Bookworm was released on 2023-06-10, thus it's time to work on Fundraising environment support.

• import pxeboot kernel and get preseed working
• figure out puppet 7 changes, develop a v7 + v5.5 migration that allows us to support earlier Debian releases (see T338195)
• deprecated php-geoip package? we're almost positive it's a legacy thing, from pre-composer days
• update puppet CA directory to new location at /etc/puppet/puppetserver/ca
• work through each server role to find/fix puppet issues (add subtasks for this)
  • analytics - puppet runs, otherwise blocked on Superset which isn't bundled for bookworm yet
  • auth - dist-upgrade, kerberos and freeradius/yubikey works
  • backup - dist-upgraded
  • banner_logger - kafkatee needs patching/packaging see https://gerrit.wikimedia.org/r/c/analytics/kafkatee/+/961174
  • bastion - dist-upgraded
  • build - dist upgraded, seems to require a CA refresh, didn't try to move CA dir to /etc per recommendation
  • civicrm - dist-upgrade with post-reboot puppet run and mariadb upgrade
  • frdata - dist-upgrade with post-reboot puppet run and mariadb upgrade
  • frdev - python3-abba built, php config streamlined
  • frmx - dist-upgrade, basic SMTP works fine, SMTP TLS + letsencrypt cert still needs testing
  • fundraising_database, frdb_* - perccli repackaged, mariadb upgrade has to happen after a reboot then puppet run
  • logger - dist-upgrade, central logging works
  • monitoring - dist-upgrade, prometheus/grafana basic function tested
  • network_security - fresh install runs clean, with expected errors around cert install dirs vs manual nessus install
  • pay_lvs - blocked on pybal - see T200319 and proposed liberica project T332027
  • payments_listener
  • payments - dist-upgrade with post-reboot puppet run and mariadb upgrade
  • queue - redis v7, we should flush queues first, look at SSL and enable append-only files
  • siem - dist-upgraded, tested aiderator collection and reporting