diff --git a/debian/obs-api.dirs b/debian/obs-api.dirs
index b102b3368cf74d4d493a6f0e9971bd8e3ea4d689..8c4623c8f4871c17330fab1e9d1f0e563e1c3898 100644
--- a/debian/obs-api.dirs
+++ b/debian/obs-api.dirs
@@ -1,8 +1,7 @@
-/usr/share/obs
-/usr/share/obs/api
-/usr/share/obs/api/config
-/usr/share/obs/api/config/environments
-/usr/share/obs/api/config/initializers
-/usr/share/obs/api/files
-/usr/share/obs/overview
-/usr/share/obs/api/public/css
+/etc/obs/api/config
+/var/log/obs
+/var/cache/obs/tmp/cache
+/var/cache/obs/tmp/pids
+/var/cache/obs/tmp/sessions
+/var/cache/obs/tmp/sockets
+
diff --git a/debian/obs-api.install b/debian/obs-api.install
index 8a1802621efa51a782600e7327ef42677e48583c..e634904b3db73a20c78ff5013776e91b22225e09 100644
--- a/debian/obs-api.install
+++ b/debian/obs-api.install
@@ -1,7 +1,6 @@
 # Install all web and api parts. (Remove parts in rules file)
 # install apidocs
 # the html dir was not found in source.
-src/api                                /usr/share/obs/
 docs/api/api/*.rng        /usr/share/obs/docs/api/
 docs/api/api/*.xsd        /usr/share/obs/docs/api/
 etc/logrotate.d/obs-api
diff --git a/debian/obs-api.links b/debian/obs-api.links
index 192cb101f7213f61a781db51ef27401e1cccdf9a..dfa39ef117d956807bb039a5877a7bf15f50e464 100644
--- a/debian/obs-api.links
+++ b/debian/obs-api.links
@@ -1,3 +1,9 @@
-usr/share/obs/api/config			/etc/obs/api/config
+etc/obs/api/config/options.yml		/usr/share/obs/api/config/options.yml
+etc/obs/api/config/database.yml		/usr/share/obs/api/config/database.yml
+etc/obs/api/config/production.sphinx.conf /usr/share/obs/api/config/production.sphinx.conf
+etc/obs/api/config/thinking_sphinx.yml	/usr/share/obs/api/config/thinking_sphinx.yml
+etc/obs/api/config/secret.key		/usr/share/obs/api/config/secret.key
 usr/share/obs/docs/api                    /usr/share/obs/api/public/schema
 usr/share/javascript/bootstrap/css/bootstrap.min.css /usr/share/obs/api/public/css/bootstrap.min.css
+var/log/obs				/usr/share/obs/api/log
+var/cache/obs/tmp			/usr/share/obs/api/tmp
diff --git a/debian/obs-api.postinst b/debian/obs-api.postinst
index 79e1ebc48791a1cd6bc4b0602fe0cca42ba1617c..9e3737d8cf8ef207b57b8fe09884452af701763b 100644
--- a/debian/obs-api.postinst
+++ b/debian/obs-api.postinst
@@ -1,21 +1,17 @@
 #!/bin/sh -e
 
-. /usr/share/debconf/confmodule
-. /usr/share/dbconfig-common/dpkg/postinst.mysql
-dbc_generate_include=template:/etc/obs/api/config/database.yml
-dbc_generate_include_args="-o template_infile=/etc/obs/api/config/database.yml.example"
-dbc_generate_include_owner=www-data
-dbc_go obs-api $@
-
-chown www-data:root /etc/obs/api/config/environment.rb
-
-if [ ! -f /var/log/obs ] ; then
-  ln -fs /usr/share/obs/api/log /var/log/obs
+# Config secret.key
+if [ ! -e "/usr/share/obs/api/config/secret.key" ]; then
+  rm -f /usr/share/obs/api/config/secret.key
 fi
-if [ ! -f /var/cache/obs/tmp ] ; then
-  mkdir -p /var/cache/obs
-  ln -fs /usr/share/obs/api/tmp /var/cache/obs/tmp
+SECRET_KEY="/etc/obs/api/config/secret.key"
+if [ ! -e "$SECRET_KEY" ]; then
+    ( umask 0077; dd if=/dev/urandom bs=256 count=1 2>/dev/null |sha256sum| cut -d\  -f 1 >$SECRET_KEY )
+    ln -s $SECRET_KEY /usr/share/obs/api/config/secret.key
 fi
+  chmod 0640 $SECRET_KEY
+  chown nobody:www-data $SECRET_KEY
+
 # Generate log files
   touch /var/log/obs/access.log
   touch /var/log/obs/backend_access.log
@@ -27,21 +23,27 @@ fi
   touch /var/log/obs/production.searchd.query.log
   touch /var/log/obs/production.sphinx.pid
   touch /var/log/obs/clockworkd.clock.output
-  chown -R www-data:www-data /var/log/obs/ /var/cache/obs/tmp/
+
+# Config Database with dbconfig-common
+. /usr/share/debconf/confmodule
+. /usr/share/dbconfig-common/dpkg/postinst.mysql
+dbc_generate_include=template:/etc/obs/api/config/database.yml
+dbc_generate_include_args="-o template_infile=/usr/share/obs/api/config/database.yml.example"
+dbc_generate_include_owner=www-data
+dbc_go obs-api $@
+
+# Refine permissions for rails app.
+  chown www-data:root /usr/share/obs/api/config/environment.rb
+  chown -R www-data:www-data /var/log/obs/
+  chown -R www-data:www-data /var/cache/obs/tmp/
   chown -R www-data:www-data /usr/share/obs/api/db
   chown -R www-data:www-data /usr/share/obs/api/public
-  chown www-data:www-data /usr/share/obs/api/config/production.sphinx.conf
+  chown www-data:www-data /etc/obs/api/config/production.sphinx.conf
   chmod 664 /var/log/obs/*.log
   chown nobody:www-data /etc/obs/api/config/database.yml
   chmod 660 /etc/obs/api/config/database.yml
   chown nobody:www-data /var/log/obs/backend_access.log
-
-SECRET_KEY="/usr/share/obs/api/config/secret.key"
-if [ ! -e "$SECRET_KEY" ]; then
-    ( umask 0077; dd if=/dev/urandom bs=256 count=1 2>/dev/null |sha256sum| cut -d\  -f 1 >$SECRET_KEY )
-fi
-  chmod 0640 $SECRET_KEY
-  chown nobody:www-data $SECRET_KEY
+  chown nobody:www-data /var/log/obs/production.log
 
 # Generate Gemfile.lock file.
 cd /usr/share/obs/api
diff --git a/debian/obs-server.install b/debian/obs-server.install
index 83d3374db1e8a8417fc40e8acd9f4b2be4ef4e1d..205ca34dd3a16a89f46dea581a7faf5279beff32 100644
--- a/debian/obs-server.install
+++ b/debian/obs-server.install
@@ -7,7 +7,7 @@ dist/sysconfig.obs-server      /etc/default/
 # Config files
 etc/logrotate.d/obs-server
 etc/slp.reg.d/
-usr/lib/obs/server/BSConfig.pm
+usr/lib/obs/server/BSConfig.pm /etc/obs/
 
 usr/lib/obs/tests/appliance/
 usr/sbin/obs_admin
diff --git a/debian/options.yml.example b/debian/options.yml.example
deleted file mode 100644
index 68151b0d97a17835349f5ddaab65561af9d4c543..0000000000000000000000000000000000000000
--- a/debian/options.yml.example
+++ /dev/null
@@ -1,161 +0,0 @@
-#
-# This file contains the default configuration of the Open Build Service API.
-#
-
-#read_only_hosts: [ "build.opensuse.org", "software.opensuse.org" ]
-
-# Make use of mod_xforward module in apache
-#use_xforward: true
-
-# Make use of http://blog.lighttpd.net/articles/2006/07/22/x-sendfiles-new-friend-x-rewrite.
-# Note that you need to enable the proxy-core option to allow this.
-#x_rewrite_host: localhost
-
-# Make use of X-Accel-Redirect for Nginx.
-# http://kovyrin.net/2010/07/24/nginx-fu-x-accel-redirect-remote
-#use_nginx_redirect: /internal_redirect
-
-# Minimum count of rating votes a project/package needs to # be taken in account
-# for global statistics:
-min_votes_for_rating: 3
-
-# Set to true to verify XML reponses comply to the schema
-response_schema_validation: false
-
-# backend source server
-source_host: localhost
-source_port: 5352
-#source_protocol: https
-
-# api access to this instance
-frontend_host: localhost
-frontend_port: 443
-frontend_protocol: https
-# if your users access the hosts through a proxy (or just a different name, use this to
-# overwrite the settings for users)
-#external_frontend_host: api.opensuse.org
-#external_frontend_port: 443
-#external_frontend_protocol: https
-
-
-extended_backend_log: false
-
-# proxy_auth_mode can be :off, :on or :simulate
-proxy_auth_mode: :off
-
-# ATTENTION: If proxy_auth_mode'is :on, the frontend takes the user
-# name that is coming as headervalue X-username as a
-# valid user does no further authentication. So take care...
-proxy_auth_test_user: coolguy
-proxy_auth_test_email: coolguy@example.com
-
-# set this to enable auto cleanup requests after the given days
-auto_cleanup_after_days: 30
-
-#schema_location
-
-#version
-
-# if set to false, the API will only fake writes to backend (useful in testing)
-# global_write_through: true
-
-# see http://colszowka.heroku.com/2011/02/22/setting-up-your-custom-hoptoad-notifier-endpoint-for-free-using-errbit-on-heroku
-#errbit_api_key: api_key_of_your_app
-#errbit_host: installation.of.errbit.com
-
-##################
-# LDAP options
-##################
-
-ldap_mode: :off
-
-# LDAP Servers separated by ':'.
-# OVERRIDE with your company's ldap servers. Servers are picked randomly for
-# each connection to distribute load.
-ldap_servers: ldap1.mycompany.com:ldap2.mycompany.com
-
-# Max number of times to attempt to contact the LDAP servers
-ldap_max_attempts: 15
-
-# The attribute the user memberof is stored in
-ldap_user_memberof_attr: memberof
-
-# Perform the group_user search with the member attribute of group entry or memberof attribute of user entry
-# It depends on your ldap define
-# The attribute the group member is stored in
-ldap_group_member_attr: member
-
-# If you're using ldap_authenticate=:ldap then you should ensure that
-# ldaps is used to transfer the credentials over SSL or use the StartTLS extension
-ldap_ssl: :on
-
-# Use StartTLS extension of LDAP
-ldap_start_tls: :off
-
-# LDAP port defaults to 636 for ldaps and 389 for ldap and ldap with StartTLS
-#ldap_port:
-# Authentication with Windows 2003 AD requires
-ldap_referrals: :off
-
-# OVERRIDE with your company's ldap search base for the users who will use OBS
-ldap_search_base: OU=Organizational Unit,DC=Domain Component
-# Sam Account Name is the login name for LDAP
-ldap_search_attr: sAMAccountName
-# The attribute the users name is stored in
-ldap_name_attr: cn
-# The attribute the users email is stored in
-ldap_mail_attr: mail
-# Credentials to use to search ldap for the username
-ldap_search_user: ""
-ldap_search_auth: ""
-
-# By default any LDAP user can be used to authenticate to the OBS
-# In some deployments this may be too broad and certain criteria should
-# be met; eg group membership
-#
-# To allow only users in a specific group uncomment this line:
-#ldap_user_filter: memberof=CN=group,OU=Groups,DC=Domain Component)
-#
-# Note this is joined to the normal selection like so:
-# (&(#{dap_search_attr}=#{login})#{ldap_user_filter})
-# giving an ldap search of:
-#  (&(sAMAccountName=#{login})(memberof=CN=group,OU=Groups,DC=Domain Component))
-#
-# Also note that openLDAP must be configured to use the memberOf overlay
-
-# ldap_authenticate says how the credentials are verified:
-#   :ldap = attempt to bind to ldap as user using supplied credentials
-#   :local = compare the credentials supplied with those in
-#            LDAP using #{ldap_auth_attr} & #{ldap_auth_mech}
-#       if :local is used then ldap_auth_mech can be
-#       :md5
-#       :cleartext
-ldap_authenticate: :ldap
-ldap_auth_mech: :md5
-# This is a string
-ldap_auth_attr: userPassword
-
-# Whether to update the user info to LDAP server, it does not take effect
-# when ldap_mode is not set.
-# Since adding new entry operation are more depend on your slapd db define, it might not
-# compatiable with all LDAP server settings, you can use other LDAP client tools for your specific usage
-ldap_update_support: :off
-# ObjectClass, used for adding new entry
-ldap_object_class: inetOrgPerson
-# Base dn for the new added entry
-ldap_entry_base: ou=OBSUSERS,dc=EXAMPLE,dc=COM
-# Does sn attribute required, it is a necessary attribute for most of people objectclass,
-# used for adding new entry
-ldap_sn_attr_required: :on
-
-# Whether to search group info from ldap, it does not take effect
-# when LDAP_GROUP_SUPPOR is not set.
-# Please also set below LDAP_GROUP_* configs correctly to ensure the operation works properly
-ldap_group_support: :off
-# OVERRIDE with your company's ldap search base for groups
-ldap_group_search_base: ou=OBSGROUPS,dc=EXAMPLE,dc=COM
-# The attribute the group name is stored in
-ldap_group_title_attr: cn
-# The value of the group objectclass attribute, leave it as "" if objectclass attr doesn't exist
-ldap_group_objectclass_attr: groupOfNames
-
diff --git a/debian/rules b/debian/rules
index 1712be643276470a17abcd9f5903a252f5bd0512..2dbedc46548999dce705c7f392b924299d91c527 100755
--- a/debian/rules
+++ b/debian/rules
@@ -27,6 +27,18 @@ override_dh_install:
 
