fix(configuration): disambiguate BLS task names and clean up misc noise

roles/configuration/tasks/encryption.yml

@@ -246,7 +246,7 @@
         mode: "0644"
         content: "{{ configuration_kernel_cmdline_new }}\n"
 
-    - name: Find BLS entries
+    - name: Find BLS entries for encryption kernel cmdline
       when: is_rhel | bool
       ansible.builtin.find:
         paths: /mnt/boot/loader/entries

roles/configuration/tasks/encryption/tpm2.yml

@@ -1,6 +1,7 @@
 ---
 - name: Enroll TPM2 for LUKS
   block:
+    # Tempfile in chroot /tmp — accessible by both chroot and host commands
     - name: Create temporary passphrase file for TPM2 enrollment
       ansible.builtin.tempfile:
         path: /mnt/tmp
@@ -87,4 +88,3 @@
       ansible.builtin.file:
         path: "{{ configuration_luks_tpm2_passphrase_tempfile.path }}"
         state: absent
-      changed_when: false

roles/configuration/tasks/grub.yml

@@ -95,7 +95,7 @@
         mode: "0644"
         content: "{{ configuration_kernel_cmdline_base }}\n"
 
-    - name: Find BLS entries
+    - name: Find BLS entries for GRUB configuration
       ansible.builtin.find:
         paths: /mnt/boot/loader/entries
         patterns: "*.conf"

roles/configuration/tasks/services.yml

@@ -1,4 +1,5 @@
 ---
+# Single systemctl enable — atomic; individual failures abort the command
 - name: Enable Systemd Services
   when: os not in ['alpine', 'void']
   ansible.builtin.command: >
@@ -37,7 +38,6 @@
         path: "/mnt/etc/init.d/{{ item }}"
       loop: "{{ configuration_openrc_services }}"
       register: configuration_openrc_service_stats
-      changed_when: false
 
     - name: Enable OpenRC services
       ansible.builtin.file:
@@ -68,7 +68,6 @@
         path: "/mnt/etc/sv/{{ item }}"
       loop: "{{ configuration_runit_services }}"
       register: configuration_runit_service_stats
-      changed_when: false
 
     - name: Enable runit services
       ansible.builtin.file: