feat(cleanup): enroll Secure Boot keys in VM NVRAM after OS installation

roles/configuration/tasks/encryption.yml

@@ -20,11 +20,16 @@
             | regex_replace('\\s+', '')
             | regex_replace('^\\+|\\+$', '')
           }}
+        _sb_pcr7_safe: >-
+          {{
+            system_cfg.features.secure_boot.enabled | bool
+            and system_cfg.type | default('virtual') != 'virtual'
+          }}
         luks_tpm2_pcrs: >-
           {{
             _raw_pcrs
             if _raw_pcrs | length > 0
-            else ('7' if (system_cfg.features.secure_boot.enabled | bool) else '')
+            else ('7' if (_sb_pcr7_safe | bool) else '')
           }}
       ansible.builtin.set_fact:
         configuration_luks_mapper_name: "{{ system_cfg.luks.mapper }}"