diff --git a/inventory/host_vars/bt.dmz.mateu.be.yml b/inventory/host_vars/bt.dmz.mateu.be.yml
index 516c034..e360ed6 100644
--- a/inventory/host_vars/bt.dmz.mateu.be.yml
+++ b/inventory/host_vars/bt.dmz.mateu.be.yml
@@ -1,9 +1,20 @@
 ---
 web_hostname:
- - sonarr.mateu.be
- - jackett.mateu.be
- - bt.mateu.be
- - btf.mateu.be
+ - host: sonarr.mateu.be
+ - host: jackett.mateu.be
+ - host: bt.mateu.be
+ - host: btf.mateu.be
+ allowlistv4:
+ - 88.175.123.77/32
+ allowlistv6:
+ - 2a01:e0a:9bd:2811::/64
+ - 2a01:e0a:9bd:2810::/64
+ - 2a01:e0a:fc:ebc0::/64
+ - 2a01:cb00:8a0a:b700::/64
+ - 2a01:e0a:d19:ef90::/64
+ - 2001:910:13c8::/48
+ - 2a01:e0a:bde:d350::/64
+ - 2a01:cb00:f55:2d00::/64
 nginx_extra_mods:
 - fancyindex
diff --git a/inventory/host_vars/garage1.dmz.mateu.be.yml b/inventory/host_vars/garage1.dmz.mateu.be.yml
index 017b8eb..4d1cf08 100644
--- a/inventory/host_vars/garage1.dmz.mateu.be.yml
+++ b/inventory/host_vars/garage1.dmz.mateu.be.yml
@@ -1,15 +1,15 @@
 ---
 web_hostname:
- - garage.mateu.be
- - mastodon-ndfr.garage.mateu.be
- - medias.m.nintendojo.fr
- - nextcloud-libertus.garage.mateu.be
- - peertube-videos-ndfr.garage.mateu.be
- - videos.p.nintendojo.fr
- - peertube-playlists-ndfr.garage.mateu.be
- - playlists.p.nintendojo.fr
- - peertube-original-ndfr.garage.mateu.be
- - original.p.nintendojo.fr
+ - host: garage.mateu.be
+ - host: mastodon-ndfr.garage.mateu.be
+ - host: medias.m.nintendojo.fr
+ - host: nextcloud-libertus.garage.mateu.be
+ - host: peertube-videos-ndfr.garage.mateu.be
+ - host: videos.p.nintendojo.fr
+ - host: peertube-playlists-ndfr.garage.mateu.be
+ - host: playlists.p.nintendojo.fr
+ - host: peertube-original-ndfr.garage.mateu.be
+ - host: original.p.nintendojo.fr
 restic_backup_path:
 - /etc
diff --git a/inventory/host_vars/jabber.dmz.mateu.be.yml b/inventory/host_vars/jabber.dmz.mateu.be.yml
index 1af4bb7..71dc45c 100644
--- a/inventory/host_vars/jabber.dmz.mateu.be.yml
+++ b/inventory/host_vars/jabber.dmz.mateu.be.yml
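Review bot: The new `allowlistv4` and `allowlistv6` keys under `btf.mateu.be` are enforced in different places, and nothing in the inventory says so: from the templates in this same commit, `allowlistv4` only becomes a HAProxy `src` ACL (nginx then trusts the load balancer's address outright), while `allowlistv6` only becomes nginx `allow`/`deny` lines and is never seen by HAProxy. Someone editing this file later would reasonably assume both lists are enforced at both layers. I would add a comment above the keys, e.g. `# allowlistv4: enforced by HAProxy src ACL (TLS passthrough, SNI-routed); allowlistv6: enforced by nginx allow/deny — see roles/haproxy and roles/nginx/templates/header.conf.j2`. Also note the previous nginx-side IPv4 ranges (`10.233.212.2/32`, `10.233.212.64/27`) are not carried into `allowlistv4`, so if they were meant to keep direct internal access they are silently dropped by this change.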
@@ -1,8 +1,8 @@
 ---
 web_hostname:
- - libertus.eu
- - upload.libertus.eu
- - xmpp.libertus.eu
+ - host: libertus.eu
+ - host: upload.libertus.eu
+ - host: xmpp.libertus.eu
 restic_backup_path:
 - /etc
diff --git a/inventory/host_vars/mail.dmz.mateu.be.yml b/inventory/host_vars/mail.dmz.mateu.be.yml
index d68f149..c979011 100644
--- a/inventory/host_vars/mail.dmz.mateu.be.yml
+++ b/inventory/host_vars/mail.dmz.mateu.be.yml
@@ -1,7 +1,7 @@
 ---
 web_hostname:
- - imap.libertus.eu
- - smtp.libertus.eu
+ - host: imap.libertus.eu
+ - host: smtp.libertus.eu
 restic_backup_path:
 - /home
diff --git a/inventory/host_vars/masto1.dmz.mateu.be.yml b/inventory/host_vars/masto1.dmz.mateu.be.yml
index f29b97e..1973824 100644
--- a/inventory/host_vars/masto1.dmz.mateu.be.yml
+++ b/inventory/host_vars/masto1.dmz.mateu.be.yml
@@ -1,6 +1,6 @@
 ---
 web_hostname:
- - m.nintendojo.fr
+ - host: m.nintendojo.fr
 restic_backup_path:
 - /srv
diff --git a/inventory/host_vars/munin.dmz.mateu.be.yml b/inventory/host_vars/munin.dmz.mateu.be.yml
index 333656e..0134cfd 100644
--- a/inventory/host_vars/munin.dmz.mateu.be.yml
+++ b/inventory/host_vars/munin.dmz.mateu.be.yml
@@ -1,6 +1,6 @@
 ---
 web_hostname:
- - munin.mateu.be
+ - host: munin.mateu.be
 mikrotik_unitary_scripts:
 - mikrotikcpu_
diff --git a/inventory/host_vars/pt1.dmz.mateu.be.yml b/inventory/host_vars/pt1.dmz.mateu.be.yml
index c59ed24..c4fd4b2 100644
--- a/inventory/host_vars/pt1.dmz.mateu.be.yml
+++ b/inventory/host_vars/pt1.dmz.mateu.be.yml
@@ -1,3 +1,3 @@
 ---
 web_hostname:
- - p.nintendojo.fr
+ - host: p.nintendojo.fr
diff --git a/inventory/host_vars/voice3.dmz.mateu.be.yml b/inventory/host_vars/voice3.dmz.mateu.be.yml
index 353a1cb..8517183 100644
--- a/inventory/host_vars/voice3.dmz.mateu.be.yml
+++ b/inventory/host_vars/voice3.dmz.mateu.be.yml
@@ -1,3 +1,3 @@
 ---
 web_hostname:
- - radio.nintendojo.fr
+ - host: radio.nintendojo.fr
diff --git a/inventory/host_vars/web1.dmz.mateu.be.yml b/inventory/host_vars/web1.dmz.mateu.be.yml
index 5c3f0dd..d2f0872 100644
--- a/inventory/host_vars/web1.dmz.mateu.be.yml
+++ b/inventory/host_vars/web1.dmz.mateu.be.yml
@@ -3,14 +3,14 @@ php_modules: ['opcache', 'pgsql', 'mbstring', 'gd', 'intl', 'curl', 'gettext', '
 php_memory_limit: "512M"
 web_hostname:
- - fav.libertus.eu
- - rss.libertus.eu
- - o.libertus.eu
- - blog.libertus.eu
- - mail.libertus.eu
- - perso.nintendojo.fr
- - perso.libertus.eu
- - r.mateu.be
+ - host: fav.libertus.eu
+ - host: rss.libertus.eu
+ - host: o.libertus.eu
+ - host: blog.libertus.eu
+ - host: mail.libertus.eu
+ - host: perso.nintendojo.fr
+ - host: perso.libertus.eu
+ - host: r.mateu.be
 mariadb_root_pass: !vault |
 $ANSIBLE_VAULT;1.1;AES256
diff --git a/inventory/host_vars/web2.dmz.mateu.be.yml b/inventory/host_vars/web2.dmz.mateu.be.yml
index a382f57..f4be6e5 100644
--- a/inventory/host_vars/web2.dmz.mateu.be.yml
+++ b/inventory/host_vars/web2.dmz.mateu.be.yml
@@ -2,13 +2,13 @@
 php_modules: ['opcache', 'mysql', 'mbstring', 'gd', 'intl', 'xml', 'bcmath', 'curl', 'imagick']
 web_hostname:
- - nintendojo.fr
- - www.nintendojo.fr
- - wwwdev.nintendojo.fr
- - forum.nintendojo.fr
- - nintendojofr.com
- - www.nintendojofr.com
- - forum.nintendojofr.com
+ - host: nintendojo.fr
+ - host: www.nintendojo.fr
+ - host: wwwdev.nintendojo.fr
+ - host: forum.nintendojo.fr
+ - host: nintendojofr.com
+ - host: www.nintendojofr.com
+ - host: forum.nintendojofr.com
 mariadb_root_pass: !vault |
 $ANSIBLE_VAULT;1.1;AES256
diff --git a/inventory/host_vars/web3.dmz.mateu.be.yml b/inventory/host_vars/web3.dmz.mateu.be.yml
index 6c11a48..310929b 100644
--- a/inventory/host_vars/web3.dmz.mateu.be.yml
+++ b/inventory/host_vars/web3.dmz.mateu.be.yml
@@ -2,8 +2,8 @@
 php_modules: ['opcache', 'mysql', 'mbstring', 'gd', 'intl', 'xml', 'bcmath', 'curl', 'imagick']
 web_hostname:
- - sebicomics.com
- - www.sebicomics.com
+ - host: sebicomics.com
+ - host: www.sebicomics.com
 mariadb_root_pass: !vault |
 $ANSIBLE_VAULT;1.1;AES256
diff --git a/playbooks/webservers.yml b/playbooks/webservers.yml
index 4348728..fcf31cd 100644
--- a/playbooks/webservers.yml
+++ b/playbooks/webservers.yml
@@ -1,5 +1,12 @@
 ---
+- name: Retrieve network info
+ hosts: loadbalancers
+ gather_facts: true
+ gather_subset:
+ - network
+ tasks: []
+
 - name: Deploy web servers
 hosts: webservers
 diff: true
diff --git a/roles/haproxy/templates/haproxy.cfg.j2 b/roles/haproxy/templates/haproxy.cfg.j2
index 6456e8a..8d25947 100644
--- a/roles/haproxy/templates/haproxy.cfg.j2
+++ b/roles/haproxy/templates/haproxy.cfg.j2
@@ -42,10 +42,10 @@ frontend http
 acl letsencrypt path_beg /.well-known/acme-challenge
 redirect scheme https code 301 if !letsencrypt
 {% for server in groups['webservers'] | difference(groups['disabled_loadbalanced_webservers']) | sort %}
-{% for hostname in hostvars[server]['web_hostname'] | sort %}
- ## {{ hostname }} configuration
- acl host_{{ hostname }} hdr(host) -i {{ hostname }}
- use_backend http_{{ server }} if letsencrypt host_{{ hostname }}
+{% for hostname in hostvars[server]['web_hostname'] | sort(attribute='host') %}
+ ## {{ hostname.host }} configuration
+ acl host_{{ hostname.host }} hdr(host) -i {{ hostname.host }}
+ use_backend http_{{ server }} if letsencrypt host_{{ hostname.host }}
 {% endfor %}
 {% endfor %}
@@ -57,13 +57,14 @@ frontend https
 tcp-request inspect-delay 3s
 tcp-request content accept if { req.ssl_hello_type 1 }
 {% for server in groups['webservers'] | difference(groups['disabled_loadbalanced_webservers']) | sort %}
-{% for hostname in hostvars[server]['web_hostname'] | sort %}
- ## {{ hostname }} configuration
- acl host_{{ hostname }} req.ssl_sni -i {{ hostname }}
-{% if hostname == "btf.mateu.be" %}
- acl network_allowed_{{ hostname }} src 88.175.123.77
+{% for hostname in hostvars[server]['web_hostname'] | sort(attribute='host') %}
+ ## {{ hostname.host }} configuration
+ acl host_{{ hostname.host }} req.ssl_sni -i {{ hostname.host }}
+{% if hostname.allowlistv4 is defined %}
+ acl network_allowed_{{ hostname.host }} src {% for addrv4 in hostname.allowlistv4 %}{{ addrv4 }}{% endfor %}
+
 {% endif %}
- use_backend https_{{ server }} if host_{{ hostname }}{% if hostname == "btf.mateu.be" %} network_allowed_{{ hostname }}{% endif %}
+ use_backend https_{{ server }} if host_{{ hostname.host }}{% if hostname.allowlistv4 is defined %} network_allowed_{{ hostname.host }}{% endif %}
 {% endfor %}
diff --git a/roles/nginx/tasks/vhosts.yml b/roles/nginx/tasks/vhosts.yml
index 3a48859..41d388a 100644
--- a/roles/nginx/tasks/vhosts.yml
+++ b/roles/nginx/tasks/vhosts.yml
@@ -2,8 +2,8 @@
 - name: Symlink vhosts
 ansible.builtin.file:
- src: "/etc/nginx/sites-available/{{ item }}.conf"
- dest: "/etc/nginx/sites-enabled/{{ item }}.conf"
+ src: "/etc/nginx/sites-available/{{ item.host }}.conf"
+ dest: "/etc/nginx/sites-enabled/{{ item.host }}.conf"
 force: true
 follow: false
 state: link
@@ -13,8 +13,8 @@
 - name: Install vhosts
 ansible.builtin.template:
- src: "vhosts/{{ item }}.conf.j2"
- dest: "/etc/nginx/sites-available/{{ item }}.conf"
+ src: "vhosts/{{ item.host }}.conf.j2"
+ dest: "/etc/nginx/sites-available/{{ item.host }}.conf"
 mode: "0o644"
 notify:
 - Restart nginx
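Review bot: The inline `{% for addrv4 in hostname.allowlistv4 %}{{ addrv4 }}{% endfor %}` on the new `acl network_allowed_…` line emits the entries with no separator, so the first host that gets two or more `allowlistv4` entries renders as `src 88.175.123.77/3210.0.0.0/8` and HAProxy rejects the configuration at reload; the single entry in this commit only works by accident. Use `src {{ hostname.allowlistv4 | join(' ') }}` instead. The restriction also relies on no `use_backend` matching when the ACL fails, which means whatever default backend the frontend has (outside this hunk) still receives the connection; an explicit `tcp-request content reject if host_{{ hostname.host }} !network_allowed_{{ hostname.host }}` after the ACL fails closed regardless of the default. Finally, only `allowlistv4` is evaluated here — if this frontend also binds an IPv6 address, v6 clients are not filtered by HAProxy at all and reach nginx from the load balancer's address, which `header.conf.j2` allows unconditionally, so the v6 list would have to be folded into this ACL too; the `bind` lines are not in the hunk, so confirm whether that applies.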
diff --git a/roles/nginx/templates/header.conf.j2 b/roles/nginx/templates/header.conf.j2
index 60b1420..257337d 100644
--- a/roles/nginx/templates/header.conf.j2
+++ b/roles/nginx/templates/header.conf.j2
@@ -1,10 +1,21 @@
 listen *:443 ssl http2;
 listen [::]:443 ssl http2;
- ssl_certificate /etc/x509/{{ item }}/fullchain.cer;
- ssl_certificate_key /etc/x509/{{ item }}/{{ item }}.key;
- server_name {{ item }};
- access_log /var/log/nginx/{{ item }}.access.log combined;
+ ssl_certificate /etc/x509/{{ item.host }}/fullchain.cer;
+ ssl_certificate_key /etc/x509/{{ item.host }}/{{ item.host }}.key;
+ server_name {{ item.host }};
+ access_log /var/log/nginx/{{ item.host }}.access.log combined;
 access_log syslog:server=unix:/dev/log combined;
- error_log /var/log/nginx/{{ item }}.error.log;
+ error_log /var/log/nginx/{{ item.host }}.error.log;
 error_log syslog:server=unix:/dev/log;
+{% if item.allowlistv4 is defined %}
+ allow {{ hostvars['haproxy.dmz.mateu.be'].ansible_default_ipv4.address }};
+{% endif %}
+{% if item.allowlistv6 is defined %}
+{% for addrv6 in item.allowlistv6 %}
+ allow {{ addrv6 }};
+{% endfor %}
+{% endif %}
+{% if item.allowlistv4 is defined or item.allowlistv6 is defined %}
+ deny all;
+{% endif %}
diff --git a/roles/nginx/templates/vhosts/btf.mateu.be.conf.j2 b/roles/nginx/templates/vhosts/btf.mateu.be.conf.j2
index 9523376..761313f 100644
--- a/roles/nginx/templates/vhosts/btf.mateu.be.conf.j2
+++ b/roles/nginx/templates/vhosts/btf.mateu.be.conf.j2
@@ -1,4 +1,3 @@
-{% set allowed_ips=['10.233.212.2/32','10.233.212.64/27', '2a01:e0a:9bd:2811::/64', '2a01:e0a:9bd:2810::/64', '2a01:e0a:fc:ebc0::/64', '2a01:cb00:8a0a:b700::/64', '2a01:e0a:d19:ef90::/64', '2001:910:13c8::/48', '2a01:e0a:bde:d350::/64', '2a01:cb00:f55:2d00::/64'] -%}
 server {
 {% include './templates/header.conf.j2' %}
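Review bot: The new `allow {{ hostvars['haproxy.dmz.mateu.be'].ansible_default_ipv4.address }};` trusts every connection arriving from the load balancer, but the HAProxy gate added in this same commit is a TLS-passthrough ACL keyed on `req.ssl_sni`, while nginx selects the `server` block per request from the HTTP `Host` header, not the SNI. As far as I can tell, a client can therefore handshake with SNI `bt.mateu.be` (unrestricted, same backend per the bt.dmz inventory) and send `Host: btf.mateu.be`: HAProxy forwards it, nginx routes it to the restricted block, and the load-balancer `allow` matches, so the IPv4 allowlist is bypassed. If that is within the threat model, add a mismatch guard in the same `{% if item.allowlistv4 is defined %}` branch, e.g. `if ($ssl_server_name != $host) { return 421; }`, and verify it against your nginx version and HTTP/2 connection reuse before relying on it. Separately, `haproxy.dmz.mateu.be` is hard-coded while the fact-gathering play targets `loadbalancers`; iterating `groups['loadbalancers']` keeps the two in sync, and since `ansible_default_ipv4` is the default-route interface rather than necessarily the one facing the web servers, a mismatch there fails closed (everything denied) — worth a comment above the `allow` so the next person knows why 403s appear after a network change.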
@@ -6,10 +5,6 @@ server {
 root /net/;
 fancyindex on;
 fancyindex_exact_size off;
- {% for allowed_ip in allowed_ips -%}
- allow {{ allowed_ip }};
- {% endfor -%}
- deny all;
 }
 }
diff --git a/roles/nginx/templates/vhosts/garage.mateu.be.conf.j2 b/roles/nginx/templates/vhosts/garage.mateu.be.conf.j2
index ce4bc14..3a8a432 100644
--- a/roles/nginx/templates/vhosts/garage.mateu.be.conf.j2
+++ b/roles/nginx/templates/vhosts/garage.mateu.be.conf.j2
@@ -2,7 +2,7 @@ server {
 {% include './templates/header.conf.j2' %}
 location / {
- proxy_pass http://s3_backend_{{ item.split('.')|join('_') }};
+ proxy_pass http://s3_backend_{{ item.host.split('.')|join('_') }};
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header Host $host;
 # Disable buffering to a temporary file.
@@ -10,7 +10,7 @@ server {
 }
 }
-upstream s3_backend_{{ item.split('.')|join('_') }} {
+upstream s3_backend_{{ item.host.split('.')|join('_') }} {
 # If you have a garage instance locally.
 server [::1]:3900;
 }
diff --git a/roles/nginx/templates/vhosts/web.garage.mateu.be.conf.j2 b/roles/nginx/templates/vhosts/web.garage.mateu.be.conf.j2
index 2be9be1..7506820 100644
--- a/roles/nginx/templates/vhosts/web.garage.mateu.be.conf.j2
+++ b/roles/nginx/templates/vhosts/web.garage.mateu.be.conf.j2
@@ -2,13 +2,13 @@ server {
 {% include './templates/header.conf.j2' %}
 location / {
- proxy_pass http://web_backend_{{ item.split('.')|join('_') }};
+ proxy_pass http://web_backend_{{ item.host.split('.')|join('_') }};
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header Host $host;
 }
 }
-upstream web_backend_{{ item.split('.')|join('_') }} {
+upstream web_backend_{{ item.host.split('.')|join('_') }} {
 # If you have a garage instance locally.
 server [::1]:3902;
 }
diff --git a/roles/nsd/tasks/zones.yml b/roles/nsd/tasks/zones.yml
index 1e373bf..aad7c59 100644
--- a/roles/nsd/tasks/zones.yml
+++ b/roles/nsd/tasks/zones.yml
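Review bot: Deleting the `allowed_ips` loop here drops `10.233.212.2/32` and `10.233.212.64/27` from the IPv4 side, and the replacement in `header.conf.j2` allows only the single gathered HAProxy address; unless the `/27` was already obsolete, direct access from that range (management hosts, a VPN, or whatever it covered) now gets a 403. If that is intended it deserves a sentence in the commit message; if not, note that `allowlistv4` as consumed by `header.conf.j2` has no way to carry an extra nginx-side range, so the data model needs a field for it before this merges. Moving the `allow`/`deny` from `location /` up to server scope is a genuine improvement — `deny all` now also covers any location added to this vhost later.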
@@ -11,8 +11,8 @@
 dns_serial: "{{ ansible_date_time.epoch }}"
 web_hostname_block: |-
 {% for webserver in groups['webservers'] | sort -%}
- {% for web_hostname in (hostvars[webserver]['web_hostname'] | select('match', '.+' ~ item.name) | sort) -%}
- {{ web_hostname | regex_replace('\.' ~ item.name ~ '$', '') }} IN CNAME {{ webserver }}.
+ {% for web_hostname in (hostvars[webserver]['web_hostname'] | selectattr('host', 'match', '.+' ~ item.name) | sort(attribute='host')) -%}
+ {{ web_hostname.host | regex_replace('\.' ~ item.name ~ '$', '') }} IN CNAME {{ webserver }}.
 {% endfor %}
 {% endfor %}
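Review bot: The new `selectattr('host', 'match', '.+' ~ item.name)` leaves the zone name unescaped and unanchored — every `.` in `item.name` matches any character and nothing pins the end — so for zone `mateu.be` a host like `foo.mateu.be.example` (or `x.mateuXbe`) is also selected, and the following `regex_replace('\.' ~ item.name ~ '$', '')` then fails to strip the suffix, emitting a CNAME with a mangled owner name into the wrong zone. The hostnames come from the inventory, so this is a correctness footgun rather than an injection, but `selectattr('host', 'match', '.+\.' ~ (item.name | regex_escape) ~ '$')` plus the same `regex_escape` inside the `regex_replace` makes the selection exact. The `web_hostname_block` block scalar this sits in starts before the hunk.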