fix(apt): Update Debian repo handling for Debian 13

We're now using the built-in deb822_repository module to handle Debian package repositories. We no longer need individual yml files per repo and instead perform just one loop call of the deb822_repository module. We also update repo content to Proxmox VE 9 and Debian 13.
feat(apt): Add non-free-firmware component to all repos
2025-08-11 02:51:07 +02:00 · 2025-08-10 23:46:48 +02:00 · 2025-08-06 00:11:06 +02:00
8 changed files with 120 additions and 99 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -0,0 +1,90 @@
 # SPDX-License-Identifier: MIT
 debian_codename: 'trixie'
 deb822_repos:
    - name: 'proxmox'
      description: 'Proxmox VE No-Subscription Repository'
      enabled: true
      state: 'present'
      types:
        - 'deb'
      uris:
       - 'http://download.proxmox.com/debian/pve'
      suites:
        - '{{ debian_codename }}'
      components:
        - 'pve-no-subscription'
      signed_by: '/usr/share/keyrings/proxmox-archive-keyring.gpg'
    - name: 'ceph'
      description: 'Ceph no-subscription repository for Proxmox VE 9'
      enabled: false
      state: 'present'
      types:
        - 'deb'
      uris:
       - 'http://download.proxmox.com/debian/ceph-squid'
      suites:
        - '{{ debian_codename }}'
      components:
        - 'no-subscription'
      signed_by: '/usr/share/keyrings/proxmox-archive-keyring.gpg'
    - name: 'pve-enterprise'
      description: 'Proxmox VE Enterprise Repository'
      enabled: false
      state: 'present'
      types:
        - 'deb'
      uris:
       - 'https://enterprise.proxmox.com/debian/pve'
      suites:
        - '{{ debian_codename }}'
      components:
        - 'pve-enterprise'
      signed_by: '/usr/share/keyrings/proxmox-archive-keyring.gpg'
    - name: 'debian'
      description: 'Debian {{ debian_codename }} default repo'
      enabled: true
      state: 'present'
      types:
        - 'deb'
      uris:
       - 'http://ftp.de.debian.org/debian/'
      suites:
        - '{{ debian_codename }}'
      components:
        - 'main'
        - 'contrib'
        - 'non-free'
        - 'non-free-firmware'
      signed_by: '/usr/share/keyrings/debian-archive-keyring.gpg'
    - name: 'debian-updates'
      description: 'Debian {{ debian_codename }}-updates default repo'
      enabled: true
      state: 'present'
      types:
        - 'deb'
      uris:
       - 'http://ftp.de.debian.org/debian/'
      suites:
        - '{{ debian_codename }}-updates'
      components:
        - 'main'
        - 'contrib'
        - 'non-free'
        - 'non-free-firmware'
      signed_by: '/usr/share/keyrings/debian-archive-keyring.gpg'
    - name: 'debian-security'
      description: 'Debian {{ debian_codename }}-security default repo'
      enabled: true
      state: 'present'
      types:
        - 'deb'
      uris:
       - 'http://security.debian.org/'
      suites:
        - '{{ debian_codename }}-security'
      components:
        - 'main'
        - 'contrib'
        - 'non-free'
        - 'non-free-firmware'
      signed_by: '/usr/share/keyrings/debian-archive-keyring.gpg'
--- a/files/usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js.patch
+++ b/files/usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js.patch
@@ -1,14 +1,12 @@
 # SPDX-License-Identifier: MIT
--- proxmoxlib.js.orig	2024-11-19 12:40:04.000000000 +0100
+--- proxmoxlib.js.orig  2025-07-16 00:33:18.000000000 +0200
-+++ proxmoxlib.js		2024-12-25 08:54:10.283639449 +0100
+++ proxmoxlib.js       2025-08-06 00:01:50.479413166 +0200
-@@ -575,8 +575,8 @@
+@@ -614,7 +614,7 @@
- 		    let res = response.result;
+                         !res ||
- 		    if (res === null || res === undefined || !res || res
+                         res.data.status.toLowerCase() !== 'active'
- 			.data.status.toLowerCase() !== 'active') {
+                     ) {
-			Ext.Msg.show({
+-                        Ext.Msg.show({
-			    title: gettext('No valid subscription'),
+                    void({
-+			void({
+                             title: gettext('No valid subscription'),
-+				title: gettext('No valid subscription'),
+                             icon: Ext.Msg.WARNING,
- 			    icon: Ext.Msg.WARNING,
+                             message: Proxmox.Utils.getNoSubKeyHtml(res.data.url),
 			    message: Proxmox.Utils.getNoSubKeyHtml(res.data.url),
 			    buttons: Ext.Msg.OK,
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,8 +1,5 @@
 # SPDX-License-Identifier: MIT
- import_tasks: 'repo-enable-free.yml'
+- import_tasks: 'repos.yml'
 - import_tasks: 'repo-enable-non-free.yml'
 - import_tasks: 'repo-disable-pve-enterprise.yml'
 - import_tasks: 'repo-disable-ceph-enterprise.yml'
 - import_tasks: 'repo-remove-nag-screen.yml'
 - import_tasks: 'web-ui-get-git-repo-for-reloads.yml'
 - import_tasks: 'web-ui-port-443.yml'
--- a/tasks/repo-disable-ceph-enterprise.yml
+++ b/tasks/repo-disable-ceph-enterprise.yml
@@ -1,23 +0,0 @@
 # SPDX-License-Identifier: MIT
 - name: 'Check if Ceph enterprise repo is present'
  register: 'pve_apt_repo_files_with_ceph_enterprise_repo'
  changed_when: false
  ansible.builtin.shell: |
    pvesh get /nodes/{{ inventory_hostname_short }}/apt/repositories --output-format=json | jq '.files[] | select(.repositories[].Components | index("enterprise")) | .path'
 - name: 'If Ceph enterprise repo is present check if Ceph enterprise repo is enabled'
  when: 'pve_apt_repo_files_with_ceph_enterprise_repo.stdout_lines | length > 0'
  register: 'pve_apt_repo_files_ceph_enterprise_repo_enabled_state'
  changed_when: false
  ansible.builtin.shell: |
    pvesh get /nodes/{{ inventory_hostname_short }}/apt/repositories --output-format=json | jq '.files[] | select(.repositories[].Components | index("enterprise")) | .repositories[] | select(.Components | index("enterprise")) | .Enabled'
 - name: 'If Ceph enterprise repo is enabled disable Ceph enterprise repo'
  when: 'pve_apt_repo_files_ceph_enterprise_repo_enabled_state.stdout == "1"'
  loop_control:
    loop_var: 'apt_repo_file'
    label: 'Disable Ceph enterprise repo in {{ apt_repo_file | regex_replace(''"'', "''") }}'
  loop: '{{ pve_apt_repo_files_with_ceph_enterprise_repo.stdout_lines }}'
  ansible.builtin.shell: |
    index_in_file="$(pvesh get /nodes/{{ inventory_hostname_short }}/apt/repositories --output-format=json | jq '.files[] | select(.path=={{ apt_repo_file }}) | .repositories | map(.Components | index("enterprise")) | index(0)')"
    pvesh create /nodes/{{ inventory_hostname_short }}/apt/repositories -index "${index_in_file}" -path {{ apt_repo_file }} -enabled 'false'
--- a/tasks/repo-disable-pve-enterprise.yml
+++ b/tasks/repo-disable-pve-enterprise.yml
@@ -1,23 +0,0 @@
 # SPDX-License-Identifier: MIT
 - name: 'Check if pve-enterprise repo is present'
  register: 'pve_apt_repo_files_with_pve_enterprise_repo'
  changed_when: false
  ansible.builtin.shell: |
    pvesh get /nodes/{{ inventory_hostname_short }}/apt/repositories --output-format=json | jq '.files[] | select(.repositories[].Components | index("pve-enterprise")) | .path'
 - name: 'If pve-enterprise repo is present check if pve-enterprise repo is enabled'
  when: 'pve_apt_repo_files_with_pve_enterprise_repo.stdout_lines | length > 0'
  register: 'pve_apt_repo_files_pve_enterprise_repo_enabled_state'
  changed_when: false
  ansible.builtin.shell: |
    pvesh get /nodes/{{ inventory_hostname_short }}/apt/repositories --output-format=json | jq '.files[] | select(.repositories[].Components | index("pve-enterprise")) | .repositories[] | select(.Components | index("pve-enterprise")) | .Enabled'
 - name: 'If pve-enterprise repo is enabled disable pve-enterprise repo'
  when: 'pve_apt_repo_files_pve_enterprise_repo_enabled_state.stdout == "1"'
