diff --git a/manifests/swh/deploy/deposit.pp b/manifests/swh/deploy/deposit.pp
index 1b4d0ab..8657da1 100644
--- a/manifests/swh/deploy/deposit.pp
+++ b/manifests/swh/deploy/deposit.pp
@@ -1,93 +1,111 @@ # Deployment of the swh.deposit server class profile::swh::deploy::deposit { $conf_directory = hiera('swh::deploy::deposit::conf_directory') - $conf_file = hiera('swh::deploy::deposit::conf_file') + + $swh_conf_file = hiera('swh::deploy::deposit::swh_conf_file') $user = hiera('swh::deploy::deposit::user') $group = hiera('swh::deploy::deposit::group') + $swh_conf_raw = hiera('swh::deploy::deposit::config') - $deposit_config = hiera('swh::deploy::deposit::config') + $swh_setting_file = hiera('swh::deploy::deposit::settings_conf_file') + $db_host = hiera('swh::deploy::deposit::db::host') + $db_port = hiera('swh::deploy::deposit::db::port') + $db_user = hiera('swh::deploy::deposit::db::user') + $db_password = hiera('swh::deploy::deposit::db::password') + $runtime_secret_key = hiera('swh::deploy::deposit::runtime_secret_key') $swh_packages = ['python3-swh.deposit'] $backend_listen_host = hiera('swh::deploy::deposit::backend::listen::host') $backend_listen_port = hiera('swh::deploy::deposit::backend::listen::port') $backend_listen_address = "${backend_listen_host}:${backend_listen_port}" $backend_workers = hiera('swh::deploy::deposit::backend::workers') $backend_http_keepalive = hiera('swh::deploy::deposit::backend::http_keepalive') $backend_http_timeout = hiera('swh::deploy::deposit::backend::http_timeout') $backend_reload_mercy = hiera('swh::deploy::deposit::backend::reload_mercy') include ::gunicorn package {$swh_packages: ensure => latest, require => Apt::Source['softwareheritage'], } file {$conf_directory: ensure => directory, owner => 'root', group => $group, mode => '0750', } - file {$conf_file: + # swh's configuration part (upload size, etc...) 
+ file {$swh_conf_file: ensure => present, owner => 'root', group => $group, mode => '0640', - content => inline_template("<%= @deposit_config.to_yaml %>\n"), + content => inline_template("<%= @swh_conf_raw.to_yaml %>\n"), + notify => Service['gunicorn-swh-deposit'], + } + + # django settings part (db, template, etc...) + file {$swh_settings_file: + ensure => present, + owner => 'root' + group => $group, + mode => '0640', + content => template('profile/swh/deploy/deposit/settings.py.erb'), notify => Service['gunicorn-swh-deposit'], } ::gunicorn::instance {'swh-deposit': ensure => enabled, user => $user, group => $group, - executable => 'swh.deposit.server:make_app_from_configfile()', + executable => 'swh.deposit.wsgi', settings => { bind => $backend_listen_address, workers => $backend_workers, - worker_class => 'aiohttp.worker.GunicornWebWorker', + worker_class => 'sync', timeout => $backend_http_timeout, graceful_timeout => $backend_reload_mercy, keepalive => $backend_http_keepalive, } } $icinga_checks_file = '/etc/icinga2/conf.d/exported-checks.conf' @@::icinga2::object::service {"swh-deposit api (localhost on ${::fqdn})": service_name => 'swh-deposit api (localhost)', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', command_endpoint => $::fqdn, vars => { http_address => '127.0.0.1', http_port => $backend_listen_port, http_uri => '/', http_string => 'SWH Deposit Server', }, target => $icinga_checks_file, tag => 'icinga2::exported', } if $backend_listen_host != '127.0.0.1' { @@::icinga2::object::service {"swh-deposit api (remote on ${::fqdn})": service_name => 'swh-deposit api (remote)', import => ['generic-service'], host_name => $::fqdn, check_command => 'http', vars => { http_port => $backend_listen_port, http_uri => '/', http_string => 'SWH Deposit Server', }, target => $icinga_checks_file, tag => 'icinga2::exported', } } } 
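Review bot: The new settings-file resource cannot apply as written: its title is `$swh_settings_file` while the variable assigned above is `$swh_setting_file`, and `owner => 'root'` is missing its trailing comma. Renaming the assignment to `$swh_settings_file = hiera('swh::deploy::deposit::settings_conf_file')` and writing `owner => 'root',` fixes both. The template also expects a `db_name`, but no such variable is looked up here next to `$db_host`, `$db_port`, `$db_user` and `$db_password`. Because the rendered file carries the database password and the Django secret key, I would add `show_diff => false,` to that resource so content changes are not written to agent logs and reports; the root-owned `0640` mode is a sensible choice and should stay.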
diff --git a/templates/swh/deploy/deposit/settings.py.erb b/templates/swh/deploy/deposit/settings.py.erb
new file mode 100644
index 0000000..8e5ae2a
--- /dev/null
+++ b/templates/swh/deploy/deposit/settings.py.erb
@@ -0,0 +1,108 @@
+import os
+
+# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
+BASE_DIR = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))
+
+# SECURITY WARNING: keep the secret key used in production secret!
+SECRET_KEY = '<%= @runtime_secret_key %>'
+
+# SECURITY WARNING: don't run with debug turned on in production!
+# WIP so on
+DEBUG = True
+
+ALLOWED_HOSTS = []
+
+
+# Application definition
+
+INSTALLED_APPS = [
+ 'swh.deposit.apps.DepositConfig',
+ 'django.contrib.auth',
+ 'django.contrib.contenttypes',
+ 'django.contrib.staticfiles',
+ 'django.contrib.postgres', # for JSONField
+]
+
+MIDDLEWARE = [
+ 'django.middleware.security.SecurityMiddleware',
+ 'django.contrib.sessions.middleware.SessionMiddleware',
+ 'django.middleware.common.CommonMiddleware',
+ 'django.middleware.csrf.CsrfViewMiddleware',
+ 'django.contrib.auth.middleware.AuthenticationMiddleware',
+ 'django.contrib.messages.middleware.MessageMiddleware',
+ 'django.middleware.clickjacking.XFrameOptionsMiddleware',
+]
+
+ROOT_URLCONF = 'swh.deposit.urls'
+
+TEMPLATES = [
+ {
+ 'BACKEND': 'django.template.backends.django.DjangoTemplates',
+ 'DIRS': [],
+ 'APP_DIRS': True,
+ 'OPTIONS': {
+ 'context_processors': [
+ 'django.template.context_processors.debug',
+ 'django.template.context_processors.request',
+ 'django.contrib.auth.context_processors.auth',
+ 'django.contrib.messages.context_processors.messages',
+ ],
+ },
+ },
+]
+
+WSGI_APPLICATION = 'swh.deposit.wsgi.application'
+
+
+# Database
+# https://docs.djangoproject.com/en/1.10/ref/settings/#databases
+
+DATABASES = {
+ 'default': {
+ 'ENGINE': 'django.db.backends.postgresql',
+ 'NAME': '<%= db_name %>',
+ 'USER': '<%= db_user %>',
+ 'PASSWORD': '<%= db_password %>',
+ 'HOST': '<%= db_host %>',
+ 'PORT': '<%= db_port %>',
+ }
+}
+
+
+# Password validation
+# https://docs.djangoproject.com/en/1.10/ref/settings/#auth-password-validators
+
+AUTH_PASSWORD_VALIDATORS = [
+ {
+ 'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
+ },
+ {
+ 'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
+ },
+ {
+ 'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
+ },
+ {
+ 'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
+ },
+]
+
+
+# Internationalization
+# https://docs.djangoproject.com/en/1.10/topics/i18n/
+
+LANGUAGE_CODE = 'en-us'
+
+TIME_ZONE = 'UTC'
+
+USE_I18N = True
+
+USE_L10N = True
+
+USE_TZ = True
+
+
+# Static files (CSS, JavaScript, Images)
+# https://docs.djangoproject.com/en/1.10/howto/static-files/
+
+STATIC_URL = '/static/'
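Review bot: `DEBUG = True` (under the `# WIP so on` comment) is hard-coded in a settings file that the manifest deploys behind gunicorn, so any unhandled error would return Django's debug page, with tracebacks, local variables and much of the settings, to the API client. I would render `DEBUG = False` and fill `ALLOWED_HOSTS` from a hiera-provided list, since with debug off Django rejects every request while that list is empty. The `DATABASES` values use `<%= db_name %>`, `<%= db_user %>` and so on without the `@` that `SECRET_KEY` uses; whether the bare form resolves depends on the Puppet version, so `'PASSWORD': '<%= @db_password %>',` and its siblings are the safe spelling. The secret key and password are also placed unescaped inside single-quoted Python literals, so a value containing `'` or `\` would break or alter the setting; escaping at render time, or a comment stating that constraint on the hiera values, would help.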