Merge branch 'debian12' into unstable

2022-11-27 18:29:57 +01:00 · 2022-11-27 18:29:57 +01:00 · 08db230c29
parent 54dca82838 4156142c85
commit 08db230c29
53 changed files with 372 additions and 96 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -12,11 +12,15 @@ The **patch** part changes is incremented if multiple releases happen the same m

 ### Added

+* all: Use proper keyrings directory for APT version
+* all: Add signed-by option for additional APT sources
+* all: preliminary work to support Debian 12
 * evolinux-base: replace regular kernel by cloud kernel on virtual servers
-* nagios-nrpe: check_haproxy_stats supports DRAIN status
 * lxc-php: set php-fpm umask to 007
-* varnish: create special tmp directory for syntax validation
 * nagios-nrpe: check_ceph_*
+* nagios-nrpe: check_haproxy_stats supports DRAIN status
+* packweb-apache: enable log_forensic module
+* varnish: create special tmp directory for syntax validation

 ### Changed

@ -29,6 +33,7 @@ The **patch** part changes is incremented if multiple releases happen the same m
 * lxc-solr: download URL according to Solr Version
 * lxc-solr: set homedir and port at install
 * minifirewall: whitelist deb.freexian.com
+* packweb-apache: manual dependencies resolution
 * redis: some values should be quoted
 * redis: variable to disable transparent hugepage (default: do nothing)
 * squid: whitelist deb.freexian.com
--- a/apt/defaults/main.yml
+++ b/apt/defaults/main.yml
@ -25,3 +25,5 @@ apt_check_hold_cron_hour: "*/4"
 apt_check_hold_cron_weekday: "*"
 apt_check_hold_cron_day: "*"
 apt_check_hold_cron_month: "*"
+
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
--- a/apt/tasks/evolix_public.yml
+++ b/apt/tasks/evolix_public.yml
@ -19,7 +19,7 @@
 - name: Add Evolix GPG key
  copy:
    src: reg.asc
-    dest: /etc/apt/trusted.gpg.d/reg.asc
+    dest: "{{ apt_keyring_dir }}/reg.asc"
    force: yes
    mode: "0644"
    owner: root
--- a/apt/templates/bookworm_basics.list.j2
+++ b/apt/templates/bookworm_basics.list.j2
@ -0,0 +1,5 @@
+# {{ ansible_managed }}
+
+deb http://mirror.evolix.org/debian bookworm {{ apt_basics_components | mandatory }}
+deb http://mirror.evolix.org/debian/ bookworm-updates {{ apt_basics_components | mandatory }} 
+deb http://security.debian.org/debian-security bookworm-security {{ apt_basics_components | mandatory }}
--- a/apt/templates/evolix_public.list.j2
+++ b/apt/templates/evolix_public.list.j2
@ -1,3 +1,7 @@
 # {{ ansible_managed }}

-deb http://pub.evolix.net/ {{ ansible_distribution_release }}/
+{% if ansible_distribution_release == "bookworm" %}
+deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ bullseye/
+{% else %}
+deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ {{ ansible_distribution_release }}/
+{% endif %}
--- a/docker-host/defaults/main.yml
+++ b/docker-host/defaults/main.yml
@ -28,3 +28,5 @@ docker_tls_ca_key: ca/ca-key.pem
 docker_tls_cert: server/cert.pem
 docker_tls_key: server/key.pem
 docker_tls_csr: server/server.csr
+
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
--- a/docker-host/tasks/main.yml
+++ b/docker-host/tasks/main.yml
@ -19,7 +19,7 @@
 - name: Add Docker's official GPG key
  copy:
    src: docker-debian.asc
-    dest: /etc/apt/trusted.gpg.d/docker-debian.asc
+    dest: "{{ apt_keyring_dir }}/docker-debian.asc"
    force: yes
    mode: "0644"
    owner: root
@ -27,7 +27,7 @@

 - name: Add Docker repository
  apt_repository:
-    repo: 'deb [arch=amd64] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
+    repo: 'deb [signed-by={{ apt_keyring_dir }}/docker-debian.asc] https://download.docker.com/linux/debian {{ ansible_distribution_release }} stable'
    state: present
    filename: docker.list

--- a/elasticsearch/defaults/main.yml
+++ b/elasticsearch/defaults/main.yml
@ -29,3 +29,5 @@ elasticsearch_plugin_head_clone_dir: "{{ elasticsearch_plugin_head_home }}/www"
 elasticsearch_plugin_head_tmp_dir: "{{ elasticsearch_plugin_head_home }}/tmp"

 elasticsearch_additional_scripts_dir: /usr/share/scripts
+
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
--- a/elasticsearch/tasks/packages.yml
+++ b/elasticsearch/tasks/packages.yml
@ -29,7 +29,7 @@
 - name: Elastic GPG key is installed
  copy:
    src: elastic.asc
-    dest: /etc/apt/trusted.gpg.d/elastic.asc
+    dest: "{{ apt_keyring_dir }}/elastic.asc"
    force: yes
    mode: "0644"
    owner: root
@ -40,7 +40,7 @@

