Merge branch 'unstable' into stable

The script required few changes to adapt to the new output of lscpu & usage of lspci

lscpu
- Multiple Vendor ID fields (CPU & Bios) > We keep the first one tied to the CPU info
- No more CPU Speed displayed for virtual machines. We guess the CPU Speed with the CPU Name (Thanks intel puting it in the CPU Name). But that's not going to work with AMD CPUs. An alternative would be to have a peek at /proc/cpu

lspci
- Remove the "0x" prefix as it seems invalid with lscpi version on Debian 12. On older debian, vendor/device id are accepted with or without the "0x" prefix

CHANGELOG.md

@@ -21,6 +21,24 @@ The **patch** part changes is incremented if multiple releases happen the same m
 
 ### Security
 
+## [23.04] 2023-04-23
+
+### Added
+
+* graylog: new role
+* lxc-php: add support for PHP 8.2 container
+
+### Changed
+
+* Use FQCN (Fully Qualified Collection Name)
+* apt: with Debian 12, backports are installed but disabled by default
+* openvpn: updated the README file
+* pgbouncer: add handler to restart the service
+
+### Fixed
+
+* generate-ldif: Support for Debian 12
+
 ## [23.03.1] 2023-03-16
 
 ### Added

amavis/handlers/main.yml

@@ -1,5 +1,5 @@
 ---
 - name: restart amavis
-  service:
+  ansible.builtin.service:
     name: amavis
     state: restarted

amavis/tasks/main.yml

@@ -1,6 +1,6 @@
 ---
 - name: install Amavis
-  apt:
+  ansible.builtin.apt:
     name:
       - postgrey
       - amavisd-new
@@ -9,7 +9,7 @@
   - amavis
 
 - name: configure Amavis
-  template:
+  ansible.builtin.template:
     src: amavis.conf.j2
     dest: /etc/amavis/conf.d/49-evolinux-defaults
     mode: "0644"

amazon-ec2/amazon-ec2-evolinux.yml

@@ -9,10 +9,10 @@
     aws_region: ca-central-1
 
   tasks:
-    - include_role:
+    - ansible.builtin.include_role:
         name: evolix/amazon-ec2
         tasks_from: setup.yml
-    - include_role:
+    - ansible.builtin.include_role:
         name: evolix/amazon-ec2
         tasks_from: create-instance.yml
 
@@ -51,7 +51,7 @@
   - mysql
 
   post_tasks:
-  - include_role:
+  - ansible.builtin.include_role:
       name: evolix/etc-git
       tasks_from: commit.yml
     vars:

amazon-ec2/tasks/create-instance.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: Launch new instance(s)
-  ec2:
+  amazon.aws.ec2:
     state: present
     aws_access_key: "{{ aws_access_key }}"
     aws_secret_key: "{{ aws_secret_key }}"
@@ -16,19 +16,19 @@
   register: ec2
 
 - name: Add newly created instance(s) to inventory
-  add_host:
+  ansible.builtin.add_host:
     hostname: "{{ item.public_dns_name }}"
     groupname: launched-instances
     ansible_user: admin
     ansible_ssh_common_args: "-o StrictHostKeyChecking=no"
   loop: "{{ ec2.instances }}"
 
-- debug:
+- ansible.builtin.debug:
     msg: "Your newly created instance is reachable at: {{ item.public_dns_name }}"
   loop: "{{ ec2.instances }}"
 
 - name: Wait for SSH to come up on all instances (give up after 2m)
-  wait_for:
+  ansible.builtin.wait_for:
     state: started
     host: "{{ item.public_dns_name }}"
     port: 22

amazon-ec2/tasks/post-install.yml

@@ -1,5 +1,5 @@
 ---
 - name: Remove admin user
-  user:
+  ansible.builtin.user:
     name: admin
     state: absent

amazon-ec2/tasks/setup.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: Create default security group
-  ec2_group:
+  amazon.aws.ec2_group:
     name: "{{ ec2_security_group.name }}"
     state: present
     aws_access_key: "{{ aws_access_key }}"
@@ -12,7 +12,7 @@
     rules_egress: "{{ ec2_security_group.rules_egress }}"
 
 - name: Create key pair
-  ec2_key:
+  amazon.aws.ec2_key:
     name: "{{ ec2_keyname }}"
     state: present
     aws_access_key: "{{ aws_access_key }}"

apache/handlers/main.yml

@@ -1,15 +1,15 @@
 ---
 - name: restart apache
-  service:
+  ansible.builtin.service:
     name: apache2
     state: restarted
 
