Great job! Now is a good time to learn a bit of Ansible so you can keep your fleet up to date and configured. It would also come in handy in case you get a permit to do more conversions in the future.
A long-lost host (a machine that’s been offline or in a closed-off network, etc.) can find its master (puppetserver) when it sees the daylight again with the regularly polling puppet agent service. This is not as straightforward with Ansible’s push model.
The old preferred way is to run testing/unstable with apt-pin (testing repos with higher priority). This way, if a package causes breakage, it’s a quicker fix from unstable than from testing. Also, security patches come to unstable first.