diff --git a/roles/configuration/tasks/banner.yml b/roles/configuration/tasks/banner.yml
index 18fcdc8..6eababd 100644
--- a/roles/configuration/tasks/banner.yml
+++ b/roles/configuration/tasks/banner.yml
@@ -42,25 +42,37 @@ - name: Configure sudo banner when: system_cfg.features.banner.sudo | bool block: - - name: Create sudo lecture file - ansible.builtin.copy: - content: | - I am Groot, and I know what I'm doing. - dest: /mnt/etc/sudo_lecture - mode: "0644" - owner: root - group: root + - name: Detect the target sudo implementation + ansible.builtin.command: "{{ chroot_command }} /usr/bin/sudo --version" + register: configuration_sudo_version + changed_when: false + failed_when: false - - name: Enable sudo lecture in sudoers - ansible.builtin.lineinfile: - path: /mnt/etc/sudoers - line: "{{ item }}" - state: present - create: true - mode: "0440" - owner: root - group: root - validate: "/usr/sbin/visudo --check --file=%s" - loop: - - "Defaults lecture=always" - - "Defaults lecture_file=/etc/sudo_lecture" + # sudo-rs (Ubuntu 25.10+) implements neither `lecture` nor `lecture_file` + # and warns on every sudo call when they are set. It prints its version banner + # to stderr, not stdout, so match against both streams. + - name: Configure the sudo lecture + when: "'sudo-rs' not in (configuration_sudo_version.stdout ~ configuration_sudo_version.stderr)" + block: + - name: Create sudo lecture file + ansible.builtin.copy: + content: | + I am Groot, and I know what I'm doing. + dest: /mnt/etc/sudo_lecture + mode: "0644" + owner: root + group: root + + - name: Enable sudo lecture in sudoers + ansible.builtin.lineinfile: + path: /mnt/etc/sudoers + line: "{{ item }}" + state: present + create: true + mode: "0440" + owner: root + group: root + validate: "/usr/sbin/visudo --check --file=%s" + loop: + - "Defaults lecture=always" + - "Defaults lecture_file=/etc/sudo_lecture"
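Review bot: The `when:` on the new "Configure the sudo lecture" block dereferences `configuration_sudo_version.stdout` and `.stderr` bare, whereas services.yml in this same diff guards the equivalent lookup with `configuration_enable_dm_result.stderr | default('')`; because the detection task runs with `failed_when: false`, a failure to exec `/usr/bin/sudo` inside the chroot is deliberately tolerated, so the conditional should be equally defensive: `when: "'sudo-rs' not in ((configuration_sudo_version.stdout | default('')) ~ (configuration_sudo_version.stderr | default('')))"`. Note that the fallback direction on any detection failure is "write the lecture config", and `visudo --check` will accept those `Defaults` lines, so a sudo-rs host where the probe silently failed would still get the unsupported directives; consider surfacing `configuration_sudo_version.rc` in a debug task or failing when it is non-zero. The new block only skips on sudo-rs and never removes the two `Defaults` lines, so a host configured before this change keeps them (`state: present` only); if that matters, an `absent` counterpart in the sudo-rs branch would make the task idempotent across the upgrade. The enclosing "Configure sudo banner" block starts above the hunk.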
diff --git a/roles/configuration/tasks/services.yml b/roles/configuration/tasks/services.yml
index 4b13ec8..c58ec36 100644
--- a/roles/configuration/tasks/services.yml
+++ b/roles/configuration/tasks/services.yml
@@ -40,9 +40,9 @@ vars: configuration_systemd_services: >- {{ - ['NetworkManager'] + ['NetworkManager', _configuration_platform.time_sync_service] + ([_configuration_platform.ssh_service] if system_cfg.features.ssh.enabled | bool else []) - + (['logrotate', 'systemd-timesyncd'] if os == 'archlinux' else []) + + (['logrotate'] if os == 'archlinux' else []) + (['bluetooth'] if system_cfg.features.desktop.enabled | bool else []) }} ansible.builtin.command: "{{ chroot_command }} systemctl enable {{ item }}"
@@ -70,14 +70,6 @@ or 'No such file or directory' in (configuration_enable_dm_result.stderr | default('')) or 'does not exist' in (configuration_enable_dm_result.stderr | default('')) -- name: Activate UFW firewall when: - system_cfg.features.firewall.backend == 'ufw' - system_cfg.features.firewall.enabled | bool - ansible.builtin.command: "{{ chroot_command }} ufw --force enable" - register: _ufw_enable_result - changed_when: _ufw_enable_result.rc == 0 - failed_when: false - name: Enable ly on its tty when: - _configuration_platform.init_system == 'systemd'
diff --git a/roles/configuration/vars/main.yml b/roles/configuration/vars/main.yml
index 03d79bc..e90f2a8 100644
--- a/roles/configuration/vars/main.yml
+++ b/roles/configuration/vars/main.yml
@@ -1,12 +1,11 @@ --- -# Platform-specific configuration values keyed by os_family. -# Consumed as _configuration_platform in tasks via: -# configuration_platform_config[os_family] +# Keyed by os_family; tasks read configuration_platform_config[os_family] as _configuration_platform. configuration_platform_config: RedHat: user_group: wheel sudo_group: "%wheel" ssh_service: sshd + time_sync_service: chronyd efi_loader: shimx64.efi grub_install: false initramfs_cmd: "/usr/bin/dracut --regenerate-all --force"
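Review bot: `_configuration_platform.time_sync_service` is now enabled unconditionally on every platform, but the loop's `register`/`failed_when` handling sits below the hunk, so it is not visible whether a missing unit is tolerated; on RedHat and Debian the value resolves to `chronyd`/`chrony` (vars/main.yml in this diff), which unlike `systemd-timesyncd` is not part of systemd itself, so `systemctl enable` inside the chroot will fail if no earlier role installs the package. At minimum document the dependency next to the list, `# time_sync_service must be installed by the package step; enable fails on a missing unit`, or make the entry conditional on the unit being present. Separately, the second hunk of this file removes the "Activate UFW firewall" task with no replacement visible in this diff; unless `ufw --force enable` is re-added elsewhere, hosts with `firewall.backend == 'ufw'` and `firewall.enabled` true will end up with an installed but inactive firewall, which is worth stating in the commit description.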
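Review bot: `time_sync_service` becomes a mandatory key of every `configuration_platform_config` entry, since tasks/services.yml in this same diff indexes it without a default, but nothing in the file says so; a missing entry would surface as a templating error at the `systemctl enable` loop rather than here. Suggest a comment on the new RedHat line (the hunks at -17 and -29 add the same key for Debian and Arch), e.g. `# time_sync_service: required for every entry; tasks/services.yml enables it unconditionally.`. The replacement header comment is also a single ~100-column line where the removed three-line version stayed within 80 columns; splitting it after `os_family;` keeps it readable.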
@@ -17,6 +16,7 @@ configuration_platform_config: user_group: sudo sudo_group: "%sudo" ssh_service: ssh + time_sync_service: chrony efi_loader: grubx64.efi grub_install: true initramfs_cmd: >-
@@ -29,6 +29,7 @@ configuration_platform_config: user_group: wheel sudo_group: "%wheel" ssh_service: sshd + time_sync_service: systemd-timesyncd efi_loader: grubx64.efi grub_install: true initramfs_cmd: "/usr/sbin/mkinitcpio -P"
@@ -36,7 +37,6 @@ configuration_platform_config: locale_gen: true init_system: systemd -# Display manager auto-detection from desktop environment name. configuration_desktop_dm_map: gnome: gdm kde: sddm
@@ -48,7 +48,6 @@ configuration_desktop_session_cmd_map: sway: sway hyprland: Hyprland -# PipeWire user units enabled globally when a desktop is installed. # pipewire/pipewire-pulse are socket-activated; wireplumber ships no socket. configuration_desktop_audio_units: - pipewire.socket
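Review bot: The -36 hunk drops the only comment on `configuration_desktop_dm_map`, leaving a bare mapping from desktop names to display-manager units with no statement of what keys are expected or who consumes it; the -48 hunk is fine because it keeps the socket-activation line that actually explains `configuration_desktop_audio_units`. Suggest restoring a one-liner above the map, `# Display manager unit per desktop environment name (system_cfg desktop value → dm).`, trimmed to whatever the consuming task actually reads. The map's remaining entries continue below the hunk.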