Rebuild any node in the lab from code. This repo holds the inventory, roles, and playbooks that configure every host: baseline hardening, Wazuh agent deployment, and common lab setup. Goal: a freshly installed VM becomes a fully configured, monitored, hardened lab member with one command.
Manually configured systems drift. Code-defined systems are repeatable, auditable, and recoverable. This repo demonstrates:
- CM-2 / CM-3 — configuration baselines defined in code, changes tracked in git
- CM-6 — security configuration enforced idempotently (re-running converges drift back to baseline)
- Disaster recovery: any node can be rebuilt from a clean OS install in minutes
```text
inventory/hosts.yml          # all lab nodes, grouped by role
playbooks/site.yml           # the "configure everything" entry point
playbooks/new-node.yml       # bootstrap a fresh VM into the lab
roles/common_hardening/      # baseline: SSH, updates, firewall, banners
roles/wazuh_agent/           # deploy + enroll the Wazuh agent
```
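As an added illustration of how the inventory and the `site.yml` entry point fit together (example files written for this README, not the repo's own inventory or playbook), the inventory below groups hosts by role and the playbook attaches roles to groups rather than to individual hosts. Hostnames, addresses, group names, the `ansible_user` value and the `wazuh_manager_host` variable are constructed placeholders; the role names match the `roles/` layout above.

```yaml
# --- inventory/hosts.yml (constructed example; hostnames and addresses are placeholders) ---
all:
  vars:
    ansible_user: ansible                      # assumed management account
    ansible_python_interpreter: /usr/bin/python3
    wazuh_manager_host: wazuh.lab.example      # assumed variable consumed by roles/wazuh_agent
  children:
    lab:                      # every lab member: baseline hardening + Wazuh agent
      children:
        servers:
          hosts:
            web01.lab.example:
              ansible_host: 192.0.2.10
            db01.lab.example:
              ansible_host: 192.0.2.11
        workstations:
          hosts:
            ws01.lab.example:
              ansible_host: 192.0.2.20
    wazuh_managers:           # hardened like everything else, but no agent pointed at itself
      hosts:
        wazuh.lab.example:
          ansible_host: 192.0.2.5

# --- playbooks/site.yml (constructed example) ---
# Roles are bound to groups, so a new VM is fully configured simply by being
# placed in the right group; nothing host-specific lives in the playbook.
---
- name: Baseline hardening for every node
  hosts: all
  become: true
  roles:
    - role: common_hardening
      tags: [hardening]

- name: Monitoring agent on all lab members
  hosts: lab
  become: true
  roles:
    - role: wazuh_agent
      tags: [wazuh]
```

Because the playbooks live in `playbooks/` while `roles/` sits at the repo root, Ansible will not find the roles by default (it looks in `playbooks/roles/` and the system role paths); an `ansible.cfg` at the repo root with `roles_path = roles` under `[defaults]` resolves that, and `inventory = inventory/hosts.yml` in the same file makes the `-i` flag optional.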
```bash
# Configure everything (idempotent — safe to re-run):
ansible-playbook -i inventory/hosts.yml playbooks/site.yml

# Bootstrap one new VM:
ansible-playbook -i inventory/hosts.yml playbooks/new-node.yml --limit new-vm-name

# Check mode (what WOULD change — drift detection):
ansible-playbook -i inventory/hosts.yml playbooks/site.yml --check --diff
```

That last command is quietly the most valuable: run on a schedule, `--check --diff` is a free configuration-drift report.
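To show what "idempotent enforcement" and the `--check --diff` drift report look like in practice, here is an added example of what a `common_hardening` task file and its handler could contain (written for this README, not the repo's actual role). Every task states an end state, so a second run changes nothing, and in check mode each task reports `changed` only where the host has drifted; `lineinfile` additionally prints the exact line it would rewrite. The sshd settings, the firewall rule set and the banner text are constructed choices, not the repo's baseline.

```yaml
# --- roles/common_hardening/tasks/main.yml (constructed example) ---
---
- name: Enforce sshd settings
  ansible.builtin.lineinfile:
    path: /etc/ssh/sshd_config
    regexp: '^#?\s*{{ item.key }}\s'          # replaces a commented or active directive in place
    line: '{{ item.key }} {{ item.value }}'
    insertbefore: BOF                         # new directives go to the top, never inside a Match block
    validate: /usr/sbin/sshd -t -f %s         # refuse any edit that sshd itself would not load
  loop:
    - { key: PermitRootLogin, value: 'no' }   # values quoted: an unquoted no becomes boolean False
    - { key: PasswordAuthentication, value: 'no' }
    - { key: X11Forwarding, value: 'no' }
    - { key: MaxAuthTries, value: '4' }
    - { key: Banner, value: /etc/issue.net }
  notify: Restart sshd

- name: Pre-login banner
  ansible.builtin.copy:
    dest: /etc/issue.net
    content: |
      Authorized use only. Activity on this system is monitored.
    owner: root
    group: root
    mode: '0644'

- name: Unattended security updates (Debian family)
  ansible.builtin.apt:
    name: unattended-upgrades
    state: present
    update_cache: true
    cache_valid_time: 3600
  when: ansible_facts['os_family'] == 'Debian'

- name: Allow SSH before the default-deny policy is enabled
  community.general.ufw:
    rule: allow
    port: '22'
    proto: tcp

- name: Default-deny inbound and enable the firewall
  community.general.ufw:
    state: enabled
    policy: deny
    direction: incoming

# --- roles/common_hardening/handlers/main.yml (constructed example) ---
---
- name: Restart sshd
  ansible.builtin.service:
    name: "{{ 'ssh' if ansible_facts['os_family'] == 'Debian' else 'sshd' }}"
    state: restarted
```

Ordering matters in the firewall tasks: the SSH allow rule must exist before `state: enabled` turns on the deny policy, or the run locks you out of the host it is hardening. With `--check --diff`, a host where someone flipped `PasswordAuthentication` back to `yes` shows up as a one-line diff against `/etc/ssh/sshd_config` with `changed=1` in the play recap, which is the signal a scheduled drift job should alert on.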
- Add the DISA STIG role (ansible-lockdown) as a tagged optional layer
- Windows hosts via WinRM (domain join, GPO-adjacent settings)
- Proxmox VM provisioning (community.general.proxmox) so node creation is code too
- CI: run ansible-lint + --check in GitLab CI on every commit
Roles here are starters, not a complete hardening standard. The common_hardening role covers obvious basics; real STIG coverage comes from layering the ansible-lockdown roles on top.