diff --git a/group_vars/sshsign.yml b/group_vars/sshsign.yml
new file mode 100644
index 0000000..e479a50
--- /dev/null
+++ b/group_vars/sshsign.yml
@@ -0,0 +1,6 @@
+---
+datadisks:
+  - 10
+firewall_in:
+  - {proto: tcp, port: 22, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 443}
diff --git a/host_vars/sshsign01.home.foo.sh.yml b/host_vars/sshsign01.home.foo.sh.yml
new file mode 100644
index 0000000..12efc17
--- /dev/null
+++ b/host_vars/sshsign01.home.foo.sh.yml
@@ -0,0 +1,6 @@
+---
+vmhost: vmhost01.home.foo.sh
+network_interfaces:
+  - device: vio0
+    vlan: 20
+    mac: 52:54:00:ac:dc:5b
diff --git a/host_vars/sshsign02.home.foo.sh.yml b/host_vars/sshsign02.home.foo.sh.yml
new file mode 100644
index 0000000..11748d5
--- /dev/null
+++ b/host_vars/sshsign02.home.foo.sh.yml
@@ -0,0 +1,6 @@
+---
+vmhost: vmhost02.home.foo.sh
+network_interfaces:
+  - device: vio0
+    vlan: 20
+    mac: 52:54:00:ac:dc:5c
diff --git a/hosts b/hosts
index 5cc552e..4726e8f 100644
--- a/hosts
+++ b/hosts
@@ -72,6 +72,10 @@ shell02.foo.sh
 [sqldb]
 sqldb02.home.foo.sh
 
+[sshsign]
+sshsign01.home.foo.sh
+sshsign02.home.foo.sh
+
 [static]
 static01.home.foo.sh
 static02.home.foo.sh
@@ -101,6 +105,7 @@ ns
 proxy
 relay
 shell
+sshsign
 static
 zm
 
@@ -121,8 +126,8 @@ vmhost
 zm
 
 [centos7:children]
-ldap
 collab
+ldap
 
 [fedora:children]
 registry
@@ -135,3 +140,4 @@ log
 ns
 proxy
 relay
+sshsign
diff --git a/playbooks/sshsign.yml b/playbooks/sshsign.yml
new file mode 100644
index 0000000..1df0581
--- /dev/null
+++ b/playbooks/sshsign.yml
@@ -0,0 +1,24 @@
+---
+- import_playbook: "include/deploy-kvm-guest.yml myhosts=sshsign"
+
+- name: configure instance
+  hosts: sshsign
+  user: root
+  gather_facts: true
+
+  vars_files:
+    - "{{ ansible_private }}/vars.yml"
+
+  pre_tasks:
+    - name: mount /export
+      mount:
+        name: /export
+        src: /dev/sd1a
+        fstype: ffs
+        opts: rw,softdep,noatime
+        passno: "1"
+        dump: "2"
+        state: mounted
+
+  roles:
+    - base