Thanks for your kind words and welcome to our forums! :)

I have had a little play with Bullseye, but as you note, we haven't yet set up our Bullseye repo properly. We do have keys generated (tkl-bullseye-main & tkl-bullseye-security; as well as tkl-bullseye-testing), but again as you note, bullseye-security (and bullseye-testing) are the only repos we've created so far.

I really hope to get to Bullseye (which will be the basis for our upcoming v17.x) soon, but I have been been blocked until relatively recently (key generation is outside my role) and since I've been unblocked, I've been busy with other stuff and am yet to circle back to it. Completing (and/or fixing) the Bullseye repos will be the first step when I do, but I have no ETA on when I might get to it (I really hope to get the repos working within the next few weeks, but can't promise).

As Buster (the basis of v16.x) is still getting full Debian security support (for 12 months; plus will almost certainly get LTS support for a few more years after that), I'd currently recommend that TurnKey v16.x users don't upgrade yet at all. That is at least until we have the repos set up (and even then, in the early stages, I'll likely only have packages in the 'bullseye-testing" repo). FYI as stability is generally king on a server, personally I rarely upgrade until Debian does their first point release at the earliest (i.e. Bullseye 11.1). FWIW, one of my colleagues is still running Stretch (it's still supported by LTS until June 30, 2022 - although I'm not saying that as a recommendation)!

As it sounds like you've already committed to the upgrade, then my next recommendation would be to just leave the TKL sources.list lines as they were (i.e. still pointing to 'buster' key & repo). I suspect that we probably won't be issuing any updates to those anyway. But if we do, they'll be just as compatible with Bullseye as the current Buster packages are. Just commenting them out (as it sounds you've done) is also a legitimate option.

As for the TKL Buster security repo, to date, we've never had any need to push security updates within the life of Buster (obviously Debian did, but none of our custom packages required it). So it's expected to be empty and that would explain your experience there.

As for your broken Lighty appliance, unfortunately, I'm not 100% sure on what might be required there (mostly because I'm yet to try any of this myself yet). Although having a heads up that it might require some tweaks is good info; so thanks for sharing. If you wish to proceed with that, please feel free to share more specifics (ideally the explicit error messages it's giving as it fails) and I'm happy to try assisting with that if you wish.

Whilst we aim to support "normal" Debian upgrades, it's also worth noting that many of our appliance tweaks and security hardening steps aren't packaged. So doing a Debian upgrade of a v16.x appliance, will not strictly give you a v17.x appliance (especially before we've released v17.0; but even after we have). Because of that, generally we have recommended migrating your data to a new server instead.

FYI TKLBAM was originally intended to fulfil the data migration role (the 'M' is for migration), although in more recent times we've had quite a few reports of more complex appliances requiring manually intervention (which I'm always happy to assist with). TKLBAM as it currently stands will be included in v17.x, but behind the scenes, we are looking at a full rewrite of that which we hope to release ASAP. Unfortunately though, I expect it will be quite some time away as the dev working on that has been temporarily poached. When he's back on board, he will likely assist with the v17.0 release before getting back to TKLBAM2.0 development.

I hope I've covered everything and it all makes sense... Please feel free to post back if it doesn't and/or I missed something and/or you have further questions...

Also I'll try to remember to post back here re v17.0 updates, but please keep an eye on the blog (and/or mailing list) for announcements...