From ac99a254c3fcc6f741dd6d9526ac1a141c563fbe Mon Sep 17 00:00:00 2001
From: hygienic-books
Date: Mon, 11 Aug 2025 02:51:07 +0200
Subject: [PATCH] fix(apt): Update Debian repo handling for Debian 13

We're now using the built-in deb822_repository module to handle Debian package repositories. We no longer need individual yml files per repo and instead perform just one loop call of the deb822_repository module. We also update repo content to Proxmox VE 9 and Debian 13.
---
 defaults/main.yml | 90 ++++++++++++++++++++++++++
 tasks/main.yml | 5 +-
 tasks/repo-disable-ceph-enterprise.yml | 23 -------
 tasks/repo-disable-pve-enterprise.yml | 23 -------
 tasks/repo-enable-free.yml | 28 --------
 tasks/repo-enable-non-free.yml | 8 ---
 tasks/repos.yml | 18 ++++++
 7 files changed, 109 insertions(+), 86 deletions(-)
 create mode 100644 defaults/main.yml
 delete mode 100644 tasks/repo-disable-ceph-enterprise.yml
 delete mode 100644 tasks/repo-disable-pve-enterprise.yml
 delete mode 100644 tasks/repo-enable-free.yml
 delete mode 100644 tasks/repo-enable-non-free.yml
 create mode 100644 tasks/repos.yml
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..d8d8d51
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,90 @@
+# SPDX-License-Identifier: MIT
+debian_codename: 'trixie'
+deb822_repos:
+ - name: 'proxmox'
+ description: 'Proxmox VE No-Subscription Repository'
+ enabled: true
+ state: 'present'
+ types:
+ - 'deb'
+ uris:
+ - 'http://download.proxmox.com/debian/pve'
+ suites:
+ - '{{ debian_codename }}'
+ components:
+ - 'pve-no-subscription'
+ signed_by: '/usr/share/keyrings/proxmox-archive-keyring.gpg'
+ - name: 'ceph'
+ description: 'Ceph no-subscription repository for Proxmox VE 9'
+ enabled: false
+ state: 'present'
+ types:
+ - 'deb'
+ uris:
+ - 'http://download.proxmox.com/debian/ceph-squid'
+ suites:
+ - '{{ debian_codename }}'
+ components:
+ - 'no-subscription'
+ signed_by: '/usr/share/keyrings/proxmox-archive-keyring.gpg'
+ - name: 'pve-enterprise'
+ description: 'Proxmox VE Enterprise Repository'
+ enabled: false
+ state: 'present'
+ types:
+ - 'deb'
+ uris:
+ - 'https://enterprise.proxmox.com/debian/pve'
+ suites:
+ - '{{ debian_codename }}'
+ components:
+ - 'pve-enterprise'
+ signed_by: '/usr/share/keyrings/proxmox-archive-keyring.gpg'
+ - name: 'debian'
+ description: 'Debian {{ debian_codename }} default repo'
+ enabled: true
+ state: 'present'
+ types:
+ - 'deb'
+ uris:
+ - 'http://ftp.de.debian.org/debian/'
+ suites:
+ - '{{ debian_codename }}'
+ components:
+ - 'main'
+ - 'contrib'
+ - 'non-free'
+ - 'non-free-firmware'
+ signed_by: '/usr/share/keyrings/debian-archive-keyring.gpg'
+ - name: 'debian-updates'
+ description: 'Debian {{ debian_codename }}-updates default repo'
+ enabled: true
+ state: 'present'
+ types:
+ - 'deb'
+ uris:
+ - 'http://ftp.de.debian.org/debian/'
+ suites:
+ - '{{ debian_codename }}-updates'
+ components:
+ - 'main'
+ - 'contrib'
+ - 'non-free'
+ - 'non-free-firmware'
+ signed_by: '/usr/share/keyrings/debian-archive-keyring.gpg'
+ - name: 'debian-security'
+ description: 'Debian {{ debian_codename }}-security default repo'
+ enabled: true
+ state: 'present'
+ types:
+ - 'deb'
+ uris:
+ - 'http://security.debian.org/'
+ suites:
+ - '{{ debian_codename }}-security'
+ components:
+ - 'main'
+ - 'contrib'
+ - 'non-free'
+ - 'non-free-firmware'
+ signed_by: '/usr/share/keyrings/debian-archive-keyring.gpg'
diff --git a/tasks/main.yml b/tasks/main.yml
index c5d569b..bfe28b3 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,8 +1,5 @@
 # SPDX-License-Identifier: MIT
-- import_tasks: 'repo-enable-free.yml'
-- import_tasks: 'repo-enable-non-free.yml'
-- import_tasks: 'repo-disable-pve-enterprise.yml'
-- import_tasks: 'repo-disable-ceph-enterprise.yml'
+- import_tasks: 'repos.yml'
 - import_tasks: 'repo-remove-nag-screen.yml'
 - import_tasks: 'web-ui-get-git-repo-for-reloads.yml'
 - import_tasks: 'web-ui-port-443.yml'
diff --git a/tasks/repo-disable-ceph-enterprise.yml b/tasks/repo-disable-ceph-enterprise.yml
deleted file mode 100644
index f5a1a5d..0000000
--- a/tasks/repo-disable-ceph-enterprise.yml
+++ /dev/null
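Review bot: In defaults/main.yml five of the six `uris` defaults use plain `http://` (download.proxmox.com for pve and ceph-squid, ftp.de.debian.org twice, security.debian.org); only the disabled pve-enterprise entry uses HTTPS. Package integrity still rests on the `signed_by` keyrings, but cleartext transport lets anyone on the network path see which packages and versions the hypervisor fetches and hold the host on older signed metadata for as long as that metadata remains valid. If these mirrors serve TLS, which should be confirmed per host, I would switch the defaults, e.g. `- 'https://download.proxmox.com/debian/pve'`. A comment above `deb822_repos` should also state that the keyring files named in `signed_by` must already exist on the target, since nothing visible in this commit installs them.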
@@ -1,23 +0,0 @@
-# SPDX-License-Identifier: MIT
-- name: 'Check if Ceph enterprise repo is present'
- register: 'pve_apt_repo_files_with_ceph_enterprise_repo'
- changed_when: false
- ansible.builtin.shell: |
- pvesh get /nodes/{{ inventory_hostname_short }}/apt/repositories --output-format=json | jq '.files[] | select(.repositories[].Components | index("enterprise")) | .path'
-
-- name: 'If Ceph enterprise repo is present check if Ceph enterprise repo is enabled'
- when: 'pve_apt_repo_files_with_ceph_enterprise_repo.stdout_lines | length > 0'
- register: 'pve_apt_repo_files_ceph_enterprise_repo_enabled_state'
- changed_when: false
- ansible.builtin.shell: |
- pvesh get /nodes/{{ inventory_hostname_short }}/apt/repositories --output-format=json | jq '.files[] | select(.repositories[].Components | index("enterprise")) | .repositories[] | select(.Components | index("enterprise")) | .Enabled'
-
-- name: 'If Ceph enterprise repo is enabled disable Ceph enterprise repo'
- when: 'pve_apt_repo_files_ceph_enterprise_repo_enabled_state.stdout == "1"'
- loop_control:
- loop_var: 'apt_repo_file'
- label: 'Disable Ceph enterprise repo in {{ apt_repo_file | regex_replace(''"'', "''") }}'
- loop: '{{ pve_apt_repo_files_with_ceph_enterprise_repo.stdout_lines }}'
- ansible.builtin.shell: |
- index_in_file="$(pvesh get /nodes/{{ inventory_hostname_short }}/apt/repositories --output-format=json | jq '.files[] | select(.path=={{ apt_repo_file }}) | .repositories | map(.Components | index("enterprise")) | index(0)')"
- pvesh create /nodes/{{ inventory_hostname_short }}/apt/repositories -index "${index_in_file}" -path {{ apt_repo_file }} -enabled 'false'
diff --git a/tasks/repo-disable-pve-enterprise.yml b/tasks/repo-disable-pve-enterprise.yml
deleted file mode 100644
index ac9645a..0000000
--- a/tasks/repo-disable-pve-enterprise.yml
+++ /dev/null
@@ -1,23 +0,0 @@
-# SPDX-License-Identifier: MIT
-- name: 'Check if pve-enterprise repo is present'
- register: 'pve_apt_repo_files_with_pve_enterprise_repo'
- changed_when: false
- ansible.builtin.shell: |
- pvesh get /nodes/{{ inventory_hostname_short }}/apt/repositories --output-format=json | jq '.files[] | select(.repositories[].Components | index("pve-enterprise")) | .path'
-
-- name: 'If pve-enterprise repo is present check if pve-enterprise repo is enabled'
- when: 'pve_apt_repo_files_with_pve_enterprise_repo.stdout_lines | length > 0'
- register: 'pve_apt_repo_files_pve_enterprise_repo_enabled_state'
- changed_when: false
- ansible.builtin.shell: |
- pvesh get /nodes/{{ inventory_hostname_short }}/apt/repositories --output-format=json | jq '.files[] | select(.repositories[].Components | index("pve-enterprise")) | .repositories[] | select(.Components | index("pve-enterprise")) | .Enabled'
-
-- name: 'If pve-enterprise repo is enabled disable pve-enterprise repo'
- when: 'pve_apt_repo_files_pve_enterprise_repo_enabled_state.stdout == "1"'
- loop_control:
- loop_var: 'apt_repo_file'
- label: 'Disable pve-enterprise repo in {{ apt_repo_file | regex_replace(''"'', "''") }}'
- loop: '{{ pve_apt_repo_files_with_pve_enterprise_repo.stdout_lines }}'
- ansible.builtin.shell: |
- index_in_file="$(pvesh get /nodes/{{ inventory_hostname_short }}/apt/repositories --output-format=json | jq '.files[] | select(.path=={{ apt_repo_file }}) | .repositories | map(.Components | index("pve-enterprise")) | index(0)')"
- pvesh create /nodes/{{ inventory_hostname_short }}/apt/repositories -index "${index_in_file}" -path {{ apt_repo_file }} -enabled 'false'
diff --git a/tasks/repo-enable-free.yml b/tasks/repo-enable-free.yml
deleted file mode 100644
index d2b63e4..0000000
--- a/tasks/repo-enable-free.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-# SPDX-License-Identifier: MIT
-- name: 'Check if pve-no-subscription repo is present'
- register: 'pve_apt_repo_files_with_pve_free_repo'
- changed_when: false
- ansible.builtin.shell: |
- pvesh get /nodes/{{ inventory_hostname_short }}/apt/repositories --output-format=json | jq '.files[] | select(.repositories[].Components | index("pve-no-subscription")) | .path'
-
-- name: 'If pve-no-subscription repo is present check if pve-no-subscription repo is enabled'
- when: 'pve_apt_repo_files_with_pve_free_repo.stdout_lines | length > 0'
- register: 'pve_apt_repo_files_free_repo_enabled_state'
- changed_when: false
- ansible.builtin.shell: |
- pvesh get /nodes/{{ inventory_hostname_short }}/apt/repositories --output-format=json | jq '.files[] | select(.repositories[].Components | index("pve-no-subscription")) | .repositories[] | select(.Components | index("pve-no-subscription")) | .Enabled'
-
-- name: 'If pve-no-subscription repo is disabled enable pve-no-subscription repo'
- when: 'pve_apt_repo_files_free_repo_enabled_state.stdout == "0"'
- loop_control:
- loop_var: 'apt_repo_file'
- label: 'Enable pve-no-subscription repo in {{ apt_repo_file | regex_replace(''"'', "''") }}'
- loop: '{{ pve_apt_repo_files_with_pve_free_repo.stdout_lines }}'
- ansible.builtin.shell: |
- index_in_file="$(pvesh get /nodes/{{ inventory_hostname_short }}/apt/repositories --output-format=json | jq '.files[] | select(.path=={{ apt_repo_file }}) | .repositories | map(.Components | index("pve-no-subscription")) | index(0)')"
- pvesh create /nodes/{{ inventory_hostname_short }}/apt/repositories -index "${index_in_file}" -path {{ apt_repo_file }} -enabled 'true'
-
-- name: 'If pve-no-subscription repo is not present add pve-no-subscription repo'
- when: 'pve_apt_repo_files_with_pve_free_repo.stdout_lines | length == 0'
- ansible.builtin.shell: |
- pvesh set /nodes/{{ inventory_hostname_short }}/apt/repositories -handle 'no-subscription'
diff --git a/tasks/repo-enable-non-free.yml b/tasks/repo-enable-non-free.yml
deleted file mode 100644
index 6d21ce2..0000000
--- a/tasks/repo-enable-non-free.yml
+++ /dev/null
@@ -1,8 +0,0 @@
-# SPDX-License-Identifier: MIT
-- name: 'In ''/etc/apt/sources.list'' enable non-free and non-free-firmware components in all Debian-native repos'
- ansible.builtin.replace:
- path: '/etc/apt/sources.list'
- regexp: '^(.*?)( main contrib(?! non-free non-free-firmware))'
- replace: '\g<1>\g<2> non-free non-free-firmware'
- notify:
- - 'apt-get update'
diff --git a/tasks/repos.yml b/tasks/repos.yml
new file mode 100644
index 0000000..65c3bbd
--- /dev/null
+++ b/tasks/repos.yml
@@ -0,0 +1,18 @@
+# SPDX-License-Identifier: MIT
+- name: 'Set correct repositories'
+ loop_control:
+ loop_var: 'repo'
+ index_var: 'i'
+ label: 'Make sure the ''{{ repo.name }}.source'' repo file is {% if repo.state == ''absent'' %}absent{% else %}present ({% if repo.enabled %}and enabled{% else %}but disabled{% endif %}){% endif %}, this has the {{ repo.description }}'
+ loop: '{{ deb822_repos }}'
+ ansible.builtin.deb822_repository:
+ name: '{{ repo.name }}'
+ enabled: '{{ repo.enabled }}'
+ state: '{{ repo.state | default(''present'') }}'
+ types: '{{ repo.types }}'
+ uris: '{{ repo.uris }}'
+ suites: '{{ repo.suites }}'
+ components: '{{ repo.components }}'
+ signed_by: '{{ repo.signed_by }}'
+ notify:
+ - 'apt-get update'
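Review bot: The `label` in tasks/repos.yml reads `repo.state` with no fallback, while the module argument uses `repo.state | default('present')`; an overriding entry that omits `state` would, as far as I can tell, fail while rendering the label even though the module call would have accepted it. Use the same default in the label, `{% if repo.state | default(''present'') == ''absent'' %}`, so the two agree. The label also names the file `{{ repo.name }}.source`, whereas deb822_repository writes `<name>.sources`, and `index_var: 'i'` is never used. Because `deb822_repos` is an overridable default, a short comment above the task saying that every entry must carry `signed_by`, so that no repository is added without a pinned keyring, would help whoever edits the list.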