fix(configuration): enable per-family time-sync and skip sudo-rs lecture

roles/configuration/tasks/banner.yml

@@ -41,6 +41,18 @@
 
 - name: Configure sudo banner
   when: system_cfg.features.banner.sudo | bool
+  block:
+    - name: Detect the target sudo implementation
+      ansible.builtin.command: "{{ chroot_command }} /usr/bin/sudo --version"
+      register: configuration_sudo_version
+      changed_when: false
+      failed_when: false
+
+    # sudo-rs (Ubuntu 25.10+) implements neither `lecture` nor `lecture_file`
+    # and warns on every sudo call when they are set. It prints its version banner
+    # to stderr, not stdout, so match against both streams.
+    - name: Configure the sudo lecture
+      when: "'sudo-rs' not in (configuration_sudo_version.stdout ~ configuration_sudo_version.stderr)"
       block:
         - name: Create sudo lecture file
           ansible.builtin.copy:

roles/configuration/tasks/services.yml

@@ -40,9 +40,9 @@
   vars:
     configuration_systemd_services: >-
       {{
-        ['NetworkManager']
+        ['NetworkManager', _configuration_platform.time_sync_service]
         + ([_configuration_platform.ssh_service] if system_cfg.features.ssh.enabled | bool else [])
-        + (['logrotate', 'systemd-timesyncd'] if os == 'archlinux' else [])
+        + (['logrotate'] if os == 'archlinux' else [])
         + (['bluetooth'] if system_cfg.features.desktop.enabled | bool else [])
       }}
   ansible.builtin.command: "{{ chroot_command }} systemctl enable {{ item }}"
@@ -70,14 +70,6 @@
     or 'No such file or directory' in (configuration_enable_dm_result.stderr | default(''))
     or 'does not exist' in (configuration_enable_dm_result.stderr | default(''))
 
-- name: Activate UFW firewall
-  when:
-    - system_cfg.features.firewall.backend == 'ufw'
-    - system_cfg.features.firewall.enabled | bool
-  ansible.builtin.command: "{{ chroot_command }} ufw --force enable"
-  register: _ufw_enable_result
-  changed_when: _ufw_enable_result.rc == 0
-  failed_when: false
 - name: Enable ly on its tty
   when:
     - _configuration_platform.init_system == 'systemd'

roles/configuration/vars/main.yml

@@ -1,12 +1,11 @@
 ---
-# Platform-specific configuration values keyed by os_family.
-# Consumed as _configuration_platform in tasks via:
-#   configuration_platform_config[os_family]
+# Keyed by os_family; tasks read configuration_platform_config[os_family] as _configuration_platform.
 configuration_platform_config:
   RedHat:
     user_group: wheel
     sudo_group: "%wheel"
     ssh_service: sshd
+    time_sync_service: chronyd
     efi_loader: shimx64.efi
     grub_install: false
     initramfs_cmd: "/usr/bin/dracut --regenerate-all --force"
@@ -17,6 +16,7 @@ configuration_platform_config:
     user_group: sudo
     sudo_group: "%sudo"
     ssh_service: ssh
+    time_sync_service: chrony
     efi_loader: grubx64.efi
     grub_install: true
     initramfs_cmd: >-
@@ -29,6 +29,7 @@ configuration_platform_config:
     user_group: wheel
     sudo_group: "%wheel"
     ssh_service: sshd
+    time_sync_service: systemd-timesyncd
     efi_loader: grubx64.efi
     grub_install: true
     initramfs_cmd: "/usr/sbin/mkinitcpio -P"
@@ -36,7 +37,6 @@ configuration_platform_config:
     locale_gen: true
     init_system: systemd
 
-# Display manager auto-detection from desktop environment name.
 configuration_desktop_dm_map:
   gnome: gdm
   kde: sddm
@@ -48,7 +48,6 @@ configuration_desktop_session_cmd_map:
   sway: sway
   hyprland: Hyprland
 
-# PipeWire user units enabled globally when a desktop is installed.
 # pipewire/pipewire-pulse are socket-activated; wireplumber ships no socket.
 configuration_desktop_audio_units:
   - pipewire.socket