diff --git a/TODO b/TODO
index 37c9bb3..9a6bc91 100644
--- a/TODO
+++ b/TODO
@@ -5,3 +5,4 @@
     - secure files
 - setup fstab with sshfs, noatime
 - add smartmontools & conf
+- auto-add ssh hosts to known_hosts
diff --git a/collections/ansible_collections/nullified/infrastructure/playbooks/main_desktop.yml b/collections/ansible_collections/nullified/infrastructure/playbooks/main_desktop.yml
deleted file mode 100644
index 47104d7..0000000
--- a/collections/ansible_collections/nullified/infrastructure/playbooks/main_desktop.yml
+++ /dev/null
@@ -1,18 +0,0 @@
----
-- hosts: main_desktop
-  tasks:
-    - name: include common role
-      ansible.builtin.include_role:
-        name: nullified.infrastructure.common
-    - name: include workstation role
-      ansible.builtin.include_role:
-        name: nullified.infrastructure.workstation
-    - name: include development role
-      ansible.builtin.include_role:
-        name: nullified.infrastructure.development
-    - name: include security role
-      ansible.builtin.include_role:
-        name: nullified.infrastructure.security
-    - name: include gaming role
-      ansible.builtin.include_role:
-        name: nullified.infrastructure.gaming
diff --git a/collections/ansible_collections/nullified/infrastructure/playbooks/server.yml b/collections/ansible_collections/nullified/infrastructure/playbooks/server.yml
deleted file mode 100644
index d80e8ae..0000000
--- a/collections/ansible_collections/nullified/infrastructure/playbooks/server.yml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-- hosts: server
-  tasks:
-    - name: include common role
-      ansible.builtin.include_role:
-        name: nullified.infrastructure.common
-    - name: include security role
-      ansible.builtin.include_role:
-        name: nullified.infrastructure.security
-    - name: include server role
-      ansible.builtin.include_role:
-        name: nullified.infrastructure.server
diff --git a/playbooks/external.yml b/playbooks/external.yml
index 8d83055..255f0a9 100644
--- a/playbooks/external.yml
+++ b/playbooks/external.yml
@@ -5,5 +5,16 @@
   vars_files: ../inventory/vault.yml
   tasks:
     - include_vars: ../inventory/vault.yml
+    - name: include common role
+      ansible.builtin.include_role:
+        name: nullified.infrastructure.common
+    - name: include security role
+      ansible.builtin.include_role:
+        name: nullified.infrastructure.security
 
-- ansible.builtin.import_playbook: nullified.infrastructure.server
+- name: setup servers
+  hosts: external:&server
+  tasks:
+    - name: include server role
+      ansible.builtin.include_role:
+        name: nullified.infrastructure.server
diff --git a/playbooks/internal.yml b/playbooks/internal.yml
index 5297e84..dd66eaf 100644
--- a/playbooks/internal.yml
+++ b/playbooks/internal.yml
@@ -5,5 +5,33 @@
   vars_files: ../inventory/vault.yml
   tasks:
     - include_vars: ../inventory/vault.yml
+    - name: include common role
+      ansible.builtin.include_role:
+        name: nullified.infrastructure.common
+    - name: include security role
+      ansible.builtin.include_role:
+        name: nullified.infrastructure.security
 
-- ansible.builtin.import_playbook: nullified.infrastructure.main_desktop
+- name: setup servers
+  hosts: internal:&server
+  tasks:
+    - name: include server role
+      ansible.builtin.include_role:
+        name: nullified.infrastructure.server
+
+- name: setup workstations
+  hosts: internal:&workstation
+  tasks:
+    - name: include workstation role
+      ansible.builtin.include_role:
+        name: nullified.infrastructure.workstation
+    - name: include development role
+      ansible.builtin.include_role:
+        name: nullified.infrastructure.development
+
+- name: setup gaming tools
+  hosts: internal:&gaming
+  tasks:
+    - name: include gaming role
+      ansible.builtin.include_role:
+        name: nullified.infrastructure.gaming