diff --git a/roles/cis/tasks/modules.yml b/roles/cis/tasks/modules.yml
index 281fb89..b2801a2 100644
--- a/roles/cis/tasks/modules.yml
+++ b/roles/cis/tasks/modules.yml
@@ -1,6 +1,7 @@
 ---
 - name: Disable Kernel Modules
   vars:
+    # Ubuntu uses squashfs for snap packages — blacklisting it breaks snap entirely
     cis_modules_squashfs: "{{ [] if os in ['ubuntu', 'ubuntu-lts'] else ['squashfs'] }}"
     cis_modules_all: "{{ cis_cfg.modules_blacklist + cis_modules_squashfs }}"
   ansible.builtin.copy: