diff --git a/CHANGELOG.md b/CHANGELOG.md
index 15dc6d4..d101c8f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -35,6 +35,7 @@ SSH_KEY
 * [#378] Script Backup BDD Vaultwarden
 * [#381] Variabiliser tous les scripts
 * [#384] Fix Correctif
+* [#391] Script Déploiement de Scripts
 ### Changed
 
 ### Fixed
diff --git a/Deployment/Deployment.sh b/Deployment/Deployment.sh
new file mode 100644
index 0000000..c4485c6
--- /dev/null
+++ b/Deployment/Deployment.sh
@@ -0,0 +1,964 @@
+#!/usr/bin/env bash
+set -Eeuo pipefail
+
+###############################################################################
+# bootstrap-backup-env.sh
+#
+# Prépare un environnement de déploiement pour :
+#   - backup-vaultwarden.sh
+#   - check-storage.sh
+#   - check-statut-recette.sh
+#   - backup-bdd-recette.sh
+#   - rebuild-bdd-recette.sh
+#
+# Fonctionnalités :
+#   - idempotent : relançable sans erreur ;
+#   - installation / mise à jour des dépendances ;
+#   - création des dossiers ;
+#   - permissions ;
+#   - génération des clés SSH si absentes ;
+#   - récupération depuis un dépôt Git privé volumineux via sparse-checkout ;
+#   - mise à jour du .env ;
+#   - injection des valeurs sensibles dans le .env si fournies ;
+#   - ajout automatique de la clé publique backup sur le serveur distant
+#     si un accès SSH bootstrap est disponible ;
+#   - questions interactives si lancé en local et que des variables obligatoires
+#     sont absentes ;
+#   - génération d'un fichier scripts.json pour un futur affichage web ;
+#   - exécutable en local ou envoyé via SSH sur un serveur distant.
+###############################################################################
+
+#######################################
+# Valeurs par défaut
+#######################################
+REPO_URL=""
+REPO_BRANCH="main"
+REPO_SUBDIR=""
+INSTALL_DIR="/opt/malio-backup"
+DEPLOY_USER="${SUDO_USER:-${USER}}"
+DEPLOY_GROUP=""
+ENV_FILE_NAME=".env"
+
+GIT_DIR_NAME="repo"
+SCRIPTS_DIR_NAME="scripts"
+CONFIG_DIR_NAME="config"
+LOG_DIR_NAME="logs"
+DATA_DIR_NAME="data"
+TMP_DIR_NAME="tmp"
+SSH_DIR_NAME="ssh"
+
+BACKUP_SSH_KEY_NAME="id_ed25519_backup"
+REPO_SSH_KEY_NAME="id_ed25519_repo"
+
+FORCE_CHOWN="false"
+NON_INTERACTIVE="false"
+
+# Paramètres fonctionnels
+ENV_NAME="RECETTE"
+PGHOST="localhost"
+PGPORT="5432"
+PGUSER_VALUE=""
+PGPASSWORD_VALUE=""
+DBS_VALUE="sirh inventory ferme"
+
+BACKUP_REMOTE_USER="backup"
+BACKUP_REMOTE_HOST=""
+BACKUP_REMOTE_DIR="/home/backup/backups/bdd-recette"
+SSH_CONNECT_TIMEOUT="10"
+RETENTION_DAYS="10"
+
+DISCORD_WEBHOOK_URL_VALUE=""
+DISCORD_PING_VALUE=""
+WEBHOOK_URL_VALUE=""
+VAULTWARDEN_DATA_DIR_VALUE="/var/lib/vaultwarden"
+CHECK_STORAGE_PATHS_VALUE="/ /var /home"
+
+APP_1_NAME_VALUE="ferme"
+APP_1_URL_VALUE="https://ferme.malio-dev.fr"
+APP_2_NAME_VALUE="sirh"
+APP_2_URL_VALUE="https://sirh.malio-dev.fr"
+APP_3_NAME_VALUE="inventory"
+APP_3_URL_VALUE="https://inventory.malio-dev.fr"
+
+# Bootstrap SSH vers le serveur de destination
+BOOTSTRAP_SSH_USER=""
+BOOTSTRAP_SSH_PORT="22"
+BOOTSTRAP_SSH_KEY=""
+BOOTSTRAP_SSH_STRICT="accept-new"
+INSTALL_BACKUP_KEY_ON_REMOTE="true"
+
+#######################################
+# Scripts attendus
+#######################################
+EXPECTED_SCRIPTS=(
+  "backup-vaultwarden.sh"
+  "check-storage.sh"
+  "check-statut-recette.sh"
+  "backup-bdd-recette.sh"
+  "rebuild-bdd-recette.sh"
+)
+
+#######################################
+# Journalisation
+#######################################
+timestamp() {
+  date '+%Y-%m-%d %H:%M:%S'
+}
+
+log() {
+  echo "[$(timestamp)] [INFO] $*"
+}
+
+warn() {
+  echo "[$(timestamp)] [WARN] $*" >&2
+}
+
+err() {
+  echo "[$(timestamp)] [ERROR] $*" >&2
+}
+
+die() {
+  err "$*"
+  exit 1
+}
+
+#######################################
+# Gestion erreurs
+#######################################
+on_error() {
+  local exit_code=$?
+  err "Échec ligne ${BASH_LINENO[0]} : ${BASH_COMMAND}"
+  exit "$exit_code"
+}
+trap on_error ERR
+
+#######################################
+# Aide
+#######################################
+usage() {
+  cat <<'EOF'
+Usage:
+  bootstrap-backup-env.sh [options]
+
+Options dépôt :
+  --repo-url URL
+  --repo-branch BRANCH
+  --repo-subdir PATH
+
+Options installation :
+  --install-dir PATH
+  --deploy-user USER
+  --deploy-group GROUP
+  --env-file-name NAME
+  --force-chown true|false
+  --non-interactive true|false
+
+Options configuration applicative :
+  --env-name NAME
+  --pghost HOST
+  --pgport PORT
+  --pguser USER
+  --pgpassword PASSWORD
+  --dbs "sirh inventory ferme"
+  --backup-remote-user USER
+  --backup-remote-host HOST
+  --backup-remote-dir PATH
+  --ssh-connect-timeout SECONDS
+  --retention-days DAYS
+  --discord-webhook-url URL
+  --discord-ping VALUE
+  --webhook-url URL
+  --vaultwarden-data-dir PATH
+  --check-storage-paths "/ /var /home"
+  --app-1-name NAME
+  --app-1-url URL
+  --app-2-name NAME
+  --app-2-url URL
+  --app-3-name NAME
+  --app-3-url URL
+
+Options bootstrap SSH distant :
+  --bootstrap-ssh-user USER
+  --bootstrap-ssh-port PORT
+  --bootstrap-ssh-key PATH
+  --bootstrap-ssh-strict accept-new|yes|no
+  --install-backup-key-on-remote true|false
+
+Divers :
+  --help
+
+Notes :
+  - si le script est lancé localement en mode interactif, il posera les
+    questions nécessaires pour compléter les champs obligatoires ;
+  - la clé publique backup peut être installée automatiquement sur le serveur
+    distant uniquement si un accès SSH bootstrap existe déjà ;
+  - le .env peut être rempli automatiquement si les valeurs sont passées en
+    arguments ou via variables d'environnement avant exécution.
+EOF
+}
+
+#######################################
+# Parsing arguments
+#######################################
+while [[ $# -gt 0 ]]; do
+  case "$1" in
+    --repo-url) REPO_URL="${2:-}"; shift 2 ;;
+    --repo-branch) REPO_BRANCH="${2:-}"; shift 2 ;;
+    --repo-subdir) REPO_SUBDIR="${2:-}"; shift 2 ;;
+    --install-dir) INSTALL_DIR="${2:-}"; shift 2 ;;
+    --deploy-user) DEPLOY_USER="${2:-}"; shift 2 ;;
+    --deploy-group) DEPLOY_GROUP="${2:-}"; shift 2 ;;
+    --env-file-name) ENV_FILE_NAME="${2:-}"; shift 2 ;;
+    --force-chown) FORCE_CHOWN="${2:-}"; shift 2 ;;
+    --non-interactive) NON_INTERACTIVE="${2:-}"; shift 2 ;;
+
+    --env-name) ENV_NAME="${2:-}"; shift 2 ;;
+    --pghost) PGHOST="${2:-}"; shift 2 ;;
+    --pgport) PGPORT="${2:-}"; shift 2 ;;
+    --pguser) PGUSER_VALUE="${2:-}"; shift 2 ;;
+    --pgpassword) PGPASSWORD_VALUE="${2:-}"; shift 2 ;;
+    --dbs) DBS_VALUE="${2:-}"; shift 2 ;;
+    --backup-remote-user) BACKUP_REMOTE_USER="${2:-}"; shift 2 ;;
+    --backup-remote-host) BACKUP_REMOTE_HOST="${2:-}"; shift 2 ;;
+    --backup-remote-dir) BACKUP_REMOTE_DIR="${2:-}"; shift 2 ;;
+    --ssh-connect-timeout) SSH_CONNECT_TIMEOUT="${2:-}"; shift 2 ;;
+    --retention-days) RETENTION_DAYS="${2:-}"; shift 2 ;;
+    --discord-webhook-url) DISCORD_WEBHOOK_URL_VALUE="${2:-}"; shift 2 ;;
+    --discord-ping) DISCORD_PING_VALUE="${2:-}"; shift 2 ;;
+    --webhook-url) WEBHOOK_URL_VALUE="${2:-}"; shift 2 ;;
+    --vaultwarden-data-dir) VAULTWARDEN_DATA_DIR_VALUE="${2:-}"; shift 2 ;;
+    --check-storage-paths) CHECK_STORAGE_PATHS_VALUE="${2:-}"; shift 2 ;;
+    --app-1-name) APP_1_NAME_VALUE="${2:-}"; shift 2 ;;
+    --app-1-url) APP_1_URL_VALUE="${2:-}"; shift 2 ;;
+    --app-2-name) APP_2_NAME_VALUE="${2:-}"; shift 2 ;;
+    --app-2-url) APP_2_URL_VALUE="${2:-}"; shift 2 ;;
+    --app-3-name) APP_3_NAME_VALUE="${2:-}"; shift 2 ;;
+    --app-3-url) APP_3_URL_VALUE="${2:-}"; shift 2 ;;
+
+    --bootstrap-ssh-user) BOOTSTRAP_SSH_USER="${2:-}"; shift 2 ;;
+    --bootstrap-ssh-port) BOOTSTRAP_SSH_PORT="${2:-}"; shift 2 ;;
+    --bootstrap-ssh-key) BOOTSTRAP_SSH_KEY="${2:-}"; shift 2 ;;
+    --bootstrap-ssh-strict) BOOTSTRAP_SSH_STRICT="${2:-}"; shift 2 ;;
