diff --git a/roles/custom/fvs/tasks/main.yml b/roles/custom/fvs/tasks/main.yml index d374870..b5e1094 100644 --- a/roles/custom/fvs/tasks/main.yml +++ b/roles/custom/fvs/tasks/main.yml @@ -260,5 +260,12 @@ KERNEL=="mmcblk[0-9]", ENV{ID_NAME}=="?*", ENV{ID_SERIAL}=="?*", GROUP="domain users" KERNEL=="mmcblk[0-9]p[0-9]*", ENV{ID_NAME}=="?*", ENV{ID_SERIAL}=="?*", GROUP="domain users" +- name: Set KiCad 3Dmodel path + ansible.builtin.lineinfile: + path: /etc/environment.d/90lmn-kicad.conf + create: true + mode: '0644' + line: KICAD9_3DMODEL_DIR=/lmn/tools/KiCad/kicad-packages3D + - name: Include sync ansible.builtin.include_tasks: sync.yml diff --git a/roles/lmn_encrypt/tasks/main.yml b/roles/lmn_encrypt/tasks/main.yml index 83196c8..6c81e7b 100644 --- a/roles/lmn_encrypt/tasks/main.yml +++ b/roles/lmn_encrypt/tasks/main.yml @@ -7,6 +7,7 @@ when: - item.value.partitions is defined - item.value.partitions | dict2items | length > 0 + - item.value.partitions | dict2items | selectattr('value.holders', 'search', 'luks|crypt') | length > 0 loop: "{{ ansible_devices | dict2items }}" - name: Get luks slots diff --git a/roles/lmn_exam/templates/no-way-out-nftable.j2 b/roles/lmn_exam/templates/no-way-out-nftable.j2 index 2c6efb8..93305a9 100644 --- a/roles/lmn_exam/templates/no-way-out-nftable.j2 +++ b/roles/lmn_exam/templates/no-way-out-nftable.j2 @@ -13,15 +13,17 @@ ${filterchain} chain filterin_${interface} { type filter hook ingress device ${interface} priority filter; policy drop; ip saddr \$allowed_ipv4 accept - ip saddr ${gateway} accept; - ip saddr 255.255.255.255 accept; + ip saddr ${gateway} accept + ip saddr 255.255.255.255 accept + ether type arp accept } chain filterout_${interface} { type filter hook egress device ${interface} priority filter; policy drop; ip daddr \$allowed_ipv4 accept - ip daddr ${gateway} accept; - ip daddr 255.255.255.255 accept; + ip daddr ${gateway} accept + ip daddr 255.255.255.255 accept + ether type arp accept } EOF ) 
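Review bot: The new `Set KiCad 3Dmodel path` task in roles/custom/fvs/tasks/main.yml uses `lineinfile` with `line:` but no `regexp:`, so the module only recognises the exact line. If the directory is changed in a later revision, the old assignment stays in /etc/environment.d/90lmn-kicad.conf and a second `KICAD9_3DMODEL_DIR=` line is appended after it. Adding `regexp: '^KICAD9_3DMODEL_DIR='` makes the task replace the existing assignment instead.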
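Review bot: The added condition in roles/lmn_encrypt/tasks/main.yml pipes `selectattr(...)` straight into `length`. `selectattr` yields a generator, and on Ansible/Jinja2 versions that do not convert it this fails with a "no len()" error, so `| list | length > 0` is the safer spelling. `holders` in the device facts is normally a list, so the `search` test presumably runs against the list's string form rather than each holder name; confirm that this matches on the Ansible version in use. The match also relies on the mapper name containing `luks` or `crypt`, so an encrypted partition opened under another name, or not opened at all, is skipped without any message. A comment above the condition such as `# only devices with an opened LUKS/crypt mapping are handled` would record that assumption; the task this `when` belongs to starts above the hunk.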
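Review bot: In `filterin_${interface}` of roles/lmn_exam/templates/no-way-out-nftable.j2 the rule `ip saddr 255.255.255.255 accept` probably never matches, because the limited broadcast address is a destination and not a valid source address. If it is meant to admit broadcast DHCP replies it should read `ip daddr 255.255.255.255 accept`, otherwise it can be dropped. The new `ether type arp accept` lines accept ARP from and to every host on the segment, which IPv4 resolution needs but which is wider than the IP allow-list. A comment such as `# ARP must pass or the gateway and allowed hosts cannot be resolved; not filtered by address` would show that this is deliberate. The heredoc these chains sit in starts above the hunk.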
diff --git a/roles/lmn_sssd/tasks/main.yml b/roles/lmn_sssd/tasks/main.yml index 0ff5b60..6dcd0a0 100644 --- a/roles/lmn_sssd/tasks/main.yml +++ b/roles/lmn_sssd/tasks/main.yml @@ -27,8 +27,8 @@ echo "{{ ad_passwd }}" | adcli join --stdin-password -U {{ ad_user }} {{ domain | upper }} no_log: true vars: - - ad_user: "{{ 'global-admin' if (adpw.user_input | default(ansible_cmdline.adpw) | default('') | length > 0) else sssd_domjoin_user }}" - - ad_passwd: "{{ adpw.user_input | default('') if adpw.user_input | length > 0 else ansible_cmdline.adpw | default(sssd_domjoin_passwd) | default('') }}" + ad_user: "{{ 'global-admin' if (adpw.user_input | default(ansible_cmdline.adpw) | default('') | length > 0) else sssd_domjoin_user }}" + ad_passwd: "{{ adpw.user_input | default('') if adpw.user_input | length > 0 else ansible_cmdline.adpw | default(sssd_domjoin_passwd) | default('') }}" when: - adpw.user_input | length > 0 or ansible_cmdline.adpw | default(sssd_domjoin_passwd) | default('') | length > 0
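Review bot: `ad_user` and `ad_passwd` can resolve to different accounts: when `adpw.user_input` is defined but empty, the plain `default(ansible_cmdline.adpw)` in `ad_user` is not applied, so the user becomes `sssd_domjoin_user` while `ad_passwd` falls through to `ansible_cmdline.adpw`. Writing the `ad_user` condition as `adpw.user_input | default(ansible_cmdline.adpw | default(''), true) | length > 0` keeps the pair consistent. Separately, the password is templated into the command text (`echo "{{ ad_passwd }}" | adcli join ...`), so a password containing `"`, `$` or a backtick is interpreted by the shell. Passing it through the module's `stdin: "{{ ad_passwd }}"` parameter and calling `adcli join --stdin-password ...` directly avoids that; the task starts above the hunk, so the module in use is not visible here. A password taken from `ansible_cmdline.adpw` also stays readable in /proc/cmdline for the whole boot, which deserves at least a comment next to these vars.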