diff --git a/config/automatrop/roles/extensions/tasks/main.yml b/config/automatrop/roles/extensions/tasks/main.yml
index 5345d1f..d81f30b 100644
--- a/config/automatrop/roles/extensions/tasks/main.yml
+++ b/config/automatrop/roles/extensions/tasks/main.yml
@@ -1,6 +1,8 @@
-- include_role:
+- name: Load extensions
+ include_role:
 name: "geoffreyfrogeye.{{ item }}automatrop.entry"
 loop: "{{ extensions }}"
+ tags: always
 - name: Configure extensions rc sourcing
 template:
diff --git a/config/automatrop/roles/software/templates/snippets/pm_system.j2 b/config/automatrop/roles/software/templates/snippets/pm_system.j2
index 9192a68..726dbec 100644
--- a/config/automatrop/roles/software/templates/snippets/pm_system.j2
+++ b/config/automatrop/roles/software/templates/snippets/pm_system.j2
@@ -1,5 +1,5 @@
 etckeeper
-{% if has_batttery %}
+{% if has_battery %}
 tlp
 {% endif %}
 dhcpcd
@@ -8,3 +8,9 @@ chrony
 {% if encrypt_home_stacked_fs %}
 ecryptfs-utils
 {% endif %}
+kexec-tools
+openvpn
+{% if arch_based %}
+openvpn-update-resolv-conf-git
+{# TODO Other distributions #}
+{% endif %}
diff --git a/config/automatrop/roles/system/files/openvpn-client.service b/config/automatrop/roles/system/files/openvpn-client.service
new file mode 100644
index 0000000..616c8f3
--- /dev/null
+++ b/config/automatrop/roles/system/files/openvpn-client.service
@@ -0,0 +1,10 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/openvpn --suppress-timestamps --nobind --config %i.conf --script-security 2 --up /etc/openvpn/update-resolv-conf --down /etc/openvpn/update-resolv-conf
+# The part before --script-security 2 might need upgrading from
+# /usr/lib/systemd/system/openvpn-client@.service if it was upgraded
+Restart=on-failure
+User=
+AmbiantCapabilities=
+# It's not pretty, but other script only work with systemd or call resolvconf with -p,
+# which doesn't work without a local DNS resolver
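Review bot: `openvpn-update-resolv-conf-git` in the second hunk looks like a VCS (`-git`) package, which is built from whatever the upstream branch contains at install time rather than from a pinned release. The openvpn-client drop-in added in this same commit calls `/etc/openvpn/update-resolv-conf` through `--up`/`--down`; if that script is provided by this package and the service runs as root, unreviewed upstream changes end up executing as root. Consider a template comment such as `{# VCS package; its script runs via openvpn --up/--down, review before upgrading #}`, or shipping a pinned copy of the script from the role instead.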
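Review bot: `AmbiantCapabilities=` in the new drop-in is misspelled; the systemd directive is `AmbientCapabilities=`, so systemd will most likely warn about an unknown key and ignore the line, leaving in place whatever ambient capabilities the packaged unit sets. If the intent is to reset them together with `User=`, the line should read `AmbientCapabilities=`. The empty `User=` also means the daemon, and the `--up`/`--down` scripts enabled by `--script-security 2`, run as root (assuming the packaged unit otherwise switches to an unprivileged user). A comment such as `# runs as root so update-resolv-conf can rewrite resolv.conf; keep the script and %i.conf root-owned and not writable by others` would record that trade-off.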
diff --git a/config/automatrop/roles/system/tasks/main.yml b/config/automatrop/roles/system/tasks/main.yml
index 56a11ae..8e6d264 100644
--- a/config/automatrop/roles/system/tasks/main.yml
+++ b/config/automatrop/roles/system/tasks/main.yml
@@ -65,6 +65,27 @@
 become: yes
 when: extlinux.stat.exists
+- name: Remove bootsplash packages (Arch based)
+ pacman:
+ name:
+ - bootsplash-systemd
+ - bootsplash-theme-manjaro
+ state: absent
+ become: yes
+ when: arch_based
+
+
+# Display Manager
+
+- name: Remove display manager packages (Arch based)
+ pacman:
+ name:
+ - sddm
+ - sddm-breath2-theme
+ state: absent
+ become: yes
+ when: arch_based
+
 # Xorg configuration
 - name: Check if there is nvidia-xrun is installed
@@ -262,6 +283,15 @@
 notify:
 - wifi setup changed
+- name: Mask systemd-networkd
+ systemd:
+ name: systemd-networkd
+ state: stopped
+ enabled: no
+ masked: yes
+ become: yes
+ notify: etc changed
+
 # Time synchronisation
 - name: Mask systemd-timesyncd
@@ -272,7 +302,6 @@
 masked: yes
 become: yes
 notify: etc changed
- when: arch_based
 - name: Configure chrony
 copy:
@@ -309,6 +338,24 @@
 notify:
 - etc changed
+# VPN configuration
+
+- name: Prepare directory for openvpn-client service override
+ file:
+ path: /etc/systemd/system/openvpn-client@.service.d
+ state: directory
+ mode: "u=rwx,g=rx,o=rx"
+ become: yes
+
+- name: Make openvpn use hooks for resolvconf
+ copy:
+ src: openvpn-client.service
+ dest: /etc/systemd/system/openvpn-client@.service.d/override.conf
+ become: yes
+ notify:
+ - etc changed
+ - systemd changed
+
 # TODO Hibernation, if that's relevant
 # $ sudo blkid | grep 'TYPE="swap"'
 # $ sudoedit /etc/default/grub
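Review bot: The new `Mask systemd-networkd` task has no `when:` guard, and the next hunk drops `when: arch_based` from `Mask systemd-timesyncd`, so both now run on every host the role targets. With `state: stopped`, a host whose interfaces are managed by systemd-networkd could lose connectivity in the middle of the play, and on a host where the unit does not exist the `systemd` module may fail rather than skip; both are worth confirming. If running everywhere is intended, a comment above the task such as `# network is handled outside systemd-networkd on all managed hosts; keep it masked` would document that, otherwise gate the task on a fact or variable. The timesyncd task begins outside its hunk.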
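Review bot: The `copy` task that installs `override.conf` in the last hunk sets no `owner`, `group` or `mode`, unlike the `file` task just above it, which sets `mode` explicitly. This drop-in defines the `ExecStart` of a system service, so its permissions should not depend on the umask or on a file that already exists at the destination. Add `owner: root`, `group: root` and `mode: "u=rw,g=r,o=r"` to the task. The directory task could pin `owner: root` and `group: root` in the same way.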