Debian trixie upgrades, third batch

upgrade all those servers to Debian trixie.

20 TPA machines

• alberti.torproject.org (can be done before the YEC, ⭐ ) [@groente]
• arti-test-net-01.torproject.org (forgotten in Debian trixie upgrades, second batch (#42070 - closed), can be done any time, ⭐ )
• ci-runner-x86-14.torproject.org (forgotten in Debian trixie upgrades, second batch (#42070 - closed), can be done any time, ⭐ )
• crm-int-01.torproject.org (blocked by https://gitlab.torproject.org/tpo/web/civicrm/-/issues/196, wait until after the YEC, postponed to mid/end January, @anarcat)
• dal-node-01.torproject.org (see #42069 (comment 3245186) before doing the ganeti upgrade)
• dal-node-02.torproject.org
• dal-node-03.torproject.org
• fsn-node-01.torproject.org
• fsn-node-02.torproject.org
• fsn-node-03.torproject.org
• fsn-node-04.torproject.org
• fsn-node-05.torproject.org
• fsn-node-06.torproject.org
• fsn-node-07.torproject.org
• fsn-node-08.torproject.org
• gitlab-02.torproject.org (blocked by upstream #9225, waiting for GitLab 18.5, scheduled for October 16th, fix released, but will wait until January 2026, @zen)
• nevii.torproject.org (DO NOT DO THIS BEFORE DOING THE DNSSEC SWITCH FIRST, AKA blocked by #42268 (closed))
• pauli.torproject.org (wait until after the YEC and @lavamind)
• puppetdb-01.torproject.org (wait until after the YEC and @lavamind)
• snowflake-staging-01.torproject.org (forgotten in Debian trixie upgrades, second batch (#42070 - closed), can be done any time, ⭐)

11 tails servers

• isobuilder1.lizard → decommissioned (tails-sysadmin#18210 (closed))
• isobuilder2.lizard → decommissioned (tails-sysadmin#18210 (closed))
• isobuilder3.lizard → decommissioned (tails-sysadmin#18210 (closed))
• isobuilder4.lizard → decommissioned (tails-sysadmin#18210 (closed))
• isoworker1.dragon (running trixie, but currently shut down, return to production blocked by tails-sysadmin#18232 (closed))
• isoworker2.dragon (blocked by #42169 (closed), tails-sysadmin#18232 (closed) and tails-sysadmin#18175 (closed), requires coordination with tails team!) [@lelutin]
  • important note for all isoworker* servers: puppet will install a pin for squashfs-tools-ng to keep it at the bookworm version, but it might not enforce its downgrade. during OS upgrades after puppet was run in trixie, make sure that squashfs-tools-ng was downgraded to the bookworm version or run apt install squashfs-tools-ng to get it downgraded.
• isoworker3.dragon (blocked by #42169 (closed), tails-sysadmin#18232 (closed) and tails-sysadmin#18175 (closed), requires coordination with tails team!) [@lelutin]
• isoworker4.dragon (blocked by #42169 (closed), tails-sysadmin#18232 (closed) and tails-sysadmin#18175 (closed), requires coordination with tails team!) [@lelutin]
• isoworker5.dragon (blocked by #42169 (closed), tails-sysadmin#18232 (closed) and tails-sysadmin#18175 (closed), requires coordination with tails team!) [@lelutin]
• isoworker6.iguana (blocked by #42169 (closed), tails-sysadmin#18232 (closed) and tails-sysadmin#18175 (closed), requires coordination with tails team!) [@lelutin]
• isoworker7.iguana (blocked by #42169 (closed), tails-sysadmin#18232 (closed) and tails-sysadmin#18175 (closed), requires coordination with tails team!) [@lelutin]
• isoworker8.iguana (blocked by #42169 (closed), tails-sysadmin#18232 (closed) and tails-sysadmin#18175 (closed), requires coordination with tails team!) [@lelutin]
• isoworkers-mail.dragon (blocked by #42169 (closed)) [@lelutin]
• jenkins.dragon
• survey.lizard → decommissioned (#41945 (closed))
• translate.lizard

there's currently not set date for those upgrades, but we're hoping to complete those by the end of 2025. the due date is set as a reminder aligned to after the YEC.