diff --git a/.gitignore b/.gitignore
index 8cbba92..08a6f72 100644
--- a/.gitignore
+++ b/.gitignore
@@ -216,3 +216,5 @@ cython_debug/
 # PyPI configuration file
 .pypirc
+*.key
+.ansible
diff --git a/.vscode/settings.json b/.vscode/settings.json
new file mode 100644
index 0000000..481a9a4
--- /dev/null
+++ b/.vscode/settings.json
@@ -0,0 +1,3 @@
+{
+ "ansible.python.interpreterPath": "/Users/max/Documents/GitHub/hetzner-cluster/.venv/bin/python"
+}
\ No newline at end of file
diff --git a/Taskfile.yml b/Taskfile.yml
new file mode 100644
index 0000000..32c4f00
--- /dev/null
+++ b/Taskfile.yml
@@ -0,0 +1,12 @@
+version: 3
+
+tasks:
+ vault: ansible-vault edit vault.yml {{.CLI_ARGS}}
+ tf:apply: ansible-playbook playbooks/provision.yml {{.CLI_ARGS}}
+ tf:destroy: ansible-playbook playbooks/destroy.yml {{.CLI_ARGS}}
+
+ enter:
+ cmd: ssh -i {{.KEY}} -p 22 root@{{.IP}}
+ vars:
+ KEY: { sh: ansible-vault view vault.yml | yq -r .secret.private_key_file }
+ IP: { sh: "cat secrets/terraform_outputs.yml | jq -r '.box_ip.value[\"kthw-jumphost\"]'" }
\ No newline at end of file
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..63c126b
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,13 @@
+[defaults]
+callbacks_enabled = profile_tasks
+localhost_warning = False
+vault_password_file = vault.key
+interpreter_python = /usr/bin/python3.11
+
+[inventory]
+inventory_unparsed_warning = False
+
+[ssh_connection]
+ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o ForwardAgent=yes -o IdentityAgent=none
+pipelining = True
+retries = 2
\ No newline at end of file
diff --git a/playbooks/destroy.yml b/playbooks/destroy.yml
new file mode 100644
index 0000000..4b1908a
--- /dev/null
+++ b/playbooks/destroy.yml
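Review bot: The new `*.key` entry covers the vault password file, but the artifacts the new playbooks write next to it are still trackable: `playbooks/provision.yml` copies the Terraform outputs into `secrets/terraform_outputs.yml` and produces `plan.out`, and `Taskfile.yml` reads the former back, so a plain `git add .` after a first apply would commit both. Add `secrets/` and `plan.out` beside `.ansible` (`plan.out` without a leading slash matches it wherever the module resolves the relative `plan_file`), and `.terraform/` if the module initialises inside `terraform/`. The hunk is the tail of a longer `.gitignore`; the earlier entries are outside the diff.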
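Review bot: The `ansible.python.interpreterPath` value is an absolute path under one user's home directory (`/Users/max/...`), so the setting does nothing on any other checkout and commits local directory layout into the repository. Use a workspace-relative form, `"ansible.python.interpreterPath": "${workspaceFolder}/.venv/bin/python"`, if the Ansible extension resolves VS Code variables, or keep `.vscode/settings.json` out of version control altogether. The file also lacks a trailing newline, as the diff flags.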
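Review bot: The `enter` task assumes `secrets/terraform_outputs.yml` already exists; because the `IP` var's `cat … | jq` pipeline reports jq's exit status, a missing file yields an empty `IP` and the `ssh` line runs against a bare `root@` with an error that says nothing about `tf:apply`. Passing the file to `jq` directly makes the failure visible, and a `preconditions` entry on the task states the dependency explicitly with a message. The `vault` and `tf:*` one-liners are fine as written.

```yaml
  enter:
    preconditions:
      - sh: test -f secrets/terraform_outputs.yml
        msg: "secrets/terraform_outputs.yml is missing; run 'task tf:apply' first"
    # … unchanged: cmd …
    vars:
      # … unchanged: KEY var …
      IP: { sh: "jq -r '.box_ip.value[\"kthw-jumphost\"]' secrets/terraform_outputs.yml" }
```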
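Review bot: `ssh_args` under `[ssh_connection]` turns on `ForwardAgent=yes` for every connection while also setting `IdentityAgent=none`, and the two pull in opposite directions: if the agent setting is honoured there is nothing to forward, and if an agent is picked up anyway it is forwarded into `root` sessions on every managed host, where anyone with root can use your local keys for the life of the session. Unless a task on the hosts genuinely needs agent access, drop the forward: `ssh_args = -o ControlMaster=auto -o ControlPersist=60s -o IdentityAgent=none`. `vault_password_file = vault.key` depends on the `*.key` ignore rule added in the same commit; a one-line comment above it saying the file must never be committed would help the next reader.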
@@ -0,0 +1,15 @@
+- name: Deploy terraform infrastructure.
+ hosts: localhost
+ gather_facts: false
+ vars_files:
+ - ../vault.yml
+ tasks:
+ - name: Destroy
+ community.general.terraform:
+ project_path: '../terraform'
+ state: "absent"
+ init_reconfigure: true
+ force_init: true
+ backend_config: "{{ terraform.backend }}"
+ variables: "{{ terraform.variables }}"
+ complex_vars: true
diff --git a/playbooks/provision.yml b/playbooks/provision.yml
new file mode 100644
index 0000000..dcfb631
--- /dev/null
+++ b/playbooks/provision.yml
@@ -0,0 +1,40 @@
+- name: Deploy terraform infrastructure.
+ hosts: localhost
+ gather_facts: false
+ vars_files:
+ - ../vault.yml
+ tasks:
+ - name: Reconfigure and plan.
+ community.general.terraform:
+ project_path: '../terraform'
+ state: "planned"
+ plan_file: plan.out
+ init_reconfigure: true
+ force_init: true
+ backend_config: "{{ terraform.backend }}"
+ variables: "{{ terraform.variables }}"
+ complex_vars: true
+
+ - name: Apply.
+ community.general.terraform:
+ project_path: '../terraform'
+ state: "present"
+ plan_file: plan.out
+ backend_config: "{{ terraform.backend }}"
+ variables: "{{ terraform.variables }}"
+ complex_vars: true
+ no_color: false
+ register: terraform_apply
+
+ - name: Create secret directory.
+ ansible.builtin.file:
+ path: ../secrets
+ recurse: true
+ mode: "0755"
+ state: directory
+
+ - name: Send outputs to file.
+ ansible.builtin.copy:
+ content: "{{ terraform_apply.outputs }}"
+ dest: ../secrets/terraform_outputs.yml
+ mode: '0755'
diff --git a/requirements.txt b/requirements.txt
new file mode 100644
index 0000000..d74761d
--- /dev/null
+++ b/requirements.txt
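Review bot: The play is named `Deploy terraform infrastructure.` although its only task runs `community.general.terraform` with `state: "absent"`; the name is printed at the top of every run and will mislead whoever is watching a destroy. Rename it, `- name: Destroy terraform infrastructure.`. Since `task tf:destroy` invokes this playbook with no confirmation, a `vars_prompt` asking the operator to type the cluster name before the task runs would keep a mistyped task name from tearing everything down.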
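Review bot: `Send outputs to file.` writes the raw Terraform outputs to `../secrets/terraform_outputs.yml` with `mode: '0755'`, which makes a secrets file world-readable and executable, and `Create secret directory.` gives the directory `0755` as well. The outputs are written verbatim from `terraform_apply.outputs`, so any output Terraform marks sensitive presumably lands in that file too. Tighten both: `mode: "0700"` on the directory and `mode: '0600'` on the file. The two `community.general.terraform` tasks repeat the same `project_path`/`backend_config`/`variables`/`complex_vars` block (destroy.yml repeats it again); a play-level `module_defaults` for `community.general.terraform` would remove the duplication.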
@@ -0,0 +1,32 @@
+ansible==13.1.0
+ansible-compat==25.12.0
+ansible-core==2.20.1
+ansible-lint==25.12.1
+attrs==25.4.0
+black==25.12.0
+bracex==2.6
+cffi==2.0.0
+click==8.3.1
+cryptography==46.0.3
+distro==1.9.0
+filelock==3.20.1
+go-task-bin==3.46.3
+Jinja2==3.1.6
+jsonschema==4.25.1
+jsonschema-specifications==2025.9.1
+MarkupSafe==3.0.3
+mypy_extensions==1.1.0
+packaging==25.0
+pathspec==0.12.1
+platformdirs==4.5.1
+pycparser==2.23
+pytokens==0.3.0
+PyYAML==6.0.3
+referencing==0.37.0
+resolvelib==1.2.1
+rpds-py==0.30.0
+ruamel.yaml==0.18.17
+ruamel.yaml.clib==0.2.15
+subprocess-tee==0.4.2
+wcmatch==10.1
+yamllint==1.37.1
diff --git a/vault.yml b/vault.yml
new file mode 100644
index 0000000..257e0d4
--- /dev/null
+++ b/vault.yml
@@ -0,0 +1,6 @@
+$ANSIBLE_VAULT;1.1;AES256
+66386336613362316538646161323838613765646266313132363562306333373034383937373035
+3364306539353535313531613039376134383837663465320a356663313263346336646335613030
+39363864653437643032386534336166666233366162363334326631333361393435333339653332
+3533653139633830380a323635316266666564353537626430656436303634373334633130356339
+6232