feat(configuration): add Secure Boot tasks for shim and sbctl

roles/configuration/tasks/secure_boot/shim.yml

@@ -0,0 +1,57 @@
+---
+- name: Configure shim-based Secure Boot
+  vars:
+    _efi_vendor: >-
+      {{
+        "redhat" if os == "rhel"
+        else ("ubuntu" if os in ["ubuntu", "ubuntu-lts"] else os)
+      }}
+  block:
+    - name: Find shim binary in target system
+      ansible.builtin.command: >-
+        {{ chroot_command }} find /usr/lib/shim /boot/efi/EFI
+        -name 'shimx64.efi*' -type f -print -quit
+      register: _shim_find_result
+      changed_when: false
+      failed_when: false
+
+    - name: Copy shim to EFI vendor directory
+      when:
+        - _shim_find_result.stdout | default('') | length > 0
+        - _configuration_platform.grub_install | bool
+      ansible.builtin.command: >-
+        cp {{ _shim_find_result.stdout_lines | first }}
+        /mnt{{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/shimx64.efi
+      register: _shim_copy_result
+      changed_when: _shim_copy_result.rc == 0
+
+    - name: Enroll Secure Boot keys via efi-updatevar
+      when: system_cfg.type == 'virtual'
+      block:
+        - name: Check if efi-updatevar is available
+          ansible.builtin.command: which efi-updatevar
+          register: _efi_updatevar_check
+          changed_when: false
+          failed_when: false
+
+        - name: Enroll default UEFI Secure Boot keys
+          when: _efi_updatevar_check.rc == 0
+          ansible.builtin.command: >-
+            {{ chroot_command }} sbctl enroll-keys --microsoft
+          register: _sb_enroll_result
+          changed_when: _sb_enroll_result.rc == 0
+          failed_when: false
+
+    - name: Verify shim is present
+      ansible.builtin.stat:
+        path: "/mnt{{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/shimx64.efi"
+      register: _shim_stat
+
+    - name: Report Secure Boot status
+      ansible.builtin.debug:
+        msg: >-
+          Secure Boot (shim): {{
+            'shimx64.efi installed'
+            if (_shim_stat.stat.exists | default(false))
+            else 'shimx64.efi not found, shim package may handle placement on first boot'
+          }}