diff --git a/.ansible-lint b/.ansible-lint deleted file mode 100644 index c6123e8..0000000 --- a/.ansible-lint +++ /dev/null @@ -1,14 +0,0 @@ -#warn_list: # or 'skip_list' to silence them completely -skip_list: - - experimental - - var-naming[no-role-prefix] - - name -warn_list: - - '204' # Lines should be no longer than 160 chars - - no-handler - - ignore-errors - - fqcn-builtins - - fqcn - - partial-become[task] - - template-instead-of-copy -offline: true diff --git a/.config/ansible-lint.yml b/.config/ansible-lint.yml deleted file mode 100644 index 658acbd..0000000 --- a/.config/ansible-lint.yml +++ /dev/null @@ -1,8 +0,0 @@ ---- -skip_list: - - fqcn[action-core] - - name[casing] - - name[missing] - -exclude_paths: - - .forgejo diff --git a/.forgejo/workflows/test.yaml b/.forgejo/workflows/test.yaml deleted file mode 100644 index 52f8c18..0000000 --- a/.forgejo/workflows/test.yaml +++ /dev/null @@ -1,19 +0,0 @@ -name: Test - -on: - push: - branches: - - main - -jobs: - - build: - runs-on: docker - container: - image: alpine:latest - - steps: - - run: apk add nodejs ansible ansible-lint - - uses: actions/checkout@v4 - - - run: ansible-lint diff --git a/.gitignore b/.gitignore deleted file mode 100644 index 781c027..0000000 --- a/.gitignore +++ /dev/null @@ -1,3 +0,0 @@ -.password-store -.gitignore -.envrc diff --git a/.yamllint.yaml b/.yamllint.yaml deleted file mode 100644 index 2d3284c..0000000 --- a/.yamllint.yaml +++ /dev/null @@ -1,22 +0,0 @@ ---- - -extends: relaxed - -rules: - # 80 chars should be enough, but don't fail if a line is longer - line-length: - max: 200 - level: warning - empty-lines: - max: 2 - max-start: 1 - max-end: 1 - colons: - max-spaces-after: -1 - commas: - max-spaces-after: -1 - comments: - min-spaces-from-content: 1 - octal-values: - forbid-implicit-octal: true - forbid-explicit-octal: true diff --git a/authorized_keys/ak.keys b/authorized_keys/ak.keys index a257da2..75593c5 100644 --- a/authorized_keys/ak.keys 
+++ b/authorized_keys/ak.keys @@ -1,3 +1 @@ ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZ0ryG8LT5ryjc3tZggVP0cxjXoKOPzUIwmB9Yez+u3nDHc3RdLR0V/BdcVPCJl9vOQwsFaTE34ZEZ3A6qkcSaz2Npxqq0eFtcEAKTy9w41C6jE586jkwkednSK9ObFFZnlSA3ielYeB5bRuELHyvazHWSUGn+/nzuujAYpEABRGAlt0IV2eMugsb1aEs5v8/Hw3REGz6IeNBwlVOzDznGK4N0b1es270k2fpkD0XMRnga7x2eduD74gRYJHo41sKz6kqHFfXjvrH6Efrn5sNtTF7pIkPfeiX4ukDQYG6Ynxgkdbi1pMg5zGjjjRZ0iExKqNi+jtZhVewqFvj66vLX arjan@koopen.net -ssh-rsa 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 arjan@koopen.net SL - diff --git a/authorized_keys/foobar.keys b/authorized_keys/foobar.keys index 057bbbf..6493dc3 100644 --- a/authorized_keys/foobar.keys +++ b/authorized_keys/foobar.keys @@ -1,4 +1,2 @@ -ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUIAkaRsvb6cD1XIGF80JpMH1mYE9XhCgptOkt9AfloZQlO7Ds5XeCwJk5/TsoidTcb/0yFUov8SMwaIVtrFfkNUqqeAsfm3luJ4JwOXeCwrXD6W7c5Wqg/FGNH0eZr0kEnxpNS10L72+oNBQgnlSNjqWS29lEmXApKQ3IKy6aP9cMwEh25fsH/2G7mHsZX2UMPK0tZPC6MPxY5P9PWLIulUpsX96c6OcAvGYIvsCnecsVsTdhK36w4Z/t7XoLFz5X6k3eXT7gG4SMGuBixjroTUhumWzgJJ6T1Nn/eESe7Im8krlzO/0hG/F8uBy3s04TAJuXFmygvtC4YLyq91U5 Sig-I/O Beheer key -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyKprIcR81+RFSBxU3iyW4vd0ctr0q1Pqifzxbro+0C mark@x240-ed25519 -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGc3py/K9wUSF86SIMv2AWtVAxEb1ZEy7BEz7VrGeZp/ sigio@t14 - +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDUIAkaRsvb6cD1XIGF80JpMH1mYE9XhCgptOkt9AfloZQlO7Ds5XeCwJk5/TsoidTcb/0yFUov8SMwaIVtrFfkNUqqeAsfm3luJ4JwOXeCwrXD6W7c5Wqg/FGNH0eZr0kEnxpNS10L72+oNBQgnlSNjqWS29lEmXApKQ3IKy6aP9cMwEh25fsH/2G7mHsZX2UMPK0tZPC6MPxY5P9PWLIulUpsX96c6OcAvGYIvsCnecsVsTdhK36w4Z/t7XoLFz5X6k3eXT7gG4SMGuBixjroTUhumWzgJJ6T1Nn/eESe7Im8krlzO/0hG/F8uBy3s04TAJuXFmygvtC4YLyq91U5 +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICyKprIcR81+RFSBxU3iyW4vd0ctr0q1Pqifzxbro+0C diff --git a/bank.yaml b/bank.yaml index c820bc3..43c92b7 100644 --- a/bank.yaml +++ b/bank.yaml 
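Review bot: The two keys kept in foobar.keys lose their trailing comments (`Sig-I/O Beheer key`, `mark@x240-ed25519`), so nothing in the file says whose key or which device each entry belongs to, which is exactly what you need when rotating or revoking one. The third key (`sigio@t14`) is dropped entirely; if that is a deliberate revocation it is worth saying so in the commit message. I would keep an owner/device comment on each line, e.g. `ssh-ed25519 AAAAC3…bro+0C mark@x240-ed25519`, since sshd ignores the comment field and it costs nothing.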
@@ -1,8 +1,8 @@
 ---
+
 - hosts: bank
 roles:
- - { role: "common", tags: [ "common" ] }
- - { role: "nft", tags: [ "nft" ] }
- - { role: "nginx", tags: [ "nginx" ] }
- - { role: "acme", tags: [ "acme" ] }
- - { role: "bank", tags: [ "bank" ] }
+ - common
+ - bank
+ vars:
+ bank_revbank_git: https://github.com/bitlair/revbank.git
diff --git a/bar.yaml b/bar.yaml
index 919a4d8..5752cc3 100644
--- a/bar.yaml
+++ b/bar.yaml
@@ -4,6 +4,6 @@ vars:
 raspi_rotate_display: "2"
 roles:
- - { role: "raspi", tags: [ "raspi" ] }
- - { role: "common", tags: [ "common" ] }
- - { role: "bank-terminal", tags: [ "bank-terminal" ] }
+ - raspi
+ - common
+ - bank-terminal
diff --git a/bitlair.yaml b/bitlair.yaml
index d09757f..ec019e7 100644
--- a/bitlair.yaml
+++ b/bitlair.yaml
@@ -1,80 +1,58 @@ + --- -- name: common - hosts: all +- hosts: all gather_facts: true roles: - - { role: "common", tags: ["common"] } - - { role: "nft", tags: ["nft"] } + - { role: "common", tags: [ "common" ] } -- name: bank - hosts: bank +- hosts: bank roles: - - { role: "bank", tags: ["bank"] } + - { role: "bank", tags: [ "bank" ] } -- name: homeassistant - hosts: homeassistant +- hosts: raspi roles: - - { role: "acme", tags: ["acme"] } - - { role: "nginx", tags: ["nginx"] } + - { role: "raspi", tags: [ "raspi" ] } + - { role: "bank-terminal", tags: [ "bank-terminal" ] } -- name: raspi - hosts: raspi +- hosts: fotos roles: - - { role: "raspi", tags: ["raspi"] } - - { role: "bank-terminal", tags: ["bank-terminal"] } + - { role: "photos", tags: [ "photos" ] } -- name: fotos - hosts: fotos +- hosts: git-ci roles: - - { role: "photos", tags: ["photos"] } + - { role: "git-ci", tags: [ "git-ci" ] } -- name: CI - hosts: git-ci +- hosts: git roles: - - { role: "git-ci", tags: ["git-ci"] } + - { role: "acme", tags: [ "acme" ] } + - { role: "git-server", tags: [ "git-server" ] } -- name: git - hosts: git +- hosts: monitoring roles: - - { role: "acme", tags: ["acme"] } - - { role: "nginx", tags: ["nginx"] } - - { role: "git-server", tags: ["git-server"] } + - { role: "acme", tags: [ "acme" ] } + - { role: "monitoring", tags: [ "monitoring" ] } -- name: monitoring - hosts: monitoring +- hosts: mqtt roles: - - { role: "acme", tags: ["acme"] } - - { role: "nginx", tags: ["nginx"] } - - { role: "monitoring", tags: ["monitoring"] } + - { role: "mqtt-internal", tags: [ "mqtt-internal" ] } -- name: mqtt - hosts: mqtt +- hosts: music roles: - - { role: "mqtt", tags: ["mqtt"] } + - { role: "acme", tags: [ "acme" ] } + - { role: "go", tags: [ "go" ] } + - { role: "music", tags: [ "music" ] } -- name: music - hosts: music +- hosts: pad roles: - - { role: "acme", tags: ["acme"] } - - { role: "go", tags: ["go"] } - - { role: "music", tags: ["music"] } + - { role: "acme", tags: [ "acme" 
] } + - { role: "etherpad", tags: [ "etherpad" ] } -- name: pad - hosts: pad +- hosts: services roles: - - { role: "acme", tags: ["acme"] } - - { role: "nginx", tags: ["nginx"] } - - { role: "etherpad", tags: ["etherpad"] } + - { role: "services", tags: [ "services" ] } -- name: services - hosts: services +- hosts: wiki roles: - - { role: "services", tags: ["services"] } - -- name: wiki - hosts: wiki - roles: - - { role: "acme", tags: ["acme"] } - - { role: "nginx", tags: ["nginx"] } - - { role: "www", tags: ["www"] } + - { role: "acme", tags: [ "acme" ] } + - { role: "www", tags: [ "www" ] } diff --git a/common.yaml b/common.yaml index dacc2ae..3e0cb27 100644 --- a/common.yaml +++ b/common.yaml @@ -3,5 +3,4 @@ - hosts: debian gather_facts: true roles: - - { role: "common", tags: [ "common" ] } - - { role: "nft", tags: [ "nft" ] } + - common diff --git a/fotos.yaml b/fotos.yaml index 7357e31..f0edd7b 100644 --- a/fotos.yaml +++ b/fotos.yaml @@ -2,5 +2,5 @@ - hosts: fotos roles: - - { role: "common", tags: [ "common" ] } - - { role: "photos", tags: [ "photos" ] } + - common + - photos diff --git a/git-ci.yaml b/git-ci.yaml index 711dac4..fa9f7b7 100644 --- a/git-ci.yaml +++ b/git-ci.yaml @@ -2,5 +2,5 @@ - hosts: git-ci roles: - - { role: "common", tags: [ "common" ] } - - { role: "git-ci", tags: [ "git-ci" ] } + - common + - git-ci diff --git a/git.yaml b/git.yaml index 0ae1811..2161a4c 100644 --- a/git.yaml +++ b/git.yaml @@ -2,7 +2,6 @@ - hosts: git roles: - - { role: "common", tags: [ "common" ] } - - { role: "acme", tags: [ "acme" ] } - - { role: "nginx", tags: [ "nginx" ] } - - { role: "git-server", tags: [ "git-server" ] } + - common + - acme + - git-server diff --git a/group_vars/all.yaml b/group_vars/all.yaml index 3deb227..bdafa45 100644 --- a/group_vars/all.yaml +++ b/group_vars/all.yaml 
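Review bot: The `hosts: mqtt` play now applies the `mqtt-internal` role, while the new standalone playbook `mqtt-internal.yaml` in this same change targets `hosts: mqtt_internal`; the inventory hunk shows neither group, so one of the two will silently match no hosts unless both groups exist outside this diff. Pick one group name and use it in both places, e.g. `- hosts: mqtt` in mqtt-internal.yaml. The `name:` on every play is also dropped, which makes run output and `--list-tasks` harder to read and trips ansible-lint's `name[play]` rule; a one-line `- name: mqtt` per play is cheap to keep.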
@@ -3,26 +3,25 @@ ansible_user: root ansible_python_interpreter: auto_silent notify_email: bestuur@bitlair.nl +acme_bootstrap_certs: no trusted_ranges: - - { v: ipv4, cidr: "127.0.0.1/8", comment: "localhost" } - - { v: ipv4, cidr: "10.0.0.0/8", comment: "rfc1918" } - - { v: ipv4, cidr: "172.16.0.0/12", comment: "rfc1918" } - - { v: ipv4, cidr: "192.168.0.0/16", comment: "rfc1918" } - - { v: ipv4, cidr: "45.88.49.140", comment: "vihamij" } - - { v: ipv4, cidr: "204.2.64.0/20", comment: "eventinfra / bitlair" } - - { v: ipv4, cidr: "100.64.0.0/10", comment: "bitlair" } - - { v: ipv4, cidr: "185.205.52.194/32", comment: "bitlair A2B" } # kan weg ?? - - { v: ipv4, cidr: "31.187.251.213/32", comment: "foobar thuis" } - - { v: ipv4, cidr: "185.205.53.40/32", comment: "ak / koopen.net" } -# - { v: ipv6, cidr: "::/0", comment: "ipv6 localhost" } -# - { v: ipv6, cidr: "fe80::/10", comment: "ipv6 link-local" } -# - { v: ipv6, cidr: "2a02:166b:92::/48", comment: "bitlair" } # /48's kunnen niet in de ipset - - { v: ipv6, cidr: "2001:678:814:68::/64", comment: "bitlair wifi" } - - { v: ipv6, cidr: "2a05:2d01:0:4042::/64", comment: "bitlair servers" } - - { v: ipv6, cidr: "2a05:2d01:1337::/48", comment: "bitlair space v6-range" } - - { v: ipv6, cidr: "2a0e:5700:4:2::/64", comment: "foobar ipv6" } -trusted_ports: - - ssh + # localhost + - { v: ipv4, cidr: 127.0.0.1/8 } + - { v: ipv6, cidr: "::1" } + # rf1928 + - { v: ipv4, cidr: 10.0.0.0/8 } + - { v: ipv4, cidr: 172.16.0.0/12 } + - { v: ipv4, cidr: 192.168.0.0/16 } + # v6 local + - { v: ipv6, cidr: "fe80::/10" } + # vihamij + - { v: ipv4, cidr: 45.88.49.140 } + # eventinfra + - { v: ipv4, cidr: 204.2.64.0/20 } + + - { v: ipv4, cidr: 100.64.0.0/10 } + - { v: ipv4, cidr: 185.205.52.194/32 } + - { v: ipv6, cidr: "2a02:166b:92::/48" } root_access: - ak diff --git a/group_vars/bank.yaml b/group_vars/bank.yaml deleted file mode 100644 index 1684cfa..0000000 --- a/group_vars/bank.yaml +++ /dev/null 
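Review bot: The rewritten `trusted_ranges` drops the per-entry comments that said what `100.64.0.0/10`, `185.205.52.194/32` (previously marked `kan weg ??`) and `2a02:166b:92::/48` are for, and the `trusted_ports` list disappears with no replacement in this file. The common role in this same change accepts all traffic from every `trusted_ranges` entry, so if that is what ends up applied, `204.2.64.0/20` (eventinfra) and the whole `100.64.0.0/10` shared-address block gain access to every listening port rather than ssh only as before — worth confirming that is intended. `# rf1928` should read `# rfc1918`, and I would restore an owner comment on each non-RFC1918 range so the next person can tell which ones are still needed.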
@@ -1,17 +0,0 @@ ---- -deposit_hostname: deposit.bitlair.nl - -acme_domains: - - "{{ deposit_hostname }}" - -nginx_sites: - - server_name: "{{ deposit_hostname }}" - config: - - |- - location / { - proxy_pass http://localhost:8000/; - include proxy_params; - } - -group_nft_input: - - "tcp dport { http, https } accept # Allow web-traffic from world" diff --git a/group_vars/fotos.yaml b/group_vars/fotos.yaml index 94751d2..5a9ca68 100644 --- a/group_vars/fotos.yaml +++ b/group_vars/fotos.yaml @@ -1,15 +1,6 @@ - root_access: - ak - foobar - linor - polyfloyd - wilco - -trusted_ports: - - ssh - - microsoft-ds - -group_nft_input: - - "ip saddr 204.2.64.19 tcp dport { 4567 } accept # Allow traffic from wiki" - diff --git a/group_vars/git-ci.yaml b/group_vars/git-ci.yaml index e0bdaab..18ed638 100644 --- a/group_vars/git-ci.yaml +++ b/group_vars/git-ci.yaml @@ -1,5 +1 @@ ---- - forgejo_url: https://git.bitlair.nl - -nft: false # Docker wil nog niet zo met nft diff --git a/group_vars/git.yaml b/group_vars/git.yaml index b938f18..ed549a9 100644 --- a/group_vars/git.yaml +++ b/group_vars/git.yaml @@ -1,18 +1,5 @@ ---- - acme_domains: - "{{ git_server_domain }}" git_server_domain: git.bitlair.nl git_server_title: Gitlair git_server_bootstrap_cert: no - -group_nft_input: - - "tcp dport { ssh, http, https } accept # Allow ssh(git) + web-traffic from world" - -nginx_client_max_body_size: 4G - -nginx_sites: - - server_name: "git.bitlair.nl" - localproxy: "9001" - snippets: - - "forgejo-nginx.j2" diff --git a/group_vars/homeassistant.yaml b/group_vars/homeassistant.yaml deleted file mode 100644 index 53b604a..0000000 --- a/group_vars/homeassistant.yaml +++ /dev/null 
@@ -1,12 +0,0 @@ -acme_san_domains: - - [ homeassistant.bitlair.nl ] - -group_nft_input: - - "tcp dport { http, https } accept # Allow web-traffic from world" - - "tcp dport { 1883 } accept # mqtt from world" - -nginx_sites: - - server_name: "homeassistant.bitlair.nl" - localproxy: "8123" - snippets: - - "homeassistant-nginx.j2" diff --git a/group_vars/kvm.yaml b/group_vars/kvm.yaml deleted file mode 100644 index cd21505..0000000 --- a/group_vars/kvm.yaml +++ /dev/null @@ -1,2 +0,0 @@ ---- - diff --git a/group_vars/lights.yaml b/group_vars/lights.yaml deleted file mode 100644 index cd21505..0000000 --- a/group_vars/lights.yaml +++ /dev/null @@ -1,2 +0,0 @@ ---- - diff --git a/group_vars/monitoring.yaml b/group_vars/monitoring.yaml index 61c5cae..b692290 100644 --- a/group_vars/monitoring.yaml +++ b/group_vars/monitoring.yaml @@ -1,10 +1,7 @@ monitoring_domain: dashboard.bitlair.nl monitoring_bootstrap_cert: no acme_san_domains: - - ["{{ monitoring_domain }}"] - -group_nft_input: - - "tcp dport { http, https } accept # Allow web-traffic from world" + - ["{{ monitoring_domain }}", monitoring.bitlair.nl] prometheus_scrape_configs: - job_name: "node" @@ -20,7 +17,6 @@ prometheus_scrape_configs: - "lights.bitlair.nl:9100" - "music.bitlair.nl:9100" - "service.bitlair.nl:9100" - - "user.bitlair.nl:9100" - job_name: "mqtt" static_configs: - targets: [ "localhost:9883" ] @@ -34,7 +30,6 @@ prometheus_scrape_configs: - https://bitlair.nl - https://git.bitlair.nl - https://pad.bitlair.nl - - https://user.bitlair.nl # Legacy - https://wiki.bitlair.nl - https://portal.bitlair.nl @@ -45,9 +40,3 @@ prometheus_scrape_configs: target_label: instance - target_label: __address__ replacement: "{{ blackbox_exporter_web_listen_address }}" - -nginx_sites: - - server_name: "dashboard.bitlair.nl" - localproxy: "9000" - snippets: - - "prometheus-nginx.j2" diff --git a/group_vars/mqtt.yaml b/group_vars/mqtt.yaml deleted file mode 100644 index af51b73..0000000 
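Review bot: Putting `monitoring.bitlair.nl` in the same `acme_san_domains` entry as `dashboard.bitlair.nl` makes them one certificate, and as far as I know dehydrated fails the whole line when any one SAN fails validation, so if the new name does not yet resolve to this host or port 80 is unreachable for http-01 the dashboard certificate stops renewing too. With the `group_nft_input` allow for http/https and the `nginx_sites` entry removed in this hunk and nothing visible replacing them, that reachability now depends on something outside this diff. Either keep the names on separate lines (`- ["{{ monitoring_domain }}"]` / `- [monitoring.bitlair.nl]`) until the new name is confirmed to validate, or add a comment naming the role that now opens 80/443 and serves the challenge.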
--- a/group_vars/mqtt.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- - -nft_group_rules: - - { version: "ip6", from: [ '2001:470:7f95::/48' ], port: "1883" } - -trusted_ports: - - ssh - - 1883 diff --git a/group_vars/music.yaml b/group_vars/music.yaml index 8f0cc7c..ee9235b 100644 --- a/group_vars/music.yaml +++ b/group_vars/music.yaml @@ -1,8 +1,3 @@ ---- - -# Fixme, nog niet kunnen testen, was down -nft: false - root_access: - ak - bob @@ -10,8 +5,6 @@ root_access: - foobar - polyfloyd -nginx_client_max_body_size: 512M - music_domain: music.bitlair.nl acme_san_domains: - [ music.bitlair.nl ] diff --git a/group_vars/pad.yaml b/group_vars/pad.yaml index 6f4babc..b498398 100644 --- a/group_vars/pad.yaml +++ b/group_vars/pad.yaml @@ -1,28 +1 @@ ---- - -acme_domains: - - pad.bitlair.nl - etherpad_domain: pad.bitlair.nl - -nginx_sites: - - server_name: "pad.bitlair.nl" -# localproxy: "9001" - pre_config: - - "# WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html" - - "map $http_upgrade $connection_upgrade {" - - " default upgrade;" - - " '' close;" - - "}" - config: - - "location / {" - - " proxy_pass http://localhost:9001/;" - - " include proxy_params;" - - "" - - " # WebSocket proxying - from https://nginx.org/en/docs/http/websocket.html" - - " proxy_set_header Upgrade $http_upgrade;" - - " proxy_set_header Connection $connection_upgrade;" - - "}" - -group_nft_input: - - "tcp dport { http, https } accept # Allow web-traffic from world" diff --git a/group_vars/raspi.yaml b/group_vars/raspi.yaml deleted file mode 100644 index 4b0461c..0000000 --- a/group_vars/raspi.yaml +++ /dev/null @@ -1,4 +0,0 @@ ---- - -# Nog niet kunnen testen / geen toegang -nft: false diff --git a/group_vars/services.yaml b/group_vars/services.yaml deleted file mode 100644 index 7ab4b9c..0000000 --- a/group_vars/services.yaml +++ /dev/null 
@@ -1,15 +0,0 @@ ---- - -group_nft_input: [] - # test - -nft_group_rules: - - { from: [ '204.2.64.29' ], port: "3306", comment: "Mysql vanaf eventinfra, verzoek AK" } - - { from: [ '100.64.0.14' ], port: "4000", proto: "udp", comment: "siahsd"} - - { from: [ '204.2.64.86' ], port: "31337", proto: "tcp", comment: "irc-say vanaf home assistant" } - -power_mqtt_targets: - - net: space - ip: 100.64.0.21 - - net: unicorndept - ip: 100.64.0.187 diff --git a/group_vars/shell.yaml b/group_vars/shell.yaml deleted file mode 100644 index 3d7c4b8..0000000 --- a/group_vars/shell.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- - -manage_sshd_config: false - -group_nft_input: - - "tcp dport { ssh } accept # Allow SSH from world" diff --git a/group_vars/wiki.yaml b/group_vars/wiki.yaml deleted file mode 100644 index 19dda0b..0000000 --- a/group_vars/wiki.yaml +++ /dev/null @@ -1,24 +0,0 @@ -acme_san_domains: - - [ bitlair.nl, wiki.bitlair.nl, www.bitlair.nl ] - - [ bitair.nl ] - - [ ravespace.nl ] - -group_nft_input: - - "tcp dport { http, https } accept # Allow web-traffic from world" - - "tcp dport { 1883 } accept # mqtt from world" - -nginx_sites: - - server_name: "bitlair.nl" - server_alias: "wiki.bitlair.nl www.bitlair.nl cyber.bitlair.nl" - snippets: - - "mqtt2web-nginx.j2" - - "spaceapi-nginx.j2" - - "www-nginx.j2" - - server_name: "bitair.nl" - server_alias: "www.bitair.nl" - snippets: - - "bitair-nginx.j2" - - server_name: "ravespace.nl" - server_alias: "www.ravespace.nl" - snippets: - - "ravespace-nginx.j2" diff --git a/group_vars/www.yaml b/group_vars/www.yaml new file mode 100644 index 0000000..e1db9d5 --- /dev/null +++ b/group_vars/www.yaml @@ -0,0 +1,5 @@ +acme_bootstrap_certs: yes +acme_san_domains: + - [ bitlair.nl, wiki.bitlair.nl, www.bitlair.nl ] + - [ bitair.nl ] + - [ ravespace.nl ] diff --git a/inventory b/inventory index c380b07..7e430e1 100644 --- a/inventory +++ b/inventory @@ -1,5 +1,4 @@ -# Bitlair inventory - +# Inventory [raspi] bank-pi.bitlair.nl 
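Review bot: This adds `group_vars/www.yaml`, but the inventory hunk below still only has a `[wiki]` group and `bitlair.yaml` in this change targets `hosts: wiki`, so unless a `www` group exists outside this diff the SAN list and `acme_bootstrap_certs: yes` never apply to wiki.bitlair.nl while the `group_vars/wiki.yaml` that did apply is deleted. Either name the file `group_vars/wiki.yaml` or add `[www]` to the inventory. `yes` parses as a boolean in Ansible, but `acme_bootstrap_certs: true` is the unambiguous spelling and pairs better with `false` in `group_vars/all.yaml`.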
@@ -40,15 +39,6 @@ service.bitlair.nl [wiki] wiki.bitlair.nl -[shell] -shell.bitlair.nl - -[homeassistant] -homeassistant.bitlair.nl - -[chat] -chat.bitlair.nl - [debian:children] bank fotos @@ -61,6 +51,4 @@ monitoring music services wiki -shell -homeassistant -chat + diff --git a/lint.sh b/lint.sh deleted file mode 100755 index 296c955..0000000 --- a/lint.sh +++ /dev/null @@ -1,6 +0,0 @@ -#!/bin/bash - -j2lint `find ./ -type f -name '*.j2'` -yamllint -c .yamllint.yaml . -ansible-lint bitlair.yaml - diff --git a/monitoring.yaml b/monitoring.yaml index 9e05df0..9ad8623 100644 --- a/monitoring.yaml +++ b/monitoring.yaml @@ -2,7 +2,6 @@ - hosts: monitoring roles: - - { role: "common", tags: [ "common" ] } - - { role: "acme", tags: [ "acme" ] } - - { role: "nginx", tags: [ "nginx" ] } - - { role: "monitoring", tags: [ "monitoring" ] } + - common + - acme + - monitoring diff --git a/mqtt-internal.yaml b/mqtt-internal.yaml new file mode 100644 index 0000000..1e941f8 --- /dev/null +++ b/mqtt-internal.yaml @@ -0,0 +1,6 @@ +--- + +- hosts: mqtt_internal + roles: + - common + - mqtt-internal diff --git a/mqtt.yaml b/mqtt.yaml deleted file mode 100644 index 7b691f3..0000000 --- a/mqtt.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- - -- hosts: mqtt - roles: - - { role: "common", tags: [ "common" ] } - - { role: "mqtt", tags: [ "mqtt", "mqtt" ] } diff --git a/music.yaml b/music.yaml index e4ea70b..d12226c 100644 --- a/music.yaml +++ b/music.yaml @@ -2,8 +2,7 @@ - hosts: music roles: - - { role: "common", tags: [ "common" ] } - - { role: "acme", tags: [ "acme" ] } - - { role: "go", tags: [ "go" ] } -# - { role: "nginx", tags: [ "nginx" ] } - - { role: "music", tags: [ "music" ] } + - common + - acme + - go + - music diff --git a/pad.yaml b/pad.yaml index 380e790..90d227e 100644 --- a/pad.yaml +++ b/pad.yaml 
@@ -5,8 +5,6 @@ acme_san_domains:
 - [ pad.bitlair.nl ]
 roles:
- - { role: "common", tags: [ "common" ] }
- - { role: "nft", tags: [ "nft" ] }
- - { role: "acme", tags: [ "acme" ] }
- - { role: "nginx", tags: [ "nginx" ] }
- - { role: "etherpad", tags: [ "etherpad" ] }
+ - common
+ - acme
+ - etherpad
diff --git a/roles/acme/handlers/main.yaml b/roles/acme/handlers/main.yaml
index 7ff2509..508fc1a 100644
--- a/roles/acme/handlers/main.yaml
+++ b/roles/acme/handlers/main.yaml
@@ -1,9 +1,7 @@
----
-
 - name: update_contact_info
 ansible.builtin.command:
 cmd: dehydrated --account
-- name: run dehydrated
+- name: query_certificates
 ansible.builtin.command:
 cmd: dehydrated --cron
diff --git a/roles/acme/tasks/main.yaml b/roles/acme/tasks/main.yaml
index 01bf029..653f49c 100644
--- a/roles/acme/tasks/main.yaml
+++ b/roles/acme/tasks/main.yaml
@@ -1,46 +1,82 @@ --- +- ansible.builtin.import_tasks: + file: remove_conflicting.yaml + tags: [ never, acme_remove_conflicting ] - name: Install Dehydrated - ansible.builtin.apt: - state: present - pkg: - - dehydrated - tags: - - acme + tags: [ acme, acme_install ] + block: + - name: Install dependencies + ansible.builtin.apt: + name: ssl-cert + state: present -- name: Create Nginx snippet snippets dir - ansible.builtin.file: - state: "directory" - path: "/etc/nginx/snippets" - owner: "root" - group: "root" - mode: "0755" + - name: Install Dehydrated + ansible.builtin.apt: + name: dehydrated + state: present -- name: Template dehydrated configfiles - ansible.builtin.template: - src: "{{ item.src }}" - dest: "{{ item.dest }}" - owner: "{{ item.owner | default('root') }}" - group: "{{ item.group | default('root') }}" - mode: "{{ item.mode | default('0640') }}" - notify: "{{ item.notify | default([]) }}" - with_items: - - { src: "config.sh", dest: "/etc/dehydrated/conf.d/ansible.sh", mode: '0755' } - - { src: "deploy.sh", dest: "/etc/dehydrated/conf.d/deploy.sh", mode: '0755' } - - { src: "cron", dest: "/etc/cron.d/dehydrated" } - - { src: "nginx-snippet.conf", dest: "/etc/nginx/snippets/acme.conf" } - - { src: "domains.txt", dest: "/etc/dehydrated/domains.txt", notify: "run dehydrated" } + - name: Install config file + ansible.builtin.template: + src: config.sh + dest: /etc/dehydrated/conf.d/ansible.sh + owner: root + group: root + mode: 0755 + notify: update_contact_info -- name: Register account - ansible.builtin.command: - args: - cmd: dehydrated --register --accept-terms - creates: /var/lib/dehydrated/accounts + - name: Install deploy hook + ansible.builtin.template: + src: deploy.sh + dest: /etc/dehydrated/conf.d/deploy.sh + owner: root + group: root + mode: 0755 -- name: Symlink SAN domains - ansible.builtin.include_tasks: - file: san_domains_loop.yaml - loop: "{{ acme_san_domains | default([]) }}" - loop_control: - loop_var: domains + - name: Install cronjob 
+ ansible.builtin.template: + src: cron + dest: /etc/cron.d/dehydrated + owner: root + group: root + mode: 0644 + - name: Create Nginx snippet snippets dir + ansible.builtin.file: + state: directory + path: /etc/nginx/snippets + owner: root + group: root + mode: 0755 + + - name: Install Nginx snippet + ansible.builtin.template: + src: nginx-snippet.conf + dest: /etc/nginx/snippets/acme.conf + owner: root + group: root + mode: 0644 + + - name: Register account + ansible.builtin.command: + cmd: dehydrated --register --accept-terms + args: + creates: /var/lib/dehydrated/accounts + +- tags: [ acme, acme_certs ] + block: + - name: Configure certificates + ansible.builtin.template: + src: domains.txt + dest: /etc/dehydrated/domains.txt + owner: root + group: root + mode: 0644 + notify: query_certificates + + - name: Symlink SAN domains + ansible.builtin.include_tasks: + file: san_domains_loop.yaml + loop: "{{ acme_san_domains|default([]) }}" + loop_control: + loop_var: domains diff --git a/roles/acme/tasks/remove_conflicting.yaml b/roles/acme/tasks/remove_conflicting.yaml index dcbb573..9c88555 100644 --- a/roles/acme/tasks/remove_conflicting.yaml +++ b/roles/acme/tasks/remove_conflicting.yaml @@ -1,4 +1,9 @@ --- +- name: Remove certbot from apt + ansible.builtin.apt: + name: [ letsencrypt, certbot ] + state: absent + autoremove: yes - name: Remove variable directories ansible.builtin.file: diff --git a/roles/acme/tasks/san_domains_loop.yaml b/roles/acme/tasks/san_domains_loop.yaml index 99d57b5..b878042 100644 --- a/roles/acme/tasks/san_domains_loop.yaml +++ b/roles/acme/tasks/san_domains_loop.yaml @@ -1,5 +1,4 @@ --- - - ansible.builtin.stat: path: "/var/lib/dehydrated/certs/{{ domains[0] }}" register: cert_stat diff --git a/roles/acme/templates/config.sh b/roles/acme/templates/config.sh index 2dae219..f51455d 100644 --- a/roles/acme/templates/config.sh +++ b/roles/acme/templates/config.sh 
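Review bot: Every `mode:` in the new block is an unquoted octal (`0755`, `0644`), which YAML 1.1 reads as an integer; Ansible converts it back, but ansible-lint's `risky-octal` rule and the yamllint `octal-values` rule this change deletes both flag it — write `mode: "0755"`. The block still templates a snippet into `/etc/nginx/snippets` and `deploy.sh` reloads `nginx.service`, while this change removes the `nginx` role from every playbook; if nothing else installs nginx on the hosts that get this role, the snippet task fails and the http-01 challenge has nothing to serve it. A short comment on `Create Nginx snippet snippets dir` naming the role now responsible for nginx would avoid that surprise.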
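Review bot: `autoremove: yes` on the certbot removal task purges every auto-installed package that no longer has a dependent, not just certbot's, so running the `acme_remove_conflicting` tag can drop unrelated libraries on a host that was partially cleaned up by hand. Since the task is `never`-tagged and only run deliberately, drop `autoremove` here and leave the system-wide autoremove to `debian-upgrade.yaml`. Note that `letsencrypt`/`certbot` are also removed from `debian_packages_unwanted` in the common role in this change, so by default a host may now carry both certbot and dehydrated renewing the same names.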
@@ -1,5 +1,5 @@ #!/bin/bash -# {{ ansible_managed }} +# Managed by Ansible CONTACT_EMAIL={{ notify_email }} diff --git a/roles/acme/templates/cron b/roles/acme/templates/cron index c7d7c91..ecf8b99 100644 --- a/roles/acme/templates/cron +++ b/roles/acme/templates/cron @@ -1,4 +1,4 @@ -# {{ ansible_managed }} +# Managed by Ansible SHELL=/bin/sh PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin diff --git a/roles/acme/templates/deploy.sh b/roles/acme/templates/deploy.sh index cbcb1b1..3d962b6 100644 --- a/roles/acme/templates/deploy.sh +++ b/roles/acme/templates/deploy.sh @@ -1,5 +1,5 @@ #!/bin/bash -# {{ ansible_managed }} +# Managed by Ansible systemctl reload nginx.service diff --git a/roles/acme/templates/domains.txt b/roles/acme/templates/domains.txt index eba6ded..632b12b 100644 --- a/roles/acme/templates/domains.txt +++ b/roles/acme/templates/domains.txt @@ -1,4 +1,4 @@ -# {{ ansible_managed }} +# Managed by Ansible {% for domain in acme_domains|default([]) %} {{ domain }} diff --git a/roles/acme/templates/nginx-snippet.conf b/roles/acme/templates/nginx-snippet.conf index 7425bc2..c57ac6a 100644 --- a/roles/acme/templates/nginx-snippet.conf +++ b/roles/acme/templates/nginx-snippet.conf @@ -1,4 +1,4 @@ -# {{ ansible_managed }} +# Managed by Ansible location /.well-known/acme-challenge { allow all; diff --git a/roles/bank/defaults/main.yaml b/roles/bank/defaults/main.yaml index b0fea92..136726e 100644 --- a/roles/bank/defaults/main.yaml +++ b/roles/bank/defaults/main.yaml @@ -1,3 +1,3 @@ bank_user: bank -bank_revbank_git: https://git.bitlair.nl/bitlair/revbank.git +bank_revbank_git: https://github.com/revspace/revbank.git bank_local_tty: no diff --git a/roles/bank/handlers/main.yaml b/roles/bank/handlers/main.yaml index a06cd29..e7a11ce 100644 --- a/roles/bank/handlers/main.yaml +++ b/roles/bank/handlers/main.yaml 
@@ -1,9 +1,3 @@
 ---
 - ansible.builtin.import_tasks:
 file: ../../common/handlers/main.yaml
-
-- name: Restart revbank-deposit
- ansible.builtin.systemd:
- name: revbank-deposit
- state: restarted
- daemon_reload: true
diff --git a/roles/bank/tasks/inflatinator.yaml b/roles/bank/tasks/inflatinator.yaml
new file mode 100644
index 0000000..dc687a3
--- /dev/null
+++ b/roles/bank/tasks/inflatinator.yaml
@@ -0,0 +1,12 @@
+---
+- name: Install dependencies
+ ansible.builtin.apt:
+ name: [ links, python3-pyquery ]
+ state: present
+
+- name: Clone revbank-inflatinator source
+ ansible.builtin.git:
+ repo: https://github.com/bitlair/revbank-inflatinator.git
+ version: main
+ dest: /opt/revbank-inflatinator
+ accept_hostkey: yes
diff --git a/roles/bank/tasks/login.yaml b/roles/bank/tasks/login.yaml
index 7ed568e..cd0f9ba 100644
--- a/roles/bank/tasks/login.yaml
+++ b/roles/bank/tasks/login.yaml
@@ -11,7 +11,6 @@ ansible.builtin.blockinfile:
 path: /etc/ssh/sshd_config
 insertafter: EOF
- validate: "/usr/sbin/sshd -t -f %s"
 block: |-
 Match User bank
 PasswordAuthentication yes
diff --git a/roles/bank/tasks/main.yaml b/roles/bank/tasks/main.yaml
index fd9f58f..7ad90f6 100644
--- a/roles/bank/tasks/main.yaml
+++ b/roles/bank/tasks/main.yaml
@@ -7,6 +7,6 @@ ansible.builtin.import_tasks:
 file: revbank.yaml
-- tags: [ bank, bank_revbank_deposit ]
+- tags: [ bank, bank_inflatinator ]
 ansible.builtin.import_tasks:
- file: revbank-deposit.yaml
+ file: inflatinator.yaml
diff --git a/roles/bank/tasks/revbank-deposit.yaml b/roles/bank/tasks/revbank-deposit.yaml
deleted file mode 100644
index 1190a53..0000000
--- a/roles/bank/tasks/revbank-deposit.yaml
+++ /dev/null
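Review bot: The clone of revbank-inflatinator tracks `version: main`, so every run of the bank role pulls whatever is currently on that GitHub branch into `/opt/revbank-inflatinator` with no review step; for code that presumably acts on the bank's product data, pin it to a tag or commit (`version: <sha>`) and bump deliberately. `accept_hostkey: yes` has no effect for an https remote and can be dropped. The task has no `notify`, so a changed checkout triggers nothing here — if the tool is cron-driven that is fine, but a comment saying how it is invoked would help the next reader.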
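Review bot: Dropping `validate: "/usr/sbin/sshd -t -f %s"` from the `blockinfile` that appends a `Match User bank` block to `/etc/ssh/sshd_config` means a malformed block is written unchecked, and because that block enables `PasswordAuthentication` a typo is only noticed when sshd next restarts — and this same change adds reboot handlers to the common role. If validation was removed because `sshd -t` on a temporary copy rejects this config, say so in a comment; otherwise keep the validate line, it costs one `sshd -t` per run. The task starts before this hunk.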
@@ -1,47 +0,0 @@
----
-- name: Clone source
- ansible.builtin.git:
- repo: https://git.bitlair.nl/bitlair/revbank-deposit.git
- version: main
- dest: /usr/local/lib/revbank-deposit
- accept_hostkey: yes
- notify: Restart revbank-deposit
-
-- name: Install apt dependencies
- ansible.builtin.apt:
- name:
- - python3-pip
- - python3-virtualenv
-
-- name: Install pip dependencies
- ansible.builtin.pip:
- chdir: /usr/local/lib/revbank-deposit
- virtualenv: .venv
- requirements: requirements.txt
-
-- name: Configure revbank-deposit
- ansible.builtin.template:
- src: revbank-deposit.conf
- dest: /etc/revbank-deposit.conf
- owner: root
- group: root
- mode: 0600
- notify: Restart revbank-deposit
-
-- name: Install revbank-deposit service
- ansible.builtin.template:
- src: revbank-deposit.service
- dest: /etc/systemd/system/revbank-deposit.service
- owner: root
- group: root
- mode: 0644
- notify: Restart revbank-deposit
-
-- name: Start revbank-deposit
- ansible.builtin.systemd:
- daemon_reload: true
- name: revbank-deposit
- state: started
- enabled: true
-
-- meta: flush_handlers
diff --git a/roles/bank/templates/git.cron b/roles/bank/templates/git.cron
index b703657..2290e43 100644
--- a/roles/bank/templates/git.cron
+++ b/roles/bank/templates/git.cron
@@ -1,4 +1,4 @@
 SHELL=/bin/bash
 #m h dom mon dow user command
- 0 * * * * {{ bank_user }} (cd /home/{{ bank_user }}/data.git && git pull -r && git push && git gc --auto && cp revbank.products ../revbank.products)
+ 0 * * * * {{ bank_user }} (cd /home/{{ bank_user }}/data.git && git push --mirror && git gc --auto)
diff --git a/roles/bank/templates/revbank-deposit.conf b/roles/bank/templates/revbank-deposit.conf
deleted file mode 100644
index 7e02359..0000000
--- a/roles/bank/templates/revbank-deposit.conf
+++ /dev/null
@@ -1,4 +0,0 @@
-# {{ ansible_managed }}
-
-PUBLIC_URL=https://{{ deposit_hostname }}
-MOLLIE_API_KEY={{ lookup('passwordstore', 'mollie subkey=apikey') }}
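Review bot: `git push --mirror` implies `--force` and also deletes remote refs that do not exist locally, so the hourly job now overwrites whatever is on the remote instead of the old `git pull -r && git push` merge; if anyone ever pushes to `data.git` from elsewhere, their commits are gone at the next hour with no error. If the remote is meant as a write-only backup that is fine and deserves a comment on the line; if not, keep the rebase-pull before pushing, e.g. `git pull -r && git push --all && git gc --auto`. The `cp revbank.products ../revbank.products` step is also gone — presumably revbank now reads the products file from the checkout, but that is not visible here.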
diff --git a/roles/bank/templates/revbank-deposit.service b/roles/bank/templates/revbank-deposit.service deleted file mode 100644 index 83a93f5..0000000 --- a/roles/bank/templates/revbank-deposit.service +++ /dev/null @@ -1,18 +0,0 @@ -# {{ ansible_managed }} - -[Unit] -Description=Revbank Deposit -After=network.target - -[Service] -Type=simple -Restart=on-failure -RestartSec=10s -ExecStart=/usr/local/lib/revbank-deposit/.venv/bin/fastapi run main.py --host 127.0.0.1 -WorkingDirectory=/usr/local/lib/revbank-deposit -EnvironmentFile=/etc/revbank-deposit.conf -DynamicUser=true - -[Install] -WantedBy=multi-user.target - diff --git a/roles/common/defaults/main.yaml b/roles/common/defaults/main.yaml index 82c6bcf..5512d86 100644 --- a/roles/common/defaults/main.yaml +++ b/roles/common/defaults/main.yaml @@ -17,5 +17,3 @@ node_exporter: true debian_packages_unwanted: - netcat-traditional - - letsencrypt - - certbot diff --git a/roles/common/handlers/main.yaml b/roles/common/handlers/main.yaml index 3f6d5b8..b71cef9 100644 --- a/roles/common/handlers/main.yaml +++ b/roles/common/handlers/main.yaml @@ -1,29 +1,31 @@ --- -- name: Update grub +- name: update grub ansible.builtin.command: cmd: update-grub -- name: Apt update +- name: reboot + ansible.builtin.reboot: + +- name: apt update ansible.builtin.apt: update_cache: true -- name: Daemon reload +- name: daemon reload ansible.builtin.systemd: daemon_reload: true -- name: Reload sshd +- name: reload sshd ansible.builtin.systemd: name: ssh state: reloaded -- name: Reload nginx +- name: reload nginx ansible.builtin.systemd: name: nginx state: reloaded -- name: Persist iptables +- name: persist iptables ansible.builtin.shell: "{{ item.c }}-save > /etc/iptables/rules.{{ item.ip }}" with_items: - { c: iptables, ip: v4 } - { c: ip6tables, ip: v6 } - when: not nft | bool diff --git a/roles/common/tasks/debian-upgrade.yaml b/roles/common/tasks/debian-upgrade.yaml index f986713..3ff5041 100644 
--- a/roles/common/tasks/debian-upgrade.yaml +++ b/roles/common/tasks/debian-upgrade.yaml @@ -21,6 +21,9 @@ ansible.builtin.apt: upgrade: full +- name: Reboot + ansible.builtin.reboot: + - name: autoremove ansible.builtin.apt: autoremove: yes diff --git a/roles/common/tasks/main.yaml b/roles/common/tasks/main.yaml index 29f7744..b0b39cf 100644 --- a/roles/common/tasks/main.yaml +++ b/roles/common/tasks/main.yaml @@ -15,12 +15,9 @@ group: "{{ item.group | default('root') }}" with_items: - { src: "apt.conf.j2", dest: "/etc/apt/apt.conf" } - - { src: "apt-defaultrelease.j2", dest: "/etc/apt/apt.conf.d/09defaultrelease" } - - { src: "apt-preferences-stable.j2", dest: "/etc/apt/preferences.d/stableonly" } - { src: "sources.list.j2", dest: "/etc/apt/sources.list" } - { src: "apt-auto-upgrades.j2", dest: "/etc/apt/apt.conf.d/20auto-upgrades" } - { src: "apt-unattended-upgrades.j2", dest: "/etc/apt/apt.conf.d/50unattended-upgrades" } - register: aptconfig when: - ansible_os_family == "Debian" tags: @@ -59,8 +56,6 @@ - name: Install standard packages ansible.builtin.apt: - cache_valid_time: 3600 - update_cache: "{{ aptconfig.changed | bool | default(false) }}" pkg: - curl - fzf @@ -68,6 +63,8 @@ - etckeeper - git - htop + - iptables + - iptables-persistent - jq - net-tools - netcat-openbsd @@ -78,7 +75,6 @@ - vim - unattended-upgrades - apt-listchanges - - sudo-ldap - name: Configure FZF for Bash ansible.builtin.lineinfile: @@ -99,7 +95,7 @@ path: /etc/default/grub regexp: '^GRUB_TIMEOUT=' line: "GRUB_TIMEOUT=1 # Managed by Ansible" - notify: Update grub + notify: update grub - name: Configure cron email ansible.builtin.lineinfile: @@ -112,7 +108,6 @@ path: /etc/ssh/sshd_config regexp: "{{ item.regexp }}" line: "{{ item.line }}" - validate: "/usr/sbin/sshd -t -f %s" with_items: - regexp: '^#?Port' line: 'Port {{ ssh_port }}' 
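Review bot: Removing `update_cache` and `cache_valid_time: 3600` from `Install standard packages` means this role never refreshes the package index, even right after the template task above it rewrites `sources.list` (and that task's `register: aptconfig` is dropped in this change too), so a fresh host or a release change installs from a stale or empty index. Re-add `cache_valid_time: 3600` at minimum, or have the sources.list template `notify: apt update` and run `meta: flush_handlers` before this task.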
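Review bot: The `lineinfile` loop that rewrites `Port`, `PasswordAuthentication` and `DebianBanner` in `/etc/ssh/sshd_config` loses its `validate: "/usr/sbin/sshd -t -f %s"`, and the same change adds `reboot` handlers to this role, so a bad line (say an undefined `ssh_port`) is now written unverified and bites at the next reboot when sshd refuses to start. Keep the validate line on this task; if it was removed because validation on a temporary file fails for this config, a comment explaining that would stop the next person from re-adding it. The task's `with_items` continues past the end of this hunk.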
@@ -120,6 +115,58 @@ line: 'PasswordAuthentication no' - regexp: '^#?DebianBanner' line: 'DebianBanner no' - when: manage_sshd_config | default(true) - notify: Reload sshd + notify: reload sshd +- name: Allow SSH + ansible.builtin.iptables: + chain: INPUT + protocol: tcp + destination_port: "{{ ssh_port }}" + ctstate: NEW + jump: ACCEPT + ip_version: "{{ item }}" + with_items: + - ipv4 + - ipv6 + notify: persist iptables + +- name: Allow ICMP + ansible.builtin.iptables: + chain: INPUT + protocol: "{{ item.proto }}" + jump: ACCEPT + ip_version: "{{ item.ip }}" + with_items: + - { ip: ipv4, proto: icmp } + - { ip: ipv6, proto: ipv6-icmp } + notify: persist iptables + +- name: Allow related and established connections + ansible.builtin.iptables: + chain: INPUT + ctstate: ESTABLISHED,RELATED + jump: ACCEPT + ip_version: "{{ item }}" + with_items: + - ipv4 + - ipv6 + notify: persist iptables + +- name: Allow local connections + ansible.builtin.iptables: + chain: INPUT + source: "{{ item.cidr }}" + jump: ACCEPT + ip_version: "{{ item.v }}" + with_items: "{{ trusted_ranges }}" + notify: persist iptables + +- name: Deny inbound connections + ansible.builtin.iptables: + chain: INPUT + policy: DROP + ip_version: "{{ item }}" + with_items: + - ipv4 + - ipv6 + notify: persist iptables diff --git a/roles/common/tasks/network.yaml b/roles/common/tasks/network.yaml index 7e2a75b..9d5e471 100644 --- a/roles/common/tasks/network.yaml +++ b/roles/common/tasks/network.yaml @@ -13,6 +13,7 @@ with_items: - { k: net.ipv4.ip_forward, v: "1" } - { k: net.ipv6.conf.all.forwarding, v: "1" } + notify: reboot when: network_br - name: Make network interfaces really predictable @@ -21,7 +22,8 @@ regexp: ^GRUB_CMDLINE_LINUX line: 'GRUB_CMDLINE_LINUX="net.ifnames=0 biosdevname=0" # Managed by Ansible' notify: - - Update grub + - update grub + - reboot when: network_br or network_dhcp or network_static - name: Configure network interfaces 
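Review bot: With `policy: DROP` set by `Deny inbound connections`, nothing in the new rule set accepts traffic arriving on the loopback interface: `Allow related and established connections` only matches replies, and `Allow local connections` accepts from `trusted_ranges`, which I cannot see and which presumably holds LAN prefixes rather than 127.0.0.0/8 and ::1. New connections to services that other roles in this change bind to localhost (the Postgres socket used by etherpad, nginx upstreams) would then be dropped once the policy takes effect. Add an explicit loopback accept before the DROP task, as below. The hunk also removes `when: manage_sshd_config | default(true)` without a replacement, so hosts that had opted out of sshd management now get their config rewritten; if that is intended, a comment on the task should say so.

```yaml
- name: Allow loopback
  ansible.builtin.iptables:
    chain: INPUT
    in_interface: lo
    jump: ACCEPT
    ip_version: "{{ item }}"
  with_items:
    - ipv4
    - ipv6
  notify: persist iptables

# … unchanged: Allow SSH / Allow ICMP / Allow related and established / Allow local connections …

- name: Deny inbound connections
```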
@@ -31,6 +33,7 @@ owner: root group: root mode: 0644 + notify: reboot when: network_br or network_dhcp or network_static - ansible.builtin.meta: flush_handlers diff --git a/roles/common/tasks/vm.yaml b/roles/common/tasks/vm.yaml index f70850c..505c03f 100644 --- a/roles/common/tasks/vm.yaml +++ b/roles/common/tasks/vm.yaml @@ -10,8 +10,9 @@ ansible.builtin.lineinfile: path: /etc/default/grub regexp: ^GRUB_CMDLINE_LINUX_DEFAULT - line: 'GRUB_CMDLINE_LINUX_DEFAULT="quiet net.ifnames=0 console=ttyS0,115200n1 console=tty0"' + line: 'GRUB_CMDLINE_LINUX_DEFAULT="quiet console=ttyS0,115200n1 console=tty0"' notify: - - Update grub + - update grub + - reboot tags: - questagent diff --git a/roles/common/templates/apt-defaultrelease.j2 b/roles/common/templates/apt-defaultrelease.j2 deleted file mode 100644 index 1bab7c5..0000000 --- a/roles/common/templates/apt-defaultrelease.j2 +++ /dev/null @@ -1 +0,0 @@ -APT::Default-Release "{{ ansible_distribution_release }}"; diff --git a/roles/common/templates/apt-preferences-stable.j2 b/roles/common/templates/apt-preferences-stable.j2 deleted file mode 100644 index 8fc3cd0..0000000 --- a/roles/common/templates/apt-preferences-stable.j2 +++ /dev/null @@ -1,19 +0,0 @@ -# Prefer packages from our release -# Prevent auto-installation from testing/unstable/sid/whatever - -Package: * -Pin: release n={{ ansible_distribution_release }} -Pin-Priority: 900 - -Package: * -Pin: release n=sid -Pin-Priority: -10 - -Package: * -Pin: release n=testing -Pin-Priority: -10 - -Package: * -Pin: release n=unstable -Pin-Priority: -10 - diff --git a/roles/common/templates/authorized_keys.j2 b/roles/common/templates/authorized_keys.j2 index 9df7ff6..182dc36 100644 --- a/roles/common/templates/authorized_keys.j2 +++ b/roles/common/templates/authorized_keys.j2 @@ -2,5 +2,5 @@ {% for name in root_access %} # {{ name }} -{{ lookup('file', 'authorized_keys/' + name + '.keys') }} +{{ lookup('file', 'authorized_keys/'+name+'.keys') }} {% endfor %} 
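Review bot: Dropping `net.ifnames=0` from `GRUB_CMDLINE_LINUX_DEFAULT` in vm.yaml is only safe if the flag still reaches the kernel from elsewhere; in this diff it moves to `GRUB_CMDLINE_LINUX` in network.yaml, but that task is guarded by `when: network_br or network_dhcp or network_static`. A VM with none of those set would, after the `reboot` this task now notifies, come back with predictable interface names instead of `eth0`, and any interface configuration keyed on `eth0` stops working. Either keep the flag here or lift the `when` guard on the network.yaml task; the vm.yaml task's `- name:` line is above the hunk.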
diff --git a/roles/common/templates/sources.list.j2 b/roles/common/templates/sources.list.j2 index 2722b8f..9aac632 100644 --- a/roles/common/templates/sources.list.j2 +++ b/roles/common/templates/sources.list.j2 @@ -1,9 +1,9 @@ # {{ ansible_managed }} -{% if debian_source_repos | default(false) %} -{% set SRC = "" %} +{% if debian_source_repos|default(false) %} +{% set SRC = "" %} {% else %} -{% set SRC = "# " %} +{% set SRC = "# " %} {% endif %} {% set components = "main contrib non-free-firmware" %} @@ -20,8 +20,5 @@ deb {{ debian_repourl }} {{ ansible_distribution_release }}-backports {{ compone # # Security patches deb {{ debian_securityurl }} {{ ansible_distribution_release }}-security {{ components }} -{{ SRC }}deb-src {{ debian_securityurl }} {{ ansible_distribution_release }}-security {{ components }} +{{ SRC }}deb-src {{ debian_securityurl }} {{ ansible_distribution_release }}-security main contrib non- free -# Testing/Unstable repos -deb {{ debian_repourl }} testing {{ components }} -deb {{ debian_repourl }} sid {{ components }} diff --git a/roles/etherpad/handlers/main.yaml b/roles/etherpad/handlers/main.yaml index 7aea6eb..82924a6 100644 --- a/roles/etherpad/handlers/main.yaml +++ b/roles/etherpad/handlers/main.yaml @@ -2,7 +2,7 @@ - ansible.builtin.import_tasks: file: ../../common/handlers/main.yaml -- name: Restart etherpad +- name: restart etherpad ansible.builtin.systemd: name: etherpad state: restarted diff --git a/roles/etherpad/tasks/main.yaml b/roles/etherpad/tasks/main.yaml index 0f4beb5..2afe1f6 100644 --- a/roles/etherpad/tasks/main.yaml +++ b/roles/etherpad/tasks/main.yaml 
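Review bot: The rewritten `deb-src` security line ends in `main contrib non- free` and no longer uses the `{{ components }}` variable that the `deb` line directly above it uses; as rendered here it carries a space inside `non-free`, and even without that space it names `non-free` where the rest of the file uses `non-free-firmware`. Because the line is only active when `debian_source_repos` is true most hosts will not notice, but on those that enable it `apt update` will fail on the malformed component, unless the space is an artifact of how this page was rendered. I would restore `{{ SRC }}deb-src {{ debian_securityurl }} {{ ansible_distribution_release }}-security {{ components }}`.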
@@ -1,126 +1,140 @@ --- +- tags: etherpad + block: + - ansible.builtin.import_tasks: + file: ../../../snippets/common-nginx.yaml -- name: Install dependencies - ansible.builtin.apt: - state: present - pkg: - - gpg - - postgresql - - python3-psycopg2 - - apt-transport-https + - name: Install dependencies + ansible.builtin.apt: + name: [ gpg, postgresql, python3-psycopg2, apt-transport-https ] -- name: Import nodesource signing key - ansible.builtin.shell: - cmd: curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor - -o /usr/share/keyrings/nodesource.gpg - args: - creates: /usr/share/keyrings/nodesource.gpg - notify: Apt update + - name: Import nodesource signing key + ansible.builtin.shell: + cmd: curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor + -o /usr/share/keyrings/nodesource.gpg + args: + creates: /usr/share/keyrings/nodesource.gpg + notify: apt update -- name: Install nodesource source list - ansible.builtin.template: - src: nodesource.list - dest: /etc/apt/sources.list.d/nodesource.list - owner: root - group: root - mode: 0644 - notify: Apt update + - name: Install nodesource source list + ansible.builtin.template: + src: nodesource.list + dest: /etc/apt/sources.list.d/nodesource.list + owner: root + group: root + mode: 0644 + notify: apt update -- name: Install nodejs apt preference - ansible.builtin.template: - src: nodejs-apt-pref - dest: /etc/apt/preferences.d/nodejs - owner: root - group: root - mode: 0644 - notify: Apt update + - name: Install nodejs apt preference + ansible.builtin.template: + src: nodejs-apt-pref + dest: /etc/apt/preferences.d/nodejs + owner: root + group: root + mode: 0644 + notify: apt update -- ansible.builtin.meta: flush_handlers + - ansible.builtin.meta: flush_handlers -- name: Install nodejs - ansible.builtin.apt: - name: nodejs + - name: Install nodejs + ansible.builtin.apt: + name: nodejs -- name: Add database user - become: true - become_method: su - 
become_user: postgres - no_log: yes - community.postgresql.postgresql_user: - name: etherpad - password: "{{ etherpad_db_password }}" + - name: Add database user + become: true + become_method: su + become_user: postgres + no_log: yes + community.postgresql.postgresql_user: + name: etherpad + password: "{{ etherpad_db_password }}" -- name: Add database - become: true - become_method: su - become_user: postgres - community.postgresql.postgresql_db: - name: "{{ etherpad_db_name }}" - owner: "{{ etherpad_db_user }}" + - name: Add database + become: true + become_method: su + become_user: postgres + community.postgresql.postgresql_db: + name: "{{ etherpad_db_name }}" + owner: "{{ etherpad_db_user }}" -- name: Add etherpad user - ansible.builtin.user: - name: etherpad - home: /var/lib/etherpad + - name: Add etherpad user + ansible.builtin.user: + name: etherpad + home: /var/lib/etherpad -- name: Create log file - ansible.builtin.file: - path: /var/log/etherpad.log - state: touch - owner: etherpad - group: etherpad - mode: 0644 + - name: Create log file + ansible.builtin.file: + path: /var/log/etherpad.log + state: touch + owner: etherpad + group: etherpad + mode: 0644 -- name: Create source directory - ansible.builtin.file: - path: /opt/etherpad - state: directory - owner: etherpad - group: etherpad - mode: 0755 + - name: Create source directory + ansible.builtin.file: + path: /opt/etherpad + state: directory + owner: etherpad + group: etherpad + mode: 0755 -- name: Clone etherpad source - become: yes - become_method: su - become_user: etherpad - ansible.builtin.git: - repo: https://github.com/ether/etherpad-lite.git - version: master - dest: /opt/etherpad - accept_hostkey: yes - notify: Restart etherpad + - name: Clone etherpad source + become: yes + become_method: su + become_user: etherpad + ansible.builtin.git: + repo: https://github.com/ether/etherpad-lite.git + version: master + dest: /opt/etherpad + accept_hostkey: yes + notify: restart etherpad -- name: Install 
etherpad config - ansible.builtin.template: - src: settings.json - dest: /opt/etherpad/settings.json - owner: root - group: root - mode: 0644 - notify: Restart etherpad + - name: Install etherpad config + ansible.builtin.template: + src: settings.json + dest: /opt/etherpad/settings.json + owner: root + group: root + mode: 0644 + notify: restart etherpad -- name: Install etherpad service - ansible.builtin.template: - src: etherpad.service - dest: /etc/systemd/system/etherpad.service - owner: root - group: root - mode: 0644 - notify: Restart etherpad + - name: Install etherpad service + ansible.builtin.template: + src: etherpad.service + dest: /etc/systemd/system/etherpad.service + owner: root + group: root + mode: 0644 + notify: restart etherpad -- name: Start etherpad - ansible.builtin.systemd: - daemon_reload: true - name: etherpad - state: started - enabled: true + - name: Start etherpad + ansible.builtin.systemd: + daemon_reload: true + name: etherpad + state: started + enabled: yes -- name: Install nginx config - ansible.builtin.template: - src: nginx-site.conf - dest: /etc/nginx/sites-enabled/etherpad - owner: root - group: root - mode: 0644 - notify: Reload nginx + - name: Install nginx config + ansible.builtin.template: + src: nginx-site.conf + dest: /etc/nginx/sites-enabled/etherpad + owner: root + group: root + mode: 0644 + notify: reload nginx + - name: Allow HTTP and HTTPS + ansible.builtin.iptables: + chain: INPUT + protocol: tcp + destination_port: "{{ item.port }}" + ctstate: NEW + jump: ACCEPT + ip_version: "{{ item.ip }}" + action: insert + with_items: + - { ip: ipv4, port: 80 } + - { ip: ipv4, port: 443 } + - { ip: ipv6, port: 80 } + - { ip: ipv6, port: 443 } + notify: persist iptables diff --git a/roles/etherpad/tasks/requirements.yml b/roles/etherpad/tasks/requirements.yml index 0b8dbb8..060cde3 100644 --- a/roles/etherpad/tasks/requirements.yml +++ b/roles/etherpad/tasks/requirements.yml 
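Review bot: `Clone etherpad source` still checks out `version: master` of ether/etherpad-lite and notifies `restart etherpad`, so every run deploys whatever is on the upstream branch at that moment with no pinned tag or commit. Pin the checkout, e.g. `version: "{{ etherpad_version }}"` with a default set to a release tag, so an upstream push or a compromised branch cannot land on the host unreviewed. The same concern applies to `Import nodesource signing key`, which pipes `curl` into `gpg --dearmor` and trusts whatever comes back without checking the key's fingerprint; a comment recording the expected fingerprint, or a `checksum:` on a `get_url` download of the key, would close that gap. `accept_hostkey: yes` on an `https://` repository does nothing and can be dropped.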
@@ -1,5 +1,3 @@ ---- - collections: - name: community.postgresql version: 2.3.2 diff --git a/roles/git-ci/defaults/main.yaml b/roles/git-ci/defaults/main.yaml index 2e805ee..82807d7 100644 --- a/roles/git-ci/defaults/main.yaml +++ b/roles/git-ci/defaults/main.yaml @@ -1,2 +1,2 @@ runner_wd: /var/lib/forgejo-runner -runner_version: 6.3.0 +runner_version: 3.4.1 diff --git a/roles/git-ci/tasks/main.yaml b/roles/git-ci/tasks/main.yaml index d677a61..a01a11a 100644 --- a/roles/git-ci/tasks/main.yaml +++ b/roles/git-ci/tasks/main.yaml 
@@ -1,50 +1,50 @@ --- +- tags: forgejo_runner + block: + - name: Install dependencies + ansible.builtin.apt: + name: docker.io -- name: Install dependencies - ansible.builtin.apt: - name: docker.io + - name: Download forgejo-runner + ansible.builtin.get_url: + url: "https://code.forgejo.org/forgejo/runner/releases/download/v{{ runner_version }}/forgejo-runner-{{ runner_version }}-linux-amd64" + dest: /usr/local/bin/forgejo-runner + mode: 0755 + notify: restart forgejo-runner -- name: Download forgejo-runner - ansible.builtin.get_url: - url: "https://code.forgejo.org/forgejo/runner/releases/download/v{{ runner_version }}/forgejo-runner-{{ runner_version }}-linux-amd64" - dest: /usr/local/bin/forgejo-runner - mode: 0755 - notify: restart forgejo-runner + - name: Create runner dir + ansible.builtin.file: + state: directory + path: "{{ runner_wd }}" + owner: root + group: root + mode: 0755 -- name: Create runner dir - ansible.builtin.file: - state: directory - path: "{{ runner_wd }}" - owner: root - group: root - mode: 0755 + - name: Register runner + ansible.builtin.command: "forgejo-runner register --no-interactive --instance={{ forgejo_url }} --token={{ lookup('passwordstore', 'git/ci subkey=runner_token') }}" + args: + chdir: "{{ runner_wd }}" + creates: "{{ runner_wd }}/.runner" -- name: Register runner - ansible.builtin.command: "forgejo-runner register --no-interactive --instance={{ forgejo_url }} --token={{ lookup('passwordstore', 'git/ci subkey=runner_token') }}" - args: - chdir: "{{ runner_wd }}" - creates: "{{ runner_wd }}/.runner" + - name: Install service file + ansible.builtin.template: + src: forgejo-runner.service + dest: /etc/systemd/system/forgejo-runner.service + owner: root + group: root + mode: 0644 + notify: restart forgejo-runner -- name: Install service file - ansible.builtin.template: - src: forgejo-runner.service - dest: /etc/systemd/system/forgejo-runner.service - owner: root - group: root - mode: 0644 - notify: restart forgejo-runner + - 
name: Enable service + ansible.builtin.systemd: + name: forgejo-runner + enabled: yes + daemon_reload: true -- name: Enable service - ansible.builtin.systemd: - name: forgejo-runner - enabled: true - daemon_reload: true + - name: Start service + ansible.builtin.systemd: + name: forgejo-runner + state: started + daemon_reload: true -- name: Start service - ansible.builtin.systemd: - name: forgejo-runner - state: started - daemon_reload: true - -- name: Flush handlers - ansible.builtin.meta: flush_handlers + - ansible.builtin.meta: flush_handlers diff --git a/roles/git-server/tasks/main.yaml b/roles/git-server/tasks/main.yaml index 5104ef5..4a5bb3c 100644 --- a/roles/git-server/tasks/main.yaml +++ b/roles/git-server/tasks/main.yaml @@ -1,4 +1,6 @@ --- +- ansible.builtin.import_tasks: + file: ../../../snippets/common-nginx.yaml - name: Install dependencies ansible.builtin.apt: @@ -14,14 +16,14 @@ owner: root group: root mode: 0644 - notify: Reload nginx + notify: reload nginx - name: Enable nginx site ansible.builtin.file: src: /etc/nginx/sites-available/forgejo dest: /etc/nginx/sites-enabled/forgejo state: link - notify: Reload nginx + notify: reload nginx - name: Create user ansible.builtin.user: @@ -38,6 +40,7 @@ group: "{{ git_server_user }}" mode: 0755 + # TODO: Install initial config - name: Install service file @@ -47,7 +50,7 @@ owner: root group: root mode: 0644 - notify: Reload forgejo + notify: reload forgejo - name: Install update script ansible.builtin.template: @@ -61,12 +64,12 @@ ansible.builtin.command: "{{ git_server_working_dir }}/update.sh" args: creates: "{{ git_server_working_dir }}/forgejo" - notify: Reload forgejo + notify: reload forgejo - name: Enable service ansible.builtin.systemd: name: forgejo - enabled: true + enabled: yes daemon_reload: true - name: Start service 
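Review bot: `Register runner` hands the registration token to `ansible.builtin.command` as `--token=…` with no `no_log`, so the token is printed in Ansible output and logs whenever the task runs and sits in the host's process list for the duration of the command. Add `no_log: true` to the task; if forgejo-runner can read the token from its environment or a config file, that would also keep it off the command line, which I cannot confirm from here. `Download forgejo-runner` fetches the binary with `get_url` and no `checksum:`, so its integrity rests on the TLS connection alone; a `checksum: "sha256:<digest>"` pinned next to `runner_version` fixes that. Note that `runner_version` in this diff moves from 6.3.0 to 3.4.1, which reads as a downgrade rather than a pin and deserves a comment.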
@@ -80,6 +83,23 @@ src: cronjob dest: /etc/cron.d/forgejo -- name: Debug - ansible.builtin.debug: - msg: "If Forgejo has not been setup yet, please do so manually." +- name: Allow Git SSH, HTTP and HTTPS + ansible.builtin.iptables: + chain: INPUT + protocol: tcp + destination_port: "{{ item.port }}" + ctstate: NEW + jump: ACCEPT + ip_version: "{{ item.ip }}" + action: insert + with_items: + - { ip: ipv4, port: 80 } + - { ip: ipv4, port: 22 } + - { ip: ipv4, port: 443 } + - { ip: ipv6, port: 80 } + - { ip: ipv6, port: 22 } + - { ip: ipv6, port: 443 } + notify: persist iptables + +- ansible.builtin.debug: + msg: If Forgejo has not been setup yet, please do so manually. diff --git a/roles/go/tasks/main.yaml b/roles/go/tasks/main.yaml index ab16901..b787d21 100644 --- a/roles/go/tasks/main.yaml +++ b/roles/go/tasks/main.yaml @@ -19,11 +19,11 @@ register: go_latest_version_shell - name: Format Go latest version variable - ansible.builtin.set_fact: + set_fact: go_latest_version: "{{ go_latest_version_shell.stdout }}" - name: Detect installed Go version - ansible.builtin.shell: "go version | grep --color=never -Po '\\d\\.\\d+(\\.\\d+)?' || echo none" + shell: "go version | grep --color=never -Po '\\d\\.\\d+(\\.\\d+)?' || echo none" register: go_installed_version_shell changed_when: false @@ -31,20 +31,19 @@ set_fact: go_installed_version: "{{ go_installed_version_shell.stdout }}" - - name: Debug - ansible.builtin.debug: + - debug: msg: - "Latest Go version: {{ go_latest_version}}" - "Installed Go version: {{ go_installed_version }}" - name: Remove installed go - ansible.builtin.file: + file: state: absent path: /usr/local/go when: go_installed_version != go_latest_version - name: Install Go - ansible.builtin.unarchive: + unarchive: src: https://go.dev/dl/go{{ go_latest_version }}.linux-{{ go_arch }}.tar.gz dest: /usr/local remote_src: yes 
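Review bot: `Allow Git SSH, HTTP and HTTPS` hard-codes port 22 while the common role opens `{{ ssh_port }}` on the same chain; if Forgejo's SSH is the system sshd on that port the rule is redundant, and if Forgejo runs its own SSH listener on 22 that is worth stating, e.g. `# 22 is Forgejo's built-in SSH listener; the admin sshd uses ssh_port`. I cannot tell from the hunk which of the two applies.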
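Review bot: The `Format Go latest version variable` and `Detect installed Go version` tasks drop the `ansible.builtin.` prefix from `set_fact` and `shell`, which goes against every other task touched in this diff, where fully qualified module names are kept. Keeping `ansible.builtin.set_fact:` and `ansible.builtin.shell:` here (and in the later hunks of this file, which do the same to `debug`, `file`, `unarchive` and `template`) keeps module resolution unambiguous and the roles consistent.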
@@ -53,7 +52,7 @@ when: go_installed_version != go_latest_version - name: Configure Go environment - ansible.builtin.template: + template: src: go.profile dest: /etc/profile.d/go.sh owner: root @@ -61,7 +60,7 @@ mode: 0644 - name: Link go binary - ansible.builtin.file: + file: state: link src: /usr/local/go/bin/go dest: /usr/local/bin/go diff --git a/roles/monitoring/tasks/main.yaml b/roles/monitoring/tasks/main.yaml index 2017d5b..a13313c 100644 --- a/roles/monitoring/tasks/main.yaml +++ b/roles/monitoring/tasks/main.yaml @@ -1,26 +1,45 @@ --- +- name: monitoring + tags: monitoring + block: + - ansible.builtin.import_tasks: + file: ../../../snippets/common-nginx.yaml -- name: Install nginx site - ansible.builtin.template: - src: nginx-site.conf - dest: /etc/nginx/sites-available/monitoring - owner: root - group: root - mode: 0644 - notify: Reload nginx + - name: Install nginx site + ansible.builtin.template: + src: nginx-site.conf + dest: /etc/nginx/sites-available/monitoring + owner: root + group: root + mode: 0644 + notify: reload nginx -- name: Enable nginx site - ansible.builtin.file: - src: /etc/nginx/sites-available/monitoring - dest: /etc/nginx/sites-enabled/monitoring - state: link - notify: Reload nginx + - name: Enable nginx site + ansible.builtin.file: + src: /etc/nginx/sites-available/monitoring + dest: /etc/nginx/sites-enabled/monitoring + state: link + notify: reload nginx -- name: Start nginx - ansible.builtin.systemd: - name: nginx - state: started - enabled: true + - name: Start nginx + ansible.builtin.systemd: + name: nginx + state: started + enabled: yes + + - name: Allow HTTP/HTTPS + ansible.builtin.iptables: + chain: INPUT + protocol: tcp + destination_port: "{{ item.port }}" + ctstate: NEW + jump: ACCEPT + ip_version: "{{ item.ip }}" + action: insert + with_items: + - { ip: ipv6, port: 80 } + - { ip: ipv6, port: 443 } + notify: persist iptables - name: mqtt_exporter tags: mqtt_exporter 
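Review bot: `Allow HTTP/HTTPS` in the monitoring role lists only `ipv6` entries, whereas the equivalent tasks for etherpad and git-server open 80 and 443 on both `ipv4` and `ipv6`; with the common role's INPUT DROP policy the monitoring nginx site is then unreachable over IPv4 from anything outside `trusted_ranges`. If the host is IPv6-only that is fine and deserves a comment on the task; otherwise add `- { ip: ipv4, port: 80 }` and `- { ip: ipv4, port: 443 }` to the loop.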
diff --git a/roles/monitoring/tasks/mqtt_exporter.yaml b/roles/monitoring/tasks/mqtt_exporter.yaml index 0ae5d07..4fda9d9 100644 --- a/roles/monitoring/tasks/mqtt_exporter.yaml +++ b/roles/monitoring/tasks/mqtt_exporter.yaml @@ -10,7 +10,6 @@ - name: Install apt dependencies ansible.builtin.apt: name: - - jq - python3-paho-mqtt - python3-prometheus-client - python3-yaml @@ -24,7 +23,7 @@ group: root mode: 0644 notify: - - Daemon reload + - daemon reload - restart mqtt_exporter - name: Install config file @@ -35,7 +34,7 @@ group: root mode: 0644 notify: - - Daemon reload + - daemon reload - restart mqtt_exporter - ansible.builtin.meta: flush_handlers diff --git a/roles/monitoring/templates/grafana.ini b/roles/monitoring/templates/grafana.ini index a954c62..be8c995 100644 --- a/roles/monitoring/templates/grafana.ini +++ b/roles/monitoring/templates/grafana.ini @@ -69,9 +69,6 @@ level = info [grafana_com] url = https://grafana.com -[auth] -oauth_allow_insecure_email_lookup=true - [auth.anonymous] enabled = true org_name = Bitlair diff --git a/roles/monitoring/templates/mqtt_exporter_config.yaml b/roles/monitoring/templates/mqtt_exporter_config.yaml index 9767cdf..62a9690 100644 --- a/roles/monitoring/templates/mqtt_exporter_config.yaml +++ b/roles/monitoring/templates/mqtt_exporter_config.yaml @@ -15,8 +15,7 @@ export: - subscribe: bitlair/# - subscribe: bitlair/climate/+location/# - subscribe: bitlair/climate/+location/dust_mass/+size - - subscribe: bitlair/power/+net/+group/now_w - - subscribe: bitlair/power/+net/total_kwh + - subscribe: bitlair/power/+net/+group/# - subscribe: bitlair/wifi/+ssid/# - subscribe: bitlair/state 
@@ -36,10 +35,10 @@ export: labels: product: payload - - subscribe: bitlair/collectd/bitlair4-sw-24p/snmp/if_octets-traffic.24 + - subscribe: bitlair/collectd/bitlair-5406/snmp/if_octets-traffic.D15 metric_name: bitlair_internet_rx value_regex: "^.+:(.+):" - - subscribe: bitlair/collectd/bitlair4-sw-24p/snmp/if_octets-traffic.24 + - subscribe: bitlair/collectd/bitlair-5406/snmp/if_octets-traffic.D15 metric_name: bitlair_internet_tx value_regex: "^.+:.+:([\\d\\.]+)" @@ -57,29 +56,3 @@ export: - subscribe: bitlair/power/shelly/+num/status/switch:0 metric_name: bitlair_power_shelly value_json: .apower - - - subscribe: bambulab/device/+serial/report - metric_name: bambulab_nozzle_temperature - value_json: .print.nozzle_temper - - subscribe: bambulab/device/+serial/report - metric_name: bambulab_nozzle_target_temperature - value_json: .print.nozzle_target_temper - - subscribe: bambulab/device/+serial/report - metric_name: bambulab_bed_temperature - value_json: .print.bed_temper - - subscribe: bambulab/device/+serial/report - metric_name: bambulab_bed_target_temperature - value_json: .print.bed_target_temper - - subscribe: bambulab/device/+serial/report - metric_name: bambulab_chamber_temperature - value_json: .print.chamber_temper - - subscribe: bambulab/device/+serial/report - metric_name: bambulab_ams_humidity - value_json: .print.ams.ams[0].humidity - - subscribe: bambulab/device/+serial/report - metric_name: bambulab_print_progress - value_json: .print.mc_percent - - subscribe: bambulab/device/+serial/report - metric_name: bambulab_print_status - metric_type: info - value_json: .print.gcode_state diff --git a/roles/mqtt/handlers/main.yaml b/roles/mqtt-internal/handlers/main.yaml similarity index 100% rename from roles/mqtt/handlers/main.yaml rename to roles/mqtt-internal/handlers/main.yaml diff --git a/roles/mqtt-internal/tasks/main.yaml b/roles/mqtt-internal/tasks/main.yaml new file mode 100644 index 0000000..e468d01 --- /dev/null 
+++ b/roles/mqtt-internal/tasks/main.yaml @@ -0,0 +1,27 @@ +--- +- name: mqtt-internal + tags: mqtt_internal + block: + - name: Install dependencies + ansible.builtin.apt: + name: + - mosquitto + - avahi-daemon + + - name: Configure Mosquitto + ansible.builtin.template: + src: "{{ item }}" + dest: "/etc/mosquitto/conf.d/{{ item }}" + owner: root + group: root + mode: 0644 + notify: restart mosquitto + with_items: + - internal.conf + - public-bridge.conf + + - name: Start mosquitto + ansible.builtin.systemd: + name: mosquitto + state: started + enabled: yes diff --git a/roles/mqtt/templates/internal.conf b/roles/mqtt-internal/templates/internal.conf similarity index 72% rename from roles/mqtt/templates/internal.conf rename to roles/mqtt-internal/templates/internal.conf index d3a6d10..eba205a 100644 --- a/roles/mqtt/templates/internal.conf +++ b/roles/mqtt-internal/templates/internal.conf @@ -1,4 +1,4 @@ -# {{ ansible_managed }} +# Managed by Ansible listener 1883 :: listener 1883 0.0.0.0 diff --git a/roles/mqtt/templates/public-bridge.conf b/roles/mqtt-internal/templates/public-bridge.conf similarity index 92% rename from roles/mqtt/templates/public-bridge.conf rename to roles/mqtt-internal/templates/public-bridge.conf index 6040c03..fb97159 100644 --- a/roles/mqtt/templates/public-bridge.conf +++ b/roles/mqtt-internal/templates/public-bridge.conf @@ -1,9 +1,8 @@ -# {{ ansible_managed }} +# Managed by Ansible connection public-bridge address {{ mqtt_public_host }} -topic bambulab/# out topic bitlair/alarm out topic bitlair/climate/# out topic bitlair/collectd/bitlair-5406/snmp/# out diff --git a/roles/mqtt/defaults/main.yaml b/roles/mqtt/defaults/main.yaml deleted file mode 100644 index 8cf4403..0000000 --- a/roles/mqtt/defaults/main.yaml +++ /dev/null @@ -1 +0,0 @@ -mqtt_bambulab_cafile: /etc/mosquitto/ca_certificates/bambulab.pem diff --git a/roles/mqtt/tasks/main.yaml b/roles/mqtt/tasks/main.yaml deleted file mode 100644 index 498f49c..0000000 
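Review bot: The new role starts mosquitto with `internal.conf` listening on 1883 for `::` and `0.0.0.0` but, unlike the web roles in this change, adds no iptables task for that port; with the common role's INPUT DROP policy the broker is reachable only from `trusted_ranges`, which may well be the intent for an "internal" broker but is not stated anywhere. A comment on `Start mosquitto` such as `# 1883 is deliberately not opened in iptables; only trusted_ranges can reach the internal broker` would make that explicit for the next person who adds a firewall rule. Also, `enabled: yes` is the YAML 1.1 boolean spelling; `enabled: true` is what yamllint's truthy rule expects.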
--- a/roles/mqtt/tasks/main.yaml +++ /dev/null @@ -1,32 +0,0 @@ ---- - -- name: Install dependencies - ansible.builtin.apt: - name: - - mosquitto - - avahi-daemon - -- name: Install bambulab cafile - # openssl s_client -showcerts -connect :8883