diff --git a/group_vars/vmhost.yml b/group_vars/vmhost.yml
new file mode 100644
index 0000000..ec4ea73
--- /dev/null
+++ b/group_vars/vmhost.yml
@@ -0,0 +1,3 @@
+---
+firewall_in:
+  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
diff --git a/hosts b/hosts
index d5bfe43..275035f 100644
--- a/hosts
+++ b/hosts
@@ -24,8 +24,12 @@ log01.home.foo.sh
 proxy01.home.foo.sh
 proxy02.home.foo.sh
 
+[vmhost]
+vmhost02.home.foo.sh
+
 [centos8:children]
 adm
+vmhost
 
 [centos7:children]
 git
diff --git a/playbooks/vmhost.yml b/playbooks/vmhost.yml
new file mode 100644
index 0000000..e1edf4c
--- /dev/null
+++ b/playbooks/vmhost.yml
@@ -0,0 +1,11 @@
+---
+- name: configure instance
+  hosts: vmhost
+  user: root
+  gather_facts: true
+
+  vars_files:
+    - "{{ ansible_private }}/vars.yml"
+
+  roles:
+    - base