diff --git a/dolibarr/ansible/harden.yml b/dolibarr/ansible/harden.yml
new file mode 100644
index 0000000..1082960
--- /dev/null
+++ b/dolibarr/ansible/harden.yml
@@ -0,0 +1,32 @@
+# SPDX-FileCopyrightText: 2023 Aravinth Manivannan
+#
+# SPDX-License-Identifier: AGPL-3.0-or-later
+ --- - name: Baseline security compliance
+ hosts: all
+ remote_user: debian
+ become: true
+ pre_tasks:
+ - name: Ensure all VMs are reachable
+ ansible.builtin.ping:
+ collections:
+ - devsec.hardening
+ roles:
+ - devsec.hardening.os_hardening
+ - ssh_hardening
+ vars:
+ - ssh_allow_tcp_forwarding: no
+ - ssh_allow_agent_forwarding: false
+ - ssh_x11_forwarding: false
+ - ssh_server_password_login: false
+ - os_filesystem_whitelist: vfat
+ - sysctl_overwrite:
+ - net.ipv6.conf.default.autoconf: 0
+ - net.ipv6.conf.all.autoconf: 0
+ - net.ipv6.conf.all.router_solicitations: 0
+ - net.bridge.bridge-nf-call-iptables: 1
+ - net.bridge.bridge-nf-call-ip6tables: 1
+ - net.ipv4.ip_forward: 1
+ - fs.protected_symlinks: 1
+ - fs.protected_hardlinks: 1
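Review bot: `sysctl_overwrite` is given as a sequence of one-key mappings (`- net.ipv6.conf.default.autoconf: 0` …) while the devsec os_hardening role merges it as a mapping over its own sysctl defaults, so the list form is likely to fail at that merge or be ignored rather than applied; `vars:` itself is also a list of one-key mappings, which Ansible accepts but newer ansible-core releases appear to deprecate in favour of a single mapping (this rendering has lost indentation, so the nesting is inferred from line order). `ssh_allow_tcp_forwarding: no` is inconsistent with its three `false` siblings — Ansible's YAML 1.1 loader reads bare `no` as boolean false and yamllint's truthy rule flags it — so write `false`, or `'no'` if the role expects the sshd keyword string (confirm against its defaults). `os_filesystem_whitelist: vfat` is presumably meant as a list (`[vfat]`), since the role documents that variable as a list; a bare string may not whitelist vfat as intended. `net.ipv4.ip_forward: 1` together with the `bridge-nf-call-*` keys turns on routing on an otherwise hardened host and deserves a why-comment, e.g. `# ip_forward/bridge-nf-call-*: only needed if this host bridges container traffic; confirm before reusing this play`. The rewrite below restates the `vars` stanza as a single mapping; `roles:` could likewise name `devsec.hardening.ssh_hardening` in full rather than relying on the `collections:` search path for the second entry.
```yaml
# … unchanged: play header, pre_tasks, collections, roles …
  vars:
    ssh_allow_tcp_forwarding: false  # use 'no' instead if the role expects the sshd keyword string
    ssh_allow_agent_forwarding: false
    ssh_x11_forwarding: false
    ssh_server_password_login: false
    os_filesystem_whitelist:
      - vfat
    # ip_forward/bridge-nf-call-*: only needed if this host bridges container
    # traffic; confirm before reusing this play on other hosts
    sysctl_overwrite:
      net.ipv6.conf.default.autoconf: 0
      net.ipv6.conf.all.autoconf: 0
      net.ipv6.conf.all.router_solicitations: 0
      net.bridge.bridge-nf-call-iptables: 1
      net.bridge.bridge-nf-call-ip6tables: 1
      net.ipv4.ip_forward: 1
      fs.protected_symlinks: 1
      fs.protected_hardlinks: 1
```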