diff --git a/books/base.yml b/books/base.yml
index 2896714..23c0daf 100644
--- a/books/base.yml
+++ b/books/base.yml
@@ -9,6 +9,7 @@
   roles:
     - networking
     - base_config
+    - prometheus-node-exporter
 
 - hosts: all, !tests, !no_user,
   roles:
diff --git a/books/monitoring.yml b/books/monitoring.yml
new file mode 100644
index 0000000..1265a5b
--- /dev/null
+++ b/books/monitoring.yml
@@ -0,0 +1,12 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: prometheus_servers
+  roles:
+    - prometheus
+    - prometheus-alert-manager
+    - grafana
+    - prometheus-blackbox-exporter
+
+- hosts: all, !tests,
+  roles:
+    - prometheus-node-exporter
diff --git a/group_vars/all/ca.yml b/group_vars/all/ca.yml
new file mode 100644
index 0000000..6c4c46a
--- /dev/null
+++ b/group_vars/all/ca.yml
@@ -0,0 +1,57 @@
+---
+ca_passphrase: "{{ vault_ca_passphrase }}"
+ca_key: "{{ vault_ca_key }}"
+ca_cert: |
+  -----BEGIN CERTIFICATE-----
+  MIIFhzCCA2+gAwIBAgIUP+ptXLNUBVsZm5oYpynQd5mhB60wDQYJKoZIhvcNAQEL
+  BQAwUzELMAkGA1UEBhMCRlIxEzARBgNVBAgMClNvbWUtU3RhdGUxFTATBgNVBAoM
+  DFBhaW5zLVBlcmR1czEYMBYGA1UEAwwPQ0EgUGFpbnMtUGVyZHVzMB4XDTIxMDky
+  MTE0NDUxNloXDTMxMDkxOTE0NDUxNlowUzELMAkGA1UEBhMCRlIxEzARBgNVBAgM
+  ClNvbWUtU3RhdGUxFTATBgNVBAoMDFBhaW5zLVBlcmR1czEYMBYGA1UEAwwPQ0Eg
+  UGFpbnMtUGVyZHVzMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA4jG+
+  8N5YN91KghYjYTOBQ+lRYJ45X5S9mfcwwf8OIMGe+NyNkXx2GX4uYpZOitYOApI4
+  rGnAjhll7tdZevzfdqpUDCYUDT6iR4BzL32k22mIN+iW6zQPaZetOU7VIA9V5TsM
+  WbDsftqh6fj3N4SwVMpHiuiajMkX8CIELxoXDAJULvwyreWOONlwDMObtVCHBIhM
+  uf1Jbx2DfRNS/w6lbHPCrZefMCea1FrSaotOANXxNgQfptX3fLZbhH5RiZQLDU8k
+  ZChAUoW9hE4+uiSOUMd2hl9XgCWHcGEMcKyWG+/lx8UUw3Zl+oOrfb+IWo5IByVZ
+  8nV5aiTMCuRlcTcMHUuedRaPcWfl5ZaEOVzhYXIYM4Oa8ShqXuWqW0WZ8oIhI2ya
+  hTE03mIPV1nX3ucE9GsDZpnrj7t+qd8etiZXFGVihKEqVFfhzKRsPh4wgUKH/gwG
+  AJshPA9NyJ0JpzUaWQ2acUjo3Hg9WPSTaMb46FS7hUdZUcZZiwSq9JjHDNAUKjNY
+  zudKjTyqJXkqwhNvMfKWFIGYjldvZgQXzuT8XmSHYSKuLfH9Ko28FX0Aujye1TTH
+  MPljXruyO04Q7NUg/jqtxdsWRpH/qCt12PmRuIiXsNCAeLjSuc75H+AOPbNudJLT
+  w2AUTkfn3mw/XTwEBfemHAo6GAdtCDKo6GxBqvcCAwEAAaNTMFEwHQYDVR0OBBYE
+  FIh4sxxlmesmbVKPWKo81BXMFVqVMB8GA1UdIwQYMBaAFIh4sxxlmesmbVKPWKo8
+  1BXMFVqVMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAKipx6Nu
+  QwnYmwYPd3kUVBOj9ia0PVeE4LoUSRapzRTF2HilSIo9Sa7qD1HVxbWrghUPLjW/
+  Ru04k82hxvAm26gc1XeqIBzpgZmxwF0QibCeuj1vDXsndACXVHd6Atvnl0rW4bEI
+  pVCqerXNu0T4STk2V/xNqndGMRp/vZX67BlyHAHD4el957R9RYlyxW6fADrHDKqk
+  tC1eTeQtEi5W7v9X3dNGdtFS+exDrYpUTHPDwM81u25oCGUFGsH3RlG7LUEQ5mYW
+  SsJ3EKpIkMxSZB3/GqttCIHi+yEMtwDDL3dN8UnVaTkRjVNQxraOUwe66QByGqnJ
+  9YeQNpUfZxWFW/GW2fBAvD/RaLrLZ4ywhUze38ks4jsLnAIduawjQ8GlNg9i2MqD
+  zvDat41LWSCDjRUOfCp7fc9lMlI5blTafozrAddMV8YUs3bQ6XD0H31pP59jb7nc
+  5kmwqH6RivbFZZYBquQVujiiI7d+9m+X9OfTZJTCpRPCGYZcLuqH7txyPhixxrZd
+  a8lWJ+5jHOdncV/ZWSB5JnjKbaMMEPcaTo3puEPt/yl74CR7UOJXr5oM0bVFKjas
+  90hY5U+jPAcneCk2oc44R4NWuQ7qbsjPRfcxxi27DoLbhlmPp9jQwYQEqmdflcZ0
+  zCTEq81KO2mAbJgTc/ahhcvAV/huJ5d8c9R1
+  -----END CERTIFICATE-----
+crl_distribution_points:
+  - full_name: "URI:https://ca.deso-palaiseau.fr/revocations.crl"
+    reasons:
+      - key_compromise
+      - ca_compromise
+      - affiliation_changed
+      - superseded
+      - cessation_of_operation
+      - certificate_hold
+      - privilege_withdrawn
+      - aa_compromise
+  - full_name: "URI:https://ca-pains-perdus.intra/revocations.crl"
+    reasons:
+      - key_compromise
+      - ca_compromise
+      - affiliation_changed
+      - superseded
+      - cessation_of_operation
+      - certificate_hold
+      - privilege_withdrawn
+      - aa_compromise
diff --git a/group_vars/all/revers_proxy.yml b/group_vars/all/revers_proxy.yml
new file mode 100644
index 0000000..34aea68
--- /dev/null
+++ b/group_vars/all/revers_proxy.yml
@@ -0,0 +1,9 @@
+---
+
+reverse_proxy_sites:
+  - {from: wiki.pains-perdus.fr,          to: "https://azerty.fil.sand.auro.re:2443"}
+  - {from: hindley.pains-perdus.fr,       to: "http://127.0.0.1:5000"}
+  - {from: "{{ grafana_domain_name }}",   to: "http://127.0.0.1:3000"}
+
+sharing_sites:
+  - {from: share.deso-palaiseau.fr,                 folder: "/home/histausse/www",            user: histausse,     group: histausse}
diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml
index f1e582e..90d7b95 100644
--- a/group_vars/all/vars.yml
+++ b/group_vars/all/vars.yml
@@ -2,3 +2,14 @@
 # Use python 3
 ansible_python_interpreter: /usr/bin/python3
 dns_resolve_server: 1.1.1.1
+
+# Default prometheus serveur, to overide in host_vars or something
+appointed_prometheus_server: hindley
+
+grafana_admin_password: "{{ vault_grafana_admin_password }}"
+grafana_domain_name: monitoring.deso-palaiseau.fr
+
+kassandra_username: cassandre
+kassandra_password: "{{ vault_kassandra_password }}"
+alert_rooms:
+  - "#monitoring:pains-perdus.fr"
diff --git a/group_vars/all/vault b/group_vars/all/vault
index ecd6b1c..67d3aba 100644
--- a/group_vars/all/vault
+++ b/group_vars/all/vault
@@ -1,81 +1,272 @@
 $ANSIBLE_VAULT;1.1;AES256
-38386365383032383336346430353334613639636464383235646565306161323463363466383934
-3636386138346634386634373266643937356339373734370a366435343137643330393939353664
-39386432396430306339326435323862373135323263663139373032646136333064373365313161
-6130343436313762620a633064326538393135626536343062383862366536646239656133366133
-38616531393837313365643734303062353030333763303132646231376363386239336631643231
-38303230643135653238333132633739363333656534643765623836333936363062613132316339
-31646365623030343433623264633665353432623839393638643039653561623361366630393631
-38333636316432323165316261323337306238633237653733376539323136663231376462623035
-30336463353738373061346431333435626362383134306661343562633437656462333430653663
-30396231336336353535373337343434366536333865623065653238333637383332613338613361
-61653566303962626534636530313238363662316163336532353738313962623835343032643930
-37333864366539363131333538643963353531663132353964306263316437323866666664633435
-39636663383831393534623639343839343931363834383839363837623636643838623536396563
-35396663326661386532303238353461636435366564366534393162663834363539363335393336
-62636465666665643165653130326437393162616433386637613430623466666364333334663132
-35356364646263653131363863303532633562306661636530313766636262386361623630326633
-62653866383864366666663963643138363264363965346538306135386633626439313961623735
-62363864373266333038333430613535633636343631316439353837376331666336326432663135
-33356630353862386166306536643538643163346532663439303764396565323661373136366133
-32373765376331323431386464396137666431613365363866323438663062386365326131616264
-39616632613565323238323133343061303433653539653833653264383165333364323239643466
-32613731393065323066396563363530393264323930653839396438356164356333333137656236
-31346133343336666337633637613064666533613631313335616637653735363462663864636330
-63646163383337323933323664303961346461613065356332383531333336326632316634656231
-64346565363636363066646533303238633465653830613264663963326630366564336330343236
-32623438306238396166666539363539646137643363666332366563663231326632363230666465
-36656662313335656462386463366432656230616232663637303235646664343066363563666261
-32393536666265663038353439623536633363386335326138383565643337353031356432396339
-31323464353338326237646263366262346265643363343761313436396332646237346339346333
-66323636336537303839653962306531643762366230303963636535633537613062366236613131
-39376162363134376135656463626366343537626438656362343838323435316266656637636161
-38623134386532383862303234666338306234646538623464613362623331396339613931653262
-62633364363230353666343562343661316431333664646161616632643736646664396532303633
-62336233316435626230386565383264313062646637313234626135626566343932343563653130
-38313137306331636436633536396539373032393135393336303731633030393139616136366536
-31633936613663303837306632643730613062663262616239343263636463386230313336363237
-31626531303639666464376335366135623063343266663265393635316338306633363561376234
-63653039313532376230626533353136666262663761376432633763636131653162386131366366
-36396534303230353133306331626539623832323462393237633233393865363864656531646632
-36613137366262393163386465656233373365636437616133393862663632636131393563613763
-62376133356430303838386634363963653865336138303831636164626538633066316637643732
-30363561393862623037616232653135663765336134383037346439373335393466646530616166
-33646462313463346535346236363830643130313632366162633866373362653162623035306366
-39623734306636356135393965646534313961306632623531303830343564393361343464653961
-31623562396435616466653232623163393161336434623631313233353736303834333935626138
-35613764633564313961316236623265353037636635656331363937356363323630646537393335
-36396632383865336639393033653738323739396236383535333332396361306131303864616130
-33613762643438393261353335383565316231623963386536653334666634623136343833613137
-37396261623035353038636337323536346334613837343935386132656338633335643265616138
-36663937376231333233646466633162346630653532336536373262313337373261656130643632
-66613534363130313230323665613163356366386664653436363132356664306231356135383266
-66376336323062323863616434323465356439343434646531373365313039303639343735323836
-35613234343563356162326466366638343439333464656434643332663432393730643130623032
-65663237333338323939616565333738306634383038643630376164306530623733623933333064
-62623131323736643832616334383338383634393664653338663436626434306631643966613031
-33616362313039666130613538306561343135626235343765396335396339373630373135313832
-38383062366262663832343563613334623336343639316435386664353636643162636634653535
-39623039643336393733626634363466353437353533373764313565653766663630386234626661
-61393161383565386131636563323038373236663861363339333361646464613836623139366435
-35363463623431343634653565363066623464653961313661343963363464386361306137393763
-64616135633935393566356561363038613134363964356136643734366232366166643564653264
-36613066366266646434323862643735643333613163666334363337643263626639623433663733
-39383562363531656433633033313961303837643765626530383665316433353634396463333662
-38353936633034636461303863356564653939393239316538663838643336346331363230616630
-62353237353733326132646138373737306135653634383032363433663063613430373935653131
-38646664393133363365303130623532373438313831643230396431363333386463643031653262
-64396261303235326530636565353764316236643466623666623165383536333565633064333262
-37316237643863626561613036303061346265613730626137316136623338626564666464333862
-35393831656533616365316334633538626166616263306636313231313234306532636633646665
-33336138333632396530333363613866376535316430656134613339626262666133666264376439
-64303964633165333161613663343438393539643839366331303563613436613730383837356165
-32363231653233346438313262393462313135636566343063626436326166373866356434656561
-65386562666331316232336463373336623733393161666430616165306238616531306266626363
-66636234333231666637616163353361306331393562393938353733303139393930633965373638
-36336266343231366662643134613662643037373638316362653030383866373636386339346466
-64396639353266316264653264343036616634343964646237363036313937323833633863316231
-35363964393863346132373830383032646536356261616265353439316637396563336536373363
-37313936393662353665653134613535393865333362636262656439326331336366303139653034
-35626566333965616162663465613335316462326130396330383236396133383039636335343565
-65386630653033376163
+66653939356531646231633866643664343439626466393835366664643239356166353639656466
+3731653736323063643664616534393834666637623438610a653265313233663738326166366234
+64393862363239636533343139663166643331363133343230633032656633663033313032353630
+3666666439346332350a323239376135383262376661366632363963303433666362316535323664
+31336635356137646565396131396461653630363362356638346266316231383036323632653366
+33323430663863346664653562326330376639623131323936386639303065313738356665613535
+64633663393963666363336265383661366264643931313939666561646134303130353034376530
+63383064373633326263383332303632316135353862333365326439636131366165663636626337
+63383566653331346536626138653733613666356162336163643566623737653337396436313134
+36343535363331366463306335386465643464336339663933323733396437663332303231363237
+39313663656136336466393737323965336430306437336530306361343631396132653230353137
+64316538373532333332643638613736393661336565346364313961613736383063316433623634
+62373137326336663236323463313462313739666162386333653235373763356335393039356638
+64646131313930313438613264303535633137663662613163653165393835303032366462326564
+33386134636231353762363563313137626134393563383838313834396235346364303731653136
+34363964386165323561633138306137613632616437643632656334653138373330346434386262
+65383662366135613939393266633062663665303935663634313735663361333862356565393265
+33373036623232663830623962363139626436616339393863326130333163353038373530643566
+33393733623635333931363932376663613364393832646231616133366264646230633033643062
+37336335383732613837303035376563653638306437393336383565623264316166653437386432
+61336433316531346636356262313534653037336139633839613163356365643466636662616462
+35323135636337353930636463613437326538303736643262663262633330396663303064313933
+32346437643938303265353363353735373862383761326333306138386266363566386336366436
+32386436323564323964346332313363373534626162613033363564646264376662323366353939
+64303663383031613634333333353563333761363134393637633031306561373339663031366466
+63396634396535366461396262663739383861656461383435323936636166623862663130356630
+33646365343564633662663438613338356131383638363930626338393739326336396361356232
+34366363646432316431656439656136633838663066626436383238323165393836386636373039
+64653930666334326237363261666364663531623535373265623638396334636439346465313238
+64356335313731353939313364363534393762616634326262653366303234633338626661663165
+36346430326431656639346161363861396438626661663930396334646339663333366535303438
+65346136396334376530366438613737386535353431396531316265393036623430383735623237
+64663634666564656633643462653962386332623539623933653966323066376536386463336361
+32353732663366643438343862613863373564383638336332353039643833653563396136626131
+63306635386163313131623738363533313131613537363735333337323334353462383039336433
+66636137356462383538303336363439313938666165366434333030396561613833613539383737
+33613332633763343865363034653730336364653461666331353837653637663139306366313663
+61633133633563353132643066366633626435303363616661353138343363363139386232386464
+33636432306366313234373861633762646661333836386462383761643865383231656664646265
+38653266613365366435643934623139336666343265363632386166336433626634656238366663
+32663664336162386336326566396336653831373364383033643331623834643838336635656438
+64393936366238616666333565353530643563656338323763336436636461353963343130666634
+65386430313463623539616537333134323134373836663036663830353435393365653136363566
+66356431663466666562653338623839363438396530653031373538663039353638623838633831
+64636534343263356166373561373864643736653530323530323833356539316232363564616135
+32643138313537356565306433326137623535373963353361393439383030646262393538626636
+37373336313132396465343561363635643633363638356365363935653931316263323261356531
+36636239323362663935356464663737386462306162373336333264333963653537353563383361
+34663030386331643361353033613564363236303364646430313866323836383238366535376230
+38616165626535343939323162303735656630666262336536626334313834333730626433643835
+39353963323364386430366339393162303031643865333839326533333961393036636365353637
+31353863633065306230353665623335353331366333323039646435613537336436373962626137
+39393461373938613432303565323763653130313334313637306534666235643337383333333837
+39353834373666646561626535386239303030633062633565356332653664343337636263363631
+32636264353165343637633436373564313065643236396631366334633365386234636261383066
+35373433353539626661336430663037303839353134613230633363373664363962316630386265
+35663535353466613265616637646130316531643461393965643232366432313561303238393432
+32353266336533633064363039343431333331646132363833303433363632613632646461666366
+31613764313237636236303432613864336532323537333062363066633463393666366331653936
+31653133313862356632383066353361636334303138666361333939646536333137343734343731
+31636130623666386236393462646236393933383235313036383932336665616430333330316634
+62623631373631383434333363376331643664336536636430393962626165646662636637313633
+37316166343834373865353730343733613736643038366233623661636237633136356338356564
+31363139666630656530616334386362393638343331396436633862393031343331613438373236
+66336338623264306237333334623063626431326366643835373832383165663864613530386639
+37303064643034376135303066396164623237623239663962636563353130626332316333396331
+36646238386634623761643135353132326438303566316232653630353332363262643964666561
+32363534653261396136643765613237633761353337376338666238663039656666386137633538
+39373662336231613364393238663566303662643333633532613866643036356163313033313933
+62346532393032323432316361633162373664393363306239366433333766396438633730353533
+39306338303238356638336636306565366339336630643934323665363261303930313435633735
+65363732623666306631613465633034393536326237346639356566643736303937333239626531
+62313061383266316361326339623436373262633238366234353461306432396133383330616432
+30666235646238663631326636396364313565393966373533323464356337326138363233346430
+61393438383737393839653039633762613137353932323730613537653939613861346636653738
+39336331333237613838656531363766343235383938353165653662653439643861323436393833
+65303565356330633764663633613231336166323134653937636133343031343938366639656161
+38666136633564646131333038326237393861326564623338333438313063303661303132323938
+37303162316236666162396363626133306365666533306639383139336330616130313635353034
+65623934323930383763383466323338373561643538343564303331653961653230643863323937
+35306636376530356631303362396439643963363937633266313935343262396565383163353630
+32396132316239366231303532306436623330643732393737343636646234656662646366376265
+36343034396562633634633663623133396636643634663932393739306435653034333164656336
+62373633333938356261663261356161663937366239356464383335613431396339333761323062
+32616333656533653939336338393431366439346433396232373934353235653730616230633762
+35656533326163316132373038306239663966366465393231646331646333383932336461306438
+65636434333433366637663139656630363464663564303166393931363032323633336661326164
+36633132363161616466333134343730636166653962623632366535663366653139343230363363
+66373432343961393437663466363063333561353637316438653961383966623134336537376130
+61353031386435336236346564643064613433666137633437376362626661653733343734346438
+35646332643462643631323835376231656464626536393562616466636363386339336564613539
+33316637313862356131633636626238633961363065323964353634633462663132653864373365
+61306163396532656636346532326131633134346139323566326361323664376633636339643539
+64323939336264346638653365663162356365653536333738383064326463313662356266373239
+39613439313866333735366639306166336261643938313133633633303432396662373862653736
+62313438633063343938313965616337363961303730386432333862383265653061333832306565
+66373663643435613639623735373066616236353739333538616535616435643964653936356431
+30363364323434376365393639643731663866396163636665626537343433663863363130303866
+38356565613334613931343431663862346263643330646263613166636561303038376238656430
+66316330326662616634396561366563316632663166383564343935633532633034333138653665
+37613964616162373262383338613434663166613862653963636135616265613634323438613463
+61393730396164643730393636646630386561303534363731623433363631666561313065373163
+63663164383335613565666262383162363732616534363637323566353064343162383231303064
+35373765376533383339353339636432633562333730386463633534353639656634636438303163
+36653061303036653535643933663131616166666631393836383531643165363265626562623533
+65363739663461356565313136663763333630643035383132323335333931333661376166326531
+34316166623630386365386632373433383735313563643463333662366335616237303633653763
+39633465353166313930353731376639336634633463346334643330646430313039613461333766
+65633965613962376637353131373966383034333536616361326364633532353138326535663866
+31336664333936393834346138653531313862323938373736383162386633383061373561306338
+39626634653338356330373338376332623638336537373932653539353734636336616232306132
+33323338653265666262383039393935616366623661653530623662373637356339653565323962
+63626461396264356564363238663331653662613337343236333763363461623865636564373037
+62376633616131313439343866336363653135363035386534386665323433653366653630646138
+30666330363835303664336162343432653235386631616433613262646336626331336532393438
+63313737353531316261353437663163383964663561313235393338306362376137383330656162
+32373363643466336231633136323264383934666634363933393137323032366564313137356262
+62333533363638616639633863663931376364373061323732343934643337383239303631626537
+37393032656231303366396233396162626236663230383966306361633233633430623135376132
+66393765363931386662326236393865353161633036666465653236393366363534343764316565
+66646166656437373231623133303662393461323830363261373566646163626334306265356436
+64353930303966303364396166663535336265383536373139396137396130333138393561616632
+36393732326136396534366630353731653331636333663965323433643931653033383039363638
+66373161326430363831343238656632626564306338636361363530663463363232373139366537
+37393162666464353662383564383665343334363463626231316535353738373333313738316138
+66383537663363633161346630323330653933356565616639353536386136666265383432646233
