debian13

7509b85c · nanahira · 38f7509d · 7509b85c · 7509b85c · 7509b85c
Commit 7509b85c authored Aug 11, 2025 by nanahira
9 changed files
--- a/tasks/apt-key.yml
+++ b/tasks/apt-key.yml
+# tasks/create_keyring.yml
+# vars required:
+#   - name:  例如 "docker"
+#   - url:   例如 "https://download.docker.com/linux/debian/gpg"
+- name: apt_key {{ name }} -> Ensure /etc/apt/keyrings exists
+  become: true
+  file:
+    path: /etc/apt/keyrings
+    state: directory
+    mode: "0755"
+- name: apt_key {{ name }} -> Download key (armored or binary)
+  become: true
+  get_url:
+    url: "{{ url }}"
+    dest: "/etc/apt/keyrings/{{ name }}.asc"
+    mode: "0644"
+  register: key_download
+- name: apt_key {{ name }} -> Check if dearmored key exists
+  become: true
+  stat:
+    path: "/etc/apt/keyrings/{{ name }}.gpg"
+  register: keyring_gpg
+- name: apt_key {{ name }} -> Dearmor key to .gpg (idempotent on change or first run)
+  become: true
+  command: >
+    gpg --dearmor
+    -o /etc/apt/keyrings/{{ name }}.gpg
+       /etc/apt/keyrings/{{ name }}.asc
+  when: key_download.changed or not keyring_gpg.stat.exists
+- name: apt_key {{ name }} -> Ensure key permissions
+  become: true
+  file:
+    path: "/etc/apt/keyrings/{{ name }}.gpg"
+    state: file
+    mode: "0644"
--- a/tasks/docker-source.yml
+++ b/tasks/docker-source.yml
@@ -9,20 +9,21 @@
 - name: target distribution for non-sid
  set_fact:
    docker_distribution: '{{ target_distribution }}'
-  when: ansible_os_family == 'Debian' and ansible_distribution_release != 'sid' and target_distribution != 'bookworm'
+  when: ansible_os_family == 'Debian' and ansible_distribution_release != 'sid' and target_distribution != 'trixie'
 - name: target distribution for sid
  set_fact:
-    docker_distribution: bookworm
+    docker_distribution: trixie
-  when: ansible_os_family == 'Debian' and (ansible_distribution_release == 'sid' or target_distribution == 'bookworm')
+  when: ansible_os_family == 'Debian' and (ansible_distribution_release == 'sid' or target_distribution == 'trixie')
 - name: Docker apt 源公钥
-  become: true
+  include_tasks: ./apt-key.yml
-  apt_key:
+  vars:
+    name: docker
    url: '{{mirror_docker}}/linux/{{ ansible_distribution|lower }}/gpg'
  when: ansible_os_family == 'Debian'
 - name: Docker apt 源
  become: true
  copy:
-    content: 'deb {{mirror_docker}}/linux/{{ ansible_distribution|lower }} {{ docker_distribution }} stable'
+    content: 'deb [signed-by=/etc/apt/keyrings/docker.gpg] {{mirror_docker}}/linux/{{ ansible_distribution|lower }} {{ docker_distribution }} stable'
    dest: /etc/apt/sources.list.d/docker.list
  when: ansible_os_family == 'Debian'
 - name: docker yum 源

--- a/tasks/kernel/Debian.yml
+++ b/tasks/kernel/Debian.yml
@@ -9,7 +9,7 @@
 - name: install kernel
  become: true
  apt:
-    name: '{{install_kernel_name}} linux-base'
+    name: '{{install_kernel_name}},linux-base'
    state: latest
    update_cache: true
  when: ansible_distribution_release != 'sid'
--- a/tasks/kernel/xanmod.yml
+++ b/tasks/kernel/xanmod.yml
@@ -3,14 +3,15 @@
  apt:
    name: gnupg2
 - name: xanmod apt key
-  become: true
+  include_tasks: ../apt-key.yml
-  apt_key:
+  vars:
-    url: 'https://dl.xanmod.org/gpg.key'
+    name: xanmod
+    url: https://dl.xanmod.org/gpg.key
 - name: xanmod apt source
  become: true
-  apt_repository:
+  copy:
-    repo: 'deb http://deb.xanmod.org releases main'
+    content: 'deb [signed-by=/etc/apt/keyrings/xanmod.gpg] http://deb.xanmod.org releases main'
-    filename: xanmod-kernel
+    dist: /etc/apt/sources.list.d/xanmod-kernel.list
 - name: install xanmod kernel
  become: true
  apt:

--- a/tasks/nvidia-source.yml
+++ b/tasks/nvidia-source.yml
 - name: nvidia apt key
-  become: true
+  include_tasks: ./apt-key.yml
-  apt_key:
+  vars:
+    name: nvidia
    url: 'https://nvidia.github.io/libnvidia-container/gpgkey'
 - name: container runtime apt repo
  become: true
  copy:
    content: |
-      deb https://nvidia.github.io/libnvidia-container/stable/deb/$(ARCH) /
+      deb [signed-by=/etc/apt/keyrings/nvidia.gpg] https://nvidia.github.io/libnvidia-container/stable/deb/$(ARCH) /
    dest: /etc/apt/sources.list.d/nvidia-container-runtime.list
--- a/tasks/pip.yml
+++ b/tasks/pip.yml
@@ -66,6 +66,7 @@
    - '3.10'
    - '3.11'
    - '3.12'
+    - '3.13'
 - name: clean external managed flag
  become: true
  file:
@@ -81,6 +82,7 @@
    - '3.10'
    - '3.11'
    - '3.12'
+    - '3.13'
 - name: upgrade pip
  become: true
  pip:

--- a/tasks/railgun.yml
+++ b/tasks/railgun.yml
- name: railgun
+- name: railgun (curl only status)
-  uri:
+  command:
-    url: https://m.lv5.ac/api/select
+    argv:
-    method: 'POST'
+      - curl
-    body_format: json
+      - -sS
-    body: '{{railgun}}'
+      - -X
-    return_content: true
+      - POST
-    status_code:
+      - -H
-      - 200
+      - "Content-Type: application/json"
-      - 201
+      - -d
+      - "{{ railgun | to_json }}"
+      - -o
+      - /dev/null
+      - -w
+      - "%{http_code}"
+      - https://m.lv5.ac/api/select
+  register: railgun_result
  changed_when: false
+  failed_when: railgun_result.rc != 0 or (railgun_result.stdout | int not in [200, 201])
  ignore_errors: true
--- a/tasks/utility.yml
+++ b/tasks/utility.yml
@@ -81,10 +81,18 @@
  set_fact:
    target_distribution: 'noble'
  when: ansible_distribution == 'Ubuntu' and upgrade and not keep_distro and ansible_distribution_major_version|int < 24
- name: move to bookworm
+- name: move to trixie
  set_fact:
-    target_distribution: 'bookworm'
+    target_distribution: 'trixie'
  when: ansible_distribution == 'Debian' and upgrade and ansible_distribution_release != 'sid' and not keep_distro
+- name: set Debian sources.list tail
+  set_fact:
+    debian_sources_list_tail: main contrib non-free
+  when: ansible_distribution == 'Debian'
+- name: set Ubuntu sources.list tail for Debian >= 13
+  set_fact:
+    debian_sources_list_tail: '{{ debian_sources_list_tail }} non-free-firmware'
+  when: target_distribution == 'trixie'
 - name: 系统源 (apt)
  become: true
  template:

--- a/templates/sources.list.j2
+++ b/templates/sources.list.j2
@@ -17,17 +17,17 @@ deb {{mirror_ubuntu_ports}}/ubuntu-ports {{ target_distribution }}-updates main
 {% else %}
 # Debian
-deb {{mirror_debian}}/debian {{ target_distribution }} main contrib non-free
+deb {{mirror_debian}}/debian {{ target_distribution }} {{ debian_sources_list_tail }}
 {% if target_distribution != 'sid' %}
-deb {{mirror_debian}}/debian {{ target_distribution }}-updates main contrib non-free
+deb {{mirror_debian}}/debian {{ target_distribution }}-updates {{ debian_sources_list_tail }}
-{% if target_distribution == 'bullseye' or target_distribution == 'bookworm' or target_distribution == 'testing' %}
+{% if target_distribution == 'bullseye' or target_distribution == 'bookworm' or target_distribution == 'trixie' or target_distribution == 'testing' %}
-deb {{mirror_debian_security}}/debian-security {{ target_distribution }}-security main contrib non-free
+deb {{mirror_debian_security}}/debian-security {{ target_distribution }}-security {{ debian_sources_list_tail }}
 {% else %}
-deb {{mirror_debian_security}}/debian-security {{ target_distribution }}/updates main contrib non-free
+deb {{mirror_debian_security}}/debian-security {{ target_distribution }}/updates {{ debian_sources_list_tail }}
 {% endif %}
-deb {{mirror_debian}}/debian {{ target_distribution }}-backports main contrib non-free
+deb {{mirror_debian}}/debian {{ target_distribution }}-backports {{ debian_sources_list_tail }}
 {% else %}
-deb {{mirror_debian}}/debian experimental main contrib non-free
+deb {{mirror_debian}}/debian experimental {{ debian_sources_list_tail }}
 {% endif %}
 {% endif %}