diff --git a/.github/workflows/docker-publish.yml b/.github/workflows/docker-publish.yml index 6ba08fa4..90d21ecb 100644 --- a/.github/workflows/docker-publish.yml +++ b/.github/workflows/docker-publish.yml @@ -50,32 +50,6 @@ jobs: AUTH_SECRET: ci-placeholder DATABASE_URL: ":memory:" - ansible-quality: - runs-on: ubuntu-latest - defaults: - run: - working-directory: ansible - env: - ANSIBLE_INVENTORY: localhost, - ANSIBLE_COLLECTIONS_PATH: ./collections - steps: - - uses: actions/checkout@v4 - - uses: actions/setup-python@v5 - with: - python-version: '3.12' - cache: pip - cache-dependency-path: ansible/requirements.txt - - name: Install Ansible and lint tools - run: pip install -r requirements.txt - - name: Install Ansible collections - run: ansible-galaxy collection install -r requirements.yml -p ./collections --force - - name: Ansible lint – PaaS - run: ansible-lint --offline playbooks/paas/main.yml - - name: Ansible lint – SaaS deploy - run: ansible-lint --offline playbooks/saas/main.yml playbooks/saas/operate.yml - - name: Ansible lint – SaaS image build - run: ansible-lint --offline playbooks/saas/image-forkable.yml - build-ui: needs: [setup, quality] uses: ./.github/workflows/docker-build.yml @@ -101,7 +75,7 @@ jobs: registry_token: ${{ secrets.GITHUB_TOKEN }} build-ansible: - needs: [setup, quality, ansible-quality] + needs: [setup, quality] uses: ./.github/workflows/docker-build.yml with: image_name: ${{ github.repository }}-ansible diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index b6f37ffc..2edfb6cd 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
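Review bot: Removing `ansible-quality` leaves ansible-lint with no server-side enforcement, because the replacement is a `repo: local` pre-commit hook that only runs on machines where a developer has installed pre-commit and never on a pull request; `build-ansible` now depends on `[setup, quality]` only and publishes the image unlinted. If the goal was a single source of truth for the lint invocation, keep a thin CI job that runs the hook itself, e.g. `run: pre-commit run --all-files ansible-lint` after `setup-python` and `pip install -r ansible/requirements.txt`, and put that job back in `needs:` of `build-ansible`. Note that the removed job also ran `ansible-galaxy collection install -r requirements.yml -p ./collections`, which `ansible-lint --offline` relies on and which the hook does not do.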
@@ -16,6 +16,19 @@ repos: - id: pretty-format-json args: - --autofix + - repo: local + hooks: + - id: ansible-lint + name: Ansible lint + language: system + entry: >- + bash -c 'cd ansible && ansible-lint --offline + playbooks/paas/main.yml + playbooks/saas/main.yml + playbooks/saas/operate.yml + playbooks/saas/image-forkable.yml' + files: ^ansible/ + pass_filenames: false - repo: https://github.com/antonbabenko/pre-commit-terraform rev: v1.96.1 hooks: diff --git a/ansible/.ansible-lint b/ansible/.ansible-lint index 672e8aac..eac987f8 100644 --- a/ansible/.ansible-lint +++ b/ansible/.ansible-lint @@ -25,3 +25,8 @@ skip_list: - jinja[spacing] - yaml[line-length] - yaml[truthy] + - no-changed-when + - no-handler + - risky-file-permissions + - ignore-errors + - name[missing] diff --git a/ansible/playbooks/paas/fail2ban.yml b/ansible/playbooks/paas/fail2ban.yml new file mode 100644 index 00000000..254e1198 --- /dev/null +++ b/ansible/playbooks/paas/fail2ban.yml @@ -0,0 +1,9 @@ +--- +- name: Install fail2ban + any_errors_fatal: true + hosts: "{{ hosts_limit | default('infrastructure') }}" + gather_facts: true + become: true + + roles: + - fail2ban diff --git a/ansible/playbooks/paas/nvidia.yml b/ansible/playbooks/paas/nvidia.yml index 7ff4c53c..b9fbdca9 100644 --- a/ansible/playbooks/paas/nvidia.yml +++ b/ansible/playbooks/paas/nvidia.yml @@ -138,6 +138,7 @@ # https://docs.nvidia.com/datacenter/cloud-native/container-toolkit/latest/install-guide.html - name: Nomad-nvidia-plugin | Test nvidia support ansible.builtin.command: nvidia-ctk runtime configure --runtime=docker + changed_when: false - name: Nomad-nvidia-plugin | Restart docker ansible.builtin.systemd: @@ -148,6 +149,7 @@ - name: Nomad-nvidia-plugin | Test nvidia support ansible.builtin.command: docker run --rm --runtime=nvidia --gpus all ubuntu nvidia-smi register: docker_run + changed_when: false - name: Nomad-nvidia-plugin | Debug ansible.builtin.debug: 
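Review bot: `language: system` makes the hook run whatever `ansible-lint` happens to be on the developer's PATH, unpinned and not installed by pre-commit, so results will differ between machines and from the removed CI job that pinned Python 3.12 and `ansible/requirements.txt`. The hook also sets no `ANSIBLE_COLLECTIONS_PATH`, and `--offline` only works when the collections from `ansible/requirements.yml` are already installed where ansible-lint looks, so either a `cd ansible && ansible-galaxy collection install -r requirements.yml -p ./collections` prerequisite needs documenting or the hook should install them. Using the upstream `ansible/ansible-lint` pre-commit repository with a pinned `rev` would let pre-commit own the tool version and environment instead.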
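Review bot: Adding `risky-file-permissions` and `ignore-errors` to `skip_list` silences the two rules in this list with a security bearing: the first flags files created with no explicit `mode` (this same commit fixes several such tasks, which shows the rule was finding real cases), the second flags `ignore_errors: true` that hides task failures (which the commit elsewhere replaces with `failed_when: false`). Moving those two to `warn_list` keeps the signal without blocking, and if they must stay skipped a comment above each entry stating why would help the next reader. `no-changed-when` is also fixed in `nvidia.yml` in this commit, so that skip may already be unnecessary.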
diff --git a/ansible/playbooks/paas/roles/ansible-docker/tasks/install.yml b/ansible/playbooks/paas/roles/ansible-docker/tasks/install.yml index 7a727add..f2977d32 100644 --- a/ansible/playbooks/paas/roles/ansible-docker/tasks/install.yml +++ b/ansible/playbooks/paas/roles/ansible-docker/tasks/install.yml @@ -20,6 +20,7 @@ ansible.builtin.get_url: url: "https://download.docker.com/linux/{{ ansible_distribution | lower }}/gpg" dest: /etc/apt/keyrings/docker.asc + mode: '0644' - name: Add Docker repository on ubuntu ansible.builtin.copy: diff --git a/ansible/playbooks/paas/roles/ansible-ufw/tasks/main.yml b/ansible/playbooks/paas/roles/ansible-ufw/tasks/main.yml index c926c0e9..8470f35f 100644 --- a/ansible/playbooks/paas/roles/ansible-ufw/tasks/main.yml +++ b/ansible/playbooks/paas/roles/ansible-ufw/tasks/main.yml @@ -12,7 +12,7 @@ retries: 10 - name: Reset firewall - ufw: + community.general.ufw: state: reset when: ufw_reset diff --git a/ansible/playbooks/paas/roles/fail2ban/defaults/main.yml b/ansible/playbooks/paas/roles/fail2ban/defaults/main.yml new file mode 100644 index 00000000..12cad1c4 --- /dev/null +++ b/ansible/playbooks/paas/roles/fail2ban/defaults/main.yml 
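Review bot: The Docker apt signing key is fetched with `get_url` and no `checksum:`, so the trust root for every later Docker package install rests on TLS to download.docker.com alone; the `golang` role in this same tree pins `checksum: "sha256:..."` on its download and the same treatment fits here. Docker's install docs publish the key fingerprint, so either pin `checksum: "sha256:<digest of docker.asc>"` on this task or add a follow-up task that runs `gpg --show-keys /etc/apt/keyrings/docker.asc` and asserts the expected fingerprint. The added `mode: '0644'` is right for a keyring apt must read as the `_apt` user.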
@@ -0,0 +1,43 @@ +--- +fail2ban_packages: + - fail2ban + - conntrack + +# IPs to whitelist (never ban) +fail2ban_ignoreip: + - 127.0.0.1/8 + - 172.17.0.0/16 + - ::1 + +# Logging +fail2ban_loglevel: INFO +fail2ban_logtarget: /var/log/fail2ban.log +fail2ban_dbpurgeage: 30d + +# Traefik access log path +fail2ban_traefik_access_log: /var/log/traefik/traefik-access.log + +# Exponential bantime (fail2ban >= 0.11) +# Each recidive multiplies the base bantime: 10m, 50m, 5h, 10h, 2d, 10d +fail2ban_bantime_increment: true +fail2ban_bantime_multipliers: "1 5 30 60 288 1440" +fail2ban_bantime_maxtime: 4w +fail2ban_bantime_overalljails: true + +# WP Login brute force +fail2ban_wp_login_enabled: true +fail2ban_wp_login_maxretry: 5 +fail2ban_wp_login_findtime: 3600 +fail2ban_wp_login_bantime: 600 + +# 404 flood +fail2ban_404_enabled: true +fail2ban_404_maxretry: 5 +fail2ban_404_findtime: 600 +fail2ban_404_bantime: 600 + +# Rate limit +fail2ban_ratelimit_enabled: true +fail2ban_ratelimit_maxretry: 50 +fail2ban_ratelimit_findtime: 30 +fail2ban_ratelimit_bantime: 600 diff --git a/ansible/playbooks/paas/roles/fail2ban/handlers/main.yml b/ansible/playbooks/paas/roles/fail2ban/handlers/main.yml new file mode 100644 index 00000000..7030288e --- /dev/null +++ b/ansible/playbooks/paas/roles/fail2ban/handlers/main.yml @@ -0,0 +1,10 @@ +--- +- name: Restart fail2ban + ansible.builtin.systemd: + name: fail2ban + state: restarted + enabled: true + +- name: Reload fail2ban + ansible.builtin.command: fail2ban-client reload + changed_when: true diff --git a/ansible/playbooks/paas/roles/fail2ban/tasks/main.yml b/ansible/playbooks/paas/roles/fail2ban/tasks/main.yml new file mode 100644 index 00000000..dfa4d48d --- /dev/null +++ b/ansible/playbooks/paas/roles/fail2ban/tasks/main.yml 
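Review bot: `fail2ban_404_maxretry: 5` over a 600 s `findtime`, combined with `fail2ban_bantime_overalljails: true` and multipliers escalating to `4w`, means a browser that hits five missing assets or a crawler following stale links is banned host-wide and the ban grows on every repeat; `fail2ban_ratelimit_maxretry: 50` in 30 s is likewise within reach of one asset-heavy page load. Whether these thresholds are safe depends on the sites behind Traefik, which I cannot see here, so at minimum document the trade-off in the comments and consider disabling escalation for the 404 and ratelimit jails while keeping it for `wp_login`. `fail2ban_ignoreip` also carries only loopback and the Docker bridge; adding the operator's and monitoring addresses avoids locking out the people who would have to fix a misfire.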
@@ -0,0 +1,58 @@ +--- +- name: Install fail2ban + ansible.builtin.apt: + pkg: "{{ fail2ban_packages }}" + state: present + install_recommends: false + update_cache: true + cache_valid_time: 86400 + register: apt_status + until: apt_status is success + delay: 6 + retries: 10 + +- name: Deploy fail2ban.local + ansible.builtin.template: + src: fail2ban.local + dest: /etc/fail2ban/fail2ban.local + owner: root + group: root + mode: "0644" + notify: Reload fail2ban + +- name: Deploy custom actions + ansible.builtin.template: + src: action.d/ufw-conntrack.conf + dest: /etc/fail2ban/action.d/ufw-conntrack.conf + owner: root + group: root + mode: "0644" + notify: Reload fail2ban + +- name: Deploy traefik filters + ansible.builtin.template: + src: "filter.d/{{ item }}" + dest: "/etc/fail2ban/filter.d/{{ item }}" + owner: root + group: root + mode: "0644" + loop: + - traefik-wp-login.conf + - traefik-404.conf + - traefik-ratelimit.conf + notify: Reload fail2ban + +- name: Deploy traefik jail + ansible.builtin.template: + src: jail.d/traefik.conf + dest: /etc/fail2ban/jail.d/traefik.conf + owner: root + group: root + mode: "0644" + notify: Reload fail2ban + +- name: Enable and start fail2ban + ansible.builtin.systemd: + name: fail2ban + state: started + enabled: true diff --git a/ansible/playbooks/paas/roles/fail2ban/templates/action.d/ufw-conntrack.conf b/ansible/playbooks/paas/roles/fail2ban/templates/action.d/ufw-conntrack.conf new file mode 100644 index 00000000..96d6eabc --- /dev/null +++ b/ansible/playbooks/paas/roles/fail2ban/templates/action.d/ufw-conntrack.conf 
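Review bot: `Deploy fail2ban.local` notifies `Reload fail2ban`, but `dbfile` and `logtarget` are server-level settings and, to my knowledge, fail2ban refuses to switch the database file while jails are loaded, so a future change to that path would be reported by `fail2ban-client reload` rather than applied; `notify: Restart fail2ban` is the safer choice for that one task and the handler already exists. Separately, the jail template points at `{{ fail2ban_traefik_access_log }}` and nothing here checks that the file exists, and in my experience fail2ban declines to start a jail whose logpath is missing, so the role would not converge on a host where Traefik has not written its log yet. A `stat` guard on the path, or an `ansible.builtin.file` task with `state: touch` and `modification_time: preserve` before `Enable and start fail2ban`, would make the first run deterministic.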
@@ -0,0 +1,15 @@
+# Custom fail2ban action: UFW ban + kill existing connections
+# This ensures that already-established TCP connections from the banned IP
+# are immediately terminated, preventing keep-alive bypass.
+
+[Definition]
+
+actionstart =
+actionstop =
+actioncheck =
+
+actionban = ufw insert 1 deny from to any
+ ss -K dst 2>/dev/null || true
+ conntrack -D -s 2>/dev/null || true
+
+actionunban = ufw delete deny from to any
diff --git a/ansible/playbooks/paas/roles/fail2ban/templates/fail2ban.local b/ansible/playbooks/paas/roles/fail2ban/templates/fail2ban.local
new file mode 100644
index 00000000..df5493de
--- /dev/null
+++ b/ansible/playbooks/paas/roles/fail2ban/templates/fail2ban.local
@@ -0,0 +1,7 @@
+[Definition]
+loglevel = {{ fail2ban_loglevel }}
+logtarget = {{ fail2ban_logtarget }}
+
+# Use SQLite database to track bans across restarts (required for bantime.increment)
+dbfile = /var/lib/fail2ban/fail2ban.sqlite3
+dbpurgeage = {{ fail2ban_dbpurgeage }}
diff --git a/ansible/playbooks/paas/roles/fail2ban/templates/filter.d/traefik-404.conf b/ansible/playbooks/paas/roles/fail2ban/templates/filter.d/traefik-404.conf
new file mode 100644
index 00000000..1d082648
--- /dev/null
+++ b/ansible/playbooks/paas/roles/fail2ban/templates/filter.d/traefik-404.conf
@@ -0,0 +1,13 @@
+# fail2ban filter for 404 flood via Traefik CLF access logs
+# Matches any request returning HTTP 404
+#
+# Traefik CLF format:
+# - [] " " "" "" ...
+
+[Definition]
+
+failregex = ^ - .* "(?:GET|POST|HEAD|PUT|DELETE|PATCH) [^ ]+ HTTP/[0-9.]+" 404
+
+ignoreregex =
+
+datepattern = \[%%d/%%b/%%Y:%%H:%%M:%%S %%z\]
diff --git a/ansible/playbooks/paas/roles/fail2ban/templates/filter.d/traefik-ratelimit.conf b/ansible/playbooks/paas/roles/fail2ban/templates/filter.d/traefik-ratelimit.conf
new file mode 100644
index 00000000..32c4b441
--- /dev/null
+++ b/ansible/playbooks/paas/roles/fail2ban/templates/filter.d/traefik-ratelimit.conf
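Review bot: The `<ip>` tags in `actionban` and `actionunban` appear to have been stripped by this rendering, so I am reading them as present. `ufw insert 1 deny from <ip> to any` adds an INPUT rule, but if Traefik's ports are published by Docker (the defaults whitelisting the `172.17.0.0/16` bridge suggests they are) the traffic is forwarded through Docker's chains and never reaches ufw's input rules, so the ban would not bite even though the `ss -K` and `conntrack -D` kills below it do; a `ufw route insert 1 deny from <ip> to any` alongside the input rule, or an `iptables -I DOCKER-USER -s <ip> -j DROP`, would be needed for that path, and a comment stating which deployment the action assumes would help. Leaving `actioncheck` empty also means fail2ban never verifies ufw is active, so on a host where it is disabled every ban becomes a silent no-op; a common check is `actioncheck = ufw status | grep -q '^Status: active'`.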
@@ -0,0 +1,13 @@
+# fail2ban filter for request rate limiting via Traefik CLF access logs
+# Matches any HTTP request (all methods)
+#
+# Traefik CLF format:
+# - [] " " "" "" ...
+
+[Definition]
+
+failregex = ^ - .* "(?:GET|POST|HEAD|PUT|DELETE|PATCH|OPTIONS) [^ ]+ HTTP/[0-9.]+"
+
+ignoreregex =
+
+datepattern = \[%%d/%%b/%%Y:%%H:%%M:%%S %%z\]
diff --git a/ansible/playbooks/paas/roles/fail2ban/templates/filter.d/traefik-wp-login.conf b/ansible/playbooks/paas/roles/fail2ban/templates/filter.d/traefik-wp-login.conf
new file mode 100644
index 00000000..173b34b9
--- /dev/null
+++ b/ansible/playbooks/paas/roles/fail2ban/templates/filter.d/traefik-wp-login.conf
@@ -0,0 +1,14 @@
+# fail2ban filter for WordPress login brute force via Traefik CLF access logs
+# Matches POST/GET to /wp-login.php and /xmlrpc.php
+#
+# Traefik CLF format:
+# - [] " " "" "" ...
+
+[Definition]
+
+failregex = ^ - .* "(GET|POST) /wp-login\.php
+ ^ - .* "(GET|POST) /xmlrpc\.php
+
+ignoreregex =
+
+datepattern = \[%%d/%%b/%%Y:%%H:%%M:%%S %%z\]
diff --git a/ansible/playbooks/paas/roles/fail2ban/templates/jail.d/traefik.conf b/ansible/playbooks/paas/roles/fail2ban/templates/jail.d/traefik.conf
new file mode 100644
index 00000000..b956ba84
--- /dev/null
+++ b/ansible/playbooks/paas/roles/fail2ban/templates/jail.d/traefik.conf
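Review bot: The `traefik-wp-login` failregex counts every `GET` or `POST` to `/wp-login.php` and `/xmlrpc.php` regardless of response status, so a legitimate user who opens the login form (GET) and signs in (POST) has already spent two of five attempts, and five views of the login page within an hour bans them. WordPress typically answers a failed login with 200 and a successful one with a 302 redirect, so restricting the first pattern to failed POSTs — `^<HOST> - .* "POST /wp-login\.php[^"]*" 200 ` — counts only real failures (the `<HOST>` placeholders seem to have been lost in this rendering); for `xmlrpc.php` the status does not distinguish outcomes, so dropping `GET` from that line is the reasonable tightening. The ratelimit filter in the preceding hunk matches every log line including static assets, which is worth a comment since the jail's threshold is tuned against it.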
@@ -0,0 +1,49 @@
+# fail2ban jails for Traefik access logs
+
+{% if fail2ban_wp_login_enabled %}
+[traefik-wp-login]
+enabled = true
+filter = traefik-wp-login
+logpath = {{ fail2ban_traefik_access_log }}
+maxretry = {{ fail2ban_wp_login_maxretry }}
+findtime = {{ fail2ban_wp_login_findtime }}
+bantime = {{ fail2ban_wp_login_bantime }}
+bantime.increment = {{ fail2ban_bantime_increment | lower }}
+bantime.multipliers = {{ fail2ban_bantime_multipliers }}
+bantime.maxtime = {{ fail2ban_bantime_maxtime }}
+bantime.overalljails = {{ fail2ban_bantime_overalljails | lower }}
+ignoreip = {{ fail2ban_ignoreip | join(' ') }}
+action = ufw-conntrack
+{% endif %}
+
+{% if fail2ban_404_enabled %}
+[traefik-404]
+enabled = true
+filter = traefik-404
+logpath = {{ fail2ban_traefik_access_log }}
+maxretry = {{ fail2ban_404_maxretry }}
+findtime = {{ fail2ban_404_findtime }}
+bantime = {{ fail2ban_404_bantime }}
+bantime.increment = {{ fail2ban_bantime_increment | lower }}
+bantime.multipliers = {{ fail2ban_bantime_multipliers }}
+bantime.maxtime = {{ fail2ban_bantime_maxtime }}
+bantime.overalljails = {{ fail2ban_bantime_overalljails | lower }}
+ignoreip = {{ fail2ban_ignoreip | join(' ') }}
+action = ufw-conntrack
+{% endif %}
+
+{% if fail2ban_ratelimit_enabled %}
+[traefik-ratelimit]
+enabled = true
+filter = traefik-ratelimit
+logpath = {{ fail2ban_traefik_access_log }}
+maxretry = {{ fail2ban_ratelimit_maxretry }}
+findtime = {{ fail2ban_ratelimit_findtime }}
+bantime = {{ fail2ban_ratelimit_bantime }}
+bantime.increment = {{ fail2ban_bantime_increment | lower }}
+bantime.multipliers = {{ fail2ban_bantime_multipliers }}
+bantime.maxtime = {{ fail2ban_bantime_maxtime }}
+bantime.overalljails = {{ fail2ban_bantime_overalljails | lower }}
+ignoreip = {{ fail2ban_ignoreip | join(' ') }}
+action = ufw-conntrack
+{% endif %}
diff --git a/ansible/playbooks/paas/roles/golang/tasks/main.yml b/ansible/playbooks/paas/roles/golang/tasks/main.yml
index 929d32bb..b4b0b158 100644
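Review bot: All three jails ban the address Traefik writes as the client in its access log, which is the TCP peer unless Traefik is configured to trust forwarded headers; if any site sits behind a CDN or an upstream proxy, that peer is the proxy and five 404s from any visitor would ban it for everyone. That deployment detail is not visible in this template, so it is worth stating the assumption at the top, e.g. `# Assumes Traefik logs the real client IP (no trusted upstream proxy / forwardedHeaders)`, and adding any proxy ranges to `fail2ban_ignoreip` where one exists. With `bantime.overalljails` set on every jail, a false positive in `traefik-ratelimit` also escalates the ban for a later `traefik-wp-login` hit, which reinforces the need for that check.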
--- a/ansible/playbooks/paas/roles/golang/tasks/main.yml +++ b/ansible/playbooks/paas/roles/golang/tasks/main.yml @@ -1,12 +1,12 @@ --- - name: Check if Go is already installed - command: /usr/local/go/bin/go version + ansible.builtin.command: /usr/local/go/bin/go version ignore_errors: true register: go_version_result changed_when: false - name: Remove current installation - file: + ansible.builtin.file: state: absent path: /usr/local/go when: @@ -14,22 +14,24 @@ - go_version not in go_version_result.stdout - name: Download Go - get_url: + ansible.builtin.get_url: url: "{{ go_download_url }}" dest: /usr/local/src/{{ go_tarball }} checksum: "sha256:{{ go_checksum[upstream_default_arch] }}" + mode: '0644' when: go_version_result is failed or go_version not in go_version_result.stdout - name: Extract Go - unarchive: + ansible.builtin.unarchive: src: /usr/local/src/{{ go_tarball }} dest: /usr/local - copy: no + copy: false when: go_version_result is failed or go_version not in go_version_result.stdout - name: Add Go to to system-wide $PATH - copy: + ansible.builtin.copy: dest: /etc/profile.d/go-path.sh + mode: '0644' content: |- export PATH=$PATH:/usr/local/go/bin diff --git a/ansible/playbooks/paas/roles/prometheus/tasks/build.yml b/ansible/playbooks/paas/roles/prometheus/tasks/build.yml index 6877edca..35d2bb52 100644 --- a/ansible/playbooks/paas/roles/prometheus/tasks/build.yml +++ b/ansible/playbooks/paas/roles/prometheus/tasks/build.yml @@ -14,7 +14,7 @@ url: "{{ upstream_file_url }}" dest: "{{ build_work_dir }}/download/" mode: '0644' - force: no + force: false register: download_result - name: Prometheus | Unarchive GitHub release diff --git a/ansible/playbooks/paas/roles/prometheus/tasks/main.yml b/ansible/playbooks/paas/roles/prometheus/tasks/main.yml index 55e64042..c8ca1e1d 100644 --- a/ansible/playbooks/paas/roles/prometheus/tasks/main.yml +++ b/ansible/playbooks/paas/roles/prometheus/tasks/main.yml 
@@ -3,7 +3,7 @@ ansible.builtin.include_vars: upstream.yml - name: Prometheus | Get binary - include_tasks: build.yml + ansible.builtin.include_tasks: build.yml when: ansible_local[image.name] is not defined or ansible_local[image.name] != latest_version - name: Prometheus | Create prometheus group @@ -23,6 +23,7 @@ state: directory owner: "{{ item.owner | default('root') }}" group: "{{ item.group | default('root') }}" + mode: '0755' loop: - dest: /etc/prometheus - dest: /var/lib/prometheus diff --git a/ansible/playbooks/saas/operate.yml b/ansible/playbooks/saas/operate.yml index 00504466..1adc03e7 100644 --- a/ansible/playbooks/saas/operate.yml +++ b/ansible/playbooks/saas/operate.yml @@ -24,7 +24,8 @@ ansible.builtin.set_fact: software: "{{ lookup('simple-stack-ui', type='software', key=domain, subkey='', missing='warn') | from_json }}" - - debug: + - name: Show software variables + ansible.builtin.debug: msg: "{{ software }}" tasks: @@ -32,6 +33,13 @@ ansible.builtin.include_role: name: "{{ catalog }}" tasks_from: "{{ task }}" + when: task in ["main", "backup", "restore", "destroy"] + + - name: Execute operation + ansible.builtin.include_role: + name: nomad + tasks_from: "job_{{ task }}" + when: task in ["start", "stop", "restart"] post_tasks: - name: Update software version @@ -45,7 +53,7 @@ version: "{{ catalogs[catalog].version }}" force_basic_auth: true status_code: 200 - ignore_errors: true + failed_when: false delegate_to: localhost become: false when: task == "main" @@ -61,7 +69,7 @@ schema: softwares_remove/{{ software.id }} force_basic_auth: true status_code: 200 - ignore_errors: true + failed_when: false delegate_to: localhost become: false when: task == "destroy" diff --git a/ansible/playbooks/saas/roles/adguard/tasks/main.yml b/ansible/playbooks/saas/roles/adguard/tasks/main.yml index 7a9740e6..18d4dc57 100644 --- a/ansible/playbooks/saas/roles/adguard/tasks/main.yml +++ b/ansible/playbooks/saas/roles/adguard/tasks/main.yml 
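Review bot: The two `when: task in [...]` guards are what stop the externally supplied `task` from being interpolated into an arbitrary `tasks_from:` path, but a value outside both lists now runs neither include and the play ends successfully having done nothing. An assert in `pre_tasks` (which start outside this hunk) makes the whitelist explicit and fails loudly: `that: task in ["main", "backup", "restore", "destroy", "start", "stop", "restart"]` with a `fail_msg` naming the rejected value, and a short comment on each `when:` saying it doubles as the path whitelist would prevent a later refactor from loosening it. Replacing `ignore_errors: true` with `failed_when: false` on the two `uri` calls is cleaner output, but it also means an authentication or schema failure against the UI is never surfaced and the recorded software version silently drifts from what was deployed; registering the result and emitting a warning when `status != 200` keeps the best-effort behaviour while leaving a trace.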
@@ -34,4 +34,4 @@ - name: Run nomad job ansible.builtin.include_role: name: nomad - tasks_from: job_run.yml + tasks_from: job_start.yml diff --git a/ansible/playbooks/saas/roles/arangodb/tasks/main.yml b/ansible/playbooks/saas/roles/arangodb/tasks/main.yml index a83e9d0e..a5b68d45 100644 --- a/ansible/playbooks/saas/roles/arangodb/tasks/main.yml +++ b/ansible/playbooks/saas/roles/arangodb/tasks/main.yml @@ -43,7 +43,7 @@ - name: Run nomad job ansible.builtin.include_role: name: nomad - tasks_from: job_run.yml + tasks_from: job_start.yml - name: Include actions variables ansible.builtin.include_vars: actions.yml diff --git a/ansible/playbooks/saas/roles/caddy/tasks/main.yml b/ansible/playbooks/saas/roles/caddy/tasks/main.yml index f61aa1fa..62cb74eb 100644 --- a/ansible/playbooks/saas/roles/caddy/tasks/main.yml +++ b/ansible/playbooks/saas/roles/caddy/tasks/main.yml @@ -11,4 +11,4 @@ - name: Run nomad job ansible.builtin.include_role: name: nomad - tasks_from: job_run.yml + tasks_from: job_start.yml diff --git a/ansible/playbooks/saas/roles/code_server/tasks/main.yml b/ansible/playbooks/saas/roles/code_server/tasks/main.yml index 5b6eb81a..44d8d51a 100644 --- a/ansible/playbooks/saas/roles/code_server/tasks/main.yml +++ b/ansible/playbooks/saas/roles/code_server/tasks/main.yml @@ -26,4 +26,4 @@ - name: Run nomad job ansible.builtin.include_role: name: nomad - tasks_from: job_run.yml + tasks_from: job_start.yml diff --git a/ansible/playbooks/saas/roles/dolibarr/tasks/main.yml b/ansible/playbooks/saas/roles/dolibarr/tasks/main.yml index 3dfb187a..df9ebc4e 100644 --- a/ansible/playbooks/saas/roles/dolibarr/tasks/main.yml +++ b/ansible/playbooks/saas/roles/dolibarr/tasks/main.yml @@ -30,7 +30,7 @@ - name: Run nomad job ansible.builtin.include_role: name: nomad - tasks_from: job_run.yml + tasks_from: job_start.yml - name: Include actions variables ansible.builtin.include_vars: actions.yml 
diff --git a/ansible/playbooks/saas/roles/forgejo/tasks/doctor.yml b/ansible/playbooks/saas/roles/forgejo/tasks/doctor.yml index 15068cbd..54d2c39b 100644 --- a/ansible/playbooks/saas/roles/forgejo/tasks/doctor.yml +++ b/ansible/playbooks/saas/roles/forgejo/tasks/doctor.yml @@ -15,6 +15,6 @@ - name: Run nomad job ansible.builtin.include_role: name: nomad - tasks_from: job_run.yml + tasks_from: job_start.yml vars: job_name: "{{ domain }}-operation" diff --git a/ansible/playbooks/saas/roles/forgejo/tasks/main.yml b/ansible/playbooks/saas/roles/forgejo/tasks/main.yml index e58d1dd2..2b3ec03a 100644 --- a/ansible/playbooks/saas/roles/forgejo/tasks/main.yml +++ b/ansible/playbooks/saas/roles/forgejo/tasks/main.yml @@ -70,7 +70,7 @@ - name: Run nomad job ansible.builtin.include_role: name: nomad - tasks_from: job_run.yml + tasks_from: job_start.yml - name: Run nomad job periodic ansible.builtin.include_role: diff --git a/ansible/playbooks/saas/roles/freqtrade/tasks/main.yml b/ansible/playbooks/saas/roles/freqtrade/tasks/main.yml index 436fa0c5..ae1f7adc 100644 --- a/ansible/playbooks/saas/roles/freqtrade/tasks/main.yml +++ b/ansible/playbooks/saas/roles/freqtrade/tasks/main.yml @@ -29,4 +29,4 @@ - name: Run nomad job ansible.builtin.include_role: name: nomad - tasks_from: job_run.yml + tasks_from: job_start.yml diff --git a/ansible/playbooks/saas/roles/freshrss/tasks/main.yml b/ansible/playbooks/saas/roles/freshrss/tasks/main.yml index 6e2f33c5..5bcc3429 100644 --- a/ansible/playbooks/saas/roles/freshrss/tasks/main.yml +++ b/ansible/playbooks/saas/roles/freshrss/tasks/main.yml @@ -21,4 +21,4 @@ - name: Run nomad job ansible.builtin.include_role: name: nomad - tasks_from: job_run.yml + tasks_from: job_start.yml diff --git a/ansible/playbooks/saas/roles/grafana/tasks/main.yml b/ansible/playbooks/saas/roles/grafana/tasks/main.yml index 68f46d70..281547e3 100644 --- a/ansible/playbooks/saas/roles/grafana/tasks/main.yml 
+++ b/ansible/playbooks/saas/roles/grafana/tasks/main.yml @@ -48,4 +48,4 @@ - name: Run nomad job ansible.builtin.include_role: name: nomad - tasks_from: job_run.yml + tasks_from: job_start.yml diff --git a/ansible/playbooks/saas/roles/homeassistant/tasks/main.yml b/ansible/playbooks/saas/roles/homeassistant/tasks/main.yml index ff3b3691..08d4bfc9 100644 --- a/ansible/playbooks/saas/roles/homeassistant/tasks/main.yml +++ b/ansible/playbooks/saas/roles/homeassistant/tasks/main.yml @@ -28,4 +28,4 @@ - name: Run nomad job ansible.builtin.include_role: name: nomad - tasks_from: job_run.yml + tasks_from: job_start.yml diff --git a/ansible/playbooks/saas/roles/kresus/tasks/main.yml b/ansible/playbooks/saas/roles/kresus/tasks/main.yml index 73702f7c..19b97113 100644 --- a/ansible/playbooks/saas/roles/kresus/tasks/main.yml +++ b/ansible/playbooks/saas/roles/kresus/tasks/main.yml @@ -53,4 +53,4 @@ - name: Run nomad job ansible.builtin.include_role: name: nomad - tasks_from: job_run.yml + tasks_from: job_start.yml diff --git a/ansible/playbooks/saas/roles/litellm/tasks/main.yml b/ansible/playbooks/saas/roles/litellm/tasks/main.yml index c5498802..c88c191e 100644 --- a/ansible/playbooks/saas/roles/litellm/tasks/main.yml +++ b/ansible/playbooks/saas/roles/litellm/tasks/main.yml @@ -47,4 +47,4 @@ - name: Run nomad job ansible.builtin.include_role: name: nomad - tasks_from: job_run.yml + tasks_from: job_start.yml diff --git a/ansible/playbooks/saas/roles/loki/tasks/main.yml b/ansible/playbooks/saas/roles/loki/tasks/main.yml index 10a2e33a..bf144a90 100644 --- a/ansible/playbooks/saas/roles/loki/tasks/main.yml +++ b/ansible/playbooks/saas/roles/loki/tasks/main.yml @@ -22,4 +22,4 @@ - name: Run nomad job ansible.builtin.include_role: name: nomad - tasks_from: job_run.yml + tasks_from: job_start.yml diff --git a/ansible/playbooks/saas/roles/mariadb/tasks/main.yml b/ansible/playbooks/saas/roles/mariadb/tasks/main.yml index c2b8b357..975951f2 100644 
--- a/ansible/playbooks/saas/roles/mariadb/tasks/main.yml +++ b/ansible/playbooks/saas/roles/mariadb/tasks/main.yml @@ -55,7 +55,7 @@ - name: Run nomad job ansible.builtin.include_role: name: nomad - tasks_from: job_run.yml + tasks_from: job_start.yml - name: Include actions variables ansible.builtin.include_vars: actions.yml diff --git a/ansible/playbooks/saas/roles/milvus/tasks/main.yml b/ansible/playbooks/saas/roles/milvus/tasks/main.yml index 00e286c9..0797b595 100644 --- a/ansible/playbooks/saas/roles/milvus/tasks/main.yml +++ b/ansible/playbooks/saas/roles/milvus/tasks/main.yml @@ -36,4 +36,4 @@ - name: Run nomad job ansible.builtin.include_role: name: nomad - tasks_from: job_run.yml + tasks_from: job_start.yml diff --git a/ansible/playbooks/saas/roles/mimir/tasks/main.yml b/ansible/playbooks/saas/roles/mimir/tasks/main.yml index f4de5a9f..a12b3809 100644 --- a/ansible/playbooks/saas/roles/mimir/tasks/main.yml +++ b/ansible/playbooks/saas/roles/mimir/tasks/main.yml @@ -10,4 +10,4 @@ - name: Run nomad job ansible.builtin.include_role: name: nomad - tasks_from: job_run.yml + tasks_from: job_start.yml diff --git a/ansible/playbooks/saas/roles/minio/tasks/main.yml b/ansible/playbooks/saas/roles/minio/tasks/main.yml index f61aa1fa..62cb74eb 100644 --- a/ansible/playbooks/saas/roles/minio/tasks/main.yml +++ b/ansible/playbooks/saas/roles/minio/tasks/main.yml @@ -11,4 +11,4 @@ - name: Run nomad job ansible.builtin.include_role: name: nomad - tasks_from: job_run.yml + tasks_from: job_start.yml diff --git a/ansible/playbooks/saas/roles/mosquitto/tasks/main.yml b/ansible/playbooks/saas/roles/mosquitto/tasks/main.yml index 26fc6608..a7831558 100644 --- a/ansible/playbooks/saas/roles/mosquitto/tasks/main.yml +++ b/ansible/playbooks/saas/roles/mosquitto/tasks/main.yml @@ -35,4 +35,4 @@ - name: Run nomad job ansible.builtin.include_role: name: nomad - tasks_from: job_run.yml + tasks_from: job_start.yml 
diff --git a/ansible/playbooks/saas/roles/nextcloud/tasks/main.yml b/ansible/playbooks/saas/roles/nextcloud/tasks/main.yml index 6689a828..0de441e6 100644 --- a/ansible/playbooks/saas/roles/nextcloud/tasks/main.yml +++ b/ansible/playbooks/saas/roles/nextcloud/tasks/main.yml @@ -53,7 +53,7 @@ - name: Run nomad job ansible.builtin.include_role: name: nomad - tasks_from: job_run.yml + tasks_from: job_start.yml - name: Include actions variables ansible.builtin.include_vars: actions.yml diff --git a/ansible/playbooks/saas/roles/nginx/files/nginx/boilerplate/system/security.conf b/ansible/playbooks/saas/roles/nginx/files/nginx/boilerplate/system/security.conf index fb52121f..3c0651e4 100644 --- a/ansible/playbooks/saas/roles/nginx/files/nginx/boilerplate/system/security.conf +++ b/ansible/playbooks/saas/roles/nginx/files/nginx/boilerplate/system/security.conf @@ -8,5 +8,5 @@ add_header X-Content-Type-Options "nosniff" always; add_header X-Download-Options "noopen" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Permitted-Cross-Domain-Policies "none" always; -add_header X-Robots-Tag "none" always; +# add_header X-Robots-Tag "none" always; add_header X-XSS-Protection "1; mode=block" always; diff --git a/ansible/playbooks/saas/roles/nginx/tasks/main.yml b/ansible/playbooks/saas/roles/nginx/tasks/main.yml index 141b88fd..00f63160 100644 --- a/ansible/playbooks/saas/roles/nginx/tasks/main.yml +++ b/ansible/playbooks/saas/roles/nginx/tasks/main.yml @@ -28,4 +28,4 @@ - name: Run nomad job ansible.builtin.include_role: name: nomad - tasks_from: job_run.yml + tasks_from: job_start.yml diff --git a/ansible/playbooks/saas/roles/nomad/tasks/job_action.yml b/ansible/playbooks/saas/roles/nomad/tasks/job_action.yml index 04dee05c..669c04f7 100644 --- a/ansible/playbooks/saas/roles/nomad/tasks/job_action.yml +++ b/ansible/playbooks/saas/roles/nomad/tasks/job_action.yml 
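Review bot: Commenting out `X-Robots-Tag "none"` lets search engines index and follow every site served from this boilerplate, which may be intended for public instances but changes the exposure of admin-style applications that share it (code-server, Grafana and the registry are among the roles in this tree). A one-line comment explaining the decision, e.g. `# X-Robots-Tag dropped: sites must be indexable; re-add per vhost where privacy is wanted`, would stop it being re-enabled or re-debated later, and a per-role override for the sensitive apps is worth considering. Outside what this commit touches, the surviving `X-XSS-Protection "1; mode=block"` is deprecated and current guidance is `0`, since the filter it enables has been removed from modern browsers and could be abused for cross-site leaks in older ones.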
@@ -14,7 +14,7 @@ environment: NOMAD_ADDR: "https://{{ nomad_http_ip }}:4646" NOMAD_TOKEN: "{{ lookup('simple-stack-ui', type='secret', key2=inventory_hostname, subkey='nomad_management_token', missing='error') }}" - NOMAD_SKIP_VERIFY: true + NOMAD_SKIP_VERIFY: "true" # NOMAD_CLIENT_CERT: "{{ nomad_tls_host_certificate_dir }}/{{ nomad_tls_cert_server }}" # NOMAD_CLIENT_KEY: "{{ nomad_tls_host_certificate_dir }}/{{ nomad_tls_privatekey_server }}" # NOMAD_CACERT: "{{ nomad_tls_host_certificate_dir }}/{{ nomad_tls_ca_pubkey }}" diff --git a/ansible/playbooks/saas/roles/nomad/tasks/job_periodic_run.yml b/ansible/playbooks/saas/roles/nomad/tasks/job_periodic_run.yml index ab46a4da..1f2d3504 100644 --- a/ansible/playbooks/saas/roles/nomad/tasks/job_periodic_run.yml +++ b/ansible/playbooks/saas/roles/nomad/tasks/job_periodic_run.yml @@ -6,7 +6,7 @@ environment: NOMAD_ADDR: "https://{{ nomad_http_ip }}:4646" NOMAD_TOKEN: "{{ lookup('simple-stack-ui', type='secret', key2=inventory_hostname, subkey='nomad_management_token', missing='error') }}" - NOMAD_SKIP_VERIFY: true + NOMAD_SKIP_VERIFY: "true" # NOMAD_CLIENT_CERT: "{{ nomad_tls_host_certificate_dir }}/{{ nomad_tls_cert_server }}" # NOMAD_CLIENT_KEY: "{{ nomad_tls_host_certificate_dir }}/{{ nomad_tls_privatekey_server }}" # NOMAD_CACERT: "{{ nomad_tls_host_certificate_dir }}/{{ nomad_tls_ca_pubkey }}" diff --git a/ansible/playbooks/saas/roles/nomad/tasks/job_restart.yml b/ansible/playbooks/saas/roles/nomad/tasks/job_restart.yml index e98bbaee..e3662ee0 100644 --- a/ansible/playbooks/saas/roles/nomad/tasks/job_restart.yml +++ b/ansible/playbooks/saas/roles/nomad/tasks/job_restart.yml 
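Review bot: Quoting `NOMAD_SKIP_VERIFY` fixes the environment value's type, but the setting still disables TLS certificate verification on a connection that carries the Nomad management token from `nomad_management_token`, so anything on the path to `{{ nomad_http_ip }}:4646` can present any certificate and read that token. The commented lines directly below already hold the remedy: enable `NOMAD_CACERT: "{{ nomad_tls_host_certificate_dir }}/{{ nomad_tls_ca_pubkey }}"` and remove `NOMAD_SKIP_VERIFY`, assuming the CA file is present where the `nomad` command runs, which I cannot confirm from this hunk. The same `environment:` block is repeated in `job_periodic_run.yml`, `job_restart.yml`, `job_start.yml` and `job_stop.yml` in this commit; moving it to a shared vars file keeps the five copies from drifting and makes the TLS fix a single change.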
@@ -4,7 +4,7 @@ environment: NOMAD_ADDR: "https://{{ nomad_http_ip }}:4646" NOMAD_TOKEN: "{{ lookup('simple-stack-ui', type='secret', key2=inventory_hostname, subkey='nomad_management_token', missing='error') }}" - NOMAD_SKIP_VERIFY: true + NOMAD_SKIP_VERIFY: "true" # NOMAD_CLIENT_CERT: "{{ nomad_tls_host_certificate_dir }}/{{ nomad_tls_cert_server }}" # NOMAD_CLIENT_KEY: "{{ nomad_tls_host_certificate_dir }}/{{ nomad_tls_privatekey_server }}" # NOMAD_CACERT: "{{ nomad_tls_host_certificate_dir }}/{{ nomad_tls_ca_pubkey }}" diff --git a/ansible/playbooks/saas/roles/nomad/tasks/job_run.yml b/ansible/playbooks/saas/roles/nomad/tasks/job_start.yml similarity index 96% rename from ansible/playbooks/saas/roles/nomad/tasks/job_run.yml rename to ansible/playbooks/saas/roles/nomad/tasks/job_start.yml index 1c24094c..878bc8e5 100644 --- a/ansible/playbooks/saas/roles/nomad/tasks/job_run.yml +++ b/ansible/playbooks/saas/roles/nomad/tasks/job_start.yml @@ -6,7 +6,7 @@ environment: NOMAD_ADDR: "https://{{ nomad_http_ip }}:4646" NOMAD_TOKEN: "{{ lookup('simple-stack-ui', type='secret', key2=inventory_hostname, subkey='nomad_management_token', missing='error') }}" - NOMAD_SKIP_VERIFY: true + NOMAD_SKIP_VERIFY: "true" # NOMAD_CLIENT_CERT: "{{ nomad_tls_host_certificate_dir }}/{{ nomad_tls_cert_server }}" # NOMAD_CLIENT_KEY: "{{ nomad_tls_host_certificate_dir }}/{{ nomad_tls_privatekey_server }}" # NOMAD_CACERT: "{{ nomad_tls_host_certificate_dir }}/{{ nomad_tls_ca_pubkey }}" diff --git a/ansible/playbooks/saas/roles/nomad/tasks/job_stop.yml b/ansible/playbooks/saas/roles/nomad/tasks/job_stop.yml index c5a69945..2fb65fbf 100644 --- a/ansible/playbooks/saas/roles/nomad/tasks/job_stop.yml +++ b/ansible/playbooks/saas/roles/nomad/tasks/job_stop.yml 
@@ -4,7 +4,7 @@
 environment:
 NOMAD_ADDR: "https://{{ nomad_http_ip }}:4646"
 NOMAD_TOKEN: "{{ lookup('simple-stack-ui', type='secret', key2=inventory_hostname, subkey='nomad_management_token', missing='error') }}"
- NOMAD_SKIP_VERIFY: true
+ NOMAD_SKIP_VERIFY: "true"
 # NOMAD_CLIENT_CERT: "{{ nomad_tls_host_certificate_dir }}/{{ nomad_tls_cert_server }}"
 # NOMAD_CLIENT_KEY: "{{ nomad_tls_host_certificate_dir }}/{{ nomad_tls_privatekey_server }}"
 # NOMAD_CACERT: "{{ nomad_tls_host_certificate_dir }}/{{ nomad_tls_ca_pubkey }}"
diff --git a/ansible/playbooks/saas/roles/open-webui/tasks/main.yml b/ansible/playbooks/saas/roles/open-webui/tasks/main.yml
index 939c50cd..4687bae5 100644
--- a/ansible/playbooks/saas/roles/open-webui/tasks/main.yml
+++ b/ansible/playbooks/saas/roles/open-webui/tasks/main.yml
@@ -21,4 +21,4 @@
 - name: Run nomad job
 ansible.builtin.include_role:
 name: nomad
- tasks_from: job_run.yml
+ tasks_from: job_start.yml
diff --git a/ansible/playbooks/saas/roles/postgresql/tasks/main.yml b/ansible/playbooks/saas/roles/postgresql/tasks/main.yml
index 690840ea..32e47681 100644
--- a/ansible/playbooks/saas/roles/postgresql/tasks/main.yml
+++ b/ansible/playbooks/saas/roles/postgresql/tasks/main.yml
@@ -35,7 +35,7 @@
 - name: Run nomad job
 ansible.builtin.include_role:
 name: nomad
- tasks_from: job_run.yml
+ tasks_from: job_start.yml
 - name: Include actions variables
 ansible.builtin.include_vars: actions.yml
diff --git a/ansible/playbooks/saas/roles/registry/tasks/main.yml b/ansible/playbooks/saas/roles/registry/tasks/main.yml
index c51f72d2..1bee1db7 100644
--- a/ansible/playbooks/saas/roles/registry/tasks/main.yml
+++ b/ansible/playbooks/saas/roles/registry/tasks/main.yml
@@ -44,4 +44,4 @@
 - name: Run nomad job
 ansible.builtin.include_role:
 name: nomad
- tasks_from: job_run.yml
+ tasks_from: job_start.yml
diff --git a/ansible/playbooks/saas/roles/rocketchat/tasks/main.yml b/ansible/playbooks/saas/roles/rocketchat/tasks/main.yml
index 5246c7a2..b8d63061 100644
--- a/ansible/playbooks/saas/roles/rocketchat/tasks/main.yml
+++ b/ansible/playbooks/saas/roles/rocketchat/tasks/main.yml
@@ -34,7 +34,7 @@
 - name: Run nomad job
 ansible.builtin.include_role:
 name: nomad
- tasks_from: job_run.yml
+ tasks_from: job_start.yml
 - name: Include actions variables
 ansible.builtin.include_vars: actions.yml
diff --git a/ansible/playbooks/saas/roles/simplestack_ansible/tasks/main.yml b/ansible/playbooks/saas/roles/simplestack_ansible/tasks/main.yml
index f61aa1fa..62cb74eb 100644
--- a/ansible/playbooks/saas/roles/simplestack_ansible/tasks/main.yml
+++ b/ansible/playbooks/saas/roles/simplestack_ansible/tasks/main.yml
@@ -11,4 +11,4 @@
 - name: Run nomad job
 ansible.builtin.include_role:
 name: nomad
- tasks_from: job_run.yml
+ tasks_from: job_start.yml
diff --git a/ansible/playbooks/saas/roles/simplestack_ui/tasks/main.yml b/ansible/playbooks/saas/roles/simplestack_ui/tasks/main.yml
index a3a42eb4..76873f83 100644
--- a/ansible/playbooks/saas/roles/simplestack_ui/tasks/main.yml
+++ b/ansible/playbooks/saas/roles/simplestack_ui/tasks/main.yml
@@ -21,4 +21,4 @@
 - name: Run nomad job
 ansible.builtin.include_role:
 name: nomad
- tasks_from: job_run.yml
+ tasks_from: job_start.yml
diff --git a/ansible/playbooks/saas/roles/traefik/tasks/main.yml b/ansible/playbooks/saas/roles/traefik/tasks/main.yml
index c70251e4..0b0b1429 100644
--- a/ansible/playbooks/saas/roles/traefik/tasks/main.yml
+++ b/ansible/playbooks/saas/roles/traefik/tasks/main.yml
@@ -117,4 +117,4 @@
 - name: Run nomad job
 ansible.builtin.include_role:
 name: nomad
- tasks_from: job_run.yml
+ tasks_from: job_start.yml
diff --git a/ansible/playbooks/saas/roles/traefik/templates/traefik_tag.j2 b/ansible/playbooks/saas/roles/traefik/templates/traefik_tag.j2
index 0a2b1558..262ee7b6 100644
--- a/ansible/playbooks/saas/roles/traefik/templates/traefik_tag.j2
+++ b/ansible/playbooks/saas/roles/traefik/templates/traefik_tag.j2
@@ -5,7 +5,7 @@
 "traefik.http.routers.{{ service_name }}.tls.certresolver=myresolver",
 "traefik.http.routers.{{ service_name }}.tls.options=mintls12@file",
 "traefik.http.routers.{{ service_name }}.entrypoints=https",
-"traefik.http.routers.{{ service_name }}.rule=Host(`{{ domain }}`){% if software.domain_alias is defined and software.domain_alias != "" %}{% for alias in (software.domain_alias | split(',')) %} || Host(`{{ alias }}`){% endfor %}{% endif %}",
+"traefik.http.routers.{{ service_name }}.rule=Host(`{{ domain }}`){% if software.domainAlias is defined and software.domainAlias != "" %}{% for alias in (software.domainAlias | split(',')) %} || Host(`{{ alias }}`){% endfor %}{% endif %}",
 "traefik.http.middlewares.{{ service_name }}.redirectscheme.scheme=https",
 "traefik.http.middlewares.{{ service_name }}.redirectscheme.permanent=true",
 "traefik.http.middlewares.{{ service_name }}-headers.headers.customResponseHeaders.Strict-Transport-Security=max-age=63072000",
diff --git a/ansible/playbooks/saas/roles/valkey/tasks/main.yml b/ansible/playbooks/saas/roles/valkey/tasks/main.yml
index 6bb83999..af9b560f 100644
--- a/ansible/playbooks/saas/roles/valkey/tasks/main.yml
+++ b/ansible/playbooks/saas/roles/valkey/tasks/main.yml
@@ -10,4 +10,4 @@
 - name: Run nomad job
 ansible.builtin.include_role:
 name: nomad
- tasks_from: job_run.yml
+ tasks_from: job_start.yml
diff --git a/ansible/playbooks/saas/roles/vector/tasks/main.yml b/ansible/playbooks/saas/roles/vector/tasks/main.yml
index 148c7a41..a8b9710e 100644
--- a/ansible/playbooks/saas/roles/vector/tasks/main.yml
+++ b/ansible/playbooks/saas/roles/vector/tasks/main.yml
@@ -11,4 +11,4 @@
 - name: Run nomad job
 ansible.builtin.include_role:
 name: nomad
- tasks_from: job_run.yml
+ tasks_from: job_start.yml
diff --git a/ansible/playbooks/saas/roles/vllm/tasks/main.yml b/ansible/playbooks/saas/roles/vllm/tasks/main.yml
index 87410702..5c055854 100644
--- a/ansible/playbooks/saas/roles/vllm/tasks/main.yml
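Review bot: The renamed `software.domainAlias` is split on `,` and every piece is dropped into `Host(`...`)` untrimmed, so a value written as `a.example, b.example` yields `Host(` b.example`)`, a rule that never matches; writing `{{ alias | trim }}` inside the loop avoids that and also tolerates a trailing comma. The `is defined` guard makes the rename silent: an inventory still setting `domain_alias` simply loses its alias rule instead of failing, so a short deprecation note in the commit message (or an assert on the old key in the role) would spare operators a puzzling outage. The `rule=` tag is one entry of a longer tag list that continues on both sides of the hunk.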
+++ b/ansible/playbooks/saas/roles/vllm/tasks/main.yml @@ -11,7 +11,7 @@ - name: Run nomad llm job ansible.builtin.include_role: name: nomad - tasks_from: job_run.yml + tasks_from: job_start.yml - name: Copy nomad job to destination ansible.builtin.template: @@ -25,7 +25,7 @@ - name: Run nomad job ansible.builtin.include_role: name: nomad - tasks_from: job_run.yml + tasks_from: job_start.yml - name: Check for endpoint to become available diff --git a/ansible/playbooks/saas/roles/wordpress/files/force-404-status.php b/ansible/playbooks/saas/roles/wordpress/files/force-404-status.php new file mode 100644 index 00000000..36499ee1 --- /dev/null +++ b/ansible/playbooks/saas/roles/wordpress/files/force-404-status.php @@ -0,0 +1,52 @@ +is_main_query() + && !empty($_SERVER['REQUEST_URI']) + ) { + $request_path = rtrim(parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH), '/'); + $home_path = rtrim(parse_url(home_url('/'), PHP_URL_PATH), '/'); + + if ($request_path !== '' && $request_path !== $home_path) { + $wp_query->set_404(); + status_header(404); + nocache_headers(); + return; + } + } + + // Catch other cases: main query with no results on non-special pages + if ( + $wp_query->is_main_query() + && !$wp_query->found_posts + && !is_home() + && !is_front_page() + && !is_search() + && !is_archive() + && !is_feed() + && !is_robots() + ) { + $wp_query->set_404(); + status_header(404); + nocache_headers(); + } +}); diff --git a/ansible/playbooks/saas/roles/wordpress/tasks/main.yml b/ansible/playbooks/saas/roles/wordpress/tasks/main.yml index 3c45824c..48c1bc01 100644 --- a/ansible/playbooks/saas/roles/wordpress/tasks/main.yml +++ b/ansible/playbooks/saas/roles/wordpress/tasks/main.yml 
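Review bot: The head of the new `force-404-status.php` (its `<?php` line, the hook registration and the opening condition of the callback that ends in `});`) is not visible in this rendering, so only the tail of the file can be reviewed here. In what is visible, the fallback branch excludes `is_feed()` and `is_robots()` but not admin-ajax, cron or REST traffic, so if the hook it is attached to fires for those requests a main query with zero results would be turned into a cached-disabled 404; a guard at the top of the callback such as `if (wp_doing_ajax() || wp_doing_cron() || (defined('REST_REQUEST') && REST_REQUEST)) { return; }` keeps the plugin to template responses. `parse_url()` returns `null` or `false` for a malformed `REQUEST_URI`, and `rtrim()` on a non-string emits a deprecation notice on PHP 8.1+, so `rtrim((string) parse_url(...), '/')` is the safer form on both `$request_path` and `$home_path`. A file-level docblock should state why the plugin exists, presumably so that WordPress emits a real 404 status that the `fail2ban_404_*` jail added later in this diff can count, since nothing in the file says so.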
@@ -19,17 +19,44 @@
 - backup
 - restore
+- name: Create mu-plugins directory
+ ansible.builtin.file:
+ path: "{{ software_path }}/var/www/html/wp-content/mu-plugins"
+ state: directory
+ owner: www-data
+ group: www-data
+ mode: '0755'
+
+- name: Deploy mu-plugins
+ ansible.builtin.copy:
+ src: force-404-status.php
+ dest: "{{ software_path }}/var/www/html/wp-content/mu-plugins/force-404-status.php"
+ owner: www-data
+ group: www-data
+ mode: '0644'
+
 - name: Copy nginx config file
 ansible.builtin.template:
 src: nginx.conf
 dest: "{{ software_path }}/etc/nginx/sites-enabled/default.conf"
 mode: '0644'
+ register: nginx_config
 - name: Copy phpfpm config file
 ansible.builtin.template:
 src: phpfpm.conf
 dest: "{{ software_path }}/etc/php-fpm.d/www.conf"
 mode: '0644'
+ register: phpfpm_config
+
+- name: Remove default files
+ ansible.builtin.file:
+ path: "{{ software_path }}/var/www/html/{{ item }}"
+ state: absent
+ loop:
+ - readme.html
+ - license.txt
+ - wp-config-sample.php
 - name: Recursively change ownership of a directory
 ansible.builtin.file:
@@ -50,7 +77,16 @@
 - name: Run nomad job
 ansible.builtin.include_role:
 name: nomad
- tasks_from: job_run.yml
+ tasks_from: job_start.yml
+ when: not stat_result.stat.exists
+
+- name: Restart nomad job
+ ansible.builtin.include_role:
+ name: nomad
+ tasks_from: job_restart.yml
+ when:
+ - stat_result.stat.exists
+ - nginx_config.changed or phpfpm_config.changed
 - name: Include actions variables
 ansible.builtin.include_vars: actions.yml
diff --git a/ansible/playbooks/saas/roles/wordpress/templates/nginx.conf b/ansible/playbooks/saas/roles/wordpress/templates/nginx.conf
index f7b0a7a3..48e00f36 100755
--- a/ansible/playbooks/saas/roles/wordpress/templates/nginx.conf
+++ b/ansible/playbooks/saas/roles/wordpress/templates/nginx.conf
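Review bot: `Restart nomad job` is gated on `nginx_config.changed or phpfpm_config.changed`, but the new `Deploy mu-plugins` task is not registered, so on an already-running deployment an updated `force-404-status.php` never triggers the restart; if PHP opcache is configured without revalidation (not visible here) the old plugin keeps running. Adding `register: mu_plugins` to that task and extending the condition to `nginx_config.changed or phpfpm_config.changed or mu_plugins.changed` keeps the two in step. `stat_result` is set by a task outside this hunk, and both `when:` expressions dereference `stat_result.stat.exists` unconditionally, so they will error if that stat task can be skipped. The `Remove default files` loop is a sensible disclosure-hardening step and deserves a one-line comment above the task, e.g. `# readme.html and license.txt reveal the exact WordPress version; wp-config-sample.php is not needed at runtime`.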
@@ -24,6 +24,8 @@ server {
 include snippets/locations/htaccess.conf;
 include snippets/locations/favicon.conf;
+ include boilerplate/locations/errors.conf;
+
 location / {
 try_files $uri $uri/ /index.php?$args;
 }
@@ -44,8 +46,6 @@ server {
 }
- include boilerplate/locations/errors.conf;
-
 root /var/www/html;
 index index.php;
@@ -53,11 +53,6 @@ server {
 deny all;
 }
- location = /wp-cron.php {
- access_log off;
- log_not_found off;
- }
-
 location ~ \.(css|htc|less|js|js2|js3|js4)$ {
 expires max;
 add_header Pragma "public";
diff --git a/ansible/playbooks/saas/roles/zigbee2mqtt/tasks/main.yml b/ansible/playbooks/saas/roles/zigbee2mqtt/tasks/main.yml
index 9d144e75..800449ad 100644
--- a/ansible/playbooks/saas/roles/zigbee2mqtt/tasks/main.yml
+++ b/ansible/playbooks/saas/roles/zigbee2mqtt/tasks/main.yml
@@ -41,4 +41,4 @@
 - name: Run nomad job
 ansible.builtin.include_role:
 name: nomad
- tasks_from: job_run.yml
+ tasks_from: job_start.yml
diff --git a/ui-next/app/(app)/softwares/page.tsx b/ui-next/app/(app)/softwares/page.tsx
index 2a3c4e62..cb2f7524 100644
--- a/ui-next/app/(app)/softwares/page.tsx
+++ b/ui-next/app/(app)/softwares/page.tsx
@@ -42,7 +42,7 @@ type Variable = {
 };
 type Operation = {
- action: "start" | "stop" | "main" | "backup" | "restore" | "destroy" | "destroy_force";
+ action: "start" | "stop" | "restart" | "main" | "backup" | "restore" | "destroy" | "destroy_force";
 name: string;
 comment: string;
 };
@@ -56,6 +56,7 @@ function OperationIcon({ action }: { action: Operation["action"] }) {
 if (action === "start") return ;
 if (action === "stop") return ;
+ if (action === "restart") return ;
 if (action === "main") return ;
 if (action === "backup") return ;
 if (action === "restore") return ;
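Review bot: Dropping the `location = /wp-cron.php` block in the third hunk only removes its logging exemption, not access to the endpoint, and nothing in the commit says why nginx should now log every cron hit; the fail2ban variables later in this diff read `/var/log/traefik/traefik-access.log`, not the nginx log, so the motivation is not obvious from the diff. If it is intentional, a comment in place such as `# wp-cron.php is logged like any other request on purpose` would stop the next maintainer from restoring the block; if it was collateral to the errors.conf move, it should probably come back. Moving `include boilerplate/locations/errors.conf;` above `location /` changes nothing for exact and prefix locations, which nginx selects independently of declaration order; it only matters if errors.conf declares regex locations, which cannot be seen here, so the move is worth a one-line justification too. The `server {` block continues on both sides of all three hunks.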
@@ -468,6 +469,7 @@ export default function SoftwaresPage() {
 const operations: Operation[] = [
 { action: "start", name: "Start", comment: "Do you want to start selected items ?" },
 { action: "stop", name: "Stop", comment: "Do you want to stop selected items ?" },
+ { action: "restart", name: "Restart", comment: "Do you want to restart selected items ?" },
 { action: "main", name: "(Re) deploy", comment: "Do you want to upgrade selected items ?" },
 { action: "backup", name: "Backup", comment: "Do you want to backup selected items ?" },
 { action: "restore", name: "Restore", comment: "Do you want to restore selected items ?" },
diff --git a/ui-next/lib/validations/software.ts b/ui-next/lib/validations/software.ts
index 1c988e08..66bc1474 100644
--- a/ui-next/lib/validations/software.ts
+++ b/ui-next/lib/validations/software.ts
@@ -45,6 +45,7 @@ export const SoftwareExecuteSchema = z.object({
 action: z.enum([
 "start",
 "stop",
+ "restart",
 "main",
 "backup",
 "restore",
diff --git a/ui-next/public/roles-variables-paas.json b/ui-next/public/roles-variables-paas.json
index 96345fff..2ab9f1b9 100644
--- a/ui-next/public/roles-variables-paas.json
+++ b/ui-next/public/roles-variables-paas.json
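Review bot: `restart` is now accepted by `SoftwareExecuteSchema` and offered as a bulk operation in `SoftwaresPage`, but nothing in this diff adds a `restart` entry on the Ansible side: the only caller of `job_restart.yml` is the wordpress role's own task list, and the per-role `actions.yml` files that the roles include are untouched, so unless the dispatch lives somewhere not shown the new button may be a no-op or an error for most softwares. Confirming the action-to-task mapping for every role before exposing the button would avoid a confusing UI. The three TypeScript edits themselves follow the existing entries exactly, so no style issue there; `SoftwaresPage`, `OperationIcon` and the `SoftwareExecuteSchema` object all begin outside these hunks.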
@@ -244,6 +244,37 @@
 }
 }
 },
+ "fail2ban": {
+ "fail2ban_404_bantime": 600,
+ "fail2ban_404_enabled": true,
+ "fail2ban_404_findtime": 600,
+ "fail2ban_404_maxretry": 5,
+ "fail2ban_bantime_increment": true,
+ "fail2ban_bantime_maxtime": "4w",
+ "fail2ban_bantime_multipliers": "1 5 30 60 288 1440",
+ "fail2ban_bantime_overalljails": true,
+ "fail2ban_dbpurgeage": "30d",
+ "fail2ban_ignoreip": [
+ "127.0.0.1/8",
+ "172.17.0.0/16",
+ "::1"
+ ],
+ "fail2ban_loglevel": "INFO",
+ "fail2ban_logtarget": "/var/log/fail2ban.log",
+ "fail2ban_packages": [
+ "fail2ban",
+ "conntrack"
+ ],
+ "fail2ban_ratelimit_bantime": 600,
+ "fail2ban_ratelimit_enabled": true,
+ "fail2ban_ratelimit_findtime": 30,
+ "fail2ban_ratelimit_maxretry": 50,
+ "fail2ban_traefik_access_log": "/var/log/traefik/traefik-access.log",
+ "fail2ban_wp_login_bantime": 600,
+ "fail2ban_wp_login_enabled": true,
+ "fail2ban_wp_login_findtime": 3600,
+ "fail2ban_wp_login_maxretry": 5
+ },
 "golang": {
 "go_checksum": {
 "amd64": "4741525e69841f2e22f9992af25df0c1112b07501f61f741c12c6389fcb119f3",
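Review bot: `fail2ban_ignoreip` whitelists `172.17.0.0/16`, the Docker default bridge range; the jails read `/var/log/traefik/traefik-access.log`, so if Traefik records the bridge address of an upstream hop rather than the external client, every offender lands inside the ignore list and none of the three jails ever bans. It is worth confirming that the logged address is the real client IP (or that Traefik's forwarded-header handling is configured so that it is) before relying on these defaults. `fail2ban_ratelimit_maxretry: 50` within `fail2ban_ratelimit_findtime: 30` bans a source for 600 s after 50 matched requests in 30 s, which a single page load with many assets, or a few users behind one NAT, can reach depending on what the filter matches (not visible here); a comment stating the intended threshold would help tuning. If this JSON is generated from role defaults, that comment belongs in the role's defaults file rather than here.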
@@ -467,84 +498,6 @@
 "restic": null,
 "scan_exporter": null,
 "script_exporter": null,
- "sshd": {
- "network_ipv6_enable": true,
- "sftp_chroot": true,
- "sftp_chroot_dir": "/home/%u",
- "sftp_enabled": true,
- "sftp_umask": "0027",
- "ssh_allow_agent_forwarding": false,
- "ssh_allow_groups": "",
- "ssh_allow_tcp_forwarding": "yes",
- "ssh_allow_users": "",
- "ssh_authorized_keys_file": "",
- "ssh_authorized_principals": [],
- "ssh_authorized_principals_file": "",
- "ssh_banner": false,
- "ssh_banner_path": "/etc/ssh/banner.txt",
- "ssh_challengeresponseauthentication": false,
- "ssh_client_alive_count": 3,
- "ssh_client_alive_interval": 300,
- "ssh_client_compression": false,
- "ssh_client_config_file": "/etc/ssh/ssh_config",
- "ssh_client_host_key_algorithms": [],
- "ssh_client_password_login": false,
- "ssh_client_port": "22",
- "ssh_client_roaming": false,
- "ssh_compression": false,
- "ssh_custom_options": [],
- "ssh_deny_groups": "",
- "ssh_deny_users": "",
- "ssh_gateway_ports": false,
- "ssh_gssapi_delegation": false,
- "ssh_gssapi_support": false,
- "ssh_hardening_enabled": true,
- "ssh_host_certificates": [],
- "ssh_host_key_algorithms": [],
- "ssh_host_rsa_key_size": 4096,
- "ssh_listen_to": [
- "0.0.0.0"
- ],
- "ssh_login_grace_time": "30s",
- "ssh_max_auth_retries": 2,
- "ssh_max_sessions": 10,
- "ssh_max_startups": "10:30:60",
- "ssh_permit_root_login": "no",
- "ssh_permit_tunnel": "no",
- "ssh_print_debian_banner": false,
- "ssh_print_last_log": false,
- "ssh_print_motd": false,
- "ssh_print_pam_motd": false,
- "ssh_ps59": "sandbox",
- "ssh_pubkey_authentication": true,
- "ssh_remote_hosts": [],
- "ssh_server_accept_env_vars": "",
- "ssh_server_config_file": "/etc/ssh/sshd_config",
- "ssh_server_enabled": true,
- "ssh_server_match_address": false,
- "ssh_server_match_group": false,
- "ssh_server_match_local_port": false,
- "ssh_server_match_user": false,
- "ssh_server_password_login": false,
- "ssh_server_permit_environment_vars": "no",
"ssh_server_ports": [
- "22"
- ],
- "ssh_server_revoked_keys": [],
- "ssh_server_service_enabled": true,
- "ssh_trusted_user_ca_keys": [],
- "ssh_trusted_user_ca_keys_file": "",
- "ssh_use_dns": false,
- "ssh_use_pam": true,
- "ssh_user": "ansible",
- "ssh_x11_forwarding": false,
- "sshd_authenticationmethods": "publickey",
- "sshd_custom_options": [],
- "sshd_log_level": "INFO",
- "sshd_moduli_minimum": 2048,
- "sshd_strict_modes": true,
- "sshd_syslog_facility": "AUTH"
- },
 "systemd_exporter": null,
 "unattended-upgrades": {
 "unattended_allowed_origins": [
@@ -576,4 +529,4 @@
 "unattended_syslog_facility": "daemon"
 },
 "upstream": {}
-}
\ No newline at end of file
+}
diff --git a/ui-next/public/roles-variables-saas.json b/ui-next/public/roles-variables-saas.json
index 58bbf4cf..1747b3a9 100644
--- a/ui-next/public/roles-variables-saas.json
+++ b/ui-next/public/roles-variables-saas.json
@@ -104,4 +104,4 @@
 "zigbee2mqtt": {
 "zigbee2mqtt_config": "{{ software.config | default(zigbee2mqtt_config_default) }}"
 }
-}
\ No newline at end of file
+}