diff --git a/.ansible-lint b/.ansible-lint index a85e701..d98efd4 100644 --- a/.ansible-lint +++ b/.ansible-lint @@ -1,7 +1,10 @@ skip_list: - - '301' + - no-changed-when + - load-failure + - document-start warn_list: - - '305' # Use shell only when shell functionality is required - - '503' # Tasks that run when changed should likely be handlers - experimental # all rules tagged as experimental + +exclude_paths: +- group_vars/all/vault.yml diff --git a/.drone.yml b/.drone.yml index 416e400..eb6ce40 100644 --- a/.drone.yml +++ b/.drone.yml @@ -4,16 +4,9 @@ type: docker name: check steps: - - name: yamllint - image: python:3.9-alpine + - name: ansible and yaml linting + pull: never + image: aurore-ansible-lint-image commands: - - pip install yamllint==1.25.0 - - yamllint -c .yamllint.yml . - - - name: ansible-lint - image: python:3.9-alpine - commands: - - apk add --no-cache gcc libc-dev libffi-dev openssl-dev - - pip install ansible-lint==4.3.7 - - ansible-lint *.yml + - ansible-lint ... diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml deleted file mode 100644 index c62f35b..0000000 --- a/.gitlab-ci.yml +++ /dev/null @@ -1,19 +0,0 @@ ---- -image: python:3.9-alpine - -stages: - - lint - -yamllint: - stage: lint - script: - - pip install yamllint==1.25.0 - - yamllint -c .yamllint.yml . - -ansible-lint: - stage: lint - script: - - apk add gcc libc-dev libffi-dev openssl-dev - - pip install ansible-lint==4.3.7 - - ansible-lint *.yml -... diff --git a/.yamllint.yml b/.yamllint.yml index c8666c8..af15be3 100644 --- a/.yamllint.yml +++ b/.yamllint.yml @@ -6,6 +6,5 @@ rules: max: 120 level: warning document-start: - ignore: | - /groups_var/all/vault.yml + ignore: group_vars/all/vault.yml ... diff --git a/README.md b/README.md index 00897a4..cb8683f 100644 --- a/README.md +++ b/README.md 
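Review bot: `load-failure` is added to `skip_list` in the same hunk that adds `exclude_paths` with `group_vars/all/vault.yml`; once the vault file is excluded from linting, the apparent reason for silencing load-failure is gone, and keeping it means a playbook or vars file that fails to parse would no longer be reported at all. I would drop that entry and re-run the linter to confirm the exclusion alone is enough. Judging from the surviving markers, the new `exclude_paths` sequence is flush (`+- group_vars/...`) while the `skip_list` entries are indented (`+ - no-changed-when`); pick one sequence style file-wide, e.g. `exclude_paths:` followed by `  - group_vars/all/vault.yml`.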
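Review bot: The rewritten step relies on `pull: never` and the bare name `aurore-ansible-lint-image`, i.e. an image that must already exist on the Drone host and that the pipeline never refreshes, so a missing image fails the build with no hint why and a stale one silently changes which linter version runs. A comment above the step pointing to the build procedure added in this commit, `# locally built image, see docker-ansible-lint/README.md`, would make that dependency visible. The removed lines also ran `yamllint -c .yamllint.yml .` explicitly; with only `ansible-lint` left, YAML linting now depends on ansible-lint 5 invoking yamllint itself and only on the files it discovers, which is worth confirming for files such as `host_vars/bdd.adm.auro.re` that carry no `.yml` extension.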
@@ -1,3 +1,5 @@ +[![Linter Status](https://drone.auro.re/api/badges/Aurore/ansible/status.svg)](https://drone.auro.re/Aurore/ansible) + # Recettes Ansible d'Aurore Ensemble des recettes de déploiement Ansible pour les serveurs d'Aurore. diff --git a/bdd.yml b/bdd.yml new file mode 100644 index 0000000..7a0bf6c --- /dev/null +++ b/bdd.yml @@ -0,0 +1,7 @@ +#!/usr/bin/env ansible-playbook +--- +# Install and configure bdd servers at Saclay and at OVH +- hosts: bdd + roles: + - postgresql_server +... diff --git a/deploy_postfix_non_mailhost.yml b/deploy_postfix_non_mailhost.yml new file mode 100644 index 0000000..e335928 --- /dev/null +++ b/deploy_postfix_non_mailhost.yml @@ -0,0 +1,8 @@ +--- +# Deploy a correclty configured postfix on non mailhost servers +- hosts: all,!unifi + vars: + local_network: 10.128.0.0/16 + relay_host: proxy.adm.auro.re + roles: + - postfix_non_mailhost diff --git a/docker-ansible-lint/Dockerfile b/docker-ansible-lint/Dockerfile new file mode 100644 index 0000000..5d60549 --- /dev/null +++ b/docker-ansible-lint/Dockerfile @@ -0,0 +1,7 @@ +FROM python:3.9-alpine +LABEL description="Aurore's docker image for ansible-lint" + +RUN apk add --no-cache gcc musl-dev python3-dev libffi-dev openssl-dev cargo +RUN pip install "yamllint>=1.26.0,<2.0" +RUN pip install "ansible-lint==5.0.0" +RUN pip install "ansible>=2.10,<2.11" diff --git a/docker-ansible-lint/README.md b/docker-ansible-lint/README.md new file mode 100644 index 0000000..adabac3 --- /dev/null +++ b/docker-ansible-lint/README.md 
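Review bot: The header comment of `deploy_postfix_non_mailhost.yml` has a typo and the file is inconsistent with the sibling playbook `bdd.yml` added in the same commit: no `#!/usr/bin/env ansible-playbook` shebang and no `...` document end. I would write `# Deploy a correctly configured postfix on non mailhost servers` and add the shebang and `...` so every playbook in the repository looks alike. `local_network: 10.128.0.0/16` and `relay_host: proxy.adm.auro.re` are fixed in the play's `vars`; if they ever differ per site they belong in group_vars, but that is an inference, not something visible here.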
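Review bot: Only `ansible-lint==5.0.0` is pinned exactly; `yamllint>=1.26.0,<2.0` and `ansible>=2.10,<2.11` are ranges, so two builds of this image can lint differently depending on what PyPI serves that day, which undercuts the point of moving the tool versions out of the CI file. Pin all three, and collapse the three `pip install` layers into one: `RUN pip install --no-cache-dir "yamllint==<pinned-version>" "ansible-lint==5.0.0" "ansible==<pinned-version>"` (placeholder versions to be filled in), which also keeps the pip cache out of the image. The `apk add` line pulls in a compiler toolchain and `cargo`, presumably for native wheels built during `pip install`; a short comment saying so would save the next maintainer from wondering why a lint image ships a compiler.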
@@ -0,0 +1,18 @@ +# Ansible-lint image + +In order to build this image when a new version comes out, you need to +1. ssh into the `drone.adm.auro.re` server +2. git pull this repo to the lastest version +3. optionally make the changes if it has not been done yet +4. `sudo docker build -t aurore-ansible-lint-image docker-ansible-lint/` +5. ??? +6. enjoy + +You can verify that the image was correclty built by running +``` +# list the images present +sudo docker image ls + +# run your image with an interactive shell +sudo docker run -it --rm aurore-ansible-lint-image /bin/sh +``` diff --git a/group_vars/all/vars.yml b/group_vars/all/vars.yml index 599e834..282dfd5 100644 --- a/group_vars/all/vars.yml +++ b/group_vars/all/vars.yml @@ -20,6 +20,8 @@ ldap_admin_hashed_passwd: "{{ vault_ldap_admin_hashed_passwd }}" postgresql_services_url: 'services-bdd.adm.auro.re' postgresql_synapse_passwd: "{{ vault_postgresql_synapse_passwd }}" postgresql_codimd_passwd: "{{ vault_postgresql_codimd_passwd }}" +postgresql_etherpad_passwd: "{{ vault_postgresql_etherpad_passwd }}" +postgresql_kanboard_passwd: "{{ vault_postgresql_kanboard_passwd }}" # Scripts will tell users to go there to manage their account intranet_url: 'https://re2o.auro.re/' diff --git a/group_vars/all/vault.yml b/group_vars/all/vault.yml index b813ba3..db7cad5 100644 --- a/group_vars/all/vault.yml +++ b/group_vars/all/vault.yml 
@@ -1,174 +1,186 @@ $ANSIBLE_VAULT;1.1;AES256 -34336231623938346631313932323131336439623837626366646338396137633436646365386639 -6332383765386235396331373836366230663563376665380a616436373136633933376435653230 -64333963663436393265666434653164643164616134353665306462326666623530383838343135 -3531343533656332350a343432336636316131386132306238653736633966363235623833343638 -38643061383963396466346536343061653034333037393664356661376565643765306462626231 -39326233363962373839303464333833306532343834306232653731326135653934643836323639 -36343937626536346331613263663865346634666534646266623061303639626636393230616261 -32336366356439353738633234326138656464656630303362623664616634306230623538373965 -32346439306337623737616666353830626630373562366436653131393532313035303836326430 -64613235646366616533313065396663366434363832333535336631323366336437396664303834 -30336466313064636565326564356435306136396363373464326534303366323262303732626661 -38326663313332633530353739346538343434316133343066313530366637376135323564306537 -65626261303231656432333364333965663065346436626631666466643934623064333163626339 -32633565303734303862326365336339346133393431636266303530626564326361653230626536 -32313231373037633134623761663832393666353732613965613436323939343233613433343538 -37326438383130303861316663396333376662386337353964633930353536653437653061356635 -35646232343535313130646237643835376162623639333961323964353830653366626438346237 -36343663346332656537363434396633336161373730663364306239306432343930643230656465 -37633537616232656661313764626232303535383563353861396431643735326162383866626231 -61383165613332666537656137636430323332326335323763303537386662646263353539613964 -37323966306364306436653033393931663239383435613836356164633135306233356364313036 -39356661613434633930633066646437636535313565356366303732613731333062643231313035 -65333461396131663764626665393562623030343561313136363964393664376136303839333664 
-65313465623331333538393734373264313562643232666130303930333662616465656432363039 -66616530336666343861336434633063343561323931323931346132376263376565313366306639 -64646465303432333136353661323936633965666364356633653861363139616562653834313861 -63306133613066373462383236613939316130623937643939323134343936356638376335323836 -39383334656236633037633230313138326238303863623231353465346661663162623138353461 -33343738613137366364633730346261366564646161373837613865393233663431636361663962 -38313230363737306265636435353533666262333666383639343364633464396566333433333538 -39643934646537653234336361613664333434623739353831316531313666396638333136343638 -33653034366362363562633462303165626333306664326366353334363964663936616430643662 -30616334326638323133366632663237356238353934323361376237613632396134663536336364 -39363439326335363437373939353564646663616464663763353931323233316135656634343137 -34396130386134386331643534353461663963323435656337653032376565313635623231343135 -34303130316239303065386134663332393938636332363665643832326439653733633231346537 -63383634333034323434376237663932613638363835393837613632663265616363303233653539 -61333765313463616665613136303533343230303735626437343635303934613365326166333966 -66613538393466666630363333643730653239393435616634303430396635383631613439623433 -36646431393865666162373232343335356366366633633264326639643434396234313863333163 -63396534623931633833656565396635333133376165613031663831633564663061656131303564 -61303132666264636139313738643161313134643733633366376538366135663135333333333564 -64366262353837363061653663616265393264373230346330636465336439623063636639356136 -65383638643961326661396336373163643832366561363764626461623662333436373136616437 -30316537653432356133616338353165633462643634323563306366343965326635363863316232 -61633135643861333635383464383937306236626632366235363433313335663431366531356337 -37303465323638383930336138356665343966336137356137656564303733373565366162343330 
-38326366653733376138356339313564616165626235356363343430353239616339656239323964 -31643734653263653461333135386261646265323134633334376262323330396634643764323635 -30336262323035613338333166353364333836623865393132613338393237363734616330366463 -64646163303337323531636532383438356237306337656439663565643032633462316366663164 -33613039326337353531303831313136653539353261373930613030383134653261363833653439 -31343662623035393238646263633066653362323434306137633339393330376462356139333362 -35363436356530363134663064653031376561343732346262383333353733363136396262643135 -31326566303535343833326562376464643632363434323839366366626134303830323563633237 -37313964353033316163303738636632346137353437333463303135323631383132623133663130 -32373163393861366137303138363134653534613236636439623731393837306130626638343134 -39313532386338343662333134353761653162663665396664366239633536613132313735373334 -37613161383633653861376433633632333163653439633938386137313632396137616337373465 -65383238396439666537313833663364333731613434333739393161363437306665363834653761 -34303464386633633163353636643964393233383232623765373239376633393139326630653765 -62646439646534376234323661383063656463313437323231333165626163626262626562376338 -62646362346261313738323830613037663035666361386139666432613230346334323063326239 -65303065343061613736343663363630336333623439383032313137616131623933323636306331 -34636130626338303039356137353532346562363531623936316162336663306437386532363236 -36333661316161613237343032623764396435346632363963643438316430666539393566353939 -33333234313839636537366465356364303438313830663261373563346538626432313139303030 -33333066626463663663643833323764643737386162663766356665643064313263376434353038 -37643630643737663566653562353261333734636262626437393239383063613661643166626630 -31313564346239396561326162333534376264616435313762623032636432363832383630343964 -30343663643935633465393465626131633931623930653962303830333065363435383237653566 
-65646632376330306437663334313932653230653562356338663366616463303466366263366137 -64633934626339633235386630396561376130373763313137386531356637633863393035306634 -65353432323235363135633832373032623837376333346131303162303464616234313062316563 -64646634633963663032613533636665333335656539323238623362306363313835626632306236 -30663637356463363530316434316639326639633539333335633330333834643035353932313638 -64356565653065666131373538356462306633343161376537323762313666373235353236313963 -65613561633266306632616538616461626532666435663038646138386430376164663766363138 -35316262393065653739323035666531333330326235386133383834383865356635666537333533 -31376138353231313262646334386566376264323066373934666363313431643738383064666437 -36656437313039656666373530346534393735353163646635663839326366643333393665626464 -36616637303631653661373433653865323634363065303433386534363064356564636465366265 -31333064383233636538393032376234663663353162343530376631356533653231303730396465 -33366162376464633633313664303939306330613865663431653037303061633130626635653638 -66626264363333376463386666313663333964333137333231303361616533393236373861656534 -32326335306566623332396638383133353434363565316432353963353062313662326361336537 -34396632656234333263663831326566353434316234613365316132363730643665373761666562 -31393565653663653731633333633730326265376135666162656132623238333765333363653130 -61353632313532616266363139336162336565356365316531336364623930636430353831623233 -61616131313438306633333066613764313161333934316139633738623164623564646365663566 -66356464376133363137313036623930373362306166623838373131313330393837396261656561 -66396233313530643164353264656563383632363139333262626532376562613630643437666266 -66656335656634613138316138643666623430363833663035616138336461303035633731636262 -36393939333765346239666433323032323361343934656463396365333366623337316663396263 -36616431626633663963636135643833666234613830366434636532373031343263316436306162 
-39356365376561643665323866656465313434623138326238353662653735613565623264333336 -61393763363862613766653064636130323732663466366133666361636339356464313037353462 -63633936653235656538383433393065393162643034393538666433616131343462346235393164 -39353663373338626665663563663162633430343330373430376336326432346233663365376533 -32656465343538643137326366653232343530363834383831386634366262303333636261353863 -32633437343432653936643766363338636535613532323362656435613363393238626466303861 -38633861333638613466306338613932353964393365356637306261626535323732316362623731 -33313963623439613939333639346461663338373334396165636231666266613065323731373964 -64313133383435333935376531313432663766633133633863356563663535333263636237386136 -61653963633166383135333436646465383536373039383538326366636634313061613730653962 -37623962643866396637336231363038373465393637356463656566666661313130313863383233 -37343636346535363832626365396262303862393535336565393635663637323730373564336634 -37363036323733306535336366373630356531353737303165376530656433626634343365626239 -64346136363030663862313431653761666432393933366665346361626361623039326434633835 -32666538653037613361343536383634643762356234366433663639653461303933306434333864 -37386436393465323139306161333738383265323436376536656264356230303163326134323864 -63396331666431666464656161633466333764653631623131646566303366333030653834333335 -31323365353239366232643863386365633861376235643034303563613363663661616564363663 -63326562613365653539383336383339646164623864323830653434623365393432666466323134 -33626330373361393734656632393232363866613863373135636537613934343065306265623964 -34643765636165393336356630353663343065333431656164363638646233663762346536343362 -65653364343537383336373933313464663464653465383830363631316336303464313731356230 -34336130323766386465373162346535396565346630353734303937396130656132376331326563 -36386339383338346533646331666262396432336434646333653664326635386238333763626637 
-31363464306465666339316436323265623437636533643431363161323139653065323534636533 -64386334353439373133313937343234373963353331646233346432646430636530663336316134 -66303337313034396232643531643262343036313762633165353665653938313665386363353865 -66333166303636626565613136653365313763303263313239333033353638616566656134396131 -38356434343931303134303362313363343634613361353538636634336332373132356165326163 -30386130326239366532363962316435663862393836326439623862366166376234343439306465 -36346639623939353232366333643963646336383833386565643435393734653936313638663930 -32323065343737663564333961373034393261613862333431663562353964666561643831316432 -35313832356639333937333266306166656538643065386639346337306134613536356137316331 -38376434666332366531393639303561663934353130333161636530383932653236313530616531 -61656664626663373164343863333039356362343034326131376666623264663732303734366363 -30306430353732616131346637626332656434393163313661356465393263393235396662623962 -62643538623331646265643561623366383937313136383939366164613235666234663137653432 -34316138643139336331356663333632656539653632626136613431393736613630353237356164 -33623632643335663163656236633134343464353837346237316162346634633336663564656531 -39373730346130363963376463326238366235613539613466653139306237343164336462353236 -39323361636333353661633863663162633563343937366461346338363061623730633537626562 -30353938383664333861366431343033313961376436363065373430353736343563313531386663 -37313534303564333237616331396437376436383833373936376664666366373235613533663239 -64653863613531356666646233393533646131333961343730663461346235633961306263343831 -64386332653330323937643266373437633465363933653833343930616134626566363339366362 -36356163333730656233653431326430326566386264343330666131393166323537623137396237 -65386234653231666631366533383762643830333261363532666138386263643662633932626335 -66303363613035643931393933303035323566373634663037313338616132373162366334373962 
-33666463613435396331326565353433336361303562326562663035313639333232333430373266 -65383235356132353838636565636436356361653831356430663935613766613237366564316566 -37396130393363386566306162346466326165353863636633306335383265306139396339383866 -34326335323962633032386162623033353036643437313832323166363764653339343638343964 -66626662326234306362656162336538353131366337643761643930306163333661653062663832 -61303963623433313565633235306132366663336662616232613339366363373934613631623431 -34323736383366333032343364373533363761323338346163323836653235653136646162306166 -65333734623663346233343961396566313838653036396430396134393839326535363237363638 -38333232333863396334366561303136333863356666656335633630616531363766343535616533 -35656166303837653365303436623431613931336331356531666665346562613263363666626238 -62626236323863383366643162356462306163653032626130333863656337623136646439316337 -33306432663134383038646133346131333732633932383239643733643138303434646565663266 -34616265383733343963323538656138656331396438616133393063356638633965323363653066 -65353837333363613762333839313631373137363064383830353565333832356162323862393030 -35373038613133643466636537626437393837633865363566343565626633376262373766613738 -39343334336238363131373762646564653839623531323066356430326263376534373664363331 -64373735383933303638303661333964333464306338613363326261623438336530636262373766 -35346339643939666162386232666236326131366366303432393838326239313730323431376231 -39363032616666393431326533643865643937363937356431623763363037373333653266376561 -63323462363063343234373534663063353865363037383932386231313338343239653131633561 -34623439396232633265616438623562666333303932396366663330326565363736633461333463 -66346537323061306662323062393061353565393165363532306439343262343632616465363364 -30376331346430313536313963333136663833323064633631653935326366633862336163316538 -33383434336666303434363236396662366664393637656462363331356631613332353766636663 
-62323264336235306532343065323834313730353237616463373766303439663533336366363565 -35646461636263646633343634323735383235376330616334373937646165623639363663353361 -65613034353736633332663333616564356265323731613537393430633137333337643663323137 -31623732663331653935316337306433333633353565343265666333363864346562363961333439 -30656136636661396335623566386362333861616663393738626632633537613564636261383138 -3233 +65623030336636323834313162306633623333666663633162356162313233393137646365363161 +3334363038323835666431626538383433626162373330360a656162303733653437633637663535 +62626630663332373761656137633165666531303137303565313236663564623061643631373333 +3164306333653734350a333333653630616462386637613432623039303931393661393563306137 +37326564333837306230326637626131666232646564383130623137613939633163313532653836 +62393766623065376135343062346362623466336234633239343530366432313336653863346534 +34346563666638643136316236626561396534316332623730633936646631623866383631633763 +32306236316334626632393736643135306333363135333566353062653866313161653763646336 +34636465663639396335353562343936333263616363653535303934646361656135383938626134 +34376335303564623436643735363262346334316465366435373435343338373666383635393666 +36643032613636643138373432393739626230326437386366386132636535313137313765616464 +31623461373166613237356362663939323633653565623830303334353834363561373832623163 +35316137633630633736383265333666636436326433653134313038626132633537316162376539 +37323338333235333836326161396236666661636464373163333934376662636639356432366565 +63363266633266643332663934356564323466646666656530336662353336346333366639613130 +33633039343666633536616237386265313863323537353466363432303632323265656265323166 +33313135333932363934386432663863383836333862333162333935313562626430353663636335 +34653231343964376531306366313264363930613432343864396130653666636332366239636236 +33343431353737323534396235613931666262626430303637626236393134386136366164306138 
+64396238363030616465303634366339353731363461383432353434373735336363656266316336 +66313064653233653965646630313632336536643530363562613039313439366437353663363265 +30386238363562326263303164366436653334316164646633356666366631653636303835303738 +39366163613434623861376138363134616662343231306536396531366433313963383234373764 +64326664343736663264626432643664326563383633353364383963353733343864373766666534 +34393638613864333265313732333632373565303537316463623337326363383539336566646664 +66363764323261323330346338336133346136623431616333373235313565643164613432613861 +61346137356133343063636562336633646537373666323763626430633439323632326635383562 +36373461623931613162663466333065336237656265366437663035663831616363383066623731 +62326462313238373631386362393737323731643865623763333833316637323533656562663536 +30326465323164356436326463386137336439326231623534326164323530303239363161643762 +61313261333265366631656631326366313464336264626163653363333565353137313863646631 +62636534346534336136643164383766323631353837326561616436633139653531356533303432 +32616434653237376664353134363464613231366136323330646439623132306464623138393162 +34613931633736633532346634303535366430323164313764653832336464303337626634313861 +37333863316666353935363663613531643039613534393539343762363732383362333639356435 +61303663363438383733636663346362373033383130636431386636616366666537393937396633 +33653836343865326433316233306661653831613239376561393834653032633462306238373730 +61336266333364616533633433383663363564373334313934633132626238303036326339313932 +37323435663537376563343336666262343065316436346663623432333064326136316630633763 +65343538313163346539346336643237663431623861653433616639333130643162366539633238 +61306335346366363935373438353765333238323037343033626132323730326437656163353765 +39343863363366343764613533346537363661353234646364663037623030306334653264386630 +36653030316134656236373336616435363337643637623539633865333963363137363433383338 
+62636330626631393438326365396331656361646263343863326635393666383638636337343339 +64313462623564326462636131313163353036393938393634376436306163663863653462663431 +66363334353039303266333430316239646533653337383164303837396130333366353465643965 +35383939633336386537626662316263383331336565643237396334643737313232306464363638 +34393131656232323865333739666639346335646336376666643065353538653530323338356639 +64623965326161386430323337326433343334363435316237626666363161353362383361326438 +35336431653033333261396632393966653463366637636539663165356532616331633837343435 +66356536313037623139613966356139363737656437356238636433366635313137623639366230 +36373837383462623966343535383434633932656133326565353063343530363066343365323462 +32333666373263353063346535343639623230613733363832323636313830636234326436613438 +30363765356637626134353763663938376134653539336436336336303834633533616664376535 +32613061363262303839313062666261363032363364366662333364653532373163653434366261 +39336233313232393331303732333735346434656436353466313932656239306631383237626565 +63313166326538663732363438393263643533636536333665663038383739383334366136646564 +33383936393463323235623038393138386164656164623439393734656336343835313135393165 +37616232633036383237643730313061323563643163633662393334353133343730656630643762 +39333937303931666161613037313837343836643330356538343264633761343432373161393061 +63393933383238356235613663343362656466353330383333393636386438306161623434343836 +35313030383235663461306539663666393234306332306536653862616138656135393131343462 +61633735303134326639663061643935373533336430306538363365623063663536376234356363 +65653432636430333330303131633263386265386662656131353833393138643732356336376335 +31393438393734336465396633306565343139626135386432343061623232363337326664366632 +36613434616662373431613238326464396437363935646437306665313936323732396165633266 +33343166333665373937656338333930343338373061633639393463316538373630626561333761 
+63323336643133323962613435303134613230343033666336646132303462323037383139656166 +31323038653738666463323164366662363138663833393637313437633861353462663935616632 +65653939353435653337353966373135333036653061333438353136616434643563393465323735 +65373230373036353466356338343835363035653031363864316232613232323365353932313061 +62626432303334646365616330626261633066306661303537353264653235643632386466336236 +30316261666461616337363562323865636234356638653661336261373761383365386639303638 +38663763313931323266373162303136323433656466393330646462643438336236613530363636 +35353763373463376531323536613563643865346334646164326561663962393034643438326437 +30306437343331346233383036656663613038623137363962626462613762653262633035623539 +31613932313237343263373333313434386562623465663365306433333635366339616333393430 +63626466333934336130313038626136626466323563323630373965303435626664633138333838 +37643538353138303332653435343139383265363933646134636236656131643932353932303135 +65353438656431613335653838656462333731316665303063623464316462633961656464313933 +36366161623661393865346162383966323531396432646432383663326231373162373462633539 +31303138626662326637376536303532393636326530366362336437633639306436366531313636 +31613332656466343832316632313161336135663661333739646136313137386634633066316535 +66613334303139353463613866323431613037333239353839623165356233653361613063646335 +33386263616164303631653162633330633136666635376635623437656263306466623462366563 +61636334616134376230343265623336373863303463623833663761333039333335626665613661 +62626133316338303333613863373663623166323438656566653936616532343065383232323437 +38353731643561663461336561313637656563333230353963366632396637333033303365626562 +65373463653735313732353165643530336232396562653030623037303463326565643465363764 +38316663356535373432656563336538633765393031663339666638366138346564366162303436 +66363164633432326632306561643662663265666465373537383335303432616138613939366133 
+39396430386437353163323935366265306339326563343530366161333330376535313737396537 +39353330323938326662303863323738626535643465656438376339643437653639666133633663 +39303464326237653933616238663839313730343731383132613062613736376232646366346365 +37653136393335396338346536393865316134343365623338623761303661343637336332316535 +31633133356263336534643230383034383164396630343131396533313864333963316433366130 +38653461303736343861333161343832363934386230393662616463386534336264626363386562 +62633832316664323032353835663266653534393733343166303763333434323633616233656131 +37333266356337656532386336373563353634656265313061363063356637353366636236653333 +31643535373762353663613035316464323033303438623635336637636265363363393961396435 +33646438366139323230623235666630663863633961393036376463386538313633626163323365 +36633266646330623463336434363934376438326465303938316432643035373236626437663766 +36303737386132383261663764386333343532626334633961373666376232633739663164323132 +61323230316266333837363537316165376261363738363762373231356533666332376333663239 +30646161666434363236633432616163323530643766363533653733346436303461643235343038 +65663738633032643334303737666565666137616437613662363062636664326235663737613863 +37653164653437356136623563653238366236613964663337336132326232653762643363623664 +66656166346230643930653232323234653266393730323735636164303230623766393630393262 +63333661396231323430343462656339653466363562303830643233636164303162376631383733 +38346231623835333762656135663366616566313963323732663037323338326231613465343462 +65616432626432333538396336353965353636636339336239653536613865643265353939656333 +66663933343664366163323730336337356634656436326661336636313363663165336161396333 +31626163303863653332613733663666383234303164346564646531366261323262636263353036 +64666135336264343636396466396564303665623965346163373337376331396233396561613765 +32636331376665396132313839653232306535613737653936366438323962333235336530396338 
+63633737633630646164376361363631623862643363363066376364653965313837373462393832 +66336138366132626536323766393832386261396436336537316661383633613065393032636530 +63323866643266666637363633616535613032653930663734636663363865336565663864356234 +34626262663363376436346463393164646534386135303065623462623861353133656437323861 +33623938366635343930633264303530323164396661393338303163386539353938373237633436 +35663762353762313935313832383338663430363865343537663530613761303239356563363533 +37306162663831663464316464303136396539343030303631613964313165396531303665653761 +61383061653364383962663138356366373039366139613536633936633739343133376337613038 +62393730636433613037383665303430663666363663646564343935313063386135323963623965 +35643734656336623961363432363362393132613432303239393761353136636265613334373634 +34396335663037383661663832373937653639633531653064303732656332643962643866306337 +34303232623963623562613162623562366539393464663966366464643639343432663338616331 +30323461396138663334396265313134646263613033353833656465633537356261366261393261 +39303764633636376438656435633737366464343630653735313630386539623462653133396161 +36353235343635386636646361623465323135323239613161346563343263646235326232353863 +62646434333866653830316166656439643464393337306132376433633439376131366664383464 +36393635343265333530653166306263383236656136313136376436393531653334323564663236 +30653235343233636334626330363031373433396565663439333033623062313261643632306164 +66616338633261356136313334313365356234316262313439623563383330356233363438313833 +63313131316461333438363939626636346463366665393433653036663931643537613162393561 +34626662303462343239313265653838313634323230656130373163313863313162383736363835 +39663337353638613836636263373136623266373732373665353164376534623732313532306366 +31353930343062653532386237616433373437663239636230386133393766376238353064656366 +61666637646433333366313661353438313337643861333932313662636462346463643664356165 
+62373338313237353936636138666539643166626631646163653262343365326637626133353361 +33663961373334376137393036383833356361383539653362343866386438633366353439323832 +38663461313431636562613435303237363163323936323530393966663361326365623564633865 +66356433626637376238653865303236646433316164666366303131336331616562323865643566 +36643664363363323566353730303339666262663434393863376234656136643865653135383861 +61396366383939656130616661396263396331666137666662323932303032623162396633346335 +65326362353933663437356235656530343833313136313662643236626661653332613539393638 +62656232326238313333623263333366366533313335336330643666383033333038336164316135 +61346335633139303163326433353633616562363866396234636138386638356235343035363436 +35633737336262383264383065343234373534663564316133643738306638393539353136356630 +63613238663066666336626262343933346433393438356565646565613566386566336138386661 +30373162333837656131653238393533646663323730626538316437363865626335626635666437 +34366663636366303438373032343235333634666637666336313061663239316663613861646133 +30383639666362346634303437383035306661623735643139643062653836366631336261643137 +36393135633338646238653763613935366566363032343730313666656539353866643564336661 +61643261393134303362303666393465643933363962653734646664643033386263346566316332 +36633166356665666161616530356439653832323064633662656138356435386434336431396664 +34373737643936316133343364353165653130376434646639633866336536373534396235633035 +33333734343835323565323863316364613132656665356639623364376538613539626137353564 +66343833653435383465376332363533326661373333303435303562396366616231306463396562 +65353966613832386235646539643033653335376131333333646237393431363163643630353135 +35666264626564623732346565613662303938643034326130646332663530383136333865386266 +31313633613739633865363736646138353937306438646532363033383539613534666437663961 +61313632613433353437306233626463373335366564653661643038373338303937316366316332 
+64386132326633306336653134333038316639363538653735383266366239663861333830656438 +34393734363665656337626461376234306632623937353863333531313231616365316431303732 +32323436663736396439396361663965653632333066373764353561303030666134383836393537 +65323038373363316537323533646566396431326634336564306562636232316563613734366339 +37326465623137303436346430333263373437656632373039303338626130333834663564633535 +39353865376134383637633866356536393766376132396666656235396363656635633630656165 +38303439626438623166326331373036386263393331366266356539333533323864613932643335 +36303537636131386231613062383163346664643261323263393264343862386562313931616261 +34666533613831343764663630623139616634636531393861306337636239346131323437396337 +61633064663938613135666334396330363463636166653966653333326235343563633834666634 +38353937646265363964626661343565306331646363303038666264613833653962663237353538 +64393465363061653837343131373566336139643632323461323635343535313164383766343233 +61393136636536366433333766303263663839383064323430366666646163663663316138663532 +66363061626363396561353435386266653832313430633337346234333430393338353632383335 +64323765636634303632663135306533366232333665383333383936653033373332333331656261 +37326164666235323538633963616562633938626131346266366531333133333832393966326637 +62376661383562633834353631393933626237316431366237613634356666343031623566666330 +61623137336433383139633233356263643237393966613366326632303865353866643332316662 +35343239643933313031656534336165666161393566636435663039653438643832636232386566 +34326266353631333731636433333639316638643162653234346365353762353333316138303861 +36353932656264336165363532313366636536386661663934363761653362623362346431336530 +63663064656539343361383963663366626566306431353238633832353335383535 diff --git a/group_vars/certbot.yml b/group_vars/certbot.yml new file mode 100644 index 0000000..053e637 --- /dev/null +++ b/group_vars/certbot.yml 
@@ -0,0 +1,8 @@
+---
+glob_certbot:
+ - dns_rfc2136_server: '10.128.0.30'
+ dns_rfc2136_name: certbot_challenge.
+ dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+ mail: tech.aurore@lists.crans.org
+ certname: auro.re
+ domains: "*.auro.re"
diff --git a/group_vars/nginx.yml b/group_vars/nginx.yml
new file mode 100644
index 0000000..31adf3a
--- /dev/null
+++ b/group_vars/nginx.yml
@@ -0,0 +1,32 @@
+---
+glob_nginx:
+ contact: tech.aurore@lists.crans.org
+ who: "L'équipe technique d'Aurore"
+ service_name: service
+ ssl:
+ # Add adm.auro.re if necessary
+ - name: auro.re
+ cert: /etc/letsencrypt/live/auro.re/fullchain.pem
+ cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
+ trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
+ servers:
+ - ssl: false # Replace by auro.re or adm.auro.re
+ default: true
+ server_name:
+ - "default"
+ - "_"
+ root: "/var/www/html"
+ locations:
+ - filter: "/"
+ params: []
+ additional_params: []
+ upstreams: []
+
+ auth_passwd: []
+ default_server:
+ default_ssl_server:
+ default_ssl_domain: auro.re
+ real_ip_from:
+ - "10.128.0.0/16"
+ - "2a09:6840:128::/64"
+ deploy_robots_file: false
diff --git a/group_vars/reverseproxy.yml b/group_vars/reverseproxy.yml
new file mode 100644
index 0000000..fdb4685
--- /dev/null
+++ b/group_vars/reverseproxy.yml
@@ -0,0 +1,11 @@
+loc_nginx:
+ servers: []
+
+glob_reverseproxy:
+ redirect_dnames:
+ - aurores.net
+ - fede-aurore.net
+
+ reverseproxy_sites: []
+
+ redirect_sites: []
diff --git a/host_vars/bdd-ovh.adm.auro.re.yml b/host_vars/bdd-ovh.adm.auro.re.yml
new file mode 100644
index 0000000..68faa14
--- /dev/null
+++ b/host_vars/bdd-ovh.adm.auro.re.yml
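Review bot: `domains: "*.auro.re"` requests a wildcard certificate only, and a wildcard does not cover the bare name `auro.re`, yet the resulting certificate lives under `/etc/letsencrypt/live/auro.re/`, the paths the `ssl` entry in group_vars/nginx.yml and `default_ssl_domain: auro.re` point at. host_vars/proxy-ovh.adm.auro.re.yml overrides this with `domains: "auro.re, *.auro.re"`, but host_vars/proxy.adm.auro.re.yml keeps the wildcard-only form, so any vhost on that host answering for the apex would present a non-matching certificate. If the apex is deliberately served only from proxy-ovh, a comment on this line saying so avoids the trap; otherwise align the group default to `domains: "auro.re, *.auro.re"`.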
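Review bot: `auth_passwd: []` defaults to a list, but roles/nginx/templates/nginx/passwd.j2 in this commit iterates it with `nginx.auth_passwd.items()`, which only exists on a mapping; the empty default slips past the `|length > 0` guard in the nginx tasks, but a host that fills in a list will fail at render time. Make the default match the consumer: `auth_passwd: {}`. Separately, `default_server:` and `default_ssl_server:` are bare keys and parse as null rather than an empty string; if the service template inserts them verbatim, write the intended value explicitly (`""` or a `listen` argument), as host_vars/portail.adm.auro.re.yml does with `'$server_addr'`.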
@@ -0,0 +1,50 @@
+---
+postgresql:
+ version: 13
+
+postgresql_hosts:
+ - database: etherpad
+ user: etherpad
+ net: 10.128.0.150/32
+ method: md5
+ - database: codimd
+ user: codimd
+ net: 10.128.0.150/32
+ method: md5
+ - database: synapse
+ user: synapse
+ net: 10.128.0.56/32
+ method: md5
+ - database: kanboard
+ user: kanboard
+ net: 10.128.0.150/32
+ method: md5
+
+postgresql_databases:
+ - synapse
+ - codimd
+ - etherpad
+ - kanboard
+
+postgresql_users:
+ - name: synapse
+ database: synapse
+ password: "{{ postgresql_synapse_passwd }}"
+ privs:
+ - ALL
+ - name: codimd
+ database: codimd
+ password: "{{ postgresql_codimd_passwd }}"
+ privs:
+ - ALL
+ - name: etherpad
+ database: etherpad
+ password: "{{ postgresql_etherpad_passwd }}"
+ privs:
+ - ALL
+ - name: kanboard
+ database: kanboard
+ password: "{{ postgresql_kanboard_passwd }}"
+ privs:
+ - ALL
+...
diff --git a/host_vars/bdd.adm.auro.re b/host_vars/bdd.adm.auro.re
new file mode 100644
index 0000000..d1e9353
--- /dev/null
+++ b/host_vars/bdd.adm.auro.re
@@ -0,0 +1,8 @@
+postgresql:
+ version: 11
+ hosts: # dbname, username, CIDR ip addr, auth method
+ - [ "nextcloud", "nextcloud", "10.128.0.58", "md5" ]
+ - [ "gitea", "gitea", "10.128.0.60", "md5" ]
+ - [ "drone", "drone", "10.128.0.64", "md5" ]
+ - [ "wikijs", "wikijs", "10.128.0.66", "md5" ]
+ - [ "vote", "vote", "10.128.0.81", "md5" ]
diff --git a/host_vars/portail.adm.auro.re.yml b/host_vars/portail.adm.auro.re.yml
new file mode 100644
index 0000000..d4845b7
--- /dev/null
+++ b/host_vars/portail.adm.auro.re.yml
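Review bot: Every `postgresql_hosts` entry uses `method: md5`, which relies on MD5-based password hashing; the server configured here is `version: 13`, where `scram-sha-256` is available and is the method PostgreSQL recommends for password logins. If the postgresql_server role writes these entries into pg_hba.conf, switching to `method: scram-sha-256` also needs `password_encryption = scram-sha-256` on the server and the four passwords re-set so they are stored in SCRAM form — worth checking that role before changing it. The per-application `/32` networks are a good restriction and should stay.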
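Review bot: This host describes its PostgreSQL access as `postgresql.hosts` lists of `[db, user, ip, method]`, while the sibling host_vars/bdd-ovh.adm.auro.re.yml uses `postgresql_hosts` mappings with `database`/`user`/`net`/`method` keys plus `postgresql_databases` and `postgresql_users`. Both hosts are placed in the new `[bdd]` inventory group in this commit, so the same role presumably consumes both files; unless it accepts both shapes, one of them is silently ignored, and converting this one to the mapping form removes the ambiguity. The addresses here also carry no mask length (`"10.128.0.58"` against the other host's `/32`), which matters if the value reaches pg_hba.conf unchanged.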
@@ -0,0 +1,105 @@
+---
+loc_nginx:
+ service_name: captive_portal
+ default_server: '$server_addr'
+ default_ssl_server: '$server_addr'
+
+ servers:
+ - server_name:
+ - "10.13.0.247"
+ locations:
+ - filter: "/"
+ params:
+ - "return 302 https://portail-fleming.auro.re/portail/"
+
+ - ssl: auro.re
+ server_name:
+ - portail-fleming.auro.re
+ locations:
+ - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
+ params:
+ - "proxy_pass http://10.128.0.20"
+ - "include /etc/nginx/snippets/options-proxypass.conf"
+ - filter: "/"
+ params:
+ - "return 302 https://portail-fleming.auro.re/portail/"
+
+ - ssl: auro.re
+ server_name:
+ - 10.23.0.247
+ locations:
+ - filter: "/"
+ params:
+ - "return 302 https://portail-pacaterie.auro.re/portail/"
+
+ - ssl: auro.re
+ server_name:
+ - portail-pacaterie.auro.re
+ locations:
+ - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
+ params:
+ - "proxy_pass http://10.128.0.20"
+ - "include /etc/nginx/snippets/options-proxypass.conf"
+ - filter: "/"
+ params:
+ - "return 302 https://portail-pacaterie.auro.re/portail/"
+
+ - ssl: auro.re
+ server_name:
+ - "10.33.0.247"
+ locations:
+ - filter: "/"
+ params:
+ - "return 302 https://portail-rives.auro.re/portail/"
+
+ - ssl: auro.re
+ server_name:
+ - portail-rives.auro.re
+ locations:
+ - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
+ params:
+ - "proxy_pass http://10.128.0.20"
+ - "include /etc/nginx/snippets/options-proxypass.conf"
+ - filter: "/"
+ params:
+ - "return 302 https://portail-rives.auro.re/portail/"
+
+ - ssl: auro.re
+ server_name:
+ - "10.43.0.247"
+ locations:
+ - filter: "/"
+ params:
+ - "return 302 https://portail-edc.auro.re/portail/"
+
+ - ssl: auro.re
+ server_name:
+ - portail-edc.auro.re
+ locations:
+ - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
+ params:
+ - "proxy_pass http://10.128.0.20"
+ - "include /etc/nginx/snippets/options-proxypass.conf"
+ - filter: "/"
+ params:
+ - "return 302 https://portail-edc.auro.re/portail/"
+
+ - ssl: auro.re
+ server_name:
+ - "10.53.0.247"
+ locations:
+ - filter: "/"
+ params:
+ - "return 302 https://portail-gs.auro.re/portail/"
+
+ - ssl: auro.re
+ server_name:
+ - portail-gs.auro.re
+ locations:
+ - filter: "~ /(potail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"
+ params:
+ - "proxy_pass http://10.128.0.20"
+ - "include /etc/nginx/snippets/options-proxypass.conf"
+ - filter: "/"
+ params:
+ - "return 302 https://portail-gs.auro.re/portail/"
diff --git a/host_vars/proxy-ovh.adm.auro.re.yml b/host_vars/proxy-ovh.adm.auro.re.yml
index d68a483..13f0a1d 100644
--- a/host_vars/proxy-ovh.adm.auro.re.yml
+++ b/host_vars/proxy-ovh.adm.auro.re.yml
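Review bot: The proxied-location regex `~ /(potail|cotisations/comnpay|...)` spells its first alternative `potail`, while every catch-all `location /` on the same vhosts redirects to `/portail/`; if that is a typo, a request for `/portail/` never reaches the proxy location, falls through to `/` and is redirected to `/portail/` again — a redirect loop on all five portal names (the regex is repeated for fleming, pacaterie, rives, edc and gs). The pattern is also unanchored, so it matches the fragments anywhere in the URI (`/foo/static`, `/x/about`) rather than only at the path root; `- filter: "~ ^/(portail|cotisations/comnpay|static|javascript|media|about|contact|logout|.*-autocomplete)"` fixes both. Minor: `10.23.0.247` is the only `server_name` IP left unquoted while its siblings are quoted.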
@@ -1,39 +1,13 @@
 ---
-certbot:
- domains:
- - auro.re
- - chat.auro.re # cname to riot.auro.re
- - codimd.auro.re
- - element.auro.re # cname to riot.auro.re
- - ehterpad.auro.re # cname to pad.auro.re
- - grafana.auro.re
- - hedgedoc.auro.re # cname to codimd.auro.re
- - pad.auro.re
- - passbolt.auro.re
- - paste.auro.re # cname to privatebin.auro.re
- - phabricator.auro.re
- - privatebin.auro.re
- - riot.auro.re
- - sharelatex.auro.re
- - status.auro.re
- - wiki.auro.re
- - www.auro.re
- - zero.auro.re # cname to privatebin.auro.re
- mail: tech.aurore@lists.crans.org
- certname: auro.re
-
-nginx:
- ssl:
- cert: /etc/letsencrypt/live/auro.re/fullchain.pem
- cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
- trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
-
- redirect_dnames:
- - aurores.net
- - fede-aurore.net
-
- redirect_tcp: {}
+loc_certbot:
+ - dns_rfc2136_server: '10.128.0.30'
+ dns_rfc2136_name: certbot_challenge.
+ dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+ mail: tech.aurore@lists.crans.org
+ certname: auro.re
+ domains: "auro.re, *.auro.re"
+loc_reverseproxy:
 redirect_sites:
 - from: www.auro.re
 to: auro.re
diff --git a/host_vars/proxy.adm.auro.re.yml b/host_vars/proxy.adm.auro.re.yml
index b8fb2c3..6eb74f2 100644
--- a/host_vars/proxy.adm.auro.re.yml
+++ b/host_vars/proxy.adm.auro.re.yml
@@ -1,31 +1,31 @@
 ---
-certbot:
- domains:
- - bbb.auro.re
- - drone.auro.re
- - gitea.auro.re
- - intranet.auro.re
- - litl.auro.re
- - nextcloud.auro.re
- - re2o.auro.re
- - vote.auro.re
- - re2o-server.auro.re
- - re2o-test.auro.re
- - wikijs.auro.re
+loc_certbot:
+ - dns_rfc2136_server: '10.128.0.30'
+ dns_rfc2136_name: certbot_adm_challenge.
+ dns_rfc2136_secret: "{{ vault_certbot_adm_dns_secret }}"
+ mail: tech.aurore@lists.crans.org
+ certname: adm.auro.re
+ domains: "*.adm.auro.re"
+ - dns_rfc2136_server: '10.128.0.30'
+ dns_rfc2136_name: certbot_challenge.
+ dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}"
+ mail: tech.aurore@lists.crans.org
+ certname: auro.re
+ domains: "*.auro.re"
- mail: tech.aurore@lists.crans.org
- certname: auro.re
-
-nginx:
+loc_nginx:
+ servers: []
 ssl:
- cert: /etc/letsencrypt/live/auro.re/fullchain.pem
- cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
- trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
-
- redirect_dnames:
- - aurores.net
- - fede-aurore.net
+ - name: adm.auro.re
+ cert: /etc/letsencrypt/live/adm.auro.re/fullchain.pem
+ cert_key: /etc/letsencrypt/live/adm.auro.re/privkey.pem
+ trusted_cert: /etc/letsencrypt/live/adm.auro.re/chain.pem
+ - name: auro.re
+ cert: /etc/letsencrypt/live/auro.re/fullchain.pem
+ cert_key: /etc/letsencrypt/live/auro.re/privkey.pem
+ trusted_cert: /etc/letsencrypt/live/auro.re/chain.pem
+loc_reverseproxy:
 redirect_tcp:
 - name: Gitea
 port: 2222
@@ -33,7 +33,7 @@ nginx:
 redirect_sites:
 - from: 45.66.111.61
- to: auro.re
+ to: intranet.auro.re
 reverseproxy_sites:
 - from: re2o.auro.re
@@ -49,6 +49,9 @@ nginx:
 - from: gitea.auro.re
 to: "10.128.0.60:3000"
+ - from: git.adm.auro.re
+ to: "10.128.0.60:3000"
+ ssl: adm.auro.re
 - from: drone.auro.re
 to: "10.128.0.64:8000"
diff --git a/hosts b/hosts
index 98a435e..68488a0 100644
--- a/hosts
+++ b/hosts
@@ -29,13 +29,19 @@ stream.adm.auro.re
 re2o-server.adm.auro.re
 re2o-ldap.adm.auro.re
 re2o-db.adm.auro.re
-pendragon.adm.auro.re
-services-bdd-local.adm.auro.re
+#services-bdd-local.adm.auro.re
 backup.adm.auro.re
 services-web.adm.auro.re
 mail.adm.auro.re
 wikijs.adm.auro.re
+prometheus-aurore.adm.auro.re
+portail.adm.auro.re
+jitsi-aurore.adm.auro.re
+bdd.adm.auro.re
+bdd-ovh.adm.auro.re
+[aurore_testing_vm]
+pendragon.adm.auro.re
 ###############################################################################
 # OVH
@@ -45,7 +51,7 @@ horus.adm.auro.re
 [ovh_container]
 synapse.adm.auro.re
-services-bdd.adm.auro.re
+#services-bdd.adm.auro.re
 phabricator.adm.auro.re
 wiki.adm.auro.re
 www.adm.auro.re
@@ -59,6 +65,8 @@ vpn-ovh.adm.auro.re
 docker-ovh.adm.auro.re
 switchs-manager.adm.auro.re
 ldap-replica-ovh.adm.auro.re
+prometheus-ovh.adm.auro.re
+prometheus-federate.adm.auro.re
 [ovh_testing_vm]
 #re2o-test.adm.auro.re
@@ -263,6 +271,7 @@ ep-1-3.borne.auro.re
 ep-1-2.borne.auro.re
 ep-0-1.borne.auro.re
 eo-2-1.borne.auro.re
+ee-2-1.borne.auro.re
 ###############################################################################
 # George Sand
@@ -337,6 +346,7 @@ gf-5-1.borne.auro.re
 # Les Rives
 [rives_pve]
 thor.adm.auro.re
+loki.adm.auro.re
 [rives_vm]
 dhcp-rives-backup.adm.auro.re
@@ -345,6 +355,7 @@ dns-rives-backup.adm.auro.re
 radius-rives-backup.adm.auro.re
 routeur-rives-backup.adm.auro.re
 ldap-replica-rives.adm.auro.re
+prometheus-rives.adm.auro.re
 [rives_unifi]
 r3-4-4.borne.auro.re
@@ -396,29 +407,31 @@ ovh_vm
 [fleming:children]
 fleming_pve
 fleming_vm
-#fleming_unifi
+fleming_unifi
 # everything at pacaterie
 [pacaterie:children]
 pacaterie_pve
 pacaterie_vm
-#pacaterie_unifi
+pacaterie_unifi
 # everything at edc
 [edc:children]
 edc_pve
 edc_vm
+edc_unifi
 # everything at georgesand
 [gs:children]
 gs_pve
 gs_vm
+gs_unifi
 # everything at Les Rives
 [rives:children]
 rives_pve
 rives_vm
-
+rives_unifi
 ###############################################################################
 # Groups by type
@@ -482,3 +495,22 @@ ldap-replica-ovh.adm.auro.re
 [ldap_replica_rives]
 ldap-replica-rives.adm.auro.re
+[certbot]
+portail.adm.auro.re
+
+[certbot:children]
+reverseproxy
+
+[nginx]
+portail.adm.auro.re
+
+[nginx:children]
+reverseproxy
+
+[reverseproxy]
+proxy-ovh.adm.auro.re
+proxy.adm.auro.re
+
+[bdd]
+bdd.adm.auro.re
+bdd-ovh.adm.auro.re
diff --git a/monitoring.yml b/monitoring.yml
index 714baa6..76282b9 100755
--- a/monitoring.yml
+++ b/monitoring.yml
@@ -1,6 +1,6 @@
 #!/usr/bin/env ansible-playbook
 ---
-- hosts: prometheus-fleming.adm.auro.re,prometheus-fleming-fo.adm.auro.re
+- hosts: prometheus-fleming.adm.auro.re
 vars:
 prometheus_alertmanager: docker-ovh.adm.auro.re:9093
 snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
@@ -14,7 +14,7 @@
 roles:
 - prometheus
-- hosts: prometheus-pacaterie.adm.auro.re,prometheus-pacaterie-fo.adm.auro.re
+- hosts: prometheus-pacaterie.adm.auro.re
 vars:
 prometheus_alertmanager: docker-ovh.adm.auro.re:9093
 snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
@@ -25,6 +25,8 @@
 {{ groups['pacaterie_pve'] + groups['pacaterie_vm'] | list | sort }}
 prometheus_unifi_snmp_targets:
 - targets: "{{ groups['pacaterie_unifi'] | list | sort }}"
+ prometheus_ups_snmp_targets:
+ - ups-pn-1.ups.auro.re
 roles:
 - prometheus
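Review bot: Enabling `fleming_unifi`, `pacaterie_unifi`, `edc_unifi`, `gs_unifi` and `rives_unifi` as children of the site groups makes every access point a member of `all`, and the only guard visible in this commit is the hand-maintained exclusion list in monitoring.yml's last play (`all,!edc_unifi,!fleming_unifi,!pacaterie_unifi,!gs_unifi,!rives_unifi,...`), which replaced the old `all,!unifi,!ovh` selector. That replacement suggests no `unifi` parent group covers these five groups; if so, every other `all`-scoped play in the repository now reaches the access points too, silently. Adding `[unifi:children]` followed by the five `*_unifi` groups to this file restores a single `all,!unifi` exclusion that every playbook can reuse. Style: `+rives_unifi` replaces the blank line before the `####` banner, unlike the other four sites.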
@@ -34,6 +36,9 @@
 snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
 # Prometheus targets.json
+ prometheus_ups_snmp_targets:
+ - ups-ec-1.ups.auro.re
+
 prometheus_targets:
 - targets: |
 {{ groups['edc_pve'] + groups['edc_vm'] | list | sort }}
@@ -53,10 +58,78 @@
 {{ groups['gs_pve'] + groups['gs_vm'] | list | sort }}
 prometheus_unifi_snmp_targets:
 - targets: "{{ groups['gs_unifi'] | list | sort }}"
+ prometheus_ups_snmp_targets:
+ - ups-gk-1.ups.auro.re
 roles:
 - prometheus
+- hosts: prometheus-rives.adm.auro.re
+ vars:
+ prometheus_alertmanager: docker-ovh.adm.auro.re:9093
+ snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
+
+ # Prometheus targets.json
+ prometheus_ups_snmp_targets:
+ - ups-r3-1.ups.auro.re
+
+ prometheus_targets:
+ - targets: |
+ {{ groups['rives_pve'] + groups['rives_vm'] | list | sort }}
+ prometheus_unifi_snmp_targets:
+ - targets: "{{ groups['rives_unifi'] | list | sort }}"
+ roles:
+ - prometheus
+
+- hosts: prometheus-aurore.adm.auro.re
+ vars:
+ prometheus_alertmanager: docker-ovh.adm.auro.re:9093
+ snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
+ snmp_switch_community: "{{ vault_snmp_switch_community }}"
+
+ # Prometheus targets.json
+ prometheus_targets:
+ - targets: |
+ {{ groups['aurore_pve'] + groups['aurore_vm'] | list | sort }}
+ prometheus_switch_snmp_targets:
+ - targets:
+ - yggdrasil.switch.auro.re
+ roles:
+ - prometheus
+
+- hosts: prometheus-ovh.adm.auro.re
+ vars:
+ prometheus_alertmanager: docker-ovh.adm.auro.re:9093
+ snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
+
+ # Prometheus targets.json
+ prometheus_targets:
+ - targets: |
+ {{ groups['ovh_pve'] + groups['ovh_vm'] | list | sort }}
+ prometheus_docker_targets:
+ - docker-ovh.adm.auro.re:8087
+ roles:
+ - prometheus
+
+
+- hosts: prometheus-federate.adm.auro.re
+ vars:
+ prometheus_alertmanager: docker-ovh.adm.auro.re:9093
+ snmp_unifi_password: "{{ vault_snmp_unifi_password }}"
+
+ # Prometheus targets.json
+ prometheus_targets:
+ - prometheus-edc.adm.auro.re
+ - prometheus-gs.adm.auro.re
+ - prometheus-fleming.adm.auro.re
+ - prometheus-pacaterie.adm.auro.re
+ - prometheus-rives.adm.auro.re
+ - prometheus-aurore.adm.auro.re
+ - prometheus-ovh.adm.auro.re
+ roles:
+ - prometheus_federate
+
+
 # Monitor all hosts
-- hosts: all,!unifi,!ovh
+- hosts: all,!edc_unifi,!fleming_unifi,!pacaterie_unifi,!gs_unifi,!rives_unifi,!aurore_testing_vm,!ovh_container
 roles:
 - prometheus_node
diff --git a/network.yml b/network.yml
index e64d8ff..50fde19 100755
--- a/network.yml
+++ b/network.yml
@@ -43,7 +43,7 @@
 # username: service-user
 # password: "{{ vault_serviceuser_passwd }}"
 # roles:
-# - re2o-service
+# - re2o_service
 # Deploy Unifi Controller
@@ -62,4 +62,4 @@
 # username: service-user
 # password: "{{ vault_serviceuser_passwd }}"
 # roles:
-# - re2o-service
+# - re2o_service
diff --git a/roles/baseconfig/tasks/apt-unattended.yml b/roles/baseconfig/tasks/apt-unattended.yml
new file mode 100644
index 0000000..9251e17
--- /dev/null
+++ b/roles/baseconfig/tasks/apt-unattended.yml
@@ -0,0 +1,21 @@
+---
+- name: Install unattended-upgrades
+ when: ansible_os_family == "Debian"
+ apt:
+ name: unattended-upgrades
+ state: present
+ update_cache: true
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
+- name: Configure unattended-upgrades
+ template:
+ src: "apt/{{ item }}.j2"
+ dest: "/etc/apt/apt.conf.d/{{ item }}"
+ owner: root
+ mode: u=rw,g=r,o=r
+ loop:
+ - 50unattended-upgrades
+ - 20auto-upgrades
+...
diff --git a/roles/baseconfig/tasks/main.yml b/roles/baseconfig/tasks/main.yml
index 2455998..9210b5c 100644
--- a/roles/baseconfig/tasks/main.yml
+++ b/roles/baseconfig/tasks/main.yml
@@ -9,8 +9,6 @@
 - aptitude # nice to have for Ansible
 - bash-completion # because bash
 - curl # better than wget
- - emacs-nox # for maman
- - fish # to motivate @edpibu
 - git # code versioning
 - htop # better than top
 - iotop # monitor i/o
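Review bot: `snmp_unifi_password: "{{ vault_snmp_unifi_password }}"` is handed to the new prometheus-ovh and prometheus-federate plays although neither defines `prometheus_unifi_snmp_targets`, so the Unifi SNMP community is templated onto two hosts that never query an access point. If the prometheus role needs the variable to exist, a `| default('')` inside the role is the cleaner place; otherwise drop the two lines so the secret only lands where it is used. The federate play's `prometheus_targets` is a plain list of hostnames while every other play uses `- targets:` entries; a short comment on the `prometheus_targets:` line saying the federate role expects the flat form would save the next reader a trip into the role.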
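Review bot: `Configure unattended-upgrades` has no `when: ansible_os_family == "Debian"` guard while the install task just above it does, so on a non-Debian host the role skips the package but still writes `/etc/apt/apt.conf.d/50unattended-upgrades` and `20auto-upgrades`. Either add the same `when:` to the template task or drop it from both, since roles/baseconfig/tasks/main.yml installs its package list with `apt:` unguarded and appears to assume Debian already. `mode: u=rw,g=r,o=r` is a good choice over an unquoted octal.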
@@ -18,14 +16,14 @@
 - lsb-release
 - molly-guard # prevent reboot
 - nano # for vulcain
- - net-tools
 - ntp # network time sync
- - oidentd # postgresql identification
 - screen # Vulcain asked for this
 - sudo
+ - tmux # For shirenn
 - tree # create a graphical tree of files
 - vim # better than nano
 - zsh # to be able to ssh @erdnaxe
+ - dnsutils # dig
 update_cache: true
 register: apt_result
 retries: 3
@@ -74,6 +72,9 @@
 # APT-List Changes : send email with changelog
 - include_tasks: apt-listchanges.yml
+# APT Unattended upgrades
+- include_tasks: apt-unattended.yml
+
 # User skeleton
 - name: Configure user skeleton
 copy:
diff --git a/roles/baseconfig/templates/apt/20auto-upgrades.j2 b/roles/baseconfig/templates/apt/20auto-upgrades.j2
new file mode 100644
index 0000000..a1ba39e
--- /dev/null
+++ b/roles/baseconfig/templates/apt/20auto-upgrades.j2
@@ -0,0 +1,4 @@
+// {{ ansible_managed }}
+
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Unattended-Upgrade "1";
diff --git a/roles/baseconfig/templates/apt/50unattended-upgrades.j2 b/roles/baseconfig/templates/apt/50unattended-upgrades.j2
new file mode 100644
index 0000000..b2932b5
--- /dev/null
+++ b/roles/baseconfig/templates/apt/50unattended-upgrades.j2
@@ -0,0 +1,22 @@
+// {{ ansible_managed }}
+
+Unattended-Upgrade::Origins-Pattern {
+ "origin=Debian,codename=${distro_codename},label=Debian-Security";
+};
+
+Unattended-Upgrade::Package-Blacklist {};
+
+Unattended-Upgrade::MinimalSteps "true";
+Unattended-Upgrade::InstallOnShutdown "false";
+
+Unattended-Upgrade::Mail "{{ monitoring_mail }}";
+// Unattended-Upgrade::MailOnlyOnError "false";
+
+Unattended-Upgrade::Remove-Unused-Kernel-Packages "false";
+Unattended-Upgrade::Remove-New-Unused-Dependencies "false";
+Unattended-Upgrade::Remove-Unused-Dependencies "false";
+
+Unattended-Upgrade::Automatic-Reboot "false";
+
+Unattended-Upgrade::SyslogEnable "true";
+Unattended-Upgrade::SyslogFacility "daemon";
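Review bot: `Unattended-Upgrade::Origins-Pattern` lists only `label=Debian-Security`, so stable point-release updates (`${distro_codename}-updates`) and anything from the backports source that the `debian_backports` role configures are never applied automatically; if that is deliberate, a one-line `//` comment above the block saying so keeps someone from "fixing" it later. `Unattended-Upgrade::Mail "{{ monitoring_mail }}"` renders an unguarded variable, so every host the role runs on must define `monitoring_mail` or the template task fails — a `| default(...)` here or an `assert` in apt-unattended.yml makes that dependency visible. With `Automatic-Reboot "false"` and `Remove-Unused-Kernel-Packages "false"`, security kernel updates pile up in /boot until someone reboots and cleans up by hand, which is worth recording in the same comment.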
diff --git a/roles/certbot/handlers/main.yml b/roles/certbot/handlers/main.yml
deleted file mode 100644
index 82d2202..0000000
--- a/roles/certbot/handlers/main.yml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-- name: Reload nginx
- service:
- name: nginx
- state: reloaded
-
-- name: Generate certificates
- command: "certbot certonly --non-interactive --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
index cbce286..8404b4d 100644
--- a/roles/certbot/tasks/main.yml
+++ b/roles/certbot/tasks/main.yml
@@ -1,13 +1,28 @@
 ---
-- name: Install certbot and nginx plugin
+- name: Install certbot and RFC2136 plugin
 apt:
 update_cache: true
 name:
 - certbot
- - python3-certbot-nginx
- register: pkg_result
+ - python3-certbot-dns-rfc2136
+ state: present
+ register: apt_result
 retries: 3
- until: pkg_result is succeeded
+ until: apt_result is succeeded
+
+- name: Add DNS credentials
+ template:
+ src: letsencrypt/rfc2136.ini.j2
+ dest: "/etc/letsencrypt/rfc2136.{{ item.certname }}.ini"
+ mode: 0600
+ owner: root
+ loop: "{{ certbot }}"
+
+- name: Add dhparam
+ template:
+ src: "letsencrypt/dhparam.j2"
+ dest: "/etc/letsencrypt/dhparam"
+ mode: 0600
 - name: Create /etc/letsencrypt/conf.d
 file:
@@ -18,8 +33,19 @@
 - name: Add Certbot configuration
 template:
 src: "letsencrypt/conf.d/certname.ini.j2"
- dest: "/etc/letsencrypt/conf.d/{{ certbot.certname }}.ini"
+ dest: "/etc/letsencrypt/conf.d/{{ item.certname }}.ini"
 mode: 0644
- notify:
- - Generate certificates
- - Reload nginx
+ loop: "{{ certbot }}"
+
+- name: Run certbot
+ command: certbot --non-interactive --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
+ loop: "{{ certbot }}"
+
+- name: Clean old files
+ file:
+ path: "{{ item }}"
+ state: absent
+ loop:
+ - "/etc/letsencrypt/options-ssl-nginx.conf"
+ - "/etc/letsencrypt/ssl-dhparams.pem"
+ - "/etc/letsencrypt/rfc2136.ini"
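Review bot: `Run certbot` is a bare `command:` with no `changed_when`, `creates` or registered result, so it reports changed on every run and is never skipped, and because the `Generate certificates`/`Reload nginx` handlers are deleted in the same commit nothing reloads nginx after a certificate is actually issued or renewed. Register the output and set `changed_when: "'not yet due for renewal' not in certbot_result.stdout"` (certbot prints that when it takes no action), then `notify: Reload nginx` from it or pass `--deploy-hook` in the ini so renewals reach the running server. `Add DNS credentials` renders the TSIG secret into `rfc2136.{{ item.certname }}.ini` — `mode: 0600`/`owner: root` is right, but add `no_log: true` (or at least `diff: false`) so the secret does not show up in `--diff`/verbose output and CI logs.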
diff --git a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2 b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
index c23d930..b695166 100644
--- a/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
+++ b/roles/certbot/templates/letsencrypt/conf.d/certname.ini.j2
@@ -1,7 +1,7 @@
-# {{ ansible_managed }}
+{{ ansible_managed | comment(decoration='# ') }}
-# Pour appliquer cette conf et générer la conf de renewal :
-# certbot --config /etc/letsencrypt/conf.d/{{ certbot.certname }}.ini certonly
+# To generate the certificate, please use the following command
+# certbot --config /etc/letsencrypt/conf.d/{{ item.certname }}.ini certonly
 # Use a 4096 bit RSA key instead of 2048
 rsa-key-size = 4096
@@ -10,14 +10,19 @@ rsa-key-size = 4096
 # server = https://acme-staging.api.letsencrypt.org/directory
 # Uncomment and update to register with the specified e-mail address
-email = {{ certbot.mail }}
+email = {{ item.mail }}
 # Uncomment to use a text interface instead of ncurses
 text = True
-# Use nginx challenge
-authenticator = nginx
+# Yes I want to sell my soul and my guinea pig.
+agree-tos = True
+
+# Use DNS-01 challenge
+authenticator = dns-rfc2136
+dns-rfc2136-credentials = /etc/letsencrypt/rfc2136.{{ item.certname }}.ini
+dns-rfc2136-propagation-seconds = 30
 # Wildcard the domain
-cert-name = {{ certbot.certname }}
-domains = {{ ", ".join(certbot.domains) }}
+cert-name = {{ item.certname }}
+domains = {{ item.domains }}
diff --git a/roles/nginx_reverseproxy/templates/letsencrypt/dhparam.j2 b/roles/certbot/templates/letsencrypt/dhparam.j2
similarity index 100%
rename from roles/nginx_reverseproxy/templates/letsencrypt/dhparam.j2
rename to roles/certbot/templates/letsencrypt/dhparam.j2
diff --git a/roles/certbot/templates/letsencrypt/rfc2136.ini.j2 b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
new file mode 100644
index 0000000..e864958
--- /dev/null
+++ b/roles/certbot/templates/letsencrypt/rfc2136.ini.j2
@@ -0,0 +1,7 @@
+{{ ansible_managed | comment(decoration='# ') }}
+
+dns_rfc2136_server = {{ item.dns_rfc2136_server }}
+dns_rfc2136_port = 53
+dns_rfc2136_name = {{ item.dns_rfc2136_name }}
+dns_rfc2136_secret = {{ item.dns_rfc2136_secret }}
+dns_rfc2136_algorithm = HMAC-SHA512
diff --git a/roles/debian-backports/tasks/main.yml b/roles/debian_backports/tasks/main.yml
similarity index 100%
rename from roles/debian-backports/tasks/main.yml
rename to roles/debian_backports/tasks/main.yml
diff --git a/roles/debian-backports/templates/backports.list.j2 b/roles/debian_backports/templates/backports.list.j2
similarity index 100%
rename from roles/debian-backports/templates/backports.list.j2
rename to roles/debian_backports/templates/backports.list.j2
diff --git a/roles/isc_dhcp_server/handlers/main.yml b/roles/isc_dhcp_server/handlers/main.yml
index 05b48c6..fd4dd48 100644
--- a/roles/isc_dhcp_server/handlers/main.yml
+++ b/roles/isc_dhcp_server/handlers/main.yml
@@ -1,6 +1,6 @@
 ---
 - name: force run dhcp re2o-service
- shell: /var/local/re2o-services/dhcp/main.py --force
+ command: /var/local/re2o-services/dhcp/main.py --force
 become_user: re2o-services
 - name: restart dhcpd
diff --git a/roles/isc_dhcp_server/tasks/main.yml b/roles/isc_dhcp_server/tasks/main.yml
index 57d2d25..9d69d63 100644
--- a/roles/isc_dhcp_server/tasks/main.yml
+++ b/roles/isc_dhcp_server/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
 - name: Install dhcp (re2o-service)
 import_role:
- name: re2o-service
+ name: re2o_service
 vars:
 service_repo: https://gitlab.federez.net/re2o/dhcp.git
 service_name: dhcp
@@ -18,7 +18,7 @@
 owner: re2o-services
 group: nogroup
 recurse: true
- mode: 755
+ mode: 0755
 - name: Install isc-dhcp-server
 apt:
diff --git a/roles/ldap_client/tasks/main.yml b/roles/ldap_client/tasks/main.yml
index 8599950..968b42f 100644
--- a/roles/ldap_client/tasks/main.yml
+++ b/roles/ldap_client/tasks/main.yml
@@ -21,4 +21,4 @@
 user: root
 key: "{{ ssh_pub_keys }}"
 state: present
-# exclusive: True
+ exclusive: true
diff --git a/roles/nginx_reverseproxy/handlers/main.yml b/roles/nginx/handlers/main.yml
similarity index 100%
rename from roles/nginx_reverseproxy/handlers/main.yml
rename to roles/nginx/handlers/main.yml
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
new file mode 100644
index 0000000..210c7f0
--- /dev/null
+++ b/roles/nginx/tasks/main.yml
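Review bot: Turning on `exclusive: true` for `user: root` makes `ssh_pub_keys` the complete authorized_keys set and removes every key not in it on the next run — the right hardening step, but also the one that locks root out if `ssh_pub_keys` is empty, undefined on some host, or accidentally truncated. Guard it with an `assert` task before this one, `that: ssh_pub_keys | length > 0`, and keep in mind that `exclusive` only considers keys passed in this single `key:` value, so every key that must survive has to be inside `ssh_pub_keys`. The task's `name:`/module lines start outside the hunk.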
@@ -0,0 +1,146 @@
+---
+- name: Install NGINX
+ apt:
+ update_cache: true
+ name: nginx
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
+- name: Copy proxypass snippets
+ template:
+ src: "nginx/snippets/options-proxypass.conf.j2"
+ dest: "/etc/nginx/snippets/options-proxypass.conf"
+ owner: root
+ group: root
+ mode: 0644
+
+- name: Copy SSL snippets
+ template:
+ src: "nginx/snippets/options-ssl.conf.j2"
+ dest: "/etc/nginx/snippets/options-ssl.{{ item.name }}.conf"
+ owner: root
+ group: root
+ mode: 0644
+ loop: "{{ nginx.ssl }}"
+
+- name: Disable default site
+ file:
+ dest: "/etc/nginx/sites-enabled/default"
+ state: absent
+
+- name: Copy reverse proxy sites
+ when: reverseproxy is defined
+ template:
+ src: "nginx/sites-available/{{ item }}.j2"
+ dest: "/etc/nginx/sites-available/{{ item }}"
+ owner: root
+ group: root
+ mode: 0644
+ loop:
+ - reverseproxy
+ - reverseproxy_redirect_dname
+ - redirect
+ notify: Reload nginx
+
+- name: Activate reverse proxy sites
+ when: reverseproxy is defined
+ file:
+ src: "/etc/nginx/sites-available/{{ item }}"
+ dest: "/etc/nginx/sites-enabled/{{ item }}"
+ owner: root
+ group: root
+ state: link
+ loop:
+ - reverseproxy
+ - reverseproxy_redirect_dname
+ - redirect
+ notify: Reload nginx
+ ignore_errors: "{{ ansible_check_mode }}"
+
+- name: Copy forward modules
+ when: reverseproxy.redirect_tcp is defined and reverseproxy.redirect_tcp|length > 0
+ template:
+ src: "nginx/modules-available/60-forward.conf.j2"
+ dest: "/etc/nginx/modules-available/60-forward.conf"
+ mode: 0644
+ notify: Reload nginx
+
+- name: Activate modules
+ when: reverseproxy.redirect_tcp is defined and reverseproxy.redirect_tcp|length > 0
+ file:
+ src: "/etc/nginx/modules-available/60-forward.conf"
+ dest: "/etc/nginx/modules-enabled/60-forward.conf"
+ state: link
+ mode: 0644
+ notify: Reload nginx
+ ignore_errors: "{{ ansible_check_mode }}"
+
+- name: Copy service nginx configuration
+ when: nginx.servers is defined and nginx.servers|length > 0
+ template:
+ src: "nginx/sites-available/service.j2"
+ dest: "/etc/nginx/sites-available/{{ nginx.service_name }}"
+ owner: root
+ group: root
+ mode: 0644
+ notify: Reload nginx
+
+- name: Activate local nginx service site
+ when: nginx.servers is defined and nginx.servers|length > 0
+ file:
+ src: "/etc/nginx/sites-available/{{ nginx.service_name }}"
+ dest: "/etc/nginx/sites-enabled/{{ nginx.service_name }}"
+ owner: root
+ group: root
+ state: link
+ notify: Reload nginx
+ ignore_errors: "{{ ansible_check_mode }}"
+
+- name: Copy 50x error page
+ template:
+ src: www/html/50x.html.j2
+ dest: /var/www/html/50x.html
+ owner: www-data
+ group: www-data
+ mode: 0644
+
+- name: Copy robots.txt file
+ when: nginx.deploy_robots_file
+ template:
+ src: www/html/robots.txt.j2
+ dest: /var/www/html/robots.txt
+ owner: www-data
+ group: www-data
+ mode: 0644
+
+- name: Install passwords
+ when: nginx.auth_passwd|length > 0
+ template:
+ src: nginx/passwd.j2
+ dest: /etc/nginx/passwd
+ mode: 0644
+
+- name: Copy 401 error page
+ when: nginx.auth_passwd|length > 0
+ template:
+ src: www/html/401.html.j2
+ dest: /var/www/html/401.html
+ owner: www-data
+ group: www-data
+ mode: 0644
+
+- name: Indicate role in motd
+ template:
+ src: update-motd.d/05-service.j2
+ dest: /etc/update-motd.d/05-nginx
+ mode: 0755
+
+- name: Clean old files
+ file:
+ path: "{{ item }}"
+ state: absent
+ loop:
+ - "/etc/nginx/snippets/options-ssl.conf"
+ - "/var/www/custom_401.html"
+ - "/var/www/robots.txt"
diff --git a/roles/nginx/templates/letsencrypt/dhparam.j2 b/roles/nginx/templates/letsencrypt/dhparam.j2
new file mode 100644
index 0000000..9b182b7
--- /dev/null
+++ b/roles/nginx/templates/letsencrypt/dhparam.j2
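Review bot: `Install passwords` writes `/etc/nginx/passwd`, a file of `user:hash` lines, with `mode: 0644` and no owner/group, so every local account on the host can read the password hashes; nginx's workers only need group read, so `owner: root`, `group: www-data`, `mode: 0640` is the usual setting (www-data is already the account the role uses for /var/www/html). The `when: nginx.auth_passwd|length > 0` guard is fine, but the template it renders calls `.items()` on the value, so a host that defines `auth_passwd` as a list rather than a mapping fails inside this task — a comment on the task naming the expected shape, `# auth_passwd is a mapping of user -> htpasswd hash`, would help. Everything else in the file consistently sets `owner`/`group`/`mode`; `Install passwords` is the one task that does not.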
@@ -0,0 +1,8 @@ +-----BEGIN DH PARAMETERS----- +MIIBCAKCAQEA//////////+t+FRYortKmq/cViAnPTzx2LnFg84tNpWp4TZBFGQz ++8yTnc4kmz75fS/jY2MMddj2gbICrsRhetPfHtXV/WVhJDP1H18GbtCFY2VVPe0a +87VXE15/V8k1mE8McODmi3fipona8+/och3xWKE2rec1MKzKT0g6eXq8CrGCsyT7 +YdEIqUuyyOP7uWrat2DX9GgdT0Kj3jlN9K5W7edjcrsZCwenyO4KbXCeAvzhzffi +7MA0BM0oNC9hkXL+nOmFg/+OTxIy7vKBg8P+OxtMb61zO7X8vC7CIAXFjvGDfRaD +ssbzSibBsu/6iGtCOGEoXJf//////////wIBAg== +-----END DH PARAMETERS----- diff --git a/roles/nginx_reverseproxy/templates/nginx/modules-available/60-forward.conf.j2 b/roles/nginx/templates/nginx/modules-available/60-forward.conf.j2 similarity index 72% rename from roles/nginx_reverseproxy/templates/nginx/modules-available/60-forward.conf.j2 rename to roles/nginx/templates/nginx/modules-available/60-forward.conf.j2 index 9a86a5d..f05b00d 100644 --- a/roles/nginx_reverseproxy/templates/nginx/modules-available/60-forward.conf.j2 +++ b/roles/nginx/templates/nginx/modules-available/60-forward.conf.j2 @@ -1,6 +1,6 @@ -# {{ ansible_managed }} +{{ ansible_managed | comment }} -{% for site in nginx.redirect_tcp %} +{% for site in reverseproxy.redirect_tcp %} # Forward port {{ site.port }} to {{ site.name }} stream { server { @@ -12,3 +12,4 @@ stream { } {% endfor %} + diff --git a/roles/nginx/templates/nginx/passwd.j2 b/roles/nginx/templates/nginx/passwd.j2 new file mode 100644 index 0000000..ed45d93 --- /dev/null +++ b/roles/nginx/templates/nginx/passwd.j2 @@ -0,0 +1,4 @@ +{{ ansible_managed | comment }} +{% for user, hash in nginx.auth_passwd.items() -%} +{{ user }}:{{ hash }} +{% endfor -%} diff --git a/roles/nginx_reverseproxy/templates/nginx/sites-available/redirect.j2 b/roles/nginx/templates/nginx/sites-available/redirect.j2 similarity index 56% rename from roles/nginx_reverseproxy/templates/nginx/sites-available/redirect.j2 rename to roles/nginx/templates/nginx/sites-available/redirect.j2 index 28e9b7d..2543400 100644 --- a/roles/nginx_reverseproxy/templates/nginx/sites-available/redirect.j2 
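Review bot: letsencrypt/dhparam.j2 is added to the new role but nothing deploys it: the "Copy dhparam" task of the old nginx_reverseproxy role is deleted in this diff and the new roles/nginx/tasks/main.yml has no replacement, so any `ssl_dhparam` directive pointing at /etc/letsencrypt/dhparam would reference a file that is never rendered (whether options-ssl.conf.j2 still references it is outside the visible hunks). The same applies to nginx/snippets/fastcgi.conf.j2 added later in this diff, which no task copies into /etc/nginx/snippets/. Either add template tasks for both or drop the unused templates.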
+++ b/roles/nginx/templates/nginx/sites-available/redirect.j2 @@ -1,6 +1,6 @@ -# {{ ansible_managed }} +{{ ansible_managed | comment }} -{% for site in nginx.redirect_sites %} +{% for site in reverseproxy.redirect_sites %} # Redirect http://{{ site.from }} to http://{{ site.to }} server { listen 80; @@ -8,6 +8,11 @@ server { server_name {{ site.from }}; +{% for realip in nginx.real_ip_from %} + set_real_ip_from {{ realip }}; +{% endfor %} + real_ip_header P-Real-Ip; + location / { return 302 http://{{ site.to }}$request_uri; } @@ -21,7 +26,12 @@ server { server_name {{ site.from }}; # SSL common conf - include "/etc/nginx/snippets/options-ssl.conf"; + include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf"; + +{% for realip in nginx.real_ip_from %} + set_real_ip_from {{ realip }}; +{% endfor %} + real_ip_header P-Real-Ip; location / { return 302 https://{{ site.to }}$request_uri; @@ -31,8 +41,8 @@ server { {% endfor %} {# Also redirect for DNAMEs #} -{% for dname in nginx.redirect_dnames %} -{% for site in nginx.redirect_sites %} +{% for dname in reverseproxy.redirect_dnames %} +{% for site in reverseproxy.redirect_sites %} {% set from = site.from | regex_replace('crans.org', dname) %} {% if from != site.from %} # Redirect http://{{ from }} to http://{{ site.to }} @@ -42,6 +52,11 @@ server { server_name {{ from }}; +{% for realip in nginx.real_ip_from %} + set_real_ip_from {{ realip }}; +{% endfor %} + real_ip_header P-Real-Ip; + location / { return 302 http://{{ site.to }}$request_uri; } @@ -55,7 +70,12 @@ server { server_name {{ from }}; # SSL common conf - include "/etc/nginx/snippets/options-ssl.conf"; + include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf"; + +{% for realip in nginx.real_ip_from %} + set_real_ip_from {{ realip }}; +{% endfor %} + real_ip_header P-Real-Ip; location / { return 302 https://{{ site.to }}$request_uri; 
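Review bot: The DNAME loop still rewrites with `regex_replace('crans.org', dname)` (an unchanged line of the fourth hunk), while the sibling reverseproxy_redirect_dname.j2 in this diff uses `'auro.re'`; if this deployment's sites live under auro.re the substitution never matches, `from == site.from` holds and no DNAME redirect is ever emitted — worth confirming and aligning, ideally with the dot escaped (`'auro\.re'`) since an unescaped `.` matches any character. The four-line `set_real_ip_from`/`real_ip_header P-Real-Ip` block is now pasted into every server block of this template and of reverseproxy.j2, reverseproxy_redirect_dname.j2 and service.j2; rendering it once into a snippet (e.g. /etc/nginx/snippets/options-realip.conf) and `include`-ing it would keep the trusted-proxy list in a single place.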
diff --git a/roles/nginx_reverseproxy/templates/nginx/sites-available/reverseproxy.j2 b/roles/nginx/templates/nginx/sites-available/reverseproxy.j2 similarity index 74% rename from roles/nginx_reverseproxy/templates/nginx/sites-available/reverseproxy.j2 rename to roles/nginx/templates/nginx/sites-available/reverseproxy.j2 index d29d13c..ae2d7a6 100644 --- a/roles/nginx_reverseproxy/templates/nginx/sites-available/reverseproxy.j2 +++ b/roles/nginx/templates/nginx/sites-available/reverseproxy.j2 @@ -1,4 +1,4 @@ -# {{ ansible_managed }} +{{ ansible_managed | comment }} # Automatic Connection header for WebSocket support # See http://nginx.org/en/docs/http/websocket.html @@ -7,7 +7,7 @@ map $http_upgrade $connection_upgrade { '' close; } -{% for site in nginx.reverseproxy_sites %} +{% for site in reverseproxy.reverseproxy_sites %} # Redirect http://{{ site.from }} to https://{{ site.from }} server { listen 80; @@ -15,6 +15,11 @@ server { server_name {{ site.from }}; +{% for realip in nginx.real_ip_from %} + set_real_ip_from {{ realip }}; +{% endfor %} + real_ip_header P-Real-Ip; + location / { return 302 https://$host$request_uri; } @@ -28,7 +33,7 @@ server { server_name {{ site.from }}; # SSL common conf - include "/etc/nginx/snippets/options-ssl.conf"; + include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf"; # Log into separate log files access_log /var/log/nginx/{{ site.from }}.log; @@ -43,8 +48,9 @@ server { root /var/www/html; } - set_real_ip_from 10.231.136.0/24; - set_real_ip_from 2a0c:700:0:2::/64; +{% for realip in nginx.real_ip_from %} + set_real_ip_from {{ realip }}; +{% endfor %} real_ip_header P-Real-Ip; location / { 
diff --git a/roles/nginx_reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 b/roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 similarity index 55% rename from roles/nginx_reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 rename to roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 index bac615d..819fd7a 100644 --- a/roles/nginx_reverseproxy/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 +++ b/roles/nginx/templates/nginx/sites-available/reverseproxy_redirect_dname.j2 @@ -1,7 +1,7 @@ -# {{ ansible_managed }} +{{ ansible_managed | comment }} -{% for dname in nginx.redirect_dnames %} -{% for site in nginx.reverseproxy_sites %} +{% for dname in reverseproxy.redirect_dnames %} +{% for site in reverseproxy.reverseproxy_sites %} {% set from = site.from | regex_replace('auro.re', dname) %} {% set to = site.from %} {% if from != site.from %} @@ -12,6 +12,11 @@ server { server_name {{ from }}; +{% for realip in nginx.real_ip_from %} + set_real_ip_from {{ realip }}; +{% endfor %} + real_ip_header P-Real-Ip; + location / { return 302 http://{{ to }}$request_uri; } @@ -25,7 +30,12 @@ server { server_name {{ from }}; # SSL common conf - include "/etc/nginx/snippets/options-ssl.conf"; + include "/etc/nginx/snippets/options-ssl.{{ site.ssl|default(nginx.default_ssl_domain) }}.conf"; + +{% for realip in nginx.real_ip_from %} + set_real_ip_from {{ realip }}; +{% endfor %} + real_ip_header P-Real-Ip; location / { return 302 https://{{ to }}$request_uri; diff --git a/roles/nginx/templates/nginx/sites-available/service.j2 b/roles/nginx/templates/nginx/sites-available/service.j2 new file mode 100644 index 0000000..39f25eb --- /dev/null +++ b/roles/nginx/templates/nginx/sites-available/service.j2 
@@ -0,0 +1,132 @@ +{{ ansible_managed | comment }} + +# Automatic Connection header for WebSocket support +# See http://nginx.org/en/docs/http/websocket.html +map $http_upgrade $connection_upgrade { + default upgrade; + '' close; +} + +{% for upstream in nginx.upstreams -%} +upstream {{ upstream.name }} { + # Path of the server + server {{ upstream.server }}; +} +{% endfor -%} + +{% if nginx.default_ssl_server -%} +# Redirect all services to the main site +server { + listen 443 default_server ssl; + listen [::]:443 default_server ssl; + include "/etc/nginx/snippets/options-ssl.{{ nginx.default_ssl_domain }}.conf"; + + server_name _; + charset utf-8; + + # Hide Nginx version + server_tokens off; + +{% for realip in nginx.real_ip_from %} + set_real_ip_from {{ realip }}; +{% endfor %} + real_ip_header P-Real-Ip; + + location / { + return 302 https://{{ nginx.default_ssl_server }}$request_uri; + } +} +{% endif -%} + +{% if nginx.default_server -%} +# Redirect all services to the main site +server { + listen 80 default_server; + listen [::]:80 default_server; + + server_name _; + charset utf-8; + + # Hide Nginx version + server_tokens off; + +{% for realip in nginx.real_ip_from %} + set_real_ip_from {{ realip }}; +{% endfor %} + real_ip_header P-Real-Ip; + + location / { + return 302 http://{{ nginx.default_server }}$request_uri; + } +} +{% endif -%} + +{% for server in nginx.servers %} +{% if server.ssl is defined and server.ssl -%} +# Redirect HTTP to HTTPS +server { + listen 80{% if server.default is defined and server.default %} default_server{% endif %}; + listen [::]:80{% if server.default is defined and server.default %} default_server{% endif %}; + + server_name {{ server.server_name|join(" ") }}; + charset utf-8; + + # Hide Nginx version + server_tokens off; + +{% for realip in nginx.real_ip_from %} + set_real_ip_from {{ realip }}; +{% endfor %} + real_ip_header P-Real-Ip; + + location / { + return 302 https://$host$request_uri; + } +} +{% endif -%} + +server { 
+ {% if server.ssl is defined and server.ssl -%} + listen 443{% if server.default is defined and server.default %} default_server{% endif %} ssl; + listen [::]:443{% if server.default is defined and server.default %} default_server{% endif %} ssl; + include "/etc/nginx/snippets/options-ssl.{{ server.ssl }}.conf"; + {% else -%} + listen 80; + listen [::]:80; + {% endif -%} + + server_name {{ server.server_name|join(" ") }}; + charset utf-8; + + # Hide Nginx version + server_tokens off; + +{% for realip in nginx.real_ip_from %} + set_real_ip_from {{ realip }}; +{% endfor %} + real_ip_header P-Real-Ip; + + {% if server.root is defined %}root {{ server.root }};{% endif %} + {% if server.index is defined %}index {{ server.index|join(" ") }};{% endif %} + + {% if server.access_log is defined %}access_log {{ server.access_log }};{% endif %} + {% if server.error_log is defined %}error_log {{ server.error_log }};{% endif %} + +{% if server.additional_params is defined %} +{% for param in server.additional_params %} + {{ param }}; +{% endfor %} +{% endif %} + +{% if server.locations is defined %} +{% for location in server.locations %} + location {{ location.filter }} { +{% for param in location.params %} + {{ param }}; +{% endfor %} + } + +{% endfor %} +{% endif %} +} +{% endfor %} diff --git a/roles/nginx/templates/nginx/snippets/fastcgi.conf.j2 b/roles/nginx/templates/nginx/snippets/fastcgi.conf.j2 new file mode 100644 index 0000000..a173dea --- /dev/null +++ b/roles/nginx/templates/nginx/snippets/fastcgi.conf.j2 
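Review bot: `include "/etc/nginx/snippets/options-ssl.{{ server.ssl }}.conf"` only resolves when `server.ssl` equals the `name` of an entry in `nginx.ssl`, because those snippets are rendered per entry by the "Copy SSL snippets" task; any other value makes nginx fail its config test at reload time, so state it at the top of the template: `{# server.ssl must be the name of an nginx.ssl entry; it selects the options-ssl.<name>.conf snippet #}`. `{{ param }};` for additional_params and location.params appends a semicolon, so callers cannot pass block directives; a comment saying each param is one directive given without its trailing `;` would prevent surprises. The `{% if server.ssl … -%}` tags are indented along with the directives, so the rendered `listen` lines carry both indents — cosmetic, but placing the tags at column 0 as the `{% for realip %}` loop does keeps the output tidy.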
@@ -0,0 +1,18 @@ +{{ ansible_managed | comment }} + +# regex to split $uri to $fastcgi_script_name and $fastcgi_path +fastcgi_split_path_info (^/[^/]*)(.*)$; + +# check that the PHP script exists before passing it +try_files $fastcgi_script_name =404; + +# Bypass the fact that try_files resets $fastcgi_path_info +# see: http://trac.nginx.org/nginx/ticket/321 +set $path_info $fastcgi_path_info; +fastcgi_param PATH_INFO $path_info; + +# Let NGINX handle errors +fastcgi_intercept_errors on; + +include /etc/nginx/fastcgi.conf; +fastcgi_pass unix:/var/run/fcgiwrap.socket; diff --git a/roles/nginx_reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2 b/roles/nginx/templates/nginx/snippets/options-proxypass.conf.j2 similarity index 93% rename from roles/nginx_reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2 rename to roles/nginx/templates/nginx/snippets/options-proxypass.conf.j2 index 9515d81..7f8d4b8 100644 --- a/roles/nginx_reverseproxy/templates/nginx/snippets/options-proxypass.conf.j2 +++ b/roles/nginx/templates/nginx/snippets/options-proxypass.conf.j2 @@ -1,4 +1,4 @@ -# {{ ansible_managed }} +{{ ansible_managed | comment }} proxy_redirect off; proxy_set_header Host $host; diff --git a/roles/nginx_reverseproxy/templates/nginx/snippets/options-ssl.conf.j2 b/roles/nginx/templates/nginx/snippets/options-ssl.conf.j2 similarity index 76% rename from roles/nginx_reverseproxy/templates/nginx/snippets/options-ssl.conf.j2 rename to roles/nginx/templates/nginx/snippets/options-ssl.conf.j2 index fee51c6..d665eaf 100644 --- a/roles/nginx_reverseproxy/templates/nginx/snippets/options-ssl.conf.j2 +++ b/roles/nginx/templates/nginx/snippets/options-ssl.conf.j2 
@@ -1,7 +1,7 @@ -# {{ ansible_managed }} +{{ ansible_managed | comment }} -ssl_certificate {{ nginx.ssl.cert }}; -ssl_certificate_key {{ nginx.ssl.cert_key }}; +ssl_certificate {{ item.cert }}; +ssl_certificate_key {{ item.cert_key }}; ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; ssl_session_tickets off; @@ -13,5 +13,5 @@ ssl_prefer_server_ciphers off; # Enable OCSP Stapling, point to certificate chain ssl_stapling on; ssl_stapling_verify on; -ssl_trusted_certificate {{ nginx.ssl.trusted_cert }}; +ssl_trusted_certificate {{ item.trusted_cert }}; diff --git a/roles/nginx_reverseproxy/templates/update-motd.d/05-service.j2 b/roles/nginx/templates/update-motd.d/05-service.j2 similarity index 78% rename from roles/nginx_reverseproxy/templates/update-motd.d/05-service.j2 rename to roles/nginx/templates/update-motd.d/05-service.j2 index fdff0b8..c52c655 100755 --- a/roles/nginx_reverseproxy/templates/update-motd.d/05-service.j2 +++ b/roles/nginx/templates/update-motd.d/05-service.j2 @@ -1,3 +1,3 @@ #!/usr/bin/tail +14 -# {{ ansible_managed }} +{{ ansible_managed | comment }} > NGINX a été déployé sur cette machine. Voir /etc/nginx/. diff --git a/roles/nginx/templates/www/html/401.html.j2 b/roles/nginx/templates/www/html/401.html.j2 new file mode 100644 index 0000000..93fc38a --- /dev/null +++ b/roles/nginx/templates/www/html/401.html.j2 @@ -0,0 +1,18 @@ +{{ ansible_header | comment('xml') }} + + + + Accès refusé + + + +
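Review bot: `{{ item.cert }}`, `{{ item.cert_key }}` and `{{ item.trusted_cert }}` tie this snippet to the loop variable of the "Copy SSL snippets" task, which is the only context in which it renders; a header comment such as `{# rendered once per entry of nginx.ssl; item = {name, cert, cert_key, trusted_cert} #}` would save the next reader a search through the tasks. Whether the snippet still references the dhparam file that this diff no longer deploys is outside the visible hunks.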

Accès refusé

+

+ Pour éviter le scan des adresses de diffusions par un robot, cette page demande un identifiant et mot de passe. +

+ + + diff --git a/roles/nginx_reverseproxy/templates/www/html/50x.html.j2 b/roles/nginx/templates/www/html/50x.html.j2 similarity index 92% rename from roles/nginx_reverseproxy/templates/www/html/50x.html.j2 rename to roles/nginx/templates/www/html/50x.html.j2 index e5c8733..078e2de 100644 --- a/roles/nginx_reverseproxy/templates/www/html/50x.html.j2 +++ b/roles/nginx/templates/www/html/50x.html.j2 @@ -57,7 +57,7 @@
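Review bot: The first line of 401.html.j2 uses `{{ ansible_header | comment('xml') }}` while every other template in this diff uses `ansible_managed`; unless `ansible_header` is defined in variables outside this diff, the "Copy 401 error page" task fails with an undefined-variable error. Presumably a typo for `{{ ansible_managed | comment('xml') }}`. The page markup is not legible in this view, so nothing is said about the body.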

502

Whoops, le service prend trop de temps à répondre…

Essayez de rafraîchir la page. Si le problème persiste, pensez - à contacter l'équipe technique d'Aurore.

+ à contacter {{ nginx.who }}.

diff --git a/roles/nginx/templates/www/html/robots.txt.j2 b/roles/nginx/templates/www/html/robots.txt.j2
new file mode 100644
index 0000000..1f53798
--- /dev/null
+++ b/roles/nginx/templates/www/html/robots.txt.j2
@@ -0,0 +1,2 @@
+User-agent: *
+Disallow: /
diff --git a/roles/nginx_reverseproxy/tasks/main.yml b/roles/nginx_reverseproxy/tasks/main.yml
deleted file mode 100644
index 497048d..0000000
--- a/roles/nginx_reverseproxy/tasks/main.yml
+++ /dev/null
@@ -1,73 +0,0 @@ ---- -- name: Install NGINX - apt: - update_cache: true - name: nginx - register: apt_result - retries: 3 - until: apt_result is succeeded - -- name: Copy snippets - template: - src: "nginx/snippets/{{ item }}.j2" - dest: "/etc/nginx/snippets/{{ item }}" - mode: 0644 - loop: - - options-ssl.conf - - options-proxypass.conf - -- name: Copy dhparam - template: - src: letsencrypt/dhparam.j2 - dest: /etc/letsencrypt/dhparam - mode: 0644 - -- name: Copy reverse proxy sites - template: - src: "nginx/sites-available/{{ item }}.j2" - dest: "/etc/nginx/sites-available/{{ item }}" - mode: 0644 - loop: - - reverseproxy - - reverseproxy_redirect_dname - - redirect - notify: Reload nginx - -- name: Activate sites - file: - src: "/etc/nginx/sites-available/{{ item }}" - dest: "/etc/nginx/sites-enabled/{{ item }}" - state: link - mode: 0644 - loop: - - reverseproxy - - reverseproxy_redirect_dname - - redirect - notify: Reload nginx - -- name: Copy forward modules - template: - src: "nginx/modules-available/60-forward.conf.j2" - dest: "/etc/nginx/modules-available/60-forward.conf" - mode: 0644 - notify: Reload nginx - -- name: Activate modules - file: - src: "/etc/nginx/modules-available/60-forward.conf" - dest: "/etc/nginx/modules-enabled/60-forward.conf" - state: link - mode: 0644 - notify: Reload nginx - -- name: Copy 50x error page - template: - src: www/html/50x.html.j2 - dest: /var/www/html/50x.html - mode: 0644 - -- name: Indicate role in motd - template: - src: update-motd.d/05-service.j2 - dest: /etc/update-motd.d/05-nginx - mode: 0755 diff --git a/roles/postfix_non_mailhost/handlers/main.yml b/roles/postfix_non_mailhost/handlers/main.yml new file mode 100644 index 0000000..bc28f6e --- /dev/null +++ b/roles/postfix_non_mailhost/handlers/main.yml @@ -0,0 +1,10 @@ +--- +- name: restart postfix + service: + name: postfix + state: restarted + +- name: reload postfix + service: + name: postfix + state: reloaded 
diff --git a/roles/postfix_non_mailhost/tasks/main.yml b/roles/postfix_non_mailhost/tasks/main.yml new file mode 100644 index 0000000..42f3482 --- /dev/null +++ b/roles/postfix_non_mailhost/tasks/main.yml @@ -0,0 +1,17 @@ +--- +- name: Install postfix + apt: + name: postfix + update_cache: true + register: result + retries: 3 + until: result is succeeded + +- name: Configure postfix + template: + src: main.cf.j2 + dest: /etc/postfix/main.cf + mode: 0644 + owner: root + group: root + notify: restart postfix diff --git a/roles/postfix_non_mailhost/templates/main.cf.j2 b/roles/postfix_non_mailhost/templates/main.cf.j2 new file mode 100644 index 0000000..d5f5166 --- /dev/null +++ b/roles/postfix_non_mailhost/templates/main.cf.j2 @@ -0,0 +1,32 @@ +# {{ ansible_managed }} +# See /usr/share/postfix/main.cf.dist for a commented, more complete version +# Template based on /usr/share/postfix/main.cf.debian + +smtpd_banner = $myhostname ESMTP $mail_name (Debian/GNU) +biff = no + +# appending .domain is the MUA's job. +append_dot_mydomain = no + +# Uncomment the next line to generate "delayed mail" warnings +#delay_warning_time = 4h + +readme_directory = no + +# See http://www.postfix.org/COMPATIBILITY_README.html -- default to 2 on +# fresh installs. +compatibility_level = 2 + +# Send mail as user@{{ ansible_fqdn }} +myhostname = {{ ansible_fqdn }} +myorigin = $myhostname +mydomain = $myhostname + +# Specify the trusted networks +mynetworks = 127.0.0.0/8 {{ local_network }} + +# This host does not relay mail from untrusted networks +relay_domains = + +# This is needed if no direct Internet access is available +relayhost = {{ relay_host }} diff --git a/roles/postgresql_server/defaults/main.yml b/roles/postgresql_server/defaults/main.yml new file mode 100644 index 0000000..8eb5639 --- /dev/null +++ b/roles/postgresql_server/defaults/main.yml @@ -0,0 +1,5 @@ +--- +postgresql_hosts: [] +postgresql_databases: [] +postgresql_users: [] +... 
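Review bot: main.cf.j2 sets `mynetworks = 127.0.0.0/8 {{ local_network }}` but never sets `inet_interfaces`, so postfix on these non-mailhost servers keeps its default of listening on every interface and relays for the whole `local_network` (10.128.0.0/16 per the playbook); if these hosts only need to send their own mail, `inet_interfaces = loopback-only` removes that exposure and `mynetworks` can shrink to `127.0.0.0/8 [::1]/128`. Nothing sets `smtp_tls_security_level`, so submission to `relayhost = {{ relay_host }}` is in clear unless the compiled default differs; `smtp_tls_security_level = may` (or `encrypt` if the relay supports it) is a one-line addition. The `reload postfix` handler added earlier in this diff is never notified — the configure task only notifies `restart postfix` — so either use it or drop it.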
diff --git a/roles/postgresql_server/handlers/main.yml b/roles/postgresql_server/handlers/main.yml
new file mode 100644
index 0000000..731acb9
--- /dev/null
+++ b/roles/postgresql_server/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: restart postgresql
+ service:
+ name: postgresql
+ state: restarted
+ enabled: true
diff --git a/roles/postgresql_server/tasks/main.yml b/roles/postgresql_server/tasks/main.yml
new file mode 100644
index 0000000..ed45e1a
--- /dev/null
+++ b/roles/postgresql_server/tasks/main.yml
@@ -0,0 +1,74 @@ +--- +- name: Install postgresql and psycopg2 + apt: + update_cache: true + pkg: + - postgresql + - python3-psycopg2 + state: present + register: apt_result + retries: 3 + until: apt_result is succeeded + +- name: Ensure main postgresql directory exists + file: + path: /etc/postgresql/{{ postgresql.version }}/main/ + state: directory + owner: postgres + group: postgres + mode: 0755 + +- name: Ensure configuration directory exists + file: + path: /etc/postgresql/{{ postgresql.version }}/main/conf.d + state: directory + owner: postgres + group: postgres + mode: 0755 + +- name: Configuration of postgresql {{ postgresql.version }} + template: + src: postgresql/{{ item }}.j2 + dest: /etc/postgresql/{{ postgresql.version }}/main/{{ item }} + mode: 0640 + owner: postgres + group: postgres + loop: + - pg_hba.conf + - postgresql.conf + notify: + - restart postgresql + +- name: Create databases + become: true + become_user: postgres + postgresql_db: + name: "{{ item }}" + encoding: UTF-8 + lc_collate: en_US.UTF-8 + lc_ctype: en_US.UTF-8 + template: template0 + loop: "{{ postgresql_databases }}" + +- name: Create users + become: true + become_user: postgres + postgresql_user: + db: "{{ item.database }}" + name: "{{ item.name }}" + password: "{{ item.password }}" + no_log: true + loop: "{{ postgresql_users }}" + +- name: Grant privileges to users + become: true + become_user: postgres + postgresql_privs: + db: postgres + type: database + role: "{{ item.name }}" + privs: "{{ item.privs | join(',') }}" + obj: "{{ item.database }}" + no_log: true + loop: "{{ postgresql_users }}" +... diff --git a/roles/postgresql_server/templates/postgresql/pg_hba.conf.j2 b/roles/postgresql_server/templates/postgresql/pg_hba.conf.j2 new file mode 100644 index 0000000..3a56905 --- /dev/null +++ b/roles/postgresql_server/templates/postgresql/pg_hba.conf.j2 
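Review bot: Every path in this file depends on `postgresql.version`, but roles/postgresql_server/defaults/main.yml added in this diff only defines `postgresql_hosts`, `postgresql_databases` and `postgresql_users`, so the role fails at "Ensure main postgresql directory exists" on any host that does not set it; add a default, or a `fail` task guarded by `when: postgresql.version is not defined` with a clear message, and document the expected keys of each `postgresql_users` item (`name`, `password`, `database`, `privs`) in defaults/main.yml. "Create databases" leaves every database owned by postgres and "Grant privileges to users" grants database-level privileges only, so a user that must create tables in its database also needs schema privileges or ownership (`owner: "{{ item.owner }}"` on postgresql_db) — confirm this matches what the applications expect. `no_log: true` on the user and privilege tasks is the right call given the loop carries passwords.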
@@ -0,0 +1,20 @@ +{{ ansible_managed | comment }} + +# TYPE DATABASE USER ADDRESS METHOD + +# DO NOT DISABLE! +# If you change this first entry you will need to make sure that the +# database superuser can access the database using some other method. +# Noninteractive access to all databases is required during automatic +# maintenance (custom daily cronjobs, replication, and similar tasks). +# +# Database administrative login by Unix domain socket +local all postgres peer + + +# "local" is for Unix domain socket connections only +local all all peer + +{% for host in postgresql_hosts %} +host "{{ host.database }}" "{{ host.user }}" {{ host.net }} {{ host.method }} +{% endfor %} diff --git a/roles/postgresql_server/templates/postgresql/postgresql.conf.j2 b/roles/postgresql_server/templates/postgresql/postgresql.conf.j2 new file mode 100644 index 0000000..f28c61e --- /dev/null +++ b/roles/postgresql_server/templates/postgresql/postgresql.conf.j2 
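Review bot: `host "{{ host.database }}" "{{ host.user }}" {{ host.net }} {{ host.method }}` emits whatever `method` the inventory supplies, and postgresql.conf.j2 in this diff leaves `password_encryption` commented at its md5 default, so password-authenticated users end up with md5 hashes; `{{ host.method | default('scram-sha-256') }}` here plus `password_encryption = scram-sha-256` in postgresql.conf.j2 (in place before "Create users" runs) would make the stronger method the path of least resistance — to be confirmed against the PostgreSQL version in use, which is not visible here. A header comment listing the expected keys of each `postgresql_hosts` entry (`database`, `user`, `net`, `method`) would help, and it is worth noting in it that the double quotes make database and user names case-sensitive as written.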
@@ -0,0 +1,695 @@ +{{ ansible_managed | comment }} + +# ----------------------------- +# PostgreSQL configuration file +# ----------------------------- +# +# This file consists of lines of the form: +# +# name = value +# +# (The "=" is optional.) Whitespace may be used. Comments are introduced with +# "#" anywhere on a line. The complete list of parameter names and allowed +# values can be found in the PostgreSQL documentation. +# +# The commented-out settings shown in this file represent the default values. +# Re-commenting a setting is NOT sufficient to revert it to the default value; +# you need to reload the server. +# +# This file is read on server startup and when the server receives a SIGHUP +# signal. If you edit the file on a running system, you have to SIGHUP the +# server for the changes to take effect, run "pg_ctl reload", or execute +# "SELECT pg_reload_conf()". Some parameters, which are marked below, +# require a server shutdown and restart to take effect. +# +# Any parameter can also be given as a command-line option to the server, e.g., +# "postgres -c log_connections=on". Some parameters can be changed at run time +# with the "SET" SQL command. +# +# Memory units: kB = kilobytes Time units: ms = milliseconds +# MB = megabytes s = seconds +# GB = gigabytes min = minutes +# TB = terabytes h = hours +# d = days + + +#------------------------------------------------------------------------------ +# FILE LOCATIONS +#------------------------------------------------------------------------------ + +# The default values of these variables are driven from the -D command-line +# option or PGDATA environment variable, represented here as ConfigDir. 
+# All changes to this section REQUIRES restart + +# use data in another directory +data_directory = '/var/lib/postgresql/{{ postgresql.version }}/main' +# host-based authentication file +hba_file = '/etc/postgresql/{{ postgresql.version }}/main/pg_hba.conf' + +# If external_pid_file is not explicitly set, no extra PID file is written. +external_pid_file = '/run/postgresql/{{ postgresql.version }}-main.pid' +# write an extra PID file + + +#------------------------------------------------------------------------------ +# CONNECTIONS AND AUTHENTICATION +#------------------------------------------------------------------------------ + +# - Connection Settings - + +listen_addresses = '0.0.0.0, ::' +# listen_addresses = * # listen to all +#listen_addresses = 'localhost' # what IP address(es) to listen on; + # comma-separated list of addresses; + # defaults to 'localhost'; use '*' for all + # (change requires restart) +port = 5432 # (change requires restart) +max_connections = 100 # (change requires restart) +#superuser_reserved_connections = 3 # (change requires restart) +unix_socket_directories = '/var/run/postgresql' # comma-separated list of directories + # (change requires restart) +#unix_socket_group = '' # (change requires restart) +#unix_socket_permissions = 0777 # begin with 0 to use octal notation + # (change requires restart) +#bonjour = off # advertise server via Bonjour + # (change requires restart) +#bonjour_name = '' # defaults to the computer name + # (change requires restart) + +# - TCP Keepalives - +# see "man 7 tcp" for details + +#tcp_keepalives_idle = 0 # TCP_KEEPIDLE, in seconds; + # 0 selects the system default +#tcp_keepalives_interval = 0 # TCP_KEEPINTVL, in seconds; + # 0 selects the system default +#tcp_keepalives_count = 0 # TCP_KEEPCNT; + # 0 selects the system default + + +# - Authentication - + +#authentication_timeout = 1min # 1s-600s +#password_encryption = md5 # md5 or scram-sha-256 +#db_user_namespace = off + +# GSSAPI using Kerberos 
+#krb_server_keyfile = '' +#krb_caseins_users = off + +# - SSL - + +ssl = on +#ssl_ca_file = '' +ssl_cert_file = '/etc/ssl/certs/ssl-cert-snakeoil.pem' +#ssl_crl_file = '' +ssl_key_file = '/etc/ssl/private/ssl-cert-snakeoil.key' +#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers +#ssl_prefer_server_ciphers = on +#ssl_ecdh_curve = 'prime256v1' +#ssl_dh_params_file = '' +#ssl_passphrase_command = '' +#ssl_passphrase_command_supports_reload = off + + +#------------------------------------------------------------------------------ +# RESOURCE USAGE (except WAL) +#------------------------------------------------------------------------------ + +# - Memory - + +shared_buffers = 128MB # min 128kB + # (change requires restart) +#huge_pages = try # on, off, or try + # (change requires restart) +#temp_buffers = 8MB # min 800kB +#max_prepared_transactions = 0 # zero disables the feature + # (change requires restart) +# Caution: it is not advisable to set max_prepared_transactions nonzero unless +# you actively intend to use prepared transactions. 
+#work_mem = 4MB # min 64kB +#maintenance_work_mem = 64MB # min 1MB +#autovacuum_work_mem = -1 # min 1MB, or -1 to use maintenance_work_mem +#max_stack_depth = 2MB # min 100kB +dynamic_shared_memory_type = posix # the default is the first option + # supported by the operating system: + # posix + # sysv + # windows + # mmap + # (change requires restart) + +# - Disk - + +#temp_file_limit = -1 # limits per-process temp file space + # in kB, or -1 for no limit + +# - Kernel Resources - + +#max_files_per_process = 1000 # min 25 + # (change requires restart) + +# - Cost-Based Vacuum Delay - + +#vacuum_cost_delay = 0 # 0-100 milliseconds (0 disables) +#vacuum_cost_page_hit = 1 # 0-10000 credits +#vacuum_cost_page_miss = 10 # 0-10000 credits +#vacuum_cost_page_dirty = 20 # 0-10000 credits +#vacuum_cost_limit = 200 # 1-10000 credits + +# - Background Writer - + +#bgwriter_delay = 200ms # 10-10000ms between rounds +#bgwriter_lru_maxpages = 100 # max buffers written/round, 0 disables +#bgwriter_lru_multiplier = 2.0 # 0-10.0 multiplier on buffers scanned/round +#bgwriter_flush_after = 512kB # measured in pages, 0 disables + +# - Asynchronous Behavior - + +#effective_io_concurrency = 1 # 1-1000; 0 disables prefetching +#max_worker_processes = 8 # (change requires restart) +#max_parallel_maintenance_workers = 2 # taken from max_parallel_workers +#max_parallel_workers_per_gather = 2 # taken from max_parallel_workers +#parallel_leader_participation = on +#max_parallel_workers = 8 # maximum number of max_worker_processes that + # can be used in parallel operations +#old_snapshot_threshold = -1 # 1min-60d; -1 disables; 0 is immediate + # (change requires restart) +#backend_flush_after = 0 # measured in pages, 0 disables + + +#------------------------------------------------------------------------------ +# WRITE-AHEAD LOG +#------------------------------------------------------------------------------ + +# - Settings - + +#wal_level = replica # minimal, replica, or logical + # 
(change requires restart) +#fsync = on # flush data to disk for crash safety + # (turning this off can cause + # unrecoverable data corruption) +#synchronous_commit = on # synchronization level; + # off, local, remote_write, remote_apply, or on +#wal_sync_method = fsync # the default is the first option + # supported by the operating system: + # open_datasync + # fdatasync (default on Linux) + # fsync + # fsync_writethrough + # open_sync +#full_page_writes = on # recover from partial page writes +#wal_compression = off # enable compression of full-page writes +#wal_log_hints = off # also do full page writes of non-critical updates + # (change requires restart) +#wal_buffers = -1 # min 32kB, -1 sets based on shared_buffers + # (change requires restart) +#wal_writer_delay = 200ms # 1-10000 milliseconds +#wal_writer_flush_after = 1MB # measured in pages, 0 disables + +#commit_delay = 0 # range 0-100000, in microseconds +#commit_siblings = 5 # range 1-1000 + +# - Checkpoints - + +#checkpoint_timeout = 5min # range 30s-1d +max_wal_size = 1GB +min_wal_size = 80MB +#checkpoint_completion_target = 0.5 # checkpoint target duration, 0.0 - 1.0 +#checkpoint_flush_after = 256kB # measured in pages, 0 disables +#checkpoint_warning = 30s # 0 disables + +# - Archiving - + +#archive_mode = off # enables archiving; off, on, or always + # (change requires restart) +#archive_command = '' # command to use to archive a logfile segment + # placeholders: %p = path of file to archive + # %f = file name only + # e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f' +#archive_timeout = 0 # force a logfile segment switch after this + # number of seconds; 0 disables + + +#------------------------------------------------------------------------------ +# REPLICATION +#------------------------------------------------------------------------------ + +# - Sending Servers - + +# Set these on the master and on any standby that will send replication data. 
+ +#max_wal_senders = 10 # max number of walsender processes + # (change requires restart) +#wal_keep_segments = 0 # in logfile segments; 0 disables +#wal_sender_timeout = 60s # in milliseconds; 0 disables + +#max_replication_slots = 10 # max number of replication slots + # (change requires restart) +#track_commit_timestamp = off # collect timestamp of transaction commit + # (change requires restart) + +# - Master Server - + +# These settings are ignored on a standby server. + +#synchronous_standby_names = '' # standby servers that provide sync rep + # method to choose sync standbys, number of sync standbys, + # and comma-separated list of application_name + # from standby(s); '*' = all +#vacuum_defer_cleanup_age = 0 # number of xacts by which cleanup is delayed + +# - Standby Servers - + +# These settings are ignored on a master server. + +#hot_standby = on # "off" disallows queries during recovery + # (change requires restart) +#max_standby_archive_delay = 30s # max delay before canceling queries + # when reading WAL from archive; + # -1 allows indefinite delay +#max_standby_streaming_delay = 30s # max delay before canceling queries + # when reading streaming WAL; + # -1 allows indefinite delay +#wal_receiver_status_interval = 10s # send replies at least this often + # 0 disables +#hot_standby_feedback = off # send info from standby to prevent + # query conflicts +#wal_receiver_timeout = 60s # time that receiver waits for + # communication from master + # in milliseconds; 0 disables +#wal_retrieve_retry_interval = 5s # time to wait before retrying to + # retrieve WAL after a failed attempt +# - Subscribers - + +# These settings are ignored on a publisher. 
+ +#max_logical_replication_workers = 4 # taken from max_worker_processes + # (change requires restart) +#max_sync_workers_per_subscription = 2 # taken from max_logical_replication_workers + + +#------------------------------------------------------------------------------ +# QUERY TUNING +#------------------------------------------------------------------------------ + +# - Planner Method Configuration - + +#enable_bitmapscan = on +#enable_hashagg = on +#enable_hashjoin = on +#enable_indexscan = on +#enable_indexonlyscan = on +#enable_material = on +#enable_mergejoin = on +#enable_nestloop = on +#enable_parallel_append = on +#enable_seqscan = on +#enable_sort = on +#enable_tidscan = on +#enable_partitionwise_join = off +#enable_partitionwise_aggregate = off +#enable_parallel_hash = on +#enable_partition_pruning = on + +# - Planner Cost Constants - + +#seq_page_cost = 1.0 # measured on an arbitrary scale +#random_page_cost = 4.0 # same scale as above +#cpu_tuple_cost = 0.01 # same scale as above +#cpu_index_tuple_cost = 0.005 # same scale as above +#cpu_operator_cost = 0.0025 # same scale as above +#parallel_tuple_cost = 0.1 # same scale as above +#parallel_setup_cost = 1000.0 # same scale as above + +#jit_above_cost = 100000 # perform JIT compilation if available + # and query more expensive than this; + # -1 disables +#jit_inline_above_cost = 500000 # inline small functions if query is + # more expensive than this; -1 disables +#jit_optimize_above_cost = 500000 # use expensive JIT optimizations if + # query is more expensive than this; + # -1 disables + +#min_parallel_table_scan_size = 8MB +#min_parallel_index_scan_size = 512kB +#effective_cache_size = 4GB + +# - Genetic Query Optimizer - + +#geqo = on +#geqo_threshold = 12 +#geqo_effort = 5 # range 1-10 +#geqo_pool_size = 0 # selects default based on effort +#geqo_generations = 0 # selects default based on effort +#geqo_selection_bias = 2.0 # range 1.5-2.0 +#geqo_seed = 0.0 # range 0.0-1.0 + +# - Other Planner 
Options - + +#default_statistics_target = 100 # range 1-10000 +#constraint_exclusion = partition # on, off, or partition +#cursor_tuple_fraction = 0.1 # range 0.0-1.0 +#from_collapse_limit = 8 +#join_collapse_limit = 8 # 1 disables collapsing of explicit + # JOIN clauses +#force_parallel_mode = off +#jit = on # allow JIT compilation +#plan_cache_mode = auto # auto, force_generic_plan or + # force_custom_plan + + +#------------------------------------------------------------------------------ +# REPORTING AND LOGGING +#------------------------------------------------------------------------------ + +# - Where to Log - + +#log_destination = 'stderr' # Valid values are combinations of + # stderr, csvlog, syslog, and eventlog, + # depending on platform. csvlog + # requires logging_collector to be on. + +# This is used when logging to stderr: +#logging_collector = off # Enable capturing of stderr and csvlog + # into log files. Required to be on for + # csvlogs. + # (change requires restart) + +# These are only used if logging_collector is on: +#log_directory = 'log' # directory where log files are written, + # can be absolute or relative to PGDATA +#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log' # log file name pattern, + # can include strftime() escapes +#log_file_mode = 0600 # creation mode for log files, + # begin with 0 to use octal notation +#log_truncate_on_rotation = off # If on, an existing log file with the + # same name as the new log file will be + # truncated rather than appended to. + # But such truncation only occurs on + # time-driven rotation, not on restarts + # or size-driven rotation. Default is + # off, meaning append to existing files + # in all cases. +#log_rotation_age = 1d # Automatic rotation of logfiles will + # happen after that time. 0 disables. +#log_rotation_size = 10MB # Automatic rotation of logfiles will + # happen after that much log output. + # 0 disables. 
+ +# These are relevant when logging to syslog: +#syslog_facility = 'LOCAL0' +#syslog_ident = 'postgres' +#syslog_sequence_numbers = on +#syslog_split_messages = on + +# This is only relevant when logging to eventlog (win32): +# (change requires restart) +#event_source = 'PostgreSQL' + +# - When to Log - + +#log_min_messages = warning # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # info + # notice + # warning + # error + # log + # fatal + # panic + +#log_min_error_statement = error # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # info + # notice + # warning + # error + # log + # fatal + # panic (effectively off) + +#log_min_duration_statement = -1 # -1 is disabled, 0 logs all statements + # and their durations, > 0 logs only + # statements running at least this number + # of milliseconds + + +# - What to Log - + +#debug_print_parse = off +#debug_print_rewritten = off +#debug_print_plan = off +#debug_pretty_print = on +#log_checkpoints = off +#log_connections = off +#log_disconnections = off +#log_duration = off +#log_error_verbosity = default # terse, default, or verbose messages +#log_hostname = off +log_line_prefix = '%m [%p] %q%u@%d ' # special values: + # %a = application name + # %u = user name + # %d = database name + # %r = remote host and port + # %h = remote host + # %p = process ID + # %t = timestamp without milliseconds + # %m = timestamp with milliseconds + # %n = timestamp with milliseconds (as a Unix epoch) + # %i = command tag + # %e = SQL state + # %c = session ID + # %l = session line number + # %s = session start timestamp + # %v = virtual transaction ID + # %x = transaction ID (0 if none) + # %q = stop here in non-session + # processes + # %% = '%' + # e.g. 
'<%u%%%d> ' +#log_lock_waits = off # log lock waits >= deadlock_timeout +#log_statement = 'none' # none, ddl, mod, all +#log_replication_commands = off +#log_temp_files = -1 # log temporary files equal or larger + # than the specified size in kilobytes; + # -1 disables, 0 logs all temp files +log_timezone = 'Europe/Paris' + +#------------------------------------------------------------------------------ +# PROCESS TITLE +#------------------------------------------------------------------------------ + +cluster_name = '{{ postgresql.version }}/main' # added to process titles if nonempty + # (change requires restart) +#update_process_title = on + + +#------------------------------------------------------------------------------ +# STATISTICS +#------------------------------------------------------------------------------ + +# - Query and Index Statistics Collector - + +#track_activities = on +#track_counts = on +#track_io_timing = off +#track_functions = none # none, pl, all +#track_activity_query_size = 1024 # (change requires restart) +stats_temp_directory = '/var/run/postgresql/{{ postgresql.version }}-main.pg_stat_tmp' + + +# - Monitoring - + +#log_parser_stats = off +#log_planner_stats = off +#log_executor_stats = off +#log_statement_stats = off + + +#------------------------------------------------------------------------------ +# AUTOVACUUM +#------------------------------------------------------------------------------ + +#autovacuum = on # Enable autovacuum subprocess? 'on' + # requires track_counts to also be on. +#log_autovacuum_min_duration = -1 # -1 disables, 0 logs all actions and + # their durations, > 0 logs only + # actions running at least this number + # of milliseconds. 
+#autovacuum_max_workers = 3 # max number of autovacuum subprocesses + # (change requires restart) +#autovacuum_naptime = 1min # time between autovacuum runs +#autovacuum_vacuum_threshold = 50 # min number of row updates before + # vacuum +#autovacuum_analyze_threshold = 50 # min number of row updates before + # analyze +#autovacuum_vacuum_scale_factor = 0.2 # fraction of table size before vacuum +#autovacuum_analyze_scale_factor = 0.1 # fraction of table size before analyze +#autovacuum_freeze_max_age = 200000000 # maximum XID age before forced vacuum + # (change requires restart) +#autovacuum_multixact_freeze_max_age = 400000000 # maximum multixact age + # before forced vacuum + # (change requires restart) +#autovacuum_vacuum_cost_delay = 2ms # default vacuum cost delay for + # autovacuum, in milliseconds; + # -1 means use vacuum_cost_delay +#autovacuum_vacuum_cost_limit = -1 # default vacuum cost limit for + # autovacuum, -1 means use + # vacuum_cost_limit + + +#------------------------------------------------------------------------------ +# CLIENT CONNECTION DEFAULTS +#------------------------------------------------------------------------------ + +# - Statement Behavior - + +#client_min_messages = notice # values in order of decreasing detail: + # debug5 + # debug4 + # debug3 + # debug2 + # debug1 + # log + # notice + # warning + # error +#search_path = '"$user", public' # schema names +#row_security = on +#default_tablespace = '' # a tablespace name, '' uses the default +#temp_tablespaces = '' # a list of tablespace names, '' uses + # only default tablespace +#check_function_bodies = on +#default_transaction_isolation = 'read committed' +#default_transaction_read_only = off +#default_transaction_deferrable = off +#session_replication_role = 'origin' +#statement_timeout = 0 # in milliseconds, 0 is disabled +#lock_timeout = 0 # in milliseconds, 0 is disabled +#idle_in_transaction_session_timeout = 0 # in milliseconds, 0 is disabled +#vacuum_freeze_min_age = 
50000000 +#vacuum_freeze_table_age = 150000000 +#vacuum_multixact_freeze_min_age = 5000000 +#vacuum_multixact_freeze_table_age = 150000000 +#vacuum_cleanup_index_scale_factor = 0.1 # fraction of total number of tuples + # before index cleanup, 0 always performs + # index cleanup +#bytea_output = 'hex' # hex, escape +#xmlbinary = 'base64' +#xmloption = 'content' +#gin_fuzzy_search_limit = 0 +#gin_pending_list_limit = 4MB + +# - Locale and Formatting - + +datestyle = 'iso, dmy' +#intervalstyle = 'postgres' +timezone = 'Europe/Paris' +#timezone_abbreviations = 'Default' # Select the set of available time zone + # abbreviations. Currently, there are + # Default + # Australia (historical usage) + # India + # You can create your own file in + # share/timezonesets/. +#extra_float_digits = 1 # min -15, max 3; any value >0 actually + # selects precise output mode +#client_encoding = sql_ascii # actually, defaults to database + # encoding + +# These settings are initialized by initdb, but they can be changed. 
+lc_messages = 'en_US.UTF-8' +lc_monetary = 'en_US.UTF-8' +lc_numeric = 'en_US.UTF-8' +lc_time = 'en_US.UTF-8' + +# default configuration for text search +default_text_search_config = 'pg_catalog.french' + +# - Shared Library Preloading - + +#shared_preload_libraries = '' # (change requires restart) +#local_preload_libraries = '' +#session_preload_libraries = '' +#jit_provider = 'llvmjit' # JIT library to use + +# - Other Defaults - + +#dynamic_library_path = '$libdir' + + +#------------------------------------------------------------------------------ +# LOCK MANAGEMENT +#------------------------------------------------------------------------------ + +#deadlock_timeout = 1s +#max_locks_per_transaction = 64 # min 10 + # (change requires restart) +#max_pred_locks_per_transaction = 64 # min 10 + # (change requires restart) +#max_pred_locks_per_relation = -2 # negative values mean + # (max_pred_locks_per_transaction + # / -max_pred_locks_per_relation) - 1 +#max_pred_locks_per_page = 2 # min 0 + + +#------------------------------------------------------------------------------ +# VERSION AND PLATFORM COMPATIBILITY +#------------------------------------------------------------------------------ + +# - Previous PostgreSQL Versions - + +#array_nulls = on +#backslash_quote = safe_encoding # on, off, or safe_encoding +#default_with_oids = off +#escape_string_warning = on +#lo_compat_privileges = off +#operator_precedence_warning = off +#quote_all_identifiers = off +#standard_conforming_strings = on +#synchronize_seqscans = on + +# - Other Platforms and Clients - + +#transform_null_equals = off + + +#------------------------------------------------------------------------------ +# ERROR HANDLING +#------------------------------------------------------------------------------ + +#exit_on_error = off # terminate session on any error? +#restart_after_crash = on # reinitialize after backend crash? +#data_sync_retry = off # retry or panic on failure to fsync + # data? 
+ # (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# CONFIG FILE INCLUDES
+#------------------------------------------------------------------------------
+
+# These options allow settings to be loaded from files other than the
+# default postgresql.conf. Note that these are directives, not variable
+# assignments, so they can usefully be given more than once.
+
+include_dir = 'conf.d' # include files ending in '.conf' from
+ # a directory, e.g., 'conf.d'
+#include_if_exists = '...' # include file only if it exists
+#include = '...' # include file
+
+
+#------------------------------------------------------------------------------
+# CUSTOMIZED OPTIONS
+#------------------------------------------------------------------------------
+
+# Add settings for extensions here
diff --git a/roles/prometheus/tasks/main.yml b/roles/prometheus/tasks/main.yml
index 211aee3..a820190 100644
--- a/roles/prometheus/tasks/main.yml
+++ b/roles/prometheus/tasks/main.yml
@@ -55,6 +55,28 @@
 content: "{{ prometheus_unifi_snmp_targets | to_nice_json }}"
 dest: /etc/prometheus/targets_unifi_snmp.json
 mode: 0644
+ when: prometheus_unifi_snmp_targets is defined
+
+- name: Configure Prometheus Switchs
+ copy:
+ content: "{{ prometheus_switch_snmp_targets | to_nice_json }}"
+ dest: /etc/prometheus/targets_switch_snmp.json
+ mode: 0644
+ when: prometheus_switch_snmp_targets is defined
+
+- name: Configure Prometheus UPS SNMP devices
+ copy:
+ content: "{{ [{'targets': prometheus_ups_snmp_targets }] | to_nice_json }}\n"
+ dest: /etc/prometheus/targets_ups_snmp.json
+ mode: 0644
+ when: prometheus_ups_snmp_targets is defined
+
+- name: Configure Prometheus docker monitoring
+ copy:
+ content: "{{ [{'targets': prometheus_docker_targets }] | to_nice_json }}\n"
+ dest: /etc/prometheus/targets_docker.json
+ mode: 0644
+ when: prometheus_docker_targets is defined
 - name: Activate prometheus service
 systemd:
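Review bot: The four target files are not written with the same shape: `prometheus_switch_snmp_targets` (like the existing unifi task) is serialized as-is, so the inventory must already supply a list of `{targets: [...]}` objects, while the UPS and docker variables are wrapped in `[{'targets': ...}]` and get a trailing newline. A one-line comment above each task stating the expected variable shape would prevent a silently unscrapeable targets file, e.g. `# prometheus_switch_snmp_targets must already be in file_sd shape: [{"targets": [...]}]`. `mode: 0644` is left as an unquoted octal on every new task; YAML parses it as the integer 420 and Ansible re-interprets it, so `mode: "0644"` is the unambiguous form. The `when: … is defined` guards also mean a previously written targets file stays in place when the variable is later removed from the inventory, which is presumably acceptable but worth a note.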
diff --git a/roles/prometheus/templates/prometheus/alert.rules.yml.j2 b/roles/prometheus/templates/prometheus/alert.rules.yml.j2 index 2a10358..028d5d0 100644 --- a/roles/prometheus/templates/prometheus/alert.rules.yml.j2 +++ b/roles/prometheus/templates/prometheus/alert.rules.yml.j2 @@ -22,7 +22,7 @@ groups: labels: severity: warning annotations: - summary: "Mémoire libre de {{ $labels.instance }} à {{ $value }}%." + summary: "Mémoire libre de {{ $labels.instance }} à {{ humanize $value }}%." # Alert for out of disk space - alert: OutOfDiskSpace @@ -31,7 +31,7 @@ groups: labels: severity: warning annotations: - summary: "Espace libre de {{ $labels.mountpoint }} sur {{ $labels.instance }} à {{ $value }}%." + summary: "Espace libre de {{ $labels.mountpoint }} sur {{ $labels.instance }} à {{ humanize $value }}%." # Alert for out of inode space on disk - alert: OutOfInodes @@ -49,7 +49,7 @@ groups: labels: severity: warning annotations: - summary: "CPU sur {{ $labels.instance }} à {{ $value }}%." + summary: "CPU sur {{ $labels.instance }} à {{ humanize $value }}%." # Check systemd unit (> buster) - alert: SystemdServiceFailed 
@@ -59,4 +59,80 @@ groups: severity: warning annotations: summary: "{{ $labels.name }} a échoué sur {{ $labels.instance }}" + + # Check load of instance + - alert: LoadUsage + expr: node_load1 > 5 + for: 2m + labels: + severity: warning + annotations: + summary: "La charge de {{ $labels.instance }} est à {{ $value }} !" + + # Check UPS + - alert: UpsOutputSourceChanged + expr: upsOutputSource != 3 + for: 1m + labels: + severity: warning + annotations: + summary: "La source d'alimentation de {{ $labels.instance }} a changé !" + + - alert: UpsBatteryStatusWarning + expr: upsBatteryStatus == 3 + for: 2m + labels: + severity: warning + annotations: + summary: "L'état de la batterie de {{ $labels.instance }} est faible !" + + - alert: UpsBatteryStatusCritical + expr: upsBatteryStatus == 4 + for: 10m + labels: + severity: warning + annotations: + summary: "L'état de la batterie de {{ $labels.instance }} est affaibli !" + + - alert: UpsHighLoad + expr: upsOutputPercentLoad > 70 + for: 5m + labels: + severity: critical + annotations: + summary: "La charge de {{ $labels.instance }} est de {{ $value }}% !" + + - alert: UpsWrongInputVoltage + expr: (upsInputVoltage < 210) or (upsInputVoltage > 250) + for: 10m + labels: + severity: warning + annotations: + summary: "La tension d'entrée de {{ $labels.instance }} est de {{ $value }}V." + + - alert: UpsWrongOutputVoltage + expr: (upsOutputVoltage < 220) or (upsOutputVoltage > 240) + for: 10m + labels: + severity: warning + annotations: + summary: "La tension de sortie de {{ $labels.instance }} est de {{ $value }}V." + + - alert: UpsTimeRemainingWarning + expr: upsEstimatedMinutesRemaining < 15 + for: 1m + labels: + severity: warning + annotations: + summary: "L'autonomie restante sur {{ $labels.instance }} est de {{ $value }} min." 
+ + - alert: UpsTimeRemainingCritical + expr: upsEstimatedMinutesRemaining < 5 + for: 1m + labels: + severity: critical + annotations: + summary: "L'autonomie restante sur {{ $labels.instance }} est de {{ $value }} min." + + {% endraw %} diff --git a/roles/prometheus/templates/prometheus/prometheus.yml.j2 b/roles/prometheus/templates/prometheus/prometheus.yml.j2 index 31df6bd..7399f48 100644 --- a/roles/prometheus/templates/prometheus/prometheus.yml.j2 +++ b/roles/prometheus/templates/prometheus/prometheus.yml.j2 @@ -8,7 +8,7 @@ global: # Attach these labels to any time series or alerts when communicating with # external systems (federation, remote storage, Alertmanager). external_labels: - monitor: 'example' + federated_instance: '{{ inventory_hostname }}' # Alertmanager configuration # Use prometheus alertmanager installed on the same machine @@ -65,3 +65,38 @@ scrape_configs: scheme: https static_configs: - targets: [] + + - job_name: ups_snmp + file_sd_configs: + - files: + - '/etc/prometheus/targets_ups_snmp.json' + metrics_path: /snmp + params: + module: [eatonups] + relabel_configs: + - source_labels: [__address__] + target_label: __param_target + - source_labels: [__param_target] + target_label: instance + - target_label: __address__ + replacement: 127.0.0.1:9116 + + - job_name: switch_snmp + file_sd_configs: + - files: + - "/etc/prometheus/targets_switch_snmp.json" + metrics_path: /snmp + params: + module: [procurve_switch] + relabel_configs: + - source_labels: [__address__] + target_label: __param_target + - source_labels: [__param_target] + target_label: instance + - target_label: __address__ + replacement: 127.0.0.1:9116 + + - job_name: docker + file_sd_configs: + - files: + - '/etc/prometheus/targets_docker.json' diff --git a/roles/prometheus/templates/prometheus/snmp.yml.j2 b/roles/prometheus/templates/prometheus/snmp.yml.j2 index 84dcb65..8757d79 100644 --- a/roles/prometheus/templates/prometheus/snmp.yml.j2 
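Review bot: `UpsBatteryStatusCritical` is labelled `severity: warning` while its sibling `UpsTimeRemainingCritical` is `critical`, and with `for: 10m` a depleted battery (`upsBatteryStatus` value 4 in the standard UPS-MIB) is only raised after ten minutes; `severity: critical` and a shorter `for` look intended. The new summaries interpolate `{{ $value }}` raw although this same commit switched the earlier alerts to `{{ humanize $value }}`, so `UpsHighLoad`, both voltage alerts and the time-remaining alerts will print unrounded floats. `LoadUsage` compares `node_load1` against a fixed 5 regardless of core count; dividing by the CPU count (e.g. `count without (cpu, mode) (node_cpu_seconds_total{mode="idle"})`) or documenting why 5 fits the fleet would make the threshold portable. The rules group this hunk extends starts before the hunk.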
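Review bot: The `ups_snmp` and `switch_snmp` jobs carry byte-identical `relabel_configs` and differ only in `module` and the targets file, which is the usual snmp_exporter shape, but the file paths are quoted differently (`'/etc/prometheus/targets_ups_snmp.json'` vs `"/etc/prometheus/targets_switch_snmp.json"`); the template uses single quotes elsewhere, so use them here too. The external label is renamed from `monitor` to `federated_instance` in this template, whereas the new prometheus_federate role sets `monitor: '{{ ansible_fqdn }}'`; if dashboards or the federating server key on one of these names, a comment saying which would save the next reader a search. The `docker` job has no `metrics_path`, `scheme` or relabeling, so each entry in targets_docker.json is scraped at `http://<target>/metrics`; a one-line comment confirming that is intended would help.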
+++ b/roles/prometheus/templates/prometheus/snmp.yml.j2 @@ -1,4 +1,6 @@ -# {{ ansible_managed }} +--- +{{ ansible_managed | comment }} + # TODOlist : # - Faire fonctionner le monitoring des switchs défini ici # * Configurer tous les switchs avec un compte SNMPv3 
@@ -6,48 +8,144 @@ # - Optimiser les règles pour les bornes Unifi, # on pourrait indexer avec les SSID -procurve_switch: +eatonups: walk: - - 1.3.6.1.2.1.31.1.1.1.10 - - 1.3.6.1.2.1.31.1.1.1.6 + - 1.3.6.1.2.1.33.1.2 + - 1.3.6.1.2.1.33.1.3 + - 1.3.6.1.2.1.33.1.4 + - 1.3.6.1.4.1.534.1.6 get: - 1.3.6.1.2.1.1.3.0 - - 1.3.6.1.2.1.1.5.0 - - 1.3.6.1.2.1.1.6.0 metrics: - name: sysUpTime oid: 1.3.6.1.2.1.1.3 type: gauge help: The time (in hundredths of a second) since the network management portion of the system was last re-initialized. - 1.3.6.1.2.1.1.3 - - name: sysName - oid: 1.3.6.1.2.1.1.5 - type: DisplayString - help: An administratively-assigned name for this managed node - 1.3.6.1.2.1.1.5 - - name: sysLocation - oid: 1.3.6.1.2.1.1.6 - type: DisplayString - help: The physical location of this node (e.g., 'telephone closet, 3rd floor') - - 1.3.6.1.2.1.1.6 - - name: ifHCOutOctets - oid: 1.3.6.1.2.1.31.1.1.1.10 - type: counter - help: The total number of octets transmitted out of the interface, including framing - characters - 1.3.6.1.2.1.31.1.1.1.10 + - name: upsBatteryStatus + oid: 1.3.6.1.2.1.33.1.2.1 + type: gauge + help: The indication of the capacity remaining in the UPS system's batteries - + 1.3.6.1.2.1.33.1.2.1 + - name: upsEstimatedMinutesRemaining + oid: 1.3.6.1.2.1.33.1.2.3 + type: gauge + help: An estimate of the time to battery charge depletion under the present load + conditions if the utility power is off and remains off, or if it were to be + lost and remain off. - 1.3.6.1.2.1.33.1.2.3 + - name: upsInputVoltage + oid: 1.3.6.1.2.1.33.1.3.3.1.3 + type: gauge + help: The magnitude of the present input voltage. 
- 1.3.6.1.2.1.33.1.3.3.1.3 indexes: - - labelname: ifIndex + - labelname: upsInputLineIndex type: gauge - - name: ifHCInOctets - oid: 1.3.6.1.2.1.31.1.1.1.6 - type: counter - help: The total number of octets received on the interface, including framing - characters - 1.3.6.1.2.1.31.1.1.1.6 + - name: upsOutputSource + oid: 1.3.6.1.2.1.33.1.4.1 + type: gauge + help: The present source of output power - 1.3.6.1.2.1.33.1.4.1 + - name: upsOutputVoltage + oid: 1.3.6.1.2.1.33.1.4.4.1.2 + type: gauge + help: The present output voltage. - 1.3.6.1.2.1.33.1.4.4.1.2 indexes: - - labelname: ifIndex + - labelname: upsOutputLineIndex type: gauge - version: 3 + - name: upsOutputPower + oid: 1.3.6.1.2.1.33.1.4.4.1.4 + type: gauge + help: The present output true power. - 1.3.6.1.2.1.33.1.4.4.1.4 + indexes: + - labelname: upsOutputLineIndex + type: gauge + - name: upsOutputPercentLoad + oid: 1.3.6.1.2.1.33.1.4.4.1.5 + type: gauge + help: The percentage of the UPS power capacity presently being used on this output + line, i.e., the greater of the percent load of true power capacity and the percent + load of VA. - 1.3.6.1.2.1.33.1.4.4.1.5 + indexes: + - labelname: upsOutputLineIndex + type: gauge + - name: xupsEnvRemoteTemp + oid: 1.3.6.1.4.1.534.1.6.5 + type: gauge + help: The reading of an EMP's temperature sensor. - 1.3.6.1.4.1.534.1.6.5 + - name: xupsEnvRemoteHumidity + oid: 1.3.6.1.4.1.534.1.6.6 + type: gauge + help: The reading of an EMP's humidity sensor. - 1.3.6.1.4.1.534.1.6.6 + version: 1 auth: - username: prometheus + community: public + +procurve_switch: + walk: + - 1.3.6.1.2.1.31.1.1.1.10 + - 1.3.6.1.2.1.31.1.1.1 + - 1.3.6.1.2.1.2.2.1.2 + - 1.3.6.1.2.1.31.1.1.1.18 + get: + - 1.3.6.1.2.1.1.3.0 + - 1.3.6.1.2.1.1.5.0 + - 1.3.6.1.2.1.1.6.0 + metrics: + - name: sysUpTime + oid: 1.3.6.1.2.1.1.3 + type: gauge + help: The time (in hundredths of a second) since the network management + portion of the system was last re-initialized. 
- 1.3.6.1.2.1.1.3 + - name: sysName + oid: 1.3.6.1.2.1.1.5 + type: DisplayString + help: An administratively-assigned name for this managed node + - 1.3.6.1.2.1.1.5 + - name: sysLocation + oid: 1.3.6.1.2.1.1.6 + type: DisplayString + help: The physical location of this node (e.g., 'telephone closet, 3rd + floor') - 1.3.6.1.2.1.1.6 + - name: ifHCOutOctets + oid: 1.3.6.1.2.1.31.1.1.1.10 + type: counter + help: The total number of octets transmitted out of the interface, + including framing characters - 1.3.6.1.2.1.31.1.1.1.10 + indexes: + - labelname: ifIndex + type: gauge + lookups: + - labels: + - ifIndex + labelname: ifDescr + oid: 1.3.6.1.2.1.2.2.1.2 + type: DisplayString + - labels: + - ifIndex + labelname: ifName + oid: 1.3.6.1.2.1.31.1.1.1.1 + type: DisplayString + - name: ifHCInOctets + oid: 1.3.6.1.2.1.31.1.1.1.6 + type: counter + help: The total number of octets received on the interface, including + framing characters - 1.3.6.1.2.1.31.1.1.1.6 + indexes: + - labelname: ifIndex + type: gauge + lookups: + - labels: + - ifIndex + labelname: ifDescr + oid: 1.3.6.1.2.1.2.2.1.2 + type: DisplayString + - labels: + - ifIndex + labelname: ifName + oid: 1.3.6.1.2.1.31.1.1.1.1 + type: DisplayString + version: 2 + auth: + community: "{{ snmp_switch_community }}" ubiquiti_unifi: walk: 
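Review bot: The new `eatonups` module polls with `version: 1` and the well-known default `community: public` hard-coded in the template, while `procurve_switch` reads `"{{ snmp_switch_community }}"` and `ubiquiti_unifi` keeps SNMPv3; at minimum move the string to a variable defined alongside `snmp_switch_community` (`community: "{{ snmp_ups_community }}"`) so a changed community on the UPS does not require a template edit, and prefer v2c/v3 if the firmware supports it. The same hunk downgrades `procurve_switch` from `version: 3` / `username: prometheus` to `version: 2` with a community string, which contradicts the TODO at the top of the file about giving the switches an SNMPv3 account; if that is deliberate, update the TODO. In the `procurve_switch` `walk` list, `1.3.6.1.2.1.31.1.1.1.10` and `1.3.6.1.2.1.31.1.1.1.18` are subtrees of `1.3.6.1.2.1.31.1.1.1`, which is walked anyway, so both are redundant, and nothing in `metrics` or `lookups` consumes `.18` (ifAlias). The hunk starts mid-file; the TODO block it refers to is context above it.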
@@ -90,13 +188,31 @@ ubiquiti_unifi: indexes: - labelname: unifiVapIndex type: gauge - - name: unifiVapNumStations + - name: unifi_vap_num_stations oid: 1.3.6.1.4.1.41112.1.6.1.2.1.8 type: gauge help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.8' indexes: - - labelname: unifiVapIndex + - labelname: unifi_vap_index type: gauge + lookups: + - labels: [unifi_vap_index] + labelname: unifi_vap_essid + oid: 1.3.6.1.4.1.41112.1.6.1.2.1.6 + type: DisplayString + - labels: [unifi_vap_index] + labelname: unifi_vap_radio + oid: 1.3.6.1.4.1.41112.1.6.1.2.1.9 + type: DisplayString + - labels: [] + labelname: unifi_vap_index +# - name: unifiVapNumStations +# oid: 1.3.6.1.4.1.41112.1.6.1.2.1.8 +# type: gauge +# help: ' - 1.3.6.1.4.1.41112.1.6.1.2.1.8' +# indexes: +# - labelname: unifiVapIndex +# type: gauge - name: unifiVapRadio oid: 1.3.6.1.4.1.41112.1.6.1.2.1.9 type: DisplayString @@ -295,3 +411,4 @@ ubiquiti_unifi: auth_protocol: SHA priv_protocol: AES priv_password: {{ snmp_unifi_password }} +... diff --git a/roles/prometheus_federate/handlers/main.yml b/roles/prometheus_federate/handlers/main.yml new file mode 100644 index 0000000..4214def --- /dev/null +++ b/roles/prometheus_federate/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Restart Prometheus + service: + name: prometheus + state: restarted diff --git a/roles/prometheus_federate/tasks/main.yml b/roles/prometheus_federate/tasks/main.yml new file mode 100644 index 0000000..f168f1f --- /dev/null +++ b/roles/prometheus_federate/tasks/main.yml 
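Review bot: The old `unifiVapNumStations` block is kept as seven commented-out lines directly under its snake_case replacement; git history already preserves it, so dropping the dead block keeps the module readable. The rename also leaves this module mixing two naming schemes: `unifi_vap_num_stations`/`unifi_vap_index` sit next to `unifiVapRadio` and `unifiVapIndex` on the neighbouring metrics, so the index label name will differ between metrics of the same table unless the rest is renamed as well. The trailing `- labels: [] labelname: unifi_vap_index` lookup has no `oid`; if the intent is to drop the index label once the essid/radio lookups are resolved, a comment saying so would help the next reader. The `ubiquiti_unifi` module this hunk edits starts before the hunk.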
@@ -0,0 +1,46 @@
+---
+- name: Install Prometheus
+ apt:
+ update_cache: true
+ name:
+ - prometheus
+ register: apt_result
+ retries: 3
+ until: apt_result is succeeded
+
+- name: Configure Prometheus
+ template:
+ src: prometheus/prometheus.yml.j2
+ dest: /etc/prometheus/prometheus.yml
+ mode: 0644
+ notify: Restart Prometheus
+
+- name: Configure Prometheus alert rules
+ template:
+ src: "prometheus/{{ item }}.j2"
+ dest: "/etc/prometheus/{{ item }}"
+ mode: 0644
+ notify: Restart Prometheus
+ loop:
+ - alert.rules.yml
+
+# We don't need to restart Prometheus when updating nodes
+- name: Configure Prometheus Federate devices
+ copy:
+ content: "{{ [{'targets': prometheus_targets }] | to_nice_json }}"
+ dest: /etc/prometheus/targets.json
+ mode: 0644
+ when: prometheus_targets is defined
+
+- name: Activate prometheus service
+ systemd:
+ name: prometheus
+ enabled: true
+ state: started
+
+- name: Indicate role in motd
+ template:
+ src: update-motd.d/05-service.j2
+ dest: /etc/update-motd.d/05-prometheus
+ mode: 0755
+...
diff --git a/roles/prometheus_federate/templates/prometheus/alert.rules.yml.j2 b/roles/prometheus_federate/templates/prometheus/alert.rules.yml.j2
new file mode 100644
index 0000000..d30511f
--- /dev/null
+++ b/roles/prometheus_federate/templates/prometheus/alert.rules.yml.j2
@@ -0,0 +1,16 @@
+---
+{{ ansible_managed | comment }}
+
+groups:
+ - name: alert.rules
+ rules:
+ - alert: FederateInstanceDown
+ expr: up{job="federate"} == 0
+ for: 3m
+ labels:
+ severity: critical
+ annotations:
+ summary: >-
+ Federate : {{ "{{" }} $labels.instance {{ "}}" }} est invisible
+ depuis plus de 3 minutes !
+...
diff --git a/roles/prometheus_federate/templates/prometheus/prometheus.yml.j2 b/roles/prometheus_federate/templates/prometheus/prometheus.yml.j2
new file mode 100644
index 0000000..23e649b
--- /dev/null
+++ b/roles/prometheus_federate/templates/prometheus/prometheus.yml.j2
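Review bot: `prometheus_targets` is wrapped in `[{'targets': ...}]` here and the matching scrape config appends `:9090` through `relabel_configs`, so the variable must be a flat list of hostnames without ports; state that above the task, e.g. `# prometheus_targets: list of Prometheus hosts (no port; :9090 is added by relabel_configs)`. The two `template` tasks notify `Restart Prometheus`; Prometheus reloads its configuration and rule files on SIGHUP, so a reload handler would avoid dropping in-flight scrapes on every config change, provided the packaged unit defines an ExecReload — worth checking. `mode: 0644` and `mode: 0755` are unquoted octals; `"0644"` / `"0755"` is the unambiguous form.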
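Review bot: This template escapes the PromQL template braces with `{{ "{{" }} … {{ "}}" }}` while the prometheus role's alert.rules.yml.j2 wraps its rules in `{% raw %} … {% endraw %}`; one convention across the two roles would be easier to maintain, and `{% raw %}` keeps the summary readable. The rule itself is fine; a comment above it such as `# one alert per federated Prometheus listed in targets.json` would tell the reader what a "federate" target is.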
@@ -0,0 +1,41 @@
+---
+{{ ansible_managed | comment }}
+
+global:
+ external_labels:
+ monitor: '{{ ansible_fqdn }}'
+
+alerting:
+ alertmanagers:
+ - static_configs:
+ - targets: ['{{ prometheus_alertmanager }}']
+
+rule_files:
+ - 'alert.rules.yml'
+
+scrape_configs:
+ - job_name: federate
+ scrape_interval: 30s
+ metrics_path: '/federate'
+ honor_labels: true
+ honor_timestamps: true
+ file_sd_configs:
+ - files:
+ - '/etc/prometheus/targets.json'
+ relabel_configs:
+ - source_labels: [__address__]
+ target_label: __param_target
+ - source_labels: [__param_target]
+ target_label: __address__
+ replacement: '$1:9090'
+ params:
+ match[]:
+ - '{job="servers"}'
+ - '{job="prometheus"}'
+ - '{job="unifi_snmp"}'
+ - '{job="django"}'
+ - '{job="ups_snmp"}'
+ - '{job="django"}'
+ - '{job="docker"}'
+ - '{job="switch_snmp"}'
+...
diff --git a/roles/prometheus_federate/templates/update-motd.d/05-service.j2 b/roles/prometheus_federate/templates/update-motd.d/05-service.j2
new file mode 100755
index 0000000..f027dc4
--- /dev/null
+++ b/roles/prometheus_federate/templates/update-motd.d/05-service.j2
@@ -0,0 +1,4 @@
+#!/bin/sh
+# {{ ansible_managed }}
+echo "> prometheus a été déployé sur cette machine."
+echo " Voir /etc/prometheus/"
diff --git a/roles/radius/tasks/main.yml b/roles/radius/tasks/main.yml
index 941f7c9..303a86f 100644
--- a/roles/radius/tasks/main.yml
+++ b/roles/radius/tasks/main.yml
@@ -106,12 +106,11 @@
 - name: Install radius requirements (except freeradius-python3)
 shell:
- cmd: "{{ item }}"
+ cmd: "cat apt_requirements_radius.txt | grep -v freeradius-python3 | xargs apt-get -y install"
 chdir: /var/www/re2o/
- loop:
- - "cat apt_requirements_radius.txt | grep -v freeradius-python3 | xargs apt-get -y install"
- - "pip3 install -r pip_requirements.txt"
+- name: Install PyPi requirements for radius
+ command: "pip3 install -r /var/www/re2o/pip_requirements.txt"
 # End of hideousness (hopefully).
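Review bot: `'{job="django"}'` appears twice in `match[]`; Prometheus tolerates the duplicate but it reads as a copy-paste slip, so drop one. `honor_labels: true` is required for federation, but it also lets a federated instance overwrite the `instance`/`job` labels of this server's own series, so the explicit selector list in `match[]` should stay explicit rather than ever becoming a catch-all like `{__name__=~".+"}`; a comment above `params` saying so would protect that choice. `monitor: '{{ ansible_fqdn }}'` also differs from the `federated_instance` external label the prometheus role sets in its own template; if both are meant to identify a source, align the names.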
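Review bot: The new `Install PyPi requirements for radius` task runs `pip3` through `command`, so it reports changed on every run and can never be idempotent; Ansible's `pip` module does the same job and reports change correctly, `pip: requirements: /var/www/re2o/pip_requirements.txt` with `executable: pip3`. The apt one-liner kept in `shell` likewise has no `changed_when`, so both tasks always show as changed; at least add a comment above it explaining why the requirements file cannot be fed to the `apt` module directly. Both tasks install from a checked-out repository as root with no pinning or hash verification, which was already the case before this change but is worth keeping in mind when the repository's origin changes.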
diff --git a/roles/re2o-service/defaults/main.yml b/roles/re2o_service/defaults/main.yml similarity index 100% rename from roles/re2o-service/defaults/main.yml rename to roles/re2o_service/defaults/main.yml diff --git a/roles/re2o-service/tasks/main.yml b/roles/re2o_service/tasks/main.yml similarity index 100% rename from roles/re2o-service/tasks/main.yml rename to roles/re2o_service/tasks/main.yml diff --git a/roles/re2o-service/tasks/service_user.yml b/roles/re2o_service/tasks/service_user.yml similarity index 100% rename from roles/re2o-service/tasks/service_user.yml rename to roles/re2o_service/tasks/service_user.yml diff --git a/roles/re2o-service/templates/update-motd.d/05-service.j2 b/roles/re2o_service/templates/update-motd.d/05-service.j2 similarity index 100% rename from roles/re2o-service/templates/update-motd.d/05-service.j2 rename to roles/re2o_service/templates/update-motd.d/05-service.j2 diff --git a/roles/router/tasks/main.yml b/roles/router/tasks/main.yml index 2014572..87b0086 100644 --- a/roles/router/tasks/main.yml +++ b/roles/router/tasks/main.yml @@ -30,11 +30,19 @@ mode: 0644 when: "'routeur-aurore' in ansible_hostname" +- name: Install ipset + apt: + name: ipset + update_cache: true + register: apt_result + retries: 3 + until: apt_result is succeeded + - name: Install aurore-firewall (re2o-service) import_role: - name: re2o-service + name: re2o_service vars: - service_repo: https://gitlab.federez.net/aurore/aurore-firewall.git + service_repo: https://gitea.auro.re/Aurore/aurore-firewall.git service_name: aurore-firewall service_version: aurore service_config: diff --git a/roles/router/templates/firewall_config.py b/roles/router/templates/firewall_config.py index 4f6b755..9971765 100644 --- a/roles/router/templates/firewall_config.py +++ b/roles/router/templates/firewall_config.py 
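Review bot: `service_repo` now points at `https://gitea.auro.re/Aurore/aurore-firewall.git`, but the checkout still follows `service_version: aurore` (a context line), which looks like a branch name rather than a tag or commit; for code that programs the router's firewall, pinning to a tag or SHA, or a comment saying why the branch must float, keeps the deployed ruleset reproducible. The new `Install ipset` task runs unconditionally while the task just above is guarded with `when: "'routeur-aurore' in ansible_hostname"`; presumably ipset is needed on every router, so a one-line comment stating that would stop someone "fixing" it later.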
@@ -31,7 +31,7 @@ role = ['routeur'] ### Specify each interface role interfaces_type = { - 'routable' : ['ens20', 'ens21'], + 'routable' : ['ens20', 'ens21', 'ens23'], 'sortie' : ['ens19'], 'admin' : ['ens18'] }
@@ -57,9 +57,53 @@ nat = [ }, 'ip_sources' : '10.{{ subnet_ids.users_wired }}.0.0/16', 'extra_nat' : { - '10.129.{{ apartment_block_id }}.{{ '1' if "backup" in inventory_hostname else '2' }}40' : '45.66.108.25{{ + 'ens19': { + '10.129.{{ apartment_block_id }}.{{ '1' if "backup" in inventory_hostname else '2' }}40' : '45.66.108.25{{ apartment_block_id }}', - '10.129.{{ apartment_block_id }}.254' : '45.66.108.25{{ apartment_block_id }}' + '10.129.{{ apartment_block_id }}.254' : '45.66.108.25{{ apartment_block_id }}', + }, } + }, + { + 'name': 'Accueil', + 'ip_sources': '10.{{ subnet_ids.users_accueil }}.0.0/16', + 'extra_nat': { + 'ens19': { + '10.{{ subnet_ids.users_accueil }}.1.0/24': '45.66.108.25{{ apartment_block_id }}', + '10.{{ subnet_ids.users_accueil }}.2.0/24': '45.66.108.25{{ apartment_block_id }}', + }, + 'ens23' : { + '10.{{ subnet_ids.users_accueil }}.1.0/24': '10.{{ subnet_ids.users_accueil }}.0.240', + '10.{{ subnet_ids.users_accueil }}.2.0/24': '10.{{ subnet_ids.users_accueil }}.0.240', + }, + }, + 'extra_nat_group': { + 'ens19': 'accueil_ens23_allowed', + }, + }, +] + +# ATTENTION: on doit avoir retry ≥ grace +# ATTENTION: il faut que ip_redirect gère tous les ports +# autorisés dans le profile re2o, sinon on laisse sortir +# du trafic +accueils = [ + { + 'iface': 'ens23', + 'grace_period': 1800, + 'retry_period': 86400, + 'ip_sources': [ + '10.{{ subnet_ids.users_accueil }}.1.0/24', + '10.{{ subnet_ids.users_accueil }}.2.0/24', + ], + 'ip_redirect': { + "tcp": { + "10.{{ subnet_ids.users_accueil }}.0.247": ["80", "443"], + } + }, + 'triggers': [ + ('4', 'tcp', '46.255.53.35', 443), # ComNPay + ('4', 'tcp', '46.255.53.35', 80), + ] } ]
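Review bot: The new `accueils` block mixes two styles the rest of the hunk avoids: `'ens23' : {` has a space before the colon while the neighbouring `'ens19': {` does not, and `ip_redirect` uses double-quoted keys (`"tcp"`, `"80"`) where every other key in the structure is single-quoted. The two `ATTENTION` comments state invariants (retry ≥ grace, `ip_redirect` must cover every port allowed by the re2o profile) that nothing in this template can enforce, so the units of `grace_period`/`retry_period` should at least be spelled out next to the values, e.g. `'grace_period': 1800,  # seconds (30 min); must stay <= retry_period` — assuming the consumer reads them as seconds, which is not visible here. The `nat` list this hunk extends starts before the hunk.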
diff --git a/roles/router/templates/firewall_config_aurore.py b/roles/router/templates/firewall_config_aurore.py
index c41fd92..9565e3b 100644
--- a/roles/router/templates/firewall_config_aurore.py
+++ b/roles/router/templates/firewall_config_aurore.py
@@ -41,9 +41,11 @@ nat = [ { 'name' : 'AdminVlans', 'extra_nat' : { - '10.129.0.254/32' : '45.66.111.{{ router_hard_ip_suffix }}', - '10.128.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}', - '10.130.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}' + 'ens18': { + '10.129.0.254/32' : '45.66.111.{{ router_hard_ip_suffix }}', + '10.128.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}', + '10.130.0.0/16' : '45.66.111.{{ router_hard_ip_suffix }}', + }, } } ]
diff --git a/roles/router/templates/keepalived.conf b/roles/router/templates/keepalived.conf
index cd217f3..45f5661 100644
--- a/roles/router/templates/keepalived.conf
+++ b/roles/router/templates/keepalived.conf
@@ -50,6 +50,9 @@ vrrp_instance VI_ROUT_{{ apartment_block }}_IPv4 { # Wifi 10.{{ subnet_ids.users_wifi }}.0.254/16 brd 10.{{ subnet_ids.users_wifi }}.255.255 dev ens21 scope global + + # Accueil + 10.{{ subnet_ids.users_accueil }}.0.254/16 brd 10.{{ subnet_ids.users_accueil }}.255.255 dev ens23 scope global }
diff --git a/roles/unbound/templates/recursive.conf.j2 b/roles/unbound/templates/recursive.conf.j2
index efdebe1..6956ae5 100644
--- a/roles/unbound/templates/recursive.conf.j2
+++ b/roles/unbound/templates/recursive.conf.j2
@@ -23,12 +23,14 @@ server: interface: 10.{{ subnet_ids.ap }}.0.{{ dns_host_suffix }} interface: 10.{{ subnet_ids.users_wired }}.0.{{ dns_host_suffix }} interface: 10.{{ subnet_ids.users_wifi }}.0.{{ dns_host_suffix }} + interface: 10.{{ subnet_ids.users_accueil }}.0.{{ dns_host_suffix }} # IPv6 interface: {{ ipv6_base_prefix }}:{{ subnet_ids.ap }}::0:{{ dns_host_suffix }} interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wired }}::0:{{ dns_host_suffix }} interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_wifi }}::0:{{ dns_host_suffix }} + interface: {{ ipv6_base_prefix }}:{{ subnet_ids.users_accueil }}::0:{{ dns_host_suffix }} # By default, anything other than localhost is refused.
@@ -36,12 +38,11 @@ server: access-control: 10.{{ subnet_ids.ap }}.0.0/16 allow access-control: 10.{{ subnet_ids.users_wired }}.0.0/16 allow access-control: 10.{{ subnet_ids.users_wifi }}.0.0/16 allow + access-control: 10.{{ subnet_ids.users_accueil }}.0.0/16 allow access-control: {{ ipv6_base_prefix }}::/32 allow # Fuck it... :) num-threads: {{ ansible_processor_vcpus }} - private-address: 10.0.0.0/8 - # The host cache TTL affects blacklisting of supposedly bogus hosts. # The default was 900 (15 minutes). infra-host-ttl: 60
diff --git a/services_web.yml b/services_web.yml
index 6bc6a6d..00d5b7b 100755
--- a/services_web.yml
+++ b/services_web.yml
@@ -10,8 +10,19 @@ roles: - passbolt -# Deploy reverse proxy -- hosts: proxy*.adm.auro.re +- hosts: reverseproxy + vars: + certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}' + nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}' + reverseproxy: '{{ glob_reverseproxy | default({}) | combine(loc_reverseproxy | default({})) }}' roles: - certbot - - nginx_reverseproxy + - nginx + +- hosts: nginx,!reverseproxy + vars: + certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}' + nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}' + roles: + - certbot + - nginx
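Review bot: Removing `private-address: 10.0.0.0/8` switches off Unbound's DNS-rebinding protection for the whole 10/8 range: any upstream answer that maps a public name to a 10.x address now reaches clients on every `access-control` network, not only for the internal zones this change presumably wanted to make resolvable. If internal names must resolve to 10.x, keep the `private-address: 10.0.0.0/8` line and whitelist those zones with `private-domain: "<internal-zone>"` entries instead, so the filter stays in place for everything else. The `server:` block continues outside the hunk on both sides.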
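Review bot: The `certbot:` and `nginx:` vars are built from identical `loc_*`/`glob_*` expressions in both new plays, so the two copies will drift the first time one of them is edited; define them once in group_vars for a group both `reverseproxy` and `nginx` hosts belong to, or in a shared `vars_files` entry used by both plays. A one-line comment above each `vars:` block stating that `loc_*` overrides `glob_*` would also help, since only the `combine` argument order encodes that precedence now. The playbook continues outside the hunk on both sides.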
diff --git a/test.sh b/test.sh
deleted file mode 100755
index 3e77d04..0000000
--- a/test.sh
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-for ip in `cat hosts|grep pacaterie.adm.auro.re`; do
- ssh-copy-id $ip
-done
-
diff --git a/utils/README.md b/utils/README.md
new file mode 100644
index 0000000..651404b
--- /dev/null
+++ b/utils/README.md
@@ -0,0 +1,4 @@
+# Utils
+
+A repository of Ansible Playbooks that are useful, as little script or various
+utilities, but not used in production.
diff --git a/logrotate.yml b/utils/logrotate.yml
similarity index 100%
rename from logrotate.yml
rename to utils/logrotate.yml
diff --git a/nuke_radius_dbs.yml b/utils/nuke_radius_dbs.yml
similarity index 100%
rename from nuke_radius_dbs.yml
rename to utils/nuke_radius_dbs.yml
diff --git a/utils/re2o_mail_server.yml b/utils/re2o_mail_server.yml
new file mode 100755
index 0000000..79fd7ff
--- /dev/null
+++ b/utils/re2o_mail_server.yml
@@ -0,0 +1,13 @@
+---
+# Deploy Re2o mail service
+- hosts: mail.auro.re
+ vars:
+ service_repo: https://gitea.auro.re/aurore/re2o-mail-server.git
+ service_name: mail-server
+ service_version: aurore
+ service_config:
+ hostname: re2o-test.adm.auro.re # use test instance for now, should be changed for prod!
+ username: service-user
+ password: "{{ vault_serviceuser_passwd }}"
+ roles:
+ - re2o-service
diff --git a/utils/reboot_needed_check.yml b/utils/reboot_needed_check.yml
new file mode 100755
index 0000000..631d496
--- /dev/null
+++ b/utils/reboot_needed_check.yml
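Review bot: `roles:` / `- re2o-service` in the new `utils/re2o_mail_server.yml` references the role by its old name, but this same commit renames `roles/re2o-service` to `roles/re2o_service`, so the playbook will fail to find the role; change it to `- re2o_service`. The trailing comment on `hostname: re2o-test.adm.auro.re` is a live TODO that points a mail service at a test instance; making the hostname a variable with the test value as a documented default turns the prod switch into an inventory change rather than a code edit.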
@@ -0,0 +1,31 @@
+#!/usr/bin/env ansible-playbook
+---
+# Check if a reboot is required by the installation of some packages (ie kernel)
+- hosts: localhost
+ tasks:
+ - name: Make sure local file exist but is empty # weird hack, I know
+ copy:
+ dest: /tmp/ansible_dump_reboot_needed.txt
+ content: ""
+ force: true
+ mode: 0644
+
+- hosts: all,!unifi,!escalope.adm.auro.re,!loki.adm.auro.re,!viviane.adm.auro.re,!vpn-ovh.adm.auro.re
+ tasks:
+ # Register the output of the file /var/run/reboot-required.pkgs
+ - name: Register if boot is required
+ shell: if [ -e /var/run/reboot-required.pkgs ]; then cat /var/run/reboot-required.pkgs; fi
+ register: result
+
+ - name: DEBUG
+ debug:
+ msg: "{{ ansible_facts['nodename'] }} : {{ result.stdout }}"
+ when: result.stdout is defined
+
+ # Add info line by line
+ - name: Dump all info into the local file
+ delegate_to: localhost
+ lineinfile:
+ path: /tmp/ansible_dump_reboot_needed.txt
+ line: "{{ ansible_facts['nodename'] }} : {{ result.stdout }}"
+ when: result.stdout is defined
diff --git a/upgrade.yml b/utils/upgrade.yml
similarity index 100%
rename from upgrade.yml
rename to utils/upgrade.yml
diff --git a/utils/version_check.yml b/utils/version_check.yml
new file mode 100755
index 0000000..1a8a7c5
--- /dev/null
+++ b/utils/version_check.yml
@@ -0,0 +1,21 @@
+#!/usr/bin/env ansible-playbook
+---
+# Check for the distribution
+- hosts: localhost
+ tasks:
+ - name: Make sure local file exist but is empty # weird hack, I know
+ copy:
+ dest: /tmp/ansible_dump_reboot_needed.txt
+ content: ""
+ force: true
+ mode: 0644
+
+- hosts: all,!unifi
+ tasks:
+ # Add info line by line
+ - name: Dump all info into the local file
+ delegate_to: localhost
+ lineinfile:
+ path: /tmp/ansible_dump_dist_version.txt
+ line: "[{{ ansible_facts['nodename'] }}] {{ ansible_fqdn }} : {{
+ ansible_distribution }} {{ ansible_distribution_version }}"
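Review bot: `when: result.stdout is defined` is always true after a registered `shell` task — `stdout` is just the empty string when `/var/run/reboot-required.pkgs` is absent — so the DEBUG and `lineinfile` tasks run for every host and the dump file collects a bare `hostname : ` line for hosts that need no reboot. Use `when: result.stdout | length > 0` on both tasks. The read-only shell step should also carry `changed_when: false` so the play does not report a change on every host.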
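Review bot: The localhost play in `utils/version_check.yml` truncates `/tmp/ansible_dump_reboot_needed.txt` while the second play appends to `/tmp/ansible_dump_dist_version.txt`, so the version dump is never reset between runs and the sibling reboot-check dump is emptied instead; change `dest:` to `/tmp/ansible_dump_dist_version.txt`. Both new playbooks also write to a fixed, world-readable path in the control host's shared `/tmp`; a path under the playbook's own directory, or a `dump_path` variable, avoids collisions with other users of the same machine.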