diff --git a/cloud-init/hetzner-cloud.yml b/cloud-init/hetzner-cloud.yml
new file mode 100644
index 0000000..a4f3932
--- /dev/null
+++ b/cloud-init/hetzner-cloud.yml
@@ -0,0 +1,32 @@
+#cloud-config
+users:
+ - name: soeren
+ groups: users, admin
+ sudo: ALL=(ALL) NOPASSWD:ALL
+ shell: /bin/bash
+ ssh_import_id:
+ - gh:kekskurse
+ - name: cloud
+ groups: users, admin
+ sudo: ALL=(ALL) NOPASSWD:ALL
+ shell: /bin/bash
+ ssh_import_id:
+ - gh:kekskurse
+packages:
+ - ufw
+package_update: true
+package_upgrade: true
+runcmd:
+ - ufw allow 22522
+ - ufw enable
+ - sed -i -e '/^\(#\|\)PermitRootLogin/s/^.*$/PermitRootLogin no/' /etc/ssh/sshd_config
+ - sed -i -e '/^\(#\|\)PasswordAuthentication/s/^.*$/PasswordAuthentication no/' /etc/ssh/sshd_config
+ - sed -i -e '/^\(#\|\)KbdInteractiveAuthentication/s/^.*$/KbdInteractiveAuthentication no/' /etc/ssh/sshd_config
+ - sed -i -e '/^\(#\|\)ChallengeResponseAuthentication/s/^.*$/ChallengeResponseAuthentication no/' /etc/ssh/sshd_config
+ - sed -i -e '/^\(#\|\)MaxAuthTries/s/^.*$/MaxAuthTries 5/' /etc/ssh/sshd_config
+ - sed -i -e '/^\(#\|\)AllowTcpForwarding/s/^.*$/AllowTcpForwarding no/' /etc/ssh/sshd_config
+ - sed -i -e '/^\(#\|\)X11Forwarding/s/^.*$/X11Forwarding no/' /etc/ssh/sshd_config
+ - sed -i -e '/^\(#\|\)AllowAgentForwarding/s/^.*$/AllowAgentForwarding no/' /etc/ssh/sshd_config
+ - sed -i -e '/^\(#\|\)AuthorizedKeysFile/s/^.*$/AuthorizedKeysFile .ssh\/authorized_keys/' /etc/ssh/sshd_config
+ - sed -i 's/^#Port 22/Port 22522/' /etc/ssh/sshd_config
+ - reboot
diff --git a/debian12-basic/playbook.yml b/debian12-basic/playbook.yml
index 8a4c34c..5f9a31f 100644
--- a/debian12-basic/playbook.yml
+++ b/debian12-basic/playbook.yml
@@ -26,6 +26,7 @@
 - ncdu
 - msmtp
 - msmtp-mta
+ - gcc
 - name: Remove "neovim" package
 ansible.builtin.apt:
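Review bot: The `sed` lines in `runcmd` only rewrite directives that already exist in `/etc/ssh/sshd_config` in the expected form, so the hardening can silently fail to apply: `s/^#Port 22/Port 22522/` does nothing unless the file holds exactly a commented `#Port 22`, and after `ufw enable` and `reboot` the host would then listen on 22 while only 22522 is open. On Debian/Ubuntu images the main file usually begins with an `Include` of `/etc/ssh/sshd_config.d/*.conf` and sshd keeps the first value it reads, so an image-shipped drop-in (for example one that sets `PasswordAuthentication`) would override these edits; this is worth confirming on the Hetzner image. I would write the settings as a drop-in through `write_files` and check them with `sshd -t` before the reboot, as sketched below. Separately, both users get `NOPASSWD:ALL` with keys pulled from `gh:kekskurse` at boot, so root access on each new host follows whatever keys that GitHub account lists at provisioning time; pinning the public keys under `ssh_authorized_keys` would remove that dependency.

```yaml
# … unchanged: users, packages, package_update, package_upgrade …
write_files:
  # File name is an example; it must sort before any drop-in the image ships,
  # and it only takes effect if sshd_config includes sshd_config.d/*.conf.
  - path: /etc/ssh/sshd_config.d/00-hardening.conf
    permissions: '0644'
    content: |
      Port 22522
      PermitRootLogin no
      PasswordAuthentication no
      KbdInteractiveAuthentication no
      ChallengeResponseAuthentication no
      MaxAuthTries 5
      AllowTcpForwarding no
      X11Forwarding no
      AllowAgentForwarding no
      AuthorizedKeysFile .ssh/authorized_keys
runcmd:
  # Stop before the firewall and reboot if the resulting config does not parse.
  - sshd -t || exit 1
  - ufw allow 22522/tcp
  - ufw --force enable
  - reboot
```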
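Review bot: Adding `gcc` to the package list of the basic playbook puts a compiler toolchain on every host built from it, and neither the hunk nor a comment says what needs it. If it is only a build-time dependency for one component, I would move it to the role that needs it (or remove it after the build) and add a comment such as `# gcc: required to build <component>` next to the entry. The enclosing task starts above the hunk, so the rest of the install list is not visible here.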