Introduction
You can use Items from the EWC Community Hub to configure, among other things, existing compute instances. This guide walks you through the steps needed to run an Item of the Ansible Playbook Technology from your local work environment, namely the SSH Bastion Flavour, so as to convert a generic Rocky Linux VM into an SSH bastion server, with Fail2ban for added security.
Prerequisites
Before you begin:
Pre-existing VM: Rocky Linux 9.5 or 8.10, ≥4 GB RAM, with a public IP address attached to it. You may create one via any of the available methods (ordered top to bottom from older to newer):
- Community Hub Item (Terraform under the hood)
SSH access: In this example, by logging in as the default Linux account of EWC's Rocky Linux VM images via a valid SSH keypair (public key shared with the target VM):
- Create a keypair (if none available).
- Import SSH keys (public) (into OpenStack for automatic distribution upon VM creation).
Work environment equipped with:
- Git ≥ 2.0
- Python ≥ 3.9
- Ansible ≥ 2.15
You can verify versions installed in your workspace with:
$ git --version
$ python3 --version
$ ansible --version
If any of the above raises an error, or the version is older than recommended, install/update via your package manager of preference. You can also follow the official Ansible documentation for OS-specific installation steps.
Step-by-Step Deployment
1. Download the Item
Find the Item's detail page on the EWC Community Hub Dashboard by visiting https://europeanweather.cloud/community-hub/ssh-bastion-flavour. Once on the detailed page, pay attention to the following:
- Item version: 1.0.0 (as of Sep. 10th, 2025)
- Item Repository: URL to the source (hosted on GitHub in this case)
By clicking on the "Repository" button (see Community Hub Dashboard Overview for a quick rundown of an Item's detail page layout), you'll get redirected to the source, GitHub in this case. Use the command documented on the home page of the repository to clone it to your local work environment. In this example, we run:
$ git clone https://github.com/ewcloud/ewc-ansible-playbook-flavours-and-provisioning.git
Change to the root directory of the Item's source:
$ cd ewc-ansible-playbook-flavours-and-provisioning/playbooks/ssh-bastion-flavour
And check out the correct version of the code to ensure you deploy the Item version that has been vetted:
$ git checkout 1.0.0
2. Install Item Dependencies
Download any Ansible Roles required by the Item:
$ ansible-galaxy role install -r requirements.yml
In this example, the ewc-ansible-role-ssh-bastion dependency will become available in your working environment, under the ~/.ansible/roles subdirectory.
3. Define Your Target Host
While still in the root directory of the Item's source, create an inventory.yml file describing the VM you want to configure. Take the example below, but make sure to replace the values with your own VM IP and SSH private key details:
# inventory.yml
---
ewcloud:
  hosts:
    ssh_bastion:
      ansible_python_interpreter: /usr/bin/python3
      ansible_host: 135.196.111.255 # <- REPLACE WITH CORRECT PUBLIC IP OF TARGET HOST
      ansible_ssh_private_key_file: ~/.ssh/id_rsa # <- REPLACE WITH CORRECT PATH TO PRIVATE KEY IN LOCALHOST
      ansible_user: cloud-user
      ansible_ssh_common_args: -o StrictHostKeyChecking=accept-new
4. Run the Playbook
Always review the Items' documentation to learn about its specific inputs.
Copy and paste the following command, then hit Enter to execute it:
$ ansible-playbook -i inventory.yml ssh-bastion-flavour.yml
You'll be prompted for input: the IP address ranges to whitelist, i.e. to exempt from Fail2ban's security measures.
Upon successful completion, you will see an execution summary with zero failed tasks for both your localhost and the target host (referred to as ssh_bastion in this example):
PLAY RECAP *******************************************************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
ssh_bastion                : ok=14   changed=5    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
4.1. (Optional) Run in Non-interactive Mode
You can avoid input prompting altogether by passing input variables inline when running the playbook. Use the --extra-vars or -e argument flag. For the example at hand, one could add:
$ ansible-playbook -i inventory.yml -e '{"whitelisted_ip_ranges": ["10.0.0.0/24"]}' ssh-bastion-flavour.yml
4.2. (Optional) Update Inputs & Re-run
Well-developed Ansible Playbooks are idempotent and allow replay: subsequent runs apply only the changes that are needed, and bring the configuration into the desired state despite prior failed runs (caused by transient errors such as connection loss or out-of-memory conditions).
As is the case for other Items open-sourced by the EWC, you can change the inputs of the SSH Bastion Flavour at any point in time, by simply re-running with the new values. Imagine the following scenario:
Your EWC tenant admin notifies you of a new security policy which implies Fail2Ban should not make exceptions for any IP addresses, regardless of whether they are internal or not.
In order to make changes needed to comply with the new policy, you can run:
$ ansible-playbook -i inventory.yml -e '{"whitelisted_ip_ranges": ""}' ssh-bastion-flavour.yml
This will trigger the reconfiguration of your target VM, to remove all IP addresses from the Fail2Ban whitelist.
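As an added example (not code from the Item or its repository), the following POSIX shell script wraps the runs from steps 4.1 and 4.2: it validates the CIDR ranges, builds the JSON passed via -e (an empty argument list produces the clearing form used above), and runs the playbook with --check before applying. It assumes the inventory.yml from step 3 and the playbook file name from step 4; the script name whitelist.sh is hypothetical.

```shell
#!/bin/sh
# Added example (not the Item's own code): validate whitelist CIDRs, build the
# -e JSON for whitelisted_ip_ranges, dry-run, then apply. Assumes inventory.yml
# from step 3 and the playbook from step 4; runs only when given --apply.
set -eu
INVENTORY="inventory.yml"
PLAYBOOK="ssh-bastion-flavour.yml"
# valid_cidr A.B.C.D/N: four octets in 0-255 and a prefix length in 0-32
valid_cidr() {
  case "$1" in
    */*) ip="${1%/*}"; prefix="${1#*/}" ;;
    *)   return 1 ;;
  esac
  case "$prefix" in ''|*[!0-9]*|???*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  case "$ip" in ''|*[!0-9.]*) return 1 ;; esac   # digits and dots only
  old_ifs="$IFS"; IFS=.
  set -- $ip                                     # split into octets
  IFS="$old_ifs"
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|????*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}
# build_extra_vars [CIDR ...]: JSON for -e; no arguments clears the whitelist,
# matching the '{"whitelisted_ip_ranges": ""}' form used in step 4.2
build_extra_vars() {
  if [ "$#" -eq 0 ]; then
    printf '{"whitelisted_ip_ranges": ""}'
    return 0
  fi
  list=""
  for cidr in "$@"; do
    valid_cidr "$cidr" || { echo "rejected CIDR: $cidr" >&2; return 1; }
    list="${list:+$list, }\"$cidr\""
  done
  printf '{"whitelisted_ip_ranges": [%s]}' "$list"
}
# apply_whitelist [CIDR ...]: --check first to review the change set, then the
# real run with identical inputs
apply_whitelist() {
  extra_vars="$(build_extra_vars "$@")"
  ansible-playbook -i "$INVENTORY" -e "$extra_vars" --check "$PLAYBOOK"
  ansible-playbook -i "$INVENTORY" -e "$extra_vars" "$PLAYBOOK"
}
# Usage: ./whitelist.sh --apply 10.0.0.0/24 192.168.1.0/24  (no CIDRs clears it)
case "${1:-}" in --apply) shift; apply_whitelist "$@" ;; esac
```

A rejected range aborts before any playbook run, so a typo in the whitelist cannot reach Fail2ban's configuration.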
Conclusion
That is all!🎊
With a working environment such as the one we've set up together in this step-by-step guide, you should be ready to configure your VMs to run any of the software stacks shared over the Community Hub, or perhaps those developed by yourself.
Best Practices
- If unsure, leave whitelisted_ip_ranges unset, or add only trusted networks.
- Test on a staging VM before production rollout.
- Dry run before applying changes:
$ ansible-playbook -i inventory.yml --check ssh-bastion-flavour.yml
Troubleshooting
Check out the troubleshooting documentation of the Item for information on common problems and how to resolve them.
For unresolved issues, check the GitHub issues for a similar problem, or ask the community on the peer support channel of the EWC discussion platform. You may also open a ticket at the EWC Support Portal when dealing with EWC open-sourced Items.