feat(configuration): add Debian/Ubuntu repository and apt configuration

roles/bootstrap/tasks/debian.yml

@@ -31,10 +31,30 @@
     - name: Install Debian base system
       ansible.builtin.command: >-
         debootstrap --include={{ bootstrap_debian_base_csv }}
-        {{ bootstrap_debian_release }} /mnt https://deb.debian.org/debian/
+        {{ bootstrap_debian_release }} /mnt {{ system_cfg.mirror }}
       register: bootstrap_debian_base_result
       changed_when: bootstrap_debian_base_result.rc == 0
 
+    - name: Write bootstrap sources.list
+      ansible.builtin.template:
+        src: debian.sources.list.j2
+        dest: /mnt/etc/apt/sources.list
+        mode: "0644"
+
+    - name: Configure apt performance tuning
+      ansible.builtin.copy:
+        dest: /mnt/etc/apt/apt.conf.d/99performance
+        content: |
+          Acquire::Retries "3";
+          Acquire::http::Pipeline-Depth "10";
+          APT::Install-Recommends "false";
+        mode: "0644"
+
+    - name: Update package lists
+      ansible.builtin.command: "{{ chroot_command }} apt update"
+      register: bootstrap_debian_update_result
+      changed_when: bootstrap_debian_update_result.rc == 0
+
     - name: Install extra packages
       when: bootstrap_debian_extra_args | trim | length > 0
       ansible.builtin.command: "{{ chroot_command }} apt install -y {{ bootstrap_debian_extra_args }}"

roles/bootstrap/tasks/ubuntu.yml

@@ -30,15 +30,24 @@
         --keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg
         --include={{ bootstrap_ubuntu_base_csv }}
         {{ bootstrap_ubuntu_release }} /mnt
-        https://archive.ubuntu.com/ubuntu/
+        {{ system_cfg.mirror }}
       register: bootstrap_ubuntu_base_result
       changed_when: bootstrap_ubuntu_base_result.rc == 0
 
-    - name: Enable universe repository
-      ansible.builtin.replace:
-        path: /mnt/etc/apt/sources.list
-        regexp: '^(deb\s+\S+\s+\S+\s+main)$'
-        replace: '\1 universe'
+    - name: Write bootstrap sources.list
+      ansible.builtin.template:
+        src: ubuntu.sources.list.j2
+        dest: /mnt/etc/apt/sources.list
+        mode: "0644"
+
+    - name: Configure apt performance tuning
+      ansible.builtin.copy:
+        dest: /mnt/etc/apt/apt.conf.d/99performance
+        content: |
+          Acquire::Retries "3";
+          Acquire::http::Pipeline-Depth "10";
+          APT::Install-Recommends "false";
+        mode: "0644"
 
     - name: Update package lists
       ansible.builtin.command: "{{ chroot_command }} apt update"

roles/bootstrap/templates/debian.sources.list.j2

@@ -0,0 +1,15 @@
+# Managed by Ansible.
+{% set release = bootstrap_debian_release %}
+{% set mirror = system_cfg.mirror %}
+{% set components = 'main contrib non-free' ~ (' non-free-firmware' if (os_version | string) not in ['10', '11'] else '') %}
+
+deb {{ mirror }} {{ release }} {{ components }}
+deb-src {{ mirror }} {{ release }} {{ components }}
+{% if release != 'sid' %}
+
+deb https://security.debian.org/debian-security {{ release }}-security {{ components }}
+deb-src https://security.debian.org/debian-security {{ release }}-security {{ components }}
+
+deb {{ mirror }} {{ release }}-updates {{ components }}
+deb-src {{ mirror }} {{ release }}-updates {{ components }}
+{% endif %}

roles/bootstrap/templates/ubuntu.sources.list.j2

@@ -0,0 +1,16 @@
+# Managed by Ansible.
+{% set release = bootstrap_ubuntu_release %}
+{% set mirror = system_cfg.mirror %}
+{% set components = 'main restricted universe multiverse' %}
+
+deb {{ mirror }} {{ release }} {{ components }}
+deb-src {{ mirror }} {{ release }} {{ components }}
+
+deb {{ mirror }} {{ release }}-updates {{ components }}
+deb-src {{ mirror }} {{ release }}-updates {{ components }}
+
+deb {{ mirror }} {{ release }}-security {{ components }}
+deb-src {{ mirror }} {{ release }}-security {{ components }}
+
+deb {{ mirror }} {{ release }}-backports {{ components }}
+deb-src {{ mirror }} {{ release }}-backports {{ components }}

roles/configuration/tasks/main.yml

@@ -6,6 +6,8 @@
   when: configuration_task.when | default(true)
   ansible.builtin.include_tasks: "{{ configuration_task.file }}"
   loop:
+    - file: repositories.yml
+      when: "{{ os_family == 'Debian' }}"
     - file: banner.yml
     - file: fstab.yml
     - file: locales.yml

roles/configuration/tasks/repositories.yml

@@ -0,0 +1,25 @@
+---
+- name: Write final sources.list
+  vars:
+    _debian_release_map:
+      "10": buster
+      "11": bullseye
+      "12": bookworm
+      "13": trixie
+      unstable: sid
+    _ubuntu_release_map:
+      ubuntu: questing
+      ubuntu-lts: noble
+  ansible.builtin.template:
+    src: "{{ os | replace('-lts', '') }}.sources.list.j2"
+    dest: /mnt/etc/apt/sources.list
+    mode: "0644"
+
+- name: Ensure apt performance configuration persists
+  ansible.builtin.copy:
+    dest: /mnt/etc/apt/apt.conf.d/99performance
+    content: |
+      Acquire::Retries "3";
+      Acquire::http::Pipeline-Depth "10";
+      APT::Install-Recommends "false";
+    mode: "0644"

roles/configuration/templates/debian.sources.list.j2

@@ -0,0 +1,15 @@
+# Managed by Ansible.
+{% set release = _debian_release_map[os_version | string] | default('trixie') %}
+{% set mirror = system_cfg.mirror %}
+{% set components = 'main contrib non-free' ~ (' non-free-firmware' if (os_version | string) not in ['10', '11'] else '') %}
+
+deb {{ mirror }} {{ release }} {{ components }}
+deb-src {{ mirror }} {{ release }} {{ components }}
+{% if release != 'sid' %}
+
+deb https://security.debian.org/debian-security {{ release }}-security {{ components }}
+deb-src https://security.debian.org/debian-security {{ release }}-security {{ components }}
+
+deb {{ mirror }} {{ release }}-updates {{ components }}
+deb-src {{ mirror }} {{ release }}-updates {{ components }}
+{% endif %}

roles/configuration/templates/ubuntu.sources.list.j2

@@ -0,0 +1,16 @@
+# Managed by Ansible.
+{% set release = _ubuntu_release_map[os] | default('noble') %}
+{% set mirror = system_cfg.mirror %}
+{% set components = 'main restricted universe multiverse' %}
+
+deb {{ mirror }} {{ release }} {{ components }}
+deb-src {{ mirror }} {{ release }} {{ components }}
+
+deb {{ mirror }} {{ release }}-updates {{ components }}
+deb-src {{ mirror }} {{ release }}-updates {{ components }}
+
+deb {{ mirror }} {{ release }}-security {{ components }}
+deb-src {{ mirror }} {{ release }}-security {{ components }}
+
+deb {{ mirror }} {{ release }}-backports {{ components }}
+deb-src {{ mirror }} {{ release }}-backports {{ components }}

roles/global_defaults/defaults/main.yml

@@ -82,6 +82,7 @@ system_defaults:
   timezone: "Europe/Vienna"
   locale: "en_US.UTF-8"
   keymap: "us"
+  mirror: ""
   packages: []
   disks: []
   users: []

roles/global_defaults/tasks/_normalize_system.yml

@@ -10,6 +10,10 @@
         if (system_raw.name | default('') | string | trim | length) > 0
         else inventory_hostname
       }}
+    _mirror_defaults:
+      debian: "https://deb.debian.org/debian/"
+      ubuntu: "http://mirror.ubuntu.com/ubuntu/"
+      ubuntu-lts: "http://mirror.ubuntu.com/ubuntu/"
   ansible.builtin.set_fact:
     system_cfg:
       # --- Identity & platform ---
@@ -67,6 +71,12 @@
       timezone: "{{ system_raw.timezone | string }}"
       locale: "{{ system_raw.locale | string }}"
       keymap: "{{ system_raw.keymap | string }}"
+      mirror: >-
+        {{
+          system_raw.mirror | string | trim
+          if (system_raw.mirror | default('') | string | trim | length) > 0
+          else _mirror_defaults[system_raw.os | default('') | string | lower] | default('')
+        }}
       path: "{{ system_raw.path | default('') | string }}"
       packages: >-
         {{