diff --git a/roles/global_defaults/defaults/main.yml b/roles/global_defaults/defaults/main.yml
index b7e7f40..7725cad 100644
--- a/roles/global_defaults/defaults/main.yml
+++ b/roles/global_defaults/defaults/main.yml
@@ -144,6 +144,19 @@ system_defaults:
 secure_boot:
 enabled: false
 method: "" # arch only: sbctl (default) or uki; ignored for other distros
+ firmware:
+ enabled: "auto" # auto = on for physical, off for virtual
+ microcode: "auto"
+ gpu:
+ enabled: false
+ nvidia_driver: "auto" # auto | open | proprietary | nouveau
+ peripherals:
+ enabled: "auto" # auto = follows desktop.enabled
+ fingerprint: "auto"
+ webcam: "auto"
+ displaylink: false
+ hardware:
+ profile: {} # empty = autodetect; set to override (golden image)
 # Per-hypervisor required fields — drives data-driven validation.
 # All virtual types additionally require network bridge or interfaces.
diff --git a/roles/global_defaults/tasks/_normalize_system.yml b/roles/global_defaults/tasks/_normalize_system.yml
index 5c2e525..980a7d5 100644
--- a/roles/global_defaults/tasks/_normalize_system.yml
+++ b/roles/global_defaults/tasks/_normalize_system.yml
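Review bot: In roles/global_defaults/defaults/main.yml, `microcode: "auto"`, `fingerprint: "auto"` and `webcam: "auto"` carry no comment, unlike the neighbouring `enabled` keys, so what 'auto' resolves to can only be learned from `_normalize_system.yml`. Suggest `microcode: "auto" # auto = follows firmware.enabled` and `fingerprint: "auto" # auto = decided at install time from hardware detection` (same wording for `webcam`). For `hardware.profile` it would also help to state which keys an override may contain, since the later assert only requires the value to be a mapping. The `system_defaults` mapping starts and ends outside the hunk.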
@@ -153,6 +153,50 @@
 secure_boot:
 enabled: "{{ system_raw.features.secure_boot.enabled | bool }}"
 method: "{{ system_raw.features.secure_boot.method | default('') | string | lower }}"
+ firmware:
+ enabled: >-
+ {{
+ (system_type == 'physical')
+ if (system_raw.features.firmware.enabled | string | lower) == 'auto'
+ else (system_raw.features.firmware.enabled | bool)
+ }}
+ microcode: >-
+ {{
+ (
+ (system_type == 'physical')
+ if (system_raw.features.firmware.enabled | string | lower) == 'auto'
+ else (system_raw.features.firmware.enabled | bool)
+ )
+ if (system_raw.features.firmware.microcode | string | lower) == 'auto'
+ else (system_raw.features.firmware.microcode | bool)
+ }}
+ gpu:
+ enabled: "{{ system_raw.features.gpu.enabled | bool }}"
+ nvidia_driver: "{{ system_raw.features.gpu.nvidia_driver | default('auto') | string | lower }}"
+ peripherals:
+ enabled: >-
+ {{
+ (system_raw.features.desktop.enabled | bool)
+ if (system_raw.features.peripherals.enabled | string | lower) == 'auto'
+ else (system_raw.features.peripherals.enabled | bool)
+ }}
+ # fingerprint/webcam stay tri-state ('auto'|'true'|'false') because the
+ # 'auto' branch is resolved at install time using detection results.
+ fingerprint: >-
+ {{
+ 'auto'
+ if (system_raw.features.peripherals.fingerprint | string | lower) == 'auto'
+ else (system_raw.features.peripherals.fingerprint | bool | string | lower)
+ }}
+ webcam: >-
+ {{
+ 'auto'
+ if (system_raw.features.peripherals.webcam | string | lower) == 'auto'
+ else (system_raw.features.peripherals.webcam | bool | string | lower)
+ }}
+ displaylink: "{{ system_raw.features.peripherals.displaylink | bool }}"
+ hardware:
+ profile: "{{ system_raw.features.hardware.profile | default({}) }}"
 hostname: "{{ system_name }}"
 os: "{{ system_os_input if system_os_input | length > 0 else (physical_default_os if system_type == 'physical' else '') }}"
 os_version: "{{ system_raw.version | default('') | string }}"
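Review bot: The `else (... | bool)` branches for `firmware.enabled` and `firmware.microcode` coerce every value other than 'auto', so on Ansible versions where `bool` maps unrecognised strings to false, a misspelled 'auto' silently turns firmware and microcode updates off on a physical host instead of failing. That matters because microcode updates carry CPU vulnerability mitigations. The same coercion in `fingerprint` and `webcam` (`| bool | string | lower`) can only yield 'true' or 'false', so the `in ["auto", "true", "false"]` conditions added in validation.yml cannot catch a bad value if they run on this normalised output. Reject unknown input before coercion, for example by asserting on the raw value: `(system_raw.features.firmware.microcode | string | lower) in ['auto', 'true', 'false']`, widened to whatever spellings the project accepts. The enclosing task starts and ends outside the hunk.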
diff --git a/roles/global_defaults/tasks/validation.yml b/roles/global_defaults/tasks/validation.yml
index 4682a38..4fea2e4 100644
--- a/roles/global_defaults/tasks/validation.yml
+++ b/roles/global_defaults/tasks/validation.yml
@@ -232,6 +232,26 @@
 fail_msg: Invalid feature flags were specified, please check your inventory/vars.
 quiet: true
+- name: Validate hardware feature flags
+ ansible.builtin.assert:
+ that:
+ - system_cfg.features.firmware.enabled is defined
+ - system_cfg.features.firmware.microcode is defined
+ - system_cfg.features.gpu.enabled is defined
+ - system_cfg.features.gpu.nvidia_driver in ["auto", "open", "proprietary", "nouveau"]
+ - system_cfg.features.peripherals.enabled is defined
+ - system_cfg.features.peripherals.fingerprint in ["auto", "true", "false"]
+ - system_cfg.features.peripherals.webcam in ["auto", "true", "false"]
+ - system_cfg.features.peripherals.displaylink is defined
+ - system_cfg.features.hardware.profile is mapping
+ fail_msg: >-
+ Invalid hardware feature flags. firmware.enabled/microcode,
+ peripherals.enabled and peripherals.displaylink must be bool (or 'auto'
+ sentinel for firmware); gpu.nvidia_driver in
+ [auto|open|proprietary|nouveau]; peripherals.fingerprint and
+ peripherals.webcam in [auto|true|false]; hardware.profile must be a dict.
+ quiet: true
+
 - name: Validate virtual system sizing
 when: system_cfg.type == "virtual"
 ansible.builtin.assert:
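Review bot: Five conditions (`firmware.enabled`, `firmware.microcode`, `gpu.enabled`, `peripherals.enabled`, `peripherals.displaylink`) only test `is defined`, while the fail_msg says they must be bool, so a non-boolean value passes this assert. If the normalised values reach `system_cfg` as real booleans (not visible in this hunk), tighten them, e.g. `- system_cfg.features.gpu.enabled is boolean`. The fail_msg also leaves out `gpu.enabled`. Its "or 'auto' sentinel for firmware" wording looks stale too, since `_normalize_system.yml` appears to resolve 'auto' for firmware before this check runs.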