diff --git a/icecast2.yml b/icecast2.yml
new file mode 100644
index 0000000..04663ac
--- /dev/null
+++ b/icecast2.yml
@@ -0,0 +1,3 @@
+- hosts: icecastservers
+ roles:
+ - icecast2
diff --git a/mumble.yml b/mumble.yml
new file mode 100644
index 0000000..337f92f
--- /dev/null
+++ b/mumble.yml
@@ -0,0 +1,3 @@
+- hosts: mumbleservers
+ roles:
+ - mumble
diff --git a/production/hosts b/production/hosts
index 6ed2a1c..9210b87 100644
--- a/production/hosts
+++ b/production/hosts
@@ -24,6 +24,7 @@ web1.dmz.mateu.be
web2.dmz.mateu.be
mail.dmz.mateu.be borg_backup_path="['/home', '/etc', '/var/lib/mailman']"
jabber.dmz.mateu.be borg_backup_path="['/etc', '/var/lib/prosody']"
+voice1.dmz.mateu.be borg_backup_path="['/etc', '/var/lib/mumble-server']"
ror.dmz.mateu.be
[nut:children]
@@ -45,6 +46,7 @@ web1.dmz.mateu.be web_hostname="['fav.libertus.eu', 'rss.libertus.eu', 'o.libert
web2.dmz.mateu.be web_hostname="['analyse.nintendojo.fr', 'nintendojo.fr', 'www.nintendojo.fr', 'forum.nintendojo.fr', 'intendo.fr', 'www.intendo.fr']"
ror.dmz.mateu.be web_hostname="['m.nintendojo.fr']"
jabber.dmz.mateu.be web_hostname="['libertus.eu', 'upload.libertus.eu', 'xmpp.libertus.eu']"
+voice3.dmz.mateu.be web_hostname="['radio.nintendojo.fr']"
#mail.dmz.mateu.be
[phpservers]
@@ -73,3 +75,8 @@ haproxy.dmz.mateu.be
[transmission]
bt.dmz.mateu.be
+[mumbleservers]
+voice1.dmz.mateu.be
+
+[icecastservers]
+voice3.dmz.mateu.be
diff --git a/roles/firewall/templates/firewall.j2 b/roles/firewall/templates/firewall.j2
index 1171f49..dcbf10d 100644
--- a/roles/firewall/templates/firewall.j2
+++ b/roles/firewall/templates/firewall.j2
@@ -142,15 +142,15 @@ config rule
# option target 'ACCEPT'
# option family 'ipv6'
-config rule
- option name 'n0box2-mumble'
- option src 'wan'
- option proto 'tcpudp'
- option dest 'lan'
- option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
- option dest_port '64738'
- option target 'ACCEPT'
- option family 'ipv6'
+#config rule
+# option name 'n0box2-mumble'
+# option src 'wan'
+# option proto 'tcpudp'
+# option dest 'lan'
+# option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv6']['address'] }}'
+# option dest_port '64738'
+# option target 'ACCEPT'
+# option family 'ipv6'
config redirect
option name 'n0box2-SMTP'
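Review bot: The retired `n0box2-mumble` rule is kept in the template as nine commented-out lines instead of being deleted, and the redirect of the same name in the next hunk is handled the same way. Disabled rules left in a firewall template make it harder to audit what is actually open and are easy to re-enable by accident; the old text stays available in version control. I would delete both blocks, or keep a single marker line such as `# n0box2-mumble moved to voice1 in the DMZ`.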
@@ -232,15 +232,15 @@ config redirect
# option dest_port '9987'
# option target 'DNAT'
-config redirect
- option name 'n0box2-mumble'
- option src 'wan'
- option src_dport '64738'
- option proto 'tcpudp'
- option dest 'lan'
- option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
- option dest_port '64738'
- option target 'DNAT'
+#config redirect
+# option name 'n0box2-mumble'
+# option src 'wan'
+# option src_dport '64738'
+# option proto 'tcpudp'
+# option dest 'lan'
+# option dest_ip '{{ hostvars['n0box2.mateu.be']['ansible_default_ipv4']['address'] }}'
+# option dest_port '64738'
+# option target 'DNAT'
### DMZ Rules
## General Rules
@@ -488,6 +488,27 @@ config rule
option target 'ACCEPT'
option family 'ipv6'
+# Allow Mumble traffic
+config rule
+ option name 'Allow-INPUT-mumble'
+ option src 'wan'
+ option proto 'tcpudp'
+ option dest 'dmz'
+ option dest_ip '{{ hostvars['voice1.dmz.mateu.be']['ansible_default_ipv6']['address'] }}'
+ option dest_port '64738'
+ option target 'ACCEPT'
+ option family 'ipv6'
+
+config redirect
+ option name 'Allow-INPUT-mumble'
+ option src 'wan'
+ option src_dport '64738'
+ option proto 'tcpudp'
+ option dest 'dmz'
+ option dest_ip '{{ hostvars['voice1.dmz.mateu.be']['ansible_default_ipv4']['address'] }}'
+ option dest_port '64738'
+ option target 'DNAT'
+
## Default configuration
config defaults
option syn_flood '1'
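Review bot: The new `config rule` and `config redirect` both carry `option name 'Allow-INPUT-mumble'`, so the two entries cannot be told apart by name in firewall listings or logs. The name also says INPUT, although both entries pass traffic on to a host in `dmz`. Distinct names such as `option name 'voice1-mumble-v6'` and `option name 'voice1-mumble-dnat'` would follow the host-based naming of the removed `n0box2-mumble` entries. Both `dest_ip` lines read `hostvars['voice1.dmz.mateu.be']`, so rendering presumably depends on facts for voice1 having been gathered in the same run; a one-line comment above the block saying so would help.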
diff --git a/roles/icecast2/defaults/main.yml b/roles/icecast2/defaults/main.yml
new file mode 100644
index 0000000..e1ca55a
--- /dev/null
+++ b/roles/icecast2/defaults/main.yml
@@ -0,0 +1,28 @@
+source_pass: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 36383738646636353839616365316537653865666335353136666166336137636635663062626265
+ 6464633337633063326632303332623264336462383635360a336362623464623061666230366366
+ 32366135323936386430333735666362303132623764646439316330666334333739306432616538
+ 3836323434303637370a643864666439373934306439353030613266303139333732353138653238
+ 6531
+relay_pass: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 61663166303239323862656262303332313365616132633765666264376234316630656330356333
+ 6264646531643936616466653832656537316533303161630a393763303536356631666631393161
+ 32393762366231386665633962613332333163323530313032343430383335643962336535366639
+ 3366316330326363660a643664626461623833323531336134353233343235346631303765333066
+ 6366
+admin_pass: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 62353032653634373261396231393539393530313639613730386163383933313863306561336164
+ 3632663966353336353330356230373038623037663665380a393038633039326261353266633331
+ 63383237636536663036346335613933356161346166396331323863643731656661643934313835
+ 6565303963393631310a666131313933623834313732633261633932326266376462333637356439
+ 6238
+admin_user: !vault |
+ $ANSIBLE_VAULT;1.1;AES256
+ 39306532623732636431353461353062346464343630303438373935666338356566373538336264
+ 6662376439323937663565353636343865366132623230620a336130313131656332313864383434
+ 36643430616330363235373139333935383133376439353535363739376131303432333266626263
+ 3638646466316361350a333533313134633762383535646164663364633633336439656538343333
+ 3964
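Review bot: The four credentials are defined in role defaults under generic names (`source_pass`, `relay_pass`, `admin_pass`, `admin_user`). Role defaults have the lowest variable precedence, so any inventory or play variable with the same name silently replaces the Icecast credentials, and another role that uses `admin_pass` would collide with this one. Prefixing them, e.g. `icecast2_admin_pass`, and updating the references in `icecast.xml.j2` would avoid that. A short comment at the top of the file stating that the values are vault-encrypted, and which vault identity decrypts them, would help whoever has to rotate them.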
diff --git a/roles/icecast2/handlers/main.yml b/roles/icecast2/handlers/main.yml
new file mode 100644
index 0000000..1389b56
--- /dev/null
+++ b/roles/icecast2/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart icecast2
+ service:
+ name: icecast2
+ state: restarted
diff --git a/roles/icecast2/tasks/main.yml b/roles/icecast2/tasks/main.yml
new file mode 100644
index 0000000..604b6ab
--- /dev/null
+++ b/roles/icecast2/tasks/main.yml
@@ -0,0 +1,12 @@
+- name: install icecast2
+ package:
+ name: icecast2
+ state: present
+
+- name: configuration file
+ template:
+ src: icecast.xml.j2
+ dest: /etc/icecast2/icecast.xml
+ notify:
+ - restart icecast2
+
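Review bot: The `configuration file` task renders `/etc/icecast2/icecast.xml`, which holds the source, relay and admin passwords, without setting `owner`, `group` or `mode`, so the resulting permissions depend on the umask and on whatever file was there before. I would set them explicitly, e.g. `mode: '0640'` with `owner: root` and `group:` set to the group the icecast2 service runs as, and add `no_log: true` so that a `--diff` run does not print the decrypted values. The `copy` of `/etc/mumble-server.ini` in roles/mumble/tasks/main.yml has the same gap in file permissions.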
diff --git a/roles/icecast2/templates/icecast.xml.j2 b/roles/icecast2/templates/icecast.xml.j2
new file mode 100644
index 0000000..94c12c5
--- /dev/null
+++ b/roles/icecast2/templates/icecast.xml.j2
@@ -0,0 +1,174 @@
+
+
+ 200
+ 2
+ 5
+ 8192
+ 30
+ 15
+ 10
+
+ 0
+
+ 8192
+
+
+
+
+ {{ source_pass }}
+
+ {{ relay_pass }}
+
+
+ {{ admin_user }}
+ {{ admin_pass }}
+
+
+
+
+
+
+
+
+ localhost
+
+
+
+ 8000
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ 1
+
+
+
+ /usr/share/icecast2
+
+
+ /var/log/icecast2
+ /usr/share/icecast2/web
+ /usr/share/icecast2/admin
+
+
+
+
+
+
+
+
+
+ access.log
+ error.log
+
+ 3
+ 10000
+
+
+
+
+
+ 0
+
+
+
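Review bot: `{{ source_pass }}`, `{{ relay_pass }}`, `{{ admin_user }}` and `{{ admin_pass }}` are written into the XML unescaped. Ansible templates do not autoescape, so a credential containing `&` or `<` would yield a file Icecast cannot parse and the notified restart would fail. Using `{{ admin_pass | e }}`, and the same filter on the other three, avoids that. Separately, no bind address value appears next to port `8000` in this view (the element names are not visible here, so this is an inference). If only the local nginx vhost is meant to reach Icecast, binding the listener to 127.0.0.1 would keep the admin interface off the DMZ network.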
diff --git a/roles/mumble/files/mumble-server.ini b/roles/mumble/files/mumble-server.ini
new file mode 100644
index 0000000..b5fc0a6
--- /dev/null
+++ b/roles/mumble/files/mumble-server.ini
@@ -0,0 +1,97 @@
+# Path to database. If blank, will search for
+# murmur.sqlite in default locations or create it if not found.
+
+# If you wish to use something other than SQLite, you'll need to set the name
+# of the database above, and also uncomment the below.
+#
+database=/var/lib/mumble-server/mumble-server.sqlite
+
+# Murmur defaults to not using D-Bus. If you wish to use dbus, which is one of the
+# RPC methods available in murmur, please specify so here.
+#
+#dbus=system
+
+# Alternate service name. Only use if you are running distinct
+# murmurd processes connected to the same D-Bus daemon.
+#dbusservice=net.sourceforge.mumble.murmur
+
+# If you want to use ZeroC ICE to communicate with Murmur, you need
+# to specify the endpoint to use. Since there is no authentication
+# with ICE, you should only use it if you trust all the users who have
+# shell access to your machine.
+# Please see the ICE documentation on how to specify endpoints.
+#ice="tcp -h 127.0.0.1 -p 6502"
+
+# How many login attempts do we tolerate from one IP
+# inside a given timeframe before we ban the connection?
+# Note that this is global (shared between all virtual servers), and that
+# it counts both successfull and unsuccessfull connection attempts.
+# Set either Attempts or Timeframe to 0 to disable.
+#autobanAttempts = 10
+#autobanTimeframe = 120
+#autobanTime = 300
+
+# Murmur default to logging to murmur.log. If you leave this blank,
+# murmur will log to the console (linux) or through message boxes (win32).
+logfile=/var/log/mumble-server/mumble-server.log
+
+# Where Murmur should store it's .pid file. Leave blank to use current
+# directory. This option does nothing on Win32.
+pidfile=/var/run/mumble-server/mumble-server.pid
+
+# The below will be used as defaults for new configured servers.
+# If you're just running one server (the default), it's easier to
+# configure it here than through D-Bus or Ice.
+#
+# Welcome message sent to clients when they connect
+welcometext="
Welcome to this server running Murmur.
Enjoy your stay!
"
+
+# Port to bind TCP and UDP sockets to
+port=64738
+
+# Specific IP or hostname to bind to.
+# If this is left blank (default), murmur will bind to all available addresses.
+host=
+
+# Password to join server
+serverpassword=
+
+# Maximum bandwidth (in bytes per second) clients are allowed
+# to send speech at.
+bandwidth=100000
+
+# Maximum number of concurrent clients allowed.
+users=100
+
+# Murmur retains the per-server log entries in an internal database which
+# allows it to be accessed over D-Bus/ICE.
+# How many days should such entries be kept?
+#logdays=31
+
+# To enable public server registration, the serverpassword must be blank, and
+# this must all be filled out.
+# The password here is used to create a registry for the server name; subsequent
+# updates will need the same password. Don't lose your password.
+# The URL is your own website, and only set the registerHostname for static IP
+# addresses.
+#
+#registerName=Mumble Server
+#registerPassword=secret
+#registerUrl=http://mumble.sourceforge.net/
+#registerHostname=
+
+# If you have a proper SSL certificate, you can provide the filenames here.
+#sslCert=
+#sslKey=
+
+# To enable username registration through
+# http://webserver/cgi-bin/mumble-server/register.cgi
+# then this value must be set to a valid email
+# and you must be running a SMTP server on this
+# machine.
+# This option is only used for a pre-packaged system-wide installation,
+# and does nothing if you just start murmurd yourself.
+#emailfrom =
+
+# If murmur is started as root, which user should it switch to?
+# This option is ignored if murmur isn't started with root privileges.
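Review bot: `serverpassword=` is left empty and the `autoban*` settings stay commented out, while the firewall change in this same commit opens port 64738 from `wan` to voice1. The server is therefore joinable by anyone who can reach it and relies on Murmur's built-in defaults for throttling repeated connections. If the server is not meant to be public, set `serverpassword` from a vault variable (which means turning this file into a template) and uncomment the three `autoban` lines with explicit values. The file also ends on the comment about which user murmur should switch to, with no `uname=` line after it. If the packaged service starts murmurd as root it would presumably stay root, so I would restore that setting, e.g. `uname=<service user>`.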
diff --git a/roles/mumble/handlers/main.yml b/roles/mumble/handlers/main.yml
new file mode 100644
index 0000000..b6ca2af
--- /dev/null
+++ b/roles/mumble/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart mumble
+ service:
+ name: mumble-server
+ state: restarted
diff --git a/roles/mumble/tasks/main.yml b/roles/mumble/tasks/main.yml
new file mode 100644
index 0000000..cdac2c5
--- /dev/null
+++ b/roles/mumble/tasks/main.yml
@@ -0,0 +1,11 @@
+- name: install mumble
+ package:
+ name: mumble-server
+ state: present
+
+- name: configuration files
+ copy:
+ src: ./files/mumble-server.ini
+ dest: /etc/mumble-server.ini
+ notify:
+ - restart mumble
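Review bot: `src: ./files/mumble-server.ini` spells out the role's own `files` directory, which the `copy` module already searches when it runs inside a role. `src: mumble-server.ini` is the usual form and does not depend on how the relative path happens to resolve. The task name `configuration files` is plural although a single file is copied; `mumble-server.ini` would be clearer in play output.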
diff --git a/roles/nginx/templates/vhosts/radio.nintendojo.fr.conf.j2 b/roles/nginx/templates/vhosts/radio.nintendojo.fr.conf.j2
new file mode 100644
index 0000000..fd5d845
--- /dev/null
+++ b/roles/nginx/templates/vhosts/radio.nintendojo.fr.conf.j2
@@ -0,0 +1,7 @@
+server {
+{% include './templates/header.conf.j2' %}
+
+ location / {
+ proxy_pass http://127.0.0.1:8000;
+ }
+}
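Review bot: `location /` proxies every path to Icecast, including its `/admin/` interface, so the admin login becomes reachable on the public radio.nintendojo.fr vhost. I would add a dedicated block ahead of it, e.g. `location /admin/ { allow <management network>; deny all; proxy_pass http://127.0.0.1:8000; }`. The block also sets no `proxy_set_header X-Forwarded-For $remote_addr;` (unless `header.conf.j2`, which is not shown here, does), so Icecast would see every listener as 127.0.0.1 in its access log.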
diff --git a/site.yml b/site.yml
index c2bd8cc..fe266b6 100644
--- a/site.yml
+++ b/site.yml
@@ -12,3 +12,5 @@
- import_playbook: mariadb.yml
- import_playbook: pgsql.yml
- import_playbook: bittorrent.yml
+- import_playbook: mumble.yml
+- import_playbook: icecast2.yml