From 21c86b0e971b54dd4316983e1aea7234960ee7ad Mon Sep 17 00:00:00 2001
From: Emmanuel Garette <egarette@silique.fr>
Date: Fri, 23 Jun 2023 08:12:05 +0200
Subject: [PATCH] ansible template

---
 seed/apache/dictionaries/20_web.xml           |    6 +-
 seed/apache/templates/risotto.conf            |   12 +-
 seed/apache/templates/ssl.conf                |    6 +-
 .../dictionaries/00_debian-bullseye.xml       |    2 +-
 .../templates/local.negative                  |    4 +-
 .../dictionaries/11_debian-base.xml           |    2 +-
 .../dictionaries/17_debian-base.xml           |    2 +-
 .../templates/update-ca-certificates.service  |    2 +-
 seed/base-fedora-38/applicationservice.yml    |    6 +
 .../dictionaries/11_fedora-version.xml        |   13 +
 .../image/postinstall/base_fedora_version.sh  |    7 +
 .../manual/image/preinstall/base_fedora_38.sh |    1 +
 .../image/preinstall/base_fedora_version.sh   |    1 +
 seed/base-fedora-38/templates/login           |   17 +
 .../dictionaries/11_fedora-base.xml           |    1 +
 .../dictionaries/17_fedora-base.xml           |    2 +-
 seed/base-machine/dictionaries/12_base.xml    |    5 +
 seed/base-machine/funcs/funcs.py              |    4 +
 seed/base/dictionaries/00_base.xml            |    1 +
 seed/base/funcs/base.py                       |   11 +-
 seed/dns-local/dictionaries/13_dns-local.xml  |    4 +-
 seed/dns-local/templates/dns-local.yml        |   45 +-
 seed/dovecot/dictionaries/26_dovecot.xml      |   41 +-
 seed/dovecot/templates/10-master.conf         |    2 +-
 seed/dovecot/templates/10-ssl.conf            |   22 +-
 seed/dovecot/templates/12-managesieve.conf    |   23 -
 seed/dovecot/templates/config-v1.1.xml        |   20 +-
 seed/dovecot/templates/dovecot-ldap.conf.ext  |   14 +-
 .../dovecot/templates/dovecot-oauth2.conf.ext |   10 +-
 seed/dovecot/templates/external_imap.crt      |    2 -
 seed/dovecot/templates/external_imap.key      |    1 -
 seed/dovecot/templates/imap.yml               |   22 +-
 seed/dovecot/templates/ldapsource.cf          |   16 +-
 seed/dovecot/templates/main.cf                |   26 +-
 seed/dovecot/templates/postfix_sni.pem        |    3 -
 seed/dovecot/templates/relay_passwd           |    2 +-
 seed/dovecot/templates/risotto_backup         |    6 +-
 seed/dovecot/templates/sni                    |    8 +-
 seed/forgejo/applicationservice.yml           |    2 +-
 seed/forgejo/dictionaries/31_forgejo.xml      |    6 +-
 seed/forgejo/templates/app.ini                |   49 +-
 seed/forgejo/templates/forgejo.service        |   22 +-
 seed/forgejo/templates/forgejo.yml            |   22 +-
 seed/grafana/DEBUG.md                         |    2 +
 seed/grafana/applicationservice.yml           |    9 +
 seed/grafana/dictionaries/31_grafana.xml      |   67 +
 .../manual/image/postinstall/grafana.sh       |   11 +
 .../manual/image/preinstall/grafana.sh        |    1 +
 seed/grafana/templates/grafana-server         |   30 +
 seed/grafana/templates/grafana-server.service |    5 +
 seed/grafana/templates/grafana.ini            | 1262 +++++++++++++++++
 seed/grafana/templates/tmpfile-grafana.conf   |    2 +
 .../dictionaries/21_machined.xml              |   54 +-
 .../extras/machined/00_machined.xml           |   15 +-
 seed/host-systemd-machined/funcs/machined.py  |   13 +
 .../templates/70-container.netdev             |    2 +-
 .../templates/70-container.network            |    4 +-
 .../templates/90-risotto.conf                 |    2 +-
 .../templates/RPM-GPG-KEY-fedora-38-x86_64    |   29 +
 .../templates/dhcp.network                    |   24 +-
 .../templates/directory-script                |   16 +
 .../templates/network-script                  |   32 +-
 seed/host-systemd-machined/templates/nspawn   |   49 +-
 .../templates/risotto-images.service          |    4 +-
 .../templates/risottofirewall.service         |   80 +-
 .../templates/systemd-nspawn@.conf            |    1 +
 .../templates/tls-script                      |   56 +-
 .../templates/vector.toml                     |   69 +
 seed/journald/applicationservice.yml          |    3 +
 seed/journald/dictionaries/20_journald.xml    |   26 +
 .../manual/image/preinstall/journald.sh       |    1 +
 seed/journald/templates/journal-upload.conf   |   25 +
 .../templates/systemd-journal-upload.service  |    2 +
 seed/journald_remote/applicationservice.yml   |    3 +
 .../dictionaries/21_journald.xml              |   11 +
 .../extras/accounts/00_accounts.xml           |   21 +
 seed/journald_remote/funcs/journald_remote.py |   20 +
 .../manual/image/preinstall/journald.sh       |    1 +
 .../templates/journal-remote.conf             |   26 +
 .../templates/systemd-journal-remote.service  |    3 +
 .../dictionaries/21_ldap-client.xml           |   26 +-
 seed/ldap-client/funcs/openldap_client.py     |   24 +-
 .../ldap-client/templates/ldap-client.service |    2 +-
 seed/ldap-client/templates/ldap.conf          |   14 +-
 seed/lemonldap/DEBUG.md                       |    4 +
 .../dictionaries/70_lemonldap_ng.xml          |   19 +-
 seed/lemonldap/extras/oauth2/00_oauth2.xml    |    1 +
 seed/lemonldap/templates/handler-nginx.conf   |   10 +-
 .../lemonldap/templates/interne_well_known.pl |    6 +-
 .../templates/lemonldap-ng-fastcgi-server     |    2 +-
 seed/lemonldap/templates/lemonldap.yml        |    6 +-
 seed/lemonldap/templates/lmConf-1.json        |  168 ++-
 seed/lemonldap/templates/portal-nginx.conf    |   30 +-
 seed/lemonldap/templates/wget.pl              |    4 +-
 seed/loki/applicationservice.yml              |    5 +
 seed/loki/dictionaries/20_loki.xml            |   16 +
 seed/loki/manual/image/postinstall/loki.sh    |   17 +
 seed/loki/templates/loki-local-config.yaml    |   55 +
 seed/loki/templates/loki.service              |   14 +
 seed/loki/templates/sysuser-loki.conf         |    2 +
 seed/loki/templates/tmpfile-loki.conf         |    1 +
 seed/mailman/dictionaries/31_mailman.xml      |   18 +-
 seed/mailman/templates/config-nginx.conf      |   18 +-
 seed/mailman/templates/gunicorn_config.py     |  221 ---
 seed/mailman/templates/mailman-web.py         |   38 +-
 seed/mailman/templates/mailman.cfg            |   14 +-
 seed/mailman/templates/mailman.yml            |   24 +-
 seed/mailman/templates/mailman3-web.service   |    6 +-
 seed/mailman/templates/mailman3.service       |   13 +-
 seed/mailman/templates/postorius.service      |    6 +-
 .../dictionaries/20_mariadb.xml               |   23 +-
 .../templates/mariadbclient.service           |    2 +-
 seed/mariadb/dictionaries/20_mariadb.xml      |   10 +-
 seed/mariadb/extras/accounts/00_accounts.xml  |    2 +
 seed/mariadb/templates/mariadb.service        |    2 +-
 seed/mariadb/templates/mariadb.sql            |   24 +-
 seed/mariadb/templates/mariadb.yml            |    4 +-
 seed/mariadb/templates/risotto_backup         |    7 +-
 seed/nextcloud/dictionaries/31_nextcloud.xml  |   12 +-
 seed/nextcloud/templates/nextcloud-config.php |   61 +-
 seed/nextcloud/templates/nextcloud.init       |   24 +-
 seed/nginx-common/dictionaries/21_nginx.xml   |   12 +-
 seed/nginx-common/templates/default           |   30 +-
 .../nginx-common/templates/default-nginx.conf |    2 +-
 seed/nginx-common/templates/nginx-common.yml  |   18 +-
 .../nginx-common/templates/nginx-options.conf |   25 +-
 seed/nginx-common/templates/nginx.conf.Fedora |   30 +-
 .../templates/tmpfiles.nginx.conf             |    2 +-
 seed/nginx-https/templates/nginx.key          |    1 -
 .../dictionaries/25_nginx.xml                 |   12 +-
 .../patches/revprox-nginx.conf.patch          |   14 +
 .../templates/ca_External.crt                 |    1 -
 seed/nginx-reverse-proxy/templates/nginx.key  |    1 -
 .../templates/nginx.service                   |   30 +-
 .../templates/reverse-proxy.yml               |   22 +-
 .../templates/revprox-nginx.conf              |  120 +-
 .../dictionaries/22_nginx_static.xml          |    4 +-
 .../templates/tmpfiles.nginx_static.conf      |    2 +-
 seed/nsd-local/applicationservice.yml         |    6 +
 seed/nsd-local/dictionaries/21_nsd-local.xml  |   33 +
 seed/nsd-local/extras/nsd/01_nsd-local.xml    |   25 +
 seed/nsd/dictionaries/20_nsd.xml              |   61 +-
 seed/nsd/extras/nsd/00_nsd.xml                |   21 +-
 seed/nsd/funcs/funcs.py                       |   61 +-
 seed/nsd/templates/nsd.reverse                |   44 +-
 seed/nsd/templates/nsd.signed                 |    4 +-
 seed/nsd/templates/nsd.yml                    |   22 +-
 seed/nsd/templates/nsd.zone                   |   30 +-
 seed/nsd/templates/risotto.conf               |   31 +-
 .../dictionaries/30_oauth2_client.xml         |    6 +-
 .../templates/oauth2-client.service           |    2 +-
 seed/odoo/DEBUG.md                            |    4 +-
 seed/odoo/dictionaries/40_odoo.xml            |   14 +-
 seed/odoo/templates/config-nginx.conf         |    6 +-
 seed/odoo/templates/config_odoo.py            |   64 +-
 seed/odoo/templates/hosts                     |    2 +-
 seed/odoo/templates/odoo.conf                 |   10 +-
 seed/odoo/templates/odoo.service              |   10 +-
 seed/openldap/applicationservice.yml          |    2 +-
 .../dictionaries/21_openldap-server.xml       |  171 ++-
 seed/openldap/funcs/ldap.py                   |   50 +
 seed/openldap/templates/DB_CONFIG             |   23 +-
 seed/openldap/templates/admin_ldap.pwd        |    2 +-
 seed/openldap/templates/config.ldif           |   20 +-
 seed/openldap/templates/config_acl.ldif       |   90 +-
 seed/openldap/templates/ldap.conf             |   44 +
 seed/openldap/templates/openldap.yml          |   94 +-
 seed/openldap/templates/replication.conf      |    1 -
 seed/openldap/templates/slapd.service         |   12 +-
 .../templates/tmpfile-openldap-server.conf    |    2 +-
 seed/openldap/templates/users.ldif            |  178 +--
 seed/openldap/templates/users_mod.ldif        |  108 +-
 seed/peertube/dictionaries/30_peertube.xml    |   10 +-
 seed/peertube/templates/nginx.peertube.conf   |   12 +-
 .../templates/nginx.peertube.conf.d.conf      |    2 +-
 seed/peertube/templates/peertube.service      |    6 +-
 seed/peertube/templates/production.yaml       |   33 +-
 seed/php-fpm/dictionaries/20_phpfpm.xml       |    4 +-
 seed/php-fpm/templates/tmpfile-phpfpm.conf    |    2 +-
 seed/php-fpm/templates/www.conf               |   20 +-
 seed/php/DEBUG.md                             |    2 +
 seed/php/dictionaries/20_php.xml              |    2 +-
 seed/php/templates/php.ini                    |   44 +-
 seed/piwigo/dictionaries/31_piwigo.xml        |   32 +-
 seed/piwigo/templates/config.inc.php          |   20 +-
 seed/piwigo/templates/database.inc.php        |   22 +-
 seed/piwigo/templates/piwigo.nginx.conf       |   16 +-
 seed/piwigo/templates/piwigo.sh               |   22 +-
 seed/piwigo/templates/tmpfile-piwigo.conf     |   10 +-
 seed/pki-tls/dictionaries/20_tls.xml          |    2 +-
 seed/pki-tls/templates/0certificate.conf      |   77 +-
 .../postfix-relay/dictionaries/30_postfix.xml |   36 +-
 .../templates/12-managesieve.conf             |   23 -
 seed/postfix-relay/templates/KeyTable         |    6 +-
 seed/postfix-relay/templates/SigningTable     |    6 +-
 seed/postfix-relay/templates/TrustedHosts     |    6 +-
 seed/postfix-relay/templates/lmtp             |   18 +-
 seed/postfix-relay/templates/main.cf          |   24 +-
 seed/postfix-relay/templates/opendkim.key     |    2 +-
 seed/postfix-relay/templates/opendmarc.conf   |    2 +-
 seed/postfix-relay/templates/postfix.service  |   12 +-
 seed/postfix-relay/templates/sni              |    8 +-
 seed/postfix-relay/templates/sni.pem          |    4 -
 .../dictionaries/23_postgresql.xml            |   14 +-
 .../templates/postgresql.pass                 |    2 +-
 .../templates/postgresql.pass2                |    2 +-
 .../templates/postgresqlclient.service        |   12 +-
 .../postgresql/dictionaries/22_postgresql.xml |   11 +-
 .../extras/accounts/00_accounts.xml           |    3 +-
 seed/postgresql/templates/config.yml          |    0
 seed/postgresql/templates/pg_hba.conf         |   14 +-
 seed/postgresql/templates/postgresql.conf     |   32 +-
 seed/postgresql/templates/postgresql.service  |   48 +-
 seed/postgresql/templates/postgresql.sql      |   28 +-
 seed/postgresql/templates/postgresql.yml      |    4 +-
 seed/postgresql/templates/risotto_backup      |   12 +
 seed/prometheus/DEBUG.md                      |    3 +
 seed/prometheus/applicationservice.yml        |    6 +
 .../prometheus/dictionaries/20_prometheus.xml |   26 +
 .../manual/image/preinstall/prometheus.sh     |    2 +
 seed/prometheus/templates/prometheus          |    5 +
 seed/prometheus/templates/prometheus.service  |    7 +
 seed/prometheus/templates/prometheus.yml      |   37 +
 .../templates/sysuser-prometheus.conf         |    2 +
 .../templates/tmpfile-prometheus.conf         |    1 +
 .../dictionaries/16_machined.xml              |   16 +-
 .../templates/no_risotto_backup               |    1 +
 .../dictionaries/20_smtp_client.xml           |   18 +-
 seed/relay-mail-client/funcs/relay_mail.py    |   12 +
 .../dictionaries/21_revprox_client.xml        |    2 +-
 .../templates/reverse-proxy.yml               |    2 +-
 seed/roundcube/dictionaries/31_roundcube.xml  |   10 +-
 seed/roundcube/funcs/roundcube.py             |    1 -
 seed/roundcube/templates/config.inc.php       |   41 +-
 seed/roundcube/templates/domain.inc.php       |   18 +-
 seed/roundcube/templates/roundcube.service    |    2 +-
 seed/roundcube/templates/roundcubemail.conf   |    4 +-
 .../dictionaries/40_speedtest-rs.xml          |    4 +-
 seed/speedtest-rs/templates/config.env        |    6 +-
 seed/systemd/applicationservice.yml           |    1 +
 seed/systemd/dictionaries/15_systemd.xml      |   81 +-
 seed/systemd/templates/30-swap.conf           |    4 +-
 seed/systemd/templates/40-tmp.conf            |    4 +-
 seed/systemd/templates/50-var.conf            |    4 +-
 seed/systemd/templates/60-srv.conf            |    4 +-
 seed/systemd/templates/include.mount          |    6 +-
 seed/systemd/templates/link                   |    6 +-
 seed/systemd/templates/network                |   33 +-
 seed/systemd/templates/root.pwd               |    2 +-
 seed/systemd/templates/srv.mount              |    6 +-
 .../templates/systemd-firstboot.service       |    2 +-
 ...efs@dev-disk-by\\x2dpartlabel-srv.service" |    8 +-
 ...fs@dev-disk-by\\x2dpartlabel-swap.service" |    9 +-
 ...dev-disk-by\\x2dpartlabel-var-tmp.service" |    8 +-
 ...efs@dev-disk-by\\x2dpartlabel-var.service" |    8 +-
 ...emd-makefs@dev-disk-byx2dpartlabel.service |   14 +-
 seed/systemd/templates/var-tmp.mount          |    6 +-
 seed/systemd/templates/var.mount              |    6 +-
 seed/tls/applicationservice.yml               |    2 +-
 seed/tls/dictionaries/26_tls.xml              |    6 +-
 seed/tls/manual/image/postinstall/autosign.py |   22 +-
 seed/tls/templates/certificates.yml           |   29 +-
 seed/tls/templates/configuration.yml          |    6 +-
 seed/unbound/dictionaries/20_unbound.xml      |    8 +-
 seed/unbound/templates/risotto.conf           |   36 +-
 seed/unbound/templates/unbound.conf           |   10 +-
 .../dictionaries/40_vaultwarden.xml           |    6 +-
 seed/vaultwarden/templates/vaultwarden.yml    |   16 +-
 .../templates/vaultwarden_config.env          |   24 +-
 seed/vector/DEBUG.md                          |    1 +
 seed/vector/applicationservice.yml            |    6 +
 seed/vector/dictionaries/20_vector.xml        |   28 +
 .../vector/manual/image/postinstall/vector.sh |   16 +
 seed/vector/manual/image/preinstall/vector.sh |    1 +
 seed/vector/templates/sysuser-vector.conf     |    4 +
 seed/vector/templates/tmpfile-vector.conf     |    1 +
 seed/vector/templates/vector.toml             |  112 ++
 seed/vector/templates/vector_journalctl       |    3 +
 seed/znc/dictionaries/40_znc.xml              |    8 +-
 seed/znc/templates/znc.conf                   |   33 +-
 seed/znc/templates/znc_passwords              |    6 +-
 281 files changed, 4341 insertions(+), 2136 deletions(-)
 create mode 100644 seed/base-fedora-38/applicationservice.yml
 create mode 100644 seed/base-fedora-38/dictionaries/11_fedora-version.xml
 create mode 100644 seed/base-fedora-38/manual/image/postinstall/base_fedora_version.sh
 create mode 100644 seed/base-fedora-38/manual/image/preinstall/base_fedora_38.sh
 create mode 100644 seed/base-fedora-38/manual/image/preinstall/base_fedora_version.sh
 create mode 100644 seed/base-fedora-38/templates/login
 delete mode 100644 seed/dovecot/templates/12-managesieve.conf
 delete mode 100644 seed/dovecot/templates/external_imap.crt
 delete mode 100644 seed/dovecot/templates/external_imap.key
 delete mode 100644 seed/dovecot/templates/postfix_sni.pem
 create mode 100644 seed/grafana/DEBUG.md
 create mode 100644 seed/grafana/applicationservice.yml
 create mode 100644 seed/grafana/dictionaries/31_grafana.xml
 create mode 100644 seed/grafana/manual/image/postinstall/grafana.sh
 create mode 100644 seed/grafana/manual/image/preinstall/grafana.sh
 create mode 100644 seed/grafana/templates/grafana-server
 create mode 100644 seed/grafana/templates/grafana-server.service
 create mode 100644 seed/grafana/templates/grafana.ini
 create mode 100644 seed/grafana/templates/tmpfile-grafana.conf
 create mode 100644 seed/host-systemd-machined/templates/RPM-GPG-KEY-fedora-38-x86_64
 create mode 100644 seed/host-systemd-machined/templates/directory-script
 create mode 100644 seed/host-systemd-machined/templates/vector.toml
 create mode 100644 seed/journald/applicationservice.yml
 create mode 100644 seed/journald/dictionaries/20_journald.xml
 create mode 100644 seed/journald/manual/image/preinstall/journald.sh
 create mode 100644 seed/journald/templates/journal-upload.conf
 create mode 100644 seed/journald/templates/systemd-journal-upload.service
 create mode 100644 seed/journald_remote/applicationservice.yml
 create mode 100644 seed/journald_remote/dictionaries/21_journald.xml
 create mode 100644 seed/journald_remote/extras/accounts/00_accounts.xml
 create mode 100644 seed/journald_remote/funcs/journald_remote.py
 create mode 100644 seed/journald_remote/manual/image/preinstall/journald.sh
 create mode 100644 seed/journald_remote/templates/journal-remote.conf
 create mode 100644 seed/journald_remote/templates/systemd-journal-remote.service
 create mode 100644 seed/loki/applicationservice.yml
 create mode 100644 seed/loki/dictionaries/20_loki.xml
 create mode 100644 seed/loki/manual/image/postinstall/loki.sh
 create mode 100644 seed/loki/templates/loki-local-config.yaml
 create mode 100644 seed/loki/templates/loki.service
 create mode 100644 seed/loki/templates/sysuser-loki.conf
 create mode 100644 seed/loki/templates/tmpfile-loki.conf
 delete mode 100644 seed/mailman/templates/gunicorn_config.py
 delete mode 100644 seed/nginx-https/templates/nginx.key
 create mode 100644 seed/nginx-reverse-proxy/patches/revprox-nginx.conf.patch
 delete mode 100644 seed/nginx-reverse-proxy/templates/ca_External.crt
 delete mode 100644 seed/nginx-reverse-proxy/templates/nginx.key
 create mode 100644 seed/nsd-local/applicationservice.yml
 create mode 100644 seed/nsd-local/dictionaries/21_nsd-local.xml
 create mode 100644 seed/nsd-local/extras/nsd/01_nsd-local.xml
 create mode 100644 seed/openldap/templates/ldap.conf
 delete mode 100644 seed/openldap/templates/replication.conf
 delete mode 100644 seed/postfix-relay/templates/12-managesieve.conf
 delete mode 100644 seed/postfix-relay/templates/sni.pem
 delete mode 100644 seed/postgresql/templates/config.yml
 create mode 100644 seed/postgresql/templates/risotto_backup
 create mode 100644 seed/prometheus/DEBUG.md
 create mode 100644 seed/prometheus/applicationservice.yml
 create mode 100644 seed/prometheus/dictionaries/20_prometheus.xml
 create mode 100644 seed/prometheus/manual/image/preinstall/prometheus.sh
 create mode 100644 seed/prometheus/templates/prometheus
 create mode 100644 seed/prometheus/templates/prometheus.service
 create mode 100644 seed/prometheus/templates/prometheus.yml
 create mode 100644 seed/prometheus/templates/sysuser-prometheus.conf
 create mode 100644 seed/prometheus/templates/tmpfile-prometheus.conf
 create mode 100644 seed/provider-systemd-machined/templates/no_risotto_backup
 create mode 100644 seed/relay-mail-client/funcs/relay_mail.py
 create mode 100644 seed/vector/DEBUG.md
 create mode 100644 seed/vector/applicationservice.yml
 create mode 100644 seed/vector/dictionaries/20_vector.xml
 create mode 100644 seed/vector/manual/image/postinstall/vector.sh
 create mode 100644 seed/vector/manual/image/preinstall/vector.sh
 create mode 100644 seed/vector/templates/sysuser-vector.conf
 create mode 100644 seed/vector/templates/tmpfile-vector.conf
 create mode 100644 seed/vector/templates/vector.toml
 create mode 100644 seed/vector/templates/vector_journalctl

diff --git a/seed/apache/dictionaries/20_web.xml b/seed/apache/dictionaries/20_web.xml
index afd56df..f995d8b 100644
--- a/seed/apache/dictionaries/20_web.xml
+++ b/seed/apache/dictionaries/20_web.xml
@@ -2,9 +2,9 @@
 <rougail version="0.10">
   <services>
     <service name="httpd" target="multi-user">
-      <file>/etc/httpd/conf/httpd.conf</file>
-      <file>/etc/httpd/conf.d/risotto.conf</file>
-      <file>/etc/httpd/conf.d/ssl.conf</file>
+      <file engine="none">/etc/httpd/conf/httpd.conf</file>
+      <file engine="ansible">/etc/httpd/conf.d/risotto.conf</file>
+      <file engine="ansible">/etc/httpd/conf.d/ssl.conf</file>
       <file engine="none" source="sysuser-httpd.conf">/sysusers.d/httpd.conf</file>
       <file engine="none" source="tmpfile-httpd.conf">/tmpfiles.d/0httpd.conf</file>
     </service>
diff --git a/seed/apache/templates/risotto.conf b/seed/apache/templates/risotto.conf
index 3ee7beb..d1aba91 100644
--- a/seed/apache/templates/risotto.conf
+++ b/seed/apache/templates/risotto.conf
@@ -1,15 +1,15 @@
 # Timeout
-Timeout %%apache_timeout
+Timeout {{ general.apache.apache_timeout }}
 
 # Keepalive
-%if %%apache_keepalive
+{% if general.apache.apache_keepalive %}
 KeepAlive On
-%else
+{% else %}
 KeepAlive Off
-%end if
+{% endif %}
 MaxKeepAliveRequests 50
-KeepAliveTimeout %%apache_timeout
+KeepAliveTimeout {{ general.apache.apache_timeout }}
 
 # RemoteIp
 RemoteIPHeader X-Forwarded-For
-RemoteIPInternalProxy %%revprox_client_server_ip
+RemoteIPInternalProxy {{ general.revprox.revprox_client_server_ip }}
diff --git a/seed/apache/templates/ssl.conf b/seed/apache/templates/ssl.conf
index d2ee87c..3d825ee 100644
--- a/seed/apache/templates/ssl.conf
+++ b/seed/apache/templates/ssl.conf
@@ -100,7 +100,7 @@ SSLProxyCipherSuite PROFILE=SYSTEM
 #   require an ECC certificate which can also be configured in
 #   parallel.
 # GNUNUX SSLCertificateFile /etc/pki/tls/certs/localhost.crt
-SSLCertificateFile      %%tls_cert_directory/revprox.crt
+SSLCertificateFile      {{ general.tls_cert_directory }}/revprox.crt
 
 #   Server Private Key:
 #   If the key is not combined with the certificate, use this
@@ -109,7 +109,7 @@ SSLCertificateFile      %%tls_cert_directory/revprox.crt
 #   both in parallel (to also allow the use of DSA ciphers, etc.)
 #   ECC keys, when in use, can also be configured in parallel
 # GNUNUX SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
-SSLCertificateKeyFile   %%tls_key_directory/revprox.key
+SSLCertificateKeyFile   {{ general.tls_key_directory }}/revprox.key
 
 #   Server Certificate Chain:
 #   Point SSLCertificateChainFile at a file containing the
@@ -126,7 +126,7 @@ SSLCertificateKeyFile   %%tls_key_directory/revprox.key
 #   huge file containing all of them (file must be PEM encoded)
 #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
 #>GNUNUX
-SSLCACertificateFile %%tls_ca_directory/InternalReverseProxy.crt
+SSLCACertificateFile {{ general.tls_ca_directory }}/InternalReverseProxy.crt
 #<GNUNUX
 
 #   Client Authentication (Type):
diff --git a/seed/base-debian-bullseye/dictionaries/00_debian-bullseye.xml b/seed/base-debian-bullseye/dictionaries/00_debian-bullseye.xml
index a5dd7cf..db8615f 100644
--- a/seed/base-debian-bullseye/dictionaries/00_debian-bullseye.xml
+++ b/seed/base-debian-bullseye/dictionaries/00_debian-bullseye.xml
@@ -2,7 +2,7 @@
 <rougail version="0.10">
   <services>
     <service name="dnssec" manage="False">
-      <file>/etc/dnssec-trust-anchors.d/local.negative</file>
+      <file engine="ansible">/etc/dnssec-trust-anchors.d/local.negative</file>
     </service>
   </services>
   <variables>
diff --git a/seed/base-debian-bullseye/templates/local.negative b/seed/base-debian-bullseye/templates/local.negative
index f571c67..5057710 100644
--- a/seed/base-debian-bullseye/templates/local.negative
+++ b/seed/base-debian-bullseye/templates/local.negative
@@ -1,2 +1,2 @@
-%set %%domain=%%domain_name_eth0.split('.', 1)[1]
-%%domain
+{% set domain = domain_name_eth0.split('.', 1)[1] %}
+{{ domain }}
diff --git a/seed/base-debian/dictionaries/11_debian-base.xml b/seed/base-debian/dictionaries/11_debian-base.xml
index 90a8ecf..d664df6 100644
--- a/seed/base-debian/dictionaries/11_debian-base.xml
+++ b/seed/base-debian/dictionaries/11_debian-base.xml
@@ -2,7 +2,7 @@
 <rougail version="0.10">
   <services>
     <service name="systemd-networkd">
-      <override/>
+      <override engine="none"/>
     </service>
     <service name='logrotate' disabled="True"/>
     <service name="debian" manage="False">
diff --git a/seed/base-debian/dictionaries/17_debian-base.xml b/seed/base-debian/dictionaries/17_debian-base.xml
index d3a0e36..b1754b8 100644
--- a/seed/base-debian/dictionaries/17_debian-base.xml
+++ b/seed/base-debian/dictionaries/17_debian-base.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <rougail version="0.10">
   <services>
-    <service name="update-ca-certificates" engine="cheetah" target="multi-user"/>
+    <service name="update-ca-certificates" engine="ansible" target="multi-user"/>
   </services>
   <variables>
     <variable name="tls_ca_directory" type="filename" description="Répertoire des autorités de certification" hidden="True">
diff --git a/seed/base-debian/templates/update-ca-certificates.service b/seed/base-debian/templates/update-ca-certificates.service
index 66bf60e..9da5fb5 100644
--- a/seed/base-debian/templates/update-ca-certificates.service
+++ b/seed/base-debian/templates/update-ca-certificates.service
@@ -4,7 +4,7 @@ Before=network-pre.target
 
 [Service]
 Type=oneshot
-ExecStart=/usr/sbin/update-ca-certificates --localcertsdir %%tls_ca_directory
+ExecStart=/usr/sbin/update-ca-certificates --localcertsdir {{ general.tls_ca_directory }}
 
 [Install]
 WantedBy=multi-user.target
diff --git a/seed/base-fedora-38/applicationservice.yml b/seed/base-fedora-38/applicationservice.yml
new file mode 100644
index 0000000..83bdbc3
--- /dev/null
+++ b/seed/base-fedora-38/applicationservice.yml
@@ -0,0 +1,6 @@
+format: '0.1'
+description: Base information of a Fedora 38
+website: https://getfedora.org/
+depends:
+  - base-fedora
+distribution: true
diff --git a/seed/base-fedora-38/dictionaries/11_fedora-version.xml b/seed/base-fedora-38/dictionaries/11_fedora-version.xml
new file mode 100644
index 0000000..9ba1346
--- /dev/null
+++ b/seed/base-fedora-38/dictionaries/11_fedora-version.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rougail version="0.10">
+  <!--services>
+    <service name="base">
+      <file engine="none">/etc/pam.d/login</file>
+    </service>
+  </services-->
+  <variables>
+    <variable name="os_version" type="string" description="Version de l'OS" hidden="True">
+      <value>38</value>
+    </variable>
+  </variables>
+</rougail>
diff --git a/seed/base-fedora-38/manual/image/postinstall/base_fedora_version.sh b/seed/base-fedora-38/manual/image/postinstall/base_fedora_version.sh
new file mode 100644
index 0000000..f19a831
--- /dev/null
+++ b/seed/base-fedora-38/manual/image/postinstall/base_fedora_version.sh
@@ -0,0 +1,7 @@
+# ACTIVE NETWORKD
+mkdir $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/network-online.target.wants
+chmod 775 $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/network-online.target.wants
+ln -s /usr/lib/systemd/system/systemd-networkd.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/dbus-org.freedesktop.network1.service"
+ln -s /usr/lib/systemd/system/systemd-networkd.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/multi-user.target.wants/systemd-networkd.service"
+ln -s /usr/lib/systemd/system/systemd-networkd-wait-online.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/network-online.target.wants/systemd-networkd-wait-online.service"
+ln -s /usr/lib/systemd/system/systemd-networkd.socket "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/sockets.target.wants/systemd-networkd.socket"
diff --git a/seed/base-fedora-38/manual/image/preinstall/base_fedora_38.sh b/seed/base-fedora-38/manual/image/preinstall/base_fedora_38.sh
new file mode 100644
index 0000000..e1ae882
--- /dev/null
+++ b/seed/base-fedora-38/manual/image/preinstall/base_fedora_38.sh
@@ -0,0 +1 @@
+BASE_PKG="$BASE_PKG pam util-linux"
diff --git a/seed/base-fedora-38/manual/image/preinstall/base_fedora_version.sh b/seed/base-fedora-38/manual/image/preinstall/base_fedora_version.sh
new file mode 100644
index 0000000..0de907f
--- /dev/null
+++ b/seed/base-fedora-38/manual/image/preinstall/base_fedora_version.sh
@@ -0,0 +1 @@
+RELEASEVER=38
diff --git a/seed/base-fedora-38/templates/login b/seed/base-fedora-38/templates/login
new file mode 100644
index 0000000..84c2f83
--- /dev/null
+++ b/seed/base-fedora-38/templates/login
@@ -0,0 +1,17 @@
+#GNUNUX File from util-linux-*.x86_64 (not installed)
+#%PAM-1.0
+auth       substack     system-auth
+auth       include      postlogin
+account    required     pam_nologin.so
+account    include      system-auth
+password   include      system-auth
+# pam_selinux.so close should be the first session rule
+session    required     pam_selinux.so close
+session    required     pam_loginuid.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session    required     pam_selinux.so open
+session    required     pam_namespace.so
+session    optional     pam_keyinit.so force revoke
+session    include      system-auth
+session    include      postlogin
+-session   optional     pam_ck_connector.so
diff --git a/seed/base-fedora/dictionaries/11_fedora-base.xml b/seed/base-fedora/dictionaries/11_fedora-base.xml
index bd5f06c..011eb79 100644
--- a/seed/base-fedora/dictionaries/11_fedora-base.xml
+++ b/seed/base-fedora/dictionaries/11_fedora-base.xml
@@ -5,6 +5,7 @@
       <file engine="none">/tmpfiles.d/fedora.conf</file>
     </service>
     <service name='logrotate' disabled="True"/>
+    <service name='logrotate' disabled="True" type="timer"/>
   </services>
   <variables>
     <variable name="os_name" type="string" description="Nom de l'OS" hidden="True">
diff --git a/seed/base-fedora/dictionaries/17_fedora-base.xml b/seed/base-fedora/dictionaries/17_fedora-base.xml
index 0983237..f2df6f9 100644
--- a/seed/base-fedora/dictionaries/17_fedora-base.xml
+++ b/seed/base-fedora/dictionaries/17_fedora-base.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <rougail version="0.10">
   <services>
-    <service name="update-ca-trust" engine="cheetah" target="multi-user"/>
+    <service name="update-ca-trust" engine="ansible" target="multi-user"/>
   </services>
   <variables>
     <variable name="tls_ca_directory" type="filename" description="Nom du répertoire des autorités de certification" hidden="True">
diff --git a/seed/base-machine/dictionaries/12_base.xml b/seed/base-machine/dictionaries/12_base.xml
index c03e7f8..97a2a80 100644
--- a/seed/base-machine/dictionaries/12_base.xml
+++ b/seed/base-machine/dictionaries/12_base.xml
@@ -12,6 +12,7 @@
     <variable name="module_name" type="string" hidden="True" provider="global:module_name" mandatory="True"/>
     <family name="network" description="Réseau">
       <variable name="server_name" description="Nom de domaine du serveur" type="domainname" hidden="True" provider="global:server_name" mandatory="True"/>
+      <variable name="last_server_name" type="domainname" hidden="True"/>
       <variable name="zones_list" type="string" multi="True" description="Liste de toutes les zones" mandatory="True" hidden="True" provider="global:zones_name"/>
       <variable name="interfaces_list" type="number" multi="True" description="Liste de tous les numéros d'interfaces" hidden="True" provider="global:zones_list"/>
       <family name="interface_" description="Interface " dynamic="interfaces_list">
@@ -47,6 +48,10 @@
       <param name="index" type="suffix"/>
       <target>gateway_eth</target>
     </fill>
+    <fill name="get_last_server_name">
+      <param type="variable">domain_name_eth</param>
+      <target>last_server_name</target>
+    </fill>
   </constraints>
 </rougail>
 
diff --git a/seed/base-machine/funcs/funcs.py b/seed/base-machine/funcs/funcs.py
index 54fe475..8985994 100644
--- a/seed/base-machine/funcs/funcs.py
+++ b/seed/base-machine/funcs/funcs.py
@@ -83,3 +83,7 @@ def get_zone_name(zones: list,
                   ):
     if zones is not None:
         return zones[int(index)]
+
+
+def get_last_server_name(server_names):
+    return server_names[-1]
diff --git a/seed/base/dictionaries/00_base.xml b/seed/base/dictionaries/00_base.xml
index dd9f34d..d119d6c 100644
--- a/seed/base/dictionaries/00_base.xml
+++ b/seed/base/dictionaries/00_base.xml
@@ -1,6 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <rougail version="0.10">
   <variables>
+    <variable name="providers" hidden="True"/>
     <variable name="copy_tests" type="boolean" mandatory="True" hidden="True"/>
   </variables>
   <constraints>
diff --git a/seed/base/funcs/base.py b/seed/base/funcs/base.py
index 3017cd1..5952af8 100644
--- a/seed/base/funcs/base.py
+++ b/seed/base/funcs/base.py
@@ -38,6 +38,7 @@ def get_zones_info(zones: dict,
                    zone_names: _List[str]=None,
                    zone_name: str=None,
                    index: int=None,
+                   uniq: bool=False,
                    ) -> str:
     if type == 'host_ip' and index != 0:
         return
@@ -47,4 +48,12 @@ def get_zones_info(zones: dict,
         if type == 'cidr':
             return zones[zone_name]['host_ip'] + '/' + zones[zone_name]['network'].split('/')[-1]
         return zones[zone_name][type]
-    return [data[type] for zone_name, data in zones.items() if not zone_names or zone_name in zone_names]
+    ret = []
+    for zone_name, data in zones.items():
+        if zone_names and zone_name not in zone_names:
+            continue
+        val = data[type]
+        if uniq and val in ret:
+            continue
+        ret.append(val)
+    return ret
diff --git a/seed/dns-local/dictionaries/13_dns-local.xml b/seed/dns-local/dictionaries/13_dns-local.xml
index aed74f0..320e0a9 100644
--- a/seed/dns-local/dictionaries/13_dns-local.xml
+++ b/seed/dns-local/dictionaries/13_dns-local.xml
@@ -2,7 +2,7 @@
 <rougail version="0.10">
   <services>
     <service name="dns-local" manage="False">
-      <file filelist="copy_tests">/tests/dns-local.yml</file>
+      <file engine="ansible" filelist="copy_tests">/tests/dns-local.yml</file>
     </service>
   </services>
   <variables>
@@ -22,5 +22,3 @@
     </fill>
   </constraints>
 </rougail>
-
-
diff --git a/seed/dns-local/templates/dns-local.yml b/seed/dns-local/templates/dns-local.yml
index dca8aa9..c4913da 100644
--- a/seed/dns-local/templates/dns-local.yml
+++ b/seed/dns-local/templates/dns-local.yml
@@ -1,25 +1,26 @@
-address: '%%domain_name_eth0'
+address: '{{ domain_name_eth0 }}'
 addresses:
-%if %%getVar('dns_client_address', None)
-- dns_address: '%%dns_client_address'
-  dns_ip: '%%ip_dns'
-%elif %%getVar('unbound_forward_address', None) is not None
-  %for %%authority in %%unbound_forward_address
-- dns_address: %%authority
-  dns_ip: %%authority.unbound_allowed_client
-  %end for
-%elif %%getVar('nsd_zones', None)
-  %for %%zone in %%nsd_zones
-    %set %%suffix = %%normalize_family(%%zone)
-    %set %%hostnames = %%nsd["nsd_zone_" + %%suffix]["hostname_" + %%suffix]["hostname_" + %%suffix]
-    %for %%hostname in %%hostnames
-- dns_address: %%{hostname}.%%zone
-  dns_ip: %%hostname["ip_" + %%suffix]
-    %end for
-  %end for
-%end if
-%if %%dns_is_only_local
+{% if 'dns_client_address' in general.network %}
+- dns_address: '{{ general.network.dns_client_address }}'
+  dns_ip: '{{ ip_dns }}'
+{% elif 'unbound_forward_address' in general.dns_resolver.forward_zones %}
+{% for authority in general.dns_resolver.forward_zones.unbound_forward_address %}
+- dns_address: {{ authority }}
+  dns_ip: {{ authority.unbound_allowed_client }}
+{% endfor %}
+{% elif 'nsd_zones' in general.dns_zone %}
+{%for zone in general.dns_zone.nsd_zones %}
+{% set suffix = zone|normalize_family %}
+{% set hostnames = nsd["nsd_zone_" + suffix]["hostname_" + suffix]["hostname_" + suffix] %}
+{% for hostname in hostnames %}
+- dns_address: {{ hostname }}.{{ zone }}
+  dns_ip: {{ hostname["ip_" + suffix] }}
+{% endfor %}
+{% endfor %}
+{% endif %}
+{% endif %}
+{% if dns_is_only_local %}
 dns_is_only_local: true
-%else
+{% else %}
 dns_is_only_local: false
-%end if
+{% endif %}
diff --git a/seed/dovecot/dictionaries/26_dovecot.xml b/seed/dovecot/dictionaries/26_dovecot.xml
index d70b96d..9232814 100644
--- a/seed/dovecot/dictionaries/26_dovecot.xml
+++ b/seed/dovecot/dictionaries/26_dovecot.xml
@@ -2,49 +2,48 @@
 <rougail version="0.10">
   <services>
     <service name="postfix" target="multi-user">
-      <override/>
+      <override engine="none"/>
       <certificate format="pem" authority="External" type="server" domain="submission_domainname" provider="mail_crt_provider" certificate_type="variable">submission_domainname</certificate>
-      <certificate format="pem" authority="Mail" owner="postfix" type="server">postfixlocal</certificate>
+      <certificate format="pem" server="last_server_name" domain="last_server_name" authority="InternalMail" owner="postfix" type="server">postfixlocal</certificate>
       <certificate authority="Mail" owner="postfix" type="server">postfix</certificate>
       <certificate authority="LDAP" owner="postfix" server="ldap_server_address">postfix_ldap_client</certificate>
       <file engine="none" source="sysuser-postfix.conf">/sysusers.d/1postfix.conf</file>
       <file engine="none" source="tmpfile-postfix.conf">/tmpfiles.d/0postfix.conf</file>
-      <file>/etc/postfix/main.cf</file>
-      <file>/etc/postfix/master.cf</file>
-      <file>/etc/postfix/relay_passwd</file>
-      <file>/etc/postfix/ldapsource.cf</file>
-      <file>/etc/postfix/sni</file>
-      <file mode="700">/sbin/risotto_backup</file>
+      <file engine="ansible">/etc/postfix/main.cf</file>
+      <file engine="none">/etc/postfix/master.cf</file>
+      <file engine="ansible">/etc/postfix/relay_passwd</file>
+      <file engine="ansible">/etc/postfix/ldapsource.cf</file>
+      <file engine="ansible">/etc/postfix/sni</file>
+      <file engine="ansible" mode="700">/sbin/risotto_backup</file>
     </service>
     <service name='dovecot-init'>
-      <override/>
-      <file>/etc/nginx/default.d/autoconfig.conf</file>
+      <override engine="none"/>
+      <file engine="none">/etc/nginx/default.d/autoconfig.conf</file>
     </service>
     <service name='nginx'>
-      <file source='config-v1.1.xml' file_type="variable" variable="mail_domains">well_known_filenames</file>
+      <file engine="ansible" source='config-v1.1.xml' file_type="variable" variable="mail_domains">well_known_filenames</file>
     </service>
     <service name="dovecot" target="multi-user">
       <certificate authority="External" type="server" domain="imap_domainname" provider="mail_crt_provider" certificate_type="variable">imap_domainname</certificate>
-      <certificate authority="IMAP" owner="dovecot" type="server">dovecot</certificate>
+      <certificate authority="IMAP" domain="last_server_name" owner="dovecot" type="server">dovecot</certificate>
       <file engine="none" source="sysuser-dovecot.conf">/sysusers.d/1dovecot.conf</file>
       <file engine="none" source="tmpfile-dovecot.conf">/tmpfiles.d/0dovecot.conf</file>
       <file engine='none'>/etc/dovecot/conf.d/10-logging.conf</file>
       <file engine='none'>/etc/dovecot/conf.d/10-auth.conf</file>
       <file engine='none'>/etc/dovecot/conf.d/10-mail.conf</file>
-      <file>/etc/dovecot/conf.d/10-master.conf</file>
-      <file>/etc/dovecot/conf.d/10-ssl.conf</file>
-      <!-- FIXME file engine='none'>/etc/dovecot/conf.d/12-managesieve.conf</file-->
+      <file engine="ansible">/etc/dovecot/conf.d/10-master.conf</file>
+      <file engine="ansible">/etc/dovecot/conf.d/10-ssl.conf</file>
       <file engine='none'>/etc/dovecot/conf.d/15-ldap.conf</file>
       <file engine='none'>/etc/dovecot/conf.d/30-service-stats.conf</file>
       <file engine='none'>/etc/dovecot/conf.d/00-risotto.conf</file>
       <!--plain authentification-->
-      <file>/etc/dovecot/conf.d/auth-ldap.conf.ext</file>
-      <file>/etc/dovecot/dovecot-ldap.conf.ext</file>
+      <file engine="none">/etc/dovecot/conf.d/auth-ldap.conf.ext</file>
+      <file engine="ansible">/etc/dovecot/dovecot-ldap.conf.ext</file>
       <!--oauth2 authentification-->
-      <file>/etc/dovecot/conf.d/auth-oauth2.conf.ext</file>
-      <file>/etc/dovecot/dovecot-oauth2.conf.ext</file>
+      <file engine="none">/etc/dovecot/conf.d/auth-oauth2.conf.ext</file>
+      <file engine="ansible">/etc/dovecot/dovecot-oauth2.conf.ext</file>
       <!--internal authentification-->
-      <file filelist="copy_tests">/tests/imap.yml</file>
+      <file engine="ansible" filelist="copy_tests">/tests/imap.yml</file>
     </service>
   </services>
   <variables>
@@ -54,7 +53,7 @@
         <value>993</value>
       </variable>
     </family>
-    <family name="annuaire">
+    <family name="ldap">
       <family name="client">
         <variable name='ldapclient_family' redefine="True">
           <value>all</value>
diff --git a/seed/dovecot/templates/10-master.conf b/seed/dovecot/templates/10-master.conf
index 848ecf3..178041a 100644
--- a/seed/dovecot/templates/10-master.conf
+++ b/seed/dovecot/templates/10-master.conf
@@ -73,7 +73,7 @@ service lmtp {
   #}
 #>GNUNUX
   inet_listener lmtp {
-    address = %%ip_eth0
+    address = {{ general.smtp.smtp_client_ip }}
     port = 8024
   }
 #<GNUNUX
diff --git a/seed/dovecot/templates/10-ssl.conf b/seed/dovecot/templates/10-ssl.conf
index bcc0669..9c1b8aa 100644
--- a/seed/dovecot/templates/10-ssl.conf
+++ b/seed/dovecot/templates/10-ssl.conf
@@ -14,17 +14,17 @@ ssl = required
 #GNUNUX ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
 #GNUNUX ssl_key = </etc/pki/dovecot/private/dovecot.pem
 #>GNUNUX
-ssl_cert = </etc/pki/tls/certs/dovecot.crt
-ssl_key = </etc/pki/tls/private/dovecot.key
-%for %%mail in %%mail_domains
-local_name %%mail.imap_domainname {
-    ssl_cert = %echo '<' + %%tls_cert_directory + '/' + %%mail.imap_domainname + '.crt'
-    ssl_key = %echo '<' + %%tls_key_directory + '/' + %%mail.imap_domainname + '.key'
+ssl_cert = <{{ general.tls_cert_directory }}/dovecot.crt
+ssl_key = <{{ general.tls_key_directory }}/dovecot.key
+{% for mail in general.mail.domain.mail_domains %}
+local_name {{ mail.imap_domainname }} {
+    ssl_cert = <{{ general.tls_cert_directory }}/{{ mail.imap_domainname }}.crt
+    ssl_key = <{{ general.tls_key_directory }}/{{ mail.imap_domainname }}.key
 }
-%end for
-local_name %%domain_name_eth0 {
-    ssl_cert = %echo '<' + %%tls_cert_directory + '/dovecot.crt'
-    ssl_key = %echo '<' + %%tls_key_directory + '/dovecot.key'
+{% endfor %}
+local_name {{ general.network.last_server_name }} {
+    ssl_cert = <{{ general.tls_cert_directory }}/dovecot.crt
+    ssl_key = <{{ general.tls_key_directory }}/dovecot.key
 }
 #<GNUNUX
 
