operating-automation/roles/os-updates/tasks/update_major_version.yaml

# Optionally run the mirror update first. The included tasks live in
# update_mirrors.yaml, which is not part of this file.
- name: Update mirrors if necessary
  ansible.builtin.include_tasks: update_mirrors.yaml
  when: os_also_update_mirror | bool
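# Fail early unless the caller supplied a usable target release codename.
# The value is later written into APT source definitions and spliced into a
# regex replacement string, so it is restricted to plain letters here.
- name: Assert target codename provided
  ansible.builtin.assert:
    that:
      - os_update_version_codename is defined
      - os_update_version_codename | length > 0
      - os_update_version_codename is match('^[A-Za-z]+$')
    # German: "Set the variable 'os_update_version_codename' (e.g. 'trixie')."
    fail_msg: "Setze die Variable 'os_update_version_codename' (z.B. 'trixie')."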
# Normalise both codenames to lower case: the running release as reported by
# the gathered facts, and the requested target release.
- name: Set current/target codenames
  ansible.builtin.set_fact:
    target_codename: "{{ os_update_version_codename | lower }}"
    current_codename: "{{ ansible_distribution_release | lower }}"
# Discover the APT source files present on the host.
# NOTE(review): only "*.list" files are collected. deb822 "*.sources" files in
# the same directory are neither backed up nor rewritten by the tasks in this
# file, so they would keep pointing at the old release. Confirm the managed
# hosts do not use them.
- name: Stat /etc/apt/sources.list.d
  ansible.builtin.stat:
    path: /etc/apt/sources.list.d
  register: sources_list_d_dir

# Skipped when the directory does not exist; apt_lists then has no "files" key.
- name: Find *.list files in /etc/apt/sources.list.d
  when: sources_list_d_dir.stat.exists | default(false)
  ansible.builtin.find:
    file_type: file
    patterns: "*.list"
    paths: /etc/apt/sources.list.d
  register: apt_lists

- name: Stat /etc/apt/sources.list
  ansible.builtin.stat:
    path: /etc/apt/sources.list
  register: sources_list_stat
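# Paths of the *.list files found under /etc/apt/sources.list.d.
# The registered result is read directly instead of going through the
# internal `vars` mapping; default([]) covers a skipped find task, whose
# result has no "files" key.
- name: Build list of APT *.list paths
  ansible.builtin.set_fact:
    apt_list_paths: >-
      {{ apt_lists.files | default([]) | map(attribute='path') | list }}

# All files to back up: the *.list files plus /etc/apt/sources.list itself,
# the latter only when it exists.
- name: Build list of APT source files
  ansible.builtin.set_fact:
    apt_source_files: >-
      {{
        apt_list_paths
        + ([sources_list_stat.stat.path]
           if (sources_list_stat.stat.exists | default(false))
           else [])
      }}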
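# ---------- Backups ----------
# Copy every discovered source file to "<file>.bak" on the managed host before
# it is rewritten.
# mode: preserve gives the backup the same permissions as the original.
# Without it a new .bak file is created with the default umask, which could
# make a deliberately restricted source file (for example one carrying
# repository credentials in its URL) readable through its backup.
# NOTE(review): force: true overwrites an existing .bak. A second run after
# the sources were already rewritten therefore replaces the pre-upgrade
# backup with the new content; confirm this is acceptable for rollback.
- name: Backup existing sources in /etc/apt
  ansible.builtin.copy:
    src: "{{ item }}"
    dest: "{{ item }}.bak"
    remote_src: true
    force: true
    mode: preserve
  loop: "{{ apt_source_files }}"
  loop_control:
    label: "{{ item }}"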
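# ---------- Update /etc/apt/sources.list ----------
# Render /etc/apt/sources.list from the role template sources.list.j2 (not
# shown here). The template can read target_codename directly, because it was
# set with set_fact earlier in this file. The former task-level
# `vars: target_codename: "{{ target_codename }}"` referred to itself and was
# shadowed by that fact (set_fact takes precedence over task vars), so it has
# been dropped.
- name: Update /etc/apt/sources.list from template
  ansible.builtin.template:
    src: sources.list.j2
    dest: /etc/apt/sources.list
    owner: root
    group: root
    mode: "0644"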
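# ---------- Update additional *.list files ----------
# Replaces the codename (including optional suite suffixes such as
# -security/-updates) in the sources.list.d files.
# The pattern matches one-line "deb"/"deb-src" entries, with an optional
# [options] block, whose suite is the current codename. Group 1 is everything
# up to the suite, "suffix" is the optional "-xxx" part and group 3 is the
# whitespace that follows.
# The replacement uses \g<1> and \g<3> instead of \1 and \3 so that the text
# following a group reference can never be read as part of the group number.
- name: Update codename in /etc/apt/sources.list.d/*.list (keep suffix)
  ansible.builtin.replace:
    path: "{{ item }}"
    regexp: '(^\s*deb(?:-src)?(?:\s+\[.*?\])?\s+\S+\s+){{ current_codename | regex_escape }}(?P<suffix>-[a-z]+)?(\s+)'
    replace: '\g<1>{{ target_codename }}\g<suffix>\g<3>'
  loop: "{{ apt_list_paths }}"
  when: apt_list_paths | length > 0
  loop_control:
    label: "{{ item }}"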
# ---- Prevent EXIM (Debian 13 only) ---------
# Writes an APT preferences file that pins every package matching "exim4*"
# to priority -1 for all releases.
# NOTE(review): the heading says "Debian 13 only", but nothing in this task
# restricts it to a release; it runs for every target codename. Confirm
# whether a condition is missing.
- name: Block installation of Exim with APT Pinning
  become: true
  ansible.builtin.copy:
    dest: /etc/apt/preferences.d/block-exim.pref
    content: |
      Package: exim4*
      Pin: release *
      Pin-Priority: -1
    mode: "0644"
    group: root
    owner: root
# Remove the listed Exim packages including their configuration (purge) and
# clean up dependencies that are no longer needed (autoremove).
# The result is registered as exim_purge; no later task in this file reads it.
- name: Remove existing Exim packages (purge + autoremove)
  become: true
  ansible.builtin.apt:
    state: absent
    purge: true
    autoremove: true
    name:
      - exim4
      - exim4-base
      - exim4-config
      - exim4-daemon-light
  register: exim_purge
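# ---------- Upgrade ----------
# The source definitions were switched to the target release just above, so
# the package index must be refreshed unconditionally. With cache_valid_time
# set, an index fetched for the old release within that window would count as
# fresh and the refresh would be skipped. The distribution upgrade would then
# run against the old release's package lists.
- name: Update apt cache
  ansible.builtin.apt:
    update_cache: true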
# Run the distribution upgrade against the refreshed package index.
# The notified handlers ("Reboot system", "apt cleanup") are defined outside
# this file.
- name: Perform distribution upgrade
  ansible.builtin.apt:
    # Keep signature verification on: unauthenticated packages are refused.
    allow_unauthenticated: false
    upgrade: dist  # dist-upgrade
  notify:
    - Reboot system
    - apt cleanup