diff --git a/PORTS b/PORTS
index 8cb4b00..6514d5d 100644
--- a/PORTS
+++ b/PORTS
@@ -1,52 +1,53 @@
 reserved-for-legacy-docker-migration-medium-priority
      3000   Mastodon public HTTP
      4000   Mastodon streaming HTTP
     15674   RabbitMQ
     41080   Nasqueron Tools HTTP
 
 reserved-for-legacy-docker-migration-low-priority
      4440   Rundeck HTTP
     21080   Drupal CRM HTTP
     22080   Zammad HTTP
     27080   Grafana HTTP
     28080   phragile HTTP
     29080   etcd HTTP
     32080   Discourse HTTP
     40080   RocketChat HTTP
 
 paas-docker
      5000   Docker registry HTTP
      9090   Openfire HTTP
+    16080   Orbeon HTTP
     17080   Penpot - back-end
     17300   Penpot - exporter
     19080   Nasqueron API - Datasources
     20080   Nasqueron API - Docker registry API
     22220   Phabricator Aphlict (client)
     22221   Phabricator Aphlict (admin)
     23080   Phabricator HTTP - River Sector
     24080   Tommy HTTP - CI
     24180   Tommy HTTP - CD
     25080   Auth Grove HTTP
     26080   Sentry HTTP
     26300   Sentry - Relay
     30080   Pixelfed HTTP
     31080   Phabricator HTTP - DevCentral
     33080   Bugzilla HTTP - Espace Win
     34080   Etherpad
     35080   Phabricator HTTP - Wolfplex
     36080   Phabricator HTTP - Zed
     37080   Notifications center HTTP
     38080   Jenkins HTTP - CD
     39080   Cachet HTTP
     41080   ACME DNS server HTTP
     42080   Jenkins HTTP - CI
     43080   Hauk
     44080   Hound
     # 45080 should be reserved for OpenGrok to compare with Hound
     46080   Airflow - HTTP
     46555   Airflow - Flower
     47080   Jenkins HTTP - Test
     48080   Vault - Notifications - Integration
     50000   Jenkins controller's port for JNLP-based Jenkins agents - CD
     52000   Jenkins controller's port for JNLP-based Jenkins agents - Test
     55000   Jenkins controller's port for JNKP-based Jenkins agents - CI
diff --git a/_modules/tomcat.py b/_modules/tomcat.py
new file mode 100644
index 0000000..e06b064
--- /dev/null
+++ b/_modules/tomcat.py
@@ -0,0 +1,16 @@
+#   -------------------------------------------------------------
+#   Salt — Tomcat execution module
+#   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+#   Project:        Nasqueron
+#   License:        BSD-2-Clause
+#   -------------------------------------------------------------
+
+#   -------------------------------------------------------------
+#   Tomcat users and roles
+#   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+
+def extract_roles_from_users(users):
+    return set(
+        role for _, args in users.items() if "roles" in args for role in args["roles"]
+    )
diff --git a/pillar/credentials/vault.sls b/pillar/credentials/vault.sls
index 5649bc7..5a8a613 100644
--- a/pillar/credentials/vault.sls
+++ b/pillar/credentials/vault.sls
@@ -1,259 +1,263 @@
 #   -------------------------------------------------------------
 #   Salt configuration for Nasqueron servers
 #   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 #   Project:        Nasqueron
 #   License:        Trivial work, not eligible to copyright
 #   -------------------------------------------------------------
 
 #   -------------------------------------------------------------
 #   Vault configuration
 #
 #     :: vault_policies_path: path on vault server where to store policies
 #
 #     :: vault_policies_source: path to fetch policies from
 #                               if starting by salt://, from salt files server
 #
 #     :: vault_mount_paths: translates secrets paths in policies paths
 #
 #          Generally, Vault paths are the same for policies and data access.
 #
 #          For kv secrets engine, version 2, writing and reading versions
 #          of a kv value are prefixed with the data/ path.
 #
 #          credentials.build_policies_by_node will use this dictionary
 #          to be able to rewrite secrets paths in data paths.
 #
 #   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
 vault_policies_path: /srv/policies/vault
 vault_policies_source: /srv/policies/vault
 
 vault_mount_paths:
   ops/secrets: ops/data/secrets
   ops/privacy: ops/data/privacy
   apps: apps/data
 
 #   -------------------------------------------------------------
 #   Vault policies to deploy as-is, ie without templating.
 #
 #   Entries of vault_policies must match a .hcl file in
 #   roles/vault/policies/files folder.
 #
 #   If you need a template, create a new pillar entry instead
 #   and add the parsing logic either:
 #     - directly to roles/vault/policies/
 #
 #     - through _modules/credentials.py for policies to apply
 #       to Salt nodes, like e.g. vault_secrets_by_role
 #
 #   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
 vault_policies:
   - admin
   - salt-primary
   - sentry
   - vault_bootstrap
   - viperserv
 
 #   -------------------------------------------------------------
 #   Vault policies for Salt
 #
 #   Declare the extra policies each nodes need.
 #
 #   In adition of those extra policies, the vault_secrets_by_role
 #   will be parsed for the keys.
 #
 #   IMPORTANT: as grains['roles'] can be modified by the node,
 #              roles are extracted directly from the pillar.
 #   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
 vault_extra_policies_by_role:
   salt-primary:
     - salt-primary
 
