feat(cleanup): enroll Secure Boot keys in VM NVRAM after OS installation

feat(virtualization): enable TPM2 emulation for Secure Boot VMs
feat(configuration): auto-bind PCR 7 when Secure Boot and FDE are both enabled
2026-04-02 17:03:07 +02:00 · 2026-04-02 17:03:01 +02:00 · 2026-04-02 17:02:56 +02:00 · 2026-04-02 17:02:56 +02:00 · 2026-04-02 04:34:47 +02:00 · 2026-04-02 04:34:16 +02:00
83 changed files with 2014 additions and 775 deletions
--- a/.ansible-lint
+++ b/.ansible-lint
@@ -1,5 +1,6 @@
 skip_list:
  - run-once
  - var-naming[no-role-prefix] # user-facing API dicts (cis, system, hypervisor) are intentionally not role-prefixed
  - args[module] # false positives from variable-based module_defaults (_proxmox_auth, _vmware_auth)
 exclude_paths:
  - roles/global_defaults/
--- a/README.md
+++ b/README.md
@@ -91,7 +91,7 @@ all:
      username: root@pam
      password: !vault |
        $ANSIBLE_VAULT...
-      host: pve01
+      node: pve01
      storage: local-lvm
  children:
@@ -202,14 +202,29 @@ When `interfaces` is empty, the flat fields (`bridge`, `ip`, `prefix`, `gateway`
 #### `system.users`
 Dict keyed by username. At least one user must have a `password` (used for SSH access during bootstrap). Users without a password get locked accounts (key-only auth).
 ```yaml
 system:
  users:
    svcansible:
      password: "vault_lookup"
      keys:
        - "ssh-ed25519 AAAA..."
    appuser:
      sudo: "ALL=(ALL) NOPASSWD: ALL"
      keys:
        - "ssh-ed25519 BBBB..."
 ```
 | Key        | Type        | Default | Description                                        |
 | ---------- | ----------- | ------- | -------------------------------------------------- |
-| `name`     | string      | --      | Username (required)                                |
+| *(dict key)* | string    | --      | Username (required)                                |
-| `password` | string      | --      | User password (required for first user)            |
+| `password` | string      | --      | User password (required for at least one user)     |
 | `keys`     | list        | `[]`    | SSH public keys                                    |
 | `sudo`     | bool/string | --      | `true` for NOPASSWD ALL, or custom sudoers string  |
-The first user's credentials are prompted interactively via `vars_prompt` unless supplied in inventory or `-e`.
+Users must be defined in inventory. The dict format enables additive merging across inventory layers with `hash_behaviour=merge`.
 #### `system.root`
@@ -242,7 +257,15 @@ The first user's credentials are prompted interactively via `vars_prompt` unless
 | Key      | Type          | Default | Description                                    |
 | -------- | ------------- | ------- | ---------------------------------------------- |
 | `device` | string        | `auto`  | TPM2 device selector                           |
-| `pcrs`   | string/list   | --      | PCR binding policy (e.g. `"7"` or `"0+7"`)    |
+| `pcrs`   | string/list   | --      | PCR binding policy (e.g. `"7"` or `"0+7"`); empty = no PCR binding |
 **TPM2 auto-unlock:** Uses `systemd-cryptenroll` on all distros. The user-set passphrase
 remains as a backup unlock method. TPM2 enrollment runs in the chroot during bootstrap;
 if it fails (e.g. no TPM2 hardware), the system boots with passphrase-only unlock and
 TPM2 can be enrolled post-deployment via `systemd-cryptenroll --tpm2-device=auto <device>`.
 On Debian/Ubuntu, TPM2 auto-unlock requires dracut (initramfs-tools does not support `tpm2-device`).
 The bootstrap auto-switches to dracut when `method: tpm2` is set. Override via `features.initramfs.generator`.
 #### `system.features`
@@ -259,6 +282,26 @@ The first user's credentials are prompted interactively via `vars_prompt` unless
 | `banner.motd`      | bool   | `false`        | MOTD banner                          |
 | `banner.sudo`      | bool   | `true`         | Sudo banner                          |
 | `chroot.tool`      | string | `arch-chroot`  | `arch-chroot`, `chroot`, or `systemd-nspawn` |
 | `initramfs.generator` | string | auto-detected | Override initramfs generator (see below) |
 | `desktop.*`        | dict   | see below      | Desktop environment settings (see [4.2.5](#425-systemfeaturesdesktop)) |
 **Initramfs generator auto-detection:** RedHat → dracut, Arch → mkinitcpio, Debian/Ubuntu → initramfs-tools.
 Override with `dracut`, `mkinitcpio`, or `initramfs-tools`. When LUKS TPM2 auto-unlock is enabled and the
 native generator does not support `tpm2-device`, the generator is automatically upgraded to dracut.
 On distros with older dracut (no `tpm2-tss` module), clevis is used as a fallback for TPM2 binding.
 #### 4.2.5 `system.features.desktop`
 | Key               | Type   | Default        | Description                               |
 | ----------------- | ------ | -------------- | ----------------------------------------- |
 | `enabled`         | bool   | `false`        | Install desktop environment               |
 | `environment`     | string | --             | `gnome`, `kde`, `xfce`, `sway`, `hyprland`, `cinnamon`, `mate`, `lxqt`, `budgie` |
 | `display_manager` | string | auto-detected  | Override DM: `gdm`, `sddm`, `lightdm`, `ly`, `greetd` |
 When `enabled: true`, the bootstrap installs the desktop environment packages, enables the display manager
 and bluetooth services, and sets the systemd default target to `graphical.target`.
 Display manager auto-detection: gnome→gdm, kde→sddm, xfce→lightdm, sway→greetd, hyprland→ly.
 ### 4.3 `hypervisor` Dictionary
@@ -268,7 +311,7 @@ The first user's credentials are prompted interactively via `vars_prompt` unless
 | `url`        | string | --      | API host (Proxmox/VMware)                            |
 | `username`   | string | --      | API username                                         |
 | `password`   | string | --      | API password                                         |
-| `host`       | string | --      | Proxmox node name                                    |
+| `node`       | string | --      | Target compute node (Proxmox node / VMware ESXi host; mutually exclusive with `cluster` on VMware) |
 | `storage`    | string | --      | Storage identifier (Proxmox/VMware)                  |
 | `datacenter` | string | --      | VMware datacenter                                    |
 | `cluster`    | string | --      | VMware cluster                                       |
@@ -398,7 +441,7 @@ ansible-playbook -i inventory.yml main.yml
 ansible-playbook -i inventory.yml main.yml -e @vars.yml
 ```
-Credentials for the first user and root are prompted interactively via `vars_prompt` unless already set in inventory or passed via `-e`.
+All credentials (`system.users`, `system.root.password`) must be defined in inventory or passed via `-e`.
 Example inventory files are included:
@@ -408,7 +451,7 @@ Example inventory files are included:
 ## 7. Security
-Use **Ansible Vault** for all sensitive values (`hypervisor.password`, `system.luks.passphrase`, `system.users[].password`, `system.root.password`).
+Use **Ansible Vault** for all sensitive values (`hypervisor.password`, `system.luks.passphrase`, user passwords in `system.users`, `system.root.password`).
 ## 8. Safety
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -3,3 +3,6 @@ hash_behaviour = merge
 interpreter_python = auto_silent
 deprecation_warnings = False
 host_key_checking = False
 [ssh_connection]
 ssh_args = -C -o ControlMaster=auto -o ControlPersist=600s -o ServerAliveInterval=30 -o ServerAliveCountMax=10
--- a/inventory_example.yml
+++ b/inventory_example.yml
@@ -6,7 +6,7 @@ all:
      url: "pve01.example.com"
      username: "root@pam"
      password: "CHANGE_ME"
-      host: "pve01"
+      node: "pve01"
      storage: "local-lvm"
    boot_iso: "local:iso/archlinux-x86_64.iso"
  children:
--- a/main.yml
+++ b/main.yml
@@ -14,94 +14,7 @@
  strategy: free # noqa: run-once[play]
  gather_facts: false
  become: true
  vars_prompt:
    - name: user_name
      prompt: |
        What is your username?
      private: false
    - name: user_public_key
      prompt: |
        What is your ssh key?
      private: false
    - name: user_password
      prompt: |
        What is your password?
      confirm: true
    - name: root_password
      prompt: |
        What is your root password?
      confirm: true
  pre_tasks:
    - name: Apply prompted authentication values to system input
      no_log: true
      vars:
        system_input: "{{ system | default({}) }}"
        system_users_input: "{{ system_input.users | default([]) }}"
        system_first_user: >-
          {{
            system_users_input[0]
            if (system_users_input is iterable and system_users_input is not string
                and system_users_input is not mapping and system_users_input | length > 0)
            else {}
          }}
        system_root_input: "{{ (system_input.root | default({})) if (system_input.root is mapping) else {} }}"
        prompt_user_name: "{{ user_name | default(system_user_name | default(''), true) | string }}"
        prompt_user_key: "{{ user_public_key | default(user_key | default(system_user_key | default(''), true), true) | string | trim }}"
        prompt_user_password: "{{ user_password | default(system_user_password | default(''), true) | string }}"
        prompt_root_password: "{{ root_password | default(system_root_password | default(''), true) | string }}"
        resolved_user:
          name: >-
            {{
              system_first_user.name | string
              if (system_first_user.name | default('') | string | length) > 0
              else prompt_user_name
            }}
          keys: >-
            {{
              system_first_user['keys']
              if (system_first_user['keys'] is defined
                  and system_first_user['keys'] is iterable
                  and system_first_user['keys'] is not string
                  and system_first_user['keys'] | length > 0)
              else (
                [prompt_user_key]
                if (prompt_user_key | length > 0)
                else []
              )
            }}
          password: >-
            {{
              system_first_user.password | string
              if (system_first_user.password | default('') | string | length) > 0
              else prompt_user_password
            }}
      ansible.builtin.set_fact:
        system: >-
          {{
            system_input
            | combine(
                {
                  'users': (
                    [resolved_user]
                    + (system_users_input[1:]
                       if (system_users_input is sequence
                           and system_users_input is not string
                           and system_users_input | length > 1)
                       else [])
                  ),
                  'root': {
                    'password': (
                      (system_root_input.password | default('') | string | length) > 0
                    ) | ternary(system_root_input.password | string, prompt_root_password)
                  }
                },
                recursive=True
              )
          }}
    - name: Load global defaults
      ansible.builtin.import_role:
        name: global_defaults
@@ -110,32 +23,79 @@
      ansible.builtin.import_role:
        name: system_check
-  roles:
+  tasks:
-    - role: virtualization
+    - name: Bootstrap pipeline
      block:
        - name: Record that no pre-existing VM was found
          ansible.builtin.set_fact:
            _vm_absent_before_bootstrap: true
        - name: Create virtual machine
          when: system_cfg.type == "virtual"
-      become: false
+          ansible.builtin.include_role:
            name: virtualization
            public: true
          vars:
            ansible_connection: local
            ansible_become: false
-    - role: environment
+        - name: Configure environment
-      vars:
+          ansible.builtin.include_role:
-        ansible_connection: "{{ 'vmware_tools' if hypervisor_type == 'vmware' else 'ssh' }}"
+            name: environment
            public: true
-    - role: partitioning
+        - name: Partition disks
          ansible.builtin.include_role:
            name: partitioning
            public: true
          vars:
            partitioning_boot_partition_suffix: 1
            partitioning_main_partition_suffix: 2
-    - role: bootstrap
+        - name: Install base system
          ansible.builtin.include_role:
            name: bootstrap
            public: true
-    - role: configuration
+        - name: Apply system configuration
          ansible.builtin.include_role:
            name: configuration
            public: true
-    - role: cis
+        - name: Apply CIS hardening
          when: system_cfg.features.cis.enabled | bool
          ansible.builtin.include_role:
            name: cis
            public: true
-    - role: cleanup
+        - name: Clean up and finalize
          when: system_cfg.type in ["virtual", "physical"]
-      become: false
+          ansible.builtin.include_role:
            name: cleanup
            public: true
      rescue:
        - name: Delete VM on bootstrap failure
          when:
            - _vm_absent_before_bootstrap | default(false) | bool
            - virtualization_vm_created_in_run | default(false) | bool
            - system_cfg.type == "virtual"
          ansible.builtin.include_role:
            name: virtualization
            tasks_from: delete
          vars:
            ansible_connection: local
            ansible_become: false
          tags:
            - rescue_cleanup
        - name: Fail host after bootstrap rescue
          ansible.builtin.fail:
            msg: >-
              Bootstrap failed for {{ hostname }}.
              {{ 'VM was deleted to allow clean retry.'
                 if (virtualization_vm_created_in_run | default(false))
                 else 'VM was not created in this run (kept).' }}
  post_tasks:
    - name: Set post-reboot connection flags
@@ -159,10 +119,15 @@
      when:
        - post_reboot_can_connect | bool
      no_log: true
      vars:
        _primary: "{{ (system_cfg.users | dict2items | selectattr('value.password', 'defined') | first) }}"
      ansible.builtin.set_fact:
-        ansible_user: "{{ system_cfg.users[0].name }}"
+        ansible_connection: ssh
-        ansible_password: "{{ system_cfg.users[0].password }}"
+        ansible_host: "{{ system_cfg.network.ip }}"
-        ansible_become_password: "{{ system_cfg.users[0].password }}"
+        ansible_port: 22
        ansible_user: "{{ _primary.key }}"
        ansible_password: "{{ _primary.value.password }}"
        ansible_become_password: "{{ _primary.value.password }}"
        ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
        ansible_python_interpreter: /usr/bin/python3
--- a/roles/bootstrap/defaults/main.yml
+++ b/roles/bootstrap/defaults/main.yml
@@ -0,0 +1,15 @@
 ---
 # OS → task file mapping for bootstrap dispatch.
 # Each key matches a supported `os` value; value is the task file to include.
 bootstrap_os_task_map:
  almalinux: _dnf_family.yml
  alpine: alpine.yml
  archlinux: archlinux.yml
  debian: debian.yml
  fedora: _dnf_family.yml
  opensuse: opensuse.yml
  rocky: _dnf_family.yml
  rhel: rhel.yml
  ubuntu: ubuntu.yml
  ubuntu-lts: ubuntu.yml
  void: void.yml
--- a/roles/bootstrap/tasks/_desktop.yml
+++ b/roles/bootstrap/tasks/_desktop.yml
@@ -0,0 +1,48 @@
 ---
 - name: Load desktop package definitions
  ansible.builtin.include_vars:
    file: desktop.yml
 - name: Resolve desktop packages
  vars:
    _de: "{{ system_cfg.features.desktop.environment }}"
    _family_pkgs: "{{ bootstrap_desktop_packages[os_family] | default({}) }}"
    _de_config: "{{ _family_pkgs[_de] | default({}) }}"
  ansible.builtin.set_fact:
    _desktop_groups: "{{ _de_config.groups | default([]) }}"
    _desktop_packages: "{{ _de_config.packages | default([]) }}"
 - name: Validate desktop environment is supported
  ansible.builtin.assert:
    that:
      - (_desktop_groups | length > 0) or (_desktop_packages | length > 0)
    fail_msg: >-
      Desktop environment '{{ system_cfg.features.desktop.environment }}'
      is not defined for os_family '{{ os_family }}'.
      Supported: {{ (bootstrap_desktop_packages[os_family] | default({})).keys() | join(', ') }}
    quiet: true
 - name: Install desktop package groups
  when: _desktop_groups | length > 0
  ansible.builtin.command: >-
    {{ chroot_command }} dnf --releasever={{ os_version }}
    --setopt=install_weak_deps=False group install -y {{ _desktop_groups | join(' ') }}
  register: _desktop_group_result
  changed_when: _desktop_group_result.rc == 0
 - name: Install desktop packages
  when: _desktop_packages | length > 0
  vars:
    _install_commands:
      RedHat: >-
        {{ chroot_command }} dnf --releasever={{ os_version }}
        --setopt=install_weak_deps=False install -y {{ _desktop_packages | join(' ') }}
      Debian: >-
        {{ chroot_command }} apt install -y {{ _desktop_packages | join(' ') }}
      Archlinux: >-
        pacstrap /mnt {{ _desktop_packages | join(' ') }}
      Suse: >-
        {{ chroot_command }} zypper install -y {{ _desktop_packages | join(' ') }}
  ansible.builtin.command: "{{ _install_commands[os_family] }}"
  register: _desktop_pkg_result
  changed_when: _desktop_pkg_result.rc == 0
--- a/roles/bootstrap/tasks/_dnf_family.yml
+++ b/roles/bootstrap/tasks/_dnf_family.yml
@@ -18,6 +18,9 @@
        groupinstall -y {{ _dnf_groups }}
      register: bootstrap_dnf_base_result
      changed_when: bootstrap_dnf_base_result.rc == 0
      failed_when:
        - bootstrap_dnf_base_result.rc != 0
        - "'scriptlet' not in bootstrap_dnf_base_result.stderr"
    - name: Ensure chroot has DNS resolution
      ansible.builtin.file:
--- a/roles/bootstrap/tasks/_validate.yml
+++ b/roles/bootstrap/tasks/_validate.yml
@@ -0,0 +1,11 @@
 ---
 # Resolve the OS-specific variable namespace and task file for the bootstrap role.
 - name: Validate OS is supported for bootstrap
  ansible.builtin.assert:
    that:
      - os is defined
      - os in bootstrap_os_task_map
    fail_msg: >-
      Unsupported OS '{{ os | default("undefined") }}' for bootstrap.
