Getting started
Default configuration
The non-free and non-free-firmware sections of the Debian Archive will
be enabled automatically on hardware-based hosts in case any non-free firmware
is required. Otherwise, only the main and universe (on Ubuntu)
repositories are enabled. Users can control this using the
apt__nonfree and apt__nonfree_firmware boolean variables.
"Signing key is not bound" error
The SHA1 algorithm used in old GPG signatures is considered insecure after 2026-02-01. This can cause an error message during an APT update and can result in an error during Ansible execution. Fixing this issue requires updating the APT repository keys, which can only be done by third parties.
There are two ways to mitigate the issue in the meantime, described in an
Ansible forum post. The first is to override the default APT Sequoia
configuration stored in the /usr/share/apt/default-sequoia.config
file to change the cutoff date for specific signature algorithms.
This method is not implemented in DebOps at the moment.
The other way is to mark specific APT repositories as trusted, using the
[trusted=yes] option in the APT repository configuration. This approach is more
granular and visible to the system administrator, therefore it will be used in
APT repositories managed by DebOps when needed.
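Because trusted=yes makes APT treat a source as authenticated even when its signature checks fail, it helps to be able to list exactly which sources carry the option. The following is an added example, not part of DebOps or the original page: a small audit that reports trusted sources in both the one-line (.list) and deb822 (.sources) formats. The function names and sample entries are constructed for illustration, and only the literal value yes is matched.

```python
import re
from pathlib import Path
ENTRY = re.compile(r"(?:deb|deb-src)\s+\[([^\]]*)\]\s+(\S+)\s+(\S+)")

def trusted_one_line(text):
    """(uri, suite) of active one-line entries that carry trusted=yes."""
    hits = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.split("#", 1)[0].strip())  # ignore comments
        if m:
            opts = dict(o.split("=", 1) for o in m.group(1).split() if "=" in o)
            if opts.get("trusted", "").lower() == "yes":
                hits.append((m.group(2), m.group(3)))
    return hits

def trusted_deb822(text):
    """(uri, suite) of enabled deb822 stanzas that carry 'Trusted: yes'."""
    hits = []
    for stanza in re.split(r"\n[ \t]*\n", text):
        fields, key = {}, None
        for line in (l for l in stanza.splitlines() if not l.startswith("#")):
            if line[:1] in (" ", "\t") and key:  # continuation of previous field
                fields[key] += " " + line.strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                key = key.strip().lower()
                fields[key] = value.strip()
        enabled = fields.get("enabled", "yes").lower() != "no"
        if enabled and fields.get("trusted", "").lower() == "yes":
            hits += [(u, s) for u in fields.get("uris", "").split()
                     for s in fields.get("suites", "").split()]
    return hits

def audit(root="/etc/apt"):
    """Map each APT source file under root to its trusted=yes entries."""
    parsers = {".list": trusted_one_line, ".sources": trusted_deb822}
    report = {}
    for path in sorted(Path(root).rglob("*")):
        parse = parsers.get(path.suffix)
        if parse and path.is_file() and (hits := parse(path.read_text())):
            report[str(path)] = hits
    return report

# Constructed sample input (example.org hosts are placeholders).
SAMPLE_LIST = ("# deb [trusted=yes] https://old.example.org/apt stable main\n"
               "deb [arch=amd64 trusted=yes] https://repo.example.org/apt stable main\n"
               "deb https://deb.debian.org/debian bookworm main\n")
SAMPLE_SOURCES = ("Types: deb\nURIs: https://repo.example.org/apt\n"
                  "Suites: stable testing\nComponents: main\nTrusted: yes\n")
```

Calling audit() on a host returns the files under /etc/apt that still declare trusted sources, which makes it easy to remove the option once the upstream repository publishes updated keys.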
Example inventory
The debops.apt role is included by default in the layer/common.yml
DebOps playbook; you don't need to do anything to have it executed.
If you don’t want to let debops.apt manage APT, you can do this with the
following setting in your inventory:
apt__enabled: False
Example playbook
If you are using this role without DebOps, here's an example Ansible playbook
that uses the debops.apt role:
---

- name: Manage Advanced Package Manager
  collections: [ 'debops.debops' ]
  hosts: [ 'debops_all_hosts', 'debops_service_apt' ]
  become: True

  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment | d({})) }}'

  roles:

    - role: apt
      tags: [ 'role::apt', 'skip::apt' ]