From 0e9d3781e9e65adab3680d4f1b1d3f8cfc7c906c Mon Sep 17 00:00:00 2001
From: Christoph
Date: Sun, 9 Nov 2025 23:29:21 +0100
Subject: [PATCH] initial commit
---
 .gitignore | 1 +
 ansible.cfg | 59 ++++++++++
 group_vars/all.yml | 4 +
 group_vars/debian_trixie.yml | 34 ++++++
 hosts | 3 +
 open_the_vault.sh | 38 +++++++
 playbooks/apt-migrate-to-trixie.yml | 106 ++++++++++++++++++
 .../apt-migrate-to-trixie/99-backports.j2 | 6 +
 .../backports.sources.j2 | 10 ++
 .../apt-migrate-to-trixie/debian.sources.j2 | 17 +++
 .../apt-migrate-to-trixie/security.sources.j2 | 10 ++
 11 files changed, 288 insertions(+)
 create mode 100644 .gitignore
 create mode 100644 ansible.cfg
 create mode 100644 group_vars/all.yml
 create mode 100644 group_vars/debian_trixie.yml
 create mode 100644 hosts
 create mode 100755 open_the_vault.sh
 create mode 100644 playbooks/apt-migrate-to-trixie.yml
 create mode 100644 playbooks/templates/apt-migrate-to-trixie/99-backports.j2
 create mode 100644 playbooks/templates/apt-migrate-to-trixie/backports.sources.j2
 create mode 100644 playbooks/templates/apt-migrate-to-trixie/debian.sources.j2
 create mode 100644 playbooks/templates/apt-migrate-to-trixie/security.sources.j2
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..1377554
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+*.swp
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..512282c
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,59 @@
+# config file for ansible -- http://ansible.com/
+# ==============================================
+# exmaple:https://raw.github.com/ansible/ansible/devel/examples/ansible.cfg
+#
+# nearly all parameters can be overridden in ansible-playbook
+# or with command line flags. ansible will read ANSIBLE_CONFIG,
+# ansible.cfg in the current working directory, .ansible.cfg in
+# the home directory or /etc/ansible/ansible.cfg, whichever it
+# finds first
+
+
+[defaults]
+# [DEPRECATION WARNING] 'ansible_managed' used in ansible.cfg
+#
+# The `ansible_managed` variable can be set just like any other variable, or a different
+# variable can be used.
+#
+# Alternatives: Set the `ansible_managed` variable, or use any custom variable in templates.
+#
+# This feature will be removed from ansible-core version 2.23.
+#
+#ansible_managed = *** [ Ansible managed file: DO NOT EDIT DIRECTLY ] ***
+
+# Use of 'ansible_managed'
+#
+# + use with filter 'comment' - WITHOUT leading comment sign:
+#
+# {{ ansible_managed | comment }}
+#
+#
+# + use without filter 'comment' - WITH leading comment sign:
+#
+# # {{ ansible_managed }}
+
+#gathering = smart
+#fact_caching = jsonfile
+#fact_caching_connection = ~/.cache/
+#fact_caching_timeout = 86400
+#forks = 20
+inventory = ./hosts
+remote_user = chris
+roles_path = ./roles
+vault_password_file = open_the_vault.sh
+#retry_files_enabled = False
+#allow_world_readable_tmpfiles = True
+#interpreter_python: auto
+interpreter_python: /usr/bin/python3
+
+[privilege_escalation]
+become=True
+become_method=sudo
+become_ask_pass=True
+
+[ssh_connection]
+
+# By default, this option is disabled to preserve compatibility with
+# sudoers configurations that have requiretty (the default on many distros).
+#
+#pipelining = True
diff --git a/group_vars/all.yml b/group_vars/all.yml
new file mode 100644
index 0000000..e195216
--- /dev/null
+++ b/group_vars/all.yml
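Review bot: `interpreter_python: /usr/bin/python3` is written with a `:` delimiter while every other active key in the file uses `=`; the configparser that ansible reads this file with accepts both, but the mixed form looks like a pasted YAML fragment and is easy to misread, so `interpreter_python = /usr/bin/python3` (and the same for the commented `auto` line above it) would be consistent. Pinning the interpreter path instead of `auto_silent` is reasonable for an inventory that only holds Debian hosts, but a one-line comment saying that is the intent would save the next reader a guess. The header comment also has a typo, `exmaple` for `example`.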
@@ -0,0 +1,4 @@
+---
+
+ansible_managed: >
+ *** ANSIBLE MANAGED FILE - DO NOT EDIT ***
diff --git a/group_vars/debian_trixie.yml b/group_vars/debian_trixie.yml
new file mode 100644
index 0000000..ae57954
--- /dev/null
+++ b/group_vars/debian_trixie.yml
@@ -0,0 +1,34 @@
+---
+
+
+target_release: trixie
+
+debian_mirror: "http://deb.debian.org/debian"
+
+security_mirror: "http://security.debian.org/debian-security"
+
+components: "main contrib non-free non-free-firmware"
+
+enable_backports: true # auf false setzen, wenn du keine Backports willst
+
+pin_backports_low: true # Backports nur auf Anfrage
+
+# Nur manuelle Installation/Upgrade aus Backports:
+# backports_pin_priority: 100
+#
+# Automatische Updates für bereits installierte Backports-Pakete.
+# backports_pin_priority: 500 (>= 500)
+#
+backports_pin_priority: 100 # 100 = nie automatisch bevorzugen
+
+apt_cache_valid_time: 3600
+
+# Für offizielle Debian-Repos brauchst es kein Signed-By, weil debian-archive-keyring
+# ohnehin systemweit vertrauenswürdig ist.
+#
+use_signed_by: true # oder false, wenn du Option A willst
+
+# Wenn Signed-By explizit gesetzt werden soll, dann nutze den Keyring-Pfad und stelle sicher,
+# dass das Paket installiert ist.
+#
+signed_by_keyring: "/usr/share/keyrings/debian-archive-keyring.gpg"
diff --git a/hosts b/hosts
new file mode 100644
index 0000000..da67032
--- /dev/null
+++ b/hosts
@@ -0,0 +1,3 @@
+[debian_trixie]
+o17.oopen.de
+
diff --git a/open_the_vault.sh b/open_the_vault.sh
new file mode 100755
index 0000000..d0d119b
--- /dev/null
+++ b/open_the_vault.sh
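Review bot: In group_vars/debian_trixie.yml both `debian_mirror` and `security_mirror` are plain `http://` URIs; apt's release-file signature verification remains the integrity control either way, but both hosts are reachable over TLS, and `https://` keeps the list of packages and versions a host fetches out of an on-path observer's view at no cost on trixie, so consider `debian_mirror: "https://deb.debian.org/debian"` and `security_mirror: "https://security.debian.org/debian-security"`. The comment on `use_signed_by` refers to "Option A", which is defined nowhere in this commit; spelling it out, e.g. `# false = Option A: nur auf den systemweit vertrauten debian-archive-keyring verlassen, kein explizites Signed-By`, would make the switch self-explanatory.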
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+echoerr() { echo "$@" 1>&2; }
+
+PWFILE="$HOME/.private/ansible/ansible-server-management-vault-passphrase"
+
+if test ! -f "$PWFILE"
+then
+ echoerr "File doesn't exist!"
+ exit 1
+fi
+
+perm=$(/bin/ls -l "$PWFILE" | awk '{print $1}')
+owner=$(/bin/ls -l "$PWFILE" | awk '{print $3}')
+group=$(/bin/ls -l "$PWFILE" | awk '{print $4}')
+#not everyone is using debian based foo. get primary group of user and test file group permission against it
+pgroup=$(id -gn)
+
+if [[ "$perm" != "-rw-------" ]] && [[ "$perm" != "-r--------" ]]
+then
+ echoerr "Wrong permissions!"
+ exit 1
+fi
+
+if test "$USER" != "$owner"
+then
+ echoerr "Wrong owner!"
+ exit 1
+fi
+
+if test "$pgroup" != "$group"
+then
+ echoerr "Wrong group!"
+ exit 1
+fi
+
+cat "$PWFILE"
+exit 0
diff --git a/playbooks/apt-migrate-to-trixie.yml b/playbooks/apt-migrate-to-trixie.yml
new file mode 100644
index 0000000..772e853
--- /dev/null
+++ b/playbooks/apt-migrate-to-trixie.yml
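Review bot: The owner check `if test "$USER" != "$owner"` relies on `$USER`, which is inherited from the environment rather than derived from the process's uid and is unset in some non-login contexts (cron, minimal shells), so the script can print "Wrong owner!" and exit 1 although the file is fine; deriving it the same way `pgroup` already is, `me=$(id -un)` and `if test "$me" != "$owner"`, removes that dependency. The permission check parses `ls -l`, whose mode field carries a trailing `+` or `.` when the file has an ACL or a security label, so such a file is rejected even at mode 0600 — that is the safe direction, but a comment stating it is intended would help, or `stat -c '%a %U %G'` where GNU stat is available (the comment above `pgroup` suggests portability matters, so this is only a suggestion). `set -u` near the top would also turn any unset variable into an error instead of an empty comparison.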
@@ -0,0 +1,106 @@
+---
+
+# ---
+# deb822 ist das neue Konfigurationsformats für APT-Quellen (Repositories).
+# Es basiert auf der Debian Control Syntax nach RFC 822 – daher der Name
+# ---
+
+- name: Nur APT auf Debian 13 (Trixie) migrieren
+ hosts: all
+ become: true
+ gather_facts: true
+
+ pre_tasks:
+ - name: Sicherstellen, dass wir Debian sind
+ assert:
+ that:
+ - ansible_facts['os_family'] == "Debian"
+ - (
+ (ansible_facts.get('distribution_major_version') is defined
+ and (ansible_facts.get('distribution_major_version') | int) == 13)
+ or
+ (ansible_facts.get('lsb') is defined
+ and ansible_facts['lsb'].get('codename') == "trixie")
+ )
+ fail_msg: "Dieses Playbook darf nur auf Debian 13 (Trixie) laufen."
+ success_msg: "System ist Debian 13 (Trixie) - weiter geht's."
+
+ tasks:
+
+ - name: Keyring für Debian-Archive sicherstellen (falls Signed-By genutzt)
+ ansible.builtin.apt:
+ name: debian-archive-keyring
+ state: present
+ when: use_signed_by
+
+ - name: (Optional) Alte /etc/apt/sources.list sichern
+ ansible.builtin.copy:
+ src: /etc/apt/sources.list
+ dest: /etc/apt/sources.list.before-trixie
+ remote_src: true
+ force: false
+ ignore_errors: true
+
+ - name: Alte /etc/apt/sources.list deaktivieren (leere Kommentar-Datei)
+ ansible.builtin.copy:
+ dest: /etc/apt/sources.list
+ content: |
+ # Verwaltet via Ansible. Repositories liegen in /etc/apt/sources.list.d/*.sources (deb822).
+ # Zielrelease: {{ target_release }}
+ owner: root
+ group: root
+ mode: "0644"
+
+ - name: Debian-Repo (deb + deb-src) als deb822 anlegen
+ ansible.builtin.template:
+ src: templates/apt-migrate-to-trixie/debian.sources.j2
+ dest: /etc/apt/sources.list.d/debian.sources
+ owner: root
+ group: root
+ mode: "0644"
+
+ - name: Security-Repo (deb + deb-src) als deb822 anlegen
+ ansible.builtin.template:
+ src: templates/apt-migrate-to-trixie/security.sources.j2
+ dest: /etc/apt/sources.list.d/security.sources
+ owner: root
+ group: root
+ mode: "0644"
+
+ - name: Backports-Repo (optional) als deb822 anlegen/entfernen
+ ansible.builtin.template:
+ src: templates/apt-migrate-to-trixie/backports.sources.j2
+ dest: /etc/apt/sources.list.d/backports.sources
+ owner: root
+ group: root
+ mode: "0644"
+ when: enable_backports
+ - name: Backports-Repo entfernen wenn deaktiviert
+ ansible.builtin.file:
+ path: /etc/apt/sources.list.d/backports.sources
+ state: absent
+ when: not enable_backports
+
+ - name: Optionales Backports-Pinning setzen
+ ansible.builtin.template:
+ src: templates/apt-migrate-to-trixie/99-backports.j2
+ dest: /etc/apt/preferences.d/99-backports
+ owner: root
+ group: root
+ mode: "0644"
+ when: enable_backports and pin_backports_low
+
+ - name: APT-Cache aktualisieren
+ ansible.builtin.apt:
+ update_cache: yes
+ cache_valid_time: "{{ apt_cache_valid_time }}"
+
+ - name: Verifikation - zeigen, ob Suites auf trixie stehen
+ ansible.builtin.command: apt-cache policy
+ register: apt_policy
+ changed_when: false
+
+ - name: Ausgabe anzeigen (nur Info)
+ ansible.builtin.debug:
+ msg: "{{ apt_policy.stdout.split('\n') | select('search', 'trixie') | list | join('\n') }}"
+
diff --git a/playbooks/templates/apt-migrate-to-trixie/99-backports.j2 b/playbooks/templates/apt-migrate-to-trixie/99-backports.j2
new file mode 100644
index 0000000..6dfe047
--- /dev/null
+++ b/playbooks/templates/apt-migrate-to-trixie/99-backports.j2
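Review bot: Only /etc/apt/sources.list is neutralised by the `Alte /etc/apt/sources.list deaktivieren` task; any one-line-format files a host still carries in /etc/apt/sources.list.d/*.list (an old bookworm mirror, a third-party repo) stay active next to the new trixie stanzas, so the closing `apt-cache policy` check can still show the old suite and the migration is not self-contained. Whether such files exist on the target is not visible from here, but a find-and-rename step before the templates are written would close that gap; a sketch follows. Separately, `ignore_errors: true` on the `(Optional) Alte /etc/apt/sources.list sichern` task also hides a failed backup copy, after which the next task overwrites the original, so an `ansible.builtin.stat` guard that only skips the missing-file case would be safer. As a point of style, the pre_tasks `assert:` is the one module in the play written without its `ansible.builtin.` prefix.
```yaml
    # … unchanged: keyring task and sources.list backup …

    - name: Alte Einzeiler-Quellen in sources.list.d finden
      ansible.builtin.find:
        paths: /etc/apt/sources.list.d
        patterns: "*.list"
      register: legacy_lists

    - name: Alte Einzeiler-Quellen beiseite legen (umbenennen statt löschen)
      ansible.builtin.command:
        cmd: 'mv "{{ item.path }}" "{{ item.path }}.before-trixie"'
        creates: "{{ item.path }}.before-trixie"
      loop: "{{ legacy_lists.files }}"

    # … unchanged: deb822 templates, pinning, apt update, verification …
```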
@@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+
+# Backports nicht automatisch bevorzugen
+Package: *
+Pin: release n={{ target_release }}-backports
+Pin-Priority: {{ backports_pin_priority }}
diff --git a/playbooks/templates/apt-migrate-to-trixie/backports.sources.j2 b/playbooks/templates/apt-migrate-to-trixie/backports.sources.j2
new file mode 100644
index 0000000..cc4c490
--- /dev/null
+++ b/playbooks/templates/apt-migrate-to-trixie/backports.sources.j2
@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+
+# Verwaltet via Ansible - Backports für {{ target_release }}
+Types: deb deb-src
+URIs: {{ debian_mirror }}
+Suites: {{ target_release }}-backports
+Components: {{ components }}
+{% if use_signed_by %}
+Signed-By: {{ signed_by_keyring }}
+{% endif %}
diff --git a/playbooks/templates/apt-migrate-to-trixie/debian.sources.j2 b/playbooks/templates/apt-migrate-to-trixie/debian.sources.j2
new file mode 100644
index 0000000..573bdda
--- /dev/null
+++ b/playbooks/templates/apt-migrate-to-trixie/debian.sources.j2
@@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+
+# Verwaltet via Ansible - Debian Basis & Updates für {{ target_release }}
+Types: deb deb-src
+URIs: {{ debian_mirror }}
+Suites: {{ target_release }} {{ target_release }}-updates
+Components: {{ components }}
+Signed-By: default
+EOF
+# Verwaltet via Ansible - Debian Basis & Updates für {{ target_release }}
+Types: deb deb-src
+URIs: {{ debian_mirror }}
+Suites: {{ target_release }} {{ target_release }}-updates
+Components: {{ components }}
+{% if use_signed_by %}
+Signed-By: {{ signed_by_keyring }}
+{% endif %}
diff --git a/playbooks/templates/apt-migrate-to-trixie/security.sources.j2 b/playbooks/templates/apt-migrate-to-trixie/security.sources.j2
new file mode 100644
index 0000000..f3bddd0
--- /dev/null
+++ b/playbooks/templates/apt-migrate-to-trixie/security.sources.j2
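Review bot: debian.sources.j2 renders two stanzas: the first ends in `Signed-By: default` followed by a bare `EOF` line, which looks like heredoc scaffolding left over from a shell paste, and the second repeats the whole block with the `use_signed_by` switch. `EOF` is not a `Key: value` line, so apt should reject the rendered /etc/apt/sources.list.d/debian.sources as malformed and the later `APT-Cache aktualisieren` task would fail; `default` is not a keyring path either, so even a lenient parser would not get a usable first stanza. Delete everything from `Signed-By: default` through the second `# Verwaltet via Ansible - Debian Basis & Updates für {{ target_release }}` header so the template holds a single stanza, matching backports.sources.j2 and security.sources.j2.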
@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+
+# Verwaltet via Ansible - Security für {{ target_release }}
+Types: deb deb-src
+URIs: {{ security_mirror }}
+Suites: {{ target_release }}-security
+Components: {{ components }}
+{% if use_signed_by %}
+Signed-By: {{ signed_by_keyring }}
+{% endif %}