diff --git a/00-init.yaml b/00-init.yaml index 526e9e9..71174f4 100644 --- a/00-init.yaml +++ b/00-init.yaml 
@@ -4,92 +4,92 @@ hosts: all tasks: - - name: Copy conf - copy: - src: rootfs/ - dest: / + - name: Copy conf + copy: + src: rootfs/ + dest: / - - name: Restart sshd - service: - name: sshd.service - state: restarted + - name: Restart sshd + service: + name: sshd.service + state: restarted - - name: SSH port 40022 - set_fact: - ansible_port: 40022 + - name: SSH port 40022 + set_fact: + ansible_port: 40022 - - name: Add {{ codename }} repo - deb822_repository: - name: debian - types: deb - uris: http://deb.debian.org/debian - suites: "{{ codename }} {{ codename }}-updates {{ codename }}-backports" - components: - - main - - non-free-firmware + - name: Add {{ codename }} repo + deb822_repository: + name: debian + types: deb + uris: http://deb.debian.org/debian + suites: "{{ codename }} {{ codename }}-updates {{ codename }}-backports" + components: + - main + - non-free-firmware - - name: Add {{ codename }}-security repo - deb822_repository: - name: debian-security - types: deb - uris: http://security.debian.org/debian-security/ - suites: "{{ codename }}-security" - components: - - main - - non-free-firmware + - name: Add {{ codename }}-security repo + deb822_repository: + name: debian-security + types: deb + uris: http://security.debian.org/debian-security/ + suites: "{{ codename }}-security" + components: + - main + - non-free-firmware - - name: Add libcontainers repo (CRI-O) - deb822_repository: - name: libcontainers - types: deb - uris: "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/{{ os }}/" - suites: / - signed_by: "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/{{ os }}/Release.key" + - name: Add libcontainers repo (CRI-O) + deb822_repository: + name: libcontainers + types: deb + uris: "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/{{ os }}/" + suites: / + signed_by: "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/{{ os 
}}/Release.key" - - name: Add libcontainers-crio repo (CRI-O) - deb822_repository: - name: libcontainers-crio - types: deb - uris: "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/{{ k8s_version }}/{{ os }}/" - suites: / - signed_by: "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/{{ k8s_version }}/{{ os }}/Release.key" + - name: Add libcontainers-crio repo (CRI-O) + deb822_repository: + name: libcontainers-crio + types: deb + uris: "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/{{ k8s_version }}/{{ os }}/" + suites: / + signed_by: "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/{{ k8s_version }}/{{ os }}/Release.key" - - name: Add k8s repo - deb822_repository: - name: k8s - types: deb - uris: "https://pkgs.k8s.io/core:/stable:/v{{ k8s_version }}/deb/" - suites: / - signed_by: "https://pkgs.k8s.io/core:/stable:/v{{ k8s_version }}/deb/Release.key" + - name: Add k8s repo + deb822_repository: + name: k8s + types: deb + uris: "https://pkgs.k8s.io/core:/stable:/v{{ k8s_version }}/deb/" + suites: / + signed_by: "https://pkgs.k8s.io/core:/stable:/v{{ k8s_version }}/deb/Release.key" - - name: Upgrade - apt: - update_cache: true - upgrade: dist - autoremove: true - purge: true + - name: Upgrade + apt: + update_cache: true + upgrade: dist + autoremove: true + purge: true - - name: Install pkgs - apt: - install_recommends: false - name: - - ceph - - ceph-common - - cri-o - - cri-o-runc - - cri-tools - - cron - - iptables-persistent - - kubeadm - - kubectl - - kubectx - - kubelet - - vim + - name: Install pkgs + apt: + install_recommends: false + name: + - ceph + - ceph-common + - cri-o + - cri-o-runc + - cri-tools + - cron + - iptables-persistent + - kubeadm + - kubectl + - kubectx + - kubelet + - vim - - name: Enable crio service - service: - name: crio.service - enabled: true + - name: Enable crio service + service: 
+ name: crio.service + enabled: true - - name: Reboot - reboot: + - name: Reboot + reboot: diff --git a/10-init-k8s.yaml b/10-init-k8s.yaml index bdb9b5e..6bd77ad 100644 --- a/10-init-k8s.yaml +++ b/10-init-k8s.yaml 
@@ -7,15 +7,25 @@ KUBECONFIG: /etc/kubernetes/admin.conf tasks: - - name: Init k8s - shell: kubeadm init --pod-network-cidr=10.244.0.0/16 --control-plane-endpoint="{{ endpoint }}" - - name: Remove master node taint - shell: kubectl taint node --all node-role.kubernetes.io/control-plane:NoSchedule- - - name: Apply flannel - shell: kubectl apply -f https://github.com/flannel-io/flannel/releases/latest/download/kube-flannel.yml - - name: Apply nginx ingress - shell: kubectl apply -f "https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v{{ nginx_version }}/deploy/static/provider/baremetal/deploy.yaml" - - name: Apply cert-manager - shell: kubectl apply -f "https://github.com/cert-manager/cert-manager/releases/download/v{{ certmanager_version }}/cert-manager.yaml" - - name: Reboot - reboot: + - name: Init k8s + shell: kubeadm init --pod-network-cidr=10.244.0.0/16 --control-plane-endpoint="{{ endpoint }}" + - name: Remove master node taint + shell: kubectl taint node --all node-role.kubernetes.io/control-plane:NoSchedule- + - name: Apply flannel + shell: kubectl apply -f "https://github.com/flannel-io/flannel/releases/latest/download/kube-flannel.yml" + - name: Apply metallb + shell: kubectl apply -f "https://raw.githubusercontent.com/metallb/metallb/v{{ mettallb_version }}/config/manifests/metallb-native.yaml" + - name: Apply nginx ingress + shell: kubectl apply -f "https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v{{ nginx_version }}/deploy/static/provider/baremetal/deploy.yaml" + - name: Apply cert-manager + shell: kubectl apply -f "https://github.com/cert-manager/cert-manager/releases/latest/download/cert-manager.yaml" + - name: Apply kubegres + shell: kubectl apply -f "https://raw.githubusercontent.com/reactive-tech/kubegres/v{{ kubegres_version }}/kubegres.yaml" + - name: Apply manifests + shell: | + kubectl apply -f - < kubeconfig chmod 600 kubeconfig diff --git a/group_vars/all b/group_vars/all index 361eca4..907c0a3 100644 
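Review bot: The metallb task references `mettallb_version` (double t) while the variable this same commit adds to group_vars/all is `metallb_version`, so the URL is rendered from an undefined variable and the play aborts (or, if undefined-variable errors are disabled, fetches a nonexistent path); change it to `v{{ metallb_version }}`. Separately, the flannel and cert-manager manifests are now fetched from `releases/latest/download` and applied with cluster-admin rights on every run, which turns the cluster's CNI and its certificate issuer into an unpinned, unverified remote dependency — cert-manager was previously pinned via `certmanager_version`, and restoring `.../download/v{{ certmanager_version }}/cert-manager.yaml` with that variable kept in group_vars would be safer. The body of the final "Apply manifests" task is not readable in this rendering of the diff, so its heredoc was not reviewed. The play header and its `environment:` block begin before this hunk.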
--- a/group_vars/all +++ b/group_vars/all @@ -5,6 +5,10 @@ arch: amd64 os: Debian_12 codename: bookworm k8s_version: 1.27 # https://kubernetes.io/releases/patch-releases/#detailed-release-history-for-active-branches +metallb_version: 0.14.3 # https://github.com/metallb/metallb/releases nginx_version: 1.9.6 # https://github.com/kubernetes/ingress-nginx/releases -certmanager_version: 1.14.2 # https://github.com/cert-manager/cert-manager/releases/ +kubegres_version: 1.17 # https://github.com/reactive-tech/kubegres/releases + +# TODO rook_version: 1.13.4 # https://github.com/rook/rook/releases +nfs_version: 4.6.0 # https://github.com/kubernetes-csi/csi-driver-nfs/releases diff --git a/manifests/cm-ingress-nginx-controller.yaml b/manifests/cm-ingress-nginx-controller.yaml index daa3083..184259b 100644 --- a/manifests/cm-ingress-nginx-controller.yaml +++ b/manifests/cm-ingress-nginx-controller.yaml @@ -1,6 +1,7 @@ apiVersion: v1 data: use-proxy-protocol: "true" + allow-snippet-annotations: "true" kind: ConfigMap metadata: name: ingress-nginx-controller diff --git a/manifests/ingress-nginx-controller.yaml b/manifests/ingress-nginx-controller.yaml index d1b5e2e..5d56d27 100644 --- a/manifests/ingress-nginx-controller.yaml +++ b/manifests/ingress-nginx-controller.yaml @@ -7,7 +7,7 @@ metadata: app.kubernetes.io/instance: ingress-nginx app.kubernetes.io/name: ingress-nginx app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.9.6 + app.kubernetes.io/version: "{{ nginx_version }}" name: ingress-nginx-controller namespace: ingress-nginx spec: diff --git a/manifests/letsencrypt-prod.yaml b/manifests/letsencrypt-prod.yaml index a622a48..29d616b 100644 --- a/manifests/letsencrypt-prod.yaml +++ b/manifests/letsencrypt-prod.yaml @@ -5,7 +5,7 @@ metadata: name: letsencrypt-prod spec: acme: - email: ange@yw5n.com + email: "{{ letsencrypt_email }}" privateKeySecretRef: name: letsencrypt-prod server: https://acme-v02.api.letsencrypt.org/directory 
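Review bot: Setting `allow-snippet-annotations: "true"` in the ingress-nginx-controller ConfigMap re-enables a feature upstream turned off by default for a reason: any principal allowed to create or update an Ingress in any namespace can place raw nginx directives in `nginx.ingress.kubernetes.io/*-snippet` annotations, which lets them read the controller's service-account token and reach Secrets cluster-wide (CVE-2021-25742). Nothing in this diff shows an Ingress that needs snippets, so the safest change is to drop the added line. If a snippet is genuinely required, pair it with `annotation-value-word-blocklist` in the same ConfigMap, restrict Ingress write access to the namespaces that need it, and add a comment above the key naming the Ingress that depends on it, e.g. `# needed by <ingress>; see annotation-value-word-blocklist below`.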
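Review bot: The letsencrypt-prod ClusterIssuer now reads `"{{ letsencrypt_email }}"`, but the group_vars/all hunk in this commit does not define `letsencrypt_email`, and no rendering step for the manifests directory is visible here. If the variable is undefined the template step fails, and if the file is applied with `kubectl apply -f` without templating, the literal `{{ letsencrypt_email }}` is registered as the ACME account contact, which breaks expiry notices for production certificates. Add `letsencrypt_email` to group_vars/all (or document where it is expected to come from) and confirm the manifest goes through Ansible's template module rather than raw `kubectl apply`.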
diff --git a/manifests/letsencrypt-staging.yaml b/manifests/letsencrypt-staging.yaml
index 434a939..f8311ab 100644
--- a/manifests/letsencrypt-staging.yaml
+++ b/manifests/letsencrypt-staging.yaml
@@ -5,7 +5,7 @@ metadata:
 name: letsencrypt-staging
 spec:
 acme:
- email: ange@yw5n.com
+ email: "{{ letsencrypt_email }}"
 privateKeySecretRef:
 name: letsencrypt-staging
 server: https://acme-staging-v02.api.letsencrypt.org/directory