diff --git a/.env b/.env
index 186751e..4af6d1a 100644
--- a/.env
+++ b/.env
@@ -14,7 +14,7 @@
 # https://symfony.com/doc/current/best_practices.html#use-environment-variables-for-infrastructure-configuration
 
 # Main user is 1000 on Linux
-USER_UID=1000
+UID=1000
 PUBLIC_NGINX_PORT=8781
 PUBLIC_VARNISH_PORT=8784
 PUBLIC_PMA_PORT=8782
diff --git a/Dockerfile b/Dockerfile
index 0279b73..5f7d5d0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,8 +1,9 @@
 ARG PHP_VERSION=8.3.14
 ARG MYSQL_VERSION=8.0.40
+ARG NGINX_VERSION=1.27.2
 ARG SOLR_VERSION=9
 ARG VARNISH_VERSION=7.1
-ARG USER_UID=1000
+ARG UID=1000
 
 #######
 # PHP #
@@ -12,7 +13,7 @@ FROM php:${PHP_VERSION}-fpm-bookworm AS php
 
 LABEL org.opencontainers.image.authors="ambroise@rezo-zero.com"
 
-ARG USER_UID
+ARG UID
 
 ARG COMPOSER_VERSION=2.8.1
 ARG PHP_EXTENSION_INSTALLER_VERSION=2.6.0
@@ -24,8 +25,6 @@ ENV APP_FFMPEG_PATH=/usr/bin/ffmpeg
 ENV MYSQL_HOST=db
 ENV MYSQL_PORT=3306
 
-HEALTHCHECK --start-period=30s --interval=1m --timeout=6s CMD bin/console monitor:health -q
-
 COPY --link docker/php/crontab.txt /crontab.txt
 COPY --link docker/php/wait-for-it.sh /wait-for-it.sh
 COPY --link docker/php/fpm.d/www.conf   ${PHP_INI_DIR}-fpm.d/zz-www.conf
@@ -42,13 +41,17 @@ apt-get --quiet --yes --no-install-recommends --verbose-versions install \
     ffmpeg
 rm -rf /var/lib/apt/lists/*
 
-usermod -u ${USER_UID} www-data
-groupmod -g ${USER_UID} www-data
-echo "www-data ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/www-data
+# User
+addgroup --gid ${UID} php
+adduser --home /home/php --shell /bin/bash --uid ${UID} --gecos php --ingroup php --disabled-password php
+echo "php ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/php
 
-/usr/bin/crontab -u www-data /crontab.txt
+# App
+install --verbose --owner php --group php --mode 0755 --directory /app
+
+/usr/bin/crontab -u php /crontab.txt
 chmod +x /wait-for-it.sh
-chown -R www-data:www-data /var/www/html
+chown -R php:php /app
 
 # Php extensions
 curl -sSLf  https://github.com/mlocati/docker-php-extension-installer/releases/latest/download/install-php-extensions \
@@ -75,7 +78,7 @@ install-php-extensions \
     redis-${PHP_EXTENSION_REDIS_VERSION}
 EOF
 
-WORKDIR /var/www/html
+WORKDIR /app
 
 ###################
 # PHP Development #
@@ -105,12 +108,12 @@ apt-get --quiet --yes --purge --autoremove upgrade
 apt-get --quiet --yes --no-install-recommends --verbose-versions install make
 rm -rf /var/lib/apt/lists/*
 # Prepare folder to install composer credentials
-install --owner=www-data --group=www-data --mode=755 --directory /var/www/.composer
+install --owner=php --group=php --mode=755 --directory /home/php/.composer
 EOF
 
-VOLUME /var/www/html
+VOLUME /app
 
-USER www-data
+USER php
 
 # If you depend on private Gitlab repositories, you must use a deploy token and username
 #RUN composer config --global gitlab-token.gitlab.rezo-zero.com ${COMPOSER_DEPLOY_TOKEN_USER} ${COMPOSER_DEPLOY_TOKEN}
@@ -138,17 +141,17 @@ COPY --link docker/php/conf.d/php.prod.ini ${PHP_INI_DIR}/conf.d/zz-app.ini
 COPY --link --chmod=755 docker/php/docker-php-entrypoint /usr/local/bin/docker-php-entrypoint
 COPY --link --chmod=755 docker/php/docker-cron-entrypoint /usr/local/bin/docker-cron-entrypoint
 
-USER www-data
+USER php
 
 # Composer
-COPY --link --chown=www-data:www-data composer.* symfony.* ./
+COPY --link --chown=php:php composer.* symfony.* ./
 RUN <<EOF
 # If you depend on private Gitlab repositories, you must use a deploy token and username
 #composer config gitlab-token.gitlab.rezo-zero.com ${COMPOSER_DEPLOY_TOKEN_USER} ${COMPOSER_DEPLOY_TOKEN}
 composer install --no-cache --prefer-dist --no-dev --no-autoloader --no-scripts --no-progress
 EOF
 
-COPY --link --chown=www-data:www-data . .
+COPY --link --chown=php:php . .
 