 - name: reload apache
-  service:
+  ansible.builtin.service:
     name: apache2
     state: reloaded
 
 - name: restart munin-node
-  service:
+  ansible.builtin.service:
     name: munin-node
     state: restarted

apache/tasks/auth.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: Init ipaddr_whitelist.conf file
-  copy:
+  ansible.builtin.copy:
     src: ipaddr_whitelist.conf
     dest: /etc/apache2/ipaddr_whitelist.conf
     owner: root
@@ -12,10 +12,10 @@
     - apache
 
 - name: Load IP whitelist task
-  include: ip_whitelist.yml
+  ansible.builtin.import_tasks: ip_whitelist.yml
 
 - name: include private IP whitelist for server-status
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/apache2/mods-available/status.conf
     line: "        include /etc/apache2/ipaddr_whitelist.conf"
     insertafter: 'SetHandler server-status'
@@ -24,7 +24,7 @@
     - apache
 
 - name: Copy private_htpasswd
-  copy:
+  ansible.builtin.copy:
     src: private_htpasswd
     dest: /etc/apache2/private_htpasswd
     owner: root
@@ -36,7 +36,7 @@
     - apache
 
 - name: add user:pwd to private htpasswd
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/apache2/private_htpasswd
     line: "{{ item }}"
     state: present
@@ -46,7 +46,7 @@
     - apache
 
 - name: remove user:pwd from private htpasswd
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/apache2/private_htpasswd
     line: "{{ item }}"
     state: absent

apache/tasks/ip_whitelist.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: add IP addresses to private IP whitelist
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/apache2/ipaddr_whitelist.conf
     line: "Require ip {{ item }}"
     state: present
@@ -12,7 +12,7 @@
     - ips
 
 - name: remove IP addresses from private IP whitelist
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/apache2/ipaddr_whitelist.conf
     line: "Require ip {{ item }}"
     state: absent

apache/tasks/log2mail.yml

@@ -1,14 +1,14 @@
 ---
 
 - name: log2mail is installed
-  apt:
+  ansible.builtin.apt:
     name: log2mail
     state: present
   tags:
     - apache
 
 - name: Add log2mail config for Apache segfaults
-  template:
+  ansible.builtin.template:
     src: log2mail-apache.j2
     dest: "/etc/log2mail/config/apache"
     owner: log2mail

apache/tasks/main.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: packages are installed (Debian 9 or later)
-  apt:
+  ansible.builtin.apt:
     name:
       - apache2
       - libapache2-mod-evasive
@@ -14,7 +14,7 @@
   when: ansible_distribution_major_version is version('9', '>=')
 
 - name: itk package is installed if required (Debian 9 or later)
-  apt:
+  ansible.builtin.apt:
     name:
       - libapache2-mpm-itk
     state: present
@@ -26,7 +26,7 @@
     - apache_mpm == "itk"
 
 - name: packages are installed (jessie)
-  apt:
+  ansible.builtin.apt:
     name:
       - apache2-mpm-itk
       - libapache2-mod-evasive
@@ -39,7 +39,7 @@
   when: ansible_distribution_release == "jessie"
 
 - name: basic modules are enabled
-  apache2_module:
+  community.general.apache2_module:
     name: '{{ item }}'
     state: present
   loop:
@@ -55,7 +55,7 @@
     - apache
 
 - name: basic modules are enabled
-  apache2_module:
+  community.general.apache2_module:
     name: '{{ item }}'
     state: present
   loop:
@@ -67,7 +67,7 @@
 
 
 - name: Copy Apache defaults config file
-  copy:
+  ansible.builtin.copy:
     src: evolinux-defaults.conf
     dest: "/etc/apache2/conf-available/z-evolinux-defaults.conf"
     owner: root
@@ -79,7 +79,7 @@
   - apache
 
 - name: Copy Apache custom config file
-  copy:
+  ansible.builtin.copy:
     src: evolinux-custom.conf
     dest: "/etc/apache2/conf-available/zzz-evolinux-custom.conf"
     owner: root
@@ -91,7 +91,7 @@
   - apache
 
 - name: disable status.conf
-  file:
+  ansible.builtin.file:
     dest: /etc/apache2/mods-enabled/status.conf
     state: absent
   notify: reload apache
@@ -99,7 +99,8 @@
     - apache
 
