diff --git a/bank.yaml b/bank.yaml index 7514be2..c77308d 100644 --- a/bank.yaml +++ b/bank.yaml @@ -1,6 +1,5 @@ --- - hosts: bank - vars: roles: - common - bank diff --git a/common.yaml b/common.yaml new file mode 100644 index 0000000..2f2247e --- /dev/null +++ b/common.yaml @@ -0,0 +1,4 @@ +--- +- hosts: debian + roles: + - common diff --git a/group_vars/mqtt_internal.yaml b/group_vars/mqtt_internal.yaml new file mode 100644 index 0000000..3ce5308 --- /dev/null +++ b/group_vars/mqtt_internal.yaml @@ -0,0 +1 @@ +mqtt_internal_public_host: bitlair.nl diff --git a/group_vars/music.yaml b/group_vars/music.yaml new file mode 100644 index 0000000..7106ebf --- /dev/null +++ b/group_vars/music.yaml @@ -0,0 +1,3 @@ +music_domain: music.bitlair.nl +acme_san_domains: + - [ music.bitlair.nl ] diff --git a/hosts b/hosts deleted file mode 100644 index 9a609b6..0000000 --- a/hosts +++ /dev/null @@ -1,11 +0,0 @@ -[bank] -bank.bitlair.nl - -[bar] -bank-pi.bitlair.nl - -[mqtt_internal] -mqtt.bitlair.nl - -[music] -music.bitlair.nl diff --git a/hosts.yaml b/hosts.yaml new file mode 100644 index 0000000..d3ebcdc --- /dev/null +++ b/hosts.yaml @@ -0,0 +1,25 @@ +all: + children: + raspi: + hosts: + bank-pi.bitlair.nl: + debian: + children: + bank: + hosts: + bank.bitlair.nl: + git: + hosts: + git.bitlair.nl: + lights: + hosts: + lights.bitlair.nl: + mqtt_internal: + hosts: + mqtt.bitlair.nl: + music: + hosts: + music.bitlair.nl: + www: + hosts: + cyber.bitlair.nl: diff --git a/mqtt-internal.yaml b/mqtt-internal.yaml index 102998a..20d0cb7 100644 --- a/mqtt-internal.yaml +++ b/mqtt-internal.yaml @@ -1,7 +1,5 @@ --- - hosts: mqtt_internal - vars: - mqtt_internal_public_host: bitlair.nl roles: - common - mqtt-internal diff --git a/music.yaml b/music.yaml index 919aa71..b6fe086 100644 --- a/music.yaml +++ b/music.yaml @@ -1,9 +1,5 @@ --- - hosts: music - vars: - music_domain: music.bitlair.nl - acme_san_domains: - - [ music.bitlair.nl ] roles: - common - acme 
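Review bot: The new `hosts.yaml` inventory has no `bar` group, although the deleted `hosts` file defined `[bar]` for bank-pi.bitlair.nl, which now appears only under `raspi`. Any playbook that still targets `hosts: bar` would match no hosts and be skipped with only a warning; no such playbook is visible in this diff, so this needs checking against the repository. The hunk's indentation was lost, so the nesting cannot be verified here, but if `raspi` is a sibling of `debian` rather than a child, the new `common.yaml` play (`hosts: debian`) will not apply the `common` role, including its iptables rules, to bank-pi. If that exclusion is intended, a comment above the group such as `# raspi: not covered by common.yaml on purpose` would record it.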
diff --git a/roles/acme/templates/nginx-snippet.conf b/roles/acme/templates/nginx-snippet.conf index 4d988bd..c57ac6a 100644 --- a/roles/acme/templates/nginx-snippet.conf +++ b/roles/acme/templates/nginx-snippet.conf @@ -2,5 +2,6 @@ location /.well-known/acme-challenge { allow all; + auth_basic off; alias /var/lib/dehydrated/acme-challenges; } diff --git a/roles/common/tasks/main.yaml b/roles/common/tasks/main.yaml index 14c461f..a47b058 100644 --- a/roles/common/tasks/main.yaml +++ b/roles/common/tasks/main.yaml @@ -31,7 +31,7 @@ lineinfile: path: /etc/bash.bashrc insertafter: EOF - regexp: "^source /usr/share/doc/fzf/{{ item }}" + regexp: "^source /usr/share/doc/fzf/examples/{{ item }}" line: "source /usr/share/doc/fzf/examples/{{ item }} # Managed by Ansible" with_items: - key-bindings.bash @@ -77,12 +77,15 @@ - ipv6 notify: persist iptables -- name: Allow IPv6 ICMP +- name: Allow ICMP iptables: chain: INPUT - protocol: ipv6-icmp + protocol: "{{ item.proto }}" jump: ACCEPT - ip_version: ipv6 + ip_version: "{{ item.ip }}" + with_items: + - { ip: ipv4, proto: icmp } + - { ip: ipv6, proto: ipv6-icmp } notify: persist iptables - name: Allow related and established connections diff --git a/roles/common/tasks/network.yaml b/roles/common/tasks/network.yaml index 29bf9c2..47053a9 100644 --- a/roles/common/tasks/network.yaml +++ b/roles/common/tasks/network.yaml @@ -5,17 +5,14 @@ state: present when: network_br -- lineinfile: +- name: Configure sysctl.conf + lineinfile: path: /etc/sysctl.conf - regexp: ^#?net.ipv4.ip_forward - line: "net.ipv4.ip_forward=1 # Managed by Ansible" - notify: reboot - when: network_br - -- lineinfile: - path: /etc/sysctl.conf - regexp: ^#?net.ipv6.conf.all.forwarding - line: "net.ipv6.conf.all.forwarding=1 # Managed by Ansible" + regexp: "^#?{{ item.k }}" + line: "{{ item.k }}={{ item.v }} # Managed by Ansible" + with_items: + - { k: net.ipv4.ip_forward, v: "1" } + - { k: net.ipv6.conf.all.forwarding, v: "1" } notify: reboot when: network_br 
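Review bot: The reworked `Allow ICMP` task in `roles/common/tasks/main.yaml` now accepts every IPv4 ICMP type on INPUT with no type filter or rate limit, where before only ICMPv6 was opened. ICMPv6 has to stay broadly open for neighbour discovery, but for IPv4 it is usually enough to accept echo-request, destination-unreachable, time-exceeded and parameter-problem, which the module supports through `icmp_type`. If the broad rule is kept, adding `limit: 10/second` (a constructed value, to be tuned) would at least bound ping floods. The rest of the rule set lies outside the hunk, so whether another rule already constrains ICMP cannot be seen from here.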
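Review bot: The templated pattern `regexp: "^#?{{ item.k }}"` in the new `Configure sysctl.conf` task of `roles/common/tasks/network.yaml` is a prefix match with unescaped dots, so `net.ipv4.ip_forward` also matches a line for `net.ipv4.ip_forward_use_pmtu`, and lineinfile rewrites the last line that matches. Escaping and anchoring the key closes that: `regexp: "^#?{{ item.k | regex_escape }}\\s*="`. Separately, both keys make the host forward packets whenever `network_br` is set, and the FORWARD chain policy is not visible in this diff, so it is worth confirming that the `common` role's iptables tasks restrict forwarded traffic.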
diff --git a/roles/common/templates/network-interfaces b/roles/common/templates/network-interfaces index b90590e..4799cd3 100644 --- a/roles/common/templates/network-interfaces +++ b/roles/common/templates/network-interfaces @@ -18,20 +18,20 @@ iface eth0 inet manual auto br0 iface br0 inet static - address {{ network_static.address_v4 }} - gateway {{ network_static.gateway_v4 }} + address {{ network_address_v4 }} + gateway {{ network_gateway_v4 }} bridge_ports eth0 iface br0 inet6 auto up echo -n 0 > /sys/devices/virtual/net/br0/bridge/multicast_snooping - up ip -6 addr add {{ network_static.address_v6 }} dev br0 - up ip -6 route add default via {{ network_static.gateway_v6 }} dev br0 + up ip -6 addr add {{ network_address_v6 }} dev br0 + up ip -6 route add default via {{ network_gateway_v6 }} dev br0 bridge_stp on {% elif network_static %} iface eth0 inet static - address {{ network_static.address_v4 }} - gateway {{ network_static.gateway_v4 }} + address {{ network_address_v4 }} + gateway {{ network_gateway_v4 }} {% else %} iface eth0 inet dhcp diff --git a/roles/music/handlers/main.yaml b/roles/music/handlers/main.yaml index 11225a0..f3d692b 100644 --- a/roles/music/handlers/main.yaml +++ b/roles/music/handlers/main.yaml @@ -17,3 +17,9 @@ name: librespot state: restarted daemon_reload: true + +- name: restart soundboard + systemd: + name: soundboard + state: restarted + daemon_reload: true diff --git a/roles/music/tasks/main.yaml b/roles/music/tasks/main.yaml index 3a4eb8c..e7021de 100644 --- a/roles/music/tasks/main.yaml +++ b/roles/music/tasks/main.yaml @@ -8,6 +8,9 @@ - tags: music_librespot import_tasks: librespot.yaml +- tags: music_soundboard + import_tasks: soundboard.yaml + - tags: music block: - name: Install nginx diff --git a/roles/music/tasks/soundboard.yaml b/roles/music/tasks/soundboard.yaml new file mode 100644 index 0000000..ae29422 --- /dev/null +++ b/roles/music/tasks/soundboard.yaml 
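Review bot: The `roles/common/templates/network-interfaces` template still branches on `{% elif network_static %}` while every value it emits now comes from the flat `network_address_v4`, `network_gateway_v4`, `network_address_v6` and `network_gateway_v6` variables. If host variables were migrated to the flat names and `network_static` was dropped, that branch either falls through to DHCP or fails on an undefined variable, depending on the role defaults, which are not part of this diff. Either keep `network_static` documented in the defaults as a boolean switch, or test the value that is actually used, e.g. `{% elif network_address_v4 is defined %}`. The opening `{% if %}` of this block is outside the hunk, so the bridge branch's condition deserves the same check.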
@@ -0,0 +1,72 @@
+---
+- name: Install dependencies
+ apt:
+ name: virtualenv
+ state: present
+
+- name: Clone soundboard source
+ git:
+ repo: https://github.com/polyfloyd/mqtt-soundboard.git
+ version: main
+ dest: /opt/soundboard
+ accept_hostkey: yes
+ notify: restart soundboard
+
+- name: Create virtualenv
+ command: virtualenv /opt/soundboard/.venv
+ args:
+ creates: /opt/soundboard/.venv
+
+- name: Install Python dependencies
+ shell: . .venv/bin/activate && pip install -r requirements.txt
+ args:
+ chdir: /opt/soundboard
+
+- name: Install soundboard config file
+ template:
+ src: soundboard.yaml
+ dest: /etc/soundboard.yaml
+ owner: root
+ group: root
+ mode: 0644
+ notify: restart soundboard
+
+- name: Install soundboard service file
+ template:
+ src: soundboard.service
+ dest: /etc/systemd/system/soundboard.service
+ owner: root
+ group: root
+ mode: 0644
+ notify: restart soundboard
+
+- name: Enable soundboard
+ systemd:
+ name: soundboard
+ state: started
+ enabled: true
+ daemon_reload: true
+
+- name: Install shutdown sound script
+ template:
+ src: shutdown-sound.sh
+ dest: /opt/shutdown-sound.sh
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Install shutdown sound service
+ template:
+ src: shutdown-sound.service
+ dest: /etc/systemd/system/shutdown-sound.service
+ owner: root
+ group: root
+ mode: 0644
+ notify: daemon reload
+
+- name: Enable shutdown-sound
+ systemd:
+ name: shutdown-sound
+ state: started
+ enabled: true
+ daemon_reload: true
diff --git a/roles/music/templates/shutdown-sound.service b/roles/music/templates/shutdown-sound.service
new file mode 100644
index 0000000..6c6de88
--- /dev/null
+++ b/roles/music/templates/shutdown-sound.service
@@ -0,0 +1,16 @@
+# Managed by Ansible
+
+[Unit]
+Description=Goodbye
+Requires=mpd.service
+
+[Service]
+Type=oneshot
+ExecStart=/bin/true
+ExecStop=/opt/shutdown.sh
+RemainAfterExit=true
+User=audio
+Group=audio
+
+[Install]
+WantedBy=multi-user.target
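Review bot: `Clone soundboard source` tracks `version: main` of a GitHub repository and the following task runs `pip install -r requirements.txt` on every play, so each Ansible run can pull unreviewed code and dependencies onto the host, where `soundboard.service` from this same commit executes them as root. Pinning `version` to a reviewed commit and letting the `pip` module manage the virtualenv closes that gap, makes the install idempotent, and replaces the separate `Create virtualenv` and `shell` tasks. `accept_hostkey: yes` has no effect on an https URL and can be dropped. As a smaller point, the file modes are safer quoted, e.g. `mode: "0644"`.

```yaml
  git:
    repo: https://github.com/polyfloyd/mqtt-soundboard.git
    version: "<PINNED_COMMIT_SHA>"  # placeholder: a reviewed commit, not a branch
# … unchanged: dest, notify (accept_hostkey dropped) …

# replaces "Create virtualenv" and the shell-based install
- name: Install Python dependencies
  pip:
    requirements: /opt/soundboard/requirements.txt
    virtualenv: /opt/soundboard/.venv
  notify: restart soundboard
# … unchanged: config, service and shutdown-sound tasks …
```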
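Review bot: `ExecStop=/opt/shutdown.sh` does not match the path the role installs: the `Install shutdown sound script` task in `roles/music/tasks/soundboard.yaml` writes the script to `/opt/shutdown-sound.sh`, and with `mode: 0644`, so it would not be executable even at the right path. As written the stop action fails and no sound is played; the unit should use `ExecStop=/opt/shutdown-sound.sh` and the task `mode: "0755"`. `Requires=mpd.service` without a matching `After=mpd.service` also leaves the stop order undefined, so mpd may already be gone when the script calls `mpc clear`.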
diff --git a/roles/music/templates/shutdown-sound.sh b/roles/music/templates/shutdown-sound.sh
new file mode 100644
index 0000000..9346f74
--- /dev/null
+++ b/roles/music/templates/shutdown-sound.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+# Managed by Ansible
+
+systemctl stop trollibox.service
+mpc clear
+
+su audio -c 'mplayer -volume 10 -ao jack:name=MPlayer /opt/sounds/shutdown.mp3'
diff --git a/roles/music/templates/soundboard.service b/roles/music/templates/soundboard.service
new file mode 100644
index 0000000..6c74903
--- /dev/null
+++ b/roles/music/templates/soundboard.service
@@ -0,0 +1,15 @@
+# Managed by Ansible
+
+[Unit]
+Description=MQTT Soundboard
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/opt/soundboard/.venv/bin/python /opt/soundboard/soundboard.py /etc/soundboard.yaml
+Restart=always
+RestartSec=10
+User=root
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/music/templates/soundboard.yaml b/roles/music/templates/soundboard.yaml
new file mode 100644
index 0000000..5ef917f
--- /dev/null
+++ b/roles/music/templates/soundboard.yaml
@@ -0,0 +1,21 @@
+loglevel: INFO
+
+mqtt:
+ host: mqtt.bitlair.nl
+
+sounds:
+ directory: /opt/sounds
+ play_cmd: "mplayer -volume 10 -ao jack:name=MPlayer %s"
+ topic: bitlair/soundboard
+
+aliases:
+ - sound: space_open
+ topic: bitlair/state
+ value: open
+ - sound: space_close
+ topic: bitlair/state
+ value: close
+ - sound: doorbell
+ topic: bitlair/doorduino/doorbell
+ - sound: nomunnie
+ topic: bitlair/bank/shame
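Review bot: The script `roles/music/templates/shutdown-sound.sh` needs root for `systemctl stop trollibox.service` and for a password-less `su audio -c …`, but `shutdown-sound.service` in this commit runs it with `User=audio` and `Group=audio`. Under that unit the stop call will most likely be refused and `su` will ask for a password it cannot get. The simplest fix is to drop `User=` and `Group=` from the unit so that only the mplayer call drops to `audio`. A header comment such as `# Runs from shutdown-sound.service ExecStop; expects root` would document the assumption.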
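Review bot: `User=root` in `soundboard.service` gives full root on the music host to a network-facing MQTT client that spawns `play_cmd` for incoming messages, and nothing in the unit narrows that. The shutdown script in this commit already plays through JACK as `audio`, so the service can presumably run as that user; the root-owned 0644 installs of the config and the clone under `/opt/soundboard` should stay readable to it. A small set of sandboxing directives is worth adding and testing against JACK access. `After=network.target` could also become `After=network-online.target` with `Wants=network-online.target`, though `Restart=always` already covers a broker that is not yet reachable.

```ini
[Service]
Type=simple
# … unchanged: ExecStart, Restart, RestartSec …
User=audio
Group=audio
NoNewPrivileges=true
ProtectSystem=strict
```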
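Review bot: `play_cmd: "mplayer … %s"` in `roles/music/templates/soundboard.yaml` is a command template filled from a value that, judging by `topic: bitlair/soundboard`, comes from MQTT payloads, and the `mqtt:` block sets only `host`, with no TLS or credentials. How `soundboard.py` substitutes `%s` is not visible here, so confirm before deploying that it resolves the requested name to an existing file under `directory` and runs the command as an argument list rather than through a shell. Combined with `User=root` in `soundboard.service`, anything weaker would let any client able to publish to the broker influence a root command line. If the upstream config format supports them, broker credentials and TLS belong here too, supplied from vaulted variables rather than literals. The template also lacks the `# Managed by Ansible` header that the other templates in this commit carry.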