@@ -50,7 +50,7 @@ local_name %%domain_name_eth0 {
 # large CA bundles, because it leads to excessive memory usage.
 #ssl_client_ca_dir =
 #ssl_client_ca_file =
-ssl_client_ca_file = %%tls_ca_directory/IMAP.crt
+ssl_client_ca_file = {{ general.tls_ca_directory }}/IMAP.crt
 
 # Require valid cert when connecting to a remote server
 #ssl_client_require_valid_cert = yes
diff --git a/seed/dovecot/templates/12-managesieve.conf b/seed/dovecot/templates/12-managesieve.conf
deleted file mode 100644
index c06febc..0000000
--- a/seed/dovecot/templates/12-managesieve.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# Uncomment to enable managesieve protocol:
-protocols = $protocols sieve
-
-service managesieve-login {
-  inet_listener sieve {
-    port = 4190
-  }
-
-  #inet_listener sieve_deprecated {
-  #  port = 2000
-  #}
-
-  # Number of connections to handle before starting a new process. Typically
-  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
-  # is faster. <doc/wiki/LoginProcess.txt>
-  service_count = 1
-
-  # Number of processes to always keep waiting for more connections.
-  process_min_avail = 0
-
-  # If you set service_count=0, you probably need to grow this.
-  vsz_limit = 64M
-}
diff --git a/seed/dovecot/templates/config-v1.1.xml b/seed/dovecot/templates/config-v1.1.xml
index 305ee0e..f45092d 100644
--- a/seed/dovecot/templates/config-v1.1.xml
+++ b/seed/dovecot/templates/config-v1.1.xml
@@ -1,23 +1,23 @@
 <?xml version="1.0"?>
 # GNUNUX: from https://wiki.mozilla.org/Thunderbird:Autoconfiguration:ConfigFileFormat -->
-%set %%domain = %%rougail_variable
-%set %%leader = %%mail_domains[%%mail_domains.index(%%domain)]
-%set %%imap_domain = %%leader.imap_domainname
-%set %%submission_domain = %%leader.submission_domainname
+{%set domain = rougail_variable %}
+{%set leader = general.mail.domain.mail_domains[mail_domains.index(domain)] %}
+{%set imap_domain = leader.imap_domainname %}
+{%set submission_domain = leader.submission_domainname %}
 <clientConfig version="1.1">
-  <emailProvider id="%%domain">
-    <domain>%%domain</domain>
-    <displayName>Services %%domain</displayName>
-    <displayShortName>%%domain</displayShortName>
+  <emailProvider id="{{ domain }}">
+    <domain>{{ domain }}</domain>
+    <displayName>Services {{ domain }}</displayName>
+    <displayShortName>{{ domain }}</displayShortName>
     <incomingServer type="imap">
-      <hostname>%%imap_domain</hostname>
+      <hostname>{{ imap_domain }}</hostname>
       <port>993</port>
       <socketType>SSL</socketType>
       <username>%EMAILADDRESS%</username>
       <authentication>password-cleartext</authentication>
     </incomingServer>
     <outgoingServer type="smtp">
-      <hostname>%%submission_domain</hostname>
+      <hostname>{{ submission_domain }}</hostname>
       <port>587</port>
       <socketType>STARTTLS</socketType>
       <username>%EMAILADDRESS%</username>
diff --git a/seed/dovecot/templates/dovecot-ldap.conf.ext b/seed/dovecot/templates/dovecot-ldap.conf.ext
index 0d497c9..c6c2589 100644
--- a/seed/dovecot/templates/dovecot-ldap.conf.ext
+++ b/seed/dovecot/templates/dovecot-ldap.conf.ext
@@ -24,7 +24,7 @@
 # setting isn't supported by all LDAP libraries.
 #uris = 
 #>GNUNUX
-uris = ldaps://%%ldap_server_address
+uris = ldaps://{{ general.ldap.server.ldap_server_address }}
 #<GNUNUX
 
 # Distinguished Name - the username used to login to the LDAP server.
@@ -34,8 +34,8 @@ uris = ldaps://%%ldap_server_address
 # Password for LDAP server, if dn is specified.
 #dnpass = 
 #>GNUNUX
-dn = %%ldapclient_user
-dnpass = %%ldapclient_user_password
+dn = {{ general.ldap.client.ldapclient_user }}
+dnpass = {{ general.ldap.client.ldapclient_user_password }}
 #<GNUNUX
 
 # Use SASL binding instead of the simple binding. Note that this changes
@@ -61,9 +61,9 @@ dnpass = %%ldapclient_user_password
 # Valid values: never, hard, demand, allow, try
 #tls_require_cert =
 #>GNUNUX
-tls_cert_file = %%tls_cert_directory/ldap_client.crt
-tls_key_file = %%tls_key_directory/ldap_client.key
-tls_ca_cert_file = %%tls_ca_directory/LDAP.crt
+tls_cert_file = {{ general.tls_cert_directory }}/ldap_client.crt
+tls_key_file = {{ general.tls_key_directory }}/ldap_client.key
+tls_ca_cert_file = {{ general.tls_ca_directory }}/LDAP.crt
 tls_require_cert = hard
 #>GNUNUX
 
@@ -107,7 +107,7 @@ auth_bind = yes
 # LDAP base. %variables can be used here.
 # For example: dc=mail, dc=example, dc=org
 # GNUNUX base =
-base = %%ldapclient_search_dn
+base = {{ general.ldap.client.ldapclient_search_dn }}
 
 # Dereference: never, searching, finding, always
 #deref = never
diff --git a/seed/dovecot/templates/dovecot-oauth2.conf.ext b/seed/dovecot/templates/dovecot-oauth2.conf.ext
index a445d53..5fcdd48 100644
--- a/seed/dovecot/templates/dovecot-oauth2.conf.ext
+++ b/seed/dovecot/templates/dovecot-oauth2.conf.ext
@@ -4,7 +4,7 @@
 ## url for verifying token validity. Token is appended to the URL
 # tokeninfo_url = http://endpoint/oauth/tokeninfo?access_token=
 #>GNUNUX
-tokeninfo_url = https://%%oauth2_client_server_domainname/oauth2/userinfo/?access_token=
+tokeninfo_url = https://{{ general.oauth2_client.oauth2_client_server_domainname }}/oauth2/userinfo/?access_token=
 #<GNUNUX
 
 ## introspection endpoint, used to gather extra fields and other information.
@@ -21,7 +21,7 @@ tokeninfo_url = https://%%oauth2_client_server_domainname/oauth2/userinfo/?acces
 ## Set this to yes if you are using active_attribute
 # force_introspection = no
 #>GNUNUX
-introspection_url = https://%%oauth2_client_server_domainname/oauth2/introspect/
+introspection_url = https://{{ general.oauth2_client.oauth2_client_server_domainname }}/oauth2/introspect/
 introspection_mode = post
 force_introspection = no
 #<GNUNUX
@@ -57,7 +57,7 @@ username_attribute = email
 ## URL to RFC 7628 OpenID Provider Configuration Information schema
 # openid_configuration_url =
 #>GNUNUX
-openid_configuration_url = https://%%oauth2_client_server_domainname/.well-known/openid-configuration
+openid_configuration_url = https://{{ general.oauth2_client.oauth2_client_server_domainname }}/.well-known/openid-configuration
 #<GNUNUX
 
 ## Extra fields to set in passdb response (in passdb static style)
@@ -79,8 +79,8 @@ openid_configuration_url = https://%%oauth2_client_server_domainname/.well-known
 # rawlog_dir = /tmp/oauth2
 
 #>GNUNUX
-client_id = %%oauth2_client_id
-client_secret = %%oauth2_client_secret
+client_id = {{ general.oauth2_client.oauth2_client_id }}
+client_secret = {{ general.oauth2_client.oauth2_client_secret }}
 #<GNUNUX
 
 ## TLS settings
diff --git a/seed/dovecot/templates/external_imap.crt b/seed/dovecot/templates/external_imap.crt
deleted file mode 100644
index 58eb355..0000000
--- a/seed/dovecot/templates/external_imap.crt
+++ /dev/null
@@ -1,2 +0,0 @@
-%%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)
-
diff --git a/seed/dovecot/templates/external_imap.key b/seed/dovecot/templates/external_imap.key
deleted file mode 100644
index 1c195f4..0000000
--- a/seed/dovecot/templates/external_imap.key
+++ /dev/null
@@ -1 +0,0 @@
-%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)
diff --git a/seed/dovecot/templates/imap.yml b/seed/dovecot/templates/imap.yml
index d90e4f4..08896ee 100644
--- a/seed/dovecot/templates/imap.yml
+++ b/seed/dovecot/templates/imap.yml
@@ -1,12 +1,12 @@
-%set %%username="rougail_test@silique.fr"
-%set %%username_family="rougail_test@gnunux.info"
-%set %%name_family="gnunux"
-address: %%ip_eth0
-dns: %%domain_name_eth0
-username: %%username
-password: %%get_password(server_name='test', username=%%username, description="test", type="cleartext", hide=%%hide_secret, temporary=True)
-username_family: %%username_family
-password_family: %%get_password(server_name='test', username=%%username_family, description='test', type="cleartext", hide=%%hide_secret, temporary=True)
-name_family: %%name_family
-smtp: %%smtp_relay_ip
+{%set username="rougail_test@silique.fr" %}
+{%set username_family="rougail_test@gnunux.info" %}
+{%set name_family="gnunux" %}
+address: {{ general.network.interface_0.ip_eth0 }}
+dns: {{ general.network.interface_0.domain_name_eth0 }}
+username: {{ username }}
+password: {{ username|get_password(server_name='test', description="test", type="cleartext", hide=hide_secret, temporary=True) }}
+username_family: {{ username_family }}
+password_family: {{ username_family|get_password(server_name='test', description='test', type="cleartext", hide=hide_secret, temporary=True)
+name_family: {{ name_family }}
+smtp: {{ general.smtp.smtp_relay_ip }}
 ext_username: 'test@example.net'
diff --git a/seed/dovecot/templates/ldapsource.cf b/seed/dovecot/templates/ldapsource.cf
index 76283fd..efe0114 100644
--- a/seed/dovecot/templates/ldapsource.cf
+++ b/seed/dovecot/templates/ldapsource.cf
@@ -1,13 +1,13 @@
-server_host = ldaps://%%ldap_server_address
-server_port = %%ldap_port
-tls_cert = %%tls_cert_directory/postfix_ldap_client.crt
-tls_key = %%tls_key_directory/postfix_ldap_client.key
-tls_ca_cert_file = %%tls_ca_directory/LDAP.crt
+server_host = ldaps://{{ general.ldap.server.ldap_server_address }}
+server_port = {{ general.ldap.server.ldap_port }}
+tls_cert = {{ general.tls_cert_directory }}/postfix_ldap_client.crt
+tls_key = {{ general.tls_key_directory }}/postfix_ldap_client.key
+tls_ca_cert_file = {{ general.tls_ca_directory }}/LDAP.crt
 tls_require_cert = yes
 version = 3
 bind = yes
-bind_dn = %%ldapclient_user
-bind_pw = %%ldapclient_user_password
-search_base = %%ldapclient_search_dn
+bind_dn = {{ general.ldap.client.ldapclient_user }}
+bind_pw = {{ general.ldap.client.ldapclient_user_password }}
+search_base = {{ general.ldap.client.ldapclient_search_dn }}
 query_filter = (mailLocalAddress=%s)
 result_attribute = cn
diff --git a/seed/dovecot/templates/main.cf b/seed/dovecot/templates/main.cf
index 7619d05..e53872e 100644
--- a/seed/dovecot/templates/main.cf
+++ b/seed/dovecot/templates/main.cf
@@ -95,7 +95,7 @@ mail_owner = postfix
 #
 #myhostname = host.domain.tld
 #myhostname = virtual.domain.tld
-myhostname = %%domain_name_eth0
+myhostname = {{ general.network.interface_0.domain_name_eth0 }}
 
 # The mydomain parameter specifies the local internet domain name.
 # The default is to use $myhostname minus the first component.
@@ -119,7 +119,7 @@ myhostname = %%domain_name_eth0
 #
 #myorigin = $myhostname
 #myorigin = $mydomain
-myorigin = %%domain_name_eth0
+myorigin = {{ general.network.interface_0.domain_name_eth0 }}
 
 # RECEIVING MAIL
 
@@ -359,7 +359,7 @@ mynetworks = 127.0.0.0/8
 #relayhost = uucphost
 #relayhost = [an.ip.add.ress]
 #>GNUNUX
-relayhost = %%smtp_relay_address
+relayhost = {{ general.smtp.smtp_relay_address }}
 smtp_sasl_auth_enable = yes
 smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd
 smtp_sasl_security_options = noanonymous
@@ -742,15 +742,15 @@ readme_directory = /usr/share/doc/postfix/README_FILES
 # in PEM format. Intermediate certificates should be included in general,
 # the server certificate first, then the issuing CA(s) (bottom-up order).
 #
-smtpd_tls_cert_file = %%tls_cert_directory/postfix.crt
+smtpd_tls_cert_file = {{ general.tls_cert_directory }}/postfix.crt
 
 # The full pathname of a file with the Postfix SMTP server RSA private key
 # in PEM format. The private key must be accessible without a pass-phrase,
 # i.e. it must not be encrypted.
 #
-smtpd_tls_key_file = %%tls_key_directory/postfix.key
+smtpd_tls_key_file = {{ general.tls_key_directory }}/postfix.key
 
-smtpd_tls_CApath = %%tls_ca_directory
+smtpd_tls_CApath = {{ general.tls_ca_directory }}
 #>GNUNUX
 tls_server_sni_maps = hash:/etc/postfix/sni
 #<GNUNUX
@@ -762,13 +762,13 @@ smtpd_tls_security_level = may
 # Directory with PEM format Certification Authority certificates that the
 # Postfix SMTP client uses to verify a remote SMTP server certificate.
 #
-smtp_tls_CApath = %%tls_ca_directory
+smtp_tls_CApath = {{ general.tls_ca_directory }}
 
 # The full pathname of a file containing CA certificates of root CAs
 # trusted to sign either remote SMTP server certificates or intermediate CA
 # certificates.
 #
-smtp_tls_CAfile = %%tls_ca_directory/Mail.crt
+smtp_tls_CAfile = {{ general.tls_ca_directory }}/Mail.crt
 
 # Use TLS if this is supported by the remote SMTP server, otherwise use
 # plaintext (opportunistic TLS outbound).
@@ -800,11 +800,11 @@ smtpd_sasl_path = /srv/dovecot/auth
 broken_sasl_auth_clients = yes
 
 dovecot_destination_recipient_limit = 1
-%set %%domains = []
-%for %%domain in %%mail_domains
-%%domains.append(%%str(%%domain))%slurp
-%end for
-virtual_mailbox_domains = %echo ', '.join(%%domains)
+{% set domains = [] %}
+{% for domain in general.mail.domain.mail_domains %}
+{{ domains.append(domain|string) }}
+{% endfor %}
+virtual_mailbox_domains = {{ domains|join(', ') }}
 virtual_alias_maps = ldap:/etc/postfix/ldapsource.cf
 virtual_minimum_uid = 1000
 #vmail uid
diff --git a/seed/dovecot/templates/postfix_sni.pem b/seed/dovecot/templates/postfix_sni.pem
deleted file mode 100644
index 7e5f219..0000000
--- a/seed/dovecot/templates/postfix_sni.pem
+++ /dev/null
@@ -1,3 +0,0 @@
-%set %%cert = %%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)
-%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)
-%%cert
diff --git a/seed/dovecot/templates/relay_passwd b/seed/dovecot/templates/relay_passwd
index b9d81ca..401f573 100644
--- a/seed/dovecot/templates/relay_passwd
+++ b/seed/dovecot/templates/relay_passwd
@@ -1,2 +1,2 @@
-%%smtp_relay_address	%%smtp_relay_user@%%ip_eth0:%%smtp_relay_password
+{{ general.smtp.smtp_relay_address }}	{{ general.smtp.smtp_relay_user }}@{{ general.smtp.smtp_client_ip }}:{{ general.smtp.smtp_relay_password }}
 
diff --git a/seed/dovecot/templates/risotto_backup b/seed/dovecot/templates/risotto_backup
index 0af0b0c..53d8b16 100644
--- a/seed/dovecot/templates/risotto_backup
+++ b/seed/dovecot/templates/risotto_backup
@@ -1,6 +1,6 @@
-%echo "#!/bin/bash"
+#!/bin/bash
 
-BACKUP_DIR="%%backup_dir"
+BACKUP_DIR="{{ general.backup_dir }}"
 
 mkdir -p $BACKUP_DIR
 chown vmail: $BACKUP_DIR
@@ -14,7 +14,7 @@ done
 ls $BACKUP_DIR | while read $user; do
     if [ ! -f $BACKUP_DIR/$user.done ]; then
         rm -rf $BACKUP_DIR/$user
-    if
+    fi
 done
 rm -f $BACKUP_DIR/*.done
 
diff --git a/seed/dovecot/templates/sni b/seed/dovecot/templates/sni
index 039e1a0..fd4ec13 100644
--- a/seed/dovecot/templates/sni
+++ b/seed/dovecot/templates/sni
@@ -1,4 +1,4 @@
-%for %%name in %%mail_domains
-%%name.submission_domainname %%tls_key_directory/%%{name.submission_domainname}.pem
-%end for
-%%domain_name_eth0 %%tls_key_directory/postfixlocal.pem
+{% for name in general.mail.domain.mail_domains %}
+{{ name.submission_domainname }} {{ general.tls_key_directory }}/{{ name.submission_domainname }}.pem
+{% endfor %}
+{{ general.network.last_server_name }} {{ general.tls_key_directory }}/postfixlocal.pem
diff --git a/seed/forgejo/applicationservice.yml b/seed/forgejo/applicationservice.yml
index 94bafad..e918dc8 100644
--- a/seed/forgejo/applicationservice.yml
+++ b/seed/forgejo/applicationservice.yml
@@ -2,7 +2,7 @@ format: '0.1'
 description: Forgejo, a community managed lightweight code hosting solution
 website: https://forgejo.org/
 depends:
-  - base-fedora-37
+  - base-fedora-38
   - postgresql-client
   - reverse-proxy-client
   - relay-mail-client
diff --git a/seed/forgejo/dictionaries/31_forgejo.xml b/seed/forgejo/dictionaries/31_forgejo.xml
index 0526f16..290b6c4 100644
--- a/seed/forgejo/dictionaries/31_forgejo.xml
+++ b/seed/forgejo/dictionaries/31_forgejo.xml
@@ -1,11 +1,11 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
   <services>
-    <service name="forgejo" target="multi-user" engine="cheetah">
+    <service name="forgejo" target="multi-user" engine="ansible">
       <file engine="none" source="sysuser-forgejo.conf">/sysusers.d/0forgejo.conf</file>
       <file engine="none" source="tmpfile-forgejo.conf">/tmpfiles.d/0forgejo.conf</file>
-      <file>/etc/forgejo/app.ini</file>
-      <file filelist="copy_tests">/tests/forgejo.yml</file>
+      <file engine="ansible">/etc/forgejo/app.ini</file>
+      <file engine="ansible" filelist="copy_tests">/tests/forgejo.yml</file>
     </service>
   </services>
   <variables>
diff --git a/seed/forgejo/templates/app.ini b/seed/forgejo/templates/app.ini
index acd9426..0cc7e43 100644
--- a/seed/forgejo/templates/app.ini
+++ b/seed/forgejo/templates/app.ini
@@ -1,7 +1,4 @@
 #RISOTTO: https://codeberg.org/forgejo/forgejo/raw/branch/forgejo/custom/conf/app.example.ini
-%compiler-settings
-commentStartToken = ;
-%end compiler-settings
 ; This file lists the default values used by Gitea
 ;; Copy required sections to your own app.ini (default is custom/conf/app.ini)
 ;; and modify as needed.
@@ -50,7 +47,7 @@ commentStartToken = ;
 ;; App name that shows in every page title
 ;>GNUNUX
 ;APP_NAME = ; Gitea: Git with a cup of tea
-APP_NAME = %%forgejo_title
+APP_NAME = {{ general.forgejo.forgejo_title }}
 ;<GNUNUX
 ;;
 ;; RUN_USER will automatically detect the current user - but you can set it here change it if you run locally
@@ -89,13 +86,13 @@ PROTOCOL         = https
 ;; Set the domain for the server
 ;DOMAIN = localhost
 ;>GNUNUX
-DOMAIN           = %%revprox_client_external_domainnames[0]
+DOMAIN           = {{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}
 ;<GNUNUX
 ;;
 ;; Overwrite the automatically generated public URL. Necessary for proxies and docker.
 ;ROOT_URL = %(PROTOCOL)s://%(DOMAIN)s:%(HTTP_PORT)s/
 ;>GNUNUX
-ROOT_URL         = https://%%revprox_client_external_domainnames[0]%%revprox_client_external_domainnames[0]revprox_client_location
+ROOT_URL         = https://{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}{{ general.revprox.revprox_client.revprox_client_external_domainnames[0]['revprox_client_location'] }}
 ;<GNUNUX
 ;;
 ;; when STATIC_URL_PREFIX is empty it will follow ROOT_URL
@@ -146,7 +143,7 @@ HTTP_PORT        = 3000
 ;; Do not set this variable if PROTOCOL is set to 'unix'.
 ;LOCAL_ROOT_URL = %(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/
 ;>GNUNUX
-LOCAL_ROOT_URL   = https://%%domain_name_eth0:3000/
+LOCAL_ROOT_URL   = https://{{ general.network.interface_0.domain_name_eth0 }}:3000/
 ;<GNUNUX
 ;;
 ;; When making local connections pass the PROXY protocol header.
@@ -176,7 +173,7 @@ BUILTIN_SSH_SERVER_USER = "git"
 ;; Domain name to be exposed in clone URL
 ;SSH_DOMAIN = %(DOMAIN)s
 ;>GNUNUX
-SSH_DOMAIN       = %%revprox_client_external_domainnames[0]
+SSH_DOMAIN       = {{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}
 ;<GNUNUX
 ;;
 ;; SSH username displayed in clone URLs.
@@ -188,13 +185,13 @@ SSH_DOMAIN       = %%revprox_client_external_domainnames[0]
 ;; Port number to be exposed in clone URL
 ;SSH_PORT = 22
 ;>GNUNUX
-SSH_PORT         = %%incoming_ports[0]
+SSH_PORT         = {{ general.network.incoming_ports[0] }}
 ;<GNUNUX
 ;;
 ;; The port number the builtin SSH server should listen on
 ;SSH_LISTEN_PORT = %(SSH_PORT)s
 ;>GNUNUX
-SSH_LISTEN_PORT  = %%incoming_ports[0]
+SSH_LISTEN_PORT  = {{ general.network.incoming_ports[0] }}
 ;<GNUNUX
 ;;
 ;; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'.
@@ -319,8 +316,8 @@ OFFLINE_MODE     = true
 ;CERT_FILE = https/cert.pem
 ;KEY_FILE = https/key.pem
 ;>GNUNUX
-CERT_FILE        = %%tls_cert_directory/revprox.crt
-KEY_FILE         = %%tls_key_directory/revprox.key
+CERT_FILE        = {{ general.tls_cert_directory }}/revprox.crt
+KEY_FILE         = {{ general.tls_key_directory }}/revprox.key
 ;<GNUNUX
 ;;
 ;; Root directory containing templates and static files.
@@ -355,7 +352,7 @@ LFS_START_SERVER = true
 ;; LFS authentication secret, change this yourself
 ;>GNUNUX
 ;LFS_JWT_SECRET =
-LFS_JWT_SECRET   = %%forgejo_lfs_jwt_secret
+LFS_JWT_SECRET   = {{ general.forgejo.forgejo_lfs_jwt_secret }}
 ;<GNUNUX
 ;;
 ;; LFS authentication validity period (in time.Duration), pushes taking longer than this may fail.
@@ -419,10 +416,10 @@ LFS_JWT_SECRET   = %%forgejo_lfs_jwt_secret
 ;SSL_MODE=disable ;either "disable" (default), "require", or "verify-full"
 ;>GNUNUX
 DB_TYPE  = postgres
-HOST     = %%pg_client_server_domainname:5432
-NAME     = %%pg_client_database
-USER     = %%pg_client_username
-PASSWD   = %%pg_client_password
+HOST     = {{ general.postgresql.pg_client_server_domainname }}:5432
+NAME     = {{ general.postgresql.pg_client_database }}
+USER     = {{ general.postgresql.pg_client_username }}
+PASSWD   = {{ general.postgresql.pg_client_password }}
 SCHEMA   =
 SSL_MODE = verify-full
 CHARSET  = utf8
@@ -492,7 +489,7 @@ INSTALL_LOCK = true
 ;; This key is VERY IMPORTANT. If you lose it, the data encrypted by it (like 2FA secret) can't be decrypted anymore.
 ;>GNUNUX
 ;SECRET_KEY =
-SECRET_KEY     = %%forgejo_secret_key
+SECRET_KEY     = {{ general.forgejo.forgejo_secret_key }}
 ;<GNUNUX
 ;;
 ;; Alternative location to specify secret key, instead of this file; you cannot specify both this and SECRET_KEY, and must pick one
@@ -502,7 +499,7 @@ SECRET_KEY     = %%forgejo_secret_key
 ;; Secret used to validate communication within Gitea binary.
 ;>GNUNUX
 ;INTERNAL_TOKEN=
-INTERNAL_TOKEN     = %%forgejo_internal_token
+INTERNAL_TOKEN     = {{ general.forgejo.forgejo_internal_token }}
 ;<GNUNUX
 ;;
 ;; Alternative location to specify internal token, instead of this file; you cannot specify both this and INTERNAL_TOKEN, and must pick one
@@ -671,7 +668,7 @@ ROUTER = console
 ;ACCESS = file
 ;;
 ;; Sets the template used to create the access log.
-;ACCESS_LOG_TEMPLATE = {{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.URL.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}"
+{#;ACCESS_LOG_TEMPLATE = {{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.URL.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}" #}
 ;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
@@ -1760,7 +1757,7 @@ PROTOCOL  = smtp+starttls
 ;; (Before 1.18, see the notice, this was combined with SMTP_PORT as HOST.)
 ;SMTP_ADDR =
 ;>GNUNUX
-SMTP_ADDR = %%smtp_relay_address
+SMTP_ADDR = {{ smtp_relay_address }}
 ;<GNUNUX
 ;;
 ;; Mail server port. Common ports are:
@@ -1793,7 +1790,7 @@ SMTP_PORT = 25
 ;; Mail from address, RFC 5322. This can be just an email address, or the `"Name" <email@example.com>` format
 ;FROM =
 ;>GNUNUX
-FROM      = %%forgejo_mail_sender
+FROM      = {{ general.forgejo.forgejo_mail_sender }}
 ;<GNUNUX
 ;;
 ;; Sometimes it is helpful to use a different address on the envelope. Set this to use ENVELOPE_FROM as the from on the envelope. Set to `<>` to send an empty address.
@@ -1802,13 +1799,13 @@ FROM      = %%forgejo_mail_sender
 ;; Mailer user name and password, if required by provider.
 ;USER =
 ;>GNUNUX
-USER      = %%smtp_relay_user@%%ip_eth0
+USER      = {{ general.smtp.smtp_relay_user }}@{{ general.smtp.smtp_client_ip }}
 ;<GNUNUX
 ;;
 ;; Use PASSWD = `your password` for quoting if you use special characters in the password.
 ;PASSWD =
 ;>GNUNUX
-PASSWD    = %%smtp_relay_password
+PASSWD    = {{ general.smtp.smtp_relay_password }}
 ;<GNUNUX
 ;;
 ;; Send mails only in plain text, without HTML alternative
@@ -1857,7 +1854,7 @@ ADAPTER = redis
 ;; twoqueue: `{"size":50000,"recent_ratio":0.25,"ghost_ratio":0.5}` or `50000`
 ;HOST =
 ;>GNUNUX
-HOST = network=tcp,addr=%%redis_client_server_domainname:6379,username=%%redis_client_username,password=%%redis_client_password,db=0,pool_size=100,idle_timeout=180
+HOST = network=tcp,addr={{ general.redis.redis_client_server_domainname }}:6379,username={{ general.redis.redis_client_username }},password={{ general.redis.redis_client_password }},db={{ general.redis.redis_client_index }},pool_size=100,idle_timeout=180
 ;<GNUNUX
 ;;
 ;; Time to keep items in cache if not used, default is 16 hours.
@@ -1904,7 +1901,7 @@ PROVIDER = redis
 ;; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table`
 ;PROVIDER_CONFIG = data/sessions ; Relative paths will be made absolute against _`AppWorkPath`_.
 ;>GNUNUX
-PROVIDER_CONFIG = network=tcp,addr=%%redis_client_server_domainname:6379,password=%%redis_client_password,db=0,pool_size=100,idle_timeout=180
+PROVIDER_CONFIG = network=tcp,addr={{ general.redis.redis_client_server_domainname }}:6379,password={{ general.redis.redis_client_password }},db={{ general.redis.redis_client_index }},pool_size=100,idle_timeout=180
 ;<GNUNUX
 ;;
 ;; Session cookie name
diff --git a/seed/forgejo/templates/forgejo.service b/seed/forgejo/templates/forgejo.service
index 136c221..5e8dce4 100644
--- a/seed/forgejo/templates/forgejo.service
+++ b/seed/forgejo/templates/forgejo.service
@@ -20,17 +20,17 @@ User=forgejo
 Group=forgejo
 WorkingDirectory=/srv/forgejo/lib/
 ExecStart=/usr/bin/forgejo web --config /etc/forgejo/app.ini
-ExecStartPre=/bin/bash -c '%slurp
-/usr/bin/forgejo migrate --config /etc/forgejo/app.ini;%slurp
-if /usr/bin/forgejo admin auth list --config /etc/forgejo/app.ini | grep "OAuth2"; then %slurp
-  echo "UPDATE";%slurp
-  id=$(/usr/bin/forgejo --config /etc/forgejo/app.ini admin auth list |tail -n 1|awk "{ print \$1}");%slurp
-  /usr/bin/forgejo admin auth update-oauth --id $id --name "%%domain_name_eth0" --provider "openidConnect" --key "%%oauth2_client_id" --secret "%%oauth2_client_secret" --scopes "profile email" --auto-discover-url "https://%%oauth2_client_server_domainname/.well-known/openid-configuration" --config /etc/forgejo/app.ini;%slurp
-else %slurp
-  echo "CONFIGURE";%slurp
-  /usr/bin/forgejo admin auth add-oauth --name "%%domain_name_eth0" --provider "openidConnect" --key "%%oauth2_client_id" --secret "%%oauth2_client_secret" --scopes "profile email" --auto-discover-url "https://%%oauth2_client_server_domainname/.well-known/openid-configuration" --config /etc/forgejo/app.ini;%slurp
-fi;%slurp
-sleep 2;%slurp
+ExecStartPre=/bin/bash -c '{% if True -%}{% endif -%}
+/usr/bin/forgejo migrate --config /etc/forgejo/app.ini;{% if True -%}{% endif -%}
+if /usr/bin/forgejo admin auth list --config /etc/forgejo/app.ini | grep "OAuth2"; then {% if True -%}{% endif -%}
+  echo "UPDATE";{% if True -%}{% endif -%}
+  id=$(/usr/bin/forgejo --config /etc/forgejo/app.ini admin auth list |tail -n 1|awk "{ print \$1}");{% if True -%}{% endif -%}
+  /usr/bin/forgejo admin auth update-oauth --id $id --name "{{ general.network.interface_0.domain_name_eth0 }}" --provider "openidConnect" --key "{{ general.oauth2_client.oauth2_client_id }}" --secret "{{ general.oauth2_client.oauth2_client_secret }}" --scopes "profile email" --auto-discover-url "https://{{ general.oauth2_client.oauth2_client_server_domainname }}/.well-known/openid-configuration" --config /etc/forgejo/app.ini;{% if True -%}{% endif -%}
+else {% if True -%}{% endif -%}
+  echo "CONFIGURE";{% if True -%}{% endif -%}
+  /usr/bin/forgejo admin auth add-oauth --name "{{ general.network.interface_0.domain_name_eth0 }}" --provider "openidConnect" --key "{{ general.oauth2_client.oauth2_client_id }}" --secret "{{ general.oauth2_client.oauth2_client_secret }}" --scopes "profile email" --auto-discover-url "https://{{ general.oauth2_client.oauth2_client_server_domainname }}/.well-known/openid-configuration" --config /etc/forgejo/app.ini;{% if True -%}{% endif -%}
+fi;{% if True -%}{% endif -%}
+sleep 2;{% if True -%}{% endif -%}
 echo "CONFIGURATION DONE"'
 Restart=always
 Environment=GITEA_WORK_DIR=/srv/forgejo/lib
diff --git a/seed/forgejo/templates/forgejo.yml b/seed/forgejo/templates/forgejo.yml
index 49d6943..4bd2311 100644
--- a/seed/forgejo/templates/forgejo.yml
+++ b/seed/forgejo/templates/forgejo.yml
@@ -1,11 +1,11 @@
-%set %%username="rougail_test@silique.fr"
-ip: %%ip_eth0
-revprox_ip: %%revprox_client_server_ip
-%set %%domain = %%revprox_client_external_domainnames[0]
-base_url: https://%%domain%%domain.revprox_client_location
-auth_url: %%oauth2_client_external[0]
-auth_server: %%oauth2_server_domainname
-username: %%username
-password: %%get_password(server_name='test', username=%%username, description='test', type="cleartext", hide=%%hide_secret, temporary=True)
-forgejo_title: "%%forgejo_title"
-git_url: "[%%domain]:%%incoming_ports[0]"
+{% set username="rougail_test@silique.fr" %}
+ip: {{ general.network.interface_0.ip_eth0 }}
+revprox_ip: {{ general.revprox.revprox_client.revprox_client_server_ip }}
+{% set domain = {{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}
+base_url: https://{{ domain }}{{domain.revprox_client_location }}
+auth_url: {{ general.oauth2_client.oauth2_client_external[0] }}
+auth_server: {{ general.oauth2_client.oauth2_server_domainname }}
+username: {{ username }}
+password: {{ username|get_password(server_name='test', description='test', type="cleartext", hide=hide_secret, temporary=True) }}
+forgejo_title: "{{ general.forgejo.forgejo_title }}"
+git_url: "[{{ domain] }}:{{ general.network.incoming_ports[0] }}"
diff --git a/seed/grafana/DEBUG.md b/seed/grafana/DEBUG.md
new file mode 100644
index 0000000..67c2c0a
--- /dev/null
+++ b/seed/grafana/DEBUG.md
@@ -0,0 +1,2 @@
+sed -i "s/;level = info/level = debug/g" /etc/grafana/grafana.ini 
+systemctl restart grafana-server
diff --git a/seed/grafana/applicationservice.yml b/seed/grafana/applicationservice.yml
new file mode 100644
index 0000000..e99772d
--- /dev/null
+++ b/seed/grafana/applicationservice.yml
@@ -0,0 +1,9 @@
+format: '0.1'
+description: Grafana is an analytics and interactive visualization web application
+website: https://grafana.com/
+depends:
+  - base-fedora-38
+  - postgresql-client
+  - oauth2-client
+  - reverse-proxy-client
+  - relay-mail-client
diff --git a/seed/grafana/dictionaries/31_grafana.xml b/seed/grafana/dictionaries/31_grafana.xml
new file mode 100644
index 0000000..6b63d30
--- /dev/null
+++ b/seed/grafana/dictionaries/31_grafana.xml
@@ -0,0 +1,67 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name="grafana-server" target="multi-user">
+      <override engine="none"/>
+      <file engine="ansible">/etc/grafana/grafana.ini</file>
+      <file engine="ansible">/etc/sysconfig/grafana-server</file>
+      <file engine="none" source="tmpfile-grafana.conf">/tmpfiles.d/0grafana.conf</file>
+    </service>
+  </services>
+  <variables>
+    <family name="grafana">
+      <variable name="admin_password" type="password" description="Mot de passe de l'administrateur" hidden="True"/>
+    </family>
+    <family name="revprox">
+      <family name="revprox_client">
+        <variable name="revprox_client_local_location" redefine="True">
+          <value>/</value>
+        </variable>
+      </family>
+      <variable name="revprox_client_port" redefine="True">
+        <value>3000</value>
+      </variable>
+      <variable name="revprox_client_cert_owner" redefine="True">
+        <value>grafana</value>
+      </variable>
+    </family>
+    <family name="oauth2_client">
+      <variable name="oauth2_is_client_application" redefine='True'>
+        <value>True</value>
+      </variable>
+      <variable name="oauth2_client_name" redefine='True'>
+        <value>Grafana</value>
+      </variable>
+      <variable name="oauth2_client_description" redefine='True'>
+        <value>Visualisation de données</value>
+      </variable>
+      <variable name="oauth2_client_category" redefine='True'>
+        <value>Administration</value>
+      </variable>
+      <variable name="oauth2_client_logo" redefine='True'>
+        <value>silique_note.png</value>
+      </variable>
+      <variable name="oauth2_client_token_signature_algo" redefine="True">
+        <value>RS256</value>
+      </variable>
+      <variable name="oauth2_email_domain" type="domainname" description="Domain name allowed to log on Grafana" mandatory="True"/>
+    </family>
+    <family name="postgresql">
+      <variable name="pg_client_key_owner" redefine="True">
+        <value>grafana</value>
+      </variable>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="get_password">
+      <param name="server_name" type="variable">domain_name_eth0</param>
+      <param name="username">admin</param>
+      <param name="description">admin</param>
+      <param name="type">cleartext</param>
+      <param name="hide" type="variable">hide_secret</param>
+      <param name="temporary" type="boolean">True</param>
+      <target>admin_password</target>
+    </fill>
+  </constraints>
+</rougail>
+
diff --git a/seed/grafana/manual/image/postinstall/grafana.sh b/seed/grafana/manual/image/postinstall/grafana.sh
new file mode 100644
index 0000000..f78a34b
--- /dev/null
+++ b/seed/grafana/manual/image/postinstall/grafana.sh
@@ -0,0 +1,11 @@
+mkdir -p $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/grafana/plugins
+#echo """#!/bin/bash -xe
+#grafana-cli plugins install grafana-image-renderer
+#mkdir -p /usr/lib/grafana
+#mv /var/lib/grafana/plugins/ /usr/lib/grafana/
+#""" > $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/install.sh
+#chmod 755 $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/install.sh
+#mv $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/etc/resolv.conf /tmp
+#echo "nameserver 9.9.9.9" > $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/etc/resolv.conf
+#chroot $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP /install.sh
+#mv -f /tmp/resolv.conf $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/etc/resolv.conf
diff --git a/seed/grafana/manual/image/preinstall/grafana.sh b/seed/grafana/manual/image/preinstall/grafana.sh
new file mode 100644
index 0000000..6e6c00f
--- /dev/null
+++ b/seed/grafana/manual/image/preinstall/grafana.sh
@@ -0,0 +1 @@
+PKG="$PKG grafana"
diff --git a/seed/grafana/templates/grafana-server b/seed/grafana/templates/grafana-server
new file mode 100644
index 0000000..3aa9e10
--- /dev/null
+++ b/seed/grafana/templates/grafana-server
@@ -0,0 +1,30 @@
+GRAFANA_USER=grafana
+
+GRAFANA_GROUP=grafana
+
+#>GNUNUX
+#GRAFANA_HOME=/usr/share/grafana
+GRAFANA_HOME=/srv/grafana/home
+#<GNUNUX
+
+LOG_DIR=/var/log/grafana
+
+#>GNUNUX
+#DATA_DIR=/var/lib/grafana
+DATA_DIR=/srv/grafana/var
+#<GNUNUX
+
+MAX_OPEN_FILES=10000
+
+CONF_DIR=/etc/grafana
+
+CONF_FILE=/etc/grafana/grafana.ini
+
+RESTART_ON_UPGRADE=true
+
+PLUGINS_DIR=/var/lib/grafana/plugins
+
+PROVISIONING_CFG_DIR=/etc/grafana/provisioning
+
+# Only used on systemd systems
+PID_FILE_DIR=/var/run/grafana
diff --git a/seed/grafana/templates/grafana-server.service b/seed/grafana/templates/grafana-server.service
new file mode 100644
index 0000000..d5cf401
--- /dev/null
+++ b/seed/grafana/templates/grafana-server.service
@@ -0,0 +1,5 @@
+[Unit]
+After=risotto.target
+
+[Service]
+GRAFANA_HOME=/srv/grafana/home
diff --git a/seed/grafana/templates/grafana.ini b/seed/grafana/templates/grafana.ini
new file mode 100644
index 0000000..045251c
--- /dev/null
+++ b/seed/grafana/templates/grafana.ini
@@ -0,0 +1,1262 @@
+##################### Grafana Configuration Example #####################
+#
+# Everything has defaults so you only need to uncomment things you want to
+# change
+
+# possible values : production, development
+;app_mode = production
+
+# instance name, defaults to HOSTNAME environment variable value or hostname if HOSTNAME var is empty
+;instance_name = ${HOSTNAME}
+
+# force migration will run migrations that might cause dataloss
+;force_migration = false
+
+#################################### Paths ####################################
+[paths]
+# Path to where grafana can store temp files, sessions, and the sqlite3 db (if that is used)
+data = /srv/grafana/var
+
+# Temporary files in `data` directory older than given duration will be removed
+;temp_data_lifetime = 24h
+
+# Directory where grafana can store logs
+;logs = /var/log/grafana
+
+# Directory where grafana will automatically scan and look for plugins
+;plugins = /var/lib/grafana/plugins
+#>GNUNUX
+plugins = /usr/lib/grafana/plugins
+#<GNUNUX
+
+# folder that contains provisioning config files that grafana will apply on startup and while running.
+;provisioning = conf/provisioning
+
+#################################### Server ####################################
+[server]
+# Protocol (http, https, h2, socket)
+;protocol = http
+#>GNUNUX
+protocol = https
+#<GNUNUX
+
+# The ip address to bind to, empty will bind to all interfaces
+;http_addr =
+
+# The http port  to use
+;http_port = 3000
+
+# The public facing domain name used to access grafana from a browser
+;domain = localhost
+
+# Redirect to correct domain if host header does not match domain
+# Prevents DNS rebinding attacks
+;enforce_domain = false
+
+# The full public facing url you use in browser, used for redirects and emails
+# If you use reverse proxy and sub path specify full url (with sub path)
+;root_url = %(protocol)s://%(domain)s:%(http_port)s/
+#>GNUNUX
+{% set location = general.revprox.revprox_client.revprox_client_external_domainnames[0].revprox_client_location %}
+{% if location.endswith('/') %}
+{% set location = location[:-1] %}
+{% endif %}
+root_url = https://{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}{{ location }}
+#<GNUNUX
+
+# Serve Grafana from subpath specified in `root_url` setting. By default it is set to `false` for compatibility reasons.
+;serve_from_sub_path = false
+
+# Log web requests
+;router_logging = false
+
+# the path relative working path
+;static_root_path = public
+
+# enable gzip
+;enable_gzip = false
+
+# https certs & key file
+;cert_file =
+;cert_key =
+#>GNUNUX
+cert_file = {{ tls_cert_directory }}/revprox.crt
+cert_key = {{ tls_key_directory }}/revprox.key;
+#<GNUNUX
+
+# Unix socket path
+;socket =
+
+# CDN Url
+;cdn_url =
+
+# Sets the maximum time using a duration format (5s/5m/5ms) before timing out read of an incoming request and closing idle connections.
+# `0` means there is no timeout for reading the request.
+;read_timeout = 0
+
+#################################### Database ####################################
+[database]
+# You can configure the database connection by specifying type, host, name, user and password
+# as separate properties or as on string using the url properties.
+
+# Either "mysql", "postgres" or "sqlite3", it's your choice
+;type = sqlite3
+;host = 127.0.0.1:3306
+;name = grafana
+;user = root
+# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
+;password =
+
+# Use either URL or the previous fields to configure the database
+# Example: mysql://user:secret@host:port/database
+;url =
+
+# For "postgres" only, either "disable", "require" or "verify-full"
+;ssl_mode = disable
+
+# Database drivers may support different transaction isolation levels.
+# Currently, only "mysql" driver supports isolation levels.
+# If the value is empty - driver's default isolation level is applied.
+# For "mysql" use "READ-UNCOMMITTED", "READ-COMMITTED", "REPEATABLE-READ" or "SERIALIZABLE".
+;isolation_level =
+
+;ca_cert_path =
+;client_key_path =
+;client_cert_path =
+;server_cert_name =
+
+# For "sqlite3" only, path relative to data_path setting
+;path = grafana.db
+
+# Max idle conn setting default is 2
+;max_idle_conn = 2
+
+# Max conn setting default is 0 (mean not set)
+;max_open_conn =
+
+# Connection Max Lifetime default is 14400 (means 14400 seconds or 4 hours)
+;conn_max_lifetime = 14400
+
+# Set to true to log the sql calls and execution times.
+;log_queries =
+
+# For "sqlite3" only. cache mode setting used for connecting to the database. (private, shared)
+;cache_mode = private
+
+# For "mysql" only if migrationLocking feature toggle is set. How many seconds to wait before failing to lock the database for the migrations, default is 0.
+;locking_attempt_timeout_sec = 0
+#>GNUNUX
+type = postgres
+host = {{ general.postgresql.pg_client_server_domainname }}:5432
+name = {{ general.postgresql.pg_client_database }}
+user = {{ general.postgresql.pg_client_username }}
+password = {{ general.postgresql.pg_client_password }}
+ssl_mode = verify-full
+ca_cert_path = {{ general.tls_ca_directory }}/PostgreSQL.crt
+client_key_path = {{ general.tls_key_directory }}/postgresql.key
+client_cert_path = {{ general.tls_cert_directory }}/postgresql.crt
+#<GNUNUX
+
+################################### Data sources #########################
+[datasources]
+# Upper limit of data sources that Grafana will return. This limit is a temporary configuration and it will be deprecated when pagination will be introduced on the list data sources API.
+;datasource_limit = 5000
+
+#################################### Cache server #############################
+[remote_cache]
+# Either "redis", "memcached" or "database" default is "database"
+;type = database
+
+# cache connectionstring options
+# database: will use Grafana primary database.
+# redis: config like redis server e.g. `addr=127.0.0.1:6379,pool_size=100,db=0,ssl=false`. Only addr is required. ssl may be 'true', 'false', or 'insecure'.
+# memcache: 127.0.0.1:11211
+;connstr =
+
+#################################### Data proxy ###########################
+[dataproxy]
+
+# This enables data proxy logging, default is false
+;logging = false
+
+# How long the data proxy waits to read the headers of the response before timing out, default is 30 seconds.
+# This setting also applies to core backend HTTP data sources where query requests use an HTTP client with timeout set.
+;timeout = 30
+
+# How long the data proxy waits to establish a TCP connection before timing out, default is 10 seconds.
+;dialTimeout = 10
+
+# How many seconds the data proxy waits before sending a keepalive probe request.
+;keep_alive_seconds = 30
+
+# How many seconds the data proxy waits for a successful TLS Handshake before timing out.
+;tls_handshake_timeout_seconds = 10
+
+# How many seconds the data proxy will wait for a server's first response headers after
+# fully writing the request headers if the request has an "Expect: 100-continue"
+# header. A value of 0 will result in the body being sent immediately, without
+# waiting for the server to approve.
+;expect_continue_timeout_seconds = 1
+
+# Optionally limits the total number of connections per host, including connections in the dialing,
+# active, and idle states. On limit violation, dials will block.
+# A value of zero (0) means no limit.
+;max_conns_per_host = 0
+
+# The maximum number of idle connections that Grafana will keep alive.
+;max_idle_connections = 100
+
+# How many seconds the data proxy keeps an idle connection open before timing out.
+;idle_conn_timeout_seconds = 90
+
+# If enabled and user is not anonymous, data proxy will add X-Grafana-User header with username into the request, default is false.
+;send_user_header = false
+
+# Limit the amount of bytes that will be read/accepted from responses of outgoing HTTP requests.
+;response_limit = 0
+
+# Limits the number of rows that Grafana will process from SQL data sources.
+;row_limit = 1000000
+
+#################################### Analytics ####################################
+[analytics]
+# Server reporting, sends usage counters to stats.grafana.org every 24 hours.
+# No ip addresses are being tracked, only simple counters to track
+# running instances, dashboard and error counts. It is very helpful to us.
+# Change this option to false to disable reporting.
+;reporting_enabled = false
+#>GNUNUX
+reporting_enabled = false
+#<GNUNUX
+
+# The name of the distributor of the Grafana instance. Ex hosted-grafana, grafana-labs
+;reporting_distributor = grafana-labs
+
+# Set to false to disable all checks to https://grafana.com
+# for new versions of grafana. The check is used
+# in some UI views to notify that a grafana update exists.
+# This option does not cause any auto updates, nor send any information
+# only a GET request to https://raw.githubusercontent.com/grafana/grafana/main/latest.json to get the latest version.
+;check_for_updates = false
+
+# Set to false to disable all checks to https://grafana.com
+# for new versions of plugins. The check is used
+# in some UI views to notify that a plugin update exists.
+# This option does not cause any auto updates, nor send any information
+# only a GET request to https://grafana.com to get the latest versions.
+;check_for_plugin_updates = true
+
+# Google Analytics universal tracking code, only enabled if you specify an id here
+;google_analytics_ua_id =
+
+# Google Tag Manager ID, only enabled if you specify an id here
+;google_tag_manager_id =
+
+# Rudderstack write key, enabled only if rudderstack_data_plane_url is also set
+;rudderstack_write_key =
+
+# Rudderstack data plane url, enabled only if rudderstack_write_key is also set
+;rudderstack_data_plane_url =
+
+# Rudderstack SDK url, optional, only valid if rudderstack_write_key and rudderstack_data_plane_url is also set
+;rudderstack_sdk_url =
+
+# Rudderstack Config url, optional, used by Rudderstack SDK to fetch source config
+;rudderstack_config_url =
+
+# Controls if the UI contains any links to user feedback forms
+;feedback_links_enabled = true
+
+#################################### Security ####################################
+[security]
+# disable creation of admin user on first start of grafana
+;disable_initial_admin_creation = false
+#>GNUNUX
+disable_initial_admin_creation = false
+admin_user = admin
+admin_password = {{ general.grafana.admin_password }}
+#<GNUNUX
+
+# default admin user, created on startup
+;admin_user = admin
+
+# default admin password, can be changed before first start of grafana,  or in profile settings
+;admin_password = admin
+
+# used for signing
+;secret_key = SW2YcwTIb9zpOOhoPsMm
+
+# current key provider used for envelope encryption, default to static value specified by secret_key
+;encryption_provider = secretKey.v1
+
+# list of configured key providers, space separated (Enterprise only): e.g., awskms.v1 azurekv.v1
+;available_encryption_providers =
+
+# disable gravatar profile images
+;disable_gravatar = false
+
+# data source proxy whitelist (ip_or_domain:port separated by spaces)
+;data_source_proxy_whitelist =
+
+# disable protection against brute force login attempts
+;disable_brute_force_login_protection = false
+
+# set to true if you host Grafana behind HTTPS. default is false.
+;cookie_secure = false
+
+# set cookie SameSite attribute. defaults to `lax`. can be set to "lax", "strict", "none" and "disabled"
+;cookie_samesite = lax
+
+# set to true if you want to allow browsers to render Grafana in a <frame>, <iframe>, <embed> or <object>. default is false.
+;allow_embedding = false
+
+# Set to true if you want to enable http strict transport security (HSTS) response header.
+# HSTS tells browsers that the site should only be accessed using HTTPS.
+;strict_transport_security = false
+
+# Sets how long a browser should cache HSTS. Only applied if strict_transport_security is enabled.
+;strict_transport_security_max_age_seconds = 86400
+
+# Set to true if to enable HSTS preloading option. Only applied if strict_transport_security is enabled.
+;strict_transport_security_preload = false
+
+# Set to true if to enable the HSTS includeSubDomains option. Only applied if strict_transport_security is enabled.
+;strict_transport_security_subdomains = false
+
+# Set to true to enable the X-Content-Type-Options response header.
+# The X-Content-Type-Options response HTTP header is a marker used by the server to indicate that the MIME types advertised
+# in the Content-Type headers should not be changed and be followed.
+;x_content_type_options = true
+
+# Set to true to enable the X-XSS-Protection header, which tells browsers to stop pages from loading
+# when they detect reflected cross-site scripting (XSS) attacks.
+;x_xss_protection = true
+
+# Enable adding the Content-Security-Policy header to your requests.
+# CSP allows to control resources the user agent is allowed to load and helps prevent XSS attacks.
+;content_security_policy = false
+
+# Set Content Security Policy template used when adding the Content-Security-Policy header to your requests.
+# $NONCE in the template includes a random nonce.
+# $ROOT_PATH is server.root_url without the protocol.
+;content_security_policy_template = """script-src 'self' 'unsafe-eval' 'unsafe-inline' 'strict-dynamic' $NONCE;object-src 'none';font-src 'self';style-src 'self' 'unsafe-inline' blob:;img-src * data:;base-uri 'self';connect-src 'self' grafana.com ws://$ROOT_PATH wss://$ROOT_PATH;manifest-src 'self';media-src 'none';form-action 'self';"""
+
+# Controls if old angular plugins are supported or not. This will be disabled by default in future release
+;angular_support_enabled = true
+
+[security.encryption]
+# Defines the time-to-live (TTL) for decrypted data encryption keys stored in memory (cache).
+# Please note that small values may cause performance issues due to a high frequency decryption operations.
+;data_keys_cache_ttl = 15m
+
+# Defines the frequency of data encryption keys cache cleanup interval.
+# On every interval, decrypted data encryption keys that reached the TTL are removed from the cache.
+;data_keys_cache_cleanup_interval = 1m
+
+#################################### Snapshots ###########################
+[snapshots]
+# snapshot sharing options
+;external_enabled = true
+;external_snapshot_url = https://snapshots.raintank.io
+;external_snapshot_name = Publish to snapshots.raintank.io
+
+# Set to true to enable this Grafana instance act as an external snapshot server and allow unauthenticated requests for
+# creating and deleting snapshots.
+;public_mode = false
+
+# remove expired snapshot
+;snapshot_remove_expired = true
+
+#################################### Dashboards History ##################
+[dashboards]
+# Number dashboard versions to keep (per dashboard). Default: 20, Minimum: 1
+;versions_to_keep = 20
+
+# Minimum dashboard refresh interval. When set, this will restrict users to set the refresh interval of a dashboard lower than given interval. Per default this is 5 seconds.
+# The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
+min_refresh_interval = 1s
+
+# Path to the default home dashboard. If this value is empty, then Grafana uses StaticRootPath + "dashboards/home.json"
+;default_home_dashboard_path =
+
+#################################### Users ###############################
+[users]
+# disable user signup / registration
+;allow_sign_up = true
+#>GNUNUX
+allow_sign_up = false
+#<GNUNUX
+
+# Allow non admin users to create organizations
+;allow_org_create = true
+
+# Set to true to automatically assign new users to the default organization (id 1)
+;auto_assign_org = true
+
+# Set this value to automatically add new users to the provided organization (if auto_assign_org above is set to true)
+;auto_assign_org_id = 1
+
+# Default role new users will be automatically assigned (if disabled above is set to true)
+;auto_assign_org_role = Viewer
+
+# Require email validation before sign up completes
+;verify_email_enabled = false
+
+# Background text for the user field on the login page
+;login_hint = email or username
+;password_hint = password
+
+# Default UI theme ("dark" or "light")
+;default_theme = dark
+
+# Path to a custom home page. Users are only redirected to this if the default home dashboard is used. It should match a frontend route and contain a leading slash.
+; home_page =
+
+# External user management, these options affect the organization users view
+;external_manage_link_url =
+;external_manage_link_name =
+;external_manage_info =
+
+# Viewers can edit/inspect dashboard settings in the browser. But not save the dashboard.
+;viewers_can_edit = false
+
+# Editors can administrate dashboard, folders and teams they create
+;editors_can_admin = false
+
+# The duration in time a user invitation remains valid before expiring. This setting should be expressed as a duration. Examples: 6h (hours), 2d (days), 1w (week). Default is 24h (24 hours). The minimum supported duration is 15m (15 minutes).
+;user_invite_max_lifetime_duration = 24h
+
+# Enter a comma-separated list of users login to hide them in the Grafana UI. These users are shown to Grafana admins and themselves.
+; hidden_users =
+
+[auth]
+# Login cookie name
+;login_cookie_name = grafana_session
+
+# The maximum lifetime (duration) an authenticated user can be inactive before being required to login at next visit. Default is 7 days (7d). This setting should be expressed as a duration, e.g. 5m (minutes), 6h (hours), 10d (days), 2w (weeks), 1M (month). The lifetime resets at each successful token rotation.
+;login_maximum_inactive_lifetime_duration =
+
+# The maximum lifetime (duration) an authenticated user can be logged in since login time before being required to login. Default is 30 days (30d). This setting should be expressed as a duration, e.g. 5m (minutes), 6h (hours), 10d (days), 2w (weeks), 1M (month).
+;login_maximum_lifetime_duration =
+
+# How often should auth tokens be rotated for authenticated users when being active. The default is each 10 minutes.
+;token_rotation_interval_minutes = 10
+
+# Set to true to disable (hide) the login form, useful if you use OAuth, defaults to false
+;disable_login_form = false
+
+# Set to true to disable the sign out link in the side menu. Useful if you use auth.proxy or auth.jwt, defaults to false
+;disable_signout_menu = false
+
+# URL to redirect the user to after sign out
+;signout_redirect_url =
+
+# Set to true to attempt login with OAuth automatically, skipping the login screen.
+# This setting is ignored if multiple OAuth providers are configured.
+;oauth_auto_login = false
+
+# OAuth state max age cookie duration in seconds. Defaults to 600 seconds.
+;oauth_state_cookie_max_age = 600
+
+# Skip forced assignment of OrgID 1 or 'auto_assign_org_id' for social logins
+;oauth_skip_org_role_update_sync = false
+
+# limit of api_key seconds to live before expiration
+;api_key_max_seconds_to_live = -1
+
+# Set to true to enable SigV4 authentication option for HTTP-based datasources.
+;sigv4_auth_enabled = false
+
+# Set to true to enable verbose logging of SigV4 request signing
+;sigv4_verbose_logging = false
+#>GNUNUX
+disable_login_form = false
+oauth_auto_login = true
+#<GNUNUX
+
+#################################### Anonymous Auth ######################
+[auth.anonymous]
+# enable anonymous access
+;enabled = false
+#>GNUNUX
+enabled = false
+#<GNUNUX
+
+# specify organization name that should be used for unauthenticated users
+;org_name = Main Org.
+
+# specify role for unauthenticated users
+;org_role = Viewer
+
+# mask the Grafana version number for unauthenticated users
+;hide_version = false
+
+#################################### GitHub Auth ##########################
+[auth.github]
+;enabled = false
+#>GNUNUX
+enabled = false
+#<GNUNUX
+;allow_sign_up = true
+;client_id = some_id
+;client_secret = some_secret
+;scopes = user:email,read:org
+;auth_url = https://github.com/login/oauth/authorize
+;token_url = https://github.com/login/oauth/access_token
+;api_url = https://api.github.com/user
+;allowed_domains =
+;team_ids =
+;allowed_organizations =
+
+#################################### GitLab Auth #########################
+[auth.gitlab]
+;enabled = false
+#>GNUNUX
+enabled = false
+#<GNUNUX
+;allow_sign_up = true
+;client_id = some_id
+;client_secret = some_secret
+;scopes = api
+;auth_url = https://gitlab.com/oauth/authorize
+;token_url = https://gitlab.com/oauth/token
+;api_url = https://gitlab.com/api/v4
+;allowed_domains =
+;allowed_groups =
+
+#################################### Google Auth ##########################
+[auth.google]
+;enabled = false
+#>GNUNUX
+enabled = false
+#<GNUNUX
+;allow_sign_up = true
+;client_id = some_client_id
+;client_secret = some_client_secret
+;scopes = https://www.googleapis.com/auth/userinfo.profile https://www.googleapis.com/auth/userinfo.email
+;auth_url = https://accounts.google.com/o/oauth2/auth
+;token_url = https://accounts.google.com/o/oauth2/token
+;api_url = https://www.googleapis.com/oauth2/v1/userinfo
+;allowed_domains =
+;hosted_domain =
+
+#################################### Grafana.com Auth ####################
+[auth.grafana_com]
+;enabled = false
+#>GNUNUX
+enabled = false
+#<GNUNUX
+;allow_sign_up = true
+;client_id = some_id
+;client_secret = some_secret
+;scopes = user:email
+;allowed_organizations =
+
+#################################### Azure AD OAuth #######################
+[auth.azuread]
+;name = Azure AD
+#>GNUNUX
+enabled = false
+#<GNUNUX
+;enabled = false
+;allow_sign_up = true
+;client_id = some_client_id
+;client_secret = some_client_secret
+;scopes = openid email profile
+;auth_url = https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize
+;token_url = https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
+;allowed_domains =
+;allowed_groups =
+;role_attribute_strict = false
+
+#################################### Okta OAuth #######################
+[auth.okta]
+;name = Okta
+;enabled = false
+#>GNUNUX
+enabled = false
+#<GNUNUX
+;allow_sign_up = true
+;client_id = some_id
+;client_secret = some_secret
+;scopes = openid profile email groups
+;auth_url = https://<tenant-id>.okta.com/oauth2/v1/authorize
+;token_url = https://<tenant-id>.okta.com/oauth2/v1/token
+;api_url = https://<tenant-id>.okta.com/oauth2/v1/userinfo
+;allowed_domains =
+;allowed_groups =
+;role_attribute_path =
+;role_attribute_strict = false
+
+#################################### Generic OAuth ##########################
+[auth.generic_oauth]
+;enabled = false
+;name = OAuth
+;allow_sign_up = true
+;client_id = some_id
+;client_secret = some_secret
+;scopes = user:email,read:org
+;empty_scopes = false
+;email_attribute_name = email:primary
+;email_attribute_path =
+;login_attribute_path =
+;name_attribute_path =
+;id_token_attribute_name =
+;auth_url = https://foo.bar/login/oauth/authorize
+;token_url = https://foo.bar/login/oauth/access_token
+;api_url = https://foo.bar/user
+;teams_url =
+;allowed_domains =
+;team_ids =
+;allowed_organizations =
+;role_attribute_path =
+;role_attribute_strict = false
+;groups_attribute_path =
+;team_ids_attribute_path =
+;tls_skip_verify_insecure = false
+;tls_client_cert =
+;tls_client_key =
+;tls_client_ca =
+;use_pkce = false
+#>GNUNUX
+enabled = true
+name = OAuth
+allow_sign_up = true
+client_id = {{ general.oauth2_client.oauth2_client_id }}
+client_secret = {{ general.oauth2_client.oauth2_client_secret }}
+scopes = openid,profile,email
+email_attribute_name = email
+auth_url = https://{{ general.oauth2_client.oauth2_server_domainname }}/oauth2/authorize
+token_url = https://{{ general.oauth2_client.oauth2_client_server_domainname }}/oauth2/token
+api_url = https://{{ general.oauth2_client.oauth2_client_server_domainname }}/oauth2/userinfo
+allowed_domains = {{ general.oauth2_client.oauth2_email_domain }}
+tls_skip_verify_insecure = false
+allow_assign_grafana_admin = true
+role_attribute_path = GrafanaAdmin
+#<GNUNUX
+
+#################################### Basic Auth ##########################
+[auth.basic]
+;enabled = true
+
+#################################### Auth Proxy ##########################
+[auth.proxy]
+;enabled = false
+;header_name = X-WEBAUTH-USER
+;header_property = username
+;auto_sign_up = true
+;sync_ttl = 60
+;whitelist = 192.168.1.1, 192.168.2.1
+;headers = Email:X-User-Email, Name:X-User-Name
+# Non-ASCII strings in header values are encoded using quoted-printable encoding
+;headers_encoded = false
+# Read the auth proxy docs for details on what the setting below enables
+;enable_login_token = false
+
+#################################### Auth JWT ##########################
+[auth.jwt]
+;enabled = true
+;header_name = X-JWT-Assertion
+;email_claim = sub
+;username_claim = sub
+;jwk_set_url = https://foo.bar/.well-known/jwks.json
+;jwk_set_file = /path/to/jwks.json
+;cache_ttl = 60m
+;expected_claims = {"aud": ["foo", "bar"]}
+;key_file = /path/to/key/file
+;auto_sign_up = false
+
+#################################### Auth LDAP ##########################
+[auth.ldap]
+;enabled = false
+;config_file = /etc/grafana/ldap.toml
+;allow_sign_up = true
+
+# LDAP background sync (Enterprise only)
+# At 1 am every day
+;sync_cron = "0 1 * * *"
+;active_sync_enabled = true
+
+#################################### AWS ###########################
+[aws]
+# Enter a comma-separated list of allowed AWS authentication providers.
+# Options are: default (AWS SDK Default), keys (Access && secret key), credentials (Credentials field), ec2_iam_role (EC2 IAM Role)
+; allowed_auth_providers = default,keys,credentials
+
+# Allow AWS users to assume a role using temporary security credentials.
+# If true, assume role will be enabled for all AWS authentication providers that are specified in aws_auth_providers
+; assume_role_enabled = true
+
+#################################### Azure ###############################
+[azure]
+# Azure cloud environment where Grafana is hosted
+# Possible values are AzureCloud, AzureChinaCloud, AzureUSGovernment and AzureGermanCloud
+# Default value is AzureCloud (i.e. public cloud)
+;cloud = AzureCloud
+
+# Specifies whether Grafana hosted in Azure service with Managed Identity configured (e.g. Azure Virtual Machines instance)
+# If enabled, the managed identity can be used for authentication of Grafana in Azure services
+# Disabled by default, needs to be explicitly enabled
+;managed_identity_enabled = false
+
+# Client ID to use for user-assigned managed identity
+# Should be set for user-assigned identity and should be empty for system-assigned identity
+;managed_identity_client_id =
+
+#################################### Role-based Access Control ###########
+[rbac]
+;enabled = true
+# If enabled, cache permissions in a in memory cache (Enterprise only)
+;permission_cache = true
+#################################### SMTP / Emailing ##########################
+[smtp]
+;enabled = false
+;host = localhost:25
+;user =
+# If the password contains # or ; you have to wrap it with triple quotes. Ex """#password;"""
+;password =
+;cert_file =
+;key_file =
+;skip_verify = false
+;from_address = admin@grafana.localhost
+;from_name = Grafana
+# EHLO identity in SMTP dialog (defaults to instance_name)
+;ehlo_identity = dashboard.example.com
+# SMTP startTLS policy (defaults to 'OpportunisticStartTLS')
+;startTLS_policy = NoStartTLS
+#>GNUNUX
+enabled = true
+host = {{ general.smtp.smtp_relay_address }}:25
+user = {{ general.smtp.smtp_relay_user }}@{{ general.smtp.smtp_client_ip }}
+password = {{ general.smtp.smtp_relay_password }}
+startTLS_policy = MandatoryStartTLS
+#<GNUNUX
+
+[emails]
+;welcome_email_on_sign_up = false
+;templates_pattern = emails/*.html, emails/*.txt
+;content_types = text/html
+
+#################################### Logging ##########################
+[log]
+# Either "console", "file", "syslog". Default is console and  file
+# Use space to separate multiple modes, e.g. "console file"
+;mode = console file
+#>GNUNUX
+mode = console
+#<GNUNUX
+
+# Either "debug", "info", "warn", "error", "critical", default is "info"
+;level = info
+
+# optional settings to set different levels for specific loggers. Ex filters = sqlstore:debug
+;filters =
+
+# For "console" mode only
+[log.console]
+;level =
+
+# log line format, valid options are text, console and json
+;format = console
+
+# For "file" mode only
+[log.file]
+;level =
+
+# log line format, valid options are text, console and json
+;format = text
+
+# This enables automated log rotate(switch of following options), default is true
+;log_rotate = true
+
+# Max line number of single file, default is 1000000
+;max_lines = 1000000
+
+# Max size shift of single file, default is 28 means 1 << 28, 256MB
+;max_size_shift = 28
+
+# Segment log daily, default is true
+;daily_rotate = true
+
+# Expired days of log file(delete after max days), default is 7
+;max_days = 7
+
+[log.syslog]
+;level =
+
+# log line format, valid options are text, console and json
+;format = text
+
+# Syslog network type and address. This can be udp, tcp, or unix. If left blank, the default unix endpoints will be used.
+;network =
+;address =
+
+# Syslog facility. user, daemon and local0 through local7 are valid.
+;facility =
+
+# Syslog tag. By default, the process' argv[0] is used.
+;tag =
+
+[log.frontend]
+# Should Sentry javascript agent be initialized
+;enabled = false
+
+# Sentry DSN if you want to send events to Sentry.
+;sentry_dsn =
+
+# Custom HTTP endpoint to send events captured by the Sentry agent to. Default will log the events to stdout.
+;custom_endpoint = /log
+
+# Rate of events to be reported between 0 (none) and 1 (all), float
+;sample_rate = 1.0
+
+# Requests per second limit enforced an extended period, for Grafana backend log ingestion endpoint (/log).
+;log_endpoint_requests_per_second_limit = 3
+
+# Max requests accepted per short interval of time for Grafana backend log ingestion endpoint (/log).
+;log_endpoint_burst_limit = 15
+
+#################################### Usage Quotas ########################
+[quota]
+; enabled = false
+
+#### set quotas to -1 to make unlimited. ####
+# limit number of users per Org.
+; org_user = 10
+
+# limit number of dashboards per Org.
+; org_dashboard = 100
+
+# limit number of data_sources per Org.
+; org_data_source = 10
+
+# limit number of api_keys per Org.
+; org_api_key = 10
+
+# limit number of alerts per Org.
+;org_alert_rule = 100
+
+# limit number of orgs a user can create.
+; user_org = 10
+
+# Global limit of users.
+; global_user = -1
+
+# global limit of orgs.
+; global_org = -1
+
+# global limit of dashboards
+; global_dashboard = -1
+
+# global limit of api_keys
+; global_api_key = -1
+
+# global limit on number of logged in users.
+; global_session = -1
+
+# global limit of alerts
+;global_alert_rule = -1
+
+#################################### Unified Alerting ####################
+[unified_alerting]
+#Enable the Unified Alerting sub-system and interface. When enabled we'll migrate all of your alert rules and notification channels to the new system. New alert rules will be created and your notification channels will be converted into an Alertmanager configuration. Previous data is preserved to enable backwards compatibility but new data is removed.```
+;enabled = true
+
+# Comma-separated list of organization IDs for which to disable unified alerting. Only supported if unified alerting is enabled.
+;disabled_orgs =
+
+# Specify the frequency of polling for admin config changes.
+# The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
+;admin_config_poll_interval = 60s
+
+# Specify the frequency of polling for Alertmanager config changes.
+# The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
+;alertmanager_config_poll_interval = 60s
+
+# Listen address/hostname and port to receive unified alerting messages for other Grafana instances. The port is used for both TCP and UDP. It is assumed other Grafana instances are also running on the same port. The default value is `0.0.0.0:9094`.
+;ha_listen_address = "0.0.0.0:9094"
+
+# Listen address/hostname and port to receive unified alerting messages for other Grafana instances. The port is used for both TCP and UDP. It is assumed other Grafana instances are also running on the same port. The default value is `0.0.0.0:9094`.
+;ha_advertise_address = ""
+
+# Comma-separated list of initial instances (in a format of host:port) that will form the HA cluster. Configuring this setting will enable High Availability mode for alerting.
+;ha_peers = ""
+
+# Time to wait for an instance to send a notification via the Alertmanager. In HA, each Grafana instance will
+# be assigned a position (e.g. 0, 1). We then multiply this position with the timeout to indicate how long should
+# each instance wait before sending the notification to take into account replication lag.
+# The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
+;ha_peer_timeout = "15s"
+
+# The interval between sending gossip messages. By lowering this value (more frequent) gossip messages are propagated
+# across cluster more quickly at the expense of increased bandwidth usage.
+# The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
+;ha_gossip_interval = "200ms"
+
+# The interval between gossip full state syncs. Setting this interval lower (more frequent) will increase convergence speeds
+# across larger clusters at the expense of increased bandwidth usage.
+# The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
+;ha_push_pull_interval = "60s"
+
+# Enable or disable alerting rule execution. The alerting UI remains visible. This option has a legacy version in the `[alerting]` section that takes precedence.
+;execute_alerts = true
+
+# Alert evaluation timeout when fetching data from the datasource. This option has a legacy version in the `[alerting]` section that takes precedence.
+# The timeout string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
+;evaluation_timeout = 30s
+
+# Number of times we'll attempt to evaluate an alert rule before giving up on that evaluation. This option has a legacy version in the `[alerting]` section that takes precedence.
+;max_attempts = 3
+
+# Minimum interval to enforce between rule evaluations. Rules will be adjusted if they are less than this value  or if they are not multiple of the scheduler interval (10s). Higher values can help with resource management as we'll schedule fewer evaluations over time. This option has a legacy version in the `[alerting]` section that takes precedence.
+# The interval string is a possibly signed sequence of decimal numbers, followed by a unit suffix (ms, s, m, h, d), e.g. 30s or 1m.
+;min_interval = 10s
+
+#################################### Alerting ############################
+[alerting]
+# Disable legacy alerting engine & UI features
+;enabled = false
+
+# Makes it possible to turn off alert execution but alerting UI is visible
+;execute_alerts = true
+
+# Default setting for new alert rules. Defaults to categorize error and timeouts as alerting. (alerting, keep_state)
+;error_or_timeout = alerting
+
+# Default setting for how Grafana handles nodata or null values in alerting. (alerting, no_data, keep_state, ok)
+;nodata_or_nullvalues = no_data
+
+# Alert notifications can include images, but rendering many images at the same time can overload the server
+# This limit will protect the server from render overloading and make sure notifications are sent out quickly
+;concurrent_render_limit = 5
+
+# Default setting for alert calculation timeout. Default value is 30
+;evaluation_timeout_seconds = 30
+
+# Default setting for alert notification timeout. Default value is 30
+;notification_timeout_seconds = 30
+
+# Default setting for max attempts to sending alert notifications. Default value is 3
+;max_attempts = 3
+
+# Makes it possible to enforce a minimal interval between evaluations, to reduce load on the backend
+;min_interval_seconds = 1
+
+# Configures for how long alert annotations are stored. Default is 0, which keeps them forever.
+# This setting should be expressed as a duration. Examples: 6h (hours), 10d (days), 2w (weeks), 1M (month).
+;max_annotation_age =
+
+# Configures max number of alert annotations that Grafana stores. Default value is 0, which keeps all alert annotations.
+;max_annotations_to_keep =
+
+#################################### Annotations #########################
+[annotations]
+# Configures the batch size for the annotation clean-up job. This setting is used for dashboard, API, and alert annotations.
+;cleanupjob_batchsize = 100
+
+[annotations.dashboard]
+# Dashboard annotations means that annotations are associated with the dashboard they are created on.
+
+# Configures how long dashboard annotations are stored. Default is 0, which keeps them forever.
+# This setting should be expressed as a duration. Examples: 6h (hours), 10d (days), 2w (weeks), 1M (month).
+;max_age =
+
+# Configures max number of dashboard annotations that Grafana stores. Default value is 0, which keeps all dashboard annotations.
+;max_annotations_to_keep =
+
+[annotations.api]
+# API annotations means that the annotations have been created using the API without any
+# association with a dashboard.
+
+# Configures how long Grafana stores API annotations. Default is 0, which keeps them forever.
+# This setting should be expressed as a duration. Examples: 6h (hours), 10d (days), 2w (weeks), 1M (month).
+;max_age =
+
+# Configures max number of API annotations that Grafana keeps. Default value is 0, which keeps all API annotations.
+;max_annotations_to_keep =
+
+#################################### Explore #############################
+[explore]
+# Enable the Explore section
+;enabled = true
+
+#################################### Help #############################
+[help]
+# Enable the Help section
+;enabled = true
+
+#################################### Profile #############################
+[profile]
+# Enable the Profile section
+;enabled = true
+
+#################################### Query History #############################
+[query_history]
+# Enable the Query history
+;enabled = true
+
+#################################### Internal Grafana Metrics ##########################
+# Metrics available at HTTP URL /metrics and /metrics/plugins/:pluginId
+[metrics]
+# Disable / Enable internal metrics
+;enabled           = true
+# Graphite Publish interval
+;interval_seconds  = 10
+# Disable total stats (stat_totals_*) metrics to be generated
+;disable_total_stats = false
+
+#If both are set, basic auth will be required for the metrics endpoints.
+; basic_auth_username =
+; basic_auth_password =
+
+# Metrics environment info adds dimensions to the `grafana_environment_info` metric, which
+# can expose more information about the Grafana instance.
+[metrics.environment_info]
+#exampleLabel1 = exampleValue1
+#exampleLabel2 = exampleValue2
+
+# Send internal metrics to Graphite
+[metrics.graphite]
+# Enable by setting the address setting (ex localhost:2003)
+;address =
+;prefix = prod.grafana.%(instance_name)s.
+
+#################################### Grafana.com integration  ##########################
+# Url used to import dashboards directly from Grafana.com
+[grafana_com]
+;url = https://grafana.com
+
+#################################### Distributed tracing ############
+# Opentracing is deprecated use opentelemetry instead
+[tracing.jaeger]
+# Enable by setting the address sending traces to jaeger (ex localhost:6831)
+;address = localhost:6831
+# Tag that will always be included in when creating new spans. ex (tag1:value1,tag2:value2)
+;always_included_tag = tag1:value1
+# Type specifies the type of the sampler: const, probabilistic, rateLimiting, or remote
+;sampler_type = const
+# jaeger samplerconfig param
+# for "const" sampler, 0 or 1 for always false/true respectively
+# for "probabilistic" sampler, a probability between 0 and 1
+# for "rateLimiting" sampler, the number of spans per second
+# for "remote" sampler, param is the same as for "probabilistic"
+# and indicates the initial sampling rate before the actual one
+# is received from the mothership
+;sampler_param = 1
+# sampling_server_url is the URL of a sampling manager providing a sampling strategy.
+;sampling_server_url =
+# Whether or not to use Zipkin propagation (x-b3- HTTP headers).
+;zipkin_propagation = false
+# Setting this to true disables shared RPC spans.
+# Not disabling is the most common setting when using Zipkin elsewhere in your infrastructure.
+;disable_shared_zipkin_spans = false
+
+[tracing.opentelemetry.jaeger]
+# jaeger destination (ex http://localhost:14268/api/traces)
+; address = http://localhost:14268/api/traces
+# Propagation specifies the text map propagation format: w3c, jaeger
+; propagation = jaeger
+
+# This is a configuration for OTLP exporter with GRPC protocol
+[tracing.opentelemetry.otlp]
+# otlp destination (ex localhost:4317)
+; address = localhost:4317
+# Propagation specifies the text map propagation format: w3c, jaeger
+; propagation = w3c
+
+#################################### External image storage ##########################
+[external_image_storage]
+# Used for uploading images to public servers so they can be included in slack/email messages.
+# you can choose between (s3, webdav, gcs, azure_blob, local)
+;provider =
+
+[external_image_storage.s3]
+;endpoint =
+;path_style_access =
+;bucket =
+;region =
+;path =
+;access_key =
+;secret_key =
+
+[external_image_storage.webdav]
+;url =
+;public_url =
+;username =
+;password =
+
+[external_image_storage.gcs]
+;key_file =
+;bucket =
+;path =
+
+[external_image_storage.azure_blob]
+;account_name =
+;account_key =
+;container_name =
+
+[external_image_storage.local]
+# does not require any configuration
+
+[rendering]
+# Options to configure a remote HTTP image rendering service, e.g. using https://github.com/grafana/grafana-image-renderer.
+# URL to a remote HTTP image renderer service, e.g. http://localhost:8081/render, will enable Grafana to render panels and dashboards to PNG-images using HTTP requests to an external service.
+;server_url =
+# If the remote HTTP image renderer service runs on a different server than the Grafana server you may have to configure this to a URL where Grafana is reachable, e.g. http://grafana.domain/.
+;callback_url =
+# An auth token that will be sent to and verified by the renderer. The renderer will deny any request without an auth token matching the one configured on the renderer side.
+;renderer_token = -
+# Concurrent render request limit affects when the /render HTTP endpoint is used. Rendering many images at the same time can overload the server,
+# which this setting can help protect against by only allowing a certain amount of concurrent requests.
+;concurrent_render_request_limit = 30
+
+[panels]
+# If set to true Grafana will allow script tags in text panels. Not recommended as it enable XSS vulnerabilities.
+;disable_sanitize_html = false
+
+[plugins]
+;enable_alpha = false
+;app_tls_skip_verify_insecure = false
+# Enter a comma-separated list of plugin identifiers to identify plugins to load even if they are unsigned. Plugins with modified signatures are never loaded.
+allow_loading_unsigned_plugins = performancecopilot-pcp-app,pcp-redis-datasource,pcp-vector-datasource,pcp-bpftrace-datasource,pcp-flamegraph-panel,pcp-breadcrumbs-panel,pcp-troubleshooting-panel,performancecopilot-redis-datasource,performancecopilot-vector-datasource,performancecopilot-bpftrace-datasource,performancecopilot-flamegraph-panel,performancecopilot-breadcrumbs-panel,performancecopilot-troubleshooting-panel
+# Enable or disable installing / uninstalling / updating plugins directly from within Grafana.
+;plugin_admin_enabled = false
+;plugin_admin_external_manage_enabled = false
+;plugin_catalog_url = https://grafana.com/grafana/plugins/
+# Enter a comma-separated list of plugin identifiers to hide in the plugin catalog.
+;plugin_catalog_hidden_plugins =
+
+#################################### Grafana Live ##########################################
+[live]
+# max_connections to Grafana Live WebSocket endpoint per Grafana server instance. See Grafana Live docs
+# if you are planning to make it higher than default 100 since this can require some OS and infrastructure
+# tuning. 0 disables Live, -1 means unlimited connections.
+;max_connections = 100
+
+# allowed_origins is a comma-separated list of origins that can establish connection with Grafana Live.
+# If not set then origin will be matched over root_url. Supports wildcard symbol "*".
+;allowed_origins =
+
+# engine defines an HA (high availability) engine to use for Grafana Live. By default no engine used - in
+# this case Live features work only on a single Grafana server. Available options: "redis".
+# Setting ha_engine is an EXPERIMENTAL feature.
+;ha_engine =
+
+# ha_engine_address sets a connection address for Live HA engine. Depending on engine type address format can differ.
+# For now we only support Redis connection address in "host:port" format.
+# This option is EXPERIMENTAL.
+;ha_engine_address = "127.0.0.1:6379"
+
+#################################### Grafana Image Renderer Plugin ##########################
+[plugin.grafana-image-renderer]
+# Instruct headless browser instance to use a default timezone when not provided by Grafana, e.g. when rendering panel image of alert.
+# See ICU’s metaZones.txt (https://cs.chromium.org/chromium/src/third_party/icu/source/data/misc/metaZones.txt) for a list of supported
+# timezone IDs. Fallbacks to TZ environment variable if not set.
+;rendering_timezone =
+
+# Instruct headless browser instance to use a default language when not provided by Grafana, e.g. when rendering panel image of alert.
+# Please refer to the HTTP header Accept-Language to understand how to format this value, e.g. 'fr-CH, fr;q=0.9, en;q=0.8, de;q=0.7, *;q=0.5'.
+;rendering_language =
+
+# Instruct headless browser instance to use a default device scale factor when not provided by Grafana, e.g. when rendering panel image of alert.
+# Default is 1. Using a higher value will produce more detailed images (higher DPI), but will require more disk space to store an image.
+;rendering_viewport_device_scale_factor =
+
+# Instruct headless browser instance whether to ignore HTTPS errors during navigation. Per default HTTPS errors are not ignored. Due to
+# the security risk it's not recommended to ignore HTTPS errors.
+;rendering_ignore_https_errors =
+
+# Instruct headless browser instance whether to capture and log verbose information when rendering an image. Default is false and will
+# only capture and log error messages. When enabled, debug messages are captured and logged as well.
+# For the verbose information to be included in the Grafana server log you have to adjust the rendering log level to debug, configure
+# [log].filter = rendering:debug.
+;rendering_verbose_logging =
+
+# Instruct headless browser instance whether to output its debug and error messages into running process of remote rendering service.
+# Default is false. This can be useful to enable (true) when troubleshooting.
+;rendering_dumpio =
+
+# Additional arguments to pass to the headless browser instance. Default is --no-sandbox. The list of Chromium flags can be found
+# here (https://peter.sh/experiments/chromium-command-line-switches/). Multiple arguments is separated with comma-character.
+;rendering_args =
+
+# You can configure the plugin to use a different browser binary instead of the pre-packaged version of Chromium.
+# Please note that this is not recommended, since you may encounter problems if the installed version of Chrome/Chromium is not
+# compatible with the plugin.
+;rendering_chrome_bin =
+
+# Instruct how headless browser instances are created. Default is 'default' and will create a new browser instance on each request.
+# Mode 'clustered' will make sure that only a maximum of browsers/incognito pages can execute concurrently.
+# Mode 'reusable' will have one browser instance and will create a new incognito page on each request.
+;rendering_mode =
+
+# When rendering_mode = clustered, you can instruct how many browsers or incognito pages can execute concurrently. Default is 'browser'
+# and will cluster using browser instances.
+# Mode 'context' will cluster using incognito pages.
+;rendering_clustering_mode =
+# When rendering_mode = clustered, you can define the maximum number of browser instances/incognito pages that can execute concurrently. Default is '5'.
+;rendering_clustering_max_concurrency =
+# When rendering_mode = clustered, you can specify the duration a rendering request can take before it will time out. Default is `30` seconds.
+;rendering_clustering_timeout =
+
+# Limit the maximum viewport width, height and device scale factor that can be requested.
+;rendering_viewport_max_width =
+;rendering_viewport_max_height =
+;rendering_viewport_max_device_scale_factor =
+
+# Change the listening host and port of the gRPC server. Default host is 127.0.0.1 and default port is 0 and will automatically assign
+# a port not in use.
+;grpc_host =
+;grpc_port =
+
+[enterprise]
+# Path to a valid Grafana Enterprise license.jwt file
+;license_path =
+
+[feature_toggles]
+# there are currently two ways to enable feature toggles in the `grafana.ini`.
+# you can either pass an array of feature you want to enable to the `enable` field or
+# configure each toggle by setting the name of the toggle to true/false. Toggles set to true/false
+# will take presidence over toggles in the `enable` list.
+
+;enable = feature1,feature2
+
+;feature1 = true
+;feature2 = false
+
+[date_formats]
+# For information on what formatting patterns that are supported https://momentjs.com/docs/#/displaying/
+
+# Default system date format used in time range picker and other places where full time is displayed
+;full_date = YYYY-MM-DD HH:mm:ss
+
+# Used by graph and other places where we only show small intervals
+;interval_second = HH:mm:ss
+;interval_minute = HH:mm
+;interval_hour = MM/DD HH:mm
+;interval_day = MM/DD
+;interval_month = YYYY-MM
+;interval_year = YYYY
+
+# Experimental feature
+;use_browser_locale = false
+
+# Default timezone for user preferences. Options are 'browser' for the browser local timezone or a timezone name from IANA Time Zone database, e.g. 'UTC' or 'Europe/Amsterdam' etc.
+;default_timezone = browser
+
+[expressions]
+# Enable or disable the expressions functionality.
+;enabled = true
+
+[geomap]
+# Set the JSON configuration for the default basemap
+;default_baselayer_config = `{
+;  "type": "xyz",
+;  "config": {
+;    "attribution": "Open street map",
+;    "url": "https://tile.openstreetmap.org/{z}/{x}/{y}.png"
+;  }
+;}`
+
+# Enable or disable loading other base map layers
+;enable_custom_baselayers = true
diff --git a/seed/grafana/templates/tmpfile-grafana.conf b/seed/grafana/templates/tmpfile-grafana.conf
new file mode 100644
index 0000000..f0654ca
--- /dev/null
+++ b/seed/grafana/templates/tmpfile-grafana.conf
@@ -0,0 +1,2 @@
+d /srv/grafana 700 grafana grafana - -
+d /srv/grafana/home 700 grafana grafana - -
diff --git a/seed/host-systemd-machined/dictionaries/21_machined.xml b/seed/host-systemd-machined/dictionaries/21_machined.xml
index f97bf5d..c2da281 100644
--- a/seed/host-systemd-machined/dictionaries/21_machined.xml
+++ b/seed/host-systemd-machined/dictionaries/21_machined.xml
@@ -2,32 +2,37 @@
 <rougail version="0.10">
   <services>
     <service name="systemd-machined">
-      <file>/etc/systemd/network/80-container-vz.network</file>
-      <file file_type="variable" source="70-container.network" variable="zone_name">systemd_zone_filename</file>
-      <file file_type="variable" source="70-container.netdev" variable="zone_name">systemd_netzone_filename</file>
+      <file engine="none">/etc/systemd/network/80-container-vz.network</file>
+      <file file_type="variable" source="70-container.network" variable="zone_name" engine="ansible">systemd_zone_filename</file>
+      <file file_type="variable" source="70-container.netdev" variable="zone_name" engine="ansible">systemd_netzone_filename</file>
     </service>
-    <service name="risotto-images" engine="cheetah" manage="False"/>
+    <service name="risotto-images" engine="ansible" manage="False"/>
     <service name="systemd-sysctl"/>
     <service name="systemd-networkd"/>
     <service name="systemd-resolved"/>
-    <service name="risotto-images" type="timer" engine="cheetah"/>
-    <service name="risottofirewall" engine="cheetah"/>
+    <service name="risotto-images" type="timer" engine="none"/>
+    <service name="risottofirewall" engine="ansible"/>
     <service name="systemd-nspawn@">
-      <file>/tmpfiles.d/0asystemd-nspawn.conf</file>
-      <file>/etc/systemd/system/systemd-nspawn@.service.d/systemd-nspawn@.conf</file>
-      <file>/etc/distro.repos.d/boot.repo</file>
+      <file engine="none">/tmpfiles.d/0asystemd-nspawn.conf</file>
+      <file engine="none">/etc/systemd/system/systemd-nspawn@.service.d/systemd-nspawn@.conf</file>
+      <file engine="none">/etc/distro.repos.d/boot.repo</file>
       <file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-35-x86_64</file>
       <file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-36-x86_64</file>
       <file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-37-x86_64</file>
+      <file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-38-x86_64</file>
       <file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-36</file>
-      <file>/etc/sysctl.d/90-risotto.conf</file>
-      <file file_type="variable" source="dhcp.network" variable="interface_names">host_network_filename</file>
+      <file engine="ansible">/etc/sysctl.d/90-risotto.conf</file>
+      <file engine="ansible" file_type="variable" source="dhcp.network" variable="interface_names">host_network_filename</file>
+    </service>
+    <service name="vector" servicelist="vector">
+      <file engine="ansible">/etc/vector/vector.toml</file>
     </service>
   </services>
   <variables>
     <variable name="host_install_dir" type="filename" description="Nom du répertoire comprenant les descriptions d'installation" mandatory="True" provider="global:host_install_dir"/>
     <variable name="host_name" type="domainname" hidden="True" provider="global:server_name" mandatory="True"/>
     <variable name="module_name" type="string" hidden="True" provider="global:module_name" mandatory="True"/>
+    <variable name="tls_server" type="domainname" description="tls domaine name" mandatory="True" provider="global:tls_server"/>
     <variable name="systemd_zone_filename" type="filename" hidden="True" multi="True"/>
     <variable name="systemd_netzone_filename" type="filename" hidden="True" multi="True"/>
     <variable name="vm_swappiness" type="number" description="Ajustement de la mémoire virtuelle" mandatory="True">
@@ -80,6 +85,14 @@
       <variable name="zone_name" type="string" hidden="True" multi="True"/>
       <variable name="zone_cidr" type="cidr" hidden="True"/>
     </family>
+    <family name="vector">
+      <variable name="server_address" type="domainname" hidden="True" supplier="Vector"/>
+      <variable name="ip_address" type="ip" hidden="True"/>
+    </family>
+    <family name="prometheus">
+      <variable name="prometheus_server_address" type="domainname" hidden="True" supplier="Prometheus"/>
+      <variable name="prometheus_ip_address" type="ip" hidden="True" supplier="Prometheus:address"/>
+    </family>
   </variables>
   <constraints>
     <fill name="get_internal_zone_names">
@@ -120,6 +133,16 @@
       <param type="index"/>
       <target>first_interface</target>
     </fill>
+    <fill name="get_ip">
+      <param type="information">zones</param>
+      <param type="variable">server_address</param>
+      <target>ip_address</target>
+    </fill>
+    <fill name="get_host_ip">
+      <param type="information">zones</param>
+      <param type="variable">prometheus_server_address</param>
+      <target>prometheus_ip_address</target>
+    </fill>
     <condition name="disabled_if_not_in" source="interface_type">
       <param>ipv4</param>
       <target>interface_ip</target>
@@ -131,5 +154,14 @@
       <target>interface_gateway</target>
       <target>interface_domain_name_servers</target>
     </condition>
+    <condition name="disabled_if_in" source="server_address">
+      <param type="nil"/>
+      <target type="servicelist">vector</target>
+      <target type="variable">ip_address</target>
+    </condition>
+    <condition name="disabled_if_in" source="prometheus_server_address">
+      <param type="nil"/>
+      <target type="variable">prometheus_ip_address</target>
+    </condition>
   </constraints>
 </rougail>
diff --git a/seed/host-systemd-machined/extras/machined/00_machined.xml b/seed/host-systemd-machined/extras/machined/00_machined.xml
index 86bcdd8..5fdb810 100644
--- a/seed/host-systemd-machined/extras/machined/00_machined.xml
+++ b/seed/host-systemd-machined/extras/machined/00_machined.xml
@@ -2,9 +2,10 @@
 <rougail version="0.10">
   <services>
     <service name="systemd-nspawn@">
-      <file file_type="variable" source="nspawn" variable="machined.machines">machined.nspawn_zone_filename</file>
-      <file file_type="variable" source="network-script" variable="machined.machines" mode="700">machined.nspawn_script_network</file>
-      <file file_type="variable" source="tls-script" variable="machined.machines" mode="700">machined.nspawn_script_tls</file>
+      <file engine="ansible" file_type="variable" source="nspawn" variable="machined.machines">machined.nspawn_zone_filename</file>
+      <file engine="ansible" file_type="variable" source="network-script" variable="machined.machines" mode="700">machined.nspawn_script_network</file>
+      <file engine="ansible" file_type="variable" source="tls-script" variable="machined.machines" mode="700">machined.nspawn_script_tls</file>
+      <file engine="ansible" file_type="variable" source="directory-script" variable="machined.machines" mode="700">machined.nspawn_script_directory</file>
     </service>
   </services>
   <variables>
@@ -22,6 +23,7 @@
     <variable name="nspawn_zone_filename" type="filename" hidden="True" multi="True"/>
     <variable name="nspawn_script_network" type="filename" hidden="True" multi="True"/>
     <variable name="nspawn_script_tls" type="filename" hidden="True" multi="True"/>
+    <variable name="nspawn_script_directory" type="filename" hidden="True" multi="True"/>
   </variables>
   <constraints>
     <fill name="calc_value">
@@ -38,6 +40,13 @@
       <param name="multi" type="boolean">True</param>
       <target>machined.nspawn_script_tls</target>
     </fill>
+    <fill name="calc_value">
+      <param>/sbin/directory-</param>
+      <param type="variable">machined.machines</param>
+      <param name="join"></param>
+      <param name="multi" type="boolean">True</param>
+      <target>machined.nspawn_script_directory</target>
+    </fill>
     <fill name="calc_value">
       <param>/etc/systemd/nspawn/</param>
       <param type="variable">machined.machines</param>
diff --git a/seed/host-systemd-machined/funcs/machined.py b/seed/host-systemd-machined/funcs/machined.py
index 6ad4a17..4b0bc6c 100644
--- a/seed/host-systemd-machined/funcs/machined.py
+++ b/seed/host-systemd-machined/funcs/machined.py
@@ -9,3 +9,16 @@ def get_internal_zone_names(zones) -> _List[str]:
 
 def is_first_interface(index) -> bool:
     return index == 0
+
+
+@_multi_function
+def get_host_ip(zones: dict,
+                server_name: str,
+                ):
+    host_name, domain_name = server_name.split('.', 1)
+    for zone in zones.values():
+        if domain_name == zone['domain_name']:
+            break
+    else:
+        raise ValueError(f'cannot find IP in domain name "{domain_name}" (for "{server_name}")')
+    return zone['host_ip']
diff --git a/seed/host-systemd-machined/templates/70-container.netdev b/seed/host-systemd-machined/templates/70-container.netdev
index 30ecb7f..760a3f2 100644
--- a/seed/host-systemd-machined/templates/70-container.netdev
+++ b/seed/host-systemd-machined/templates/70-container.netdev
@@ -1,3 +1,3 @@
 [NetDev]
-Name=%%rougail_variable
+Name={{ rougail_variable }}
 Kind=bridge
diff --git a/seed/host-systemd-machined/templates/70-container.network b/seed/host-systemd-machined/templates/70-container.network
index a7557d7..5f58e67 100644
--- a/seed/host-systemd-machined/templates/70-container.network
+++ b/seed/host-systemd-machined/templates/70-container.network
@@ -1,6 +1,6 @@
 [Match]
-Name=%%rougail_variable
+Name={{ rougail_variable }}
 
 [Network]
-Address=%%zone_name[%%rougail_index].zone_cidr
+Address={{ general.zones.zone_name[rougail_index].zone_cidr }}
 EmitLLDP=customer-bridge
diff --git a/seed/host-systemd-machined/templates/90-risotto.conf b/seed/host-systemd-machined/templates/90-risotto.conf
index 4eeb7a3..5d49ff1 100644
--- a/seed/host-systemd-machined/templates/90-risotto.conf
+++ b/seed/host-systemd-machined/templates/90-risotto.conf
@@ -1,3 +1,3 @@
 net.ipv4.ip_forward = 1
 fs.inotify.max_user_instances = 1024
-vm.swappiness = %%vm_swappiness
+vm.swappiness = {{ general.vm_swappiness }}
diff --git a/seed/host-systemd-machined/templates/RPM-GPG-KEY-fedora-38-x86_64 b/seed/host-systemd-machined/templates/RPM-GPG-KEY-fedora-38-x86_64
new file mode 100644
index 0000000..ac2db41
--- /dev/null
+++ b/seed/host-systemd-machined/templates/RPM-GPG-KEY-fedora-38-x86_64
@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGIC2cYBEADJye1aE0AR17qwj6wsHWlCQlcihmqkL8s4gbOk1IevBbH4iXJx
+lu6bN+NhTcCCX6eHmaL5Pwb/bpkMmLR+/r1D2cLDK24YzvN6kJnwRQUTf2dbqYmg
+mNBgIMm+kAabBZPwUHUzyQ9CT/WJpYr1OYu8JIkdxF35nrPewnnOUUqxqbi8fXRQ
+gskSLF8UveiOjFIqmWwlPwT1UtnevAaF80UGQlkwFvqjjh4b9vKY2gHMAQwt+wg5
+HFFCSwSrnd88ZoDb3pKvDMeurYUiPzF5f2r+ziVkMuaSNckvp58uge7HvyqQPAdJ
+ZRswCCxhUAo9VqkNfB4Ud25ASyalk9jOE3HB8E35gFfPXvuX1n15THXNcwMEiybk
+Omne2YwXL8ShGNr5otjqywThMrrqcl2g/pJVTcpDHTR5Hn9YRp+GHlYLjyEr+/x7
+xM19y9ca9GUiJqDbEREHcKKIhYiGmcIjjcJvei/3C/aM4pqeGFJBbVSnw3qeMxH/
+6ArAMA1sAdShCkv2YjlcF0r4uoCjXdS3xrKLz9PSCquot7RySnOE9TZ7flfJll7Z
+q+lNaSeJg7FK8VWSUb9Lit6VEYVbzWKzespDDbujrHbFpydyq8gXurk7bSR2w0te
+gsmytQqT/w1z2bydgGF6SfY9Px0wuA8GQKr48l5Bhdc6+vHHFqPKzz0PVQARAQAB
+tDFGZWRvcmEgKDM4KSA8ZmVkb3JhLTM4LXByaW1hcnlAZmVkb3JhcHJvamVjdC5v
+cmc+iQJOBBMBCAA4FiEEalG7q7o9VGe2FxIhgJqNfOsQtGQFAmIC2cYCGw8FCwkI
+BwIGFQoJCAsCBBYCAwECHgECF4AACgkQgJqNfOsQtGScyw/7BLmD4Fwi4QZY94zl
+vlJdNufZRavOemSIVVDHoCr8pQBAdrvoMypxJd5zM4ODIqFsjdYpFti+Tkeq4/4U
+25UoLPEOtU8UDt2uq7LqfdCxspaj7VyXAJIkpf7wEvLS4Jzo+YaMIlsd0dCrMXTM
+vhu4gKpBFW6C+gGlmuDyTJbyrf7ilytgVzVtIfRrT7XffylviIlZHwKm43UDjvzX
+YEl3EAFR1RjATwXMy2aJh7GCNsz+fKs+7YRKQUhpMF5un/2pyNJO+LbVGGwGZvga
+K9Kfsg/4r1ync4nDDD1dadKIHhobDeiJ9uZLoBvvVDz7Ywu7q/vv4zIPxstYBNq4
+6fLKDtYXuJCK0EV9Qy4ox67t0UGlaRGH8y5YUqOI10xH7iQej0xWlSc8w2dKhPz8
+z9XLv2OMK+PvqvflhFHhWkqEoQRqTu0TVD0fLLe4lqieJlqZcJqW0F9G/vNSSWmf
+POLa/Nim71gL2fPjCJOIRV4K/cJSyBmu5NchG7dHD5sUtJxZ4TFSuepaBZ8cPK1x
+e26TaCBqoUWgUXWmw+P89aOpYOJYEFfT/VAm2Ywn+c1EFUmD+30wQ7aP/RUFl94z
+n0BjqsWDnCKVFHydZ0TZSpeADmXMg2VYZPcp/cQR1KjoBoDxAscis7b1XPQUg7CB
+zquq5jBVAnsNIhs7g47GWKyDUJM=
+=aCLl
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/seed/host-systemd-machined/templates/dhcp.network b/seed/host-systemd-machined/templates/dhcp.network
index 53b91e9..2a08b66 100644
--- a/seed/host-systemd-machined/templates/dhcp.network
+++ b/seed/host-systemd-machined/templates/dhcp.network
@@ -1,17 +1,17 @@
 [Match]
-Name=%%rougail_variable
+Name={{ rougail_variable }}
 
 [Network]
-%set %%leader = %%interface_names[%%rougail_index]
-%if %%leader.interface_type == 'dhcp'
+{% set leader = general.network.interfaces.interface_names[rougail_index] %}
+{% if leader.interface_type == 'dhcp' %}
 DHCP=ipv4
-%else
+{% else %}
 DHCP=no
-Address=%%leader.interface_ip
-  %if %%leader.first_interface
-Gateway=%%leader.interface_gateway
-    %for %%dns in %%leader.interface_domain_name_servers
-DNS=%%dns
-    %end for
-  %end if
-%end if
+Address={{ leader.interface_ip }}
+{% if leader.first_interface %}
+Gateway={{ leader.interface_gateway }}
+{% for dns in leader.interface_domain_name_servers %}
+DNS={{ dns }}
+{% endfor %}
+{% endif %}
+{% endif %}
diff --git a/seed/host-systemd-machined/templates/directory-script b/seed/host-systemd-machined/templates/directory-script
new file mode 100644
index 0000000..6f6daaf
--- /dev/null
+++ b/seed/host-systemd-machined/templates/directory-script
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -e
+
+{% set family = rougail_variable|normalize_family %}
+{% set srv_dir = machined['machine_' + family]['srv_dir_' + family] %}
+{% if srv_dir %}
+mkdir -p {{ srv_dir }}
+chmod 755 {{ srv_dir }}
+{% endif %}
+
+{% set journal_dir = machined['machine_' + family]['journal_dir_' + family] %}
+mkdir -p {{ journal_dir }}
+chmod 755 {{ journal_dir }}
+
+exit 0
diff --git a/seed/host-systemd-machined/templates/network-script b/seed/host-systemd-machined/templates/network-script
index ed6290c..a6256c0 100644
--- a/seed/host-systemd-machined/templates/network-script
+++ b/seed/host-systemd-machined/templates/network-script
@@ -1,18 +1,18 @@
-%echo "#!/bin/bash"
+#!/bin/bash
 
 set -e
-%set %%name = %%normalize_family(%%rougail_variable)
-%set %%container = %%machined['machine_' + %%name]
-%set zones = %%container['zones_' + %%name]
-%if %%len(%%zones) > 1
- %for %%idx, %%zone in %%enumerate(%%zones)
-  %if not %%idx
-    %continue
-  %end if
-  %set %%intname = "vc-" + %%str(%%idx) + %%rougail_variable
-echo "configuration de %intname"
-/usr/sbin/ip link set dev %%intname[:15] master %%zone
-/usr/sbin/ip link set dev %%intname[:15] up
- %end for
-%end if
-exit 0
+{% set name = rougail_variable|normalize_family %}
+{% set container = machined['machine_' + name] %}
+{% set zones = container['zones_' + name] %}
+{% if zones| length > 1 %}
+{% for zone in zones %}
+{% set idx = loop.index - 1 %}
+{% if idx %}
+{% set intname = "vc-" + idx|string + rougail_variable %}
+echo "configuration de {{ intname }}"
+/usr/sbin/ip link set dev {{ intname[:15] }} master {{ zone }}
+/usr/sbin/ip link set dev {{ intname[:15] }} up
+{% endif %}
+{% endfor %}
+{% endif %}
+exit 0  
diff --git a/seed/host-systemd-machined/templates/nspawn b/seed/host-systemd-machined/templates/nspawn
index 67395c0..d968d49 100644
--- a/seed/host-systemd-machined/templates/nspawn
+++ b/seed/host-systemd-machined/templates/nspawn
@@ -1,31 +1,32 @@
 [Files]
 Volatile=true
 PrivateUsersChown=false
-%set %%name = %%normalize_family(%%rougail_variable)
-%set %%container = %%machined['machine_' + %%name]
-%if %%container['srv_dir_' + %%name]
-Bind=%%container['srv_dir_' + %%name]:/srv
-%end if
-Bind=%%container['journal_dir_' + %%name]:/var/log/journal/
-BindReadOnly=%%container['config_dir_' + %%name]:/usr/local/lib
-%if %%container['tls_dir_' + %%name]
-Bind=%%container['tls_dir_' + %%name]:/srv/tls
-%end if
-%set zones = %%container['zones_' + %%name]
-%if %%zones
+{% set name = rougail_variable|normalize_family %}
+{% set container = machined['machine_' + name] %}
+{% if container['srv_dir_' + name] %}
+Bind={{ container['srv_dir_' + name] }}:/srv
+{% endif %}
+Bind={{ container['journal_dir_' + name] }}:/var/log/journal/
+BindReadOnly={{ container['config_dir_' + name] }}:/usr/local/lib
+{% if container['tls_dir_' + name] %}
+Bind={{ container['tls_dir_' + name] }}:/srv/tls
+{% endif %}
+{% set zones = container['zones_' + name] %}
+{% if zones %}
 
 [Network]
 Private=yes
 VirtualEthernet=yes
- %for %%idx, %%zone in %%enumerate(%%zones)
-  %if %%idx == 0
-Bridge=%%zones[0]
-  %else
-   %set %%intname = "vc-" + %%str(%%idx) + %%rougail_variable
-VirtualEthernetExtra=%%intname[:15]:host%%idx
-  %end if
- %end for
-%end if
-%for %%port in %%container['incoming_ports_' + %%name]
-Port=tcp:%%port:%%port
-%end for
+{% for zone in zones %}
+{% set index = loop.index - 1 %}
+{% if index == 0 %}
+Bridge={{ zones[0] }}
+{% else %}
+{% set intname = "vc-" + index|string + rougail_variable %}
+VirtualEthernetExtra={{ intname[:15] }}:host{{ index }}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% for port in container['incoming_ports_' + name] %}
+Port=tcp:{{ port }}:{{ port }}
+{% endfor %}
diff --git a/seed/host-systemd-machined/templates/risotto-images.service b/seed/host-systemd-machined/templates/risotto-images.service
index 4cd70f6..68f5729 100644
--- a/seed/host-systemd-machined/templates/risotto-images.service
+++ b/seed/host-systemd-machined/templates/risotto-images.service
@@ -4,8 +4,8 @@ After=network.target local-fs.target systemd-logind.service
 
 [Service]
 Type=oneshot
-ExecStart=/usr/local/sbin/backup_images no
-ExecStart=/usr/local/sbin/update_images
+ExecStart=/usr/local/sbin/backup_images
+ExecStart=/usr/local/sbin/update_images {{ tls_server }} "" reboot_every_monday
 
 [Install]
 WantedBy=multi-user.target
diff --git a/seed/host-systemd-machined/templates/risottofirewall.service b/seed/host-systemd-machined/templates/risottofirewall.service
index 379d21b..7386ce6 100644
--- a/seed/host-systemd-machined/templates/risottofirewall.service
+++ b/seed/host-systemd-machined/templates/risottofirewall.service
@@ -1,11 +1,3 @@
-%def %%get_protocol_port(%%port)
-  %if ':' in %%port
-    %set %%protocol, %%port = %%port.split(':')
-  %else
-    %set %%protocol = 'tcp'
-  %end if
-  %return %%protocol, %%port
-%end def
 [Unit]
 Description=Firewall for Risotto
 After=network.target
@@ -13,32 +5,54 @@ After=network.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-%set %%has_rules = False
-%set %%incoming_ports = {'tcp': {}, 'udp': {}}
-%for %%dns in %%machined.machines
-  %set %%machine = %%normalize_family(%%dns)
-  %set %%outgoing = %%machined['machine_' + %%machine]['outgoing_ports_' + %%machine]
-  %if %%outgoing
-    %set %%ip = %%machined['machine_' + %%machine]['ip_' + %%machine]
-    %for %%port in %%outgoing
-       %set %%protocol, %%port = %%get_protocol_port(%%port)
-ExecStart=/sbin/iptables -t nat -A POSTROUTING -s %%ip -p %%protocol -m %%protocol --dport %%port -o %%output_interface -j MASQUERADE
-ExecStop=-/sbin/iptables -t nat -D POSTROUTING -s %%ip -p %%protocol -m %%protocol --dport %%port -o %%output_interface -j MASQUERADE
-       %set %%has_rules = False
-    %end for
-  %end if
-  %set %%incoming = %%machined['machine_' + %%machine]['incoming_ports_' + %%machine]
-  %for %%port in %%incoming
-     %set %%protocol, %%port = %%get_protocol_port(%%port)
-     %if %%port in %%incoming_ports[%%protocol]
-       %raise Exception('the port "' + %%port + '" cannot be deployed for multiple machines: "' + %%dns + '" and "' + %%incoming_ports[%%protocol][%%port] + '"')
-     %end if
-     %set %%incoming_ports[%%protocol][%%port] = %%dns
-  %end for
-%end for
-%if not %%has_rules
+{% set ns = namespace(has_rules=False, incoming_ports={"tcp": {}, "udp": {}}) %}
+{% for dns in machined.machines %}
+{% set machine = dns|normalize_family %}
+{% set outgoing = machined["machine_" + machine]["outgoing_ports_" + machine] %}
+{% if outgoing %}
+{% set ip = machined["machine_" + machine]["ip_" + machine] %}
+{% for port in outgoing %}
+{% if ":" in port %}
+{% set protocol, port = port.split(":") %}
+{% else %}
+{% set protocol = "tcp" %}
+{% endif %}
+ExecStart=/sbin/iptables -t nat -A POSTROUTING -s {{ ip }} -p {{ protocol }} -m {{ protocol }} --dport {{ port }} -o {{ output_interface }} -j MASQUERADE
+ExecStop=-/sbin/iptables -t nat -D POSTROUTING -s {{ ip }} -p {{ protocol }} -m {{ protocol }} --dport {{ port }} -o {{ output_interface }} -j MASQUERADE
+{% set ns.has_rules = True %}
+{% endfor %}
+{% endif %}
+{% set incoming = machined["machine_" + machine]["incoming_ports_" + machine] %}
+{% for port in incoming %}
+{% if ":" in port %}
+{% set protocol, port = port.split(":") %}
+{% else %}
+{% set protocol = "tcp" %}
+{% endif %}
+{% if port in ns.incoming_ports[protocol] %}
+{% set msg = 'the port "' + port + '" cannot be deployed for multiple machines: "' + dns + '" and "' + ns.incoming_ports[protocol][port] + '"' %}
+{{ msg|raise }}
+{% endif %}
+{% set x=ns.incoming_ports.__getitem__(protocol).__setitem__(port, dns) %}
+{% endfor %}
+{% endfor %}
+{% if not ns.has_rules %}
 ExecStart=/usr/bin/echo "No rule"
-%end if
+{% endif %}
+#FIXME
+ExecStart=/sbin/iptables-legacy -t nat -A PREROUTING -p tcp -m tcp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
+ExecStart=/sbin/iptables-legacy -t nat -A PREROUTING -p udp -m udp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
+ExecStart=/sbin/iptables-legacy -t nat -A OUTPUT ! -d 127.0.0.0/8 -p tcp -m tcp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
+ExecStart=/sbin/iptables-legacy -t nat -A OUTPUT ! -d 127.0.0.0/8 -p udp -m udp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
+ExecStart=/sbin/iptables-legacy -t nat -A POSTROUTING -o enp3s0 -p tcp -m tcp --dport 53 -j MASQUERADE
+ExecStart=/sbin/iptables-legacy -t nat -A POSTROUTING -o enp3s0 -p udp -m udp --dport 53 -j MASQUERADE
+ExecStop=/sbin/iptables-legacy -t nat -D PREROUTING -p tcp -m tcp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
+ExecStop=/sbin/iptables-legacy -t nat -D PREROUTING -p udp -m udp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
+ExecStop=/sbin/iptables-legacy -t nat -D OUTPUT ! -d 127.0.0.0/8 -p tcp -m tcp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
+ExecStop=/sbin/iptables-legacy -t nat -D OUTPUT ! -d 127.0.0.0/8 -p udp -m udp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
+ExecStop=/sbin/iptables-legacy -t nat -D POSTROUTING -o enp3s0 -p tcp -m tcp --dport 53 -j MASQUERADE
+ExecStop=/sbin/iptables-legacy -t nat -D POSTROUTING -o enp3s0 -p udp -m udp --dport 53 -j MASQUERADE
+#FIXME
 
 [Install]
 WantedBy=multi-user.target
diff --git a/seed/host-systemd-machined/templates/systemd-nspawn@.conf b/seed/host-systemd-machined/templates/systemd-nspawn@.conf
index 958657b..c99377a 100644
--- a/seed/host-systemd-machined/templates/systemd-nspawn@.conf
+++ b/seed/host-systemd-machined/templates/systemd-nspawn@.conf
@@ -1,3 +1,4 @@
 [Service]
+ExecStartPre=/usr/local/lib/sbin/directory-%i
 ExecStartPre=/usr/local/lib/sbin/tls-%i
 ExecStartPost=/usr/local/lib/sbin/network-%i
diff --git a/seed/host-systemd-machined/templates/tls-script b/seed/host-systemd-machined/templates/tls-script
index 9141a91..1e92dc0 100644
--- a/seed/host-systemd-machined/templates/tls-script
+++ b/seed/host-systemd-machined/templates/tls-script
@@ -1,29 +1,29 @@
-%echo "#!/bin/bash"
+#!/bin/bash
 
 set -e
-%for %%machine in %%machined.machines
-  %set %%nor_machine = %%normalize_family(%%machine)
-  %set tls_dir = %%machined['machine_' + %%nor_machine]['tls_dir_' + %%nor_machine]
-  %if %%tls_dir
-%break
-  %end if
-%end for
-%if %%tls_dir
-  %set %%dst_dir = %%machined['machine_' + %%normalize_family(%%rougail_variable)]['config_dir_' +  %%normalize_family(%%rougail_variable)]
-  %set %%src_dir = %%tls_dir + "/machines/" + %%rougail_variable
-  %if 'certificates' in %%extra_variables and %%rougail_variable in %%extra_variables['certificates']
-if [ -d "%%dst_dir" ] && [ -d "%%src_dir" ]; then
-    %for %%certificate in %%extra_variables['certificates'][%%rougail_variable]
-      %set %%files = [%%certificate.name]
-	  %if %%certificate.provider == 'autosigne'
-	    %%files.append(%%certificate.authority)
-	  %end if
-      %if 'private' in %%certificate
-        %%files.append(%%certificate.private)
-      %end if
-      %for %%file in %%files
-    src_file="%%{src_dir}%%file"
-    dst_file="%%{dst_dir}%%file"
+{% set ns = namespace(tls_dir=None) %}  
+{% for machine in machined.machines %}
+{% if not ns.tls_dir %}
+{% set nor_machine = machine|normalize_family %}
+{% set ns.tls_dir = machined['machine_' + nor_machine]['tls_dir_' + nor_machine] %}
+{% endif %}
+{% endfor %}
+{% if ns.tls_dir %}
+{% set dst_dir = machined['machine_' + rougail_variable|normalize_family]['config_dir_' + rougail_variable|normalize_family] %}
+{% set src_dir = ns.tls_dir + "/machines/" + rougail_variable %}
+{% if 'certificates' in extra_variables and rougail_variable in extra_variables['certificates'] %}
+if [ -d "{{ dst_dir }}" ] && [ -d "{{ src_dir }}" ]; then
+{% for certificate in extra_variables['certificates'][rougail_variable] %}
+{% set files = [certificate.name] %}
+{% if certificate.provider == 'autosigne' %}
+{{ files.append(certificate.authority) }}
+{% endif %}
+{% if 'private' in certificate %}
+{{ files.append(certificate.private) }}
+{% endif %}
+{% for file in files %}
+    src_file="{{ src_dir }}{{ file}}"
+    dst_file="{{dst_dir}}{{ file }}"
     dst_dir=$(dirname "$dst_file")
     mkdir -p "$dst_dir"
 # ne fonctionne pas avec revprox :/
@@ -39,9 +39,9 @@ if [ -d "%%dst_dir" ] && [ -d "%%src_dir" ]; then
     chown root: "$dst_file"
     chmod 700 "$dst_file"
 
