commited current state (new functions, may not work by now)

roles/os-updates/defaults/main.yml

@@ -1,9 +1,10 @@
 # Standardwerte, die überschrieben werden können
 os_update_auto_upgrade: true
-os_also_update_mirror: false # Can either be true or false | Use this to enable mirror changes. Useful for first runs.
+os_also_update_mirror: true # Can either be true or false | Use this to enable mirror changes. Useful for first runs.
 os_update_mirrors:
-  # Role needs two mirros to use for the sources.list.j2 Template
-  - "http://mirror.tinc.gmbh/debian" # Enter a main mirror here (not security)
-  - "http://mirror.tinc.gmbh/debian-security" # Enter a security mirror here
+  - mirror: "http://mirror.tinc.gmbh/debian" # Enter a main mirror here (not security)
+    type: "main"
+  - mirror: "http://mirror.tinc.gmbh/debian-security" # Enter a security mirror here
+    type: "security"
 os_update_major_version: false # Can either be true or false | To toggle if systems need to be upgraded to newer codename
-os_update_version_codename: "{{ ansible_distribution_release }}" # KEEP UNTOUCHED!! | Used for jinja2 Template fill in as it determines the current codename of system where ansible is run on
+os_update_version_codename: "bookworm" # Change to switch major release (e.g. bookworm or trixie) | Used for jinja2 Template fill in as it determines the current codename of system where ansible is run on

roles/os-updates/handlers/main.yml

@@ -2,10 +2,10 @@
   apt:
     clean: yes
     autoclean: yes
+    autoremove: yes
 
 - name: Reboot system
   command: /sbin/reboot
   async: 1
   poll: 0
-  ignore_errors: true
-  when: reboot_required.stdout == "yes"
+  ignore_errors: true

roles/os-updates/tasks/main.yml

@@ -2,9 +2,5 @@
   when: os_also_update_mirror|bool
   include_tasks: update_mirrors.yaml
 
-- name: Upgrade to new major version if enabled
-  when: os_update_major_version
-  include_tasks: update_major_version.yaml
-
 - name: Upgrade all packages
   include_tasks: upgrade_packages.yaml

roles/os-updates/tasks/update_major_version.yaml

@@ -1,34 +1,125 @@
+- name: Update mirrors if necessary
+  when: os_also_update_mirror|bool
+  include_tasks: update_mirrors.yaml
+
+# tasks/main.yml
+- name: Assert target codename provided
+  ansible.builtin.assert:
+    that:
+      - os_update_version_codename is defined
+      - os_update_version_codename | length > 0
+    fail_msg: "Setze die Variable 'os_update_version_codename' (z.B. 'trixie')."
+
+- name: Set current/target codenames
+  ansible.builtin.set_fact:
+    current_codename: "{{ ansible_distribution_release | lower }}"
+    target_codename:  "{{ os_update_version_codename | lower }}"
+
+- name: Stat /etc/apt/sources.list.d
+  ansible.builtin.stat:
+    path: /etc/apt/sources.list.d
+  register: sources_list_d_dir
+
+- name: Find *.list files in /etc/apt/sources.list.d
+  ansible.builtin.find:
+    paths: /etc/apt/sources.list.d
+    patterns: "*.list"
+    file_type: file
+  register: apt_lists
+  when: sources_list_d_dir.stat.exists | default(false)
+
+- name: Stat /etc/apt/sources.list
+  ansible.builtin.stat:
+    path: /etc/apt/sources.list
+  register: sources_list_stat
+
+- name: Build list of APT *.list paths
+  ansible.builtin.set_fact:
+    apt_list_paths: >-
+      {{
+        (vars.get('apt_lists', {}).get('files', [])
+         | map(attribute='path') | list)
+      }}
+
+- name: Build list of APT source files
+  ansible.builtin.set_fact:
+    apt_source_files: >-
+      {{
+        apt_list_paths
+        + ([sources_list_stat.stat.path] if (sources_list_stat.stat.exists | default(false)) else [])
+      }}
+
+# ---------- Backups ----------
 - name: Backup existing sources in /etc/apt
-  copy:
+  ansible.builtin.copy:
     src: "{{ item }}"
     dest: "{{ item }}.bak"
-    remote_src: yes
-  loop: "{{ lookup('ansible.builtin.fileglob', '/etc/apt/sources.list.d/*.list') + ['/etc/apt/sources.list'] }}"
-  when: item | file
+    remote_src: true
+    force: true
+  loop: "{{ apt_source_files }}"
+  loop_control:
+    label: "{{ item }}"
 
-- name: Update sources.list for new major version
-  template:
+# ---------- Update /etc/apt/sources.list ----------
+- name: Update /etc/apt/sources.list from template
+  ansible.builtin.template:
     src: sources.list.j2
     dest: /etc/apt/sources.list
+    owner: root
+    group: root
+    mode: "0644"
   vars:
-    os_update_version_codename: "{{ new_version_codename }}" # Variable gets passed by main.yml task
+    target_codename: "{{ target_codename }}"
 
-- name: Update additional repositories in /etc/apt/sources.list.d
-  lineinfile:
+# ---------- Update additional *.list files ----------
+# Ersetzt den Codename (inkl. optionaler Suite-Suffixe wie -security/-updates) in den .d-Dateien
+- name: Update codename in /etc/apt/sources.list.d/*.list (keep suffix)
+  ansible.builtin.replace:
     path: "{{ item }}"
-    regexp: '^(deb .* )({{ os_update_version_codename }})'
-    line: '\1{{ new_version_codename }}'
-  loop: "{{ lookup('ansible.builtin.fileglob', '/etc/apt/sources.list.d/*.list') }}"
-  when: item | file
+    regexp: '(^\s*deb(?:-src)?(?:\s+\[.*?\])?\s+\S+\s+){{ current_codename | regex_escape }}(?P<suffix>-[a-z]+)?(\s+)'
+    replace: '\1{{ target_codename }}\g<suffix>\3'
+  loop: "{{ apt_list_paths }}"
+  when: apt_list_paths | length > 0
+  loop_control:
+    label: "{{ item }}"
 
+
+# ---- Prevent EXIM (Debian 13 only) ---------
+- name: Block installation of Exim with APT Pinning
+  become: true
+  ansible.builtin.copy:
+    dest: /etc/apt/preferences.d/block-exim.pref
+    owner: root
+    group: root
+    mode: '0644'
+    content: |
+      Package: exim4*
+      Pin: release *
+      Pin-Priority: -1
+
+- name: Remove existing Exim packages (purge + autoremove)
+  become: true
+  ansible.builtin.apt:
+    name:
+      - exim4
+      - exim4-base
+      - exim4-config
+      - exim4-daemon-light
+    state: absent
+    purge: true
+    autoremove: true
+  register: exim_purge
+
+# ---------- Upgrade ----------
 - name: Update apt cache
-  apt:
-    update_cache: yes
+  ansible.builtin.apt:
+    update_cache: true
+    cache_valid_time: 3600
 
 - name: Perform distribution upgrade
-  apt:
-    upgrade: yes
-    allow_unauthenticated: yes
+  ansible.builtin.apt:
+    upgrade: dist        # dist-upgrade
+    allow_unauthenticated: false
   notify:
     - Reboot system
     - apt cleanup

roles/os-updates/tasks/upgrade_packages.yaml

@@ -11,12 +11,11 @@
   register: latest_kernel
   changed_when: false
 
-- name: Check if running kernel matches the latest installed kernel
+- name: Check if running kernel matches the latest installed kernel and determine if reboot is required
   shell: uname -r
   register: running_kernel
   changed_when: false
-
-- name: Determine if reboot is required
-  set_fact:
-    reboot_required: "yes"
+  failed_when: false
+  notify:
+    - Reboot system
   when: running_kernel.stdout != latest_kernel.stdout

roles/os-updates/templates/sources.list.j2

@@ -1,5 +1,10 @@
 # {{ ansible_managed }}
-deb {{ os_update_mirrors[0] }} {{ os_update_version_codename }} main contrib non-free non-free-firmware
-deb {{ os_update_mirrors[0] }} {{ os_update_version_codename }}-updates main contrib non-free non-free-firmware
-deb {{ os_update_mirrors[0] }} {{ os_update_version_codename }}-backports main contrib non-free non-free-firmware
-deb {{ os_update_mirrors[1] }} {{ os_update_version_codename }}-security main contrib non-free non-free-firmware
+{% for mirror in os_update_mirrors %}
+{% if mirror.type == "main" %}
+deb {{ mirror.mirror }} {{ os_update_version_codename }} main contrib non-free non-free-firmware
+deb {{ mirror.mirror }} {{ os_update_version_codename }}-updates main contrib non-free non-free-firmware
+deb {{ mirror.mirror }} {{ os_update_version_codename }}-backports main contrib non-free non-free-firmware
+{% elif mirror.type == "security" %}
+deb {{ mirror.mirror }} {{ os_update_version_codename }}-security main contrib non-free non-free-firmware
+{% endif %}
+{% endfor %}