 - name: Ensure Apache config files are enabled
-  command: "a2enconf {{ item }}"
+  ansible.builtin.command:
+    cmd: "a2enconf {{ item }}"
   register: command_result
   changed_when: "'Enabling' in command_result.stderr"
   loop:
@@ -109,12 +110,12 @@
   tags:
     - apache
 
-- include: auth.yml
+- ansible.builtin.include: auth.yml
   tags:
   - apache
 
 - name: default vhost is installed
-  template:
+  ansible.builtin.template:
     src: evolinux-default.conf.j2
     dest: /etc/apache2/sites-available/000-evolinux-default.conf
     mode: "0640"
@@ -124,7 +125,7 @@
     - apache
 
 - name: default vhost is enabled
-  file:
+  ansible.builtin.file:
     src: /etc/apache2/sites-available/000-evolinux-default.conf
     dest: /etc/apache2/sites-enabled/000-default.conf
     state: link
@@ -134,12 +135,13 @@
   tags:
     - apache
 
-- include: server_status.yml
+- ansible.builtin.include: server_status.yml
   tags:
     - apache
 
 - name: is umask already present?
-  command: "grep -E '^umask ' /etc/apache2/envvars"
+  ansible.builtin.command:
+    cmd: "grep -E '^umask ' /etc/apache2/envvars"
   failed_when: False
   changed_when: False
   register: envvar_grep_umask
@@ -148,7 +150,7 @@
     - apache
 
 - name: Add a mark in envvars for umask
-  blockinfile:
+  ansible.builtin.blockinfile:
     dest: /etc/apache2/envvars
     marker: "## {mark} ANSIBLE MANAGED BLOCK"
     block: |
@@ -159,13 +161,13 @@
   tags:
     - apache
 
-- include_role:
+- ansible.builtin.include_role:
     name: evolix/remount-usr
   tags:
     - apache
 
 - name: /usr/share/scripts exists
-  file:
+  ansible.builtin.file:
     dest: /usr/share/scripts
     mode: "0700"
     owner: root
@@ -175,7 +177,7 @@
     - apache
 
 - name: "Install save_apache_status.sh"
-  copy:
+  ansible.builtin.copy:
     src: save_apache_status.sh
     dest: /usr/share/scripts/save_apache_status.sh
     mode: "0755"
@@ -184,7 +186,7 @@
     - apache
 
 - name: "logrotate: {{ apache_logrotate_frequency }}"
-  replace:
+  ansible.builtin.replace:
     dest: /etc/logrotate.d/apache2
     regexp: "(daily|weekly|monthly)"
     replace: "{{ apache_logrotate_frequency }}"
@@ -192,19 +194,19 @@
     - apache
 
 - name: "logrotate: rotate {{ apache_logrotate_rotate }}"
-  replace:
+  ansible.builtin.replace:
     dest: /etc/logrotate.d/apache2
     regexp: '^(\s+rotate) \d+$'
     replace: '\1 {{ apache_logrotate_rotate }}'
   tags:
     - apache
 
-- include: log2mail.yml
+- ansible.builtin.include: log2mail.yml
   when: apache_log2mail_include
   tags:
     - apache
 
-- include: munin.yml
+- ansible.builtin.include: munin.yml
   when: apache_munin_include | bool
   tags:
     - apache

apache/tasks/munin.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: "Install munin-node and core plugins packages"
-  apt:
+  ansible.builtin.apt:
     name:
       - munin-node
       - munin-plugins-core
@@ -11,7 +11,7 @@
     - munin
 
 - name: "Enable Munin plugins"
-  file:
+  ansible.builtin.file:
     src: "/usr/share/munin/plugins/{{ item }}"
     dest: "/etc/munin/plugins/{{ item }}"
     state: link
@@ -25,7 +25,7 @@
     - munin
 
 - name: "Install fcgi packages for Munin graphs"
-  apt:
+  ansible.builtin.apt:
     name:
       - libapache2-mod-fcgid
       - libcgi-fast-perl
@@ -36,7 +36,8 @@
     - munin
 
 - name: "Enable libapache2-mod-fcgid"
-  command: a2enmod fcgid
+  ansible.builtin.command:
+    cmd: a2enmod fcgid
   register: cmd_enable_fcgid
   changed_when: "'Module fcgid already enabled' not in cmd_enable_fcgid.stdout"
   notify: restart apache
@@ -45,7 +46,7 @@
     - munin
 
 - name: "Apache has access to /var/log/munin/"
-  file:
+  ansible.builtin.file:
     path: /var/log/munin/
     group: www-data
   tags:

apache/tasks/server_status.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: server status dirname exists
-  file:
+  ansible.builtin.file:
     dest: "{{ apache_serverstatus_suffix_file | dirname }}"
     mode: "0700"
     owner: root
@@ -9,7 +9,7 @@
     state: directory
 
 - name: set apache serverstatus suffix if provided
-  copy:
+  ansible.builtin.copy:
     dest: "{{ apache_serverstatus_suffix_file }}"
     # The last character "\u000A" is a line feed (LF), it's better to keep it
     content: "{{ apache_serverstatus_suffix }}\u000A"
@@ -17,51 +17,53 @@
   when: apache_serverstatus_suffix | length > 0
 
 - name: generate random string for server-status suffix
-  shell: "apg -a 1 -M N -n 1 > {{ apache_serverstatus_suffix_file }}"
+  ansible.builtin.shell:
+    cmd: "apg -a 1 -M N -n 1 > {{ apache_serverstatus_suffix_file }}"
   args:
     creates: "{{ apache_serverstatus_suffix_file }}"
 
 - name: read apache server status suffix
-  command: "tail -n 1 {{ apache_serverstatus_suffix_file }}"
+  ansible.builtin.command:
+    cmd: "tail -n 1 {{ apache_serverstatus_suffix_file }}"
   changed_when: False
   check_mode: no
   register: new_apache_serverstatus_suffix
 
 - name: overwrite apache_serverstatus_suffix
-  set_fact:
+  ansible.builtin.set_fact:
     apache_serverstatus_suffix: "{{ new_apache_serverstatus_suffix.stdout }}"
 
-- debug:
+- ansible.builtin.debug:
     var: apache_serverstatus_suffix
     verbosity: 1
 
 - name: replace server-status suffix in default site index
-  replace:
+  ansible.builtin.replace:
     dest: /var/www/index.html
     regexp: '__SERVERSTATUS_SUFFIX__'
     replace: "{{ apache_serverstatus_suffix }}"
 
 - name: add server-status suffix in default site index if missing
-  replace:
+  ansible.builtin.replace:
     dest: /var/www/index.html
     regexp: '"/server-status-?"'
     replace: '"/server-status-{{ apache_serverstatus_suffix }}"'
 
 - name: add server-status suffix in default VHost
-  replace:
+  ansible.builtin.replace:
     dest: /etc/apache2/sites-available/000-evolinux-default.conf
     regexp: '<Location /server-status-?>'
     replace: '<Location /server-status-{{ apache_serverstatus_suffix }}>'
   notify: reload apache
 
 - name: Munin configuration has a section for apache
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/munin/plugin-conf.d/munin-node
     line: "[apache_*]"
     create: no
 
 - name: apache-status URL is configured for Munin
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/munin/plugin-conf.d/munin-node
     line: "env.url http://{{ apache_serverstatus_host }}/server-status-{{ apache_serverstatus_suffix }}?auto"
     regexp: 'env.url http://[^\\/]+/server-status'
@@ -70,7 +72,7 @@
   notify: restart munin-node
 
 - name: add mailgraph URL in index.html
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /var/www/index.html
     state: present
     line: '            <li><a href="/mailgraph">Stats Mail</a></li>'

apt/defaults/main.yml

@@ -8,6 +8,8 @@ apt_upgrade: False
 apt_install_basics: True
 apt_basics_components: "main"
 
+# With Debian 12+ and the deb822 format of source files
+# backports are always installed but enabled according to `apt_install_backports`
 apt_install_backports: False
 apt_backports_components: "main"
 

apt/files/bookworm_backports_preferences

@@ -0,0 +1,3 @@
+Package: *
+Pin: release a=bookworm-backports
+Pin-Priority: 50

apt/files/deb822-migration.py

@@ -3,20 +3,36 @@
 import re
 import sys
 import os
+import select
+import apt
+import apt_pkg
 