+65303163393635616539323762633962633165323661663561313061616239373834633937623064
+37373864303336323437303563656163303137656230336562336431623665323731326565626238
+64656232663363663065636239313030656132396333623332333637303537653534356662353838
+34303364636537623735656537613735393334616661373532363935363534356466663134613138
+38373437646135356165333336636639313134636136313637333364396335636335313361353265
+32396236643133396663383165653131316339616330373034393331373831626339313466363132
+34386266363637363562663764393133653732623039663034393539363061633237363737613336
+61323538633263666431346532346564353235643037383535373366613831373066636138626366
+36356563663339646534353962376436613566666165346135333264373334626530616332333961
+34386536666338306632306362343435346666303737613238373863366331646438386538373861
+63626361623932326334626630663336323439643666623332613262346535663462643834353231
+38303766366461323532356139306264326264343536386535303331376262376431666538626464
+61666235643939643334646463623337316565346263613862616263333335613736303366613430
+38303461366438363534633036373264303633613964363561346336653136353132666663376363
+38633235316666356464636538636337323432643037613762303735333836643861363464366337
+33366138396262623530663138353963306164306163303663623438353130646566656332373938
+61336337316334303135646461373463643365623235343834636164396366636639633933366561
+31386533336261326439386661326462353831393733643065316266376230383839333733396233
+63393935306331376336393937616336326263643631353764386164363639626334663032613133
+33633436376534373138316466353838663835336634306538313334643036333537653864323162
+39663565376331346532656130306632393638663139626334323261643733376636623961323533
+32653066326235346130333732396231346136336134383863383864613830313031646664386234
+30656333303234663630633237633161393966623562633964393161336335616362323535656136
+38666162306162366461303663346562306638353334383630306231346234396566343162323135
+35376136346138626130323765626464613537623530616235353537373932626535316566363332
+38336533333162643666376232646330613166633535383961666264373530313563386535353434
+38333062376634323933336239656138393961633863633537396364333039333262616166613832
+30373632333062663730343731663162376238313930376631643163353063663838326434633435
+65323465343839616166386435636233306136306563666535633164633430386332323266323038
+63653061396662336362646331353062326261376161363662346639373965356266333239613137
+35393665636238663262646130356664343033633363303536663538306139336139383864636236
+38313834393733316636313862383930343839653662623335393637396363333434646262383465
+38313231353862373935316236383135396639643761623035313834353730396330613237316465
+66646131326462383662303563646366333630343934376339323936363966393939623031343833
+63366333623332623666643932343739363735326361636536656164303365363163633934633730
+31306264656535396665386133353366653064363036656135663135373931636566646638356662
+39393433363633613437346637383837663864643734643332393833363830616536623933623239
+35366530636235643333336261633661636330633535393030313134633834633261363635376234
+63643139306632613330346264656434326238383061633837653064663334323762613636353339
+38363861356131376230613032353738356134316261613030353932303635383564333664386338
+63363033613232386431633531356532653035343466616664626363643734306233393566356663
+31643039336332636461366266343865383666356166333566386531626134373038663362306533
+34306534623166393561633266333366653261653365326337613436633137373234366234326564
+30316231636339366434396131623064353961336666626563613234303034376537646130323637
+33386532393339646437366337626463393066653831646337346463356437386333656464393233
+64333036663330373662646534653239303831323536346138393939383861303331336630353738
+33383838663939393038386438636135396361316438363234313864343731616363336533393738
+65343166343335623665653936396362363861636231643432313962333034383337656634666633
+61333161643464323562343539633130373065666363393337636664376662313834656232616164
+37613062346439326665633236323661646331336333313034306133353732336163656339373335
+65303662633039316439343363306637303530323235663261386162363930623233616639333264
+62303965636463303166323461376531393031343464663562353537613034613033346336393638
+63373165663931346566626437393166626539393866646535393330323335333737353633633764
+36643132336430303264633032316634663531666165613037313264303962663337653233346561
+63646162343930356464623431333031613464323333323162323265633637313538363963633338
+64393566643131666333333263626435613465303862663166303034313430616165656666646432
+63363634366434666461613337353765663466396330613230663737613030323531663432363465
+61623661666664366664303434373362303431623234393862633639336332316333303664323937
+31653462326432633966353138626333306136623735633932323666656632383034633662333635
+36303437343361343437643963663536646636626232633063636332353037396264366361336631
+39353638643930326166393666663262336232663661383862363731393733336665326637653434
+38343362386430363666666239623333623339623862613630663762353835303837663061303432
+39366138383263653338393131393532663965666164353963373461373263616565373166303530
+64306333343764363264363934393739316133313536353065326632316365396132326235626232
+37353562363139386633656437623165623530636138313139643764613230633133386666366437
+62333634356362343633643235643537383837343731303036396566396238623939643466373630
+64633161636638393732656534346139343230313132613737313565393665613265353562313037
+62313362363362623934663564626265363463396366336633313839643134653962656332653639
+36353238353264326139386438363438363066396537633963343839616462373838393232333932
+63353566663363373636336665393763323237383337343137623063653265393264396361383166
+34666332616164633639626537393234316530626461653161393036386161396666386538316366
+39393762626663373430646666653233376134343838313034313136303837333233353761353530
+31623364333033643035363735396562623965636437613661663736376665393037363966633430
+31376334333139613466613238303938663337313239643066353532383132336539353861396538
+33333664393764666635326461383737653661643731323935353531653735613263383435366533
+61333436386335383634376366666233633833643738646436373664306338643366643035613138
+66643661336633666333366438303136316332616638336261353162383266623933316631396232
+35306437643133346538323364616638636464613536323334646637333061343332376433346634
+31356333633832636437316466343034633266613263336132383336326532363137303861656138
+35356635343232313631613638366164303164623530663862653138633065306163343132626430
+31633739653666646564323365663961396562333336366130636530393463383461623934343164
+36316264363065343563636331373635343638373864646465306566646234643732306530353636
+38316437393264643533623338656663343633646265613531623933666432663334646136356265
+32326530343938653761333734323563643532363330326531313335323764653239626137613164
+61306437663537303561393039623330626530393363653165366236343737653137616539646332
+32656363383631393438336434323032343632393736376132656439663962323232336630623466
+64373939323832373934373531363838333565396236383661633134303338373030313436303130
+37663438336262346164633632653739613766343938303138653330656431396336376461633339
+66396565646661346461643035646432643432343435333861366531316265306530653034386265
+39303239366633613431333863663034633864373439646236633434333738383662643063373835
+31626134323462353965653131656336316265376364636533333631373966306631613566663133
+30616162636138303139306436653834366233616631303037393538633735323133346562383736
+66306265346266393566613137326132366132366463353330306539653732393963366165353139
+66643663643339666137343930633637396263346264643561383162666461346431346532353733
+38303863303537646130363066303439623664316666373039613639653133666635356165303831
+66653238643265386161393062393763383263656161666162633833336166333538386566323732
+63303962313365363939323630386532373938313630633532613331306164356338633137346262
+37376665373131316338383265363335646463663534623334303839383965376362643061376133
+36323830323938636636356561616238636134616263323633626662396239373531646363336566
+65383938656530396361663631613532316262396562323034663763653230646336633263336538
+34333866306564313562303930616330653638313031656138343565653161323931356561633264
+33313066643461343636623235376636646537663263313234356133376532663439386364326264
+30356238613761363638376431623431366131373230373239643066343035356462326533613533
+64623438363138636435333963376366656232313435373131313235636265323062333562323436
+66313532616131623836373134363033646238313861616334313033326330616631633439613332
+32393134643464363337653138336332353531316261316562393532346365666261346534653037
+33363363393563636638343265393135663838393263623364366561623934316439306663396665
+34323838366463653032303337323434643461323732623464373564613365663037383834353266
+66376537623464653433393638623337353233363932656637363661323862663930633931626138
+32613436303533353261666131636231353835666138663235386430323161623565333934383364
+65393730636438306132663464313331663966346330346437383231646439366631323865376530
+37343534616239373739353930313331303537303131653433393338396136313161306432303937
+31333535623562656662613762626365306632626461333835346431343766393135653536356536
+34653137303162656164373738373264613536663831363662373964306231343239656533353832
+32643232333339316539323132663239613731393939316466653464373835303632313436323163
+61383338333739363730633162373530626563393938323131323538326430323431623931393030
+63353264626465323061663531656131633834353233643962666333383530376233636166636666
+30393534613466623031346236643333316336333633646630643164653834353536333461353537
+62613038323730363638616437393536636333323237626633343165386230393064666638396332
+62653736353238653235356462656266616635613861623762336139656139363966386237393538
+62616661613537633232636134373763376465386361313266663133643364356231636232386261
+38653935663231323833626635663730623438306134636363633062373738396334393435373632
+39343862646464633934643735363332353064396464663761393836353137313536383930653765
+64643766616139306335313965376434643637613836373663663131663065663961376661363239
+39373563313737396131323465333462346138316131303663336638303838346565633136343964
+63633161326361303232613163316434343565623863363662623765376365663337653239376263
+61336566336239643033666566316232623966643662386233396438343366303838363661653364
+64323065396531363363393433316538386366623839626639373266393432313730646261333830
+38383964633036333139383131326361353461346337353436333730656161326361306330373636
+31303438356633363332633839616237383334396137623263363030373361623032663363656330
+31653464353737336333356635326366316533663839366636393263343963356530663135366435
+66656365396565306635656663666434646632353035653138616161383434316232386333623162
+30363964666239373361656437363263646239366362316331313234623562363434613137326536
+30356436356436333263656338303566356133383034353161383663356236353361623539653466
+63663033393733366630356432613238633936306537333136366430303033336532306239336133
+35343432633663396165663466626263316434646265363363316436636433656165333839356433
+33313838313833333565653233623732316161316566343135323065313166376466613264616163
+61383062346235643033363866643838626537363534383162353435343835643563316535663533
+33623630383835353339656430633135393364346432663662663934393534366534326137666236
+62356136346333653538626433333139353566313831643063626165343437333265633537313261
+39613933653362353731353261373230313432303536316664636663396238643665633937623837
+38373761663538653232646365333331396565343831343534383230323032373166663033333837
+36353163353732313735663065663531646366326332663831623039366566386237333134616638
+32323639326431303335396265333539643935613062326438343834376365313565666262623465
+363230303264613965363966303463356363
diff --git a/host_vars/azerty/networking.yml b/host_vars/azerty/networking.yml
index 04d24d7..52a91b9 100644
--- a/host_vars/azerty/networking.yml
+++ b/host_vars/azerty/networking.yml
@@ -12,3 +12,5 @@ interfaces:
 
 ipv4_forwarding: false
 ipv6_forwarding: false
+
+lan_address: "{{ intranet.subnets.physical.subnets.azerty.ipv4 }}"
diff --git a/host_vars/hellman/networking.yml b/host_vars/hellman/networking.yml
index 17eeafe..c4a499e 100644
--- a/host_vars/hellman/networking.yml
+++ b/host_vars/hellman/networking.yml
@@ -22,3 +22,5 @@ interfaces:
 
 ipv4_forwarding: true
 ipv6_forwarding: false
+
+lan_address: "{{ intranet.subnets.physical.subnets.hellman.ipv4 }}"
diff --git a/host_vars/hindley/networking.yml b/host_vars/hindley/networking.yml
index 6826896..efdd3e5 100644
--- a/host_vars/hindley/networking.yml
+++ b/host_vars/hindley/networking.yml
@@ -10,3 +10,5 @@ interfaces:
 
 ipv4_forwarding: true
 ipv6_forwarding: false
+
+lan_address: "{{ intranet.subnets.physical.subnets.hindley.ipv4 }}"
diff --git a/host_vars/matrix_server/networking.yml b/host_vars/matrix_server/networking.yml
index 3da7101..de2694d 100644
--- a/host_vars/matrix_server/networking.yml
+++ b/host_vars/matrix_server/networking.yml
@@ -9,3 +9,5 @@ interfaces:
 
 ipv4_forwarding: false
 ipv6_forwarding: false
+
+lan_address: "{{ intranet.subnets.physical.subnets.matrix.ipv4 }}"
diff --git a/host_vars/rossum/networking.yml b/host_vars/rossum/networking.yml
index 6bcc4ed..a34b62e 100644
--- a/host_vars/rossum/networking.yml
+++ b/host_vars/rossum/networking.yml
@@ -1,10 +1,7 @@
 ---
 interfaces:
   eth0:
-    ipv4: 192.168.0.50
-    netmaskv4: 24
-    type: static
-    gateway: 192.168.0.1
+    type: dhcp
   wg0:
     ipv4: "{{ intranet.subnets.physical.subnets.rossum.ipv4 }}"
     netmaskv4: "{{ intranet.netmaskv4 }}"
@@ -12,3 +9,5 @@ interfaces:
 
 ipv4_forwarding: false
 ipv6_forwarding: false
+
+lan_address: "{{ intranet.subnets.physical.subnets.rossum.ipv4 }}"
diff --git a/host_vars/vm1/ansible.yml b/host_vars/vm1/ansible.yml
deleted file mode 100644
index 7827357..0000000
--- a/host_vars/vm1/ansible.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-ansible_host: "vm1"
diff --git a/host_vars/vm1/networking.yml b/host_vars/vm1/networking.yml
deleted file mode 100644
index 3ac5ae7..0000000
--- a/host_vars/vm1/networking.yml
+++ /dev/null
@@ -1,24 +0,0 @@
----
-interfaces:
-  enp0s3:
-    type: void
-  br0:
-    ipv4: 10.0.2.5
-    netmaskv4: 24
-    type: static
-    bridge: true
-    gateway: 10.0.2.1
-    interfaces:
-      - enp0s3
-  br1:
-    type: manual
-    bridge: true
-    interfaces:
-      - enp0s3.42
-  wg0:
-    ipv4: "{{ intranet.subnets.test.subnets.vm1.ipv4 }}"
-    netmaskv4: "{{ intranet.netmaskv4 }}"
-    type: wireguard
-
-ipv4_forwarding: false
-ipv6_forwarding: false
diff --git a/host_vars/vm1/vpn.yml b/host_vars/vm1/vpn.yml
deleted file mode 100644
index 349ec5a..0000000
--- a/host_vars/vm1/vpn.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-vpn_interfaces:
-  wg0:
-    ip: "{{ interfaces.wg0.ipv4 }}"
-    private_key: "{{ vpn_vault_vm1_key }}"
-    public_key: "uccS/p19vinH/S2GpVarDTYah4oRiSIABue8uEqKzRs="
-    keepalive: true
-    peers:
-    - endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
-      public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
-      allowed_ips:
-        - "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
-      comment: "hindley"
diff --git a/host_vars/vm2/ansible.yml b/host_vars/vm2/ansible.yml
deleted file mode 100644
index da11026..0000000
--- a/host_vars/vm2/ansible.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-ansible_host: "vm2"
diff --git a/host_vars/vm2/networking.yml b/host_vars/vm2/networking.yml
deleted file mode 100644
index f05677f..0000000
--- a/host_vars/vm2/networking.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-interfaces:
-  enp0s3:
-    type: dhcp
-  wg0:
-    ipv4: "{{ intranet.subnets.test.subnets.vm2.ipv4 }}"
-    netmaskv4: "{{ intranet.netmaskv4 }}"
-    type: wireguard
-
-ipv4_forwarding: false
-ipv6_forwarding: false
diff --git a/host_vars/vm2/vpn.yml b/host_vars/vm2/vpn.yml
deleted file mode 100644
index cce5491..0000000
--- a/host_vars/vm2/vpn.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-vpn_interfaces:
-  wg0:
-    ip: "{{ interfaces.wg0.ipv4 }}"
-    private_key: "{{ vpn_vault_vm2_key }}"
-    public_key: "pxsYnL8N3VVVLlkXA8NOkqWsrSMrgdL1vj/VnZfKdRo="
-    keepalive: true
-    peers:
-    - endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
-      public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
-      allowed_ips:
-        - "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
-      comment: "hindley"
diff --git a/host_vars/vm3/ansible.yml b/host_vars/vm3/ansible.yml
deleted file mode 100644
index bd11ecb..0000000
--- a/host_vars/vm3/ansible.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-ansible_host: "vm3"
diff --git a/host_vars/vm3/networking.yml b/host_vars/vm3/networking.yml
deleted file mode 100644
index 71acd30..0000000
--- a/host_vars/vm3/networking.yml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-interfaces:
-  enp0s3:
-    ipv4: 10.0.2.7
-    netmaskv4: 24
-    type: static
-    gateway: 10.0.2.1
-  wg0:
-    ipv4: "{{ intranet.subnets.test.subnets.vm3.ipv4 }}"
-    netmaskv4: "{{ intranet.netmaskv4 }}"
-    type: wireguard
-
-ipv4_forwarding: false
-ipv6_forwarding: false
diff --git a/host_vars/vm3/vpn.yml b/host_vars/vm3/vpn.yml
deleted file mode 100644
index f6cf0a9..0000000
--- a/host_vars/vm3/vpn.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-vpn_interfaces:
-  wg0:
-    ip: "{{ interfaces.wg0.ipv4 }}"
-    private_key: "{{ vpn_vault_vm3_key }}"
-    public_key: "Cj3HAjXXr9DcmJoOkQkHvLWujZm8h6tBt2d54g0pqEg="
-    keepalive: true
-    peers:
-    - endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
-      public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
-      allowed_ips: 
-        - "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
-      comment: "hindley"
diff --git a/host_vars/vm4/ansible.yml b/host_vars/vm4/ansible.yml
deleted file mode 100644
index 131eced..0000000
--- a/host_vars/vm4/ansible.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-ansible_host: "vm4"
diff --git a/host_vars/vm4/networking.yml b/host_vars/vm4/networking.yml
deleted file mode 100644
index 1e9e9b4..0000000
--- a/host_vars/vm4/networking.yml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-interfaces:
-  enp0s3:
-    ipv4: 10.0.2.8
-    netmaskv4: 24
-    type: static
-    gateway: 10.0.2.1
-  wg0:
-    ipv4: "{{ intranet.subnets.test.subnets.vm4.ipv4 }}"
-    netmaskv4: "{{ intranet.netmaskv4 }}"
-    type: wireguard
-
-ipv4_forwarding: false
-ipv6_forwarding: false
diff --git a/host_vars/vm4/vpn.yml b/host_vars/vm4/vpn.yml
deleted file mode 100644
index ccd2acb..0000000
--- a/host_vars/vm4/vpn.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-vpn_interfaces:
-  wg0:
-    ip: "{{ interfaces.wg0.ipv4 }}"
-    private_key: "{{ vpn_vault_vm4_key }}"
-    public_key: "5M84IO6uobYkMPupCI9h9y3iJXVIXAyDY8wkrMPcaRw="
-    keepalive: true
-    peers:
-    - endpoint: "{{ hostvars['hindley'].interfaces.enp2s0.ipv4 }}"
-      public_key: "{{ hostvars['hindley'].vpn_interfaces.wg0.public_key }}"
-      allowed_ips:
-        - "{{ hostvars['hindley'].vpn_interfaces.wg0.ip }}/{{ interfaces.wg0.netmaskv4 }}"
-      comment: "hindley"
diff --git a/host_vars/vm5/ansible.yml b/host_vars/vm5/ansible.yml
deleted file mode 100644
index 30c6274..0000000
--- a/host_vars/vm5/ansible.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-ansible_host: "vm5"
diff --git a/host_vars/vm5/networking.yml b/host_vars/vm5/networking.yml
deleted file mode 100644
index 5753321..0000000
--- a/host_vars/vm5/networking.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-interfaces:
-  enp0s3:
-    type: void
-  br0:
-    ipv4: 10.0.2.9
-    netmaskv4: 24
-    type: static
-    bridge: true
-    gateway: 10.0.2.1
-    interfaces:
-      - enp0s3
-
-ipv4_forwarding: false
-ipv6_forwarding: false
diff --git a/hosts b/hosts
index d96d57e..9b60703 100644
--- a/hosts
+++ b/hosts
@@ -4,17 +4,12 @@ all:
     ubuntu:
       hosts:
         hindley:
-        vm5:
     debian_buster:
       hosts:
         azerty:
-        vm1:
-        vm2:
-        vm3:
     debian_bullseye:
       hosts:
         matrix_server:
-        vm4:
     proxmox_buster:
       hosts:
         hellman:
@@ -34,26 +29,22 @@ all:
           server_hostname: azerty.fil.sand.auro.re
     tests:
       hosts:
-        vm1:
-        vm2:
-        vm3:
-        vm4:
-        vm5:
         rossum:
+        azerty:
+        hellman:
     vpn:
       hosts:
         azerty:
         hindley:
         hellman:
         rossum:
-        vm1:
-        vm2:
-        vm3:
-        vm4:
         matrix_server:
     apt_proxies:
       hosts:
         hindley:
+    prometheus_servers:
+      hosts:
+        hindley:
     matrix:
       hosts:
         matrix_server:
diff --git a/roles/base_config/tasks/main.yml b/roles/base_config/tasks/main.yml
index 7e0525b..6338f03 100644
--- a/roles/base_config/tasks/main.yml
+++ b/roles/base_config/tasks/main.yml
@@ -16,6 +16,7 @@
       - unzip
       - tcpdump
       - net-tools
+      - acl
     state: latest
     update_cache: true
   register: apt_result
diff --git a/roles/generate-cert/LICENSE b/roles/generate-cert/LICENSE
new file mode 100644
index 0000000..f234cd5
--- /dev/null
+++ b/roles/generate-cert/LICENSE
@@ -0,0 +1,167 @@
+                   GNU LESSER GENERAL PUBLIC LICENSE
+                       Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <https://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+
+  This version of the GNU Lesser General Public License incorporates
+the terms and conditions of version 3 of the GNU General Public
+License, supplemented by the additional permissions listed below.
