diff --git a/ansible.cfg b/ansible.cfg
new file mode 100644
index 0000000..3da96d0
--- /dev/null
+++ b/ansible.cfg
@@ -0,0 +1,7 @@
+[defaults]
+inventory = tools/ansible/hosts.yml
+nocows = True
+private_key_file = .vagrant/machines/dransible/virtualbox/private_key
+remote_user = vagrant
+retry_files_enabled = False
+vault_password_file = tools/ansible/vault-password.txt
diff --git a/config/sync/.gitkeep b/config/sync/.gitkeep
deleted file mode 100644
index e69de29..0000000
diff --git a/tools/ansible/deploy.yml b/tools/ansible/deploy.yml
new file mode 100644
index 0000000..17ccf90
--- /dev/null
+++ b/tools/ansible/deploy.yml
@@ -0,0 +1,24 @@
+---
+- hosts: webservers
+ become: true
+
+ roles:
+ - ansistrano.deploy
+
+ vars_files:
+ - vars/provision_vault.yml
+ - vars/deploy_vault.yml
+ - vars/vars.yml
+ - vars/provision_vars.yml
+ - vars/deploy_vars.yml
+
+ vars:
+ ansistrano_deploy_via: "rsync"
+ ansistrano_deploy_from: "{{ playbook_dir }}/../../"
+ ansistrano_deploy_to: "{{ project_deploy_path }}"
+ ansistrano_keep_releases: 5
+ ansistrano_after_symlink_shared_tasks_file: "{{ playbook_dir }}/deploy/after-symlink-shared.yml"
+ ansistrano_after_symlink_tasks_file: "{{ playbook_dir }}/deploy/after-symlink.yml"
+ ansistrano_after_update_code_tasks_file: "{{ playbook_dir }}/deploy/after-update-code.yml"
+ ansistrano_shared_paths:
+ - "{{ project_web_root }}/sites/default/files"
diff --git a/tools/ansible/deploy/after-symlink-shared.yml b/tools/ansible/deploy/after-symlink-shared.yml
new file mode 100644
index 0000000..4d4e320
--- /dev/null
+++ b/tools/ansible/deploy/after-symlink-shared.yml
@@ -0,0 +1,12 @@
+---
+- name: Install Drupal
+ command: |
+ {{ release_drush_path }} site-install config_installer -y
+ --account-pass=admin123
+ args:
+ chdir: '{{ release_drupal_path }}'
+
+- name: Rebuild cache
+ command: '{{ release_drush_path }} cache-rebuild'
+ args:
+ chdir: '{{ release_drupal_path }}'
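Review bot: `vault_password_file = tools/ansible/vault-password.txt` in ansible.cfg points at a file that this same commit adds to the repository (the tools/ansible/vault-password.txt hunk at the end of the diff), so the Vault password is versioned next to `vars/deploy_vault.yml` and `vars/provision_vault.yml` and the encryption no longer protects them from anyone who can read the repository. The `.vagrant` key path and the `vagrant` remote user suggest this is a local demo box; if so, a comment in ansible.cfg saying the vault contents are throwaway values would stop the layout being copied as-is. For anything shared, keep the password file out of version control (ignore it, or drop the setting and pass `--vault-password-file` or `--ask-vault-pass` at run time) and re-key both vault files with `ansible-vault rekey`.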
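Review bot: The `Install Drupal` task in tools/ansible/deploy/after-symlink-shared.yml hard-codes `--account-pass=admin123`, so every site deployed from this playbook gets the same published administrator password, and the value travels on the command line where it appears in task output. Take it from the vault like the database credentials, for example `--account-pass={{ vault_drupal_account_pass }}` (placeholder variable name, not defined in this commit), and add `no_log: true` to the task. The task also has no `when:` guard although `install_drupal: true` is defined in vars/deploy_vars.yml, so as written `site-install` appears to run on every deploy; `when: install_drupal | bool` looks like the intent.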
diff --git a/tools/ansible/deploy/after-symlink.yml b/tools/ansible/deploy/after-symlink.yml
new file mode 100644
index 0000000..887a33c
--- /dev/null
+++ b/tools/ansible/deploy/after-symlink.yml
@@ -0,0 +1,22 @@
+---
+- name: Update directory permissions
+ file:
+ path: '{{ item.path }}'
+ mode: '{{ item.mode }}'
+ state: directory
+ owner: vagrant
+ group: www-data
+ recurse: true
+ loop:
+ - path: '{{ release_drupal_path }}'
+ mode: u=rwX,g=rX,o=
+ - path: '{{ ansistrano_shared_path }}/{{ project_web_root }}/sites/default/files'
+ mode: ug=rwX,o=
+
+- name: Update file permissions
+ file:
+ path: '{{ release_drupal_path }}/sites/default/settings.php'
+ mode: ug=r,o=
+ state: file
+ owner: vagrant
+ group: www-data
diff --git a/tools/ansible/deploy/after-update-code.yml b/tools/ansible/deploy/after-update-code.yml
new file mode 100644
index 0000000..f5ba334
--- /dev/null
+++ b/tools/ansible/deploy/after-update-code.yml
@@ -0,0 +1,9 @@
+---
+- name: Install Composer dependencies
+ composer:
+ command: install
+ working_dir: '{{ ansistrano_release_path.stdout }}'
+
+- name: Generate settings.php file
+ include_role:
+ name: './roles/drupal-settings'
diff --git a/tools/ansible/hosts.yml b/tools/ansible/hosts.yml
new file mode 100644
index 0000000..37dc3ac
--- /dev/null
+++ b/tools/ansible/hosts.yml
@@ -0,0 +1,5 @@
+all:
+ hosts:
+ webservers:
+ ansible_ssh_host: 192.168.33.10
+ ansible_ssh_port: 22
diff --git a/tools/ansible/provision.yml b/tools/ansible/provision.yml
new file mode 100644
index 0000000..d42001e
--- /dev/null
+++ b/tools/ansible/provision.yml
@@ -0,0 +1,36 @@
+---
+- hosts: webservers
+ name: Provision the webserver machines
+ become: true
+
+ roles:
+ - role: geerlingguy.apache
+ tags: [web]
+ - role: geerlingguy.mysql
+ tags: [mysql]
+ - role: geerlingguy.php-versions
+ tags: [php]
+ - role: geerlingguy.php
+ tags: [php]
+ - role: geerlingguy.php-mysql
+ tags: [php, mysql]
+ - role: geerlingguy.composer
+ tags: [php, composer]
+
+ vars_files:
+ - vars/provision_vault.yml
+ - vars/vars.yml
+ - vars/provision_vars.yml
+
+ tasks:
+ - name: Create a database
+ mysql_db:
+ name: '{{ database_name }}'
+ state: present
+
+ - name: Add the database user
+ mysql_user:
+ name: '{{ database_user }}'
+ password: '{{ database_password }}'
+ priv: '*.*:ALL'
+ state: present
diff --git a/tools/ansible/requirements.yml b/tools/ansible/requirements.yml
new file mode 100644
index 0000000..c041b3f
--- /dev/null
+++ b/tools/ansible/requirements.yml
@@ -0,0 +1,17 @@
+---
+- src: ansistrano.deploy
+ version: 3.0.1
+- src: ansistrano.rollback
+ version: 3.0.0
+- src: geerlingguy.apache
+ version: 3.0.3
+- src: geerlingguy.composer
+ version: 1.7.3
+- src: geerlingguy.mysql
+ version: 2.9.4
+- src: geerlingguy.php
+ version: 3.7.0
+- src: geerlingguy.php-versions
+ version: 4.0.2
+- src: geerlingguy.php-mysql
+ version: 2.0.2
diff --git a/tools/ansible/roles/drupal-settings/LICENSE b/tools/ansible/roles/drupal-settings/LICENSE
new file mode 100644
index 0000000..53f4980
--- /dev/null
+++ b/tools/ansible/roles/drupal-settings/LICENSE
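Review bot: The `Add the database user` task in tools/ansible/provision.yml grants `priv: '*.*:ALL'`, which gives the Drupal account every privilege on every database on the server rather than on its own schema. Scope the grant to the application database with `priv: '{{ database_name }}.*:ALL'`, so a compromised site credential cannot reach other schemas or server-level privileges. The task also handles `database_password`, so adding `no_log: true` would keep the value out of verbose output, as the drupal-settings role tasks in this commit already do.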
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2019 Oliver Davies
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
diff --git a/tools/ansible/roles/drupal-settings/README.md b/tools/ansible/roles/drupal-settings/README.md
new file mode 100644
index 0000000..f3cd913
--- /dev/null
+++ b/tools/ansible/roles/drupal-settings/README.md
@@ -0,0 +1,27 @@
+# Ansible Role: Drupal settings
+
+```yaml
+drupal_settings:
+ - drupal_root: /var/www/web
+ sites:
+ - name: default
+ filename: settings.php # Optional, defaults to 'settings.php'
+ settings:
+ base_url: https://www.example.com # Optional, Drupal 7
+ hash_salt: '' # Optional
+ databases:
+ default: # The database key
+ default: # The database target
+ driver: mysql # Optional, defaults to 'mysql'
+ host: localhost # Optional, defaults to 'localhost'
+ database: mydatabase
+ username: user
+ password: secret
+ config_directories: # Optional, Drupal 8
+ sync: path/to/config
+ trusted_hosts: # Optional, Drupal 8
+ - '^example\.com$'
+ - '^.+\.example\.com$'
+ - '^example\.org$'
+ - '^.+\.example\.org$'
+```
diff --git a/tools/ansible/roles/drupal-settings/defaults/main.yml b/tools/ansible/roles/drupal-settings/defaults/main.yml
new file mode 100644
index 0000000..cfd76d5
--- /dev/null
+++ b/tools/ansible/roles/drupal-settings/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+drupal_settings: []
diff --git a/tools/ansible/roles/drupal-settings/tasks/main.yml b/tools/ansible/roles/drupal-settings/tasks/main.yml
new file mode 100644
index 0000000..71ebba5
--- /dev/null
+++ b/tools/ansible/roles/drupal-settings/tasks/main.yml
@@ -0,0 +1,18 @@
+---
+- name: Ensure directory exists
+ file:
+ state: directory
+ path: '{{ item.0.drupal_root }}/sites/{{ item.1.name|default("default") }}'
+ with_subelements:
+ - '{{ drupal_settings }}'
+ - sites
+ no_log: true
+
+- name: Create settings files
+ template:
+ src: settings.php.j2
+ dest: '{{ item.0.drupal_root }}/sites/{{ item.1.name|default("default") }}/{{ item.1.filename|default("settings.php") }}'
+ with_subelements:
+ - '{{ drupal_settings }}'
+ - sites
+ no_log: true
diff --git a/tools/ansible/roles/drupal-settings/templates/settings.php.j2 b/tools/ansible/roles/drupal-settings/templates/settings.php.j2
new file mode 100644
index 0000000..22c4344
--- /dev/null
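Review bot: The `Create settings files` task in tools/ansible/roles/drupal-settings/tasks/main.yml sets no `owner`, `group` or `mode`, so the rendered file, which holds the database password and hash salt, is written with whatever defaults apply to the become user. The after-symlink hook in this commit later sets `ug=r,o=` on `sites/default/settings.php` only, so any other `name` or `filename` the role accepts is never tightened, and the default one stays at its initial permissions until that hook runs. Setting the permissions in the role itself, e.g. `mode: '0440'` on the template task together with the owner and group the web server needs, removes the dependency on the caller.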
+++ b/tools/ansible/roles/drupal-settings/templates/settings.php.j2
@@ -0,0 +1,42 @@
+ '{{ values.driver|default('mysql') }}',
+ 'host' => '{{ values.host|default('localhost') }}',
+ 'database' => '{{ values.database }}',
+ 'username' => '{{ values.username }}',
+ 'password' => '{{ values.password }}',
+);
+
+{% endfor %}
+{% endfor %}
+
+{% if item.1.settings.base_url is defined %}
+$base_url = '{{ item.1.settings.base_url }}';
+{% endif %}
+
+{% if item.1.settings.hash_salt is defined %}
+$settings['hash_salt'] = '{{ item.1.settings.hash_salt }}';
+{% endif %}
+
+{% if item.1.settings.config_directories is defined %}
+{% for name, value in item.1.settings.config_directories.items() %}
+$config_directories['{{ name }}'] = '{{ value }}';
+{% endfor %}
+{% endif %}
+
+{% if item.1.settings.trusted_hosts is defined %}
+$settings['trusted_host_patterns'] = array(
+{% for host in item.1.settings.trusted_hosts %}
+ '{{ host }}',
+{% endfor %}
+);
+{% endif %}
+
+{% if item.1.settings.extra_parameters is defined %}
+ {{ item.1.settings.extra_parameters|indent(0) }}
+{% endif %}
diff --git a/tools/ansible/rollback.yml b/tools/ansible/rollback.yml
new file mode 100644
index 0000000..ecd0255
--- /dev/null
+++ b/tools/ansible/rollback.yml
@@ -0,0 +1,12 @@
+---
+- hosts: webservers
+ become: true
+
+ roles:
+ - ansistrano.rollback
+
+ vars_files:
+ - vars/vars.yml
+
+ vars:
+ ansistrano_deploy_to: "{{ project_deploy_path }}"
diff --git a/tools/ansible/vars/deploy_vars.yml b/tools/ansible/vars/deploy_vars.yml
new file mode 100644
index 0000000..ef99b18
--- /dev/null
+++ b/tools/ansible/vars/deploy_vars.yml
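Review bot: Every value in tools/ansible/roles/drupal-settings/templates/settings.php.j2 is interpolated unescaped into a single-quoted PHP string, e.g. `'password' => '{{ values.password }}',` and `$settings['hash_salt'] = '{{ item.1.settings.hash_salt }}';`, so a secret containing `'` or `\` yields a settings.php that fails to parse or is parsed differently from what was intended. Escape at render time, for example `'{{ values.password | replace("\\", "\\\\") | replace("'", "\\'") }}'`, and apply the same to the other string fields. `extra_parameters` is emitted as raw PHP by design, so a README line stating that it must only come from trusted vars would make that contract explicit. The opening lines of this hunk are not fully visible on the page, so this covers only the lines shown.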
@@ -0,0 +1,27 @@
+---
+ansistrano_allow_anonymous_stats: false
+
+release_drupal_path: "{{ ansistrano_release_path.stdout }}/{{ project_web_root }}"
+release_drush_path: "{{ ansistrano_release_path.stdout }}/vendor/bin/drush"
+
+hash_salt: "{{ vault_hash_salt }}"
+install_drupal: true
+
+drupal_settings:
+ - drupal_root: '{{ release_drupal_path }}'
+ sites:
+ - name: default
+ settings:
+ databases:
+ default:
+ default:
+ driver: mysql
+ host: localhost
+ database: '{{ database_name }}'
+ username: '{{ database_user }}'
+ password: '{{ database_password }}'
+ hash_salt: '{{ hash_salt }}'
+ config_directories:
+ sync: ../config/sync
+ trusted_hosts:
+ - '^dransible$'
diff --git a/tools/ansible/vars/deploy_vault.yml b/tools/ansible/vars/deploy_vault.yml
new file mode 100644
index 0000000..9ab7a95
--- /dev/null
+++ b/tools/ansible/vars/deploy_vault.yml
@@ -0,0 +1,7 @@
+$ANSIBLE_VAULT;1.1;AES256
+63373634663964363330343938303439626535386239363766353635663066383035343433356365
+3563326664646666636436636462326436363964306439300a653630656239653566353666383764
+30373163303633356361653436393135666131346430383766646261373636396138623636343238
+3366616233323863370a666566383163303135313134656637393233366664303031663133343363
+63343866643163393961323238623866366636363136373932303366346433343530373139373733
+3738346466643464356663313637333331656163613433663930
diff --git a/tools/ansible/vars/provision_vars.yml b/tools/ansible/vars/provision_vars.yml
new file mode 100644
index 0000000..704ac4c
--- /dev/null
+++ b/tools/ansible/vars/provision_vars.yml
@@ -0,0 +1,11 @@
+---
+server_document_root: '{{ project_deploy_path }}/{{ ansistrano_current_dir }}/{{ project_web_root }}'
+
+apache_vhosts:
+ - servername: dransible
+ documentroot: '{{ server_document_root }}'
+
+php_version: '7.4'
+php_packages_extra:
+ - libapache2-mod-php{{ php_version }}
+ - libpcre3-dev
diff --git a/tools/ansible/vars/provision_vault.yml b/tools/ansible/vars/provision_vault.yml
new file mode 100644
index 0000000..b4b8ef3
--- /dev/null
+++ b/tools/ansible/vars/provision_vault.yml
@@ -0,0 +1,10 @@
+$ANSIBLE_VAULT;1.1;AES256
+33373134393232666463613136333836646334376361306630643432373161373363306433633932
+6637626266313264303734353136376439633939653837390a613631306563666663313361623136
+33383463333062643331376530393964356161346164336434346366333061373166636531336436
+3862316230366364630a616437356235626536376562303738653633316364353034636432666266
+33346639373931396237333636656637663861386530373965323037633636373330353061666465
+35313539343165643564376335303334353662346130343330343238623139386665363864386530
+30633562396666633464666565626437343039636136653032323035333662666664656162326539
+37363233646463363132343835656137343139613535323237346162636363396162343038303062
+3132
diff --git a/tools/ansible/vars/vars.yml b/tools/ansible/vars/vars.yml
new file mode 100644
index 0000000..cf04561
--- /dev/null
+++ b/tools/ansible/vars/vars.yml
@@ -0,0 +1,9 @@
+---
+ansistrano_current_dir: current
+
+database_name: "{{ vault_database_name }}"
+database_password: "{{ vault_database_password }}"
+database_user: "{{ vault_database_user }}"
+
+project_deploy_path: /app
+project_web_root: web
diff --git a/tools/ansible/vault-password.txt b/tools/ansible/vault-password.txt
new file mode 100644
index 0000000..59a4e88
--- /dev/null
+++ b/tools/ansible/vault-password.txt
@@ -0,0 +1 @@
+dransible