diff --git a/group_vars/lb.yml b/group_vars/lb.yml
index e9c9b11..b741dd0 100644
--- a/group_vars/lb.yml
+++ b/group_vars/lb.yml
@@ -5,6 +5,7 @@ haproxy:
 - cloud.badjware.dev
 - code.badjware.dev
 - drone.badjware.dev
+ - grafana.badjware.dev
 dst:
 - 192.168.20.20
 - 192.168.20.21
diff --git a/hosts b/hosts
index 3ee90e5..12157a9 100644
--- a/hosts
+++ b/hosts
@@ -21,6 +21,7 @@
 6139363534616231380a373931333530373339653132626238333566663362343663623532393330
 35616230643533363032623066376536366236353335373130643262613561396131
+# Actual config starts here
 all:
 hosts:
 pfsense:
@@ -30,8 +31,8 @@ all:
 hosts:
 router-0:
 ansible_host: 192.168.10.10
- vars:
- ansible_user: root
+ # vars:
+ # ansible_user: root
 lb:
 hosts:
 lb:
@@ -50,13 +51,14 @@ all:
 ansible_host: 192.168.20.22
 k3s-w2:
 ansible_host: 192.168.20.23
- ubuntu:
+ debian:
 hosts:
 ubiquiti:
 ansible_host: 192.168.10.2
 pihole:
 ansible_host: 192.168.20.2
 children:
+ proxmox:
 lb:
 k3s:
 vars:
diff --git a/playbook.yml b/playbook.yml
index 0153575..9700e78 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -1,4 +1,4 @@
-- hosts: ubuntu
+- hosts: debian
 roles:
 - common
diff --git a/roles/haproxy/templates/haproxy.cfg b/roles/haproxy/templates/haproxy.cfg
index e197002..54fb584 100644
--- a/roles/haproxy/templates/haproxy.cfg
+++ b/roles/haproxy/templates/haproxy.cfg
@@ -50,6 +50,10 @@ frontend https_in
 # set HSTS
 http-response set-header Strict-Transport-Security "max-age=15552000; includeSubDomains;"
+ # set X-Forwarded-Proto
+ http-request set-header X-Forwarded-Proto http if !{ ssl_fc }
+ http-request set-header X-Forwarded-Proto https if { ssl_fc }
+
 # request is ssl
 # tcp-request inspect-delay 5s
 # tcp-request content accept if { req.ssl_hello_type 1 }
diff --git a/roles/proxmox/tasks/main.yml b/roles/proxmox/tasks/main.yml
index 1d65c18..a6d8c98 100644
--- a/roles/proxmox/tasks/main.yml
+++ b/roles/proxmox/tasks/main.yml
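Review bot: Adding `proxmox:` under the `children:` of the renamed `debian` group widens the scope of every group var and every play targeting `debian` (playbook.yml now runs the `common` role against `hosts: debian`) to all Proxmox hosts, yet no `proxmox` group with members appears in this hunk, so its definition presumably lives elsewhere in `hosts` or the inventory plugin will create an empty group. A one-line comment above the new entry, `# proxmox hosts are Debian-based: they get the debian group vars and the common role`, would record the intent. The earlier hunk in the same file keeps `vars: ansible_user: root` for `router-0` as commented-out lines; git history already preserves them, so deleting them keeps the inventory free of dead config. The `all:` mapping that encloses these hunks starts and ends outside them.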
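Review bot: The two new `http-request set-header X-Forwarded-Proto` lines overwrite any client-supplied `X-Forwarded-Proto`, which is exactly what backends need in order to trust the value, but the comment `# set X-Forwarded-Proto` does not say so and a later editor may "fix" it into `add-header`; I'd write `# set X-Forwarded-Proto from the actual connection; set-header replaces any client-supplied value so backends can trust it`. If `frontend https_in` only ever terminates TLS (the name suggests so, though the commented `req.ssl_hello_type` lines hint at passthrough experiments), the `if !{ ssl_fc }` branch is unreachable and the comment should say whether a plain-HTTP bind is expected. The `frontend https_in` section these lines belong to starts and ends outside the hunk.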
@@ -5,6 +5,18 @@
 line: 'GRUB_CMDLINE_LINUX_DEFAULT="quiet intel_iommu=on"'
 notify: update grub
+- name: Enable PAM users
+ lineinfile:
+ path: /etc/pve/user.cfg
+ line: 'user:{{ item.key }}@pam:1:0::::::'
+ with_dict: '{{ users }}'
+
+- name: Enable PAM users admin access
+ lineinfile:
+ path: /etc/pve/user.cfg
+ line: 'acl:1:/:{{ item.key }}@pam:PVEAdmin:'
+ with_dict: '{{ users }}'
+
 - name: Copy pve-no-subscription.list
 copy:
 src: pve-no-subscription.list
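Review bot: The task `Enable PAM users admin access` grants `PVEAdmin` on `/` to every key in `users` with no way to give an account less than full administrative rights; if that is intended, state it in the task name or a comment, otherwise make the role and path per-user variables. Both `lineinfile` tasks match only the exact `line`, so an existing `user:<name>@pam:` entry with different fields (for example a disabled one) is left in place and a second entry is appended; adding `regexp: '^user:{{ item.key }}@pam:'` to the first task (and a matching anchor on the `acl:` line in the second) makes them replace rather than duplicate. Neither task removes accounts dropped from `users`, so a removed user keeps its `PVEAdmin` ACL in `/etc/pve/user.cfg` until someone edits the file by hand; worth a comment or a companion task. The task list continues outside the hunk.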