diff --git a/README.md b/README.md
index 795d8e5..81ed421 100644
--- a/README.md
+++ b/README.md
@@ -51,6 +51,25 @@ $ screen -d
 $ screen -r
 ```
 
+#### Using separate domains for Serving and Identity
+
+It is possible to use one domain for serving (like social.example.com) and another for the user identities (like @user@example.com).
+In this installation simple set the Local Domain field with the relevant domain.
+If the Identity domain is locally managed and properly entered, appropriate redirects will be set up, otherwise you will need to set them up manually.
+
+Example of setting up the required redirect in nginx:
+```
+{
+  server example.com;
+  # Other example.com settings...
+  ### This is the relevant part:
+  location ~ ^/.well-known/(host-meta|nodeinfo|webfinger)/ {
+    return 301 https://__DOMAIN__$request_uri;
+  }
+  ### Until here is the relevant part
+}
+```
+
 ### Update
 
 #### Using *screen* highly recommended
diff --git a/conf/.env.production.sample b/conf/.env.production.sample
index 21cc8e5..09be4c1 100644
--- a/conf/.env.production.sample
+++ b/conf/.env.production.sample
@@ -14,7 +14,8 @@
 # ----------
 # This identifies your server and cannot be changed safely later
 # ----------
-LOCAL_DOMAIN=__DOMAIN__
+LOCAL_DOMAIN=__LOCAL_DOMAIN__
+WEB_DOMAIN=__DOMAIN__
 
 # Redis
 # -----
diff --git a/conf/well_known.conf b/conf/well_known.conf
new file mode 100644
index 0000000..19d3350
--- /dev/null
+++ b/conf/well_known.conf
@@ -0,0 +1,3 @@
+location ~ ^/.well-known/(host-meta|nodeinfo|webfinger) {
+  return 301 https://__DOMAIN__$request_uri;
+}
diff --git a/manifest.json b/manifest.json
index 871809b..7a41a6f 100644
--- a/manifest.json
+++ b/manifest.json
@@ -6,7 +6,7 @@
         "en": "Libre and federated social network",
         "fr": "Réseau social libre et fédéré"
     },
-    "version": "4.0.2~ynh2",
+    "version": "4.0.2~ynh3",
     "url": "https://github.com/mastodon/mastodon",
     "upstream": {
         "license": "AGPL-3.0-or-later",
@@ -42,6 +42,17 @@
                 "name": "domain",
                 "type": "domain"
             },
+            {
+                "name": "local_domain",
+                "type": "string",
+                "default": "Same as the domain",
+                "ask": {
+                    "en": "Local Domain: Set a different domain for user identity"
+                },
+                "help": {
+                    "en": "You can specify another domain so users are referred to @user@domain.tld instead of @user@social.domain.tld. URL redirects will automatically be created if the domain is locally managed."
+                }
+            },
             {
                 "name": "is_public",
                 "type": "boolean",
diff --git a/scripts/backup b/scripts/backup
index 96a895d..5551c29 100644
--- a/scripts/backup
+++ b/scripts/backup
@@ -29,6 +29,7 @@ app=$YNH_APP_INSTANCE_NAME
 
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 domain=$(ynh_app_setting_get --app=$app --key=domain)
+local_domain=$(ynh_app_setting_get --app=$app --key=local_domain)
 db_name=$(ynh_app_setting_get --app=$app --key=db_name)
 
 #=================================================
@@ -47,6 +48,9 @@ ynh_backup --src_path="$final_path"
 #=================================================
 
 ynh_backup --src_path="/etc/nginx/conf.d/$domain.d/$app.conf"
+if [[ "$domain" != "$local_domain" ]] && yunohost --output-as plain domain list | grep -q "^$local_domain$"; then
+  ynh_backup --src_path="/etc/nginx/conf.d/${local_domain}.d/${app}_well_known.conf"
+fi
 
 #=================================================
 # SPECIFIC BACKUP
diff --git a/scripts/install b/scripts/install
index 6df1759..c529270 100644
--- a/scripts/install
+++ b/scripts/install
@@ -26,6 +26,7 @@ ynh_abort_if_errors
 #=================================================
 
 domain=$YNH_APP_ARG_DOMAIN
+local_domain=$YNH_APP_ARG_LOCAL_DOMAIN
 path_url="/"
 is_public=$YNH_APP_ARG_IS_PUBLIC
 language=$YNH_APP_ARG_LANGUAGE
@@ -35,6 +36,11 @@ app=$YNH_APP_INSTANCE_NAME
 
 admin_mail=$(ynh_user_get_info --username=$admin --key=mail)
 
+# Serving domain is identical to Identity domain
+if [[ "$local_domain" == "Same as the domain" ]]; then
+  local_domain=$domain
+fi
+
 #=================================================
 # CHECK IF THE APP CAN BE INSTALLED WITH THESE ARGS
 #=================================================
@@ -52,6 +58,7 @@ ynh_webpath_register --app=$app --domain=$domain --path_url=$path_url
 ynh_script_progression --message="Storing installation settings..." --weight=1
 
 ynh_app_setting_set --app=$app --key=domain --value=$domain
+ynh_app_setting_set --app=$app --key=local_domain --value=$local_domain
 ynh_app_setting_set --app=$app --key=path --value=$path_url
 ynh_app_setting_set --app=$app --key=language --value=$language
 ynh_app_setting_set --app=$app --key=admin --value=$admin
@@ -120,6 +127,11 @@ chown -R $app:www-data "$final_path"
 #=================================================
