fix: encryption, partitioning, cis and virtualization hardening

roles/cis/defaults/main.yml

@@ -1,6 +1,6 @@
 ---
 # User-facing API: override via top-level `cis` dict in inventory.
-# Merged with these defaults in _normalize.yml → cis_cfg.
+# Merged with these defaults in _normalize.yml -> cis_cfg.
 cis_defaults:
   modules_blacklist:
     - freevxfs

roles/cis/tasks/modules.yml

@@ -1,7 +1,7 @@
 ---
 - name: Disable Kernel Modules
   vars:
-    # Ubuntu uses squashfs for snap packages — blacklisting it breaks snap entirely
+    # Ubuntu uses squashfs for snap packages - blacklisting it breaks snap entirely
     cis_modules_squashfs: "{{ [] if os in ['ubuntu', 'ubuntu-lts'] else ['squashfs'] }}"
     cis_modules_all: "{{ cis_cfg.modules_blacklist + cis_modules_squashfs }}"
   ansible.builtin.copy: