diff --git a/quick-test/deploy.yml b/quick-test/deploy.yml
index c01f27b..5c3f6b2 100644
--- a/quick-test/deploy.yml
+++ b/quick-test/deploy.yml
@@ -32,8 +32,8 @@
 region: "{{ region }}"
 image: linode/alpine3.18
 booted: true
- authorized_keys:
- - "{{ lookup('file', ssh_pubkey_path) }}"
+ metadata:
+ user_data: '{{ lookup("template", playbook_dir ~ "/harden.yaml.j2") }}'
 state: present
 register: create_inst
diff --git a/quick-test/harden.yaml.j2 b/quick-test/harden.yaml.j2
new file mode 100644
index 0000000..5dfd264
--- /dev/null
+++ b/quick-test/harden.yaml.j2
@@ -0,0 +1,36 @@
+#cloud-config
+hostname: dx-dev-vm
+
+package_update: true
+package_upgrade: true
+packages:
+ - fail2ban
+
+ssh_pwauth: false
+disable_root: true
+
+users:
+ - default
+ - name: linodedx
+ gecos: The primary account for development on this VM.
+ shell: /bin/bash
+ sudo: ALL=(ALL) NOPASSWD:ALL
+ lock_passwd: true
+ ssh_authorized_keys:
+ - '{{ ssh_pubkey }}'
+
+write_files:
+ # Root login over SSH isn't fully disabled by disable_root
+ - path: /etc/ssh/sshd_config.d/51-disable-root.conf
+ permissions: "0600"
+ content: |
+ PermitRootLogin no
+
+runcmd:
+ - service ssh restart
+ - service fail2ban start --enable
+
+ - ufw default deny incoming
+ - ufw default allow outgoing
+ - ufw allow 80,443,21,22/tcp
+ - ufw enable
\ No newline at end of file
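Review bot: The new `user_data` line renders harden.yaml.j2, which expects a variable named `ssh_pubkey`, while the removed `authorized_keys` line read the key through `lookup('file', ssh_pubkey_path)`; nothing in this hunk defines `ssh_pubkey`, so unless it is set elsewhere the template lookup fails on an undefined variable, and because `authorized_keys` is gone the instance would otherwise come up with no SSH key at all. Define it next to the existing path variable, e.g. `ssh_pubkey: "{{ lookup('file', ssh_pubkey_path) }}"`, or pass it explicitly through the lookup's `template_vars`. Note that key delivery now depends entirely on cloud-init actually running for this image and region; if it does not, there is no fallback key and no way into the box, so decide deliberately whether keeping `authorized_keys` as a recovery path is acceptable given the cloud-config turns root login off anyway. The task containing these lines starts before the hunk and may continue after it.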
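Review bot: The firewall stanza at the end of `runcmd` can silently do nothing, because `ufw` is not listed under `packages` (only fail2ban is) and cloud-init's runcmd does not stop on a failed command, so the host would come up with fail2ban but no packet filter and the playbook would report success. The `service ssh restart` and `service fail2ban start --enable` lines likewise look Debian-flavored while deploy.yml boots `linode/alpine3.18`, where OpenRC names the daemon `sshd`, enables services with `rc-update add`, and has no `--enable` flag, so please confirm them against the actual image. Separately, `ufw allow 80,443,21,22/tcp` exposes FTP (21) from a hardening file that installs no FTP server, and `users: - default` creates a second passwordless-sudo account that never receives a key; drop both unless something needs them. I would also use `ufw --force enable` so the command can never block on a confirmation prompt, and on OpenRC I believe ufw additionally needs `rc-update add ufw default` to persist across reboot. Suggested shape, assuming Alpine/OpenRC:
```yaml
packages:
  - fail2ban
  - ufw
# … unchanged: ssh_pwauth, disable_root, write_files …
users:
  - name: linodedx
  # … unchanged: gecos, shell, sudo, lock_passwd, ssh_authorized_keys …
runcmd:
  - rc-service sshd restart
  - rc-update add fail2ban default
  - rc-service fail2ban start
  - ufw default deny incoming
  - ufw default allow outgoing
  - ufw allow 22/tcp
  - ufw allow 80,443/tcp
  - rc-update add ufw default
  - ufw --force enable
```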