diff --git a/bitwarden/metadata.yml b/bitwarden/metadata.yml index 85d1599..d796d5e 100644 --- a/bitwarden/metadata.yml +++ b/bitwarden/metadata.yml @@ -1,6 +1,7 @@ description: Bitwarden Server #docker-image: bitwardenrs/server:1.22.2-alpine docker-image: docker.0k.io/bitwarden:1.22.2 +docker-image: vaultwarden/server:latest data-resources: - /data uses: diff --git a/keycloak/README.rst b/keycloak/README.rst new file mode 100644 index 0000000..7058548 --- /dev/null +++ b/keycloak/README.rst @@ -0,0 +1,32 @@ +Description +=========== + +Using ``keycloak`` version 17.0 + + +Usage +===== + +To start with ``keycloak``, just put this service in your +``compose.yml``:: + + keycloak: + options: + admin-password: CHANGEME + relations: + web-proxy: + frontend: + domain: id.mydomain.fr + +Customize theme +=============== + +You can customize theme by putting your theme in +``/srv/datastore/data/keycloak/opt/keycloak/themes`` + +For example copy the material folder from +https://github.com/MAXIMUS-DeltaWare/material-keycloak-theme and +restart ``keycloak``. + +Then go to your admin console, log in and go to the realm/themes part +to choose you new theme diff --git a/keycloak/build/Dockerfile b/keycloak/build/Dockerfile new file mode 100644 index 0000000..2fdd2cd --- /dev/null +++ b/keycloak/build/Dockerfile @@ -0,0 +1,12 @@ +FROM docker.0k.io/keycloak:17.0.1 as builder + +ENV KC_METRICS_ENABLED=true +ENV KC_FEATURES=token-exchange +ENV KC_DB=postgres +RUN /opt/keycloak/bin/kc.sh build + +FROM docker.0k.io/keycloak:17.0.0 +COPY --from=builder /opt/keycloak/lib/quarkus/ /opt/keycloak/lib/quarkus/ +WORKDIR /opt/keycloak +ENV KC_LOG_LEVEL=INFO +ENTRYPOINT ["/opt/keycloak/bin/kc.sh", "start"] diff --git a/keycloak/hooks/post_deploy b/keycloak/hooks/post_deploy deleted file mode 100755 index fa3546b..0000000 --- a/keycloak/hooks/post_deploy +++ /dev/null 
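Review bot: In `bitwarden/metadata.yml` the added `docker-image: vaultwarden/server:latest` sits directly under the still-active `docker-image: docker.0k.io/bitwarden:1.22.2`, so the mapping now has a duplicate key and which image is deployed depends on how the YAML loader resolves it. The new value also tracks the floating `:latest` tag from the public registry, whereas the other services on this page use a version-tagged image on `docker.0k.io`. For a password vault that means an unreviewed upstream push can change what runs on the next pull. I would comment out the old line and pin the new one, e.g. `docker-image: vaultwarden/server:<pinned-tag>`, ideally mirrored and referenced by digest.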
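Review bot: In `keycloak/build/Dockerfile` the builder stage starts from `docker.0k.io/keycloak:17.0.1` but the final stage starts from `docker.0k.io/keycloak:17.0.0`, so the output of `kc.sh build` copied from `/opt/keycloak/lib/quarkus/` is laid over a different release's distribution. Both `FROM` lines should carry the same tag (and `as builder` is conventionally written `AS builder`). `KC_METRICS_ENABLED=true` is baked in at build time; as far as I know this Keycloak line serves the metrics endpoint on the main HTTP listener, so it is worth confirming the web proxy does not publish that path. A short comment saying that `KC_DB` and `KC_FEATURES` are build-time options persisted by the builder stage would explain why they are not repeated in the final stage.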
@@ -1,37 +0,0 @@ -#!/bin/bash - -## Init is run on host -## For now it is run every time the script is launched, but -## it should be launched only once after build. - -## Accessible variables are: -## - SERVICE_NAME Name of current service -## - DOCKER_BASE_IMAGE Base image from which this service might be built if any -## - SERVICE_DATASTORE Location on host of the DATASTORE of this service -## - SERVICE_CONFIGSTORE Location on host of the CONFIGSTORE of this service - -PASSWORD_SET_CONTROL="$SERVICE_CONFIGSTORE/.password-set-control" - -set -e - -if [ -e "$PASSWORD_SET_CONTROL" ]; then - exit 0 -fi - -containers=($(get_running_containers_for_service "$SERVICE_NAME")) -if [ "${#containers[@]}" == 0 ]; then - err "no containers found for service ${DARKYELLOW}$SERVICE_NAME${NORMAL}" - exit 1 -fi - -## It is not possible at first glance to reset password, so we decided -## to set to admin/admin. This means it is important to change the -## admin password as soon as possible. - -## XXXvlab: taking the first container -container_id="${containers[0]}" -docker exec "$container_id" \ - /opt/jboss/keycloak/bin/add-user-keycloak.sh \ - -u "admin" -p "admin" -docker restart "$container_id" -mkdir -p "${PASSWORD_SET_CONTROL%/*}" && touch "$PASSWORD_SET_CONTROL" diff --git a/keycloak/hooks/postgres_database-relation-joined b/keycloak/hooks/postgres_database-relation-joined index 672cc74..1f5c177 100755 --- a/keycloak/hooks/postgres_database-relation-joined +++ b/keycloak/hooks/postgres_database-relation-joined @@ -10,9 +10,8 @@ config-add "\ services: $MASTER_BASE_SERVICE_NAME: environment: - DB_VENDOR: postgres - DB_ADDR: \"$MASTER_TARGET_SERVICE_NAME\" - DB_DATABASE: \"$DBNAME\" - DB_PASSWORD: \"$PASSWORD\" - DB_USER: \"$USER\" + KC_DB_URL: \"jdbc:postgresql://$MASTER_TARGET_SERVICE_NAME:5432/$DBNAME\" + KC_DB_USERNAME: \"$USER\" + KC_DB_PASSWORD: \"$PASSWORD\" + KC_DB: \"postgres\" " 
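Review bot: In `keycloak/hooks/postgres_database-relation-joined`, `$DBNAME`, `$USER` and `$PASSWORD` are expanded straight into double-quoted YAML scalars, and `$DBNAME` now also goes into the JDBC URL on the `KC_DB_URL` line, with no escaping. If the password generator (not visible in this hunk) can emit `"` or `\`, the compose fragment is corrupted or parsed with a different value, and a database name containing URL metacharacters would change the connection parameters. Either restrict these values to a safe alphabet where they are created or escape them before the `config-add` call, whose string starts outside this hunk. The port `5432` is hard-coded in the URL; a comment such as `## assumes the postgres service listens on the default port` would record that assumption.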
diff --git a/keycloak/hooks/web_proxy-relation-joined b/keycloak/hooks/web_proxy-relation-joined index 461a335..cb7bd03 100755 --- a/keycloak/hooks/web_proxy-relation-joined +++ b/keycloak/hooks/web_proxy-relation-joined @@ -1,11 +1,16 @@ #!/bin/bash +DOMAIN=$(relation-get domain) || exit 1 + set -e config-add "\ services: $MASTER_BASE_SERVICE_NAME: environment: - PROXY_ADDRESS_FORWARDING: \"true\" + KC_HOSTNAME: "$DOMAIN" + KC_PROXY: edge + KC_HTTP_ENABLED: \"true\" + KC_HOSTNAME_STRICT: \"false\" " diff --git a/keycloak/metadata.yml b/keycloak/metadata.yml index a2db5cb..9f3ad3f 100644 --- a/keycloak/metadata.yml +++ b/keycloak/metadata.yml @@ -1,4 +1,6 @@ -docker-image: docker.0k.io/keycloak:16.1.1 ## jboss/keycloak:16.1.1 + +data-resources: + - /opt/keycloak/themes default-options: diff --git a/mailhog/metadata.yml b/mailhog/metadata.yml new file mode 100644 index 0000000..824e02b --- /dev/null +++ b/mailhog/metadata.yml @@ -0,0 +1,31 @@ +docker-image: docker.0k.io/mailhog:1.0.1 ## from: mailhog/mailhog:v1.0.1 +data-resources: + - /home/mailhog + +default-options: + +uses: + web-proxy: + #constraint: required | recommended | optional + #auto: pair | summon | none ## default: pair + constraint: recommended + auto: pair + solves: + proxy: "Public access" + default-options: + target: !var-expand ${MASTER_BASE_SERVICE_NAME}:8025 + backup: + constraint: recommended + auto: pair + solves: + backup: "Automatic regular backup" + default-options: + ## First pattern matching wins, no pattern matching includes. + ## include-patterns are checked first, then exclude-patterns + ## Patterns rules: + ## - ending / for directory + ## - '*' authorized + ## - must start with a '/', will start from $SERVICE_DATASTORE + #exclude-patterns: + # - "/var/lib/odoo/sessions/" + diff --git a/monujo/lib/common b/monujo/lib/common index e0bd4a6..036f660 100644 --- a/monujo/lib/common +++ b/monujo/lib/common 
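Review bot: On the added `KC_HOSTNAME` line of `keycloak/hooks/web_proxy-relation-joined` the quotes are not escaped, unlike the `\"true\"` lines next to it, so `"$DOMAIN"` closes and reopens the shell string: the domain is expanded unquoted (subject to word splitting) and reaches the YAML as a bare scalar. Writing `KC_HOSTNAME: \"$DOMAIN\"` keeps it consistent with the other entries. With `KC_HOSTNAME` set, `KC_HOSTNAME_STRICT: \"false\"` looks unnecessary; it is the switch that lets the hostname be derived from request headers, so I would drop it unless the proxy is known to validate `Host`. `KC_PROXY: edge` makes Keycloak trust forwarded headers, which is only sound if the container is reachable solely through the web proxy, and that deserves a comment here.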
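Review bot: In the new `mailhog/metadata.yml` the `web-proxy` relation is `recommended` with `auto: pair` and is described as `proxy: "Public access"` to port 8025, but the MailHog web UI and API have no authentication unless it is configured. Unless the proxy adds access control (not visible here), every captured message, including password-reset links and tokens sent by the applications under test, becomes readable from the internet. I would either document that the proxy must enforce authentication or expose an option that wires up MailHog's own auth file (`MH_AUTH_FILE`). The commented `exclude-patterns` example still refers to `/var/lib/odoo/sessions/` and looks copied from another charm.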
@@ -11,61 +11,85 @@ monujo:code_init() { mkdir -p "$LOCATION" if dir_is_empty "$LOCATION"; then cd "$LOCATION" - wget -q "$SOURCE_URL" -O file.tar.bz2 - tar xjf file.tar.bz2 - rm file.tar.bz2 + info "First install, downloading '$SOURCE_URL'." + wget -q "$SOURCE_URL" -O file.tar.bz2 || { + err "Couldn't download '$SOURCE_URL'." + rm file.tar.bz2 + return 1 + } + tar xjf file.tar.bz2 && + rm file.tar.bz2 && chown root:root "$LOCATION" -R fi } +export MONUJO_OPTIONS=( + lokapi-host:string + lokapi-db:string + map-url:string + local-password-retention-time:numeric + theme:struct\* +) -monujo:code_config_base() { - - MONUJO_OPTIONS=( - lokapi-host:string - lokapi-db:string - map-url:string - local-password-retention-time:string - ) +export MONUJO_OPTIONS_CONCAT=" ${MONUJO_OPTIONS[*]} " - MONUJO_OPTIONS_CONCAT=" ${MONUJO_OPTIONS[*]} " +monujo:code_config_base() { + local service_def service_def=$(get_compose_service_def "$SERVICE_NAME") || return 1 - echo "{}" > "$CONFIGFILE" + options=$(e "$service_def" | shyaml get-value -y options) || true + + e "$options" | + monujo:json-make > "$CONFIGFILE" || { + err "Failed to make 'config.json'." + return 1 + } +} + +monujo:json-make() { + local conv="$1" key val ## XXXvlab: Should probably offer some lib to do this + local sep= while read-0 key val; do - key_option=${key//-/_} + key=$(e "$key" | shyaml get-value) case "$MONUJO_OPTIONS_CONCAT" in - *" ${key_option}:bool "*) + *" ${key}:bool "*) case "${val,,}" in true|ok|yes|y) - val=yes + val=true ;; false|ko|nok|no|n) - val=no + val=false ;; *) die "Invalid value for ${WHITE}$key$NORMAL, please use a boolean value." ;; esac ;; - *" ${key_option}:numeric "*) + *" ${key}:numeric "*) + val=$(e "$val" | shyaml get-value) if ! is_int "$val"; then - die "Invalid value for ${WHITE}$key$NORMAL, please use numeric value." + err "Invalid value for ${WHITE}$key$NORMAL, please use numeric value." 
+ return 1 fi ;; - *" ${key_option}:string "*) - : + *" ${key}:struct* "*) + val=$(e "$val" | monujo:json-make noconv) || return 1 ;; - *) - key_option=$(echo "$key_option" | sed 's/_\([a-z0-9]\)/\U\1/g') - printf "%s %s\0" "$key_option" "$val" + *" ${key}:struct "*) + val=$(e "$val" | monujo:json-make) || return 1 + ;; + *" ${key}:string "*|*) + val=$(e "$val" | shyaml get-value | jq -Rr tojson) ;; esac - done < <(printf "%s" "$service_def" | shyaml key-values-0 options) | - jq -R 'split("\u0000") | map(split(" ") | {key: .[0], value: .[1]}) | from_entries' > \ - "$CONFIGFILE" - + if [ -z "$conv" ]; then + key=$(echo "${key//-/_}" | sed 's/_\([a-z0-9]\)/\U\1/g') + fi + printf "$sep%s\0%s" "$key" "$val" + sep="\0\0" + done < <(shyaml key-values-0 -y) | + jq -sR 'split("\u0000\u0000") | map(split("\u0000") | {key: .[0], value: .[1] | fromjson}) | from_entries' } diff --git a/peertube/build/Dockerfile b/peertube/build/Dockerfile index 6dc1ff6..f1c5984 100644 --- a/peertube/build/Dockerfile +++ b/peertube/build/Dockerfile @@ -13,7 +13,7 @@ FROM common AS builder ## Download target release ## -ENV PEERTUBE_RELEASE=v3.3.0 +ENV PEERTUBE_RELEASE=v4.1.0 RUN apk add wget @@ -91,7 +91,10 @@ VOLUME /etc/peertube EXPOSE 9000 RUN apk add nodejs npm - +## needed for plugins install +RUN apk add yarn +## needed for live chat plugin +RUN apk add prosody ## runtime deps RUN apk add openssl diff --git a/peertube/build/docker-compose.yml b/peertube/build/docker-compose.yml index 1b0a28f..9dac879 100644 --- a/peertube/build/docker-compose.yml +++ b/peertube/build/docker-compose.yml @@ -1,4 +1,4 @@ -version: "3.3" +version: "4.1" services: diff --git a/postgres/hooks/postgres_database-relation-joined b/postgres/hooks/postgres_database-relation-joined index 5dfc31a..9c23f8b 100755 --- a/postgres/hooks/postgres_database-relation-joined +++ b/postgres/hooks/postgres_database-relation-joined 
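Review bot: In `monujo:json-make` (`monujo/lib/common`) the `while` loop is the left-hand side of a pipeline into `jq`, so the new `return 1` in the numeric branch and the `|| return 1` in the struct branches only end that subshell; unless `pipefail` is set outside this hunk, the function still returns jq's status and `monujo:code_config_base` writes a `config.json` that silently lacks the rejected option and everything after it. Checking the loop's status after the pipeline, e.g. `[[ "${PIPESTATUS[*]}" == "0 0" ]] || return 1`, would make the validation effective. Separately, in `monujo:code_init` a failed `tar xjf` leaves a partly populated `$LOCATION`, so the next run skips the download because the directory is no longer empty, and the archive from `$SOURCE_URL` is unpacked without any checksum verification. `options` in `monujo:code_config_base` is also assigned without `local`.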
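Review bot: The two added lines in the second `peertube/build/Dockerfile` hunk, `RUN apk add yarn` and `RUN apk add prosody`, each create a layer that keeps the apk index and install unpinned packages; `RUN apk add --no-cache yarn prosody` would do the same in one layer without the cache. They also put a package manager and an XMPP server into the runtime image, which enlarges what an attacker who compromises PeerTube or a plugin can use. The existing comments say why each is needed; it would help to extend them with which interface prosody is expected to listen on, since its configuration is not part of this hunk. The stage these lines belong to starts and ends outside the hunk.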
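Review bot: The change in `peertube/build/docker-compose.yml` from `version: "3.3"` to `version: "4.1"` looks like a side effect of replacing the PeerTube release number, because this key is the Compose file format version, not the application version. There is no 4.x Compose file format, so older `docker-compose` releases will reject the file, while newer ones ignore the field. I would restore `version: "3.3"`.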
@@ -51,8 +51,15 @@ ensure_db_docker_running ## XXXvlab: should send all these into only one docker... if ! db_has_database "$DBNAME"; then - db_create "$DBNAME" || exit 1 - + INITDB_ARGS=(encoding lc-collate lc-ctype template) + CREATEDB_OPTS=() + for option in "${INITDB_ARGS[@]}"; do + value="$(relation-get "$option" 2>/dev/null)" || true + if [ -n "$value" ]; then + CREATEDB_OPTS+=("--$option=$value") + fi + done + db_create "$DBNAME" "${CREATEDB_OPTS[@]}" || exit 1 if sql=$(relation-get init-sql); then ddb "$DBNAME" > /dev/null < <(e "$sql") || exit 1 fi diff --git a/postgres/lib/common b/postgres/lib/common index a6feb29..20947b2 100644 --- a/postgres/lib/common +++ b/postgres/lib/common @@ -63,7 +63,8 @@ db_drop () { db_create () { local dbname="$1" - dcmd createdb "$dbname" || return 1 + shift + dcmd createdb "$dbname" "$@" || return 1 info "Database '$dbname' created." }
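Review bot: In `postgres/hooks/postgres_database-relation-joined` the values read with `relation-get` are forwarded to `createdb` without validation, and any `relation-get` failure is hidden by `2>/dev/null` plus `|| true`. Building `CREATEDB_OPTS` as an array keeps each value a single argument here, but whether that holds depends on how `dcmd` (outside this hunk) passes its arguments into the container; if it rebuilds a command string, a value with spaces or shell metacharacters would be re-split. A conservative check before appending, such as `[[ "$value" =~ ^[A-Za-z0-9_.@-]+$ ]] || { err "invalid $option"; exit 1; }`, would close that off. The array name `INITDB_ARGS` is misleading, since these are `createdb` options.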
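Review bot: In `postgres/lib/common`, `db_create` now appends the extra options after the database name (`dcmd createdb "$dbname" "$@"`), which relies on the option parser reordering arguments and lets a stray non-option word be taken as the database description. createdb's documented synopsis puts options first, so `dcmd createdb "$@" "$dbname" || return 1` is the safer ordering. A one-line comment above the function, e.g. `## usage: db_create DBNAME [CREATEDB_OPTION...]`, would tell callers that the remaining arguments are passed through as-is.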