+    --install-backup-key-on-remote) INSTALL_BACKUP_KEY_ON_REMOTE="${2:-}"; shift 2 ;;
+
+    --help|-h) usage; exit 0 ;;
+    *) die "Option inconnue : $1" ;;
+  esac
+done
+
+#######################################
+# Surcharge par variables d'environnement
+#######################################
+PGPASSWORD_VALUE="${PGPASSWORD_VALUE:-${PGPASSWORD:-}}"
+DISCORD_WEBHOOK_URL_VALUE="${DISCORD_WEBHOOK_URL_VALUE:-${DISCORD_WEBHOOK_URL:-}}"
+DISCORD_PING_VALUE="${DISCORD_PING_VALUE:-${DISCORD_PING:-}}"
+WEBHOOK_URL_VALUE="${WEBHOOK_URL_VALUE:-${WEBHOOK_URL:-}}"
+
+#######################################
+# Détection mode interactif local
+#######################################
+is_interactive() {
+  [[ -t 0 && -t 1 && "${NON_INTERACTIVE}" != "true" ]]
+}
+
+#######################################
+# Questions interactives
+#######################################
+prompt_value() {
+  local var_name="$1"
+  local prompt_label="$2"
+  local default_value="${3:-}"
+  local secret="${4:-false}"
+  local required="${5:-false}"
+
+  local current_value
+  current_value="${!var_name:-}"
+
+  if [[ -n "$current_value" ]]; then
+    return 0
+  fi
+
+  if ! is_interactive; then
+    if [[ "$required" == "true" ]]; then
+      die "Valeur obligatoire manquante : ${var_name}. Fournissez-la en argument ou variable d'environnement."
+    fi
+    return 0
+  fi
+
+  local input=""
+  while true; do
+    if [[ "$secret" == "true" ]]; then
+      if [[ -n "$default_value" ]]; then
+        read -r -s -p "${prompt_label} [valeur masquée, Entrée pour conserver la valeur par défaut] : " input
+      else
+        read -r -s -p "${prompt_label} : " input
+      fi
+      echo
+    else
+      if [[ -n "$default_value" ]]; then
+        read -r -p "${prompt_label} [${default_value}] : " input
+      else
+        read -r -p "${prompt_label} : " input
+      fi
+    fi
+
+    if [[ -z "$input" && -n "$default_value" ]]; then
+      input="$default_value"
+    fi
+
+    if [[ "$required" == "true" && -z "$input" ]]; then
+      warn "Cette valeur est obligatoire."
+      continue
+    fi
+
+    printf -v "$var_name" '%s' "$input"
+    break
+  done
+}
+
+ask_required_local_configuration() {
+  if ! is_interactive; then
+    return 0
+  fi
+
+  log "Mode interactif local détecté : collecte des données obligatoires."
+
+  prompt_value REPO_URL "URL SSH du dépôt Git privé" "$REPO_URL" false true
+  prompt_value REPO_BRANCH "Branche Git" "$REPO_BRANCH" false true
+  prompt_value REPO_SUBDIR "Sous-dossier du dépôt contenant les scripts" "$REPO_SUBDIR" false true
+  prompt_value INSTALL_DIR "Répertoire d'installation" "$INSTALL_DIR" false true
+  prompt_value DEPLOY_USER "Utilisateur propriétaire du déploiement" "$DEPLOY_USER" false true
+
+  if [[ -z "$DEPLOY_GROUP" ]]; then
+    local deploy_group_default=""
+    if id "$DEPLOY_USER" >/dev/null 2>&1; then
+      deploy_group_default="$(id -gn "$DEPLOY_USER")"
+    fi
+    prompt_value DEPLOY_GROUP "Groupe propriétaire" "$deploy_group_default" false true
+  fi
+
+  prompt_value ENV_NAME "Nom de l'environnement" "$ENV_NAME" false true
+  prompt_value PGHOST "Host PostgreSQL" "$PGHOST" false true
+  prompt_value PGPORT "Port PostgreSQL" "$PGPORT" false true
+
+  if [[ -z "$PGUSER_VALUE" ]]; then
+    prompt_value PGUSER_VALUE "Utilisateur PostgreSQL" "$DEPLOY_USER" false true
+  fi
+
+  prompt_value PGPASSWORD_VALUE "Mot de passe PostgreSQL (PGPASSWORD)" "" true true
+  prompt_value DBS_VALUE "Bases PostgreSQL à gérer (séparées par des espaces)" "$DBS_VALUE" false true
+
+  prompt_value BACKUP_REMOTE_USER "Utilisateur du serveur de sauvegarde" "$BACKUP_REMOTE_USER" false true
+  prompt_value BACKUP_REMOTE_HOST "Host/IP du serveur de sauvegarde" "$BACKUP_REMOTE_HOST" false true
+  prompt_value BACKUP_REMOTE_DIR "Répertoire distant de sauvegarde" "$BACKUP_REMOTE_DIR" false true
+
+  prompt_value SSH_CONNECT_TIMEOUT "Timeout SSH en secondes" "$SSH_CONNECT_TIMEOUT" false true
