Merge pull request #117 from jackby03/feat/109-ansible-role

Author: jackby03

CHANGELOG.md

@@ -104,6 +104,8 @@ Versioning follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 - `cloud-azure` compliance profile — CIS Azure Foundations Benchmark v2.1, OS hardening for Azure VMs with Azure-specific annotations (NSG, Defender for Cloud, Azure Policy, Disk Encryption, AAD login); includes guidance for Defender for Cloud Secure Score validation ([#108](https://github.com/jackby03/hardbox/issues/108))
 - cloud-init user-data templates for AWS EC2, GCP Compute Engine, and Azure VMs — each template installs hardbox with checksum verification, applies the provider-matched compliance profile on first boot, uploads the HTML audit report to cloud-native object storage (S3 / GCS / Blob), and configures a daily systemd re-hardening timer ([#111](https://github.com/jackby03/hardbox/issues/111))
 - `docs/CLOUD-INIT.md` — usage guide covering quick-start commands, IAM/RBAC requirements, configuration reference, timer management, and troubleshooting for all three cloud-init templates
+- Ansible role (`ansible-role/hardbox/`) — Galaxy-compatible role wrapping the hardbox CLI; supports all profiles, audit-only mode, report fetching, rollback on failure, custom profile upload, and systemd re-hardening timer; includes Molecule integration tests for Ubuntu 22.04, Debian 12, and Rocky Linux 9 ([#109](https://github.com/jackby03/hardbox/issues/109))
+- `docs/ANSIBLE.md` — Ansible role documentation covering installation, variable reference, example playbooks, CI/CD integration, and Molecule test instructions
 
 ### Changed
 - `install.sh` now resolves release assets via GitHub API instead of hardcoded filenames, improving compatibility across release archive naming formats.
@@ -117,7 +119,6 @@ Versioning follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ### Planned for v0.3
 - `nist-800-53` profile
-- Ansible role integration
 - Terraform provisioner plugin
 - cloud-init support
 

ansible-role/hardbox/README.md

@@ -0,0 +1,109 @@
+# Ansible Role: hardbox
+
+[![Ansible Galaxy](https://img.shields.io/badge/galaxy-jackby03.hardbox-blue)](https://galaxy.ansible.com/jackby03/hardbox)
+[![License: MIT](https://img.shields.io/badge/License-MIT-green.svg)](../../LICENSE)
+
+Installs and runs [hardbox](https://github.com/jackby03/hardbox) — a Linux OS hardening tool with built-in compliance profiles.
+
+## Requirements
+
+- Ansible >= 2.14
+- Target hosts: Ubuntu 20.04/22.04, Debian 11/12, RHEL/Rocky/AlmaLinux 8/9
+- Become (sudo) access on target hosts
+
+## Role Variables
+
+See [`defaults/main.yml`](defaults/main.yml) for the full list with inline documentation.
+
+| Variable | Default | Description |
+|---|---|---|
+| `hardbox_version` | `"latest"` | Release tag or `"latest"` |
+| `hardbox_profile` | `"production"` | Compliance profile to apply |
+| `hardbox_apply` | `true` | Apply hardening (`true`) or audit-only (`false`) |
+| `hardbox_dry_run` | `false` | Dry-run mode — preview changes without applying |
+| `hardbox_report_format` | `"html"` | Report format: `html`, `json`, `text`, `markdown` |
+| `hardbox_report_dir` | `/var/lib/hardbox/reports` | Report directory on target host |
+| `hardbox_fetch_report` | `false` | Fetch report to Ansible controller |
+| `hardbox_fetch_report_dest` | `"{{ playbook_dir }}/hardbox-reports"` | Local report destination |
+| `hardbox_rollback_on_failure` | `true` | Roll back on apply failure |
+| `hardbox_timer_enabled` | `false` | Install systemd re-hardening timer |
+| `hardbox_timer_schedule` | `"daily"` | systemd OnCalendar schedule |
+| `hardbox_fail_on_critical` | `true` | Fail play on critical findings |
+| `hardbox_fail_on_high` | `true` | Fail play on high findings |
+
+## Example Playbooks
+
+### Minimal — apply CIS Level 1 baseline
+
+```yaml
+- hosts: all
+  become: true
+  roles:
+    - role: jackby03.hardbox
+      vars:
+        hardbox_profile: cis-level1
+```
+
+### Audit-only — check compliance without changing anything
+
+```yaml
+- hosts: production
+  become: true
+  roles:
+    - role: jackby03.hardbox
+      vars:
+        hardbox_profile: pci-dss
+        hardbox_apply: false
+        hardbox_fetch_report: true
+        hardbox_report_format: html
+```
+
+### Cloud AWS — harden and fetch report
+
+```yaml
+- hosts: aws_ec2
+  become: true
+  roles:
+    - role: jackby03.hardbox
+      vars:
+        hardbox_profile: cloud-aws
+        hardbox_report_format: json
+        hardbox_fetch_report: true
+        hardbox_timer_enabled: true
+        hardbox_timer_schedule: "daily"
+```
+
+### Pin version and use custom profile
+
+```yaml
+- hosts: all
+  become: true
+  roles:
+    - role: jackby03.hardbox
+      vars:
+        hardbox_version: "v0.3.0"
+        hardbox_custom_profile_src: files/my-profile.yaml
+        hardbox_fetch_report: true
+```
+
+## Galaxy Installation
+
+```bash
+ansible-galaxy role install jackby03.hardbox
+```
+
+Or add to `requirements.yml`:
+
+```yaml
+roles:
+  - name: jackby03.hardbox
+    version: ">=0.3.0"
+```
+
+```bash
+ansible-galaxy install -r requirements.yml
+```
+
+## License
+
+MIT — see [LICENSE](../../LICENSE).

