diff --git a/cli/generate_playbook.py b/cli/generate_playbook.py
index 426a86fb..2a7cf66e 100644
--- a/cli/generate_playbook.py
+++ b/cli/generate_playbook.py
@@ -21,7 +21,7 @@ def load_run_after(meta_file):
 
 def load_application_id(role_path):
     """Load the application_id from the vars/main.yml of the role."""
-    vars_file = os.path.join(role_path, 'main', 'main.yml')
+    vars_file = os.path.join(role_path, 'vars', 'main.yml')
     if os.path.exists(vars_file):
         with open(vars_file, 'r') as f:
             data = yaml.safe_load(f) or {}
@@ -113,14 +113,21 @@ def generate_playbook_entries(roles_dir, prefix=None):
     entries = []
     for role_name in sorted_role_names:
         role = roles[role_name]
+
+        # --- new validation block ---
+        if role.get('application_id') is None:
+            raise ValueError(f"Role '{role_name}' is missing an application_id")
+        # ----------------------------
+
+        app_id = role['application_id']
         entries.append(
-            f"- name: setup {role['application_id']}\n"
-            f"  when: ('{role['application_id']}' | application_allowed(group_names, allowed_applications))\n"
+            f"- name: setup {app_id}\n"
+            f"  when: ('{app_id}' | application_allowed(group_names, allowed_applications))\n"
             f"  include_role:\n"
             f"    name: {role['role_name']}\n"
         )
         entries.append(
-            f"- name: flush handlers after {role['application_id']}\n"
+            f"- name: flush handlers after {app_id}\n"
             f"  meta: flush_handlers\n"
         )
 
diff --git a/cli/generate_users.py b/cli/generate_users.py
index b7ed7db4..8ad83255 100644
--- a/cli/generate_users.py
+++ b/cli/generate_users.py
@@ -110,7 +110,7 @@ def build_users(defs, primary_domain, start_id, become_pwd):
 
 def load_user_defs(roles_directory):
     """
-    Scan all roles/*/meta/users.yml files and merge any 'users:' sections.
+    Scan all roles/*/users/main.yml files and merge any 'users:' sections.
 
     Args:
         roles_directory (str): Path to the directory containing role subdirectories.
@@ -121,7 +121,7 @@ def load_user_defs(roles_directory):
     Raises:
         ValueError: On invalid format or conflicting override values.
     """
-    pattern = os.path.join(roles_directory, '*/meta/users.yml')
+    pattern = os.path.join(roles_directory, '*/users/main.yml')
     files = sorted(glob.glob(pattern))
     merged = OrderedDict()
 
@@ -165,11 +165,11 @@ def dictify(data):
 