+  prompt_value RETENTION_DAYS "Rétention en jours" "$RETENTION_DAYS" false true
+
+  prompt_value VAULTWARDEN_DATA_DIR_VALUE "Répertoire des données Vaultwarden" "$VAULTWARDEN_DATA_DIR_VALUE" false true
+  prompt_value CHECK_STORAGE_PATHS_VALUE "Chemins à surveiller pour le stockage" "$CHECK_STORAGE_PATHS_VALUE" false true
+
+  prompt_value APP_1_NAME_VALUE "Nom application 1" "$APP_1_NAME_VALUE" false true
+  prompt_value APP_1_URL_VALUE "URL application 1" "$APP_1_URL_VALUE" false true
+  prompt_value APP_2_NAME_VALUE "Nom application 2" "$APP_2_NAME_VALUE" false true
+  prompt_value APP_2_URL_VALUE "URL application 2" "$APP_2_URL_VALUE" false true
+  prompt_value APP_3_NAME_VALUE "Nom application 3" "$APP_3_NAME_VALUE" false true
+  prompt_value APP_3_URL_VALUE "URL application 3" "$APP_3_URL_VALUE" false true
+
+  prompt_value DISCORD_WEBHOOK_URL_VALUE "Discord webhook URL (optionnel)" "$DISCORD_WEBHOOK_URL_VALUE" true false
+  prompt_value DISCORD_PING_VALUE "Discord ping (optionnel)" "$DISCORD_PING_VALUE" false false
+  prompt_value WEBHOOK_URL_VALUE "Webhook URL générique (optionnel)" "$WEBHOOK_URL_VALUE" true false
+
+  if [[ "$INSTALL_BACKUP_KEY_ON_REMOTE" == "true" ]]; then
+    prompt_value BOOTSTRAP_SSH_USER "Utilisateur SSH bootstrap pour installer la clé distante" "${BOOTSTRAP_SSH_USER:-$BACKUP_REMOTE_USER}" false true
+    prompt_value BOOTSTRAP_SSH_PORT "Port SSH bootstrap" "$BOOTSTRAP_SSH_PORT" false true
+    prompt_value BOOTSTRAP_SSH_KEY "Chemin de la clé SSH bootstrap (optionnel si agent SSH ou accès existant)" "$BOOTSTRAP_SSH_KEY" false false
+  fi
+}
+
+#######################################
+# Vérifications initiales
+#######################################
+validate_required_values() {
+  [[ -n "$REPO_URL" ]] || die "L'option --repo-url est obligatoire."
+  [[ -n "$REPO_SUBDIR" ]] || die "L'option --repo-subdir est obligatoire."
+  [[ -n "$BACKUP_REMOTE_HOST" ]] || die "L'option --backup-remote-host est obligatoire."
+  [[ -n "$DEPLOY_USER" ]] || die "L'utilisateur de déploiement est obligatoire."
+
+  if ! id "$DEPLOY_USER" >/dev/null 2>&1; then
+    die "Utilisateur inexistant : $DEPLOY_USER"
+  fi
+
+  if [[ -z "$DEPLOY_GROUP" ]]; then
+    DEPLOY_GROUP="$(id -gn "$DEPLOY_USER")"
+  fi
+
+  if [[ -z "$PGUSER_VALUE" ]]; then
+    PGUSER_VALUE="$DEPLOY_USER"
+  fi
+}
+
+#######################################
+# Chemins calculés
+#######################################
+compute_paths() {
+  BASE_DIR="$INSTALL_DIR"
+  REPO_DIR="$BASE_DIR/$GIT_DIR_NAME"
+  APP_SCRIPTS_DIR="$BASE_DIR/$SCRIPTS_DIR_NAME"
+  CONFIG_DIR="$BASE_DIR/$CONFIG_DIR_NAME"
+  LOG_DIR="$BASE_DIR/$LOG_DIR_NAME"
+  DATA_DIR="$BASE_DIR/$DATA_DIR_NAME"
+  TMP_DIR="$BASE_DIR/$TMP_DIR_NAME"
+  APP_SSH_DIR="$BASE_DIR/$SSH_DIR_NAME"
+  ENV_FILE="$BASE_DIR/$ENV_FILE_NAME"
+  SCRIPTS_JSON="$CONFIG_DIR/scripts.json"
+
+  BACKUP_SSH_KEY="$APP_SSH_DIR/$BACKUP_SSH_KEY_NAME"
+  REPO_SSH_KEY="$APP_SSH_DIR/$REPO_SSH_KEY_NAME"
+}
+
+#######################################
+# Wrapper sudo
+#######################################
+run_root() {
+  if [[ "$(id -u)" -eq 0 ]]; then
+    "$@"
+  else
+    sudo "$@"
+  fi
+}
+
+run_as_deploy_user() {
+  if [[ "$(id -un)" == "$DEPLOY_USER" ]]; then
+    "$@"
+  else
+    run_root sudo -u "$DEPLOY_USER" -H "$@"
+  fi
+}
+
+#######################################
+# Détection package manager
+#######################################
+detect_pkg_manager() {
+  if command -v apt-get >/dev/null 2>&1; then
+    echo "apt"
+  elif command -v dnf >/dev/null 2>&1; then
+    echo "dnf"
+  elif command -v yum >/dev/null 2>&1; then
+    echo "yum"
+  elif command -v apk >/dev/null 2>&1; then
+    echo "apk"
+  elif command -v pacman >/dev/null 2>&1; then
+    echo "pacman"
+  else
+    echo ""
+  fi
+}
+
+install_packages() {
+  local packages=("$@")
+  [[ ${#packages[@]} -gt 0 ]] || return 0
+
+  case "$PKG_MANAGER" in
+    apt)
+      run_root apt-get update -y
+      run_root apt-get install -y "${packages[@]}"
+      ;;
+    dnf)
