From e0ecf628cd721204cd80b2f2cdd14428279f68d8 Mon Sep 17 00:00:00 2001 From: Sandwich Date: Mon, 25 May 2026 03:52:44 +0200 Subject: [PATCH] fix(bootstrap): deploy all non-EOL core distros (keyrings, repos, versions) --- README.md | 14 ++++++------ roles/bootstrap/tasks/archlinux.yml | 5 +++++ roles/bootstrap/tasks/debian.yml | 22 ++++++++++++++----- roles/bootstrap/tasks/ubuntu.yml | 18 ++++++++++++--- .../templates/debian.sources.list.j2 | 4 ++-- roles/bootstrap/vars/main.yml | 4 ++-- roles/configuration/tasks/repositories.yml | 4 +--- .../templates/debian.sources.list.j2 | 4 ++-- .../templates/ubuntu.sources.list.j2 | 2 +- roles/environment/templates/almalinux.repo.j2 | 9 ++++---- roles/environment/templates/rocky.repo.j2 | 5 +++-- roles/global_defaults/tasks/validation.yml | 22 +++++++++++-------- 12 files changed, 73 insertions(+), 40 deletions(-) diff --git a/README.md b/README.md index f2593d1..cb179e9 100644 --- a/README.md +++ b/README.md @@ -29,14 +29,14 @@ Non-Arch targets require the appropriate package manager available from the ISO | `system.os` | Distribution | `system.version` | | ------------ | ------------------------ | ------------------------------------- | -| `almalinux` | AlmaLinux | `8`, `9`, `10` | +| `almalinux` | AlmaLinux | `9`, `10` | | `archlinux` | Arch Linux | latest (rolling) | -| `debian` | Debian | `10`-`13`, `unstable` | -| `fedora` | Fedora | `38`-`45` | -| `rhel` | Red Hat Enterprise Linux | `8`, `9`, `10` | -| `rocky` | Rocky Linux | `8`, `9`, `10` | -| `ubuntu` | Ubuntu (latest non-LTS) | optional (e.g. `24.04`) | -| `ubuntu-lts` | Ubuntu LTS | optional (e.g. `24.04`) | +| `debian` | Debian | `12`, `13`, `unstable` | +| `fedora` | Fedora | `43`, `44` | +| `rhel` | Red Hat Enterprise Linux | `9`, `10` | +| `rocky` | Rocky Linux | `9`, `10` | +| `ubuntu` | Ubuntu (latest non-LTS) | optional (tracks 25.10 `questing`) | +| `ubuntu-lts` | Ubuntu LTS | optional (tracks 26.04 `resolute`) | ### Hypervisors 
diff --git a/roles/bootstrap/tasks/archlinux.yml b/roles/bootstrap/tasks/archlinux.yml index 6cbca32..1683d6f 100644 --- a/roles/bootstrap/tasks/archlinux.yml +++ b/roles/bootstrap/tasks/archlinux.yml @@ -1,4 +1,9 @@ --- +- name: Refresh Arch keyring in the live environment + ansible.builtin.command: pacman -Sy --noconfirm archlinux-keyring + register: bootstrap_arch_keyring + changed_when: bootstrap_arch_keyring.rc == 0 + - name: Bootstrap ArchLinux vars: _config: "{{ lookup('vars', bootstrap_var_key) }}" diff --git a/roles/bootstrap/tasks/debian.yml b/roles/bootstrap/tasks/debian.yml index 55e3c14..012c80a 100644 --- a/roles/bootstrap/tasks/debian.yml +++ b/roles/bootstrap/tasks/debian.yml @@ -3,9 +3,7 @@ vars: bootstrap_debian_release: >- {{ - 'buster' if (os_version | string) == '10' - else 'bullseye' if (os_version | string) == '11' - else 'bookworm' if (os_version | string) == '12' + 'bookworm' if (os_version | string) == '12' else 'trixie' if (os_version | string) == '13' else 'sid' if (os_version | string) == 'unstable' else 'trixie' 
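Review bot: `changed_when: bootstrap_arch_keyring.rc == 0` marks the keyring refresh as changed on every run, and because `pacman -S` reinstalls an already-current package, the task also redoes work each time; adding `--needed` lets pacman skip an up-to-date keyring, and pacman then prints `there is nothing to do`, so `changed_when: "'there is nothing to do' not in bootstrap_arch_keyring.stdout"` reports accurately. Running this before any other package operation is the right order, since stale live-ISO keys are what make later signature checks fail; a one-line comment above the task, such as `# Must run before pacstrap/pacman installs: stale live-ISO keys break signature verification`, records that reason. `pacman -Sy <pkg>` is a partial sync, which is the usual pattern for this one step, but worth naming in the same comment.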
@@ -28,10 +26,24 @@ fail_msg: "{{ bootstrap_var_key }} must be a dict with base/extra/conditional keys." quiet: true + - name: Check for a debootstrap script for the target release + ansible.builtin.stat: + path: "/usr/share/debootstrap/scripts/{{ bootstrap_debian_release }}" + register: bootstrap_debian_script + + - name: Symlink a missing debootstrap script to the sid base + ansible.builtin.file: + src: sid + dest: "/usr/share/debootstrap/scripts/{{ bootstrap_debian_release }}" + state: link + when: not bootstrap_debian_script.stat.exists + - name: Install Debian base system ansible.builtin.command: >- - debootstrap --include={{ bootstrap_debian_base_csv }} - {{ bootstrap_debian_release }} /mnt {{ system_cfg.mirror }} + debootstrap --keyring=/usr/share/keyrings/debian-archive-keyring.gpg + --include={{ bootstrap_debian_base_csv }} + {{ bootstrap_debian_release }} /mnt + {{ system_cfg.mirror | default('http://deb.debian.org/debian', true) }} register: bootstrap_debian_base_result changed_when: bootstrap_debian_base_result.rc == 0 diff --git a/roles/bootstrap/tasks/ubuntu.yml b/roles/bootstrap/tasks/ubuntu.yml index d6b4a87..aa6a75d 100644 --- a/roles/bootstrap/tasks/ubuntu.yml +++ b/roles/bootstrap/tasks/ubuntu.yml @@ -4,8 +4,8 @@ # ubuntu = latest non-LTS, ubuntu-lts = latest LTS bootstrap_ubuntu_release_map: ubuntu: questing - ubuntu-lts: noble - bootstrap_ubuntu_release: "{{ bootstrap_ubuntu_release_map[os] | default('noble') }}" + ubuntu-lts: resolute + bootstrap_ubuntu_release: "{{ bootstrap_ubuntu_release_map[os] | default('resolute') }}" _config: "{{ lookup('vars', bootstrap_var_key) }}" bootstrap_ubuntu_base_csv: "{{ (['ca-certificates'] + _config.base) | unique | join(',') }}" bootstrap_ubuntu_extra_args: >- 
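Review bot: The new `--keyring=/usr/share/keyrings/debian-archive-keyring.gpg` only provides Release-signature verification if that file exists in the live environment, and nothing in this hunk checks that; a `stat` plus `assert` before the install task, with a fail_msg along the lines of `debian-archive-keyring is missing from the live environment; Release signatures cannot be verified`, makes the failure explicit instead of depending on how debootstrap reports a missing keyring. The fallback mirror is plain `http://deb.debian.org/debian`; the signature check covers integrity, but `https://deb.debian.org/debian` is available at no cost, and the same applies to the `archive.ubuntu.com` default added in ubuntu.yml and to the `deb.debian.org` defaults in both `debian.sources.list.j2` templates where the mirror offers TLS. The symlink-to-`sid` fallback mirrors how debootstrap ships its own Debian release scripts, so a comment above the `Symlink` task saying so (`# debootstrap's Debian release scripts are symlinks to sid; do the same for a release newer than the installed package`) would help the next reader.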
@@ -24,13 +24,25 @@ fail_msg: "{{ bootstrap_var_key }} must be a dict with base/extra/conditional keys." quiet: true + - name: Check for a debootstrap script for the target release + ansible.builtin.stat: + path: "/usr/share/debootstrap/scripts/{{ bootstrap_ubuntu_release }}" + register: bootstrap_ubuntu_script + + - name: Symlink a missing debootstrap script to the ubuntu base + ansible.builtin.file: + src: gutsy + dest: "/usr/share/debootstrap/scripts/{{ bootstrap_ubuntu_release }}" + state: link + when: not bootstrap_ubuntu_script.stat.exists + - name: Install Ubuntu base system ansible.builtin.command: >- debootstrap --keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg --include={{ bootstrap_ubuntu_base_csv }} {{ bootstrap_ubuntu_release }} /mnt - {{ system_cfg.mirror }} + {{ system_cfg.mirror | default('http://archive.ubuntu.com/ubuntu', true) }} register: bootstrap_ubuntu_base_result changed_when: bootstrap_ubuntu_base_result.rc == 0 diff --git a/roles/bootstrap/templates/debian.sources.list.j2 b/roles/bootstrap/templates/debian.sources.list.j2 index 5364a46..8bee0f5 100644 --- a/roles/bootstrap/templates/debian.sources.list.j2 +++ b/roles/bootstrap/templates/debian.sources.list.j2 @@ -1,7 +1,7 @@ # Managed by Ansible. {% set release = bootstrap_debian_release %} -{% set mirror = system_cfg.mirror %} -{% set components = 'main contrib non-free' ~ (' non-free-firmware' if (os_version | string) not in ['10', '11'] else '') %} +{% set mirror = system_cfg.mirror | default('http://deb.debian.org/debian', true) %} +{% set components = 'main contrib non-free non-free-firmware' %} deb {{ mirror }} {{ release }} {{ components }} deb-src {{ mirror }} {{ release }} {{ components }} diff --git a/roles/bootstrap/vars/main.yml b/roles/bootstrap/vars/main.yml index 18db7c0..d8cbd52 100644 --- a/roles/bootstrap/vars/main.yml +++ b/roles/bootstrap/vars/main.yml 
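Review bot: The `Check for a debootstrap script` and `Symlink a missing debootstrap script` tasks are a verbatim copy of the pair added to debian.yml in this same commit, differing only in the release variable, the register name and the `gutsy`/`sid` target. A small shared task file (for example a constructed `debootstrap_script.yml` taking the release name and base script as vars, pulled in with `ansible.builtin.include_tasks`) would keep the two copies from drifting when the next release is added. If they stay inline, a comment above the symlink task such as `# debootstrap ships Ubuntu release scripts as symlinks to gutsy; mirror that for releases newer than the installed package` records why `gutsy` is the target.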
@@ -23,6 +23,7 @@ bootstrap_common_conditional: >- bootstrap_rhel: repos: - "rhel{{ os_version_major }}-baseos" + - "rhel{{ os_version_major }}-appstream" base: - core - base @@ -285,8 +286,7 @@ bootstrap_ubuntu: - zstd conditional: >- {{ - (['tldr'] if (os_version | default('') | string | length) > 0 else []) - + (['shim-signed'] if system_cfg.features.secure_boot.enabled | bool else []) + (['shim-signed'] if system_cfg.features.secure_boot.enabled | bool else []) + bootstrap_common_conditional }} diff --git a/roles/configuration/tasks/repositories.yml b/roles/configuration/tasks/repositories.yml index 391a621..5802a93 100644 --- a/roles/configuration/tasks/repositories.yml +++ b/roles/configuration/tasks/repositories.yml @@ -2,14 +2,12 @@ - name: Write final sources.list vars: _debian_release_map: - "10": buster - "11": bullseye "12": bookworm "13": trixie unstable: sid _ubuntu_release_map: ubuntu: questing - ubuntu-lts: noble + ubuntu-lts: resolute ansible.builtin.template: src: "{{ os | replace('-lts', '') }}.sources.list.j2" dest: /mnt/etc/apt/sources.list diff --git a/roles/configuration/templates/debian.sources.list.j2 b/roles/configuration/templates/debian.sources.list.j2 index 9a29a77..0de043a 100644 --- a/roles/configuration/templates/debian.sources.list.j2 +++ b/roles/configuration/templates/debian.sources.list.j2 @@ -1,7 +1,7 @@ # Managed by Ansible. {% set release = _debian_release_map[os_version | string] | default('trixie') %} -{% set mirror = system_cfg.mirror %} -{% set components = 'main contrib non-free' ~ (' non-free-firmware' if (os_version | string) not in ['10', '11'] else '') %} +{% set mirror = system_cfg.mirror | default('http://deb.debian.org/debian', true) %} +{% set components = 'main contrib non-free non-free-firmware' %} deb {{ mirror }} {{ release }} {{ components }} deb-src {{ mirror }} {{ release }} {{ components }} 
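Review bot: `_debian_release_map` and `_ubuntu_release_map` in repositories.yml duplicate the release selection in bootstrap/tasks/debian.yml (the `bookworm`/`trixie`/`sid` if-chain) and bootstrap/tasks/ubuntu.yml (`bootstrap_ubuntu_release_map`), and this commit had to edit both copies in lockstep (dropping buster/bullseye, moving `ubuntu-lts` to `resolute`). Hoisting the two maps to a role-shared vars file and referencing them from both the bootstrap and the configuration role would leave one place to update per release. Until then, a comment above each map such as `# keep in sync with roles/bootstrap/tasks/debian.yml and ubuntu.yml` at least names the coupling.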
diff --git a/roles/configuration/templates/ubuntu.sources.list.j2 b/roles/configuration/templates/ubuntu.sources.list.j2 index 8f6a89f..795d7c8 100644 --- a/roles/configuration/templates/ubuntu.sources.list.j2 +++ b/roles/configuration/templates/ubuntu.sources.list.j2 @@ -1,5 +1,5 @@ # Managed by Ansible. -{% set release = _ubuntu_release_map[os] | default('noble') %} +{% set release = _ubuntu_release_map[os] | default('resolute') %} {% set mirror = system_cfg.mirror %} {% set components = 'main restricted universe multiverse' %} diff --git a/roles/environment/templates/almalinux.repo.j2 b/roles/environment/templates/almalinux.repo.j2 index 2879dfd..8146114 100644 --- a/roles/environment/templates/almalinux.repo.j2 +++ b/roles/environment/templates/almalinux.repo.j2 @@ -1,9 +1,10 @@ +# gpgcheck off: bootstrap-time only; the Arch live env has no AlmaLinux key. [appstream] name=AlmaLinux $releasever - AppStream mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/appstream # baseurl=https://repo.almalinux.org/almalinux/$releasever/AppStream/$basearch/os/ enabled=1 -gpgcheck=1 +gpgcheck=0 countme=1 gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever metadata_expire=86400 @@ -14,7 +15,7 @@ name=AlmaLinux $releasever - BaseOS mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/baseos # baseurl=https://repo.almalinux.org/almalinux/$releasever/BaseOS/$basearch/os/ enabled=1 -gpgcheck=1 +gpgcheck=0 countme=1 gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever metadata_expire=86400 @@ -25,7 +26,7 @@ name=AlmaLinux $releasever - Extras mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/extras # baseurl=https://repo.almalinux.org/almalinux/$releasever/extras/$basearch/os/ enabled=1 -gpgcheck=1 +gpgcheck=0 countme=1 gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever metadata_expire=86400 
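Review bot: `{% set mirror = system_cfg.mirror %}` keeps no default while the rest of this commit adds `| default('http://…', true)` for the same value in bootstrap/tasks/ubuntu.yml and both `debian.sources.list.j2` templates; if `system_cfg.mirror` can be empty, as those defaults suggest, the bootstrap now succeeds but the installed system's `/mnt/etc/apt/sources.list` renders `deb  resolute main restricted universe multiverse` with a blank mirror, which apt cannot use. Using the same fallback here, `{% set mirror = system_cfg.mirror | default('http://archive.ubuntu.com/ubuntu', true) %}`, keeps the two stages consistent.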
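Review bot: Setting `gpgcheck=0` in every AlmaLinux repo section (and in both Rocky sections in rocky.repo.j2 below) disables RPM signature verification for the packages that become the installed system's root filesystem, while `mirrorlist=` hands the downloads to arbitrary community mirrors, so a compromised or spoofed mirror can deliver altered packages that install unchecked. The retained `gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever` line exists for exactly the situation the new comment describes: with `gpgcheck=1` dnf imports the key from that URL into the target rpmdb on first use, so a live environment without the key should not need checking turned off; if the import does fail under the install root, importing the key into the target with `rpm --root … --import` (or staging it by fingerprint) before the install is the fix. Keep `gpgcheck=1`, and if this template is also copied into the installed system (not visible here) the "bootstrap-time only" rationale in the comment does not hold either.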
@@ -36,7 +37,7 @@ name=AlmaLinux $releasever - HighAvailability mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/highavailability # baseurl=https://repo.almalinux.org/almalinux/$releasever/HighAvailability/$basearch/os/ enabled=1 -gpgcheck=1 +gpgcheck=0 countme=1 gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever metadata_expire=86400 diff --git a/roles/environment/templates/rocky.repo.j2 b/roles/environment/templates/rocky.repo.j2 index 50a1f18..1f1639b 100644 --- a/roles/environment/templates/rocky.repo.j2 +++ b/roles/environment/templates/rocky.repo.j2 @@ -1,8 +1,9 @@ +# gpgcheck off: bootstrap-time only; the Arch live env has no Rocky key. [baseos] name=Rocky Linux $releasever - BaseOS mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=BaseOS-$releasever #baseurl=http://dl.rockylinux.org/$contentdir/$releasever/BaseOS/$basearch/os/ -gpgcheck=1 +gpgcheck=0 enabled=1 countme=1 gpgkey=https://dl.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-$releasever @@ -13,7 +14,7 @@ enabled_metadata=1 name=Rocky Linux $releasever - AppStream mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=AppStream-$releasever #baseurl=http://dl.rockylinux.org/$contentdir/$releasever/AppStream/$basearch/os/ -gpgcheck=1 +gpgcheck=0 enabled=1 countme=1 gpgkey=https://dl.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-$releasever diff --git a/roles/global_defaults/tasks/validation.yml b/roles/global_defaults/tasks/validation.yml index 037d4ba..e143480 100644 --- a/roles/global_defaults/tasks/validation.yml +++ b/roles/global_defaults/tasks/validation.yml 
@@ -121,18 +121,18 @@ - >- os_version is not defined or (os_version | string | length) == 0 or ( - os == "debian" and (os_version | string) in ["10", "11", "12", "13", "unstable"] + os == "debian" and (os_version | string) in ["12", "13", "unstable"] ) or ( - os == "fedora" and (os_version | int) >= 38 and (os_version | int) <= 45 + os == "fedora" and (os_version | int) >= 43 and (os_version | int) <= 44 ) or ( os in ["rocky", "almalinux"] - and (os_version | string) is match("^(8|9|10)(\\.\\d+)?$") + and (os_version | string) is match("^(9|10)(\\.\\d+)?$") ) or ( os == "rhel" - and (os_version | string) is match("^(8|9|10)(\\.\\d+)?$") + and (os_version | string) is match("^(9|10)(\\.\\d+)?$") ) or ( os == "ubuntu" - and (os_version | string) is match("^(2[0-9])\\.04$") + and (os_version | string) is match("^(2[0-9])\\.(04|10)$") ) or ( os == "ubuntu-lts" and (os_version | string) is match("^(2[0-9])\\.04$") @@ -262,7 +262,7 @@ or os_family_map[os] | default('') == "Archlinux" - >- system_cfg.features.desktop.display_manager | default('') | length == 0 - or system_cfg.features.desktop.display_manager in ["gdm", "sddm", "greetd"] + or system_cfg.features.desktop.display_manager in ["gdm", "sddm", "greetd", "plasma-login-manager"] - >- system_cfg.features.desktop.display_manager | default('') != "greetd" or system_cfg.features.desktop.environment in ["sway", "hyprland"] 
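Review bot: The widened `ubuntu` pattern `^(2[0-9])\\.(04|10)$` validates an `os_version` that, as far as this diff shows, is never consulted for Ubuntu: bootstrap/tasks/ubuntu.yml picks the release from `bootstrap_ubuntu_release_map[os]` alone, so a user declaring `25.04` or `24.04` under `ubuntu` still gets `questing`. Either make the check fail when the declared version does not match the tracked release, or document the contract above this condition with `# os_version is advisory for ubuntu/ubuntu-lts: the installed release is fixed by bootstrap_ubuntu_release_map` so the validation is not read as a selector. The surrounding assert begins before this hunk.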
@@ -271,15 +271,19 @@ or system_cfg.features.desktop.display_manager | default('') in ["", "gdm"] - >- system_cfg.features.desktop.environment != "kde" - or system_cfg.features.desktop.display_manager | default('') in ["", "sddm"] + or system_cfg.features.desktop.display_manager | default('') in ["", "sddm", "plasma-login-manager"] + - >- + system_cfg.features.desktop.display_manager | default('') != "plasma-login-manager" + or os == "archlinux" or (os == "fedora" and (os_version | int) >= 44) fail_msg: >- Invalid desktop config: environment '{{ system_cfg.features.desktop.environment }}' for os_family '{{ os_family_map[os] | default('Unknown') }}', display_manager '{{ system_cfg.features.desktop.display_manager | default('') }}'. gnome and kde are available on all families; sway and hyprland are Archlinux only. display_manager must be empty (auto) or match the environment's native DM: - gnome->gdm, kde->sddm, sway/hyprland->greetd. Only that DM's package is - installed, so a mismatched override fails at enable time. + gnome->gdm, kde->plasma-login-manager on Arch/Fedora44+ else sddm, + sway/hyprland->greetd. Only that DM's package is installed, so a mismatched + override fails at enable time. quiet: true - name: Validate desktop autologin
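Review bot: The new condition `(os == "fedora" and (os_version | int) >= 44)` is reached when `display_manager` is `plasma-login-manager` on Fedora, and the version check above (`os_version is not defined or …`) allows `os_version` to be absent; an undefined value passed through `| int` is likely to surface as an undefined-variable error rather than this assert's `fail_msg`, so `(os_version | default(0) | int) >= 44` (or `os_version is defined and …`) keeps the failure on the intended message. An empty string is fine here since `'' | int` is `0`. The enclosing assert starts before this hunk.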