diff --git a/ansible.cfg b/ansible.cfg
index c7c2814..d2e9b25 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -3,6 +3,5 @@ ask_vault_pass = True inventory = inventory.ini interpreter_python = /usr/bin/python3 remote_user = ansible -remote_tmp = /tmp/.ansible use_persistent_connections = True forks = 10
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index e418ec6..e4e4ba9 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -8,7 +8,7 @@ users: - name: lab_admin comment: System administrator groups: - - sudo + - wheel ssh_keys: - sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIFWZGLov8wPBNxuvnaPK+8vv6wK5hHUVEFzXKsN9QeuBAAAADHNzaDpzYW1zYXB0aQ== ssh:samsapti - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPd/4fQV7CL8/KVwbo/phiV5UdXFBIDlkZ+ps8C7FeRf cardno:14 336 332
diff --git a/inventory.ini b/inventory.ini
index e3f73aa..40e5732 100644
--- a/inventory.ini
+++ b/inventory.ini
@@ -38,7 +38,7 @@ db_stage [shared:children] proxy_shrd -monitoring_shrd +monitor_shrd [appservers:children] app_prod
diff --git a/roles/postgresql/tasks/database.yml b/roles/postgresql/tasks/database.yml
index 0127515..49d1d7c 100644
--- a/roles/postgresql/tasks/database.yml
+++ b/roles/postgresql/tasks/database.yml
@@ -6,8 +6,6 @@ name: "{{ db_vars.username }}" password: "{{ db_vars.password }}" state: present - environment: - PGOPTIONS: '-c password_encryption=scram-sha-256' - name: Create database '{{ db_name }}' community.postgresql.postgresql_db:
@@ -21,5 +19,6 @@ community.postgresql.postgresql_privs: database: "{{ db_name }}" roles: "{{ db_vars.username }}" + type: database privs: ALL state: present
diff --git a/roles/postgresql/tasks/main.yml b/roles/postgresql/tasks/main.yml
index 1190105..cf74e7e 100644
--- a/roles/postgresql/tasks/main.yml
+++ b/roles/postgresql/tasks/main.yml
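Review bot: Without the `PGOPTIONS: '-c password_encryption=scram-sha-256'` environment, the postgresql_user task stores the role password with whatever `password_encryption` the server is configured for; on PostgreSQL 13 and earlier that defaults to md5, and an md5 hash cannot satisfy the `scram-sha-256` methods in pg_hba.conf.j2, so the created user would be unable to log in. This is only safe if postgresql.conf.j2 sets `password_encryption = scram-sha-256` or `postgresql_version` is 14 or later, neither of which is visible here. If that setting is not in the template, add it there (it is the server-wide fix) rather than relying on the per-task environment; the enclosing `postgresql_user` task starts before the hunk.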
@@ -1,27 +1,26 @@ # vim: ft=yaml.ansible # code: language=ansible --- +- name: Import RPM key for PostgreSQL repository + ansible.builtin.rpm_key: + key: https://download.postgresql.org/pub/repos/yum/RPM-GPG-KEY-PGDG + state: present + - name: Add PostgreSQL repository ansible.builtin.dnf: name: https://download.postgresql.org/pub/repos/yum/reporpms/EL-9-x86_64/pgdg-redhat-repo-latest.noarch.rpm state: present - name: Disable built-in PostgreSQL module - community.general.ini_file: - path: /etc/dnf/modules.d/postgresql.module - section: postgresql - option: state - value: disabled - no_extra_spaces: true - create: false - state: present + ansible.builtin.command: + cmd: dnf -qy module disable postgresql + creates: /etc/dnf/modules.d/postgresql.module - name: Install PostgreSQL {{ postgresql_version }} ansible.builtin.dnf: name: - postgresql{{ postgresql_version }}-server - python{{ ansible_python.version.major }}-psycopg2 - - python{{ ansible_python.version.major }}-ipaddress update_cache: true state: present
@@ -46,7 +45,7 @@ - name: Create PGDATA folder ansible.builtin.file: path: "{{ postgresql_pgdata }}" - owner: root + owner: postgres mode: u=rwx,g=rx,o=rx state: directory
@@ -54,8 +53,6 @@ ansible.builtin.command: cmd: /usr/pgsql-{{ postgresql_version }}/bin/postgresql-{{ postgresql_version }}-setup initdb creates: "{{ postgresql_pgdata }}/base" - become: true - become_user: postgres - name: Copy postgresql.conf ansible.builtin.template:
@@ -73,6 +70,9 @@ mode: u=rw,go= notify: Reload PostgreSQL +- name: Flush handlers + ansible.builtin.meta: flush_handlers + - name: Ensure PostgreSQL is enabled and running ansible.builtin.service: name: "{{ postgresql_service }}"
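Review bot: The `creates: /etc/dnf/modules.d/postgresql.module` guard on the new `dnf -qy module disable postgresql` command skips the task whenever that file exists, including on a host where it records the module as enabled from an earlier run, so the disable is not enforced there. A file's existence is only a proxy for module state; run `dnf module list postgresql` first (or read that file) and make the disable conditional on the result, with `changed_when` tied to the output, so the task converges on every host. The key import is the right addition, but `ansible.builtin.rpm_key` also accepts `fingerprint:`; pinning it (`fingerprint: <PGDG key fingerprint from the PostgreSQL download docs>`) means a key substituted at that URL is rejected instead of trusted.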
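Review bot: With `{{ postgresql_pgdata }}` now owned by postgres, `mode: u=rwx,g=rx,o=rx` is still too open: PostgreSQL 11 and later refuses to start when the data directory has group or world access, and initdb tightens it to 0700, so a later run of this `file` task resets the mode and the next restart fails with an invalid-permissions error. Use `mode: u=rwx,go=` (or `u=rwx,g=rx,o=` if group read is deliberately wanted, which the server accepts) and add `group: postgres`, since the task sets no group and the hunk only changes the owner. The task's remaining lines are context.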
@@ -80,8 +80,13 @@ state: started - name: Set up databases - ansible.builtin.include_tasks: database.yml + ansible.builtin.include_tasks: + file: database.yml + apply: + become: true + become_user: postgres vars: db_name: "{{ item.key }}" db_vars: "{{ item.value }}" loop: "{{ databases | dict2items }}" + no_log: true
diff --git a/roles/postgresql/templates/pg_hba.conf.j2 b/roles/postgresql/templates/pg_hba.conf.j2
index 0985468..7c4b19a 100644
--- a/roles/postgresql/templates/pg_hba.conf.j2
+++ b/roles/postgresql/templates/pg_hba.conf.j2
@@ -2,8 +2,8 @@ # code: language=ansible-jinja # TYPE DATABASE USER ADDRESS METHOD -local all all scram-sha-256 local all postgres peer +local all all scram-sha-256 host all all 127.0.0.1/32 scram-sha-256 host all all ::1/128 scram-sha-256
diff --git a/roles/virt-common/tasks/firewall.yml b/roles/virt-common/tasks/firewall.yml
index 722b814..f16e8e0 100644
--- a/roles/virt-common/tasks/firewall.yml
+++ b/roles/virt-common/tasks/firewall.yml
@@ -24,12 +24,15 @@ - 192.168.1.0/24 - 192.168.8.0/24 - - name: Move Lab LAN network to zone 'public' + - name: Move Secure LAN and Lab LAN networks to zone 'public' ansible.posix.firewalld: zone: public - source: 192.168.17.0/24 + source: "{{ item }}" permanent: true state: enabled + loop: + - 192.168.17.0/24 + - 192.168.23.0/24 - name: Move internal network to zone 'internal' ansible.posix.firewalld:
@@ -46,7 +49,7 @@ state: disabled loop: - drop - - dmz + # - dmz - public - internal
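Review bot: `no_log: true` on the `Set up databases` include hides the loop item, which carries `db_vars.password`, from the include's own output, but it does not propagate to the tasks in database.yml; only keywords placed under `apply:` do. If the password is meant to stay out of the failure output of those tasks as well, add `no_log: true` under `apply:` next to `become_user: postgres`, accepting that it also hides their debugging output when something breaks. The postgresql_user module most likely masks its own `password` argument, so this is defence in depth rather than a leak visible in the hunk.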
@@ -62,26 +65,23 @@ # - name: Allow incoming connections from control machines to SSH port in zone 'public' # ansible.posix.firewalld: # zone: public - # source: "{{ hostvars[item].ansible_host }}" # service: ssh # permanent: true # state: enabled - # loop: "{{ groups['control_infra'] }}" - name: Firewall rules for database servers when: hostname in groups['dbservers'] notify: Reload firewalld block: - - name: Allow incoming connections from internal subnet to PostgreSQL port in zone 'internal' + - name: Allow incoming connections to PostgreSQL port in zone 'internal' ansible.posix.firewalld: zone: internal - source: "{{ internal_subnet }}" service: postgresql permanent: true state: enabled - name: Firewall rules for proxy servers - when: hostname in group['proxyservers'] + when: hostname in groups['proxyservers'] notify: Reload firewalld block: - name: Allow incoming connections to HTTP port in zones 'drop' and 'dmz'
diff --git a/roles/virt-common/tasks/main.yml b/roles/virt-common/tasks/main.yml
index c66eeb4..b211ff4 100644
--- a/roles/virt-common/tasks/main.yml
+++ b/roles/virt-common/tasks/main.yml
@@ -35,7 +35,7 @@ - name: Allow passwordless sudo community.general.sudoers: name: passwordless - group: sudo + group: wheel host: ALL commands: ALL nopassword: true
diff --git a/roles/virt-common/templates/hosts.j2 b/roles/virt-common/templates/hosts.j2
index 563758b..60fb87c 100644
--- a/roles/virt-common/templates/hosts.j2
+++ b/roles/virt-common/templates/hosts.j2
@@ -2,7 +2,7 @@ # code: language=ansible-jinja 127.0.0.1 localhost -127.0.1.1 {{ hostname }} {{ fqdn }} +{{ ansible_host }} {{ fqdn }} {{ hostname }} # The following lines are desirable for IPv6 capable hosts ::1 ip6-localhost ip6-loopback
@@ -13,6 +13,6 @@ ff02::2 ip6-allrouters ff02::3 ip6-allhosts # Static hostnames for VMs -{% for host in groups['virtualservers'] %} +{% for host in groups['virtualservers']|sort %} {{ hostvars[host].internal_ipv4 }} {{ hostvars[host].fqdn }} {% endfor %}
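Review bot: The PostgreSQL allowance in zone 'internal' no longer carries a `source`, so it now matches every address firewalld places in that zone rather than only `internal_subnet`; that is equivalent to the old rule only if zone membership is defined solely by the source networks bound earlier in this file and no interface is assigned to 'internal'. If an interface binding exists or is added later, keep `source: "{{ internal_subnet }}"` on this rule, or state in the task name that the zone itself is the boundary. The `group[...]` to `groups[...]` correction on the proxy-server block is right, and both `when` lines still rely on a custom `hostname` variable being set for every host, which this hunk cannot confirm.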
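Review bot: `nopassword: true` combined with `group: wheel` grants NOPASSWD ALL to every wheel member, and on EL hosts `/etc/sudoers` typically already carries `%wheel ALL=(ALL) ALL`; a sudoers.d entry is read afterwards and wins, so the password prompt is silently dropped for any account that lands in wheel by other means, not only the `lab_admin` user from group_vars. If passwordless sudo is intended only for the automation and admin accounts, scope the rule with `user:` to those names instead of the group (community.general.sudoers accepts `user` in place of `group`), or record the decision in the task name so the broad grant is visibly deliberate.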
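Review bot: `{{ ansible_host }}` is only defined when inventory.ini sets it for the host; for an inventory entry that uses the inventory hostname as the connection address, rendering this template fails on an undefined variable, and if `ansible_host` holds a DNS name rather than an address the generated `/etc/hosts` line is invalid. Guard the substitution, e.g. `{{ ansible_host | default(internal_ipv4) }} {{ fqdn }} {{ hostname }}`, provided `internal_ipv4` (already used for the static VM entries below) is the address these hosts should resolve themselves to. The `fqdn hostname` ordering matches the canonical /etc/hosts layout, and the `|sort` in the second hunk makes the rendered file deterministic across runs.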