diff --git a/single-host/server.tf b/single-host/server.tf
index 85ce6e6..ee81c0d 100644
--- a/single-host/server.tf
+++ b/single-host/server.tf
@@ -7,18 +7,7 @@ resource "hcloud_server" "single-server1" {
 type = "single"
 }
 ssh_keys = [hcloud_ssh_key.default.id]
- # TODO: user_data seems to have no effect on VM yet
- user_data = jsonencode({
- "users": {
- "name": "ansible",
- "groups": ["users", "admin"],
- "sudo": "ALL=(ALL) NOPASSWD:ALL",
- "shell": "/bin/bash",
- # TODO: have some sort of lookup for the pubkey (include from file?)
- "ssh_authorized_keys": ["ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIE32LygGZyJonoWVjRgQ0Hq8iy39aLs+oH5Flmn9RhAj terraform melpomene"]
- },
- "package_update": true,
- "package_upgrade": true
- })
+ user_data = templatefile("user-data.yaml.tpl",
+ {ssh_pubkey = file("../ssh-terraform-hetzner.pub")})
 firewall_ids = [hcloud_firewall.single-firewall.id]
 }
diff --git a/single-host/user-data.yaml.tpl b/single-host/user-data.yaml.tpl
new file mode 100644
index 0000000..5cba14f
--- /dev/null
+++ b/single-host/user-data.yaml.tpl
@@ -0,0 +1,11 @@
+#cloud-config
+users:
+ - name: "ansible"
+ groups: ["sudo"]
+ sudo: "ALL=(ALL) NOPASSWD:ALL"
+ shell: "/bin/bash"
+ ssh_authorized_keys:
+ - "${ssh_pubkey}"
+
+package_update: true
+package_upgrade: true
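Review bot: Both paths in the new `user_data` expression are relative, and Terraform resolves them against the directory it is run from, not against the directory holding `server.tf`. Run from anywhere else (or with this directory used as a child module), the plan either fails or picks up a different `ssh-terraform-hetzner.pub`, and whatever key that file holds is installed for a passwordless-sudo account. Anchor them to the module: `user_data = templatefile("${path.module}/user-data.yaml.tpl",` and `{ssh_pubkey = file("${path.module}/../ssh-terraform-hetzner.pub")})`. The `hcloud_server` resource begins before this hunk, so the rest of its arguments were not reviewed.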
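Review bot: `"${ssh_pubkey}"` pastes the raw file contents into a double-quoted YAML scalar, so the trailing newline that `file()` normally returns, or a `"` or `\` in the key's comment field, alters or breaks the cloud-config that creates the `NOPASSWD:ALL` account. Let Terraform do the quoting instead: `- ${jsonencode(trimspace(ssh_pubkey))}` (a JSON string is a valid YAML scalar). A public-key file with more than one line would still be emitted as a single entry, so a template comment such as `# ssh_pubkey must contain exactly one public key` would document the expectation.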