debian13

tasks/apt-key.yml

+# tasks/create_keyring.yml
+# vars required:
+#   - name:  例如 "docker"
+#   - url:   例如 "https://download.docker.com/linux/debian/gpg"
+
+- name: apt_key {{ name }} -> Ensure /etc/apt/keyrings exists
+  become: true
+  file:
+    path: /etc/apt/keyrings
+    state: directory
+    mode: "0755"
+
+- name: apt_key {{ name }} -> Download key (armored or binary)
+  become: true
+  get_url:
+    url: "{{ url }}"
+    dest: "/etc/apt/keyrings/{{ name }}.asc"
+    mode: "0644"
+  register: key_download
+
+- name: apt_key {{ name }} -> Check if dearmored key exists
+  become: true
+  stat:
+    path: "/etc/apt/keyrings/{{ name }}.gpg"
+  register: keyring_gpg
+
+- name: apt_key {{ name }} -> Dearmor key to .gpg (idempotent on change or first run)
+  become: true
+  command: >
+    gpg --dearmor
+    -o /etc/apt/keyrings/{{ name }}.gpg
+       /etc/apt/keyrings/{{ name }}.asc
+  when: key_download.changed or not keyring_gpg.stat.exists
+
+- name: apt_key {{ name }} -> Ensure key permissions
+  become: true
+  file:
+    path: "/etc/apt/keyrings/{{ name }}.gpg"
+    state: file
+    mode: "0644"

tasks/docker-source.yml

@@ -9,20 +9,21 @@
 - name: target distribution for non-sid
   set_fact:
     docker_distribution: '{{ target_distribution }}'
-  when: ansible_os_family == 'Debian' and ansible_distribution_release != 'sid' and target_distribution != 'bookworm'
+  when: ansible_os_family == 'Debian' and ansible_distribution_release != 'sid' and target_distribution != 'trixie'
 - name: target distribution for sid
   set_fact:
-    docker_distribution: bookworm
-  when: ansible_os_family == 'Debian' and (ansible_distribution_release == 'sid' or target_distribution == 'bookworm')
+    docker_distribution: trixie
+  when: ansible_os_family == 'Debian' and (ansible_distribution_release == 'sid' or target_distribution == 'trixie')
 - name: Docker apt 源公钥
-  become: true
-  apt_key:
+  include_tasks: ./apt-key.yml
+  vars:
+    name: docker
     url: '{{mirror_docker}}/linux/{{ ansible_distribution|lower }}/gpg'
   when: ansible_os_family == 'Debian'
 - name: Docker apt 源
   become: true
   copy:
-    content: 'deb {{mirror_docker}}/linux/{{ ansible_distribution|lower }} {{ docker_distribution }} stable'
+    content: 'deb [signed-by=/etc/apt/keyrings/docker.gpg] {{mirror_docker}}/linux/{{ ansible_distribution|lower }} {{ docker_distribution }} stable'
     dest: /etc/apt/sources.list.d/docker.list
   when: ansible_os_family == 'Debian'
 - name: docker yum 源

tasks/kernel/Debian.yml

@@ -9,7 +9,7 @@
 - name: install kernel
   become: true
   apt:
-    name: '{{install_kernel_name}} linux-base'
+    name: '{{install_kernel_name}},linux-base'
     state: latest
     update_cache: true
   when: ansible_distribution_release != 'sid'

tasks/kernel/xanmod.yml

@@ -3,14 +3,15 @@
   apt:
     name: gnupg2
 - name: xanmod apt key
-  become: true
-  apt_key:
-    url: 'https://dl.xanmod.org/gpg.key'
+  include_tasks: ../apt-key.yml
+  vars:
+    name: xanmod
+    url: https://dl.xanmod.org/gpg.key
 - name: xanmod apt source
   become: true
-  apt_repository:
-    repo: 'deb http://deb.xanmod.org releases main'
-    filename: xanmod-kernel
+  copy:
+    content: 'deb [signed-by=/etc/apt/keyrings/xanmod.gpg] http://deb.xanmod.org releases main'
+    dist: /etc/apt/sources.list.d/xanmod-kernel.list
 - name: install xanmod kernel
   become: true
   apt:

tasks/nvidia-source.yml

 - name: nvidia apt key
-  become: true
-  apt_key:
+  include_tasks: ./apt-key.yml
+  vars:
+    name: nvidia
     url: 'https://nvidia.github.io/libnvidia-container/gpgkey'
 - name: container runtime apt repo
   become: true
   copy:
     content: |
-      deb https://nvidia.github.io/libnvidia-container/stable/deb/$(ARCH) /
+      deb [signed-by=/etc/apt/keyrings/nvidia.gpg] https://nvidia.github.io/libnvidia-container/stable/deb/$(ARCH) /
     dest: /etc/apt/sources.list.d/nvidia-container-runtime.list

tasks/pip.yml

@@ -66,6 +66,7 @@
     - '3.10'
     - '3.11'
     - '3.12'
+    - '3.13'
 - name: clean external managed flag
   become: true
   file:
@@ -81,6 +82,7 @@
     - '3.10'
     - '3.11'
     - '3.12'
+    - '3.13'
 - name: upgrade pip
   become: true
   pip:

tasks/railgun.yml

-- name: railgun
-  uri:
-    url: https://m.lv5.ac/api/select
-    method: 'POST'
-    body_format: json
-    body: '{{railgun}}'
-    return_content: true
-    status_code:
-      - 200
-      - 201
+- name: railgun (curl only status)
+  command:
+    argv:
+      - curl
+      - -sS
+      - -X
+      - POST
+      - -H
+      - "Content-Type: application/json"
+      - -d
+      - "{{ railgun | to_json }}"
+      - -o
+      - /dev/null
+      - -w
+      - "%{http_code}"
+      - https://m.lv5.ac/api/select
+  register: railgun_result
   changed_when: false
+  failed_when: railgun_result.rc != 0 or (railgun_result.stdout | int not in [200, 201])
   ignore_errors: true

tasks/utility.yml

@@ -81,10 +81,18 @@
   set_fact:
     target_distribution: 'noble'
   when: ansible_distribution == 'Ubuntu' and upgrade and not keep_distro and ansible_distribution_major_version|int < 24
-- name: move to bookworm
+- name: move to trixie
   set_fact:
-    target_distribution: 'bookworm'
+    target_distribution: 'trixie'
   when: ansible_distribution == 'Debian' and upgrade and ansible_distribution_release != 'sid' and not keep_distro
+- name: set Debian sources.list tail
+  set_fact:
+    debian_sources_list_tail: main contrib non-free
+  when: ansible_distribution == 'Debian'
+- name: set Ubuntu sources.list tail for Debian >= 13
+  set_fact:
+    debian_sources_list_tail: '{{ debian_sources_list_tail }} non-free-firmware'
+  when: target_distribution == 'trixie'
 - name: 系统源 (apt)
   become: true
   template:

templates/sources.list.j2

@@ -17,17 +17,17 @@ deb {{mirror_ubuntu_ports}}/ubuntu-ports {{ target_distribution }}-updates main
 {% else %}
 
 # Debian
-deb {{mirror_debian}}/debian {{ target_distribution }} main contrib non-free
+deb {{mirror_debian}}/debian {{ target_distribution }} {{ debian_sources_list_tail }}
 {% if target_distribution != 'sid' %}
-deb {{mirror_debian}}/debian {{ target_distribution }}-updates main contrib non-free
-{% if target_distribution == 'bullseye' or target_distribution == 'bookworm' or target_distribution == 'testing' %}
-deb {{mirror_debian_security}}/debian-security {{ target_distribution }}-security main contrib non-free
+deb {{mirror_debian}}/debian {{ target_distribution }}-updates {{ debian_sources_list_tail }}
+{% if target_distribution == 'bullseye' or target_distribution == 'bookworm' or target_distribution == 'trixie' or target_distribution == 'testing' %}
+deb {{mirror_debian_security}}/debian-security {{ target_distribution }}-security {{ debian_sources_list_tail }}
 {% else %}
-deb {{mirror_debian_security}}/debian-security {{ target_distribution }}/updates main contrib non-free
+deb {{mirror_debian_security}}/debian-security {{ target_distribution }}/updates {{ debian_sources_list_tail }}
 {% endif %}
-deb {{mirror_debian}}/debian {{ target_distribution }}-backports main contrib non-free
+deb {{mirror_debian}}/debian {{ target_distribution }}-backports {{ debian_sources_list_tail }}
 {% else %}
-deb {{mirror_debian}}/debian experimental main contrib non-free
+deb {{mirror_debian}}/debian experimental {{ debian_sources_list_tail }}
 {% endif %}
 
 {% endif %}