 RUN <<EOF
 composer dump-autoload --classmap-authoritative --no-dev
@@ -157,23 +160,83 @@ bin/console assets:install
 bin/console themes:assets:install Rozier
 EOF
 
-VOLUME /var/www/html/config/jwt \
-       /var/www/html/config/secrets \
-       /var/www/html/public/files \
-       /var/www/html/public/assets \
-       /var/www/html/var/files
+HEALTHCHECK --start-period=30s --interval=1m --timeout=6s CMD bin/console monitor:health -q
+
+VOLUME /app/config/jwt \
+       /app/config/secrets \
+       /app/public/files \
+       /app/public/assets \
+       /app/var/files
+
 
 
 #########
 # Nginx #
 #########
 
-FROM roadiz/nginx-alpine AS nginx-prod
+FROM nginx:${NGINX_VERSION}-bookworm AS nginx
 
 LABEL org.opencontainers.image.authors="ambroise@rezo-zero.com"
 
-COPY --link --from=php-prod --chown=www-data:www-data /var/www/html/public /var/www/html/public
+ARG UID
+
+SHELL ["/bin/bash", "-e", "-o", "pipefail", "-c"]
+
+RUN <<EOF
+# Packages
+apt-get --quiet update
+apt-get --quiet --yes --purge --autoremove upgrade
+apt-get --quiet --yes --no-install-recommends --verbose-versions install \
+    less \
+    sudo
+rm -rf /var/lib/apt/lists/*
+
+# User
+groupmod --gid ${UID} nginx
+usermod --uid ${UID} nginx
+echo "nginx ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/nginx
+
+# App
+install --verbose --owner nginx --group nginx --mode 0755 --directory /app
+EOF
+
+ENV NGINX_ENTRYPOINT_QUIET_LOGS=1
+# Config
+COPY --link docker/nginx/nginx.conf               /etc/nginx/nginx.conf
+COPY --link docker/nginx/redirections.conf        /etc/nginx/redirections.conf
+COPY --link docker/nginx/mime.types               /etc/nginx/mime.types
+COPY --link docker/nginx/conf.d/_gzip.conf        /etc/nginx/conf.d/_gzip.conf
+COPY --link docker/nginx/conf.d/_security.conf    /etc/nginx/conf.d/_security.conf
+COPY --link docker/nginx/conf.d/default.conf  /etc/nginx/conf.d/default.conf
+
+WORKDIR /app
+
+
+
+##############
+# Nginx DEV  #
+##############
+
+FROM nginx AS nginx-dev
+
+# Silence entrypoint logs
+
+# Declare a volume for development
+VOLUME /app
+
+
+
+##############
+# Nginx PROD #
+##############
+
+FROM nginx AS nginx-prod
+# Copy public files from API
+COPY --link --from=php-prod --chown=${USER_UID}:${USER_UID} /app/public /app/public
 
+# Only enable healthcheck in production when the app is ready to serve requests on root path
+# This could prevent Traefik or an ingress controller to route traffic to the app
+#HEALTHCHECK --start-period=1m30s --interval=1m --timeout=6s CMD curl --fail -I http://localhost
 
 #########
 # MySQL #
@@ -183,14 +246,14 @@ FROM mysql:${MYSQL_VERSION} AS mysql
 
 LABEL org.opencontainers.image.authors="ambroise@rezo-zero.com"
 
-ARG USER_UID
+ARG UID
 
 SHELL ["/bin/bash", "-e", "-o", "pipefail", "-c"]
 
 RUN <<EOF
-usermod -u ${USER_UID} mysql
-groupmod -g ${USER_UID} mysql
-echo "USER_UID: ${USER_UID}\n"
+usermod -u ${UID} mysql
+groupmod -g ${UID} mysql
+echo "UID: ${UID}\n"
 EOF
 
 COPY --link docker/mysql/performances.cnf /etc/mysql/conf.d/performances.cnf
@@ -203,7 +266,7 @@ FROM solr:${SOLR_VERSION}-slim AS solr
 
 LABEL org.opencontainers.image.authors="ambroise@rezo-zero.com"
 
-ARG USER_UID
+ARG UID
 
 SHELL ["/bin/bash", "-e", "-o", "pipefail", "-c"]
 
@@ -211,10 +274,10 @@ USER root
 
 RUN <<EOF
 set -ex
-echo "USER_UID: ${USER_UID}\n"
-usermod -u ${USER_UID} "$SOLR_USER"
-groupmod -g ${USER_UID} "$SOLR_GROUP"
-chown -R ${USER_UID}:${USER_UID} /var/solr
+echo "UID: ${UID}\n"
+usermod -u ${UID} "$SOLR_USER"
+groupmod -g ${UID} "$SOLR_GROUP"
+chown -R ${UID}:${UID} /var/solr
 EOF
 