      Supported: {{ bootstrap_os_task_map | dict2items | map(attribute='key') | join(', ') }}
    quiet: true
--- a/roles/bootstrap/tasks/debian.yml
+++ b/roles/bootstrap/tasks/debian.yml
@@ -31,10 +31,35 @@
    - name: Install Debian base system
      ansible.builtin.command: >-
        debootstrap --include={{ bootstrap_debian_base_csv }}
-        {{ bootstrap_debian_release }} /mnt https://deb.debian.org/debian/
+        {{ bootstrap_debian_release }} /mnt {{ system_cfg.mirror }}
      register: bootstrap_debian_base_result
      changed_when: bootstrap_debian_base_result.rc == 0
    - name: Write bootstrap sources.list
      ansible.builtin.template:
        src: debian.sources.list.j2
        dest: /mnt/etc/apt/sources.list
        mode: "0644"
    - name: Configure apt performance tuning
      ansible.builtin.copy:
        dest: /mnt/etc/apt/apt.conf.d/99performance
        content: |
          Acquire::Retries "3";
          Acquire::http::Pipeline-Depth "10";
          APT::Install-Recommends "false";
        mode: "0644"
    - name: Update package lists
      ansible.builtin.command: "{{ chroot_command }} apt update"
      register: bootstrap_debian_update_result
      changed_when: bootstrap_debian_update_result.rc == 0
    - name: Upgrade all packages to latest versions
      ansible.builtin.command: "{{ chroot_command }} apt full-upgrade -y"
      register: bootstrap_debian_upgrade_result
      changed_when: "'0 upgraded' not in bootstrap_debian_upgrade_result.stdout"
    - name: Install extra packages
      when: bootstrap_debian_extra_args | trim | length > 0
      ansible.builtin.command: "{{ chroot_command }} apt install -y {{ bootstrap_debian_extra_args }}"
--- a/roles/bootstrap/tasks/main.yml
+++ b/roles/bootstrap/tasks/main.yml
@@ -1,6 +1,9 @@
 ---
 - name: Validate bootstrap input
  ansible.builtin.import_tasks: _validate.yml
 - name: Create API filesystem mountpoints in installroot
-  when: is_rhel | bool
+  when: os_family == 'RedHat'
  ansible.builtin.file:
    path: "/mnt/{{ item }}"
    state: directory
@@ -11,7 +14,7 @@
    - sys
 - name: Mount API filesystems into installroot
-  when: is_rhel | bool
+  when: os_family == 'RedHat'
  ansible.posix.mount:
    src: "{{ item.src }}"
    path: "/mnt/{{ item.path }}"
@@ -28,21 +31,13 @@
 - name: Run OS-specific bootstrap process
  vars:
    bootstrap_os_task_map:
      almalinux: _dnf_family.yml
      alpine: alpine.yml
      archlinux: archlinux.yml
      debian: debian.yml
      fedora: _dnf_family.yml
      opensuse: opensuse.yml
      rocky: _dnf_family.yml
      rhel: rhel.yml
      ubuntu: ubuntu.yml
      ubuntu-lts: ubuntu.yml
      void: void.yml
    bootstrap_var_key: "{{ 'bootstrap_' + (os | replace('-lts', '') | replace('-', '_')) }}"
  ansible.builtin.include_tasks: "{{ bootstrap_os_task_map[os] }}"
 - name: Install desktop environment packages
  when: system_cfg.features.desktop.enabled | bool
  ansible.builtin.include_tasks: _desktop.yml
 - name: Ensure chroot uses live environment DNS
  ansible.builtin.file:
    src: /run/NetworkManager/resolv.conf
--- a/roles/bootstrap/tasks/rhel.yml
+++ b/roles/bootstrap/tasks/rhel.yml
@@ -13,7 +13,7 @@
  block:
    - name: Install base packages in chroot environment
      ansible.builtin.command: >-
-        dnf --releasever={{ os_version_major }} {{ _rhel_repos }}
+        dnf --releasever={{ os_version_major }} --best {{ _rhel_repos }}
        --installroot=/mnt
        --setopt=install_weak_deps=False --setopt=optional_metadata_types=filelists
        groupinstall -y {{ _rhel_groups }}
@@ -51,7 +51,7 @@
    - name: Install additional packages in chroot
      ansible.builtin.command: >-
-        {{ chroot_command }} dnf --releasever={{ os_version_major }}
+        {{ chroot_command }} dnf --releasever={{ os_version_major }} --best
        --setopt=install_weak_deps=False install -y {{ _rhel_extra }}
      register: bootstrap_result
      changed_when: bootstrap_result.rc == 0
--- a/roles/bootstrap/tasks/ubuntu.yml
+++ b/roles/bootstrap/tasks/ubuntu.yml
@@ -3,7 +3,7 @@
  vars:
    # ubuntu = latest non-LTS, ubuntu-lts = latest LTS
    bootstrap_ubuntu_release_map:
-      ubuntu: plucky
+      ubuntu: questing
      ubuntu-lts: noble
    bootstrap_ubuntu_release: "{{ bootstrap_ubuntu_release_map[os] | default('noble') }}"
    _config: "{{ lookup('vars', bootstrap_var_key) }}"
@@ -30,21 +30,35 @@
        --keyring=/usr/share/keyrings/ubuntu-archive-keyring.gpg
        --include={{ bootstrap_ubuntu_base_csv }}
        {{ bootstrap_ubuntu_release }} /mnt
-        https://archive.ubuntu.com/ubuntu/
+        {{ system_cfg.mirror }}
      register: bootstrap_ubuntu_base_result
      changed_when: bootstrap_ubuntu_base_result.rc == 0
-    - name: Enable universe repository
+    - name: Write bootstrap sources.list
-      ansible.builtin.replace:
+      ansible.builtin.template:
-        path: /mnt/etc/apt/sources.list
+        src: ubuntu.sources.list.j2
-        regexp: '^(deb\s+\S+\s+\S+\s+main)$'
+        dest: /mnt/etc/apt/sources.list
-        replace: '\1 universe'
+        mode: "0644"
    - name: Configure apt performance tuning
      ansible.builtin.copy:
        dest: /mnt/etc/apt/apt.conf.d/99performance
        content: |
          Acquire::Retries "3";
          Acquire::http::Pipeline-Depth "10";
          APT::Install-Recommends "false";
        mode: "0644"
    - name: Update package lists
      ansible.builtin.command: "{{ chroot_command }} apt update"
      register: bootstrap_ubuntu_update_result
      changed_when: bootstrap_ubuntu_update_result.rc == 0
    - name: Upgrade all packages to latest versions
      ansible.builtin.command: "{{ chroot_command }} apt full-upgrade -y"
      register: bootstrap_ubuntu_upgrade_result
      changed_when: "'0 upgraded' not in bootstrap_ubuntu_upgrade_result.stdout"
    - name: Install extra packages
      when: bootstrap_ubuntu_extra_args | trim | length > 0
      ansible.builtin.command: "{{ chroot_command }} apt install -y {{ bootstrap_ubuntu_extra_args }}"
--- a/roles/bootstrap/templates/debian.sources.list.j2
+++ b/roles/bootstrap/templates/debian.sources.list.j2
@@ -0,0 +1,15 @@
 # Managed by Ansible.
 {% set release = bootstrap_debian_release %}
 {% set mirror = system_cfg.mirror %}
 {% set components = 'main contrib non-free' ~ (' non-free-firmware' if (os_version | string) not in ['10', '11'] else '') %}
 deb {{ mirror }} {{ release }} {{ components }}
 deb-src {{ mirror }} {{ release }} {{ components }}
 {% if release != 'sid' %}
 deb https://security.debian.org/debian-security {{ release }}-security {{ components }}
 deb-src https://security.debian.org/debian-security {{ release }}-security {{ components }}
 deb {{ mirror }} {{ release }}-updates {{ components }}
 deb-src {{ mirror }} {{ release }}-updates {{ components }}
 {% endif %}
--- a/roles/bootstrap/templates/ubuntu.sources.list.j2
+++ b/roles/bootstrap/templates/ubuntu.sources.list.j2
@@ -0,0 +1,16 @@
 # Managed by Ansible.
 {% set release = bootstrap_ubuntu_release %}
 {% set mirror = system_cfg.mirror %}
 {% set components = 'main restricted universe multiverse' %}
 deb {{ mirror }} {{ release }} {{ components }}
 deb-src {{ mirror }} {{ release }} {{ components }}
 deb {{ mirror }} {{ release }}-updates {{ components }}
 deb-src {{ mirror }} {{ release }}-updates {{ components }}
 deb {{ mirror }} {{ release }}-security {{ components }}
 deb-src {{ mirror }} {{ release }}-security {{ components }}
 deb {{ mirror }} {{ release }}-backports {{ components }}
 deb-src {{ mirror }} {{ release }}-backports {{ components }}
--- a/roles/bootstrap/vars/desktop.yml
+++ b/roles/bootstrap/vars/desktop.yml
@@ -0,0 +1,149 @@
 ---
 # Per-family desktop environment package definitions.
 # Keyed by os_family -> environment -> groups (dnf groupinstall) / packages.
 # Kept intentionally minimal: base DE + essential tools, no full suites.
 bootstrap_desktop_packages:
  RedHat:
    gnome:
      groups:
        - workstation-product-environment
      packages: []
    kde:
      groups: []
      packages:
        - plasma-desktop
        - plasma-nm
        - plasma-pa
        - plasma-systemmonitor
        - sddm
        - konsole
        - dolphin
        - kate
        - kscreen
        - kde-gtk-config
        - xdg-user-dirs
        - xdg-desktop-portal-kde
        - bluez
        - pipewire
        - wireplumber
    xfce:
      groups:
        - xfce-desktop-environment
      packages:
        - lightdm
  Debian:
    gnome:
      groups: []
      packages:
        - gnome-core
        - gdm3
        - gnome-tweaks
        - xdg-user-dirs
    kde:
      groups: []
      packages:
        - plasma-desktop
        - plasma-nm
        - plasma-pa
        - sddm
        - konsole
        - dolphin
        - kate
        - kscreen
        - xdg-user-dirs
        - xdg-desktop-portal-kde
        - bluez
        - pipewire
        - wireplumber
    xfce:
      groups: []
      packages:
        - xfce4
        - xfce4-goodies
        - lightdm
        - xdg-user-dirs
  Archlinux:
    gnome:
      groups: []
      packages:
        - gnome
        - gdm
        - xdg-user-dirs
    kde:
      groups: []
      packages:
        - plasma-desktop
        - plasma-nm
        - plasma-pa
        - sddm
        - konsole
        - dolphin
        - kate
        - kscreen
        - kde-gtk-config
        - xdg-user-dirs
        - xdg-desktop-portal-kde
        - bluez
        - pipewire
        - wireplumber
    xfce:
      groups: []
      packages:
        - xfce4
        - xfce4-goodies
        - lightdm
        - xdg-user-dirs
    sway:
      groups: []
      packages:
        - sway
        - waybar
        - foot
        - wofi
        - greetd
        - xdg-user-dirs
        - xdg-desktop-portal-wlr
        - bluez
        - pipewire
        - wireplumber
    hyprland:
      groups: []
      packages:
        - hyprland
        - kitty
        - wofi
        - waybar
        - ly
        - xdg-user-dirs
        - xdg-desktop-portal-hyprland
        - polkit-kde-agent
        - qt5-wayland
        - qt6-wayland
        - bluez
        - pipewire
        - wireplumber
  Suse:
    gnome:
      groups: []
      packages:
        - patterns-gnome-gnome_basic
        - gdm
        - xdg-user-dirs
    kde:
      groups: []
      packages:
        - patterns-kde-kde_plasma
        - sddm
        - xdg-user-dirs
 # Display manager auto-detection from desktop environment.
 bootstrap_desktop_dm_map:
  gnome: gdm
  kde: sddm
  xfce: lightdm
  sway: greetd
  hyprland: ly@tty2
  cinnamon: lightdm
  mate: lightdm
  lxqt: sddm
  budgie: gdm
--- a/roles/bootstrap/vars/main.yml
+++ b/roles/bootstrap/vars/main.yml
@@ -201,6 +201,7 @@ bootstrap_debian:
    - lrzsz
    - mtr
    - ncdu
    - needrestart
    - net-tools
    - network-manager
    - python-is-python3
@@ -221,6 +222,7 @@ bootstrap_debian:
      + (['software-properties-common'] if (os_version | string) not in ['13', 'unstable'] else [])
      + (['systemd-zram-generator'] if (os_version | string) not in ['10', '11'] else [])
      + (['tldr'] if (os_version | string) not in ['13', 'unstable'] else [])
      + (['shim-signed'] if system_cfg.features.secure_boot.enabled | bool else [])
      + bootstrap_common_conditional
    }}
@@ -262,6 +264,7 @@ bootstrap_ubuntu:
    - mtr
    - ncdu
    - ncurses-term
    - needrestart
    - net-tools
    - network-manager
    - python-is-python3
@@ -273,7 +276,6 @@ bootstrap_ubuntu:
    - syslog-ng
    - systemd-zram-generator
    - tcpd
    - tldr
    - traceroute
    - util-linux-extra
    - vim
@@ -281,7 +283,12 @@ bootstrap_ubuntu:
    - yq
    - zoxide
    - zstd
-  conditional: "{{ bootstrap_common_conditional }}"
+  conditional: >-
    {{
      (['tldr'] if (os_version | default('') | string | length) > 0 else [])
      + (['shim-signed'] if system_cfg.features.secure_boot.enabled | bool else [])
      + bootstrap_common_conditional
    }}
 bootstrap_archlinux:
  base:
@@ -318,6 +325,7 @@ bootstrap_archlinux:
    {{
      (['openssh'] if system_cfg.features.ssh.enabled | bool else [])
      + (['iptables-nft'] if system_cfg.features.firewall.toolkit == 'nftables' and system_cfg.features.firewall.enabled | bool else [])
      + (['sbctl'] if system_cfg.features.secure_boot.enabled | bool else [])
      + (bootstrap_common_conditional | reject('equalto', 'nftables') | list)
    }}
--- a/roles/cleanup/defaults/main.yml
+++ b/roles/cleanup/defaults/main.yml
@@ -3,13 +3,3 @@
 cleanup_verify_boot: true
 cleanup_boot_timeout: 300
 cleanup_remove_on_failure: true
 # Libvirt paths
 cleanup_libvirt_image_dir: >-
  {{
    system_cfg.path
    if system_cfg is defined and (system_cfg.path | string | length) > 0
    else '/var/lib/libvirt/images'
  }}
 cleanup_libvirt_cloudinit_path: >-
  {{ [cleanup_libvirt_image_dir, hostname ~ '-cloudinit.iso'] | ansible.builtin.path_join }}
--- a/roles/cleanup/tasks/libvirt.yml
+++ b/roles/cleanup/tasks/libvirt.yml
@@ -14,7 +14,6 @@
    - name: Initialize cleaned VM XML
      ansible.builtin.set_fact:
        cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_get_xml.get_xml }}"
      changed_when: false
    - name: Remove boot ISO device from VM XML (source match)
      when: boot_iso is defined and boot_iso | length > 0
@@ -28,7 +27,6 @@
      when: boot_iso is defined and boot_iso | length > 0
      ansible.builtin.set_fact:
        cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_boot_source.xmlstring }}"
      changed_when: false
    - name: Remove boot ISO device from VM XML (target fallback)
      community.general.xml:
@@ -40,7 +38,6 @@
    - name: Update cleaned VM XML after removing boot ISO
      ansible.builtin.set_fact:
        cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_boot.xmlstring }}"
      changed_when: false
    - name: Remove cloud-init ISO device from VM XML (source match)
      community.general.xml:
@@ -52,7 +49,6 @@
    - name: Update cleaned VM XML after removing cloud-init ISO source match
      ansible.builtin.set_fact:
        cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_cloudinit_source.xmlstring }}"
      changed_when: false
    - name: Remove cloud-init ISO device from VM XML (target fallback)
      community.general.xml:
@@ -64,7 +60,6 @@
    - name: Update cleaned VM XML after removing cloud-init ISO
      ansible.builtin.set_fact:
        cleanup_libvirt_domain_xml: "{{ cleanup_libvirt_xml_strip_cloudinit.xmlstring }}"
      changed_when: false
    - name: Strip XML declaration for libvirt define
      ansible.builtin.set_fact:
@@ -76,7 +71,12 @@
            | regex_replace("(?i)encoding=[\"'][^\"']+[\"']", "")
            | trim
          }}
-      changed_when: false
+
    - name: Ensure boot device is set to hard disk in VM XML
      when: "'<boot ' not in cleanup_libvirt_domain_xml_clean"
      ansible.builtin.set_fact:
        cleanup_libvirt_domain_xml_clean: >-
          {{ cleanup_libvirt_domain_xml_clean | regex_replace('(</type>)', '\1\n    <boot dev="hd"/>') }}
    - name: Update VM definition without installer media
      community.libvirt.virt:
@@ -85,7 +85,7 @@
    - name: Remove cloud-init disk
      ansible.builtin.file:
-        path: "{{ cleanup_libvirt_cloudinit_path }}"
+        path: "{{ virtualization_libvirt_cloudinit_path }}"
        state: absent
    - name: Ensure VM is powered off before restart
@@ -94,6 +94,35 @@
        state: destroyed
      failed_when: false
    - name: Enroll Secure Boot keys in VM NVRAM
      when:
        - system_cfg.features.secure_boot.enabled | default(false) | bool
        - os != 'archlinux'
      block:
        - name: Find VM NVRAM file path
          ansible.builtin.shell:
            cmd: >-
              set -o pipefail &&
              virsh -c {{ libvirt_uri | default('qemu:///system') }} dumpxml {{ hostname }}
              | grep -oP '<nvram[^>]*>\K[^<]+'
            executable: /bin/bash
          register: _sb_nvram_path
          changed_when: false
          failed_when: false
        - name: Enroll Secure Boot keys via virt-fw-vars
          when: _sb_nvram_path.stdout | default('') | length > 0
          ansible.builtin.command:
            argv:
              - virt-fw-vars
              - --inplace
              - "{{ _sb_nvram_path.stdout | trim }}"
              - --enroll-redhat
              - --secure-boot
          register: _sb_enroll_result
          changed_when: _sb_enroll_result.rc == 0
          failed_when: false
    - name: Start the VM
      community.libvirt.virt:
        name: "{{ hostname }}"
--- a/roles/cleanup/tasks/proxmox.yml
+++ b/roles/cleanup/tasks/proxmox.yml
@@ -4,15 +4,8 @@
  delegate_to: localhost
  become: false
  module_defaults:
-    community.proxmox.proxmox_disk:
+    community.proxmox.proxmox_disk: "{{ _proxmox_auth }}"
-      api_host: "{{ hypervisor_cfg.url }}"
+    community.proxmox.proxmox_kvm: "{{ _proxmox_auth_node }}"
      api_user: "{{ hypervisor_cfg.username }}"
      api_password: "{{ hypervisor_cfg.password }}"
    community.proxmox.proxmox_kvm:
      api_host: "{{ hypervisor_cfg.url }}"
      api_user: "{{ hypervisor_cfg.username }}"
      api_password: "{{ hypervisor_cfg.password }}"
      node: "{{ hypervisor_cfg.host }}"
  block:
    - name: Cleanup Setup Disks
      community.proxmox.proxmox_disk:
@@ -32,3 +25,4 @@
      community.proxmox.proxmox_kvm:
        vmid: "{{ system_cfg.id }}"
        state: restarted
      no_log: true
--- a/roles/cleanup/tasks/virtual.yml
+++ b/roles/cleanup/tasks/virtual.yml
@@ -88,11 +88,7 @@
          delegate_to: localhost
          become: false
          module_defaults:
-            community.proxmox.proxmox_kvm:
+            community.proxmox.proxmox_kvm: "{{ _proxmox_auth_node }}"
              api_host: "{{ hypervisor_cfg.url }}"
              api_user: "{{ hypervisor_cfg.username }}"
              api_password: "{{ hypervisor_cfg.password }}"
              node: "{{ hypervisor_cfg.host }}"
          no_log: true
          block:
            - name: Stop Proxmox VM
@@ -113,11 +109,7 @@
          delegate_to: localhost
          become: false
          module_defaults:
-            community.vmware.vmware_guest:
+            community.vmware.vmware_guest: "{{ _vmware_auth }}"
              hostname: "{{ hypervisor_cfg.url }}"
              username: "{{ hypervisor_cfg.username }}"
              password: "{{ hypervisor_cfg.password }}"
              validate_certs: "{{ hypervisor_cfg.certs | bool }}"
          no_log: true
          block:
            - name: Power off VMware VM
--- a/roles/cleanup/tasks/vmware.yml
+++ b/roles/cleanup/tasks/vmware.yml
@@ -4,18 +4,8 @@
  delegate_to: localhost
  become: false
  module_defaults:
-    community.vmware.vmware_guest:
+    community.vmware.vmware_guest: "{{ _vmware_auth }}"
-      hostname: "{{ hypervisor_cfg.url }}"
+    vmware.vmware.vm_powerstate: "{{ _vmware_auth }}"
      username: "{{ hypervisor_cfg.username }}"
      password: "{{ hypervisor_cfg.password }}"
      validate_certs: "{{ hypervisor_cfg.certs | bool }}"
      datacenter: "{{ hypervisor_cfg.datacenter }}"
    vmware.vmware.vm_powerstate:
      hostname: "{{ hypervisor_cfg.url }}"
      username: "{{ hypervisor_cfg.username }}"
      password: "{{ hypervisor_cfg.password }}"
      validate_certs: "{{ hypervisor_cfg.certs | bool }}"
      datacenter: "{{ hypervisor_cfg.datacenter }}"
  no_log: true
  block:
    - name: Remove CD-ROM from VM in vCenter
--- a/roles/cleanup/tasks/xen.yml
+++ b/roles/cleanup/tasks/xen.yml
@@ -7,34 +7,11 @@
    xen_installer_media_enabled: "{{ xen_installer_media_enabled | default(false) }}"
  block:
    - name: Ensure Xen disk definitions exist
-      when: virtualization_xen_disks is not defined
+      ansible.builtin.include_tasks: ../../virtualization/tasks/_xen_disks.yml
      ansible.builtin.set_fact:
        cleanup_xen_disks: "{{ cleanup_xen_disks | default([]) + [cleanup_xen_disk_cfg] }}"
      vars:
        device_letter_map: "{{ disk_letter_map }}"
        device_letter: "{{ device_letter_map[ansible_loop.index0] }}"
        cleanup_xen_disk_cfg: >-
          {{
            {
              'path': (
                virtualization_xen_disk_path ~ '/' ~ hostname ~ '.qcow2'
                if ansible_loop.index0 == 0
                else virtualization_xen_disk_path ~ '/' ~ hostname ~ '-disk' ~ ansible_loop.index0 ~ '.qcow2'
              ),
              'target': 'xvd' ~ device_letter,
              'size': (item.size | float)
            }
          }}
      loop: "{{ system_cfg.disks }}"
      loop_control:
        label: "{{ item | to_json }}"
        extended: true
      changed_when: false
    - name: Render Xen VM configuration without installer media
      vars:
        xen_installer_media_enabled: false
        virtualization_xen_disks: "{{ virtualization_xen_disks | default(cleanup_xen_disks | default([])) }}"
      ansible.builtin.template:
        src: xen.cfg.j2
        dest: /tmp/xen-{{ hostname }}.cfg
--- a/roles/configuration/defaults/main.yml
+++ b/roles/configuration/defaults/main.yml
@@ -0,0 +1,7 @@
 ---
 # Network configuration dispatch — maps OS name to the task file
 # that writes network config. Default (NetworkManager) applies to
 # all OSes not explicitly listed.
 configuration_network_task_map:
  alpine: network_alpine.yml
  void: network_void.yml
--- a/roles/configuration/tasks/_bls_update.yml
+++ b/roles/configuration/tasks/_bls_update.yml
@@ -0,0 +1,19 @@
 ---
 # Shared task: update BLS (Boot Loader Specification) entries with kernel cmdline.
 # Expects variable: _bls_cmdline (the kernel command line string)
 - name: Find BLS entries
  ansible.builtin.find:
    paths: /mnt/boot/loader/entries
    patterns: "*.conf"
  register: _bls_entries
  changed_when: false
 - name: Update BLS options
  when: _bls_entries.files | length > 0
  ansible.builtin.lineinfile:
    path: "{{ item.path }}"
    regexp: "^options "
    line: "options {{ _bls_cmdline }}"
  loop: "{{ _bls_entries.files }}"
  loop_control:
    label: "{{ item.path }}"
--- a/roles/configuration/tasks/_resolve_platform.yml
+++ b/roles/configuration/tasks/_resolve_platform.yml
@@ -0,0 +1,25 @@
 ---
 # Resolve platform-specific configuration for the target OS family.
 # Sets _configuration_platform from configuration_platform_config[os_family].
 - name: Resolve platform-specific configuration
  ansible.builtin.assert:
    that:
      - os_family is defined
      - os_family in configuration_platform_config
    fail_msg: >-
      Unsupported os_family '{{ os_family | default("undefined") }}'.
