---
- name: Validate Secure Boot is supported on this OS
  ansible.builtin.assert:
    that:
      - os in ['archlinux', 'debian', 'ubuntu', 'ubuntu-lts',
              'rhel', 'rocky', 'almalinux', 'fedora']
    fail_msg: >-
      Secure Boot is not supported on {{ os }} in this bootstrap. Supported:
      Arch (sbctl) and Debian/Ubuntu/RHEL/Rocky/Alma/Fedora (shim). Disable
      system.features.secure_boot.enabled or pick a supported OS.
    quiet: true

- name: Configure shim-based Secure Boot
  when: os != 'archlinux'
  ansible.builtin.include_tasks: secure_boot/shim.yml

- name: Configure sbctl Secure Boot
  when: os == 'archlinux'
  ansible.builtin.include_tasks: secure_boot/sbctl.yml