 #   -------------------------------------------------------------
 #   Vault secrets by role
 #
 #   Paths of the keys the specified role needs access to.
 #
 #   Avoid * notation as this namespace is shared between Vault
 #   and the applications. As such, only secrets the Salt nodes
 #   needs in a state they need to deploy should be listed here.
 #
 #   Use %%node%% as variable for node name.
 #   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
 vault_secrets_by_role:
 
   devserver:
     - ops/secrets/nasqueron/notifications/notifications-cli/%%node%%
 
     - ops/secrets/nasqueron/deploy/deploy_keys/alken-orin
     - ops/secrets/nasqueron/deploy/deploy_keys/by_repo/bitbucket/dereckson/www
     - ops/secrets/nasqueron/deploy/deploy_keys/by_repo/bitbucket/ewosp/www
     - ops/secrets/nasqueron/deploy/deploy_keys/by_repo/github/wolfplex/api-www
 
   opensearch:
     - ops/secrets/nasqueron.opensearch.infra-logs.internal_users.admin
     - ops/secrets/nasqueron.opensearch.infra-logs.internal_users.dashboards
 
   paas-docker-prod:
 
     #
     # Personal data or personally identifiable information (PII)
     # related to Nasqueron Operations SIG members.
     #
 
     - ops/privacy/ops-cidr
 
     #
     # Credentials used by Nasqueron services
     # Format: ops/secrets/nasqueron/service/<...>
     #
 
     - ops/secrets/nasqueron/airflow/admin_account
     - ops/secrets/nasqueron/airflow/fernet
     - ops/secrets/nasqueron/airflow/sentry
     - ops/secrets/dbserver/cluster-A/users/airflow
 
     - ops/secrets/nasqueron/etherpad/mysql
     - ops/secrets/nasqueron/etherpad/users/dereckson
 
     - ops/secrets/nasqueron/penpot/github
     - ops/secrets/nasqueron/penpot/postgresql
     - ops/secrets/nasqueron/penpot/secret_key
 
     - ops/secrets/nasqueron/rabbitmq/white-rabbit/erlang-cookie
     - ops/secrets/nasqueron/rabbitmq/white-rabbit/root
 
     - ops/secrets/nasqueron/sentry/geoipupdate
 
     #
     # Credentials used by Nasqueron services
     # Format: ops/secrets/nasqueron.<service>.<type>
     #
 
     - ops/secrets/nasqueron.acquisitariat.mysql
 
     - ops/secrets/nasqueron.auth-grove.mysql
 
     - ops/secrets/nasqueron.cachet.app_key
     - ops/secrets/nasqueron.cachet.mysql
 
     - ops/secrets/nasqueron.etherpad.api
 
     - ops/secrets/nasqueron.notifications.broker
     - ops/secrets/nasqueron.notifications.mailgun
     - ops/secrets/nasqueron.notifications.sentry
 
     - ops/secrets/nasqueron.notifications.credentials_github_nasqueron
     - ops/secrets/nasqueron.notifications.credentials_github_wolfplex
     - ops/secrets/nasqueron.notifications.credentials_github_keruald
     - ops/secrets/nasqueron.notifications.credentials_github_trustspace
     - ops/secrets/nasqueron.notifications.credentials_github_eglide
     - ops/secrets/nasqueron.notifications.credentials_phabricator_nasqueron
 
     - apps/notifications-center/dockerhub/notifications
     - apps/notifications-center/dockerhub/auth-grove
 
     - ops/secrets/nasqueron.pixelfed.app_key
     - ops/secrets/nasqueron.pixelfed.mailgun
     - ops/secrets/nasqueron.pixelfed.mysql
 
     - ops/secrets/nasqueron.sentry.app_key
     - ops/secrets/nasqueron.sentry.postgresql
     - ops/secrets/nasqueron.sentry.vault
 
     #
     # Credentials used by Nasqueron members private services
     # Format: <username>.<service>.<type>
     #
 
     - ops/secrets/dereckson.phabricator.mysql
 
     #
     # Credentials used by projects hosted by Nasqueron
     # Format: <project name>.<service>.<type>
     #
 
     - ops/secrets/espacewin.phpbb.mysql_root
 
     - ops/secrets/wolfplex.phabricator.mailgun
     - ops/secrets/wolfplex.phabricator.mysql
 
     - ops/secrets/zed.phabricator.mysql
     - ops/secrets/zed.phabricator.sendgrid
 
   paas-docker-dev:
 
     #
     # Credentials used by Nasqueron services
     # Format: ops/secrets/nasqueron/service/<...>
     #
 
     - ops/secrets/nasqueron/airflow/admin_account
     - ops/secrets/nasqueron/airflow/fernet
     - ops/secrets/nasqueron/airflow/sentry
     - ops/secrets/dbserver/cluster-A/users/airflow
 
+    - ops/secrets/nasqueron/orbeon/oxf.crypto.password
+    - ops/secrets/nasqueron/orbeon/users/dereckson
+    - ops/secrets/dbserver/cluster-A/users/orbeon
+
     - ops/secrets/nasqueron/rabbitmq/orange-rabbit/erlang-cookie
     - ops/secrets/nasqueron/rabbitmq/orange-rabbit/root
 
     - ops/secrets/nasqueron/rabbitmq/orange-rabbit/notifications
     - ops/secrets/nasqueron.notifications.sentry
 
     #
     # Credentials used by projects hosted by Nasqueron
     # Format: <project name>.<service>.<type>
     #
 
     - ops/secrets/espacewin.bugzilla.mysql
     - ops/secrets/espacewin.bugzilla.mysql_root
 
   saas-mediawiki:
     - ops/secrets/dbserver/cluster-B/users/saas-mediawiki
     - ops/secrets/nasqueron/mediawiki/secret_key
 
   saas-wordpress:
     - ops/secrets/dbserver/cluster-B/users/dereckson_blog
 
     - ops/secrets/dereckson/wordpress/secrets
 
   viperserv:
     - ops/secrets/nasqueron.viperserv.vault
 
   webserver-alkane:
     - ops/secrets/dbserver/cluster-B/users/dereckson_www
     - ops/secrets/dbserver/cluster-B/users/zed
 
