diff --git a/roles/setup/files/exim4.conf.localmacros b/roles/setup/files/exim4.conf.localmacros
new file mode 100644
index 0000000..07fb376
--- /dev/null
+++ b/roles/setup/files/exim4.conf.localmacros
@@ -0,0 +1 @@
+AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS = 1
diff --git a/roles/setup/handlers/main.yml b/roles/setup/handlers/main.yml
new file mode 100644
index 0000000..c12fc3c
--- /dev/null
+++ b/roles/setup/handlers/main.yml
@@ -0,0 +1,20 @@
+---
+- name: restart ntp
+ service:
+ name: ntp
+ state: restarted
+
+- name: restart cron
+ service:
+ name: cron
+ state: restarted
+
+- name: restart fail2ban
+ service:
+ name: fail2ban
+ state: restarted
+
+- name: restart exim4
+ service:
+ name: exim4
+ state: restarted
diff --git a/roles/setup/tasks/main.yml b/roles/setup/tasks/main.yml
index a1fbe1e..6878948 100644
--- a/roles/setup/tasks/main.yml
+++ b/roles/setup/tasks/main.yml
@@ -1,5 +1,5 @@
 - name: Initial server setup
- tags: setup
+ tags: [setup, server]
 block:
 - name: Create default user
 user:
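Review bot: `AUTH_CLIENT_ALLOW_NOTLS_PASSWORDS = 1` lets exim hand the smarthost credentials from passwd.client to a peer on a connection where TLS was not negotiated, so the SMTP password can cross the network in clear text whenever STARTTLS fails or is stripped. If the smarthost configured in update-exim4.conf.conf.j2 supports TLS, the safer direction is to require it rather than relax this check, e.g. `REMOTE_SMTP_SMARTHOST_HOSTS_REQUIRE_TLS = *` in this same macros file (honoured by Debian's exim4-config smarthost transport), and drop the NOTLS macro. If the relaxation must stay, add a comment above it naming which smarthost cannot do TLS and why the plaintext fallback is accepted, so the setting is not silently inherited by every host this role runs on.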
@@ -30,3 +30,80 @@
 - name: Install apt packages
 apt:
 name: "{{ packages_to_install }}"
+
+ - name: Add Debian backports
+ include_role:
+ name: jnv.debian-backports
+
+ - name: Add unattended-upgrades
+ include_role:
+ name: jnv.unattended-upgrades
+
+ - name: Install mozilla/sops
+ get_url:
+ url: https://github.com/mozilla/sops/releases/download/v3.5.0/sops-v3.5.0.linux
+ dest: /usr/bin/sops
+ mode: "0755"
+ owner: root
+ group: root
+
+ - name: Enable dm_crypt module
+ modprobe:
+ name: dm_crypt
+ state: present
+
+ - name: Enable compress on logrotate
+ lineinfile:
+ dest: /etc/logrotate.conf
+ regexp: "^#?compress"
+ line: "compress"
+ state: present
+
+ - name: Configure timezone
+ timezone:
+ name: "{{ timezone }}"
+
+ - name: Configure ntp client and restart it
+ template:
+ src: ntp.conf.j2
+ dest: /etc/ntp.conf
+ notify:
+ - restart ntp
+ - restart cron
+
+ - name: Set up exim4 conf
+ template:
+ src: update-exim4.conf.conf.j2
+ dest: /etc/exim4/update-exim4.conf.conf
+ owner: root
+ group: root
+ mode: 0644
+
+ - name: Set up exim4 password file
+ template:
+ src: passwd.client.j2
+ dest: /etc/exim4/passwd.client
+ owner: root
+ group: Debian-exim
+ mode: 0640
+
+ - name: Set up exim4 localmacros
+ copy:
+ src: exim4.conf.localmacros
+ dest: /etc/exim4/exim4.conf.localmacros
+ owner: root
+ group: root
+ mode: 0644
+ notify: restart exim4
+
+ - name: Make fail2ban work with ufw
+ lineinfile:
+ dest: "{{ item }}"
+ regexp: "^banaction"
+ line: "banaction = ufw"
+ state: present
+ with_items:
+ - /etc/fail2ban/jail.conf
+ - /etc/fail2ban/jail.local
+ notify:
+ - restart fail2ban
diff --git a/roles/setup/templates/ntp.conf.j2 b/roles/setup/templates/ntp.conf.j2
new file mode 100644
index 0000000..e3cbcda
--- /dev/null
+++ b/roles/setup/templates/ntp.conf.j2
@@ -0,0 +1,8 @@
+driftfile /var/lib/ntp/drift
+
+restrict 127.0.0.1
+restrict -6 ::1
+
+restrict source notrap nomodify noquery
+
+server {{ntpserver}}
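Review bot: The `Install mozilla/sops` task downloads a release binary from GitHub straight into /usr/bin as root with mode 0755 and no integrity check, so a substituted or tampered asset would be installed and later executed without anyone noticing; `get_url` takes a `checksum` argument and this task should pin the published digest, `checksum: "sha256:<SOPS_V3_5_0_SHA256_PLACEHOLDER>"`. The `Make fail2ban work with ufw` task runs `lineinfile` against /etc/fail2ban/jail.local, which the fail2ban package does not normally ship, so on a fresh host the task errors on the missing file unless `create: true` is added (and once jail.local carries the setting, rewriting the package-owned jail.conf is unnecessary). The exim4 tasks write `mode: 0644` and `mode: 0640` unquoted while the sops task uses `mode: "0755"`; quoting all three the same way removes the dependence on YAML octal handling. The enclosing `block:` of these tasks starts outside this hunk.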
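Review bot: The template has no `restrict default` line, so with only the loopback entries and `restrict source` present, ntpd still answers time and control queries from any remote address; the Debian-shipped ntp.conf closes this with `restrict -4 default kod notrap nomodify nopeer noquery limited` and `restrict -6 default kod notrap nomodify nopeer noquery limited`, and those two lines should be restored above the loopback rules. A short comment on the `restrict source` line noting that it governs only the configured `server` association would also make the intent of the remaining rules clear to the next reader.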
diff --git a/roles/setup/templates/passwd.client.j2 b/roles/setup/templates/passwd.client.j2
new file mode 100644
index 0000000..53d804c
--- /dev/null
+++ b/roles/setup/templates/passwd.client.j2
@@ -0,0 +1,8 @@
+# password file used when the local exim is authenticating to a remote
+# host as a client.
+#
+# see exim4_passwd_client(5) for more documentation
+#
+# Example:
+### target.mail.server.example:login:password
+*:{{smtp_auth_user}}:{{smtp_auth_pass}}
diff --git a/roles/setup/templates/update-exim4.conf.conf.j2 b/roles/setup/templates/update-exim4.conf.conf.j2
new file mode 100644
index 0000000..dcb6cb7
--- /dev/null
+++ b/roles/setup/templates/update-exim4.conf.conf.j2
@@ -0,0 +1,31 @@
+# /etc/exim4/update-exim4.conf.conf
+#
+# Edit this file and /etc/mailname by hand and execute update-exim4.conf
+# yourself or use 'dpkg-reconfigure exim4-config'
+#
+# Please note that this is _not_ a dpkg-conffile and that automatic changes
+# to this file might happen. The code handling this will honor your local
+# changes, so this is usually fine, but will break local schemes that mess
+# around with multiple versions of the file.
+#
+# update-exim4.conf uses this file to determine variable values to generate
+# exim configuration macros for the configuration file.
+#
+# Most settings found in here do have corresponding questions in the
+# Debconf configuration, but not all of them.
+#
+# This is a Debian specific file
+
+dc_eximconfig_configtype='satellite'
+dc_other_hostnames='{{ansible_host}}'
+dc_local_interfaces='127.0.0.1 ; ::1'
+dc_readhost='{{ansible_host}}'
+dc_relay_domains=''
+dc_minimaldns='false'
+dc_relay_nets=''
+dc_smarthost='{{smtp_hostname}}::{{smtp_port}}'
+CFILEMODE='644'
+dc_use_split_config='false'
+dc_hide_mailname='true'
+dc_mailname_in_oh='true'
+dc_localdelivery='mail_spool'
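Review bot: The credential line uses `*` as the host pattern, so exim offers this username and password to any remote host it authenticates to as a client, not only the intended relay; pin it to the smarthost the other template configures, `{{smtp_hostname}}:{{smtp_auth_user}}:{{smtp_auth_pass}}`, so a redirected or misconfigured route cannot harvest the credentials. Since the rendered file contains the plaintext password, the `Set up exim4 password file` task in tasks/main.yml should also carry `no_log: true`, otherwise the content is printed in verbose and `--diff` runs. The variables are presumably supplied from an encrypted source; a comment above the line stating where they come from would make that expectation explicit.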
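Review bot: `dc_other_hostnames` and `dc_readhost` are filled from `{{ansible_host}}`, which is the inventory connection address and may be an IP or, depending on the inventory, not set at all, while exim expects a mail domain in both; `inventory_hostname` or `ansible_fqdn` looks like the intended value, and whichever is chosen should be named in a comment above these two lines. The smarthost is set as `{{smtp_hostname}}::{{smtp_port}}` with no TLS requirement in this file or the macros file, so whether the relay connection is encrypted depends entirely on what the remote offers; if the smarthost supports TLS, a comment here pointing at the macro that enforces it would tie the two files together for the next reader.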