+      run_root dnf install -y "${packages[@]}"
+      ;;
+    yum)
+      run_root yum install -y "${packages[@]}"
+      ;;
+    apk)
+      run_root apk add --no-cache "${packages[@]}"
+      ;;
+    pacman)
+      run_root pacman -Sy --noconfirm "${packages[@]}"
+      ;;
+    *)
+      die "Package manager non géré : $PKG_MANAGER"
+      ;;
+  esac
+}
+
+ensure_cmd() {
+  local cmd="$1"
+  shift
+  local packages=("$@")
+
+  if command -v "$cmd" >/dev/null 2>&1; then
+    log "Dépendance OK : $cmd"
+  else
+    warn "Dépendance absente : $cmd"
+    install_packages "${packages[@]}"
+  fi
+}
+
+install_dependencies() {
+  case "$PKG_MANAGER" in
+    apt)
+      ensure_cmd git git
+      ensure_cmd ssh openssh-client
+      ensure_cmd ssh-keygen openssh-client
+      ensure_cmd rsync rsync
+      ensure_cmd curl curl
+      ensure_cmd jq jq
+      ensure_cmd psql postgresql-client
+      install_packages ca-certificates
+      ;;
+    dnf|yum)
+      ensure_cmd git git
+      ensure_cmd ssh openssh-clients
+      ensure_cmd ssh-keygen openssh-clients
+      ensure_cmd rsync rsync
+      ensure_cmd curl curl
+      ensure_cmd jq jq
+      ensure_cmd psql postgresql
+      install_packages ca-certificates
+      ;;
+    apk)
+      ensure_cmd git git
+      ensure_cmd ssh openssh-client
+      ensure_cmd ssh-keygen openssh-keygen
+      ensure_cmd rsync rsync
+      ensure_cmd curl curl
+      ensure_cmd jq jq
+      ensure_cmd psql postgresql-client
+      install_packages ca-certificates
+      ;;
+    pacman)
+      ensure_cmd git git
+      ensure_cmd ssh openssh
+      ensure_cmd ssh-keygen openssh
+      ensure_cmd rsync rsync
+      ensure_cmd curl curl
+      ensure_cmd jq jq
+      ensure_cmd psql postgresql-libs
+      install_packages ca-certificates
+      ;;
+  esac
+}
+
+#######################################
+# Création dossiers
+#######################################
+ensure_dir() {
+  local dir="$1"
+  local mode="$2"
+
+  run_root mkdir -p "$dir"
+  run_root chmod "$mode" "$dir"
+}
+
+prepare_directories() {
+  ensure_dir "$BASE_DIR" 0755
+  ensure_dir "$REPO_DIR" 0755
+  ensure_dir "$APP_SCRIPTS_DIR" 0750
+  ensure_dir "$CONFIG_DIR" 0750
+  ensure_dir "$LOG_DIR" 0750
+  ensure_dir "$DATA_DIR" 0750
+  ensure_dir "$TMP_DIR" 0750
+  ensure_dir "$APP_SSH_DIR" 0700
+}
+
+#######################################
+# Permissions
+#######################################
+apply_ownership() {
+  if [[ "$FORCE_CHOWN" == "true" ]]; then
+    run_root chown -R "${DEPLOY_USER}:${DEPLOY_GROUP}" "$BASE_DIR"
+  else
+    run_root chown "${DEPLOY_USER}:${DEPLOY_GROUP}" \
+      "$BASE_DIR" "$REPO_DIR" "$APP_SCRIPTS_DIR" "$CONFIG_DIR" \
+      "$LOG_DIR" "$DATA_DIR" "$TMP_DIR" "$APP_SSH_DIR"
+  fi
+}
+
+#######################################
+# SSH
+#######################################
+ensure_ssh_keypair() {
+  local private_key="$1"
+  local comment="$2"
+
+  if [[ -f "$private_key" && -f "${private_key}.pub" ]]; then
+    log "Clé SSH déjà présente : $private_key"
+    run_root chmod 600 "$private_key"
+    run_root chmod 644 "${private_key}.pub"
+    run_root chown "${DEPLOY_USER}:${DEPLOY_GROUP}" "$private_key" "${private_key}.pub"
+    return 0
+  fi
+
+  log "Génération de la clé SSH : $private_key"
+  run_root ssh-keygen -t ed25519 -N "" -C "$comment" -f "$private_key" >/dev/null
+  run_root chmod 600 "$private_key"
+  run_root chmod 644 "${private_key}.pub"
+  run_root chown "${DEPLOY_USER}:${DEPLOY_GROUP}" "$private_key" "${private_key}.pub"
+}
+
+build_bootstrap_ssh_cmd() {
+  local target="$1"
+  local -a cmd=(ssh -p "$BOOTSTRAP_SSH_PORT" -o "StrictHostKeyChecking=$BOOTSTRAP_SSH_STRICT")
+
+  if [[ -n "$BOOTSTRAP_SSH_KEY" ]]; then
+    cmd+=(-i "$BOOTSTRAP_SSH_KEY" -o IdentitiesOnly=yes)
+  fi
+
+  cmd+=("$target")
+  printf '%q ' "${cmd[@]}"
+}
+
+install_backup_key_on_remote() {
+  [[ "$INSTALL_BACKUP_KEY_ON_REMOTE" == "true" ]] || {
+    log "Installation de la clé backup sur le serveur distant désactivée."
