diff --git a/munin.yml b/munin.yml new file mode 100644 index 0000000..c04de27 --- /dev/null +++ b/munin.yml @@ -0,0 +1,7 @@ +- hosts: all:!baybay-ponay.mateu.be + roles: + - munin-client + +- hosts: muninservers + roles: + - munin-server diff --git a/production/hosts b/production/hosts index 6386119..5348946 100644 --- a/production/hosts +++ b/production/hosts @@ -17,7 +17,7 @@ borg_client edelgard.dmz.mateu.be [borg_client] -baybay-ponay.mateu.be borg_backup_path="['/home', '/etc']" borg_backup_excluded_path="['/home/.snapshots']" borg_backup_hour=19 borg_backup_minute=30 +#baybay-ponay.mateu.be borg_backup_path="['/home', '/etc']" borg_backup_excluded_path="['/home/.snapshots']" borg_backup_hour=19 borg_backup_minute=30 bt.dmz.mateu.be borg_backup_path="['/etc', '/var/lib/transmission-daemon']" web1.dmz.mateu.be web2.dmz.mateu.be @@ -46,6 +46,7 @@ ror.dmz.mateu.be web_hostname="['m.nintendojo.fr']" jabber.dmz.mateu.be web_hostname="['libertus.eu', 'upload.libertus.eu', 'xmpp.libertus.eu']" voice3.dmz.mateu.be web_hostname="['radio.nintendojo.fr']" mail.dmz.mateu.be web_hostname="['imap.libertus.eu', 'smtp.libertus.eu', 'mm.pipoworld.fr', 'mm.nintendojo.fr']" +munin.dmz.mateu.be web_hostname="['munin.mateu.be']" [phpservers] web1.dmz.mateu.be php_modules="['opcache', 'mysql', 'mbstring', 'gd', 'intl', 'curl', 'gettext', 'imap', 'zip', 'apcu']" @@ -81,3 +82,9 @@ voice3.dmz.mateu.be [rsyslogservers] syslog.dmz.mateu.be + +[muninservers] +munin.dmz.mateu.be + +[disabled_munin] +#baybay-ponay.mateu.be diff --git a/roles/firewall/templates/firewall.j2 b/roles/firewall/templates/firewall.j2 index dc825db..ebc712d 100644 --- a/roles/firewall/templates/firewall.j2 +++ b/roles/firewall/templates/firewall.j2 
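Review bot: The exclusion is hard-coded in the host pattern (`hosts: all:!baybay-ponay.mateu.be`) while the production/hosts hunk in this same commit adds a `[disabled_munin]` group for the same purpose — and that group is empty, because its only entry is commented out (`#baybay-ponay.mateu.be`), so the `difference(groups['disabled_munin'])` in munin.conf.j2 currently excludes nothing. Two mechanisms for one decision means a host can be skipped by the play yet still be listed on the server (or the reverse) once someone edits only one of them. I would make the inventory group the single source: uncomment the host under `[disabled_munin]` and change the play to `- hosts: all:!disabled_munin`. The inventory hunks themselves need no other change.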
@@ -397,6 +397,16 @@ config redirect option dest_port '993' option target 'DNAT' +# Allow Munin traffic +config rule + option name 'Allow-INPUT-Munin' + option src 'dmz' + option src_ip '{{ hostvars['munin.dmz.mateu.be']['ansible_default_ipv4']['address'] }}' + option proto 'tcp' + option dest_port '4949' + option target 'ACCEPT' + option family 'ipv4' + ## Default configuration config defaults option syn_flood '1' diff --git a/roles/munin-client/handlers/main.yml b/roles/munin-client/handlers/main.yml new file mode 100644 index 0000000..5d25705 --- /dev/null +++ b/roles/munin-client/handlers/main.yml @@ -0,0 +1,4 @@ +- name: restart munin-node + service: + name: munin-node + state: restarted diff --git a/roles/munin-client/tasks/main.yml b/roles/munin-client/tasks/main.yml new file mode 100644 index 0000000..37f8214 --- /dev/null +++ b/roles/munin-client/tasks/main.yml 
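Review bot: `option src_ip` is rendered from `hostvars['munin.dmz.mateu.be']['ansible_default_ipv4']['address']`, which is only defined when facts for that host were gathered in the same run or come from a fact cache; a run with `--limit` that leaves the munin server out, or an unreachable munin host, aborts the firewall template for every firewall host with an undefined-variable error. That is the right failure mode (a blank `src_ip` would open 4949 to the whole zone), but it is an invisible cross-host dependency worth stating in the template, e.g. `{# src_ip needs facts for munin.dmz.mateu.be: gather them in the same run or enable fact caching #}` above `config rule`. The same lookup appears in munin-node.conf.j2 in this commit. The rule is `family 'ipv4'` only, which is consistent with the IPv4-only `allow` line the node template generates.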
@@ -0,0 +1,68 @@
+- set_fact:
+ muninpkgs:
+ - muninlite
+ munin_need_reconfigure: False
+ when: ansible_facts['distribution'] == "LEDE" or ansible_facts['distribution'] == "OpenWRT"
+
+- set_fact:
+ muninpkgs:
+ - munin-node
+ - munin-plugins-core
+ - munin-plugins-extra
+ munin_need_reconfigure: True
+ when: ansible_facts['distribution'] == "Debian"
+
+- name: install munin node packages
+ package:
+ name: "{{ item }}"
+ state: present
+ loop: "{{ muninpkgs }}"
+
+- name: munin-node conf file
+ template:
+ src: munin-node.conf.j2
+ dest: /etc/munin/munin-node.conf
+ notify:
+ - restart munin-node
+ when: munin_need_reconfigure
+
+- name: install LWP::UserAgent
+ package:
+ name: libwww-perl
+ state: present
+ notify:
+ - restart munin-node
+ when: "'webservers' in group_names"
+
+- name: reconfigure munin-node
+ shell:
+ cmd: munin-node-configure --shell | sh
+ notify:
+ - restart munin-node
+ when: munin_need_reconfigure
+
+## Useless junks for LXC
+- name: delete diskstats from LXC machines
+ file:
+ path: /etc/munin/plugins/diskstats
+ state: absent
+ notify:
+ - restart munin-node
+ when: ansible_facts['virtualization_type'] == "lxc"
+
+## Useless junks for hypervisors
+- name: delete squid plugins
+ shell:
+ cmd: "rm -f /etc/munin/plugins/squid_*"
+ warn: False
+ notify:
+ - restart munin-node
+ when: "'hypervisors' in group_names"
+
+- name: delete lxc interfaces plugins
+ shell:
+ cmd: "rm -f /etc/munin/plugins/if_*veth* /etc/munin/plugins/if_*fw* /etc/munin/plugins/if_*vmbr*"
+ warn: False
+ notify:
+ - restart munin-node
+ when: "'hypervisors' in group_names"
diff --git a/roles/munin-client/templates/munin-node.conf.j2 b/roles/munin-client/templates/munin-node.conf.j2
new file mode 100644
index 0000000..e715b7e
--- /dev/null
+++ b/roles/munin-client/templates/munin-node.conf.j2
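Review bot: A host whose `ansible_facts['distribution']` is neither LEDE/OpenWRT nor Debian gets no `set_fact`, so `loop: "{{ muninpkgs }}"` in the install task and the `when: munin_need_reconfigure` guards fail with an undefined-variable error rather than a clear message, and since the play targets `all` one unexpected distribution breaks the whole play. Add an explicit guard after the two `set_fact` tasks: `- name: refuse unsupported distributions` / `  assert:` / `    that: muninpkgs is defined`. Two smaller points: `cmd: munin-node-configure --shell | sh` reports changed and restarts munin-node on every run, and without `executable: /bin/bash` plus `set -o pipefail` a failing munin-node-configure is masked by the exit status of `sh`; and the `warn: False` argument on the two `rm -f` shell tasks was removed in ansible-core 2.14, while `file: state: absent` over a `find` result would be idempotent and need no shell at all. The `delete diskstats` task is not gated on `munin_need_reconfigure`, so on an LXC guest running muninlite it would presumably notify a `munin-node` service that does not exist there.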
@@ -0,0 +1,64 @@
+#
+# Example config-file for munin-node
+#
+
+log_level 4
+log_file /var/log/munin/munin-node.log
+pid_file /var/run/munin/munin-node.pid
+
+background 1
+setsid 1
+
+user root
+group root
+
+# This is the timeout for the whole transaction.
+# Units are in sec. Default is 15 min
+#
+# global_timeout 900
+
+# This is the timeout for each plugin.
+# Units are in sec. Default is 1 min
+#
+# timeout 60
+
+# Regexps for files to ignore
+ignore_file [\#~]$
+ignore_file DEADJOE$
+ignore_file \.bak$
+ignore_file %$
+ignore_file \.dpkg-(tmp|new|old|dist)$
+ignore_file \.rpm(save|new)$
+ignore_file \.pod$
+
+# Set this if the client doesn't report the correct hostname when
+# telnetting to localhost, port 4949
+#
+host_name {{ inventory_hostname }}
+
+# A list of addresses that are allowed to connect. This must be a
+# regular expression, since Net::Server does not understand CIDR-style
+# network notation unless the perl module Net::CIDR is installed. You
+# may repeat the allow line as many times as you'd like
+
+allow ^{{ hostvars['munin.dmz.mateu.be']['ansible_default_ipv4']['address'].split('.')|join('\.') }}
+allow ^127\.0\.0\.1$
+allow ^::1$
+
+# If you have installed the Net::CIDR perl module, you can use one or more
+# cidr_allow and cidr_deny address/mask patterns. A connecting client must
+# match any cidr_allow, and not match any cidr_deny. Note that a netmask
+# *must* be provided, even if it's /32
+#
+# Example:
+#
+# cidr_allow 127.0.0.1/32
+# cidr_allow 192.0.2.0/24
+# cidr_deny 192.0.2.42/32
+
+# Which address to bind to;
+host *
+# host 127.0.0.1
+
+# And which port
+port 4949
diff --git a/roles/munin-server/tasks/main.yml b/roles/munin-server/tasks/main.yml
new file mode 100644
index 0000000..b0e0b39
--- /dev/null
+++ b/roles/munin-server/tasks/main.yml
@@ -0,0 +1,10 @@
+- name: install munin packages
+ package:
+ name: munin
+ state: present
+
+- name: munin conf file
+ template:
+ src: munin.conf.j2
+ dest: /etc/munin/munin.conf
+
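Review bot: The generated `allow` regex is anchored only at the start: `allow ^{{ ... | join('\.') }}` renders, for a server at (say) 10.0.0.1, as `^10\.0\.0\.1`, which also matches 10.0.0.10–10.0.0.19 and 10.0.0.100–10.0.0.199, so any such neighbouring DMZ address could query every plugin on port 4949. The uci rule in this commit appears to govern only INPUT on the router, so the Debian nodes that receive this template rely on this line alone; append the end anchor: `allow ^{{ hostvars['munin.dmz.mateu.be']['ansible_default_ipv4']['address'].split('.')|join('\.') }}$`. `host *` binds every interface, which is acceptable only while the allow list stays this tight. The header `# Example config-file for munin-node` is misleading for a managed file; `# {{ ansible_managed }}` is the usual replacement.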
diff --git a/roles/munin-server/templates/munin.conf.j2 b/roles/munin-server/templates/munin.conf.j2 new file mode 100644 index 0000000..27d4d12 --- /dev/null +++ b/roles/munin-server/templates/munin.conf.j2 
@@ -0,0 +1,147 @@
+# Example configuration file for Munin, generated by 'make build'
+
+# The next three variables specifies where the location of the RRD
+# databases, the HTML output, logs and the lock/pid files. They all
+# must be writable by the user running munin-cron. They are all
+# defaulted to the values you see here.
+#
+#dbdir /var/lib/munin
+#htmldir /var/cache/munin/www
+#logdir /var/log/munin
+#rundir /var/run/munin
+
+# Where to look for the HTML templates
+#
+#tmpldir /etc/munin/templates
+
+# Where to look for the static www files
+#
+#staticdir /etc/munin/static
+
+# temporary cgi files are here. note that it has to be writable by
+# the cgi user (usually nobody or httpd).
+#
+# cgitmpdir /var/lib/munin/cgi-tmp
+
+# (Exactly one) directory to include all files from.
+includedir /etc/munin/munin-conf.d
+
+# You can choose the time reference for "DERIVE" like graphs, and show
+# "per minute", "per hour" values instead of the default "per second"
+#
+#graph_period second
+
+# Graphics files are generated either via cron or by a CGI process.
+# See http://munin-monitoring.org/wiki/CgiHowto2 for more
+# documentation.
+# Since 2.0, munin-graph has been rewritten to use the cgi code.
+# It is single threaded *by design* now.
+#
+#graph_strategy cron
+
+# munin-cgi-graph is invoked by the web server up to very many times at the
+# same time. This is not optimal since it results in high CPU and memory
+# consumption to the degree that the system can thrash. Again the default is
+# 6. Most likely the optimal number for max_cgi_graph_jobs is the same as
+# max_graph_jobs.
+#
+#munin_cgi_graph_jobs 6
+
+# If the automatic CGI url is wrong for your system override it here:
+#
+#cgiurl_graph /munin-cgi/munin-cgi-graph
+
+# max_size_x and max_size_y are the max size of images in pixel.
+# Default is 4000. Do not make it too large otherwise RRD might use all
+# RAM to generate the images.
+# +#max_size_x 4000 +#max_size_y 4000 + +# HTML files are normally generated by munin-html, no matter if the +# files are used or not. You can change this to on-demand generation +# by following the instructions in http://munin-monitoring.org/wiki/CgiHowto2 +# +# Notes: +# - moving to CGI for HTML means you cannot have graph generated by cron. +# - cgi html has some bugs, mostly you still have to launch munin-html by hand +# +#html_strategy cron + +# munin-update runs in parallel. +# +# The default max number of processes is 16, and is probably ok for you. +# +# If set too high, it might hit some process/ram/filedesc limits. +# If set too low, munin-update might take more than 5 min. +# +# If you want munin-update to not be parallel set it to 0. +# +#max_processes 16 + +# RRD updates are per default, performed directly on the rrd files. +# To reduce IO and enable the use of the rrdcached, uncomment it and set it to +# the location of the socket that rrdcached uses. +# +#rrdcached_socket /var/run/rrdcached.sock + +# Drop somejuser@fnord.comm and anotheruser@blibb.comm an email everytime +# something changes (OK -> WARNING, CRITICAL -> OK, etc) +#contact.someuser.command mail -s "Munin notification" somejuser@fnord.comm +#contact.anotheruser.command mail -s "Munin notification" anotheruser@blibb.comm +# +# For those with Nagios, the following might come in handy. In addition, +# the services must be defined in the Nagios server as well. +#contact.nagios.command /usr/bin/send_nsca nagios.host.comm -c /etc/nsca.conf + +# a simple host tree + +{% for host in groups['all'] | difference(groups['disabled_munin']) %} +[{{ host }}] + address {{ hostvars[host]['ansible_default_ipv4']['address'] }} +{% endfor %} + +# +# A more complex example of a host tree +# +## First our "normal" host. +# [fii.foo.com] +# address foo +# +## Then our other host... +# [fay.foo.com] +# address fay +# +## IPv6 host. 
note that the ip adress has to be in brackets +# [ip6.foo.com] +# address [2001::1234:1] +# +## Then we want totals... +# [foo.com;Totals] #Force it into the "foo.com"-domain... +# update no # Turn off data-fetching for this "host". +# +# # The graph "load1". We want to see the loads of both machines... +# # "fii=fii.foo.com:load.load" means "label=machine:graph.field" +# load1.graph_title Loads side by side +# load1.graph_order fii=fii.foo.com:load.load fay=fay.foo.com:load.load +# +# # The graph "load2". Now we want them stacked on top of each other. +# load2.graph_title Loads on top of each other +# load2.dummy_field.stack fii=fii.foo.com:load.load fay=fay.foo.com:load.load +# load2.dummy_field.draw AREA # We want area instead the default LINE2. +# load2.dummy_field.label dummy # This is needed. Silly, really. +# +# # The graph "load3". Now we want them summarised into one field +# load3.graph_title Loads summarised +# load3.combined_loads.sum fii.foo.com:load.load fay.foo.com:load.load +# load3.combined_loads.label Combined loads # Must be set, as this is +# # not a dummy field! +# +## ...and on a side note, I want them listen in another order (default is +## alphabetically) +# +# # Since [foo.com] would be interpreted as a host in the domain "com", we +# # specify that this is a domain by adding a semicolon. +# [foo.com;] +# node_order Totals fii.foo.com fay.foo.com +# diff --git a/roles/nginx/templates/default.j2 b/roles/nginx/templates/default.j2 index 7e5de81..d1f936b 100644 --- a/roles/nginx/templates/default.j2 +++ b/roles/nginx/templates/default.j2 @@ -6,6 +6,7 @@ server { stub_status on; access_log off; allow 127.0.0.1; + allow ::1; deny all; } } diff --git a/roles/nginx/templates/vhosts/munin.mateu.be.conf.j2 b/roles/nginx/templates/vhosts/munin.mateu.be.conf.j2 new file mode 100644 index 0000000..000053d --- /dev/null +++ b/roles/nginx/templates/vhosts/munin.mateu.be.conf.j2 
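Review bot: The host-tree loop has two fragile lookups: `groups['disabled_munin']` raises an undefined-variable error as soon as the inventory group is removed (it exists today only as an empty group whose single member is commented out), and `hostvars[host]['ansible_default_ipv4']` fails for any host in `all` whose facts were not gathered in this run (unreachable, or left out by `--limit`). The first is a one-line fix: `{% for host in groups['all'] | difference(groups['disabled_munin'] | default([])) %}`. The second I would leave failing loudly rather than guard with `is defined`, because silently dropping a host from the server's tree is a monitoring gap nobody notices; say so in a `{# ... #}` comment above the loop. The header `# Example configuration file for Munin, generated by 'make build'` is stale for a managed template; `# {{ ansible_managed }}` fits better.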
@@ -0,0 +1,7 @@ +server { +{% include './header.conf.j2' %} + + location / { + root /var/cache/munin/www; + } +} diff --git a/site.yml b/site.yml index dc8e10e..db45f05 100644 --- a/site.yml +++ b/site.yml @@ -16,3 +16,4 @@ - import_playbook: bittorrent.yml - import_playbook: mumble.yml - import_playbook: icecast2.yml +- import_playbook: munin.yml
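Review bot: `location /` serves `/var/cache/munin/www` with no access control in this file, so the graphs and the per-host index for every inventory host are readable by anyone who can reach `munin.mateu.be`, unless `./header.conf.j2` (not in this diff) adds some. Hostnames, interfaces, process and connection counts of the whole estate are exactly what an attacker maps first, so gate the location, e.g. `auth_basic "Munin"; auth_basic_user_file <path-to-htpasswd>;` inside it, or an `allow`/`deny all;` list like the one the default.j2 hunk uses for `stub_status`. The site.yml hunk is a trivial import and needs nothing.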