diff --git a/inventory/host_vars/masto1.dmz.mateu.be.yml b/inventory/host_vars/masto1.dmz.mateu.be.yml index 1f0bf29..7cd91f9 100644 --- a/inventory/host_vars/masto1.dmz.mateu.be.yml +++ b/inventory/host_vars/masto1.dmz.mateu.be.yml 
@@ -1,12 +1,112 @@ --- web_hostname: - host: m.nintendojo.fr + type: mastodon restic_backup_path: - /srv - /etc - /var/lib/oolatoocs +# Mastodon PostgreSQL secrets +mastodon_pg_role: "mastodon_ndfr" +mastodon_pg_database: "mastodon_prod_ndfr" +mastodon_pg_password: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 38326531306236336139326565623536623134303733303266613337303965313335376435623266 + 6234316132666139323162313065646631386162333938660a366238666433343062373861366463 + 37633239626230646633633830396161313838626238636633626466333639616637636535333530 + 3935373066306663640a643064383934326431383937353964316635623266666538336631303161 + 3939 + +# Mastodon secrets +## General secrets +mastodon_paperclip_secret: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 62356639646630613338316435613639623164636130333739613136363162396132383261376166 + 3834333636663930383839376532323066613433626534620a633066616534346537643166663937 + 62623637333131653766646661306631613838373063626534373439373931366432383932623436 + 6134343133343132350a303134613830383162306233353833353839373033663061316236656236 + 36666539333265383463333137356136316436663638653462313335303034656661626262653836 + 32363765376665666264623632356261323262613131363330336536353933616462613863633233 + 66333562383530313238313032623338626133646465656531323237343234363864366132306266 + 39363632336538306136343861303734623165663665633464656431363462333563663635663733 + 35613234363336653538626631353961333062653032343035323030303865643365313738393461 + 39373237633231386234643330346530373630356165613564386339373830363261653532393362 + 353136396366646434663336366663666631 +mastodon_secret_key_base: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 36356264653537343438663134343130363464636133396662613039376633316464613764383930 + 3331623836383834643165643161646566306136613838650a366535306462643830656364373637 + 66653130343236336338323461613232636662353138643937336361636434306465373832636539 + 
6139373430633664640a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mastodon_otp_secret: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 64346433636437366464346363386162613732636163653138346265633063643034396166663461 + 3539623238636239343563336134633138393536656665330a323433306530383937333534343430 + 65643538373564653031323330343634616630666130663565366137303965323834393333366137 + 3132303135323632630a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mastodon_vapid_private_key: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 62346439353134323539326165363165616530396138643138306364646436623233386165616666 + 3732653661313734646438653864356662323835613463610a373137366266303432643938663639 + 66633036343165363966343936343565336662393433313331373065663530356238363965653763 + 6539626132356365300a303533666265613231306438393436376630303131386138643036383461 + 38366162666333363735373532643664383163333538383066633733656538376462636532356364 + 6435653564373236383165303265353037633864376636323535 +## Mastodon S3 secrets +mastodon_aws_access_key_id: "GK311623e87df4af45e1058dbc" +mastodon_aws_secret_access_key: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 35346263663163633261626239363333356534646231353132346336336435313362356137383830 + 3033643135353530653264386537343135306666313438620a323863353935653530353966623766 + 38353339303661633761376362663834353861386533326333333238356564663365636437393431 + 6362393032373236620a316439616131643533346635333336366266323566306631386434363665 + 32316563373365306462393634336665633362356637663264353065353132373937343764363539 + 33303836613466306631386137643436386566376363646430323062646537656637633064353338 + 38313030393431626230613231633761646265363161363665323134663135346236333937666362 + 30636665323134363666 +## Mastodon encryption secrets +mastodon_active_record_encryption_deterministic_key: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 61643236343164626332383932636664323337346464363131623532346561646666323961313139 + 
3931353234646134636439346462643162316434616338640a613264343562313531666664333730 + 61623035613931643664323865396664386439343630363766643035353565333835623831613830 + 3638366232333539300a386233366536633236396239666232343366613165356538326435666161 + 63653435626530356135353363383462316663663330393233633562636530663066663165613530 + 3039333032376636386366633562396662613331383539383931 +mastodon_active_record_encryption_key_derivation_salt: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 66633965356337393533313030666265656537663665623165663530393333633133646661643531 + 3338333266663163333334643437393331343763363964320a383661373933333333366466653265 + 34323231336161663330383961333333666463666535343632333361323736656632626538333639 + 3165303531613364650a623965643266653265396235316539383231363762323532343430343865 + 30633631653964316335303661333332336265663063386535613537653633656234383938366362 + 6566316231343430643363666635633530643737333036313637 +mastodon_active_record_encryption_primary_key: !vault | + $ANSIBLE_VAULT;1.1;AES256 + 61613635373366333265646163346336653235323935313363323965336331303630666438633134 + 3563306536623539653365656564663139396537376134320a623336636164626332346431643764 + 63653564386136623138376233386136613730633830616236663964366539333536616435653232 + 3765356536396538320a343032666362323663383739643036646138333161613536613066626564 + 34653636333063663166613734396134333532393631333131366639653138376363343331643730 + 6435316130633937313962303864626466366365386664386238 + +# Oolatoocs secrets oolatoocs_mastodon_client_id: !vault | $ANSIBLE_VAULT;1.1;AES256 33376330656465393935313536363662303237613035633333303230353565386463336230383537 
@@ -15,7 +115,6 @@ oolatoocs_mastodon_client_id: !vault |
 3836663461363334320a613461393030353363373036633638333765353966326365613161633736
 36353661376664613564376137343833633433663231633631333638616533366366326330616363
 3535393939396462306335373661353766306564333463306363
-
 oolatoocs_mastodon_client_secret: !vault |
 $ANSIBLE_VAULT;1.1;AES256
 32656635353435643736373365333833336563356166343466653536333832366533303665383736
@@ -24,7 +123,6 @@ oolatoocs_mastodon_client_secret: !vault |
 3136396635393730640a326265373031373334616466346130303162353561663037313761303863
 39333064386333626463613962613337313337383539613064376238613535663261326638656666
 6637363263653363353632633135306465646638643030373031
-
 oolatoocs_mastodon_token: !vault |
 $ANSIBLE_VAULT;1.1;AES256
 33373734653834616330386266303939353133646231643862363136353739316462633264316433
@@ -33,7 +131,6 @@ oolatoocs_mastodon_token: !vault |
 3965653432336431320a666634666634366365653633643233623934653536666538656662626364
 65313464303962396564313964393035316134643438346465613863646531633166613735656635
 3430333662323936363534666262383262646337306164616162
-
 oolatoocs_bluesky_password: !vault |
 $ANSIBLE_VAULT;1.1;AES256
 36663061363036393565333636356336633361376563383630323632323635636465633231333532
diff --git a/roles/mastodon/handlers/main.yml b/roles/mastodon/handlers/main.yml
new file mode 100644
index 0000000..1ae9e4d
--- /dev/null
+++ b/roles/mastodon/handlers/main.yml
@@ -0,0 +1,12 @@
+---
+
+- name: Restart mastodon
+ ansible.builtin.systemd:
+ name: "{{ item }}"
+ daemon_reload: true
+ state: restarted
+ enabled: true
+ loop:
+ - "mastodon-sidekiq.service"
+ - "mastodon-streaming@4000.service"
+ - "mastodon-web.service"
diff --git a/roles/mastodon/tasks/db.yml b/roles/mastodon/tasks/db.yml
new file mode 100644
index 0000000..1569023
--- /dev/null
+++ b/roles/mastodon/tasks/db.yml
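Review bot: The `Restart mastodon` handler also carries `enabled: true` and `daemon_reload: true`, so every notification re-enables the three units (undoing a deliberate `systemctl disable`) and reloads the systemd daemon once per loop item; a restart handler should only restart. Move enabling to the regular task that installs the unit files and reduce the handler to `state: restarted`, keeping a single `daemon_reload` there only if unit files can change between runs. The streaming instance `mastodon-streaming@4000.service` hard-codes the port; presumably the same 4000 appears in a unit or proxy config outside this diff, so a shared variable would keep the two in step.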
@@ -0,0 +1,15 @@
+---
+
+- name: Create mastodon db role
+ become_user: postgres
+ become: true
+ community.postgresql.postgresql_user:
+ name: "{{ mastodon_pg_role }}"
+ password: "{{ mastodon_pg_password }}"
+
+- name: Create mastodon db
+ become_user: postgres
+ become: true
+ community.postgresql.postgresql_db:
+ name: "{{ mastodon_pg_database }}"
+ owner: "{{ mastodon_pg_role }}"
diff --git a/roles/mastodon/tasks/main.yml b/roles/mastodon/tasks/main.yml
index 6f7a9a3..f828710 100644
--- a/roles/mastodon/tasks/main.yml
+++ b/roles/mastodon/tasks/main.yml
@@ -1,5 +1,8 @@
 ---
+- name: Init db
+ ansible.builtin.include_tasks: db.yml
+
 - name: Create mastodon user
 ansible.builtin.user:
 name: mastodon
@@ -63,5 +66,15 @@
 - name: Install mastodon
 ansible.builtin.include_tasks: mastodon.yml
+- name: Put env file
+ ansible.builtin.template:
+ src: "env.production.j2"
+ dest: "{{ mastodon_home }}/live/.env.production"
+ user: mastodon
+ group: mastodon
+ mode: "0o600"
+ notify:
+ - Restart mastodon
+
 - name: Install tootctl cron
 ansible.builtin.include_tasks: cron.yml
diff --git a/roles/mastodon/templates/env.production.j2 b/roles/mastodon/templates/env.production.j2
new file mode 100644
index 0000000..7403c09
--- /dev/null
+++ b/roles/mastodon/templates/env.production.j2
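Review bot: `Create mastodon db role` passes `password: "{{ mastodon_pg_password }}"` without `no_log: true`, so a verbose run or a logging callback can print the vaulted value if the module does not mask it itself; add `no_log: true` to that task. The `community.postgresql.postgresql_user` argument spec may already flag `password` as sensitive, but an explicit `no_log` on the task makes the intent visible and does not depend on module internals.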
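Review bot: `Put env file` uses `user: mastodon`, which is not a parameter of `ansible.builtin.template` — the ownership parameter is `owner`, so the play will stop with an unsupported-parameter error on its first run; change the line to `owner: mastodon`. The mode is written as `"0o600"`; Ansible's documented form is a quoted octal string such as `"0600"`, so either confirm the `0o` prefix is accepted by the ansible-core version in use or write `mode: "0600"`. The `Init db` include is placed before `Create mastodon user`, which is fine since it runs as `postgres`, but the env file is only rendered after `Install mastodon`; if mastodon.yml (outside this diff) runs any database setup, it would do so without `.env.production` in place, so that ordering is worth checking.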
@@ -0,0 +1,48 @@
+# Service dependencies
+REDIS_HOST=localhost
+REDIS_PORT=6379
+DB_HOST=/var/run/postgresql
+DB_USER={{ mastodon_pg_role }}
+DB_NAME={{ mastodon_pg_database }}
+DB_PASS={{ mastodon_pg_password }}
+DB_PORT=5432
+DB_POOL=5
+
+# Federation
+LOCAL_DOMAIN={{ mastodon_access_url }}
+LOCAL_HTTPS=true
+
+# Application secrets
+PAPERCLIP_SECRET={{ mastodon_paperclip_secret }}
+SECRET_KEY_BASE={{ mastodon_secret_key_base }}
+OTP_SECRET={{ mastodon_otp_secret }}
+VAPID_PRIVATE_KEY={{ mastodon_vapid_private_key }}
+VAPID_PUBLIC_KEY=BCSXQli-mN6ociCWZ900DcLEgxz0J533PjltXn25PgwAV7CVuySi_mrwr5ldd5rzEUHh3U7opcUxG8iSRV7Ohqo=
+
+# E-mail configuration
+SMTP_SERVER=127.0.0.1
+SMTP_PORT=25
+SMTP_AUTH_METHOD=none
+SMTP_OPENSSL_VERIFY_MODE=none
+SMTP_FROM_ADDRESS=mastodon@nintendojo.fr
+SMTP_ENABLE_STARTTLS=auto
+
+# S3 storage configuration
+S3_ENABLED=true
+S3_BUCKET=mastodon-ndfr
+AWS_ACCESS_KEY_ID={{ mastodon_aws_access_key_id }}
+AWS_SECRET_ACCESS_KEY={{ mastodon_aws_secret_access_key }}
+S3_ALIAS_HOST=medias.m.nintendojo.fr
+S3_REGION=garage
+S3_ENDPOINT=https://garage.mateu.be
+
+# ES
+ES_ENABLED=true
+ES_HOST=es1.dmz.mateu.be
+ES_PORT=9200
+ES_PREFIX=ndfr
+
+# Encryption
+ACTIVE_RECORD_ENCRYPTION_DETERMINISTIC_KEY={{ mastodon_active_record_encryption_deterministic_key }}
+ACTIVE_RECORD_ENCRYPTION_KEY_DERIVATION_SALT={{ mastodon_active_record_encryption_key_derivation_salt }}
+ACTIVE_RECORD_ENCRYPTION_PRIMARY_KEY={{ mastodon_active_record_encryption_primary_key }}
diff --git a/roles/mastodon/vars/main.yml b/roles/mastodon/vars/main.yml
index dbdbe21..d63d2be 100644
--- a/roles/mastodon/vars/main.yml
+++ b/roles/mastodon/vars/main.yml
@@ -11,3 +11,4 @@ mastodon_yarn_key_path: "/usr/share/keyrings/yarnkey.gpg"
 mastodon_ruby_version: "3.3.5"
 mastodon_home: "/srv/mastodon"
+mastodon_access_url: "{{ web_hostname | selectattr('type', 'defined') | selectattr('type', '==', 'mastodon') | map(attribute='host') | first }}"
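Review bot: Several values in this role-level template are specific to one instance — `VAPID_PUBLIC_KEY=…`, `S3_BUCKET=mastodon-ndfr`, `S3_ALIAS_HOST=medias.m.nintendojo.fr`, `SMTP_FROM_ADDRESS=mastodon@nintendojo.fr`, `ES_PREFIX=ndfr` — so a second host applying this role would reuse the first host's bucket and Web Push key pair; they belong in host_vars like the other `mastodon_*` values in this commit (e.g. `VAPID_PUBLIC_KEY={{ mastodon_vapid_public_key }}`), the public key especially, since it must match the vaulted private key. `SMTP_OPENSSL_VERIFY_MODE=none` disables certificate verification on the mail connection; it is acceptable only because `SMTP_SERVER=127.0.0.1` is a loopback relay, so a comment above it such as `# loopback relay: certificate verification intentionally off, do not reuse for a remote SMTP server` records that and discourages copy-paste. The Elasticsearch block points at `es1.dmz.mateu.be` on 9200 with no `ES_USER`/`ES_PASS`; if that host is reachable from anything other than this node, the index is unauthenticated, which is worth confirming against the ES host's own configuration.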
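Review bot: `mastodon_access_url` is defined in `vars/main.yml`, where role vars outrank inventory, so a host cannot override the derived value; if that is intended a comment saying so helps, otherwise `defaults/main.yml` is the usual place for it. The expression ends in `| first`, which errors when no `web_hostname` entry carries `type: mastodon`; that fail-fast is desirable but the message is generic, so a comment above the line like `# host of the web_hostname entry tagged type: mastodon; fails if none is tagged` would save debugging time. The name suggests a URL but the value is a bare host consumed as `LOCAL_DOMAIN`; `mastodon_local_domain` would describe it more accurately.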