diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg
new file mode 100644
index 0000000..3b02ec3
--- /dev/null
+++ b/ansible/ansible.cfg
@@ -0,0 +1,4 @@
+[defaults]
+hostfile = hosts
+stdout_callback=debug
+stderr_callback=debug
diff --git a/ansible/hosts b/ansible/hosts
new file mode 100644
index 0000000..fd2171f
--- /dev/null
+++ b/ansible/hosts
@@ -0,0 +1,2 @@
+[madlambda]
+127.0.0.1
diff --git a/ansible/madlambda.yml b/ansible/madlambda.yml
new file mode 100644
index 0000000..fe40fbd
--- /dev/null
+++ b/ansible/madlambda.yml
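Review bot: `hostfile = hosts` is the pre-2.4 name of the inventory setting; on current Ansible releases the key is `inventory`, and the old name is deprecated or no longer read, so the play could silently fall back to the default inventory instead of the `hosts` file added in this commit. Suggest `inventory = hosts`. I also cannot find `stderr_callback` among the documented `[defaults]` keys — if it is unrecognised it is silently ignored, so either drop it or confirm the Ansible version in use honours it. Keep in mind that `stdout_callback=debug` prints every task's full stdout/stderr, including `shell:` task output, into the run log; fine for a local playbook, but worth noting before any secret-bearing task is added.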
@@ -0,0 +1,120 @@
+---
+- hosts: all
+ connection: local
+ tasks:
+ - name: create madlambda group
+ group:
+ name: madlambda
+
+ - name: create i4k user
+ user:
+ name: i4k
+ uid: 1337
+ groups: madlambda
+ append: yes
+
+ - name: prepare src dir
+ file:
+ path: /root/src
+ state: directory
+ mode: '0755'
+
+ - name: clean unit source
+ file:
+ path: /root/src/unit
+ state: absent
+
+ - name: install basic dependencies
+ apt:
+ update_cache: yes
+ state: latest
+ pkg:
+ - mercurial
+ - git
+ - build-essential
+ - libssl-dev
+ - python-dev
+ - php-dev
+ - libphp-embed
+ - golang-go
+ - jq
+ - certbot
+ - wget
+
+ - name: configure mercurial
+ copy:
+ dest: /root/.hgrc
+ content: |
+ [ui]
+ username = root
+
+ color =
+
+ [extensions]
+ mq =
+ purge =
+
+ [diff]
+ showfunc = True
+
+ - name: clone unit
+ shell: hg clone http://hg.nginx.org/unit/
+ args:
+ chdir: /root/src
+
+ - name: apply unit TLS patch
+ shell: |
+ wget -O tls-config.patch https://gist.githubusercontent.com/tiago4orion/a3a993c96813f691b9a417193a3ad54e/raw/280459007c2ee21b4b2895812cd9cb2652455530/tls-config.patch
+ hg qimport -n tls-config tls-config.patch
+ hg qpush
+ args:
+ chdir: /root/src/unit
+
+ - name: build unit (php, python and go)
+ shell: |
+ make clean || true
+ ./configure --cc-opt="-O3" --prefix=/usr/local/unit --tests --openssl
+ ./configure php
+ ./configure python
+ GOPATH=/root/src/unit/build/go ./configure go
+ make tests
+ ./build/tests
+ make
+ python3 ./test/run.py
+ make install
+ args:
+ chdir: /root/src/unit
+
+ - name: init i4k dir
+ become_user: i4k
+ file:
+ path: /home/i4k/src
+ state: directory
+ mode: '0755'
+
+ - name: remove i4k sources
+ become_user: i4k
+ file:
+ path: /home/i4k/src/i4k.madlambda.io
+ state: absent
+
+ - name: install i4k stuff
+ become_user: i4k
+ shell: git clone https://github.com/tiago4orion/i4k.madlambda.io.git
+ args:
+ chdir: /home/i4k/src
+
+ - name: install madlambda.io
+ shell: ./install.sh
+ args:
+ chdir: /root/src/madlambda.io
+
+ - 
name: stop && start unit + shell: | + systemctl stop unit || true + systemctl start unit + + - name: configure madlambda.io + shell: ./unit/apply.sh + args: + chdir: /root/src/madlambda.io diff --git a/unit/apply.sh b/unit/apply.sh index 217488c..fd6b646 100755 --- a/unit/apply.sh +++ b/unit/apply.sh @@ -47,13 +47,23 @@ if ! $CURL -XGET 127.0/certificates/madlambda.io | jq -e ".chain" >/dev/null; th fi fi +cat > tls.json << EOF +{ + "certificate": "madlambda.io", + "protocols": ["SSLv2", "SSLv3", "TLSv1.2", "TLSv1.3"], + "ciphers": "HIGH:!aNULL:!MD5" +} +EOF + if ! $CURL -XPUT '127.0/config/listeners/*:443/tls' \ - --data-binary '{"certificate": "madlambda.io"}' | jq -e ".success"; then + --data-binary @tls.json | jq -e ".success"; then echo "failed to apply certificate to listener *:443" exit 1 fi +rm -f tls.json + cd unit/apps for name in $(ls); do diff --git a/unit/apps/container-example/config.json b/unit/apps/container-example/config.json deleted file mode 100644 index bf4a6f1..0000000 --- a/unit/apps/container-example/config.json +++ /dev/null @@ -1,24 +0,0 @@ -{ - "type": "external", - "working_directory": "/home/i4k/src/unit-container-tests", - "executable": "/home/i4k/src/unit-container-tests/container-example", - "user": "root", - "group": "root", - "isolation": { - "namespaces": { - "credential": true, - "mount": true, - "uname": true, - "network": true, - "cgroup": true, - "pid": true - }, - "uidmap": [ - {"container": 0, "host": 65534, "size": 1} - ], - "gidmap": [ - {"container": 0, "host": 65534, "size": 1} - ] - } -} - diff --git a/unit/config.json b/unit/config.json index fb5e84b..b1891c2 100644 --- a/unit/config.json +++ b/unit/config.json @@ -14,7 +14,7 @@ "user": "root", "group": "root", "module": "wsgi", - "path": "/root/madlambda.io/apps/redirect-to-https" + "path": "/root/src/madlambda.io/apps/redirect-to-https" } }, "settings": { 
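Review bot: The `clone unit` task fetches the source that is then patched, built and installed as root over plain HTTP (`hg clone http://hg.nginx.org/unit/`) and without pinning a changeset, so anyone on the path can substitute the tree and every run builds whatever tip happens to be. Switch to `hg clone https://hg.nginx.org/unit/ -r <changeset>` (hg.nginx.org serves HTTPS), and consider checking the gist-fetched `tls-config.patch` against a recorded `sha256sum -c` before `hg qimport`, even though that URL is pinned to a gist revision. Separately, the three `become_user: i4k` tasks never set `become: yes`, and neither does the ansible.cfg in this commit, so as written they run as whoever invokes the play — presumably root, given `/root/src` — leaving `/home/i4k/src` and the clone owned by root; add `become: yes` beside each `become_user: i4k`. The play also assumes `/root/src/madlambda.io` already exists for `install.sh` and `apply.sh`, which nothing here creates; if that is intentional, a short comment on the `install madlambda.io` task saying so would help.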
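Review bot: The new `tls.json` lists `"SSLv2"` and `"SSLv3"` for the *:443 listener; both are broken protocols (DROWN, POODLE), OpenSSL 1.1+ does not ship SSLv2 at all and builds SSLv3 out by default, so the only possible effects are re-enabling a downgrade target or having the PUT rejected, depending on how the custom `protocols` option from the gist patch treats unsupported names. Change it to `"protocols": ["TLSv1.2", "TLSv1.3"]` — the list already skips TLSv1 and TLSv1.1, so that appears to be the intent. Minor: `tls.json` is written into the current directory under a fixed name and is only removed on the success path, so the `exit 1` branch leaves it behind; feeding the here-doc to curl directly with `--data-binary @-`, or using `mktemp` plus `trap 'rm -f "$tmp"' EXIT`, avoids both issues.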
diff --git a/unit/routes.d/container.json b/unit/routes.d/container.json deleted file mode 100644 index 4d7db8a..0000000 --- a/unit/routes.d/container.json +++ /dev/null @@ -1,9 +0,0 @@ -{ - "match": { - "host": "i4k.madlambda.io", - "uri": "/container" - }, - "action": { - "pass": "applications/container-example" - } -} diff --git a/unit/routes.d/i4k.json b/unit/routes.d/i4k.json index 97683d4..3eeb8d4 100644 --- a/unit/routes.d/i4k.json +++ b/unit/routes.d/i4k.json @@ -3,6 +3,6 @@ "host": "i4k.madlambda.io" }, "action": { - "share": "/home/i4k/i4k.madlambda.io/www" + "share": "/home/i4k/src/i4k.madlambda.io/www" } }