-if len(sys.argv) > 1:
-    src_file = sys.argv[1]
-else:
-    print("You must provide a source file as first argument", file=sys.stderr)
-    sys.exit(1)
+# Order matters !
+destinations = {
+    "debian-security": "security.sources",
+    ".*-backports": "backports.sources",
+    ".debian.org": "system.sources",
+    "mirror.evolix.org": "system.sources",
+    "pub.evolix.net": "evolix_public_old.sources",
+    "pub.evolix.org": "evolix_public.sources",
+    "artifacts.elastic.co": "elastic.sources",
+    "download.docker.com": "docker.sources",
+    "downloads.linux.hpe.com": "hp.sources",
+    "pkg.jenkins-ci.org": "jenkins.sources",
+    "packages.sury.org": "sury.sources",
+    "repo.mongodb.org": "mongodb.sources",
+    "apt.newrelic.com": "newrelic.sources",
+    "deb.nodesource.com": "nodesource.sources",
+    "dl.yarnpkg.com": "yarn.sources",
+    "apt.postgresql.org": "postgresql.sources",
+    "packages.microsoft.com/repos/vscode": "microsoft-vscode.sources",
+    "packages.microsoft.com/repos/ms-teams": "microsoft-teams.sources",
+    "updates.signal.org": "signal.sources",
+    "downloads.1password.com/linux/debian": "1password.sources",
+    "download.virtualbox.org": "virtualbox.sources"
+}
 
-if not os.access(src_file, os.R_OK):
-    print(src_file, "is not readable", file=sys.stderr)
-    sys.exit(2)
-
-pattern = re.compile('^(?P<type>deb|deb-src) +(?P<options>\[.+\] ?)*(?P<uri>\w+:\/\/\S+) +(?P<suite>\S+)(?: +(?P<components>.*))?$')
-
-sources = {}
+sources_parts = apt_pkg.config.find_dir('Dir::Etc::sourceparts')
 
 def split_options(raw):
     table = str.maketrans({
@@ -27,25 +43,44 @@ def split_options(raw):
 
     return options
 
-with open(src_file,'r') as file:
-    for line in file:
-        matches = re.match(pattern, line)
-        if matches is not None:
-            # print(matches.groupdict())
-            uri = matches['uri']
+def auto_destination(uri):
+    basename = uri
+    basename = re.sub('\[[^\]]+\]', '', basename)
+    basename = re.sub('\w+://', '', basename)
+    basename = '_'.join(re.sub('[^a-zA-Z0-9]', ' ', basename).split())
+    return '%s.sources' % basename
 
+
+def destination(matches):
+    for search_str in destinations.keys():
+        search_pattern = re.compile(f'{search_str}(/|\s|$)')
+        if re.search(search_pattern, matches['uri']) or re.search(search_pattern, matches["suite"]):
+            return destinations[search_str]
+    # fallback if nothing matches
+    return auto_destination(matches['uri'])
+
+def prepare_sources(lines):
+    sources = {}
+    pattern = re.compile('^(?: *(?P<type>deb|deb-src)) +(?P<options>\[.+\] ?)*(?P<uri>\w+:\/\/\S+) +(?P<suite>\S+)(?: +(?P<components>.*))?$')
+
+    for line in lines:
+        matches = re.match(pattern, line)
+
+        if matches is not None:
+            dest = destination(matches)
             options = {}
+
             if matches.group('options'):
                 for option in split_options(matches['options']):
                     if "=" in option:
                         key, value = option.split("=")
                         options[key] = value
 
-            if uri in sources:
-                sources[uri]["Types"].add(matches["type"])
-                sources[uri]["URIs"] = matches["uri"]
-                sources[uri]["Suites"].add(matches["suite"])
-                sources[uri]["Components"].update(matches["components"].split(' '))
+            if dest in sources:
+                sources[dest]["Types"].add(matches["type"])
+                sources[dest]["URIs"] = matches["uri"]
+                sources[dest]["Suites"].add(matches["suite"])
+                sources[dest]["Components"].update(matches["components"].split(' '))
             else:
                 source = {
                     "Types": {matches['type']},
@@ -83,14 +118,35 @@ with open(src_file,'r') as file:
                     else:
                         source["Targets"] = {options["target"]}
 
-                sources[uri] = source
+                sources[dest] = source
+    return sources
 
