fix(encryption): add warning before silent TPM2-to-keyfile fallback

roles/configuration/tasks/encryption/tpm2.yml

@@ -79,6 +79,12 @@
           chroot stderr={{ configuration_luks_tpm2_enroll_chroot.stderr | default('') }},
           host stderr={{ configuration_luks_tpm2_enroll_host.stderr | default('') }}
   rescue:
+    - name: Warn about TPM2 enrollment failure
+      ansible.builtin.debug:
+        msg: >-
+          TPM2 enrollment failed — falling back to keyfile auto-decrypt.
+          The system will use a keyfile instead of TPM2 for automatic LUKS unlock.
+
     - name: Fallback to keyfile auto-decrypt
       ansible.builtin.set_fact:
         configuration_luks_auto_method: keyfile