
ewcloud/ewc-ansible-role-ssh-bastion

SSH Bastion Ansible Role

This repository contains a configuration template (i.e. an Ansible Role) to customize your environment in the European Weather Cloud (EWC). The template is designed to:

  • Configure a pre-existing virtual machine running RockyLinux version 9 or 8, with public IP address, and a minimum recommended 4GB of RAM, as entrypoint for users who wish to reach private EWC networks, from the public internet, via SSH.

Copyright and License

Copyright © EUMETSAT 2025.

The provided code and instructions are licensed under the MIT license. They are intended to automate the setup of an environment that includes third-party software components. The usage and distribution terms of the resulting environment are subject to the individual licenses of those third-party libraries.

Users are responsible for reviewing and complying with the licenses of all third-party components included in the environment.

Contact EUMETSAT for details on the usage and distribution terms.

Usage

The step-by-step instructions below assume your local file system follows this example structure, with ewc-ansible-role-ssh-bastion being a clone of this repository:

.
├── roles
│   └── ewc-ansible-role-ssh-bastion
├── inventory.yml
└── playbook.yml

1. Specify the target host and SSH credentials

Create an inventory file to specify address/credentials that Ansible should use to reach the virtual machine you wish to configure:

# inventory.yml
---
ewcloud:
  hosts:
    ssh_bastion:
      ansible_python_interpreter: /usr/bin/python3
      ansible_host: <add the IPv4 address of the target host>
      ansible_ssh_private_key_file: <add the path to local SSH RSA private key file>
      ansible_user: <add the username which owns the SSH RSA private key>

2. Customize the template

Edit input values for the template variables as needed (see Inputs section for details). Then, proceed to create an Ansible Playbook file to load your customizations:

# playbook.yml
---
- name: Setup SSH daemon on RockyLinux
  hosts: ssh_bastion
  become: true
  become_user: root
  become_method: ansible.builtin.sudo

  roles:
    - ewc-ansible-role-ssh-bastion

3. Apply the template

You can apply changes on the target host by running:

ansible-playbook -i inventory.yml playbook.yml

Inputs

Name | Description | Type | Default | Required
fail2ban_whitelist_ip_ranges | IPv4 ranges (in CIDR format) to be whitelisted in Fail2ban configuration. When in doubt, set as an empty string. Example: ['10.0.0.0/24'] | list(string) | null | no
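
A pre-flight check for fail2ban_whitelist_ip_ranges, as an added example that is not part of this role: whitelisted addresses are exempt from Fail2ban bans, so a malformed or overly wide entry on a public-facing bastion is worth catching before the playbook runs. The function name, the /16 threshold and the public-range warning are assumptions made for this example.

```python
import ipaddress

# Policy assumption for this example: anything wider than /16 is rejected.
MIN_PREFIX = 16


def check_whitelist(ranges, min_prefix=MIN_PREFIX):
    """Return (entry, level, message) for each questionable entry; [] means clean."""
    if not ranges:  # null or empty string: nothing is whitelisted
        return []
    if isinstance(ranges, str):
        return [(ranges, "error", "expected a list of CIDR strings, got a string")]
    findings = []
    for entry in ranges:
        try:
            if not isinstance(entry, str):
                raise ValueError("entry is not a string")
            # strict=True rejects entries with host bits set, e.g. 10.0.0.5/24
            net = ipaddress.ip_network(entry, strict=True)
        except ValueError as exc:
            findings.append((entry, "error", f"invalid CIDR: {exc}"))
            continue
        if net.version != 4:
            findings.append((entry, "error", "input is documented as IPv4 only"))
        elif net.prefixlen < min_prefix:
            findings.append(
                (entry, "error", f"/{net.prefixlen} is wider than /{min_prefix}")
            )
        elif not net.is_private:
            findings.append((entry, "warn", "public range will never be banned"))
    return findings


if __name__ == "__main__":
    # Constructed sample input, not taken from any real deployment.
    sample = ["10.0.0.0/24", "0.0.0.0/0", "10.0.0.5/24", "fd00::/8", "8.8.8.0/24"]
    for entry, level, message in check_whitelist(sample):
        print(f"{level.upper():5} {entry}: {message}")
```
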

Dependencies

💡 Upon execution, an SBOM (SPDX format) is auto-generated and stored in the VM's file system root directory (see /sbom.json).

The following third-party components will be included in the resulting environment:

Component | Home URL
fail2ban | https://www.fail2ban.org
xorg-x11-xauth | https://www.x.org

Changelog

All notable changes (i.e. fixes, features and breaking changes) are documented in the CHANGELOG.md.

Contributing

Thanks for taking the time to join our community and start contributing! Please make sure to:

Authors

European Weather Cloud <support@europeanweather.cloud>
