diff --git a/ansible/libreddit.yml b/ansible/libreddit.yml
index 3d5ebce..48f64a4 100644
--- a/ansible/libreddit.yml
+++ b/ansible/libreddit.yml
@@ -8,45 +8,50 @@ remote_user: atm tasks: - - name: Ensure all VMs are reachable - ansible.builtin.ping: - - name: Create /etc/apt/keyrings dir + become: true ansible.builtin.file: path: /etc/apt/keyrings state: directory recurse: true - name: Add Docker GPG apt Key + become: true ansible.builtin.apt_key: url: https://download.docker.com/linux/debian/gpg state: present - name: Add Docker Repository + become: true ansible.builtin.apt_repository: repo: deb https://download.docker.com/linux/debian buster stable state: present - name: Update apt and install docker-ce + become: true ansible.builtin.apt: name: docker-ce update_cache: true - name: Install Docker Module for Python + become: true ansible.builtin.pip: name: docker - name: Ensure docker group is present + become: true ansible.builtin.group: name: docker state: present - name: Add user atm to docker group + become: true ansible.builtin.user: name: atm groups: docker,users,admin - name: Deploy libreddit + become: true ansible.builtin.docker_container: name: libreddit state: started
@@ -56,6 +61,7 @@ - "8080:8080" - name: Allow port 8080 + become: true community.general.ufw: state: enabled proto: tcp
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
index ee2a154..dfa73c1 100644
--- a/ansible/playbook.yml
+++ b/ansible/playbook.yml
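Review bot: The Docker signing key is still imported with `ansible.builtin.apt_key`, which puts it in the system-wide trusted keyring where it vouches for every repository, while the `/etc/apt/keyrings` directory this play creates just before it is never used; there is also no `id:` fingerprint, so whatever the URL serves is trusted as-is. Download the key into that directory with `get_url` and reference it with `signed-by=` in the repository line instead, as below, so the Docker key only authenticates the Docker repository, and pin it with `checksum:` once a verified value has been recorded. `recurse: true` on the directory task does nothing useful for a freshly created empty directory and can be dropped. The suite `buster` in the repository line also looks out of step with the `bullseye_*` inventory group names in playbook.yml's old play header — confirm the target release. The task list continues outside the hunk.
```yaml
- name: Add Docker GPG apt Key
  become: true
  ansible.builtin.get_url:
    url: https://download.docker.com/linux/debian/gpg
    dest: /etc/apt/keyrings/docker.asc
    mode: "0644"
    # checksum: "sha256:<VERIFIED-KEY-DIGEST>"  # pin once a trusted value is recorded

- name: Add Docker Repository
  become: true
  ansible.builtin.apt_repository:
    repo: deb [signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian buster stable
    state: present
# … unchanged: docker-ce install, pip, group, user and docker_container tasks …
```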
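Review bot: The ufw rule this task enables does not gate the container port published as `- "8080:8080"` in the context above: on a default Docker install the daemon inserts its own iptables chains ahead of ufw's, so the published port is reachable whether or not ufw allows it, and a reader of this playbook would wrongly conclude ufw is the control. If the service is meant to be reached only through a front-end, bind the publish to loopback, `- "127.0.0.1:8080:8080"`, and point the proxy at it; otherwise record the limitation next to the task, e.g. `# NOTE: Docker publishes ports through its own iptables chains; this ufw rule does not filter them`. The ufw task continues outside the hunk, so its rule and port lines are not visible here.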
@@ -3,19 +3,22 @@ # SPDX-License-Identifier: AGPL-3.0-or-later --- -- name: Configure webservers - hosts: [bullseye_libreddit,bullseye_loadbalance] - remote_user: root - - tasks: +- name: Install and enable firewall + hosts: all + remote_user: atm + pre_tasks: - name: Ensure all VMs are reachable ansible.builtin.ping: - - name: Update package cache + + tasks: + - name: Update all packages + become: true ansible.builtin.apt: update_cache: true upgrade: safe - name: Install git, zip, nginx, wget, curl & other utils + become: true ansible.builtin.apt: update_cache: true pkg:
@@ -24,6 +27,7 @@ - curl - gpg - ca-certificates + - ntp - zip - python3-pip - virtualenv
@@ -32,10 +36,12 @@ - name: Set logging + become: true community.general.ufw: logging: "on" - name: Allow port 22 and enable UFW + become: true community.general.ufw: state: enabled rule: allow
@@ -44,7 +50,15 @@ - name: Enable and start ufw service + become: true ansible.builtin.service: name: ufw enabled: true state: started + + - name: Enable and start ufw service + become: true + ansible.builtin.service: + name: ntp + enabled: true + state: started
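Review bot: `become: true` is now repeated on every task in this play (here, in the hunks at @@ -32 and @@ -44, and on every task in libreddit.yml); since all of them escalate, set it once at play level beside the new `remote_user: atm`, `become: true`, and mark the reachability check in `pre_tasks` with `become: false` if it is meant to stay unprivileged. The play name `Install and enable firewall` no longer describes what the play does — it also upgrades every package (`upgrade: safe`) and installs utilities — so rename it, e.g. `- name: Baseline packages and firewall`. With `hosts: all` the upgrade and firewall changes now run on every inventory host rather than the two groups the old header listed; confirm that is intended.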
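Review bot: `Allow port 22 and enable UFW` both enables the firewall and adds the SSH allow rule in a single task, leaving the order of the two operations to the module; if the enable is applied first, new SSH connections are refused until the rule lands. Split it into an allow task (`rule: allow`, `port: "22"`, `proto: tcp`) followed by a separate task with only `state: enabled`, and state the policy explicitly with `default: deny` and `direction: incoming` instead of relying on ufw's built-in default. The task continues outside the hunk, so its port and proto lines are not visible here.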
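Review bot: The added task is named `Enable and start ufw service` but manages the `ntp` unit, so play output and logs will show two identically named ufw tasks and the second one's failures will be misattributed; rename it `- name: Enable and start ntp service`. The unit name also depends on the `ntp` package added in the hunk at @@ -24 providing `ntp.service`; on releases where `ntp` is only a transitional package, confirm the unit name before relying on this task for time synchronisation.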