I'm assume that we will be providing a note on how to upgrade as well as how to install from new and how to convert from Debian.
So I thought it might be useful to document my experience and any trip hazards I encountered.

I upgraded just over a week ago, using the same steps as described above.
Where it asked about if I wanted to accept new default config files I chose to keep those I already had.
I was already using the most recent backported 6.1 kernel prior to the upgrade.
A simple replace edit of sources list is however not entirely sufficient as you should add the 'non-free firmware' to each line.
With that change I had no problems in the upgrade as such.

I use unattended-upgrades to install any security package updates daily.
I had to change the line  "o=Devuan,n=chimaera-security" to  "o=Devuan,n=daedalus-security" in /etc/apt/apt.conf.d/50unattended-upgrades.

My motherboard (a MSI B550) use a custom chip to monitor fan speeds in particular.
There is a corresponding kernel module but it was not loaded. I ran

sudo modprobe nct6687.ko

to load it and then sensors could see it.

Grub no longer runs osprober by default. If you have been using it to create grub menu items to boot to alternative OS on your machine you will need to as root restore it in the file /etc/default/grub by un-commenting the line

#GRUB_DISABLE_OS_PROBER=false

and then run update-grub as root.

Also relating to grub the menu on my PC now works with my usb keyboard (it didn't on Chimaera).

rsyslog creates fewer log files, such as /var/log/mail.{info,warn,err}. The messages are still there in /var/log/mail.log.
If you have another program reading any of these, e.g. fail2ban, you will need to get it to read /var/log/mail.log instead.
Similarly /var/log/{messages,debug,daemon.log} are also no longer being updated. Their messages are still there in /var/log/syslog.
All these (and their log-rotated counterparts) can now be removed.
Logrotate itself is working as expected on my PC.

Just for info. I run Cinnamon. After the upgrade Gnome programs (such as Evolution and System Monitor) now duplicate the Max/Min/Close symbols and Title that are in the Window Title Bar in the top line of the program. Nothing fatal but it looks odd.

There are some changes in Bookworm (and hence Daedelus) that don't affect my PC but might others e.g. the packages that set the system clock and reduced accessibility support.
Changes to Bookworm (and by default Daedulus) are covered in the release notes' Chapter 5 Issues to be aware of for bookworm https://www.debian.org/releases/bookwor … on.en.html

From the user Desktop (I use Cinnamon) Synaptic is authorised to open a root graphics session (gtk) through pkexec (which is what pops up the authorisation requester) and behind that is polkit.
Might be worth having a look in /var/log/auth.log to see if it's throwing errors.

On my PC a recent synaptic session was logged in /var/log/auth.log like this:

Jul  3 17:33:18 grendel polkitd(authority=local): Operator of unix-session:1 successfully authenticated as unix-user:marjorie to gain ONE-SHOT authorization for action com.ubuntu.pkexec.synaptic for unix-process:13922:214554138 [/bin/sh /usr/bin/synaptic-pkexec] (owned by unix-user:marjorie)
Jul  3 17:33:18 grendel pkexec: pam_unix(polkit-1:session): session opened for user root(uid=0) by (uid=1000)
Jul  3 17:33:18 grendel pkexec[13925]: marjorie: Executing command [USER=root] [TTY=unknown] [CWD=/home/marjorie] [COMMAND=/usr/sbin/synaptic]

My software stack is:
Host: grendel
Kernel: 6.1.0-0.deb11.7-amd64 x86_64
compiler: gcc v: 10.2.1
Desktop: Cinnamon 4.8.6
tk: GTK 3.24.24
wm: muffin 4.8.1
dm: LightDM 1.26.0
Distro: Devuan GNU/Linux 4 (chimaera)

Hi,

You have posted the output of lshw as an image - the font is tiny and I, at least, find it unreadable, so it's hard to help you further.

This is my output of the same command on my PC posted  with code delimiters.

I'm running a AMD B550 motherboard with a AMD Ryzen 5 5600G with Radeon Graphics.

sudo lshw -C video
  *-display                 
       description: VGA compatible controller
       product: Cezanne
       vendor: Advanced Micro Devices, Inc. [AMD/ATI]
       physical id: 0
       bus info: pci@0000:30:00.0
       version: c9
       width: 64 bits
       clock: 33MHz
       capabilities: pm pciexpress msi msix vga_controller bus_master cap_list rom
       configuration: driver=amdgpu latency=0
       resources: irq:37 memory:d0000000-dfffffff memory:e0000000-e01fffff ioport:e000(size=256) memory:fcb00000-fcb7ffff memory:c0000-dffff

Can you do the same, please?

Also it would be helpful if you can say what you are aiming for in video,

Hi Ralph. Yes, perhaps I'm just not very good at expressing my understanding of this.