ansible-role/hardbox/defaults/main.yml

@@ -0,0 +1,76 @@
+---
+# -------------------------------------------------------------------------
+# hardbox Ansible role — default variables
+# Override any of these in host_vars, group_vars, or the playbook vars block.
+# -------------------------------------------------------------------------
+
+# --- Installation ---
+# hardbox release to install. Use "latest" to always fetch the newest release,
+# or pin to a specific tag (e.g. "v0.3.0") for reproducible deployments.
+hardbox_version: "latest"
+
+# Directory where the hardbox binary is installed.
+hardbox_install_dir: /usr/local/bin
+
+# Temporary directory used during download and checksum verification.
+hardbox_tmp_dir: /tmp
+
+# --- Profile ---
+# Compliance profile to apply. Any profile shipped in configs/profiles/ is valid.
+# Common values: cis-level1, cis-level2, pci-dss, stig, hipaa, iso27001,
+#                nist-800-53, cloud-aws, cloud-gcp, cloud-azure,
+#                production, development
+hardbox_profile: production
+
+# Path to a custom profile YAML to copy to the target host.
+# When set, this file is uploaded and --profile is pointed at it.
+# Leave empty ("") to use one of the built-in profiles.
+hardbox_custom_profile_src: ""
+
+# --- Run mode ---
+# Whether to actually apply hardening (true) or only run an audit (false).
+hardbox_apply: true
+
+# Pass --dry-run to hardbox — show what would change without applying.
+hardbox_dry_run: false
+
+# Pass --non-interactive so hardbox never prompts (required in Ansible).
+hardbox_non_interactive: true
+
+# --- Reporting ---
+# Report output format: html | json | text | markdown
+hardbox_report_format: html
+
+# Directory on the target host where reports are stored.
+hardbox_report_dir: /var/lib/hardbox/reports
+
+# Fetch the generated report back to the Ansible controller.
+hardbox_fetch_report: false
+
+# Local directory on the Ansible controller to store fetched reports.
+hardbox_fetch_report_dest: "{{ playbook_dir }}/hardbox-reports"
+
+# --- Audit thresholds ---
+# Fail the play if hardbox exits with critical/high findings.
+# Mirrors the audit.fail_on_* settings in the profile YAML.
+hardbox_fail_on_critical: true
+hardbox_fail_on_high: true
+hardbox_fail_on_medium: false
+
+# --- Rollback ---
+# Run `hardbox rollback apply --last` on failure (via rescue block).
+hardbox_rollback_on_failure: true
+
+# --- Periodic re-hardening (systemd timer) ---
+# Install a systemd timer that re-runs hardbox apply on a schedule.
+hardbox_timer_enabled: false
+
+# OnCalendar value for the systemd timer (systemd time syntax).
+hardbox_timer_schedule: "daily"
+
+# OnBootSec — delay after boot before the first run.
+hardbox_timer_on_boot_sec: "5min"
+
+# --- Upgrade ---
+# Re-install hardbox even if the binary is already present at the target version.
+hardbox_force_reinstall: false

ansible-role/hardbox/handlers/main.yml

@@ -0,0 +1,17 @@
+---
+# hardbox Ansible role — handlers
+
+- name: Verify hardbox installation
+  ansible.builtin.command: "{{ _hardbox_bin }} version"
+  changed_when: false
+  become: true
+
+- name: Reload systemd daemon
+  ansible.builtin.systemd:
+    daemon_reload: true
+
+- name: Restart hardbox timer
+  ansible.builtin.systemd:
+    name: hardbox-harden.timer
+    state: restarted
+    enabled: true

