This is an Ansible collection that automates security hardening for Linux operating systems, databases, web servers, and SSH services. It provides a declarative, modular architecture that enforces idempotent security configurations, ensuring that each task only applies changes when the current system state deviates from the desired security baseline.
The collection organizes security configurations into reusable Ansible roles, each targeting a specific system component. It includes roles for hardening OpenSSH with key-only authentication and disabled root login, securing MySQL and MariaDB installations with strong authentication and local binding, and configuring Nginx and Apache web servers by disabling server tokens and restricting cipher suites. The roles are designed to work across multiple Linux families, using distribution-specific conditionals and package managers.
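The OpenSSH role described above, written out as an added example playbook rather than the collection's own code: the play name, the `sshd_settings` and `sshd_service_by_family` variable names are my assumptions. It shows the idempotent pattern the text describes (only directives whose current value differs are rewritten), key-only authentication with root login disabled, distribution-specific service names resolved from facts, and a syntax check that rejects a change before the daemon is restarted.

```yaml
# Constructed example (not the collection's own code). Variable and play
# names are assumptions. Enforces key-only SSH authentication with root
# login disabled, changing only the lines that differ from the baseline.
- name: Harden OpenSSH
  hosts: all
  become: true
  vars:
    # Desired sshd directives; override per host or group in inventory.
    # Values are quoted so YAML does not turn "no"/"yes" into booleans.
    sshd_settings:
      PermitRootLogin: "no"
      PasswordAuthentication: "no"
      PubkeyAuthentication: "yes"
      MaxAuthTries: "4"
      X11Forwarding: "no"
    # The service name differs by distribution family.
    sshd_service_by_family:
      Debian: ssh
      RedHat: sshd
      Suse: sshd
  tasks:
    - name: Ensure the OpenSSH server package is present
      ansible.builtin.package:
        name: openssh-server
        state: present

    - name: Enforce each hardened directive (only differing lines are rewritten)
      ansible.builtin.lineinfile:
        path: /etc/ssh/sshd_config
        # Match the directive whether it is active or commented out, so a
        # stock "#PermitRootLogin prohibit-password" is replaced, not duplicated.
        regexp: '^#?\s*{{ item.key }}\s'
        line: "{{ item.key }} {{ item.value }}"
        # sshd's own syntax check runs on the candidate file; if it fails,
        # the original is left untouched and the task errors out.
        validate: /usr/sbin/sshd -t -f %s
      loop: "{{ sshd_settings | dict2items }}"
      notify: Restart sshd

  handlers:
    - name: Restart sshd
      ansible.builtin.service:
        name: "{{ sshd_service_by_family[ansible_facts['os_family']] }}"
        state: restarted
```

Run it first with `ansible-playbook --check --diff` to see which directives would change; a second real run should report zero changed tasks, which is the idempotency check. Two caveats a practitioner would apply: sshd uses the first value it reads for a directive, so on distributions whose `sshd_config` starts with `Include /etc/ssh/sshd_config.d/*.conf` a drop-in there (for example a cloud-init file setting `PasswordAuthentication yes`) overrides a line edited further down, and the hardened settings should then go in a drop-in of their own that sorts first; and the effective configuration is what `sshd -T` prints, so verify with that rather than by reading the file. Confirm a key-based login works before a run that turns password authentication off.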
The collection maps hardening tasks to established security standards such as CIS benchmarks and applies each control through conditional logic inside the relevant role. It generates configuration files from Jinja2 templates driven by variables, so the same role can target different Linux distributions without duplicating tasks. The desired hardened state of a system is defined in YAML inventory variables, and each run converges the target machine toward that state, so re-applying the collection keeps it there.
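The template-plus-variables pattern from this paragraph, as an added example and not the collection's own code: the `webservers` group, the `apache_*` variable names and the `apache_by_family` lookup are my assumptions. One Jinja2 body, driven by inventory variables and distribution facts, produces a hardened Apache drop-in (server tokens off, restricted protocols and cipher suites) on both Debian- and RedHat-family hosts without duplicating tasks. In a role the template body would live in `templates/hardening.conf.j2` and be rendered by `ansible.builtin.template`; here it is inlined through `copy` with `content` so the listing is a single file.

```yaml
# Constructed example (not the collection's own code). Variable names and
# the "webservers" group are assumptions. Renders one Jinja2 template into
# the distribution's Apache drop-in directory and validates the merged
# configuration before the service is restarted.
- name: Harden Apache httpd
  hosts: webservers
  become: true
  vars:
    # Baseline values; override in group_vars or host_vars per environment.
    apache_server_tokens: Prod
    apache_ssl_protocol: "-all +TLSv1.2 +TLSv1.3"
    apache_ssl_cipher_suite: >-
      ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
    # Set to 0 to leave HSTS out of the rendered file.
    apache_hsts_max_age: 31536000
    # Per-family differences are data, resolved from facts, not separate tasks.
    apache_by_family:
      Debian:
        package: apache2
        service: apache2
        conf_dir: /etc/apache2/conf-enabled
      RedHat:
        package: httpd
        service: httpd
        conf_dir: /etc/httpd/conf.d
    apache: "{{ apache_by_family[ansible_facts['os_family']] }}"
  tasks:
    - name: Ensure the web server package is present
      ansible.builtin.package:
        name: "{{ apache.package }}"
        state: present

    - name: Render the hardening drop-in from the inline Jinja2 template
      ansible.builtin.copy:
        dest: "{{ apache.conf_dir }}/zz-hardening.conf"
        owner: root
        group: root
        mode: "0644"
        content: |
          # Managed by Ansible; local edits will be overwritten.
          ServerTokens {{ apache_server_tokens }}
          ServerSignature Off
          TraceEnable Off
          # mod_headers is loaded by default on RedHat but not on Debian;
          # the IfModule guard keeps the file valid on both.
          <IfModule mod_headers.c>
            Header always set X-Content-Type-Options "nosniff"
          {% if apache_hsts_max_age | int > 0 %}
            Header always set Strict-Transport-Security "max-age={{ apache_hsts_max_age }}"
          {% endif %}
          </IfModule>
          # mod_ssl is a separate package on RedHat; only apply when loaded.
          <IfModule mod_ssl.c>
            SSLProtocol {{ apache_ssl_protocol }}
            SSLCipherSuite {{ apache_ssl_cipher_suite }}
            SSLHonorCipherOrder off
          </IfModule>
      notify: Restart Apache

    - name: Verify the merged configuration before the restart handler runs
      ansible.builtin.command: apachectl -t
      changed_when: false

  handlers:
    - name: Restart Apache
      ansible.builtin.service:
        name: "{{ apache.service }}"
        state: restarted
```

Because handlers run at the end of the play, a failed `apachectl -t` stops the run before the restart, so a bad cipher string is caught while the old process is still serving. Overriding `apache_ssl_cipher_suite` or `apache_hsts_max_age` in inventory changes the rendered file without touching the play, which is the separation of desired state from mechanism the paragraph describes.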