diff --git a/Makefile b/Makefile
index 8c742b7..8fa5240 100644
--- a/Makefile
+++ b/Makefile
@@ -38,6 +38,7 @@ configure:
 $(TAGS_ARGS) \
 --inventory="$(INVENTORY)" \
 --extra-vars='ansible_python_interpreter=/usr/bin/python3' \
+ -vvv \
 $(PLAYBOOK)
 
 configure-prod:
@@ -46,6 +47,9 @@ configure-prod:
 configure-apps:
 $(MAKE) configure TAGS="webserver,apps,env"
 
+configure-users:
+ $(MAKE) configure TAGS="apps,env"
+
 dry-run:
 ANSIBLE_HOST_KEY_CHECKING=$(ANSIBLE_HOST_KEY_CHECKING) \
 ansible-playbook \
diff --git a/ansible/configuration.yml b/ansible/configuration.yml
index 48339c1..301462c 100644
--- a/ansible/configuration.yml
+++ b/ansible/configuration.yml
@@ -19,6 +19,7 @@
 packages:
 - git
 - python3-pip
+ - acl
 
 - import_role:
 name: yatesr.timezone
diff --git a/ansible/roles/docker-app/files/yandex-docker-registry-auth.sh b/ansible/roles/docker-app/files/yandex-docker-registry-auth.sh
new file mode 100644
index 0000000..457cb3e
--- /dev/null
+++ b/ansible/roles/docker-app/files/yandex-docker-registry-auth.sh
@@ -0,0 +1,11 @@
+#!/usr/bin/env sh
+
+# See https://cloud.yandex.ru/docs/container-registry/tutorials/run-docker-on-vm#run
+
+set -eu
+
+curl --silent --show-error -H Metadata-Flavor:Google 169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token | \
+ cut -f1 -d',' | \
+ cut -f2 -d':' | \
+ tr -d '"' | \
+ docker login --username iam --password-stdin cr.yandex
diff --git a/ansible/roles/docker-app/tasks/main.yml b/ansible/roles/docker-app/tasks/main.yml
index 068eb67..7f97c8a 100644
--- a/ansible/roles/docker-app/tasks/main.yml
+++ b/ansible/roles/docker-app/tasks/main.yml
@@ -16,3 +16,9 @@
 owner: '{{ username }}'
 group: '{{ username }}'
 recurse: True
+
+- name: 'Login to yandex docker registry.'
+ ansible.builtin.script:
+ cmd: 'files/yandex-docker-registry-auth.sh'
+ become: yes
+ become_user: '{{ username }}'
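Review bot: The `-vvv` added to the `configure` recipe in Makefile is unconditional, and `configure-apps` and the new `configure-users` (and presumably `configure-prod`, whose recipe is outside the hunk) all go through this target, so every run now prints debug output that includes module arguments for any task not marked `no_log`. That output usually ends up in CI logs and terminal scrollback, where templated secrets become readable. I would make verbosity opt-in: declare `ANSIBLE_VERBOSITY ?=` next to the other variables and use `$(ANSIBLE_VERBOSITY) \` in place of `-vvv \`, so `make configure ANSIBLE_VERBOSITY=-vvv` is only used while debugging. The recipe starts above the hunk.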
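Review bot: The new `configure-users` target in Makefile runs `TAGS="apps,env"`, which is `configure-apps` without `webserver`, and nothing in the name or the recipe says what that has to do with users. A one-line comment above the target would help, for example `# Re-apply the apps and env tags without the webserver role`, adjusted to the real intent. If the file keeps a `.PHONY` list (not visible in this hunk), `configure-users` should be added to it.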
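Review bot: The `acl` entry added to `packages` in ansible/configuration.yml carries no explanation, and it is not obvious why a base host needs it. It is presumably there because the new docker-app task uses `become_user` with an unprivileged user, where Ansible relies on `setfacl` to hand over its temporary files; if so, a comment such as `# acl: required for become_user to an unprivileged user` on that line would keep it from being dropped later. The list starts above the hunk.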
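Review bot: In yandex-docker-registry-auth.sh the `curl` call has no `--fail` and no timeout, and `set -eu` under `sh` does not catch a failure on the left side of a pipeline, so an HTTP error body or a hung metadata request is parsed and handed to `docker login` as if it were a token. Adding `--fail --max-time 10` to the curl line makes the request fail fast instead of passing an error page downstream. The `cut`/`tr` chain also assumes the access token is the first field of the JSON response; a comment stating that assumption (or a real JSON parser, if one is available on the host) would make the dependency visible. `docker login` without a credential helper writes the token into the target user's `~/.docker/config.json`, so that file's ownership and mode deserve a check.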
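Review bot: The 'Login to yandex docker registry.' task in tasks/main.yml logs in once at provisioning time, while the token the script reads from the metadata service is presumably short-lived; if so, image pulls will start failing once it expires unless something re-runs the login. A comment on the task stating when it has to be re-run, or moving the login next to whatever performs the pull, would make that explicit. Separately, `ansible.builtin.script` reports `changed` on every run, so adding `changed_when: false` keeps the play recap meaningful.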