fix: encryption, partitioning, cis and virtualization hardening

roles/cis/tasks/modules.yml

@@ -1,7 +1,7 @@
 ---
 - name: Disable Kernel Modules
   vars:
-    # Ubuntu uses squashfs for snap packages — blacklisting it breaks snap entirely
+    # Ubuntu uses squashfs for snap packages - blacklisting it breaks snap entirely
     cis_modules_squashfs: "{{ [] if os in ['ubuntu', 'ubuntu-lts'] else ['squashfs'] }}"
     cis_modules_all: "{{ cis_cfg.modules_blacklist + cis_modules_squashfs }}"
   ansible.builtin.copy: