diff --git a/deploy.py b/deploy.py
new file mode 100644
index 0000000..dc7572c
--- /dev/null
+++ b/deploy.py
@@ -0,0 +1,137 @@
+from pyinfra import host
+from pyinfra.operations import apt, server, files, systemd
+
+SUDO = True
+
+server.user(
+ name='Add user benpro',
+ user='benpro',
+ groups=['sudo'],
+ public_keys='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFs7yO0auvwFL8HTLMUq6lET6DMYLhqhd32rqFfZUsjL openpgp:0xA32E99AD',
+ shell='/bin/bash',
+ present=True,
+)
+
+server.hostname(
+ name='Set the hostname',
+ hostname='dns.benpro.fr',
+)
+
+apt.update(
+ name='Update apt repositories',
+)
+
+apt.upgrade(
+ name='Upgrade apt packages',
+)
+
+apt.packages(
+ name='Install ufw',
+ packages=['ufw'],
+ update=False,
+)
+
+server.shell(
+ name='Add ufw rules',
+ commands=['ufw limit 22', 'ufw allow 80', 'ufw allow 443', 'ufw allow 853'],
+)
+
+server.shell(
+ name='Enable ufw',
+ commands=['yes | ufw enable'],
+)
+
+apt.packages(
+ name='Install certbot',
+ packages=['certbot'],
+ update=False,
+)
+
+if not host.fact.directory('/etc/letsencrypt/live/dns.benpro.fr'):
+ server.shell(
+ name='Add certificate',
+ commands=['certbot certonly --non-interactive --email certbot@benpro.fr --agree-tos --standalone -d dns.benpro.fr'],
+ )
+
+server.group(
+ name='Add group adguard',
+ group=host.data.app_user,
+ system=True,
+ present=True,
+)
+
+server.user(
+ name='Add user adguard',
+ user=host.data.app_user,
+ group=host.data.app_user,
+ home=host.data.app_dir,
+ ensure_home=True,
+ system=True,
+ present=True,
+)
+
+for items in ['fullchain.pem', 'privkey.pem']:
+ server.shell(
+ name='Make certificate available for Adguard ({})'.format(items),
+ chdir=host.data.app_dir,
+ commands=['cp -L /etc/letsencrypt/live/dns.benpro.fr/{} .'.format(items), 'chown adguard: {}'.format(items)]
+ )
+
+files.download(
+ name='Download AdGuard',
+ src='https://static.adguard.com/adguardhome/release/AdGuardHome_linux_amd64.tar.gz',
+ dest='/home/adguard/AdGuardHome_linux_amd64.tar.gz',
+ user=host.data.app_user,
+ group=host.data.app_user,
+ mode='750',
+ cache_time=604800,
+)
+
+server.shell(
+ name='Extract Adguard release file',
+ chdir=host.data.app_dir,
+ commands=['tar zxf AdGuardHome_linux_amd64.tar.gz','chown -R adguard: AdGuardHome'],
+)
+
+server.shell(
+ name='Setcap on Adguard binary',
+ chdir=host.data.app_dir,
+ commands=['setcap \'CAP_NET_BIND_SERVICE=+eip CAP_NET_RAW=+eip\' AdGuardHome/AdGuardHome'],
+)
+
+if host.fact.systemd_enabled['AdGuardHome.service'] == False:
+ server.shell(
+ name='Install Adguard systemd service file',
+ chdir=host.data.app_dir,
+ commands=['AdGuardHome/AdGuardHome -s install'],
+ )
+
+files.put(
+ name='Update systemd service file',
+ src='files/AdGuardHome.service',
+ dest='/etc/systemd/system/AdGuardHome.service',
+ mode='644',
+)
+
+files.template(
+ name='Push AdGuardHome config',
+ src='templates/AdGuardHome.yaml.j2',
+ dest='/home/adguard/AdGuardHome/AdGuardHome.yaml',
+ mode='640',
+ user='adguard',
+ group='adguard',
+)
+
+systemd.daemon_reload(
+ name='Reload systemd',
+ user_mode=False,
+)
+
+systemd.service(
+ name='Restart and enable adguard service',
+ service='AdGuardHome.service',
+ running=True,
+ restarted=True,
+ enabled=True,
+)
+
diff --git a/files/AdGuardHome.service b/files/AdGuardHome.service
new file mode 100644
index 0000000..3d817ee
--- /dev/null
+++ b/files/AdGuardHome.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=AdGuard Home: Network-level blocker
+ConditionFileIsExecutable=/home/adguard/AdGuardHome/AdGuardHome
+After=syslog.target network-online.target
+
+[Service]
+User=adguard
+Group=adguard
+StartLimitInterval=5
+StartLimitBurst=10
+ExecStart=/home/adguard/AdGuardHome/AdGuardHome "-s" "run"
+
+WorkingDirectory=/home/adguard/AdGuardHome
+
+
+
+StandardOutput=file:/var/log/AdGuardHome.out
+StandardError=file:/var/log/AdGuardHome.err
+Restart=always
+RestartSec=10
+EnvironmentFile=-/etc/sysconfig/AdGuardHome
+
+[Install]
+WantedBy=multi-user.target
diff --git a/group_data/all.py b/group_data/all.py
new file mode 100644
index 0000000..aa3e6c5
--- /dev/null
+++ b/group_data/all.py
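Review bot: The AdGuardHome tarball fetched by `files.download` is extracted, given `CAP_NET_BIND_SERVICE`/`CAP_NET_RAW` via setcap and installed as a system service without any integrity check, and the `release/` URL is unpinned, so whatever static.adguard.com serves that week (`cache_time=604800`) is what runs with those capabilities. Pin a versioned release URL and pass the published digest, e.g. `sha256sum='<digest from the release page>'`, which recent pyinfra `files.download` accepts, or fail the deploy on a `sha256sum -c` mismatch before the `tar zxf` step. Separately, the `cp -L` of fullchain.pem/privkey.pem is a one-off snapshot: certbot renewals will not refresh the copies in /home/adguard, and a `--standalone` renewal needs port 80, which the pushed config gives to AdGuard's web UI, so a certbot `--deploy-hook` that re-copies the files (`chmod 600 privkey.pem`) and restarts the unit is worth adding. Since dhcp is disabled in the template, `CAP_NET_RAW` looks unnecessary and could be dropped from the setcap line.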
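Review bot: The [Service] section runs the daemon as `adguard` but applies no systemd confinement, and it relies on the file capabilities set by setcap in deploy.py, which rules out `NoNewPrivileges=` because the kernel ignores file capabilities once no_new_privs is set. Granting the one capability the daemon needs through `AmbientCapabilities=` instead lets the unit enable `NoNewPrivileges=` and a read-only filesystem view with only the AdGuardHome directory writable (it writes its config, `data/` and self-updates there; the certificate copies in /home/adguard are only read, and the `file:` log outputs are opened by systemd, so they are unaffected). Test the sandbox against the web UI and DoT/DoQ listeners before relying on it, since the exact address families and paths AdGuard touches are not visible here. `After=syslog.target` is obsolete and `StartLimit*` belong in [Unit] on current systemd; both are cosmetic.
```ini
[Service]
User=adguard
Group=adguard
# … unchanged: StartLimit*, ExecStart, WorkingDirectory, StandardOutput/StandardError, Restart*, EnvironmentFile …
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
ProtectSystem=strict
ReadWritePaths=/home/adguard/AdGuardHome
PrivateTmp=true
PrivateDevices=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectControlGroups=true
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 AF_NETLINK
```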
@@ -0,0 +1,12 @@
+from getpass import getpass
+
+import privy
+
+def get_secret(adguard_password):
+ password = getpass('Please provide the secret password: ')
+ return privy.peek(adguard_password, password)
+
+b_app_password = get_secret(b'1$2$LlFa8G5qg1DQqboBzagJywm5bayJ5CRDbVOeXrTPPKU=$Z0FBQUFBQmdDQlotZmYtd183cEE1MHpsbl9IaWlLNUlOdXBkMzhsdzQ0SUNhNXhiMDEwbUJfeUJIT2ctM1JFWm5oMW9IN1pocVFDSDIxN0dSSVRaSzdJdzJNQURPM3hyYVlWOUwxR09aOU9ubU1GbjNvNS1NdFNkWFhsS2tjcTNES0ZRYURjUkhWRGVpQkVuMmo0NTdrck9VTWRfaVVHUmZ3PT0=')
+app_password = b_app_password.decode('utf-8')
+app_user = 'adguard'
+app_dir = '/home/adguard'
diff --git a/inventory.py b/inventory.py
new file mode 100644
index 0000000..28d51a6
--- /dev/null
+++ b/inventory.py
@@ -0,0 +1 @@
+my_hosts = ['dns.benpro.fr']
diff --git a/templates/AdGuardHome.yaml.j2 b/templates/AdGuardHome.yaml.j2
new file mode 100644
index 0000000..bfa738d
--- /dev/null
+++ b/templates/AdGuardHome.yaml.j2
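Review bot: `get_secret` ships the privy ciphertext in the repository, so the passphrase typed at the `getpass` prompt is the only thing between anyone holding a clone and an offline guess at the AdGuard admin credential; the `1$2$` prefix looks like privy's default security level, so when this value is next re-hidden use a long random passphrase and a higher `security_level`. The function is also undocumented and its parameter is misnamed, since it receives the ciphertext rather than a password, and a wrong passphrase surfaces as an uncaught exception from `privy.peek` while pyinfra is importing group data. Suggest `def get_secret(ciphertext):` with a docstring such as `"""Prompt for the vault passphrase and return the decrypted secret bytes."""`, and catching the privy decryption error to exit with a clear message instead of a traceback.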
@@ -0,0 +1,154 @@
+bind_host: 0.0.0.0
+bind_port: 80
+users:
+- name: benpro
+ password: {{ host.data.app_password }}
+http_proxy: ""
+language: ""
+rlimit_nofile: 0
+debug_pprof: false
+web_session_ttl: 720
+dns:
+ bind_host: 0.0.0.0
+ port: 1053
+ statistics_interval: 90
+ querylog_enabled: true
+ querylog_file_enabled: true
+ querylog_interval: 90
+ querylog_size_memory: 1000
+ anonymize_client_ip: true
+ protection_enabled: true
+ blocking_mode: nxdomain
+ blocking_ipv4: ""
+ blocking_ipv6: ""
+ blocked_response_ttl: 10
+ parental_block_host: family-block.dns.adguard.com
+ safebrowsing_block_host: standard-block.dns.adguard.com
+ ratelimit: 20
+ ratelimit_whitelist: []
+ refuse_any: true
+ upstream_dns:
+ - https://dns10.quad9.net/dns-query
+ - https://dns.cloudflare.com/dns-query
+ - https://dns.google/dns-query
+ - quic://dns-unfiltered.adguard.com:784
+ upstream_dns_file: ""
+ bootstrap_dns:
+ - 9.9.9.10
+ - 149.112.112.10
+ - 2620:fe::10
+ - 2620:fe::fe:10
+ all_servers: true
+ fastest_addr: false
+ allowed_clients: []
+ disallowed_clients: []
+ blocked_hosts:
+ - version.bind
+ - id.server
+ - hostname.bind
+ cache_size: 4194304
+ cache_ttl_min: 0
+ cache_ttl_max: 0
+ bogus_nxdomain: []
+ aaaa_disabled: false
+ enable_dnssec: true
+ edns_client_subnet: true
+ max_goroutines: 50
+ ipset: []
+ filtering_enabled: true
+ filters_update_interval: 24
+ parental_enabled: false
+ safesearch_enabled: false
+ safebrowsing_enabled: false
+ safebrowsing_cache_size: 1048576
+ safesearch_cache_size: 1048576
+ parental_cache_size: 1048576
+ cache_time: 30
+ rewrites: []
+ blocked_services:
+ - facebook
+ - twitter
+ - snapchat
+ - origin
+ - epic_games
+ - vk
+ - mail_ru
+ - discord
+ - ok
+ - tiktok
+tls:
+ enabled: true
+ server_name: dns.benpro.fr
+ force_https: true
+ port_https: 443
+ port_dns_over_tls: 853
+ port_dns_over_quic: 784
+ allow_unencrypted_doh: false
+ strict_sni_check: false
+ certificate_chain: ""
+ private_key: ""
+ certificate_path: /home/adguard/fullchain.pem
+ private_key_path: /home/adguard/privkey.pem
+filters:
+- enabled: true
+ url: https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
+ name: AdGuard DNS filter
+ id: 1
+- enabled: true
+ url: https://www.malwaredomainlist.com/hostslist/hosts.txt
+ name: MalwareDomainList.com Hosts List
+ id: 4
+- enabled: true
+ url: https://280blocker.net/files/280blocker_domain.txt
+ name: 'JPN: 280blocker adblock domain lists'
+ id: 1598087712
+- enabled: true
+ url: https://raw.githubusercontent.com/AdAway/adaway.github.io/master/hosts.txt
+ name: AdAway default blocklist
+ id: 1598087713
+- enabled: true
+ url: https://raw.githubusercontent.com/notracking/hosts-blocklists/master/adblock/adblock.txt
+ name: notracking
+ id: 1598087714
+- enabled: true
+ url: https://logroid.github.io/adaway-hosts/hosts.txt
+ name: AdAway Blocking Hosts File for Japan
+ id: 1598087715
+- enabled: true
+ url: https://sebsauvage.net/hosts/hosts-adguard
+ name: Sebsauvage
+ id: 1598087716
+whitelist_filters: []
+user_rules:
+- '@@||links.eml.atlassian.com^$important'
+- '@@||t.paypal.com^$important'
+- '@@||email.strava.com^$important'
+- '||disqus.com^$important'
+- '@@||api2.branch.io^$important'
+- '@@||www.navitime.co.jp^$important'
+- ""
+dhcp:
+ enabled: false
+ interface_name: ""
+ dhcpv4:
+ gateway_ip: ""
+ subnet_mask: ""
+ range_start: ""
+ range_end: ""
+ lease_duration: 86400
+ icmp_timeout_msec: 1000
+ options: []
+ dhcpv6:
+ range_start: ""
+ lease_duration: 86400
+ ra_slaac_only: false
+ ra_allow_slaac: false
+clients: []
+log_compress: false
+log_localtime: false
+log_max_backups: 0
+log_max_size: 100
+log_max_age: 3
+log_file: ""
+verbose: false
+schema_version: 7
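Review bot: `edns_client_subnet: true` makes AdGuard attach the querying client's subnet to upstream queries, which hands part of every client's address to Quad9, Cloudflare, Google and AdGuard (and `all_servers: true` sends each query to all four), undercutting `anonymize_client_ip: true` on a resolver that is reachable from the internet on 443/853 with `allowed_clients: []`. Unless geo-targeted answers matter more than that, set `edns_client_subnet: false`, and decide explicitly whether an open resolver is intended or whether `allowed_clients` should list your own networks. `password: {{ host.data.app_password }}` has to be a bcrypt hash for AdGuard Home to accept the login, and quoting it, `password: "{{ host.data.app_password }}"`, keeps the rendered value from being misparsed by YAML if it ever contains `#` or `: `. `web_session_ttl: 720` is in hours, so admin sessions on the public UI live 30 days; something like `web_session_ttl: 24` is a cheaper default.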