      Extend configuration_platform_config in vars/main.yml.
    quiet: true
 - name: Set platform configuration
  ansible.builtin.set_fact:
    _configuration_platform: "{{ configuration_platform_config[os_family] }}"
 - name: Override EFI loader to shim for Secure Boot
  when:
    - system_cfg.features.secure_boot.enabled | bool
    - _configuration_platform.efi_loader != 'shimx64.efi'
    - os != 'archlinux'
  ansible.builtin.set_fact:
    _configuration_platform: >-
      {{ _configuration_platform | combine({'efi_loader': 'shimx64.efi'}) }}
--- a/roles/configuration/tasks/bootloader.yml
+++ b/roles/configuration/tasks/bootloader.yml
@@ -6,11 +6,10 @@
        "redhat" if os == "rhel"
        else ("ubuntu" if os in ["ubuntu", "ubuntu-lts"] else os)
      }}
-    _efi_loader: >-
+    _efi_loader: "{{ _configuration_platform.efi_loader }}"
      {{ "shimx64.efi" if is_rhel | bool else "grubx64.efi" }}
  block:
    - name: Install GRUB EFI binary
-      when: not (is_rhel | bool)
+      when: _configuration_platform.grub_install
      ansible.builtin.command: >-
        {{ chroot_command }} /usr/sbin/grub-install --target=x86_64-efi
        --efi-directory={{ partitioning_efi_mountpoint }}
@@ -35,6 +34,16 @@
      register: configuration_efi_entry_result
      changed_when: configuration_efi_entry_result.rc == 0
    - name: Set installed OS as first EFI boot entry
      ansible.builtin.shell:
        cmd: >-
          set -o pipefail &&
          efibootmgr | grep -i '{{ _efi_vendor }}' | grep -oP 'Boot\K[0-9A-F]+' | head -1
          | xargs -I{} efibootmgr -o {}
        executable: /bin/bash
      register: _efi_bootorder_result
      changed_when: _efi_bootorder_result.rc == 0
    - name: Ensure lvm2 for non btrfs filesystems
      when: os == "archlinux" and system_cfg.filesystem != "btrfs"
      ansible.builtin.lineinfile:
@@ -44,33 +53,67 @@
        backrefs: true
    - name: Regenerate initramfs
-      when: os not in ["alpine", "void"]
+      when: _configuration_platform.initramfs_cmd | length > 0
-      vars:
+      ansible.builtin.command: "{{ chroot_command }} {{ _configuration_platform.initramfs_cmd }}"
        configuration_initramfs_cmd: >-
          {{
            '/usr/sbin/mkinitcpio -P'
            if os == "archlinux"
            else (
              '/usr/bin/env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin '
              + '/usr/sbin/update-initramfs -u -k all'
              if is_debian | bool
              else '/usr/bin/dracut --regenerate-all --force'
            )
          }}
      ansible.builtin.command: "{{ chroot_command }} {{ configuration_initramfs_cmd }}"
      register: configuration_initramfs_result
      changed_when: configuration_initramfs_result.rc == 0
-    - name: Generate grub config
+    - name: Generate grub config (RedHat)
-      vars:
+      when: os_family == 'RedHat'
-        configuration_grub_cfg_cmd: >-
+      ansible.builtin.command: >-
-          {{
+        {{ chroot_command }} /usr/sbin/{{ _configuration_platform.grub_mkconfig_prefix }}
-            '/usr/sbin/grub2-mkconfig -o '
+        -o /boot/grub2/grub.cfg
            + partitioning_efi_mountpoint
            + '/EFI/' + _efi_vendor + '/grub.cfg'
            if is_rhel | bool
            else '/usr/sbin/grub-mkconfig -o /boot/grub/grub.cfg'
          }}
      ansible.builtin.command: "{{ chroot_command }} {{ configuration_grub_cfg_cmd }}"
      register: configuration_grub_result
      changed_when: configuration_grub_result.rc == 0
    - name: Fix btrfs BLS boot variable in grub config
      when:
        - os_family == 'RedHat'
        - system_cfg.filesystem == 'btrfs'
      ansible.builtin.replace:
        path: /mnt/boot/grub2/grub.cfg
        regexp: 'search --no-floppy --fs-uuid --set=boot \S+'
        replace: 'set boot=$root'
    - name: Create EFI grub.cfg wrapper for RedHat
      when: os_family == 'RedHat'
      vars:
        _grub2_path: >-
          {{
            '/grub2'
            if (partitioning_separate_boot | bool)
            else ('/@/boot/grub2' if system_cfg.filesystem == 'btrfs' else '/boot/grub2')
          }}
      ansible.builtin.shell:
        cmd: |
          set -o pipefail
          uuid=$(grep -m1 'search.*--set=root' /mnt/boot/grub2/grub.cfg | grep -oP '[\da-f]{8}(-[\da-f]{4}){3}-[\da-f]{12}')
          cat > /mnt{{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/grub.cfg <<GRUBEOF
          search --no-floppy --fs-uuid --set=dev $uuid
          set prefix=(\$dev){{ _grub2_path }}
          export \$prefix
          configfile \$prefix/grub.cfg
          GRUBEOF
        executable: /bin/bash
      register: _grub_wrapper_result
      changed_when: _grub_wrapper_result.rc == 0
    - name: Generate grub config (non-RedHat)
      when: os_family != 'RedHat'
      ansible.builtin.command: "{{ chroot_command }} /usr/sbin/grub-mkconfig -o /boot/grub/grub.cfg"
      register: configuration_grub_result
      changed_when: configuration_grub_result.rc == 0
    - name: Rebuild GRUB as standalone EFI for Secure Boot
      when:
        - system_cfg.features.secure_boot.enabled | default(false) | bool
        - os == 'archlinux'
      ansible.builtin.command: >-
        {{ chroot_command }} grub-mkstandalone
        -d /usr/lib/grub/x86_64-efi
        -O x86_64-efi
        --disable-shim-lock
        -o {{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/grubx64.efi
        boot/grub/grub.cfg=/boot/grub/grub.cfg
      register: _grub_standalone_result
      changed_when: _grub_standalone_result.rc == 0
--- a/roles/configuration/tasks/encryption.yml
+++ b/roles/configuration/tasks/encryption.yml
@@ -8,7 +8,7 @@
  block:
    - name: Set LUKS configuration facts
      vars:
-        luks_tpm2_pcrs: >-
+        _raw_pcrs: >-
          {{
            (
              system_cfg.luks.tpm2.pcrs
@@ -20,6 +20,17 @@
            | regex_replace('\\s+', '')
            | regex_replace('^\\+|\\+$', '')
          }}
        _sb_pcr7_safe: >-
          {{
            system_cfg.features.secure_boot.enabled | bool
            and system_cfg.type | default('virtual') != 'virtual'
          }}
        luks_tpm2_pcrs: >-
          {{
            _raw_pcrs
            if _raw_pcrs | length > 0
            else ('7' if (_sb_pcr7_safe | bool) else '')
          }}
      ansible.builtin.set_fact:
        configuration_luks_mapper_name: "{{ system_cfg.luks.mapper }}"
        configuration_luks_uuid: "{{ partitioning_luks_uuid | default('') }}"
@@ -36,6 +47,12 @@
        configuration_luks_tpm2_device: "{{ system_cfg.luks.tpm2.device }}"
        configuration_luks_tpm2_pcrs: "{{ luks_tpm2_pcrs }}"
        configuration_luks_keyfile_path: "/etc/cryptsetup-keys.d/{{ system_cfg.luks.mapper }}.key"
        configuration_luks_tpm2_token_lib: >-
          {{
            '/usr/lib/x86_64-linux-gnu/cryptsetup/libcryptsetup-token-systemd-tpm2.so'
            if os_family == 'Debian'
            else '/usr/lib64/cryptsetup/libcryptsetup-token-systemd-tpm2.so'
          }}
    - name: Validate LUKS UUID is available
      ansible.builtin.assert:
@@ -51,8 +68,13 @@
        fail_msg: system.luks.passphrase must be set for LUKS auto-decrypt.
      no_log: true
-    - name: Enroll TPM2 for LUKS
+    - name: Detect TPM2 unlock method
-      when: configuration_luks_auto_method == 'tpm2'
+      ansible.builtin.include_tasks: encryption/initramfs_detect.yml
    - name: Enroll TPM2 via systemd-cryptenroll
      when:
        - configuration_luks_auto_method == 'tpm2'
        - _tpm2_method | default('systemd-cryptenroll') == 'systemd-cryptenroll'
      ansible.builtin.include_tasks: encryption/tpm2.yml
    - name: Configure LUKS keyfile auto-decrypt
@@ -78,7 +100,7 @@
          }}
        luks_tpm2_option_list: >-
          {{
-            (configuration_luks_auto_method == 'tpm2')
+            (configuration_luks_auto_method == 'tpm2' and (_tpm2_method | default('systemd-cryptenroll')) == 'systemd-cryptenroll')
            | ternary(
                ['tpm2-device=' + configuration_luks_tpm2_device]
                + (['tpm2-pcrs=' + configuration_luks_tpm2_pcrs]
@@ -122,230 +144,16 @@
        path: /mnt{{ configuration_luks_keyfile_path }}
        state: absent
-    - name: Write crypttab entry
+    - name: Configure initramfs for LUKS
-      ansible.builtin.lineinfile:
+      ansible.builtin.include_tasks: encryption/initramfs.yml
        path: /mnt/etc/crypttab
        regexp: "^{{ configuration_luks_mapper_name }}\\s"
        line: >-
          {{ configuration_luks_mapper_name }} UUID={{ configuration_luks_uuid }}
          {{ configuration_luks_crypttab_keyfile }} {{ configuration_luks_crypttab_options }}
        create: true
        mode: "0600"
-    - name: Ensure keyfile pattern for initramfs-tools
+    - name: Configure crypttab
-      when:
+      ansible.builtin.include_tasks: encryption/crypttab.yml
        - is_debian | bool
        - configuration_luks_keyfile_in_use
      ansible.builtin.lineinfile:
        path: /mnt/etc/cryptsetup-initramfs/conf-hook
        regexp: "^KEYFILE_PATTERN="
        line: "KEYFILE_PATTERN=/etc/cryptsetup-keys.d/*.key"
        create: true
        mode: "0644"
    - name: Configure mkinitcpio hooks for LUKS
      when: os == 'archlinux'
      ansible.builtin.lineinfile:
        path: /mnt/etc/mkinitcpio.conf
        regexp: "^HOOKS="
        line: >-
          HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole
          block sd-encrypt{{ ' lvm2' if system_cfg.filesystem != 'btrfs' else '' }} filesystems fsck)
    - name: Read mkinitcpio configuration
      when: os == 'archlinux'
      ansible.builtin.slurp:
        src: /mnt/etc/mkinitcpio.conf
      register: configuration_mkinitcpio_slurp
    - name: Build mkinitcpio FILES list
      when: os == 'archlinux'
      vars:
        mkinitcpio_files_list: >-
          {{
            (
              configuration_mkinitcpio_slurp.content | b64decode
              | regex_findall('^FILES=\\(([^)]*)\\)', multiline=True)
              | default([])
              | first
              | default('')
            ).split()
          }}
        mkinitcpio_files_list_new: >-
          {{
            (
              (mkinitcpio_files_list + [configuration_luks_keyfile_path])
              if configuration_luks_keyfile_in_use
              else (
                mkinitcpio_files_list
                | reject('equalto', configuration_luks_keyfile_path)
                | list
              )
            )
            | unique
          }}
      ansible.builtin.set_fact:
        configuration_mkinitcpio_files_list_new: "{{ mkinitcpio_files_list_new }}"
    - name: Configure mkinitcpio FILES list
      when: os == 'archlinux'
      ansible.builtin.lineinfile:
        path: /mnt/etc/mkinitcpio.conf
        regexp: "^FILES="
        line: >-
          FILES=({{
            configuration_mkinitcpio_files_list_new | join(' ')
          }})
    - name: Ensure dracut config directory exists
      when: is_rhel | bool
      ansible.builtin.file:
        path: /mnt/etc/dracut.conf.d
        state: directory
        mode: "0755"
    - name: Configure dracut for LUKS
-      when: is_rhel | bool
+      when: _initramfs_generator | default('') == 'dracut'
-      ansible.builtin.copy:
+      ansible.builtin.include_tasks: encryption/dracut.yml
        dest: /mnt/etc/dracut.conf.d/crypt.conf
        content: |
          add_dracutmodules+=" crypt "
          {% if configuration_luks_keyfile_in_use %}
          install_items+=" {{ configuration_luks_keyfile_path }} "
          {% endif %}
        mode: "0644"
-    - name: Read kernel cmdline defaults
+    - name: Configure GRUB for LUKS
-      when: is_rhel | bool
+      when: _initramfs_generator | default('') != 'dracut' or os_family != 'RedHat'
-      ansible.builtin.slurp:
+      ansible.builtin.include_tasks: encryption/grub.yml
        src: /mnt/etc/kernel/cmdline
      register: configuration_kernel_cmdline_slurp
    - name: Build kernel cmdline with LUKS args
      when: is_rhel | bool
      vars:
        kernel_cmdline_current: >-
          {{ configuration_kernel_cmdline_slurp.content | b64decode | trim }}
        kernel_cmdline_list: >-
          {{
            kernel_cmdline_current.split()
            if kernel_cmdline_current | length > 0 else []
          }}
        kernel_cmdline_filtered: >-
          {{
            kernel_cmdline_list
            | reject('match', '^rd\\.luks\\.(name|options|key)=' ~ configuration_luks_uuid ~ '=')
            | list
          }}
        kernel_cmdline_new: >-
          {{
            (kernel_cmdline_filtered + configuration_luks_kernel_args.split())
            | unique
            | join(' ')
          }}
      ansible.builtin.set_fact:
        configuration_kernel_cmdline_new: "{{ kernel_cmdline_new }}"
    - name: Write kernel cmdline with LUKS args
      when: is_rhel | bool
      ansible.builtin.copy:
        dest: /mnt/etc/kernel/cmdline
        mode: "0644"
        content: "{{ configuration_kernel_cmdline_new }}\n"
    - name: Find BLS entries for encryption kernel cmdline
      when: is_rhel | bool
      ansible.builtin.find:
        paths: /mnt/boot/loader/entries
        patterns: "*.conf"
      register: configuration_kernel_bls_entries
      changed_when: false
    - name: Update BLS options with LUKS args
      when:
        - is_rhel | bool
        - configuration_kernel_bls_entries.files | length > 0
      ansible.builtin.lineinfile:
        path: "{{ item.path }}"
        regexp: "^options "
        line: "options {{ configuration_kernel_cmdline_new }}"
      loop: "{{ configuration_kernel_bls_entries.files }}"
      loop_control:
        label: "{{ item.path }}"
    - name: Read grub defaults
      when: not is_rhel | bool
      ansible.builtin.slurp:
        src: /mnt/etc/default/grub
      register: configuration_grub_slurp
    - name: Build grub command lines with LUKS args
      when: not is_rhel | bool
      vars:
        grub_content: "{{ configuration_grub_slurp.content | b64decode }}"
        grub_cmdline_linux: >-
          {{
            grub_content
            | regex_findall('^GRUB_CMDLINE_LINUX=\"(.*)\"', multiline=True)
            | default([])
            | first
            | default('')
          }}
        grub_cmdline_default: >-
          {{
            grub_content
            | regex_findall('^GRUB_CMDLINE_LINUX_DEFAULT=\"(.*)\"', multiline=True)
            | default([])
            | first
            | default('')
          }}
        grub_cmdline_linux_list: >-
          {{
            grub_cmdline_linux.split()
            if grub_cmdline_linux | length > 0 else []
          }}
        grub_cmdline_default_list: >-
          {{
            grub_cmdline_default.split()
            if grub_cmdline_default | length > 0 else []
          }}
        luks_kernel_args_list: "{{ configuration_luks_kernel_args.split() }}"
        grub_cmdline_linux_new: >-
          {{
            (
              (
                grub_cmdline_linux_list
                | reject('match', '^rd\\.luks\\.(name|options|key)=' ~ configuration_luks_uuid ~ '=')
                | list
              )
              + luks_kernel_args_list
            )
            | unique
            | join(' ')
          }}
        grub_cmdline_default_new: >-
          {{
            (
              (
                grub_cmdline_default_list
                | reject('match', '^rd\\.luks\\.(name|options|key)=' ~ configuration_luks_uuid ~ '=')
                | list
              )
              + luks_kernel_args_list
            )
            | unique
            | join(' ')
          }}
      ansible.builtin.set_fact:
        configuration_grub_content: "{{ grub_content }}"
        configuration_grub_cmdline_linux: "{{ grub_cmdline_linux }}"
        configuration_grub_cmdline_default: "{{ grub_cmdline_default }}"
        configuration_grub_cmdline_linux_new: "{{ grub_cmdline_linux_new }}"
        configuration_grub_cmdline_default_new: "{{ grub_cmdline_default_new }}"
    - name: Update GRUB_CMDLINE_LINUX_DEFAULT for LUKS
      when: not is_rhel | bool
      ansible.builtin.lineinfile:
        path: /mnt/etc/default/grub
        regexp: "^GRUB_CMDLINE_LINUX_DEFAULT="
        line: 'GRUB_CMDLINE_LINUX_DEFAULT="{{ configuration_grub_cmdline_default_new }}"'
--- a/roles/configuration/tasks/encryption/crypttab.yml
+++ b/roles/configuration/tasks/encryption/crypttab.yml
@@ -0,0 +1,10 @@
 ---
 - name: Write crypttab entry
  ansible.builtin.lineinfile:
    path: /mnt/etc/crypttab
    regexp: "^{{ configuration_luks_mapper_name }}\\s"
    line: >-
      {{ configuration_luks_mapper_name }} UUID={{ configuration_luks_uuid }}
      {{ configuration_luks_crypttab_keyfile }} {{ configuration_luks_crypttab_options }}
    create: true
    mode: "0600"
--- a/roles/configuration/tasks/encryption/dracut.yml
+++ b/roles/configuration/tasks/encryption/dracut.yml
@@ -0,0 +1,66 @@
 ---
 - name: Ensure dracut config directory exists
  ansible.builtin.file:
    path: /mnt/etc/dracut.conf.d
    state: directory
    mode: "0755"
 - name: Configure dracut for LUKS
  ansible.builtin.copy:
    dest: /mnt/etc/dracut.conf.d/crypt.conf
    content: |
      add_dracutmodules+=" crypt systemd "
      {% if configuration_luks_keyfile_in_use | default(false) %}
      install_items+=" {{ configuration_luks_keyfile_path }} "
      {% endif %}
      {% if configuration_luks_auto_method == 'tpm2' %}
      install_items+=" {{ configuration_luks_tpm2_token_lib | default('') }} "
      {% endif %}
    mode: "0644"
 # --- Kernel cmdline: write rd.luks.* args for dracut ---
 - name: Ensure kernel cmdline directory exists
  ansible.builtin.file:
    path: /mnt/etc/kernel
    state: directory
    mode: "0755"
 - name: Read existing kernel cmdline
  ansible.builtin.slurp:
    src: /mnt/etc/kernel/cmdline
  register: _kernel_cmdline_slurp
  failed_when: false
 - name: Build kernel cmdline with LUKS args
  vars:
    _cmdline_current: >-
      {{ (_kernel_cmdline_slurp.content | default('') | b64decode | default('')) | trim }}
    _cmdline_list: >-
      {{ _cmdline_current.split() if _cmdline_current | length > 0 else [] }}
    _cmdline_filtered: >-
      {{
        _cmdline_list
        | reject('match', '^rd\\.luks\\.(name|options|key)=' ~ configuration_luks_uuid ~ '=')
        | list
      }}
    _cmdline_new: >-
      {{
        (_cmdline_filtered + configuration_luks_kernel_args.split())
        | unique
        | join(' ')
      }}
  ansible.builtin.set_fact:
    _dracut_kernel_cmdline: "{{ _cmdline_new }}"
 - name: Write kernel cmdline with LUKS args
  ansible.builtin.copy:
    dest: /mnt/etc/kernel/cmdline
    mode: "0644"
    content: "{{ _dracut_kernel_cmdline }}\n"
 # --- BLS entries: RedHat-specific ---
 - name: Update BLS entries with LUKS kernel cmdline
  when: os_family == 'RedHat'
  vars:
    _bls_cmdline: "{{ _dracut_kernel_cmdline }}"
  ansible.builtin.include_tasks: ../_bls_update.yml
--- a/roles/configuration/tasks/encryption/grub.yml
+++ b/roles/configuration/tasks/encryption/grub.yml
@@ -0,0 +1,74 @@
 ---
 - name: Read grub defaults
  ansible.builtin.slurp:
    src: /mnt/etc/default/grub
  register: configuration_grub_slurp
 - name: Build grub command lines with LUKS args
  vars:
    grub_content: "{{ configuration_grub_slurp.content | b64decode }}"
    grub_cmdline_linux: >-
      {{
        grub_content
        | regex_findall('^GRUB_CMDLINE_LINUX=\"(.*)\"', multiline=True)
        | default([])
        | first
        | default('')
      }}
    grub_cmdline_default: >-
      {{
        grub_content
        | regex_findall('^GRUB_CMDLINE_LINUX_DEFAULT=\"(.*)\"', multiline=True)
        | default([])
        | first
        | default('')
      }}
    grub_cmdline_linux_list: >-
      {{
        grub_cmdline_linux.split()
        if grub_cmdline_linux | length > 0 else []
      }}
    grub_cmdline_default_list: >-
      {{
        grub_cmdline_default.split()
        if grub_cmdline_default | length > 0 else []
      }}
    luks_kernel_args_list: "{{ configuration_luks_kernel_args.split() }}"
    grub_cmdline_linux_new: >-
      {{
        (
          (
            grub_cmdline_linux_list
            | reject('match', '^rd\\.luks\\.(name|options|key)=' ~ configuration_luks_uuid ~ '=')
            | list
          )
          + luks_kernel_args_list
        )
        | unique
        | join(' ')
      }}
    grub_cmdline_default_new: >-
      {{
        (
          (
            grub_cmdline_default_list
            | reject('match', '^rd\\.luks\\.(name|options|key)=' ~ configuration_luks_uuid ~ '=')
            | list
          )
          + luks_kernel_args_list
        )
        | unique
        | join(' ')
      }}
  ansible.builtin.set_fact:
    configuration_grub_content: "{{ grub_content }}"
    configuration_grub_cmdline_linux: "{{ grub_cmdline_linux }}"
    configuration_grub_cmdline_default: "{{ grub_cmdline_default }}"
    configuration_grub_cmdline_linux_new: "{{ grub_cmdline_linux_new }}"
    configuration_grub_cmdline_default_new: "{{ grub_cmdline_default_new }}"
 - name: Update GRUB_CMDLINE_LINUX_DEFAULT for LUKS
  ansible.builtin.lineinfile:
    path: /mnt/etc/default/grub
    regexp: "^GRUB_CMDLINE_LINUX_DEFAULT="
    line: 'GRUB_CMDLINE_LINUX_DEFAULT="{{ configuration_grub_cmdline_default_new }}"'
