fix(bootstrap): deploy all non-EOL core distros (keyrings, repos, versions)

README.md

@@ -29,14 +29,14 @@ Non-Arch targets require the appropriate package manager available from the ISO
 
 | `system.os`  | Distribution             | `system.version`                      |
 | ------------ | ------------------------ | ------------------------------------- |
-| `almalinux`  | AlmaLinux                | `8`, `9`, `10`                        |
+| `almalinux`  | AlmaLinux                | `9`, `10`                             |
 | `archlinux`  | Arch Linux               | latest (rolling)                      |
-| `debian`     | Debian                   | `10`-`13`, `unstable`                 |
+| `debian`     | Debian                   | `12`, `13`, `unstable`                |
-| `fedora`     | Fedora                   | `38`-`45`                             |
+| `fedora`     | Fedora                   | `43`, `44`                            |
-| `rhel`       | Red Hat Enterprise Linux | `8`, `9`, `10`                        |
+| `rhel`       | Red Hat Enterprise Linux | `9`, `10`                             |
-| `rocky`      | Rocky Linux              | `8`, `9`, `10`                        |
+| `rocky`      | Rocky Linux              | `9`, `10`                             |
-| `ubuntu`     | Ubuntu (latest non-LTS)  | optional (e.g. `24.04`)              |
+| `ubuntu`     | Ubuntu (latest non-LTS)  | optional (tracks 25.10 `questing`)    |
-| `ubuntu-lts` | Ubuntu LTS               | optional (e.g. `24.04`)              |
+| `ubuntu-lts` | Ubuntu LTS               | optional (tracks 26.04 `resolute`)    |
 
 ### Hypervisors
 

roles/bootstrap/tasks/archlinux.yml

@@ -1,4 +1,9 @@
 ---
+- name: Refresh Arch keyring in the live environment
+  ansible.builtin.command: pacman -Sy --noconfirm archlinux-keyring
+  register: bootstrap_arch_keyring
+  changed_when: bootstrap_arch_keyring.rc == 0
+
 - name: Bootstrap ArchLinux
   vars:
     _config: "{{ lookup('vars', bootstrap_var_key) }}"

roles/bootstrap/tasks/debian.yml

@@ -3,9 +3,7 @@
   vars:
     bootstrap_debian_release: >-
       {{
-        'buster' if (os_version | string) == '10'
+        'bookworm' if (os_version | string) == '12'
-        else 'bullseye' if (os_version | string) == '11'
-        else 'bookworm' if (os_version | string) == '12'
         else 'trixie' if (os_version | string) == '13'
         else 'sid' if (os_version | string) == 'unstable'
         else 'trixie'
@@ -28,10 +26,24 @@
         fail_msg: "{{ bootstrap_var_key }} must be a dict with base/extra/conditional keys."
         quiet: true
 
+    - name: Check for a debootstrap script for the target release
+      ansible.builtin.stat:
+        path: "/usr/share/debootstrap/scripts/{{ bootstrap_debian_release }}"
+      register: bootstrap_debian_script
+
+    - name: Symlink a missing debootstrap script to the sid base
+      ansible.builtin.file:
+        src: sid
+        dest: "/usr/share/debootstrap/scripts/{{ bootstrap_debian_release }}"
+        state: link
+      when: not bootstrap_debian_script.stat.exists
+
     - name: Install Debian base system
       ansible.builtin.command: >-
-        debootstrap --include={{ bootstrap_debian_base_csv }}
+        debootstrap --keyring=/usr/share/keyrings/debian-archive-keyring.gpg
-        {{ bootstrap_debian_release }} /mnt {{ system_cfg.mirror }}
+        --include={{ bootstrap_debian_base_csv }}
+        {{ bootstrap_debian_release }} /mnt
+        {{ system_cfg.mirror | default('http://deb.debian.org/debian', true) }}
       register: bootstrap_debian_base_result
       changed_when: bootstrap_debian_base_result.rc == 0
 

roles/bootstrap/tasks/ubuntu.yml

@@ -4,8 +4,8 @@
     # ubuntu = latest non-LTS, ubuntu-lts = latest LTS
     bootstrap_ubuntu_release_map:
       ubuntu: questing
-      ubuntu-lts: noble
+      ubuntu-lts: resolute
-    bootstrap_ubuntu_release: "{{ bootstrap_ubuntu_release_map[os] | default('noble') }}"
+    bootstrap_ubuntu_release: "{{ bootstrap_ubuntu_release_map[os] | default('resolute') }}"
     _config: "{{ lookup('vars', bootstrap_var_key) }}"
     bootstrap_ubuntu_base_csv: "{{ (['ca-certificates'] + _config.base) | unique | join(',') }}"
     bootstrap_ubuntu_extra_args: >-
@@ -24,13 +24,25 @@
         fail_msg: "{{ bootstrap_var_key }} must be a dict with base/extra/conditional keys."
         quiet: true
 
