diff --git a/.gitignore b/.gitignore
index f6892c2..f7926cc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
 /hosts.ini
+/deploy.pub
diff --git a/README.md b/README.md
index 2c448f3..d733cc1 100644
--- a/README.md
+++ b/README.md
@@ -2,16 +2,11 @@
 This playbook installs webserver (Nginx, Mariadb, PHP)
-## Installation
-
-Copy init file and edit values
+## Usage
 ```shell
-cp hosts.example.ini hosts.ini
-```
+cp hosts.example.ini hosts.ini # change config values
+touch deploy.sub # paste your ssh pub key for www_user
-Then run playbook
-
-```shell
-ansible-playbook -i hosts.ini playbook.yml
+ansible-playbook -i hosts.ini playbook.yml # run playbook
 ```
diff --git a/hosts.example.ini b/hosts.example.ini
index e922cda..05fbca8 100644
--- a/hosts.example.ini
+++ b/hosts.example.ini
@@ -7,3 +7,7 @@ ansible_python_interpreter=/usr/bin/python3
 mysql_root_password='motdepasse'
 mysql_old_root_password='motdepasse'
 php_version='8.0'
+www_user=user
+www_group=group
+www_home=/home/user
+
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index df2e5ee..35b5c37 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -8,6 +8,33 @@
 state: present
 update_cache: yes
+- name: create web user
+ user:
+ name: "{{ www_user }}"
+ group: "{{ www_group }}"
+ comment: "Web user"
+ shell: /bin/bash
+ home: "{{ www_home }}"
+ system: true
+ state: present
+
+- name: authorize deployer ssh key to wwwuser
+ authorized_key:
+ user: "{{ www_user }}"
+ state: present
+ key: "{{ lookup('file', '../../../deploy.pub') }}"
+
+- name: define wwwuser as nginx's user
+ replace:
+ path: /etc/nginx/nginx.conf
+ regexp: '^user (.+);$'
+ replace: "user {{ www_user }};"
+
+- name: restart nginx
+ service:
+ name: nginx
+ state: restarted
+
 - name: create letsencrypt's challenge directory
 file:
 name: /var/www/letsencrypt
diff --git a/roles/php/tasks/main.yml b/roles/php/tasks/main.yml
index 1a59ac4..ff73d99 100644
--- a/roles/php/tasks/main.yml
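Review bot: The `key:` lookup in the `authorize deployer ssh key to wwwuser` task reads `../../../deploy.pub` relative to wherever Ansible resolves the role's file search path, while the README hunk in this same commit tells users to `touch deploy.sub`, so on a fresh checkout the lookup fails before the task can run; `key: "{{ lookup('file', playbook_dir + '/deploy.pub') }}"` anchors the path to the playbook root, and the README filename should match. The account created by `create web user` is at once the nginx worker identity, the PHP-FPM pool user (php hunk) and an SSH login with `shell: /bin/bash` whose `authorized_keys` sits in its own home, so a compromise of any hosted site already runs with the deploy key's access and can modify that key file; a separate runtime user with `shell: /usr/sbin/nologin`, or a deploy user distinct from `www_user`, keeps those roles apart. `restart nginx` (and `restart php-fpm` in roles/php/tasks/main.yml) restarts the service on every play regardless of whether `replace` changed anything; make both handlers and put `notify: restart nginx` on the replace task instead. The `regexp: '^user (.+);$'` replace is also silent when nginx.conf has no uncommented `user` line, leaving workers on the package default with no signal, which is worth a comment or a follow-up check.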
+++ b/roles/php/tasks/main.yml
@@ -22,3 +22,19 @@
 alternatives:
 name: php
 path: /usr/bin/php{{ php_version }}
+
+- name: define wwwuser as php-fpm's user
+ replace:
+ path: "/etc/php/{{ php_version }}/fpm/pool.d/www.conf"
+ regexp: '{{ item.from }}'
+ replace: "{{ item.to }}"
+ with_items:
+ - {from: '^user = (.+)$', to: 'user = {{ www_user }}'}
+ - {from: '^group = (.+)$', to: 'group = {{ www_group }}'}
+ - {from: '^listen.owner = (.+)$', to: 'listen.owner = {{ www_user }}'}
+ - {from: '^listen.group = (.+)$', to: 'listen.group = {{ www_group }}'}
+
+- name: restart php-fpm
+ service:
+ name: php{{ php_version }}-fpm
+ state: restarted
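Review bot: The four `replace` patterns in `define wwwuser as php-fpm's user` only match uncommented `user = `, `group = `, `listen.owner = ` and `listen.group = ` lines, and `replace` reports ok rather than failing when nothing matches, so a pool file where any of these is commented out (`;user = ...`) leaves PHP-FPM on the stock user with no visible signal; a comment stating that assumption, or a `register` plus `assert` that the rendered file contains `user = {{ www_user }}`, would make the silent case visible. The `with_items` entries are flow mappings on one line each; block-style `- from: '^user = (.+)$'` / `to: 'user = {{ www_user }}'` items under `loop:` would read and diff more cleanly. `listen.mode` and the socket `listen` path are untouched, so it is worth confirming the nginx worker user set in the nginx hunk can actually open the socket owned by `www_user`/`www_group`.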