diff --git a/roles/itop/defaults/main.yml b/roles/itop/defaults/main.yml
index 9b7dbcb..750897b 100644
--- a/roles/itop/defaults/main.yml
+++ b/roles/itop/defaults/main.yml
@@ -28,3 +28,6 @@ itop_db_user: itop_{{ itop_id }}
# - 192.168.7.0/24
# - 10.2.0.0/24
+# Cron task needs a user and a pass, so it won't be enabled until you set it
+# itop_cron_user: cron
+# itop_cron_pass: secret
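Review bot: The example `# itop_cron_pass: secret` invites a clear-text password in the inventory. Add a comment line such as `# Keep itop_cron_pass in a vault-encrypted vars file`. The comment could also say that both variables must be set, since the timer state and the `auth_*` lines in the other hunks are conditioned on both being defined.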
diff --git a/roles/itop/tasks/conf.yml b/roles/itop/tasks/conf.yml
index e9cdbb7..871afeb 100644
--- a/roles/itop/tasks/conf.yml
+++ b/roles/itop/tasks/conf.yml
@@ -7,3 +7,6 @@
- php_fpm_pool: "{{ itop_php_fpm_pool | default('') }}"
tags: itop
+- name: Deploy cron param file
+ template: src=cron.param.j2 dest={{ itop_root_dir }}/etc/cron.params group={{ itop_php_user }} mode=640
+ tags: itop
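Review bot: The rendered `cron.params` carries `auth_pwd`, and this `template` task will print its content whenever the play runs with `--diff`; add `no_log: True` to the task. No `owner=` is given either, so ownership follows the connecting user; stating `owner=root` makes the intended `root:{{ itop_php_user }}` 640 result explicit. The one-line `key=value` form would also read better as a native YAML mapping with `mode: "0640"`.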
diff --git a/roles/itop/tasks/directories.yml b/roles/itop/tasks/directories.yml
index 7d6e5ee..c4957c7 100644
--- a/roles/itop/tasks/directories.yml
+++ b/roles/itop/tasks/directories.yml
@@ -16,6 +16,9 @@
mode: 700
- dir: "{{ itop_root_dir }}/backup"
mode: 700
+ - dir: "{{ itop_root_dir }}/etc"
+ group: "{{ itop_php_user }}"
+ mode: 750
- dir: "{{ itop_root_dir }}/web/data"
- dir: "{{ itop_root_dir }}/web/conf"
- dir: "{{ itop_root_dir }}/web/env-production"
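Review bot: `mode: 750` is an unquoted YAML integer, so it may reach Ansible as decimal 750 rather than octal, depending on how the task outside this hunk passes `item.mode` to the module. Writing `mode: "0750"` removes the ambiguity. It matters here because this directory holds the `cron.params` credentials file. The neighbouring `mode: 700` entries have the same form and could be quoted in the same pass.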
diff --git a/roles/itop/tasks/install.yml b/roles/itop/tasks/install.yml
index 5d3485d..34fb792 100644
--- a/roles/itop/tasks/install.yml
+++ b/roles/itop/tasks/install.yml
@@ -47,6 +47,7 @@
- synchro
- sources
- documentation
+ - extensions
- name: Install new version of iTop
synchronize:
@@ -55,6 +56,13 @@
recursive: True
delegate_to: "{{ inventory_hostname }}"
+ - name: Install extensions
+ get_url:
+ url: "{{ itop_extensions[item].url }}"
+ checksum: sha1:{{ itop_extensions[item].sha1 }}
+ dest: "{{ itop_root_dir }}/tmp"
+ loop: "{{ itop_extensions.keys() | list }}"
+
tags: itop
- name: Ensure env-production directories exist
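Review bot: `checksum: sha1:{{ itop_extensions[item].sha1 }}` pins each download with SHA-1, which no longer offers collision resistance. `get_url` accepts stronger algorithms, so prefer `checksum: "sha256:{{ itop_extensions[item].sha256 }}"` and name the key in the variable accordingly. The loop also dereferences `itop_extensions` unconditionally, and no default for it appears in the visible `defaults/main.yml` hunk, so an `itop_extensions: {}` default may be needed unless one exists elsewhere. The enclosing block starts above this hunk.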
@@ -78,3 +86,23 @@
- pre
- post
tags: itop
+
+- name: Install systemd units
+ template: src=itop.{{ item }}.j2 dest=/etc/systemd/system/itop_{{ itop_id }}.{{ item }}
+ loop:
+ - service
+ - timer
+ register: itop_units
+ tags: itop
+
+- name: Reload systemd
+ systemd: daemon_reload=True
+ when: itop_units.results | selectattr('changed','equalto',True) | list | length > 0
+ tags: itop
+
+- name: Enable iTop timer
+ systemd:
+ name: itop_{{ itop_id }}.timer
+ state: "{{ (itop_cron_user is defined and itop_cron_pass is defined) | ternary('started','stopped') }}"
+ enabled: "{{ (itop_cron_user is defined and itop_cron_pass is defined) | ternary(True,False) }}"
+ tags: itop
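Review bot: The condition on "Reload systemd" rebuilds by hand what the registered loop result already exposes; `when: itop_units is changed` is equivalent and easier to read. In "Enable iTop timer", `ternary(True,False)` is an identity on a boolean, so `enabled: "{{ itop_cron_user is defined and itop_cron_pass is defined }}"` is enough. The unit files are also written without `owner` or `mode`, so their permissions depend on the remote umask; `owner=root group=root mode=644` on the `template` line would pin them.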
diff --git a/roles/itop/templates/cron.param.j2 b/roles/itop/templates/cron.param.j2
new file mode 100644
index 0000000..b97d96c
--- /dev/null
+++ b/roles/itop/templates/cron.param.j2
@@ -0,0 +1,7 @@
+{% if itop_cron_user is defined and itop_cron_pass is defined %}
+auth_user = {{ itop_cron_user }}
+auth_pwd = {{ itop_cron_pass }}
+{% endif %}
+
+size_min = 20 # in MB
+time_limit = 40 # in minutes
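Review bot: A password containing `#` or leading or trailing whitespace is likely to be misread from `auth_pwd = {{ itop_cron_pass }}`, because the same file uses ` # ` for trailing comments (`size_min = 20 # in MB`). How cron.php parses the file is not visible here, so confirm the behaviour. Then either document the restriction next to `itop_cron_pass` in the defaults or have the role fail early when the value contains such characters.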
diff --git a/roles/itop/templates/httpd.conf.j2 b/roles/itop/templates/httpd.conf.j2
index d46b27a..ba72bfe 100644
--- a/roles/itop/templates/httpd.conf.j2
+++ b/roles/itop/templates/httpd.conf.j2
@@ -6,9 +6,7 @@ Alias /{{ itop_alias }} {{ itop_root_dir }}/web/
RewriteEngine On
# Upgrading DB schema can be very long, so makes sure httpd will wait for a response long enough
-
- ProxySet timeout=1800
-
+ProxyTimeout 1800
AllowOverride All
Options FollowSymLinks
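Review bot: `ProxyTimeout 1800` is not scoped the way the removed `ProxySet timeout=1800` was. `ProxyTimeout` is valid only in server or virtual-host context and applies to every proxied request there, whereas `ProxySet` is normally limited to one backend. If this template is included at server level, every other proxied application on the host inherits a 30-minute backend timeout, which lets slow or stalled backends hold workers far longer. The surrounding container directives are not visible in the hunk, so confirm the new line sits outside any `<Directory>` block, and consider keeping the long timeout on the iTop backend only.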
diff --git a/roles/itop/templates/itop.service.j2 b/roles/itop/templates/itop.service.j2
new file mode 100644
index 0000000..f8c8ed1
--- /dev/null
+++ b/roles/itop/templates/itop.service.j2
@@ -0,0 +1,14 @@
+[Unit]
+Description=iTop {{ itop_id }} background tasks
+
+[Service]
+Type=oneshot
+ExecStart=/bin/php{{ itop_php_version }} \
+ -d session.save_path={{ itop_root_dir }}/sessions \
+ {{ itop_root_dir }}/web/webservices/cron.php \
+ --param_file={{ itop_root_dir }}/etc/cron.params \
+ --verbose=1
+User={{ itop_php_user }}
+Group={{ itop_php_user }}
+
+
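Review bot: The `[Service]` section runs `cron.php` as `{{ itop_php_user }}` with no sandboxing directives, although the job presumably needs only the iTop tree and its database. Consider adding `NoNewPrivileges=yes` and `PrivateTmp=yes` after `Group=`, once you have checked that cron.php does not exchange files with the web front end through /tmp. The two trailing blank lines at the end of the template can be dropped.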
diff --git a/roles/itop/templates/itop.timer.j2 b/roles/itop/templates/itop.timer.j2
new file mode 100644
index 0000000..9f92025
--- /dev/null
+++ b/roles/itop/templates/itop.timer.j2
@@ -0,0 +1,8 @@
+[Unit]
+Description=iTop {{ itop_id }} background tasks
+
+[Timer]
+OnCalendar=*:0/5
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/itop/templates/perms.sh.j2 b/roles/itop/templates/perms.sh.j2
index 2762b69..9573733 100644
--- a/roles/itop/templates/perms.sh.j2
+++ b/roles/itop/templates/perms.sh.j2
@@ -1,9 +1,18 @@
#!/bin/sh
restorecon -R {{ itop_root_dir }}
+chown -R root:root {{ itop_root_dir }}/web/
+find {{ itop_root_dir }}/web/ -type d -exec chmod 755 "{}" \;
+find {{ itop_root_dir }}/web/ -type f -exec chmod 644 "{}" \;
{% for dir in ['data', 'conf', 'log', 'env-production', 'env-production-build', 'extensions'] %}
+chmod 700 {{ itop_root_dir }}/web/{{ dir }}
setfacl -k -b -R {{ itop_root_dir }}/web/{{ dir }}
-chown -R {{ itop_php_user }} {{ itop_root_dir }}/web/{{ dir }}
-setfacl -R -m u:{{ httpd_user | default('apache') }}:rX {{ itop_root_dir }}/web/{{ dir }}
+chown -R {{ itop_php_user }}:{{ itop_php_user }} {{ itop_root_dir }}/web/{{ dir }}
+{% if dir == 'conf' %}
+find {{ itop_root_dir }}/web/{{ dir }} -type d -exec chmod 750 "{}" \;
+find {{ itop_root_dir }}/web/{{ dir }} -type f -exec chown root:{{ itop_php_user }} "{}" \; -exec chmod 640 "{}" \;
+{% else %}
+find {{ itop_root_dir }}/web/{{ dir }} -type d -exec chmod 750 "{}" \;
+find {{ itop_root_dir }}/web/{{ dir }} -type f -exec chmod 640 "{}" \;
+{% endif %}
{% endfor %}
-
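Review bot: Between the global `find {{ itop_root_dir }}/web/ -type f -exec chmod 644` pass and the per-directory loop, every file under `web/conf`, `web/data` and `web/log` is briefly root-owned and world-readable, and the configuration file presumably holds the database credentials. Excluding the restricted directories from the global pass closes that window, e.g. adding `-not -path '{{ itop_root_dir }}/web/conf/*'` (and the same for the other loop directories) to both global `find` commands. The added `chmod 700 {{ itop_root_dir }}/web/{{ dir }}` has no lasting effect, because the later `find ... -type d -exec chmod 750` also matches the directory itself. Dropping the `setfacl -R -m u:...:rX` line means the httpd user reaches these trees only through group or other bits, so confirm static files under `env-production` are still served.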