 - name: Elastic sources list is available
  apt_repository:
-    repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
+    repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
    filename: elastic
    state: present
    update_cache: yes
--- a/evolinux-base/defaults/main.yml
+++ b/evolinux-base/defaults/main.yml
@ -21,6 +21,8 @@ evolinux_apt_public_sources: True
 evolinux_apt_upgrade: True
 evolinux_apt_remove_aptitude: True

+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
+
 # etc-evolinux

 evolinux_etcevolinux_include: True
--- a/evolinux-base/tasks/hardware.yml
+++ b/evolinux-base/tasks/hardware.yml
@ -81,7 +81,7 @@
    - name: HPE GPG key is installed
      copy:
        src: hpePublicKey2048_key1.asc
-        dest: /etc/apt/trusted.gpg.d/hpePublicKey2048_key1.asc
+        dest: "{{ apt_keyring_dir }}/hpePublicKey2048_key1.asc"
        force: yes
        mode: "0644"
        owner: root
@ -91,7 +91,7 @@

    - name: Add HPE repository
      apt_repository:
-        repo: 'deb https://downloads.linux.hpe.com/SDR/repo/mcp {{ ansible_distribution_release }}/current non-free'
+        repo: 'deb [signed-by={{ apt_keyring_dir }}/hpePublicKey2048_key1.asc] https://downloads.linux.hpe.com/SDR/repo/mcp {{ ansible_distribution_release }}/current non-free'
        state: present
      tags:
        - packages
@ -208,7 +208,7 @@
    - name: HWRaid GPG key is installed
      copy:
        src: hwraid.le-vert.net.asc
-        dest: /etc/apt/trusted.gpg.d/hwraid.le-vert.net.asc
+        dest: "{{ apt_keyring_dir }}/hwraid.le-vert.net.asc"
        force: yes
        mode: "0644"
        owner: root
@ -219,7 +219,7 @@

    - name: Add HW tool repository
      apt_repository:
-        repo: 'deb http://hwraid.le-vert.net/debian {{ ansible_distribution_release }} main'
+        repo: 'deb [signed-by={{ apt_keyring_dir }}/hwraid.le-vert.net.asc] http://hwraid.le-vert.net/debian {{ ansible_distribution_release }} main'
        state: present
      tags:
        - packages
--- a/filebeat/defaults/main.yml
+++ b/filebeat/defaults/main.yml
@ -22,3 +22,5 @@ filebeat_use_config_template: False
 filebeat_update_config: True
 filebeat_force_config: True
 filebeat_upgrade_package: False
+
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
--- a/filebeat/tasks/main.yml
+++ b/filebeat/tasks/main.yml
@ -29,7 +29,7 @@
 - name: Elastic GPG key is installed
  copy:
    src: elastic.asc
-    dest: /etc/apt/trusted.gpg.d/elastic.asc
+    dest: "{{ apt_keyring_dir }}/elastic.asc"
    force: yes
    mode: "0644"
    owner: root
@ -40,7 +40,7 @@

 - name: Elastic sources list is available
  apt_repository:
-    repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
+    repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
    filename: elastic
    state: present
    update_cache: yes
--- a/fluentd/defaults/main.yml
+++ b/fluentd/defaults/main.yml
@ -10,3 +10,5 @@ fluentd_host_port:

 fluentd_flush_interval:
 fluentd_heartbeat_type:
+
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
--- a/fluentd/tasks/main.yml
+++ b/fluentd/tasks/main.yml
@ -21,7 +21,7 @@
 - name: Add Fluentd GPG key
  copy:
    src: fluentd.asc
-    dest: /etc/apt/trusted.gpg.d/fluentd.asc
+    dest: "{{ apt_keyring_dir }}/fluentd.asc"
    force: yes
    mode: "0644"
    owner: root
@ -32,7 +32,7 @@

 - name: Fluentd sources list is available
  apt_repository:
-    repo: "deb http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ {{ ansible_distribution_release }} contrib"
+    repo: "deb [signed-by={{ apt_keyring_dir }}/fluentd.asc] http://packages.treasuredata.com/3/debian/{{ ansible_distribution_release }}/ {{ ansible_distribution_release }} contrib"
    filename: treasuredata
    update_cache: yes
    state: present
--- a/jenkins/defaults/main.yml
+++ b/jenkins/defaults/main.yml
@ -0,0 +1,3 @@
+---
+
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
--- a/jenkins/tasks/main.yml
+++ b/jenkins/tasks/main.yml
@ -20,7 +20,7 @@
 - name: Add Jenkins GPG key
  copy:
    src: jenkins.asc
-    dest: /etc/apt/trusted.gpg.d/jenkins.asc
+    dest: "{{ apt_keyring_dir }}/jenkins.asc"
    force: yes
    mode: "0644"
    owner: root
@ -28,7 +28,7 @@

 - name: Add jenkins APT repository
  apt_repository:
-    repo: deb http://pkg.jenkins-ci.org/debian-stable binary/
+    repo: deb [signed-by={{ apt_keyring_dir }}/jenkins.asc] http://pkg.jenkins-ci.org/debian-stable binary/
    filename: jenkins
    update_cache: yes

