diff --git a/.gitignore b/.gitignore index a806510..2fda708 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,5 @@ result result-* +# ---> Ansible +*.retry diff --git a/flake.nix b/flake.nix index 9552d18..d44d0a0 100644 --- a/flake.nix +++ b/flake.nix @@ -64,6 +64,7 @@ }) inputs.agenix.packages.${system}.default inputs.plasma-manager.packages.${system}.rc2nix + pkgs.ansible ]; }; }; diff --git a/inventory.yaml b/inventory.yaml new file mode 100644 index 0000000..d000ff1 --- /dev/null +++ b/inventory.yaml @@ -0,0 +1,6 @@ +ovh: + hosts: + siberys: + ansible_host: siberys.qenya.tel + vars: + ansible_user: fedora diff --git a/playbook.yaml b/playbook.yaml new file mode 100644 index 0000000..1be005a --- /dev/null +++ b/playbook.yaml @@ -0,0 +1,30 @@ +- name: Initial setup + hosts: ovh + tasks: + - name: Ensure hostname is correct + ansible.builtin.hostname: + name: '{{ inventory_hostname }}' + become: yes + - name: Ensure password authentication for SSH is disabled + ansible.builtin.lineinfile: + dest: /etc/ssh/sshd_config + regexp: '^#?PasswordAuthentication' + line: "PasswordAuthentication no" + state: present + backup: yes + become: yes + notify: + - restart ssh + - name: Update authorized SSH keys for Ansible user + ansible.builtin.copy: + dest: '/home/{{ ansible_user }}/.ssh/authorized_keys' + # TODO: template this from a separate config file + content: | + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJEmkV9arotms79lJPsLHkdzAac4eu3pYS08ym0sB/on qenya@tohru + ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFjBuuxo+w3yED0aPnsNb8S90p/GgBqFEG9K4ETZ5Wkq qenya@kilgharrah + + handlers: + - name: restart ssh + service: + name: sshd + state: restarted
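Review bot: In playbook.yaml the play disables password authentication before it rewrites `authorized_keys`, and because `ansible.builtin.copy` replaces the file wholesale, a key list that omits the key this run is connecting with locks the host out once the `restart ssh` handler fires; run the authorized-keys task first and keep the active key in its `content`. The `lineinfile` task should also let sshd check the edited file before it is installed, `validate: /usr/sbin/sshd -t -f %s`, so a bad edit cannot take the daemon down on restart, and since recent Fedora ships `Include /etc/ssh/sshd_config.d/*.conf` at the top of `sshd_config` with first-obtained-value semantics, a drop-in there (cloud images often carry one) can silently override this line — confirm the effective setting with `sshd -T` after the play. The copy task sets no `owner`, `group` or `mode`, so the file takes the remote umask default and the task fails outright if `.ssh` does not yet exist; add `mode: '0600'` with owner/group `{{ ansible_user }}` and a preceding `ansible.builtin.file` task creating the directory with `state: directory` and `mode: '0700'`. Minor style: `become: yes` and `backup: yes` should be `true`, and the handler's bare `service` module should use the FQCN `ansible.builtin.service` like the tasks do.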