diff --git a/bank.yaml b/bank.yaml index 837d27b..43c92b7 100644 --- a/bank.yaml +++ b/bank.yaml @@ -1,8 +1,8 @@ --- - hosts: bank + roles: + - common + - bank vars: bank_revbank_git: https://github.com/bitlair/revbank.git - roles: - - { role: "common", tags: [ "common" ] } - - { role: "bank", tags: [ "bank" ] } diff --git a/bar.yaml b/bar.yaml index 919a4d8..5752cc3 100644 --- a/bar.yaml +++ b/bar.yaml @@ -4,6 +4,6 @@ vars: raspi_rotate_display: "2" roles: - - { role: "raspi", tags: [ "raspi" ] } - - { role: "common", tags: [ "common" ] } - - { role: "bank-terminal", tags: [ "bank-terminal" ] } + - raspi + - common + - bank-terminal diff --git a/bitlair.yaml b/bitlair.yaml index 71e06f0..ec019e7 100644 --- a/bitlair.yaml +++ b/bitlair.yaml @@ -31,7 +31,6 @@ - hosts: monitoring roles: - { role: "acme", tags: [ "acme" ] } - - { role: "nginx", tags: [ "nginx" ] } - { role: "monitoring", tags: [ "monitoring" ] } - hosts: mqtt @@ -56,5 +55,4 @@ - hosts: wiki roles: - { role: "acme", tags: [ "acme" ] } - - { role: "nginx", tags: [ "nginx" ] } - { role: "www", tags: [ "www" ] } diff --git a/group_vars/pad.yaml b/group_vars/pad.yaml index 1711b7d..b498398 100644 --- a/group_vars/pad.yaml +++ b/group_vars/pad.yaml @@ -1,7 +1 @@ ---- - etherpad_domain: pad.bitlair.nl - -nginx_sites: - - server_name: "pad.bitlair.nl" - localproxy: "9001" diff --git a/group_vars/wiki.yaml b/group_vars/wiki.yaml deleted file mode 100644 index e9a1937..0000000 --- a/group_vars/wiki.yaml +++ /dev/null 
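Review bot: The bank.yaml hunk replaces entries like `{ role: "common", tags: [ "common" ] }` with bare role names, so the play-level role tags are gone and a run limited with `--tags common` or `--tags bank` selects nothing from these roles unless their tasks carry the tag themselves. The same applies to the bar.yaml hunk here and to the mqtt-internal.yaml, music.yaml, pad.yaml and www.yaml hunks later in the diff. Some role task files visible in this diff tag their own blocks (etherpad, monitoring, music); whether common, bank, raspi, acme and go do is not shown. If tagged runs are still in use, keep the mapping form (`- role: common` with `tags: [common]`), or add a comment above `roles:` such as `# tags are set inside each role's tasks`.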
@@ -1,21 +0,0 @@ -acme_bootstrap_certs: yes -acme_san_domains: - - [ bitlair.nl, wiki.bitlair.nl, www.bitlair.nl ] - - [ bitair.nl ] - - [ ravespace.nl ] - -nginx_sites: - - server_name: "bitlair.nl" - server_alias: "wiki.bitlair.nl www.bitlair.nl cyber.bitlair.nl" - snippets: - - "mqtt2web-nginx.j2" - - "spaceapi-nginx.j2" - - "www-nginx.j2" - - server_name: "bitair.nl" - server_alias: "www.bitair.nl" - snippets: - - "bitair-nginx.j2" - - server_name: "ravespace.nl" - server_alias: "www.ravespace.nl" - snippets: - - "ravespace-nginx.j2" diff --git a/group_vars/www.yaml b/group_vars/www.yaml new file mode 100644 index 0000000..e1db9d5 --- /dev/null +++ b/group_vars/www.yaml @@ -0,0 +1,5 @@ +acme_bootstrap_certs: yes +acme_san_domains: + - [ bitlair.nl, wiki.bitlair.nl, www.bitlair.nl ] + - [ bitair.nl ] + - [ ravespace.nl ] diff --git a/mqtt-internal.yaml b/mqtt-internal.yaml index 4e106e0..bdf76a8 100644 --- a/mqtt-internal.yaml +++ b/mqtt-internal.yaml @@ -2,5 +2,5 @@ - hosts: mqtt roles: - - { role: "common", tags: [ "common" ] } - - { role: "mqtt-internal", tags: [ "mqtt", "mqtt-internal" ] } + - common + - mqtt-internal diff --git a/music.yaml b/music.yaml index e4ea70b..d12226c 100644 --- a/music.yaml +++ b/music.yaml @@ -2,8 +2,7 @@ - hosts: music roles: - - { role: "common", tags: [ "common" ] } - - { role: "acme", tags: [ "acme" ] } - - { role: "go", tags: [ "go" ] } -# - { role: "nginx", tags: [ "nginx" ] } - - { role: "music", tags: [ "music" ] } + - common + - acme + - go + - music diff --git a/pad.yaml b/pad.yaml index 74638bf..90d227e 100644 --- a/pad.yaml +++ b/pad.yaml @@ -5,7 +5,6 @@ acme_san_domains: - [ pad.bitlair.nl ] roles: - - { role: "common", tags: [ "common" ] } - - { role: "acme", tags: [ "acme" ] } - - { role: "nginx", tags: [ "nginx" ] } - - { role: "etherpad", tags: [ "etherpad" ] } + - common + - acme + - etherpad diff --git a/roles/etherpad/tasks/main.yaml b/roles/etherpad/tasks/main.yaml index 851cc02..2afe1f6 100644 
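Review bot: The variables moved into `group_vars/www.yaml` are only loaded for hosts in an inventory group named `www`, but the new `www.yaml` play at the end of this diff and the unchanged `- hosts: wiki` play in bitlair.yaml both still target `wiki`. Unless the inventory, which is not part of this diff, also gains a `www` group, `acme_bootstrap_certs` and `acme_san_domains` will be undefined for those hosts, and the acme role would presumably stop covering bitlair.nl, bitair.nl and ravespace.nl. Either keep the file as `group_vars/wiki.yaml` or change the play to `- hosts: www`. While the file is being recreated, it could also start with `---` and use `acme_bootstrap_certs: true` instead of `yes`.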
--- a/roles/etherpad/tasks/main.yaml +++ b/roles/etherpad/tasks/main.yaml @@ -1,6 +1,9 @@ --- - tags: etherpad block: + - ansible.builtin.import_tasks: + file: ../../../snippets/common-nginx.yaml + - name: Install dependencies ansible.builtin.apt: name: [ gpg, postgresql, python3-psycopg2, apt-transport-https ] diff --git a/roles/git-server/tasks/main.yaml b/roles/git-server/tasks/main.yaml index c5fb328..4a5bb3c 100644 --- a/roles/git-server/tasks/main.yaml +++ b/roles/git-server/tasks/main.yaml @@ -1,4 +1,6 @@ --- +- ansible.builtin.import_tasks: + file: ../../../snippets/common-nginx.yaml - name: Install dependencies ansible.builtin.apt: diff --git a/roles/monitoring/tasks/main.yaml b/roles/monitoring/tasks/main.yaml index 398bb5f..a13313c 100644 --- a/roles/monitoring/tasks/main.yaml +++ b/roles/monitoring/tasks/main.yaml @@ -2,6 +2,9 @@ - name: monitoring tags: monitoring block: + - ansible.builtin.import_tasks: + file: ../../../snippets/common-nginx.yaml + - name: Install nginx site ansible.builtin.template: src: nginx-site.conf diff --git a/roles/music/tasks/main.yaml b/roles/music/tasks/main.yaml index cad6eb9..e91f146 100644 --- a/roles/music/tasks/main.yaml +++ b/roles/music/tasks/main.yaml @@ -17,6 +17,8 @@ - tags: music block: + - ansible.builtin.import_tasks: + file: ../../../snippets/common-nginx.yaml - name: Install nginx config ansible.builtin.template: diff --git a/roles/www/tasks/mediawiki.yaml b/roles/www/tasks/mediawiki.yaml index 3835eeb..52dfccf 100644 --- a/roles/www/tasks/mediawiki.yaml +++ b/roles/www/tasks/mediawiki.yaml @@ -4,6 +4,9 @@ name: php-fpm state: present +- ansible.builtin.import_tasks: + file: ../../../snippets/common-nginx.yaml + - name: Install security.txt ansible.builtin.template: src: security.txt diff --git a/snippets/bitair-nginx.j2 b/snippets/bitair-nginx.j2 deleted file mode 100644 index bfb75d6..0000000 --- a/snippets/bitair-nginx.j2 +++ /dev/null @@ -1,2 +0,0 @@ -root /opt/bitair.nl/; -index index.html; 
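Review bot: The imported `snippets/common-nginx.yaml` notifies `reload nginx`, while the same commit drops the `nginx` role from the plays shown, so that handler must now be defined where every importing play can find it; no handlers file is touched in this diff. If the handler lived only in the removed role, the run errors the first time one of the snippet's tasks reports a change, and nginx is not reloaded after `server_tokens off` is written. This applies to all five imports (etherpad, git-server, monitoring, music, www/mediawiki). The import tasks are also unnamed; a line such as `- name: Install and harden nginx` above `ansible.builtin.import_tasks:` would keep play output readable. The enclosing blocks and task lists continue outside these hunks.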
diff --git a/snippets/common-nginx.yaml b/snippets/common-nginx.yaml new file mode 100644 index 0000000..98aa02b --- /dev/null +++ b/snippets/common-nginx.yaml @@ -0,0 +1,18 @@ +--- +- name: Install nginx + apt: + name: nginx + state: present + +- name: Disable nginx server_tokens + lineinfile: + path: /etc/nginx/nginx.conf + line: "\tserver_tokens off;" + regexp: "server_tokens" + notify: reload nginx + +- name: Clear default nginx site + file: + state: absent + path: /etc/nginx/sites-enabled/default + notify: reload nginx diff --git a/snippets/mqtt2web-nginx.j2 b/snippets/mqtt2web-nginx.j2 deleted file mode 100644 index f719780..0000000 --- a/snippets/mqtt2web-nginx.j2 +++ /dev/null @@ -1,11 +0,0 @@ -# mqtt2web nginx config snippet - -location /mqtt/ { - proxy_pass http://localhost:8080/mqtt; - include proxy_params; - proxy_buffering off; - proxy_cache off; - proxy_http_version 1.1; - proxy_set_header Connection ''; - chunked_transfer_encoding off; -} diff --git a/snippets/ravespace-nginx.j2 b/snippets/ravespace-nginx.j2 deleted file mode 100644 index 492f366..0000000 --- a/snippets/ravespace-nginx.j2 +++ /dev/null @@ -1,2 +0,0 @@ -root /opt/ravespace.nl/; -index index.html; diff --git a/snippets/spaceapi-nginx.j2 b/snippets/spaceapi-nginx.j2 deleted file mode 100644 index ba6829a..0000000 --- a/snippets/spaceapi-nginx.j2 +++ /dev/null @@ -1,8 +0,0 @@ -# spaceapi nginx config snippet - -location = /statejson { - proxy_pass http://localhost:8888; - include proxy_params; - add_header 'Access-Control-Allow-Origin' '*'; -} - diff --git a/snippets/www-nginx.j2 b/snippets/www-nginx.j2 deleted file mode 100644 index 1ff42a9..0000000 --- a/snippets/www-nginx.j2 +++ /dev/null 
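Review bot: In the `Disable nginx server_tokens` task, `lineinfile` appends the line at the end of `/etc/nginx/nginx.conf` when no existing line matches `server_tokens`, which puts the directive outside the `http { }` block, where nginx rejects it. Adding `insertafter: '^http \{'` keeps that fallback inside the block, and a line that already matches is still replaced in place. The new file also uses short module names (`apt`, `lineinfile`, `file`) while the role tasks in this diff use fully qualified ones; `ansible.builtin.apt`, `ansible.builtin.lineinfile` and `ansible.builtin.file` would match them.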
@@ -1,89 +0,0 @@ -root /opt/mediawiki-1.41.1/; - -# Photo gallery -location = /fotos { - return 302 $scheme://bitlair.nl/fotos/; -} - -location ~* ^/fotos/(.*)$ { - proxy_pass http://204.2.68.2:4567/$1$is_args$args; -} - -location ~ ^/state/(.+)$ { - alias /opt/spaceapi/assets/$1; -} - -location = /events.ics { - alias /var/lib/bitlair-calendar/events.ics; -} - -location ~ ^/(cache|maintenance|vendor|extensions)/ { - deny all; -} - -# Legacy space API stuff. -location ~ ^/(putconfig|putjson|putstate|state|statejson)\.php$ { - root "/opt/legacy/"; - fastcgi_pass unix:/run/php/php-fpm.sock; - include fastcgi.conf; -} - -location ~ ^/(bitlair.svg|bitlair_closed.png|bitlair_open.png|state|statejson)$ { - root "/opt/legacy/"; -} - -location ~ ^/wp-content { - root "/opt/legacy/"; -} - -location = /statejson.php { - rewrite ^.+$ /statejson; -} - -# Mediawiki -location / { - try_files $uri $uri/ @rewrite; -} - -location ~ \.php$ { - try_files $uri @rewrite; - fastcgi_pass unix:/run/php/php-fpm.sock; - fastcgi_index index.php; - include fastcgi.conf; -} - -location @rewrite { -# rewrite ^/(.*)$ /index.php; - rewrite ^/(.*)$ /index.php?title=$1$args; -} - -location ~ \.(png|css|ico|pdf|flv|jpe?g|gif|js|css)$ { - try_files $uri @rewrite; - expires 1M; -} - -location = /_.gif { - expires max; - empty_gif; -} - -#location /dumps { -# root /opt/bitlair-wiki/local; -# autoindex on; -#} - -# Legacy: redirect old prefix. -location /Pages/ { - rewrite ^/Pages/(.*) https://$server_name/$1$args redirect; -} - -# Matrix realm delegation -location = /.well-known/matrix/server { - add_header "Content-Type" "application/json"; - add_header "Access-Control-Allow-Origin" "*"; - alias /opt/matrix-delegation.json; -} - -location = /.well-known/security.txt { - alias /opt/security.txt; -} diff --git a/wiki.yaml b/wiki.yaml deleted file mode 100644 index 0a7dc96..0000000 --- a/wiki.yaml +++ /dev/null 
@@ -1,8 +0,0 @@ ---- - -- hosts: wiki - roles: - - { role: "common", tags: [ "common" ] } - - { role: "acme", tags: [ "acme" ] } - - { role: "nginx", tags: [ "nginx" ] } - - { role: "www", tags: [ "www" ] } diff --git a/www.yaml b/www.yaml new file mode 100644 index 0000000..6a66f2d --- /dev/null +++ b/www.yaml @@ -0,0 +1,7 @@ +--- + +- hosts: wiki + roles: + - common + - acme + - www