diff --git a/.githooks/pre-commit b/.githooks/pre-commit
deleted file mode 100755
index b3d9c7b3afd4411e57fd16cc41f27600448b5082..0000000000000000000000000000000000000000
--- a/.githooks/pre-commit
+++ /dev/null
@@ -1,36 +0,0 @@
-#!/bin/sh
-
-if git rev-parse --verify HEAD >/dev/null 2>&1; then
-        against=HEAD
-else
-        # Initial commit: diff against an empty tree object
-        against=$(git hash-object -t tree /dev/null)
-fi
-
-# Redirect output to stderr.
-exec 1>&2
-
-# Get changed files
-changed_files=$(git diff-index --name-only ${against})
-
-# Verify files content
-for file in ${changed_files}; do
-
-    if grep -qiE 'skyreach_(system|activation|api)_key' "${file}"; then
-    
-        # verify key
-        key=$(grep -iE 'skyreach_(system|activation|api)_key' "${file}" | grep -woiE '[a-z0-9]{32}')
-        if [ -n "${key}" ]; then
-            echo "Error: you are about to commit a secret key in file: ${file}"
-            echo "Please remove it before committing."
-            echo -
-            grep -iE 'skyreach_(system|activation|api)_key' "${file}" | grep -iE '[a-z0-9]{32}'
-            echo -
-            exit 1
-        fi
-    
-    fi
-
-done
-
-# vim:ft=sh
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index f9a76e91715d66f0f26033409469cdf4d147b52c..59294b22b9c9f2fb0a32740f6fc4c0f242cd9717 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,4 +1,5 @@
 ---
+
 checkpf:
   # https://docs.gitlab.com/ee/ci/pipelines/multi_project_pipelines.html
   trigger:
@@ -36,3 +37,5 @@ lint:
   rules:
     # Only if push in a branch other than main
     - if: $CI_PIPELINE_SOURCE == "push" && $CI_COMMIT_BRANCH != "main"
+
+...
diff --git a/.lint/ansible-apt-block-check.sh b/.lint/ansible-apt-block-check.sh
index 2a2c78007f37fd2e83b8c876ceb0aa7b832fb8a8..d7864f823a6612dceacc23ff7d51b060d9f9f31e 100755
--- a/.lint/ansible-apt-block-check.sh
+++ b/.lint/ansible-apt-block-check.sh
@@ -1,3 +1,4 @@
+#!/usr/bin/env bash
 
 # config
 exclude_pattern=()
diff --git a/.lint/ansible-lint-prod.conf b/.lint/ansible-lint-prod.conf
index 43b5bbf531cec8c8e7a42bb93cf0b351249ee775..3092f304905dabe9d5de192242a5c1a5abc1f591 100644
--- a/.lint/ansible-lint-prod.conf
+++ b/.lint/ansible-lint-prod.conf
@@ -3,6 +3,7 @@
 profile: production  # min, basic, moderate, safety, shared, production
 
 exclude_paths:
+  - inventories/
   - ../playbooks/bench-monitoring.yml
   - .cache/
   - ${HOME}/.cache/
diff --git a/.lint/ansible-lint.conf b/.lint/ansible-lint.conf
index 06038ccca4d011e46fcd6f2bc49a944ac06bc97c..abddfbfabb7c8857daaa3fc21f14bb0be19430bf 100644
--- a/.lint/ansible-lint.conf
+++ b/.lint/ansible-lint.conf
@@ -3,14 +3,21 @@
 profile: basic  # min, basic, moderate, safety, shared, production
 
 exclude_paths:
-  - ../playbooks/bench-monitoring.yml
+  - inventories/
+  - playbooks/bench-monitoring.yml
+  - roles/bench-server
+  - roles/bench-worker
+  - roles/elastic
+  - roles/metricbeat
+  - roles/docker
   - .cache/
   - ${HOME}/.cache/
 
 skip_list:
-  - role-name                 # Skip role name pattern verification ("-" should not be used)
-  - name[play]                # Skip the rule dictating that all play should have a name
-  - name[casing]              # Skip the rule dictating that all task name should begin with uppercase
-  - name[template]            # Skip forcing to use jinja var at the end of a task name
+  - role-name                  # Skip role name pattern verification ("-" should not be used)
+  - name[play]                 # Skip the rule dictating that all play should have a name
+  - name[casing]               # Skip the rule dictating that all task name should begin with uppercase
+  - name[template]             # Skip forcing to use jinja var at the end of a task name
+  - var-naming[no-role-prefix] # Skip necessity to prefix role vars with role name
 
 ...
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 0000000000000000000000000000000000000000..201cb032959c49f6f3bf344d19418d887c57efa6
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,28 @@
+* Remove unused `server_live_host` variable
+* Remove unnecessary `manager_default_email_sender` variable
+* Replace `skyreach_activation_key` and `skyreach_system_key` with `ubicast_api_key`
+* Remove `conf_debug` variable and task
+* Remove unnecessary `letsencrypt_testing` variable
+* Set `netcapture_mm_url` to a default value
+* Set `init_locale` to a default value
+* Set `init_timezone` to a default value
+* Move `postfix_packages` from default to vars directory
+* Remove unused `cockpit` firewall rule
+* Move roles firewall rules from default to vars directory
+* Move munin nodes firewall rules from sysconfig to munin-node
+* Define package variable in vars directory where missing (mediaworker, msmonitor, munin-node, munin-server)
+* Remove unnecessary `postfix_default_email_sender` variable
+* Change default `celerity_server` value
+* Change default `letsencrypt_email` value
+* Rework celerity server and worker defaults variables to use nudgis frontend one
+* Rename `repos_skyreach_*` variables to `repos_ubicast_*`
+* Set `proxy_*` to a default value
+* Set `ntp_servers` to a default value
+* Remove unused `manager_testing` variable
+* Rename `manager_hostname` variable to `manager_domain`
+* Rename `server_*` variables to `nudgis_front_*`
+* Remove unnecessary `server_instances` variable
+* Rename `tmpfs_size` to `live_tmpfs_size`
+* Rename `f2b_` varibales to `fail2ban_`
+
+# TODO : add cache  
diff --git a/ansible.cfg b/ansible.cfg
index bf5567329f04d3bd48393a7aecb1d3c9c28e3f65..268ae138956167930e24d74e04a247de7f385120 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -18,10 +18,6 @@ remote_user = root
 
 # cutom path for roles
 roles_path = roles
-# custom path for modules
-library = library
-# custom path for action plugins
-action_plugins = plugins/action
 
 # improve output format (with line return)
 stdout_callback = debug
diff --git a/inventories/example-ha/group_vars/all.yml b/inventories/example-ha/group_vars/all.yml
deleted file mode 100644
index 93675cf11e1117a4f8b6606a0b09687ec7698714..0000000000000000000000000000000000000000
--- a/inventories/example-ha/group_vars/all.yml
+++ /dev/null
@@ -1,25 +0,0 @@
----
-# customer name
-customer_short_name: customer
-
-# enable letsencrypt certificate
-letsencrypt_enabled: false
-
-# update conf.sh
-conf_update: false
-
-# repmgr configuration
-repmgr_password: my top secret repmgr default password
-repmgr_primary_node: "{{ hostvars['pg1']['ansible_default_ipv4']['address'] }}"
-
-# ha proxy configuration
-hap_config_listen:
-  - name: pgsql-primary
-    content: |
-      bind localhost:54321
-      default-server inter 2s fall 3 rise 2 on-marked-down shutdown-sessions
-      option tcp-check
-      tcp-check expect string primary
-      maxconn 500
-      server pg1 192.168.122.1:5432 maxconn 500 check port 8543
-      server pg2 192.168.122.2:5432 maxconn 500 check port 8543 backup
diff --git a/inventories/example-ha/group_vars/mediavault.yml b/inventories/example-ha/group_vars/mediavault.yml
deleted file mode 100644
index 972f4bf36797941cbee041bca5ad15c03377dd62..0000000000000000000000000000000000000000
--- a/inventories/example-ha/group_vars/mediavault.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-
-# mediavault backup deployement
-# used by mediavault/add_backup.yml
-
-# mvt_base_dir: /backup
-# mvt_backups:
-#   - name: self-etc
-#     source: "/etc"
-#     dest: "{{ mvt_base_dir }}/self-etc"
-#   - name: data
-#     source: /data
-#     dest: "{{ mvt_base_dir }}/data"
-
-...
diff --git a/inventories/example-ha/host_vars/cs1.yml b/inventories/example-ha/host_vars/cs1.yml
deleted file mode 100644
index ada1c36354c2589bbec076996eb3af64b4fbdd18..0000000000000000000000000000000000000000
--- a/inventories/example-ha/host_vars/cs1.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-skyreach_system_key: changeme
diff --git a/inventories/example-ha/host_vars/mi1.yml b/inventories/example-ha/host_vars/mi1.yml
deleted file mode 100644
index ada1c36354c2589bbec076996eb3af64b4fbdd18..0000000000000000000000000000000000000000
--- a/inventories/example-ha/host_vars/mi1.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-skyreach_system_key: changeme
diff --git a/inventories/example-ha/host_vars/mm1.yml b/inventories/example-ha/host_vars/mm1.yml
deleted file mode 100644
index ada1c36354c2589bbec076996eb3af64b4fbdd18..0000000000000000000000000000000000000000
--- a/inventories/example-ha/host_vars/mm1.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-skyreach_system_key: changeme
diff --git a/inventories/example-ha/host_vars/mo1.yml b/inventories/example-ha/host_vars/mo1.yml
deleted file mode 100644
index ada1c36354c2589bbec076996eb3af64b4fbdd18..0000000000000000000000000000000000000000
--- a/inventories/example-ha/host_vars/mo1.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-skyreach_system_key: changeme
diff --git a/inventories/example-ha/host_vars/ms1.yml b/inventories/example-ha/host_vars/ms1.yml
deleted file mode 100644
index ada1c36354c2589bbec076996eb3af64b4fbdd18..0000000000000000000000000000000000000000
--- a/inventories/example-ha/host_vars/ms1.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-skyreach_system_key: changeme
diff --git a/inventories/example-ha/host_vars/ms2.yml b/inventories/example-ha/host_vars/ms2.yml
deleted file mode 100644
index ada1c36354c2589bbec076996eb3af64b4fbdd18..0000000000000000000000000000000000000000
--- a/inventories/example-ha/host_vars/ms2.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-skyreach_system_key: changeme
diff --git a/inventories/example-ha/host_vars/mv1.yml b/inventories/example-ha/host_vars/mv1.yml
deleted file mode 100644
index ada1c36354c2589bbec076996eb3af64b4fbdd18..0000000000000000000000000000000000000000
--- a/inventories/example-ha/host_vars/mv1.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-skyreach_system_key: changeme
diff --git a/inventories/example-ha/host_vars/mw1.yml b/inventories/example-ha/host_vars/mw1.yml
deleted file mode 100644
index ada1c36354c2589bbec076996eb3af64b4fbdd18..0000000000000000000000000000000000000000
--- a/inventories/example-ha/host_vars/mw1.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-skyreach_system_key: changeme
diff --git a/inventories/example-ha/host_vars/mw2.yml b/inventories/example-ha/host_vars/mw2.yml
deleted file mode 100644
index ada1c36354c2589bbec076996eb3af64b4fbdd18..0000000000000000000000000000000000000000
--- a/inventories/example-ha/host_vars/mw2.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-skyreach_system_key: changeme
diff --git a/inventories/example-ha/host_vars/pg1.yml b/inventories/example-ha/host_vars/pg1.yml
deleted file mode 100644
index a0748dde5abcf5c4ad4d0912a98afbc17a27a7a7..0000000000000000000000000000000000000000
--- a/inventories/example-ha/host_vars/pg1.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-skyreach_system_key: changeme
-
-db_role: primary
-repmgr_node_id: 1
diff --git a/inventories/example-ha/host_vars/pg2.yml b/inventories/example-ha/host_vars/pg2.yml
deleted file mode 100644
index 662eda582498796eb03c14302d02d6d8b7671033..0000000000000000000000000000000000000000
--- a/inventories/example-ha/host_vars/pg2.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-skyreach_system_key: changeme
-
-db_role: standby
-repmgr_node_id: 2
diff --git a/inventories/example-ha/host_vars/pg3.yml b/inventories/example-ha/host_vars/pg3.yml
deleted file mode 100644
index 7026628524a60ff0cad35a12ff164de906f40253..0000000000000000000000000000000000000000
--- a/inventories/example-ha/host_vars/pg3.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-skyreach_system_key: changeme
-
-db_role: witness
-repmgr_node_id: 3
diff --git a/inventories/example-ha/host_vars/ws1.yml b/inventories/example-ha/host_vars/ws1.yml
deleted file mode 100644
index ada1c36354c2589bbec076996eb3af64b4fbdd18..0000000000000000000000000000000000000000
--- a/inventories/example-ha/host_vars/ws1.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-skyreach_system_key: changeme
diff --git a/inventories/example-ha/hosts b/inventories/example-ha/hosts
deleted file mode 100644
index fafead6a6b726b0ef55a2ee43bc4636f8514e67e..0000000000000000000000000000000000000000
--- a/inventories/example-ha/hosts
+++ /dev/null
@@ -1,68 +0,0 @@
-; For hosts parameters see:
-; https://docs.ansible.com/ansible/latest/user_guide/intro_inventory.html#connecting-to-hosts-behavioral-inventory-parameters
-
-; hosts list
-
-ms1 ansible_host=10.0.0.1
-ms2 ansible_host=10.0.0.2
-mw1 ansible_host=10.0.0.3
-mw2 ansible_host=10.0.0.4
-pg1 ansible_host=192.168.122.1
-pg2 ansible_host=192.168.122.2
-pg3 ansible_host=192.168.122.3
-
-; groups list and their members
-
-[msmonitor]
-ms1
-
-[postgres]
-pg1
-pg2
-pg3
-
-[mirismanager]
-ms1
-
-[mediaserver]
-ms1
-ms2
-
-[live]
-ms1
-ms2
-
-[celerity]
-ms1
-
-[mediaworker]
-mw1
-mw2
-
-[mediaimport]
-ms1
-
-[msmonitor]
-ms1
-
-[munin_server]
-ms1
-
-[munin_node]
-ms1
-ms2
-mw1
-mw2
-pg1
-pg2
-pg3
-
-[mediavault]
-
-[netcapture]
-
-[bench_server]
-
-[bench_worker]
-
-; vim:ft=dosini
diff --git a/inventories/example/group_vars/all.yml b/inventories/example/group_vars/all.yml
deleted file mode 100644
index 0fa94b435ffb9e5517eed06d959ba24e4dd3f795..0000000000000000000000000000000000000000
--- a/inventories/example/group_vars/all.yml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-# customer name
-customer_short_name: customer
-
-# enable letsencrypt certificate
-letsencrypt_enabled: false
-
-# update conf.sh
-conf_update: false
diff --git a/inventories/example/group_vars/mediavault.yml b/inventories/example/group_vars/mediavault.yml
deleted file mode 100644
index 972f4bf36797941cbee041bca5ad15c03377dd62..0000000000000000000000000000000000000000
--- a/inventories/example/group_vars/mediavault.yml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-
-# mediavault backup deployement
-# used by mediavault/add_backup.yml
-
-# mvt_base_dir: /backup
-# mvt_backups:
-#   - name: self-etc
-#     source: "/etc"
-#     dest: "{{ mvt_base_dir }}/self-etc"
-#   - name: data
-#     source: /data
-#     dest: "{{ mvt_base_dir }}/data"
-
-...
diff --git a/inventories/example/ha/group_vars/all.yml b/inventories/example/ha/group_vars/all.yml
new file mode 100644
index 0000000000000000000000000000000000000000..b1a89a3ce363bbe9e326f4c4cdd14f3da467445a
--- /dev/null
+++ b/inventories/example/ha/group_vars/all.yml
@@ -0,0 +1,55 @@
+---
+
+# munin_node:
+#   Short name of the customer, with no spaces. This name is used in munin to group the graphs under the same name.
+# munin_server:
+#   Short name of the customer, with no spaces. This name is used in munin to group the graphs under the same name.
+ubicast_customer_name: "UbiCast-HA"
+
+# mediaserver:
+#   Defines the default deployed Nudgis portal short name (and linked unix user)
+# mediaworker:
+#   Nudgis system username for the application portal, used as a JSON key in celerity config for nudgis API usage (see also nudgis_front_api_key)
+# celerity:
+#   Nudgis system username for the application portal, used as a JSON key in celerity config for nudgis API usage (see also nudgis_front_api_key)
+nudgis_front_system_user: "msuser"
+
+# mediaserver:
+#   Defines the default deployed Nudgis portal domain (will be the URL of the portal when adding the HTTP(S) prefix)
+# mediaworker:
+#   URL of the default Nudgis "msuser" portal used to populate the /etc/celerity/config.py file
+# mediacache:
+#   URL of Nudgis Front cluster
+nudgis_front_domain: "nudgis.ubica.st"
+
+# mediaserver:
+#   Defines the default deployed Nudgis portal linked mirismanager domain (correspond to the URL of the mirismanager portal when adding the HTTP(S) prefix)
+# mirismanager:
+#   Defines the default domain for the Nudgis Manager
+manager_domain: "manager.ubica.st"
+
+# mediaserver:
+#   Defines the default deployed Nudgis portal master API key
+# mediaworker:
+#   Nudgis API key, used to communicate with the nudgis portal
+# celerity:
+#   Nudgis API key, used to communicate with the nudgis portal
+nudgis_front_api_key: "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"
+
+# mediaserver:
+#   IPv4 address used to join the celerity server
+# celerity:
+#   IP or domain on which the celerity server service can be joined
+celerity_server_domain: "{{ hostvars[groups['celerity'][0]]['ansible_default_ipv4']['address'] }}"
+
+# mediaserver:
+#   Key used to encrypt communications to and from celerity server
+celerity_signing_key: "my-signing-key"
+
+# live:
+#   Domain name of the live cluster (only if distinct live server(s) from MediaServer and live_ha variable is set to True)
+# mediacache:
+#   URL of the Nudgis Live cluster
+live_domain: "live.ubica.st"
+
+...
diff --git a/inventories/example/ha/group_vars/celerity.yml b/inventories/example/ha/group_vars/celerity.yml
new file mode 100644
index 0000000000000000000000000000000000000000..40d4de6246e33bd2048f7d1e69ff7f48763c3b96
--- /dev/null
+++ b/inventories/example/ha/group_vars/celerity.yml
@@ -0,0 +1,6 @@
+---
+
+# Secret key shared between celerity server and workers for communications (should be the same everywhere for communication)
+celerity_signing_key: "my-signing-key"
+
+...
diff --git a/inventories/example/ha/group_vars/fail2ban.yml b/inventories/example/ha/group_vars/fail2ban.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e7e3ea33a4d6926c6b8b8020559938069bb389e1
--- /dev/null
+++ b/inventories/example/ha/group_vars/fail2ban.yml
@@ -0,0 +1,21 @@
+---
+
+# IP addresses exceptions (no monitored by fail2ban)
+#fail2ban_ignoreip: "127.0.0.1/8 ::1"
+
+# Number of acceptable failures before banning an IP
+#fail2ban_maxretry: "5"
+
+# Duration of bans
+#fail2ban_bantime: "10m"
+
+# Email sender of the fail2ban reports
+#fail2ban_email_from: "root@localhost"
+
+# Email reciepient of the fail2ban reports
+#fail2ban_email_to: "noreply@example.com"
+
+# Define the default action to do when a ban occurs ("action_mwl" to send whois and logs via email or "action_" for default)
+#fail2ban_action: "action_mwl"
+
+...
diff --git a/inventories/example/ha/group_vars/ferm-install.yml b/inventories/example/ha/group_vars/ferm-install.yml
new file mode 100644
index 0000000000000000000000000000000000000000..bc9282e5db13df0ee65298d69bf1c09d07a6e51f
--- /dev/null
+++ b/inventories/example/ha/group_vars/ferm-install.yml
@@ -0,0 +1,30 @@
+---
+
+# Input policy for the ferm firewall
+#ferm_input_policy: "DROP"
+
+# Activates the logs for input packets
+#ferm_input_log: False
+
+# Prefix for the input packets log lines
+#ferm_input_log_prefix: "{{ ferm_input_policy }} INPUT "
+
+# Output policy for the ferm firewall
+#ferm_output_policy: "ACCEPT"
+
+# Activates the logs for output packets
+#ferm_output_log: False
+
+# Prefix for the output packets log lines
+#ferm_output_log_prefix: "{{ ferm_output_policy }} OUTPUT "
+
+# Forward policy for the ferm firewall
+#ferm_forward_policy: "DROP"
+
+# Activates the logs for forward packets
+#ferm_forward_log: False
+
+# Prefix for the forward packets log lines
+#ferm_forward_log_prefix: "{{ ferm_forward_policy }} FORWARD "
+
+...
diff --git a/inventories/example/ha/group_vars/live.yml b/inventories/example/ha/group_vars/live.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a8095ed8e4d87ae49d8c6e7d49cfd1b01eef2ccd
--- /dev/null
+++ b/inventories/example/ha/group_vars/live.yml
@@ -0,0 +1,6 @@
+---
+
+# Define if the deployment is an HA architecture (i.e. live domain is not handle by nudgis frontend server)
+live_ha: True
+
+...
diff --git a/inventories/example/ha/group_vars/mediaserver.yml b/inventories/example/ha/group_vars/mediaserver.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d5b03ba477c95f3b6775d77d4537d43b4c5766ec
--- /dev/null
+++ b/inventories/example/ha/group_vars/mediaserver.yml
@@ -0,0 +1,24 @@
+---
+
+# Defines the address for the Nudgis Front emails sender
+#nudgis_front_email_from: "noreply@{{ nudgis_front_domain }}"
+
+# Defines the default deployed Nudgis portal "ubicast" user password
+nudgis_front_user_ubicast_password: "my-password"
+
+# Defines the default deployed Nudgis portal "admin" user password
+nudgis_front_user_admin_password: "my-password"
+
+# Domain to reach PostgreSQL database
+nudgis_front_database_domain: "127.0.0.1"
+
+# Port to reach PostgreSQL database
+nudgis_front_database_port: "54321"
+
+# Port to connect to PostgreSQL database with superuser rights
+nudgis_front_database_password: "my-password"
+
+# Directory to store nudgis portal
+#ndugis_front_instances_dir: "/data"
+
+...
diff --git a/inventories/example/ha/group_vars/mediavault.yml b/inventories/example/ha/group_vars/mediavault.yml
new file mode 100644
index 0000000000000000000000000000000000000000..1b08dd4171502f7b8fa7006ebcafe8eb9afd56aa
--- /dev/null
+++ b/inventories/example/ha/group_vars/mediavault.yml
@@ -0,0 +1,9 @@
+---
+
+# Boolean to activate the mail notifications
+#vault_email_enabled: True
+
+# Destination address for the Nudgis Vault emails
+#vault_email_to: "noreply@example.com"
+
+...
diff --git a/inventories/example/ha/group_vars/mediaworker.yml b/inventories/example/ha/group_vars/mediaworker.yml
new file mode 100644
index 0000000000000000000000000000000000000000..7c1a919d3b6ff47595ce0eb283fc62cbc6473cfd
--- /dev/null
+++ b/inventories/example/ha/group_vars/mediaworker.yml
@@ -0,0 +1,9 @@
+---
+
+# IP or domain on which the celerity server service can be joined
+celerity_server_domain: "{{ hostvars[groups['celerity'][0]]['ansible_default_ipv4']['address'] }}"
+
+# Secret key shared between celerity server and workers for communications (should be the same everywhere for communication)
+celerity_signing_key: "my-signing-key"
+
+...
diff --git a/inventories/example/ha/group_vars/mirismanager.yml b/inventories/example/ha/group_vars/mirismanager.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ec8d2c41c46dc2df32dfdc4b74db4e4138c5dc72
--- /dev/null
+++ b/inventories/example/ha/group_vars/mirismanager.yml
@@ -0,0 +1,21 @@
+---
+
+# Defines the default address for the Nudgis Manager emails sender
+#manager_email_from: "noreply@{{ manager_domain }}"
+
+# Domain to reach PostgreSQL database
+manager_database_domain: "127.0.0.1"
+
+# Port to reach PostgreSQL database
+manager_database_port: "5432"
+
+# Port to connect to PostgreSQL database with superuser rights
+#manager_database_password: "changeit"
+
+# Application ubicast user password
+manager_user_ubicast_password: "my-password"
+
+# Application admin user password
+manager_user_admin_password: "my-password"
+
+...
diff --git a/inventories/example/ha/group_vars/msmonitor.yml b/inventories/example/ha/group_vars/msmonitor.yml
new file mode 100644
index 0000000000000000000000000000000000000000..2a616c208d18bb79cf1cdd6dbe01df0824302ebd
--- /dev/null
+++ b/inventories/example/ha/group_vars/msmonitor.yml
@@ -0,0 +1,12 @@
+---
+
+# Defines the default domain for monitor
+monitor_domain: "monitor.ubica.st"
+
+# Password for the webmonitor ubicast user
+monitor_user_ubicast_password: "my-password"
+
+# Password for the webmonitor admin user
+monitor_user_admin_password: "my-password"
+
+...
diff --git a/inventories/example/ha/group_vars/netcapture.yml b/inventories/example/ha/group_vars/netcapture.yml
new file mode 100644
index 0000000000000000000000000000000000000000..8dba0f85a78bd896c0546c43fcc62d0f526fba00
--- /dev/null
+++ b/inventories/example/ha/group_vars/netcapture.yml
@@ -0,0 +1,6 @@
+---
+
+# URL of the mirismanager to use for packages
+netcapture_mm_url: "https://skyreach.ubicast.net"
+
+...
diff --git a/inventories/example/ha/group_vars/postgres.yml b/inventories/example/ha/group_vars/postgres.yml
new file mode 100644
index 0000000000000000000000000000000000000000..9e29092a0e14d6051e285ab457fe4eb39d5213a6
--- /dev/null
+++ b/inventories/example/ha/group_vars/postgres.yml
@@ -0,0 +1,56 @@
+---
+
+# PostgreSQL user/host connection file
+#database_host_authentification:
+#  - method: peer
+#    type: local
+#  - address: 127.0.0.1/32
+#    type: hostssl
+#  - address: ::1/128
+#    type: hostssl
+#  - database: replication
+#    method: peer
+#    type: local
+#  - address: 127.0.0.1/32
+#    database: replication
+#    type: hostssl
+#  - address: ::1/128
+#    database: replication
+#    type: hostssl
+
+# PostgreSQL configuration key/values
+#database_conf:
+#  - content: ''
+#    name: main
+
+# Dictionnary of extra databases to deploy (with `name` and `owner` keys)
+#database_databases: []
+
+# Password for the postgres admin account
+database_password: "my-password"
+
+# Dictionnary of extra PostgreSQL users to deploy (with `name`, `password`, `db`, `priv` and `roles` keys)
+#database_users: []
+
+# [HA only] Conninfo parameter populated in the repmgr configuration file
+#repmgr_conninfo: "host={{ ansible_default_ipv4.address }} dbname={{ repmgr_database }} user={{ repmgr_user }} connect_timeout={{ repmgr_timeout }}"
+
+# [HA only] Name of the repmgr database
+#repmgr_database: "repmgr"
+
+# [HA only] Password of the repmgr DB user
+repmgr_password: "my-password"
+
+# [HA only] Listening port for rephacheck
+#repmgr_repha_port: 8543
+
+# [HA only] List of roles for the repmgr user PostgreSQL pg_hba configuration
+#repmgr_roles: "LOGIN,REPLICATION,SUPERUSER"
+
+# [HA only] Timeout value for the repmgr connections
+#repmgr_timeout: 5
+
+# [HA only] Username of the repmgr DB user
+#repmgr_user: "repmgr"
+
+...
diff --git a/inventories/example/ha/group_vars/sysconfig.yml b/inventories/example/ha/group_vars/sysconfig.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a4f5ce3365be53231fe2b644777584c7c22433ab
--- /dev/null
+++ b/inventories/example/ha/group_vars/sysconfig.yml
@@ -0,0 +1,18 @@
+---
+
+# Debian distribution short name (example: "bullseye")
+#repos_release: "{{ ansible_distribution_release }}"
+
+# Value for the system locale
+init_locale: "en_GB.UTF-8"
+
+# Timezone to set on the servers (`timedatectl list-timezones` for the complete list)
+#init_timezone: "Europe/Paris"
+
+# Domain to use for the Debian repositories
+#repos_debian_packages_domain: "deb.debian.org"
+
+# Domain to use for the Debian security repositories
+#repos_debian_security_packages_domain: "security.debian.org"
+
+...
diff --git a/inventories/example/ha/group_vars/tester.yml b/inventories/example/ha/group_vars/tester.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ad08cd5ccc2144e0a5e790aa5ee2b504dce6050d
--- /dev/null
+++ b/inventories/example/ha/group_vars/tester.yml
@@ -0,0 +1,9 @@
+---
+
+# UbiCast admin reciever of the email report for premiums
+tester_email_admin: "my-email@domain.com"
+
+# Reciever of the email report
+tester_email_to: "noreply@domain.com"
+
+...
diff --git a/inventories/example/ha/host_vars/ha-cel.yml b/inventories/example/ha/host_vars/ha-cel.yml
new file mode 100644
index 0000000000000000000000000000000000000000..44ad4b92aba12f430035a4e8965de548ff5d2e6d
--- /dev/null
+++ b/inventories/example/ha/host_vars/ha-cel.yml
@@ -0,0 +1,93 @@
+---
+
+# tester:
+#   Name of the system in the reports
+#tester_system_name: "{{ inventory_hostname }}"
+
+# tester:
+#   Sender of the email report
+#tester_email_from: "ubicast.tester"
+
+# tester:
+#   List of tests to ignore when executing the ubicast-tester
+tester_tests_ignored:
+  - uptime.sh
+
+# postfix:
+#   Define the specified email address for the unix root account (in /etc/aliases)
+postfix_admin: "my-email@domain.com"
+
+# postfix:
+#   Default sender domain, used to complete both postfix configuration and the /etc/mailname content
+postfix_mailname: "ubica.st"
+
+# postfix:
+#   Email address used by postfix to send emails
+postfix_email_from: "noreply@domain.com"
+
+# postfix:
+#   SMTP host for the SASL account
+#postfix_relay_host: ""
+
+# postfix:
+#   User of the SMTP SASL account
+#postfix_relay_pass: ""
+
+# postfix:
+#   Password of the SMTP SASL account
+#postfix_relay_user: ""
+
+# sysuser:
+#   Do not configure any ubicast ssh public key
+# sysconfig:
+#   Do not configure any repository and use local repository
+#offline_mode: False
+
+# sysuser:
+#   Password for the system user ubicast
+sysuser_ubicast_password: "my-password"
+
+# sysuser:
+#   Password for the system user admin
+sysuser_admin_password: "my-password"
+
+# sysconfig:
+#   Prefix of the debian repositories, with the protocol (example: "http://"). Used when the apt-cacher-ng of the Nudgis Manager proxifies the debian repositories.
+#repos_debian_prefix: "http://"
+
+# sysconfig:
+#   List of NTP servers to use on the systems
+ntp_servers:
+  - 0.debian.pool.ntp.org
+  - 1.debian.pool.ntp.org
+
+# sysconfig:
+#   Token used in the UbiCast debian repository URL
+repos_ubicast_packages_token: "UBICAST-APT-TOKEN"
+
+# sysconfig:
+#   Domain of the UbiCast debian packages repository URL
+repos_ubicast_packages_domain: "manager.ubica.st"
+
+# ferm-configure:
+#   Global settings to be put in ferm.d directory
+#ferm_global_settings: |
+
+
+# ferm-configure:
+#   List of input rules for the ferm firewall
+#ferm_input_rules: []
+
+# ferm-configure:
+#   List of output rules for the ferm firewall
+#ferm_output_rules: []
+
+# ferm-configure:
+#   Filename into which rules will be written
+#ferm_rules_filename: "default"
+
+# ferm-configure:
+#   List of forward rules for the ferm firewall
+#ferm_forward_rules: []
+
+...
diff --git a/inventories/example/ha/host_vars/ha-db1.yml b/inventories/example/ha/host_vars/ha-db1.yml
new file mode 100644
index 0000000000000000000000000000000000000000..71c3cd49ee4cf9a14679ce79ca0be3d17c61b4e5
--- /dev/null
+++ b/inventories/example/ha/host_vars/ha-db1.yml
@@ -0,0 +1,97 @@
+---
+
+# tester:
+#   Name of the system in the reports
+#tester_system_name: "{{ inventory_hostname }}"
+
+# tester:
+#   Sender of the email report
+#tester_email_from: "ubicast.tester"
+
+# tester:
+#   List of tests to ignore when executing the ubicast-tester
+tester_tests_ignored:
+  - uptime.sh
+
+# postfix:
+#   Define the specified email address for the unix root account (in /etc/aliases)
+postfix_admin: "my-email@domain.com"
+
+# postfix:
+#   Default sender domain, used to complete both postfix configuration and the /etc/mailname content
+postfix_mailname: "ubica.st"
+
+# postfix:
+#   Email address used by postfix to send emails
+postfix_email_from: "noreply@domain.com"
+
+# postfix:
+#   SMTP host for the SASL account
+#postfix_relay_host: ""
+
+# postfix:
+#   User of the SMTP SASL account
+#postfix_relay_pass: ""
+
+# postfix:
+#   Password of the SMTP SASL account
+#postfix_relay_user: ""
+
+# postgres:
+#   [HA only] Define database role on this host. Possible values: primary, standby or witness
+database_role: "primary"
+
+# sysuser:
+#   Do not configure any ubicast ssh public key
+# sysconfig:
+#   Do not configure any repository and use local repository
+#offline_mode: False
+
+# sysuser:
+#   Password for the system user ubicast
+sysuser_ubicast_password: "my-password"
+
+# sysuser:
+#   Password for the system user admin
+sysuser_admin_password: "my-password"
+
+# sysconfig:
+#   Prefix of the debian repositories, with the protocol (example: "http://"). Used when the apt-cacher-ng of the Nudgis Manager proxifies the debian repositories.
+#repos_debian_prefix: "http://"
+
+# sysconfig:
+#   List of NTP servers to use on the systems
+ntp_servers:
+  - 0.debian.pool.ntp.org
+  - 1.debian.pool.ntp.org
+
+# sysconfig:
+#   Token used in the UbiCast debian repository URL
+repos_ubicast_packages_token: "UBICAST-APT-TOKEN"
+
+# sysconfig:
+#   Domain of the UbiCast debian packages repository URL
+repos_ubicast_packages_domain: "manager.ubica.st"
+
+# ferm-configure:
+#   Global settings to be put in ferm.d directory
+#ferm_global_settings: |
+
+
+# ferm-configure:
+#   List of input rules for the ferm firewall
+#ferm_input_rules: []
+
+# ferm-configure:
+#   List of output rules for the ferm firewall
+#ferm_output_rules: []
+
+# ferm-configure:
+#   Filename into which rules will be written
+#ferm_rules_filename: "default"
+
+# ferm-configure:
+#   List of forward rules for the ferm firewall
+#ferm_forward_rules: []
+
+...
diff --git a/inventories/example/ha/host_vars/ha-db2.yml b/inventories/example/ha/host_vars/ha-db2.yml
new file mode 100644
index 0000000000000000000000000000000000000000..fdbba032ce48561700194eda8ff508e0fc8145f1
--- /dev/null
+++ b/inventories/example/ha/host_vars/ha-db2.yml
@@ -0,0 +1,97 @@
+---
+
+# tester:
+#   Name of the system in the reports
+#tester_system_name: "{{ inventory_hostname }}"
+
+# tester:
+#   Sender of the email report
+#tester_email_from: "ubicast.tester"
+
+# tester:
+#   List of tests to ignore when executing the ubicast-tester
+tester_tests_ignored:
+  - uptime.sh
+
+# postfix:
+#   Define the specified email address for the unix root account (in /etc/aliases)
+postfix_admin: "my-email@domain.com"
+
+# postfix:
+#   Default sender domain, used to complete both postfix configuration and the /etc/mailname content
+postfix_mailname: "ubica.st"
+
+# postfix:
+#   Email address used by postfix to send emails
+postfix_email_from: "noreply@domain.com"
+
+# postfix:
+#   SMTP host for the SASL account
+#postfix_relay_host: ""
+
+# postfix:
+#   User of the SMTP SASL account
+#postfix_relay_pass: ""
+
+# postfix:
+#   Password of the SMTP SASL account
+#postfix_relay_user: ""
+
+# postgres:
+#   [HA only] Define database role on this host. Possible values: primary, standby or witness
+database_role: "standby"
+
+# sysuser:
+#   Do not configure any ubicast ssh public key
+# sysconfig:
+#   Do not configure any repository and use local repository
+#offline_mode: False
+
+# sysuser:
+#   Password for the system user ubicast
+sysuser_ubicast_password: "my-password"
+
+# sysuser:
+#   Password for the system user admin
+sysuser_admin_password: "my-password"
+
+# sysconfig:
+#   Prefix of the debian repositories, with the protocol (example: "http://"). Used when the apt-cacher-ng of the Nudgis Manager proxifies the debian repositories.
+#repos_debian_prefix: "http://"
+
+# sysconfig:
+#   List of NTP servers to use on the systems
+ntp_servers:
+  - 0.debian.pool.ntp.org
+  - 1.debian.pool.ntp.org
+
+# sysconfig:
+#   Token used in the UbiCast debian repository URL
+repos_ubicast_packages_token: "UBICAST-APT-TOKEN"
+
+# sysconfig:
+#   Domain of the UbiCast debian packages repository URL
+repos_ubicast_packages_domain: "manager.ubica.st"
+
+# ferm-configure:
+#   Global settings to be put in ferm.d directory
+#ferm_global_settings: |
+
+
+# ferm-configure:
+#   List of input rules for the ferm firewall
+#ferm_input_rules: []
+
+# ferm-configure:
+#   List of output rules for the ferm firewall
+#ferm_output_rules: []
+
+# ferm-configure:
+#   Filename into which rules will be written
+#ferm_rules_filename: "default"
+
+# ferm-configure:
+#   List of forward rules for the ferm firewall
+#ferm_forward_rules: []
+
+...
diff --git a/inventories/example/ha/host_vars/ha-dbw.yml b/inventories/example/ha/host_vars/ha-dbw.yml
new file mode 100644
index 0000000000000000000000000000000000000000..551a7c8d9db63a0920cabf2cf5b73df977cef9a0
--- /dev/null
+++ b/inventories/example/ha/host_vars/ha-dbw.yml
@@ -0,0 +1,97 @@
+---
+
+# tester:
+#   Name of the system in the reports
+#tester_system_name: "{{ inventory_hostname }}"
+
+# tester:
+#   Sender of the email report
+#tester_email_from: "ubicast.tester"
+
+# tester:
+#   List of tests to ignore when executing the ubicast-tester
+tester_tests_ignored:
+  - uptime.sh
+
+# postfix:
+#   Define the specified email address for the unix root account (in /etc/aliases)
+postfix_admin: "my-email@domain.com"
+
+# postfix:
+#   Default sender domain, used to complete both postfix configuration and the /etc/mailname content
+postfix_mailname: "ubica.st"
+
+# postfix:
+#   Email address used by postfix to send emails
+postfix_email_from: "noreply@domain.com"
+
+# postfix:
+#   SMTP host for the SASL account
+#postfix_relay_host: ""
+
+# postfix:
+#   User of the SMTP SASL account
+#postfix_relay_pass: ""
+
+# postfix:
+#   Password of the SMTP SASL account
+#postfix_relay_user: ""
+
+# postgres:
+#   [HA only] Define database role on this host. Possible values: primary, standby or witness
+database_role: "witness"
+
+# sysuser:
+#   Do not configure any ubicast ssh public key
+# sysconfig:
+#   Do not configure any repository and use local repository
+#offline_mode: False
+
+# sysuser:
+#   Password for the system user ubicast
+sysuser_ubicast_password: "my-password"
+
+# sysuser:
+#   Password for the system user admin
+sysuser_admin_password: "my-password"
+
+# sysconfig:
+#   Prefix of the debian repositories, with the protocol (example: "http://"). Used when the apt-cacher-ng of the Nudgis Manager proxifies the debian repositories.
+#repos_debian_prefix: "http://"
+
+# sysconfig:
+#   List of NTP servers to use on the systems
+ntp_servers:
+  - 0.debian.pool.ntp.org
+  - 1.debian.pool.ntp.org
+
+# sysconfig:
+#   Token used in the UbiCast debian repository URL
+repos_ubicast_packages_token: "UBICAST-APT-TOKEN"
+
+# sysconfig:
+#   Domain of the UbiCast debian packages repository URL
+repos_ubicast_packages_domain: "manager.ubica.st"
+
+# ferm-configure:
+#   Global settings to be put in ferm.d directory
+#ferm_global_settings: |
+
+
+# ferm-configure:
+#   List of input rules for the ferm firewall
+#ferm_input_rules: []
+
+# ferm-configure:
+#   List of output rules for the ferm firewall
+#ferm_output_rules: []
+
+# ferm-configure:
+#   Filename into which rules will be written
+#ferm_rules_filename: "default"
+
+# ferm-configure:
+#   List of forward rules for the ferm firewall
+#ferm_forward_rules: []
+
+...
diff --git a/inventories/example/ha/host_vars/ha-live1.yml b/inventories/example/ha/host_vars/ha-live1.yml
new file mode 100644
index 0000000000000000000000000000000000000000..78a81936a4e06543f2976ce7410fd97c0c36ae60
--- /dev/null
+++ b/inventories/example/ha/host_vars/ha-live1.yml
@@ -0,0 +1,97 @@
+---
+
+# tester:
+#   Name of the system in the reports
+#tester_system_name: "{{ inventory_hostname }}"
+
+# tester:
+#   Sender of the email report
+#tester_email_from: "ubicast.tester"
+
+# tester:
+#   List of tests to ignore when executing the ubicast-tester
+tester_tests_ignored:
+  - uptime.sh
+
+# postfix:
+#   Define the specified email address for the unix root account (in /etc/aliases)
+postfix_admin: "my-email@domain.com"
+
+# postfix:
+#   Default sender domain, used to complete both postfix configuration and the /etc/mailname content
+postfix_mailname: "ubica.st"
+
+# postfix:
+#   Email address used by postfix to send emails
+postfix_email_from: "noreply@domain.com"
+
+# postfix:
+#   SMTP host for the SASL account
+#postfix_relay_host: ""
+
+# postfix:
+#   User of the SMTP SASL account
+#postfix_relay_pass: ""
+
+# postfix:
+#   Password of the SMTP SASL account
+#postfix_relay_user: ""
+
+# live:
+#   Size of the tmpfs storing the live chunks (unit g or m and only if distinct live server(s) from MediaServer)
+#live_tmpfs_size: "2048m"
+
+# sysuser:
+#   Do not configure any ubicast ssh public key
+# sysconfig:
+#   Do not configure any repository and use local repository
+#offline_mode: False
+
+# sysuser:
+#   Password for the system user ubicast
+sysuser_ubicast_password: "my-password"
+
+# sysuser:
+#   Password for the system user admin
+sysuser_admin_password: "my-password"
+
+# sysconfig:
+#   Prefix of the debian repositories, with the protocol (example: "http://"). Used when the apt-cacher-ng of the Nudgis Manager proxifies the debian repositories.
+#repos_debian_prefix: "http://"
+
+# sysconfig:
+#   List of NTP servers to use on the systems
+ntp_servers:
+  - 0.debian.pool.ntp.org
+  - 1.debian.pool.ntp.org
+
+# sysconfig:
+#   Token used in the UbiCast debian repository URL
+repos_ubicast_packages_token: "UBICAST-APT-TOKEN"
+
+# sysconfig:
+#   Domain of the UbiCast debian packages repository URL
+repos_ubicast_packages_domain: "manager.ubica.st"
+
+# ferm-configure:
+#   Global settings to be put in ferm.d directory
+#ferm_global_settings: |
+
+
+# ferm-configure:
+#   List of input rules for the ferm firewall
+#ferm_input_rules: []
+
+# ferm-configure:
+#   List of output rules for the ferm firewall
+#ferm_output_rules: []
+
+# ferm-configure:
+#   Filename into which rules will be written
+#ferm_rules_filename: "default"
+
+# ferm-configure:
+#   List of forward rules for the ferm firewall
+#ferm_forward_rules: []
+
+...
diff --git a/inventories/example/ha/host_vars/ha-live2.yml b/inventories/example/ha/host_vars/ha-live2.yml
new file mode 100644
index 0000000000000000000000000000000000000000..78a81936a4e06543f2976ce7410fd97c0c36ae60
--- /dev/null
+++ b/inventories/example/ha/host_vars/ha-live2.yml
@@ -0,0 +1,97 @@
+---
+
+# tester:
+#   Name of the system in the reports
+#tester_system_name: "{{ inventory_hostname }}"
+
+# tester:
+#   Sender of the email report
+#tester_email_from: "ubicast.tester"
+
+# tester:
+#   List of tests to ignore when executing the ubicast-tester
+tester_tests_ignored:
+  - uptime.sh
+
+# postfix:
+#   Define the specified email address for the unix root account (in /etc/aliases)
+postfix_admin: "my-email@domain.com"
+
+# postfix:
+#   Default sender domain, used to complete both postfix configuration and the /etc/mailname content
+postfix_mailname: "ubica.st"
+
+# postfix:
+#   Email address used by postfix to send emails
+postfix_email_from: "noreply@domain.com"
+
+# postfix:
+#   SMTP host for the SASL account
+#postfix_relay_host: ""
+
+# postfix:
+#   User of the SMTP SASL account
+#postfix_relay_pass: ""
+
+# postfix:
+#   Password of the SMTP SASL account
+#postfix_relay_user: ""
+
+# live:
+#   Size of the tmpfs storing the live chunks (unit g or m and only if distinct live server(s) from MediaServer)
+#live_tmpfs_size: "2048m"
+
+# sysuser:
+#   Do not configure any ubicast ssh public key
+# sysconfig:
+#   Do not configure any repository and use local repository
+#offline_mode: False
+
+# sysuser:
+#   Password for the system user ubicast
+sysuser_ubicast_password: "my-password"
+
+# sysuser:
+#   Password for the system user admin
+sysuser_admin_password: "my-password"
+
+# sysconfig:
+#   Prefix of the debian repositories, with the protocol (example: "http://"). Used when the apt-cacher-ng of the Nudgis Manager proxifies the debian repositories.
+#repos_debian_prefix: "http://"
+
+# sysconfig:
+#   List of NTP servers to use on the systems
+ntp_servers:
+  - 0.debian.pool.ntp.org
+  - 1.debian.pool.ntp.org
+
+# sysconfig:
+#   Token used in the UbiCast debian repository URL
+repos_ubicast_packages_token: "UBICAST-APT-TOKEN"
+
+# sysconfig:
+#   Domain of the UbiCast debian packages repository URL
+repos_ubicast_packages_domain: "manager.ubica.st"
+
+# ferm-configure:
+#   Global settings to be put in ferm.d directory
+#ferm_global_settings: |
+
+
+# ferm-configure:
+#   List of input rules for the ferm firewall
+#ferm_input_rules: []
+
+# ferm-configure:
+#   List of output rules for the ferm firewall
+#ferm_output_rules: []
+
+# ferm-configure:
+#   Filename into which rules will be written
+#ferm_rules_filename: "default"
+
+# ferm-configure:
+#   List of forward rules for the ferm firewall
+#ferm_forward_rules: []
+
+...
diff --git a/inventories/example/ha/host_vars/ha-misc1.yml b/inventories/example/ha/host_vars/ha-misc1.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f309907c9f18531539202b982bde08de6d36b551
--- /dev/null
+++ b/inventories/example/ha/host_vars/ha-misc1.yml
@@ -0,0 +1,153 @@
+---
+
+# tester:
+#   Name of the system in the reports
+#tester_system_name: "{{ inventory_hostname }}"
+
+# tester:
+#   Sender of the email report
+#tester_email_from: "ubicast.tester"
+
+# tester:
+#   List of tests to ignore when executing the ubicast-tester
+tester_tests_ignored:
+  - uptime.sh
+
+# mediavault:
+#   From fields for email sending (as defined in RFC2822)
+#vault_email_from: "{{ ansible_fqdn }} <backup@{{ ansible_fqdn }}>"
+
+# postfix:
+#   Define the specified email address for the unix root account (in /etc/aliases)
+postfix_admin: "my-email@domain.com"
+
+# postfix:
+#   Default sender domain, used to complete both postfix configuration and the /etc/mailname content
+postfix_mailname: "ubica.st"
+
+# postfix:
+#   Email address used by postfix to send emails
+postfix_email_from: "noreply@domain.com"
+
+# postfix:
+#   SMTP host for the SASL account
+#postfix_relay_host: ""
+
+# postfix:
+#   User of the SMTP SASL account
+#postfix_relay_pass: ""
+
+# postfix:
+#   Password of the SMTP SASL account
+#postfix_relay_user: ""
+
+# mediacache:
+#   URL of the Nudgis Cache vhost
+cache_domain: "cache.ubica.st"
+
+# mediacache:
+#   Path of the folder to cache the VOD service data
+#cache_vod_folder: "/var/cache/nginx/mediacache-vod"
+
+# mediacache:
+#   Max size allowed for the VOD service data
+#cache_vod_size: "1"
+
+# mediacache:
+#   Path of the folder to cache the Live service data
+#cache_live_folder: "/var/cache/nginx/mediacache-live"
+
+# mediacache:
+#   Max size allowed for the Live service data
+#cache_live_size: "1"
+
+# netcapture:
+#   Password of the deployed netcapture miris API
+netcapture_miris_user_pwd: "my-password"
+
+# netcapture:
+#   Folder used to store the packages
+#netcapture_pkg_folder: "/data/netcapture/packages"
+
+# netcapture:
+#   Folder used to store the configurations
+#netcapture_conf_folder: "/etc/miris/conf"
+
+# netcapture:
+#   Folder used to store the medias
+#netcapture_media_folder: "/data/netcapture/media"
+
+# netcapture:
+#   Activates the SSL verification when calling the Nudgis Manager
+#netcapture_mm_ssl: True
+
+# netcapture:
+#   Activates the authentication for the deployed netcapture miris API
+#netcapture_miris_auth: True
+
+# sysuser:
+#   Do not configure any ubicast ssh public key
+# sysconfig:
+#   Do not configure any repository and use local repository
+#offline_mode: False
+
+# sysuser:
+#   Password for the system user ubicast
+sysuser_ubicast_password: "my-password"
+
+# sysuser:
+#   Password for the system user admin
+sysuser_admin_password: "my-password"
+
+# nginx:
+#   Path of the SSL certificate for nginx configuration
+#nginx_ssl_certificate: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+
+# nginx:
+#   Path of the SSL key for nginx configuration
+#nginx_ssl_certificate_key: "/etc/ssl/private/ssl-cert-snakeoil.key"
+
+# nginx:
+#   IPv4 address of the reverse-proxy or loadbalancer above the server(s)
+#nginx_real_ip_from: ""
+
+# sysconfig:
+#   Prefix of the debian repositories, with the protocol (example: "http://"). Used when the apt-cacher-ng of the Nudgis Manager proxifies the debian repositories.
+#repos_debian_prefix: "http://"
+
+# sysconfig:
+#   List of NTP servers to use on the systems
+ntp_servers:
+  - 0.debian.pool.ntp.org
+  - 1.debian.pool.ntp.org
+
+# sysconfig:
+#   Token used in the UbiCast debian repository URL
+repos_ubicast_packages_token: "UBICAST-APT-TOKEN"
+
+# sysconfig:
+#   Domain of the UbiCast debian packages repository URL
+repos_ubicast_packages_domain: "manager.ubica.st"
+
+# ferm-configure:
+#   Global settings to be put in ferm.d directory
+#ferm_global_settings: |
+
+
+# ferm-configure:
+#   List of input rules for the ferm firewall
+#ferm_input_rules: []
+
+# ferm-configure:
+#   List of output rules for the ferm firewall
+#ferm_output_rules: []
+
+# ferm-configure:
+#   Filename into which rules will be written
+#ferm_rules_filename: "default"
+
+# ferm-configure:
+#   List of forward rules for the ferm firewall
+#ferm_forward_rules: []
+
+...
diff --git a/inventories/example/ha/host_vars/ha-mm.yml b/inventories/example/ha/host_vars/ha-mm.yml
new file mode 100644
index 0000000000000000000000000000000000000000..0d983a3df7f5468778e435b7a570f2cc54c34ba6
--- /dev/null
+++ b/inventories/example/ha/host_vars/ha-mm.yml
@@ -0,0 +1,109 @@
+---
+
+# tester:
+#   Name of the system in the reports
+#tester_system_name: "{{ inventory_hostname }}"
+
+# tester:
+#   Sender of the email report
+#tester_email_from: "ubicast.tester"
+
+# tester:
+#   List of tests to ignore when executing the ubicast-tester
+tester_tests_ignored:
+  - uptime.sh
+
+# postfix:
+#   Define the specified email address for the unix root account (in /etc/aliases)
+postfix_admin: "my-email@domain.com"
+
+# postfix:
+#   Default sender domain, used to complete both postfix configuration and the /etc/mailname content
+postfix_mailname: "ubica.st"
+
+# postfix:
+#   Email address used by postfix to send emails
+postfix_email_from: "noreply@domain.com"
+
+# postfix:
+#   SMTP host for the SASL account
+#postfix_relay_host: ""
+
+# postfix:
+#   User of the SMTP SASL account
+#postfix_relay_pass: ""
+
+# postfix:
+#   Password of the SMTP SASL account
+#postfix_relay_user: ""
+
+# sysuser:
+#   Do not configure any ubicast ssh public key
+# sysconfig:
+#   Do not configure any repository and use local repository
+#offline_mode: False
+
+# sysuser:
+#   Password for the system user ubicast
+sysuser_ubicast_password: "my-password"
+
+# sysuser:
+#   Password for the system user admin
+sysuser_admin_password: "my-password"
+
+# mirismanager:
+#   Mandatory proxy to use in apt-cacher-ng
+#http_proxy: ""
+
+# nginx:
+#   Path of the SSL certificate for nginx configuration
+#nginx_ssl_certificate: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+
+# nginx:
+#   Path of the SSL key for nginx configuration
+#nginx_ssl_certificate_key: "/etc/ssl/private/ssl-cert-snakeoil.key"
+
+# nginx:
+#   IPv4 address of the reverse-proxy or loadbalancer above the server(s)
+#nginx_real_ip_from: ""
+
+# sysconfig:
+#   Prefix of the debian repositories, with the protocol (example: "http://"). Used when the apt-cacher-ng of the Nudgis Manager proxifies the debian repositories.
+#repos_debian_prefix: "http://"
+
+# sysconfig:
+#   List of NTP servers to use on the systems
+ntp_servers:
+  - 0.debian.pool.ntp.org
+  - 1.debian.pool.ntp.org
+
+# sysconfig:
+#   Token used in the UbiCast debian repository URL
+repos_ubicast_packages_token: "UBICAST-APT-TOKEN"
+
+# sysconfig:
+#   Domain of the UbiCast debian packages repository URL
+repos_ubicast_packages_domain: "manager.ubica.st"
+
+# ferm-configure:
+#   Global settings to be put in ferm.d directory
+#ferm_global_settings: |
+
+
+# ferm-configure:
+#   List of input rules for the ferm firewall
+#ferm_input_rules: []
+
+# ferm-configure:
+#   List of output rules for the ferm firewall
+#ferm_output_rules: []
+
+# ferm-configure:
+#   Filename into which rules will be written
+#ferm_rules_filename: "default"
+
+# ferm-configure:
+#   List of forward rules for the ferm firewall
+#ferm_forward_rules: []
+
+...
diff --git a/inventories/example/ha/host_vars/ha-ms1.yml b/inventories/example/ha/host_vars/ha-ms1.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e783ed81ff4f5256ffeed52eecd2178d4ed10302
--- /dev/null
+++ b/inventories/example/ha/host_vars/ha-ms1.yml
@@ -0,0 +1,105 @@
+---
+
+# tester:
+#   Name of the system in the reports
+#tester_system_name: "{{ inventory_hostname }}"
+
+# tester:
+#   Sender of the email report
+#tester_email_from: "ubicast.tester"
+
+# tester:
+#   List of tests to ignore when executing the ubicast-tester
+tester_tests_ignored:
+  - uptime.sh
+
+# postfix:
+#   Define the specified email address for the unix root account (in /etc/aliases)
+postfix_admin: "my-email@domain.com"
+
+# postfix:
+#   Default sender domain, used to complete both postfix configuration and the /etc/mailname content
+postfix_mailname: "ubica.st"
+
+# postfix:
+#   Email address used by postfix to send emails
+postfix_email_from: "noreply@domain.com"
+
+# postfix:
+#   SMTP host for the SASL account
+#postfix_relay_host: ""
+
+# postfix:
+#   User of the SMTP SASL account
+#postfix_relay_pass: ""
+
+# postfix:
+#   Password of the SMTP SASL account
+#postfix_relay_user: ""
+
+# sysuser:
+#   Do not configure any ubicast ssh public key
+# sysconfig:
+#   Do not configure any repository and use local repository
+#offline_mode: False
+
+# sysuser:
+#   Password for the system user ubicast
+sysuser_ubicast_password: "my-password"
+
+# sysuser:
+#   Password for the system user admin
+sysuser_admin_password: "my-password"
+
+# nginx:
+#   Path of the SSL certificate for nginx configuration
+#nginx_ssl_certificate: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+
+# nginx:
+#   Path of the SSL key for nginx configuration
+#nginx_ssl_certificate_key: "/etc/ssl/private/ssl-cert-snakeoil.key"
+
+# nginx:
+#   IPv4 address of the reverse-proxy or loadbalancer above the server(s)
+#nginx_real_ip_from: ""
+
+# sysconfig:
+#   Prefix of the debian repositories, with the protocol (example: "http://"). Used when the apt-cacher-ng of the Nudgis Manager proxifies the debian repositories.
+#repos_debian_prefix: "http://"
+
+# sysconfig:
+#   List of NTP servers to use on the systems
+ntp_servers:
+  - 0.debian.pool.ntp.org
+  - 1.debian.pool.ntp.org
+
+# sysconfig:
+#   Token used in the UbiCast debian repository URL
+repos_ubicast_packages_token: "UBICAST-APT-TOKEN"
+
+# sysconfig:
+#   Domain of the UbiCast debian packages repository URL
+repos_ubicast_packages_domain: "manager.ubica.st"
+
+# ferm-configure:
+#   Global settings to be put in ferm.d directory
+#ferm_global_settings: |
+
+
+# ferm-configure:
+#   List of input rules for the ferm firewall
+#ferm_input_rules: []
+
+# ferm-configure:
+#   List of output rules for the ferm firewall
+#ferm_output_rules: []
+
+# ferm-configure:
+#   Filename into which rules will be written
+#ferm_rules_filename: "default"
+
+# ferm-configure:
+#   List of forward rules for the ferm firewall
+#ferm_forward_rules: []
+
+...
diff --git a/inventories/example/ha/host_vars/ha-ms2.yml b/inventories/example/ha/host_vars/ha-ms2.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e783ed81ff4f5256ffeed52eecd2178d4ed10302
--- /dev/null
+++ b/inventories/example/ha/host_vars/ha-ms2.yml
@@ -0,0 +1,105 @@
+---
+
+# tester:
+#   Name of the system in the reports
+#tester_system_name: "{{ inventory_hostname }}"
+
+# tester:
+#   Sender of the email report
+#tester_email_from: "ubicast.tester"
+
+# tester:
+#   List of tests to ignore when executing the ubicast-tester
+tester_tests_ignored:
+  - uptime.sh
+
+# postfix:
+#   Define the specified email address for the unix root account (in /etc/aliases)
+postfix_admin: "my-email@domain.com"
+
+# postfix:
+#   Default sender domain, used to complete both postfix configuration and the /etc/mailname content
+postfix_mailname: "ubica.st"
+
+# postfix:
+#   Email address used by postfix to send emails
+postfix_email_from: "noreply@domain.com"
+
+# postfix:
+#   SMTP host for the SASL account
+#postfix_relay_host: ""
+
+# postfix:
+#   User of the SMTP SASL account
+#postfix_relay_pass: ""
+
+# postfix:
+#   Password of the SMTP SASL account
+#postfix_relay_user: ""
+
+# sysuser:
+#   Do not configure any ubicast ssh public key
+# sysconfig:
+#   Do not configure any repository and use local repository
+#offline_mode: False
+
+# sysuser:
+#   Password for the system user ubicast
+sysuser_ubicast_password: "my-password"
+
+# sysuser:
+#   Password for the system user admin
+sysuser_admin_password: "my-password"
+
+# nginx:
+#   Path of the SSL certificate for nginx configuration
+#nginx_ssl_certificate: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+
+# nginx:
+#   Path of the SSL key for nginx configuration
+#nginx_ssl_certificate_key: "/etc/ssl/private/ssl-cert-snakeoil.key"
+
+# nginx:
+#   IPv4 address of the reverse-proxy or loadbalancer above the server(s)
+#nginx_real_ip_from: ""
+
+# sysconfig:
+#   Prefix of the debian repositories, with the protocol (example: "http://"). Used when the apt-cacher-ng of the Nudgis Manager proxifies the debian repositories.
+#repos_debian_prefix: "http://"
+
+# sysconfig:
+#   List of NTP servers to use on the systems
+ntp_servers:
+  - 0.debian.pool.ntp.org
+  - 1.debian.pool.ntp.org
+
+# sysconfig:
+#   Token used in the UbiCast debian repository URL
+repos_ubicast_packages_token: "UBICAST-APT-TOKEN"
+
+# sysconfig:
+#   Domain of the UbiCast debian packages repository URL
+repos_ubicast_packages_domain: "manager.ubica.st"
+
+# ferm-configure:
+#   Global settings to be put in ferm.d directory
+#ferm_global_settings: |
+
+
+# ferm-configure:
+#   List of input rules for the ferm firewall
+#ferm_input_rules: []
+
+# ferm-configure:
+#   List of output rules for the ferm firewall
+#ferm_output_rules: []
+
+# ferm-configure:
+#   Filename into which rules will be written
+#ferm_rules_filename: "default"
+
+# ferm-configure:
+#   List of forward rules for the ferm firewall
+#ferm_forward_rules: []
+
+...
diff --git a/inventories/example/ha/host_vars/ha-mw1.yml b/inventories/example/ha/host_vars/ha-mw1.yml
new file mode 100644
index 0000000000000000000000000000000000000000..44ad4b92aba12f430035a4e8965de548ff5d2e6d
--- /dev/null
+++ b/inventories/example/ha/host_vars/ha-mw1.yml
@@ -0,0 +1,93 @@
+---
+
+# tester:
+#   Name of the system in the reports
+#tester_system_name: "{{ inventory_hostname }}"
+
+# tester:
+#   Sender of the email report
+#tester_email_from: "ubicast.tester"
+
+# tester:
+#   List of tests to ignore when executing the ubicast-tester
+tester_tests_ignored:
+  - uptime.sh
+
+# postfix:
+#   Define the specified email address for the unix root account (in /etc/aliases)
+postfix_admin: "my-email@domain.com"
+
+# postfix:
+#   Default sender domain, used to complete both postfix configuration and the /etc/mailname content
+postfix_mailname: "ubica.st"
+
+# postfix:
+#   Email address used by postfix to send emails
+postfix_email_from: "noreply@domain.com"
+
+# postfix:
+#   SMTP host for the SASL account
+#postfix_relay_host: ""
+
+# postfix:
+#   User of the SMTP SASL account
+#postfix_relay_pass: ""
+
+# postfix:
+#   Password of the SMTP SASL account
+#postfix_relay_user: ""
+
+# sysuser:
+#   Do not configure any ubicast ssh public key
+# sysconfig:
+#   Do not configure any repository and use local repository
+#offline_mode: False
+
+# sysuser:
+#   Password for the system user ubicast
+sysuser_ubicast_password: "my-password"
+
+# sysuser:
+#   Password for the system user admin
+sysuser_admin_password: "my-password"
+
+# sysconfig:
+#   Prefix of the debian repositories, with the protocol (example: "http://"). Used when the apt-cacher-ng of the Nudgis Manager proxifies the debian repositories.
+#repos_debian_prefix: "http://"
+
+# sysconfig:
+#   List of NTP servers to use on the systems
+ntp_servers:
+  - 0.debian.pool.ntp.org
+  - 1.debian.pool.ntp.org
+
+# sysconfig:
+#   Token used in the UbiCast debian repository URL
+repos_ubicast_packages_token: "UBICAST-APT-TOKEN"
+
+# sysconfig:
+#   Domain of the UbiCast debian packages repository URL
+repos_ubicast_packages_domain: "manager.ubica.st"
+
+# ferm-configure:
+#   Global settings to be put in ferm.d directory
+#ferm_global_settings: |
+
+
+# ferm-configure:
+#   List of input rules for the ferm firewall
+#ferm_input_rules: []
+
+# ferm-configure:
+#   List of output rules for the ferm firewall
+#ferm_output_rules: []
+
+# ferm-configure:
+#   Filename into which rules will be written
+#ferm_rules_filename: "default"
+
+# ferm-configure:
+#   List of forward rules for the ferm firewall
+#ferm_forward_rules: []
+
+...
diff --git a/inventories/example/ha/host_vars/ha-mw2.yml b/inventories/example/ha/host_vars/ha-mw2.yml
new file mode 100644
index 0000000000000000000000000000000000000000..44ad4b92aba12f430035a4e8965de548ff5d2e6d
--- /dev/null
+++ b/inventories/example/ha/host_vars/ha-mw2.yml
@@ -0,0 +1,93 @@
+---
+
+# tester:
+#   Name of the system in the reports
+#tester_system_name: "{{ inventory_hostname }}"
+
+# tester:
+#   Sender of the email report
+#tester_email_from: "ubicast.tester"
+
+# tester:
+#   List of tests to ignore when executing the ubicast-tester
+tester_tests_ignored:
+  - uptime.sh
+
+# postfix:
+#   Define the specified email address for the unix root account (in /etc/aliases)
+postfix_admin: "my-email@domain.com"
+
+# postfix:
+#   Default sender domain, used to complete both postfix configuration and the /etc/mailname content
+postfix_mailname: "ubica.st"
+
+# postfix:
+#   Email address used by postfix to send emails
+postfix_email_from: "noreply@domain.com"
+
+# postfix:
+#   SMTP host for the SASL account
+#postfix_relay_host: ""
+
+# postfix:
+#   User of the SMTP SASL account
+#postfix_relay_pass: ""
+
+# postfix:
+#   Password of the SMTP SASL account
+#postfix_relay_user: ""
+
+# sysuser:
+#   Do not configure any ubicast ssh public key
+# sysconfig:
+#   Do not configure any repository and use local repository
+#offline_mode: False
+
+# sysuser:
+#   Password for the system user ubicast
+sysuser_ubicast_password: "my-password"
+
+# sysuser:
+#   Password for the system user admin
+sysuser_admin_password: "my-password"
+
+# sysconfig:
+#   Prefix of the debian repositories, with the protocol (example: "http://"). Used when the apt-cacher-ng of the Nudgis Manager proxifies the debian repositories.
+#repos_debian_prefix: "http://"
+
+# sysconfig:
+#   List of NTP servers to use on the systems
+ntp_servers:
+  - 0.debian.pool.ntp.org
+  - 1.debian.pool.ntp.org
+
+# sysconfig:
+#   Token used in the UbiCast debian repository URL
+repos_ubicast_packages_token: "UBICAST-APT-TOKEN"
+
+# sysconfig:
+#   Domain of the UbiCast debian packages repository URL
+repos_ubicast_packages_domain: "manager.ubica.st"
+
+# ferm-configure:
+#   Global settings to be put in ferm.d directory
+#ferm_global_settings: |
+
+
+# ferm-configure:
+#   List of input rules for the ferm firewall
+#ferm_input_rules: []
+
+# ferm-configure:
+#   List of output rules for the ferm firewall
+#ferm_output_rules: []
+
+# ferm-configure:
+#   Filename into which rules will be written
+#ferm_rules_filename: "default"
+
+# ferm-configure:
+#   List of forward rules for the ferm firewall
+#ferm_forward_rules: []
+
+...
diff --git a/inventories/example/ha/hosts b/inventories/example/ha/hosts
new file mode 100644
index 0000000000000000000000000000000000000000..22b31e0ac313fc63ebaa094bbfcd2c66f11ff131
--- /dev/null
+++ b/inventories/example/ha/hosts
@@ -0,0 +1,88 @@
+; -- Hosts --
+
+ha-ms1
+ha-ms2
+ha-db1
+ha-db2
+ha-dbw
+ha-mw1
+ha-mw2
+ha-live1
+ha-live2
+ha-cel
+ha-mm
+ha-misc1
+
+; -- Groups --
+
+[mediaserver]
+ha-ms1
+ha-ms2
+
+[postgres-ha]
+ha-db1
+ha-db2
+ha-dbw
+
+[postgres]
+ha-db1
+ha-db2
+ha-dbw
+
+[mediaworker]
+ha-mw1
+ha-mw2
+
+[live]
+ha-live1
+ha-live2
+
+[celerity]
+ha-cel
+
+[mirismanager]
+ha-mm
+
+[mediaimport]
+ha-misc1
+
+[mediavault]
+ha-misc1
+
+[mediacache]
+ha-misc1
+
+[netcapture]
+ha-misc1
+
+; -- Meta groups (do not edit) --
+
+[munin_server:children]
+mediaserver
+
+[msmonitor:children]
+munin_server
+
+[munin_node:children]
+celerity
+live
+mediacache
+mediaimport
+mediaserver
+mediavault
+mediaworker
+mirismanager
+msmonitor
+postgres
+
+[tester:children]
+celerity
+live
+mediacache
+mediaimport
+mediaserver
+mediavault
+mediaworker
+mirismanager
+msmonitor
+postgres
diff --git a/inventories/example/host_vars/mymediaserver.yml b/inventories/example/host_vars/mymediaserver.yml
deleted file mode 100644
index ada1c36354c2589bbec076996eb3af64b4fbdd18..0000000000000000000000000000000000000000
--- a/inventories/example/host_vars/mymediaserver.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-skyreach_system_key: changeme
diff --git a/inventories/example/host_vars/mymediavault.yml b/inventories/example/host_vars/mymediavault.yml
deleted file mode 100644
index ada1c36354c2589bbec076996eb3af64b4fbdd18..0000000000000000000000000000000000000000
--- a/inventories/example/host_vars/mymediavault.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-skyreach_system_key: changeme
diff --git a/inventories/example/host_vars/mymediaworker.yml b/inventories/example/host_vars/mymediaworker.yml
deleted file mode 100644
index ada1c36354c2589bbec076996eb3af64b4fbdd18..0000000000000000000000000000000000000000
--- a/inventories/example/host_vars/mymediaworker.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-skyreach_system_key: changeme
diff --git a/inventories/example/host_vars/mynetcapture.yml b/inventories/example/host_vars/mynetcapture.yml
deleted file mode 100644
index ada1c36354c2589bbec076996eb3af64b4fbdd18..0000000000000000000000000000000000000000
--- a/inventories/example/host_vars/mynetcapture.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-skyreach_system_key: changeme
diff --git a/inventories/example/hosts b/inventories/example/hosts
deleted file mode 100644
index 929a7b322b6f712164b21aff258a4efdb0c5e254..0000000000000000000000000000000000000000
--- a/inventories/example/hosts
+++ /dev/null
@@ -1,50 +0,0 @@
-; For hosts parameters see:
-; https://docs.ansible.com/ansible/latest/user_guide/intro_inventory.html#connecting-to-hosts-behavioral-inventory-parameters
-
-; hosts list
-
-mymediaserver ansible_host=10.0.0.1
-mymediaworker ansible_host=10.0.0.2
-
-; groups list and their members
-
-[postgres]
-mymediaserver
-
-[mirismanager]
-mymediaserver
-
-[mediaserver]
-mymediaserver
-
-[live]
-mymediaserver
-
-[celerity]
-mymediaserver
-
-[mediaworker]
-mymediaworker
-
-[mediaimport]
-mymediaserver
-
-[msmonitor]
-mymediaserver
-
-[munin_server]
-mymediaserver
-
-[munin_node]
-mymediaserver
-mymediaworker
-
-[mediavault]
-
-[netcapture]
-
-[bench_server]
-
-[bench_worker]
-
-; vim:ft=dosini
diff --git a/inventories/example/std/group_vars/all.yml b/inventories/example/std/group_vars/all.yml
new file mode 100644
index 0000000000000000000000000000000000000000..62d166d0a57503fc1e4923ea61f34903693aeecc
--- /dev/null
+++ b/inventories/example/std/group_vars/all.yml
@@ -0,0 +1,55 @@
+---
+
+# munin_node:
+#   Short name of the customer, with no spaces. This name is used in munin to group the graphs under the same name.
+# munin_server:
+#   Short name of the customer, with no spaces. This name is used in munin to group the graphs under the same name.
+ubicast_customer_name: "UbiCast-Std"
+
+# celerity:
+#   Nudgis system username for the application portal, used as a JSON key in celerity config for nudgis API usage (see also nudgis_front_api_key)
+# mediaserver:
+#   Defines the default deployed Nudgis portal short name (and linked unix user)
+# mediaworker:
+#   Nudgis system username for the application portal, used as a JSON key in celerity config for nudgis API usage (see also nudgis_front_api_key)
+nudgis_front_system_user: "msuser"
+
+# celerity:
+#   Nudgis API key, used to communicate with the nudgis portal
+# mediaserver:
+#   Defines the default deployed Nudgis portal master API key
+# mediaworker:
+#   Nudgis API key, used to communicate with the nudgis portal
+nudgis_front_api_key: "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"
+
+# celerity:
+#   IP or domain on which the celerity server service can be joined
+# mediaserver:
+#   IPv4 address used to join the celerity server
+celerity_server_domain: "{{ hostvars[groups['celerity'][0]]['ansible_default_ipv4']['address'] }}"
+
+# mediaserver:
+#   Defines the default deployed Nudgis portal domain (will be the URL of the portal when adding the HTTP(S) prefix)
+# mediaworker:
+#   URL of the default Nudgis "msuser" portal used to populate the /etc/celerity/config.py file
+# mediacache:
+#   URL of Nudgis Front cluster
+nudgis_front_domain: "nudgis.ubica.st"
+
+# mediaserver:
+#   Defines the default deployed Nudgis portal linked mirismanager domain (correspond to the URL of the mirismanager portal when adding the HTTP(S) prefix)
+# mirismanager:
+#   Defines the default domain for the Nudgis Manager
+manager_domain: "manager.ubica.st"
+
+# mediaserver:
+#   Key used to encrypt communications to and from celerity server
+celerity_signing_key: "my-signing-key"
+
+# live:
+#   Domain name of the live cluster (only if distinct live server(s) from MediaServer and live_ha variable is set to True)
+# mediacache:
+#   URL of the Nudgis Live cluster
+live_domain: "nudgis.ubica.st"
+
+...
diff --git a/inventories/example/std/group_vars/celerity.yml b/inventories/example/std/group_vars/celerity.yml
new file mode 100644
index 0000000000000000000000000000000000000000..40d4de6246e33bd2048f7d1e69ff7f48763c3b96
--- /dev/null
+++ b/inventories/example/std/group_vars/celerity.yml
@@ -0,0 +1,6 @@
+---
+
+# Secret key shared between celerity server and workers for communications (should be the same everywhere for communication)
+celerity_signing_key: "my-signing-key"
+
+...
diff --git a/inventories/example/std/group_vars/fail2ban.yml b/inventories/example/std/group_vars/fail2ban.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e7e3ea33a4d6926c6b8b8020559938069bb389e1
--- /dev/null
+++ b/inventories/example/std/group_vars/fail2ban.yml
@@ -0,0 +1,21 @@
+---
+
+# IP addresses exceptions (no monitored by fail2ban)
+#fail2ban_ignoreip: "127.0.0.1/8 ::1"
+
+# Number of acceptable failures before banning an IP
+#fail2ban_maxretry: "5"
+
+# Duration of bans
+#fail2ban_bantime: "10m"
+
+# Email sender of the fail2ban reports
+#fail2ban_email_from: "root@localhost"
+
+# Email reciepient of the fail2ban reports
+#fail2ban_email_to: "noreply@example.com"
+
+# Define the default action to do when a ban occurs ("action_mwl" to send whois and logs via email or "action_" for default)
+#fail2ban_action: "action_mwl"
+
+...
diff --git a/inventories/example/std/group_vars/ferm-install.yml b/inventories/example/std/group_vars/ferm-install.yml
new file mode 100644
index 0000000000000000000000000000000000000000..bc9282e5db13df0ee65298d69bf1c09d07a6e51f
--- /dev/null
+++ b/inventories/example/std/group_vars/ferm-install.yml
@@ -0,0 +1,30 @@
+---
+
+# Input policy for the ferm firewall
+#ferm_input_policy: "DROP"
+
+# Activates the logs for input packets
+#ferm_input_log: False
+
+# Prefix for the input packets log lines
+#ferm_input_log_prefix: "{{ ferm_input_policy }} INPUT "
+
+# Output policy for the ferm firewall
+#ferm_output_policy: "ACCEPT"
+
+# Activates the logs for output packets
+#ferm_output_log: False
+
+# Prefix for the output packets log lines
+#ferm_output_log_prefix: "{{ ferm_output_policy }} OUTPUT "
+
+# Forward policy for the ferm firewall
+#ferm_forward_policy: "DROP"
+
+# Activates the logs for forward packets
+#ferm_forward_log: False
+
+# Prefix for the forward packets log lines
+#ferm_forward_log_prefix: "{{ ferm_forward_policy }} FORWARD "
+
+...
diff --git a/inventories/example/std/group_vars/live.yml b/inventories/example/std/group_vars/live.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d3f4d435b8dddcc4e73f219ca7c366c97bcebbbc
--- /dev/null
+++ b/inventories/example/std/group_vars/live.yml
@@ -0,0 +1,6 @@
+---
+
+# Define if the deployment is an HA architecture (i.e. live domain is not handle by nudgis frontend server)
+live_ha: False
+
+...
diff --git a/inventories/example/std/group_vars/mediaserver.yml b/inventories/example/std/group_vars/mediaserver.yml
new file mode 100644
index 0000000000000000000000000000000000000000..f5dc2494485a01638fb3c978ef9d2a463cd5ef10
--- /dev/null
+++ b/inventories/example/std/group_vars/mediaserver.yml
@@ -0,0 +1,24 @@
+---
+
+# Defines the address for the Nudgis Front emails sender
+#nudgis_front_email_from: "noreply@{{ nudgis_front_domain }}"
+
+# Defines the default deployed Nudgis portal "ubicast" user password
+nudgis_front_user_ubicast_password: "my-password"
+
+# Defines the default deployed Nudgis portal "admin" user password
+nudgis_front_user_admin_password: "my-password"
+
+# Domain to reach PostgreSQL database
+nudgis_front_database_domain: "127.0.0.1"
+
+# Port to reach PostgreSQL database
+nudgis_front_database_port: "5432"
+
+# Port to connect to PostgreSQL database with superuser rights
+nudgis_front_database_password: "my-password"
+
+# Directory to store nudgis portal
+#ndugis_front_instances_dir: "/data"
+
+...
diff --git a/inventories/example/std/group_vars/mediaworker.yml b/inventories/example/std/group_vars/mediaworker.yml
new file mode 100644
index 0000000000000000000000000000000000000000..7c1a919d3b6ff47595ce0eb283fc62cbc6473cfd
--- /dev/null
+++ b/inventories/example/std/group_vars/mediaworker.yml
@@ -0,0 +1,9 @@
+---
+
+# IP or domain on which the celerity server service can be joined
+celerity_server_domain: "{{ hostvars[groups['celerity'][0]]['ansible_default_ipv4']['address'] }}"
+
+# Secret key shared between celerity server and workers for communications (should be the same everywhere for communication)
+celerity_signing_key: "my-signing-key"
+
+...
diff --git a/inventories/example/std/group_vars/mirismanager.yml b/inventories/example/std/group_vars/mirismanager.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a4422bfd2253f82400252a9fa1c43b72e32e4f66
--- /dev/null
+++ b/inventories/example/std/group_vars/mirismanager.yml
@@ -0,0 +1,21 @@
+---
+
+# Defines the default address for the Nudgis Manager emails sender
+#manager_email_from: "noreply@{{ manager_domain }}"
+
+# Domain to reach PostgreSQL database
+manager_database_domain: "127.0.0.1"
+
+# Port to reach PostgreSQL database
+manager_database_port: "5432"
+
+# Port to connect to PostgreSQL database with superuser rights
+manager_database_password: "my-password"
+
+# Application ubicast user password
+manager_user_ubicast_password: "my-password"
+
+# Application admin user password
+manager_user_admin_password: "my-password"
+
+...
diff --git a/inventories/example/std/group_vars/msmonitor.yml b/inventories/example/std/group_vars/msmonitor.yml
new file mode 100644
index 0000000000000000000000000000000000000000..2a616c208d18bb79cf1cdd6dbe01df0824302ebd
--- /dev/null
+++ b/inventories/example/std/group_vars/msmonitor.yml
@@ -0,0 +1,12 @@
+---
+
+# Defines the default domain for monitor
+monitor_domain: "monitor.ubica.st"
+
+# Password for the webmonitor ubicast user
+monitor_user_ubicast_password: "my-password"
+
+# Password for the webmonitor admin user
+monitor_user_admin_password: "my-password"
+
+...
diff --git a/inventories/example/std/group_vars/netcapture.yml b/inventories/example/std/group_vars/netcapture.yml
new file mode 100644
index 0000000000000000000000000000000000000000..55cfeb4108409baa9259359a66e5ede589b3e9ea
--- /dev/null
+++ b/inventories/example/std/group_vars/netcapture.yml
@@ -0,0 +1,6 @@
+---
+
+# URL of the mirismanager to use for packages
+netcapture_mm_url: "manager.ubica.st"
+
+...
diff --git a/inventories/example/std/group_vars/postgres.yml b/inventories/example/std/group_vars/postgres.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d3d00a0eac056066e415b3285d519c8fbe419f58
--- /dev/null
+++ b/inventories/example/std/group_vars/postgres.yml
@@ -0,0 +1,56 @@
+---
+
+# PostgreSQL user/host connection file
+#database_host_authentification:
+#  - method: peer
+#    type: local
+#  - address: 127.0.0.1/32
+#    type: hostssl
+#  - address: ::1/128
+#    type: hostssl
+#  - database: replication
+#    method: peer
+#    type: local
+#  - address: 127.0.0.1/32
+#    database: replication
+#    type: hostssl
+#  - address: ::1/128
+#    database: replication
+#    type: hostssl
+
+# PostgreSQL configuration key/values
+#database_conf:
+#  - content: ''
+#    name: main
+
+# Dictionnary of extra databases to deploy (with `name` and `owner` keys)
+#database_databases: []
+
+# Password for the postgres admin account
+database_password: "my-password"
+
+# Dictionnary of extra PostgreSQL users to deploy (with `name`, `password`, `db`, `priv` and `roles` keys)
+#database_users: []
+
+# [HA only] Conninfo parameter populated in the repmgr configuration file
+#repmgr_conninfo: "host={{ ansible_default_ipv4.address }} dbname={{ repmgr_database }} user={{ repmgr_user }} connect_timeout={{ repmgr_timeout }}"
+
+# [HA only] Name of the repmgr database
+#repmgr_database: "repmgr"
+
+# [HA only] Password of the repmgr DB user
+#repmgr_password: ""
+
+# [HA only] Listening port for rephacheck
+#repmgr_repha_port: 8543
+
+# [HA only] List of roles for the repmgr user PostgreSQL pg_hba configuration
+#repmgr_roles: "LOGIN,REPLICATION,SUPERUSER"
+
+# [HA only] Timeout value for the repmgr connections
+#repmgr_timeout: 5
+
+# [HA only] Username of the repmgr DB user
+#repmgr_user: "repmgr"
+
+...
diff --git a/inventories/example/std/group_vars/sysconfig.yml b/inventories/example/std/group_vars/sysconfig.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a4f5ce3365be53231fe2b644777584c7c22433ab
--- /dev/null
+++ b/inventories/example/std/group_vars/sysconfig.yml
@@ -0,0 +1,18 @@
+---
+
+# Debian distribution short name (example: "bullseye")
+#repos_release: "{{ ansible_distribution_release }}"
+
+# Value for the system locale
+init_locale: "en_GB.UTF-8"
+
+# Timezone to set on the servers (`timedatectl list-timezones` for the complete list)
+#init_timezone: "Europe/Paris"
+
+# Domain to use for the Debian repositories
+#repos_debian_packages_domain: "deb.debian.org"
+
+# Domain to use for the Debian security repositories
+#repos_debian_security_packages_domain: "security.debian.org"
+
+...
diff --git a/inventories/example/std/group_vars/tester.yml b/inventories/example/std/group_vars/tester.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ad08cd5ccc2144e0a5e790aa5ee2b504dce6050d
--- /dev/null
+++ b/inventories/example/std/group_vars/tester.yml
@@ -0,0 +1,9 @@
+---
+
+# UbiCast admin reciever of the email report for premiums
+tester_email_admin: "my-email@domain.com"
+
+# Reciever of the email report
+tester_email_to: "noreply@domain.com"
+
+...
diff --git a/inventories/example/std/host_vars/std-misc1.yml b/inventories/example/std/host_vars/std-misc1.yml
new file mode 100644
index 0000000000000000000000000000000000000000..8133a2ce6725248f10e72655b317140796c376df
--- /dev/null
+++ b/inventories/example/std/host_vars/std-misc1.yml
@@ -0,0 +1,149 @@
+---
+
+# tester:
+#   Name of the system in the reports
+#tester_system_name: "{{ inventory_hostname }}"
+
+# tester:
+#   Sender of the email report
+#tester_email_from: "ubicast.tester"
+
+# tester:
+#   List of tests to ignore when executing the ubicast-tester
+tester_tests_ignored:
+  - uptime.sh
+
+# postfix:
+#   Define the specified email address for the unix root account (in /etc/aliases)
+postfix_admin: "admin@domain.com"
+
+# postfix:
+#   Default sender domain, used to complete both postfix configuration and the /etc/mailname content
+postfix_mailname: "ubica.st"
+
+# postfix:
+#   Email address used by postfix to send emails
+postfix_email_from: "noreply@domain.com"
+
+# postfix:
+#   SMTP host for the SASL account
+#postfix_relay_host: ""
+
+# postfix:
+#   User of the SMTP SASL account
+#postfix_relay_pass: ""
+
+# postfix:
+#   Password of the SMTP SASL account
+#postfix_relay_user: ""
+
+# mediacache:
+#   URL of the Nudgis Cache vhost
+cache_domain: "cache.ubica.st"
+
+# mediacache:
+#   Path of the folder to cache the VOD service data
+#cache_vod_folder: "/var/cache/nginx/mediacache-vod"
+
+# mediacache:
+#   Max size allowed for the VOD service data
+#cache_vod_size: "1"
+
+# mediacache:
+#   Path of the folder to cache the Live service data
+#cache_live_folder: "/var/cache/nginx/mediacache-live"
+
+# mediacache:
+#   Max size allowed for the Live service data
+#cache_live_size: "1"
+
+# netcapture:
+#   Password of the deployed netcapture miris API
+netcapture_miris_user_pwd: "my-password"
+
+# netcapture:
+#   Folder used to store the packages
+#netcapture_pkg_folder: "/data/netcapture/packages"
+
+# netcapture:
+#   Folder used to store the configurations
+#netcapture_conf_folder: "/etc/miris/conf"
+
+# netcapture:
+#   Folder used to store the medias
+#netcapture_media_folder: "/data/netcapture/media"
+
+# netcapture:
+#   Activates the SSL verification when calling the Nudgis Manager
+#netcapture_mm_ssl: True
+
+# netcapture:
+#   Activates the authentication for the deployed netcapture miris API
+#netcapture_miris_auth: True
+
+# sysuser:
+#   Do not configure any ubicast ssh public key
+# sysconfig:
+#   Do not configure any repository and use local repository
+#offline_mode: False
+
+# sysuser:
+#   Password for the system user ubicast
+sysuser_ubicast_password: "my-password"
+
+# sysuser:
+#   Password for the system user admin
+sysuser_admin_password: "my-password"
+
+# nginx:
+#   Path of the SSL certificate for nginx configuration
+#nginx_ssl_certificate: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+
+# nginx:
+#   Path of the SSL key for nginx configuration
+#nginx_ssl_certificate_key: "/etc/ssl/private/ssl-cert-snakeoil.key"
+
+# nginx:
+#   IPv4 address of the reverse-proxy or loadbalancer above the server(s)
+#nginx_real_ip_from: ""
+
+# sysconfig:
+#   Prefix of the debian repositories, with the protocol (example: "http://"). Used when the apt-cacher-ng of the Nudgis Manager proxifies the debian repositories.
+#repos_debian_prefix: "http://"
+
+# sysconfig:
+#   List of NTP servers to use on the systems
+ntp_servers:
+  - 0.debian.pool.ntp.org
+  - 1.debian.pool.ntp.org
+
+# sysconfig:
+#   Token used in the UbiCast debian repository URL
+repos_ubicast_packages_token: "UBICAST-APT-TOKEN"
+
+# sysconfig:
+#   Domain of the UbiCast debian packages repository URL
+repos_ubicast_packages_domain: "manager.ubica.st"
+
+# ferm-configure:
+#   Global settings to be put in ferm.d directory
+#ferm_global_settings: |
+
+
+# ferm-configure:
+#   List of input rules for the ferm firewall
+#ferm_input_rules: []
+
+# ferm-configure:
+#   List of output rules for the ferm firewall
+#ferm_output_rules: []
+
+# ferm-configure:
+#   Filename into which rules will be written
+#ferm_rules_filename: "default"
+
+# ferm-configure:
+#   List of forward rules for the ferm firewall
+#ferm_forward_rules: []
+
+...
diff --git a/inventories/example/std/host_vars/std-ms1.yml b/inventories/example/std/host_vars/std-ms1.yml
new file mode 100644
index 0000000000000000000000000000000000000000..668411e3b0363681b75ae5562912d114b8aa6b36
--- /dev/null
+++ b/inventories/example/std/host_vars/std-ms1.yml
@@ -0,0 +1,117 @@
+---
+
+# tester:
+#   Name of the system in the reports
+#tester_system_name: "{{ inventory_hostname }}"
+
+# tester:
+#   Sender of the email report
+#tester_email_from: "ubicast.tester"
+
+# tester:
+#   List of tests to ignore when executing the ubicast-tester
+tester_tests_ignored:
+  - uptime.sh
+
+# postfix:
+#   Define the specified email address for the unix root account (in /etc/aliases)
+postfix_admin: "admin@domain.com"
+
+# postfix:
+#   Default sender domain, used to complete both postfix configuration and the /etc/mailname content
+postfix_mailname: "ubica.st"
+
+# postfix:
+#   Email address used by postfix to send emails
+postfix_email_from: "noreply@domain.com"
+
+# postfix:
+#   SMTP host for the SASL account
+#postfix_relay_host: ""
+
+# postfix:
+#   User of the SMTP SASL account
+#postfix_relay_pass: ""
+
+# postfix:
+#   Password of the SMTP SASL account
+#postfix_relay_user: ""
+
+# postgres:
+#   [HA only] Define database role on this host. Possible values: primary, standby or witness
+#database_role: ""
+
+# live:
+#   Size of the tmpfs storing the live chunks (unit g or m and only if distinct live server(s) from MediaServer)
+#live_tmpfs_size: "2048m"
+
+# sysuser:
+#   Do not configure any ubicast ssh public key
+# sysconfig:
+#   Do not configure any repository and use local repository
+#offline_mode: False
+
+# sysuser:
+#   Password for the system user ubicast
+sysuser_ubicast_password: "my-password"
+
+# sysuser:
+#   Password for the system user admin
+sysuser_admin_password: "my-password"
+
+# mirismanager:
+#   Mandatory proxy to use in apt-cacher-ng
+#http_proxy: ""
+
+# nginx:
+#   Path of the SSL certificate for nginx configuration
+#nginx_ssl_certificate: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+
+# nginx:
+#   Path of the SSL key for nginx configuration
+#nginx_ssl_certificate_key: "/etc/ssl/private/ssl-cert-snakeoil.key"
+
+# nginx:
+#   IPv4 address of the reverse-proxy or loadbalancer above the server(s)
+#nginx_real_ip_from: ""
+
+# sysconfig:
+#   Prefix of the debian repositories, with the protocol (example: "http://"). Used when the apt-cacher-ng of the Nudgis Manager proxifies the debian repositories.
+#repos_debian_prefix: "http://"
+
+# sysconfig:
+#   List of NTP servers to use on the systems
+ntp_servers:
+  - 0.debian.pool.ntp.org
+  - 1.debian.pool.ntp.org
+
+# sysconfig:
+#   Token used in the UbiCast debian repository URL
+repos_ubicast_packages_token: "UBICAST-APT-TOKEN"
+
+# sysconfig:
+#   Domain of the UbiCast debian packages repository URL
+repos_ubicast_packages_domain: "manager.ubica.st"
+
+# ferm-configure:
+#   Global settings to be put in ferm.d directory
+#ferm_global_settings: |
+
+
+# ferm-configure:
+#   List of input rules for the ferm firewall
+#ferm_input_rules: []
+
+# ferm-configure:
+#   List of output rules for the ferm firewall
+#ferm_output_rules: []
+
+# ferm-configure:
+#   Filename into which rules will be written
+#ferm_rules_filename: "default"
+
+# ferm-configure:
+#   List of forward rules for the ferm firewall
+#ferm_forward_rules: []
+
+...
diff --git a/inventories/example/std/host_vars/std-mw1.yml b/inventories/example/std/host_vars/std-mw1.yml
new file mode 100644
index 0000000000000000000000000000000000000000..60b0de005b1179420d74e9e1e2c04c48dcebf017
--- /dev/null
+++ b/inventories/example/std/host_vars/std-mw1.yml
@@ -0,0 +1,93 @@
+---
+
+# tester:
+#   Name of the system in the reports
+#tester_system_name: "{{ inventory_hostname }}"
+
+# tester:
+#   Sender of the email report
+#tester_email_from: "ubicast.tester"
+
+# tester:
+#   List of tests to ignore when executing the ubicast-tester
+tester_tests_ignored:
+  - uptime.sh
+
+# postfix:
+#   Define the specified email address for the unix root account (in /etc/aliases)
+postfix_admin: "admin@domain.com"
+
+# postfix:
+#   Default sender domain, used to complete both postfix configuration and the /etc/mailname content
+postfix_mailname: "ubica.st"
+
+# postfix:
+#   Email address used by postfix to send emails
+postfix_email_from: "noreply@domain.com"
+
+# postfix:
+#   SMTP host for the SASL account
+#postfix_relay_host: ""
+
+# postfix:
+#   User of the SMTP SASL account
+#postfix_relay_pass: ""
+
+# postfix:
+#   Password of the SMTP SASL account
+#postfix_relay_user: ""
+
+# sysuser:
+#   Do not configure any ubicast ssh public key
+# sysconfig:
+#   Do not configure any repository and use local repository
+#offline_mode: False
+
+# sysuser:
+#   Password for the system user ubicast
+sysuser_ubicast_password: "my-password"
+
+# sysuser:
+#   Password for the system user admin
+sysuser_admin_password: "my-password"
+
+# sysconfig:
+#   Prefix of the debian repositories, with the protocol (example: "http://"). Used when the apt-cacher-ng of the Nudgis Manager proxifies the debian repositories.
+#repos_debian_prefix: "http://"
+
+# sysconfig:
+#   List of NTP servers to use on the systems
+ntp_servers:
+  - 0.debian.pool.ntp.org
+  - 1.debian.pool.ntp.org
+
+# sysconfig:
+#   Token used in the UbiCast debian repository URL
+repos_ubicast_packages_token: "UBICAST-APT-TOKEN"
+
+# sysconfig:
+#   Domain of the UbiCast debian packages repository URL
+repos_ubicast_packages_domain: "manager.ubica.st"
+
+# ferm-configure:
+#   Global settings to be put in ferm.d directory
+#ferm_global_settings: |
+
+
+# ferm-configure:
+#   List of input rules for the ferm firewall
+#ferm_input_rules: []
+
+# ferm-configure:
+#   List of output rules for the ferm firewall
+#ferm_output_rules: []
+
+# ferm-configure:
+#   Filename into which rules will be written
+#ferm_rules_filename: "default"
+
+# ferm-configure:
+#   List of forward rules for the ferm firewall
+#ferm_forward_rules: []
+
+...
diff --git a/inventories/example/std/hosts b/inventories/example/std/hosts
new file mode 100644
index 0000000000000000000000000000000000000000..8f20c060df6ec6887c4a1041f25eaa852b8ac95d
--- /dev/null
+++ b/inventories/example/std/hosts
@@ -0,0 +1,59 @@
+; -- Hosts --
+
+std-ms1
+std-mw1
+std-misc1
+
+; -- Groups --
+
+[celerity]
+std-ms1
+
+[mediaserver]
+std-ms1
+
+[postgres]
+std-ms1
+
+[live]
+std-ms1
+
+[mirismanager]
+std-ms1
+
+[mediaworker]
+std-mw1
+
+[mediacache]
+std-misc1
+
+[netcapture]
+std-misc1
+
+; -- Meta groups (do not edit) --
+
+[munin_server:children]
+mediaserver
+
+[msmonitor:children]
+munin_server
+
+[munin_node:children]
+celerity
+live
+mediacache
+mediaserver
+mediaworker
+mirismanager
+msmonitor
+postgres
+
+[tester:children]
+celerity
+live
+mediacache
+mediaserver
+mediaworker
+mirismanager
+msmonitor
+postgres
diff --git a/inventories/local-full/host_vars/localhost.dist.yml b/inventories/local-full/host_vars/localhost.dist.yml
deleted file mode 100644
index 64334eceaf738b4e5506792694af16ec28357c80..0000000000000000000000000000000000000000
--- a/inventories/local-full/host_vars/localhost.dist.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-# customer name
-customer_short_name: customer
-
-# enable letsencrypt certificate
-letsencrypt_enabled: false
-
-# auto update conf.sh
-conf_update: false
-
-# activation keys
-skyreach_system_key:
-skyreach_activation_key:
diff --git a/inventories/local-full/hosts b/inventories/local-full/hosts
deleted file mode 100644
index 2eadb1159ecf06213c3f3b3c015ef36fc3b479dc..0000000000000000000000000000000000000000
--- a/inventories/local-full/hosts
+++ /dev/null
@@ -1,33 +0,0 @@
-localhost ansible_connection=local
-
-[postgres]
-localhost
-
-[mirismanager]
-localhost
-
-[mediaserver]
-localhost
-
-[live]
-localhost
-
-[celerity]
-localhost
-
-[mediaworker]
-localhost
-
-[mediaimport]
-localhost
-
-[msmonitor]
-localhost
-
-[munin_server]
-localhost
-
-[munin_node]
-localhost
-
-; vim:ft=dosini
diff --git a/inventories/local-mediaimport/host_vars/localhost.dist.yml b/inventories/local-mediaimport/host_vars/localhost.dist.yml
deleted file mode 100644
index 55e2d8a4aadc7dd56064f452a939b59b7e5f2372..0000000000000000000000000000000000000000
--- a/inventories/local-mediaimport/host_vars/localhost.dist.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-# activation keys
-skyreach_system_key:
-skyreach_activation_key:
diff --git a/inventories/local-mediaimport/hosts b/inventories/local-mediaimport/hosts
deleted file mode 100644
index 91de9635c10c8181b5e109ccefefdc12b82c7ad1..0000000000000000000000000000000000000000
--- a/inventories/local-mediaimport/hosts
+++ /dev/null
@@ -1,6 +0,0 @@
-localhost ansible_connection=local
-
-[mediaimport]
-localhost
-
-; vim:ft=dosini
diff --git a/inventories/local-mediaserver/host_vars/localhost.dist.yml b/inventories/local-mediaserver/host_vars/localhost.dist.yml
deleted file mode 100644
index 64334eceaf738b4e5506792694af16ec28357c80..0000000000000000000000000000000000000000
--- a/inventories/local-mediaserver/host_vars/localhost.dist.yml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-# customer name
-customer_short_name: customer
-
-# enable letsencrypt certificate
-letsencrypt_enabled: false
-
-# auto update conf.sh
-conf_update: false
-
-# activation keys
-skyreach_system_key:
-skyreach_activation_key:
diff --git a/inventories/local-mediaserver/hosts b/inventories/local-mediaserver/hosts
deleted file mode 100644
index a04974401f23b5b313f88bcb4f97b537208746d3..0000000000000000000000000000000000000000
--- a/inventories/local-mediaserver/hosts
+++ /dev/null
@@ -1,30 +0,0 @@
-localhost ansible_connection=local
-
-[postgres]
-localhost
-
-[mirismanager]
-localhost
-
-[mediaserver]
-localhost
-
-[live]
-localhost
-
-[celerity]
-localhost
-
-[mediaimport]
-localhost
-
-[msmonitor]
-localhost
-
-[munin_server]
-localhost
-
-[munin_node]
-localhost
-
-; vim:ft=dosini
diff --git a/inventories/local-mediavault/host_vars/localhost.dist.yml b/inventories/local-mediavault/host_vars/localhost.dist.yml
deleted file mode 100644
index c4a35380be5381a18d5c6a742726492882fc66d6..0000000000000000000000000000000000000000
--- a/inventories/local-mediavault/host_vars/localhost.dist.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-skyreach_system_key:
-skyreach_activation_key:
diff --git a/inventories/local-mediavault/hosts b/inventories/local-mediavault/hosts
deleted file mode 100644
index 6dfe3095fa42adfea48681a0ff68a008aeba0bad..0000000000000000000000000000000000000000
--- a/inventories/local-mediavault/hosts
+++ /dev/null
@@ -1,6 +0,0 @@
-localhost ansible_connection=local
-
-[mediavault]
-localhost
-
-; vim:ft=dosini
diff --git a/inventories/local-mediaworker/host_vars/localhost.dist.yml b/inventories/local-mediaworker/host_vars/localhost.dist.yml
deleted file mode 100644
index c4a35380be5381a18d5c6a742726492882fc66d6..0000000000000000000000000000000000000000
--- a/inventories/local-mediaworker/host_vars/localhost.dist.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-skyreach_system_key:
-skyreach_activation_key:
diff --git a/inventories/local-mediaworker/hosts b/inventories/local-mediaworker/hosts
deleted file mode 100644
index 4b3a22ad384791913472451b37df48fcacba6d7b..0000000000000000000000000000000000000000
--- a/inventories/local-mediaworker/hosts
+++ /dev/null
@@ -1,6 +0,0 @@
-localhost ansible_connection=local
-
-[mediaworker]
-localhost
-
-; vim:ft=dosini
diff --git a/inventories/offline-mediaserver/host_vars/localhost.dist.yml b/inventories/offline-mediaserver/host_vars/localhost.dist.yml
deleted file mode 100644
index 9e688644ed1d322a5427aeb9a42430c73d008fc8..0000000000000000000000000000000000000000
--- a/inventories/offline-mediaserver/host_vars/localhost.dist.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-# customer name
-customer_short_name: customer
-
-# install in offline environment
-offline_mode: true
diff --git a/inventories/offline-mediaserver/hosts b/inventories/offline-mediaserver/hosts
deleted file mode 100644
index bfbca5e0ca8cce7cd3947dddda4bc0b5e4d1c68e..0000000000000000000000000000000000000000
--- a/inventories/offline-mediaserver/hosts
+++ /dev/null
@@ -1,31 +0,0 @@
-localhost ansible_connection=local
-
-[postgres]
-localhost
-
-[mirismanager]
-localhost
-
-[mediaserver]
-localhost
-
-;[live]
-;localhost
-
-[celerity]
-localhost
-
-[mediaimport]
-localhost
-
-[msmonitor]
-localhost
-
-[munin_server]
-localhost
-
-[munin_node]
-localhost
-
-
-; vim:ft=dosini
diff --git a/inventories/offline-mediaworker/host_vars/localhost.dist.yml b/inventories/offline-mediaworker/host_vars/localhost.dist.yml
deleted file mode 100644
index 742fb1fa4d53914b6eba0576d39a3d66cc674e88..0000000000000000000000000000000000000000
--- a/inventories/offline-mediaworker/host_vars/localhost.dist.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-# install in offline environment
-offline_mode: true
diff --git a/inventories/offline-mediaworker/hosts b/inventories/offline-mediaworker/hosts
deleted file mode 100644
index 4b3a22ad384791913472451b37df48fcacba6d7b..0000000000000000000000000000000000000000
--- a/inventories/offline-mediaworker/hosts
+++ /dev/null
@@ -1,6 +0,0 @@
-localhost ansible_connection=local
-
-[mediaworker]
-localhost
-
-; vim:ft=dosini
diff --git a/inventories/test-container/host_vars/ansibletest.yml b/inventories/test-container/host_vars/ansibletest.yml
deleted file mode 100644
index 55e2d8a4aadc7dd56064f452a939b59b7e5f2372..0000000000000000000000000000000000000000
--- a/inventories/test-container/host_vars/ansibletest.yml
+++ /dev/null
@@ -1,4 +0,0 @@
----
-# activation keys
-skyreach_system_key:
-skyreach_activation_key:
diff --git a/inventories/test-container/hosts b/inventories/test-container/hosts
deleted file mode 100644
index 48f47fee0e87be34b37e0d55f98b7ddf08ed89b5..0000000000000000000000000000000000000000
--- a/inventories/test-container/hosts
+++ /dev/null
@@ -1,29 +0,0 @@
-[postgres]
-ansibletest
-
-[mirismanager]
-ansibletest
-
-[mediaserver]
-ansibletest
-
-[live]
-ansibletest
-
-[celerity]
-ansibletest
-
-[mediaworker]
-ansibletest
-
-[mediaimport]
-ansibletest
-
-[msmonitor]
-ansibletest
-
-[munin_server]
-ansibletest
-
-[munin_node]
-ansibletest
diff --git a/library/source_file.py b/library/source_file.py
deleted file mode 100644
index 54e2600706a4a8ccd54b636b7aa945935fdc7387..0000000000000000000000000000000000000000
--- a/library/source_file.py
+++ /dev/null
@@ -1,154 +0,0 @@
-#!/usr/bin/python
-
-# Copyright: (c) 2019, Nicolas Karolak <nicolas.karolak@ubicast.eu>
-# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
-
-from __future__ import absolute_import, division, print_function
-
-__metaclass__ = type
-
-ANSIBLE_METADATA = {
-    "metadata_version": "1.1",
-    "status": ["preview"],
-    "supported_by": "community",
-}
-
-
-DOCUMENTATION = """
-module: source_file
-short_description: Source remote bash/dotenv file
-description:
-    - This module is used to register host variables from a remote bash/dotenv-like file.
-    - It handles boolean value (`MY_VAR=1`) and has a basic handling of list (`MY_VAR=one,two,three`) and dictionnary (`MY_VAR=a=1;b=2;c=3`).
-version_added: "2.8"
-author: "Nicolas Karolak (@nikaro)"
-options:
-    path:
-        description:
-            - Path to the file to source.
-        required: true
-        type: path
-    prefix:
-        description:
-            - Prefix to add to the registred variable name.
-        required: false
-        default: ""
-        type: str
-    lower:
-        description:
-            - Wether to lower or not the variable name.
-        required: false
-        default: false
-        type: bool
-notes:
-    - The `check_mode` is supported.
-"""
-
-EXAMPLES = """
-- name: source envsetup file
-  source_file:
-    prefix: envsetup_
-    path: /root/envsetup/conf.sh
-    lower: true
-"""
-
-RETURN = """
-ansible_facts:
-    description: Registred vairales.
-    returned: on success
-    type: dict
-    sample:
-        key: value
-"""
-
-import os  # noqa: E402
-import re  # noqa: E402
-
-from ansible.module_utils.basic import AnsibleModule  # noqa: E402
-from ansible.module_utils.parsing.convert_bool import BOOLEANS, boolean  # noqa: E402
-from ansible.module_utils.six import string_types  # noqa: E402
-
-
-def run_module():
-    module_args = {
-        "path": {"type": "path", "required": True},
-        "prefix": {"type": "str", "required": False, "default": ""},
-        "lower": {"type": "bool", "required": False, "default": False},
-    }
-
-    result = {"changed": False}
-
-    module = AnsibleModule(argument_spec=module_args, supports_check_mode=True)
-
-    path = module.params["path"]
-    prefix = module.params["prefix"]
-    lower = boolean(module.params["lower"])
-    variables = {}
-    regex_valid_name = re.compile(r"^[a-zA-Z][a-zA-Z0-9_-]*$")
-    regex_key_value = re.compile(
-        r"^(?!#)(?P<key>[a-zA-Z][a-zA-Z0-9_-]*)=(?:[\'\"])?(?P<value>(?:[^\'\"\n])*)(?:[\'\"])?$",
-        re.MULTILINE
-    )
-
-    if not os.path.isfile(path):
-        module.fail_json(msg="'%s' does not exist or is not a file" % path, **result)
-
-    if prefix and not regex_valid_name.match(prefix):
-        module.fail_json(
-            msg="'%s' is not a valid prefix it must starts with a letter or underscore"
-            " character, and contains only letters, numbers and underscores" % prefix,
-            **result
-        )
-
-    with open(path) as path_fh:
-        # load file content and get all "key=value"
-        content = path_fh.read()
-        content_match = regex_key_value.findall(content)
-
-        for key, value in content_match:
-            # merge prefix + key
-            if prefix:
-                key = "%s%s" % (prefix, key)
-
-            # lower key
-            if lower:
-                key = key.lower()
-
-            # check key validity
-            if not regex_valid_name.match(key):
-                module.fail_json(
-                    msg="'%s' is not a valid variable name it must starts with a letter or "
-                    "underscore character, and contains only letters, numbers and underscores"
-                    % key,
-                    **result
-                )
-
-            # handle list value
-            if "," in value:
-                value = re.split("[,\n]", value)
-
-            # handle dict value
-            if ";" in value and "=" in value:
-                value = {i.split("=")[0]: i.split("=")[1] for i in value.split(";")}
-
-            # handle bool value
-            if isinstance(value, string_types) and value.lower() in BOOLEANS:
-                value = boolean(value)
-
-            # build variables dict
-            variables[key] = value
-
-            result["changed"] = True
-
-            if not module.check_mode:
-                result["ansible_facts"] = variables
-
-    module.exit_json(**result)
-
-
-def main():
-    run_module()
-
-
-if __name__ == "__main__":
-    main()
diff --git a/playbooks/base.yml b/playbooks/base.yml
index 1f11bd108edc33870c71e22a0b45fa56e5fa5493..fdb0ed4c0528cdaf66cd63cfbb9c195cd4fd71f7 100755
--- a/playbooks/base.yml
+++ b/playbooks/base.yml
@@ -1,7 +1,10 @@
 #!/usr/bin/env ansible-playbook
 ---
+
 - name: BASE
   hosts: all
   tags: all
   roles:
     - base
+
+...
diff --git a/playbooks/bench.yml b/playbooks/bench.yml
index a8fe110c39b502d4248c758c62cedea3f2550ccf..918d6de0ac7bb809434c6078f6cc58052712de03 100755
--- a/playbooks/bench.yml
+++ b/playbooks/bench.yml
@@ -1,5 +1,6 @@
 #!/usr/bin/env ansible-playbook
 ---
+
 - name: DEPLOY BENCHMARK SERVER
   hosts: bench_server
   pre_tasks:
@@ -32,3 +33,5 @@
       ansible.builtin.service:
         name: bench-worker
         state: restarted
+
+...
diff --git a/playbooks/celerity.yml b/playbooks/celerity.yml
index fad8f9971336a668bb9a96952ea3700bf616bd7c..62277e88887a3b23221ef0202242982ed2a31be5 100755
--- a/playbooks/celerity.yml
+++ b/playbooks/celerity.yml
@@ -1,5 +1,6 @@
 #!/usr/bin/env ansible-playbook
 ---
+
 - name: CELERITY SERVER
   hosts: celerity
   tags: celerity
@@ -10,3 +11,5 @@
       when: proxy_apply | d(false)
       ansible.builtin.include_role:
         name: proxy
+
+...
diff --git a/playbooks/letsencrypt.yml b/playbooks/letsencrypt.yml
index 46e195295fe883d119e582658dfb13b3dfad7fb1..571d59282b9a0bc534ad935fa899d4d4cf98938f 100755
--- a/playbooks/letsencrypt.yml
+++ b/playbooks/letsencrypt.yml
@@ -1,7 +1,10 @@
 #!/usr/bin/env ansible-playbook
 ---
+
 - name: Let's encrypt
   hosts: all
   tags: all
   roles:
     - letsencrypt
+
+...
diff --git a/playbooks/live/deploy-minimal.yml b/playbooks/live/deploy-minimal.yml
index dcbcbf39fced87343c88d76c02847de0ecd15b76..ab3afe3659ca058fee4b3a001232714d7b73b7d4 100644
--- a/playbooks/live/deploy-minimal.yml
+++ b/playbooks/live/deploy-minimal.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: LIVE
   hosts: live
   gather_facts: false
@@ -7,7 +8,11 @@
     - live
 
 - import_playbook: subplays/standard-case.yml
-  when: groups['live'] | d('') | length >= 1 and ( hostvars[groups['live'][0]].ip_live is undefined or hostvars[groups['live'][0]].ip_live == "127.0.0.1" )
+  # playbook target mediaserver and live hosts
+  when: groups['live'] | d('') | length >= 1 and ( hostvars[groups['live'][0]].live_ha is undefined or hostvars[groups['live'][0]].live_ha == false )
 
 - import_playbook: subplays/ha-case.yml
-  when: groups['live'] | d('') | length >= 1 and ( hostvars[groups['live'][0]].ip_live is defined and hostvars[groups['live'][0]].ip_live != "127.0.0.1" )
+  # playbook target mediaserver and live hosts
+  when: groups['live'] | d('') | length >= 1 and ( hostvars[groups['live'][0]].live_ha is defined and hostvars[groups['live'][0]].live_ha == true )
+
+...
diff --git a/playbooks/live/deploy-standalone.yml b/playbooks/live/deploy-standalone.yml
index 751da97be759d06447bf6a72944937433746177a..54ad20702a6285874ff7563a758beedbe3568041 100644
--- a/playbooks/live/deploy-standalone.yml
+++ b/playbooks/live/deploy-standalone.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: LIVE
   hosts: live
   tags: live
@@ -10,27 +11,27 @@
 - hosts: live
   tags: live
   vars:
-    server_firewall_enabled: true
-    server_ferm_rules_filename: live
-    server_ferm_input_rules:
+    live_ferm_rules_filename: live
+    live_ferm_input_rules:
       - proto:
           - tcp
         dport:
           - 80
           - 443
           - 1935
-    server_ferm_output_rules: []
-    server_ferm_global_settings:
+    live_ferm_output_rules: []
+    live_ferm_global_settings:
   tasks:
     - name: firewall
-      when: server_firewall_enabled
       vars:
-        ferm_rules_filename: "{{ server_ferm_rules_filename }}"
-        ferm_input_rules: "{{ server_ferm_input_rules }}"
-        ferm_output_rules: "{{ server_ferm_output_rules }}"
-        ferm_global_settings: "{{ server_ferm_global_settings }}"
+        ferm_rules_filename: "{{ live_ferm_rules_filename }}"
+        ferm_input_rules: "{{ live_ferm_input_rules }}"
+        ferm_output_rules: "{{ live_ferm_output_rules }}"
+        ferm_global_settings: "{{ live_ferm_global_settings }}"
       ansible.builtin.include_role:
         name: ferm-configure
 
 - import_playbook: deploy-minimal.yml
   tags: live
+
+...
diff --git a/playbooks/live/functions/create-live-app.yml b/playbooks/live/functions/create-live-app.yml
index f8b8b2fce978a4fc99c31954beb0f9a55dcfc66a..ed68a3f820a034d45a5add6a640249fa3f9c514a 100644
--- a/playbooks/live/functions/create-live-app.yml
+++ b/playbooks/live/functions/create-live-app.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: Checking the live(s) server(s) live configuration state
   hosts: live
   gather_facts: false
@@ -191,3 +192,5 @@
       ansible.builtin.systemd:
         name: mediaserver
         state: restarted
+
+...
diff --git a/playbooks/live/subplays/ha-case.yml b/playbooks/live/subplays/ha-case.yml
index 7a2482819633291ac66776e3d3a839cf14532a86..b02809ed01b7e53253bd5bbdd71167797157d2f3 100644
--- a/playbooks/live/subplays/ha-case.yml
+++ b/playbooks/live/subplays/ha-case.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: Live vhost setup
   hosts: live
   tags: live
@@ -53,3 +54,5 @@
       args:
         warn: false
       when: rtmp_conf_dir.stat.exists
+
+...
diff --git a/playbooks/live/subplays/standard-case.yml b/playbooks/live/subplays/standard-case.yml
index b0a637ef2ffc9bca4fd261bf1e2cf0dca52a4238..722b2e0cba4943bd6da2ad8e6ddb697b8e858aaf 100644
--- a/playbooks/live/subplays/standard-case.yml
+++ b/playbooks/live/subplays/standard-case.yml
@@ -5,3 +5,4 @@
     rtmp_hls_url: https://%(ms_host)s/streaming-rtmp/%(stream_id)s.m3u8
     rtmp_pub_url: rtmp://%(ms_host)s/%(rtmp_app)s/%(stream_id)s
     deploy_case: standard
+...
diff --git a/playbooks/mediacache.yml b/playbooks/mediacache.yml
index f3b0c45b5db28fac623c9ea4343ce67003d5bcf9..c17acc27baa336af666b5b7c0c615bac57e92c2b 100755
--- a/playbooks/mediacache.yml
+++ b/playbooks/mediacache.yml
@@ -1,5 +1,6 @@
 #!/usr/bin/env ansible-playbook
 ---
+
 - name: MEDIACACHE
   hosts: mediacache
   tags: mediacache
@@ -14,3 +15,5 @@
       when: proxy_apply | d(false)
       ansible.builtin.include_role:
         name: proxy
+
+...
diff --git a/playbooks/mediacache/deploy-minimal.yml b/playbooks/mediacache/deploy-minimal.yml
index 7f25e0416e2e90f7a467bf4e4c6411eececb749b..21ee8d0e8bbf85827ddaf5ee8adc75c05e2584d7 100644
--- a/playbooks/mediacache/deploy-minimal.yml
+++ b/playbooks/mediacache/deploy-minimal.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: MEDIACACHE
   hosts: mediacache
   tags: mediacache
@@ -27,3 +28,5 @@
       delegate_to: "{{ item }}"
       delegate_facts: true
       loop: "{{ groups['mediaserver'] }}"
+
+...
diff --git a/playbooks/mediacache/deploy-standalone.yml b/playbooks/mediacache/deploy-standalone.yml
index 6621c3d0c37a478fb35b9b6f15c0ec6a7f2af40a..318397a6d372e42d51e703783e2918586032a666 100644
--- a/playbooks/mediacache/deploy-standalone.yml
+++ b/playbooks/mediacache/deploy-standalone.yml
@@ -1,5 +1,6 @@
 #!/usr/bin/env ansible-playbook
 ---
+
 - name: MEDIACACHE
   hosts: mediacache
   tags: mediacache
@@ -11,26 +12,26 @@
 - hosts: mediacache
   tags: mediacache
   vars:
-    server_firewall_enabled: true
-    server_ferm_rules_filename: mediacache
-    server_ferm_input_rules:
+    cache_ferm_rules_filename: mediacache
+    cache_ferm_input_rules:
       - proto:
           - tcp
         dport:
           - 80
           - 443
-    server_ferm_output_rules: []
-    server_ferm_global_settings:
+    cache_ferm_output_rules: []
+    cache_ferm_global_settings:
   tasks:
     - name: firewall
-      when: server_firewall_enabled
       vars:
-        ferm_rules_filename: "{{ server_ferm_rules_filename }}"
-        ferm_input_rules: "{{ server_ferm_input_rules }}"
-        ferm_output_rules: "{{ server_ferm_output_rules }}"
-        ferm_global_settings: "{{ server_ferm_global_settings }}"
+        ferm_rules_filename: "{{ cache_ferm_rules_filename }}"
+        ferm_input_rules: "{{ cache_ferm_input_rules }}"
+        ferm_output_rules: "{{ cache_ferm_output_rules }}"
+        ferm_global_settings: "{{ cache_ferm_global_settings }}"
       ansible.builtin.include_role:
         name: ferm-configure
 
 - import_playbook: deploy-minimal.yml
   tags: mediacache
+
+...
diff --git a/playbooks/mediaimport.yml b/playbooks/mediaimport.yml
index 3aa507ee53126c6f06abee0bf65a66bb895ae4de..60016ca70b48938ff035d3cfc80ff6c0998e445d 100755
--- a/playbooks/mediaimport.yml
+++ b/playbooks/mediaimport.yml
@@ -1,5 +1,6 @@
 #!/usr/bin/env ansible-playbook
 ---
+
 - name: MEDIAIMPORT
   hosts: mediaimport
   tags: mediaimport
@@ -10,3 +11,5 @@
       when: proxy_apply | d(false)
       ansible.builtin.include_role:
         name: proxy
+
+...
diff --git a/playbooks/mediaserver.yml b/playbooks/mediaserver.yml
index 5fe4d32631a8c1ff866c607e13d4ab8a068a8ed5..ab8b5d6db6b371877a2f196e4495ba0d33292349 100755
--- a/playbooks/mediaserver.yml
+++ b/playbooks/mediaserver.yml
@@ -1,5 +1,6 @@
 #!/usr/bin/env ansible-playbook
 ---
+
 - name: MEDIASERVER
   hosts: mediaserver
   tags: mediaserver
@@ -14,3 +15,5 @@
       when: proxy_apply | d(false)
       ansible.builtin.include_role:
         name: proxy
+
+...
diff --git a/playbooks/mediavault/add_backup.yml b/playbooks/mediavault/add_backup.yml
index d74166028d730221a9f24d64f08128ffb1598f29..519f9a80a5d19da220f47e323316c8a2fd34acff 100755
--- a/playbooks/mediavault/add_backup.yml
+++ b/playbooks/mediavault/add_backup.yml
@@ -1,9 +1,12 @@
 #!/usr/bin/env ansible-playbook
 ---
+
 - name: MEDIAVAULT
   hosts: mediavault
   tags: mediavault
   tasks:
     - name: Add backup
       ansible.builtin.include_tasks: ressources/add_backup_task.yml
-      loop: "{{ mvt_backups }}"
+      loop: "{{ vault_backups }}"
+
+...
diff --git a/playbooks/mediavault/deploy.yml b/playbooks/mediavault/deploy.yml
index ea588cb4141d544625f31f354c43c3190adedb6b..8cee8d986be78c2ccee73444b0ff891fdb177e27 100755
--- a/playbooks/mediavault/deploy.yml
+++ b/playbooks/mediavault/deploy.yml
@@ -1,5 +1,6 @@
 #!/usr/bin/env ansible-playbook
 ---
+
 - name: MEDIAVAULT
   hosts: mediavault
   tags: mediavault
@@ -10,3 +11,5 @@
       when: proxy_apply | d(false)
       ansible.builtin.include_role:
         name: proxy
+
+...
diff --git a/playbooks/mediaworker.yml b/playbooks/mediaworker.yml
index 4d467e506e6e3e67862ac036610d8e2f4791905b..6649a6ffeecde04595d5938c2434252906aa866c 100755
--- a/playbooks/mediaworker.yml
+++ b/playbooks/mediaworker.yml
@@ -1,5 +1,6 @@
 #!/usr/bin/env ansible-playbook
 ---
+
 - name: MEDIAWORKER
   hosts: mediaworker
   tags: mediaworker
@@ -10,3 +11,5 @@
       when: proxy_apply | d(false)
       ansible.builtin.include_role:
         name: proxy
+
+...
diff --git a/playbooks/mirismanager.yml b/playbooks/mirismanager.yml
index 3b1420ebc861e0b291afeed16d872addc6f696e0..771fe6916d5c308e367db1c4bbc6f8bb0b534e55 100755
--- a/playbooks/mirismanager.yml
+++ b/playbooks/mirismanager.yml
@@ -1,5 +1,6 @@
 #!/usr/bin/env ansible-playbook
 ---
+
 - name: MIRIS MANAGER
   hosts: mirismanager
   tags: mirismanager
@@ -14,3 +15,5 @@
       when: proxy_apply | d(false)
       ansible.builtin.include_role:
         name: proxy
+
+...
diff --git a/playbooks/munin/all.yml b/playbooks/monitor/all.yml
similarity index 60%
rename from playbooks/munin/all.yml
rename to playbooks/monitor/all.yml
index 1de5d53f17ea8d5751215ab09316f7592f112b21..22cadb0714cd403661093a1b7858df322e263187 100644
--- a/playbooks/munin/all.yml
+++ b/playbooks/monitor/all.yml
@@ -1,8 +1,11 @@
 #!/usr/bin/env ansible-playbook
 ---
+
 - import_playbook: msmonitor.yml
   tags: monitor
-- import_playbook: munin-node.yml
+- import_playbook: munin_node.yml
   tags: monitor
-- import_playbook: munin-server.yml
+- import_playbook: munin_server.yml
   tags: monitor
+
+...
diff --git a/playbooks/munin/msmonitor.yml b/playbooks/monitor/msmonitor.yml
similarity index 76%
rename from playbooks/munin/msmonitor.yml
rename to playbooks/monitor/msmonitor.yml
index b0036f1a67d4e4072a797b106a5da69138ae4863..ad334b19896b101e7aeff76218b258aa85cc210f 100644
--- a/playbooks/munin/msmonitor.yml
+++ b/playbooks/monitor/msmonitor.yml
@@ -1,7 +1,10 @@
 #!/usr/bin/env ansible-playbook
 ---
+
 - name: msmonitor
   hosts: msmonitor
   tags: munin
   roles:
-    - munin/msmonitor
+    - monitor/msmonitor
+
+...
diff --git a/playbooks/munin/munin-node.yml b/playbooks/monitor/munin_node.yml
similarity index 75%
rename from playbooks/munin/munin-node.yml
rename to playbooks/monitor/munin_node.yml
index a395c88509600d75d69907f5099870406afbc0b8..785c5095a8a27e6ba495b2eaf55bcbbd86e02969 100644
--- a/playbooks/munin/munin-node.yml
+++ b/playbooks/monitor/munin_node.yml
@@ -1,7 +1,10 @@
 #!/usr/bin/env ansible-playbook
 ---
+
 - name: Munin node
   hosts: munin_node
   tags: munin
   roles:
-    - munin/munin-node
+    - monitor/munin_node
+
+...
diff --git a/playbooks/munin/munin-server.yml b/playbooks/monitor/munin_server.yml
similarity index 89%
rename from playbooks/munin/munin-server.yml
rename to playbooks/monitor/munin_server.yml
index ff26894a4e0ff7d4223a8eeedae0adaaf9a2eca4..00f42013d2f3d36a46bb1033dbf3c7bdd94b2359 100644
--- a/playbooks/munin/munin-server.yml
+++ b/playbooks/monitor/munin_server.yml
@@ -1,5 +1,6 @@
 #!/usr/bin/env ansible-playbook
 ---
+
 - name: Munin server
   hosts: munin_server
   tags: munin
@@ -10,4 +11,6 @@
       delegate_facts: true
       with_items: "{{ groups['munin_node'] }}"
   roles:
-    - munin/munin-server
+    - monitor/munin_server
+
+...
diff --git a/playbooks/netcapture.yml b/playbooks/netcapture.yml
index 76fa87c148406a5edc94666641217a9bbf32f4ce..5bceaf40106cfec058bac5921e4792e67673c1a0 100755
--- a/playbooks/netcapture.yml
+++ b/playbooks/netcapture.yml
@@ -1,5 +1,6 @@
 #!/usr/bin/env ansible-playbook
 ---
+
 - name: NETCAPTURE
   hosts: netcapture
   tags: netcapture
@@ -10,3 +11,5 @@
       when: proxy_apply | d(false)
       ansible.builtin.include_role:
         name: proxy
+
+...
diff --git a/playbooks/netcapture/deploy-minimal.yml b/playbooks/netcapture/deploy-minimal.yml
index 1dc1c0e33869cb64a1d90a335ee2117d1bcdc221..be79c389c76f774f3f204874ad526c82cf752ddb 100644
--- a/playbooks/netcapture/deploy-minimal.yml
+++ b/playbooks/netcapture/deploy-minimal.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: NETCAPTURE
   hosts: netcapture
   gather_facts: false
@@ -6,3 +7,5 @@
   roles:
     - lxc
     - netcapture
+
+...
diff --git a/playbooks/netcapture/deploy-standalone.yml b/playbooks/netcapture/deploy-standalone.yml
index 4d94cfbe55c5d2b55c00603f1fbb338d5da06b84..a4c93c4d270d10c2b55dbc68492527bece433b04 100644
--- a/playbooks/netcapture/deploy-standalone.yml
+++ b/playbooks/netcapture/deploy-standalone.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: NETCAPTURE
   hosts: netcapture
   tags: netcapture
@@ -25,3 +26,5 @@
 
 - import_playbook: deploy-minimal.yml
   tags: netcapture
+
+...
diff --git a/playbooks/postfix.yml b/playbooks/postfix.yml
index 606eeccf493226315b8b9467df6ff45ed4499ebb..719fba051f559046933342f416bab88ee0a94377 100755
--- a/playbooks/postfix.yml
+++ b/playbooks/postfix.yml
@@ -1,8 +1,11 @@
 #!/usr/bin/env ansible-playbook
 ---
+
 - name: POSTFIX
   hosts: all
   tags: all
   roles:
     - conf
     - postfix
+
+...
diff --git a/playbooks/postgres-ha.yml b/playbooks/postgres-ha.yml
index 858fad5592f65da951c02570adf8a422d5481929..0e79d651f07af20285b535d09cb877266d25b75c 100755
--- a/playbooks/postgres-ha.yml
+++ b/playbooks/postgres-ha.yml
@@ -1,5 +1,6 @@
 #!/usr/bin/env ansible-playbook
 ---
+
 - name: POSTGRES HA
   hosts: postgres
   tags: postgres
@@ -26,10 +27,12 @@
 - name: POSTGRES HA CLIENTS
   hosts: mediaserver
   tags: [postgres, mediaserver]
-  pre_tasks:
-    - name: check that haproxy is configured
-      ansible.builtin.assert:
-        that: hap_config_listen != ""
-        quiet: true
+  # pre_tasks:
+  #   - name: check that haproxy is configured
+  #     ansible.builtin.assert:
+  #       that: hap_config_listen != ""
+  #       quiet: true
   roles:
     - haproxy
+
+...
diff --git a/playbooks/postgres-maintenance.yml b/playbooks/postgres-maintenance.yml
index 65ac99cf63efbdd637d1fcc4e8c400801cd5b569..4fd236e494d46f706f1c5601fd58b9b9503526a0 100755
--- a/playbooks/postgres-maintenance.yml
+++ b/playbooks/postgres-maintenance.yml
@@ -1,5 +1,6 @@
 #!/usr/bin/env ansible-playbook
 ---
+
 - import_playbook: postgres-maintenance/rephacheck_status.yml
   tags: [always]
 - import_playbook: postgres-maintenance/fenced_to_standby.yml
@@ -8,3 +9,5 @@
   tags: [never, standby-to-primary]
 - import_playbook: postgres-maintenance/restart_repmgrd.yml
   tags: [never, restart-repmgrd, standby-to-primary]
+
+...
diff --git a/playbooks/postgres-maintenance/fenced_to_standby.yml b/playbooks/postgres-maintenance/fenced_to_standby.yml
index e5e9ec40f26f2ee71815142329826762fe6e86d5..ef85ed3644c4bd0f5830ea07a58f70608ffe23e5 100644
--- a/playbooks/postgres-maintenance/fenced_to_standby.yml
+++ b/playbooks/postgres-maintenance/fenced_to_standby.yml
@@ -1,5 +1,6 @@
 #!/usr/bin/env ansible-playbook
 ---
+
 - name: POSTGRESQL SWITCH CURRENT FENCED TO STANDBY
   hosts: postgres_fenced
   tasks:
@@ -15,13 +16,13 @@
 