+    return 0
+  }
+
+  [[ -n "$BACKUP_REMOTE_HOST" ]] || {
+    warn "BACKUP_REMOTE_HOST vide, installation de la clé distante ignorée."
+    return 0
+  }
+
+  local bootstrap_user="${BOOTSTRAP_SSH_USER:-$BACKUP_REMOTE_USER}"
+  local remote_target="${bootstrap_user}@${BACKUP_REMOTE_HOST}"
+  local remote_auth_user="$BACKUP_REMOTE_USER"
+  local pubkey
+
+  pubkey="$(run_root cat "${BACKUP_SSH_KEY}.pub")"
+
+  log "Tentative d'installation de la clé publique backup sur ${remote_auth_user}@${BACKUP_REMOTE_HOST}"
+
+  local ssh_cmd
+  ssh_cmd="$(build_bootstrap_ssh_cmd "$remote_target")"
+
+  if ! eval "$ssh_cmd" "true" >/dev/null 2>&1; then
+    warn "Accès SSH bootstrap indisponible vers ${remote_target}. Clé backup non installée automatiquement."
+    return 0
+  fi
+
+  local escaped_pubkey
+  escaped_pubkey="$(printf '%q' "$pubkey")"
+
+  eval "$ssh_cmd" "sudo -u '$remote_auth_user' sh -c '
+    set -eu
+    umask 077
+    mkdir -p ~/.ssh
+    touch ~/.ssh/authorized_keys
+    chmod 700 ~/.ssh
+    chmod 600 ~/.ssh/authorized_keys
+    grep -qxF $escaped_pubkey ~/.ssh/authorized_keys || printf \"%s\n\" $escaped_pubkey >> ~/.ssh/authorized_keys
+  '" >/dev/null
+
+  log "Clé publique backup installée / vérifiée sur ${remote_auth_user}@${BACKUP_REMOTE_HOST}"
+}
+
+#######################################
+# .env
+#######################################
+ensure_env_file() {
+  if [[ ! -f "$ENV_FILE" ]]; then
+    log "Création du fichier : $ENV_FILE"
+    run_root touch "$ENV_FILE"
+  fi
+
+  run_root chmod 0640 "$ENV_FILE"
+  run_root chown "${DEPLOY_USER}:${DEPLOY_GROUP}" "$ENV_FILE"
+}
+
+set_env_value() {
+  local key="$1"
+  local value="$2"
+  local escaped
+
+  escaped="$(printf '%s' "$value" | sed 's/[\/&]/\\&/g')"
+
+  if run_root grep -qE "^${key}=" "$ENV_FILE"; then
+    run_root sed -i "s/^${key}=.*/${key}=${escaped}/" "$ENV_FILE"
+  else
+    printf '%s=%s\n' "$key" "$value" | run_root tee -a "$ENV_FILE" >/dev/null
+  fi
+}
+
+update_env_defaults() {
+  set_env_value "ENV_NAME" "$ENV_NAME"
+
+  set_env_value "BASE_DIR" "$BASE_DIR"
+  set_env_value "SCRIPTS_DIR" "$APP_SCRIPTS_DIR"
+  set_env_value "CONFIG_DIR" "$CONFIG_DIR"
+  set_env_value "LOG_DIR" "$LOG_DIR"
+  set_env_value "DATA_DIR" "$DATA_DIR"
+  set_env_value "TMP_DIR" "$TMP_DIR"
+
+  set_env_value "SSH_DIR" "$APP_SSH_DIR"
+  set_env_value "SSH_KEY" "$BACKUP_SSH_KEY"
+  set_env_value "REPO_SSH_KEY" "$REPO_SSH_KEY"
+
+  set_env_value "PGHOST" "$PGHOST"
+  set_env_value "PGPORT" "$PGPORT"
+  set_env_value "PGUSER" "$PGUSER_VALUE"
+  set_env_value "PGPASSWORD" "${PGPASSWORD_VALUE:-change_me}"
+  set_env_value "DBS" "\"$DBS_VALUE\""
+
+  set_env_value "BACKUP_REMOTE_USER" "$BACKUP_REMOTE_USER"
+  set_env_value "BACKUP_REMOTE_HOST" "$BACKUP_REMOTE_HOST"
+  set_env_value "BACKUP_REMOTE_DIR" "$BACKUP_REMOTE_DIR"
+
+  set_env_value "SSH_CONNECT_TIMEOUT" "$SSH_CONNECT_TIMEOUT"
+  set_env_value "RETENTION_DAYS" "$RETENTION_DAYS"
+
+  set_env_value "DISCORD_WEBHOOK_URL" "$DISCORD_WEBHOOK_URL_VALUE"
+  set_env_value "DISCORD_PING" "$DISCORD_PING_VALUE"
+  set_env_value "WEBHOOK_URL" "$WEBHOOK_URL_VALUE"
+
+  set_env_value "VAULTWARDEN_DATA_DIR" "$VAULTWARDEN_DATA_DIR_VALUE"
+  set_env_value "CHECK_STORAGE_PATHS" "\"$CHECK_STORAGE_PATHS_VALUE\""
+
+  set_env_value "APP_1_NAME" "$APP_1_NAME_VALUE"
+  set_env_value "APP_1_URL" "$APP_1_URL_VALUE"
+  set_env_value "APP_2_NAME" "$APP_2_NAME_VALUE"
+  set_env_value "APP_2_URL" "$APP_2_URL_VALUE"
+  set_env_value "APP_3_NAME" "$APP_3_NAME_VALUE"
+  set_env_value "APP_3_URL" "$APP_3_URL_VALUE"
+}
+
+#######################################
+# Git privé + sparse checkout
+#######################################
+write_git_ssh_wrapper() {
+  local wrapper="$TMP_DIR/git_ssh_wrapper.sh"
+
+  cat > /tmp/.git_ssh_wrapper.$$ <<EOF
+#!/usr/bin/env bash
+exec ssh -i "$REPO_SSH_KEY" -o IdentitiesOnly=yes -o StrictHostKeyChecking=accept-new "\$@"
+EOF
+
+  run_root mv /tmp/.git_ssh_wrapper.$$ "$wrapper"
+  run_root chmod 0700 "$wrapper"
+  run_root chown "${DEPLOY_USER}:${DEPLOY_GROUP}" "$wrapper"
+
+  echo "$wrapper"
+}