 def parse_args():
     parser = argparse.ArgumentParser(
-        description='Generate a users.yml by merging all roles/*/meta/users.yml definitions.'
+        description='Generate a users.yml by merging all roles/*/users/main.yml definitions.'
     )
     parser.add_argument(
         '--roles-dir', '-r', required=True,
-        help='Directory containing roles (e.g., roles/*/meta/users.yml).'
+        help='Directory containing roles (e.g., roles/*/users/main.yml).'
     )
     parser.add_argument(
         '--output', '-o', required=True,
diff --git a/roles/docker-compose/meta/users.yml b/roles/docker-compose/users/main.yml
similarity index 100%
rename from roles/docker-compose/meta/users.yml
rename to roles/docker-compose/users/main.yml
diff --git a/roles/service-openldap/meta/users.yml b/roles/service-openldap/users/main.yml
similarity index 100%
rename from roles/service-openldap/meta/users.yml
rename to roles/service-openldap/users/main.yml
diff --git a/roles/user-administrator/meta/users.yml b/roles/user-administrator/users/main.yml
similarity index 100%
rename from roles/user-administrator/meta/users.yml
rename to roles/user-administrator/users/main.yml
diff --git a/roles/user/meta/users.yml b/roles/user/users/main.yml
similarity index 100%
rename from roles/user/meta/users.yml
rename to roles/user/users/main.yml
diff --git a/roles/web-app-bluesky/meta/users.yml b/roles/web-app-bluesky/users/main.yml
similarity index 100%
rename from roles/web-app-bluesky/meta/users.yml
rename to roles/web-app-bluesky/users/main.yml
diff --git a/roles/web-app-espocrm/meta/users.yml b/roles/web-app-espocrm/users/main.yml
similarity index 100%
rename from roles/web-app-espocrm/meta/users.yml
rename to roles/web-app-espocrm/users/main.yml
diff --git a/roles/web-app-keycloak/meta/users.yml b/roles/web-app-keycloak/users/main.yml
similarity index 100%
rename from roles/web-app-keycloak/meta/users.yml
rename to roles/web-app-keycloak/users/main.yml
diff --git a/roles/web-app-listmonk/meta/users.yml b/roles/web-app-listmonk/users/main.yml
similarity index 100%
rename from roles/web-app-listmonk/meta/users.yml
rename to roles/web-app-listmonk/users/main.yml
diff --git a/roles/web-app-mailu/meta/users.yml b/roles/web-app-mailu/users/main.yml
similarity index 100%
rename from roles/web-app-mailu/meta/users.yml
rename to roles/web-app-mailu/users/main.yml
diff --git a/roles/web-app-matrix/meta/users.yml b/roles/web-app-matrix/users/main.yml
similarity index 100%
rename from roles/web-app-matrix/meta/users.yml
rename to roles/web-app-matrix/users/main.yml
diff --git a/roles/web-app-moodle/meta/users.yml b/roles/web-app-moodle/users/main.yml
similarity index 100%
rename from roles/web-app-moodle/meta/users.yml
rename to roles/web-app-moodle/users/main.yml
diff --git a/roles/web-app-nextcloud/meta/users.yml b/roles/web-app-nextcloud/users/main.yml
similarity index 100%
rename from roles/web-app-nextcloud/meta/users.yml
rename to roles/web-app-nextcloud/users/main.yml
diff --git a/roles/web-app-pgadmin/meta/users.yml b/roles/web-app-pgadmin/users/main.yml
similarity index 100%
rename from roles/web-app-pgadmin/meta/users.yml
rename to roles/web-app-pgadmin/users/main.yml
diff --git a/roles/web-app-wordpress/meta/users.yml b/roles/web-app-wordpress/users/main.yml
similarity index 100%
rename from roles/web-app-wordpress/meta/users.yml
rename to roles/web-app-wordpress/users/main.yml
diff --git a/roles/web-app-yourls/meta/users.yml b/roles/web-app-yourls/users/main.yml
similarity index 100%
rename from roles/web-app-yourls/meta/users.yml
rename to roles/web-app-yourls/users/main.yml
diff --git a/templates/roles/web-app/users/main.yml b/templates/roles/web-app/users/main.yml
new file mode 100644
index 00000000..721c7636
--- /dev/null
+++ b/templates/roles/web-app/users/main.yml
@@ -0,0 +1,7 @@
+# Add here the users which your application needs e.g:
+users:
+  demo:
+    username: demo
+    email: "demo@{{ primary_domain }}"
+    roles: []
+    description: Demo User
\ No newline at end of file
diff --git a/tests/unit/cli/test_generate_users.py b/tests/unit/cli/test_generate_users.py
index 80cb4794..01e801ec 100644
--- a/tests/unit/cli/test_generate_users.py
+++ b/tests/unit/cli/test_generate_users.py
@@ -114,18 +114,18 @@ class TestGenerateUsers(unittest.TestCase):
         # create temp roles structure
         tmp = tempfile.mkdtemp()
         try:
-            os.makedirs(os.path.join(tmp, 'role1/meta'))
-            os.makedirs(os.path.join(tmp, 'role2/meta'))
+            os.makedirs(os.path.join(tmp, 'role1/users'))
+            os.makedirs(os.path.join(tmp, 'role2/users'))
             # role1 defines user x
-            with open(os.path.join(tmp, 'role1/meta/users.yml'), 'w') as f:
+            with open(os.path.join(tmp, 'role1/users/main.yml'), 'w') as f:
                 yaml.safe_dump({'users': {'x': {'email': 'x@a'}}}, f)
             # role2 defines same user x with same value
-            with open(os.path.join(tmp, 'role2/meta/users.yml'), 'w') as f:
+            with open(os.path.join(tmp, 'role2/users/main.yml'), 'w') as f:
                 yaml.safe_dump({'users': {'x': {'email': 'x@a'}}}, f)
             defs = generate_users.load_user_defs(tmp)
             self.assertIn('x', defs)
             # now conflict definition
-            with open(os.path.join(tmp, 'role2/meta/users.yml'), 'w') as f:
+            with open(os.path.join(tmp, 'role2/users/main.yml'), 'w') as f:
                 yaml.safe_dump({'users': {'x': {'email': 'x@b'}}}, f)
             with self.assertRaises(ValueError):
                 generate_users.load_user_defs(tmp)