diff --git a/example/init/vault-onlyoffice-docserver b/example/init/vault-database
similarity index 88%
rename from example/init/vault-onlyoffice-docserver
rename to example/init/vault-database
index 3447e14..19d0197 100755
--- a/example/init/vault-onlyoffice-docserver
+++ b/example/init/vault-database
@@ -2,7 +2,7 @@
set -euo pipefail
-vault write database/roles/onlyoffice \
+vault write /database/roles/onlyoffice \
db_name="postgres" \
creation_statements="CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}'; \
GRANT \"onlyoffice\" TO \"{{name}}\"; \
diff --git a/example/onlyoffice-docserver.nomad.hcl b/example/onlyoffice-docserver.nomad.hcl
index a2fdb60..4b71d25 100644
--- a/example/onlyoffice-docserver.nomad.hcl
+++ b/example/onlyoffice-docserver.nomad.hcl
@@ -123,8 +123,8 @@ job "onlyoffice" {
template {
data = <<_EOT
LANG=fr_FR.utf8
-OO_JWT_TOKEN={{ with secret "kv/service/onlyoffice" }}{{ .Data.data.jwt_token }}{{ end }}
-OO_STORAGE_SECRET={{ with secret "kv/service/onlyoffice" }}{{ .Data.data.storage_secret }}{{ end }}
+OO_JWT_TOKEN={{ with secret "/kv/service/onlyoffice" }}{{ .Data.data.jwt_token }}{{ end }}
+OO_STORAGE_SECRET={{ with secret "/kv/service/onlyoffice" }}{{ .Data.data.storage_secret }}{{ end }}
TZ=Europe/Paris
_EOT
destination = "secrets/.env"
@@ -139,8 +139,8 @@ _EOT
OO_DB_NAME='onlyoffice'
OO_DB_HOST=127.0.0.1
OO_DB_PORT=5432
-OO_DB_USER={{ with secret "database/creds/onlyoffice" }}{{ .Data.username }}{{ end }}
-OO_DB_PASS={{ with secret "database/creds/onlyoffice" }}{{ .Data.password }}{{ end }}
+OO_DB_USER={{ with secret "/database/creds/onlyoffice" }}{{ .Data.username }}{{ end }}
+OO_DB_PASS={{ with secret "/database/creds/onlyoffice" }}{{ .Data.password }}{{ end }}
_EOT
destination = "secrets/.db.env"
uid = 100000
diff --git a/example/prep.d/20-rand-keys.sh b/example/prep.d/20-rand-keys.sh
index 2495ef4..91035a4 100755
--- a/example/prep.d/20-rand-keys.sh
+++ b/example/prep.d/20-rand-keys.sh
@@ -2,17 +2,23 @@
set -euo pipefail
-# Initialize random passwords if needed
+# vim: syntax=sh
+
+export LC_ALL=C
+VAULT_KV_PATH=/kv/service/onlyoffice
+RAND_CMD="tr -dc A-Za-z0-9\-_\/=~\.+ < /dev/urandom | head -c 50"
+if ! vault kv list $(dirname ${VAULT_KV_PATH}) 2>/dev/null | grep -q -E "^$(basename ${VAULT_KV_PATH})\$"; then
+ vault kv put ${VAULT_KV_PATH} \
+ jwt_token="$(sh -c "${RAND_CMD}")" \
+ storage_secret="$(sh -c "${RAND_CMD}")" \
-if ! vault kv list kv/service 2>/dev/null | grep -q -E '^onlyoffice$'; then
- vault kv put kv/service/onlyoffice \
- jwt_token=$(pwgen -s -n 50 1) \
- storage_secret=$(pwgen -s -n 50 1)
fi
-
-for PWD in jwt_token storage_secret; do
- if ! vault kv get -field ${PWD} kv/service/onlyoffice >/dev/null 2>&1; then
- vault kv patch kv/service/onlyoffice \
- ${PWD}=$(pwgen -s -n 50 1)
+for SECRET in jwt_token storage_secret; do
+ if ! vault kv get -field ${SECRET} ${VAULT_KV_PATH} >/dev/null 2>&1; then
+ vault kv patch ${VAULT_KV_PATH} \
+ ${SECRET}=$(sh -c "${RAND_CMD}")
fi
done
+
+
+
diff --git a/example/vault/policies/onlyoffice.hcl b/example/vault/policies/onlyoffice.hcl
index cc7be4b..eb9e651 100644
--- a/example/vault/policies/onlyoffice.hcl
+++ b/example/vault/policies/onlyoffice.hcl
@@ -1,8 +1,8 @@
-path "kv/data/service/onlyoffice" {
+path "/kv/data/service/onlyoffice" {
capabilities = ["read"]
}
-path "database/creds/onlyoffice" {
+path "/database/creds/onlyoffice" {
capabilities = ["read"]
}
diff --git a/init/vault-database b/init/vault-database
new file mode 100755
index 0000000..54ef3ee
--- /dev/null
+++ b/init/vault-database
@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -euo pipefail
+
+[[ template "common/vault.mkpgrole.sh" merge .oo.ds . ]]
diff --git a/init/vault-onlyoffice-docserver b/init/vault-onlyoffice-docserver
deleted file mode 100755
index a44f309..0000000
--- a/init/vault-onlyoffice-docserver
+++ /dev/null
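Review bot: On the new `if ! vault kv list $(dirname ${VAULT_KV_PATH}) 2>/dev/null | grep ...` line any failure of `vault kv list` (no list capability on the metadata path, sealed or unreachable Vault) reads as "secret absent", and the `vault kv put` that follows then overwrites an existing `jwt_token`/`storage_secret`, rotating them under a running document server. Making the write create-only removes that failure mode: `vault kv put -cas=0 ${VAULT_KV_PATH} \` is refused by KV v2 when the secret already exists, so a broken check fails loudly instead of silently rotating. The trailing backslash on `storage_secret="$(sh -c "${RAND_CMD}")" \` is fragile too: the next new-side line is `fi` (at most a blank line separates them, which the hunk does not show), so the continuation either swallows `fi` as an argument of `vault kv put` and leaves the `if` unterminated, or works only by accident; drop it as the removed line had. Running `RAND_CMD` through `sh -c` instead of inline is presumably meant to keep `tr`'s SIGPIPE exit after `head -c 50` from tripping the outer `pipefail`; a comment such as `# run in a plain sh so tr's SIGPIPE (head closes the pipe) does not trip pipefail` would keep that from being simplified away.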
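Review bot: The new init/vault-database pairs `#!/bin/sh` with `set -euo pipefail`, and `-o pipefail` is not accepted by every `sh`: on a dash build without pipefail support (the option was only added in recent releases) or another minimal sh, `set` reports an illegal option and a non-interactive shell exits before the template call on the last line runs. Since the file is a single template expansion, either use `#!/usr/bin/env bash` or drop `-o pipefail` and keep `set -eu`. The deleted init/vault-onlyoffice-docserver carried the same header, so this is inherited rather than introduced here, but the new file is the place to fix it.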
@@ -1,8 +0,0 @@
-#!/bin/sh
-
-set -euo pipefail
-
-[[- template "common/vault.mkpgrole.sh"
- dict "ctx" .
- "config" (dict "role" .instance "database" "postgres")
-]]
diff --git a/prep.d/20-rand-keys.sh b/prep.d/20-rand-keys.sh
index eb6c6f7..99345f9 100755
--- a/prep.d/20-rand-keys.sh
+++ b/prep.d/20-rand-keys.sh
@@ -2,17 +2,5 @@
set -euo pipefail
-# Initialize random passwords if needed
+[[ template "common/vault.rand_secrets" merge .oo.ds . ]]
-if ! vault kv list [[ .vault.prefix ]]kv/service 2>/dev/null | grep -q -E '^[[ .instance ]]$'; then
- vault kv put [[ .vault.prefix ]]kv/service/[[ .instance ]] \
- jwt_token=$(pwgen -s -n 50 1) \
- storage_secret=$(pwgen -s -n 50 1)
-fi
-
-for PWD in jwt_token storage_secret; do
- if ! vault kv get -field ${PWD} [[ .vault.prefix ]]kv/service/[[ .instance ]] >/dev/null 2>&1; then
- vault kv patch [[ .vault.prefix ]]kv/service/[[ .instance ]] \
- ${PWD}=$(pwgen -s -n 50 1)
- fi
-done
diff --git a/variables.yml b/variables.yml
index c16c62d..b65b002 100644
--- a/variables.yml
+++ b/variables.yml
@@ -24,18 +24,19 @@ oo:
public_url: https://oods.example.org
vault:
+ # Vault policies to attach to the task
policies:
- '[[ .instance ]][[ .consul.suffix ]]'
-
- postgres:
- database: '[[ .instance ]]'
- user: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.username }}{{ end }}'
- password: '{{ with secret "[[ .vault.prefix ]]database/creds/[[ .instance ]]" }}{{ .Data.password }}{{ end }}'
+ # Random secrets to generate
+ rand_secrets:
+ fields:
+ - jwt_token
+ - storage_secret
# Additional env vars to set in the container
env:
- OO_STORAGE_SECRET: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.storage_secret }}{{ end }}'
- OO_JWT_TOKEN: '{{ with secret "[[ .vault.prefix ]]kv/service/[[ .instance ]]" }}{{ .Data.data.jwt_token }}{{ end }}'
+ OO_STORAGE_SECRET: '{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.storage_secret }}{{ end }}'
+ OO_JWT_TOKEN: '{{ with secret "[[ .vault.root ]]kv/service/[[ .instance ]]" }}{{ .Data.data.jwt_token }}{{ end }}'
# Controls how the service will be exposed with Traefik
traefik:
diff --git a/vault/policies/onlyoffice.hcl b/vault/policies/onlyoffice.hcl
index 5a74329..a411aef 100644
--- a/vault/policies/onlyoffice.hcl
+++ b/vault/policies/onlyoffice.hcl
@@ -1,8 +1,8 @@
-path "[[ .vault.prefix ]]kv/data/service/[[ .instance ]]" {
+path "[[ .vault.root ]]kv/data/service/[[ .instance ]]" {
capabilities = ["read"]
}
-path "[[ .vault.prefix ]]database/creds/[[ .instance ]]" {
+path "[[ .vault.root ]]database/creds/[[ .instance ]]" {
capabilities = ["read"]
}
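Review bot: The new `# Random secrets to generate` comment above `rand_secrets:` does not say where the generated values land, while the `env` entries a few lines down read `storage_secret` and `jwt_token` from `[[ .vault.root ]]kv/service/[[ .instance ]]`, so a reader has to guess that the two are connected. If the `common/vault.rand_secrets` template (not visible in this diff) writes the listed fields to that same KV path, say so: `# Random secrets generated at prep time into kv/service/<instance>; the env entries below read them back by field name`. It is also worth a line noting that the field names in `fields:` must match the `.Data.data.<field>` references in `env`, since a typo in either silently yields an empty variable.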