diff --git a/install.sh b/install.sh index 94fc15548..777dba12c 100755 --- a/install.sh +++ b/install.sh @@ -15,6 +15,7 @@ usage(){ /usr/bin/echo '--user: Ansible controller user (default: controller)' /usr/bin/echo '--config: Git URL to your ce-provision Ansible config repository (default: https://github.com/codeenigma/ce-provision-config-example.git)' /usr/bin/echo '--config-branch: branch of your Ansible config repository to use (default: 2.x)' + /usr/bin/echo '--hostname: the server hostname to set (default: depends on system or provider)' /usr/bin/echo '--no-firewall: skip installing iptables with ports 22, 80 and 443 open' /usr/bin/echo '--gitlab: install GitLab CE on this server (default: no, set to desired GitLab address to install, e.g. gitlab.example.com)' /usr/bin/echo '--letsencrypt: try to create an SSL certificate with LetsEncrypt (requires DNS pointing at this server for provided GitLab URL)' @@ -43,6 +44,10 @@ parse_options(){ shift CONFIG_REPO_BRANCH="$1" ;; + "--hostname") + shift + SERVER_HOSTNAME="$1" + ;; "--gitlab") shift GITLAB_URL="$1" @@ -83,11 +88,6 @@ SERVER_HOSTNAME=$(hostname) # Parse options. parse_options "$@" -# Set the hostname for Git email to our GitLab URL, if set. -if [ "$GITLAB_URL" != "no" ]; then - SERVER_HOSTNAME=$GITLAB_URL -fi - # Check root user. if [ "$(id -u)" -ne 0 ] then echo "Please run this script as root or using sudo!" @@ -175,6 +175,10 @@ fi vars_files: - vars.yml tasks: + - name: Configure system hosts file. + ansible.builtin.import_role: + name: debian/hosts + when: not is_local - name: Install ce-provision. ansible.builtin.import_role: name: debian/ce_provision 
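Review bot: In the new `"--hostname")` case of parse_options, `shift` followed by `SERVER_HOSTNAME="$1"` silently replaces the `$(hostname)` default with an empty string when `--hostname` is the last argument, and that empty value is later written into `_domain_name` and `hosts_hostname` in the generated vars.yml files. The neighbouring options follow the same pattern, so this is consistent with the file, but the hostname feeds more places than the others; a one-line guard after the shift such as `[ -n "$1" ] || { echo "--hostname requires a value"; exit 1; }` would fail fast instead. parse_options continues outside the hunk.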
@@ -188,6 +192,10 @@ EOL _domain_name: ${SERVER_HOSTNAME} _ce_provision_data_dir: /home/${CONTROLLER_USER}/ce-provision/data _ce_provision_username: ${CONTROLLER_USER} +hosts_hostname: ${SERVER_HOSTNAME} +hosts_entries: + - name: ${SERVER_HOSTNAME} + ip: 127.0.0.1 ce_provision: venv_path: /home/${CONTROLLER_USER}/ce-python venv_command: /usr/bin/python3 -m venv @@ -197,8 +205,8 @@ ce_provision: new_user: ${CONTROLLER_USER} username: ${CONTROLLER_USER} ssh_key_bits: "521" - ssh_key_type: ecdsa - public_key_name: id_ecdsa.pub + ssh_key_type: ed25519 + public_key_name: id_ed25519.pub own_repository: "https://github.com/codeenigma/ce-provision.git" own_repository_branch: "${VERSION}" own_repository_skip_checkout: false @@ -231,7 +239,7 @@ user_provision: groups: - bypass2fa ssh_keys: - - "{{ lookup('file', '/home/${CONTROLLER_USER}/ce-provision/data/localhost/home/${CONTROLLER_USER}/.ssh/id_ecdsa.pub') }}" + - "{{ lookup('file', '/home/${CONTROLLER_USER}/ce-provision/data/localhost/home/${CONTROLLER_USER}/.ssh/id_ed25519.pub') }}" ssh_private_keys: [] known_hosts: [] known_hosts_hash: true @@ -296,6 +304,10 @@ if [ "$GITLAB_URL" != "no" ]; then vars_files: - vars.yml tasks: + - name: Configure system hosts file. + ansible.builtin.import_role: + name: debian/hosts + when: not is_local - name: Install GitLab Runner. ansible.builtin.import_role: name: debian/gitlab_runner @@ -307,6 +319,12 @@ EOL /bin/cat >"/home/$CONTROLLER_USER/ce-provision/vars.yml" << EOL --- _domain_name: ${SERVER_HOSTNAME} +hosts_hostname: ${SERVER_HOSTNAME} +hosts_entries: + - name: ${SERVER_HOSTNAME} + ip: 127.0.0.1 + aliases: + - ${GITLAB_URL} gitlab_runner: apt_origin: "origin=packages.gitlab.com/runner/gitlab-runner,codename=\${distro_codename},label=gitlab-runner" # used by apt_unattended_upgrades apt_signed_by: https://packages.gitlab.com/runner/gitlab-runner/gpgkey 
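Review bot: The values interpolated into the generated vars.yml at `hosts_hostname: ${SERVER_HOSTNAME}` and `- name: ${SERVER_HOSTNAME}` are unquoted, so an empty SERVER_HOSTNAME becomes a YAML null and the role's `when: hosts_hostname | length > 0` then errors on None rather than skipping the task; a hostname that happens to be a YAML 1.1 boolean word (`no`, `yes`, `on`) would likewise be retyped. Writing `hosts_hostname: "${SERVER_HOSTNAME}"` and `- name: "${SERVER_HOSTNAME}"` keeps them strings in every case, and the heredoc's unquoted `EOL` delimiter still expands the variables inside the double quotes. The same applies to the GitLab vars.yml in the @@ -307 hunk on this line, including `- "${GITLAB_URL}"` under `aliases`.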
@@ -341,7 +359,7 @@ gitlab: private_projects: true unicorn_worker_processes: 2 puma_worker_processes: 2 - initial_root_password: "Ch@ng3m3" + initial_root_password: "{{ lookup('password', '/tmp/passwordfile chars=ascii_letters,digits') }}" ldap: enable: false mattermost: false diff --git a/roles/_init/defaults/main.yml b/roles/_init/defaults/main.yml index 5a106ce4c..cfee2615b 100644 --- a/roles/_init/defaults/main.yml +++ b/roles/_init/defaults/main.yml @@ -12,6 +12,7 @@ _ce_ansible_timer_name: upgrade_ansible # Generally it is recommended to place these in your ce-provision-config repository under hosts/group_vars/all #_aws_profile: example # boto profile name #_aws_region: eu-west-1 +_aws_vpc_cidr_base: 10.0 # AWS tags _aws_resource_name: "" # Name diff --git a/roles/aws/aws_ami/defaults/main.yml b/roles/aws/aws_ami/defaults/main.yml index c828adaec..64908bacf 100644 --- a/roles/aws/aws_ami/defaults/main.yml +++ b/roles/aws/aws_ami/defaults/main.yml @@ -9,7 +9,7 @@ aws_ami: ami_name: "example" owner: "136693071363" # Global AWS account ID of owner, defaults to Debian official ssh_username: "admin" - public_key_name: id_ecdsa.pub # from Debian 12 (Bookworm) onwards RSA keys, i.e. id_rsa.pub, are deprecated + public_key_name: id_ed25519.pub # from Debian 12 (Bookworm) onwards RSA keys, i.e. id_rsa.pub, are deprecated encrypt_boot: false # EBS volume options device_name: /dev/xvda # default for Debian AMIs diff --git a/roles/aws/aws_vpc/defaults/main.yml b/roles/aws/aws_vpc/defaults/main.yml index cc2ae84be..0642713d2 100644 --- a/roles/aws/aws_vpc/defaults/main.yml +++ b/roles/aws/aws_vpc/defaults/main.yml 
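Review bot: `initial_root_password` now comes from `lookup('password', '/tmp/passwordfile ...')`, and that lookup reads an existing file at the path before it generates anything, so a file that any local user has pre-created at the fixed, world-writable location `/tmp/passwordfile` dictates the GitLab root password; the generated value is also lost on the next /tmp cleanup or reboot, and nothing tells the operator where it was stored. A per-install path under the controller's home, e.g. `/home/${CONTROLLER_USER}/.gitlab_initial_root_password`, avoids the shared directory and survives reboots, and the heredoc already expands `${CONTROLLER_USER}` for the other paths in this file. Dropping the hard-coded `Ch@ng3m3` default is the right move; a line in usage() or in the script's final output pointing at the password file would complete it.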
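Review bot: `_aws_vpc_cidr_base: 10.0` is an unquoted plain scalar and parses as the float 10.0, so the template `"{{ _aws_vpc_cidr_base }}.0.0/16"` in roles/aws/aws_vpc only works because this particular value happens to round-trip; an override such as `10.10` or `10.100` is read as `10.1` and silently produces `10.1.0.0/16` for both the VPC CIDR and the internal-network security group rules (`172.16` and `192.168` survive, but any second octet with a trailing zero does not). Quote it, `_aws_vpc_cidr_base: "10.0"`, and say so in the comment, e.g. `# first two octets of the VPC CIDR, keep quoted: "10.0" -> 10.0.0.0/16`, so that config repositories quote their override as well.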
@@ -2,20 +2,129 @@ aws_vpc: aws_profile: "{{ _aws_profile }}" region: "{{ _aws_region }}" name: example-vpc-2 - cidr_block: "10.0.0.0/16" + cidr_block: "{{ _aws_vpc_cidr_base }}.0.0/16" # ipv6_cidr: true # uncomment to request an Amazon-provided IPv6 CIDR block with /56 prefix length. tags: {} #Type: "util" state: present assign_instances_ipv6: false - security_groups: - [] - # - name: web - open - # description: Allow all incoming traffic on ports 80 and 443 - # rules: - # - proto: tcp - # ports: - # - 80 - # - 443 - # cidr_ip: 0.0.0.0/0 - # rule_desc: Allow all incoming traffic on ports 80 and 443 + # List of security groups to create in this VPC, see below for example structure. + security_groups: "{{ _security_groups_defaults }}" + +# Load common security groups below into a list to use with the aws_vpc.security_groups variable. +_security_groups_defaults: + - "{{ _common_security_groups.common_network }}" + - "{{ _common_security_groups.ssh_open }}" + - "{{ _common_security_groups.web_open }}" + - "{{ _common_security_groups.mailpit_open }}" + - "{{ _common_security_groups.ftp_open }}" + - "{{ _common_security_groups.sftp_open }}" + - "{{ _common_security_groups.ossec }}" + - "{{ _common_security_groups.openvpn }}" + +# Here is a set of example and commonly required security groups. +# This closely follows our common firewall rules in roles/debian/firewall_config. +_common_security_groups: + common_network: + name: common_network + description: Common network access configuration for all servers. + rules: + - proto: icmp + from_port: 8 # ICMP type (8 is IPv4 echo) + to_port: -1 # ICMP subtype (-1 for any) + cidr_ip: 0.0.0.0/0 + rule_desc: Allow ICMP IPv4 ping. + - proto: icmp + from_port: 128 # ICMP type (128 is IPv6 echo) + to_port: -1 # ICMP subtype (-1 for any) + cidr_ipv6: "::/0" + rule_desc: Allow ICMP IPv6 ping. 
+ - proto: tcp + cidr_ip: "{{ _aws_vpc_cidr_base }}.0.0/16" # see _init - 10.0.0.0/16 by default + ports: + - 0-65535 + rule_desc: Allow all tcp traffic on internal network. + - proto: udp + cidr_ip: "{{ _aws_vpc_cidr_base }}.0.0/16" + ports: + - 0-65535 + rule_desc: Allow all udp traffic on internal network. + rules_egress: + - proto: tcp + cidr_ip: 0.0.0.0/0 + ports: + - 1-1024 + - 2049 + rule_desc: Allow ports 1-1024 and 2049 for NFS over tcp as standard. + - proto: udp + cidr_ip: 0.0.0.0/0 + ports: + - 1-1024 + rule_desc: Allow ports 1-1024 over udp as standard. + ssh_open: + name: ssh_open + description: Allow all incoming traffic on port 22. + rules: + - proto: tcp + ports: + - 22 + cidr_ip: 0.0.0.0/0 + rule_desc: Allow all incoming tcp traffic on port 22. + web_open: + name: web_open + description: Allow all incoming web traffic on ports 80 and 443. + rules: + - proto: tcp + ports: + - 80 + - 443 + cidr_ip: 0.0.0.0/0 + rule_desc: Allow all incoming tcp traffic on ports 80 and 443. + mailpit_open: + name: mailpit_open + description: Allow all incoming traffic on port 8025 for Mailpit. + rules: + - proto: tcp + ports: + - 8025 + cidr_ip: 0.0.0.0/0 + rule_desc: Allow all incoming tcp traffic on port 8025. + ftp_open: + name: ftp_open + description: Allow all incoming traffic on ports 20 and 21 for FTP. + rules: + - proto: tcp + ports: + - 20 + - 21 + cidr_ip: 0.0.0.0/0 + rule_desc: Allow all incoming tcp traffic on ports 20 and 21. + sftp_open: + name: sftp_open + description: Allow all incoming traffic on ports 989 and 990 for sFTP. + rules: + - proto: tcp + ports: + - 898 + - 990 + cidr_ip: 0.0.0.0/0 + rule_desc: Allow all incoming tcp traffic on ports 989 and 990. + ossec: + name: ossec + description: Allow all incoming traffic on ports 1514 and 1515 for OSSEC. + rules: + - proto: udp + ports: + - 1514 + - 1515 + cidr_ip: 0.0.0.0/0 + rule_desc: Allow all incoming udp traffic on ports 1514 and 1515. 
+ openvpn: + name: openvpn + description: Allow all incoming traffic on port 1194 for OpenVPN. + rules: + - proto: udp + ports: + - 1194 + cidr_ip: 0.0.0.0/0 + rule_desc: Allow all incoming udp traffic on port 1194. diff --git a/roles/debian/ce_deploy/defaults/main.yml b/roles/debian/ce_deploy/defaults/main.yml index b4af9748b..c54c30192 100644 --- a/roles/debian/ce_deploy/defaults/main.yml +++ b/roles/debian/ce_deploy/defaults/main.yml @@ -12,9 +12,9 @@ ce_deploy: # Other ce-deploy settings. aws_support: true # installs boto3 new_user: true # set to false if user already exists or is ephemeral, e.g. an LDAP user - ssh_key_bits: "521" # recommended to use 4096 for RSA keys, 521 is the maximum for ECDSA keys - ssh_key_type: ecdsa # set to rsa to create an RSA key - public_key_name: id_ecdsa.pub # this might be id_rsa.pub for RSA keys, existing users may have a key of a different name + ssh_key_bits: "521" # ignored for ED25519 keys, recommended to use 4096 for RSA keys, 521 is the maximum for ECDSA keys + ssh_key_type: ed25519 # set to rsa to create an RSA key or ecdsa to create an ECDSA key + public_key_name: id_ed25519.pub # this might be id_rsa.pub for RSA keys or id_ecdsa.pub for ECDSA keys, existing users may have a key of a different name username: "{{ _ce_deploy.username }}" own_repository: "https://github.com/codeenigma/ce-deploy.git" own_repository_branch: "master" diff --git a/roles/debian/ce_provision/defaults/main.yml b/roles/debian/ce_provision/defaults/main.yml index a0048a3bf..121244dee 100644 --- a/roles/debian/ce_provision/defaults/main.yml +++ b/roles/debian/ce_provision/defaults/main.yml 
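Review bot: In `_common_security_groups.sftp_open` the ports list has `- 898` where the name, description and rule_desc all say 989, so the group opens tcp/898 to 0.0.0.0/0 and leaves 989 closed; 989/990 are also the FTPS (implicit TLS) data/control ports rather than SFTP, which runs over 22, so the group name deserves a second look. If the role passes these dicts to amazon.aws.ec2_security_group unchanged, the IPv6 ping rule (`proto: icmp` with `cidr_ipv6: "::/0"`) likely needs `proto: icmpv6`, since IPv6 echo is ICMPv6 (protocol 58), not ICMP. Only `common_network` declares `rules_egress`; a group created with no `rules_egress` gets the module's default allow-all outbound rule, and security group rules are unioned per instance, so any instance that also carries `ssh_open` or `web_open` regains unrestricted egress and the 1-1024/2049 restriction is effectively decorative. The default also changes from `[]` to creating all eight groups, including `ftp_open` and `mailpit_open` open to the world, in every VPC the role manages; creating is not attaching, but a smaller default (common_network alone, or the previous empty list) would keep wide-open groups opt-in.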
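Review bot: Existing deployments that relied on the old defaults will break on upgrade: anything that consumes `public_key_name` (presumably including the aws_ami default changed in this same commit) now looks for `id_ed25519.pub` on controllers that only hold `id_ecdsa.pub`, until the operator pins `ssh_key_type: ecdsa` and `public_key_name: id_ecdsa.pub` in their config or rotates keys. The same applies to roles/debian/ce_provision/defaults/main.yml in the next hunk. An upgrade note in the changelog or role README, plus a comment above these lines such as `# Default changed from ecdsa; existing installs should pin the previous values or rotate keys.`, would make the break explicit. Keeping `ssh_key_bits: "521"` as a now-ignored default is fine since the comment says so.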
@@ -12,9 +12,9 @@ ce_provision: new_user: "{{ _init.ce_provision_new_user }}" # see _init defaults, set to false if user already exists or is ephemeral, e.g. an LDAP user username: "{{ _ce_provision_username }}" # see _init defaults #uid: "{{ _init.ce_provision_uid }}" # see _init defaults, optionally hardcode the UID for this user - ssh_key_bits: "521" # recommended to use 4096 for RSA keys, 521 is the maximum for ECDSA keys - ssh_key_type: ecdsa # set to rsa to create an RSA key - public_key_name: id_ecdsa.pub # this might be id_rsa.pub for RSA keys, existing users may have a key of a different name + ssh_key_bits: "521" # ignored for ED25519 keys, recommended to use 4096 for RSA keys, 521 is the maximum for ECDSA keys + ssh_key_type: ed25519 # set to rsa to create an RSA key or ecdsa to create an ECDSA key + public_key_name: id_ed25519.pub # this might be id_rsa.pub for RSA keys or id_ecdsa.pub for ECDSA keys, existing users may have a key of a different name # Main repo. own_repository: "https://github.com/codeenigma/ce-provision.git" own_repository_branch: "master" diff --git a/roles/debian/hosts/tasks/main.yml b/roles/debian/hosts/tasks/main.yml index fc8d9b80f..6d902fbfc 100644 --- a/roles/debian/hosts/tasks/main.yml +++ b/roles/debian/hosts/tasks/main.yml @@ -23,14 +23,10 @@ path: "{{ cloud_init_file.stat.path }}" regexp: "manage_etc_hosts: true" line: "manage_etc_hosts: false" - when: - - cloud_init_file.stat.exists + when: cloud_init_file.stat.exists - name: Set system hostname. - ansible.builtin.template: - src: hostname.j2 - dest: /etc/hostname - owner: root - group: root - mode: 0644 + ansible.builtin.hostname: + name: "{{ hosts_hostname }}" + use: systemd when: hosts_hostname | length > 0 diff --git a/roles/debian/hosts/templates/hostname.j2 b/roles/debian/hosts/templates/hostname.j2 deleted file mode 100644 index 6c9f6f6d9..000000000 --- a/roles/debian/hosts/templates/hostname.j2 +++ /dev/null @@ -1 +0,0 @@ -{{ hosts_hostname }}
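Review bot: `ansible.builtin.hostname` with `use: systemd` relies on hostnamectl and therefore on a running systemd-hostnamed and D-Bus, so the task now hard-fails in containers, chroots or minimal images where the removed `hostname.j2` template simply wrote /etc/hostname; the `when: not is_local` guards added to the generated playbooks in install.sh suggest this was noticed there, but the role itself carries no such guard. Leaving `use` unset lets the module choose a strategy from the detected distribution, or keep `use: systemd` and state the requirement in the role README and in a comment above the task, e.g. `# Requires a running systemd-hostnamed; skip this role on containers.`. The retained `when: hosts_hostname | length > 0` errors rather than skips when the variable is undefined or null; `when: hosts_hostname | default('') | length > 0` would make the skip reliable.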