--- a/roles/configuration/tasks/encryption/initramfs.yml
+++ b/roles/configuration/tasks/encryption/initramfs.yml
@@ -0,0 +1,152 @@
 ---
 # Initramfs configuration for LUKS auto-unlock.
 # Runs AFTER Build LUKS parameters (so configuration_luks_keyfile_in_use is set).
 # _initramfs_generator and _tpm2_method are set by initramfs_detect.yml.
 # --- clevis: install and bind TPM2 ---
 - name: Install clevis in target system
  when:
    - configuration_luks_auto_method == 'tpm2'
    - _tpm2_method | default('') == 'clevis'
  ansible.builtin.command: >-
    {{ chroot_command }} apt install -y clevis clevis-luks clevis-tpm2 clevis-initramfs tpm2-tools
  register: _clevis_install_result
  changed_when: _clevis_install_result.rc == 0
 - name: Install clevis on installer for LUKS binding
  when:
    - configuration_luks_auto_method == 'tpm2'
    - _tpm2_method | default('') == 'clevis'
  community.general.pacman:
    name:
      - clevis
      - tpm2-tools
    state: present
  retries: 3
  delay: 5
 - name: Create clevis passphrase file
  when:
    - configuration_luks_auto_method == 'tpm2'
    - _tpm2_method | default('') == 'clevis'
  ansible.builtin.copy:
    dest: /mnt/root/.luks-enroll-key
    content: "{{ configuration_luks_passphrase }}"
    mode: "0600"
  no_log: true
 - name: Ensure TPM device accessible for clevis
  when:
    - configuration_luks_auto_method == 'tpm2'
    - _tpm2_method | default('') == 'clevis'
  ansible.builtin.shell: >-
    ls /mnt/dev/tpmrm0 2>/dev/null
    || (ls /dev/tpmrm0 && cp -a /dev/tpmrm0 /mnt/dev/tpmrm0)
  changed_when: false
  failed_when: false
 - name: Bind LUKS to TPM2 via clevis
  when:
    - configuration_luks_auto_method == 'tpm2'
    - _tpm2_method | default('') == 'clevis'
  vars:
    _clevis_config: >-
      {{
        '{"pcr_ids":"' + configuration_luks_tpm2_pcrs + '"}'
        if configuration_luks_tpm2_pcrs | length > 0
        else '{}'
      }}
  ansible.builtin.command: >-
    clevis luks bind -f -k /mnt/root/.luks-enroll-key
    -d {{ configuration_luks_device }} tpm2 '{{ _clevis_config }}'
  register: _clevis_bind_result
  changed_when: _clevis_bind_result.rc == 0
  failed_when: false
    # Initramfs regeneration is handled by the bootloader task which runs after
    # encryption configuration. Clevis hooks are included automatically by
    # update-initramfs when clevis-initramfs is installed.
 - name: Remove clevis passphrase file
  when:
    - configuration_luks_auto_method == 'tpm2'
    - _tpm2_method | default('') == 'clevis'
  ansible.builtin.file:
    path: /mnt/root/.luks-enroll-key
    state: absent
 - name: Report clevis binding result
  when:
    - configuration_luks_auto_method == 'tpm2'
    - _tpm2_method | default('') == 'clevis'
  ansible.builtin.debug:
    msg: >-
      {{ 'Clevis TPM2 binding succeeded' if (_clevis_bind_result.rc | default(1)) == 0
         else 'Clevis TPM2 binding failed: ' + (_clevis_bind_result.stderr | default('unknown')) + '. System will require passphrase at boot.' }}
 # --- initramfs-tools: keyfile support (non-TPM2) ---
 - name: Configure initramfs-tools keyfile pattern
  when:
    - _initramfs_generator | default('') == 'initramfs-tools'
    - configuration_luks_keyfile_in_use | default(false) | bool
  ansible.builtin.lineinfile:
    path: /mnt/etc/cryptsetup-initramfs/conf-hook
    regexp: "^KEYFILE_PATTERN="
    line: "KEYFILE_PATTERN=/etc/cryptsetup-keys.d/*.key"
    create: true
    mode: "0644"
 # --- mkinitcpio: systemd + sd-encrypt hooks ---
 - name: Configure mkinitcpio hooks for LUKS
  when: _initramfs_generator | default('') == 'mkinitcpio'
  ansible.builtin.lineinfile:
    path: /mnt/etc/mkinitcpio.conf
    regexp: "^HOOKS="
    line: >-
      HOOKS=(base systemd autodetect microcode modconf kms keyboard sd-vconsole
      block sd-encrypt{{ ' lvm2' if system_cfg.filesystem != 'btrfs' else '' }} filesystems fsck)
 - name: Read mkinitcpio configuration
  when: _initramfs_generator | default('') == 'mkinitcpio'
  ansible.builtin.slurp:
    src: /mnt/etc/mkinitcpio.conf
  register: configuration_mkinitcpio_slurp
 - name: Build mkinitcpio FILES list
  when: _initramfs_generator | default('') == 'mkinitcpio'
  vars:
    mkinitcpio_files_list: >-
      {{
        (
          configuration_mkinitcpio_slurp.content | b64decode
          | regex_findall('^FILES=\\(([^)]*)\\)', multiline=True)
          | default([])
          | first
          | default('')
        ).split()
      }}
    mkinitcpio_files_list_new: >-
      {{
        (
          (mkinitcpio_files_list + [configuration_luks_keyfile_path])
          if (configuration_luks_keyfile_in_use | default(false))
          else (
            mkinitcpio_files_list
            | reject('equalto', configuration_luks_keyfile_path)
            | list
          )
        )
        | unique
      }}
  ansible.builtin.set_fact:
    configuration_mkinitcpio_files_list_new: "{{ mkinitcpio_files_list_new }}"
 - name: Configure mkinitcpio FILES list
  when: _initramfs_generator | default('') == 'mkinitcpio'
  ansible.builtin.lineinfile:
    path: /mnt/etc/mkinitcpio.conf
    regexp: "^FILES="
    line: >-
      FILES=({{
        configuration_mkinitcpio_files_list_new | join(' ')
      }})
--- a/roles/configuration/tasks/encryption/initramfs_detect.yml
+++ b/roles/configuration/tasks/encryption/initramfs_detect.yml
@@ -0,0 +1,98 @@
 ---
 # Resolve initramfs generator and TPM2 unlock method.
 # Sets _initramfs_generator and _tpm2_method facts.
 #
 # Generator detection: derived from the platform's initramfs_cmd
 #   (dracut → dracut, mkinitcpio → mkinitcpio, else → initramfs-tools)
 # TPM2 method: systemd-cryptenroll when generator supports tpm2-device,
 #   clevis fallback otherwise. Non-native dracut installed automatically.
 - name: Resolve initramfs generator
  vars:
    _user_generator: "{{ system_cfg.features.initramfs.generator | default('') }}"
    _native_generator: >-
      {{
        'dracut' if _configuration_platform.initramfs_cmd is search('dracut')
        else ('mkinitcpio' if _configuration_platform.initramfs_cmd is search('mkinitcpio')
        else 'initramfs-tools')
      }}
  ansible.builtin.set_fact:
    _initramfs_generator: >-
      {{ _user_generator if _user_generator | length > 0 else _native_generator }}
    _initramfs_native_generator: "{{ _native_generator }}"
 # --- Install non-native dracut if overridden or needed ---
 - name: Install dracut in chroot when not native
  when:
    - _initramfs_generator == 'dracut'
    - _initramfs_native_generator != 'dracut'
  ansible.builtin.shell: >-
    {{ chroot_command }} sh -c '
      command -v apt >/dev/null 2>&1 && apt install -y dracut ||
      command -v pacman >/dev/null 2>&1 && pacman -S --noconfirm dracut ||
      command -v dnf >/dev/null 2>&1 && dnf install -y dracut
    '
  register: _dracut_install_result
  changed_when: _dracut_install_result.rc == 0
  failed_when: false
 - name: Override initramfs command to dracut
  when:
    - _initramfs_generator == 'dracut'
    - _initramfs_native_generator != 'dracut'
  vars:
    # Generate dracut initramfs with output name matching what GRUB expects:
    #   mkinitcpio native: /boot/initramfs-linux.img (Arch convention)
    #   initramfs-tools native: /boot/initrd.img-<kver> (Debian convention)
    _dracut_cmd: >-
      {{
        'bash -c "for kver in /lib/modules/*/; do kver=$(basename $kver); dracut --force /boot/initramfs-linux.img $kver; done"'
        if _initramfs_native_generator == 'mkinitcpio'
        else 'bash -c "for kver in /lib/modules/*/; do kver=$(basename $kver); dracut --force /boot/initrd.img-$kver $kver; done"'
      }}
  ansible.builtin.set_fact:
    _configuration_platform: >-
      {{ _configuration_platform | combine({'initramfs_cmd': _dracut_cmd}) }}
 # --- TPM2 method detection ---
 - name: Probe dracut for TPM2 module support
  when:
    - configuration_luks_auto_method == 'tpm2'
    - _initramfs_generator != 'mkinitcpio'
  ansible.builtin.command: "{{ chroot_command }} dracut --list-modules"
  register: _dracut_modules_check
  changed_when: false
  failed_when: false
 - name: Resolve TPM2 unlock method
  when: configuration_luks_auto_method == 'tpm2'
  vars:
    # mkinitcpio sd-encrypt supports tpm2-device natively
    # dracut with tpm2-tss module supports tpm2-device natively
    # everything else needs clevis
    _supports_tpm2_native: >-
      {{
        _initramfs_generator == 'mkinitcpio'
        or ('tpm2-tss' in (_dracut_modules_check.stdout | default('')))
      }}
  ansible.builtin.set_fact:
    _tpm2_method: "{{ 'systemd-cryptenroll' if _supports_tpm2_native | bool else 'clevis' }}"
 # --- Auto-upgrade to dracut when tpm2-tss available but generator isn't dracut ---
 - name: Switch to dracut for TPM2 support
  when:
    - configuration_luks_auto_method == 'tpm2'
    - _tpm2_method == 'systemd-cryptenroll'
    - _initramfs_generator not in ['dracut', 'mkinitcpio']
  vars:
    _dracut_cmd: >-
      bash -c "for kver in /lib/modules/*/; do kver=$(basename $kver); dracut --force /boot/initrd.img-$kver $kver; done"
  ansible.builtin.set_fact:
    _initramfs_generator: dracut
    _configuration_platform: >-
      {{ _configuration_platform | combine({'initramfs_cmd': _dracut_cmd}) }}
 - name: Report TPM2 configuration
  when: configuration_luks_auto_method == 'tpm2'
  ansible.builtin.debug:
    msg: "TPM2 unlock: {{ _tpm2_method | default('none') }} | initramfs: {{ _initramfs_generator }}"
--- a/roles/configuration/tasks/encryption/keyfile.yml
+++ b/roles/configuration/tasks/encryption/keyfile.yml
@@ -86,7 +86,6 @@
            device: "{{ configuration_luks_device }}"
            passphrase: "{{ configuration_luks_passphrase }}"
            new_keyfile: "/mnt{{ configuration_luks_keyfile_path }}"
          register: configuration_luks_addkey_retry
          failed_when: false
          no_log: true
--- a/roles/configuration/tasks/encryption/tpm2.yml
+++ b/roles/configuration/tasks/encryption/tpm2.yml
@@ -1,26 +1,35 @@
 ---
 # TPM2 enrollment via systemd-cryptenroll.
 # Works with dracut and mkinitcpio (sd-encrypt). The user-set passphrase
 # remains as a backup unlock method — no auto-generated keyfiles.
 - name: Enroll TPM2 for LUKS
  block:
    # Tempfile in chroot /tmp — accessible by both chroot and host commands
    - name: Create temporary passphrase file for TPM2 enrollment
      ansible.builtin.tempfile:
-        path: /mnt/tmp
+        path: /mnt/root
        prefix: luks-passphrase-
        state: file
-      register: configuration_luks_tpm2_passphrase_tempfile
+      register: _tpm2_passphrase_tempfile
-    - name: Write passphrase into temporary file for TPM2 enrollment
+    - name: Write passphrase into temporary file
      ansible.builtin.copy:
-        dest: "{{ configuration_luks_tpm2_passphrase_tempfile.path }}"
+        dest: "{{ _tpm2_passphrase_tempfile.path }}"
        content: "{{ configuration_luks_passphrase }}"
        owner: root
        group: root
        mode: "0600"
      no_log: true
-    - name: Enroll TPM2 token
+    - name: Ensure TPM device is accessible in chroot
      ansible.builtin.shell: >-
        ls /mnt/dev/tpmrm0 2>/dev/null
        || (ls /dev/tpmrm0 && cp -a /dev/tpmrm0 /mnt/dev/tpmrm0)
      changed_when: false
      failed_when: false
    - name: Enroll TPM2 token via systemd-cryptenroll
      vars:
-        configuration_luks_enroll_args: >-
+        _enroll_args: >-
          {{
            [
              '/usr/bin/systemd-cryptenroll',
@@ -28,70 +37,28 @@
              '--tpm2-with-pin=false',
              '--wipe-slot=tpm2',
              '--unlock-key-file=' + (
-                configuration_luks_tpm2_passphrase_tempfile.path
+                _tpm2_passphrase_tempfile.path | regex_replace('^/mnt', '')
                | regex_replace('^/mnt', '')
              )
            ]
            + (['--tpm2-pcrs=' + configuration_luks_tpm2_pcrs]
               if configuration_luks_tpm2_pcrs | length > 0 else [])
            + [configuration_luks_device]
          }}
-        configuration_luks_enroll_chroot_cmd: >-
+      ansible.builtin.command: "{{ chroot_command }} {{ _enroll_args | join(' ') }}"
-          {{ chroot_command }} {{ configuration_luks_enroll_args | join(' ') }}
+      register: _tpm2_enroll_result
-      ansible.builtin.command: "{{ configuration_luks_enroll_chroot_cmd }}"
+      changed_when: _tpm2_enroll_result.rc == 0
      register: configuration_luks_tpm2_enroll_chroot
      changed_when: configuration_luks_tpm2_enroll_chroot.rc == 0
      failed_when: false
    - name: Retry TPM2 enrollment in installer environment
      when:
        - (configuration_luks_tpm2_enroll_chroot.rc | default(1)) != 0
      vars:
        configuration_luks_enroll_args: >-
          {{
            [
              '/usr/bin/systemd-cryptenroll',
              '--tpm2-device=' + configuration_luks_tpm2_device,
              '--tpm2-with-pin=false',
              '--wipe-slot=tpm2',
              '--unlock-key-file=' + configuration_luks_tpm2_passphrase_tempfile.path
            ]
            + (['--tpm2-pcrs=' + configuration_luks_tpm2_pcrs]
               if configuration_luks_tpm2_pcrs | length > 0 else [])
            + [configuration_luks_device]
          }}
      ansible.builtin.command:
        argv: "{{ configuration_luks_enroll_args }}"
      register: configuration_luks_tpm2_enroll_host
      changed_when: configuration_luks_tpm2_enroll_host.rc == 0
      failed_when: false
    - name: Validate TPM2 enrollment succeeded
      ansible.builtin.assert:
        that:
          - >-
            (configuration_luks_tpm2_enroll_chroot.rc | default(1)) == 0
            or (configuration_luks_tpm2_enroll_host.rc | default(1)) == 0
        fail_msg: >-
          TPM2 enrollment failed.
          chroot rc={{ configuration_luks_tpm2_enroll_chroot.rc | default('n/a') }},
          host rc={{ configuration_luks_tpm2_enroll_host.rc | default('n/a') }},
          chroot stderr={{ configuration_luks_tpm2_enroll_chroot.stderr | default('') }},
          host stderr={{ configuration_luks_tpm2_enroll_host.stderr | default('') }}
  rescue:
-    - name: Warn about TPM2 enrollment failure
+    - name: TPM2 enrollment failed
-      ansible.builtin.fail:
+      ansible.builtin.debug:
        msg: >-
-          WARNING: TPM2 enrollment failed — falling back to keyfile auto-decrypt.
+          TPM2 enrollment failed: {{ _tpm2_enroll_result.stderr | default('unknown') }}.
-          The system will use a keyfile instead of TPM2 for automatic LUKS unlock.
+          The system will require the passphrase for LUKS unlock on boot.
