diff --git a/Bundler/icecast.xml b/Bundler/icecast.xml
new file mode 100644
index 0000000..61ebdf4
--- /dev/null
+++ b/Bundler/icecast.xml
@@ -0,0 +1,5 @@
+<Bundle name="icecast">
+  <Python name="/etc/icecast2/radio.xml"/>
+  <Service name="icecast2"/>
+  <Package name="icecast2"/>
+</Bundle>
diff --git a/Bundler/nginx.xml b/Bundler/nginx.xml
index 0cee506..9f0d29d 100644
--- a/Bundler/nginx.xml
+++ b/Bundler/nginx.xml
@@ -24,5 +24,11 @@
     <Group name="roundcube">
         <Path name="/etc/nginx/sites-available/roundcube"/>
     </Group>
+    <Group name="tv">
+        <Python name="/etc/nginx/sites-available/tv"/>
+    </Group>
+    <Group name="icecast">
+        <Python name="/etc/nginx/sites-available/tv"/>
+    </Group>
 </Bundle>
 
diff --git a/Bundler/secrets.xml b/Bundler/secrets.xml
index 3931548..87efa13 100644
--- a/Bundler/secrets.xml
+++ b/Bundler/secrets.xml
@@ -15,6 +15,7 @@
      <Python name="/etc/crans/secrets/trigger-generate"/>
      <Python name="/etc/crans/secrets/trigger-generate.pub"/>
      <Python name="/etc/crans/secrets/rabbitmq_trigger_password"/>
+     <Python name="/etc/crans/secrets/icecast-token"/>
      <Python name="/etc/crans/secrets/README"/>
      <!-- Il faut penser au setfacl sur le serveur de l'intranet2 (o2) -->
      <Group name="secrets-acl">
diff --git a/Cfg/etc/auto.ldapcert/auto.ldapcert b/Cfg/etc/auto.ldapcert/auto.ldapcert
index 6f89abd..3ddd1d3 100644
--- a/Cfg/etc/auto.ldapcert/auto.ldapcert
+++ b/Cfg/etc/auto.ldapcert/auto.ldapcert
@@ -1 +1 @@
-/etc/ssl/crans -fstype=fuse,allow_other,nodev,noatime :/usr/scripts/utils/ldapcertfs.py
+/etc/ssl/crans -fstype=fuse,allow_other,nodev,noatime :/usr/scripts/utils/ldapcertfs.py\#--decrypt
diff --git a/Metadata/groups.xml b/Metadata/groups.xml
index f901270..103accf 100644
--- a/Metadata/groups.xml
+++ b/Metadata/groups.xml
@@ -342,6 +342,7 @@
     <Group name="mumudvb"/>
     <Group name="crans-wheezy"/>
     <Group name="imprimeurs"/>
+    <Group name="tv"/>
     <Group name="radio"/>
   </Group>
 
@@ -604,6 +605,13 @@
     <Bundle name="home"/>
     <Group name="nfs"/>
   </Group>
+  <Group name="radio">
+    <Group name="icecast"/>
+  </Group>
+  <Group name="icecast">
+    <Group name="nginx"/>
+    <Bundle name="icecast"/>
+  </Group>
 