 COPY --link docker/solr/managed-schema.xml /opt/solr/server/solr/configsets/_default/conf/managed-schema
diff --git a/README.md b/README.md
index 68d4cab..4e31239 100644
--- a/README.md
+++ b/README.md
@@ -82,7 +82,7 @@ services:
     #app:
     #    build:
     #        args:
-    #            USER_UID: ${USER_UID}
+    #            UID: ${UID}
     #            COMPOSER_DEPLOY_TOKEN: xxxxxxxxxxxxx
     #            COMPOSER_DEPLOY_TOKEN_USER: "gitlab+deploy-token-1"
 
diff --git a/compose.override.yml.dist b/compose.override.yml.dist
index 1acd861..b9793a3 100644
--- a/compose.override.yml.dist
+++ b/compose.override.yml.dist
@@ -20,7 +20,7 @@ services:
     #app:
     #    build:
     #        args:
-    #            USER_UID: ${USER_UID}
+    #            UID: ${UID}
     #            COMPOSER_DEPLOY_TOKEN: xxxxxxxxxxxxx
     #            COMPOSER_DEPLOY_TOKEN_USER: "gitlab+deploy-token-1"
 
diff --git a/compose.prod.yml b/compose.prod.yml
index 7622545..283c36d 100644
--- a/compose.prod.yml
+++ b/compose.prod.yml
@@ -103,9 +103,9 @@ services:
         networks:
             - default
         volumes:
-            - ./robots.txt:/var/www/html/public/robots.txt:ro
-            - app_file_data:/var/www/html/public/files:ro
-            - app_assets_data:/var/www/html/public/assets:ro
+            - ./robots.txt:/app/public/robots.txt:ro
+            - app_file_data:/app/public/files:ro
+            - app_assets_data:/app/public/assets:ro
         labels:
             - "com.centurylinklabs.watchtower.enable=true"
             - "com.centurylinklabs.watchtower.depends-on=/skeleton-app-1"
@@ -118,24 +118,24 @@ services:
             - redis
             #- solr
         volumes:
-            - app_file_data:/var/www/html/public/files
-            - app_assets_data:/var/www/html/public/assets
-            - app_private_file_data:/var/www/html/var/files
-            - app_secret_data:/var/www/html/config/secrets
+            - app_file_data:/app/public/files
+            - app_assets_data:/app/public/assets
+            - app_private_file_data:/app/var/files
+            - app_secret_data:/app/config/secrets
             ## Use docker-compose env file as .env.local in container
-            - ./.env:/var/www/html/.env.local:ro
+            - ./.env:/app/.env.local:ro
             ## Generate JWT certificates on your host and share them to docker container
             ## openssl genpkey -out jwt_private.pem -aes256 -algorithm rsa -pkeyopt rsa_keygen_bits:4096; chmod 0644 jwt_private.pem;
-            - ./jwt_private.pem:/var/www/html/config/jwt/private.pem:ro
+            - ./jwt_private.pem:/app/config/jwt/private.pem:ro
             ## openssl pkey -in jwt_private.pem -out jwt_public.pem -pubout; chmod 0644 jwt_public.pem;
-            - ./jwt_public.pem:/var/www/html/config/jwt/public.pem:ro
+            - ./jwt_public.pem:/app/config/jwt/public.pem:ro
             ##
             ## Do not add volume for src/GeneratedEntity, they are versioned since Roadiz v2
             ## Uncomment these if you DO want to persist and edit node-types on production env
             ##
-            #- app_node_types_api:/var/www/html/config/api_resources
-            #- app_node_types_resource:/var/www/html/src/Resources
-            #- app_node_types_entities:/var/www/html/src/GeneratedEntity
+            #- app_node_types_api:/app/config/api_resources
+            #- app_node_types_resource:/app/src/Resources
+            #- app_node_types_entities:/app/src/GeneratedEntity
         networks:
             - default
         environment:
@@ -156,7 +156,7 @@ services:
             # Do not use more than 1 replica if you're using Varnish and need to purge/ban cache
             # from your workers. Varnish ACL hostnames won't be resolved correctly.
             replicas: 1
-        entrypoint: [ "php", "/var/www/html/bin/console", "messenger:consume", "async", "--time-limit=1800" ]
+        entrypoint: [ "php", "/app/bin/console", "messenger:consume", "async", "--time-limit=1800" ]
 
