fix(configuration): skip grub-mkconfig for RedHat EFI systems

- Generate resolv.conf from inventory DNS settings instead of copying
  host file (Arch ISO has systemd-resolved stub 127.0.0.53)
- Add XFS compat options for GRUB 2.06 and kernel 5.14 across LVM
  volumes, /boot partition, and data disks
- Mount API filesystems (proc, sys, dev) into chroot for RPM scriptlets
- Bypass GPG Sequoia validation with _pkgverify_level none
- Tolerate grub2-common scriptlet warnings
- Handle libvirt VM destroy gracefully during cleanup

README.md

@@ -257,15 +257,7 @@ Users must be defined in inventory. The dict format enables additive merging acr
 | Key      | Type          | Default | Description                                    |
 | -------- | ------------- | ------- | ---------------------------------------------- |
 | `device` | string        | `auto`  | TPM2 device selector                           |
-| `pcrs`   | string/list   | --      | PCR binding policy (e.g. `"7"` or `"0+7"`); empty = no PCR binding |
+| `pcrs`   | string/list   | --      | PCR binding policy (e.g. `"7"` or `"0+7"`)    |
-
-**TPM2 auto-unlock:** Uses `systemd-cryptenroll` on all distros. The user-set passphrase
-remains as a backup unlock method. TPM2 enrollment runs in the chroot during bootstrap;
-if it fails (e.g. no TPM2 hardware), the system boots with passphrase-only unlock and
-TPM2 can be enrolled post-deployment via `systemd-cryptenroll --tpm2-device=auto <device>`.
-
-On Debian/Ubuntu, TPM2 auto-unlock requires dracut (initramfs-tools does not support `tpm2-device`).
-The bootstrap auto-switches to dracut when `method: tpm2` is set. Override via `features.initramfs.generator`.
 
 #### `system.features`
 
@@ -282,26 +274,6 @@ The bootstrap auto-switches to dracut when `method: tpm2` is set. Override via `
 | `banner.motd`      | bool   | `false`        | MOTD banner                          |
 | `banner.sudo`      | bool   | `true`         | Sudo banner                          |
 | `chroot.tool`      | string | `arch-chroot`  | `arch-chroot`, `chroot`, or `systemd-nspawn` |
-| `initramfs.generator` | string | auto-detected | Override initramfs generator (see below) |
-| `desktop.*`        | dict   | see below      | Desktop environment settings (see [4.2.5](#425-systemfeaturesdesktop)) |
-
-**Initramfs generator auto-detection:** RedHat → dracut, Arch → mkinitcpio, Debian/Ubuntu → initramfs-tools.
-Override with `dracut`, `mkinitcpio`, or `initramfs-tools`. When LUKS TPM2 auto-unlock is enabled and the
-native generator does not support `tpm2-device`, the generator is automatically upgraded to dracut.
-On distros with older dracut (no `tpm2-tss` module), clevis is used as a fallback for TPM2 binding.
-
-#### 4.2.5 `system.features.desktop`
-
-| Key               | Type   | Default        | Description                               |
-| ----------------- | ------ | -------------- | ----------------------------------------- |
-| `enabled`         | bool   | `false`        | Install desktop environment               |
-| `environment`     | string | --             | `gnome`, `kde`, `xfce`, `sway`, `hyprland`, `cinnamon`, `mate`, `lxqt`, `budgie` |
-| `display_manager` | string | auto-detected  | Override DM: `gdm`, `sddm`, `lightdm`, `ly`, `greetd` |
-
-When `enabled: true`, the bootstrap installs the desktop environment packages, enables the display manager
-and bluetooth services, and sets the systemd default target to `graphical.target`.
-
-Display manager auto-detection: gnome→gdm, kde→sddm, xfce→lightdm, sway→greetd, hyprland→ly.
 
 ### 4.3 `hypervisor` Dictionary
 

ansible.cfg

@@ -3,6 +3,3 @@ hash_behaviour = merge
 interpreter_python = auto_silent
 deprecation_warnings = False
 host_key_checking = False
-
-[ssh_connection]
-ssh_args = -C -o ControlMaster=auto -o ControlPersist=600s -o ServerAliveInterval=30 -o ServerAliveCountMax=10

roles/bootstrap/tasks/_desktop.yml

@@ -1,48 +0,0 @@
----
-- name: Load desktop package definitions
-  ansible.builtin.include_vars:
-    file: desktop.yml
-
-- name: Resolve desktop packages
-  vars:
-    _de: "{{ system_cfg.features.desktop.environment }}"
-    _family_pkgs: "{{ bootstrap_desktop_packages[os_family] | default({}) }}"
-    _de_config: "{{ _family_pkgs[_de] | default({}) }}"
-  ansible.builtin.set_fact:
-    _desktop_groups: "{{ _de_config.groups | default([]) }}"
-    _desktop_packages: "{{ _de_config.packages | default([]) }}"
-
-- name: Validate desktop environment is supported
-  ansible.builtin.assert:
-    that:
-      - (_desktop_groups | length > 0) or (_desktop_packages | length > 0)
-    fail_msg: >-
-      Desktop environment '{{ system_cfg.features.desktop.environment }}'
-      is not defined for os_family '{{ os_family }}'.
-      Supported: {{ (bootstrap_desktop_packages[os_family] | default({})).keys() | join(', ') }}
-    quiet: true
-
-- name: Install desktop package groups
-  when: _desktop_groups | length > 0
-  ansible.builtin.command: >-
-    {{ chroot_command }} dnf --releasever={{ os_version }}
-    --setopt=install_weak_deps=False group install -y {{ _desktop_groups | join(' ') }}
-  register: _desktop_group_result
-  changed_when: _desktop_group_result.rc == 0
-
-- name: Install desktop packages
-  when: _desktop_packages | length > 0
-  vars:
-    _install_commands:
-      RedHat: >-
-        {{ chroot_command }} dnf --releasever={{ os_version }}
-        --setopt=install_weak_deps=False install -y {{ _desktop_packages | join(' ') }}
-      Debian: >-
-        {{ chroot_command }} apt install -y {{ _desktop_packages | join(' ') }}
-      Archlinux: >-
-        pacstrap /mnt {{ _desktop_packages | join(' ') }}
-      Suse: >-
-        {{ chroot_command }} zypper install -y {{ _desktop_packages | join(' ') }}
-  ansible.builtin.command: "{{ _install_commands[os_family] }}"
-  register: _desktop_pkg_result
-  changed_when: _desktop_pkg_result.rc == 0

roles/bootstrap/tasks/_dnf_family.yml

@@ -18,9 +18,6 @@
         groupinstall -y {{ _dnf_groups }}
       register: bootstrap_dnf_base_result
       changed_when: bootstrap_dnf_base_result.rc == 0
-      failed_when:
-        - bootstrap_dnf_base_result.rc != 0
-        - "'scriptlet' not in bootstrap_dnf_base_result.stderr"
 
     - name: Ensure chroot has DNS resolution
       ansible.builtin.file:

roles/bootstrap/tasks/main.yml

@@ -34,10 +34,6 @@
     bootstrap_var_key: "{{ 'bootstrap_' + (os | replace('-lts', '') | replace('-', '_')) }}"
   ansible.builtin.include_tasks: "{{ bootstrap_os_task_map[os] }}"
 
-- name: Install desktop environment packages
-  when: system_cfg.features.desktop.enabled | bool
-  ansible.builtin.include_tasks: _desktop.yml
-
 - name: Ensure chroot uses live environment DNS
   ansible.builtin.file:
     src: /run/NetworkManager/resolv.conf

roles/bootstrap/vars/desktop.yml

@@ -1,149 +0,0 @@
----
-# Per-family desktop environment package definitions.
-# Keyed by os_family -> environment -> groups (dnf groupinstall) / packages.
-# Kept intentionally minimal: base DE + essential tools, no full suites.
-bootstrap_desktop_packages:
-  RedHat:
-    gnome:
-      groups:
-        - workstation-product-environment
-      packages: []
-    kde:
-      groups: []
-      packages:
-        - plasma-desktop
-        - plasma-nm
-        - plasma-pa
-        - plasma-systemmonitor
-        - sddm
-        - konsole
-        - dolphin
-        - kate
-        - kscreen
-        - kde-gtk-config
-        - xdg-user-dirs
-        - xdg-desktop-portal-kde
-        - bluez
-        - pipewire
-        - wireplumber
-    xfce:
-      groups:
-        - xfce-desktop-environment
-      packages:
-        - lightdm
-  Debian:
-    gnome:
-      groups: []
-      packages:
-        - gnome-core
-        - gdm3
-        - gnome-tweaks
-        - xdg-user-dirs
-    kde:
-      groups: []
-      packages:
-        - plasma-desktop
-        - plasma-nm
-        - plasma-pa
-        - sddm
-        - konsole
-        - dolphin
-        - kate
-        - kscreen
-        - xdg-user-dirs
-        - xdg-desktop-portal-kde
-        - bluez
-        - pipewire
-        - wireplumber
-    xfce:
-      groups: []
-      packages:
-        - xfce4
-        - xfce4-goodies
-        - lightdm
-        - xdg-user-dirs
-  Archlinux:
-    gnome:
-      groups: []
-      packages:
-        - gnome
-        - gdm
-        - xdg-user-dirs
-    kde:
-      groups: []
-      packages:
-        - plasma-desktop
-        - plasma-nm
-        - plasma-pa
-        - sddm
-        - konsole
-        - dolphin
-        - kate
-        - kscreen
-        - kde-gtk-config
-        - xdg-user-dirs
-        - xdg-desktop-portal-kde
-        - bluez
-        - pipewire
-        - wireplumber
-    xfce:
-      groups: []
-      packages:
-        - xfce4
-        - xfce4-goodies
-        - lightdm
-        - xdg-user-dirs
-    sway:
-      groups: []
-      packages:
-        - sway
-        - waybar
-        - foot
-        - wofi
-        - greetd
-        - xdg-user-dirs
-        - xdg-desktop-portal-wlr
-        - bluez
-        - pipewire
-        - wireplumber
-    hyprland:
-      groups: []
-      packages:
-        - hyprland
-        - kitty
-        - wofi
-        - waybar
-        - ly
-        - xdg-user-dirs
-        - xdg-desktop-portal-hyprland
-        - polkit-kde-agent
-        - qt5-wayland
-        - qt6-wayland
-        - bluez
-        - pipewire
-        - wireplumber
-  Suse:
-    gnome:
-      groups: []
-      packages:
-        - patterns-gnome-gnome_basic
-        - gdm
-        - xdg-user-dirs
-    kde:
-      groups: []
-      packages:
-        - patterns-kde-kde_plasma
-        - sddm
-        - xdg-user-dirs
-
-# Display manager auto-detection from desktop environment.
-bootstrap_desktop_dm_map:
-  gnome: gdm
-  kde: sddm
-  xfce: lightdm
-  sway: greetd
-  hyprland: ly@tty2
-  cinnamon: lightdm
-  mate: lightdm
-  lxqt: sddm
-  budgie: gdm

roles/bootstrap/vars/main.yml

@@ -222,7 +222,6 @@ bootstrap_debian:
       + (['software-properties-common'] if (os_version | string) not in ['13', 'unstable'] else [])
       + (['systemd-zram-generator'] if (os_version | string) not in ['10', '11'] else [])
       + (['tldr'] if (os_version | string) not in ['13', 'unstable'] else [])
-      + (['shim-signed'] if system_cfg.features.secure_boot.enabled | bool else [])
       + bootstrap_common_conditional
     }}
 
@@ -286,7 +285,6 @@ bootstrap_ubuntu:
   conditional: >-
     {{
       (['tldr'] if (os_version | default('') | string | length) > 0 else [])
-      + (['shim-signed'] if system_cfg.features.secure_boot.enabled | bool else [])
       + bootstrap_common_conditional
     }}
 
@@ -325,7 +323,6 @@ bootstrap_archlinux:
     {{
       (['openssh'] if system_cfg.features.ssh.enabled | bool else [])
       + (['iptables-nft'] if system_cfg.features.firewall.toolkit == 'nftables' and system_cfg.features.firewall.enabled | bool else [])
-      + (['sbctl'] if system_cfg.features.secure_boot.enabled | bool else [])
       + (bootstrap_common_conditional | reject('equalto', 'nftables') | list)
     }}
 

roles/cleanup/tasks/libvirt.yml

@@ -72,12 +72,6 @@
             | trim
           }}
 
-    - name: Ensure boot device is set to hard disk in VM XML
-      when: "'<boot ' not in cleanup_libvirt_domain_xml_clean"
-      ansible.builtin.set_fact:
-        cleanup_libvirt_domain_xml_clean: >-
-          {{ cleanup_libvirt_domain_xml_clean | regex_replace('(</type>)', '\1\n    <boot dev="hd"/>') }}
-
     - name: Update VM definition without installer media
       community.libvirt.virt:
         command: define
@@ -94,35 +88,6 @@
         state: destroyed
       failed_when: false
 
-    - name: Enroll Secure Boot keys in VM NVRAM
-      when:
-        - system_cfg.features.secure_boot.enabled | default(false) | bool
-        - os != 'archlinux'
-      block:
-        - name: Find VM NVRAM file path
-          ansible.builtin.shell:
-            cmd: >-
-              set -o pipefail &&
-              virsh -c {{ libvirt_uri | default('qemu:///system') }} dumpxml {{ hostname }}
-              | grep -oP '<nvram[^>]*>\K[^<]+'
-            executable: /bin/bash
-          register: _sb_nvram_path
-          changed_when: false
-          failed_when: false
-
-        - name: Enroll Secure Boot keys via virt-fw-vars
-          when: _sb_nvram_path.stdout | default('') | length > 0
-          ansible.builtin.command:
-            argv:
-              - virt-fw-vars
-              - --inplace
-              - "{{ _sb_nvram_path.stdout | trim }}"
-              - --enroll-redhat
-              - --secure-boot
-          register: _sb_enroll_result
-          changed_when: _sb_enroll_result.rc == 0
-          failed_when: false
-
     - name: Start the VM
       community.libvirt.virt:
         name: "{{ hostname }}"

roles/configuration/tasks/_resolve_platform.yml

@@ -14,12 +14,3 @@
 - name: Set platform configuration
   ansible.builtin.set_fact:
     _configuration_platform: "{{ configuration_platform_config[os_family] }}"
-
-- name: Override EFI loader to shim for Secure Boot
-  when:
-    - system_cfg.features.secure_boot.enabled | bool
-    - _configuration_platform.efi_loader != 'shimx64.efi'
-    - os != 'archlinux'
-  ansible.builtin.set_fact:
-    _configuration_platform: >-
-      {{ _configuration_platform | combine({'efi_loader': 'shimx64.efi'}) }}

roles/configuration/tasks/bootloader.yml

@@ -34,16 +34,6 @@
       register: configuration_efi_entry_result
       changed_when: configuration_efi_entry_result.rc == 0
 
-    - name: Set installed OS as first EFI boot entry
-      ansible.builtin.shell:
-        cmd: >-
-          set -o pipefail &&
-          efibootmgr | grep -i '{{ _efi_vendor }}' | grep -oP 'Boot\K[0-9A-F]+' | head -1
-          | xargs -I{} efibootmgr -o {}
-        executable: /bin/bash
-      register: _efi_bootorder_result
-      changed_when: _efi_bootorder_result.rc == 0
-
     - name: Ensure lvm2 for non btrfs filesystems
       when: os == "archlinux" and system_cfg.filesystem != "btrfs"
       ansible.builtin.lineinfile:
@@ -58,62 +48,8 @@
       register: configuration_initramfs_result
       changed_when: configuration_initramfs_result.rc == 0
 
-    - name: Generate grub config (RedHat)
+    - name: Generate grub config
-      when: os_family == 'RedHat'
-      ansible.builtin.command: >-
-        {{ chroot_command }} /usr/sbin/{{ _configuration_platform.grub_mkconfig_prefix }}
-        -o /boot/grub2/grub.cfg
-      register: configuration_grub_result
-      changed_when: configuration_grub_result.rc == 0
-
-    - name: Fix btrfs BLS boot variable in grub config
-      when:
-        - os_family == 'RedHat'
-        - system_cfg.filesystem == 'btrfs'
-      ansible.builtin.replace:
-        path: /mnt/boot/grub2/grub.cfg
-        regexp: 'search --no-floppy --fs-uuid --set=boot \S+'
-        replace: 'set boot=$root'
-
-    - name: Create EFI grub.cfg wrapper for RedHat
-      when: os_family == 'RedHat'
-      vars:
-        _grub2_path: >-
-          {{
-            '/grub2'
-            if (partitioning_separate_boot | bool)
-            else ('/@/boot/grub2' if system_cfg.filesystem == 'btrfs' else '/boot/grub2')
-          }}
-      ansible.builtin.shell:
-        cmd: |
-          set -o pipefail
-          uuid=$(grep -m1 'search.*--set=root' /mnt/boot/grub2/grub.cfg | grep -oP '[\da-f]{8}(-[\da-f]{4}){3}-[\da-f]{12}')
-          cat > /mnt{{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/grub.cfg <<GRUBEOF
-          search --no-floppy --fs-uuid --set=dev $uuid
-          set prefix=(\$dev){{ _grub2_path }}
-          export \$prefix
-          configfile \$prefix/grub.cfg
-          GRUBEOF
-        executable: /bin/bash
-      register: _grub_wrapper_result
-      changed_when: _grub_wrapper_result.rc == 0
-
-    - name: Generate grub config (non-RedHat)
       when: os_family != 'RedHat'
       ansible.builtin.command: "{{ chroot_command }} /usr/sbin/grub-mkconfig -o /boot/grub/grub.cfg"
       register: configuration_grub_result
       changed_when: configuration_grub_result.rc == 0
-
-    - name: Rebuild GRUB as standalone EFI for Secure Boot
-      when:
-        - system_cfg.features.secure_boot.enabled | default(false) | bool
-        - os == 'archlinux'
-      ansible.builtin.command: >-
-        {{ chroot_command }} grub-mkstandalone
-        -d /usr/lib/grub/x86_64-efi
-        -O x86_64-efi
-        --disable-shim-lock
-        -o {{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/grubx64.efi
-        boot/grub/grub.cfg=/boot/grub/grub.cfg
-      register: _grub_standalone_result
-      changed_when: _grub_standalone_result.rc == 0

roles/configuration/tasks/encryption.yml

@@ -8,7 +8,7 @@
   block:
     - name: Set LUKS configuration facts
       vars:
-        _raw_pcrs: >-
+        luks_tpm2_pcrs: >-
           {{
             (
               system_cfg.luks.tpm2.pcrs
@@ -20,17 +20,6 @@
             | regex_replace('\\s+', '')
             | regex_replace('^\\+|\\+$', '')
           }}
-        _sb_pcr7_safe: >-
-          {{
-            system_cfg.features.secure_boot.enabled | bool
-            and system_cfg.type | default('virtual') != 'virtual'
-          }}
-        luks_tpm2_pcrs: >-
-          {{
-            _raw_pcrs
-            if _raw_pcrs | length > 0
-            else ('7' if (_sb_pcr7_safe | bool) else '')
-          }}
       ansible.builtin.set_fact:
         configuration_luks_mapper_name: "{{ system_cfg.luks.mapper }}"
         configuration_luks_uuid: "{{ partitioning_luks_uuid | default('') }}"
@@ -47,12 +36,6 @@
         configuration_luks_tpm2_device: "{{ system_cfg.luks.tpm2.device }}"
         configuration_luks_tpm2_pcrs: "{{ luks_tpm2_pcrs }}"
         configuration_luks_keyfile_path: "/etc/cryptsetup-keys.d/{{ system_cfg.luks.mapper }}.key"
-        configuration_luks_tpm2_token_lib: >-
-          {{
-            '/usr/lib/x86_64-linux-gnu/cryptsetup/libcryptsetup-token-systemd-tpm2.so'
-            if os_family == 'Debian'
-            else '/usr/lib64/cryptsetup/libcryptsetup-token-systemd-tpm2.so'
-          }}
 
     - name: Validate LUKS UUID is available
       ansible.builtin.assert:
@@ -68,13 +51,8 @@
         fail_msg: system.luks.passphrase must be set for LUKS auto-decrypt.
       no_log: true
 
-    - name: Detect TPM2 unlock method
+    - name: Enroll TPM2 for LUKS
-      ansible.builtin.include_tasks: encryption/initramfs_detect.yml
+      when: configuration_luks_auto_method == 'tpm2'
-
-    - name: Enroll TPM2 via systemd-cryptenroll
-      when:
-        - configuration_luks_auto_method == 'tpm2'
-        - _tpm2_method | default('systemd-cryptenroll') == 'systemd-cryptenroll'
       ansible.builtin.include_tasks: encryption/tpm2.yml
 
     - name: Configure LUKS keyfile auto-decrypt
@@ -100,7 +78,7 @@
           }}
         luks_tpm2_option_list: >-
           {{
-            (configuration_luks_auto_method == 'tpm2' and (_tpm2_method | default('systemd-cryptenroll')) == 'systemd-cryptenroll')
+            (configuration_luks_auto_method == 'tpm2')
             | ternary(
                 ['tpm2-device=' + configuration_luks_tpm2_device]
                 + (['tpm2-pcrs=' + configuration_luks_tpm2_pcrs]
@@ -144,16 +122,16 @@
         path: /mnt{{ configuration_luks_keyfile_path }}
         state: absent
 
-    - name: Configure initramfs for LUKS
-      ansible.builtin.include_tasks: encryption/initramfs.yml
-
     - name: Configure crypttab
       ansible.builtin.include_tasks: encryption/crypttab.yml
 
-    - name: Configure dracut for LUKS
+    - name: Configure initramfs
-      when: _initramfs_generator | default('') == 'dracut'
+      ansible.builtin.include_tasks: encryption/initramfs.yml
+
+    - name: Configure dracut
+      when: os_family == 'RedHat'
       ansible.builtin.include_tasks: encryption/dracut.yml
 
     - name: Configure GRUB for LUKS
-      when: _initramfs_generator | default('') != 'dracut' or os_family != 'RedHat'
+      when: not os_family == 'RedHat'
       ansible.builtin.include_tasks: encryption/grub.yml

roles/configuration/tasks/encryption/dracut.yml

@@ -9,58 +9,48 @@
   ansible.builtin.copy:
     dest: /mnt/etc/dracut.conf.d/crypt.conf
     content: |
-      add_dracutmodules+=" crypt systemd "
+      add_dracutmodules+=" crypt "
-      {% if configuration_luks_keyfile_in_use | default(false) %}
+      {% if configuration_luks_keyfile_in_use %}
       install_items+=" {{ configuration_luks_keyfile_path }} "
       {% endif %}
-      {% if configuration_luks_auto_method == 'tpm2' %}
-      install_items+=" {{ configuration_luks_tpm2_token_lib | default('') }} "
-      {% endif %}
     mode: "0644"
 