--- a/kibana/defaults/main.yml
+++ b/kibana/defaults/main.yml
@ -9,3 +9,5 @@ kibana_proxy_nginx: False
 kibana_proxy_domain: "kibana.{{ ansible_fqdn }}"
 kibana_proxy_ssl_cert: "/etc/ssl/certs/{{ ansible_fqdn }}.crt"
 kibana_proxy_ssl_key: "/etc/ssl/private/{{ ansible_fqdn }}.key"
+
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
--- a/kibana/tasks/main.yml
+++ b/kibana/tasks/main.yml
@ -29,7 +29,7 @@
 - name: Elastic GPG key is installed
  copy:
    src: elastic.asc
-    dest: /etc/apt/trusted.gpg.d/elastic.asc
+    dest: "{{ apt_keyring_dir }}/elastic.asc"
    force: yes
    mode: "0644"
    owner: root
@ -40,7 +40,7 @@

 - name: Elastic sources list is available
  apt_repository:
-    repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
+    repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
    filename: elastic
    state: present
    update_cache: yes
--- a/logstash/defaults/main.yml
+++ b/logstash/defaults/main.yml
@ -7,4 +7,6 @@ logstash_log_rotate_days: 365
 logstash_custom_tmpdir: Null
 logstash_default_tmpdir: /var/lib/logstash/tmp
 logstash_log_syslog_enabled: True
-logstash_config_force: True
+logstash_config_force: True
+
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
--- a/logstash/tasks/main.yml
+++ b/logstash/tasks/main.yml
@ -29,7 +29,7 @@
 - name: Elastic GPG key is installed
  copy:
    src: elastic.asc
-    dest: /etc/apt/trusted.gpg.d/elastic.asc
+    dest: "{{ apt_keyring_dir }}/elastic.asc"
    force: yes
    mode: "0644"
    owner: root
@ -40,7 +40,7 @@

 - name: Elastic sources list is available
  apt_repository:
-    repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
+    repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
    filename: elastic
    state: present
    update_cache: yes
--- a/lxc-php/defaults/main.yml
+++ b/lxc-php/defaults/main.yml
@ -30,4 +30,4 @@ lxc_php_services:
  php80: 'php8.0-fpm.service'
  php81: 'php8.1-fpm.service'

-
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
--- a/lxc-php/tasks/php80.yml
+++ b/lxc-php/tasks/php80.yml
@ -19,13 +19,13 @@
    create: yes
    mode: "0644"
  loop:
-    - "deb https://packages.sury.org/php/ bullseye main"
-    - "deb http://pub.evolix.net/ bullseye-php80/"
+    - "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ bullseye main"
+    - "deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ bullseye-php80/"

 - name: copy pub.evolix.net GPG key
  copy:
    src: reg.asc
-    dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/trusted.gpg.d/reg.asc
+    dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/reg.asc
    mode: "0644"
    owner: root
    group: root
@ -33,7 +33,7 @@
 - name: copy packages.sury.org GPG Key
  copy:
    src: sury.gpg
-    dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/trusted.gpg.d/sury.gpg
+    dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/sury.gpg
    mode: "0644"
    owner: root
    group: root
--- a/lxc-php/tasks/php81.yml
+++ b/lxc-php/tasks/php81.yml
@ -19,13 +19,13 @@
    create: yes
    mode: "0644"
  loop:
-    - "deb https://packages.sury.org/php/ bullseye main"
-    - "deb http://pub.evolix.net/ bullseye-php81/"
+    - "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ bullseye main"
+    - "deb [signed-by={{ apt_keyring_dir }}/reg.asc] http://pub.evolix.net/ bullseye-php81/"

 - name: copy pub.evolix.net GPG key
  copy:
    src: reg.asc
-    dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/trusted.gpg.d/reg.asc
+    dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/reg.asc
    mode: "0644"
    owner: root
    group: root
@ -33,7 +33,7 @@
 - name: copy packages.sury.org GPG Key
  copy:
    src: sury.gpg
-    dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs/etc/apt/trusted.gpg.d/sury.gpg
+    dest: /var/lib/lxc/{{ lxc_php_version }}/rootfs{{ apt_keyring_dir }}/sury.gpg
    mode: "0644"
    owner: root
    group: root
--- a/metricbeat/defaults/main.yml
+++ b/metricbeat/defaults/main.yml
@ -28,3 +28,5 @@ metricbeat_tags: Null
 # metricbeat_fields:
 #   - "env: staging"
 metricbeat_fields: Null
+
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
--- a/metricbeat/tasks/main.yml
+++ b/metricbeat/tasks/main.yml
@ -29,7 +29,7 @@
 - name: Elastic GPG key is installed
  copy:
    src: elastic.asc
-    dest: /etc/apt/trusted.gpg.d/elastic.asc
+    dest: "{{ apt_keyring_dir }}/elastic.asc"
    force: yes
    mode: "0644"
    owner: root
@ -40,7 +40,7 @@

 - name: Elastic sources list is available
  apt_repository:
-    repo: "deb https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
+    repo: "deb [signed-by={{ apt_keyring_dir }}/elastic.asc] https://artifacts.elastic.co/packages/{{ elastic_stack_version | mandatory }}/apt stable main"
    filename: elastic
    state: present
    update_cache: yes
--- a/mongodb/defaults/main.yml
+++ b/mongodb/defaults/main.yml
@ -7,4 +7,6 @@ mongodb_bind: 127.0.0.1
 # otherwise it can disable important settings, like authorization :/
 mongodb_force_config: False

-mongodb_version: 4.4
+mongodb_version: 4.4
+
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
--- a/mongodb/tasks/main_bullseye.yml
+++ b/mongodb/tasks/main_bullseye.yml
@ -21,7 +21,7 @@
 - name: Add MongoDB GPG key
  copy:
    src: "server-{{mongodb_version}}.asc"
-    dest: "/etc/apt/trusted.gpg.d/mongodb-server-{{mongodb_version}}.asc"
+    dest: "{{ apt_keyring_dir }}/mongodb-server-{{mongodb_version}}.asc"
    force: yes
    mode: "0644"
    owner: root
@ -29,7 +29,7 @@

 - name: enable APT sources list
  apt_repository:
-    repo: "deb http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{mongodb_version}} main"
+    repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{mongodb_version}}.asc] http://repo.mongodb.org/apt/debian bullseye/mongodb-org/{{mongodb_version}} main"
    state: present
    filename: "mongodb-org-{{mongodb_version}}"
    update_cache: yes
--- a/mongodb/tasks/main_buster.yml
+++ b/mongodb/tasks/main_buster.yml
@ -15,7 +15,7 @@
 - name: Add MongoDB GPG key
  copy:
    src: "server-{{mongodb_version}}.asc"
-    dest: "/etc/apt/trusted.gpg.d/mongodb-server-{{mongodb_version}}.asc"
+    dest: "{{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc"
    force: yes
    mode: "0644"
    owner: root
@ -23,7 +23,7 @@

 - name: enable APT sources list
  apt_repository:
-    repo: "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/{{mongodb_version}} main"
+    repo: "deb [signed-by={{ apt_keyring_dir }}/mongodb-server-{{ mongodb_version }}.asc] http://repo.mongodb.org/apt/debian buster/mongodb-org/{{ mongodb_version }} main"
    state: present
    filename: "mongodb-org-{{mongodb_version}}"
    update_cache: yes
--- a/mysql/tasks/main.yml
+++ b/mysql/tasks/main.yml
@ -4,44 +4,44 @@
  set_fact:
    mysql_restart_handler_name: "{{ mysql_restart_if_needed | bool | ternary('restart mysql', 'restart mysql (noop)') }}"

- include: packages_stretch.yml
+- include_tasks: packages_stretch.yml
  when: ansible_distribution_major_version is version('9', '>=')

- include: packages_jessie.yml
+- include_tasks: packages_jessie.yml
  when: ansible_distribution_release == "jessie"

-## There is nothing to do with users on Debian 11 - yet we need a /root/.my.cnf for compatibility
- include: users_bullseye.yml
-  when: ansible_distribution_release == "bullseye"
+## There is nothing to do with users on Debian 11+ - yet we need a /root/.my.cnf for compatibility
+- include_tasks: users_bullseye.yml
+  when: ansible_distribution_major_version is version('11', '>=')

- include: users_buster.yml
+- include_tasks: users_buster.yml
  when: ansible_distribution_release == "buster"

- include: users_stretch.yml
+- include_tasks: users_stretch.yml
  when: ansible_distribution_release == "stretch"

- include: users_jessie.yml
+- include_tasks: users_jessie.yml
  when: ansible_distribution_release == "jessie"

- include: config_stretch.yml
+- include_tasks: config_stretch.yml
  when: ansible_distribution_major_version is version('9', '>=')

- include: config_jessie.yml
+- include_tasks: config_jessie.yml
  when: ansible_distribution_release == "jessie"

- include: replication.yml
+- include_tasks: replication.yml
  when: mysql_replication | bool

- include: datadir.yml
+- include_tasks: datadir.yml

- include: logdir.yml
+- include_tasks: logdir.yml

- include: tmpdir.yml
+- include_tasks: tmpdir.yml

- include: nrpe.yml
+- include_tasks: nrpe.yml

- include: munin.yml
+- include_tasks: munin.yml

- include: log2mail.yml
+- include_tasks: log2mail.yml

- include: utils.yml
+- include_tasks: utils.yml
--- a/mysql/tasks/utils.yml
+++ b/mysql/tasks/utils.yml
@ -17,7 +17,7 @@

 # mytop

- name: "Install mytop (Debian 9)"
+- name: "Install mytop (Debian 8)"
  apt:
    name: mytop
    state: present
@ -43,14 +43,23 @@
      - libterm-readkey-perl
  when: ansible_distribution_release == "buster"