     - ops/secrets/zed/hypership/secret_key
 
     #
     # Wolfplex credentials
     #
 
     - ops/secrets/nasqueron.etherpad.api
 
   webserver-legacy:
 
     #
     # Wolfplex credentials
     #
 
     - ops/secrets/nasqueron.etherpad.api
 
 #   -------------------------------------------------------------
 #   Vault secrets by dbserver cluster
 #
 #   Paths of the keys the specified role needs access to.
 #   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
 
 vault_secrets_by_dbserver_cluster:
 
   # Main PostgreSQL cluster
   A:
     - ops/secrets/dbserver/cluster-A/users/*
 
   # Main MariaDB cluster - Alkane PaaS, ViperServ
   B:
     - ops/secrets/dbserver/cluster-B/users/*
diff --git a/pillar/paas/docker/dwellers/orbeon.sls b/pillar/paas/docker/dwellers/orbeon.sls
new file mode 100644
index 0000000..e6b94fa
--- /dev/null
+++ b/pillar/paas/docker/dwellers/orbeon.sls
@@ -0,0 +1,41 @@
+#   -------------------------------------------------------------
+#   Salt — Provision Docker engine
+#   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+#   Project:        Nasqueron
+#   License:        Trivial work, not eligible to copyright
+#   Service:        Orbeon
+#   -------------------------------------------------------------
+
+docker_networks:
+  orbeon:
+    subnet: 172.18.5.0/24
+
+docker_images:
+  - nasqueron/orbeon
+  - tianon/exim4
+
+docker_containers:
+  exim:
+    orbeon_smtp:
+      mailname: forms.nasqueron.org
+      network: orbeon
+
+  orbeon:
+    nasqueron_forms:
+      host: forms.nasqueron.org
+      app_port: 16080
+      network: orbeon
+      db:
+        service: db-A
+        database: forms
+        credential: dbserver/cluster-A/users/orbeon
+      secret_key: nasqueron/orbeon/oxf.crypto.password
+      tomcat:
+        users:
+          dereckson: nasqueron/orbeon/users/dereckson
+      smtp: orbeon_smtp
+
+      # Published forms are categorized by apps.
+      # List of forapps so nginx can proxy /<app>/
+      apps:
+        - nasqueron-join
diff --git a/roles/paas-docker/containers/files/_tomcat/tomcat-users.xml b/roles/paas-docker/containers/files/_tomcat/tomcat-users.xml
new file mode 100644
index 0000000..e6f0f87
--- /dev/null
+++ b/roles/paas-docker/containers/files/_tomcat/tomcat-users.xml
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+    Tomcat :: Users configuration
+    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+    Project:      Nasqueron
+    License:      Trivial enough, not eligible to copyright
+    Source file:  roles/paas-docker/containers/files/_tomcat/tomcat-users.xml
+    _____________________________________________________________
+
+    <auto-generated>
+        This file is managed by our rOPS SaltStack repository.
+
+        Changes to this file may cause incorrect behavior
+        and will be lost if the state is redeployed.
+    </auto-generated>
+-->
+<tomcat-users xmlns="http://tomcat.apache.org/xml"
+              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
+              version="1.0">
+
+    {% if roles is defined %}
+    {% for role, role_args in roles.items() %}
+    <role rolename="{{ role }}" description="{{ role_args.description }}" />
+    {% endfor %}
+    {% else %}
+    {% for role in salt["tomcat.extract_roles_from_users"](users) %}
+    <role rolename="{{ role }}" />
+    {% endfor %}
+    {% endif %}
+
+    {% for username, user_args in users.items() %}
+    <user
+        username="{{ username }}"
+        password="{{ user_args.password }}"
+        roles="{{ user_args.roles | join(' ') }}"
+    />
+    {% endfor %}
+</tomcat-users>
diff --git a/roles/paas-docker/containers/files/orbeon/nasqueron_forms/form-builder-permissions.xml b/roles/paas-docker/containers/files/orbeon/nasqueron_forms/form-builder-permissions.xml
new file mode 100644
index 0000000..d6d5a25
--- /dev/null
+++ b/roles/paas-docker/containers/files/orbeon/nasqueron_forms/form-builder-permissions.xml
@@ -0,0 +1,21 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+    Orbeon :: Configuration
+    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+    Project:      Nasqueron
+    License:      Trivial work, not eligible to copyright
+    Source file:  roles/paas-docker/containers/files/orbeon/nasqueron_forms/form-builder-permissions.xml
+    _____________________________________________________________
+
+    <auto-generated>
+        This file is managed by our rOPS SaltStack repository.
+
+        Changes to this file may cause incorrect behavior
+        and will be lost if the state is redeployed.
+    </auto-generated>
+-->
+
+<roles>
+    <role name="orbeon-admin" app="*" form="*"/>
+</roles>
diff --git a/roles/paas-docker/containers/files/orbeon/nasqueron_forms/properties-local.xml b/roles/paas-docker/containers/files/orbeon/nasqueron_forms/properties-local.xml
new file mode 100644
index 0000000..4dad89f
--- /dev/null
+++ b/roles/paas-docker/containers/files/orbeon/nasqueron_forms/properties-local.xml
@@ -0,0 +1,105 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+    Orbeon :: Configuration
+    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+    Project:      Nasqueron
+    License:      Trivial work, not eligible to copyright
+    Source file:  roles/paas-docker/containers/files/orbeon/nasqueron_forms/properties-local.xml
+    _____________________________________________________________
+
+    <auto-generated>
+        This file is managed by our rOPS SaltStack repository.
+
+        Changes to this file may cause incorrect behavior
+        and will be lost if the state is redeployed.
+    </auto-generated>
+-->
+
+<properties xmlns:xs="http://www.w3.org/2001/XMLSchema"
+            xmlns:oxf="http://www.orbeon.com/oxf/processors"
+            xmlns:fr="http://orbeon.org/oxf/xml/form-runner">
+
+    <!-- URL -->
+
+    <property as="xs:anyURI" name="oxf.url-rewriting.service.base-uri"
+        value="http://localhost:8080/orbeon"/>
+
+
+    <!-- Crypto -->
+
+    <property as="xs:string" name="oxf.crypto.password">
+        <![CDATA[{{ secret_key }}]]>
+    </property>
+
+    <property as="xs:integer" name="oxf.crypto.key-length"
+        value="256"/>
+
+    <property as="xs:string" name="oxf.crypto.hash-algorithm"
+        value="SHA-256"/>
+
+
+    <!-- Authentication -->
+
+    <property as="xs:string" name="oxf.fr.authentication.method"
+        value="container"/>
+
+    <property as="xs:string" name="oxf.fr.authentication.container.roles"
+        value="orbeon-admin"/>
+
+    <property as="xs:boolean" name="oxf.fr.authentication.user-menu.enable"
+        value="true"/>
+
+
+    <!-- Database configuration -->
+
+    <property as="xs:string" name="oxf.fr.persistence.provider.*.*.*"
+        value="postgresql"/>
+
+    <property as="xs:string" name="oxf.fr.persistence.postgresql.datasource"
+        value="postgresql" />
+
+    <property as="xs:boolean" name="oxf.fr.persistence.postgresql.create-flat-view"
+        value="true"/>
+
+    <property as="xs:boolean" name="oxf.fr.persistence.exist.active"
+        value="false"/>
+
+
+    <!-- SMTP -->
+
+    <property as="xs:string" name="oxf.fr.email.smtp.host.*.*"
+        value="{{ smtp }}" />
+
+    <property as="xs:string" name="oxf.fr.email.from.*.*"
+        value="no-reply@{{ host }}"/>
+
+
+    <!-- Static resources -->
+
+    <property as="xs:string" name="oxf.fr.css.custom.uri.*.*">
+        https://assets.nasqueron.org/css/forms/nasqueron-forms.css
+    </property>
+
+    <property as="xs:anyURI" name="oxf.fr.default-logo.uri.*.*">
+        https://assets.nasqueron.org/logos/logo-white-32px.png
+    </property>
+
+
+    <!-- Form properties :: nasqueron-join :: contact -->
+
+    <property as="xs:string" name="oxf.fr.detail.buttons.nasqueron-join.contact">
+        save-progress send
+    </property>
+
+    <property as="xs:string" name="oxf.fr.detail.process.send.nasqueron-join.contact"
+        value='require-valid
+               then email
+               then navigate("https://join.nasqueron.org/contact-success.html")
+               recover navigate("https://join.nasqueron.org/contact-failure.html")' />
+
+    <property as="xs:string" name="oxf.fr.email.to.nasqueron-join.*"
+        value="dereckson+nasqueron+join@espace-win.org" />
+
+
+</properties>
diff --git a/roles/paas-docker/containers/files/orbeon/nasqueron_forms/web.xml b/roles/paas-docker/containers/files/orbeon/nasqueron_forms/web.xml
new file mode 100644
index 0000000..dbee43a
--- /dev/null
+++ b/roles/paas-docker/containers/files/orbeon/nasqueron_forms/web.xml
@@ -0,0 +1,409 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+    Orbeon :: Configuration
+    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+    Project:      Nasqueron
+    License:      Trivial work, not eligible to copyright
+    Source file:  roles/paas-docker/containers/files/orbeon/nasqueron_forms/properties-local.xml
+    _____________________________________________________________
+
+    <auto-generated>
+        This file is managed by our rOPS SaltStack repository.
+
+        Changes to this file may cause incorrect behavior
+        and will be lost if the state is redeployed.
+    </auto-generated>
+-->
+
+<web-app
+    xmlns="http://xmlns.jcp.org/xml/ns/javaee"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
+    version="3.1">
+
+    <display-name>Nasqueron Forms</display-name>
+    <description>
+        Nasqueron Forms is an Orbeon Forms, a XForms web forms solutions
+        to create and fill complex forms.
+    </description>
+    <distributable/>
+    <!--Initialize main resource manager-->
+    <context-param>
+        <param-name>oxf.resources.factory</param-name>
+        <param-value>org.orbeon.oxf.resources.PriorityResourceManagerFactory</param-value>
+    </context-param>
+    <!--Web application resource manager for resources-->
+    <context-param>
+        <param-name>oxf.resources.priority.2</param-name>
+        <param-value>org.orbeon.oxf.resources.WebAppResourceManagerFactory</param-value>
+    </context-param>
+    <context-param>
+        <param-name>oxf.resources.priority.2.oxf.resources.webapp.rootdir</param-name>
+        <param-value>/WEB-INF/resources</param-value>
+    </context-param>
+    <!--Classloader resource manager-->
+    <context-param>
+        <param-name>oxf.resources.priority.6</param-name>
+        <param-value>org.orbeon.oxf.resources.ClassLoaderResourceManagerFactory</param-value>
+    </context-param>
+    <!--Set run mode ("dev" or "prod")-->
+    <context-param>
+        <param-name>oxf.run-mode</param-name>
+        <param-value>prod</param-value>
+    </context-param>
+    <!--Set location of properties.xml-->
+    <context-param>
+        <param-name>oxf.properties</param-name>
+        <param-value>oxf:/config/properties-${oxf.run-mode}.xml</param-value>
+    </context-param>
+    <!--Determine whether logging initialization must take place-->
+    <context-param>
+        <param-name>oxf.initialize-logging</param-name>
+        <param-value>true</param-value>
+    </context-param>
+    <!--Set context listener processors-->
+    <!-- Uncomment this for the context listener processors -->
+    <!--
+    <context-param>
+        <param-name>oxf.context-initialized-processor.name</param-name>
+        <param-value>{http://www.orbeon.com/oxf/processors}pipeline</param-value>
+    </context-param>
+    <context-param>
+        <param-name>oxf.context-initialized-processor.input.config</param-name>
+        <param-value>oxf:/apps/context/context-initialized.xpl</param-value>
+    </context-param>
+    <context-param>
+        <param-name>oxf.context-destroyed-processor.name</param-name>
+        <param-value>{http://www.orbeon.com/oxf/processors}pipeline</param-value>
+    </context-param>
+    <context-param>
+        <param-name>oxf.context-destroyed-processor.input.config</param-name>
+        <param-value>oxf:/apps/context/context-destroyed.xpl</param-value>
+    </context-param>-->
+    <!-- End context listener processors -->
+    <!--Set session listener processors-->
+    <!-- Uncomment this for the session listener processors -->
+    <!--
+    <context-param>
+        <param-name>oxf.session-created-processor.name</param-name>
+        <param-value>{http://www.orbeon.com/oxf/processors}pipeline</param-value>
+    </context-param>
+    <context-param>
+        <param-name>oxf.session-created-processor.input.config</param-name>
+        <param-value>oxf:/apps/context/session-created.xpl</param-value>
+    </context-param>
+    <context-param>
+        <param-name>oxf.session-destroyed-processor.name</param-name>
+        <param-value>{http://www.orbeon.com/oxf/processors}pipeline</param-value>
+    </context-param>
+    <context-param>
+        <param-name>oxf.session-destroyed-processor.input.config</param-name>
+        <param-value>oxf:/apps/context/session-destroyed.xpl</param-value>
+    </context-param>-->
+    <!-- End session listener processors -->
+    <!--Security filter for eXist-->
+    <filter>
+        <filter-name>orbeon-exist-filter</filter-name>
+        <filter-class>org.orbeon.oxf.servlet.TokenSecurityFilter</filter-class>
+    </filter>
+    <filter-mapping>
+        <filter-name>orbeon-exist-filter</filter-name>
+        <url-pattern>/exist/*</url-pattern>
+        <dispatcher>REQUEST</dispatcher>
+        <dispatcher>FORWARD</dispatcher>
+    </filter-mapping>
+    <!--Limit concurrent access to Form Runner-->
+    <filter>
+        <filter-name>orbeon-limiter-filter</filter-name>
+        <filter-class>org.orbeon.oxf.servlet.LimiterFilter</filter-class>
+        <!--Include Form Runner pages and XForms Ajax requests-->
+        <init-param>
+            <param-name>include</param-name>
+            <param-value>(/fr/.*)|(/xforms-server)</param-value>
+        </init-param>
+        <!--Exclude resources not produced by services-->
+        <init-param>
+            <param-name>exclude</param-name>
+            <param-value>(?!/([^/]+)/service/).+\.(gif|css|pdf|json|js|coffee|map|png|jpg|xsd|htc|ico|swf|html|htm|txt)</param-value>
+        </init-param>
+        <!--Minimum, requested, and maximum number of concurrent threads allowed-->
+        <!--The `x` prefix specifies a multiple of the number of CPU cores reported by the JVM-->
+        <init-param>
+            <param-name>min-threads</param-name>
+            <param-value>1</param-value>
+        </init-param>
+        <init-param>
+            <param-name>num-threads</param-name>
+            <param-value>x1</param-value>
+        </init-param>
+        <init-param>
+            <param-name>max-threads</param-name>
+            <param-value>x1</param-value>
+        </init-param>
+    </filter>
+    <filter-mapping>
+        <filter-name>orbeon-limiter-filter</filter-name>
+        <url-pattern>/*</url-pattern>
+        <dispatcher>REQUEST</dispatcher>
+    </filter-mapping>
+    <!--Add internal Orbeon-* headers for auth-->
+    <filter>
+        <filter-name>orbeon-form-runner-auth-servlet-filter</filter-name>
+        <filter-class>org.orbeon.oxf.servlet.FormRunnerAuthFilter</filter-class>
+        <!--
+        <init-param>
+            <param-name>content-security-policy</param-name>
+            <param-value>default-src 'self'; img-src 'self' data:</param-value>
+        </init-param>
+        -->
+    </filter>
+    <filter-mapping>
+        <filter-name>orbeon-form-runner-auth-servlet-filter</filter-name>
+        <url-pattern>/*</url-pattern>
+        <dispatcher>REQUEST</dispatcher>
+        <dispatcher>FORWARD</dispatcher>
+    </filter-mapping>
+    <!--All JSP files under /xforms-jsp go through the XForms filter-->
+    <filter>
+        <filter-name>orbeon-xforms-filter</filter-name>
+        <filter-class>org.orbeon.oxf.servlet.OrbeonXFormsFilter</filter-class>
+        <!-- Uncomment this for the separate WAR deployment -->
+        <!--
+    <init-param>
+        <param-name>oxf.xforms.renderer.context</param-name>
+        <param-value>/orbeon</param-value>
+    </init-param>
+    <init-param>
+        <param-name>oxf.xforms.renderer.default-encoding</param-name>
+        <param-value>UTF-8</param-value>
+    </init-param>-->
+        <!-- End separate WAR deployment -->
+    </filter>
+    <filter-mapping>
+        <filter-name>orbeon-xforms-filter</filter-name>
+        <url-pattern>/xforms-jsp/*</url-pattern>
+        <!--Servlet 2.4 configuration allowing the filter to run upon forward in addition to request-->
+        <dispatcher>REQUEST</dispatcher>
+        <dispatcher>FORWARD</dispatcher>
+    </filter-mapping>
+    <!--Orbeon context listener-->
+    <listener>
+        <listener-class>org.orbeon.oxf.webapp.OrbeonServletContextListener</listener-class>
+    </listener>
+    <!--Context listener for deployment with replication-->
+    <listener>
+        <listener-class>org.orbeon.oxf.xforms.ReplicationServletContextListener</listener-class>
+    </listener>
+    <!--XForms session listener-->
+    <listener>
+        <listener-class>org.orbeon.oxf.xforms.XFormsServletContextListener</listener-class>
+    </listener>
+    <!--General-purpose session listener-->
+    <listener>
+        <listener-class>org.orbeon.oxf.webapp.OrbeonSessionListener</listener-class>
+    </listener>
+    <!--Ehcache shutdown listener-->
+    <listener>
+        <listener-class>net.sf.ehcache.constructs.web.ShutdownListener</listener-class>
+    </listener>
+    <!--This is the main Orbeon Forms servlet-->
+    <servlet>
+        <servlet-name>orbeon-main-servlet</servlet-name>
+        <servlet-class>org.orbeon.oxf.servlet.OrbeonServlet</servlet-class>
+        <!--Set main processor-->
+        <init-param>
+            <param-name>oxf.main-processor.name</param-name>
+            <param-value>{http://www.orbeon.com/oxf/processors}pipeline</param-value>
+        </init-param>
+        <init-param>
+            <param-name>oxf.main-processor.input.config</param-name>
+            <param-value>oxf:/config/prologue-servlet.xpl</param-value>
+        </init-param>
+        <!--Set error processor-->
+        <init-param>
+            <param-name>oxf.error-processor.name</param-name>
+            <param-value>{http://www.orbeon.com/oxf/processors}page-flow</param-value>
+        </init-param>
+        <init-param>
+            <param-name>oxf.error-processor.input.controller</param-name>
+            <param-value>oxf:/config/error-page-flow.xml</param-value>
+        </init-param>
+        <!--Set supported methods-->
+        <init-param>
+            <param-name>oxf.http.accept-methods</param-name>
+            <param-value>get,post,head,put,delete,lock,unlock</param-value>
+        </init-param>
+        <!--Set servlet initialization and destruction listeners-->
+        <!-- Uncomment this for the servlet listener processors -->
+        <!--
+    <init-param>
+        <param-name>oxf.servlet-initialized-processor.name</param-name>
+        <param-value>{http://www.orbeon.com/oxf/processors}pipeline</param-value>
+    </init-param>
+    <init-param>
+        <param-name>oxf.servlet-initialized-processor.input.config</param-name>
+        <param-value>oxf:/apps/context/servlet-initialized.xpl</param-value>
+    </init-param>
+    <init-param>
+        <param-name>oxf.servlet-destroyed-processor.name</param-name>
+        <param-value>{http://www.orbeon.com/oxf/processors}pipeline</param-value>
+    </init-param>
+    <init-param>
+        <param-name>oxf.servlet-destroyed-processor.input.config</param-name>
+        <param-value>oxf:/apps/context/servlet-destroyed.xpl</param-value>
+    </init-param>-->
+        <!-- End servlet listener processors -->
+    </servlet>
+    <!--This is the XForms Renderer servlet, used to deploy Orbeon Forms as a separate WAR-->
+    <servlet>
+        <servlet-name>orbeon-renderer-servlet</servlet-name>
+        <servlet-class>org.orbeon.oxf.servlet.OrbeonServlet</servlet-class>
+        <!--Set main processor-->
+        <init-param>
+            <param-name>oxf.main-processor.name</param-name>
+            <param-value>{http://www.orbeon.com/oxf/processors}page-flow</param-value>
+        </init-param>
+        <init-param>
+            <param-name>oxf.main-processor.input.controller</param-name>
+            <param-value>oxf:/ops/xforms/xforms-renderer-page-flow.xml</param-value>
+        </init-param>
+        <!--Set error processor-->
+        <init-param>
+            <param-name>oxf.error-processor.name</param-name>
+            <param-value>{http://www.orbeon.com/oxf/processors}pipeline</param-value>
+        </init-param>
+        <init-param>
+            <param-name>oxf.error-processor.input.config</param-name>
+            <param-value>oxf:/config/error.xpl</param-value>
+        </init-param>
+    </servlet>
+    <!-- Uncomment this for the eXist XMLRPC support -->
+    <!--
+    <servlet>
+        <servlet-name>exist-xmlrpc-servlet</servlet-name>
+        <servlet-class>org.exist.xmlrpc.RpcServlet</servlet-class>
+    </servlet>-->
+    <!-- End eXist XMLRPC support -->
+    <servlet>
+        <servlet-name>exist-rest-servlet</servlet-name>
+        <servlet-class>org.exist.http.servlets.EXistServlet</servlet-class>
+        <init-param>
+            <param-name>basedir</param-name>
+            <param-value>WEB-INF/</param-value>
+        </init-param>
+        <init-param>
+            <param-name>configuration</param-name>
+            <param-value>exist-conf.xml</param-value>
+        </init-param>
+        <init-param>
+            <param-name>start</param-name>
+            <param-value>true</param-value>
+        </init-param>
+    </servlet>
+    <servlet-mapping>
+        <servlet-name>orbeon-main-servlet</servlet-name>
+        <url-pattern>/</url-pattern>
+    </servlet-mapping>
+    <servlet-mapping>
+        <servlet-name>orbeon-renderer-servlet</servlet-name>
+        <url-pattern>/xforms-renderer</url-pattern>
+    </servlet-mapping>
+    <servlet-mapping>
+        <servlet-name>exist-rest-servlet</servlet-name>
+        <url-pattern>/exist/rest/*</url-pattern>
+    </servlet-mapping>
+    <!-- Uncomment this for the eXist XMLRPC support -->
+    <!--
+    <servlet-mapping>
+        <servlet-name>exist-xmlrpc-servlet</servlet-name>
+        <url-pattern>/exist/xmlrpc/*</url-pattern>
+    </servlet-mapping>-->
+    <!-- End eXist XMLRPC support -->
+    <!-- Uncomment this for the relational persistence, and change oracle if necessary -->
+    <!--
+    <resource-ref>
+        <description>DataSource</description>
+        <res-ref-name>jdbc/oracle</res-ref-name>
+        <res-type>javax.sql.DataSource</res-type>
+        <res-auth>Container</res-auth>
+    </resource-ref>-->
+    <!-- End relational persistence, and change oracle if necessary -->
+
+    <!-- Form Runner authentication -->
+    <!-- Require the security role on /fr/auth by default. To protect everything this must be changed. -->
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Form Runner</web-resource-name>
+            <url-pattern>/fr/auth</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>orbeon-user</role-name>
+        </auth-constraint>
+    </security-constraint>
+
+    <!-- The following pages and services are allowed without constraints by default -->
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Form Runner services and public pages and resources</web-resource-name>
+            <url-pattern>/fr/service/*</url-pattern>
+            <url-pattern>/fr/style/*</url-pattern>
+            <url-pattern>/fr/not-found</url-pattern>
+            <url-pattern>/fr/error</url-pattern>
+            <url-pattern>/fr/login</url-pattern>
+            <url-pattern>/fr/login-error</url-pattern>
+        </web-resource-collection>
+    </security-constraint>
+
+    <!-- Form builder requires authentication -->
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Form Builder</web-resource-name>
+            <url-pattern>/fr/orbeon/builder/*</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>orbeon-admin</role-name>
+        </auth-constraint>
+    </security-constraint>
+
+    <!-- Form admin requires authentication -->
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Form Administration</web-resource-name>
+            <url-pattern>/fr/admin</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>orbeon-admin</role-name>
+        </auth-constraint>
+    </security-constraint>
+
+    <!-- Landing pages requires authentication -->
+    <security-constraint>
+        <web-resource-collection>
+            <web-resource-name>Form landing pages</web-resource-name>
+            <url-pattern>/fr/</url-pattern>
+            <url-pattern>/fr/forms</url-pattern>
+        </web-resource-collection>
+        <auth-constraint>
+            <role-name>orbeon-admin</role-name>
+        </auth-constraint>
+    </security-constraint>
+
+    <!-- Default security role -->
+    <security-role>
+        <role-name>orbeon-user</role-name>
+    </security-role>
+
+    <!-- Use the form-based method by default -->
+    <login-config>
+        <auth-method>FORM</auth-method>
+        <form-login-config>
+            <form-login-page>/fr/login</form-login-page>
+            <form-error-page>/fr/login-error</form-error-page>
+        </form-login-config>
+    </login-config>
+
+    <session-config>
+        <session-timeout>60</session-timeout>
+    </session-config>
+</web-app>
diff --git a/roles/paas-docker/containers/files/orbeon/server.xml b/roles/paas-docker/containers/files/orbeon/server.xml
new file mode 100644
index 0000000..3b0db71
--- /dev/null
+++ b/roles/paas-docker/containers/files/orbeon/server.xml
@@ -0,0 +1,40 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+    Tomcat :: Orbeon configuration
+    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+    Project:      Nasqueron
+    License:      Trivial enough, not eligible to copyright
+    Source file:  roles/paas-docker/containers/files/orbeon/server.xml
+    _____________________________________________________________
+
+    <auto-generated>
+        This file is managed by our rOPS SaltStack repository.
+
+        Changes to this file may cause incorrect behavior
+        and will be lost if the state is redeployed.
+    </auto-generated>
+-->
+
+<Context path="/orbeon">
+ <Resource
+     name="jdbc/postgresql"
+     driverClassName="org.postgresql.Driver"
+
+     auth="Container"
+     type="javax.sql.DataSource"
+
+     initialSize="3"
+     maxActive="10"
+     maxIdle="10"
+     maxWait="30000"
+
+     poolPreparedStatements="true"
+
+     validationQuery="select 1"
+     testOnBorrow="true"
+
+     username="{{ db.user }}"
+     password="{{ db.pass }}"
+     url="jdbc:postgresql://{{ db.host }}:5432/{{ db.database }}?useUnicode=true&amp;characterEncoding=UTF8&amp;socketTimeout=30&amp;tcpKeepAlive=true"/>
+</Context>
diff --git a/roles/paas-docker/containers/orbeon.sls b/roles/paas-docker/containers/orbeon.sls
new file mode 100644
index 0000000..4af4886
--- /dev/null
+++ b/roles/paas-docker/containers/orbeon.sls
@@ -0,0 +1,103 @@
+#   -------------------------------------------------------------
+#   Salt — Provision Docker engine
+#   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+#   Project:        Nasqueron
+#   License:        Trivial work, not eligible to copyright
