diff --git a/cloud.cfg b/cloud-init/proxmox.cfg
similarity index 100%
rename from cloud.cfg
rename to cloud-init/proxmox.cfg
diff --git a/cloud-init/vps.cfg b/cloud-init/vps.cfg
new file mode 100644
index 0000000..28ae128
--- /dev/null
+++ b/cloud-init/vps.cfg
@@ -0,0 +1,13 @@
+# vim: ft=yaml
+
+#cloud-config
+ssh_pwauth: false
+
+users:
+  - name: ansible
+    gecos: Ansible User
+    sudo: ALL=(ALL) NOPASSWD:ALL
+    shell: /bin/bash
+    lock_passwd: true
+    ssh_authorized_keys:
+      - "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDyAuOqh0vcpLMBa8FFbvrTOgw8N+bcImFzyBspfQDAf ansible"
diff --git a/host_vars/sapt-labc-pub01.yml b/host_vars/sapt-labc-pub01.yml
new file mode 100644
index 0000000..2bb5ee7
--- /dev/null
+++ b/host_vars/sapt-labc-pub01.yml
@@ -0,0 +1,7 @@
+# vim: ft=yaml.ansible
+# code: language=ansible
+---
+fqdn: sapt-labc-pub01.cloud.servers.sapti.me
+ansible_host: 168.119.158.106
+internal_ipv4: 10.2.3.2
+instance_type: vps
diff --git a/host_vars/sapt-labp-app01.yml b/host_vars/sapt-labp-app01.yml
index 71f6321..4343b09 100644
--- a/host_vars/sapt-labp-app01.yml
+++ b/host_vars/sapt-labp-app01.yml
@@ -4,4 +4,4 @@
 fqdn: sapt-labp-app01.prod.servers.sapti.me
 ansible_host: 192.168.23.30
 internal_ipv4: 10.2.16.10
-virt_type: qemu
+instance_type: qemu
diff --git a/host_vars/sapt-labp-db01.yml b/host_vars/sapt-labp-db01.yml
index 1cd6ed0..9a64647 100644
--- a/host_vars/sapt-labp-db01.yml
+++ b/host_vars/sapt-labp-db01.yml
@@ -4,4 +4,4 @@
 fqdn: sapt-labp-db01.prod.servers.sapti.me
 ansible_host: 192.168.23.40
 internal_ipv4: 10.2.16.20
-virt_type: qemu
+instance_type: qemu
diff --git a/host_vars/sapt-labp-mda01.yml b/host_vars/sapt-labp-mda01.yml
index c36bb41..2d1d557 100644
--- a/host_vars/sapt-labp-mda01.yml
+++ b/host_vars/sapt-labp-mda01.yml
@@ -4,4 +4,4 @@
 fqdn: sapt-labp-mda01.prod.servers.sapti.me
 ansible_host: 192.168.23.35
 internal_ipv4: 10.2.16.15
-virt_type: lxc
+instance_type: lxc
diff --git a/host_vars/sapt-labr-mon01.yml b/host_vars/sapt-labr-mon01.yml
deleted file mode 100644
index 9992bef..0000000
--- a/host_vars/sapt-labr-mon01.yml
+++ /dev/null
@@ -1,7 +0,0 @@
-# vim: ft=yaml.ansible
-# code: language=ansible
----
-fqdn: sapt-labr-mon01.shrd.servers.sapti.me
-ansible_host: 192.168.23.20
-internal_ipv4: 10.2.18.20
-virt_type: qemu
diff --git a/host_vars/sapt-labr-prx01.yml b/host_vars/sapt-labr-prx01.yml
index 97576ed..3d0d83d 100644
--- a/host_vars/sapt-labr-prx01.yml
+++ b/host_vars/sapt-labr-prx01.yml
@@ -4,4 +4,4 @@
 fqdn: sapt-labr-prx01.shrd.servers.sapti.me
 ansible_host: 192.168.23.10
 internal_ipv4: 10.2.18.10
-virt_type: qemu
+instance_type: qemu
diff --git a/host_vars/sapt-labs-app01.yml b/host_vars/sapt-labs-app01.yml
index 26ff6d3..885f1a9 100644
--- a/host_vars/sapt-labs-app01.yml
+++ b/host_vars/sapt-labs-app01.yml
@@ -4,4 +4,4 @@
 fqdn: sapt-labs-app01.stage.servers.sapti.me
 ansible_host: 192.168.23.50
 internal_ipv4: 10.2.19.10
-virt_type: qemu
+instance_type: qemu
diff --git a/host_vars/sapt-labs-db01.yml b/host_vars/sapt-labs-db01.yml
index aac67ae..b0e3571 100644
--- a/host_vars/sapt-labs-db01.yml
+++ b/host_vars/sapt-labs-db01.yml
@@ -4,4 +4,4 @@
 fqdn: sapt-labs-db01.stage.servers.sapti.me
 ansible_host: 192.168.23.60
 internal_ipv4: 10.2.19.20
-virt_type: qemu
+instance_type: qemu
diff --git a/host_vars/sapt-labs-mda01.yml b/host_vars/sapt-labs-mda01.yml
index 3bf41d6..7a4b050 100644
--- a/host_vars/sapt-labs-mda01.yml
+++ b/host_vars/sapt-labs-mda01.yml
@@ -4,4 +4,4 @@
 fqdn: sapt-labs-mda01.stage.servers.sapti.me
 ansible_host: 192.168.23.55
 internal_ipv4: 10.2.19.15
-virt_type: lxc
+instance_type: lxc
diff --git a/infra.ini b/infra.ini
deleted file mode 100644
index 4bbc01b..0000000
--- a/infra.ini
+++ /dev/null
@@ -1,8 +0,0 @@
-[control_infra]
-sapt-labx-ctl01
-
-[controlservers:children]
-control_infra
-
-[infrastructure:children]
-controlservers
diff --git a/infra.yml b/infra.yml
index f2ee307..f4f26be 100644
--- a/infra.yml
+++ b/infra.yml
@@ -2,7 +2,7 @@
 # code: language=ansible
 ---
 - name: Run playbook
-  hosts: all
+  hosts: infrastructure
   become: true
   gather_facts: true
   tasks:
diff --git a/inventory.ini b/inventory.ini
index e2769ac..b10cfaa 100644
--- a/inventory.ini
+++ b/inventory.ini
@@ -1,3 +1,32 @@
+# [control_infra]
+# sapt-labx-ctl01
+
+# [controlservers:children]
+# control_infra
+
+# [infrastructure:children]
+# controlservers
+
+[pub_cloud]
+sapt-labc-pub01
+
+# [mon_cloud]
+# sapt-labc-mon01
+
+# [sec_cloud]
+# sapt-labc-sec01
+
+[cloud:children]
+pub_cloud
+# mon_cloud
+# sec_cloud
+
+[prx_shrd]
+sapt-labr-prx01
+
+[shared:children]
+prx_shrd
+
 [app_prod]
 sapt-labp-app01
 
@@ -7,6 +36,11 @@ sapt-labp-db01
 # [mda_prod]
 # sapt-labp-mda01
 
+[production:children]
+app_prod
+db_prod
+# mda_prod
+
 [app_stage]
 sapt-labs-app01
 
@@ -16,25 +50,22 @@ sapt-labs-db01
 [mda_stage]
 sapt-labs-mda01
 
-[proxy_shrd]
-sapt-labr-prx01
-
-# [monitor_shrd]
-# sapt-labr-mon01
-
-[production:children]
-app_prod
-db_prod
-# mda_prod
-
 [staging:children]
 app_stage
 db_stage
 mda_stage
 
-[shared:children]
-proxy_shrd
-# monitor_shrd
+[publicservers:children]
+pub_cloud
+
+# [monitorservers:children]
+# mon_cloud
+
+# [securityservers:children]
+# sec_cloud
+
+[proxyservers:children]
+prx_shrd
 
 [appservers:children]
 app_prod
@@ -48,13 +79,11 @@ mda_stage
 db_prod
 db_stage
 
-[proxyservers:children]
-proxy_shrd
-
-# [monitorservers:children]
-# monitor_shrd
-
-[virtualservers:children]
+[home:children]
+shared
 production
 staging
-shared
+
+[virtualservers:children]
+cloud
+home
diff --git a/roles/virt-common/tasks/firewall.yml b/roles/virt-common/tasks/firewall.yml
index 03dc312..93a955a 100644
--- a/roles/virt-common/tasks/firewall.yml
+++ b/roles/virt-common/tasks/firewall.yml
@@ -10,6 +10,18 @@
         source: 192.168.0.0/16
         permanent: true
         state: enabled
+      when: instance_type != 'vps'
+
+    - name: Move home IP addresses to zone 'dmz'
+      ansible.posix.firewalld:
+        zone: dmz
+        source: "{{ item }}"
+        permanent: true
+        state: enabled
+      loop:
+        - '46.32.144.131'
+        - '2a06:4001:f02a::/48'
+      when: instance_type == 'vps'
 