- name: "Install dependencies for mytop (Debian 11 or later)"
+- name: "Install dependencies for mytop (Debian 11)"
  apt:
    name:
      - mariadb-client-10.5
      - libconfig-inifiles-perl
      - libterm-readkey-perl
      - libdbd-mariadb-perl
-  when: ansible_distribution_major_version is version('11', '>=')
+  when: ansible_distribution_release == "bullseye"
+
+- name: "Install dependencies for mytop (Debian 12 or later)"
+  apt:
+    name:
+      - mariadb-client-10.6
+      - libconfig-inifiles-perl
+      - libterm-readkey-perl
+      - libdbd-mariadb-perl
+  when: ansible_distribution_major_version is version('12', '=')

 - name: Read debian-sys-maint password (Debian < 11)
  shell: 'cat /etc/mysql/debian.cnf | grep -m1 "password = .*" | cut -d" " -f3'
--- a/newrelic/defaults/main.yml
+++ b/newrelic/defaults/main.yml
@ -5,3 +5,5 @@ newrelic_php: False

 newrelic_license: ""
 newrelic_appname: ""
+
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
--- a/newrelic/tasks/sources.yml
+++ b/newrelic/tasks/sources.yml
@ -15,7 +15,7 @@
 - name: Add NewRelic GPG key
  copy:
    src: newrelic.asc
-    dest: /etc/apt/trusted.gpg.d/newrelic.asc
+    dest: "{{ apt_keyring_dir }}/newrelic.asc"
    force: yes
    mode: "0644"
    owner: root
@ -23,7 +23,7 @@

 - name: Install NewRelic repository
  apt_repository:
-    repo: "deb http://apt.newrelic.com/debian/ newrelic non-free"
+    repo: "deb [signed-by={{ apt_keyring_dir }}/newrelic.asc] http://apt.newrelic.com/debian/ newrelic non-free"
    state: present
    filename: newrelic
    update_cache: yes
--- a/nodejs/defaults/main.yml
+++ b/nodejs/defaults/main.yml
@ -4,3 +4,5 @@
 nodejs_apt_version: 'node_16.x'

 nodejs_install_yarn: False
+
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
--- a/nodejs/tasks/main.yml
+++ b/nodejs/tasks/main.yml
@ -32,7 +32,7 @@
 - name: NodeJS GPG key is installed
  copy:
    src: nodesource.asc
-    dest: /etc/apt/trusted.gpg.d/nodesource.asc
+    dest: "{{ apt_keyring_dir }}/nodesource.asc"
    mode: "0644"
    owner: root
    group: root
@ -43,7 +43,7 @@

 - name: NodeJS sources list ({{ nodejs_apt_version }}) is available
  apt_repository:
-    repo: "deb https://deb.nodesource.com/{{ nodejs_apt_version }} {{ ansible_distribution_release }} main"
+    repo: "deb [signed-by={{ apt_keyring_dir }}/nodesource.asc] https://deb.nodesource.com/{{ nodejs_apt_version }} {{ ansible_distribution_release }} main"
    filename: nodesource
    update_cache: yes
    state: present
--- a/nodejs/tasks/yarn.yml
+++ b/nodejs/tasks/yarn.yml
@ -25,7 +25,7 @@
 - name: Yarn GPG key is installed
  copy:
    src: yarn.asc
-    dest: /etc/apt/trusted.gpg.d/yarn.asc
+    dest: "{{ apt_keyring_dir }}/yarn.asc"
    mode: "0644"
    owner: root
    group: root
@ -37,7 +37,7 @@

 - name: Yarn sources list is available
  apt_repository:
-    repo: "deb https://dl.yarnpkg.com/debian/ stable main"
+    repo: "deb [signed-by={{ apt_keyring_dir }}/yarn.asc] https://dl.yarnpkg.com/debian/ stable main"
    filename: yarn
    update_cache: yes
    state: present
--- a/packweb-apache/meta/main.yml
+++ b/packweb-apache/meta/main.yml
@ -26,18 +26,5 @@ galaxy_info:

 allow_duplicates: true

-dependencies:
-  - { role: evolix/apache }
-  - { role: evolix/php, php_apache_enable: True, when: packweb_apache_modphp }
-  - { role: evolix/php, php_fpm_enable: True, when: packweb_apache_fpm }
-  - { role: evolix/squid, squid_localproxy_enable: True }
-  - { role: evolix/mysql,        when: packweb_mysql_variant == "debian" }
-  - { role: evolix/mysql-oracle, when: packweb_mysql_variant == "oracle" }
-  - { role: evolix/lxc-php, lxc_php_version: php56, lxc_php_create_mysql_link: True, when: "'php56' in packweb_multiphp_versions" }
-  - { role: evolix/lxc-php, lxc_php_version: php70, lxc_php_create_mysql_link: True, when: "'php70' in packweb_multiphp_versions" }
-  - { role: evolix/lxc-php, lxc_php_version: php73, lxc_php_create_mysql_link: True, when: "'php73' in packweb_multiphp_versions" }
-  - { role: evolix/lxc-php, lxc_php_version: php74, lxc_php_create_mysql_link: True, when: "'php74' in packweb_multiphp_versions" }
-  - { role: evolix/lxc-php, lxc_php_version: php80, lxc_php_create_mysql_link: True, when: "'php80' in packweb_multiphp_versions" }
-  - { role: evolix/lxc-php, lxc_php_version: php81, lxc_php_create_mysql_link: True, when: "'php81' in packweb_multiphp_versions" }
-  - { role: evolix/webapps/evoadmin-web, evoadmin_enable_vhost: "{{ packweb_enable_evoadmin_vhost }}", evoadmin_multiphp_versions: "{{ packweb_multiphp_versions }}" }
-  - { role: evolix/evoacme }
+dependencies: []
+
--- a/packweb-apache/tasks/apache.yml
+++ b/packweb-apache/tasks/apache.yml
@ -33,6 +33,7 @@
    - include
    - negotiation
    - alias
+    - log_forensic