The Debian wiki says:

So I suspect that in the default installation the fail2ban configuration assumes that iptables is installed, calls iptables and uses iptables-nft to translate.
Not quite the same thing as going nftables native.

Hence it seems that the simplest solution for the OP is, as you have said, to reinstall iptables.

Wondering if you've ended up with some form of hybrid iptables/nftables fail2ban config.

can you post the contents of your  /etc/fail2ban/jail.conf and /etc/fail2ban/jail.local file?

I used this guide to set up my mail system (with apache2 and postfix/dovecot support)
https://workaround.org/bullseye/firewal … igation-2/
I just needed translate the usual systemd systemctl call to sysvintit service calls.

I have a 5600G running Chimaera.
AMD issued fixes for the integrated graphics in the 5600G in backported kernel 5.15, this also fixed an issue I had with the lack of a driver for the sensor (nct6687) on my MSI B550 motherboard.
I have since attempted to install more recent backport kernels but I found that they have issues. In particular Signal Desktop (from the repositories) and Zoom (from Zoom) often almost froze when starting. It seems to be a graphics issue.
This may well have been fixed in newer kernels than the ones I tried but if you are still having issues having followed Rolfie's advice I suggest you try 5.15 (LTS until at least October 2023).
I still get freeze issues with 5.15 if I try to suspend and resume. Hibernate and resume works fine.

You could try this nftables.conf.

This is based on mine, which works, the only changes are that I've pruned the additional ports I've opened on mine for email, ntp, dns, monitoring.

#!/usr/sbin/nft -f
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;

    iifname lo accept
    ct state established,related accept
    tcp dport ssh ct state new accept
    tcp dport http ct state new accept
    tcp dport https ct state new accept
    
     # ICMP: errors, pings
     ip protocol icmp icmp type { echo-request, echo-reply, destination-unreachable, time-exceeded, parameter-problem, router-solicitation, router-advertisement } accept
     # ICMPv6: errors, pings, routing
     ip6 nexthdr icmpv6 counter accept comment "accept all ICMP types"

     # Reject other packets
     ip protocol tcp reject with tcp reset
  }
}

In order to run nvidia video drivers the init will have to insert the nvidia kernel module, done by a modprobe. I have a pc (not my main pc) with an nvidia card and it invariably came up with an insert nvidia kernel module fail message early in the boot process though it would go on and succeed subsequently 'tainting the kernel'.

If you have deleted some 'modprobe nvidia files' you may have disabled this insertion.

When you change the kernel version the nvidia kernel module also needs to be recompiled and to do so requires that you have the matching kernel headers as well as the new kernel itself. If everything is present it does this automatically, however the PC will then need to be rebooted.

AFAIK (I've only used it as a live disk to test compatibility with my PC and then switched to using the full installer as I need something more complicated)  the live installer just does a basic job of reproducing the configuration that comes on the live iso. It installs everything to a single partition on the target disk, complete with / and /home, Not sure what it does about swap.
If you have an existing /home on another disk it will know nothing about that. If /home is on another partition but on the same disk it will remove it when if formats the disk.
After installing you can go into the new installation and remap its /etc/fstab to point /home to your existing /home partition.

I think its optional. Although its in the main repository, lots of useful utilities are optional. If it's there you should find it be searching for it in synaptic. If you find it just install it.

When I searched for it in synaptic history (file/history) I see that I installed it myself.

I use unattended upgrades to install security upgrades on both my main PC and my mail server.

I didn't find it that difficult to get working.

1. Install package

2. Consult man page

man unattended-upgrades

read the lines

CONFIGURATION
       The  configuration  is  done  via  the  apt  configuration  mechanism.  The  default  configuration  file can be found at
       /etc/apt/apt.conf.d/50unattended-upgrades

3. Open (as root/sudo) the file  /etc/apt/apt.conf.d/50unattended-upgrades and configure.
The file is largely self-documenting.

This includes changing the default distribution and package.

This is my fixed/working version. I suspect its unchanged (apart from changing ascii to chimaera in line 43) since I used ascii.

// Unattended-Upgrade::Origins-Pattern controls which packages are
// upgraded.
//
// Lines below have the format format is "keyword=value,...".  A
// package will be upgraded only if the values in its metadata match
// all the supplied keywords in a line.  (In other words, omitted
// keywords are wild cards.) The keywords originate from the Release
// file, but several aliases are accepted.  The accepted keywords are:
//   a,archive,suite (eg, "stable")
//   c,component     (eg, "main", "contrib", "non-free")
//   l,label         (eg, "Devuan", "Devuan-Security")
//   o,origin        (eg, "Devuan")
//   n,codename      (eg, "ascii", "ascii-updates")
//     site          (eg, "deb.devuan.org")
// The available values on the system are printed by the command
// "apt-cache policy", and can be debugged by running
// "unattended-upgrades -d" and looking at the log file.
//
// Within lines unattended-upgrades allows 2 macros whose values are
// derived from /etc/debian_version:
//   ${distro_id}            Installed origin.
//   ${distro_codename}      Installed codename (eg, "ascii")
Unattended-Upgrade::Origins-Pattern {
        // Codename based matching:
        // This will follow the migration of a release through different
        // archives (e.g. from testing to stable and later oldstable).
//      "o=Devuan,n=ascii";
//      "o=Devuan,n=ascii-updates";
//      "o=Devuan,n=ascii-proposed-updates";

