feat(cis): add selectable profile and per-rule hardening toggles

roles/cis/tasks/_normalize.yml

@@ -1,10 +1,25 @@
 ---
-- name: Normalize CIS input
+- name: Determine CIS profile
   ansible.builtin.set_fact:
-    cis_enabled: "{{ cis is defined and (cis is mapping or cis | bool) }}"
-    cis_input: "{{ cis if cis is mapping else {} }}"
+    cis_profile: "{{ system_cfg.features.cis.profile | default('default') }}"
 
-- name: Normalize CIS configuration
-  when: cis_enabled and cis_cfg is not defined
+- name: Validate CIS profile selection
+  ansible.builtin.assert:
+    that: cis_profile in cis_profiles
+    fail_msg: >-
+      system.features.cis.profile '{{ cis_profile }}' is unknown
+      (valid: {{ cis_profiles.keys() | list | join(', ') }}).
+    quiet: true
+
+- name: Resolve CIS rules and parameters
+  vars:
+    _cis: "{{ system_cfg.features.cis | default({}) }}"
   ansible.builtin.set_fact:
-    cis_cfg: "{{ cis_defaults | combine(cis_input, recursive=True) }}"
+    cis_effective_rules: "{{ cis_profiles[cis_profile] | combine(_cis.rules | default({})) }}"
+    cis_cfg: >-
+      {{ cis_param_defaults
+         | combine(cis_profile_params[cis_profile] | default({}), recursive=True)
+         | combine(_cis.params | default({}), recursive=True) }}
+    # l1/l2 add the stricter CIS-server controls on top of the legacy `default`
+    # baseline; gate those tasks on this so `default` stays byte-for-byte unchanged.
+    cis_strict: "{{ cis_profile in ['l1', 'l2'] }}"