diff --git a/dd-ctl b/dd-ctl index fb9dfa8..f47bddf 100755 --- a/dd-ctl +++ b/dd-ctl 
@@ -1,40 +1,101 @@ -#!/bin/bash - -if [ ! -d "custom" ]; then echo "You need to copy custom.sample to custom folder and adapt it to your needs." && exit 1; fi -if [ ! -f "digitaldemocratic.conf" ]; then echo "You need to copy digitaldemocratic.conf.sample to digitaldemocratic.conf and adapt" && exit 1; fi +#!/usr/bin/env bash OPERATION="$1" -if [ -z "$OPERATION" ]; then - set +x - echo "Missing command." - echo " Example: ./dd.ctl [operation]" - echo " Update repository: ./dd-ctl repo-update [branch-name] (defaults to master)" - echo " Bring the current project up: ./dd-ctl all" - echo " Build the compose files: ./dd-ctl build" - echo " Regenerate docker-compose.yml from conf: ./dd-ctl yml" - echo " Build the devel compose files: ./dd-ctl build-devel" - echo " Start the project when stopped: ./dd-ctl up" - echo " Stop the project when started: ./dd-ctl down" - echo " Apply customizations: ./dd-ctl customize" - echo " Update SAML certificates: ./dd-ctl saml" - echo " Upgrade plugins: ./dd-ctl upgrade-plugins" - echo " Branding (custom/img, custom/menu): ./dd-ctl branding" - echo " Restart api if changes applied (development): ./dd-ctl restart-api" - echo " Generate adminer.yml to access DBs: ./dd-ctl adminer" - echo " Rescan nextcloud data folders: ./dd-ctl nextcloud-scan" - exit 1 + +help() { + cat <<-EOF + Example: ./dd.ctl [operation] [arguments] + + For a new installation, you usually will want to run: + ./dd-ctl repo-update + ./dd-ctl prerequisites + ./dd-ctl securize + ./dd-ctl all + ./dd-ctl saml + + + Generate adminer.yml to access DBs: ./dd-ctl adminer + Bring the current project up: ./dd-ctl all + Branding (custom/img, custom/menu): ./dd-ctl branding + Build the compose files: ./dd-ctl build + Build the devel compose files: ./dd-ctl build-devel + Apply customizations: ./dd-ctl customize + Stop the project when started: ./dd-ctl down + Rescan nextcloud data folders: ./dd-ctl nextcloud-scan + Install all prerequisites for installation: ./dd-ctl prerequisites 
+ Update repository: ./dd-ctl repo-update [branch-name] (defaults to master) + Restart api if changes applied (development): ./dd-ctl restart-api + Update SAML certificates: ./dd-ctl saml + Set secure passwords in digitaldemocratic.conf: ./dd-ctl securize + Set a config variable in digitaldemocratic.conf: ./dd-ctl setconf VARIABLE [VALUE] + Start the project when stopped: ./dd-ctl up + Upgrade plugins: ./dd-ctl upgrade-plugins + Regenerate docker-compose.yml from conf: ./dd-ctl yml + EOF +} + +# Help messages +if [ -z "$OPERATION" ] || [ "$OPERATION" = "-h" ] || [ "$OPERATION" = "--help" ]; then + test -n "$OPERATION" || printf "Missing command.\n\n" + help + exit fi -BRANCH="$2" -if [ -z "$BRANCH" ]; then - BRANCH="master" +# Sanity checks +if [ "$OPERATION" != "prerequisites" ]; then + if [ ! -d "custom" ]; then + echo "You need to copy custom.sample to custom folder and adapt it to your needs." + exit 1 + fi + if [ ! -f "digitaldemocratic.conf" ]; then + echo "You need to copy digitaldemocratic.conf.sample to digitaldemocratic.conf and adapt" + exit 1 + fi fi +BRANCH="${2:-master}" + cp digitaldemocratic.conf .env CUSTOM_PATH=$(pwd) . 
./.env +prerequisites_docker(){ + # Remove uncompatible docker packages + for pkg in docker docker-engine docker.io containerd runc; do + if dpkg -s "${pkg}" >/dev/null; then + apt-get remove -y "${pkg}" + fi + done + + # Install upstream-docker repo pre-requisites + apt-get install -y \ + apt-transport-https \ + ca-certificates \ + curl \ + gnupg-agent \ + software-properties-common \ + git \ + unzip \ + libffi-dev + + curl -fsSL https://download.docker.com/linux/debian/gpg | apt-key add - + add-apt-repository \ + "deb [arch=amd64] https://download.docker.com/linux/debian \ + $(lsb_release -cs) \ + stable" + apt-get update -y + # docker-ce must be used instead of the one from the distro + apt-get install -y docker-ce docker-ce-cli containerd.io + + apt-get install -y python3-pip + # docker-compose > 1.28 is required, latest will be installed + pip3 install docker-compose +} +prerequisites_pwd(){ + apt-get install -y dictionaries-common wamerican +} + update_repo(){ git fetch && git checkout $BRANCH git submodule update --init --recursive 
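Review bot: `prerequisites_docker` pipes the downloaded Docker signing key into `apt-key add -`, which puts it in apt's global trusted keyring, so it is accepted for every configured repository rather than only Docker's; apt-key is also deprecated. Store the key in its own file and bind it to this one source: after creating `/etc/apt/keyrings`, use `curl -fsSL https://download.docker.com/linux/debian/gpg -o /etc/apt/keyrings/docker.asc` and `deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/debian $(lsb_release -cs) stable`. `pip3 install docker-compose` has no version pin and presumably runs as root, so each run installs whatever PyPI serves at that moment; pinning a known-good release that satisfies the "> 1.28" comment would make the install reproducible and reviewable. Nothing in the function checks exit status, so a failed key download or `apt-get update` still falls through to the package installs.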
@@ -483,117 +544,170 @@ configure_nextcloud_logo(){ docker exec -u www-data isard-apps-nextcloud-app php occ config:app:set theming cachebuster --value="$(expr $cachebuster + 1 )" } -if [ "$OPERATION" = "repo-update" ]; then - update_repo -fi +genpwd() { + if [ ! -f /usr/share/dict/words ]; then + prerequisites_pwd > /dev/null + fi + shuf -n3 /usr/share/dict/words | tr -d "\n" | tr -d "'" +} -if [ "$OPERATION" = "build" ]; then - build -fi +securize() { + for dd_var in \ + SMTP_PASSWORD \ + ADMINAPP_PASSWORD \ + DDADMIN_PASSWORD \ + KEYCLOAK_PASSWORD \ + KEYCLOAK_DB_PASSWORD \ + POSTGRES_PASSWORD \ + MARIADB_PASSWORD \ + MOODLE_POSTGRES_PASSWORD \ + MOODLE_ADMIN_PASSWORD \ + NEXTCLOUD_POSTGRES_PASSWORD \ + NEXTCLOUD_ADMIN_PASSWORD \ + ETHERPAD_POSTGRES_PASSWORD \ + ETHERPAD_ADMIN_PASSWORD \ + WORDPRESS_MARIADB_PASSWORD \ + WORDPRESS_ADMIN_PASSWORD \ + IPA_ADMIN_PWD; do + setconf "${dd_var}" "$(genpwd)" + done +} -if [ "$OPERATION" = "yml" ]; then - cp digitaldemocratic.conf .env - CUSTOM_PATH=$(pwd) - . ./.env - build_compose -fi +setconf() { + dd_var="$(echo "$1" | tr "[:lower:]" "[:upper:]")" + dd_val="$2" + dd_line="$(printf '%s="%s"' "${dd_var:?}" "${dd_val}")" + if grep -qE "^${dd_var:?}=" digitaldemocratic.conf; then + # Found uncommented, replace in-place + sed -i'' -E "s!^${dd_var:?}=.*\$!${dd_line}!" digitaldemocratic.conf + elif grep -qE "^#[[:space:]]*${dd_var:?}=" digitaldemocratic.conf; then + # Found commented, replace in-place + sed -i'' -E "s!^#[[:space:]]*${dd_var:?}=.*\$!${dd_line}!" 
digitaldemocratic.conf + else + # Not found, append + echo "${dd_line}" >> digitaldemocratic.conf + fi +} -if [ "$OPERATION" = "build-devel" ]; then - build_compose_develop -fi +# Argument handling +case "$OPERATION" in + build) + build + ;; + build-devel) + build_compose_develop + ;; + adminer) + extras_adminer + ;; + all) + build + up -if [ "$OPERATION" = "up" ]; then - up -fi + wait_for_moodle + upgrade_plugins_moodle + upgrade_plugins_nextcloud + upgrade_plugins_wp -if [ "$OPERATION" = "down" ]; then - down -fi + setup_nextcloud + setup_wordpress + setup_moodle -if [ "$OPERATION" = "customize" ]; then - up - wait_for_moodle - setup_nextcloud - setup_wordpress - setup_moodle -fi + setup_keycloak + saml_certificates -if [ "$OPERATION" = "saml" ]; then - up - wait_for_moodle - setup_keycloak - saml_certificates -fi + cat <<-EOF -if [ "$OPERATION" = "all" ]; then - build - up + #### After install #### + - SSO in moodle should be active. You can go to: https://moodle.$DOMAIN + If it fails, regenerate and lock certificate in moodle SAML2 connector as a local admin. + After that run ./dd-ctl saml + - SSO in nextcloud should be active. You can go to: https://nextcloud.$DOMAIN + - SSO in wordpress should be active. You should go to https://wp.$DOMAIN/wp-admin//plugins.php - wait_for_moodle - upgrade_plugins_moodle - upgrade_plugins_nextcloud - upgrade_plugins_wp - - setup_nextcloud - setup_wordpress - setup_moodle - - setup_keycloak - saml_certificates - - echo "\n\n" - echo " #### After install ####" - echo " - SSO in moodle should be active. You can go to: https://moodle.$DOMAIN" - echo " If it fails, regenerate and lock certificate in moodle SAML2 connector as a local admin." - echo " After that run ./dd-ctl saml" - echo " - SSO in nextcloud should be active. You can go to: https://nextcloud.$DOMAIN" - echo " - SSO in wordpress should be active. 
You should go to https://wp.$DOMAIN/wp-admin//plugins.php " - - echo "\n\n" - echo " #### Update customizations ####" - echo " - ./dd-ctl customize" -fi - -if [ "$OPERATION" = "branding" ]; then - up - wait_for_moodle - update_logos_and_menu -fi - -if [ "$OPERATION" = "upgrade-plugins" ]; then - up - wait_for_moodle - upgrade_plugins_moodle - upgrade_plugins_nextcloud - upgrade_plugins_wp -fi - -if [ "$OPERATION" = "restart-api" ]; then - up - wait_for_moodle - docker restart isard-sso-api -fi - -if [ "$OPERATION" = "adminer" ]; then - extras_adminer -fi - -if [ "$OPERATION" = "pgtuner" ]; then - extras_pgtuner -fi - -if [ "$OPERATION" = "reset-1714" ]; then - echo "Resetting all but certificates" - down - rm -rf /opt/digitaldemocratic/backup - rm -rf /opt/digitaldemocratic/data/* - rm -rf /opt/digitaldemocratic/db/* - rm -rf $SRC_FOLDER/avatars - rm -rf $SRC_FOLDER/moodle - rm -rf $SRC_FOLDER/nextcloud - rm -rf $SRC_FOLDER/wordpress -fi - -if [ "$OPERATION" = "nextcloud-scan" ]; then - nextcloud_scan -fi + #### Update customizations #### + - ./dd-ctl customize + EOF + ;; + branding) + up + wait_for_moodle + update_logos_and_menu + ;; + customize) + up + wait_for_moodle + setup_nextcloud + setup_wordpress + setup_moodle + ;; + down) + down + ;; + nextcloud-scan) + nextcloud_scan + ;; + pgtuner) + extras_pgtuner + ;; + prerequisites) + prerequisites_docker + prerequisites_pwd + ;; + repo-update) + update_repo + ;; + reset-data|reset-1714) + cat <<-EOF + # Following commands RESET ALL DATA except for certificates + # execute them only if you know what you are doing + # This *will* result in DATA LOSS + "$0" down + rm -rf /opt/digitaldemocratic/backup + rm -rf /opt/digitaldemocratic/data/* + rm -rf /opt/digitaldemocratic/db/* + rm -rf '$SRC_FOLDER/avatars' + rm -rf '$SRC_FOLDER/moodle' + rm -rf '$SRC_FOLDER/nextcloud' + rm -rf '$SRC_FOLDER/wordpress' + EOF + ;; + restart-api) + up + wait_for_moodle + docker restart isard-sso-api + ;; + saml) + up + wait_for_moodle + 
setup_keycloak + saml_certificates + ;; + securize) + securize + ;; + setconf) + setconf "$2" "$3" + ;; + up) + up + ;; + upgrade-plugins) + up + wait_for_moodle + upgrade_plugins_moodle + upgrade_plugins_nextcloud + upgrade_plugins_wp + ;; + yml) + cp digitaldemocratic.conf .env + CUSTOM_PATH=$(pwd) + . ./.env + build_compose + ;; + *) + printf "Unknown command '%s'\n\n" "$OPERATION" >&2 + help >&2 + exit 1 + ;; +esac diff --git a/securize_conf.sh b/securize_conf.sh index 002de78..9d7303c 100755 --- a/securize_conf.sh +++ b/securize_conf.sh @@ -1,50 +1,10 @@ -#!/bin/sh -apt install dictionaries-common wamerican -y +#!/bin/sh -eu -PWD=$(shuf -n3 /usr/share/dict/words | tr -d "\n" | tr -d "'") -sed -i "/^SMTP_PASSWORD=/c\SMTP_PASSWORD=$PWD" digitaldemocratic.conf +cd "$(dirname "$0")" +./dd-ctl securize -PWD=$(shuf -n3 /usr/share/dict/words | tr -d "\n" | tr -d "'") -sed -i "/^ADMINAPP_PASSWORD=/c\ADMINAPP_PASSWORD=$PWD" digitaldemocratic.conf +cat >&2 <&2 <
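Review bot: In `setconf`, `dd_val` is placed unescaped into the replacement side of `sed -E "s!...!${dd_line}!"`, so a value containing `!`, `&` or a backslash is interpreted by sed instead of being stored literally. Escape it first, e.g. `dd_esc="$(printf '%s' "${dd_val}" | sed 's/[\\&!]/\\&/g')"`, and use the escaped form only in the two sed branches. The line is written as `VAR="value"` into a file that dd-ctl later copies to `.env` and sources, so a `$`, backtick or `"` in the value is expanded or breaks the assignment at load time; rejecting or quoting those characters would avoid that, subject to how the other consumers of `.env` parse it. `dd_var` is also used as a regex without validation, and a guard such as `case "${dd_var}" in *[!A-Z0-9_]*) return 1;; esac` would restrict it to plain variable names. Separately, `genpwd` uses shuf's default generator, and `shuf --random-source=/dev/urandom -n3 /usr/share/dict/words` makes the entropy source for these passwords explicit.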