diff --git a/tasks/cloud_setup_basic.yml b/tasks/cloud_setup_basic.yml
new file mode 100644
index 0000000000..6b1f0be239
--- /dev/null
+++ b/tasks/cloud_setup_basic.yml
@@ -0,0 +1,89 @@
+---
+- name: Install desired extra packages (yum)
+  package: state=present pkg={{ item }}
+  with_items:
+  - ntpdate
+  - ntp
+  - libsemanage-python
+  - libselinux-python
+  when: ansible_distribution_major_version|int < 8 and ansible_distribution == 'RedHat'
+  tags:
+  - packages
+
+- name: Install desired extra packages (dnf)
+  dnf:
+    state: present
+    pkg: 
+    - ntpdate
+    - libselinux-python
+  when: ansible_distribution_major_version|int > 7 and ansible_distribution == 'RedHat' and ansible_cmdline.ostree is not defined
+  tags:
+  - packages
+
+- name: Include basessh
+  include_role: name=basessh
+
+#- name: edit hostname to be instance name - prefix hostbase var if it exists
+#  shell: hostname  {{ hostbase }}`curl -s http://169.254.169.254/latest/meta-data/instance-id`
+#  tags:
+#  - config
+
+- name: add ansible root key
+  authorized_key: user=root key="{{ item }}"
+  with_file:
+  - /srv/web/infra/ansible/roles/base/files/ansible-pub-key
+  tags:
+  - config
+  - sshkeys
+
+- name: add root keys for sysadmin-main and other allowed users
+  authorized_key: user=root key="{{ item }}"
+  with_lines:
+   - "/srv/web/infra/ansible/scripts/auth-keys-from-fas @sysadmin-main {{ root_auth_users }}"
+  tags:
+  - config
+  - sshkeys
+  ignore_errors: true
+
+- name: enable ssh_sysadm_login sebool
+  seboolean: name=ssh_sysadm_login state=yes persistent=yes
+  ignore_errors: true
+
+# note - kinda should be a handler - but handlers need args
+- name: restorecon
+  file: path=/root/.ssh setype=ssh_home_t recurse=yes
+  tags:
+  - config
+
+- name: update all
+  command: yum -y update creates=/etc/sysconfig/global-update-applied
+  register: updated
+  when: ansible_distribution_major_version|int < 8 and ansible_distribution == 'RedHat'
+  tags:
+  - packages
+
+- name: update all
+  command: dnf -y update creates=/etc/sysconfig/global-update-applied
+  register: updated
+  when: ansible_distribution_major_version|int > 7 and ansible_distribution == 'RedHat' and ansible_cmdline.ostree is not defined
+  tags:
+  - packages
+
+- name: update all
+  command: dnf -y update creates=/etc/sysconfig/global-update-applied
+  register: updated
+  when: ansible_distribution_major_version|int >= 29 and ansible_distribution == 'Fedora' and ansible_cmdline.ostree is not defined
+  tags:
+  - packages
+
+- name: write out global-update-applied file if we updated
+  copy: content="updated" dest=/etc/sysconfig/global-update-applied
+  when: updated is defined
+  tags:
+  - packages
+
+- name: ensure tmp.mount is not masked, logrotate start would fail
+  systemd:
+    name: tmp.mount
+    masked: no
+  when: ansible_distribution_major_version|int >= 30 and ansible_distribution == 'Fedora'