+
+  0. Additional Definitions.
+
+  As used herein, "this License" refers to version 3 of the GNU Lesser
+General Public License, and the "GNU GPL" refers to version 3 of the GNU
+General Public License.
+
+  "The Library" refers to a covered work governed by this License,
+other than an Application or a Combined Work as defined below.
+
+  An "Application" is any work that makes use of an interface provided
+by the Library, but which is not otherwise based on the Library.
+Defining a subclass of a class defined by the Library is deemed a mode
+of using an interface provided by the Library.
+
+  A "Combined Work" is a work produced by combining or linking an
+Application with the Library.  The particular version of the Library
+with which the Combined Work was made is also called the "Linked
+Version".
+
+  The "Minimal Corresponding Source" for a Combined Work means the
+Corresponding Source for the Combined Work, excluding any source code
+for portions of the Combined Work that, considered in isolation, are
+based on the Application, and not on the Linked Version.
+
+  The "Corresponding Application Code" for a Combined Work means the
+object code and/or source code for the Application, including any data
+and utility programs needed for reproducing the Combined Work from the
+Application, but excluding the System Libraries of the Combined Work.
+
+  1. Exception to Section 3 of the GNU GPL.
+
+  You may convey a covered work under sections 3 and 4 of this License
+without being bound by section 3 of the GNU GPL.
+
+  2. Conveying Modified Versions.
+
+  If you modify a copy of the Library, and, in your modifications, a
+facility refers to a function or data to be supplied by an Application
+that uses the facility (other than as an argument passed when the
+facility is invoked), then you may convey a copy of the modified
+version:
+
+   a) under this License, provided that you make a good faith effort to
+   ensure that, in the event an Application does not supply the
+   function or data, the facility still operates, and performs
+   whatever part of its purpose remains meaningful, or
+
+   b) under the GNU GPL, with none of the additional permissions of
+   this License applicable to that copy.
+
+  3. Object Code Incorporating Material from Library Header Files.
+
+  The object code form of an Application may incorporate material from
+a header file that is part of the Library.  You may convey such object
+code under terms of your choice, provided that, if the incorporated
+material is not limited to numerical parameters, data structure
+layouts and accessors, or small macros, inline functions and templates
+(ten or fewer lines in length), you do both of the following:
+
+   a) Give prominent notice with each copy of the object code that the
+   Library is used in it and that the Library and its use are
+   covered by this License.
+
+   b) Accompany the object code with a copy of the GNU GPL and this license
+   document.
+
+  4. Combined Works.
+
+  You may convey a Combined Work under terms of your choice that,
+taken together, effectively do not restrict modification of the
+portions of the Library contained in the Combined Work and reverse
+engineering for debugging such modifications, if you also do each of
+the following:
+
+   a) Give prominent notice with each copy of the Combined Work that
+   the Library is used in it and that the Library and its use are
+   covered by this License.
+
+   b) Accompany the Combined Work with a copy of the GNU GPL and this license
+   document.
+
+   c) For a Combined Work that displays copyright notices during
+   execution, include the copyright notice for the Library among
+   these notices, as well as a reference directing the user to the
+   copies of the GNU GPL and this license document.
+
+   d) Do one of the following:
+
+       0) Convey the Minimal Corresponding Source under the terms of this
+       License, and the Corresponding Application Code in a form
+       suitable for, and under terms that permit, the user to
+       recombine or relink the Application with a modified version of
+       the Linked Version to produce a modified Combined Work, in the
+       manner specified by section 6 of the GNU GPL for conveying
+       Corresponding Source.
+
+       1) Use a suitable shared library mechanism for linking with the
+       Library.  A suitable mechanism is one that (a) uses at run time
+       a copy of the Library already present on the user's computer
+       system, and (b) will operate properly with a modified version
+       of the Library that is interface-compatible with the Linked
+       Version.
+
+   e) Provide Installation Information, but only if you would otherwise
+   be required to provide such information under section 6 of the
+   GNU GPL, and only to the extent that such information is
+   necessary to install and execute a modified version of the
+   Combined Work produced by recombining or relinking the
+   Application with a modified version of the Linked Version. (If
+   you use option 4d0, the Installation Information must accompany
+   the Minimal Corresponding Source and Corresponding Application
+   Code. If you use option 4d1, you must provide the Installation
+   Information in the manner specified by section 6 of the GNU GPL
+   for conveying Corresponding Source.)
+
+  5. Combined Libraries.
+
+  You may place library facilities that are a work based on the
+Library side by side in a single library together with other library
+facilities that are not Applications and are not covered by this
+License, and convey such a combined library under terms of your
+choice, if you do both of the following:
+
+   a) Accompany the combined library with a copy of the same work based
+   on the Library, uncombined with any other library facilities,
+   conveyed under the terms of this License.
+
+   b) Give prominent notice with the combined library that part of it
+   is a work based on the Library, and explaining where to find the
+   accompanying uncombined form of the same work.
+
+  6. Revised Versions of the GNU Lesser General Public License.
+
+  The Free Software Foundation may publish revised and/or new versions
+of the GNU Lesser General Public License from time to time. Such new
+versions will be similar in spirit to the present version, but may
+differ in detail to address new problems or concerns.
+
+  Each version is given a distinguishing version number. If the
+Library as you received it specifies that a certain numbered version
+of the GNU Lesser General Public License "or any later version"
+applies to it, you have the option of following the terms and
+conditions either of that published version or of any later version
+published by the Free Software Foundation. If the Library as you
+received it does not specify a version number of the GNU Lesser
+General Public License, you may choose any version of the GNU Lesser
+General Public License ever published by the Free Software Foundation.
+
+  If the Library as you received it specifies that a proxy can decide
+whether future versions of the GNU Lesser General Public License shall
+apply, that proxy's public statement of acceptance of any version is
+permanent authorization for you to choose that version for the
+Library.
+
+
diff --git a/roles/generate-cert/README.md b/roles/generate-cert/README.md
new file mode 100644
index 0000000..ce5aeca
--- /dev/null
+++ b/roles/generate-cert/README.md
@@ -0,0 +1,9 @@
+# generate-cert
+
+This role is part of the project [Ansible Hacky PKI](https://gitea.auro.re/histausse/ansible_hacky_pki) licenced under the LGPL 3.
+
+You can use it to generate certificate and manage de small pki, but keep it mind that this program is distributed **WITHOUT ANY WARRANTY**.
+In particular, the **security** of the pki generated and the process of generated the pki **is not guaranteed**. If you find any vulnerability,
+please contact me to see if we can find a patch.
+
+Copyright 2021 Jean-Marie Mineau <histausse@protonmail.com>
diff --git a/roles/generate-cert/defaults/main.yml b/roles/generate-cert/defaults/main.yml
new file mode 100644
index 0000000..b104186
--- /dev/null
+++ b/roles/generate-cert/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+key_usage:
+  - digitalSignature
+  - keyEncipherment
+validity_duration: "+365d"
+time_before_expiration_for_renewal: "+30d" # need a better name
+force_renewal: no
+store_directory: /etc/hackypky
diff --git a/roles/generate-cert/tasks/main.yml b/roles/generate-cert/tasks/main.yml
new file mode 100644
index 0000000..afd91c7
--- /dev/null
+++ b/roles/generate-cert/tasks/main.yml
@@ -0,0 +1,165 @@
+---
+- name: Ensure the directories used to store certs exist
+  file:
+    path: "{{ item }}"
+    state: directory
+    group: root
+    owner: root
+    mode: u=rwx,g=rx,o=rx
+  loop:
+    - "{{ store_directory }}"
+    - "{{ store_directory }}/crts"
+    - "{{ store_directory }}/keys"
+
+- name: Ensure the directory containing the cert exist
+  file:
+    path: "{{ directory }}"
+    state: directory
+
+- name: Test if the key already exist
+  stat:
+    path: "{{ store_directory}}/keys/{{ cname }}.key"
+  register: key_file
+
+- name: Test if the cert already exist
+  stat:
+    path: "{{ store_directory}}/crts/{{ cname }}.crt"
+  register: cert_file
+
+- name: Test if we need to renew the certificate
+  openssl_certificate_info:
+    path: "{{ store_directory }}/crts/{{ cname }}.crt"
+    valid_at:
+      renewal: "{{ time_before_expiration_for_renewal }}"
+  register: validity
+  when: cert_file.stat.exists
+
+- name:  Generate the certificate
+  block:
+    - name: Generate private key
+      become: false
+      openssl_privatekey:
+        path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
+        mode: u=rw,g=,o=
+        size: "{{ key_size | default(omit) }}"
+      delegate_to: localhost
+    
+    - name: Generate a Certificate Signing Request
+      become: false
+      openssl_csr:
+        path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
+        privatekey_path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
+        common_name: "{{ cname }}"
+        country_name: "{{ country_name | default(omit) }}"
+        locality_name: "{{ locality_name | default(omit) }}"
+        state_or_province_name: "{{ state_or_province_name | default(omit) }}"
+        organization_name: "{{ organization_name | default(omit) }}"
+        organizational_unit_name: "{{ organizational_unit_name | default(omit) }}"
+        email_address: "{{ email_address | default(omit) }}"
+        basic_constraints:
+          - CA:FALSE # syntax?
+        basic_constraints_critical: yes
+        key_usage: "{{ key_usage }}"
+        key_usage_critical: yes
+        subject_alt_name: "{{ subject_alt_name | default(omit) }}"
+        crl_distribution_points: "{{ crl_distribution_points | default(omit) }}"
+      delegate_to: localhost
+    
+    - name: Put the CA in a file
+      become: false
+      copy:
+        content: "{{ ca_cert }}"
+        dest: "/tmp/ansible_hacky_pki_ca.crt"
+      delegate_to: localhost
+    
+    - name: Put the CA key in a file
+      become: false
+      copy:
+        content: "{{ ca_key }}"
+        dest: "/tmp/ansible_hacky_pki_ca.key"
+        mode: u=rw,g=,o=
+      delegate_to: localhost
+      no_log: yes
+    
+    - name: Sign the certificate
+      become: false
+      openssl_certificate:
+        path: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
+        csr_path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
+        ownca_not_after: "{{ validity_duration }}"
+        ownca_path: /tmp/ansible_hacky_pki_ca.crt
+        ownca_privatekey_passphrase: "{{ ca_passphrase }}"
+        ownca_privatekey_path: /tmp/ansible_hacky_pki_ca.key
+        provider: ownca
+      delegate_to: localhost
+    
+    - name: Send private key to the server
+      copy:
+        src: "/tmp/ansible_hacky_pki_{{ cname }}.key"
+        dest: "{{ store_directory }}/keys/{{ cname }}.key"
+        owner: "{{ owner | default('root') }}"
+        group: "{{ group | default('root') }}"
+        mode: "{{ key_mode | default('u=rw,g=,o=') }}"
+      no_log: yes
+    
+    - name: Send certificate to the server
+      copy:
+        src: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
+        dest: "{{ store_directory }}/crts/{{ cname }}.crt"
+        owner: "{{ owner | default('root') }}"
+        group: "{{ group | default('root') }}"
+        mode: "{{ key_mode | default('u=rw,g=r,o=r') }}"
+    
+    # Clean up
+    - name: Remove the local cert key
+      become: false
+      file:
+        path: "/tmp/ansible_hacky_pki_{{ cname }}.key"
+        state: absent
+      delegate_to: localhost
+    
+    - name: Remove the CSR
+      become: false
+      file:
+        path: "/tmp/ansible_hacky_pki_{{ cname }}.csr"
+        state: absent
+      delegate_to: localhost
+    
+    - name: Remove the local certificate
+      become: false
+      file:
+        path: "/tmp/ansible_hacky_pki_{{ cname }}.crt"
+        state: absent
+      delegate_to: localhost
+    
+    - name: Remove the CA certificate
+      become: false
+      file:
+        path: /tmp/ansible_hacky_pki_ca.crt
+        state: absent
+      delegate_to: localhost
+    
+    - name: Remove the CA key
+      become: false
+      file:
+        path: /tmp/ansible_hacky_pki_ca.key
+        state: absent
+      delegate_to: localhost
+  when: force_renewal or (not key_file.stat.exists) or (not cert_file.stat.exists) or (not validity.valid_at.renewal)
+
+- name: Create the link to cert
+  file:
+    src: "{{ store_directory }}/crts/{{ cname }}.crt"
+    dest: "{{ directory }}/{{ cname }}.crt"
+    owner: "{{ owner | default('root') }}"
+    group: "{{ group | default('root') }}"
+    state: link
+
+- name: Create the link to key
+  file:
+    src: "{{ store_directory }}/keys/{{ cname }}.key"
+    dest: "{{ directory }}/{{ cname }}.key"
+    owner: "{{ owner | default('root') }}"
+    group: "{{ group | default('root') }}"
+    state: link
+
diff --git a/roles/grafana/handlers/main.yml b/roles/grafana/handlers/main.yml
new file mode 100644
index 0000000..cfedf9f
--- /dev/null
+++ b/roles/grafana/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart Grafana
+  systemd:
+    name: grafana-server
+    state: restarted
diff --git a/roles/grafana/tasks/main.yml b/roles/grafana/tasks/main.yml
new file mode 100644
index 0000000..98c4d41
--- /dev/null
+++ b/roles/grafana/tasks/main.yml
@@ -0,0 +1,79 @@
+---
+- name: Install apt transport https
+  apt:
+    name:
+      - apt-transport-https
+    state: latest
+    update_cache: true
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Add Graphana Repo Key
+  apt_key:
+    url: https://packages.grafana.com/gpg.key
+    state: present
+
+- name: Add Grafana Repository
+  apt_repository:
+    repo: deb https://packages.grafana.com/oss/deb stable main
+    state: present
+
+- name: Install Grafana
+  apt:
+    name:
+      - grafana
+    state: latest
+    update_cache: true
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Configure Grafana
+  template:
+    src: grafana.ini
+    dest: /etc/grafana/grafana.ini
+    owner: grafana
+    group: grafana
+    mode: u=rw,g=r,o=
+  no_log: true
+  notify: Restart Grafana
+
+- name: Copy the CA cert
+  copy:
+    content: "{{ ca_cert }}"
+    dest: /etc/grafana/ca.crt
+  notify: Restart prometheus
+
+- name: Generate certificate
+  include_role:
+    name: generate-cert
+  vars:
+    directory: /etc/grafana/
+    cname: "grafana-{{ lan_address }}"
+    owner: grafana
+    group: grafana
+    key_mode: u=rw,g=,o=
+    subject_alt_name: "IP:{{ lan_address }}"
+# Need an equivalent to notify here
+
+## THIS CERT CANNOT BE MONITORED BECAUSE IT IS A CLIENT CERT :'(
+#- name: Ensured the certificate is monitored
+#  import_tasks: register-cert-to-monitoring.yml
+#  vars:
+#    target: "{{ lan_address }}:<PORT>|grafana-{{ lan_address }}|{{ ansible_facts['nodename'] }}"
+
+- name: Add Prometheus data source
+  template:
+    src: prometheus_datasource.yaml
+    dest: /etc/grafana/provisioning/datasources/prometheus_datasource.yaml
+    owner: grafana
+    group: grafana
+    mode: u=rw,g=r,o=
+  notify: Restart Grafana
+
+- name: Enable Grafana
+  systemd:
+    name: grafana-server
+    enabled: true
+    state: started
diff --git a/roles/grafana/tasks/register-cert-to-monitoring.yml b/roles/grafana/tasks/register-cert-to-monitoring.yml
new file mode 100644
index 0000000..82d550a
--- /dev/null
+++ b/roles/grafana/tasks/register-cert-to-monitoring.yml
@@ -0,0 +1,23 @@
+---
+- name: Get the list of targets of the server
+  slurp:
+    src: /etc/prometheus/targets/blackbox-tls-internal-targets.json
+  register: server_tls_targets_file
+  delegate_to: "{{ appointed_prometheus_server }}"
+
+- name: Set target variable from file
+  set_fact:
+    server_tls_targets: "{{ server_tls_targets_file['content'] | b64decode | from_json }}"
+
+- name: Register the endpoint to the prometheus server
+  block:
+    - name: Add the target
+      set_fact:
+        new_server_tls_targets: "[{{ server_tls_targets[0] | combine({'targets': [target]}, list_merge='append_rp') }}]"
+
+    - name: Put the new target list
+      copy:
+        content: "{{ new_server_tls_targets | to_nice_json }}"
+        dest: /etc/prometheus/targets/blackbox-tls-internal-targets.json
+      delegate_to: "{{ appointed_prometheus_server }}"
+  when: target not in server_tls_targets.0.targets
diff --git a/roles/grafana/templates/grafana.ini b/roles/grafana/templates/grafana.ini
new file mode 100644
index 0000000..8acbf7e
--- /dev/null
+++ b/roles/grafana/templates/grafana.ini
@@ -0,0 +1,1008 @@
+{{ ansible_managed | comment }}
+
+##################### Grafana Configuration Example #####################
+#
+# Everything has defaults so you only need to uncomment things you want to
+# change
+
+# possible values : production, development
+;app_mode = production
+
+# instance name, defaults to HOSTNAME environment variable value or hostname if HOSTNAME var is empty
+;instance_name = ${HOSTNAME}
+
+#################################### Paths ####################################
+[paths]
+# Path to where grafana can store temp files, sessions, and the sqlite3 db (if that is used)
+;data = /var/lib/grafana
+
+# Temporary files in `data` directory older than given duration will be removed
+;temp_data_lifetime = 24h
+
+# Directory where grafana can store logs
+;logs = /var/log/grafana
+
+# Directory where grafana will automatically scan and look for plugins
+;plugins = /var/lib/grafana/plugins
+
+# folder that contains provisioning config files that grafana will apply on startup and while running.
+;provisioning = conf/provisioning
+
+#################################### Server ####################################
+[server]
+# Protocol (http, https, h2, socket)
+;protocol = http
+
+# The ip address to bind to, empty will bind to all interfaces
+http_addr = 127.0.0.1
+
+# The http port  to use
+;http_port = 3000
+
+# The public facing domain name used to access grafana from a browser
+domain = {{ grafana_domain_name }}
+
+# Redirect to correct domain if host header does not match domain
+# Prevents DNS rebinding attacks
+;enforce_domain = false
+
+# The full public facing url you use in browser, used for redirects and emails
+# If you use reverse proxy and sub path specify full url (with sub path)
+root_url = %(protocol)s://%(domain)s/
+
+# Serve Grafana from subpath specified in `root_url` setting. By default it is set to `false` for compatibility reasons.
+;serve_from_sub_path = false
+
+# Log web requests
+router_logging = true
+
+# the path relative working path
+;static_root_path = public
+
+# enable gzip
+enable_gzip = true
+
+# https certs & key file
+;cert_file =
+;cert_key =
+
+# Unix socket path
+;socket =
+
+# CDN Url
+;cdn_url =
+
+# Sets the maximum time using a duration format (5s/5m/5ms) before timing out read of an incoming request and closing idle connections.
+# `0` means there is no timeout for reading the request.
+;read_timeout = 0
+
+#################################### Database ####################################
+[database]
+# You can configure the database connection by specifying type, host, name, user and password
+# as separate properties or as on string using the url properties.
+
+# Either "mysql", "postgres" or "sqlite3", it's your choice
+;type = sqlite3
+;host = 127.0.0.1:3306
+;name = grafana
+;user = root
+# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
+;password =
+
+# Use either URL or the previous fields to configure the database
+# Example: mysql://user:secret@host:port/database
+;url =
+
+# For "postgres" only, either "disable", "require" or "verify-full"
+;ssl_mode = disable
+
+# Database drivers may support different transaction isolation levels.
+# Currently, only "mysql" driver supports isolation levels.
+# If the value is empty - driver's default isolation level is applied.
+# For "mysql" use "READ-UNCOMMITTED", "READ-COMMITTED", "REPEATABLE-READ" or "SERIALIZABLE".
+;isolation_level =
+
+;ca_cert_path =
+;client_key_path =
+;client_cert_path =
+;server_cert_name =
+
+# For "sqlite3" only, path relative to data_path setting
+;path = grafana.db
+
+# Max idle conn setting default is 2
+;max_idle_conn = 2
+
+# Max conn setting default is 0 (mean not set)
+;max_open_conn =
+
+# Connection Max Lifetime default is 14400 (means 14400 seconds or 4 hours)
+;conn_max_lifetime = 14400
+
+# Set to true to log the sql calls and execution times.
+;log_queries =
+
+# For "sqlite3" only. cache mode setting used for connecting to the database. (private, shared)
+;cache_mode = private
+
+################################### Data sources #########################
+[datasources]
+# Upper limit of data sources that Grafana will return. This limit is a temporary configuration and it will be deprecated when pagination will be introduced on the list data sources API.
+;datasource_limit = 5000
+
+#################################### Cache server #############################
+[remote_cache]
+# Either "redis", "memcached" or "database" default is "database"
+;type = database
+
+# cache connectionstring options
+# database: will use Grafana primary database.
+# redis: config like redis server e.g. `addr=127.0.0.1:6379,pool_size=100,db=0,ssl=false`. Only addr is required. ssl may be 'true', 'false', or 'insecure'.
+# memcache: 127.0.0.1:11211
+;connstr =
+
+#################################### Data proxy ###########################
+[dataproxy]
+
+# This enables data proxy logging, default is false
+;logging = false
+
+# How long the data proxy waits to read the headers of the response before timing out, default is 30 seconds.
+# This setting also applies to core backend HTTP data sources where query requests use an HTTP client with timeout set.
+;timeout = 30
+
+# How long the data proxy waits to establish a TCP connection before timing out, default is 10 seconds.
+;dialTimeout = 10
+
+# How many seconds the data proxy waits before sending a keepalive probe request.
+;keep_alive_seconds = 30
+
+# How many seconds the data proxy waits for a successful TLS Handshake before timing out.
+;tls_handshake_timeout_seconds = 10
+
+# How many seconds the data proxy will wait for a server's first response headers after
+# fully writing the request headers if the request has an "Expect: 100-continue"
+# header. A value of 0 will result in the body being sent immediately, without
+# waiting for the server to approve.
+;expect_continue_timeout_seconds = 1
+
+# Optionally limits the total number of connections per host, including connections in the dialing,
+# active, and idle states. On limit violation, dials will block.
+# A value of zero (0) means no limit.
+;max_conns_per_host = 0
+
+# The maximum number of idle connections that Grafana will keep alive.
+;max_idle_connections = 100
+
+# How many seconds the data proxy keeps an idle connection open before timing out.
+;idle_conn_timeout_seconds = 90
+
+# If enabled and user is not anonymous, data proxy will add X-Grafana-User header with username into the request, default is false.
+;send_user_header = false
+
+#################################### Analytics ####################################
+[analytics]
+# Server reporting, sends usage counters to stats.grafana.org every 24 hours.
+# No ip addresses are being tracked, only simple counters to track
+# running instances, dashboard and error counts. It is very helpful to us.
+# Change this option to false to disable reporting.
+;reporting_enabled = true
+
+# The name of the distributor of the Grafana instance. Ex hosted-grafana, grafana-labs
+;reporting_distributor = grafana-labs
+
+# Set to false to disable all checks to https://grafana.net
+# for new versions (grafana itself and plugins), check is used
+# in some UI views to notify that grafana or plugin update exists
+# This option does not cause any auto updates, nor send any information
+# only a GET request to http://grafana.com to get latest versions
+;check_for_updates = true
+
+# Google Analytics universal tracking code, only enabled if you specify an id here
+;google_analytics_ua_id =
+
+# Google Tag Manager ID, only enabled if you specify an id here
+;google_tag_manager_id =
+
+#################################### Security ####################################
+[security]
+# disable creation of admin user on first start of grafana
+;disable_initial_admin_creation = false
+
+# default admin user, created on startup
+;admin_user = admin
+
+# default admin password, can be changed before first start of grafana,  or in profile settings
+admin_password = {{ grafana_admin_password }}
+
+# used for signing
+;secret_key = SW2YcwTIb9zpOOhoPsMm
+
+# disable gravatar profile images
+;disable_gravatar = false
+
+# data source proxy whitelist (ip_or_domain:port separated by spaces)
+;data_source_proxy_whitelist =
+
+# disable protection against brute force login attempts
+;disable_brute_force_login_protection = false
+
+# set to true if you host Grafana behind HTTPS. default is false.
+;cookie_secure = false
+
+# set cookie SameSite attribute. defaults to `lax`. can be set to "lax", "strict", "none" and "disabled"
+;cookie_samesite = lax
+
+# set to true if you want to allow browsers to render Grafana in a <frame>, <iframe>, <embed> or <object>. default is false.
+;allow_embedding = false
+
+# Set to true if you want to enable http strict transport security (HSTS) response header.
+# This is only sent when HTTPS is enabled in this configuration.
+# HSTS tells browsers that the site should only be accessed using HTTPS.
+;strict_transport_security = false
+
+# Sets how long a browser should cache HSTS. Only applied if strict_transport_security is enabled.
+;strict_transport_security_max_age_seconds = 86400
+
+# Set to true if to enable HSTS preloading option. Only applied if strict_transport_security is enabled.
+;strict_transport_security_preload = false
+
+# Set to true if to enable the HSTS includeSubDomains option. Only applied if strict_transport_security is enabled.
+;strict_transport_security_subdomains = false
+
+# Set to true to enable the X-Content-Type-Options response header.
+# The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised
+# in the Content-Type headers should not be changed and be followed.
+;x_content_type_options = true
+
+# Set to true to enable the X-XSS-Protection header, which tells browsers to stop pages from loading
+# when they detect reflected cross-site scripting (XSS) attacks.
+;x_xss_protection = true
+
+# Enable adding the Content-Security-Policy header to your requests.
+# CSP allows to control resources the user agent is allowed to load and helps prevent XSS attacks.
+;content_security_policy = false
+
+# Set Content Security Policy template used when adding the Content-Security-Policy header to your requests.
+# $NONCE in the template includes a random nonce.
+# $ROOT_PATH is server.root_url without the protocol.
+;content_security_policy_template = """script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;img-src * data:;base-uri 'self';connect-src 'self' grafana.com ws://$ROOT_PATH wss://$ROOT_PATH;manifest-src 'self';media-src 'none';form-action 'self';"""
+
+#################################### Snapshots ###########################
+[snapshots]
+# snapshot sharing options
+;external_enabled = true
+;external_snapshot_url = https://snapshots-origin.raintank.io
+;external_snapshot_name = Publish to snapshot.raintank.io
+
+# Set to true to enable this Grafana instance act as an external snapshot server and allow unauthenticated requests for
+# creating and deleting snapshots.
+;public_mode = false
+
+# remove expired snapshot
+;snapshot_remove_expired = true
+
+#################################### Dashboards History ##################
+[dashboards]
+# Number dashboard versions to keep (per dashboard). Default: 20, Minimum: 1
+;versions_to_keep = 20
+
+# Minimum dashboard refresh interval. When set, this will restrict users to set the refresh interval of a dashboard lower than given interval. Per default this is 5 seconds.
+# The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
+;min_refresh_interval = 5s
+
+# Path to the default home dashboard. If this value is empty, then Grafana uses StaticRootPath + "dashboards/home.json"
+;default_home_dashboard_path =
+
+#################################### Users ###############################
+[users]
+# disable user signup / registration
+;allow_sign_up = true
+
+# Allow non admin users to create organizations
+;allow_org_create = true
+
+# Set to true to automatically assign new users to the default organization (id 1)
+;auto_assign_org = true
+
+# Set this value to automatically add new users to the provided organization (if auto_assign_org above is set to true)
+;auto_assign_org_id = 1
+
+# Default role new users will be automatically assigned (if disabled above is set to true)
+;auto_assign_org_role = Viewer
+
+# Require email validation before sign up completes
+;verify_email_enabled = false
+
+# Background text for the user field on the login page
+login_hint = email or username (or credit card number)
+password_hint = Your super duper mega secure password
+
+# Default UI theme ("dark" or "light")
+;default_theme = dark
+
+# Path to a custom home page. Users are only redirected to this if the default home dashboard is used. It should match a frontend route and contain a leading slash.
+; home_page =
+
+# External user management, these options affect the organization users view
+;external_manage_link_url =
+;external_manage_link_name =
+;external_manage_info =
+
+# Viewers can edit/inspect dashboard settings in the browser. But not save the dashboard.
+;viewers_can_edit = false
+
+# Editors can administrate dashboard, folders and teams they create
+;editors_can_admin = false
+
+# The duration in time a user invitation remains valid before expiring. This setting should be expressed as a duration. Examples: 6h (hours), 2d (days), 1w (week). Default is 24h (24 hours). The minimum supported duration is 15m (15 minutes).
+;user_invite_max_lifetime_duration = 24h
+
+# Enter a comma-separated list of users login to hide them in the Grafana UI. These users are shown to Grafana admins and themselves.
+; hidden_users =
+
+[auth]
+# Login cookie name
+;login_cookie_name = grafana_session
+
+# The maximum lifetime (duration) an authenticated user can be inactive before being required to login at next visit. Default is 7 days (7d). This setting should be expressed as a duration, e.g. 5m (minutes), 6h (hours), 10d (days), 2w (weeks), 1M (month). The lifetime resets at each successful token rotation.
+;login_maximum_inactive_lifetime_duration =
+
+# The maximum lifetime (duration) an authenticated user can be logged in since login time before being required to login. Default is 30 days (30d). This setting should be expressed as a duration, e.g. 5m (minutes), 6h (hours), 10d (days), 2w (weeks), 1M (month).
+;login_maximum_lifetime_duration =
+
+# How often should auth tokens be rotated for authenticated users when being active. The default is each 10 minutes.
+;token_rotation_interval_minutes = 10
+
+# Set to true to disable (hide) the login form, useful if you use OAuth, defaults to false
+;disable_login_form = false
+
+# Set to true to disable the sign out link in the side menu. Useful if you use auth.proxy or auth.jwt, defaults to false
+;disable_signout_menu = false
+
+# URL to redirect the user to after sign out
+;signout_redirect_url =
+
+# Set to true to attempt login with OAuth automatically, skipping the login screen.
+# This setting is ignored if multiple OAuth providers are configured.
+;oauth_auto_login = false
+
+# OAuth state max age cookie duration in seconds. Defaults to 600 seconds.
+;oauth_state_cookie_max_age = 600
+
+# limit of api_key seconds to live before expiration
+;api_key_max_seconds_to_live = -1
+
+# Set to true to enable SigV4 authentication option for HTTP-based datasources.
+;sigv4_auth_enabled = false
+
+#################################### Anonymous Auth ######################
+[auth.anonymous]
+# enable anonymous access
+;enabled = false
+
+# specify organization name that should be used for unauthenticated users
+;org_name = Main Org.
+
+# specify role for unauthenticated users
+;org_role = Viewer
+
+# mask the Grafana version number for unauthenticated users
+;hide_version = false
+
+#################################### GitHub Auth ##########################
+[auth.github]
+;enabled = false
+;allow_sign_up = true
+;client_id = some_id
+;client_secret = some_secret
+;scopes = user:email,read:org
+;auth_url = https://github.com/login/oauth/authorize
+;token_url = https://github.com/login/oauth/access_token
+;api_url = https://api.github.com/user
+;allowed_domains =
+;team_ids =
+;allowed_organizations =
+
+#################################### GitLab Auth #########################
+[auth.gitlab]
+;enabled = false
+;allow_sign_up = true
+;client_id = some_id
+;client_secret = some_secret
+;scopes = api
+;auth_url = https://gitlab.com/oauth/authorize
+;token_url = https://gitlab.com/oauth/token
+;api_url = https://gitlab.com/api/v4
+;allowed_domains =
+;allowed_groups =
+
+#################################### Google Auth ##########################
+[auth.google]
+;enabled = false
+;allow_sign_up = true
+;client_id = some_client_id
+;client_secret = some_client_secret
+;scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
+;auth_url = https://accounts.google.com/o/oauth2/auth
+;token_url = https://accounts.google.com/o/oauth2/token
+;api_url = https://www.googleapis.com/oauth2/v1/userinfo
+;allowed_domains =
+;hosted_domain =
+
+#################################### Grafana.com Auth ####################
+[auth.grafana_com]
+;enabled = false
+;allow_sign_up = true
+;client_id = some_id
+;client_secret = some_secret
+;scopes = user:email
+;allowed_organizations =
+
+#################################### Azure AD OAuth #######################
+[auth.azuread]
+;name = Azure AD
+;enabled = false
+;allow_sign_up = true
+;client_id = some_client_id
+;client_secret = some_client_secret
+;scopes = openid email profile
+;auth_url = https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize
+;token_url = https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
+;allowed_domains =
+;allowed_groups =
+
+#################################### Okta OAuth #######################
+[auth.okta]
+;name = Okta
+;enabled = false
+;allow_sign_up = true
+;client_id = some_id
+;client_secret = some_secret
+;scopes = openid profile email groups
+;auth_url = https://<tenant-id>.okta.com/oauth2/v1/authorize
+;token_url = https://<tenant-id>.okta.com/oauth2/v1/token
+;api_url = https://<tenant-id>.okta.com/oauth2/v1/userinfo
+;allowed_domains =
+;allowed_groups =
+;role_attribute_path =
+;role_attribute_strict = false
+
+#################################### Generic OAuth ##########################
+[auth.generic_oauth]
+;enabled = false
+;name = OAuth
+;allow_sign_up = true
+;client_id = some_id
+;client_secret = some_secret
+;scopes = user:email,read:org
+;empty_scopes = false
+;email_attribute_name = email:primary
+;email_attribute_path =
+;login_attribute_path =
+;name_attribute_path =
+;id_token_attribute_name =
+;auth_url = https://foo.bar/login/oauth/authorize
+;token_url = https://foo.bar/login/oauth/access_token
+;api_url = https://foo.bar/user
+;allowed_domains =
+;team_ids =
+;allowed_organizations =
+;role_attribute_path =
+;role_attribute_strict = false
+;groups_attribute_path =
+;tls_skip_verify_insecure = false
+;tls_client_cert =
+;tls_client_key =
+;tls_client_ca =
+
+#################################### Basic Auth ##########################
+[auth.basic]
+;enabled = true
+
+#################################### Auth Proxy ##########################
+[auth.proxy]
+;enabled = false
+;header_name = X-WEBAUTH-USER
+;header_property = username
+;auto_sign_up = true
+;sync_ttl = 60
+;whitelist = 192.168.1.1, 192.168.2.1
+;headers = Email:X-User-Email, Name:X-User-Name
+# Read the auth proxy docs for details on what the setting below enables
+;enable_login_token = false
+
+#################################### Auth JWT ##########################
+[auth.jwt]
+;enabled = true
+;header_name = X-JWT-Assertion
+;email_claim = sub
+;username_claim = sub
+;jwk_set_url = https://foo.bar/.well-known/jwks.json
+;jwk_set_file = /path/to/jwks.json
+;cache_ttl = 60m
+;expected_claims = {"aud": ["foo", "bar"]}
+;key_file = /path/to/key/file
+
+#################################### Auth LDAP ##########################
+[auth.ldap]
+;enabled = false
+;config_file = /etc/grafana/ldap.toml
+;allow_sign_up = true
+
+# LDAP background sync (Enterprise only)
+# At 1 am every day
+;sync_cron = "0 0 1 * * *"
+;active_sync_enabled = true
+
+#################################### AWS ###########################
+[aws]
+# Enter a comma-separated list of allowed AWS authentication providers.
+# Options are: default (AWS SDK Default), keys (Access && secret key), credentials (Credentials field), ec2_iam_role (EC2 IAM Role)
+; allowed_auth_providers = default,keys,credentials
+
+# Allow AWS users to assume a role using temporary security credentials.
+# If true, assume role will be enabled for all AWS authentication providers that are specified in aws_auth_providers
+; assume_role_enabled = true
+
+#################################### Azure ###############################
+[azure]
+# Azure cloud environment where Grafana is hosted
+# Possible values are AzureCloud, AzureChinaCloud, AzureUSGovernment and AzureGermanCloud
+# Default value is AzureCloud (i.e. public cloud)
+;cloud = AzureCloud
+
+# Specifies whether Grafana hosted in Azure service with Managed Identity configured (e.g. Azure Virtual Machines instance)
+# If enabled, the managed identity can be used for authentication of Grafana in Azure services
+# Disabled by default, needs to be explicitly enabled
+;managed_identity_enabled = false
+
+# Client ID to use for user-assigned managed identity
+# Should be set for user-assigned identity and should be empty for system-assigned identity
+;managed_identity_client_id =
+
+#################################### SMTP / Emailing ##########################
+[smtp]
+;enabled = false
+;host = localhost:25
+;user =
+# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
+;password =
+;cert_file =
+;key_file =
+;skip_verify = false
+;from_address = admin@grafana.localhost
+;from_name = Grafana
+# EHLO identity in SMTP dialog (defaults to instance_name)
+;ehlo_identity = dashboard.example.com
+# SMTP startTLS policy (defaults to 'OpportunisticStartTLS')
+;startTLS_policy = NoStartTLS
+
+[emails]
+;welcome_email_on_sign_up = false
+;templates_pattern = emails/*.html, emails/*.txt
+;content_types = text/html
+
+#################################### Logging ##########################
+[log]
+# Either "console", "file", "syslog". Default is console and  file
+# Use space to separate multiple modes, e.g. "console file"
+;mode = console file
+
+# Either "debug", "info", "warn", "error", "critical", default is "info"
+;level = info
+
+# optional settings to set different levels for specific loggers. Ex filters = sqlstore:debug
+;filters =
+
+# For "console" mode only
+[log.console]
+;level =
+
+# log line format, valid options are text, console and json
+;format = console
+
+# For "file" mode only
+[log.file]
+;level =
+
+# log line format, valid options are text, console and json
+;format = text
+
+# This enables automated log rotate(switch of following options), default is true
+;log_rotate = true
+
+# Max line number of single file, default is 1000000
+;max_lines = 1000000
+
+# Max size shift of single file, default is 28 means 1 << 28, 256MB
+;max_size_shift = 28
+
+# Segment log daily, default is true
+;daily_rotate = true
+
+# Expired days of log file(delete after max days), default is 7
+;max_days = 7
+
+[log.syslog]
+;level =
+
+# log line format, valid options are text, console and json
+;format = text
+
+# Syslog network type and address. This can be udp, tcp, or unix. If left blank, the default unix endpoints will be used.
+;network =
+;address =
+
+# Syslog facility. user, daemon and local0 through local7 are valid.
+;facility =
+
+# Syslog tag. By default, the process' argv[0] is used.
+;tag =
+
+[log.frontend]
+# Should Sentry javascript agent be initialized
+;enabled = false
+
+# Sentry DSN if you want to send events to Sentry.
+;sentry_dsn =
+
+# Custom HTTP endpoint to send events captured by the Sentry agent to. Default will log the events to stdout.
+;custom_endpoint = /log
+
+# Rate of events to be reported between 0 (none) and 1 (all), float
+;sample_rate = 1.0
+
+# Requests per second limit enforced an extended period, for Grafana backend log ingestion endpoint (/log).
+;log_endpoint_requests_per_second_limit = 3
+
+# Max requests accepted per short interval of time for Grafana backend log ingestion endpoint (/log).
+;log_endpoint_burst_limit = 15
+
+#################################### Usage Quotas ########################
+[quota]
+; enabled = false
+
+#### set quotas to -1 to make unlimited. ####
+# limit number of users per Org.
+; org_user = 10
+
+# limit number of dashboards per Org.
+; org_dashboard = 100
+
+# limit number of data_sources per Org.
+; org_data_source = 10
+
+# limit number of api_keys per Org.
+; org_api_key = 10
+
+# limit number of alerts per Org.
+;org_alert_rule = 100
+
+# limit number of orgs a user can create.
+; user_org = 10
+
+# Global limit of users.
+; global_user = -1
+
+# global limit of orgs.
+; global_org = -1
+
+# global limit of dashboards
+; global_dashboard = -1
+
+# global limit of api_keys
+; global_api_key = -1
+
+# global limit on number of logged in users.
+; global_session = -1
+
+# global limit of alerts
+;global_alert_rule = -1
+
+#################################### Alerting ############################
+[alerting]
+# Disable alerting engine & UI features
+;enabled = true
+# Makes it possible to turn off alert rule execution but alerting UI is visible
+;execute_alerts = true
+
+# Default setting for new alert rules. Defaults to categorize error and timeouts as alerting. (alerting, keep_state)
+;error_or_timeout = alerting
+
+# Default setting for how Grafana handles nodata or null values in alerting. (alerting, no_data, keep_state, ok)
+;nodata_or_nullvalues = no_data
+
+# Alert notifications can include images, but rendering many images at the same time can overload the server
+# This limit will protect the server from render overloading and make sure notifications are sent out quickly
+;concurrent_render_limit = 5
+
+
+# Default setting for alert calculation timeout. Default value is 30
+;evaluation_timeout_seconds = 30
+
+# Default setting for alert notification timeout. Default value is 30
+;notification_timeout_seconds = 30
+
+# Default setting for max attempts to sending alert notifications. Default value is 3
+;max_attempts = 3
+
+# Makes it possible to enforce a minimal interval between evaluations, to reduce load on the backend
+;min_interval_seconds = 1
+
+# Configures for how long alert annotations are stored. Default is 0, which keeps them forever.
+# This setting should be expressed as a duration. Examples: 6h (hours), 10d (days), 2w (weeks), 1M (month).
+;max_annotation_age =
+
+# Configures max number of alert annotations that Grafana stores. Default value is 0, which keeps all alert annotations.
+;max_annotations_to_keep =
+
+#################################### Annotations #########################
+[annotations]
+# Configures the batch size for the annotation clean-up job. This setting is used for dashboard, API, and alert annotations.
+;cleanupjob_batchsize = 100
+
+[annotations.dashboard]
+# Dashboard annotations means that annotations are associated with the dashboard they are created on.
+
+# Configures how long dashboard annotations are stored. Default is 0, which keeps them forever.
+# This setting should be expressed as a duration. Examples: 6h (hours), 10d (days), 2w (weeks), 1M (month).
+;max_age =
+
+# Configures max number of dashboard annotations that Grafana stores. Default value is 0, which keeps all dashboard annotations.
+;max_annotations_to_keep =
+
+[annotations.api]
+# API annotations means that the annotations have been created using the API without any
+# association with a dashboard.
+
+# Configures how long Grafana stores API annotations. Default is 0, which keeps them forever.
+# This setting should be expressed as a duration. Examples: 6h (hours), 10d (days), 2w (weeks), 1M (month).
+;max_age =
+
+# Configures max number of API annotations that Grafana keeps. Default value is 0, which keeps all API annotations.
+;max_annotations_to_keep =
+
+#################################### Explore #############################
+[explore]
+# Enable the Explore section
+;enabled = true
+
+#################################### Internal Grafana Metrics ##########################
+# Metrics available at HTTP API Url /metrics
+[metrics]
+# Disable / Enable internal metrics
+;enabled           = true
+# Graphite Publish interval
+;interval_seconds  = 10
+# Disable total stats (stat_totals_*) metrics to be generated
+;disable_total_stats = false
+
+#If both are set, basic auth will be required for the metrics endpoint.
+; basic_auth_username =
+; basic_auth_password =
+
+# Metrics environment info adds dimensions to the `grafana_environment_info` metric, which
+# can expose more information about the Grafana instance.
+[metrics.environment_info]
+#exampleLabel1 = exampleValue1
+#exampleLabel2 = exampleValue2
+
+# Send internal metrics to Graphite
+[metrics.graphite]
+# Enable by setting the address setting (ex localhost:2003)
+;address =
+;prefix = prod.grafana.%(instance_name)s.
+
+#################################### Grafana.com integration  ##########################
+# Url used to import dashboards directly from Grafana.com
+[grafana_com]
+;url = https://grafana.com
+
+#################################### Distributed tracing ############
+[tracing.jaeger]
+# Enable by setting the address sending traces to jaeger (ex localhost:6831)
+;address = localhost:6831
+# Tag that will always be included in when creating new spans. ex (tag1:value1,tag2:value2)
+;always_included_tag = tag1:value1
+# Type specifies the type of the sampler: const, probabilistic, rateLimiting, or remote
+;sampler_type = const
+# jaeger samplerconfig param
+# for "const" sampler, 0 or 1 for always false/true respectively
+# for "probabilistic" sampler, a probability between 0 and 1
+# for "rateLimiting" sampler, the number of spans per second
+# for "remote" sampler, param is the same as for "probabilistic"
+# and indicates the initial sampling rate before the actual one
+# is received from the mothership
+;sampler_param = 1
+# sampling_server_url is the URL of a sampling manager providing a sampling strategy.
+;sampling_server_url =
+# Whether or not to use Zipkin propagation (x-b3- HTTP headers).
+;zipkin_propagation = false
+# Setting this to true disables shared RPC spans.
+# Not disabling is the most common setting when using Zipkin elsewhere in your infrastructure.
+;disable_shared_zipkin_spans = false
+
+#################################### External image storage ##########################
+[external_image_storage]
+# Used for uploading images to public servers so they can be included in slack/email messages.
+# you can choose between (s3, webdav, gcs, azure_blob, local)
+;provider =
+
+[external_image_storage.s3]
+;endpoint =
+;path_style_access =
+;bucket =
+;region =
+;path =
+;access_key =
+;secret_key =
+
+[external_image_storage.webdav]
+;url =
+;public_url =
+;username =
+;password =
+
+[external_image_storage.gcs]
+;key_file =
+;bucket =
+;path =
+
+[external_image_storage.azure_blob]
+;account_name =
+;account_key =
+;container_name =
+
+[external_image_storage.local]
+# does not require any configuration
+
+[rendering]
+# Options to configure a remote HTTP image rendering service, e.g. using https://github.com/grafana/grafana-image-renderer.
+# URL to a remote HTTP image renderer service, e.g. http://localhost:8081/render, will enable Grafana to render panels and dashboards to PNG-images using HTTP requests to an external service.
+;server_url =
+# If the remote HTTP image renderer service runs on a different server than the Grafana server you may have to configure this to a URL where Grafana is reachable, e.g. http://grafana.domain/.
+;callback_url =
+# Concurrent render request limit affects when the /render HTTP endpoint is used. Rendering many images at the same time can overload the server,
+# which this setting can help protect against by only allowing a certain amount of concurrent requests.
+;concurrent_render_request_limit = 30
+
+[panels]
+# If set to true Grafana will allow script tags in text panels. Not recommended as it enable XSS vulnerabilities.
+;disable_sanitize_html = false
+
+[plugins]
+;enable_alpha = false
+;app_tls_skip_verify_insecure = false
+# Enter a comma-separated list of plugin identifiers to identify plugins to load even if they are unsigned. Plugins with modified signatures are never loaded.
+;allow_loading_unsigned_plugins =
+# Enable or disable installing plugins directly from within Grafana.
+;plugin_admin_enabled = false
+;plugin_admin_external_manage_enabled = false
+;plugin_catalog_url = https://grafana.com/grafana/plugins/
+
+#################################### Grafana Live ##########################################
+[live]
+# max_connections to Grafana Live WebSocket endpoint per Grafana server instance. See Grafana Live docs
+# if you are planning to make it higher than default 100 since this can require some OS and infrastructure
+# tuning. 0 disables Live, -1 means unlimited connections.
+;max_connections = 100
+
+# allowed_origins is a comma-separated list of origins that can establish connection with Grafana Live.
+# If not set then origin will be matched over root_url. Supports wildcard symbol "*".
+;allowed_origins =
+
+# engine defines an HA (high availability) engine to use for Grafana Live. By default no engine used - in
+# this case Live features work only on a single Grafana server. Available options: "redis".
+# Setting ha_engine is an EXPERIMENTAL feature.
+;ha_engine =
+
+# ha_engine_address sets a connection address for Live HA engine. Depending on engine type address format can differ.
+# For now we only support Redis connection address in "host:port" format.
+# This option is EXPERIMENTAL.
+;ha_engine_address = "127.0.0.1:6379"
+
+#################################### Grafana Image Renderer Plugin ##########################
+[plugin.grafana-image-renderer]
+# Instruct headless browser instance to use a default timezone when not provided by Grafana, e.g. when rendering panel image of alert.
+# See ICU’s metaZones.txt (https://cs.chromium.org/chromium/src/third_party/icu/source/data/misc/metaZones.txt) for a list of supported
+# timezone IDs. Fallbacks to TZ environment variable if not set.
+;rendering_timezone =
+
+# Instruct headless browser instance to use a default language when not provided by Grafana, e.g. when rendering panel image of alert.
+# Please refer to the HTTP header Accept-Language to understand how to format this value, e.g. 'fr-CH, fr;q=0.9, en;q=0.8, de;q=0.7, *;q=0.5'.
+;rendering_language =
+
+# Instruct headless browser instance to use a default device scale factor when not provided by Grafana, e.g. when rendering panel image of alert.
+# Default is 1. Using a higher value will produce more detailed images (higher DPI), but will require more disk space to store an image.
+;rendering_viewport_device_scale_factor =
+
+# Instruct headless browser instance whether to ignore HTTPS errors during navigation. Per default HTTPS errors are not ignored. Due to
+# the security risk it's not recommended to ignore HTTPS errors.
+;rendering_ignore_https_errors =
+
+# Instruct headless browser instance whether to capture and log verbose information when rendering an image. Default is false and will
+# only capture and log error messages. When enabled, debug messages are captured and logged as well.
+# For the verbose information to be included in the Grafana server log you have to adjust the rendering log level to debug, configure
+# [log].filter = rendering:debug.
+;rendering_verbose_logging =
+
+# Instruct headless browser instance whether to output its debug and error messages into running process of remote rendering service.
+# Default is false. This can be useful to enable (true) when troubleshooting.
+;rendering_dumpio =
+
+# Additional arguments to pass to the headless browser instance. Default is --no-sandbox. The list of Chromium flags can be found
+# here (https://peter.sh/experiments/chromium-command-line-switches/). Multiple arguments is separated with comma-character.
+;rendering_args =
+
+# You can configure the plugin to use a different browser binary instead of the pre-packaged version of Chromium.
+# Please note that this is not recommended, since you may encounter problems if the installed version of Chrome/Chromium is not
+# compatible with the plugin.
+;rendering_chrome_bin =
+
+# Instruct how headless browser instances are created. Default is 'default' and will create a new browser instance on each request.
+# Mode 'clustered' will make sure that only a maximum of browsers/incognito pages can execute concurrently.
+# Mode 'reusable' will have one browser instance and will create a new incognito page on each request.
+;rendering_mode =
+
+# When rendering_mode = clustered you can instruct how many browsers or incognito pages can execute concurrently. Default is 'browser'
+# and will cluster using browser instances.
+# Mode 'context' will cluster using incognito pages.
+;rendering_clustering_mode =
+# When rendering_mode = clustered you can define maximum number of browser instances/incognito pages that can execute concurrently..
+;rendering_clustering_max_concurrency =
+
+# Limit the maximum viewport width, height and device scale factor that can be requested.
+;rendering_viewport_max_width =
+;rendering_viewport_max_height =
+;rendering_viewport_max_device_scale_factor =
+
+# Change the listening host and port of the gRPC server. Default host is 127.0.0.1 and default port is 0 and will automatically assign
+# a port not in use.
+;grpc_host =
+;grpc_port =
+
+[enterprise]
+# Path to a valid Grafana Enterprise license.jwt file
+;license_path =
+
+[feature_toggles]
+# enable features, separated by spaces
+;enable =
+
+[date_formats]
+# For information on what formatting patterns that are supported https://momentjs.com/docs/#/displaying/
+
+# Default system date format used in time range picker and other places where full time is displayed
+;full_date = YYYY-MM-DD HH:mm:ss
+
+# Used by graph and other places where we only show small intervals
+;interval_second = HH:mm:ss
+;interval_minute = HH:mm
+;interval_hour = MM/DD HH:mm
+;interval_day = MM/DD
+;interval_month = YYYY-MM
+;interval_year = YYYY
+
+# Experimental feature
+;use_browser_locale = false
+
+# Default timezone for user preferences. Options are 'browser' for the browser local timezone or a timezone name from IANA Time Zone database, e.g. 'UTC' or 'Europe/Amsterdam' etc.
+;default_timezone = browser
+
+[expressions]
+# Enable or disable the expressions functionality.
+;enabled = true
+
+[geomap]
+# Set the JSON configuration for the default basemap
+;default_baselayer_config = `{
+;  "type": "xyz",
+;  "config": {
+;    "attribution": "Open street map",
+;    "url": "https://tile.openstreetmap.org/{z}/{x}/{y}.png"
+;  }
+;}`
+
+# Enable or disable loading other base map layers
+;enable_custom_baselayers = true
diff --git a/roles/grafana/templates/prometheus_datasource.yaml b/roles/grafana/templates/prometheus_datasource.yaml
new file mode 100644
index 0000000..b78e1b2
--- /dev/null
+++ b/roles/grafana/templates/prometheus_datasource.yaml
@@ -0,0 +1,17 @@
+{{ ansible_managed | comment }}
+apiVersion: 1
+
+datasources:
+  - name: Prometheus
+    type: prometheus
+    # Access mode - proxy (server in the UI) or direct (browser in the UI).
+    access: proxy
+    url: https://{{ lan_address }}:9090
+    jsonData:
+      httpMethod: POST
+      tlsAuth: true
+      tlsAuthWithCACert: true
+    secureJsonData: 
+      tlsCACert: $__file{/etc/grafana/ca.crt}
+      tlsClientCert: $__file{/etc/grafana/grafana-{{ lan_address }}.crt}
+      tlsClientKey: $__file{/etc/grafana/grafana-{{ lan_address }}.key}
diff --git a/roles/prometheus-alert-manager/handlers/main.yml b/roles/prometheus-alert-manager/handlers/main.yml
new file mode 100644
index 0000000..3d05bca
--- /dev/null
+++ b/roles/prometheus-alert-manager/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: Restart Alertmanager
+  systemd:
+    name: prometheus-alertmanager.service
+    state: restarted
+
+- name: Restart kassandra
+  systemd:
+    name: kassandra.service
+    state: restarted
diff --git a/roles/prometheus-alert-manager/meta/main.yml b/roles/prometheus-alert-manager/meta/main.yml
new file mode 100644
index 0000000..ff0926f
--- /dev/null
+++ b/roles/prometheus-alert-manager/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+  - role: install_nginx
diff --git a/roles/prometheus-alert-manager/tasks/kassandra.yml b/roles/prometheus-alert-manager/tasks/kassandra.yml
new file mode 100644
index 0000000..6136298
--- /dev/null
+++ b/roles/prometheus-alert-manager/tasks/kassandra.yml
@@ -0,0 +1,73 @@
+---
+- name: Install dependencies
+  apt:
+    name:
+      - python3.9
+      - python3.9-venv
+    state: latest
+    update_cache: true
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Create the kassandra user
+  user:
+    name: kassandra
+    home: /opt/kassandra
+    password_lock: yes
+    system: yes
+
+- name: Install kassandra
+  become: yes
+  become_user: kassandra
+  pip:
+    name:
+      - wheel
+      - "kassandra @ git+https://gitea.auro.re/histausse/kassandra.git"
+    virtualenv: /opt/kassandra
+    virtualenv_command: "python3.9 -m venv"
+
+- name: Configure kassandra
+  template:
+    src: kassandra-config.yaml
+    dest: /opt/kassandra/config.yaml
+    owner: kassandra
+    group: nogroup
+    mode: '0600'
+  notify:  Restart kassandra
+  no_log: true
+
+- name: Copy the CA cert
+  copy:
+    content: "{{ ca_cert }}"
+    dest: /opt/kassandra/ca.crt
+  notify: Restart kassandra
+
+- name: Generate certificate
+  include_role:
+    name: generate-cert
+  vars:
+    directory: /opt/kassandra/
+    cname: "kassandra-{{ lan_address }}"
+    owner: kassandra
+    group:  nogroup
+    key_mode: u=rw,g=,o=
+    subject_alt_name: "IP:{{ lan_address }}"
+# Need an equivalent to notify here
+
+- name: Ensured the certificate is monitored
+  import_tasks: register-cert-to-monitoring.yml
+  vars:
+    target: "{{ lan_address }}:8000|kassandra-{{ lan_address }}|{{ ansible_facts['nodename'] }}"
+
+- name: Copy the daemon configuration
+  template:
+    src: kassandra.service
+    dest: /etc/systemd/system/kassandra.service
+  notify: Restart kassandra
+
+- name: Enable the daemon
+  systemd:
+    name: kassandra
+    state: started
+    enabled: yes
diff --git a/roles/prometheus-alert-manager/tasks/main.yml b/roles/prometheus-alert-manager/tasks/main.yml
new file mode 100644
index 0000000..be60549
--- /dev/null
+++ b/roles/prometheus-alert-manager/tasks/main.yml
@@ -0,0 +1,75 @@
+---
+- name: Install Prometheus Alert Manager
+  apt:
+    name:
+      - prometheus-alertmanager
+    state: latest
+    update_cache: true
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Setup the arguments for alertmanager
+  template:
+    src: prometheus-alertmanager
+    dest: /etc/default/prometheus-alertmanager
+    owner: root
+    group: root
+    mode: '0644'
+  notify: Restart Alertmanager 
+  vars:
+    args:
+      - name: web.listen-address
+        value: "127.0.0.1:9093"
+
+- name: Copy the CA cert
+  copy:
+    content: "{{ ca_cert }}"
+    dest: /etc/prometheus/ca.crt
+  notify: 
+   - Restart Alertmanager
+   - Reload nginx
+
+- name: Generate certificate
+  include_role:
+    name: generate-cert
+  vars:
+    directory: /etc/prometheus/
+    cname: "alertmanager-{{ lan_address }}"
+    owner: prometheus
+    group: prometheus
+    key_mode: u=rw,g=,o=
+    subject_alt_name: "IP:{{ lan_address }}"
+# Need an equivalent to notify here
+
+- name: Ensured the certificate is monitored
+  import_tasks: register-cert-to-monitoring.yml
+  vars:
+    target: "{{ lan_address }}:9093|alertmanager-{{ lan_address }}|{{ ansible_facts['nodename'] }}"
+
+- name: Setup the alertmanager config
+  template:
+    src: alertmanager.yml
+    dest: /etc/prometheus/alertmanager.yml
+    owner: prometheus
+    group: prometheus
+    mode: '0640'
+  notify: Restart Alertmanager
+
+# Here we go, using nginx to add mSSL to prometheus... because who need to authentication on the server with ALL the jucy data?
+# Think prometheus, think!
