From fa78edf2e2c999efa2d2d5bc085386501ad795c5 Mon Sep 17 00:00:00 2001
From: Sandwich
Date: Sat, 21 Feb 2026 02:56:39 +0100
Subject: [PATCH] refactor(cis): align normalization with main project activation gate pattern

---
 roles/cis/defaults/main.yml | 2 ++
 roles/cis/tasks/_normalize.yml | 10 ++++++++--
 roles/cis/tasks/main.yml | 31 +++++++++++++++++--------------
 3 files changed, 27 insertions(+), 16 deletions(-)

diff --git a/roles/cis/defaults/main.yml b/roles/cis/defaults/main.yml
index 15d2ff7..a742e62 100644
--- a/roles/cis/defaults/main.yml
+++ b/roles/cis/defaults/main.yml
@@ -84,6 +84,8 @@ cis_defaults:
   cis_fusermount_binary: "{{ 'fusermount3' if is_rhel | default(false) | bool else 'fusermount' }}"
   cis_write_binary: "{{ 'write' if is_rhel | default(false) | bool else 'wall' }}"
 
+cis: {}
+
 cis_permission_targets:
   - { path: "/mnt/etc/ssh/sshd_config", mode: "0600" }
   - { path: "/mnt/etc/cron.hourly", mode: "0700" }
diff --git a/roles/cis/tasks/_normalize.yml b/roles/cis/tasks/_normalize.yml
index 020cac0..9ba731b 100644
--- a/roles/cis/tasks/_normalize.yml
+++ b/roles/cis/tasks/_normalize.yml
@@ -1,4 +1,10 @@
 ---
-- name: Build cis_cfg from defaults and user overrides
+- name: Normalize CIS input
   ansible.builtin.set_fact:
-    cis_cfg: "{{ cis_defaults | combine(cis | default({}), recursive=true) }}"
+    cis_enabled: "{{ cis is defined and (cis is mapping or cis | bool) }}"
+    cis_input: "{{ cis if cis is mapping else {} }}"
+
+- name: Normalize CIS configuration
+  when: cis_enabled and cis_cfg is not defined
+  ansible.builtin.set_fact:
+    cis_cfg: "{{ cis_defaults | combine(cis_input, recursive=True) }}"
diff --git a/roles/cis/tasks/main.yml b/roles/cis/tasks/main.yml
index 7cab50c..5f85e06 100644
--- a/roles/cis/tasks/main.yml
+++ b/roles/cis/tasks/main.yml
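Review bot: Adding `cis: {}` to the role defaults makes the activation gate open by default: with that value always present, the new `cis is defined and (cis is mapping or cis | bool)` test in _normalize.yml evaluates true, so the hardening runs for every host unless a caller explicitly sets `cis: false`. If the main project's gate pattern is opt-in, this default inverts it; if opt-out is the intent, it should be stated next to the default, e.g. `# Activation gate: hardening runs by default; set cis to false to skip this role, or to a mapping to override cis_defaults.` With the default in place the `cis is defined` part of the test is redundant, since a role default always defines the variable.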
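Review bot: The `cis_cfg is not defined` guard on the second set_fact lets a `cis_cfg` fact that already exists on the host (left by an earlier application of the role in the same play, since set_fact values persist across plays, or supplied from inventory) silently win over the current `cis` input, so the hardening can be applied with stale settings while the caller believes the new overrides took effect. If the guard is meant to make repeated application idempotent it does so only by ignoring changed input; the merge is cheap, so `when: cis_enabled` alone is the safer condition. The `cis_input` fallback to `{}` for a truthy non-mapping value (e.g. `cis: true`) is a reasonable "defaults only" mode but is not obvious from the two expressions; a comment above the first task such as `# cis: true -> defaults only; cis: {…} -> defaults merged with overrides; cis: false -> role skipped` would make the contract explicit.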
@@ -1,17 +1,20 @@
 ---
 - name: Normalize CIS configuration
-  ansible.builtin.include_tasks: _normalize.yml
+  ansible.builtin.import_tasks: _normalize.yml
 
-- name: Include CIS hardening tasks
-  ansible.builtin.include_tasks: "{{ cis_task }}"
-  loop:
-    - modules.yml
-    - sysctl.yml
-    - auth.yml
-    - crypto.yml
-    - files.yml
-    - security_lines.yml
-    - permissions.yml
-    - sshd.yml
-  loop_control:
-    loop_var: cis_task
+- name: Apply CIS hardening
+  when: cis_enabled
+  block:
+    - name: Include CIS hardening tasks
+      ansible.builtin.include_tasks: "{{ cis_task }}"
+      loop:
+        - modules.yml
+        - sysctl.yml
+        - auth.yml
+        - crypto.yml
+        - files.yml
+        - security_lines.yml
+        - permissions.yml
+        - sshd.yml
+      loop_control:
+        loop_var: cis_task
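Review bot: The `block:` introduced under "Apply CIS hardening" wraps a single task, so `when: cis_enabled` could sit directly on the include_tasks task with one less nesting level; the block only earns its place if further tasks or a rescue/always section are planned there. Switching the normalize step to `import_tasks` is the right call for this gate, because a static import guarantees both set_fact tasks are part of the play and `cis_enabled` is therefore always defined before the `when` below is evaluated; that dependency is worth recording on the import line, e.g. `# static import: cis_enabled must exist before the gate below`.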