diff --git a/group_vars/default/base.yml b/group_vars/default/base.yml
index 6a45f25..cd35292 100644
--- a/group_vars/default/base.yml
+++ b/group_vars/default/base.yml
@@ -9,7 +9,7 @@ timezone_location: Canada/Eastern
 # Cluster domain for node FQDNs
 local_domain: upstream.local
 
-# Cluster hardware model, used in pvc_user_configuration below
+# Cluster hardware model, used in pvc_user_configuration and grub_configuration below
 cluster_hardware: default
 
 # Debian package repository URL
@@ -21,6 +21,14 @@ debian_pvc_repository: https://repo.bonifacelabs.net/debian
 # > Use pwgen to generate
 root_password: ""
 
+# GRUB configuration
+# > Generally this is a good default, though some systems use console 1 for serial-over-IPMI
+#   consoles, so set this based on your actual hardware.
+grub:
+  serial_console:
+    "default":
+      console: 0
+
 # IPMI configuration
 # > For the "pvc" user password, use pwgen to generate.
 # > Set the "pvc"user with permissions in IPMI to reboot the host as this user will be use for
diff --git a/roles/base/defaults/main.yml b/roles/base/defaults/main.yml
index 663af4f..1badc57 100644
--- a/roles/base/defaults/main.yml
+++ b/roles/base/defaults/main.yml
@@ -1,4 +1,8 @@
 ---
+grub_cmdline: "console=tty0 console=ttyS{{ grub.serial_console[cluster_hardware].console }},115200"
+grub_serial: "serial --unit={{ grub.serial_console[cluster_hardware].console }} --speed=115200"
+
 deploy_username: "deploy"
+
 fail2ban_ignorelist:
   - 10.0.0.0/8
diff --git a/roles/base/handlers/main.yml b/roles/base/handlers/main.yml
index d722357..63215de 100644
--- a/roles/base/handlers/main.yml
+++ b/roles/base/handlers/main.yml
@@ -34,3 +34,6 @@
 
 - name: newaliases
   command: newaliases
+
+- name: update grub
+  command: update-grub
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
index dae921b..fb9963b 100644
--- a/roles/base/tasks/main.yml
+++ b/roles/base/tasks/main.yml
@@ -230,6 +230,7 @@
       - xz-utils
       - haveged
       - ipmitool
+      - grub-efi
       - linux-image-amd64
       - linux-headers-amd64
   tags: base-packages
@@ -572,6 +573,14 @@
     - "pvc"
   tags: base-ipmi
 
+# GRUB bootloader
+- name: install GRUB configuration
+  template:
+    src: etc/default/grub.j2
+    dest: /etc/default/grub
+  notify:
+    - update grub
+
 #
 # Configure users
 #
diff --git a/roles/base/templates/etc/default/grub.j2 b/roles/base/templates/etc/default/grub.j2
new file mode 100644
index 0000000..a01cc1c
--- /dev/null
+++ b/roles/base/templates/etc/default/grub.j2
@@ -0,0 +1,9 @@
+# GRUB configuration
+# {{ ansible_managed }}
+GRUB_DEFAULT=0
+GRUB_TIMEOUT=5
+GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
+GRUB_CMDLINE_LINUX="{{ grub_cmdline }}"
+GRUB_TERMINAL_INPUT="console serial"
+GRUB_TERMINAL_OUTPUT="gfxterm serial"
+GRUB_SERIAL_COMMAND="{{ grub_serial }}"