fix: encryption, partitioning, cis and virtualization hardening

roles/configuration/defaults/main.yml

@@ -1,7 +1,5 @@
 ---
-# Network configuration dispatch — maps OS name to the task file
+# Network configuration dispatch - maps OS name to the task file
 # that writes network config. Default (NetworkManager) applies to
 # all OSes not explicitly listed.
-configuration_network_task_map:
-  alpine: network_alpine.yml
-  void: network_void.yml
+configuration_network_task_map: {}

roles/configuration/tasks/encryption/initramfs.yml

@@ -16,9 +16,9 @@
       RedHat: >-
         {{ chroot_command }} dnf install -y
         clevis clevis-luks clevis-systemd tpm2-tools
-      Suse: >-
-        {{ chroot_command }} zypper install -y
-        clevis clevis-systemd tpm2.0-tools
+      Archlinux: >-
+        {{ chroot_command }} pacman -S --noconfirm --needed
+        clevis tpm2-tools
   ansible.builtin.command: "{{ _clevis_install_cmd[os_family] }}"
   register: _clevis_install_result
   changed_when: _clevis_install_result.rc == 0

roles/configuration/tasks/encryption/initramfs_detect.yml

@@ -3,7 +3,7 @@
 # Sets _initramfs_generator and _tpm2_method facts.
 #
 # Generator detection: derived from the platform's initramfs_cmd
-#   (dracut → dracut, mkinitcpio → mkinitcpio, else → initramfs-tools)
+#   (dracut -> dracut, mkinitcpio -> mkinitcpio, else -> initramfs-tools)
 # TPM2 method: systemd-cryptenroll when generator supports tpm2-device,
 #   clevis fallback otherwise. Non-native dracut installed automatically.
 

roles/configuration/tasks/encryption/keyfile.yml

@@ -107,7 +107,7 @@
       when: (configuration_luks_keyfile_unlock_test_after.rc | default(1)) != 0
       ansible.builtin.debug:
         msg: >-
-          LUKS keyfile enrollment failed — falling back to manual unlock at boot.
+          LUKS keyfile enrollment failed - falling back to manual unlock at boot.
           The system will prompt for the LUKS passphrase during startup.
 
     - name: Fallback to manual LUKS unlock if keyfile enrollment failed

roles/configuration/tasks/encryption/tpm2.yml

@@ -1,7 +1,7 @@
 ---
 # TPM2 enrollment via systemd-cryptenroll.
 # Works with dracut and mkinitcpio (sd-encrypt). The user-set passphrase
-# remains as a backup unlock method — no auto-generated keyfiles.
+# remains as a backup unlock method - no auto-generated keyfiles.
 - name: Enroll TPM2 for LUKS
   block:
     - name: Create temporary passphrase file for TPM2 enrollment

roles/configuration/tasks/extras.yml

@@ -30,7 +30,6 @@
 - name: Create zram config
   when:
     - (os != "debian" or (os_version | string) != "11") and os != "rhel"
-    - os not in ["alpine", "void"]
     - system_cfg.features.swap.enabled | bool
   ansible.builtin.copy:
     dest: /mnt/etc/systemd/zram-generator.conf

roles/configuration/tasks/sudo.yml

@@ -15,7 +15,8 @@
     validate: /usr/sbin/visudo --check --file=%s
 
 - name: Deploy per-user sudoers rules
-  when: item.value.sudo is defined and (item.value.sudo | string | length > 0)
+  # Jinja truthiness: bool true / a rule string => deploy; false / '' / unset => skip.
+  when: item.value.sudo | default(false)
   vars:
     configuration_sudoers_rule: >-
       {{ item.value.sudo if item.value.sudo is string else 'ALL=(ALL) NOPASSWD: ALL' }}