diff --git a/dnet_user_services_perms/README.md b/dnet_user_services_perms/README.md
new file mode 100644
index 00000000..7c16a155
--- /dev/null
+++ b/dnet_user_services_perms/README.md
@@ -0,0 +1,3 @@
+This role sets acls that permit unprivileged users to:
+- write inside a list of directories
+- restart the tomcat instances
diff --git a/dnet_user_services_perms/defaults/main.yml b/dnet_user_services_perms/defaults/main.yml
new file mode 100644
index 00000000..368374e9
--- /dev/null
+++ b/dnet_user_services_perms/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+dnet_user: tomcat7
+dnet_group: dnet
+
+dnet_data_directories:
+  - /var/lib/dnet
diff --git a/dnet_user_services_perms/tasks/main.yml b/dnet_user_services_perms/tasks/main.yml
new file mode 100644
index 00000000..f4251003
--- /dev/null
+++ b/dnet_user_services_perms/tasks/main.yml
@@ -0,0 +1,30 @@
+---
+- name: Add the all the users to the dnet group
+  user: name={{ item.login }} groups={{ dnet_group }}
+  with_items: users_system_users
+  tags: [ 'dnet', 'users' ]
+
+- name: Install the sudoers config that permits the dnet users to restart tomcat
+  template: src=dnet-sudoers.j2 dest=/etc/sudoers.d/dnet-group owner=root group=root mode=0440
+  tags: [ 'tomcat', 'dnet', 'sudo', 'users' ]
+
+- name: Create the dnet data dirs
+  file: name={{ item }} state=directory owner={{ dnet_user }} group={{ dnet_group }} mode=0750
+  with_items: dnet_data_directories
+  tags: [ 'tomcat', 'dnet', 'users' ]
+
+# Note: the default is a default only. We need two commands to add acl effectively on the root dir and set the default
+- name: Set the read/write permissions on the tomcat webapps and common/classes directories and on a set of dnet data dirs
+  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present
+  with_items:
+#    - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}', '{{ dnet_data_directories }}' ]
+    - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}' ]
+  tags: [ 'tomcat', 'dnet', 'users' ]
+
+- name: Set the default read/write permissions on the tomcat webapps and common/classes directories and on a set of dnet data dirs
+  acl: name={{ item }} entity={{ dnet_group }} etype=group permissions=rwx state=present default=yes
+  with_items:
+#    - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}', '{{ dnet_data_directories }}' ]
+    - [ '{{ tomcat_webapps_dir }}', '{{ tomcat_common_classes_dir }}' ]
+  tags: [ 'tomcat', 'dnet', 'users' ]
+
diff --git a/dnet_user_services_perms/templates/dnet-sudoers.j2 b/dnet_user_services_perms/templates/dnet-sudoers.j2
new file mode 100644
index 00000000..d37971d0
--- /dev/null
+++ b/dnet_user_services_perms/templates/dnet-sudoers.j2
@@ -0,0 +1,3 @@
+%{{ dnet_group }}  ALL=(ALL) NOPASSWD:   /etc/init.d/tomcat7, /etc/init.d/tomcat-instance-*
+
+
diff --git a/haproxy/handlers/main.yml b/haproxy/handlers/main.yml
new file mode 100644
index 00000000..59bf4330
--- /dev/null
+++ b/haproxy/handlers/main.yml
@@ -0,0 +1,9 @@
+---
+- name: Restart haproxy
+  service: name=haproxy state=restarted
+  when: haproxy_enabled
+
+- name: Reload haproxy
+  service: name=haproxy state=reloaded
+  when: haproxy_enabled
+
diff --git a/iptables/handlers/main.yml b/iptables/handlers/main.yml
index d8346c34..44293ea7 100644
--- a/iptables/handlers/main.yml
+++ b/iptables/handlers/main.yml
@@ -1,10 +1,6 @@
 ---
 - name: Start the iptables service
   service: name=iptables-persistent state=restarted enabled=yes
-  when:
-    - is_precise
-    - is_trusty
-    - is_debian7
   notify: Restart fail2ban
 
 - name: Start the netfilter service
diff --git a/iptables/tasks/main.yml b/iptables/tasks/main.yml
index 5dc7ec66..d9e0ec7b 100644
--- a/iptables/tasks/main.yml
+++ b/iptables/tasks/main.yml
@@ -22,10 +22,7 @@
   with_items:
     - rules.v4
     - rules.v6
-  when:
-    - is_precise
-    - is_trusty
-    - is_debian7
+  when: ( is_precise ) or ( is_trusty ) or ( is_debian7 )
   notify: Start the iptables service
   tags:
     - iptables
diff --git a/tomcat/defaults/main.yml b/tomcat/defaults/main.yml
index e47af9da..d993e23f 100644
--- a/tomcat/defaults/main.yml
+++ b/tomcat/defaults/main.yml
@@ -31,6 +31,7 @@ tomcat_catalina_home_dir: '/usr/share/tomcat{{ tomcat_version }}'
 tomcat_catalina_base_dir: '/var/lib/tomcat{{ tomcat_version }}'
 tomcat_conf_dir: '/etc/tomcat{{ tomcat_version }}'
 tomcat_webapps_dir: '{{ tomcat_catalina_base_dir }}/webapps'
+tomcat_common_classes_dir: '{{ tomcat_catalina_base_dir }}/common/classes'
 tomcat_tmp_dir: '{{ tomcat_catalina_base_dir }}/tmp/tomcat'
 
 # JMX and debugging
diff --git a/users/defaults/main.yml b/users/defaults/main.yml
index df1595c3..1b25e043 100644
--- a/users/defaults/main.yml
+++ b/users/defaults/main.yml
@@ -1,8 +1,14 @@
 ---
+#
+# This role adds users to a system
+# The users can access if their ssh key is provided
+# Users can have sudo privileges if the 'admin' property is 'true'
+# admin users can also directly log as root when 'user_admin_can_log_as_root' is set to 'true'
+
 users_sudoers_group: sudo
 users_sudoers_create_group: False
 users_sudoers_create_sudo_conf: False
 users_home_dir: /home
 #users_system_users:
-#  - { login: 'adellam', name: "Andrea Dell'Amico", home: '{{ users_home_dir }}, createhome: 'yes', ssh_key: '{{ adellam_ssh_key }}', shell: '/bin/bash', admin: 'True' }
+#  - { login: 'adellam', name: "Andrea Dell'Amico", home: '{{ users_home_dir }}', createhome: 'yes', ssh_key: '{{ adellam_ssh_key }}', shell: '/bin/bash', admin: 'False', log_as_root: 'False' }
 
diff --git a/users/tasks/main.yml b/users/tasks/main.yml
index 33c9149d..c270e78e 100644
--- a/users/tasks/main.yml
+++ b/users/tasks/main.yml
@@ -33,5 +33,17 @@
   with_items: users_system_users
   when:
     - users_system_users is defined
+    - item.admin == 'True'
   tags:
     - users
+
+- name: ensure that the users can login with their ssh keys as root if we want ensure direct access
+  authorized_key: user=root key="{{ item.ssh_key }}" state=present
+  with_items: users_system_users
+  when:
+    - users_system_users is defined
+    - item.ssh_key is defined
+    - item.log_as_root == 'True'
+  tags:
+    - users
+
diff --git a/varnish-cache/templates/varnish.service.systemd.j2 b/varnish-cache/templates/varnish.service.systemd.j2
new file mode 100644
index 00000000..21f63cb0
--- /dev/null
+++ b/varnish-cache/templates/varnish.service.systemd.j2
@@ -0,0 +1,15 @@
+[Unit]
+Description=Varnish HTTP accelerator
+After=network.target
+
+[Service]
+Type=forking
+EnvironmentFile=-/etc/default/varnish
+LimitNOFILE={{ varnish_n_files }}
+LimitMEMLOCK={{ varnish_memlock }}
+ExecStartPre=/usr/sbin/varnishd -C -f {{ varnish_vcl_conf }}
+ExecStart=/usr/sbin/varnishd  -u {{ varnish_user }} $DAEMON_OPTS
+ExecReload=/usr/share/varnish/reload-vcl
+
+[Install]
+WantedBy=multi-user.target