Firstly, a ringing endorsement for Ansible here. I've used Puppet before, and while that's useful for large fleets of machines which need to be policed on their configuration, it's not so great for ad-hoc machines.
My worry is the second part of your email where you mix several items into one block:
* Config files (managed with Ansible) under revision control (um, perhaps manage the Config files with Ansible, and your ansible scripts with Git) and convenient auto backup (Or, use etckeeper, and have a cronjob which does a git push to a central repo store?)
* All superuser actions fully logged (um, auditd is your friend here, so you'd then need a central syslogd to push those logs to it) and replayable (yehr, that's not going to happen... - the way to enforce this is to completely prevent all logins to the box, and manage it entirely with some automation tooling - like Ansible - but your ops teams [*] will HATE this)
* Nobody gets direct sudo access, but I can give out admin access (yep, ansible can change user groups and /etc/sudoers files)
Regarding that second item, my employer used
https://www.ssh.com/academy/iam/pam in the past which basically you put in front of your managed device, and it's the only box with SSH keys to access it, but it's got a service that records all the TTY while you're logged into the box. That said, it's a commercial service, and means you've got another device to manage too.
If this really is a one-off event, then disable password login from your host, and have it calling out every 30 minutes (to a github repo for playbook changes using ansible-pull) to enable it again. Your build process should be:
1. Install OS (any Linux distro will do, but I'd suggest one of the commercially supportable ones, like RHEL, Ubuntu, etc)
2. Set a LONG password for the root user. Sign in as root.
3. Remove your user account.
4. Install git and python3-pip then `pip install ansible`.
6. ansible-playbook /opt/OfficeHubMachinePlaybook/setup.yml
To create your OfficeHubMachinePlaybook, I'd suggest using Vagrant to rapidly provision and destroy a VM with the configuration on it. That way, if you want to see what the current state of your deployed host is, you can just issue `vagrant up` and then it'll be operating like your deployed node.
If you don't mind having a little bit of SSH access into the host - you could setup and run Ansible Tower (a commercial product from RedHat and requires a RHEL device to run Tower on) or AWX (the open source upstream project), as this will record your Ansible activities, including all the logs from your playbook. It will also schedule regular deployment activities (e.g. every day, run the security-updates playbook, or every week, run the full-upgrade playbook, or every time the git repo is updated, run the provision playbook)... but again, this is another machine you have to feed and water and manage and maintain. This gives you a friendly web interface, and as your ops [*] get more capable, they can be trusted to run more activities on this node, and it keeps all your "secrets".
[*] Obviously, if you don't have an ops team, then ... ignore this part :)