     - name: delete postgresql data directory
       ansible.builtin.file:
-        path: /var/lib/postgresql/13/main/
+        path: /var/lib/postgresql/15/main/
         state: absent
         force: true
 
     - name: copy data from primary
       ansible.builtin.command: >
-        repmgr -f /etc/postgresql/13/main/repmgr.conf
+        repmgr -f /etc/postgresql/15/main/repmgr.conf
           --force --verbose
           standby clone
           -h {{ hostvars[groups['postgres_primary'][0]]['ansible_default_ipv4']['address'] }}
@@ -39,8 +40,10 @@
       when: copy_from_primary is succeeded
 
     - name: register node as standby
-      ansible.builtin.command: repmgr -f /etc/postgresql/13/main/repmgr.conf --force --verbose standby register
+      ansible.builtin.command: repmgr -f /etc/postgresql/15/main/repmgr.conf --force --verbose standby register
       become: true
       become_user: postgres
       changed_when: false
       when: copy_from_primary is succeeded
+
+...
diff --git a/playbooks/postgres-maintenance/rephacheck_status.yml b/playbooks/postgres-maintenance/rephacheck_status.yml
index c0ad7448c7acd9a7e67e1ed5b0084be3a1206e31..2f21c42b4b305212d2f00c5d939437c338bcbc0b 100644
--- a/playbooks/postgres-maintenance/rephacheck_status.yml
+++ b/playbooks/postgres-maintenance/rephacheck_status.yml
@@ -1,5 +1,6 @@
 #!/usr/bin/env ansible-playbook
 ---
+
 - name: REHACHECK STATUS
   hosts: postgres_primary:postgres_standby:postgres_fenced
   tasks:
@@ -12,3 +13,5 @@
       ansible.builtin.debug:
         msg: Current node {{ ansible_hostname }} status {{ rephacheck['stdout'] }}
       when: rephacheck['stdout'] | length > 0
+
+...
diff --git a/playbooks/postgres-maintenance/restart_repmgrd.yml b/playbooks/postgres-maintenance/restart_repmgrd.yml
index eca93c4a4516afafd166698cefdf295fa0be162e..8cc1dcfe75b7eb16e77877c7d0cedcf52e4e5c42 100644
--- a/playbooks/postgres-maintenance/restart_repmgrd.yml
+++ b/playbooks/postgres-maintenance/restart_repmgrd.yml
@@ -1,5 +1,6 @@
 #!/usr/bin/env ansible-playbook
 ---
+
 - name: REPMGRD RESTART
   hosts: postgres
   tasks:
@@ -13,3 +14,5 @@
       ansible.builtin.systemd:
         name: repmgrd
         state: restarted
+
+...
diff --git a/playbooks/postgres-maintenance/standby_to_primary.yml b/playbooks/postgres-maintenance/standby_to_primary.yml
index fa132296bcfba33cdef6443a9ade138f884e529b..6ec7bc4bf2df03bfe1ad59f2d29da433141238f9 100644
--- a/playbooks/postgres-maintenance/standby_to_primary.yml
+++ b/playbooks/postgres-maintenance/standby_to_primary.yml
@@ -1,5 +1,6 @@
 #!/usr/bin/env ansible-playbook
 ---
+
 - name: POSTGRESQL SWITCH CURRENT STANDBY TO PRIMARY
   hosts: postgres_standby
   tasks:
@@ -10,7 +11,7 @@
 
     - name: check if node is currently in standby
       ansible.builtin.command:
-        cmd: repmgr standby switchover -f /etc/postgresql/13/main/repmgr.conf --siblings-follow --dry-run
+        cmd: repmgr standby switchover -f /etc/postgresql/15/main/repmgr.conf --siblings-follow --dry-run
       become: true
       become_user: postgres
       changed_when: false
@@ -19,10 +20,12 @@
 
     - name: switch standby node to primary
       ansible.builtin.command:
-        cmd: repmgr standby switchover -f /etc/postgresql/13/main/repmgr.conf --siblings-follow
+        cmd: repmgr standby switchover -f /etc/postgresql/15/main/repmgr.conf --siblings-follow
       become: true
       become_user: postgres
       changed_when: false
       when:
         - standby_dry_run is succeeded
         - rephacheck['stdout'] == "standby"
+
+...
diff --git a/playbooks/postgres.yml b/playbooks/postgres.yml
index e617b6608da4d6dc0fe9687f338922815d08752f..677d89418f4ccc6a3ffe14056f91cfcbf0522891 100755
--- a/playbooks/postgres.yml
+++ b/playbooks/postgres.yml
@@ -1,5 +1,6 @@
 #!/usr/bin/env ansible-playbook
 ---
+
 - name: POSTGRESQL
   hosts: postgres
   tags: postgres
@@ -10,3 +11,5 @@
       when: proxy_apply | d(false)
       ansible.builtin.include_role:
         name: proxy
+
+...
diff --git a/playbooks/site.yml b/playbooks/site.yml
index 9f18d8eeea0cd12e812821375140667d88b8f7af..f1eb69828533ed56827e9b18806632f4b4bf1deb 100755
--- a/playbooks/site.yml
+++ b/playbooks/site.yml
@@ -1,5 +1,6 @@
 #!/usr/bin/env ansible-playbook
 ---
+
 - name: PYTHON
   hosts: all
   gather_facts: false
@@ -44,8 +45,10 @@
 - import_playbook: bench.yml
   tags: bench
 
-- import_playbook: munin/all.yml
+- import_playbook: monitor/all.yml
   tags: monitor
 
 - import_playbook: tester.yml
   tags: tester
+
+...
diff --git a/playbooks/tester.yml b/playbooks/tester.yml
index f68bad3984a0fbf85ddb63c187da247019f63009..1b9dcae29bcb4b460566084e5479324ae4a4d88b 100755
--- a/playbooks/tester.yml
+++ b/playbooks/tester.yml
@@ -1,7 +1,10 @@
 #!/usr/bin/env ansible-playbook
 ---
+
 - name: Install UbiCast tester
   hosts: mediaserver:mediaworker:mirismanager:postgres:msmonitor:live:celerity:mediaimport:mediacache:mediavault
   tags: all
   roles:
     - tester
+
+...
diff --git a/playbooks/tests/data-partition.yml b/playbooks/tests/data-partition.yml
index 218479681ad36f56fac34d6237264dd62ee33746..f2c8c8abcbb9c83ad691a42b8c68245ce85bfa8f 100755
--- a/playbooks/tests/data-partition.yml
+++ b/playbooks/tests/data-partition.yml
@@ -44,7 +44,7 @@
             group: nogroup
           ignore_errors: true  # noqa ignore-errors
           become: true
-          become_method: sudo
+          become_method: ansible.builtin.sudo
           become_user: nobody
           changed_when: false
 
diff --git a/playbooks/tests/exec-tester.yml b/playbooks/tests/exec-tester.yml
index 2ac3069189887a5be1127e19545944e1f33a63a0..8c22df2f3f4df02368e9b47026b74057ef7e6114 100755
--- a/playbooks/tests/exec-tester.yml
+++ b/playbooks/tests/exec-tester.yml
@@ -1,5 +1,6 @@
 #!/usr/bin/env ansible-playbook
 ---
+
 - name: RUN TESTER
   hosts: all
   tags: tester
@@ -19,3 +20,5 @@
           python3 /root/envsetup/tests/tester.py 2>&1 | tee /root/envsetup/tests/logs/tester_pb.log
         creates: /root/envsetup/tests/logs/tester_pb.log
         executable: /bin/bash
+
+...
diff --git a/playbooks/tests/firewall-rules.yml b/playbooks/tests/firewall-rules.yml
index 1cc5e0952f2f4c57681e9494e66c233bba229dab..c1557f8d7d926f679b184a8bbfed82374a280788 100755
--- a/playbooks/tests/firewall-rules.yml
+++ b/playbooks/tests/firewall-rules.yml
@@ -1,5 +1,6 @@
 #!/usr/bin/env ansible-playbook
 ---
+
 - name: GATHER ALL FACTS
   hosts: all
   tasks:
@@ -42,3 +43,5 @@
         loop_var: outer_item
       # execute loop only when group exists and host is in listen.groupname_src
       when: (outer_item.groupname_src in groups) and (inventory_hostname in groups[outer_item.groupname_src])
+
+...
diff --git a/playbooks/tests/ressources/firewall/rules.yml b/playbooks/tests/ressources/firewall/rules.yml
index 44ed151182671140e8eece746619d44d64feb6e8..a4b8d9c1bb3f1ff18f9e6574e32dc4a99d601331 100644
--- a/playbooks/tests/ressources/firewall/rules.yml
+++ b/playbooks/tests/ressources/firewall/rules.yml
@@ -1,4 +1,5 @@
 ---
+
 listen:
   - groupname: mediaserver
     ports: ["80", "443"]
@@ -47,3 +48,5 @@ test:
   - groupname_src: localhost
     groupname_dst: mediaserver
     ports: ["80", "443"]
+
+...
diff --git a/playbooks/upgrade.yml b/playbooks/upgrade.yml
deleted file mode 100755
index c456648e83e8cc4ff17d0fcacbce1043457e11a3..0000000000000000000000000000000000000000
--- a/playbooks/upgrade.yml
+++ /dev/null
@@ -1,21 +0,0 @@
-#!/usr/bin/env ansible-playbook
----
-- name: UPGRADE SERVERS
-  hosts: all
-  tasks:
-    - name: apt-get dist-upgrade
-      when: ansible_os_family == "Debian"
-      ansible.builtin.apt:
-        force_apt_get: true
-        install_recommends: false
-        cache_valid_time: 3600
-        upgrade: dist
-      register: apt_status
-      retries: 60
-      until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
-
-    - name: yum upgrade
-      when: ansible_os_family == "RedHat"
-      ansible.builtin.yum:
-        name: "*"
-        state: latest
diff --git a/playbooks/users.yml b/playbooks/users.yml
index 74b9bf0eec619bce2f864f0125934f23a58d8ac8..5bbd75b39f5bd8048044444e0bdee33d33bfc1c8 100755
--- a/playbooks/users.yml
+++ b/playbooks/users.yml
@@ -1,8 +1,11 @@
 #!/usr/bin/env ansible-playbook
 ---
+
 - name: USERS
   hosts: all
   tags: all
   roles:
     - conf
-    - users
+    - sysuser
+
+...
diff --git a/plugins/action/source_file.py b/plugins/action/source_file.py
deleted file mode 100644
index d6088a2037ed3df08dca62952d34f84e00f2b6fe..0000000000000000000000000000000000000000
--- a/plugins/action/source_file.py
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/usr/bin/python
-
-from __future__ import absolute_import, division, print_function
-
-__metaclass__ = type
-
-from ansible.plugins.action import ActionBase
-
-
-class ActionModule(ActionBase):
-    """Plugin to set facts from variables sourced in `source_file` module."""
-
-    TRANSFERS_FILES = False
-
-    def run(self, tmp=None, task_vars=None):
-        self._supports_check_mode = True
-
-        result = super(ActionModule, self).run(tmp, task_vars)
-        del tmp  # tmp no longer has any effect
-
-        if self._task.args.get("path", None) is None:
-            result["failed"] = True
-            result["msg"] = "path arg needs to be provided"
-            return result
-
-        result.update(self._execute_module(task_vars=task_vars))
-
-        return result
diff --git a/requirements.txt b/requirements.txt
index 16ef0977cff246861034a7e4f776da40ba26b1d6..4d5515606e404332bc0a62bb6e681393155b6d78 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -1,6 +1,6 @@
-ansible<8.0.0
-passlib
+passlib  # deprecation of crypt module
+ansible>=8.0,<9.0
 netaddr
 pyyaml
-openstacksdk>=0.36,<0.99.0
-ovh
+openstacksdk>1.00 # ubicast-environment
+ovh               # ubicast-environment
diff --git a/requirements.yml b/requirements.yml
index 69f4b8f2428a100398e04abf540b9a3cdfe404fd..8c220f8a63c37a115b8e2a6310c07df9b1d7d8c0 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -1,3 +1,6 @@
 ---
+
 - src: elastic.elasticsearch
   version: 7.9.0
+
+...
diff --git a/roles/base/meta/main.yml b/roles/base/meta/main.yml
index 7c8be6e0fad0b8faa9b8a1869a469207f4763abd..eb7daa8fe6a32572792453f995d10baf7146ec6f 100644
--- a/roles/base/meta/main.yml
+++ b/roles/base/meta/main.yml
@@ -1,10 +1,13 @@
 ---
+
 dependencies:
   - role: conf
   - role: init
   - role: sysconfig
-  - role: users
+  - role: sysuser
   - role: postfix
   - role: ferm-install
   - role: ferm-configure
   - role: fail2ban
+
+...
diff --git a/roles/bench-server/defaults/main.yml b/roles/bench-server/defaults/main.yml
index 175757889e335bb9bde89a869fce4d362c48d517..feccdd5a25d91ced913e75b888c8dca74ec4ac2f 100644
--- a/roles/bench-server/defaults/main.yml
+++ b/roles/bench-server/defaults/main.yml
@@ -1,4 +1,5 @@
 ---
+
 bench_server_packages:
   - ubicast-benchmark
 
@@ -13,3 +14,5 @@ bench_dl_streams: false
 
 bench_stream_repo: https://git.ubicast.net/mediaserver/ms-testing-suite.git
 bench_host_api_key: "{{ envsetup_ms_api_key | d() }}"
+
+...
diff --git a/roles/bench-server/meta/main.yml b/roles/bench-server/meta/main.yml
index 152fcf1fab309ff8196530b1e4914a71fafef7d8..91d0a5d794147e734592ab2aab6005487dfd9bbc 100644
--- a/roles/bench-server/meta/main.yml
+++ b/roles/bench-server/meta/main.yml
@@ -1,5 +1,8 @@
 ---
+
 dependencies:
   - role: conf
   - role: init
   - role: sysconfig
+
+...
diff --git a/roles/bench-server/tasks/main.yml b/roles/bench-server/tasks/main.yml
index 4715f39af7264fdc5521a6aa334a65db58256a0a..07d984d69514fa8181c2b986442597deea46b411 100644
--- a/roles/bench-server/tasks/main.yml
+++ b/roles/bench-server/tasks/main.yml
@@ -1,11 +1,12 @@
 ---
+
 - name: install bench-server packages
   ansible.builtin.apt:
     force_apt_get: true
     install_recommends: false
     update_cache: true
     name: "{{ bench_server_packages }}"
-    state: latest
+    state: present
   register: apt_status
   retries: 60
   until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
@@ -87,7 +88,7 @@
     install_recommends: false
     update_cache: true
     name: docker-ce
-    state: latest
+    state: present
   register: apt_status
   retries: 60
   until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
@@ -101,3 +102,5 @@
     chdir: /usr/share/ms-testing-suite
   changed_when: false
   run_once: true
+
+...
diff --git a/roles/bench-worker/defaults/main.yml b/roles/bench-worker/defaults/main.yml
index f8e06f1f077e190aa4e1f672b1ca0124647c80fe..8e51cf19d09a0ab404db26c568c3a268de6a92f6 100644
--- a/roles/bench-worker/defaults/main.yml
+++ b/roles/bench-worker/defaults/main.yml
@@ -1,4 +1,5 @@
 ---
+
 bench_worker_packages:
   - ubicast-benchmark
 
@@ -10,3 +11,5 @@ bench_user: admin
 bench_password: "{{ envsetup_ms_admin_pwd | d() }}"
 bench_oid:
 bench_dl_streams: false
+
+...
diff --git a/roles/bench-worker/meta/main.yml b/roles/bench-worker/meta/main.yml
index 152fcf1fab309ff8196530b1e4914a71fafef7d8..91d0a5d794147e734592ab2aab6005487dfd9bbc 100644
--- a/roles/bench-worker/meta/main.yml
+++ b/roles/bench-worker/meta/main.yml
@@ -1,5 +1,8 @@
 ---
+
 dependencies:
   - role: conf
   - role: init
   - role: sysconfig
+
+...
diff --git a/roles/bench-worker/tasks/main.yml b/roles/bench-worker/tasks/main.yml
index 5f5f46de613e688cb03cd51fd3ac25427b15571d..6ae1f29009a0a60b340293460ee7c93f2206c43e 100644
--- a/roles/bench-worker/tasks/main.yml
+++ b/roles/bench-worker/tasks/main.yml
@@ -1,11 +1,12 @@
 ---
+
 - name: install bench-worker packages
   ansible.builtin.apt:
     force_apt_get: true
     install_recommends: false
     update_cache: true
     name: "{{ bench_worker_packages }}"
-    state: latest
+    state: present
   register: apt_status
   retries: 60
   until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
@@ -39,3 +40,5 @@
   ansible.builtin.systemd:
     name: bench-worker
     state: restarted
+
+...
diff --git a/roles/celerity/README.md b/roles/celerity/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..eed5b5cd72fe018a4f421cfe6d2ccabd29338499
--- /dev/null
+++ b/roles/celerity/README.md
@@ -0,0 +1,29 @@
+# Celerity
+
+The celerity group is used to configure the hosts that balance the transcoding tasks.  
+ * In a standard UbiCast case, the host is the same as the mediaserver.
+ * In a HA UbiCast case, the live is usually a dedicated server.
+
+## Role Variables
+
+Available variables are listed below, along with the descriptions and the default values.
+
+`nudgis_front_system_user`: Nudgis system username for the application portal, used as a JSON key in celerity config for nudgis API usage (see also nudgis_front_api_key) (Optional)
+```
+nudgis_front_system_user: "msuser"
+```
+
+`nudgis_front_api_key`: Nudgis API key, used to communicate with the nudgis portal
+```
+nudgis_front_api_key: "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"
+```
+
+`celerity_server_domain`: IP or domain on which the celerity server service can be joined
+```
+celerity_server_domain: "celerity.example.com"
+```
+
+`celerity_signing_key`: Secret key shared between celerity server and workers for communications (should be the same everywhere for communication)
+```
+celerity_signing_key: "changeit"
+```
diff --git a/roles/celerity/defaults/main.yml b/roles/celerity/defaults/main.yml
index 377595af195484af31ab20015c5e1345068c9a63..27e5f6f691c48ed410ade32ab9f55839644ed594 100644
--- a/roles/celerity/defaults/main.yml
+++ b/roles/celerity/defaults/main.yml
@@ -1,21 +1,8 @@
 ---
-celerity_signing_key: "{{ envsetup_celerity_signing_key | d('change-me', true) }}"
-celerity_server: "{{ envsetup_celerity_server | d(envsetup_ms_server_name, true) | d('127.0.0.1', true) }}"
+celerity_signing_key: "changeit"
+celerity_server_domain: "celerity.example.com"
 
-celerity_ms_id: "{{ envsetup_ms_id | d() }}"
-celerity_ms_api_key: "{{ envsetup_ms_api_key | d() }}"
-celerity_ms_hostname: "{{ envsetup_ms_server_name | d() }}"
-celerity_ms_instances:
-  - ms_id: "{{ celerity_ms_id }}"
-    ms_api_key: "{{ celerity_ms_api_key }}"
-    ms_server_name: "{{ celerity_ms_hostname }}"
-
-celerity_firewall_enabled: true
-celerity_ferm_rules_filename: celerity
-celerity_ferm_input_rules:
-  - proto:
-      - tcp
-    dport:
-      - 6200
-celerity_ferm_output_rules: []
-celerity_ferm_global_settings:
+nudgis_front_domain: "nudgis.example.com"
+nudgis_front_api_key: "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"
+nudgis_front_system_user: "msuser"
+...
diff --git a/roles/celerity/handlers/main.yml b/roles/celerity/handlers/main.yml
index 77b9d81951cc9d33c219c2dc200d63b4fc8b8488..8b10bf7f7a1a79f73fe08402fe76727fcc32ce4e 100644
--- a/roles/celerity/handlers/main.yml
+++ b/roles/celerity/handlers/main.yml
@@ -3,3 +3,9 @@
   ansible.builtin.service:
     name: celerity-server
     state: restarted
+
+- name: restart celerity-workers
+  ansible.builtin.service:
+    name: celerity-workers
+    state: restarted
+...
diff --git a/roles/celerity/meta/main.yml b/roles/celerity/meta/main.yml
index 471eb65e53129fb19aa41af0c049719b93c0ef91..e45d692ae3567f856967cd6f66c91d13e2e94e4e 100644
--- a/roles/celerity/meta/main.yml
+++ b/roles/celerity/meta/main.yml
@@ -1,3 +1,6 @@
 ---
+
 dependencies:
   - role: base
+
+...
diff --git a/roles/celerity/tasks/celerity_base_config.yml b/roles/celerity/tasks/celerity_base_config.yml
new file mode 100644
index 0000000000000000000000000000000000000000..fde98bae52859161bb826e0b2dfaf1f77519a587
--- /dev/null
+++ b/roles/celerity/tasks/celerity_base_config.yml
@@ -0,0 +1,40 @@
+---
+
+- name: copy celerity example configuration
+  notify: "restart {{ _celerity_service }}"
+  ansible.builtin.copy:
+    remote_src: true
+    src: /etc/celerity/config.example.py
+    dest: /etc/celerity/config.py
+    mode: preserve
+    force: false
+
+- name: celerity base configuration
+  notify: "restart {{ _celerity_service }}"
+  ansible.builtin.replace:
+    path: /etc/celerity/config.py
+    regexp: '^(\s*)#?{{ item.name }}\s*=.*$'
+    replace: '\1{{ item.name }} = {{ item.value }}'
+  loop:
+    - { name: 'SERVER_URL',  value: '"https://{{ celerity_server_domain }}:6200"' } # noqa: yaml[commas]
+    - { name: 'SIGNING_KEY', value: '"{{ celerity_signing_key }}"' }
+  when: item.value != "" and item.value != '""'
+
+- name: celerity add nudgis portal
+  notify: "restart {{ _celerity_service }}"
+  ansible.builtin.command:
+    cmd: >
+      celerity-configurator add-portal
+        'ms_id=1_{{ nudgis_front_system_user }}'
+        'url=https://{{ nudgis_front_domain }}'
+        'api_key={{ nudgis_front_api_key }}'
+  register: celerity_add_portal
+  changed_when: celerity_add_portal.stdout != 'The configuration file is already up to date.'
+
+- name: "ensure {{ _celerity_service }} is running"
+  ansible.builtin.service:
+    name: "{{ _celerity_service }}"
+    enabled: true
+    state: started
+
+...
diff --git a/roles/celerity/tasks/main.yml b/roles/celerity/tasks/main.yml
index 6595e32af2a2318dfc36c625422181b19815c1ca..8e5e3a58120b5856b5c0a944fc37cf7ab618de9e 100644
--- a/roles/celerity/tasks/main.yml
+++ b/roles/celerity/tasks/main.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: celerity server install
   ansible.builtin.apt:
     force_apt_get: true
@@ -8,23 +9,14 @@
   retries: 60
   until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
 
-- name: config celerity server
-  notify: restart celerity-server
-  ansible.builtin.template:
-    src: celerity-config.py.j2
-    dest: /etc/celerity/config.py
-    mode: "644"
-
-- name: ensure celerity server is running
-  ansible.builtin.service:
-    name: celerity-server
-    enabled: true
-    state: started
+- name: configure celerity
+  ansible.builtin.include_tasks: celerity_base_config.yml
+  vars:
+    _celerity_service: "celerity-server"
 
 # FIREWALL
 
 - name: celerity firewall
-  when: celerity_firewall_enabled
   vars:
     ferm_rules_filename: "{{ celerity_ferm_rules_filename }}"
     ferm_input_rules: "{{ celerity_ferm_input_rules }}"
@@ -35,3 +27,5 @@
 
 - name: flush handlers
   ansible.builtin.meta: flush_handlers
+
+...
diff --git a/roles/celerity/templates/celerity-config.py.j2 b/roles/celerity/templates/celerity-config.py.j2
deleted file mode 100644
index 49a974aed2211cc01ba80c4ebc3879896c4b2b3f..0000000000000000000000000000000000000000
--- a/roles/celerity/templates/celerity-config.py.j2
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding: utf-8 -*-
-
-SIGNING_KEY = '{{ celerity_signing_key }}'
-SERVER_URL = 'https://{{ celerity_server }}:6200'
-
-# Queues count, default: min(round(thread_count/2)-1,2)
-#QUEUES_PER_WORKER = 2
-
-# MediaServer interactions
-MEDIASERVERS = {
-{% if celerity_ms_id and celerity_ms_hostname and celerity_ms_api_key %}
-    '{{ celerity_ms_id }}': {'url': 'https://{{ celerity_ms_hostname }}', 'api_key': '{{ celerity_ms_api_key }}'},
-{% endif %}
-}
diff --git a/roles/celerity/vars/main.yml b/roles/celerity/vars/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e16ea33d8b1212b3bdd1dd9a68fcd2d6b9092c3c
--- /dev/null
+++ b/roles/celerity/vars/main.yml
@@ -0,0 +1,10 @@
+---
+celerity_ferm_rules_filename: celerity
+celerity_ferm_input_rules:
+  - proto:
+      - tcp
+    dport:
+      - 6200
+celerity_ferm_output_rules: []
+celerity_ferm_global_settings:
+...
diff --git a/roles/conf/defaults/main.yml b/roles/conf/defaults/main.yml
index 7f3df0ade59248aa7d7caa6dfd532f912a1a8953..5c10c6169af967232993af024501e4495606bcd8 100644
--- a/roles/conf/defaults/main.yml
+++ b/roles/conf/defaults/main.yml
@@ -1,19 +1,3 @@
 ---
-conf_req_packages:
-  - ca-certificates
-  - openssh-client
-
-conf_req_packages_online:
-  - git
-
-conf_dir: /root/envsetup
-
-conf_host: "{{ skyreach_host | default('mirismanager.ubicast.eu', true) }}"
-conf_valid_cert: "{{ skyreach_valid_cert | default(true, true) }}"
-
-skyreach_activation_key: "{{ lookup('env', 'SKYREACH_ACTIVATION_KEY') }}"
-skyreach_system_key: "{{ lookup('env', 'SKYREACH_SYSTEM_KEY') }}"
-
-conf_update: false
-
-conf_debug: false
+# nothing
+...
diff --git a/roles/conf/tasks/main.yml b/roles/conf/tasks/main.yml
index 0497da29719296b3394ef75cb149f4c9c43f4b6c..188820bd303e2689b3dd702e56b92f8542d751e8 100644
--- a/roles/conf/tasks/main.yml
+++ b/roles/conf/tasks/main.yml
@@ -15,16 +15,6 @@
   retries: 60
   until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
 
-- name: install online requirements
-  when: not offline_mode | d(false)
-  ansible.builtin.apt:
-    force_apt_get: true
-    install_recommends: false
-    name: "{{ conf_req_packages_online }}"
-  register: apt_status
-  retries: 60
-  until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
-
 - name: generate root ssh key pair
   register: conf_root
   ansible.builtin.user:
@@ -32,99 +22,4 @@
     generate_ssh_key: true
     ssh_key_type: ed25519
     ssh_key_file: .ssh/id_ed25519
-
-- name: create conf dir
-  ansible.builtin.file:
-    path: "{{ conf_dir }}"
-    state: directory
-    mode: "0700"
-
-- name: check if auto-generated-conf.sh exists
-  check_mode: false
-  register: check_auto_conf
-  ansible.builtin.stat:
-    path: "{{ conf_dir }}/auto-generated-conf.sh"
-
-- name: download conf and update ssh public key with activation key
-  when: skyreach_activation_key | d(false)
-  register: conf_dl_ak
-  changed_when: conf_dl_ak.status == 200
-  failed_when:
-    - conf_dl_ak.status != 200
-    - not check_auto_conf.stat.exists
-    - not skyreach_system_key
-  ansible.builtin.uri:
-    url: https://{{ conf_host }}/erp/credentials/envsetup-conf.sh
-    method: POST
-    body_format: form-urlencoded
-    body:
-      key: "{{ skyreach_activation_key }}"
-      public_key: "{{ conf_root.ssh_public_key }}"
-    return_content: true
-    validate_certs: "{{ conf_valid_cert }}"
-
-- name: download conf and update ssh public key with system key
-  when:
-    - not check_auto_conf.stat.exists or conf_update
-    - skyreach_system_key | d(false)
-  register: conf_dl_sk
-  changed_when: conf_dl_sk.status == 200
-  failed_when:
-    - conf_dl_sk.status != 200
-    - not check_auto_conf.stat.exists
-  ansible.builtin.uri:
-    url: https://{{ conf_host }}/erp/credentials/envsetup-conf.sh
-    method: POST
-    body_format: form-urlencoded
-    body:
-      api_key: "{{ skyreach_system_key }}"
-      public_key: "{{ conf_root.ssh_public_key }}"
-    return_content: true
-    validate_certs: "{{ conf_valid_cert }}"
-
-- name: save generated conf # noqa no-handler
-  loop:
-    - "{{ conf_dl_ak }}"
-    - "{{ conf_dl_sk }}"
-  when: item is changed
-  ansible.builtin.copy:
-    content: "{{ item.content }}"
-    dest: "{{ conf_dir }}/auto-generated-conf.sh"
-    force: true
-    backup: true
-    mode: "644"
-
-- name: check if auto-generated-conf.sh exists
-  check_mode: false
-  register: check_auto_conf
-  ansible.builtin.stat:
-    path: "{{ conf_dir }}/auto-generated-conf.sh"
-
-- name: check if conf.sh exists
-  check_mode: false
-  register: check_local_conf
-  ansible.builtin.stat:
-    path: "{{ conf_dir }}/conf.sh"
-
-- name: load generated conf
-  when: check_auto_conf.stat.exists
-  changed_when: false
-  check_mode: false
-  source_file:
-    path: "{{ conf_dir }}/auto-generated-conf.sh"
-    prefix: envsetup_
-    lower: true
-
-- name: load local conf
-  when: check_local_conf.stat.exists
-  changed_when: false
-  check_mode: false
-  source_file:
-    path: "{{ conf_dir }}/conf.sh"
-    prefix: envsetup_
-    lower: true
-
-- name: debug variables
-  when: conf_debug
-  ansible.builtin.debug:
-    var: ansible_facts
+...
diff --git a/roles/conf/vars/main.yml b/roles/conf/vars/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..2fdd2bbbfe11963935b29ca6cf53bd51a6f78d7a
--- /dev/null
+++ b/roles/conf/vars/main.yml
@@ -0,0 +1,5 @@
+---
+conf_req_packages:
+  - ca-certificates
+  - openssh-client
+...
diff --git a/roles/docker/tasks/main.yml b/roles/docker/tasks/main.yml
index a5e3ed7322cef804e9abe452a71a2ebb8b1b2e8a..4d631d99de8439addc4b02a0491d5350ef81f557 100644
--- a/roles/docker/tasks/main.yml
+++ b/roles/docker/tasks/main.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: requirements install
   ansible.builtin.apt:
     force_apt_get: true
@@ -34,7 +35,7 @@
     - not offline_mode | d(false)
   ansible.builtin.apt:
     name: docker-ce
-    state: latest
+    state: present
     update_cache: true
   register: apt_status
   retries: 60
@@ -53,8 +54,10 @@
     - not offline_mode | d(false)
   ansible.builtin.apt:
     name: python3-docker
-    state: latest
+    state: present
     update_cache: true
   register: apt_status
   retries: 60
   until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
+
+...
diff --git a/roles/elastic/defaults/main.yml b/roles/elastic/defaults/main.yml
index 2aa7f00ede6f7a3e549262f65cf026b7ebe2c5a4..01d4c19a78556d8b8d798b60e9265c9bc69d375f 100644
--- a/roles/elastic/defaults/main.yml
+++ b/roles/elastic/defaults/main.yml
@@ -1,3 +1,6 @@
 ---
+
 kibana_default_port: 5601
 kibana_server_host: localhost
+
+...
diff --git a/roles/elastic/handlers/main.yml b/roles/elastic/handlers/main.yml
index ca0aed386a224646013f166ae48380f2928f1bea..011f6eaaec23ac834c760d0a68d9ba9e650f6812 100644
--- a/roles/elastic/handlers/main.yml
+++ b/roles/elastic/handlers/main.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: restart kibana
   ansible.builtin.service:
     name: kibana
@@ -8,3 +9,5 @@
   ansible.builtin.service:
     name: apm-server
     state: restarted
+
+...
diff --git a/roles/elastic/tasks/main.yml b/roles/elastic/tasks/main.yml
index a0cece5d8be421d7b655ae68a3e6f7f1fa037378..a02116e8fa3dbe569bc65ad756aee79679b4acb8 100644
--- a/roles/elastic/tasks/main.yml
+++ b/roles/elastic/tasks/main.yml
@@ -1,10 +1,11 @@
 ---
+
 - name: install kibana package
   ansible.builtin.apt:
     force_apt_get: true
     install_recommends: false
     name: kibana
-    state: latest
+    state: present
   register: apt_status
   retries: 60
   until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
@@ -21,7 +22,7 @@
     force_apt_get: true
     install_recommends: false
     name: apm-server
-    state: latest
+    state: present
   register: apt_status
   retries: 60
   until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
@@ -32,3 +33,5 @@
     dest: /etc/apm-server/apm-server.yml
     mode: "644"
   notify: restart apm-server
+
+...
diff --git a/roles/fail2ban/README.md b/roles/fail2ban/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..66c029c9ca8b2d839a1da86a74bf419a09b8e389
--- /dev/null
+++ b/roles/fail2ban/README.md
@@ -0,0 +1,35 @@
+# Fail2ban
+
+## Role Variables
+
+Available variables are listed below, along with the descriptions and the default values.
+
+`fail2ban_ignoreip`: IP addresses exceptions (no monitored by fail2ban) (Optional)
+```
+fail2ban_ignoreip: "127.0.0.1/8 ::1"
+```
+
+`fail2ban_maxretry`: Number of acceptable failures before banning an IP (Optional)
+```
+fail2ban_maxretry: "5"
+```
+
+`fail2ban_bantime`: Duration of bans (Optional)
+```
+fail2ban_bantime: "10m"
+```
+
+`fail2ban_email_from`: Email sender of the fail2ban reports (Optional)
+```
+fail2ban_email_from: "root@localhost"
+```
+
+`fail2ban_email_to`: Email reciepient of the fail2ban reports (Optional)
+```
+fail2ban_email_to: "noreply@example.com"
+```
+
+`fail2ban_action`: Define the default action to do when a ban occurs ("action_mwl" to send whois and logs via email or "action_" for default) (Optional)
+```
+fail2ban_action: "action_mwl"
+```
diff --git a/roles/fail2ban/defaults/main.yml b/roles/fail2ban/defaults/main.yml
index 5cdd83796e1ae03f00408a8b3649c9f500993408..f444c35aa3c31d044d8a76675091ffa9f29bec9c 100644
--- a/roles/fail2ban/defaults/main.yml
+++ b/roles/fail2ban/defaults/main.yml
@@ -1,29 +1,8 @@
 ---
-f2b_packages:
-  - fail2ban
-  - rsyslog
-
-f2b_enabled: "{% if envsetup_fail2ban_enabled | default(false) %}true{% else %}false{% endif %}"
-f2b_ignoreip: 127.0.0.1/8 ::1
-f2b_maxretry: "{{ envsetup_fail2ban_maxretry | default('5', true) }}"
-f2b_bantime: "{{ envsetup_fail2ban_bantime | default('10m', true) }}"
-f2b_sender: "{{ envsetup_email_sender | default('root@localhost', true) }}"
-f2b_destemail: >
-  {% if envsetup_fail2ban_dest_email is defined %}
-    {% if envsetup_fail2ban_dest_email is string %}
-      {{ envsetup_fail2ban_dest_email }}
-    {% else %}
-      {{ envsetup_fail2ban_dest_email | join(',') }}
-    {% endif %}
-  {% endif %}
-
-f2b_destemail_admins: >
-  {% if envsetup_email_admins is defined %}
-    {% if envsetup_email_admins is string %}
-      {{ envsetup_email_admins }}
-    {% else %}
-      {{ envsetup_email_admins | join(',') }}
-    {% endif %}
-  {% endif %}"
-
-f2b_action: "{% if envsetup_fail2ban_send_email | default(false) %}action_mwl{% else %}action_{% endif %}"
+fail2ban_ignoreip: "127.0.0.1/8 ::1"
+fail2ban_maxretry: "5"
+fail2ban_bantime: "10m"
+fail2ban_email_from: "root@localhost"
+fail2ban_email_to: "noreply@example.com"
+fail2ban_action: "action_mwl"
+...
diff --git a/roles/fail2ban/handlers/main.yml b/roles/fail2ban/handlers/main.yml
index 6f6780a1d6d7ce7674b0334f22144ad34db9376a..191b0cc20b4f9a73bc30da5921c9a6c6f950adfd 100644
--- a/roles/fail2ban/handlers/main.yml
+++ b/roles/fail2ban/handlers/main.yml
@@ -1,5 +1,8 @@
 ---
+
 - name: restart fail2ban
   ansible.builtin.systemd:
     name: fail2ban
     state: restarted
+
+...
diff --git a/roles/fail2ban/tasks/main.yml b/roles/fail2ban/tasks/main.yml
index 097142d649312f502046533d853ff0df1e570fa5..f6f94368e439bc55f78a25d189ee34ab99c70b47 100644
--- a/roles/fail2ban/tasks/main.yml
+++ b/roles/fail2ban/tasks/main.yml
@@ -1,14 +1,32 @@
 ---
+
 - name: packages
   ansible.builtin.apt:
     force_apt_get: true
     install_recommends: false
-    name: "{{ f2b_packages }}"
-    state: latest
+    name: "{{ fail2ban_packages }}"
+    state: present
   register: apt_status
   retries: 60
   until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
 
+- name: create fail2ban path-overrides
+  notify: restart fail2ban
+  ansible.builtin.copy:
+    dest: /etc/fail2ban/paths-overrides.local
+    mode: "644"
+    force: false
+    content: |
+      [DEFAULT]
+
+- name: configure sshd jail backend
+  notify: restart fail2ban
+  ansible.builtin.lineinfile:
+    path: /etc/fail2ban/paths-overrides.local
+    regexp: '^sshd_backend'
+    insertafter: '[DEFAULT]'
+    line: 'sshd_backend = systemd'
+
 - name: jail defaults
   notify: restart fail2ban
   ansible.builtin.template:
@@ -21,3 +39,5 @@
     name: fail2ban
     enabled: true
     state: started
+
+...
diff --git a/roles/fail2ban/templates/jail.local.j2 b/roles/fail2ban/templates/jail.local.j2
index 71d2e3038895dbe2578485d8126f214dca2f0cc1..98180b9d02dc732d5d5f2b4cdfc448ed6e706a85 100644
--- a/roles/fail2ban/templates/jail.local.j2
+++ b/roles/fail2ban/templates/jail.local.j2
@@ -1,8 +1,8 @@
 [DEFAULT]
 
-ignoreip = {{ f2b_ignoreip }}
-bantime = {{ f2b_bantime }}
-maxretry = {{ f2b_maxretry }}
-destemail = {{ f2b_destemail | default(f2b_destemail_admins, true) }}
-sender = {{ f2b_sender }}
-action = %({{ f2b_action }})s
+ignoreip = {{ fail2ban_ignoreip }}
+bantime = {{ fail2ban_bantime }}
+maxretry = {{ fail2ban_maxretry }}
+destemail = {{ fail2ban_email_to }}
+sender = {{ fail2ban_email_from }}
+action = %({{ fail2ban_action }})s
diff --git a/roles/fail2ban/vars/main.yml b/roles/fail2ban/vars/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..16534e5cf7aa6d4a74165e5464b1345591e8a516
--- /dev/null
+++ b/roles/fail2ban/vars/main.yml
@@ -0,0 +1,5 @@
+---
+fail2ban_packages:
+  - fail2ban
+  - python3-systemd  # used to read systemd journal
+...
diff --git a/roles/ferm-configure/README.md b/roles/ferm-configure/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..2238da732853963483de85ee0f40d3fb71bd923f
--- /dev/null
+++ b/roles/ferm-configure/README.md
@@ -0,0 +1,31 @@
+# Ferm-configure
+
+## Role Variables
+
+Available variables are listed below, along with the descriptions and the default values.
+
+`ferm_global_settings`: Global settings to be put in ferm.d directory (Optional)
+```
+ferm_global_settings: |
+
+```
+
+`ferm_input_rules`: List of input rules for the ferm firewall (Optional)
+```
+ferm_input_rules: []
+```
+
+`ferm_output_rules`: List of output rules for the ferm firewall (Optional)
+```
+ferm_output_rules: []
+```
+
+`ferm_rules_filename`: Filename into which rules will be written (Optional)
+```
+ferm_rules_filename: "default"
+```
+
+`ferm_forward_rules`: List of forward rules for the ferm firewall (Optional)
+```
+ferm_forward_rules: []
+```
diff --git a/roles/ferm-configure/defaults/main.yml b/roles/ferm-configure/defaults/main.yml
index 133033a39a1099009770bc827000fdd736a53726..1dc4a60caf341f276de519a001d9b2ee323c3c5d 100644
--- a/roles/ferm-configure/defaults/main.yml
+++ b/roles/ferm-configure/defaults/main.yml
@@ -1,4 +1,5 @@
 ---
+
 # filename into which rules will be written
 # /etc/ferm/{ferm|input|output|forward}.d/<filename>.conf
 ferm_rules_filename: default
@@ -11,3 +12,5 @@ ferm_output_rules: []
 ferm_forward_rules: []
 # global settings to be put in ferm.d directory
 ferm_global_settings:
+
+...
diff --git a/roles/ferm-configure/handlers/main.yml b/roles/ferm-configure/handlers/main.yml
index da492c2d05d150b0765392b8fcff32813d02db62..cbf9b673b10f3088cc28da4cdd00a5bab000bf6f 100644
--- a/roles/ferm-configure/handlers/main.yml
+++ b/roles/ferm-configure/handlers/main.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: restart ferm
   when: ansible_facts.services['ferm.service'] is defined
   ansible.builtin.systemd:
@@ -10,3 +11,5 @@
   ansible.builtin.systemd:
     name: fail2ban
     state: started
+
+...
diff --git a/roles/ferm-configure/tasks/main.yml b/roles/ferm-configure/tasks/main.yml
index 0fc98bf57df2e9759fa7f70d3025706e6c5bcf59..5ab1dfef304240c2f5f3e114b8cecbac64b86a34 100644
--- a/roles/ferm-configure/tasks/main.yml
+++ b/roles/ferm-configure/tasks/main.yml
@@ -1,16 +1,7 @@
 ---
+
 - name: populate service facts
   ansible.builtin.service_facts:
-- name: directories
-  loop:
-    - /etc/ferm/ferm.d
-    - /etc/ferm/input.d
-    - /etc/ferm/output.d
-    - /etc/ferm/forward.d
-  ansible.builtin.file:
-    path: "{{ item }}"
-    state: directory
-    mode: "755"
 
