fix: deep analysis audit — no_log, resolv.conf, service conflicts, lint

roles/configuration/tasks/bootloader.yml

@@ -21,19 +21,19 @@
 
     - name: Check existing EFI boot entries
       ansible.builtin.command: efibootmgr
-      register: _efi_entries
+      register: configuration_efi_entries
       changed_when: false
 
     - name: Ensure EFI boot entry exists
-      when: ('* ' + _efi_vendor) not in _efi_entries.stdout
+      when: ('* ' + _efi_vendor) not in configuration_efi_entries.stdout
       ansible.builtin.command: >-
         efibootmgr -c
         -L '{{ _efi_vendor }}'
         -d '{{ install_drive }}'
         -p 1
         -l '\EFI\{{ _efi_vendor }}\{{ _efi_loader }}'
-      register: _efi_entry_result
-      changed_when: _efi_entry_result.rc == 0
+      register: configuration_efi_entry_result
+      changed_when: configuration_efi_entry_result.rc == 0
 
     - name: Ensure lvm2 for non btrfs filesystems
       when: os == "archlinux" and system_cfg.filesystem != "btrfs"

roles/configuration/tasks/encryption.yml

@@ -142,7 +142,7 @@
         regexp: "^HOOKS="
         line: >-
           HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole
-          block sd-encrypt lvm2 filesystems fsck)
+          block sd-encrypt{{ ' lvm2' if system_cfg.filesystem != 'btrfs' else '' }} filesystems fsck)
 
     - name: Read mkinitcpio configuration
       when: os == 'archlinux'

roles/configuration/tasks/services.yml

@@ -10,7 +10,7 @@
       if system_cfg.features.ssh.enabled | bool else ''
     }}
     {{
-      'logrotate systemd-resolved systemd-timesyncd systemd-networkd'
+      ' logrotate systemd-timesyncd'
       if os == 'archlinux' else ''
     }}
   register: configuration_enable_services_result

roles/configuration/tasks/users.yml

@@ -7,6 +7,7 @@
   ansible.builtin.command: "{{ configuration_root_cmd }}"
   register: configuration_root_result
   changed_when: configuration_root_result.rc == 0
+  no_log: true
 
 - name: Create user accounts
   vars:
@@ -24,6 +25,7 @@
     label: "{{ item.name }}"
   register: configuration_user_result
   changed_when: configuration_user_result.rc == 0
+  no_log: true
 
 - name: Ensure .ssh directory exists
   when: item['keys'] | default([]) | length > 0