     cron:
         <<: *app_template
diff --git a/compose.yml b/compose.yml
index 1193e63..ca6a2ee 100644
--- a/compose.yml
+++ b/compose.yml
@@ -6,7 +6,7 @@ services:
             # Custom image for file permissions and performances
             target: mysql
             args:
-                USER_UID: ${USER_UID}
+                UID: ${UID}
         cap_add:
             - SYS_NICE  # CAP_SYS_NICE
         networks:
@@ -54,26 +54,29 @@ services:
         build:
             target: php-dev
             args:
-                USER_UID: ${USER_UID}
+                UID: ${UID}
         depends_on:
             - db
             - solr
             - redis
         volumes:
-            - ./:/var/www/html
+            - ./:/app
         networks:
             default:
         environment:
             TRUSTED_PROXIES: ${TRUSTED_PROXIES}
-            USER_UID: ${USER_UID}
+            UID: ${UID}
             DEFAULT_GATEWAY: ${DEFAULT_GATEWAY}
 
     nginx:
-        image: roadiz/nginx-alpine:latest
+        build:
+            target: nginx-dev
+            args:
+                UID: ${UID}
         depends_on:
             - app
         volumes:
-            - ./:/var/www/html
+            - ./:/app
         networks:
             default:
 #            frontproxynet:
@@ -110,7 +113,7 @@ services:
             replicas: 1
         # official php-fpm image uses SIGQUIT
         stop_signal: SIGTERM
-        entrypoint: [ "php", "/var/www/html/bin/console", "messenger:consume", "async", "--time-limit=600" ]
+        entrypoint: [ "php", "/app/bin/console", "messenger:consume", "async", "--time-limit=600" ]
         restart: unless-stopped
 
