diff --git a/ansible/environments/laptop/host_vars/odofreebsd b/ansible/environments/laptop/host_vars/odofreebsd
index 294c60b..fd2fc3a 100644
--- a/ansible/environments/laptop/host_vars/odofreebsd
+++ b/ansible/environments/laptop/host_vars/odofreebsd
@@ -35,3 +35,8 @@ users:
 gitconfig: "gitconfig_home"
 # devfs_rules: "odo_devfs.rules"
 # devfs_system_ruleset: "localrules"
+# jail_conf: "jail.conf"
+jail_zfs_dataset: zroot/freebsd/release/jails
+jail_zfs_dataset_mountpoint: /jail/main
+jail_list:
+ - name: cloak
diff --git a/ansible/playbook.yaml b/ansible/playbook.yaml
index d6bbd97..6e7fb63 100644
--- a/ansible/playbook.yaml
+++ b/ansible/playbook.yaml
@@ -2,24 +2,25 @@
 vars:
 ansible_become: True
 roles:
- - sudo
- - users
- - package_manager
- - zrepl
- - zsh
- - network
- - sshd
- - base
- - firewall
- - cpu
- - ntp
- - build
- - graphics
- - gpg
- - fonts
- - alacritty
- - sway
- - emacs
- - firefox
- - devfs
- - ssh_client
+ # - sudo
+ # - users
+ # - package_manager
+ # - zrepl
+ # - zsh
+ # - network
+ # - sshd
+ # - base
+ # # - firewall
+ # - cpu
+ # - ntp
+ # - build
+ # - graphics
+ # - gpg
+ # - fonts
+ # - alacritty
+ # - sway
+ # - emacs
+ # - firefox
+ # - devfs
+ # - ssh_client
+ - jail
diff --git a/ansible/roles/jail/tasks/common.yaml b/ansible/roles/jail/tasks/common.yaml
new file mode 100644
index 0000000..d7c1735
--- /dev/null
+++ b/ansible/roles/jail/tasks/common.yaml
@@ -0,0 +1,14 @@
+- import_tasks: tasks/freebsd.yaml
+ when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/linux.yaml
+ when: 'os_flavor == "linux"'
+
+- include_tasks:
+ file: tasks/peruser.yaml
+ apply:
+ become: yes
+ become_user: "{{ initialize_user }}"
+ loop: "{{ users | dict2items | community.general.json_query('[?value.initialize==`true`].key') }}"
+ loop_control:
+ loop_var: initialize_user
diff --git a/ansible/roles/jail/tasks/freebsd.yaml b/ansible/roles/jail/tasks/freebsd.yaml
new file mode 100644
index 0000000..92d5b5e
--- /dev/null
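Review bot: `jail_zfs_dataset: zroot/freebsd/release/jails` is combined by the role's FreeBSD tasks with a further `/jails` suffix, so the per-jail datasets end up at `zroot/freebsd/release/jails/jails/<name>`, which reads like a doubled path component unless that layout is intended; a comment on this line stating the expected dataset tree, or dropping the trailing `/jails` from the value, would settle it. The `jail_list` entry for `cloak` sets only `name`, while the role also reads `dataset`, `dataset_mountpoint`, `properties` and `persist` per entry; a short comment above `jail_list` listing the accepted keys would help the next host file. The commented `# jail_conf: "jail.conf"` line names a key nothing in the role reads yet, so either drop it or say what it is reserved for.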
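Review bot: Every role except `jail` is now commented out in the `roles:` list, so a run of this playbook no longer applies the sudo, users, sshd, firewall or ssh_client configuration to the host; if this was a way to iterate on the new role, `ansible-playbook --tags` or a separate scratch playbook keeps the committed playbook complete. The added `- jail` entry now also runs without the roles it presumably depends on, since `roles/jail/tasks/common.yaml` loops over the `users` dict and applies tasks as those accounts. If the intent really is to disable those roles for this host, a `when:` on the role entries driven by a host variable is easier to audit than a commented-out list.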
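Review bot: `become: yes` under `apply:` in the `include_tasks` task uses the YAML 1.1 truthy spelling that yamllint's truthy rule flags; `become: true` matches the lowercase booleans used elsewhere in these tasks. The `loop:` line relies on `community.general.json_query`, which also needs the `jmespath` Python package on the controller; a comment such as `# requires community.general and jmespath on the controller` above the task, or an entry in a requirements file, avoids a confusing failure on a fresh controller. The two `when: 'os_flavor == "..."'` conditions assume `os_flavor` is set for every host; if it can be absent, `os_flavor | default('') == "freebsd"` skips quietly instead of raising an undefined-variable error.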
+++ b/ansible/roles/jail/tasks/freebsd.yaml
@@ -0,0 +1,42 @@
+- name: Create common zfs datasets
+ zfs:
+ name: "{{ item }}"
+ state: present
+ extra_zfs_properties:
+ mountpoint: "none"
+ loop: "{{ ((jail_list | community.general.json_query('[*].dataset')) + [jail_zfs_dataset]) | product(['', '/persistent', '/jails']) | map('join', '') }}"
+
+- name: Create jail zfs datasets
+ zfs:
+ name: "{{ item.dataset|default(jail_zfs_dataset) }}/jails/{{ item.name }}"
+ state: present
+ extra_zfs_properties: '{{ {''mountpoint'': item.dataset_mountpoint|default(jail_zfs_dataset_mountpoint) + "/jails/" + item.name}|combine(item.properties|default({})) }}'
+
+ loop: "{{ jail_list }}"
+
+- name: Create persistent jail zfs datasets
+ zfs:
+ name: "{{ item.dataset|default(jail_zfs_dataset) }}/persistent/{{ item.name }}"
+ state: present
+ extra_zfs_properties:
+ mountpoint: "none"
+ when: item.persist|default([])|length > 0
+ loop: "{{ jail_list }}"
+
+- name: Create jail specific zfs datasets
+ zfs:
+ name: "{{ item.0.dataset|default(jail_zfs_dataset) }}/persistent/{{ item.0.name }}/{{ item.1.name }}"
+ state: present
+ extra_zfs_properties: '{{ {''mountpoint'': item.0.dataset_mountpoint|default(jail_zfs_dataset_mountpoint) + "/jails/" + item.0.name + item.1.mount }|combine(item.1.properties|default({})) }}'
+ loop: "{{ jail_list|subelements('persist', skip_missing=True) }}"
+
+- name: Install scripts
+ template:
+ src: "templates/{{ item.src }}.j2"
+ dest: "{{ item.dest }}"
+ mode: 0755
+ owner: root
+ group: wheel
+ loop:
+ - src: new_jail.bash
+ dest: /usr/local/bin/new_jail
diff --git a/ansible/roles/jail/tasks/linux.yaml b/ansible/roles/jail/tasks/linux.yaml
new file mode 100644
index 0000000..e1835f0
--- /dev/null
+++ b/ansible/roles/jail/tasks/linux.yaml
@@ -0,0 +1,6 @@
+# - name: Install packages
+# pacman:
+# name:
+# - foo
+# state: present
+# update_cache: true
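Review bot: `mode: 0755` in the `Install scripts` task is an unquoted leading-zero literal that YAML 1.1 parsers such as PyYAML read as the integer 493; Ansible converts that back to a mode, but `mode: "0755"` states the octal directly and survives any reformatting tool that would drop the zero. In `Create jail specific zfs datasets` the mountpoint is concatenated as `... + item.0.name + item.1.mount`, so the result is a valid path only when each `persist` entry's `mount` begins with `/`; if that is the contract, state it in a comment above the task, otherwise add the separator explicitly. The two `extra_zfs_properties` expressions built with `''mountpoint''` inside a single-quoted scalar are hard to read; a task-level `vars:` block holding the computed mountpoint and then `extra_zfs_properties: "{{ {'mountpoint': jail_mountpoint} | combine(item.properties | default({})) }}"` reads more easily. The stray blank line between `extra_zfs_properties` and `loop:` in the second task should go.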
diff --git a/ansible/roles/jail/tasks/main.yaml b/ansible/roles/jail/tasks/main.yaml
new file mode 100644
index 0000000..b7fbdd3
--- /dev/null
+++ b/ansible/roles/jail/tasks/main.yaml
@@ -0,0 +1,2 @@
+- import_tasks: tasks/common.yaml
+ when: jail_zfs_dataset is defined and jail_zfs_dataset_mountpoint is defined
diff --git a/ansible/roles/jail/tasks/peruser.yaml b/ansible/roles/jail/tasks/peruser.yaml
new file mode 100644
index 0000000..111e886
--- /dev/null
+++ b/ansible/roles/jail/tasks/peruser.yaml
@@ -0,0 +1,29 @@
+- include_role:
+ name: per_user
+
+# - name: Create directories
+# file:
+# name: "{{ account_homedir.stdout }}/{{ item }}"
+# state: directory
+# mode: 0700
+# owner: "{{ account_name.stdout }}"
+# group: "{{ group_name.stdout }}"
+# loop:
+# - ".config/foo"
+
+# - name: Copy files
+# copy:
+# src: "files/{{ item.src }}"
+# dest: "{{ account_homedir.stdout }}/{{ item.dest }}"
+# mode: 0600
+# owner: "{{ account_name.stdout }}"
+# group: "{{ group_name.stdout }}"
+# loop:
+# - src: foo.conf
+# dest: .config/foo/foo.conf
+
+- import_tasks: tasks/peruser_freebsd.yaml
+ when: 'os_flavor == "freebsd"'
+
+- import_tasks: tasks/peruser_linux.yaml
+ when: 'os_flavor == "linux"'
diff --git a/ansible/roles/jail/tasks/peruser_freebsd.yaml b/ansible/roles/jail/tasks/peruser_freebsd.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/jail/tasks/peruser_linux.yaml b/ansible/roles/jail/tasks/peruser_linux.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/ansible/roles/jail/templates/new_jail.bash.j2 b/ansible/roles/jail/templates/new_jail.bash.j2
new file mode 100644
index 0000000..619fa38
--- /dev/null
+++ b/ansible/roles/jail/templates/new_jail.bash.j2
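Review bot: The guard on the `when:` line checks `jail_zfs_dataset` and `jail_zfs_dataset_mountpoint` but not `jail_list`, which every task in `tasks/freebsd.yaml` loops over, so a host that sets the two dataset variables without a `jail_list` fails with an undefined variable instead of being skipped; either extend the guard to `when: jail_zfs_dataset is defined and jail_zfs_dataset_mountpoint is defined and jail_list is defined` or loop over `jail_list | default([])` in the FreeBSD tasks. Skipping the whole role silently when the variables are absent is a reasonable per-host opt-in, but a one-line comment above the task saying that defining these variables is how a host opts into the role makes that explicit for the next reader.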
@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+#
+# Create a new jail
+set -euo pipefail
+IFS=$'\n\t'
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+: ${JAIL_MOUNTPOINT:="{{ jail_zfs_dataset_mountpoint }}/jails"}
+
+function die {
+ echo >&2 "$@"
+ exit 1
+}
+
+[ "$#" -eq 2 ] || die "1 argument required, $# provided"
+
+JAIL_NAME="$2"
+export DESTDIR="${JAIL_MOUNTPOINT}/$JAIL_NAME"
+
+function by_src {
+ cd /usr/src
+ make -j 16 buildworld
+ make installworld DESTDIR=$DESTDIR
+ make distribution DESTDIR=$DESTDIR
+}
+
+function by_bin {
+ DESTRELEASE=13.1-RELEASE
+ DESTARCH=`uname -m`
+ SOURCEURL=http://ftp.freebsd.org/pub/FreeBSD/releases/$DESTARCH/$DESTRELEASE/
+ for component in base ports; do fetch $SOURCEURL/$component.txz -o - | tar -xf - -C "$DESTDIR" ; done
+}
+
+if [ "$1" = "src" ]; then
+ by_src
+elif [ "$1" = "bin" ]; then
+ by_bin
+else
+ die "First argument must be either 'src' or 'bin', got $1"
+fi
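Review bot: The argument check `[ "$#" -eq 2 ] || die "1 argument required, $# provided"` demands two arguments while its message asks for one, so a caller who follows the message keeps failing; `die "2 arguments required (src|bin and jail name), $# provided"` fixes the message. In `by_bin`, `base.txz` and `ports.txz` are fetched over plain http and piped straight into `tar` with no integrity check, by the invoking user (normally root, given the install path and `/usr/src` build), so a truncated or altered archive silently becomes the jail's root filesystem; the rewrite below fetches over https, verifies each archive against the SHA-256 listed in the release's `MANIFEST` before extracting, and takes the release from the environment the way `JAIL_MOUNTPOINT` already is. `JAIL_NAME` goes into `DESTDIR` unvalidated, so a name containing `/` or `..` extracts outside `JAIL_MOUNTPOINT`; `[[ "$JAIL_NAME" =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]*$ ]] || die "invalid jail name: $JAIL_NAME"` after the assignment rules that out. `DIR` is assigned on the line after `IFS` and never used.
```bash
function by_bin {
  DESTRELEASE="${DESTRELEASE:-13.1-RELEASE}"
  DESTARCH="$(uname -m)"
  SOURCEURL="https://download.freebsd.org/releases/${DESTARCH}/${DESTRELEASE}"
  WORKDIR="$(mktemp -d)"
  trap 'rm -rf "$WORKDIR"' EXIT
  fetch -o "$WORKDIR/MANIFEST" "$SOURCEURL/MANIFEST"
  for component in base ports; do
    fetch -o "$WORKDIR/$component.txz" "$SOURCEURL/$component.txz"
    expected="$(awk -v f="$component.txz" '$1 == f { print $2 }' "$WORKDIR/MANIFEST")"
    [ -n "$expected" ] || die "no MANIFEST entry for $component.txz"
    [ "$(sha256 -q "$WORKDIR/$component.txz")" = "$expected" ] || die "checksum mismatch for $component.txz"
    tar -xf "$WORKDIR/$component.txz" -C "$DESTDIR"
  done
}
# … unchanged: by_src and the src/bin dispatch …
```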