diff --git a/roles/bootstrap/vars/main.yml b/roles/bootstrap/vars/main.yml
index 040393b..a688320 100644
--- a/roles/bootstrap/vars/main.yml
+++ b/roles/bootstrap/vars/main.yml
@@ -1,15 +1,18 @@ --- -# Common conditional packages shared across distributions. -# Arch overrides nftables with iptables-nft; SSH package names vary per distro. -bootstrap_common_conditional: - - "{{ 'firewalld' if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else '' }}" - - "{{ 'ufw' if system_cfg.features.firewall.backend == 'ufw' and system_cfg.features.firewall.enabled | bool else '' }}" - - "{{ 'iptables' if system_cfg.features.firewall.toolkit == 'iptables' and system_cfg.features.firewall.enabled | bool else '' }}" - - "{{ 'nftables' if system_cfg.features.firewall.toolkit == 'nftables' and system_cfg.features.firewall.enabled | bool else '' }}" - - "{{ 'cryptsetup' if system_cfg.luks.enabled | bool else '' }}" - - "{{ 'tpm2-tools' if system_cfg.luks.enabled | bool else '' }}" - - "{{ 'qemu-guest-agent' if hypervisor_type in ['libvirt', 'proxmox'] else '' }}" - - "{{ 'open-vm-tools' if hypervisor_type == 'vmware' else '' }}" +# Common feature-gated packages. Built as a clean list (no empty strings). +# Arch overrides nftables → iptables-nft; SSH package names vary per distro. +bootstrap_common_conditional: >- + {{ + ( + (['firewalld'] if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else []) + + (['ufw'] if system_cfg.features.firewall.backend == 'ufw' and system_cfg.features.firewall.enabled | bool else []) + + (['iptables'] if system_cfg.features.firewall.toolkit == 'iptables' and system_cfg.features.firewall.enabled | bool else []) + + (['nftables'] if system_cfg.features.firewall.toolkit == 'nftables' and system_cfg.features.firewall.enabled | bool else []) + + (['cryptsetup', 'tpm2-tools'] if system_cfg.luks.enabled | bool else []) + + (['qemu-guest-agent'] if hypervisor_type in ['libvirt', 'proxmox'] else []) + + (['open-vm-tools'] if hypervisor_type == 'vmware' else []) + ) + }} bootstrap_rhel_base: >- {{ 
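Review bot: In `bootstrap_common_conditional` the gate `system_cfg.features.firewall.enabled | bool` is repeated in all four firewall terms and sits unparenthesised after `and`, so a reader has to know that Jinja filters bind tighter than `and` to see that `| bool` applies only to `enabled`. Parenthesising it, e.g. `(['ufw'] if system_cfg.features.firewall.backend == 'ufw' and (system_cfg.features.firewall.enabled | bool) else [])`, or wrapping the four firewall terms in a single outer `if (system_cfg.features.firewall.enabled | bool)`, would make it harder for a later edit to leave one firewall package gated differently from the others. The header comment could also state that `backend` and `toolkit` are tested independently, so one package from each pair can be selected at the same time.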
@@ -20,13 +23,15 @@ bootstrap_rhel_base: >- + bootstrap_common_conditional }} -bootstrap_rhel_versioned: - - grub2 - - "{{ 'grub2-efi-x64' if os_version_major | default('') == '8' else 'grub2-efi' }}" - - "{{ 'grub2-tools-extra' if os_version_major | default('') in ['8', '9'] else '' }}" - - "{{ 'python39' if os_version_major | default('') == '8' else 'python' }}" - - "{{ 'kernel' if os_version_major | default('') == '10' else '' }}" - - "{{ 'zram-generator' if os_version_major | default('') in ['9', '10'] else '' }}" +bootstrap_rhel_versioned: >- + {{ + ['grub2'] + + (['grub2-efi-x64'] if os_version_major | default('') == '8' else ['grub2-efi']) + + (['grub2-tools-extra'] if os_version_major | default('') in ['8', '9'] else []) + + (['python39'] if os_version_major | default('') == '8' else ['python']) + + (['kernel'] if os_version_major | default('') == '10' else []) + + (['zram-generator'] if os_version_major | default('') in ['9', '10'] else []) + }} bootstrap_rhel: "{{ bootstrap_rhel_base + bootstrap_rhel_versioned }}" @@ -56,20 +61,13 @@ bootstrap_fedora: >- + bootstrap_common_conditional }} -bootstrap_debian_base_common: - - btrfs-progs - - cron - - gnupg - - grub-efi - - grub-efi-amd64-signed - - grub2-common - - "{{ 'cryptsetup-initramfs' if system_cfg.luks.enabled | bool else '' }}" - - locales - - logrotate - - lvm2 - - "{{ 'openssh-server' if system_cfg.features.ssh.enabled | bool else '' }}" - - python3 - - xfsprogs +bootstrap_debian_base_common: >- + {{ + ['btrfs-progs', 'cron', 'gnupg', 'grub-efi', 'grub-efi-amd64-signed', + 'grub2-common', 'locales', 'logrotate', 'lvm2', 'python3', 'xfsprogs'] + + (['cryptsetup-initramfs'] if system_cfg.luks.enabled | bool else []) + + (['openssh-server'] if system_cfg.features.ssh.enabled | bool else []) + }} bootstrap_debian_extra_common: - apparmor-utils 
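Review bot: Every test in `bootstrap_rhel_versioned` compares `os_version_major | default('')` with a quoted string, so if the variable arrives as an integer (for example from an unquoted `os_version_major: 9`) none of the branches match and the list silently falls back to `grub2-efi` and `python` with no `zram-generator` or `kernel`. `bootstrap_debian_extra_versioned` in the same file already coerces with `(os_version | string)`; doing the same here, `(os_version_major | default('') | string) == '8'`, keeps the two consistent. How `os_version_major` is set is not visible in this diff, so this is a hardening suggestion rather than a confirmed bug.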
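Review bot: The eleven unconditional packages in `bootstrap_debian_base_common` moved from a YAML sequence into a Jinja list literal, so adding or removing a package no longer shows up as a one-line diff and YAML tooling sees the whole value as one opaque string. Since this variable feeds the Debian base set (`bootstrap_debian.base` in the next hunk's context), keeping the static entries as a plain YAML sequence in their own variable and concatenating only the two conditional terms here would keep the installed-package list easy to audit. `cryptsetup-initramfs` and `openssh-server` also now come last rather than in alphabetical position, which matters only if a consumer depends on order.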
@@ -98,14 +96,16 @@ bootstrap_debian_extra_common: - wget - zstd -bootstrap_debian_extra_versioned: - - linux-image-amd64 - - "{{ 'duf' if (os_version | string) not in ['10', '11'] else '' }}" - - "{{ 'fastfetch' if (os_version | string) in ['13', 'unstable'] else '' }}" - - "{{ 'neofetch' if (os_version | string) == '12' else '' }}" - - "{{ 'software-properties-common' if (os_version | string) not in ['13', 'unstable'] else '' }}" - - "{{ 'systemd-zram-generator' if (os_version | string) not in ['10', '11'] else '' }}" - - "{{ 'tldr' if (os_version | string) not in ['13', 'unstable'] else '' }}" +bootstrap_debian_extra_versioned: >- + {{ + ['linux-image-amd64'] + + (['duf'] if (os_version | string) not in ['10', '11'] else []) + + (['fastfetch'] if (os_version | string) in ['13', 'unstable'] else []) + + (['neofetch'] if (os_version | string) == '12' else []) + + (['software-properties-common'] if (os_version | string) not in ['13', 'unstable'] else []) + + (['systemd-zram-generator'] if (os_version | string) not in ['10', '11'] else []) + + (['tldr'] if (os_version | string) not in ['13', 'unstable'] else []) + }} bootstrap_debian: base: "{{ bootstrap_debian_base_common }}" @@ -137,8 +137,8 @@ bootstrap_archlinux: >- 'lrzsz', 'lsof', 'lvm2', 'ncdu', 'networkmanager', 'nfs-utils', 'ppp', 'python', 'reflector', 'rsync', 'sudo', 'tldr', 'tmux', 'vim', 'zram-generator'] - + [('openssh' if system_cfg.features.ssh.enabled | bool else '')] - + [('iptables-nft' if system_cfg.features.firewall.toolkit == 'nftables' else '')] + + (['openssh'] if system_cfg.features.ssh.enabled | bool else []) + + (['iptables-nft'] if system_cfg.features.firewall.toolkit == 'nftables' and system_cfg.features.firewall.enabled | bool else []) + (bootstrap_common_conditional | reject('equalto', 'nftables') | list) }} 
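Review bot: Four of the terms in `bootstrap_debian_extra_versioned` use `not in`, so any `os_version` value outside the short lists (a point release such as `13.1`, a codename, or an empty string) is treated as "everything else" and receives `duf`, `systemd-zram-generator`, `software-properties-common` and `tldr`. Whether such values can occur is not visible here, but the result would be a package-manager error late in bootstrap or a package set that differs from the one intended for that release. Assuming the supported releases are the ones named in this hunk, positive matches (for `duf`, `in ['12', '13', 'unstable']`) or an assertion on the accepted `os_version` values before this variable is used would make unknown versions fail early.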
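Review bot: The `iptables-nft` term in `bootstrap_archlinux` now also requires `system_cfg.features.firewall.enabled | bool`, which is a behaviour change in a diff whose only visible description is about removing empty strings. With the firewall feature disabled and `toolkit == 'nftables'`, Arch previously got `iptables-nft` and now gets neither it nor `nftables`. That looks intentional and matches the gating in `bootstrap_common_conditional`, but it deserves a line in the commit message and a comment above `bootstrap_archlinux:` (outside this hunk), such as `# iptables-nft stands in for nftables on Arch; installed only when the firewall feature is enabled`. The expression starts before the hunk, so the rest of the list is not reviewed here.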
@@ -147,7 +147,7 @@ bootstrap_alpine: >- ['alpine-base', 'btrfs-progs', 'chrony', 'curl', 'e2fsprogs', 'linux-lts', 'logrotate', 'lvm2', 'python3', 'rsync', 'sudo', 'util-linux', 'vim', 'xfsprogs'] - + [('openssh' if system_cfg.features.ssh.enabled | bool else '')] + + (['openssh'] if system_cfg.features.ssh.enabled | bool else []) + bootstrap_common_conditional }} @@ -156,7 +156,7 @@ bootstrap_opensuse: >- ['btrfs-progs', 'chrony', 'curl', 'e2fsprogs', 'glibc-locale', 'kernel-default', 'logrotate', 'lvm2', 'NetworkManager', 'python3', 'rsync', 'sudo', 'vim', 'xfsprogs'] - + [('openssh' if system_cfg.features.ssh.enabled | bool else '')] + + (['openssh'] if system_cfg.features.ssh.enabled | bool else []) + bootstrap_common_conditional }} @@ -165,6 +165,6 @@ bootstrap_void: >- ['btrfs-progs', 'chrony', 'curl', 'dhcpcd', 'e2fsprogs', 'logrotate', 'lvm2', 'python3', 'rsync', 'sudo', 'vim', 'xfsprogs'] - + [('openssh' if system_cfg.features.ssh.enabled | bool else '')] + + (['openssh'] if system_cfg.features.ssh.enabled | bool else []) + bootstrap_common_conditional }}