-# --- Kernel cmdline: write rd.luks.* args for dracut ---
+- name: Read kernel cmdline defaults
-- name: Ensure kernel cmdline directory exists
-  ansible.builtin.file:
-    path: /mnt/etc/kernel
-    state: directory
-    mode: "0755"
-
-- name: Read existing kernel cmdline
   ansible.builtin.slurp:
     src: /mnt/etc/kernel/cmdline
-  register: _kernel_cmdline_slurp
+  register: configuration_kernel_cmdline_slurp
-  failed_when: false
 
 - name: Build kernel cmdline with LUKS args
   vars:
-    _cmdline_current: >-
+    kernel_cmdline_current: >-
-      {{ (_kernel_cmdline_slurp.content | default('') | b64decode | default('')) | trim }}
+      {{ configuration_kernel_cmdline_slurp.content | b64decode | trim }}
-    _cmdline_list: >-
+    kernel_cmdline_list: >-
-      {{ _cmdline_current.split() if _cmdline_current | length > 0 else [] }}
-    _cmdline_filtered: >-
       {{
-        _cmdline_list
+        kernel_cmdline_current.split()
+        if kernel_cmdline_current | length > 0 else []
+      }}
+    kernel_cmdline_filtered: >-
+      {{
+        kernel_cmdline_list
         | reject('match', '^rd\\.luks\\.(name|options|key)=' ~ configuration_luks_uuid ~ '=')
         | list
       }}
-    _cmdline_new: >-
+    kernel_cmdline_new: >-
       {{
-        (_cmdline_filtered + configuration_luks_kernel_args.split())
+        (kernel_cmdline_filtered + configuration_luks_kernel_args.split())
         | unique
         | join(' ')
       }}
   ansible.builtin.set_fact:
-    _dracut_kernel_cmdline: "{{ _cmdline_new }}"
+    configuration_kernel_cmdline_new: "{{ kernel_cmdline_new }}"
 
 - name: Write kernel cmdline with LUKS args
   ansible.builtin.copy:
     dest: /mnt/etc/kernel/cmdline
     mode: "0644"
-    content: "{{ _dracut_kernel_cmdline }}\n"
+    content: "{{ configuration_kernel_cmdline_new }}\n"
 
-# --- BLS entries: RedHat-specific ---
 - name: Update BLS entries with LUKS kernel cmdline
-  when: os_family == 'RedHat'
   vars:
-    _bls_cmdline: "{{ _dracut_kernel_cmdline }}"
+    _bls_cmdline: "{{ configuration_kernel_cmdline_new }}"
   ansible.builtin.include_tasks: ../_bls_update.yml

roles/configuration/tasks/encryption/initramfs.yml

@@ -1,94 +1,8 @@
 ---
-# Initramfs configuration for LUKS auto-unlock.
+- name: Ensure keyfile pattern for initramfs-tools
-# Runs AFTER Build LUKS parameters (so configuration_luks_keyfile_in_use is set).
-# _initramfs_generator and _tpm2_method are set by initramfs_detect.yml.
-
-# --- clevis: install and bind TPM2 ---
-- name: Install clevis in target system
   when:
-    - configuration_luks_auto_method == 'tpm2'
+    - os_family == 'Debian'
-    - _tpm2_method | default('') == 'clevis'
+    - configuration_luks_keyfile_in_use
-  ansible.builtin.command: >-
-    {{ chroot_command }} apt install -y clevis clevis-luks clevis-tpm2 clevis-initramfs tpm2-tools
-  register: _clevis_install_result
-  changed_when: _clevis_install_result.rc == 0
-
-- name: Install clevis on installer for LUKS binding
-  when:
-    - configuration_luks_auto_method == 'tpm2'
-    - _tpm2_method | default('') == 'clevis'
-  community.general.pacman:
-    name:
-      - clevis
-      - tpm2-tools
-    state: present
-  retries: 3
-  delay: 5
-
-- name: Create clevis passphrase file
-  when:
-    - configuration_luks_auto_method == 'tpm2'
-    - _tpm2_method | default('') == 'clevis'
-  ansible.builtin.copy:
-    dest: /mnt/root/.luks-enroll-key
-    content: "{{ configuration_luks_passphrase }}"
-    mode: "0600"
-  no_log: true
-
-- name: Ensure TPM device accessible for clevis
-  when:
-    - configuration_luks_auto_method == 'tpm2'
-    - _tpm2_method | default('') == 'clevis'
-  ansible.builtin.shell: >-
-    ls /mnt/dev/tpmrm0 2>/dev/null
-    || (ls /dev/tpmrm0 && cp -a /dev/tpmrm0 /mnt/dev/tpmrm0)
-  changed_when: false
-  failed_when: false
-
-- name: Bind LUKS to TPM2 via clevis
-  when:
-    - configuration_luks_auto_method == 'tpm2'
-    - _tpm2_method | default('') == 'clevis'
-  vars:
-    _clevis_config: >-
-      {{
-        '{"pcr_ids":"' + configuration_luks_tpm2_pcrs + '"}'
-        if configuration_luks_tpm2_pcrs | length > 0
-        else '{}'
-      }}
-  ansible.builtin.command: >-
-    clevis luks bind -f -k /mnt/root/.luks-enroll-key
-    -d {{ configuration_luks_device }} tpm2 '{{ _clevis_config }}'
-  register: _clevis_bind_result
-  changed_when: _clevis_bind_result.rc == 0
-  failed_when: false
-
-    # Initramfs regeneration is handled by the bootloader task which runs after
-    # encryption configuration. Clevis hooks are included automatically by
-    # update-initramfs when clevis-initramfs is installed.
-
-- name: Remove clevis passphrase file
-  when:
-    - configuration_luks_auto_method == 'tpm2'
-    - _tpm2_method | default('') == 'clevis'
-  ansible.builtin.file:
-    path: /mnt/root/.luks-enroll-key
-    state: absent
-
-- name: Report clevis binding result
-  when:
-    - configuration_luks_auto_method == 'tpm2'
-    - _tpm2_method | default('') == 'clevis'
-  ansible.builtin.debug:
-    msg: >-
-      {{ 'Clevis TPM2 binding succeeded' if (_clevis_bind_result.rc | default(1)) == 0
-         else 'Clevis TPM2 binding failed: ' + (_clevis_bind_result.stderr | default('unknown')) + '. System will require passphrase at boot.' }}
-
-# --- initramfs-tools: keyfile support (non-TPM2) ---
-- name: Configure initramfs-tools keyfile pattern
-  when:
-    - _initramfs_generator | default('') == 'initramfs-tools'
-    - configuration_luks_keyfile_in_use | default(false) | bool
   ansible.builtin.lineinfile:
     path: /mnt/etc/cryptsetup-initramfs/conf-hook
     regexp: "^KEYFILE_PATTERN="
@@ -96,9 +10,8 @@
     create: true
     mode: "0644"
 
-# --- mkinitcpio: systemd + sd-encrypt hooks ---
 - name: Configure mkinitcpio hooks for LUKS
-  when: _initramfs_generator | default('') == 'mkinitcpio'
+  when: os == 'archlinux'
   ansible.builtin.lineinfile:
     path: /mnt/etc/mkinitcpio.conf
     regexp: "^HOOKS="
@@ -107,13 +20,13 @@
       block sd-encrypt{{ ' lvm2' if system_cfg.filesystem != 'btrfs' else '' }} filesystems fsck)
 
