This originally appeared on the Annexe.

If you use popular third-party Debian repos such as Sury, you need the apt-transport-https package first. If you use Ansible:

- name: Install dependencies
  apt:
    name: apt-transport-https
    state: present
- name: Install sury repo key
  apt_key:
    url: ""  # URL of the repo signing key
    state: present
- name: Install sury repo
  apt_repository:
    repo: deb {{ ansible_distribution_release }} main
    update_cache: yes

And naturally you’re filtering outbound firewall traffic too, because you’re competent. In which case, make sure you’re permitting outbound https traffic as well:

- name: Enable outbound https
  ufw:
    rule: allow
    direction: out
    port: https
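
To see which outbound rules your configured repos actually need, the following added example (not from the original post) parses one-line-style APT source entries and prints the scheme, host and port each one requires. The function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: derive the outbound endpoints APT needs from one-line-style
# source entries ("deb [options] uri suite components") read on stdin.
apt_egress_needs() {
    awk '
        # Only active entries; comments and blank lines are skipped.
        $1 != "deb" && $1 != "deb-src" { next }
        {
            i = 2
            # Skip an optional [ ... ] option block, which may contain spaces.
            if ($i ~ /^\[/) {
                while (i <= NF && $i !~ /\]$/) i++
                i++
            }
            uri = $i
            if (uri !~ /^https?:\/\//) next   # file:, cdrom: etc. need no egress
            scheme = uri; sub(/:.*/, "", scheme)
            host = uri
            sub(/^[a-z]+:\/\//, "", host)     # drop scheme
            sub(/\/.*/, "", host)             # drop path
            sub(/^.*@/, "", host)             # drop any userinfo (credentials)
            port = (scheme == "https") ? 443 : 80
            # An explicit :port overrides the scheme default.
            if (host ~ /:[0-9]+$/) {
                port = host; sub(/.*:/, "", port)
                sub(/:[0-9]+$/, "", host)
            }
            print scheme, host, port
        }
    ' | LC_ALL=C sort -u
}

# Constructed sample entries (hypothetical hosts apart from deb.debian.org).
sample_sources() {
    cat <<'EOF'
deb http://deb.debian.org/debian bookworm main
deb [arch=amd64 signed-by=/usr/share/keyrings/example.gpg] https://packages.example.org/php/ bookworm main
# deb https://disabled.example.org/ bookworm main
deb-src https://packages.example.org/php/ bookworm main
deb https://mirror.example.net:8443/debian bookworm main
deb file:/srv/local-repo ./
EOF
}

sample_sources | apt_egress_needs
```

On a real host, pipe in `/etc/apt/sources.list` and the `.list` files under `/etc/apt/sources.list.d/`; deb822-style `.sources` files use a different format and are not handled here.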