fix(configuration): enable per-family time-sync and skip sudo-rs lecture

2026-05-31 12:30:26 +02:00
parent 579c499c02
commit 477c8379c4
3 changed files with 39 additions and 36 deletions
--- a/roles/configuration/tasks/banner.yml
+++ b/roles/configuration/tasks/banner.yml
@@ -42,25 +42,37 @@
 - name: Configure sudo banner
  when: system_cfg.features.banner.sudo | bool
  block:
-    - name: Create sudo lecture file
-      ansible.builtin.copy:
-        content: |
-          I am Groot, and I know what I'm doing.
-        dest: /mnt/etc/sudo_lecture
-        mode: "0644"
-        owner: root
-        group: root
+    - name: Detect the target sudo implementation
+      ansible.builtin.command: "{{ chroot_command }} /usr/bin/sudo --version"
+      register: configuration_sudo_version
+      changed_when: false
+      failed_when: false

-    - name: Enable sudo lecture in sudoers
-      ansible.builtin.lineinfile:
-        path: /mnt/etc/sudoers
-        line: "{{ item }}"
-        state: present
-        create: true
-        mode: "0440"
-        owner: root
-        group: root
-        validate: "/usr/sbin/visudo --check --file=%s"
-      loop:
-        - "Defaults lecture=always"
-        - "Defaults lecture_file=/etc/sudo_lecture"
+    # sudo-rs (Ubuntu 25.10+) implements neither `lecture` nor `lecture_file`
+    # and warns on every sudo call when they are set. It prints its version banner
+    # to stderr, not stdout, so match against both streams.
+    - name: Configure the sudo lecture
+      when: "'sudo-rs' not in (configuration_sudo_version.stdout ~ configuration_sudo_version.stderr)"
+      block:
+        - name: Create sudo lecture file
+          ansible.builtin.copy:
+            content: |
+              I am Groot, and I know what I'm doing.
+            dest: /mnt/etc/sudo_lecture
+            mode: "0644"
+            owner: root
+            group: root
+
+        - name: Enable sudo lecture in sudoers
+          ansible.builtin.lineinfile:
+            path: /mnt/etc/sudoers
+            line: "{{ item }}"
+            state: present
+            create: true
+            mode: "0440"
+            owner: root
+            group: root
+            validate: "/usr/sbin/visudo --check --file=%s"
+          loop:
+            - "Defaults lecture=always"
+            - "Defaults lecture_file=/etc/sudo_lecture"
--- a/roles/configuration/tasks/services.yml
+++ b/roles/configuration/tasks/services.yml
@@ -40,9 +40,9 @@
  vars:
    configuration_systemd_services: >-
      {{
-        ['NetworkManager']
+        ['NetworkManager', _configuration_platform.time_sync_service]
        + ([_configuration_platform.ssh_service] if system_cfg.features.ssh.enabled | bool else [])
-        + (['logrotate', 'systemd-timesyncd'] if os == 'archlinux' else [])
+        + (['logrotate'] if os == 'archlinux' else [])
        + (['bluetooth'] if system_cfg.features.desktop.enabled | bool else [])
      }}
  ansible.builtin.command: "{{ chroot_command }} systemctl enable {{ item }}"
@@ -70,14 +70,6 @@
    or 'No such file or directory' in (configuration_enable_dm_result.stderr | default(''))
    or 'does not exist' in (configuration_enable_dm_result.stderr | default(''))

- name: Activate UFW firewall
-  when:
-    - system_cfg.features.firewall.backend == 'ufw'
-    - system_cfg.features.firewall.enabled | bool
-  ansible.builtin.command: "{{ chroot_command }} ufw --force enable"
-  register: _ufw_enable_result
-  changed_when: _ufw_enable_result.rc == 0
-  failed_when: false
 - name: Enable ly on its tty
  when:
    - _configuration_platform.init_system == 'systemd'