 - name: Read mkinitcpio configuration
-  when: _initramfs_generator | default('') == 'mkinitcpio'
+  when: os == 'archlinux'
   ansible.builtin.slurp:
     src: /mnt/etc/mkinitcpio.conf
   register: configuration_mkinitcpio_slurp
 
 - name: Build mkinitcpio FILES list
-  when: _initramfs_generator | default('') == 'mkinitcpio'
+  when: os == 'archlinux'
   vars:
     mkinitcpio_files_list: >-
       {{
@@ -129,7 +42,7 @@
       {{
         (
           (mkinitcpio_files_list + [configuration_luks_keyfile_path])
-          if (configuration_luks_keyfile_in_use | default(false))
+          if configuration_luks_keyfile_in_use
           else (
             mkinitcpio_files_list
             | reject('equalto', configuration_luks_keyfile_path)
@@ -142,7 +55,7 @@
     configuration_mkinitcpio_files_list_new: "{{ mkinitcpio_files_list_new }}"
 
 - name: Configure mkinitcpio FILES list
-  when: _initramfs_generator | default('') == 'mkinitcpio'
+  when: os == 'archlinux'
   ansible.builtin.lineinfile:
     path: /mnt/etc/mkinitcpio.conf
     regexp: "^FILES="

roles/configuration/tasks/encryption/initramfs_detect.yml

@@ -1,98 +0,0 @@
----
-# Resolve initramfs generator and TPM2 unlock method.
-# Sets _initramfs_generator and _tpm2_method facts.
-#
-# Generator detection: derived from the platform's initramfs_cmd
-#   (dracut → dracut, mkinitcpio → mkinitcpio, else → initramfs-tools)
-# TPM2 method: systemd-cryptenroll when generator supports tpm2-device,
-#   clevis fallback otherwise. Non-native dracut installed automatically.
-
-- name: Resolve initramfs generator
-  vars:
-    _user_generator: "{{ system_cfg.features.initramfs.generator | default('') }}"
-    _native_generator: >-
-      {{
-        'dracut' if _configuration_platform.initramfs_cmd is search('dracut')
-        else ('mkinitcpio' if _configuration_platform.initramfs_cmd is search('mkinitcpio')
-        else 'initramfs-tools')
-      }}
-  ansible.builtin.set_fact:
-    _initramfs_generator: >-
-      {{ _user_generator if _user_generator | length > 0 else _native_generator }}
-    _initramfs_native_generator: "{{ _native_generator }}"
-
-# --- Install non-native dracut if overridden or needed ---
-- name: Install dracut in chroot when not native
-  when:
-    - _initramfs_generator == 'dracut'
-    - _initramfs_native_generator != 'dracut'
-  ansible.builtin.shell: >-
-    {{ chroot_command }} sh -c '
-      command -v apt >/dev/null 2>&1 && apt install -y dracut ||
-      command -v pacman >/dev/null 2>&1 && pacman -S --noconfirm dracut ||
-      command -v dnf >/dev/null 2>&1 && dnf install -y dracut
-    '
-  register: _dracut_install_result
-  changed_when: _dracut_install_result.rc == 0
-  failed_when: false
-
-- name: Override initramfs command to dracut
-  when:
-    - _initramfs_generator == 'dracut'
-    - _initramfs_native_generator != 'dracut'
-  vars:
-    # Generate dracut initramfs with output name matching what GRUB expects:
-    #   mkinitcpio native: /boot/initramfs-linux.img (Arch convention)
-    #   initramfs-tools native: /boot/initrd.img-<kver> (Debian convention)
-    _dracut_cmd: >-
-      {{
-        'bash -c "for kver in /lib/modules/*/; do kver=$(basename $kver); dracut --force /boot/initramfs-linux.img $kver; done"'
-        if _initramfs_native_generator == 'mkinitcpio'
-        else 'bash -c "for kver in /lib/modules/*/; do kver=$(basename $kver); dracut --force /boot/initrd.img-$kver $kver; done"'
-      }}
-  ansible.builtin.set_fact:
-    _configuration_platform: >-
-      {{ _configuration_platform | combine({'initramfs_cmd': _dracut_cmd}) }}
-
-# --- TPM2 method detection ---
-- name: Probe dracut for TPM2 module support
-  when:
-    - configuration_luks_auto_method == 'tpm2'
-    - _initramfs_generator != 'mkinitcpio'
-  ansible.builtin.command: "{{ chroot_command }} dracut --list-modules"
-  register: _dracut_modules_check
-  changed_when: false
-  failed_when: false
-
-- name: Resolve TPM2 unlock method
-  when: configuration_luks_auto_method == 'tpm2'
-  vars:
-    # mkinitcpio sd-encrypt supports tpm2-device natively
-    # dracut with tpm2-tss module supports tpm2-device natively
-    # everything else needs clevis
-    _supports_tpm2_native: >-
-      {{
-        _initramfs_generator == 'mkinitcpio'
-        or ('tpm2-tss' in (_dracut_modules_check.stdout | default('')))
-      }}
-  ansible.builtin.set_fact:
-    _tpm2_method: "{{ 'systemd-cryptenroll' if _supports_tpm2_native | bool else 'clevis' }}"
-
-# --- Auto-upgrade to dracut when tpm2-tss available but generator isn't dracut ---
-- name: Switch to dracut for TPM2 support
-  when:
-    - configuration_luks_auto_method == 'tpm2'
-    - _tpm2_method == 'systemd-cryptenroll'
-    - _initramfs_generator not in ['dracut', 'mkinitcpio']
-  vars:
-    _dracut_cmd: >-
-      bash -c "for kver in /lib/modules/*/; do kver=$(basename $kver); dracut --force /boot/initrd.img-$kver $kver; done"
-  ansible.builtin.set_fact:
-    _initramfs_generator: dracut
-    _configuration_platform: >-
-      {{ _configuration_platform | combine({'initramfs_cmd': _dracut_cmd}) }}
-
-- name: Report TPM2 configuration
-  when: configuration_luks_auto_method == 'tpm2'
-  ansible.builtin.debug:
-    msg: "TPM2 unlock: {{ _tpm2_method | default('none') }} | initramfs: {{ _initramfs_generator }}"

roles/configuration/tasks/encryption/tpm2.yml

@@ -1,35 +1,26 @@
 ---
-# TPM2 enrollment via systemd-cryptenroll.
-# Works with dracut and mkinitcpio (sd-encrypt). The user-set passphrase
-# remains as a backup unlock method — no auto-generated keyfiles.
 - name: Enroll TPM2 for LUKS
   block:
+    # Tempfile in chroot /tmp — accessible by both chroot and host commands
     - name: Create temporary passphrase file for TPM2 enrollment
       ansible.builtin.tempfile:
-        path: /mnt/root
+        path: /mnt/tmp
         prefix: luks-passphrase-
         state: file
-      register: _tpm2_passphrase_tempfile
+      register: configuration_luks_tpm2_passphrase_tempfile
 
-    - name: Write passphrase into temporary file
+    - name: Write passphrase into temporary file for TPM2 enrollment
       ansible.builtin.copy:
-        dest: "{{ _tpm2_passphrase_tempfile.path }}"
+        dest: "{{ configuration_luks_tpm2_passphrase_tempfile.path }}"
         content: "{{ configuration_luks_passphrase }}"
         owner: root
         group: root
         mode: "0600"
       no_log: true
 