ansible-role/hardbox/meta/main.yml

@@ -0,0 +1,36 @@
+---
+galaxy_info:
+  role_name: hardbox
+  author: jackby03
+  description: >
+    Ansible role to install, configure, and run hardbox — a Linux system
+    hardening tool with built-in compliance profiles (CIS, NIST, STIG,
+    PCI-DSS, HIPAA, ISO 27001, and cloud provider benchmarks).
+  license: MIT
+  min_ansible_version: "2.14"
+
+  platforms:
+    - name: Ubuntu
+      versions:
+        - jammy       # 22.04 LTS
+        - focal       # 20.04 LTS
+    - name: Debian
+      versions:
+        - bullseye    # 11
+        - bookworm    # 12
+    - name: EL
+      versions:
+        - "8"
+        - "9"
+
+  galaxy_tags:
+    - security
+    - hardening
+    - compliance
+    - cis
+    - nist
+    - stig
+    - pci
+    - hipaa
+
+dependencies: []

ansible-role/hardbox/molecule/default/converge.yml

@@ -0,0 +1,14 @@
+---
+- name: Converge
+  hosts: all
+  become: true
+
+  pre_tasks:
+    - name: Update apt cache (Debian/Ubuntu)
+      ansible.builtin.apt:
+        update_cache: true
+        cache_valid_time: 3600
+      when: ansible_os_family == "Debian"
+
+  roles:
+    - role: hardbox

ansible-role/hardbox/molecule/default/molecule.yml

@@ -0,0 +1,57 @@
+---
+dependency:
+  name: galaxy
+
+driver:
+  name: docker
+
+platforms:
+  - name: hardbox-ubuntu-2204
+    image: geerlingguy/docker-ubuntu2204-ansible:latest
+    pre_build_image: true
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    cgroupns_mode: host
+    command: /lib/systemd/systemd
+
+  - name: hardbox-debian-12
+    image: geerlingguy/docker-debian12-ansible:latest
+    pre_build_image: true
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    cgroupns_mode: host
+    command: /lib/systemd/systemd
+
+  - name: hardbox-rockylinux-9
+    image: geerlingguy/docker-rockylinux9-ansible:latest
+    pre_build_image: true
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    cgroupns_mode: host
+    command: /lib/systemd/systemd
+
+provisioner:
+  name: ansible
+  playbooks:
+    converge: converge.yml
+    verify: verify.yml
+  inventory:
+    group_vars:
+      all:
+        hardbox_profile: cis-level1
+        hardbox_apply: true
+        hardbox_dry_run: true         # use dry-run in CI to avoid kernel changes in containers
+        hardbox_fetch_report: false
+        hardbox_fail_on_critical: false  # containers lack some kernel features; relax thresholds
+        hardbox_fail_on_high: false
+
+verifier:
+  name: ansible
+
+lint: |
+  set -e
+  yamllint .
+  ansible-lint

ansible-role/hardbox/molecule/default/verify.yml

@@ -0,0 +1,53 @@
+---
+- name: Verify
+  hosts: all
+  become: true
+
+  tasks:
+    - name: Check hardbox binary is installed
+      ansible.builtin.stat:
+        path: /usr/local/bin/hardbox
+      register: _hardbox_bin_stat
+
+    - name: Assert hardbox binary exists and is executable
+      ansible.builtin.assert:
+        that:
+          - _hardbox_bin_stat.stat.exists
+          - _hardbox_bin_stat.stat.executable
+        fail_msg: "hardbox binary not found or not executable at /usr/local/bin/hardbox"
+
+    - name: Run hardbox version
+      ansible.builtin.command: /usr/local/bin/hardbox version
+      register: _hardbox_version_output
+      changed_when: false
+
+    - name: Assert hardbox version output is non-empty
+      ansible.builtin.assert:
+        that:
+          - _hardbox_version_output.rc == 0
+          - _hardbox_version_output.stdout | length > 0
+        fail_msg: "hardbox version command failed: {{ _hardbox_version_output.stderr }}"
+
+    - name: Check report directory exists
+      ansible.builtin.stat:
+        path: /var/lib/hardbox/reports
+      register: _hardbox_report_dir
+
+    - name: Assert report directory exists with correct permissions
+      ansible.builtin.assert:
+        that:
+          - _hardbox_report_dir.stat.exists
+          - _hardbox_report_dir.stat.isdir
+          - _hardbox_report_dir.stat.mode == "0750"
+        fail_msg: "Report directory /var/lib/hardbox/reports missing or has wrong permissions"
+
+    - name: Find generated report files
+      ansible.builtin.find:
+        paths: /var/lib/hardbox/reports
+        patterns: "hardbox-*.html"
+      register: _hardbox_reports
+
+    - name: Assert at least one report was generated
+      ansible.builtin.assert:
+        that: _hardbox_reports.matched >= 1
+        fail_msg: "No hardbox report files found in /var/lib/hardbox/reports"