diff --git a/ansible/group_vars/clickhouse/vars.yml b/ansible/group_vars/clickhouse/vars.yml index aff2905..75b4ec8 100644 --- a/ansible/group_vars/clickhouse/vars.yml +++ b/ansible/group_vars/clickhouse/vars.yml @@ -7,6 +7,8 @@ nftables_clickhouse_allow: ip: 88.198.54.12 - fqdn: data3.htz-fsn.prod.ooni.nu ip: 168.119.7.188 + - fqdn: notebook.ooni.org + ip: 138.201.19.39 nftables_zookeeper_allow: - fqdn: data1.htz-fsn.prod.ooni.nu @@ -15,6 +17,8 @@ nftables_zookeeper_allow: ip: 88.198.54.12 - fqdn: data3.htz-fsn.prod.ooni.nu ip: 168.119.7.188 + - fqdn: notebook.ooni.org + ip: 138.201.19.39 clickhouse_keeper: tcp_port: 9181 @@ -43,6 +47,12 @@ clickhouse_keeper: hostname: clickhouse3.prod.ooni.io port: 9234 + - keeper_server: + server: notebook.ooni.org + id: 4 + hostname: notebook.ooni.org + port: 9234 + clickhouse_remote_servers: - server: servername: oonidata_cluster @@ -79,7 +89,8 @@ clickhouse_default_users: quota: default - user: name: write - password: "{{ lookup('amazon.aws.aws_secret', 'oonidevops/clickhouse_write_password', profile='oonidevops_user_prod') }}" + password: "{{ lookup('amazon.aws.aws_secret', 'oonidevops/clickhouse_write_password', profile='oonidevops_user_prod') | hash('sha256') }}" + password_type: "SHA256_PASSWORD" networks: - "0.0.0.0/0" profile: write diff --git a/ansible/host_vars/notebook.ooni.org b/ansible/host_vars/notebook.ooni.org index 029edcc..0ae1642 100644 --- a/ansible/host_vars/notebook.ooni.org +++ b/ansible/host_vars/notebook.ooni.org 
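Review bot: Allowing `138.201.19.39` by source address in `nftables_clickhouse_allow` (hunk `@@ -7,6 +7,8 @@`) and again in `nftables_zookeeper_allow` (hunk `@@ -15,6 +17,8 @@`) gives every account on a shared host network reach to the data nodes. The host_vars for `notebook.ooni.org` in this same commit list non-admin shell users and set `jupyterhub_allowed_users`, and a source-IP rule cannot tell the ClickHouse service on that machine apart from any process a logged-in user starts. Whether the ClickHouse and keeper ports behind these lists require authentication is not visible in the diff. If the access is intended, record it next to both entries, for example `# shared JupyterHub host: all local users can reach these ports`, and consider allowing only the host's tailnet address instead of its public one.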
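Review bot: The `keeper_server` entry with `id: 4` added in hunk `@@ -43,6 +47,12 @@` appears to take the keeper ensemble from three to four voting members, going by the `clickhouse3` entry just above it. A four-member Raft group needs three votes for quorum, so it still tolerates only one failure while adding one more node that can fail. The new member is also the multi-user notebook host, so a coordination participant now sits on a machine with interactive users. Separately, the notebook host_vars in this commit set `clickhouse_listen_hosts` to `127.0.0.1`; if the role applies that to the keeper's Raft listener, the other members could not reach `notebook.ooni.org:9234`, which is worth confirming. At minimum add a comment above the entry such as `# 4th keeper member on the notebook host; quorum is 3 of 4`.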
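Review bot: In hunk `@@ -79,7 +89,8 @@` the `write` user still has `networks: - "0.0.0.0/0"`, so hashing the password does nothing to narrow who can attempt that login. The new value is a single unsalted SHA-256 digest: it keeps the cleartext out of the rendered users file, but it protects a leaked file only if the secret behind the `aws_secret` lookup is long and random. Consider restricting `networks` to the addresses already listed in `nftables_clickhouse_allow` rather than relying on the firewall alone. The same lookup-and-hash expression is repeated in the notebook host_vars; defining it once as a variable would keep the two copies from drifting.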
@@ -64,8 +64,31 @@ ssh_users: comment: "Ben Ginoe" keys: - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOWdWCATiHUAzoS3mn3pFMIYDmi3n4Ekuzv5cEtvV0W1 root@parrot" - admin_usernames: [ art, agrabeli, majakomel, mehul, norbel ] non_admin_usernames: [ ain, siti, ingrid, joss, vasilis, michael, benginoe ] jupyterhub_allowed_users: "{{ ssh_users }}" admin_group_name: admin + +clickhouse_default_profiles: + default: + readonly: 1 + +clickhouse_listen_hosts: + - "127.0.0.1" + +clickhouse_default_users: + - user: + name: default + password: + networks: + - "127.0.0.1" + profile: default + quota: default + - user: + name: write + password: "{{ lookup('amazon.aws.aws_secret', 'oonidevops/clickhouse_write_password', profile='oonidevops_user_prod') | hash('sha256') }}" + password_type: "SHA256_PASSWORD" + networks: + - "127.0.0.1" + profile: write + quota: default diff --git a/ansible/playbook.yml b/ansible/playbook.yml index 6170ee4..d9a53bf 100644 --- a/ansible/playbook.yml +++ b/ansible/playbook.yml @@ -22,24 +22,16 @@ roles: - ssh_users -- name: Deploy oonidata clickhouse hosts (ssd backed) +- name: Deploy oonidata clickhouse hosts hosts: - data1.htz-fsn.prod.ooni.nu - data2.htz-fsn.prod.ooni.nu - become: true - roles: - - tailnet - - oonidata_clickhouse - -- name: Deploy oonidata clickhouse hosts (hdd backed) - hosts: - data3.htz-fsn.prod.ooni.nu + - notebook.ooni.org become: true roles: - tailnet - oonidata_clickhouse - vars: - clickhouse_data_directory: /data/clickhouse - name: Deploy notebook host hosts: notebook.ooni.org
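Review bot: The `default` user added in this hunk has a bare `password:` key, which YAML loads as null rather than an empty string, and its only restriction is `networks: - "127.0.0.1"`. Loopback is not a trust boundary on this host, because the same file lists non-admin shell and JupyterHub users; any of them can connect as `default` without a password and can attempt the `write` login locally, so the `readonly: 1` profile is the only effective limit. If passwordless read access is intended, state it explicitly, e.g. `password: ""  # intentionally empty: read-only profile, loopback only`; how the role renders a null password is not visible here. Assuming Ansible's default variable precedence, this list also replaces the group-level `clickhouse_default_users` for this host, so any other users defined there are dropped here.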
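Review bot: `data3.htz-fsn.prod.ooni.nu` loses its `clickhouse_data_directory: /data/clickhouse` override in this hunk, because the merged play has no `vars:` section and the removed hdd-backed play was the only place in the diff that set it. Unless the variable is now defined in host_vars or group_vars outside this diff, the next run on data3 would fall back to the role default and could bring ClickHouse up on a different, empty data directory. Keep the override per host, e.g. `clickhouse_data_directory: /data/clickhouse` in data3's host_vars, before the plays are merged. Adding `notebook.ooni.org` to this play also applies the full `oonidata_clickhouse` role to a shared multi-user host, which deserves a short comment on the play explaining why.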