+
+sync_repo() {
+  local wrapper
+  wrapper="$(write_git_ssh_wrapper)"
+
+  if [[ ! -d "$REPO_DIR/.git" ]]; then
+    log "Clone initial du dépôt"
+    run_root rm -rf "$REPO_DIR"
+    run_root mkdir -p "$REPO_DIR"
+    run_root chown "${DEPLOY_USER}:${DEPLOY_GROUP}" "$REPO_DIR"
+
+    run_as_deploy_user env GIT_SSH_COMMAND="$wrapper" \
+      git clone \
+      --filter=blob:none \
+      --no-checkout \
+      --branch "$REPO_BRANCH" \
+      "$REPO_URL" \
+      "$REPO_DIR"
+
+    run_as_deploy_user git -C "$REPO_DIR" sparse-checkout init --cone
+    run_as_deploy_user git -C "$REPO_DIR" sparse-checkout set "$REPO_SUBDIR"
+    run_as_deploy_user git -C "$REPO_DIR" checkout "$REPO_BRANCH"
+  else
+    log "Mise à jour du dépôt existant"
+    run_as_deploy_user git -C "$REPO_DIR" remote set-url origin "$REPO_URL"
+    run_as_deploy_user git -C "$REPO_DIR" sparse-checkout init --cone || true
+    run_as_deploy_user git -C "$REPO_DIR" sparse-checkout set "$REPO_SUBDIR"
+    run_as_deploy_user env GIT_SSH_COMMAND="$wrapper" \
+      git -C "$REPO_DIR" fetch origin "$REPO_BRANCH" --depth=1
+    run_as_deploy_user git -C "$REPO_DIR" checkout "$REPO_BRANCH"
+    run_as_deploy_user git -C "$REPO_DIR" reset --hard "origin/$REPO_BRANCH"
+    run_as_deploy_user git -C "$REPO_DIR" clean -fd
+  fi
+}
+
+#######################################
+# Déploiement scripts
+#######################################
+deploy_scripts() {
+  local source_dir="$REPO_DIR/$REPO_SUBDIR"
+  [[ -d "$source_dir" ]] || die "Sous-dossier introuvable : $source_dir"
+
+  local script
+  for script in "${EXPECTED_SCRIPTS[@]}"; do
+    [[ -f "$source_dir/$script" ]] || die "Script manquant dans le dépôt : $source_dir/$script"
+  done
+
+  for script in "${EXPECTED_SCRIPTS[@]}"; do
+    log "Déploiement : $script"
+    run_root install -m 0750 -o "$DEPLOY_USER" -g "$DEPLOY_GROUP" \
+      "$source_dir/$script" "$APP_SCRIPTS_DIR/$script"
+  done
+}
+
+verify_scripts() {
+  local script
+  for script in "${EXPECTED_SCRIPTS[@]}"; do
+    [[ -f "$APP_SCRIPTS_DIR/$script" ]] || die "Script absent après déploiement : $APP_SCRIPTS_DIR/$script"
+    [[ -x "$APP_SCRIPTS_DIR/$script" ]] || die "Script non exécutable : $APP_SCRIPTS_DIR/$script"
+  done
+}
+
+#######################################
+# Configuration web
+#######################################
+generate_scripts_json() {
+  local tmp_json
+  tmp_json="$(mktemp)"
+
+  cat > "$tmp_json" <<EOF
+{
+  "generated_at": "$(date -Iseconds)",
+  "base_dir": "$BASE_DIR",
+  "env_file": "$ENV_FILE",
+  "scripts": [
+    {
+      "id": "backup-vaultwarden",
+      "label": "Backup Vaultwarden",
+      "path": "$APP_SCRIPTS_DIR/backup-vaultwarden.sh",
+      "web_enabled": true,
+      "params": [
+        { "name": "env_file", "type": "string", "required": false, "default": "$ENV_FILE" },
+        { "name": "dry_run", "type": "boolean", "required": false, "default": false },
+        { "name": "json", "type": "boolean", "required": false, "default": true }
+      ]
+    },
+    {
+      "id": "check-storage",
+      "label": "Vérification stockage",
+      "path": "$APP_SCRIPTS_DIR/check-storage.sh",
+      "web_enabled": true,
+      "params": [
+        { "name": "env_file", "type": "string", "required": false, "default": "$ENV_FILE" },
+        { "name": "verbose", "type": "boolean", "required": false, "default": false },
+        { "name": "json", "type": "boolean", "required": false, "default": true }
+      ]
+    },
+    {
+      "id": "check-statut-recette",
+      "label": "Vérification statut recette",
+      "path": "$APP_SCRIPTS_DIR/check-statut-recette.sh",
+      "web_enabled": true,
+      "params": [
+        { "name": "env_file", "type": "string", "required": false, "default": "$ENV_FILE" },
+        { "name": "timeout", "type": "integer", "required": false, "default": 10 },
+        { "name": "json", "type": "boolean", "required": false, "default": true }
+      ]
+    },
+    {
+      "id": "backup-bdd-recette",
+      "label": "Backup BDD recette",
+      "path": "$APP_SCRIPTS_DIR/backup-bdd-recette.sh",
