diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000..329b634
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "ansible/files/ssh"]
+ path = ansible/files/ssh
+ url = https://github.com/RealOrangeOne/ansible-ssh-bastion
diff --git a/ansible/.ansible-lint b/ansible/.ansible-lint
index 7782652..7fadcd3 100644
--- a/ansible/.ansible-lint
+++ b/ansible/.ansible-lint
@@ -2,3 +2,4 @@ skip_list:
 - 305
 - 401
 - 301
+ - 503
diff --git a/ansible/files/ssh b/ansible/files/ssh
new file mode 160000
index 0000000..9f8159f
--- /dev/null
+++ b/ansible/files/ssh
@@ -0,0 +1 @@
+Subproject commit 9f8159f1e6e468b9293e4c00d76aadf18aac6af5
diff --git a/ansible/hosts b/ansible/hosts
index e69de29..449ab01 100644
--- a/ansible/hosts
+++ b/ansible/hosts
@@ -0,0 +1,2 @@
+[casey]
+108.61.221.88
diff --git a/ansible/main.yml b/ansible/main.yml
index e69de29..7a34eb0 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
@@ -0,0 +1,8 @@
+- hosts: all
+ tasks:
+ - name: Ping
+ ping:
+
+- hosts: casey
+ roles:
+ - ssh-bastion
diff --git a/ansible/roles/ssh-bastion/tasks/main.yml b/ansible/roles/ssh-bastion/tasks/main.yml
new file mode 100644
index 0000000..a1dc524
--- /dev/null
+++ b/ansible/roles/ssh-bastion/tasks/main.yml
@@ -0,0 +1,20 @@
+- name: Define context
+ set_fact:
+ user: jake
+ enable_root: true
+
+- name: SSH config
+ template:
+ src: files/ssh/sshd_config_bastion
+ dest: /etc/ssh/sshd_config
+ validate: /usr/sbin/sshd -t -f %s
+ backup: yes
+ become: true
+ become_user: root
+ register: sshd_config
+
+- name: Restart SSH config
+ service:
+ name: sshd
+ state: reloaded
+ when: sshd_config.changed
diff --git a/ansible/vars.yml b/ansible/vars.yml
new file mode 100644
index 0000000..1d4d15d
--- /dev/null
+++ b/ansible/vars.yml
@@ -0,0 +1,2 @@
+user: jake
+enable_root: false
diff --git a/scripts/ansible.sh b/scripts/ansible.sh
index d20015d..fbaa86f 100755
--- a/scripts/ansible.sh
+++ b/scripts/ansible.sh
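Review bot: Adding `503` to `skip_list` in `ansible/.ansible-lint` switches the "tasks that run when changed should be handlers" check off for every playbook and role, not only for the one task that trips it. In this commit that task appears to be "Restart SSH config" in `ansible/roles/ssh-bastion/tasks/main.yml`, which is gated on `when: sshd_config.changed`. Moving it into the role's handlers and adding `notify: Restart SSH config` to the template task would satisfy the rule and let the skip be dropped. If the skip stays, a comment above it should say why, for example `# 503: sshd reload is an inline task in roles/ssh-bastion`.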
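Review bot: `enable_root: true` in the "Define context" `set_fact` of `ansible/roles/ssh-bastion/tasks/main.yml` is the value the sshd template will see, because `set_fact` outranks vars files and nothing visible in `ansible/main.yml` loads `ansible/vars.yml`, which this commit adds with `enable_root: false`. If `sshd_config_bastion` uses that variable to permit root login (the template lives in the submodule and is not shown here), the bastion ends up with root SSH enabled while the repo's vars file says the opposite. Drop the `set_fact` task and load the vars file from the play with `vars_files: [vars.yml]`, or at least set `enable_root: false` here. Separately, "Restart SSH config" has no `become: true`, unlike the template task, so the reload will likely fail unless the login user is root, leaving the validated config on disk but not active. An explicit `owner: root`, `group: root` and `mode: "0600"` on the template task would also stop the file's permissions depending on whatever was there before.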
@@ -4,4 +4,4 @@ set -e PATH=env/bin:${PATH} -ansible-playbook -i ansible/hosts ansible/main.yml +ansible-playbook -i ansible/hosts ansible/main.yml -k -K
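Review bot: `-k` makes every run of `scripts/ansible.sh` depend on the hosts accepting SSH password login, which sits oddly with a role that replaces `/etc/ssh/sshd_config` on a bastion: either password authentication has to stay enabled there, or the script stops working once the new config is live. Prefer key-based login and keep only the become prompt, `ansible-playbook -i ansible/hosts ansible/main.yml -K "$@"`, so a one-off bootstrap can still pass `-k` on the command line. If `-k` stays, host key checking must remain enabled (no ansible.cfg is visible in this diff, so its setting cannot be confirmed), since the typed password is sent to whatever answers on the inventory address. Note also that `-K` only supplies the become password; tasks still need `become: true` to use it.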