diff --git a/.gitmodules b/.gitmodules
new file mode 100644
index 0000000000000000000000000000000000000000..d35a1afe932131a654da056d24ce4ee8eb9cb7be
--- /dev/null
+++ b/.gitmodules
@@ -0,0 +1,3 @@
+[submodule "ansible/playbooks/pma"]
+	path = ansible/playbooks/pma
+	url = https://git.code.tecnalia.com/piacere/public/agents/pma-playbook.git
diff --git a/ansible/playbooks/pma b/ansible/playbooks/pma
new file mode 160000
index 0000000000000000000000000000000000000000..76fb3507d97846509eafa3a3bcdbdf0d787dec41
--- /dev/null
+++ b/ansible/playbooks/pma
@@ -0,0 +1 @@
+Subproject commit 76fb3507d97846509eafa3a3bcdbdf0d787dec41
diff --git a/main.tf b/main.tf
index eab78bc1da497b854d969fa9486ba20e2c85f990..4af4980770c7e0949b57f8a91d907dcf13fe0a01 100644
--- a/main.tf
+++ b/main.tf
@@ -96,6 +96,21 @@ resource "openstack_compute_instance_v2" "nginx" {
   network {
     port = openstack_networking_port_v2.nginx.id
   }
+
+  # this is subject to be moved to IEM as part of its baseline
+    provisioner "local-exec" {
+    command = "ansible-galaxy collection install community.general"
+  }
+  
+  # this is subject to be moved to IEM as part of its baseline
+  provisioner "local-exec" {
+    command = "ansible-playbook ansible/playbooks/pma/site_requirements.yaml"
+  }
+
+  # secrets can be taken from environment variables at IEM but these security issues I will leave them to y2, the user can also be problematic ubuntu/root/centos/...
+  provisioner "local-exec" {
+    command = "ansible-playbook -u root -i '${openstack_networking_floatingip_v2.nginx.address},' ansible/playbooks/pma/site.yaml --extra-vars '{\"pma_deployment_id\": \"123e4567-e89b-12d3-a456-426614174002\", \"pma_influxdb_bucket\": \"bucket\", \"pma_influxdb_token\": \"piacerePassword\", \"pma_influxdb_org\": \"piacere\", \"pma_influxdb_addr\": \"https://influxdb.pm.ci.piacere.digital.tecnalia.dev\" }'"
+  }
 }
 
 # Create network port