 - name: global
   when: ferm_global_settings | d(false)
@@ -51,3 +42,5 @@
     src: ferm_rules_forward.conf.j2
     dest: /etc/ferm/forward.d/{{ ferm_rules_filename }}.conf
     mode: "644"
+
+...
diff --git a/roles/ferm-install/README.md b/roles/ferm-install/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..300d0ad5ad7bfee5751182242d48825875b6ce2a
--- /dev/null
+++ b/roles/ferm-install/README.md
@@ -0,0 +1,50 @@
+# Ferm-install
+
+## Role Variables
+
+Available variables are listed below, along with the descriptions and the default values.
+
+`ferm_input_policy`: Input policy for the ferm firewall (Optional)
+```
+ferm_input_policy: "DROP"
+```
+
+`ferm_input_log`: Activates the logs for input packets (Optional)
+```
+ferm_input_log: False
+```
+
+`ferm_input_log_prefix`: Prefix for the input packets log lines (Optional)
+```
+ferm_input_log_prefix: "{{ ferm_input_policy }} INPUT "
+```
+
+`ferm_output_policy`: Output policy for the ferm firewall (Optional)
+```
+ferm_output_policy: "ACCEPT"
+```
+
+`ferm_output_log`: Activates the logs for output packets (Optional)
+```
+ferm_output_log: False
+```
+
+`ferm_output_log_prefix`: Prefix for the output packets log lines (Optional)
+```
+ferm_output_log_prefix: "{{ ferm_output_policy }} OUTPUT "
+```
+
+`ferm_forward_policy`: Forward policy for the ferm firewall (Optional)
+```
+ferm_forward_policy: "DROP"
+```
+
+`ferm_forward_log`: Activates the logs for forward packets (Optional)
+```
+ferm_forward_log: False
+```
+
+`ferm_forward_log_prefix`: Prefix for the forward packets log lines (Optional)
+```
+ferm_forward_log_prefix: "{{ ferm_forward_policy }} FORWARD "
+```
diff --git a/roles/ferm-install/defaults/main.yml b/roles/ferm-install/defaults/main.yml
index 9454c73dc2f3ef2355a47911b403247177b083a7..adb5bfdc2cb43c4bbe9ed6776c7af278cac765ac 100644
--- a/roles/ferm-install/defaults/main.yml
+++ b/roles/ferm-install/defaults/main.yml
@@ -1,7 +1,4 @@
 ---
-# packages to install
-ferm_packages:
-  - ferm
 
 # default filtering and logging policy for input traffic
 ferm_input_policy: DROP
@@ -20,3 +17,5 @@ ferm_forward_log_prefix: "{{ ferm_forward_policy }} FORWARD "
 
 # enable anti-lockout rule
 ferm_antilockout_enabled: true
+
+...
diff --git a/roles/ferm-install/handlers/main.yml b/roles/ferm-install/handlers/main.yml
index 956196934a5b26c10ace07b475411f8a78415f1c..cd10766d5ab5821f8baeee93e742eadd9ef0d6ab 100644
--- a/roles/ferm-install/handlers/main.yml
+++ b/roles/ferm-install/handlers/main.yml
@@ -1,5 +1,8 @@
 ---
+
 - name: restart ferm
   ansible.builtin.systemd:
     name: ferm
     state: restarted
+
+...
diff --git a/roles/ferm-install/tasks/main.yml b/roles/ferm-install/tasks/main.yml
index a00a914f0049c7ecf5b9d895c7b7c414016c747c..10439a81070ccfdee127977e503baccc34ef3ced 100644
--- a/roles/ferm-install/tasks/main.yml
+++ b/roles/ferm-install/tasks/main.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: packages
   ansible.builtin.apt:
     force_apt_get: true
@@ -25,6 +26,17 @@
   register: cmd
   changed_when: "'using /usr/sbin/iptables-legacy to provide /usr/sbin/iptables (iptables) in manual mode' in cmd.stdout"
 
+- name: directories
+  loop:
+    - /etc/ferm/ferm.d
+    - /etc/ferm/input.d
+    - /etc/ferm/output.d
+    - /etc/ferm/forward.d
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "755"
+
 - name: configuration
   notify: restart ferm
   ansible.builtin.template:
@@ -39,3 +51,5 @@
     enabled: true
     masked: false
     state: started
+
+...
diff --git a/roles/ferm-install/vars/main.yml b/roles/ferm-install/vars/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..effda6ad630df7bf939feb463a00995739cd7396
--- /dev/null
+++ b/roles/ferm-install/vars/main.yml
@@ -0,0 +1,4 @@
+---
+ferm_packages:
+  - ferm
+...
diff --git a/roles/haproxy/defaults/main.yml b/roles/haproxy/defaults/main.yml
deleted file mode 100644
index 0cc08fbe01e9a7ce220a191f20d9417f208ddd4b..0000000000000000000000000000000000000000
--- a/roles/haproxy/defaults/main.yml
+++ /dev/null
@@ -1,52 +0,0 @@
----
-hap_packages:
-  - haproxy
-  - rsyslog
-  - logrotate
-
-hap_config: /etc/haproxy/haproxy.cfg
-
-hap_config_global: |
-  log /dev/log    local0 warning
-  log /dev/log    local1 warning
-  chroot /var/lib/haproxy
-  stats socket /run/haproxy/admin.sock mode 664 level admin
-  stats timeout 30s
-  user haproxy
-  group haproxy
-  daemon
-
-hap_config_defaults: |
-  log global
-  mode tcp
-  balance leastconn
-  retries 2
-  timeout tunnel 30m
-  timeout client 30m
-  timeout connect 5s
-  timeout server 30m
-  timeout check 15s
-  option tcplog
-  option tcpka
-  option clitcpka
-  option srvtcpka
-
-hap_stats_enabled: false
-hap_config_stats: |
-  bind :9000
-  mode http
-  stats enable
-  stats uri /
-  stats auth admin:password
-
-hap_config_listen:
-  - name: pgsql-primary
-    content: |
-      bind :54321
-      default-server inter 2s fall 3 rise 2 on-marked-down shutdown-sessions
-      option tcp-check
-      tcp-check expect string primary
-      maxconn 500
-      server {{ groups['postgres'][0] }} {{ hostvars[groups['postgres'][0]]['ansible_default_ipv4']['address'] }}:5432 maxconn 500 check port 8543
-      server {{ groups['postgres'][1] }} {{ hostvars[groups['postgres'][1]]['ansible_default_ipv4']['address'] }}:5432 maxconn 500 check port 8543 backup
-# hap_config_listen: []
diff --git a/roles/haproxy/handlers/main.yml b/roles/haproxy/handlers/main.yml
index f7073fe4a8af1e38d27b46592a694f7fc38cac56..8c0e406861b2c586a396f64d18f3a4d00ca20f04 100644
--- a/roles/haproxy/handlers/main.yml
+++ b/roles/haproxy/handlers/main.yml
@@ -1,5 +1,8 @@
 ---
+
 - name: reload haproxy
   ansible.builtin.systemd:
     name: haproxy
     state: reloaded
+
+...
diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
index d39595fb0601c6d916b4f3307e28da17baed2dfb..571ae67790cf2e25c85057d023b4e4fc49e74f8f 100644
--- a/roles/haproxy/tasks/main.yml
+++ b/roles/haproxy/tasks/main.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: install packages
   ansible.builtin.apt:
     force_apt_get: true
@@ -17,3 +18,5 @@
     mode: "644"
 
 - ansible.builtin.meta: flush_handlers # noqa name[missing]
+
+...
diff --git a/roles/haproxy/templates/haproxy.cfg.j2 b/roles/haproxy/templates/haproxy.cfg.j2
index 3de0cc3e39030fc671bb8f2386cd092d05068669..854f36069092ac1499c6b913646ac1e58251979d 100644
--- a/roles/haproxy/templates/haproxy.cfg.j2
+++ b/roles/haproxy/templates/haproxy.cfg.j2
@@ -1,15 +1,34 @@
 global
-{{ hap_config_global }}
+  log /dev/log    local0 warning
+  log /dev/log    local1 warning
+  chroot /var/lib/haproxy
+  stats socket /run/haproxy/admin.sock mode 664 level admin
+  stats timeout 30s
+  user haproxy
+  group haproxy
+  daemon
 
 defaults
-{{ hap_config_defaults }}
-{% if hap_stats_enabled %}
+  log global
+  mode tcp
+  balance leastconn
+  retries 2
+  timeout tunnel 30m
+  timeout client 30m
+  timeout connect 5s
+  timeout server 30m
+  timeout check 15s
+  option tcplog
+  option tcpka
+  option clitcpka
+  option srvtcpka
 
-listen stats
-{{ hap_config_stats }}
-{% endif %}
-{% for listen in hap_config_listen %}
+listen pgsql-primary
+  bind 127.0.0.1:54321
+  default-server inter 2s fall 3 rise 2 on-marked-down shutdown-sessions
+  option tcp-check
+  tcp-check expect string primary
+  maxconn 500
+  server {{ groups['postgres'][0] }} {{ hostvars[groups['postgres'][0]]['ansible_default_ipv4']['address'] }}:5432 maxconn 500 check port 8543
+  server {{ groups['postgres'][1] }} {{ hostvars[groups['postgres'][1]]['ansible_default_ipv4']['address'] }}:5432 maxconn 500 check port 8543 backup
 
-listen {{ listen.name }}
-{{ listen.content }}
-{% endfor %}
diff --git a/roles/haproxy/vars/main.yml b/roles/haproxy/vars/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..7988cb1be98bd84357f86426a60be612d844a567
--- /dev/null
+++ b/roles/haproxy/vars/main.yml
@@ -0,0 +1,6 @@
+---
+hap_packages:
+  - haproxy
+  - rsyslog
+  - logrotate
+...
diff --git a/roles/init/tasks/main.yml b/roles/init/tasks/main.yml
index bf0cede5de41ff009a3e8acf55e6a48d010e206d..5f4c3895a3216e64cf00118d6d4f4be7d79480c3 100644
--- a/roles/init/tasks/main.yml
+++ b/roles/init/tasks/main.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: install initial packages
   ansible.builtin.apt:
     force_apt_get: true
@@ -13,3 +14,5 @@
   ansible.builtin.include_role:
     name: proxy
     allow_duplicates: true
+
+...
diff --git a/roles/init/defaults/main.yml b/roles/init/vars/main.yml
similarity index 94%
rename from roles/init/defaults/main.yml
rename to roles/init/vars/main.yml
index 51d63db7d93611705a3119fc5ca0ecf60cdc6859..d54a05b9f4b817197b57553c67d988e7096824bd 100644
--- a/roles/init/defaults/main.yml
+++ b/roles/init/vars/main.yml
@@ -4,3 +4,4 @@ init_packages:
   - gnupg
   - ssh-client
   - sudo
+...
diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml
index adf9796366aabc4493536c34aa28db5e5bd89b9f..344c36ec6552e835256ea26015bebcee9283b158 100644
--- a/roles/letsencrypt/defaults/main.yml
+++ b/roles/letsencrypt/defaults/main.yml
@@ -1,5 +1,7 @@
 ---
+
 letsencrypt_domains: []
-letsencrypt_webroot: /var/www/letsencrypt
-letsencrypt_email: sysadmin@ubicast.eu
-letsencrypt_testing: false
+letsencrypt_webroot: "/var/www/letsencrypt"
+letsencrypt_email: "admin@example.com"
+
+...
diff --git a/roles/letsencrypt/handlers/main.yml b/roles/letsencrypt/handlers/main.yml
index 06947324ccfdfd28f5795805cbd51f9526f16624..8a97cff137ee67aeb5dd79f2058fa75ba8a28f00 100644
--- a/roles/letsencrypt/handlers/main.yml
+++ b/roles/letsencrypt/handlers/main.yml
@@ -1,5 +1,8 @@
 ---
+
 - name: restart nginx
   ansible.builtin.service:
     name: nginx
     state: restarted
+
+...
diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml
index ca967104058314dfa2f6dfae6c6a970ad028d69c..711ebf43558323503a3a4a8afb2777a2492be882 100644
--- a/roles/letsencrypt/tasks/main.yml
+++ b/roles/letsencrypt/tasks/main.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: install certbot
   ansible.builtin.package:
     force_apt_get: true
@@ -101,7 +102,6 @@
   ansible.builtin.command:
     cmd: >
       certbot certonly
-        {% if letsencrypt_testing %}--staging{% endif %}
         -n --agree-tos -m {{ letsencrypt_email }}
         --webroot -w {{ letsencrypt_webroot }}
         --expand
@@ -129,3 +129,5 @@
     path: /etc/nginx/conf.d/ssl_certificate.conf
     regexp: 'ssl_certificate_key\s+([\w/\-\_\.]+);'
     line: ssl_certificate_key /etc/letsencrypt/live/{{ letsencrypt_domains[0] }}/privkey.pem;
+
+...
diff --git a/roles/live/README.md b/roles/live/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..6e384b6cfec904732a0eb6b814e4fb20e526adc3
--- /dev/null
+++ b/roles/live/README.md
@@ -0,0 +1,24 @@
+# Live
+
+The live group is used to configure all hosts that will process lives streams.  
+ * In a standard Ubicast case, the host is the same as the mediaserver.
+ * In a HA Ubicast case, the live is usually a cluster of two dedicated servers behind a loadbalancer VIP setup in active/backup.
+
+## Role Variables
+
+Available variables are listed below, along with the descriptions and the default values.
+
+`live_ha`: Define if the deployment is an HA architecture (i.e. live domain is not handle by nudgis frontend server)
+```
+live_ha: False
+```
+
+`live_domain`: Domain name of the live cluster (only if distinct live server(s) from MediaServer and live_ha variable is set to True) (Optional)
+```
+live_domain: "live.example.com"
+```
+
+`live_tmpfs_size`: Size of the tmpfs storing the live chunks (unit g or m and only if distinct live server(s) from MediaServer) (Optional)
+```
+live_tmpfs_size: "2048m"
+```
diff --git a/roles/live/defaults/main.yml b/roles/live/defaults/main.yml
index 4fddcbaa4f120d39580f42e80867d81fcc82b4e1..4ba88a44293618714d3f82599ddf935adfd06019 100644
--- a/roles/live/defaults/main.yml
+++ b/roles/live/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-debian_packages:
-  - ubicast-live
-
-role_tmpfs_size: "{{ tmpfs_size | d('2048m') }}"
+live_ha: false
+live_domain: "live.example.com"
+live_tmpfs_size: "2048m"
+...
diff --git a/roles/live/handlers/main.yml b/roles/live/handlers/main.yml
index abb7b115ab9c7d835c04a6320b219dd71fe3f789..b0abf18b3894fe1af147e0ca063f8e9e9a913d58 100644
--- a/roles/live/handlers/main.yml
+++ b/roles/live/handlers/main.yml
@@ -1,5 +1,8 @@
 ---
+
 - name: restart nginx
   ansible.builtin.systemd:
     name: nginx
     state: restarted
+
+...
diff --git a/roles/live/tasks/main.yml b/roles/live/tasks/main.yml
index 743d5e92560a21717d8521870f1e5d6af7a7e002..d728577b9c8a9bc959790576e12a7a029136f743 100644
--- a/roles/live/tasks/main.yml
+++ b/roles/live/tasks/main.yml
@@ -1,9 +1,10 @@
 ---
+
 - name: Live packages installation
   ansible.builtin.apt:
     force_apt_get: true
     install_recommends: false
-    name: "{{ debian_packages }}"
+    name: "{{ live_packages }}"
     state: present
   register: apt_status
   retries: 60
@@ -11,11 +12,11 @@
 
 - name: TMPFS creation to store the live chunks
   notify: restart nginx
-  mount:
+  ansible.posix.mount:
     path: /var/tmp/nginx-rtmp
     src: tmpfs
     fstype: tmpfs
-    opts: defaults,size={{ role_tmpfs_size }}
+    opts: defaults,size={{ live_tmpfs_size }}
     state: mounted
 
 - name: Changing the rights on the TMPFS directory
@@ -25,3 +26,5 @@
     owner: nginx
     group: root
     mode: "0700"
+
+...
diff --git a/roles/live/vars/main.yml b/roles/live/vars/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..41515077c14e885868917a171649e36ff2813d0f
--- /dev/null
+++ b/roles/live/vars/main.yml
@@ -0,0 +1,4 @@
+---
+live_packages:
+  - ubicast-live
+...
diff --git a/roles/lxc/defaults/main.yml b/roles/lxc/defaults/main.yml
index d77c199eba13ee6a2f30f0ad26fabb6ffbccf654..4c7f5fdb72e2ee4fb9ead5c54e022411f9f8360e 100644
--- a/roles/lxc/defaults/main.yml
+++ b/roles/lxc/defaults/main.yml
@@ -1,5 +1,8 @@
 ---
+
 # lxc_network_type possible value:
 #  - masquerade_bridge => independent private bridge
 #  - host_bridge => host shared network bridge
 lxc_network_type: masquerade_bridge
+
+...
diff --git a/roles/lxc/handlers/main.yml b/roles/lxc/handlers/main.yml
index f5bddc8da042bca2d144ef8e30bd6f917d5e7eee..a237a6dbb4186d659b0a05546ba1bc5201a077ef 100644
--- a/roles/lxc/handlers/main.yml
+++ b/roles/lxc/handlers/main.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: restart lxc
   ansible.builtin.systemd:
     name: lxc
@@ -10,3 +11,5 @@
   ansible.builtin.systemd:
     name: lxc-net
     state: restarted
+
+...
diff --git a/roles/mediacache/README.md b/roles/mediacache/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..fcdb86a94e8959492ca5fb26c605466dffea5edb
--- /dev/null
+++ b/roles/mediacache/README.md
@@ -0,0 +1,42 @@
+# Mediacache
+
+The cache group is used to configure all hosts that will server as a proxy cache of live and/or vod.
+
+## Role Variables
+
+Available variables are listed below, along with the descriptions and the default values.
+
+`cache_domain`: URL of the Nudgis Cache vhost (Optional)
+```
+cache_domain: "cache.example.com"
+```
+
+`nudgis_front_domain`: URL of Nudgis Front cluster (Optional)
+```
+nudgis_front_domain: "nudgis.example.com"
+```
+
+`live_domain`: URL of the Nudgis Live cluster (Optional)
+```
+live_domain: "live.example.com"
+```
+
+`cache_vod_folder`: Path of the folder to cache the VOD service data (Optional)
+```
+cache_vod_folder: "/var/cache/nginx/mediacache-vod"
+```
+
+`cache_vod_size`: Max size allowed for the VOD service data (Optional)
+```
+cache_vod_size: "1"
+```
+
+`cache_live_folder`: Path of the folder to cache the Live service data (Optional)
+```
+cache_live_folder: "/var/cache/nginx/mediacache-live"
+```
+
+`cache_live_size`: Max size allowed for the Live service data (Optional)
+```
+cache_live_size: "1"
+```
diff --git a/roles/mediacache/defaults/main.yml b/roles/mediacache/defaults/main.yml
index f4e4fa060158a0cffc5dda8b9b6d98beac055b07..09db9281787571d5cadb9e91b7f4ea926773bd60 100644
--- a/roles/mediacache/defaults/main.yml
+++ b/roles/mediacache/defaults/main.yml
@@ -1,10 +1,15 @@
 ---
+cache_domain: "cache.example.com"
+nudgis_front_domain: "nudgis.example.com"
+live_domain: "nudgis.example.com"
+
 # MediaCache data folder - for VOD
-role_mc_vod_folder: "{{ mediacache_vod_folder | d('/var/cache/nginx/mediacache-vod') }}"
+cache_vod_folder: "/var/cache/nginx/mediacache-vod"
 # MediaCache size in Gb - for VOD
-role_mc_vod_size: "{{ mediacache_vod_size }}"
+cache_vod_size: "1"
 
 # MediaCache data folder - for live
-role_mc_live_folder: "{{ mediacache_live_folder | d('/var/cache/nginx/mediacache-live') }}"
+cache_live_folder: "/var/cache/nginx/mediacache-live"
 # MediaCache size in Gb - for live
-role_mc_live_size: "{{ mediacache_live_size | d('1') }}"
+cache_live_size: "1"
+...
diff --git a/roles/mediacache/handlers/main.yml b/roles/mediacache/handlers/main.yml
index abb7b115ab9c7d835c04a6320b219dd71fe3f789..b0abf18b3894fe1af147e0ca063f8e9e9a913d58 100644
--- a/roles/mediacache/handlers/main.yml
+++ b/roles/mediacache/handlers/main.yml
@@ -1,5 +1,8 @@
 ---
+
 - name: restart nginx
   ansible.builtin.systemd:
     name: nginx
     state: restarted
+
+...
diff --git a/roles/mediacache/meta/main.yml b/roles/mediacache/meta/main.yml
index dffb451ec1574450eec462a7f3d53003c2137d22..9c7711bb55dd2f0f0059aad32d2ac8d0f2050997 100644
--- a/roles/mediacache/meta/main.yml
+++ b/roles/mediacache/meta/main.yml
@@ -1,4 +1,7 @@
 ---
+
 dependencies:
   - role: base
   - role: nginx
+
+...
diff --git a/roles/mediacache/tasks/main.yml b/roles/mediacache/tasks/main.yml
index 0517815229945a1ab043efc0134cab72aa9effb4..be59be56b9495d4d1b2177b864ef764906406ae1 100644
--- a/roles/mediacache/tasks/main.yml
+++ b/roles/mediacache/tasks/main.yml
@@ -1,9 +1,10 @@
 ---
+
 - name: MediaCache packages installation
   ansible.builtin.apt:
     force_apt_get: true
     install_recommends: false
-    name: "{{ debian_packages }}"
+    name: "{{ cache_packages }}"
     state: present
   register: apt_status
   retries: 60
@@ -12,12 +13,12 @@
 - name: resolve domain name to localhost
   ansible.builtin.lineinfile:
     path: /etc/hosts
-    line: 127.0.1.1 {{ mediacache_url }}
+    line: 127.0.1.1 {{ cache_domain }}
     backup: true
 
 - name: create mediacache VOD data directory
   ansible.builtin.file:
-    dest: "{{ role_mc_vod_folder }}"
+    dest: "{{ cache_vod_folder }}"
     state: directory
     owner: nginx
     group: root
@@ -25,58 +26,60 @@
 
 - name: create mediacache live data directory
   ansible.builtin.file:
-    dest: "{{ role_mc_live_folder }}"
+    dest: "{{ cache_live_folder }}"
     state: directory
     owner: nginx
     group: root
     mode: "0700"
-  when: live_url is defined
+  when: live_domain is defined
 
 - name: fill the vhost file
   notify: restart nginx
   ansible.builtin.replace:
     path: /etc/nginx/sites-available/mediacache.conf
     regexp: ^(\s+server_name)\s+.*(;)$
-    replace: \1 {{ mediacache_url }}\2
+    replace: \1 {{ cache_domain }}\2
 
 - name: fill the mediacache zones file - VOD folder
   notify: restart nginx
   ansible.builtin.replace:
     path: /etc/mediacache/nginx-zones.conf
     regexp: /var/cache/nginx/mediacache-vod
-    replace: "{{ role_mc_vod_folder }}"
+    replace: "{{ cache_vod_folder }}"
 
 - name: fill the mediacache zones file - Live folder
   notify: restart nginx
   ansible.builtin.replace:
     path: /etc/mediacache/nginx-zones.conf
     regexp: /var/cache/nginx/mediacache-live
-    replace: "{{ role_mc_live_folder }}"
+    replace: "{{ cache_live_folder }}"
 
 - name: fill the mediacache zones file - VOD folder size
   notify: restart nginx
   ansible.builtin.replace:
     path: /etc/mediacache/nginx-zones.conf
     regexp: (?P<key>keys_zone=mediacache-vod.*max_size=).*(?P<unit>g)
-    replace: \g<key>{{ role_mc_vod_size }}\g<unit>
+    replace: \g<key>{{ cache_vod_size }}\g<unit>
 
 - name: fill the mediacache zones file - Live folder size
   notify: restart nginx
   ansible.builtin.replace:
     path: /etc/mediacache/nginx-zones.conf
     regexp: (?P<key>keys_zone=mediacache-live.*max_size=).*(?P<unit>g)
-    replace: \g<key>{{ role_mc_live_size }}\g<unit>
+    replace: \g<key>{{ cache_live_size }}\g<unit>
 
 - name: fill the nginx VOD proxypass
   notify: restart nginx
   ansible.builtin.replace:
     path: /etc/mediacache/nginx-proxy-mediaserver.conf
     regexp: ^(proxy_pass)\s+.*(;)$
-    replace: \1 https://{{ ms_url }}\2
+    replace: \1 https://{{ nudgis_front_domain }}\2
 
 - name: fill the nginx Live proxypass
   notify: restart nginx
   ansible.builtin.replace:
     path: /etc/mediacache/nginx-proxy-live.conf
     regexp: ^(proxy_pass)\s+.*(;)$
-    replace: \1 https://{{ live_url }}\2
+    replace: \1 https://{{ live_domain }}\2
+
+...
diff --git a/roles/mediacache/vars/main.yml b/roles/mediacache/vars/main.yml
index 80fb5049e456f3164423ffc851ce96a715373932..562ef99014cd9db47bc72ec16ed7a6d9028f57cc 100644
--- a/roles/mediacache/vars/main.yml
+++ b/roles/mediacache/vars/main.yml
@@ -1,3 +1,6 @@
 ---
-debian_packages:
+
+cache_packages:
   - ubicast-mediacache
+
+...
diff --git a/roles/mediaimport/defaults/main.yml b/roles/mediaimport/defaults/main.yml
deleted file mode 100644
index f6bbd6624ad18fd97516ef97e14fede94f31a318..0000000000000000000000000000000000000000
--- a/roles/mediaimport/defaults/main.yml
+++ /dev/null
@@ -1,26 +0,0 @@
----
-mediaimport_users:
-  - name: "{{ envsetup_mediaimport_user | d() }}"
-    passwd: "{{ envsetup_mediaimport_password | d() }}"
-
-mediaimport_packages:
-  - ssl-cert # for optionnal FTPS support (the mediaimport postinst will will use the snakeoil certificate for pure-ftpd)
-  - ubicast-mediaimport
-
-mediaimport_ms_api_key: "{{ envsetup_ms_api_key | d() }}"
-mediaimport_ms_server_name: "{{ envsetup_ms_server_name | d() }}"
-
-mediaimport_fail2ban_enabled: "{{ envsetup_fail2ban_enabled | d(true) }}"
-
-mediaimport_firewall_enabled: true
-mediaimport_ferm_rules_filename: import
-mediaimport_ferm_input_rules:
-  - proto:
-      - tcp
-    dport:
-      - 21
-      - 22
-  - mod: helper
-    helper: ftp
-mediaimport_ferm_output_rules: []
-mediaimport_ferm_global_settings:
diff --git a/roles/mediaimport/handlers/main.yml b/roles/mediaimport/handlers/main.yml
index 3da4ab3289c646dd1aa2f778239882d0915d9cac..60e664ba04be31637362603611e5959415a35aff 100644
--- a/roles/mediaimport/handlers/main.yml
+++ b/roles/mediaimport/handlers/main.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: reload systemd
   ansible.builtin.systemd:
     daemon_reload: true
@@ -27,3 +28,5 @@
   ansible.builtin.systemd:
     name: fail2ban
     state: restarted
+
+...
diff --git a/roles/mediaimport/meta/main.yml b/roles/mediaimport/meta/main.yml
index 471eb65e53129fb19aa41af0c049719b93c0ef91..e45d692ae3567f856967cd6f66c91d13e2e94e4e 100644
--- a/roles/mediaimport/meta/main.yml
+++ b/roles/mediaimport/meta/main.yml
@@ -1,3 +1,6 @@
 ---
+
 dependencies:
   - role: base
+
+...
diff --git a/roles/mediaimport/tasks/main.yml b/roles/mediaimport/tasks/main.yml
index 8906c5ad5357505158970a052f5f386b6766b7dc..0d8bf8a2bc303bc416ba25fee05ca54c6c76e25f 100644
--- a/roles/mediaimport/tasks/main.yml
+++ b/roles/mediaimport/tasks/main.yml
@@ -1,9 +1,10 @@
 ---
+
 - name: install packages
   ansible.builtin.package:
     force_apt_get: true
     install_recommends: false
-    name: "{{ mediaimport_packages }}"
+    name: "{{ import_packages }}"
 
 ## MEDIAIMPORT
 
@@ -14,10 +15,11 @@
     regexp: ^PasswordAuthentication no
     replace: "#PasswordAuthentication yes"
 
-- name: enable mediaimport service
+# mediaimport service failed without any account configured
+- name: disable mediaimport service
   ansible.builtin.systemd:
     name: mediaimport
-    enabled: true
+    enabled: false
 
 - name: enable mediaimport-cleanup timer
   ansible.builtin.systemd:
@@ -26,7 +28,7 @@
 
 - name: configure mediaimport admin emails
   when:
-    - envsetup_email_admins | d(false)
+    - import_email_to | d(false)
   notify: restart mediaimport
   ansible.builtin.template:
     src: mediaimport.json.j2
@@ -36,12 +38,22 @@
 
 # FAIL2BAN
 
-- name: deploy fail2ban jail
+- name: deploy fail2ban pure-ftpd jail
   notify: restart fail2ban
-  ansible.builtin.template:
-    src: fail2ban_ftpd.conf.j2
+  ansible.builtin.copy:
     dest: /etc/fail2ban/jail.d/pure-ftpd.conf
     mode: "0644"
+    content: |
+      [pure-ftpd]
+      enabled = true
+
+- name: configure pure-ftpd jail backend
+  notify: restart fail2ban
+  ansible.builtin.lineinfile:
+    path: /etc/fail2ban/paths-overrides.local
+    regexp: '^pureftpd_backend'
+    insertafter: '[DEFAULT]'
+    line: 'pureftpd_backend = systemd'
 
 - name: flush handlers
   ansible.builtin.meta: flush_handlers
@@ -49,14 +61,15 @@
 # FIREWALL
 
 - name: firewall
-  when: mediaimport_firewall_enabled
   vars:
-    ferm_rules_filename: "{{ mediaimport_ferm_rules_filename }}"
-    ferm_input_rules: "{{ mediaimport_ferm_input_rules }}"
-    ferm_output_rules: "{{ mediaimport_ferm_output_rules }}"
-    ferm_global_settings: "{{ mediaimport_ferm_global_settings }}"
+    ferm_rules_filename: "{{ import_ferm_rules_filename }}"
+    ferm_input_rules: "{{ import_ferm_input_rules }}"
+    ferm_output_rules: "{{ import_ferm_output_rules }}"
+    ferm_global_settings: "{{ import_ferm_global_settings }}"
   ansible.builtin.include_role:
     name: ferm-configure
 
 - name: flush handlers
   ansible.builtin.meta: flush_handlers
+
+...
diff --git a/roles/mediaimport/templates/fail2ban_ftpd.conf.j2 b/roles/mediaimport/templates/fail2ban_ftpd.conf.j2
deleted file mode 100644
index e8f463cc2eaa8462e626536cf1a298a6239b0b83..0000000000000000000000000000000000000000
--- a/roles/mediaimport/templates/fail2ban_ftpd.conf.j2
+++ /dev/null
@@ -1,2 +0,0 @@
-[pure-ftpd]
-enabled = {% if mediaimport_fail2ban_enabled | bool %}true{% else %}false{% endif %}
diff --git a/roles/mediaimport/templates/mediaimport.json.j2 b/roles/mediaimport/templates/mediaimport.json.j2
index 904e1d4c68b3a64566f91190b9ed7e75595666a2..b15798e8efeb91be500edfaf05bb6aa59273cfb9 100644
--- a/roles/mediaimport/templates/mediaimport.json.j2
+++ b/roles/mediaimport/templates/mediaimport.json.j2
@@ -1,4 +1,4 @@
 {
-  "email_to": "{{ envsetup_email_admins }}"
+  "email_to": "{{ import_email_to }}"
 }
 
diff --git a/roles/mediaimport/vars/main.yml b/roles/mediaimport/vars/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d70537994597a3db8c7c1bee8e99baeb36459e37
--- /dev/null
+++ b/roles/mediaimport/vars/main.yml
@@ -0,0 +1,17 @@
+---
+import_packages:
+  - ssl-cert # for optionnal FTPS support (the mediaimport postinst will will use the snakeoil certificate for pure-ftpd)
+  - ubicast-mediaimport
+
+import_ferm_rules_filename: import
+import_ferm_input_rules:
+  - proto:
+      - tcp
+    dport:
+      - 21
+      - 22
+  - mod: helper
+    helper: ftp
+import_ferm_output_rules: []
+import_ferm_global_settings:
+...
diff --git a/roles/mediaserver/README.md b/roles/mediaserver/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..88240290a4f835ce98e6e8178c1b026f7c6f1479
--- /dev/null
+++ b/roles/mediaserver/README.md
@@ -0,0 +1,74 @@
+# Mediaserver
+
+The mediaserver group is used to configure all hosts with the UbiCast platform to handle and to broadcast media.  
+ * In a standard Ubicast case, the host is the same as other component (mirismanager, etc.)
+ * In a HA Ubicast case, the mediaserver is usually a cluster of two (or more) dedicated servers behind a loadbalancer VIP setup in active/active
+
+## Role Variables
+
+Available variables are listed below, along with the descriptions and the default values.
+
+`nudgis_front_email_from`: Defines the address for the Nudgis Front emails sender (Optional)
+```
+nudgis_front_email_from: "noreply@{{ nudgis_front_domain }}"
+```
+
+`nudgis_front_system_user`: Defines the default deployed Nudgis portal short name (and linked unix user) (Optional)
+```
+nudgis_front_system_user: "msuser"
+```
+
+`nudgis_front_domain`: Defines the default deployed Nudgis portal domain (will be the URL of the portal when adding the HTTP(S) prefix) (Optional)
+```
+nudgis_front_domain: "nudgis.example.com"
+```
+
+`manager_domain`: Defines the default deployed Nudgis portal linked mirismanager domain (correspond to the URL of the mirismanager portal when adding the HTTP(S) prefix) (Optional)
+```
+manager_domain: "manager.example.com"
+```
+
+`nudgis_front_api_key`: Defines the default deployed Nudgis portal master API key (Optional)
+```
+nudgis_front_api_key: "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"
+```
+
+`nudgis_front_user_ubicast_password`: Defines the default deployed Nudgis portal "ubicast" user password (Optional)
+```
+nudgis_front_user_ubicast_password: "changeit"
+```
+
+`nudgis_front_user_admin_password`: Defines the default deployed Nudgis portal "admin" user password (Optional)
+```
+nudgis_front_user_admin_password: "changeit"
+```
+
+`celerity_server_domain`: IPv4 address used to join the celerity server (Optional)
+```
+celerity_server_domain: "celerity.example.com"
+```
+
+`celerity_signing_key`: Key used to encrypt communications to and from celerity server (Optional)
+```
+celerity_signing_key: "changeit"
+```
+
+`nudgis_front_database_domain`: Domain to reach PostgreSQL database
+```
+nudgis_front_database_domain: "database.nudgis.example.com"
+```
+
+`nudgis_front_database_port`: Port to reach PostgreSQL database
+```
+nudgis_front_database_port: "5432"
+```
+
+`nudgis_front_database_password`: Port to connect to PostgreSQL database with superuser rights
+```
+nudgis_front_database_password: "changeit"
+```
+
+`ndugis_front_instances_dir`: Directory to store nudgis portal (Optional)
+```
+ndugis_front_instances_dir: "/data"
+```
diff --git a/roles/mediaserver/defaults/main.yml b/roles/mediaserver/defaults/main.yml
index 75ba0b051e1313dedc1d700db93cf2848284b4ef..2aaad700ab18093809e3342b24ed4dc13a81c0dc 100644
--- a/roles/mediaserver/defaults/main.yml
+++ b/roles/mediaserver/defaults/main.yml
@@ -1,45 +1,20 @@
 ---
-server_packages:
-  - postgresql-client
-  - cron
-  - memcached
-  - nginx
-  - postfix
-  - ubicast-mediaserver
-  - rsync  # used for HA only (copy of instance data)
 
-server_default_email_sender: noreply@{{ server_hostname }}
-server_email_sender: "{{ envsetup_email_sender | default(server_default_email_sender, true) }}"
+nudgis_front_domain: "nudgis.example.com"
+nudgis_front_email_from: "noreply@{{ nudgis_front_domain }}"
+nudgis_front_system_user: "msuser"
+manager_domain: "manager.example.com"
+nudgis_front_api_key: "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"
+nudgis_front_user_ubicast_password: "changeit"
+nudgis_front_user_admin_password: "changeit"
 
-server_id: "{{ envsetup_ms_id | d() }}"
-server_instance_name: "{{ server_id.split('_')[-1] }}"
-server_hostname: "{{ envsetup_ms_server_name | d('mediaserver', true) }}"
-server_campusmanager: "{{ envsetup_cm_server_name | d() }}"
-server_api_key: "{{ envsetup_ms_api_key | d() }}"
-server_superuser_passwd: "{{ envsetup_ms_superuser_pwd | d() }}"
-server_admin_passwd: "{{ envsetup_ms_admin_pwd | d() }}"
-server_instances:
-  - name: "{{ server_instance_name }}"
-    ms_server_name: "{{ server_hostname }}"
-    ms_id: "{{ server_id }}"
-    ms_api_key: "{{ server_api_key }}"
-    cm_server_name: "{{ server_campusmanager }}"
-    ms_superuser_pwd: "{{ server_superuser_passwd }}"
-    ms_admin_pwd: "{{ server_admin_passwd }}"
+nudgis_front_database_domain: "database.nudgis.example.com"
+nudgis_front_database_port: "5432"
+nudgis_front_database_password: "changeit"
+nudgis_front_instances_dir: "/data"
 
-server_celerity_server_url: "{{ envsetup_celerity_server | d(hostvars[groups['celerity'][0]]['ansible_default_ipv4']['address']) }}"
-server_celerity_signing_key: "{{ envsetup_celerity_signing_key | d('change-me', true) }}"
+celerity_signing_key: "changeit"
+celerity_server_domain: "celerity.example.com"
 
-server_live_host: "{{ envsetup_live_host | d() }}"
-
-server_firewall_enabled: true
-server_ferm_rules_filename: server
-server_ferm_input_rules:
-  - proto:
-      - tcp
-    dport:
-      - 80
-      - 443
-server_ferm_output_rules: []
-server_ferm_global_settings:
 real_ip_from: "" # default for OVH LB is 10.108.0.0/14
+...
diff --git a/roles/mediaserver/files/install.example.ini b/roles/mediaserver/files/install.example.ini
new file mode 100644
index 0000000000000000000000000000000000000000..6c59a780f014161269ff3a621786600864c40d7f
--- /dev/null
+++ b/roles/mediaserver/files/install.example.ini
@@ -0,0 +1,28 @@
+# Configuration file for installation and post installation scripts.
+# IMPORTANT:
+# This file must be readable ONLY by root to avoid revealing passwords.
+
+[conf]
+# Database host.
+# Can be a hostname or an IP.
+# DB_HOST = 127.0.0.1
+
+# Database port.
+# DB_PORT = 5432
+
+# Database superuser account name.
+# This account is used during deployments and upgrades.
+# DB_ROOT_USER =
+
+# Database superuser account password.
+# This account is used during deployments and upgrades.
+# DB_ROOT_PWD =
+
+# Directories pattern for new instance creation.
+# Can contain a glob part, for example: `/data/nas*`.
+# DATA_NEW_DIRS = /data
+
+# Directories pattern for existing instances.
+# Can contain a glob part, for example: `/data/nas*`.
+# DATA_DIRS = /data
+
diff --git a/roles/mediaserver/handlers/main.yml b/roles/mediaserver/handlers/main.yml
index b7d5c45abb4fd6fe6bcfd252d1ca3148823720d4..44f108bc42bbb22e1f458cca3c5de48787198a3a 100644
--- a/roles/mediaserver/handlers/main.yml
+++ b/roles/mediaserver/handlers/main.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: restart nginx
   ansible.builtin.systemd:
     name: nginx
@@ -13,3 +14,5 @@
   ansible.builtin.systemd:
     name: systemd-sysusers
     state: restarted
+
+...
diff --git a/roles/mediaserver/meta/main.yml b/roles/mediaserver/meta/main.yml
index 4d40ad38c5820de6e0de9766693fa0cd21f0a1fe..7df51c65adafd6de167990df31675e097b5c4dc2 100644
--- a/roles/mediaserver/meta/main.yml
+++ b/roles/mediaserver/meta/main.yml
@@ -1,6 +1,9 @@
 ---
+
 dependencies:
   - role: base
   - role: nginx
   - when: groups['postgres'] | length > 1
     role: haproxy
+
+...
diff --git a/roles/mediaserver/tasks/main.yml b/roles/mediaserver/tasks/main.yml
index f68cd3da69d514caf22006474b0ffc9cdd5457c8..b0e61570faebffb38c86a69fe5056f815dfc35ef 100644
--- a/roles/mediaserver/tasks/main.yml
+++ b/roles/mediaserver/tasks/main.yml
@@ -1,9 +1,35 @@
 ---
+
+- name: ensure /etc/mediaserver directory exist
+  ansible.builtin.file:
+    path: /etc/mediaserver
+    state: directory
+    mode: "755"  # use mediaserver package post-install rights...
+- name: copy mediaserver install.ini file from sample
+  ansible.builtin.copy:
+    src: install.example.ini
+    dest: /etc/mediaserver/install.ini
+    force: false
+    mode: "640"  # use mediaserver package post-install rights...
+
+- name: prepare mediaserver variables in install.ini file
+  ansible.builtin.replace:
+    path: /etc/mediaserver/install.ini
+    regexp: '^(\s*)#?\s*{{ item.name }}\s*=.*$'
+    replace: '\1{{ item.name }} = {{ item.value }}'
+  loop:
+    - { name: 'DB_HOST',       value: '{{ nudgis_front_database_domain }}' }   # noqa: yaml[commas]
+    - { name: 'DB_PORT',       value: '{{ nudgis_front_database_port }}' }     # noqa: yaml[commas]
+    - { name: 'DB_ROOT_PWD',   value: '{{ nudgis_front_database_password }}' } # noqa: yaml[commas]
+    - { name: 'DATA_NEW_DIRS', value: '{{ nudgis_front_instances_dir }}' }     # noqa: yaml[commas]
+    - { name: 'DATA_DIRS',     value: '{{ nudgis_front_instances_dir }}' }     # noqa: yaml[commas]
+  when: item.value != "" and item.value != '""'
+
 - name: mediaserver install
   ansible.builtin.apt:
     force_apt_get: true
     install_recommends: false
-    name: "{{ server_packages }}"
+    name: "{{ nudgis_front_packages }}"
   register: apt_status
   retries: 60
   until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
@@ -30,7 +56,7 @@
   ansible.builtin.lineinfile:
     path: /etc/mediaserver/msconf.py
     regexp: "^CELERITY_SERVER_URL = "
-    line: CELERITY_SERVER_URL = 'https://{{ server_celerity_server_url }}:6200'
+    line: CELERITY_SERVER_URL = 'https://{{ celerity_server_domain }}:6200'
     create: true
     owner: root
     group: root
@@ -42,7 +68,7 @@
   ansible.builtin.lineinfile:
     path: /etc/mediaserver/msconf.py
     regexp: "^CELERITY_SIGNING_KEY = "
-    line: CELERITY_SIGNING_KEY = '{{ server_celerity_signing_key }}'
+    line: CELERITY_SIGNING_KEY = '{{ celerity_signing_key }}'
     create: true
     owner: root
     group: root
@@ -50,20 +76,18 @@
     # The instances cannot be in a common group as of now => https://redmine.ubicast.net/issues/33046
     mode: "0644"
 