-      ignore_errors: true
+          TPM2 can be enrolled post-deployment via: systemd-cryptenroll --tpm2-device=auto {{ configuration_luks_device }}
    - name: Fallback to keyfile auto-decrypt
      ansible.builtin.set_fact:
        configuration_luks_auto_method: keyfile
  always:
-    - name: Remove TPM2 enrollment passphrase file
+    - name: Remove temporary passphrase file
-      when: configuration_luks_tpm2_passphrase_tempfile.path is defined
+      when: _tpm2_passphrase_tempfile.path is defined
      ansible.builtin.file:
-        path: "{{ configuration_luks_tpm2_passphrase_tempfile.path }}"
+        path: "{{ _tpm2_passphrase_tempfile.path }}"
        state: absent
--- a/roles/configuration/tasks/extras.yml
+++ b/roles/configuration/tasks/extras.yml
@@ -1,7 +1,7 @@
 ---
 - name: Append vim configurations to vimrc
  ansible.builtin.blockinfile:
-    path: "{{ '/mnt/etc/vim/vimrc' if is_debian | bool else '/mnt/etc/vimrc' }}"
+    path: "{{ '/mnt/etc/vim/vimrc' if os_family == 'Debian' else '/mnt/etc/vimrc' }}"
    block: |
      set encoding=utf-8
      set number
@@ -9,7 +9,7 @@
      set smartindent
      set mouse=a
    insertafter: EOF
-    marker: "# {mark} CUSTOM VIM CONFIG"
+    marker: "\" {mark} CUSTOM VIM CONFIG"
  failed_when: false
 # Tuned for VM workloads: low swappiness, aggressive writeback, large page-cluster
--- a/roles/configuration/tasks/grub.yml
+++ b/roles/configuration/tasks/grub.yml
@@ -1,6 +1,6 @@
 ---
 - name: Configure grub defaults
-  when: not is_rhel | bool
+  when: os_family != 'RedHat'
  ansible.builtin.lineinfile:
    dest: /mnt/etc/default/grub
    regexp: "{{ item.regexp }}"
@@ -14,7 +14,7 @@
    label: "{{ item.line }}"
 - name: Ensure grub defaults file exists for RHEL-based systems
-  when: is_rhel | bool
+  when: os_family == 'RedHat'
  block:
    - name: Build RHEL kernel command line defaults
      vars:
@@ -96,22 +96,10 @@
        mode: "0644"
        content: "{{ configuration_kernel_cmdline_base }}\n"
-    - name: Find BLS entries for GRUB configuration
+    - name: Update BLS entries with kernel cmdline defaults
-      ansible.builtin.find:
+      vars:
-        paths: /mnt/boot/loader/entries
+        _bls_cmdline: "{{ configuration_kernel_cmdline_base }}"
-        patterns: "*.conf"
+      ansible.builtin.include_tasks: _bls_update.yml
      register: configuration_grub_bls_entries
      changed_when: false
    - name: Update BLS options with kernel cmdline defaults
      when: configuration_grub_bls_entries.files | length > 0
      ansible.builtin.lineinfile:
        path: "{{ item.path }}"
        regexp: "^options "
        line: "options {{ configuration_kernel_cmdline_base }}"
      loop: "{{ configuration_grub_bls_entries.files }}"
      loop_control:
        label: "{{ item.path }}"
 - name: Enable GRUB cryptodisk for encrypted /boot
  when: partitioning_grub_enable_cryptodisk | bool
--- a/roles/configuration/tasks/locales.yml
+++ b/roles/configuration/tasks/locales.yml
@@ -14,7 +14,7 @@
 - name: Setup locales
  block:
    - name: Configure locale.gen
-      when: not is_rhel | bool
+      when: _configuration_platform.locale_gen
      ansible.builtin.lineinfile:
        dest: /mnt/etc/locale.gen
        regexp: "{{ item.regex }}"
@@ -25,7 +25,7 @@
        label: "{{ item.line }}"
    - name: Generate locales
-      when: not is_rhel | bool
+      when: _configuration_platform.locale_gen
      ansible.builtin.command: "{{ chroot_command }} /usr/sbin/locale-gen"
      register: configuration_locale_result
      changed_when: configuration_locale_result.rc == 0
--- a/roles/configuration/tasks/main.yml
+++ b/roles/configuration/tasks/main.yml
@@ -1,8 +1,13 @@
 ---
 - name: Resolve platform configuration
  ansible.builtin.import_tasks: _resolve_platform.yml
 - name: Include configuration tasks
  when: configuration_task.when | default(true)
  ansible.builtin.include_tasks: "{{ configuration_task.file }}"
  loop:
    - file: repositories.yml
      when: "{{ os_family == 'Debian' }}"
    - file: banner.yml
    - file: fstab.yml
    - file: locales.yml
@@ -12,12 +17,14 @@
    - file: encryption.yml
      when: "{{ system_cfg.luks.enabled | bool }}"
    - file: bootloader.yml
    - file: secure_boot.yml
      when: "{{ system_cfg.features.secure_boot.enabled | bool }}"
    - file: extras.yml
    - file: network.yml
    - file: users.yml
    - file: sudo.yml
    - file: selinux.yml
-      when: "{{ is_rhel | bool }}"
+      when: "{{ os_family == 'RedHat' }}"
  loop_control:
    loop_var: configuration_task
    label: "{{ configuration_task.file }}"
--- a/roles/configuration/tasks/network.yml
+++ b/roles/configuration/tasks/network.yml
@@ -29,9 +29,10 @@
      - configuration_detected_interfaces | length > 0
    fail_msg: Failed to detect any network interfaces.
 - name: Set DNS configuration facts
  ansible.builtin.set_fact:
    configuration_dns_list: "{{ system_cfg.network.dns.servers }}"
    configuration_dns_search: "{{ system_cfg.network.dns.search }}"
 - name: Configure networking
  vars:
    configuration_network_task_map:
      alpine: network_alpine.yml
      void: network_void.yml
  ansible.builtin.include_tasks: "{{ configuration_network_task_map[os] | default('network_nm.yml') }}"
--- a/roles/configuration/tasks/network_alpine.yml
+++ b/roles/configuration/tasks/network_alpine.yml
@@ -1,7 +1,5 @@
 ---
 - name: Write Alpine network interfaces
  vars:
    configuration_dns_list: "{{ system_cfg.network.dns.servers | default([]) }}"
  ansible.builtin.copy:
    dest: /mnt/etc/network/interfaces
    mode: "0644"
@@ -25,9 +23,6 @@
      {% endfor %}
 - name: Set Alpine DNS resolvers
  vars:
    configuration_dns_list: "{{ system_cfg.network.dns.servers | default([]) }}"
    configuration_dns_search: "{{ system_cfg.network.dns.search | default([]) }}"
  when: configuration_dns_list | length > 0 or configuration_dns_search | length > 0
  ansible.builtin.copy:
    dest: /mnt/etc/resolv.conf
--- a/roles/configuration/tasks/network_void.yml
+++ b/roles/configuration/tasks/network_void.yml
@@ -1,8 +1,5 @@
 ---
 - name: Write dhcpcd configuration
  vars:
    configuration_dns_list: "{{ system_cfg.network.dns.servers | default([]) }}"
    configuration_dns_search: "{{ system_cfg.network.dns.search | default([]) }}"
  ansible.builtin.copy:
    dest: /mnt/etc/dhcpcd.conf
    mode: "0644"
--- a/roles/configuration/tasks/repositories.yml
+++ b/roles/configuration/tasks/repositories.yml
@@ -0,0 +1,25 @@
 ---
 - name: Write final sources.list
  vars:
    _debian_release_map:
      "10": buster
      "11": bullseye
      "12": bookworm
      "13": trixie
      unstable: sid
    _ubuntu_release_map:
      ubuntu: questing
      ubuntu-lts: noble
  ansible.builtin.template:
    src: "{{ os | replace('-lts', '') }}.sources.list.j2"
    dest: /mnt/etc/apt/sources.list
    mode: "0644"
 - name: Ensure apt performance configuration persists
  ansible.builtin.copy:
    dest: /mnt/etc/apt/apt.conf.d/99performance
    content: |
      Acquire::Retries "3";
      Acquire::http::Pipeline-Depth "10";
      APT::Install-Recommends "false";
    mode: "0644"
--- a/roles/configuration/tasks/secure_boot.yml
+++ b/roles/configuration/tasks/secure_boot.yml
@@ -0,0 +1,8 @@
 ---
 - name: Configure shim-based Secure Boot
  when: os != 'archlinux'
  ansible.builtin.include_tasks: secure_boot/shim.yml
 - name: Configure sbctl Secure Boot
  when: os == 'archlinux'
  ansible.builtin.include_tasks: secure_boot/sbctl.yml
--- a/roles/configuration/tasks/secure_boot/sbctl.yml
+++ b/roles/configuration/tasks/secure_boot/sbctl.yml
@@ -0,0 +1,115 @@
 ---
 - name: Configure sbctl Secure Boot
  block:
    - name: Create Secure Boot signing keys
      ansible.builtin.command: "{{ chroot_command }} sbctl create-keys"
      register: _sbctl_create_keys
      changed_when: _sbctl_create_keys.rc == 0
      failed_when:
        - _sbctl_create_keys.rc != 0
        - "'already exists' not in (_sbctl_create_keys.stderr | default(''))"
    - name: Enroll Secure Boot keys in firmware
      ansible.builtin.command: "{{ chroot_command }} sbctl enroll-keys --microsoft"
      register: _sbctl_enroll
      changed_when: _sbctl_enroll.rc == 0
      failed_when: false
    - name: Install first-boot enrollment service if chroot enrollment failed
      when: _sbctl_enroll.rc | default(1) != 0
      block:
        - name: Create first-boot sbctl enrollment service
          ansible.builtin.copy:
            dest: /mnt/etc/systemd/system/sbctl-enroll.service
            mode: "0644"
            content: |
              [Unit]
              Description=Enroll Secure Boot keys via sbctl
              ConditionPathExists=!/var/lib/sbctl/.enrolled
              After=local-fs.target
              [Service]
              Type=oneshot
              ExecStart=/usr/bin/sbctl enroll-keys --microsoft
              ExecStartPost=/usr/bin/touch /var/lib/sbctl/.enrolled
              RemainAfterExit=yes
              [Install]
              WantedBy=multi-user.target
        - name: Enable first-boot enrollment service
          ansible.builtin.command: "{{ chroot_command }} systemctl enable sbctl-enroll.service"
          register: _sbctl_service_enable
          changed_when: _sbctl_service_enable.rc == 0
    - name: Find kernel images to sign
      ansible.builtin.find:
        paths: /mnt/boot
        patterns: "vmlinuz-*"
        file_type: file
      register: _sbctl_kernel_images
    - name: Sign kernel images
      ansible.builtin.command: >-
        {{ chroot_command }} sbctl sign -s {{ item.path | regex_replace('^/mnt', '') }}
      loop: "{{ _sbctl_kernel_images.files }}"
      loop_control:
        label: "{{ item.path | basename }}"
      register: _sbctl_sign_kernel
      changed_when: _sbctl_sign_kernel.rc == 0
      failed_when: false
    - name: Sign GRUB EFI binary
      vars:
        _grub_efi_path: "{{ partitioning_efi_mountpoint }}/EFI/archlinux/grubx64.efi"
      ansible.builtin.command: >-
        {{ chroot_command }} sbctl sign -s {{ _grub_efi_path }}
      register: _sbctl_sign_grub
      changed_when: _sbctl_sign_grub.rc == 0
      failed_when: false
    - name: Ensure pacman hooks directory exists
      ansible.builtin.file:
        path: /mnt/etc/pacman.d/hooks
        state: directory
        mode: "0755"
    - name: Install sbctl auto-signing pacman hook
      ansible.builtin.copy:
        dest: /mnt/etc/pacman.d/hooks/99-sbctl-sign.hook
        mode: "0644"
        content: |
          [Trigger]
          Operation = Install
          Operation = Upgrade
          Type = Path
          Target = boot/vmlinuz-*
          Target = usr/lib/modules/*/vmlinuz
          [Action]
          Description = Signing kernel images for Secure Boot...
          When = PostTransaction
          Exec = /usr/bin/sbctl sign-all
          Depends = sbctl
    - name: Verify sbctl signing status
      ansible.builtin.command: "{{ chroot_command }} sbctl verify"
      register: _sbctl_verify
      changed_when: false
      failed_when: false
    - name: Report sbctl Secure Boot status
      ansible.builtin.debug:
        msg: >-
          Secure Boot (sbctl):
          Enrollment={{ 'done' if (_sbctl_enroll.rc | default(1)) == 0 else 'deferred to first boot' }}.
          {{ _sbctl_verify.stdout | default('Verify not available') }}
  rescue:
    - name: Secure Boot setup failed
      ansible.builtin.debug:
        msg: >-
          sbctl Secure Boot setup failed.
          On VMs make sure the OVMF firmware is in Setup Mode (fresh NVRAM).
          On bare metal enter the firmware setup and switch to Setup Mode first.
          To recover manually: sbctl create-keys && sbctl enroll-keys --microsoft && sbctl sign-all
--- a/roles/configuration/tasks/secure_boot/shim.yml
+++ b/roles/configuration/tasks/secure_boot/shim.yml
@@ -0,0 +1,45 @@
 ---
 - name: Configure shim-based Secure Boot
  vars:
    _efi_vendor: >-
      {{
        "redhat" if os == "rhel"
        else ("ubuntu" if os in ["ubuntu", "ubuntu-lts"] else os)
      }}
  block:
    - name: Find shim binary in target system
      ansible.builtin.shell:
        cmd: >-
          set -o pipefail &&
          {{ chroot_command }} find /usr/lib/shim /boot/efi/EFI
          \( -name 'shimx64.efi.signed.latest' -o -name 'shimx64.efi.dualsigned'
          -o -name 'shimx64.efi.signed' -o -name 'shimx64.efi' \)
          -type f | sort -r | head -1
        executable: /bin/bash
      register: _shim_find_result
      changed_when: false
      failed_when: false
    - name: Copy shim to EFI vendor directory
      when:
        - _shim_find_result.stdout | default('') | length > 0
        - _configuration_platform.grub_install | bool
      ansible.builtin.command: >-
        cp /mnt{{ _shim_find_result.stdout_lines | first }}
        /mnt{{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/shimx64.efi
      register: _shim_copy_result
      changed_when: _shim_copy_result.rc == 0
    - name: Verify shim is present
      ansible.builtin.stat:
        path: "/mnt{{ partitioning_efi_mountpoint }}/EFI/{{ _efi_vendor }}/shimx64.efi"
      register: _shim_stat
    - name: Report Secure Boot status
      ansible.builtin.debug:
        msg: >-
          Secure Boot (shim): {{
            'shimx64.efi installed at ' ~ partitioning_efi_mountpoint ~ '/EFI/' ~ _efi_vendor
            if (_shim_stat.stat.exists | default(false))
            else 'shimx64.efi not found, shim package may handle placement on first boot'
          }}
--- a/roles/configuration/tasks/selinux.yml
+++ b/roles/configuration/tasks/selinux.yml
@@ -1,6 +1,6 @@
 ---
 - name: Fix SELinux
-  when: is_rhel | bool
+  when: os_family == 'RedHat'
  block:
    - name: Fix SELinux by pre-labeling the filesystem before first boot
      when: os in ['almalinux', 'rocky', 'rhel'] and system_cfg.features.selinux.enabled | bool
--- a/roles/configuration/tasks/services.yml
+++ b/roles/configuration/tasks/services.yml
@@ -1,22 +1,47 @@
 ---
 - name: Enable systemd services
-  when: os not in ['alpine', 'void']
+  when: _configuration_platform.init_system == 'systemd'
  vars:
    _desktop_dm: >-
      {{
        system_cfg.features.desktop.display_manager
        if (system_cfg.features.desktop.display_manager | length > 0)
        else (configuration_desktop_dm_map[system_cfg.features.desktop.environment] | default(''))
      }}
    configuration_systemd_services: >-
      {{
        ['NetworkManager']
        + (['firewalld'] if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else [])
        + (['ufw'] if system_cfg.features.firewall.backend == 'ufw' and system_cfg.features.firewall.enabled | bool else [])
-        + ([('ssh' if is_debian | bool else 'sshd')] if system_cfg.features.ssh.enabled | bool else [])
+        + ([_configuration_platform.ssh_service] if system_cfg.features.ssh.enabled | bool else [])
        + (['logrotate', 'systemd-timesyncd'] if os == 'archlinux' else [])
        + ([_desktop_dm] if system_cfg.features.desktop.enabled | bool and _desktop_dm | length > 0 else [])
        + (['bluetooth'] if system_cfg.features.desktop.enabled | bool else [])
      }}
  ansible.builtin.command: "{{ chroot_command }} systemctl enable {{ item }}"
  loop: "{{ configuration_systemd_services }}"
  register: configuration_enable_service_result
  changed_when: configuration_enable_service_result.rc == 0
 - name: Activate UFW firewall
  when:
    - system_cfg.features.firewall.backend == 'ufw'
    - system_cfg.features.firewall.enabled | bool
  ansible.builtin.command: "{{ chroot_command }} ufw --force enable"
  register: _ufw_enable_result
  changed_when: _ufw_enable_result.rc == 0
  failed_when: false
 - name: Set default systemd target to graphical
  when:
    - _configuration_platform.init_system == 'systemd'
    - system_cfg.features.desktop.enabled | bool
  ansible.builtin.command: "{{ chroot_command }} systemctl set-default graphical.target"
  register: _desktop_target_result
  changed_when: _desktop_target_result.rc == 0
 - name: Enable OpenRC services
-  when: os == 'alpine'
+  when: _configuration_platform.init_system == 'openrc'
  vars:
    configuration_openrc_services: >-
      {{
@@ -48,7 +73,7 @@
      when: item.stat.exists
 - name: Enable runit services
-  when: os == 'void'
+  when: _configuration_platform.init_system == 'runit'
  vars:
    configuration_runit_services: >-
      {{
--- a/roles/configuration/tasks/sudo.yml
+++ b/roles/configuration/tasks/sudo.yml
@@ -9,21 +9,21 @@
 - name: Give sudo access to wheel group
  ansible.builtin.copy:
-    content: "{{ '%sudo ALL=(ALL) ALL\n' if is_debian | bool else '%wheel ALL=(ALL) ALL\n' }}"
+    content: "{{ _configuration_platform.sudo_group }} ALL=(ALL) ALL\n"
    dest: /mnt/etc/sudoers.d/01-wheel
    mode: "0440"
    validate: /usr/sbin/visudo --check --file=%s
 - name: Deploy per-user sudoers rules
-  when: item.sudo | default(false)
+  when: item.value.sudo is defined and (item.value.sudo | string | length > 0)
  vars:
    configuration_sudoers_rule: >-
-      {{ item.sudo if item.sudo is string else 'ALL=(ALL) NOPASSWD: ALL' }}
+      {{ item.value.sudo if item.value.sudo is string else 'ALL=(ALL) NOPASSWD: ALL' }}
  ansible.builtin.copy:
-    content: "{{ item.name }} {{ configuration_sudoers_rule }}\n"
+    content: "{{ item.key }} {{ configuration_sudoers_rule }}\n"
-    dest: "/mnt/etc/sudoers.d/{{ item.name }}"
+    dest: "/mnt/etc/sudoers.d/{{ item.key }}"
    mode: "0440"
    validate: /usr/sbin/visudo --check --file=%s
-  loop: "{{ system_cfg.users }}"
+  loop: "{{ system_cfg.users | dict2items }}"
  loop_control:
-    label: "{{ item.name }}"
+    label: "{{ item.key }}"
--- a/roles/configuration/tasks/users.yml
+++ b/roles/configuration/tasks/users.yml
@@ -1,5 +1,6 @@
 ---
 - name: Set root password
  when: (system_cfg.root.password | default('') | string | length) > 0
  ansible.builtin.shell: >-
    set -o pipefail &&
    echo 'root:{{ system_cfg.root.password | password_hash("sha512") }}' | {{ chroot_command }} /usr/sbin/chpasswd -e
@@ -9,54 +10,59 @@
  changed_when: configuration_root_result.rc == 0
  no_log: true
 - name: Lock root account when no password is set
  when: (system_cfg.root.password | default('') | string | length) == 0
  ansible.builtin.command: >-
    {{ chroot_command }} /usr/bin/passwd -l root
  register: configuration_root_lock_result
  changed_when: configuration_root_lock_result.rc == 0
 - name: Set root shell
  ansible.builtin.command: >-
-    {{ chroot_command }} /usr/sbin/usermod --shell {{ system_cfg.root.shell | default('/bin/bash') }} root
+    {{ chroot_command }} /usr/sbin/usermod --shell {{ system_cfg.root.shell }} root
  register: configuration_root_shell_result
  changed_when: configuration_root_shell_result.rc == 0
 - name: Create user accounts
  vars:
-    configuration_user_group: >-
+    configuration_user_group: "{{ _configuration_platform.user_group }}"
      {{ "sudo" if is_debian | bool else "wheel" }}
    # UID starts at 1000; safe for fresh installs only
    configuration_useradd_cmd: >-
      {{ chroot_command }} /usr/sbin/useradd --create-home --user-group
-      --uid {{ 1000 + ansible_loop.index0 }}
+      --uid {{ 1000 + _idx }}
-      --groups {{ configuration_user_group }} {{ item.name }}
+      --groups {{ configuration_user_group }} {{ item.key }}
-      --password {{ item.password | password_hash('sha512') }} --shell {{ item.shell | default('/bin/bash') }}
+      {{ ('--password ' ~ (item.value.password | password_hash('sha512'))) if (item.value.password | default('') | string | length > 0) else '' }}
      --shell {{ item.value.shell | default('/bin/bash') }}
  ansible.builtin.command: "{{ configuration_useradd_cmd }}"
-  loop: "{{ system_cfg.users }}"
+  loop: "{{ system_cfg.users | dict2items }}"
  loop_control:
-    extended: true
+    index_var: _idx
-    label: "{{ item.name }}"
+    label: "{{ item.key }}"
  register: configuration_user_result
  changed_when: configuration_user_result.rc == 0
  no_log: true
 - name: Ensure .ssh directory exists
-  when: item['keys'] | default([]) | length > 0
+  when: (item.value['keys'] | default([]) | length) > 0
  ansible.builtin.file:
-    path: "/mnt/home/{{ item.name }}/.ssh"
+    path: "/mnt/home/{{ item.key }}/.ssh"
    state: directory
-    owner: "{{ 1000 + ansible_loop.index0 }}"
+    owner: "{{ 1000 + _idx }}"
-    group: "{{ 1000 + ansible_loop.index0 }}"
+    group: "{{ 1000 + _idx }}"
    mode: "0700"
-  loop: "{{ system_cfg.users }}"
+  loop: "{{ system_cfg.users | dict2items }}"
  loop_control:
-    extended: true
+    index_var: _idx
-    label: "{{ item.name }}"
+    label: "{{ item.key }}"
- name: Add SSH public keys to authorized_keys
+- name: Deploy SSH authorized_keys
-  vars:
+  when: (item.value['keys'] | default([]) | length) > 0
-    configuration_uid: "{{ 1000 + (system_cfg.users | map(attribute='name') | list).index(item.0.name) }}"
+  ansible.builtin.copy:
-  ansible.builtin.lineinfile:
+    content: "{{ item.value['keys'] | join('\n') }}\n"
-    path: "/mnt/home/{{ item.0.name }}/.ssh/authorized_keys"
+    dest: "/mnt/home/{{ item.key }}/.ssh/authorized_keys"
-    line: "{{ item.1 }}"
+    owner: "{{ 1000 + _idx }}"
-    owner: "{{ configuration_uid }}"
+    group: "{{ 1000 + _idx }}"
    group: "{{ configuration_uid }}"
    mode: "0600"
-    create: true
+  loop: "{{ system_cfg.users | dict2items }}"
  loop: "{{ system_cfg.users | subelements('keys', skip_missing=True) }}"
  loop_control:
-    label: "{{ item.0.name }}: {{ item.1[:40] }}..."
