diff --git a/procedures/ansible-playbook/inventory.yml b/procedures/ansible-playbook/inventory.yml
index f27c9a9..72fb03e 100644
--- a/procedures/ansible-playbook/inventory.yml
+++ b/procedures/ansible-playbook/inventory.yml
@@ -113,15 +113,6 @@ all:
 - src: "192.168.16.254:/mnt/Ice/Repo"
 path: "/home/jarvis/repo"
 
- # ──────────────────────────────────────────
- # Managed nodes (apt update/upgrade target)
- # Physical agents + core services, NOT PVE, NOT Neo, NOT igor, NOT ephemeral LXCs
- # ──────────────────────────────────────────
- managed_nodes:
- children:
- physical_agents:
- core_services:
-
 # Tailscale fallback aliases (uncomment if LAN fails)
 # tailscale_fallback:
 # hosts:
diff --git a/procedures/ansible-playbook/main.yml b/procedures/ansible-playbook/main.yml
index 29b4dd9..afa7003 100644
--- a/procedures/ansible-playbook/main.yml
+++ b/procedures/ansible-playbook/main.yml
@@ -1,27 +1,59 @@
-- name: Prepare Systems
- hosts: physical_agents:core_services
+- name: Install nfs-common
+ ansible.builtin.apt:
+ name: nfs-common
+ state: present
 become: true
- roles:
- - prepare
+ when: ansible_os_family == "Debian"
 
-- name: Install NFS client
- hosts: fleet_nodes:!pve_hosts:!igor
- become: false
- roles:
- - nfs_client
-
-- name: Fleet update (apt update + upgrade)
- hosts: managed_nodes
+- name: Ensure NFS mount directories exists
+ ansible.builtin.file:
+ path: "{{ item.path }}"
+ state: directory
+ mode: '0755'
+ owner: jarvis
+ group: jarvis
 become: true
- tags:
- - fleet_update
- roles:
- - prepare
+ loop: "{{ nfs_shares }}"
+ loop_control:
+ label: "Directory: {{ item.path }}"
+ when: ansible_os_family == "Debian"
 
-- name: LXC common provisioning (git + ansible)
- hosts: lxcs
+- name: Create local repogroup matching TrueNAS GID 568
+ ansible.builtin.group:
+ name: repogroup
+ gid: 568
+ state: present
 become: true
- tags:
- - lxc_common
- roles:
- - lxc_common
+
+- name: Add jarvis to repogroup
+ ansible.builtin.user:
+ name: jarvis
+ groups:
+ - repogroup
+ append: true
+ become: true
+
+- name: Mount an NFS volume (root, because kernel mount)
+ ansible.posix.mount:
+ src: "{{ item.src }}"
+ path: "{{ item.path }}"
+ opts: "vers=4.2,proto=tcp,_netdev"
+ state: mounted
+ fstype: nfs
+ become: true
+ loop: "{{ nfs_shares }}"
+ loop_control:
+ label: "Mounted: {{ item.src }}"
+ when: ansible_os_family == "Debian"
+
+- name: Set mount permissions so jarvis (repogroup member) can write
+ ansible.builtin.file:
+ path: "{{ item.path }}"
+ mode: '0770'
+ owner: root
+ group: repogroup
+ become: true
+ loop: "{{ nfs_shares }}"
+ loop_control:
+ label: "Permission fix: {{ item.path }}"
+ when: ansible_os_family == "Debian"
diff --git a/procedures/ansible-playbook/roles/lxc_common/tasks/main.yml b/procedures/ansible-playbook/roles/lxc_common/tasks/main.yml
deleted file mode 100644
index fc603b9..0000000
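Review bot: The new main.yml is a flat list of tasks with no play wrapper — every `hosts:` line is removed and the surviving `become: true` context lines now sit at task level — so if this file is still what `ansible-playbook` is pointed at it will be rejected for lacking `hosts`, and the scoping the old plays carried (`fleet_nodes:!pve_hosts:!igor` for the NFS client) is gone with them. Whatever play ends up running these tasks should keep that exclusion, because the last task chmods every mount point to `0770 root:repogroup` and the mount task edits the kernel mount table on each host it reaches; I would wrap the list as `- name: Install NFS client` / `hosts: fleet_nodes:!pve_hosts:!igor` / `tasks:` and indent the tasks under it, or, if they are meant to be imported from a play elsewhere, add a header comment saying so. Separately, the mount options `opts: "vers=4.2,proto=tcp,_netdev"` could carry `nosuid,nodev` for a repo share that is only written by jarvis, so executables or device nodes placed on the NAS cannot gain privileges on the client.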
--- a/procedures/ansible-playbook/roles/lxc_common/tasks/main.yml
+++ /dev/null
@@ -1,69 +0,0 @@
-- name: Ensure apt cache is updated
- ansible.builtin.apt:
- update_cache: yes
- cache_valid_time: 3600
- become: true
- no_log: true
- when: ansible_os_family == "Debian"
-
-- name: Install git
- ansible.builtin.apt:
- name: git
- state: present
- become: true
- no_log: true
- when: ansible_os_family == "Debian"
-
-- name: Install Python pip (needed for ansible via pip)
- ansible.builtin.apt:
- name: python3-pip
- state: present
- become: true
- no_log: true
- when: ansible_os_family == "Debian"
-
-- name: Create jarvis user with UID 1000
- ansible.builtin.user:
- name: jarvis
- uid: 1000
- shell: /bin/bash
- create_home: true
- groups: sudo
- append: true
- become: true
-
-- name: Ensure jarvis .ssh directory exists
- ansible.builtin.file:
- path: /home/jarvis/.ssh
- state: directory
- owner: jarvis
- group: jarvis
- mode: "0700"
- become: true
-
-- name: Copy root authorized_keys to jarvis
- ansible.builtin.copy:
- src: /root/.ssh/authorized_keys
- dest: /home/jarvis/.ssh/authorized_keys
- owner: jarvis
- group: jarvis
- mode: "0600"
- remote_src: true
- become: true
-
-- name: Ensure jarvis has passwordless sudo
- ansible.builtin.lineinfile:
- path: /etc/sudoers.d/jarvis
- line: "jarvis ALL=(ALL) NOPASSWD:ALL"
- create: true
- mode: "0440"
- validate: "visudo -cf %s"
- become: true
-
-- name: Install ansible via pip as jarvis
- ansible.builtin.pip:
- name: ansible
- state: present
- break_system_packages: true
- become: true
- no_log: true
diff --git a/procedures/ansible-playbook/roles/prepare/tasks/main.yml b/procedures/ansible-playbook/roles/prepare/tasks/main.yml
deleted file mode 100644
index afa6e76..0000000
--- a/procedures/ansible-playbook/roles/prepare/tasks/main.yml
+++ /dev/null
@@ -1,12 +0,0 @@
-- name: Run "apt update"
- ansible.builtin.apt:
- update_cache: yes
- cache_valid_time: 3600
- when: ansible_os_family == "Debian"
-
-- name: Upgrade the OS (apt-get dist-upgrade)
- ansible.builtin.apt:
- upgrade: dist
- when:
- - ansible_os_family == "Debian"
- - not (gpu | default(false))