diff --git a/ansible/README.md b/ansible/README.md new file mode 100644 index 0000000..374098a --- /dev/null +++ b/ansible/README.md @@ -0,0 +1,2 @@ +Prerequisites on Ansible CONTROLLER: +- python3-netaddr diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg index 4351528..a5de8d2 100644 --- a/ansible/ansible.cfg +++ b/ansible/ansible.cfg @@ -4,6 +4,7 @@ inventory=inventory vault_password_file=util/secret-service-client.sh interpreter_python=/usr/bin/python3 host_key_checking = False +remote_user = root [diff] always = True diff --git a/ansible/atlas.yml b/ansible/hypervisors.yml similarity index 81% rename from ansible/atlas.yml rename to ansible/hypervisors.yml index 442434b..aea1f67 100644 --- a/ansible/atlas.yml +++ b/ansible/hypervisors.yml @@ -1,6 +1,5 @@ --- -- name: Setup Atlas - hosts: atlas +- hosts: hypervisors handlers: - name: enable interfaces @@ -12,12 +11,6 @@ timezone: name: Europe/Amsterdam - - name: Copy interfaces configuration - copy: - src: dmz.conf - dest: /etc/network/interfaces.d/dmz.conf - notify: enable interfaces - - name: Create data directory file: path: /data @@ -27,9 +20,30 @@ roles: - {role: setup_apt, tags: setup_apt} - {role: libvirt, tags: libvirt} + +- hosts: atlas + + roles: - {role: postgresql, tags: postgresql} - - {role: wireguard, tags: wireguard} - {role: ssh_ca, tags: ssh_ca} + +- hosts: hypervisors + no_log: False + + handlers: + - name: enable interfaces + command: + cmd: ifup -a + + pre_tasks: + - name: Copy interfaces configuration + copy: + src: dmz.conf + dest: /etc/network/interfaces.d/dmz.conf + notify: enable interfaces + + roles: + - {role: wireguard, tags: wireguard} - {role: ssh_ca_known_hosts, tags: ssh_ca_known_hosts} - {role: deploy_ssh_certificates, tags: deploy_ssh_certificates} - {role: borg, tags: borg} diff --git a/ansible/inventory/host_vars/jefke/apt.yml b/ansible/inventory/host_vars/jefke/apt.yml new file mode 100644 index 0000000..b1297d2 --- /dev/null 
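Review bot: `remote_user = root` now applies to every host in the inventory, whereas the setting it replaces (`ansible_user: root` on `atlas`, dropped in the hosts.yml hunk further down) was scoped to a single host. Any host added later without its own `ansible_user` silently inherits root, and with `host_key_checking = False` on the line above, those root sessions are also established without host-key verification. Keeping the user in the inventory instead, as `vars: {ansible_user: root}` under the `hypervisors` group, ties the privilege to the group that needs it and keeps the global config neutral. The section header this line sits under is outside the hunk.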
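Review bot: In the third hunk of hypervisors.yml, the first play still declares the `enable interfaces` handler (visible as context in the first hunk) although the only task notifying it, `Copy interfaces configuration`, has moved into the new third play, which declares its own copy of the handler; as far as the hunks show, the handler in the first play is now dead and can be removed. The new `no_log: False` on the third play is the default value and reads like a debugging leftover; drop it, or if it is kept write it as `no_log: false`, since the capitalised form is a YAML 1.1 boolean spelling that yamllint's truthy rule flags. That play also runs the `wireguard` role, which consumes the vaulted `wireguard_private_key`; if any task in that role renders the key, `no_log: true` belongs on that task rather than at play level. The first play's task list continues outside the hunks.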
+++ b/ansible/inventory/host_vars/jefke/apt.yml @@ -0,0 +1,5 @@ +apt_install_packages: + - qemu-kvm + - libvirt-daemon-system + - sudo + - bridge-utils diff --git a/ansible/inventory/host_vars/jefke/ssh_certificates.yml b/ansible/inventory/host_vars/jefke/ssh_certificates.yml new file mode 100644 index 0000000..1b096f4 --- /dev/null +++ b/ansible/inventory/host_vars/jefke/ssh_certificates.yml @@ -0,0 +1,12 @@ +deploy_ssh_certificates: + - name: ssh_user_ed25519_key + type: user + key_type: ed25519 + signing_key: hyp_user + host: jefke.hyp + principals: hypervisor + - name: ssh_host_ed25519_key + type: host + key_type: ed25519 + signing_key: hyp_host + host: jefke.hyp diff --git a/ansible/inventory/host_vars/jefke/wireguard.yml b/ansible/inventory/host_vars/jefke/wireguard.yml new file mode 100644 index 0000000..de09195 --- /dev/null +++ b/ansible/inventory/host_vars/jefke/wireguard.yml @@ -0,0 +1,18 @@ +wireguard_addresses: + - "10.42.1.1/32" +wireguard_endpoint: "jefke.hyp" +wireguard_private_key: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 36376161636365313033613362336239656164643430306437393866353036303938616136613933 + 6333613866643139653130393532613838353031613562350a663664633033353364303035353131 + 66363439353537323636313466303236393530653938393838373837366436316665343831623934 + 3234363066366235300a346636613930346466643566666265613733343266613030613765313161 + 63343133646566623264393533613733363735666432396366623737306232303761366465306164 + 3937653537316461376263613338373439313531383961623333 +wireguard_unmanaged_peers: + pim: + public_key: "xQ1hkwpIf5x7Wkx1leQHXx3RK8fjGWt2ZmG9XUN3V08=" + allowed_ips: "10.42.1.2/32" + niels: + public_key: "WJO/DQUJyDp4rFW291F2Ai51lotU2IC+OATu+5P3Jio=" + allowed_ips: "10.42.1.3/32" diff --git a/ansible/inventory/hosts.yml b/ansible/inventory/hosts.yml index a92230d..bd1f90b 100644 --- a/ansible/inventory/hosts.yml +++ b/ansible/inventory/hosts.yml 
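Review bot: The user certificate for jefke is signed by `hyp_user` with the single principal `hypervisor`, which by the naming looks like a principal every hypervisor host shares; any server that authorises by that principal (presumably including the borg target `root@lewis.hyp` from backup.yml, though its authorized_principals are not visible here) then accepts jefke's certificate for every host's backup data, not only its own. If per-host separation is intended, add a host-specific principal such as `jefke` alongside the shared one and restrict what each principal may run on the receiving side. Whether the `deploy_ssh_certificates` role expects `principals` as a scalar or a list is not visible in this diff; `principals: [hypervisor]` would be the unambiguous form if it takes a list.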
@@ -1,5 +1,8 @@ all: - hosts: - atlas: - ansible_host: atlas.hyp - ansible_user: root + children: + hypervisors: + hosts: + atlas: + ansible_host: atlas.hyp + jefke: + ansible_host: jefke.hyp diff --git a/ansible/roles/borg/files/backup.yml b/ansible/roles/borg/files/backup.yml index f697231..5d89b16 100644 --- a/ansible/roles/borg/files/backup.yml +++ b/ansible/roles/borg/files/backup.yml @@ -2,7 +2,7 @@ location: source_directories: - /data repositories: - - 'ssh://root@lewis.hyp/mnt/kingston1TB/hosts/atlas' + - 'ssh://root@lewis.hyp/mnt/kingston1TB/hosts/{{ ansible_hostname }}' retention: keep_daily: 7 keep_weekly: 4 diff --git a/ansible/util/secret-service-client.sh b/ansible/util/secret-service-client.sh index 32d82a6..c2e5031 100755 --- a/ansible/util/secret-service-client.sh +++ b/ansible/util/secret-service-client.sh @@ -1,6 +1,6 @@ #!/bin/bash -pass=`secret-tool lookup ansible_vault atlas` +pass=`secret-tool lookup ansible_vault hypervisors` retval=$? if [ $retval -ne 0 ]; then
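Review bot: `{{ ansible_hostname }}` in the repository URL is only expanded if the borg role deploys this file with the `template` module; the file lives under `roles/borg/files/`, the directory `copy` serves verbatim, so if the role uses `copy` the literal text `{{ ansible_hostname }}` lands in the deployed config and the repository path is wrong on every host. Moving the file to `templates/` and deploying it with `template` makes the intent explicit; that task is outside this diff. Separately, `ansible_hostname` is a gathered fact (the target's short hostname) that is undefined when fact gathering is off and may not match the inventory names, whereas `inventory_hostname` is always defined and yields `atlas`/`jefke` exactly as named in hosts.yml, so `hosts/{{ inventory_hostname }}` is the more robust choice.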