-for i, (uri, source) in enumerate(sources.items()):
-    if i > 0:
-        print("")
-    for key, value in source.items():
-        if isinstance(value, str):
-            print("{}: {}".format(key, value) )
-        else:
-            print("{}: {}".format(key, ' '.join(value)) )
-    i += 1
+def save_sources(sources, output_dir):
+    # print(output_dir)
+    # print(sources)
+    for dest, source in sources.items():
+        source_path = output_dir + dest
+
+        with open(source_path, 'w') as file:
+            for key, value in source.items():
+                if isinstance(value, str):
+                    file.write("{}: {}\n".format(key, value))
+                else:
+                    file.write("{}: {}\n".format(key, ' '.join(value)))
+
+def main():
+    if select.select([sys.stdin, ], [], [], 0.0)[0]:
+        sources = prepare_sources(sys.stdin)
+    # elif len(sys.argv) > 1:
+    #     sources = prepare_sources([sys.argv[1]])
+    else:
+        print("You must provide source lines to stdin", file=sys.stderr)
+        sys.exit(1)
+
+    output_dir = apt_pkg.config.find_dir('Dir::Etc::sourceparts')
+    save_sources(sources, output_dir)
+
+if __name__ == "__main__":
+    main()
+
+sys.exit(0)

apt/files/deb822-migration.sh

@@ -10,39 +10,40 @@ if [ ! -x "${deb822_migrate_script}" ]; then
     exit 1
 fi
 
-dest_dir="/etc/apt/sources.list.d"
-rc=0
-
-migrate_file() {
-    legacy_file=$1
-    deb822_file=$2
-
-    if [ -f "${legacy_file}" ]; then
-        if [ -f "${deb822_file}" ]; then
-            >&2 echo "ERROR: '${deb822_file}' already exists"
-            rc=2
-        else
-            ${deb822_migrate_script} "${legacy_file}" > "${deb822_file}"
-            if [ $? -eq 0 ] && [ -f "${deb822_file}" ]; then
-                mv "${legacy_file}" "${legacy_file}.bak"
-                echo "Migrated ${legacy_file} to ${deb822_file} and renamed to ${legacy_file}.bak"
-            else
-                >&2 echo "ERROR: failed to convert '${legacy_file}' to '${deb822_file}'"
-                rc=2
-            fi
-        fi
-    else
-        >&2 echo "ERROR: '${legacy_file}' not found"
-        rc=2
-    fi
+sources_from_file() {
+    grep --extended-regexp "^\s*(deb|deb-src) " $1
 }
 
-migrate_file "/etc/apt/sources.list" "${dest_dir}/system.sources"
+rc=0
+count=0
 
-# shellcheck disable=SC2044
-for legacy_file in $(find /etc/apt/sources.list.d -mindepth 1 -maxdepth 1 -type f -name '*.list'); do
-    deb822_file=$(basename "${legacy_file}" .list)
-    migrate_file "${legacy_file}" "${dest_dir}/${deb822_file}.sources"
+if [ -f /etc/apt/sources.list ]; then
+    sources_from_file /etc/apt/sources.list | ${deb822_migrate_script} 
+    python_rc=$?
+
+    if [ ${python_rc} -eq 0 ]; then
+        mv /etc/apt/sources.list /etc/apt/sources.list.bak
+        echo "OK: /etc/apt/sources.list"
+        count=$(( count + 1 ))
+    else
+        >&2 echo "ERROR: failed migration for /etc/apt/sources.list"
+        rc=1
+    fi
+fi
+
+for file in $(find /etc/apt/sources.list.d -mindepth 1 -maxdepth 1 -type f -name '*.list'); do
+    sources_from_file "${file}" | ${deb822_migrate_script}
+    python_rc=$?
+
+    if [ ${python_rc} -eq 0 ]; then
+        mv "${file}" "${file}.bak"
+        echo "OK: ${file}"
+        count=$(( count + 1 ))
+    else
+        >&2 echo "ERROR: failed migration for ${file}"
+        rc=1
+    fi
 done
 
+echo "${count} file(s) migrated"
 exit ${rc}

apt/tasks/backports.deb822.yml

@@ -0,0 +1,28 @@
+---
+
+- name: Backports deb822 sources list is installed
+  ansible.builtin.template:
+    src: '{{ ansible_distribution_release }}_backports.sources.j2'
+    dest: /etc/apt/sources.list.d/backports.sources
+    force: yes
+    mode: "0640"
+  register: apt_backports_sources
+  tags:
+    - apt
+
+- name: Backports configuration
+  ansible.builtin.copy:
+    src: '{{ ansible_distribution_release }}_backports_preferences'
+    dest: /etc/apt/preferences.d/0-backports-defaults
+    force: yes
+    mode: "0640"
+  register: apt_backports_config
+  tags:
+    - apt
+
+- name: Apt update
+  ansible.builtin.apt:
+    update_cache: yes
+  when: apt_backports_sources is changed or apt_backports_config is changed
+  tags:
+    - apt

