diff --git a/playbook.yml b/playbook.yml
index 68d4a1a..bf4b85d 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -53,10 +53,10 @@
 ansible.builtin.import_tasks: 'handlers.yml'
 vars_files:
 - 'vars/main.yml'
+ - 'vars/nginx.yml'
+ - 'vars/network.yml'
 - 'vars/vpn.yml'
 - 'vars/vpn_media.yml'
- - 'vars/network.yml'
- - 'vars/nginx.yml'
 - 'vars/transmission.yml'
 - 'vars/syncthing.yml'
 - 'vars/mpd.yml'
diff --git a/tasks/mpd.yml b/tasks/mpd.yml
index 61c69ab..07f9d02 100644
--- a/tasks/mpd.yml
+++ b/tasks/mpd.yml
@@ -1,4 +1,3 @@
-# TODO: use docker setup
 - name: create mpd directories
 become: true
 file:
diff --git a/tasks/network.yml b/tasks/network.yml
index 4a60382..166d982 100644
--- a/tasks/network.yml
+++ b/tasks/network.yml
@@ -1,49 +1,29 @@
-- name: Copy network configuration files
+- name: copy network configuration files
 become: true
- ansible.builtin.template:
+ template:
 src: '{{ item.src }}'
 dest: '{{ item.dest }}'
 owner: root
 group: systemd-network
 mode: '0640'
 loop:
- - src: 'templates/network/link1.link.j2'
- dest: '/etc/systemd/network/98-link1.link'
-
- - src: 'templates/network/link1.network.j2'
- dest: '/etc/systemd/network/98-link1.network'
+ - {
+ src: 'templates/network/link1.link.j2',
+ dest: '/etc/systemd/network/98-link1.link'
+ }
+ - {
+ src: 'templates/network/link1.network.j2',
+ dest: '/etc/systemd/network/98-link1.network',
+ }
 notify:
 - restart systemd-networkd
 - regenerate initramfs # copies the files into the initramfs for when udev needs them
-- name: Set hostname
+- name: copy /etc/hosts template
 become: true
- ansible.builtin.hostname:
- name: '{{ hostname }}'
- use: systemd
-
-- name: Copy hosts file
- become: true
- ansible.builtin.template:
- src: 'network/hosts.j2'
+ template:
+ src: 'hosts.j2'
 dest: '/etc/hosts'
 mode: '0644'
 owner: root
-
-- name: Copy resolved.conf configuration
- become: true
- ansible.builtin.template:
- src: 'network/resolved.j2'
- dest: '/etc/systemd/resolved.conf'
- mode: '0644'
- owner: root
-
-- name: Copy firewall template
- become: true
- ansible.builtin.template:
- src: 'templates/nftables.j2'
- dest: '/etc/nftables.conf'
- owner: root
- group: root
- mode: '0644'
- notify: restart nftables
+ notify: restart systemd-networkd
diff --git a/tasks/radicale.yml b/tasks/radicale.yml
index dd28f6c..de50a16 100644
--- a/tasks/radicale.yml
+++ b/tasks/radicale.yml
@@ -1,4 +1,3 @@
-# TODO: use docker setup
 # TODO: update collection path, see https://radicale.org/3.0.html#tutorials/running-as-a-service
 - name: add radicale user
diff --git a/tasks/setup.yml b/tasks/setup.yml
index 547af4a..dcbe180 100644
--- a/tasks/setup.yml
+++ b/tasks/setup.yml
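Review bot: The new `copy /etc/hosts template` task at the end of the hunk notifies `restart systemd-networkd`, but systemd-networkd does not consume /etc/hosts, so the handler restarts the network stack for no effect; the file is read by the libc resolver and systemd-resolved on the next lookup, so drop the `notify: restart systemd-networkd` line, or point it at a handler that actually reads the file if one exists. The module name is also shortened from `ansible.builtin.template` to `template` in both tasks here, while tasks/setup.yml in this same diff keeps the fully qualified name; ansible-lint flags the short form, so keep `ansible.builtin.template:`. The loop is rewritten from block mappings to multi-line flow mappings, and the two entries are inconsistent (the second ends with `dest: '/etc/systemd/network/98-link1.network',` before `}`, the first has no trailing comma); the original block form `- src: …` / `dest: …` reads and diffs better and avoids the inconsistency.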
@@ -1,10 +1,12 @@
-- name: Copy nsswitch file
+- name: Copy firewall template
 become: true
 ansible.builtin.template:
- src: 'nsswitch.j2'
- dest: '/etc/nsswitch.conf'
- mode: '0644'
+ src: 'templates/nftables.j2'
+ dest: '/etc/nftables.conf'
 owner: root
+ group: root
+ mode: '0644'
+ notify: restart nftables
 - name: Copy ssh template
 become: true
diff --git a/tasks/syncthing.yml b/tasks/syncthing.yml
index 615d823..40d48e1 100644
--- a/tasks/syncthing.yml
+++ b/tasks/syncthing.yml
@@ -1,4 +1,3 @@
-# TODO: use docker setup
 - name: create syncthing directory
 file:
 path: '{{ ansible_env.HOME }}/.config/syncthing'
diff --git a/tasks/wireguard.yml b/tasks/wireguard.yml
index dd39333..a187b69 100644
--- a/tasks/wireguard.yml
+++ b/tasks/wireguard.yml
@@ -19,13 +19,13 @@
 path: '{{ item }}'
 owner: root
 group: systemd-network
- mode: '0750'
+ mode: '0640'
 state: directory
 recurse: true
 loop:
 - '{{ vpn_config_dir }}'
- - '{{ vpn_server_public_key_path | dirname }}'
- - '{{ vpn_server_key_path | dirname }}'
+ - '{{ vpn_media_server_public_key_path | dirname }}'
+ - '{{ vpn_media_server_key_path | dirname }}'
 - name: Copy Wireguard server credentials
 become: true
diff --git a/tasks/wireguard_media.yml b/tasks/wireguard_media.yml
index 17d9b26..24039ae 100644
--- a/tasks/wireguard_media.yml
+++ b/tasks/wireguard_media.yml
@@ -19,13 +19,13 @@
 path: '{{ item }}'
 owner: root
 group: systemd-network
- mode: '0750'
+ mode: '0640'
 state: directory
 recurse: true
 loop:
 - '{{ vpn_config_dir }}'
- - '{{ vpn_media_server_public_key_path | dirname }}'
- - '{{ vpn_media_server_key_path | dirname }}'
+ - '{{ vpn_server_public_key_path | dirname }}'
+ - '{{ vpn_server_private_key_path | dirname }}'
 - name: Copy Wireguard server media credentials
 become: true
diff --git a/templates/network/hosts.j2 b/templates/hosts.j2
similarity index 53%
rename from templates/network/hosts.j2
rename to templates/hosts.j2
index 3e3c6cd..70f3e67 100644
--- a/templates/network/hosts.j2
+++ b/templates/hosts.j2
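Review bot: The nsswitch task at the top of this hunk is replaced rather than moved, so the `hosts:` lookup order the deleted templates/nsswitch.j2 enforced (`mymachines resolve [!UNAVAIL=return] files myhostname dns`) is now whatever the target already ships, while the playbook still templates /etc/hosts in tasks/network.yml and so depends on `files` being consulted. If leaving nsswitch.conf unmanaged is deliberate, say so where the next reader will look, e.g. a comment above the firewall task: `# nsswitch.conf is left at the distribution default`.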
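Review bot: `mode: '0640'` is applied together with `state: directory` and `recurse: true`, so the directories themselves (including `{{ vpn_config_dir }}`) lose the execute bit: root still traverses them through its override capability, but the `systemd-network` group that the `group:` line is there to serve can no longer enter them, and `recurse: true` stamps the same 0640 onto every file underneath. If the goal is to tighten the key files from the old 0750, keep `mode: '0750'` on the directory task and set the file mode in the task that copies the credentials; the identical change is in the tasks/wireguard_media.yml hunk below. The swap of the loop entries also looks suspicious: tasks/wireguard.yml now creates the `vpn_media_server_*` key directories while tasks/wireguard_media.yml creates the `vpn_server_*` ones, and the new name `vpn_server_private_key_path` differs from the `vpn_server_key_path` it replaces, so confirm both variables exist in vars/vpn.yml (not visible in this diff) or the loop fails to template at run time.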
@@ -1,10 +1,8 @@
 # {{ ansible_managed }}
 127.0.0.1 localhost
-127.0.1.1 {{ hostname }}
-{{ lan_ip }} {{ domain_name }} {{ hostname }}
-{{ vpn_listen_address }} {{ vpn_domain }}
-{{ vpn_media_listen_address }} {{ vpn_media_domain }}
+127.0.1.1 zeus
+{{ lan_ip }} {{ domain_name }}
 # The following lines are desirable for IPv6 capable hosts
 #::1 localhost ip6-localhost ip6-loopback
diff --git a/templates/network/resolved.j2 b/templates/network/resolved.j2
deleted file mode 100644
index 1d87caf..0000000
--- a/templates/network/resolved.j2
+++ /dev/null
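Review bot: `127.0.1.1 zeus` hard-codes the machine name into a template, and the same commit deletes the `hostname` variable (vars/main.yml) and the `Set hostname` task (tasks/network.yml), so nothing in the playbook guarantees the target is actually called `zeus`; if it is not, the 127.0.1.1 entry never matches and the host's own name is resolved elsewhere. Use a fact or the inventory instead, `127.0.1.1 {{ ansible_hostname }}` (or `{{ inventory_hostname }}`), which keeps the template reusable and self-consistent. The LAN line also drops the short name that the old `{{ lan_ip }} {{ domain_name }} {{ hostname }}` carried, so anything that addressed the box by short name over the LAN now needs the FQDN.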
@@ -1,37 +0,0 @@
-# {{ ansible_managed }}
-#
-# This file is part of systemd.
-#
-# systemd is free software; you can redistribute it and/or modify it under the
-# terms of the GNU Lesser General Public License as published by the Free
-# Software Foundation; either version 2.1 of the License, or (at your option)
-# any later version.
-#
-# Entries in this file show the compile time defaults. Local configuration
-# should be created by either modifying this file, or by creating "drop-ins" in
-# the resolved.conf.d/ subdirectory. The latter is generally recommended.
-# Defaults can be restored by simply deleting this file and all drop-ins.
-#
-# Use 'systemd-analyze cat-config systemd/resolved.conf' to display the full config.
-#
-# See resolved.conf(5) for details.
-
-[Resolve]
-# Some examples of DNS servers which may be used for DNS= and FallbackDNS=:
-# Cloudflare: 1.1.1.1#cloudflare-dns.com 1.0.0.1#cloudflare-dns.com 2606:4700:4700::1111#cloudflare-dns.com 2606:4700:4700::1001#cloudflare-dns.com
-# Google: 8.8.8.8#dns.google 8.8.4.4#dns.google 2001:4860:4860::8888#dns.google 2001:4860:4860::8844#dns.google
-# Quad9: 9.9.9.9#dns.quad9.net 149.112.112.112#dns.quad9.net 2620:fe::fe#dns.quad9.net 2620:fe::9#dns.quad9.net
-#DNS=
-#FallbackDNS=
-#Domains=
-#DNSSEC=no
-#DNSOverTLS=no
-#MulticastDNS=yes
-#LLMNR=yes
-#Cache=yes
-#CacheFromLocalhost=no
-#DNSStubListener=yes
-DNSStubListenerExtra={{ vpn_listen_address }}
-DNSStubListenerExtra={{ vpn_media_listen_address }}
-#ReadEtcHosts=yes
-#ResolveUnicastSingleLabel=no
diff --git a/templates/network/wireguard/default/mobile.wireguard.j2 b/templates/network/wireguard/default/mobile.wireguard.j2
index 65ab6c1..2f9773b 100644
--- a/templates/network/wireguard/default/mobile.wireguard.j2
+++ b/templates/network/wireguard/default/mobile.wireguard.j2
@@ -2,7 +2,6 @@
 [Interface]
 Address={{ vpn_peers.mobile.ip }}/24
-DNS={{ vpn_listen_address }}
 PrivateKey={{ lookup("file", vpn_peers.mobile.private_key_source_path) }}
 [Peer]
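Review bot: Removing `DNS=` from the `[Interface]` block leaves the mobile peer on whatever resolver its current network hands it, and the commit also removes the server-side stub listeners (templates/network/resolved.j2) and the port 53 accept rules (templates/nftables.j2), so no in-tunnel resolver remains. If the peer's `AllowedIPs` (outside this hunk) routes all traffic, name lookups now leave the tunnel in the clear on whichever network the device is on; if it only routes the VPN range, the names the peers used to resolve through the server are gone together with `vpn_domain`, and either way the decision deserves a line in the template, e.g. `# no DNS= on purpose: peers keep their local resolver`. The same removal is made in the three templates/network/wireguard/media/*.j2 hunks that follow.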
diff --git a/templates/network/wireguard/media/mobile_1.wireguard.j2 b/templates/network/wireguard/media/mobile_1.wireguard.j2
index fc6459d..f0bbc55 100644
--- a/templates/network/wireguard/media/mobile_1.wireguard.j2
+++ b/templates/network/wireguard/media/mobile_1.wireguard.j2
@@ -2,7 +2,6 @@
 [Interface]
 Address={{ vpn_media_peers.mobile_peer_1.ip }}/24
-DNS={{ vpn_media_listen_address }}
 PrivateKey={{ lookup('file', vpn_media_peers.mobile_peer_1.private_key_source_path) }}
 [Peer]
diff --git a/templates/network/wireguard/media/mobile_2.wireguard.j2 b/templates/network/wireguard/media/mobile_2.wireguard.j2
index 1c88376..4550c5c 100644
--- a/templates/network/wireguard/media/mobile_2.wireguard.j2
+++ b/templates/network/wireguard/media/mobile_2.wireguard.j2
@@ -2,7 +2,6 @@
 [Interface]
 Address={{ vpn_media_peers.mobile_peer_2.ip }}/24
-DNS={{ vpn_media_listen_address }}
 PrivateKey={{ lookup('file', vpn_media_peers.mobile_peer_2.private_key_source_path) }}
 [Peer]
diff --git a/templates/network/wireguard/media/tv.wireguard.j2 b/templates/network/wireguard/media/tv.wireguard.j2
index 104bd16..3506780 100644
--- a/templates/network/wireguard/media/tv.wireguard.j2
+++ b/templates/network/wireguard/media/tv.wireguard.j2
@@ -2,7 +2,6 @@
 [Interface]
 Address={{ vpn_media_peers.tv.ip }}/24
-DNS={{ vpn_media_listen_address }}
 PrivateKey={{ lookup('file', vpn_media_peers.tv.private_key_source_path) }}
 [Peer]
diff --git a/templates/nftables.j2 b/templates/nftables.j2
index 4014dad..90151be 100644
--- a/templates/nftables.j2
+++ b/templates/nftables.j2
@@ -27,10 +27,6 @@ table ip filter {
 iifname "{{ network_interface }}" udp dport {{ vpn_port }} accept comment "Wireguard"
 iifname "{{ network_interface }}" udp dport {{ vpn_media_port }} accept comment "Wireguard media"
- # TODO: create combined rule
- iifname "{{ vpn_interface }}" tcp dport 53 ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "DNS TCP"
- iifname "{{ vpn_interface }}" udp dport 53 ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "DNS UDP"
- iifname "{{ vpn_interface }}" tcp dport { {{ http_port }}, {{ https_port }} } ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "HTTP/HTTPS"
 iifname "{{ vpn_interface }}" tcp dport {{ transmission_web_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "Transmission Web"
 iifname "{{ vpn_interface }}" tcp dport { {{ syncthing_gui_port }}, {{ syncthing_protocol_port }} } ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "Syncthing"
@@ -39,10 +35,6 @@ table ip filter {
 iifname "{{ vpn_interface }}" tcp dport {{ mpd_http_stream_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "MPD HTTP stream"
 iifname "{{ vpn_interface }}" tcp dport {{ mpd_http_mobile_stream_port }} ip saddr {{ vpn_source_range }} ip daddr {{ vpn_destination_range }} accept comment "MPD HTTP mobile stream"
- # TODO: create combined rule
- iifname "{{ vpn_media_interface }}" tcp dport 53 ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "DNS TCP"
- iifname "{{ vpn_media_interface }}" udp dport 53 ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "DNS UDP"
- iifname "{{ vpn_media_interface }}" tcp dport {{ jellyfin_http_port }} ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "Jellyfin HTTP"
 iifname "{{ vpn_media_interface }}" tcp dport {{ jellyfin_service_port }} ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "Jellyfin service discovery"
 iifname "{{ vpn_media_interface }}" tcp dport {{ jellyfin_client_port }} ip saddr {{ vpn_media_source_range }} ip daddr {{ vpn_media_destination_range }} accept comment "Jellyfin client discovery"
diff --git a/templates/nsswitch.j2 b/templates/nsswitch.j2
deleted file mode 100644
index c02078d..0000000
--- a/templates/nsswitch.j2
+++ /dev/null
@@ -1,20 +0,0 @@
-# {{ ansible_managed }}
-#
-# If you have the `glibc-doc-reference' and `info' packages installed, try:
-# `info libc "Name Service Switch"' for information about this file.
-# See /usr/share/libc-bin/nsswitch.conf for an example of a configuration file.
-
-passwd: files
-group: files
-shadow: files
-gshadow: files
-
-hosts: mymachines resolve [!UNAVAIL=return] files myhostname dns
-networks: files
-
-protocols: db files
-services: db files
-ethers: db files
-rpc: db files
-
-netgroup: nis
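Review bot: The `Jellyfin HTTP` accept rule on `{{ vpn_media_interface }}` is removed while the `Jellyfin service discovery` and `Jellyfin client discovery` rules right below it stay, so media-VPN peers can still discover the server but no longer reach `{{ jellyfin_http_port }}` through the firewall; unless Jellyfin is now served another way, the two discovery rules are dead and should go too, or the HTTP rule should stay. The DNS rule removal is consistent with the deleted stub listeners in templates/network/resolved.j2, so nothing to raise there. The enclosing `table ip filter` chain starts before this hunk.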
diff --git a/vars/main.yml b/vars/main.yml
index 8ee9bb3..455a55f 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -12,6 +12,4 @@ packages:
 - certbot
 - unattended-upgrades
-vpn_config_dir: '/etc/wireguard'
-
-hostname: 'fudiggity'
+vpn_config_dir: '/etc/wireguard/keys'
diff --git a/vars/nginx.yml b/vars/nginx.yml
index 6b1ed93..273534f 100644
--- a/vars/nginx.yml
+++ b/vars/nginx.yml
@@ -1,3 +1,4 @@
+domain_name: 'fudiggity.nl'
 forgejo_domain: 'forgejo.fudiggity.nl'
 woodpecker_domain: 'woodpecker.fudiggity.nl'
 glitchtip_domain: 'glitchtip.fudiggity.nl'
diff --git a/vars/vpn.yml b/vars/vpn.yml
index c170ddf..2ac4ae4 100644
--- a/vars/vpn.yml
+++ b/vars/vpn.yml
@@ -1,5 +1,4 @@
 vpn_listen_address: '10.0.0.1'
-vpn_domain: 'vpn.{{ domain_name }}'
 vpn_subnet: '24'
 vpn_port: '51902'
 vpn_interface: 'wg0'
diff --git a/vars/vpn_media.yml b/vars/vpn_media.yml
index 03ce582..6631508 100644
--- a/vars/vpn_media.yml
+++ b/vars/vpn_media.yml
@@ -1,5 +1,4 @@
 vpn_media_listen_address: '10.0.1.1'
-vpn_media_domain: 'media-vpn.{{ domain_name }}'
 vpn_media_subnet: '24'
 vpn_media_port: '51903'
 vpn_media_interface: 'wg1'
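Review bot: `vpn_config_dir` now points at `/etc/wireguard/keys`, but the name still says "config directory", and both tasks/wireguard.yml and tasks/wireguard_media.yml feed it to a `file` task with `recurse: true`, so a reader will assume the interface `.conf` files live there and get their permissions changed. Either rename it to something like `vpn_keys_dir` (updating the two loops that reference it) or document it in place: `# directory holding the WireGuard key material, not the interface configs`.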
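Review bot: `domain_name` is a host-wide value (templates/hosts.j2 renders it into /etc/hosts, and vars/vpn.yml used to build `vpn_domain` from it), so defining it in vars/nginx.yml ties an unrelated template's correctness to the `vars_files` order in playbook.yml, which this same commit reorders to load nginx.yml earlier; vars/main.yml next to the other global settings is the natural home. If it stays here, a comment above the line, `# base domain; also used by templates/hosts.j2`, would at least make the cross-file dependency visible.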