     cron:
@@ -127,12 +130,9 @@ services:
             # Custom image for file permissions
             target: solr
             args:
-                USER_UID: ${USER_UID}
+                UID: ${UID}
         volumes:
             - "solr:/var/solr"
-        environment:
-            SOLR_UID: ${USER_UID}
-            SOLR_GID: ${USER_UID}
         command:
             - solr-precreate
             - ${SOLR_CORE_NAME}
diff --git a/docker/nginx/conf.d/_gzip.conf b/docker/nginx/conf.d/_gzip.conf
new file mode 100644
index 0000000..d518883
--- /dev/null
+++ b/docker/nginx/conf.d/_gzip.conf
@@ -0,0 +1,14 @@
+gzip on;
+gzip_proxied any;
+gzip_vary on;
+gzip_comp_level 2;
+gzip_min_length 256;
+gzip_types application/atom+xml application/javascript application/json application/rss+xml
+            application/vnd.ms-fontobject application/x-font-opentype application/x-font-truetype
+            application/x-font-ttf application/x-javascript application/xhtml+xml application/xml
+            font/eot font/opentype font/otf font/truetype image/svg+xml image/vnd.microsoft.icon
+            image/x-icon image/x-win-bitmap text/css text/javascript text/plain text/xml;
+gzip_disable "MSIE [1-6]\.(?!.*SV1)";
+# make sure gzip does not lose large gzipped js or css files
+# see http://blog.leetsoft.com/2007/7/25/nginx-gzip-ssl
+gzip_buffers 16 8k;
diff --git a/docker/nginx/conf.d/_security.conf b/docker/nginx/conf.d/_security.conf
new file mode 100644
index 0000000..497d112
--- /dev/null
+++ b/docker/nginx/conf.d/_security.conf
@@ -0,0 +1,6 @@
+# Do not display nginx version
+server_tokens off;
+
+add_header X-Frame-Options "SAMEORIGIN";
+add_header X-XSS-Protection "1; mode=block";
+add_header X-Content-Type-Options "nosniff";
diff --git a/docker/nginx/conf.d/default.conf b/docker/nginx/conf.d/default.conf
new file mode 100644
index 0000000..2fef40c
--- /dev/null
+++ b/docker/nginx/conf.d/default.conf
@@ -0,0 +1,140 @@
+client_max_body_size 256m;
+
+map $sent_http_content_type $expires {
+    default                     1y;
+    "text/html"                 off;
+    "text/html; charset=utf-8"  off;
+}
+
+server {
+    listen 80;
+    server_name localhost;
+
+    root /app/public;
+
+    ## Only use this block if you are using Roadiz solo
+    index index.php index.html;
+
+    include /etc/nginx/redirections.conf;
+
+    # Kick wordpress brute force attack before it
+    # fills Roadiz logs with not-found resources.
+    location ~ ^/wp\-(includes|admin|login\.php) {
+        access_log off;
+        return 404;
+    }
+
+    # Enable Expire on Themes public assets
+    location ~* ^/(?:bundles|themes|files|assets|storage)/*.*\.(?:ico|pdf|css|js|woff2?|eot|ttf|otf|svg|gif|jpe?g|png|webp|avif|mp4|webm)$ {
+        # Serve not found files with PHP
+        try_files $uri $uri/ /index.php$is_args$args;
+
+        expires 1y;
+        access_log off;
+        add_header "Pragma" "public";
+        add_header "Cache-Control" "public";
+        add_header "Vary" "Accept-Encoding";
+        add_header "X-Frame-Options" "SAMEORIGIN";
+        add_header "X-XSS-Protection" "1; mode=block";
+        add_header "X-Content-Type-Options" "nosniff";
+        add_header 'Access-Control-Allow-Origin' '*';
+        add_header 'Access-Control-Allow-Methods' 'GET, OPTIONS';
+        add_header 'Access-Control-Allow-Headers' 'DNT,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
+
+        if ($request_method = 'OPTIONS') {
+            access_log off;
+            #
+            # Tell client that this pre-flight info is valid for 20 days
+            #
+            add_header 'Access-Control-Max-Age' 1728000;
+            add_header 'Content-Type' 'text/plain; charset=utf-8';
+            add_header 'Content-Length' 0;
+            return 204;
+        }
+    }
+
+    ### When using Roadiz solo
+    location / {
+        # First attempt to serve request as file, then
+        # as directory, then fall back to front-end controller
+        # (do not forget to pass GET parameters).
+        try_files $uri $uri/ /index.php$is_args$args;
+    }
+
+    ### When using Roadiz with Nuxt.js, uncomment these blocks
+    ### To enable monorepo routing
+
+    # Catch all Roadiz routes first
+    #location ~ ^/(rz\-admin|files|assets|themes|bundles|api|_wdt|_profiler|css\/main\-color\.css|custom\-form|css\/login\/image) {
+    #    try_files $uri $uri/ /index.php$is_args$args;
+    #}
+
+    #location ~* \.(ico|css|js|woff2?|eot|ttf|otf|svg|gif|jpe?g|png|webp|mp4|avif|webm)$ {
+    #    expires $expires;
+    #    add_header Pragma public;
+    #    add_header Cache-Control "public";
+    #    try_files $uri $uri/ @proxy;
+    #}
+
+    ## Then Nuxt.js routes
+    #location / {
+    #    expires $expires;
+    #    try_files $uri $uri/index.html @proxy;
+    #}
+
+    #
+    # PHP API entry point.
+    #
+    location ~ ^/index\.php(/|$) {
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_pass app:9000;
+        fastcgi_index index.php;
+        fastcgi_split_path_info ^(.+\.php)(.*)$;
+
+        # Bigger buffer size to handle cache invalidation headers expansion
+        # https://github.com/api-platform/docs/blob/2.3/extra/troubleshooting.md#upstream-sent-too-big-header-while-reading-response-header-from-upstream-502-error
+        fastcgi_buffer_size 32k;
+        fastcgi_buffers 8 16k;
+
+        include fastcgi_params;
+        try_files $uri =404;
+        # Prevents URIs that include the front controller. This will 404:
+        # http://domain.tld/app.php/some-path
+        # Remove the internal directive to allow URIs like this
+        internal;
+    }
+
+    ## Uncomment this block if you are using a Node.js server
+    #location @proxy {
+    #    add_header X-Frame-Options "SAMEORIGIN";
+    #    add_header X-Cache-Status $upstream_cache_status;
+    #    proxy_redirect                      off;
+    #    proxy_set_header Host               $host;
+    #    proxy_set_header X-Real-IP          $remote_addr;
+    #    proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
+    #    # Force HTTPS protocol because we are behind a reverse proxy
+    #    proxy_set_header X-Forwarded-Proto  https;
+    #    proxy_read_timeout          1m;
+    #    proxy_connect_timeout       1m;
+    #    proxy_pass                  http://node:3000;
+    #}
+
+    # deny access to .htaccess files, if Apache's document root
+    # concurs with nginx's one
+    #
+    location ~ /\.ht {
+        deny all;
+    }
+    location ~ /\.git {
+        deny all;
+    }
+    location = /README.md {
+        deny all;
+    }
+    location = /.nojekyll {
+        deny all;
+    }
+
+    # Don't log robots.txt or favicon.ico files
+    location = /favicon.ico { log_not_found off; access_log off; }
+}
diff --git a/docker/nginx/mime.types b/docker/nginx/mime.types
new file mode 100644
index 0000000..e390d97
--- /dev/null
+++ b/docker/nginx/mime.types
@@ -0,0 +1,116 @@
+
+types {
+    text/html                                        html htm shtml;
+    text/css                                         css;
+    text/xml                                         xml;
+    image/gif                                        gif;
+    image/jpeg                                       jpeg jpg;
+    application/javascript                           js;
+    application/atom+xml                             atom;
+    application/rss+xml                              rss;
+
+    text/mathml                                      mml;
+    text/plain                                       txt;
+    text/vnd.sun.j2me.app-descriptor                 jad;
+    text/vnd.wap.wml                                 wml;
+    text/x-component                                 htc;
+
+    image/avif                                       avif;
+    image/png                                        png;
+    image/svg+xml                                    svg svgz;
+    image/tiff                                       tif tiff;
+    image/vnd.wap.wbmp                               wbmp;
+    image/webp                                       webp;
+    image/x-icon                                     ico;
+    image/x-jng                                      jng;
+    image/x-ms-bmp                                   bmp;
+
+    font/woff                                        woff;
+    font/woff2                                       woff2;
+
+    application/java-archive                         jar war ear;
+    application/json                                 json;
+    application/mac-binhex40                         hqx;
+    application/msword                               doc;
+    application/pdf                                  pdf;
+    application/postscript                           ps eps ai;
+    application/rtf                                  rtf;
+    application/vnd.apple.mpegurl                    m3u8;
+    application/vnd.google-earth.kml+xml             kml;
+    application/vnd.google-earth.kmz                 kmz;
+    application/vnd.ms-excel                         xls;
+    application/vnd.ms-fontobject                    eot;
+    application/vnd.ms-powerpoint                    ppt;
+    application/vnd.oasis.opendocument.graphics      odg;
+    application/vnd.oasis.opendocument.presentation  odp;
+    application/vnd.oasis.opendocument.spreadsheet   ods;
+    application/vnd.oasis.opendocument.text          odt;
+    application/vnd.openxmlformats-officedocument.presentationml.presentation
+                                                     pptx;
+    application/vnd.openxmlformats-officedocument.spreadsheetml.sheet
+                                                     xlsx;
+    application/vnd.openxmlformats-officedocument.wordprocessingml.document
+                                                     docx;
+    application/vnd.wap.wmlc                         wmlc;
+    application/wasm                                 wasm;
+    application/x-7z-compressed                      7z;
+    application/x-cocoa                              cco;
+    application/x-java-archive-diff                  jardiff;
+    application/x-java-jnlp-file                     jnlp;
+    application/x-makeself                           run;
+    application/x-perl                               pl pm;
+    application/x-pilot                              prc pdb;
+    application/x-rar-compressed                     rar;
+    application/x-redhat-package-manager             rpm;
+    application/x-sea                                sea;
+    application/x-shockwave-flash                    swf;
+    application/x-stuffit                            sit;
+    application/x-tcl                                tcl tk;
+    application/x-x509-ca-cert                       der pem crt;
+    application/x-xpinstall                          xpi;
+    application/xhtml+xml                            xhtml;
+    application/xspf+xml                             xspf;
+    application/zip                                  zip;
+
+    application/octet-stream                         bin exe dll;
+    application/octet-stream                         deb;
+    application/octet-stream                         dmg;
+    application/octet-stream                         iso img;
+    application/octet-stream                         msi msp msm;
+
+    audio/midi                                       mid midi kar;
+    audio/mpeg                                       mp3;
+    audio/ogg                                        ogg;
+    audio/x-m4a                                      m4a;
+    audio/x-realaudio                                ra;
+
+    video/3gpp                                       3gpp 3gp;
+    video/mp2t                                       ts;
+    video/mp4                                        mp4;
+    video/mpeg                                       mpeg mpg;
+    video/quicktime                                  mov;
+    video/webm                                       webm;
+    video/x-flv                                      flv;
+    video/x-m4v                                      m4v;
+    video/x-mng                                      mng;
+    video/x-ms-asf                                   asx asf;
+    video/x-ms-wmv                                   wmv;
+    video/x-msvideo                                  avi;
+
+    application/x-bb-appworld                        bbaw;
+    application/x-bittorrent                         torrent;
+    application/x-chrome-extension                   crx;
+    application/x-opera-extension                    oex;
+    application/xslt+xml                             xsl;
+    application/yaml                                 yaml yml;
+    image/heif                                       heic heif;
+    image/vnd.radiance                               hdr;
+    model/gltf+json                                  gltf;
+    model/gltf-binary                                glb;
+    text/calendar                                    ics;
+    text/csv                                         csv;
+    text/markdown                                    md markdown;
+    text/vcard                                       vcard vcf;
+    text/vnd.rim.location.xloc                       xloc;
+    text/vtt                                         vtt;
+}
diff --git a/docker/nginx/nginx.conf b/docker/nginx/nginx.conf
new file mode 100644
index 0000000..c0252dd
--- /dev/null
+++ b/docker/nginx/nginx.conf
@@ -0,0 +1,31 @@
+
+user  nginx;
+worker_processes  auto;
+
+error_log  /var/log/nginx/error.log warn;
+pid        /var/run/nginx.pid;
+
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       /etc/nginx/mime.types;
+    default_type  application/octet-stream;
+
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+
+    access_log  /var/log/nginx/access.log  main;
+
+    sendfile        on;
+    #tcp_nopush     on;
+
+    keepalive_timeout  65;
+
+    #gzip  on;
+
+    include /etc/nginx/conf.d/*.conf;
+}
diff --git a/docker/nginx/nuxt_ip_filter.conf b/docker/nginx/nuxt_ip_filter.conf
new file mode 100644
index 0000000..5a16233
--- /dev/null
+++ b/docker/nginx/nuxt_ip_filter.conf
@@ -0,0 +1,3 @@
+## RZ VPN
+#allow 51.15.243.128;
+#deny all;
diff --git a/docker/nginx/redirections.conf b/docker/nginx/redirections.conf
new file mode 100644
index 0000000..bc10005
--- /dev/null
+++ b/docker/nginx/redirections.conf
@@ -0,0 +1 @@
+# All redirections
diff --git a/docker/php/conf.d/php.prod.ini b/docker/php/conf.d/php.prod.ini
index 5c1d718..4b7ce3c 100644
--- a/docker/php/conf.d/php.prod.ini
+++ b/docker/php/conf.d/php.prod.ini
@@ -13,8 +13,8 @@ opcache.interned_strings_buffer = 16
 ; Don't Check PHP Files Timestamps
 opcache.validate_timestamps = 0
 ; Class preloading
-opcache.preload_user = www-data
-opcache.preload = /var/www/html/config/preload.php
+opcache.preload_user = php
+opcache.preload = /app/config/preload.php
 
 ; Configure the PHP realpath Cache
 realpath_cache_size = 4096K
diff --git a/docker/php/crontab.txt b/docker/php/crontab.txt
index 1f694a1..0fb4d8d 100644
--- a/docker/php/crontab.txt
+++ b/docker/php/crontab.txt
@@ -1,15 +1,15 @@
 # Roadiz maintenance tasks
 
 ### Update Solr index
-0 0 * * *    /usr/local/bin/php -d memory_limit=-1 /var/www/html/bin/console solr:reindex --no-debug -n -q
+0 0 * * *    /usr/local/bin/php -d memory_limit=-1 /app/bin/console solr:reindex --no-debug -n -q
 
 ### Maintenance tasks: erase +6 months logs and keeps only 20 node-source versions
-0 8 * * 1    /usr/local/bin/php -d memory_limit=-1 /var/www/html/bin/console documents:file:size -q
-0 1 * * *    /usr/local/bin/php -d memory_limit=-1 /var/www/html/bin/console logs:cleanup --erase -n -q
-0 2 * * *    /usr/local/bin/php -d memory_limit=-1 /var/www/html/bin/console versions:purge -c 20 -n -q
-0 3 * * *    /usr/local/bin/php -d memory_limit=-1 /var/www/html/bin/console custom-form-answer:prune -n -q
+0 8 * * 1    /usr/local/bin/php -d memory_limit=-1 /app/bin/console documents:file:size -q
+0 1 * * *    /usr/local/bin/php -d memory_limit=-1 /app/bin/console logs:cleanup --erase -n -q
+0 2 * * *    /usr/local/bin/php -d memory_limit=-1 /app/bin/console versions:purge -c 20 -n -q
+0 3 * * *    /usr/local/bin/php -d memory_limit=-1 /app/bin/console custom-form-answer:prune -n -q
 ### Empty node trashcan every month
-0 0 1 * *    /usr/local/bin/php -d memory_limit=-1 /var/www/html/bin/console nodes:empty-trash -n -q
+0 0 1 * *    /usr/local/bin/php -d memory_limit=-1 /app/bin/console nodes:empty-trash -n -q
 
 ### Log last cron exec time
-0 4 * * *    /usr/local/bin/php -d memory_limit=-1 /var/www/html/bin/console cron:set-last-exec-date -n -q
+0 4 * * *    /usr/local/bin/php -d memory_limit=-1 /app/bin/console cron:set-last-exec-date -n -q
diff --git a/docker/php/docker-cron-entrypoint b/docker/php/docker-cron-entrypoint
index dc170dc..7e1cf77 100755
--- a/docker/php/docker-cron-entrypoint
+++ b/docker/php/docker-cron-entrypoint
@@ -14,18 +14,18 @@ echo "APP_ENV=${APP_ENV}";
 echo "APP_RUNTIME_ENV=${APP_RUNTIME_ENV}";
 echo "APP_DEBUG=${APP_DEBUG}";
 # Debug infos
-/usr/bin/sudo -E -u www-data -- bash -c "echo \"[sudo] APP_ENV=${APP_ENV}\"";
-/usr/bin/sudo -E -u www-data -- bash -c "echo \"[sudo] APP_RUNTIME_ENV=${APP_RUNTIME_ENV}\"";
-/usr/bin/sudo -E -u www-data -- bash -c "echo \"[sudo] APP_DEBUG=${APP_DEBUG}\"";
+/usr/bin/sudo -E -u php -- bash -c "echo \"[sudo] APP_ENV=${APP_ENV}\"";
+/usr/bin/sudo -E -u php -- bash -c "echo \"[sudo] APP_RUNTIME_ENV=${APP_RUNTIME_ENV}\"";
+/usr/bin/sudo -E -u php -- bash -c "echo \"[sudo] APP_DEBUG=${APP_DEBUG}\"";
 