-- name: create instances
-  loop: "{{ server_instances }}"
+- name: create instance
   ansible.builtin.command:
     cmd: >
-      mscontroller.py add -u '{{ item.name }}' -t '{
-        "id": "{{ item.ms_id }}",
-        "domain": "{{ item.ms_server_name }}",
-        "api_key": "{{ item.ms_api_key }}",
-        "secret": "{{ envsetup_ms_secret | d("") }}",
-        "superuser_pwd": "{{ item.ms_superuser_pwd }}",
-        "admin_pwd": "{{ item.ms_admin_pwd }}",
-        "skyreach_url": "{{ item.cm_server_name }}"
+      mscontroller.py add -u "{{ nudgis_front_system_user }}" -t '{
+        "id": "1_{{ nudgis_front_system_user }}",
+        "domain": "{{ nudgis_front_domain }}",
+        "api_key": "{{ nudgis_front_api_key }}",
+        "superuser_pwd": "{{ nudgis_front_user_ubicast_password }}",
+        "admin_pwd": "{{ nudgis_front_user_admin_password }}",
+        "skyreach_url": "{{ manager_domain }}"
       }'
-    creates: /etc/nginx/sites-available/mediaserver-{{ item.name }}.conf
+    creates: "/etc/nginx/sites-available/mediaserver-{{ nudgis_front_system_user }}.conf"
   throttle: 1
 
 - name: synchronize configuration between servers # noqa command-instead-of-module
@@ -127,45 +151,32 @@
     # The instances cannot be in a common group as of now => https://redmine.ubicast.net/issues/33046
     mode: "0644"
     regexp: ^#? ?DEFAULT_FROM_EMAIL.*
-    line: DEFAULT_FROM_EMAIL = '{{ server_email_sender }}'
+    line: DEFAULT_FROM_EMAIL = '{{ nudgis_front_email_from }}'
     validate: python3 -m py_compile %s
 
 - name: configure domain name in nginx conf
   notify: restart nginx
-  loop: "{{ server_instances }}"
   ansible.builtin.replace:
-    path: /etc/nginx/sites-available/mediaserver-{{ item.name }}.conf
+    path: /etc/nginx/sites-available/mediaserver-{{ nudgis_front_system_user }}.conf
     regexp: ^(\s*server_name).*;$
-    replace: \1 {{ item.ms_server_name }};
+    replace: \1 {{ nudgis_front_domain }};
     backup: true
 
 - name: configure domain name in database
-  loop: "{{ server_instances }}"
   ansible.builtin.shell:
     cmd: |
-      python3 /usr/lib/python3/dist-packages/mediaserver/scripts/mssiteconfig.py {{ item.name }} site_url=https://{{ item.ms_server_name }} ;
-      mscontroller.py restart -u {{ item.name }} ;
-      touch /etc/mediaserver/.{{ item.ms_server_name }}.mssiteconfig.log ;
-    creates: /etc/mediaserver/.{{ item.ms_server_name }}.mssiteconfig.log
+      python3 /usr/lib/python3/dist-packages/mediaserver/scripts/mssiteconfig.py {{ nudgis_front_system_user }} site_url=https://{{ nudgis_front_domain }} ;
+      mscontroller.py restart -u {{ nudgis_front_system_user }} ;
+      touch /etc/mediaserver/.{{ nudgis_front_domain }}.mssiteconfig.log ;
+    creates: /etc/mediaserver/.{{ nudgis_front_domain }}.mssiteconfig.log
 
 - name: reset service resources
-  loop: "{{ server_instances }}"
   ansible.builtin.shell:
     cmd: |
-      python3 /usr/lib/python3/dist-packages/mediaserver/scripts/reset_service_resources.py {{ item.name }} local ;
-      mscontroller.py restart -u {{ item.name }} ;
-      touch /etc/mediaserver/.{{ item.ms_server_name }}.reset_service_resources.log ;
-    creates: /etc/mediaserver/.{{ item.ms_server_name }}.reset_service_resources.log
-
-- name: add realip configuration for LoadBalancer in HA configuration
-  notify: restart nginx
-  when:
-    - groups['mediaserver'] | length > 1
-    - real_ip_from | length > 0
-  ansible.builtin.template:
-    src: realip.conf.j2
-    dest: /etc/nginx/conf.d/realip.conf
-    mode: "644"
+      python3 /usr/lib/python3/dist-packages/mediaserver/scripts/reset_service_resources.py {{ nudgis_front_system_user }} local ;
+      mscontroller.py restart -u {{ nudgis_front_system_user }} ;
+      touch /etc/mediaserver/.{{ nudgis_front_domain }}.reset_service_resources.log ;
+    creates: /etc/mediaserver/.{{ nudgis_front_domain }}.reset_service_resources.log
 
 - name: ensure mediaserver is running
   ansible.builtin.service:
@@ -176,14 +187,15 @@
 # FIREWALL
 
 - name: firewall
-  when: server_firewall_enabled
   vars:
-    ferm_rules_filename: "{{ server_ferm_rules_filename }}"
-    ferm_input_rules: "{{ server_ferm_input_rules }}"
-    ferm_output_rules: "{{ server_ferm_output_rules }}"
-    ferm_global_settings: "{{ server_ferm_global_settings }}"
+    ferm_rules_filename: "{{ nudgis_front_ferm_rules_filename }}"
+    ferm_input_rules: "{{ nudgis_front_ferm_input_rules }}"
+    ferm_output_rules: "{{ nudgis_front_ferm_output_rules }}"
+    ferm_global_settings: "{{ nudgis_front_ferm_output_global_settings }}"
   ansible.builtin.include_role:
     name: ferm-configure
 
 - name: flush handlers
   ansible.builtin.meta: flush_handlers
+
+...
diff --git a/roles/mediaserver/vars/main.yml b/roles/mediaserver/vars/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..751fe6f833945577ea60c52c3816f54ea4892291
--- /dev/null
+++ b/roles/mediaserver/vars/main.yml
@@ -0,0 +1,20 @@
+---
+nudgis_front_packages:
+  - postgresql-client
+  - cron
+  - memcached
+  - nginx
+  - postfix
+  - ubicast-mediaserver
+  - rsync  # used for HA only (copy of instance data)
+
+nudgis_front_ferm_rules_filename: server
+nudgis_front_ferm_input_rules:
+  - proto:
+      - tcp
+    dport:
+      - 80
+      - 443
+nudgis_front_ferm_output_rules: []
+nudgis_front_ferm_output_global_settings:
+...
diff --git a/roles/mediavault/README.md b/roles/mediavault/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..55ab96d34abd6febc347e610de4533222cbcd3c4
--- /dev/null
+++ b/roles/mediavault/README.md
@@ -0,0 +1,22 @@
+# Mediavault
+
+The mediaserver group is used to configure all hosts with the UbiCast backup solution 
+
+## Role Variables
+
+Available variables are listed below, along with the descriptions and the default values.
+
+`vault_email_enabled`: Boolean to activate the mail notifications (Optional)
+```
+vault_email_enabled: True
+```
+
+`vault_email_from`: From fields for email sending (as defined in RFC2822) (Optional)
+```
+vault_email_from: "{{ ansible_fqdn }} <backup@{{ ansible_fqdn }}>"
+```
+
+`vault_email_to`: Destination address for the Nudgis Vault emails (Optional)
+```
+vault_email_to: "noreply@example.com"
+```
diff --git a/roles/mediavault/defaults/main.yml b/roles/mediavault/defaults/main.yml
index 62505f147c614e47628d289de48fb85e6994daf5..50c0074cdf5b369d6bd03023c97b11a7dfd050b7 100644
--- a/roles/mediavault/defaults/main.yml
+++ b/roles/mediavault/defaults/main.yml
@@ -1,21 +1,5 @@
 ---
-mvt_packages:
-  - ubicast-mediavault
-
-mvt_mailer_enabled: true
-mvt_mailer_script_path: /usr/local/sbin/systemd-mailer
-mvt_mailer_from: "{{ ansible_fqdn }} <backup@{{ ansible_fqdn }}>"
-mvt_mailer_to: sysadmin+backup@ubicast.eu
-mvt_mailer_service_name: status-email-admin
-mvt_mailer_service_path: /etc/systemd/system/{{ mvt_mailer_service_name }}@.service
-
-# firewall rules
-mvt_firewall_enabled: true
-mvt_ferm_rules_filename: vault
-mvt_ferm_input_rules: []
-mvt_ferm_output_rules:
-  - proto:
-      - tcp
-    dport:
-      - 22
-mvt_ferm_global_settings:
+vault_email_enabled: true
+vault_email_from: "{{ ansible_fqdn }} <backup@{{ ansible_fqdn }}>"
+vault_email_to: "noreply@example.com"
+...
diff --git a/roles/mediavault/meta/main.yml b/roles/mediavault/meta/main.yml
index 471eb65e53129fb19aa41af0c049719b93c0ef91..e45d692ae3567f856967cd6f66c91d13e2e94e4e 100644
--- a/roles/mediavault/meta/main.yml
+++ b/roles/mediavault/meta/main.yml
@@ -1,3 +1,6 @@
 ---
+
 dependencies:
   - role: base
+
+...
diff --git a/roles/mediavault/tasks/mailer.yml b/roles/mediavault/tasks/mailer.yml
index 599733a7deb393b97511fd0a14a77acf34986294..ae90e1bbf39dbc4c7473cb2297ed90e49aa22c27 100644
--- a/roles/mediavault/tasks/mailer.yml
+++ b/roles/mediavault/tasks/mailer.yml
@@ -1,18 +1,19 @@
 ---
 
-- name: create mailer script
-  when: mvt_mailer_enabled
-  ansible.builtin.template:
-    src: systemd-mailer-script.j2
-    dest: "{{ mvt_mailer_script_path }}"
-    mode: "0755"
+- name: Configure mailer
+  when: vault_email_enabled
+  block:
+    - name: create mailer script
+      ansible.builtin.template:
+        src: systemd-mailer-script.j2
+        dest: "{{ vault_email_script_path }}"
+        mode: "0755"
 
-- name: create mailer service
-  when: mvt_mailer_enabled
-  notify: systemd daemon reload
-  ansible.builtin.template:
-    src: systemd-mailer-service.j2
-    dest: "{{ mvt_mailer_service_path }}"
-    mode: "0644"
+    - name: create mailer service
+      notify: systemd daemon reload
+      ansible.builtin.template:
+        src: systemd-mailer-service.j2
+        dest: "{{ vault_email_service_path }}"
+        mode: "0644"
 
 ...
diff --git a/roles/mediavault/tasks/main.yml b/roles/mediavault/tasks/main.yml
index 1c7a350c9fa845a5c1f35907e52d137443544a7f..b9a84731c4bfdd18457b4037321ce54c60c24a6e 100644
--- a/roles/mediavault/tasks/main.yml
+++ b/roles/mediavault/tasks/main.yml
@@ -1,9 +1,10 @@
 ---
+
 - name: install packages
   ansible.builtin.package:
     force_apt_get: true
     install_recommends: false
-    name: "{{ mvt_packages }}"
+    name: "{{ vault_packages }}"
     state: present
 
 - name: generate ssh keys pair
@@ -19,13 +20,14 @@
 
 # FIREWALL
 - name: firewall
-  when: mvt_firewall_enabled
   vars:
-    ferm_rules_filename: "{{ mvt_ferm_rules_filename }}"
-    ferm_input_rules: "{{ mvt_ferm_input_rules }}"
-    ferm_output_rules: "{{ mvt_ferm_output_rules }}"
-    ferm_global_settings: "{{ mvt_ferm_global_settings }}"
+    ferm_rules_filename: "{{ vault_ferm_rules_filename }}"
+    ferm_input_rules: "{{ vault_ferm_input_rules }}"
+    ferm_output_rules: "{{ vault_ferm_output_rules }}"
+    ferm_global_settings: "{{ vault_ferm_global_settings }}"
   ansible.builtin.include_role:
     name: ferm-configure
 
 - ansible.builtin.meta: flush_handlers # noqa name[missing]
+
+...
diff --git a/roles/mediavault/templates/systemd-mailer-script.j2 b/roles/mediavault/templates/systemd-mailer-script.j2
index 0067074b59587abca0c222c8b1e947ccf09127d1..4f25303c349f89b1f69766fbfefa7499ee556757 100644
--- a/roles/mediavault/templates/systemd-mailer-script.j2
+++ b/roles/mediavault/templates/systemd-mailer-script.j2
@@ -2,7 +2,7 @@
 
 sendmail -t <<ERRMAIL
 To: $1
-From: {{ mvt_mailer_from }}
+From: {{ vault_email_from }}
 Subject: ({{ ansible_fqdn }}) $2 status
 Content-Transfer-Encoding: 8bit
 Content-Type: text/plain; charset=UTF-8
diff --git a/roles/mediavault/templates/systemd-mailer-service.j2 b/roles/mediavault/templates/systemd-mailer-service.j2
index 209b1fe5628efbec3addb4ac85b8f3f0b01753e3..1acfce62d6aebb23031b909536a0fdf82849b6a4 100644
--- a/roles/mediavault/templates/systemd-mailer-service.j2
+++ b/roles/mediavault/templates/systemd-mailer-service.j2
@@ -1,8 +1,8 @@
 [Unit]
-Description=status email for %i to {{ mvt_mailer_to }}
+Description=status email for %i to {{ vault_email_to }}
 
 [Service]
 Type=oneshot
-ExecStart={{ mvt_mailer_script_path }} {{ mvt_mailer_to }} %i
+ExecStart={{ vault_email_script_path }} {{ vault_email_to }} %i
 User=nobody
 Group=systemd-journal
diff --git a/roles/mediavault/vars/main.yml b/roles/mediavault/vars/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..3850ef5105717c925bb3b89c88bb2041156bc676
--- /dev/null
+++ b/roles/mediavault/vars/main.yml
@@ -0,0 +1,17 @@
+---
+vault_packages:
+  - ubicast-mediavault
+
+vault_email_service_name: "status-email-admin"
+vault_email_service_path: "/etc/systemd/system/{{ vault_email_service_name }}@.service"
+vault_email_script_path: "/usr/local/sbin/systemd-mailer"
+
+vault_ferm_rules_filename: vault
+vault_ferm_input_rules: []
+vault_ferm_output_rules:
+  - proto:
+      - tcp
+    dport:
+      - 22
+vault_ferm_global_settings:
+...
diff --git a/roles/mediaworker/README.md b/roles/mediaworker/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..61a1826e297369eef4eebdc382e9498972487fa2
--- /dev/null
+++ b/roles/mediaworker/README.md
@@ -0,0 +1,34 @@
+# Mediaworker
+
+The mediaorker group is used to configure the hosts treat the transcoding tasks.  
+ * In a standard UbiCast case, the host is a dedicated server
+ * In a HA UbiCast case, it is usually a cluster of two (or more) dedicated servers
+
+## Role Variables
+
+Available variables are listed below, along with the descriptions and the default values.
+
+`nudgis_front_domain`: URL of the default Nudgis "msuser" portal used to populate the /etc/celerity/config.py file
+```
+nudgis_front_domain: "nudgis.example.com"
+```
+
+`nudgis_front_system_user`: Nudgis system username for the application portal, used as a JSON key in celerity config for nudgis API usage (see also nudgis_front_api_key) (Optional)
+```
+nudgis_front_system_user: "msuser"
+```
+
+`nudgis_front_api_key`: Nudgis API key, used to communicate with the nudgis portal
+```
+nudgis_front_api_key: "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"
+```
+
+`celerity_server_domain`: IP or domain on which the celerity server service can be joined
+```
+celerity_server_domain: "celerity.example.com"
+```
+
+`celerity_signing_key`: Secret key shared between celerity server and workers for communications (should be the same everywhere for communication)
+```
+celerity_signing_key: "changeit"
+```
diff --git a/roles/mediaworker/defaults/main.yml b/roles/mediaworker/defaults/main.yml
index 6dfb346b6ff0d1ebcc8ce97aa2ad16c31489180e..27e5f6f691c48ed410ade32ab9f55839644ed594 100644
--- a/roles/mediaworker/defaults/main.yml
+++ b/roles/mediaworker/defaults/main.yml
@@ -1,26 +1,8 @@
 ---
-worker_celerity_signing_key: "{{ envsetup_celerity_signing_key | d('change-me', true) }}"
-worker_celerity_server: "{{ envsetup_celerity_server | d(envsetup_ms_server_name, true) | d('127.0.0.1', true) }}"
+celerity_signing_key: "changeit"
+celerity_server_domain: "celerity.example.com"
 
-worker_ms_id: "{{ envsetup_ms_id | d() }}"
-worker_ms_api_key: "{{ envsetup_ms_api_key | d() }}"
-worker_ms_hostname: "{{ envsetup_ms_server_name | d() }}"
-worker_ms_instances:
-  - ms_id: "{{ worker_ms_id }}"
-    ms_api_key: "{{ worker_ms_api_key }}"
-    ms_server_name: "{{ worker_ms_hostname }}"
-
-worker_firewall_enabled: true
-worker_ferm_rules_filename: worker
-worker_ferm_input_rules: []
-worker_ferm_output_rules:
-  - proto:
-      - tcp
-    dport:
-      - 80
-      - 443
-  - proto:
-      - tcp
-    dport:
-      - 6200
-worker_ferm_global_settings:
+nudgis_front_domain: "nudgis.example.com"
+nudgis_front_api_key: "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"
+nudgis_front_system_user: "msuser"
+...
diff --git a/roles/mediaworker/handlers/main.yml b/roles/mediaworker/handlers/main.yml
index 3e54611b77aaf83afac5e9990767cdd580125ebe..8b10bf7f7a1a79f73fe08402fe76727fcc32ce4e 100644
--- a/roles/mediaworker/handlers/main.yml
+++ b/roles/mediaworker/handlers/main.yml
@@ -1,5 +1,11 @@
 ---
+- name: restart celerity-server
+  ansible.builtin.service:
+    name: celerity-server
+    state: restarted
+
 - name: restart celerity-workers
   ansible.builtin.service:
     name: celerity-workers
     state: restarted
+...
diff --git a/roles/mediaworker/meta/main.yml b/roles/mediaworker/meta/main.yml
index 471eb65e53129fb19aa41af0c049719b93c0ef91..e45d692ae3567f856967cd6f66c91d13e2e94e4e 100644
--- a/roles/mediaworker/meta/main.yml
+++ b/roles/mediaworker/meta/main.yml
@@ -1,3 +1,6 @@
 ---
+
 dependencies:
   - role: base
+
+...
diff --git a/roles/mediaworker/tasks/celerity_base_config.yml b/roles/mediaworker/tasks/celerity_base_config.yml
new file mode 100644
index 0000000000000000000000000000000000000000..fde98bae52859161bb826e0b2dfaf1f77519a587
--- /dev/null
+++ b/roles/mediaworker/tasks/celerity_base_config.yml
@@ -0,0 +1,40 @@
+---
+
+- name: copy celerity example configuration
+  notify: "restart {{ _celerity_service }}"
+  ansible.builtin.copy:
+    remote_src: true
+    src: /etc/celerity/config.example.py
+    dest: /etc/celerity/config.py
+    mode: preserve
+    force: false
+
+- name: celerity base configuration
+  notify: "restart {{ _celerity_service }}"
+  ansible.builtin.replace:
+    path: /etc/celerity/config.py
+    regexp: '^(\s*)#?{{ item.name }}\s*=.*$'
+    replace: '\1{{ item.name }} = {{ item.value }}'
+  loop:
+    - { name: 'SERVER_URL',  value: '"https://{{ celerity_server_domain }}:6200"' } # noqa: yaml[commas]
+    - { name: 'SIGNING_KEY', value: '"{{ celerity_signing_key }}"' }
+  when: item.value != "" and item.value != '""'
+
+- name: celerity add nudgis portal
+  notify: "restart {{ _celerity_service }}"
+  ansible.builtin.command:
+    cmd: >
+      celerity-configurator add-portal
+        'ms_id=1_{{ nudgis_front_system_user }}'
+        'url=https://{{ nudgis_front_domain }}'
+        'api_key={{ nudgis_front_api_key }}'
+  register: celerity_add_portal
+  changed_when: celerity_add_portal.stdout != 'The configuration file is already up to date.'
+
+- name: "ensure {{ _celerity_service }} is running"
+  ansible.builtin.service:
+    name: "{{ _celerity_service }}"
+    enabled: true
+    state: started
+
+...
diff --git a/roles/mediaworker/tasks/main.yml b/roles/mediaworker/tasks/main.yml
index 059bc8c7d6a1f9303758ea07c1c0f1060512a21c..30dc1df8055862c88a3df152b5e85fab452f84b9 100644
--- a/roles/mediaworker/tasks/main.yml
+++ b/roles/mediaworker/tasks/main.yml
@@ -1,30 +1,22 @@
 ---
+
 - name: install celerity worker
   ansible.builtin.apt:
     force_apt_get: true
     install_recommends: false
-    name: ubicast-celerity-workers
+    name: "{{ worker_packages }}"
   register: apt_status
   retries: 60
   until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
 
-- name: config celerity worker
-  notify: restart celerity-workers
-  ansible.builtin.template:
-    src: celerity-config.py.j2
-    dest: /etc/celerity/config.py
-    mode: "644"
-
-- name: ensure celerity worker is running
-  ansible.builtin.service:
-    name: celerity-workers
-    enabled: true
-    state: started
+- name: configure celerity
+  ansible.builtin.include_tasks: celerity_base_config.yml
+  vars:
+    _celerity_service: "celerity-workers"
 
 # FIREWALL
 
 - name: firewall
-  when: worker_firewall_enabled
   vars:
     ferm_rules_filename: "{{ worker_ferm_rules_filename }}"
     ferm_input_rules: "{{ worker_ferm_input_rules }}"
@@ -35,3 +27,5 @@
 
 - name: flush handlers
   ansible.builtin.meta: flush_handlers
+
+...
diff --git a/roles/mediaworker/templates/celerity-config.py.j2 b/roles/mediaworker/templates/celerity-config.py.j2
deleted file mode 100644
index cf17f88ab380fb66932437a97ee467edd3073b41..0000000000000000000000000000000000000000
--- a/roles/mediaworker/templates/celerity-config.py.j2
+++ /dev/null
@@ -1,15 +0,0 @@
-#!/usr/bin/env python3
-# -*- coding: utf-8 -*-
-
-SIGNING_KEY = '{{ worker_celerity_signing_key }}'
-SERVER_URL = 'https://{{ worker_celerity_server }}:6200'
-
-# Queues count, default: min(round(thread_count/2)-1,2)
-#QUEUES_PER_WORKER = 2
-
-# MediaServer interactions
-MEDIASERVERS = {
-{% for instance in worker_ms_instances %}
-    '{{ instance.ms_id }}': {'url': 'https://{{ instance.ms_server_name }}', 'api_key': '{{ instance.ms_api_key }}'},
-{% endfor %}
-}
diff --git a/roles/mediaworker/vars/main.yml b/roles/mediaworker/vars/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..6f447e8ff91089f471ee9f68ad78460fe67807e5
--- /dev/null
+++ b/roles/mediaworker/vars/main.yml
@@ -0,0 +1,18 @@
+---
+worker_packages:
+  - ubicast-celerity-workers
+
+worker_ferm_rules_filename: worker
+worker_ferm_input_rules: []
+worker_ferm_output_rules:
+  - proto:
+      - tcp
+    dport:
+      - 80
+      - 443
+  - proto:
+      - tcp
+    dport:
+      - 6200
+worker_ferm_global_settings:
+...
diff --git a/roles/metricbeat/defaults/main.yml b/roles/metricbeat/defaults/main.yml
index 5d388213b6a2e5240688a53ba5ef0bf0d4e49a95..19a994aa71704788333f1d5380c65ca40038cdb4 100644
--- a/roles/metricbeat/defaults/main.yml
+++ b/roles/metricbeat/defaults/main.yml
@@ -1,4 +1,7 @@
 ---
+
 elastic_host: localhost
 elastic_port: 9200
 kibana_server_host: localhost
+
+...
diff --git a/roles/metricbeat/handlers/main.yml b/roles/metricbeat/handlers/main.yml
index 5236104415be8b4c7a18d28b310504c462eb9549..10bdcfddb8905a54cd0c8c65fda5b0639a517278 100644
--- a/roles/metricbeat/handlers/main.yml
+++ b/roles/metricbeat/handlers/main.yml
@@ -1,5 +1,8 @@
 ---
+
 - name: restart metricbeat
   ansible.builtin.service:
     name: metricbeat
     state: restarted
+
+...
diff --git a/roles/metricbeat/tasks/main.yml b/roles/metricbeat/tasks/main.yml
index 28d413c21bb17e140fccc056fb3209c9a4018802..6d9d18e091ecdd5d30f85207133554f5dfe596a4 100644
--- a/roles/metricbeat/tasks/main.yml
+++ b/roles/metricbeat/tasks/main.yml
@@ -1,10 +1,11 @@
 ---
+
 - name: install apt-transport-https
   ansible.builtin.apt:
     force_apt_get: true
     install_recommends: false
     name: apt-transport-https
-    state: latest
+    state: present
   register: apt_status
   retries: 60
   until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
@@ -23,7 +24,7 @@
     force_apt_get: true
     install_recommends: false
     name: metricbeat
-    state: latest
+    state: present
   register: apt_status
   retries: 60
   until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
@@ -54,3 +55,5 @@
     name: metricbeat
     enabled: true
     state: started
+
+...
diff --git a/roles/mirismanager/README.md b/roles/mirismanager/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..42bb3ea61ce008555fc8e1462d74a4a51522a4a6
--- /dev/null
+++ b/roles/mirismanager/README.md
@@ -0,0 +1,49 @@
+# Mirismanager
+
+The mediaserver group is used to configure all hosts with the UbiCast platform to control and manage video recorders.  
+ * In a standard Ubicast case, the host is the same as mediaserver
+ * In a HA Ubicast case, it is usually a dedicated server
+
+## Role Variables
+
+Available variables are listed below, along with the descriptions and the default values.
+
+`manager_domain`: Defines the default domain for the Nudgis Manager (Optional)
+```
+manager_domain: "manager.example.com"
+```
+
+`manager_email_from`: Defines the default address for the Nudgis Manager emails sender (Optional)
+```
+manager_email_from: "noreply@{{ manager_domain }}"
+```
+
+`http_proxy`: Mandatory proxy to use in apt-cacher-ng (Optional)
+```
+http_proxy: ""
+```
+
+`manager_database_domain`: Domain to reach PostgreSQL database
+```
+manager_database_domain: "database.manager.example.com"
+```
+
+`manager_database_port`: Port to reach PostgreSQL database
+```
+manager_database_port: "5432"
+```
+
+`manager_database_password`: Port to connect to PostgreSQL database with superuser rights (Optional)
+```
+manager_database_password: "changeit"
+```
+
+`manager_user_ubicast_password`: Application ubicast user password
+```
+manager_user_ubicast_password: "changeit"
+```
+
+`manager_user_admin_password`: Application admin user password
+```
+manager_user_admin_password: "changeit"
+```
diff --git a/roles/mirismanager/defaults/main.yml b/roles/mirismanager/defaults/main.yml
index 17e07d35392635e07ce3fc9e5f8ef22e2c21954b..0f9b91673ef12b46cf4dfe4493e39af7070c50c5 100644
--- a/roles/mirismanager/defaults/main.yml
+++ b/roles/mirismanager/defaults/main.yml
@@ -1,32 +1,12 @@
 ---
-# ubicast-skyreach-runtime packages: todo: manage the database in inventory (/!\ can be idenpendent of the MS database)
-dependencies_packages:
-  - apt-cacher-ng
-  - cron
-  - nginx
-  - postfix
-  - postgresql
+manager_domain: "manager.example.com"
+manager_email_from: "noreply@{{ manager_domain }}"
+proxy_http: ""
 
-manager_packages:
-  - ubicast-skyreach
+manager_database_domain: "database.manager.example.com"
+manager_database_port: "5432"
+manager_database_password: "changeit"
 
-manager_testing: false
-manager_hostname: "{{ envsetup_cm_server_name | d('mirismanager', true) }}"
-manager_default_email_sender: noreply@{{ manager_hostname }}
-manager_email_sender: "{{ envsetup_email_sender | default(manager_default_email_sender, true) }}"
-manager_proxy_http: "{{ envsetup_proxy_http | d() }}"
-
-manager_firewall_enabled: true
-manager_ferm_rules_filename: manager
-manager_ferm_input_rules:
-  - proto:
-      - tcp
-    dport:
-      - 80
-      - 443
-  - proto:
-      - tcp
-    dport:
-      - 3142
-manager_ferm_output_rules: []
-manager_ferm_global_settings:
+manager_user_ubicast_password: "changeit"
+manager_user_admin_password: "changeit"
+...
diff --git a/roles/mirismanager/files/install.example.ini b/roles/mirismanager/files/install.example.ini
new file mode 100644
index 0000000000000000000000000000000000000000..4c2879ee749281bf6ab7d06b0eaac34a33effbd3
--- /dev/null
+++ b/roles/mirismanager/files/install.example.ini
@@ -0,0 +1,32 @@
+# Configuration file for installation and post installation scripts.
+# IMPORTANT:
+# This file must be readable ONLY by root to avoid revealing passwords.
+
+[conf]
+# Database host.
+# Can be a hostname or an IP.
+# DB_HOST = 127.0.0.1
+
+# Database port.
+# DB_PORT = 5432
+
+# Database postgres account password.
+# DB_ROOT_PWD =
+
+# Domain to use for the application.
+# DOMAIN = skyreach.example.com
+
+# Superuser account (ubicast) password.
+# SUPERUSER_PWD = changeit
+
+# Admin account password.
+# ADMIN_PWD =
+
+# API key of this skyreach site.
+# This key is used to be able to synchronize packages and systems with the upstream skyreach.
+# API_KEY =
+
+# Secret key of this skyreach site.
+# This key is used to be able to synchronize packages and systems with the upstream skyreach.
+# SECRET_KEY =
+
diff --git a/roles/mirismanager/handlers/main.yml b/roles/mirismanager/handlers/main.yml
index b84c28ab94874e8bac3cc52e4af671167add1c39..90192c9b7a29fbd47b74cb3f6522433505e13028 100644
--- a/roles/mirismanager/handlers/main.yml
+++ b/roles/mirismanager/handlers/main.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: restart nginx
   ansible.builtin.service:
     name: nginx
@@ -13,3 +14,5 @@
   ansible.builtin.service:
     name: apt-cacher-ng
     state: restarted
+
+...
diff --git a/roles/mirismanager/meta/main.yml b/roles/mirismanager/meta/main.yml
index 9ab21e04b40be9b7a81c45464ae84dba2afe4d34..c4cc4780bdd8beed15375c59565a39585cff6b22 100644
--- a/roles/mirismanager/meta/main.yml
+++ b/roles/mirismanager/meta/main.yml
@@ -1,6 +1,9 @@
 ---
+
 dependencies:
   - role: base
   - role: nginx
   - when: "'postgres' in group_names"
     role: postgres
+
+...
diff --git a/roles/mirismanager/tasks/main.yml b/roles/mirismanager/tasks/main.yml
index 6ff87d4209d4fcbabe9cac2910e097099341c392..d9a905420f8c9cb80b3c766f040eb9add9d32845 100644
--- a/roles/mirismanager/tasks/main.yml
+++ b/roles/mirismanager/tasks/main.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: mirismanager dependencies install
   ansible.builtin.apt:
     force_apt_get: true
@@ -13,6 +14,38 @@
     name: postgresql
     state: started
 
+- name: ensure /etc/skyreach directory exist
+  ansible.builtin.file:
+    path: /etc/skyreach
+    state: directory
+    mode: "750"  # use skyreach postinstall rights...
+# TOFIX: There is a problem with postgres password (mediaserver and mirismanager)
+- name: replace default database password with empty one
+  when: manager_database_password == "changeit"
+  ansible.builtin.set_fact:
+    manager_database_password: ""
+
+- name: copy mirismanager install.ini file from sample
+  ansible.builtin.copy:
+    src: install.example.ini
+    dest: /etc/skyreach/install.ini
+    force: false
+    mode: "640"  # use skyreach package post-install rights...
+
+- name: prepare mirismanager variables in install.ini file
+  ansible.builtin.replace:
+    path: /etc/skyreach/install.ini
+    regexp: '^(\s*)#?\s*{{ item.name }}\s*=.*$'
+    replace: '\1{{ item.name }} = {{ item.value }}'
+  loop:
+    - { name: 'DB_HOST',       value: '{{ manager_database_domain }}' }       # noqa: yaml[commas]
+    - { name: 'DB_PORT',       value: '{{ manager_database_port }}' }         # noqa: yaml[commas]
+    - { name: 'DB_ROOT_PWD',   value: '{{ manager_database_password }}' }     # noqa: yaml[commas]
+    - { name: 'DOMAIN'     ,   value: '{{ manager_domain }}' }                # noqa: yaml[commas]
+    - { name: 'SUPERUSER_PWD', value: '{{ manager_user_ubicast_password }}' } # noqa: yaml[commas]
+    - { name: 'ADMIN_PWD',     value: '{{ manager_user_admin_password }}' }   # noqa: yaml[commas]
+  when: item.value != "" and item.value != '""'
+
 - name: mirismanager install
   ansible.builtin.apt:
     force_apt_get: true
@@ -27,7 +60,7 @@
   ansible.builtin.lineinfile:
     path: /home/skyreach/skyreach_data/private/settings_override.py
     regexp: ^#? ?DEFAULT_FROM_EMAIL.*
-    line: DEFAULT_FROM_EMAIL = '{{ manager_email_sender }}'
+    line: DEFAULT_FROM_EMAIL = '{{ manager_email_from }}'
     backup: true
 
 - name: ensure skyreach is running
@@ -44,12 +77,12 @@
 - name: configure apt-cacher-ng
   when:
     - manager_apt_cacher_conf.stat.exists
-    - manager_proxy_http | d(false)
+    - proxy_http | d(false)
   notify: restart apt-cacher-ng
   ansible.builtin.lineinfile:
     path: /etc/apt-cacher-ng/acng.conf
     regexp: "^Proxy: .*"
-    line: "Proxy: {{ manager_proxy_http }}"
+    line: "Proxy: {{ proxy_http }}"
 
 - name: ensure apt-cacher-ng is running
   ansible.builtin.service:
@@ -60,7 +93,6 @@
 # FIREWALL
 
 - name: firewall
-  when: manager_firewall_enabled
   vars:
     ferm_rules_filename: "{{ manager_ferm_rules_filename }}"
     ferm_input_rules: "{{ manager_ferm_input_rules }}"
@@ -71,3 +103,5 @@
 
 - name: flush handlers
   ansible.builtin.meta: flush_handlers
+
+...
diff --git a/roles/mirismanager/vars/main.yml b/roles/mirismanager/vars/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e92a0a7892fa547c3847e9c62b77109a7b34965a
--- /dev/null
+++ b/roles/mirismanager/vars/main.yml
@@ -0,0 +1,28 @@
+---
+# ubicast-skyreach-runtime packages: todo: manage the database in inventory (/!\ can be idenpendent of the MS database)
+dependencies_packages:
+  - apt-cacher-ng
+  - cron
+  - nginx
+  - postfix
+  - postgresql
+
+manager_packages:
+  - ubicast-skyreach
+
+manager_ferm_rules_filename: manager
+manager_ferm_input_rules:
+  # http + https rules
+  - proto:
+      - tcp
+    dport:
+      - 80
+      - 443
+  # apt-cacher rules
+  - proto:
+      - tcp
+    dport:
+      - 3142
+manager_ferm_output_rules: []
+manager_ferm_global_settings:
+...
diff --git a/roles/monitor/msmonitor/README.md b/roles/monitor/msmonitor/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..2cfa07fab0e1a1d4af05b570e12fcbe26f653de2
--- /dev/null
+++ b/roles/monitor/msmonitor/README.md
@@ -0,0 +1,23 @@
+# Msmonitor
+
+The msmonitor group is used to configure all hosts to allow to access to monitoring data through a secure web interface.  
+ * In a standard and HA Ubicast case, the host(s) is(are) the same as mediaserver
+
+## Role Variables
+
+Available variables are listed below, along with the descriptions and the default values.
+
+`monitor_domain`: Defines the default domain for monitor (Optional)
+```
+monitor_domain: "monitor.example.com"
+```
+
+`monitor_user_ubicast_password`: Password for the webmonitor ubicast user (Optional)
+```
+monitor_user_ubicast_password: "changeit"
+```
+
+`monitor_user_admin_password`: Password for the webmonitor admin user (Optional)
+```
+monitor_user_admin_password: "changeit"
+```
diff --git a/roles/monitor/msmonitor/defaults/main.yml b/roles/monitor/msmonitor/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..71373ae9fad9c5b94d559f68bdf77956857f51f2
--- /dev/null
+++ b/roles/monitor/msmonitor/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+monitor_domain: "monitor.example.com"
+monitor_user_ubicast_password: "changeit"
+monitor_user_admin_password: "changeit"
+...
diff --git a/roles/monitor/msmonitor/files/install.example.ini b/roles/monitor/msmonitor/files/install.example.ini
new file mode 100644
index 0000000000000000000000000000000000000000..b6bf05da9defb91317b2560e94b729c6c115824a
--- /dev/null
+++ b/roles/monitor/msmonitor/files/install.example.ini
@@ -0,0 +1,16 @@
+# Configuration file for installation and post installation scripts.
+# IMPORTANT:
+# This file must be readable ONLY by root to avoid revealing passwords.
+# After any change, please reinstall the package to trigger the reconfiguration.
+
+[conf]
+# Domain to use for the application.
+# DOMAIN = monitor.example.com
+
+# Superuser account (ubicast) password.
+# SUPERUSER_PWD = changeit
+
+# Admin account (admin) password.
+# The account will not be able to log in if no password is set.
+# ADMIN_PWD =
+
diff --git a/roles/munin/msmonitor/handlers/main.yml b/roles/monitor/msmonitor/handlers/main.yml
similarity index 93%
rename from roles/munin/msmonitor/handlers/main.yml
rename to roles/monitor/msmonitor/handlers/main.yml
index 06947324ccfdfd28f5795805cbd51f9526f16624..8a97cff137ee67aeb5dd79f2058fa75ba8a28f00 100644
--- a/roles/munin/msmonitor/handlers/main.yml
+++ b/roles/monitor/msmonitor/handlers/main.yml
@@ -1,5 +1,8 @@
 ---
+
 - name: restart nginx
   ansible.builtin.service:
     name: nginx
     state: restarted
+
+...
diff --git a/roles/munin/msmonitor/meta/main.yml b/roles/monitor/msmonitor/meta/main.yml
similarity index 96%
rename from roles/munin/msmonitor/meta/main.yml
rename to roles/monitor/msmonitor/meta/main.yml
index c56295711751b70094d2d899b083d9a1801d0742..2e6be4f31fe4f842ef04ceb9bb8ba9f3d12b3f19 100644
--- a/roles/munin/msmonitor/meta/main.yml
+++ b/roles/monitor/msmonitor/meta/main.yml
@@ -1,4 +1,5 @@
 ---
+
 dependencies:
   - role: conf # get conf.sh
   - role: init # setup keys
@@ -6,3 +7,5 @@ dependencies:
   - role: ferm-install
   - role: ferm-configure
   - role: nginx
+
+...
diff --git a/roles/monitor/msmonitor/tasks/main.yml b/roles/monitor/msmonitor/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d9212df42ff0b953be74f04bfbff1a132dcaa908
--- /dev/null
+++ b/roles/monitor/msmonitor/tasks/main.yml
@@ -0,0 +1,53 @@
+---
+
+- name: ensure /etc/webmonitor directory exist
+  ansible.builtin.file:
+    path: /etc/webmonitor
+    state: directory
+    mode: "750"  # use webmonitor package post-install rights...
+- name: deploy monitor install.ini file
+  ansible.builtin.copy:
+    src: install.example.ini
+    dest: /etc/webmonitor/install.ini
+    force: false
+    mode: "640"  # use webmonitor package post-install rights...
+
+- name: prepare webmonitor variables in install.ini file
+  ansible.builtin.replace:
+    path: /etc/webmonitor/install.ini
+    regexp: '^(\s*)#?\s*{{ item.name }}\s*=.*$'
+    replace: '\1{{ item.name }} = {{ item.value }}'
+  loop:
+    - { name: 'DOMAIN',        value: '{{ monitor_domain }}' }                # noqa: yaml[commas]
+    - { name: 'ADMIN_PWD',     value: '{{ monitor_user_admin_password }}' }   # noqa: yaml[commas]
+    - { name: 'SUPERUSER_PWD', value: '{{ monitor_user_ubicast_password }}' } # noqa: yaml[commas]
+  when: item.value != "" and item.value != '""'
+
+- name: install ubicast msmonitor
+  ansible.builtin.apt:
+    force_apt_get: true
+    install_recommends: false
+    state: present
+    name: "{{ msmonitor_packages }}"
+  register: apt_status
+  retries: 60
+  until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
+
+- name: ensure msmonitor is running
+  ansible.builtin.service:
+    name: webmonitor
+    enabled: true
+    state: started
+
+# FIREWALL
+
+- name: firewall
+  vars:
+    ferm_rules_filename: "{{ monitor_ferm_rules_filename }}"
+    ferm_input_rules: "{{ monitor_ferm_input_rules }}"
+    ferm_output_rules: "{{ monitor_ferm_output_rules }}"
+    ferm_global_settings: "{{ monitor_ferm_global_settings }}"
+  ansible.builtin.include_role:
+    name: ferm-configure
+
+...
diff --git a/roles/monitor/msmonitor/vars/main.yml b/roles/monitor/msmonitor/vars/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..de9e24c264556acacf90429d7d4fbfb7f79b649f
--- /dev/null
+++ b/roles/monitor/msmonitor/vars/main.yml
@@ -0,0 +1,15 @@
+---
+msmonitor_packages:
+  - ubicast-webmonitor
+  - ubicast-webmonitor-runtime
+
+monitor_ferm_rules_filename: monitor
+monitor_ferm_input_rules:
+  - proto:
+      - tcp
+    dport:
+      - 80
+      - 443
+monitor_ferm_output_rules: []
+monitor_ferm_global_settings:
+...
diff --git a/roles/monitor/munin_node/README.md b/roles/monitor/munin_node/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..adf54c264e20a648f75007b6a3cf8e3efb3079d1
--- /dev/null
+++ b/roles/monitor/munin_node/README.md
@@ -0,0 +1,13 @@
+# Munin_node
+
+The munin_node group is used to configure all hosts to send monitoring data back to the monitoring server (munin_server group).  
+   * In a standard and HA Ubicast case, the hosts are all those that compose the UbiCast platform
+
+## Role Variables
+
+Available variables are listed below, along with the descriptions and the default values.
+
+`ubicast_customer_name`: Short name of the customer, with no spaces. This name is used in munin to group the graphs under the same name.
+```
+ubicast_customer_name: "example"
+```
diff --git a/roles/monitor/munin_node/defaults/main.yml b/roles/monitor/munin_node/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e8e946e783efd5911df75ff93247a1641af1ae13
--- /dev/null
+++ b/roles/monitor/munin_node/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+ubicast_customer_name: "example"
+...
diff --git a/roles/munin/munin-node/handlers/main.yml b/roles/monitor/munin_node/handlers/main.yml
similarity index 51%
rename from roles/munin/munin-node/handlers/main.yml
rename to roles/monitor/munin_node/handlers/main.yml
index 5ca5295a86983fb9374c74c8aff1aa34bb9de7fb..2938b153481dbeb60e90ad4d8f37637fd8e1957b 100644
--- a/roles/munin/munin-node/handlers/main.yml
+++ b/roles/monitor/munin_node/handlers/main.yml
@@ -1,5 +1,9 @@
 ---
-- name: restart munin-node
+
+- name: restart munin-node service
   ansible.builtin.service:
     name: munin-node
     state: restarted
+  listen: restart munin-node
+
+...
diff --git a/roles/munin/munin-node/meta/main.yml b/roles/monitor/munin_node/meta/main.yml
similarity index 97%
rename from roles/munin/munin-node/meta/main.yml
rename to roles/monitor/munin_node/meta/main.yml
index abeb01c5ebe3bb839d52b380fe06093a2911ad7b..5ebef5cff109c3ef0fb7b770963c03fa94b4d600 100644
--- a/roles/munin/munin-node/meta/main.yml
+++ b/roles/monitor/munin_node/meta/main.yml
@@ -1,4 +1,5 @@
 ---
+
 dependencies:
   - role: conf # get conf.sh
   - role: init # setup keys pkgs
@@ -9,3 +10,5 @@ dependencies:
 # - only need :
 #     * ubicast repo
 #     * firewall input 4949
+
+...
diff --git a/roles/munin/munin-node/tasks/main.yml b/roles/monitor/munin_node/tasks/main.yml
similarity index 55%
rename from roles/munin/munin-node/tasks/main.yml
rename to roles/monitor/munin_node/tasks/main.yml
index f5c8b977877499361322fb8c42d884a7255908fd..18e330d3ca1188b66c5e013d5490b566e91e6a81 100644
--- a/roles/munin/munin-node/tasks/main.yml
+++ b/roles/monitor/munin_node/tasks/main.yml
@@ -3,25 +3,35 @@
   ansible.builtin.apt:
     force_apt_get: true
     install_recommends: false
-    state: latest
-    name:
-      - munin-node
-      - ubicast-munin
+    state: present
+    name: "{{ munin_node_packages }}"
   register: apt_status
   retries: 60
   until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
 
