diff --git a/beta-deployment b/beta-deployment new file mode 100644 index 0000000000000000000000000000000000000000..5fdda276ec068a6bfd143a1196ddbab8e29a8f5e --- /dev/null +++ b/beta-deployment 
@@ -0,0 +1,216 @@ +# Software + +`$ apt install dnsutils`, which provides dig + +resolvconf + + +# Firewall + +## front-web + +`/etc/iptables/rules.v4` + +``` +*filter +:INPUT DROP [0:0] +-A INPUT -s 192.168.0.0/24 -j ACCEPT -m comment --comment "FULL ACCESS LAN" +-A INPUT -i lo -j ACCEPT -m comment --comment "FULL ACCESS LOOPBACK" + +-A INPUT -s 217.182.252.78/32 -p tcp --dport 22 -j ACCEPT -m comment --comment "SSH neogeo-ansible" +-A INPUT -s 80.12.88.99/32 -p tcp --dport 22 -j ACCEPT -m comment --comment "SSH neogeo-bureau" +-A INPUT -s 213.245.116.190/32 -p tcp --dport 22 -j ACCEPT -m comment --comment "SSH erasmes" + +-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT -m comment --comment "in order to receive responses to outgoing requests" +-A INPUT -i ens3 -p tcp -m tcp --dport 443 -d 51.83.13.51 -j ACCEPT +-A INPUT -i ens3 -p tcp -m tcp --dport 80 -d 51.83.13.51 -j ACCEPT +:FORWARD ACCEPT [0:0] + +``` + + +# Domain Name Resolution + +## `/etc/hosts` + +By default, the /etc/hosts file is managed by the system. Hence, user modifications as deleted at each reboot. In order to prevent that from happening, a line has to be modified in the `/etc/cloud/cloud.cfg` file: + +`manage_etc_hosts: false` + +## `dnsmasq` + +Installed in the front-web machine, with the following configuration (`/etc/dnsmasq.conf`): + +``` +domain-needed +bogus-priv +server=213.186.33.99 +listen-address=192.168.0.59 +no-dhcp-interface=ens4 +bind-interfaces +``` + +The following lines are appended to the `/etc/hosts` file in the front-web machine: + +``` +51.83.13.51 front-web.wan +192.168.0.59 front-web.lan + +51.83.15.2 back-office.wan +192.168.0.146 back-office.lan + +51.68.115.202 es-1.wan +192.168.0.74 es-1.lan + +51.77.229.85 es-2.wan +192.168.0.65 es-2.lan + +51.83.13.94 es-3.wan +192.168.0.236 es-3.lan + +``` + +The other machines will use front-web as DNS. 
+ + +# Routing + +In order for the front-web machine to be usable as a router, we need to apply the following modifications within **front-web**: + +1. In `/etc/sysctl.conf` -> `net.ipv4.ip_forward=1`. + +2. In `/etc/iptables/rules.v4`, +` +*nat +-I POSTROUTING -s 192.168.0.0/24 -o ens3 -j MASQUERADE +` + +Once that it is done, the other machines can be setup as follows: + +`/etc/network/interfaces` + +``` +[...] +iface ens4 inet static + address 192.168.0.XXX + netmask 255.255.255.0 + gateway 192.168.0.59 + dns-nameservers 192.168.0.59 +[...] +``` + +In case the default gateway is not taken into account, the following command has to be issued: + +` +$ route add default gw 192.168.0.59 ens4 +` + +The line `auto ens3` can be commented out in the file `/etc/network/interfaces.d/50-cloud-init.cfg`, in order to prevent the ens3 from being "upped" at reboot. + +In order for the modification to be persisten, we need to disable cloud-init's network configuration capabilities, by editing the file /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following content: + +``` +network: {config: disabled} +``` + + + +# Postfix, OpenDKIM + +cf. [https://wiki.debian.org/opendkim](https://wiki.debian.org/opendkim) + +``` +$ sudp mkdir /etc/postfix/dkim/ +$ sudo opendkim-genkey -D /etc/postfix/dkim/ -d data.beta.grandlyon.com -s mail +``` + +## `/etc/opendkim.conf` + +* the line "Mode sv" is uncommented (why?) +* the following lines are appended + +``` +# Specify the list of keys +KeyTable file:/etc/postfix/dkim/keytable + +# Match keys and domains. To use regular expressions in the file, use refile: instead of file: +SigningTable refile:/etc/postfix/dkim/signingtable + +# Match a list of hosts whose messages will be signed. By default, only localhost is considered as internal host. 
+InternalHosts refile:/etc/postfix/dkim/trustedhosts +``` + +The 'Socket' line is setup as follows: + +``` +Socket inet:8892@localhost +``` + +## `/etc/postfix/dkim/keytable` + +```mail._domainkey.data.beta.grandlyon.com data.beta.grandlyon.com:mail:/etc/postfix/dkim/mail.private``` + +## `/etc/postfix/dkim/signingtable` + +``` +# Domain data.beta.grandlyon.com +*@data.beta.grandlyon.com mail._domainkey.data.beta.grandlyon.com +``` + +## `/etc/postfix/dkim/trustedhosts` + +``` +127.0.0.1 +192.168.0.0/24 +``` + +### Note + +``` +$ sudo chgrp opendkim /etc/postfix/dkim/* +$ sudo chmod o= /etc/postfix/dkim/* +``` + +## `/etc/postfix/main.cf` + +``` +[...] +myhostname = data.beta.grandlyon.com +alias_maps = hash:/etc/aliases +alias_database = hash:/etc/aliases +myorigin = /etc/mailname +mydestination = $myhostname, data.beta.grandlyon.com, front-web.localdomain, localhost.localdomain, localhost +relayhost = +mynetworks = 127.0.0.0/8 [::ffff:127.0.0.0]/104 [::1]/128 192.168.0.0/24 +mailbox_size_limit = 0 +recipient_delimiter = + +inet_interfaces = all +inet_protocols = ipv4 +[...] +``` + +The following lines are appended: + +``` +milter_default_action = accept +milter_protocol = 6 +smtpd_milters = inet:127.0.0.1:8892 +non_smtpd_milters = $smtpd_milters +``` + +## DNS + +The DNS records needs to be updated as follows: + +``` +data.beta.grandlyon.com. 86400 IN TXT "v=spf1 +ip4:51.83.13.51 ~all" +``` + +``` +mail._domainkey.data.beta.grandlyon.com. 86400 IN TXT "v=DKIM1; h=sha256; k=rsa; " "p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAzzoL8dvkfhm3xCpGxW8COUIgmw4r0PV/5GSUekCA8sLGPiqNh8//Jj4tFpLK6eUMacKYPbL4goUdRyTF5gqh/MdEWwafodZczELETRcp3a7mGdmM2nDhD6lk2Xtdf+nS+HWobYN18a3abNFchcF62LJWGTd4fwKV8gOIIuvTiakVxFuC7eIBUO+7m0JU0EnnivLUabphFSL3yV" "hEdpCD3csRGedSnG6+ocpZw25ll8/5f6WZnobU2d5KKqk7MVgOFXfuJMhdjmd6UvSGPaxR+/E+PsxQCU0f9vLG4R8fLPLh0ngNGGiyNYGHB5Sn8VxIrxqpH2pQKaJsfHLK/IgRJwIDAQAB" + +``` + +# Remote API for Dockerd (-> Portainer) + +cf. 
https://success.docker.com/article/how-do-i-enable-the-remote-api-for-dockerd
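Review bot: The `/etc/iptables/rules.v4` blocks in this hunk are not loadable by `iptables-restore` as written: both the `*filter` section (ending after the `:FORWARD ACCEPT [0:0]` line) and the `*nat` section under "Routing" lack the terminating `COMMIT` line, so the rules would fail to load at boot and the host would come up with whatever policy the default leaves, not the `:INPUT DROP` intended. Please add `COMMIT` after each table. While there, the first rule `-A INPUT -s 192.168.0.0/24 -j ACCEPT` ("FULL ACCESS LAN") matches on source address only, so a packet arriving on the public interface `ens3` with a spoofed 192.168.0.0/24 source is also accepted; restricting it to the LAN interface (`-i ens4`) keeps the LAN trust from leaking onto the WAN side. Given `net.ipv4.ip_forward=1`, `MASQUERADE` and the `:FORWARD ACCEPT` policy, it is also worth stating in the file which traffic the router is expected to forward, since every other machine uses front-web as gateway. Smaller points: `$ sudp mkdir /etc/postfix/dkim/` should read `sudo`, and the "(why?)" next to the `Mode sv` line should be resolved or documented before merging (`s` is needed for outgoing signing, `v` for verifying inbound mail).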