diff --git a/Makefile b/Makefile
index b7d92f8..9517d80 100644
--- a/Makefile
+++ b/Makefile
@@ -1,4 +1,4 @@
-.PHONY: all deploy check clean create debug editvars
+.PHONY: all deploy check clean create debug editvars test
 VARS = group_vars/all/vars.yaml
@@ -19,8 +19,6 @@ DEBUG_COMMAND = ansible-playbook debug.yaml $(OPTIONS)
 ENV = HCLOUD_TOKEN="$(TOKEN)" SNAPSHOT="$(SNAPSHOT)" ANSIBLE_VERBOSITY=$(verbose)
-test:
- @echo SNAPSHOT="$(SNAPSHOT)"
 all: create deploy
diff --git a/TODO.md b/TODO.md
index d3b6a8a..253a7be 100644
--- a/TODO.md
+++ b/TODO.md
@@ -25,7 +25,6 @@ or using e3 using wrapper script around `jaildk exec dns knotc ...`
 ### Cleanup release snapshot
-- remove /home symlink
 - remove pkg function from root .bashrc
@@ -33,4 +32,6 @@ or using e3 using wrapper script around `jaildk exec dns knotc ...`
 ## Add quota config and enable/configure rctl
-## Fix jail DNS, doesn't work yet (pf missing?)
+## Setup sshd_config for jail
+
+Using Bastillefile CP?
diff --git a/deploy.yaml b/deploy.yaml
index 898523d..56ff359 100644
--- a/deploy.yaml
+++ b/deploy.yaml
@@ -6,7 +6,7 @@
 user: root
 roles:
 - role: server
- #- role: network
+ - role: network
 - role: firewall
 - role: ssh
 - role: jails
diff --git a/group_vars/all/all.yaml b/group_vars/all/all.yaml
index 74612bd..1e98052 100644
--- a/group_vars/all/all.yaml
+++ b/group_vars/all/all.yaml
@@ -90,3 +90,17 @@ permissions:
 owner: root
 group: wheel
 mode: '0711'
+
+jails:
+ pubnix:
+ pkgs:
+ - bash
+ - zsh
+ - vim
+ - git
+ - htop
+ - tmux
+ - bind-tools
+ - coreutils
+ - emacs-nox
+ - fzf
diff --git a/roles/firewall/templates/pf.conf.j2 b/roles/firewall/templates/pf.conf.j2
index 67bc7fb..35f0fae 100644
--- a/roles/firewall/templates/pf.conf.j2
+++ b/roles/firewall/templates/pf.conf.j2
@@ -8,6 +8,7 @@
 # pfctl -t bad_hosts -T delete $ip
 ext_if="{{ ansible_default_ipv6.interface }}"
+jail_net="{{ jailnet.stdout }}"
 ### Default block policy is to return a reset packet
 set block-policy drop
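Review bot: `test` is added to the `.PHONY` list in this hunk while the `@@ -19,8 +19,6 @@` hunk deletes the only `test:` rule, so after this commit `make test` silently succeeds with nothing to do instead of failing. Either remove `test` from the `.PHONY` line again or keep a `test` target with a recipe; a phony name with no rule declares a command that does not exist.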
@@ -30,6 +31,11 @@ block in log all
 ### Allow outgoing, skip others rules if match, and track connections
 pass out quick keep state
 pass out inet6 keep state
+pass out quick on $ext_if keep state
+pass out on $ext_if inet6 keep state
+
+### Allow traffic coming from jails
+pass in on $ext_if inet6 from $jail_net keep state
 ### Block all incoming traffic from the $ext_if subnet which is not from $ext_if interface
 ### And block incoming traffic from $ext_if IP on $ext_if interface
@@ -42,5 +48,8 @@ pass in quick on $ext_if inet6 proto tcp from any to any port ssh \
 (max-src-conn-rate 10/60, \
 overload flush global) label ServicesTCP
+# allow ansible answers
+pass out on $ext_if proto tcp from port 22 to any flags any
+
 # ipv6 icmp
 pass in quick inet6 proto icmp6 all keep state
diff --git a/roles/jails/tasks/main.yaml b/roles/jails/tasks/main.yaml
index 80737bb..0a430be 100644
--- a/roles/jails/tasks/main.yaml
+++ b/roles/jails/tasks/main.yaml
@@ -37,10 +37,6 @@
 regexp: '^(.*)quarterly(.*)$'
 replace: '\1latest\2'
-- name: determine ipv6 address
- shell: ifconfig {{ netif.primary }} inet6 | awk '{ if (/2a01/) { print $2 }}'
- register: primaryip
-
 - name: setup bastille.conf
 template:
 src: bastille.conf.j2
diff --git a/roles/jails/templates/bastille.conf.j2 b/roles/jails/templates/bastille.conf.j2
index dfdc0af..242ae00 100644
--- a/roles/jails/templates/bastille.conf.j2
+++ b/roles/jails/templates/bastille.conf.j2
@@ -57,7 +57,7 @@ bastille_network_pf_ext_if="ext_if" ## default
 bastille_network_pf_table="jails" ## default: "jails"
 bastille_network_shared="" ## default: ""
 bastille_network_gateway="" ## default: ""
-bastille_network_gateway6="{{ primaryip.stdout }}" ## default: ""
+bastille_network_gateway6="{{ jailip.stdout }}" ## default: ""
 ## Default Templates
 bastille_template_base="default/base" ## default: "default/base"
diff --git a/roles/network/tasks/main.yaml b/roles/network/tasks/main.yaml
index 956cd80..c1dd567 100644
--- a/roles/network/tasks/main.yaml
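Review bot: The added `pass out quick on $ext_if keep state` and `pass out on $ext_if inet6 keep state` lines, and the `pass out on $ext_if proto tcp from port 22 to any flags any` line in the `@@ -42,5 +48,8 @@` hunk, all come after the context rule `pass out quick keep state`, which already matches every outbound packet and ends evaluation, so as shown they cannot be reached; if they do change behaviour, something outside the hunk is involved and should be confirmed before the "allow ansible answers" rule is relied on. If that rule is kept, `flags any` should be dropped in favour of the default `flags S/SA`, since it lets pf create state from a non-SYN packet. The new `pass in on $ext_if inet6 from $jail_net keep state` is not `quick`, restricts only the source (a /64 derived from the host's own address in roles/network), and opens every host port to it, while the following context comments announce block rules for that same subnet, so with pf's last-match semantics the winner depends on lines outside the hunk. Narrow it with a `to` clause and the protocols the jails actually need, or match on the jail-side interface rather than `$ext_if`, and add a comment naming the rule that is meant to win.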
+++ b/roles/network/tasks/main.yaml
@@ -1,29 +1,8 @@
 ---
-- name: Add bridge interface
- community.general.sysrc:
- name: cloned_interfaces
- state: value_present
- value: "bridge0"
+- name: determine ipv6 address
+ shell: ifconfig {{ netif.primary }} inet6 | awk '{ if (/2a01/) { sub(/::.$/, "::2", $2); print $2 }}'
+ register: jailip
-- name: Setup bridge interface
- community.general.sysrc:
- name: ifconfig_bridge0
- state: value_present
- value: "up"
- notify: netif cloneup
-
-- name: Setup bridge interface
- community.general.sysrc:
- name: ifconfig_bridge0
- state: value_present
- value: "addm vtnet0"
- notify: netif cloneup
-
-- name: Setup bridge interface ipv6
- community.general.sysrc:
- name: ifconfig_bridge0_ipv6
- state: value_present
- value: "inet6 auto_linklocal"
- notify: netif cloneup
-
-- meta: flush_handlers
+- name: determine ipv6 net
+ shell: ifconfig {{ netif.primary }} inet6 | awk '{ if (/2a01/) { sub(/::.$/, "::", $2); print $2"/64" }}'
+ register: jailnet
diff --git a/roles/pubnix/files/Bastillefile b/roles/pubnix/files/Bastillefile
deleted file mode 100644
index 013310c..0000000
--- a/roles/pubnix/files/Bastillefile
+++ /dev/null
@@ -1,6 +0,0 @@
-PKG bash
-SYSRC sshd_enable=YES
-CMD mkdir -p /data/home
-SERVICE nginx restart
-FSTAB /data/home data/home nullfs ro 0 0
-RDR tcp 22 22
diff --git a/roles/pubnix/tasks/main.yaml b/roles/pubnix/tasks/main.yaml
index ab73dd0..feaf940 100644
--- a/roles/pubnix/tasks/main.yaml
+++ b/roles/pubnix/tasks/main.yaml
@@ -6,9 +6,9 @@
 recurse: yes
 - name: copy template config files
- copy:
- src: Bastillefile
- dest: "/usr/local/bastille/templates/services/{{ role_name }}/"
+ template:
+ src: Bastillefile.j2
+ dest: "/usr/local/bastille/templates/services/{{ role_name }}/Bastillefile"
 - name: create config path
 file:
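Review bot: Both new tasks register raw `stdout` that other files in this commit interpolate into configuration (`jail_net="{{ jailnet.stdout }}"` in pf.conf.j2, `bastille_network_gateway6="{{ jailip.stdout }}"` in bastille.conf.j2, and `{{ jailip.stdout }}/64` in the pubnix create-jail command), yet nothing checks that the awk filter matched exactly one line, so an interface without a `2a01` address, or with several, yields an empty or multi-line value and pf will reject the rendered ruleset. Add `changed_when: false` and `failed_when: jailip.stdout_lines | length != 1` to the first task (and the same with `jailnet` to the second), and consider deriving both values from the `ansible_default_ipv6` fact that pf.conf.j2 already uses instead of the hard-coded `2a01` prefix. The removed tasks were also the ones that cloned and brought up `bridge0`, and `bastille create -B … bridge0` in roles/pubnix/tasks/main.yaml still names it, so unless the bridge is now created elsewhere jail creation will fail on a fresh host.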
@@ -21,17 +21,14 @@
 src: sshd_config
 dest: "/usr/local/bastille/templates/services/{{ role_name }}/etc/ssh/"
-- name: create data/home dataset
- community.general.zfs:
- name: zroot/home
- state: present
- extra_zfs_properties:
- mountpoint: /data/home
+# - name: create data/home dataset
+# community.general.zfs:
+# name: zroot/home
+# state: present
+# extra_zfs_properties:
+# mountpoint: /data/home
+
-- name: determine ipv6 address
- shell: ifconfig {{ netif.primary }} inet6 | awk '{ if (/2a01/) { sub(/::.$/, "::2", $2); print $2 }}'
- register: jailip
-
 - name: create jail
 shell: "bastille create -B {{ role_name }} {{ release }} {{ jailip.stdout }}/64 bridge0"
 args:
diff --git a/roles/pubnix/templates/Bastillefile.j2 b/roles/pubnix/templates/Bastillefile.j2
new file mode 100644
index 0000000..1eb0f8d
--- /dev/null
+++ b/roles/pubnix/templates/Bastillefile.j2
@@ -0,0 +1,14 @@
+PKG {{ jails.pubnix.pkgs | join(' ') }}
+
+SYSRC sshd_enable=YES
+SYSRC sendmail_enable=NONE
+SYSRC tmpsize="500m"
+SYSRC tmpmfs="AUTO"
+SYSRC clear_tmp_enable="YES"
+
+CMD rm /home
+CMD mkdir -p /home
+
+FSTAB /home home nullfs rw 0 0
+
+SERVICE sshd start
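Review bot: The zfs dataset task is left in place as a commented-out block instead of being deleted; Ansible ignores it, so it is dead text that will drift from the live play — remove it (history keeps it) or replace it with a one-line comment stating why the dataset is no longer created. The context line `bastille create -B … {{ jailip.stdout }}/64 bridge0` now depends on `jailip` being registered by roles/network earlier in the same play; an `ansible.builtin.assert` on `jailip is defined` at the top of this role, or `when: jailip is defined` on the task, turns a confusing undefined-variable error into an explicit dependency failure.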
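Review bot: `FSTAB /home home nullfs rw 0 0` shares a host directory read-write with the jail, where the deleted roles/pubnix/files/Bastillefile mounted `/data/home` read-only, and nullfs does not translate ownership, so a jail user whose uid matches a host user can modify that user's files and a setuid file created inside the jail is honoured on the host side unless the mount is `nosuid`. If the first column really is the host's own `/home`, `FSTAB /home home nullfs rw,nosuid 0 0` plus a comment explaining the sharing would be the minimum; a dedicated dataset, as the now commented-out zfs task provided, keeps host and jail users apart. `CMD rm /home` also fails when the release ships `/home` as a real directory rather than the older symlink (recent FreeBSD releases do, as far as I recall), which presumably aborts the template; if Bastille runs `CMD` through a shell, `CMD [ -L /home ] && rm /home; mkdir -p /home` handles both cases.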