From 3aaa4a306c117307136ddd7dff3c1d1a6160a3f3 Mon Sep 17 00:00:00 2001
From: Someone
Date: Thu, 8 Jan 2026 21:27:49 +0100
Subject: [PATCH] [roles/base/apt] configure package manager + update pkg-cache + upgrade packages
---
 roles/base/apt/defaults/main.yml | 62 ++++++
 roles/base/apt/files/default/apt-pinning.pref | 68 ++++++
 roles/base/apt/files/default/apt-sources.list | 9 +
 .../apt/files/default/apt.conf.d/01autoremove | 40 ++++
 .../apt/files/default/apt.conf.d/90somecustom | 22 ++
 .../default/apt.sources-list.d/debian.sources | 28 +++
 .../default/apt.sources-list.d/raspi.sources | 14 ++
 .../apt/files/default/dpkg.cfg.d-90somecustom | 13 ++
 roles/base/apt/files/default/ucf.conf | 50 +++++
 .../apt/tasks/copy_sources_list_d_entries.yml | 19 ++
 roles/base/apt/tasks/main.yml | 206 ++++++++++++++++++
 roles/base/apt/templates/policy-rc.d.j2 | 34 +++
 12 files changed, 565 insertions(+)
 create mode 100644 roles/base/apt/defaults/main.yml
 create mode 100644 roles/base/apt/files/default/apt-pinning.pref
 create mode 100644 roles/base/apt/files/default/apt-sources.list
 create mode 100644 roles/base/apt/files/default/apt.conf.d/01autoremove
 create mode 100644 roles/base/apt/files/default/apt.conf.d/90somecustom
 create mode 100644 roles/base/apt/files/default/apt.sources-list.d/debian.sources
 create mode 100644 roles/base/apt/files/default/apt.sources-list.d/raspi.sources
 create mode 100644 roles/base/apt/files/default/dpkg.cfg.d-90somecustom
 create mode 100644 roles/base/apt/files/default/ucf.conf
 create mode 100644 roles/base/apt/tasks/copy_sources_list_d_entries.yml
 create mode 100644 roles/base/apt/tasks/main.yml
 create mode 100644 roles/base/apt/templates/policy-rc.d.j2
diff --git a/roles/base/apt/defaults/main.yml b/roles/base/apt/defaults/main.yml
new file mode 100644
index 0000000..e7783a6
--- /dev/null
+++ b/roles/base/apt/defaults/main.yml
@@ -0,0 +1,62 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2026 by someone
+#
+# If not overridden in inventory or as a parameter, this is the value that will be used
+#
+---
+is_bare_metal: True
+
+apt_cache_valid_time: 3600
+apt_helper_packages:
+ - "fasttrack-archive-keyring"
+
+apt_sources_list_d_entries:
+ - "debian"
+
+# purge old packages and cleanup downloaded package cache.
+apt_cleanup: True
+
+apt_additional_pkg:
+ - "apparmor"
+ - "apparmor-utils"
+ - "aptitude"
+ - "bc"
+ - "btrfs-compsize"
+ - "btrfs-progs"
+ - "conntrack"
+ - "console-setup"
+ - "dbus"
+ - "dnsutils"
+ - "dstat"
+ - "fdisk"
+ - "gdisk"
+ - "git"
+ - "htop"
+ - "locales"
+ - "lshw"
+ - "lsof"
+ - "man"
+ - "plocate"
+ - "python3-pip"
+ - "rsync"
+ - "rsyslog"
+ - "sqlite3"
+ - "tmux"
+ - "vim"
+ - "zsh"
+ - "zstd"
+ - "pciutils"
+
+apt_additional_pkg_bare_metal:
+ - "efibootmgr"
+ - "fwupd"
+ - "fwupd-amd64-signed"
+ - "lm-sensors"
+ - "mdadm"
+ - "smartmontools"
+ - "usbutils"
+
+apt_additional_pkg_extra: []
diff --git a/roles/base/apt/files/default/apt-pinning.pref b/roles/base/apt/files/default/apt-pinning.pref
new file mode 100644
index 0000000..7e3f6a4
--- /dev/null
+++ b/roles/base/apt/files/default/apt-pinning.pref
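Review bot: `ignore_online_errors` and `group_files_group`, which this commit's `tasks/main.yml` reads on every online task and in every `with_first_found` path, are not given defaults here, so the role stops with an undefined-variable error unless inventory or another role supplies them; if that is intended, a comment naming the source, or explicit defaults such as `ignore_online_errors: False`, belongs in this file. The `apt_additional_pkg_extra: []` hook is also undocumented; a line such as `# per-host/group additions — extend this list instead of overriding apt_additional_pkg` would make the override contract clear. The `is_bare_metal: True` default is the opposite of the safe guess for an unknown host (it pulls in `fwupd`, `mdadm`, `efibootmgr`), which is worth a comment stating that VMs and containers are expected to set it to False in inventory.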
@@ -0,0 +1,68 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2026 by someone
+#
+
+# security
+Package: *
+Pin: release l=Debian-Security
+Pin-Priority: 995
+
+# raspi
+Package: *
+Pin: release l=Raspberry Pi Foundation
+Pin-Priority: 996
+
+# backports to stable
+Package: *
+Pin: release n=trixie-backports
+Pin-Priority: 995
+
+# fasttrack-backports to stable
+Package: *
+Pin: release n=trixie-backports-staging
+Pin-Priority: 995
+
+# fasttrack-backports to stable
+Package: *
+Pin: release n=trixie-fasttrack
+Pin-Priority: 995
+
+# stable
+Package: *
+Pin: release n=trixie
+Pin-Priority: 995
+
+# stable-updates
+Package: *
+Pin: release n=trixie-updates
+Pin-Priority: 995
+
+
+## 0 < P < 100: causes a version to be installed only if there is no installed version of the package
+# => Allow stable to catch up to these manually installed packages.
+
+
+# testing
+Package: *
+Pin: release n=forky
+Pin-Priority: 60
+
+# unstable
+Package: *
+Pin: release a=unstable
+Pin-Priority: 50
+
+# experimental
+Package: *
+Pin: release a=experimental
+Pin-Priority: 40
+
+
+## safeguard against misconfigured/unknown other packages
+Package: *
+Pin: release o=Debian
+Pin-Priority: 10
diff --git a/roles/base/apt/files/default/apt-sources.list b/roles/base/apt/files/default/apt-sources.list
new file mode 100644
index 0000000..e6c34ba
--- /dev/null
+++ b/roles/base/apt/files/default/apt-sources.list
@@ -0,0 +1,9 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2026 by someone
+#
+
+# We moved to the new DEB822 Source Format.
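Review bot: The stanza for `n=trixie-backports-staging` carries the same comment as the following `n=trixie-fasttrack` stanza (`# fasttrack-backports to stable`), so one of them is mislabelled; `# fasttrack backports-staging to stable` on the first would tell them apart. `l=Raspberry Pi Foundation` at 996 outranks `l=Debian-Security` at 995, so for any package name present in both archives the Pi build wins even over a security upload — presumably intended for kernel, firmware and bootloader packages, but a comment stating that assumption (and that the stanza is inert on hosts without a raspi source) would make the ordering reviewable. `n=trixie-backports` is pinned at 995, yet no stanza in this commit's `debian.sources` lists that suite, so it is either dead or reserved for a per-host override and deserves a note either way.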
diff --git a/roles/base/apt/files/default/apt.conf.d/01autoremove b/roles/base/apt/files/default/apt.conf.d/01autoremove
new file mode 100644
index 0000000..83fc060
--- /dev/null
+++ b/roles/base/apt/files/default/apt.conf.d/01autoremove
@@ -0,0 +1,40 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2026 by someone
+#
+
+APT
+{
+ NeverAutoRemove
+ {
+ "^firmware-linux.*";
+ "^linux-firmware$";
+ "^linux-image-[a-z0-9]*$";
+ "^linux-image-[a-z0-9]*-[a-z0-9]*$";
+ };
+
+ VersionedKernelPackages
+ {
+ # kernels
+ "linux-.*";
+ "kfreebsd-.*";
+ "gnumach-.*";
+ # (out-of-tree) modules
+ ".*-modules";
+ ".*-kernel";
+ };
+
+ Never-MarkAuto-Sections
+ {
+# "metapackages";
+# "tasks";
+ };
+
+ Move-Autobit-Sections
+ {
+# "oldlibs";
+ };
+};
diff --git a/roles/base/apt/files/default/apt.conf.d/90somecustom b/roles/base/apt/files/default/apt.conf.d/90somecustom
new file mode 100644
index 0000000..bddce7b
--- /dev/null
+++ b/roles/base/apt/files/default/apt.conf.d/90somecustom
@@ -0,0 +1,22 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2026 by someone
+#
+
+APT::Install-Recommends "false";
+APT::Install-Suggests "false";
+APT::Get::Install-Recommends "false";
+APT::Get::Install-Suggests "false";
+
+# The timers are disabled too by somesible.
+APT::Periodic::Enable "0";
+
+# Allow transparent codename changes.
+# Somebody got really pissed off by that feature, see: http://pigeonsnest.co.uk/stuff/apt-get-codename-shite.html
+Acquire::AllowReleaseInfoChange::Codename "true";
+
+# this exists, but you should probably never use this.
+# Acquire::https::Verify-Peer "false";
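Review bot: `Acquire::AllowReleaseInfoChange::Codename "true"` in `90somecustom` switches off the check that makes apt stop when a source's Codename changes, which is what prevents a suite from silently becoming a different release; the `debian.sources` and `raspi.sources` shipped in this commit select suites by codename (`trixie`, `forky`, …), where the Codename never changes, so the setting only takes effect for per-host overrides that use `stable`/`oldstable`, and the comment should say which sources it is meant for rather than only link the rant. The commented-out `# Acquire::https::Verify-Peer "false";` line is better removed than shipped: a disabled-TLS-verification knob one uncomment away in a managed config is exactly what the comment above it warns against. In `01autoremove` (same hunk line) the only visible deviations from apt's stock file appear to be the commented-out `Never-MarkAuto-Sections` and `Move-Autobit-Sections` entries; combined with the `autoremove`+`purge` task in `tasks/main.yml` that changes which packages get removed, so a one-line comment on why they are disabled would help the next reader.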
diff --git a/roles/base/apt/files/default/apt.sources-list.d/debian.sources b/roles/base/apt/files/default/apt.sources-list.d/debian.sources
new file mode 100644
index 0000000..a07b696
--- /dev/null
+++ b/roles/base/apt/files/default/apt.sources-list.d/debian.sources
@@ -0,0 +1,28 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2026 by someone
+#
+
+Enabled: yes
+Types: deb
+URIs: http://deb.debian.org/debian-security/
+Suites: trixie-security
+Components: main contrib non-free non-free-firmware
+Signed-By: /usr/share/keyrings/debian-archive-keyring.pgp
+
+Enabled: yes
+Types: deb
+URIs: http://deb.debian.org/debian/
+Suites: trixie trixie-updates forky unstable experimental
+Components: main contrib non-free non-free-firmware
+Signed-By: /usr/share/keyrings/debian-archive-keyring.pgp
+
+Enabled: yes
+Types: deb
+URIs: http://fasttrack.debian.net/debian-fasttrack/
+Suites: trixie-fasttrack trixie-backports-staging
+Components: main contrib non-free
+Signed-By: /usr/share/keyrings/fasttrack-archive-keyring.gpg
diff --git a/roles/base/apt/files/default/apt.sources-list.d/raspi.sources b/roles/base/apt/files/default/apt.sources-list.d/raspi.sources
new file mode 100644
index 0000000..0351486
--- /dev/null
+++ b/roles/base/apt/files/default/apt.sources-list.d/raspi.sources
@@ -0,0 +1,14 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2026 by someone
+#
+
+Enabled: yes
+Types: deb
+URIs: http://archive.raspberrypi.com/debian/
+Suites: trixie
+Components: main
+Signed-By: /usr/share/keyrings/raspberrypi-archive-keyring.pgp
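Review bot: All three stanzas fetch over plain `http://`; apt's signature check still guarantees integrity, but `https://` keeps the host's package selection and version metadata away from passive observers on the path, deb.debian.org serves it, and fasttrack.debian.net should be checked for the same — unless a caching proxy is the reason, the URIs should be `https://deb.debian.org/debian-security/`, `https://deb.debian.org/debian/` and the https form of the fasttrack mirror. The fasttrack stanza's `Signed-By: /usr/share/keyrings/fasttrack-archive-keyring.gpg` only exists once `fasttrack-archive-keyring` from `apt_helper_packages` is installed, so on a fresh host the first `apt update` reports this stanza as failing until the role's second cache refresh; a comment such as `# keyring ships in fasttrack-archive-keyring, installed by this role after the first cache update` would stop that first-run error from being chased as a signing problem. `raspi.sources` (same hunk line) depends on `raspberrypi-archive-keyring.pgp` the same way and nothing in this commit installs it, so that file presumably assumes a Raspberry Pi OS image — worth stating in its header.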
diff --git a/roles/base/apt/files/default/dpkg.cfg.d-90somecustom b/roles/base/apt/files/default/dpkg.cfg.d-90somecustom
new file mode 100644
index 0000000..a20fec2
--- /dev/null
+++ b/roles/base/apt/files/default/dpkg.cfg.d-90somecustom
@@ -0,0 +1,13 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2026 by someone
+#
+
+# Use new configs. always. otherwise things like distupgrade can break.
+#force-confdef
+#force-confold
+force-confnew
+force-confmiss
diff --git a/roles/base/apt/files/default/ucf.conf b/roles/base/apt/files/default/ucf.conf
new file mode 100644
index 0000000..da01e80
--- /dev/null
+++ b/roles/base/apt/files/default/ucf.conf
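Review bot: `force-confnew` plus `force-confmiss` in a global dpkg.cfg.d fragment means every upgrade silently replaces locally edited conffiles with the maintainer version and re-creates ones an admin deliberately deleted — including hand-applied hardening under `/etc` that this provisioner does not manage; the comment gives the motivation (`distupgrade can break`) but not this consequence, so extend it with something like `# Global force-confnew/force-confmiss: local edits to any conffile not managed by ansible are discarded on the next upgrade, and deleted conffiles come back.` The same policy is set again by `conf_force_conffnew=YES` / `conf_force_conffmiss=YES` in `files/default/ucf.conf` and a third time by `dpkg_options: 'force-confnew,force-confmiss'` on the upgrade task in `tasks/main.yml`; one place should be named as authoritative so the three do not drift.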
@@ -0,0 +1,50 @@
+#
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2026 by someone
+#
+
+#
+# This file is a POSIX shell snippet, and is sourced by the
+# ucf script for configuration.
+#
+
+# Debugging information: The default value is 0 (no debugging
+# information is printed). To change the default behavior, uncomment
+# the following line and set the value to 1.
+#
+# DEBUG=0
+
+# Verbosity: The default value is 0 (quiet). To change the default
+# behavior, uncomment the following line and set the value to 1.
+#
+# VERBOSE=0
+
+
+# The src directory. This is the directory where the historical
+# md5sums for a file are looked for. Specifically, the historical
+# md5sums are looked for in the subdirectory $(unknown).md5sum.d/
+#
+# conf_source_dir=/some/path/
+
+# Force the installed file to be retained. The default is have this
+# variable unset, which makes the script ask in case of doubt. To
+# change the default behavior, uncomment the following line and set
+# the value to YES
+#
+# conf_force_conffold=YES
+
+# Force the installed file to be overridden. The default is have this
+# variable unset, which makes the script ask in case of doubt. To
+# change the default behavior, uncomment the following line and set
+# the value to YES
+#
+conf_force_conffnew=YES
+
+# Please note that only one of conf_force_conffold and
+# conf_force_conffnew should be set.
+
+# Force the re-creation of deleted config files.
+conf_force_conffmiss=YES
diff --git a/roles/base/apt/tasks/copy_sources_list_d_entries.yml b/roles/base/apt/tasks/copy_sources_list_d_entries.yml
new file mode 100644
index 0000000..64aee9f
--- /dev/null
+++ b/roles/base/apt/tasks/copy_sources_list_d_entries.yml
@@ -0,0 +1,19 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2026 by someone
+#
+---
+- name: copy apt.sources-list.d entry {{source_name}}
+ copy:
+ src: "{{item}}"
+ dest: "/etc/apt/sources.list.d/{{source_name}}.sources"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/apt.sources-list.d/{{source_name}}.sources"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/apt.sources-list.d/{{source_name}}.sources"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/apt.sources-list.d/{{source_name}}.sources"
+ - "default/apt.sources-list.d/{{source_name}}.sources"
diff --git a/roles/base/apt/tasks/main.yml b/roles/base/apt/tasks/main.yml
new file mode 100644
index 0000000..baa9307
--- /dev/null
+++ b/roles/base/apt/tasks/main.yml
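Review bot: The override search paths are rooted at `lookup('env','PWD')`, i.e. the controller's current working directory, so host- and group-level files are only found when `ansible-playbook` is started from the repository root and a run from anywhere else silently falls through to `default/`; `{{playbook_dir}}` (or `{{inventory_dir}}`) expresses the intent without depending on the caller's cwd, and the same pattern is repeated in every `with_first_found` in this commit's `tasks/main.yml`. `mode: 0644` relies on YAML 1.1 octal parsing; the quoted form `mode: "0644"` is the one the Ansible docs and ansible-lint's `risky-octal` rule steer towards and cannot be misread as decimal 644 by a YAML 1.2 parser.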
@@ -0,0 +1,206 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2026 by someone
+#
+---
+- name: copy apt sources.list
+ copy:
+ src: "{{item}}"
+ dest: "/etc/apt/sources.list"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/apt-sources.list"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/apt-sources.list"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/apt-sources.list"
+ - "default/apt-sources.list"
+
+
+- include_tasks: copy_sources_list_d_entries.yml
+ with_items: "{{apt_sources_list_d_entries}}"
+ loop_control:
+ loop_var: source_name
+
+
+- name: copy apt package-pinning
+ copy:
+ src: "{{item}}"
+ dest: "/etc/apt/preferences.d/pinning.pref"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/apt-pinning.pref"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/apt-pinning.pref"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/apt-pinning.pref"
+ - "default/apt-pinning.pref"
+
+
+- name: copy apt kernel autoremove settings
+ copy:
+ src: "{{item}}"
+ dest: "/etc/apt/apt.conf.d/01autoremove"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/apt.conf.d/01autoremove"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/01autoremove"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/01autoremove"
+ - "default/apt.conf.d/01autoremove"
+
+
+- name: copy additional apt settings
+ copy:
+ src: "{{item}}"
+ dest: "/etc/apt/apt.conf.d/90somecustom"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/apt.conf.d/90somecustom"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/90somecustom"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/90somecustom"
+ - "default/apt.conf.d/90somecustom"
+
+
+- name: copy additional dpkg settings
+ copy:
+ src: "{{item}}"
+ dest: "/etc/dpkg/dpkg.cfg.d/90somecustom"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/dpkg.cfg.d-90somecustom"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/dpkg.cfg.d-90somecustom"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/dpkg.cfg.d-90somecustom"
+ - "default/dpkg.cfg.d-90somecustom"
+
+
+- name: copy ucf settings
+ copy:
+ src: "{{item}}"
+ dest: "/etc/ucf.conf"
+ mode: 0644
+ owner: "root"
+ group: "root"
+ with_first_found:
+ - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/ucf.conf"
+ - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/ucf.conf"
+ - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/ucf.conf"
+ - "default/ucf.conf"
+
+
+- name: disable and stop apt-daily.timer
+ systemd:
+ name: apt-daily.timer
+ daemon_reload: yes
+ enabled: no
+ state: stopped
+
+
+- name: disable and stop apt-daily-upgrade.timer
+ systemd:
+ name: apt-daily-upgrade.timer
+ daemon_reload: yes
+ enabled: no
+ state: stopped
+
+
+- name: update repository cache if older than {{apt_cache_valid_time}} sec
+ apt:
+ update_cache: yes
+ cache_valid_time: "{{apt_cache_valid_time}}"
+ tags: "online"
+ ignore_errors: True
+
+
+- name: install apt helper packages
+ apt:
+ pkg: "{{apt_helper_packages}}"
+ state: present
+ policy_rc_d: 101
+ tags: "online"
+ ignore_errors: "{{ignore_online_errors | bool}}"
+ register: temp
+
+
+- name: update repository cache once more
+ apt:
+ update_cache: yes
+ tags: "online"
+ ignore_errors: True
+ when: temp.changed
+
+
+# Use new configs. always. otherwise things like distupgrade can break.
+- name: upgrade packages
+ apt:
+ upgrade: full
+ install_recommends: no
+ policy_rc_d: 101
+ dpkg_options: 'force-confnew,force-confmiss'
+ tags: "online"
+ ignore_errors: "{{ignore_online_errors | bool}}"
+
+
+- name: remove dependencies that are no longer required
+ apt:
+ autoremove: yes
+ purge: yes
+ tags: "online"
+ ignore_errors: "{{ignore_online_errors | bool}}"
+ when: apt_cleanup | bool
+
+
+- name: remove useless packages from the download cache
+ apt:
+ autoclean: yes
+ tags: "online"
+ ignore_errors: "{{ignore_online_errors | bool}}"
+ when: apt_cleanup | bool
+
+
+- name: install additional packages
+ apt:
+ pkg: "{{ apt_additional_pkg + apt_additional_pkg_extra }}"
+ state: present
+ policy_rc_d: 101
+ tags: "online"
+ ignore_errors: "{{ignore_online_errors | bool}}"
+
+
+- name: install additional bare metal packages
+ apt:
+ pkg: "{{ apt_additional_pkg_bare_metal }}"
+ state: present
+ policy_rc_d: 101
+ when: is_bare_metal | bool
+ tags: "online"
+ ignore_errors: "{{ignore_online_errors | bool}}"
+
+
+# hacky, but sufficient for now: enablestart some installed services
+- name: enable and start plocate-updatedb.timer
+ include_role: name="base/systemd/enable-and-start"
+ vars:
+ service_name: plocate-updatedb.timer
+
+- name: enable and start lm-sensors.service
+ include_role: name="base/systemd/enable-and-start"
+ vars:
+ service_name: lm-sensors.service
+ when: is_bare_metal | bool
+
+
+ # makes no sense on RPI, ignore error.
+- name: enable and start smartmontools.service
+ include_role: name="base/systemd/enable-and-start"
+ vars:
+ service_name: smartmontools.service
+ when: is_bare_metal | bool
+ ignore_errors: True
diff --git a/roles/base/apt/templates/policy-rc.d.j2 b/roles/base/apt/templates/policy-rc.d.j2
new file mode 100644
index 0000000..ee1b3d0
--- /dev/null
+++ b/roles/base/apt/templates/policy-rc.d.j2
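Review bot: The group and all lookup paths for `01autoremove` and `90somecustom` drop the `apt.conf.d/` directory that the host_files path and the `default/` fallback use (`{{role_name}}/01autoremove` versus `{{role_name}}/apt.conf.d/01autoremove`), so a group-level override must live in a different layout than a host-level one and a file placed by analogy with the host path is never found; using `{{role_name}}/apt.conf.d/01autoremove` (and `.../apt.conf.d/90somecustom`) in all four entries keeps the convention uniform with the other copy tasks. `ignore_errors: True` on both `update repository cache` tasks also swallows apt's signature and missing-`Signed-By` failures, presumably on purpose because `fasttrack-archive-keyring` is only installed by the task in between; that deserves a comment such as `# first run: the fasttrack keyring is not installed yet, so its stanza fails until the helper packages are in` rather than an unconditional ignore. With `apt-daily.timer` and `apt-daily-upgrade.timer` disabled and stopped, security updates reach a host only when this role is run, which is worth recording in the role's defaults so operators schedule runs with that in mind. The `include_tasks` for the sources.list.d entries has no `name:`, unlike every other task here, and `register: temp` would read better as `register: apt_helper_packages_result`.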
@@ -0,0 +1,34 @@
+#!/usr/bin/env -S python3 -Bu
+################################################
+### Managed by someone's ansible provisioner ###
+################################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2026 by someone
+#
+# Prevent apt/dpkg from (re)starting services we manage.
+#
+##############
+### UNUSED ###
+### DELME? ###
+##############
+import datetime
+import os
+import re
+import sys
+
+os.umask(0o077)
+
+MANAGED_SERVICES = set("{{apt_ansible_managed_services | join(' ')}} {{apt_ansible_managed_services_extra | join(' ')}}".replace(".service","").split(" "))
+SERVICE = re.sub(r"@.*", "", re.sub(r"\.service", "", sys.argv[1]))
+
+
+if SERVICE in MANAGED_SERVICES:
+ with open("/tmp/policy-rc.d.log", "a") as fout:
+ fout.write(datetime.datetime.now().isoformat(timespec='seconds')+" -- managed, exit 101: " +str(sys.argv)+"\n")
+ sys.exit(101)
+
+
+with open("/tmp/policy-rc.d.log", "a") as fout:
+ fout.write(datetime.datetime.now().isoformat(timespec='seconds')+" -- unmanaged, exit 0: " +str(sys.argv)+"\n")
+
+sys.exit(0)
--
2.47.3
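Review bot: Both `open("/tmp/policy-rc.d.log", "a")` calls append as root to a fixed, predictable path in a world-writable directory, so a file or symlink that already exists there is simply followed — `os.umask(0o077)` only governs files this script creates itself — and since the hook runs under dpkg the log belongs under `/var/log`, opened with `O_NOFOLLOW` and an explicit 0600 mode. `sys.argv[1]` is also taken as the initscript id unconditionally, but invoke-rc.d passes `--quiet` before the id when it is itself run quietly, in which case `SERVICE` becomes `--quiet`, the managed check misses and the service is allowed to start; skipping leading `--` options and refusing an empty argument list fixes that. The template is marked UNUSED/DELME and references `apt_ansible_managed_services`, which this role's defaults do not define, so unless it is about to be wired in it is cleaner to drop it than to ship it; if it stays, the rewritten parts are below.
```python
LOG_PATH = "/var/log/policy-rc.d.log"  # root-owned directory, not /tmp


def log_decision(verdict):
    # O_NOFOLLOW refuses a pre-existing symlink; O_CREAT with 0o600 keeps a fresh log private.
    fd = os.open(LOG_PATH, os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW, 0o600)
    with os.fdopen(fd, "a") as fout:
        fout.write(datetime.datetime.now().isoformat(timespec='seconds') + " -- " + verdict + ": " + str(sys.argv) + "\n")


# … unchanged: MANAGED_SERVICES …
# invoke-rc.d may pass "--quiet" ahead of the initscript id; ignore option flags.
positional = [arg for arg in sys.argv[1:] if not arg.startswith("--")]
if not positional:
    sys.exit(103)  # syntax error per the policy-rc.d interface — TODO confirm against invoke-rc.d(8)
SERVICE = re.sub(r"@.*", "", re.sub(r"\.service", "", positional[0]))

if SERVICE in MANAGED_SERVICES:
    log_decision("managed, exit 101")
    sys.exit(101)

log_decision("unmanaged, exit 0")
sys.exit(0)
```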