Goal: Idempotent Ansible hardening for Ubuntu servers that applies security baselines (SSH, updates, firewall, audit, kernel/sysctl) with safe defaults and easy overrides.
Scope: Ubuntu 22.04 LTS (target), 24.04 LTS (stretch). Server edition; non-destructive.
Highlights:
- CIS-inspired controls (documented in a mapping table)
- Role-based structure; variable-driven; `--check` and `--diff` friendly
- Built-in tests (Molecule + Testinfra) and GitHub Actions CI
- Rollback safety (backups of touched configs)
- Clear “what changed” reporting
```bash
# Dry-run first
ansible-playbook playbooks/harden.yml --check --diff
# Apply
ansible-playbook playbooks/harden.yml
# Rollback if needed
ansible-playbook playbooks/rollback.yml -e "target=ssh"   # example
```
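To show how a role in this layout can meet the `--check`/`--diff`, rollback-safety and "what changed" goals listed above, here is a hypothetical `roles/ssh/tasks/main.yml` plus its handler, written as an added example for this page (not the project's own code). It assumes the `templates/sshd_config.j2` from the tree below and Ubuntu's `ssh` service name; the task keeps a timestamped backup of the file it touches, validates the rendered config before installing it, and restarts sshd only when something actually changed.

```yaml
# roles/ssh/tasks/main.yml  (hypothetical example written for this page)
---
- name: Render hardened sshd_config (backup kept for rollback, validated before install)
  ansible.builtin.template:
    src: sshd_config.j2                 # templates/sshd_config.j2 from the repo tree
    dest: /etc/ssh/sshd_config
    owner: root
    group: root
    mode: "0600"
    backup: true                        # leaves /etc/ssh/sshd_config.<timestamp>~ for rollback.yml
    validate: /usr/sbin/sshd -t -f %s   # refuse any rendered config sshd itself would reject
  register: sshd_config_result
  notify: Restart sshd                  # handler runs only if the file changed

- name: Report what changed (the full diff is printed when run with --diff)
  ansible.builtin.debug:
    msg: >-
      sshd_config {{ 'changed' if sshd_config_result.changed else 'unchanged' }}
      {%- if sshd_config_result.backup_file is defined -%}
      , backup at {{ sshd_config_result.backup_file }}
      {%- endif -%}

# roles/ssh/handlers/main.yml  (hypothetical example written for this page)
---
- name: Restart sshd
  ansible.builtin.service:
    name: ssh                           # Ubuntu's unit name; sshd.service is an alias
    state: restarted
```

In `--check` mode the template task reports the pending change without writing the file (so no backup is created and the validate command is not run); the `backup_file` path returned on a real run is what a `rollback.yml` targeting `ssh` can restore.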
```
ubuntu-ansible-hardening/
├─ README.md
├─ LICENSE
├─ ansible.cfg
├─ inventories/
│  ├─ dev/hosts.ini
│  └─ prod/hosts.ini
├─ group_vars/
│  ├─ all.yml
│  └─ dev.yml
├─ roles/
│  ├─ common/
│  ├─ updates/
│  ├─ ssh/
│  ├─ firewall/
│  ├─ sysctl/
│  ├─ audit/
│  ├─ fail2ban/
│  └─ monitoring/
├─ playbooks/
│  ├─ site.yml
│  ├─ harden.yml
│  └─ rollback.yml
├─ templates/
│  ├─ sshd_config.j2
│  ├─ 50-ansible-hardening.conf.j2
│  └─ audit.rules.j2
├─ files/
│  └─ motd/issue.net
├─ molecule/
│  └─ default/
│     ├─ converge.yml
│     ├─ verify.yml
│     ├─ molecule.yml
│     └─ tests/test_default.py
├─ .github/workflows/
│  └─ ci.yml
└─ docs/
   ├─ cis-mapping.md
   ├─ quickstart.md
   └─ troubleshooting.md
```
See docs/cis-mapping.md for a table of controls covered.