diff --git a/group_vars/dropbear.yml b/group_vars/dropbear.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d6a882c8820df2b586cfcdd90d637f21284b6274
--- /dev/null
+++ b/group_vars/dropbear.yml
@@ -0,0 +1,6 @@
+---
+glob_dropbear:
+  initramfs_ip: "::::{{ ansible_hostname }}:ens2f0:dhcp"
+  options: "-I 180 -j -k -p 80 -s"
+  authorized_keys:
+    - "{{ vault.surface.pubkey }}"
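Review bot: The `options` string on the `options:` line is opaque to anyone who does not know the dropbear(8) flags by heart, and it carries the security-relevant settings of the pre-boot SSH service. A comment above it would make the intent reviewable, for example `# -I 180: idle timeout (s); -j/-k: no local/remote port forwarding; -p 80: listen port; -s: no password logins`. It is also worth stating in a comment why port 80 was chosen, since an SSH listener on a port normally associated with HTTP is easy to overlook in firewall rules and scans. The interface name `ens2f0` in `initramfs_ip` is shared by every host in the group, which presumably holds for the two hosts added here but should be confirmed per host.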
diff --git a/hosts b/hosts
index a934adcba65e653bae0b251340311eee4b5f8965..63e23322c975e75c0b0ade2a20fbae3659856377 100644
--- a/hosts
+++ b/hosts
@@ -56,6 +56,10 @@ constellation-dev.adm.crans.org
 [dhcp:children]
 routeurs_vm
 
+[dropbear]
+ft.adm.crans.org
+thot.adm.crans.org
+
 [docker:children]
 gitlab_runner
 
diff --git a/plays/dropbear.yml b/plays/dropbear.yml
new file mode 100755
index 0000000000000000000000000000000000000000..e2cf9c210a243dc312f61d6dca499048f6a63414
--- /dev/null
+++ b/plays/dropbear.yml
@@ -0,0 +1,7 @@
+#!/usr/bin/env ansible-playbook
+---
+- hosts: dropbear
+  vars:
+    dropbear: "{{ glob_dropbear | default({}) | combine(loc_dropbear | default({})) }}"
+  roles:
+    - dropbear
diff --git a/roles/dropbear/handlers/main.yml b/roles/dropbear/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..1ef3879ab24d47445f5988922eb079900ebd1e4c
--- /dev/null
+++ b/roles/dropbear/handlers/main.yml
@@ -0,0 +1,3 @@
+---
+- name: Update initramfs
+  command: update-initramfs -u
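Review bot: `update-initramfs -u` rebuilds only the image for the newest installed kernel, so a key removed from `authorized_keys` (or a tightened `options` value) stays embedded in the initramfs of any older kernel still present on the host. If these machines keep more than one kernel installed, consider `command: update-initramfs -u -k all` so that a key rotation takes effect for every bootable image. A short comment on the handler noting that it is what propagates key and option changes would also help.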
diff --git a/roles/dropbear/tasks/main.yml b/roles/dropbear/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..80a2a69c8876ecfd8a7026c5b887fb97f5ab22c6
--- /dev/null
+++ b/roles/dropbear/tasks/main.yml
@@ -0,0 +1,36 @@
+---
+- name: Install dropbear
+  apt:
+    update_cache: true
+    install_recommends: false
+    name: dropbear-initramfs
+  register: apt_result
+  retries: 3
+  until: apt_result is succeeded
+
+- name: Configure initramfs network
+  template:
+    src: initramfs-tools/conf.d/10-network.j2
+    dest: /etc/initramfs-tools/conf.d/10-network
+    owner: root
+    group: root
+    mode: 0644
+  notify: Update initramfs
+
+- name: Deploy configuration
+  template:
+    src: dropbear-initramfs/config.j2
+    dest: /etc/dropbear-initramfs/config
+    owner: root
+    group: root
+    mode: 0644
+  notify: Update initramfs
+
+- name: Deploy authorized keys
+  template:
+    src: dropbear-initramfs/authorized_keys.j2
+    dest: /etc/dropbear-initramfs/authorized_keys
+    owner: root
+    group: root
+    mode: 0644
+  notify: Update initramfs
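Review bot: The three `template` tasks write `mode: 0644` as a bare YAML integer, which is only correct as long as the parser applies YAML 1.1 octal rules; a YAML 1.2 reader would see decimal 644. Quoting it in each task, `mode: "0644"`, removes the ambiguity and matches the form the Ansible documentation recommends. Nothing else in these tasks needs to change for that.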
diff --git a/roles/dropbear/templates/dropbear-initramfs/authorized_keys.j2 b/roles/dropbear/templates/dropbear-initramfs/authorized_keys.j2
new file mode 100644
index 0000000000000000000000000000000000000000..6e617e9214cf71f4f9392f9c13ff8e52112a78cc
--- /dev/null
+++ b/roles/dropbear/templates/dropbear-initramfs/authorized_keys.j2
@@ -0,0 +1,3 @@
+{% for key in dropbear.authorized_keys %}
+{{ key }}
+{% endfor %}
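Review bot: Each key is written bare on the `{{ key }}` line, so anyone holding the matching private key gets an unrestricted session in the initramfs environment. If the only intended use is remotely unlocking an encrypted root (not stated on this page, so to be confirmed), the entry can be limited with authorized_keys options, e.g. `command="/bin/cryptroot-unlock" {{ key }}`, which narrows what a stolen key allows. The other two templates start with `{{ ansible_header | comment }}`; adding it here too would mark this file as managed.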
diff --git a/roles/dropbear/templates/dropbear-initramfs/config.j2 b/roles/dropbear/templates/dropbear-initramfs/config.j2
new file mode 100644
index 0000000000000000000000000000000000000000..470f0035a5483220852b026e94d2caed56c959ec
--- /dev/null
+++ b/roles/dropbear/templates/dropbear-initramfs/config.j2
@@ -0,0 +1,34 @@
+{{ ansible_header | comment }}
+
+#
+# Configuration options for the dropbear-initramfs boot scripts.
+# You must run update-initramfs(8) to effect changes to this file (like
+# for other files under the '/etc/dropbear-initramfs' directory).
+
+#
+# Command line options to pass to dropbear(8)
+#
+DROPBEAR_OPTIONS="{{ dropbear.options }}"
+
+#
+# On local (non-NFS) mounts, interfaces matching this pattern are
+# brought down before exiting the ramdisk to avoid dirty network
+# configuration in the normal kernel.
+# The special value 'none' keeps all interfaces up and preserves routing
+# tables and addresses.
+#
+#IFDOWN=*
+
+#
+# On local (non-NFS) mounts, the network stack and dropbear are started
+# asynchronously at init-premount stage.  This value specifies the
+# maximum number of seconds to wait (while the network/dropbear are
+# being configured) at init-bottom stage before terminating dropbear and
+# bringing the network down.
+# If the timeout is too short, and if the boot process is not blocking
+# on user input supplied via SSHd (ie no remote unlocking), then the
+# initrd might pivot to init(1) too early, thereby causing a race
+# condition between network configuration from initramfs vs from the
+# normal system.
+#
+#DROPBEAR_SHUTDOWN_TIMEOUT=60
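Review bot: `DROPBEAR_OPTIONS="{{ dropbear.options }}"` interpolates the variable unescaped into what appears to be a shell-sourced configuration file, so a value containing `"`, `$` or a backtick would be interpreted by the shell at boot rather than passed to dropbear. The value comes from group_vars and, per the play, from a host-level `loc_dropbear` override, so the exposure is limited to whoever can edit the inventory, but quoting is cheap: `DROPBEAR_OPTIONS={{ dropbear.options | quote }}`. The same applies to `IP={{ dropbear.initramfs_ip }}` in `10-network.j2`, which could become `IP={{ dropbear.initramfs_ip | quote }}`.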
diff --git a/roles/dropbear/templates/initramfs-tools/conf.d/10-network.j2 b/roles/dropbear/templates/initramfs-tools/conf.d/10-network.j2
new file mode 100644
index 0000000000000000000000000000000000000000..6f42ef4bee9bc5b8556a7e592f88b0ae3e385e61
--- /dev/null
+++ b/roles/dropbear/templates/initramfs-tools/conf.d/10-network.j2
@@ -0,0 +1,3 @@
+{{ ansible_header | comment }}
+
+IP={{ dropbear.initramfs_ip }}