diff --git a/cloudbox.yml b/cloudbox.yml
new file mode 100644
index 0000000..31dd692
--- /dev/null
+++ b/cloudbox.yml
@@ -0,0 +1,35 @@
+---
+# This playbook deploys the cloudbox on a minimal installation.
+
+- name: apply configuration to the cloudbox
+ hosts: cloudboxes
+ remote_user: ansible
+ become: yes
+ vars:
+ if_lan: "enp1s0"
+ ipaddr: "192.168.2.50/24"
+ gateway: "192.168.2.1"
+ DNS: "192.168.2.1"
+ #ddns_domain: "something.ddnss.de"
+ ddns_domain: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 30653335326332666539326461623064383432653133383832313065386231663366383862393961
+ 3339356432643139653939323832633839626631396431340a623438333335333765383035666133
+ 34313631663938386432326665313331383865616361633465336333613534626262633864613133
+ 3934376631343736380a353337303937656638633035666331646563326562363130633534376335
+ 6636
+ #ddns_updkey: "138638.some.key.here.635620"
+ ddns_updkey: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 35333062366532643235343839313962393038313631663239336138393566643433326535313132
+ 3761303730653339616333623534343131333838303036310a343634623739623663623566336233
+ 37666466356363646464323335643261346563643564333631626432323963396136643039336531
+ 3662653436373564310a663061613032343332373031613831343365643039313034353636613938
+ 31663437393564656334663336633234666237386662323661623266396166616235306531333861
+ 3831656434613434333337376262396631363336643766323932
+ roles:
+ - up2date-debian
+ - systemd-networkd
+ - web-server
+ - ddns-update
+ - low-power
diff --git a/roles/ddns-update/files/ddns-update b/roles/ddns-update/files/ddns-update
new file mode 100755
index 0000000..3285250
--- /dev/null
+++ b/roles/ddns-update/files/ddns-update
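Review bot: `become: yes` uses the YAML 1.1 truthy spelling; Ansible accepts it, but yamllint's `truthy` rule flags it and the canonical form is `become: true`. The same applies to `enabled: yes` and `daemon_reload: yes` in roles/ddns-update/handlers/main.yml, roles/low-power/handlers/main.yml and roles/systemd-networkd/handlers/main.yml, and to `force: yes` in roles/systemd-networkd/tasks/main.yml. `DNS` is the only upper-case variable name next to `if_lan`, `ipaddr` and `gateway`; if it is renamed for consistency, the reference `DNS={{ DNS }}` in roles/systemd-networkd/templates/20-static.network.j2 has to follow. Keeping both secrets as `!vault` block scalars rather than plain strings is the right call; the commented-out plaintext lines above each of them look like placeholders, which is worth confirming, since anything committed here is visible to every reader of the repository.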
@@ -0,0 +1,30 @@
+#!/bin/bash
+set -eu
+
+. /etc/ddns-update/ddns-update.conf
+
+DDHOST="https://www.ddnss.de/upd.php"
+
+if ! DNSRESULT="$(host $DDNSNAME)" ; then
+ echo "Could not resolve IP address for '$DDNSNAME', no update."
+ exit 0
+fi
+
+DNSIP4="$(echo \\"$DNSRESULT\\" | grep -m 1 -oE '[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}$' || true )"
+DNSIP6="$(echo \\"$DNSRESULT\\" | grep -m 1 -oE '[0-9a-f]{1,4}:.+:[0-9a-f]{1,4}' || true )"
+
+REALIP4="$(wget -q -O - https://ip4.ddnss.de/meineip.php | \
+ grep -m 1 -oE '[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3}' || true )"
+REALIP6="$(wget -q -O - https://ip6.ddnss.de/meineip.php | \
+ grep -m 1 -oE '[0-9a-f]{1,4}:.+:[0-9a-f]{1,4}' || true )"
+
+echo "Current DNS: IPv4=$DNSIP4, IPv6=$DNSIP6."
+echo "Detected: IPv4=$REALIP4, IPv6=$REALIP6."
+
+if [ "$REALIP4" == "$DNSIP4" -a "$REALIP6" == "$DNSIP6" ] ; then
+ echo "IP address unchanged, no update."
+else
+ echo "IP address changed: $DNSIP4 → ${REALIP4}, $DNSIP6 → ${REALIP6}, updating ddns."
+ wget -q -O - $DDHOST'?key='$KEYAUTH'&host='$DDNSNAME'&ip='$REALIP4'&ip6='$REALIP6 \
+ | grep -oE "Updated .+ hostname." || echo "Update not confirmed, it might have failed."
+fi
diff --git a/roles/ddns-update/files/ddns-update.service b/roles/ddns-update/files/ddns-update.service
new file mode 100644
index 0000000..6c1da59
--- /dev/null
+++ b/roles/ddns-update/files/ddns-update.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Update ddns
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/ddns-update
diff --git a/roles/ddns-update/files/ddns-update.timer b/roles/ddns-update/files/ddns-update.timer
new file mode 100644
index 0000000..28e8e2a
--- /dev/null
+++ b/roles/ddns-update/files/ddns-update.timer
@@ -0,0 +1,11 @@
+[Unit]
+Description=Update ddns IP-address
+
+[Timer]
+OnBootSec=0
+OnUnitActiveSec=15min
+AccuracySec=3min
+
+
+[Install]
+WantedBy=timers.target
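Review bot: When the public-address lookup fails, `REALIP4`/`REALIP6` are left empty by the `|| true` fallbacks and the `else` branch still sends an update with an empty `ip=`/`ip6=` value, which may clear the record at the provider; a guard before the comparison, `if [ -z "$REALIP4" ] && [ -z "$REALIP6" ]; then echo "Could not detect public IP, no update."; exit 0; fi`, avoids that. The update request leaves every expansion unquoted (`$DDHOST'?key='$KEYAUTH'&host='$DDNSNAME...`), as does `host $DDNSNAME`, so a value with whitespace or glob characters in the sourced config is word-split; `wget -q -O - "$DDHOST?key=$KEYAUTH&host=$DDNSNAME&ip=$REALIP4&ip6=$REALIP6"` and `host "$DDNSNAME"` are the safer forms. Note also that the key is passed on wget's command line and is therefore readable in the process list by any local account while the request runs, which is one more reason to keep other local users off this host or to look for a provider-supported way of sending it outside the URL. The `.` in the IPv4 patterns is unescaped (`[0-9]{1,3}.[0-9]{1,3}`), so it matches any character rather than a literal dot; `\.` is what is intended.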
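Review bot: `ExecStart=/usr/local/bin/ddns-update` runs as root because the unit sets no `User=`, while the script only needs to read its config, resolve one name and fetch two HTTPS URLs. A dedicated unprivileged `User=` (with /etc/ddns-update/ddns-update.conf owned by that account and mode 0600) together with `NoNewPrivileges=yes`, `ProtectSystem=strict` and `PrivateTmp=yes` would limit what a malformed response or a bug in the script could reach. This is a hardening suggestion rather than a defect in the unit as written.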
diff --git a/roles/ddns-update/handlers/main.yml b/roles/ddns-update/handlers/main.yml
new file mode 100644
index 0000000..a1700e2
--- /dev/null
+++ b/roles/ddns-update/handlers/main.yml
@@ -0,0 +1,7 @@
+- name: enable ddns-update timer
+ systemd:
+ name: ddns-update.timer
+ state: restarted
+ daemon_reload: yes
+ enabled: yes
+ listen: "enable ddns-update timer"
diff --git a/roles/ddns-update/tasks/main.yml b/roles/ddns-update/tasks/main.yml
new file mode 100644
index 0000000..54e3412
--- /dev/null
+++ b/roles/ddns-update/tasks/main.yml
@@ -0,0 +1,24 @@
+- name: make sure /etc/ddns-update/ exists
+ file: path=/etc/ddns-update/ state=directory recurse=yes
+
+- name: install ddns-update config
+ template:
+ src: ddns-update.conf.j2
+ dest: /etc/ddns-update/ddns-update.conf
+
+- name: install ddns-update script
+ copy:
+ src: ddns-update
+ dest: /usr/local/bin/ddns-update
+ mode: 0755
+
+- name: install ddns-update.service
+ copy:
+ src: ddns-update.service
+ dest: /etc/systemd/system/ddns-update.service
+
+- name: install ddns-update.timer
+ copy:
+ src: ddns-update.timer
+ dest: /etc/systemd/system/ddns-update.timer
+ notify: enable ddns-update timer
diff --git a/roles/ddns-update/templates/ddns-update.conf.j2 b/roles/ddns-update/templates/ddns-update.conf.j2
new file mode 100644
index 0000000..cd84e74
--- /dev/null
+++ b/roles/ddns-update/templates/ddns-update.conf.j2
@@ -0,0 +1,2 @@
+DDNSNAME="{{ ddns_domain }}"
+KEYAUTH="{{ ddns_updkey }}"
diff --git a/roles/low-power/files/powertop.service b/roles/low-power/files/powertop.service
new file mode 100644
index 0000000..150c2ff
--- /dev/null
+++ b/roles/low-power/files/powertop.service
@@ -0,0 +1,6 @@
+[Unit]
+Description=Run powertop --auto-tune
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/powertop --auto-tune
diff --git a/roles/low-power/files/powertop.timer b/roles/low-power/files/powertop.timer
new file mode 100644
index 0000000..4cd5f71
--- /dev/null
+++ b/roles/low-power/files/powertop.timer
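Review bot: The `template` task that writes /etc/ddns-update/ddns-update.conf sets no `owner`, `group` or `mode`, so the rendered file, which contains the vault-protected update key in clear text, gets the target's default permissions (typically world-readable under a 022 umask); adding `owner: root`, `group: root` and `mode: "0600"` keeps the key from every other local account. In the script task `mode: 0755` is an unquoted octal literal that YAML 1.1 parsers read as integer 493 and YAML 1.2 parsers as 755; Ansible handles the 1.1 case, but `mode: "0755"` is unambiguous. The first task uses `key=value` shorthand (`file: path=/etc/ddns-update/ state=directory recurse=yes`) while the rest use block YAML; consistent block style reads better, and `recurse=yes` does nothing useful here since no owner or mode is given for it to apply.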
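Review bot: Both values are interpolated inside double quotes in a file that the script sources with `. /etc/ddns-update/ddns-update.conf`, so any `$`, backtick or `"` in `ddns_domain` or `ddns_updkey` would be interpreted by bash rather than stored literally. Ansible's `quote` filter produces a shell-safe single-quoted string; `DDNSNAME={{ ddns_domain | quote }}` and `KEYAUTH={{ ddns_updkey | quote }}` (without the surrounding double quotes) keep the values literal. For a host name this is unlikely to matter, but the update key is an opaque provider-chosen string whose character set the template cannot assume.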
@@ -0,0 +1,9 @@
+[Unit]
+Description=Run powertop --auto-tune after boot
+
+[Timer]
+OnBootSec=1min
+AccuracySec=1min
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/low-power/handlers/main.yml b/roles/low-power/handlers/main.yml
new file mode 100644
index 0000000..601c75f
--- /dev/null
+++ b/roles/low-power/handlers/main.yml
@@ -0,0 +1,5 @@
+- name: enable powertop timer
+ systemd:
+ name: powertop.timer
+ enabled: yes
+ listen: "enable powertop timer"
diff --git a/roles/low-power/tasks/main.yml b/roles/low-power/tasks/main.yml
new file mode 100644
index 0000000..7a2edd8
--- /dev/null
+++ b/roles/low-power/tasks/main.yml
@@ -0,0 +1,15 @@
+- name: install some packages
+ apt: name={{ item }} state=latest
+ with_items:
+ - powertop
+
+- name: install powertop.service
+ copy:
+ src: powertop.service
+ dest: /etc/systemd/system/powertop.service
+
+- name: install powertop.timer
+ copy:
+ src: powertop.timer
+ dest: /etc/systemd/system/powertop.timer
+ notify: enable powertop timer
diff --git a/roles/systemd-networkd/files/10-dhcp.network b/roles/systemd-networkd/files/10-dhcp.network
new file mode 100644
index 0000000..aec1849
--- /dev/null
+++ b/roles/systemd-networkd/files/10-dhcp.network
@@ -0,0 +1,5 @@
+[Match]
+Name=en*
+
+[Network]
+DHCP=yes
diff --git a/roles/systemd-networkd/handlers/main.yml b/roles/systemd-networkd/handlers/main.yml
new file mode 100644
index 0000000..8d3068c
--- /dev/null
+++ b/roles/systemd-networkd/handlers/main.yml
@@ -0,0 +1,13 @@
+- name: enable systemd-networkd
+ systemd:
+ name: systemd-networkd
+ enabled: yes
+ daemon_reload: yes
+ listen: "enable systemd-networkd"
+
+- name: enable systemd-resolved
+ systemd:
+ name: systemd-resolved
+ enabled: yes
+ daemon_reload: yes
+ listen: "enable systemd-resolved"
diff --git a/roles/systemd-networkd/tasks/main.yml b/roles/systemd-networkd/tasks/main.yml
new file mode 100644
index 0000000..28426e6
--- /dev/null
+++ b/roles/systemd-networkd/tasks/main.yml
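Review bot: `apt: name={{ item }} state=latest` upgrades the package on every run rather than only ensuring it is installed, so the play reports a change whenever a newer version is available and pulls upgrades on its own schedule, which may not be what is wanted given that unattended-upgrades is installed by the web-server role; `state: present` is the usual choice for a role that is not meant to upgrade. The `with_items` loop also calls apt once per package where the module accepts a list directly (`apt:` with `name:` holding the list), which is faster and results in a single transaction. The same pattern appears in roles/web-server/tasks/main.yml.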
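Review bot: Both handlers only set `enabled: yes` and run `daemon_reload`; neither has a `state:`, so a new or changed .network file or resolv.conf link is not applied until the next boot, even though the tasks in roles/systemd-networkd/tasks/main.yml notify these handlers on change. `state: started` would at least bring the services up on a fresh host; applying a changed configuration on a running one needs a restart (or `networkctl reload` for .network files on systemd versions that support it), which can interrupt the SSH session the play is running over, so it is worth handling deliberately rather than leaving it implicit.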
@@ -0,0 +1,19 @@
+- name: install dynamic configuration for networkd
+ copy:
+ src: 10-dhcp.network
+ dest: /etc/systemd/network/10-dhcp.network
+ notify: "enable systemd-networkd"
+
+#- name: install static configuration for networkd
+# template:
+# src: 20-static.network.j2
+# dest: /etc/systemd/network/20-static.network
+# notify: "enable systemd-networkd"
+
+- name: prepare systemd-resolved
+ file:
+ src: /run/systemd/resolve/resolv.conf
+ dest: /etc/resolv.conf
+ state: link
+ force: yes
+ notify: "enable systemd-resolved"
diff --git a/roles/systemd-networkd/templates/20-static.network.j2 b/roles/systemd-networkd/templates/20-static.network.j2
new file mode 100644
index 0000000..04195a9
--- /dev/null
+++ b/roles/systemd-networkd/templates/20-static.network.j2
@@ -0,0 +1,7 @@
+[Match]
+Name={{ if_lan }}
+
+[Network]
+Address={{ ipaddr }}
+Gateway={{ gateway }}
+DNS={{ DNS }}
diff --git a/roles/web-server/tasks/main.yml b/roles/web-server/tasks/main.yml
new file mode 100644
index 0000000..c0d073c
--- /dev/null
+++ b/roles/web-server/tasks/main.yml
@@ -0,0 +1,6 @@
+- name: install some packages
+ apt: name={{ item }} state=latest
+ with_items:
+ - unattended-upgrades
+ - screen
+ - python-certbot-apache
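Review bot: The resolv.conf link points at /run/systemd/resolve/resolv.conf, which lists the upstream servers directly and bypasses the local stub listener; systemd-resolved's documented default target is /run/systemd/resolve/stub-resolv.conf, which keeps per-link DNS settings and the local cache in use. If bypassing the stub is intentional, a comment on the task such as `# deliberately not the stub file: clients talk to the upstream servers directly` would stop the next reader from "fixing" it. The commented-out static-configuration task is the only consumer of `if_lan`, `ipaddr`, `gateway` and `DNS` from cloudbox.yml and of the 20-static.network.j2 template, so either the task should be enabled or those variables and the template are dead weight; a one-line note on why it is disabled would help either way.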
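Review bot: `python-certbot-apache` is the Python 2 era package name; on Debian releases since buster the plugin ships as `python3-certbot-apache`, so this task is likely to fail with a package-not-found error on a current minimal install, which is worth confirming against the target release. The role is named web-server but installs no web server (no `apache2` package is listed), so the certbot Apache plugin has nothing to configure unless another role or a manual step provides it; if that is the intent, a comment saying so would help. `state=latest` has the same upgrade-on-every-run effect noted for roles/low-power/tasks/main.yml.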