diff --git a/hosts.yml b/hosts.yml
index ca45b5c..0385d61 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -1,41 +1,85 @@
-# Public Servers
-
-hatoria.banananet.work:
-  - hetzner_server
-  - os_debian
-  - bootstrap
-  - public_available
-  - wireguard_backbones
-
-nvak.banananet.work:
-  - contabo_vserver
-  - os_debian
-  - bootstrap
-  - public_available
-  - wireguard_backbones
-
-morska.banananet.work:
-  - bwcloud_vserver
-  - os_debian
-  - bootstrap
-  - public_available
-  - wireguard_backbones
-
-rurapenthe.banananet.work:
-  - bwcloud_vserver
-  - os_debian
-  - bootstrap
-  - public_available
-  - wireguard_backbones
-
-# Location Eridon
-
-## Local Servers
-hardie.eridon.banananet.work:
-  - bootstrap
-
-## Embedded Devices
-wgpanel.eridon.banananet.work:
-  - dev_surface3
-  - os_debian
-  - bootstrap
+version: 2
+
+groups: # a:b meaning b is a, can be nested
+
+  # hardware structure
+  dev_known:
+    barebones:
+      - rented_barebones # sub group
+      # list of all known barebone device groups
+      - dev_surface3 # Microsoft Surface 3
+    virtual:
+      - rented_vserver # sub group
+  dev_unknown: # for unknown device kinds
+
+  # structure of rented servers
+  rented:
+    rented_barebones:
+      - hetzner_server # https://robot.your-server.de/server
+    rented_vserver:
+      - bwcloud_vserver # https://portal.bw-cloud.org/
+      - contabo_vserver # https://my.contabo.com/vps
+
+  # OS structure
+  os_known: # list of all known OS derivates
+    - os_debian
+    - os_raspbian
+
+  # applications
+
+  bootstrapable: # which OSes/hosts can be bootstraped
+    - os_debian
+    - os_raspbian
+
+
+group_aliasses: # a:b meaning a equals b, should only depend on groups not defined here
+
+  # unknown groups
+  dev_unknown: "!dev_known"
+  os_unknown: "!os_known"
+
+  # applications
+  bootstrap: "bootstrapable:!no_bootstrap" # which hosts should be bootstraped
+  common_roles: "!no_common_roles"
+  wireguard_backbones: "public_available:!no_wireguard_automatic"
+  wireguard_clients: "!public_available:!no_wireguard_automatic"
+
+
+host_groups: # group: host: [*groups]
+
+  no_defaults: # do not include in all default playbooks / roles
+    _all:
+      - no_bootstrap # do not setup sudo bootstrap
+      - no_common_roles # do not include in common roles
+      - no_wireguard_automatic # do not assign wireguard role automatic, hosts may be excluded from wireguard or assigned to their wireguard role manually
+
+  rented:
+    _all:
+      - public_available # rented are public available
+
+  # to group similar devices together
+
+  common_server: # public common servers
+    _all:
+      - os_debian
+    hatoria.banananet.work:
+      - hetzner_server
+    nvak.banananet.work:
+      - contabo_vserver
+    morska.banananet.work:
+      - bwcloud_vserver
+    rurapenthe.banananet.work:
+      - bwcloud_vserver
+
+
+single_hosts: # a:b meaning a is b, cannot be nested
+
+  # Local Servers
+  hardie.eridon.banananet.work:
+    - os_debian
+
+  # Embedded Devices
+  wgpanel.eridon.banananet.work:
+    - dev_surface3
+    - os_debian
+    - no_wireguard_automatic # no wireguard
diff --git a/site.yml b/site.yml
index a7b0379..6996e30 100644
--- a/site.yml
+++ b/site.yml
@@ -12,7 +12,7 @@
     - role: bootstrap
 
 - name: Configure common roles expected by others
-- hosts: all
+  hosts: common_roles
   roles:
     - role: hostname
       fqdn: "{{ inventory_hostname }}"
@@ -27,7 +27,7 @@
       sudo: yes
 
 # Enroll certain features not on ansible test/debug servers
-- hosts: all:!ansible_debug
+- hosts: common_roles:!ansible_debug
   roles:
     - role: misc/ssh_tg_notify
       recipient_id: "{{ zocker_telegram_id }}"