+    - name: Check for a debootstrap script for the target release
+      ansible.builtin.stat:
+        path: "/usr/share/debootstrap/scripts/{{ bootstrap_ubuntu_release }}"
+      register: bootstrap_ubuntu_script
+
+    - name: Symlink a missing debootstrap script to the ubuntu base
+      ansible.builtin.file:
+        src: gutsy
+        dest: "/usr/share/debootstrap/scripts/{{ bootstrap_ubuntu_release }}"
+        state: link
+      when: not bootstrap_ubuntu_script.stat.exists
+
     - name: Install Ubuntu base system
       ansible.builtin.command: >-
         debootstrap
         --keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg
         --include={{ bootstrap_ubuntu_base_csv }}
         {{ bootstrap_ubuntu_release }} /mnt
-        {{ system_cfg.mirror }}
+        {{ system_cfg.mirror | default('http://archive.ubuntu.com/ubuntu', true) }}
       register: bootstrap_ubuntu_base_result
       changed_when: bootstrap_ubuntu_base_result.rc == 0
 

roles/bootstrap/templates/debian.sources.list.j2

@@ -1,7 +1,7 @@
 # Managed by Ansible.
 {% set release = bootstrap_debian_release %}
-{% set mirror = system_cfg.mirror %}
+{% set mirror = system_cfg.mirror | default('http://deb.debian.org/debian', true) %}
-{% set components = 'main contrib non-free' ~ (' non-free-firmware' if (os_version | string) not in ['10', '11'] else '') %}
+{% set components = 'main contrib non-free non-free-firmware' %}
 
 deb {{ mirror }} {{ release }} {{ components }}
 deb-src {{ mirror }} {{ release }} {{ components }}

roles/bootstrap/vars/main.yml

@@ -23,6 +23,7 @@ bootstrap_common_conditional: >-
 bootstrap_rhel:
   repos:
     - "rhel{{ os_version_major }}-baseos"
+    - "rhel{{ os_version_major }}-appstream"
   base:
     - core
     - base
@@ -285,8 +286,7 @@ bootstrap_ubuntu:
     - zstd
   conditional: >-
     {{
-      (['tldr'] if (os_version | default('') | string | length) > 0 else [])
+      (['shim-signed'] if system_cfg.features.secure_boot.enabled | bool else [])
-      + (['shim-signed'] if system_cfg.features.secure_boot.enabled | bool else [])
       + bootstrap_common_conditional
     }}
 

roles/configuration/tasks/repositories.yml

@@ -2,14 +2,12 @@
 - name: Write final sources.list
   vars:
     _debian_release_map:
-      "10": buster
-      "11": bullseye
       "12": bookworm
       "13": trixie
       unstable: sid
     _ubuntu_release_map:
       ubuntu: questing
-      ubuntu-lts: noble
+      ubuntu-lts: resolute
   ansible.builtin.template:
     src: "{{ os | replace('-lts', '') }}.sources.list.j2"
     dest: /mnt/etc/apt/sources.list

roles/configuration/templates/debian.sources.list.j2

@@ -1,7 +1,7 @@
 # Managed by Ansible.
 {% set release = _debian_release_map[os_version | string] | default('trixie') %}
-{% set mirror = system_cfg.mirror %}
+{% set mirror = system_cfg.mirror | default('http://deb.debian.org/debian', true) %}
-{% set components = 'main contrib non-free' ~ (' non-free-firmware' if (os_version | string) not in ['10', '11'] else '') %}
+{% set components = 'main contrib non-free non-free-firmware' %}
 
 deb {{ mirror }} {{ release }} {{ components }}
 deb-src {{ mirror }} {{ release }} {{ components }}

roles/configuration/templates/ubuntu.sources.list.j2

@@ -1,5 +1,5 @@
 # Managed by Ansible.
-{% set release = _ubuntu_release_map[os] | default('noble') %}
+{% set release = _ubuntu_release_map[os] | default('resolute') %}
 {% set mirror = system_cfg.mirror %}
 {% set components = 'main restricted universe multiverse' %}
 

roles/environment/templates/almalinux.repo.j2

@@ -1,9 +1,10 @@
+# gpgcheck off: bootstrap-time only; the Arch live env has no AlmaLinux key.
 [appstream]
 name=AlmaLinux $releasever - AppStream
 mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/appstream
 # baseurl=https://repo.almalinux.org/almalinux/$releasever/AppStream/$basearch/os/
 enabled=1
-gpgcheck=1
+gpgcheck=0
 countme=1
 gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever
 metadata_expire=86400
@@ -14,7 +15,7 @@ name=AlmaLinux $releasever - BaseOS
 mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/baseos
 # baseurl=https://repo.almalinux.org/almalinux/$releasever/BaseOS/$basearch/os/
 enabled=1
-gpgcheck=1
+gpgcheck=0
 countme=1
 gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever
 metadata_expire=86400
@@ -25,7 +26,7 @@ name=AlmaLinux $releasever - Extras
 mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/extras
 # baseurl=https://repo.almalinux.org/almalinux/$releasever/extras/$basearch/os/
 enabled=1
-gpgcheck=1
+gpgcheck=0
 countme=1
 gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever
 metadata_expire=86400
@@ -36,7 +37,7 @@ name=AlmaLinux $releasever - HighAvailability
 mirrorlist=https://mirrors.almalinux.org/mirrorlist/$releasever/highavailability
 # baseurl=https://repo.almalinux.org/almalinux/$releasever/HighAvailability/$basearch/os/
 enabled=1
-gpgcheck=1
+gpgcheck=0
 countme=1
 gpgkey=https://repo.almalinux.org/almalinux/RPM-GPG-KEY-AlmaLinux-$releasever
 metadata_expire=86400

