlgorithms {{ fact_sshd_pubkey_accepted_algorithms }}
+{% else %}
+#PubkeyAcceptedAlgorithms ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,sk-ssh-ed25519-cert-v01@openssh.com,sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ssh-ed25519@openssh.com,sk-ecdsa-sha2-nistp256@openssh.com,rsa-sha2-512,rsa-sha2-256
+{% endif %}
+
+
 # KexAlgorithms
 #
 # Specifies the available KEX (Key Exchange) algorithms.  Multiple algorithms must be comma-separated.
-# Alternately if the specified value begins with a ‘+’ character, then the specified methods will be ap‐
-# pended to the default set instead of replacing them.  If the specified value begins with a ‘-’ charac‐
+# Alternately if the specified value begins with a '+' character, then the specified methods will be ap‐
+# pended to the default set instead of replacing them.  If the specified value begins with a '-' charac‐
 # ter, then the specified methods (including wildcards) will be removed from the default set instead of
 # replacing them.  The supported algorithms are:
 #
@@ -248,8 +279,8 @@ KexAlgorithms {{ fact_sshd_kexalgorithms }}
 # Ciphers
 #
 # Specifies the ciphers allowed.  Multiple ciphers must be comma-separated.  If the specified value begins
-# with a ‘+’ character, then the specified ciphers will be appended to the default set instead of replac‐
-# ing them.  If the specified value begins with a ‘-’ character, then the specified ciphers (including
+# with a '+' character, then the specified ciphers will be appended to the default set instead of replac‐
+# ing them.  If the specified value begins with a '-' character, then the specified ciphers (including
 # wildcards) will be removed from the default set instead of replacing them.
 #
 # The supported ciphers are:
@@ -283,8 +314,8 @@ Ciphers {{ fact_sshd_ciphers }}
 #
 # Specifies the available MAC (message authentication code) algorithms.  The MAC algorithm is used for
 # data integrity protection.  Multiple algorithms must be comma-separated.  If the specified value begins
-# with a ‘+’ character, then the specified algorithms will be appended to the default set instead of re‐
-# placing them.  If the specified value begins with a ‘-’ character, then the specified algorithms (in‐
+# with a '+' character, then the specified algorithms will be appended to the default set instead of re‐
+# placing them.  If the specified value begins with a '-' character, then the specified algorithms (in‐
 # cluding wildcards) will be removed from the default set instead of replacing them.
 #
 # The algorithms that contain "-etm" calculate the MAC after encryption (encrypt-then-mac).  These are

roles/common/templates/etc/sudoers.d/50-user.j2

@@ -36,6 +36,11 @@ back {{ item }}
 {% endfor -%}
 
 
+{%- for item in sudoers_file_user_back_mount_privileges | default([]) %}
+back {{ item }}
+{% endfor -%}
+
+
 {%- if ansible_virtualization_role == 'host' %}
 
 {% for item in sudoers_file_user_back_disk_privileges | default([]) %}