diff --git a/roles/sys-service/tasks/05_service.yml b/roles/sys-service/tasks/05_service.yml
index 9e5cd549..24814e7f 100644
--- a/roles/sys-service/tasks/05_service.yml
+++ b/roles/sys-service/tasks/05_service.yml
@@ -32,6 +32,9 @@
   template:
     src:  "{{ system_service_template_src }}"
     dest: "{{ [ PATH_SYSTEM_SERVICE_DIR, system_service_id | get_service_name(SOFTWARE_NAME) ] | path_join }}"
+    owner: root
+    group: root
+    mode: '0644'
   notify: "{{ 'reload system daemon' if system_service_uses_at else 'refresh systemctl service' }}"
 
 - name: refresh systemctl service when SYS_SERVICE_ALL_ENABLE
diff --git a/roles/web-svc-collabora/config/main.yml b/roles/web-svc-collabora/config/main.yml
index 84f8f2a0..08451964 100644
--- a/roles/web-svc-collabora/config/main.yml
+++ b/roles/web-svc-collabora/config/main.yml
@@ -6,6 +6,9 @@ server:
     whitelist:
       frame-ancestors:
         - "{{ WEB_PROTOCOL }}://*.{{ PRIMARY_DOMAIN }}"
+    flags:
+      style-src:
+        unsafe-inline:  true
 docker:
   services:
     redis:
diff --git a/roles/web-svc-collabora/tasks/01_core.yml b/roles/web-svc-collabora/tasks/01_core.yml
index 99e998fe..cdd35672 100644
--- a/roles/web-svc-collabora/tasks/01_core.yml
+++ b/roles/web-svc-collabora/tasks/01_core.yml
@@ -1,7 +1,14 @@
-- name: "generate {{ domains | get_domain(application_id) }}.conf"
+- name: "load docker, proxy for '{{ application_id }}'"
+  include_role:
+    name: cmp-docker-proxy
+    public: true
+  vars:
+    docker_compose_flush_handlers: true
+    
+- name: "generate {{ domain }}.conf"
   template:
     src: "nginx.conf.j2"
-    dest: "{{ NGINX.DIRECTORIES.HTTP.SERVERS }}{{ domains | get_domain(application_id) }}.conf"
+    dest: "{{ NGINX.DIRECTORIES.HTTP.SERVERS }}{{ domain }}.conf"
   notify: restart openresty
 
 - name: Update Collabora systemplate to include new fonts
diff --git a/roles/web-svc-collabora/tasks/main.yml b/roles/web-svc-collabora/tasks/main.yml
index 9c768869..25a9b9bf 100644
--- a/roles/web-svc-collabora/tasks/main.yml
+++ b/roles/web-svc-collabora/tasks/main.yml
@@ -1,9 +1,4 @@
 - block:
-  - name: "load docker, proxy for '{{ application_id }}'"
-    include_role:
-      name: cmp-docker-proxy
-    vars:
-      docker_compose_flush_handlers: true
   - name: "Load core functions for '{{ application_id }}'"
     include_tasks: 01_core.yml
   - include_tasks: utils/run_once.yml
diff --git a/roles/web-svc-collabora/vars/main.yml b/roles/web-svc-collabora/vars/main.yml
index a3f541d4..a7f62888 100644
--- a/roles/web-svc-collabora/vars/main.yml
+++ b/roles/web-svc-collabora/vars/main.yml
@@ -1,9 +1,14 @@
 ---
 # General 
-application_id:         web-svc-collabora
+application_id:             web-svc-collabora
+
+# @todo in a later step it makes sense to refactor the use of them, but they are used atm in the role
+domain:                     "{{ domains | get_domain(application_id) }}"
+http_port:                  "{{ ports.localhost.http[application_id] }}"
+
 # Container
-container_port:         9980
-container_healthcheck:  "/hosting/discovery"
+container_port:             9980
+container_healthcheck:      "/hosting/discovery"
 
 # Collabora
 COLLABORA_CONTAINER:        "{{ applications | get_app_conf(application_id, 'docker.services.collabora.name') }}"