diff --git a/Makefile b/Makefile index 9b5a29292..051c2ec2a 100644 --- a/Makefile +++ b/Makefile @@ -65,11 +65,17 @@ plan: apply: terraform -chdir=terraform apply +# Docker images: - docker image build . --file=docker/newsblur_base_image.Dockerfile --tag=newsblur/newsblur_python3 - docker image build . --file=docker/node/node_prod.Dockerfile --tag=newsblur/node_prod - docker push newsblur/newsblur_python3 - docker push newsblur/node_prod +# Tasks deploy: - docker stack deploy --with-registry-auth -c stack-compose.yml dev-stack + +firewall: + - ansible-playbook ansible/provision.yml --tags firewallx -l db + diff --git a/ansible.cfg b/ansible.cfg index 9e7602cc6..7bf765cbc 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -4,8 +4,6 @@ remote_user = nb retry_files_enabled = False inventory = /srv/newsblur/ansible/inventories/digital_ocean.ini, /srv/newsblur/ansible/inventories/digital_ocean.yml private_key_file = /srv/secrets-newsblur/keys/docker.key -publickey = /srv/secrets-newsblur/keys/docker.key.pub -# private_key_file = /srv/secrets-newsblur/keys/newsblur.key remote_tmp = ~/.ansible/tmp forks = 20 diff --git a/ansible.old.cfg b/ansible.old.cfg index 17627754b..7d913e697 100644 --- a/ansible.old.cfg +++ b/ansible.old.cfg @@ -7,6 +7,7 @@ private_key_file = /srv/secrets-newsblur/keys/newsblur.key publickey = /srv/secrets-newsblur/keys/newsblur.key.pub remote_tmp = ~/.ansible/tmp forks = 20 +deprecation_warnings=False [inventory] enable_plugins = ini, constructed diff --git a/ansible/group_vars/NewsBlur.yml b/ansible/group_vars/NewsBlur.yml new file mode 100644 index 000000000..22c2cb653 --- /dev/null +++ b/ansible/group_vars/NewsBlur.yml @@ -0,0 +1,3 @@ +--- +ansible_ssh_private_key_file: /srv/secrets-newsblur/keys/newsblur.key +ansible_ssh_user: sclay diff --git a/ansible/group_vars/NewsBlur_Docker.yml b/ansible/group_vars/NewsBlur_Docker.yml new file mode 100644 index 000000000..d9616467b --- /dev/null +++ b/ansible/group_vars/NewsBlur_Docker.yml 
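Review bot: The new `firewall` target passes `--tags firewallx`, but in this same commit ufw.yml tags the real `ufw` allow task `firewall` and only the leftover `debug` task `firewallx`, so `make firewall` prints the host list and changes no rule; the recipe should read `ansible-playbook ansible/provision.yml --tags firewall -l db`. The recipe line also appears to carry make's `-` ignore-errors prefix (as the docker recipes in this hunk do), which turns a failed firewall run into a green exit status — drop it for this target so a half-applied allow-list fails loudly. `deploy` and `firewall` are command targets rather than files and should be declared with `.PHONY: deploy firewall` so a stray file of that name cannot silence them. The Makefile's neighbouring targets continue outside the hunk.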
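Review bot: `ansible_ssh_user` in the new group_vars is the pre-2.0 spelling; Ansible 2.0 renamed it to `ansible_user` (the old name is still honoured as a legacy alias, like `ansible_ssh_host`), so `ansible_user: sclay` is the current form, and the same applies to `ansible_ssh_user: nb` in the sibling NewsBlur_Docker.yml. `ansible_ssh_private_key_file` was not renamed and is fine. Because these group_vars override `private_key_file` from ansible.cfg, a one-line header in each file saying which hosts the key/user pair belongs to, e.g. `# Legacy (non-Docker) hosts: connect with newsblur.key as this user`, would keep the two key paths from being confused. If `sclay` is a personal login rather than a service account, consider whether the `nb` automation user used for the Docker group could be provisioned on these hosts as well.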
@@ -0,0 +1,3 @@
+---
+ansible_ssh_private_key_file: /srv/secrets-newsblur/keys/docker.key
+ansible_ssh_user: nb
diff --git a/ansible/inventories/all.yml b/ansible/inventories/all.yml
index 1d6ef6875..75a51b46a 100644
--- a/ansible/inventories/all.yml
+++ b/ansible/inventories/all.yml
@@ -1,3 +1,5 @@
-[oldandnew]
-NewsBlur
-NewsBlur_Docker
+plugin: constructed
+strict: False
+
+groups:
+ oldandnew: group_names | intersect(["NewsBlur", "NewsBlur_Docker"])
diff --git a/ansible/inventories/digital_ocean.old.yml b/ansible/inventories/digital_ocean.old.yml
index 05de7c414..45faa3577 100644
--- a/ansible/inventories/digital_ocean.old.yml
+++ b/ansible/inventories/digital_ocean.old.yml
@@ -7,9 +7,8 @@ groups:
 node: inventory_hostname.startswith('node')
 db: inventory_hostname.startswith('db')
 task: inventory_hostname.startswith('task')
- search: inventory_hostname.startswith('db-elasticsearch')
- elasticsearch: inventory_hostname.startswith('db-elasticsearch')
- redis: inventory_hostname.startswith('db-redis')
- postgres: inventory_hostname.startswith('db01')
- mongo: inventory_hostname in ['db20d', 'db22', 'db23a', 'db30']
- consul: inventory_hostname.startswith('db-consul')
+ search: inventory_hostname.startswith('search')
+ elasticsearch: inventory_hostname.startswith('search')
+ redis: inventory_hostname.startswith('db4')
+ postgres: inventory_hostname.startswith('db0')
+ mongo: inventory_hostname.startswith('db2') or inventory_hostname.startswith('db3')
diff --git a/ansible/inventories/digital_ocean.yml b/ansible/inventories/digital_ocean.yml
index dcacdbd1c..514657ef7 100644
--- a/ansible/inventories/digital_ocean.yml
+++ b/ansible/inventories/digital_ocean.yml
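Review bot: With `strict: False`, any error while composing `oldandnew` (for example `group_names` being undefined because this constructed source is parsed before the sources that define `NewsBlur`/`NewsBlur_Docker`) is swallowed and the group simply comes out empty — and ufw.yml feeds `groups['oldandnew']` straight into the allow-list, so a broken expression would silently drop every inter-host allow rule instead of failing the run. For an inventory whose only job is to build a security-relevant group, `strict: True` is the safer setting. The expression also yields a list rather than a boolean; it works because the plugin tests truthiness, but `(group_names | intersect(["NewsBlur", "NewsBlur_Docker"]) | length) > 0` states the intent. Note that ansible.cfg in this commit lists only digital_ocean.ini and digital_ocean.yml as inventory, so this file presumably has to be passed with `-i` after those — worth confirming the ordering.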
@@ -4,7 +4,7 @@ strict: False
 groups:
 web: inventory_hostname.startswith('app')
 app: inventory_hostname.startswith('app')
- work: inventory_hostname.startswith('work') and inventory_hostname != "work"
+ # work: inventory_hostname.startswith('work') and inventory_hostname != "work"
 node: inventory_hostname.startswith('node')
 # debug: inventory_hostname.startswith('debug')
 db: inventory_hostname.startswith('db')
diff --git a/ansible/provision.yml b/ansible/provision.yml
index f0ccb5c87..395c55064 100644
--- a/ansible/provision.yml
+++ b/ansible/provision.yml
@@ -1,19 +1,19 @@
 ---
 - import_playbook: setup_app.yml
- when: "'app' in inventory_hostname"
+ when: "'app' in group_names"
 - import_playbook: setup_www.yml
- when: "'www' in inventory_hostname"
+ when: "'www' in group_names"
 - import_playbook: setup_node.yml
- when: "'node' in inventory_hostname"
+ when: "'node' in group_names"
 - import_playbook: setup_postgres.yml
- when: "'postgres' in inventory_hostname"
+ when: "'postgres' in group_names"
 - import_playbook: setup_mongo.yml
- when: "'mongo' in inventory_hostname"
+ when: "'mongo' in group_names"
 - import_playbook: setup_redis.yml
- when: "'redis' in inventory_hostname"
+ when: "'redis' in group_names"
 - import_playbook: setup_elasticsearch.yml
- when: "'elasticsearch' in inventory_hostname"
+ when: "'elasticsearch' in group_names"
 - import_playbook: setup_task.yml
- when: "'task' in inventory_hostname"
+ when: "'task' in group_names"
 - import_playbook: setup_consul_manager.yml
- when: "'consul' in inventory_hostname"
+ when: "'consul' in group_names"
diff --git a/ansible/roles/base/tasks/ufw.yml b/ansible/roles/base/tasks/ufw.yml
index 1d7c33d16..04d3ae16c 100644
--- a/ansible/roles/base/tasks/ufw.yml
+++ b/ansible/roles/base/tasks/ufw.yml
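Review bot: Switching the `when:` guards to `group_names` is the right fix (the old `'postgres' in inventory_hostname` test could never match a host such as `db01` that the inventory places in `postgres`), but two of the group names now have no visible producer: neither inventory hunk in this commit defines a `www` group, and this commit deletes the `consul` group from digital_ocean.old.yml, so `setup_www.yml` and `setup_consul_manager.yml` will be skipped on every host unless those groups are defined in a file outside this diff — worth confirming. Since a `when:` on `import_playbook` is applied to every play in the imported file, a one-line comment at the top such as `# Each playbook runs only on hosts whose group_names contain the matching inventory group (see inventories/*.yml).` would document the contract.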
@@ -31,13 +31,17 @@ with_items: - 10.0.0.0/8 +- debug: + msg: "{{ groups['oldandnew'] | map('extract', hostvars, ['ansible_host']) }}" + tags: firewallx + - name: Allow all access from inventory hosts become: yes ufw: rule: allow src: '{{ item }}' with_items: "{{ groups['oldandnew'] | map('extract', hostvars, ['ansible_host']) }}" - tags: ufwall + tags: firewall - name: Start ufw ufw: state=enabled diff --git a/ansible/setup_app.yml b/ansible/setup_app.yml index cfd79b481..d8a92cc3c 100644 --- a/ansible/setup_app.yml +++ b/ansible/setup_app.yml @@ -1,11 +1,11 @@ --- - name: SETUP -> app containers hosts: app + vars_files: + - env_vars/base.yml vars: - update_apt_cache: yes - motd_role: app - vars_files: - - env_vars/base.yml roles: - {role: 'base', tags: 'base'} diff --git a/ansible/setup_postgres.yml b/ansible/setup_postgres.yml index cdc172458..7c4b81901 100644 --- a/ansible/setup_postgres.yml +++ b/ansible/setup_postgres.yml @@ -1,12 +1,12 @@ --- - name: SETUP -> postgresql containers hosts: postgres - become: true vars_files: - env_vars/base.yml vars: - update_apt_cache: yes - motd_role: db + roles: - {role: 'base', tags: 'base'} - {role: 'docker', tags: 'docker'}
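Review bot: The added `debug` task is tagged `firewallx` while the allow task right below it is tagged `firewall`, and the Makefile target added in this commit runs `--tags firewallx`, so the only thing `make firewall` does is print the host list. Either drop the debug task or give it the same tag, `tags: firewall`, and fix the Makefile to match. Running with `--tags firewall` also selects only `Allow all access from inventory hosts` and not `Start ufw` (the default deny/allow tasks earlier in this file are outside the hunk), so on a host where ufw is not yet enabled the new entries are staged but not enforced; tagging `Start ufw` with `firewall` as well, or `always`, avoids that. The allow rule admits every port from every `oldandnew` host (pre-existing, not changed here); if it is meant only for inter-node services, restricting `port`/`proto` is worth a follow-up.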
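Review bot: Removing play-level `become: true` means every task in the `base`, `docker` and later roles must now request privilege itself; the `ufw` allow task in this commit does (`become: yes`), but the `Start ufw` task shown next to it carries no `become`, and package and docker installation steps typically need root as well — confirm each role's tasks set `become` explicitly, otherwise this play will start failing with permission errors on fresh hosts. Dropping the blanket escalation is a good least-privilege move once that is done; a comment such as `# No play-level become: roles escalate per task where root is required.` records the intent. The play's role list continues outside the hunk.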