theforeman · evgeni · Sep 22, 2025 · Oct 16, 2025 · Sep 22, 2025 · Sep 23, 2025
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -82,6 +82,11 @@ jobs:
             security: none
             database: internal
             box: centos/stream9
+          - certificate_source: default
+            security: none
+            database: internal
+            iop: disabled
+            box: debian/trixie64
     runs-on: ubuntu-24.04
     env:
       FOREMANCTL_BASE_BOX: ${{ matrix.box }}
@@ -143,10 +148,14 @@ jobs:
             --tuning development \
             --content-import-path /custom/import \
             --content-export-path /custom/export
-      - name: Deploy features
+      - name: Deploy hammer
+        if: contains(matrix.box, 'centos')
         run: |
           ./foremanctl deploy \
             --add-feature hammer \
+      - name: Deploy features
+        run: |
+          ./foremanctl deploy \
             --add-feature foreman-proxy \
             --add-feature azure-rm \
             --add-feature google \

diff --git a/Vagrantfile b/Vagrantfile
@@ -1,7 +1,7 @@
 DOMAIN = ENV.fetch('VAGRANT_DOMAIN', 'example.com'.freeze)
 
 Vagrant.configure("2") do |config|
-  config.vm.synced_folder ".", "/vagrant"
+  config.vm.synced_folder ".", "/vagrant", disabled: true
 
   config.vm.provision("etc_hosts", type: 'ansible') do |ansible|
     ansible.playbook = "development/playbooks/etc_host.yml"

diff --git a/development/playbooks/setup-repositories/setup-repositories.yaml b/development/playbooks/setup-repositories/setup-repositories.yaml
@@ -29,3 +29,9 @@
         chroot: rhel-10-x86_64
       when:
         - ansible_distribution_major_version == '10'
+
+    - name: Refresh package cache
+      ansible.builtin.package:
+        update_cache: true
+      when:
+        - ansible_os_family == 'Debian'
diff --git a/development/playbooks/test/test.yaml b/development/playbooks/test/test.yaml
@@ -8,6 +8,7 @@
       ansible.builtin.package:
         name:
           - nmap
+          - curl
 
 - name: Execute tests
   gather_facts: false

diff --git a/src/roles/httpd/defaults/main.yml b/src/roles/httpd/defaults/main.yml
@@ -17,6 +17,6 @@ httpd_listen_backlog: 511
 # External authentication configuration
 httpd_external_authentication: "{{ external_authentication | default(None) }}"
 httpd_ipa_manage_sssd: true
-httpd_ipa_keytab: /etc/httpd/conf/http.keytab
+httpd_ipa_keytab: "{{ httpd_etc_path }}/conf/http.keytab"
 httpd_ipa_pam_service: "{{ external_authentication_pam_service | default('foreman') }}"
 httpd_ipa_gssapi_local_name: true
diff --git a/src/roles/httpd/handlers/main.yml b/src/roles/httpd/handlers/main.yml
@@ -1,7 +1,7 @@
 ---
 - name: Restart httpd
   ansible.builtin.systemd:
-    name: httpd
+    name: "{{ httpd_service }}"
     state: restarted
 
 - name: Restart sssd

diff --git a/src/roles/httpd/tasks/external_auth/cleanup.yml b/src/roles/httpd/tasks/external_auth/cleanup.yml
@@ -1,7 +1,7 @@
 ---
 - name: Remove external authentication configuration
   ansible.builtin.file:
-    path: "/etc/httpd/conf.d/05-{{ item }}.d/external_auth.conf"
+    path: "{{ httpd_conf_path}}/05-{{ item }}.d/external_auth.conf"
     state: absent
   notify:
     - Restart httpd
@@ -11,7 +11,7 @@
 
 - name: Remove Apache module configuration files for IPA authentication
   ansible.builtin.file:
-    path: /etc/httpd/conf.modules.d/55-{{ item }}.conf
+    path: "{{ httpd_modules_path }}/55-{{ item }}.conf"
     state: absent
   loop:
     - authnz_pam

diff --git a/src/roles/httpd/tasks/external_auth/ipa.yml b/src/roles/httpd/tasks/external_auth/ipa.yml
@@ -10,13 +10,13 @@
 
 - name: Create directory for Apache module configuration
   ansible.builtin.file:
-    path: /etc/httpd/conf.modules.d
+    path: "{{ httpd_modules_path }}"
     state: directory
     mode: "0755"
 
 - name: Load Apache modules for IPA authentication
   ansible.builtin.copy:
-    dest: /etc/httpd/conf.modules.d/55-{{ item }}.conf
+    dest: "{{ httpd_modules_path }}/55-{{ item }}.conf"
     content: |
       LoadModule {{ item }}_module modules/mod_{{ item }}.so
     mode: "0644"
@@ -66,13 +66,13 @@
 - name: Set keytab file permissions
   ansible.builtin.file:
     path: "{{ httpd_ipa_keytab }}"
-    owner: apache
-    group: apache
+    owner: "{{ httpd_user }}"
+    group: "{{ httpd_group }}"
     mode: "0600"
 
