diff --git a/roles/cleanup/tasks/xen.yml b/roles/cleanup/tasks/xen.yml
index edf1e13..aa69d5f 100644
--- a/roles/cleanup/tasks/xen.yml
+++ b/roles/cleanup/tasks/xen.yml
@@ -11,7 +11,7 @@
ansible.builtin.set_fact:
cleanup_xen_disks: "{{ cleanup_xen_disks | default([]) + [cleanup_xen_disk_cfg] }}"
vars:
- device_letter_map: "abcdefghijklmnopqrstuvwxyz"
+ device_letter_map: "{{ disk_letter_map }}"
device_letter: "{{ device_letter_map[ansible_loop.index0] }}"
cleanup_xen_disk_cfg: >-
{{
@@ -58,3 +58,8 @@
- /tmp/xen-{{ hostname }}.cfg
register: cleanup_xen_start_result
changed_when: cleanup_xen_start_result.rc == 0
+
+ - name: Remove temporary Xen configuration file
+ ansible.builtin.file:
+ path: /tmp/xen-{{ hostname }}.cfg
+ state: absent
diff --git a/roles/configuration/tasks/encryption/tpm2.yml b/roles/configuration/tasks/encryption/tpm2.yml
index 664543e..5733879 100644
--- a/roles/configuration/tasks/encryption/tpm2.yml
+++ b/roles/configuration/tasks/encryption/tpm2.yml
@@ -80,10 +80,11 @@
host stderr={{ configuration_luks_tpm2_enroll_host.stderr | default('') }}
rescue:
- name: Warn about TPM2 enrollment failure
- ansible.builtin.debug:
+ ansible.builtin.fail:
msg: >-
- TPM2 enrollment failed — falling back to keyfile auto-decrypt.
+ WARNING: TPM2 enrollment failed — falling back to keyfile auto-decrypt.
The system will use a keyfile instead of TPM2 for automatic LUKS unlock.
+ ignore_errors: true
- name: Fallback to keyfile auto-decrypt
ansible.builtin.set_fact:
diff --git a/roles/configuration/tasks/extras.yml b/roles/configuration/tasks/extras.yml
index e777a4c..9b8bc37 100644
--- a/roles/configuration/tasks/extras.yml
+++ b/roles/configuration/tasks/extras.yml
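Review bot: `device_letter_map: "{{ disk_letter_map }}"` turns the var into a one-line alias, and nothing in the hunk guards the lookup `device_letter_map[ansible_loop.index0]` when `disk_letter_map` is undefined or shorter than the number of disks iterated, so the set_fact aborts with an undefined-variable or index error rather than a readable message. Either drop the alias and index `disk_letter_map` directly, or precede the loop with `ansible.builtin.assert` checking `disk_letter_map is defined` and that its length covers the loop. The task that owns this `vars:` starts before the hunk, and where `disk_letter_map` is declared is not visible here.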
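Review bot: The new `Remove temporary Xen configuration file` task only executes when the task registering `cleanup_xen_start_result` succeeds, so a failed start leaves `/tmp/xen-{{ hostname }}.cfg` on the host with whatever disk and boot details it carries. Wrap the start and the removal in a `block:` with the removal under `always:` so the file is cleaned up on both paths. Separately, the name is a fixed, predictable path in shared `/tmp`; if the file is created earlier with that same literal path, `ansible.builtin.tempfile` (registered and reused for path and removal) avoids a local user pre-creating or symlinking it. The enclosing task list starts outside the hunk.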
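Review bot: `ansible.builtin.fail` with `ignore_errors: true` makes the TPM2-to-keyfile downgrade print as an ignored failure (`ignored=1` in the recap, masking other ignored failures) while still proceeding unconditionally to `Fallback to keyfile auto-decrypt`, so a host that loses TPM2 sealing ends up with an on-disk LUKS unlock keyfile with no operator decision involved. Since that fallback weakens the unlock path, gate it on an explicit opt-in rather than always ignoring, e.g. `ignore_errors: "{{ <allow_keyfile_fallback_var> | bool }}"` (placeholder name), so a run without the opt-in stops in the rescue instead of enrolling a keyfile. If only a louder message was wanted, the previous `ansible.builtin.debug` task with the `WARNING:` prefix achieves that without a fake failure. This `rescue:` belongs to a block whose `block:` section starts outside the hunk.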
@@ -12,6 +12,8 @@
marker: "# {mark} CUSTOM VIM CONFIG"
failed_when: false
+# Tuned for VM workloads: low swappiness, aggressive writeback, large page-cluster
+# for zram. Override post-bootstrap via the linux role or sysctl if needed.
- name: Add memory tuning parameters
ansible.builtin.blockinfile:
path: /mnt/etc/sysctl.d/90-memory.conf
@@ -41,7 +43,7 @@
mode: "0644"
- name: Copy Custom Shell config
- ansible.builtin.template:
- src: custom.sh.j2
+ ansible.builtin.copy:
+ src: custom.sh
dest: /mnt/etc/profile.d/custom.sh
mode: "0644"
diff --git a/roles/configuration/tasks/selinux.yml b/roles/configuration/tasks/selinux.yml
index aaaa5ec..594f4e7 100644
--- a/roles/configuration/tasks/selinux.yml
+++ b/roles/configuration/tasks/selinux.yml
@@ -11,6 +11,8 @@
register: configuration_setfiles_result
changed_when: configuration_setfiles_result.rc == 0
+ # Fedora: setfiles segfaults during bootstrap chroot relabeling, so SELinux
+ # is left permissive and expected to relabel on first boot.
- name: Disable SELinux
when: os == "fedora" or not system_cfg.features.selinux.enabled | bool
ansible.builtin.lineinfile:
diff --git a/roles/configuration/tasks/ssh.yml b/roles/configuration/tasks/ssh.yml
index 8d56ef7..0d6754a 100644
--- a/roles/configuration/tasks/ssh.yml
+++ b/roles/configuration/tasks/ssh.yml
@@ -1,4 +1,6 @@
---
+# Bootstrap-only: permissive SSH for initial Ansible access.
+# Post-bootstrap hardening (key-only, no root login) is handled by the linux role.
- name: Ensure SSH password authentication is enabled
ansible.builtin.lineinfile:
path: /mnt/etc/ssh/sshd_config
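Review bot: In the `Copy Custom Shell config` task of extras.yml, the switch to `ansible.builtin.copy` keeps `mode: "0644"` but still sets no `owner`/`group` on `/mnt/etc/profile.d/custom.sh`; a file sourced by every login shell should be pinned to root explicitly rather than depending on the account Ansible happens to run as, so add `owner: root` and `group: root` next to `mode`. The hunk also does not show `custom.sh.j2` being renamed to `custom.sh` in the role's files directory; if that rename is not part of this commit the copy fails at run time.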
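Review bot: The comment added in selinux.yml says SELinux "is left permissive and expected to relabel on first boot", but it sits above a task named `Disable SELinux` whose `lineinfile` body is outside the hunk; if that task writes a disabled mode rather than permissive, no first-boot relabel happens and the comment is misleading. The `when: os == "fedora" or ...` also means Fedora hosts get this regardless of `system_cfg.features.selinux.enabled`, which the comment should say outright since it is a security downgrade applied as a workaround. Suggested wording: `# Fedora workaround: setfiles segfaults in the bootstrap chroot, so this task runs on Fedora even when system_cfg.features.selinux.enabled is true; it writes <mode set below> and relies on a first-boot relabel (e.g. /.autorelabel) to restore labels.` with the placeholder replaced by the value the lineinfile actually writes.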
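Review bot: The comment added in ssh.yml states that hardening "is handled by the linux role", yet nothing in this file enforces that the role runs before the host is reachable, so the comment should name what is relaxed and the condition under which the window is acceptable. Suggested wording: `# Bootstrap-only: leaves password authentication enabled so the first Ansible run can connect; the host must not be exposed until the linux role has applied key-only auth and disabled root login.` The task below is named `Ensure SSH password authentication is enabled`; its `lineinfile` body continues past the hunk.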