diff --git a/roles/debian_server/tasks/btrfs.yml b/roles/debian_server/tasks/btrfs.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f53ba7d67598d188b578902f6af98cc376af1dcc
--- /dev/null
+++ b/roles/debian_server/tasks/btrfs.yml
@@ -0,0 +1,40 @@
+---
+- name: Copy btrfs backup script
+  copy:
+    dest: /usr/local/sbin/btrfs-backup
+    group: root
+    mode: preserve
+    owner: root
+    src: btrfs-backup
+
+- name: Create btrfs scrub services
+  # yamllint disable rule:line-length
+  loop: &btrfs_devices |-
+    {{ ansible_mounts|selectattr("fstype", "equalto", "btrfs")|map(attribute="device")|unique }}
+  # yamllint enable rule:line-length
+  ansible.builtin.template:
+    dest: /etc/systemd/system/scrub{{ name }}.service
+    mode: 0o0644
+    src: scrub.service.j2
+  vars: &btrfs_vars
+    device: '{{ item }}'
+    name: '{{ item|replace("/", "_") }}'
+  tags: [scrub]
+
+- name: Create btrfs scrub timers
+  loop: *btrfs_devices
+  ansible.builtin.template:
+    dest: /etc/systemd/system/scrub{{ name }}.timer
+    mode: 0o0644
+    src: scrub.timer.j2
+  vars: *btrfs_vars
+  tags: [scrub]
+
+- name: Enable the btrfs scrub timers
+  loop: *btrfs_devices
+  ansible.builtin.systemd:
+    enabled: true
+    name: scrub{{ name }}.timer
+    state: started
+  vars: *btrfs_vars
+  tags: [scrub]
diff --git a/roles/debian_server/tasks/docker.yml b/roles/debian_server/tasks/docker.yml
new file mode 100644
index 0000000000000000000000000000000000000000..00836deede46cec8b9fbc688fd2741f77724ae77
--- /dev/null
+++ b/roles/debian_server/tasks/docker.yml
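Review bot: `Copy btrfs backup script` installs a root-owned script into `/usr/local/sbin` with `mode: preserve`, so the installed permissions depend on the mode of the checkout on the controller (git records only the executable bit, the rest follows the checkout's umask); an explicit `mode: 0o0755` pins the result and matches the explicit modes the unit-file tasks below already use. In `Enable the btrfs scrub timers` the `.timer` units have just been written by the preceding template task, so on a host where they did not exist before the systemd task may need `daemon_reload: true` for `state: started` to find the new unit; I cannot see from the diff whether a handler already covers this, so verify before relying on it. The `loop: &btrfs_devices` block scalar is a Jinja expression that is expected to render to a list; a short comment above it, such as `# Renders to the list of btrfs-backed device paths from ansible_mounts`, would save the next reader from having to work that out.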
@@ -0,0 +1,56 @@
+---
+- name: Disable cgroup2 for Docker
+  lineinfile:
+    backup: true
+    line: |-
+      GRUB_CMDLINE_LINUX_DEFAULT="quiet systemd.unified_cgroup_hierarchy=0"
+    path: /etc/default/grub
+  notify:
+    - Update GRUB
+
+- name: Copy the script to start stopped container after a restart
+  copy:
+    dest: /usr/share/docker.io/restart-containers
+    mode: preserve
+    src: docker-restart
+
+- name: Create a drop-in directory for the Docker service
+  file:
+    path: /etc/systemd/system/docker.service.d
+    mode: 0o0755
+    state: directory
+
+- name: Restart stopped containers after a restart
+  copy:
+    content: |
+      [Service]
+      ExecStartPost=/usr/share/docker.io/restart-containers
+    dest: /etc/systemd/system/docker.service.d/restart-containers.conf
+    mode: 0o0644
+  notify:
+    - Systemd daemon reload
+
+- name: Allow default Docker network access to local services
+  community.general.ufw:
+    direction: in
+    interface: docker0
+    rule: allow
+
+- name: Set UID/GID mapping range
+  loop:
+    - /etc/subgid
+    - /etc/subuid
+  copy:
+    content: |
+      nimrod:100000:65536
+    dest: |-
+      {{ item }}
+    group: root
+    mode: 0o0644
+    owner: root
+
+- name: Allow unprivileged user namespaces
+  ansible.posix.sysctl:
+    name: kernel/unprivileged_userns_clone
+    state: present
+    value: "1"
diff --git a/roles/debian_server/tasks/main.yml b/roles/debian_server/tasks/main.yml
index 343a78a4122147ddb0d60e522272e1c91f175a18..93c20ded4490d0a026754ba7afbb8a05d0284374 100644
--- a/roles/debian_server/tasks/main.yml
+++ b/roles/debian_server/tasks/main.yml
@@ -6,15 +6,6 @@
       - ansible_distribution_major_version|int >= 10
       - ansible_service_mgr == "systemd"
 
-- name: Disable cgroup2 for Docker
-  lineinfile:
-    backup: true
-    line: |-
-      GRUB_CMDLINE_LINUX_DEFAULT="quiet systemd.unified_cgroup_hierarchy=0"
-    path: /etc/default/grub
-  notify:
-    - Update GRUB
-
 - name: Enable the backports repo
   loop:
     - deb
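Review bot: The `lineinfile` task at the top of docker.yml has no `regexp`, so on a `/etc/default/grub` that already carries a `GRUB_CMDLINE_LINUX_DEFAULT=` assignment the module appends a second one at end of file instead of replacing it; `regexp: '^GRUB_CMDLINE_LINUX_DEFAULT='` makes the task replace the existing line and keeps the file free of duplicate assignments. `Set UID/GID mapping range` writes the whole of `/etc/subuid` and `/etc/subgid` from a single `content:`, which silently discards any other ranges present in those files; a `lineinfile` keyed on `regexp: '^nimrod:'` would add or fix the one entry without clobbering the rest. `Allow default Docker network access to local services` admits all inbound traffic from `docker0`, so every container on the default bridge can reach every host-bound service, and the following `kernel/unprivileged_userns_clone` sysctl widens the kernel surface available to unprivileged users; if only specific host ports are needed by containers, narrowing the ufw rule with `port`/`proto` keeps that exposure to what the setup actually requires.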
@@ -56,51 +47,17 @@
     - ufw
     state: present
 
-- name: Copy the script to start stopped container after a restart
-  copy:
-    dest: /usr/share/docker.io/restart-containers
-    mode: preserve
-    src: docker-restart
-
-- name: Create a drop-in directory for the Docker service
-  file:
-    path: /etc/systemd/system/docker.service.d
-    mode: 0o0755
-    state: directory
-
-- name: Restart stopped containers after a restart
-  copy:
-    content: |
-      [Service]
-      ExecStartPost=/usr/share/docker.io/restart-containers
-    dest: /etc/systemd/system/docker.service.d/restart-containers.conf
-    mode: 0o0644
-  notify:
-    - Systemd daemon reload
-
 - name: Rate limit SSH
   community.general.ufw:
     rule: limit
     port: ssh
     proto: tcp
 
-- name: Allow default Docker network access to local services
-  community.general.ufw:
-    direction: in
-    interface: docker0
-    rule: allow
-
 - name: Enable UFW
   community.general.ufw:
     default: reject
     state: enabled
 
-- name: Allow unprivileged user namespaces
-  ansible.posix.sysctl:
-    name: kernel/unprivileged_userns_clone
-    state: present
-    value: "1"
-
 - name: Allow more inotify watches
   ansible.posix.sysctl:
     name: fs.inotify.max_user_watches
@@ -128,80 +85,6 @@
     regexp: swap
     state: absent
 
-- name: Set UID/GID mapping range
-  loop:
-    - /etc/subgid
-    - /etc/subuid
-  copy:
-    content: |
-      nimrod:100000:65536
-    dest: |-
-      {{ item }}
-    group: root
-    mode: 0o0644
-    owner: root
-
-- name: Create my www directory
-  file:
-    group: www-data
-    mode: 0o0755
-    owner: www-data
-    path: /var/www
-    state: directory
-
-- name: Create an SSL directory under /var
-  file:
-    group: root
-    mode: 0o0755
-    owner: root
-    path: /var/ssl
-    state: directory
-
-# I know that I can use Ansible modules instead of calling OpenSSL directly, but
-# with the command module I can easily skip the task if the private key or the
-# certificate already exist. The point is to create an SSL and self-signed
-# certificate only as a bootstrap step. Once there is an existing (and assumed
-# valid) certificate, don't overwrite it.
-
-- name: Create private SSL key
-  command:
-    cmd: openssl genrsa -out /var/ssl/site.key 4096
-    creates: /var/ssl/site.key
-
-- name: Make sure the private key is accessible
-  file:
-    mode: 0o0444
-    path: /var/ssl/site.key
-    state: file
-
-- name: Create SSL certificate
-  command:
-    cmd: >-
-      openssl
-      req
-      -x509
-      -out /var/ssl/site.crt
-      -nodes
-      -key /var/ssl/site.key
-      -batch
-    creates: /var/ssl/site.crt
-
-- name: Create Diffie-Hellman Parameters file
-  community.crypto.openssl_dhparam:
-    force: false
-    mode: 0o0644
-    path: /var/ssl/dhparams
-    size: 4096
-    state: present
-
-- name: Copy btrfs backup script
-  copy:
-    dest: /usr/local/sbin/btrfs-backup
-    group: root
-    mode: preserve
-    owner: root
-    src: btrfs-backup
-
 - name: Mail aliases
   loop:
     - root
@@ -235,34 +118,14 @@
     name: update.timer
     state: started
 
-- name: Create btrfs scrub services
-  # yamllint disable rule:line-length
-  loop: &btrfs_devices |-
-    {{ ansible_mounts|selectattr("fstype", "equalto", "btrfs")|map(attribute="device")|unique }}
-  # yamllint enable rule:line-length
-  ansible.builtin.template:
-    dest: /etc/systemd/system/scrub{{ name }}.service
-    mode: 0o0644
-    src: scrub.service.j2
-  vars: &btrfs_vars
-    device: '{{ item }}'
-    name: '{{ item|replace("/", "_") }}'
-  tags: [scrub]
+- name: Include Docker tasks
+  ansible.builtin.include_tasks:
+    file: docker.yml
 
-- name: Create btrfs scrub timers
-  loop: *btrfs_devices
-  ansible.builtin.template:
-    dest: /etc/systemd/system/scrub{{ name }}.timer
-    mode: 0o0644
-    src: scrub.timer.j2
-  vars: *btrfs_vars
-  tags: [scrub]
+- name: Include web tasks
+  ansible.builtin.include_tasks:
+    file: web.yml
 
-- name: Enable the btrfs scrub timers
-  loop: *btrfs_devices
-  ansible.builtin.systemd:
-    enabled: true
-    name: scrub{{ name }}.timer
-    state: started
-  vars: *btrfs_vars
-  tags: [scrub]
+- name: Include btrfs tasks
+  ansible.builtin.include_tasks:
+    file: btrfs.yml
diff --git a/roles/debian_server/tasks/web.yml b/roles/debian_server/tasks/web.yml
new file mode 100644
index 0000000000000000000000000000000000000000..3341ded21f613fa07f49099b1253bb030a7b2ee0
--- /dev/null
+++ b/roles/debian_server/tasks/web.yml
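Review bot: Moving the scrub tasks behind an untagged `ansible.builtin.include_tasks` breaks `--tags scrub`: `include_tasks` is a dynamic include, so when the play is limited by tags the include task itself is skipped and the `tags: [scrub]` tasks inside btrfs.yml are never loaded. Either tag the include (`tags: [scrub]` on `Include btrfs tasks`; the per-task tags inside then still apply) or use `ansible.builtin.import_tasks`, which is static and propagates tags to the imported tasks. The same consideration applies to the docker.yml and web.yml includes if any of their tasks are meant to be selectable by tag, although none of the tasks moved there carry tags in this diff.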
@@ -0,0 +1,53 @@
+---
+- name: Create my www directory
+  file:
+    group: www-data
+    mode: 0o0755
+    owner: www-data
+    path: /var/www
+    state: directory
+
+- name: Create an SSL directory under /var
+  file:
+    group: root
+    mode: 0o0755
+    owner: root
+    path: /var/ssl
+    state: directory
+
+# I know that I can use Ansible modules instead of calling OpenSSL directly, but
+# with the command module I can easily skip the task if the private key or the
+# certificate already exist. The point is to create an SSL and self-signed
+# certificate only as a bootstrap step. Once there is an existing (and assumed
+# valid) certificate, don't overwrite it.
+
+- name: Create private SSL key
+  command:
+    cmd: openssl genrsa -out /var/ssl/site.key 4096
+    creates: /var/ssl/site.key
+
+- name: Make sure the private key is accessible
+  file:
+    mode: 0o0444
+    path: /var/ssl/site.key
+    state: file
+
+- name: Create SSL certificate
+  command:
+    cmd: >-
+      openssl
+      req
+      -x509
+      -out /var/ssl/site.crt
+      -nodes
+      -key /var/ssl/site.key
+      -batch
+    creates: /var/ssl/site.crt
+
+- name: Create Diffie-Hellman Parameters file
+  community.crypto.openssl_dhparam:
+    force: false
+    mode: 0o0644
+    path: /var/ssl/dhparams
+    size: 4096
+    state: present
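Review bot: `Make sure the private key is accessible` relaxes `/var/ssl/site.key` to `mode: 0o0444`, so the TLS private key is readable by every local account on the host; restrict it to the reader that actually needs it instead, e.g. `owner: root`, `group: <SERVICE_GROUP placeholder>` and `mode: 0o0640` (or `0o0600` when only root reads it). `Create SSL certificate` runs `openssl req -x509` without `-days`, so the bootstrap certificate gets OpenSSL's default 30-day validity, and because the task is guarded by `creates:` it is never regenerated once it has expired; an explicit `-days` (and a `-subj`) makes the bootstrap predictable. The comment above these tasks explains why the command module is used, but not what is expected to happen to the self-signed certificate afterwards; a sentence such as `# The self-signed certificate is only a placeholder until a real one is installed.` would make the intent explicit, assuming that is the plan.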