        // Archive or Suite based matching:
        // Note that this will silently match a different release after
        // migration to the specified archive (e.g. testing becomes the
        // new stable).
//      "o=Devuan,a=stable";
//      "o=Devuan,a=stable-updates";
//      "o=Devuan,a=proposed-updates";

        // Activate *-security by default.
        // This will make it easier for Devuan derivatives.
        // "a=*-security";
	//
	"o=Devuan,n=chimaera-security";
};

// List of packages to not update (regexp are supported)
Unattended-Upgrade::Package-Blacklist {
//	"vim";
//	"libc6";
//	"libc6-dev";
//	"libc6-i686";
};

// This option allows you to control if on a unclean dpkg exit
// unattended-upgrades will automatically run 
//   dpkg --force-confold --configure -a
// The default is true, to ensure updates keep getting installed
//Unattended-Upgrade::AutoFixInterruptedDpkg "false";

// Split the upgrade into the smallest possible chunks so that
// they can be interrupted with SIGUSR1. This makes the upgrade
// a bit slower but it has the benefit that shutdown while a upgrade
// is running is possible (with a small delay)
//Unattended-Upgrade::MinimalSteps "true";

// Install all unattended-upgrades when the machine is shutting down
// instead of doing it in the background while the machine is running
// This will (obviously) make shutdown slower
//Unattended-Upgrade::InstallOnShutdown "true";

// Send email to this address for problems or packages upgrades
// If empty or unset then no email is sent, make sure that you
// have a working mail setup on your system. A package that provides
// 'mailx' must be installed. E.g. "user@example.com"
Unattended-Upgrade::Mail "root";

// Set this value to "true" to get emails only on errors. Default
// is to always send a mail if Unattended-Upgrade::Mail is set
//Unattended-Upgrade::MailOnlyOnError "true";

// Do automatic removal of new unused dependencies after the upgrade
// (equivalent to apt-get autoremove)
Unattended-Upgrade::Remove-Unused-Dependencies "true";

// Automatically reboot *WITHOUT CONFIRMATION* if
//  the file /var/run/reboot-required is found after the upgrade 
//Unattended-Upgrade::Automatic-Reboot "false";

// Automatically reboot even if there are users currently logged in.
//Unattended-Upgrade::Automatic-Reboot-WithUsers "true";

// If automatic reboot is enabled and needed, reboot at the specific
// time instead of immediately
//  Default: "now"
//Unattended-Upgrade::Automatic-Reboot-Time "02:00";

// Use apt bandwidth limit feature, this example limits the download
// speed to 70kb/sec
//Acquire::http::Dl-Limit "70";

// Enable logging to syslog. Default is False
Unattended-Upgrade::SyslogEnable "true";

// Specify syslog facility. Default is daemon
// Unattended-Upgrade::SyslogFacility "daemon";

It might be nicer if the Chimaera version included Devuan/Chimaera/security defaults (my line 43):

       "o=Devuan,n=chimaera-security"; 

But not sure its really worth pestering our admins to do this every time Debian change it upstream as there are other options in the config you might want to change anyway ( I don't do auto reboots or install non-security ungrades, I do ask it to email me when upgrades happen) though a mention in the release notes might help as at the very least you do need to change that line, or it's equivalent, to include 'chimaera' when upgrading.

I run apt both on my mail server and my main PC via 0anacron and apt-compat in /etc/cron.daily so it should check for updates daily. For a server you could just call it directly from cron, however as I often hibernate rather than reboot my main PC overnight I also get it to check for updates on resume (cron doesn't run jobs called when the computer is turned off at the designated time).

I always understood 'fake' RAID/bios RAID doesn't work with Linux.

I do use mdadm RAID1 on my desktop machine, but not on my html/email server and it can help to cover disk failure and some forms of corruption but I would strongly recommend that you do an actual backup of your /root as well as your /home directories regularly to somewhere else. You may choose different solutions/frequencies for /root and /home.

However as you had finally got your nginx htmp server working that is when I would have made a backup of both.

The brtfs filesystem allows for snapshoting of your live system. You can also snapshot a ext4 system if it's inside a LVM2. There are also offline backup solutions where you boot from an alternative root system e.g. from a recovery disk on a usb drive and then run a backup of your unmounted filesystem from that.