-- name: copy munin-node configuration
+- name: copy munin_node configuration
   notify: restart munin-node
   ansible.builtin.template:
-    src: munin-node.conf.j2
+    src: munin_node.conf.j2
     dest: /etc/munin/munin-node.conf
     mode: "644"
 
 - name: setup munin-node plugins link
   notify: restart munin-node
   ansible.builtin.shell:
-    munin-node-configure --shell --remove-also 2>&1 || true | sh -x  # noqa risky-shell-pipe
+    munin_node-configure --shell --remove-also 2>&1 || true | sh -x  # noqa risky-shell-pipe
   # sh -x print executed cmd to stderr
   register: munin_plugin_linked
   changed_when: munin_plugin_linked.stderr | length > 0
+
+# FIREWALL
+
+- name: firewall
+  vars:
+    ferm_rules_filename: "{{ munin_node_ferm_rules_filename }}"
+    ferm_input_rules: "{{ munin_node_ferm_input_rules }}"
+    ferm_output_rules: "{{ munin_node_ferm_output_rules }}"
+    ferm_global_settings: "{{ munin_node_ferm_global_settings }}"
+  ansible.builtin.include_role:
+    name: ferm-configure
+...
diff --git a/roles/munin/munin-node/templates/munin-node.conf.j2 b/roles/monitor/munin_node/templates/munin_node.conf.j2
similarity index 90%
rename from roles/munin/munin-node/templates/munin-node.conf.j2
rename to roles/monitor/munin_node/templates/munin_node.conf.j2
index 77c781a7a0df9b6c5622be449e9f395834c48a7b..f3a88dc3c2360551d2b333602de7480801288889 100644
--- a/roles/munin/munin-node/templates/munin-node.conf.j2
+++ b/roles/monitor/munin_node/templates/munin_node.conf.j2
@@ -20,7 +20,7 @@ ignore_file \.rpm(save|new)$
 ignore_file \.pod$
 ignore_file ^if_(err_)*(veth|docker|br|lxcbr)
 
-host_name {{ inventory_hostname }}.{{ customer_short_name }}
+host_name {{ inventory_hostname }}.{{ ubicast_customer_name }}
 
 {% for host in groups['munin_server'] %}
 allow ^{{ hostvars[host]['ansible_facts']['default_ipv4']['address'] | replace('.','\.') }}$
diff --git a/roles/monitor/munin_node/vars/main.yml b/roles/monitor/munin_node/vars/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..a267fa3969d1ed1164af037bcee98c537fd32583
--- /dev/null
+++ b/roles/monitor/munin_node/vars/main.yml
@@ -0,0 +1,19 @@
+---
+
+munin_node_packages:
+  - munin-node
+  - ubicast-munin
+
+munin_node_logfile: /var/log/munin/munin_node.log
+munin_node_pidfile: /var/run/munin/munin_node.pid
+
+munin_node_ferm_rules_filename: munin_node
+munin_node_ferm_input_rules:
+  - proto:
+      - tcp
+    dport:
+      - 4949
+munin_node_ferm_output_rules: []
+munin_node_ferm_global_settings:
+
+...
diff --git a/roles/monitor/munin_server/README.md b/roles/monitor/munin_server/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..3e21fc5a0953b24900f9efa57163fd6b20413cbf
--- /dev/null
+++ b/roles/monitor/munin_server/README.md
@@ -0,0 +1,13 @@
+# Munin_server
+
+The munin_server group is used to configure all hosts for publishing monitoring data  
+ * In a standard and HA Ubicast case, the host(s) is(are) the same as mediaserver
+
+## Role Variables
+
+Available variables are listed below, along with the descriptions and the default values.
+
+`ubicast_customer_name`: Short name of the customer, with no spaces. This name is used in munin to group the graphs under the same name.
+```
+ubicast_customer_name: "example"
+```
diff --git a/roles/monitor/munin_server/defaults/main.yml b/roles/monitor/munin_server/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e8e946e783efd5911df75ff93247a1641af1ae13
--- /dev/null
+++ b/roles/monitor/munin_server/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+ubicast_customer_name: "example"
+...
diff --git a/roles/munin/munin-server/handlers/main.yml b/roles/monitor/munin_server/handlers/main.yml
similarity index 87%
rename from roles/munin/munin-server/handlers/main.yml
rename to roles/monitor/munin_server/handlers/main.yml
index c6ff6638197039117fd127ffe3afdc97bd269aff..d9a776c8d068e850cccc6bce49ce6a03ca50c040 100644
--- a/roles/munin/munin-server/handlers/main.yml
+++ b/roles/monitor/munin_server/handlers/main.yml
@@ -6,7 +6,7 @@
     state: absent
   listen: "restart munin-server"
 
-- name: restart munin-server service
+- name: restart munin_server service
   ansible.builtin.service:
     name: munin
     state: restarted
diff --git a/roles/munin/munin-server/tasks/main.yml b/roles/monitor/munin_server/tasks/main.yml
similarity index 73%
rename from roles/munin/munin-server/tasks/main.yml
rename to roles/monitor/munin_server/tasks/main.yml
index 743e81a4191c23e2075b86306eeffb9d6acb4f0a..371bbd1a4b79a35a24dd128255b2ebed29a7b388 100644
--- a/roles/munin/munin-server/tasks/main.yml
+++ b/roles/monitor/munin_server/tasks/main.yml
@@ -1,23 +1,23 @@
 ---
-- name: install required packages for munin-server
+
+- name: install required packages for munin server
   ansible.builtin.apt:
     force_apt_get: true
     install_recommends: false
-    state: latest
-    name:
-      - munin
+    state: present
+    name: "{{ munin_server_packages }}"
   register: apt_status
   retries: 60
   until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
 
-- name: copy munin-server configuration
+- name: copy munin_server configuration
   notify: restart munin-server
   ansible.builtin.template:
     src: munin.conf.j2
     dest: /etc/munin/munin.conf
     mode: "644"
 
-# Force munin-server restart to avoid default localdomain graph creation after remove
+# Force munin_server restart to avoid default localdomain graph creation after remove
 - name: flush handlers
   ansible.builtin.meta: flush_handlers
 
@@ -25,3 +25,5 @@
   ansible.builtin.file:
     path: /var/cache/munin/www/localdomain
     state: absent
+
+...
diff --git a/roles/munin/munin-server/templates/munin.conf.j2 b/roles/monitor/munin_server/templates/munin.conf.j2
similarity index 87%
rename from roles/munin/munin-server/templates/munin.conf.j2
rename to roles/monitor/munin_server/templates/munin.conf.j2
index 00d59b69e8857942a8302218555bea7ef29aeed9..630db9fb15a71815f81047f0f1e10fd8317b35ad 100644
--- a/roles/munin/munin-server/templates/munin.conf.j2
+++ b/roles/monitor/munin_server/templates/munin.conf.j2
@@ -5,7 +5,7 @@
 includedir /etc/munin/munin-conf.d
 
 {% for host in groups['munin_node'] %}
-[{{ host }}.{{ customer_short_name }}]
+[{{ host }}.{{ ubicast_customer_name }}]
     address {{hostvars[host]['ansible_facts']['default_ipv4']['address']}}
     use_node_name yes
 
diff --git a/roles/monitor/munin_server/vars/main.yml b/roles/monitor/munin_server/vars/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..2b2d0be891482bc11e3fc506f1fbc6959f92cc9f
--- /dev/null
+++ b/roles/monitor/munin_server/vars/main.yml
@@ -0,0 +1,4 @@
+---
+munin_server_packages:
+  - munin
+...
diff --git a/roles/munin/msmonitor/defaults/main.yml b/roles/munin/msmonitor/defaults/main.yml
deleted file mode 100644
index f47297ab5b3e4db3fe9460cc97e2e4780b70568d..0000000000000000000000000000000000000000
--- a/roles/munin/msmonitor/defaults/main.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-monitor_shell_pwd: "{{ envsetup_monitor_shell_pwd | d() }}"
-monitor_admin_pwd: "{{ envsetup_monitor_admin_pwd | d() }}"
-monitor_superuser_pwd: "{{ envsetup_monitor_superuser_pwd | d() }}"
-ssh_maintenance_port: "{{ envsetup_ssh_maintenance_port | d() }}"
-monitor_hostname: "{{ envsetup_monitor_server_name | d('monitor', true) }}"
-
-monitor_firewall_enabled: true
-monitor_ferm_rules_filename: monitor
-monitor_ferm_input_rules:
-  - proto:
-      - tcp
-    dport:
-      - 80
-      - 443
-monitor_ferm_output_rules: []
-monitor_ferm_global_settings:
diff --git a/roles/munin/msmonitor/tasks/main.yml b/roles/munin/msmonitor/tasks/main.yml
deleted file mode 100644
index a131f2fd1027ee79ad8c148375042d2c3c641fad..0000000000000000000000000000000000000000
--- a/roles/munin/msmonitor/tasks/main.yml
+++ /dev/null
@@ -1,30 +0,0 @@
----
-- name: install ubicast msmonitor
-  ansible.builtin.apt:
-    force_apt_get: true
-    install_recommends: false
-    state: latest
-    name:
-      - ubicast-webmonitor
-      - ubicast-webmonitor-runtime
-  register: apt_status
-  retries: 60
-  until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
-
-- name: ensure msmonitor is running
-  ansible.builtin.service:
-    name: webmonitor
-    enabled: true
-    state: started
-
-# FIREWALL
-
-- name: firewall
-  when: monitor_firewall_enabled
-  vars:
-    ferm_rules_filename: "{{ monitor_ferm_rules_filename }}"
-    ferm_input_rules: "{{ monitor_ferm_input_rules }}"
-    ferm_output_rules: "{{ monitor_ferm_output_rules }}"
-    ferm_global_settings: "{{ monitor_ferm_global_settings }}"
-  ansible.builtin.include_role:
-    name: ferm-configure
diff --git a/roles/munin/munin-node/defaults/main.yml b/roles/munin/munin-node/defaults/main.yml
deleted file mode 100644
index 57b76bedc49714660da1b3efed2c4b16bb9e1cb9..0000000000000000000000000000000000000000
--- a/roles/munin/munin-node/defaults/main.yml
+++ /dev/null
@@ -1,3 +0,0 @@
----
-munin_node_logfile: /var/log/munin/munin-node.log
-munin_node_pidfile: /var/run/munin/munin-node.pid
diff --git a/roles/netcapture/defaults/main.yml b/roles/netcapture/defaults/main.yml
index 4faa6797e4d85eaab06f8073d81911437646dd84..1e2e031ce863629812af7ecbed0343b428a48e64 100644
--- a/roles/netcapture/defaults/main.yml
+++ b/roles/netcapture/defaults/main.yml
@@ -1,9 +1,9 @@
 ---
-netcapture_mm_url: https://{{ envsetup_cm_server_name | default('mirismanager.ubicast.eu', true) }}
+netcapture_mm_url: "mirismanager.example.com"
 netcapture_mm_ssl: true
-netcapture_conf_folder: /etc/miris/conf
-netcapture_media_folder: /data/netcapture/media
-netcapture_pkg_folder: /data/netcapture/packages
-netcapture_hw_acceleration: false
-netcapture_miris_user_pwd: "{{ lookup('password', '/tmp/passwordfile length=12 chars=ascii_letters,digits') }}"
+netcapture_conf_folder: "/etc/miris/conf"
+netcapture_media_folder: "/data/netcapture/media"
+netcapture_pkg_folder: "/data/netcapture/packages"
+netcapture_miris_user_pwd: "changeme"
 netcapture_miris_auth: true
+...
diff --git a/roles/netcapture/tasks/main.yml b/roles/netcapture/tasks/main.yml
index 471772d6b41408373813744258c0e0c080c442cf..18d8be224a7c51bb0ffa478cf3b46dee0efaa23f 100644
--- a/roles/netcapture/tasks/main.yml
+++ b/roles/netcapture/tasks/main.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: netcapture install
   ansible.builtin.apt:
     force_apt_get: true
@@ -45,3 +46,5 @@
     path: "{{ netcapture_pkg_folder }}"
     mode: u=rwX,g=rwX,o=rx
     state: directory
+
+...
diff --git a/roles/nginx/README.md b/roles/nginx/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..dc25b471746f79c36769d16e7650b8ce89357538
--- /dev/null
+++ b/roles/nginx/README.md
@@ -0,0 +1,20 @@
+# Nginx
+
+## Role Variables
+
+Available variables are listed below, along with the descriptions and the default values.
+
+`nginx_ssl_certificate`: Path of the SSL certificate for nginx configuration (Optional)
+```
+nginx_ssl_certificate: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+```
+
+`nginx_ssl_certificate_key`: Path of the SSL key for nginx configuration (Optional)
+```
+nginx_ssl_certificate_key: "/etc/ssl/private/ssl-cert-snakeoil.key"
+```
+
+`nginx_real_ip_from`: IPv4 address of the reverse-proxy or loadbalancer above the server(s) (Optional)
+```
+nginx_real_ip_from: ""
+```
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index f1ac547180fd5365484bfa5a922e6e0846d2322e..6901a16c2ac6c09e0b128902b2befccf05399fc9 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -1,8 +1,5 @@
 ---
-nginx_packages:
-  - nginx
-  - uwsgi
-  - uwsgi-plugin-python3
-
 nginx_ssl_certificate: /etc/ssl/certs/ssl-cert-snakeoil.pem
 nginx_ssl_certificate_key: /etc/ssl/private/ssl-cert-snakeoil.key
+nginx_real_ip_from: ''
+...
diff --git a/roles/nginx/handlers/main.yml b/roles/nginx/handlers/main.yml
index abb7b115ab9c7d835c04a6320b219dd71fe3f789..b0abf18b3894fe1af147e0ca063f8e9e9a913d58 100644
--- a/roles/nginx/handlers/main.yml
+++ b/roles/nginx/handlers/main.yml
@@ -1,5 +1,8 @@
 ---
+
 - name: restart nginx
   ansible.builtin.systemd:
     name: nginx
     state: restarted
+
+...
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 2f126a7612bfe5860e04078e5adfbad6e4a85bba..ae07f894b67f26a08d883c2274cad4c6e7675a57 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: nginx install
   ansible.builtin.apt:
     force_apt_get: true
@@ -57,3 +58,14 @@
     path: /etc/nginx/conf.d/ssl_certificate.conf
     regexp: ssl_certificate_key\s+([\w/\-\_\.]+);
     line: ssl_certificate_key {{ nginx_ssl_certificate_key }};
+
+- name: add realip configuration (for LoadBalancer in HA configuration)
+  notify: restart nginx
+  when:
+    - nginx_real_ip_from | length > 0
+  ansible.builtin.template:
+    src: realip.conf.j2
+    dest: /etc/nginx/conf.d/realip.conf
+    mode: "644"
+
+...
diff --git a/roles/mediaserver/templates/realip.conf.j2 b/roles/nginx/templates/realip.conf.j2
similarity index 100%
rename from roles/mediaserver/templates/realip.conf.j2
rename to roles/nginx/templates/realip.conf.j2
diff --git a/roles/nginx/vars/main.yml b/roles/nginx/vars/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..98f55a38c7b1bc2dc5e22a15cbe7d67caee24904
--- /dev/null
+++ b/roles/nginx/vars/main.yml
@@ -0,0 +1,6 @@
+---
+nginx_packages:
+  - nginx
+  - uwsgi
+  - uwsgi-plugin-python3
+...
diff --git a/roles/postfix/README.md b/roles/postfix/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..f523e19b95aec9aa778aeb49443e6eba6a2a86db
--- /dev/null
+++ b/roles/postfix/README.md
@@ -0,0 +1,37 @@
+# Postfix
+
+The postfix group is used to configure all hosts to send email.  
+
+## Role Variables
+
+Available variables are listed below, along with the descriptions and the default values.
+
+`postfix_admin`: Define the specified email address for the unix root account (in /etc/aliases)
+```
+postfix_admin: "admin@example.com"
+```
+
+`postfix_mailname`: Default sender domain, used to complete both postfix configuration and the /etc/mailname content
+```
+postfix_mailname: "domain.example.com"
+```
+
+`postfix_email_from`: Email address used by postfix to send emails
+```
+postfix_email_from: "noreply@{{ postfix_mailname }}"
+```
+
+`postfix_relay_host`: SMTP host for the SASL account (Optional)
+```
+postfix_relay_host: ""
+```
+
+`postfix_relay_pass`: User of the SMTP SASL account (Optional)
+```
+postfix_relay_pass: ""
+```
+
+`postfix_relay_user`: Password of the SMTP SASL account (Optional)
+```
+postfix_relay_user: ""
+```
diff --git a/roles/postfix/defaults/main.yml b/roles/postfix/defaults/main.yml
index e31952669f8403785d91ce1ac49d9a6f71f20060..2eea927cc93830d932844b9d3b9f42baa658acec 100644
--- a/roles/postfix/defaults/main.yml
+++ b/roles/postfix/defaults/main.yml
@@ -1,12 +1,8 @@
 ---
-postfix_packages:
-  - postfix
-  - bsd-mailx
-
-postfix_mailname: "{{ envsetup_ms_server_name | d() }}"
-postfix_default_email_sender: noreply@{{ postfix_mailname }}
-postfix_email_sender: "{{ envsetup_email_sender | default(postfix_default_email_sender, true) }}"
-postfix_relay_host: "{{ envsetup_email_smtp_server | d() }}"
-postfix_relay_user: "{{ envsetup_email_smtp_user | d() }}"
-postfix_relay_pass: "{{ envsetup_email_smtp_pwd | d() }}"
-postfix_admin: sysadmin@ubicast.eu
+postfix_mailname: "domain.example.com"
+postfix_email_from: "noreply@{{ postfix_mailname }}"
+postfix_relay_host: ""
+postfix_relay_user: ""
+postfix_relay_pass: ""
+postfix_admin: "admin@example.com"
+...
diff --git a/roles/postfix/handlers/main.yml b/roles/postfix/handlers/main.yml
index a92f8494650204fe8ee6f6f7e203225d94d59970..ad545a82dbe4721bb95fa6f68af77918fb5c2479 100644
--- a/roles/postfix/handlers/main.yml
+++ b/roles/postfix/handlers/main.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: postmap sasl
   ansible.builtin.command: postmap hash:/etc/postfix/sasl-passwords
   # we want to generate db file at every execution
@@ -23,3 +24,5 @@
   ansible.builtin.service:
     name: postfix
     state: restarted
+
+...
diff --git a/roles/postfix/meta/main.yml b/roles/postfix/meta/main.yml
index 13aee63ee90c4187d44ad6da8185d0468e43f6d3..e8c55ae416ea2a478accac6868dbe270825cf1b2 100644
--- a/roles/postfix/meta/main.yml
+++ b/roles/postfix/meta/main.yml
@@ -1,3 +1,6 @@
 ---
+
 dependencies:
   - role: conf
+
+...
diff --git a/roles/postfix/tasks/main.yml b/roles/postfix/tasks/main.yml
index aee1a72c70b7af7a479a399fcf9934774fe20676..a9fc2da1403d6ee3c3195a38d91d5718a54b272b 100644
--- a/roles/postfix/tasks/main.yml
+++ b/roles/postfix/tasks/main.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: create postfix dir
   ansible.builtin.file:
     path: /etc/postfix
@@ -56,11 +57,11 @@
     dest: /etc/postfix/generic
     mode: "644"
     content: |
-      root@localhost {{ postfix_email_sender }}
-      root@{{ postfix_mailname }} {{ postfix_email_sender }}
-      root@{{ ansible_hostname }} {{ postfix_email_sender }}
-      @{{ postfix_mailname }} {{ postfix_email_sender }}
-      @{{ ansible_hostname }} {{ postfix_email_sender }}
+      root@localhost {{ postfix_email_from }}
+      root@{{ postfix_mailname }} {{ postfix_email_from }}
+      root@{{ ansible_hostname }} {{ postfix_email_from }}
+      @{{ postfix_mailname }} {{ postfix_email_from }}
+      @{{ ansible_hostname }} {{ postfix_email_from }}
 
 - name: postfix authentication
   when:
@@ -91,3 +92,5 @@
     name: postfix
     enabled: true
     state: started
+
+...
diff --git a/roles/postfix/vars/main.yml b/roles/postfix/vars/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..e78b6b719ce37cb01bd070fd92c22cef81b80477
--- /dev/null
+++ b/roles/postfix/vars/main.yml
@@ -0,0 +1,5 @@
+---
+postfix_packages:
+  - postfix
+  - bsd-mailx
+...
diff --git a/roles/postgres-ha/defaults/main.yml b/roles/postgres-ha/defaults/main.yml
index 304c9db92aaeb006dfee2df48985e7e37a1e8c96..25b077d3263b7590773f13c5f69a015b62e5ae73 100644
--- a/roles/postgres-ha/defaults/main.yml
+++ b/roles/postgres-ha/defaults/main.yml
@@ -1,44 +1,9 @@
 ---
-repmgr_packages:
-  - repmgr
-  # rephacheck:
-  - python3
-  - python3-psycopg2
-  - python3-toml
-
-repmgr_pg_version: "{{ pg_version | default('13') }}"
-repmgr_pg_cluster: "{{ pg_cluster | default('main') }}"
-repmgr_pg_data: /var/lib/postgresql/{{ repmgr_pg_version }}/{{ repmgr_pg_cluster }}
-
-repmgr_config: /etc/postgresql/{{ repmgr_pg_version }}/{{ repmgr_pg_cluster }}/repmgr.conf
-
+repmgr_database: repmgr
 repmgr_user: repmgr
 repmgr_password:
-repmgr_db: repmgr
 repmgr_roles: LOGIN,REPLICATION,SUPERUSER
-
-repmgr_primary_node: "{{ hostvars[groups['postgres'][0]]['ansible_default_ipv4']['address'] }}"
-
 repmgr_timeout: 5
-
-repmgr_node_id: "{{ (groups['postgres'].index(inventory_hostname)) + 1 | int }}"
-repmgr_node_name: "{{ ansible_hostname }}"
-repmgr_conninfo: host={{ ansible_default_ipv4.address }} dbname={{ repmgr_db }} user={{ repmgr_user }} connect_timeout={{ repmgr_timeout }}
-
 repmgr_repha_port: 8543
-
-pg_firewall_enabled: true
-pg_ferm_rules_filename: postgres_ha
-pg_ferm_input_rules:
-  - proto:
-      - tcp
-    dport:
-      - 5432
-      - 8543
-pg_ferm_output_rules:
-  - proto:
-      - tcp
-    dport:
-      - 54321
-      - 54322
-pg_ferm_global_settings:
+repmgr_conninfo: host={{ ansible_default_ipv4.address }} dbname={{ repmgr_database }} user={{ repmgr_user }} connect_timeout={{ repmgr_timeout }}
+...
diff --git a/roles/postgres-ha/handlers/main.yml b/roles/postgres-ha/handlers/main.yml
index 8d59175c43fce4b4292263dfc69ce2dc50b24367..868e7910dcdfa95fe8c5c4c15a12a73e194572b0 100644
--- a/roles/postgres-ha/handlers/main.yml
+++ b/roles/postgres-ha/handlers/main.yml
@@ -1,11 +1,12 @@
 ---
+
 - name: reload systemd
   ansible.builtin.systemd:
     daemon_reload: true
 
 - name: restart postgresql
   ansible.builtin.systemd:
-    name: postgresql@{{ repmgr_pg_version }}-{{ repmgr_pg_cluster }}
+    name: postgresql@{{ repmgr_database_version }}-{{ repmgr_database_cluster }}
     state: restarted
 
 - name: restart repmgrd
@@ -17,3 +18,5 @@
   ansible.builtin.systemd:
     name: rephacheck.socket
     state: restarted
+
+...
diff --git a/roles/postgres-ha/tasks/main.yml b/roles/postgres-ha/tasks/main.yml
index e42b2a336b973b2454277ec55f4a164a78be807b..d9860bb23158ac8cf9e1d472b8875df59243dd3b 100644
--- a/roles/postgres-ha/tasks/main.yml
+++ b/roles/postgres-ha/tasks/main.yml
@@ -14,7 +14,7 @@
 
 - name: postgresql
   vars:
-    pg_hba:
+    database_host_authentification:
       - type: local
         method: peer
       - type: hostssl
@@ -40,21 +40,21 @@
       - type: hostssl
         database: replication
         address: ::/0
-    pg_conf:
+    database_conf:
       - name: main
         content: |
           listen_addresses = '*'
       - name: modules
         content: |
           shared_preload_libraries = 'repmgr'
-    pg_users:
+    database_users:
       - name: "{{ repmgr_user }}"
         password: "{{ repmgr_password }}"
         roles: "{{ repmgr_roles }}"
-    pg_databases:
-      - name: "{{ repmgr_db }}"
+    database_databases:
+      - name: "{{ repmgr_database }}"
         owner: "{{ repmgr_user }}"
-    pg_ferm_input_rules:
+    database_ferm_input_rules:
       - proto:
           - tcp
         dport:
@@ -69,7 +69,7 @@
   notify: restart repmgrd
   ansible.builtin.template:
     src: repmgr.conf.j2
-    dest: "{{ repmgr_config }}"
+    dest: "{{ repmgr_conf_file }}"
     owner: postgres
     group: postgres
     mode: "644"
@@ -80,7 +80,7 @@
     - key: REPMGRD_ENABLED
       value: "yes"
     - key: REPMGRD_CONF
-      value: "{{ repmgr_config }}"
+      value: "{{ repmgr_conf_file }}"
   ansible.builtin.replace:
     path: /etc/default/repmgrd
     regexp: ^#?{{ item.key }}=.*$
@@ -94,10 +94,10 @@
     content: |
       Defaults:postgres !requiretty
       postgres ALL=NOPASSWD: \
-        /bin/systemctl start postgresql@{{ repmgr_pg_version }}-{{ repmgr_pg_cluster }}, \
-        /bin/systemctl stop postgresql@{{ repmgr_pg_version }}-{{ repmgr_pg_cluster }}, \
-        /bin/systemctl restart postgresql@{{ repmgr_pg_version }}-{{ repmgr_pg_cluster }}, \
-        /bin/systemctl reload postgresql@{{ repmgr_pg_version }}-{{ repmgr_pg_cluster }}
+        /bin/systemctl start postgresql@{{ repmgr_database_version }}-{{ repmgr_database_cluster }}, \
+        /bin/systemctl stop postgresql@{{ repmgr_database_version }}-{{ repmgr_database_cluster }}, \
+        /bin/systemctl restart postgresql@{{ repmgr_database_version }}-{{ repmgr_database_cluster }}, \
+        /bin/systemctl reload postgresql@{{ repmgr_database_version }}-{{ repmgr_database_cluster }}
 
 # SSH
 
@@ -137,7 +137,10 @@
 # REGISTER PRIMARY
 
 - name: setup primary
-  when: (db_role is defined and db_role == "primary") or (db_role is undefined and inventory_hostname == groups['postgres'][0])
+  when: >
+    (database_role is defined and database_role == "primary") or
+    (database_role is undefined and inventory_hostname == groups['postgres'][0]) or
+    (database_role is defined and database_role == "" and inventory_hostname == groups['postgres'][0])
   block:
     - name: check if primary already joined
       become: true
@@ -154,14 +157,17 @@
       when: repmgr_check_primary.query_result | length == 0
       notify: restart repmgrd
       ansible.builtin.command:
-        cmd: repmgr --config-file={{ repmgr_config }} primary register
+        cmd: repmgr --config-file={{ repmgr_conf_file }} primary register
 
 - ansible.builtin.meta: flush_handlers # noqa name[missing]
 
 # REGISTER STANDBY
 
 - name: setup standby
-  when: (db_role is defined and db_role == "standby") or (db_role is undefined and inventory_hostname == groups['postgres'][1])
+  when: >
+    (database_role is defined and database_role == "standby") or
+    (database_role is undefined and inventory_hostname == groups['postgres'][1]) or
+    (database_role is defined and database_role == "" and inventory_hostname == groups['postgres'][1])
   block:
     - name: check if standby already joined
       become: true
@@ -174,14 +180,14 @@
     - name: stop postgresql service
       when: repmgr_check_standby.query_result | length == 0
       ansible.builtin.systemd:
-        name: postgresql@{{ repmgr_pg_version }}-{{ repmgr_pg_cluster }}
+        name: postgresql@{{ repmgr_database_version }}-{{ repmgr_database_cluster }}
         state: stopped
 
     - name: remove existing pgdata
       when: repmgr_check_standby.query_result | length == 0
       ansible.builtin.command:
-        cmd: mv -vf {{ repmgr_pg_data }} {{ repmgr_pg_data }}.save
-        removes: "{{ repmgr_pg_data }}"
+        cmd: mv -vf {{ repmgr_database_data_dir }} {{ repmgr_database_data_dir }}.save
+        removes: "{{ repmgr_database_data_dir }}"
 
     - name: clone from primary to standby
       become: true
@@ -193,36 +199,36 @@
       ansible.builtin.shell:
         cmd: |
           repmgr \
-            --config-file={{ repmgr_config }} \
+            --config-file={{ repmgr_conf_file }} \
             --force \
-            --dbname={{ repmgr_db }} \
+            --dbname={{ repmgr_database }} \
             --host={{ repmgr_primary_node }} \
             --port=5432 \
             --username={{ repmgr_user }} \
-            --pgdata={{ repmgr_pg_data }} \
+            --pgdata={{ repmgr_database_data_dir }} \
             standby clone --fast-checkpoint
 
     - name: remove pgdata backup
       when: repmgr_clone_standby is succeeded
       ansible.builtin.file:
-        path: "{{ repmgr_pg_data }}.save"
+        path: "{{ repmgr_database_data_dir }}.save"
         state: absent
 
     - name: remove failed clone pgdata
       when: repmgr_clone_standby is failed
       ansible.builtin.file:
-        path: "{{ repmgr_pg_data }}"
+        path: "{{ repmgr_database_data_dir }}"
         state: absent
 
     - name: restore pgdata backup
       when: repmgr_clone_standby is failed
       ansible.builtin.command:
-        cmd: mv -vf {{ repmgr_pg_data }}.save {{ repmgr_pg_data }}
-        removes: "{{ repmgr_pg_data }}.save"
+        cmd: mv -vf {{ repmgr_database_data_dir }}.save {{ repmgr_database_data_dir }}
+        removes: "{{ repmgr_database_data_dir }}.save"
 
     - name: start postgresql service
       ansible.builtin.systemd:
-        name: postgresql@{{ repmgr_pg_version }}-{{ repmgr_pg_cluster }}
+        name: postgresql@{{ repmgr_database_version }}-{{ repmgr_database_cluster }}
         state: started
 
     - name: standby clone failed
@@ -237,14 +243,17 @@
       when: repmgr_check_standby.query_result | length == 0
       notify: restart repmgrd
       ansible.builtin.command:
-        cmd: repmgr --config-file={{ repmgr_config }} standby register
+        cmd: repmgr --config-file={{ repmgr_conf_file }} standby register
 
 - ansible.builtin.meta: flush_handlers # noqa name[missing]
 
 # REGISTER WITNESS
 
 - name: setup witness
-  when: (db_role is defined and db_role == "witness") or (db_role is undefined and inventory_hostname == groups['postgres'][2])
+  when: >
+    (database_role is defined and database_role == "witness") or
+    (database_role is undefined and inventory_hostname == groups['postgres'][2]) or
+    (database_role is defined and database_role == "" and inventory_hostname == groups['postgres'][2])
   block:
     - name: check if witness already joined
       become: true
@@ -261,7 +270,7 @@
       when: repmgr_check_witness.query_result | length == 0
       notify: restart repmgrd
       ansible.builtin.command:
-        cmd: repmgr --config-file={{ repmgr_config }} --host={{ repmgr_primary_node }} witness register
+        cmd: repmgr --config-file={{ repmgr_conf_file }} --host={{ repmgr_primary_node }} witness register
 
 - ansible.builtin.meta: flush_handlers # noqa name[missing]
 
@@ -281,7 +290,7 @@
 - name: configure rephacheck
   ansible.builtin.template:
     src: rephacheck.conf.j2
-    dest: /etc/postgresql/{{ repmgr_pg_version }}/{{ repmgr_pg_cluster }}/rephacheck.conf
+    dest: /etc/postgresql/{{ repmgr_database_version }}/{{ repmgr_database_cluster }}/rephacheck.conf
     owner: postgres
     group: postgres
     mode: "0644"
@@ -328,12 +337,11 @@
     enabled: true
 
 - name: firewall
-  when: pg_firewall_enabled
   vars:
-    ferm_rules_filename: "{{ pg_ferm_rules_filename }}"
-    ferm_input_rules: "{{ pg_ferm_input_rules }}"
-    ferm_output_rules: "{{ pg_ferm_output_rules }}"
-    ferm_global_settings: "{{ pg_ferm_global_settings }}"
+    ferm_rules_filename: "{{ database_ferm_rules_filename }}"
+    ferm_input_rules: "{{ database_ferm_input_rules }}"
+    ferm_output_rules: "{{ database_ferm_output_rules }}"
+    ferm_global_settings: "{{ database_ferm_global_settings }}"
   ansible.builtin.include_role:
     name: ferm-configure
 
diff --git a/roles/postgres-ha/templates/rephacheck.conf.j2 b/roles/postgres-ha/templates/rephacheck.conf.j2
index afc1e6bd23492826d2698b6456b3913c7a87b010..f9fc0fa0abadaa259b67be6298aad03461d0e7b7 100644
--- a/roles/postgres-ha/templates/rephacheck.conf.j2
+++ b/roles/postgres-ha/templates/rephacheck.conf.j2
@@ -10,6 +10,6 @@ node_id = {{ hostvars[node]['repmgr_node_id'] }}
 {% endfor %}
 
 [conninfo]
-dbname = "{{ repmgr_db }}"
+dbname = "{{ repmgr_database }}"
 user = "{{ repmgr_user }}"
 password = "{{ repmgr_password }}"
diff --git a/roles/postgres-ha/templates/rephacheck.py.j2 b/roles/postgres-ha/templates/rephacheck.py.j2
index 7ec6cfea94d9197c1b28ecbb5432c21fbb5ec706..6bcede2cd2817a87b1e84cadf9e689faddd384a3 100644
--- a/roles/postgres-ha/templates/rephacheck.py.j2
+++ b/roles/postgres-ha/templates/rephacheck.py.j2
@@ -50,7 +50,7 @@ def get_quorum_state(node_id):
 
 
 if __name__ == '__main__':
-    with open('/etc/postgresql/{{ repmgr_pg_version }}/{{ repmgr_pg_cluster }}/rephacheck.conf') as rephaconf:
+    with open('/etc/postgresql/{{ repmgr_database_version }}/{{ repmgr_database_cluster }}/rephacheck.conf') as rephaconf:
         conf = toml.load(rephaconf)
 
     NODES = conf.get('nodes')
diff --git a/roles/postgres-ha/templates/repmgr.conf.j2 b/roles/postgres-ha/templates/repmgr.conf.j2
index 62012de04746f230e1b5bcecde995cec9e53381d..ceee2a205867ebce30221572e2d0b4c5d41787e2 100644
--- a/roles/postgres-ha/templates/repmgr.conf.j2
+++ b/roles/postgres-ha/templates/repmgr.conf.j2
@@ -8,7 +8,7 @@ node_name={{ repmgr_node_name }}
 # database connection information
 conninfo='{{ repmgr_conninfo }}'
 # repmgr data directory
-data_directory='/var/lib/postgresql/{{ repmgr_pg_version }}/{{ repmgr_pg_cluster }}'
+data_directory='/var/lib/postgresql/{{ repmgr_database_version }}/{{ repmgr_database_cluster }}'
 # log level
 log_level='INFO'
 # log to file
@@ -30,15 +30,15 @@ use_replication_slots=1
 #------------------------------------------------------------------------------
 # Environment/command settings
 #------------------------------------------------------------------------------
-# path to PostgreSQL binary directory ((location of pg_ctl, pg_basebackup etc.) 
-pg_bindir='/usr/lib/postgresql/{{ repmgr_pg_version }}/bin/'
+# path to PostgreSQL binary directory ((location of database_ctl, database_basebackup etc.) 
+pg_bindir='/usr/lib/postgresql/{{ repmgr_database_version }}/bin/'
 
 #------------------------------------------------------------------------------
 # external command options
 #------------------------------------------------------------------------------
-# options to append to "pg_ctl"
+# options to append to "database_ctl"
 pg_ctl_options='-s'
-# options to append to "pg_basebackup"
+# options to append to "database_basebackup"
 pg_basebackup_options='--label=repmgr_backup'
 
 #------------------------------------------------------------------------------
@@ -55,16 +55,16 @@ reconnect_attempts=6
 # Interval between attempts to reconnect to an unreachable primary (or other upstream node)
 reconnect_interval=5
 # command repmgrd executes when promoting a new primary
-promote_command='repmgr -f {{ repmgr_config }} standby promote'
+promote_command='repmgr -f {{ repmgr_conf_file }} standby promote'
 # command repmgrd executes when instructing a standby to follow a new primary
-follow_command='repmgr -f {{ repmgr_config }} standby follow -W'
+follow_command='repmgr -f {{ repmgr_conf_file }} standby follow -W'
 
 #------------------------------------------------------------------------------
 # service control commands
 #------------------------------------------------------------------------------
-# override the default pg_ctl commands used to stop, start, restart, reload and promote the PostgreSQL cluster
-service_start_command='sudo systemctl start postgresql@{{ repmgr_pg_version }}-{{ repmgr_pg_cluster }}'
-service_stop_command='sudo systemctl stop postgresql@{{ repmgr_pg_version }}-{{ repmgr_pg_cluster }}'
-service_restart_command='sudo systemctl restart postgresql@{{ repmgr_pg_version }}-{{ repmgr_pg_cluster }}'
-service_reload_command='sudo systemctl reload postgresql@{{ repmgr_pg_version }}-{{ repmgr_pg_cluster }}'
+# override the default database_ctl commands used to stop, start, restart, reload and promote the PostgreSQL cluster
+service_start_command='sudo systemctl start postgresql@{{ repmgr_database_version }}-{{ repmgr_database_cluster }}'
+service_stop_command='sudo systemctl stop postgresql@{{ repmgr_database_version }}-{{ repmgr_database_cluster }}'
+service_restart_command='sudo systemctl restart postgresql@{{ repmgr_database_version }}-{{ repmgr_database_cluster }}'
+service_reload_command='sudo systemctl reload postgresql@{{ repmgr_database_version }}-{{ repmgr_database_cluster }}'
 
diff --git a/roles/postgres-ha/vars/main.yml b/roles/postgres-ha/vars/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..67249ab636b1954ba0854ddd9f4a506f2194da87
--- /dev/null
+++ b/roles/postgres-ha/vars/main.yml
@@ -0,0 +1,34 @@
+---
+repmgr_packages:
+  - repmgr
+  # rephacheck:
+  - python3
+  - python3-psycopg2
+  - python3-toml
+
+repmgr_database_version: "{{ database_version | default('15') }}"
+repmgr_database_cluster: "{{ database_cluster | default('main') }}"
+repmgr_database_data_dir: /var/lib/postgresql/{{ repmgr_database_version }}/{{ repmgr_database_cluster }}
+repmgr_conf_file: /etc/postgresql/{{ repmgr_database_version }}/{{ repmgr_database_cluster }}/repmgr.conf
+
+repmgr_primary_node: "{{ hostvars[groups['postgres'][0]]['ansible_default_ipv4']['address'] }}"
+repmgr_node_id: "{{ (groups['postgres'].index(inventory_hostname)) + 1 | int }}"
+repmgr_node_name: "{{ ansible_hostname }}"
+
+repmgr_conninfo: host={{ ansible_default_ipv4.address }} dbname={{ repmgr_database }} user={{ repmgr_user }} connect_timeout={{ repmgr_timeout }}
+
+database_ferm_rules_filename: postgres_ha
+database_ferm_input_rules:
+  - proto:
+      - tcp
+    dport:
+      - 5432
+      - 8543
+database_ferm_output_rules:
+  - proto:
+      - tcp
+    dport:
+      - 54321
+      - 54322
+database_ferm_global_settings:
+...
diff --git a/roles/postgres/README.md b/roles/postgres/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..b935ecf912ea2e45b9e15f72ca5c582ca636b6ff
--- /dev/null
+++ b/roles/postgres/README.md
@@ -0,0 +1,91 @@
+# Postgres
+
+The postgres group is used to configure the host with a postgresql database.  
+ The database can be deployed in standard mode or HA mode (3 servers, 2 configured in active/passive with an automatic switchover and witness).
+ The group will determine whether to deploy standard or HA depending on the number of servers in the group (>=2 for the HA case).
+
+## Role Variables
+
+Available variables are listed below, along with the descriptions and the default values.
+
+`database_host_authentification`: PostgreSQL user/host connection file (Optional)
+```
+database_host_authentification:
+  - method: peer
+    type: local
+  - address: 127.0.0.1/32
+    type: hostssl
+  - address: ::1/128
+    type: hostssl
+  - database: replication
+    method: peer
+    type: local
+  - address: 127.0.0.1/32
+    database: replication
+    type: hostssl
+  - address: ::1/128
+    database: replication
+    type: hostssl
+```
+
+`database_conf`: PostgreSQL configuration key/values (Optional)
+```
+database_conf:
+  - content: ''
+    name: main
+```
+
+`database_databases`: Dictionnary of extra databases to deploy (with `name` and `owner` keys) (Optional)
+```
+database_databases: []
+```
+
+`database_password`: Password for the postgres admin account
+```
+database_password: "changeit"
+```
+
+`database_users`: Dictionnary of extra PostgreSQL users to deploy (with `name`, `password`, `db`, `priv` and `roles` keys) (Optional)
+```
+database_users: []
+```
+
+`database_role`: [HA only] Define database role on this host. Possible values: primary, standby or witness (Optional)
+```
+database_role: ""
+```
+
+`repmgr_conninfo`: [HA only] Conninfo parameter populated in the repmgr configuration file (Optional)
+```
+repmgr_conninfo: "host={{ ansible_default_ipv4.address }} dbname={{ repmgr_database }} user={{ repmgr_user }} connect_timeout={{ repmgr_timeout }}"
+```
+
+`repmgr_database`: [HA only] Name of the repmgr database (Optional)
+```
+repmgr_database: "repmgr"
+```
+
+`repmgr_password`: [HA only] Password of the repmgr DB user (Optional)
+```
+repmgr_password: ""
+```
+
+`repmgr_repha_port`: [HA only] Listening port for rephacheck (Optional)
+```
+repmgr_repha_port: 8543
+```
+
+`repmgr_roles`: [HA only] List of roles for the repmgr user PostgreSQL pg_hba configuration (Optional)
+```
+repmgr_roles: "LOGIN,REPLICATION,SUPERUSER"
+```
+
+`repmgr_timeout`: [HA only] Timeout value for the repmgr connections (Optional)
+```
+repmgr_timeout: 5
+```
+
+`repmgr_user`: [HA only] Username of the repmgr DB user (Optional)
+```
+repmgr_user: "repmgr"
+```
diff --git a/roles/postgres/defaults/main.yml b/roles/postgres/defaults/main.yml
index a23a4b63adf9b291cd8ab137d0177e9f7d468e54..b047120bc0228aaffcdeeda0c3993b8c6c7dbd2b 100644
--- a/roles/postgres/defaults/main.yml
+++ b/roles/postgres/defaults/main.yml
@@ -1,20 +1,13 @@
 ---
-pg_packages:
-  - acl
-  - postgresql
+database_password: "changeit"
+database_users: []
+database_databases: []
 
-pg_version: 13
-pg_cluster: main
-
-pg_password: "{{ envsetup_db_pg_root_pwd | d() }}"
-
-pg_conf_dir: /etc/postgresql/{{ pg_version }}/{{ pg_cluster }}
-
-pg_conf:
+database_conf:
   - name: main
     content:
 
-pg_hba:
+database_host_authentification:
   - type: local
     method: peer
   - type: hostssl
@@ -30,15 +23,4 @@ pg_hba:
   - type: hostssl
     database: replication
     address: ::1/128
-
-pg_users: []
-pg_databases: []
-pg_firewall_enabled: true
-pg_ferm_rules_filename: postgres
-pg_ferm_input_rules:
-  - proto:
-      - tcp
-    dport:
-      - 5432
-pg_ferm_output_rules: []
-pg_ferm_global_settings:
+...
diff --git a/roles/postgres/handlers/main.yml b/roles/postgres/handlers/main.yml
index 0d04643c9c1ead30c100dfa9f5094ab968846b9e..cd8a2b9634be7b4efd614ae558f96ba93f77ed21 100644
--- a/roles/postgres/handlers/main.yml
+++ b/roles/postgres/handlers/main.yml
@@ -1,5 +1,8 @@
 ---
+
 - name: restart postgresql
   ansible.builtin.systemd:
-    name: postgresql@{{ pg_version }}-{{ pg_cluster }}
+    name: postgresql@{{ database_version }}-{{ database_cluster }}
     state: restarted
+
+...
diff --git a/roles/postgres/meta/main.yml b/roles/postgres/meta/main.yml
index 471eb65e53129fb19aa41af0c049719b93c0ef91..aeda1603f3e8585771df98971308dde97f0e2972 100644
--- a/roles/postgres/meta/main.yml
+++ b/roles/postgres/meta/main.yml
@@ -1,3 +1,4 @@
 ---
 dependencies:
   - role: base
+...
diff --git a/roles/postgres/tasks/main.yml b/roles/postgres/tasks/main.yml
index b5a27803a867ade41359b6ecc75ee0597ba90949..56126dc2831eeecab4a0a4a053fa70e36bb87ca5 100644
--- a/roles/postgres/tasks/main.yml
+++ b/roles/postgres/tasks/main.yml
@@ -1,18 +1,10 @@
 ---
-- name: ansible postgresql requirements install
-  ansible.builtin.apt:
-    force_apt_get: true
-    install_recommends: false
-    name: python3-psycopg2
-  register: apt_status
-  retries: 60
-  until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
 
 - name: install packages
   ansible.builtin.apt:
     force_apt_get: true
     install_recommends: false
-    name: "{{ pg_packages }}"
+    name: "{{ database_packages }}"
   register: apt_status
   retries: 60
   until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
@@ -30,7 +22,7 @@
 
 - name: ensure conf directory exists
   ansible.builtin.file:
-    path: "{{ pg_conf_dir }}/conf.d"
+    path: "{{ database_conf_dir }}/conf.d"
     owner: postgres
     group: postgres
     state: directory
@@ -38,25 +30,17 @@
 
 - name: ensure conf directory is included
   ansible.builtin.replace:
-    path: "{{ pg_conf_dir }}/postgresql.conf"
+    path: "{{ database_conf_dir }}/postgresql.conf"
     backup: true
     regexp: ^#?include_dir = '[A-Za-z\.]+'(\s+.*)$
     replace: include_dir = 'conf.d'\1
 
-- name: change max connections value
-  ansible.builtin.replace:
-    path: "{{ pg_conf_dir }}/postgresql.conf"
-    backup: true
-    regexp: ^#?max_connections = [0-9]+
-    replace: max_connections = {{ pg_conf_max_connections }}
-  when: pg_conf_max_connections is defined
-
 - name: configure custom settings
   notify: restart postgresql
-  loop: "{{ pg_conf }}"
+  loop: "{{ database_conf }}"
   when: item.content | d(false)
   ansible.builtin.copy:
-    dest: "{{ pg_conf_dir }}/conf.d/{{ item.name }}.conf"
+    dest: "{{ database_conf_dir }}/conf.d/{{ item.name }}.conf"
     owner: postgres
     group: postgres
     backup: true
@@ -67,7 +51,7 @@
   notify: restart postgresql
   ansible.builtin.template:
     src: pg_hba.conf.j2
-    dest: "{{ pg_conf_dir }}/pg_hba.conf"
+    dest: "{{ database_conf_dir }}/pg_hba.conf"
     owner: postgres
     group: postgres
     mode: "0640"
@@ -75,7 +59,7 @@
 
 - name: ensure service is enabled and running
   ansible.builtin.systemd:
-    name: postgresql@{{ pg_version }}-{{ pg_cluster }}
+    name: postgresql@{{ database_version }}-{{ database_cluster }}
     enabled: true
     state: started
 
@@ -87,13 +71,13 @@
   no_log: true
   community.general.postgresql_user:
     name: postgres
-    password: "{{ pg_password | d(omit) }}"
+    password: "{{ database_password | d(omit) }}"
 
 - name: manage users
   become: true
   become_user: postgres
   no_log: true
-  loop: "{{ pg_users }}"
+  loop: "{{ database_users }}"
   community.general.postgresql_user:
     name: "{{ item.name }}"
     password: "{{ item.password | d(omit) }}"
@@ -102,7 +86,7 @@
     role_attr_flags: "{{ item.roles | d(omit) }}"
 
 - name: set .pgpass to allow passwordless connection
-  loop: "{{ query('nested', ['root', 'postgres'], pg_users) }}"
+  loop: "{{ query('nested', ['root', 'postgres'], database_users) }}"
   ansible.builtin.blockinfile:
     path: ~{{ item.0 }}/.pgpass
     block: "*:*:*:{{ item.1.name }}:{{ item.1.password }}"
@@ -117,22 +101,23 @@
 - name: create databases
   become: true
   become_user: postgres
-  loop: "{{ pg_databases }}"
-  postgresql_db:
+  loop: "{{ database_databases }}"
+  community.general.postgresql_db:
     name: "{{ item.name }}"
     owner: "{{ item.owner | d(omit) }}"
 
 # FIREWALL
 
 - name: firewall
-  when: pg_firewall_enabled
   vars:
-    ferm_rules_filename: "{{ pg_ferm_rules_filename }}"
-    ferm_input_rules: "{{ pg_ferm_input_rules }}"
-    ferm_output_rules: "{{ pg_ferm_output_rules }}"
-    ferm_global_settings: "{{ pg_ferm_global_settings }}"
+    ferm_rules_filename: "{{ database_ferm_rules_filename }}"
+    ferm_input_rules: "{{ database_ferm_input_rules }}"
+    ferm_output_rules: "{{ database_ferm_output_rules }}"
+    ferm_global_settings: "{{ database_ferm_global_settings }}"
   ansible.builtin.include_role:
     name: ferm-configure
 
 - name: flush handlers
   ansible.builtin.meta: flush_handlers
+
+...
diff --git a/roles/postgres/templates/pg_hba.conf.j2 b/roles/postgres/templates/pg_hba.conf.j2
index 4d5a5bc478978a21e390378ed47efa6b2f06034f..d84f82c149dce9df77653821d26180a2b53ecf82 100644
--- a/roles/postgres/templates/pg_hba.conf.j2
+++ b/roles/postgres/templates/pg_hba.conf.j2
@@ -3,7 +3,7 @@
 # PostgreSQL Client Authentication Configuration File
 # ===================================================
 
-{% for connection in pg_hba %}
+{% for connection in database_host_authentification %}
 {% if connection.comment is defined %}
 # {{ connection.comment }}
 {% endif %}
diff --git a/roles/postgres/vars/main.yml b/roles/postgres/vars/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..075892be9ce10ae8502d9440552ac5e89fb4e688
--- /dev/null
+++ b/roles/postgres/vars/main.yml
@@ -0,0 +1,19 @@
+---
+database_packages:
+  - acl
+  - postgresql
+  - python3-psycopg2 # required by ansible
+
+database_version: 15
+database_cluster: main
+database_conf_dir: /etc/postgresql/{{ database_version }}/{{ database_cluster }}
+
+database_ferm_rules_filename: postgres
+database_ferm_input_rules:
+  - proto:
+      - tcp
+    dport:
+      - 5432
+database_ferm_output_rules: []
+database_ferm_global_settings:
+...
diff --git a/roles/proxy/defaults/main.yml b/roles/proxy/defaults/main.yml
index 77cb8136d9678e2b4444ae8d02f8e081c3f1682e..a6c7f8e11039d889fadf7b21db8a7314cae8f835 100644
--- a/roles/proxy/defaults/main.yml
+++ b/roles/proxy/defaults/main.yml
@@ -1,11 +1,13 @@
 ---
-proxy_http: "{{ envsetup_proxy_http | d() }}"
-proxy_https: "{{ envsetup_proxy_https | d() }}"
+
+proxy_http: ""
+proxy_https: ""
 proxy_exclude:
   - localhost
   - 127.0.0.1
   - ::1
-  - "{{ envsetup_proxy_exclude | d() }}"
-  - "{{ envsetup_ms_server_name | d() }}"
-  - "{{ envsetup_monitor_server_name | d() }}"
-  - "{{ envsetup_cm_server_name | d() }}"
+  - nudgis.example.com
+  - mirismanager.example.com
+  - monitor.example.com
+
+...
diff --git a/roles/proxy/tasks/main.yml b/roles/proxy/tasks/main.yml
index 2c766899da6a0823c843d7c1f153e89bd5252bed..79d7549043f18ba8815609b2361fa78985fc68bd 100644
--- a/roles/proxy/tasks/main.yml
+++ b/roles/proxy/tasks/main.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: if proxy settings are set
   when:
     - proxy_http | d(false)
@@ -52,8 +53,10 @@
           value: "{{ proxy_http }}"
         - name: https.proxy
           value: "{{ proxy_https }}"
-      git_config:
+      community.general.git_config:
         name: "{{ item.name }}"
         scope: global
         value: "{{ item.value }}"
         state: present
+
+...
diff --git a/roles/shared/handlers/celerity.yml b/roles/shared/handlers/celerity.yml
new file mode 100644
index 0000000000000000000000000000000000000000..8b10bf7f7a1a79f73fe08402fe76727fcc32ce4e
--- /dev/null
+++ b/roles/shared/handlers/celerity.yml
@@ -0,0 +1,11 @@
+---
+- name: restart celerity-server
+  ansible.builtin.service:
+    name: celerity-server
+    state: restarted
+
+- name: restart celerity-workers
+  ansible.builtin.service:
+    name: celerity-workers
+    state: restarted
+...
diff --git a/roles/shared/tasks/celerity_base_config.yml b/roles/shared/tasks/celerity_base_config.yml
new file mode 100644
index 0000000000000000000000000000000000000000..fde98bae52859161bb826e0b2dfaf1f77519a587
--- /dev/null
+++ b/roles/shared/tasks/celerity_base_config.yml
@@ -0,0 +1,40 @@
+---
+
+- name: copy celerity example configuration
+  notify: "restart {{ _celerity_service }}"
+  ansible.builtin.copy:
+    remote_src: true
+    src: /etc/celerity/config.example.py
+    dest: /etc/celerity/config.py
+    mode: preserve
+    force: false
+
+- name: celerity base configuration
+  notify: "restart {{ _celerity_service }}"
+  ansible.builtin.replace:
+    path: /etc/celerity/config.py
+    regexp: '^(\s*)#?{{ item.name }}\s*=.*$'
+    replace: '\1{{ item.name }} = {{ item.value }}'
+  loop:
+    - { name: 'SERVER_URL',  value: '"https://{{ celerity_server_domain }}:6200"' } # noqa: yaml[commas]
+    - { name: 'SIGNING_KEY', value: '"{{ celerity_signing_key }}"' }
+  when: item.value != "" and item.value != '""'
+
+- name: celerity add nudgis portal
+  notify: "restart {{ _celerity_service }}"
+  ansible.builtin.command:
+    cmd: >
+      celerity-configurator add-portal
+        'ms_id=1_{{ nudgis_front_system_user }}'
+        'url=https://{{ nudgis_front_domain }}'
+        'api_key={{ nudgis_front_api_key }}'
+  register: celerity_add_portal
+  changed_when: celerity_add_portal.stdout != 'The configuration file is already up to date.'
+
+- name: "ensure {{ _celerity_service }} is running"
+  ansible.builtin.service:
+    name: "{{ _celerity_service }}"
+    enabled: true
+    state: started
+
+...
diff --git a/roles/sysconfig/README.md b/roles/sysconfig/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..f571c53d81c7357a6a423eac0419596aefec76a8
--- /dev/null
+++ b/roles/sysconfig/README.md
@@ -0,0 +1,59 @@
+# Sysconfig
+
+## Role Variables
+
+Available variables are listed below, along with the descriptions and the default values.
+
+`offline_mode`: Do not configure any repository and use local repository (Optional)
+```
+offline_mode: False
+```
+
+`repos_release`: Debian distribution short name (example: "bullseye") (Optional)
+```
+repos_release: "{{ ansible_distribution_release }}"
+```
+
+`repos_debian_prefix`: Prefix of the debian repositories, with the protocol (example: "http://"). Used when the apt-cacher-ng of the Nudgis Manager proxifies the debian repositories. (Optional)
+```
+repos_debian_prefix: "http://"
+```
+
+`init_locale`: Value for the system locale (Optional)
+```
+init_locale: "en_GB.UTF-8"
+```
+
+`ntp_servers`: List of NTP servers to use on the systems (Optional)
+```
+ntp_servers:
+  - 0.debian.pool.ntp.org
+  - 1.debian.pool.ntp.org
+  - 2.debian.pool.ntp.org
+  - 3.debian.pool.ntp.org
+```
+
+`repos_ubicast_packages_token`: Token used in the UbiCast debian repository URL
+```
+repos_ubicast_packages_token: "XXXX-XXXX-XXXX-XXXX-XXXX"
+```
+
+`repos_ubicast_packages_domain`: Domain of the UbiCast debian packages repository URL (Optional)
+```
+repos_ubicast_packages_domain: "manager.example.com"
+```
+
+`init_timezone`: Timezone to set on the servers (`timedatectl list-timezones` for the complete list) (Optional)
+```
+init_timezone: "Europe/Paris"
+```
+
+`repos_debian_packages_domain`: Domain to use for the Debian repositories (Optional)
+```
+repos_debian_packages_domain: "deb.debian.org"
+```
+
+`repos_debian_security_packages_domain`: Domain to use for the Debian security repositories (Optional)
+```
+repos_debian_security_packages_domain: "security.debian.org"
+```
diff --git a/roles/sysconfig/defaults/main.yml b/roles/sysconfig/defaults/main.yml
index e2277cd094fbe161fd02d284793ccf476868af59..c75c20c193dede3f791592508b26bcecd7189ffe 100644
--- a/roles/sysconfig/defaults/main.yml
+++ b/roles/sysconfig/defaults/main.yml
@@ -1,49 +1,14 @@
 ---
-repos_prefix: "{{ envsetup_apt_cache_url | d('http://', true) }}"
-repos_deb: deb.debian.org
-repos_deb_sec: security.debian.org
-repos_release: "{{ ansible_distribution_release }}"
-
-repos_skyreach_token: "{{ envsetup_skyreach_apt_token | d('') }}"
-repos_skyreach_host: "{{ envsetup_skyreach_host | d('mirismanager.ubicast.eu', true) }}"
 
-sysconfig_packages:
-  - openssh-server
-  - bash-completion
-  - man
-  - sudo
-  - vim
-  - ifupdown
-  - lm-sensors
-  - smartmontools
-  - curl
-  - host
-  - htop
+offline_mode: false
 
-sysconfig_firewall_enabled: true
-sysconfig_ferm_rules_filename: sysutils
-sysconfig_ferm_input_rules:
-  # munin
-  - proto:
-      - tcp
-    dport:
-      - 4949
-  # cockpit
-  - proto:
-      - tcp
-    dport:
-      - 9090
-sysconfig_ferm_output_rules: []
-sysconfig_ferm_global_settings:
-locale_packages:
-  - locales
-  - tzdata
-
-init_locale: "{{ envsetup_locale | d('C.UTF-8', true) }}"
+repos_release: "{{ ansible_distribution_release }}"
+repos_ubicast_packages_domain: "manager.example.com"
+repos_ubicast_packages_token: "XXXX-XXXX-XXXX-XXXX-XXXX"
 
-init_timezone: "{{ envsetup_timezone | d('Etc/UTC', true) }}"
+init_locale: 'en_GB.UTF-8'
+init_timezone: "Europe/Paris"
 
-sysconfig_logs_packages:
-  - rsyslog
+ntp_servers: "0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org"
 
-ntp_servers: "{{ envsetup_ntp_server | d('0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org', true) }}"
+...
diff --git a/roles/sysconfig/handlers/main.yml b/roles/sysconfig/handlers/main.yml
index fbb96d462b417d204f62da5edf5dd8caa542c8c1..fdd91e45e7e7bd9ad76b881ed1622b753e8450f5 100644
--- a/roles/sysconfig/handlers/main.yml
+++ b/roles/sysconfig/handlers/main.yml
@@ -34,7 +34,7 @@
 
 - name: restart ntp
   ansible.builtin.service:
-    name: ntp
+    name: systemd-timesyncd
     state: restarted
 
 - name: update cache
@@ -45,3 +45,4 @@
   register: apt_status
   retries: 60
   until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
+...
diff --git a/roles/sysconfig/tasks/locale.yml b/roles/sysconfig/tasks/locale.yml
index 250b143ba9f70980130452d981b08cdd72629cb1..2edcf1bd690995bf5964c752f13417b7a4a687ee 100644
--- a/roles/sysconfig/tasks/locale.yml
+++ b/roles/sysconfig/tasks/locale.yml
@@ -1,4 +1,5 @@
 ---
+
 - name: install locale packages
   ansible.builtin.apt:
     force_apt_get: true
@@ -10,7 +11,7 @@
 
 - name: generate locale
   when: init_locale != 'C.UTF-8'
-  locale_gen:
+  community.general.locale_gen:
     name: "{{ init_locale }}"
 
 - name: set locale
@@ -31,7 +32,18 @@
     backrefs: true
     line: \1
 
-- name: set timezone
-  notify: restart cron
-  timezone:
+- name: set timezone (part.1)
+  # in order to execute cron task at new set timezone
+  # TODO: fix when there is no cron service
+  # notify: restart cron
+  community.general.timezone:
     name: "{{ init_timezone }}"
+
+- name: set timezone (part.2)
+  # https://unix.stackexchange.com/questions/451709/timedatectl-set-timezone-doesnt-update-etc-timezone
+  # timedatectl do not update the /etc/timzone file...
+  ansible.builtin.command:
+    cmd: dpkg-reconfigure --frontend noninteractive tzdata
+  changed_when: false
+
+...
diff --git a/roles/sysconfig/tasks/logs.yml b/roles/sysconfig/tasks/logs.yml
index 1c9aa618d43bce5395f7b7ce39ff2c34f482742d..d56e8541ac1ff87725a2b0f99c6b9c820a080031 100644
--- a/roles/sysconfig/tasks/logs.yml
+++ b/roles/sysconfig/tasks/logs.yml
@@ -1,21 +1,7 @@
 ---
-- name: install logs packages
-  ansible.builtin.apt:
-    force_apt_get: true
-    install_recommends: false
-    name: "{{ sysconfig_logs_packages }}"
-  register: apt_status
-  retries: 60
-  until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
-
-- name: start rsyslog
-  ansible.builtin.systemd:
-    name: rsyslog
-    enabled: true
-    state: started
-
 - name: ensure journald logs persistence is enabled
   ansible.builtin.file:
     path: /var/log/journal
     state: directory
     mode: "755"
+...
diff --git a/roles/sysconfig/tasks/main.yml b/roles/sysconfig/tasks/main.yml
index f88f8f65bf1d03826351152cb919c077987a366d..928c2cfcd9c26cbfb2c4ef9361c95319f08b90e2 100644
--- a/roles/sysconfig/tasks/main.yml
+++ b/roles/sysconfig/tasks/main.yml
@@ -42,7 +42,7 @@
     force_apt_get: true
     install_recommends: false
     name: "{{ sysconfig_packages }}"
-    state: latest
+    state: present
   register: apt_status
   retries: 60
   until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
@@ -69,7 +69,7 @@
     force_apt_get: true
     install_recommends: false
     name: unattended-upgrades
-    state: latest
+    state: present
   register: apt_status
   retries: 60
   until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
@@ -112,7 +112,7 @@
   ansible.builtin.replace:
     dest: /etc/ssh/sshd_config
     regexp: ^#?PermitRootLogin.*
-    replace: PermitRootLogin without-password
+    replace: PermitRootLogin prohibit-password
   notify: restart sshd
 
 - name: remove disabled root login
@@ -134,18 +134,6 @@
     dest: /etc/issue
     mode: "644"
 
-# FIREWALL
-
-- name: firewall
-  when: sysconfig_firewall_enabled
-  vars:
-    ferm_rules_filename: "{{ sysconfig_ferm_rules_filename }}"
-    ferm_input_rules: "{{ sysconfig_ferm_input_rules }}"
-    ferm_output_rules: "{{ sysconfig_ferm_output_rules }}"
-    ferm_global_settings: "{{ sysconfig_ferm_global_settings }}"
-  ansible.builtin.include_role:
-    name: ferm-configure
-
 - name: LOGS
   ansible.builtin.include_tasks: logs.yml
 
@@ -154,3 +142,5 @@
 
 - name: NTP
   ansible.builtin.include_tasks: ntp.yml
+
+...
diff --git a/roles/sysconfig/tasks/ntp.yml b/roles/sysconfig/tasks/ntp.yml
index 7337589475859de2622a4165c3a10aa65a78ae0f..4724f0174904ec246f16a48e8996ba3601eef492 100644
--- a/roles/sysconfig/tasks/ntp.yml
+++ b/roles/sysconfig/tasks/ntp.yml
@@ -1,35 +1,27 @@
 ---
-- name: gathering services
-  ansible.builtin.service_facts:
-- name: ntp disable systemd-timesyncd service
-  notify: restart ntp
-  ansible.builtin.systemd:
-    name: systemd-timesyncd
-    enabled: false
-    daemon_reload: true
-    state: stopped
-  when: ('systemd-timesyncd.service' in ansible_facts.services) and (ansible_facts.services['systemd-timesyncd.service'].status != 'not-found')
 
-- name: ntp install
-  ansible.builtin.apt:
-    force_apt_get: true
-    install_recommends: false
-    name: ntp
-    state: present
-  register: apt_status
-  retries: 60
-  until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
+- name: verify systemd-timesyncd presence
+  ansible.builtin.stat:
+    path: /etc/systemd/timesyncd.conf
+  register: timesyncd_config
 
-- name: ntp config
-  notify: restart ntp
-  ansible.builtin.template:
-    backup: true
-    src: ntp.conf.j2
-    dest: /etc/ntp.conf
-    mode: "644"
+- name: verify ntp variable
+  when:
+    - timesyncd_config.stat.exists
+    - ntp_servers is defined
+    - ntp_servers | type_debug == 'list'
+    - ntp_servers | length > 0
+  block:
+    - name: configure systemd-timesyncd
+      notify: restart ntp
+      ansible.builtin.replace:
+        path: /etc/systemd/timesyncd.conf
+        regexp: '^(\s*)#?{{ item.name }}\s*=.*$'
+        replace: '\1{{ item.name }}={{ item.value }}'
+      loop:
+        - { name: 'NTP', value: '{{ ntp_servers | join(" ") }}' }
+      when:
+        - item.value != ""
+        - item.value != '""'
 
-- name: ensure ntp is running
-  ansible.builtin.service:
-    name: ntp
-    enabled: true
-    state: started
+...
diff --git a/roles/sysconfig/tasks/repos.yml b/roles/sysconfig/tasks/repos.yml
index 31b417ad55adbb5be1361e0afad19c744efd5d09..5ad425446ccab65e73c47250b25a8914471964eb 100644
--- a/roles/sysconfig/tasks/repos.yml
+++ b/roles/sysconfig/tasks/repos.yml
@@ -1,75 +1,53 @@
 ---
-- name: debian 10 apt repo sources list
-  when:
-    - not offline_mode | d(false)
-    - ansible_distribution == 'Debian'
-    - ansible_distribution_major_version == '10'
-  notify: update cache
-  ansible.builtin.copy:
-    dest: /etc/apt/sources.list
-    mode: "644"
-    content: |
-      deb {{ repos_prefix }}{{ repos_deb }}/debian {{ repos_release }} main contrib non-free
-      deb {{ repos_prefix }}{{ repos_deb }}/debian {{ repos_release }}-updates main contrib non-free
-      deb {{ repos_prefix }}{{ repos_deb_sec }}/debian-security {{ repos_release }}/updates main contrib non-free
 
-- name: debian 11 apt repo sources list
+- name: configure UbiCast repositories
   when:
     - not offline_mode | d(false)
     - ansible_distribution == 'Debian'
-    - ansible_distribution_major_version == '11'
-  notify: update cache
-  ansible.builtin.copy:
-    dest: /etc/apt/sources.list
-    mode: "644"
-    content: |
-      deb {{ repos_prefix }}{{ repos_deb }}/debian {{ repos_release }} main contrib non-free
-      deb {{ repos_prefix }}{{ repos_deb }}/debian {{ repos_release }}-updates main contrib non-free
-      deb {{ repos_prefix }}{{ repos_deb_sec }}/debian-security {{ repos_release }}-security main contrib non-free
+  block:
+    - name: "Install repos packages"
+      ansible.builtin.apt:
+        force_apt_get: true
+        install_recommends: false
+        name: "{{ sysconfig_repos_packages }}"
+      register: apt_status
+      retries: 60
+      until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
 
-- name: add ubicast apt repo key
-  when: not offline_mode | d(false)
-  ansible.builtin.apt_key:
-    url: https://{{ repos_skyreach_host }}/media/public.gpg
+    - name: "Ensure {{ sysconfig_repos_keyrings_dir }} directory exist"
+      ansible.builtin.file:
+        path: "{{ sysconfig_repos_keyrings_dir }}"
+        state: directory
+        mode: "755"
 
-- name: add ubicast apt repo
-  when:
-    - not offline_mode | d(false)
-    - repos_skyreach_token | d(false)
-    - ansible_distribution == 'Debian'
-    - ansible_distribution_major_version == '10'
-  ansible.builtin.apt_repository:
-    repo: deb https://{{ repos_skyreach_host }} packaging/apt/{{ repos_skyreach_token }}/
-    filename: ubicast
-    update_cache: true
+    - name: "Add UbiCast repository public key"
+      ansible.builtin.get_url:
+        url: "https://{{ repos_ubicast_packages_domain }}/media/public.gpg"
+        dest: "{{ sysconfig_repos_keyrings_dir }}/{{ repos_ubicast_packages_domain }}.asc"
+        mode: "644"
 
-- name: add ubicast apt repo
-  when:
-    - not offline_mode | d(false)
-    - repos_skyreach_token | d(false)
-    - ansible_distribution == 'Debian'
-    - ansible_distribution_major_version == '11'
-  ansible.builtin.apt_repository:
-    repo: deb https://{{ repos_skyreach_host }} packaging/apt/{{ repos_skyreach_token }}/bullseye/
-    filename: ubicast
-    update_cache: true
+    - name: "Add UbiCast repository public key"
+      ansible.builtin.get_url:
+        url: "https://{{ repos_ubicast_packages_domain }}/media/public.gpg"
+        dest: "{{ sysconfig_repos_keyrings_dir }}/{{ repos_ubicast_packages_domain }}.asc"
+        mode: "644"
 
-- name: add ubicast security apt repo
-  when:
-    - not offline_mode | d(false)
-    - ansible_distribution == 'Debian'
-    - ansible_distribution_major_version == '10'
-  ansible.builtin.apt_repository:
-    repo: deb https://{{ repos_skyreach_host }} packaging/apt/ubicast-security-updates/
-    filename: ubicast-secu
-    update_cache: true
+    - name: "Add UbiCast security repository"
+      ansible.builtin.deb822_repository:
+        name: "ubicast-security"
+        types: "deb"
+        uris: "https://{{ repos_ubicast_packages_domain }}"
+        suites: "packaging/apt/ubicast-security-updates/{{ repos_release }}/"
+        signed_by: "{{ sysconfig_repos_keyrings_dir }}/{{ repos_ubicast_packages_domain }}.asc"
 
-- name: add ubicast security apt repo
-  when:
-    - not offline_mode | d(false)
-    - ansible_distribution == 'Debian'
-    - ansible_distribution_major_version == '11'
-  ansible.builtin.apt_repository:
-    repo: deb https://{{ repos_skyreach_host }} packaging/apt/ubicast-security-updates/bullseye/
-    filename: ubicast-secu
-    update_cache: true
+    - name: "Add UbiCast solutions repository"
+      when:
+        - repos_ubicast_packages_token | d(false)
+      ansible.builtin.deb822_repository:
+        name: "ubicast"
+        types: "deb"
+        uris: "https://{{ repos_ubicast_packages_domain }}"
+        suites: "packaging/apt/{{ repos_ubicast_packages_token }}/{{ repos_release }}/"
+        signed_by: "{{ sysconfig_repos_keyrings_dir }}/{{ repos_ubicast_packages_domain }}.asc"
+
+...
diff --git a/roles/sysconfig/vars/main.yml b/roles/sysconfig/vars/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..8ecbba9223998a99b811aa1cdd0a0a49f590ab0f
--- /dev/null
+++ b/roles/sysconfig/vars/main.yml
@@ -0,0 +1,23 @@
+---
+sysconfig_packages:
+  - openssh-server
+  - bash-completion
+  - man
+  - sudo
+  - vim
+  - ifupdown
+  - lm-sensors
+  - smartmontools
+  - curl
+  - host
+  - htop
+
+locale_packages:
+  - locales
+  - tzdata
+
+sysconfig_repos_packages:
+  - python3-debian
+
+sysconfig_repos_keyrings_dir: '/usr/local/share/keyrings'
+...
diff --git a/roles/sysuser/README.md b/roles/sysuser/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..6af64d18990acc98eb9b1c08977f1cb123e08e3e
--- /dev/null
+++ b/roles/sysuser/README.md
@@ -0,0 +1,20 @@
+# Sysuser
+
+## Role Variables
+
+Available variables are listed below, along with the descriptions and the default values.
+
+`offline_mode`: Do not configure any ubicast ssh public key (Optional)
+```
+offline_mode: False
+```
+
+`sysuser_ubicast_password`: Password for the system user ubicast
+```
+sysuser_ubicast_password: "changeit"
+```
+
+`sysuser_admin_password`: Password for the system user admin
+```
+sysuser_admin_password: "changeit"
+```
diff --git a/roles/sysuser/defaults/main.yml b/roles/sysuser/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..bdfb1e2146353286e16ce2b841a1cd074759dedb
--- /dev/null
+++ b/roles/sysuser/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+offline_mode: false
+sysuser_ubicast_password: "changeit"
+sysuser_admin_password: "changeit"
+...
diff --git a/roles/users/files/.bashrc b/roles/sysuser/files/.bashrc
similarity index 100%
rename from roles/users/files/.bashrc
rename to roles/sysuser/files/.bashrc
diff --git a/roles/users/files/.vimrc b/roles/sysuser/files/.vimrc
similarity index 100%
rename from roles/users/files/.vimrc
rename to roles/sysuser/files/.vimrc
diff --git a/roles/users/handlers/main.yml b/roles/sysuser/handlers/main.yml
similarity index 93%
rename from roles/users/handlers/main.yml
rename to roles/sysuser/handlers/main.yml
index 77e6bcc744a0cf82fbc11b2a7293ff4c5a6c65c3..cbc6f332ac43dd2b59fe05cc1eadd3472a872924 100644
--- a/roles/users/handlers/main.yml
+++ b/roles/sysuser/handlers/main.yml
@@ -1,5 +1,8 @@
 ---
+
 - name: restart sshd
   ansible.builtin.service:
     name: sshd
     state: restarted
+
+...
diff --git a/roles/sysuser/tasks/copy_dotfiles.yml b/roles/sysuser/tasks/copy_dotfiles.yml
new file mode 100644
index 0000000000000000000000000000000000000000..6c153ae1af527868c435095d45cb25fd0c353f6f
--- /dev/null
+++ b/roles/sysuser/tasks/copy_dotfiles.yml
@@ -0,0 +1,13 @@
+---
+- name: "({{ item }}) copy .bashrc"
+  ansible.builtin.copy:
+    src: .bashrc
+    dest: ~{{ item }}/.bashrc
+    mode: "644"
+
+- name: "({{ item }}) copy .vimrc"
+  ansible.builtin.copy:
+    src: .vimrc
+    dest: ~{{ item }}/.vimrc
+    mode: "644"
+...
diff --git a/roles/sysuser/tasks/create_user.yml b/roles/sysuser/tasks/create_user.yml
new file mode 100644
index 0000000000000000000000000000000000000000..d3dabe8422b41d66b533313a7a8bd5eb423a61ca
--- /dev/null
+++ b/roles/sysuser/tasks/create_user.yml
@@ -0,0 +1,27 @@
+---
+
+- name: "({{ item }}) create user group"
+  ansible.builtin.group:
+    name: "{{ item }}"
+    state: present
+
+- name: "({{ item }}) create user"
+  ansible.builtin.user:
+    name: "{{ item }}"
+    group: "{{ item }}"
+    shell: /bin/bash
+    generate_ssh_key: true
+    ssh_key_type: ed25519
+    ssh_key_file: .ssh/id_ed25519
+    append: true
+    groups:
+      - sudo
+    state: present
+
+- name: "({{ item }}) set password"
+  ansible.builtin.user:
+    name: "{{ item }}"
+    password: "{{ lookup('vars', 'sysuser_' + item + '_password') | password_hash('sha512', 'ubicastsalt') }}"
+    update_password: always
+
+...
diff --git a/roles/sysuser/tasks/main.yml b/roles/sysuser/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..190d1d60533b70965ff4e2302442b28676f999d4
--- /dev/null
+++ b/roles/sysuser/tasks/main.yml
@@ -0,0 +1,35 @@
+---
+
+- name: create users
+  ansible.builtin.include_tasks: create_user.yml
+  loop:
+    - ubicast
+    - admin
+
+- name: copy dotfiles
+  ansible.builtin.include_tasks: copy_dotfiles.yml
+  loop:
+    - ubicast
+    - admin
+    - root
+
+- name: sudoers without password
+  ansible.builtin.copy:
+    dest: /etc/sudoers.d/nopasswd
+    validate: visudo -cf %s
+    mode: "440"
+    content: |
+      %sudo ALL=(ALL) NOPASSWD: ALL
+
+- name: install ubicast ssh access
+  when: not offline_mode | d(false)
+  ansible.builtin.apt:
+    force_apt_get: true
+    install_recommends: false
+    name: "{{ users_packages }}"
+    state: present
+  register: apt_status
+  retries: 60
+  until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
+
+...
diff --git a/roles/sysuser/vars/main.yml b/roles/sysuser/vars/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..b12bf3b90e2609b45888c1f11b895eda80f16ca0
--- /dev/null
+++ b/roles/sysuser/vars/main.yml
@@ -0,0 +1,5 @@
+---
+users_packages:
+  - ubicast-ssh-access-manager
+  - ubicast-ssh-access-support
+...
diff --git a/roles/tester/README.md b/roles/tester/README.md
new file mode 100644
index 0000000000000000000000000000000000000000..057e22315f1028c549e87d25e854d89cab665fd6
--- /dev/null
+++ b/roles/tester/README.md
@@ -0,0 +1,33 @@
+# Tester
+
+The tester group is used to configure all hosts with the UbiCast tester solution  
+ * In a standard and HA Ubicast case, the hosts are all those that compose the UbiCast platform
+
+## Role Variables
+
+Available variables are listed below, along with the descriptions and the default values.
+
+`tester_system_name`: Name of the system in the reports (Optional)
+```
+tester_system_name: "{{ inventory_hostname }}"
+```
+
+`tester_email_admin`: UbiCast admin reciever of the email report for premiums
+```
+tester_email_admin: "sysadmin+premium@ubicast.eu"
+```
+
+`tester_email_from`: Sender of the email report (Optional)
+```
+tester_email_from: "ubicast.tester"
+```
+
+`tester_email_to`: Reciever of the email report
+```
+tester_email_to: "example@example.com"
+```
+
+`tester_tests_ignored`: List of tests to ignore when executing the ubicast-tester (Optional)
+```
+tester_tests_ignored: []
+```
diff --git a/roles/tester/defaults/main.yml b/roles/tester/defaults/main.yml
index 342a1b6d9454002491a89257275a7d4e4eb1a443..347a1bbe461df3169a0ddb9e9a3d33def037837a 100644
--- a/roles/tester/defaults/main.yml
+++ b/roles/tester/defaults/main.yml
@@ -1,26 +1,19 @@
 ---
 
-# Packages needed for the UbiCast tester installation
-tester_packages:
-  - ubicast-env
-  - ubicast-tester
-  - ubicast-tester-nudgis
-  - ubicast-tester-system
-
 # Name of the system in the reports
-# tester_system_name: "hostname"
+tester_system_name: "{{ inventory_hostname }}"
 
 # Sender of the email report
-# tester_email_from: "ubicast.tester"
+tester_email_from: "ubicast.tester"
 
 # Reciever of the email report
-# tester_email_to: "customer@email.com"
+tester_email_to: "example@example.com"
 
 # UbiCast admin reciever of the email report for premiums
-# tester_email_admin: "sysadmin+premium@ubicast.eu"
+tester_email_admin: "sysadmin+premium@ubicast.eu"
 
 # List of tests to ignore when executing the ubicast-tester
-# tester_tests_ignored:
+tester_tests_ignored: []
 #   - ntp.sh
 #   - email.sh
 
diff --git a/roles/tester/tasks/main.yml b/roles/tester/tasks/main.yml
index fb923d7eafebc0e1930c7f6bb1f75ccda1f90fe2..093a88bf059a590eeece290c7418bd8c7a211656 100644
--- a/roles/tester/tasks/main.yml
+++ b/roles/tester/tasks/main.yml
@@ -5,7 +5,7 @@
     force_apt_get: true
     install_recommends: false
     name: "{{ tester_packages }}"
-    state: latest
+    state: present
   register: apt_status
   retries: 60
   until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)
@@ -16,10 +16,10 @@
     regexp: '^(\s*)#?{{ item.name }}:(\s*).*$'
     replace: '\1{{ item.name }}:\2{{ item.value }}'
   loop:
-    - { name: 'name', value: '"{{ tester_system_name | d() }}"' }
-    - { name: 'from', value: '"{{ tester_email_from | d() }}"' }
-    - { name: 'to', value: '"{{ tester_email_to | d() }}"' }
-    - { name: 'admin', value: '"{{ tester_email_admin | d() }}"' }
+    - { name: 'name',    value: '"{{ tester_system_name | d() }}"' } # noqa: yaml[commas]
+    - { name: 'from',    value: '"{{ tester_email_from | d() }}"' }  # noqa: yaml[commas]
+    - { name: 'to',      value: '"{{ tester_email_to | d() }}"' }    # noqa: yaml[commas]
+    - { name: 'admin',   value: '"{{ tester_email_admin | d() }}"' } # noqa: yaml[commas]
     - { name: 'ignored', value: '{{ tester_tests_ignored | d() }}' }
   when: item.value != "" and item.value != '""'
 
diff --git a/roles/tester/vars/main.yml b/roles/tester/vars/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..10375a5b3425e856a516ef768f184cf707ddb978
--- /dev/null
+++ b/roles/tester/vars/main.yml
@@ -0,0 +1,6 @@
+---
+tester_packages:
+  - ubicast-tester
+  - ubicast-tester-nudgis
+  - ubicast-tester-system
+...
diff --git a/roles/users/defaults/main.yml b/roles/users/defaults/main.yml
deleted file mode 100644
index 5af3f048635067201b41ed9db69f70830147a0b1..0000000000000000000000000000000000000000
--- a/roles/users/defaults/main.yml
+++ /dev/null
@@ -1,11 +0,0 @@
----
-users:
-  - name: ubicast
-    passwd: "{{ envsetup_shell_ubicast_pwd | password_hash('sha512', 'ubicastsalt') }}"
-  - name: admin
-    passwd: "{{ envsetup_shell_admin_pwd | password_hash('sha512', 'ubicastsalt') }}"
-
-users_ssh_authorized_keys:
-  - "{{ envsetup_ssh_allowed_keys | d('') }}"
-
-users_root_change: true
diff --git a/roles/users/tasks/main.yml b/roles/users/tasks/main.yml
deleted file mode 100644
index 271a3936c8d7ee37108f2113ff210a98e34eb5e0..0000000000000000000000000000000000000000
--- a/roles/users/tasks/main.yml
+++ /dev/null
@@ -1,86 +0,0 @@
----
-- name: create users groups
-  loop: "{{ users }}"
-  ansible.builtin.group:
-    name: "{{ item.name }}"
-    state: present
-
-- name: create users
-  loop: "{{ users }}"
-  ansible.builtin.user:
-    name: "{{ item.name }}"
-    group: "{{ item.name }}"
-    shell: /bin/bash
-    generate_ssh_key: true
-    ssh_key_type: ed25519
-    ssh_key_file: .ssh/id_ed25519
-    append: true
-    groups:
-      - sudo
-    state: present
-
-- name: set users passwords
-  loop: "{{ users }}"
-  ansible.builtin.user:
-    name: "{{ item.name }}"
-    password: "{{ item.passwd }}"
-    update_password: always
-
-- name: copy .bashrc
-  loop: "{{ users }}"
-  ansible.builtin.copy:
-    src: .bashrc
-    dest: ~{{ item.name }}/.bashrc
-    mode: "644"
-
-- name: copy .vimrc
-  loop: "{{ users }}"
-  ansible.builtin.copy:
-    src: .vimrc
-    dest: ~{{ item.name }}/.vimrc
-    mode: "644"
-
-- name: copy .bashrc for root
-  when: users_root_change
-  ansible.builtin.copy:
-    src: .bashrc
-    dest: ~root/.bashrc
-    mode: "644"
-
-- name: copy .vimrc for root
-  when: users_root_change
-  ansible.builtin.copy:
-    src: .vimrc
-    dest: ~root/.vimrc
-    mode: "644"
-
-- name: set users allowed ssh keys
-  loop: "{{ users | product(users_ssh_authorized_keys) | list }}"
-  ansible.posix.authorized_key:
-    user: "{{ item[0].name }}"
-    key: "{{ item[1] }}"
-
-- name: set root allowed ssh keys
-  loop: "{{ users_ssh_authorized_keys }}"
-  ansible.posix.authorized_key:
-    user: root
-    key: "{{ item }}"
-
-- name: sudoers without password
-  ansible.builtin.copy:
-    dest: /etc/sudoers.d/nopasswd
-    validate: visudo -cf %s
-    mode: "440"
-    content: |
-      %sudo ALL=(ALL) NOPASSWD: ALL
-
-- name: install ubicast ssh access
-  when: not offline_mode | d(false)
-  ansible.builtin.apt:
-    force_apt_get: true
-    install_recommends: false
-    name: ubicast-ssh-access
-    state: latest
-  register: apt_status
-  retries: 60
-  until: apt_status is success or ('Failed to lock apt for exclusive operation' not in apt_status.msg and '/var/lib/dpkg/lock' not in apt_status.msg)