diff --git a/roles/tftp-server/defaults/main.yml b/roles/tftp-server/defaults/main.yml
index ae67b9c..fcb9ae5 100644
--- a/roles/tftp-server/defaults/main.yml
+++ b/roles/tftp-server/defaults/main.yml
@@ -1,6 +1,5 @@
 ---
 netboot_image: https://deb.debian.org/debian/dists/stretch/main/installer-amd64/current/images/netboot/netboot.tar.gz
-late_command_url: https://anonscm.debian.org/cgit/debconf-video/ansible.git/plain/setup_ansible.sh
 time_zone: UTC
 domain: video.debconf.org
@@ -12,3 +11,11 @@ apt_proxy: false
 user_name: videoteam
 # Defaults to not setting a password
 #user_password_crypted: changeme
+
+# Git repos:
+playbook_repo: https://anonscm.debian.org/cgit/debconf-video/ansible.git
+playbook_branch: master
+
+# To replace the stock inventory with your own, point at your own github repo
+#inventory_repo: https://gitlab.com/yourname/ansible-inventory
+#inventory_branch: master
diff --git a/roles/tftp-server/files/pxe b/roles/tftp-server/files/pxe
new file mode 100644
index 0000000..927e0c4
--- /dev/null
+++ b/roles/tftp-server/files/pxe
@@ -0,0 +1,15 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ root /srv/pxe;
+
+ server_name {{ inventory_hostname }}.{{ video.debconf.org }};
+
+ location / {
+ fancyindex on;
+ }
+
+ access_log /var/log/nginx/pxe-access.log;
+ error_log /var/log/nginx/pxe-error.log;
+}
diff --git a/roles/tftp-server/handlers/main.yml b/roles/tftp-server/handlers/main.yml
new file mode 100644
index 0000000..79f7f57
--- /dev/null
+++ b/roles/tftp-server/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: systemctl restart nginx
+ command: systemctl restart nginx
diff --git a/roles/tftp-server/tasks/d-i.yml b/roles/tftp-server/tasks/d-i.yml
new file mode 100644
index 0000000..c63c189
--- /dev/null
+++ b/roles/tftp-server/tasks/d-i.yml
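Review bot: `playbook_branch: master` in roles/tftp-server/defaults/main.yml is a moving ref, and late_command.sh.j2 in this same commit clones and checks it out on each newly installed machine, so whoever can push to that branch (or to the optional `inventory_repo`) decides what fresh hosts run. The script writes under /root and /usr/local/sbin, so it runs with root privileges. Since `git checkout` also accepts a tag or commit id, a comment such as `# playbook_branch may be a branch, tag or commit id; pin a tag or commit to install a reviewed revision` would let deployments pin what they have audited. The comment above `#inventory_repo` says "github repo" while the example URL is on gitlab.com; "git repo" would be accurate.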
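Review bot: The line `server_name {{ inventory_hostname }}.{{ video.debconf.org }};` in roles/tftp-server/files/pxe will reach nginx unrendered, because tasks/webserver.yml installs this file with `copy`, which does no Jinja2 templating. The second expression also uses the domain's value where the `domain` variable from defaults/main.yml is meant; moving the file to templates/ and installing it with `template`, with `server_name {{ inventory_hostname }}.{{ domain }};`, fixes both. Separately, `fancyindex on` at `location /` lists everything under /srv/pxe over plain HTTP, including the generated preseed.cfg and late_command.sh. If the preseed template emits `user_password_crypted` (the template is not visible here), that hash is readable by anyone who can reach port 80, so consider dropping the listing or limiting the vhost to the install network with `allow`/`deny`.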
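Review bot: The new handler in roles/tftp-server/handlers/main.yml shells out with `command: systemctl restart nginx` where the `service` module would do the same job declaratively and support check mode: `service:` with `name: nginx` and `state: restarted`. Three tasks in tasks/webserver.yml notify this handler by name, so the handler name can stay as it is.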
@@ -0,0 +1,43 @@
+---
+- name: download TFTP boot image
+ get_url:
+ url: "{{ netboot_image }}"
+ dest: /srv/tftp/netboot.tar.gz
+
+- name: extract TFTP boot image
+ unarchive:
+ src: /srv/tftp/netboot.tar.gz
+ dest: /srv/tftp
+ remote_src: true
+ creates: /srv/tftp/pxelinux.0
+
+- name: inject preseed into menu (find files)
+ find:
+ paths: /srv/tftp
+ recurse: true
+ patterns: txt.cfg
+ register: menus
+
+- name: inject preseed into menu (do injection)
+ lineinfile:
+ dest: "{{ item.path }}"
+ regexp: (\s+append\s+.*\s+initrd=\S+)\s+(?!auto=true)(.*)
+ backrefs: true
+ line: \1 auto=true interface=auto url={{ inventory_hostname }} \2
+ with_items: "{{ menus.files }}"
+
+- name: create d-i directory
+ file:
+ path: /srv/pxe/d-i/{{ debian_version }}
+ state: directory
+ recurse: true
+
+- name: write preseed.cfg
+ template:
+ src: preseed.cfg.j2
+ dest: /srv/pxe/d-i/{{ debian_version }}/preseed.cfg
+
+- name: generate late_command.sh
+ template:
+ src: late_command.sh.j2
+ dest: /srv/pxe/d-i/late_command.sh
diff --git a/roles/tftp-server/tasks/main.yml b/roles/tftp-server/tasks/main.yml
index 5b4156e..29c1af3 100644
--- a/roles/tftp-server/tasks/main.yml
+++ b/roles/tftp-server/tasks/main.yml
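Review bot: The `download TFTP boot image` task in tasks/d-i.yml fetches `netboot_image` with no `checksum:`, so whatever the mirror or an intermediate proxy returns is unpacked into /srv/tftp and network-booted by every machine being installed. `get_url` can verify the download: add `checksum: "sha256:{{ netboot_image_sha256 }}"`, with the digest taken from the SHA256SUMS file Debian publishes alongside the installer images and held in a new default (the variable name is only a suggestion). Also, `debian_version`, used in the three /srv/pxe/d-i paths, is not set in the defaults lines visible in this commit; if it is not defined elsewhere, the role fails at `create d-i directory`.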
@@ -1,32 +1,3 @@
 ---
-- name: download TFTP boot image
- get_url:
- url: "{{ netboot_image }}"
- dest: /srv/tftp/netboot.tar.gz
-
-- name: extract TFTP boot image
- unarchive:
- src: /srv/tftp/netboot.tar.gz
- dest: /srv/tftp
- remote_src: true
- creates: /srv/tftp/pxelinux.0
-
-- name: write preseed.cfg
- template:
- src: preseed.cfg.j2
- dest: /srv/tftp/preseed.cfg
-
-- name: inject preseed into menu (find files)
- find:
- paths: /srv/tftp
- recurse: true
- patterns: txt.cfg
- register: menus
-
-- name: inject preseed into menu (do injection)
- lineinfile:
- dest: "{{ item.path }}"
- regexp: (\s+append\s+.*\s+initrd=\S+)\s+(?!auto=true)(.*)
- backrefs: true
- line: \1 auto=true interface=auto url=tftp://10.20.0.1/preseed.cfg \2
- with_items: "{{ menus.files }}"
+- include: webserver.yml
+- include: d-i.yml
diff --git a/roles/tftp-server/tasks/webserver.yml b/roles/tftp-server/tasks/webserver.yml
new file mode 100644
index 0000000..684ae0e
--- /dev/null
+++ b/roles/tftp-server/tasks/webserver.yml
@@ -0,0 +1,22 @@
+---
+- name: install nginx
+ apt:
+ name: nginx-extras
+
+- name: remove default nginx vhost
+ file: /etc/nginx/sites-available/default
+ state: absent
+ notify: systemctl restart nginx
+
+- name: place pxe nginx vhost
+ copy:
+ src: files/pxe
+ dest: /etc/nginx/sites-available/pxe
+ notify: systemctl restart nginx
+
+- name: enable pxe nginx vhost
+ file:
+ state: link
+ src: /etc/nginx/sites-available/pxe
+ dest: /etc/nginx/sites-enabled/pxe
+ notify: systemctl restart nginx
diff --git a/roles/tftp-server/templates/late_command.sh.j2 b/roles/tftp-server/templates/late_command.sh.j2
new file mode 100644
index 0000000..45929e3
--- /dev/null
+++ b/roles/tftp-server/templates/late_command.sh.j2
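Review bot: The `remove default nginx vhost` task in tasks/webserver.yml gives `file:` a bare path as its value and then lists `state: absent` separately, so `state` cannot be an argument of `file:` however it was indented; the `enable pxe nginx vhost` task below shows the argument mapping that is needed. The task also targets sites-available/default, while the vhost nginx actually loads on Debian is the symlink in sites-enabled. Removing only the sites-available file leaves that symlink dangling, which nginx is likely to reject when it reads sites-enabled. Suggested form: `file:` with `path: /etc/nginx/sites-enabled/default` and `state: absent`.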
@@ -0,0 +1,52 @@
+#!/bin/sh
+
+set -eufx
+
+# This script setups ansible and runs it
+# It should be ran at the end of the basic installation of a machine
+
+apt install -y ansible git eatmydata
+
+# We clone our ansible repository and copy the ansible config files
+
+git clone {{ playbook_repo }} /root/playbook-repo
+(cd /root/playbook-repo; git checkout {{ playbook_branch }})
+INVENTORY=/root/playbook-repo/inventory/hosts
+PLAYBOOKS=/root/playbook-repo/site.yml
+
+{% if inventory_repo is defined %}
+git clone {{ inventory_repo }} /root/inventory-repo
+(cd /root/inventory-repo; git checkout {{ inventory_branch }})
+INVENTORY=/root/inventory-repo/inventory/hosts
+if [ -e /root/inventory-repo/site.yml ]; then
+ PLAYBOOKS="$PLAYBOOKS /root/inventory-repo/site.yml"
+fi
+{% endif %}
+
+cat > /usr/local/sbin/ansible-up <