 - name: Create directory for Apache configuration fragments
   ansible.builtin.file:
-    path: /etc/httpd/conf.d/05-{{ item }}.d
+    path: "{{ httpd_conf_path }}/05-{{ item }}.d"
     state: directory
     mode: "0755"
   loop:
@@ -82,7 +82,7 @@
 - name: Deploy external authentication configuration
   ansible.builtin.template:
     src: external_auth.conf.j2
-    dest: /etc/httpd/conf.d/05-{{ item }}.d/external_auth.conf
+    dest: "{{ httpd_conf_path }}/05-{{ item }}.d/external_auth.conf"
     mode: "0644"
   notify:
     - Restart httpd

diff --git a/src/roles/httpd/tasks/main.yml b/src/roles/httpd/tasks/main.yml
@@ -1,9 +1,10 @@
 ---
+- name: Set OS dependent variables
+  ansible.builtin.include_vars: "{{ ansible_facts['os_family'] }}.yaml"
+
 - name: Install Apache httpd
   ansible.builtin.package:
-    name:
-      - httpd
-      - mod_ssl
+    name: "{{ httpd_packages }}"
     state: present
 
 - name: Set httpd_can_network_connect so Apache can connect to Puma and Gunicorn
@@ -13,9 +14,14 @@
     persistent: true
   when: ansible_facts['selinux']['status'] == "enabled"
 
+- name: Enable required modules
+  community.general.apache2_module:
+    name: "{{ item }}"
+  loop: "{{ httpd_modules }}"
+
 - name: Disable welcome page
   ansible.builtin.file:
-    path: /etc/httpd/conf.d/welcome.conf
+    path: "{{ httpd_conf_path }}/welcome.conf"
     state: absent
 
 - name: Create cert directories
@@ -31,8 +37,8 @@
   ansible.builtin.file:
     path: "{{ httpd_pub_dir }}"
     state: directory
-    group: apache
-    owner: apache
+    group: "{{ httpd_group }}"
+    owner: "{{ httpd_user }}"
     mode: "0755"
 
 - name: Deploy certificates
@@ -63,7 +69,7 @@
 - name: Configure MPM event module
   ansible.builtin.template:
     src: event.conf.j2
-    dest: /etc/httpd/conf.modules.d/event.conf
+    dest: "{{ httpd_modules_path }}/event.conf"
     mode: "0644"
   notify:
     - Restart httpd
@@ -79,28 +85,28 @@
 - name: Configure foreman vhost
   ansible.builtin.template:
     src: foreman-vhost.conf.j2
-    dest: /etc/httpd/conf.d/foreman.conf
+    dest: "{{ httpd_conf_path }}/foreman.conf"
     mode: "0644"
   notify:
     - Restart httpd
 
 - name: Configure foreman-ssl vhost
   ansible.builtin.template:
     src: foreman-ssl-vhost.conf.j2
-    dest: /etc/httpd/conf.d/foreman-ssl.conf
+    dest: "{{ httpd_conf_path }}/foreman-ssl.conf"
     mode: "0644"
   notify:
     - Restart httpd
 
 - name: Create systemd drop-in directory for httpd
   ansible.builtin.file:
-    path: /etc/systemd/system/httpd.service.d
+    path: /etc/systemd/system/{{ httpd_service }}.service.d
     state: directory
     mode: "0755"
 
 - name: Add httpd to foreman.target
   ansible.builtin.copy:
-    dest: /etc/systemd/system/httpd.service.d/foreman-target.conf
+    dest: /etc/systemd/system/{{ httpd_service }}.service.d/foreman-target.conf
     mode: "0644"
     content: |
       [Install]
@@ -117,6 +123,6 @@
 
 - name: Start Apache httpd
   ansible.builtin.service:
-    name: httpd
+    name: "{{ httpd_service }}"
     state: started
     enabled: true
diff --git a/src/roles/httpd/tasks/sssd.yml b/src/roles/httpd/tasks/sssd.yml
@@ -39,7 +39,7 @@
     path: /etc/sssd/sssd.conf
     section: ifp
     option: allowed_uids
-    value: "root, apache"
+    value: "root, {{ httpd_user }}"
     mode: "0600"
   notify:
     - Restart sssd

diff --git a/src/roles/httpd/templates/foreman-ssl-vhost.conf.j2 b/src/roles/httpd/templates/foreman-ssl-vhost.conf.j2
@@ -2,12 +2,12 @@
   ServerName {{ ansible_facts['fqdn'] }}
 
   ## Load additional static includes
-  IncludeOptional "/etc/httpd/conf.d/05-foreman-ssl.d/*.conf"
+  IncludeOptional "{{ httpd_conf_path }}/05-foreman-ssl.d/*.conf"
 
