diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 00000000..f47eeb36 --- /dev/null +++ b/docker-compose.yml @@ -0,0 +1,41 @@ +version: '3.1' + +services: + + vm: + build: + context: ./docker/vm + container_name: vm + ports: + - 8000:8000 + - 8080:8080 + - 3306:3306 + - 5432:5432 + - 8983:8983 + - 8161:8161 + networks: + - islandora + privileged: true + volumes: + - keys:/root/.ssh + + ansible: + container_name: ansible + build: + context: ./docker/ansible + networks: + - islandora + depends_on: + - vm + volumes: + - keys:/root/.ssh + - ./:/root/playbook:Z + +networks: + islandora: + driver: bridge + +volumes: + keys: + driver: local + diff --git a/docker/ansible/Dockerfile b/docker/ansible/Dockerfile new file mode 100644 index 00000000..23e50d1e --- /dev/null +++ b/docker/ansible/Dockerfile @@ -0,0 +1,17 @@ +FROM centos:7.6.1810 + +ENV ISLANDORA_DISTRO="centos/7" \ + ANSIBLE_CONFIG=/root/playbook/ansible.cfg + +WORKDIR /root/playbook + +RUN yum -y install epel-release && \ + yum -y install git openssl openssh-clients python-pip python-devel python + +RUN pip install ansible==2.8.7 + +COPY entrypoint.sh /bin/ + +RUN chmod 700 /bin/entrypoint.sh + +ENTRYPOINT [ "/bin/entrypoint.sh" ] diff --git a/docker/ansible/entrypoint.sh b/docker/ansible/entrypoint.sh new file mode 100644 index 00000000..c036caff --- /dev/null +++ b/docker/ansible/entrypoint.sh @@ -0,0 +1,18 @@ +#!/bin/sh + +ssh-keyscan -H vm > /root/.ssh/known_hosts + +ansible-galaxy install --role-file=/root/playbook/requirements.yml --roles-path=roles/external + +ansible-playbook \ + -u root \ + -i ./inventory/vagrant/hosts \ + -e '@./docker/extra-vars.yml' \ + -e ansible_ssh_host='vm' \ + -e int_host='vm' \ + --private-key /root/.ssh/id_rsa \ + ./playbook.yml \ + -l default + +## Keeps the container running forever, after Ansible finishes +tail -f /dev/null \ No newline at end of file 
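Review bot: The `vm` service combines `privileged: true` with `ports:` entries that publish MySQL 3306, PostgreSQL 5432, Solr 8983 and the ActiveMQ console 8161 on every host interface, so anything that can reach the developer's machine gets direct access to those services inside a fully privileged container. Privileged mode is presumably required because the image boots `/usr/sbin/init`; that is acceptable for local provisioning tests, but the database and admin ports should be bound to loopback, e.g. `- "127.0.0.1:3306:3306"` and likewise for 5432, 8983 and 8161, leaving only 8000/8080 published broadly if they are meant for browser access. Quoting the mappings also follows the Compose convention that keeps `a:b` pairs from being read as numbers. A comment on the service such as `# privileged: needed to run systemd inside the container; local dev only` would record why the flag is there.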
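Review bot: The image pins `centos:7.6.1810` and never runs `yum -y update`, so the container that holds the root SSH key for the target (via the shared `keys` volume in the compose file) stays at the 7.6 release package level, and `pip install ansible==2.8.7` pulls its dependencies from PyPI with no version or hash pinning. For a throwaway provisioning container this is tolerable, but `yum -y update && \` before the install and `yum clean all` after it, plus a requirements file installed with `--require-hashes`, would make the build both patched and reproducible. If staying on the exact 7.6 point release is intentional, a comment saying so would stop the next reader from treating the pin as an oversight.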
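Review bot: The script has no `set -e`, so if `ssh-keyscan`, `ansible-galaxy` or `ansible-playbook` fails the run still reaches `tail -f /dev/null` and the container looks healthy with a half-provisioned target; the failure is only visible in the logs. The first line is also racy: `depends_on` only orders container start, and `vm` boots systemd before sshd is listening, so `ssh-keyscan -H vm` may write an empty `known_hosts` and the playbook then fails host-key verification. Scanning the key from the network is trust-on-first-use against whatever answers to `vm` on the bridge, which is acceptable on a private Compose network but deserves a comment. I would fail fast and retry the scan until a key comes back, as below.

```sh
#!/bin/sh
set -eu

# depends_on only waits for the vm container to start, not for sshd inside it;
# retry until the scan returns a key. TOFU: trusts whatever answers as "vm" on the bridge network.
for i in $(seq 1 30); do
  ssh-keyscan -H vm > /root/.ssh/known_hosts 2>/dev/null && [ -s /root/.ssh/known_hosts ] && break
  sleep 2
done
[ -s /root/.ssh/known_hosts ] || { echo "vm: sshd did not answer" >&2; exit 1; }

# … unchanged: ansible-galaxy install and ansible-playbook invocation …

## Keeps the container running forever, after Ansible finishes
tail -f /dev/null
```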
diff --git a/docker/extra-vars.yml b/docker/extra-vars.yml
new file mode 100644
index 00000000..4515f5d6
--- /dev/null
+++ b/docker/extra-vars.yml
@@ -0,0 +1,57 @@
+---
+
+# used to override variables in the playbook via the extra vars commandline
+# option. Add your site specific vars here. If you need values from
+# the terraform script, we will need to template them correctly.
+#
+# Thoughts on templating:
+# - add the vars here with a default value and use subsequent calls on the
+# provisioner call in terraform to override.
+#
+# - can we use functions in this file to do filters/templating? Needs
+# testing.
+
+
+# internal_hostname - "-e int_host='somedomain'" can be passed via the cmdline to template externaly
+internal_hostname: "{{ int_host | default('localhost') }}"
+
+# external_hostname - "-e ext_host='somedomain'" can be passed via the cmdline to template externally
+external_hostname: "{{ ext_host | default('localhost') }}"
+
+# ansible mods
+ansible_host: vm
+ansible_port: 22
+ansible_ssh_private_key_file: /root/.ssh/id_rsa
+
+# php mods
+php_upload_max_filesize: 1024M
+php_post_max_size: 1024M
+php_max_execution_time: 300
+
+# TODO: Needs templating, maybe. localhost may be ok.
+openseadragon_iiiv_server: "http://{{internal_hostname}}:8080/cantaloupe/iiif/2" + +# apache stuff +apache_listen_port: "{{ ext_port | default('8000')}}" +apache_vhosts: + - servername: "{{external_hostname}}" + documentroot: "/var/www/html/drupal/web" + allow_override: All + options: -Indexes +FollowSymLinks + +# drupal stuff +drupal_domain: "{{external_hostname}}" +drupal_trusted_hosts: + - ^localhost$ + - "{{ hostvars[groups['webserver'][0]].ansible_host }}" + - "{{external_hostname}}" + +# crayfish stuff +crayfish_drupal_base_url: "http://{{ internal_hostname }}:{{ apache_listen_port }}" +crayfish_gemini_base_url: "http://{{ internal_hostname }}:{{ apache_listen_port }}/gemini" + +# karaf stuff +alpaca_milliner_base_url: "http://{{ internal_hostname }}:{{ apache_listen_port }}/milliner/" +alpaca_gemini_base_url: "http://{{ internal_hostname }}:{{ apache_listen_port }}/gemini/" +alpaca_houdini_base_url: "http://{{ internal_hostname }}:{{ apache_listen_port }}/houdini" +alpaca_homarus_base_url: "http://{{ internal_hostname }}:{{ apache_listen_port }}/homarus" diff --git a/docker/vm/Dockerfile b/docker/vm/Dockerfile new file mode 100644 index 00000000..67511420 --- /dev/null +++ b/docker/vm/Dockerfile 
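Review bot: `drupal_trusted_hosts` mixes an anchored regex (`^localhost$`) with two raw hostnames; Drupal's `trusted_host_patterns` are regular expressions, so if the role passes these through unchanged, `.` matches any character and the pattern is unanchored, meaning a Host header of `example.org.attacker.net` would be trusted when `external_hostname` is `example.org`. Escape and anchor the templated entries: `- "^{{ hostvars[groups['webserver'][0]].ansible_host | regex_escape }}$"` and `- "^{{ external_hostname | regex_escape }}$"`. With `ext_host` unset both entries collapse to `localhost`, which is the only case the current form handles safely. A comment noting that every `*_base_url` here is plain `http://` on the internal bridge network would also stop these values being copied into a production extra-vars file.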
@@ -0,0 +1,40 @@
+FROM centos:7.6.1810
+
+ENV container docker
+
+COPY sestatus /bin/
+
+RUN chmod 700 /bin/sestatus
+
+RUN (cd /lib/systemd/system/sysinit.target.wants/; for i in *; do [ $i == systemd-tmpfiles-setup.service ] || rm -f $i; done); \
+ rm -f /lib/systemd/system/multi-user.target.wants/*;\
+ rm -f /etc/systemd/system/*.wants/*;\
+ rm -f /lib/systemd/system/local-fs.target.wants/*; \
+ rm -f /lib/systemd/system/sockets.target.wants/*udev*; \
+ rm -f /lib/systemd/system/sockets.target.wants/*initctl*; \
+ rm -f /lib/systemd/system/basic.target.wants/*;\
+ rm -f /lib/systemd/system/anaconda.target.wants/*;
+
+RUN yum -y install \
+ --setopt=tsflags=nodocs \
+ --disableplugin=fastestmirror \
+ openssh-clients \
+ openssh-server \
+ openssl \
+ sudo \
+ initscripts
+
+# Authorize SSH Host
+RUN mkdir -p /root/.ssh && \
+ chmod 0700 /root/.ssh
+
+
+# Add the keys and set permissions
+RUN cat /dev/zero | ssh-keygen -q -N "" && \
+ chmod 600 /root/.ssh/id_rsa && \
+ chmod 600 /root/.ssh/id_rsa.pub && \
+ cat /root/.ssh/id_rsa.pub > /root/.ssh/authorized_keys
+
+VOLUME [ "/sys/fs/cgroup" ]
+
+CMD ["/usr/sbin/init"]
\ No newline at end of file
diff --git a/docker/vm/sestatus b/docker/vm/sestatus
new file mode 100644
index 00000000..709c22a6
--- /dev/null
+++ b/docker/vm/sestatus
@@ -0,0 +1,3 @@
+#!/bin/sh
+
+echo "Current mode: permissive"
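Review bot: The `ssh-keygen -q -N ""` step runs at build time, so an unencrypted root keypair is stored in the image layers and the same public key is appended to `authorized_keys`; anyone who can pull or `docker save` the image can SSH in as root to every container started from it (CentOS 7's sshd permits root key login by default, to be confirmed against whatever sshd_config the playbook ships). The compose file mounts the `keys` volume over `/root/.ssh`, and Docker seeds an empty named volume from the image path, which appears to be how the ansible container obtains the matching private key — convenient, but it ties the design to a baked-in credential. Generating the key on first boot (for example a oneshot systemd unit writing into the volume) would keep it out of the image; at minimum the step needs `# WARNING: private key is baked into the image layers - local provisioning tests only, never push this image`. The `cat /dev/zero |` pipe only answers the file-name prompt; `ssh-keygen -q -N "" -f /root/.ssh/id_rsa` makes the intent explicit and removes the pipe.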
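Review bot: This stub replaces the real `sestatus` and unconditionally reports `Current mode: permissive`, so any playbook task that checks SELinux state treats the container as a permissive CentOS host and skips or misconfigures policy work; none of the playbook's SELinux handling is exercised in this environment and results can diverge on a real enforcing VM. The file should say so, e.g. `# Fake sestatus: containers have no SELinux of their own, so report "permissive" to keep the playbook's SELinux tasks from failing. Those tasks are NOT validated here.` Naming the tasks that consume this output would help too; the playbook itself is outside this diff.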