refactor(configuration): consolidate firewall into one phase-aware path

roles/global_defaults/tasks/system.yml

@@ -50,7 +50,7 @@
   ansible.builtin.set_fact:
     system_cfg: "{{ system_defaults | combine(system | default({}), recursive=True) | combine(system_cfg, recursive=True) }}"
 
-- name: Apply content-source family defaults for pre-computed system_cfg
+- name: Apply family defaults (content source, firewall backend) for pre-computed system_cfg
   when:
     - system_cfg is defined
     - _bootstrap_needs_enrichment | default(false) | bool
@@ -64,14 +64,21 @@
   ansible.builtin.set_fact:
     system_cfg: >-
       {{
-        system_cfg | combine({'content': {
-          'source': system_cfg.content.source
-                    if (system_cfg.content.source | default('') | string | trim | length > 0)
-                    else ('dvd' if _os == 'rhel' else 'mirror'),
-          'url': system_cfg.content.url
-                 if (system_cfg.content.url | default('') | string | trim | length > 0)
-                 else (_mirror_defaults[_os] | default('')),
-        }}, recursive=True)
+        system_cfg | combine({
+          'content': {
+            'source': system_cfg.content.source
+                      if (system_cfg.content.source | default('') | string | trim | length > 0)
+                      else ('dvd' if _os == 'rhel' else 'mirror'),
+            'url': system_cfg.content.url
+                   if (system_cfg.content.url | default('') | string | trim | length > 0)
+                   else (_mirror_defaults[_os] | default('')),
+          },
+          'features': {'firewall': {'backend':
+            system_cfg.features.firewall.backend
+            if (system_cfg.features.firewall.backend | default('') | string | trim | length > 0)
+            else ('ufw' if _os in ['debian', 'ubuntu', 'ubuntu-lts'] else 'firewalld')
+          }},
+        }, recursive=True)
       }}
 
 - name: Populate primary network fields from first interface (pre-computed)