diff --git a/etc/kayobe/environments/stack-security/compute.yml b/etc/kayobe/environments/stack-security/compute.yml
new file mode 100644
index 000000000..286c86304
--- /dev/null
+++ b/etc/kayobe/environments/stack-security/compute.yml
@@ -0,0 +1,23 @@
+---
+###############################################################################
+# Compute node firewalld configuration.
+
+# Whether to install and enable firewalld.
+compute_firewalld_enabled: true
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+compute_firewalld_zones: "{{ stackhpc_firewalld_zones }}"
+
+# A firewalld zone to set as the default. Default is unset, in which case
+# the default zone will not be changed.
+# Predefined zones are listed here:
+# https://firewalld.org/documentation/zone/predefined-zones.html
+compute_firewalld_default_zone: trusted
+
+# A list of firewall rules to apply. Each item is a dict containing
+# arguments to pass to the firewalld module. Arguments are omitted if not
+# provided, with the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+compute_firewalld_rules: "{{ stackhpc_firewalld_rules }}"
diff --git a/etc/kayobe/environments/stack-security/controllers.yml b/etc/kayobe/environments/stack-security/controllers.yml
new file mode 100644
index 000000000..1a02bddef
--- /dev/null
+++ b/etc/kayobe/environments/stack-security/controllers.yml
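Review bot: `compute_firewalld_default_zone: trusted` makes every interface that `stackhpc_firewalld_zones` does not explicitly bind accept all traffic, because firewalld's trusted zone applies no restrictions, and the comment above it ("Default is unset, in which case the default zone will not be changed") is the upstream default's wording and no longer describes this value. If the intent is that only the zones listed in `stackhpc_firewalld_zones` are open, a restrictive default (`public` or `drop`) fails closed when an interface is added without a zone binding, with `trusted` assigned per interface in that list instead; that variable is not in this diff, so if its bindings cover every interface this is a documentation point only. Either way the comment should give the reason, e.g. `# Unbound interfaces fall into 'trusted' (all traffic accepted); every interface that must be filtered has to be bound to a zone in stackhpc_firewalld_zones.` The same value and comment appear in controllers.yml, infra-vms.yml, monitoring.yml, seed-hypervisor.yml, seed.yml and storage.yml.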
@@ -0,0 +1,23 @@
+---
+###############################################################################
+# Controller node firewalld configuration.
+
+# Whether to install and enable firewalld.
+controller_firewalld_enabled: true
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+controller_firewalld_zones: "{{ stackhpc_firewalld_zones }}"
+
+# A firewalld zone to set as the default. Default is unset, in which case
+# the default zone will not be changed.
+# Predefined zones are listed here:
+# https://firewalld.org/documentation/zone/predefined-zones.html
+controller_firewalld_default_zone: trusted
+
+# A list of firewall rules to apply. Each item is a dict containing
+# arguments to pass to the firewalld module. Arguments are omitted if not
+# provided, with the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+controller_firewalld_rules: "{{ stackhpc_firewalld_rules }}"
diff --git a/etc/kayobe/environments/stack-security/infra-vms.yml b/etc/kayobe/environments/stack-security/infra-vms.yml
new file mode 100644
index 000000000..11f5ae395
--- /dev/null
+++ b/etc/kayobe/environments/stack-security/infra-vms.yml
@@ -0,0 +1,23 @@
+---
+###############################################################################
+# Infrastructure VM node firewalld configuration
+
+# Whether to install and enable firewalld.
+infra_vm_firewalld_enabled: true
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+infra_vm_firewalld_zones: "{{ stackhpc_firewalld_zones }}"
+
+# A firewalld zone to set as the default. Default is unset, in which case
+# the default zone will not be changed.
+# Predefined zones are listed here:
+# https://firewalld.org/documentation/zone/predefined-zones.html
+infra_vm_firewalld_default_zone: trusted
+
+# A list of firewall rules to apply. Each item is a dict containing
+# arguments to pass to the firewalld module. Arguments are omitted if not
+# provided, with the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+infra_vm_firewalld_rules: "{{ stackhpc_firewalld_rules }}"
diff --git a/etc/kayobe/environments/stack-security/inventory/group_vars/overcloud/proxy.yml b/etc/kayobe/environments/stack-security/inventory/group_vars/overcloud/proxy.yml
new file mode 100644
index 000000000..c76f33f7d
--- /dev/null
+++ b/etc/kayobe/environments/stack-security/inventory/group_vars/overcloud/proxy.yml
@@ -0,0 +1,32 @@
+---
+# HTTP proxy URL (format: http(s)://[user:password@]proxy_name:port). By
+# default no proxy is used.
+http_proxy: "http://{{ admin_oc_net_name | net_ip(inventory_hostname=groups['seed'][0]) }}:3128"
+
+# HTTPS proxy URL (format: http(s)://[user:password@]proxy_name:port). By
+# default no proxy is used.
+https_proxy: "{{ http_proxy }}"
+
+# List of domains, hostnames, IP addresses and networks for which no proxy is
+# used. Defaults to ["127.0.0.1", "localhost", "{{ ('http://' ~
+# docker_registry) | urlsplit('hostname') }}"] if docker_registry is set, or
+# ["127.0.0.1", "localhost"] otherwise. This is configured only if either
+# http_proxy or https_proxy is set.
+no_proxy:
+ - "127.0.0.1"
+ - "localhost"
+ - "{{ ('http://' ~ docker_registry) | urlsplit('hostname') if docker_registry else '' }}"
+ - "{{ lookup('vars', admin_oc_net_name ~ '_ips')[groups.seed.0] }}"
+ - "{{ lookup('vars', admin_oc_net_name ~ '_ips')[inventory_hostname] }}"
+ - "{{ lookup('vars', internal_net_name ~ '_ips')[groups.controllers.0] }}"
+ - "{{ kolla_external_fqdn }}"
+ - "{{ kolla_internal_fqdn }}"
+
+# PyPI proxy URL (format: http(s)://[user:password@]proxy_name:port)
+pip_proxy: "{{ https_proxy }}"
+
+# Apt proxy URL for HTTP. Default is empty (no proxy).
+apt_proxy_http: "{{ http_proxy }}"
+
+# Apt proxy URL for HTTPS. Default is {{ apt_proxy_http }}.
+apt_proxy_https: "{{ https_proxy }}"
diff --git a/etc/kayobe/environments/stack-security/inventory/group_vars/overcloud/time.yml b/etc/kayobe/environments/stack-security/inventory/group_vars/overcloud/time.yml
new file mode 100644
index 000000000..b1b891e37
--- /dev/null
+++ b/etc/kayobe/environments/stack-security/inventory/group_vars/overcloud/time.yml
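Review bot: The third `no_proxy` entry evaluates to an empty string when `docker_registry` is unset, leaving a blank element in the list and, once joined, an empty field in the exported `no_proxy` value that some consumers mis-parse. Building the list as one expression that appends the registry host only when it is set avoids that, e.g. `no_proxy: "{{ ['127.0.0.1', 'localhost'] + ([('http://' ~ docker_registry) | urlsplit('hostname')] if docker_registry else []) + [seed_ip, host_ip, controller_ip, kolla_external_fqdn, kolla_internal_fqdn] }}"` with the three `lookup('vars', ...)` entries kept as they are; if kayobe already filters empty entries downstream (not visible here) this is cosmetic. Separately, the comment block above `no_proxy` is the upstream default's description ("Defaults to [...] ... This is configured only if either http_proxy or https_proxy is set") and should instead describe this override, which always routes every overcloud host through the seed's proxy on port 3128 and exempts only the listed addresses.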
@@ -0,0 +1,7 @@
+---
+# NTP services for overcloud hosts
+# During early initialisation we use the seed Node
+# Following deployment we include the OpenStack VIP
+
+chrony_ntp_servers:
+ - server: "{{ admin_oc_net_name | net_ip(inventory_hostname=groups['seed'][0]) }}"
diff --git a/etc/kayobe/environments/stack-security/inventory/hosts b/etc/kayobe/environments/stack-security/inventory/hosts
new file mode 100644
index 000000000..e69de29bb
diff --git a/etc/kayobe/environments/stack-security/kolla/globals.yml b/etc/kayobe/environments/stack-security/kolla/globals.yml
new file mode 100644
index 000000000..ae457b6a6
--- /dev/null
+++ b/etc/kayobe/environments/stack-security/kolla/globals.yml
@@ -0,0 +1,3 @@
+---
+enable_external_api_firewalld: true
+external_api_firewalld_zone: "{{ public_net_name | net_zone }}"
diff --git a/etc/kayobe/environments/stack-security/monitoring.yml b/etc/kayobe/environments/stack-security/monitoring.yml
new file mode 100644
index 000000000..7057bb8fe
--- /dev/null
+++ b/etc/kayobe/environments/stack-security/monitoring.yml
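Review bot: `chrony_ntp_servers` lists only the seed, so every overcloud host has a single time source and chrony cannot detect a wrong one; the comment says the OpenStack VIP is included after deployment, but nothing in this file does that, so either add the second entry here or point the comment at where it is added. With one upstream for all hosts, a drifting or compromised seed clock moves time on every node, which affects certificate validity checks and token expiry across the cloud, and that trust relationship should be stated, e.g. `# Single source: all hosts follow the seed's clock until the VIP entry is added; the seed itself must sync to a trusted upstream.`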
@@ -0,0 +1,23 @@
+---
+###############################################################################
+# Monitoring node firewalld configuration.
+
+# Whether to install and enable firewalld.
+monitoring_firewalld_enabled: true
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+monitoring_firewalld_zones: "{{ stackhpc_firewalld_zones }}"
+
+# A firewalld zone to set as the default. Default is unset, in which case
+# the default zone will not be changed.
+# Predefined zones are listed here:
+# https://firewalld.org/documentation/zone/predefined-zones.html
+monitoring_firewalld_default_zone: trusted
+
+# A list of firewall rules to apply. Each item is a dict containing
+# arguments to pass to the firewalld module. Arguments are omitted if not
+# provided, with the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+monitoring_firewalld_rules: "{{ stackhpc_firewalld_rules }}"
diff --git a/etc/kayobe/environments/stack-security/networks.yml b/etc/kayobe/environments/stack-security/networks.yml
new file mode 100644
index 000000000..77f91c5d0
--- /dev/null
+++ b/etc/kayobe/environments/stack-security/networks.yml
@@ -0,0 +1,11 @@
+---
+# Kayobe network configuration.
+
+###############################################################################
+# Network connectivity check configuration.
+
+# External IP address to check. Default is 8.8.8.8.
+nc_external_ip: 127.0.0.1
+
+# External hostname to check. Default is google.com.
+nc_external_hostname: localhost
diff --git a/etc/kayobe/environments/stack-security/pulp.yml b/etc/kayobe/environments/stack-security/pulp.yml
new file mode 100644
index 000000000..70e071d3d
--- /dev/null
+++ b/etc/kayobe/environments/stack-security/pulp.yml
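Review bot: In networks.yml, setting `nc_external_ip` to `127.0.0.1` and `nc_external_hostname` to `localhost` turns the network connectivity check into a no-op, since a host always reaches itself, while the comments above them still carry the upstream defaults ("Default is 8.8.8.8", "Default is google.com") and do not say the check is intentionally disabled. A comment stating the reason — presumably that this environment has no direct egress and traffic goes via the seed proxy configured in proxy.yml — stops a later reader from treating a passing check as evidence of connectivity, e.g. `# No direct external egress in this environment; the check targets localhost and only validates the local network stack.` If the seed's proxy is the intended path, checking the seed's admin address would at least exercise the route that matters.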
@@ -0,0 +1,19 @@
+---
+###############################################################################
+# Local Pulp server configuration
+
+# Whether to enable TLS for Pulp.
+pulp_enable_tls: true
+
+# Path to a TLS certificate to use when TLS is enabled.
+pulp_cert_path: "{{ kayobe_env_config_path ~ '/pulp/certificates/pulp.crt' if pulp_enable_tls | bool else '' }}"
+
+# Path to a TLS key to use when TLS is enabled.
+pulp_key_path: "{{ kayobe_env_config_path ~ '/pulp/certificates/pulp.key' if pulp_enable_tls | bool else '' }}"
+
+###############################################################################
+# Local Pulp access credentials
+
+# Credentials for non-admin user within Pulp.
+pulp_stack_username: stack
+pulp_stack_password: "{{ notdefined | mandatory(msg='Please set a password for the stack pulp user') }}"
diff --git a/etc/kayobe/environments/stack-security/seed-hypervisor.yml b/etc/kayobe/environments/stack-security/seed-hypervisor.yml
new file mode 100644
index 000000000..4aa9b534b
--- /dev/null
+++ b/etc/kayobe/environments/stack-security/seed-hypervisor.yml
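Review bot: `pulp_key_path` points at `pulp.key` under `kayobe_env_config_path`, i.e. inside the environment configuration tree that is normally committed to version control, so the private key must be ansible-vault encrypted (or generated on the host rather than stored in the tree) and the comment should say so; nothing here prevents a plaintext key from being committed next to the certificate. `pulp_stack_password` relies on the `notdefined | mandatory(...)` idiom to force an override, which works only while no variable named `notdefined` exists anywhere in scope, so a comment such as `# Must be overridden, normally from a vaulted secrets file.` makes the intent explicit. The `if pulp_enable_tls | bool else ''` fallback on both paths yields an empty string rather than an unset value when TLS is disabled, which is fine only if the consuming role treats `''` as "no file".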
@@ -0,0 +1,33 @@
+---
+###############################################################################
+# Seed hypervisor node firewalld configuration.
+
+# Whether to install and enable firewalld.
+seed_hypervisor_firewalld_enabled: true
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+seed_hypervisor_firewalld_zones: "{{ stackhpc_firewalld_zones }}"
+
+# A firewalld zone to set as the default. Default is unset, in which case
+# the default zone will not be changed.
+# Predefined zones are listed here:
+# https://firewalld.org/documentation/zone/predefined-zones.html
+seed_hypervisor_firewalld_default_zone: trusted
+
+# A list of firewall rules to apply. Each item is a dict containing
+# arguments to pass to the firewalld module. Arguments are omitted if not
+# provided, with the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+seed_hypervisor_firewalld_rules: "{{ stackhpc_firewalld_rules }}"
+
+###############################################################################
+# Seed hypervisor sysctl configuration.
+
+# Dict of sysctl parameters to set.
+seed_hypervisor_sysctl_parameters:
+ # By default this is 1, which causes layer 2 traffic flowing through Linux
+ # bridges to pass through iptables. This blocks traffic from VMs (seed, wazuh) to
+ # the Internet.
+ net.bridge.bridge-nf-call-iptables: 0
diff --git a/etc/kayobe/environments/stack-security/seed.yml b/etc/kayobe/environments/stack-security/seed.yml
new file mode 100644
index 000000000..939ded7d9
--- /dev/null
+++ b/etc/kayobe/environments/stack-security/seed.yml
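Review bot: `net.bridge.bridge-nf-call-iptables: 0` takes bridged VM traffic out of the hypervisor's iptables/firewalld path altogether, not only the blocking the comment describes, so the firewalld rules configured earlier in this file no longer apply to anything the seed or wazuh VMs send or receive through the bridge and those VMs must enforce their own filtering (seed.yml in this commit enables firewalld on the seed; the wazuh VM's configuration is not visible here). The comment should state that consequence, e.g. `# Disables host firewalld/iptables filtering of bridged VM traffic; each VM must run its own firewall.` The IPv6 counterpart `net.bridge.bridge-nf-call-ip6tables` is left at its default, so if IPv6 is carried on the bridge the two address families are filtered differently. This sysctl only exists once the br_netfilter module is loaded, which is worth noting if the host does not load it by default.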
@@ -0,0 +1,30 @@
+---
+###############################################################################
+# Seed node firewalld configuration.
+
+# Whether to install and enable firewalld.
+seed_firewalld_enabled: true
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+seed_firewalld_zones: "{{ stackhpc_firewalld_zones }}"
+
+# A firewalld zone to set as the default. Default is unset, in which case
+# the default zone will not be changed.
+# Predefined zones are listed here:
+# https://firewalld.org/documentation/zone/predefined-zones.html
+seed_firewalld_default_zone: trusted
+
+# A list of firewall rules to apply. Each item is a dict containing
+# arguments to pass to the firewalld module. Arguments are omitted if not
+# provided, with the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+seed_firewalld_rules: "{{ stackhpc_firewalld_rules }}"
+
+###############################################################################
+# Seed node additional containers configuration
+
+# Seed container running a Squid caching proxy. This can be used to proxy
+# HTTP(S) requests from control plane hosts.
+seed_squid_container_enabled: true
diff --git a/etc/kayobe/environments/stack-security/stackhpc.yml b/etc/kayobe/environments/stack-security/stackhpc.yml
new file mode 100644
index 000000000..0b612b6a0
--- /dev/null
+++ b/etc/kayobe/environments/stack-security/stackhpc.yml
@@ -0,0 +1,6 @@
+---
+###############################################################################
+# Feature flags
+
+# Whether or not to run CIS benchmark hardening playbooks. Default is false.
+stackhpc_enable_cis_benchmark_hardening_hook: true
diff --git a/etc/kayobe/environments/stack-security/storage.yml b/etc/kayobe/environments/stack-security/storage.yml
new file mode 100644
index 000000000..63c94d56a
--- /dev/null
+++ b/etc/kayobe/environments/stack-security/storage.yml
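Review bot: `seed_squid_container_enabled: true` makes the seed the egress proxy for every control plane host (proxy.yml in this commit points `http_proxy` at the seed's admin address on port 3128), so the Squid listener should be reachable only from the admin network and its ACLs should limit which destinations clients may reach; neither a firewalld rule for 3128 nor the Squid configuration is in this diff, so I can't confirm either is in place. The comment above the flag describes only the caching role; tying it to the proxy settings would help a reader, e.g. `# Egress proxy for control plane hosts (see group_vars/overcloud/proxy.yml); restrict port 3128 to the admin network in the firewalld rules.`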
@@ -0,0 +1,23 @@
+---
+###############################################################################
+# Storage node firewalld configuration.
+
+# Whether to install and enable firewalld.
+storage_firewalld_enabled: true
+
+# A list of zones to create. Each item is a dict containing a 'zone' item.
+storage_firewalld_zones: "{{ stackhpc_firewalld_zones }}"
+
+# A firewalld zone to set as the default. Default is unset, in which case
+# the default zone will not be changed.
+# Predefined zones are listed here:
+# https://firewalld.org/documentation/zone/predefined-zones.html
+storage_firewalld_default_zone: trusted
+
+# A list of firewall rules to apply. Each item is a dict containing
+# arguments to pass to the firewalld module. Arguments are omitted if not
+# provided, with the following exceptions:
+# - offline: true
+# - permanent: true
+# - state: enabled
+storage_firewalld_rules: "{{ stackhpc_firewalld_rules }}"