   ## Logging
-  ErrorLog "/var/log/httpd/foreman-ssl_error_ssl.log"
+  ErrorLog "{{ httpd_log_path }}/foreman-ssl_error_ssl.log"
   ServerSignature Off
-  CustomLog "/var/log/httpd/foreman-ssl_access_ssl.log" combined
+  CustomLog "{{ httpd_log_path }}/foreman-ssl_access_ssl.log" combined
 
   ## Request header rules
   ## as per http://httpd.apache.org/docs/2.4/mod/mod_headers.html#requestheader

diff --git a/src/roles/httpd/templates/foreman-vhost.conf.j2 b/src/roles/httpd/templates/foreman-vhost.conf.j2
@@ -2,12 +2,12 @@
   ServerName {{ ansible_facts['fqdn'] }}
 
   ## Load additional static includes
-  IncludeOptional "/etc/httpd/conf.d/05-foreman.d/*.conf"
+  IncludeOptional "{{ httpd_conf_path }}/05-foreman.d/*.conf"
 
   ## Logging
-  ErrorLog "/var/log/httpd/foreman_error.log"
+  ErrorLog "{{ httpd_log_path }}/foreman_error.log"
   ServerSignature Off
-  CustomLog "/var/log/httpd/foreman_access.log" combined
+  CustomLog "{{ httpd_log_path }}/foreman_access.log" combined
 
   ## Request header rules
   ## as per http://httpd.apache.org/docs/2.4/mod/mod_headers.html#requestheader

diff --git a/src/roles/httpd/vars/Debian.yaml b/src/roles/httpd/vars/Debian.yaml
@@ -0,0 +1,15 @@
+---
+httpd_packages:
+  - apache2
+httpd_etc_path: /etc/apache2
+httpd_conf_path: "{{ httpd_etc_path }}/conf-enabled"
+httpd_modules_path: "{{ httpd_etc_path }}/mods-enabled"
+httpd_service: apache2
+httpd_log_path: /var/log/apache2
+httpd_user: www-data
+httpd_group: www-data
+httpd_modules:
+  - ssl
+  - headers
+  - proxy
+  - proxy_http
diff --git a/src/roles/httpd/vars/RedHat.yaml b/src/roles/httpd/vars/RedHat.yaml
@@ -0,0 +1,12 @@
+---
+httpd_packages:
+  - httpd
+  - mod_ssl
+httpd_etc_path: /etc/httpd
+httpd_conf_path: "{{ httpd_etc_path }}/conf.d"
+httpd_modules_path: "{{ httpd_etc_path }}/conf.modules.d"
+httpd_service: httpd
+httpd_log_path: /var/log/httpd
+httpd_user: apache
+httpd_group: apache
+httpd_modules: []
diff --git a/src/roles/images/tasks/deploy_image.yaml b/src/roles/images/tasks/deploy_image.yaml
@@ -7,7 +7,7 @@
     quadlet_filename: "{{ images_definition.name }}"
     quadlet_file_mode: "0644"
     quadlet_options:
-      - "Policy=missing"
+      - "{{ 'Policy=missing' if ansible_facts['os_family'] != 'Debian' else '' }}"
       - |
         [Service]
         Environment=REGISTRY_AUTH_FILE={{ images_registry_auth_file }}

diff --git a/src/roles/images/tasks/pull.yaml b/src/roles/images/tasks/pull.yaml
@@ -9,6 +9,8 @@
           Policy=always
         mode: "0644"
       loop: "{{ images_deployed_names | default([]) }}"
+      when:
+        - ansible_facts['os_family'] != 'Debian'
 
     - name: Run daemon reload
       ansible.builtin.systemd:

diff --git a/src/roles/pre_install/tasks/main.yaml b/src/roles/pre_install/tasks/main.yaml
@@ -7,13 +7,14 @@
   ansible.builtin.package:
     name:
       - podman
+      - netavark
 
 - name: Install other dependencies
   ansible.builtin.package:
     name:
       - bash-completion
       - python3-cryptography
-      - python3-libsemanage
+      - "{{ 'python3-semanage' if ansible_facts['os_family'] == 'Debian' else 'python3-libsemanage' }}"
       - python3-psycopg2
       - python3-requests
       - python3-requests-oauthlib
diff --git a/tests/hammer_test.py b/tests/hammer_test.py
@@ -1,8 +1,15 @@
+import pytest
+
+
 def test_hammer_ping(server):
+    if server.system_info.distribution == 'debian':
+        pytest.xfail('Hammer is not properly set up on Debian yet')
     hammer = server.run("hammer ping")
     assert hammer.succeeded
 
 
 def test_hammer_organizations_list(server):
+    if server.system_info.distribution == 'debian':
+        pytest.xfail('Hammer is not properly set up on Debian yet')
     hammer = server.run("hammer organization list")
     assert hammer.succeeded
-Original file line number
+Diff line change
@@ Expand Up / @@ -8,6 +8,7 @@ @@
           ansible.builtin.package:
             name:
               - nmap
+              - curl
     - name: Execute tests
       gather_facts: false
@@ Expand Down @@