+#   -------------------------------------------------------------
+
+{% set has_selinux = salt['grains.get']('selinux:enabled', False) %}
+
+{% for instance, container in pillar['docker_containers']['orbeon'].items() %}
+
+#   -------------------------------------------------------------
+#   Storage directory
+#   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+/srv/orbeon/{{ instance }}:
+  file.directory:
+    - makedirs: True
+
+{% if has_selinux %}
+selinux_context_{{ instance }}_data:
+  selinux.fcontext_policy_present:
+    - name: /srv/orbeon/{{ instance }}
+    - sel_type: container_file_t
+
+selinux_context_{{ instance }}_data_applied:
+  selinux.fcontext_policy_applied:
+    - name: /srv/orbeon/{{ instance }}
+{% endif %}
+
+#   -------------------------------------------------------------
+#   Configuration files
+#   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+/srv/orbeon/{{ instance }}/conf/tomcat-users.xml:
+  file.managed:
+    - source: salt://roles/paas-docker/containers/files/_tomcat/tomcat-users.xml
+    - mode: 400
+    - makedirs: True
+    - template: jinja
+    - show_changes: False
+    - context:
+        users:
+          {% for user, credential in container["tomcat"]["users"].items() %}
+          {{ user }}:
+            password: {{ salt["credentials.get_password"](credential) | yaml_dquote }}
+            roles:
+              - orbeon-admin
+          {% endfor %}
+
+/srv/orbeon/{{ instance }}/conf/properties-local.xml:
+  file.managed:
+    - source: salt://roles/paas-docker/containers/files/orbeon/{{ instance }}/properties-local.xml
+    - mode: 400
+    - template: jinja
+    - show_changes: False
+    - context:
+        secret_key: {{ salt["credentials.get_password"](container["secret_key"]) | yaml_dquote }}
+        host: {{ container["host"] }}
+        smtp: {{ container["smtp"] }}
+
+/srv/orbeon/{{ instance }}/conf/orbeon.xml:
+  file.managed:
+    - source: salt://roles/paas-docker/containers/files/orbeon/server.xml
+    - mode: 400
+    - template: jinja
+    - show_changes: False
+    - context:
+        db:
+          host: {{ pillar["nasqueron_services"][container["db"]["service"]] }}
+          database: {{ container["db"]["database"] }}
+          user: {{ salt["credentials.get_username"](container["db"]["credential"]) }}
+          pass: {{ salt["credentials.get_password"](container["db"]["credential"]) | yaml_dquote }}
+
+{% for config_file in ["web.xml", "form-builder-permissions.xml"] %}
+/srv/orbeon/{{ instance }}/conf/{{ config_file }}:
+  file.managed:
+    - source: salt://roles/paas-docker/containers/files/orbeon/{{ instance }}/{{ config_file }}
+{% endfor %}
+
+#   -------------------------------------------------------------
+#   Container
+#   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+
+{{ instance }}:
+  docker_container.running:
+    - detach: True
+    - interactive: True
+    - image: nasqueron/orbeon
+    - binds:
+      - /srv/orbeon/{{ instance }}/conf/tomcat-users.xml:/usr/local/tomcat/conf/tomcat-users.xml
+      - /srv/orbeon/{{ instance }}/conf/orbeon.xml:/usr/local/tomcat/conf/Catalina/localhost/orbeon.xml
+      - /srv/orbeon/{{ instance }}/conf/web.xml:/usr/local/tomcat/webapps/orbeon/WEB-INF/web.xml
+      - /srv/orbeon/{{ instance }}/conf/form-builder-permissions.xml:/usr/local/tomcat/webapps/orbeon/WEB-INF/resources/config/form-builder-permissions.xml
+      - /srv/orbeon/{{ instance }}/conf/properties-local.xml:/usr/local/tomcat/webapps/orbeon/WEB-INF/resources/config/properties-local.xml
+    - ports:
+      - 8080
+    - port_bindings:
+      - {{ container['app_port'] }}:8080
+    - networks:
+      - {{ container['network'] }}
+
+{% endfor %}
diff --git a/roles/paas-docker/nginx/files/vhosts/orbeon.conf b/roles/paas-docker/nginx/files/vhosts/orbeon.conf
new file mode 100644
index 0000000..9f76cb4
--- /dev/null
+++ b/roles/paas-docker/nginx/files/vhosts/orbeon.conf
@@ -0,0 +1,53 @@
+#   -------------------------------------------------------------
+#   Configuration for Docker PaaS front-end nginx
+#   - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
+#   Source file:    roles/paas-docker/nginx/files/vhosts/orbeon.conf
+#   -------------------------------------------------------------
+#
+#   <auto-generated>
+#       This file is managed by our rOPS SaltStack repository.
+#
+#       Changes to this file may cause incorrect behavior
+#       and will be lost if the state is redeployed.
+#   </auto-generated>
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name {{ fqdn }};
+
+    include includes/letsencrypt;
+
+    return 301 https://$host$request_uri;
+}
+
+server {
+    server_name {{ fqdn }};
+
+    include includes/tls;
+    ssl_certificate /srv/letsencrypt/etc/live/{{ fqdn }}/fullchain.pem;
+    ssl_certificate_key /srv/letsencrypt/etc/live/{{ fqdn }}/privkey.pem;
+
+    include includes/letsencrypt;
+
+    {% for app in args["apps"] %}
+    location /{{ app }}/ {
+        proxy_pass http://localhost:16080/orbeon/fr/{{ app }}/;
+        proxy_redirect http://localhost:16080/orbeon/fr/{{ app }}/ /{{ app }}/;
+
+        include includes/proxy_params;
+    }
+    {% endfor %}
+
+    location /orbeon {
+        proxy_pass http://localhost:{{ app_port }};
+        proxy_redirect off;
+
+        include includes/proxy_params;
+    }
+
+    root /var/wwwroot-502/$server_name;
+
+    error_page 502 /502.html;
+    location /502.html {}
+}