fix(bootstrap): resolve interface-only network, sshd penalties, dnf scriptlets, and EFI cleanup

roles/bootstrap/tasks/_dnf_family.yml

@@ -18,6 +18,9 @@
         groupinstall -y {{ _dnf_groups }}
       register: bootstrap_dnf_base_result
       changed_when: bootstrap_dnf_base_result.rc == 0
+      failed_when:
+        - bootstrap_dnf_base_result.rc != 0
+        - "'scriptlet' not in bootstrap_dnf_base_result.stderr"
 
     - name: Ensure chroot has DNS resolution
       ansible.builtin.file:

roles/cleanup/tasks/libvirt.yml

@@ -72,6 +72,12 @@
             | trim
           }}
 
+    - name: Ensure boot device is set to hard disk in VM XML
+      when: "'<boot ' not in cleanup_libvirt_domain_xml_clean"
+      ansible.builtin.set_fact:
+        cleanup_libvirt_domain_xml_clean: >-
+          {{ cleanup_libvirt_domain_xml_clean | regex_replace('(</type>)', '\1\n    <boot dev="hd"/>') }}
+
     - name: Update VM definition without installer media
       community.libvirt.virt:
         command: define

roles/environment/tasks/_detect_live.yml

@@ -68,6 +68,23 @@
       Boot from a live installer (Arch, Debian, Ubuntu, etc.) and retry.
     quiet: true
 
+- name: Harden sshd for Ansible automation
+  ansible.builtin.blockinfile:
+    path: /etc/ssh/sshd_config
+    marker: "# {mark} BOOTSTRAP ANSIBLE SETTINGS"
+    block: |
+      PerSourcePenalties no
+      MaxStartups 50:30:100
+      ClientAliveInterval 30
+      ClientAliveCountMax 10
+  register: _sshd_config_result
+
+- name: Restart sshd immediately if config was changed
+  when: _sshd_config_result is changed
+  ansible.builtin.service:
+    name: sshd
+    state: restarted
+
 - name: Abort if the host is not booted from the Arch install media
   when:
     - not (custom_iso | bool)

roles/environment/tasks/_prepare_installer.yml

@@ -25,6 +25,7 @@
     state: latest
   loop:
     - { name: glibc }
+    - { name: lua, os: [almalinux, fedora, rhel, rocky] }
     - { name: dnf, os: [almalinux, fedora, rhel, rocky] }
     - { name: debootstrap, os: [debian, ubuntu, ubuntu-lts] }
     - { name: debian-archive-keyring, os: [debian] }

roles/global_defaults/tasks/system.yml

@@ -17,6 +17,27 @@
     - name: Normalize disk configuration
       ansible.builtin.include_tasks: _normalize_disks.yml
 
+- name: Populate primary network fields from first interface
+  when:
+    - system_cfg is defined
+    - system_cfg.network.interfaces | default([]) | length > 0
+    - system_cfg.network.ip | default('') | string | length == 0
+  vars:
+    _primary: "{{ system_cfg.network.interfaces[0] }}"
+  ansible.builtin.set_fact:
+    system_cfg: >-
+      {{
+        system_cfg | combine({
+          'network': system_cfg.network | combine({
+            'bridge': _primary.bridge | default(''),
+            'vlan': _primary.vlan | default(''),
+            'ip': _primary.ip | default(''),
+            'prefix': _primary.prefix | default(''),
+            'gateway': _primary.gateway | default('')
+          })
+        }, recursive=True)
+      }}
+
 - name: Check if pre-computed system_cfg needs enrichment
   when: system_cfg is defined
   ansible.builtin.set_fact:

roles/virtualization/tasks/delete.yml

@@ -40,10 +40,10 @@
       failed_when: false
 
     - name: Undefine libvirt VM
-      community.libvirt.virt:
-        name: "{{ hostname }}"
-        command: undefine
-        uri: "{{ libvirt_uri | default('qemu:///system') }}"
+      ansible.builtin.command:
+        cmd: "virsh -c {{ libvirt_uri | default('qemu:///system') }} undefine {{ hostname }} --nvram"
+      register: _libvirt_undefine_result
+      changed_when: _libvirt_undefine_result.rc == 0
       failed_when: false
 
     - name: Remove libvirt disk images