apt/tasks/backports.oneline.yml

@@ -0,0 +1,45 @@
+---
+- name: No backports config in default sources.list
+  ansible.builtin.lineinfile:
+    dest: /etc/apt/sources.list
+    regexp: "backports"
+    state: absent
+  tags:
+    - apt
+
+- name: Backports sources list is installed
+  ansible.builtin.template:
+    src: '{{ ansible_distribution_release }}_backports.list.j2'
+    dest: /etc/apt/sources.list.d/backports.list
+    force: yes
+    mode: "0640"
+  register: apt_backports_list
+  tags:
+    - apt
+
+- name: Backports configuration
+  ansible.builtin.copy:
+    src: '{{ ansible_distribution_release }}_backports_preferences'
+    dest: /etc/apt/preferences.d/0-backports-defaults
+    force: yes
+    mode: "0640"
+  register: apt_backports_config
+  tags:
+    - apt
+
+- name: Archived backport are accepted (jessie)
+  ansible.builtin.lineinfile:
+    dest: '/etc/apt/apt.conf.d/99no-check-valid-until'
+    line: 'Acquire::Check-Valid-Until no;'
+    create: yes
+    state: present
+  tags:
+    - apt
+  when: ansible_distribution_release == "jessie"
+
+- name: Apt update
+  ansible.builtin.apt:
+    update_cache: yes
+  tags:
+    - apt
+  when: apt_backports_list is changed or apt_backports_config is changed

apt/tasks/backports.yml

@@ -1,45 +1,13 @@
 ---
-- name: No backports config in default sources.list
-  lineinfile:
-    dest: /etc/apt/sources.list
-    regexp: "backports"
-    state: absent
-  tags:
-    - apt
 
-- name: Backports sources list is installed
-  template:
-    src: '{{ ansible_distribution_release }}_backports.list.j2'
-    dest: /etc/apt/sources.list.d/backports.list
-    force: yes
-    mode: "0640"
-  register: apt_backports_list
-  tags:
-    - apt
+# Backward compatibility task file
 
-- name: Backports configuration
-  copy:
-    src: '{{ ansible_distribution_release }}_backports_preferences'
-    dest: /etc/apt/preferences.d/0-backports-defaults
-    force: yes
-    mode: "0640"
-  register: apt_backports_config
-  tags:
-    - apt
+- name: Install backports repositories (Debian <12)
+  ansible.builtin.import_tasks: backports.oneline.yml
+  when:
+    - ansible_distribution_major_version is version('12', '<')
 
-- name: Archived backport are accepted (jessie)
-  lineinfile:
-    dest: '/etc/apt/apt.conf.d/99no-check-valid-until'
-    line: 'Acquire::Check-Valid-Until no;'
-    create: yes
-    state: present
-  when: ansible_distribution_release == "jessie"
-  tags:
-    - apt
-
-- name: Apt update
-  apt:
-    update_cache: yes
-  when: apt_backports_list is changed or apt_backports_config is changed
-  tags:
-    - apt
+- name: Install backports repositories (Debian >=12)
+  ansible.builtin.import_tasks: backports.deb822.yml
+  when:
+    - ansible_distribution_major_version is version('12', '>=')

apt/tasks/basics.deb822.yml

@@ -0,0 +1,45 @@
+---
+
+- name: Change basics repositories
+  ansible.builtin.template:
+    src: "{{ ansible_distribution_release }}_basics.sources.j2"
+    dest: /etc/apt/sources.list.d/system.sources
+    mode: "0644"
+    force: yes
+  register: apt_basic_sources
+  tags:
+    - apt
+
+- name: Change security repositories
+  ansible.builtin.template:
+    src: "{{ ansible_distribution_release }}_security.sources.j2"
+    dest: /etc/apt/sources.list.d/security.sources
+    mode: "0644"
+    force: yes
+  register: apt_security_sources
+  tags:
+    - apt
+
+- name: Find one-line APT sources
+  ansible.builtin.find:
+    paths: /etc/apt
+    patterns: '*.list'
+  register: list_files
+
+- name: Disable one-line-formatted sources
+  ansible.builtin.command:
+    cmd: "mv --verbose {{ item.path }} {{ item.path }}.bak"
+  environment:
+    LC_ALL: C
+  loop: "{{ list_files.files }}"
+  register: rename_cmd
+  changed_when: "'renamed' in rename_cmd.stdout"
+  tags:
+    - apt
+
+- name: Apt update
+  ansible.builtin.apt:
+    update_cache: yes
+  tags:
+    - apt
+  when: apt_basic_list is changed or apt_security_sources is changed

