diff --git a/inventories/client_royal_pizza/group_vars/firewalls.yml b/inventories/client_royal_pizza/group_vars/firewalls.yml
new file mode 100644
index 0000000..e69de29
diff --git a/playbooks/opensense_manage.yml b/playbooks/opensense_manage.yml
new file mode 100644
index 0000000..687d232
--- /dev/null
+++ b/playbooks/opensense_manage.yml
@@ -0,0 +1,82 @@
+---
+- name: OPNsense Advanced MSP Management
+ hosts: firewalls
+ gather_facts: false
+ vars:
+ # Managed via Semaphore Environment Variables or group_vars
+ admin_accounts:
+ - { name: "msp_admin", pwd: "{{ vault_msp_admin_password }}", groups: ["admins"], state: "present" }
+ - { name: "decommissioned_user", state: "absent" } # Auto-purges old accounts
+
+ critical_services: ["unbound", "dhcpd", "configd"]
+ expected_interfaces:
+ - { device: "wan", speed: "1000" }
+ - { device: "lan", speed: "1000" }
+
+ tasks:
+ # --- TASK: BACKUP ---
+ - name: Export configuration
+ ansibleguy.opnsense.system_backup:
+ destination: "./backups/{{ inventory_hostname }}.xml"
+ tags: backup
+
+ # --- TASK: UPDATES ---
+ - name: Check firmware status
+ ansibleguy.opnsense.firmware_info:
+ register: fw_info
+ tags: upgrade_check
+
+ - name: Apply updates if reboot is required
+ ansibleguy.opnsense.firmware:
+ upgrade: true
+ reboot: true
+ when: fw_info.needs_reboot | default(false)
+ tags: upgrade_apply
+
+ # --- TASK: MONITORING ---
+ - name: Audit critical services
+ ansibleguy.opnsense.service:
+ name: "{{ item }}"
+ state: started
+ loop: "{{ critical_services }}"
+ tags: monitoring
+
+ - name: Audit SSL certificates
+ ansibleguy.opnsense.certificate_info:
+ register: cert_info
+ tags: monitoring
+
+ - name: Alert on expiring certs
+ debug:
+ msg: "CERT WARNING: {{ item.descr }} expires in {{ item.enddate_days }} days"
+ loop: "{{ cert_info.certificates }}"
+ when: item.enddate_days | int < 30
+ tags: monitoring
+
+ # --- TASK: AUDIT ---
+ - name: Verify interface link state
+ ansibleguy.opnsense.interface_info:
+ register: int_info
+ tags: audit
+
+ - name: Fail if interface is DOWN
+ assert:
+ that: "int_info.interfaces[item.device].status == 'up'"
+ fail_msg: "ALERT: Interface {{ item.device }} is DOWN!"
+ loop: "{{ expected_interfaces }}"
+ tags: audit
+
+ # --- TASK: USER/SETTINGS MANAGEMENT ---
+ - name: Manage Admin Accounts
+ ansibleguy.opnsense.user:
+ name: "{{ item.name }}"
+ password: "{{ item.pwd | default(omit) }}"
+ groups: "{{ item.groups | default(omit) }}"
+ state: "{{ item.state | default('present') }}"
+ loop: "{{ admin_accounts }}"
+ tags: users
+
+ - name: Apply Granular Settings
+ ansibleguy.opnsense.system_settings:
+ settings: "{{ opnsense_custom_settings }}"
+ tags: settings
\ No newline at end of file
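Review bot: The `Manage Admin Accounts` task loops over items that carry `pwd`, so each iteration echoes the item, including the value of `vault_msp_admin_password`, into the task result and the Semaphore job log unless the task sets `no_log: true`; add it next to `tags: users`. The `Apply updates if reboot is required` task gates `upgrade: true` and `reboot: true` on `fw_info.needs_reboot`, which, if that key means a reboot is already pending, never installs updates when nothing is pending and unconditionally reboots the firewall when something is; the condition should track update availability, and an unattended reboot of a firewall deserves its own explicit opt-in variable rather than riding on the same `when`. `Apply Granular Settings` reads `opnsense_custom_settings`, which nothing in the play defines and which the group_vars file added in this commit does not appear to provide, so a run with the `settings` tag fails on an undefined variable; guard it with `when: opnsense_custom_settings is defined` or give it an explicit default.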