diff --git a/bootstrap-new-client.yml b/bootstrap-new-client.yml
new file mode 100644
index 0000000..31a9eab
--- /dev/null
+++ b/bootstrap-new-client.yml
@@ -0,0 +1,34 @@
+---
+- name: Bootstrap local known_hosts from inventory
+ hosts: localhost
+ gather_facts: false
+
+ tasks:
+ - name: Ensure local ~/.ssh directory exists
+ ansible.builtin.file:
+ path: "{{ lookup('env', 'HOME') }}/.ssh"
+ state: directory
+ mode: "0700"
+
+ - name: Add VM host keys to local known_hosts
+ ansible.builtin.known_hosts:
+ path: "{{ lookup('env', 'HOME') }}/.ssh/known_hosts"
+ name: "{{ hostvars[item][\"ansible_host\"] }}"
+ key: "{{ lookup('pipe', 'ssh-keyscan -H ' ~ hostvars[item][\"ansible_host\"]) }}"
+ state: present
+ loop: "{{ groups[\"proxmox_vms\"] }}"
+
+- name: Add this client SSH public key to VM user
+ hosts: proxmox_vms
+ gather_facts: false
+
+ vars:
+ target_user: vrubel
+ key_file: "{{ lookup('env', 'HOME') }}/.ssh/id_ed25519.pub"
+
+ tasks:
+ - name: Add public key to authorized_keys
+ ansible.posix.authorized_key:
+ user: "{{ target_user }}"
+ state: present
+ key: "{{ lookup('file', key_file) }}"
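Review bot: The `Add VM host keys to local known_hosts` task pins whatever `ssh-keyscan` returns over the network at run time, so an unverified key is written to `known_hosts` and every later SSH session, including the second play that installs the client public key, will trust it without a warning. The host key should come from a source verified out of band, for example an inventory variable holding each VM's public host key: `key: "{{ hostvars[item]['ansible_host'] }} {{ hostvars[item]['vm_host_public_key'] }}"`, where `vm_host_public_key` is a placeholder name for such a variable. Alternatively, compare the scanned fingerprint against a recorded value before the entry is added. Separately, the `pipe` lookup builds a shell command by string concatenation; applying the `quote` filter to `hostvars[item]["ansible_host"]` keeps a malformed inventory value from being interpreted by the shell.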