diff --git a/roles/arch/vars/main.yml b/roles/arch/defaults/main.yml similarity index 72% rename from roles/arch/vars/main.yml rename to roles/arch/defaults/main.yml index 48b25d1..b8f7564 100644 --- a/roles/arch/vars/main.yml +++ b/roles/arch/defaults/main.yml @@ -6,10 +6,10 @@ packages: - gimp - nftables - mpd - - nfs + - nfs-utils - openvpn - okular - - postgres + - postgresql - plasma-meta - syncthing - tmux @@ -22,3 +22,7 @@ packages: - curl - cantata - reflector + +platform: "desktop" +platform_packages: [] +skip_common_setup: true diff --git a/roles/arch/meta/main.yml b/roles/arch/meta/main.yml new file mode 100644 index 0000000..360c542 --- /dev/null +++ b/roles/arch/meta/main.yml @@ -0,0 +1,13 @@ +dependencies: + - common + +galaxy_info: + author: sonny + description: "Sets up an arch environment" + license: "license GPLv3" + min_ansible_version: 2.7 + issue_tracker_url: "https://git.fudiggity.nl/ansible/arch-setup/issues" + platforms: + - name: Archlinux + galaxy_tags: + - system diff --git a/roles/arch/tasks/main.yml b/roles/arch/tasks/main.yml index b174ca8..3d32a43 100644 --- a/roles/arch/tasks/main.yml +++ b/roles/arch/tasks/main.yml 
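Review bot: Defaulting `platform: "desktop"` means a host whose inventory never sets `platform` silently gets the desktop treatment, and in this same commit that selects the desktop nftables ruleset (with its forward/masquerade rules) and the networkd config, since tasks/main.yml now tests `platform == "desktop"` instead of the old `not platform or platform == "desktop"` form. A missing host variable is more likely a mistake than a request for the desktop firewall, so consider leaving the default out and failing fast at the top of tasks/main.yml with `- assert: { that: platform in ['desktop', 'laptop'], fail_msg: 'set platform per host' }`. If the default is deliberate, a one-line comment above it saying so would stop the next reader from removing it.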
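Review bot: `min_ansible_version: 2.7` is an unquoted float; Galaxy documents the field as a string and a later bump to `2.10` would be parsed as `2.1`, so write `min_ansible_version: "2.7"`. `license: "license GPLv3"` is not a license identifier Galaxy's validators recognise; `license: "GPL-3.0-only"` (or at least `"GPLv3"`) is the expected form. `dependencies: - common` is declared here while defaults/main.yml in the same commit sets `skip_common_setup: true`; what common does with that flag is not visible in this diff, so a short comment on the dependency line stating what is still wanted from common (handlers, vars?) would save guessing.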
@@ -1,26 +1,39 @@ - name: load desktop specific vars include_vars: desktop.yml - when: not platform or platform == "desktop" + when: platform == "desktop" - name: load laptop specific vars include_vars: laptop.yml - when: platform and platform == "laptop" + when: platform == "laptop" - name: install shared packages + become: yes pacman: name: "{{ packages }}" - name: install platform specific packages + become: yes pacman: name: "{{ platform_packages }}" +- name: copy firewall template + become: yes + template: + src: "{{ platform }}/nftables.j2" + dest: "/etc/nftables.conf" + owner: root + group: root + mode: "0600" + notify: restart nftables + # TODO -# - (systemd networkd/iwl) network setup -# - nftables setup depending on platform +# - network setup (laptop) # - daily systemd-timer # - weekly systemd-timer # - reflector setup +# - pacman setup depending on platform (see include section for common options) +- include_tasks: network.yml - include_tasks: mpv.yml # TODO - include_tasks: mpd.yml # TODO - include_tasks: nfs.yml # TODO diff --git a/roles/arch/tasks/network.yml b/roles/arch/tasks/network.yml new file mode 100644 index 0000000..65bad0e --- /dev/null +++ b/roles/arch/tasks/network.yml @@ -0,0 +1,12 @@ +- name: setup desktop systemd networkd + become: yes + template: + src: "desktop/network.j2" + dest: "/etc/systemd/network/20-wired.network" + owner: root + group: root + mode: "0644" + notify: restart systemd-networkd + when: platform == "desktop" + +# TODO add laptop setup diff --git a/roles/arch/templates/desktop/network.j2 b/roles/arch/templates/desktop/network.j2 new file mode 100644 index 0000000..3329399 --- /dev/null +++ b/roles/arch/templates/desktop/network.j2 @@ -0,0 +1,7 @@ +# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }} + +[Match] +Name=enp* + +[Network] +DHCP=yes diff --git a/roles/arch/templates/desktop/nftables.j2 b/roles/arch/templates/desktop/nftables.j2 new file mode 100644 index 0000000..5d3e23f 
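Review bot: The `copy firewall template` task writes /etc/nftables.conf and notifies `restart nftables` without checking that the rendered ruleset parses, so a template error either takes the firewall down on restart or leaves the previous ruleset loaded, depending on the service unit; add `validate: "nft -c -f %s"` to the template task so Ansible refuses to install a file nft cannot load. The source is `"{{ platform }}/nftables.j2"`, but this commit only adds `templates/desktop/nftables.j2`, so a `platform == "laptop"` run fails at this task unless `templates/laptop/nftables.j2` already exists outside the diff — if it does not, a `when: platform == "desktop"` on the task until the laptop ruleset lands is safer than a mid-play failure after packages are installed. Minor: `become: yes` is a YAML 1.1 truthy; `become: true` is the form ansible-lint/yamllint accept.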
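Review bot: `Name=enp*` matches any predictably named wired NIC, while the desktop nftables template added in this same commit hard-codes `enp34s0` in its forward and masquerade rules, so on a box where the interface is named differently the network still comes up but the bridge forwarding rules silently match nothing. Define the uplink once, e.g. `wan_iface: "enp34s0"` in defaults/main.yml, and render `Name={{ wan_iface }}` here and `oifname "{{ wan_iface }}"` in the firewall so the two cannot drift. `DHCP=yes` also enables DHCPv6; if only IPv4 is intended, `DHCP=ipv4` is the narrower setting.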
--- /dev/null +++ b/roles/arch/templates/desktop/nftables.j2 @@ -0,0 +1,65 @@ +# {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }} +# +#!/usr/bin/nft -f +# vim:set ts=2 sw=2 et: + +table inet filter { + chain input { + type filter hook input priority 0; + + # allow established/related connections + ct state { established, related } accept + + # early drop of invalid connections + ct state invalid drop + + # allow from loopback + iifname lo accept + + # allow icmp + ip protocol icmp accept + ip6 nexthdr icmpv6 accept + + # allow ssh + tcp dport ssh accept + + # syncthing + ip saddr 10.8.1.1 tcp dport 22000 accept + + # allow dhcp requests for bridget connections + iifname "vmbr0" udp dport { 53, 67 } accept + + # everything else + reject with icmpx type port-unreachable + } + + chain forward { + type filter hook forward priority security; policy drop; + + ct state { established, related } accept; + + mark 1 accept + + iifname "vmbr0" oifname "enp34s0" accept + iifname "enp34s0" oifname "vmbr0" accept + } +} + +table ip filter { + chain DOCKER-USER { + mark set 1 + } +} + +table ip nat { + chain prerouting { + type nat hook prerouting priority 0; policy accept; + + # iifname "enp34s0" tcp dport { http } dnat to 10.4.0.243 + } + + chain postrouting { + type nat hook postrouting priority 0; policy accept; + oifname "enp34s0" masquerade + } +} diff --git a/roles/arch/templates/input.j2 b/roles/arch/templates/input.j2 index 147b593..8fd6c5e 100644 --- a/roles/arch/templates/input.j2 +++ b/roles/arch/templates/input.j2 @@ -1,4 +1,5 @@ # {{ ansible_managed }} {{ ansible_date_time.time }} {{ ansible_date_time.date }} +# ## Seek units are in seconds, but note that these are limited by keyframes RIGHT seek 5 LEFT seek -5 diff --git a/roles/arch/vars/desktop.yml b/roles/arch/vars/desktop.yml new file mode 100644 index 0000000..28d4ccb --- /dev/null +++ b/roles/arch/vars/desktop.yml @@ -0,0 +1 @@ +platform_packages: [] 
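Review bot: `ip6 nexthdr icmpv6 accept` only matches when ICMPv6 is the first Next Header of the packet; anything carrying an extension header in front (MLD, which uses a Hop-by-Hop option, or fragmented ICMPv6) falls through to the final reject, so replace both ICMP lines with `meta l4proto { icmp, ipv6-icmp } accept`, which matches the transport protocol after extension headers. The input chain declares no policy, so only the trailing `reject` keeps the host closed; `type filter hook input priority 0; policy drop;` keeps it closed if that rule is ever removed or reordered. The file has no `flush ruleset` line, so unless the `restart nftables` handler flushes before loading, each reload appends a second copy of every rule; if you add the flush, be aware it also removes the rules Docker installs in `ip filter`, which the `DOCKER-USER` / `mark 1 accept` pairing here appears to rely on, so that pairing deserves a comment stating exactly which traffic it is meant to admit. `tcp dport ssh accept` is unrestricted by interface or source while syncthing is pinned to `10.8.1.1`; confirm SSH is meant to be reachable from the `vmbr0` side as well.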
diff --git a/roles/arch/vars/laptop.yml b/roles/arch/vars/laptop.yml new file mode 100644 index 0000000..28d4ccb --- /dev/null +++ b/roles/arch/vars/laptop.yml @@ -0,0 +1 @@ +platform_packages: []