+    index_var: _idx
    label: "{{ item.key }}"
--- a/roles/configuration/templates/debian.sources.list.j2
+++ b/roles/configuration/templates/debian.sources.list.j2
@@ -0,0 +1,15 @@
 # Managed by Ansible.
 {% set release = _debian_release_map[os_version | string] | default('trixie') %}
 {% set mirror = system_cfg.mirror %}
 {% set components = 'main contrib non-free' ~ (' non-free-firmware' if (os_version | string) not in ['10', '11'] else '') %}
 deb {{ mirror }} {{ release }} {{ components }}
 deb-src {{ mirror }} {{ release }} {{ components }}
 {% if release != 'sid' %}
 deb https://security.debian.org/debian-security {{ release }}-security {{ components }}
 deb-src https://security.debian.org/debian-security {{ release }}-security {{ components }}
 deb {{ mirror }} {{ release }}-updates {{ components }}
 deb-src {{ mirror }} {{ release }}-updates {{ components }}
 {% endif %}
--- a/roles/configuration/templates/network.j2
+++ b/roles/configuration/templates/network.j2
@@ -9,8 +9,8 @@ interface-name={{ configuration_iface_name }}
 [ipv4]
 {% set iface = configuration_iface %}
-{% set dns_list = system_cfg.network.dns.servers | default([]) %}
+{% set dns_list = configuration_dns_list %}
-{% set search_list = system_cfg.network.dns.search | default([]) %}
+{% set search_list = configuration_dns_search %}
 {% if iface.ip | default('') | string | length %}
 address1={{ iface.ip }}/{{ iface.prefix }}{{ (',' ~ iface.gateway) if (iface.gateway | default('') | string | length) else '' }}
 method=manual
--- a/roles/configuration/templates/ubuntu.sources.list.j2
+++ b/roles/configuration/templates/ubuntu.sources.list.j2
@@ -0,0 +1,16 @@
 # Managed by Ansible.
 {% set release = _ubuntu_release_map[os] | default('noble') %}
 {% set mirror = system_cfg.mirror %}
 {% set components = 'main restricted universe multiverse' %}
 deb {{ mirror }} {{ release }} {{ components }}
 deb-src {{ mirror }} {{ release }} {{ components }}
 deb {{ mirror }} {{ release }}-updates {{ components }}
 deb-src {{ mirror }} {{ release }}-updates {{ components }}
 deb {{ mirror }} {{ release }}-security {{ components }}
 deb-src {{ mirror }} {{ release }}-security {{ components }}
 deb {{ mirror }} {{ release }}-backports {{ components }}
 deb-src {{ mirror }} {{ release }}-backports {{ components }}
--- a/roles/configuration/vars/main.yml
+++ b/roles/configuration/vars/main.yml
@@ -0,0 +1,79 @@
 ---
 # Platform-specific configuration values keyed by os_family.
 # Consumed as _configuration_platform in tasks via:
 #   configuration_platform_config[os_family]
 configuration_platform_config:
  RedHat:
    user_group: wheel
    sudo_group: "%wheel"
    ssh_service: sshd
    efi_loader: shimx64.efi
    grub_install: false
    initramfs_cmd: "/usr/bin/dracut --regenerate-all --force"
    grub_mkconfig_prefix: grub2-mkconfig
    locale_gen: false
    init_system: systemd
  Debian:
    user_group: sudo
    sudo_group: "%sudo"
    ssh_service: ssh
    efi_loader: grubx64.efi
    grub_install: true
    initramfs_cmd: >-
      /usr/bin/env PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
      /usr/sbin/update-initramfs -u -k all
    grub_mkconfig_prefix: grub-mkconfig
    locale_gen: true
    init_system: systemd
  Archlinux:
    user_group: wheel
    sudo_group: "%wheel"
    ssh_service: sshd
    efi_loader: grubx64.efi
    grub_install: true
    initramfs_cmd: "/usr/sbin/mkinitcpio -P"
    grub_mkconfig_prefix: grub-mkconfig
    locale_gen: true
    init_system: systemd
  Suse:
    user_group: wheel
    sudo_group: "%wheel"
    ssh_service: sshd
    efi_loader: grubx64.efi
    grub_install: true
    initramfs_cmd: "/usr/bin/dracut --regenerate-all --force"
    grub_mkconfig_prefix: grub-mkconfig
    locale_gen: true
    init_system: systemd
  Alpine:
    user_group: wheel
    sudo_group: "%wheel"
    ssh_service: sshd
    efi_loader: grubx64.efi
    grub_install: true
    initramfs_cmd: ""
    grub_mkconfig_prefix: grub-mkconfig
    locale_gen: false
    init_system: openrc
  Void:
    user_group: wheel
    sudo_group: "%wheel"
    ssh_service: sshd
    efi_loader: grubx64.efi
    grub_install: true
    initramfs_cmd: ""
    grub_mkconfig_prefix: grub-mkconfig
    locale_gen: false
    init_system: runit
 # Display manager auto-detection from desktop environment name.
 configuration_desktop_dm_map:
  gnome: gdm
  kde: sddm
  xfce: lightdm
  sway: greetd
  hyprland: ly@tty2
  cinnamon: lightdm
  mate: lightdm
  lxqt: sddm
  budgie: gdm
--- a/roles/environment/defaults/main.yml
+++ b/roles/environment/defaults/main.yml
@@ -0,0 +1,10 @@
 ---
 # Connection and timing
 environment_wait_timeout: 180
 environment_wait_delay: 5
 # Pacman installer settings
 environment_parallel_downloads: 20
 environment_pacman_lock_timeout: 120
 environment_pacman_retries: 4
 environment_pacman_retry_delay: 15
--- a/roles/environment/tasks/_configure_network.yml
+++ b/roles/environment/tasks/_configure_network.yml
@@ -13,6 +13,14 @@
        | default('')
      }}
 - name: Bring up network interface
  when:
    - hypervisor_type == "vmware"
    - environment_interface_name | default('') | length > 0
  ansible.builtin.command: "ip link set {{ environment_interface_name }} up"
  register: environment_link_result
  changed_when: environment_link_result.rc == 0
 - name: Set IP-Address
  when:
    - hypervisor_type == "vmware"
@@ -32,13 +40,31 @@
  register: environment_gateway_result
  changed_when: environment_gateway_result.rc == 0
 - name: Configure DNS resolvers
  when:
    - hypervisor_type == "vmware"
    - system_cfg.network.dns.servers | default([]) | length > 0
  ansible.builtin.copy:
    dest: /etc/resolv.conf
    content: |
      {% for server in system_cfg.network.dns.servers %}
      nameserver {{ server }}
      {% endfor %}
      {% if system_cfg.network.dns.search | default([]) | length > 0 %}
      search {{ system_cfg.network.dns.search | join(' ') }}
      {% endif %}
    mode: "0644"
 - name: Synchronize clock via NTP
  ansible.builtin.command: timedatectl set-ntp true
  register: environment_ntp_result
  changed_when: environment_ntp_result.rc == 0
 - name: Configure SSH for root login
-  when: hypervisor_type == "vmware" and hypervisor_cfg.ssh | bool
+  when:
    - hypervisor_type == "vmware"
    - hypervisor_cfg.ssh | default(false) | bool
    - system_cfg.network.ip is defined and system_cfg.network.ip | string | length > 0
  block:
    - name: Allow login
      ansible.builtin.replace:
@@ -58,7 +84,19 @@
        name: sshd
        state: reloaded
-    - name: Set SSH connection for VMware
+    - name: Switch to SSH connection
      ansible.builtin.set_fact:
        ansible_connection: ssh
        ansible_host: "{{ system_cfg.network.ip }}"
        ansible_port: 22
        ansible_user: root
        ansible_password: ""
        ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
    - name: Reset connection for SSH switchover
      ansible.builtin.meta: reset_connection
    - name: Verify SSH connectivity
      ansible.builtin.wait_for_connection:
        timeout: 30
        delay: 2
--- a/roles/environment/tasks/_detect_live.yml
+++ b/roles/environment/tasks/_detect_live.yml
@@ -1,8 +1,8 @@
 ---
 - name: Wait for connection
  ansible.builtin.wait_for_connection:
-    timeout: 180
+    timeout: "{{ environment_wait_timeout }}"
-    delay: 5
+    delay: "{{ environment_wait_delay }}"
 - name: Gather facts
  ansible.builtin.setup:
@@ -68,6 +68,23 @@
      Boot from a live installer (Arch, Debian, Ubuntu, etc.) and retry.
    quiet: true
 - name: Harden sshd for Ansible automation
  ansible.builtin.blockinfile:
    path: /etc/ssh/sshd_config
    marker: "# {mark} BOOTSTRAP ANSIBLE SETTINGS"
    block: |
      PerSourcePenalties no
      MaxStartups 50:30:100
      ClientAliveInterval 30
      ClientAliveCountMax 10
  register: _sshd_config_result
 - name: Restart sshd immediately if config was changed
  when: _sshd_config_result is changed
  ansible.builtin.service:
    name: sshd
    state: restarted
 - name: Abort if the host is not booted from the Arch install media
  when:
    - not (custom_iso | bool)
--- a/roles/environment/tasks/_prepare_installer.yml
+++ b/roles/environment/tasks/_prepare_installer.yml
@@ -4,14 +4,14 @@
  ansible.builtin.lineinfile:
    path: /etc/pacman.conf
    regexp: ^#ParallelDownloads =
-    line: ParallelDownloads = 20
+    line: "ParallelDownloads = {{ environment_parallel_downloads }}"
 - name: Wait for pacman lock to be released
  when: not (custom_iso | bool)
  ansible.builtin.wait_for:
    path: /var/lib/pacman/db.lck
    state: absent
-    timeout: 120
+    timeout: "{{ environment_pacman_lock_timeout }}"
  changed_when: false
 - name: Setup Pacman
@@ -25,14 +25,15 @@
    state: latest
  loop:
    - { name: glibc }
    - { name: lua, os: [almalinux, fedora, rhel, rocky] }
    - { name: dnf, os: [almalinux, fedora, rhel, rocky] }
    - { name: debootstrap, os: [debian, ubuntu, ubuntu-lts] }
    - { name: debian-archive-keyring, os: [debian] }
    - { name: ubuntu-keyring, os: [ubuntu, ubuntu-lts] }
  loop_control:
    label: "{{ item.name }}"
-  retries: 4
+  retries: "{{ environment_pacman_retries }}"
-  delay: 15
+  delay: "{{ environment_pacman_retry_delay }}"
 - name: Prepare /iso mount and repository for RHEL-based systems
  when: os == "rhel"
@@ -79,6 +80,13 @@
 # bootstrapping RHEL-family distros from the Arch ISO, where the
 # host rpm/dnf does not trust target distro GPG keys. Package
 # integrity is verified by the target system's own rpm after reboot.
 - name: Create RPM macros directory
  when: is_rhel | bool
  ansible.builtin.file:
    path: /etc/rpm
    state: directory
    mode: "0755"
 - name: Relax RPM Sequoia signature policy for RHEL bootstrap
  when: is_rhel | bool
  ansible.builtin.copy:
--- a/roles/environment/tasks/main.yml
+++ b/roles/environment/tasks/main.yml
@@ -1,6 +1,6 @@
 ---
 - name: Configure work environment
-  become: "{{ hypervisor_type != 'vmware' }}"
+  become: "{{ (hypervisor_type | default('none')) != 'vmware' }}"
  block:
    - name: Detect and validate live environment
      ansible.builtin.include_tasks: _detect_live.yml
--- a/roles/global_defaults/defaults/main.yml
+++ b/roles/global_defaults/defaults/main.yml
@@ -9,6 +9,22 @@ os_family_debian:
  - debian
  - ubuntu
  - ubuntu-lts
 # OS → family mapping — aligns with the main project's ansible_os_family pattern.
 # Enables platform_config dict lookups per role instead of inline when: is_rhel chains.
 os_family_map:
  almalinux: RedHat
  alpine: Alpine
  archlinux: Archlinux
  debian: Debian
  fedora: RedHat
  opensuse: Suse
  rhel: RedHat
  rocky: RedHat
  ubuntu: Debian
  ubuntu-lts: Debian
  void: Void
 os_supported:
  - almalinux
  - alpine
@@ -30,13 +46,15 @@ hypervisor_defaults:
  url: ""
  username: ""
  password: ""
-  host: ""
+  node: ""
  storage: ""
  datacenter: ""
  cluster: ""
  folder: ""
  certs: false
  ssh: false
 physical_default_os: "archlinux"
 custom_iso: false
 thirdparty_tasks: "dropins/preparation.yml"
@@ -64,11 +82,13 @@ system_defaults:
  timezone: "Europe/Vienna"
  locale: "en_US.UTF-8"
  keymap: "us"
  mirror: ""
  packages: []
  disks: []
-  users: []
+  users: {}
  root:
    password: ""
    shell: "/bin/bash"
  luks:
    enabled: false
    passphrase: ""
@@ -109,17 +129,30 @@ system_defaults:
    rhel_repo:
      source: "iso" # iso|satellite|none — how RHEL systems get packages post-install
      url: ""       # Satellite/custom repo URL when source=satellite
    aur:
      enabled: false
      helper: "yay"  # yay|paru
      user: "_aur_builder"
    chroot:
      tool: "arch-chroot" # arch-chroot|chroot|systemd-nspawn
    initramfs:
      generator: "" # auto-detected; override: dracut|mkinitcpio|initramfs-tools
    desktop:
      enabled: false
      environment: ""       # gnome|kde|xfce|sway|hyprland|cinnamon|mate|lxqt|budgie
      display_manager: ""   # auto from environment when empty; override: gdm|sddm|lightdm|greetd
    secure_boot:
      enabled: false
      method: ""            # arch only: sbctl (default) or uki; ignored for other distros
 # Per-hypervisor required fields — drives data-driven validation.
 # All virtual types additionally require network bridge or interfaces.
 hypervisor_required_fields:
  proxmox:
-    hypervisor: [url, username, password, host, storage]
+    hypervisor: [url, username, password, node, storage]
    system: [id]
  vmware:
-    hypervisor: [url, username, password, datacenter, cluster, storage]
+    hypervisor: [url, username, password, datacenter, storage]
    system: []
  xen:
    hypervisor: []
--- a/roles/global_defaults/tasks/_normalize_system.yml
+++ b/roles/global_defaults/tasks/_normalize_system.yml
@@ -2,7 +2,7 @@
 - name: Build normalized system configuration
  vars:
    system_raw: "{{ system_defaults | combine(system, recursive=True) }}"
-    system_type: "{{ system_raw.type | string | lower }}"
+    system_type: "{{ 'virtual' if (system_raw.type | string | lower) in ['vm', 'virtual'] else (system_raw.type | string | lower) }}"
    system_os_input: "{{ system_raw.os | default('') | string | lower }}"
    system_name: >-
      {{
@@ -10,11 +10,15 @@
        if (system_raw.name | default('') | string | trim | length) > 0
        else inventory_hostname
      }}
    _mirror_defaults:
      debian: "https://deb.debian.org/debian/"
      ubuntu: "http://archive.ubuntu.com/ubuntu/"
      ubuntu-lts: "http://archive.ubuntu.com/ubuntu/"
  ansible.builtin.set_fact:
    system_cfg:
      # --- Identity & platform ---
      type: "{{ system_type }}"
-      os: "{{ system_os_input if system_os_input | length > 0 else ('archlinux' if system_type == 'physical' else '') }}"
+      os: "{{ system_os_input if system_os_input | length > 0 else (physical_default_os if system_type == 'physical' else '') }}"
      version: "{{ system_raw.version | default('') | string }}"
      filesystem: "{{ system_raw.filesystem | default('') | string | lower }}"
      name: "{{ system_name }}"
@@ -64,10 +68,21 @@
            )
          }}
      # --- Locale & environment ---
-      timezone: "{{ system_raw.timezone | default('Europe/Vienna') | string }}"
+      timezone: "{{ system_raw.timezone | string }}"
-      locale: "{{ system_raw.locale | default('en_US.UTF-8') | string }}"
+      locale: "{{ system_raw.locale | string }}"
-      keymap: "{{ system_raw.keymap | default('us') | string }}"
+      keymap: "{{ system_raw.keymap | string }}"
-      path: "{{ system_raw.path | default('') | string }}"
+      mirror: >-
        {{
          system_raw.mirror | string | trim
          if (system_raw.mirror | default('') | string | trim | length) > 0
          else _mirror_defaults[system_raw.os | default('') | string | lower] | default('')
        }}
      path: >-
        {{
          (system_raw.path | default('') | string)
          if (system_raw.path | default('') | string | length > 0)
          else (hypervisor_cfg.folder | default('') | string)
        }}
      packages: >-
        {{
          (
@@ -81,9 +96,10 @@
        }}
      # --- Storage & accounts ---
      disks: "{{ system_raw.disks | default([]) }}"
-      users: "{{ system_raw.users | default([]) }}"
+      users: "{{ system_raw.users | default({}) }}"
      root:
        password: "{{ system_raw.root.password | string }}"
        shell: "{{ system_raw.root.shell | default('/bin/bash') | string }}"
      # --- LUKS disk encryption ---
      luks:
        enabled: "{{ system_raw.luks.enabled | bool }}"
@@ -128,27 +144,16 @@
          url: "{{ system_raw.features.rhel_repo.url | default('') | string }}"
        chroot:
          tool: "{{ system_raw.features.chroot.tool | string }}"
        initramfs:
          generator: "{{ system_raw.features.initramfs.generator | default('') | string | lower }}"
        desktop:
          enabled: "{{ system_raw.features.desktop.enabled | bool }}"
          environment: "{{ system_raw.features.desktop.environment | default('') | string | lower }}"
          display_manager: "{{ system_raw.features.desktop.display_manager | default('') | string | lower }}"
        secure_boot:
          enabled: "{{ system_raw.features.secure_boot.enabled | bool }}"
          method: "{{ system_raw.features.secure_boot.method | default('') | string | lower }}"
    hostname: "{{ system_name }}"
-    os: "{{ system_os_input if system_os_input | length > 0 else ('archlinux' if system_type == 'physical' else '') }}"
+    os: "{{ system_os_input if system_os_input | length > 0 else (physical_default_os if system_type == 'physical' else '') }}"
    os_version: "{{ system_raw.version | default('') | string }}"
  no_log: true
 - name: Populate primary network fields from first interface
  when:
    - system_cfg.network.interfaces | length > 0
    - system_cfg.network.bridge | default('') | string | length == 0
  vars:
    _primary: "{{ system_cfg.network.interfaces[0] }}"
  ansible.builtin.set_fact:
    system_cfg: >-
      {{
        system_cfg | combine({
          'network': system_cfg.network | combine({
            'bridge': _primary.bridge | default(''),
            'vlan': _primary.vlan | default(''),
            'ip': _primary.ip | default(''),
            'prefix': _primary.prefix | default(''),
            'gateway': _primary.gateway | default('')
          })
        }, recursive=True)
      }}
--- a/roles/global_defaults/tasks/_validate_input.yml
+++ b/roles/global_defaults/tasks/_validate_input.yml
@@ -8,11 +8,11 @@
    that:
      - system is mapping
      - system.network is not defined or system.network is mapping
-      - system.users is not defined or (system.users is iterable and system.users is not string and system.users is not mapping)
+      - system.users is not defined or system.users is mapping
      - system.root is not defined or system.root is mapping
      - system.luks is not defined or system.luks is mapping
      - system.features is not defined or system.features is mapping
-    fail_msg: "system and its nested keys (network, root, luks, features) must be dictionaries; system.users must be a list."
