diff --git a/installing/debootstrap_ordis_portables.sh b/installing/debootstrap_ordis_portables.sh index a5dd8a5..aa29e15 100755 --- a/installing/debootstrap_ordis_portables.sh +++ b/installing/debootstrap_ordis_portables.sh @@ -74,6 +74,9 @@ usage[I]="Interractive mode. Ask questions if needed." varia[I]=interractive interractive=false +usage[D]="Data Device. Will be encrypted." +varia[D]=data_device +data_device= . driglibash-args @@ -181,7 +184,7 @@ echo "$repos" >> "$mnt/etc/apt/sources.list" run chroot "$mnt" < "$mnt/etc/locale.gen" chroot_run locale-gen +if [ -n "$data_device" ] ; then + section "Mounting data dir" + cryptsetup create --type plain dmcrypt-jeancloud "$data_device" +fi + section "Configuring new system" uuid=$(blkid | grep "$root_device" | cut -d ' ' -f 2) @@ -201,10 +209,12 @@ line_in_file "proc /proc proc defaults" "$mnt/etc/fstab" # Set hostname run echo "$hostname" > "$mnt/etc/hostname" +# Prenvent suspend on lid close +line_in_file HandleLidSwitch=ignore /etc/systemd/logind.conf + # Fix path and remove noisy beep run cat > "$mnt/root/.bashrc" <> "$mnt/etc/inputrc" @@ -253,7 +263,7 @@ if [ -n "$(ls -A $secret_dir)" ]; then #die "Secret dir '$secret_dir' is not empty" yell "Secret dir is not empty. May erase key." fi -run export HOSTNAME="$hostname" && ssh-keygen -b 4096 -f "$secret_dir/id_rsa" -P '' +run export HOSTNAME="$hostname" && ssh-keygen -b 4096 -f "$secret_dir/id_rsa" -P '' -C "access@$hostname" run mkdir -p "$mnt/root/.ssh/" cat "$secret_dir/id_rsa.pub" >> "$mnt/root/.ssh/authorized_keys" chroot_run systemctl enable ssh diff --git a/provisioning/roles/deploy_all/files/bin/deploy_service.sh b/provisioning/roles/deploy_all/files/bin/deploy_service.sh new file mode 100755 index 0000000..4bc0e29 --- /dev/null +++ b/provisioning/roles/deploy_all/files/bin/deploy_service.sh 
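Review bot: `cryptsetup create --type plain dmcrypt-jeancloud "$data_device"` in the new "Mounting data dir" block opens the device in plain dm-crypt mode, which has no header, no salt and no KDF: the key is a single hash of whatever passphrase is typed, and a mistyped passphrase yields a garbage mapping instead of an error. Unless plain mode is a deliberate choice, `cryptsetup luksFormat "$data_device"` followed by `cryptsetup open "$data_device" dmcrypt-jeancloud` gives passphrase verification and a real KDF (`cryptsetup create` is also the deprecated spelling of `cryptsetup open --type plain`). The block only opens the mapping — nothing in the hunk formats, mounts or records it in the new system's crypttab/fstab — so either the section title or the body is incomplete, and the command is the only step in the hunk not wrapped in `run`.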
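Review bot: `line_in_file HandleLidSwitch=ignore /etc/systemd/logind.conf` edits the build host's logind.conf, not the system being installed; every other path in this hunk is prefixed with `$mnt` (`"$mnt/etc/hostname"`, `"$mnt/root/.bashrc"`, `"$mnt/etc/inputrc"`), so this should read `line_in_file HandleLidSwitch=ignore "$mnt/etc/systemd/logind.conf"`. The comment above it also has a typo: `# Prevent suspend on lid close`.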
@@ -0,0 +1,156 @@ +#!/bin/bash +. driglibash-base +. /etc/jeancloud.env + +set -euo pipefail + +noreload=false +deploy=true +if [ "$#" -ge 2 ] && [ "$2" = noreload ] ; then + noreload=true +elif [ "$#" -ge 3 ] && [ "$3" = undeploy ] ; then + deploy=false +else + die "Usage: $0 [no]reload [un]deploy" +fi + + +if [ -d "/docker/$1" ] ; then + service="$1" +elif [ -d "$1" ] && [[ "$service" = /docker/* ]] ; then + service="$(basename "$1")" +else + die "/docker/$service not found" +fi + +if [ ! -d "$new_nginx_conf_path" ] ; then + die "Can’t deploy service in degraded state. $new_nginx_conf_path dir is missing, please run deployer.sh first" +fi + + +docker_service="$(echo "$service" | tr '.' '_')" +driglibash_section_prefix="[$service] " + +cd "/docker/$service" +[ -f .env ] && . .env + + +############################################################################### +# Useful directories +############################################################################### + +if "$deploy" ; then + mkdir -p "$DATA_DIR" "$HTTP_DIR" + # Try running podman as non-root first… + chown www-data:www-data -R "$HTTP_DIR" +else + [ -d "$HTTP_DIR" ] && rm -r "$HTTP_DIR" +fi + + +############################################################################### +# Run scripts +############################################################################### + +if "$deploy" ; then + [ -x deploy.sh ] && ./deploy.sh + [ -x deploy_http.sh ] && sudo -u www-data ./deploy_http.sh +else + [ -x undeploy.sh ] && ./undeploy.sh +fi + + +############################################################################### +# Docker containers +############################################################################### + +# If there is a docker-compose file and it has services in it +if [ -f "/docker/$service/docker-compose.yml" ] && [ -n "$(grep '^[^#]*services' "/docker/$service/docker-compose.yml")" ] ; then + section "-------------------- $service" + if $deploy ; then + section "Logging to registry" + 
# XXX Login to docker registry + + section "Pulling images" + run docker-compose pull + + section "Starting service" + run docker-compose up -d --remove-orphans + else + section "Removing containers" + docker-compose down --rmi all --remove-orphans + fi +fi + +if ! "$deploy" ; then + section "Remove stray containers" + while read container ; do + echo "Removing $container" + run docker rm "$container" + done <<< "$(docker ps | grep "$docker_service" | cut -d ' ' -f 1)" +fi + + + +############################################################################### +# wireguard interface +############################################################################### + +# If there is a wireguard vpn script +for file in $( find "/docker/$service" -name "wg-*.sh") ; do + section "Managing wg interface $(basename "$file")" + if [ -x "$file" ] ; then + wgif="$(basename "$file")" + wgif="${wgif:3:-3}" + "$file" $wgif > "/etc/wireguard/$wgif.conf" + if "$deploy" ; then + systemctl enable "wg-quick@$wgif" + startwg.sh "$wgif" + else + if [ -z "$(ip a | grep "$wgif")" ] ; then + wg-quick down "$wgif" + fi + fi + fi +done + + +############################################################################### +# Nginx conf +############################################################################### + +# If there is a nginx conf file +if [ -f "/docker/$service/nginx_server.conf" ] ; then + section "Copy nginx conf" + run cp "/docker/$service/nginx_server.conf" "$new_nginx_conf_path/$service" + + section "Template nginx conf with vars from '.env' file" + run template.sh "/docker/$service/.env" < "/docker/$service/nginx_server.conf" > "$new_nginx_conf_path/$service" +fi + +# Do we need dummy cert? +if [ ! 
-e "$certs_path/$service/fullchain.pem" ] ; then + section "Create cert dir" + run mkdir -p "$certs_path/$service" + + section "Link dummy to cert" + run ln -s "$dummy_cert_path/fullchain.pem" "$certs_path/$service" + run ln -s "$dummy_cert_path/privkey.pem" "$certs_path/$service" +fi + +section "Testing nginx conf" +run nginx -t -c /etc/nginx/new_nginx.conf + +if [ "$noreload" == false ] ; then + restart_nginx.sh +fi + +section "Cleaning" +if [ -z "$(ls -A "$DATA_DIR")" ] ; then + run rmdir "$DATA_DIR" +fi +if [ -z "$(ls -A "$HTTP_DIR")" ] ; then + run rmdir "$HTTP_DIR" +fi + + diff --git a/provisioning/roles/deploy_all/files/bin/deployer.sh b/provisioning/roles/deploy_all/files/bin/deployer.sh index 0d6e11e..d2577ab 100755 --- a/provisioning/roles/deploy_all/files/bin/deployer.sh +++ b/provisioning/roles/deploy_all/files/bin/deployer.sh 
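Review bot: In the wireguard section's undeploy branch, `wg-quick down "$wgif"` only runs when `[ -z "$(ip a | grep "$wgif")" ]` is true, i.e. when the interface is already absent, so an interface that is actually up is never torn down; the test should be `-n`, and `systemctl disable "wg-quick@$wgif"` belongs next to it to mirror the `enable` in the deploy branch. The argument parsing at the top never reaches `undeploy` when `$2` is `noreload`, and `elif [ -d "$1" ] && [[ "$service" = /docker/* ]]` reads `$service` before it is assigned (under `set -u` this aborts before the `die "/docker/$service not found"` message is reached); it presumably meant `"$1"`. Separately, `for file in $( find "/docker/$service" -name "wg-*.sh")` word-splits the paths and recurses into the whole service tree, where the glob `"/docker/$service/"wg-*.sh` used by the code this replaces did not, and `while read container` should be `read -r`.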
@@ -4,51 +4,29 @@ driglibash_run_retry=true . driglibash-base set -euo pipefail +run gen_env.sh + ############################################################################### # Variables ############################################################################### -proxy_dir="/etc/nginx" -nginx_conf_path="$proxy_dir/sites-enabled" -new_nginx_conf_path="$proxy_dir/new-sites-enabled" +export proxy_dir="/etc/nginx" +export nginx_conf_path="$proxy_dir/sites-enabled" +export new_nginx_conf_path="$proxy_dir/new-sites-enabled" -certs_path="/etc/letsencrypt/live" -dummy_cert_path="$certs_path/dummy" +export certs_path="/etc/letsencrypt/live" +export dummy_cert_path="$certs_path/dummy" ############################################################################### # Helpers ############################################################################### -# Returns the public IP4 address of a domain name -function ipof { - resolv.sh "$1" -} - -function jcservice { - if [ "$#" -ne 2 ] ; then - echo "usage: $0 " - echo "action is start/stop/reload/restart" - echo "service is a jc service name" - exit 1 - fi - action="$1" - service="$2" - if [ -f "/docker/$service/install.sh" ] ; then - section "Running install script" - . "/docker/$service/install.sh" - # Is $action a bash function? - if [ -n "$(LC_ALL=C type "$action" | head -n 1 | grep 'function')" ] ; then - "$action" - fi - unset -f start stop reload restart "$action" - fi -} - # Path to this directory here="$(where 'follow_links')" # Ip4 address -my_ip="$(ipof "$(cat /etc/hostname)")" +#my_ip="$(resolv.sh "$(cat /etc/hostname)")" +my_ip="$(curl -4 ifconfig.me 2>/dev/null)" [ -z "$my_ip" ] && yell "Unable to find my IP" && exit 1 
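Review bot: `my_ip="$(curl -4 ifconfig.me 2>/dev/null)"` fetches, over plaintext HTTP from a third party, the value that later decides which services this host deploys, and nothing checks that the response body is an address, so an intercepting proxy or an HTML error page becomes the "IP" used for matching. Under `set -e` a failing curl also aborts the script at the assignment itself, which makes the `yell "Unable to find my IP"` on the next line unreachable. Suggest `curl -4 -sSf https://ifconfig.me` (or deriving the address locally from the interface) followed by `[[ "$my_ip" =~ ^[0-9]+(\.[0-9]+){3}$ ]] || die "Unable to find my IP: '$my_ip'"`. The loop that consumes `my_ip` is in a later hunk of this file.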
@@ -57,7 +35,7 @@ my_ip="$(ipof "$(cat /etc/hostname)")" ############################################################################### driglibash_section_prefix="[Prepare nginx] " -section "Delete new conf directory (to recover)" +section "Delete new conf directory (to start from scratch)" run rm -rf "$new_nginx_conf_path" section "Create new conf file (for tests purposes)" 
@@ -85,121 +63,22 @@ run mkdir -p "$new_nginx_conf_path" # Deploy services ############################################################################### +section "Start docker" +run systemctl start docker docker.socket + +section "Deploy mandatory services" +deploy_service.sh deployer.jean-cloud.org noreload + for dir in /docker/* ; do service="$(basename "$dir")" # Ignore _ prefixed directories [ "${service::1}" == '_' ] && continue [ ! -d "$dir" ] && continue - - docker_service="$(echo "$service" | tr '.' '_')" - driglibash_section_prefix="[$service] " - export DATA_DIR="/data/$service" - export HTTP_DIR="/srv/http/$service" - export JC_SERVICE="$service" - line_in_file "HTTP_DIR='$HTTP_DIR'" "/docker/$service/.env" - line_in_file "DATA_DIR='$DATA_DIR'" "/docker/$service/.env" - line_in_file "JC_SERVICE='$JC_SERVICE'" "/docker/$service/.env" - - cd "/docker/$service" - - # Is service meant to be on this server? - ip="$(ipof "$service")" - [ -z "$ip" ] && echo "No ip found for $service" - - if [[ "$ip" != *"$my_ip"* ]] ; then - if [ -n "$(docker ps | grep "$docker_service")" ] ; then - section "--------------------" - section "Removing service" - docker-compose down --rmi all --remove-orphans - [ -d "$HTTP_DIR" ] && rm -r "$HTTP_DIR" - fi - - jcservice stop "$service" - - # TODO check for leftover wg interfaces - continue - fi - - mkdir -p "$DATA_DIR" "$HTTP_DIR" - - - # If there is a docker-compose file and it has services in it - if [ -f "/docker/$service/docker-compose.yml" ] && [ -n "$(grep '^[^#]*services' "/docker/$service/docker-compose.yml")" ] ; then - section "-------------------- $service" - - section "Logging to registry" - # XXX Login to docker registry - - section "Pulling images" - run docker-compose pull - - section "Starting service" - run docker-compose up -d --remove-orphans - fi - - jcservice start "$service" - - - # If there is a wireguard vpn script - for file in "/docker/$service/"wg-*.sh ; do - section "Starting wg interface" - if [ -x 
"$file" ] ; then - wgif="$(basename "$file")" - wgif="${wgif:3:-3}" - "$file" $wgif > "/etc/wireguard/$wgif.conf" - systemctl enable "wg-quick@$wgif" - startwg.sh $wgif - fi - done - - - # If there is a nginx conf file - if [ -f "/docker/$service/nginx_server.conf" ] ; then - section "Copy nginx conf" - run cp "/docker/$service/nginx_server.conf" "$new_nginx_conf_path/$service" - - section "Template nginx conf with vars from '.env' file" - run template.sh "/docker/$service/.env" < "/docker/$service/nginx_server.conf" > "$new_nginx_conf_path/$service" - fi - - # Do we need dummy cert? - if [ ! -e "$certs_path/$service/fullchain.pem" ] ; then - section "Create cert dir" - run mkdir -p "$certs_path/$service" - - section "Link dummy to cert" - run ln -s "$dummy_cert_path/fullchain.pem" "$certs_path/$service" - run ln -s "$dummy_cert_path/privkey.pem" "$certs_path/$service" - fi - - section "Testing nginx conf" - run nginx -t -c /etc/nginx/new_nginx.conf + [[ "$(resolv.sh $service)" != *$my_ip* ]] && continue + deploy_service.sh "$service" "noreload" done -############################################################################### -# Nginx restart -############################################################################### - -driglibash_section_prefix="[Restart nginx] " - -section "Test if nginx conf is ok" -run nginx -t -c "$proxy_dir/new_nginx.conf" - -section "Update nginx conf" -run rm -rf "$nginx_conf_path" -run mv "$new_nginx_conf_path" "$nginx_conf_path" -run cp "/docker/_proxy/nginx.conf" "$proxy_dir/nginx.conf" - -section "Test nginx conf to be sure" -run nginx -t - -if [ -z "$(cat /var/run/nginx.pid)" ] ; then - section "Start nginx" - run nginx -else - section "Reload nginx" - run nginx -s reload -fi +restart_nginx.sh clean diff --git a/provisioning/roles/deploy_all/files/bin/driglibash-base b/provisioning/roles/deploy_all/files/bin/driglibash-base index d9bb9ea..5f7d430 100755 --- a/provisioning/roles/deploy_all/files/bin/driglibash-base 
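Review bot: Services whose name no longer resolves to this host are now skipped with `continue`, whereas the removed block stopped their containers, removed `$HTTP_DIR` and called `jcservice stop`; a service that migrates elsewhere therefore keeps running here until something else cleans it up, even though deploy_service.sh gained an undeploy mode in this same commit. Consider calling that mode instead of `continue` (with whatever argument order deploy_service.sh ends up accepting). `resolv.sh $service` and `*$my_ip*` drop the quoting the old line had — `[[ "$(resolv.sh "$service")" != *"$my_ip"* ]]` — and the glob remains a substring test, so an address such as `1.2.3.4` also matches `11.2.3.45`. `restart_nginx.sh clean` passes an argument that restart_nginx.sh, as added in this diff, never reads.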
+++ b/provisioning/roles/deploy_all/files/bin/driglibash-base @@ -48,11 +48,11 @@ section(){ fi repeat '=' "$left" + echo -ne " $text " if [ "$right" -ge 1 ] ; then - echo -ne " $text " repeat '=' "$right" - echo fi + echo if "$driglibash_step_by_step" ; then echo "Press enter to proceed" diff --git a/provisioning/roles/deploy_all/files/bin/gen_env.sh b/provisioning/roles/deploy_all/files/bin/gen_env.sh new file mode 100755 index 0000000..24c4db2 --- /dev/null +++ b/provisioning/roles/deploy_all/files/bin/gen_env.sh @@ -0,0 +1,28 @@ +#!/bin/bash +set -euo pipefail + +. driglibash-base + +JC_ENV=/etc/jeancloud.env + +certs_path=/etc/letsencrypt/live +proxy_dir=/etc/nginx + +cat > "$JC_ENV" < " + echo "action is start/stop/reload/restart" + echo "service is a jc service name" + exit 1 +fi +action="$1" +service="$2" +if [ -f "/docker/$service/install.sh" ] ; then + section "Running install script" + . "/docker/$service/install.sh" + # Is $action a bash function? + if [ -n "$(LC_ALL=C type "$action" | head -n 1 | grep 'function')" ] ; then + (source "/docker/$service/.env" && "$action") + else + die "$0 no action $action found for service $service" + fi +fi diff --git a/provisioning/roles/deploy_all/files/bin/restart_nginx.sh b/provisioning/roles/deploy_all/files/bin/restart_nginx.sh new file mode 100755 index 0000000..843581d --- /dev/null +++ b/provisioning/roles/deploy_all/files/bin/restart_nginx.sh @@ -0,0 +1,24 @@ +#!/bin/bash +. driglibash-base +. /etc/jeancloud.env + +driglibash_section_prefix="[Restart nginx] " + +section "Test if nginx conf is ok" +run nginx -t -c "$proxy_dir/new_nginx.conf" + +section "Update nginx conf" +run rm -rf "$nginx_conf_path" +run cp -r "$new_nginx_conf_path" "$nginx_conf_path" +run cp "/docker/_proxy/nginx.conf" "$proxy_dir/nginx.conf" + +section "Test nginx conf to be sure" +run nginx -t + +if [ -z "$(cat /var/run/nginx.pid)" ] ; then + section "Start nginx" + run nginx +else + section "Reload nginx" + run nginx -s reload +fi 
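Review bot: `run rm -rf "$nginx_conf_path"` deletes the live nginx configuration using a variable that comes only from the sourced `/etc/jeancloud.env`, and unlike deploy_service.sh and gen_env.sh this script sets no `set -euo pipefail`; if the env file is missing or stale the variable is empty and the following `cp -r` fails after the old directory is already gone. Use `"${nginx_conf_path:?}"` and `"${new_nginx_conf_path:?}"` on the `rm` and `cp` lines, and add `set -euo pipefail` after the shebang so a failed `nginx -t` stops the script before it touches the live directory (`run` may already abort on failure — it is defined in driglibash-base, outside this diff). `[ -z "$(cat /var/run/nginx.pid)" ]` also prints an error on stderr when nginx has never run; `[ ! -s /var/run/nginx.pid ]` tests the same condition quietly.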
diff --git a/provisioning/roles/deploy_all/files/bind/db.etrevivant.net b/provisioning/roles/deploy_all/files/bind/db.etrevivant.net index b33a5cb..c991d10 100644 --- a/provisioning/roles/deploy_all/files/bind/db.etrevivant.net +++ b/provisioning/roles/deploy_all/files/bind/db.etrevivant.net @@ -1,6 +1,6 @@ $TTL 604800 -@ IN SOA max.jean-cloud.org. contact.jean-cloud.org. ( - 2023062300 ; Serial +@ IN SOA tetede.jean-cloud.org. contact.jean-cloud.org. ( + 2023082700 ; Serial 7200 ; Refresh 7200 ; Retry 2419200 ; Expire @@ -23,6 +23,8 @@ _dmarc 86400 IN TXT v=DMARC1; p=quarantine; ; web -@ IN A 51.255.33.248 -@ IN A 82.65.204.254 +@ IN A 51.195.40.128 +@ IN A 109.18.84.200 +www IN A 51.195.40.128 +www IN A 109.18.84.200 diff --git a/provisioning/roles/deploy_all/files/bind/db.jean-cloud.net b/provisioning/roles/deploy_all/files/bind/db.jean-cloud.net index 81407b9..29cbd4a 100644 --- a/provisioning/roles/deploy_all/files/bind/db.jean-cloud.net +++ b/provisioning/roles/deploy_all/files/bind/db.jean-cloud.net @@ -1,13 +1,13 @@ $TTL 604800 -@ IN SOA max.jean-cloud.org. contact.jean-cloud.org. ( - 2023061500 ; Serial +@ IN SOA tetede.jean-cloud.org. contact.jean-cloud.org. ( + 2023082700 ; Serial 7200 ; Refresh 7200 ; Retry 2419200 ; Expire 7200 ) ; Negative Cache TTL ; NS -@ IN NS max.jean-cloud.org. +;@ IN NS max.jean-cloud.org. @ IN NS tetede.jean-cloud.org. @ IN NS ns1.he.net. @ IN NS ns2.he.net. @@ -16,7 +16,7 @@ $TTL 604800 @ IN NS ns5.he.net. @ IN A 51.255.33.248 -@ IN A 82.65.204.254 +@ IN A 109.18.84.200 @ 10800 IN MX 10 spool.mail.gandi.net. @@ -26,7 +26,7 @@ $TTL 604800 ; Resolving nameserver ns2 IN A 51.255.33.248 -ns1 IN A 82.65.204.254 +;ns1 IN A 82.65.204.254 ;mail IN CNAME vandamme webmail IN CNAME vandamme 
@@ -49,8 +49,8 @@ tetede IN A 51.195.40.128 heart IN A 109.18.84.200 -max IN A 82.65.204.254 -max IN AAAA 2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97 +;max IN A 82.65.204.254 +;max IN AAAA 2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97 montbonnot IN A 188.114.97.2 montbonnot IN A 188.114.96.2 @@ -129,17 +129,18 @@ tracker IN CNAME tetede.jean-cloud.org. raplacgr IN CNAME tetede.jean-cloud.org. -walou IN CNAME dumbcluster.jean-cloud.org. - nc-backup IN CNAME blatte.jean-cloud.org. gypsy IN CNAME tetede.jean-cloud.org. shlago.wireguard.jean-cloud.net IN CNAME tetede.jean-cloud.org. -lexicographe IN CNAME max.jean-cloud.org. +lexicographe IN CNAME tetede.jean-cloud.org. chahut IN CNAME max.jean-cloud.org. www.chahut IN CNAME max.jean-cloud.org. wordpress.chahut IN CNAME max.jean-cloud.org. www.wordpress.chahut IN CNAME max.jean-cloud.org. +grapes.chahut IN CNAME max.jean-cloud.org. + +louixel IN CNAME raku.jean-cloud.org. diff --git a/provisioning/roles/deploy_all/files/bind/db.jean-cloud.org b/provisioning/roles/deploy_all/files/bind/db.jean-cloud.org index 96848ba..fe5a744 100644 --- a/provisioning/roles/deploy_all/files/bind/db.jean-cloud.org +++ b/provisioning/roles/deploy_all/files/bind/db.jean-cloud.org @@ -1,6 +1,6 @@ $TTL 604800 -@ IN SOA max.jean-cloud.org. contact.jean-cloud.org. ( - 2023061500 ; Serial +@ IN SOA tetede.jean-cloud.org. contact.jean-cloud.org. ( + 2023082700 ; Serial 604800 ; Refresh 86400 ; Retry 2419200 ; Expire @@ -9,12 +9,12 @@ $TTL 604800 @ IN NS max @ IN NS tetede +@ IN A 109.18.84.200 @ IN A 51.255.33.248 -@ IN A 82.65.204.254 ; NS ;ns1 IN CNAME vandamme -ns2 IN A 82.65.204.254 +;ns2 IN A 82.65.204.254 ns3 IN A 51.195.40.128 ; Mails @@ -46,8 +46,8 @@ tetede IN AAAA 2001:41d0:701:1100::31f heart IN A 109.18.84.200 -max IN A 82.65.204.254 -max IN AAAA 2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97 +max IN A 109.18.84.200 +;max IN AAAA 2a01:e0a:c9d:81d0:a2b3:ccff:fe85:af97 montbonnot IN A 188.114.97.2 montbonnot IN A 188.114.96.2 
@@ -55,3 +55,7 @@ montbonnot IN AAAA 2a06:98c1:3120::2 montbonnot IN AAAA 2a06:98c1:3121::2 blatte IN A 10.98.1.2 + + +;raku IN A 37.65.25.194 +raku IN AAAA 2a02:842a:39a:4d01:b283:feff:fe4c:5dee diff --git a/provisioning/roles/deploy_all/files/bind/db.karnaval.fr b/provisioning/roles/deploy_all/files/bind/db.karnaval.fr index 75a6cf9..4bab8d0 100644 --- a/provisioning/roles/deploy_all/files/bind/db.karnaval.fr +++ b/provisioning/roles/deploy_all/files/bind/db.karnaval.fr @@ -15,7 +15,7 @@ $TTL 604800 @ IN NS ns4.he.net. @ IN NS ns5.he.net. -@ IN A 82.65.204.254 +@ IN A 213.186.33.40 ;@ IN AAAA 2001:41d0:701:1100::31f @@ -23,6 +23,6 @@ $TTL 604800 ns1 IN A 51.255.33.248 ns2 IN A 172.104.154.21 -benevoles IN CNAME max.jean-cloud.org. -benevoles31 IN CNAME max.jean-cloud.org. +;benevoles IN CNAME max.jean-cloud.org. +;benevoles31 IN CNAME max.jean-cloud.org. diff --git a/provisioning/roles/deploy_all/files/bind/db.lalis.fr b/provisioning/roles/deploy_all/files/bind/db.lalis.fr deleted file mode 100644 index 35317e7..0000000 --- a/provisioning/roles/deploy_all/files/bind/db.lalis.fr +++ /dev/null @@ -1,15 +0,0 @@ -$TTL 604800 -@ IN SOA ns1.jean-cloud.net. contact.jean-cloud.org. ( - 2023042100 ; Serial - 604800 ; Refresh - 86400 ; Retry - 2419200 ; Expire - 7200 ) ; Negative Cache TTL (min before refresh) - -@ IN NS ns1.jean-cloud.net. -@ IN NS ns2.he.net. -@ IN NS ns3.he.net. -@ IN NS ns4.he.net. -@ IN NS ns5.he.net. - -@ IN A 51.255.33.248 diff --git a/provisioning/roles/deploy_all/files/bind/db.oma-radio.fr b/provisioning/roles/deploy_all/files/bind/db.oma-radio.fr index 23fcb7a..205422d 100644 --- a/provisioning/roles/deploy_all/files/bind/db.oma-radio.fr +++ b/provisioning/roles/deploy_all/files/bind/db.oma-radio.fr @@ -1,6 +1,6 @@ $TTL 604800 -@ IN SOA max.jean-cloud.org. contact.jean-cloud.org. ( - 2023060100 ; Serial +@ IN SOA tetede.jean-cloud.org. contact.jean-cloud.org. ( + 2023082700 ; Serial 604800 ; Refresh 7200 ; Retry 2419200 ; Expire 
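Review bot: db.karnaval.fr changes the apex A record and comments out two CNAMEs, but neither hunk touches the SOA serial — both sit below `$TTL 604800` and the file's first 14 lines are unchanged — whereas every other zone edited in this commit bumps its serial to `2023082700`. Secondary servers (the `ns*.he.net` NS set visible in the hunk context) only transfer a zone when the serial increases, so unless the serial is bumped outside this diff the new address will not propagate from them.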
@@ -8,7 +8,7 @@ $TTL 604800 ; NS -@ IN NS max.jean-cloud.org. +;@ IN NS max.jean-cloud.org. @ IN NS tetede.jean-cloud.org. diff --git a/provisioning/roles/deploy_all/files/bind/named.conf.local b/provisioning/roles/deploy_all/files/bind/named.conf.local index 70453a8..0e21805 100644 --- a/provisioning/roles/deploy_all/files/bind/named.conf.local +++ b/provisioning/roles/deploy_all/files/bind/named.conf.local @@ -58,11 +58,6 @@ zone "inurbe.fr"{ type master; file "/etc/bind/db.inurbe.fr"; }; -zone "lalis.fr"{ - allow-update { none; }; # We are primary DNS - type master; - file "/etc/bind/db.lalis.fr"; -}; zone "leida.fr"{ allow-update { none; }; # We are primary DNS type master; diff --git a/provisioning/roles/deploy_all/tasks/main.yml b/provisioning/roles/deploy_all/tasks/main.yml index a72b27d..33911b6 100644 --- a/provisioning/roles/deploy_all/tasks/main.yml +++ b/provisioning/roles/deploy_all/tasks/main.yml @@ -8,11 +8,16 @@ archive: false recursive: true + - name: Add binaries ansible.posix.synchronize: src: "{{ role_path }}/files/bin/" dest: "/usr/local/bin" +- name: Gen env vars + command: gen_env.sh + + - name: Add bind conf ansible.posix.synchronize: src: "{{ role_path }}/files/bind/" diff --git a/provisioning/roles/jean-cloud-common/tasks/main.yml b/provisioning/roles/jean-cloud-common/tasks/main.yml index 5b92dc9..b99751e 100644 --- a/provisioning/roles/jean-cloud-common/tasks/main.yml +++ b/provisioning/roles/jean-cloud-common/tasks/main.yml @@ -29,7 +29,7 @@ - name: Install some softwares apt: - name: ['bind9', 'certbot', 'curl', 'dnsutils', 'git', 'gnupg2', 'htop', 'netcat-openbsd', 'nginx', 'rsync', 'screen', 'sshfs', 'sudo', 'traceroute', 'vim', 'wget', 'zip'] + name: ['bind9', 'certbot', 'curl', 'dnsutils', 'git', 'gnupg2', 'htop', 'hugo', 'netcat-openbsd', 'nginx', 'podman', 'rclone', 'rsync', 'screen', 'sshfs', 'sudo', 'traceroute', 'vim', 'wget', 'zip'] state: latest # TODO disable certbot and certbot.timer services. We are using our own 
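Review bot: `command: gen_env.sh` runs on every play and always reports changed; at minimum give it `changed_when: false`, since gen_env.sh regenerates `/etc/jeancloud.env` unconditionally. That file is sourced by root-run scripts added in this commit (deploy_service.sh, restart_nginx.sh) and by the web-triggered server.sh, so its ownership and mode matter; a follow-up `file:` task on `/etc/jeancloud.env` with `owner: root`, `group: root`, `mode: '0644'` pins them regardless of the umask gen_env.sh ran under. The task is placed after `Add binaries` (which installs gen_env.sh into /usr/local/bin) and that ordering is required, so a short comment saying so would protect it from being reordered.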
@@ -40,6 +40,7 @@ state: directory with_items: - /docker + - /srv/http - /data - /etc/letsencrypt @@ -81,3 +82,12 @@ HISTTIMEFORMAT="%Y%m%d-%T " export HISTSIZE HISTFILESIZE HISTTIMEFORMAT + +- name : Disable docker service + service: + name: "{{ item }}" + state: stopped + enabled: false + with_items: + - docker + - docker.socket diff --git a/readme.md b/readme.md index acc1123..94b99d4 100644 --- a/readme.md +++ b/readme.md @@ -18,13 +18,16 @@ Le script deployer.sh va pour chaque service - Démarrer docker-compose si besoin - Copier le fichier nginx.conf dans sites-enabled si besoin (en remplaçant certaines variables) (en créant un faux certificat ssl si besoin) - Démarrer et activer une interface wg si un fichier `wg-*.conf` est présent. -- Exécuter le script install.sh du service s’il existe +- Exécuter le script deploy.sh du service s’il existe +- Exécuter le script deploy_http.sh en tant que www-data s’il existe. Ce script peut également être éxécuter par nginx pour mettre à jour le site web. Le script letsencrypt.sh va renouveler tous les certificats dont le serveur a besoin (il va lire dans /etc/nginx/sites-enabled). ## Variables Le script deployer.sh crée les variables - DATA_DIR : là où sauvegarder des données +- DOCKER_DIR : dossier contenant les fichiers de déploiement du service - HTTP_DIR : là où mettre les fichiers web si ils sont statiques. Ce dossier peut être détruit à tout moment, il n’est pas sauvegardé. - JC_SERVICE : le nom du dossier service. Correspond souvent à l’adresse du service. Ces variables sont ajoutées au ficher .env du service. (écrasées si existantes donc). + diff --git a/services/deployer.jean-cloud.org/deploy.sh b/services/deployer.jean-cloud.org/deploy.sh new file mode 100644 index 0000000..b910ecb --- /dev/null +++ b/services/deployer.jean-cloud.org/deploy.sh @@ -0,0 +1,2 @@ +#!/bin/bash +chmod +x server.sh 
diff --git a/services/deployer.jean-cloud.org/nginx.conf b/services/deployer.jean-cloud.org/nginx_server.conf similarity index 58% rename from services/deployer.jean-cloud.org/nginx.conf rename to services/deployer.jean-cloud.org/nginx_server.conf index 5ab23df..680ed5a 100644 --- a/services/deployer.jean-cloud.org/nginx.conf +++ b/services/deployer.jean-cloud.org/nginx_server.conf @@ -1,12 +1,15 @@ +limit_req_zone global zone=deployer_limit:100k rate=3r/m; + server { listen 443; listen [::]:443; server_name $SERVER_HOST; ssl_certificate /etc/letsencrypt/live/deployer.jean-cloud.org/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/deployer.jean-cloud.org/privkey.pem; - location /reload { - fastcgi_param SCRIPT_FILENAME /var/www/html/test.sh; + location / { + limit_req zone=deployer_limit; + include /etc/nginx/fastcgi_params; + fastcgi_param SCRIPT_FILENAME /docker/deployer.jean-cloud.org/server.sh; fastcgi_pass unix:/var/run/fcgiwrap.socket; } } - diff --git a/services/deployer.jean-cloud.org/server.sh b/services/deployer.jean-cloud.org/server.sh new file mode 100755 index 0000000..fb45b81 --- /dev/null +++ b/services/deployer.jean-cloud.org/server.sh @@ -0,0 +1,38 @@ +#!/bin/bash +echo "Content-type: text/html" +echo "" + +service="$(echo "$DOCUMENT_URI" | tr -d '/\;!&<>?#[]()"*')" +path="/docker/$service/deploy_http.sh" +. /etc/jeancloud.env + +echo 'Rechargement d’un site web' +echo '' +echo "
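Review bot: `location /` hands every request to `/docker/deployer.jean-cloud.org/server.sh` through fcgiwrap with `limit_req zone=deployer_limit` as the only control, and that script (added later in this diff) runs a per-service `deploy_http.sh` selected from the request URI; a rate limit bounds how often anonymous clients can trigger a deployment but does not decide who may. Consider restricting the location (`allow`/`deny` to the peer deployers' addresses, or an authentication mechanism) in addition to the limit. `limit_req_zone global …` uses the literal string `global` as the key, so the 3r/m budget is shared by all clients — presumably intended, but worth a comment, and without a `burst=` any second request within 20 s is rejected with 503. `listen 443;` still lacks the `ssl` parameter, so unless `ssl` is enabled at the http level elsewhere the certificate directives are inert and the socket speaks plaintext.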

Rechargement d’un site web : $service

" +echo "

Résultat local

" +if [ -x "$path" ] ; then + echo "
"
+	"$path"
+	ret="$?"
+	echo "
" + if [ "$ret" -ne 0 ] ; then + echo '

Une erreur a été détectée. Contactez Jean-Cloud.

' + else + while read ip ; do + echo curl http://deployer.jean-cloud.org/ --resolve "*:80:$ip" + if [ "$?" -eq 0 ] ; then + echo "$ip ok" + else + echo "$ip ERREUR" + fi + done < <(getent hosts deployer.jean-cloud.org | cut -d ' ' -f 1 | grep -v "$my_ip") + fi + + echo '

Les informations précédentes peuvent vous être utiles (erreurs dans un document, fichier absent…). Prenez le temps de les lire pour avoir un site dont toutes les pages fonctionnent !

' +else + echo "

Échec. Contactez Jean-Cloud

" +fi + +echo '' +echo ' + diff --git a/services/etrevivant.net/.env b/services/etrevivant.net/.env index 7d98583..817b5e9 100644 --- a/services/etrevivant.net/.env +++ b/services/etrevivant.net/.env @@ -1 +1,2 @@ GIT_SOURCE_REPO="https://git.jean-cloud.net/adrian/etrevivant" +CLOUD_LOCAL_PATH=content diff --git a/services/etrevivant.net/deploy_http.sh b/services/etrevivant.net/deploy_http.sh new file mode 100755 index 0000000..6be3832 --- /dev/null +++ b/services/etrevivant.net/deploy_http.sh @@ -0,0 +1,18 @@ +#!/bin/bash +set -euo pipefail + +. /docker/etrevivant.net/.env +. /data/etrevivant.net/.env +webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')" +webdav_user="$(echo "$NC_SHARE_LINK" |sed 's#.*/s/##')" +webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")" + +cd "$HTTP_DIR" +if [ -d .git ] ; then + git reset --hard origin/master + git pull --depth 1 --rebase +else + git clone --single-branch --depth 1 "$GIT_SOURCE_REPO" . +fi +rclone sync --webdav-url="$webdav_url" --webdav-user="$webdav_user" --webdav-pass="$webdav_pass" --webdav-vendor=nextcloud :webdav: content/ +hugo diff --git a/services/etrevivant.net/install.sh b/services/etrevivant.net/install.sh deleted file mode 100755 index 9c41c3a..0000000 --- a/services/etrevivant.net/install.sh +++ /dev/null @@ -1,25 +0,0 @@ -#!/bin/bash -set -euo pipefail - -start() { - . /docker/etrevivant.net/.env - . /data/etrevivant.net/.env - webdav_url="$(echo "$NC_SHARE_LINK" | sed 's#/s/.*#/public.php/webdav/#')" - webdav_user="$(echo "$NC_SHARE_LINK" |sed 's#.*/s/##')" - webdav_pass="$(rclone obscure "$NC_SHARE_PASSWORD")" - sudo -u www-data bash <
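Review bot: `echo curl http://deployer.jean-cloud.org/ --resolve "*:80:$ip"` prints the command instead of running it, so the following `$?` tests `echo` and every peer is reported `ok`; drop the `echo` and add `-sSf --max-time` so a hanging peer cannot stall the CGI response. `service="$(echo "$DOCUMENT_URI" | tr -d '/\;!&<>?#[]()"*')"` is a blacklist over request input that then selects the executable `path="/docker/$service/deploy_http.sh"`; an allowlist is the safer shape and sidesteps the `\;` sequence in tr's set, whose handling varies between tr implementations: `service="$(printf '%s' "$DOCUMENT_URI" | tr -cd 'A-Za-z0-9._-')"`. Since `$service` is also echoed into the HTML, the allowlist doubles as output escaping. `while read ip` should be `read -r`, and `$my_ip` comes from `/etc/jeancloud.env`, whose contents this diff does not show.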
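Review bot: `rclone sync … --webdav-pass="$webdav_pass"` puts the share password on the command line, where it is visible in the process list to other local users for the duration of the sync; `rclone obscure` is reversible obfuscation, not encryption, so this is the secret itself. rclone reads the same setting from the environment, so `RCLONE_WEBDAV_PASS="$webdav_pass" rclone sync …` without the flag keeps it out of argv, and the same applies to `--webdav-user`, which carries the share token. This script runs as www-data (`sudo -u www-data ./deploy_http.sh` in deploy_service.sh, and via the web-triggered server.sh), so `/data/etrevivant.net/.env` holding `NC_SHARE_PASSWORD` must be readable by the web user — worth a comment stating that and restricting the file's mode to that user. `git reset --hard origin/master` runs before `git pull`, so it resets to the last fetched ref rather than the current remote; `git fetch --depth 1 origin master && git reset --hard origin/master` states the intent directly.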