diff --git a/roles/bootstrap/vars/main.yml b/roles/bootstrap/vars/main.yml
index 3e10958..ce69854 100644
--- a/roles/bootstrap/vars/main.yml
+++ b/roles/bootstrap/vars/main.yml
@@ -3,10 +3,10 @@ bootstrap_rhel_base:
 - bind-utils
 - dhcp-client
 - efibootmgr
- - "{{ 'firewalld' if firewall_backend == 'firewalld' and firewall_enabled | bool else '' }}"
- - "{{ 'ufw' if firewall_backend == 'ufw' and firewall_enabled | bool else '' }}"
- - "{{ 'iptables' if firewall_toolkit == 'iptables' else '' }}"
- - "{{ 'nftables' if firewall_toolkit == 'nftables' else '' }}"
+ - "{{ 'firewalld' if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else '' }}"
+ - "{{ 'ufw' if system_cfg.features.firewall.backend == 'ufw' and system_cfg.features.firewall.enabled | bool else '' }}"
+ - "{{ 'iptables' if system_cfg.features.firewall.toolkit == 'iptables' else '' }}"
+ - "{{ 'nftables' if system_cfg.features.firewall.toolkit == 'nftables' else '' }}"
 - glibc-langpack-de
 - glibc-langpack-en
 - lrzsz
@@ -17,10 +17,10 @@ bootstrap_rhel_base:
 - policycoreutils-python-utils
 - shim
 - tmux
- - "{{ 'cryptsetup' if luks_enabled else '' }}"
- - "{{ 'tpm2-tools' if luks_enabled else '' }}"
- - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
- - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
+ - "{{ 'cryptsetup' if system_cfg.luks.enabled else '' }}"
+ - "{{ 'tpm2-tools' if system_cfg.luks.enabled else '' }}"
+ - "{{ 'qemu-guest-agent' if hypervisor_type in ['libvirt', 'proxmox'] else '' }}"
+ - "{{ 'open-vm-tools' if hypervisor_type == 'vmware' else '' }}"
 - vim
 - zram-generator
 - zstd
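Review bot: `system_cfg.luks.enabled` is tested bare in the `cryptsetup`/`tpm2-tools` entries while the firewall and ssh entries in the same lists apply `| bool`, so a quoted `"false"` in the config would still install the LUKS tooling; `roles/configuration/defaults/main.yml` in this same commit coerces the same key with `| bool`, and `"{{ 'cryptsetup' if system_cfg.luks.enabled | bool else '' }}"` would keep the two consistent. The same pattern repeats in the fedora, debian, archlinux, alpine, opensuse and void lists in the following hunks of this file. Replacing `hypervisor | lower` with `hypervisor_type` also drops the case normalisation, so unless `hypervisor_type` is already lower-cased where it is derived, a value such as `Proxmox` would silently skip `qemu-guest-agent`. How the `''` placeholders these expressions produce are filtered before the package manager runs is outside this hunk.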
@@ -61,10 +61,10 @@ bootstrap_fedora:
 - duf
 - efibootmgr
 - entr
- - "{{ 'firewalld' if firewall_backend == 'firewalld' and firewall_enabled | bool else '' }}"
- - "{{ 'ufw' if firewall_backend == 'ufw' and firewall_enabled | bool else '' }}"
- - "{{ 'iptables' if firewall_toolkit == 'iptables' else '' }}"
- - "{{ 'nftables' if firewall_toolkit == 'nftables' else '' }}"
+ - "{{ 'firewalld' if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else '' }}"
+ - "{{ 'ufw' if system_cfg.features.firewall.backend == 'ufw' and system_cfg.features.firewall.enabled | bool else '' }}"
+ - "{{ 'iptables' if system_cfg.features.firewall.toolkit == 'iptables' else '' }}"
+ - "{{ 'nftables' if system_cfg.features.firewall.toolkit == 'nftables' else '' }}"
 - fish
 - fzf
 - glibc-langpack-de
@@ -84,10 +84,10 @@ bootstrap_fedora:
 - ripgrep
 - shim
 - tmux
- - "{{ 'cryptsetup' if luks_enabled else '' }}"
- - "{{ 'tpm2-tools' if luks_enabled else '' }}"
- - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
- - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
+ - "{{ 'cryptsetup' if system_cfg.luks.enabled else '' }}"
+ - "{{ 'tpm2-tools' if system_cfg.luks.enabled else '' }}"
+ - "{{ 'qemu-guest-agent' if hypervisor_type in ['libvirt', 'proxmox'] else '' }}"
+ - "{{ 'open-vm-tools' if hypervisor_type == 'vmware' else '' }}"
 - vim-default-editor
 - wget
 - zoxide
@@ -106,14 +106,14 @@ bootstrap_debian_base:
 - grub-efi
 - grub-efi-amd64-signed
 - grub2-common
- - "{{ 'cryptsetup' if luks_enabled else '' }}"
- - "{{ 'cryptsetup-initramfs' if luks_enabled else '' }}"
+ - "{{ 'cryptsetup' if system_cfg.luks.enabled else '' }}"
+ - "{{ 'cryptsetup-initramfs' if system_cfg.luks.enabled else '' }}"
 - locales
 - logrotate
 - lvm2
- - "{{ 'iptables' if firewall_toolkit == 'iptables' else '' }}"
- - "{{ 'nftables' if firewall_toolkit == 'nftables' else '' }}"
- - "{{ 'openssh-server' if ssh_enabled | bool else '' }}"
+ - "{{ 'iptables' if system_cfg.features.firewall.toolkit == 'iptables' else '' }}"
+ - "{{ 'nftables' if system_cfg.features.firewall.toolkit == 'nftables' else '' }}"
+ - "{{ 'openssh-server' if system_cfg.features.ssh.enabled | bool else '' }}"
 - python3
 - xfsprogs
@@ -124,8 +124,8 @@ bootstrap_debian_extra:
 - curl
 - duf
 - entr
- - "{{ 'firewalld' if firewall_backend == 'firewalld' and firewall_enabled | bool else '' }}"
- - "{{ 'ufw' if firewall_backend == 'ufw' and firewall_enabled | bool else '' }}"
+ - "{{ 'firewalld' if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else '' }}"
+ - "{{ 'ufw' if system_cfg.features.firewall.backend == 'ufw' and system_cfg.features.firewall.enabled | bool else '' }}"
 - fish
 - fzf
 - htop
@@ -146,9 +146,9 @@ bootstrap_debian_extra:
 - systemd-zram-generator
 - tcpd
 - tldr
- - "{{ 'tpm2-tools' if luks_enabled else '' }}"
- - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
- - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
+ - "{{ 'tpm2-tools' if system_cfg.luks.enabled else '' }}"
+ - "{{ 'qemu-guest-agent' if hypervisor_type in ['libvirt', 'proxmox'] else '' }}"
+ - "{{ 'open-vm-tools' if hypervisor_type == 'vmware' else '' }}"
 - vim
 - wget
 - zstd
@@ -185,10 +185,10 @@ bootstrap_archlinux:
 - dhcpcd
 - efibootmgr
 - fastfetch
- - "{{ 'firewalld' if firewall_backend == 'firewalld' and firewall_enabled | bool else '' }}"
- - "{{ 'ufw' if firewall_backend == 'ufw' and firewall_enabled | bool else '' }}"
- - "{{ 'iptables' if firewall_toolkit == 'iptables' else '' }}"
- - "{{ 'iptables-nft' if firewall_toolkit == 'nftables' else '' }}"
+ - "{{ 'firewalld' if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else '' }}"
+ - "{{ 'ufw' if system_cfg.features.firewall.backend == 'ufw' and system_cfg.features.firewall.enabled | bool else '' }}"
+ - "{{ 'iptables' if system_cfg.features.firewall.toolkit == 'iptables' else '' }}"
+ - "{{ 'iptables-nft' if system_cfg.features.firewall.toolkit == 'nftables' else '' }}"
 - fish
 - fzf
 - grub
@@ -202,7 +202,7 @@ bootstrap_archlinux:
 - ncdu
 - networkmanager
 - nfs-utils
- - "{{ 'openssh' if ssh_enabled | bool else '' }}"
+ - "{{ 'openssh' if system_cfg.features.ssh.enabled | bool else '' }}"
 - ppp
 - prometheus-node-exporter
 - python-psycopg2
@@ -211,10 +211,10 @@ bootstrap_archlinux:
 - sudo
 - tldr
 - tmux
- - "{{ 'cryptsetup' if luks_enabled else '' }}"
- - "{{ 'tpm2-tools' if luks_enabled else '' }}"
- - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
- - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
+ - "{{ 'cryptsetup' if system_cfg.luks.enabled else '' }}"
+ - "{{ 'tpm2-tools' if system_cfg.luks.enabled else '' }}"
+ - "{{ 'qemu-guest-agent' if hypervisor_type in ['libvirt', 'proxmox'] else '' }}"
+ - "{{ 'open-vm-tools' if hypervisor_type == 'vmware' else '' }}"
 - vim
 - wireguard-tools
 - zram-generator
@@ -222,36 +222,36 @@ bootstrap_archlinux:
 bootstrap_alpine:
 - alpine-base
 - vim
- - "{{ 'openssh' if ssh_enabled | bool else '' }}"
- - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
- - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
- - "{{ 'firewalld' if firewall_backend == 'firewalld' and firewall_enabled | bool else '' }}"
- - "{{ 'ufw' if firewall_backend == 'ufw' and firewall_enabled | bool else '' }}"
- - "{{ 'iptables' if firewall_toolkit == 'iptables' else '' }}"
- - "{{ 'nftables' if firewall_toolkit == 'nftables' else '' }}"
- - "{{ 'cryptsetup' if luks_enabled else '' }}"
- - "{{ 'tpm2-tools' if luks_enabled else '' }}"
+ - "{{ 'openssh' if system_cfg.features.ssh.enabled | bool else '' }}"
+ - "{{ 'qemu-guest-agent' if hypervisor_type in ['libvirt', 'proxmox'] else '' }}"
+ - "{{ 'open-vm-tools' if hypervisor_type == 'vmware' else '' }}"
+ - "{{ 'firewalld' if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else '' }}"
+ - "{{ 'ufw' if system_cfg.features.firewall.backend == 'ufw' and system_cfg.features.firewall.enabled | bool else '' }}"
+ - "{{ 'iptables' if system_cfg.features.firewall.toolkit == 'iptables' else '' }}"
+ - "{{ 'nftables' if system_cfg.features.firewall.toolkit == 'nftables' else '' }}"
+ - "{{ 'cryptsetup' if system_cfg.luks.enabled else '' }}"
+ - "{{ 'tpm2-tools' if system_cfg.luks.enabled else '' }}"
 bootstrap_opensuse:
 - vim
- - "{{ 'openssh' if ssh_enabled | bool else '' }}"
- - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
- - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
- - "{{ 'firewalld' if firewall_backend == 'firewalld' and firewall_enabled | bool else '' }}"
- - "{{ 'ufw' if firewall_backend == 'ufw' and firewall_enabled | bool else '' }}"
- - "{{ 'iptables' if firewall_toolkit == 'iptables' else '' }}"
- - "{{ 'nftables' if firewall_toolkit == 'nftables' else '' }}"
- - "{{ 'cryptsetup' if luks_enabled else '' }}"
- - "{{ 'tpm2-tools' if luks_enabled else '' }}"
+ - "{{ 'openssh' if system_cfg.features.ssh.enabled | bool else '' }}"
+ - "{{ 'qemu-guest-agent' if hypervisor_type in ['libvirt', 'proxmox'] else '' }}"
+ - "{{ 'open-vm-tools' if hypervisor_type == 'vmware' else '' }}"
+ - "{{ 'firewalld' if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else '' }}"
+ - "{{ 'ufw' if system_cfg.features.firewall.backend == 'ufw' and system_cfg.features.firewall.enabled | bool else '' }}"
+ - "{{ 'iptables' if system_cfg.features.firewall.toolkit == 'iptables' else '' }}"
+ - "{{ 'nftables' if system_cfg.features.firewall.toolkit == 'nftables' else '' }}"
+ - "{{ 'cryptsetup' if system_cfg.luks.enabled else '' }}"
+ - "{{ 'tpm2-tools' if system_cfg.luks.enabled else '' }}"
 bootstrap_void:
 - vim
- - "{{ 'openssh' if ssh_enabled | bool else '' }}"
- - "{{ 'qemu-guest-agent' if hypervisor | lower in ['libvirt', 'proxmox'] else '' }}"
- - "{{ 'open-vm-tools' if hypervisor | lower == 'vmware' else '' }}"
- - "{{ 'firewalld' if firewall_backend == 'firewalld' and firewall_enabled | bool else '' }}"
- - "{{ 'ufw' if firewall_backend == 'ufw' and firewall_enabled | bool else '' }}"
- - "{{ 'iptables' if firewall_toolkit == 'iptables' else '' }}"
- - "{{ 'nftables' if firewall_toolkit == 'nftables' else '' }}"
- - "{{ 'cryptsetup' if luks_enabled else '' }}"
- - "{{ 'tpm2-tools' if luks_enabled else '' }}"
+ - "{{ 'openssh' if system_cfg.features.ssh.enabled | bool else '' }}"
+ - "{{ 'qemu-guest-agent' if hypervisor_type in ['libvirt', 'proxmox'] else '' }}"
+ - "{{ 'open-vm-tools' if hypervisor_type == 'vmware' else '' }}"
+ - "{{ 'firewalld' if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else '' }}"
+ - "{{ 'ufw' if system_cfg.features.firewall.backend == 'ufw' and system_cfg.features.firewall.enabled | bool else '' }}"
+ - "{{ 'iptables' if system_cfg.features.firewall.toolkit == 'iptables' else '' }}"
+ - "{{ 'nftables' if system_cfg.features.firewall.toolkit == 'nftables' else '' }}"
+ - "{{ 'cryptsetup' if system_cfg.luks.enabled else '' }}"
+ - "{{ 'tpm2-tools' if system_cfg.luks.enabled else '' }}"
diff --git a/roles/cis/tasks/crypto.yml b/roles/cis/tasks/crypto.yml
index 15bfcea..a3d58b1 100644
--- a/roles/cis/tasks/crypto.yml
+++ b/roles/cis/tasks/crypto.yml
@@ -7,6 +7,6 @@
 - name: Mask Systemd Services
 ansible.builtin.command: >
- {{ chroot_command }} systemctl mask {{ 'nftables' if firewall_toolkit == 'iptables' else 'iptables' }} bluetooth rpcbind
+ {{ chroot_command }} systemctl mask {{ 'nftables' if system_cfg.features.firewall.toolkit == 'iptables' else 'iptables' }} bluetooth rpcbind
 register: cis_mask_services_result
 changed_when: cis_mask_services_result.rc == 0
diff --git a/roles/cleanup/tasks/main.yml b/roles/cleanup/tasks/main.yml
index db33ea4..9692284 100644
--- a/roles/cleanup/tasks/main.yml
+++ b/roles/cleanup/tasks/main.yml
@@ -1,8 +1,8 @@
 ---
 - name: Cleanup physical install
- when: install_type == "physical"
+ when: system_cfg.type == "physical"
 ansible.builtin.include_tasks: physical.yml
 - name: Cleanup virtual install
- when: install_type == "virtual"
+ when: system_cfg.type == "virtual"
 ansible.builtin.include_tasks: virtual.yml
diff --git a/roles/cleanup/tasks/proxmox.yml b/roles/cleanup/tasks/proxmox.yml
index a53a6da..fc4406c 100644
--- a/roles/cleanup/tasks/proxmox.yml
+++ b/roles/cleanup/tasks/proxmox.yml
@@ -22,6 +22,6 @@
 api_host: "{{ hypervisor_cfg.url }}"
 api_user: "{{ hypervisor_cfg.username }}"
 api_password: "{{ hypervisor_cfg.password }}"
- node: "{{ hypervisor_cfg.node }}"
+ node: "{{ hypervisor_cfg.host }}"
 vmid: "{{ system_cfg.id }}"
 state: restarted
diff --git a/roles/cleanup/tasks/virtual.yml b/roles/cleanup/tasks/virtual.yml
index 638f63f..9f0f093 100644
--- a/roles/cleanup/tasks/virtual.yml
+++ b/roles/cleanup/tasks/virtual.yml
@@ -28,7 +28,7 @@
 (ansible_connection | default('ssh')) != 'ssh'
 or ((system_cfg.ip | default('') | string | length) > 0)
 or (
- install_type == 'physical'
+ system_cfg.type == 'physical'
 and (ansible_host | default('') | string | length) > 0
 )
 )
@@ -38,7 +38,7 @@
 - name: Check VM accessibility after reboot
 when:
- - install_type == "virtual"
+ - system_cfg.type == "virtual"
 - cleanup_post_reboot_can_connect | bool
 block:
 - name: Attempt to connect to VM
@@ -114,7 +114,7 @@
 api_host: "{{ hypervisor_cfg.url }}"
 api_user: "{{ hypervisor_cfg.username }}"
 api_password: "{{ hypervisor_cfg.password }}"
- node: "{{ hypervisor_cfg.node }}"
+ node: "{{ hypervisor_cfg.host }}"
 name: "{{ hostname }}"
 vmid: "{{ system_cfg.id }}"
 state: stopped
@@ -129,7 +129,7 @@
 api_host: "{{ hypervisor_cfg.url }}"
 api_user: "{{ hypervisor_cfg.username }}"
 api_password: "{{ hypervisor_cfg.password }}"
- node: "{{ hypervisor_cfg.node }}"
+ node: "{{ hypervisor_cfg.host }}"
 name: "{{ hostname }}"
 vmid: "{{ system_cfg.id }}"
 state: absent
diff --git a/roles/configuration/defaults/main.yml b/roles/configuration/defaults/main.yml
index e45ed38..07a3524 100644
--- a/roles/configuration/defaults/main.yml
+++ b/roles/configuration/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-configuration_motd_enabled: "{{ motd_enabled | bool }}"
-configuration_sudo_banner_enabled: "{{ sudo_banner_enabled | bool }}"
-configuration_firewall_enabled: "{{ firewall_enabled | bool }}"
-configuration_luks_enabled: "{{ luks_enabled | bool }}"
+configuration_motd_enabled: "{{ system_cfg.features.banner.motd | bool }}"
+configuration_sudo_banner_enabled: "{{ system_cfg.features.banner.sudo | bool }}"
+configuration_firewall_enabled: "{{ system_cfg.features.firewall.enabled | bool }}"
+configuration_luks_enabled: "{{ system_cfg.luks.enabled | bool }}"
diff --git a/roles/configuration/tasks/encryption.yml b/roles/configuration/tasks/encryption.yml
index 0852860..499031a 100644
--- a/roles/configuration/tasks/encryption.yml
+++ b/roles/configuration/tasks/encryption.yml
@@ -57,7 +57,7 @@
 ansible.builtin.assert:
 that:
 - configuration_luks_passphrase_effective | length > 0
- fail_msg: luks_passphrase (or partitioning_luks_passphrase) must be set for LUKS auto-decrypt.
+ fail_msg: system.luks.passphrase must be set for LUKS auto-decrypt.
 no_log: true
 - name: Enroll TPM2 for LUKS
diff --git a/roles/configuration/tasks/extras.yml b/roles/configuration/tasks/extras.yml
index 316aefc..7242246 100644
--- a/roles/configuration/tasks/extras.yml
+++ b/roles/configuration/tasks/extras.yml
@@ -29,13 +29,13 @@
 when:
 - (os != "debian" or (os_version | string) != "11") and os != "rhel"
 - os | lower not in ["alpine", "void"]
- - swap_enabled | bool
+ - system_cfg.features.swap.enabled | bool
 ansible.builtin.copy:
 dest: /mnt/etc/systemd/zram-generator.conf
 content: |
 [zram0]
 zram-size = ram / 2
- compression-algorithm = {{ 'zstd' if zstd_enabled | bool else 'lz4' }}
+ compression-algorithm = {{ 'zstd' if system_cfg.features.zstd.enabled | bool else 'lz4' }}
 swap-priority = 100
 fs-type = swap
 mode: "0644"
diff --git a/roles/configuration/tasks/grub.yml b/roles/configuration/tasks/grub.yml
index ed45d9b..e793feb 100644
--- a/roles/configuration/tasks/grub.yml
+++ b/roles/configuration/tasks/grub.yml
@@ -32,7 +32,7 @@
 ['rd.lvm.lv=sys/root'] + (
 ['rd.lvm.lv=sys/swap', 'resume=/dev/mapper/sys-swap']
- if swap_enabled | bool
+ if system_cfg.features.swap.enabled | bool
 else []
 )
 )
diff --git a/roles/configuration/tasks/locales.yml b/roles/configuration/tasks/locales.yml
index 1122eab..89f100f 100644
--- a/roles/configuration/tasks/locales.yml
+++ b/roles/configuration/tasks/locales.yml
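Review bot: The new `fail_msg` names `system.luks.passphrase`, but every reference this commit introduces elsewhere reads from the `system_cfg.luks.*` path, so the message points the operator at a key name that differs from the one the play evaluates; if `system.luks.passphrase` is the key of the operator-facing config file that gets loaded into `system_cfg`, that is fine, otherwise align it. Naming the variable the assert actually tests also helps debugging, e.g. `fail_msg: system.luks.passphrase must be set for LUKS auto-decrypt (configuration_luks_passphrase_effective is empty).` The assert keeps `no_log: true`, which is appropriate given the task handles the passphrase.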
@@ -31,13 +31,14 @@
 - name: Set hostname
 vars:
+ configuration_dns_domain: "{{ (system_cfg.dns.search | default([]) | first | default('')) | string }}"
 configuration_hostname_fqdn: >-
 {{
 hostname if '.' in hostname else (
- hostname + '.' + system_cfg.dns_search
- if system_cfg.dns_search is defined and system_cfg.dns_search | length
+ hostname + '.' + configuration_dns_domain
+ if configuration_dns_domain | length > 0
 else hostname
 )
 }}
@@ -48,13 +49,14 @@
 - name: Add host entry to /etc/hosts
 vars:
+ configuration_dns_domain: "{{ (system_cfg.dns.search | default([]) | first | default('')) | string }}"
 configuration_hostname_fqdn: >-
 {{
 hostname if '.' in hostname else (
- hostname + '.' + system_cfg.dns_search
- if system_cfg.dns_search is defined and system_cfg.dns_search | length
+ hostname + '.' + configuration_dns_domain
+ if configuration_dns_domain | length > 0
 else hostname
 )
 }}
diff --git a/roles/configuration/tasks/network.yml b/roles/configuration/tasks/network.yml
index c686011..944d18e 100644
--- a/roles/configuration/tasks/network.yml
+++ b/roles/configuration/tasks/network.yml
@@ -101,15 +101,7 @@
 - name: Configure Alpine networking
 when: os | lower == "alpine"
 vars:
- configuration_dns_value: "{{ system_cfg.dns_servers if system_cfg.dns_servers is defined else '' }}"
- configuration_dns_list_raw: >-
- {{
- configuration_dns_value
- if configuration_dns_value is iterable and configuration_dns_value is not string
- else configuration_dns_value.split(',')
- }}
- configuration_dns_list: >-
- {{ configuration_dns_list_raw | map('trim') | reject('equalto', '') | list }}
+ configuration_dns_list: "{{ system_cfg.dns.servers | default([]) }}"
 configuration_alpine_static: >-
 {{
 system_cfg.ip is defined
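Review bot: `configuration_dns_domain` and `configuration_hostname_fqdn` are now defined twice with identical bodies, once under `Set hostname` and again under `Add host entry to /etc/hosts` in the second hunk of this file, so a later fix to one copy will silently leave the other behind. Hoisting both into a single `ansible.builtin.set_fact` task ahead of the two consumers, or into block-level `vars:`, keeps one definition. The new expression also takes only the first entry of `system_cfg.dns.search`, which is a behavioural narrowing compared with the old scalar `system_cfg.dns_search`; a comment on the vars line such as `# FQDN is built from the first search domain only` would make that intentional. Both tasks continue outside the hunk.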
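Review bot: `configuration_dns_list: "{{ system_cfg.dns.servers | default([]) }}"` drops the old normalisation (comma-split, `trim`, `reject('equalto', '')`), so a config that still supplies `dns.servers` as a string, or a list with blank entries, is passed through unchanged to whatever renders the resolver config; a string would be iterated character by character there. The Void hunk that follows makes the same change. If the list form is now the only supported one, stating that contract once with an assert is cheap, e.g. `- system_cfg.dns.servers | default([]) is not string` in a pre-flight `ansible.builtin.assert`; otherwise keep at least the `| reject('equalto', '') | list` step. The Alpine task body continues outside the hunk.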
@@ -148,15 +140,7 @@
 - name: Configure Void networking
 when: os | lower == "void"
 vars:
- configuration_dns_value: "{{ system_cfg.dns_servers if system_cfg.dns_servers is defined else '' }}"
- configuration_dns_list_raw: >-
- {{
- configuration_dns_value
- if configuration_dns_value is iterable and configuration_dns_value is not string
- else configuration_dns_value.split(',')
- }}
- configuration_dns_list: >-
- {{ configuration_dns_list_raw | map('trim') | reject('equalto', '') | list }}
+ configuration_dns_list: "{{ system_cfg.dns.servers | default([]) }}"
 configuration_void_static: >-
 {{
 system_cfg.ip is defined
diff --git a/roles/configuration/tasks/selinux.yml b/roles/configuration/tasks/selinux.yml
index 806694f..fcc8b32 100644
--- a/roles/configuration/tasks/selinux.yml
+++ b/roles/configuration/tasks/selinux.yml
@@ -3,7 +3,7 @@
 when: is_rhel | bool
 block:
 - name: Fix SELinux by pre-labeling the filesystem before first boot
- when: os in ['almalinux', 'rocky', 'rhel'] and selinux | bool
+ when: os in ['almalinux', 'rocky', 'rhel'] and system_cfg.features.selinux.enabled | bool
 ansible.builtin.command: >
 {{ chroot_command }} /sbin/setfiles -v -F -e /dev -e /proc -e /sys -e /run
@@ -12,7 +12,7 @@
 changed_when: configuration_setfiles_result.rc == 0
 - name: Disable SELinux
- when: os | lower == "fedora" or not selinux | bool
+ when: os | lower == "fedora" or not system_cfg.features.selinux.enabled | bool
 ansible.builtin.lineinfile:
 path: /mnt/etc/selinux/config
 regexp: ^SELINUX=
diff --git a/roles/configuration/tasks/services.yml b/roles/configuration/tasks/services.yml
index 2ed1e05..3b28754 100644
--- a/roles/configuration/tasks/services.yml
+++ b/roles/configuration/tasks/services.yml
@@ -3,11 +3,11 @@
 when: os | lower not in ['alpine', 'void']
 ansible.builtin.command: >
 {{ chroot_command }} systemctl enable NetworkManager
- {{ ' firewalld' if firewall_backend == 'firewalld' and firewall_enabled | bool else '' }}
- {{ ' ufw' if firewall_backend == 'ufw' and firewall_enabled | bool else '' }}
+ {{ ' firewalld' if system_cfg.features.firewall.backend == 'firewalld' and system_cfg.features.firewall.enabled | bool else '' }}
+ {{ ' ufw' if system_cfg.features.firewall.backend == 'ufw' and system_cfg.features.firewall.enabled | bool else '' }}
 {{ (' ssh' if is_debian | bool else ' sshd')
- if ssh_enabled | bool else ''
+ if system_cfg.features.ssh.enabled | bool else ''
 }}
 {{ 'logrotate systemd-resolved systemd-timesyncd systemd-networkd'
@@ -22,8 +22,8 @@
 configuration_openrc_services: >-
 {{
 ['networking']
- + (['sshd'] if ssh_enabled | bool else [])
- + ([firewall_backend] if firewall_enabled | bool else [])
+ + (['sshd'] if system_cfg.features.ssh.enabled | bool else [])
+ + ([system_cfg.features.firewall.backend] if system_cfg.features.firewall.enabled | bool else [])
 }}
 block:
 - name: Ensure OpenRC runlevel directory exists
@@ -53,8 +53,8 @@
 configuration_runit_services: >-
 {{
 ['dhcpcd']
- + (['sshd'] if ssh_enabled | bool else [])
- + ([firewall_backend] if firewall_enabled | bool else [])
+ + (['sshd'] if system_cfg.features.ssh.enabled | bool else [])
+ + ([system_cfg.features.firewall.backend] if system_cfg.features.firewall.enabled | bool else [])
 }}
 block:
 - name: Ensure runit service directory exists
diff --git a/roles/configuration/tasks/users.yml b/roles/configuration/tasks/users.yml
index 1b290c8..24f0066 100644
--- a/roles/configuration/tasks/users.yml
+++ b/roles/configuration/tasks/users.yml
@@ -5,11 +5,11 @@
 {{ "sudo" if is_debian | bool else "wheel" }}
 configuration_useradd_cmd: >-
 {{ chroot_command }} /usr/sbin/useradd --create-home --user-group
- --groups {{ configuration_user_group }} {{ user_name }}
- --password {{ user_password | password_hash('sha512') }} --shell /bin/bash
+ --groups {{ configuration_user_group }} {{ system_cfg.user.name }}
+ --password {{ system_cfg.user.password | password_hash('sha512') }} --shell /bin/bash
 configuration_root_cmd: >-
 {{ chroot_command }} /usr/sbin/usermod --password
- '{{ root_password | password_hash('sha512') }}' root --shell /bin/bash
+ '{{ system_cfg.root.password | password_hash('sha512') }}' root --shell /bin/bash
 ansible.builtin.command: "{{ item }}"
 loop:
 - "{{ configuration_useradd_cmd }}"
@@ -18,19 +18,19 @@
 changed_when: configuration_user_result.rc == 0
 - name: Ensure .ssh directory exists
- when: user_public_key | length > 0
+ when: system_cfg.user.public_key | length > 0
 ansible.builtin.file:
- path: /mnt/home/{{ user_name }}/.ssh
+ path: /mnt/home/{{ system_cfg.user.name }}/.ssh
 state: directory
 owner: 1000
 group: 1000
 mode: "0700"
 - name: Add SSH public key to authorized_keys
- when: user_public_key | length > 0
+ when: system_cfg.user.public_key | length > 0
 ansible.builtin.lineinfile:
- path: /mnt/home/{{ user_name }}/.ssh/authorized_keys
- line: "{{ user_public_key }}"
+ path: /mnt/home/{{ system_cfg.user.name }}/.ssh/authorized_keys
+ line: "{{ system_cfg.user.public_key }}"
 owner: 1000
 group: 1000
 mode: "0600"
diff --git a/roles/configuration/templates/network.j2 b/roles/configuration/templates/network.j2
index 4582537..e07317f 100644
--- a/roles/configuration/templates/network.j2
+++ b/roles/configuration/templates/network.j2
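Review bot: `when: system_cfg.user.public_key | length > 0` on both tasks in the second hunk raises an undefined-variable error instead of skipping when the nested config omits `public_key`, whereas the flat `user_public_key` it replaces may have been covered by a defaults file; `when: (system_cfg.user.public_key | default('')) | length > 0` preserves the skip. In the first hunk the useradd/usermod strings now carry `system_cfg.user.password` and `system_cfg.root.password` through `password_hash`, and the task header with any `no_log:` lies outside the hunk, so confirm the `ansible.builtin.command` task that loops over `configuration_useradd_cmd` has `no_log: true`, otherwise the salted hashes end up in task output and logs. The `--password` value is also quoted in `configuration_root_cmd` but not in `configuration_useradd_cmd`; aligning the two avoids surprises if the loop ever moves to a shell-based module.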
@@ -4,12 +4,8 @@
 uuid={{ configuration_net_uuid }}
 type=ethernet
 [ipv4]
-{% set dns_value = system_cfg.dns_servers if system_cfg.dns_servers is defined else '' %}
-{% set dns_list_raw = dns_value if dns_value is iterable and dns_value is not string else dns_value.split(',') %}
-{% set dns_list = dns_list_raw | map('trim') | reject('equalto', '') | list %}
-{% set search_value = system_cfg.dns_search if system_cfg.dns_search is defined else '' %}
-{% set search_list_raw = search_value if search_value is iterable and search_value is not string else search_value.split(',') %}
-{% set search_list = search_list_raw | map('trim') | reject('equalto', '') | list %}
+{% set dns_list = system_cfg.dns.servers | default([]) %}
+{% set search_list = system_cfg.dns.search | default([]) %}
 {% if system_cfg.ip is defined and system_cfg.ip | string | length %}
 address1={{ system_cfg.ip }}/{{ system_cfg.prefix }}{{ (',' ~ system_cfg.gateway) if (system_cfg.gateway is defined and system_cfg.gateway | string | length) else '' }}
 method=manual
diff --git a/roles/environment/tasks/main.yml b/roles/environment/tasks/main.yml
index ad2b3ee..816b803 100644
--- a/roles/environment/tasks/main.yml
+++ b/roles/environment/tasks/main.yml
@@ -120,7 +120,7 @@
 changed_when: false
 - name: Configure SSH for root login
- when: hypervisor_type == "vmware" and vmware_ssh | bool
+ when: hypervisor_type == "vmware" and hypervisor_cfg.ssh | bool
 block:
 - name: Allow login
 ansible.builtin.replace:
diff --git a/roles/system_check/tasks/main.yml b/roles/system_check/tasks/main.yml
index 781dd48..46932fc 100644
--- a/roles/system_check/tasks/main.yml
+++ b/roles/system_check/tasks/main.yml
@@ -79,7 +79,7 @@
 quiet: true
 - name: VM existence protection check
- when: install_type == "virtual"
+ when: system_cfg.type == "virtual"
 block:
 - name: Check if VM already exists on libvirt
 when: hypervisor_type == "libvirt"
@@ -110,7 +110,7 @@
 api_host: "{{ hypervisor_cfg.url }}"
 api_user: "{{ hypervisor_cfg.username }}"
 api_password: "{{ hypervisor_cfg.password }}"
- node: "{{ hypervisor_cfg.node }}"
+ node: "{{ hypervisor_cfg.host }}"
 vmid: "{{ system_cfg.id }}"
 name: "{{ hostname }}"
 type: qemu
diff --git a/roles/virtualization/tasks/proxmox.yml b/roles/virtualization/tasks/proxmox.yml
index fef56cd..437adf0 100644
--- a/roles/virtualization/tasks/proxmox.yml
+++ b/roles/virtualization/tasks/proxmox.yml
@@ -2,24 +2,6 @@
 - name: Deploy VM on Proxmox
 delegate_to: localhost
 vars:
- virtualization_dns_value: "{{ system_cfg.dns_servers if system_cfg.dns_servers is defined else '' }}"
- virtualization_dns_list_raw: >-
- {{
- virtualization_dns_value
- if virtualization_dns_value is iterable and virtualization_dns_value is not string
- else virtualization_dns_value.split(',')
- }}
- virtualization_dns_list: >-
- {{ virtualization_dns_list_raw | map('trim') | reject('equalto', '') | list }}
- virtualization_search_value: "{{ system_cfg.dns_search if system_cfg.dns_search is defined else '' }}"
- virtualization_search_list_raw: >-
- {{
- virtualization_search_value
- if virtualization_search_value is iterable and virtualization_search_value is not string
- else virtualization_search_value.split(',')
- }}
- virtualization_search_list: >-
- {{ virtualization_search_list_raw | map('trim') | reject('equalto', '') | list }}
 virtualization_proxmox_scsi: >-
 {%- set out = {} -%}
 {%- for disk in system_cfg.disks -%}
@@ -30,16 +12,16 @@
 api_host: "{{ hypervisor_cfg.url }}"
 api_user: "{{ hypervisor_cfg.username }}"
 api_password: "{{ hypervisor_cfg.password }}"
- ciuser: "{{ user_name }}"
- cipassword: "{{ user_password }}"
+ ciuser: "{{ system_cfg.user.name }}"
+ cipassword: "{{ system_cfg.user.password }}"
 ciupgrade: false
- node: "{{ hypervisor_cfg.node }}"
+ node: "{{ hypervisor_cfg.host }}"
 vmid: "{{ system_cfg.id }}"
 name: "{{ hostname }}"
 cpu: host
 cores: "{{ system_cfg.cpus }}"
- memory: "{{ system_cfg.memory_mb }}"
- balloon: "{{ system_cfg.balloon_mb if system_cfg.balloon_mb is defined and system_cfg.balloon_mb | int > 0 else omit }}"
+ memory: "{{ system_cfg.memory }}"
+ balloon: "{{ system_cfg.balloon if system_cfg.balloon is defined and system_cfg.balloon | int > 0 else omit }}"
 numa_enabled: true
 hotplug: network,disk
 update: "{{ virtualization_tpm2_enabled | bool }}"
@@ -75,8 +57,8 @@
 if system_cfg.ip is defined and system_cfg.ip | string | length
 else 'ip=dhcp'
 }}
- nameservers: "{{ virtualization_dns_list if virtualization_dns_list | length else omit }}"
- searchdomains: "{{ virtualization_search_list if virtualization_search_list | length else omit }}"
+ nameservers: "{{ system_cfg.dns.servers if system_cfg.dns.servers | length else omit }}"
+ searchdomains: "{{ system_cfg.dns.search if system_cfg.dns.search | length else omit }}"
 onboot: true
 state: present
@@ -86,7 +68,7 @@
 api_host: "{{ hypervisor_cfg.url }}"
 api_user: "{{ hypervisor_cfg.username }}"
 api_password: "{{ hypervisor_cfg.password }}"
- node: "{{ hypervisor_cfg.node }}"
+ node: "{{ hypervisor_cfg.host }}"
 name: "{{ hostname }}"
 vmid: "{{ system_cfg.id }}"
 state: started
diff --git a/roles/virtualization/tasks/vmware.yml b/roles/virtualization/tasks/vmware.yml
index f1ea894..a7f1590 100644
--- a/roles/virtualization/tasks/vmware.yml
+++ b/roles/virtualization/tasks/vmware.yml
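Review bot: `nameservers: "{{ system_cfg.dns.servers if system_cfg.dns.servers | length else omit }}"` and the `searchdomains` line below it in the second hunk read `system_cfg.dns.servers`/`.search` without a default, whereas `network.yml`, `network.j2` and `cloud-network-config.yml.j2` in this same commit all guard with `| default([])`; a config without a `dns:` stanza therefore fails here with an undefined-attribute error instead of omitting the parameter. `nameservers: "{{ system_cfg.dns.servers if (system_cfg.dns.servers | default([]) | length) else omit }}"` (and the same for `searchdomains`) restores the omit path. In the first hunk `cipassword: "{{ system_cfg.user.password }}"` is sent in clear to the Proxmox API alongside `api_password`; the `Deploy VM on Proxmox` task header is outside this hunk, so confirm it carries `no_log: true` so neither secret reaches play output.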
@@ -29,7 +29,7 @@
 state: "{{ 'poweredoff' if virtualization_tpm2_enabled | bool else 'poweredon' }}"
 disk: "{{ virtualization_vmware_disks }}"
 hardware:
- memory_mb: "{{ system_cfg.memory_mb }}"
+ memory_mb: "{{ system_cfg.memory }}"
 num_cpus: "{{ system_cfg.cpus }}"
 boot_firmware: efi
 secure_boot: false
diff --git a/roles/virtualization/templates/cloud-network-config.yml.j2 b/roles/virtualization/templates/cloud-network-config.yml.j2
index 584eb3f..14f9bf0 100644
--- a/roles/virtualization/templates/cloud-network-config.yml.j2
+++ b/roles/virtualization/templates/cloud-network-config.yml.j2
@@ -5,12 +5,8 @@ network:
 match:
 macaddress: "{{ virtualization_mac_address }}"
 {% set has_static = system_cfg.ip is defined and system_cfg.ip | string | length %}
-{% set dns_value = system_cfg.dns_servers if system_cfg.dns_servers is defined else '' %}
-{% set dns_list_raw = dns_value if dns_value is iterable and dns_value is not string else dns_value.split(',') %}
-{% set dns_list = dns_list_raw | map('trim') | reject('equalto', '') | list %}
-{% set search_value = system_cfg.dns_search if system_cfg.dns_search is defined else '' %}
-{% set search_list_raw = search_value if search_value is iterable and search_value is not string else search_value.split(',') %}
-{% set search_list = search_list_raw | map('trim') | reject('equalto', '') | list %}
+{% set dns_list = system_cfg.dns.servers | default([]) %}
+{% set search_list = system_cfg.dns.search | default([]) %}
 {% if has_static %}
 addresses:
 - "{{ system_cfg.ip }}/{{ system_cfg.prefix }}"
@@ -19,12 +15,12 @@ network:
 {% endif %}
 {% else %}
 dhcp4: true
-{% if (system_cfg.dns_servers is defined and system_cfg.dns_servers | length) or (system_cfg.dns_search is defined and system_cfg.dns_search | length) %}
+{% if dns_list | length or search_list | length %}
 dhcp4-overrides:
-{% if system_cfg.dns_servers is defined and system_cfg.dns_servers | length %}
+{% if dns_list | length %}
 use-dns: false
 {% endif %}
-{% if system_cfg.dns_search is defined and system_cfg.dns_search | length %}
+{% if search_list | length %}
 use-domains: false
 {% endif %}
 {% endif %}
diff --git a/roles/virtualization/templates/cloud-user-data.yml.j2 b/roles/virtualization/templates/cloud-user-data.yml.j2
index 6f28dde..977c3f3 100644
--- a/roles/virtualization/templates/cloud-user-data.yml.j2
+++ b/roles/virtualization/templates/cloud-user-data.yml.j2
@@ -4,9 +4,9 @@ ssh_pwauth: true
 package_update: false
 package_upgrade: false
 users:
- - name: "{{ user_name }}"
- primary_group: "{{ user_name }}"
+ - name: "{{ system_cfg.user.name }}"
+ primary_group: "{{ system_cfg.user.name }}"
 groups: users
 sudo: ALL=(ALL) NOPASSWD:ALL
- passwd: "{{ user_password | password_hash('sha512') }}"
+ passwd: "{{ system_cfg.user.password | password_hash('sha512') }}"
 lock_passwd: False
diff --git a/roles/virtualization/templates/vm.xml.j2 b/roles/virtualization/templates/vm.xml.j2
index de2953f..d04dd95 100644
--- a/roles/virtualization/templates/vm.xml.j2
+++ b/roles/virtualization/templates/vm.xml.j2
@@ -1,7 +1,7 @@
 {{ hostname }}
- {{ system_cfg.memory_mb | int * 1024 }}
- {% if system_cfg.balloon_mb is defined and system_cfg.balloon_mb | int > 0 %}{{ system_cfg.balloon_mb | int * 1024 }}{% endif %}
+ {{ system_cfg.memory | int * 1024 }}
+ {% if system_cfg.balloon is defined and system_cfg.balloon | int > 0 %}{{ system_cfg.balloon | int * 1024 }}{% endif %}
 {{ system_cfg.cpus }}
 hvm
diff --git a/templates/xen.cfg.j2 b/templates/xen.cfg.j2
index 1931b37..ec21861 100644
--- a/templates/xen.cfg.j2
+++ b/templates/xen.cfg.j2
@@ -1,6 +1,6 @@
 builder = "hvm"
 name = "{{ hostname }}"
-memory = "{{ system_cfg.memory_mb }}"
+memory = "{{ system_cfg.memory }}"
 vcpus = "{{ system_cfg.cpus }}"
 disk = [
 {%- for disk in virtualization_xen_disks | default([]) -%}