refactor(standardize): fix sudoers lecture syntax, extract ssh config, remove redundant os filters

roles/configuration/tasks/banner.yml

@@ -26,30 +26,25 @@
 - name: Configure sudo banner
   when: system_cfg.features.banner.sudo | bool
   block:
-    - name: Create sudoers banner directory
-      ansible.builtin.file:
-        path: /mnt/etc/sudoers.d
-        state: directory
-        mode: "0755"
-        owner: root
-        group: root
-
-    - name: Create sudo banner file
+    - name: Create sudo lecture file
       ansible.builtin.copy:
         content: |
           I am Groot, and I know what I'm doing.
-        dest: /mnt/etc/sudoers.d/banner
+        dest: /mnt/etc/sudo_lecture
         mode: "0644"
         owner: root
         group: root
 
-    - name: Enable sudo banner in sudoers
+    - name: Enable sudo lecture in sudoers
       ansible.builtin.lineinfile:
         path: /mnt/etc/sudoers
-        line: "Defaults lecture=@/etc/sudoers.d/banner"
+        line: "{{ item }}"
         state: present
         create: true
         mode: "0440"
         owner: root
         group: root
         validate: "/usr/sbin/visudo --check --file=%s"
+      loop:
+        - "Defaults lecture=always"
+        - "Defaults lecture_file=/etc/sudo_lecture"

roles/configuration/tasks/bootloader.yml

@@ -6,9 +6,9 @@
         configuration_use_efibootmgr: "{{ is_rhel | bool }}"
         configuration_efi_dir: "{{ partitioning_efi_mountpoint }}"
         configuration_bootloader_id: >-
-          {{ "ubuntu" if os | lower in ["ubuntu", "ubuntu-lts"] else os }}
+          {{ "ubuntu" if os in ["ubuntu", "ubuntu-lts"] else os }}
         configuration_efi_vendor: >-
-          {{ "redhat" if os | lower == "rhel" else os | lower }}
+          {{ "redhat" if os == "rhel" else os }}
         configuration_efibootmgr_cmd: >-
           /usr/sbin/efibootmgr -c -L '{{ os }}' -d "{{ install_drive }}" -p 1
           -l '\efi\EFI\{{ configuration_efi_vendor }}\shimx64.efi'
@@ -23,7 +23,7 @@
       changed_when: configuration_bootloader_result.rc == 0
 
     - name: Ensure lvm2 for non btrfs filesystems
-      when: os | lower == "archlinux" and system_cfg.filesystem != "btrfs"
+      when: os == "archlinux" and system_cfg.filesystem != "btrfs"
       ansible.builtin.lineinfile:
         path: /mnt/etc/mkinitcpio.conf
         regexp: "^(HOOKS=.*block)(?!.*lvm2)(.*)"
@@ -31,12 +31,12 @@
         backrefs: true
 
     - name: Regenerate initramfs
-      when: os | lower not in ["alpine", "void"]
+      when: os not in ["alpine", "void"]
       vars:
         configuration_initramfs_cmd: >-
           {{
             '/usr/sbin/mkinitcpio -P'
-            if os | lower == "archlinux"
+            if os == "archlinux"
             else (
               '/usr/bin/env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin '
               + '/usr/sbin/update-initramfs -u -k all'
@@ -51,7 +51,7 @@
     - name: Generate grub config
       vars:
         configuration_efi_vendor: >-
-          {{ "redhat" if os | lower == "rhel" else os | lower }}
+          {{ "redhat" if os == "rhel" else os }}
         configuration_grub_cfg_cmd: >-
           {{
             '/usr/sbin/grub2-mkconfig -o '

roles/configuration/tasks/encryption.yml

@@ -136,7 +136,7 @@
         mode: "0644"
 
     - name: Configure mkinitcpio hooks for LUKS
-      when: os | lower == 'archlinux'
+      when: os == 'archlinux'
       ansible.builtin.lineinfile:
         path: /mnt/etc/mkinitcpio.conf
         regexp: "^HOOKS="
@@ -145,13 +145,13 @@
           block sd-encrypt lvm2 filesystems fsck)
 
     - name: Read mkinitcpio configuration
-      when: os | lower == 'archlinux'
+      when: os == 'archlinux'
       ansible.builtin.slurp:
         src: /mnt/etc/mkinitcpio.conf
       register: configuration_mkinitcpio_slurp
 
     - name: Build mkinitcpio FILES list
-      when: os | lower == 'archlinux'
+      when: os == 'archlinux'
       vars:
         mkinitcpio_files_list: >-
           {{
@@ -180,7 +180,7 @@
         configuration_mkinitcpio_files_list_new: "{{ mkinitcpio_files_list_new }}"
 
     - name: Configure mkinitcpio FILES list
-      when: os | lower == 'archlinux'
+      when: os == 'archlinux'
       ansible.builtin.lineinfile:
         path: /mnt/etc/mkinitcpio.conf
         regexp: "^FILES="

roles/configuration/tasks/extras.yml

@@ -28,7 +28,7 @@
 - name: Create zram config
   when:
     - (os != "debian" or (os_version | string) != "11") and os != "rhel"
-    - os | lower not in ["alpine", "void"]
+    - os not in ["alpine", "void"]
     - system_cfg.features.swap.enabled | bool
   ansible.builtin.copy:
     dest: /mnt/etc/systemd/zram-generator.conf

