initial commit

.gitignore

@@ -0,0 +1 @@
+*.swp

ansible.cfg

@@ -0,0 +1,59 @@
+# config file for ansible -- http://ansible.com/
+# ==============================================
+# exmaple:https://raw.github.com/ansible/ansible/devel/examples/ansible.cfg
+#
+# nearly all parameters can be overridden in ansible-playbook
+# or with command line flags. ansible will read ANSIBLE_CONFIG,
+# ansible.cfg in the current working directory, .ansible.cfg in
+# the home directory or /etc/ansible/ansible.cfg, whichever it
+# finds first
+
+
+[defaults]
+# [DEPRECATION WARNING] 'ansible_managed' used in ansible.cfg
+#
+# The `ansible_managed` variable can be set just like any other variable, or a different 
+# variable can be used.
+#
+# Alternatives: Set the `ansible_managed` variable, or use any custom variable in templates.
+#
+# This feature will be removed from ansible-core version 2.23.
+#
+#ansible_managed = *** [ Ansible managed file: DO NOT EDIT DIRECTLY ] ***
+
+# Use of 'ansible_managed' 
+# 
+#    + use with filter 'comment' - WITHOUT leading comment sign:
+#
+#         {{ ansible_managed | comment }}
+#
+#
+#    + use without filter 'comment' - WITH leading comment sign:
+#
+#         # {{ ansible_managed }}
+
+#gathering = smart
+#fact_caching = jsonfile
+#fact_caching_connection = ~/.cache/
+#fact_caching_timeout = 86400
+#forks = 20
+inventory = ./hosts
+remote_user = chris
+roles_path = ./roles
+vault_password_file = open_the_vault.sh
+#retry_files_enabled = False
+#allow_world_readable_tmpfiles = True
+#interpreter_python: auto
+interpreter_python: /usr/bin/python3
+
+[privilege_escalation]
+become=True
+become_method=sudo
+become_ask_pass=True
+
+[ssh_connection]
+
+# By default, this option is disabled to preserve compatibility with
+# sudoers configurations that have requiretty (the default on many distros).
+#
+#pipelining = True

group_vars/all.yml

@@ -0,0 +1,4 @@
+---
+
+ansible_managed: >
+  *** ANSIBLE MANAGED FILE - DO NOT EDIT ***

group_vars/debian_trixie.yml

@@ -0,0 +1,34 @@
+---
+
+
+target_release: trixie
+
+debian_mirror: "http://deb.debian.org/debian"
+
+security_mirror: "http://security.debian.org/debian-security"
+
+components: "main contrib non-free non-free-firmware"
+
+enable_backports: true         # auf false setzen, wenn du keine Backports willst
+
+pin_backports_low: true        # Backports nur auf Anfrage
+
+# Nur manuelle Installation/Upgrade aus Backports:
+#    backports_pin_priority: 100
+#
+# Automatische Updates für bereits installierte Backports-Pakete.
+#    backports_pin_priority: 500 (>= 500)
+#
+backports_pin_priority: 100    # 100 = nie automatisch bevorzugen
+
+apt_cache_valid_time: 3600
+
+# Für offizielle Debian-Repos brauchst es kein Signed-By, weil debian-archive-keyring 
+# ohnehin systemweit vertrauenswürdig ist.
+#
+use_signed_by: true  # oder false, wenn du Option A willst
+
+# Wenn Signed-By explizit gesetzt werden soll, dann nutze den Keyring-Pfad und stelle sicher, 
+# dass das Paket installiert ist.
+#
+signed_by_keyring: "/usr/share/keyrings/debian-archive-keyring.gpg"

hosts

@@ -0,0 +1,3 @@
+[debian_trixie]
+o17.oopen.de
+

open_the_vault.sh

@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+echoerr() { echo "$@" 1>&2; }
+
+PWFILE="$HOME/.private/ansible/ansible-server-management-vault-passphrase"
+
+if test ! -f "$PWFILE"
+then
+  echoerr "File doesn't exist!"
+  exit 1
+fi
+
+perm=$(/bin/ls -l "$PWFILE" | awk '{print $1}')
+owner=$(/bin/ls -l "$PWFILE" | awk '{print $3}')
+group=$(/bin/ls -l "$PWFILE" | awk '{print $4}')
+#not everyone is using debian based foo. get primary group of user and test file group permission against it
+pgroup=$(id -gn)
+
+if [[ "$perm" != "-rw-------" ]] && [[ "$perm" != "-r--------" ]]
+then
+  echoerr "Wrong permissions!"
+  exit 1
+fi
+
+if test "$USER" != "$owner"
+then
+  echoerr "Wrong owner!"
+  exit 1
+fi
+
+if test "$pgroup" != "$group"
+then
+  echoerr "Wrong group!"
+  exit 1
+fi
+
+cat "$PWFILE"
+exit 0

