diff --git a/.gitignore b/.gitignore
index 426e8b7e0..2c54dfbba 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,9 +4,10 @@
 *.md.html
 *.vagrant
 *.pydevproject
+*.pyc
 *.retry
 *.swp
-.vault_pass.txt
+.vault_pass.txt*
 documentation/.~lock.UMCG Research IT HPC cluster technical design.docx#
 promtools/results/*
 roles/hpc-cloud
diff --git a/callback_plugins/homsaplog.py b/callback_plugins/homsaplog.py
new file mode 100644
index 000000000..f63160e88
--- /dev/null
+++ b/callback_plugins/homsaplog.py
@@ -0,0 +1,69 @@
+'''
+callback: homsaplog
+type: stdout
+short_description: Homo sapiens friendly formatted output.
+description: Use this callback to sort though extensive debug output.
+'''
+
+from __future__ import (absolute_import, division, print_function)
+from ansible.plugins.callback.default import CallbackModule as CallbackModule_default
+from ansible.plugins.callback import CallbackBase
+try:
+    # Ansible 2.3
+    from ansible.vars import strip_internal_keys
+except ImportError:
+    try:
+        # Anisble2.4
+        from ansible.vars.manager import strip_internal_keys
+    except ImportError:
+        # Ansible 2.5
+        from ansible.vars.clean import strip_internal_keys
+try:
+    import simplejson as json
+except ImportError:
+    import json
+import sys
+reload(sys).setdefaultencoding('utf-8')
+
+__metaclass__ = type
+
+class CallbackModule(CallbackModule_default):  # pylint: disable=too-few-public-methods,no-init
+    '''
+    Override for the default callback module.
+
+    Render std err/out outside of the rest of the result which it prints with
+    indentation.
+    '''
+    CALLBACK_VERSION = 2.0
+    CALLBACK_TYPE = 'stdout'
+    CALLBACK_NAME = 'homsaplog'
+
+    def _dump_results(self, result, indent=4, sort_keys=True, keep_invocation=False):
+        '''Return the text to output for a result.'''
+
+        if result.get('_ansible_no_log', False):
+            return json.dumps(dict(censored=
+                "The output has been hidden due to the fact that 'no_log: true' was specified for this result."))
+
+        # All result keys starting with _ansible_ are for internal use only,
+        # so remove them from the result before we output anything.
+        reformatted_result = strip_internal_keys(result)
+ 
+        # remove invocation unless specifically wanting it
+        if not keep_invocation and self._display.verbosity < 3 and 'invocation' in result:
+            del reformatted_result['invocation']
+
+        # remove diff information from screen output
+        if self._display.verbosity < 3 and 'diff' in result:
+            del reformatted_result['diff']
+ 
+        # remove exception from screen output
+        if 'exception' in reformatted_result:
+            del reformatted_result['exception']
+        
+        output = json.dumps(reformatted_result, indent=indent, ensure_ascii=False, sort_keys=sort_keys)
+        output = output.replace('\\r\\n\",', '",')
+        output = output.replace('\\r\\n', "\n\t")
+        output = output.replace('\\n\",', '",')
+        output = output.replace('\\n', "\n\t")
+        return output
diff --git a/cinder-controller.yml b/cinder-controller.yml
deleted file mode 100644
index 2ac183afc..000000000
--- a/cinder-controller.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- hosts: all
-  name: Dummy to gather facts
-  tasks: []
-
-- hosts: cinder-controller
-  become: True
-  roles:
-     - hpc-cloud/roles/cinder-controller
diff --git a/cinder-storage.yml b/cinder-storage.yml
deleted file mode 100644
index 577a2fdd5..000000000
--- a/cinder-storage.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- hosts: all
-  name: Dummy to gather facts
-  tasks: []
-
-- hosts: cinder-storage
-  become: True
-  roles:
-     - hpc-cloud/roles/cinder-storage
diff --git a/cluster.yml b/cluster.yml
index 7da05e880..c8ad37a9c 100644
--- a/cluster.yml
+++ b/cluster.yml
@@ -1,9 +1,41 @@
 ---
-- name: Sign host keys of all cluster hosts.
+- name: Sanity checks before we start.
+  hosts: all
+  pre_tasks:
+    - name: Verify Ansible version meets requirements.
+      assert:
+        that: "ansible_version.full | version_compare('2.4', '>=')"
+        msg: 'You must update Ansible to at least 2.4.x to use this playbook.'
+
+- import_playbook: local_admin_users.yml
+
+- name: Install roles needed for all virtual cluster components.
   hosts: all
   roles:
+    - logins
     - ssh_host_signer
     - ssh_known_hosts
+  tasks:
+    - cron:
+        #
+        # Silly workaround for bug in interaction dbus <-> logind
+        # Need DBus 1.11.10 for a fix, but CentOS 7.6 is stuck on dbus 1.10.24.
+        #
+        name: Restart systemd-logind
+        minute: "/10"
+        user: root
+        job: /bin/systemctl restart systemd-logind
+        cron_file: restart_logind
+      become: true
+
+- name: Mount the ceph volume
+  hosts:
+     - compute-vm
+     - sys-admin-interface
+     - deploy-admin-interface
+  become: True
+  roles:
+     - mount-volume
 
 - name: Install roles needed for all virtual cluster components except jumphosts.
   hosts: cluster
@@ -14,6 +46,8 @@
      - ldap
      - node_exporter
      - cluster
+     - resolver
+     - shared_storage
 
 - name: Install ansible on admin interfaces (DAI & SAI).
   hosts:
@@ -46,18 +80,21 @@
 - hosts: slurm
   become: true
   roles:
+     - slurm
      - prom_server
      - cadvisor
-     - slurm
+  vars:
+     # These variables are needed by the mariadb role.
+     # Which is a depencency of the slurm role.
+     # See roles/slurm/meta/main.yml
+     hostname_node0: "{{ ansible_hostname }}"
+     ip_node0: "{{ ansible_default_ipv4['address'] }}"
 
 - name: Install virtual compute nodes
   hosts: compute-vm
   become: true
   tasks:
   roles:
-     - compute-vm
-     - isilon
-     - datahandling
      - slurm-client
 
 - name: Install User Interface (UI)
@@ -66,19 +103,5 @@
   tasks:
   roles:
      - slurm_exporter
-     - user-interface
-     - datahandling
-     - isilon
      - slurm-client
-
-- name: Export /home on NFS server.
-  hosts: user-interface:&talos-cluster
-  roles:
-     - nfs_home_server
-
-- name: Mount /home on NFS clients.
-  hosts: compute-vm&talos-cluster
-  roles:
-     - nfs_home_client
-
-- import_playbook: users.yml
+...
diff --git a/documentation/Gearshift_technical_design.md b/documentation/Gearshift_technical_design.md
index de7334476..5c895e28b 100644
--- a/documentation/Gearshift_technical_design.md
+++ b/documentation/Gearshift_technical_design.md
@@ -103,7 +103,7 @@ Figure 4. Network design for gs-compute[0-9] node
 
 Figure 5. Network design for gs-vcompute[0-9] virtual compute node
 
- ![](./media/media/image6.jpg)
+ ![](./media/media/image6a.jpg)
 
 ### Compute cluster design
 
diff --git a/documentation/media/media/image6a.jpg b/documentation/media/media/image6a.jpg
new file mode 100644
index 000000000..a7820eca1
Binary files /dev/null and b/documentation/media/media/image6a.jpg differ
diff --git a/gearshift_hosts.ini b/gearshift_hosts.ini
index 07a7483d1..689b94092 100644
--- a/gearshift_hosts.ini
+++ b/gearshift_hosts.ini
@@ -1,43 +1,3 @@
-[databases]
-gs-openstack
-gs-compute10
-gs-compute11
-
-[keystone]
-gs-openstack
-
-[glance-controller]
-gs-openstack
-
-[heat]
-gs-openstack
-
-[horizon]
-gs-openstack
-
-[rabbitmq]
-gs-openstack
-gs-compute10
-gs-compute11
-
-[memcached]
-gs-openstack
-
-[neutron-controller]
-gs-openstack physical_interface_mappings=provider:enp130s0f0
-
-[nova-controller]
-gs-openstack
-
-[cinder-controller]
-gs-openstack
-
-[cinder-storage]
-gs-compute[01:11] storage_volume=/dev/sdb
-
-[nova-compute]
-gs-compute[01:11] physical_interface_mappings=provider:enp130s0f0
-
 [jumphost]
 airlock
 