+      "web_enabled": true,
+      "params": [
+        { "name": "env_file", "type": "string", "required": false, "default": "$ENV_FILE" },
+        { "name": "db", "type": "select", "required": false, "values": ["sirh", "inventory", "ferme"] },
+        { "name": "dry_run", "type": "boolean", "required": false, "default": false },
+        { "name": "json", "type": "boolean", "required": false, "default": true }
+      ]
+    },
+    {
+      "id": "rebuild-bdd-recette",
+      "label": "Rebuild BDD recette",
+      "path": "$APP_SCRIPTS_DIR/rebuild-bdd-recette.sh",
+      "web_enabled": true,
+      "params": [
+        { "name": "env_file", "type": "string", "required": false, "default": "$ENV_FILE" },
+        { "name": "db", "type": "select", "required": true, "values": ["sirh", "inventory", "ferme"] },
+        { "name": "source", "type": "string", "required": false, "default": "latest" },
+        { "name": "force", "type": "boolean", "required": false, "default": false },
+        { "name": "json", "type": "boolean", "required": false, "default": true }
+      ]
+    }
+  ]
+}
+EOF
+
+  run_root mv "$tmp_json" "$SCRIPTS_JSON"
+  run_root chmod 0640 "$SCRIPTS_JSON"
+  run_root chown "${DEPLOY_USER}:${DEPLOY_GROUP}" "$SCRIPTS_JSON"
+}
+
+#######################################
+# Résumé
+#######################################
+print_summary() {
+  cat <<EOF
+
+========================================================================
+Bootstrap terminé
+========================================================================
+Utilisateur      : $DEPLOY_USER:$DEPLOY_GROUP
+Base             : $BASE_DIR
+Scripts          : $APP_SCRIPTS_DIR
+Config           : $CONFIG_DIR
+.env             : $ENV_FILE
+scripts.json     : $SCRIPTS_JSON
+Repo             : $REPO_DIR
+
+Clé SSH backup   : $BACKUP_SSH_KEY
+Clé SSH repo     : $REPO_SSH_KEY
+Remote backup    : ${BACKUP_REMOTE_USER}@${BACKUP_REMOTE_HOST}:${BACKUP_REMOTE_DIR}
+
+Clé publique repo :
+$(run_root cat "${REPO_SSH_KEY}.pub")
+
+Clé publique backup :
+$(run_root cat "${BACKUP_SSH_KEY}.pub")
+
+Vérifiez :
+  - la clé repo doit être ajoutée comme deploy key sur le dépôt Git privé ;
+  - la valeur PGPASSWORD dans $ENV_FILE ;
+  - les webhooks renseignés dans $ENV_FILE si nécessaires.
+========================================================================
+
+EOF
+}
+
+#######################################
+# Main
+#######################################
+main() {
+  ask_required_local_configuration
+  validate_required_values
+  compute_paths
+
+  PKG_MANAGER="$(detect_pkg_manager)"
+  [[ -n "$PKG_MANAGER" ]] || die "Gestionnaire de paquets non supporté."
+
+  log "Vérification / installation des dépendances"
+  install_dependencies
+
+  log "Création des répertoires"
+  prepare_directories
+
+  log "Préparation du .env"
+  ensure_env_file
+  update_env_defaults
+
+  log "Préparation des clés SSH"
+  ensure_ssh_keypair "$BACKUP_SSH_KEY" "${DEPLOY_USER}@backup-runtime"
+  ensure_ssh_keypair "$REPO_SSH_KEY" "${DEPLOY_USER}@repo-deploy"
+
+  log "Installation de la clé publique backup sur le serveur distant"
+  install_backup_key_on_remote
+
+  log "Synchronisation du dépôt Git privé"
+  sync_repo
+
+  log "Déploiement des scripts"
+  deploy_scripts
+  verify_scripts
+
+  log "Génération de la configuration web scripts.json"
+  generate_scripts_json
+
+  log "Application des permissions"
+  apply_ownership
+
+  print_summary
+}
+
+main "$@"
\ No newline at end of file
diff --git a/RecetteScripts/check-statut-recette.sh b/RecetteScripts/check-statut-recette.sh
index 23b1d65..4ba4908 100644
--- a/RecetteScripts/check-statut-recette.sh
+++ b/RecetteScripts/check-statut-recette.sh
@@ -126,11 +126,11 @@ send_discord_summary() {
     ping_prefix="${DISCORD_PING} "
   fi
 
-  local msg="**${ping_prefix}CHECK APP ${ENV_NAME} ${header_icon}**"
+  local msg="**${ping_prefix}CHECK APP ${ENV_NAME} ${header_icon}**"$'\n'
 
   local line
   for line in "${SUMMARY_LINES[@]}"; do
-    msg+=$'\n'"${line}"
+    msg+="${line}"$'\n'
   done
 
   local payload