diff --git a/roles/backup_client/defaults/main.yml b/roles/backup_client/defaults/main.yml index 350a361d734f23639f116d51064070e3d7cf0ff9..ed9ee5c50d1971b074a05e16fc75ea6a171025c3 100644 --- a/roles/backup_client/defaults/main.yml +++ b/roles/backup_client/defaults/main.yml @@ -4,3 +4,20 @@ backup_additional_encryption_keys: [] backup_client_username: "bak-{{ ansible_fqdn | replace('.', '_') }}" backup_server_destination: /duplicity backup_server_port: 2222 + +# Internal parameters. + +# GnuPG 2 binary in Debian Jessie and Debian Stretch is different. Additionally, +# Debian Jessie duply configuration expects short keys, while Debian Stretch +# expects long keys. We set-up parameters for this here in a bit of a workaround +# way instead of setting facts within the playbook. +backup_client_gnupg_details: + jessie: + binary: gpg2 + cutoff: '{8}' + stretch: + binary: gpg + cutoff: '{0}' + +gnupg_binary: "{{ backup_client_gnupg_details[ansible_distribution_release]['binary'] }}" +gnupg_key_cutoff: "{{ backup_client_gnupg_details[ansible_distribution_release]['cutoff'] }}" diff --git a/roles/backup_client/molecule.yml b/roles/backup_client/molecule.yml index 39ecbb1c7c267feecb68512715e1e3ea820b2ef5..d9f958fa9681b1b0149c0a1480d8c59155600f99 100644 --- a/roles/backup_client/molecule.yml +++ b/roles/backup_client/molecule.yml @@ -10,6 +10,8 @@ vagrant: platforms: - name: debian-jessie64 box: debian/contrib-jessie64 + - name: debian-stretch64 + box: debian/stretch64 providers: - name: virtualbox diff --git a/roles/backup_client/playbook.yml b/roles/backup_client/playbook.yml index f6d7d10a65e9f0e4fca5b834ed10ac1a83769af1..4ce25411af62e405d940ce0136fe0377e541249d 100644 --- a/roles/backup_client/playbook.yml +++ b/roles/backup_client/playbook.yml 
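Review bot: `gnupg_binary` and `gnupg_key_cutoff` index `backup_client_gnupg_details[ansible_distribution_release]` unconditionally, so on any host that is not Jessie or Stretch (the deleted facts.yml additionally required `ansible_distribution == 'Debian'`) the first task that renders either variable fails with Ansible's generic "'dict object' has no attribute" message instead of one naming the unsupported release. Failing closed is the right outcome, but the comment block should say so; add `# Only the releases listed below are supported: any other release fails at the first use of gnupg_binary / gnupg_key_cutoff.` Separately, if `cutoff: '{8}'` is what truncates a fingerprint to the 8-hex short key ID that Jessie's duply expects, short IDs are not collision-resistant and should not be the only thing binding the backup to its key — how the cutoff is applied is not visible in this diff, so confirm and note it next to the `jessie:` entry.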
@@ -7,67 +7,79 @@ apt: update_cache: yes -- hosts: backup-server - roles: - - role: backup_server - backup_host_ssh_private_keys: - dsa: "{{ lookup('file', 'tests/data/ssh/server_dsa') }}" - rsa: "{{ lookup('file', 'tests/data/ssh/server_rsa') }}" - ed25519: "{{ lookup('file', 'tests/data/ssh/server_ed25519') }}" - ecdsa: "{{ lookup('file', 'tests/data/ssh/server_ecdsa') }}" - backup_clients: - - server: parameters-mandatory - ip: 10.31.127.20 - public_key: "{{ lookup('file', 'tests/data/ssh/parameters-mandatory.pub') }}" - - server: parameters-mandatory - uid: 5001 - ip: 10.31.127.21 - public_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}" - -# Set-up custom user and port for testing optional parameters. - hosts: backup-server tasks: - - name: Set-up backup group - group: - name: backupuser - - name: Set-up backup user - user: - name: backupuser - group: backupuser - - name: Set-up firewall configuration for port forwarding - copy: - content: "domain (ip ip6) table nat chain PREROUTING { proto tcp dport 3333 REDIRECT to-ports 2222; }" - dest: /etc/ferm/conf.d/50-redirect_3333.conf - owner: root - group: root - mode: 0640 - notify: - - Reload firewall - - name: Set-up firewall configuration to accept incoming connections to port 3333 + + - name: Deploy SSH server keys copy: - content: "domain (ip ip6) table filter chain INPUT { proto tcp dport 3333 ACCEPT; }" - dest: /etc/ferm/conf.d/55-accept_3333.conf + content: "{{ lookup('file', item.key) + '\n' }}" + dest: "{{ item.value }}" owner: root group: root - mode: 0640 + mode: 0600 + with_dict: + tests/data/ssh/server_dsa: /etc/ssh/ssh_host_dsa_key + tests/data/ssh/server_rsa: /etc/ssh/ssh_host_rsa_key + tests/data/ssh/server_ed25519: /etc/ssh/ssh_host_ed25519_key + tests/data/ssh/server_ecdsa: /etc/ssh/ssh_host_ecdsa_key notify: - - Reload firewall + - Restart ssh + + - name: Set-up backup user groups + group: + name: "{{ item.name }}" + with_items: "{{ backup_users }}" + + - name: Set-up backup 
users + user: + name: "{{ item.name }}" + group: "{{ item.name }}" + with_items: "{{ backup_users }}" + + - name: Set-up authorised keys + authorized_key: + user: "{{ item.name }}" + key: "{{ item.key }}" + with_items: "{{ backup_users }}" + + - name: Set-up port forwarding + command: "iptables -t nat -A PREROUTING -p tcp -m tcp --dport '{{ item }}' -j REDIRECT --to-ports 22" + changed_when: False + with_items: + - 2222 + - 3333 + + - name: Set-up directory for parameters-mandatory backups + file: + path: /duplicity + state: directory + owner: bak-parameters-mandatory + group: bak-parameters-mandatory + mode: 0700 + handlers: - - name: Reload firewall + - name: Restart ssh service: - name: ferm + name: ssh state: restarted + vars: + backup_users: + - name: bak-parameters-mandatory + key: "{{ lookup('file', 'tests/data/ssh/parameters-mandatory.pub') }}" + - name: backupuser + key: "{{ lookup('file', 'tests/data/ssh/parameters-optional.pub') }}" + - hosts: parameters-mandatory roles: - role: backup_client backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-mandatory.asc') }}" - backup_server: backup-server + backup_server: 10.31.127.10 backup_server_host_ssh_public_keys: - - "{{ lookup('file', 'tests/data/ssh/server_dsa') }}" - - "{{ lookup('file', 'tests/data/ssh/server_rsa') }}" - - "{{ lookup('file', 'tests/data/ssh/server_ed25519') }}" - - "{{ lookup('file', 'tests/data/ssh/server_ecdsa') }}" + - "{{ lookup('file', 'tests/data/ssh/server_dsa.pub') }}" + - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}" + - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}" + - "{{ lookup('file', 'tests/data/ssh/server_ecdsa.pub') }}" backup_ssh_key: "{{ lookup('file', 'tests/data/ssh/parameters-mandatory' ) }}" - hosts: parameters-optional 
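Review bot: The `Set-up port forwarding` task runs `iptables -t nat -A PREROUTING …` with `changed_when: False`, so every run of the play appends another duplicate REDIRECT rule and the play output never reports it; the task is neither idempotent nor honest about changing the host. If the Ansible in use has the `iptables` module (2.0 and later) it is idempotent and replaces the raw `command`; otherwise guard the append with `iptables -t nat -C … || iptables -t nat -A …`. The hand-rolled server setup in this hunk also replaces the removed `backup_server` role invocation, and `Set-up authorised keys` installs the client keys with no `key_options`, giving the test accounts an unrestricted login — what the role previously applied is not visible here, so confirm whether a `restrict`/`command=` option belongs on those keys. The `parameters-optional` play that starts on the hunk's last line continues outside it.
```yaml
    - name: Set-up port forwarding
      iptables:
        table: nat
        chain: PREROUTING
        protocol: tcp
        destination_port: "{{ item }}"
        jump: REDIRECT
        to_ports: "22"
      with_items:
        - 2222
        - 3333
    # … unchanged: backup directory task, handlers, vars …
```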
@@ -79,12 +91,12 @@ - "{{ lookup('file', 'tests/data/gnupg/additional_encryption_key_3.asc') }}" backup_client_username: backupuser backup_encryption_key: "{{ lookup('file', 'tests/data/gnupg/parameters-optional.asc') }}" - backup_server: backup-server + backup_server: 10.31.127.10 backup_server_destination: "/home/backupuser" backup_server_host_ssh_public_keys: - - "{{ lookup('file', 'tests/data/ssh/server_dsa') }}" - - "{{ lookup('file', 'tests/data/ssh/server_rsa') }}" - - "{{ lookup('file', 'tests/data/ssh/server_ed25519') }}" - - "{{ lookup('file', 'tests/data/ssh/server_ecdsa') }}" + - "{{ lookup('file', 'tests/data/ssh/server_dsa.pub') }}" + - "{{ lookup('file', 'tests/data/ssh/server_rsa.pub') }}" + - "{{ lookup('file', 'tests/data/ssh/server_ed25519.pub') }}" + - "{{ lookup('file', 'tests/data/ssh/server_ecdsa.pub') }}" backup_server_port: 3333 backup_ssh_key: "{{ lookup('file', 'tests/data/ssh/parameters-optional' ) }}" diff --git a/roles/backup_client/tasks/facts.yml b/roles/backup_client/tasks/facts.yml deleted file mode 100644 index b11a9f9a9d7b6bc3102db225140212da080fd136..0000000000000000000000000000000000000000 --- a/roles/backup_client/tasks/facts.yml +++ /dev/null @@ -1,14 +0,0 @@ ---- - -# Determine how to invoke the GnuPG binary based on Debian version. -- set_fact: gnupg_binary="gpg2" - when: "ansible_distribution == 'Debian' and ansible_distribution_release == 'jessie'" -- set_fact: gnupg_binary="gpg" - when: "ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch'" - -# Determine cut-off for the GnuPG key ID (long vs short) based on Debian -# version. -- set_fact: gnupg_key_cutoff="{8}" - when: "ansible_distribution == 'Debian' and ansible_distribution_release == 'jessie'" -- set_fact: gnupg_key_cutoff="{0}" - when: "ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch'" 
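Review bot: `backup_server_host_ssh_public_keys` lists `server_dsa.pub` (an `ssh-dss` key) as a trusted host key; OpenSSH 7.0 and later disables ssh-dss host keys by default, so on the Stretch box this commit adds to molecule.yml that entry is never used for host verification, and DSA host keys are deprecated regardless of release. Dropping the `- "{{ lookup('file', 'tests/data/ssh/server_dsa.pub') }}"` line (and the matching `ssh_host_dsa_key` deployment in the server play) keeps the test from depending on a legacy algorithm that the newer platform silently ignores. The `parameters-optional` play this hunk belongs to starts before the hunk.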
diff --git a/roles/backup_client/tasks/main.yml b/roles/backup_client/tasks/main.yml index 1d0311f261be624db5000a9ca4dcffc8c64d0ba5..341f1f4fdad0ffb36ffbd987b767d3a1acfdf051 100644 --- a/roles/backup_client/tasks/main.yml +++ b/roles/backup_client/tasks/main.yml @@ -1,9 +1,5 @@ --- -- include: facts.yml - tags: - - handlers - - name: Install pexpect for pexpect+sftp Duplicity backend (only on Stretch) apt: name="python-pexpect" state=installed when: "ansible_distribution == 'Debian' and ansible_distribution_release == 'stretch'" @@ -87,4 +83,4 @@ include: ../handlers/main.yml when: "handlers | default(False) | bool() == True" tags: - - handlers \ No newline at end of file + - handlers diff --git a/roles/backup_client/tests/data/ssh/server_dsa.pub b/roles/backup_client/tests/data/ssh/server_dsa.pub new file mode 100644 index 0000000000000000000000000000000000000000..edccdf329b89854629222b2a5f6b7b5740cdb88f --- /dev/null +++ b/roles/backup_client/tests/data/ssh/server_dsa.pub @@ -0,0 +1 @@ +ssh-dss AAAAB3NzaC1kc3MAAACBALf+gfHQnAMOR4N/IjCZlniejPcAkdB6/E8YwiG26aKeRo3x2Q2budFWqJMtbtfcz0++hVAO2LvYYk2uVMe2WoVwWSZGQA4fcGUrs5B4CHTpOl/lHuu3GixNshCz+8ueQDqs/NYp/BdUcU4yIxvUII6+3hB/bkRz8LpczYJKJqVlAAAAFQD6yuMkAdrYcViFtbTciGEytGtBvwAAAIBFUdmJVFPPQd8NynBAkk+eKMUQFR2CcYgD1w/BfT0UP85hL/mYX1Eaiy+U3ylN6g8+RNalQX0IymIYMisXSRPF1gElVpbuCF9VV49c03q/9LfRogV1tRpZeEz9JK5xbBviEnI+kKP8o1ivmIjAVln72lnKdH+t4njma5CBpG9zJQAAAIAYAG/Udg4i/2q8Iemqs5TuP48ge1CxQcyFw4vVl2zr85MPZ24rBf+ZPGy1CsEBpJqHQ5agftMYR9CRcxlqAP44JpIPcSq1NsL59HnXDsdCe/IJjO4JmL1HL+VIcWkXgj0MxGds8hck+HC5lX7jGAKjZBea8ksBZD/Ma2WvYKXpgg== diff --git a/roles/backup_client/tests/data/ssh/server_ecdsa.pub b/roles/backup_client/tests/data/ssh/server_ecdsa.pub new file mode 100644 index 0000000000000000000000000000000000000000..cb8b45c7164d6af3659281f9c7b06ed2a6ac0344 --- /dev/null +++ b/roles/backup_client/tests/data/ssh/server_ecdsa.pub 
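Review bot: Removing the `facts.yml` include drops the only place the role checked `ansible_distribution == 'Debian'` before choosing a GnuPG binary; with the replacement defaults, an unsupported host now fails at whichever task first renders `gnupg_binary` or `gnupg_key_cutoff`, with a generic "'dict object' has no attribute" message and after any earlier tasks have already run. An explicit `assert` at the top of the task list gives a named failure before anything is changed on the host and documents the supported releases in one place; the pexpect task just below already uses the same Debian condition. The rest of the task list is outside this hunk.
```yaml
- name: Verify the target release is supported by backup_client
  assert:
    that:
      - "ansible_distribution == 'Debian'"
      - "ansible_distribution_release in backup_client_gnupg_details"
    msg: "backup_client supports only Debian {{ backup_client_gnupg_details.keys() | join('/') }}"

# … unchanged: pexpect install and remaining tasks …
```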
@@ -0,0 +1 @@ +ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLaZb8xcw5PbzQ8Jo8xygcUaI6ziGLs+ZqsAqJSOIou9iN0zSKO9a4ujbeMgIbfZZPB5UWcv1CxNekTZ4tkrAaM= diff --git a/roles/backup_client/tests/data/ssh/server_ed25519.pub b/roles/backup_client/tests/data/ssh/server_ed25519.pub new file mode 100644 index 0000000000000000000000000000000000000000..28478f2c8fe9008595d1ca3b8652dcda2fd4762e --- /dev/null +++ b/roles/backup_client/tests/data/ssh/server_ed25519.pub @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOQzNj16lZ3ucIJvwnFYzR/vZT3SuWiIVPNOhK5JGlq6 diff --git a/roles/backup_client/tests/data/ssh/server_rsa.pub b/roles/backup_client/tests/data/ssh/server_rsa.pub new file mode 100644 index 0000000000000000000000000000000000000000..b2b4d8750eedff8cfa91ae676d573db4f16aa250 --- /dev/null +++ b/roles/backup_client/tests/data/ssh/server_rsa.pub @@ -0,0 +1 @@ +ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC2SqbwZNanhTMM8wL1iGtNOR7nYbXcCQNbU65crXN43W1tz4GXoyluHEEXs0we7jmZZyow19X89Ve5w8ODL42KRDtNXoN8wjoLwZ1l7iGsrN1oUXJP7i6i9lH/0F+fudFB3Tm53ieBr0MEMdxAQBpk+MCi64G0iuvZeE0sKG5JfSky82ZZ26m5EchORJuiiKObB17EsUGl091S8eiLXIIiQQvg4d9933oAqNCLe0uxbNfJcbMJAdr+m9rYxyVoPXweUm1beb/6/vZQzAf0HL5+Ic/mbLu3z4httCh0dIlCqjRe/8llqF21psIlN8D8hZkzY6WEo7/v9wHAGFTFFFlJ