sandwich/Ansible-Bootstrap
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix(configuration): enable per-family time-sync and skip sudo-rs lecture

Browse Source
This commit is contained in:
Sandwich
2026-05-31 12:30:26 +02:00
parent 579c499c02
commit 477c8379c4
3 changed files with 39 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

54
roles/configuration/tasks/banner.yml
View File

@@ -42,25 +42,37 @@
- name: Configure sudo banner - name: Configure sudo banner
when: system_cfg.features.banner.sudo | bool when: system_cfg.features.banner.sudo | bool
block: block:
- name: Create sudo lecture file - name: Detect the target sudo implementation
ansible.builtin.copy: ansible.builtin.command: "{{ chroot_command }} /usr/bin/sudo --version"
content: | register: configuration_sudo_version
I am Groot, and I know what I'm doing. changed_when: false
dest: /mnt/etc/sudo_lecture failed_when: false
mode: "0644"
owner: root
group: root
- name: Enable sudo lecture in sudoers # sudo-rs (Ubuntu 25.10+) implements neither `lecture` nor `lecture_file`
ansible.builtin.lineinfile: # and warns on every sudo call when they are set. It prints its version banner
path: /mnt/etc/sudoers # to stderr, not stdout, so match against both streams.
line: "{{ item }}" - name: Configure the sudo lecture
state: present when: "'sudo-rs' not in (configuration_sudo_version.stdout ~ configuration_sudo_version.stderr)"
create: true block:
mode: "0440" - name: Create sudo lecture file
owner: root ansible.builtin.copy:
group: root content: |
validate: "/usr/sbin/visudo --check --file=%s" I am Groot, and I know what I'm doing.
loop: dest: /mnt/etc/sudo_lecture
- "Defaults lecture=always" mode: "0644"
- "Defaults lecture_file=/etc/sudo_lecture" owner: root
group: root
- name: Enable sudo lecture in sudoers
ansible.builtin.lineinfile:
path: /mnt/etc/sudoers
line: "{{ item }}"
state: present
create: true
mode: "0440"
owner: root
group: root
validate: "/usr/sbin/visudo --check --file=%s"
loop:
- "Defaults lecture=always"
- "Defaults lecture_file=/etc/sudo_lecture"

12
roles/configuration/tasks/services.yml
View File

@@ -40,9 +40,9 @@
vars: vars:
configuration_systemd_services: >- configuration_systemd_services: >-
{{ {{
['NetworkManager'] ['NetworkManager', _configuration_platform.time_sync_service]
+ ([_configuration_platform.ssh_service] if system_cfg.features.ssh.enabled | bool else []) + ([_configuration_platform.ssh_service] if system_cfg.features.ssh.enabled | bool else [])
+ (['logrotate', 'systemd-timesyncd'] if os == 'archlinux' else []) + (['logrotate'] if os == 'archlinux' else [])
+ (['bluetooth'] if system_cfg.features.desktop.enabled | bool else []) + (['bluetooth'] if system_cfg.features.desktop.enabled | bool else [])
}} }}
ansible.builtin.command: "{{ chroot_command }} systemctl enable {{ item }}" ansible.builtin.command: "{{ chroot_command }} systemctl enable {{ item }}"
@@ -70,14 +70,6 @@
or 'No such file or directory' in (configuration_enable_dm_result.stderr | default('')) or 'No such file or directory' in (configuration_enable_dm_result.stderr | default(''))
or 'does not exist' in (configuration_enable_dm_result.stderr | default('')) or 'does not exist' in (configuration_enable_dm_result.stderr | default(''))
- name: Activate UFW firewall
when:
- system_cfg.features.firewall.backend == 'ufw'
- system_cfg.features.firewall.enabled | bool
ansible.builtin.command: "{{ chroot_command }} ufw --force enable"
register: _ufw_enable_result
changed_when: _ufw_enable_result.rc == 0
failed_when: false
- name: Enable ly on its tty - name: Enable ly on its tty
when: when:
- _configuration_platform.init_system == 'systemd' - _configuration_platform.init_system == 'systemd'

9
roles/configuration/vars/main.yml
View File

@@ -1,12 +1,11 @@
--- ---
# Platform-specific configuration values keyed by os_family. # Keyed by os_family; tasks read configuration_platform_config[os_family] as _configuration_platform.
# Consumed as _configuration_platform in tasks via:
# configuration_platform_config[os_family]
configuration_platform_config: configuration_platform_config:
RedHat: RedHat:
user_group: wheel user_group: wheel
sudo_group: "%wheel" sudo_group: "%wheel"
ssh_service: sshd ssh_service: sshd
time_sync_service: chronyd
efi_loader: shimx64.efi efi_loader: shimx64.efi
grub_install: false grub_install: false
initramfs_cmd: "/usr/bin/dracut --regenerate-all --force" initramfs_cmd: "/usr/bin/dracut --regenerate-all --force"
@@ -17,6 +16,7 @@ configuration_platform_config:
user_group: sudo user_group: sudo
sudo_group: "%sudo" sudo_group: "%sudo"
ssh_service: ssh ssh_service: ssh
time_sync_service: chrony
efi_loader: grubx64.efi efi_loader: grubx64.efi
grub_install: true grub_install: true
initramfs_cmd: >- initramfs_cmd: >-
@@ -29,6 +29,7 @@ configuration_platform_config:
user_group: wheel user_group: wheel
sudo_group: "%wheel" sudo_group: "%wheel"
ssh_service: sshd ssh_service: sshd
time_sync_service: systemd-timesyncd
efi_loader: grubx64.efi efi_loader: grubx64.efi
grub_install: true grub_install: true
initramfs_cmd: "/usr/sbin/mkinitcpio -P" initramfs_cmd: "/usr/sbin/mkinitcpio -P"
@@ -36,7 +37,6 @@ configuration_platform_config:
locale_gen: true locale_gen: true
init_system: systemd init_system: systemd
# Display manager auto-detection from desktop environment name.
configuration_desktop_dm_map: configuration_desktop_dm_map:
gnome: gdm gnome: gdm
kde: sddm kde: sddm
@@ -48,7 +48,6 @@ configuration_desktop_session_cmd_map:
sway: sway sway: sway
hyprland: Hyprland hyprland: Hyprland
# PipeWire user units enabled globally when a desktop is installed.
# pipewire/pipewire-pulse are socket-activated; wireplumber ships no socket. # pipewire/pipewire-pulse are socket-activated; wireplumber ships no socket.
configuration_desktop_audio_units: configuration_desktop_audio_units:
- pipewire.socket - pipewire.socket