diff --git a/roles/global_defaults/defaults/main.yml b/roles/global_defaults/defaults/main.yml
index 3fe66da..3a7624a 100644
--- a/roles/global_defaults/defaults/main.yml
+++ b/roles/global_defaults/defaults/main.yml
@@ -34,6 +34,7 @@ hypervisor_defaults:
 storage: ""
 datacenter: ""
 cluster: ""
+ folder: ""
 certs: false
 ssh: false
diff --git a/roles/global_defaults/tasks/validation.yml b/roles/global_defaults/tasks/validation.yml
index f211a5b..b246d9c 100644
--- a/roles/global_defaults/tasks/validation.yml
+++ b/roles/global_defaults/tasks/validation.yml
@@ -347,8 +347,48 @@ that:
 - item is mapping
 - item.bridge is defined and (item.bridge | string | length) > 0
- fail_msg: "Each system.network.interfaces[] entry must be a dict with at least a 'bridge' key."
+ - >-
+ (item.ip | default('') | string | length) == 0
+ or (item.prefix | default('') | string | length) > 0
+ fail_msg: "Each system.network.interfaces[] entry must have a 'bridge' key and 'prefix' when 'ip' is set."
 quiet: true
 loop: "{{ system_cfg.network.interfaces }}"
 loop_control:
 label: "{{ item | to_json }}"
+
+- name: Validate hostname format
+ ansible.builtin.assert:
+ that:
+ - hostname is regex("^[a-zA-Z0-9]([a-zA-Z0-9._-]*[a-zA-Z0-9])?$")
+ fail_msg: "hostname '{{ hostname }}' contains invalid characters. Use only alphanumeric, hyphens, dots, and underscores."
+ quiet: true
+
+- name: Validate IP address format
+ when: system_cfg.network.ip is defined and (system_cfg.network.ip | string | length) > 0
+ ansible.builtin.assert:
+ that:
+ - system_cfg.network.ip is regex("^([0-9]{1,3}\\.){3}[0-9]{1,3}$")
+ fail_msg: "system.network.ip '{{ system_cfg.network.ip }}' is not a valid IPv4 address."
+ quiet: true
+
+- name: Validate DNS server format
+ when:
+ - system_cfg.network.dns.servers is defined
+ - system_cfg.network.dns.servers | length > 0
+ ansible.builtin.assert:
+ that:
+ - item is regex("^([0-9]{1,3}\\.){3}[0-9]{1,3}$")
+ fail_msg: "DNS server '{{ item }}' is not a valid IPv4 address."
+ quiet: true
+ loop: "{{ system_cfg.network.dns.servers }}"
+
+- name: Validate LUKS method
+ when: system_cfg.luks.enabled | bool
+ ansible.builtin.assert:
+ that:
+ - system_cfg.luks.method in ["tpm2", "keyfile"]
+ - >-
+ (system_cfg.luks.passphrase | string | length) > 0
+ fail_msg: "system.luks.method must be 'tpm2' or 'keyfile', and luks.passphrase must be set when LUKS is enabled."
+ quiet: true
+ no_log: true
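Review bot: The IPv4 pattern `^([0-9]{1,3}\\.){3}[0-9]{1,3}$` in the 'Validate IP address format' task (and the identical one in 'Validate DNS server format') accepts out-of-range octets such as 999.1.1.1, so a malformed address still passes validation and reaches the network configuration; constrain each octet, e.g. `- system_cfg.network.ip is regex("^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$")`, with the same change for the `item` check (or the `ansible.utils.ipv4` test if that collection is already a dependency of this role). In the 'Validate LUKS method' task, `(system_cfg.luks.passphrase | string | length) > 0` presumably raises an undefined-variable error rather than the fail_msg when the key is absent, unlike the `default('')` pattern used for `item.ip` in the interfaces check above; `(system_cfg.luks.passphrase | default('') | string | length) > 0` keeps the two consistent. Note also that with `no_log: true` Ansible censors the failed task's result, so the fail_msg will likely not be shown to the operator on failure — reasonable for keeping the passphrase out of logs, but worth a comment such as `# no_log keeps luks.passphrase out of task output; failures show a censored message` so it is not removed later.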