 ynh_script_progression --message="Configuring NGINX web server..." --weight=1
 
+# Create .well-known redirection for access by federation, if Identity domain is different from Serving domain
+if [[ "$domain" != "$local_domain" ]] && yunohost --output-as plain domain list | grep -q "^$local_domain$"; then
+  ynh_add_config --template="well_known.conf" --destination="/etc/nginx/conf.d/${local_domain}.d/${app}_well_known.conf"
+fi
+
 # Create a dedicated NGINX config
 ynh_add_nginx_config
 
@@ -268,6 +280,13 @@ fi
 
 ynh_permission_create --permission="api" --url="/api" --allowed="visitors" --auth_header="false" --show_tile="false" --protected="true"
 
+# Create .well-known redirection for access by federation, if Identity domain is different from Serving domain
+if [[ "$domain" != "$local_domain" ]] && yunohost --output-as plain domain list | grep -q "^$local_domain$"; then
+  ynh_permission_create --permission=well_known --url=$local_domain/.well-known/webfinger \
+                        --additional_urls $local_domain/.well-known/host-meta $local_domain/.well-known/nodeinfo \
+                        --label="Well known path redirects" --show_tile=false --allowed=visitors --auth_header=false
+fi
+
 #=================================================
 # RELOAD NGINX
 #=================================================
diff --git a/scripts/remove b/scripts/remove
index 69fc9ec..af34ec5 100644
--- a/scripts/remove
+++ b/scripts/remove
@@ -19,6 +19,7 @@ ynh_script_progression --message="Loading installation settings..." --weight=1
 app=$YNH_APP_INSTANCE_NAME
 
 domain=$(ynh_app_setting_get --app=$app --key=domain)
+local_domain=$(ynh_app_setting_get --app=$app --key=local_domain)
 db_name=$(ynh_app_setting_get --app=$app --key=db_name)
 db_user=$(ynh_app_setting_get --app=$app --key=db_user)
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
@@ -79,6 +80,9 @@ ynh_secure_remove --file="$final_path"
 #=================================================
 ynh_script_progression --message="Removing NGINX web server configuration..." --weight=1
 
+# Remove well known path redirects if installed
+ynh_secure_remove --file="/etc/nginx/conf.d/${local_domain}.d/${app}_well_known.conf"
+
 # Remove the dedicated NGINX config
 ynh_remove_nginx_config
 
diff --git a/scripts/restore b/scripts/restore
index be0e019..29a4ece 100644
--- a/scripts/restore
+++ b/scripts/restore
@@ -30,6 +30,7 @@ ynh_script_progression --message="Loading installation settings..." --weight=1
 app=$YNH_APP_INSTANCE_NAME
 
 domain=$(ynh_app_setting_get --app=$app --key=domain)
+local_domain=$(ynh_app_setting_get --app=$app --key=local_domain)
 path_url=$(ynh_app_setting_get --app=$app --key=path)
 final_path=$(ynh_app_setting_get --app=$app --key=final_path)
 db_name=$(ynh_app_setting_get --app=$app --key=db_name)
diff --git a/scripts/upgrade b/scripts/upgrade
index 9be5f2f..d0b7fda 100644
--- a/scripts/upgrade
+++ b/scripts/upgrade
@@ -19,6 +19,7 @@ ynh_script_progression --message="Loading installation settings..." --weight=1
 app=$YNH_APP_INSTANCE_NAME
 
 domain=$(ynh_app_setting_get --app=$app --key=domain)
+local_domain=$(ynh_app_setting_get --app=$app --key=local_domain)
 path_url=$(ynh_app_setting_get --app=$app --key=path)
 language=$(ynh_app_setting_get --app=$app --key=language)
 admin=$(ynh_app_setting_get --app=$app --key=admin)
@@ -149,6 +150,19 @@ if [[ -z "$redis_namespace" ]]; then
 	ynh_app_setting_set --app=$app --key=redis_namespace --value=$redis_namespace
 fi
 
+# Update settings when upgrading from a setup with no local_domain
+if [[ -z $local_domain ]]; then
+  local_domain=$domain
+  ynh_app_setting_set --app=$app --key=local_domain --value=$domain
+fi
+
+# Create .well-known redirection for access by federation, if Identity domain is different from Serving domain
+if [[ "$domain" != "$local_domain" ]] && yunohost --output-as plain domain list | grep -q "^$local_domain$" && ! ynh_permission_exists --permission="well_known"; then
+  ynh_permission_create --permission=well_known --url=$local_domain/.well-known/webfinger \
+                        --additional_urls $local_domain/.well-known/host-meta $local_domain/.well-known/nodeinfo \
+                        --label="Well known path redirects" --show_tile=false --allowed=visitors --auth_header=false
+fi
+
 #Remove previous added repository
 ynh_remove_extra_repo
 
@@ -209,6 +223,11 @@ ynh_exec_warn_less ynh_install_extra_app_dependencies --repo="deb https://dl.yar
 #=================================================
 ynh_script_progression --message="Upgrading NGINX web server configuration..." --weight=1
 
+# Create .well-known redirection for access by federation, if Identity domain is different from Serving domain
+if [[ "$domain" != "$local_domain" ]] && yunohost --output-as plain domain list | grep -q "^$local_domain$"; then
+  ynh_add_config --template="well_known.conf" --destination="/etc/nginx/conf.d/${local_domain}.d/${app}_well_known.conf"
+fi
+
 # Create a dedicated NGINX config
 ynh_add_nginx_config