
Ansible on Debian 13 Trixie Automation Complete Guide

By Luca Berton · Published 2024-01-01 · Category: installation

Automate Debian 13 (Trixie) servers with Ansible: APT, AppArmor, nftables, systemd, Docker, Kubernetes, hardening, and patching.

Debian 13 (Trixie), released in mid-2025, replaces Debian 12 Bookworm as the current stable release. It ships Linux 6.12 LTS, OpenSSH 9.9, Python 3.13, and systemd 256, and modernizes networking around nftables by default. Standard support runs through 2028 and LTS extends through 2030. This guide is the master overview for automating Trixie with Ansible.

Debian 13 release facts

| Item | Value |
|---|---|
| Code name | Trixie |
| Release | 2025-08 (target) |
| Standard support | until 2028 |
| LTS | until 2030 |
| Default kernel | 6.12 LTS |
| Default Python | 3.13 |
| Default OpenSSH | 9.9p1 |
| Default firewall | nftables |
| systemd | 256 |

See also: Ansible on Debian 12 Bookworm Automation Complete Guide

Ansible-core compatibility

Use ansible-core 2.20 (or current stable). Python 3.13 on managed nodes requires ansible-core >= 2.18.

Inventory

[debian13]
host-01.example.com
host-02.example.com

[debian13:vars]
ansible_user=admin
ansible_python_interpreter=/usr/bin/python3

See also: How to install Ansible in Debian 13 Trixie

Baseline playbook

---
- name: Debian 13 Trixie baseline
  hosts: debian13
  become: true
  tasks:
    - name: Update apt cache
      ansible.builtin.apt:
        update_cache: true
        cache_valid_time: 3600

    - name: Install baseline packages
      ansible.builtin.apt:
        name:
          - vim
          - curl
          - htop
          - chrony
          - nftables
          - apparmor
          - apparmor-utils
          - unattended-upgrades
        state: present

    - name: Enable nftables
      ansible.builtin.service: { name: nftables, enabled: true, state: started }

    - name: Enable AppArmor
      ansible.builtin.service: { name: apparmor, enabled: true, state: started }

nftables firewall

- name: Configure nftables on Trixie
  hosts: debian13
  become: true
  handlers:
    - name: reload nftables
      ansible.builtin.service: { name: nftables, state: reloaded }
  tasks:
    - name: Drop ruleset
      ansible.builtin.copy:
        dest: /etc/nftables.conf
        owner: root
        mode: "0644"
        content: |
          #!/usr/sbin/nft -f
          flush ruleset
          table inet filter {
            chain input {
              type filter hook input priority 0; policy drop;
              ct state established,related accept
              iif "lo" accept
              tcp dport 22 accept
              tcp dport 443 accept
              icmp type echo-request accept
            }
            chain forward { type filter hook forward priority 0; policy drop; }
            chain output  { type filter hook output  priority 0; policy accept; }
          }
      notify: reload nftables


OpenSSH 9.9 hardening

- name: SSH hardening on Trixie
  hosts: debian13
  become: true
  handlers:
    - name: restart sshd
      ansible.builtin.service: { name: ssh, state: restarted }
  tasks:
    - name: Hardened SSH drop-in
      ansible.builtin.copy:
        dest: /etc/ssh/sshd_config.d/10-hardened.conf
        mode: "0644"
        content: |
          PasswordAuthentication no
          PermitRootLogin no
          KexAlgorithms sntrup761x25519-sha512@openssh.com,curve25519-sha256
          MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
          Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
          MaxAuthTries 3
        validate: 'sshd -tf %s'
      notify: restart sshd
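The playbooks above apply settings but never prove they took effect, so the following verification play is added here as an example (not part of the original guide): it checks the ansible-core/Python requirement from the compatibility section, then reads the effective sshd configuration, the live nftables input chain and the AppArmor state on the managed nodes. The `debian13` group, the `inet filter` table name and the drop-in path are taken from the playbooks above; everything else is assumed.

```yaml
---
- name: Verify Trixie baseline, nftables and SSH hardening
  hosts: debian13
  become: true
  tasks:
    - name: Fail early on an unsupported OS or an ansible-core too old for Python 3.13 targets
      ansible.builtin.assert:
        that:
          - ansible_facts['distribution'] == 'Debian'
          - ansible_facts['distribution_major_version'] == '13'
          - ansible_facts['python']['version']['major'] == 3
          - ansible_version.full is version('2.18', '>=')
        fail_msg: "Debian 13 with ansible-core >= 2.18 is required"

    # sshd -T prints the merged, effective configuration (drop-ins included),
    # keywords lower-cased, so this catches a drop-in that was never Included.
    - name: Read the effective sshd configuration
      ansible.builtin.command: sshd -T
      changed_when: false
      register: sshd_effective

    - name: Assert the hardened SSH values are really in effect
      ansible.builtin.assert:
        that:
          - "'passwordauthentication no' in sshd_effective.stdout_lines"
          - "'permitrootlogin no' in sshd_effective.stdout_lines"
          - "'maxauthtries 3' in sshd_effective.stdout_lines"
        fail_msg: "sshd -T does not reflect /etc/ssh/sshd_config.d/10-hardened.conf"

    # Query the kernel, not the file: a ruleset that failed to load leaves
    # /etc/nftables.conf looking correct while the host stays wide open.
    - name: Read the live nftables input chain
      ansible.builtin.command: nft list chain inet filter input
      changed_when: false
      register: nft_input

    - name: Assert the input chain is default-deny and still allows SSH
      ansible.builtin.assert:
        that:
          - "'policy drop' in nft_input.stdout"
          - "'tcp dport 22 accept' in nft_input.stdout"
        fail_msg: "inet filter input chain is missing or not default-deny"

    - name: Check AppArmor is enabled (aa-enabled prints Yes and exits 0)
      ansible.builtin.command: aa-enabled
      changed_when: false
      register: aa_state
      failed_when: aa_state.stdout | trim != 'Yes'
```

Run it with `ansible-playbook -i inventory verify.yml` after the hardening plays; a failed assert names the exact setting that did not land.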

Docker CE on Debian 13

- name: Install Docker CE on Trixie
  hosts: debian13
  become: true
  tasks:
    - name: Add Docker GPG key
      ansible.builtin.get_url:
        url: https://download.docker.com/linux/debian/gpg
        dest: /etc/apt/keyrings/docker.asc
        mode: "0644"

    - name: Add Docker apt repo
      ansible.builtin.apt_repository:
        repo: "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian trixie stable"
        state: present

    - name: Install Docker
      ansible.builtin.apt:
        name: [docker-ce, docker-ce-cli, containerd.io, docker-compose-plugin]
        state: present
        update_cache: true

Kubernetes 1.32 on Trixie

- name: K8s 1.32 worker on Debian 13
  hosts: debian13
  become: true
  tasks:
    # A mount entry for path "swap" normally does not exist, so removing it does
    # nothing; disable swap now and comment out the real fstab entries instead.
    - name: Turn swap off now (kubelet refuses to start with swap enabled by default)
      ansible.builtin.command: swapoff -a
      when: ansible_facts['swaptotal_mb'] | int > 0
      changed_when: true

    - name: Comment out swap entries in /etc/fstab so swap stays off after reboot
      ansible.builtin.replace:
        path: /etc/fstab
        regexp: '^([^#\s]\S*\s+\S+\s+swap\s+.*)$'
        replace: '# \1'

    # pkgs.k8s.io serves an ASCII-armored key; apt accepts it in signed-by when
    # it is stored with the .asc suffix, the same pattern used for Docker above.
    - name: Add Kubernetes 1.32 signing key
      ansible.builtin.get_url:
        url: https://pkgs.k8s.io/core:/stable:/v1.32/deb/Release.key
        dest: /etc/apt/keyrings/kubernetes.asc
        mode: "0644"

    - name: Add Kubernetes 1.32 repo
      ansible.builtin.apt_repository:
        repo: "deb [signed-by=/etc/apt/keyrings/kubernetes.asc] https://pkgs.k8s.io/core:/stable:/v1.32/deb/ /"
        state: present

    - name: Install components
      ansible.builtin.apt:
        name: [kubelet, kubeadm, kubectl, containerd]
        state: present
        update_cache: true
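Installing the packages is not enough for `kubeadm join` to pass its preflight checks, so the following play is added here as an example (not from the original guide): it loads the kernel modules containerd and CNI plugins rely on, enables IPv4 forwarding, and holds the Kubernetes packages so an unattended `apt upgrade` cannot move a worker to a different minor version. The `debian13` group comes from the page; the modules, sysctl key and file paths are standard kubeadm prerequisites assumed here.

```yaml
---
- name: kubeadm worker prerequisites on Debian 13 (run before joining)
  hosts: debian13
  become: true
  tasks:
    - name: Load kernel modules needed by containerd (overlay) and CNI plugins (br_netfilter)
      community.general.modprobe:
        name: "{{ item }}"
        state: present
      loop: [overlay, br_netfilter]

    - name: Persist the modules across reboots
      ansible.builtin.copy:
        dest: /etc/modules-load.d/k8s.conf
        mode: "0644"
        content: |
          overlay
          br_netfilter

    - name: Enable IPv4 forwarding (kubeadm preflight fails without it)
      ansible.posix.sysctl:
        name: net.ipv4.ip_forward
        value: "1"
        sysctl_file: /etc/sysctl.d/k8s.conf
        reload: true

    # unattended-upgrades from the baseline play would otherwise pull in any
    # newer kubelet published to the v1.32 channel at its own pace.
    - name: Hold the Kubernetes packages so apt upgrades cannot skew versions
      ansible.builtin.dpkg_selections:
        name: "{{ item }}"
        selection: hold
      loop: [kubelet, kubeadm, kubectl]
```

The play needs the `community.general` and `ansible.posix` collections on the control node (`ansible-galaxy collection install community.general ansible.posix`).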

Best practices

• Migrate UFW rules to nftables (the upstream default in Trixie).
• Use post-quantum SSH KEX (sntrup761x25519) where peers support it.
• Track upstream Debian security advisories; ESM is via Debian LTS, not commercial vendors.
• Validate apt upgrades against snapshots/btrfs subvolumes if available.

Conclusion

Debian 13 Trixie modernizes the Debian stack around nftables, OpenSSH 9.9, and Python 3.13. Ansible playbooks from Bookworm need only minor edits — primarily replacing iptables/ufw with nftables rules — to run cleanly on Trixie.
