Deploy using Trellis with Dynamic IP to a server with Firewall

Hi guys!

I need to know if it’s possible to do this:

I have SSH access to a custom server that I will serve my website from. It has a firewall that allows SSH connections only from IPs in a whitelist. I don't have root access to that server, as I'm not the DevOps person.

I don't have a fixed IP, as I'm working from my laptop everywhere (home, coffee shop, coworking…).

I usually connect to servers like this using another server as a jumpgate (a DO droplet), as it has a fixed IP. The custom server then has the jumpgate IP in its whitelist, and I connect to that server from my laptop using a ProxyCommand in my .ssh/config file like this: ssh -A jump -W %h:%p

The question is:
How would I deploy to that server, using the jumpgate, with Trellis?
Is it possible? What should I change to have it working from my laptop?

I only need Trellis to do deploys, as the custom server is already provisioned. Think of it as a Kinsta server with a very strict firewall enabled.

Connecting via a jump host (aka bastion host, aka jumpgate) is possible:

# group_vars/all/main.yml

# Public IP of the jump host (placeholder from the RFC 5737 documentation range;
# the original post used 111.222.333.444, which is not a valid IPv4 address)
bastion_ip: '203.0.113.10'
# For OpenSSH >= 7.3 (ProxyJump)
# ansible_ssh_extra_args: "-J {{ bastion_user }}@{{ bastion_ip }}"
# For OpenSSH <= 7.2 (ProxyCommand with stdio forwarding)
ansible_ssh_extra_args: '-o ProxyCommand="ssh -W %h:%p {{ bastion_user }}@{{ bastion_ip }}"'

And in the hosts files, use the static private IPs (or hostnames that the jump host can resolve).


Great, @TangRufus!! Thank you very much!!

Where do I declare bastion_user? Is it safe to declare it in the same file as bastion_ip?

Hardcoding bastion_user in the YAML file is okay, but I recommend passing it as an ansible-playbook argument.
See --extra-vars at https://docs.ansible.com/ansible/latest/cli/ansible-playbook.html

Because different developers should have different jumpgate usernames.

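The two answers above (the bastion config in group_vars and passing bastion_user per developer with --extra-vars) put together, as an added example that is not from the thread or the Trellis project. It picks the -J or ProxyCommand form from the local OpenSSH version, writes a per-environment group_vars file and hosts file, and prints the deploy command. Everything in it is assumed: the bastion 203.0.113.10 and target 10.0.0.5 are placeholder addresses, the environment is "production", and the hypothetical functions parse_openssh_version, supports_proxyjump, jump_args, write_trellis_files and deploy_command are mine, not Trellis's.

```shell
#!/bin/sh
# Added example, not Trellis code. Route Trellis deploys through a bastion.
# Assumptions: bastion public IP 203.0.113.10 (RFC 5737 documentation range),
# web host 10.0.0.5 reachable only from the bastion, environment "production".

# Extract "major.minor" from `ssh -V` output,
# e.g. "OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL 3.0.2 ..." -> "8.9"
parse_openssh_version() {
  printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Succeeds when major.minor >= 7.3, i.e. the client understands ProxyJump (-J)
supports_proxyjump() {
  major=${1%%.*}
  minor=${1#*.}
  [ "$major" -gt 7 ] || { [ "$major" -eq 7 ] && [ "$minor" -ge 3 ]; }
}

# Print the ansible_ssh_extra_args value for this OpenSSH version.
# The bastion user is left as a Jinja variable on purpose: each developer
# supplies their own with --extra-vars instead of committing it.
jump_args() {
  if supports_proxyjump "$1"; then
    printf '%s' '-J {{ bastion_user }}@{{ bastion_ip }}'
  else
    printf '%s' '-o ProxyCommand="ssh -W %h:%p {{ bastion_user }}@{{ bastion_ip }}"'
  fi
}

# Write group_vars/production/main.yml and hosts/production under $1 for
# OpenSSH version $2. Per-environment rather than group_vars/all so that
# staging or development hosts that are not behind the bastion are unaffected.
write_trellis_files() {
  dir=$1
  version=$2
  mkdir -p "$dir/group_vars/production" "$dir/hosts"
  cat > "$dir/group_vars/production/main.yml" <<EOF
# Deploys to production go through the bastion; bastion_user is passed at run time.
bastion_ip: '203.0.113.10'
ansible_ssh_extra_args: '$(jump_args "$version")'
EOF
  # Hosts file lists the private IP that only the bastion can reach.
  cat > "$dir/hosts/production" <<EOF
[production]
10.0.0.5

[web]
10.0.0.5
EOF
}

# The deploy command for site $1 with bastion user $2 (no agent forwarding
# needed: -J and -W tunnel the TCP stream, so the key is used end to end).
deploy_command() {
  printf 'ansible-playbook deploy.yml -e env=production -e site=%s -e bastion_user=%s\n' "$1" "$2"
}

# Usage from a Trellis checkout (ssh is invoked here, so it is a comment):
#   write_trellis_files . "$(parse_openssh_version "$(ssh -V 2>&1)")"
#   $(deploy_command example.com alice)
```

If you would rather keep the bastion out of the Trellis repo entirely, a `ProxyJump` entry for 10.0.0.5 in your own ~/.ssh/config does the same job, because Ansible shells out to the system ssh and honours that file. Either way, drop the -A from the original ProxyCommand: agent forwarding to the jump host is not needed for a -W or -J tunnel, and it exposes your agent to whoever has root on the bastion.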
