diff --git a/image/imgen.tf b/image/imgen.tf
new file mode 100644
index 0000000000000000000000000000000000000000..c5116e6325a5f5a47979eba2913b736616596d79
--- /dev/null
+++ b/image/imgen.tf
@@ -0,0 +1,143 @@
+#
+# Terraform recipe for machine generating Hadoop image.
+#
+# Review variables before apply (*_network, ssh).
+#
+# Manual post steps:
+#
+# * tune security groups (not handled here)
+# * copy in cloud credentials to ~debian/terraform/image/clouds.yaml
+# * setup automatic image build and upload, something like:
+#
+#   cd ~debian/terraform/image; rm -fv *.raw; ./build.sh && ./upload.sh *.raw debian-9-x86_64_hadoop_rc
+#
+
+provider "openstack" {
+	cloud="openstack"
+}
+
+terraform {
+	required_providers {
+		openstack = {
+			source= "terraform-provider-openstack/openstack"
+		}
+	}
+}
+
+variable "local_network" {
+	description = "Local network name"
+	default = "group-project-network"
+	# default = "auto_allocated_network"
+}
+
+variable "public_network" {
+	description = "Public network name"
+	default = "public-muni-147-251-21-GROUP"
+	# default = "public-cesnet-78-128-250-PERSONAL"
+}
+
+variable "ssh" {
+	description = "SSH key name"
+	default = "openstack"
+}
+
+data "template_cloudinit_config" "ctx" {
+	part {
+		content = <<EOT
+#cloud-config
+
+manage_etc_hosts: false
+
+timezone: Europe/Prague
+
+packages:
+  - cron-apt
+  - fail2ban
+  - rsync
+  - wget
+  - mc
+  - git
+  - openstack-debian-images
+  - python-openstackclient
+
+write_files:
+- path: /usr/local/sbin/set-hostname.sh
+  permissions: 0755
+  content: |
+    #! /bin/sh
+    
+    #
+    # script to set the hostname (except /etc/hosts)
+    #
+    
+    if [ -z "$1" ]; then
+    	echo "Usage: $0 HOSTNAME [DOMAIN]"
+    	exit 0
+    fi
+    h="$1"
+    d="$2"
+    
+    sed -e "s/^\(manage_etc_hosts\):.*/\1: False/" -i /etc/cloud/cloud.cfg
+    echo "$h" > /etc/hostname
+    hostname "$h"
+    if [ -n "$d" ]; then
+    	domainname "$d"
+    fi
+    line="$h.$d $h.$d. $h"
+    ips=`ip address show scope global up | grep '\<inet6\?\>\s' | awk '{print $2}' | cut -d'/' -f1`
+    for ip in $ips; do
+    	echo "$ip $line" >> /etc/hosts
+    done
+- path: /etc/cron-apt/action.d/9-upgrade
+  permissions: 0644
+  content: |
+    -q -q dist-upgrade
+- path: /etc/cron-apt/config
+  permissions: 0644
+  content: |
+    #MAILTO=
+    MAILON=upgrade
+    RUNSEEP=1200
+- path: /etc/fail2ban/jail.d/age.conf
+  permissions: 0644
+  content: |
+    [Definition]
+    dbpurgeage = 16w
+    
+    [DEFAULT]
+    bantime = 8w
+
+runcmd:
+  - apt-get purge -y joe nano
+  - ln -sv /usr/lib/mc/mc.* /etc/profile.d/
+  - /usr/local/sbin/set-hostname.sh imgen terra
+  - su - debian -c 'git clone https://gitlab.meta.zcu.cz/HADOOP/terraform'
+EOT
+	}
+}
+
+resource "openstack_compute_instance_v2" "server" {
+	name = "imgen.terra"
+	flavor_name = "standard.tiny"
+	image_name = "debian-10-x86_64"
+	key_pair = var.ssh
+	user_data = data.template_cloudinit_config.ctx.rendered
+	network {
+		name = var.local_network
+	}
+}
+
+resource "openstack_networking_floatingip_v2" "floatip" {
+	pool = var.public_network
+}
+
+resource "openstack_compute_floatingip_associate_v2" "server-fip-1" {
+	floating_ip = openstack_networking_floatingip_v2.floatip.address
+	instance_id = openstack_compute_instance_v2.server.id
+}
+
+output "public_hosts" {
+	value = {
+		imgen = openstack_compute_floatingip_associate_v2.server-fip-1.floating_ip
+	}
+}