diff --git a/README.md b/README.md index 5bd9eea..cdc2cd6 100644 --- a/README.md +++ b/README.md @@ -76,6 +76,9 @@ The easiest way to get an Algo server running is to run it on your local system source .env/bin/activate && python3 -m pip install -U pip virtualenv && python3 -m pip install -r requirements.txt + + ansible-galaxy install dev-sec.os-hardening + ansible-galaxy install dev-sec.ssh-hardening ``` On Fedora add the option `--system-site-packages` to the first command above. On macOS install the C compiler if prompted. diff --git a/input.yml b/input.yml index 8dd5ae7..8e8eecb 100644 --- a/input.yml +++ b/input.yml @@ -10,6 +10,7 @@ dns_adblocking: false ssh_tunneling: false store_pki: false + armbian: false providers_map: - { name: DigitalOcean, alias: digitalocean } - { name: Amazon Lightsail, alias: lightsail } @@ -52,6 +53,7 @@ when: - server_name is undefined - algo_provider != "local" + - block: - name: Cellular On Demand prompt pause: @@ -138,5 +140,6 @@ {% if ipsec_enabled %}{%- if store_pki is defined %}{{ store_pki | bool }} {%- elif _store_pki.user_input is defined %}{{ booleans_map[_store_pki.user_input] | default(defaults['store_pki']) }} {%- else %}false{% endif %}{% endif %} + rescue: - include_tasks: playbooks/rescue.yml diff --git a/playbooks/cloud-post.yml b/playbooks/cloud-post.yml index 1495473..ec91de1 100644 --- a/playbooks/cloud-post.yml +++ b/playbooks/cloud-post.yml @@ -19,6 +19,7 @@ algo_dns_adblocking: "{{ algo_dns_adblocking }}" algo_ssh_tunneling: "{{ algo_ssh_tunneling }}" algo_store_pki: "{{ algo_store_pki }}" + algo_armbian: "{{ algo_armbian }}" IP_subject_alt_name: "{{ IP_subject_alt_name }}" cloudinit: "{{ cloudinit|default(false) }}" diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 0233096..2ebf19e 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml 
@@ -18,7 +18,7 @@ - name: Sysctl tuning sysctl: name="{{ item.item }}" value="{{ item.value }}" - when: item.item + when: item and item.item with_items: - "{{ sysctl|default([]) }}" tags: diff --git a/roles/common/tasks/ubuntu.yml b/roles/common/tasks/ubuntu.yml index 97c8616..4b3c48d 100644 --- a/roles/common/tasks/ubuntu.yml +++ b/roles/common/tasks/ubuntu.yml @@ -36,6 +36,32 @@ become: false when: algo_provider != "local" +# the dev-sec.os-hardening role overwrites our users fact in 'Get user accounts | os-09'. It's not clear why this is +# happening, but as a workaround, save a temporary copy of the users variable so that it can be restored afterwards + +- name: save a temporary copy of users + set_fact: + algo_users: "{{ users }}" + +- name: dev-sec.os-hardening + import_role: + name: dev-sec.os-hardening + vars: + sysctl_overwrite: + net.ipv4.ip_forward: 1 + net.ipv4.conf.all.forwarding: 1 + net.ipv6.conf.all.forwarding: "{{ '1' if ipv6_support else '0' }}" + tags: os-hardening + +- name: restore users variable to its proper value + set_fact: + users: "{{ algo_users }}" + +- name: dev-sec.ssh-hardening + import_role: + name: dev-sec.ssh-hardening + tags: ssh-hardening + - name: Include unatteded upgrades configuration import_tasks: unattended-upgrades.yml @@ -72,8 +98,7 @@ - name: Set fact if apparmor enabled set_fact: - apparmor_enabled: true - when: '"profiles are in enforce mode" in apparmor_status.stdout' + apparmor_enabled: "{{ not apparmor_status.failed and 'profiles are in enforce mode' in apparmor_status.stdout }} " - name: Gather additional facts import_tasks: facts.yml @@ -110,7 +135,9 @@ - linux-headers-generic - "linux-headers-{{ ansible_kernel }}" state: present - when: install_headers + when: + - not algo_armbian + - install_headers - include_tasks: iptables.yml tags: iptables diff --git a/roles/dns/tasks/ubuntu.yml b/roles/dns/tasks/ubuntu.yml index dfe172d..39a6c6e 100644 --- a/roles/dns/tasks/ubuntu.yml +++ b/roles/dns/tasks/ubuntu.yml 
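Review bot: The reason an entry of `sysctl` can be empty is not visible anywhere near the new `when: item and item.item` guard, so a one-line why-comment above it (`# skip empty entries — <where they come from>`) would save the next reader from re-deriving it. While touching the task, the module args are still in `key=value` shorthand (`sysctl: name="{{ item.item }}" value="{{ item.value }}"`), which the rest of this diff avoids; block YAML is the Ansible convention and sidesteps shell-style quoting: `sysctl:` / `  name: "{{ item.item }}"` / `  value: "{{ item.value }}"`. Note the guard still assumes `item.value` is present whenever `item.item` is, which is the same contract as before, so only flagging it if malformed overrides are expected.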
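Review bot: `dev-sec.ssh-hardening` is imported with no `vars:`, so the role's own defaults decide the final sshd_config; as far as I recall upstream's defaults disable TCP forwarding and root login, which collides with this playbook's `algo_ssh_tunneling` feature and with the `ansible_ssh_user` fallback to `root` in roles/local/tasks/prompts.yml — confirm against the role version actually installed and, if so, pass `ssh_allow_tcp_forwarding: "{{ algo_ssh_tunneling | bool }}"` (or the yes/no/local/remote keyword form, depending on the role version) plus the matching root-login override. Both roles are also installed unpinned (`ansible-galaxy install dev-sec.os-hardening` per the README change) and they rewrite sshd_config, login/PAM settings and sysctl as root on every deploy, so pin them to a reviewed release in a `requirements.yml` (`- src: dev-sec.os-hardening` / `  version: x.y.z`) so a Galaxy update cannot silently change the server's hardening or lock you out. The `sysctl_overwrite` block keeps forwarding on, but if the os-hardening version in use ships an IPv6-disabling default, `ipv6_support` would need the equivalent override too — verify. Saving/restoring `users` around the role with a comment admitting the cause is unknown is fine as a workaround, but the comment should name the role version it was observed with so the hack can be retired when it no longer reproduces.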
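Review bot: The new `apparmor_enabled` expression has a trailing space inside the closing quotes (`... in apparmor_status.stdout }} "`), so the fact is stored as the string `"True "` / `"False "` rather than a boolean — set_fact only coerces exact true/false-looking strings, and a non-empty string is likely to read as true in a bare `when: apparmor_enabled`, meaning AppArmor-only tasks would run on hosts where no profile is in enforce mode. Drop the space: `apparmor_enabled: "{{ not apparmor_status.failed and 'profiles are in enforce mode' in apparmor_status.stdout }}"`. This also relies on the task that registers `apparmor_status` not aborting the play on failure (`ignore_errors`/`failed_when: false`) so that `.failed` is ever true rather than fatal; that task is outside the hunk, so confirm.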
@@ -8,6 +8,7 @@ until: result is succeeded retries: 10 delay: 3 + when: not algo_armbian - name: Install dnscrypt-proxy apt: @@ -22,6 +23,7 @@ owner: root group: root mode: 0644 + when: not algo_armbian - block: - name: Ubuntu | Configure AppArmor policy for dnscrypt-proxy diff --git a/roles/local/tasks/prompts.yml b/roles/local/tasks/prompts.yml index fa085ec..bd69ee9 100644 --- a/roles/local/tasks/prompts.yml +++ b/roles/local/tasks/prompts.yml @@ -21,12 +21,23 @@ register: _algo_ssh_user when: ssh_user is undefined + - name: Armbian prompt + pause: + prompt: | + Is this an Armbian host? + [y/N] + register: _armbian + when: + - armbian is undefined + - algo_provider == "local" + - name: Set the facts set_fact: ansible_ssh_user: >- {% if ssh_user is defined %}{{ ssh_user }} {%- elif _algo_ssh_user.user_input %}{{ _algo_ssh_user.user_input }} {%- else %}root{% endif %} + when: cloud_instance_ip != "localhost" - pause: @@ -42,3 +53,7 @@ {% if endpoint is defined %}{{ endpoint }} {%- elif _endpoint.user_input %}{{ _endpoint.user_input }} {%- else %}{{ cloud_instance_ip }}{% endif %} + algo_armbian: >- + {% if armbian is defined %}{{ armbian | bool }} + {%- elif _armbian.user_input is defined %}{{ booleans_map[_armbian.user_input] | default(defaults['armbian']) }} + {%- else %}false{% endif %} diff --git a/roles/wireguard/tasks/armbian.yml b/roles/wireguard/tasks/armbian.yml new file mode 100644 index 0000000..6df7164 --- /dev/null +++ b/roles/wireguard/tasks/armbian.yml @@ -0,0 +1,16 @@ +--- +- name: WireGuard installed + apt: + name: wireguard-tools + state: present + update_cache: true + +- name: WireGuard reload-module-on-update + file: + dest: /etc/wireguard/.reload-module-on-update + state: touch + +- name: Set OS specific facts + set_fact: + service_name: "wg-quick@{{ wireguard_interface }}" + tags: always diff --git a/roles/wireguard/tasks/main.yml b/roles/wireguard/tasks/main.yml index 4e38762..0576b23 100644 --- a/roles/wireguard/tasks/main.yml 
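Review bot: On Armbian the two tasks now guarded with `when: not algo_armbian` — the retried one (presumably the repository/PPA add) and the root-owned 0644 file (presumably apt pinning) — are skipped, but `Install dnscrypt-proxy` still runs, so Armbian hosts get whichever dnscrypt-proxy the base distro ships, unpinned and with no check that it is recent enough for the configuration this role writes. A comment above the install task stating that this is intended and which minimum version is assumed (`# Armbian: no PPA/pinning, the distro dnscrypt-proxy (>= X) is used as-is`) would make the trade-off explicit, and a `failed_when`/version check would make it enforceable. The names of the skipped tasks are outside the hunk, so their purpose is inferred from the retry and ownership pattern — confirm.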
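Review bot: The `when: cloud_instance_ip != "localhost"` added to `Set the facts` is unrelated to Armbian and changes every local run — `ansible_ssh_user` is no longer set when targeting localhost — yet nothing explains it; add a why-comment such as `# local connection: there is no SSH user to set for localhost` if that is the reason. The Armbian prompt only runs for `algo_provider == "local"`, so for other providers `_armbian.user_input` is undefined and the `algo_armbian` template falls to `false`; that is consistent with the `armbian: false` default added to input.yml, but a one-line comment on the prompt (`# only meaningful for local installs`) would make the asymmetry with the neighbouring prompts explicit.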
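Review bot: `state: touch` on `/etc/wireguard/.reload-module-on-update` reports changed on every run, so the play is never idempotent on Armbian; add `modification_time: preserve` and `access_time: preserve` to the `file` task (Ansible >= 2.7) so an existing marker is left alone. As far as I recall that marker is the hook Debian's wireguard-dkms postinst checks before reloading the module, but this file installs only `wireguard-tools` — consistent with the linux-headers install being skipped for Armbian, which suggests the module ships with the kernel — so the touch is probably inert here; if it is kept, say why in a comment (`# harmless without a dkms package; triggers a module reload after a dkms rebuild`). `update_cache: true` with no `cache_valid_time` also refreshes apt on every run, and unlike the dns role's apt tasks in this same diff there is no `register`/`until: result is succeeded` retry around a network operation.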
+++ b/roles/wireguard/tasks/main.yml @@ -12,9 +12,14 @@ delegate_to: localhost become: false +- name: Include tasks for Armbian + include_tasks: armbian.yml + when: algo_armbian and (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') + tags: always + - name: Include tasks for Ubuntu include_tasks: ubuntu.yml - when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu' + when: not algo_armbian and (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu') tags: always - name: Include tasks for FreeBSD diff --git a/server.yml b/server.yml index 782d713..eae4864 100644 --- a/server.yml +++ b/server.yml @@ -83,6 +83,7 @@ algo_dns_adblocking: {{ algo_dns_adblocking }} algo_ssh_tunneling: {{ algo_ssh_tunneling }} algo_store_pki: {{ algo_store_pki }} + algo_armbian: {{ algo_armbian }} IP_subject_alt_name: {{ IP_subject_alt_name }} ipsec_enabled: {{ ipsec_enabled }} wireguard_enabled: {{ wireguard_enabled }}
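Review bot: Both include conditions now dereference `algo_armbian` unguarded, so any run where that fact is not set (it only reaches this role through the lines added to server.yml and cloud-post.yml in this same commit; a caller that reaches the role without going through the prompts will not have it) fails with an undefined-variable error instead of taking the Ubuntu path as before. Use a default in both `when:` lines, e.g. `when: not (algo_armbian | default(false)) and (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu')` and `when: (algo_armbian | default(false)) and (ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu')`, which keeps the old behaviour when the fact is absent. The two distro checks are identical; a short comment noting that armbian.yml and ubuntu.yml are mutually exclusive alternatives for the same distributions would help.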