diff --git a/build-debian-promox-template.yml b/build-debian-promox-template.yml index 83c4295..3a5c6a2 100644 --- a/build-debian-promox-template.yml +++ b/build-debian-promox-template.yml @@ -3,12 +3,6 @@ become: yes tasks: - - - name: Write notify script - ansible.builtin.template: - src: scripts/notify.sh.j2 - dest: /tmp/notify.sh - - name: Delete existing template community.general.proxmox_kvm: api_host: "{{ api_host }}" @@ -21,9 +15,9 @@ - name: Download cloud-init image register: image ansible.builtin.get_url: - url: "https://cloud.debian.org/images/cloud/bookworm/latest/debian-12-generic-amd64.qcow2" + url: "https://cloud.debian.org/images/cloud/trixie/latest/debian-13-generic-amd64.qcow2" dest: /tmp - mode: '0644' + mode: "0644" force: true - name: Install Tools @@ -36,11 +30,9 @@ update_cache: true install_recommends: false state: present - + - name: Install Tools to cloud-init image ansible.builtin.shell: | - virt-copy-in -a {{ image.dest }} /tmp/notify.sh /usr/local/bin - virt-customize -a {{ image.dest }} --run-command 'chmod +x /usr/local/bin/notify.sh' virt-customize -a {{ image.dest }} --run-command 'sed -i "s|primary.*|primary: https://deb.debian.org/debian|g" /etc/cloud/cloud.cfg' virt-customize -a {{ image.dest }} --run-command 'apt update' virt-customize -a {{ image.dest }} --install qemu-guest-agent 
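Review bot: The new Trixie image URL is still fetched without an integrity check; `ansible.builtin.get_url` accepts whatever the mirror returns and the file is then customised and imported into Proxmox as the template every other VM is cloned from. Debian publishes a `SHA512SUMS` file alongside the image, so add `checksum: "sha512:https://cloud.debian.org/images/cloud/trixie/latest/SHA512SUMS"` to the task (the entry for `debian-13-generic-amd64.qcow2` is matched by filename). Since `force: true` repeats the download on every run, the checksum also guards each re-download rather than only the first. The download task is fully inside the hunk.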
@@ -57,22 +49,22 @@ name: "debian-12-generic-amd64" agent: "enabled=1" bios: ovmf - boot: 'order=scsi0' + boot: "order=scsi0" cores: 4 sockets: 1 machine: q35 memory: 4096 ostype: "l26" vga: std - scsihw: 'virtio-scsi-single' + scsihw: "virtio-scsi-single" net: - net0: 'virtio,bridge=vmbr0,firewall=1,tag=10' + net0: "virtio,bridge=vmbr0,firewall=1,tag=10" ipconfig: - ipconfig0: 'ip=dhcp' + ipconfig0: "ip=dhcp" template: true timeout: 600 vmid: 10000 - + - name: Import HDD to Template command: - cmd: "qm set 10000 --scsi0 {{ storage_target }}:0,iothread=1,discard=on,import-from=/tmp/debian-12-generic-amd64.qcow2,format=raw" + cmd: "qm set 10000 --scsi0 {{ storage_target }}:0,iothread=1,discard=on,import-from=/tmp/debian-13-generic-amd64.qcow2,format=raw" diff --git a/main.yml b/main.yml index cce5fd7..4340fe0 100644 --- a/main.yml +++ b/main.yml @@ -1,17 +1,12 @@ --- - hosts: all name: Configure all servers - tasks: - - name: Gather facts if run with tags - ansible.builtin.setup: - when: (ansible_run_tags | length) > 0 - tags: always - -- hosts: jellyfin become: yes - tasks: - - include_tasks: tasks/base.yml - tags: base_install + gather_facts: yes + + roles: + - role: base + tags: base_install - hosts: cloud become: yes @@ -72,10 +67,12 @@ path: /mnt/nfs/data src: truenas.comprofix.xyz:/mnt/datapool/data tags: nfs_install + - role: traefik vars: traefik_host: traefik02.comprofix.xyz tags: traefik_install + tasks: - name: Deploy comprofix.com website import_tasks: tasks/comprofix.com.yml @@ -97,10 +94,6 @@ import_tasks: tasks/homepage.yml tags: homepage_install - # - name: Deploy osTicket - # import_tasks: tasks/osticket.yml - # tags: osticket_install - - name: Deploy speedtest-tracker import_tasks: tasks/speedtest.yml tags: speedtest_install 
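Review bot: The template is still created as `name: "debian-12-generic-amd64"` (context line at the top of the hunk) while the disk imported two tasks later is now `/tmp/debian-13-generic-amd64.qcow2`, so the Proxmox template will be labelled Debian 12 but contain Debian 13. Rename it to `name: "debian-13-generic-amd64"`, or better derive the image filename, the template name and the `import-from` path from one variable. The `import-from` path also repeats the download filename by hand although `{{ image.dest }}` from the earlier `register: image` already holds it and is used that way in the virt-customize task. The hardcoded `vmid: 10000` appears in both the module call and the `qm set` command and is a further candidate for a single variable.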
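Review bot: Applying `role: base` to `hosts: all` gives every inventory host the full base role, which in this commit's roles/base/tasks/main.yml includes an unattended Bookworm-to-Trixie dist-upgrade and a reboot whenever the host still reports `bookworm`; the play it replaces only gathered facts. A release upgrade across all hosts should be an explicit opt-in, e.g. `tags: [base_install, never]` on that import inside the role or a role default such as `base_do_release_upgrade: false` (constructed name) that guards it. `become: yes` and `gather_facts: yes` are YAML 1.1 truthy spellings; the new role files use the same form, but `true` is the portable spelling.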
@@ -125,10 +118,6 @@ import_tasks: tasks/radarr.yml tags: radarr_install - # - name: Deploy readarr - # import_tasks: tasks/readarr.yml - # tags: readarr_install - - name: Deploy sonarr import_tasks: tasks/sonarr.yml tags: sonarr_install @@ -162,9 +151,12 @@ - hosts: omada become: yes pre_tasks: - - name: Update packages - import_tasks: tasks/base.yml + - name: Run base role to update packages + import_role: + name: base + tags: base_install + - name: Create directories file: path: "{{ item }}" @@ -176,6 +168,7 @@ tags: docker_install - role: nfs mounts: + - name: Data share path: /data src: truenas.comprofix.xyz:/mnt/datapool/docker diff --git a/roles/base/defaults/main.yml b/roles/base/defaults/main.yml new file mode 100644 index 0000000..ce6ad6b --- /dev/null +++ b/roles/base/defaults/main.yml @@ -0,0 +1,26 @@ +--- +install_packages: # Add addition packages here + - rsyslog + - htop + - vim-nox + - git + - zsh + - curl + - wget + - apt-transport-https + - ca-certificates + - gnupg2 + - python3 + - python3-pip + - nfs-common + - cron + - jq + - sudo + - logwatch + - sendemail + - libio-socket-ssl-perl + - libnet-ssleay-perl + - iptables-persistent + - rclone + - parted + - open-iscsi diff --git a/roles/base/tasks/bookworm_to_trixie.yml b/roles/base/tasks/bookworm_to_trixie.yml new file mode 100644 index 0000000..e46e79a --- /dev/null +++ b/roles/base/tasks/bookworm_to_trixie.yml @@ -0,0 +1,26 @@ +--- +- name: Replace sources.list entries for Trixie + lineinfile: + path: /etc/apt/sources.list + regexp: "^deb " + line: "deb https://deb.debian.org/debian trixie main" + become: yes + +- name: Update cache for Trixie + apt: + update_cache: yes + force_apt_get: yes + +- name: Dist-upgrade to Trixie + apt: + upgrade: dist + force_apt_get: yes + register: trixie_upgrade + +- name: Reboot after Trixie upgrade + reboot: + reboot_timeout: 600 + test_command: whoami + when: + - ansible_virtualization_type != "lxc" + - trixie_upgrade.changed 
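Review bot: The omada play now runs `import_role: name: base` in `pre_tasks`, but the first play in this file already applies the base role to `hosts: all`, so omada hosts execute the whole role — apt upgrade and possible reboot included — twice in one run. If the second run is only meant to guarantee ordering before the docker/nfs roles, drop this pre_task, or exclude these hosts from the first play. The omada play's roles list continues past the end of the hunk.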
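Review bot: `install_packages` is a generic name for a role default; role defaults sit at the bottom of Ansible's variable precedence, so an inventory, group or play variable of the same name set for any other purpose silently replaces this whole list. Prefix it with the role name, `base_install_packages`, here and in the `name: "{{ install_packages }}"` task of system_update.yml. The inline comment has a typo: `# Add additional packages here`.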
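Review bot: `lineinfile` with `regexp: "^deb "` rewrites only the last matching line of /etc/apt/sources.list and leaves every other `deb ` line (updates, security, deb-src) pointing at bookworm, so the following `upgrade: dist` runs against a mixed bookworm/trixie source set. Use `ansible.builtin.replace` on the file with `regexp: "bookworm"` and `replace: "trixie"`, or write the complete file with `copy` as sources_list.yml already does and run that before the upgrade. `become: yes` is set on the first task only; the two `apt` tasks and `reboot` need root just as much, so either set it on all four or rely consistently on play-level become. Facts are not re-gathered after the reboot, so `ansible_distribution_release` still reads `bookworm` for the remainder of the run.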
diff --git a/roles/base/tasks/main.yml b/roles/base/tasks/main.yml
new file mode 100644
index 0000000..4802c87
--- /dev/null
+++ b/roles/base/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+# Gather initial facts
+- name: Gather facts
+ ansible.builtin.setup:
+
+# Update system and install packages
+- import_tasks: system_update.yml
+
+# Upgrade Bookworm -> Trixie if applicable
+- import_tasks: bookworm_to_trixie.yml
+ when: ansible_distribution_release == "bookworm"
+
+# Move to Trixie sources.list.d layout
+- import_tasks: sources_list.yml
+
+# Remove EXTERNALLY-MANAGED files
+- import_tasks: python_cleanup.yml
diff --git a/roles/base/tasks/python_cleanup.yml b/roles/base/tasks/python_cleanup.yml
new file mode 100644
index 0000000..b073730
--- /dev/null
+++ b/roles/base/tasks/python_cleanup.yml
@@ -0,0 +1,17 @@
+---
+- name: Find all EXTERNALLY-MANAGED files under /usr/lib/python*
+ find:
+ paths: /usr/lib
+ patterns: "EXTERNALLY-MANAGED"
+ file_type: file
+ recurse: yes
+ register: externally_managed_files
+ become: yes
+
+- name: Delete EXTERNALLY-MANAGED files
+ file:
+ path: "{{ item.path }}"
+ state: absent
+ loop: "{{ externally_managed_files.files }}"
+ when: externally_managed_files.matched > 0
+ become: yes
diff --git a/roles/base/tasks/sources_list.yml b/roles/base/tasks/sources_list.yml
new file mode 100644
index 0000000..ad5eba8
--- /dev/null
+++ b/roles/base/tasks/sources_list.yml
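Review bot: `import_tasks: sources_list.yml` and `import_tasks: python_cleanup.yml` run unconditionally, while system_update.yml guards its apt tasks with `ansible_distribution in ['Debian', 'Ubuntu']`; on an Ubuntu host, or any host that is not Debian, sources_list.yml would delete /etc/apt/sources.list and /etc/apt/sources.list.d and replace them with Debian Trixie sources. Gate both imports with `when: ansible_distribution == "Debian"`. The `when` on the bookworm_to_trixie import is evaluated against facts gathered before the upgrade, which is the intent, but nothing in the role re-gathers after that step, so later conditions in the same run still see `bookworm`. The leading `ansible.builtin.setup` duplicates the play's `gather_facts: yes`; if it exists for plays that disable fact gathering, say so in the comment above it.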
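Review bot: Deleting every `EXTERNALLY-MANAGED` marker re-enables system-wide `pip install` into the distribution's site-packages, which is what PEP 668 exists to prevent because pip can then overwrite apt-managed modules; the marker is installed by the Python packaging, so it is likely to reappear on the next Python upgrade and the role will keep re-removing it. If pip is needed on these hosts, a per-invocation `--break-system-packages` or a virtualenv for the tooling keeps the guard intact; if the task stays, a comment above it stating why is warranted. `paths: /usr/lib` with `recurse: yes` walks all of /usr/lib although the task name says `/usr/lib/python*`; `find` supports `depth` to limit the descent. The `when: externally_managed_files.matched > 0` guard is redundant because `loop` over an empty `files` list does nothing.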
@@ -0,0 +1,42 @@
+---
+- name: Remove old sources.list and sources.list.d
+ file:
+ path: "{{ item }}"
+ state: absent
+ loop:
+ - /etc/apt/sources.list
+ - /etc/apt/sources.list.d
+ become: yes
+
+- name: Ensure sources.list.d directory exists
+ file:
+ path: /etc/apt/sources.list.d
+ state: directory
+ mode: 0755
+ become: yes
+
+- name: Create Trixie sources.list.d
+ copy:
+ dest: /etc/apt/sources.list.d/debian.sources
+ content: |
+ Types: deb deb-src
+ URIs: https://deb.debian.org/debian
+ Suites: trixie trixie-updates trixie-backports
+ Components: main
+ Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+
+ Types: deb deb-src
+ URIs: https://deb.debian.org/debian-security
+ Suites: trixie-security
+ Components: main
+ Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
+ owner: root
+ group: root
+ mode: 0644
+ become: yes
+
+- name: Update APT cache after sources.list.d
+ apt:
+ update_cache: yes
+ force_apt_get: yes
+ become: yes
diff --git a/roles/base/tasks/system_update.yml b/roles/base/tasks/system_update.yml
new file mode 100644
index 0000000..77537ce
--- /dev/null
+++ b/roles/base/tasks/system_update.yml
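Review bot: Removing `/etc/apt/sources.list.d` wholesale deletes every third-party repository definition, not only Debian's; other roles in main.yml (the ones tagged docker_install and traefik_install, by the look of it) may have placed `.list`/`.sources` files there, and on each re-run they vanish until that role runs again — delete `/etc/apt/sources.list` and the specific Debian file instead. The file ends with `update_cache` only, so `trixie-security`, first enabled here, is never upgraded against in this run: the upgrades in system_update.yml and bookworm_to_trixie.yml ran earlier with the old sources. Either order this file before the upgrade step or add an `apt: upgrade: dist` task after the cache refresh. `mode: 0755` and `mode: 0644` are unquoted octal; the first hunk of this commit switched to `"0644"`, so quote these for consistency.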
@@ -0,0 +1,48 @@
+---
+- name: Ensure debian-archive-keyring is installed
+ apt:
+ name: debian-archive-keyring
+ state: present
+ update_cache: yes
+ become: yes
+
+- name: Update APT cache
+ apt:
+ update_cache: yes
+ force_apt_get: yes
+ when: ansible_distribution in ['Debian', 'Ubuntu']
+
+- name: Upgrade all packages to latest
+ apt:
+ name: "*"
+ state: latest
+ force_apt_get: yes
+ when: ansible_distribution in ['Debian', 'Ubuntu']
+ register: upgrade_result
+
+- name: Dist-upgrade packages
+ apt:
+ upgrade: dist
+ force_apt_get: yes
+ when: ansible_distribution in ['Debian', 'Ubuntu']
+ register: dist_upgrade_result
+
+- name: Install required packages
+ apt:
+ name: "{{ install_packages }}"
+ state: present
+ become: yes
+ when: ansible_distribution in ['Debian', 'Ubuntu']
+ register: install_result
+
+- name: Reboot if required after updates
+ reboot:
+ reboot_timeout: 600
+ test_command: whoami
+ when:
+ - upgrade_result.changed or dist_upgrade_result.changed or install_result.changed
+ - ansible_virtualization_type != "lxc"
+ become: yes
+
+- name: Gather facts after reboot
+ setup:
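Review bot: `become: yes` is set on the keyring, install and reboot tasks but not on `Update APT cache`, `Upgrade all packages to latest` or `Dist-upgrade packages`, which need root just as much; this only works today because every play in main.yml sets play-level become, so either drop the per-task `become` throughout or add it to all apt tasks. `name: "*"` with `state: latest` immediately followed by `upgrade: dist` is redundant — the dist-upgrade covers the former. The reboot condition fires whenever anything was installed or upgraded, including a plain `htop` install; comparing the running kernel with the installed one, or a reboot-required marker where the host provides one, would reboot only when needed. `setup:` here is the short form while main.yml of the same role uses `ansible.builtin.setup`; pick one.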