diff --git a/README.md b/README.md
index e024115..8bb0c05 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,11 @@
 # Hermes
-Hermes is the VM that runs Dnsmasq for DHCP and DNS in our DMZ.
+Hermes is the virtual machine that performs DHCP and DNS on our DMZ network.
+It also acts as a SSH certificate authority.
+
+The VM is provisioned using Terraform and configured using Ansible.
+
+## Motivation
 The VMs on our DMZ might like to contact eachother.
 For example, one VM wants to clone a repository from the git server.
@@ -12,9 +17,9 @@ However, then the router needs to operate on the DMZ vlan, which is not ideal in
 Additionally, it would be nice to define the DNS in the DMZ in terms of infrastructure as code.
 This solution creates a seperate VM on the DMZ that acts as the DNS and DHCP server.
-Concretely, Dnsmasq does DHCPv4 and assigns DNS names according to hostnames.
+Concretely, Dnsmasq does DHCPv4 and assigns DNS names according to hostnames and MAC addresses.
 Additionally, it tries to match IPv6 addresses using the SLAAC algorithm in order to incorporate them as AAAA records in DNS as well (using `ra-names`).
-Dnsmasq also overwrites the public IP address to `192.168.30.3`.
+Dnsmasq also overwrites the public IP address to `192.168.30.3` to solve the above problem.
 What is needed from the router:
 - Static IPv4 addresses on the DMZ interface (`192.168.30.1/24`).
diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
new file mode 100644
index 0000000..65e6c38
--- /dev/null
+++ b/ansible/ansible.cfg
@@ -0,0 +1,9 @@
+[defaults]
+roles_path=roles
+inventory=inventory
+vault_password_file=util/secret-service-client.sh
+interpreter_python=/usr/bin/python3
+host_key_checking = False
+
+[diff]
+always = True
diff --git a/ansible/hermes.yml b/ansible/hermes.yml
new file mode 100644
index 0000000..49ff96d
--- /dev/null
+++ b/ansible/hermes.yml
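Review bot: `host_key_checking = False` in the new `[defaults]` section switches off SSH host-key verification for every play run from this directory, so the controller accepts whatever key is presented at 192.168.30.7; the same setting used to be passed per invocation in the removed `locals` block of main.tf and is now persistent project configuration. Because the VM is created with `use_host_cert = false` (terraform/main.tf), its host key cannot be validated against the host CA this repository ships, but the key can still be pinned on the controller after first boot (a known_hosts entry, optionally supplied through `ssh_args` in an `[ssh_connection]` section) and `host_key_checking` set back to `True`. If the setting has to stay for the unattended first run, a comment next to it stating that reason, e.g. `# disabled for the first unattended run; pin the host key and re-enable afterwards`, would make the trade-off visible to the next reader.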
@@ -0,0 +1,45 @@
+---
+- hosts: all
+ gather_facts: no
+
+ pre_tasks:
+ - name: Wait for host to come up
+ tags: always
+ block:
+ - name: Wait for SSH connection
+ wait_for:
+ state: started
+ port: 22
+ host: "192.168.30.7"
+ timeout: 300
+ connect_timeout: 300
+ search_regex: OpenSSH
+ delegate_to: localhost
+ - name: Wait for cloud-init to finish
+ command:
+ cmd: cloud-init status --wait
+ register: cloudinit
+ changed_when: "'..' in cloudinit.stdout"
+ - name: Gather facts
+ setup:
+ - name: Copy resolv.conf
+ copy:
+ src: resolv.conf
+ dest: /etc/resolv.conf
+ - name: Update repositories
+ apt:
+ autoremove: true
+ upgrade: yes
+ state: latest
+ update_cache: yes
+ cache_valid_time: 86400 # One day
+ - name: Install packages
+ apt:
+ pkg:
+ - qemu-guest-agent
+ - dnsutils
+
+ roles:
+ - {role: 'dnsmasq', tags: 'dnsmasq'}
+ - {role: 'nsd', tags: 'nsd'}
+ - {role: 'ca', tags: 'ca'}
diff --git a/ansible/inventory/hosts.yml b/ansible/inventory/hosts.yml
new file mode 100644
index 0000000..e7e7ab1
--- /dev/null
+++ b/ansible/inventory/hosts.yml
@@ -0,0 +1,5 @@
+all:
+ hosts:
+ hermes:
+ ansible_user: root
+ ansible_host: 192.168.30.7
diff --git a/resolv.conf b/ansible/resolv.conf
similarity index 100%
rename from resolv.conf
rename to ansible/resolv.conf
diff --git a/roles/ssh/files/ca.sh b/ansible/roles/ca/files/ca.sh
similarity index 100%
rename from roles/ssh/files/ca.sh
rename to ansible/roles/ca/files/ca.sh
diff --git a/roles/ssh/files/keys/host_ca_key b/ansible/roles/ca/files/keys/host_ca_key
similarity index 100%
rename from roles/ssh/files/keys/host_ca_key
rename to ansible/roles/ca/files/keys/host_ca_key
diff --git a/roles/ssh/files/keys/host_ca_key.pub b/ansible/roles/ca/files/keys/host_ca_key.pub
similarity index 100%
rename from roles/ssh/files/keys/host_ca_key.pub
rename to ansible/roles/ca/files/keys/host_ca_key.pub
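Review bot: The `Wait for SSH connection` task hard-codes `host: "192.168.30.7"` while the new inventory already defines `ansible_host: 192.168.30.7` for hermes, so the address now lives in two places and the wait would quietly probe the wrong machine if only the inventory were updated; because the task is delegated to localhost, the explicit form `host: "{{ hostvars[inventory_hostname].ansible_host }}"` keeps the two in step without picking up the delegate's own connection vars. The `changed_when: "'..' in cloudinit.stdout"` expression is carried over from the old playbook without explanation; a one-line comment on what `cloud-init status --wait` prints while it is still waiting (presumably the dots) would save the next reader a trip to the docs.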
diff --git a/roles/ssh/files/keys/user_ca_key b/ansible/roles/ca/files/keys/user_ca_key
similarity index 100%
rename from roles/ssh/files/keys/user_ca_key
rename to ansible/roles/ca/files/keys/user_ca_key
diff --git a/roles/ssh/files/keys/user_ca_key.pub b/ansible/roles/ca/files/keys/user_ca_key.pub
similarity index 100%
rename from roles/ssh/files/keys/user_ca_key.pub
rename to ansible/roles/ca/files/keys/user_ca_key.pub
diff --git a/roles/ssh/tasks/main.yml b/ansible/roles/ca/tasks/main.yml
similarity index 100%
rename from roles/ssh/tasks/main.yml
rename to ansible/roles/ca/tasks/main.yml
diff --git a/roles/dnsmasq/files/dnsmasq.conf b/ansible/roles/dnsmasq/files/dnsmasq.conf
similarity index 100%
rename from roles/dnsmasq/files/dnsmasq.conf
rename to ansible/roles/dnsmasq/files/dnsmasq.conf
diff --git a/roles/dnsmasq/tasks/main.yml b/ansible/roles/dnsmasq/tasks/main.yml
similarity index 100%
rename from roles/dnsmasq/tasks/main.yml
rename to ansible/roles/dnsmasq/tasks/main.yml
diff --git a/roles/nsd/files/nsd.conf b/ansible/roles/nsd/files/nsd.conf
similarity index 100%
rename from roles/nsd/files/nsd.conf
rename to ansible/roles/nsd/files/nsd.conf
diff --git a/roles/nsd/files/zones/geokunis2.nl b/ansible/roles/nsd/files/zones/geokunis2.nl
similarity index 100%
rename from roles/nsd/files/zones/geokunis2.nl
rename to ansible/roles/nsd/files/zones/geokunis2.nl
diff --git a/roles/nsd/files/zones/pim.kunis.nl b/ansible/roles/nsd/files/zones/pim.kunis.nl
similarity index 100%
rename from roles/nsd/files/zones/pim.kunis.nl
rename to ansible/roles/nsd/files/zones/pim.kunis.nl
diff --git a/roles/nsd/files/zones/pizzapim.nl b/ansible/roles/nsd/files/zones/pizzapim.nl
similarity index 100%
rename from roles/nsd/files/zones/pizzapim.nl
rename to ansible/roles/nsd/files/zones/pizzapim.nl
diff --git a/roles/nsd/tasks/main.yml b/ansible/roles/nsd/tasks/main.yml
similarity index 100%
rename from roles/nsd/tasks/main.yml
rename to ansible/roles/nsd/tasks/main.yml
diff --git a/util/secret-service-client.sh b/ansible/util/secret-service-client.sh
similarity index 100%
rename from util/secret-service-client.sh
rename to ansible/util/secret-service-client.sh
diff --git a/cloud_init.cfg.tftpl b/cloud_init.cfg.tftpl
deleted file mode 100644
index cc2f07a..0000000
--- a/cloud_init.cfg.tftpl
+++ /dev/null
@@ -1,9 +0,0 @@
-#cloud-config
-hostname: "${name}"
-manage_etc_hosts: true
-ssh_pwauth: false
-disable_root: false
-ssh_authorized_keys:
-%{ for key in admin_authorized_keys ~}
- - "${key}"
-%{ endfor ~}
diff --git a/hermes.yml b/hermes.yml
deleted file mode 100644
index d6541a9..0000000
--- a/hermes.yml
+++ /dev/null
@@ -1,42 +0,0 @@
----
-- hosts: all
- gather_facts: no
-
- pre_tasks:
- - name: Wait for host to come up
- wait_for:
- state: started
- port: 22
- host: "192.168.30.7"
- timeout: 300
- connect_timeout: 300
- search_regex: OpenSSH
- delegate_to: localhost
- - name: Wait for cloud-init to finish
- command:
- cmd: cloud-init status --wait
- register: cloudinit
- changed_when: "'..' in cloudinit.stdout"
- - name: Gather facts
- setup:
- - name: Copy resolv.conf
- copy:
- src: resolv.conf
- dest: /etc/resolv.conf
- - name: Update repositories
- apt:
- autoremove: true
- upgrade: yes
- state: latest
- update_cache: yes
- cache_valid_time: 86400 # One day
- - name: Install packages
- apt:
- pkg:
- - qemu-guest-agent
- - dnsutils
-
- roles:
- - dnsmasq
- - nsd
- - ssh
diff --git a/network_config.cfg.tftpl b/network_config.cfg.tftpl
deleted file mode 100644
index 762f752..0000000
--- a/network_config.cfg.tftpl
+++ /dev/null
@@ -1,9 +0,0 @@
-version: 2
-ethernets:
- ens3:
- dhcp4: false
- addresses:
- - "${internal_ip}/24"
- routes:
- - to: 0.0.0.0/0
- via: 192.168.30.1
diff --git a/main.tf b/terraform/main.tf
similarity index 64%
rename from main.tf
rename to terraform/main.tf
index 078b50b..6ca4267 100644
--- a/main.tf
+++ b/terraform/main.tf
@@ -18,23 +18,10 @@ provider "libvirt" {
 uri = "qemu+ssh://root@atlas.lan/system"
 }
-locals {
- ansible_command = join(" ", [
- "ANSIBLE_ROLES_PATH=roles",
- "ANSIBLE_HOST_KEY_CHECKING=False",
- "ANSIBLE_VAULT_PASSWORD_FILE=util/secret-service-client.sh",
- "ansible-playbook",
- "-u root",
- "-i '192.168.30.7,'",
- "hermes.yml"
- ])
-}
-
 module "vm" {
 source = "git::https://git.pim.kunis.nl/home/tf-modules.git//debian"
 name = "hermes"
 use_host_cert = false
 fixed_address = "192.168.30.7/24"
- ansible_command = local.ansible_command
 mac = "CA:FE:C0:FF:EE:07"
 }
diff --git a/variables.tf b/variables.tf
deleted file mode 100644
index 305b50c..0000000
--- a/variables.tf
+++ /dev/null
@@ -1,32 +0,0 @@
-variable "name" {
- default = "hermes"
-}
-
-variable "libvirt_endpoint" {
- type = string
- default = "qemu+ssh://root@atlas.lan/system"
-}
-
-variable "admin_authorized_keys" {
- type = list(string)
- default = [
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOodpLr+FDRyKyHjucHizNLVFHZ5AQmE9GmxMnOsSoaw pimkunis@thinkpadpim",
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINUZp4BCxf7uLa1QWonx/Crf8tYZ5MKIZ+EuaBa82LrV user@user-laptop"
- ]
-}
-
-variable "internal_ip" {
- default = "192.168.30.7"
-}
-
-variable "ansible_inventory" {
- default = "ansible/inventory"
-}
-
-variable "ansible_playbook" {
- default = "ansible/hermes.yml"
-}
-
-variable "ansible_cfg" {
- default = "ansible/ansible.cfg"
-}
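Review bot: With `ansible_command = local.ansible_command` dropped from `module "vm"` and the `locals` block removed, nothing in this diff shows how the playbook now living in `ansible/` gets run against the VM; the README added in the same commit says the machine is "configured using Ansible" but gives no command, and the removed block was the only place that tied Terraform to `hermes.yml`. Unless the `debian` module runs it on its own (not visible here), a README line such as `cd ansible && ansible-playbook hermes.yml` — inventory, roles path and vault password file now come from `ansible.cfg` — would close that gap. The `provider "libvirt"` block whose `uri` line opens this hunk starts outside the hunk.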