     - name: Move internal network to zone 'internal'
       ansible.posix.firewalld:
@@ -43,8 +55,9 @@
         permanent: true
         state: enabled
 
-- name: Firewall rules for proxy servers
-  when: hostname in groups['proxyservers']
+- name: Firewall rules for proxy & public servers
+  when: hostname in groups['proxyservers'] or
+        hostname in groups['publicservers']
   notify: Reload firewalld
   block:
     - name: Allow incoming connections to HTTP port in zones 'public' and 'dmz'
diff --git a/roles/virt-common/tasks/main.yml b/roles/virt-common/tasks/main.yml
index 75a0d24..b80c99d 100644
--- a/roles/virt-common/tasks/main.yml
+++ b/roles/virt-common/tasks/main.yml
@@ -87,7 +87,7 @@
     - rsyslog
 
 - name: Packages for QEMU instances
-  when: virt_type == 'qemu'
+  when: instance_type == 'qemu'
   block:
     - name: Install haveged
       ansible.builtin.dnf:
@@ -100,5 +100,18 @@
         enabled: true
         state: started
 
+- name: Create directory '{{ data_fs }}'
+  ansible.builtin.file:
+    path: "{{ data_fs }}"
+    owner: root
+    group: root
+    mode: u=rwx,g=rx,o=rx
+    seuser: system_u
+    serole: object_r
+    setype: unlabeled_t
+    selevel: s0
+    state: directory
+  when: instance_type == 'vps'
+
 - name: Configure firewall
   ansible.builtin.import_tasks: firewall.yml
diff --git a/roles/virt-common/templates/hosts.j2 b/roles/virt-common/templates/hosts.j2
index 10141ae..4e6d575 100644
--- a/roles/virt-common/templates/hosts.j2
+++ b/roles/virt-common/templates/hosts.j2
@@ -12,7 +12,13 @@ ff02::1 ip6-allnodes
 ff02::2 ip6-allrouters
 ff02::3 ip6-allhosts
 
-# Static hostnames for VMs
-{% for host in groups['virtualservers']|sort %}
+# Static hostnames for servers
+{% if instance_type == 'vps' %}
+{% for host in groups['cloud']|sort %}
 {{ hostvars[host].internal_ipv4 }} {{ hostvars[host].fqdn }}
 {% endfor %}
+{% else %}
+{% for host in groups['home']|sort %}
+{{ hostvars[host].internal_ipv4 }} {{ hostvars[host].fqdn }}
+{% endfor %}
+{% endif %}
diff --git a/roles/virt-common/templates/motd.j2 b/roles/virt-common/templates/motd.j2
index a249b08..d5b0549 100644
--- a/roles/virt-common/templates/motd.j2
+++ b/roles/virt-common/templates/motd.j2
@@ -3,8 +3,8 @@
  Welcome to {{ hostname }}
 ==============================================================
  - FQDN.............: {{ fqdn }}
- - LAN IPv4.........: {{ ansible_host }}
+ - Public IPv4......: {{ ansible_host }}
  - Internal IPv4....: {{ internal_ipv4 }}
- - Virtualization...: {{ virt_type | upper }}
+ - Instance type....: {{ instance_type | upper }}
 ==============================================================
 
diff --git a/site.yml b/site.yml
index 61b52ca..006248e 100644
--- a/site.yml
+++ b/site.yml
@@ -2,7 +2,7 @@
 # code: language=ansible
 ---
 - name: Run playbook
-  hosts: all
+  hosts: virtualservers
   become: true
   gather_facts: true
   tasks:
@@ -15,7 +15,8 @@
       ansible.builtin.include_role:
         name: docker
       when: hostname in groups['appservers'] or
-            hostname in groups['proxyservers']
+            hostname in groups['proxyservers'] or
+            hostname in groups['publicservers']
 
     - name: Include role 'apps'
       ansible.builtin.include_role: