From 756597668cb9772adec32505238ba4f52a8e0c82 Mon Sep 17 00:00:00 2001 
From: Kevin Veen-Birkenbach
Date: Sun, 13 Jul 2025 15:11:38 +0200
Subject: [PATCH] Semi bsr for applications[] to prevent heavy to debug bugs in j2 - part 1
---
cli/fix/replace_by_get_app_config.sh | 0
.../templates/extensions_policy.json.j2 | 8 ++++----
roles/desk-firefox/templates/policies.json.j2 | 2 +-
roles/desk-gnome-extensions/tasks/main.yml | 2 +-
.../templates/vhost/basic.conf.j2 | 2 +-
roles/svc-db-openldap/handlers/main.yml | 10 +++++-----
roles/svc-db-openldap/tasks/main.yml | 8 ++++----
.../tasks/reset_admin_passwords.yml | 12 +++++------
.../templates/docker-compose.yml.j2 | 6 +++---
roles/svc-db-openldap/templates/env.j2 | 6 +++---
roles/svc-db-openldap/vars/main.yml | 4 ++--
roles/svc-db-postgres/tasks/init_database.yml | 14 ++++++-------
roles/svc-db-postgres/tasks/main.yml | 12 +++++------
.../templates/docker-compose.yml.j2 | 2 +-
roles/web-app-akaunting/templates/env.j2 | 6 +++---
.../templates/docker-compose.yml.j2 | 4 ++--
.../templates/docker-compose.yml.j2 | 2 +-
roles/web-app-bigbluebutton/tasks/main.yml | 4 ++--
roles/web-app-bigbluebutton/templates/env.j2 | 14 ++++++-------
.../templates/docker-compose.yml.j2 | 2 +-
roles/web-app-discourse/handlers/main.yml | 6 +++---
roles/web-app-discourse/tasks/main.yml | 12 +++++------
roles/web-app-discourse/tasks/reset.yml | 2 +-
.../templates/discourse_application.yml.j2 | 2 +-
roles/web-app-discourse/vars/main.yml | 6 +++---
.../templates/docker-compose.yml.j2 | 6 +++---
roles/web-app-espocrm/templates/env.j2 | 6 +++---
roles/web-app-friendica/tasks/main.yml | 6 +++---
.../templates/docker-compose.yml.j2 | 2 +-
roles/web-app-friendica/vars/main.yml | 2 +-
.../templates/docker-compose.yml.j2 | 2 +-
roles/web-app-funkwhale/templates/env.j2 | 2 +-
.../web-app-fusiondirectory/templates/env.j2 | 2 +-
.../templates/docker-compose.yml.j2 | 2 +-
roles/web-app-gitea/templates/env.j2 | 8 ++++----
.../templates/docker-compose.yml.j2 | 2 +-
.../templates/docker-compose.yml.j2 | 2 +-
.../templates/docker-compose.yml.j2 | 4 ++--
roles/web-app-keycloak/templates/env.j2 | 8 ++++----
.../templates/import/realm.json.j2 | 18 ++++++++---------
roles/web-app-keycloak/vars/main.yml | 2 +-
.../templates/docker-compose.yml.j2 | 2 +-
roles/web-app-lam/templates/env.j2 | 2 +-
.../templates/docker-compose.yml.j2 | 2 +-
roles/web-app-listmonk/tasks/main.yml | 6 +++---
.../templates/docker-compose.yml.j2 | 2 +-
roles/web-app-listmonk/templates/env.j2 | 4 ++--
roles/web-app-listmonk/vars/main.yml | 4 ++--
.../tasks/generate-and-read-dkim.yml | 2 +-
roles/web-app-mailu/templates/env.j2 | 4 ++--
roles/web-app-mailu/vars/mailu-dns.yml | 6 +++---
.../templates/docker-compose.yml.j2 | 6 +++---
roles/web-app-matomo/config/main.yml | 6 +++---
.../templates/docker-compose.yml.j2 | 2 +-
roles/web-app-matomo/vars/main.yml | 4 ++--
.../templates/vars.yml.j2 | 2 +-
roles/web-app-matrix/Administration.md | 2 +-
roles/web-app-matrix/Installation.md | 2 +-
roles/web-app-matrix/tasks/main.yml | 10 +++++-----
.../templates/docker-compose.yml.j2 | 18 ++++++++---------
.../templates/mautrix/facebook.config.yml.j2 | 12 +++++------
.../templates/mautrix/imessage.config.yml.j2 | 2 +-
.../templates/mautrix/instagram.config.yml.j2 | 12 +++++------
.../templates/mautrix/signal.config.yml.j2 | 12 +++++------
.../templates/mautrix/slack.config.yml.j2 | 12 +++++------
.../templates/mautrix/telegram.config.yml.j2 | 20 +++++++++----------
.../templates/mautrix/whatsapp.config.yml.j2 | 12 +++++------
.../templates/synapse/homeserver.yaml.j2 | 8 ++++----
roles/web-app-matrix/vars/bridges.yml | 12 +++++------
.../templates/docker-compose.yml.j2 | 2 +-
roles/web-app-mobilizon/templates/env.j2 | 6 +++---
roles/web-app-moodle/templates/Dockerfile.j2 | 4 ++--
roles/web-app-moodle/templates/env.j2 | 8 ++++----
roles/web-app-nextcloud/tasks/main.yml | 2 +-
.../templates/config/oidc.config.php.j2 | 4 ++--
roles/web-app-nextcloud/templates/env.j2 | 10 +++++-----
.../vars/plugins/user_ldap.yml | 2 +-
roles/web-app-nextcloud/vars/system.yml | 4 ++--
roles/web-app-openproject/tasks/main.yml | 2 +-
roles/web-app-openproject/vars/main.yml | 4 ++--
.../templates/docker-compose.yml.j2 | 2 +-
roles/web-app-peertube/templates/env.j2 | 2 +-
roles/web-app-pgadmin/tasks/main.yml | 2 +-
.../templates/docker-compose.yml.j2 | 4 ++--
roles/web-app-pgadmin/templates/env.j2 | 8 ++++----
.../templates/docker-compose.yml.j2 | 2 +-
roles/web-app-phpmyadmin/templates/env.j2 | 2 +-
.../templates/docker-compose.yml.j2 | 4 ++--
roles/web-app-pixelfed/templates/env.j2 | 2 +-
.../lookup_plugins/docker_cards.py | 2 +-
.../templates/docker-compose.yml.j2 | 2 +-
roles/web-app-snipe-it/tasks/ldap.yml | 8 ++++----
.../templates/docker-compose.yml.j2 | 2 +-
roles/web-app-snipe-it/templates/env.j2 | 2 +-
roles/web-app-snipe-it/vars/main.yml | 2 +-
.../templates/docker-compose.yml.j2 | 6 +++---
roles/web-app-taiga/tasks/main.yml | 2 +-
.../templates/docker-compose.yml.j2 | 8 ++++----
roles/web-app-taiga/templates/env.j2 | 8 ++++----
roles/web-app-taiga/vars/main.yml | 4 ++--
roles/web-app-wordpress/tasks/install.yml | 8 ++++----
roles/web-app-wordpress/tasks/main.yml | 4 ++--
.../web-app-wordpress/templates/Dockerfile.j2 | 2 +-
roles/web-app-yourls/templates/env.j2 | 2 +-
roles/web-svc-asset/vars/main.yml | 2 +-
tasks/utils/debug/docker-compose.yml | 2 +-
.../templates/docker-compose.yml.j2.j2 | 2 +-
107 files changed, 277 insertions(+), 277 deletions(-)
mode change 100644 => 100755 cli/fix/replace_by_get_app_config.sh
diff --git a/cli/fix/replace_by_get_app_config.sh b/cli/fix/replace_by_get_app_config.sh
old mode 100644
new mode 100755
diff --git a/roles/desk-chromium/templates/extensions_policy.json.j2 b/roles/desk-chromium/templates/extensions_policy.json.j2
index eac276fc..5d24a615 100644
--- a/roles/desk-chromium/templates/extensions_policy.json.j2
+++ b/roles/desk-chromium/templates/extensions_policy.json.j2
@@ -1,14 +1,14 @@ { "ExtensionInstallForcelist": [ - {% for plugin in applications[application_id].chromium.plugins -%} + {% for plugin in applications | get_app_conf(application_id, 'chromium.plugins', True) -%} "{{ plugin.id }};{{ plugin.update_url }}"{% if not loop.last %},{% endif %} {% endfor %} ], "ExtensionSettings": { "*": { - "installation_mode": "{{ applications[application_id].default_installation_mode }}" + "installation_mode": "{{ applications | get_app_conf(application_id, 'default_installation_mode', True) }}" } - {% for plugin in applications[application_id].chromium.plugins -%}, + {% for plugin in applications | get_app_conf(application_id, 'chromium.plugins', True) -%}, "{{ plugin.id }}": { "installation_mode": "{{ plugin.installation_mode }}", "update_url": "{{ plugin.update_url }}", @@ -16,5 +16,5 @@ } {% endfor %} }, - "PasswordManagerEnabled": {{ applications[application_id].password_manager_enabled }} + "PasswordManagerEnabled": {{ applications | get_app_conf(application_id, 'password_manager_enabled', True) }} } diff --git a/roles/desk-firefox/templates/policies.json.j2 b/roles/desk-firefox/templates/policies.json.j2 index f9c80a0e..58608edd 100644 --- a/roles/desk-firefox/templates/policies.json.j2 +++ b/roles/desk-firefox/templates/policies.json.j2 @@ -2,7 +2,7 @@ "policies": { "Extensions": { "Install": [ - {% for plugin in applications[application_id].plugins -%} + {% for plugin in applications | get_app_conf(application_id, 'plugins', True) -%} "{{ plugin }}"{% if not loop.last %},{% endif %} {% endfor %} ] diff --git a/roles/desk-gnome-extensions/tasks/main.yml b/roles/desk-gnome-extensions/tasks/main.yml index 6b42c889..f9db467d 100644 --- a/roles/desk-gnome-extensions/tasks/main.yml +++ b/roles/desk-gnome-extensions/tasks/main.yml 
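Review bot: `PasswordManagerEnabled` in the second hunk of extensions_policy.json.j2 is emitted with a bare `{{ … }}`, so if `password_manager_enabled` is a YAML boolean the template writes `True`/`False`, which is not valid JSON. A managed-policy file that fails to parse may leave the password-manager setting and the forced-extension list unenforced. I would render it as `"PasswordManagerEnabled": {{ applications | get_app_conf(application_id, 'password_manager_enabled', True) | to_json }}`; the Gitea env template in this same patch already normalises its booleans with `| lower`. The value's type is not visible in this diff, so confirm it against the role's config.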
@@ -10,5 +10,5 @@ - name: Execute CLI GNOME Extension manager script ansible.builtin.shell: cli-gnome-extension-manager "{{ item[0] }}" "{{ item[1] }}" "{{ item[2] }}" - loop: "{{ applications[application_id].plugins }}" + loop: "{{ applications | get_app_conf(application_id, 'plugins', True) }}" become: false \ No newline at end of file diff --git a/roles/srv-proxy-7-4-core/templates/vhost/basic.conf.j2 b/roles/srv-proxy-7-4-core/templates/vhost/basic.conf.j2 index d7c75c68..445d001b 100644 --- a/roles/srv-proxy-7-4-core/templates/vhost/basic.conf.j2 +++ b/roles/srv-proxy-7-4-core/templates/vhost/basic.conf.j2 @@ -16,7 +16,7 @@ server {% include 'roles/srv-web-7-7-letsencrypt/templates/ssl_header.j2' %} {% if applications | is_feature_enabled('oauth2', application_id) %} - {% set acl = applications[application_id].oauth2_proxy.acl | default({}) %} + {% set acl = applications | get_app_conf(application_id, 'oauth2_proxy.acl', True) | default({}) %} {% if acl.blacklist is defined %} {# 1. Expose everything by default, then protect blacklisted paths #} diff --git a/roles/svc-db-openldap/handlers/main.yml b/roles/svc-db-openldap/handlers/main.yml index b019970e..8900ee22 100644 --- a/roles/svc-db-openldap/handlers/main.yml +++ b/roles/svc-db-openldap/handlers/main.yml @@ -1,6 +1,6 @@ - name: Load memberof module from file in OpenLDAP container shell: > - docker exec -i {{ applications[application_id].hostname }} ldapmodify -Y EXTERNAL -H ldapi:/// -f {{ldif_docker_path}}configuration/01_member_of_configuration.ldif + docker exec -i {{ applications | get_app_conf(application_id, 'hostname', True) }} ldapmodify -Y EXTERNAL -H ldapi:/// -f {{ldif_docker_path}}configuration/01_member_of_configuration.ldif listen: - "Import configuration LDIF files" - "Import all LDIF files" 
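Review bot: In vhost/basic.conf.j2 the trailing `| default({})` stops protecting anything if the third argument to `get_app_conf` is a strict flag that raises on a missing path, which the commit subject suggests but the filter's signature (not in this diff) would have to confirm. An application with the oauth2 feature enabled but no `oauth2_proxy.acl` would then fail to render its vhost instead of falling back to an empty ACL. Because this value decides which paths go through the OAuth2 proxy, make the intent explicit: either do a non-strict lookup here and keep `| default({})`, or drop the `default` and require every oauth2-enabled role to define `acl`.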
@@ -10,7 +10,7 @@ - name: Refint Module Activation for OpenLDAP shell: > - docker exec -i {{ applications[application_id].hostname }} ldapadd -Y EXTERNAL -H ldapi:/// -f {{ldif_docker_path}}configuration/02_member_of_configuration.ldif + docker exec -i {{ applications | get_app_conf(application_id, 'hostname', True) }} ldapadd -Y EXTERNAL -H ldapi:/// -f {{ldif_docker_path}}configuration/02_member_of_configuration.ldif listen: - "Import configuration LDIF files" - "Import all LDIF files" @@ -22,7 +22,7 @@ - name: "Import schemas" shell: > - docker exec -i {{ applications[application_id].hostname }} ldapadd -Y EXTERNAL -H ldapi:/// -f "{{ldif_docker_path}}schema/{{ item | basename | regex_replace('\.j2$', '') }}" + docker exec -i {{ applications | get_app_conf(application_id, 'hostname', True) }} ldapadd -Y EXTERNAL -H ldapi:/// -f "{{ldif_docker_path}}schema/{{ item | basename | regex_replace('\.j2$', '') }}" register: ldapadd_result changed_when: "'adding new entry' in ldapadd_result.stdout" failed_when: ldapadd_result.rc not in [0, 80] @@ -33,7 +33,7 @@ - name: Refint Overlay Configuration for OpenLDAP shell: > - docker exec -i {{ applications[application_id].hostname }} ldapmodify -Y EXTERNAL -H ldapi:/// -f {{ldif_docker_path}}configuration/03_member_of_configuration.ldif + docker exec -i {{ applications | get_app_conf(application_id, 'hostname', True) }} ldapmodify -Y EXTERNAL -H ldapi:/// -f {{ldif_docker_path}}configuration/03_member_of_configuration.ldif listen: - "Import configuration LDIF files" - "Import all LDIF files" 
@@ -45,7 +45,7 @@ - name: "Import users, groups, etc. to LDAP" shell: > - docker exec -i {{ applications[application_id].hostname }} ldapadd -x -D "{{ldap.dn.administrator.data}}" -w "{{ldap.bind_credential}}" -c -f "{{ldif_docker_path}}data/{{ item | basename | regex_replace('\.j2$', '') }}" + docker exec -i {{ applications | get_app_conf(application_id, 'hostname', True) }} ldapadd -x -D "{{ldap.dn.administrator.data}}" -w "{{ldap.bind_credential}}" -c -f "{{ldif_docker_path}}data/{{ item | basename | regex_replace('\.j2$', '') }}" register: ldapadd_result changed_when: "'adding new entry' in ldapadd_result.stdout" failed_when: ldapadd_result.rc not in [0, 20, 68] diff --git a/roles/svc-db-openldap/tasks/main.yml b/roles/svc-db-openldap/tasks/main.yml index 1010622a..cdf8a629 100644 --- a/roles/svc-db-openldap/tasks/main.yml +++ b/roles/svc-db-openldap/tasks/main.yml @@ -9,17 +9,17 @@ src: "nginx.stream.conf.j2" dest: "{{nginx.directories.streams}}{{domains | get_domain(application_id)}}.conf" notify: restart nginx - when: applications[application_id].network.public | bool + when: applications | get_app_conf(application_id, 'network.public', True) | bool - name: Remove {{domains | get_domain(application_id)}}.conf if LDAP is not exposed to internet file: path: "{{ nginx.directories.streams }}{{ domains | get_domain(application_id) }}.conf" state: absent - when: not applications[application_id].network.public | bool + when: not applications | get_app_conf(application_id, 'network.public', True) | bool - name: create docker network for LDAP, so that other applications can access it docker_network: - name: "{{ applications[application_id].network.name }}" + name: "{{ applications | get_app_conf(application_id, 'network', True).name }}" state: present ipam_config: - subnet: "{{ networks.local['svc-db-openldap'].subnet }}" 
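Review bot: The `ldapadd` call in the "Import users, groups, etc. to LDAP" handler passes the directory admin password as `-w "{{ldap.bind_credential}}"`, so it is visible in the host's process list and in Ansible's task output and logs. Add `no_log: true` to the task and pass the secret with `-y <password file>` (a root-only file inside the container) instead of on the command line. `slappasswd -s "{{ ldap.bind_credential }}"` in reset_admin_passwords.yml has the same exposure. The task continues past the end of this hunk, so `no_log` may already be set further down.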
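Review bot: The `docker_network` name in tasks/main.yml is written `applications | get_app_conf(application_id, 'network', True).name`, the only lookup visible in this patch that puts an attribute access after the filter call. As far as I know Jinja's grammar does not accept `.name` directly after a filter's argument list, so this is likely a template syntax error when the task runs. At best it is inconsistent with the dotted paths used two tasks above. Use `name: "{{ applications | get_app_conf(application_id, 'network.name', True) }}"`, matching `'network.public'` in the same file.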
@@ -36,7 +36,7 @@ - name: "Reset LDAP admin passwords" include_tasks: reset_admin_passwords.yml - when: applications[application_id].network.local + when: applications | get_app_conf(application_id, 'network.local', True) - name: "create directory {{ldif_host_path}}{{item}}" file: diff --git a/roles/svc-db-openldap/tasks/reset_admin_passwords.yml b/roles/svc-db-openldap/tasks/reset_admin_passwords.yml index e1d84a2d..e07d3458 100644 --- a/roles/svc-db-openldap/tasks/reset_admin_passwords.yml +++ b/roles/svc-db-openldap/tasks/reset_admin_passwords.yml @@ -3,7 +3,7 @@ - name: "Query available LDAP databases" shell: | - docker exec {{ applications[application_id].hostname }} \ + docker exec {{ applications | get_app_conf(application_id, 'hostname', True) }} \ ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b cn=config "(olcDatabase=*)" dn register: ldap_databases @@ -27,13 +27,13 @@ - name: "Generate hash for Database Admin password" shell: | - docker exec {{ applications[application_id].hostname }} \ + docker exec {{ applications | get_app_conf(application_id, 'hostname', True) }} \ slappasswd -s "{{ ldap.bind_credential }}" register: database_admin_pw_hash - name: "Reset Database Admin password in LDAP (olcRootPW)" shell: | - docker exec -i {{ applications[application_id].hostname }} ldapmodify -Y EXTERNAL -H ldapi:/// < result.rc != 0 and 'already exists in network' not in result.stderr @@ -17,7 +17,7 @@ listen: recreate discourse - name: rebuild discourse - shell: ./launcher rebuild {{applications[application_id].container}} + shell: ./launcher rebuild {{applications | get_app_conf(application_id, 'container', True)}} args: executable: /bin/bash chdir: "{{docker_repository_directory }}" diff --git a/roles/web-app-discourse/tasks/main.yml b/roles/web-app-discourse/tasks/main.yml index 270c6a9e..fe1b40c8 100644 --- a/roles/web-app-discourse/tasks/main.yml +++ b/roles/web-app-discourse/tasks/main.yml 
@@ -43,26 +43,26 @@ meta: flush_handlers when: run_once_docker_discourse is not defined -- name: "Connect {{ applications[application_id].container }} to network {{ applications['svc-db-postgres'].network }}" +- name: "Connect {{ applications | get_app_conf(application_id, 'container', True) }} to network {{ applications['svc-db-postgres'].network }}" command: > - docker network connect {{ applications['svc-db-postgres'].network }} {{ applications[application_id].container }} + docker network connect {{ applications['svc-db-postgres'].network }} {{ applications | get_app_conf(application_id, 'container', True) }} register: network_connect failed_when: > network_connect.rc != 0 and - 'Error response from daemon: endpoint with name {{ applications[application_id].container }} already exists in network {{ applications["svc-db-postgres"].network }}' + 'Error response from daemon: endpoint with name {{ applications | get_app_conf(application_id, 'container', True) }} already exists in network {{ applications["svc-db-postgres"].network }}' not in network_connect.stderr changed_when: network_connect.rc == 0 when: - applications | is_feature_enabled('central_database', application_id) - run_once_docker_discourse is not defined -- name: "Remove {{ applications[application_id].network }} from {{ database_host }}" +- name: "Remove {{ applications | get_app_conf(application_id, 'network', True) }} from {{ database_host }}" command: > - docker network disconnect {{ applications[application_id].network }} {{ database_host }} + docker network disconnect {{ applications | get_app_conf(application_id, 'network', True) }} {{ database_host }} register: network_disconnect failed_when: > network_disconnect.rc != 0 and - 'is not connected to network {{ applications[application_id].network }}' not in network_disconnect.stderr + 'is not connected to network {{ applications | get_app_conf(application_id, 'network', True) }}' not in network_disconnect.stderr changed_when: 
network_disconnect.rc == 0 when: - applications | is_feature_enabled('central_database', application_id) diff --git a/roles/web-app-discourse/tasks/reset.yml b/roles/web-app-discourse/tasks/reset.yml index 2bb59f20..1484c8ac 100644 --- a/roles/web-app-discourse/tasks/reset.yml +++ b/roles/web-app-discourse/tasks/reset.yml @@ -3,7 +3,7 @@ - name: "cleanup central database from {{application_id}}_default network" command: - cmd: "docker network disconnect {{applications[application_id].network}} {{ database_host }}" + cmd: "docker network disconnect {{applications | get_app_conf(application_id, 'network', True)}} {{ database_host }}" ignore_errors: true - name: "destroy container discourse_application" diff --git a/roles/web-app-discourse/templates/discourse_application.yml.j2 b/roles/web-app-discourse/templates/discourse_application.yml.j2 index 4e64eab0..8c5dee70 100644 --- a/roles/web-app-discourse/templates/discourse_application.yml.j2 +++ b/roles/web-app-discourse/templates/discourse_application.yml.j2 @@ -178,4 +178,4 @@ run: docker_args: - --network={{application_id}}_default - - --name={{applications[application_id].container}} + - --name={{applications | get_app_conf(application_id, 'container', True)}} diff --git a/roles/web-app-discourse/vars/main.yml b/roles/web-app-discourse/vars/main.yml index 82dbcc98..382c6026 100644 --- a/roles/web-app-discourse/vars/main.yml +++ b/roles/web-app-discourse/vars/main.yml 
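Review bot: Both `failed_when` expressions in web-app-discourse/tasks/main.yml now embed `{{ … get_app_conf(application_id, 'container', True) … }}` inside a single-quoted string literal, so the inner `'container'` / `'network'` quotes only work while Ansible renders the template before parsing the conditional. If the expression is ever parsed directly, the literal ends at the first inner quote and the "already exists" / "is not connected" tolerance no longer does what it says. Build the string by concatenation instead, e.g. `('is not connected to network ' ~ (applications | get_app_conf(application_id, 'network', True))) not in network_disconnect.stderr`. The same hunk still reads `applications['svc-db-postgres'].network` by direct indexing, which bypasses the strict lookup this commit introduces.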
@@ -1,6 +1,6 @@ application_id: "discourse" -database_password: "{{ applications[application_id].credentials.database_password }}" +database_password: "{{ applications | get_app_conf(application_id, 'credentials.database_password', True) }}" database_type: "postgres" -docker_repository_directory : "{{docker_compose.directories.services}}{{applications[application_id].repository}}/" -discourse_application_yml_destination: "{{docker_repository_directory }}containers/{{applications[application_id].container}}.yml" +docker_repository_directory : "{{docker_compose.directories.services}}{{applications | get_app_conf(application_id, 'repository', True)}}/" +discourse_application_yml_destination: "{{docker_repository_directory }}containers/{{applications | get_app_conf(application_id, 'container', True)}}.yml" docker_compose_flush_handlers: false \ No newline at end of file diff --git a/roles/web-app-espocrm/templates/docker-compose.yml.j2 b/roles/web-app-espocrm/templates/docker-compose.yml.j2 index 6962234b..cb6f08bf 100644 --- a/roles/web-app-espocrm/templates/docker-compose.yml.j2 +++ b/roles/web-app-espocrm/templates/docker-compose.yml.j2 @@ -1,6 +1,6 @@ {% include 'roles/docker-compose/templates/base.yml.j2' %} web: - image: "{{ applications[application_id].images.espocrm }}" + image: "{{ applications | get_app_conf(application_id, 'images.espocrm', True) }}" {% include 'roles/docker-container/templates/base.yml.j2' %} {% include 'roles/docker-container/templates/healthcheck/curl.yml.j2' %} ports: @@ -11,7 +11,7 @@ - data:/var/www/html daemon: - image: "{{ applications[application_id].images.espocrm }}" + image: "{{ applications | get_app_conf(application_id, 'images.espocrm', True) }}" restart: {{docker_restart_policy}} logging: driver: journald 
@@ -21,7 +21,7 @@ - data:/var/www/html websocket: - image: "{{ applications[application_id].images.espocrm }}" + image: "{{ applications | get_app_conf(application_id, 'images.espocrm', True) }}" restart: {{docker_restart_policy}} logging: driver: journald diff --git a/roles/web-app-espocrm/templates/env.j2 b/roles/web-app-espocrm/templates/env.j2 index 587ca37c..b1a7aee0 100644 --- a/roles/web-app-espocrm/templates/env.j2 +++ b/roles/web-app-espocrm/templates/env.j2 @@ -19,8 +19,8 @@ CRON_DISABLED=true # ------------------------------------------------ # Initial admin account # ------------------------------------------------ -ESPOCRM_ADMIN_USERNAME={{ applications[application_id].users.administrator.username }} -ESPOCRM_ADMIN_PASSWORD={{ applications[application_id].credentials.administrator_password }} +ESPOCRM_ADMIN_USERNAME={{ applications | get_app_conf(application_id, 'users.administrator.username', True) }} +ESPOCRM_ADMIN_PASSWORD={{ applications | get_app_conf(application_id, 'credentials.administrator_password', True) }} # Public base URL of the EspoCRM instance ESPOCRM_SITE_URL={{ domains | get_url(application_id, web_protocol) }} @@ -54,7 +54,7 @@ ESPOCRM_CONFIG_SMTP_SECURITY={{ "TLS" if system_email.start_tls else "SSL"}} ESPOCRM_CONFIG_SMTP_AUTH=true ESPOCRM_CONFIG_SMTP_USERNAME={{ users['contact'].email }} ESPOCRM_CONFIG_SMTP_PASSWORD={{ users['contact'].mailu_token }} -ESPOCRM_CONFIG_OUTBOUND_EMAIL_FROM_NAME={{ applications[application_id].email.from_name}} +ESPOCRM_CONFIG_OUTBOUND_EMAIL_FROM_NAME={{ applications | get_app_conf(application_id, 'email.from_name', True)}} ESPOCRM_CONFIG_OUTBOUND_EMAIL_FROM_ADDRESS={{ users['contact'].email }} # ------------------------------------------------ diff --git a/roles/web-app-friendica/tasks/main.yml b/roles/web-app-friendica/tasks/main.yml index 456064ae..a09505a0 100644 --- a/roles/web-app-friendica/tasks/main.yml +++ b/roles/web-app-friendica/tasks/main.yml 
@@ -22,15 +22,15 @@ + [{ 'name': item.key, 'enabled': ( - applications[application_id].features.oidc + applications | get_app_conf(application_id, 'features.oidc', True) if item.key == 'keycloakpassword' - else applications[application_id].features.ldap + else applications | get_app_conf(application_id, 'features.ldap', True) if item.key == 'ldapauth' else (item.value.enabled if item.value is mapping and 'enabled' in item.value else False) ) }] }} - loop: "{{ applications[application_id].addons | dict2items }}" + loop: "{{ applications | get_app_conf(application_id, 'addons', True) | dict2items }}" loop_control: label: "{{ item.key }}" diff --git a/roles/web-app-friendica/templates/docker-compose.yml.j2 b/roles/web-app-friendica/templates/docker-compose.yml.j2 index 031dfbf4..efc7ce02 100644 --- a/roles/web-app-friendica/templates/docker-compose.yml.j2 +++ b/roles/web-app-friendica/templates/docker-compose.yml.j2 @@ -1,6 +1,6 @@ {% include 'roles/docker-compose/templates/base.yml.j2' %} application: - image: "{{ applications[application_id].images.friendica }}" + image: "{{ applications | get_app_conf(application_id, 'images.friendica', True) }}" {% include 'roles/docker-container/templates/base.yml.j2' %} volumes: - html:{{ friendica_application_base }} diff --git a/roles/web-app-friendica/vars/main.yml b/roles/web-app-friendica/vars/main.yml index 105b517c..2c930c33 100644 --- a/roles/web-app-friendica/vars/main.yml +++ b/roles/web-app-friendica/vars/main.yml 
@@ -1,7 +1,7 @@ application_id: "friendica" database_type: "mariadb" -friendica_no_validation: "{{ applications[application_id].features.oidc }}" # Email validation is not neccessary if OIDC is active +friendica_no_validation: "{{ applications | get_app_conf(application_id, 'features.oidc', True) }}" # Email validation is not neccessary if OIDC is active friendica_application_base: "/var/www/html" friendica_docker_ldap_config: "{{friendica_application_base}}/config/ldapauth.config.php" friendica_host_ldap_config: "{{ docker_compose.directories.volumes }}ldapauth.config.php" diff --git a/roles/web-app-funkwhale/templates/docker-compose.yml.j2 b/roles/web-app-funkwhale/templates/docker-compose.yml.j2 index 82e01a34..c3008b07 100644 --- a/roles/web-app-funkwhale/templates/docker-compose.yml.j2 +++ b/roles/web-app-funkwhale/templates/docker-compose.yml.j2 @@ -53,7 +53,7 @@ typesense: {% include 'roles/docker-container/templates/base.yml.j2' %} - image: "{{ applications[application_id].docker.images.typesense }}" + image: "{{ applications | get_app_conf(application_id, 'docker.images.typesense', True) }}" volumes: - ./typesense/data:/data command: --data-dir /data --enable-cors diff --git a/roles/web-app-funkwhale/templates/env.j2 b/roles/web-app-funkwhale/templates/env.j2 index c4d38278..0cb67558 100644 --- a/roles/web-app-funkwhale/templates/env.j2 +++ b/roles/web-app-funkwhale/templates/env.j2 @@ -97,7 +97,7 @@ STATIC_ROOT={{funkwhale_static_root}} DJANGO_SETTINGS_MODULE=config.settings.production # Generate one using `openssl rand -base64 45`, for example -DJANGO_SECRET_KEY={{applications[application_id].credentials.django_secret}} +DJANGO_SECRET_KEY={{applications | get_app_conf(application_id, 'credentials.django_secret', True)}} {% if applications | is_feature_enabled('ldap',application_id) %} # LDAP settings diff --git a/roles/web-app-fusiondirectory/templates/env.j2 b/roles/web-app-fusiondirectory/templates/env.j2 index e505b556..161b077e 100644 
--- a/roles/web-app-fusiondirectory/templates/env.j2 +++ b/roles/web-app-fusiondirectory/templates/env.j2 @@ -2,7 +2,7 @@ # https://github.com/LDAPAccountManager/lam/blob/develop/lam-packaging/docker/.env # Basic Configuration -LAM_PASSWORD= {{applications[application_id].credentials.administrator_password}} # LAM configuration master password and password for server profile "lam +LAM_PASSWORD= {{applications | get_app_conf(application_id, 'credentials.administrator_password', True)}} # LAM configuration master password and password for server profile "lam # Database LAM_CONFIGURATION_DATABASE= files # configuration database (files or mysql) @todo implement mariadb diff --git a/roles/web-app-gitea/templates/docker-compose.yml.j2 b/roles/web-app-gitea/templates/docker-compose.yml.j2 index 17221b45..20e61b2d 100644 --- a/roles/web-app-gitea/templates/docker-compose.yml.j2 +++ b/roles/web-app-gitea/templates/docker-compose.yml.j2 @@ -2,7 +2,7 @@ application: {% include 'roles/docker-container/templates/base.yml.j2' %} - image: "{{ applications[application_id].images.gitea }}" + image: "{{ applications | get_app_conf(application_id, 'images.gitea', True) }}" ports: - "127.0.0.1:{{ports.localhost.http[application_id]}}:{{ container_port }}" - "{{ports.public.ssh[application_id]}}:22" diff --git a/roles/web-app-gitea/templates/env.j2 b/roles/web-app-gitea/templates/env.j2 index 70602e5a..d307e079 100644 --- a/roles/web-app-gitea/templates/env.j2 +++ b/roles/web-app-gitea/templates/env.j2 @@ -5,7 +5,7 @@ DOMAIN={{domains | get_domain(application_id)}} RUN_MODE="{{ 'dev' if (CYMAIS_ENVIRONMENT | lower) == 'development' else 'prod' }}" ROOT_URL="{{ domains | get_url(application_id, web_protocol) }}/" -APP_NAME="{{ applications[application_id].title }}" +APP_NAME="{{ applications | get_app_conf(application_id, 'title', True) }}" USER_UID=1000 USER_GID=1000 
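Review bot: The `LAM_PASSWORD=` line in web-app-fusiondirectory/templates/env.j2 carries a space after `=` and an inline `# …` comment after the rendered secret. Whether that trailing text is dropped depends on what reads the file: Docker's own `--env-file` parser treats a `#` in the middle of a line as part of the value, while Compose strips it only for unquoted values. The effective admin password may therefore not be the one stored in `credentials.administrator_password`. Move the comment to its own line above and write `LAM_PASSWORD={{ applications | get_app_conf(application_id, 'credentials.administrator_password', True) }}`. The blob hashes match web-app-lam/templates/env.j2, so that template needs the same change; how either file is consumed is not visible in this diff.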
@@ -38,9 +38,9 @@ GITEA__mailer__PASSWD={{ users['no-reply'].mailu_token }} # Allow push creation # @see https://github.com/go-gitea/gitea/issues/17619 -GITEA__REPOSITORY__ENABLE_PUSH_CREATE_USER={{ applications[application_id].configuration.repository.enable_push_create_user | lower }} -GITEA__REPOSITORY__DEFAULT_PRIVATE={{ applications[application_id].configuration.repository.default_private | lower }} -GITEA__REPOSITORY__DEFAULT_PUSH_CREATE_PRIVATE={{ applications[application_id].configuration.repository.default_push_create_private | lower }} +GITEA__REPOSITORY__ENABLE_PUSH_CREATE_USER={{ applications | get_app_conf(application_id, 'configuration.repository.enable_push_create_user', True) | lower }} +GITEA__REPOSITORY__DEFAULT_PRIVATE={{ applications | get_app_conf(application_id, 'configuration.repository.default_private', True) | lower }} +GITEA__REPOSITORY__DEFAULT_PUSH_CREATE_PRIVATE={{ applications | get_app_conf(application_id, 'configuration.repository.default_push_create_private', True) | lower }} GITEA__security__INSTALL_LOCK=true # Locks the installation page diff --git a/roles/web-app-gitlab/templates/docker-compose.yml.j2 b/roles/web-app-gitlab/templates/docker-compose.yml.j2 index 8e7bbf1d..c78da171 100644 --- a/roles/web-app-gitlab/templates/docker-compose.yml.j2 +++ b/roles/web-app-gitlab/templates/docker-compose.yml.j2 @@ -1,7 +1,7 @@ {% include 'roles/docker-compose/templates/base.yml.j2' %} web: - image: "{{ applications[application_id].images.gitlab }}" + image: "{{ applications | get_app_conf(application_id, 'images.gitlab', True) }}" hostname: '{{domains | get_domain(application_id)}}' {% include 'roles/docker-container/templates/base.yml.j2' %} ports: diff --git a/roles/web-app-joomla/templates/docker-compose.yml.j2 b/roles/web-app-joomla/templates/docker-compose.yml.j2 index ec205843..85155597 100644 --- a/roles/web-app-joomla/templates/docker-compose.yml.j2 +++ b/roles/web-app-joomla/templates/docker-compose.yml.j2 
@@ -1,6 +1,6 @@ {% include 'roles/docker-compose/templates/base.yml.j2' %} application: - image: "{{ applications[application_id].images.joomla }}" + image: "{{ applications | get_app_conf(application_id, 'images.joomla', True) }}" {% include 'roles/docker-container/templates/base.yml.j2' %} volumes: - data:/var/www/html diff --git a/roles/web-app-keycloak/templates/docker-compose.yml.j2 b/roles/web-app-keycloak/templates/docker-compose.yml.j2 index 8eb0a301..064a6c4d 100644 --- a/roles/web-app-keycloak/templates/docker-compose.yml.j2 +++ b/roles/web-app-keycloak/templates/docker-compose.yml.j2 @@ -1,9 +1,9 @@ {% include 'roles/docker-compose/templates/base.yml.j2' %} application: - image: "{{ applications[application_id].images.keycloak }}" + image: "{{ applications | get_app_conf(application_id, 'images.keycloak', True) }}" container_name: {{container_name}} - command: start {% if applications[application_id].import_realm | bool %}--import-realm{% endif %} + command: start {% if applications | get_app_conf(application_id, 'import_realm', True) | bool %}--import-realm{% endif %} {% include 'roles/docker-container/templates/base.yml.j2' %} ports: - "{{ keycloak_server_host }}:8080" diff --git a/roles/web-app-keycloak/templates/env.j2 b/roles/web-app-keycloak/templates/env.j2 index edc6465e..ff7b4040 100644 --- a/roles/web-app-keycloak/templates/env.j2 +++ b/roles/web-app-keycloak/templates/env.j2 @@ -11,8 +11,8 @@ KC_HEALTH_ENABLED= true KC_METRICS_ENABLED= true # Administrator -KEYCLOAK_ADMIN= "{{applications[application_id].users.administrator.username}}" -KEYCLOAK_ADMIN_PASSWORD= "{{applications[application_id].credentials.administrator_password}}" +KEYCLOAK_ADMIN= "{{applications | get_app_conf(application_id, 'users.administrator.username', True)}}" +KEYCLOAK_ADMIN_PASSWORD= "{{applications | get_app_conf(application_id, 'credentials.administrator_password', True)}}" # Database KC_DB= postgres 
@@ -21,5 +21,5 @@ KC_DB_USERNAME= {{database_username}} KC_DB_PASSWORD= {{database_password}} # If the initial administrator already exists and the environment variables are still present at startup, an error message stating the failed creation of the initial administrator is shown in the logs. Keycloak ignores the values and starts up correctly. -KC_BOOTSTRAP_ADMIN_USERNAME= "{{applications[application_id].users.administrator.username}}" -KC_BOOTSTRAP_ADMIN_PASSWORD= "{{applications[application_id].credentials.administrator_password}}" \ No newline at end of file +KC_BOOTSTRAP_ADMIN_USERNAME= "{{applications | get_app_conf(application_id, 'users.administrator.username', True)}}" +KC_BOOTSTRAP_ADMIN_PASSWORD= "{{applications | get_app_conf(application_id, 'credentials.administrator_password', True)}}" \ No newline at end of file diff --git a/roles/web-app-keycloak/templates/import/realm.json.j2 b/roles/web-app-keycloak/templates/import/realm.json.j2 index 021ef2d7..cc5f89bf 100644 --- a/roles/web-app-keycloak/templates/import/realm.json.j2 +++ b/roles/web-app-keycloak/templates/import/realm.json.j2 @@ -890,8 +890,8 @@ "organization", "offline_access", "microprofile-jwt", - "{{ applications[application_id].scopes.rbac_roles }}", - "{{ applications[application_id].scopes.nextcloud }}" + "{{ applications | get_app_conf(application_id, 'scopes.rbac_roles', True) }}", + "{{ applications | get_app_conf(application_id, 'scopes.nextcloud', True) }}" ] } @@ -1197,7 +1197,7 @@ }, { "id": "15dd4961-5b4f-4635-a3f1-a21e1fa7bf3a", - "name": "{{ applications[application_id].scopes.nextcloud }}", + "name": "{{ applications | get_app_conf(application_id, 'scopes.nextcloud', True) }}", "description": "Optimized mappers for nextcloud oidc_login with ldap.", "protocol": "openid-connect", "attributes": { 
@@ -1249,7 +1249,7 @@ }, { "id": "59917c48-a7ef-464a-a8b0-ea24316db18e", - "name": "{{ applications[application_id].scopes.rbac_roles }}", + "name": "{{ applications | get_app_conf(application_id, 'scopes.rbac_roles', True) }}", "description": "RBAC Groups", "protocol": "openid-connect", "attributes": { @@ -1675,8 +1675,8 @@ "phone", "microprofile-jwt", "organization", - "{{ applications[application_id].scopes.rbac_roles }}", - "{{ applications[application_id].scopes.nextcloud }}" + "{{ applications | get_app_conf(application_id, 'scopes.rbac_roles', True) }}", + "{{ applications | get_app_conf(application_id, 'scopes.nextcloud', True) }}" ], "browserSecurityHeaders": { "contentSecurityPolicyReportOnly": "", @@ -1994,7 +1994,7 @@ "false" ], "groups.path": [ - "{{ applications[application_id].rbac_groups }}" + "{{ applications | get_app_conf(application_id, 'rbac_groups', True) }}" ] } }, @@ -2920,8 +2920,8 @@ "action": "register", "useRecaptchaNet": "false", "recaptcha.v3": "true", - "secret.key": "{{ applications[application_id].credentials.recaptcha.secret_key }}", - "site.key": "{{ applications[application_id].credentials.recaptcha.website_key }}" + "secret.key": "{{ applications | get_app_conf(application_id, 'credentials.recaptcha.secret_key', True) }}", + "site.key": "{{ applications | get_app_conf(application_id, 'credentials.recaptcha.website_key', True) }}" } }, {%- endif %} diff --git a/roles/web-app-keycloak/vars/main.yml b/roles/web-app-keycloak/vars/main.yml index 43d03244..b80bf0db 100644 --- a/roles/web-app-keycloak/vars/main.yml +++ b/roles/web-app-keycloak/vars/main.yml 
@@ -4,7 +4,7 @@ container_name: "{{application_id}}_application" import_directory_host: "{{docker_compose.directories.volumes}}import/" # Directory in which keycloack import files are placed on the host import_directory_docker: "/opt/keycloak/data/import/" # Directory in which keycloack import files are placed in the running docker container keycloak_realm: "{{ primary_domain}}" # This is the name of the default realm which is used by the applications -keycloak_administrator: "{{ applications[application_id].users.administrator }}" # Master Administrator +keycloak_administrator: "{{ applications | get_app_conf(application_id, 'users.administrator', True) }}" # Master Administrator keycloak_administrator_username: "{{ keycloak_administrator.username}}" # Master Administrator Username keycloak_administrator_password: "{{ keycloak_administrator.password}}" # Master Administrator Password keycloak_kcadm_path: "docker exec -i {{ container_name }} /opt/keycloak/bin/kcadm.sh" diff --git a/roles/web-app-lam/templates/docker-compose.yml.j2 b/roles/web-app-lam/templates/docker-compose.yml.j2 index 3276ddde..5d2b2a98 100644 --- a/roles/web-app-lam/templates/docker-compose.yml.j2 +++ b/roles/web-app-lam/templates/docker-compose.yml.j2 @@ -2,7 +2,7 @@ application: container_name: {{ application_id }} - image: "{{ applications[application_id].images.lam }}" + image: "{{ applications | get_app_conf(application_id, 'images.lam', True) }}" ports: - 127.0.0.1:{{ports.localhost.http[application_id]}}:80 {% include 'roles/docker-container/templates/base.yml.j2' %} diff --git a/roles/web-app-lam/templates/env.j2 b/roles/web-app-lam/templates/env.j2 index e505b556..161b077e 100644 --- a/roles/web-app-lam/templates/env.j2 +++ b/roles/web-app-lam/templates/env.j2 
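Review bot: `keycloak_administrator_password`, two lines below the changed one, still reads `keycloak_administrator.password`, that is `users.administrator.password`. The env.j2 hunks of this same commit bootstrap the admin with `credentials.administrator_password`. If the two values differ, anything that logs in through `keycloak_kcadm_path` would presumably present a password the container was never started with. The nested `.username` and `.password` reads also bypass `get_app_conf`, so a missing sub-key is not covered by the new lookup. Consider `keycloak_administrator_password: "{{ applications | get_app_conf(application_id, 'credentials.administrator_password', True) }}"` so both places resolve the same key.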
@@ -2,7 +2,7 @@ # https://github.com/LDAPAccountManager/lam/blob/develop/lam-packaging/docker/.env # Basic Configuration -LAM_PASSWORD= {{applications[application_id].credentials.administrator_password}} # LAM configuration master password and password for server profile "lam +LAM_PASSWORD= {{applications | get_app_conf(application_id, 'credentials.administrator_password', True)}} # LAM configuration master password and password for server profile "lam # Database LAM_CONFIGURATION_DATABASE= files # configuration database (files or mysql) @todo implement mariadb diff --git a/roles/web-app-libretranslate/templates/docker-compose.yml.j2 b/roles/web-app-libretranslate/templates/docker-compose.yml.j2 index 57b7ba59..179ac6d4 100644 --- a/roles/web-app-libretranslate/templates/docker-compose.yml.j2 +++ b/roles/web-app-libretranslate/templates/docker-compose.yml.j2 @@ -3,7 +3,7 @@ services: {% include 'roles/docker-compose/templates/base.yml.j2' %} application: - image: "{{ applications[application_id].images[application_id] }}" + image: "{{ applications | get_app_conf(application_id, 'images.' ~ application_id, True) }}" volumes: [] ports: - "127.0.0.1:{{ ports.localhost.http[application_id] }}:{{ container_port }}" diff --git a/roles/web-app-listmonk/tasks/main.yml b/roles/web-app-listmonk/tasks/main.yml index a9c765bc..400b4af5 100644 --- a/roles/web-app-listmonk/tasks/main.yml +++ b/roles/web-app-listmonk/tasks/main.yml @@ -1,8 +1,8 @@ --- -- name: Set proxy_extra_configuration based on applications[application_id].public_api_activated +- name: Set proxy_extra_configuration based on applications | get_app_conf(application_id, 'public_api_activated', True) set_fact: proxy_extra_configuration: >- - {% if not applications[application_id].public_api_activated %} + {% if not applications | get_app_conf(application_id, 'public_api_activated', True) %} {{ lookup('file', '{{ role_path }}/files/deactivate-public-api.conf') }} {% else %} "" 
@@ -50,7 +50,7 @@ -d {{ database_name }} << 'EOSQL' UPDATE users SET email = '{{ users.administrator.email }}', - password_login = {{ 'false' if applications[application_id].features.oidc else 'true' }} + password_login = {{ 'false' if applications | get_app_conf(application_id, 'features.oidc', True) else 'true' }} WHERE username = 'administrator'; EOSQL args: diff --git a/roles/web-app-listmonk/templates/docker-compose.yml.j2 b/roles/web-app-listmonk/templates/docker-compose.yml.j2 index bd636bdf..e676a92f 100644 --- a/roles/web-app-listmonk/templates/docker-compose.yml.j2 +++ b/roles/web-app-listmonk/templates/docker-compose.yml.j2 @@ -2,7 +2,7 @@ application: {% set container_healthcheck = 'health' %} {% include 'roles/docker-container/templates/base.yml.j2' %} - image: "{{ applications[application_id].images.listmonk }}" + image: "{{ applications | get_app_conf(application_id, 'images.listmonk', True) }}" ports: - "127.0.0.1:{{ports.localhost.http[application_id]}}:{{ container_port }}" volumes: diff --git a/roles/web-app-listmonk/templates/env.j2 b/roles/web-app-listmonk/templates/env.j2 index 835cacfd..45989f86 100644 --- a/roles/web-app-listmonk/templates/env.j2 +++ b/roles/web-app-listmonk/templates/env.j2 @@ -2,5 +2,5 @@ TZ={{ HOST_TIMEZONE }} # Administrator setup -LISTMONK_ADMIN_USER={{ applications[application_id].users.administrator.username }} -LISTMONK_ADMIN_PASSWORD={{ applications[application_id].credentials.administrator_password }} \ No newline at end of file +LISTMONK_ADMIN_USER={{ applications | get_app_conf(application_id, 'users.administrator.username', True) }} +LISTMONK_ADMIN_PASSWORD={{ applications | get_app_conf(application_id, 'credentials.administrator_password', True) }} \ No newline at end of file diff --git a/roles/web-app-listmonk/vars/main.yml b/roles/web-app-listmonk/vars/main.yml index fce94aec..1f812550 100644 --- a/roles/web-app-listmonk/vars/main.yml +++ b/roles/web-app-listmonk/vars/main.yml 
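Review bot: The `UPDATE users` statement in this heredoc is built by template substitution, and `email = '{{ users.administrator.email }}'` sits between SQL quotes without escaping, so a value containing `'` ends the literal early and changes the statement. The value comes from inventory rather than from a request, but doubling the quote is cheap: `email = '{{ users.administrator.email | replace("'", "''") }}'`. The rewritten `password_login` expression can only render `false` or `true`, so it is fine as written. The task begins above this hunk, so the rest of its options are not visible here.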
@@ -25,10 +25,10 @@ listmonk_settings: value: 'true' - key: "security.captcha_key" - value: '"{{ applications[application_id].credentials.hcaptcha_site_key }}"' + value: '"{{ applications | get_app_conf(application_id, "credentials.hcaptcha_site_key", True) }}"' - key: "security.captcha_secret" - value: '"{{ applications[application_id].credentials.hcaptcha_secret }}"' + value: '"{{ applications | get_app_conf(application_id, "credentials.hcaptcha_secret", True) }}"' # SMTP servers - key: "smtp" diff --git a/roles/web-app-mailu/tasks/generate-and-read-dkim.yml b/roles/web-app-mailu/tasks/generate-and-read-dkim.yml index 8f6d4b19..73e71947 100644 --- a/roles/web-app-mailu/tasks/generate-and-read-dkim.yml +++ b/roles/web-app-mailu/tasks/generate-and-read-dkim.yml @@ -11,7 +11,7 @@ - name: Generate DKIM key command: > docker compose exec -T antispam - rspamadm dkim_keygen -s dkim -d {{ applications[application_id].domain }} -k {{ mailu_dkim_key_path }} + rspamadm dkim_keygen -s dkim -d {{ applications | get_app_conf(application_id, 'domain', True) }} -k {{ mailu_dkim_key_path }} register: dkim_keygen_output when: dkim_key_file_stat.rc != 0 args: diff --git a/roles/web-app-mailu/templates/env.j2 b/roles/web-app-mailu/templates/env.j2 index 28fef70d..878c4843 100644 --- a/roles/web-app-mailu/templates/env.j2 +++ b/roles/web-app-mailu/templates/env.j2 
@@ -189,7 +189,7 @@ OIDC_CHANGE_PASSWORD_REDIRECT_ENABLED=True # Redirect URL for password change. Defaults to provider issuer url appended by /.well-known/change-password OIDC_CHANGE_PASSWORD_REDIRECT_URL={{oidc.client.change_credentials}} -{% if applications[application_id].oidc.email_by_username | bool %} +{% if applications | get_app_conf(application_id, 'oidc.email_by_username', True) | bool %} # The OIDC claim used as the username. If the selected claim contains an email address, it will be used as is. If it is not an email (e.g., sub), the email address will be constructed as @. Defaults to email. OIDC_USERNAME_CLAIM={{oidc.attributes.username}} @@ -199,5 +199,5 @@ OIDC_USER_DOMAIN={{primary_domain}} {% endif %} # If enabled, users who authenticate successfully but do not yet have an account will have one created for them. If disabled, only existing users can log in, and authentication will fail for users without a pre-existing account. Defaults to True. -OIDC_ENABLE_USER_CREATION={{ applications[application_id].oidc.enable_user_creation | string | capitalize }} +OIDC_ENABLE_USER_CREATION={{ applications | get_app_conf(application_id, 'oidc.enable_user_creation', True) | string | capitalize }} {% endif %} \ No newline at end of file diff --git a/roles/web-app-mailu/vars/mailu-dns.yml b/roles/web-app-mailu/vars/mailu-dns.yml index 91cf4a80..05ce39a0 100644 --- a/roles/web-app-mailu/vars/mailu-dns.yml +++ b/roles/web-app-mailu/vars/mailu-dns.yml 
@@ -1,13 +1,13 @@ # vars/mailu-dns.yml -mailu_dns_zone: "{{ applications[application_id].domain }}" +mailu_dns_zone: "{{ applications | get_app_conf(application_id, 'domain', True) }}" mailu_dns_ip: "{{ networks.internet.ip4 }}" cloudflare_record_api_token: "{{ certbot_dns_api_token }}" -mailu_dmarc_ruf: "{{ applications[application_id].users.administrator.email }}" +mailu_dmarc_ruf: "{{ applications | get_app_conf(application_id, 'users.administrator.email', True) }}" -mailu_dkim_key_file: "{{ applications[application_id].domain }}.dkim.key" +mailu_dkim_key_file: "{{ applications | get_app_conf(application_id, 'domain', True) }}.dkim.key" mailu_dkim_key_path: "/dkim/{{ mailu_dkim_key_file }}" mailu_dns_srv_records: diff --git a/roles/web-app-mastodon/templates/docker-compose.yml.j2 b/roles/web-app-mastodon/templates/docker-compose.yml.j2 index c7345f4c..1154d339 100644 --- a/roles/web-app-mastodon/templates/docker-compose.yml.j2 +++ b/roles/web-app-mastodon/templates/docker-compose.yml.j2 @@ -3,7 +3,7 @@ web: {% set container_port = 3000 %} {% set container_healthcheck = 'health' %} - image: "{{ applications[application_id].images[application_id] }}" + image: "{{ applications | get_app_conf(application_id, 'images.' ~ application_id, True) }}" {% include 'roles/docker-container/templates/base.yml.j2' %} command: bash -c "rm -f /mastodon/tmp/pids/server.pid; bundle exec rails s -p {{ container_port }}" {% include 'roles/docker-container/templates/healthcheck/wget.yml.j2' %} @@ -17,7 +17,7 @@ streaming: {% set container_port = 4000 %} {% set container_healthcheck = 'api/v1/streaming/health' %} - image: "{{ applications[application_id].images.streaming }}" + image: "{{ applications | get_app_conf(application_id, 'images.streaming', True) }}" {% include 'roles/docker-container/templates/base.yml.j2' %} command: node ./streaming {% include 'roles/docker-container/templates/healthcheck/wget.yml.j2' %} 
@@ -27,7 +27,7 @@ {% include 'roles/docker-container/templates/networks.yml.j2' %} sidekiq: - image: "{{ applications[application_id].images.mastodon }}" + image: "{{ applications | get_app_conf(application_id, 'images.mastodon', True) }}" {% include 'roles/docker-container/templates/base.yml.j2' %} command: bundle exec sidekiq {% include 'roles/docker-container/templates/depends_on/dmbs_excl.yml.j2' %} diff --git a/roles/web-app-matomo/config/main.yml b/roles/web-app-matomo/config/main.yml index 84b555cb..4486699d 100644 --- a/roles/web-app-matomo/config/main.yml +++ b/roles/web-app-matomo/config/main.yml @@ -1,5 +1,3 @@ -images: - matomo: "matomo:latest" features: # If you want to use Matomo on the Matomo page, you # have to set it here manual to true. @@ -7,7 +5,7 @@ features: # itself wouldn't be possible matomo: false css: false - port-ui-desktop: true + port-ui-desktop: true central_database: true oauth2: false csp: @@ -34,6 +32,8 @@ excluded_ips: "{{ networks.internet.values() | list }}" docker: services: + matomo: + image: "matomo:latest" database: enabled: true redis: diff --git a/roles/web-app-matomo/templates/docker-compose.yml.j2 b/roles/web-app-matomo/templates/docker-compose.yml.j2 index 10749996..ae6ff575 100644 --- a/roles/web-app-matomo/templates/docker-compose.yml.j2 +++ b/roles/web-app-matomo/templates/docker-compose.yml.j2 @@ -2,7 +2,7 @@ application: {% set container_port = 80 %} {% include 'roles/docker-container/templates/base.yml.j2' %} - image: "{{ applications[application_id].images['matomo'] }}" + image: "{{ applications | get_app_conf(application_id, 'docker.services.matomo.image']', True) }}" ports: - "127.0.0.1:{{ports.localhost.http[application_id]}}:{{ container_port }}" volumes: diff --git a/roles/web-app-matomo/vars/main.yml b/roles/web-app-matomo/vars/main.yml index 4b30df38..39f3d56d 100644 --- a/roles/web-app-matomo/vars/main.yml +++ b/roles/web-app-matomo/vars/main.yml 
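Review bot: The new `image:` line in the matomo docker-compose template keeps a stray `]` from the old `images['matomo']` subscript. In `'docker.services.matomo.image']'` the string closes before the bracket, so the expression no longer parses and rendering this template should fail. It should read `image: "{{ applications | get_app_conf(application_id, 'docker.services.matomo.image', True) }}"`. The config hunk of the same role moves the value to `docker.services.matomo.image` but keeps `matomo:latest`; pinning a version or digest there would make the deployed image reproducible.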
@@ -1,9 +1,9 @@ --- application_id: "web-app-matomo" database_type: "mariadb" -matomo_excluded_ips: "{{ applications[application_id].excluded_ips }}" +matomo_excluded_ips: "{{ applications | get_app_conf(application_id, 'excluded_ips', True) }}" matomo_index_php_url: "{{ domains | get_url(application_id, web_protocol) }}/index.php" -matomo_auth_token: "{{ applications[application_id].credentials.auth_token }}" +matomo_auth_token: "{{ applications | get_app_conf(application_id, 'credentials.auth_token', True) }}" # I don't know if this is still necessary diff --git a/roles/web-app-matrix-deprecated/templates/vars.yml.j2 b/roles/web-app-matrix-deprecated/templates/vars.yml.j2 index 01c3ba7c..4f33a1eb 100644 --- a/roles/web-app-matrix-deprecated/templates/vars.yml.j2 +++ b/roles/web-app-matrix-deprecated/templates/vars.yml.j2 @@ -18,7 +18,7 @@ matrix_homeserver_implementation: synapse # A secret used as a base, for generating various other secrets. # You can put any string here, but generating a strong one is preferred (e.g. `pwgen -s 64 1`). -matrix_homeserver_generic_secret_key: "{{applications[application_id].credentials.generic_secret_key}}" +matrix_homeserver_generic_secret_key: "{{applications | get_app_conf(application_id, 'credentials.generic_secret_key', True)}}" # By default, the playbook manages its own Traefik (https://doc.traefik.io/traefik/) reverse-proxy server. # It will retrieve SSL certificates for you on-demand and forward requests to all other components. diff --git a/roles/web-app-matrix/Administration.md b/roles/web-app-matrix/Administration.md index 77a125b3..e8a3805a 100644 --- a/roles/web-app-matrix/Administration.md +++ b/roles/web-app-matrix/Administration.md 
@@ -3,7 +3,7 @@ ## Cleanup ``` # Cleanup Database -for db in matrix applications[application_id].credentials.mautrix_whatsapp_bridge applications[application_id].credentials.mautrix_telegram_bridge applications[application_id].credentials.mautrix_signal_bridge applications[application_id].credentials.mautrix_slack_bridge; do python reset-database-in-central-postgres.py $db; done +for db in matrix applications | get_app_conf(application_id, 'credentials.mautrix_whatsapp_bridge', True) applications | get_app_conf(application_id, 'credentials.mautrix_telegram_bridge', True) applications | get_app_conf(application_id, 'credentials.mautrix_signal_bridge', True) applications | get_app_conf(application_id, 'credentials.mautrix_slack_bridge', True); do python reset-database-in-central-postgres.py $db; done # Cleanup Docker and Volumes docker compose down -v ``` \ No newline at end of file diff --git a/roles/web-app-matrix/Installation.md b/roles/web-app-matrix/Installation.md index ff8e9e43..06b939ff 100644 --- a/roles/web-app-matrix/Installation.md +++ b/roles/web-app-matrix/Installation.md @@ -15,7 +15,7 @@ For login with Token checkout [this guide](https://docs.mau.fi/bridges/go/slack/ ### ChatGPT - Create API Token: https://platform.openai.com/api-keys -- Set ``applications[application_id].credentials.chatgpt_bridge_access_token`` +- Set ``applications | get_app_conf(application_id, 'credentials.chatgpt_bridge_access_token', True)`` ## Debug: - https://federationtester.matrix.org/ \ No newline at end of file diff --git a/roles/web-app-matrix/tasks/main.yml b/roles/web-app-matrix/tasks/main.yml index f584e407..0a08af9d 100644 --- a/roles/web-app-matrix/tasks/main.yml +++ b/roles/web-app-matrix/tasks/main.yml 
@@ -5,7 +5,7 @@ - name: Filter enabled bridges and register as fact set_fact: - bridges: "{{ bridges_configuration | filter_enabled_bridges(applications[application_id].plugins) }}" + bridges: "{{ bridges_configuration | filter_enabled_bridges(applications | get_app_conf(application_id, 'plugins', True)) }}" changed_when: false - name: "load docker and db for {{application_id}}" @@ -143,14 +143,14 @@ - name: create admin account command: - cmd: docker compose exec -it synapse register_new_matrix_user -u {{applications[application_id].users.administrator.username}} -p {{applications[application_id].credentials.administrator_password}} -a -c /data/homeserver.yaml http://localhost:8008 + cmd: docker compose exec -it synapse register_new_matrix_user -u {{applications | get_app_conf(application_id, 'users.administrator.username', True)}} -p {{applications | get_app_conf(application_id, 'credentials.administrator_password', True)}} -a -c /data/homeserver.yaml http://localhost:8008 chdir: "{{ docker_compose.directories.instance }}" ignore_errors: true - when: applications[application_id].setup | bool + when: applications | get_app_conf(application_id, 'setup', True) | bool - name: create chatgpt bot command: - cmd: docker compose exec -it synapse register_new_matrix_user -u chatgptbot -p {{applications[application_id].credentials.chatgpt_bridge_user_password}} -a -c /data/homeserver.yaml http://localhost:8008 + cmd: docker compose exec -it synapse register_new_matrix_user -u chatgptbot -p {{applications | get_app_conf(application_id, 'credentials.chatgpt_bridge_user_password', True)}} -a -c /data/homeserver.yaml http://localhost:8008 chdir: "{{ docker_compose.directories.instance }}" ignore_errors: true - when: applications[application_id].setup | bool \ No newline at end of file + when: applications | get_app_conf(application_id, 'setup', True) | bool \ No newline at end of file 
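Review bot: Both `register_new_matrix_user` tasks pass the password as a `-p` argument and neither sets `no_log`. The rendered command line, secret included, therefore lands in Ansible output and is visible in the process list while the command runs. Add `no_log: true` to `create admin account` and `create chatgpt bot`. The templated values are also unquoted, so a password containing whitespace or quote characters is split into extra arguments; `-p {{ applications | get_app_conf(application_id, 'credentials.administrator_password', True) | quote }}` avoids that. Because both tasks use `ignore_errors: true`, a failure caused by either problem would pass unnoticed.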
diff --git a/roles/web-app-matrix/templates/docker-compose.yml.j2 b/roles/web-app-matrix/templates/docker-compose.yml.j2 index a25b9fc5..da708072 100644 --- a/roles/web-app-matrix/templates/docker-compose.yml.j2 +++ b/roles/web-app-matrix/templates/docker-compose.yml.j2 @@ -1,7 +1,7 @@ {% include 'roles/docker-compose/templates/base.yml.j2' %} synapse: {% set container_port = 8008 %} - image: "{{ applications[application_id].images.synapse }}" + image: "{{ applications | get_app_conf(application_id, 'images.synapse', True) }}" container_name: matrix-synapse restart: {{docker_restart_policy}} logging: @@ -30,7 +30,7 @@ {% include 'roles/docker-container/templates/networks.yml.j2' %} element: {% set container_port = 80 %} - image: "{{ applications[application_id].images.element }}" + image: "{{ applications | get_app_conf(application_id, 'images.element', True) }}" container_name: matrix-element restart: {{docker_restart_policy}} volumes: @@ -54,7 +54,7 @@ retries: 3 {% include 'roles/docker-container/templates/networks.yml.j2' %} {% endfor %} -{% if applications[application_id].plugins.chatgpt | bool %} +{% if applications | get_app_conf(application_id, 'plugins', True).chatgpt | bool %} matrix-chatgpt-bot: restart: {{docker_restart_policy}} container_name: matrix-chatgpt @@ -62,7 +62,7 @@ volumes: - chatgpt_data:/storage environment: - OPENAI_API_KEY: '{{applications[application_id].credentials.chatgpt_bridge_openai_api_key}}' + OPENAI_API_KEY: '{{applications | get_app_conf(application_id, 'credentials.chatgpt_bridge_openai_api_key', True)}}' # Uncomment the next two lines if you are using Azure OpenAI API # OPENAI_AZURE: 'false' # CHATGPT_REVERSE_PROXY: 'your-completion-endpoint-here' 
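Review bot: In `{% if applications | get_app_conf(application_id, 'plugins', True).chatgpt | bool %}` the `.chatgpt` attribute follows a filter call. Jinja2 does not accept that without parentheses, so this line is expected to raise a template syntax error. The same expression is repeated in the `@@ -98,7 +98,7 @@` hunk of this file. Either parenthesise it as `(applications | get_app_conf(application_id, 'plugins', True)).chatgpt`, or fold the key into the path as the rest of the commit does: `{% if applications | get_app_conf(application_id, 'plugins.chatgpt', True) | bool %}`.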
@@ -82,13 +82,13 @@ KEYV_BOT_ENCRYPTION: 'false' KEYV_BOT_STORAGE: 'true' MATRIX_HOMESERVER_URL: 'https://{{domains.matrix.synapse}}' - MATRIX_BOT_USERNAME: '@chatgptbot:{{applications[application_id].server_name}}' - MATRIX_ACCESS_TOKEN: '{{ applications[application_id].credentials.chatgpt_bridge_access_token | default('') }}' - MATRIX_BOT_PASSWORD: '{{applications[application_id].credentials.chatgpt_bridge_user_password}}' + MATRIX_BOT_USERNAME: '@chatgptbot:{{applications | get_app_conf(application_id, 'server_name', True)}}' + MATRIX_ACCESS_TOKEN: '{{ applications | get_app_conf(application_id, 'credentials.chatgpt_bridge_access_token', True) | default('') }}' + MATRIX_BOT_PASSWORD: '{{applications | get_app_conf(application_id, 'credentials.chatgpt_bridge_user_password', True)}}' MATRIX_DEFAULT_PREFIX: '!chatgpt' MATRIX_DEFAULT_PREFIX_REPLY: 'false' #MATRIX_BLACKLIST: '' - MATRIX_WHITELIST: ':{{applications[application_id].server_name}}' + MATRIX_WHITELIST: ':{{applications | get_app_conf(application_id, 'server_name', True)}}' MATRIX_AUTOJOIN: 'true' MATRIX_ENCRYPTION: 'true' MATRIX_THREADS: 'true' @@ -98,7 +98,7 @@ {% include 'roles/docker-compose/templates/volumes.yml.j2' %} synapse_data: -{% if applications[application_id].plugins.chatgpt | bool %} +{% if applications | get_app_conf(application_id, 'plugins', True).chatgpt | bool %} chatgpt_data: {% endif %} diff --git a/roles/web-app-matrix/templates/mautrix/facebook.config.yml.j2 b/roles/web-app-matrix/templates/mautrix/facebook.config.yml.j2 index 8d3ed9dd..7a938224 100644 --- a/roles/web-app-matrix/templates/mautrix/facebook.config.yml.j2 +++ b/roles/web-app-matrix/templates/mautrix/facebook.config.yml.j2 
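Review bot: `MATRIX_ACCESS_TOKEN` keeps its `| default('')` fallback, but the lookup is now made with the third argument `True`. The definition of `get_app_conf` is not part of this diff; if that argument makes it fail on a missing key, the fallback can never apply and the previously optional `credentials.chatgpt_bridge_access_token` becomes mandatory. Use the non-strict form of the lookup for this one key, or drop `default('')` if the token is now meant to be required.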
@@ -3,7 +3,7 @@ homeserver: # The address that this appservice can use to connect to the homeserver. address: http://synapse:8008 # The domain of the homeserver (for MXIDs, etc). - domain: {{applications[application_id].server_name}} + domain: {{applications | get_app_conf(application_id, 'server_name', True)}} # Whether or not to verify the SSL certificate of the homeserver. # Only applies if address starts with https:// verify_ssl: true @@ -39,7 +39,7 @@ appservice: # Format examples: # SQLite: sqlite:filename.db # Postgres: postgres://username:password@hostname/dbname - database: postgres://mautrix_facebook_bridge:{{applications[application_id].credentials.mautrix_facebook_bridge_database_password}}@{{database_host}}/mautrix_facebook_bridge + database: postgres://mautrix_facebook_bridge:{{applications | get_app_conf(application_id, 'credentials.mautrix_facebook_bridge_database_password', True)}}@{{database_host}}/mautrix_facebook_bridge # Additional arguments for asyncpg.create_pool() or sqlite3.connect() # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect @@ -143,7 +143,7 @@ bridge: sync_direct_chat_list: false # Servers to always allow double puppeting from double_puppet_server_map: - {{applications[application_id].server_name}}: {{domains.matrix.synapse}} + {{applications | get_app_conf(application_id, 'server_name', True)}}: {{domains.matrix.synapse}} # Allow using double puppeting from any server with a valid client .well-known file. double_puppet_allow_discovery: false # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth 
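Review bot: The `database:` URI in the `@@ -39,7 +39,7 @@` hunk places the bridge's database password directly into `postgres://user:password@host/db`. A password containing `@`, `:`, `/`, `?` or `#` changes how the URI is parsed, so the bridge would connect with the wrong credentials or host. Percent-encode the value by appending `| urlencode` to the lookup: `{{ applications | get_app_conf(application_id, 'credentials.mautrix_facebook_bridge_database_password', True) | urlencode }}`. The same applies to the instagram `database:` line and to the signal and slack `uri:` lines changed in this commit. Those last two also carry `sslmode=disable`, which is only acceptable while the database link stays on a private container network.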
@@ -154,7 +154,7 @@ bridge: # If using this for other servers than the bridge's server, # you must also set the URL in the double_puppet_server_map. login_shared_secret_map: - {{applications[application_id].server_name}}: {{applications[application_id].credentials.registration_shared_secret}} + {{applications | get_app_conf(application_id, 'server_name', True)}}: {{applications | get_app_conf(application_id, 'credentials.registration_shared_secret', True)}} # Should presence from Facebook be bridged? This doesn't use the same API as the Android app, # so it might be more suspicious to Facebook. presence_from_facebook: false @@ -380,8 +380,8 @@ bridge: # mxid - Specific user permissions: "*": relay - "{{applications[application_id].server_name}}": user - "@{{applications[application_id].users.administrator.username}}:{{applications[application_id].server_name}}": admin + "{{applications | get_app_conf(application_id, 'server_name', True)}}": user + "@{{applications | get_app_conf(application_id, 'users.administrator.username', True)}}:{{applications | get_app_conf(application_id, 'server_name', True)}}": admin relay: # Whether relay mode should be allowed. If allowed, `!fb set-relay` can be used to turn any diff --git a/roles/web-app-matrix/templates/mautrix/imessage.config.yml.j2 b/roles/web-app-matrix/templates/mautrix/imessage.config.yml.j2 index 0977c8d6..3ec82eb5 100644 --- a/roles/web-app-matrix/templates/mautrix/imessage.config.yml.j2 +++ b/roles/web-app-matrix/templates/mautrix/imessage.config.yml.j2 
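Review bot: Under `login_shared_secret_map` both the key and the secret are rendered as unquoted YAML scalars. A `registration_shared_secret` that contains ` #` or `: `, starts with a YAML indicator, or looks like a number is truncated or re-typed when the bridge loads the file. The `permissions` block changed further down this file already quotes its templated keys, and the same can be done here: `"{{applications | get_app_conf(application_id, 'server_name', True)}}": "{{applications | get_app_conf(application_id, 'credentials.registration_shared_secret', True)}}"`. The instagram, signal and slack configs in this commit contain the identical line.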
@@ -10,7 +10,7 @@ homeserver: # How often should the websocket be pinged? Pinging will be disabled if this is zero. ping_interval_seconds: 0 # The domain of the homeserver (also known as server_name, used for MXIDs, etc). - domain: {{applications[application_id].server_name}} + domain: {{applications | get_app_conf(application_id, 'server_name', True)}} # What software is the homeserver running? # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here. diff --git a/roles/web-app-matrix/templates/mautrix/instagram.config.yml.j2 b/roles/web-app-matrix/templates/mautrix/instagram.config.yml.j2 index f5655e80..14f0527e 100644 --- a/roles/web-app-matrix/templates/mautrix/instagram.config.yml.j2 +++ b/roles/web-app-matrix/templates/mautrix/instagram.config.yml.j2 @@ -3,7 +3,7 @@ homeserver: # The address that this appservice can use to connect to the homeserver. address: http://synapse:8008 # The domain of the homeserver (also known as server_name, used for MXIDs, etc). - domain: {{applications[application_id].server_name}} + domain: {{applications | get_app_conf(application_id, 'server_name', True)}} # Whether or not to verify the SSL certificate of the homeserver. # Only applies if address starts with https:// verify_ssl: true 
@@ -42,7 +42,7 @@ appservice: # Format examples: # SQLite: sqlite:filename.db # Postgres: postgres://username:password@hostname/dbname - database: postgres://mautrix_instagram_bridge:{{applications[application_id].credentials.mautrix_instagram_bridge_database_password}}@{{database_host}}/mautrix_instagram_bridge + database: postgres://mautrix_instagram_bridge:{{applications | get_app_conf(application_id, 'credentials.mautrix_instagram_bridge_database_password', True)}}@{{database_host}}/mautrix_instagram_bridge # Additional arguments for asyncpg.create_pool() or sqlite3.connect() # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect @@ -134,7 +134,7 @@ bridge: double_puppet_allow_discovery: false # Servers to allow double puppeting from, even if double_puppet_allow_discovery is false. double_puppet_server_map: - {{applications[application_id].server_name}}: https://{{domains.matrix.synapse}} + {{applications | get_app_conf(application_id, 'server_name', True)}}: https://{{domains.matrix.synapse}} # Shared secret for https://github.com/devture/matrix-synapse-shared-secret-auth # # If set, custom puppets will be enabled automatically for local users @@ -143,7 +143,7 @@ bridge: # If using this for other servers than the bridge's server, # you must also set the URL in the double_puppet_server_map. login_shared_secret_map: - {{applications[application_id].server_name}}: {{applications[application_id].credentials.registration_shared_secret}} + {{applications | get_app_conf(application_id, 'server_name', True)}}: {{applications | get_app_conf(application_id, 'credentials.registration_shared_secret', True)}} # Whether or not created rooms should have federation enabled. # If false, created portal rooms will never be federated. federate_rooms: true 
@@ -359,8 +359,8 @@ bridge: # mxid - Specific user permissions: "*": relay - "{{applications[application_id].server_name}}": user - "@{{applications[application_id].users.administrator.username}}:{{applications[application_id].server_name}}": admin + "{{applications | get_app_conf(application_id, 'server_name', True)}}": user + "@{{applications | get_app_conf(application_id, 'users.administrator.username', True)}}:{{applications | get_app_conf(application_id, 'server_name', True)}}": admin relay: # Whether relay mode should be allowed. If allowed, `!ig set-relay` can be used to turn any diff --git a/roles/web-app-matrix/templates/mautrix/signal.config.yml.j2 b/roles/web-app-matrix/templates/mautrix/signal.config.yml.j2 index efa3ac98..dc9d20d4 100644 --- a/roles/web-app-matrix/templates/mautrix/signal.config.yml.j2 +++ b/roles/web-app-matrix/templates/mautrix/signal.config.yml.j2 @@ -3,7 +3,7 @@ homeserver: # The address that this appservice can use to connect to the homeserver. address: http://synapse:8008 # The domain of the homeserver (also known as server_name, used for MXIDs, etc). - domain: {{applications[application_id].server_name}} + domain: {{applications | get_app_conf(application_id, 'server_name', True)}} # What software is the homeserver running? # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here. 
@@ -43,7 +43,7 @@ appservice: # https://github.com/mattn/go-sqlite3#connection-string # Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable # To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql - uri: postgres://mautrix_signal_bridge:{{applications[application_id].credentials.mautrix_signal_bridge_database_password}}@{{database_host}}/mautrix_signal_bridge?sslmode=disable + uri: postgres://mautrix_signal_bridge:{{applications | get_app_conf(application_id, 'credentials.mautrix_signal_bridge_database_password', True)}}@{{database_host}}/mautrix_signal_bridge?sslmode=disable # Maximum number of connections. Mostly relevant for Postgres. max_open_conns: 20 max_idle_conns: 2 @@ -141,7 +141,7 @@ bridge: federate_rooms: true # Servers to always allow double puppeting from double_puppet_server_map: - {{applications[application_id].server_name}}: https://{{domains.matrix.synapse}} + {{applications | get_app_conf(application_id, 'server_name', True)}}: https://{{domains.matrix.synapse}} # Allow using double puppeting from any server with a valid client .well-known file. double_puppet_allow_discovery: false # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth @@ -150,7 +150,7 @@ bridge: # instead of users having to find an access token and run `login-matrix` # manually. login_shared_secret_map: - {{applications[application_id].server_name}}: {{applications[application_id].credentials.registration_shared_secret}} + {{applications | get_app_conf(application_id, 'server_name', True)}}: {{applications | get_app_conf(application_id, 'credentials.registration_shared_secret', True)}} # Maximum time for handling Matrix events. Duration strings formatted for https://pkg.go.dev/time#ParseDuration # Null means there's no enforced timeout. 
@@ -274,8 +274,8 @@ bridge: # mxid - Specific user permissions: "*": relay - "{{applications[application_id].server_name}}": user - "@{{applications[application_id].users.administrator.username}}:{{applications[application_id].server_name}}": admin + "{{applications | get_app_conf(application_id, 'server_name', True)}}": user + "@{{applications | get_app_conf(application_id, 'users.administrator.username', True)}}:{{applications | get_app_conf(application_id, 'server_name', True)}}": admin # Settings for relay mode relay: diff --git a/roles/web-app-matrix/templates/mautrix/slack.config.yml.j2 b/roles/web-app-matrix/templates/mautrix/slack.config.yml.j2 index 68ec6e3e..b19fee2c 100644 --- a/roles/web-app-matrix/templates/mautrix/slack.config.yml.j2 +++ b/roles/web-app-matrix/templates/mautrix/slack.config.yml.j2 @@ -3,7 +3,7 @@ homeserver: # The address that this appservice can use to connect to the homeserver. address: http://synapse:8008 # The domain of the homeserver (also known as server_name, used for MXIDs, etc). - domain: {{applications[application_id].server_name}} + domain: {{applications | get_app_conf(application_id, 'server_name', True)}} # What software is the homeserver running? # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here. 
@@ -43,7 +43,7 @@ appservice: # https://github.com/mattn/go-sqlite3#connection-string # Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable # To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql - uri: postgres://mautrix_slack_bridge:{{applications[application_id].credentials.mautrix_slack_bridge_database_password}}@{{database_host}}/mautrix_slack_bridge?sslmode=disable + uri: postgres://mautrix_slack_bridge:{{applications | get_app_conf(application_id, 'credentials.mautrix_slack_bridge_database_password', True)}}@{{database_host}}/mautrix_slack_bridge?sslmode=disable # Maximum number of connections. Mostly relevant for Postgres. max_open_conns: 20 max_idle_conns: 2 @@ -118,7 +118,7 @@ bridge: # Servers to always allow double puppeting from double_puppet_server_map: - {{applications[application_id].server_name}}: https://{{domains.matrix.synapse}} + {{applications | get_app_conf(application_id, 'server_name', True)}}: https://{{domains.matrix.synapse}} # Allow using double puppeting from any server with a valid client .well-known file. double_puppet_allow_discovery: false # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth @@ -127,7 +127,7 @@ bridge: # instead of users having to find an access token and run `login-matrix` # manually. login_shared_secret_map: - {{applications[application_id].server_name}}: {{applications[application_id].credentials.registration_shared_secret}} + {{applications | get_app_conf(application_id, 'server_name', True)}}: {{applications | get_app_conf(application_id, 'credentials.registration_shared_secret', True)}} message_handling_timeout: # Send an error message after this timeout, but keep waiting for the response until the deadline. 
@@ -278,8 +278,8 @@ bridge: # mxid - Specific user permissions: "*": relay - "{{applications[application_id].server_name}}": user - "@{{applications[application_id].users.administrator.username}}:{{applications[application_id].server_name}}": admin + "{{applications | get_app_conf(application_id, 'server_name', True)}}": user + "@{{applications | get_app_conf(application_id, 'users.administrator.username', True)}}:{{applications | get_app_conf(application_id, 'server_name', True)}}": admin # Logging config. See https://github.com/tulir/zeroconfig for details. logging: diff --git a/roles/web-app-matrix/templates/mautrix/telegram.config.yml.j2 b/roles/web-app-matrix/templates/mautrix/telegram.config.yml.j2 index 26c33bbb..84a6c459 100644 --- a/roles/web-app-matrix/templates/mautrix/telegram.config.yml.j2 +++ b/roles/web-app-matrix/templates/mautrix/telegram.config.yml.j2 @@ -3,7 +3,7 @@ homeserver: # The address that this appservice can use to connect to the homeserver. address: http://synapse:8008 # The domain of the homeserver (for MXIDs, etc). - domain: {{applications[application_id].server_name}} + domain: {{applications | get_app_conf(application_id, 'server_name', True)}} # Whether or not to verify the SSL certificate of the homeserver. # Only applies if address starts with https:// verify_ssl: true 
@@ -42,7 +42,7 @@ appservice: # Format examples: # SQLite: sqlite:filename.db # Postgres: postgres://username:password@hostname/dbname - database: postgres://mautrix_telegram_bridge:{{applications[application_id].credentials.mautrix_telegram_bridge_database_password}}@{{database_host}}/mautrix_telegram_bridge + database: postgres://mautrix_telegram_bridge:{{applications | get_app_conf(application_id, 'credentials.mautrix_telegram_bridge_database_password', True)}}@{{database_host}}/mautrix_telegram_bridge # Additional arguments for asyncpg.create_pool() or sqlite3.connect() # https://magicstack.github.io/asyncpg/current/api/index.html#asyncpg.pool.create_pool # https://docs.python.org/3/library/sqlite3.html#sqlite3.connect @@ -62,7 +62,7 @@ appservice: prefix: /public # The base URL where the public-facing endpoints are available. The prefix is not added # implicitly. - external: https://{{applications[application_id].server_name}}/public + external: https://{{applications | get_app_conf(application_id, 'server_name', True)}}/public # Provisioning API part of the web server for automated portal creation and fetching information. # Used by things like mautrix-manager (https://github.com/tulir/mautrix-manager). @@ -198,7 +198,7 @@ bridge: sync_direct_chat_list: false # Servers to always allow double puppeting from double_puppet_server_map: - {{applications[application_id].server_name}}: https://{{domains.matrix.synapse}} + {{applications | get_app_conf(application_id, 'server_name', True)}}: https://{{domains.matrix.synapse}} # Allow using double puppeting from any server with a valid client .well-known file. double_puppet_allow_discovery: false # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth 
@@ -209,7 +209,7 @@ bridge: # If using this for other servers than the bridge's server, # you must also set the URL in the double_puppet_server_map. login_shared_secret_map: - {{applications[application_id].server_name}}: {{applications[application_id].credentials.registration_shared_secret}} + {{applications | get_app_conf(application_id, 'server_name', True)}}: {{applications | get_app_conf(application_id, 'credentials.registration_shared_secret', True)}} # Set to false to disable link previews in messages sent to Telegram. telegram_link_preview: true # Whether or not the !tg join command should do a HTTP request @@ -530,9 +530,9 @@ bridge: # mxid - Specific user permissions: "*": "relaybot" - "public.{{applications[application_id].server_name}}": "user" - "{{applications[application_id].server_name}}": "full" - "@{{applications[application_id].users.administrator.username}}:{{applications[application_id].server_name}}": "admin" + "public.{{applications | get_app_conf(application_id, 'server_name', True)}}": "user" + "{{applications | get_app_conf(application_id, 'server_name', True)}}": "full" + "@{{applications | get_app_conf(application_id, 'users.administrator.username', True)}}:{{applications | get_app_conf(application_id, 'server_name', True)}}": "admin" # Options related to the message relay Telegram bot. relaybot: @@ -564,8 +564,8 @@ bridge: # Telegram config telegram: # Get your own API keys at https://my.telegram.org/apps - api_id: {{applications[application_id].credentials.mautrix_telgegram_bridge_api_id}} - api_hash: {{applications[application_id].credentials.mautrix_telgegram_bridge_api_pin}} + api_id: {{applications | get_app_conf(application_id, 'credentials.mautrix_telgegram_bridge_api_id', True)}} + api_hash: {{applications | get_app_conf(application_id, 'credentials.mautrix_telgegram_bridge_api_pin', True)}} # (Optional) Create your own bot at https://t.me/BotFather bot_token: disabled 
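Review bot: `api_hash` under `telegram:` is rendered unquoted, so a hexadecimal hash made only of digits, or of digits around a single `e`, is read by a YAML parser as a number instead of a string. I would quote it: `api_hash: "{{ applications | get_app_conf(application_id, 'credentials.mautrix_telgegram_bridge_api_pin', True) }}"`. The lookup paths also carry over the spellings `mautrix_telgegram_bridge_api_id` and `..._api_pin` from the old code. They are now string literals that must match the inventory keys exactly, so a short comment such as `# key spelling matches the inventory; api_pin holds the Telegram api_hash` would stop someone correcting only one side.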
diff --git a/roles/web-app-matrix/templates/mautrix/whatsapp.config.yml.j2 b/roles/web-app-matrix/templates/mautrix/whatsapp.config.yml.j2 index 701583cb..e8713718 100644 --- a/roles/web-app-matrix/templates/mautrix/whatsapp.config.yml.j2 +++ b/roles/web-app-matrix/templates/mautrix/whatsapp.config.yml.j2 @@ -3,7 +3,7 @@ homeserver: # The address that this appservice can use to connect to the homeserver. address: http://synapse:8008 # The domain of the homeserver (also known as server_name, used for MXIDs, etc). - domain: {{applications[application_id].server_name}} + domain: {{applications | get_app_conf(application_id, 'server_name', True)}} # What software is the homeserver running? # Standard Matrix homeservers like Synapse, Dendrite and Conduit should just use "standard" here. @@ -42,7 +42,7 @@ appservice: # https://github.com/mattn/go-sqlite3#connection-string # Postgres: Connection string. For example, postgres://user:password@host/database?sslmode=disable # To connect via Unix socket, use something like postgres:///dbname?host=/var/run/postgresql - uri: postgres://mautrix_whatsapp_bridge:{{applications[application_id].credentials.mautrix_whatsapp_bridge_database_password}}@{{database_host}}/mautrix_whatsapp_bridge?sslmode=disable + uri: postgres://mautrix_whatsapp_bridge:{{applications | get_app_conf(application_id, 'credentials.mautrix_whatsapp_bridge_database_password', True)}}@{{database_host}}/mautrix_whatsapp_bridge?sslmode=disable # Maximum number of connections. Mostly relevant for Postgres. max_open_conns: 20 max_idle_conns: 2 
@@ -236,7 +236,7 @@ bridge: force_active_delivery_receipts: false # Servers to always allow double puppeting from double_puppet_server_map: - {{applications[application_id].server_name}}: https://{{domains.matrix.synapse}} + {{applications | get_app_conf(application_id, 'server_name', True)}}: https://{{domains.matrix.synapse}} # Allow using double puppeting from any server with a valid client .well-known file. double_puppet_allow_discovery: false # Shared secrets for https://github.com/devture/matrix-synapse-shared-secret-auth @@ -245,7 +245,7 @@ bridge: # instead of users having to find an access token and run `login-matrix` # manually. login_shared_secret_map: - {{applications[application_id].server_name}}: {{applications[application_id].credentials.registration_shared_secret}} + {{applications | get_app_conf(application_id, 'server_name', True)}}: {{applications | get_app_conf(application_id, 'credentials.registration_shared_secret', True)}} # Whether to explicitly set the avatar and room name for private chat portal rooms. # If set to `default`, this will be enabled in encrypted rooms and disabled in unencrypted rooms. # If set to `always`, all DM rooms will have explicit names and avatars set. @@ -434,8 +434,8 @@ bridge: # mxid - Specific user permissions: "*": relay - "{{applications[application_id].server_name}}": user - "@{{applications[application_id].users.administrator.username}}:{{applications[application_id].server_name}}": admin + "{{applications | get_app_conf(application_id, 'server_name', True)}}": user + "@{{applications | get_app_conf(application_id, 'users.administrator.username', True)}}:{{applications | get_app_conf(application_id, 'server_name', True)}}": admin # Settings for relay mode relay: diff --git a/roles/web-app-matrix/templates/synapse/homeserver.yaml.j2 b/roles/web-app-matrix/templates/synapse/homeserver.yaml.j2 index 275bb7d6..b9555195 100644 --- a/roles/web-app-matrix/templates/synapse/homeserver.yaml.j2 
+++ b/roles/web-app-matrix/templates/synapse/homeserver.yaml.j2 @@ -1,4 +1,4 @@ -server_name: "{{applications[application_id].server_name}}" +server_name: "{{applications | get_app_conf(application_id, 'server_name', True)}}" pid_file: /data/homeserver.pid listeners: - port: 8008 @@ -19,10 +19,10 @@ database: cp_max: 10 log_config: "/data/{{domains.matrix.synapse}}.log.config" media_store_path: "/data/media_store" -registration_shared_secret: "{{applications[application_id].credentials.registration_shared_secret}}" +registration_shared_secret: "{{applications | get_app_conf(application_id, 'credentials.registration_shared_secret', True)}}" report_stats: true -macaroon_secret_key: "{{applications[application_id].credentials.macaroon_secret_key}}" -form_secret: "{{applications[application_id].credentials.form_secret}}" +macaroon_secret_key: "{{applications | get_app_conf(application_id, 'credentials.macaroon_secret_key', True)}}" +form_secret: "{{applications | get_app_conf(application_id, 'credentials.form_secret', True)}}" signing_key_path: "/data/{{domains.matrix.synapse}}.signing.key" web_client_location: "{{ web_protocol }}://{{domains.matrix.element}}" public_baseurl: "{{ web_protocol }}://{{domains.matrix.synapse}}" diff --git a/roles/web-app-matrix/vars/bridges.yml b/roles/web-app-matrix/vars/bridges.yml index 1f950cdd..f874a023 100644 --- a/roles/web-app-matrix/vars/bridges.yml +++ b/roles/web-app-matrix/vars/bridges.yml 
@@ -1,30 +1,30 @@ bridges_configuration: - - database_password: "{{ applications[application_id].credentials.mautrix_whatsapp_bridge_database_password }}" + - database_password: "{{ applications | get_app_conf(application_id, 'credentials.mautrix_whatsapp_bridge_database_password', True) }}" database_username: "mautrix_whatsapp_bridge" database_name: "mautrix_whatsapp_bridge" bridge_name: "whatsapp" - - database_password: "{{ applications[application_id].credentials.mautrix_telegram_bridge_database_password }}" + - database_password: "{{ applications | get_app_conf(application_id, 'credentials.mautrix_telegram_bridge_database_password', True) }}" database_username: "mautrix_telegram_bridge" database_name: "mautrix_telegram_bridge" bridge_name: "telegram" - - database_password: "{{ applications[application_id].credentials.mautrix_signal_bridge_database_password }}" + - database_password: "{{ applications | get_app_conf(application_id, 'credentials.mautrix_signal_bridge_database_password', True) }}" database_username: "mautrix_signal_bridge" database_name: "mautrix_signal_bridge" bridge_name: "signal" - - database_password: "{{ applications[application_id].credentials.mautrix_slack_bridge_database_password }}" + - database_password: "{{ applications | get_app_conf(application_id, 'credentials.mautrix_slack_bridge_database_password', True) }}" database_username: "mautrix_slack_bridge" database_name: "mautrix_slack_bridge" bridge_name: "slack" - - database_password: "{{ applications[application_id].credentials.mautrix_facebook_bridge_database_password }}" + - database_password: "{{ applications | get_app_conf(application_id, 'credentials.mautrix_facebook_bridge_database_password', True) }}" database_username: "mautrix_facebook_bridge" database_name: "mautrix_facebook_bridge" bridge_name: "facebook" - - database_password: "{{ applications[application_id].credentials.mautrix_instagram_bridge_database_password }}" + - database_password: "{{ applications | 
get_app_conf(application_id, 'credentials.mautrix_instagram_bridge_database_password', True) }}" database_username: "mautrix_instagram_bridge" database_name: "mautrix_instagram_bridge" bridge_name: "instagram" \ No newline at end of file diff --git a/roles/web-app-mobilizon/templates/docker-compose.yml.j2 b/roles/web-app-mobilizon/templates/docker-compose.yml.j2 index bfe7e0c7..21c39b5c 100644 --- a/roles/web-app-mobilizon/templates/docker-compose.yml.j2 +++ b/roles/web-app-mobilizon/templates/docker-compose.yml.j2 @@ -1,6 +1,6 @@ {% include 'roles/docker-compose/templates/base.yml.j2' %} application: - image: "{{ applications[application_id].images[application_id] }}" + image: "{{ applications | get_app_conf(application_id, 'images.' ~ application_id, True) }}" volumes: - uploads:/var/lib/mobilizon/uploads - {{ mobilizon_host_conf_exs_file }}:/etc/mobilizon/config.exs:ro diff --git a/roles/web-app-mobilizon/templates/env.j2 b/roles/web-app-mobilizon/templates/env.j2 index 011a4aa7..a2fb2826 100644 --- a/roles/web-app-mobilizon/templates/env.j2 +++ b/roles/web-app-mobilizon/templates/env.j2 @@ -6,7 +6,7 @@ ###################################################### # The name for your instance -MOBILIZON_INSTANCE_NAME={{ applications[application_id].titel }} +MOBILIZON_INSTANCE_NAME={{ applications | get_app_conf(application_id, 'titel', True) }} # Your domain MOBILIZON_INSTANCE_HOST={{ domains | get_domain(application_id) }} 
@@ -67,12 +67,12 @@ MOBILIZON_DATABASE_PORT={{ database_port }} # A secret key used as a base to generate secrets for encrypting and signing data. # Make sure it's long enough (~64 characters should be fine) # You can run `openssl rand -base64 48` to generate such a secret -MOBILIZON_INSTANCE_SECRET_KEY_BASE={{ applications[application_id].credentials.secret_key_base }} +MOBILIZON_INSTANCE_SECRET_KEY_BASE={{ applications | get_app_conf(application_id, 'credentials.secret_key_base', True) }} # A secret key used as a base to generate JWT tokens # Make sure it's long enough (~64 characters should be fine) # You can run `openssl rand -base64 48` to generate such a secret -MOBILIZON_INSTANCE_SECRET_KEY={{ applications[application_id].credentials.secret_key }} +MOBILIZON_INSTANCE_SECRET_KEY={{ applications | get_app_conf(application_id, 'credentials.secret_key', True) }} ###################################################### diff --git a/roles/web-app-moodle/templates/Dockerfile.j2 b/roles/web-app-moodle/templates/Dockerfile.j2 index 7c8adc38..0e20e485 100644 --- a/roles/web-app-moodle/templates/Dockerfile.j2 +++ b/roles/web-app-moodle/templates/Dockerfile.j2 @@ -1,10 +1,10 @@ -FROM bitnami/moodle:{{ applications[application_id].version }} +FROM bitnami/moodle:{{ applications | get_app_conf(application_id, 'version', True) }} {% if applications | is_feature_enabled('oidc', application_id) %} RUN install_packages unzip curl jq \ && VERSION=$(curl -s https://api.github.com/repos/microsoft/moodle-auth_oidc/tags \ | jq -r '.[].name' \ - | grep v{{ applications[application_id].version }} \ + | grep v{{ applications | get_app_conf(application_id, 'version', True) }} \ | sort -Vr \ | head -n1) \ && echo "Using version $VERSION" \ diff --git a/roles/web-app-moodle/templates/env.j2 b/roles/web-app-moodle/templates/env.j2 index bc9aafb5..5e99067c 100644 --- a/roles/web-app-moodle/templates/env.j2 +++ b/roles/web-app-moodle/templates/env.j2 
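Review bot: In the moodle Dockerfile.j2 hunk, `grep v{{ ... 'version' ... }}` uses the version as an unanchored regular expression, so `.` matches any character and a value such as `4.1` also matches tags for `4.10` or `4.11`. Because `sort -Vr | head -n1` then takes the highest match, the build can resolve a plugin tag for a different release line than the pinned `bitnami/moodle` image. I would anchor and escape the pattern, e.g. `| grep -E '^v{{ applications | get_app_conf(application_id, 'version', True) | regex_escape }}([.-]|$)' \`. The rest of the `RUN` instruction is outside the hunk; if it downloads and unpacks the resolved tag, a checksum or pinned commit for that archive would be the follow-up to consider.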
@@ -1,12 +1,12 @@ # General -MOODLE_SITE_NAME="{{applications[application_id].site_titel}}" +MOODLE_SITE_NAME="{{applications | get_app_conf(application_id, 'site_titel', True)}}" MOODLE_HOST="{{ domains | get_domain(application_id) }}" MOODLE_SSLPROXY=yes MOODLE_REVERSE_PROXY=yes -MOODLE_USERNAME={{applications[application_id].users.administrator.username}} -MOODLE_PASSWORD={{applications[application_id].credentials.user_password}} -MOODLE_EMAIL={{applications[application_id].users.administrator.email}} +MOODLE_USERNAME={{applications | get_app_conf(application_id, 'users.administrator.username', True)}} +MOODLE_PASSWORD={{applications | get_app_conf(application_id, 'credentials.user_password', True)}} +MOODLE_EMAIL={{applications | get_app_conf(application_id, 'users.administrator.email', True)}} BITNAMI_DEBUG={% if enable_debug | bool %}true{% else %}false{% endif %} # Database diff --git a/roles/web-app-nextcloud/tasks/main.yml b/roles/web-app-nextcloud/tasks/main.yml index ec0530ac..a9ab1759 100644 --- a/roles/web-app-nextcloud/tasks/main.yml +++ b/roles/web-app-nextcloud/tasks/main.yml @@ -43,7 +43,7 @@ - name: Setup Nextcloud Plugins include_tasks: plugin.yml - loop: "{{applications[application_id].plugins | dict2items }}" + loop: "{{applications | get_app_conf(application_id, 'plugins', True) | dict2items }}" loop_control: loop_var: plugin_item vars: diff --git a/roles/web-app-nextcloud/templates/config/oidc.config.php.j2 b/roles/web-app-nextcloud/templates/config/oidc.config.php.j2 index ba6b7aa8..fdcb5208 100644 --- a/roles/web-app-nextcloud/templates/config/oidc.config.php.j2 +++ b/roles/web-app-nextcloud/templates/config/oidc.config.php.j2 @@ -1,7 +1,7 @@ '{{applications[application_id].default_quota}}', + 'oidc_login_default_quota' => '{{applications | get_app_conf(application_id, 'default_quota', True)}}', // Login button text 'oidc_login_button_text' => '{{oidc.button_text}}', 
diff --git a/roles/web-app-nextcloud/templates/env.j2 b/roles/web-app-nextcloud/templates/env.j2 index 6b69fb44..42cff2bf 100644 --- a/roles/web-app-nextcloud/templates/env.j2 +++ b/roles/web-app-nextcloud/templates/env.j2 @@ -8,9 +8,9 @@ MYSQL_PASSWORD= "{{database_password}}" MYSQL_HOST= "{{database_host}}:{{database_port}}" # PHP -PHP_MEMORY_LIMIT= "{{applications[application_id].performance.php.memory_limit}}" -PHP_UPLOAD_LIMIT= "{{applications[application_id].performance.php.upload_limit}}" -PHP_OPCACHE_MEMORY_CONSUMPTION= "{{applications[application_id].performance.php.opcache_memory_consumption}}" +PHP_MEMORY_LIMIT= "{{applications | get_app_conf(application_id, 'performance.php.memory_limit', True)}}" +PHP_UPLOAD_LIMIT= "{{applications | get_app_conf(application_id, 'performance.php.upload_limit', True)}}" +PHP_OPCACHE_MEMORY_CONSUMPTION= "{{applications | get_app_conf(application_id, 'performance.php.opcache_memory_consumption', True)}}" # Email Configuration SMTP_HOST= {{system_email.host}} @@ -24,8 +24,8 @@ MAIL_FROM_ADDRESS= "{{ users['no-reply'].username }}" MAIL_DOMAIN= "{{system_email.domain}}" # Initial Admin Data -NEXTCLOUD_ADMIN_USER= "{{applications[application_id].users.administrator.username}}" -NEXTCLOUD_ADMIN_PASSWORD= "{{applications[application_id].credentials.administrator_password}}" +NEXTCLOUD_ADMIN_USER= "{{applications | get_app_conf(application_id, 'users.administrator.username', True)}}" +NEXTCLOUD_ADMIN_PASSWORD= "{{applications | get_app_conf(application_id, 'credentials.administrator_password', True)}}" # Security diff --git a/roles/web-app-nextcloud/vars/plugins/user_ldap.yml b/roles/web-app-nextcloud/vars/plugins/user_ldap.yml index eda8d215..d0269e35 100644 --- a/roles/web-app-nextcloud/vars/plugins/user_ldap.yml +++ b/roles/web-app-nextcloud/vars/plugins/user_ldap.yml 
@@ -164,7 +164,7 @@ plugin_configuration: appid: "user_ldap" configkey: "s01ldap_userlist_filter" configvalue: |- - {% if applications[application_id].plugins.user_ldap.user_directory.enabled %} + {% if applications | get_app_conf(application_id, 'plugins', True).user_ldap.user_directory.enabled %} {{ ldap.filters.users.all }} {% else %} () diff --git a/roles/web-app-nextcloud/vars/system.yml b/roles/web-app-nextcloud/vars/system.yml index 02aec9e4..b2fe9940 100644 --- a/roles/web-app-nextcloud/vars/system.yml +++ b/roles/web-app-nextcloud/vars/system.yml @@ -1,11 +1,11 @@ nextcloud_system_config: - parameter: "hide_login_form" type: "boolean" - value: "{{ (not applications[application_id].legacy_login_mask.enabled) | lower }}" + value: "{{ (not applications | get_app_conf(application_id, 'legacy_login_mask.enabled', True)) | lower }}" - parameter: "auth.webauthn.enabled" type: "boolean" - value: "{{ applications[application_id].legacy_login_mask.enabled | lower }}" + value: "{{ applications | get_app_conf(application_id, 'legacy_login_mask.enabled', True) | lower }}" - parameter: "maintenance_window_start" type: "integer" diff --git a/roles/web-app-openproject/tasks/main.yml b/roles/web-app-openproject/tasks/main.yml index 8c66d847..3962134c 100644 --- a/roles/web-app-openproject/tasks/main.yml +++ b/roles/web-app-openproject/tasks/main.yml @@ -35,4 +35,4 @@ - name: Setup LDAP include_tasks: ldap.yml - when: applications[application_id].features.ldap | bool \ No newline at end of file + when: applications | get_app_conf(application_id, 'features.ldap', True) | bool \ No newline at end of file diff --git a/roles/web-app-openproject/vars/main.yml b/roles/web-app-openproject/vars/main.yml index 498a7f07..df45a936 100644 --- a/roles/web-app-openproject/vars/main.yml +++ b/roles/web-app-openproject/vars/main.yml 
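Review bot: The rewritten condition in user_ldap.yml, `applications | get_app_conf(application_id, 'plugins', True).user_ldap.user_directory.enabled`, puts attribute access directly after a filter call. As far as I can tell Jinja2 only accepts another `|`, a test or a call after a filter's argument list, so this should fail with a template syntax error when `configvalue` is rendered. It looks like an artefact of the mechanical replacement. The whole path belongs in the lookup: `{% if applications | get_app_conf(application_id, 'plugins.user_ldap.user_directory.enabled', True) %}`. This branch decides whether `s01ldap_userlist_filter` gets the real LDAP filter or `()`, so it is worth a test render before merging.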
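Review bot: In system.yml the value for `hide_login_form` reads `(not applications | get_app_conf(application_id, 'legacy_login_mask.enabled', True)) | lower`, which is only correct because Jinja filters bind tighter than `not`. That is easy to misread as negating `applications` before the lookup. Since this flag controls whether the password login form is exposed, I would make the grouping explicit: `{{ (not (applications | get_app_conf(application_id, 'legacy_login_mask.enabled', True))) | lower }}`.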
@@ -21,8 +21,8 @@ openproject_rails_settings: openproject_filters: administrators: >- {{ '(memberOf=cn=openproject-admins,' ~ ldap.dn.ou.roles ~ ')' - if applications[application_id].ldap.filters.administrators else '' }} + if applications | get_app_conf(application_id, 'ldap.filters.administrators', True) else '' }} users: >- {{ '(memberOf=cn=openproject-users,' ~ ldap.dn.ou.roles ~ ')' - if applications[application_id].ldap.filters.users else '' }} + if applications | get_app_conf(application_id, 'ldap.filters.users', True) else '' }} diff --git a/roles/web-app-peertube/templates/docker-compose.yml.j2 b/roles/web-app-peertube/templates/docker-compose.yml.j2 index a1928286..8d457d86 100644 --- a/roles/web-app-peertube/templates/docker-compose.yml.j2 +++ b/roles/web-app-peertube/templates/docker-compose.yml.j2 @@ -2,7 +2,7 @@ application: {% set container_port = 9000 %} - image: chocobozzz/peertube:production-{{ applications[application_id].version }} + image: chocobozzz/peertube:production-{{ applications | get_app_conf(application_id, 'version', True) }} container_name: {{ container_name }} {% include 'roles/docker-container/templates/base.yml.j2' %} ports: diff --git a/roles/web-app-peertube/templates/env.j2 b/roles/web-app-peertube/templates/env.j2 index 195bd082..a378a0dd 100644 --- a/roles/web-app-peertube/templates/env.j2 +++ b/roles/web-app-peertube/templates/env.j2 @@ -11,7 +11,7 @@ PEERTUBE_DB_HOSTNAME={{database_host}} PEERTUBE_WEBSERVER_HOSTNAME={{domains | get_domain(application_id)}} PEERTUBE_TRUST_PROXY=["127.0.0.1", "loopback"] -PEERTUBE_SECRET={{applications[application_id].credentials.secret}} +PEERTUBE_SECRET={{applications | get_app_conf(application_id, 'credentials.secret', True)}} # E-mail configuration PEERTUBE_SMTP_USERNAME={{ users['no-reply'].email }} diff --git a/roles/web-app-pgadmin/tasks/main.yml b/roles/web-app-pgadmin/tasks/main.yml index 55b1486b..528603d2 100644 --- a/roles/web-app-pgadmin/tasks/main.yml 
+++ b/roles/web-app-pgadmin/tasks/main.yml @@ -5,4 +5,4 @@ - name: "configure pgadmin servers" include_tasks: configuration.yml - when: applications[application_id].server_mode | bool \ No newline at end of file + when: applications | get_app_conf(application_id, 'server_mode', True) | bool \ No newline at end of file diff --git a/roles/web-app-pgadmin/templates/docker-compose.yml.j2 b/roles/web-app-pgadmin/templates/docker-compose.yml.j2 index 527febff..3f689a33 100644 --- a/roles/web-app-pgadmin/templates/docker-compose.yml.j2 +++ b/roles/web-app-pgadmin/templates/docker-compose.yml.j2 @@ -2,7 +2,7 @@ application: {% set container_port = 80 %} - image: dpage/pgadmin4:{{applications[application_id].version}} + image: dpage/pgadmin4:{{applications | get_app_conf(application_id, 'version', True)}} container_name: pgadmin {% include 'roles/docker-container/templates/base.yml.j2' %} ports: @@ -12,7 +12,7 @@ {% include 'roles/docker-container/templates/healthcheck/wget.yml.j2' %} volumes: - "data:/var/lib/pgadmin" -{% if applications[application_id].server_mode | bool %} +{% if applications | get_app_conf(application_id, 'server_mode', True) | bool %} - "{{ pgadmin_host_server_file }}:{{ pgadmin_docker_server_file }}" - "{{ pgadmin_host_password_file }}:{{ pgadmin_docker_password_file }}" {% endif %} diff --git a/roles/web-app-pgadmin/templates/env.j2 b/roles/web-app-pgadmin/templates/env.j2 index 8a50caba..a03cff03 100644 --- a/roles/web-app-pgadmin/templates/env.j2 +++ b/roles/web-app-pgadmin/templates/env.j2 
@@ -4,12 +4,12 @@ PGADMIN_DISABLE_POSTFIX=True # Default login email for server mode -PGADMIN_DEFAULT_EMAIL={{ applications[application_id].users.administrator.email }} +PGADMIN_DEFAULT_EMAIL={{ applications | get_app_conf(application_id, 'users.administrator.email', True) }} # Default login password for server mode -PGADMIN_DEFAULT_PASSWORD={{ applications[application_id].credentials.administrator_password }} +PGADMIN_DEFAULT_PASSWORD={{ applications | get_app_conf(application_id, 'credentials.administrator_password', True) }} -{% if applications[application_id].server_mode | bool %} +{% if applications | get_app_conf(application_id, 'server_mode', True) | bool %} # Load server connection settings from this JSON file PGADMIN_SERVER_JSON_FILE={{ pgadmin_docker_server_file }} @@ -17,5 +17,5 @@ PGADMIN_SERVER_JSON_FILE={{ pgadmin_docker_server_file }} PGADMIN_CONFIG_SERVER_MODE=False # Disable master password prompt for stored credentials -PGADMIN_CONFIG_MASTER_PASSWORD_REQUIRED={{ applications[application_id].master_password_required | capitalize }} +PGADMIN_CONFIG_MASTER_PASSWORD_REQUIRED={{ applications | get_app_conf(application_id, 'master_password_required', True) | capitalize }} {% endif %} \ No newline at end of file diff --git a/roles/web-app-phpldapadmin/templates/docker-compose.yml.j2 b/roles/web-app-phpldapadmin/templates/docker-compose.yml.j2 index 35757bf0..5378d6ee 100644 --- a/roles/web-app-phpldapadmin/templates/docker-compose.yml.j2 +++ b/roles/web-app-phpldapadmin/templates/docker-compose.yml.j2 @@ -2,7 +2,7 @@ application: container_name: {{ application_id }} - image: leenooks/phpldapadmin:{{applications[application_id].version}} + image: leenooks/phpldapadmin:{{applications | get_app_conf(application_id, 'version', True)}} ports: - 127.0.0.1:{{ports.localhost.http[application_id]}}:8080 {% include 'roles/docker-container/templates/base.yml.j2' %} 
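Review bot: In pgadmin/templates/env.j2 the branch guarded by `server_mode | bool` appears to set `PGADMIN_CONFIG_SERVER_MODE=False` and lets `master_password_required` switch off the master password. One line between the two hunks is not shown, so the branch structure should be confirmed. With pgAdmin's SERVER_MODE off there is no login page, and the compose template mounts a server file and a password file in the same case, so anyone who can reach the container port would get the preconfigured database connections. I would add a comment above the block stating the exposure it assumes, e.g. `# SERVER_MODE=False disables pgAdmin login; only safe behind an authenticating proxy`, and check that the inventory default for `master_password_required` is true. The variable name `server_mode` meaning the opposite of pgAdmin's own SERVER_MODE also deserves a line of explanation.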
diff --git a/roles/web-app-phpmyadmin/templates/env.j2 b/roles/web-app-phpmyadmin/templates/env.j2 index 35766e11..5c73114f 100644 --- a/roles/web-app-phpmyadmin/templates/env.j2 +++ b/roles/web-app-phpmyadmin/templates/env.j2 @@ -1,7 +1,7 @@ # Configuration @see https://hub.docker.com/_/phpmyadmin PMA_HOST={{applications['svc-db-mariadb'].hostname}} -{% if applications[application_id].autologin | bool %} +{% if applications | get_app_conf(application_id, 'autologin', True) | bool %} PMA_USER= root PMA_PASSWORD= "{{applications['svc-db-mariadb'].credentials.root_password}}" {% endif %} \ No newline at end of file diff --git a/roles/web-app-pixelfed/templates/docker-compose.yml.j2 b/roles/web-app-pixelfed/templates/docker-compose.yml.j2 index 9b242e45..8ae0b32e 100644 --- a/roles/web-app-pixelfed/templates/docker-compose.yml.j2 +++ b/roles/web-app-pixelfed/templates/docker-compose.yml.j2 @@ -1,7 +1,7 @@ {% include 'roles/docker-compose/templates/base.yml.j2' %} application: - image: "{{ applications[application_id].images.pixelfed }}" + image: "{{ applications | get_app_conf(application_id, 'images.pixelfed', True) }}" {% include 'roles/docker-container/templates/base.yml.j2' %} volumes: - "data:/var/www/storage" @@ -11,7 +11,7 @@ {% include 'roles/docker-container/templates/depends_on/dmbs_excl.yml.j2' %} {% include 'roles/docker-container/templates/networks.yml.j2' %} worker: - image: "{{ applications[application_id].images.pixelfed }}" + image: "{{ applications | get_app_conf(application_id, 'images.pixelfed', True) }}" {% include 'roles/docker-container/templates/base.yml.j2' %} volumes: - "data:/var/www/storage" diff --git a/roles/web-app-pixelfed/templates/env.j2 b/roles/web-app-pixelfed/templates/env.j2 index 4a832d03..b7c6c982 100644 --- a/roles/web-app-pixelfed/templates/env.j2 +++ b/roles/web-app-pixelfed/templates/env.j2 
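Review bot: When `autologin` is enabled this template sets `PMA_USER= root` together with the MariaDB root password, so every request that reaches the phpMyAdmin UI becomes a root database session with no login step. Nothing in this hunk shows the access restriction that relies on. I would put a comment above the `{% if %}` stating the requirement, e.g. `# autologin hands out MariaDB root; enable only behind SSO or a localhost-only binding`, and consider a dedicated, less privileged account for it. The two `applications['svc-db-mariadb']` lookups in the same hunk were not converted to `get_app_conf`, so they keep the direct-access behaviour this commit is moving away from.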
@@ -1,5 +1,5 @@ ## Crypto -APP_KEY={{applications[application_id].credentials.app_key}} +APP_KEY={{applications | get_app_conf(application_id, 'credentials.app_key', True)}} ## General Settings APP_NAME="{{applications.pixelfed.titel}}" diff --git a/roles/web-app-port-ui/lookup_plugins/docker_cards.py b/roles/web-app-port-ui/lookup_plugins/docker_cards.py index bfd2424a..673d99f0 100644 --- a/roles/web-app-port-ui/lookup_plugins/docker_cards.py +++ b/roles/web-app-port-ui/lookup_plugins/docker_cards.py @@ -22,7 +22,7 @@ class LookupModule(LookupBase): - Retrieves the icon class from galaxy_info.logo.class - Retrieves the tags from galaxy_info.galaxy_tags - Builds the URL using the 'domains' variable - - Sets the iframe flag from applications[application_id].features.port-ui-desktop + - Sets the iframe flag from applications | get_app_conf(application_id, 'features.port-ui-desktop', True) Only cards whose application_id is included in the variable group_names are returned. """ diff --git a/roles/web-app-pretix/templates/docker-compose.yml.j2 b/roles/web-app-pretix/templates/docker-compose.yml.j2 index 25f0c306..83b62280 100644 --- a/roles/web-app-pretix/templates/docker-compose.yml.j2 +++ b/roles/web-app-pretix/templates/docker-compose.yml.j2 @@ -4,7 +4,7 @@ services: {% include 'roles/docker-compose/templates/base.yml.j2' %} application: - image: "{{ applications[application_id].images[application_id] }}" + image: "{{ applications | get_app_conf(application_id, 'images.' ~ application_id, True) }}" volumes: [] ports: - "127.0.0.1:{{ ports.localhost.http[application_id] }}:{{ container_port }}" diff --git a/roles/web-app-snipe-it/tasks/ldap.yml b/roles/web-app-snipe-it/tasks/ldap.yml index 9973f14e..4251be5b 100644 --- a/roles/web-app-snipe-it/tasks/ldap.yml +++ b/roles/web-app-snipe-it/tasks/ldap.yml 
@@ -17,7 +17,7 @@ docker-compose exec -T \ -u www-data \ -e XDG_CONFIG_HOME=/tmp \ - -e APP_KEY='{{ applications[application_id].credentials.app_key }}' \ + -e APP_KEY='{{ applications | get_app_conf(application_id, 'credentials.app_key', True) }}' \ application \ sh -c 'echo "SHELL sees APP_KEY=$APP_KEY"' args: @@ -27,7 +27,7 @@ shell: | docker-compose exec -T -u www-data \ -e XDG_CONFIG_HOME=/tmp \ - -e APP_KEY="{{ applications[application_id].credentials.app_key }}" \ + -e APP_KEY="{{ applications | get_app_conf(application_id, 'credentials.app_key', True) }}" \ application \ php artisan tinker --execute="echo 'CONFIG app.key: ' . config('app.key') . PHP_EOL;" args: @@ -36,7 +36,7 @@ - name: "Set all LDAP settings via Laravel Setting model (inside container as www-data)" shell: | docker-compose exec -T \ - -e APP_KEY='{{ applications[application_id].credentials.app_key }}' \ + -e APP_KEY='{{ applications | get_app_conf(application_id, 'credentials.app_key', True) }}' \ -e XDG_CONFIG_HOME=/tmp \ -u www-data application \ sh -c 'php artisan tinker << "EOF" @@ -75,7 +75,7 @@ shell: | docker-compose exec -T \ -u www-data \ - -e APP_KEY="{{ applications[application_id].credentials.app_key }}" \ + -e APP_KEY="{{ applications | get_app_conf(application_id, 'credentials.app_key', True) }}" \ -e XDG_CONFIG_HOME=/tmp \ application \ php artisan tinker --execute=" diff --git a/roles/web-app-snipe-it/templates/docker-compose.yml.j2 b/roles/web-app-snipe-it/templates/docker-compose.yml.j2 index eda05762..417983b0 100644 --- a/roles/web-app-snipe-it/templates/docker-compose.yml.j2 +++ b/roles/web-app-snipe-it/templates/docker-compose.yml.j2 @@ -2,7 +2,7 @@ application: {% set container_port = 80 %} - image: grokability/snipe-it:{{applications[application_id].version}} + image: grokability/snipe-it:{{applications | get_app_conf(application_id, 'version', True)}} {% include 'roles/docker-container/templates/base.yml.j2' %} volumes: - data:/var/lib/snipeit 
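Review bot: All four `-e APP_KEY=...` lines in `roles/web-app-snipe-it/tasks/ldap.yml` render the application key into the shell command line, and the first task then prints it with `echo "SHELL sees APP_KEY=$APP_KEY"`, so the secret can end up in the task output and in the host's process list. The tasks continue past these hunks, so whether `no_log: true` is already set is not visible; if it is not, it should be added to each task and the debug echo dropped or masked. The hand-written quotes also differ between hunks (single in the first and third, double in the second and fourth), and inside double quotes the shell still expands `$` and backticks in the value; `-e APP_KEY={{ applications | get_app_conf(application_id, 'credentials.app_key', True) | quote }} \` makes the quoting uniform. The `--admin_password="{{ ... }}"` argument in `roles/web-app-wordpress/tasks/install.yml` has the same exposure and quoting problem.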
diff --git a/roles/web-app-snipe-it/templates/env.j2 b/roles/web-app-snipe-it/templates/env.j2 index faedb6e1..1f555142 100644 --- a/roles/web-app-snipe-it/templates/env.j2 +++ b/roles/web-app-snipe-it/templates/env.j2 @@ -3,7 +3,7 @@ # -------------------------------------------- APP_ENV={{ CYMAIS_ENVIRONMENT | lower }} APP_DEBUG={{enable_debug | string | lower }} -APP_KEY={{ applications[application_id].credentials.app_key}} +APP_KEY={{ applications | get_app_conf(application_id, 'credentials.app_key', True)}} APP_URL={{ snipe_it_url }} # https://en.wikipedia.org/wiki/List_of_tz_database_time_zones - TZ identifier APP_TIMEZONE='{{ HOST_TIMEZONE }}' diff --git a/roles/web-app-snipe-it/vars/main.yml b/roles/web-app-snipe-it/vars/main.yml index cd58a298..685eaae1 100644 --- a/roles/web-app-snipe-it/vars/main.yml +++ b/roles/web-app-snipe-it/vars/main.yml @@ -1,4 +1,4 @@ application_id: "snipe-it" -database_password: "{{ applications[application_id].credentials.database_password }}" +database_password: "{{ applications | get_app_conf(application_id, 'credentials.database_password', True) }}" database_type: "mariadb" snipe_it_url: "{{ domains | get_url(application_id, web_protocol) }}" \ No newline at end of file diff --git a/roles/web-app-syncope/templates/docker-compose.yml.j2 b/roles/web-app-syncope/templates/docker-compose.yml.j2 index 03a4afea..3249ac64 100644 --- a/roles/web-app-syncope/templates/docker-compose.yml.j2 +++ b/roles/web-app-syncope/templates/docker-compose.yml.j2 @@ -2,7 +2,7 @@ application: depends_on: - db - image: apache/syncope:{{ applications[application_id].version }} + image: apache/syncope:{{ applications | get_app_conf(application_id, 'version', True) }} ports: - "18080:8080" restart: always 
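Review bot: The `ports:` entry `"18080:8080"` under the `application` service in `roles/web-app-syncope/templates/docker-compose.yml.j2` publishes the Syncope container on every host interface, unlike the pretix and web-app templates in this patch, which bind `127.0.0.1:`. The `console` and `enduser` hunks of the same file do the same with `"28080:8080"` and `"38080:8080"`. If these services are meant to be reached through the host's reverse proxy, which this diff does not show, the mappings should be `- "127.0.0.1:18080:8080"` and likewise for the other two. The service definitions continue outside the hunks.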
@@ -16,7 +16,7 @@ console: depends_on: - syncope - image: apache/syncope-console:{{ applications[application_id].version }} + image: apache/syncope-console:{{ applications | get_app_conf(application_id, 'version', True) }} ports: - "28080:8080" restart: always @@ -27,7 +27,7 @@ enduser: depends_on: - syncope - image: apache/syncope-enduser:{{ applications[application_id].version }} + image: apache/syncope-enduser:{{ applications | get_app_conf(application_id, 'version', True) }} ports: - "38080:8080" restart: always diff --git a/roles/web-app-taiga/tasks/main.yml b/roles/web-app-taiga/tasks/main.yml index 3a702239..ef509746 100644 --- a/roles/web-app-taiga/tasks/main.yml +++ b/roles/web-app-taiga/tasks/main.yml @@ -7,7 +7,7 @@ template: src: "taiga/{{item}}.py.j2" dest: "{{ docker_compose.directories.config }}taiga-{{item}}.py" - when: applications[application_id].features.oidc and applications[application_id].oidc.flavor == 'taigaio' + when: applications | get_app_conf(application_id, 'features.oidc', True) and applications | get_app_conf(application_id, 'oidc.flavor', True) == 'taigaio' notify: docker compose up loop: "{{ settings_files }}" diff --git a/roles/web-app-taiga/templates/docker-compose.yml.j2 b/roles/web-app-taiga/templates/docker-compose.yml.j2 index 0d47101c..117f1ada 100644 --- a/roles/web-app-taiga/templates/docker-compose.yml.j2 +++ b/roles/web-app-taiga/templates/docker-compose.yml.j2 @@ -9,7 +9,7 @@ - media-data:/taiga-back/media # - ./config.py:/taiga-back/settings/config.py -{% if applications | is_feature_enabled('oidc',application_id) and applications[application_id].oidc.flavor == 'taigaio' %} +{% if applications | is_feature_enabled('oidc',application_id) and applications | get_app_conf(application_id, 'oidc.flavor', True) == 'taigaio' %} - {{ docker_compose.directories.config }}taiga-local.py:/taiga-back/settings/local.py:ro 
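Review bot: The new `when:` in `roles/web-app-taiga/tasks/main.yml` tests the OIDC switch with `get_app_conf(application_id, 'features.oidc', True)`, while the Taiga templates in this same patch test it with `applications | is_feature_enabled('oidc',application_id)`. Two different checks for one flag can disagree, for example when the `features.oidc` key is absent, and then the generated settings files and the compose mounts that reference them go out of step; how each filter treats a missing key is not visible here. I would use one form everywhere: `when: applications | is_feature_enabled('oidc', application_id) and applications | get_app_conf(application_id, 'oidc.flavor', True) == 'taigaio'`. The `taiga_image_backend` and `taiga_image_frontend` expressions in `roles/web-app-taiga/vars/main.yml` have the same mix.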
@@ -22,7 +22,7 @@ condition: service_started taiga-async-rabbitmq: condition: service_started -{% if applications | is_feature_enabled('oidc',application_id) and applications[application_id].oidc.flavor == 'taigaio' %} +{% if applications | is_feature_enabled('oidc',application_id) and applications | get_app_conf(application_id, 'oidc.flavor', True) == 'taigaio' %} command: > /bin/sh -c " @@ -42,7 +42,7 @@ - media-data:/taiga-back/media # - ./config.py:/taiga-back/settings/config.py -{% if applications | is_feature_enabled('oidc',application_id) and applications[application_id].oidc.flavor == 'taigaio' %} +{% if applications | is_feature_enabled('oidc',application_id) and applications | get_app_conf(application_id, 'oidc.flavor', True) == 'taigaio' %} {% for item in settings_files %} - {{ docker_compose.directories.config }}taiga-{{ item }}.py:/taiga-back/settings/{{ item }}.py:ro @@ -57,7 +57,7 @@ condition: service_started taiga-async-rabbitmq: condition: service_started -{% if applications | is_feature_enabled('oidc',application_id) and applications[application_id].oidc.flavor == 'taigaio' %} +{% if applications | is_feature_enabled('oidc',application_id) and applications | get_app_conf(application_id, 'oidc.flavor', True) == 'taigaio' %} command: > /bin/sh -c " diff --git a/roles/web-app-taiga/templates/env.j2 b/roles/web-app-taiga/templates/env.j2 index 4f7eafa3..ae55fbc3 100644 --- a/roles/web-app-taiga/templates/env.j2 +++ b/roles/web-app-taiga/templates/env.j2 
@@ -6,8 +6,8 @@ TAIGA_SUBPATH = "" # it'll be appended to the TAIGA_DOMAIN (use either WEBSOCKETS_SCHEME = wss # events connection protocol (use either "ws" or "wss") # Taiga's Secret Key - Variable to provide cryptographic signing -TAIGA_SECRET_KEY = "{{applications[application_id].credentials.secret_key}}" -SECRET_KEY = "{{applications[application_id].credentials.secret_key}}" +TAIGA_SECRET_KEY = "{{applications | get_app_conf(application_id, 'credentials.secret_key', True)}}" +SECRET_KEY = "{{applications | get_app_conf(application_id, 'credentials.secret_key', True)}}" # Taiga's Database settings - Variables to create the Taiga database and connect to it POSTGRES_USER = "{{database_username}}" # user to connect to PostgreSQL @@ -49,7 +49,7 @@ ENABLE_TELEMETRY = True {% if applications | is_feature_enabled('oidc',application_id) %} -{% if applications[application_id].oidc.flavor == 'taigaio' %} +{% if applications | get_app_conf(application_id, 'oidc.flavor', True) == 'taigaio' %} # OIDC via taigaio official contrib # @See https://github.com/taigaio/taiga-contrib-oidc-auth @@ -65,7 +65,7 @@ OIDC_OP_JWKS_ENDPOINT="{{ oidc.client.certs }}" {% endif %} -{% if applications[application_id].oidc.flavor == 'robrotheram' %} +{% if applications | get_app_conf(application_id, 'oidc.flavor', True) == 'robrotheram' %} # OIDC via robrotheram # @see https://github.com/robrotheram/taiga-contrib-openid-auth diff --git a/roles/web-app-taiga/vars/main.yml b/roles/web-app-taiga/vars/main.yml index d0fed633..118efae9 100644 --- a/roles/web-app-taiga/vars/main.yml +++ b/roles/web-app-taiga/vars/main.yml 
@@ -4,10 +4,10 @@ docker_repository_address: "https://github.com/taigaio/taiga-docker" email_backend: "smtp" ## use an SMTP server or display the emails in the console (either "smtp" or "console") docker_compose_init: "{{docker_compose.directories.instance}}docker-compose-inits.yml.j2" taiga_image_backend: >- - {{ 'robrotheram/taiga-back-openid' if applications[application_id].features.oidc and applications[application_id].oidc.flavor == 'robrotheram' + {{ 'robrotheram/taiga-back-openid' if applications | get_app_conf(application_id, 'features.oidc', True) and applications | get_app_conf(application_id, 'oidc.flavor', True) == 'robrotheram' else 'taigaio/taiga-back' }} taiga_image_frontend: >- - {{ 'robrotheram/taiga-front-openid' if applications[application_id].features.oidc and applications[application_id].oidc.flavor == 'robrotheram' + {{ 'robrotheram/taiga-front-openid' if applications | get_app_conf(application_id, 'features.oidc', True) and applications | get_app_conf(application_id, 'oidc.flavor', True) == 'robrotheram' else 'taigaio/taiga-front' }} taiga_frontend_conf_path: "{{docker_compose.directories.config}}conf.json" docker_repository: true diff --git a/roles/web-app-wordpress/tasks/install.yml b/roles/web-app-wordpress/tasks/install.yml index 3b937ffa..d0a9e0f2 100644 --- a/roles/web-app-wordpress/tasks/install.yml +++ b/roles/web-app-wordpress/tasks/install.yml 
@@ -3,10 +3,10 @@ docker-compose exec -T -u www-data application wp core install --url="{{ domains | get_url(application_id, web_protocol) }}" - --title="{{ applications[application_id].title }}" - --admin_user="{{ applications[application_id].users.administrator.username }}" - --admin_password="{{ applications[application_id].credentials.administrator_password }}" - --admin_email="{{ applications[application_id].users.administrator.email }}" + --title="{{ applications | get_app_conf(application_id, 'title', True) }}" + --admin_user="{{ applications | get_app_conf(application_id, 'users.administrator.username', True) }}" + --admin_password="{{ applications | get_app_conf(application_id, 'credentials.administrator_password', True) }}" + --admin_email="{{ applications | get_app_conf(application_id, 'users.administrator.email', True) }}" --path="{{ wordpress_docker_html_path }}" args: chdir: "{{ docker_compose.directories.instance }}" diff --git a/roles/web-app-wordpress/tasks/main.yml b/roles/web-app-wordpress/tasks/main.yml index 6eb635ea..f10ab962 100644 --- a/roles/web-app-wordpress/tasks/main.yml +++ b/roles/web-app-wordpress/tasks/main.yml @@ -6,7 +6,7 @@ - name: "Include role srv-proxy-6-6-domain for {{ application_id }}" include_role: name: srv-proxy-6-6-domain - loop: "{{ applications[application_id].domains.canonical }}" + loop: "{{ applications | get_app_conf(application_id, 'domain', True)s.canonical }}" loop_control: loop_var: domain vars: @@ -33,7 +33,7 @@ block: - name: "Iterate through WordPress plugins" include_tasks: plugin.yml - loop: "{{ applications[application_id].plugins | dict2items }}" + loop: "{{ applications | get_app_conf(application_id, 'plugins', True) | dict2items }}" loop_control: label: "{{ item.key }}" vars: diff --git a/roles/web-app-wordpress/templates/Dockerfile.j2 b/roles/web-app-wordpress/templates/Dockerfile.j2 index 196a07ca..3a20f634 100644 --- a/roles/web-app-wordpress/templates/Dockerfile.j2 
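Review bot: The rewritten `loop:` in the first hunk of `roles/web-app-wordpress/tasks/main.yml` is not a valid Jinja expression: the replacement cut the path in the middle of `domains`, leaving `get_app_conf(application_id, 'domain', True)s.canonical`. The task should fail at templating, so the `srv-proxy-6-6-domain` role is not included for the WordPress domains. The original read `applications[application_id].domains.canonical`, so the line should be `loop: "{{ applications | get_app_conf(application_id, 'domains.canonical', True) }}"`. The rest of the patch is worth grepping for the same truncation, since the replacement was applied mechanically.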
+++ b/roles/web-app-wordpress/templates/Dockerfile.j2 @@ -1,4 +1,4 @@ -FROM wordpress:{{applications[application_id].version}} +FROM wordpress:{{applications | get_app_conf(application_id, 'version', True)}} # Install msmtp and update system RUN apt-get update && \ diff --git a/roles/web-app-yourls/templates/env.j2 b/roles/web-app-yourls/templates/env.j2 index 51711fa8..cc765b2b 100644 --- a/roles/web-app-yourls/templates/env.j2 +++ b/roles/web-app-yourls/templates/env.j2 @@ -4,6 +4,6 @@ YOURLS_DB_PASS: "{{database_password}}" YOURLS_DB_NAME: "{{database_name}}" YOURLS_SITE: "{{ domains | get_url(application_id, web_protocol) }}" YOURLS_USER: "{{applications.yourls.users.administrator.username}}" -YOURLS_PASS: "{{applications[application_id].credentials.administrator_password}}" +YOURLS_PASS: "{{applications | get_app_conf(application_id, 'credentials.administrator_password', True)}}" # The following deactivates the login mask for admins, if the oauth2 proxy is activated YOURLS_PRIVATE: "{{not (applications | is_feature_enabled('oauth2', application_id))}}" \ No newline at end of file diff --git a/roles/web-svc-asset/vars/main.yml b/roles/web-svc-asset/vars/main.yml index 25904c74..2d7b578d 100644 --- a/roles/web-svc-asset/vars/main.yml +++ b/roles/web-svc-asset/vars/main.yml @@ -1,3 +1,3 @@ application_id: "web-svc-asset" # Application identifier -source_directory: "{{ applications[application_id].source_directory }}/" # Source directory from which the files are coming from +source_directory: "{{ applications | get_app_conf(application_id, 'source_directory', True) }}/" # Source directory from which the files are coming from target_directory: "{{ nginx.directories.data.files }}assets" # Directory to which the files will be copied diff --git a/tasks/utils/debug/docker-compose.yml b/tasks/utils/debug/docker-compose.yml index f73d30bd..07774f2f 100644 --- a/tasks/utils/debug/docker-compose.yml +++ b/tasks/utils/debug/docker-compose.yml 
@@ -17,7 +17,7 @@ missing_keys: "{{ missing_keys + ['applications.{}.docker.services.redis.enabled'.format(application_id)] }}" when: applications[application_id].docker.services.redis is not defined - - name: Check if applications[application_id].images[application_id] exists + - name: Check if applications | get_app_conf(application_id, 'images.' ~ application_id, True) exists set_fact: missing_keys: "{{ missing_keys + ['applications.{}.images.{}'.format(application_id, application_id)] }}" when: applications[application_id].images is not defined or applications[application_id].images.get(application_id) is not defined diff --git a/templates/roles/web-app/templates/docker-compose.yml.j2.j2 b/templates/roles/web-app/templates/docker-compose.yml.j2.j2 index 0e9b1e23..f4e955cf 100644 --- a/templates/roles/web-app/templates/docker-compose.yml.j2.j2 +++ b/templates/roles/web-app/templates/docker-compose.yml.j2.j2 @@ -4,7 +4,7 @@ services: {% include 'roles/docker-compose/templates/base.yml.j2' %} application: - image: "{{ applications[application_id].images[application_id] }}" + image: "{{ applications | get_app_conf(application_id, 'images.' ~ application_id, True) }}" volumes: [] ports: - "127.0.0.1:{{ ports.localhost.http[application_id] }}:{{ container_port }}"