+    fail_msg: "system and its nested keys (network, root, luks, features, users) must be dictionaries."
    quiet: true
 - name: Validate DNS lists (not strings)
@@ -25,17 +25,17 @@
    quiet: true
 - name: Validate system.users entries
-  when: system.users is defined and system.users | length > 0
+  when: system.users is defined and system.users is mapping and system.users | length > 0
  ansible.builtin.assert:
    that:
-      - item is mapping
+      - item.value is mapping
-      - item.name is defined and (item.name | string | length) > 0
+      - item.key | string | length > 0
-      - item['keys'] is not defined or (item['keys'] is iterable and item['keys'] is not string)
+      - item.value['keys'] is not defined or (item.value['keys'] is iterable and item.value['keys'] is not string)
-    fail_msg: "Each system.users[] entry must be a dict with 'name'; 'keys' must be a list."
+    fail_msg: "Each system.users entry must be a dict keyed by username; 'keys' must be a list."
    quiet: true
-  loop: "{{ system.users }}"
+  loop: "{{ system.users | dict2items }}"
  loop_control:
-    label: "{{ item.name | default('(unnamed)') }}"
+    label: "{{ item.key }}"
 - name: Validate system features input types
  when: system.features is defined
--- a/roles/global_defaults/tasks/main.yml
+++ b/roles/global_defaults/tasks/main.yml
@@ -10,9 +10,41 @@
 - name: Normalize hypervisor inputs
  ansible.builtin.include_tasks: hypervisor.yml
 - name: Set VMware module auth defaults
  when: hypervisor_type == 'vmware'
  ansible.builtin.set_fact:
    _vmware_auth:
      hostname: "{{ hypervisor_cfg.url }}"
      username: "{{ hypervisor_cfg.username }}"
      password: "{{ hypervisor_cfg.password }}"
      validate_certs: "{{ hypervisor_cfg.certs | bool }}"
      datacenter: "{{ hypervisor_cfg.datacenter }}"
  no_log: true
 - name: Set Proxmox module auth defaults
  when: hypervisor_type == 'proxmox'
  ansible.builtin.set_fact:
    _proxmox_auth:
      api_host: "{{ hypervisor_cfg.url }}"
      api_user: "{{ hypervisor_cfg.username }}"
      api_password: "{{ hypervisor_cfg.password }}"
    _proxmox_auth_node:
      api_host: "{{ hypervisor_cfg.url }}"
      api_user: "{{ hypervisor_cfg.username }}"
      api_password: "{{ hypervisor_cfg.password }}"
      node: "{{ hypervisor_cfg.node }}"
  no_log: true
 - name: Normalize system inputs
  ansible.builtin.include_tasks: system.yml
 - name: Inherit folder from hypervisor when system path is empty
  when:
    - system_cfg.path | default('') | string | length == 0
    - hypervisor_cfg.folder | default('') | string | length > 0
  ansible.builtin.set_fact:
    system_cfg: "{{ system_cfg | combine({'path': hypervisor_cfg.folder | string}, recursive=True) }}"
 - name: Validate variables
  ansible.builtin.include_tasks: validation.yml
@@ -20,6 +52,7 @@
  ansible.builtin.set_fact:
    is_rhel: "{{ os in os_family_rhel }}"
    is_debian: "{{ os in os_family_debian }}"
    os_family: "{{ os_family_map[os] | default('Unknown') }}"
 - name: Normalize OS version for keying
  when:
@@ -48,10 +81,14 @@
  when:
    - system_cfg.type == "virtual"
    - hypervisor_type != "vmware"
  vars:
    _primary: "{{ (system_cfg.users | dict2items | selectattr('value.password', 'defined') | first) }}"
  ansible.builtin.set_fact:
-    ansible_user: "{{ system_cfg.users[0].name }}"
+    ansible_host: "{{ system_cfg.network.ip }}"
-    ansible_password: "{{ system_cfg.users[0].password }}"
+    ansible_port: 22
-    ansible_become_password: "{{ system_cfg.users[0].password }}"
+    ansible_user: "{{ _primary.key }}"
    ansible_password: "{{ _primary.value.password }}"
    ansible_become_password: "{{ _primary.value.password }}"
    ansible_ssh_extra_args: "-o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
  no_log: true
@@ -59,3 +96,12 @@
  when: hypervisor_type == "vmware"
  ansible.builtin.set_fact:
    ansible_connection: vmware_tools
    ansible_host: "{{ hypervisor_cfg.url }}"
    ansible_port: 443
    ansible_user: root
    ansible_password: ""
    ansible_vmware_user: "{{ hypervisor_cfg.username }}"
    ansible_vmware_password: "{{ hypervisor_cfg.password }}"
    ansible_vmware_guest_path: "/{{ hypervisor_cfg.datacenter }}/vm{{ system_cfg.path }}/{{ hostname }}"
    ansible_vmware_validate_certs: "{{ hypervisor_cfg.certs | bool }}"
  no_log: true
--- a/roles/global_defaults/tasks/system.yml
+++ b/roles/global_defaults/tasks/system.yml
@@ -17,6 +17,27 @@
    - name: Normalize disk configuration
      ansible.builtin.include_tasks: _normalize_disks.yml
 - name: Populate primary network fields from first interface
  when:
    - system_cfg is defined
    - system_cfg.network.interfaces | default([]) | length > 0
    - system_cfg.network.ip | default('') | string | length == 0
  vars:
    _primary: "{{ system_cfg.network.interfaces[0] }}"
  ansible.builtin.set_fact:
    system_cfg: >-
      {{
        system_cfg | combine({
          'network': system_cfg.network | combine({
            'bridge': _primary.bridge | default(''),
            'vlan': _primary.vlan | default(''),
            'ip': _primary.ip | default(''),
            'prefix': _primary.prefix | default(''),
            'gateway': _primary.gateway | default('')
          })
        }, recursive=True)
      }}
 - name: Check if pre-computed system_cfg needs enrichment
  when: system_cfg is defined
  ansible.builtin.set_fact:
@@ -29,6 +50,47 @@
  ansible.builtin.set_fact:
    system_cfg: "{{ system_defaults | combine(system | default({}), recursive=True) | combine(system_cfg, recursive=True) }}"
 - name: Apply mirror default for pre-computed system_cfg
  when:
    - system_cfg is defined
    - _bootstrap_needs_enrichment | default(false) | bool
    - system_cfg.mirror | default('') | string | trim | length == 0
  vars:
    # Same as _normalize_system.yml — kept in sync manually.
    _mirror_defaults:
      debian: "https://deb.debian.org/debian/"
      ubuntu: "http://archive.ubuntu.com/ubuntu/"
      ubuntu-lts: "http://archive.ubuntu.com/ubuntu/"
  ansible.builtin.set_fact:
    system_cfg: >-
      {{
        system_cfg | combine({
          'mirror': _mirror_defaults[system_cfg.os | default('') | string | lower] | default('')
        }, recursive=True)
      }}
 - name: Populate primary network fields from first interface (pre-computed)
  when:
    - system_cfg is defined
    - _bootstrap_needs_enrichment | default(false) | bool
    - system_cfg.network.interfaces | default([]) | length > 0
    - system_cfg.network.bridge | default('') | string | length == 0
  vars:
    _primary: "{{ system_cfg.network.interfaces[0] }}"
  ansible.builtin.set_fact:
    system_cfg: >-
      {{
        system_cfg | combine({
          'network': system_cfg.network | combine({
            'bridge': _primary.bridge | default(''),
            'vlan': _primary.vlan | default(''),
            'ip': _primary.ip | default(''),
            'prefix': _primary.prefix | default(''),
            'gateway': _primary.gateway | default('')
          })
        }, recursive=True)
      }}
 - name: Derive convenience facts from pre-computed system_cfg
  when:
    - system_cfg is defined
--- a/roles/global_defaults/tasks/validation.yml
+++ b/roles/global_defaults/tasks/validation.yml
@@ -123,7 +123,7 @@
        or (
          os == "debian" and (os_version | string) in ["10", "11", "12", "13", "unstable"]
        ) or (
-          os == "fedora" and (os_version | int) >= 38 and (os_version | int) <= 45
+          os == "fedora" and (os_version | int) >= 38 and (os_version | int) <= 43
        ) or (
          os in ["rocky", "almalinux"]
          and (os_version | string) is match("^(8|9|10)(\\.\\d+)?$")
@@ -166,6 +166,23 @@
    label: "hypervisor.{{ item }}"
  no_log: true
 - name: Validate VMware placement (cluster or node required, mutually exclusive)
  when:
    - system_cfg.type == "virtual"
    - hypervisor_type == "vmware"
  ansible.builtin.assert:
    that:
      - >-
        (hypervisor_cfg.cluster | default('') | string | length > 0)
        or (hypervisor_cfg.node | default('') | string | length > 0)
      - >-
        (hypervisor_cfg.cluster | default('') | string | length == 0)
        or (hypervisor_cfg.node | default('') | string | length == 0)
    fail_msg: >-
      VMware requires either hypervisor.cluster or hypervisor.node (mutually exclusive).
      cluster targets a vSphere cluster; node targets a specific ESXi host.
    quiet: true
 - name: Validate hypervisor-specific required system fields
  when:
    - system_cfg.type == "virtual"
@@ -206,6 +223,7 @@
      - system_cfg.features.firewall.toolkit is defined
      - system_cfg.features.firewall.toolkit in ["iptables", "nftables"]
      - system_cfg.features.firewall.enabled is defined
      - system_cfg.features.ssh.enabled is defined
      - system_cfg.features.banner.motd is defined
      - system_cfg.features.banner.sudo is defined
      - system_cfg.luks.enabled is defined
@@ -243,13 +261,16 @@
    fail_msg: "Invalid system sizing. Check system.cpus, system.memory, and system.disks[0].size."
    quiet: true
- name: Validate at least one user is defined
+- name: Validate at least one user with a password is defined
  vars:
    _pw_users: "{{ system_cfg.users | dict2items | selectattr('value.password', 'defined') | list }}"
  ansible.builtin.assert:
    that:
-      - system_cfg.users | default([]) | length > 0
+      - system_cfg.users | default({}) | length > 0
-      - system_cfg.users[0].name is defined and (system_cfg.users[0].name | string | length) > 0
+      - _pw_users | length > 0
-      - system_cfg.users[0].password is defined and (system_cfg.users[0].password | string | length) > 0
+      - _pw_users[0].key | string | length > 0
-    fail_msg: "At least one user with a name and password must be defined in system.users[]."
+      - _pw_users[0].value.password | string | length > 0
    fail_msg: "At least one user with a password must be defined in system.users."
    quiet: true
  no_log: true
@@ -292,8 +313,8 @@
    system_disk_mounts: >-
      {{
        (system_cfg.disks | default([]))
-        | map(attribute='mount')
+        | map(attribute='mount', default={})
-        | map(attribute='path')
+        | map(attribute='path', default='')
        | map('string')
        | map('trim')
        | reject('equalto', '')
@@ -347,8 +368,48 @@
    that:
      - item is mapping
      - item.bridge is defined and (item.bridge | string | length) > 0
-    fail_msg: "Each system.network.interfaces[] entry must be a dict with at least a 'bridge' key."
+      - >-
        (item.ip | default('') | string | length) == 0
        or (item.prefix | default('') | string | length) > 0
    fail_msg: "Each system.network.interfaces[] entry must have a 'bridge' key and 'prefix' when 'ip' is set."
    quiet: true
  loop: "{{ system_cfg.network.interfaces }}"
  loop_control:
    label: "{{ item | to_json }}"
 - name: Validate hostname format
  ansible.builtin.assert:
    that:
      - hostname is regex("^[a-zA-Z0-9]([a-zA-Z0-9._-]*[a-zA-Z0-9])?$")
    fail_msg: "hostname '{{ hostname }}' contains invalid characters. Use only alphanumeric, hyphens, dots, and underscores."
    quiet: true
 - name: Validate IP address format
  when: system_cfg.network.ip is defined and (system_cfg.network.ip | string | length) > 0
  ansible.builtin.assert:
    that:
      - system_cfg.network.ip is regex("^([0-9]{1,3}\\.){3}[0-9]{1,3}$")
    fail_msg: "system.network.ip '{{ system_cfg.network.ip }}' is not a valid IPv4 address."
    quiet: true
 - name: Validate DNS server format
  when:
    - system_cfg.network.dns.servers is defined
    - system_cfg.network.dns.servers | length > 0
  ansible.builtin.assert:
    that:
      - item is regex("^([0-9]{1,3}\\.){3}[0-9]{1,3}$")
    fail_msg: "DNS server '{{ item }}' is not a valid IPv4 address."
    quiet: true
  loop: "{{ system_cfg.network.dns.servers }}"
 - name: Validate LUKS method
  when: system_cfg.luks.enabled | bool
  ansible.builtin.assert:
    that:
      - system_cfg.luks.method in ["tpm2", "keyfile"]
      - >-
        (system_cfg.luks.passphrase | string | length) > 0
    fail_msg: "system.luks.method must be 'tpm2' or 'keyfile', and luks.passphrase must be set when LUKS is enabled."
    quiet: true
  no_log: true
--- a/roles/partitioning/defaults/main.yml
+++ b/roles/partitioning/defaults/main.yml
@@ -1,5 +1,8 @@
 ---
 partitioning_btrfs_compress_opt: "{{ 'compress=zstd:15' if system_cfg.features.zstd.enabled | bool else '' }}"
 # Partition separator: 'p' for NVMe/mmcblk (device path ends in digit), empty for SCSI/virtio.
 # Examples: /dev/sda → /dev/sda1, /dev/nvme0n1 → /dev/nvme0n1p1
 partitioning_part_sep: "{{ 'p' if (install_drive | default('') | regex_search('\\d$')) else '' }}"
 partitioning_boot_partition_suffix: 1
 partitioning_main_partition_suffix: 2
 partitioning_efi_size_mib: 512
@@ -113,12 +116,12 @@ partitioning_grub_enable_cryptodisk: >-
    and not (partitioning_separate_boot | bool)
    and (partitioning_efi_mountpoint == '/boot/efi')
  }}
-partitioning_luks_device: "{{ install_drive ~ (partitioning_root_partition_suffix | string) }}"
+partitioning_luks_device: "{{ install_drive ~ partitioning_part_sep ~ (partitioning_root_partition_suffix | string) }}"
 partitioning_root_device: >-
  {{
    '/dev/mapper/' + system_cfg.luks.mapper
    if (system_cfg.luks.enabled | bool)
-    else install_drive ~ (partitioning_root_partition_suffix | string)
+    else install_drive ~ partitioning_part_sep ~ (partitioning_root_partition_suffix | string)
  }}
 partitioning_disk_size_gb: >-
  {{
--- a/roles/partitioning/tasks/_create_filesystems.yml
+++ b/roles/partitioning/tasks/_create_filesystems.yml
@@ -3,7 +3,7 @@
  block:
    - name: Create FAT32 filesystem in boot partition
      community.general.filesystem:
-        dev: "{{ install_drive }}{{ partitioning_boot_partition_suffix }}"
+        dev: "{{ install_drive }}{{ partitioning_part_sep }}{{ partitioning_boot_partition_suffix }}"
        fstype: vfat
        opts: -F32 -n BOOT
        force: true
@@ -11,7 +11,7 @@
    - name: Create filesystem for /boot partition
      when: partitioning_separate_boot | bool
      community.general.filesystem:
-        dev: "{{ install_drive }}{{ partitioning_boot_fs_partition_suffix }}"
+        dev: "{{ install_drive }}{{ partitioning_part_sep }}{{ partitioning_boot_fs_partition_suffix }}"
        fstype: "{{ partitioning_boot_fs_fstype }}"
        opts: "{{ '-m bigtime=0 -i nrext64=0,exchange=0 -n parent=0' if (is_rhel | bool and partitioning_boot_fs_fstype == 'xfs') else omit }}"
        force: true
@@ -23,8 +23,7 @@
        - os in ['almalinux', 'rocky', 'rhel'] or (os == 'debian' and (os_version | string) == '11')
      ansible.builtin.command: >-
        tune2fs -O "^orphan_file,^metadata_csum_seed"
-        "{{ install_drive }}{{ partitioning_boot_fs_partition_suffix }}"
+        "{{ install_drive }}{{ partitioning_part_sep }}{{ partitioning_boot_fs_partition_suffix }}"
      register: partitioning_boot_ext4_tune_result
      changed_when: false
    - name: Create swap filesystem
@@ -39,7 +38,7 @@
      ansible.builtin.include_tasks: "{{ system_cfg.filesystem }}.yml"
    - name: Get UUID for boot filesystem
-      ansible.builtin.command: blkid -s UUID -o value '{{ install_drive }}{{ partitioning_boot_partition_suffix }}'
+      ansible.builtin.command: blkid -s UUID -o value '{{ install_drive }}{{ partitioning_part_sep }}{{ partitioning_boot_partition_suffix }}'
      register: partitioning_boot_uuid
      changed_when: false
      failed_when: partitioning_boot_uuid.rc != 0 or (partitioning_boot_uuid.stdout | trim | length) == 0
@@ -47,7 +46,7 @@
    - name: Get UUID for /boot filesystem
      when: partitioning_separate_boot | bool
      ansible.builtin.command: >-
-        blkid -s UUID -o value '{{ install_drive }}{{ partitioning_boot_fs_partition_suffix }}'
+        blkid -s UUID -o value '{{ install_drive }}{{ partitioning_part_sep }}{{ partitioning_boot_fs_partition_suffix }}'
      register: partitioning_boot_fs_uuid
      changed_when: false
      failed_when: partitioning_boot_fs_uuid.rc != 0 or (partitioning_boot_fs_uuid.stdout | trim | length) == 0
@@ -77,7 +76,7 @@
    - name: Get UUID for LVM home filesystem
      when:
        - system_cfg.filesystem != 'btrfs'
-        - system_cfg.features.cis.enabled
+        - system_cfg.features.cis.enabled | bool
      ansible.builtin.command: blkid -s UUID -o value /dev/{{ partitioning_vg_name }}/home
      register: partitioning_uuid_home_result
      changed_when: false
@@ -86,7 +85,7 @@
    - name: Get UUID for LVM var filesystem
      when:
        - system_cfg.filesystem != 'btrfs'
-        - system_cfg.features.cis.enabled
+        - system_cfg.features.cis.enabled | bool
      ansible.builtin.command: blkid -s UUID -o value /dev/{{ partitioning_vg_name }}/var
      register: partitioning_uuid_var_result
      changed_when: false
@@ -95,7 +94,7 @@
    - name: Get UUID for LVM var_log filesystem
      when:
        - system_cfg.filesystem != 'btrfs'
-        - system_cfg.features.cis.enabled
+        - system_cfg.features.cis.enabled | bool
      ansible.builtin.command: blkid -s UUID -o value /dev/{{ partitioning_vg_name }}/var_log
      register: partitioning_uuid_var_log_result
      changed_when: false
@@ -104,7 +103,7 @@
    - name: Get UUID for LVM var_log_audit filesystem
      when:
        - system_cfg.filesystem != 'btrfs'
-        - system_cfg.features.cis.enabled
+        - system_cfg.features.cis.enabled | bool
      ansible.builtin.command: blkid -s UUID -o value /dev/{{ partitioning_vg_name }}/var_log_audit
      register: partitioning_uuid_var_log_audit_result
      changed_when: false
@@ -123,24 +122,24 @@
        partitioning_uuid_home: >-
          {{
            partitioning_uuid_home_result.stdout_lines | default([])
-            if system_cfg.features.cis.enabled
+            if system_cfg.features.cis.enabled | bool
            else []
          }}
        partitioning_uuid_var: >-
          {{
            partitioning_uuid_var_result.stdout_lines | default([])
-            if system_cfg.features.cis.enabled
+            if system_cfg.features.cis.enabled | bool
            else []
          }}
        partitioning_uuid_var_log: >-
          {{
            partitioning_uuid_var_log_result.stdout_lines | default([])
-            if system_cfg.features.cis.enabled
+            if system_cfg.features.cis.enabled | bool
            else []
          }}
        partitioning_uuid_var_log_audit: >-
          {{
            partitioning_uuid_var_log_audit_result.stdout_lines | default([])
-            if system_cfg.features.cis.enabled
+            if system_cfg.features.cis.enabled | bool
            else []
          }}
--- a/roles/partitioning/tasks/_create_lvm.yml
+++ b/roles/partitioning/tasks/_create_lvm.yml
@@ -29,7 +29,7 @@
    - name: Create LVM logical volumes
      when:
-        - system_cfg.features.cis.enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
+        - system_cfg.features.cis.enabled | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
