diff --git a/group_vars/adm.yml b/group_vars/adm.yml
index a06d51b..b12c642 100644
--- a/group_vars/adm.yml
+++ b/group_vars/adm.yml
@@ -2,11 +2,43 @@ datadisks:
   - {size: 10, type: nvme}
+chrony_allow:
+  - 172.20.25.0/24
+
+unbound_zones:
+  - 25.20.172.in-addr.arpa
+  - oob.foo.sh
+dhcpd_template: dhcpd.conf.oob.j2
+dhcpd_ldap_filter: >-
+  (&(objectClass=ieee802Device)(objectClass=ipHost)(cn=*.oob.foo.sh))
+unbound_config: unbound.conf.oob.j2
+
+network_vip_interfaces:
+  - device: eth0
+    vhid: 11
+    ipaddr: 172.20.20.21
+    netmask: 255.255.240.0
+    pass: "{{ vip21_pass }}"
+  - device: eth1
+    vhid: 25
+    ipaddr: 172.20.25.1
+    netmask: 255.255.255.0
+    pass: "{{ vip25_pass }}"
+    priority: "{{ vip25_priority }}"
+
 firewall_in:
   - {proto: tcp, port: 22, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 25, from: [172.20.25.0/24]}
+  - {proto: tcp, port: 53, from: [172.20.25.0/24]}
+  - {proto: udp, port: 53, from: [172.20.25.0/24]}
   - {proto: tcp, port: 80, from: [172.20.20.0/22]}
-  - {proto: tcp, port: 443, from: [172.20.20.0/22]}
+  - {proto: udp, port: 123, from: [172.20.25.0/24]}
+  - {proto: tcp, port: 443, from: [172.20.20.0/22, 172.20.25.0/24]}
+  - {proto: udp, port: 514, from: [172.20.25.0/24]}
   - {proto: tcp, port: 9100, from: [172.20.20.0/22]}
+  - {proto: tcp, port: 9116, from: [172.20.20.0/22]}
+firewall_raw:
+  - "ip daddr 224.0.0.0/8 accept"
 sssd_allow_groups:
   - sysadm
diff --git a/host_vars/adm01.home.foo.sh.yml b/host_vars/adm01.home.foo.sh.yml
index f4095d3..fbab7fc 100644
--- a/host_vars/adm01.home.foo.sh.yml
+++ b/host_vars/adm01.home.foo.sh.yml
@@ -4,3 +4,16 @@ network_interfaces:
   - device: eth0
     vlan: 20
     mac: "52:54:00:ac:dc:0b"
+  - device: eth1
+    vlan: 25
+    ipaddr: 172.20.25.2
+    netmask: 255.255.255.0
+    proto: static
+    nameservers: [172.20.25.1, 172.20.25.2, 172.20.25.3]
+  - device: eth2
+    vlan: 103
+    ipaddr: 192.168.100.2
+    netmask: 255.255.255.248
+    proto: static
+
+vip25_priority: 128
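Review bot: The new `firewall_raw` entry `ip daddr 224.0.0.0/8 accept` admits every multicast destination regardless of protocol or interface, which is broader than the VIP failover this hunk configures appears to need — the `vhid`/`pass` entries look like CARP/VRRP, and both only use 224.0.0.18 with IP protocol 112. Unless the firewall role already scopes raw rules, narrowing it to `- "ip daddr 224.0.0.18 ip protocol vrrp accept"` keeps unrelated multicast (mDNS, SSDP, IGMP) out of the input path, and a comment above it such as `# VRRP/CARP advertisements for the vhid 11/25 VIPs` would record why the rule exists at all. Separately, the eth0 VIP carries no `priority` while eth1 does; confirm the role's default priority is what you want on vhid 11.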
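Review bot: The new eth2 interface (vlan 103, 192.168.100.2/29) is the one addition in this hunk whose purpose cannot be recovered from the rest of the patch — vlan 25 is tied to the OOB DNS, DHCP, NTP and relay services in group_vars, but nothing else references 192.168.100.0/29. A comment above the entry, `# vlan 103: <purpose — TODO>`, would help the next reader; the matching eth2 entry for adm02 in the next file section has the same gap.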
diff --git a/host_vars/adm02.home.foo.sh.yml b/host_vars/adm02.home.foo.sh.yml
index a55bf18..e8ea2f8 100644
--- a/host_vars/adm02.home.foo.sh.yml
+++ b/host_vars/adm02.home.foo.sh.yml
@@ -4,3 +4,16 @@ network_interfaces:
   - device: eth0
     vlan: 20
     mac: "52:54:00:ac:dc:0c"
+  - device: eth1
+    vlan: 25
+    ipaddr: 172.20.25.3
+    netmask: 255.255.255.0
+    proto: static
+    nameservers: [172.20.25.1, 172.20.25.2, 172.20.25.3]
+  - device: eth2
+    vlan: 103
+    ipaddr: 192.168.100.3
+    netmask: 255.255.255.248
+    proto: static
+
+vip25_priority: 1
diff --git a/hosts.yml b/hosts.yml
index eb9c2d8..37823e4 100644
--- a/hosts.yml
+++ b/hosts.yml
@@ -3,6 +3,8 @@ adm:
   hosts:
     adm01.home.foo.sh:
     adm02.home.foo.sh:
+  vars:
+    snmp_exporter_version: "0.29.0"
 audiobooks:
   hosts:
     audiobooks02.home.foo.sh:
diff --git a/playbooks/adm.yml b/playbooks/adm.yml
index 8028d9d..fbe2b96 100644
--- a/playbooks/adm.yml
+++ b/playbooks/adm.yml
@@ -28,6 +28,10 @@
       - ansible_host
       - certbot
       - cups
+      - nginx
+      - role: nginx_site
+        nginx_site_name: oob.foo.sh
+        nginx_site_plaintest: false
       - sshca
       - ssh_known_hosts
       - role: keytab
@@ -38,10 +42,36 @@
         autofs_home: false
       - sssd
       - mkhomedir
+      - aten_pdu
+      - routeros
       - rpm_build
+      - snmp_exporter
       - web_build
   tasks:
+    - name: Run handlers to get interfaces configured
+      ansible.builtin.meta: flush_handlers
+
+    - name: Enable UDP rsyslog server
+      ansible.builtin.import_role:
+        name: rsyslog
+        tasks_from: udp-listen
+
+    - name: Enable postfix mail relay
+      ansible.builtin.import_role:
+        name: postfix
+        tasks_from: relay
+      vars:
+        relay_domains: [foo.sh]
+
+    - name: Import unbound role
+      ansible.builtin.import_role:
+        name: unbound
+
+    - name: Import dhcpd role
+      ansible.builtin.import_role:
+        name: dhcpd
+
     - name: Install packages
       ansible.builtin.package:
         name: "{{ item }}"
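Review bot: `nginx_site_plaintest: false` on the new `nginx_site` role entry reads like a misspelling of `nginx_site_plaintext`; a role variable with a typo in its name is silently ignored by Ansible, so if this key is meant to disable plain-HTTP serving for oob.foo.sh the site would quietly keep the role's default instead. The nginx_site role is not part of this patch, so check its defaults for the exact name and correct the key to `nginx_site_plaintext: false` if that is what it expects. The enclosing play and its `roles:` list start outside this hunk.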
@@ -150,3 +180,14 @@
         mode: "0755"
         owner: root
         group: "{{ ansible_wheel }}"
+
+    - name: Create sw-backup script
+      ansible.builtin.copy:
+        dest: /usr/local/bin/sw-backup
+        content: |
+          #!/bin/sh
+          set -eu
+          ssh "admin@${1}" /export > "/srv/backup/${1}.rsc"
+        mode: "0755"
+        owner: root
+        group: "{{ ansible_wheel }}"
diff --git a/roles/unbound/templates/unbound.conf.oob.j2 b/roles/unbound/templates/unbound.conf.oob.j2
new file mode 100644
index 0000000..f8a2e61
--- /dev/null
+++ b/roles/unbound/templates/unbound.conf.oob.j2
@@ -0,0 +1,38 @@
+
+server:
+    interface: eth1
+
+    access-control: 127.0.0.0/8 allow
+    access-control: ::1 allow
+    access-control: 172.20.25.1/32 allow
+    access-control: 172.20.25.2/32 allow
+    access-control: 172.20.25.3/32 allow
+    access-control: 172.20.25.0/24 refuse_non_local
+
+    extended-statistics: yes
+
+    hide-identity: yes
+    hide-version: yes
+
+    tls-upstream: yes
+    tls-cert-bundle: {{ tls_bundle }}
+
+    chroot: ""
+
+    unblock-lan-zones: yes
+
+remote-control:
+    control-enable: yes
+    control-interface: /var/run/unbound.sock
+
+forward-zone:
+    name: "."
+    forward-addr: 172.20.20.10@853#dns.home.foo.sh
+    forward-addr: 172.20.20.11@853#dns.home.foo.sh
+    forward-addr: 172.20.20.12@853#dns.home.foo.sh
+
+{% for zone in unbound_zones %}
+auth-zone:
+    name: "{{ zone }}"
+    zonefile: "{{ unbound_zonedir }}/{{ zone }}"
+{% endfor %}
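Review bot: The sw-backup script truncates `/srv/backup/${1}.rsc` through the `>` redirect before `ssh` has produced anything, so a failed or interrupted `/export` replaces the last good backup with an empty or partial file, and `$1` is used unvalidated both as the SSH target and as a path component, so an argument containing `/` or `..` writes outside /srv/backup. Writing to a temporary file and renaming only on success, plus rejecting anything that is not a plain hostname, addresses both; the enclosing `tasks:` list continues outside this hunk. The router side is out of scope for this patch, but `/export` only needs read access, so a dedicated read-only account instead of `admin` would follow least privilege if the devices allow it.
```yaml
        content: |
          #!/bin/sh
          set -eu
          case "${1:-}" in
            ""|*/*|.*|*..*) echo "usage: sw-backup <hostname>" >&2; exit 64 ;;
          esac
          tmp="/srv/backup/${1}.rsc.tmp"
          ssh "admin@${1}" /export > "$tmp"
          mv "$tmp" "/srv/backup/${1}.rsc"
        # … unchanged: dest, mode, owner, group …
```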
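Review bot: `chroot: ""` turns off Unbound's chroot for this OOB resolver with no comment saying why; the unix control socket and the `{{ unbound_zonedir }}` zonefile paths are the likely reason, and a line such as `# chroot disabled: control socket and auth-zone files live outside the chroot` would stop the next maintainer from either re-enabling it blindly or leaving it off by habit. Two settings are worth confirming against the manual for the deployed Unbound version: `access-control: 172.20.25.0/24 refuse_non_local` refuses recursion for the OOB network, so the devices whose nameservers point here are answered only from the `auth-zone` entries and local data — if that is the intent a comment should say so, and if they also need recursion this must be `allow`; and `interface: eth1` names an interface rather than an address, which older releases reject. `tls-cert-bundle: {{ tls_bundle }}` is unquoted, so an empty variable renders an empty option; `tls-cert-bundle: "{{ tls_bundle }}"` at least makes that fail as a bad path rather than parse oddly.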