 - name: Copy Apache settings for modules
  copy:
--- a/packweb-apache/tasks/dependencies.yml
+++ b/packweb-apache/tasks/dependencies.yml
@ -0,0 +1,80 @@
+---
+
+- import_role:
+    name: evolix/apache
+
+- import_role:
+    name: evolix/php
+  vars:
+    php_apache_enable: True
+  when: packweb_apache_modphp
+
+- import_role:
+    name: evolix/php
+  vars:
+    php_fpm_enable: True
+  when: packweb_apache_fpm
+
+- import_role:
+    name: evolix/squid
+  vars:
+    squid_localproxy_enable: True
+
+- import_role:
+    name: evolix/mysql
+  when: packweb_mysql_variant == "debian"
+
+- import_role:
+    name: evolix/mysql-oracle
+  when: packweb_mysql_variant == "oracle"
+
+- import_role:
+    name: evolix/lxc-php
+  vars:
+    lxc_php_version: php56
+    lxc_php_create_mysql_link: True
+  when: "'php56' in packweb_multiphp_versions"
+
+- import_role:
+    name: evolix/lxc-php
+  vars:
+    lxc_php_version: php70
+    lxc_php_create_mysql_link: True
+  when: "'php70' in packweb_multiphp_versions"
+
+- import_role:
+    name: evolix/lxc-php
+  vars:
+    lxc_php_version: php73
+    lxc_php_create_mysql_link: True
+  when: "'php73' in packweb_multiphp_versions"
+
+- import_role:
+    name: evolix/lxc-php
+  vars:
+    lxc_php_version: php74
+    lxc_php_create_mysql_link: True
+  when: "'php74' in packweb_multiphp_versions"
+
+- import_role:
+    name: evolix/lxc-php
+  vars:
+    lxc_php_version: php80
+    lxc_php_create_mysql_link: True
+  when: "'php80' in packweb_multiphp_versions"
+
+- import_role:
+    name: evolix/lxc-php
+  vars:
+    lxc_php_version: php81
+    lxc_php_create_mysql_link: True
+  when: "'php81' in packweb_multiphp_versions"
+
+- import_role:
+    name: evolix/webapps/evoadmin-web
+  vars:
+    evoadmin_enable_vhost: "{{ packweb_enable_evoadmin_vhost }}"
+    evoadmin_multiphp_versions: "{{ packweb_multiphp_versions }}"
+
+- import_role:
+    name: evolix/evoacme
--- a/packweb-apache/tasks/main.yml
+++ b/packweb-apache/tasks/main.yml
@ -1,5 +1,8 @@
 ---

+- name: Dependencies are satisfied
+  include_tasks: dependencies.yml
+
 - fail:
    msg: only compatible with Debian >= 8
  when:
--- a/percona/defaults/main.yml
+++ b/percona/defaults/main.yml
@ -2,3 +2,5 @@

 percona__install_xtrabackup: True
 percona__xtrabackup_package_name: percona-xtrabackup-24
+
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
--- a/percona/tasks/main.yml
+++ b/percona/tasks/main.yml
@ -18,7 +18,7 @@
 - name: Add Percona GPG key
  copy:
    src: percona.asc
-    dest: /etc/apt/trusted.gpg.d/percona.asc
+    dest: "{{ apt_keyring_dir }}/percona.asc"
    force: yes
    mode: "0644"
    owner: root
--- a/php/defaults/main.yml
+++ b/php/defaults/main.yml
@ -8,3 +8,5 @@ php_symfony_requirements: False
 php_modules_mysqlnd: False

 php_fpm_remove_default_pool: False
+
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
--- a/php/handlers/main.yml
+++ b/php/handlers/main.yml
@ -19,3 +19,8 @@
  service:
    name: php7.4-fpm
    state: restarted
+
+- name: restart php8.1-fpm
+  service:
+    name: php8.1-fpm
+    state: restarted
--- a/php/tasks/main.yml
+++ b/php/tasks/main.yml
@ -4,17 +4,20 @@
    that:
      - ansible_distribution == "Debian"
      - ansible_distribution_major_version is version('8', '>=')
-      - ansible_distribution_major_version is version('11', '<=')
-    msg: This is only compatible with Debian 8 → 11
+      - ansible_distribution_major_version is version('12', '<=')
+    msg: This is only compatible with Debian 8 → 12

