diff --git a/README.md b/README.md
new file mode 100644
index 0000000..c31cbc7
--- /dev/null
+++ b/README.md
@@ -0,0 +1,9 @@
+#hpc-cloud
+
+This repository will contain playbooks to bring up openstack components inside docker containers.
+
+It makes use of [/home/egon/projects/hpc-cloud/roles/common/tasks/users.yml](ansible roles).
+The roles can be set in the inventory file (hosts)
+
+Cirrently,Tue 25 Apr 2017 02:45:20 PM CEST, only mariadb and keystone are implemented. They can be brought up with
+ $ ansible-playbook main.yml
diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..3653316
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,2 @@
+[defaults]
+hostfile = hosts
diff --git a/docker-keystone/Dockerfile b/docker-keystone/Dockerfile
deleted file mode 100644
index ef5ba25..0000000
--- a/docker-keystone/Dockerfile
+++ /dev/null
@@ -1,20 +0,0 @@
-FROM python:2.7
-
-RUN git clone https://git.openstack.org/openstack/keystone.git
-WORKDIR /keystone
-RUN pip install MySQL-python==1.2.5 \
- uWSGI==2.0.15 \
- requests==2.12
-CMD tail -f /dev/null
-RUN pip install .
-
-RUN mkdir /etc/keystone
-RUN cp -R etc/* /etc/keystone/
-RUN sed "s|database]|database]\nconnection = mysql://keystone:keystone@mariadb/keystone|g" /etc/keystone/keystone.conf.sample > /etc/keystone/keystone.conf
-RUN sed -i 's/#admin_token = ADMIN/admin_token = SuperSecreteKeystoneToken/g' /etc/keystone/keystone.conf
-RUN mkdir /etc/keystone/fernet-keys
-RUN keystone-manage db_sync
-RUN keystone-manage fernet_setup --keystone-user root --keystone-group root
-
-CMD uwsgi --http 127.0.0.1:35357 --wsgi-file /usr/local/bin/keystone-wsgi-admin
-
diff --git a/hosts b/hosts
new file mode 100644
index 0000000..cdf398c
--- /dev/null
+++ b/hosts
@@ -0,0 +1,6 @@
+[databases]
+ansible-test
+[keystone]
+ansible-test
+
+
diff --git a/main.yml b/main.yml
new file mode 100644
index 0000000..f8f9e75
--- /dev/null
+++ b/main.yml
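Review bot: `hostfile = hosts` in ansible.cfg uses the legacy name of the inventory setting; the current key is `inventory`, and `hostfile` was deprecated in its favour and is dropped by later Ansible releases (confirm against the version you target). Change the line to `inventory = hosts` so the config keeps working after an upgrade.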
@@ -0,0 +1,13 @@
+---
+# Run all plays as root.
+- hosts: databases
+ become: True
+ roles:
+ - common
+ - mariadb
+
+- hosts: keystone
+ become: True
+ roles:
+ - common
+ - keystone
diff --git a/mariadb.yml b/mariadb.yml
deleted file mode 100644
index 3952d18..0000000
--- a/mariadb.yml
+++ /dev/null
@@ -1,20 +0,0 @@
-# Install a docker based mariadb.
----
-- name: Install a mariadb server with databases in a persistent volume
- hosts: all # Should be specified of course
- become: True
- tasks:
- - include: tasks/docker.yml
- - name: install service file.
- template:
- src: files/mysql.service
- dest: /etc/systemd/system/mysql.service
- mode: 644
- owner: root
- group: root
- - name: install service file
- command: systemctl daemon-reload
- - name: make sure service is started
- systemd:
- name: mysql.service
- state: started
diff --git a/roles/common/files/sshd_config b/roles/common/files/sshd_config
new file mode 100644
index 0000000..b544c52
--- /dev/null
+++ b/roles/common/files/sshd_config
@@ -0,0 +1,88 @@
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 1024
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin prohibit-password
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+#PasswordAuthentication yes
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding yes
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG
LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication. Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
diff --git a/tasks/docker.yml b/roles/common/tasks/docker.yml
similarity index 68%
rename from tasks/docker.yml
rename to roles/common/tasks/docker.yml
index 6da4700..e258016 100644
--- a/tasks/docker.yml
+++ b/roles/common/tasks/docker.yml
@@ -8,5 +8,8 @@
 repo: deb https://apt.dockerproject.org/repo ubuntu-xenial main
 update_cache: yes
-- apt:
- name: docker-engine
+- name: install docker
+ apt: pkg={{ item }} state=latest
+ with_items:
+ - docker-engine
+ - python-docker
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
new file mode 100644
index 0000000..0287ed1
--- /dev/null
+++ b/roles/common/tasks/main.yml
@@ -0,0 +1,28 @@
+- group:
+ name: admin
+ state: present
+
+- name: Passwordless sudo for admins
+ lineinfile: dest=/etc/sudoers line="%admin ALL=(ALL:ALL) NOPASSWD:ALL"
+
+- include: users.yml
+
+- name: common | install packages
+ apt: pkg={{ item }} state=latest update_cache=yes
+ with_items:
+ - curl
+ - htop
+ - molly-guard
+ - sudo
+ - tree
+ - vim
+ - python-simplejson
+
+- name: sshd_config
+ file:
+ src: files/sshd_config
+ dest: /etc/ssh/sshd_config
+ mode: 0644
+ owner: root
+ group: root
+
diff --git a/roles/common/tasks/users.yml b/roles/common/tasks/users.yml
new file mode 100644
index 0000000..47e5979
--- /dev/null
+++ b/roles/common/tasks/users.yml
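Review bot: `PasswordAuthentication` is left at its default in this file (only the commented `#PasswordAuthentication yes` appears), so together with `UsePAM yes` password logins remain enabled even though roles/common/tasks/users.yml provisions the admin accounts with SSH keys; add an explicit `PasswordAuthentication no`. `X11Forwarding yes` is not needed on a headless server and exposes the X session of every connecting client to the host, so `X11Forwarding no` (sshd's own default) is the safer choice. The protocol-1 directives (`KeyRegenerationInterval`, `ServerKeyBits`, `RSAAuthentication`, `RhostsRSAAuthentication`) and the `ssh_host_dsa_key` HostKey are ignored or rejected by recent OpenSSH releases, which dropped protocol 1 and disabled DSA host keys around the 7.x series, so they only generate warnings and can be pruned.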
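Review bot: `state=latest` on the added `install docker` task upgrades docker-engine and python-docker to whatever the repository serves at the time of each run, so hosts drift apart and the docker daemon may be restarted mid-play; use `state=present` with a pinned version (`pkg={{ item }}` where the item is `docker-engine=<version>`) so the play stays idempotent and reproducible. The hunk starts at line 8, so the `apt_repository` task whose `repo:`/`update_cache:` lines appear as context, and any `apt_key` task before it, are outside the hunk — make sure the repository signing key is imported and verified there before packages are installed from `https://apt.dockerproject.org/repo`.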
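Review bot: The `sshd_config` task in roles/common/tasks/main.yml uses the `file` module with `src:`, but `file` never copies content (`src` is only meaningful for `state: link`/`hard`), so the role's sshd_config is never written to /etc/ssh/sshd_config and the hardening in it does not apply; use `copy:` as the `install Dockerfile` task in roles/keystone/tasks/main.yml does, add `validate: '/usr/sbin/sshd -t -f %s'`, and notify a handler that reloads ssh. The `Passwordless sudo for admins` task edits /etc/sudoers with `lineinfile` and no validation; a malformed line there disables sudo for every account on the host, so add `validate: '/usr/sbin/visudo -cf %s'` (or write the rule to a file under /etc/sudoers.d/ instead). `state=latest` on the `common | install packages` task has the same drift problem as the docker task in roles/common/tasks/docker.yml; `state=present` is the idempotent form.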
@@ -0,0 +1,21 @@
+---
+# Tasks to set users
+- user:
+ group: admin
+ name: "{{ item }}"
+ with_items:
+ - egon
+ - wim
+
+- name: wim key
+ authorized_key:
+ user: wim
+ key: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDPcJbucOFOFrPZwM1DKOvscYpDGYXKsgeh3/6skmZn/IhLWYHY6oanm4ifmY3kU0oNXpKgHR43x3JdkIRKmrEpYULspwdlj/ZKPYxFWhVaSTjJvmSJEgy7ET1xk+eVoKV1xRWm/BugWpbseFAOcI9ZwfH++S8JhfX6GgCIy06RUpM8EcFAWb/GO699ZnQ67qMxNdSWYHtK1zu+9svWgEzPk4zc2TihJsc7DxcfQCNfQ4vKH1Im3+QfG5bRtdyVl9yjbE+o4EWhPEWsTBgBosJfbqfywsuzibhTgyybR0Zzm4JN6Wh5wVazvNutAB291dIJt22XEx5tCyOAjLPybLy3 wim@wim-HP-Compaq-Elite-8300-MT'
+ state: present
+
+- name: egon_key
+ authorized_key:
+ user: egon
+ key: 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUBdTEHUj6MxvfEU7KcI+UPAvqJ9jGJ7hHm3e7XFTb9 egon@egon-pc'
+ state: present
+
diff --git a/roles/keystone/files/Dockerfile b/roles/keystone/files/Dockerfile
new file mode 100644
index 0000000..3ad8e49
--- /dev/null
+++ b/roles/keystone/files/Dockerfile
@@ -0,0 +1,38 @@
+# Build keystone. It needs to be run with
+# --add-host=mariadb:
+# Wen starting with an initialized db,
+# run keystone-manage db_sync from this docker first:
+# $ docker run hpc/keystone --add-host=mariadb: "keystone-manage db_sync"
+
+FROM python:2.7
+
+# Clone the offical keystone repo and checkout ocata.
+RUN git clone https://git.openstack.org/openstack/keystone.git -b stable/ocata
+
+# all furter commands are done from /keystone directory.
+WORKDIR /keystone
+
+# Install python dependencies
+RUN pip install MySQL-python==1.2.5 \
+ uWSGI==2.0.15 \
+ requests==2.12
+
+# Install keystone.
+RUN pip install .
+
+#Install keystone settings files
+RUN mkdir /etc/keystone
+RUN cp -R etc/* /etc/keystone/
+
+# configure keystone to connect to mariadb host.
+RUN sed "s|database]|database]\nconnection = mysql://keystone:keystone@mariadb/keystone|g" /etc/keystone/keystone.conf.sample > /etc/keystone/keystone.conf
+
+# set admin token TODO: make this a secret
+RUN sed -i 's/#admin_token = ADMIN/admin_token = SuperSecreteKeystoneToken/g' /etc/keystone/keystone.conf
+
+RUN mkdir /etc/keystone/fernet-keys
+
+#RUN keystone-manage db_sync
+CMD keystone-manage fernet_setup --keystone-user root --keystone-group root && \
+ uwsgi --http 127.0.0.1:35357 --wsgi-file /usr/local/bin/keystone-wsgi-admin
+
diff --git a/roles/keystone/files/keystone.service b/roles/keystone/files/keystone.service
new file mode 100644
index 0000000..0c1ffcb
--- /dev/null
+++ b/roles/keystone/files/keystone.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Openstack Keystone Container
+After=docker.service
+Requires=docker.service
+
+[Service]
+TimeoutStartSec=0
+Restart=always
+ExecStartPre=-/usr/bin/docker stop %n
+ExecStartPre=-/usr/bin/docker rm %n
+ExecStart=/usr/bin/docker run --name %n --add-host="mariadb:172.29.236.13" hpc/keystone
+
+[Install]
+WantedBy=multi-user.target
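Review bot: `uwsgi --http 127.0.0.1:35357` in the CMD binds only to the container's own loopback interface, so keystone cannot be reached from the host or from any other container, and the keystone.service unit in this commit publishes no port either; bind with `--http 0.0.0.0:35357` and map the port in the unit. The database password in `mysql://keystone:keystone@mariadb/keystone` and `admin_token = SuperSecreteKeystoneToken` are written into image layers by the two `sed` steps and are readable by anyone who can pull the image (the TODO already notes this for the token) — supply both at container start via environment or a config mounted into /etc/keystone, and prefer `keystone-manage bootstrap` over the admin_token mechanism. `fernet_setup` runs on every start and the unit uses `Restart=always`, so each restart regenerates the Fernet keys and invalidates every issued token; keep /etc/keystone/fernet-keys on a volume and run `fernet_setup` only when it is empty. The shell-form CMD leaves uwsgi behind a `/bin/sh -c` wrapper that does not pass SIGTERM on `docker stop`, and `FROM python:2.7` plus `git clone -b stable/ocata` are moving targets; pin a base tag or digest and a specific commit so the build is reproducible.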
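Review bot: `--add-host="mariadb:172.29.236.13"` hard-codes the database host's IP in a file that roles/keystone/tasks/main.yml installs with the `template` module, so it could be rendered from inventory instead, e.g. `--add-host="mariadb:{{ hostvars[groups['databases'][0]]['ansible_default_ipv4']['address'] }}"` (confirm the fact name for your Ansible version). The `docker run` line also publishes no port, so even once the Dockerfile binds to all interfaces the service is only reachable on the docker bridge; add `-p 35357:35357` or attach the container to a named network that the consumers share.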
diff --git a/roles/keystone/tasks/main.yml b/roles/keystone/tasks/main.yml
new file mode 100644
index 0000000..c8a3a41
--- /dev/null
+++ b/roles/keystone/tasks/main.yml
@@ -0,0 +1,35 @@
+# Build and install a docker image for keystone.
+---
+- include: ../common/tasks/docker.yml
+
+- name: Make docker build dir
+ file:
+ path: /srv/keystone
+ state: directory
+ mode: 0755
+
+- name: install Dockerfile
+ copy:
+ src: files/Dockerfile
+ dest: /srv/keystone
+
+- name: build keystone image
+ docker_image:
+ path: /srv/keystone
+ name: hpc/keystone
+
+- name: install service file.
+ template:
+ src: files/keystone.service
+ dest: /etc/systemd/system/keystone.service
+ mode: 644
+ owner: root
+ group: root
+
+- name: install service file
+ command: systemctl daemon-reload
+
+- name: make sure service is started
+ systemd:
+ name: keystone.service
+ state: started
diff --git a/files/mysql.service b/roles/mariadb/files/mysql.service
similarity index 100%
rename from files/mysql.service
rename to roles/mariadb/files/mysql.service
diff --git a/roles/mariadb/tasks/main.yml b/roles/mariadb/tasks/main.yml
new file mode 100644
index 0000000..f3f448a
--- /dev/null
+++ b/roles/mariadb/tasks/main.yml
@@ -0,0 +1,16 @@
+# Install a docker based mariadb.
+---
+- include: ../common/tasks/docker.yml
+- name: install service file.
+ template:
+ src: files/mysql.service
+ dest: /etc/systemd/system/mysql.service
+ mode: 644
+ owner: root
+ group: root
+- name: install service file
+ command: systemctl daemon-reload
+- name: make sure service is started
+ systemd:
+ name: mysql.service
+ state: started
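Review bot: `mode: 644` in the `install service file.` task is an unquoted decimal integer, which Ansible applies as 0o1204 (`--w----r-T`) rather than 0644; write `mode: 0644` as the `Make docker build dir` task already does, or quote it as `'0644'`. The same `mode: 644` appears in roles/mariadb/tasks/main.yml. `command: systemctl daemon-reload` runs and reports changed on every play; `systemd: daemon_reload: yes` (or a handler notified by the template task) is the idempotent form, and the two tasks both named `install service file` should get distinct names. The `docker_image` task with only `path`/`name` builds the image when it is absent and, as far as I can tell for this module version, does not rebuild when the Dockerfile changes; set `force: yes` or tag the image per revision if rebuilds are expected.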