 	dh_installdebconf
 
+	# Move config files under /etc/obs/api/config/. And links with dh_link.
+	mv debian/obs-api/usr/share/obs/api/config/options.yml \
+			debian/obs-api/etc/obs/api/config/
+	mv debian/obs-api/usr/share/obs/api/config/production.sphinx.conf \
+			debian/obs-api/etc/obs/api/config/
+	mv debian/obs-api/usr/share/obs/api/config/thinking_sphinx.yml \
+			debian/obs-api/etc/obs/api/config/
+
+	# Remove log and tmp and create links under /var with dh_link.
+	rm -rf debian/obs-api/usr/share/obs/api/log
+	rm -rf debian/obs-api/usr/share/obs/api/tmp
+
 	# Rename dh_install installed web service config files.
 	# (new default since OBS 2.3)
 	mkdir -p debian/obs-api/etc/apache2/sites-available/
@@ -42,10 +54,6 @@ override_dh_install:
 	mv debian/obs-server/etc/default/sysconfig.obs-server \
 		debian/obs-server/etc/default/obs-server
 
-	# these config files must not be hard linked
-	install debian/options.yml.example \
-		debian/obs-api/usr/share/obs/api/config/options.yml
-
 	# turn duplicates into hard links
 	fdupes debian/obs-api/usr/share/obs/
 
@@ -53,7 +61,6 @@ override_dh_install:
 	find debian/obs-api -name '.gitignore' -type f | xargs rm -f
 
 	# fix permissions
-	chmod a-x debian/obs-api/usr/share/obs/api/config/options.yml
 	chmod a-x debian/obs-api/usr/share/obs/api/script/update_bento.sh
 	chmod a-x debian/obs-api/usr/share/obs/api/Rakefile
 	# Clean up "extra" license