diff --git a/pam_url.conf.fed-cloud09.cloud.fedoraproject.org b/pam_url.conf.fed-cloud09.cloud.fedoraproject.org
new file mode 100644
index 0000000000..9ce7690b81
--- /dev/null
+++ b/pam_url.conf.fed-cloud09.cloud.fedoraproject.org
@@ -0,0 +1,21 @@
+pam_url:
+{
+ settings:
+ {
+ url = "https://fas-all.phx2.fedoraproject.org:8443/"; # URI to fetch
+ returncode = "OK"; # The remote script/cgi should return a 200 http code and this string as its only results
+ userfield = "user"; # userfield name to send
+ passwdfield = "token"; # passwdfield name to send
+ extradata = "&do=login"; # extradata to send
+ prompt = "Password+Token: "; # password prompt
+ };
+
+ ssl:
+ {
+ verify_peer = true; # Should we verify SSL ?
+ verify_host = true; # Should we verify the CN in the SSL cert?
+ client_cert = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side certificate
+ client_key = "/etc/pki/tls/private/totpcgi.pem"; # file to use as client-side key (can be same file as above if a single cert)
+ ca_cert = "/etc/pki/tls/private/totpcgi-ca.cert";
+ };
+};
diff --git a/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml b/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml
index cea3e383b8..8814ec4831 100644
--- a/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml
+++ b/playbooks/hosts/fed-cloud09.cloud.fedoraproject.org.yml
@@ -10,10 +10,24 @@ - /srv/web/infra/ansible/vars/fedora-cloud.yml - /srv/private/ansible/files/openstack/passwords.yml + roles: + - rkhunter + - nagios_client + - hosts + - fas_client + - sudo + tasks: - include: "{{ tasks }}/cloud_setup_basic.yml" vars: root_auth_users: msuchy + - include: "{{ tasks }}/motd.yml" + - include: "{{ tasks }}/2fa_client.yml" + + - name: set root passwd + user: name=root password={{ cloud_rootpw }} state=present + tags: + - rootpw - name: Set the hostname action: hostname name=fed-cloud09.cloud.fedoraproject.org
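Review bot: `client_cert` and `client_key` both point at `/etc/pki/tls/private/totpcgi.pem`, so that single file holds the client-side private key used against the `url` endpoint, and nothing visible in this commit installs it or restricts its mode. Presumably the `2fa_client.yml` include does that; it is worth confirming the file lands readable by root only (for example `0600 root:root`). The `ca_cert` line is the only setting without a trailing comment; something like `# CA certificate used to verify the server behind url` would match the rest of the file. The config is also added at the repository root with the host name as a suffix, which looks like it may be a stray copy rather than a role-managed file.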
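Review bot: The new `set root passwd` task passes `{{ cloud_rootpw }}` unquoted in a `key=value` argument string and has no `no_log`, so a value containing spaces or shell-like characters would be split by the argument parser and the value can appear in verbose or logged task output. The `user` module writes `password` verbatim into the hash field, so `cloud_rootpw` has to be a crypt hash already; the diff does not show which it is, and the variable's definition is outside this hunk. I would write the arguments as a native YAML mapping with the template quoted and add `no_log: true`, as sketched below with conventional indentation, since the page has lost the original. The play itself starts before this hunk.

```yaml
  - name: set root passwd
    user:
      name: root
      password: "{{ cloud_rootpw }}"
      state: present
    no_log: true
    # … unchanged: tags (rootpw) …
```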