diff --git a/deploy/playbooks/deploy.yml b/deploy/playbooks/deploy.yml
index a39179c1..1b22c7c4 100644
--- a/deploy/playbooks/deploy.yml
+++ b/deploy/playbooks/deploy.yml
@@ -16,3 +16,4 @@
repos_root: "/opt/repos"
branch: "master"
development_server: false
+ app_user: "nginx"
diff --git a/deploy/playbooks/deploy_vagrant.yml b/deploy/playbooks/deploy_vagrant.yml
index 0fa5d60a..afd74aa4 100644
--- a/deploy/playbooks/deploy_vagrant.yml
+++ b/deploy/playbooks/deploy_vagrant.yml
@@ -17,3 +17,4 @@
repos_root: "/opt/repos"
branch: "master"
development_server: true
+ app_user: "nginx"
diff --git a/deploy/playbooks/roles/common/tasks/circus.yml b/deploy/playbooks/roles/common/tasks/circus.yml
index 8bacd548..a240c2d0 100644
--- a/deploy/playbooks/roles/common/tasks/circus.yml
+++ b/deploy/playbooks/roles/common/tasks/circus.yml
@@ -1,6 +1,7 @@
---
- name: install circus in virtualenv
+ sudo: true
pip: name={{ item }} state=present virtualenv={{ app_home }}
with_items:
- circus
@@ -11,7 +12,9 @@
file:
path: /etc/circus
state: directory
- owner: "{{ ansible_ssh_user }}"
+ owner: root
+ group: root
+ mode: 0755
recurse: yes
sudo: true
@@ -19,17 +22,29 @@
file:
path: /var/log/circus
state: directory
- owner: "{{ ansible_ssh_user }}"
+ owner: "{{ app_user }}"
+ group: root
+ mode: 0755
recurse: yes
sudo: true
- name: ensure {{ app_home }}/log exists
- file: path="{{ app_home }}/log" state=directory
+ sudo: true
+ file:
+ path: "{{ app_home }}/log"
+ state: directory
+ owner: "{{ app_user }}"
+ group: root
+ mode: 0755
+ recurse: yes
- name: install circus.conf init file
template:
src: circus.conf
dest: /etc/init/circus.conf
+ owner: root
+ group: root
+ mode: 0644
sudo: true
register: circus_service
diff --git a/deploy/playbooks/roles/common/tasks/main.yml b/deploy/playbooks/roles/common/tasks/main.yml
index 586d3662..79807baa 100644
--- a/deploy/playbooks/roles/common/tasks/main.yml
+++ b/deploy/playbooks/roles/common/tasks/main.yml
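Review bot: In the `/var/log/circus` and `{{ app_home }}/log` tasks, `mode: 0755` together with `recurse: yes` is applied to every file already under those directories, not only to the directories, so the log files themselves end up executable and world-readable. A symbolic mode gives only directories the execute bit, e.g. `mode: "u=rwX,g=rX,o="` (or `o=rX` if the logs are meant to be readable by everyone); the same recurse-plus-octal pattern is in the `/etc/circus` hunk above and in main.yml's `ensure a home` and `ensure writable file paths` tasks. Quoting the mode also removes the dependence on the YAML 1.1 reading of `0755` as an octal integer.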
@@ -1,15 +1,25 @@
---
-- name: "ensure a home for {{ app_name }}"
- sudo: yes
- file: path={{ app_home }} owner={{ ansible_ssh_user }} group={{ ansible_ssh_user }} state=directory recurse=yes
- register: app_home_created
-
- name: Update apt cache
apt:
update_cache: yes
sudo: yes
+- include: nginx.yml
+ tags:
+ - nginx
+
+- name: "ensure a home for {{ app_name }}"
+ sudo: yes
+ file:
+ path: "{{ app_home }}"
+ owner: root
+ group: root
+ mode: 0755
+ state: directory
+ recurse: yes
+ register: app_home_created
+
- name: install ssl system requirements
sudo: yes
apt: name={{ item }} state=present
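Review bot: The `ensure a home` task now applies `owner: root`, `group: root` and `mode: 0755` recursively to everything under `{{ app_home }}` on every run, which undoes the `root:{{ app_user }} 0640` that later tasks set on prod_api_creds.py, prod_db.py and alembic-prod.ini. The api credentials task is guarded by a `when:` that is false on a re-run where the home already exists and no key is supplied, so after such a run prod_api_creds.py is left at 0755 root:root, readable by every account on the host. Only the top-level directory needs root ownership and 0755, so dropping `recurse: yes` from this task keeps the tighter modes set later in place; the task list continues past this hunk.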
@@ -26,36 +36,47 @@
- packages
- name: Create a virtualenv with latest pip.
+ sudo: true
pip: name=pip virtualenv={{ app_home }} extra_args='--upgrade'
- name: "pip+git install {{ app_name }} into virtualenv."
+ sudo: true
pip: name='git+https://github.com/ceph/chacra@{{ branch }}#egg=chacra' virtualenv={{ app_home }}
changed_when: False
- name: create the prod config file
- action: template src=../templates/prod.py.j2 dest={{ app_home }}/src/{{ app_name }}/prod.py
+ sudo: true
+ template:
+ src: '../templates/prod.py.j2'
+ dest: "{{ app_home }}/src/{{ app_name }}/prod.py"
- name: create the prod api credentials file
+ sudo: true
template:
src: prod_api_creds.py.j2
dest: "{{ app_home }}/src/{{ app_name }}/prod_api_creds.py"
+ owner: root
+ group: "{{ app_user }}"
+ mode: 0640
when: (api_key is defined or api_user is defined) or (app_home_created is defined and app_home_created|changed)
- name: install python requirements in virtualenv
+ sudo: true
pip:
requirements: "{{ app_home }}/src/{{ app_name }}/requirements.txt"
state: present
virtualenv: "{{ app_home }}"
notify: restart app
-- name: ensure file paths are set properly
+- name: ensure writable file paths are set properly
sudo: true
file:
path: "{{ item }}"
state: directory
- owner: "{{ ansible_ssh_user }}"
- group: "{{ ansible_ssh_user }}"
+ owner: "{{ app_user }}"
+ group: "{{ app_user }}"
+ mode: 0755
recurse: yes
with_items:
- "{{ binary_root }}"
@@ -69,10 +90,6 @@
tags:
- circus
-- include: nginx.yml
- tags:
- - nginx
-
# nginx should be up and running by now, there is a bug with Ubuntu 14.04 and
# nginx where nginx is using the old init scripts and the 'service' command
# returns a zero exit code which ansible interprets as all being OK.
diff --git a/deploy/playbooks/roles/common/tasks/nginx.yml b/deploy/playbooks/roles/common/tasks/nginx.yml
index ef9f9071..0d98157b 100644
--- a/deploy/playbooks/roles/common/tasks/nginx.yml
+++ b/deploy/playbooks/roles/common/tasks/nginx.yml
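Review bot: The `create the prod config file` task now runs under sudo but sets no `owner`, `group` or `mode`, so prod.py is written as root with whatever the default umask yields, while the credentials task directly below pins `root:{{ app_user }}` 0640. If prod.py carries deployment settings, the same ownership and mode keeps the two consistent: `owner: root`, `group: "{{ app_user }}"`, `mode: 0640`. The `ensure writable file paths` task at the end of the hunk also hands `{{ binary_root }}` and the other listed paths to `{{ app_user }}` recursively, so the account that serves those files now owns them; its `with_items` list continues past the hunk.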
@@ -1,4 +1,13 @@
---
+
+- name: install nginx package
+ sudo: true
+ apt:
+ name: nginx
+ state: present
+ tags:
+ - packages
+
- name: ensure sites-available for nginx
file: path=/etc/nginx/sites-available state=directory
sudo: true
@@ -55,10 +64,20 @@
- name: make sure permissions are correct for crt
file:
path: /etc/ssl/certs/{{ ansible_fqdn }}-bundled.crt
- mode: 0777
+ owner: root
+ group: root
+ mode: 0644
when: development_server
sudo: true
+- name: make sure permissions are correct for key
+ file:
+ path: /etc/ssl/private/{{ ansible_fqdn }}.key
+ owner: root
+ group: root
+ mode: 0600
+ sudo: true
+
- name: ensure nginx is restarted
sudo: true
action: service name=nginx state=restarted
diff --git a/deploy/playbooks/roles/common/tasks/postgresql.yml b/deploy/playbooks/roles/common/tasks/postgresql.yml
index 70e76afb..5f493191 100644
--- a/deploy/playbooks/roles/common/tasks/postgresql.yml
+++ b/deploy/playbooks/roles/common/tasks/postgresql.yml
@@ -56,9 +56,13 @@
sudo: yes
- name: create the prod_db config file with the db password
+ sudo: yes
template:
src: ../templates/prod_db.py.j2
dest: "{{ app_home }}/src/{{ app_name }}/prod_db.py"
+ owner: root
+ group: "{{ app_user }}"
+ mode: 0640
notify:
- restart app
- restart celery
@@ -66,9 +70,13 @@
# this needs to be here because it needs the new db password
- name: create the prod alembic.ini file
+ sudo: yes
template:
src: ../templates/alembic-prod.ini.j2
dest: "{{ app_home }}/src/{{ app_name }}/alembic-prod.ini"
+ owner: root
+ group: "{{ app_user }}"
+ mode: 0640
- name: check if database for app needs populating
# this should be configurable/optional in the playbook
@@ -80,6 +88,7 @@
changed_when: "database_is_populated.rc != 0"
- name: populate the database for {{ app_name }}
+ sudo: yes
when: "database_is_populated.rc == 1"
command: "{{ app_home }}/bin/pecan populate {{ app_home }}/src/{{ app_name }}/prod.py"
environment:
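Review bot: The new `make sure permissions are correct for key` task is not gated by `when: development_server` the way the crt task directly above it is, and the `file` module's default state is `file`, which fails when the path is absent; if `/etc/ssl/private/{{ ansible_fqdn }}.key` only exists on development hosts this breaks every other run. Either add the same `when: development_server` guard or make the task conditional on a registered `stat` of the key. The `root:root 0600` target itself is the right one for a private key.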
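Review bot: `sudo: yes` on `populate the database` runs `{{ app_home }}/bin/pecan populate` as root, although the step only needs to read prod.py and reach the database, and with prod_db.py now `root:{{ app_user }} 0640` it should also work as the application account. Adding `sudo_user: "{{ app_user }}"` next to `sudo: yes` keeps the command at the privilege it needs and avoids root-owned artefacts if it writes under `{{ app_home }}`. The task's `environment:` block continues past the hunk.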
diff --git a/deploy/playbooks/roles/common/templates/circus.conf b/deploy/playbooks/roles/common/templates/circus.conf
index 25e0ae61..11011619 100644
--- a/deploy/playbooks/roles/common/templates/circus.conf
+++ b/deploy/playbooks/roles/common/templates/circus.conf
@@ -1,3 +1,3 @@
start on filesystem and net-device-up IFACE=lo
-setuid {{ ansible_ssh_user }}
+setuid {{ app_user }}
exec {{ app_home }}/bin/circusd /etc/circus/circus.ini
diff --git a/deploy/playbooks/roles/common/vars/main.yml b/deploy/playbooks/roles/common/vars/main.yml
index c6406d95..e4251c8c 100644
--- a/deploy/playbooks/roles/common/vars/main.yml
+++ b/deploy/playbooks/roles/common/vars/main.yml
@@ -11,7 +11,6 @@ system_packages:
- postgresql-common
- postgresql-contrib
- python-psycopg2
- - nginx
- vim
# needed for the ansible apt_repository module
- python-apt
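Review bot: `setuid {{ app_user }}` with `app_user: "nginx"` from deploy.yml makes circusd and the processes it supervises run under the same account as the web server, so the paths this change hands to `{{ app_user }}` (`/var/log/circus`, `{{ app_home }}/log`, `{{ binary_root }}`) are writable from a compromised nginx worker as well as from the application. A dedicated service account for the application, with nginx given only group read where it must serve files, would keep the two apart. If sharing the account is intentional, a comment next to the variable in deploy.yml such as `# app_user: account circusd drops to; shared with nginx on purpose` records that decision.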