refactor(cis): align normalization with main project activation gate pattern

roles/cis/defaults/main.yml

@@ -84,6 +84,8 @@ cis_defaults:
 cis_fusermount_binary: "{{ 'fusermount3' if is_rhel | default(false) | bool else 'fusermount' }}"
 cis_write_binary: "{{ 'write' if is_rhel | default(false) | bool else 'wall' }}"
 
+cis: {}
+
 cis_permission_targets:
   - { path: "/mnt/etc/ssh/sshd_config", mode: "0600" }
   - { path: "/mnt/etc/cron.hourly", mode: "0700" }

roles/cis/tasks/_normalize.yml

@@ -1,4 +1,10 @@
 ---
-- name: Build cis_cfg from defaults and user overrides
+- name: Normalize CIS input
   ansible.builtin.set_fact:
-    cis_cfg: "{{ cis_defaults | combine(cis | default({}), recursive=true) }}"
+    cis_enabled: "{{ cis is defined and (cis is mapping or cis | bool) }}"
+    cis_input: "{{ cis if cis is mapping else {} }}"
+
+- name: Normalize CIS configuration
+  when: cis_enabled and cis_cfg is not defined
+  ansible.builtin.set_fact:
+    cis_cfg: "{{ cis_defaults | combine(cis_input, recursive=True) }}"

roles/cis/tasks/main.yml

@@ -1,17 +1,20 @@
 ---
 - name: Normalize CIS configuration
-  ansible.builtin.include_tasks: _normalize.yml
+  ansible.builtin.import_tasks: _normalize.yml
 
-- name: Include CIS hardening tasks
-  ansible.builtin.include_tasks: "{{ cis_task }}"
-  loop:
-    - modules.yml
-    - sysctl.yml
-    - auth.yml
-    - crypto.yml
-    - files.yml
-    - security_lines.yml
-    - permissions.yml
-    - sshd.yml
-  loop_control:
-    loop_var: cis_task
+- name: Apply CIS hardening
+  when: cis_enabled
+  block:
+    - name: Include CIS hardening tasks
+      ansible.builtin.include_tasks: "{{ cis_task }}"
+      loop:
+        - modules.yml
+        - sysctl.yml
+        - auth.yml
+        - crypto.yml
+        - files.yml
+        - security_lines.yml
+        - permissions.yml
+        - sshd.yml
+      loop_control:
+        loop_var: cis_task