diff --git a/ansible/inventory/group_vars/all/ipa b/ansible/inventory/group_vars/all/ipa index d8542b929..0ace49f8f 100644 --- a/ansible/inventory/group_vars/all/ipa +++ b/ansible/inventory/group_vars/all/ipa @@ -7,6 +7,14 @@ # Whether to build IPA images from source. ipa_build_images: False +# Override the OS distribution used to build IPA images. Default is the host +# distribution. +ipa_build_distro: "{{ os_distribution }}" + +# Override the OS release used to build IPA images. Default is the host +# release. +ipa_build_release: "{{ os_release }}" + # URL of IPA source repository. ipa_build_source_url: "https://opendev.org/openstack/ironic-python-agent" @@ -24,11 +32,12 @@ ipa_build_dib_host_packages_extra: [ 'zstd' ] # List of default Diskimage Builder (DIB) elements to use when building IPA # images. Default is ["rocky-container", "dynamic-login", -# "enable-serial-console", "ironic-python-agent-ramdisk"] when os_distribution -# is "rocky", and ["ubuntu", "dynamic-login", "enable-serial-console", -# "ironic-python-agent-ramdisk"] otherwise. +# "enable-serial-console", "ironic-python-agent-ramdisk", "baremetal"] when +# ipa_build_distro is "rocky", and [ipa_build_distro, "dynamic-login", +# "enable-serial-console", "ironic-python-agent-ramdisk", "baremetal"] +# otherwise. ipa_build_dib_elements_default: - - "{{ 'rocky-container' if os_distribution == 'rocky' else os_distribution }}" + - "{{ 'rocky-container' if ipa_build_distro == 'rocky' else ipa_build_distro }}" - dynamic-login - enable-serial-console - ironic-python-agent-ramdisk 
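Review bot: `ipa_build_release` still defaults to `{{ os_release }}` when only `ipa_build_distro` is overridden, so the first hunk allows an image build that pairs one distribution with the host's release string; that value is consumed as `DIB_RELEASE` in the `ipa_build_dib_env_default` hunk. The comment should say the two overrides belong together, e.g. `# Set ipa_build_release as well when overriding ipa_build_distro; the host release only matches the host distribution.` The distro value is also used verbatim as a DIB element name in `ipa_build_dib_elements_default`, so it is worth stating that it must name an existing DIB element. A deployment ramdisk built from an unintended base is hard to notice after the fact.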
@@ -48,7 +57,7 @@ ipa_build_dib_elements: > # Dictionary of default environment variables to provide to Diskimage Builder # (DIB) during IPA image build. ipa_build_dib_env_default: - DIB_RELEASE: "{{ os_release }}" + DIB_RELEASE: "{{ ipa_build_release }}" DIB_CONTAINERFILE_RUNTIME: "{{ container_engine }}" DIB_CONTAINERFILE_RUNTIME_ROOT: "{{ (container_engine == 'podman') | int }}" DIB_REPOLOCATION_ironic_python_agent: "{{ ipa_build_source_url }}" @@ -86,9 +95,9 @@ ipa_build_dib_git_elements: >- {{ ipa_build_dib_git_elements_default + ipa_build_dib_git_elements_extra }} # List of DIB packages to install. Default is ["python3-yaml"] when -# when os_distribution is "rocky", otherwise []. +# when ipa_build_distro is "rocky", otherwise []. ipa_build_dib_packages: >- - {{ ["python3-yaml"] if os_distribution == 'rocky' else [] }} + {{ ["python3-yaml"] if ipa_build_distro == 'rocky' else [] }} # Upper constraints file for installing packages in the virtual environment # used for building IPA images. Default is {{ pip_upper_constraints_file }}. diff --git a/etc/kayobe/ipa.yml b/etc/kayobe/ipa.yml index bfe675d97..88e67476e 100644 --- a/etc/kayobe/ipa.yml +++ b/etc/kayobe/ipa.yml @@ -7,6 +7,14 @@ # Whether to build IPA images from source. #ipa_build_images: +# Override the OS distribution used to build IPA images. Default is the host +# distribution. +#ipa_build_distro: + +# Override the OS release used to build IPA images. Default is the host +# release. +#ipa_build_release: + # URL of IPA source repository. #ipa_build_source_url: 
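Review bot: The rewritten comment line in the `ipa_build_dib_packages` hunk keeps a duplicated word: the context line above ends in "when" and the new line starts with "when" again. Since the line is being touched anyway, it could read `# ipa_build_distro is "rocky", otherwise [].`. The same duplication is carried over in the matching `ipa_build_dib_packages` hunk of `etc/kayobe/ipa.yml`.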
@@ -24,9 +32,10 @@ # List of default Diskimage Builder (DIB) elements to use when building IPA # images. Default is ["rocky-container", "dynamic-login", -# "enable-serial-console", "ironic-python-agent-ramdisk"] when os_distribution -# is "rocky", and ["ubuntu", "dynamic-login", "enable-serial-console", -# "ironic-python-agent-ramdisk"] otherwise. +# "enable-serial-console", "ironic-python-agent-ramdisk", "baremetal"] when +# ipa_build_distro is "rocky", and [ipa_build_distro, "dynamic-login", +# "enable-serial-console", "ironic-python-agent-ramdisk", "baremetal"] +# otherwise. #ipa_build_dib_elements_default: # List of additional Diskimage Builder (DIB) elements to use when building IPA @@ -65,7 +74,7 @@ #ipa_build_dib_git_elements: # List of DIB packages to install. Default is ["python3-yaml"] when -# when os_distribution is "rocky", otherwise []. +# when ipa_build_distro is "rocky", otherwise []. #ipa_build_dib_packages: # Upper constraints file for installing packages in the virtual environment diff --git a/playbooks/kayobe-overcloud-host-configure-base/run.yml b/playbooks/kayobe-overcloud-host-configure-base/run.yml index bca6bc7f4..688166c32 100644 --- a/playbooks/kayobe-overcloud-host-configure-base/run.yml +++ b/playbooks/kayobe-overcloud-host-configure-base/run.yml @@ -34,6 +34,7 @@ command: "{{ testinfra_venv }}/bin/py.test {{ test_path }} --html={{ logs_dir }}/test-results.html --self-contained-html" environment: SITE_MIRROR_FQDN: "{{ zuul_site_mirror_fqdn }}" + FAIL2BAN_ENABLED: "{{ fail2ban_enabled | default(false) }}" - name: Test bouncing interfaces shell: diff --git a/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py b/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py index 977fbc89e..1a7a083d5 100644 --- a/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py 
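Review bot: `FAIL2BAN_ENABLED` in the `run.yml` hunk is rendered from the raw variable, while the test helper accepts only the string `true` (case-insensitive), so a truthy value such as `yes` or `1` would silently skip the fail2ban checks instead of running them. Normalising in the template closes that gap: `FAIL2BAN_ENABLED: "{{ fail2ban_enabled | default(false) | bool }}"`. A skipped check on a brute-force protection control looks the same as a green run, so the strict conversion is worth having. The task this `environment` block belongs to starts outside the hunk.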
+++ b/playbooks/kayobe-overcloud-host-configure-base/tests/test_overcloud_host_configure.py @@ -33,6 +33,10 @@ def _is_ubuntu_noble(): return name == 'Ubuntu' and version == '24.04' +def _is_fail2ban_enabled(): + return os.environ.get('FAIL2BAN_ENABLED', 'false').lower() == 'true' + + def test_network_ethernet(host): interface = host.interface('dummy2') assert interface.exists @@ -344,11 +348,13 @@ def test_firewalld_rules(host): assert expected_line in info assert expected_line in perm_info +@pytest.mark.skipif(not _is_fail2ban_enabled(), reason="fail2ban not enabled") def test_fail2ban_running(host): assert host.package("fail2ban").is_installed assert host.service("fail2ban.service").is_enabled assert host.service("fail2ban.service").is_running +@pytest.mark.skipif(not _is_fail2ban_enabled(), reason="fail2ban not enabled") def test_fail2ban_default_jail_config(host): # verify that sshd jail is enabled by default status = host.check_output("sudo fail2ban-client status sshd") diff --git a/releasenotes/notes/override-ipa-distro-8fd2d786758e59e3.yaml b/releasenotes/notes/override-ipa-distro-8fd2d786758e59e3.yaml new file mode 100644 index 000000000..e26e05dff --- /dev/null +++ b/releasenotes/notes/override-ipa-distro-8fd2d786758e59e3.yaml @@ -0,0 +1,6 @@ +--- +features: + - | + The OS distribution and release used to build IPA images can now + be customised using the `ipa_build_distro` and `ipa_build_release` + overrides. diff --git a/zuul.d/jobs.yaml b/zuul.d/jobs.yaml index 042114e69..ee817b185 100644 --- a/zuul.d/jobs.yaml +++ b/zuul.d/jobs.yaml @@ -107,6 +107,7 @@ is_slurp: "{{ 'slurp' in zuul.job }}" previous_release: "{{ '2025.1' if is_slurp else '2025.2' }}" tls_enabled: false + fail2ban_enabled: false container_engine: 'docker' ci_network_engine: default ironic_boot_mode: "bios"
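Review bot: `_is_fail2ban_enabled()` has no docstring and treats an unset or unrecognised `FAIL2BAN_ENABLED` as disabled, so both decorated fail2ban tests skip by default rather than fail. A docstring should state that contract, for example `"""Return True only if FAIL2BAN_ENABLED is 'true' (case-insensitive); unset means the fail2ban tests are skipped."""`. The `os` import the helper relies on is not visible in this hunk, so presumably it already exists at the top of the file.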
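Review bot: `fail2ban_enabled: false` in the `zuul.d/jobs.yaml` hunk is added to what appears to be shared job vars, and nothing in the visible diff sets it to `true` for any job, so the two fail2ban tests may now be skipped in every run. If a job does deploy fail2ban, it should carry `fail2ban_enabled: true` so the sshd jail check keeps running. Otherwise a comment next to the new line would record the intent, e.g. `# Set to true in jobs that deploy fail2ban so its tests are not skipped.` The job definition starts outside the hunk.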