  loop_control:
    loop_var: 'apt_repo_file'
    label: 'Disable pve-enterprise repo in {{ apt_repo_file | regex_replace(''"'', "''") }}'
  loop: '{{ pve_apt_repo_files_with_pve_enterprise_repo.stdout_lines }}'
  ansible.builtin.shell: |
    index_in_file="$(pvesh get /nodes/{{ inventory_hostname_short }}/apt/repositories --output-format=json | jq '.files[] | select(.path=={{ apt_repo_file }}) | .repositories | map(.Components | index("pve-enterprise")) | index(0)')"
    pvesh create /nodes/{{ inventory_hostname_short }}/apt/repositories -index "${index_in_file}" -path {{ apt_repo_file }} -enabled 'false'
--- a/tasks/repo-enable-free.yml
+++ b/tasks/repo-enable-free.yml
@@ -1,28 +0,0 @@
 # SPDX-License-Identifier: MIT
 - name: 'Check if pve-no-subscription repo is present'
  register: 'pve_apt_repo_files_with_pve_free_repo'
  changed_when: false
  ansible.builtin.shell: |
    pvesh get /nodes/{{ inventory_hostname_short }}/apt/repositories --output-format=json | jq '.files[] | select(.repositories[].Components | index("pve-no-subscription")) | .path'
 - name: 'If pve-no-subscription repo is present check if pve-no-subscription repo is enabled'
  when: 'pve_apt_repo_files_with_pve_free_repo.stdout_lines | length > 0'
  register: 'pve_apt_repo_files_free_repo_enabled_state'
  changed_when: false
  ansible.builtin.shell: |
    pvesh get /nodes/{{ inventory_hostname_short }}/apt/repositories --output-format=json | jq '.files[] | select(.repositories[].Components | index("pve-no-subscription")) | .repositories[] | select(.Components | index("pve-no-subscription")) | .Enabled'
 - name: 'If pve-no-subscription repo is disabled enable pve-no-subscription repo'
  when: 'pve_apt_repo_files_free_repo_enabled_state.stdout == "0"'
  loop_control:
    loop_var: 'apt_repo_file'
    label: 'Enable pve-no-subscription repo in {{ apt_repo_file | regex_replace(''"'', "''") }}'
  loop: '{{ pve_apt_repo_files_with_pve_free_repo.stdout_lines }}'
  ansible.builtin.shell: |
    index_in_file="$(pvesh get /nodes/{{ inventory_hostname_short }}/apt/repositories --output-format=json | jq '.files[] | select(.path=={{ apt_repo_file }}) | .repositories | map(.Components | index("pve-no-subscription")) | index(0)')"
    pvesh create /nodes/{{ inventory_hostname_short }}/apt/repositories -index "${index_in_file}" -path {{ apt_repo_file }} -enabled 'true'
 - name: 'If pve-no-subscription repo is not present add pve-no-subscription repo'
  when: 'pve_apt_repo_files_with_pve_free_repo.stdout_lines | length == 0'
  ansible.builtin.shell: |
    pvesh set /nodes/{{ inventory_hostname_short }}/apt/repositories -handle 'no-subscription'
--- a/tasks/repo-enable-non-free.yml
+++ b/tasks/repo-enable-non-free.yml
@@ -1,8 +0,0 @@
 # SPDX-License-Identifier: MIT
 - name: 'In ''/etc/apt/sources.list'' enable non-free component in all Debian-native repos'
  ansible.builtin.replace:
    path: '/etc/apt/sources.list'
    regexp: '^(.*?)( main contrib(?! non-free))'
    replace: '\g<1>\g<2> non-free'
  notify:
    - 'apt-get update'
--- a/tasks/repos.yml
+++ b/tasks/repos.yml
@@ -0,0 +1,18 @@
 # SPDX-License-Identifier: MIT
 - name: 'Set correct repositories'
  loop_control:
    loop_var: 'repo'
    index_var: 'i'
    label: 'Make sure the ''{{ repo.name }}.source'' repo file is {% if repo.state == ''absent'' %}absent{% else %}present ({% if repo.enabled %}and enabled{% else %}but disabled{% endif %}){% endif %}, this has the {{ repo.description }}'
  loop: '{{ deb822_repos }}'
  ansible.builtin.deb822_repository:
    name: '{{ repo.name }}'
    enabled: '{{ repo.enabled }}'
    state: '{{ repo.state | default(''present'') }}'
    types: '{{ repo.types }}'
    uris: '{{ repo.uris }}'
    suites: '{{ repo.suites }}'
    components: '{{ repo.components }}'
    signed_by: '{{ repo.signed_by }}'
  notify:
    - 'apt-get update'