        - system_cfg.features.swap.enabled | bool or item.lv != 'swap'
      vars:
        partitioning_lvm_extent_reserve_count: 10
@@ -84,7 +84,7 @@
                (
                  (partitioning_disk_size_gb | float)
                  - (partitioning_reserved_gb | float)
-                  - (system_cfg.features.cis.enabled | ternary(partitioning_cis_reserved_gb | float, 0))
+                  - (system_cfg.features.cis.enabled | bool | ternary(partitioning_cis_reserved_gb | float, 0))
                  - partitioning_lvm_extent_reserve_gb
                  - 4
                ),
@@ -99,7 +99,7 @@
            (
              (partitioning_disk_size_gb | float)
              - (partitioning_reserved_gb | float)
-              - (system_cfg.features.cis.enabled | ternary(partitioning_cis_reserved_gb | float, 0))
+              - (system_cfg.features.cis.enabled | bool | ternary(partitioning_cis_reserved_gb | float, 0))
              - partitioning_lvm_extent_reserve_gb
              - partitioning_lvm_swap_target_limited_gb
            ) | float
@@ -160,7 +160,7 @@
                    + (partitioning_lvm_var_gb | float)
                    + (partitioning_lvm_var_log_gb | float)
                    + (partitioning_lvm_var_log_audit_gb | float)
-                    if system_cfg.features.cis.enabled
+                    if system_cfg.features.cis.enabled | bool
                    else 0
                  )
              ),
--- a/roles/partitioning/tasks/_create_partitions.yml
+++ b/roles/partitioning/tasks/_create_partitions.yml
@@ -65,9 +65,7 @@
          ansible.builtin.command: "{{ item }}"
          loop:
            - "partprobe {{ install_drive }}"
            - "blockdev --rereadpt {{ install_drive }}"
            - "udevadm settle"
          register: partitioning_partprobe_result
          changed_when: false
          failed_when: false
@@ -91,9 +89,7 @@
          ansible.builtin.command: "{{ item }}"
          loop:
            - "partprobe {{ install_drive }}"
            - "blockdev --rereadpt {{ install_drive }}"
            - "udevadm settle"
          register: partitioning_partprobe_retry
          changed_when: false
          failed_when: false
@@ -116,6 +112,5 @@
      loop:
        - "partprobe {{ install_drive }}"
        - "udevadm settle"
      register: partitioning_partprobe_settle
      changed_when: false
      failed_when: false
--- a/roles/partitioning/tasks/_mount.yml
+++ b/roles/partitioning/tasks/_mount.yml
@@ -7,14 +7,15 @@
    - name: Mount filesystems and subvolumes
      when:
        - >-
-          system_cfg.features.cis.enabled or (
+          system_cfg.features.cis.enabled | bool or (
-            not system_cfg.features.cis.enabled and (
+            not (system_cfg.features.cis.enabled | bool) and (
-              (system_cfg.filesystem == 'btrfs' and item.path in ['/home', '/var/log', '/var/cache/pacman/pkg'])
+              (system_cfg.filesystem == 'btrfs' and item.path in ['/home', '/var/log']
               + (['/var/cache/pacman/pkg'] if os == 'archlinux' else []))
              or (item.path not in ['/home', '/var', '/var/log', '/var/log/audit', '/var/cache/pacman/pkg'])
            )
          )
        - >-
-          not (item.path in ['/swap', '/var/cache/pacman/pkg'] and system_cfg.filesystem != 'btrfs')
+          not (item.path in ['/swap', '/var/cache/pacman/pkg'] and (system_cfg.filesystem != 'btrfs' or os != 'archlinux'))
        - system_cfg.features.swap.enabled | bool or item.path != '/swap'
      ansible.posix.mount:
        path: /mnt{{ item.path }}
--- a/roles/partitioning/tasks/_setup_luks.yml
+++ b/roles/partitioning/tasks/_setup_luks.yml
@@ -21,7 +21,6 @@
          algorithm: "{{ system_cfg.luks.pbkdf }}"
          iteration_time: "{{ (system_cfg.luks.iter | float) / 1000 }}"
        passphrase: "{{ system_cfg.luks.passphrase | string }}"
      register: partitioning_luks_format_result
      no_log: true
    - name: Force-close LUKS mapper
@@ -51,7 +50,6 @@
            name: "{{ system_cfg.luks.mapper }}"
            passphrase: "{{ system_cfg.luks.passphrase | string }}"
            allow_discards: "{{ 'discard' in (system_cfg.luks.options | lower) }}"
          register: partitioning_luks_open_result
          no_log: true
      rescue:
        - name: Force-close stale LUKS mapper
@@ -79,7 +77,6 @@
            name: "{{ system_cfg.luks.mapper }}"
            passphrase: "{{ system_cfg.luks.passphrase | string }}"
            allow_discards: "{{ 'discard' in (system_cfg.luks.options | lower) }}"
          register: partitioning_luks_open_retry
          no_log: true
    - name: Get LUKS UUID
--- a/roles/partitioning/tasks/btrfs.yml
+++ b/roles/partitioning/tasks/btrfs.yml
@@ -41,8 +41,9 @@
    - name: Make root subvolumes
      when:
-        - system_cfg.features.cis.enabled or item.subvol not in ['var_log_audit']
+        - system_cfg.features.cis.enabled | bool or item.subvol not in ['var_log_audit']
        - system_cfg.features.swap.enabled | bool or item.subvol != 'swap'
        - item.os is not defined or os in item.os
      ansible.builtin.command: btrfs su cr /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
      args:
        creates: /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
@@ -51,15 +52,21 @@
        - { subvol: swap }
        - { subvol: home }
        - { subvol: var }
-        - { subvol: pkg }
+        - { subvol: pkg, os: [archlinux] }
        - { subvol: var_log }
        - { subvol: var_log_audit }
      loop_control:
        label: "{{ item.subvol }}"
-      register: partitioning_btrfs_subvol_result
+
    - name: Set default btrfs subvolume to @
      ansible.builtin.shell: >-
        btrfs subvolume list /mnt | awk '/ path @$/ {print $2}'
        | xargs -I{} btrfs subvolume set-default {} /mnt
      register: partitioning_btrfs_default_result
      changed_when: partitioning_btrfs_default_result.rc == 0
    - name: Set quotas for subvolumes
-      when: system_cfg.features.cis.enabled
+      when: system_cfg.features.cis.enabled | bool
      ansible.builtin.command: btrfs qgroup limit {{ item.quota }} /mnt/{{ '@' if item.subvol == 'root' else '@' + item.subvol }}
      loop:
        - { subvol: home, quota: "{{ partitioning_btrfs_home_quota }}" }
@@ -74,7 +81,6 @@
        btrfs filesystem mkswapfile --size {{ partitioning_swap_size_gb }}g --uuid clear /mnt/@swap/swapfile
      args:
        creates: /mnt/@swap/swapfile
      register: partitioning_btrfs_swap_result
    - name: Unmount Partition
      ansible.posix.mount:
--- a/roles/partitioning/tasks/ext4.yml
+++ b/roles/partitioning/tasks/ext4.yml
@@ -1,6 +1,6 @@
 ---
 - name: Create and format ext4 logical volumes
-  when: system_cfg.features.cis.enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
+  when: system_cfg.features.cis.enabled | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
  community.general.filesystem:
    dev: /dev/{{ partitioning_vg_name }}/{{ item.lv }}
    fstype: ext4
@@ -17,7 +17,7 @@
 - name: Remove Unsupported features for older Systems
  when: >
    (os in ['almalinux', 'rocky', 'rhel'] or (os == 'debian' and (os_version | string) == '11'))
-    and (system_cfg.features.cis.enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'])
+    and (system_cfg.features.cis.enabled | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit'])
  ansible.builtin.command: tune2fs -O "^orphan_file,^metadata_csum_seed" "/dev/{{ partitioning_vg_name }}/{{ item.lv }}"
  loop:
    - { lv: root }
--- a/roles/partitioning/tasks/xfs.yml
+++ b/roles/partitioning/tasks/xfs.yml
@@ -1,6 +1,6 @@
 ---
 - name: Create and format XFS logical volumes
-  when: system_cfg.features.cis.enabled or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
+  when: system_cfg.features.cis.enabled | bool or item.lv not in ['home', 'var', 'var_log', 'var_log_audit']
  community.general.filesystem:
    dev: /dev/{{ partitioning_vg_name }}/{{ item.lv }}
    fstype: xfs
--- a/roles/system_check/tasks/main.yml
+++ b/roles/system_check/tasks/main.yml
@@ -45,7 +45,7 @@
      block:
        - name: Query Proxmox for existing VM
          community.proxmox.proxmox_vm_info:
-            node: "{{ hypervisor_cfg.host }}"
+            node: "{{ hypervisor_cfg.node }}"
            vmid: "{{ system_cfg.id }}"
            name: "{{ hostname }}"
            type: qemu
@@ -66,6 +66,7 @@
    - name: Check VM existence in vCenter
      when: hypervisor_type == "vmware"
      delegate_to: localhost
      become: false
      module_defaults:
        community.vmware.vmware_guest_info:
          hostname: "{{ hypervisor_cfg.url }}"
@@ -106,6 +107,7 @@
    - name: Check if VM already exists on Xen
      when: hypervisor_type == "xen"
      delegate_to: localhost
      become: false
      ansible.builtin.command:
        argv:
          - xl
--- a/roles/virtualization/defaults/main.yml
+++ b/roles/virtualization/defaults/main.yml
@@ -22,10 +22,10 @@ virtualization_libvirt_ovmf_vars: /usr/share/edk2/x64/OVMF_VARS.4m.fd
 virtualization_tpm2_enabled: >-
  {{
    (
      (system_cfg.luks.enabled | bool)
      and (system_cfg.luks.auto | bool)
-    and (
+      and (system_cfg.luks.method | lower == 'tpm2')
      (system_cfg.luks.method | lower)
      == 'tpm2'
    )
    or (system_cfg.features.secure_boot.enabled | default(false) | bool)
  }}
--- a/roles/virtualization/tasks/_xen_disks.yml
+++ b/roles/virtualization/tasks/_xen_disks.yml
@@ -0,0 +1,26 @@
 ---
 - name: Build Xen disk definitions
  when: virtualization_xen_disks is not defined
  block:
    - name: Compute Xen disk configuration
      ansible.builtin.set_fact:
        virtualization_xen_disks: "{{ virtualization_xen_disks | default([]) + [_xen_disk_cfg] }}"
      vars:
        device_letter_map: "{{ disk_letter_map }}"
        device_letter: "{{ device_letter_map[ansible_loop.index0] }}"
        _xen_disk_cfg: >-
          {{
            {
              'path': (
                virtualization_xen_disk_path ~ '/' ~ hostname ~ '.qcow2'
                if ansible_loop.index0 == 0
                else virtualization_xen_disk_path ~ '/' ~ hostname ~ '-disk' ~ ansible_loop.index0 ~ '.qcow2'
              ),
              'target': 'xvd' ~ device_letter,
              'size': (item.size | float)
            }
          }}
      loop: "{{ system_cfg.disks }}"
      loop_control:
        label: "{{ item | to_json }}"
        extended: true
--- a/roles/virtualization/tasks/delete.yml
+++ b/roles/virtualization/tasks/delete.yml
@@ -0,0 +1,80 @@
 ---
 - name: Delete VMware VM
  when: hypervisor_type == "vmware"
  delegate_to: localhost
  community.vmware.vmware_guest:
    hostname: "{{ hypervisor_cfg.url }}"
    username: "{{ hypervisor_cfg.username }}"
    password: "{{ hypervisor_cfg.password }}"
    validate_certs: "{{ hypervisor_cfg.certs | bool }}"
    datacenter: "{{ hypervisor_cfg.datacenter }}"
    name: "{{ hostname }}"
    folder: "{{ system_cfg.path if system_cfg.path | string | length > 0 else omit }}"
    state: absent
    force: true
  no_log: true
 - name: Delete Proxmox VM
  when: hypervisor_type == "proxmox"
  delegate_to: localhost
  community.proxmox.proxmox_kvm:
    api_host: "{{ hypervisor_cfg.url }}"
    api_user: "{{ hypervisor_cfg.username }}"
    api_password: "{{ hypervisor_cfg.password }}"
    node: "{{ hypervisor_cfg.node }}"
    vmid: "{{ system_cfg.id | default(omit, true) }}"
    name: "{{ hostname }}"
    state: absent
    force: true
  no_log: true
 - name: Destroy libvirt VM
  when: hypervisor_type == "libvirt"
  delegate_to: localhost
  block:
    - name: Stop libvirt VM
      community.libvirt.virt:
        name: "{{ hostname }}"
        state: destroyed
        uri: "{{ libvirt_uri | default('qemu:///system') }}"
      failed_when: false
    - name: Undefine libvirt VM
      ansible.builtin.command:
        cmd: "virsh -c {{ libvirt_uri | default('qemu:///system') }} undefine {{ hostname }} --nvram"
      register: _libvirt_undefine_result
      changed_when: _libvirt_undefine_result.rc == 0
      failed_when: false
    - name: Remove libvirt disk images
      ansible.builtin.file:
        path: "{{ item.path }}"
        state: absent
      loop: "{{ virtualization_libvirt_disks | default([]) }}"
      loop_control:
        label: "{{ item.path | default('unknown') }}"
    - name: Remove libvirt cloud-init disk
      ansible.builtin.file:
        path: "{{ virtualization_libvirt_cloudinit_path | default('/dev/null') }}"
        state: absent
      when: virtualization_libvirt_cloudinit_path is defined
 - name: Destroy Xen VM
  when: hypervisor_type == "xen"
  delegate_to: localhost
  block:
    - name: Stop Xen VM
      ansible.builtin.command:
        argv:
          - xl
          - destroy
          - "{{ hostname }}"
      changed_when: false
      failed_when: false
    - name: Remove Xen VM config
      ansible.builtin.file:
        path: "/etc/xen/{{ hostname }}.cfg"
        state: absent
      failed_when: false
--- a/roles/virtualization/tasks/proxmox.yml
+++ b/roles/virtualization/tasks/proxmox.yml
@@ -2,11 +2,7 @@
 - name: Deploy VM on Proxmox
  delegate_to: localhost
  module_defaults:
-    community.proxmox.proxmox_kvm:
+    community.proxmox.proxmox_kvm: "{{ _proxmox_auth_node }}"
      api_host: "{{ hypervisor_cfg.url }}"
      api_user: "{{ hypervisor_cfg.username }}"
      api_password: "{{ hypervisor_cfg.password }}"
      node: "{{ hypervisor_cfg.host }}"
  block:
    - name: Create VM on Proxmox
      vars:
@@ -39,8 +35,8 @@
          {%- endfor -%}
          {{ out }}
      community.proxmox.proxmox_kvm:
-        ciuser: "{{ system_cfg.users[0].name }}"
+        ciuser: "{{ (system_cfg.users | dict2items | selectattr('value.password', 'defined') | first).key }}"
-        cipassword: "{{ system_cfg.users[0].password }}"
+        cipassword: "{{ (system_cfg.users | dict2items | selectattr('value.password', 'defined') | first).value.password }}"
        ciupgrade: false
        vmid: "{{ system_cfg.id }}"
        name: "{{ hostname }}"
--- a/roles/virtualization/tasks/vmware.yml
+++ b/roles/virtualization/tasks/vmware.yml
@@ -14,24 +14,9 @@
 - name: Deploy VM in vCenter
  delegate_to: localhost
  module_defaults:
-    community.vmware.vmware_guest:
+    community.vmware.vmware_guest: "{{ _vmware_auth }}"
-      hostname: "{{ hypervisor_cfg.url }}"
+    community.vmware.vmware_guest_tpm: "{{ _vmware_auth }}"
-      username: "{{ hypervisor_cfg.username }}"
+    vmware.vmware.vm_powerstate: "{{ _vmware_auth }}"
      password: "{{ hypervisor_cfg.password }}"
      validate_certs: "{{ hypervisor_cfg.certs | bool }}"
      datacenter: "{{ hypervisor_cfg.datacenter }}"
    community.vmware.vmware_guest_tpm:
      hostname: "{{ hypervisor_cfg.url }}"
      username: "{{ hypervisor_cfg.username }}"
      password: "{{ hypervisor_cfg.password }}"
      validate_certs: "{{ hypervisor_cfg.certs | bool }}"
      datacenter: "{{ hypervisor_cfg.datacenter }}"
    vmware.vmware.vm_powerstate:
      hostname: "{{ hypervisor_cfg.url }}"
      username: "{{ hypervisor_cfg.username }}"
      password: "{{ hypervisor_cfg.password }}"
      validate_certs: "{{ hypervisor_cfg.certs | bool }}"
      datacenter: "{{ hypervisor_cfg.datacenter }}"
  block:
    # community.vmware: full-featured guest management
    - name: Create VM in vCenter
@@ -47,7 +32,8 @@
          {%- endfor -%}
          {{ ns.out }}
      community.vmware.vmware_guest:
-        cluster: "{{ hypervisor_cfg.cluster }}"
+        cluster: "{{ hypervisor_cfg.cluster if (hypervisor_cfg.node | default('') | length == 0) else omit }}"
        esxi_hostname: "{{ hypervisor_cfg.node if (hypervisor_cfg.node | default('') | length > 0) else omit }}"
        folder: "{{ system_cfg.path if system_cfg.path | string | length > 0 else omit }}"
        name: "{{ hostname }}"
        # Generic guest ID — VMware auto-detects OS post-install
@@ -100,6 +86,17 @@
        name: "{{ hostname }}"
        state: present
      no_log: true
      register: virtualization_vmware_tpm2_result
    - name: Validate vTPM2 was added successfully
      when:
        - virtualization_tpm2_enabled | bool
        - virtualization_vmware_tpm2_result is defined
      ansible.builtin.assert:
        that:
          - virtualization_vmware_tpm2_result is not failed
        fail_msg: "Failed to add vTPM2 to VM '{{ hostname }}'. LUKS with TPM2 requires a virtual TPM device."
        quiet: true
    # vmware.vmware: modern collection for power operations
    - name: Start VM in vCenter
--- a/roles/virtualization/tasks/xen.yml
+++ b/roles/virtualization/tasks/xen.yml
@@ -2,28 +2,7 @@
 - name: Deploy VM on Xen
  block:
    - name: Build disk definitions
-      ansible.builtin.set_fact:
+      ansible.builtin.include_tasks: _xen_disks.yml
        virtualization_xen_disks: "{{ virtualization_xen_disks | default([]) + [virtualization_xen_disk_cfg] }}"
      vars:
        device_letter_map: "{{ disk_letter_map }}"
        device_letter: "{{ device_letter_map[ansible_loop.index0] }}"
        virtualization_xen_disk_cfg: >-
          {{
            {
              'path': (
                virtualization_xen_disk_path ~ '/' ~ hostname ~ '.qcow2'
                if ansible_loop.index0 == 0
                else virtualization_xen_disk_path ~ '/' ~ hostname ~ '-disk' ~ ansible_loop.index0 ~ '.qcow2'
              ),
              'target': 'xvd' ~ device_letter,
              'size': (item.size | float)
            }
          }}
      loop: "{{ system_cfg.disks }}"
      loop_control:
        label: "{{ item | to_json }}"
        extended: true
      changed_when: false
    - name: Create VM disks for Xen
      delegate_to: localhost
--- a/roles/virtualization/templates/cloud-user-data.yml.j2
+++ b/roles/virtualization/templates/cloud-user-data.yml.j2
@@ -4,17 +4,22 @@ ssh_pwauth: true
 package_update: false
 package_upgrade: false
 users:
-{% for user in system_cfg.users %}
+{% for username, attrs in system_cfg.users.items() %}
-  - name: "{{ user.name }}"
+  - name: "{{ username }}"
-    primary_group: "{{ user.name }}"
+    primary_group: "{{ username }}"
    groups: users
 {% if attrs.sudo | default(false) | bool %}
    sudo: "ALL=(ALL) NOPASSWD:ALL"
-    passwd: "{{ user.password | password_hash('sha512') }}"
+{% endif %}
 {% if attrs.password | default('') | length > 0 %}
    passwd: "{{ attrs.password | password_hash('sha512') }}"
    lock_passwd: false
-{% set ssh_keys = user['keys'] | default([]) %}
+{% else %}
-{% if ssh_keys | length > 0 %}
+    lock_passwd: true
 {% endif %}
 {% if 'keys' in attrs and attrs['keys'] is iterable and attrs['keys'] is not string and attrs['keys'] | length > 0 %}
    ssh_authorized_keys:
-{% for key in ssh_keys %}
+{% for key in attrs['keys'] %}
      - "{{ key }}"
 {% endfor %}
 {% endif %}
--- a/vars_example.yml
+++ b/vars_example.yml
@@ -7,7 +7,7 @@ hypervisor:
  url: "pve01.example.com"
  username: "root@pam"
  password: "CHANGE_ME"
-  host: "pve01"
+  node: "pve01"
  storage: "local-lvm"
  datacenter: "dc01"
  cluster: "cluster01"