diff --git a/bitlair.yaml b/bitlair.yaml
index 9f249d8..a2923fc 100644
--- a/bitlair.yaml
+++ b/bitlair.yaml
@@ -48,7 +48,6 @@ - hosts: pad roles:
- - { role: "nft", tags: [ "nft" ] }
 - { role: "acme", tags: [ "acme" ] } - { role: "nginx", tags: [ "nginx" ] } - { role: "etherpad", tags: [ "etherpad" ] }
diff --git a/common.yaml b/common.yaml
index 0cbfe1b..dacc2ae 100644
--- a/common.yaml
+++ b/common.yaml
@@ -4,3 +4,4 @@ gather_facts: true roles: - { role: "common", tags: [ "common" ] }
+ - { role: "nft", tags: [ "nft" ] }
diff --git a/group_vars/bank.yaml b/group_vars/bank.yaml
index 29bf37c..cd21505 100644
--- a/group_vars/bank.yaml
+++ b/group_vars/bank.yaml
@@ -1,3 +1,2 @@ ---
-nft: true
diff --git a/group_vars/fotos.yaml b/group_vars/fotos.yaml
index c69812c..9ab05d7 100644
--- a/group_vars/fotos.yaml
+++ b/group_vars/fotos.yaml
@@ -5,5 +5,3 @@ root_access: - linor - polyfloyd - wilco
-
-nft: true
diff --git a/group_vars/git-ci.yaml b/group_vars/git-ci.yaml
index 1e5fdac..e0bdaab 100644
--- a/group_vars/git-ci.yaml
+++ b/group_vars/git-ci.yaml
@@ -2,4 +2,4 @@ forgejo_url: https://git.bitlair.nl
-nft: false
+nft: false # Docker wil nog niet zo met nft
diff --git a/group_vars/git.yaml b/group_vars/git.yaml
index 8705b22..2aaa490 100644
--- a/group_vars/git.yaml
+++ b/group_vars/git.yaml
@@ -6,7 +6,6 @@ git_server_domain: git.bitlair.nl git_server_title: Gitlair git_server_bootstrap_cert: no
-nft: true
 group_nft_input: - "# Allow web-traffic from world" - "tcp dport { http, https } accept"
diff --git a/group_vars/kvm.yaml b/group_vars/kvm.yaml
new file mode 100644
index 0000000..9eed925
--- /dev/null
+++ b/group_vars/kvm.yaml
@@ -0,0 +1,4 @@
+---
+
+# FIXME: nog niet kunnen testen, en mogelijk non-default config nodig ;)
+nft: false
diff --git a/group_vars/lights.yaml b/group_vars/lights.yaml
index 29bf37c..cd21505 100644
--- a/group_vars/lights.yaml
+++ b/group_vars/lights.yaml
@@ -1,3 +1,2 @@ ---
-nft: true
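Review bot: With `nft` added to the common play, every host that play targets now runs the nftables role unless its group_vars sets `nft: false`, and in the same commit roles/nft/defaults/main.yaml flips the role default to `nft: true`, so the opt-in that the deleted `nft: true` lines used to express becomes an opt-out. Hosts that never carried the role — anything outside the groups that had `nft: true` or now have `nft: false` — will receive the role's default chain policies without any `group_nft_input` list, and nothing in this hunk shows whether the role's base ruleset accepts the management path (SSH) on its own; that is worth confirming on one such host before a full run, since a drop policy there would cut the connection the playbook itself runs over. The play's `hosts:` line is presumably above the hunk and not visible here. A comment above the new entry, `# nftables is rolled out to every host by default; opt out per group with nft: false`, would record the new contract at the point where it is enforced.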
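Review bot: The groups that opt out of the firewall (git-ci and kvm here, music and raspi further down) each record the reason in a different form — a trailing comment on `nft: false` in git-ci, `# FIXME:` in kvm, `# Fixme,` in music and an unmarked comment in raspi — so there is no single marker that lists every host left without the nftables ruleset. As far as this diff shows these are now the only hosts without the managed firewall, so a uniform marker such as `# FIXME(nft): Docker wil nog niet zo met nft` placed on its own line above `nft: false` would make them greppable and keep the reason from being lost when the value is later edited. In git-ci the inline comment also needs two spaces before `#` to pass yamllint's comment rule; moving it above the key sidesteps that as well.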
diff --git a/group_vars/monitoring.yaml b/group_vars/monitoring.yaml
index f788245..248d854 100644
--- a/group_vars/monitoring.yaml
+++ b/group_vars/monitoring.yaml
@@ -3,7 +3,6 @@ monitoring_bootstrap_cert: no acme_san_domains: - ["{{ monitoring_domain }}", monitoring.bitlair.nl]
-nft: true
 group_nft_input: - "# Allow web-traffic from world" - "tcp dport { http, https } accept"
diff --git a/group_vars/mqtt.yaml b/group_vars/mqtt.yaml
index dd9db4a..3b2167b 100644
--- a/group_vars/mqtt.yaml
+++ b/group_vars/mqtt.yaml
@@ -1,6 +1,4 @@ ---
-nft: true
-
 nft_group_rules: - { version: "ip6", from: [ '2001:470:7f95::/48' ], port: "1883" }
diff --git a/group_vars/music.yaml b/group_vars/music.yaml
index 8acdf4e..8f0cc7c 100644
--- a/group_vars/music.yaml
+++ b/group_vars/music.yaml
@@ -1,3 +1,8 @@
+---
+
+# Fixme, nog niet kunnen testen, was down
+nft: false
+
 root_access: - ak - bob
diff --git a/group_vars/pad.yaml b/group_vars/pad.yaml
index e0a3ff1..fd642a9 100644
--- a/group_vars/pad.yaml
+++ b/group_vars/pad.yaml
@@ -6,7 +6,6 @@ nginx_sites: - server_name: "pad.bitlair.nl" localproxy: "9001"
-nft: true
 group_nft_input: - "# Allow web-traffic from world" - "tcp dport { http, https } accept"
diff --git a/group_vars/raspi.yaml b/group_vars/raspi.yaml
new file mode 100644
index 0000000..4b0461c
--- /dev/null
+++ b/group_vars/raspi.yaml
@@ -0,0 +1,4 @@
+---
+
+# Nog niet kunnen testen / geen toegang
+nft: false
diff --git a/group_vars/services.yaml b/group_vars/services.yaml
index 2fdfaaf..e76affe 100644
--- a/group_vars/services.yaml
+++ b/group_vars/services.yaml
@@ -1,5 +1,4 @@ ---
-nft: true
 group_nft_input: [] # - "udp dport 4000 accept # FIXME, werkt op dit moment toch niet hoor ik van AK
diff --git a/group_vars/wiki.yaml b/group_vars/wiki.yaml
index 6c517e7..1f2bd2c 100644
--- a/group_vars/wiki.yaml
+++ b/group_vars/wiki.yaml
@@ -4,8 +4,6 @@ acme_san_domains: - [ bitair.nl ] - [ ravespace.nl ]
-nft: true
-
 group_nft_input: - "# Allow web-traffic from world" - "tcp dport { http, https } accept"
diff --git a/roles/nft/defaults/main.yaml b/roles/nft/defaults/main.yaml
index 6538cf0..2d9c778 100644
--- a/roles/nft/defaults/main.yaml
+++ b/roles/nft/defaults/main.yaml
@@ -1,6 +1,6 @@ ---
-nft: false # totdat alles om is
+nft: true # Overrule om geen nftables uit te rollen
 nft_main_config: "/etc/nftables.conf" # Default policies per chain ( drop / reject / accept )
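Review bot: The new `nft: true` is a role default, the lowest-precedence variable level in Ansible, so any group_vars, host_vars or inventory value wins over it; the inline comment `# Overrule om geen nftables uit te rollen` says an override exists but not where it goes, nor that the role is now pulled in from common.yaml for every host. Since this one line now decides whether a host gets a firewall, `nft: true  # set nft: false in group_vars/host_vars to skip the nftables rollout on that host` would document both the precedence and the opt-out in one place, and the two spaces before `#` satisfy yamllint's comment rule. Presumably the role's tasks are gated on `nft`, but that check lies outside this hunk, as does the value of the per-chain default policy mentioned on the last context line.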