diff --git a/group_vars/all/02_email.yml b/group_vars/all/02_email.yml index 3c092303..3a533473 100644 --- a/group_vars/all/02_email.yml +++ b/group_vars/all/02_email.yml @@ -5,4 +5,4 @@ DEFAULT_SYSTEM_EMAIL: PORT: 465 TLS: true # true for TLS and false for SSL START_TLS: false - SMTP: true \ No newline at end of file + SMTP: true diff --git a/roles/docker-compose/handlers/main.yml b/roles/docker-compose/handlers/main.yml index ab99babb..9752577d 100644 --- a/roles/docker-compose/handlers/main.yml +++ b/roles/docker-compose/handlers/main.yml @@ -10,6 +10,7 @@ - docker compose up - docker compose restart - docker compose just up + when: MODE_ASSERT | bool - name: docker compose pull shell: | diff --git a/roles/sys-svc-docker/tasks/03_cleanup.yml b/roles/sys-svc-docker/tasks/03_cleanup.yml index 7d7cf640..78c7b1de 100644 --- a/roles/sys-svc-docker/tasks/03_cleanup.yml +++ b/roles/sys-svc-docker/tasks/03_cleanup.yml @@ -4,4 +4,4 @@ - name: Prune Docker resources become: true - ansible.builtin.command: docker system prune -f \ No newline at end of file + ansible.builtin.command: docker system prune -f diff --git a/roles/web-app-mailu/tasks/01_core.yml b/roles/web-app-mailu/tasks/01_core.yml index 11aa7f0e..a3dc82e5 100644 --- a/roles/web-app-mailu/tasks/01_core.yml +++ b/roles/web-app-mailu/tasks/01_core.yml @@ -8,6 +8,21 @@ success_msg: "MAILU_HOSTNAMES is valid." when: MODE_ASSERT | bool +- name: "load variables from {{ DOCKER_VARS_FILE }}" + include_vars: "{{ DOCKER_VARS_FILE }}" + +- name: Ensure Rspamd overrides directory exists (host) + file: + path: "{{ MAILU_RSPAMD_HOST_DIR }}" + state: directory + mode: "0755" + +- name: Render ratelimit.conf + template: + src: ratelimit.conf.j2 + dest: "{{ MAILU_RSPAMD_HOST_FILE }}" + mode: "0644" + - name: "Mailu Docker and Webserver Setup" block: - name: "load docker, db and proxy for {{ application_id }}" 
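Review bot: The added `when: MODE_ASSERT | bool` gates the whole handler whose `listen:` names are `docker compose up`, `docker compose restart` and `docker compose just up`, yet the handler's own name and action start above the hunk, so it is not visible whether this is a validation step or the handler that actually (re)starts the stack. If it is the latter, every `notify: docker compose restart` in the roles becomes a no-op whenever `MODE_ASSERT` is false, which is the opposite of how the flag is used elsewhere in this diff (it guards `assert` tasks in `web-app-mailu/tasks/01_core.yml`). If only a check is meant to be skipped, move the condition onto that check and leave the restart unconditional; if restarts really are meant to be skipped outside assert mode, say so above the condition, e.g. `# Skipped outside MODE_ASSERT on purpose: <reason>`.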
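Review bot: The `Render ratelimit.conf` task has no `notify`, so a changed rate limit is written to the host but nothing in this hunk restarts the container that mounts `/overrides`; rspamd presumably reads the file only at start-up, so new limits would not take effect until some unrelated change restarts the stack. Add `notify: docker compose restart` to the template task (the handlers file in this diff lists `docker compose restart` under `listen:`). A one-line comment above the directory task, `# Host side of the read-only /overrides bind mount in docker-compose.yml.j2`, would also tell a reader why the role creates this path. The `Mailu Docker and Webserver Setup` block that begins at the end of the hunk continues outside it.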
diff --git a/roles/web-app-mailu/templates/docker-compose.yml.j2 b/roles/web-app-mailu/templates/docker-compose.yml.j2 index 2aa96943..5f06d976 100644 --- a/roles/web-app-mailu/templates/docker-compose.yml.j2 +++ b/roles/web-app-mailu/templates/docker-compose.yml.j2 @@ -97,7 +97,7 @@ volumes: - "filter:/var/lib/rspamd" - "dkim:/dkim" - - "{{ docker_compose.directories.volumes }}overrides/rspamd:/overrides:ro" + - "{{ MAILU_RSPAMD_HOST_DIR }}:/overrides:ro" depends_on: - front - redis diff --git a/roles/web-app-mailu/templates/ratelimit.conf.j2 b/roles/web-app-mailu/templates/ratelimit.conf.j2 new file mode 100644 index 00000000..79178d5b --- /dev/null +++ b/roles/web-app-mailu/templates/ratelimit.conf.j2 @@ -0,0 +1,24 @@ +# AUTOGENERATED by Ansible – Rspamd ratelimits +# Mount path in container: /overrides/ratelimit.conf (read-only) + +rates { + {# Optional global defaults for authenticated SMTP senders #} + authenticated = { + bucket = [{ + burst = {{ MAILU_RSPAMD_LIMITS_DEFAULTS.BURST | int }}; + rate = "{{ MAILU_RSPAMD_LIMITS_DEFAULTS.RATE }}"; + }]; + } + + {# Per-user limits: require both .limits.rate and .limits.burst #} + {% for uname, u in users.items() %} + {% if (u.limits.rate | default(false) and u.limits.burst | default(false)) %} + "user={{ u.email }}" = { + bucket = [{ + burst = {{ u.limits.burst | int }}; + rate = "{{ u.limits.rate }}"; + }]; + }; + {% endif %} + {% endfor %} +} diff --git a/roles/web-app-mailu/vars/main.yml b/roles/web-app-mailu/vars/main.yml index b1dd0f7e..93e3cdd8 100644 --- a/roles/web-app-mailu/vars/main.yml +++ b/roles/web-app-mailu/vars/main.yml 
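Review bot: `rate = "{{ u.limits.rate }}";` and the `RATE` default are copied into the rspamd config verbatim, so a typo such as `60/1 min` or a stray `"` in an inventory value breaks the parse of the whole `ratelimit.conf` and the failure surfaces inside the container rather than in the play; a guard of the same shape as the `MAILU_HOSTNAMES` assert in `01_core.yml`, run `when: MODE_ASSERT | bool`, that matches every `limits.rate` against something like `^\d+\s*/\s*\d+\s*(s|m|min|h|d)$` (adjust to the units rspamd accepts) and checks `limits.burst is number` would catch it on the control node. Note that Jinja's `| int` returns `0` for a non-numeric `burst` instead of failing, so a bad value silently becomes `burst = 0;`. Two points to confirm rather than defects: the `"user={{ u.email }}"` key form should be checked against the ratelimit syntax the Mailu rspamd build expects, and if Mailu copies `/overrides/*` into rspamd's `override.d`, this `rates { … }` block replaces Mailu's own generated limits rather than extending them. The loop also dereferences `u.email` for every user with limits, and the Nextcloud users file in this diff sets only `username`, so the render relies on the merged `users` map adding `email` upstream.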
@@ -58,3 +58,10 @@ MAILU_DMARC_RUF: "{{ applications | get_app_conf(applicatio MAILU_DKIM_KEY_FILE: "{{ MAILU_DOMAIN }}.dkim.key" MAILU_DKIM_KEY_PATH: "/dkim/{{ MAILU_DKIM_KEY_FILE }}" + +## Rspamd +MAILU_RSPAMD_HOST_DIR: "{{ [ docker_compose.directories.volumes, 'overrides/rspamd' ] | path_join }}" +MAILU_RSPAMD_HOST_FILE: "{{ [ MAILU_RSPAMD_HOST_DIR,'ratelimit.conf' ] | path_join }}" +MAILU_RSPAMD_LIMITS_DEFAULTS: + RATE: "30 / 1min" + BURST: 50 diff --git a/roles/web-app-matrix/templates/element.config.json.j2 b/roles/web-app-matrix/templates/element.config.json.j2 index ce928dd9..fc8701ee 100644 --- a/roles/web-app-matrix/templates/element.config.json.j2 +++ b/roles/web-app-matrix/templates/element.config.json.j2 @@ -5,9 +5,10 @@ "server_name": "{{ MATRIX_SYNAPSE_DOMAIN }}" }, "m.identity_server": { - "base_url": "{{ WEB_PROTOCOL }}://{{ PRIMARY_DOMAIN }}" + "base_url": "{{ MATRIX_BASE_URL }}" } }, + "logout_redirect_url": "{{ OIDC.CLIENT.LOGOUT_URL if MATRIX_OIDC_ENABLED else MATRIX_BASE_URL }}", "brand": "Element", "integrations_ui_url": "https://scalar.vector.im/", "integrations_rest_url": "https://scalar.vector.im/api", diff --git a/roles/web-app-matrix/templates/nginx.conf.j2 b/roles/web-app-matrix/templates/nginx.conf.j2 index a3bd5bb0..98522a4e 100644 --- a/roles/web-app-matrix/templates/nginx.conf.j2 +++ b/roles/web-app-matrix/templates/nginx.conf.j2 @@ -3,8 +3,8 @@ server { {% include 'roles/srv-letsencrypt/templates/ssl_header.j2' %} # For the federation port - listen {{ FEDERATION_PORT }} ssl default_server; - listen [::]:{{ FEDERATION_PORT }} ssl default_server; + listen {{ MATRIX_FEDERATION_PORT }} ssl default_server; + listen [::]:{{ MATRIX_FEDERATION_PORT }} ssl default_server; {% include 'roles/sys-srv-web-inj-compose/templates/server.conf.j2'%} diff --git a/roles/web-app-matrix/vars/main.yml b/roles/web-app-matrix/vars/main.yml index 0421edb5..a3613528 100644 --- a/roles/web-app-matrix/vars/main.yml +++ b/roles/web-app-matrix/vars/main.yml 
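Review bot: `MAILU_RSPAMD_LIMITS_DEFAULTS` hard-codes `RATE: "30 / 1min"` and `BURST: 50`, while every other value in this vars file is read through `applications | get_app_conf(application_id, …)`, so an operator cannot tune the authenticated-sender default per deployment without editing the role. Reading them the same way keeps both the defaults and the project convention, e.g. `RATE: "{{ applications | get_app_conf(application_id, 'rspamd.limits.rate', '30 / 1min') }}"` and `BURST: "{{ applications | get_app_conf(application_id, 'rspamd.limits.burst', 50) }}"` (the key names are my proposal); the expressions must stay quoted since a Jinja expression that starts a YAML value is otherwise parsed as a flow mapping. A comment above `MAILU_RSPAMD_HOST_DIR`, `# Rendered by tasks/01_core.yml and bind-mounted read-only at /overrides in the rspamd service`, would tell a reader where these paths are consumed.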
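Review bot: `"logout_redirect_url": "{{ OIDC.CLIENT.LOGOUT_URL if MATRIX_OIDC_ENABLED else MATRIX_BASE_URL }}"` tests `MATRIX_OIDC_ENABLED` bare, but that variable is defined in `vars/main.yml` as the raw result of `get_app_conf(...)`, and elsewhere this diff coerces such flags with `| bool` (`when: MODE_ASSERT | bool`); if the config value is a YAML string such as `"no"` or `"false"`, the bare test is truthy and Element would send users to an OIDC logout URL that is not in use. Since the file is JSON, the safer form also escapes the value: `"logout_redirect_url": {{ (OIDC.CLIENT.LOGOUT_URL if MATRIX_OIDC_ENABLED | bool else MATRIX_BASE_URL) | to_json }},` so a URL containing a quote cannot break the config. I am assuming `OIDC.CLIENT.LOGOUT_URL` is only defined when OIDC is enabled; the conditional expression is evaluated lazily, so the else branch does not touch it.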
@@ -17,7 +17,9 @@ MATRIX_WELL_KNOWN_FILE: "{{ MATRIX_WELL_KNOWN_DIRECTORY }}server" MATRIX_PROJECT: "{{ application_id | get_entity_name }}" MATRIX_REGISTRATION_FILE_FOLDER: "/data/" MATRIX_REGISTRATION_SHARED_SECRET: "{{ applications | get_app_conf(application_id, 'credentials.registration_shared_secret') }}" -FEDERATION_PORT: "{{ ports.public.federation['web-app-matrix_synapse'] }}" +MATRIX_FEDERATION_PORT: "{{ ports.public.federation['web-app-matrix_synapse'] }}" +MATRIX_OIDC_ENABLED: "{{ applications | get_app_conf(application_id, 'features.oidc', False) }}" +MATRIX_BASE_URL: "{{ WEB_PROTOCOL }}://{{ PRIMARY_DOMAIN }}" ## Synapse MATRIX_SYNAPSE_VERSION: "{{ applications | get_app_conf(application_id, 'docker.services.synapse.version') }}" @@ -38,4 +40,4 @@ MATRIX_ELEMENT_IMAGE: "{{ applications | get_app_conf(applicatio MATRIX_ELEMENT_NAME: "{{ applications | get_app_conf(application_id, 'docker.services.element.name') }}" MATRIX_ELEMENT_DOMAIN: "{{ domains[application_id].element }}" MATRIX_ELEMENT_PORT: "{{ ports.localhost.http['web-app-matrix_element'] }}" -MATRIX_ELEMENT_CONFIG_PATH_HOST: "{{ docker_compose.directories.config }}element-config.json" \ No newline at end of file +MATRIX_ELEMENT_CONFIG_PATH_HOST: "{{ docker_compose.directories.config }}element-config.json" diff --git a/roles/web-app-nextcloud/templates/nginx/host.conf.j2 b/roles/web-app-nextcloud/templates/nginx/host.conf.j2 index 00abe54a..bc7ec963 100644 --- a/roles/web-app-nextcloud/templates/nginx/host.conf.j2 +++ b/roles/web-app-nextcloud/templates/nginx/host.conf.j2 @@ -1,5 +1,3 @@ -{# This is the nginx configuration file for the proxy server #} - server { server_name {{ domain }}; diff --git a/roles/web-app-nextcloud/users/main.yml b/roles/web-app-nextcloud/users/main.yml index fc7cdca1..fdc9d871 100644 --- a/roles/web-app-nextcloud/users/main.yml +++ b/roles/web-app-nextcloud/users/main.yml 
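Review bot: `MATRIX_OIDC_ENABLED` stores the raw result of `get_app_conf(application_id, 'features.oidc', False)` with no `| bool`, so consumers that test it in a Jinja `if` (the Element config template in this diff) depend on the config value being a real boolean rather than a string like `"no"`. Normalising at the definition, `MATRIX_OIDC_ENABLED: "{{ applications | get_app_conf(application_id, 'features.oidc', False) | bool }}"`, mirrors `when: MODE_ASSERT | bool` used elsewhere in this diff and fixes every consumer at once. `MATRIX_BASE_URL` is built from `PRIMARY_DOMAIN` rather than from the matrix domains, which matches the value previously inlined in `element.config.json.j2`; a comment such as `# Identity-server and logout fallback URL: the primary site, not the synapse or element host` would keep the next reader from "correcting" it.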
@@ -1,7 +1,17 @@ users: administrator: - username: "administrator" + username: "administrator" no-reply: - username: "no-reply" + username: "no-reply" roles: - - mail-bot \ No newline at end of file + - mail-bot + limits: + rate: "60 / 1min" + burst: 3600 + test12345: + username: "treset12345" + roles: + - mail-bot + limits: + rate: "60 / 1min" + burst: 3600 \ No newline at end of file diff --git a/roles/web-app-syncope/templates/proxy.conf b/roles/web-app-syncope/templates/proxy.conf index e02f180d..cba2936e 100644 --- a/roles/web-app-syncope/templates/proxy.conf +++ b/roles/web-app-syncope/templates/proxy.conf @@ -1,6 +1,8 @@ server { server_name {{ domain }}; + {# Include buffers for OIDC #} + {% include 'roles/srv-proxy-core/templates/headers/buffers.conf.j2' %} {% if applications | get_app_conf(application_id, 'features.oauth2', False) %} {% include 'roles/web-app-oauth2-proxy/templates/endpoint.conf.j2'%} diff --git a/templates/roles/web-app/users/main.yml b/templates/roles/web-app/users/main.yml index cac2eac4..d2955952 100644 --- a/templates/roles/web-app/users/main.yml +++ b/templates/roles/web-app/users/main.yml @@ -4,4 +4,7 @@ users: username: demo email: "demo@{{ PRIMARY_DOMAIN }}" roles: [] - description: Demo User \ No newline at end of file + description: Demo User + limits: + rate: "60 / 1min" # token fill rate (N per window) + burst: 3600 # max immediate tokens \ No newline at end of file
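Review bot: The new `test12345` entry (`username: "treset12345"`, role `mail-bot`, `60 / 1min` with `burst: 3600`) reads like a local test account left in the Nextcloud users definition: the map key and the username do not agree and the name carries no meaning, yet once committed it presumably provisions a mail-sending account on every deployment. Drop the entry, or if it is intended, align the key and username and state its purpose above it, e.g. `# Integration-test sender; remove before release`. Separately, `burst: 3600` on a `60 / 1min` rate lets `no-reply` emit an hour's worth of mail at once, sixty times the role-wide default of `BURST: 50` in `web-app-mailu/vars/main.yml`; if the bot genuinely needs that headroom, a one-line comment with the reason would help, otherwise a burst closer to the per-minute rate limits what a compromised or runaway notifier can push out in one go.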
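Review bot: The `buffers.conf.j2` include is added unconditionally while its comment ties it to OIDC, and the `oauth2` include two lines below is gated on `features.oauth2`; if the larger proxy buffers are only needed for OIDC responses, wrapping the include in `{% if applications | get_app_conf(application_id, 'features.oidc', False) %}` … `{% endif %}` (the `features.oidc` key is the one used for Matrix in this diff) keeps the non-OIDC vhost at nginx's default buffer sizes and makes the intent explicit. If the buffers are wanted on every Syncope vhost, reword the comment instead, e.g. `{# Larger proxy buffers: required for OIDC responses, harmless otherwise #}`.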
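Review bot: The new `limits` on the demo user template (`rate: "60 / 1min"`, `burst: 3600`) become the starting point for every generated role's users file, and a burst sixty times the per-minute rate makes the limit almost cosmetic for a demo login: 3600 messages can leave immediately before the `60 / 1min` refill matters, far above the role default of `BURST: 50` in `web-app-mailu/vars/main.yml`. Unless demo users are expected to send bulk mail, a burst near the rate, e.g. `burst: 60`, is the safer template default; whatever value is kept, make the inline comments say what the numbers mean, e.g. `rate: "60 / 1min"  # rspamd token fill rate: N tokens per window` and `burst: 60  # bucket size: how many messages may be sent at once`.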