diff --git a/.gitignore b/.gitignore
index 5e15dbc..f1ee8b4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -2,3 +2,5 @@
 .terraform*
 terraform.tfstate*
 .infracost
+privkey.pem
+inventory.ini
diff --git a/Makefile b/Makefile
index d203d3c..75c9428 100644
--- a/Makefile
+++ b/Makefile
@@ -1,8 +1,20 @@
 
+SSH := ssh -o "StrictHostKeyChecking=no" -o UserKnownHostsFile=/dev/null -o ProxyCommand="sh -c \"aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters portNumber=%p\"" -i privkey.pem -l ubuntu
 
+default: terraform ansible
 
-default:
+ssh_setup:
+	chmod 600 privkey.pem
+	$(eval INSTANCE := $(shell terraform output instance_id | sed -e 's/"//g'))
+
+ansible: ssh_setup
+	$(SSH) $(INSTANCE) "which -a ansible || (sudo apt-get update && sudo apt-get -y install ansible)"
+	sed -e 's/{{INSTANCE}}/$(INSTANCE)/' inventory.tmpl.ini > inventory.ini
+	ansible-playbook -i inventory.ini --private-key privkey.pem -l nextcloud site.yaml
+
+terraform:
 	terraform init
 	terraform apply
 
+.PHONY: ssh_setup ansible terraform
 
diff --git a/inventory.tmpl.ini b/inventory.tmpl.ini
new file mode 100644
index 0000000..9f3ef33
--- /dev/null
+++ b/inventory.tmpl.ini
@@ -0,0 +1,4 @@
+[nextcloud]
+nextcloud ansible_host={{INSTANCE}} ansible_user=ubuntu
+[nextcloud:vars]
+ansible_ssh_common_args=-o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ProxyCommand="sh -c \"aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters portNumber=%p\""
diff --git a/nextcloud.tf b/nextcloud.tf
index 0693663..8af2263 100644
--- a/nextcloud.tf
+++ b/nextcloud.tf
@@ -30,7 +30,7 @@ module "vpc" {
   name = "nextcloud-vpc"
   cidr = "10.69.0.0/16"
 
-  azs             = ["us-west-1a"]
+  azs             = ["us-west-2a"]
 #  private_subnets = ["10.69.101.0/24"]
   private_subnets = []
   public_subnets  = ["10.69.1.0/24"]
@@ -44,10 +44,32 @@ module "vpc" {
 #  }
 }
 
+resource "tls_private_key" "n" {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
+
+resource "aws_key_pair" "n" {
+  key_name   = "nextcloud"
+  public_key = tls_private_key.n.public_key_openssh
+}
+
+resource "local_file" "aws_key" {
+  content  = tls_private_key.n.private_key_pem
+  filename = "privkey.pem"
+}
+
 resource "aws_instance" "nextcloud" {
-  ami           = "ami-078278691222aee06"
-  instance_type = "t4g.micro"
-  subnet_id     = module.vpc.public_subnets.0
+  ami                  = "ami-078278691222aee06"
+  instance_type        = "t4g.micro"
+  subnet_id            = module.vpc.public_subnets.0
+  key_name             = aws_key_pair.n.key_name
+  iam_instance_profile = aws_iam_instance_profile.nextcloud.name
+
+  user_data = <<EOF
+#!/bin/bash
+sudo snap install amazon-ssm-agent --classic
+EOF
 
   tags = {
     Name = "nextcloud"
@@ -59,3 +81,51 @@ resource "aws_instance" "nextcloud" {
 #  instance = aws_instance.nextcloud.id
 #}
 
+resource "aws_iam_instance_profile" "nextcloud" {
+  name = "nextcloud"
+  role = aws_iam_role.nextcloud.name
+  path = "/"
+}
+
+resource "aws_iam_role" "nextcloud" {
+  name               = "nextcloud"
+  assume_role_policy = data.aws_iam_policy_document.assume_role_policy.json
+  path               = "/"
+  description        = "SSM permissions for Nextcloud"
+}
+
+data "aws_iam_policy_document" "assume_role_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+
+    principals {
+      type        = "Service"
+      identifiers = ["ec2.amazonaws.com"]
+    }
+  }
+}
+
+resource "aws_iam_policy" "nextcloud" {
+  name        = "nextcloud"
+  policy      = data.aws_iam_policy.nextcloud.policy
+  path        = "/"
+  description = "SSM permissions for Nextcloud"
+}
+
+resource "aws_iam_role_policy_attachment" "nextcloud" {
+  role       = aws_iam_role.nextcloud.name
+  policy_arn = aws_iam_policy.nextcloud.arn
+}
+
+locals {
+  iam_name   = "nextcloud-session-manager"
+}
+
+data "aws_iam_policy" "nextcloud" {
+  arn = "arn:aws:iam::aws:policy/service-role/AmazonEC2RoleforSSM"
+}
+
+output "instance_id" {
+  value = aws_instance.nextcloud.id
+}
+
diff --git a/roles/nextcloud/files/docker-compose.yaml b/roles/nextcloud/files/docker-compose.yaml
new file mode 100644
index 0000000..b9c96e6
--- /dev/null
+++ b/roles/nextcloud/files/docker-compose.yaml
@@ -0,0 +1,35 @@
+---
+
+version: '2'
+
+volumes:
+  nextcloud:
+  db:
+
+services:
+  db:
+    image: mariadb
+    restart: always
+    command: --transaction-isolation=READ-COMMITTED --binlog-format=ROW
+    volumes:
+      - db:/var/lib/mysql
+    environment:
+      - MYSQL_ROOT_PASSWORD=
+      - MYSQL_PASSWORD=
+      - MYSQL_DATABASE=nextcloud
+      - MYSQL_USER=nextcloud
+
+  app:
+    image: nextcloud
+    restart: always
+    ports:
+      - 8080:80
+    links:
+      - db
+    volumes:
+      - nextcloud:/var/www/html
+    environment:
+      - MYSQL_PASSWORD=
+      - MYSQL_DATABASE=nextcloud
+      - MYSQL_USER=nextcloud
+      - MYSQL_HOST=db
diff --git a/roles/nextcloud/tasks/main.yaml b/roles/nextcloud/tasks/main.yaml
new file mode 100644
index 0000000..03941d6
--- /dev/null
+++ b/roles/nextcloud/tasks/main.yaml
@@ -0,0 +1,10 @@
+---
+
+- name: create paths
+  file:
+    path: /srv/nextcloud/{item}
+    state: directory
+  with_items:
+    - db
+    - data
+
diff --git a/site.yaml b/site.yaml
new file mode 100644
index 0000000..a7be44b
--- /dev/null
+++ b/site.yaml
@@ -0,0 +1,10 @@
+---
+
+#- name: get environment
+#  ec2_metadata_facts:
+
+- name: setup nextcloud instance
+  hosts: nextcloud
+  roles:
+  - { role: nextcloud, become: yes }
+