-    - name: Ensure TPM device is accessible in chroot
+    - name: Enroll TPM2 token
-      ansible.builtin.shell: >-
-        ls /mnt/dev/tpmrm0 2>/dev/null
-        || (ls /dev/tpmrm0 && cp -a /dev/tpmrm0 /mnt/dev/tpmrm0)
-      changed_when: false
-      failed_when: false
-
-    - name: Enroll TPM2 token via systemd-cryptenroll
       vars:
-        _enroll_args: >-
+        configuration_luks_enroll_args: >-
           {{
             [
               '/usr/bin/systemd-cryptenroll',
@@ -37,28 +28,69 @@
               '--tpm2-with-pin=false',
               '--wipe-slot=tpm2',
               '--unlock-key-file=' + (
-                _tpm2_passphrase_tempfile.path | regex_replace('^/mnt', '')
+                configuration_luks_tpm2_passphrase_tempfile.path
+                | regex_replace('^/mnt', '')
               )
             ]
             + (['--tpm2-pcrs=' + configuration_luks_tpm2_pcrs]
                if configuration_luks_tpm2_pcrs | length > 0 else [])
             + [configuration_luks_device]
           }}
-      ansible.builtin.command: "{{ chroot_command }} {{ _enroll_args | join(' ') }}"
+        configuration_luks_enroll_chroot_cmd: >-
-      register: _tpm2_enroll_result
+          {{ chroot_command }} {{ configuration_luks_enroll_args | join(' ') }}
-      changed_when: _tpm2_enroll_result.rc == 0
+      ansible.builtin.command: "{{ configuration_luks_enroll_chroot_cmd }}"
+      register: configuration_luks_tpm2_enroll_chroot
+      changed_when: configuration_luks_tpm2_enroll_chroot.rc == 0
+      failed_when: false
 
+    - name: Retry TPM2 enrollment in installer environment
+      when:
+        - (configuration_luks_tpm2_enroll_chroot.rc | default(1)) != 0
+      vars:
+        configuration_luks_enroll_args: >-
+          {{
+            [
+              '/usr/bin/systemd-cryptenroll',
+              '--tpm2-device=' + configuration_luks_tpm2_device,
+              '--tpm2-with-pin=false',
+              '--wipe-slot=tpm2',
+              '--unlock-key-file=' + configuration_luks_tpm2_passphrase_tempfile.path
+            ]
+            + (['--tpm2-pcrs=' + configuration_luks_tpm2_pcrs]
+               if configuration_luks_tpm2_pcrs | length > 0 else [])
+            + [configuration_luks_device]
+          }}
+      ansible.builtin.command:
+        argv: "{{ configuration_luks_enroll_args }}"
+      register: configuration_luks_tpm2_enroll_host
+      changed_when: configuration_luks_tpm2_enroll_host.rc == 0
+      failed_when: false
+
+    - name: Validate TPM2 enrollment succeeded
+      ansible.builtin.assert:
+        that:
+          - >-
+            (configuration_luks_tpm2_enroll_chroot.rc | default(1)) == 0
+            or (configuration_luks_tpm2_enroll_host.rc | default(1)) == 0
+        fail_msg: >-
+          TPM2 enrollment failed.
+          chroot rc={{ configuration_luks_tpm2_enroll_chroot.rc | default('n/a') }},
+          host rc={{ configuration_luks_tpm2_enroll_host.rc | default('n/a') }},
+          chroot stderr={{ configuration_luks_tpm2_enroll_chroot.stderr | default('') }},
+          host stderr={{ configuration_luks_tpm2_enroll_host.stderr | default('') }}
   rescue:
-    - name: TPM2 enrollment failed
+    - name: Warn about TPM2 enrollment failure
       ansible.builtin.debug:
         msg: >-
-          TPM2 enrollment failed: {{ _tpm2_enroll_result.stderr | default('unknown') }}.
+          WARNING: TPM2 enrollment failed — falling back to keyfile auto-decrypt.
-          The system will require the passphrase for LUKS unlock on boot.
+          The system will use a keyfile instead of TPM2 for automatic LUKS unlock.
-          TPM2 can be enrolled post-deployment via: systemd-cryptenroll --tpm2-device=auto {{ configuration_luks_device }}
 
+    - name: Fallback to keyfile auto-decrypt
+      ansible.builtin.set_fact:
+        configuration_luks_auto_method: keyfile
   always:
-    - name: Remove temporary passphrase file
+    - name: Remove TPM2 enrollment passphrase file
-      when: _tpm2_passphrase_tempfile.path is defined
+      when: configuration_luks_tpm2_passphrase_tempfile.path is defined
       ansible.builtin.file:
-        path: "{{ _tpm2_passphrase_tempfile.path }}"
+        path: "{{ configuration_luks_tpm2_passphrase_tempfile.path }}"
         state: absent

roles/configuration/tasks/main.yml

@@ -17,8 +17,6 @@
     - file: encryption.yml
       when: "{{ system_cfg.luks.enabled | bool }}"
     - file: bootloader.yml
-    - file: secure_boot.yml
-      when: "{{ system_cfg.features.secure_boot.enabled | bool }}"
     - file: extras.yml
     - file: network.yml
     - file: users.yml

roles/configuration/tasks/secure_boot.yml

@@ -1,8 +0,0 @@
----
-- name: Configure shim-based Secure Boot
-  when: os != 'archlinux'
-  ansible.builtin.include_tasks: secure_boot/shim.yml
-
-- name: Configure sbctl Secure Boot
-  when: os == 'archlinux'
-  ansible.builtin.include_tasks: secure_boot/sbctl.yml

roles/configuration/tasks/secure_boot/sbctl.yml

@@ -1,115 +0,0 @@
----
-- name: Configure sbctl Secure Boot
-  block:
-    - name: Create Secure Boot signing keys
-      ansible.builtin.command: "{{ chroot_command }} sbctl create-keys"
-      register: _sbctl_create_keys
-      changed_when: _sbctl_create_keys.rc == 0
-      failed_when:
-        - _sbctl_create_keys.rc != 0
-        - "'already exists' not in (_sbctl_create_keys.stderr | default(''))"
-
-    - name: Enroll Secure Boot keys in firmware
-      ansible.builtin.command: "{{ chroot_command }} sbctl enroll-keys --microsoft"
-      register: _sbctl_enroll
-      changed_when: _sbctl_enroll.rc == 0
-      failed_when: false
-
-    - name: Install first-boot enrollment service if chroot enrollment failed
-      when: _sbctl_enroll.rc | default(1) != 0
-      block:
-        - name: Create first-boot sbctl enrollment service
-          ansible.builtin.copy:
-            dest: /mnt/etc/systemd/system/sbctl-enroll.service
-            mode: "0644"
-            content: |
-              [Unit]
-              Description=Enroll Secure Boot keys via sbctl
-              ConditionPathExists=!/var/lib/sbctl/.enrolled
-              After=local-fs.target
-
-              [Service]
-              Type=oneshot
-              ExecStart=/usr/bin/sbctl enroll-keys --microsoft
-              ExecStartPost=/usr/bin/touch /var/lib/sbctl/.enrolled
-              RemainAfterExit=yes
-
-              [Install]
-              WantedBy=multi-user.target
-
-        - name: Enable first-boot enrollment service
-          ansible.builtin.command: "{{ chroot_command }} systemctl enable sbctl-enroll.service"
-          register: _sbctl_service_enable
-          changed_when: _sbctl_service_enable.rc == 0
-
-    - name: Find kernel images to sign
-      ansible.builtin.find:
-        paths: /mnt/boot
-        patterns: "vmlinuz-*"
-        file_type: file
-      register: _sbctl_kernel_images
-
-    - name: Sign kernel images
-      ansible.builtin.command: >-
-        {{ chroot_command }} sbctl sign -s {{ item.path | regex_replace('^/mnt', '') }}
-      loop: "{{ _sbctl_kernel_images.files }}"
-      loop_control:
-        label: "{{ item.path | basename }}"
-      register: _sbctl_sign_kernel
-      changed_when: _sbctl_sign_kernel.rc == 0
-      failed_when: false
-
-    - name: Sign GRUB EFI binary
-      vars:
-        _grub_efi_path: "{{ partitioning_efi_mountpoint }}/EFI/archlinux/grubx64.efi"
-      ansible.builtin.command: >-
-        {{ chroot_command }} sbctl sign -s {{ _grub_efi_path }}
-      register: _sbctl_sign_grub
-      changed_when: _sbctl_sign_grub.rc == 0
-      failed_when: false
-
-    - name: Ensure pacman hooks directory exists
-      ansible.builtin.file:
-        path: /mnt/etc/pacman.d/hooks
-        state: directory
-        mode: "0755"
-
-    - name: Install sbctl auto-signing pacman hook
-      ansible.builtin.copy:
-        dest: /mnt/etc/pacman.d/hooks/99-sbctl-sign.hook
-        mode: "0644"
-        content: |
-          [Trigger]
-          Operation = Install
-          Operation = Upgrade
-          Type = Path
-          Target = boot/vmlinuz-*
-          Target = usr/lib/modules/*/vmlinuz
-
-          [Action]
-          Description = Signing kernel images for Secure Boot...
-          When = PostTransaction
-          Exec = /usr/bin/sbctl sign-all
-          Depends = sbctl
-
-    - name: Verify sbctl signing status
-      ansible.builtin.command: "{{ chroot_command }} sbctl verify"
-      register: _sbctl_verify
-      changed_when: false
-      failed_when: false
-
-    - name: Report sbctl Secure Boot status
-      ansible.builtin.debug:
-        msg: >-
-          Secure Boot (sbctl):
-          Enrollment={{ 'done' if (_sbctl_enroll.rc | default(1)) == 0 else 'deferred to first boot' }}.
-          {{ _sbctl_verify.stdout | default('Verify not available') }}
-
-  rescue:
-    - name: Secure Boot setup failed
-      ansible.builtin.debug:
-        msg: >-
-          sbctl Secure Boot setup failed.
-          On VMs make sure the OVMF firmware is in Setup Mode (fresh NVRAM).
-          On bare metal enter the firmware setup and switch to Setup Mode first.
-          To recover manually: sbctl create-keys && sbctl enroll-keys --microsoft && sbctl sign-all

