fix: encryption, partitioning, cis and virtualization hardening

roles/virtualization/tasks/libvirt.yml

@@ -70,6 +70,19 @@
     - /tmp/cloud-user-data-{{ hostname }}.yml
     - /tmp/cloud-network-config-{{ hostname }}.yml
 
+# Resolve OVMF firmware to the first candidate present on the controller
+# unless the user pinned an explicit path. first_found needs the localhost
+# delegation since the candidates live on the libvirt host, not the target.
+- name: Resolve OVMF firmware paths
+  delegate_to: localhost
+  ansible.builtin.set_fact:
+    virtualization_libvirt_ovmf_code: >-
+      {{ virtualization_libvirt_ovmf_code if virtualization_libvirt_ovmf_code | default('', true) | length > 0
+         else lookup('ansible.builtin.first_found', virtualization_libvirt_ovmf_code_candidates) }}
+    virtualization_libvirt_ovmf_vars: >-
+      {{ virtualization_libvirt_ovmf_vars if virtualization_libvirt_ovmf_vars | default('', true) | length > 0
+         else lookup('ansible.builtin.first_found', virtualization_libvirt_ovmf_vars_candidates) }}
+
 # uri defaults to qemu:///system (local libvirtd)
 - name: Create VM using libvirt
   delegate_to: localhost

roles/virtualization/tasks/vmware.yml

@@ -36,7 +36,7 @@
         esxi_hostname: "{{ hypervisor_cfg.node if (hypervisor_cfg.node | default('') | length > 0) else omit }}"
         folder: "{{ system_cfg.path if system_cfg.path | string | length > 0 else omit }}"
         name: "{{ hostname }}"
-        # Generic guest ID — VMware auto-detects OS post-install
+        # Generic guest ID - VMware auto-detects OS post-install
         guest_id: otherLinux64Guest
         annotation: |
           {{ note if note is defined else '' }}