diff --git a/.gitmodules b/.gitmodules
index ec3117b..01a0561 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -16,3 +16,6 @@
 [submodule "roles/matrix-bridge-telegram"]
 	path = roles/matrix-bridge-telegram
 	url = ssh://git@gitea.auro.re:2222/Pains-Perdus/matrix-bridge-telegram.git
+[submodule "roles/nginx"]
+	path = roles/nginx
+	url = ssh://git@gitea.auro.re:2222/Pains-Perdus/nginx.git
diff --git a/TODO.md b/TODO.md
index 1555688..a767ec7 100644
--- a/TODO.md
+++ b/TODO.md
@@ -42,6 +42,10 @@ setup:
 - disable cloud init
 - remove cloud init account and change the connenction variable for the vm
 
+## Network
+
+- Improve the networking role: cannot reload network interfaces without ifupdown2, but ifupdown2 causes lost of connectivity on some hosts because it lacks backward compatibility with ifupdown
+
 ## Matrix
 
 - Potgres role should be redone, it is currently called too many times that could be globalized I think. Also the setting of timezone and locale is not idempotent
diff --git a/books/matrix.yml b/books/matrix.yml
index b5db8dd..cbcaa85 100755
--- a/books/matrix.yml
+++ b/books/matrix.yml
@@ -8,7 +8,8 @@
   - matrix-bridge-signal
   - matrix-bridge-instagram
   - matrix-bridge-telegram
+  - nginx
 
- hosts: proxy
   roles:
-  - rp_synapse
+  - nginx
diff --git a/books/proxy.yml b/books/proxy.yml
new file mode 100755
index 0000000..c73d36b
--- /dev/null
+++ b/books/proxy.yml
@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+
+- hosts: proxy
+  roles:
+  - nginx
+
diff --git a/group_vars/proxy/main.yml b/group_vars/proxy/main.yml
index 685f861..aa714b5 100644
--- a/group_vars/proxy/main.yml
+++ b/group_vars/proxy/main.yml
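Review bot: The `- hosts: proxy` play kept in books/matrix.yml now contains exactly the same play as the new books/proxy.yml, so the proxy host receives the nginx role from two playbooks and any later change to its role list has to be made twice. Either drop the proxy play from matrix.yml or replace it with `- import_playbook: proxy.yml` so the proxy's role list lives in one place. The nginx role added to the synapse play is consistent with the `http_sites` definition this commit adds under group_vars/synapse.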
@@ -1,9 +1,25 @@
 ---
-reverse_proxy_sites:
-  - {from: hindley.pains-perdus.fr, to: "http://127.0.0.1:5000"}
-  - {from: "{{ grafana_domain_name }}", to: "http://127.0.0.1:3000"}
+ssl_reverse_proxy_upstream:
+  pterodactyl:
+    to: "10.7.10.103"
+    sni_server_name: "play.nyx.ovh"
+    to_port: 443
+  matrix:
+    to: "10.7.10.101"
+    sni_server_name: matrix.pains-perdus.fr
+    to_port: 443
 
-sharing_sites:
-  - {from: share.deso-palaiseau.fr, folder: "/home/histausse/www", user: histausse, group: histausse}
-  - {from: wiki.deso-palaiseau.fr, folder: "/home/histausse/wiki/public", user: histausse, group: histausse}
+http_sites:
+  "pains-perdus.fr":
+    root_snippets: # TODO: check if needed
+      - |
+        listen 8448 ssl http2;
+        listen [::]:8448 ssl http2;
+    locations:
+      "/.well-known/matrix/server":
+        config:
+          - |
+            return 200 '{"m.server": "matrix.pains-perdus.fr:443"}';
+            default_type application/json;
+            add_header Access-Control-Allow-Origin *;
 
diff --git a/group_vars/synapse/main.yml b/group_vars/synapse/main.yml
index 34bb740..fec228d 100644
--- a/group_vars/synapse/main.yml
+++ b/group_vars/synapse/main.yml
@@ -41,3 +41,17 @@ matrix_bridge_telegram_admins:
 matrix_bridge_telegram_allowed_external_user:
   - '@dorianx:matrix.rezel.net'
 
+## Nginx
+http_sites:
+  "matrix.pains-perdus.fr":
+    root_snippets: []
+    locations:
+      "~* ^(\/_matrix|\/_synapse\/client)":
+        config:
+          - |
+            # Nginx by default only allows file uploads up to 1M in size
+            # Increase client_max_body_size to match max_upload_size defined in homeserver.yaml
+            client_max_body_size {{ matrix_max_upload_size }};;
+        templates:
+          - proxy_pass.j2
+        to: "http://localhost:8008"
diff --git a/host_vars/nitrogen/main.yml b/host_vars/nitrogen/main.yml
new file mode 100644
index 0000000..306d200
--- /dev/null
+++ b/host_vars/nitrogen/main.yml
@@ -0,0 +1,12 @@
+---
+ansible_host: nitrogen.lan
+
+## Users
+users:
+  g33kex: sudo
+  histausse: sudo
+
+## Networking
+interfaces:
+  eth0:
+    type: dhcp
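Review bot: The `root_snippets` entry under `"pains-perdus.fr"` opens a TLS listener on 8448 that the hunk itself flags with `# TODO: check if needed`; since the `/.well-known/matrix/server` location already delegates federation to `matrix.pains-perdus.fr:443`, peers that honour the delegation never contact 8448 on this vhost, so the two `listen` lines can most likely be removed rather than left behind a TODO. Whether the `matrix` and `pterodactyl` entries in `ssl_reverse_proxy_upstream` pass the TLS session through by SNI or terminate and re-encrypt it towards `to_port: 443` is decided by roles/nginx, which is a submodule not visible in this diff; that is worth a one-line comment above `ssl_reverse_proxy_upstream:` stating which of the two the role does and, if it re-terminates, whether the upstream certificate is verified.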
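Review bot: `client_max_body_size {{ matrix_max_upload_size }};;` ends with a doubled semicolon; nginx's configuration parser treats the second `;` as an empty directive and rejects the file with `unexpected ";"`, so the rendered site will fail `nginx -t` and the reload. Drop one: `client_max_body_size {{ matrix_max_upload_size }};`. The location key `"~* ^(\/_matrix|\/_synapse\/client)"` escapes `/` inside a double-quoted YAML scalar, which the parser decodes back to a plain `/`; writing `"~* ^(/_matrix|/_synapse/client)"` reads the same and does not rely on that escape. Only `/_matrix` and `/_synapse/client` are proxied here, so `/_synapse/admin` stays unexposed, which is the right default for a public vhost.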
diff --git a/hosts b/hosts
index 083e8db..ff5d155 100644
--- a/hosts
+++ b/hosts
@@ -10,6 +10,7 @@ bismuth # BigBlueButton
 sulfur # Synapse
 technetium # Test
 iridium # Pterodactyl
+nitrogen # Nginx
 
 [container]
 
@@ -22,6 +23,7 @@ barium # Backup
 bismuth
 technetium
 iridium
+nitrogen
 
 # Groups
 [monitoring]
@@ -49,7 +51,7 @@ hindley
 sulfur
 
 [proxy]
-hindley
+nitrogen
 
 [prometheus]
 hindley
diff --git a/roles/cloudinit/tasks/main.yml b/roles/cloudinit/tasks/main.yml
index ddee5b3..cbe627d 100644
--- a/roles/cloudinit/tasks/main.yml
+++ b/roles/cloudinit/tasks/main.yml
@@ -10,6 +10,12 @@
     state: absent
   when: ansible_facts["lsb"]["id"] == "Ubuntu"
 
+- name: Remove cloudinit network configuration
+  file:
+    path: "/etc/network/interfaces.d/50-cloud-init"
+    state: absent
+  when: ansible_facts["lsb"]["id"] == "Debian"
+
 - name: Disable cloudinit
   file:
     path: "/etc/cloud/cloud-init.disabled"
diff --git a/roles/networking/handlers/main.yml b/roles/networking/handlers/main.yml
index db6d64c..e396d96 100644
--- a/roles/networking/handlers/main.yml
+++ b/roles/networking/handlers/main.yml
@@ -1,7 +1,8 @@
 ---
 - name: Reload network interfaces debian
-  become: true
-  command: /sbin/ifreload -a
+  systemd:
+    name: networking
+    state: restarted
 
 - name: Restart dhcpcd raspbian
   systemd:
diff --git a/roles/networking/tasks/main.yml b/roles/networking/tasks/main.yml
index 9e54fd9..133d965 100644
--- a/roles/networking/tasks/main.yml
+++ b/roles/networking/tasks/main.yml
@@ -51,10 +51,12 @@
     name: net.ipv4.ip_forward
     value: "{{ ipv4_forwarding | int | default(0) }}"
     sysctl_set: true
+  when: ipv4_forwarding is defined
 
 - name: Set ipv6 forwarding
   ansible.posix.sysctl:
     name: net.ipv6.conf.all.forwarding
     value: "{{ ipv6_forwarding | int | default(0) }}"
     sysctl_set: true
+  when: ipv6_forwarding is defined
 
diff --git a/roles/nginx b/roles/nginx
new file mode 160000
index 0000000..eaf8320
--- /dev/null
+++ b/roles/nginx
@@ -0,0 +1 @@
+Subproject commit eaf8320201b61383631e7344b6a4f6b2f8189c4d
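Review bot: The new task's `when: ansible_facts["lsb"]["id"] == "Debian"` depends on the `lsb` facts, which are an empty dict on hosts without the `lsb-release` package, so on a minimal Debian host the condition errors on the missing `id` key instead of skipping (the existing Ubuntu task above shares the dependence). `when: ansible_facts["distribution"] == "Debian"` is filled from /etc/os-release and works without that package. Removing `/etc/network/interfaces.d/50-cloud-init` is not paired with a notify, so the interface definitions it held stay active until roles/networking rewrites them and restarts networking; if that role is expected to run later in the same play, a `# the networking role writes the replacement config and restarts networking` comment on the task would record the ordering dependency.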
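Review bot: The rewritten handler drops the `become: true` that the `ifreload` version carried, so unless the play already runs with privilege escalation, restarting the `networking` unit fails with a permission error at handler time, after the interface configuration has already been written. Keep `become: true` next to `systemd:`. Restarting `networking` under ifupdown brings every interface down and up again, including the one carrying the Ansible SSH session, which is the trade-off the TODO.md entry in this commit describes; a `# restart, not reload: reloading needs ifupdown2 (see TODO.md), expect a brief connectivity drop` comment on the handler would save the next reader the search.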
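Review bot: Adding `when: ipv4_forwarding is defined` (and the matching `when: ipv6_forwarding is defined` on the second task) changes what an undefined variable means: previously the sysctl was explicitly set to 0, now the task is skipped and whatever value the host currently has — including forwarding left enabled by an earlier run or by hand — stays in effect, so the role no longer enforces forwarding off. If the motivation was a template failure on an undefined variable, the cause is the filter order in `"{{ ipv4_forwarding | int | default(0) }}"`: `int` is applied to the undefined value before `default` can substitute for it. Reordering to `value: "{{ ipv4_forwarding | default(0) | int }}"` (and `ipv6_forwarding | default(0) | int`) and dropping the two `when` lines keeps the earlier enforce-off behaviour; if skipping really is intended, the now-dead `default(0)` should go instead.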