+- name: Copy the nginx config
+  template:
+    src: atrocious_nginx_stub
+    dest: "/etc/nginx/sites-available/internal-alertmanager"
+  notify: Reload nginx
+
+- name: Activate the config
+  file:
+    src: "/etc/nginx/sites-available/internal-alertmanager"
+    dest: "/etc/nginx/sites-enabled/internal-alertmanager"
+    state: link
+    force: yes
+
+- name: Setup the matrix bot
+  import_tasks: kassandra.yml
diff --git a/roles/prometheus-alert-manager/tasks/register-cert-to-monitoring.yml b/roles/prometheus-alert-manager/tasks/register-cert-to-monitoring.yml
new file mode 100644
index 0000000..82d550a
--- /dev/null
+++ b/roles/prometheus-alert-manager/tasks/register-cert-to-monitoring.yml
@@ -0,0 +1,23 @@
+---
+- name: Get the list of targets of the server
+  slurp:
+    src: /etc/prometheus/targets/blackbox-tls-internal-targets.json
+  register: server_tls_targets_file
+  delegate_to: "{{ appointed_prometheus_server }}"
+
+- name: Set target variable from file
+  set_fact:
+    server_tls_targets: "{{ server_tls_targets_file['content'] | b64decode | from_json }}"
+
+- name: Register the endpoint to the prometheus server
+  block:
+    - name: Add the target
+      set_fact:
+        new_server_tls_targets: "[{{ server_tls_targets[0] | combine({'targets': [target]}, list_merge='append_rp') }}]"
+
+    - name: Put the new target list
+      copy:
+        content: "{{ new_server_tls_targets | to_nice_json }}"
+        dest: /etc/prometheus/targets/blackbox-tls-internal-targets.json
+      delegate_to: "{{ appointed_prometheus_server }}"
+  when: target not in server_tls_targets.0.targets
diff --git a/roles/prometheus-alert-manager/templates/alertmanager.yml b/roles/prometheus-alert-manager/templates/alertmanager.yml
new file mode 100644
index 0000000..d7be71c
--- /dev/null
+++ b/roles/prometheus-alert-manager/templates/alertmanager.yml
@@ -0,0 +1,32 @@
+{{ ansible_managed | comment }}
+# See https://prometheus.io/docs/alerting/configuration/ for documentation.
+
+global:
+  # Config used by default by the receivers
+  http_config:
+    tls_config:
+      ca_file: "/etc/prometheus/ca.crt"
+      cert_file: "/etc/prometheus/alertmanager-{{ lan_address }}.crt"
+      key_file: "/etc/prometheus/alertmanager-{{ lan_address }}.key"
+
+# The directory from which notification templates are read.
+templates: 
+- "/etc/prometheus/alertmanager_templates/*.tmpl"
+
+# The root route on which each incoming alert enters.
+route:
+  repeat_interval: 6h 
+
+  # A default receiver
+  receiver: kassandra
+
+# Inhibition rules allow to mute a set of alerts given that another alert is
+# firing.
+# We use this to mute any warning-level notifications if the same alert is 
+# already critical.
+inhibit_rules:
+
+receivers:
+- name: kassandra
+  webhook_configs:
+  - url: "https://{{ lan_address }}:8000/webhook"
diff --git a/roles/prometheus-alert-manager/templates/atrocious_nginx_stub b/roles/prometheus-alert-manager/templates/atrocious_nginx_stub
new file mode 100644
index 0000000..e45ab96
--- /dev/null
+++ b/roles/prometheus-alert-manager/templates/atrocious_nginx_stub
@@ -0,0 +1,13 @@
+{{ ansible_managed | comment }}
+
+server {
+    listen {{ lan_address }}:9093 ssl;
+    ssl_certificate /etc/prometheus/alertmanager-{{ lan_address }}.crt;
+    ssl_certificate_key /etc/prometheus/alertmanager-{{ lan_address }}.key;
+    ssl_client_certificate /etc/prometheus/ca.crt;
+    ssl_verify_client on;
+
+    location / {
+        proxy_pass http://127.0.0.1:9093;
+    }
+}
diff --git a/roles/prometheus-alert-manager/templates/kassandra-config.yaml b/roles/prometheus-alert-manager/templates/kassandra-config.yaml
new file mode 100644
index 0000000..8f41cce
--- /dev/null
+++ b/roles/prometheus-alert-manager/templates/kassandra-config.yaml
@@ -0,0 +1,16 @@
+---
+{{ ansible_managed | comment }}
+username: {{ kassandra_username }}
+homeserver: https://{{ matrix_server_name}}
+password: {{ kassandra_password }}
+tls: yes
+tls_auth: yes
+host: {{ lan_address }}
+tls_crt: kassandra-{{ lan_address }}.crt
+tls_key: kassandra-{{ lan_address }}.key
+ca_crt: ca.crt
+alert_rooms:
+{% for room in alert_rooms %}
+  - "{{ room }}"
+{% endfor %}
+...
diff --git a/roles/prometheus-alert-manager/templates/kassandra.service b/roles/prometheus-alert-manager/templates/kassandra.service
new file mode 100644
index 0000000..88943c7
--- /dev/null
+++ b/roles/prometheus-alert-manager/templates/kassandra.service
@@ -0,0 +1,12 @@
+{{ ansible_managed | comment }}
+
+[Unit]
+Description=Kassandra bot for alertmanager
+
+[Service]
+WorkingDirectory=/opt/kassandra
+ExecStart=/opt/kassandra/bin/kassandra
+User=kassandra
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/prometheus-alert-manager/templates/prometheus-alertmanager b/roles/prometheus-alert-manager/templates/prometheus-alertmanager
new file mode 100644
index 0000000..ff797fc
--- /dev/null
+++ b/roles/prometheus-alert-manager/templates/prometheus-alertmanager
@@ -0,0 +1,75 @@
+{{ ansible_managed | comment }}
+
+# Set the command-line arguments to pass to the server.
+{% if not args %}
+ARGS=""
+{% else %}
+ARGS="\
+{% for arg in args %}
+      --{{ arg.name }}={{ arg.value }} \
+{% endfor %}
+"
+{% endif %}
+
+# The alert manager supports the following options:
+
+#  --config.file="/etc/prometheus/alertmanager.yml"
+#       Alertmanager configuration file name.
+#  --storage.path="/var/lib/prometheus/alertmanager/"
+#       Base path for data storage.
+#  --data.retention=120h
+#       How long to keep data for.
+#  --alerts.gc-interval=30m
+#       Interval between alert GC.
+#  --log.level=info
+#       Only log messages with the given severity or above.
+#  --web.external-url=WEB.EXTERNAL-URL
+#       The URL under which Alertmanager is externally reachable (for example,
+#       if Alertmanager is served via a reverse proxy). Used for generating
+#       relative and absolute links back to Alertmanager itself. If the URL has
+#       a path portion, it will be used to prefix all HTTP endpoints served by
+#       Alertmanager. If omitted, relevant URL components will be derived
+#       automatically.
+#  --web.route-prefix=WEB.ROUTE-PREFIX
+#       Prefix for the internal routes of web endpoints. Defaults to path of
+#       --web.external-url.
+#  --web.listen-address=":9093"
+#       Address to listen on for the web interface and API.
+#  --web.ui-path="/usr/share/prometheus/alertmanager/ui/"
+#       Path to static UI directory.
+#  --template.default="/usr/share/prometheus/alertmanager/default.tmpl"
+#       Path to default notification template.
+#  --cluster.listen-address="0.0.0.0:9094"
+#       Listen address for cluster.
+#  --cluster.advertise-address=CLUSTER.ADVERTISE-ADDRESS
+#       Explicit address to advertise in cluster.
+#  --cluster.peer=CLUSTER.PEER ...
+#       Initial peers (may be repeated).
+#  --cluster.peer-timeout=15s
+#       Time to wait between peers to send notifications.
+#  --cluster.gossip-interval=200ms
+#       Interval between sending gossip messages. By lowering this value (more
+#       frequent) gossip messages are propagated across the cluster more
+#       quickly at the expense of increased bandwidth.
+#  --cluster.pushpull-interval=1m0s
+#       Interval for gossip state syncs. Setting this interval lower (more
+#       frequent) will increase convergence speeds across larger clusters at
+#       the expense of increased bandwidth usage.
+#  --cluster.tcp-timeout=10s  Timeout for establishing a stream connection
+#       with a remote node for a full state sync, and for stream read and write
+#       operations.
+#  --cluster.probe-timeout=500ms
+#       Timeout to wait for an ack from a probed node before assuming it is
+#       unhealthy. This should be set to 99-percentile of RTT (round-trip time)
+#       on your network.
+#  --cluster.probe-interval=1s
+#       Interval between random node probes. Setting this lower (more frequent)
+#       will cause the cluster to detect failed nodes more quickly at the
+#       expense of increased bandwidth usage.
+#  --cluster.settle-timeout=1m0s
+#       Maximum time to wait for cluster connections to settle before
+#       evaluating notifications.
+#  --cluster.reconnect-interval=10s
+#       Interval between attempting to reconnect to lost peers.
+#  --cluster.reconnect-timeout=6h0m0s
+#       Length of time to attempt to reconnect to a lost peer.
diff --git a/roles/prometheus-blackbox-exporter/files/alerts-blackbox.yml b/roles/prometheus-blackbox-exporter/files/alerts-blackbox.yml
new file mode 100644
index 0000000..33508b6
--- /dev/null
+++ b/roles/prometheus-blackbox-exporter/files/alerts-blackbox.yml
@@ -0,0 +1,47 @@
+---
+groups:
+- name: BlackBoxAllInstances
+  rules:
+
+  - alert: SiteUp
+    expr: probe_success{job="blackbox http-down"} == 1
+    annotations:
+      title: '{{ $labels.instance }} is UP!'
+      description: '{{ $labels.instance }} is now up!'
+    labels:
+      value: "{{ $value }}"
+      severity: 'critical'
+
+  - alert: SiteDown
+    expr: probe_success{job="blackbox http-up"} == 0
+    for: 5m
+    annotations:
+      title: '{{ $labels.instance }} is Down'
+      description: >-
+        {{ $labels.instance }} has been down for more than 5 minutes.
+    labels:
+      value: "{{ $value }}"
+      severity: 'warning'
+
+  - alert: CertExpLess30daysProb
+    expr: (probe_ssl_earliest_cert_expiry{job="blackbox internal tls"}-time()) < 2592000
+    annotations:
+      title: '{{ $labels.cname }} will expire soon'
+      description: >-
+        The certificate {{ $labels.cname }} on {{ $labels.instance }} will expire in
+        {{ $value | humanizeDuration }}, it's time to renew it.
+    labels:
+      value: "{{ $value }}"
+      severity: 'warning'
+
+  - alert: CertExpLess10daysProb
+    expr: (probe_ssl_earliest_cert_expiry{job="blackbox internal tls"}-time()) < 864000
+    annotations:
+      title: '{{ $labels.cname }} expiracy is imminent!'
+      description: >-
+        The certificate {{ $labels.cname }} on {{ $labels.instance }} will expire in
+        {{ $value | humanizeDuration }}!
+    labels:
+      value: "{{ $value }}"
+      severity: 'critical'
+...
diff --git a/roles/prometheus-blackbox-exporter/handlers/main.yml b/roles/prometheus-blackbox-exporter/handlers/main.yml
new file mode 100644
index 0000000..eda96a7
--- /dev/null
+++ b/roles/prometheus-blackbox-exporter/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: Restart blackbox-exporter
+  systemd:
+    name: prometheus-blackbox-exporter.service
+    state: restarted
+
+- name: Restart prometheus
+  systemd:
+    name: prometheus
+    state: restarted
diff --git a/roles/prometheus-blackbox-exporter/meta/main.yml b/roles/prometheus-blackbox-exporter/meta/main.yml
new file mode 100644
index 0000000..ff0926f
--- /dev/null
+++ b/roles/prometheus-blackbox-exporter/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+  - role: install_nginx
diff --git a/roles/prometheus-blackbox-exporter/tasks/main.yml b/roles/prometheus-blackbox-exporter/tasks/main.yml
new file mode 100644
index 0000000..caf3464
--- /dev/null
+++ b/roles/prometheus-blackbox-exporter/tasks/main.yml
@@ -0,0 +1,96 @@
+---
+- name: Install Prometheus Components
+  apt:
+    name:
+      - prometheus-blackbox-exporter
+    state: latest
+    update_cache: true
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Copy the CA cert
+  copy:
+    content: "{{ ca_cert }}"
+    dest: /etc/prometheus/ca.crt
+  notify:
+   - Restart blackbox-exporter
+   - Reload nginx
+
+- name: Generate certificate
+  include_role:
+    name: generate-cert
+  vars:
+    directory: /etc/prometheus/
+    cname: "blackbox-{{ lan_address }}"
+    owner: prometheus
+    group: prometheus
+    key_mode: u=rw,g=,o=
+    subject_alt_name: "IP:{{ lan_address }}"
+# Need an equivalent to notify here
+
+- name: Ensured the certificate is monitored
+  import_tasks: register-cert-to-monitoring.yml
+  vars:
+    target: "{{ lan_address }}:9115|blackbox-{{ lan_address }}|{{ ansible_facts['nodename'] }}"
+
+- name: Setup the blackbox config
+  template:
+    src: blackbox.yml
+    dest: /etc/prometheus/blackbox.yml
+    owner: prometheus
+    group: prometheus
+    mode: '0640'
+  notify: Restart blackbox-exporter
+  no_log: true
+
+#- name: Copy the web-config folder
+#  template:
+#    src: web-config.yaml
+#    dest: /etc/prometheus/web-config-blackbox.yaml
+#    group: prometheus
+#    owner: prometheus
+#    mode: u=rw,g=r,o=r
+#  notify: Restart blackbox-exporter
+
+- name: Setup the arguments for prometheus
+  template:
+    src: prometheus-blackbox-exporter
+    dest: /etc/default/prometheus-blackbox-exporter
+    owner: root
+    group: root
+    mode: '0644'
+  notify: Restart blackbox-exporter
+  vars:
+    args:
+      - name: web.listen-address
+        value: "127.0.0.1:9115"
+#        value: "{{ lan_address }}:9115"
+      - name: config.file
+        value: /etc/prometheus/blackbox.yml
+#      - name: web.config.file 
+#        value: /etc/prometheus/web-config.yaml
+
+## Here we go, using nginx to add mSSL to prometheus... because who need to authentication on the server with ALL the jucy data?
+# Think prometheus, think!
+- name: Copy the nginx config
+  template:
+    src: atrocious_nginx_stub
+    dest: "/etc/nginx/sites-available/internal-blackbox"
+  notify: Reload nginx
+
+- name: Activate the config
+  file:
+    src: "/etc/nginx/sites-available/internal-blackbox"
+    dest: "/etc/nginx/sites-enabled/internal-blackbox"
+    state: link
+    force: yes
+
+- name: Add alert rules for node on the prometheus server
+  copy:
+    src: alerts-blackbox.yml
+    dest: /etc/prometheus/alertsblackbox.yml
+    owner: prometheus
+    group: prometheus
+    mode: u=rw,g=r,o=r
+  notify: Restart prometheus
diff --git a/roles/prometheus-blackbox-exporter/tasks/register-cert-to-monitoring.yml b/roles/prometheus-blackbox-exporter/tasks/register-cert-to-monitoring.yml
new file mode 100644
index 0000000..82d550a
--- /dev/null
+++ b/roles/prometheus-blackbox-exporter/tasks/register-cert-to-monitoring.yml
@@ -0,0 +1,23 @@
+---
+- name: Get the list of targets of the server
+  slurp:
+    src: /etc/prometheus/targets/blackbox-tls-internal-targets.json
+  register: server_tls_targets_file
+  delegate_to: "{{ appointed_prometheus_server }}"
+
+- name: Set target variable from file
+  set_fact:
+    server_tls_targets: "{{ server_tls_targets_file['content'] | b64decode | from_json }}"
+
+- name: Register the endpoint to the prometheus server
+  block:
+    - name: Add the target
+      set_fact:
+        new_server_tls_targets: "[{{ server_tls_targets[0] | combine({'targets': [target]}, list_merge='append_rp') }}]"
+
+    - name: Put the new target list
+      copy:
+        content: "{{ new_server_tls_targets | to_nice_json }}"
+        dest: /etc/prometheus/targets/blackbox-tls-internal-targets.json
+      delegate_to: "{{ appointed_prometheus_server }}"
+  when: target not in server_tls_targets.0.targets
diff --git a/roles/prometheus-blackbox-exporter/templates/atrocious_nginx_stub b/roles/prometheus-blackbox-exporter/templates/atrocious_nginx_stub
new file mode 100644
index 0000000..5478895
--- /dev/null
+++ b/roles/prometheus-blackbox-exporter/templates/atrocious_nginx_stub
@@ -0,0 +1,13 @@
+{{ ansible_managed | comment }}
+
+server {
+    listen {{ lan_address }}:9115 ssl;
+    ssl_certificate /etc/prometheus/blackbox-{{ lan_address }}.crt;
+    ssl_certificate_key /etc/prometheus/blackbox-{{ lan_address }}.key;
+    ssl_client_certificate /etc/prometheus/ca.crt;
+    ssl_verify_client on;
+
+    location / {
+        proxy_pass http://127.0.0.1:9115;
+    }
+}
diff --git a/roles/prometheus-blackbox-exporter/templates/blackbox.yml b/roles/prometheus-blackbox-exporter/templates/blackbox.yml
new file mode 100644
index 0000000..7f4c7df
--- /dev/null
+++ b/roles/prometheus-blackbox-exporter/templates/blackbox.yml
@@ -0,0 +1,23 @@
+{{ ansible_managed | comment }}
+
+modules:
+  http_2xx:
+    prober: http
+    http:
+  http_post_2xx:
+    prober: http
+    http:
+      method: POST
+  tcp_connect:
+    prober: tcp
+  icmp:
+    prober: icmp
+  internal_tls_connect:
+    prober: tcp
+    timeout: 10s
+    tcp:
+      tls: true
+      tls_config:
+        ca_file: '/etc/prometheus/ca.crt'
+        cert_file: '/etc/prometheus/blackbox-{{ lan_address }}.crt'
+        key_file: '/etc/prometheus/blackbox-{{ lan_address }}.key'
diff --git a/roles/prometheus-blackbox-exporter/templates/prometheus-blackbox-exporter b/roles/prometheus-blackbox-exporter/templates/prometheus-blackbox-exporter
new file mode 100644
index 0000000..43aed1e
--- /dev/null
+++ b/roles/prometheus-blackbox-exporter/templates/prometheus-blackbox-exporter
@@ -0,0 +1,21 @@
+{{ ansible_managed | comment }}
+
+# Set the command-line arguments to pass to the server.
+{% if not args %}
+ARGS=""
+{% else %}
+ARGS="\
+{% for arg in args %}
+      --{{ arg.name }}={{ arg.value }} \
+{% endfor %}
+"
+{% endif %}
+
+# Usage of prometheus-blackbox-exporter:
+#   --config.file="blackbox.yml"
+#                         Blackbox exporter configuration file.
+#   --web.listen-address=":9115"
+#                         The address to listen on for HTTP requests.
+#   --timeout-offset=0.5  Offset to subtract from timeout in seconds.
+#   --log.level=info      Only log messages with the given severity or above.
+#                         One of: [debug, info, warn, error]
diff --git a/roles/prometheus-blackbox-exporter/templates/targets.json b/roles/prometheus-blackbox-exporter/templates/targets.json
new file mode 100644
index 0000000..64d12f6
--- /dev/null
+++ b/roles/prometheus-blackbox-exporter/templates/targets.json
@@ -0,0 +1,6 @@
+[
+    {
+        "targets": [
+        ]
+    }
+]
diff --git a/roles/prometheus-blackbox-exporter/templates/web-config.yaml b/roles/prometheus-blackbox-exporter/templates/web-config.yaml
new file mode 100644
index 0000000..1c4eb72
--- /dev/null
+++ b/roles/prometheus-blackbox-exporter/templates/web-config.yaml
@@ -0,0 +1,7 @@
+{{ ansible_managed | comment }}
+
+tls_server_config:
+  cert_file: "/etc/prometheus/blackbox-{{ lan_address }}.crt"
+  key_file: "/etc/prometheus/blackbox-{{ lan_address }}.key"
+  client_auth_type: "RequireAndVerifyClientCert"
+  client_ca_file: "/etc/prometheus/ca.crt"
diff --git a/roles/prometheus-node-exporter/files/alerts-node.yml b/roles/prometheus-node-exporter/files/alerts-node.yml
new file mode 100644
index 0000000..84c0195
--- /dev/null
+++ b/roles/prometheus-node-exporter/files/alerts-node.yml
@@ -0,0 +1,181 @@
+---
+groups:
+- name: NodeAllInstances
+  rules:
+
+  - alert: InstanceDown
+    expr: up{job='node'} == 0
+    for: 5m
+    annotations:
+      title: 'Instance {{ $labels.instance }} down'
+      description: >-
+        {{ $labels.instance }} has been down for more than 5 minutes.
+    labels:
+      value: "{{ $value }}"
+      severity: critical
+
+  - alert: OutOfDiskSpace
+    expr: (100 - node_filesystem_avail_bytes{} *100 / node_filesystem_size_bytes{}) > 80
+    for: 1m
+    annotations:
+      title: '`{{ $labels.instance }}:{{ $labels.mountpoint }}` is out of space'
+      description: >-
+         Partition `{{ $labels.mountpoint }}` (`{{ $labels.device }}`) of {{ $labels.instance }}
+         uses {{ $value | printf "%.1f" }}% of its capacity.
+    labels:
+      value: "{{ $value }}"
+      severity: warning
+
+  - alert: OutOfMemory
+    expr: >-
+      (
+          node_memory_MemTotal_bytes
+          - node_memory_MemFree_bytes
+          - node_memory_Cached_bytes
+          - node_memory_Buffers_bytes
+        ) / node_memory_MemTotal_bytes * 100 > 80
+    for: 1m
+    annotations:
+      title: '{{ $labels.instance }} is out of memory'
+      description: >-
+         {{ $labels.instance }} uses {{ $value | printf "%.1f" }}% of its memory capacity.
+    labels:
+      value: "{{ $value }}"
+      severity: warning
+
+  - alert: OutOfInode
+    expr: >-
+      (
+         node_filesystem_files
+         - node_filesystem_files_free
+       ) / node_filesystem_files * 100 >= 90
+    for: 5m
+    annotations:
+      title: '`{{ $labels.instance }}:{{ $labels.mountpoint }}` is out of Inodes'
+      description: >-
+         Partition {{ $labels.mountpoint }} ({{ $labels.device }}) of {{ $labels.instance }}
+         uses {{ $value | printf "%.1f" }}% of its Inodes.
+    labels:
+      value: "{{ $value }}"
+      severity: warning
+
+  - alert: Swapping
+    expr: >-
+      (
+         node_memory_SwapTotal_bytes
+         - node_memory_SwapFree_bytes
+       ) / node_memory_SwapTotal_bytes * 100 >= 50
+    for: 5m
+    annotations:
+      title: '{{ $labels.instance }} is using a lot of swap'
+      description: >-
+         {{ $labels.instance }} uses {{ $value | printf "%.1f" }}% of its memory capacity.
+    labels:
+      value: "{{ $value }}"
+      severity: warning
+
+  - alert: PhysicalComponentTooHot
+    expr: node_hwmon_temp_celsius > 79
+    for: 5m
+    annotations:
+      title: '{{ $labels.instance }} is heating up'
+      description: >-
+        The internal temperature of {{ $labels.instance }} is {{ $value }}°C!
+    labels:
+      value: "{{ $value }}"
+      severity: critical
+
+  - alert: PhysicalComponentHeatAlarm
+    expr: node_hwmon_temp_crit_alarm_celsius == 1
+    for: 0m
+    annotations:
+      title: 'The temperature alarm of {{ $labels.instance }} is up'
+      description: >-
+        Do something!
+    labels:
+      value: "{{ $value }}"
+      severity: critical
+
+  - alert: OOMKill
+    expr: increase(node_vmstat_oom_kill[1m]) > 0
+    for: 0m
+    annotations:
+      title: 'The kernel is killing processes'
+      description: >-
+        The kernel killed {{ $value }} proccesses (OOM killer)
+    labels:
+      value: "{{ $value }}"
+      severity: warning
+
+  - alert: CorrectableErrorDetected
+    expr: increase(node_edac_correctable_errors_total[1m]) > 0
+    for: 0m
+    annotations:
+      title: 'Memory errors have been corrected'
+      description: >-
+        {{ $value | printf "%.1f" }} error(s) have been corrected (EDAC)
+    labels:
+      value: "{{ $value }}"
+      severity: warning
+
+  - alert: UncorrectableErrorDetected
+    expr: increase(node_edac_uncorrectable_errors_total[1m]) > 0
+    for: 0m
+    annotations:
+      title: 'Memory errors could not be corrected'
+      description: >-
+        {{ $value | printf "%.1f" }} error(s) could not be corrected (EDAC)
+    labels:
+      value: "{{ $value }}"
+      severity: warning
+
+  - alert: UnhealthyDisk
+    expr: >-
+      (
+        smartmon_device_smart_healthy
+          and on (instance, disk)
+        smartmon_device_info{product!="QEMU HARDDISK"}
+      ) < 1
+    for: 10m
+    annotations:
+      title: '`{{ $labels.instance }}:{{ $labels.disk }}` is unhealthy'
+      description: >-
+        Smartools detected that `{{ $labels.disk }}` on {{ $labels.instance }} is unhealthy
+        and will probably need to be changed.
+    labels:
+      value: "{{ $value }}"
+      severity: critical
+
+  - alert: ServiceFailed
+    expr: node_systemd_unit_state{state="failed"}==1
+    for: 10m
+    annotations:
+      title: '{{ $labels.name }} failed'
+      description: >-
+        The systemd service {{ $labels.name }} failed on {{ $labels.instance }}
+    labels:
+      value: "{{ $value }}"
+      severity: warning
+
+  - alert: CertExpLess30days
+    expr: (local_x509_expiry_date{job="blackbox internal tls"}-time()) < 2592000
+    annotations:
+      title: '{{ $labels.cname }} will expire soon'
+      description: >-
+        The certificate {{ $labels.cname }} on {{ $labels.instance }} at {{ $labels.file }}
+        will expire in  {{ $value | humanizeDuration }}, it's time to renew it.
+    labels:
+      value: "{{ $value }}"
+      severity: 'warning'
+
+  - alert: CertExpLess10days
+    expr: (local_x509_expiry_date{job="blackbox internal tls"}-time()) < 864000
+    annotations:
+      title: '{{ $labels.cname }} expiracy is imminent!'
+      description: >-
+        The certificate {{ $labels.cname }} on {{ $labels.instance }} at {{ $labels.file }}
+        will expire in  {{ $value | humanizeDuration }}, RENEW IT!!!
+    labels:
+      value: "{{ $value }}"
+      severity: 'critical'
+...
diff --git a/roles/prometheus-node-exporter/files/local_x509.sh b/roles/prometheus-node-exporter/files/local_x509.sh
new file mode 100755
index 0000000..d7dce10
--- /dev/null
+++ b/roles/prometheus-node-exporter/files/local_x509.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+sanitize() {
+    while read -r data; do
+        set -- $data
+        printf %q "$1" | sed -e 's/\\ / /g'
+    done
+}
+
+print_metric() {
+    while read -r data; do
+        set -- $data
+		if [ -f "$1" ]; then
+            exp_date=`openssl x509 -enddate --noout -in "$1" | sed -e 's/notAfter=//g'`
+            exp_date_unixtime=`date -d "$exp_date" -u +%s`
+            cname=`openssl x509 -subject --noout -in "$1" | sed -e 's/^.*CN = //' | sed -e 's/,.*$//' | sanitize`
+            filename=`realpath "$1" | sanitize`
+            echo "local_x509_expiry_date{cname=\"$cname\",file=\"$filename\"} $exp_date_unixtime"
+		fi
+    done
+}
+
+echo '# HELP local_x509_expiry_date The cert expiry date in unixtime'
+echo '# TYPE local_x509_expiry_date gauge'
+printf '%s\n' "$@" | print_metric
diff --git a/roles/prometheus-node-exporter/files/prometheus-node-exporter-local_x509 b/roles/prometheus-node-exporter/files/prometheus-node-exporter-local_x509
new file mode 100644
index 0000000..24cd9e1
--- /dev/null
+++ b/roles/prometheus-node-exporter/files/prometheus-node-exporter-local_x509
@@ -0,0 +1,5 @@
+# The list of certs to monitor
+ARGS="
+    /etc/letsencrypt/live/**/cert.pem
+    /etc/hackypky/crts/*.crt
+"
diff --git a/roles/prometheus-node-exporter/files/prometheus-node-exporter-local_x509.service b/roles/prometheus-node-exporter/files/prometheus-node-exporter-local_x509.service
new file mode 100644
index 0000000..8dc3982
--- /dev/null
+++ b/roles/prometheus-node-exporter/files/prometheus-node-exporter-local_x509.service
@@ -0,0 +1,8 @@
+[Unit]
+Description=Collect local x509 certificate metrics for prometheus-node-exporter
+
+[Service]
+Type=oneshot
+EnvironmentFile=/etc/default/prometheus-node-exporter-local_x509
+Environment=TMPDIR=/var/lib/prometheus/node-exporter
+ExecStart=/bin/bash -c "/usr/share/prometheus-node-exporter-collectors/local_x509.sh $ARGS | sponge /var/lib/prometheus/node-exporter/local_x509.prom"
diff --git a/roles/prometheus-node-exporter/files/prometheus-node-exporter-local_x509.timer b/roles/prometheus-node-exporter/files/prometheus-node-exporter-local_x509.timer
new file mode 100644
index 0000000..87f65a5
--- /dev/null
+++ b/roles/prometheus-node-exporter/files/prometheus-node-exporter-local_x509.timer
@@ -0,0 +1,9 @@
+[Unit]
+Description=Run local x509  metrics collection every 15 minutes
+
+[Timer]
+OnBootSec=0
+OnUnitActiveSec=15min
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/prometheus-node-exporter/handlers/main.yml b/roles/prometheus-node-exporter/handlers/main.yml
new file mode 100644
index 0000000..e2be9c1
--- /dev/null
+++ b/roles/prometheus-node-exporter/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: Restart prometheus-node-exporter
+  systemd:
+    name: prometheus-node-exporter
+    state: restarted
+- name: Restart appointed_prometheus_server
+  systemd:
+    name: prometheus
+    state: restarted
+  delegate_to: "{{ appointed_prometheus_server }}"
diff --git a/roles/prometheus-node-exporter/tasks/local_x509_collector.yml b/roles/prometheus-node-exporter/tasks/local_x509_collector.yml
new file mode 100644
index 0000000..e7c896b
--- /dev/null
+++ b/roles/prometheus-node-exporter/tasks/local_x509_collector.yml
@@ -0,0 +1,69 @@
+---
+- name: Install moreutils # we need the sponge command
+  apt:
+    name:
+      - moreutils
+    state: latest
+    update_cache: true
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Ensure /usr/share/prometheus-node-exporter exist
+  file:
+    path: /usr/share/prometheus-node-exporter/
+    state: directory
+    group: root
+    owner: root
+    mode: u=rwx,g=rx,o=rx
+
+# Optionnal, but used with the hacky_pki role
+- name: Ensure /etc/hackypky/crts/ exist
+  file:
+    path: "{{ item }}"
+    state: directory
+    group: root
+    owner: root
+    mode: u=rwx,g=rx,o=rx
+  loop:
+    - /etc/hackypky
+    - /etc/hackypky/crts
+
+- name: Add the script
+  copy:
+    src: local_x509.sh
+    dest: /usr/share/prometheus-node-exporter-collectors/local_x509.sh
+    group: root
+    owner: root
+    mode: u=rwx,g=,o=
+
+- name: Add the env file
+  copy:
+    src: prometheus-node-exporter-local_x509
+    dest: /etc/default/prometheus-node-exporter-local_x509
+    group: root
+    owner: root
+    force: no
+    mode: u=rwx,g=r,o=r
+
+- name: Add the timer
+  copy:
+    src: prometheus-node-exporter-local_x509.timer
+    dest: /lib/systemd/system/prometheus-node-exporter-local_x509.timer
+    group: root
+    owner: root
+    mode: u=rw,g=r,o=r
+
+- name: Add the service
+  copy:
+    src: prometheus-node-exporter-local_x509.service
+    dest: /lib/systemd/system/prometheus-node-exporter-local_x509.service
+    group: root
+    owner: root
+    mode: u=rw,g=r,o=r
+
+- name: Enable the timer
+  systemd:
+    name: prometheus-node-exporter-local_x509.timer
+    enabled: true
+    state: started
diff --git a/roles/prometheus-node-exporter/tasks/main.yml b/roles/prometheus-node-exporter/tasks/main.yml
new file mode 100644
index 0000000..db8b2a8
--- /dev/null
+++ b/roles/prometheus-node-exporter/tasks/main.yml
@@ -0,0 +1,130 @@
+---
+- name: Use a newer version of Node exporter for ubuntu 20.04
+  block:
+    - name: Set the default release
+      lineinfile:
+        path: /etc/apt/apt.conf.d/01-vendor-ubuntu
+        regexp: '^APT::Default-Release '
+        line: "APT::Default-Release \"{{ ansible_facts['lsb']['codename'] }}\";"
+    - name: Pin node exporter
+      copy:
+        dest: /etc/apt/preferences.d/pin-prometheus-node-exporter
+        content: |
+          Package: prometheus-node-exporter
+          Pin: release n={{ ansible_facts['lsb']['codename'] }}
+          Pin-Priority: -10
+          
+          Package: prometheus-node-exporter
+          Pin: release n=groovy
+          Pin-Priority: 900
+    - name: Add the repo from groovy
+      apt_repository:
+        repo: deb http://fr.archive.ubuntu.com/ubuntu groovy universe
+        state: present
+  when: ansible_facts['lsb']['id'] == 'Ubuntu' and ansible_facts['lsb']['codename'] == 'focal'
+
+- name: Install Prometheus Node exporter
+  apt:
+    name:
+      - prometheus-node-exporter
+      - prometheus-node-exporter-collectors
+    state: latest
+    update_cache: true
+    install_recommends: false  # Do not install smartmontools
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+
+- name: Install the local_x509 exporter
+  import_tasks: local_x509_collector.yml
+
+- name: Ensure /etc/node_exporter exist
+  file:
+    path: /etc/node_exporter
+    state: directory
+    group: prometheus
+    owner: prometheus
+    mode: u=rwx,g=rx,o=rx
+
+- name: Copy the config folder
+  template:
+    src: config.yaml
+    dest: /etc/node_exporter/config.yaml
+    group: prometheus
+    owner: prometheus
+    mode: u=rw,g=r,o=r
+  notify: Restart prometheus-node-exporter
+
+- name: Copy the CA cert
+  copy:
+    content: "{{ ca_cert }}"
+    dest: /etc/node_exporter/ca.crt
+  notify: Restart prometheus-node-exporter
+
+- name: Generate certificate
+  include_role:
+    name: generate-cert
+  vars:
+    directory: /etc/node_exporter/
+    cname: "node-exp-{{ lan_address }}"
+    owner: prometheus
+    group: prometheus
+    key_mode: u=rw,g=,o=
+    subject_alt_name: "IP:{{ lan_address }}"
+# Need an equivalent to notify here
+
+- name: Ensured the certificate is monitored
+  import_tasks: register-cert-to-monitoring.yml
+  vars:
+    target: "{{ lan_address }}:9100|node-exp-{{ lan_address }}|{{ ansible_facts['nodename'] }}"
+
+- name: Setup the arguments for node-exporter
+  template:
+    src: prometheus-node-exporter
+    dest: /etc/default/prometheus-node-exporter
+    owner: root
+    group: root
+    mode: u=rw,g=r,o=r
+  notify: Restart prometheus-node-exporter
+  vars:
+    args:
+      - name: web.listen-address
+        value: "{{ lan_address }}:9100"
+      - name: web.config
+        value: /etc/node_exporter/config.yaml
+
+- name: Add the node to the server targets
+  block:
+    - name: Get the list of targets of the server
+      slurp:
+        src: /etc/prometheus/targets/node-targets.json
+      register: server_node_target_file
+      delegate_to: "{{ appointed_prometheus_server }}"
+    
+    - name: Set target variable
+      set_fact:
+        server_node_target: "{{ server_node_target_file['content'] | b64decode | from_json }}"
+    
+    - name: Register the node to the prometheus server
+      block:
+        - name: Add the node to the targets
+          set_fact:
+            new_server_node_target: "[{{ server_node_target[0] | combine({'targets': [lan_address + '|' + ansible_facts['nodename']]}, list_merge='append_rp') }}]"
+        
+        - name: Put the new target list
+          copy:
+            content: "{{ new_server_node_target | to_nice_json }}"
+            dest: /etc/prometheus/node-targets.json
+          delegate_to: "{{ appointed_prometheus_server }}"
+      when: (lan_address + '|' + ansible_facts['nodename']) not in server_node_target.0.targets
+
+- name: Add alert rules for node on the prometheus server
+  copy:
+    src: alerts-node.yml
+    dest: /etc/prometheus/alerts/node.yml
+    owner: prometheus
+    group: prometheus
+    mode: u=rw,g=r,o=r
+  delegate_to: "{{ appointed_prometheus_server }}"
+  notify: Restart appointed_prometheus_server
diff --git a/roles/prometheus-node-exporter/tasks/register-cert-to-monitoring.yml b/roles/prometheus-node-exporter/tasks/register-cert-to-monitoring.yml
new file mode 100644
index 0000000..82d550a
--- /dev/null
+++ b/roles/prometheus-node-exporter/tasks/register-cert-to-monitoring.yml
@@ -0,0 +1,23 @@
+---
+- name: Get the list of targets of the server
+  slurp:
+    src: /etc/prometheus/targets/blackbox-tls-internal-targets.json
+  register: server_tls_targets_file
+  delegate_to: "{{ appointed_prometheus_server }}"
+
+- name: Set target variable from file
+  set_fact:
+    server_tls_targets: "{{ server_tls_targets_file['content'] | b64decode | from_json }}"
+
+- name: Register the endpoint to the prometheus server
+  block:
+    - name: Add the target
+      set_fact:
+        new_server_tls_targets: "[{{ server_tls_targets[0] | combine({'targets': [target]}, list_merge='append_rp') }}]"
+
+    - name: Put the new target list
+      copy:
+        content: "{{ new_server_tls_targets | to_nice_json }}"
+        dest: /etc/prometheus/targets/blackbox-tls-internal-targets.json
+      delegate_to: "{{ appointed_prometheus_server }}"
+  when: target not in server_tls_targets.0.targets
diff --git a/roles/prometheus-node-exporter/templates/config.yaml b/roles/prometheus-node-exporter/templates/config.yaml
new file mode 100644
index 0000000..978919e
--- /dev/null
+++ b/roles/prometheus-node-exporter/templates/config.yaml
@@ -0,0 +1,7 @@
+{{ ansible_managed | comment }}
+
+tls_server_config:
+  cert_file: "/etc/node_exporter/node-exp-{{ lan_address }}.crt"
+  key_file: "/etc/node_exporter/node-exp-{{ lan_address }}.key"
+  client_auth_type: "RequireAndVerifyClientCert"
+  client_ca_file: "/etc/node_exporter/ca.crt"
diff --git a/roles/prometheus-node-exporter/templates/prometheus-node-exporter b/roles/prometheus-node-exporter/templates/prometheus-node-exporter
new file mode 100644
index 0000000..a42b81f
--- /dev/null
+++ b/roles/prometheus-node-exporter/templates/prometheus-node-exporter
@@ -0,0 +1,138 @@
+{{ ansible_managed | comment }}
+
+# Set the command-line arguments to pass to the server.
+# Due to shell scaping, to pass backslashes for regexes, you need to double
+# them (\\d for \d). If running under systemd, you need to double them again
+# (\\\\d to mean \d), and escape newlines too.
+{% if not args %}
+ARGS=""
+{% else %}
+ARGS="\
+{% for arg in args %}
+      --{{ arg.name }}={{ arg.value }} \
+{% endfor %}
+"
+{% endif %}
+
+# Prometheus-node-exporter supports the following options:
+#
+#  --collector.diskstats.ignored-devices="^(ram|loop|fd|(h|s|v|xv)d[a-z]|nvme\\d+n\\d+p)\\d+$"
+#                            Regexp of devices to ignore for diskstats.
+#  --collector.filesystem.ignored-mount-points="^/(dev|proc|run|sys|mnt|media|var/lib/docker)($|/)"
+#                            Regexp of mount points to ignore for filesystem
+#                            collector.
+#  --collector.filesystem.ignored-fs-types="^(autofs|binfmt_misc|cgroup|configfs|debugfs|devpts|devtmpfs|fusectl|hugetlbfs|mqueue|overlay|proc|procfs|pstore|rpc_pipefs|securityfs|sysfs|tracefs)$"
+#                            Regexp of filesystem types to ignore for
+#                            filesystem collector.
+#  --collector.netdev.ignored-devices="^lo$"
+#                            Regexp of net devices to ignore for netdev
+#                            collector.
+#  --collector.netstat.fields="^(.*_(InErrors|InErrs)|Ip_Forwarding|Ip(6|Ext)_(InOctets|OutOctets)|Icmp6?_(InMsgs|OutMsgs)|TcpExt_(Listen.*|Syncookies.*)|Tcp_(ActiveOpens|PassiveOpens|RetransSegs|CurrEstab)|Udp6?_(InDatagrams|OutDatagrams|NoPorts))$"
+#                            Regexp of fields to return for netstat
+#                            collector.
+#  --collector.ntp.server="127.0.0.1"
+#                            NTP server to use for ntp collector
+#  --collector.ntp.protocol-version=4
+#                            NTP protocol version
+#  --collector.ntp.server-is-local
+#                            Certify that collector.ntp.server address is the
+#                            same local host as this collector.
+#  --collector.ntp.ip-ttl=1  IP TTL to use while sending NTP query
+#  --collector.ntp.max-distance=3.46608s
+#                            Max accumulated distance to the root
+#  --collector.ntp.local-offset-tolerance=1ms
+#                            Offset between local clock and local ntpd time
+#                            to tolerate
+#  --path.procfs="/proc"     procfs mountpoint.
+#  --path.sysfs="/sys"       sysfs mountpoint.
+#  --collector.qdisc.fixtures=""
+#                            test fixtures to use for qdisc collector
+#                            end-to-end testing
+#  --collector.runit.servicedir="/etc/service"
+#                            Path to runit service directory.
+#  --collector.supervisord.url="http://localhost:9001/RPC2"
+#                            XML RPC endpoint.
+#  --collector.systemd.unit-whitelist=".+"
+#                            Regexp of systemd units to whitelist. Units must
+#                            both match whitelist and not match blacklist to
+#                            be included.
+#  --collector.systemd.unit-blacklist=".+(\\.device|\\.scope|\\.slice|\\.target)"
+#                            Regexp of systemd units to blacklist. Units must
+#                            both match whitelist and not match blacklist to
+#                            be included.
+#  --collector.systemd.private
+#                            Establish a private, direct connection to
+#                            systemd without dbus.
+#  --collector.textfile.directory="/var/lib/prometheus/node-exporter"
+#                            Directory to read text files with metrics from.
+#  --collector.vmstat.fields="^(oom_kill|pgpg|pswp|pg.*fault).*"
+#                            Regexp of fields to return for vmstat collector.
+#  --collector.wifi.fixtures=""
+#                            test fixtures to use for wifi collector metrics
+#  --collector.arp           Enable the arp collector (default: enabled).
+#  --collector.bcache        Enable the bcache collector (default: enabled).
+#  --collector.bonding       Enable the bonding collector (default: enabled).
+#  --collector.buddyinfo     Enable the buddyinfo collector (default:
+#                            disabled).
+#  --collector.conntrack     Enable the conntrack collector (default:
+#                            enabled).
+#  --collector.cpu           Enable the cpu collector (default: enabled).
+#  --collector.diskstats     Enable the diskstats collector (default:
+#                            enabled).
+#  --collector.drbd          Enable the drbd collector (default: disabled).
+#  --collector.edac          Enable the edac collector (default: enabled).
+#  --collector.entropy       Enable the entropy collector (default: enabled).
+#  --collector.filefd        Enable the filefd collector (default: enabled).
+#  --collector.filesystem    Enable the filesystem collector (default:
+#                            enabled).
+#  --collector.hwmon         Enable the hwmon collector (default: enabled).
+#  --collector.infiniband    Enable the infiniband collector (default:
+#                            enabled).
+#  --collector.interrupts    Enable the interrupts collector (default:
+#                            disabled).
+#  --collector.ipvs          Enable the ipvs collector (default: enabled).
+#  --collector.ksmd          Enable the ksmd collector (default: disabled).
+#  --collector.loadavg       Enable the loadavg collector (default: enabled).
+#  --collector.logind        Enable the logind collector (default: disabled).
+#  --collector.mdadm         Enable the mdadm collector (default: enabled).
+#  --collector.meminfo       Enable the meminfo collector (default: enabled).
+#  --collector.meminfo_numa  Enable the meminfo_numa collector (default:
+#                            disabled).
+#  --collector.mountstats    Enable the mountstats collector (default:
+#                            disabled).
+#  --collector.netdev        Enable the netdev collector (default: enabled).
+#  --collector.netstat       Enable the netstat collector (default: enabled).
+#  --collector.nfs           Enable the nfs collector (default: enabled).
+#  --collector.nfsd          Enable the nfsd collector (default: enabled).
+#  --collector.ntp           Enable the ntp collector (default: disabled).
+#  --collector.qdisc         Enable the qdisc collector (default: disabled).
+#  --collector.runit         Enable the runit collector (default: disabled).
+#  --collector.sockstat      Enable the sockstat collector (default:
+#                            enabled).
+#  --collector.stat          Enable the stat collector (default: enabled).
+#  --collector.supervisord   Enable the supervisord collector (default:
+#                            disabled).
+#  --collector.systemd       Enable the systemd collector (default: enabled).
+#  --collector.tcpstat       Enable the tcpstat collector (default:
+#                            disabled).
+#  --collector.textfile      Enable the textfile collector (default:
+#                            enabled).
+#  --collector.time          Enable the time collector (default: enabled).
+#  --collector.uname         Enable the uname collector (default: enabled).
+#  --collector.vmstat        Enable the vmstat collector (default: enabled).
+#  --collector.wifi          Enable the wifi collector (default: enabled).
+#  --collector.xfs           Enable the xfs collector (default: enabled).
+#  --collector.zfs           Enable the zfs collector (default: enabled).
+#  --collector.timex         Enable the timex collector (default: enabled).
+#  --web.listen-address=":9100"
+#                            Address on which to expose metrics and web
+#                            interface.
+#  --web.telemetry-path="/metrics"
+#                            Path under which to expose metrics.
+#  --log.level="info"        Only log messages with the given severity or
+#                            above. Valid levels: [debug, info, warn, error,
+#                            fatal]
+#  --log.format="logger:stderr"
+#                            Set the log target and format. Example:
+#                            "logger:syslog?appname=bob&local=7" or
+#                            "logger:stdout?json=true"
diff --git a/roles/prometheus/handlers/main.yml b/roles/prometheus/handlers/main.yml
new file mode 100644
index 0000000..7939649
--- /dev/null
+++ b/roles/prometheus/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: Restart prometheus
+  systemd:
+    name: prometheus
+    state: restarted
diff --git a/roles/prometheus/meta/main.yml b/roles/prometheus/meta/main.yml
new file mode 100644
index 0000000..ff0926f
--- /dev/null
+++ b/roles/prometheus/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+  - role: install_nginx
diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml
new file mode 100644
index 0000000..2acae58
--- /dev/null
+++ b/roles/prometheus/tasks/main.yml
@@ -0,0 +1,117 @@
+---
+- name: Install Prometheus Components
+  apt:
+    name:
+      - prometheus
+      - prometheus-pushgateway
+    state: latest
+    update_cache: true
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Ensure the alert folder exist
+  file:
+    path: /etc/prometheus/alerts
+    state: directory
+    group: prometheus
+    owner: prometheus
+    mode: u=rwx,g=rx,o=rx
+
+- name: Ensure the target folder exist
+  file:
+    path: /etc/prometheus/targets
+    state: directory
+    group: prometheus
+    owner: prometheus
+    mode: u=rwx,g=rx,o=rx
+
+- name: Copy the CA cert
+  copy:
+    content: "{{ ca_cert }}"
+    dest: /etc/prometheus/ca.crt
+  notify:
+   - Restart prometheus
+   - Reload nginx
+
+- name: Generate certificate
+  include_role:
+    name: generate-cert
+  vars:
+    directory: /etc/prometheus/
+    cname: "prometheus-{{ lan_address }}"
+    owner: prometheus
+    group: prometheus
+    key_mode: u=rw,g=,o=
+    subject_alt_name: "IP:{{ lan_address }}"
+# Need an equivalent to notify here
+
+- name: Ensured the certificate is monitored
+  import_tasks: register-cert-to-monitoring.yml
+  vars:
+    target: "{{ lan_address }}:9090|prometheus-{{ lan_address }}|{{ ansible_facts['nodename'] }}"
+
+- name: Setup the prometheus config
+  template:
+    src: prometheus.yml
+    dest: /etc/prometheus/prometheus.yml
+    owner: prometheus
+    group: prometheus
+    mode: '0640'
+  notify: Restart prometheus
+  no_log: true
+
+- name: Add node targets file
+  template:
+    src: node-targets.json
+    dest: "/etc/prometheus/targets/{{ item }}-targets.json"
+    owner: prometheus
+    group: prometheus
+    mode: '0640'
+    force: no
+  notify: Restart prometheus
+  loop:
+    - blackbox-http-down
+    - blackbox-http-up
+    - blackbox-tls-internal
+    - node
+
+- name: Copy the web-config folder
+  template:
+    src: web-config.yaml
+    dest: /etc/prometheus/web-config.yaml
+    group: prometheus
+    owner: prometheus
+    mode: u=rw,g=r,o=r
+  notify: Restart prometheus
+
+- name: Setup the arguments for prometheus
+  template:
+    src: prometheus
+    dest: /etc/default/prometheus
+    owner: root
+    group: root
+    mode: '0644'
+  notify: Restart prometheus
+  vars:
+    args:
+      - name: web.listen-address
+        value: "127.0.0.1:9090"
+#        value: "{{ lan_address }}:9090"
+#      - name: web.config.file # Not available before 2.24, and it sucks
+#        value: /etc/prometheus/web-config.yaml
+
+# Here we go, using nginx to add mSSL to prometheus... because who need to authentication on the server with ALL the jucy data?
+# Think prometheus, think!
+- name: Copy the nginx config
+  template:
+    src: atrocious_nginx_stub
+    dest: "/etc/nginx/sites-available/internal-prometheus"
+  notify: Reload nginx
+
+- name: Activate the config
+  file:
+    src: "/etc/nginx/sites-available/internal-prometheus"
+    dest: "/etc/nginx/sites-enabled/internal-prometheus"
+    state: link
+    force: yes
diff --git a/roles/prometheus/tasks/register-cert-to-monitoring.yml b/roles/prometheus/tasks/register-cert-to-monitoring.yml
new file mode 100644
index 0000000..82d550a
--- /dev/null
+++ b/roles/prometheus/tasks/register-cert-to-monitoring.yml
@@ -0,0 +1,23 @@
+---
+- name: Get the list of targets of the server
+  slurp:
+    src: /etc/prometheus/targets/blackbox-tls-internal-targets.json
+  register: server_tls_targets_file
+  delegate_to: "{{ appointed_prometheus_server }}"
+
+- name: Set target variable from file
+  set_fact:
+    server_tls_targets: "{{ server_tls_targets_file['content'] | b64decode | from_json }}"
+
+- name: Register the endpoint to the prometheus server
+  block:
+    - name: Add the target
+      set_fact:
+        new_server_tls_targets: "[{{ server_tls_targets[0] | combine({'targets': [target]}, list_merge='append_rp') }}]"
+
+    - name: Put the new target list
+      copy:
+        content: "{{ new_server_tls_targets | to_nice_json }}"
+        dest: /etc/prometheus/targets/blackbox-tls-internal-targets.json
+      delegate_to: "{{ appointed_prometheus_server }}"
+  when: target not in server_tls_targets.0.targets
diff --git a/roles/prometheus/templates/atrocious_nginx_stub b/roles/prometheus/templates/atrocious_nginx_stub
new file mode 100644
index 0000000..c28eefb
--- /dev/null
+++ b/roles/prometheus/templates/atrocious_nginx_stub
@@ -0,0 +1,13 @@
+{{ ansible_managed | comment }}
+
+server {
+    listen {{ lan_address }}:9090 ssl;
+    ssl_certificate /etc/prometheus/prometheus-{{ lan_address }}.crt;
+    ssl_certificate_key /etc/prometheus/prometheus-{{ lan_address }}.key;
+    ssl_client_certificate /etc/prometheus/ca.crt;
+    ssl_verify_client on;
+
+    location / {
+        proxy_pass http://127.0.0.1:9090;
+    }
+}
diff --git a/roles/prometheus/templates/node-targets.json b/roles/prometheus/templates/node-targets.json
new file mode 100644
index 0000000..64d12f6
--- /dev/null
+++ b/roles/prometheus/templates/node-targets.json
@@ -0,0 +1,6 @@
+[
+    {
+        "targets": [
+        ]
+    }
+]
diff --git a/roles/prometheus/templates/prometheus b/roles/prometheus/templates/prometheus
new file mode 100644
index 0000000..f9b387f
--- /dev/null
+++ b/roles/prometheus/templates/prometheus
@@ -0,0 +1,67 @@
+{{ ansible_managed | comment }}
+
+# Set the command-line arguments to pass to the server.
+{% if not args %}
+ARGS=""
+{% else %}
+ARGS="\
+{% for arg in args %}
+      --{{ arg.name }}={{ arg.value }} \
+{% endfor %}
+"
+{% endif %}
+
+# Prometheus supports the following options:
+#  --config.file="/etc/prometheus/prometheus.yml"
+#                             Prometheus configuration file path.
+#  --web.listen-address="0.0.0.0:9090"
+#                             Address to listen on for UI, API, and telemetry.
+#  --web.read-timeout=5m      Maximum duration before timing out read of the
+#                             request, and closing idle connections.
+#  --web.max-connections=512  Maximum number of simultaneous connections.
+#  --web.external-url=<URL>   The URL under which Prometheus is externally
+#                             reachable (for example, if Prometheus is served
+#                             via a reverse proxy). Used for generating
+#                             relative and absolute links back to Prometheus
+#                             itself. If the URL has a path portion, it will
+#                             be used to prefix all HTTP endpoints served by
+#                             Prometheus. If omitted, relevant URL components
+#                             will be derived automatically.
+#  --web.route-prefix=<path>  Prefix for the internal routes of web endpoints.
+#                             Defaults to path of --web.external-url.
+#  --web.local-assets="/usr/share/prometheus/web/"
+#                             Path to static asset/templates directory.
+#  --web.user-assets=<path>   Path to static asset directory, available at
+#                             /user.
+#  --web.enable-lifecycle     Enable shutdown and reload via HTTP request.
+#  --web.enable-admin-api     Enables API endpoints for admin control actions.
+#  --web.console.templates="/etc/prometheus/consoles"
+#                             Path to the console template directory,
+#                             available at /consoles.
+#  --web.console.libraries="/etc/prometheus/console_libraries"
+#                             Path to the console library directory.
+#  --storage.tsdb.path="/var/lib/prometheus/metrics2/"
+#                             Base path for metrics storage.
+#  --storage.tsdb.min-block-duration=2h
+#                             Minimum duration of a data block before being
+#                             persisted.
+#  --storage.tsdb.max-block-duration=<duration>
+#                             Maximum duration compacted blocks may span.
+#                             (Defaults to 10% of the retention period)
+#  --storage.tsdb.retention=15d
+#                             How long to retain samples in the storage.
+#  --storage.tsdb.use-lockfile
+#                             Create a lockfile in data directory.
+#  --alertmanager.notification-queue-capacity=10000
+#                             The capacity of the queue for pending alert
+#                             manager notifications.
+#  --alertmanager.timeout=10s
+#                             Timeout for sending alerts to Alertmanager.
+#  --query.lookback-delta=5m  The delta difference allowed for retrieving
+#                             metrics during expression evaluations.
+#  --query.timeout=2m         Maximum time a query may take before being
+#                             aborted.
+#  --query.max-concurrency=20
+#                             Maximum number of queries executed concurrently.
+#  --log.level=info           Only log messages with the given severity or
+#                             above. One of: [debug, info, warn, error]
diff --git a/roles/prometheus/templates/prometheus.yml b/roles/prometheus/templates/prometheus.yml
new file mode 100644
index 0000000..bcecce5
--- /dev/null
+++ b/roles/prometheus/templates/prometheus.yml
@@ -0,0 +1,117 @@
+{{ ansible_managed | comment }}
+
+global:
+  # scrape_interval:     15s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
+  # evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
+  # scrape_timeout is set to the global default (10s).
+
+  # Attach these labels to any time series or alerts when communicating with
+  # external systems (federation, remote storage, Alertmanager).
+  external_labels:
+  #  monitor: 'example'
+
+# Alertmanager configuration
+alerting:
+  alertmanagers:
+  - static_configs:
+    - targets: ['{{ lan_address }}:9093']
+    scheme: https
+    tls_config:
+      ca_file: '/etc/prometheus/ca.crt'
+      cert_file: '/etc/prometheus/prometheus-{{ lan_address }}.crt'
+      key_file: '/etc/prometheus/prometheus-{{ lan_address }}.key'
+
+# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
+rule_files:
+  - "alerts/*.yml"
+
+# A scrape configuration containing exactly one endpoint to scrape:
+# Here it's Prometheus itself.
+scrape_configs:
+  # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
+  - job_name: 'prometheus'
+
+    # metrics_path defaults to '/metrics'
+    # scheme defaults to 'http'.
+
+    static_configs:
+      - targets: ['{{ lan_address }}:9090']
+    scheme: https
+    tls_config:
+      ca_file: '/etc/prometheus/ca.crt'
+      cert_file: '/etc/prometheus/prometheus-{{ lan_address }}.crt'
+      key_file: '/etc/prometheus/prometheus-{{ lan_address }}.key'
+
+  - job_name: node
+    file_sd_configs:
+      - files:
+        - '/etc/prometheus/targets/node-targets.json'
+    relabel_configs:
+      # Use hostnames instead of ip for the instance label
+      - source_labels: [__address__]
+        target_label: __param_target
+      - source_labels: [__param_target]
+        target_label: instance
+        regex: '.*\|(.*)'
+        replacement: '$1'
+      - source_labels: [__param_target]
+        target_label: __address__
+        regex: '(.*)\|.*'
+        replacement: '$1:9100'
+    scheme: https
+    tls_config:
+      ca_file: '/etc/prometheus/ca.crt'
+      cert_file: '/etc/prometheus/prometheus-{{ lan_address }}.crt'
+      key_file: '/etc/prometheus/prometheus-{{ lan_address }}.key'
+
+{% for target_type in ('http-up', 'http-down') %}
+  - job_name: blackbox {{ target_type }}
+    metrics_path: /probe
+    params:
+      module: [http_2xx]
+    file_sd_configs:
+      - files:
+        - '/etc/prometheus/targets/blackbox-{{ target_type }}-targets.json'
+    relabel_configs:
+      - source_labels: [__address__]
+        target_label: __param_target
+      - source_labels: [__param_target]
+        target_label: instance
+      - target_label: __address__
+        replacement: {{ lan_address }}:9115
+    scheme: https
+    tls_config:
+      ca_file: '/etc/prometheus/ca.crt'
+      cert_file: '/etc/prometheus/prometheus-{{ lan_address }}.crt'
+      key_file: '/etc/prometheus/prometheus-{{ lan_address }}.key'
+
+{% endfor %}
+  - job_name: blackbox internal tls
+    metrics_path: /probe
+    params:
+      module: [internal_tls_connect]
+    file_sd_configs:
+      - files:
+        - '/etc/prometheus/targets/blackbox-tls-internal-targets.json'
+    relabel_configs:
+      - source_labels: [__address__]
+        target_label: __tmp_address
+      - source_labels: [__tmp_address]
+        target_label: __param_target
+        regex: '(.*)\|.*\|.*'
+        replacement: '$1'
+      - source_labels: [__tmp_address]
+        target_label: cname
+        regex: '.*\|(.*)\|.*'
+        replacement: '$1'
+      - source_labels: [__tmp_address]
+        target_label: instance
+        regex: '.*\|.*\|(.*)'
+        replacement: '$1'
+      - target_label: __address__
+        replacement: 172.20.1.1:9115
+    scheme: https
+    tls_config:
+      ca_file: '/etc/prometheus/ca.crt'
+      cert_file: '/etc/prometheus/prometheus-172.20.1.1.crt'
+      key_file: '/etc/prometheus/prometheus-172.20.1.1.key'
diff --git a/roles/prometheus/templates/web-config.yaml b/roles/prometheus/templates/web-config.yaml
new file mode 100644
index 0000000..15147f6
--- /dev/null
+++ b/roles/prometheus/templates/web-config.yaml
@@ -0,0 +1,7 @@
+{{ ansible_managed | comment }}
+
+tls_server_config:
+  cert_file: "/etc/prometheus/prometheus-{{ lan_address }}.crt"
+  key_file: "/etc/prometheus/prometheus-{{ lan_address }}.key"
+  client_auth_type: "RequireAndVerifyClientCert"
+  client_ca_file: "/etc/prometheus/ca.crt"