- include: main_jessie.yml
+- include_tasks: main_jessie.yml
  when: ansible_distribution_release == "jessie"

- include: main_stretch.yml
+- include_tasks: main_stretch.yml
  when: ansible_distribution_release == "stretch"

- include: main_buster.yml
+- include_tasks: main_buster.yml
  when: ansible_distribution_release == "buster"

- include: main_bullseye.yml
+- include_tasks: main_bullseye.yml
  when: ansible_distribution_release == "bullseye"
+
+- include_tasks: main_bookworm.yml
+  when: ansible_distribution_release == "bookworm"
--- a/php/tasks/main_bookworm.yml
+++ b/php/tasks/main_bookworm.yml
@ -0,0 +1,108 @@
+---
+
+- name: "Set php version to 8.1 (Debian 12)"
+  set_fact:
+    php_version: "8.1"
+
+- name: "Set php config directories (Debian 12)"
+  set_fact:
+    php_cli_conf_dir: "/etc/php/{{ php_version }}/cli/conf.d"
+    php_apache_conf_dir: "/etc/php/{{ php_version }}/apache2/conf.d"
+    php_fpm_conf_dir: "/etc/php/{{ php_version }}/fpm/conf.d"
+    php_fpm_pool_dir: "/etc/php/{{ php_version }}/fpm/pool.d"
+
+- name: "Set php config files (Debian 12)"
+  set_fact:
+    php_cli_defaults_ini_file: "{{ php_cli_conf_dir }}/z-evolinux-defaults.ini"
+    php_cli_custom_ini_file: "{{ php_cli_conf_dir }}/zzz-evolinux-custom.ini"
+    php_apache_defaults_ini_file: "{{ php_apache_conf_dir }}/z-evolinux-defaults.ini"
+    php_apache_custom_ini_file: "{{ php_apache_conf_dir }}/zzz-evolinux-custom.ini"
+    php_fpm_defaults_ini_file: "{{ php_fpm_conf_dir }}/z-evolinux-defaults.ini"
+    php_fpm_custom_ini_file: "{{ php_fpm_conf_dir }}/zzz-evolinux-custom.ini"
+    php_fpm_debian_default_pool_file: "{{ php_fpm_pool_dir}}/www.conf"
+    php_fpm_default_pool_file: "{{ php_fpm_pool_dir}}/www-evolinux-defaults.conf"
+    php_fpm_default_pool_custom_file: "{{ php_fpm_pool_dir}}/www-evolinux-zcustom.conf"
+    php_fpm_default_pool_socket: "/var/run/php/php{{ php_version }}-fpm.sock"
+    php_fpm_service_name: "php{{ php_version }}-fpm"
+
+# Packages
+
+- name: "Set package list (Debian 12)"
+  set_fact:
+    php_stretch_packages:
+      - php-cli
+      - php-gd
+      - php-intl
+      - php-imap
+      - php-ldap
+      - php-mysql
+      # php-mcrypt is no longer packaged for PHP 7.2
+      - php-pgsql
+      - php-sqlite3
+      - php-curl
+      - php-ssh2
+      - php-xml
+      - php-zip
+      - composer
+      - libphp-phpmailer
+
+- include: sury_pre.yml
+  when: php_sury_enable
+
+- name: "Install PHP packages (Debian 12)"
+  apt:
+    name: '{{ php_stretch_packages }}'
+    state: present
+
+- name: "Install mod_php packages (Debian 12)"
+  apt:
+    name:
+      - libapache2-mod-php
+      - php
+    state: present
+  when: php_apache_enable
+
+- name: "Install PHP FPM packages (Debian 12)"
+  apt:
+    name:
+      - php-fpm
+      - php
+    state: present
+  when: php_fpm_enable
+
+# Configuration
+
+- name: "Enforce permissions on PHP directory (Debian 12)"
+  file:
+    dest: "{{ item }}"
+    mode: "0755"
+  with_items:
+    - /etc/php
+    - /etc/php/{{ php_version }}
+
+- include: config_cli.yml
+- name: "Enforce permissions on PHP cli directory (Debian 12)"
+  file:
+    dest: /etc/php/{{ php_version }}/cli
+    mode: "0755"
+
+- include: config_fpm.yml
+  when: php_fpm_enable
+
+- name: "Enforce permissions on PHP fpm directory (Debian 12)"
+  file:
+    dest: /etc/php/{{ php_version }}/fpm
+    mode: "0755"
+  when: php_fpm_enable
+
+- include: config_apache.yml
+  when: php_apache_enable
+
+- name: "Enforce permissions on PHP apache2 directory (Debian 12)"
+  file:
+    dest: /etc/php/{{ php_version }}/apache2
+    mode: "0755"
+  when: php_apache_enable
+
+- include: sury_post.yml
+  when: php_sury_enable
--- a/php/tasks/sury_pre.yml
+++ b/php/tasks/sury_pre.yml
@ -3,7 +3,7 @@
 - name: Setup deb.sury.org repository - Add GPG key
  copy:
    src: sury.gpg
-    dest: /etc/apt/trusted.gpg.d/sury.gpg
+    dest: "{{ apt_keyring_dir }}/sury.gpg"
    mode: "0644"
    owner: root
    group: root
@ -20,7 +20,7 @@