@@ -68,7 +28,3 @@ administration
 [gearshift-cluster:children]
 cluster
 jumphost
-
-[metal]
-gs-openstack
-gs-compute[01:11]
diff --git a/glance-controller.yml b/glance-controller.yml
deleted file mode 100644
index 4d307f798..000000000
--- a/glance-controller.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- hosts: all
-  name: Dummy to gather facts
-  tasks: []
-
-- hosts: glance-controller
-  become: True
-  roles:
-     - hpc-cloud/roles/glance-controller
diff --git a/group_vars/administration.yml b/group_vars/administration.yml
new file mode 100644
index 000000000..abdea6dcb
--- /dev/null
+++ b/group_vars/administration.yml
@@ -0,0 +1,3 @@
+---
+
+volume_mount_point: "/apps"
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index caee5db9e..1a25ad9e6 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -5,4 +5,135 @@ ssh_host_signer_ca_private_key: "{{ ssh_host_signer_ca_keypair_dir }}/hpc-ca"
 ssh_host_signer_key_types: '.*(rsa|ed25519).*'
 ssh_host_signer_hostnames: "{{ ansible_fqdn }},{{ ansible_hostname }}{% for host in groups['jumphost'] %},{{ host }}+{{ ansible_hostname }}{% endfor %}"
 spacewalk_server_url: 'http://spacewalk.hpc.rug.nl/XMLRPC'
+slurm_table_name: "{{ stack_prefix }}_slurm_accounting"
+#
+# Configure allowed network ports for geerlingguy.firewall role
+#
+firewall_allowed_tcp_ports:
+  - '22'   # SSH
+#
+# Local user account specs.
+# Note:
+#  *  all local users are listed here.
+#  * In ../[name]-cluster/vars.yml we list which users are created locally on which cluster as regular and/or admin users.
+#  * Never ever change nor recycle a UID value here unless you are in for a surprise...
+#
+auth_users:
+  pieter:
+    comment: 'Pieter Neerincx'
+    uid: 1001
+    pub_keys: |
+              ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCdOt9U8m3oa/ka8vRTOWxU9uh13hR9F5FoW7SRbrQMWX3XYCEF1mFSTU0WHqYlkOm5atbkqRnR2WUOuG2YjCDJ6KqvpYGjITqHilBCINkWuXozoT5HkGbMtcN1nYDh4b+lGhg3ttfTBKBPusLz0Mca68EL6MjmSsgbRSIceNqFrfbjcc/YhJo7Kn769RW6W/ToClVHNHqgC47ZGXDc5acUrcfiaPNFSlyUjqCMKyO7sGOm/o4TTLffznH4A4iNn+/IX+7dGZRlwcmPjsBlpMk8zjQQqDE6l/UykbwKgYBJRO02PeNg3bqDAwSGR5+e4raJ3/mN3tkQqC/cAD3h4eWaRTBJdnLltkOFFeXux4jvuMFCjLYslxHK/LH//GziarA0OQVqA+9LWkwtLx1rKtNW6OaZd45iandwUuDVzlbADxwXtqjjnoy1ZUsAR83YVyhN/fqgOe2i34Q48h27rdkwRwAINuqnoJLufaXyZdYi4QintKOScp3ps/lSXUJq+zn7yh54JCz2l/MhDNUBpBWvZevJTXxqQBszAp5gv0KE2VuPOyrmzo+QeBxKqglMSonguoVolfb9sEYT5Xhu1zR6thRtoBT813kzpeVSzMUAr/KOD+ILSjWKUNT0JuiCXsEDD7Zqx/kspTsHpi/+2irAdcXgAEA+fiJqxsNfV4cpQw== pneerincx
+              ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBzwniHWpMcGx0Pj3rZvXuaJbZa+iNbNpIhuARXW/GV0 pneerincx ED25519
+  gerben:
+    comment: 'Gerben van der Vries'
+    uid: 1002
+    pub_keys: |
+              ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCUfwAhBD4vCDYgsr04Kxn1e+vIcx7EzOEJrwi4Bv1Fc329TAifMTLeXXjPlehNvDvxq1Eb6I0v0CA01OwtD2QH+jnKGK7/RXwOfKHZQDsfZ1qL725So8z2rLfTOiIBn01zwSZTPoMC0NoDEj1H7RUpuSTSWazRmZJAi4S9aWU7DK+aWp0vR4UzvxWNFuzhhSJPOrHBx0O6st67oVRyhhIFo67dIfgI/fDwuT7+hAfAzGtuWAW1SI33ucDtaSSs3CT6ndPIU1jzRwrK/Xoq2vzyso6ptj9N/qJfauVUtwhQs//9hGjIP7H2m4maUDR60qDveUy4QNbRoJQuT28FrZxdYjEWyU7E3/yuBSX5Lggk9GuolpGBTj3EDLth0LUsB/hjjGNSebNL/pF5wQR9Usu9omXf4f3dPfU/X0SaWjeY1ukU4saRefn9FIu1ZV3w6TQUybM/2ZcHzbS2JDieirMTZ2uGUVZyAX4TID40Pc84bcFbfQULkqBGPmp2X3rrfJgg8GmmX92qT/OEEPQ6tsA909dxvXGMYzb/7B5MjiAjdkhhIlRzjFz8zy0dkTAMopxwHPI4Fr1z/LhP8Or7pv31HfG/RIW8pOcanvvRRzqoSohDrfxobzczce42S/qrD0sE2gQdwbnAh0JlPmB7erSrqhxEjw0pHXd8CWx4yH3oJQ== gvdvries
+  marieke:
+    comment: 'Marieke Bijlsma'
+    uid: 1003
+    pub_keys: |
+              ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDb8ulPLVGL78KJ8Egg7i2V9JLsge4m4+G6kdCuX7p7T7WRFH54DjaBl52UnkgbuTML/2r6c1gk3pXF2wlOtyHKqhD4AyvY1l/NyLSn1kkgY3XaWp64pFmmEydqOOrPX6L9cMGEyPjnfjr/GWbihzFn7E9Hc0kkp7CPbbdAlmwnKTk1m87CtKHVVV7rg7t7tI+pwoBhAGq1KpwxvNyKQT9Duwo+0eP/xZPZ/b12j7edxjjgpEtV+mCldsbXS+JyMVAScJXYV6TYcSyZhNhLnhzZIikjvV8/LcFxt4sURMeWLkiw3EqQOpDazJT6p6zo0KFfglvYG7ps8ijsnYuz4BkvMGx5bJQZVT4RdzQASisEUhJY1t0ZLGfs4bix2yMNmwCkypNZq72G2p/e2A9n1NhVSyOXfzHonQBFbL5xUX/1PNKXt027wTCbnl0OA/gLdez0NeanRzVjfDJGLOueC93rAJRIAWk+UOUBWAmHvL7XdnrgPq2puxk3sKCijUgxEkh1xqgMST5MTq3DMzese4jeuAQErhs5WnkOiythn4i4ydJ0oUwAjZhSFnGBSzol0Iar6chxfsp2U/pcl97QKXGLXkIvlZ7vMtYdbxopJ8uYQaOdkDycU1upR6pylZ6LnP8mF+iTqcHry4rmQ5rp46m2L5Cbp3eJZ7LFPXTVLUvWWw== mbijlsma
+  egon:
+    comment: 'Egon Rijpkema'
+    uid: 1004
+    pub_keys: |
+              ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUBdTEHUj6MxvfEU7KcI+UPAvqJ9jGJ7hHm3e7XFTb9 egon@egon-pc
+  morris:
+    comment: 'Morris Swertz'
+    uid: 1005
+    pub_keys: |
+              ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDfKxBNTqlsoTt1DloXbsRDqUyZgYbAGFsSOKhkHfjTD7zotloUwsd7388J/Ip9dOE5xPySWMSqmjcY8FLYIsEnKaC2LKJya6ck0sOrW+kynV+H9VxLsdnErw5bh8Uga3cGeHX+NKRw9dyNkvFB5B690PidBmSXRRTvXVUBvUeYAAdaoVGSQFtgV/lri2ojWR0yVpy2oCqI/eoXO13NJZS8hyoMDTI1QmnuqarNPIIvYmrAr/bO0fNJuzLqzoAcfw6I4rOw/iE8Zuo2Tl9Erjh1J9nJ91Q+78/VY1H7etltNZe4zxtipaB0HfjkHmhTW2xNMNi5D9FkzHbPhlpShzwsajP0xRpQ8JIgsOli/OHnVU0Mzd6WQf43CliNQMj5Qh50TUYdd0IW0ypjz/h2QEmh560R0NHbvRJ6BDHACceszAMPQjj4zlJLxZJejQ2GijWtvL2Yq2XyVlE7rPH3GA1x3Fy29yBNrgkWsH5CKLMudqBiQ6Js9rHJwQx/WjMA6hLiNqxbHW8t5UHNA4C/tppT12qLWvQkAUUOh9ij/aRnT69V4DlZ/nfbtcJWSjiIToCX++GATm1JrlmzGYoqZy5OMGp5SIdd6+CT+D8E01q9nZYkWokT2EeL3r6I1b8CwIVpmDb5cx6d60tOLjh09jeQMc0PcxeRs6Jo6lQj3L4sZw== m.a.swertz@rug.nl
+  roan:
+    comment: 'Roan Kanninga'
+    uid: 1006
+    pub_keys: |
+              # Revoked: key format not compliant with requirements.
+  wim:
+    comment: 'Wim Nap'
+    uid: 1007
+    pub_keys: |
+              ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEY6mVTXsbXOfN5FSYvTMgK8JnODeR7NB50Ilvz3eDd9 w.k.nap
+  ger:
+    comment: 'Ger Strikwerda'
+    uid: 1008
+    pub_keys: |
+              ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDvx1ebTndL/HitD30uNpvESXWUAxT3j0e0CzrBUZ8fHDv+vZTbWBRtWbnLgCnVDPa3GclA1lpnvJD9JBjBhUa8= ger@ger-pc
+  robin:
+    comment: 'Robin Teeninga'
+    uid: 1009
+    pub_keys: |
+              # Revoked: key format not compliant with requirements.
+
+  kees:
+    comment: 'Kees Visser'
+    uid: 1010
+    pub_keys: |
+              ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbGIEjuURXEI2rPUzLzQSsH/OvZJQwCPFO7w0Uls9Xy stealth@operator
+
+  gvdvries:
+    comment: 'Gerben van der Vries'
+    uid: 1011
+    pub_keys: |
+              ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCUfwAhBD4vCDYgsr04Kxn1e+vIcx7EzOEJrwi4Bv1Fc329TAifMTLeXXjPlehNvDvxq1Eb6I0v0CA01OwtD2QH+jnKGK7/RXwOfKHZQDsfZ1qL725So8z2rLfTOiIBn01zwSZTPoMC0NoDEj1H7RUpuSTSWazRmZJAi4S9aWU7DK+aWp0vR4UzvxWNFuzhhSJPOrHBx0O6st67oVRyhhIFo67dIfgI/fDwuT7+hAfAzGtuWAW1SI33ucDtaSSs3CT6ndPIU1jzRwrK/Xoq2vzyso6ptj9N/qJfauVUtwhQs//9hGjIP7H2m4maUDR60qDveUy4QNbRoJQuT28FrZxdYjEWyU7E3/yuBSX5Lggk9GuolpGBTj3EDLth0LUsB/hjjGNSebNL/pF5wQR9Usu9omXf4f3dPfU/X0SaWjeY1ukU4saRefn9FIu1ZV3w6TQUybM/2ZcHzbS2JDieirMTZ2uGUVZyAX4TID40Pc84bcFbfQULkqBGPmp2X3rrfJgg8GmmX92qT/OEEPQ6tsA909dxvXGMYzb/7B5MjiAjdkhhIlRzjFz8zy0dkTAMopxwHPI4Fr1z/LhP8Or7pv31HfG/RIW8pOcanvvRRzqoSohDrfxobzczce42S/qrD0sE2gQdwbnAh0JlPmB7erSrqhxEjw0pHXd8CWx4yH3oJQ== gvdvries
+  pneerincx:
+    comment: 'Pieter Neerincx'
+    uid: 1012
+    pub_keys: |
+              ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCdOt9U8m3oa/ka8vRTOWxU9uh13hR9F5FoW7SRbrQMWX3XYCEF1mFSTU0WHqYlkOm5atbkqRnR2WUOuG2YjCDJ6KqvpYGjITqHilBCINkWuXozoT5HkGbMtcN1nYDh4b+lGhg3ttfTBKBPusLz0Mca68EL6MjmSsgbRSIceNqFrfbjcc/YhJo7Kn769RW6W/ToClVHNHqgC47ZGXDc5acUrcfiaPNFSlyUjqCMKyO7sGOm/o4TTLffznH4A4iNn+/IX+7dGZRlwcmPjsBlpMk8zjQQqDE6l/UykbwKgYBJRO02PeNg3bqDAwSGR5+e4raJ3/mN3tkQqC/cAD3h4eWaRTBJdnLltkOFFeXux4jvuMFCjLYslxHK/LH//GziarA0OQVqA+9LWkwtLx1rKtNW6OaZd45iandwUuDVzlbADxwXtqjjnoy1ZUsAR83YVyhN/fqgOe2i34Q48h27rdkwRwAINuqnoJLufaXyZdYi4QintKOScp3ps/lSXUJq+zn7yh54JCz2l/MhDNUBpBWvZevJTXxqQBszAp5gv0KE2VuPOyrmzo+QeBxKqglMSonguoVolfb9sEYT5Xhu1zR6thRtoBT813kzpeVSzMUAr/KOD+ILSjWKUNT0JuiCXsEDD7Zqx/kspTsHpi/+2irAdcXgAEA+fiJqxsNfV4cpQw== pneerincx
+              ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBzwniHWpMcGx0Pj3rZvXuaJbZa+iNbNpIhuARXW/GV0 pneerincx ED25519
+  mbijlsma:
+    comment: 'Marieke Bijlsma'
+    uid: 1013
+    pub_keys: |
+              ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDb8ulPLVGL78KJ8Egg7i2V9JLsge4m4+G6kdCuX7p7T7WRFH54DjaBl52UnkgbuTML/2r6c1gk3pXF2wlOtyHKqhD4AyvY1l/NyLSn1kkgY3XaWp64pFmmEydqOOrPX6L9cMGEyPjnfjr/GWbihzFn7E9Hc0kkp7CPbbdAlmwnKTk1m87CtKHVVV7rg7t7tI+pwoBhAGq1KpwxvNyKQT9Duwo+0eP/xZPZ/b12j7edxjjgpEtV+mCldsbXS+JyMVAScJXYV6TYcSyZhNhLnhzZIikjvV8/LcFxt4sURMeWLkiw3EqQOpDazJT6p6zo0KFfglvYG7ps8ijsnYuz4BkvMGx5bJQZVT4RdzQASisEUhJY1t0ZLGfs4bix2yMNmwCkypNZq72G2p/e2A9n1NhVSyOXfzHonQBFbL5xUX/1PNKXt027wTCbnl0OA/gLdez0NeanRzVjfDJGLOueC93rAJRIAWk+UOUBWAmHvL7XdnrgPq2puxk3sKCijUgxEkh1xqgMST5MTq3DMzese4jeuAQErhs5WnkOiythn4i4ydJ0oUwAjZhSFnGBSzol0Iar6chxfsp2U/pcl97QKXGLXkIvlZ7vMtYdbxopJ8uYQaOdkDycU1upR6pylZ6LnP8mF+iTqcHry4rmQ5rp46m2L5Cbp3eJZ7LFPXTVLUvWWw== mbijlsma
+  mswertz:
+    comment: 'Morris Swertz'
+    uid: 1014
+    pub_keys: |
+              ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDfKxBNTqlsoTt1DloXbsRDqUyZgYbAGFsSOKhkHfjTD7zotloUwsd7388J/Ip9dOE5xPySWMSqmjcY8FLYIsEnKaC2LKJya6ck0sOrW+kynV+H9VxLsdnErw5bh8Uga3cGeHX+NKRw9dyNkvFB5B690PidBmSXRRTvXVUBvUeYAAdaoVGSQFtgV/lri2ojWR0yVpy2oCqI/eoXO13NJZS8hyoMDTI1QmnuqarNPIIvYmrAr/bO0fNJuzLqzoAcfw6I4rOw/iE8Zuo2Tl9Erjh1J9nJ91Q+78/VY1H7etltNZe4zxtipaB0HfjkHmhTW2xNMNi5D9FkzHbPhlpShzwsajP0xRpQ8JIgsOli/OHnVU0Mzd6WQf43CliNQMj5Qh50TUYdd0IW0ypjz/h2QEmh560R0NHbvRJ6BDHACceszAMPQjj4zlJLxZJejQ2GijWtvL2Yq2XyVlE7rPH3GA1x3Fy29yBNrgkWsH5CKLMudqBiQ6Js9rHJwQx/WjMA6hLiNqxbHW8t5UHNA4C/tppT12qLWvQkAUUOh9ij/aRnT69V4DlZ/nfbtcJWSjiIToCX++GATm1JrlmzGYoqZy5OMGp5SIdd6+CT+D8E01q9nZYkWokT2EeL3r6I1b8CwIVpmDb5cx6d60tOLjh09jeQMc0PcxeRs6Jo6lQj3L4sZw== m.a.swertz@rug.nl
+  rkanninga:
+    comment: 'Roan Kanninga'
+    uid: 1015
+    pub_keys: |
+              # Revoked: key format not compliant with requirements.
+  henkjan:
+    comment: 'Henk-Jan Zilverberg'
+    uid: 1016
+    pub_keys: |
+              ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKOKgVel0GbF67zZaVR0TFo82e5XeZOP1e3Ld3gIdaER h.j.zilverberg
+  solve-rd-dm:
+    comment: 'Datamanager user of solve-rd group'
+    uid: 1018
+    pub_keys:
+  umcg-atd-dm:
+    comment: 'Datamanager user of umcg-atd group'
+    uid: 1019
+    pub_keys:
+  envsync:
+    comment: 'Environment Synchronizer'
+    uid: 1017
+    pub_keys: |
+              # No direct logins required: sudo only.
+#
+# Local group specs.
+# Note:
+#  *  all local groups are listed here.
+#  * In ../[name]-cluster/vars.yml we list which groups are created locally on which cluster.
+#  * Never ever change nor recycle a GID value here unless you are in for a surprise...
+#
+auth_groups:
+  admin:
+    gid: 20000
+  docker:
+    gid: 20001
+  users:
+    gid: 20002
+  depad:
+    gid: 20003
+  solve-rd:
+    gid: 20004
+  umcg-atd:
+    gid: 20005
 ...
diff --git a/group_vars/cluster.yml b/group_vars/cluster.yml
index 3c2df7ba2..5a2adf0b9 100644
--- a/group_vars/cluster.yml
+++ b/group_vars/cluster.yml
@@ -1,5 +1,11 @@
 ---
 ansible_python_interpreter: /usr/bin/python2.7
+#
+# Configure allowed network ports for geerlingguy.firewall role
+#
 firewall_allowed_tcp_ports:
-  - "22"
-  - "6818"  # slurmd
+  - '22'   # SSH
+  - '6817' # Slurm
+  - '6818' # Slurm
+  - '6819' # Slurm
+...
diff --git a/group_vars/gearshift-cluster/secrets.yml b/group_vars/gearshift-cluster/secrets.yml
index c3d2c0924..a534bb3bd 100644
--- a/group_vars/gearshift-cluster/secrets.yml
+++ b/group_vars/gearshift-cluster/secrets.yml
@@ -1,22 +1,23 @@
 $ANSIBLE_VAULT;1.1;AES256
-66366630663835306636383866396162373361353765323165356330653435616438393535633833
-3938343064333736633335373133313234386362666162660a633835636637326566633038326132
-30633735373366663933383963666634376536666266356238613530386633353037336537326334
-3465626531626132360a316361653864633863323533363930633639383133303365373230623639
-31613739316365663061663530356533613739626233316631616339383530666465633036636634
-36646237343563633534663431623264646237306563373436663332396534306335653963373161
-30633038316538623437653661616534313131373833663765326138333364326539663535306137
-31373433373637356435343735333963383265306433633532363937353332636636393237383733
-65646166383432636433363530653866363537303334393937333032386431353134343630333363
-35393231393132333033363338396334663033373565653130386335316361333232623138343430
-35616163393831363265373239363963393462613834663363666164653735666431316439376239
-61656133326665326361346630306436626130303665613630613231363865336164643765333235
-30373930386361663965333864303032386337336264336332643739353662643833326464356637
-33633462393064316664356631386131613434326437353739643265373733336633646565303439
-63353364653334613835373664646437643961623130643935303539323438313034303832313539
-37386130376238656236663930383261313330303532383263653839626436363838363862653363
-34393339666535343632643435613633333465623030663031633932313365663138336331393564
-62303132333030643633313939633332393438343338613766366232326231663238616339373737
-34633866306562613233666138316133333933313838336464366635653838303366653238373238
-65313636383863383665613133623265303531626163623262386633346132383133336631303061
-61366363333363366165613766643239386434356362303238333865613331373130
+37323464326535306263623264326333313336386432393265323939636436653965643730616230
+6666326235643761356666396138393662363734336131610a666235666234326136396630663037
+30336633626235333836666566373162646635353733306466373663393735616235373066386365
+6263356661383164300a326561623066323561356162336466323636343230666165303239303530
+39303633306266616239643933306165326233653830323933306635396433376164386336393934
+63303435633535343437356266633463326461346232353463303534346537323831363936333734
+33623366346566643736663834633266656334363961613464333063353330613266383838356439
+31613939363137613230373561376166626435323465636531303365393961333435396334383539
+38343264656461326563303562643163343562633737326434356536356138363339363733376262
+31373539636139313865353437393431613737343832303534373162663231316633643936306233
+35373066373464653565643637326234363738386635653231346638343431613762663837626136
+30323437613462646563343134653563396537316564353566623331636364656236363463643562
+63646162626564373163356536336136356631353734376462613331353830653637633436386233
+36616230663062656332633033326162643638633335633364346433643636623339633239383966
+34383432393335613439303065353865303631646361376337646634343730373465323838303964
+62343633393465623030323838616262313731313235646331636561356135373637623031633231
+62646135373539613965306139393466333964626665386431373861646163306138663563623033
+63643032663762613532646630373234343533376635633930636236663138396564666439326530
+63643665323838353433366364646133333863613134383366653163326263316461626435373565
+64386562303366303132306239383365623134333632363038353436613362633161613964363835
+35343333343533656161393964363961663734333137353436623730383139653535313535633932
+3631343435383561356538373962383664333961373665323430
diff --git a/group_vars/gearshift-cluster/vars.yml b/group_vars/gearshift-cluster/vars.yml
index f9cd8fb2f..3780e7ccd 100644
--- a/group_vars/gearshift-cluster/vars.yml
+++ b/group_vars/gearshift-cluster/vars.yml
@@ -2,6 +2,21 @@
 slurm_cluster_name: 'gearshift'
 slurm_cluster_domain: 'hpc.rug.nl'
 stack_prefix: 'gs'
+mailhub: '172.23.34.34'
+rewrite_domain: "imperator.{{ slurm_cluster_domain }}"
+motd: Vare, Vare, redde legiones!
+additional_etc_hosts: |
+  172.23.40.21       gs-compute01        gs-compute01.hpc.local
+  172.23.40.22       gs-compute02        gs-compute02.hpc.local
+  172.23.40.23       gs-compute03        gs-compute03.hpc.local
+  172.23.40.24       gs-compute04        gs-compute04.hpc.local
+  172.23.40.25       gs-compute05        gs-compute05.hpc.local
+  172.23.40.26       gs-compute06        gs-compute06.hpc.local
+  172.23.40.27       gs-compute07        gs-compute07.hpc.local
+  172.23.40.28       gs-compute08        gs-compute08.hpc.local
+  172.23.40.29       gs-compute09        gs-compute09.hpc.local
+  172.23.40.30       gs-compute10        gs-compute10.hpc.local
+  172.23.40.31       gs-compute11        gs-compute11.hpc.local
 vcompute_hostnames: "{{ stack_prefix }}-vcompute[01-11]"
 vcompute_sockets: 2
 vcompute_cores_per_socket: 14
@@ -10,17 +25,62 @@ vcompute_max_cpus_per_node: "{{ vcompute_sockets * vcompute_cores_per_socket - 2
 vcompute_max_mem_per_node: "{{ vcompute_real_memory - vcompute_sockets * vcompute_cores_per_socket * 512 }}"
 vcompute_local_disk: 2900
 vcompute_features: 'tmp01'
+vcompute_ethernet_interfaces:
+  - 'eth0'
+  - 'eth1'
+  - 'eth2'
 ui_hostnames: "{{ slurm_cluster_name }}"
 ui_sockets: 2
 ui_cores_per_socket: 2
 ui_real_memory: 8192
 ui_local_disk: 0
 ui_features: 'prm01,tmp01'
+ui_ethernet_interfaces:
+  - 'eth0'
+  - 'eth1'
+  - 'eth2'
 ssh_host_signer_ca_private_key: "{{ ssh_host_signer_ca_keypair_dir }}/umcg-hpc-ca"
 uri_ldap: 172.23.40.249
 uri_ldaps: comanage-in.id.rug.nl
 ldap_port: 389
 ldaps_port: 636
-ldap_base: ou=umcg,o=asds
+ldap_base: ou=research,o=asds
 ldap_binddn: cn=clusteradminumcg,o=asds
+filter_passwd: '(|(rugpersonentitlementvalue=scz)(rugpersonentitlementvalue=umcg))'
+filter_shadow: '(|(rugpersonentitlementvalue=scz)(rugpersonentitlementvalue=umcg))'
+pam_authz_search: '(|(&(objectClass=posixGroup)(cn=co_bbmri_g-GRP_Gearshift)(memberUid=$username))(&(cn=$username)(rugpersonentitlementvalue=umcg)))'
+nameservers: [
+  '172.23.40.244', # Order is important: local DNS for Isilon storage first!
+  '8.8.4.4',       # Google DNS.
+  '8.8.8.8',       # Google DNS.
+]
+local_admin_groups:
+  - 'admin'
+  - 'docker'
+local_admin_users:
+  - 'egon'
+  - 'henkjan'
+  - 'wim'
+envsync_user: 'umcg-envsync'
+envsync_group: 'umcg-depad'
+pfs_mounts: [
+  { pfs: 'umcgst10',
+    source: 'gcc-storage001.stor.hpc.local:/ifs/rekencluster/umcgst10',
+    type: 'nfs4',
+    rw_options: 'defaults,_netdev,vers=4.0,noatime,nodiratime',
+    ro_options: 'defaults,_netdev,vers=4.0,noatime,nodiratime,ro' },
+]
+lfs_mounts: [
+  { lfs: 'home',
+    pfs: 'umcgst10' },
+  { lfs: 'groups/GROUP/tmp01',
+    pfs: 'umcgst10',
+    groups: ['umcg-atd', 'umcg-gcc'] },
+  { lfs: 'groups/GROUP/prm01',
+    pfs: 'umcgst10',
+    groups: ['umcg-atd', 'umcg-gcc'] },
+  { lfs: 'env01',
+    pfs: 'umcgst10',
+    machines: "{{ groups['compute-vm'] + groups['user-interface'] }}" },
+]
 ...
diff --git a/group_vars/hyperchicken-cluster/secrets.yml b/group_vars/hyperchicken-cluster/secrets.yml
index 6b72a27f5..1eed7a3fb 100644
--- a/group_vars/hyperchicken-cluster/secrets.yml
+++ b/group_vars/hyperchicken-cluster/secrets.yml
@@ -1,19 +1,22 @@
 $ANSIBLE_VAULT;1.1;AES256
-65663166613837656436313139396532613838346234303835366338623938623737636435623030
-3438356330643166383735633363623965383233356336330a353233663163353661626564643338
-61653138373230343832383139386637643432376231343237613835363731373837353363636439
-6137646633303661370a653762326165343039346237353964383165323339653535333762643830
-61633863356234383233393630353065363130353333343532373238306538356435643264343938
-36396366303765373862343338363534343763336534626363633763386130613833353961346535
-34353539313066666463623961353134616333326538366235333831316565346266313933376466
-32313533623162353535633964346630336266636162323864656530343131343663303339646339
-36623866663661666533363861663033373439643634363136343032343436396637373965316666
-35343236616335313164396463363461636338633030363837616231303230393138303531343739
-61643238356537646634343563323066396636323339396538313338346666386130636537343435
-31626133306530306566323137323361653065356437613937643830386330636361653935613961
-33373461363361316534353266613165373066633963363837366332326234663830353835646337
-36646263323234303261663861623139316131663763616134326263656236356165383333663564
-32306562366235386431623232336165653135376364323365353636373932323330306136656563
-39383038393133616236366137663035303863333836626462363836343538363438653633666264
-66643130313061633930303437353166653130356235356439373766313336363539376233323733
-3932323864356263353166353465623931666438323631303065
+37643739623137373937626163616339396636303734303334373166643532326565333139643935
+6265376364346265343031643261363830393833636233370a653233383235343739326137333663
+64323762313064366230663431373365623830616263306131333966643533646533316462333462
+3331626536623633300a646431653132343337633936326138363763643838633461613230656336
+36306563656432376539353839323865656566346431336266386665663764343262653130643164
+62323064646437666537626239663439666334303537623335343036303161643031373963333061
+65633837616239303663303138646431643165616639366362303161363231396166326131303562
+63616533633566666239303965326335373561313937636536356139623961306230646231643864
+61363632313737326564663930343061656336356634336631623839336531333564376133613835
+30363137613735326265346361313861626631396439633533303866343533313237346566356362
+62353037373735653061313233643732653030396134323132323135376131336535383664666131
+65323437306264616232303436363133373035326462653539653963663937656463663136346335
+66656634353730336461656161336536306362323533373261643338623865613863373164633266
+39656663316664326435316232313635373734303137333131646138336165346266613161353737
+34306333386532633066363164326161343338303831626361333333326235303861333633316561
+31326334316630626635313135323561643035316233653962353464363966303832663536666339
+33393439643637363963653234333561656234366362323962363530613439663236333935643138
+63633235653161373463393462643632306134346636343766646134663931336433353336633761
+31306362636564646534393662663266353731313133393636393866643661613664366636373464
+61626465373864636537363839383962623034636233656139656562623565393032336463633435
+32396434333330396332373339323132656438636137303162616665653230393262
diff --git a/group_vars/hyperchicken-cluster/vars.yml b/group_vars/hyperchicken-cluster/vars.yml
index b010e2cdf..4820a2c62 100644
--- a/group_vars/hyperchicken-cluster/vars.yml
+++ b/group_vars/hyperchicken-cluster/vars.yml
@@ -1,22 +1,31 @@
 ---
 slurm_cluster_name: 'hyperchicken'
-#slurm_cluster_domain: ''
+slurm_cluster_domain: 'gcc.rug.nl'
 stack_prefix: 'hc'
+mailhub: '192.168.0.5'
+rewrite_domain: "{{ stack_prefix }}-sai.{{ slurm_cluster_domain }}"
+motd: "To solve or not to solve, that's the question."
 vcompute_hostnames: "{{ stack_prefix }}-vcompute[01-05]"
-vcompute_sockets: 1
-vcompute_cores_per_socket: 9
-vcompute_real_memory: 20000
+vcompute_sockets: 16
+vcompute_cores_per_socket: 1
+vcompute_real_memory: 64264
 vcompute_max_cpus_per_node: "{{ vcompute_sockets * vcompute_cores_per_socket - 2 }}"
 vcompute_max_mem_per_node: "{{ vcompute_real_memory - vcompute_sockets * vcompute_cores_per_socket * 512 }}"
 vcompute_local_disk: 0
 vcompute_features: 'tmp07'
+vcompute_ethernet_interfaces:
+  - 'eth0'
+  - 'eth1'
 ui_hostnames: "{{ slurm_cluster_name }}"
-ui_sockets: 1
+ui_sockets: 4
 ui_cores_per_socket: 1
-ui_real_memory: 3000
+ui_real_memory: 7821
 ui_local_disk: 0
 ui_features: 'prm07,tmp07'
-ssh_host_signer_ca_private_key: "{{ ssh_host_signer_ca_keypair_dir }}/umcg-hpc-ca"
+ui_ethernet_interfaces:
+  - 'eth0'
+  - 'eth1'
+ssh_host_signer_ca_private_key: "{{ ssh_host_signer_ca_keypair_dir }}/umcg-hpc-development-ca"
 key_name: Gerben
 image_cirros: cirros-0.3.4-x86_64-disk.img
 image_centos7: centos7
@@ -32,4 +41,62 @@ security_group_id: SSH-and-ping-2
 slurm_ldap: false
 availability_zone: AZ_1
 local_volume_size: 1
+nameservers: [
+  '/em-isi-3126.ebi.ac.uk/10.35.126.201',  # Local DNS lookups for shared storage.
+  '8.8.4.4',  # Google DNS.
+  '8.8.8.8',  # Google DNS.
+]
+local_admin_groups:
+  - 'admin'
+  - 'docker'
+local_admin_users:
+  - 'egon'
+  - 'gerben'
+  - 'henkjan'
+  - 'marieke'
+  - 'morris'
+  - 'pieter'
+  - 'wim'
+  - 'umcg-atd-dm'
+  - 'solve-rd-dm'
+envsync_user: 'envsync'
+envsync_group: 'depad'
+local_regular_groups:
+  - 'users'
+  - 'depad'
+  - 'solve-rd'
+  - 'umcg-atd'
+local_regular_users:
+  - user: 'envsync'
+    groups: ['depad']
+  - user: 'gvdvries'
+    groups: ['users', 'depad','umcg-atd', 'solve-rd']
+  - user: 'mbijlsma'
+    groups: ['users', 'depad','umcg-atd', 'solve-rd']
+  - user: 'mswertz'
+    groups: ['users', 'depad','umcg-atd', 'solve-rd']
+  - user: 'pneerincx'
+    groups: ['users', 'depad','umcg-atd', 'solve-rd']
+  - user: 'rkanninga'
+    groups: ['users', 'depad','umcg-atd', 'solve-rd']
+pfs_mounts: [
+  { pfs: 'Solve-RD',
+    source: 'em-isi-3126.ebi.ac.uk:/ifs/Solve-RD',
+    type: 'nfs',
+    rw_options: 'defaults,_netdev,noatime,nodiratime',
+    ro_options: 'defaults,_netdev,noatime,nodiratime,ro' },
+]
+lfs_mounts: [
+  { lfs: 'home',
+    pfs: 'Solve-RD' },
+  { lfs: 'groups/GROUP/tmp09',
+    pfs: 'Solve-RD',
+    groups: ['umcg-atd', 'solve-rd'] },
+  { lfs: 'groups/GROUP/prm09',
+    pfs: 'Solve-RD',
+    groups: ['umcg-atd', 'solve-rd'] },
+  { lfs: 'env09',
+    pfs: 'Solve-RD',
+    machines: "{{ groups['compute-vm'] + groups['user-interface'] }}" },
+]
 ...
diff --git a/group_vars/talos-cluster/secrets.yml b/group_vars/talos-cluster/secrets.yml
index 91c1b90df..a169755c7 100644
--- a/group_vars/talos-cluster/secrets.yml
+++ b/group_vars/talos-cluster/secrets.yml
@@ -1,27 +1,26 @@
 $ANSIBLE_VAULT;1.1;AES256
-36363232356235643436383162303734376463343966373436646339303861326236666337633138
-6561663835303037373831383233333134366461653539360a643237333166393266656338613530
-66366266643264383761313831343934636261666366396539376130666465313662313537366332
-3235616432613462370a623130393439636466663734326136646139373962393331316663326662
-30643837373934343337646430373463623865383931383764366466376261663034306234356133
-64386666643562653664653933336236363462346134336534616166363561306235356463653963
-65656463663232626137613533316139623462653434666532343263316362656361623032333230
-33343630376437613033333263343439636666636365336263393938383264346138333364393832
-31613663303362353364663038366637303932353364333661303635623030323666346433393265
-36303739313338353932326139373038316130323639323938613764623833353631623539316663
-33653636653865323733383133653338303861313434383136653830393637636264363234303161
-38666363636563613464313362333839643631363333636137343231306433373235336165346438
-39643634383863333631313764303161333764623930343731353037326530633937646263326234
-38656236366665663737333235336632303835333530303236363336333766626666386330303138
-34636433316163376335656431613631646436386530363837366133383764326465303865343961
-63663833303732373762303034636465383639623232663664386334323931313034353631666366
-30336266616137373862316531646464336132363436396430373233316330343336346635646537
-36613439623561393365383539366435393235356434643937323733313462386430303832653635
-35663966356561383161386464396635353935623738333965336637613931383235336138393931
-32663066613062326231393865363137613932356237343762626536316266663332333566383737
-66663933313361653639336664653934303761363966373536623231366364666362393535663933
-30383166643366613230333739333165336364383637303236316137333865313762643361383363
-65666263343463353966353461616231623164393738373034396662616563306536616538346335
-35356238323965346639313063306365313031366563653866616534636538373534653233663535
-38633963323534616336353164333435616635373165623761363864666337353764636333303132
-3132333039393739303933646165343862306632613032336538
+66613933323735386131363439346137336232393232663961303536663131313835663266636638
+3137623638393635643937316366643733636665316666620a653435613333313336356137353164
+64636637613330633436666566316439343764373337333464366136333662313231616239353131
+3832383636396163380a643063653564656661376131376264303339376433613461323833633336
+39633832633631316165306432373766336638366261313238346163323963613264656336363031
+66363563333365363761333037383836633966303763356634613865326465383333323562303437
+61643837663034633439633334333833656136386332643166613563646230383635333639303464
+32343565323639373135393235363334383364313365343464323336646166303334333033303433
+62656238316233336462366334316561313634653639653865653834373764373762323432633562
+34616235363231383734663234616233346433373030386631613832313830343534346664303430
+34376332623236383934633131316636613233653766326538336631383962346165323736633363
+64386235663930313231313534343530366135656362383437656230646530653331353835653362
+61343839376631656165326338323364653734623961383534396432333761356665353636626433
+30383130313566646465663933353033343365396361326339346539323562633032316536323637
+32646330643632636366383931383234623061636430336135376130376462663137376263393438
+34363363343832623562303637376431323733326633336335313863643834393835623335656565
+66623363353738643966306164316164393235383631316161633635653662306664666263666633
+34623465376131323039383632643266346430636630363463623866363635353638363864666539
+30306135363038363730313938363366646135656636663132313835613435623639346434396534
+31386163646532373062633631373331656366613338623638313633636165323961346562323336
+39633866336266343634393964663635386635323663333665343663326662343233343931393964
+65646534393832353438383134666132613930326561336266353165636335396332333037653863
+31636237643837623066383033646362363638613333396663343630343834373436313332373233
+32643532616630633765633530313561313636366632373364393533356162633134326531646161
+3234
diff --git a/group_vars/talos-cluster/vars.yml b/group_vars/talos-cluster/vars.yml
index 74d738673..4774a8c2a 100644
--- a/group_vars/talos-cluster/vars.yml
+++ b/group_vars/talos-cluster/vars.yml
@@ -2,20 +2,29 @@
 slurm_cluster_name: 'talos'
 slurm_cluster_domain: 'hpc.rug.nl'
 stack_prefix: 'tl'
+mailhub: '172.23.34.34'
+rewrite_domain: "{{ stack_prefix }}-sai.{{ slurm_cluster_domain }}"
+motd: "It's highly addictive"
 vcompute_hostnames: "{{ stack_prefix }}-vcompute[01-03]"
-vcompute_sockets: 2
-vcompute_cores_per_socket: 2
-vcompute_real_memory: 8192
+vcompute_sockets: 4
+vcompute_cores_per_socket: 1
+vcompute_real_memory: 7822
 vcompute_max_cpus_per_node: "{{ vcompute_sockets * vcompute_cores_per_socket - 2 }}"
 vcompute_max_mem_per_node: "{{ vcompute_real_memory - vcompute_sockets * vcompute_cores_per_socket * 512 }}"
 vcompute_local_disk: 0
 vcompute_features: 'tmp08'
+vcompute_ethernet_interfaces:
+  - 'eth0'
+  - 'eth1'
 ui_hostnames: "{{ slurm_cluster_name }}"
-ui_sockets: 2
-ui_cores_per_socket: 2
-ui_real_memory: 8192
+ui_sockets: 4
+ui_cores_per_socket: 1
+ui_real_memory: 7822
 ui_local_disk: 0
 ui_features: 'prm08,tmp08'
+ui_ethernet_interfaces:
+  - 'eth0'
+  - 'eth1'
 ssh_host_signer_ca_private_key: "{{ ssh_host_signer_ca_keypair_dir }}/umcg-hpc-development-ca"
 uri_ldap: 172.23.40.249
 uri_ldaps: comanage-in.id.rug.nl
@@ -23,4 +32,42 @@ ldap_port: 389
 ldaps_port: 636
 ldap_base: ou=umcg,o=asds
 ldap_binddn: cn=clusteradminumcg,o=asds
+nameservers: [
+  '/gcc-storage001.stor.hpc.local/172.23.40.244',  # Local DNS lookups for shared storage.
+  '8.8.4.4',  # Google DNS.
+  '8.8.8.8',  # Google DNS.
+]
+local_admin_groups:
+  - 'admin'
+  - 'docker'
+local_admin_users:
+  - 'egon'
+  - 'gerben'
+  - 'henkjan'
+  - 'marieke'
+  - 'morris'
+  - 'pieter'
+  - 'wim'
+envsync_user: 'umcg-envsync'
+envsync_group: 'umcg-depad'
+pfs_mounts: [
+  { pfs: 'umcgst11',
+    source: 'gcc-storage001.stor.hpc.local:/ifs/rekencluster/umcgst11',
+    type: 'nfs4',
+    rw_options: 'defaults,_netdev,vers=4.0,noatime,nodiratime',
+    ro_options: 'defaults,_netdev,vers=4.0,noatime,nodiratime,ro' },
+]
+lfs_mounts: [
+  { lfs: 'home',
+    pfs: 'umcgst11' },
+  { lfs: 'groups/GROUP/tmp08',
+    pfs: 'umcgst11',
+    groups: ['umcg-atd', 'umcg-gcc'] },
+  { lfs: 'groups/GROUP/prm08',
+    pfs: 'umcgst11',
+    groups: ['umcg-atd', 'umcg-gcc'] },
+  { lfs: 'env08',
+    pfs: 'umcgst11',
+    machines: "{{ groups['compute-vm'] + groups['user-interface'] }}" },
+]
 ...
\ No newline at end of file
diff --git a/hc-cluster.yml b/hc-cluster.yml
index d3cf02f53..307785433 100644
--- a/hc-cluster.yml
+++ b/hc-cluster.yml
@@ -1,4 +1,33 @@
 ---
+- name: Sanity checks before we start.
+  hosts: all
+  pre_tasks:
+    - name: Verify Ansible version meets requirements.
+      assert:
+        that: "ansible_version.full | version_compare('2.4', '>=')"
+        msg: 'You must update Ansible to at least 2.4.x to use this playbook.'
+
+- import_playbook: local_admin_users.yml
+
+- name: Install roles needed for all virtual cluster components.
+  hosts: all
+  roles:
+    - logins
+    - ssh_host_signer
+    - ssh_known_hosts
+  tasks:
+    - cron:
+        #
+        # Silly workaround for bug in interaction dbus <-> logind
+        # Need DBus 1.11.10 for a fix, but CentOS 7.6 is stuck on dbus 1.10.24.
+        #
+        name: Restart systemd-logind
+        minute: "/10"
+        user: root
+        job: /bin/systemctl restart systemd-logind
+        cron_file: restart_logind
+      become: true
+
 - name: Install roles needed for all virtual cluster components except jumphosts.
   hosts: cluster
   become: true
@@ -8,15 +37,28 @@
 #     - ldap
      - node_exporter
      - cluster
+     - resolver
+     - shared_storage
+
+- name: Install ansible on admin interfaces (DAI & SAI).
+  hosts:
+     - sys-admin-interface
+     - deploy-admin-interface
+  become: True
+  tasks:
+     - name: install Ansible
+       yum:
+          name: ansible-2.6.6-1.el7.umcg
 
 - name: Install roles needed for jumphosts.
   hosts: jumphost
   become: true
   roles:
-     - docker
+     - geerlingguy.repo-epel
+#     - ldap
      - cluster
      - node_exporter
-#     - geerlingguy.security
+     - geerlingguy.security
   tasks:
      - cron:
           name: Reboot to load new kernel.
@@ -40,8 +82,6 @@
   tasks:
   roles:
      - compute-vm
-   #  - isilon
-   #  - datahandling
      - slurm-client
 
 - name: Install User Interface (UI)
@@ -50,20 +90,7 @@
   tasks:
   roles:
      - slurm_exporter
-     - user-interface
-    # - datahandling
-    # - isilon
      - slurm-client
 
-#- name: Install ansible on admin interfaces (DAI & SAI).
-#  hosts:
-#     - imperator
-#     - sugarsnax
-#  become: True
-#  tasks:
-#     - name: install Ansible
-#       yum:
-#          name: ansible-2.6.6-1.el7.umcg
-
-- import_playbook: hc-users.yml
-  #- import_playbook: ssh-host-signer.yml
+- import_playbook: local_regular_users.yml
+...
diff --git a/hc-users.yml b/hc-users.yml
deleted file mode 100644
index 58739bf6e..000000000
--- a/hc-users.yml
+++ /dev/null
@@ -1,82 +0,0 @@
-# SSH keys of HPC colleagues.
-# for more advanced examples, see:
-# http://docs.ansible.com/ansible/latest/authorized_key_module.html
----
-- name: Initial setup
-  hosts: all
-  become: True
-
-  tasks:
-    - group:
-        name: admin
-        state: present
-
-    - name: Passwordless sudo for admins
-      lineinfile: dest=/etc/sudoers line="%admin  ALL=(ALL:ALL) NOPASSWD:ALL"
-
-    - user:
-        name: pieter
-        comment: "Pieter Neerincx"
-        group: admin
-
-    - authorized_key:
-        user: pieter
-        key: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCdOt9U8m3oa/ka8vRTOWxU9uh13hR9F5FoW7SRbrQMWX3XYCEF1mFSTU0WHqYlkOm5atbkqRnR2WUOuG2YjCDJ6KqvpYGjITqHilBCINkWuXozoT5HkGbMtcN1nYDh4b+lGhg3ttfTBKBPusLz0Mca68EL6MjmSsgbRSIceNqFrfbjcc/YhJo7Kn769RW6W/ToClVHNHqgC47ZGXDc5acUrcfiaPNFSlyUjqCMKyO7sGOm/o4TTLffznH4A4iNn+/IX+7dGZRlwcmPjsBlpMk8zjQQqDE6l/UykbwKgYBJRO02PeNg3bqDAwSGR5+e4raJ3/mN3tkQqC/cAD3h4eWaRTBJdnLltkOFFeXux4jvuMFCjLYslxHK/LH//GziarA0OQVqA+9LWkwtLx1rKtNW6OaZd45iandwUuDVzlbADxwXtqjjnoy1ZUsAR83YVyhN/fqgOe2i34Q48h27rdkwRwAINuqnoJLufaXyZdYi4QintKOScp3ps/lSXUJq+zn7yh54JCz2l/MhDNUBpBWvZevJTXxqQBszAp5gv0KE2VuPOyrmzo+QeBxKqglMSonguoVolfb9sEYT5Xhu1zR6thRtoBT813kzpeVSzMUAr/KOD+ILSjWKUNT0JuiCXsEDD7Zqx/kspTsHpi/+2irAdcXgAEA+fiJqxsNfV4cpQw== pneerincx'
-        state: present
-
-- hosts:
-    - cluster
-  become: True
-  tasks:
-    - user:
-        name: pieter
-        comment: "Pieter Neerincx"
-        group: admin
-
-    - authorized_key:
-        user: pieter
-        key: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCdOt9U8m3oa/ka8vRTOWxU9uh13hR9F5FoW7SRbrQMWX3XYCEF1mFSTU0WHqYlkOm5atbkqRnR2WUOuG2YjCDJ6KqvpYGjITqHilBCINkWuXozoT5HkGbMtcN1nYDh4b+lGhg3ttfTBKBPusLz0Mca68EL6MjmSsgbRSIceNqFrfbjcc/YhJo7Kn769RW6W/ToClVHNHqgC47ZGXDc5acUrcfiaPNFSlyUjqCMKyO7sGOm/o4TTLffznH4A4iNn+/IX+7dGZRlwcmPjsBlpMk8zjQQqDE6l/UykbwKgYBJRO02PeNg3bqDAwSGR5+e4raJ3/mN3tkQqC/cAD3h4eWaRTBJdnLltkOFFeXux4jvuMFCjLYslxHK/LH//GziarA0OQVqA+9LWkwtLx1rKtNW6OaZd45iandwUuDVzlbADxwXtqjjnoy1ZUsAR83YVyhN/fqgOe2i34Q48h27rdkwRwAINuqnoJLufaXyZdYi4QintKOScp3ps/lSXUJq+zn7yh54JCz2l/MhDNUBpBWvZevJTXxqQBszAp5gv0KE2VuPOyrmzo+QeBxKqglMSonguoVolfb9sEYT5Xhu1zR6thRtoBT813kzpeVSzMUAr/KOD+ILSjWKUNT0JuiCXsEDD7Zqx/kspTsHpi/+2irAdcXgAEA+fiJqxsNfV4cpQw== pneerincx'
-        state: present
-
-    - user:
-        name: gerben
-        comment: "Gerben van der Vries"
-        group: admin
-
-    - authorized_key:
-        user: gerben
-        key: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCUfwAhBD4vCDYgsr04Kxn1e+vIcx7EzOEJrwi4Bv1Fc329TAifMTLeXXjPlehNvDvxq1Eb6I0v0CA01OwtD2QH+jnKGK7/RXwOfKHZQDsfZ1qL725So8z2rLfTOiIBn01zwSZTPoMC0NoDEj1H7RUpuSTSWazRmZJAi4S9aWU7DK+aWp0vR4UzvxWNFuzhhSJPOrHBx0O6st67oVRyhhIFo67dIfgI/fDwuT7+hAfAzGtuWAW1SI33ucDtaSSs3CT6ndPIU1jzRwrK/Xoq2vzyso6ptj9N/qJfauVUtwhQs//9hGjIP7H2m4maUDR60qDveUy4QNbRoJQuT28FrZxdYjEWyU7E3/yuBSX5Lggk9GuolpGBTj3EDLth0LUsB/hjjGNSebNL/pF5wQR9Usu9omXf4f3dPfU/X0SaWjeY1ukU4saRefn9FIu1ZV3w6TQUybM/2ZcHzbS2JDieirMTZ2uGUVZyAX4TID40Pc84bcFbfQULkqBGPmp2X3rrfJgg8GmmX92qT/OEEPQ6tsA909dxvXGMYzb/7B5MjiAjdkhhIlRzjFz8zy0dkTAMopxwHPI4Fr1z/LhP8Or7pv31HfG/RIW8pOcanvvRRzqoSohDrfxobzczce42S/qrD0sE2gQdwbnAh0JlPmB7erSrqhxEjw0pHXd8CWx4yH3oJQ== gvdvries@local.macbook'
-        state: present
-
-    - user:
-        name: marieke
-        comment: "Marieke Bijlsma"
-        group: admin
-
-    - authorized_key:
-        user: marieke
-        key: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDb8ulPLVGL78KJ8Egg7i2V9JLsge4m4+G6kdCuX7p7T7WRFH54DjaBl52UnkgbuTML/2r6c1gk3pXF2wlOtyHKqhD4AyvY1l/NyLSn1kkgY3XaWp64pFmmEydqOOrPX6L9cMGEyPjnfjr/GWbihzFn7E9Hc0kkp7CPbbdAlmwnKTk1m87CtKHVVV7rg7t7tI+pwoBhAGq1KpwxvNyKQT9Duwo+0eP/xZPZ/b12j7edxjjgpEtV+mCldsbXS+JyMVAScJXYV6TYcSyZhNhLnhzZIikjvV8/LcFxt4sURMeWLkiw3EqQOpDazJT6p6zo0KFfglvYG7ps8ijsnYuz4BkvMGx5bJQZVT4RdzQASisEUhJY1t0ZLGfs4bix2yMNmwCkypNZq72G2p/e2A9n1NhVSyOXfzHonQBFbL5xUX/1PNKXt027wTCbnl0OA/gLdez0NeanRzVjfDJGLOueC93rAJRIAWk+UOUBWAmHvL7XdnrgPq2puxk3sKCijUgxEkh1xqgMST5MTq3DMzese4jeuAQErhs5WnkOiythn4i4ydJ0oUwAjZhSFnGBSzol0Iar6chxfsp2U/pcl97QKXGLXkIvlZ7vMtYdbxopJ8uYQaOdkDycU1upR6pylZ6LnP8mF+iTqcHry4rmQ5rp46m2L5Cbp3eJZ7LFPXTVLUvWWw== mbijlsma'
-        state: present
-
-    - user:
-        name: morris
-        comment: "Morris swertz"
-        group: admin
-
-    - authorized_key:
-        user: morris
-        key: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDfKxBNTqlsoTt1DloXbsRDqUyZgYbAGFsSOKhkHfjTD7zotloUwsd7388J/Ip9dOE5xPySWMSqmjcY8FLYIsEnKaC2LKJya6ck0sOrW+kynV+H9VxLsdnErw5bh8Uga3cGeHX+NKRw9dyNkvFB5B690PidBmSXRRTvXVUBvUeYAAdaoVGSQFtgV/lri2ojWR0yVpy2oCqI/eoXO13NJZS8hyoMDTI1QmnuqarNPIIvYmrAr/bO0fNJuzLqzoAcfw6I4rOw/iE8Zuo2Tl9Erjh1J9nJ91Q+78/VY1H7etltNZe4zxtipaB0HfjkHmhTW2xNMNi5D9FkzHbPhlpShzwsajP0xRpQ8JIgsOli/OHnVU0Mzd6WQf43CliNQMj5Qh50TUYdd0IW0ypjz/h2QEmh560R0NHbvRJ6BDHACceszAMPQjj4zlJLxZJejQ2GijWtvL2Yq2XyVlE7rPH3GA1x3Fy29yBNrgkWsH5CKLMudqBiQ6Js9rHJwQx/WjMA6hLiNqxbHW8t5UHNA4C/tppT12qLWvQkAUUOh9ij/aRnT69V4DlZ/nfbtcJWSjiIToCX++GATm1JrlmzGYoqZy5OMGp5SIdd6+CT+D8E01q9nZYkWokT2EeL3r6I1b8CwIVpmDb5cx6d60tOLjh09jeQMc0PcxeRs6Jo6lQj3L4sZw== m.a.swertz@rug.nl'
-        state: present
-
-    - user:
-        name: egon
-        comment: "Egon Rijpkema"
-        group: admin
-
-    - authorized_key:
-        user: egon
-        key: '{{ item }}'
-        state: present
-      with_items:
-          - 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKUBdTEHUj6MxvfEU7KcI+UPAvqJ9jGJ7hHm3e7XFTb9 egon@egon-pc'
-          - 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDStPUPXkcu81onUm/le54JCu174yXJJDsthDr96Mv8irBVBWuy5FxnaASuDpmC4QE4s0UAIg1iq/SWrr8qdBQ4OVuYFiW0S7ZJvcoKr/40Wh+T5MeltGQfmkDp6kBsfaMSo6M4tF1c8i+XgOgxb4fxHYb8mFhseztRLx6McxJJJLB0nu+T12WQ01nl0XtwD+3EsZWfxRH0KA59VHZSe3Anc5z+Fm7WU+1Vzy6/pkiIhVReI1L6VVhZsIdSu3fQK6fHQcujtfuw6RKEpisZQqnxMUviWQ98yeQXHk6Nx840WCh3vvKveEAoC4Y/UEZa1TMe6PczfUaLjaidUkpulJsP egon@egon-pc'
diff --git a/heat.yml b/heat.yml
deleted file mode 100644
index a5e7eecd5..000000000
--- a/heat.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- hosts: all
-  name: Dummy to gather facts
-  tasks: []
-
-- hosts: heat
-  become: True
-  roles:
-     - hpc-cloud/roles/heat
diff --git a/heat/heat_cluster.yml b/heat/heat_cluster.yml
index c08325158..043553a01 100644
--- a/heat/heat_cluster.yml
+++ b/heat/heat_cluster.yml
@@ -19,6 +19,10 @@ resources:
       networks:
         - network: vlan983
           fixed_ip: 172.23.40.33
+        - network: vlan985
+          fixed_ip: 172.23.34.33
+        - network: vlan985
+          fixed_ip: 172.23.57.33
 
   airlock:
     type: OS::Nova::Server
diff --git a/heat/talos.yml b/heat/talos.yml
index f36e754ae..e02e5a2ac 100644
--- a/heat/talos.yml
+++ b/heat/talos.yml
@@ -19,6 +19,8 @@ resources:
       networks:
         - network: vlan983
           fixed_ip: 172.23.40.92
+        - network: vlan985
+          fixed_ip: 172.23.34.92
 
   reception:
     type: OS::Nova::Server
diff --git a/horizon.yml b/horizon.yml
deleted file mode 100644
index 2ea928605..000000000
--- a/horizon.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- hosts: all
-  name: Dummy to gather facts
-  tasks: []
-
-- hosts: horizon
-  become: True
-  roles:
-     - hpc-cloud/roles/horizon
diff --git a/host_vars/hc-sai b/host_vars/hc-sai
deleted file mode 100644
index b13ae5593..000000000
--- a/host_vars/hc-sai
+++ /dev/null
@@ -1,3 +0,0 @@
----
-mailhub: 192.168.0.5
-rewrite_domain: hc-sai.gcc.rug.nl
diff --git a/host_vars/imperator b/host_vars/imperator
deleted file mode 100644
index 48ae6bd00..000000000
--- a/host_vars/imperator
+++ /dev/null
@@ -1,4 +0,0 @@
----
-mailhub: 172.23.34.34
-rewrite_domain: imperator.hpc.rug.nl
-motd: Vare, Vare, redde legiones!
diff --git a/host_vars/tl-sai b/host_vars/tl-sai
deleted file mode 100644
index 392efae47..000000000
--- a/host_vars/tl-sai
+++ /dev/null
@@ -1,5 +0,0 @@
----
-mailhub: 172.23.34.34
-rewrite_domain: tl-sai.hpc.rug.nl
-motd: It's highly addictive
-...
\ No newline at end of file
diff --git a/inventory.py b/inventory.py
index b258678e5..fd2bdf655 100755
--- a/inventory.py
+++ b/inventory.py
@@ -5,13 +5,15 @@
 External inventory script for Ansible
 =============================================================
 
-Generates Ansible inventory with hostnames from a static inventory file located in the same dir as this script.
-By default this script looks for an inventory named 
+Generates Ansible inventory with hostnames from a static inventory file located
+in the same dir as this script. By default this script looks for an inventory named
     inventory.ini
- (default) or alternatively from a file defined in
+or alternatively for an inventory file name as defined in
     export AI_INVENTORY='some_inventory.ini'
-Optionally the hostnames can be prefixed with one of our proxy/jumphost servers.
-Note we only use hostnames and not FQDN nor IP addresses as those are managed 
+
+The hostnames parsed from the static inventory file can be prefixed
+with the hostname of one of our proxy/jumphost servers.
+Note we only use hostnames and not FQDN nor IP addresses as those are managed
 together with usernames and other connection settings in
 our ~/.ssh/config files like this:
 
@@ -30,25 +32,52 @@
     ProxyCommand ssh -X -q prefix-youraccount@$(echo %h | sed 's/+[^+]*$//').hpc.rug.nl -W $(echo %h | sed 's/^[^+]*+//'):%p
 ########################################################################################################
 
-
 When the environment variable AI_PROXY is set like this:
     export AI_PROXY='lobby'
-then the hostname 'calculon' from inventory.ini will be prefixed with 'lobby' and a '+'
-resulting in:
+then the hostname 'calculon' from inventory.ini will be prefixed
+with 'lobby' and a '+' resulting in:
     lobby+calculon
 which will match the 'Host lobby+*' rule from the ~/.ssh/config file.
 =============================================================
 '''
-import os
 import argparse
-import ConfigParser
-import re
-import sys
+try:
+    # For Python >= 3.x
+    import configparser
+except:
+    # For Python 2.x
+    import ConfigParser as configparser
 try:
     import json
 except ImportError:
     import simplejson as json
-
+import os
+import re
+import sys
+from test.test_sax import start
+
+"""
+Modified ConfigParser that allows ':' in keys and only uses '=' as separator.
+We need the : to be able to specify groups of Ansible hosts like this: compute_nodes[01:16]
+"""
+class MyConfigParser(configparser.SafeConfigParser):
+    OPTCRE = re.compile(
+        r'(?P<option>[^=\s][^=]*)'      # very permissive!
+        r'\s*(?P<vi>[=])\s*'            # any number of space/tab,
+                                        # followed by separator
+                                        # (either : or =), followed
+                                        # by any # space/tab
+        r'(?P<value>.*)$'               # everything up to eol
+        )
+    OPTCRE_NV = re.compile(
+        r'(?P<option>[^=\s][^=]*)'      # very permissive!
+        r'\s*(?:'                       # any number of space/tab,
+        r'(?P<vi>[=])\s*'               # optionally followed by
+                                        # separator (only =)
+                                        # followed by any #
+                                        # space/tab
+        r'(?P<value>.*))?$'             # everything up to eol
+)
 
 class ProxiedInventory(object):
 
@@ -58,12 +87,9 @@ def __init__(self):
         self.inventory = dict()
 
         # Get proxy from ENV VAR.
+        self.proxy = '' # default when not specified.
         self.proxy = os.getenv('AI_PROXY')
-        if self.proxy:
-            self.proxy += '+'
-        else:
-            self.proxy = ''
-            
+
         # Get inventory file name from ENV VAR.
         self.inventory_file = os.getenv('AI_INVENTORY')
         if self.inventory_file:
@@ -71,10 +97,13 @@ def __init__(self):
         else:
             self.inventory_path = os.path.dirname(os.path.realpath(__file__)) + '/inventory.ini'
         if not (os.path.isfile(self.inventory_path) and os.access(self.inventory_path, os.R_OK)):
-            print 'FATAL: The static inventory file ' + self.inventory_path + ' is either missing or not readable: Check path and permissions.'
-            print '       You may need to export the AI_INVENTORY environment variable to point to a static inventory file in the same dir as where '
-            print '           ' + os.path.realpath(__file__)
-            print '       is located.'
+            print('FATAL: The static inventory file ' + self.inventory_path + "\n"
+                  '       is either missing or not readable: Check path and permissions.\n' +
+                  '       If your static inventory file has a different name,\n' +
+                  '       you need to export the AI_INVENTORY environment variable\n' +
+                  '       to point to a static inventory file in the same dir as where\n' +
+                  '           ' + os.path.realpath(__file__) + "\n" +
+                  '       is located.')
             sys.exit(1)
 
         # Read settings and parse CLI arguments.
@@ -92,20 +121,64 @@ def read_inventory_template(self):
          * in *.ini format and
          located in the same place as this script.
         """
-        _config = ConfigParser.SafeConfigParser(allow_no_value=True)
-        _config.optionxform = self.prepend_proxy
-        
+        #_config = ConfigParser.SafeConfigParser(allow_no_value=True)
+        #_config.optionxform = self.prepend_proxy
+        _config = MyConfigParser(allow_no_value=True)
         _config.read(os.path.dirname(os.path.realpath(__file__)) + '/' + self.inventory_file)
-
+        
         for _section in _config.sections():
-            for (_key, _value) in _config.items(_section):
-                self.push(self.inventory, _section, _key)
+            if re.search(':children', _section):
+                #
+                # We've got groups of machines instead of hostnames:
+                #  * Do not prefix values with name of proxy/jumphost
+                #  * and add them to a "children" section
+                #
+                #self.push(self.inventory, _section, _key)
+                _children = dict()
+                for (_key, _value) in _config.items(_section):
+                    self.push(_children, 'children', _key)
+                _section = _section.replace(':children', '')
+                self.add(self.inventory, _section, _children)
+            else:
+                #
+                # We've got actual machine hostnames:
+                #  * Prefix with name of proxy/jumphost unless it is the proxy/jumphost itself
+                #  * and add them to a 'hosts' section.
+                #
+                _hosts = dict()
+                for (_key, _value) in _config.items(_section):
+                    if _key != self.proxy:
+                        _key = self.prepend_proxy(_key)
+                    #
+                    # Check if we are dealing with a range or a single hostname.
+                    #
+                    _range_match = re.search('(.*)\[([0-9]+):([0-9]+)\](.*)', _key)
+                    if _range_match:
+                        #
+                        # It's a range -> expand the range into individual hostnames
+                        # and add them to the hosts section.
+                        #
+                        _pre_range = _range_match.group(1)
+                        _range_start = _range_match.group(2)
+                        _range_stop = _range_match.group(3)
+                        _post_range = _range_match.group(4)
+                        _range_start_length = len(_range_start)
+                        _format = '{:0' + str(_range_start_length) + 'd}'
+                        _range_items = [_format.format(i) for i in range(int(_range_start),int(_range_stop) + 1)]
+                        for _range_item in _range_items:
+                            self.push(_hosts, 'hosts', _pre_range + _range_item + _post_range)
+                    else:
+                        #
+                        # Add the single hostname to the hosts section.
+                        #
+                        self.push(_hosts, 'hosts', _key)
+                self.add(self.inventory, _section, _hosts)
 
     def prepend_proxy(self, _string):
         """
         Prepends proxy before host.
         """
-        return re.sub('^', self.proxy, _string)
+        return re.sub('^', self.proxy + '+', _string)
 
     def parse_cli_args(self):
         """
@@ -125,6 +198,12 @@ def push(self, _dict, _key, _element):
         else:
             _dict[_key] = [_element]
 
+    def add(self, _dict, _key, _element):
+        """
+        Add a key to a dict.
+        """
+        _dict[_key] = _element
+
     def dict_to_json(self, _data, _pretty=False):
         """
         Convert a dict into a string in JSON format.
diff --git a/keystone.yml b/keystone.yml
deleted file mode 100644
index 1c930b30f..000000000
--- a/keystone.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- hosts: databases
-  name: Dummy to gather facts
-  tasks: []
-
-- hosts: keystone
-  become: True
-  roles:
-     - hpc-cloud/roles/keystone
diff --git a/local_admin_users.yml b/local_admin_users.yml
new file mode 100644
index 000000000..507f7f978
--- /dev/null
+++ b/local_admin_users.yml
@@ -0,0 +1,44 @@
+---
+- name: 'Create local admin groups & users and allow admin group to use sudo on all hosts.'
+  hosts: all
+  become: True
+  tasks:
+    - name: Check if required groups are present.
+      group:
+        name: "{{ item }}"
+        gid: "{{ auth_groups[item].gid }}"
+        state: present
+      with_items: "{{ local_admin_groups }}"
+    - name: 'Allow passwordless sudo for local admin users.'
+      lineinfile: dest=/etc/sudoers line="%admin  ALL=(ALL:ALL) NOPASSWD:ALL"
+    - name: "Check if required private groups for user's home dir are present."
+      group:
+        name: "{{ item }}"                 # Use same name as user's account name for user's private group.
+        gid: "{{ auth_users[item].uid }}"  # Use same GID as user's UID for user's private group.
+        state: present
+      with_items: "{{ local_admin_users }}"
+    - name: 'Create /admin root dir for the home dirs of admin users.'
+      file:
+        path: '/admin'
+        owner: 'root'
+        group: 'root'
+        mode: 0755
+        state: 'directory'
+    - name: Create local admin users and append them to relevant groups.
+      user:
+        name: "{{ item }}"
+        uid: "{{ auth_users[item].uid }}"
+        comment: "{{ auth_users[item].comment }}"
+        group: 'admin'
+        groups: "{{ local_admin_groups }}"
+        home: "/admin/{{ item }}"
+        append: no
+      with_items: "{{ local_admin_users }}"
+    - name: 'Deploy authorized keys for admins.'
+      authorized_key:
+        user: "{{ item }}"
+        key: "{{ auth_users[item].pub_keys }}"
+        state: present
+        exclusive: yes
+      with_items: "{{ local_admin_users }}"
+...
diff --git a/local_regular_users.yml b/local_regular_users.yml
new file mode 100644
index 000000000..c46e3cd24
--- /dev/null
+++ b/local_regular_users.yml
@@ -0,0 +1,35 @@
+---
+- name: 'Create local regular users & groups.'
+  hosts: all
+  become: True
+  tasks:
+    - name: 'Check if required groups are present.'
+      group:
+        name: "{{ item }}"
+        gid: "{{ auth_groups[item].gid }}"
+        state: present
+      with_items: "{{ local_regular_groups }}"
+    - name: "Check if required private groups for user's home dir are present."
+      group:
+        name: "{{ item.user }}"                 # Use same name as user's account name for user's private group.
+        gid: "{{ auth_users[item.user].uid }}"  # Use same GID as user's UID for user's private group.
+        state: present
+      with_items: "{{ local_regular_users }}"
+    - name: 'Create local regular users and append them to relevant groups.'
+      user:
+        name: "{{ item.user }}"
+        uid: "{{ auth_users[item.user].uid }}"
+        comment: "{{ auth_users[item.user].comment }}"
+        group: "{{ item.user }}"
+        groups: "{{ item.groups }}"
+        home: "/home/{{ item.user }}"
+        append: no
+      with_items: "{{ local_regular_users }}"
+    - name: 'Deploy authorized keys for local regular users.'
+      authorized_key:
+        user: "{{ item.user }}"
+        key: "{{ auth_users[item.user].pub_keys }}"
+        state: present
+        exclusive: yes
+      with_items: "{{ local_regular_users }}"
+...
diff --git a/mariadb.yml b/mariadb.yml
deleted file mode 100644
index b0143909f..000000000
--- a/mariadb.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-# Run all plays as root.
-- hosts: databases
-  become: True
-  roles:
-      - hpc-cloud/roles/mariadb
-  vars:
-      hostname_node0: "{{ hostvars[groups['databases'][0]]['ansible_hostname'] }}"
-      hostname_node1: "{{ hostvars[groups['databases'][1]]['ansible_hostname'] }}"
-      hostname_node2: "{{ hostvars[groups['databases'][2]]['ansible_hostname'] }}"
-      ip_node0: "{{ hostvars[groups['databases'][0]]['listen_ip'] | default(hostvars[groups['databases'][0]]['ansible_default_ipv4']['address']) }}"
-      ip_node1: "{{ hostvars[groups['databases'][1]]['listen_ip'] | default(hostvars[groups['databases'][1]]['ansible_default_ipv4']['address']) }}"
-      ip_node2: "{{ hostvars[groups['databases'][2]]['listen_ip'] | default(hostvars[groups['databases'][2]]['ansible_default_ipv4']['address']) }}"
diff --git a/memcached.yml b/memcached.yml
deleted file mode 100644
index af6c17b11..000000000
--- a/memcached.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- hosts: memcached
-  become: True
-  roles:
-     - hpc-cloud/roles/memcached
diff --git a/neutron-controller.yml b/neutron-controller.yml
deleted file mode 100644
index 3992b6f0e..000000000
--- a/neutron-controller.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- hosts: all
-  name: Dummy to gather facts
-  tasks: []
-
-- hosts: neutron-controller
-  become: True
-  roles:
-     - hpc-cloud/roles/neutron-controller
diff --git a/nova-compute.yml b/nova-compute.yml
deleted file mode 100644
index 308d32683..000000000
--- a/nova-compute.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- hosts: all
-  name: Dummy to gather facts
-  tasks: []
-
-- hosts: nova-compute
-  become: True
-  roles:
-     - hpc-cloud/roles/nova-compute
diff --git a/nova-controller.yml b/nova-controller.yml
deleted file mode 100644
index 87a1db7f9..000000000
--- a/nova-controller.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-- hosts: all
-  name: Dummy to gather facts
-  tasks: []
-
-- hosts: nova-controller
-  become: True
-  roles:
-     - hpc-cloud/roles/nova-controller
diff --git a/rabbitmq.yml b/rabbitmq.yml
deleted file mode 100644
index 0dc8cf16a..000000000
--- a/rabbitmq.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-- hosts: rabbitmq
-  become: True
-  roles:
-      - hpc-cloud/roles/rabbitmq
-  vars:
-      hostname_node0: "{{ hostvars[groups['rabbitmq'][0]]['ansible_hostname'] }}"
diff --git a/requirements.yml b/requirements.yml
index bf8562e51..27b5324eb 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -1,10 +1,4 @@
 ---
-# pull down common roles from the HPC cloud repo
-- src: ssh://git@git.webhosting.rug.nl:222/HPC/hpc-cloud.git
-  name: hpc-cloud
-  version: umcg-0.2
-  scm: git
-
 # Mostly user accounts of hpc playbooks.
 - src: ssh://git@git.webhosting.rug.nl:222/HPC/HPCplaybooks.git
   name: HPCplaybooks
diff --git a/roles/cluster/handlers/main.yml b/roles/cluster/handlers/main.yml
new file mode 100644
index 000000000..6a3f8639e
--- /dev/null
+++ b/roles/cluster/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+
+- name: Restart sshd service.
+  service:
+    name: sshd
+    state: restarted
+  become: yes
+  listen: restart_sshd
+...
diff --git a/roles/cluster/tasks/main.yml b/roles/cluster/tasks/main.yml
index 70fecadb6..6b02a04fc 100644
--- a/roles/cluster/tasks/main.yml
+++ b/roles/cluster/tasks/main.yml
@@ -10,9 +10,22 @@
   become: true
   tags: ['etc_hosts']
 
+- name: Set /etc/skel/.bashrc .screenrc
+  template:
+    src: templates/{{ item }}
+    dest: /etc/skel/
+    mode: 0644
+    owner: root
+    group: root
+    backup: yes
+  become: true
+  with_items:
+    - '.bashrc'
+    - '.screenrc'
+
 - name: Set hostname to inventory_hostname
   hostname:
-    name: '{{ inventory_hostname }}'
+    name: "{{ inventory_hostname | regex_replace('^' + groups['jumphost'] | first + '\\+','') }}"
 
 - name: Set selinux in permissive mode
   selinux:
@@ -24,21 +37,31 @@
     state: latest
     update_cache: yes
     name:
+      - bzip2
       - curl
+      - figlet
       - git
       - git-core
+      - lsof
       - nano
       - ncdu
+      - ncurses-static
+      - readline-static
       - screen
+      - tcl-devel
       - telnet
       - tmux
       - tree
       - vim
-      - bzip2
-      - ncurses-static
-      - readline-static
-      - tcl-devel
-      - figlet
+      - wget
   tags:
     - software
+
+- name: Deploy sshd config.
+  template:
+    src: templates/sshd_config
+    dest: /etc/ssh/sshd_config
+    validate: '/usr/sbin/sshd -T -f %s'
+  notify: restart_sshd
+
 ...
diff --git a/roles/cluster/templates/.bashrc b/roles/cluster/templates/.bashrc
new file mode 100644
index 000000000..3d4d77dc5
--- /dev/null
+++ b/roles/cluster/templates/.bashrc
@@ -0,0 +1,20 @@
+# .bashrc
+
+#
+# Source global definitions. (DO NOT EDIT!)
+#
+if [ -f /etc/bashrc ]; then
+  . /etc/bashrc
+fi
+
+#
+# Shared HPC environment. (DO NOT EDIT!)
+#
+if [ -f /apps/modules/modules.bashrc ]; then
+  . /apps/modules/modules.bashrc
+fi
+
+#
+# User specific personal settings, aliases and functions below this comment.
+# Do *not* edit the global settings above!
+#
diff --git a/roles/cluster/templates/.screenrc b/roles/cluster/templates/.screenrc
new file mode 100644
index 000000000..17664a06a
--- /dev/null
+++ b/roles/cluster/templates/.screenrc
@@ -0,0 +1,6 @@
+#
+# Enable scrolling using mouse or shift-PgUp and shift-PgDn.
+#
+termcapinfo xterm*|vt* ti@:te@
+
+altscreen on
\ No newline at end of file
diff --git a/roles/cluster/templates/gearshift_hosts b/roles/cluster/templates/gearshift_hosts
index 733248fd4..c6f25a089 100644
--- a/roles/cluster/templates/gearshift_hosts
+++ b/roles/cluster/templates/gearshift_hosts
@@ -77,3 +77,7 @@
 195.169.22.247          calculon.gcc.rug.nl
 195.169.22.95           leucine-zipper.gcc.rug.nl
 195.169.22.8            zinc-finger.gcc.rug.nl
+
+{% if additional_etc_hosts is defined %}
+{{ additional_etc_hosts }}
+{% endif %}
diff --git a/roles/cluster/templates/sshd_config b/roles/cluster/templates/sshd_config
new file mode 100644
index 000000000..5541fee71
--- /dev/null
+++ b/roles/cluster/templates/sshd_config
@@ -0,0 +1,100 @@
+Port 22
+UseDNS no
+
+#
+# Disable protocol version 1
+#
+Protocol 2
+
+#
+# Supported (Host)Key algorithms by order of preference.
+# Do not use (EC)DSA keys!
+#
+HostKey /etc/ssh/ssh_host_ed25519_key
+HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
+HostKey /etc/ssh/ssh_host_rsa_key
+HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
+HostKeyAlgorithms      ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
+PubkeyAcceptedKeyTypes ssh-ed25519,ssh-ed25519-cert-v01@openssh.com,ssh-rsa,ssh-rsa-cert-v01@openssh.com
+
+#
+# Supported KEX (Key Exchange) algorithms.
+#
+KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
+
+#
+# ToDo: All Diffie-Hellman moduli used for diffie-hellman-group-exchange-sha256 should be at least 3072-bit-long
+#       See also man moduli. Moduli are stored in file: /etc/ssh/moduli
+#       The 5th column of this file contains the length of the moduli.
+#       To remove short moduli:
+# if [[ ! -e /etc/ssh/moduli.original ]]; then
+#     cp /etc/ssh/moduli > /etc/ssh/moduli.original
+# fi
+# awk '$5 >= 3071' /etc/ssh/moduli.original > /etc/ssh/moduli
+#
+
+#
+# Supported ciphers.
+#
+Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
+#RekeyLimit default none
+
+#
+# Supported MAC (message authentication code) algorithms.
+# Ciphers and MACs can be combined in multiple ways,
+# but only Encrypt-then-MAC (EtM) should be used.
+#
+MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com
+
+#
+# Logging
+#
+# LogLevel VERBOSE logs user's key fingerprint on login.
+# Required to have a clear audit trail of which key was used to log in.
+#
+SyslogFacility AUTHPRIV
+LogLevel VERBOSE
+
+#
+# Authentication methods.
+#
+#  * Never allow direct root login: We have admin users who can sudo.
+#    (see users.yml in the league-of-robots repo)
+#  * Disable password based auth.
+#  * Enable key pair based auth.
+#    * Fetch public keys from LDAP
+#    * Disable local keys stored in ~/.ssh/ folders except for local admin accounts.
+#
+UsePAM yes
+PermitRootLogin no
+PasswordAuthentication no
+PermitEmptyPasswords no
+ChallengeResponseAuthentication no
+GSSAPIAuthentication no
+GSSAPICleanupCredentials no
+PubkeyAuthentication yes
+AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
+AuthorizedKeysCommandUser root
+
+{% if hostvars.ssh_use_ldap %}
+AuthorizedKeysFile /dev/null
+Match Group admin
+    AuthorizedKeysFile .ssh/authorized_keys
+Match all
+{% else %}
+AuthorizedKeysFile .ssh/authorized_keys
+{% endif %}
+
+#
+# Connection settings.
+#
+X11Forwarding no
+ClientAliveInterval 300
+
+#
+# Override default of no subsystems
+# and log sftp level file access that would not be easily logged otherwise.
+#
+Subsystem sftp /usr/libexec/openssh/sftp-server -f AUTHPRIV -l INFO
+
+
diff --git a/roles/compute-vm/tasks/main.yml b/roles/compute-vm/tasks/main.yml
deleted file mode 100644
index ae185e9d4..000000000
--- a/roles/compute-vm/tasks/main.yml
+++ /dev/null
@@ -1,33 +0,0 @@
----
-- name: Make local mountpoint
-  file:
-    path: "/local"
-    mode: 0777
-    state: directory
-
-- name: "check mount point /local"
-  command: mountpoint /local
-  register: mount_local
-  failed_when: false
-
-- name: Create an ext4 filesystem on /dev/vdb
-  filesystem:
-    fstype: ext4
-    dev: /dev/vdb
-  when:
-    mount_local.rc == 1
-
-- name: Mount /dev/vdb on /local
-  mount:
-    path: /local
-    src: /dev/vdb
-    fstype: ext4
-    opts: rw,relatime
-    state: present
-
-- name: mount all mountpoints in fstab
-  command: mount -a
-  args:
-    warn: false
-  when:
-    mount_local.rc == 1
diff --git a/roles/isilon/tasks/main.yml b/roles/isilon/tasks/main.yml
deleted file mode 100644
index ea252312c..000000000
--- a/roles/isilon/tasks/main.yml
+++ /dev/null
@@ -1,38 +0,0 @@
----
-- name: make endpoints to mount isilon storage on.
-  file:
-    path: "{{ item }}"
-    mode: 0751
-    state: directory
-  with_items:
-    - /apps
-    - /.envsync/umcgst10/apps
-    - /home
-  # When it's already mounted this may result in errors.
-  # To make this idempotent errors are ignored.
-  ignore_errors:
-    yes
-
-    # Mount point that seems to work is incosistent across nodes. Even between compute nodes.
-    #- name: Mount isilon apps
-    #  mount:
-    #    path: /apps
-    #    src: gcc-storage001.stor.hpc.local:/ifs/rekencluster/umcgst10/apps
-    #    src: gcc-storage001.stor.hpc.local:/ifs/rekencluster/umcgst10/.envsync/tmp01
-    #    fstype: nfs
-    #    opts: defaults,_netdev,nolock,vers=4.0,noatime,nodiratime
-    #    state: present
-
-
-- name: Mount isilon home
-  mount:
-    path: /home
-    src: gcc-storage001.stor.hpc.local:/ifs/rekencluster/umcgst10/home
-    fstype: nfs
-    opts: defaults,_netdev,nolock,vers=4.0,noatime,nodiratime
-    state: present
-
-- name: mount all mountpoints in fstab
-  command: mount -a
-  args:
-    warn: false
diff --git a/roles/ldap/defaults/main.yml b/roles/ldap/defaults/main.yml
index 89105e686..95696fbac 100644
--- a/roles/ldap/defaults/main.yml
+++ b/roles/ldap/defaults/main.yml
@@ -1,10 +1,9 @@
 ---
-firewall_allowed_tcp_ports:
-  - "22"
 ldap_port: 389
 ldaps_port: 636
 uri_ldap: ''
 uri_ldaps: ''
 ldap_base: ''
 ldap_binddn: ''
+sshd_moduli_minimum: 3072
 ...
diff --git a/roles/ldap/files/ssh-ldap-wrapper b/roles/ldap/files/ssh-ldap-wrapper
new file mode 100755
index 000000000..84fa93245
--- /dev/null
+++ b/roles/ldap/files/ssh-ldap-wrapper
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+#
+# Custom ssh-ldap-wrapper script.
+#  * Fetches public keys from LDAP using default ssh-ldap-helper and
+#  * Filters the public keys by dropping unsupported key types or short key sizes considered weak.
+#    We accept fixed size ed25519 keys and >= 4096 bits rsa keys.
+#
+declare user="${1}"
+declare regex='^([0-9][0-9]*) .* \((.*)\)$'
+declare ssh_ldap_helper='/usr/libexec/openssh/ssh-ldap-helper'
+declare ssh_keygen='/usr/bin/ssh-keygen'
+declare rsa_key_size='4096'
+declare -a authorized_keys=()
+
+while read -r public_keys_line; do
+    test -z "${public_keys_line:-}" && continue
+    declare fingerprint="$("${ssh_keygen}" -l -f /dev/stdin <<< "${public_keys_line}")"
+    if [[ "${fingerprint}" =~ ${regex} ]]; then
+        declare key_size="${BASH_REMATCH[1]}"
+        declare key_type="${BASH_REMATCH[2]}"
+        if [[ "${key_type}" == 'ED25519' ]]; then
+            authorized_keys=("${authorized_keys[@]}" "${public_keys_line}")
+        elif [[ "${key_type}" == 'RSA' ]]; then
+            if [[ "${key_size}" -ge ${rsa_key_size} ]]; then
+                authorized_keys=("${authorized_keys[@]}" "${public_keys_line}")
+            else
+                echo "WARN: Skipping key with unsupported key size ${key_size}. "${key_type}" key size must be >= ${rsa_key_size}." 1>&2
+            fi
+        else
+            echo "WARN: Skipping unsupported key type ${key_type}." 1>&2
+        fi
+    else
+        echo "ERROR: Failed to parse key fingerprint ${fingerprint:-}." 1>&2
+    fi
+done < <("${ssh_ldap_helper}" -s "${user}")
+
+for authorized_key in "${authorized_keys[@]}"; do
+    printf '%s\n' "${authorized_key}"
+done
\ No newline at end of file
diff --git a/roles/ldap/handlers/main.yml b/roles/ldap/handlers/main.yml
new file mode 100644
index 000000000..955eefa5c
--- /dev/null
+++ b/roles/ldap/handlers/main.yml
@@ -0,0 +1,20 @@
+---
+#
+# Important: maintain correct handler order.
+# Handlers are executed in the order in which they are defined 
+# and not in the order in whch they are listed in a "notify: handler_name" statement!
+#
+- name: Restart nslcd service.
+  service:
+    name: nslcd
+    state: restarted
+  become: yes
+  listen: restart_nslcd
+
+- name: Restart sshd service.
+  service:
+    name: sshd
+    state: restarted
+  become: yes
+  listen: restart_sshd
+...
diff --git a/roles/ldap/meta/main.yml b/roles/ldap/meta/main.yml
deleted file mode 100644
index 050e08555..000000000
--- a/roles/ldap/meta/main.yml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-dependencies:
-  - role: geerlingguy.firewall
-    vars:
-      firewall_allowed_tcp_ports:
-        - "22"
-...
diff --git a/roles/ldap/tasks/main.yml b/roles/ldap/tasks/main.yml
index 5b5eefd97..e01d379e0 100644
--- a/roles/ldap/tasks/main.yml
+++ b/roles/ldap/tasks/main.yml
@@ -8,8 +8,9 @@
       - openldap-clients
       - nss-pam-ldapd
       - openssh-ldap
-      - pam_script
-      - oddjob-mkhomedir
+  notify:
+    - restart_nslcd
+    - restart_sshd
 
 - name: Deploy nslcd.conf
   template:
@@ -18,6 +19,8 @@
     owner: root
     group: root
     mode: '0600'
+  notify:
+    - restart_nslcd
 
 - name: Deploy ldap.conf
   template:
@@ -26,6 +29,8 @@
     owner: root
     group: root
     mode: '0644'
+  notify:
+    - restart_nslcd
 
 - name: Deploy nsswitch.conf
   copy:
@@ -34,76 +39,49 @@
     owner: root
     group: root
     mode: '0644'
+  notify:
+    - restart_nslcd
 
-- name: Create /etc/pam-script.d/ dir.
-  file:
-    name: /etc/pam-script.d
-    state: directory
+- name: Signal that sshd should use ldap.
+  set_fact:
+    ssh_use_ldap: true
 
-- name: Install login_checks.sh script.
-  copy:
-    src: login_checks.sh
-    dest: /etc/pam-script.d/login_checks.sh
-    owner: root
-    group: root
-    mode: '0755'
+- name: Deploy sshd config.
+  template:
+    src: templates/sshd_config
+    dest: /etc/ssh/sshd_config
+    validate: '/usr/sbin/sshd -T -f %s'
+  notify: restart_sshd
 
-- name: Enable pam_script.
-  file:
-    src: pam_script
-    dest: "/etc/{{ item }}"
-    owner: root
-    group: root
-    state: link
-  with_items:
-    - pam_script_acct
-    - pam_script_auth
-    - pam_script_passwd
-    - pam_script_ses_close
-    - pam_script_ses_open
+- name: Check if /etc/ssh/moduli contains weak (small) values.
+  shell: awk '$5 < {{ sshd_moduli_minimum }}' /etc/ssh/moduli
+  register: sshd_register_moduli
+  changed_when: false
+  check_mode: no
 
-- name: Enable login_checks.sh script for ses_open.
-  file:
-    src: login_checks.sh
-    dest: "/etc/pam-script.d/{{ item }}"
-    owner: root
-    group: root
-    state: link
-  with_items:
-    - login_checks.sh_ses_open
+- name: Remove weak (small) values from /etc/ssh/moduli.
+  shell: awk '$5 >= {{ sshd_moduli_minimum }}' /etc/ssh/moduli > /etc/ssh/moduli.new ;
+         [ -r /etc/ssh/moduli.new -a -s /etc/ssh/moduli.new ] && mv /etc/ssh/moduli.new /etc/ssh/moduli || true
+  when: sshd_register_moduli.stdout
+  notify: restart_sshd
 
-- name: Deploy password-auth-ac for PAM.
+- name: Deploy custom ssh-ldap-wrapper.
   copy:
-    src: password-auth-ac
-    dest: /etc/pam.d/password-auth-ac
+    src: ssh-ldap-wrapper
+    dest: /usr/libexec/openssh/ssh-ldap-wrapper
     owner: root
     group: root
-    mode: '0600'
-
-- name: Deploy sshd config.
-  template:
-    src: templates/sshd_config
-    dest: /etc/ssh/sshd_config
+    mode: '0755'
 
 - name: Enable services.
   systemd:
     name: "{{ item }}"
     enabled: yes
+    state: started
   with_items:
     - nslcd
-    - dbus.service
-    - oddjobd.service
+  notify:
+    - restart_nslcd
 
-- name: Run authconfig update.
-  shell: "authconfig --enablemkhomedir --update"
-
-- name: Reload services.
-  service:
-    name: "{{item}}"
-    state: reloaded
-  with_items:
-    - nslcd
-    - dbus
-    - oddjobd
-    - sshd
-...
\ No newline at end of file
+- meta: flush_handlers
+...
diff --git a/roles/ldap/templates/ldap.conf b/roles/ldap/templates/ldap.conf
index c345e32f6..7d7792f65 100644
--- a/roles/ldap/templates/ldap.conf
+++ b/roles/ldap/templates/ldap.conf
@@ -6,7 +6,7 @@
 #
 
 uri ldap://{{ uri_ldap }}
-base ou=umcg,o=asds
+base {{ ldap_base }}
 ssl no
 tls_cacertdir /etc/openldap/cacerts
 binddn {{ ldap_binddn }}
diff --git a/roles/ldap/templates/nslcd.conf b/roles/ldap/templates/nslcd.conf
index f34cf703a..f797b196a 100644
--- a/roles/ldap/templates/nslcd.conf
+++ b/roles/ldap/templates/nslcd.conf
@@ -4,5 +4,14 @@ ssl no
 tls_cacertdir /etc/openldap/cacerts
 uri ldap://{{ uri_ldap }}
 base {{ ldap_base }}
+{% if filter_passwd is defined %}
+filter passwd {{ filter_passwd }}
+{% endif %}
+{% if filter_shadow is defined %}
+filter shadow {{ filter_shadow }}
+{% endif %}
+{% if pam_authz_search is defined %}
+pam_authz_search  {{ pam_authz_search }}
+{% endif %}
 binddn {{ ldap_binddn }}
 bindpw {{ bindpw }}
diff --git a/roles/ldap/templates/sshd_config b/roles/ldap/templates/sshd_config
deleted file mode 100644
index 4cd5cb55a..000000000
--- a/roles/ldap/templates/sshd_config
+++ /dev/null
@@ -1,93 +0,0 @@
-Port 22
-UseDNS no
-
-#
-# Disable protocol version 1
-#
-Protocol 2
-
-#
-# Supported HostKey algorithms by order of preference.
-# Do not use (EC)DSA keys!
-#
-HostKey /etc/ssh/ssh_host_ed25519_key
-HostCertificate /etc/ssh/ssh_host_ed25519_key-cert.pub
-HostKey /etc/ssh/ssh_host_rsa_key
-HostCertificate /etc/ssh/ssh_host_rsa_key-cert.pub
-
-#
-# Supported KEX (Key Exchange) algorithms.
-#
-KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256
-
-# ToDo: All Diffie-Hellman moduli used for diffie-hellman-group-exchange-sha256 should be at least 3072-bit-long
-#       See also man moduli. Moduli are stored in file: /etc/ssh/moduli
-#       The 5th column od this file contains the length of the moduli.
-#       To remove short moduli:
-# if [[ ! -e /etc/ssh/moduli.original ]]; then
-#     cp /etc/ssh/moduli > /etc/ssh/moduli.original
-# fi
-# awk '$5 >= 3071' /etc/ssh/moduli.original > /etc/ssh/moduli
-#
-
-#
-# Supported ciphers.
-#
-Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
-#RekeyLimit default none
-
-#
-# Supported MAC (message authentication code) algorithms.
-# Ciphers and MACs can be combined in multiple ways,
-# but only Encrypt-then-MAC (EtM) should be used.
-#
-MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
-
-#
-# Logging
-#
-# LogLevel VERBOSE logs user's key fingerprint on login.
-# Required to have a clear audit trail of which key was used to log in.
-#
-SyslogFacility AUTHPRIV
-LogLevel VERBOSE
-
-# Authentication:
-#
-# Never allow this. We have admin users who can sudo
-# (see users.yml in the gearshift repo)
-PermitRootLogin no
-
-# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2,
-# but we disable this by default as public keys for regular users come from LDAP.
-AuthorizedKeysFile /dev/null
-
-PasswordAuthentication no
-PermitEmptyPasswords no
-
-ChallengeResponseAuthentication no
-
-GSSAPIAuthentication yes
-GSSAPICleanupCredentials no
-
-UsePAM yes
-
-X11Forwarding yes
-ClientAliveInterval 300
-
-#
-# Override default of no subsystems
-# and log sftp level file access that would not be easily logged otherwise.
-#
-Subsystem sftp /usr/libexec/openssh/sftp-server -f AUTHPRIV -l INFO
-
-PubkeyAuthentication yes
-
-AuthorizedKeysCommand /usr/libexec/openssh/ssh-ldap-wrapper
-AuthorizedKeysCommandUser root
-#
-# 129.125.249.0/24   # RUG BeheersWerkPlek
-# 172.23.40.1/24     # Management VLAN 983
-#
-Match Group admin
-    AuthorizedKeysFile .ssh/authorized_keys
diff --git a/roles/ldap/templates/sshd_config b/roles/ldap/templates/sshd_config
new file mode 120000
index 000000000..634936566
--- /dev/null
+++ b/roles/ldap/templates/sshd_config
@@ -0,0 +1 @@
+../../cluster/templates/sshd_config
\ No newline at end of file
diff --git a/roles/ldap/files/login_checks.sh b/roles/logins/files/login_checks.sh
similarity index 88%
rename from roles/ldap/files/login_checks.sh
rename to roles/logins/files/login_checks.sh
index adefcd1f1..9f17a375e 100644
--- a/roles/ldap/files/login_checks.sh
+++ b/roles/logins/files/login_checks.sh
@@ -85,9 +85,12 @@ login_actions () {
 # but in the first case there are no SLURM related environment variables defined.
 #
 
-# SOURCE_HPC_ENV variable checking disabled (it is not set ) Egon 30-10-2018
-#if [ ${TERM} == 'dumb' ] && [ -z ${SOURCE_HPC_ENV} ]; then
-if [ ${TERM} == 'dumb' ]; then
+#
+# ToDo: fix this. As of CentOS 7.x interactive session that eventually report ${TERM} == 'bash'
+# report ${TERM} == 'dumb' at the point where this script is executed in the PAM stack :(.
+# Makes it impossible to determine the difference between an SFTP session versus a Bash session.
+#
+if [ ${TERM} == 'dumb' ] && [ -z "${SOURCE_HPC_ENV:-}" ]; then
     $LOGGER "debug: exiting because of dumb terminal"
     exit 0
 fi
diff --git a/roles/ldap/files/password-auth-ac b/roles/logins/files/password-auth-ac
similarity index 93%
rename from roles/ldap/files/password-auth-ac
rename to roles/logins/files/password-auth-ac
index 7420f07a5..b7036a578 100644
--- a/roles/ldap/files/password-auth-ac
+++ b/roles/logins/files/password-auth-ac
@@ -21,7 +21,7 @@ password    required      pam_deny.so
 session     optional      pam_keyinit.so revoke
 session     required      pam_limits.so
 session     optional      pam_oddjob_mkhomedir.so umask=0077 skel=/etc/skel
-session     optional      pam_script.so onsessionopen=/usr/local/libexec/login_checks.sh
+session     optional      pam_script.so
 session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
 session     required      pam_unix.so
 session     optional      pam_ldap.so
diff --git a/roles/logins/handlers/main.yml b/roles/logins/handlers/main.yml
new file mode 100644
index 000000000..c694046f4
--- /dev/null
+++ b/roles/logins/handlers/main.yml
@@ -0,0 +1,30 @@
+---
+#
+# Important: maintain correct handler order.
+# Handlers are executed in the order in which they are defined 
+# and not in the order in whch they are listed in a "notify: handler_name" statement!
+#
+- name: Run authconfig update.
+  shell: "authconfig --enablemkhomedir --update"
+  become: yes
+  listen: authconfig_update
+
+#
+# Notes:
+# * OddJob has a dependency on DBus.
+# * Due to a bug systemd-logind may enter a broken state when DBus is restarted
+#   making logins via SSH and or sudo commands very slow.
+#   https://bugzilla.redhat.com/show_bug.cgi?id=1532105
+#   Workaround for now is to always restart systemd-logind after DBus is restarted.
+#
+- name: Restart oddjobd service and its dependencies.
+  service:
+    name: "{{item}}"
+    state: restarted
+  with_items:
+    - dbus
+    - systemd-logind
+    - oddjobd
+  become: yes
+  listen: restart_oddjobd
+...
diff --git a/roles/logins/tasks/main.yml b/roles/logins/tasks/main.yml
new file mode 100644
index 000000000..1a8a3e4e6
--- /dev/null
+++ b/roles/logins/tasks/main.yml
@@ -0,0 +1,94 @@
+---
+- name: Install yum dependencies
+  yum:
+    state: latest
+    update_cache: yes
+    name:
+      - pam_script
+      - oddjob-mkhomedir
+  notify:
+    - authconfig_update
+    - restart_oddjobd
+  become: true
+
+- name: Deploy password-auth-ac for PAM.
+  copy:
+    src: password-auth-ac
+    dest: /etc/pam.d/password-auth-ac
+    owner: root
+    group: root
+    mode: '0600'
+  notify:
+    - authconfig_update
+    - restart_oddjobd
+  become: true
+
+- name: Enable pam_script.
+  file:
+    src: pam_script
+    dest: "/etc/{{ item }}"
+    owner: root
+    group: root
+    state: link
+  with_items:
+    - pam_script_acct
+    - pam_script_auth
+    - pam_script_passwd
+    - pam_script_ses_close
+    - pam_script_ses_open
+  become: true
+
+- name: Create /etc/pam-script.d/ dir.
+  file:
+    name: /etc/pam-script.d
+    state: directory
+    owner: root
+    group: root
+    mode: '0755'
+  become: true
+
+- name: Install login_checks.sh script.
+  copy:
+    src: login_checks.sh
+    dest: /etc/pam-script.d/login_checks.sh
+    owner: root
+    group: root
+    mode: '0755'
+  when: inventory_hostname in groups['cluster']
+  become: true
+
+- name: Enable login_checks.sh script for ses_open.
+  file:
+    src: login_checks.sh
+    dest: "/etc/pam-script.d/{{ item }}"
+    owner: root
+    group: root
+    #
+    # Login checks currently disabled,
+    # because error handling/reporting no longer works on CentOS >= 7.x,
+    # due to changes in the PAM stack.
+    # Login checks were only used to create Slurm accounts in the Slurm accounting DB.
+    # This functionality has been relocated to the Slurm job_submit.lua plugin,
+    # which will now automatically create account, users and associations of slurm users to slurm accounts
+    # upon job submission when they do not already exist.
+    #
+    # state: link
+    state: absent
+  with_items:
+    - login_checks.sh_ses_open
+  when: inventory_hostname in groups['cluster']
+  become: true
+
+- name: Enable services.
+  systemd:
+    name: "{{ item }}"
+    enabled: yes
+    state: started
+  with_items:
+    - dbus.service
+    - oddjobd.service
+  notify:
+    - authconfig_update
+    - restart_oddjobd
+  become: true
+...
diff --git a/roles/mount-volume/defaults/main.yml b/roles/mount-volume/defaults/main.yml
new file mode 100644
index 000000000..aa66dc580
--- /dev/null
+++ b/roles/mount-volume/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+
+volume_mount_point: "/local"
diff --git a/roles/mount-volume/tasks/main.yml b/roles/mount-volume/tasks/main.yml
new file mode 100644
index 000000000..aa5eec15e
--- /dev/null
+++ b/roles/mount-volume/tasks/main.yml
@@ -0,0 +1,36 @@
+---
+- name: Make mount point for the cinder volume.
+  file:
+    path: "{{volume_mount_point}}"
+    mode: 0755
+    state: directory
+    owner: root
+    group: root
+
+- name: Check the local mount point.
+  command: mountpoint {{volume_mount_point}}
+  register: mount_local
+  failed_when: false
+
+- name: Create an ext4 filesystem on /dev/vdb.
+  filesystem:
+    fstype: ext4
+    dev: /dev/vdb
+  when:
+    mount_local.rc == 1
+
+- name: Mount the volume.
+  mount:
+    path: "{{volume_mount_point}}"
+    src: /dev/vdb
+    fstype: ext4
+    opts: rw,relatime
+    state: present
+
+- name: Mount all mountpoints from fstab.
+  command: mount -a
+  args:
+    warn: false
+  when:
+    mount_local.rc == 1
+...
diff --git a/roles/nfs_home_server/tasks/main.yml b/roles/nfs_home_server/tasks/main.yml
index 7612f1205..0dc7dee9b 100644
--- a/roles/nfs_home_server/tasks/main.yml
+++ b/roles/nfs_home_server/tasks/main.yml
@@ -1,9 +1,10 @@
 ---
-- name: install nfs utils
+- name: 'Install NFS utils.'
   yum:
     name: nfs-utils
 
-- name: Add fstab entry
+- name: 'Add share entry to NFS exports.'
   lineinfile:
     path: /etc/exports
     line: /home  {{network_range}}(rw,sync,no_root_squash,no_subtree_check)
+...
diff --git a/roles/resolver/handlers/main.yml b/roles/resolver/handlers/main.yml
new file mode 100644
index 000000000..c7154496a
--- /dev/null
+++ b/roles/resolver/handlers/main.yml
@@ -0,0 +1,13 @@
+---
+#
+# Important: maintain correct handler order.
+# Handlers are executed in the order in which they are defined 
+# and not in the order in whch they are listed in a "notify: handler_name" statement!
+#
+- name: Restart dnsmasq service.
+  service:
+    name: dnsmasq
+    state: restarted
+  become: true
+  listen: restart_dnsmasq
+...
\ No newline at end of file
diff --git a/roles/resolver/tasks/main.yml b/roles/resolver/tasks/main.yml
new file mode 100644
index 000000000..600578c80
--- /dev/null
+++ b/roles/resolver/tasks/main.yml
@@ -0,0 +1,39 @@
+---
+- name: Install dnsmasq
+  yum:
+    state: latest
+    update_cache: yes
+    name:
+      - dnsmasq
+  become: true
+  notify: restart_dnsmasq
+
+- name: Configure /etc/dnsmasq.conf to use nameservers as listed in group_vars for this cluster.
+  template:
+    dest: '/etc/dnsmasq.conf'
+    src: 'templates/dnsmasq.conf.j2'
+    owner: root
+    group: root
+    mode: 0644
+  become: true
+  notify: restart_dnsmasq
+
+- name: Configure /etc/resolv.conf to use dnsmasq on localhost.
+  copy:
+    dest: '/etc/resolv.conf'
+    content: nameserver 127.0.0.1
+    owner: root
+    group: root
+    mode: 0644
+  become: true
+  notify: restart_dnsmasq
+  
+- name: Enable dnsmasq service.
+  systemd:
+    name: 'dnsmasq.service'
+    enabled: yes
+  become: true
+  notify: restart_dnsmasq
+
+- meta: flush_handlers
+...
\ No newline at end of file
diff --git a/roles/resolver/templates/dnsmasq.conf.j2 b/roles/resolver/templates/dnsmasq.conf.j2
new file mode 100644
index 000000000..5f774b96e
--- /dev/null
+++ b/roles/resolver/templates/dnsmasq.conf.j2
@@ -0,0 +1,3 @@
+{% for nameserver in nameservers %}
+server={{ nameserver }}
+{% endfor %}
diff --git a/roles/shared_storage/tasks/main.yml b/roles/shared_storage/tasks/main.yml
new file mode 100644
index 000000000..82440a585
--- /dev/null
+++ b/roles/shared_storage/tasks/main.yml
@@ -0,0 +1,156 @@
+---
+- name: 'Show the content of the group_vars/[cluster]/vars.yml lfs_mounts variable for debugging purposes.'
+  debug:
+    msg: "{{ lfs_mounts }}"
+
+- name: 'Show the content of the group_vars/[cluster]/vars.yml pfs_mounts variable for debugging purposes.'
+  debug:
+    msg: "pfs: {{ item.pfs }} | source: {{ item.source }} | type: {{ item.type }} | rw_options: {{ item.rw_options }}."
+  with_items: "{{ pfs_mounts }}"
+  when: inventory_hostname in groups['sys-admin-interface']
+
+- name: 'Mount complete Physical File Systems (PFS-ses) on SAIs.'
+  mount:
+    path: "/mnt/{{ item.pfs }}"
+    src: "{{ item.source }}"
+    fstype: "{{ item.type }}"
+    opts: "{{ item.rw_options }}"
+    state: 'mounted'
+  with_items: "{{ pfs_mounts }}"
+  when: inventory_hostname in groups['sys-admin-interface']
+  become: True
+
+- name: 'Create "home" Logical File System (LFS) on Physical File Systems (PFSs) mounted on SAIs.'
+  file:
+    path: "/mnt/{{ item.pfs }}/{{ item.lfs }}"
+    owner: 'root'
+    group: 'root'
+    mode: 0755
+    state: 'directory'
+  with_items: "{{ lfs_mounts | selectattr('lfs', 'match', '^home$') | list }}"
+  when: inventory_hostname in groups['sys-admin-interface']
+  become: True
+
+- name: 'Create root groups folder for "tmp" and "prm" Logical File Systems (LFSs) on Physical File Systems (PFSs) mounted on SAIs.'
+  file:
+    path: "/mnt/{{ item.pfs }}/{{ item.lfs | regex_replace('GROUP.*', '') }}"
+    owner: 'root'
+    group: 'root'
+    mode: 0755
+    state: 'directory'
+  with_items:
+    - "{{ lfs_mounts | selectattr('lfs', 'search', '(tmp)|(prm)[0-9]+$') | list }}"
+  when: inventory_hostname in groups['sys-admin-interface']
+  become: True
+
+- name: 'Create folder for each group on Physical File Systems (PFSs) mounted on SAIs.'
+  file:
+    path: "/mnt/{{ item.0.pfs }}/{{ item.0.lfs | regex_replace('GROUP', item.1) | regex_replace('((tmp)|(prm))[0-9]+$', '') }}"
+    owner: 'root'
+    group: "{{ item.1 }}"
+    mode: 0750
+    state: 'directory'
+  with_subelements:
+    - "{{ lfs_mounts | selectattr('lfs', 'search', '((tmp)|(prm))[0-9]+$') | list }}"
+    - 'groups'
+  when: inventory_hostname in groups['sys-admin-interface']
+  become: True
+
+- name: 'Create "tmp" Logical File Systems (LFSs) for each group on Physical File Systems (PFSs) mounted on SAIs.'
+  file:
+    path: "/mnt/{{ item.0.pfs }}/{{ item.0.lfs | regex_replace('GROUP', item.1) }}"
+    owner: 'root'
+    group: "{{ item.1 }}"
+    mode: 0770
+    state: 'directory'
+  with_subelements:
+    - "{{ lfs_mounts | selectattr('lfs', 'search', 'tmp[0-9]+$') | list }}"
+    - 'groups'
+  when: inventory_hostname in groups['sys-admin-interface']
+  become: True
+
+- name: 'Create "prm" Logical File Systems (LFSs) for each group on Physical File Systems (PFSs) mounted on SAIs.'
+  file:
+    path: "/mnt/{{ item.0.pfs }}/{{ item.0.lfs | regex_replace('GROUP', item.1) }}"
+    owner: "{{ item.1 }}-dm"
+    group: "{{ item.1 }}"
+    mode: 0750
+    state: 'directory'
+  with_subelements:
+    - "{{ lfs_mounts | selectattr('lfs', 'search', 'prm[0-9]+$') | list }}"
+    - 'groups'
+  when: inventory_hostname in groups['sys-admin-interface']
+  become: True
+
+- name: 'Create "apps" Logical File Systems (LFSs) on Physical File Systems (PFSs) mounted on SAIs.'
+  file:
+    path: "/mnt/{{ item.pfs }}/{{ item.lfs }}/apps"
+    owner: "{{ envsync_user }}"
+    group: "{{ envsync_group }}"
+    mode: 0755
+    state: 'directory'
+  with_items:
+    - "{{ lfs_mounts | selectattr('lfs', 'search', 'env[0-9]+$') | list }}"
+  when: inventory_hostname in groups['sys-admin-interface']
+  become: True
+
+- name: 'Mount "home" Logical File System (LFS) from shared storage.'
+  mount:
+    path: "/{{ item.lfs }}"
+    src: "{{ pfs_mounts | selectattr('pfs', 'match', item.pfs) | map(attribute='source') | first }}/{{ item.lfs }}"
+    fstype: "{{ pfs_mounts | selectattr('pfs', 'match', item.pfs) | map(attribute='type') | first }}"
+    opts: "{{ pfs_mounts | selectattr('pfs', 'match', item.pfs) | map(attribute='rw_options') | first }}"
+    state: 'mounted'
+  with_items: "{{ lfs_mounts | selectattr('lfs', 'match', '^home$') | list }}"
+  when: inventory_hostname in groups['cluster']
+  become: True
+
+- name: 'Mount "tmp" Logical File Systems (LFSs) per group from shared storage.'
+  mount:
+    path: "/{{ item.0.lfs | regex_replace('GROUP', item.1) }}"
+    src: "{{ pfs_mounts | selectattr('pfs', 'match', item.0.pfs) | map(attribute='source') | first }}/{{ item.0.lfs | regex_replace('GROUP', item.1) }}"
+    fstype: "{{ pfs_mounts | selectattr('pfs', 'match', item.0.pfs) | map(attribute='type') | first }}"
+    opts: "{{ pfs_mounts | selectattr('pfs', 'match', item.0.pfs) | map(attribute='rw_options') | first }}"
+    state: 'mounted'
+  with_subelements:
+    - "{{ lfs_mounts | selectattr('lfs', 'search', 'tmp[0-9]+$') | list }}"
+    - 'groups'
+  when: inventory_hostname in groups['compute-vm'] or inventory_hostname in groups['user-interface'] or inventory_hostname in groups['deploy-admin-interface']
+  become: True
+
+- name: 'Mount "prm" Logical File Systems (LFSs) per group from shared storage.'
+  mount:
+    path: "/{{ item.0.lfs | regex_replace('GROUP', item.1) }}"
+    src: "{{ pfs_mounts | selectattr('pfs', 'match', item.0.pfs) | map(attribute='source') | first }}/{{ item.0.lfs | regex_replace('GROUP', item.1) }}"
+    fstype: "{{ pfs_mounts | selectattr('pfs', 'match', item.0.pfs) | map(attribute='type') | first }}"
+    opts: "{{ pfs_mounts | selectattr('pfs', 'match', item.0.pfs) | map(attribute='rw_options') | first }}"
+    state: 'mounted'
+  with_subelements:
+    - "{{ lfs_mounts | selectattr('lfs', 'search', 'prm[0-9]+$') | list }}"
+    - 'groups'
+  when: inventory_hostname in groups['user-interface']
+  become: True
+
+- name: 'Mount "env" Logical File Systems (LFSs) from shared storage read-write on DAIs.'
+  mount:
+    path: "/mnt/{{ item.lfs }}"
+    src: "{{ pfs_mounts | selectattr('pfs', 'match', item.pfs) | map(attribute='source') | first }}/{{ item.lfs }}"
+    fstype: "{{ pfs_mounts | selectattr('pfs', 'match', item.pfs) | map(attribute='type') | first }}"
+    opts: "{{ pfs_mounts | selectattr('pfs', 'match', item.pfs) | map(attribute='rw_options') | first }}"
+    state: 'mounted'
+  with_items: "{{ lfs_mounts | selectattr('lfs', 'search', 'env[0-9]+$') | list}}"
+  when: inventory_hostname in groups['deploy-admin-interface']
+  become: True
+
+- name: 'Mount "apps" from one "env" Logical File System (LFS) from shared storage read-only as /apps on UIs and vcompute nodes.'
+  mount:
+   path: '/apps'
+   src: "{{ pfs_mounts | selectattr('pfs', 'match', item.pfs) | map(attribute='source') | first }}/{{ item.lfs }}/apps"
+   fstype: "{{ pfs_mounts | selectattr('pfs', 'match', item.pfs) | map(attribute='type') | first }}"
+   opts: "{{ pfs_mounts | selectattr('pfs', 'match', item.pfs) | map(attribute='ro_options') | first }}"
+   state: 'mounted'
+  with_items:
+    - "{{ lfs_mounts | selectattr('lfs', 'search', 'env[0-9]+$') | list }}"
+  when: inventory_hostname in item.machines
+  become: True
+...
\ No newline at end of file
diff --git a/roles/slurm-client/tasks/main.yml b/roles/slurm-client/tasks/main.yml
index 382591840..8c54cc54e 100644
--- a/roles/slurm-client/tasks/main.yml
+++ b/roles/slurm-client/tasks/main.yml
@@ -1,4 +1,10 @@
 ---
+- name: 'Gather facts from servers in "slurm" group.'
+  setup:
+  delegate_to: "{{ item }}"
+  delegate_facts: True
+  with_items: "{{ groups['slurm'] }}"
+
 - name: Include Slurm vars.
   include_vars:
     file: ../../slurm/defaults/main.yml
@@ -61,9 +67,9 @@
       group: root
       mode: '0750'
     - name: /var/spool/slurmd
-      owner: slurm
+      owner: root
       group: root
-      mode: '0750'
+      mode: '0755'
 
 - name: Deploy slurm.conf
   template:
@@ -95,18 +101,30 @@
     mode: 0600
     dest: /etc/munge/munge.key
 
-- name: Deploy nhc.conf
+- name: Deploy UI nhc.conf
+  template:
+    src: templates/user-interface_nhc.conf
+    dest: /etc/nhc/nhc.conf
+    owner: root
+    group: root
+    mode: 0644
+  when: inventory_hostname in groups['user-interface']
+
+- name: Deploy compute-vm nhc.conf
   template:
-    src: templates/nhc.conf
+    src: templates/compute-vm_nhc.conf
     dest: /etc/nhc/nhc.conf
     owner: root
     group: root
     mode: 0644
+  when: inventory_hostname in groups['compute-vm']
 
 - name: Start slurm and munge services
   systemd:
     name: "{{ item }}"
+    enabled: yes
     state: started
   with_items:
     - slurmd
     - munge
+...
diff --git a/roles/slurm-client/templates/nhc.conf b/roles/slurm-client/templates/compute-vm_nhc.conf
similarity index 83%
rename from roles/slurm-client/templates/nhc.conf
rename to roles/slurm-client/templates/compute-vm_nhc.conf
index b0f057923..aa128c699 100644
--- a/roles/slurm-client/templates/nhc.conf
+++ b/roles/slurm-client/templates/compute-vm_nhc.conf
@@ -53,14 +53,10 @@
 # Check for some sort of free memory of either type.
    * || check_hw_mem_free 2GB
 
-# Checks for an active ethernet interface named "eth0."
-   * || check_hw_eth eth0
-
-# Checks for an active ethernet interface named "eth1."
-   * || check_hw_eth eth1
-
-# Checks for an active ethernet interface named "eth2."
-   * || check_hw_eth eth2
+# Checks for an active ethernet interfaces.
+{% for ethernet_interface in vcompute_ethernet_interfaces %}
+   * || check_hw_eth {{ ethernet_interface }}
+{% endfor %}
 
 # Check the mcelog daemon for any pending errors.
    * || check_hw_mcelog
@@ -93,9 +89,6 @@
 
 # The following illustrates how to assert an NFSv3 mount (or any other specific mount option).
 #   * || check_fs_mount -s bluearc0:/home -t nfs -o '/(^|,)vers=3(,|$)/' -f /home
-#* || check_fs_mount -s gcc-storage001.stor.hpc.local:/ifs/rekencluster/umcgst10/home  -t nfs -o '/(^|,)vers=4(,|$)/' -f /home
-#* || check_fs_mount -s gcc-storage001.stor.hpc.local:/ifs/rekencluster/tmp01 -t nfs -o '/(^|,)vers=4(,|$)/' -f /mnt/tmp01
-#* || check_fs_mount -s gcc-storage001.stor.hpc.local:/ifs/rekencluster/umcgst10/.envsync/tmp01 /apps -t nfs -o '/(^|,)vers=4(,|$)/' -f /apps
 
 # All nodes should have their home filesystem mounted read/write 
 # and not on the local system disk, but from a shared storage system instead.
@@ -106,10 +99,11 @@
    * || check_fs_mount_ro -f /apps -t '/(gpfs|lustre|nfs)/'
 
 # All nodes should have their tmp filesystems mounted read/write.
-# We do not check the mounts for each and every group, because the list of groups changes regularly.
-# Instead we check only the Analysis Team Development (atd) group: 
-   * || check_fs_mount_rw -f /groups/umcg-atd/tmp01      -t '/(gpfs|lustre|nfs)/'
-
+{% for lfs_mount in lfs_mounts | selectattr('lfs', 'search', 'tmp[0-9]+$') | list %}
+{% for group in lfs_mount.groups %}
+   * || check_fs_mount_rw -f /{{ lfs_mount.lfs | regex_replace('GROUP', group) }}      -t '/(gpfs|lustre|nfs)/'
+{% endfor %}
+{% endfor %}
 
 #######################################################################
 ###
diff --git a/roles/slurm-client/templates/user-interface_nhc.conf b/roles/slurm-client/templates/user-interface_nhc.conf
new file mode 100644
index 000000000..617ae6bce
--- /dev/null
+++ b/roles/slurm-client/templates/user-interface_nhc.conf
@@ -0,0 +1,148 @@
+# NHC Configuration File
+#
+# Lines are in the form "<hostmask>||<check>"
+# Hostmask is a glob, /regexp/, or {noderange}
+# Comments begin with '#'
+#
+
+
+#######################################################################
+###
+### NHC Configuration Variables
+###
+# Explicitly instruct NHC to assume PBS (TORQUE, PBSPro) is the Resource Manager
+   * || export NHC_RM=slurm
+
+# Do not mark nodes offline
+#   * || export MARK_OFFLINE=0
+
+# Activate debugging mode
+#   * || export DEBUG=1
+
+# Set watchdog timer to 15 seconds
+#   * || export TIMEOUT=15
+
+# In out-of-band contexts, enable all checks
+#   * || export NHC_CHECK_ALL=1
+
+# Run df only for local file systems of type ext4.
+# This prevents running df for large shared file systems resulting in
+# "NHC: Watchdog timer unable to terminate hung NHC process" errors.
+   * || export DFI_FLAGS='-Tiltext4'
+   * || export DF_FLAGS='-Tkltext4'
+
+# Use short hostname instead of FQDN to mark nodes online/offline.
+# This prevents the
+#     "Not sure how to handle node state "" on ..."
+# error when machines have FQDN hostnames, but are listed with short names in the SLURM config.
+   * || HOSTNAME="$HOSTNAME_S"
+
+#######################################################################
+###
+### Hardware checks
+###
+# Set these to your correct socket, core, and thread counts.
+   * || check_hw_cpuinfo {{ ui_sockets }} {{ ui_sockets * ui_cores_per_socket }} {{ ui_sockets * ui_cores_per_socket }}
+
+# Set these to the amount of physical RAM you have (leave the fudge factor).
+   * || check_hw_physmem {{ ui_real_memory }}MB {{ ui_real_memory }}MB 5%
+
+# Check specifically for free physical memory.
+   * || check_hw_physmem_free 1MB
+
+# Check for some sort of free memory of either type.
+   * || check_hw_mem_free 2GB
+
+# Checks for an active ethernet interfaces.
+{% for ethernet_interface in ui_ethernet_interfaces %}
+   * || check_hw_eth {{ ethernet_interface }}
+{% endfor %}
+
+# Check the mcelog daemon for any pending errors.
+   * || check_hw_mcelog
+
+
+#######################################################################
+###
+### Filesystem checks
+###
+# All nodes should have their root filesystem mounted read/write.
+   * || check_fs_mount_rw -f /
+
+# Controlling TTYs are a good thing!
+   * || check_fs_mount_rw -t devpts -s '/(none|devpts)/' -f /dev/pts
+
+# Make sure the root filesystem doesn't get too full.
+   * || check_fs_free / 10%
+
+# Make sure the root filesystem has enough free inodes.
+   * || check_fs_ifree / 1k
+
+# Make sure the /var volume doesn't get too full.
+   * || check_fs_free /var 5%
+
+# Make sure the /var filesystem has enough free inodes.
+   * || check_fs_ifree /var 1k
+
+# The following illustrates how to assert an NFSv3 mount (or any other specific mount option).
+#   * || check_fs_mount -s bluearc0:/home -t nfs -o '/(^|,)vers=3(,|$)/' -f /home
+
+# All UIs should have their home filesystem mounted read/write 
+# and not on the local system disk, but from a shared storage system instead.
+   * || check_fs_mount_rw -f /home -t '/(ext4|gpfs|lustre|nfs)/'
+
+# All UIs should have their apps filesystem mounted read only 
+# and not on the local system disk, but from a shared storage system instead.
+   * || check_fs_mount_ro -f /apps -t '/(gpfs|lustre|nfs)/'
+
+# All UIs should have their tmp filesystems mounted read/write.
+{% for lfs_mount in lfs_mounts | selectattr('lfs', 'search', 'tmp[0-9]+$') | list %}
+{% for group in lfs_mount.groups %}
+   * || check_fs_mount_rw -f /{{ lfs_mount.lfs | regex_replace('GROUP', group) }}      -t '/(gpfs|lustre|nfs)/'
+{% endfor %}
+{% endfor %}
+
+# All UIs should have their prm filesystems mounted read/write.
+{% for lfs_mount in lfs_mounts | selectattr('lfs', 'search', 'prm[0-9]+$') | list %}
+{% for group in lfs_mount.groups %}
+   * || check_fs_mount_rw -f /{{ lfs_mount.lfs | regex_replace('GROUP', group) }}      -t '/(gpfs|lustre|nfs)/'
+{% endfor %}
+{% endfor %}
+
+#######################################################################
+###
+### File/metadata checks
+###
+# These should always be directories and always be read/write/execute and sticky.
+   * || check_file_test -r -w -x -d -k /tmp /var/tmp
+
+# These should always be readable and should never be empty.
+   * || check_file_test -r -s /etc/passwd /etc/group
+
+# Assert common properties for /dev/null (which occasionally gets clobbered).
+   * || check_file_test -c -r -w /dev/null /dev/zero
+   * || check_file_stat -m 0666 -u 0 -g 0 -t 1 -T 3 /dev/null
+
+# Make sure there's relatively recent activity from the syslog.
+   * || check_file_stat -n 7200 /var/log/messages
+
+# Validate a couple important accounts in the passwd file.
+   * || check_file_contents /etc/passwd "/^root:x:0:0:/" "sshd:*"
+
+
+#######################################################################
+###
+### Process checks
+###
+# Everybody needs sshd running, right?  But don't use -r (restart)!
+   * || check_ps_service -u root -S sshd
+
+# The cron daemon is another useful critter...
+   * || check_ps_service -r crond
+
+# This is only valid for RHEL6 and similar/newer systems.
+   * || check_ps_service -d rsyslogd -r rsyslog
+
+# Double your core count is a good rule of thumb for load average max.
+# This should work if you place it after one of the check_hw_*() checks.
+   * || check_ps_loadavg $((2*HW_CORES))
diff --git a/roles/slurm/files/configure_slurm_accounting_db.bash b/roles/slurm/files/configure_slurm_accounting_db.bash
index 97fc90792..9fdc2d60c 100644
--- a/roles/slurm/files/configure_slurm_accounting_db.bash
+++ b/roles/slurm/files/configure_slurm_accounting_db.bash
@@ -5,7 +5,7 @@
 ### Create Slurm DB for the accounting info of this cluster.
 ##
 #
-sacctmgr add cluster {{ slurm_cluster_name }}
+sacctmgr -i add cluster {{ slurm_cluster_name }}
 
 #
 ##
diff --git a/roles/slurm/files/hyperchicken_qos_level.bash b/roles/slurm/files/hyperchicken_qos_level.bash
deleted file mode 100644
index 40fe75330..000000000
--- a/roles/slurm/files/hyperchicken_qos_level.bash
+++ /dev/null
@@ -1,238 +0,0 @@
-#!/bin/bash
-
-# create the Cluster
-sacctmgr add cluster hyperchicken
-
-# max cores + ram per node
-#
-# cpu=5,mem=10000   #  .5 node 
-# cpu=10,mem=20000   # 1.0 node
-# cpu=20,mem=40000   # 2.0 nodes
-# cpu=40,mem=80000  # 4.0 nodes
-
-#
-##
-### Create Quality of Service (QoS) levels.
-##
-#
-
-#
-# QoS leftover
-#
-yes | sacctmgr -i create qos set \
-        Name='leftover' \
-        Priority=0 \
-        UsageFactor=0 \
-        Description='Go Dutch: Quality of Service level for cheapskates with zero priority, but resources consumed do not impact your Fair Share.' \
-        GrpSubmit=30000 MaxSubmitJobsPU=10000 \
-        GrpTRES=cpu=0,mem=0
-
-yes | sacctmgr -i create qos set \
-        Name='leftover-short' \
-        Priority=0 \
-        UsageFactor=0 \
-        Description='leftover-short' \
-        GrpSubmit=30000 MaxSubmitJobsPU=10000 MaxWall=06:00:00
-
-yes | sacctmgr -i create qos set \
-        Name='leftover-medium' \
-        Priority=0 \
-        UsageFactor=0 \
-        Description='leftover-medium' \
-        GrpSubmit=30000 MaxSubmitJobsPU=10000 MaxWall=1-00:00:00
-
-yes | sacctmgr -i create qos set \
-        Name='leftover-long' \
-        Priority=0 \
-        UsageFactor=0 \
-        Description='leftover-long' \
-        GrpSubmit=3000 MaxSubmitJobsPU=1000  MaxWall=7-00:00:00
-
-#
-# QoS regular
-#
-yes | sacctmgr -i create qos set \
-        Name='regular' \
-        Priority=10 \
-        Description='Standard Quality of Service level with default priority and corresponding impact on your Fair Share.' \
-        GrpSubmit=30000 MaxSubmitJobsPU=5000 \
-        GrpTRES=cpu=0,mem=0
-
-yes | sacctmgr -i create qos set \
-        Name='regular-short' \
-        Priority=10 \
-        Description='regular-short' \
-        GrpSubmit=30000 MaxSubmitJobsPU=5000  MaxWall=06:00:00 
-
-yes | sacctmgr -i create qos set \
-        Name='regular-medium' \
-        Priority=10 \
-        Description='regular-medium' \
-        GrpSubmit=30000 MaxSubmitJobsPU=5000  MaxWall=1-00:00:00 \
-        MaxTRESPU=cpu=4,mem=10000
-
-yes | sacctmgr -i create qos set \
-        Name='regular-long' \
-        Priority=10 \
-        Description='regular-long' \
-        GrpSubmit=3000 MaxSubmitJobsPU=1000  MaxWall=7-00:00:00 \
-        GrpTRES=cpu=2,mem=5000 \
-        MaxTRESPU=cpu=2,mem=5000
-
-#
-# QoS priority
-#
-yes | sacctmgr -i create qos set \
-        Name='priority' \
-        Priority=20 \
-        UsageFactor=2 \
-        Description='High priority Quality of Service level with corresponding higher impact on your Fair Share.' \
-        GrpSubmit=5000  MaxSubmitJobsPU=1000 \
-        GrpTRES=cpu=0,mem=0
-
-yes | sacctmgr -i create qos set \
-        Name='priority-short' \
-        Priority=20 \
-        UsageFactor=2 \
-        Description='priority-short' \
-        GrpSubmit=5000  MaxSubmitJobsPU=1000   MaxWall=06:00:00 \
-        GrpTRES=cpu=10,mem=20000
-
-yes | sacctmgr -i create qos set \
-        Name='priority-medium' \
-        Priority=20 \
-        UsageFactor=2 \
-        Description='priority-medium' \
-        GrpSubmit=2500  MaxSubmitJobsPU=500   MaxWall=1-00:00:00 \
-        GrpTRES=cpu=8,mem=18000 \
-        MaxTRESPU=cpu=8,mem=18000
-
-yes | sacctmgr -i create qos set \
-        Name='priority-long' \
-        Priority=20 \
-        UsageFactor=2 \
-        Description='priority-long' \
-        GrpSubmit=250   MaxSubmitJobsPU=50   MaxWall=7-00:00:00 \
-        GrpTRES=cpu=4,mem=10000 \
-        MaxTRESPU=cpu=4,mem=10000
-
-#
-# QoS ds
-#
-yes | sacctmgr -i create qos set \
-        Name='ds' \
-        Priority=10 \
-        UsageFactor=1 \
-        Description='Data Staging Quality of Service level for jobs with access to prm storage.' \
-        GrpSubmit=5000  MaxSubmitJobsPU=1000 \
-        GrpTRES=cpu=0,mem=0
-
-yes | sacctmgr -i create qos set \
-        Name='ds-short' \
-        Priority=10 \
-        UsageFactor=1 \
-        Description='ds-short' \
-        GrpSubmit=5000  MaxSubmitJobsPU=1000   MaxWall=06:00:00 \
-        MaxTRESPU=cpu=4,mem=4096
-
-yes | sacctmgr -i create qos set \
-        Name='ds-medium' \
-        Priority=10 \
-        UsageFactor=1 \
-        Description='ds-medium' \
-        GrpSubmit=2500  MaxSubmitJobsPU=500   MaxWall=1-00:00:00 \
-        GrpTRES=cpu=2,mem=2048 \
-        MaxTRESPU=cpu=2,mem=2048
-
-yes | sacctmgr -i create qos set \
-        Name='ds-long' \
-        Priority=10 \
-        UsageFactor=1 \
-        Description='ds-long' \
-        GrpSubmit=250   MaxSubmitJobsPU=50   MaxWall=7-00:00:00 \
-        GrpTRES=cpu=1,mem=1024 \
-        MaxTRESPU=cpu=1,mem=1024
-
-#
-# List all QoS.
-#
-#sacctmgr show qos format=Name%15,Priority,UsageFactor,GrpTRES%30,GrpSubmit,GrpJobs,MaxTRESPerUser%30,MaxSubmitJobsPerUser,MaxJobsPerUser,MaxTRESPerJob,MaxWallDurationPerJob
-
-#
-##
-### Create accounts and assign QoS to accounts.
-##
-#
-
-#
-# Create 'users' account in addition to the default 'root' account.
-#
-sacctmgr -i create account users \
-         Descr=scientists Org=various
-
-#
-# Assign QoS to the root account.
-#
-yes | sacctmgr -i modify account root set \
-         QOS=priority,priority-short,priority-medium,priority-long
-
-yes | sacctmgr -i modify account root set \
-         QOS+=leftover,leftover-short,leftover-medium,leftover-long
-
-yes | sacctmgr -i modify account root set \
-         QOS+=regular,regular-short,regular-medium,regular-long
-
-yes | sacctmgr -i modify account root set \
-         QOS+=dev,dev-short,dev-medium,dev-long
-
-yes | sacctmgr -i modify account root set \
-         QOS+=ds,ds-short,ds-medium,ds-long
-
-yes | sacctmgr -i modify account root set \
-         DefaultQOS=priority
-
-#
-# Assign QoS to the users account.
-#
-yes | sacctmgr -i modify account users set \
-         QOS=regular,regular-short,regular-medium,regular-long
-
-yes | sacctmgr -i modify account users set \
-         QOS+=priority,priority-short,priority-medium,priority-long
-
-yes | sacctmgr -i modify account users set \
-         QOS+=leftover,leftover-short,leftover-medium,leftover-long      
-
-yes | sacctmgr -i modify account users set \
-         QOS+=dev,dev-short,dev-medium,dev-long
-
-yes | sacctmgr -i modify account users set \
-         QOS+=ds,ds-short,ds-medium,ds-long
-
-yes | sacctmgr -i modify account users set \
-         DefaultQOS=regular
-
-#
-# List all associations to verify the required accounts exist and the right (default) QoS.
-#
-#sacctmgr show assoc tree format=Cluster%8,Account,User%-30,Share%5,QOS%-222,DefaultQOS%-8
-
-#
-# Allow QoS priority to pre-empt jobs in QoS leftover.
-#
-yes | sacctmgr -i modify qos Name='priority-short'  set Preempt='leftover-short,leftover-medium,leftover-long'
-yes | sacctmgr -i modify qos Name='priority-medium' set Preempt='leftover-short,leftover-medium,leftover-long'
-yes | sacctmgr -i modify qos Name='priority-long'   set Preempt='leftover-short,leftover-medium,leftover-long'
-
-#
-# Allow QoS regular to pre-empt jobs in QoS leftover.
-#
-yes | sacctmgr -i modify qos Name='regular-short'   set Preempt='leftover-short,leftover-medium,leftover-long'
-yes | sacctmgr -i modify qos Name='regular-medium'  set Preempt='leftover-short,leftover-medium,leftover-long'
-yes | sacctmgr -i modify qos Name='regular-long'    set Preempt='leftover-short,leftover-medium,leftover-long'
-
-#
-# List all QoS and verify pre-emption settings.
-#
-#sacctmgr show qos format=Name%15,Priority,UsageFactor,GrpTRES%30,GrpSubmit,GrpJobs,MaxTRESPerUser%30,MaxSubmitJobsPerUser,Preempt%45,MaxWallDurationPerJob
-
diff --git a/roles/slurm/files/job_submit.lua b/roles/slurm/files/job_submit.lua
index 7960bfd37..1c7c23baf 100644
--- a/roles/slurm/files/job_submit.lua
+++ b/roles/slurm/files/job_submit.lua
@@ -51,12 +51,112 @@ QOS_TIME_LIMITS = {
 --
 --DEFAULT_WALLTIME = '1'
 
+--
+-- Check if the user submitting the job is associated to a Slurm account in the Slurm accounting database and
+-- create the relevant Slurm account and/or Slurm user and/or association if it does not already exist.
+--
+function ensure_user_has_slurm_association(uid, user, group)
+    --
+    -- Skip root user.
+    --
+    if uid == 0 then
+        return true
+    end
+    
+    slurm.log_debug("Checking assoc for user %s (uid=%u) in account for group %s...", user, uid, group)
+    if association_exists(user, group) then
+        slurm.log_debug("Association of user %s to account %s already exists.", user, group)
+        return true
+    else
+        if account_exists(group) then
+            slurm.log_debug("Account %s already exists.", group)
+        else
+            slurm.log_info("Account %s does not exist; creating one...", group)
+            if not create_account(group) then
+                return false
+            end
+        end
+        slurm.log_info("Association of user %s to account %s does not exist; creating one...", user, group)
+        if not create_association(user,group) then
+            return false
+        end
+    end
+    return true
+end
+
+function account_exists(group)
+    --
+    -- Unfortunately, filehandles returned by io.popen() don't have a way to return their exitstatuses in <= lua 5.2.
+    -- Should be reasonably safe here, since if we erroneously conclude the association doesn't exist,
+    -- then we'll just try to add it.
+    -- http://lua-users.org/lists/lua-l/2012-01/msg00364.html
+    --
+    local query = io.popen(string.format(
+        "sacctmgr --parsable2 --noheader list accounts format=account account='%s'", group))
+    for line in query:lines() do
+        if line == group then
+            return true
+        end
+    end
+    return false
+end
+
+function create_account(group)
+    local retval = os.execute(string.format(
+        "sacctmgr -i create account '%s' descr=scientists org=various parent=users fairshare=parent", group))
+    if retval ~= 0 then
+        slurm.log_error("Failed to create account %s (exit status = %d).", group, retval)
+        slurm.log_user("Failed to create account %s (exit status = %d). Contact an admin.", group, retval)
+        return false
+    else
+        slurm.log_info("Created account for group %s.", group)
+        return true
+    end
+end
+
+function association_exists(user, group)
+    --
+    -- Unfortunately, filehandles returned by io.popen() don't have a way to return their exitstatuses in <= lua 5.2.
+    -- Should be reasonably safe here, since if we erroneously conclude the association doesn't exist,
+    -- then we'll just try to add it.
+    -- http://lua-users.org/lists/lua-l/2012-01/msg00364.html
+    --
+    local query = io.popen(string.format(
+        "sacctmgr --parsable2 --noheader list associations format=user,account user='%s' account='%s'", user, group))
+    for line in query:lines() do
+        if line == user .. '|' .. group then
+            return true
+        end
+    end
+    return false
+end
+
+function create_association(user,group)
+    local retval = os.execute(string.format(
+        "sacctmgr -i create user name='%s' account='%s' fairshare=parent", user, group))
+    if retval ~= 0 then
+        slurm.log_error("Failed to create association of user %s to account %s (exit status = %d).", user, group, retval)
+        slurm.log_user("Failed to create association of user %s to account %s (exit status = %d). Contact an admin.", user, group, retval)
+        return false
+    else
+        slurm.log_info("Created association of user %s to account %s.", user, group)
+        return true
+    end
+end
+
 function slurm_job_submit(job_desc, part_list, submit_uid)
     -- 
     -- Get details for the user who is trying to submit a job.
     --
     submit_user = posix.getpasswd(submit_uid)
     
+    --
+    -- Force jobs to share nodes when they don't consume all resources on a node.
+    --
+    if job_desc.shared == 0 then
+        job_desc.shared = 1
+    end
+    
     --
     -- Check if the job does have a time limit specified.
     -- For some reason (bug?), the nil value is passed as 4294967294.
@@ -87,6 +187,8 @@ function slurm_job_submit(job_desc, part_list, submit_uid)
     --slurm.log_debug("Path to job *.err  = %s.", tostring(job_desc.std_err))
     --slurm.log_debug("Job's working dir  = %s.", tostring(job_desc.work_dir))
     local job_metadata = {job_desc.std_out, job_desc.std_err, job_desc.work_dir}
+    local group = nil
+    local lfs = nil
     for inx,job_metadata_value in ipairs(job_metadata) do
         if string.match(tostring(job_metadata_value), '^/home/') then
             slurm.log_error(
@@ -99,23 +201,13 @@ function slurm_job_submit(job_desc, part_list, submit_uid)
                 "Rejecting job named %s from user %s (uid=%u).", tostring(job_desc.name), tostring(submit_user.name), job_desc.user_id)
             return slurm.ERROR
         end
-        local entitlement, group, lfs = string.match(tostring(job_metadata_value), '^/groups/([^/-]+)-([^/]+)/(tmp%d%d)/?')
-        if lfs == nil then
-            -- Temporary workaround for tmp02, which uses a symlink in /groups/..., that is resolved to the physical path by SLURM.
-            entitlement, group, lfs = string.match(tostring(job_metadata_value), '^/target/gpfs2/groups/([^/-]+)-([^/]+)/(tmp%d%d)/?')
-        end
-        if entitlement ~= nil and group ~= nill and lfs ~= nil then
-            slurm.log_debug("Found entitlement '%s' and LFS '%s' in job's metadata.", tostring(entitlement), tostring(lfs))
+        group, lfs = string.match(tostring(job_metadata_value), '^/groups/([^/]+)/(tmp%d%d)/?')
+        if group ~= nil and lfs ~= nil then
+            slurm.log_debug("Found group '%s' and LFS '%s' in job's metadata.", tostring(group), tostring(lfs))
             if job_desc.features == nil or job_desc.features == '' then
-                job_desc.features = entitlement .. '&' .. lfs
-                slurm.log_debug("Job had no features yet; Assigned entitlement and LFS as first features: %s.", tostring(job_desc.features))
+                job_desc.features = lfs
+                slurm.log_debug("Job had no features yet; Assigned LFS as first feature: %s.", tostring(job_desc.features))
             else
-                if not string.match(tostring(job_desc.features), entitlement) then
-                    job_desc.features = job_desc.features .. '&' .. entitlement
-                    slurm.log_debug("Appended entitlement %s to job's features.", tostring(entitlement))
-                else
-                    slurm.log_debug("Job's features already contained entitlement %s.", tostring(entitlement))
-                end
                 if not string.match(tostring(job_desc.features), lfs) then
                     job_desc.features = job_desc.features .. '&' .. lfs
                     slurm.log_debug("Appended LFS %s to job's features.", tostring(lfs))
@@ -123,7 +215,6 @@ function slurm_job_submit(job_desc, part_list, submit_uid)
                     slurm.log_debug("Job's features already contained LFS %s.", tostring(lfs))
                 end
             end
-            slurm.log_info("Job's features now contains: %s.", tostring(job_desc.features))
         else
             slurm.log_error(
                  "Job's working dir, *.err file or *.out file is not located in /groups/${group}/tmp*/...\n" ..
@@ -138,6 +229,20 @@ function slurm_job_submit(job_desc, part_list, submit_uid)
             return slurm.ERROR
         end
     end
+    slurm.log_debug("Job's features contains: %s.", tostring(job_desc.features))
+    --
+    -- Check if the user submitting the job is associated to a Slurm account in the Slurm accounting database and
+    -- create the relevant Slurm account and/or Slurm user and/or association if it does not already exist.
+    -- Note: as slurm account we use the group that was found last while parsing job_metadata above.
+    --
+    if not ensure_user_has_slurm_association(submit_uid, tostring(submit_user.name), tostring(group)) then
+        slurm.log_error("Failed to create association in the Slurm accounting database for user %s in account/group %s", tostring(submit_user.name), tostring(group))
+        slurm.log_error("Rejecting job named %s from user %s (uid=%u).", tostring(job_desc.name), tostring(submit_user.name), job_desc.user_id)
+        slurm.log_user(
+                 "Failed to create association in the Slurm accounting database. Contact an admin.\n" ..
+                 "Rejecting job named %s from user %s (uid=%u).", tostring(job_desc.name), tostring(submit_user.name), job_desc.user_id)
+        return slurm.ERROR
+    end
     
     --
     -- Process final list of features:
@@ -161,7 +266,7 @@ function slurm_job_submit(job_desc, part_list, submit_uid)
             job_desc.qos = 'ds'
         end
     end
-      
+    
     --
     -- Make sure we have a sanity checked base-QoS.
     --
@@ -218,16 +323,6 @@ function slurm_job_submit(job_desc, part_list, submit_uid)
         slurm.log_info("Assigned QoS %s to job named %s from user %s (uid=%u).", new_qos, job_desc.name, tostring(submit_user.name), job_desc.user_id)
     end
     
-    --
-    -- Check if the user submitting the job is associated to a Slurm account in the Slurm accounting database and
-    -- create the relevant Slurm account and/or Slurm user and/or association if it does not already exist.
-    -- Skip this check for the root user.
-    --
-    if job_desc.user_id ~= 0 then
-        --submit_user_primary_group = posix.getgroup(submit_user.gid).name
-        --ensure_assoc_exists(submit_user.name, entitlement .. '-' .. group)
-    end
-    
     return slurm.SUCCESS
     
 end
diff --git a/roles/slurm/files/talos_qos_level.bash b/roles/slurm/files/talos_qos_level.bash
deleted file mode 100644
index 7a973cb5d..000000000
--- a/roles/slurm/files/talos_qos_level.bash
+++ /dev/null
@@ -1,235 +0,0 @@
-#!/bin/bash
-
-# max cores + ram per node
-#
-# cpu=5,mem=10000   #  .5 node 
-# cpu=10,mem=20000   # 1.0 node
-# cpu=20,mem=40000   # 2.0 nodes
-# cpu=40,mem=80000  # 4.0 nodes
-
-#
-##
-### Create Quality of Service (QoS) levels.
-##
-#
-
-#
-# QoS leftover
-#
-yes | sacctmgr -i create qos set \
-        Name='leftover' \
-        Priority=0 \
-        UsageFactor=0 \
-        Description='Go Dutch: Quality of Service level for cheapskates with zero priority, but resources consumed do not impact your Fair Share.' \
-        GrpSubmit=30000 MaxSubmitJobsPU=10000 \
-        GrpTRES=cpu=0,mem=0
-
-yes | sacctmgr -i create qos set \
-        Name='leftover-short' \
-        Priority=0 \
-        UsageFactor=0 \
-        Description='leftover-short' \
-        GrpSubmit=30000 MaxSubmitJobsPU=10000 MaxWall=06:00:00
-
-yes | sacctmgr -i create qos set \
-        Name='leftover-medium' \
-        Priority=0 \
-        UsageFactor=0 \
-        Description='leftover-medium' \
-        GrpSubmit=30000 MaxSubmitJobsPU=10000 MaxWall=1-00:00:00
-
-yes | sacctmgr -i create qos set \
-        Name='leftover-long' \
-        Priority=0 \
-        UsageFactor=0 \
-        Description='leftover-long' \
-        GrpSubmit=3000 MaxSubmitJobsPU=1000  MaxWall=7-00:00:00
-
-#
-# QoS regular
-#
-yes | sacctmgr -i create qos set \
-        Name='regular' \
-        Priority=10 \
-        Description='Standard Quality of Service level with default priority and corresponding impact on your Fair Share.' \
-        GrpSubmit=30000 MaxSubmitJobsPU=5000 \
-        GrpTRES=cpu=0,mem=0
-
-yes | sacctmgr -i create qos set \
-        Name='regular-short' \
-        Priority=10 \
-        Description='regular-short' \
-        GrpSubmit=30000 MaxSubmitJobsPU=5000  MaxWall=06:00:00 
-
-yes | sacctmgr -i create qos set \
-        Name='regular-medium' \
-        Priority=10 \
-        Description='regular-medium' \
-        GrpSubmit=30000 MaxSubmitJobsPU=5000  MaxWall=1-00:00:00 \
-        MaxTRESPU=cpu=4,mem=10000
-
-yes | sacctmgr -i create qos set \
-        Name='regular-long' \
-        Priority=10 \
-        Description='regular-long' \
-        GrpSubmit=3000 MaxSubmitJobsPU=1000  MaxWall=7-00:00:00 \
-        GrpTRES=cpu=2,mem=5000 \
-        MaxTRESPU=cpu=2,mem=5000
-
-#
-# QoS priority
-#
-yes | sacctmgr -i create qos set \
-        Name='priority' \
-        Priority=20 \
-        UsageFactor=2 \
-        Description='High priority Quality of Service level with corresponding higher impact on your Fair Share.' \
-        GrpSubmit=5000  MaxSubmitJobsPU=1000 \
-        GrpTRES=cpu=0,mem=0
-
-yes | sacctmgr -i create qos set \
-        Name='priority-short' \
-        Priority=20 \
-        UsageFactor=2 \
-        Description='priority-short' \
-        GrpSubmit=5000  MaxSubmitJobsPU=1000   MaxWall=06:00:00 \
-        GrpTRES=cpu=10,mem=20000
-
-yes | sacctmgr -i create qos set \
-        Name='priority-medium' \
-        Priority=20 \
-        UsageFactor=2 \
-        Description='priority-medium' \
-        GrpSubmit=2500  MaxSubmitJobsPU=500   MaxWall=1-00:00:00 \
-        GrpTRES=cpu=8,mem=18000 \
-        MaxTRESPU=cpu=8,mem=18000
-
-yes | sacctmgr -i create qos set \
-        Name='priority-long' \
-        Priority=20 \
-        UsageFactor=2 \
-        Description='priority-long' \
-        GrpSubmit=250   MaxSubmitJobsPU=50   MaxWall=7-00:00:00 \
-        GrpTRES=cpu=4,mem=10000 \
-        MaxTRESPU=cpu=4,mem=10000
-
-#
-# QoS ds
-#
-yes | sacctmgr -i create qos set \
-        Name='ds' \
-        Priority=10 \
-        UsageFactor=1 \
-        Description='Data Staging Quality of Service level for jobs with access to prm storage.' \
-        GrpSubmit=5000  MaxSubmitJobsPU=1000 \
-        GrpTRES=cpu=0,mem=0
-
-yes | sacctmgr -i create qos set \
-        Name='ds-short' \
-        Priority=10 \
-        UsageFactor=1 \
-        Description='ds-short' \
-        GrpSubmit=5000  MaxSubmitJobsPU=1000   MaxWall=06:00:00 \
-        MaxTRESPU=cpu=4,mem=4096
-
-yes | sacctmgr -i create qos set \
-        Name='ds-medium' \
-        Priority=10 \
-        UsageFactor=1 \
-        Description='ds-medium' \
-        GrpSubmit=2500  MaxSubmitJobsPU=500   MaxWall=1-00:00:00 \
-        GrpTRES=cpu=2,mem=2048 \
-        MaxTRESPU=cpu=2,mem=2048
-
-yes | sacctmgr -i create qos set \
-        Name='ds-long' \
-        Priority=10 \
-        UsageFactor=1 \
-        Description='ds-long' \
-        GrpSubmit=250   MaxSubmitJobsPU=50   MaxWall=7-00:00:00 \
-        GrpTRES=cpu=1,mem=1024 \
-        MaxTRESPU=cpu=1,mem=1024
-
-#
-# List all QoS.
-#
-#sacctmgr show qos format=Name%15,Priority,UsageFactor,GrpTRES%30,GrpSubmit,GrpJobs,MaxTRESPerUser%30,MaxSubmitJobsPerUser,MaxJobsPerUser,MaxTRESPerJob,MaxWallDurationPerJob
-
-#
-##
-### Create accounts and assign QoS to accounts.
-##
-#
-
-#
-# Create 'users' account in addition to the default 'root' account.
-#
-sacctmgr -i create account users \
-         Descr=scientists Org=various
-
-#
-# Assign QoS to the root account.
-#
-yes | sacctmgr -i modify account root set \
-         QOS=priority,priority-short,priority-medium,priority-long
-
-yes | sacctmgr -i modify account root set \
-         QOS+=leftover,leftover-short,leftover-medium,leftover-long
-
-yes | sacctmgr -i modify account root set \
-         QOS+=regular,regular-short,regular-medium,regular-long
-
-yes | sacctmgr -i modify account root set \
-         QOS+=dev,dev-short,dev-medium,dev-long
-
-yes | sacctmgr -i modify account root set \
-         QOS+=ds,ds-short,ds-medium,ds-long
-
-yes | sacctmgr -i modify account root set \
-         DefaultQOS=priority
-
-#
-# Assign QoS to the users account.
-#
-yes | sacctmgr -i modify account users set \
-         QOS=regular,regular-short,regular-medium,regular-long
-
-yes | sacctmgr -i modify account users set \
-         QOS+=priority,priority-short,priority-medium,priority-long
-
-yes | sacctmgr -i modify account users set \
-         QOS+=leftover,leftover-short,leftover-medium,leftover-long      
-
-yes | sacctmgr -i modify account users set \
-         QOS+=dev,dev-short,dev-medium,dev-long
-
-yes | sacctmgr -i modify account users set \
-         QOS+=ds,ds-short,ds-medium,ds-long
-
-yes | sacctmgr -i modify account users set \
-         DefaultQOS=regular
-
-#
-# List all associations to verify the required accounts exist and the right (default) QoS.
-#
-#sacctmgr show assoc tree format=Cluster%8,Account,User%-30,Share%5,QOS%-222,DefaultQOS%-8
-
-#
-# Allow QoS priority to pre-empt jobs in QoS leftover.
-#
-yes | sacctmgr -i modify qos Name='priority-short'  set Preempt='leftover-short,leftover-medium,leftover-long'
-yes | sacctmgr -i modify qos Name='priority-medium' set Preempt='leftover-short,leftover-medium,leftover-long'
-yes | sacctmgr -i modify qos Name='priority-long'   set Preempt='leftover-short,leftover-medium,leftover-long'
-
-#
-# Allow QoS regular to pre-empt jobs in QoS leftover.
-#
-yes | sacctmgr -i modify qos Name='regular-short'   set Preempt='leftover-short,leftover-medium,leftover-long'
-yes | sacctmgr -i modify qos Name='regular-medium'  set Preempt='leftover-short,leftover-medium,leftover-long'
-yes | sacctmgr -i modify qos Name='regular-long'    set Preempt='leftover-short,leftover-medium,leftover-long'
-
-#
-# List all QoS and verify pre-emption settings.
-#
-#sacctmgr show qos format=Name%15,Priority,UsageFactor,GrpTRES%30,GrpSubmit,GrpJobs,MaxTRESPerUser%30,MaxSubmitJobsPerUser,Preempt%45,MaxWallDurationPerJob
-
diff --git a/roles/slurm/tasks/main.yml b/roles/slurm/tasks/main.yml
index c780f0046..7ddc33712 100644
--- a/roles/slurm/tasks/main.yml
+++ b/roles/slurm/tasks/main.yml
@@ -162,7 +162,7 @@
 - name: Make services reload their configs.
   command: systemctl daemon-reload
 