roles/configuration/tasks/grub.yml

@@ -20,7 +20,7 @@
           {{
             (
               partitioning_main_uuid.stdout
-              if (system_cfg.filesystem | lower) == 'btrfs'
+              if system_cfg.filesystem == 'btrfs'
               else (partitioning_uuid_root | default([]) | first | default(''))
             )
             | default('')
@@ -36,11 +36,11 @@
                 else []
               )
             )
-            if (system_cfg.filesystem | lower) != 'btrfs'
+            if system_cfg.filesystem != 'btrfs'
             else []
           }}
         grub_root_flags: >-
-          {{ ['rootflags=subvol=@'] if (system_cfg.filesystem | lower) == 'btrfs' else [] }}
+          {{ ['rootflags=subvol=@'] if system_cfg.filesystem == 'btrfs' else [] }}
         grub_cmdline_linux_base: >-
           {{
             (['crashkernel=auto'] + grub_lvm_args)

roles/configuration/tasks/locales.yml

@@ -78,15 +78,3 @@
         content: "LANG={{ system_cfg.locale }}"
         dest: /mnt/etc/locale.conf
         mode: "0644"
-
-- name: Ensure SSH password authentication is enabled
-  ansible.builtin.lineinfile:
-    path: /mnt/etc/ssh/sshd_config
-    regexp: "^#?PasswordAuthentication\\s+"
-    line: "PasswordAuthentication yes"
-
-- name: SSH permit root login
-  ansible.builtin.replace:
-    path: /mnt/etc/ssh/sshd_config
-    regexp: "^#?PermitRootLogin.*"
-    replace: "PermitRootLogin yes"

roles/configuration/tasks/main.yml

@@ -5,6 +5,7 @@
     - banner.yml
     - fstab.yml
     - locales.yml
+    - ssh.yml
     - services.yml
     - grub.yml
     - encryption.yml

roles/configuration/tasks/network.yml

@@ -30,7 +30,7 @@
     fail_msg: Failed to detect any network interfaces.
 
 - name: Configure NetworkManager profiles
-  when: os | lower not in ["alpine", "void"]
+  when: os not in ["alpine", "void"]
   block:
     - name: Copy NetworkManager keyfile per interface
       vars:
@@ -47,14 +47,14 @@
         label: "LAN-{{ idx }}"
 
     - name: Fix Ubuntu unmanaged devices
-      when: os | lower in ["ubuntu", "ubuntu-lts"]
+      when: os in ["ubuntu", "ubuntu-lts"]
       ansible.builtin.file:
         path: /mnt/etc/NetworkManager/conf.d/10-globally-managed-devices.conf
         state: touch
         mode: "0644"
 
 - name: Configure Alpine networking
-  when: os | lower == "alpine"
+  when: os == "alpine"
   vars:
     configuration_dns_list: "{{ system_cfg.network.dns.servers | default([]) }}"
   block:
@@ -90,7 +90,7 @@
           {% endfor %}
 
 - name: Configure Void networking
-  when: os | lower == "void"
+  when: os == "void"
   vars:
     configuration_dns_list: "{{ system_cfg.network.dns.servers | default([]) }}"
   block:

roles/configuration/tasks/selinux.yml

@@ -12,7 +12,7 @@
       changed_when: configuration_setfiles_result.rc == 0
 
     - name: Disable SELinux
-      when: os | lower == "fedora" or not system_cfg.features.selinux.enabled | bool
+      when: os == "fedora" or not system_cfg.features.selinux.enabled | bool
       ansible.builtin.lineinfile:
         path: /mnt/etc/selinux/config
         regexp: ^SELINUX=

roles/configuration/tasks/services.yml

@@ -1,6 +1,6 @@
 ---
 - name: Enable Systemd Services
-  when: os | lower not in ['alpine', 'void']
+  when: os not in ['alpine', 'void']
   ansible.builtin.command: >
     {{ chroot_command }} systemctl enable NetworkManager
     {{ ' firewalld' if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else '' }}
@@ -11,13 +11,13 @@
     }}
     {{
       'logrotate systemd-resolved systemd-timesyncd systemd-networkd'
-      if os | lower == 'archlinux' else ''
+      if os == 'archlinux' else ''
     }}
   register: configuration_enable_services_result
   changed_when: configuration_enable_services_result.rc == 0
 
 - name: Enable OpenRC services
-  when: os | lower == 'alpine'
+  when: os == 'alpine'
   vars:
     configuration_openrc_services: >-
       {{
@@ -48,7 +48,7 @@
       when: item.stat.exists
 
 - name: Enable runit services
-  when: os | lower == 'void'
+  when: os == 'void'
   vars:
     configuration_runit_services: >-
       {{

roles/configuration/tasks/ssh.yml

@@ -0,0 +1,12 @@
+---
+- name: Ensure SSH password authentication is enabled
+  ansible.builtin.lineinfile:
+    path: /mnt/etc/ssh/sshd_config
+    regexp: "^#?PasswordAuthentication\\s+"
+    line: "PasswordAuthentication yes"
+
+- name: SSH permit root login
+  ansible.builtin.replace:
+    path: /mnt/etc/ssh/sshd_config
+    regexp: "^#?PermitRootLogin.*"
+    replace: "PermitRootLogin yes"

roles/configuration/tasks/sudo.yml

@@ -1,4 +1,12 @@
 ---
+- name: Ensure sudoers.d directory exists
+  ansible.builtin.file:
+    path: /mnt/etc/sudoers.d
+    state: directory
+    mode: "0755"
+    owner: root
+    group: root
+
 - name: Give sudo access to wheel group
   ansible.builtin.copy:
     content: "{{ '%sudo ALL=(ALL) ALL\n' if is_debian | bool else '%wheel ALL=(ALL) ALL\n' }}"