diff --git a/.gitignore b/.gitignore
index 87384650b50891e260386c3c54fd100de4938ec3..10e4b116c98b938b664dbb61a3cb4a043e293456 100644
--- a/.gitignore
+++ b/.gitignore
@@ -10,6 +10,7 @@ public_hosts
 secrets.auto.tfvars
 site.pp
 site2.pp
+site.yaml
 terraform
 terraform.tfstate
 terraform.tfstate.backup
diff --git a/orchestrate.py b/orchestrate.py
index 36cb1ef41fac976b2b228954505ac8e2525da6f0..37092810297fcd4c963d7dd76cb31c832339e104 100755
--- a/orchestrate.py
+++ b/orchestrate.py
@@ -103,6 +103,17 @@ ff02::2 ip6-allrouters
 %s ansible_user=%s ansible_become=true ansible_host=%s ansible_ssh_common_args=\'\
 -o ForwardAgent=yes -o ProxyCommand="ssh -W %s:22 -q %s@%s"\'\n' % (h, user, ip, ip, user,
                                                                     master_ip))
+
+    print('-> site.yaml')
+    if not args.dry_run:
+        with open('site.yaml', 'w') as f:
+            f.write('''\
+- hosts: all
+  roles:
+    - role: certgen
+      certgen_master: %s
+''' % master_hostname)
+
     if component:
         component.action('files')
 
@@ -184,5 +195,7 @@ if 'wait' in args.actions:
 
 if 'deployment' in args.actions:
     print('== deployment ==')
-    commands = []
+    commands = [
+        ['ansible-playbook', '-i', 'inventory', './site.yaml']
+    ]
     perform_action('deployment', commands)