diff --git a/.builds/freebsd.yml b/.builds/freebsd.yml
index d0b1765..54b3569 100644
--- a/.builds/freebsd.yml
+++ b/.builds/freebsd.yml
@@ -6,7 +6,7 @@ packages:
 sources:
   - https://git.sr.ht/~crocmagnon/blog
 secrets:
-  - 78118477-73c2-4805-a613-c7aab23c92a8  # SSH config for blog
+  - ea931da1-9acd-47b0-b6c9-52b8b61c4647  # Ansible hosts file
   - 5c948915-48c2-4542-8fc1-a5676f4d7126  # Deploy SSH key
 environment:
   TESTING: true
@@ -23,6 +23,8 @@ tasks:
   - test: |
       cd blog
       poetry run ./docker/runtests.sh
+  - deploy: |
+      ansible-playbook -i ~/ansiblehosts blog/ansible/playbook.yml
 triggers:
   - action: email
     condition: failure
diff --git a/ansible/hosts b/ansible/hosts
new file mode 100644
index 0000000..c9c9e35
--- /dev/null
+++ b/ansible/hosts
@@ -0,0 +1 @@
+blognas ansible_host=192.168.0.54 ansible_port=22 ansible_python_interpreter=/usr/local/bin/python
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
new file mode 100644
index 0000000..2236fb4
--- /dev/null
+++ b/ansible/playbook.yml
@@ -0,0 +1,55 @@
+---
+- name: deploy blog
+  hosts: blognas
+  remote_user: root
+  environment:
+    PATH: /root/.poetry/bin:{{ ansible_env.PATH }}
+
+  tasks:
+  - name: upgrade packages
+    pkgng:
+      name: '*'
+      state: latest
+  - name: install dependencies
+    pkgng:
+      name: git,python38,py38-sqlite3,jpeg-turbo,nginx,curl,vim
+  - name: make python3.8 default
+    file:
+      path: /usr/local/bin/python3
+      src: /usr/local/bin/python3.8
+      state: link
+  - name: clone/update code
+    git:
+      repo: https://git.sr.ht/~crocmagnon/blog
+      dest: /srv/blog
+      force: yes
+  - name: install poetry
+    shell:
+      cmd: POETRY_VERSION=1.1.4 curl -sSL https://raw.githubusercontent.com/python-poetry/poetry/master/get-poetry.py | python
+      creates: /root/.poetry/bin/poetry
+  - name: create venv
+    shell:
+      cmd: python -m venv /srv/blogvenv
+      creates: /srv/blogvenv/bin/python
+  - name: install deps
+    shell:
+      chdir: /srv/blog
+      cmd: . /srv/blogvenv/bin/activate && poetry install --remove-untracked
+  - name: install service
+    copy:
+      remote_src: yes
+      src: /srv/blog/ansible/blog.service
+      dest: /usr/local/etc/rc.d/blog
+      owner: root
+      group: wheel
+      mode: 0755
+  - name: enable and restart blog service
+    service:
+      name: blog
+      state: restarted
+      enabled: yes
+#  - name: enable nginx service
+#    service:
+#      name: nginx
+#      state: started
+#      enabled: yes