playbooks/apt-migrate-to-trixie.yml

@@ -0,0 +1,106 @@
+---
+
+# ---
+# deb822 ist das neue Konfigurationsformats für APT-Quellen (Repositories).
+# Es basiert auf der Debian Control Syntax nach RFC 822 – daher der Name
+# ---
+
+- name: Nur APT auf Debian 13 (Trixie) migrieren
+  hosts: all
+  become: true
+  gather_facts: true
+
+  pre_tasks:
+    - name: Sicherstellen, dass wir Debian sind
+      assert:
+        that:
+          - ansible_facts['os_family'] == "Debian"
+          - (
+              (ansible_facts.get('distribution_major_version') is defined
+               and (ansible_facts.get('distribution_major_version') | int) == 13)
+              or
+              (ansible_facts.get('lsb') is defined
+               and ansible_facts['lsb'].get('codename') == "trixie")
+            )
+        fail_msg: "Dieses Playbook darf nur auf Debian 13 (Trixie) laufen."
+        success_msg: "System ist Debian 13 (Trixie) - weiter geht's."
+
+  tasks:
+
+    - name: Keyring für Debian-Archive sicherstellen (falls Signed-By genutzt)
+      ansible.builtin.apt:
+        name: debian-archive-keyring
+        state: present
+      when: use_signed_by
+
+    - name: (Optional) Alte /etc/apt/sources.list sichern
+      ansible.builtin.copy:
+        src: /etc/apt/sources.list
+        dest: /etc/apt/sources.list.before-trixie
+        remote_src: true
+        force: false
+      ignore_errors: true
+
+    - name: Alte /etc/apt/sources.list deaktivieren (leere Kommentar-Datei)
+      ansible.builtin.copy:
+        dest: /etc/apt/sources.list
+        content: |
+          # Verwaltet via Ansible. Repositories liegen in /etc/apt/sources.list.d/*.sources (deb822).
+          # Zielrelease: {{ target_release }}
+        owner: root
+        group: root
+        mode: "0644"
+
+    - name: Debian-Repo (deb + deb-src) als deb822 anlegen
+      ansible.builtin.template:
+        src: templates/apt-migrate-to-trixie/debian.sources.j2
+        dest: /etc/apt/sources.list.d/debian.sources
+        owner: root
+        group: root
+        mode: "0644"
+
+    - name: Security-Repo (deb + deb-src) als deb822 anlegen
+      ansible.builtin.template:
+        src: templates/apt-migrate-to-trixie/security.sources.j2
+        dest: /etc/apt/sources.list.d/security.sources
+        owner: root
+        group: root
+        mode: "0644"
+
+    - name: Backports-Repo (optional) als deb822 anlegen/entfernen
+      ansible.builtin.template:
+        src: templates/apt-migrate-to-trixie/backports.sources.j2
+        dest: /etc/apt/sources.list.d/backports.sources
+        owner: root
+        group: root
+        mode: "0644"
+      when: enable_backports
+    - name: Backports-Repo entfernen wenn deaktiviert
+      ansible.builtin.file:
+        path: /etc/apt/sources.list.d/backports.sources
+        state: absent
+      when: not enable_backports
+
+    - name: Optionales Backports-Pinning setzen
+      ansible.builtin.template:
+        src: templates/apt-migrate-to-trixie/99-backports.j2
+        dest: /etc/apt/preferences.d/99-backports
+        owner: root
+        group: root
+        mode: "0644"
+      when: enable_backports and pin_backports_low
+
+    - name: APT-Cache aktualisieren
+      ansible.builtin.apt:
+        update_cache: yes
+        cache_valid_time: "{{ apt_cache_valid_time }}"
+
+    - name: Verifikation - zeigen, ob Suites auf trixie stehen
+      ansible.builtin.command: apt-cache policy
+      register: apt_policy
+      changed_when: false
+
+    - name: Ausgabe anzeigen (nur Info)
+      ansible.builtin.debug:
+        msg: "{{ apt_policy.stdout.split('\n') | select('search', 'trixie') | list | join('\n') }}"
+

playbooks/templates/apt-migrate-to-trixie/99-backports.j2

@@ -0,0 +1,6 @@
+# {{ ansible_managed }}
+
+# Backports nicht automatisch bevorzugen
+Package: *
+Pin: release n={{ target_release }}-backports
+Pin-Priority: {{ backports_pin_priority }}

playbooks/templates/apt-migrate-to-trixie/backports.sources.j2

@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+
+# Verwaltet via Ansible - Backports für {{ target_release }}
+Types: deb deb-src
+URIs: {{ debian_mirror }}
+Suites: {{ target_release }}-backports
+Components: {{ components }}
+{% if use_signed_by %}
+Signed-By: {{ signed_by_keyring }}
+{% endif %}

playbooks/templates/apt-migrate-to-trixie/debian.sources.j2

@@ -0,0 +1,17 @@
+# {{ ansible_managed }}
+
+# Verwaltet via Ansible - Debian Basis & Updates für {{ target_release }}
+Types: deb deb-src
+URIs: {{ debian_mirror }}
+Suites: {{ target_release }} {{ target_release }}-updates
+Components: {{ components }}
+Signed-By: default
+EOF
+# Verwaltet via Ansible - Debian Basis & Updates für {{ target_release }}
+Types: deb deb-src
+URIs: {{ debian_mirror }}
+Suites: {{ target_release }} {{ target_release }}-updates
+Components: {{ components }}
+{% if use_signed_by %}
+Signed-By: {{ signed_by_keyring }}
+{% endif %}

playbooks/templates/apt-migrate-to-trixie/security.sources.j2

@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+
+# Verwaltet via Ansible - Security für {{ target_release }}
+Types: deb deb-src
+URIs: {{ security_mirror }}
+Suites: {{ target_release }}-security
+Components: {{ components }}
+{% if use_signed_by %}
+Signed-By: {{ signed_by_keyring }}
+{% endif %}