 - name: Setup deb.sury.org repository - Add source list
  apt_repository:
-    repo: "deb https://packages.sury.org/php/ {{ ansible_distribution_release }} main"
+    repo: "deb [signed-by={{ apt_keyring_dir }}/sury.gpg] https://packages.sury.org/php/ {{ ansible_distribution_release }} main"
    filename: sury
    state: present

--- a/postgresql/defaults/main.yml
+++ b/postgresql/defaults/main.yml
@ -20,3 +20,5 @@ locales_default: fr_FR.UTF-8

 # PostGIS
 postgresql_install_postgis: False
+
+apt_keyring_dir: "{{ ansible_distribution_major_version is version('12', '<') | ternary('/etc/apt/trusted.gpg.d', '/etc/apt/keyrings') }}"
--- a/postgresql/tasks/packages_bookworm.yml
+++ b/postgresql/tasks/packages_bookworm.yml
@ -0,0 +1,16 @@
+---
+  
+- name: "Set variables (Debian 12)"
+  set_fact:
+    postgresql_version: '15'
+  when: postgresql_version is none or postgresql_version | length == 0
+
+- include: pgdg-repo.yml
+  when: postgresql_version != '15'
+
+- name: Install postgresql package
+  apt:
+    name:
+      - "postgresql-{{postgresql_version}}"
+      - pgtop
+      - libdbd-pg-perl
--- a/postgresql/tasks/pgdg-repo.yml
+++ b/postgresql/tasks/pgdg-repo.yml
@ -23,7 +23,7 @@
 - name: Add PGDG GPG key
  copy:
    src: postgresql.asc
-    dest: /etc/apt/trusted.gpg.d/postgresql.asc
+    dest: "{{ apt_keyring_dir }}/postgresql.asc"
    force: yes
    mode: "0644"
    owner: root
@ -31,7 +31,7 @@

 - name: Add PGDG repository
  apt_repository:
-    repo: "deb http://apt.postgresql.org/pub/repos/apt/ {{ansible_distribution_release}}-pgdg main"
+    repo: "deb [signed-by={{ apt_keyring_dir }}/postgresql.asc] http://apt.postgresql.org/pub/repos/apt/ {{ansible_distribution_release}}-pgdg main"
    update_cache: yes

 - name: Add APT preference file
--- a/rabbitmq/tasks/nrpe.yml
+++ b/rabbitmq/tasks/nrpe.yml
@ -34,7 +34,7 @@
    group: root
    mode: "0755"
    force: yes
-  when: ansible_distribution_major_version is version('11', '==')
+  when: ansible_distribution_major_version is version('11', '>=')

 - name: check_rabbitmq is available for NRPE
  lineinfile:
--- a/webapps/evoadmin-web/tasks/packages.yml
+++ b/webapps/evoadmin-web/tasks/packages.yml
@ -17,6 +17,14 @@
    - 'http://mirror.evolix.org/debian/pool/main/p/php-log/php-log_1.12.9-2_all.deb'
  when: ansible_distribution_major_version is version('10', '=')

+- name: Install PHP packages from sid (Debian 12)
+  apt:
+    deb: '{{ item }}'
+    state: present
+  loop:
+    - 'http://mirror.evolix.org/debian/pool/main/p/php-log/php-log_1.13.2-1_all.deb'
+  when: ansible_distribution_major_version is version('12', '=')
+
 - name: Install PHP packages
  apt:
    name:
--- a/webapps/evoadmin-web/tasks/web.yml
+++ b/webapps/evoadmin-web/tasks/web.yml
@ -16,7 +16,7 @@
    option: "disable_functions"
    value: "shell-exec,system,passthru,putenv,popen"
  notify: reload apache2
-  when: ansible_distribution_major_version is version('9', '=')
+  when: ansible_distribution_release == "stretch"

 - name: "Set custom values for PHP config (Debian 10)"
  ini_file:
@ -25,7 +25,7 @@
    option: "disable_functions"
    value: "shell-exec,system,passthru,putenv,popen"
  notify: reload apache2
-  when: ansible_distribution_major_version is version('10', '=')
+  when: ansible_distribution_release == "buster"

 - name: "Set custom values for PHP config (Debian 11)"
  ini_file:
@ -34,7 +34,16 @@
    option: "disable_functions"
    value: "shell-exec,system,passthru,putenv,popen"
  notify: reload apache2
-  when: ansible_distribution_major_version is version('11', '=')
+  when: ansible_distribution_release == "bullseye"
+
+- name: "Set custom values for PHP config (Debian 11)"
+  ini_file:
+    dest: /etc/php/8.1/apache2/conf.d/zzz-evolinux-custom.ini
+    section: PHP
+    option: "disable_functions"
+    value: "shell-exec,system,passthru,putenv,popen"
+  notify: reload apache2
+  when: ansible_distribution_release == "bookworm"

 - name: Install evoadmin VHost
  template: