diff --git a/roles/debian/tasks/firewall.yml b/roles/debian/tasks/firewall.yml
deleted file mode 100644
index 5247171..0000000
--- a/roles/debian/tasks/firewall.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-- name: Install nftables
-  package:
-    name: nftables
-
-- name: Set up generic firewall rules
-  copy:
-    dest: /etc/nftables.conf
-    src: nftables.conf
-  notify: reload nftables
-
-- name: Create nftables include directory
-  file:
-    path: /etc/nftables.d
-    state: directory
-
-- name: Set up local firewall rules
-  template:
-    dest: /etc/nftables.d/services.nft
-    src: services.nft.j2
-  notify: reload nftables
-
-- name: Enable firewall
-  service:
-    name: nftables
-    enabled: yes
-    state: started
diff --git a/roles/debian/tasks/main.yml b/roles/debian/tasks/main.yml
index 70f3e7d..a795319 100644
--- a/roles/debian/tasks/main.yml
+++ b/roles/debian/tasks/main.yml
@@ -5,12 +5,9 @@
 - name: Add rules to rename network interfaces
   template:
-    dest: "/etc/systemd/network/10-{{ item.name }}.link"
-    src: interface.link.j2
-    mode: "0644"
-  loop: "{{ interfaces | selectattr('mac_address') }}"
-  loop_control:
-    label: "{{ item.name }}"
+    dest: /etc/udev/rules.d/10-network.rules
+    src: 10-network.rules.j2
+    mode: 0644
   notify: reboot
 - name: Set hostname
@@ -30,6 +27,7 @@
     name:
       - git
       - ifupdown2
+      - nftables
       - rsync
       - vim
       - tmux
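Review bot: The new `mode: 0644` on the udev rules task is a bare YAML 1.1 octal, while the line it replaces and the moved `.link` task in roles/proxmox/tasks/network.yml keep `mode: "0644"`; Ansible accepts the leading-zero integer, but quoting it keeps the repo consistent and survives a YAML 1.2 reformatter, so `mode: "0644"`. The same bare form appears in the new resolv.conf task in roles/proxmox/tasks/main.yml and in the physical-interfaces and management-SSH tasks in roles/proxmox/tasks/network.yml. If the debian role is still applied to Proxmox nodes, both the udev rule written here and the systemd .link files written by the proxmox role would try to rename interfaces; a comment on this task stating which hosts it is meant for would settle that.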
@@ -75,9 +73,28 @@
     value: 'prohibit-password'
   notify: reload sshd
-- name: Set up firewall
-  include_tasks: firewall.yml
-  when: is_virtual or cluster_type != 'proxmox' # proxmox has its own firewall configuration
+- name: Set up generic firewall rules
+  copy:
+    dest: /etc/nftables.conf
+    src: nftables.conf
+  notify: reload nftables
+
+- name: Create nftables include directory
+  file:
+    path: /etc/nftables.d
+    state: directory
+
+- name: Set up local firewall rules
+  template:
+    dest: /etc/nftables.d/services.nft
+    src: services.nft.j2
+  notify: reload nftables
+
+- name: Enable firewall
+  service:
+    name: nftables
+    enabled: yes
+    state: started
 - name: Install automatic upgrade package
   package:
diff --git a/roles/frr/templates/frr.conf.j2 b/roles/frr/templates/frr.conf.j2
index 98c1797..c185a68 100644
--- a/roles/frr/templates/frr.conf.j2
+++ b/roles/frr/templates/frr.conf.j2
@@ -16,7 +16,7 @@ router bgp {{ asn.asn }}
   neighbor fabric remote-as external
   neighbor fabric capability extended-nexthop
-{% for iface in interfaces | selectattr('enabled') | selectattr('name', 'match', '^lan') %}
+{% for iface in interfaces | selectattr('name', 'match', '^lan') %}
   neighbor {{ iface.name }} interface peer-group fabric
 {% endfor %}
diff --git a/roles/proxmox/handlers/main.yml b/roles/proxmox/handlers/main.yml
index 2da6a81..a48f969 100644
--- a/roles/proxmox/handlers/main.yml
+++ b/roles/proxmox/handlers/main.yml
@@ -1,3 +1,7 @@
+- name: reboot
+  reboot:
+  when: "'handler' not in ansible_skip_tags"
+
 - name: reload interfaces
   command: ifreload -a
   when: "'handler' not in ansible_skip_tags"
@@ -8,6 +12,12 @@
     state: reloaded
   when: "'handler' not in ansible_skip_tags"
+- name: reload sshd
+  service:
+    name: sshd
+    state: reloaded
+  when: "'handler' not in ansible_skip_tags"
+
 - name: update package cache
   package:
     update_cache: yes
diff --git a/roles/proxmox/tasks/main.yml b/roles/proxmox/tasks/main.yml
index 98e02fd..1141b87 100644
--- a/roles/proxmox/tasks/main.yml
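Review bot: The inlined firewall tasks now run unconditionally, whereas the removed include was guarded by `when: is_virtual or cluster_type != 'proxmox'` because Proxmox carries its own firewall; if this role is still applied to Proxmox nodes, `Enable firewall` starts a second ruleset next to pve-firewall, and if it no longer is, a one-line comment on `Set up generic firewall rules` recording that assumption would spare the next reader the same question. Neither the `copy` of nftables.conf nor the `template` of services.nft checks the ruleset before nftables is started, so a syntax error leaves the unit failed and the host without its rules after the next boot; add `validate: 'nft -c -f %s'` to both tasks. `enabled: yes` is a YAML 1.1 truthy value and should be `enabled: true`.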
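Review bot: Dropping `selectattr('enabled')` means every interface whose name matches `^lan` now gets a `neighbor … interface peer-group fabric` line, including entries that still carry `enabled: false` in the inventory. If the `enabled` attribute was removed from the interface model this is harmless, but nothing in the diff shows that, so either keep the filter or retire the attribute in the same change. The `router bgp` block this loop sits in starts outside the hunk.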
+++ b/roles/proxmox/tasks/main.yml
@@ -3,15 +3,44 @@
   set_fact:
     is_primary: '{{ nodes is defined and inventory_hostname == (nodes | map(attribute="inventory_hostname") | sort | first) }}'
+- name: Set hostname
+  hostname:
+    name: '{{ inventory_hostname }}'
+
 - name: Set up hosts file
   template:
     dest: /etc/hosts
     src: hosts.j2
+- name: Set up resolv.conf
+  template:
+    dest: /etc/resolv.conf
+    src: resolv.conf.j2
+    mode: 0644
+
+- name: Disable SSH password authentication
+  lineinfile:
+    path: /etc/ssh/sshd_config
+    regexp: '^#?{{ item.key }}'
+    line: '{{ item.key }} {{ item.value }}'
+  loop:
+    - key: PasswordAuthentication
+      value: 'no'
+    - key: PermitRootLogin
+      value: 'prohibit-password'
+  notify: reload sshd
+
 - include_tasks: network.yml
 - include_tasks: repositories.yml
+- name: Install essential packages
+  package:
+    name:
+      - git
+      - vim
+      - tmux
+
 - name: Set up sysctls
   copy:
     dest: /etc/sysctl.d/local.conf
diff --git a/roles/proxmox/tasks/network.yml b/roles/proxmox/tasks/network.yml
index d01656d..75d0fae 100644
--- a/roles/proxmox/tasks/network.yml
+++ b/roles/proxmox/tasks/network.yml
@@ -1,3 +1,13 @@
+- name: Add rules to rename network interfaces
+  template:
+    dest: "/etc/systemd/network/10-{{ item.name }}.link"
+    src: interface.link.j2
+    mode: "0644"
+  loop: "{{ interfaces | selectattr('mac_address') }}"
+  loop_control:
+    label: "{{ item.name }}"
+  notify: reboot
+
 - name: Set up bridges
   template:
     dest: /etc/network/interfaces
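Review bot: The `lineinfile` edits in `Disable SSH password authentication` can be silently overridden: sshd keeps the first value it reads for a keyword, and the sshd_config shipped with Debian 12 begins with `Include /etc/ssh/sshd_config.d/*.conf`, so a drop-in that sets `PasswordAuthentication yes` (cloud images commonly ship one) wins over the line edited further down. Writing the two settings to their own file under /etc/ssh/sshd_config.d/ with a name that sorts before the other drop-ins (a constructed example: `00-hardening.conf`) is the robust form, and `validate: 'sshd -t -f %s'` on the task catches a broken config before `reload sshd` fires. The regexp `'^#?{{ item.key }}'` should also end on a word boundary, `'^#?{{ item.key }}\b'`, so it cannot match a longer keyword. The `value: 'prohibit-password'` / `notify: reload sshd` context in the roles/debian/tasks/main.yml hunk suggests the same tasks exist there, so the same applies to that role.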
@@ -11,4 +21,34 @@
     src: loopback.intf.j2
   notify: reload interfaces
+- name: Set up physical interfaces
+  template:
+    dest: /etc/network/interfaces.d/ansible.intf
+    src: ansible.intf.j2
+    mode: 0644
+  notify: reload interfaces
+
+- name: Run SSH instance in management VRF
+  when: interfaces | selectattr('vrf') | selectattr('vrf.name', '==', 'mgmt')
+  block:
+    - name: Configure SSH instance in management VRF
+      copy:
+        dest: /etc/ssh/
+        src: sshd_config.mgmt
+        mode: 0644
+      notify: reboot
+
+    - name: Set up a SSH instance in management VRF
+      copy:
+        dest: /etc/systemd/system/
+        src: sshd@mgmt.service
+        mode: 0644
+      notify: reboot
+
+    - name: Enable management SSH
+      service:
+        name: sshd@mgmt
+        enabled: yes
+      notify: reboot
+
 - meta: flush_handlers
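Review bot: The `when:` on `Run SSH instance in management VRF` is always true: `selectattr` returns a generator, which Jinja treats as truthy whether or not it yields anything, so the mgmt sshd config and unit are installed and a reboot is notified on every node, not only those with a mgmt VRF; use `when: interfaces | selectattr('vrf') | selectattr('vrf.name', '==', 'mgmt') | list | length > 0`. If interface entries may lack a `vrf` key, also confirm that `selectattr('vrf')` does not raise on an undefined attribute under Ansible's strict undefined handling. `enabled: yes` on `Enable management SSH` should be `enabled: true`, and the three bare `mode: 0644` values would be better quoted as `"0644"` like the `.link` task earlier in this file.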