diff --git a/debian-vm-setup.yml b/debian-vm-setup.yml
new file mode 100644
index 0000000..1585ceb
--- /dev/null
+++ b/debian-vm-setup.yml
@@ -0,0 +1,186 @@
+---
+- name: Provision a Debian server on a virtual machine
+ hosts: vms
+ become: true
+ tasks:
+ - name: Configure APT sources
+ ansible.builtin.blockinfile:
+ path: /etc/apt/sources.list
+ block: |
+ deb http://deb.debian.org/debian bookworm main contrib non-free non-free-firmware
+ deb http://deb.debian.org/debian bookworm-updates main contrib non-free non-free-firmware
+ deb http://deb.debian.org/debian-security/ bookworm-security main contrib non-free non-free-firmware
+ owner: root
+ group: root
+ mode: "0644"
+
+ - name: Disable apt downloading translations
+ ansible.builtin.lineinfile:
+ path: /etc/apt/apt.conf.d/99translations
+ create: true
+ line: 'Acquire::Languages "none";'
+ owner: root
+ group: root
+ mode: "0644"
+
+ - name: Update cache and all packages
+ register: updatesys
+ ansible.builtin.apt:
+ upgrade: dist
+ update_cache: true
+
+ - name: Display the last line of the previous task to check the stats
+ ansible.builtin.debug:
+ msg: "{{updatesys.stdout_lines|last}}"
+
+ - name: Install basic packages
+ ansible.builtin.apt:
+ update_cache: true
+ name:
+ - apt-file
+ - apt-listchanges
+ - apt-utils
+ - atop
+ - autoconf
+ - automake
+ - bat
+ - build-essential
+ - byobu
+ - cmake
+ - curl
+ - firewalld
+ - git
+ - htop
+ - jc
+ - jq
+ - less
+ - man-db
+ - manpages
+ - pipx
+ - python3-dev
+ - python3-pip
+ - rclone
+ - rsync
+ - sudo
+ - systemd-resolved
+ - unattended-upgrades
+ - vim
+ - wget
+ - zsh
+ state: present
+
+ - name: Ensure man-db.timer is enabled
+ ansible.builtin.systemd_service:
+ name: man-db.timer
+ enabled: true
+
+ - name: Copy 20auto-upgrades
+ ansible.builtin.copy:
+ src: etc/apt/apt.conf.d/20auto-upgrades
+ dest: /etc/apt/apt.conf.d/20auto-upgrades
+ owner: root
+ group: root
+ mode: "0644"
+
+ - name: Copy 50unattended-upgrades
+ ansible.builtin.copy:
+ src: etc/apt/apt.conf.d/50unattended-upgrades
+ dest: /etc/apt/apt.conf.d/50unattended-upgrades
+ owner: root
+ group: root
+ mode: "0644"
+
+ - name: Ensure unattended-upgrades is enabled
+ ansible.builtin.systemd_service:
+ name: unattended-upgrades
+ enabled: true
+ state: started
+
+ - name: Ensure firewalld is enabled
+ ansible.builtin.systemd_service:
+ name: firewalld
+ enabled: true
+ state: started
+
+ - name: Ensure sudo no password privileges for the user 'jas'
+ ansible.builtin.lineinfile:
+ path: /etc/sudoers.d/jas
+ create: true
+ state: present
+ line: "jas ALL=(ALL) NOPASSWD: ALL"
+ owner: root
+ group: root
+ mode: "0640"
+ validate: /usr/sbin/visudo -csf %s
+
+ - name: Ensure the shell is set to zsh for user
+ ansible.builtin.user:
+ name: jas
+ shell: /usr/bin/zsh
+
+ - name: Ensure ethernet interface is configured for systemd-networkd
+ ansible.builtin.blockinfile:
+ path: /etc/systemd/network/ens3.network
+ create: true
+ state: present
+ block: |
+ [Match]
+ Name=ens3
+
+ [Network]
+ DHCP=yes
+ owner: root
+ group: root
+ mode: "0644"
+
+ - name: Ensure systemd-networkd is enabled
+ ansible.builtin.systemd_service:
+ name: systemd-networkd
+ enabled: true
+
+ - name: Ensure systemd-resolved is enabled
+ ansible.builtin.systemd_service:
+ name: systemd-resolved
+ enabled: true
+
+ - name: Ensure default network.service is disabled
+ ansible.builtin.systemd_service:
+ name: networking
+ enabled: false
+
+ - name: Ensure glances systemd unit is in place for user
+ ansible.builtin.blockinfile:
+ path: /home/jas/.config/systemd/user/glances.service
+ create: true
+ state: present
+ block: |
+ [Unit]
+ Description=Glances
+ After=network.target
+
+ [Service]
+ ExecStart=/home/jas/.local/bin/glances -s
+ Restart=always
+ RemainAfterExit=no
+
+ [Install]
+ WantedBy=default.target
+ owner: jas
+ group: jas
+ mode: "0644"
+
+ - name: Ensure empty .zshrc is in place for user
+ ansible.builtin.file:
+ path: /home/jas/.zshrc
+ state: touch
+ owner: jas
+ group: jas
+ mode: "0644"
+
+ - name: Reboot the system
+ ansible.builtin.reboot:
+ reboot_timeout: 120
+
+ - name: Post-reboot confirmation
+ ansible.builtin.debug:
+ msg: "{{ ansible_host }} is now back up and running"
diff --git a/inventory.yml b/inventory.yml
index e7ee8ea..b3b1c55 100644
--- a/inventory.yml
+++ b/inventory.yml
@@ -28,3 +28,10 @@ vps:
 ansible_user: root
 ansible_host: hyperreal.coffee
 ansible_python_interpreter: /usr/bin/python3
+
+vms:
+ hosts:
+ hyperreal:
+ ansible_user: root
+ ansible_host: 10.0.0.26
+ ansible_python_interpreter: /usr/bin/python3
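Review bot: The `Ensure glances systemd unit is in place for user` task relies on `create: true` to write `/home/jas/.config/systemd/user/glances.service`, and when `~/.config` does not exist yet blockinfile also creates the missing parent directories — but the play runs with `become: true` and `owner`/`group` apply only to the file, so those directories come out root-owned and `jas` can neither `systemctl --user enable glances` (which needs to write `default.target.wants/` beside the unit) nor write anything else under `~/.config`. Create the directory explicitly with ownership before writing the unit (task below); unlike blockinfile, the `file` module applies the owner/group to the parents it creates as well. Nothing in this hunk installs `/home/jas/.local/bin/glances` (pipx is installed, but no `pipx install glances` follows) or enables the unit, so as written it is inert. If it is meant to run, bear in mind that `glances -s` starts a network-listening server as the same `jas` who holds `jas ALL=(ALL) NOPASSWD: ALL`, which puts any flaw in that listener one hop from root — run it under a dedicated account or drop `NOPASSWD:`, keeping the `validate: /usr/sbin/visudo -csf %s` guard, which is the right way to write that rule. firewalld is enabled here with its default zone and no port is opened, so the listener is presumably unreachable from outside until a firewalld rule is added; a comment on the glances task saying so would stop someone opening the port casually.
```yaml
    # … unchanged: network, resolved and networking.service tasks …

    - name: Ensure the user systemd unit directory is owned by jas
      # blockinfile's create=true would make these parents as root
      ansible.builtin.file:
        path: /home/jas/.config/systemd/user
        state: directory
        owner: jas
        group: jas
        mode: "0755"

    - name: Ensure glances systemd unit is in place for user
      # … unchanged: blockinfile writing glances.service …
```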
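Review bot: The new `vms` host connects as `ansible_user: root` to 10.0.0.26, which means root SSH login has to remain enabled on the guest, even though the accompanying playbook runs with `become: true` and provisions `jas` with passwordless sudo, which reads as intended to make direct root use unnecessary. Once the first run has created `jas`, switching to `ansible_user: jas` (keeping `become: true` in the play) lets `PermitRootLogin` be turned off on the VM; if root must stay for the bootstrap run, a comment on the host entry — `# root only for initial provisioning; switch to jas once debian-vm-setup.yml has run` — would make that intent explicit. The `vps` context lines show the same `ansible_user: root` pattern, so the same consideration applies there, though that is outside this change.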