roles/environment/templates/rocky.repo.j2

@@ -1,8 +1,9 @@
+# gpgcheck off: bootstrap-time only; the Arch live env has no Rocky key.
 [baseos]
 name=Rocky Linux $releasever - BaseOS
 mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=BaseOS-$releasever
 #baseurl=http://dl.rockylinux.org/$contentdir/$releasever/BaseOS/$basearch/os/
-gpgcheck=1
+gpgcheck=0
 enabled=1
 countme=1
 gpgkey=https://dl.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-$releasever
@@ -13,7 +14,7 @@ enabled_metadata=1
 name=Rocky Linux $releasever - AppStream
 mirrorlist=https://mirrors.rockylinux.org/mirrorlist?arch=$basearch&repo=AppStream-$releasever
 #baseurl=http://dl.rockylinux.org/$contentdir/$releasever/AppStream/$basearch/os/
-gpgcheck=1
+gpgcheck=0
 enabled=1
 countme=1
 gpgkey=https://dl.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-$releasever

roles/global_defaults/tasks/validation.yml

@@ -121,18 +121,18 @@
       - >-
         os_version is not defined or (os_version | string | length) == 0
         or (
-          os == "debian" and (os_version | string) in ["10", "11", "12", "13", "unstable"]
+          os == "debian" and (os_version | string) in ["12", "13", "unstable"]
         ) or (
-          os == "fedora" and (os_version | int) >= 38 and (os_version | int) <= 45
+          os == "fedora" and (os_version | int) >= 43 and (os_version | int) <= 44
         ) or (
           os in ["rocky", "almalinux"]
-          and (os_version | string) is match("^(8|9|10)(\\.\\d+)?$")
+          and (os_version | string) is match("^(9|10)(\\.\\d+)?$")
         ) or (
           os == "rhel"
-          and (os_version | string) is match("^(8|9|10)(\\.\\d+)?$")
+          and (os_version | string) is match("^(9|10)(\\.\\d+)?$")
         ) or (
           os == "ubuntu"
-          and (os_version | string) is match("^(2[0-9])\\.04$")
+          and (os_version | string) is match("^(2[0-9])\\.(04|10)$")
         ) or (
           os == "ubuntu-lts"
           and (os_version | string) is match("^(2[0-9])\\.04$")
@@ -262,7 +262,7 @@
         or os_family_map[os] | default('') == "Archlinux"
       - >-
         system_cfg.features.desktop.display_manager | default('') | length == 0
-        or system_cfg.features.desktop.display_manager in ["gdm", "sddm", "greetd"]
+        or system_cfg.features.desktop.display_manager in ["gdm", "sddm", "greetd", "plasma-login-manager"]
       - >-
         system_cfg.features.desktop.display_manager | default('') != "greetd"
         or system_cfg.features.desktop.environment in ["sway", "hyprland"]
@@ -271,15 +271,19 @@
         or system_cfg.features.desktop.display_manager | default('') in ["", "gdm"]
       - >-
         system_cfg.features.desktop.environment != "kde"
-        or system_cfg.features.desktop.display_manager | default('') in ["", "sddm"]
+        or system_cfg.features.desktop.display_manager | default('') in ["", "sddm", "plasma-login-manager"]
+      - >-
+        system_cfg.features.desktop.display_manager | default('') != "plasma-login-manager"
+        or os == "archlinux" or (os == "fedora" and (os_version | int) >= 44)
     fail_msg: >-
       Invalid desktop config: environment '{{ system_cfg.features.desktop.environment }}'
       for os_family '{{ os_family_map[os] | default('Unknown') }}',
       display_manager '{{ system_cfg.features.desktop.display_manager | default('') }}'.
       gnome and kde are available on all families; sway and hyprland are Archlinux only.
       display_manager must be empty (auto) or match the environment's native DM:
-      gnome->gdm, kde->sddm, sway/hyprland->greetd. Only that DM's package is
+      gnome->gdm, kde->plasma-login-manager on Arch/Fedora44+ else sddm,
-      installed, so a mismatched override fails at enable time.
+      sway/hyprland->greetd. Only that DM's package is installed, so a mismatched
+      override fails at enable time.
     quiet: true
 
 - name: Validate desktop autologin