-/bin/chown -R www-data:www-data /var/www/html/var || true;
-/bin/chown -R www-data:www-data /var/www/html/config || true;
+/bin/chown -R php:php /app/var || true;
+/bin/chown -R php:php /app/config || true;
 
 # Print local env vars to .env.xxx.php file for performances and crontab jobs
-/usr/bin/sudo -E -u www-data -- bash -c  "/usr/local/bin/composer dump-env prod"
+/usr/bin/sudo -E -u php -- bash -c  "/usr/local/bin/composer dump-env prod"
 # To improve performance (i.e. avoid decrypting secrets at runtime),
 # you can decrypt your secrets during deployment to the "local" vault:
-/usr/bin/sudo -E -u www-data -- bash -c "APP_RUNTIME_ENV=prod /var/www/html/bin/console secrets:decrypt-to-local --force"
+/usr/bin/sudo -E -u php -- bash -c "APP_RUNTIME_ENV=prod /app/bin/console secrets:decrypt-to-local --force"
 
 # Let cron take the wheel
 echo "Starting cron in foreground."
diff --git a/docker/php/docker-cron-entrypoint-dev b/docker/php/docker-cron-entrypoint-dev
index 6a70572..b2efd64 100755
--- a/docker/php/docker-cron-entrypoint-dev
+++ b/docker/php/docker-cron-entrypoint-dev
@@ -14,12 +14,12 @@ echo "APP_ENV=${APP_ENV}";
 echo "APP_RUNTIME_ENV=${APP_RUNTIME_ENV}";
 echo "APP_DEBUG=${APP_DEBUG}";
 # Debug infos
-/usr/bin/sudo -E -u www-data -- bash -c "echo \"[sudo] APP_ENV=${APP_ENV}\"";
-/usr/bin/sudo -E -u www-data -- bash -c "echo \"[sudo] APP_RUNTIME_ENV=${APP_RUNTIME_ENV}\"";
-/usr/bin/sudo -E -u www-data -- bash -c "echo \"[sudo] APP_DEBUG=${APP_DEBUG}\"";
+/usr/bin/sudo -E -u php -- bash -c "echo \"[sudo] APP_ENV=${APP_ENV}\"";
+/usr/bin/sudo -E -u php -- bash -c "echo \"[sudo] APP_RUNTIME_ENV=${APP_RUNTIME_ENV}\"";
+/usr/bin/sudo -E -u php -- bash -c "echo \"[sudo] APP_DEBUG=${APP_DEBUG}\"";
 
-/bin/chown -R www-data:www-data /var/www/html/var || true;
-/bin/chown -R www-data:www-data /var/www/html/config || true;
+/bin/chown -R php:php /app/var || true;
+/bin/chown -R php:php /app/config || true;
 
 # DO NOT Print local env vars to .env.xxx.php file in DEV mode
 
diff --git a/docker/php/docker-php-entrypoint b/docker/php/docker-php-entrypoint
index 1454fe1..348e041 100755
--- a/docker/php/docker-php-entrypoint
+++ b/docker/php/docker-php-entrypoint
@@ -13,12 +13,12 @@ echo "APP_DEBUG=${APP_DEBUG}";
 
 # Print local env vars to .env.xxx.php file for performances and crontab jobs
 /usr/local/bin/composer dump-env prod
-/var/www/html/bin/console assets:install -n
-/var/www/html/bin/console themes:assets:install -n Rozier
+/app/bin/console assets:install -n
+/app/bin/console themes:assets:install -n Rozier
 
 # To improve performance (i.e. avoid decrypting secrets at runtime),
 # you can decrypt your secrets during deployment to the "local" vault:
-#APP_RUNTIME_ENV=prod /var/www/html/bin/console secrets:decrypt-to-local --force
+#APP_RUNTIME_ENV=prod /app/bin/console secrets:decrypt-to-local --force
 
 #
 # Wait for database to be ready for next commands and migrations
@@ -29,13 +29,13 @@ echo "APP_DEBUG=${APP_DEBUG}";
 ## Uncomment following lines to enable automatic migration for your theme at each docker start
 ##
 ## Perform migrations directly as database should be ready thanks to wait-for-it.sh
-# /var/www/html/bin/console doctrine:migrations:migrate -n --allow-no-migration
-# /var/www/html/bin/console app:install -n
+# /app/bin/console doctrine:migrations:migrate -n --allow-no-migration
+# /app/bin/console app:install -n
 
 # Clear caches after migrations
-/var/www/html/bin/console cache:clear -n
+/app/bin/console cache:clear -n
 # Clear all cache pool on Symfony 5.4 https://symfony.com/doc/5.4/cache.html#clearing-the-cache
-/var/www/html/bin/console cache:pool:clear cache.global_clearer -n
+/app/bin/console cache:pool:clear cache.global_clearer -n
 
 # first arg is `-f` or `--some-option`
 if [ "${1#-}" != "$1" ]; then