-- name: Make sure servcies are started.
+- name: Make sure services are started.
   systemd:
     name: "{{item}}"
     state: restarted
diff --git a/roles/spacewalk_client/handlers/main.yml b/roles/spacewalk_client/handlers/main.yml
new file mode 100644
index 000000000..f0db8780e
--- /dev/null
+++ b/roles/spacewalk_client/handlers/main.yml
@@ -0,0 +1,13 @@
+---
+#
+# Important: maintain correct handler order.
+# Handlers are executed in the order in which they are defined 
+# and not in the order in whch they are listed in a "notify: handler_name" statement!
+#
+- name: Restart spacewalk service.
+  service:
+    name: rhnsd
+    state: restarted
+  become: yes
+  listen: restart_rhnsd
+...
\ No newline at end of file
diff --git a/roles/spacewalk_client/tasks/main.yml b/roles/spacewalk_client/tasks/main.yml
index b0471e951..4f31b1fcf 100644
--- a/roles/spacewalk_client/tasks/main.yml
+++ b/roles/spacewalk_client/tasks/main.yml
@@ -13,11 +13,20 @@
      - rhnsd
      - m2crypto
      - yum-rhn-plugin
+  notify:
+    - restart_rhnsd
 
-- name: Restart spacewalk daemon.
+- name: Enable spacewalk service.
   systemd:
-   name: rhnsd.service
-   state: restarted
+    name: "{{ item }}"
+    enabled: yes
+    state: started
+  with_items:
+    - rhnsd.service
+  notify:
+    - restart_rhnsd
+
+- meta: flush_handlers
 
 - name: Register client at the spacewalk server.
   rhn_register:
@@ -32,12 +41,13 @@
   ignore_errors: yes
   no_log: True
 
-- name: Disable gpgcheck.
-  command: sed -i 's/gpgcheck = 1/gpgcheck = 0/g' /etc/yum/pluginconf.d/rhnplugin.conf
-  args:
-    warn: false
+- name: Disable gpgcheck for spacewalk repo.
+  lineinfile:
+    path: '/etc/yum/pluginconf.d/rhnplugin.conf'
+    regexp: '^gpgcheck = [0-9].*'
+    line: 'gpgcheck = 0'
 
-- name: Remove all current repo config files.
+- name: Remove all (non-spacewalk) repo config files from /etc/yum.repos.d/.
   shell: "rm -rf /etc/yum.repos.d/*"
   args:
     warn: false
@@ -52,3 +62,4 @@
   yum:
    name: '*'
    state: latest
+...
diff --git a/roles/user-interface/tasks/main.yml b/roles/user-interface/tasks/main.yml
deleted file mode 100644
index ed97d539c..000000000
--- a/roles/user-interface/tasks/main.yml
+++ /dev/null
@@ -1 +0,0 @@
----
diff --git a/settings.yml b/settings.yml
deleted file mode 100644
index 1017c9443..000000000
--- a/settings.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-- allocation_pool:
-    start: 172.23.40.38
-    end: 172.23.40.50
-
-- dns_nameserver: 129.125.4.6
-
-- gateway: 172.23.40.250
-
-- subnet_range: 172.23.40.0/24
-
-- rsa_pub: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDStPUPXkcu81onUm/le54JCu174yXJJDsthDr96Mv8irBVBWuy5FxnaASuDpmC4QE4s0UAIg1iq/SWrr8qdBQ4OVuYFiW0S7ZJvcoKr/40Wh+T5MeltGQfmkDp6kBsfaMSo6M4tF1c8i+XgOgxb4fxHYb8mFhseztRLx6McxJJJLB0nu+T12WQ01nl0XtwD+3EsZWfxRH0KA59VHZSe3Anc5z+Fm7WU+1Vzy6/pkiIhVReI1L6VVhZsIdSu3fQK6fHQcujtfuw6RKEpisZQqnxMUviWQ98yeQXHk6Nx840WCh3vvKveEAoC4Y/UEZa1TMe6PczfUaLjaidUkpulJsP egon@egon-pc
diff --git a/single_role_playbooks/callback_plugins b/single_role_playbooks/callback_plugins
new file mode 120000
index 000000000..3de65f901
--- /dev/null
+++ b/single_role_playbooks/callback_plugins
@@ -0,0 +1 @@
+../callback_plugins/
\ No newline at end of file
diff --git a/dai.yml b/single_role_playbooks/dai.yml
similarity index 89%
rename from dai.yml
rename to single_role_playbooks/dai.yml
index 7e11107a0..d4bc7602e 100644
--- a/dai.yml
+++ b/single_role_playbooks/dai.yml
@@ -53,6 +53,8 @@
           #
           - rdma-core-devel
           - libxml2-devel
+          - libXext-devel
+          - libX11-devel
 
     - name: Set lustre client source url.
       set_fact:
@@ -76,11 +78,3 @@
           command: rpmbuild --rebuild --without servers /tmp/{{ lustre_src_rpm_name }}
           become: true
       when: remote_file.stat.exists == false
-
-    - name: Mount isilon apps
-      mount:
-        path: /apps
-        src: gcc-storage001.stor.hpc.local:/ifs/rekencluster/umcgst10/.envsync/tmp01
-        fstype: nfs
-        opts: defaults,_netdev,nolock,vers=4.0,noatime,nodiratime
-        state: present
diff --git a/figlet.yml b/single_role_playbooks/figlet.yml
similarity index 100%
rename from figlet.yml
rename to single_role_playbooks/figlet.yml
diff --git a/firewall.yml b/single_role_playbooks/firewall.yml
similarity index 72%
rename from firewall.yml
rename to single_role_playbooks/firewall.yml
index 322c68231..41461a124 100644
--- a/firewall.yml
+++ b/single_role_playbooks/firewall.yml
@@ -1,7 +1,7 @@
 ---
 - name: Install the common role from the hpc-cloud repo.
-  hosts: airlock.hpc.rug.nl
+  hosts: all
   become: true
   roles:
-  - firewall
+#  - firewall
   - geerlingguy.firewall
diff --git a/single_role_playbooks/ldap.yml b/single_role_playbooks/ldap.yml
new file mode 100644
index 000000000..bf5ba02e0
--- /dev/null
+++ b/single_role_playbooks/ldap.yml
@@ -0,0 +1,8 @@
+---
+
+- name: Install ldap role.
+  hosts: cluster
+  become: true
+  tasks:
+  roles:
+     - ldap
diff --git a/monitoring.yml b/single_role_playbooks/monitoring.yml
similarity index 100%
rename from monitoring.yml
rename to single_role_playbooks/monitoring.yml
diff --git a/single_role_playbooks/mount-volume.yml b/single_role_playbooks/mount-volume.yml
new file mode 100644
index 000000000..a10cef0da
--- /dev/null
+++ b/single_role_playbooks/mount-volume.yml
@@ -0,0 +1,8 @@
+- name: Mount the ceph volume
+  hosts:
+     - compute-vm
+     - sys-admin-interface
+     - deploy-admin-interface
+  become: True
+  roles:
+     - mount-volume
diff --git a/single_role_playbooks/nfs_home_dirs.yml b/single_role_playbooks/nfs_home_dirs.yml
new file mode 100644
index 000000000..2dc465ff7
--- /dev/null
+++ b/single_role_playbooks/nfs_home_dirs.yml
@@ -0,0 +1,16 @@
+#
+# Example to use NFS based home dirs exported from the UI and mounted on the compute nodes.
+#
+---
+- name: Export /home on NFS server.
+  hosts: user-interface
+  become: true
+  roles:
+     - nfs_home_server
+
+- name: Mount /home on NFS clients.
+  hosts: compute-vm
+  become: true
+  roles:
+     - nfs_home_client
+...
\ No newline at end of file
diff --git a/single_role_playbooks/resolver.yml b/single_role_playbooks/resolver.yml
new file mode 100644
index 000000000..ab99aeb74
--- /dev/null
+++ b/single_role_playbooks/resolver.yml
@@ -0,0 +1,5 @@
+---
+- hosts: cluster
+  roles:
+    - resolver
+...
\ No newline at end of file
diff --git a/single_role_playbooks/roles b/single_role_playbooks/roles
new file mode 120000
index 000000000..7b9ade87e
--- /dev/null
+++ b/single_role_playbooks/roles
@@ -0,0 +1 @@
+../roles/
\ No newline at end of file
diff --git a/rsyslog.yml b/single_role_playbooks/rsyslog.yml
similarity index 100%
rename from rsyslog.yml
rename to single_role_playbooks/rsyslog.yml
diff --git a/single_role_playbooks/shared_storage.yml b/single_role_playbooks/shared_storage.yml
new file mode 100644
index 000000000..e02cd1604
--- /dev/null
+++ b/single_role_playbooks/shared_storage.yml
@@ -0,0 +1,5 @@
+---
+- hosts: cluster
+  roles:
+    - shared_storage
+...
\ No newline at end of file
diff --git a/slurm-client.yml b/single_role_playbooks/slurm-client.yml
similarity index 98%
rename from slurm-client.yml
rename to single_role_playbooks/slurm-client.yml
index 0d0396f61..17a856e7f 100644
--- a/slurm-client.yml
+++ b/single_role_playbooks/slurm-client.yml
@@ -16,3 +16,4 @@
   tasks:
   roles:
     - slurm-client
+...
\ No newline at end of file
diff --git a/slurm.yml b/single_role_playbooks/slurm.yml
similarity index 100%
rename from slurm.yml
rename to single_role_playbooks/slurm.yml
diff --git a/ssh_host_signer.yml b/single_role_playbooks/ssh_host_signer.yml
similarity index 100%
rename from ssh_host_signer.yml
rename to single_role_playbooks/ssh_host_signer.yml
diff --git a/site.yml b/site.yml
deleted file mode 100644
index fe79d8726..000000000
--- a/site.yml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-- import_playbook: hpc-cloud/common.yml
-- import_playbook: hpc-cloud/rabbitmq.yml
-- import_playbook: hpc-cloud/memcached.yml
-- import_playbook: hpc-cloud/mariadb.yml
-- import_playbook: hpc-cloud/keystone.yml
-- import_playbook: hpc-cloud/glance-controller.yml
-- import_playbook: hpc-cloud/nova-controller.yml
-- import_playbook: hpc-cloud/neutron-controller.yml
-- import_playbook: hpc-cloud/cinder-controller.yml
-- import_playbook: hpc-cloud/cinder-storage.yml
-- import_playbook: hpc-cloud/nova-compute.yml
-- import_playbook: hpc-cloud/horizon.yml
-- import_playbook: hpc-cloud/heat.yml
-- import_playbook: hpc-cloud/post-install.yml
-...
diff --git a/users.yml b/users.yml
deleted file mode 100644
index 9d74d9834..000000000
--- a/users.yml
+++ /dev/null
@@ -1,104 +0,0 @@
-# SSH keys of HPC colleagues.
-# for more advanced examples, see:
-# http://docs.ansible.com/ansible/latest/authorized_key_module.html
----
-# Team HPC players.
-- import_playbook: roles/HPCplaybooks/users.yml
-
-- name: Initial setup
-  hosts: all
-  become: True
-
-  tasks:
-    - name: Determine available groups
-      getent:
-        database: group
-
-    - user:
-        name: remco
-        comment: "Remco Rohde"
-        group: admin
-        groups: "{{ item }}"
-        append: yes
-      when: item in ansible_facts.getent_group
-      with_items:
-        - admin
-        - docker
-
-    - authorized_key:
-        user: remco
-        key: 'ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAA+J5Kn81H0o8tr8W+m31E6OOmPpEqH5/48XRKy/qa6x1phGwobFAdLO8VtnsidjVEb1fpbHCArPQM3T2xjRBnCPAF7XNTm6S/nyrBk522yYOz1dTYUc7mTKACvKTqwEPwtA7sUZz61u+joFY4UajcVszJAuaLZCNRaSzLO1vx3ML571w== remco@tnt7'
-        state: present
-
-- hosts: sugarsnax
-  become: True
-  tasks:
-    - user:
-        name: pieter
-        comment: "Pieter Neerincx"
-        group: admin
-        groups: "{{ item }}"
-        append: yes
-      when: item in ansible_facts.getent_group
-      with_items:
-        - admin
-        - docker
-
-    - authorized_key:
-        user: pieter
-        key: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCdOt9U8m3oa/ka8vRTOWxU9uh13hR9F5FoW7SRbrQMWX3XYCEF1mFSTU0WHqYlkOm5atbkqRnR2WUOuG2YjCDJ6KqvpYGjITqHilBCINkWuXozoT5HkGbMtcN1nYDh4b+lGhg3ttfTBKBPusLz0Mca68EL6MjmSsgbRSIceNqFrfbjcc/YhJo7Kn769RW6W/ToClVHNHqgC47ZGXDc5acUrcfiaPNFSlyUjqCMKyO7sGOm/o4TTLffznH4A4iNn+/IX+7dGZRlwcmPjsBlpMk8zjQQqDE6l/UykbwKgYBJRO02PeNg3bqDAwSGR5+e4raJ3/mN3tkQqC/cAD3h4eWaRTBJdnLltkOFFeXux4jvuMFCjLYslxHK/LH//GziarA0OQVqA+9LWkwtLx1rKtNW6OaZd45iandwUuDVzlbADxwXtqjjnoy1ZUsAR83YVyhN/fqgOe2i34Q48h27rdkwRwAINuqnoJLufaXyZdYi4QintKOScp3ps/lSXUJq+zn7yh54JCz2l/MhDNUBpBWvZevJTXxqQBszAp5gv0KE2VuPOyrmzo+QeBxKqglMSonguoVolfb9sEYT5Xhu1zR6thRtoBT813kzpeVSzMUAr/KOD+ILSjWKUNT0JuiCXsEDD7Zqx/kspTsHpi/+2irAdcXgAEA+fiJqxsNfV4cpQw== pneerincx'
-        state: present
-
-- hosts:
-    - talos-cluster
-    - imperator
-    - reception
-  become: True
-  tasks:
-    - user:
-        name: pieter
-        comment: "Pieter Neerincx"
-        group: admin
-        groups: "{{ item }}"
-        append: yes
-      when: item in ansible_facts.getent_group
-      with_items:
-        - admin
-        - docker
-
-    - authorized_key:
-        user: pieter
-        key: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCdOt9U8m3oa/ka8vRTOWxU9uh13hR9F5FoW7SRbrQMWX3XYCEF1mFSTU0WHqYlkOm5atbkqRnR2WUOuG2YjCDJ6KqvpYGjITqHilBCINkWuXozoT5HkGbMtcN1nYDh4b+lGhg3ttfTBKBPusLz0Mca68EL6MjmSsgbRSIceNqFrfbjcc/YhJo7Kn769RW6W/ToClVHNHqgC47ZGXDc5acUrcfiaPNFSlyUjqCMKyO7sGOm/o4TTLffznH4A4iNn+/IX+7dGZRlwcmPjsBlpMk8zjQQqDE6l/UykbwKgYBJRO02PeNg3bqDAwSGR5+e4raJ3/mN3tkQqC/cAD3h4eWaRTBJdnLltkOFFeXux4jvuMFCjLYslxHK/LH//GziarA0OQVqA+9LWkwtLx1rKtNW6OaZd45iandwUuDVzlbADxwXtqjjnoy1ZUsAR83YVyhN/fqgOe2i34Q48h27rdkwRwAINuqnoJLufaXyZdYi4QintKOScp3ps/lSXUJq+zn7yh54JCz2l/MhDNUBpBWvZevJTXxqQBszAp5gv0KE2VuPOyrmzo+QeBxKqglMSonguoVolfb9sEYT5Xhu1zR6thRtoBT813kzpeVSzMUAr/KOD+ILSjWKUNT0JuiCXsEDD7Zqx/kspTsHpi/+2irAdcXgAEA+fiJqxsNfV4cpQw== pneerincx'
-        state: present
-
-    - user:
-        name: gerben
-        comment: "Gerben van der Vries"
-        group: admin
-        groups: "{{ item }}"
-        append: yes
-      when: item in ansible_facts.getent_group
-      with_items:
-        - admin
-        - docker
-
-    - authorized_key:
-        user: gerben
-        key: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCUfwAhBD4vCDYgsr04Kxn1e+vIcx7EzOEJrwi4Bv1Fc329TAifMTLeXXjPlehNvDvxq1Eb6I0v0CA01OwtD2QH+jnKGK7/RXwOfKHZQDsfZ1qL725So8z2rLfTOiIBn01zwSZTPoMC0NoDEj1H7RUpuSTSWazRmZJAi4S9aWU7DK+aWp0vR4UzvxWNFuzhhSJPOrHBx0O6st67oVRyhhIFo67dIfgI/fDwuT7+hAfAzGtuWAW1SI33ucDtaSSs3CT6ndPIU1jzRwrK/Xoq2vzyso6ptj9N/qJfauVUtwhQs//9hGjIP7H2m4maUDR60qDveUy4QNbRoJQuT28FrZxdYjEWyU7E3/yuBSX5Lggk9GuolpGBTj3EDLth0LUsB/hjjGNSebNL/pF5wQR9Usu9omXf4f3dPfU/X0SaWjeY1ukU4saRefn9FIu1ZV3w6TQUybM/2ZcHzbS2JDieirMTZ2uGUVZyAX4TID40Pc84bcFbfQULkqBGPmp2X3rrfJgg8GmmX92qT/OEEPQ6tsA909dxvXGMYzb/7B5MjiAjdkhhIlRzjFz8zy0dkTAMopxwHPI4Fr1z/LhP8Or7pv31HfG/RIW8pOcanvvRRzqoSohDrfxobzczce42S/qrD0sE2gQdwbnAh0JlPmB7erSrqhxEjw0pHXd8CWx4yH3oJQ== gvdvries@local.macbook'
-        state: present
-
-    - user:
-        name: marieke
-        comment: "Marieke Bijlsma"
-        group: admin
-        groups: "{{ item }}"
-        append: yes
-      when: item in ansible_facts.getent_group
-      with_items:
-        - admin
-        - docker
-
-    - authorized_key:
-        user: marieke
-        key: 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDb8ulPLVGL78KJ8Egg7i2V9JLsge4m4+G6kdCuX7p7T7WRFH54DjaBl52UnkgbuTML/2r6c1gk3pXF2wlOtyHKqhD4AyvY1l/NyLSn1kkgY3XaWp64pFmmEydqOOrPX6L9cMGEyPjnfjr/GWbihzFn7E9Hc0kkp7CPbbdAlmwnKTk1m87CtKHVVV7rg7t7tI+pwoBhAGq1KpwxvNyKQT9Duwo+0eP/xZPZ/b12j7edxjjgpEtV+mCldsbXS+JyMVAScJXYV6TYcSyZhNhLnhzZIikjvV8/LcFxt4sURMeWLkiw3EqQOpDazJT6p6zo0KFfglvYG7ps8ijsnYuz4BkvMGx5bJQZVT4RdzQASisEUhJY1t0ZLGfs4bix2yMNmwCkypNZq72G2p/e2A9n1NhVSyOXfzHonQBFbL5xUX/1PNKXt027wTCbnl0OA/gLdez0NeanRzVjfDJGLOueC93rAJRIAWk+UOUBWAmHvL7XdnrgPq2puxk3sKCijUgxEkh1xqgMST5MTq3DMzese4jeuAQErhs5WnkOiythn4i4ydJ0oUwAjZhSFnGBSzol0Iar6chxfsp2U/pcl97QKXGLXkIvlZ7vMtYdbxopJ8uYQaOdkDycU1upR6pylZ6LnP8mF+iTqcHry4rmQ5rp46m2L5Cbp3eJZ7LFPXTVLUvWWw== mbijlsma'
-        state: present
diff --git a/vnode.yml b/vnode.yml
deleted file mode 100644
index 2caed3adb..000000000
--- a/vnode.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-- name: Install Roles that are needed for the virtual cluster.
-  hosts:
-    - cluster
-  become: True
-  roles:
-      #- spacewalk_client
-    - cluster
-      #- ldap
-
-# - import_playbook: users.yml