roles/configuration/tasks/secure_boot/shim.yml

@@ -1,45 +0,0 @@
----
-- name: Configure shim-based Secure Boot
-  vars:
-    _efi_vendor: >-
-      {{
-        "redhat" if os == "rhel"
-        else ("ubuntu" if os in ["ubuntu", "ubuntu-lts"] else os)
-      }}
-  block:
-    - name: Find shim binary in target system
-      ansible.builtin.shell:
-        cmd: >-
-          set -o pipefail &&
-          {{ chroot_command }} find /usr/lib/shim /boot/efi/EFI
-          \( -name 'shimx64.efi.signed.latest' -o -name 'shimx64.efi.dualsigned'
-          -o -name 'shimx64.efi.signed' -o -name 'shimx64.efi' \)
-          -type f | sort -r | head -1
-        executable: /bin/bash
-      register: _shim_find_result
-      changed_when: false
-      failed_when: false
-
-    - name: Copy shim to EFI vendor directory
-      when:
-        - _shim_find_result.stdout | default('') | length > 0
-        - _configuration_platform.grub_install | bool
-      ansible.builtin.command: >-
-        cp /mnt{{ _shim_find_result.stdout_lines | first }}
-        /mnt{{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/shimx64.efi
-      register: _shim_copy_result
-      changed_when: _shim_copy_result.rc == 0
-
-    - name: Verify shim is present
-      ansible.builtin.stat:
-        path: "/mnt{{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/shimx64.efi"
-      register: _shim_stat
-
-    - name: Report Secure Boot status
-      ansible.builtin.debug:
-        msg: >-
-          Secure Boot (shim): {{
-            'shimx64.efi installed at ' ~ partitioning_efi_mountpoint ~ '/EFI/' ~ _efi_vendor
-            if (_shim_stat.stat.exists | default(false))
-            else 'shimx64.efi not found, shim package may handle placement on first boot'
-          }}

roles/configuration/tasks/services.yml

@@ -2,12 +2,6 @@
 - name: Enable systemd services
   when: _configuration_platform.init_system == 'systemd'
   vars:
-    _desktop_dm: >-
-      {{
-        system_cfg.features.desktop.display_manager
-        if (system_cfg.features.desktop.display_manager | length > 0)
-        else (configuration_desktop_dm_map[system_cfg.features.desktop.environment] | default(''))
-      }}
     configuration_systemd_services: >-
       {{
         ['NetworkManager']
@@ -15,31 +9,12 @@
         + (['ufw'] if system_cfg.features.firewall.backend == 'ufw' and system_cfg.features.firewall.enabled | bool else [])
         + ([_configuration_platform.ssh_service] if system_cfg.features.ssh.enabled | bool else [])
         + (['logrotate', 'systemd-timesyncd'] if os == 'archlinux' else [])
-        + ([_desktop_dm] if system_cfg.features.desktop.enabled | bool and _desktop_dm | length > 0 else [])
-        + (['bluetooth'] if system_cfg.features.desktop.enabled | bool else [])
       }}
   ansible.builtin.command: "{{ chroot_command }} systemctl enable {{ item }}"
   loop: "{{ configuration_systemd_services }}"
   register: configuration_enable_service_result
   changed_when: configuration_enable_service_result.rc == 0
 
-- name: Activate UFW firewall
-  when:
-    - system_cfg.features.firewall.backend == 'ufw'
-    - system_cfg.features.firewall.enabled | bool
-  ansible.builtin.command: "{{ chroot_command }} ufw --force enable"
-  register: _ufw_enable_result
-  changed_when: _ufw_enable_result.rc == 0
-  failed_when: false
-
-- name: Set default systemd target to graphical
-  when:
-    - _configuration_platform.init_system == 'systemd'
-    - system_cfg.features.desktop.enabled | bool
-  ansible.builtin.command: "{{ chroot_command }} systemctl set-default graphical.target"
-  register: _desktop_target_result
-  changed_when: _desktop_target_result.rc == 0
-
 - name: Enable OpenRC services
   when: _configuration_platform.init_system == 'openrc'
   vars:

roles/configuration/vars/main.yml

@@ -65,15 +65,3 @@ configuration_platform_config:
     grub_mkconfig_prefix: grub-mkconfig
     locale_gen: false
     init_system: runit
-
-# Display manager auto-detection from desktop environment name.
-configuration_desktop_dm_map:
-  gnome: gdm
-  kde: sddm
-  xfce: lightdm
-  sway: greetd
-  hyprland: ly@tty2
-  cinnamon: lightdm
-  mate: lightdm
-  lxqt: sddm
-  budgie: gdm

roles/environment/tasks/_detect_live.yml

@@ -68,23 +68,6 @@
       Boot from a live installer (Arch, Debian, Ubuntu, etc.) and retry.
     quiet: true
 
-- name: Harden sshd for Ansible automation
-  ansible.builtin.blockinfile:
-    path: /etc/ssh/sshd_config
-    marker: "# {mark} BOOTSTRAP ANSIBLE SETTINGS"
-    block: |
-      PerSourcePenalties no
-      MaxStartups 50:30:100
-      ClientAliveInterval 30
-      ClientAliveCountMax 10
-  register: _sshd_config_result
-
-- name: Restart sshd immediately if config was changed
-  when: _sshd_config_result is changed
-  ansible.builtin.service:
-    name: sshd
-    state: restarted
-
 - name: Abort if the host is not booted from the Arch install media
   when:
     - not (custom_iso | bool)

roles/environment/tasks/_prepare_installer.yml

@@ -25,7 +25,6 @@
     state: latest
   loop:
     - { name: glibc }
-    - { name: lua, os: [almalinux, fedora, rhel, rocky] }
     - { name: dnf, os: [almalinux, fedora, rhel, rocky] }
     - { name: debootstrap, os: [debian, ubuntu, ubuntu-lts] }
     - { name: debian-archive-keyring, os: [debian] }

roles/global_defaults/defaults/main.yml

@@ -135,15 +135,6 @@ system_defaults:
       user: "_aur_builder"
     chroot:
       tool: "arch-chroot" # arch-chroot|chroot|systemd-nspawn
-    initramfs:
-      generator: "" # auto-detected; override: dracut|mkinitcpio|initramfs-tools
-    desktop:
-      enabled: false
-      environment: ""       # gnome|kde|xfce|sway|hyprland|cinnamon|mate|lxqt|budgie
-      display_manager: ""   # auto from environment when empty; override: gdm|sddm|lightdm|greetd
-    secure_boot:
-      enabled: false
-      method: ""            # arch only: sbctl (default) or uki; ignored for other distros
 
 # Per-hypervisor required fields — drives data-driven validation.
 # All virtual types additionally require network bridge or interfaces.

roles/global_defaults/tasks/_normalize_system.yml

@@ -144,16 +144,27 @@
           url: "{{ system_raw.features.rhel_repo.url | default('') | string }}"
         chroot:
           tool: "{{ system_raw.features.chroot.tool | string }}"
-        initramfs:
-          generator: "{{ system_raw.features.initramfs.generator | default('') | string | lower }}"
-        desktop:
-          enabled: "{{ system_raw.features.desktop.enabled | bool }}"
-          environment: "{{ system_raw.features.desktop.environment | default('') | string | lower }}"
-          display_manager: "{{ system_raw.features.desktop.display_manager | default('') | string | lower }}"
-        secure_boot:
-          enabled: "{{ system_raw.features.secure_boot.enabled | bool }}"
-          method: "{{ system_raw.features.secure_boot.method | default('') | string | lower }}"
     hostname: "{{ system_name }}"
     os: "{{ system_os_input if system_os_input | length > 0 else (physical_default_os if system_type == 'physical' else '') }}"
     os_version: "{{ system_raw.version | default('') | string }}"
   no_log: true
+
+- name: Populate primary network fields from first interface
+  when:
+    - system_cfg.network.interfaces | length > 0
+    - system_cfg.network.bridge | default('') | string | length == 0
+  vars:
+    _primary: "{{ system_cfg.network.interfaces[0] }}"
+  ansible.builtin.set_fact:
+    system_cfg: >-
+      {{
+        system_cfg | combine({
+          'network': system_cfg.network | combine({
+            'bridge': _primary.bridge | default(''),
+            'vlan': _primary.vlan | default(''),
+            'ip': _primary.ip | default(''),
+            'prefix': _primary.prefix | default(''),
+            'gateway': _primary.gateway | default('')
+          })
+        }, recursive=True)
+      }}

roles/global_defaults/tasks/system.yml

@@ -17,27 +17,6 @@
     - name: Normalize disk configuration
       ansible.builtin.include_tasks: _normalize_disks.yml
 
-- name: Populate primary network fields from first interface
-  when:
-    - system_cfg is defined
-    - system_cfg.network.interfaces | default([]) | length > 0
-    - system_cfg.network.ip | default('') | string | length == 0
-  vars:
-    _primary: "{{ system_cfg.network.interfaces[0] }}"
-  ansible.builtin.set_fact:
-    system_cfg: >-
-      {{
-        system_cfg | combine({
-          'network': system_cfg.network | combine({
-            'bridge': _primary.bridge | default(''),
-            'vlan': _primary.vlan | default(''),
-            'ip': _primary.ip | default(''),
-            'prefix': _primary.prefix | default(''),
-            'gateway': _primary.gateway | default('')
-          })
-        }, recursive=True)
-      }}
-
 - name: Check if pre-computed system_cfg needs enrichment
   when: system_cfg is defined
   ansible.builtin.set_fact:

roles/partitioning/tasks/_mount.yml

@@ -9,13 +9,12 @@
         - >-
           system_cfg.features.cis.enabled | bool or (
             not (system_cfg.features.cis.enabled | bool) and (
-              (system_cfg.filesystem == 'btrfs' and item.path in ['/home', '/var/log']
+              (system_cfg.filesystem == 'btrfs' and item.path in ['/home', '/var/log', '/var/cache/pacman/pkg'])
-               + (['/var/cache/pacman/pkg'] if os == 'archlinux' else []))
               or (item.path not in ['/home', '/var', '/var/log', '/var/log/audit', '/var/cache/pacman/pkg'])
             )
           )
         - >-
-          not (item.path in ['/swap', '/var/cache/pacman/pkg'] and (system_cfg.filesystem != 'btrfs' or os != 'archlinux'))
+          not (item.path in ['/swap', '/var/cache/pacman/pkg'] and system_cfg.filesystem != 'btrfs')
         - system_cfg.features.swap.enabled | bool or item.path != '/swap'
       ansible.posix.mount:
         path: /mnt{{ item.path }}

roles/partitioning/tasks/btrfs.yml

@@ -43,7 +43,6 @@
       when:
         - system_cfg.features.cis.enabled | bool or item.subvol not in ['var_log_audit']
         - system_cfg.features.swap.enabled | bool or item.subvol != 'swap'
-        - item.os is not defined or os in item.os
       ansible.builtin.command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
       args:
         creates: /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
@@ -52,19 +51,12 @@
         - { subvol: swap }
         - { subvol: home }
         - { subvol: var }
-        - { subvol: pkg, os: [archlinux] }
+        - { subvol: pkg }
         - { subvol: var_log }
         - { subvol: var_log_audit }
       loop_control:
         label: "{{ item.subvol }}"
 
-    - name: Set default btrfs subvolume to @
-      ansible.builtin.shell: >-
-        btrfs subvolume list /mnt | awk '/ path @$/ {print $2}'
-        | xargs -I{} btrfs subvolume set-default {} /mnt
-      register: partitioning_btrfs_default_result
-      changed_when: partitioning_btrfs_default_result.rc == 0
-
     - name: Set quotas for subvolumes
       when: system_cfg.features.cis.enabled | bool
       ansible.builtin.command: btrfs qgroup limit {{ item.quota }} /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}

roles/virtualization/defaults/main.yml

@@ -22,10 +22,10 @@ virtualization_libvirt_ovmf_vars: /usr/share/edk2/x64/OVMF_VARS.4m.fd
 
 virtualization_tpm2_enabled: >-
   {{
-    (
+    (system_cfg.luks.enabled | bool)
-      (system_cfg.luks.enabled | bool)
+    and (system_cfg.luks.auto | bool)
-      and (system_cfg.luks.auto | bool)
+    and (
-      and (system_cfg.luks.method | lower == 'tpm2')
+      (system_cfg.luks.method | lower)
+      == 'tpm2'
     )
-    or (system_cfg.features.secure_boot.enabled | default(false) | bool)
   }}

roles/virtualization/tasks/delete.yml

@@ -40,10 +40,10 @@
       failed_when: false
 
     - name: Undefine libvirt VM
-      ansible.builtin.command:
+      community.libvirt.virt:
-        cmd: "virsh -c {{ libvirt_uri | default('qemu:///system') }} undefine {{ hostname }} --nvram"
+        name: "{{ hostname }}"
-      register: _libvirt_undefine_result
+        command: undefine
-      changed_when: _libvirt_undefine_result.rc == 0
+        uri: "{{ libvirt_uri | default('qemu:///system') }}"
       failed_when: false
 
     - name: Remove libvirt disk images