fix(configuration): add explicit LUKS auto-decrypt fallback state tracking and logging

roles/configuration/tasks/encryption.yml

@@ -59,6 +59,14 @@
       when: configuration_luks_auto_method == 'keyfile'
       ansible.builtin.include_tasks: encryption/keyfile.yml
 
+    - name: Record final LUKS auto-decrypt method
+      ansible.builtin.set_fact:
+        configuration_luks_final_method: "{{ configuration_luks_auto_method }}"
+
+    - name: Report LUKS auto-decrypt configuration
+      ansible.builtin.debug:
+        msg: "LUKS auto-decrypt method: {{ configuration_luks_final_method }}"
+
     - name: Build LUKS parameters
       vars:
         luks_keyfile_in_use: "{{ configuration_luks_auto_method == 'keyfile' }}"

roles/configuration/tasks/encryption/keyfile.yml

@@ -104,6 +104,13 @@
       failed_when: false
       no_log: true
 
+    - name: Warn about keyfile enrollment failure
+      when: (configuration_luks_keyfile_unlock_test_after.rc | default(1)) != 0
+      ansible.builtin.debug:
+        msg: >-
+          LUKS keyfile enrollment failed — falling back to manual unlock at boot.
+          The system will prompt for the LUKS passphrase during startup.
+
     - name: Fallback to manual LUKS unlock if keyfile enrollment failed
       when: (configuration_luks_keyfile_unlock_test_after.rc | default(1)) != 0
       ansible.builtin.set_fact: