feat(cis): add selectable profile and per-rule hardening toggles

main.yml

@@ -62,6 +62,12 @@
             name: configuration
             public: true
 
+        # Past this point the OS is installed and configured; a CIS hardening or
+        # cleanup failure must not delete an otherwise-good VM.
+        - name: Mark base system complete
+          ansible.builtin.set_fact:
+            _bootstrap_base_complete: true
+
         - name: Apply CIS hardening
           when: system_cfg.features.cis.enabled | bool
           ansible.builtin.include_role:
@@ -75,11 +81,16 @@
             public: true
 
       rescue:
+        - name: Decide whether to delete the half-built VM
+          ansible.builtin.set_fact:
+            _delete_vm_on_rescue: >-
+              {{ _vm_absent_before_bootstrap | default(false) | bool
+                 and virtualization_vm_created_in_run | default(false) | bool
+                 and system_cfg.type == "virtual"
+                 and not (_bootstrap_base_complete | default(false) | bool) }}
+
         - name: Delete VM on bootstrap failure
-          when:
-            - _vm_absent_before_bootstrap | default(false) | bool
-            - virtualization_vm_created_in_run | default(false) | bool
-            - system_cfg.type == "virtual"
+          when: _delete_vm_on_rescue | bool
           ansible.builtin.include_role:
             name: virtualization
             tasks_from: delete
@@ -93,9 +104,8 @@
           ansible.builtin.fail:
             msg: >-
               Bootstrap failed for {{ hostname }}.
-              {{ 'VM was deleted to allow clean retry.'
-                 if (virtualization_vm_created_in_run | default(false))
-                 else 'VM was not created in this run (kept).' }}
+              {{ 'VM was deleted to allow clean retry.' if (_delete_vm_on_rescue | bool)
+                 else 'VM kept (base system installed or not created this run).' }}
 
   post_tasks:
     - name: Set post-reboot connection flags