diff --git a/inventory/group_vars/all.yaml b/inventory/group_vars/all.yaml
index 18d2039..61a023d 100644
--- a/inventory/group_vars/all.yaml
+++ b/inventory/group_vars/all.yaml
@@ -2,3 +2,17 @@
 skylab_mgmt_keys:
 - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP5TGKururOa1Y+cbv8AWXYI5zhfZCDV0fsBG+33IYUc enpaul@ansible.voyager
 - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBf7i/8hSJDYnoD95noCJJVtSxxCp9N5EmnshALufiwm enpaul@ansible.opportunity
+
+skylab_tfstate_backend:
+  hostname: cluster.lab.enp.one
+  username: terraform
+  schema: terraform
+  port: 32421
+  password: !vault |
+          $ANSIBLE_VAULT;1.1;AES256
+          30313365393065316563323363663135313438616461356439366632303636343735653033363930
+          6334613931376566363064663539643639326363663933610a306138616362376435386466306538
+          30626330613932363339363438356430613461313335333536623931343436353330393433373630
+          3631343463616631380a386661336534663033383637666538316665303962353034376232356235
+          65323339353563623431666535366465353133343137653232326534326436323661636536373564
+          3466633762303966366366653531613261336561356531636461
diff --git a/skylab/infra/galaxy.yml b/skylab/infra/galaxy.yml
index 6af986f..d981a4d 100644
--- a/skylab/infra/galaxy.yml
+++ b/skylab/infra/galaxy.yml
@@ -11,4 +11,6 @@ tags: []
 repository: https://vcs.enp.one/skylab/skylab-ansible/
 build_ignore: []
 
-dependencies: {}
+dependencies:
+  community.general: ">=6.5.0,<7.0"
+  ansible.posix: ">=1.5.1,<2.0"
diff --git a/skylab/infra/playbooks/cloud.yml b/skylab/infra/playbooks/cloud.yml
new file mode 100644
index 0000000..19b9df6
--- /dev/null
+++ b/skylab/infra/playbooks/cloud.yml
@@ -0,0 +1,39 @@
+---
+- name: Provision DigitalOcean cloud
+  hosts: localhost
+  vars:
+    terraform_backend: "postgres://{{ skylab_tfstate_backend.username }}:{{ skylab_tfstate_backend.password }}@{{ skylab_tfstate_backend.hostname }}:{{ skylab_tfstate_backend.port }}/{{ skylab_tfstate_backend.schema }}"
+  tasks:
+  - name: Deploy terraform config
+    block:
+    - name: Create temp plan file
+      changed_when: false
+      ansible.builtin.tempfile:
+        state: file
+        prefix: skylab
+        suffix: tfplan
+      register: _tfplan_tempfile
+
+    - name: Initialize terraform backend and generate plan file
+      community.general.terraform:
+        state: planned
+        project_path: terraform/
+        backend_config:
+          conn_str: "{{ terraform_backend }}"
+        force_init: true
+        init_reconfigure: true
+        plan_file: "{{ _tfplan_tempfile.path }}"
+
+    - name: Apply terraform plan
+      community.general.terraform:
+        state: present
+        project_path: terraform/
+        backend_config:
+          conn_str: "{{ terraform_backend }}"
+        plan_file: "{{ _tfplan_tempfile.path }}"
+    always:
+    - name: Remove temp plan file
+      changed_when: false
+      ansible.builtin.file:
+        path: "{{ _tfplan_tempfile.path }}"
+        state: absent