diff --git a/authorized_keys/foobar.keys b/authorized_keys/foobar.keys index f7fac20..6493dc3 100644 --- a/authorized_keys/foobar.keys +++ b/authorized_keys/foobar.keys @@ -1,2 +1,2 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUIAkaRsvb6cD1XIGF80JpMH1mYE9XhCgptOkt9AfloZQlO7Ds5XeCwJk5/TsoidTcb/0yFUov8SMwaIVtrFfkNUqqeAsfm3luJ4JwOXeCwrXD6W7c5Wqg/FGNH0eZr0kEnxpNS10L72+oNBQgnlSNjqWS29lEmXApKQ3IKy6aP9cMwEh25fsH/2G7mHsZX2UMPK0tZPC6MPxY5P9PWLIulUpsX96c6OcAvGYIvsCnecsVsTdhK36w4Z/t7XoLFz5X6k3eXT7gG4SMGuBixjroTUhumWzgJJ6T1Nn/eESe7Im8krlzO/0hG/F8uBy3s04TAJuXFmygvtC4YLyq91U5 Sig-I/O Beheer key -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyKprIcR81+RFSBxU3iyW4vd0ctr0q1Pqifzxbro+0C mark@x240-ed25519 +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUIAkaRsvb6cD1XIGF80JpMH1mYE9XhCgptOkt9AfloZQlO7Ds5XeCwJk5/TsoidTcb/0yFUov8SMwaIVtrFfkNUqqeAsfm3luJ4JwOXeCwrXD6W7c5Wqg/FGNH0eZr0kEnxpNS10L72+oNBQgnlSNjqWS29lEmXApKQ3IKy6aP9cMwEh25fsH/2G7mHsZX2UMPK0tZPC6MPxY5P9PWLIulUpsX96c6OcAvGYIvsCnecsVsTdhK36w4Z/t7XoLFz5X6k3eXT7gG4SMGuBixjroTUhumWzgJJ6T1Nn/eESe7Im8krlzO/0hG/F8uBy3s04TAJuXFmygvtC4YLyq91U5 +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyKprIcR81+RFSBxU3iyW4vd0ctr0q1Pqifzxbro+0C diff --git a/bank.yaml b/bank.yaml index 837d27b..43c92b7 100644 --- a/bank.yaml +++ b/bank.yaml @@ -1,8 +1,8 @@ --- - hosts: bank + roles: + - common + - bank vars: bank_revbank_git: https://github.com/bitlair/revbank.git - roles: - - { role: "common", tags: [ "common" ] } - - { role: "bank", tags: [ "bank" ] } diff --git a/bar.yaml b/bar.yaml index 919a4d8..5752cc3 100644 --- a/bar.yaml +++ b/bar.yaml @@ -4,6 +4,6 @@ vars: raspi_rotate_display: "2" roles: - - { role: "raspi", tags: [ "raspi" ] } - - { role: "common", tags: [ "common" ] } - - { role: "bank-terminal", tags: [ "bank-terminal" ] } + - raspi + - common + - bank-terminal diff --git a/bitlair.yaml b/bitlair.yaml index 1eed26c..ec019e7 100644 --- a/bitlair.yaml +++ b/bitlair.yaml 
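Review bot: The rewritten key lines in authorized_keys/foobar.keys have no comment field any more (`Sig-I/O Beheer key` and `mark@x240-ed25519` are gone), so nothing in the file says which person or device each key belongs to, and a later revocation has to be done by matching fingerprints by hand. The comment takes no part in authentication, so a neutral label such as `ssh-ed25519 AAAA… foobar-ed25519` (label constructed) keeps the file auditable without exposing a personal hostname or e-mail address. Since these lines end up in an `authorized_keys` file, this is also the place to consider an options prefix such as `restrict` or `from="<trusted range>"` for keys that only need to reach specific hosts.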
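Review bot: Replacing `- { role: "common", tags: [ "common" ] }` with the bare `- common` in bank.yaml drops the playbook-level tags, so `ansible-playbook bank.yaml --tags common` (or `--tags bank`) selects nothing unless the role tags its own tasks; the common role's tasks show a `tags:` key and etherpad, monitoring and mqtt-internal now wrap their tasks in a tagged block, but bank, bank-terminal, raspi, photos, git-ci, git-server, go, music and acme are not shown doing so in this diff. The same change is made in bar.yaml, common.yaml, fotos.yaml, git-ci.yaml, git.yaml, monitoring.yaml, mqtt-internal.yaml, music.yaml and pad.yaml, while bitlair.yaml keeps the `{ role: ..., tags: [...] }` form, so both styles now coexist in the repository. Note also that mqtt-internal.yaml loses the `mqtt` and `mqtt-internal` tags while the role's new block is tagged `tags: mqtt_internal` (underscore), so the old `--tags mqtt-internal` invocation silently matches nothing — align the block to `tags: mqtt-internal` or document the rename. If tag filtering is meant to remain a playbook feature, keep the short form with tags, `- { role: common, tags: [ common ] }`.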
@@ -26,13 +26,11 @@ - hosts: git roles: - { role: "acme", tags: [ "acme" ] } - - { role: "nginx", tags: [ "nginx" ] } - { role: "git-server", tags: [ "git-server" ] } - hosts: monitoring roles: - { role: "acme", tags: [ "acme" ] } - - { role: "nginx", tags: [ "nginx" ] } - { role: "monitoring", tags: [ "monitoring" ] } - hosts: mqtt @@ -48,7 +46,6 @@ - hosts: pad roles: - { role: "acme", tags: [ "acme" ] } - - { role: "nginx", tags: [ "nginx" ] } - { role: "etherpad", tags: [ "etherpad" ] } - hosts: services @@ -58,5 +55,4 @@ - hosts: wiki roles: - { role: "acme", tags: [ "acme" ] } - - { role: "nginx", tags: [ "nginx" ] } - { role: "www", tags: [ "www" ] } diff --git a/common.yaml b/common.yaml index 0cbfe1b..3e0cb27 100644 --- a/common.yaml +++ b/common.yaml @@ -3,4 +3,4 @@ - hosts: debian gather_facts: true roles: - - { role: "common", tags: [ "common" ] } + - common diff --git a/fotos.yaml b/fotos.yaml index 7357e31..f0edd7b 100644 --- a/fotos.yaml +++ b/fotos.yaml @@ -2,5 +2,5 @@ - hosts: fotos roles: - - { role: "common", tags: [ "common" ] } - - { role: "photos", tags: [ "photos" ] } + - common + - photos diff --git a/git-ci.yaml b/git-ci.yaml index 711dac4..fa9f7b7 100644 --- a/git-ci.yaml +++ b/git-ci.yaml @@ -2,5 +2,5 @@ - hosts: git-ci roles: - - { role: "common", tags: [ "common" ] } - - { role: "git-ci", tags: [ "git-ci" ] } + - common + - git-ci diff --git a/git.yaml b/git.yaml index 0ae1811..2161a4c 100644 --- a/git.yaml +++ b/git.yaml @@ -2,7 +2,6 @@ - hosts: git roles: - - { role: "common", tags: [ "common" ] } - - { role: "acme", tags: [ "acme" ] } - - { role: "nginx", tags: [ "nginx" ] } - - { role: "git-server", tags: [ "git-server" ] } + - common + - acme + - git-server diff --git a/group_vars/all.yaml b/group_vars/all.yaml index fd209d8..bdafa45 100644 --- a/group_vars/all.yaml +++ b/group_vars/all.yaml 
@@ -6,25 +6,22 @@ notify_email: bestuur@bitlair.nl acme_bootstrap_certs: no trusted_ranges: # localhost - - { v: ipv4, cidr: "127.0.0.1/8" } + - { v: ipv4, cidr: 127.0.0.1/8 } - { v: ipv6, cidr: "::1" } # rf1928 - - { v: ipv4, cidr: "10.0.0.0/8" } - - { v: ipv4, cidr: "172.16.0.0/12" } - - { v: ipv4, cidr: "192.168.0.0/16" } + - { v: ipv4, cidr: 10.0.0.0/8 } + - { v: ipv4, cidr: 172.16.0.0/12 } + - { v: ipv4, cidr: 192.168.0.0/16 } # v6 local - { v: ipv6, cidr: "fe80::/10" } # vihamij - - { v: ipv4, cidr: "45.88.49.140" } + - { v: ipv4, cidr: 45.88.49.140 } # eventinfra - - { v: ipv4, cidr: "204.2.64.0/20" } - # bitlair - - { v: ipv4, cidr: "100.64.0.0/10" } - - { v: ipv4, cidr: "185.205.52.194/32" } + - { v: ipv4, cidr: 204.2.64.0/20 } + + - { v: ipv4, cidr: 100.64.0.0/10 } + - { v: ipv4, cidr: 185.205.52.194/32 } - { v: ipv6, cidr: "2a02:166b:92::/48" } - # foobar - - { v: ipv4, cidr: "31.187.251.213/32" } - - { v: ipv6, cidr: "2a0e:5700:4:2::/64" } root_access: - ak diff --git a/group_vars/git.yaml b/group_vars/git.yaml index dd039b3..ed549a9 100644 --- a/group_vars/git.yaml +++ b/group_vars/git.yaml @@ -1,15 +1,5 @@ ---- - acme_domains: - "{{ git_server_domain }}" git_server_domain: git.bitlair.nl git_server_title: Gitlair git_server_bootstrap_cert: no - -nginx_client_max_body_size: 4G - -nginx_sites: - - server_name: "git.bitlair.nl" - localproxy: "9001" - snippets: - - "forgejo-nginx.j2" diff --git a/group_vars/monitoring.yaml b/group_vars/monitoring.yaml index 51d9b97..b692290 100644 --- a/group_vars/monitoring.yaml +++ b/group_vars/monitoring.yaml @@ -40,9 +40,3 @@ prometheus_scrape_configs: target_label: instance - target_label: __address__ replacement: "{{ blackbox_exporter_web_listen_address }}" - -nginx_sites: - - server_name: "dashboard.bitlair.nl" - localproxy: "9000" - snippets: - - "prometheus-nginx.j2" diff --git a/group_vars/music.yaml b/group_vars/music.yaml index 8acdf4e..ee9235b 100644 --- a/group_vars/music.yaml +++ b/group_vars/music.yaml 
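Review bot: The `# bitlair` label above `100.64.0.0/10` and `185.205.52.194/32` is replaced by an empty line while every other group in `trusted_ranges` keeps its comment; restore `# bitlair` (or whatever the group is now), since a bare `100.64.0.0/10` — RFC 6598 shared address space — in a trusted list is exactly the entry a reader will want explained. The hunk also unquotes the IPv4 CIDRs while the IPv6 entries stay quoted; plain `127.0.0.1/8` still parses as a string, so this is harmless, but one list with two quoting styles is harder to maintain — either quote all entries or none. Removing the foobar ranges is consistent with the authorized_keys change in this commit, no objection there.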
@@ -5,8 +5,6 @@ root_access: - foobar - polyfloyd -nginx_client_max_body_size: 512M - music_domain: music.bitlair.nl acme_san_domains: - [ music.bitlair.nl ] diff --git a/group_vars/pad.yaml b/group_vars/pad.yaml index 1711b7d..b498398 100644 --- a/group_vars/pad.yaml +++ b/group_vars/pad.yaml @@ -1,7 +1 @@ ---- - etherpad_domain: pad.bitlair.nl - -nginx_sites: - - server_name: "pad.bitlair.nl" - localproxy: "9001" diff --git a/group_vars/wiki.yaml b/group_vars/wiki.yaml deleted file mode 100644 index e9a1937..0000000 --- a/group_vars/wiki.yaml +++ /dev/null @@ -1,21 +0,0 @@ -acme_bootstrap_certs: yes -acme_san_domains: - - [ bitlair.nl, wiki.bitlair.nl, www.bitlair.nl ] - - [ bitair.nl ] - - [ ravespace.nl ] - -nginx_sites: - - server_name: "bitlair.nl" - server_alias: "wiki.bitlair.nl www.bitlair.nl cyber.bitlair.nl" - snippets: - - "mqtt2web-nginx.j2" - - "spaceapi-nginx.j2" - - "www-nginx.j2" - - server_name: "bitair.nl" - server_alias: "www.bitair.nl" - snippets: - - "bitair-nginx.j2" - - server_name: "ravespace.nl" - server_alias: "www.ravespace.nl" - snippets: - - "ravespace-nginx.j2" diff --git a/group_vars/www.yaml b/group_vars/www.yaml new file mode 100644 index 0000000..e1db9d5 --- /dev/null +++ b/group_vars/www.yaml @@ -0,0 +1,5 @@ +acme_bootstrap_certs: yes +acme_san_domains: + - [ bitlair.nl, wiki.bitlair.nl, www.bitlair.nl ] + - [ bitair.nl ] + - [ ravespace.nl ] diff --git a/monitoring.yaml b/monitoring.yaml index 9e05df0..9ad8623 100644 --- a/monitoring.yaml +++ b/monitoring.yaml @@ -2,7 +2,6 @@ - hosts: monitoring roles: - - { role: "common", tags: [ "common" ] } - - { role: "acme", tags: [ "acme" ] } - - { role: "nginx", tags: [ "nginx" ] } - - { role: "monitoring", tags: [ "monitoring" ] } + - common + - acme + - monitoring diff --git a/mqtt-internal.yaml b/mqtt-internal.yaml index 4e106e0..bdf76a8 100644 --- a/mqtt-internal.yaml +++ b/mqtt-internal.yaml 
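Review bot: `group_vars/wiki.yaml` is replaced by `group_vars/www.yaml`, but group_vars files are matched by inventory group name, and the play in bitlair.yaml still targets `- hosts: wiki`; unless the inventory (not in this diff) also puts that host in a `www` group, the `acme_san_domains` for bitlair.nl, bitair.nl and ravespace.nl no longer apply and the acme role on the wiki host runs without them. The three `nginx_sites` entries deleted with wiki.yaml (bitlair.nl with the mqtt2web/spaceapi/www snippets, bitair.nl, ravespace.nl) have no visible replacement either, so please confirm that `roles/www` now provides those vhosts. In the new file, `acme_bootstrap_certs: yes` is a YAML 1.1 truthy spelling; write `acme_bootstrap_certs: true`.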
@@ -2,5 +2,5 @@ - hosts: mqtt roles: - - { role: "common", tags: [ "common" ] } - - { role: "mqtt-internal", tags: [ "mqtt", "mqtt-internal" ] } + - common + - mqtt-internal diff --git a/music.yaml b/music.yaml index e4ea70b..d12226c 100644 --- a/music.yaml +++ b/music.yaml @@ -2,8 +2,7 @@ - hosts: music roles: - - { role: "common", tags: [ "common" ] } - - { role: "acme", tags: [ "acme" ] } - - { role: "go", tags: [ "go" ] } -# - { role: "nginx", tags: [ "nginx" ] } - - { role: "music", tags: [ "music" ] } + - common + - acme + - go + - music diff --git a/pad.yaml b/pad.yaml index 74638bf..90d227e 100644 --- a/pad.yaml +++ b/pad.yaml @@ -5,7 +5,6 @@ acme_san_domains: - [ pad.bitlair.nl ] roles: - - { role: "common", tags: [ "common" ] } - - { role: "acme", tags: [ "acme" ] } - - { role: "nginx", tags: [ "nginx" ] } - - { role: "etherpad", tags: [ "etherpad" ] } + - common + - acme + - etherpad diff --git a/roles/acme/tasks/main.yaml b/roles/acme/tasks/main.yaml index 0be3133..229f566 100644 --- a/roles/acme/tasks/main.yaml +++ b/roles/acme/tasks/main.yaml @@ -23,7 +23,7 @@ owner: "{{ item.owner | default('root') }}" group: "{{ item.group | default('root') }}" mode: "{{ item.mode | default('0640') }}" - notify: "{{ item.notify | default([]) }}" + notify: "{{ item.notify | default([]) }}" with_items: - { src: "config.sh", dest: "/etc/dehydrated/conf.d/ansible.sh", mode: '0755' } - { src: "deploy.sh", dest: "/etc/dehydrated/conf.d/deploy.sh", mode: '0755' } diff --git a/roles/common/tasks/main.yaml b/roles/common/tasks/main.yaml index d20da44..10ce3a1 100644 --- a/roles/common/tasks/main.yaml +++ b/roles/common/tasks/main.yaml @@ -18,7 +18,6 @@ - { src: "sources.list.j2", dest: "/etc/apt/sources.list" } - { src: "apt-auto-upgrades.j2", dest: "/etc/apt/apt.conf.d/20auto-upgrades" } - { src: "apt-unattended-upgrades.j2", dest: "/etc/apt/apt.conf.d/50unattended-upgrades" } - register: aptconfig when: - ansible_os_family == "Debian" tags: 
@@ -57,8 +56,6 @@ - name: Install standard packages ansible.builtin.apt: - cache_valid_time: 3600 - update_cache: "{{ aptconfig.changed | bool | default(false) }}" pkg: - curl - fzf diff --git a/roles/etherpad/tasks/main.yaml b/roles/etherpad/tasks/main.yaml index cebeca2..2afe1f6 100644 --- a/roles/etherpad/tasks/main.yaml +++ b/roles/etherpad/tasks/main.yaml 
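Review bot: Removing `update_cache` and `cache_valid_time` from the "Install standard packages" apt task (second hunk) means the package index is no longer refreshed after the first hunk's template task rewrites `/etc/apt/sources.list`; unless that template task notifies an update handler (its head is outside the hunk), a new or changed mirror is not read before `pkg:` is installed, and a fresh host can fail on a stale or empty cache. Dropping `register: aptconfig` in the first hunk is fine on its own, but the apt task should then carry an unconditional refresh, `update_cache: true` and `cache_valid_time: 3600`, or the template task should `notify: apt update` as the etherpad role does. The `pkg:` list of the apt task continues outside the hunk.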
@@ -1,141 +1,140 @@ --- +- tags: etherpad + block: + - ansible.builtin.import_tasks: + file: ../../../snippets/common-nginx.yaml -- name: Install dependencies - ansible.builtin.apt: - state: present - pkg: - - gpg - - postgresql - - python3-psycopg2 - - apt-transport-https + - name: Install dependencies + ansible.builtin.apt: + name: [ gpg, postgresql, python3-psycopg2, apt-transport-https ] -- name: Import nodesource signing key - ansible.builtin.shell: - cmd: curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor - -o /usr/share/keyrings/nodesource.gpg - args: - creates: /usr/share/keyrings/nodesource.gpg - notify: apt update + - name: Import nodesource signing key + ansible.builtin.shell: + cmd: curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor + -o /usr/share/keyrings/nodesource.gpg + args: + creates: /usr/share/keyrings/nodesource.gpg + notify: apt update -- name: Install nodesource source list - ansible.builtin.template: - src: nodesource.list - dest: /etc/apt/sources.list.d/nodesource.list - owner: root - group: root - mode: 0644 - notify: apt update + - name: Install nodesource source list + ansible.builtin.template: + src: nodesource.list + dest: /etc/apt/sources.list.d/nodesource.list + owner: root + group: root + mode: 0644 + notify: apt update -- name: Install nodejs apt preference - ansible.builtin.template: - src: nodejs-apt-pref - dest: /etc/apt/preferences.d/nodejs - owner: root - group: root - mode: 0644 - notify: apt update + - name: Install nodejs apt preference + ansible.builtin.template: + src: nodejs-apt-pref + dest: /etc/apt/preferences.d/nodejs + owner: root + group: root + mode: 0644 + notify: apt update -- ansible.builtin.meta: flush_handlers + - ansible.builtin.meta: flush_handlers -- name: Install nodejs - ansible.builtin.apt: - name: nodejs + - name: Install nodejs + ansible.builtin.apt: + name: nodejs -- name: Add database user - become: true - become_method: su - 
become_user: postgres - no_log: yes - community.postgresql.postgresql_user: - name: etherpad - password: "{{ etherpad_db_password }}" + - name: Add database user + become: true + become_method: su + become_user: postgres + no_log: yes + community.postgresql.postgresql_user: + name: etherpad + password: "{{ etherpad_db_password }}" -- name: Add database - become: true - become_method: su - become_user: postgres - community.postgresql.postgresql_db: - name: "{{ etherpad_db_name }}" - owner: "{{ etherpad_db_user }}" + - name: Add database + become: true + become_method: su + become_user: postgres + community.postgresql.postgresql_db: + name: "{{ etherpad_db_name }}" + owner: "{{ etherpad_db_user }}" -- name: Add etherpad user - ansible.builtin.user: - name: etherpad - home: /var/lib/etherpad + - name: Add etherpad user + ansible.builtin.user: + name: etherpad + home: /var/lib/etherpad -- name: Create log file - ansible.builtin.file: - path: /var/log/etherpad.log - state: touch - owner: etherpad - group: etherpad - mode: 0644 + - name: Create log file + ansible.builtin.file: + path: /var/log/etherpad.log + state: touch + owner: etherpad + group: etherpad + mode: 0644 -- name: Create source directory - ansible.builtin.file: - path: /opt/etherpad - state: directory - owner: etherpad - group: etherpad - mode: 0755 + - name: Create source directory + ansible.builtin.file: + path: /opt/etherpad + state: directory + owner: etherpad + group: etherpad + mode: 0755 -- name: Clone etherpad source - become: yes - become_method: su - become_user: etherpad - ansible.builtin.git: - repo: https://github.com/ether/etherpad-lite.git - version: master - dest: /opt/etherpad - accept_hostkey: yes - notify: restart etherpad + - name: Clone etherpad source + become: yes + become_method: su + become_user: etherpad + ansible.builtin.git: + repo: https://github.com/ether/etherpad-lite.git + version: master + dest: /opt/etherpad + accept_hostkey: yes + notify: restart etherpad -- name: Install 
etherpad config - ansible.builtin.template: - src: settings.json - dest: /opt/etherpad/settings.json - owner: root - group: root - mode: 0644 - notify: restart etherpad + - name: Install etherpad config + ansible.builtin.template: + src: settings.json + dest: /opt/etherpad/settings.json + owner: root + group: root + mode: 0644 + notify: restart etherpad -- name: Install etherpad service - ansible.builtin.template: - src: etherpad.service - dest: /etc/systemd/system/etherpad.service - owner: root - group: root - mode: 0644 - notify: restart etherpad + - name: Install etherpad service + ansible.builtin.template: + src: etherpad.service + dest: /etc/systemd/system/etherpad.service + owner: root + group: root + mode: 0644 + notify: restart etherpad -- name: Start etherpad - ansible.builtin.systemd: - daemon_reload: true - name: etherpad - state: started - enabled: yes + - name: Start etherpad + ansible.builtin.systemd: + daemon_reload: true + name: etherpad + state: started + enabled: yes -- name: Install nginx config - ansible.builtin.template: - src: nginx-site.conf - dest: /etc/nginx/sites-enabled/etherpad - owner: root - group: root - mode: 0644 - notify: reload nginx + - name: Install nginx config + ansible.builtin.template: + src: nginx-site.conf + dest: /etc/nginx/sites-enabled/etherpad + owner: root + group: root + mode: 0644 + notify: reload nginx -- name: Allow HTTP and HTTPS - ansible.builtin.iptables: - chain: INPUT - protocol: tcp - destination_port: "{{ item.port }}" - ctstate: NEW - jump: ACCEPT - ip_version: "{{ item.ip }}" - action: insert - with_items: - - { ip: ipv4, port: 80 } - - { ip: ipv4, port: 443 } - - { ip: ipv6, port: 80 } - - { ip: ipv6, port: 443 } - notify: persist iptables + - name: Allow HTTP and HTTPS + ansible.builtin.iptables: + chain: INPUT + protocol: tcp + destination_port: "{{ item.port }}" + ctstate: NEW + jump: ACCEPT + ip_version: "{{ item.ip }}" + action: insert + with_items: + - { ip: ipv4, port: 80 } + - { ip: ipv4, port: 
443 } + - { ip: ipv6, port: 80 } + - { ip: ipv6, port: 443 } + notify: persist iptables diff --git a/roles/git-server/tasks/main.yaml b/roles/git-server/tasks/main.yaml index c5fb328..4a5bb3c 100644 --- a/roles/git-server/tasks/main.yaml +++ b/roles/git-server/tasks/main.yaml @@ -1,4 +1,6 @@ --- +- ansible.builtin.import_tasks: + file: ../../../snippets/common-nginx.yaml - name: Install dependencies ansible.builtin.apt: diff --git a/roles/monitoring/tasks/main.yaml b/roles/monitoring/tasks/main.yaml index 398bb5f..a13313c 100644 --- a/roles/monitoring/tasks/main.yaml +++ b/roles/monitoring/tasks/main.yaml @@ -2,6 +2,9 @@ - name: monitoring tags: monitoring block: + - ansible.builtin.import_tasks: + file: ../../../snippets/common-nginx.yaml + - name: Install nginx site ansible.builtin.template: src: nginx-site.conf diff --git a/roles/mqtt-internal/tasks/main.yaml b/roles/mqtt-internal/tasks/main.yaml index 89f9064..371671c 100644 --- a/roles/mqtt-internal/tasks/main.yaml +++ b/roles/mqtt-internal/tasks/main.yaml @@ -1,32 +1,34 @@ --- +- name: mqtt-internal + tags: mqtt_internal + block: + - name: Install dependencies + ansible.builtin.apt: + name: + - mosquitto + - avahi-daemon -- name: Install dependencies - ansible.builtin.apt: - name: - - mosquitto - - avahi-daemon + - name: Install bambulab cafile + # openssl s_client -showcerts -connect :8883 :8883
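Review bot: The re-indented "Import nodesource signing key" task in roles/etherpad/tasks/main.yaml still fetches an apt signing key with `curl ... | gpg --dearmor` in a plain shell, so whatever the remote serves at run time becomes a trusted apt keyring with no pinning, and without `pipefail` the task's exit status is gpg's rather than curl's, so a failed download can go unnoticed while `creates:` skips the task on later runs if gpg still wrote the output file. Fetching the key with `ansible.builtin.get_url` and a pinned `checksum:` before dearmoring it gives a verifiable, idempotent step (below; the digest is a placeholder to fill in from an independently verified copy of the key). Two smaller points in the same block: `community.postgresql.postgresql_user` creates the literal user `etherpad` while the database is owned by `{{ etherpad_db_user }}`, so the two diverge if the variable is ever changed — use `name: "{{ etherpad_db_user }}"`; and `ansible.builtin.git` clones `version: master`, which pulls an unpinned upstream HEAD and restarts the service on every upstream change — pin it to a tag or commit through a variable, e.g. `version: "{{ etherpad_version }}"` (name constructed). The `mode: 0644` / `0755` values are unquoted octals and the `yes` booleans are 1.1 spellings; `"0644"` and `true` are the safer forms.
```yaml
    - name: Fetch nodesource signing key
      ansible.builtin.get_url:
        url: https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key
        dest: /usr/share/keyrings/nodesource-repo.gpg.key
        checksum: "sha256:<EXPECTED_KEY_SHA256_PLACEHOLDER>"
        mode: "0644"

    - name: Dearmor nodesource signing key
      ansible.builtin.command:
        cmd: gpg --dearmor -o /usr/share/keyrings/nodesource.gpg /usr/share/keyrings/nodesource-repo.gpg.key
        creates: /usr/share/keyrings/nodesource.gpg
      notify: apt update
    # … unchanged: nodesource source list, apt preference, remaining etherpad tasks …
```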
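Review bot: The bare `ansible.builtin.import_tasks` added at the top of roles/git-server/tasks/main.yaml has no `name:` and sits outside any tagged block, unlike the same import in the etherpad role (inside its `tags: etherpad` block) and the monitoring role (inside its `tags: monitoring` block), so the nginx setup for git runs untagged and the three roles use three different shapes for the same step; `- name: Configure nginx` above the import would at least label it in play output. More importantly, the variables the git and monitoring groups lose in this commit (`nginx_client_max_body_size: 4G`, `nginx_sites` with the `forgejo-nginx.j2` and `prometheus-nginx.j2` snippets and the `9001`/`9000` local proxies) have no visible replacement: `snippets/common-nginx.yaml` is not in the visible part of the diff, so please confirm that it, or the roles' own `nginx-site.conf` templates, carries those vhosts and the 4G upload limit, otherwise pushes to Forgejo over HTTPS will hit nginx's default body-size limit. The rest of the git-server task file is outside the hunk.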