   <Group name="mail">
     <!-- envoi de mail -->
diff --git a/Python/etc/crans/secrets/icecast-token b/Python/etc/crans/secrets/icecast-token
new file mode 100644
index 0000000..fb1335d
--- /dev/null
+++ b/Python/etc/crans/secrets/icecast-token
@@ -0,0 +1,4 @@
+info["perms"] = 0440
+info["owner"] = "root"
+info["group"] = "adm"
+print file("/etc/crans/secrets/icecast-token").read()
diff --git a/Python/etc/icecast2/radio.xml b/Python/etc/icecast2/radio.xml
new file mode 100644
index 0000000..b16e02f
--- /dev/null
+++ b/Python/etc/icecast2/radio.xml
@@ -0,0 +1,59 @@
+# -*- mode: python; encoding: utf-8 -*-
+info["owner"] = "root"
+info["group"] = "root"
+info["perms"] = 0644
+
+import urlparse
+import urllib
+from tv.radio.config import *
+
+print """<![CDATA[
+Fichier générer par BCfg2
+Ne pas modifier à la main
+Ne pas faire service icecast2 reload mais service icecast2 restart
+sinon le fichier n'est pas pris en compte
+(je pense que c'est un bug de la libxml utilisé par icecast)
+
+Le fichier doit être inclus dans icecast.xml en plaçant
+ <!DOCTYPE icecast [
+ <!ENTITY radio SYSTEM "radio.xml">
+ ]>
+dans l'entête de icecast.xml puis
+ &radio;
+là où l'on souhaite effectivement include le fichier
+(quelque part dans <icecast></icecast>)
+]]>"""
+auth_template = """<mount>
+        <mount-name>/%s</mount-name>
+        <authentication type="url">
+            <option name="listener_add" value="https://intranet2.crans.org/tv/auth"/>
+            <option name="listener_remove" value="https://intranet2.crans.org/tv/auth"/>
+            <option name="mount_add" value="https://intranet2.crans.org/tv/auth"/>
+            <option name="mount_remove" value="https://intranet2.crans.org/tv/auth"/>
+            <option name="auth_header" value="icecast-auth-user: 1"/>
+            <option name="timelimit_header" value="icecast-auth-timelimit:"/>
+            <option name="headers" value="x-auth,x-real-ip,x-forwarded-for"/>
+            <option name="header_prefix" value="ClientHeader."/>
+        </authentication>
+</mount>"""
+i=0
+for group in multicast.keys():
+        for (title, (name,dst,port,sources)) in multicast[group].items():
+                p=urlparse.urlparse(sources[0])
+                if ':' in p.netloc:
+                        host=p.netloc.split(':')[0]
+                        port=p.netloc.split(':')[1]
+                else:
+                        host=p.netloc
+                        port = 80
+                print """
+<relay>
+        <server>%s</server>
+        <port>%s</port>
+        <mount>%s</mount>
+        <local-mount>/%s</local-mount>
+        <relay-shoutcast-metadata>1</relay-shoutcast-metadata>
+        <on-demand>1</on-demand>
+</relay>""" % (host, port, p.path, name)
+                print auth_template % name
+
diff --git a/Python/etc/nginx/sites-available/tv b/Python/etc/nginx/sites-available/tv
new file mode 100644
index 0000000..6c04bdf
--- /dev/null
+++ b/Python/etc/nginx/sites-available/tv
@@ -0,0 +1,61 @@
+# -*- mode: python; encoding: utf-8 -*-
+
+info["owner"] = "root"
+info["group"] = "root"
+info["perms"] = 0644
+
+comment_start = "#"
+
+import gestion.secrets_new as secrets_new
+
+base = """
+        root /var/www/;
+        index index.html index.htm;
+
+        server_name tv.crans.org;
+        location /sap.txt {
+                alias /var/www/sap.txt;
+        }
+        location /images/{
+                autoindex  on;
+                try_files $uri $uri/ =404;
+        }
+        location / {
+                try_files $uri $uri/ %s;
+                rewrite ^/$ https://intranet2.crans.org/tv/;
+        }
+""" % "@404" if has("icecast") else "=404"
+
+icecast = """location @404 {
+            proxy_set_header Host $host;
+            proxy_set_header X-Auth %s;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_pass http://127.0.0.1:8000;
+        }
+""" % secrets_new.get('icecast-token')
+
+if has("icecast"):
+    body = "%s\n        %s" % (base, icecast)
+else:
+    body = base
+
+print """server {
+        listen   80; ## listen for ipv4; this line is default and implied
+        listen   [::]:80 default_server ipv6only=on; ## listen for ipv6%s
+
+}""" % body
+
+
+print """# HTTPS server
+#
+server {
+        listen 443;
+        listen   [::]:443 default_server ipv6only=on;
+
+        ssl on;
+        ssl_certificate /etc/ssl/crans/cochon.ferme.crans.org/xid=33/cert_chain.pem;
+        ssl_certificate_key /etc/ssl/crans/cochon.ferme.crans.org/xid=33/key.pem;
+
+        ssl_session_timeout 5m;%s
+}""" % body
diff --git a/Rules/icecast.xml b/Rules/icecast.xml
new file mode 100644
index 0000000..a7ebcbc
--- /dev/null
+++ b/Rules/icecast.xml
@@ -0,0 +1,5 @@
+<Rules priority="1">
+  <Group name="icecast">
+    <Service type="deb" name="icecast2" status="on"/>
+  </Group>
+</Rules>
diff --git a/Rules/secrets.xml b/Rules/secrets.xml
index 4a829f3..5305f48 100644
--- a/Rules/secrets.xml
+++ b/Rules/secrets.xml
@@ -3,7 +3,9 @@
   <Group name="secrets-acl">
    <Action name="setfacl-secrets" timing="post"
      when="modified" status="check"
-     command="setfacl -m u:www-data:rx /etc/crans/secrets; setfacl -m u:www-data:r /etc/crans/secrets/secrets.py /etc/crans/secrets/dhcp.py"/>
+     command="
+setfacl -m u:www-data:rx /etc/crans/secrets;
+setfacl -m u:www-data:r /etc/crans/secrets/secrets.py /etc/crans/secrets/dhcp.py /etc/crans/secrets/icecast-token"/>
   </Group>
   <Action name="setfacl-secrets-freerad" timing="post"
      when="modified" status="check"