You can use Items from the EWC Community Hub to configure, among other things, existing compute instances. This guide walks you through the steps needed to run an Item of the Ansible Playbook kind from your local work environment, namely the SSH Bastion Flavour, to configure a Rocky Linux VM as an SSH bastion server, with Fail2ban for added security.
Before you begin:
Pre-existing VM: Rocky Linux 9.5 or 8.10, ≥4 GB RAM with a public IP address attached to it. You may create one via:
SSH access: In this example, by impersonating the default Linux account of EWC's Rocky Linux VM images via a valid SSH keypair (public key shared with the target VM).
Work environment equipped with:
You can verify the versions installed in your workspace with:
git --version
python3 --version
ansible --version
If any of the above raises an error, or the version is older than recommended, install/update via your package manager of preference. You can also follow the official Ansible documentation for OS-specific installation steps.
Find the Item's detail page on the EWC Community Hub Dashboard by visiting https://europeanweather.cloud/community-hub/ssh-bastion-flavour. Once on the detailed page, pay attention to the following:
Version: 1.0.0 (as of Sep. 10th, 2025) (Item Detailed Page)
By clicking on the "Repository" button, you'll get redirected to GitHub. Use the command documented on the home of the repository to clone it to your local work environment. In this example, we run:
git clone https://github.com/ewcloud/ewc-ansible-playbook-flavours-and-provisioning.git
Change to the root directory of the Item's source:
cd ewc-ansible-playbook-flavours-and-provisioning/playbooks/ssh-bastion-flavour
And check out the correct version of the code to ensure you deploy the Item which has been vetted:
git checkout 1.0.0
Download any Ansible Roles required by the Item:
ansible-galaxy role install -r requirements.yml
In this example, the ewc-ansible-role-ssh-bastion dependency will become available on your working environment, under the ~/.ansible/roles subdirectory.
While still on the root directory of the Item's source, create an inventory.yml file describing the VM you want to configure. Take the example below, but make sure to replace the values with your own VM IP and SSH private key details:
---
ewcloud:
  hosts:
    ssh_bastion:
      ansible_python_interpreter: /usr/bin/python3
      ansible_host: 135.196.111.255 # <- REPLACE WITH CORRECT PUBLIC IP OF TARGET HOST
      ansible_ssh_private_key_file: ~/.ssh/id_rsa # <- REPLACE WITH CORRECT PATH TO PRIVATE KEY IN LOCALHOST
      ansible_user: cloud-user
      ansible_ssh_common_args: -o StrictHostKeyChecking=accept-new
Always review the Item's documentation to learn about its specific inputs.
Copy and paste the following command, and hit enter to execute:
ansible-playbook -i inventory.yml ssh-bastion-flavour.yml
You'll be prompted for user input, to whitelist any IP addresses that should not be affected by Fail2ban security measures.
Upon successful completion, you will see an execution summary with zero failed tasks on your localhost or the target host (referred to as ssh_bastion in this example):
PLAY RECAP *******************************************************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
ssh_bastion                : ok=14   changed=5    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
You can avoid input prompting altogether by passing input variables inline at the time of running the playbook. Use the --extra-vars or -e argument flags. For the example at hand, one could add:
-e '{"whitelisted_ip_ranges": ["10.0.0.0/24"]}'
Well-developed Items are idempotent and allow replay; subsequent runs apply only the changes that are needed, and bring the configuration into the desired state despite prior failed runs (caused by transient errors like connection loss, out-of-memory issues, etc.).
As is the case for other Items open-sourced by the EWC, you can change the inputs of the SSH Bastion Flavour at any point in time, by simply re-running with the new values.
Imagine, for example, that you decide later on to apply Fail2Ban to all IP addresses, regardless of whether they are internal or not. To achieve this, simply run:
ansible-playbook \
  -i inventory.yml \
  --extra-vars "whitelisted_ip_ranges=''" \
  ssh-bastion-flavour.yml
This will trigger the reconfiguration of your target VM, to remove all IP addresses from the Fail2Ban whitelist.
If unsure, leave whitelisted_ip_ranges unset, or add only trusted networks.
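Because every range placed in whitelisted_ip_ranges is exempt from Fail2ban, it is worth validating the list before handing it to the playbook. The helper below is an added example and not part of the EWC Item: it checks each candidate entry with the standard ipaddress module, drops malformed entries and over-broad prefixes (the MIN_PREFIX_LEN policy values are an assumption for this example), and renders the same -e JSON argument shape the guide uses.

```python
"""Validate Fail2ban whitelist entries for the SSH Bastion Flavour playbook.

Added example, not part of the EWC Item or its role.
"""
import ipaddress
import json
import shlex

# Shortest prefix accepted per IP version (constructed policy for this example;
# a /0 or similarly short prefix would exempt most of the internet from Fail2ban).
MIN_PREFIX_LEN = {4: 8, 6: 32}


def validate_whitelist(candidates):
    """Return (accepted, rejected): accepted holds normalised CIDR strings,
    rejected maps each dropped entry to the reason it was dropped."""
    accepted, rejected = [], {}
    for entry in candidates:
        text = entry.strip()
        if not text:
            continue  # blank lines from a config file are simply ignored
        try:
            # strict=False lets a bare host address such as 192.0.2.7 stand for a /32
            net = ipaddress.ip_network(text, strict=False)
        except ValueError:
            rejected[entry] = "not a valid IP address or CIDR range"
            continue
        if net.prefixlen < MIN_PREFIX_LEN[net.version]:
            rejected[entry] = f"prefix /{net.prefixlen} is too broad to whitelist"
            continue
        if net.is_multicast:
            rejected[entry] = "multicast range cannot be an SSH client"
            continue
        accepted.append(str(net))
    return accepted, rejected


def extra_vars_arg(whitelist):
    """Render the inline variable as the guide does: -e '{"whitelisted_ip_ranges": [...]}'."""
    return ["-e", json.dumps({"whitelisted_ip_ranges": whitelist})]


def build_command(inventory, candidates, playbook="ssh-bastion-flavour.yml"):
    """Assemble the ansible-playbook argv from validated whitelist candidates."""
    accepted, rejected = validate_whitelist(candidates)
    return ["ansible-playbook", "-i", inventory, *extra_vars_arg(accepted), playbook], rejected


if __name__ == "__main__":
    # Constructed sample input: one sane office range, one typo, one /0
    cmd, dropped = build_command("inventory.yml", ["10.0.0.0/24", "10.0.0.256", "0.0.0.0/0"])
    print(shlex.join(cmd))
    for entry, why in dropped.items():
        print(f"dropped {entry!r}: {why}")
```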
ansible-playbook --check ssh-bastion-flavour.yml
Check out the troubleshooting documentation of the Item for information on common problems and how to troubleshoot them.
For unresolved issues, check the GitHub issues for a similar problem, or ask the community on the peer support channel of the EWC discussion platform. You may also place a ticket at the EWC Support Portal when dealing with EWC open-sourced Items.