fix: encryption, partitioning, cis and virtualization hardening

roles/virtualization/defaults/main.yml

@@ -1,9 +1,9 @@
 ---
 # Cloud-init support matrix:
-#   libvirt  — cloud-init ISO attached as CDROM (user-data + network-config)
-#   proxmox  — cloud-init via Proxmox API (cicustom, ciuser, cipassword, etc.)
-#   vmware   — no cloud-init; configuration is applied post-install via chroot
-#   xen      — no cloud-init; configuration is applied post-install via chroot
+#   libvirt  - cloud-init ISO attached as CDROM (user-data + network-config)
+#   proxmox  - cloud-init via Proxmox API (cicustom, ciuser, cipassword, etc.)
+#   vmware   - no cloud-init; configuration is applied post-install via chroot
+#   xen      - no cloud-init; configuration is applied post-install via chroot
 virtualization_libvirt_image_dir: >-
   {{
     system_cfg.path
@@ -17,8 +17,18 @@ virtualization_libvirt_cloudinit_path: >-
 virtualization_xen_disk_path: /var/lib/xen/images
 
 virtualization_libvirt_machine_type: q35
-virtualization_libvirt_ovmf_code: /usr/share/edk2/x64/OVMF_CODE.secboot.4m.fd
-virtualization_libvirt_ovmf_vars: /usr/share/edk2/x64/OVMF_VARS.4m.fd
+# Secboot OVMF firmware candidates, ordered Arch, Debian/Ubuntu, Fedora/RHEL.
+# libvirt.yml resolves these to the first file present on the controller.
+virtualization_libvirt_ovmf_code_candidates:
+  - /usr/share/edk2/x64/OVMF_CODE.secboot.4m.fd
+  - /usr/share/OVMF/OVMF_CODE_4M.secboot.fd
+  - /usr/share/edk2/ovmf/OVMF_CODE.secboot.fd
+  - /usr/share/OVMF/OVMF_CODE.secboot.fd
+virtualization_libvirt_ovmf_vars_candidates:
+  - /usr/share/edk2/x64/OVMF_VARS.4m.fd
+  - /usr/share/OVMF/OVMF_VARS_4M.fd
+  - /usr/share/edk2/ovmf/OVMF_VARS.fd
+  - /usr/share/OVMF/OVMF_VARS.fd
 
 virtualization_tpm2_enabled: >-
   {{

roles/virtualization/tasks/libvirt.yml

@@ -70,6 +70,19 @@
     - /tmp/cloud-user-data-{{ hostname }}.yml
     - /tmp/cloud-network-config-{{ hostname }}.yml
 
+# Resolve OVMF firmware to the first candidate present on the controller
+# unless the user pinned an explicit path. first_found needs the localhost
+# delegation since the candidates live on the libvirt host, not the target.
+- name: Resolve OVMF firmware paths
+  delegate_to: localhost
+  ansible.builtin.set_fact:
+    virtualization_libvirt_ovmf_code: >-
+      {{ virtualization_libvirt_ovmf_code if virtualization_libvirt_ovmf_code | default('', true) | length > 0
+         else lookup('ansible.builtin.first_found', virtualization_libvirt_ovmf_code_candidates) }}
+    virtualization_libvirt_ovmf_vars: >-
+      {{ virtualization_libvirt_ovmf_vars if virtualization_libvirt_ovmf_vars | default('', true) | length > 0
+         else lookup('ansible.builtin.first_found', virtualization_libvirt_ovmf_vars_candidates) }}
+
 # uri defaults to qemu:///system (local libvirtd)
 - name: Create VM using libvirt
   delegate_to: localhost

roles/virtualization/tasks/vmware.yml

@@ -36,7 +36,7 @@
         esxi_hostname: "{{ hypervisor_cfg.node if (hypervisor_cfg.node | default('') | length > 0) else omit }}"
         folder: "{{ system_cfg.path if system_cfg.path | string | length > 0 else omit }}"
         name: "{{ hostname }}"
-        # Generic guest ID — VMware auto-detects OS post-install
+        # Generic guest ID - VMware auto-detects OS post-install
         guest_id: otherLinux64Guest
         annotation: |
           {{ note if note is defined else '' }}