diff --git a/data/hostname/kafka1.internal.softwareheritage.org.yaml b/data/hostname/kafka1.internal.softwareheritage.org.yaml
index 5b11f0de..9f94d047 100644
--- a/data/hostname/kafka1.internal.softwareheritage.org.yaml
+++ b/data/hostname/kafka1.internal.softwareheritage.org.yaml
@@ -1,56 +1,61 @@
 ---
 networks:
 ens1f0np0:
 type: manual
+ order: 10
 extras:
 mtu: "9000"
 ens1f1np1:
 type: manual
+ order: 10
 extras:
 mtu: "9000"
 bond0:
 type: manual
+ order: 20
 extras:
 mtu: "9000"
 bond-miimon: 100
 bond-mode: 802.3ad
 bond-xmit_hash_policy: layer3+4
 bond-slaves: ens1f0np0 ens1f1np1
 bond-lacp-rate: 1
 vlan440:
 type: private
+ order: 30
 address: 192.168.100.201
 netmask: 24
 gateway: 192.168.100.1
 mtu: "9000"
 extras:
 vlan-raw-device: bond0
 vlan1300:
 type: static
+ order: 30
 address: 128.93.166.48
 netmask: 26
 gateway: 128.93.166.62
 mtu: "9000"
 extras:
 vlan-raw-device: bond0
 backups::exclude:
 - srv/kafka
 swh::apt_config::enable_non_free: true
 packages:
 - intel-microcode
 - vlan
 - ifenslave
 swh::apt_config::backported_packages:
 buster:
 - linux-image-amd64
 - linux-headers-amd64
 - libnvpair1linux
 - libuutil1linux
 - libzfs2linux
 - libzpool2linux
 - zfs-dkms
 - zfsutils-linux
 - zfs-zed
diff --git a/data/hostname/kafka2.internal.softwareheritage.org.yaml b/data/hostname/kafka2.internal.softwareheritage.org.yaml
index 4f8b7288..0964a66d 100644
--- a/data/hostname/kafka2.internal.softwareheritage.org.yaml
+++ b/data/hostname/kafka2.internal.softwareheritage.org.yaml
@@ -1,56 +1,61 @@
 ---
 networks:
 ens1f0np0:
 type: manual
+ order: 10
 extras:
 mtu: "9000"
 ens1f1np1:
 type: manual
+ order: 10
 extras:
 mtu: "9000"
 bond0:
 type: manual
+ order: 20
 extras:
 mtu: "9000"
 bond-miimon: 100
 bond-mode: 802.3ad
 bond-xmit_hash_policy: layer3+4
 bond-slaves: ens1f0np0 ens1f1np1
 bond-lacp-rate: 1
 vlan440:
 type: private
+ order: 30
 address: 192.168.100.202
 netmask: 24
 gateway: 192.168.100.1
 mtu: "9000"
 extras:
 vlan-raw-device: bond0
 vlan1300:
 type: static
+ order: 30
 address: 128.93.166.49
 netmask: 26
 gateway: 128.93.166.62
 mtu: "9000"
 extras:
 vlan-raw-device: bond0
 backups::exclude:
 - srv/kafka
 swh::apt_config::enable_non_free: true
 packages:
 - intel-microcode
 - vlan
 - ifenslave
 swh::apt_config::backported_packages:
 buster:
 - linux-image-amd64
 - linux-headers-amd64
 - libnvpair1linux
 - libuutil1linux
 - libzfs2linux
 - libzpool2linux
 - zfs-dkms
 - zfsutils-linux
 - zfs-zed
diff --git a/data/hostname/kafka3.internal.softwareheritage.org.yaml b/data/hostname/kafka3.internal.softwareheritage.org.yaml
index 5fbaf7ce..a5f0890a 100644
--- a/data/hostname/kafka3.internal.softwareheritage.org.yaml
+++ b/data/hostname/kafka3.internal.softwareheritage.org.yaml
@@ -1,56 +1,61 @@
 ---
 networks:
 ens1f0np0:
 type: manual
+ order: 10
 extras:
 mtu: "9000"
 ens1f1np1:
 type: manual
+ order: 10
 extras:
 mtu: "9000"
 bond0:
 type: manual
+ order: 20
 extras:
 mtu: "9000"
 bond-miimon: 100
 bond-mode: 802.3ad
 bond-xmit_hash_policy: layer3+4
 bond-slaves: ens1f0np0 ens1f1np1
 bond-lacp-rate: 1
 vlan440:
 type: private
+ order: 30
 address: 192.168.100.203
 netmask: 24
 gateway: 192.168.100.1
 mtu: "9000"
 extras:
 vlan-raw-device: bond0
 vlan1300:
 type: static
+ order: 30
 address: 128.93.166.50
 netmask: 26
 gateway: 128.93.166.62
 mtu: "9000"
 extras:
 vlan-raw-device: bond0
 backups::exclude:
 - srv/kafka
 swh::apt_config::enable_non_free: true
 packages:
 - intel-microcode
 - vlan
 - ifenslave
 swh::apt_config::backported_packages:
 buster:
 - linux-image-amd64
 - linux-headers-amd64
 - libnvpair1linux
 - libuutil1linux
 - libzfs2linux
 - libzpool2linux
 - zfs-dkms
 - zfsutils-linux
 - zfs-zed
diff --git a/data/hostname/kafka4.internal.softwareheritage.org.yaml b/data/hostname/kafka4.internal.softwareheritage.org.yaml
index 692283b0..0ca4854a 100644
--- a/data/hostname/kafka4.internal.softwareheritage.org.yaml
+++ b/data/hostname/kafka4.internal.softwareheritage.org.yaml
@@ -1,56 +1,61 @@
 ---
 networks:
 ens1f0np0:
 type: manual
+ order: 10
 extras:
 mtu: "9000"
 ens1f1np1:
 type: manual
+ order: 10
 extras:
 mtu: "9000"
 bond0:
 type: manual
+ order: 20
 extras:
 mtu: "9000"
 bond-miimon: 100
 bond-mode: 802.3ad
 bond-xmit_hash_policy: layer3+4
 bond-slaves: ens1f0np0 ens1f1np1
 bond-lacp-rate: 1
 vlan440:
 type: private
+ order: 30
 address: 192.168.100.204
 netmask: 24
 gateway: 192.168.100.1
 mtu: "9000"
 extras:
 vlan-raw-device: bond0
 vlan1300:
 type: static
+ order: 30
 address: 128.93.166.51
 netmask: 26
 gateway: 128.93.166.62
 mtu: "9000"
 extras:
 vlan-raw-device: bond0
 backups::exclude:
 - srv/kafka
 swh::apt_config::enable_non_free: true
 packages:
 - intel-microcode
 - vlan
 - ifenslave
 swh::apt_config::backported_packages:
 buster:
 - linux-image-amd64
 - linux-headers-amd64
 - libnvpair1linux
 - libuutil1linux
 - libzfs2linux
 - libzpool2linux
 - zfs-dkms
 - zfsutils-linux
 - zfs-zed
diff --git a/site-modules/profile/manifests/network.pp b/site-modules/profile/manifests/network.pp
index 35c0a027..b6e6c6a1 100644
--- a/site-modules/profile/manifests/network.pp
+++ b/site-modules/profile/manifests/network.pp
@@ -1,84 +1,103 @@ # Network configuration for Software Heritage servers. # This class is enabled when the `networks` hiera variable returns a value that # is not empty. class profile::network { - debnet::iface::loopback { 'lo': } + debnet::iface::loopback { 'lo': } # The `networks` hiera variable is a dict mapping interface names to a # settings dict. Entries of the settings dict with undefined values are not # output in the interface configuration. # The settings dict has the following keys: # - type (defaults to 'static'): the type of the interface as used by # ifupdown. A special type, 'private', generates a static configuration # with a separate routing table for the networks defined in the # `networks::private_routes` hiera variable (e.g. the OpenVPN and azure # machines). + # - order (int, defaults to 0): allows to control what order the interface blocks + # are in the /etc/network/interfaces file # - address (ip address): ip address to set on the # interface # - netmask (int or netmask): netmask for the network (e.g. 
26 or 255.255.255.192) # - gateway (ip address): address of the gateway to use for the network # - mtu (int): MTU to set for the interface # - extras (dict): extra configuration entries to pass to ifupdown directly # - ups (list[str]): Instructions to run after the interface is brought up # - downs (list[str]): instructions to run when the interface is torn down $interfaces = lookup('networks') $private_routes = lookup('networks::private_routes', Hash, 'deep') + each($interfaces) |$interface, $data| { $interface_type = pick($data['type'], 'static') if $interface_type == 'private' { file_line {'private route table': ensure => 'present', line => '42 private', path => '/etc/iproute2/rt_tables', } $filtered_routes = $private_routes.filter |$route_label, $route_data| { pick($route_data['enabled'], true) } $routes_up = $filtered_routes.map |$route_label, $route_data| { "ip route add ${route_data['network']} via ${route_data['gateway']}" } $routes_down = $filtered_routes.map |$route_label, $route_data| { "ip route del ${route_data['network']} via ${route_data['gateway']}" }.reverse $_ups = $routes_up + [ "ip rule add from ${data['address']} table private", "ip route add 192.168.100.0/24 src ${data['address']} dev ${interface} table private", "ip route add default via ${data['gateway']} dev ${interface} table private", 'ip route flush cache', ] $_downs = [ "ip route del default via ${data['gateway']} dev ${interface} table private", "ip route del 192.168.100.0/24 src ${data['address']} dev ${interface} table private", "ip rule del from ${data['address']} table private", ] + $routes_down + [ 'ip route flush cache', ] $method = 'static' $gateway = undef } else { $method = $interface_type $gateway = $data['gateway'] $_ups = [] $_downs = [] } + # These offsets are set by trepasi-debnet + $order_offsets = { + manual => 50, + static => 40, + dhcp => 30, + loopback => 20, + wvdial => 60, + } + + $order = ( + 25 # Base order to be inserted after the loopback interface which is 
order = 20 + - $order_offsets[$method] # counteract the built-in offsets + + pick_default($data['order'], 0) # get the order set in the interface stanza + ) + debnet::iface { $interface: method => $method, + order => $order, address => $data['address'], netmask => $data['netmask'], mtu => $data['mtu'], gateway => $gateway, ups => pick_default($data['ups'], $_ups, []), downs => pick_default($data['downs'], $_downs, []), aux_ops => pick_default($data['extras'], {}), } } }
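Review bot: The new `$order` computation indexes `$order_offsets[$method]` without checking that the method is in the table, and `$method` comes straight from the hiera `type` value for every non-`private` interface. For a type outside the five listed keys the lookup would yield undef and, as far as I can tell, the subtraction would then abort catalog compilation with an arithmetic error that names neither the interface nor the type. A guard placed before the computation makes the failure explicit: `unless $method in $order_offsets { fail("profile::network: no debnet order offset for method '${method}' on ${interface}") }`. The `$order_offsets` hash is loop-invariant and could be declared once above the `each`. Because it copies values internal to trepasi-debnet, its comment should also record the module version it was checked against, e.g. `# offsets copied from trepasi-debnet <MODULE_VERSION>; re-check on upgrade`, so a module upgrade does not silently reorder the interface stanzas.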