diff --git a/inventory/group_vars/all b/inventory/group_vars/all
index f42d5e8fe6..879263a5d3 100644
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@@ -148,6 +148,15 @@ nagios_Check_Services:
 sshd: true
 swap: true
 nat_rules: []
+# default network block device encryption settings for linux-system-roles/nbde_client
+nbde_client_bindings:
+ - device: /dev/md2
+ encryption_password: "{{ nbde_password }}"
+ password_temporary: no
+ threshold: 1
+ servers:
+ - http://tang01.iad2.fedoraproject.org
+ - http://tang02.iad2.fedoraproject.org
 # usually we do not want to enable nested virt, only on some virthosts
 nested: false
 network_connections:
diff --git a/playbooks/groups/buildhw.yml b/playbooks/groups/buildhw.yml
index 388115feec..23fd4ffd27 100644
--- a/playbooks/groups/buildhw.yml
+++ b/playbooks/groups/buildhw.yml
@@ -59,7 +59,7 @@
 - koji_builder
 - { role: bkernel, when: inventory_hostname.startswith('bkernel') }
- - { role: clevis, when: "inventory_hostname.startswith(('bkernel', 'buildhw-x86'))" }
+ - { role: linux-system-roles.nbde_client, when: "inventory_hostname.startswith(('bkernel', 'buildhw-x86'))" }
 - { role: serial-console, when: "inventory_hostname.startswith(('bkernel', 'buildhw-x86'))" }
 - hosts
 - ipa/client
diff --git a/playbooks/groups/openqa-workers.yml b/playbooks/groups/openqa-workers.yml
index 959e5f7dab..ef0c204a96 100644
--- a/playbooks/groups/openqa-workers.yml
+++ b/playbooks/groups/openqa-workers.yml
@@ -21,7 +21,7 @@
 - { role: collectd/base, tags: ['collectd_base'] }
 - { role: sudo, tags: ['sudo'] }
 - { role: openqa/worker, tags: ['openqa_worker'] }
- - { role: clevis, tags: ['clevis'], when: datacenter == 'iad2'}
+ - { role: linux-system-roles.nbde_client, tags: ['nbde_client'], when: datacenter = 'iad2' }
 - apache
 tasks:
diff --git a/playbooks/groups/virthost.yml b/playbooks/groups/virthost.yml
index 86824a1818..09f18761e7 100644
--- a/playbooks/groups/virthost.yml
+++ b/playbooks/groups/virthost.yml
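Review bot: `threshold: 1` against two tang servers means either server alone can release the /dev/md2 key, so the binding is only as strong as the weaker of tang01 and tang02; if availability was the intent that is fine, but the comment should say so, e.g. `# threshold 1: either tang server alone suffices to unlock (availability over requiring both)`. The bindings also carry no tang key fingerprint, so the trust anchor is whatever advertisement the servers present at bind time — worth confirming that is acceptable here, or pinning the key if the role supports it. Because this default now lives in group_vars/all for every host, any play that applies linux-system-roles.nbde_client without a `when` will bind /dev/md2 with this password; every application in this change is gated, but a note to that effect next to the binding would stop the next one from being forgotten. Separately, `password_temporary: no` should be `password_temporary: false` to match `sshd: true` / `nested: false` in the same file.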
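Review bot: `when: datacenter = 'iad2'` on the added nbde_client line uses a single `=`, which is not a comparison in Jinja2; the removed clevis line right above it used `==`. I would expect Ansible to report a failed conditional check for the syntax error rather than evaluate it as false, so the play fails on every host instead of skipping the role — but either way the disk binding is not applied. Change it to `- { role: linux-system-roles.nbde_client, tags: ['nbde_client'], when: datacenter == 'iad2' }`.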
@@ -14,14 +14,6 @@
 - "/srv/private/ansible/vars.yml"
 - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
- vars:
- nbde_client_bindings:
- - device: /dev/md2
- encryption_password: "{{ nbde_password }}"
- servers:
- - http://tang01.iad2.fedoraproject.org
- - http://tang02.iad2.fedoraproject.org
-
 pre_tasks:
 - include_vars: dir=/srv/web/infra/ansible/vars/all/ ignore_files=README
 - import_tasks: "{{ tasks_path }}/yumrepos.yml"
@@ -38,8 +30,7 @@
 - { role: iscsi_client, when: "inventory_hostname.startswith(('bvmhost-x86-06', 'bvmhost-x86-07')) and datacenter == 'iad2'" }
 - sudo
 - virthost
- - { role: clevis, when: datacenter == 'iad2' and not inventory_hostname.startswith('bvmhost-x86-04.stg') }
- - { role: linux-system-roles.nbde_client, when: inventory_hostname.startswith('bvmhost-x86-04.stg') }
+ - { role: linux-system-roles.nbde_client, when: datacenter = 'iad2' }
 - { role: serial-console, when: datacenter == 'iad2' and not inventory_hostname.startswith('buildvmhost-s390x') }
 tasks:
diff --git a/playbooks/manual/autosign.yml b/playbooks/manual/autosign.yml
index edc40480b2..b804ca50fc 100644
--- a/playbooks/manual/autosign.yml
+++ b/playbooks/manual/autosign.yml
@@ -73,7 +73,7 @@
 owner_user: robosignatory
 owner_group: robosignatory
- - { role: clevis, when: datacenter == 'iad2'}
+ - { role: linux-system-roles.nbde_client, when: datacenter = 'iad2' }
 - { role: serial-console, when: datacenter == 'iad2'}
 pre_tasks:
diff --git a/playbooks/manual/sign-vault.yml b/playbooks/manual/sign-vault.yml
index c4f09eb428..824cb45727 100644
--- a/playbooks/manual/sign-vault.yml
+++ b/playbooks/manual/sign-vault.yml
@@ -35,7 +35,7 @@
 roles:
 - base
 - rkhunter
- - { role: clevis, when: datacenter == 'iad2'}
+ - { role: linux-system-roles.nbde_client, when: datacenter = 'iad2' }
 - { role: serial-console, when: datacenter == 'iad2'}
 - sigul/server
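Review bot: The replacement condition `when: datacenter = 'iad2'` uses a single `=`, while the iscsi_client and serial-console lines in the same hunk use `==`; a Jinja2 syntax error in a `when` is reported as a failed conditional check rather than evaluating to false, so I would expect every task of the role to fail on every host. It should read `- { role: linux-system-roles.nbde_client, when: datacenter == 'iad2' }`. This change also removes the clevis role that pushed a static `ip=` kernel command line and flushed dracut's addresses before NetworkManager (the deleted roles/clevis files); for virthosts that relied on `br0_ip` / `eth0_ip` / `eno1_ip` for early-boot networking, confirm the new role still obtains an address in the initramfs, otherwise the host may stall at the LUKS prompt on reboot. The play's `roles:` list starts before this hunk.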
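Review bot: Same single `=` typo here: `when: datacenter = 'iad2'` is not valid Jinja2, and the serial-console line directly below it shows the intended `datacenter == 'iad2'`. Since this play appears to provision the robosignatory host (see `owner_user: robosignatory` in the context lines), a role that errors out before disk binding is applied is worth catching before the play is run; change the line to `- { role: linux-system-roles.nbde_client, when: datacenter == 'iad2' }`.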
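Review bot: `when: datacenter = 'iad2'` needs `==`, as on the serial-console line below it; with a single `=` the condition is a Jinja2 syntax error rather than a comparison, so the role will not run on the sigul server host. Change it to `- { role: linux-system-roles.nbde_client, when: datacenter == 'iad2' }`. The play's `roles:` list may continue past `- sigul/server`, the last entry visible in the hunk.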
diff --git a/roles/clevis/files/flush-dracut-network@.service b/roles/clevis/files/flush-dracut-network@.service
deleted file mode 100644
index 49c22c7412..0000000000
--- a/roles/clevis/files/flush-dracut-network@.service
+++ /dev/null
@@ -1,15 +0,0 @@
-# Remove Dracut's network configuration
-# https://access.redhat.com/solutions/3017441
-# https://unix.stackexchange.com/questions/506331/networkmanager-doesnt-change-ip-address-when-dracut-cmdline-provided-static-ip
-
-[Unit]
-Description=Remove dracut's network configuration for %I
-Before=network-pre.target
-Wants=network-pre.target
-
-[Service]
-ExecStartPre=/usr/sbin/ip address show %i
-ExecStart=/usr/sbin/ip -statistics address flush dev %i
-
-[Install]
-WantedBy=default.target
diff --git a/roles/clevis/tasks/main.yml b/roles/clevis/tasks/main.yml
deleted file mode 100644
index 71c97d5709..0000000000
--- a/roles/clevis/tasks/main.yml
+++ /dev/null
@@ -1,40 +0,0 @@
----
-- name: copy in dracut config for clevis
- template:
- src: 99-clevis-fix.conf
- dest: /etc/dracut.conf.d/99-clevis-fix.conf
- tags:
- - clevis
-
-- name: copy in the systemd unit file to wipe dracut networking
- copy:
- src=flush-dracut-network@.service
- dest=/etc/systemd/system/flush-dracut-network@.service
- notify:
- reload systemd
- tags:
- - clevis
-
-- name: enable the systemd unit to wipe dracut networking (br0)
- systemd:
- name: flush-dracut-network@{{ br0_dev }}
- enabled: true
- when: br0_dev is defined
- tags:
- - clevis
-
-- name: enable the systemd unit to wipe dracut networking (eno1)
- systemd:
- name: flush-dracut-network@eno1
- enabled: true
- when: eno1_ip is defined
- tags:
- - clevis
-
-- name: enable the systemd unit to wipe dracut networking (eth0)
- systemd:
- name: flush-dracut-network@eth0
- enabled: true
- when: eth0_ip is defined
- tags:
- - clevis
diff --git a/roles/clevis/templates/99-clevis-fix.conf b/roles/clevis/templates/99-clevis-fix.conf
deleted file mode 100644
index 0f416a9311..0000000000
--- a/roles/clevis/templates/99-clevis-fix.conf
+++ /dev/null
@@ -1,13 +0,0 @@
-# DHCP for talking to tang server
-{% if br0_ip is defined %}
-kernel_cmdline="ip={{ br0_ip }}::{{ br0_gw }}:{{ br0_nm }}::{{ br0_dev }}:none:{{ dns }}"
-{% elif eth0_ip is defined %}
-kernel_cmdline="ip={{ eth0_ip }}::{{ gw }}:{{ nm }}::eth0:none:{{ dns }}"
-{% elif eth0_ipv4 is defined %}
-kernel_cmdline="ip={{ eth0_ipv4 }}::{{ eth0_ipv4_gw }}:{{ eth0_ipv4_nm }}::eth0:none:{{ dns1 }}"
-{% elif eno1_ip is defined %}
-kernel_cmdline="ip={{ eno1_ip }}::{{ gw }}:{{ nm }}::eno1:none:{{ dns }}"
-{% endif %}
-
-# Don't create /etc/sysconfig/network-scripts/ifcfg-* files during boot
-omit_dracutmodules+=" ifcfg "