diff --git a/README.md b/README.md
index a492204..503e1de 100644
--- a/README.md
+++ b/README.md
@@ -1,20 +1,10 @@
 # Raspberry Pi NAS
-Ansible configuration repository for my Raspberry Pi's.
+This repository contains all configuration I use to set up a Raspberry Pi 4B as
+a NAS and media storage server. This repository will most likely evolve a lot.
-## Initial setup for new systems
+The Pi is used to host the following:
-1. Flash [Debian Raspberry Pi](https://raspi.debian.net/) on the SD card.
-2. Configure `/boot/firmware/sysconf.txt`
-   1. Set `hostname` to the desired name
-   2. Set `root_authorized_key` to the contents of the current computer's
-      public SSH key
-3. Put SD card in Pi and boot
-4. Connect Pi to wired internet
-5. Determine IP address given to the new Pi
-6. Add this IP address to the `initial-hosts.ini` file, along with the
-   `static_ip` host var set to the desired static IP address
-8. Comment out `ansible_ssh_user` in `group_vars/all/vars.yml`, as this
-   overwrites the one set in the hosts file
-9. Run `ansible-playbook -i initial-hosts.ini first_run.yml`. This command will
-   hang at the `restart networking` step; at this point you can Ctrl-C.
+* Samba network share for access to family pictures
+* [Photoview](https://photoview.github.io/) instance for accessing image over the internet
+* [Jellyfin](https://jellyfin.org/) for accessing media library as well
diff --git a/first_run.yml b/first_run.yml
deleted file mode 100644
index 45cc231..0000000
--- a/first_run.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-- name: Configure base system.
-  hosts: all
-  gather_facts: no
-  # Debian installs don't have Python by default
-  pre_tasks:
-    - name: Update package database
-      raw: apt update
-    - name: Install Python
-      raw: apt install -y python3
-  roles:
-    - base
diff --git a/group_vars/all.yml b/group_vars/all.yml
new file mode 100644
index 0000000..71505f7
--- /dev/null
+++ b/group_vars/all.yml
@@ -0,0 +1,30 @@
+---
+ansible_ssh_user: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  63363333613666383765643633393735396439386662346364643730373138333931303833393339
+  6430306434646562396134373433343439316133303931640a343536383539666132633636303031
+  65643735333839613636613963303433623933366532623037323963646462366464623739393461
+  3233613932616531360a326235346464333566633466633864343261663831336166313230306635
+  3265
+
+ansible_ssh_port: 22
+
+ansible_become_pass: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  38306565386265383731653936353766396630626163316335643261613561363030653561346239
+  3764363033386531623331616132643637353536326439620a356232626635626266656331643466
+  36343435646561643662373138613237626461373330346566356132636366623731643838383633
+  3765666163656264340a663138623535626161376666323862373131383637356231323737313564
+  6430
+
+lambroek_password: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  33373365393262643630646336323731376232646138613061363933366265393863636536303430
+  3738363338653035623039383463643761343261336366620a353532613132343439333563663664
+  61643135323936323362326365663366333864363735363438636361643734333930616566356563
+  3038373639646338380a393061376135353564373062353139366461383939333161333936613430
+  33383233336531663261373631363733323839353235613131363966643838373033373437613764
+  37306137366666663938616465393464653961643732636236636438396165623165653363623135
+  36386632303939646632393362373838663337663063326338623534326561656561633131376138
+  64376237373133333761313635346266306638383038663333366139303437323562303733373764
+  63316564393763643834643232663462333633373639633938663035633063356530
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
deleted file mode 100644
index 5579c57..0000000
--- a/group_vars/all/vars.yml
+++ /dev/null
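Review bot: `lambroek_password` now lives in `group_vars/all.yml`, so a Samba-user secret that the deleted `group_vars/nas/vars.yml` scoped to the `nas` group is decrypted and exposed as a variable on every host the inventory will ever contain; keeping it in a group or host file (or the samba role's vars) keeps its blast radius minimal. The inline `!vault` blobs also give no hint of what they unlock, which the old `vault_*` indirection at least named, so a comment above each vaulted key, e.g. `# Samba password for the lambroek share user (used by roles/samba)`, lets the file be read without decrypting it. `ansible_ssh_port: 22` is plain and fine; only the three vaulted values need annotating.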
@@ -1,17 +0,0 @@
----
-ansible_ssh_user: debian
-ansible_ssh_port: 22
-
-# Values for static IP configuration
-broadcast_ip: 192.168.0.255
-router_ip: 192.168.0.1
-
-debian_pass: "{{ vault_debian_pass }}"
-
-ansible_become_pass: !vault |
-  $ANSIBLE_VAULT;1.1;AES256
-  38306565386265383731653936353766396630626163316335643261613561363030653561346239
-  3764363033386531623331616132643637353536326439620a356232626635626266656331643466
-  36343435646561643662373138613237626461373330346566356132636366623731643838383633
-  3765666163656264340a663138623535626161376666323862373131383637356231323737313564
-  6430
diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml
deleted file mode 100644
index f4da912..0000000
--- a/group_vars/all/vault.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-37303338366435366664333235623930303461666537326463613536303263353233303631653061
-3365613139333035616434376464386436653863366338650a366363336438313364646432626335
-32396334643064326531393930666263643163636163316430616434363139316665323262616538
-3665633530616432350a326439636231383765666365386433313432373432373938656638373636
-34323166343965616330366265353462626132356565316637313430343462363163
diff --git a/group_vars/nas/vars.yml b/group_vars/nas/vars.yml
deleted file mode 100644
index 29190e9..0000000
--- a/group_vars/nas/vars.yml
+++ /dev/null
@@ -1,6 +0,0 @@
-raid_uuid: '4d184875-19eb-4923-9b79-bf669c1f7978'
-lambroek_password: "{{ vault_lambroek_password }}"
-s3_access_key_id: "{{ vault_s3_access_key_id }}"
-s3_secret_access_key: "{{ vault_s3_secret_access_key }}"
-rclone_photos_obf_pass: "{{ vault_rclone_photos_obf_pass }}"
-rclone_photos_obf_pass2: "{{ vault_rclone_photos_obf_pass2 }}"
diff --git a/group_vars/nas/vault.yml b/group_vars/nas/vault.yml
deleted file mode 100644
index a06f383..0000000
--- a/group_vars/nas/vault.yml
+++ /dev/null
@@ -1,30 +0,0 @@
-$ANSIBLE_VAULT;1.1;AES256
-37323336656133626339366437393062613937366232613334643034363635623832333136313063
-3738353666646636323431663339623234306439323138650a373063376634333161666366303831
-34373963366334636238623134613863303464663133653262333064613863643362633531653061
-3934363435316636390a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
diff --git a/hosts.ini b/hosts.ini
index cd752ae..e91633a 100644
--- a/hosts.ini
+++ b/hosts.ini
@@ -1,2 +1 @@
-[nas]
-192.168.0.3 static_ip=192.168.0.3
+192.168.0.3
diff --git a/initial-hosts.ini b/initial-hosts.ini
deleted file mode 100644
index 2574963..0000000
--- a/initial-hosts.ini
+++ /dev/null
@@ -1,5 +0,0 @@
-192.168.0.216 static_ip=192.168.0.3
-
-[all:vars]
-# These are expected to be the same
-ansible_ssh_user=root
diff --git a/main.yml b/main.yml
index 6c37399..955fd60 100644
--- a/main.yml
+++ b/main.yml
@@ -3,7 +3,7 @@
   hosts: all
   become: yes
   roles:
-    - base
+    - packages
     - net-security
   tags: base
diff --git a/nas.yml b/nas.yml
deleted file mode 100644
index 9cbb433..0000000
--- a/nas.yml
+++ /dev/null
@@ -1,43 +0,0 @@
----
-- name: Perform common tasks
-  hosts: nas
-  become: yes
-  roles:
-    - base
-    - common
-  tags: base
-
-- name: Configure BTRFS RAID
-  hosts: nas
-  become: yes
-  roles:
-    - raid
-  tags: raid
-
-- name: Set up Samba
-  hosts: nas
-  become: yes
-  roles:
-    - samba
-  tags: samba
-
-- name: Set up Jellyfin
-  hosts: nas
-  become: yes
-  roles:
-    - jellyfin
-  tags: jellyfin
-
-- name: Set up Caddy
-  hosts: nas
-  become: yes
-  roles:
-    - caddy
-  tags: caddy
-
-- name: Set up photo sync using Rclone
-  hosts: nas
-  become: yes
-  roles:
-    - rclone
-  tags: rclone
diff --git a/roles/base/files/authorized_keys b/roles/base/files/authorized_keys
deleted file mode 100644
index c63ff39..0000000
--- a/roles/base/files/authorized_keys
+++ /dev/null
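Review bot: `become: yes` in main.yml still needs `sudo` on the target, and the task that installed it (`Install sudo.` in the deleted `roles/base/tasks/main.yml`) has no replacement in the new `packages` role, so a freshly flashed image that ships without sudo would fail at the first escalated task; if the base image is known to include it, a comment on the play saying so is enough, otherwise add `sudo` to the `packages` role's list. The same deleted role created the `data` group that `roles/samba/tasks/main.yml` still assigns, which is worth checking alongside. `become: yes` is the YAML 1.1 boolean spelling that yamllint's truthy rule flags; `become: true` is the canonical form, though that line predates this commit. The play's `- name:` line starts above the hunk.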
@@ -1,5 +0,0 @@
-ssh-rsa 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 roosensjef@gmail.com
-
-ssh-rsa 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 roosensjef@gmail.com
-
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINkcCTP0IE/ANIXJJIMWEg4f5riS8uv3KuypkzQC47XN roosensjef@gmail.com
diff --git a/roles/base/handlers/main.yml b/roles/base/handlers/main.yml
deleted file mode 100644
index de4832e..0000000
--- a/roles/base/handlers/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: restart networking
-  service:
-    name: networking
-    state: restarted
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
deleted file mode 100644
index 8ec3e10..0000000
--- a/roles/base/tasks/main.yml
+++ /dev/null
@@ -1,44 +0,0 @@
----
-- name: Install sudo.
-  apt:
-    name: sudo
-    state: present
-
-- name: Create data group.
-  group:
-    name: data
-    gid: 1002
-
-- name: Create debian user.
-  user:
-    name: debian
-    groups:
-      - sudo
-      - data
-    append: true
-    create_home: yes
-    shell: /bin/bash
-    password: "{{ vault_debian_pass | password_hash('sha512') }}"
-    update_password: on_create
-
-- name: Create SSH directory.
-  file:
-    path: /home/debian/.ssh/
-    state: directory
-    owner: debian
-    group: debian
-    mode: '700'
-
-- name: Add authorized SSH keys.
-  copy:
-    src: authorized_keys
-    dest: /home/debian/.ssh/authorized_keys
-    owner: debian
-    group: debian
-    mode: '600'
-
-- name: Install networking config file.
-  template:
-    src: interfaces.j2
-    dest: /etc/network/interfaces.d/eth0
-  notify: restart networking
diff --git a/roles/base/templates/interfaces.j2 b/roles/base/templates/interfaces.j2
deleted file mode 100644
index 3afb5e2..0000000
--- a/roles/base/templates/interfaces.j2
+++ /dev/null
@@ -1,7 +0,0 @@
-auto eth0
-iface eth0 inet static
-  address {{ static_ip }}
-  broadcast {{ broadcast_ip }}
-  netmask 255.255.255.0
-  gateway {{ router_ip }}
-  dns-nameservers {{ router_ip }} 8.8.8.8
diff --git a/roles/caddy/files/Caddyfile b/roles/caddy/files/Caddyfile
deleted file mode 100644
index fdb27ea..0000000
--- a/roles/caddy/files/Caddyfile
+++ /dev/null
@@ -1,16 +0,0 @@
-# The Caddyfile is an easy way to configure your Caddy web server.
-#
-# Unless the file starts with a global options block, the first
-# uncommented line is always the address of your site.
-#
-# To use your own domain name (with automatic HTTPS), first make
-# sure your domain's A/AAAA DNS records are properly pointed to
-# this machine's public IP, then replace ":80" below with your
-# domain name.
-
-media.roosens.me {
-	reverse_proxy localhost:8096
-}
-
-# Refer to the Caddy docs for more information:
-# https://caddyserver.com/docs/caddyfile
diff --git a/roles/caddy/handlers/main.yml b/roles/caddy/handlers/main.yml
deleted file mode 100644
index ddf490e..0000000
--- a/roles/caddy/handlers/main.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- name: reload-caddy
-  service:
-    name: caddy
-    state: reloaded
diff --git a/roles/caddy/tasks/main.yml b/roles/caddy/tasks/main.yml
index f3eb347..4f5faa3 100644
--- a/roles/caddy/tasks/main.yml
+++ b/roles/caddy/tasks/main.yml
@@ -1,4 +1,3 @@
----
 - name: Add Caddy GPG key
   apt_key:
     url: "https://dl.cloudsmith.io/public/caddy/stable/gpg.key"
@@ -17,19 +16,3 @@
   apt:
     name: caddy
     state: present
-
-- name: Copy over Caddyfile
-  copy:
-    src: Caddyfile
-    dest: '/etc/caddy/Caddyfile'
-    owner: root
-    group: root
-    mode: '644'
-  notify: reload-caddy
-
-- name: Ensure Caddy service is running & enabled
-  service:
-    name: caddy
-    state: started
-    enabled: true
-
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
deleted file mode 100644
index efe7bbf..0000000
--- a/roles/common/tasks/main.yml
+++ /dev/null
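Review bot: After the second hunk of `roles/caddy/tasks/main.yml` the role installs the package but no longer manages `/etc/caddy/Caddyfile` or the service state, so whatever Caddyfile the package ships is what runs (the deleted file's own header says the stock one listens on `:80`), and the Jellyfin reverse proxy plus the handler that reloaded it are gone without a replacement or a TODO. If dropping the proxy is intentional, a comment after the `apt` task that installs `caddy`, e.g. `# Caddyfile is not managed here yet; the package default is in effect`, records that; if not, at least the `service` task that asserted `enabled: true` should stay so the role still guarantees the unit runs. The first hunk also removes the leading `---` while the handlers file it deletes had one; the new `net-security` and `packages` files lack it too, so the repository should settle on one convention. The `name:` line of the install task sits above the second hunk.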
@@ -1,38 +0,0 @@
-- name: Install packages
-  apt:
-    name:
-      # Needed for handling GPG keys for repositories
-      - debian-keyring
-      - debian-archive-keyring
-      - apt-transport-https
-
-      # Easy to edit files
-      - vim
-      - tmux
-      - htop
-
-      # Spam prevention
-      - fail2ban
-
-      # Disk monitoring
-      - smartmontools
-    state: present
-
-- name: Install Vim config
-  get_url:
-    url: 'https://r8r.be/vim'
-    dest: '{{ item.dest }}'
-    owner: "{{ item.user }}"
-    group: "{{ item.user }}"
-    mode: '644'
-  with_items:
-    - user: debian
-      dest: "/home/debian/.vimrc"
-    - user: root
-      dest: "/root/.vimrc"
-
-- name: Enable fail2ban
-  service:
-    name: fail2ban
-    state: started
-    enabled: true
diff --git a/roles/jellyfin/tasks/main.yml b/roles/jellyfin/tasks/main.yml
index 48b969b..bea451e 100644
--- a/roles/jellyfin/tasks/main.yml
+++ b/roles/jellyfin/tasks/main.yml
@@ -5,7 +5,7 @@
 - name: Add Jellyfin repository
   apt_repository:
-    repo: "deb https://repo.jellyfin.org/debian bookworm main"
+    repo: "deb https://repo.jellyfin.org/debian bullseye main"
     filename: 'jellyfin'
     state: present
@@ -14,16 +14,6 @@
     name: jellyfin
     state: present
 
-- name: Create Jellyfin user
-  user:
-    name: jellyfin
-    groups:
-      - data
-    append: true
-    create_home: no
-    shell: /bin/nologin
-    update_password: on_create
-
 - name: Copy over service file
   copy:
     src: jellyfin.service.conf
diff --git a/roles/net-security/tasks/main.yml b/roles/net-security/tasks/main.yml
new file mode 100644
index 0000000..83332f2
--- /dev/null
+++ b/roles/net-security/tasks/main.yml
@@ -0,0 +1,14 @@
+- name: Install fail2ban.
+  apt:
+    name: fail2ban
+    state: present
+
+# TODO add proper fail2ban config
+
+- name: Ensure fail2ban is started & enabled.
+  service:
+    name: fail2ban
+    state: started
+    enabled: true
+
+# TODO install UFW
diff --git a/roles/packages/tasks/main.yml b/roles/packages/tasks/main.yml
new file mode 100644
index 0000000..612137b
--- /dev/null
+++ b/roles/packages/tasks/main.yml
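Review bot: The repository line in the first jellyfin hunk hardcodes the Debian codename (`bullseye`, flipped from `bookworm` by this commit), so the next OS move needs yet another edit; `repo: "deb https://repo.jellyfin.org/debian {{ ansible_distribution_release }} main"` follows the target release and works for both. The second hunk drops the task that put the `jellyfin` user into the `data` group; if the media library lives on a path owned by that group (the deleted samba tasks and base role both used `data`), the package-created user may no longer be able to read it, so either keep a `user` task with `append: true` for the membership or add a comment saying why it is no longer needed. The `Copy over service file` task continues past the hunk.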
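Review bot: `roles/net-security/tasks/main.yml` installs and enables fail2ban with the distribution's stock configuration, and `# TODO add proper fail2ban config` is the only record of that; Debian's default sshd jail reads `/var/log/auth.log`, so on an image that logs only to journald the unit can fail to start, and when the jail file is written, `backend = systemd` in `jail.local` avoids that — worth spelling out in the TODO so the next person knows what "proper" must cover. Starting the service right after installing it means such a failure surfaces as a failed play rather than a silent no-op, which is the right behaviour, so keep that ordering. The file also has no leading `---`, unlike the role files this commit deletes.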
@@ -0,0 +1,11 @@
+- name: Install packages
+  apt:
+    name:
+      # Needed for handling GPG keys for repositories
+      - debian-keyring
+      - debian-archive-keyring
+      - apt-transport-https
+
+      # Easy to edit files
+      - vim
+    state: present
diff --git a/roles/raid/tasks/main.yml b/roles/raid/tasks/main.yml
deleted file mode 100644
index b0e10bf..0000000
--- a/roles/raid/tasks/main.yml
+++ /dev/null
@@ -1,20 +0,0 @@
----
-- name: Install BTRFS tools
-  apt:
-    name: btrfs-progs
-    state: present
-
-- name: Create mountpoint
-  file:
-    path: /mnt/data1
-    state: directory
-    mode: '0755'
-    owner: debian
-    group: debian
-
-- name: Mount RAID
-  mount:
-    path: /mnt/data1
-    src: "UUID={{ raid_uuid }}"
-    fstype: btrfs
-    state: mounted
diff --git a/roles/rclone/tasks/main.yml b/roles/rclone/tasks/main.yml
deleted file mode 100644
index 1cbbbd4..0000000
--- a/roles/rclone/tasks/main.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: Ensure Rclone is installed
-  ansible.builtin.apt:
-    name: rclone
-    state: present
-
-- name: Ensure Rclone configuration file is present
-  ansible.builtin.template:
-    src: 'rclone.conf.j2'
-    dest: /etc/rclone.conf
-    owner: root
-    group: root
-    mode: '0644'
diff --git a/roles/rclone/templates/rclone.conf.j2 b/roles/rclone/templates/rclone.conf.j2
deleted file mode 100644
index 679b602..0000000
--- a/roles/rclone/templates/rclone.conf.j2
+++ /dev/null
@@ -1,20 +0,0 @@
-# Copy the config entry below in your rclone configuration file.
-[ovh-s3]
-type = s3
-provider = Other
-env_auth = false
-access_key_id = {{ s3_access_key_id }}
-secret_access_key = {{ s3_secret_access_key }}
-acl = private
-region = gra
-location_constraint = gra
-# API endpoint
-# S3 standard endpoint
-endpoint = https://s3.gra.io.cloud.ovh.net/
-
-[photos-crypt]
-type = crypt
-remote = ovh-s3:pi-s3/photos
-password = {{ rclone_photos_obf_pass }}
-password2 = {{ rclone_photos_obf_pass2 }}
-
diff --git a/roles/samba/handlers/main.yml b/roles/samba/handlers/main.yml
index 48e1e38..e0b8a12 100644
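Review bot: `apt-transport-https` is a transitional package on Debian 10 and later (HTTPS support is built into `apt` itself), so the `# Needed for handling GPG keys for repositories` comment no longer explains why it is listed; either drop it or reword the comment to say it is kept for older images. The task also has no `update_cache`, so on a freshly flashed image with an empty package index (the deleted `first_run.yml` used to run `apt update` first) the install can fail on the first run; `update_cache: true` together with `cache_valid_time: 3600` keeps it idempotent. Like the other new role file this one has no leading `---`.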
--- a/roles/samba/handlers/main.yml
+++ b/roles/samba/handlers/main.yml
@@ -3,8 +3,3 @@
   service:
     name: smbd
     state: restarted
-
-- name: smbpasswd-lambroek
-  shell:
-    cmd: "smbpasswd -sa lambroek"
-    stdin: "{{ lambroek_password }}\n{{ lambroek_password }}"
diff --git a/roles/samba/tasks/main.yml b/roles/samba/tasks/main.yml
index 60ea3c3..b46817e 100644
--- a/roles/samba/tasks/main.yml
+++ b/roles/samba/tasks/main.yml
@@ -16,9 +16,10 @@
     create_home: false
     groups:
       - data
-    password: "{{ lambroek_password | password_hash('sha512') }}"
+    password: "{{ lambroek_password }}"
     shell: /sbin/nologin
-  notify: smbpasswd-lambroek
+
+# TODO run "smbpasswd -a lambroek"
 
 - name: Copy over smb config file
   copy:
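Review bot: `password: "{{ lambroek_password }}"` in the `roles/samba/tasks/main.yml` hunk hands the vaulted plaintext to the `user` module, which on Linux targets expects an already-hashed value; the string is written verbatim into the shadow field (Ansible warns that the password appears not to be hashed), so the Unix password never matches and the secret itself ends up on disk unhashed — restore `password: "{{ lambroek_password | password_hash('sha512') }}"`. The dropped `notify: smbpasswd-lambroek`, together with the handler removed in the handlers hunk, means no Samba password is set at all now, which the `# TODO run "smbpasswd -a lambroek"` comment acknowledges; until that is replaced the share user cannot authenticate, so the TODO should at least say the share is unusable in the meantime. `groups: - data` still depends on the `data` group, which was created only by the deleted `roles/base/tasks/main.yml` as far as this diff shows. The `user` task's `name:` line begins above the hunk.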