diff --git a/ansible/README.md b/ansible/README.md
index 60d0c1f..8b8ce87 100644
--- a/ansible/README.md
+++ b/ansible/README.md
@@ -8,10 +8,6 @@ Assumes:
 - Passwordless sudo is enabled for the user ansible uses
 - Root and user pw is something memorable
-- Wireguard hosts:
- - Secure boot is disabled (wireguard is an unsigned module)
- - Wireguard is configured on 10.200.0.0/24; See https://wiki.debian.org/Wireguard
-
 - ZFS server:
 - ZFS is configured with a volume at /bigdata for sharing
diff --git a/ansible/files/dma.conf b/ansible/files/dma.conf
deleted file mode 100644
index 29bdcf4..0000000
--- a/ansible/files/dma.conf
+++ /dev/null
@@ -1,68 +0,0 @@
-# $DragonFly: src/etc/dma/dma.conf,v 1.2 2008/02/04 10:11:41 matthias Exp $
-#
-# Your smarthost (also called relayhost). Leave blank if you don't want
-# smarthost support.
-# NOTE: on Debian systems this is handled via debconf!
-# Please use dpkg-reconfigure dma to change this value.
-SMARTHOST smtp.gmail.com
-
-# Use this SMTP port. Most users will be fine with the default (25)
-PORT 587
-
-# Path to your alias file. Just stay with the default.
-#ALIASES /etc/aliases
-
-# Path to your spooldir. Just stay with the default.
-#SPOOLDIR /var/spool/dma
-
-# SMTP authentication
-AUTHPATH /etc/dma/auth.conf
-
-# Uncomment if yout want TLS/SSL support
-SECURETRANSFER
-
-# Uncomment if you want STARTTLS support (only used in combination with
-# SECURETRANSFER)
-STARTTLS
-
-# Uncomment if you have specified STARTTLS above and it should be allowed
-# to fail ("opportunistic TLS", use an encrypted connection when available
-# but allow an unencrypted one to servers that do not support it)
-#OPPORTUNISTIC_TLS
-
-# Path to your local SSL certificate
-#CERTFILE
-
-# If you want to use plain text SMTP login without using encryption, change
-# the SECURE entry below to INSECURE. Otherwise plain login will only work
-# over a secure connection. Use this option with caution.
-#SECURE
-
-# Uncomment if you want to defer your mails. This is useful if you are
-# behind a dialup line. You have to submit your mails manually with dma -q
-#DEFER
-
-# Uncomment if you want the bounce message to include the complete original
-# message, not just the headers.
-#FULLBOUNCE
-
-# The internet hostname dma uses to identify the host.
-# If not set or empty, the result of gethostname(2) is used.
-# If MAILNAME is an absolute path to a file, the first line of this file
-# will be used as the hostname.
-# NOTE: on Debian systems this is handled via debconf!
-# Please use dpkg-reconfigure dma to change this value.
-MAILNAME /etc/mailname
-
-# Masquerade envelope from addresses with this address/hostname.
-# Use this if mails are not accepted by destination mail servers because
-# your sender domain is invalid.
-# By default, MASQUERADE is not set.
-# Format: MASQUERADE [user@][host]
-# Examples:
-# MASQUERADE john@ on host "hamlet" will send all mails as john@hamlet
-# MASQUERADE percolator will send mails as $username@percolator, e.g. fish@percolator
-# MASQUERADE herb@ert will send all mails as herb@ert
-
-# Directly forward the mail to the SMARTHOST bypassing aliases and local delivery
-#NULLCLIENT
diff --git a/ansible/hosts.cfg b/ansible/hosts.cfg
index 0b22507..7ba1705 100644
--- a/ansible/hosts.cfg
+++ b/ansible/hosts.cfg
@@ -1,14 +1,14 @@
 [compute]
-fogcutter interface=eno1
+fogcutter hostname=fogcutter.seaturtle.pw interface=eno1
 [daily]
-cabinet interface=enp9s0
+cabinet hostname=cabinet.seaturtle.pw interface=enp9s0
 [nfs]
-bigdummy interface=enp2s0
+bigdummy hostname=bigdummy.seaturtle.pw interface=enp2s0
 [remote]
 joe@madone.seaturtle.pw interface=enp1s0
-[router]
-corsa
+[proxy]
+polyvalent hostname=polyvalent.seaturtle.pw interface=eth0
diff --git a/ansible/main.yml b/ansible/main.yml
index cab1363..3efacb1 100644
--- a/ansible/main.yml
+++ b/ansible/main.yml
@@ -1,12 +1,16 @@
 # All hosts are debian 10
 ---
 # Common
-- hosts: daily,compute,nfs,router
+- hosts: daily,compute,nfs,proxy
 become: yes
 handlers:
 - import_tasks: handlers.yml
 tasks:
 # Core
+ - name: Set hostname
+ hostname:
+ name: "{{ hostname }}"
+
 - name: Install common packages
 apt:
 name:
@@ -70,8 +74,8 @@
 notify: Restart systemd-logind service
 - name: Set chrony ntp servers
- copy:
- src: files/chrony.conf
+ template:
+ src: templates/chrony.conf.j2
 dest: /etc/chrony/chrony.conf
 owner: root
 group: root
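Review bot: The new `Set hostname` task reads `hostname` straight from the inventory with no fallback, so any host later added to the daily/compute/nfs/proxy groups without a `hostname=` entry now aborts the common play at its very first task with an undefined-variable error. Make that contract explicit with an assert ahead of it — `assert: { that: hostname is defined, fail_msg: "set hostname= for this host in hosts.cfg" }` — or, if a bare inventory name is acceptable, `name: "{{ hostname | default(inventory_hostname) }}"`. The neighbouring context line `become: yes` is the YAML 1.1 boolean spelling; `become: true` is what yamllint's truthy rule expects. The play's task list continues outside the hunk.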
@@ -79,7 +83,7 @@
 notify: Restart chrony service
 # Core networking
- - name: Configure sshd_config to listen on 37121/2222/22 and disable password auth
+ - name: Configure sshd_config to listen on 22/2222/37121 and disable password auth
 copy:
 src: files/sshd_config
 dest: /etc/ssh/sshd_config
@@ -88,8 +92,7 @@
 mode: '0644'
 notify: Restart sshd service
- ## Changes will take effect during next reboot
- ## (determined by unattended-upgrades)
+ ## Changes will take effect during next reboot, does not effect static IPs
 - name: Configure sysctl with IPv6 privacy extensions
 template:
 src: templates/local.conf.j2
@@ -98,17 +101,6 @@
 group: root
 mode: '0644'
- - name: Configure dma
- copy:
- src: files/dma.conf
- dest: /etc/dma/dma.conf
- owner: root
- group: mail
- mode: '0640'
- - debug:
- msg: 'Manually configure /etc/dma/auth.conf'
-
 - name: Configure smartd
 copy:
 src: files/smartd.conf
@@ -271,3 +263,16 @@
 msg:
 - Start/Configure haproxy manually
 - Start microk8s manually
+
+# Proxy config
+- hosts: proxy
+ become: yes
+ tasks:
+ ## Changes will take effect during next reboot
+ - name: Configure sysctl to reject RA acceptance
+ template:
+ src: templates/disablera.conf.j2
+ dest: /etc/sysctl.d/disablera.conf
+ owner: root
+ group: root
+ mode: '0644'
diff --git a/ansible/files/chrony.conf b/ansible/templates/chrony.conf.j2
similarity index 83%
rename from ansible/files/chrony.conf
rename to ansible/templates/chrony.conf.j2
index c95b259..4a56464 100644
--- a/ansible/files/chrony.conf
+++ b/ansible/templates/chrony.conf.j2
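Review bot: The rewritten comment `## Changes will take effect during next reboot, does not effect static IPs` has a typo (`effect` should be `affect`) and, more to the point, documents a gap rather than closing it: a file dropped into /etc/sysctl.d by `template` is not applied until something runs `sysctl --system`, so the IPv6 privacy-extension setting stays inactive on a running host for as long as it goes unrebooted. The common play already uses `notify` for sshd and chrony; adding `notify: Reload sysctl` here with a handler that runs `sysctl --system` (or switching to the `sysctl` module with `sysctl_file` and `reload: true`) applies it in the same run. Suggested wording for the comment: `## Applied at next reboot or when the sysctl handler runs; does not affect static IPs`. The sysctl task itself continues beyond the hunk.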
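Review bot: The new proxy play writes disablera.conf under /etc/sysctl.d but nothing reloads it, so — as its own `## Changes will take effect during next reboot` comment admits — polyvalent keeps accepting router advertisements until someone reboots it, which is the one window an on-link rogue-RA attacker needs. Add `notify: Reload sysctl` to the task and a `handlers:` section with `- name: Reload sysctl` / `command: sysctl --system`, or replace the template with one `sysctl` task per key using `sysctl_file: /etc/sysctl.d/disablera.conf` and `reload: true`, which both persists and applies the value. `become: yes` on the play header should be `become: true`, matching the boolean form yamllint expects. This play has no handlers of its own in the hunk, so the handler would be new.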
@@ -1,9 +1,16 @@
 # Welcome to the chrony configuration file. See chrony.conf(5) for more
 # information about usuable directives.
+{% if hostname == 'polyvalent.seaturtle.pw' %}
+server 0.us.pool.ntp.org iburst
+server 1.us.pool.ntp.org iburst
+server 2.us.pool.ntp.org iburst
+server 3.us.pool.ntp.org iburst
+{% else %}
 server ntp-1.vt.edu iburst
 server ntp-2.vt.edu iburst
 server ntp-3.vt.edu iburst
 server ntp-4.vt.edu iburst
+{% endif %}
 pool 2.debian.pool.ntp.org iburst
 # This directive specify the location of the file containing ID/key pairs for
diff --git a/ansible/templates/disablera.conf.j2 b/ansible/templates/disablera.conf.j2
new file mode 100644
index 0000000..9da8d9c
--- /dev/null
+++ b/ansible/templates/disablera.conf.j2
@@ -0,0 +1,2 @@
+net.ipv6.conf.{{ interface }}.accept_ra=0
+net.ipv6.conf.all.accept_ra=0
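Review bot: Selecting the NTP servers with `{% if hostname == 'polyvalent.seaturtle.pw' %}` pins the template to one literal inventory string, so renaming the host or adding a second proxy silently drops it onto the vt.edu servers with no error; the inventory already expresses the distinction as a group. `{% if 'proxy' in group_names %}` states the intent directly, and moving the server list into a per-group variable would let the template shrink to a single loop over it. Note also that `pool 2.debian.pool.ntp.org iburst` remains outside the conditional on the unchanged line below, so the per-host servers are additional sources rather than exclusive ones — presumably intended, but worth one comment in the template so it isn't read as a mistake later.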
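Review bot: `net.ipv6.conf.all.accept_ra=0` is weaker coverage than it looks: as far as I recall the kernel consults each interface's own `accept_ra` when processing an RA, so the `all` entry does not retroactively override interfaces that already exist, and interfaces created later (bridges, VPN tunnels, containers) inherit from `default`, which this file does not set — add `net.ipv6.conf.default.accept_ra=0` alongside it. The per-interface line also depends on `{{ interface }}` containing no dots; a VLAN name like `eth0.100` would be mis-parsed as nested keys, so the slash form `net/ipv6/conf/{{ interface }}/accept_ra=0` is the safe spelling for a templated interface name. Finally, with RA rejected the host loses any SLAAC-learned default route, so this template assumes polyvalent has a static IPv6 route; the main.yml comment hints at static IPs but a one-line comment here stating that prerequisite would save the next operator a lockout.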