apt/tasks/basics.oneline.yml

@@ -0,0 +1,18 @@
+---
+
+- name: Change basics repositories
+  ansible.builtin.template:
+    src: "{{ ansible_distribution_release }}_basics.list.j2"
+    dest: /etc/apt/sources.list
+    mode: "0644"
+    force: yes
+  register: apt_basic_list
+  tags:
+    - apt
+
+- name: Apt update
+  ansible.builtin.apt:
+    update_cache: yes
+  tags:
+    - apt
+  when: apt_basic_list is changed

apt/tasks/basics.yml

@@ -1,33 +1,13 @@
 ---
 
-- name: Change basics repositories
-  template:
-    src: "{{ ansible_distribution_release }}_basics.list.j2"
-    dest: /etc/apt/sources.list
-    mode: "0644"
-    force: yes
-  register: apt_basic_list
-  tags:
-    - apt
+# Backward compatibility task file
 
-- name: Clean GANDI sources.list.d/debian-security.list
-  file:
-    path: '{{ item }}'
-    state: absent
-  loop:
-    - /etc/apt/sources.list.d/debian-security.list
-    - /etc/apt/sources.list.d/debian-jessie.list
-    - /etc/apt/sources.list.d/debian-stretch.list
-    - /etc/apt/sources.list.d/debian-buster.list
-    - /etc/apt/sources.list.d/debian-bullseye.list
-    - /etc/apt/sources.list.d/debian-update.list
-  when: apt_clean_gandi_sourceslist | bool
-  tags:
-    - apt
+- name: Install basics repositories (Debian <12)
+  ansible.builtin.import_tasks: basics.oneline.yml
+  when:
+    - ansible_distribution_major_version is version('12', '<')
 
-- name: Apt update
-  apt:
-    update_cache: yes
-  when: apt_basic_list is changed
-  tags:
-    - apt
+- name: Install basics repositories (Debian >=12)
+  ansible.builtin.import_tasks: basics.deb822.yml
+  when:
+    - ansible_distribution_major_version is version('12', '>=')

apt/tasks/config.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: Evolinux config for APT
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/apt/apt.conf.d/z-evolinux.conf
     line: "{{ item.line }}"
     regexp: "{{ item.regexp }}"
@@ -12,12 +12,12 @@
     - { line: "APT::Install-Recommends \"false\";", regexp: 'APT::Install-Recommends' }
     - { line: "APT::Install-Suggests \"false\";",   regexp: 'APT::Install-Suggests' }
     - { line: "APT::Periodic::Enable \"0\";",   regexp: 'APT::Periodic::Enable' }
-  when: apt_evolinux_config | bool
   tags:
     - apt
+  when: apt_evolinux_config | bool
 
 - name: DPkg invoke hooks
-  lineinfile:
+  ansible.builtin.lineinfile:
     dest: /etc/apt/apt.conf.d/z-evolinux.conf
     line: "{{ item }}"
     create: yes
@@ -28,14 +28,14 @@
     - "DPkg::Pre-Invoke { \"df /usr | grep -q /usr && mount -oremount,rw /usr || true\"; };"
     - "DPkg::Post-Invoke { \"df /tmp | grep -q /tmp && mount -oremount /tmp || true\"; };"
     - "DPkg::Post-Invoke { \"df /usr | grep -q /usr && mount -oremount /usr || true\"; };"
-  when: apt_hooks | bool
   tags:
     - apt
+  when: apt_hooks | bool
 
 - name: Remove Aptitude
-  apt:
+  ansible.builtin.apt:
     name: aptitude
     state: absent
-  when: apt_remove_aptitude | bool
   tags:
     - apt
+  when: apt_remove_aptitude | bool

apt/tasks/evolix_public.deb822.yml

@@ -0,0 +1,45 @@
+---
+
+- name: Look for legacy apt keyring
+  ansible.builtin.stat:
+    path: /etc/apt/trusted.gpg
+  register: _trusted_gpg_keyring
+  tags:
+    - apt
+