rmednitzer/ansible-ops

ansible-ops

Infrastructure automation and configuration management with Ansible, aligned with EU and Austrian regulatory requirements.

Regulatory Scope

This repository enforces technical controls required by:

| Framework | Scope |
|---|---|
| NIS2 Directive (EU 2022/2555) | Art 20–23: risk management, incident handling, reporting |
| NISG 2026 (Austrian transposition) | National NIS2 implementation, effective 2026-10-01 |
| Cyber Resilience Act (EU 2024/2847) | Annex I: secure-by-design, minimal attack surface |
| GDPR (EU 2016/679) / Austrian DSG | Art 5, 25, 32: data protection by design, security of processing |
| ISO/IEC 27001:2022 | Annex A controls (A.5–A.8) |

Controls and policies are defined in docs/compliance-controls.yml and mapped to the regulatory frameworks above.

Getting Started

Prerequisites

Setup

```bash
# Install Galaxy dependencies
ansible-galaxy install -r requirements.yml
```

Usage

```bash
# Dry-run a playbook
ansible-playbook -i inventories/<env>/hosts playbooks/site-common.yml --check --diff

# Run a playbook
ansible-playbook -i inventories/<env>/hosts playbooks/site-common.yml

# Run only compliance-tagged roles
ansible-playbook -i inventories/<env>/hosts playbooks/site-common.yml --tags compliance

# Run specific roles
ansible-playbook -i inventories/<env>/hosts playbooks/site-common.yml --tags ssh,firewall,audit
```

Roles

| Role | Purpose | Key Compliance References |
|---|---|---|
| common | Base packages, timezone, sysctl, kernel/FS hardening, log retention | CTL-002, CTL-003, POL-004, NIS2 Art 21.2(a)(e), GDPR Art 25/32, CRA Annex I |
| users | User accounts, sudo, password policy, account lockout | CTL-001, POL-001, POL-003, NIS2 Art 21.2(i), GDPR Art 32 |
| ntp | Chrony time synchronisation (Austrian/EU NTP pools, NTS) | CTL-003, POL-002, POL-003, ISO 27001 A.8.17 |
| ssh_hardening | SSH server hardening, legal banner, approved ciphers | CTL-001, POL-001, POL-003, NIS2 Art 21.2(h)(i) |
| ufw | UFW firewall with default-deny, IPv6, rate limiting | POL-001, NIS2 Art 21.2(e), GDPR Art 32 |
| fail2ban | Intrusion prevention with recidive jail | POL-002, NIS2 Art 21.2(b) |
| aide | File integrity monitoring (AIDE) | CTL-002, POL-002, POL-003, NIS2 Art 21.2(a), GDPR Art 32 |
| rkhunter | Rootkit detection (hidden processes, kernel modules, signatures) | POL-002, NIS2 Art 21.2(a)(b), GDPR Art 32, ISO 27001 A.8.7 |
| log_forwarding | Centralised log forwarding via rsyslog (TLS) | CTL-002, CTL-003, POL-002, POL-003, NIS2 Art 21.2(a), GDPR Art 5(2) |
| auditd | System audit logging (CIS + NIS2/GDPR rules) | CTL-002, CTL-003, POL-004, POL-005, GDPR Art 5(2), NIS2 Art 21.2(a) |

Repository Structure

```text
inventories/          Per-environment inventory (production, staging, development)
playbooks/            Top-level playbooks
roles/                Custom Ansible roles
  common/             Base system management and hardening
  users/              User management and access control
  ntp/                Time synchronisation (chrony)
  ssh_hardening/      SSH server hardening
  ufw/                UFW firewall
  fail2ban/           Intrusion prevention
  aide/               File integrity monitoring
  rkhunter/           Rootkit detection
  log_forwarding/     Centralised log forwarding
  auditd/             System audit logging
group_vars/           Global group variables
host_vars/            Global host-specific variables
plugins/              Custom filter, module, and lookup plugins
files/                Static files used by playbooks
templates/            Jinja2 templates used by playbooks
```

Evidence and Audit

Each role produces configuration artifacts that serve as compliance evidence:

  • Audit logs (/var/log/audit/) — CIS + NIS2/GDPR rules, immutable
  • AIDE reports (/var/log/aide/) — daily file integrity checks
  • rkhunter reports (/var/log/rkhunter.log) — daily rootkit scans
  • Auth logs — retained per common_log_retention.security_audit (365 days default)
  • SSH banner — legal monitoring notice per GDPR Art 5(2)
  • Sysctl hardening — kernel security parameters per CRA Annex I

Log retention tiers are aligned with CTL-002 evidence retention requirements (see docs/compliance-controls.yml):

  • governance: 10 years (3650 days)
  • incidents: 5 years (1825 days)
  • ci: 3 years (1095 days)
  • dr_tests: 5 years (1825 days)
  • security_audit: 1 year (365 days)
  • operational: 90 days
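As an added example (not code from this repository), the playbook below shows how the retention tiers above and the `--tags compliance` invocation from the Usage section fit together: the run is refused if an inventory sets any tier below its CTL-002 floor, and logrotate policies are then rendered for the evidence logs. The variable layout `common_log_retention.<tier>`, the evidence file paths and the policy file names are assumptions; the tier names and day counts are the ones listed in this README.

```yaml
# Added example, not part of the ansible-ops repository. Assumptions: the
# variable layout common_log_retention.<tier> (days) and the file names are
# hypothetical; tier names and minimum day counts are the README's CTL-002
# values. /var/log/audit is left to auditd's own rotation so it stays immutable.
- name: Apply CTL-002 evidence retention tiers
  hosts: all
  become: true
  tags: [compliance, audit]
  vars:
    # Floors from CTL-002; an environment may raise these, never lower them.
    ctl002_min_retention_days:
      governance: 3650
      incidents: 1825
      ci: 1095
      dr_tests: 1825
      security_audit: 365
      operational: 90
    # Effective tiers; override per environment with -e or vars_files.
    common_log_retention: "{{ ctl002_min_retention_days }}"
    # Evidence logs that logrotate manages, mapped to their retention tier.
    evidence_logs:
      - { path: "/var/log/aide/*.log", name: aide, tier: security_audit }
      - { path: /var/log/rkhunter.log, name: rkhunter, tier: security_audit }
      - { path: /var/log/auth.log, name: auth, tier: security_audit }
  tasks:
    - name: Refuse to run if any tier is below its CTL-002 minimum
      ansible.builtin.assert:
        that: "(common_log_retention[item.key] | int) >= item.value"
        fail_msg: >-
          tier {{ item.key }} is {{ common_log_retention[item.key] }} days,
          CTL-002 requires at least {{ item.value }}
      loop: "{{ ctl002_min_retention_days | dict2items }}"
    - name: Render one logrotate policy per evidence log
      ansible.builtin.copy:
        dest: "/etc/logrotate.d/evidence-{{ item.name }}"
        mode: "0644"
        content: |
          {{ item.path }} {
              daily
              missingok
              notifempty
              compress
              create 0600 root root
              rotate {{ common_log_retention[item.tier] }}
              maxage {{ common_log_retention[item.tier] }}
          }
      loop: "{{ evidence_logs }}"
      loop_control:
        label: "{{ item.path }} ({{ item.tier }})"
```

Running it with `--check --diff` first shows the rendered policies without touching `/etc/logrotate.d`, and a tier override such as `-e '{"common_log_retention": {"security_audit": 30}}'` makes the assert task fail before any file is written.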

License

GNU General Public License v3 - see LICENSE.
