Ansible Security Compliance Playbooks

Client: AI | Published: 11.04.2026
Budget: 30 $

I need a seasoned Ansible engineer to translate security-compliance standards into clean, reusable Infrastructure-as-Code. We have no existing policies, so you’ll start from a blank slate: shape the baseline, write the roles, and wire everything into version control.

Scope
• Analyse our Linux fleet (mostly RHEL, CentOS and Ubuntu) and pinpoint the controls we must meet—CIS benchmarks, NIST 800-53 or similar.
• Draft a security baseline proposal for sign-off, then codify it as Ansible roles, playbooks and variables.
• Build idempotent tasks for hardening, user and group governance, privileged escalation restrictions, patch enforcement, log/audit configuration, encryption settings and firewall rules—prioritising compliance over simple configuration.
• Create a staging inventory and Molecule tests so every change is verifiable in CI/CD (GitLab CI preferred, but open to alternatives).
• Deliver human-readable documentation covering what each role does, how to run it, and how to roll back.

Acceptance criteria
1. All roles run cleanly with ansible-lint and yamllint.
2. Molecule test suite passes against at least two major OS images.
3. A demo run produces no “changed” tasks on the second pass.
4. Compliance scan (OpenSCAP or your suggested tool) shows the defined benchmark at ≥ 95 % score.

Hand-off items
• Git repo (playbooks, roles, tests, README).
• PDF/Markdown summary mapping each control to its Ansible implementation.

If you thrive on security automation and can back up each task with solid tests, let’s talk timelines and milestones.