diff --git a/inventories/hubs/README.md b/inventories/hubs/README.md
new file mode 100644
index 0000000..678c7b5
--- /dev/null
+++ b/inventories/hubs/README.md
@@ -0,0 +1 @@
+For the Planetary.name "hub" server which bundles a bunch of scuttlebutt services: a pub with graphql api, a room, and a custom frontend web viewer for content. See playbooks/planetary.name.yml
\ No newline at end of file
diff --git a/inventories/hubs/group_vars/vault.yml b/inventories/hubs/group_vars/vault.yml
new file mode 100644
index 0000000..f56f652
--- /dev/null
+++ b/inventories/hubs/group_vars/vault.yml
@@ -0,0 +1,20 @@
+$ANSIBLE_VAULT;1.1;AES256
+38663431323232333536633261626537356666643466333739623537326232353164393766333830
+3261623232646636303966656137303132363637373536650a366462353666323935616236663434
+34636634306262646262326435323362303235633136346334623133313061626238326539663364
+6562313265366539360a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
diff --git a/inventories/hubs/inventory.yml b/inventories/hubs/inventory.yml
new file mode 100644
index 0000000..2bcf7b0
--- /dev/null
+++ b/inventories/hubs/inventory.yml
@@ -0,0 +1,13 @@
+---
+hubs:
+ hosts:
+ planetary.name:
+ # TODO: are we running this service on three different boxes? There are
+ # DO droplets named `planetary-graphql` and `room.planetary.name`.
+ vars:
+ admin_username: root # this server was built before the hardening playbook
+ ansible_user: root
+ domain: planetary.name
+ cloudflare_api_token: '{{ vault_cloudflare_api_token }}'
+ cert_email: ops@planetary.social
+ homedir: /root
diff --git a/playbooks/hubs.yml b/playbooks/hubs.yml
new file mode 100644
index 0000000..b9874aa
--- /dev/null
+++ b/playbooks/hubs.yml
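Review bot: `cloudflare_api_token: '{{ vault_cloudflare_api_token }}'` in inventory.yml expects the vault variable, but the encrypted file this commit adds is `inventories/hubs/group_vars/vault.yml`, and a group_vars file is matched by filename to a group — here a group named `vault`, while the only group the inventory defines is `hubs`. Unless the vault is loaded some other way not visible in this diff (a `vars_files` entry or an ansible.cfg setting), the token will be undefined for `planetary.name` and the certbot-cloudflare role will fail at runtime rather than at parse time. Placing the file at `inventories/hubs/group_vars/hubs/vault.yml` (or `group_vars/all/vault.yml`) keeps the secret vaulted and scopes it to the group the host actually belongs to. The `admin_username: root` / `ansible_user: root` pair is explained only by an inline comment; a line such as `# TODO: switch to the hardened admin user once the hardening playbook has run here` would make the intended end state explicit next to the TODO that already questions which droplet this inventory targets.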
@@ -0,0 +1,30 @@
+# A playbook to deploy Planetary.name which is an SSB room server with a custom frontend and graphql backend.
+#
+# ansible-playbook playbooks/planetary.name.yml -i inventories/hubs/inventory.yml
+- name: Planetary.name
+ hosts: hubs
+ gather_facts: no
+ pre_tasks:
+ # SSH Host key checking
+ # https://stackoverflow.com/a/54735937/982195
+ - name: Check known_hosts for {{ inventory_hostname }}
+ local_action: shell ssh-keygen -F {{ inventory_hostname }}
+ register: has_entry_in_known_hosts_file
+ failed_when: false
+ changed_when: false
+ ignore_errors: yes
+ - name: Ignore host key for {{ inventory_hostname }} on first run
+ when: has_entry_in_known_hosts_file.rc == 1
+ set_fact:
+ ansible_ssh_common_args: '-o StrictHostKeyChecking=no'
+ - name: Gather Facts
+ setup:
+
+ roles:
+ - common
+ - digital-ocean
+ - docker
+ - certbot-cloudflare
+ - planetary-graphql
+ - ssb-room
+ - rooms-frontend
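Review bot: The second pre_task sets `ansible_ssh_common_args: '-o StrictHostKeyChecking=no'` whenever `ssh-keygen -F` finds no entry, which makes the first connection to the hub trust-on-first-use with no record of what was expected; `'-o StrictHostKeyChecking=accept-new'` (OpenSSH 7.6+) expresses exactly that first-run intent while still refusing a host whose key later changes, and seeding the control machine's known_hosts with the droplet's fingerprint verified out-of-band (the provider console) removes the need for the workaround entirely. The check itself uses `local_action: shell ssh-keygen -F {{ inventory_hostname }}`; `command` suffices here since nothing needs shell interpretation of the templated hostname, and `ignore_errors: yes` is redundant next to `failed_when: false`. `gather_facts: no` and `ignore_errors: yes` use YAML 1.1 truthy aliases; write `gather_facts: false` and drop the redundant key. The usage comment on the third line names `playbooks/planetary.name.yml`, but this file is added as `playbooks/hubs.yml`, so the comment should read `# ansible-playbook playbooks/hubs.yml -i inventories/hubs/inventory.yml` (the README in this commit has the same stale path).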