diff --git a/base.yml b/base.yml
index df62e113342e5b3367e31fce251117909952671b..d9d47d1c81179f9543c84a87c5b898d4d111127c 100644
--- a/base.yml
+++ b/base.yml
@@ -4,6 +4,9 @@
   vars:
     # Debian mirror on adm
     debian_mirror: http://mirror.adm.crans.org/debian
+    debian_components: |
+      main{% if ansible_system_vendor != 'QEMU' %} non-free{% endif %}
+    # TODO: non free should only be for SMTP and microcode on non VM/LXC
 
     # Backup password
     backuppc_rsyncd_passwd: "{{ vault_backuppc_rsyncd_passwd }}"
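Review bot: The `|` block scalar on `debian_components` keeps a trailing newline, so each `deb` line ending in `{{ debian_components }}` in sources.list.j2 will likely be followed by a stray blank line; a quoted one-liner avoids it: `debian_components: "main{% if ansible_system_vendor != 'QEMU' %} non-free{% endif %}"`. The condition relies on the gathered fact `ansible_system_vendor`, so a play that runs without fact gathering would presumably fail on an undefined variable. Any guest whose vendor string is not exactly `QEMU` (the TODO already mentions LXC) also gets non-free enabled. Since this setting widens which packages a host can install, consider defaulting to `main` and enabling non-free through an explicit per-group variable rather than inferring it from the vendor string.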
diff --git a/roles/debian-apt-sources/templates/apt/sources.list.j2 b/roles/debian-apt-sources/templates/apt/sources.list.j2
index e3eb66e4d3635abd938444852cecc6b385f2a09e..361a5d1d7cb0beddfe1c84539db66cdae409dab1 100644
--- a/roles/debian-apt-sources/templates/apt/sources.list.j2
+++ b/roles/debian-apt-sources/templates/apt/sources.list.j2
@@ -1,10 +1,10 @@
 # {{ ansible_managed }}
 
 # Mises à jour de sécurité
-deb     {{ debian_mirror }}-security {{ ansible_lsb.codename }}/updates main contrib non-free
+deb     {{ debian_mirror }}-security {{ ansible_lsb.codename }}/updates {{ debian_components }}
 
 # Dépôt classique
-deb     {{ debian_mirror }} {{ ansible_lsb.codename }} main contrib non-free
+deb     {{ debian_mirror }} {{ ansible_lsb.codename }} {{ debian_components }}
 
 # Dépôt pour mises à jour fréquentes (volatile)
-deb     {{ debian_mirror }} {{ ansible_lsb.codename }}-updates main contrib non-free
+deb     {{ debian_mirror }} {{ ansible_lsb.codename }}-updates {{ debian_components }}
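Review bot: All three `deb` lines lose `contrib`, because `debian_components` as defined in base.yml expands only to `main` or `main non-free`, and nothing in the diff says this is intended. Hosts that already have contrib packages installed (or non-free packages on QEMU guests) would stop receiving updates for them, including those from the `-security` line, without apt reporting any error. If dropping contrib is deliberate, record it with a comment above the first `deb` line, for example `# Components come from debian_components in base.yml; contrib intentionally dropped`. Otherwise add `contrib` to the variable. Listing installed packages by component on the affected hosts before rollout would show whether anything is left without an update source.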