-      %end for
-    %end for
+{% endfor %}
+{% endfor %}
 fi
-  %end if
-%end if
+{% endif %}
+{% endif %}
 exit 0
diff --git a/seed/host-systemd-machined/templates/vector.toml b/seed/host-systemd-machined/templates/vector.toml
new file mode 100644
index 0000000..94692b6
--- /dev/null
+++ b/seed/host-systemd-machined/templates/vector.toml
@@ -0,0 +1,69 @@
+#                                    __   __  __
+#                                    \ \ / / / /
+#                                     \ V / / /
+#                                      \_/  \/
+#
+#                                    V E C T O R
+#                                   Configuration
+#
+# ------------------------------------------------------------------------------
+# Website: https://vector.dev
+# Docs: https://vector.dev/docs
+# Chat: https://chat.vector.dev
+# ------------------------------------------------------------------------------
+
+# Change this to use a non-default directory for Vector data storage:
+# data_dir = "/var/lib/vector"
+
+# Random Syslog-formatted logs
+#>GNUNUX
+#[sources.dummy_logs]
+#type = "demo_logs"
+#format = "syslog"
+#interval = 1
+[sources.journal]
+type = "journald"
+
+{% if general.prometheus.prometheus_server_address %}
+[sources.metrics]
+type = "host_metrics"
+{% endif %}
+#<GNUNUX
+
+# Parse Syslog logs
+# See the Vector Remap Language reference for more info: https://vrl.dev
+#>GNUNUX
+#[transforms.parse_logs]
+#type = "remap"
+#inputs = ["dummy_logs"]
+#source = '''
+#. = parse_syslog!(string!(.message))
+#'''
+#<GNUNUX
+
+# Print parsed logs to stdout
+#>GNUNUX
+[sinks.vector]
+type = "vector"
+inputs = ["journal"]
+address = "{{ general.vector.ip_address }}:8686"
+
+{% if general.prometheus.prometheus_server_address %}
+[sinks.prometheus]
+type = "prometheus_exporter"
+inputs = ["metrics"]
+address = "{{ general.prometheus.prometheus_ip_address }}:9090"
+#{% endif %}
+#<GNUNUX
+
+# Vector's GraphQL API (disabled by default)
+# Uncomment to try it out with the `vector top` command or
+# in your browser at http://localhost:8686
+#[api]
+#enabled = true
+#address = "127.0.0.1:8686"
+#>GNUNUX
+[api]
+enabled = true
+address = "127.0.0.1:8686"
+#<GNUNUX
diff --git a/seed/journald/applicationservice.yml b/seed/journald/applicationservice.yml
new file mode 100644
index 0000000..0a1e96f
--- /dev/null
+++ b/seed/journald/applicationservice.yml
@@ -0,0 +1,3 @@
+format: '0.1'
+description: Journald
+website: https://systemd.io/
diff --git a/seed/journald/dictionaries/20_journald.xml b/seed/journald/dictionaries/20_journald.xml
new file mode 100644
index 0000000..690bfaa
--- /dev/null
+++ b/seed/journald/dictionaries/20_journald.xml
@@ -0,0 +1,26 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name="systemd-journal-upload" target="multi-user" servicelist="journald">
+      <override engine="none"/>
+      <certificate authority="Journald" server="journal_client_server_domainname" group="systemd-journal">journald</certificate>
+      <file engine="ansible">/etc/systemd/journal-upload.conf</file>
+    </service>
+  </services>
+  <variables>
+    <family name="journald" description="systemd-journald">
+      <variable name="journal_client_server_domainname" type="domainname" supplier="Journald"/>
+      <variable name="journal_host_name" type="domainname" supplier="Journald:host"/>
+    </family>
+  </variables>
+  <constraints>
+    <condition name="disabled_if_in" source="journal_client_server_domainname">
+      <param type="nil"/>
+      <target type="servicelist">journald</target>
+    </condition>
+    <fill name="calc_value">
+      <param type="variable">domain_name_eth0</param>
+      <target>journal_host_name</target>
+    </fill>
+  </constraints>
+</rougail>
diff --git a/seed/journald/manual/image/preinstall/journald.sh b/seed/journald/manual/image/preinstall/journald.sh
new file mode 100644
index 0000000..c260d01
--- /dev/null
+++ b/seed/journald/manual/image/preinstall/journald.sh
@@ -0,0 +1 @@
+PKG="$PKG systemd-journal-remote"
diff --git a/seed/journald/templates/journal-upload.conf b/seed/journald/templates/journal-upload.conf
new file mode 100644
index 0000000..6508d01
--- /dev/null
+++ b/seed/journald/templates/journal-upload.conf
@@ -0,0 +1,25 @@
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it under the
+#  terms of the GNU Lesser General Public License as published by the Free
+#  Software Foundation; either version 2.1 of the License, or (at your option)
+#  any later version.
+#
+# Entries in this file show the compile time defaults. Local configuration
+# should be created by either modifying this file, or by creating "drop-ins" in
+# the journal-upload.conf.d/ subdirectory. The latter is generally recommended.
+# Defaults can be restored by simply deleting this file and all drop-ins.
+#
+# See journal-upload.conf(5) for details.
+
+[Upload]
+# URL=
+# ServerKeyFile=/etc/ssl/private/journal-upload.pem
+# ServerCertificateFile=/etc/ssl/certs/journal-upload.pem
+# TrustedCertificateFile=/etc/ssl/ca/trusted.pem
+#>GNUNUX
+URL=https://{{ journal_client_server_domainname }}:19532
+ServerCertificateFile={{ general.tls_cert_directory }}/journald.crt
+ServerKeyFile={{ general.tls_key_directory }}/journald.key
+TrustedCertificateFile={{ general.tls_ca_directory }}/Journald.crt
+#<GNUNUX
diff --git a/seed/journald/templates/systemd-journal-upload.service b/seed/journald/templates/systemd-journal-upload.service
new file mode 100644
index 0000000..f48cf18
--- /dev/null
+++ b/seed/journald/templates/systemd-journal-upload.service
@@ -0,0 +1,2 @@
+[Unit]
+After=risotto.target
diff --git a/seed/journald_remote/applicationservice.yml b/seed/journald_remote/applicationservice.yml
new file mode 100644
index 0000000..4b6acfb
--- /dev/null
+++ b/seed/journald_remote/applicationservice.yml
@@ -0,0 +1,3 @@
+format: '0.1'
+description: Journald remote
+website: https://systemd.io/
diff --git a/seed/journald_remote/dictionaries/21_journald.xml b/seed/journald_remote/dictionaries/21_journald.xml
new file mode 100644
index 0000000..d3afbb5
--- /dev/null
+++ b/seed/journald_remote/dictionaries/21_journald.xml
@@ -0,0 +1,11 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name="systemd-journal-remote" target="multi-user">
+      <override engine="none"/>
+      <certificate certificatelist="journald" authority="Journald" type="server" owner="systemd-journal-remote">journald</certificate>
+      <file engine="ansible" filelist="journald">/etc/systemd/journal-remote.conf</file>
+    </service>
+  </services>
+</rougail>
+
diff --git a/seed/journald_remote/extras/accounts/00_accounts.xml b/seed/journald_remote/extras/accounts/00_accounts.xml
new file mode 100644
index 0000000..a43a205
--- /dev/null
+++ b/seed/journald_remote/extras/accounts/00_accounts.xml
@@ -0,0 +1,21 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <variables>
+    <variable name="remotes" description="Remote journald" type="domainname" provider="Journald" mandatory="True" multi="True"/>
+    <family name="remote_" description="Account for " dynamic="accounts.remotes">
+      <variable name="host_" description="Remote host" type="domainname" mandatory="True" provider="Journald:host"/>
+      <variable name="messages_" multi="True" provider="Journald:message" unique="False"/>
+      <variable name="services_" multi="True" provider="Journald:service" unique="False"/>
+      <variable name="functions_" multi="True" provider="Journald:function" mandatory="False" unique="False"/>
+    </family>
+    <variable name="vector_conditions" hidden="True"/>
+  </variables>
+  <constraints>
+    <fill name="calc_vector_conditions">
+      <param type="variable">accounts.remote_.messages_</param>
+      <param type="variable">accounts.remote_.services_</param>
+      <param type="variable">accounts.remote_.functions_</param>
+      <target>accounts.vector_conditions</target>
+    </fill>
+  </constraints>
+</rougail>
diff --git a/seed/journald_remote/funcs/journald_remote.py b/seed/journald_remote/funcs/journald_remote.py
new file mode 100644
index 0000000..9d29c50
--- /dev/null
+++ b/seed/journald_remote/funcs/journald_remote.py
@@ -0,0 +1,20 @@
+from itertools import chain as _chain
+
+
+def calc_vector_conditions(messages, services, functions):
+    mes = _chain(*messages)
+    ser = list(_chain(*services))
+    fun = list(_chain(*functions))
+    conditions = []
+    for idx, message in enumerate(mes):
+        service = ser[idx]
+        function = fun[idx]
+        condition = '(.SYSLOG_IDENTIFIER == "' + service + '" && '
+        if not function:
+            condition += '.message == "' + message + '"'
+        else:
+            condition += function + '(to_string(.message) ?? "", "' + message + '")'
+        condition += ')'
+        if condition not in conditions:
+            conditions.append(condition)
+    return '!(' + ' || '.join(conditions) + ')'
diff --git a/seed/journald_remote/manual/image/preinstall/journald.sh b/seed/journald_remote/manual/image/preinstall/journald.sh
new file mode 100644
index 0000000..c260d01
--- /dev/null
+++ b/seed/journald_remote/manual/image/preinstall/journald.sh
@@ -0,0 +1 @@
+PKG="$PKG systemd-journal-remote"
diff --git a/seed/journald_remote/templates/journal-remote.conf b/seed/journald_remote/templates/journal-remote.conf
new file mode 100644
index 0000000..9d568d6
--- /dev/null
+++ b/seed/journald_remote/templates/journal-remote.conf
@@ -0,0 +1,26 @@
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it under the
+#  terms of the GNU Lesser General Public License as published by the Free
+#  Software Foundation; either version 2.1 of the License, or (at your option)
+#  any later version.
+#
+# Entries in this file show the compile time defaults. Local configuration
+# should be created by either modifying this file, or by creating "drop-ins" in
+# the journal-remote.conf.d/ subdirectory. The latter is generally recommended.
+# Defaults can be restored by simply deleting this file and all drop-ins.
+#
+# See journal-remote.conf(5) for details.
+
+[Remote]
+# Seal=false
+# SplitMode=host
+# ServerKeyFile=/etc/ssl/private/journal-remote.pem
+# ServerCertificateFile=/etc/ssl/certs/journal-remote.pem
+# TrustedCertificateFile=/etc/ssl/ca/trusted.pem
+#>GNUNUX
+SplitMode=none
+ServerCertificateFile={{ general.tls_cert_directory }}/journald.crt
+ServerKeyFile={{ general.tls_key_directory }}/journald.key
+TrustedCertificateFile={{ general.tls_ca_directory }}/Journald.crt
+#<GNUNUX
diff --git a/seed/journald_remote/templates/systemd-journal-remote.service b/seed/journald_remote/templates/systemd-journal-remote.service
new file mode 100644
index 0000000..1126a0a
--- /dev/null
+++ b/seed/journald_remote/templates/systemd-journal-remote.service
@@ -0,0 +1,3 @@
+[Service]
+ExecStart=
+ExecStart=/usr/lib/systemd/systemd-journal-remote --listen-https=-3 --output=/var/log/journal/remote/risotto.journal
diff --git a/seed/ldap-client/dictionaries/21_ldap-client.xml b/seed/ldap-client/dictionaries/21_ldap-client.xml
index c7355dc..c156b33 100644
--- a/seed/ldap-client/dictionaries/21_ldap-client.xml
+++ b/seed/ldap-client/dictionaries/21_ldap-client.xml
@@ -1,22 +1,25 @@
 <?xml version="1.0" encoding="utf-8"?>
 <rougail version="0.10">
   <services>
-    <service name="ldap-client" target="risotto" engine="cheetah">
+    <service name="ldap-client" target="risotto" engine="ansible">
       <certificate authority="LDAP" owner="ldap_key_file_owner" owner_type="variable" server="ldap_server_address">ldap_client</certificate>
-      <file source="ldap.conf" file_type="variable">ldap_client_file</file>
+      <file engine="ansible" source="ldap.conf" file_type="variable">ldap_client_file</file>
     </service>
   </services>
   <variables>
-    <family name="annuaire" description="Annuaire OpenLDAP">
+    <family name="ldap" description="Annuaire OpenLDAP">
       <family name="server" description="Serveur">
         <variable name='ldap_server_address' type='domainname' description="Nom DNS du serveur LDAP" mandatory='True' supplier="LDAP"/>
+        <variable name="ldap_server_ip" type="ip" hidden="True"/>
         <variable name='ldap_port' type='port' description='Port du serveur LDAP' hidden="True">
           <value>636</value>
         </variable>
+        <variable name='prefix_domain_name' hidden="True" mandatory="True" provider="global:prefix_domain_name"/>
       </family>
       <family name="client" description="Client">
         <variable name='ldapclient_family' type='unix_user' description="Nom de la famille LDAP" supplier="LDAP:family"/>
         <variable name='ldapclient_user' type='string' description="DN de l'utilisateur LDAP" mandatory='False' hidden="True" supplier="LDAP:dn"/>
+        <variable name='ldapclient_address' hidden="True"/>
         <variable name='ldapclient_user_password' type='password' description="Mot de passe de l'utilisateur LDAP" mandatory='True' hidden="True" supplier="LDAP:password"/>
         <variable name='ldapclient_base_dn' type='string' description="Base DN de l'annuaire" mandatory="True" supplier="LDAP:base_dn"/>
         <variable name='ldapclient_search_dn' type='string' description="Base DN de l'annuaire des utilisateurs" mandatory="True"/>
@@ -25,7 +28,7 @@
         <variable name="ldap_key_file_owner" type="unix_user" description="Propriétaire du fichier de la clef privée LDAP" hidden="True">
           <value>root</value>
         </variable>
-	<variable name="ldap_client_file" type="filename" description="Nom du fichier du client LDAP" hidden="True"/>
+        <variable name="ldap_client_file" type="filename" description="Nom du fichier du client LDAP" hidden="True"/>
       </family>
     </family>
   </variables>
@@ -33,8 +36,13 @@
     <check name='valid_base_dn'>
       <target>ldapclient_base_dn</target>
     </check>
-    <fill name='get_default_base_dn'>
+    <fill name="get_ip">
+      <param type="information">zones</param>
       <param type="variable">ldap_server_address</param>
+      <target>ldap_server_ip</target>
+    </fill>
+    <fill name='get_default_base_dn'>
+      <param type="variable">prefix_domain_name</param>
       <target>ldapclient_base_dn</target>
     </fill>
     <fill name='calc_value'>
@@ -45,12 +53,18 @@
     </fill>
     <fill name='calc_value'>
       <param>cn=</param>
-      <param type='variable'>domain_name_eth0</param>
+      <param type='variable'>ldapclient_address</param>
       <param>,</param>
       <param type='variable'>ldapclient_base_dn</param>
       <param name="join"></param>
       <target>ldapclient_user</target>
     </fill>
+    <fill name="get_client_address">
+      <param type='variable'>ldap_server_ip</param>
+      <param type='variable'>domain_name_eth</param>
+      <param type='variable'>network_eth</param>
+      <target>ldapclient_address</target>
+    </fill>
     <fill name="get_password">
       <param name="server_name" type="variable">ldap_server_address</param>
       <param name="username" type="variable">ldapclient_user</param>
diff --git a/seed/ldap-client/funcs/openldap_client.py b/seed/ldap-client/funcs/openldap_client.py
index e67591b..3fafde9 100644
--- a/seed/ldap-client/funcs/openldap_client.py
+++ b/seed/ldap-client/funcs/openldap_client.py
@@ -1,4 +1,8 @@
+from ipaddress import ip_network as _ip_network, ip_address as _ip_address
+
+
 def valid_base_dn(base_dn: str) -> None:
+    # copied from openldap
     for att in ['o', 'dc', 'ou']:
         if base_dn.startswith(att + '='):
             break
@@ -11,6 +15,7 @@ def calc_ldapclient_base_dn(ldap_base_dn: str,
                             base: bool=False,
                             group: bool=False,
                             ) -> str:
+    # copied from openldap
     if ldap_base_dn is None:
         return
     if family_name == 'all':
@@ -39,14 +44,23 @@ class _Undefined:
 _undefined = _Undefined()
 
 
-def get_default_base_dn(server_name: str) -> str:
-    if not server_name or '.' not in server_name:
+def get_default_base_dn(prefix: str) -> str:
+    # copied from openldap
+    if not prefix or '.' not in prefix:
         return None
-    values = server_name.split('.')
-    # cannot calculated base dn should be server.domain.tld
+    values = prefix.split('.')
+    # cannot calculated base dn should be subdomain.domain.tld
     # remove 'server' in dn
     if len(values) < 3:
         return None
-    domain = ['ou=' + domain for domain in values[1:-2]]
+    domain = ['ou=' + domain for domain in values[0:-2]]
     domain.append(f'o={values[-2]},o={values[-1]}')
     return ','.join(domain)
+
+
+def get_client_address(ip, infos, network_eth):
+    ip_mail = _ip_address(ip)
+    for idx, net in enumerate(network_eth):
+        if ip_mail in _ip_network(net):
+            val = infos[idx]
+            return val
diff --git a/seed/ldap-client/templates/ldap-client.service b/seed/ldap-client/templates/ldap-client.service
index f0d1194..7a086a4 100644
--- a/seed/ldap-client/templates/ldap-client.service
+++ b/seed/ldap-client/templates/ldap-client.service
@@ -4,4 +4,4 @@ Before=risotto.target
 
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/%%ldap_server_address/%%ldap_port; do sleep 1; done'
+ExecStart=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/{{ ldap_server_address }}/{{ ldap_port }}; do sleep 1; done'
diff --git a/seed/ldap-client/templates/ldap.conf b/seed/ldap-client/templates/ldap.conf
index 80e9235..45f02ff 100644
--- a/seed/ldap-client/templates/ldap.conf
+++ b/seed/ldap-client/templates/ldap.conf
@@ -8,8 +8,8 @@
 #BASE	dc=example,dc=com
 #URI	ldap://ldap.example.com ldap://ldap-master.example.com:666
 #>GNUNUX
-BASE %%ldapclient_search_dn
-URI ldaps://%%ldap_server_address:%%ldap_port
+BASE {{ ldapclient_search_dn }}
+URI ldaps://{{ ldap_server_address }}:{{ ldap_port }}
 #<GNUNUX
 
 #SIZELIMIT	12
@@ -21,9 +21,9 @@ URI ldaps://%%ldap_server_address:%%ldap_port
 # by TLS_CACERTDIR one has to include them explicitly:
 #TLS_CACERT	/etc/pki/tls/cert.pem
 #>GNUNUX
-TLS_CERT %%tls_cert_directory/ldap_client.crt
-TLS_KEY %%tls_key_directory/ldap_client.key
-TLS_CACERT %%tls_ca_directory/LDAP.crt
+TLS_CERT {{ tls_cert_directory }}/ldap_client.crt
+TLS_KEY {{ tls_key_directory }}/ldap_client.key
+TLS_CACERT {{ tls_ca_directory }}/LDAP.crt
 #<GNUNUX
 
 # System-wide Crypto Policies provide up to date cipher suite which should
@@ -36,9 +36,9 @@ TLS_CACERT %%tls_ca_directory/LDAP.crt
 SASL_NOCANON	on
 
 #>GNUNUX
-BINDDN %%ldapclient_user
+BINDDN {{ ldapclient_user }}
 TIMELIMIT 10
 NETWORK_TIMEOUT 10
 TIMEOUT 10
-BINDPW %%ldapclient_user_password
+BINDPW {{ ldapclient_user_password }}
 #<GNUNUX
diff --git a/seed/lemonldap/DEBUG.md b/seed/lemonldap/DEBUG.md
index e786356..d6ffbc1 100644
--- a/seed/lemonldap/DEBUG.md
+++ b/seed/lemonldap/DEBUG.md
@@ -3,3 +3,7 @@ Log level to DEBUG
 
 sed -i "s/logLevel     = info/logLevel     = debug/g" /etc/lemonldap-ng/lemonldap-ng.ini
 systemctl restart lemonldap-ng-fastcgi-server.service
+
+sed -i 's/log error/log debug/g' /etc/nginx/nginx.conf
+systemctl restart nginx
+
diff --git a/seed/lemonldap/dictionaries/70_lemonldap_ng.xml b/seed/lemonldap/dictionaries/70_lemonldap_ng.xml
index ff3fc6e..d24097a 100644
--- a/seed/lemonldap/dictionaries/70_lemonldap_ng.xml
+++ b/seed/lemonldap/dictionaries/70_lemonldap_ng.xml
@@ -2,7 +2,7 @@
 <rougail version="0.10">
   <services>
     <service name="lemonldap-ng-fastcgi-server">
-      <override/>
+      <override engine="none"/>
       <file engine="none">/static/logo.png</file>
       <file engine="none">/static/demo.png</file>
       <file engine="none">/static/silique_email.png</file>
@@ -11,16 +11,15 @@
       <file engine="none">/static/silique_video.png</file>
       <file engine="none">/static/silique_image.png</file>
       <file engine="none">/static/risotto.css</file>
-      <file>/var/lib/lemonldap-ng/conf/lmConf-1.json</file>
+      <file engine="ansible">/var/lib/lemonldap-ng/conf/lmConf-1.json</file>
       <file engine="none">/etc/lemonldap-ng/lemonldap-ng.ini</file>
-      <!--file>/etc/lemonldap-ng/handler-nginx.conf</file-->
-      <file>/etc/lemonldap-ng/portal-nginx.conf</file>
-      <file>/etc/lemonldap-ng/nginx-lmlog.conf</file>
-      <file>/etc/default/lemonldap-ng-fastcgi-server</file>
-      <file mode="750">/sbin/interne_well_known.pl</file>
-      <file mode="750">/sbin/wget.pl</file>
+      <file engine="ansible">/etc/lemonldap-ng/portal-nginx.conf</file>
+      <file engine="none">/etc/lemonldap-ng/nginx-lmlog.conf</file>
+      <file engine="ansible">/etc/default/lemonldap-ng-fastcgi-server</file>
+      <file engine="ansible" mode="750">/sbin/interne_well_known.pl</file>
+      <file engine="ansible" mode="750">/sbin/wget.pl</file>
       <file engine="none" source="tmpfile-lemonldap.conf">/tmpfiles.d/0lemonldap.conf</file>
-      <file filelist="copy_tests">/tests/lemonldap.yml</file>
+      <file engine="ansible" filelist="copy_tests">/tests/lemonldap.yml</file>
     </service>
   </services>
   <variables>
@@ -36,7 +35,7 @@
       </variable>
       <variable name="lemon_mail_admin" type="mail" description="Courriel de l'administrateur" mandatory="True"/>
     </family>
-    <family name="annuaire">
+    <family name="ldap">
       <family name="client">
         <variable name='ldapclient_family' redefine="True">
           <value>all</value>
diff --git a/seed/lemonldap/extras/oauth2/00_oauth2.xml b/seed/lemonldap/extras/oauth2/00_oauth2.xml
index 2f4a1c9..0f88116 100644
--- a/seed/lemonldap/extras/oauth2/00_oauth2.xml
+++ b/seed/lemonldap/extras/oauth2/00_oauth2.xml
@@ -3,6 +3,7 @@
   <variables>
     <variable name="remotes" description="Remote clients needing to verify OAuth2 account" type="domainname" multi="True" provider="OAuth2"/>
     <family name="oauth2_" description="OAuth2 for " dynamic="oauth2.remotes">
+      <variable name="client_id_" description="Remote client id for " mandatory="True" hidden="True" provider="OAuth2:client_id"/>
       <variable name="secret_" description="Remote secret for " type="password" mandatory="True" hidden="True" provider="OAuth2:secret"/>
       <variable name="name_" description="Remote name for " hidden="True" provider="OAuth2:name"/>
       <variable name="description_" description="Remote description for " hidden="True" provider="OAuth2:description"/>
diff --git a/seed/lemonldap/templates/handler-nginx.conf b/seed/lemonldap/templates/handler-nginx.conf
index 0107654..78d4687 100644
--- a/seed/lemonldap/templates/handler-nginx.conf
+++ b/seed/lemonldap/templates/handler-nginx.conf
@@ -21,10 +21,10 @@ server {
   # GNUNUX server_name reload.example.com;
 #>GNUNUX
   listen 443 ssl;
-  server_name %%lemon_reload_web_name;
-  ssl_certificate         %%tls_cert_directory/revprox.crt;
-  ssl_certificate_key     %%tls_key_directory/revprox.key;
-  ssl_client_certificate  %%tls_ca_directory/InternalReverseProxy.crt;
+  server_name {{ general.lemonldap.lemon_reload_web_name }};
+  ssl_certificate         {{ general.tls_cert_directory }}/revprox.crt;
+  ssl_certificate_key     {{ general.tls_key_directory }}/revprox.key;
+  ssl_client_certificate  {{ general.tls_ca_directory }}/InternalReverseProxy.crt;
 #<GNUNUX
   root /var/www/html;
 
@@ -55,7 +55,7 @@ server {
 
   # Client requests
   location / {
-    allow %%revprox_client_server_ip;
+    allow {{ general.revprox.revprox_client.revprox_client_server_ip }};
     deny all;
 
     # Uncomment this if you use https only
diff --git a/seed/lemonldap/templates/interne_well_known.pl b/seed/lemonldap/templates/interne_well_known.pl
index 586d053..10cc2cb 100644
--- a/seed/lemonldap/templates/interne_well_known.pl
+++ b/seed/lemonldap/templates/interne_well_known.pl
@@ -1,17 +1,17 @@
-%echo "#!/usr/bin/env perl"
+#!/usr/bin/env perl
 # retrieve and modify (if no argument) well-known file
 
 use HTTP::Tiny;
 use JSON qw(from_json to_json);
 
-my $baseUrl = 'https://%%domain_name_eth0/';
+my $baseUrl = 'https://{{ general.network.interface_0.domain_name_eth0 }}/';
 
 my $response = HTTP::Tiny->new->get('http://localhost/.well-known/openid-configuration');
 
 die "Failed!\n" unless $response->{success};
 
 my $json = from_json($response->{content});
-%echo "$num_args = $#ARGV + 1;"
+$num_args = $#ARGV + 1;
 
 if ($num_args == 0) {
     $json->{token_endpoint} = $baseUrl . 'oauth2/token';
diff --git a/seed/lemonldap/templates/lemonldap-ng-fastcgi-server b/seed/lemonldap/templates/lemonldap-ng-fastcgi-server
index 277d740..c95b33e 100644
--- a/seed/lemonldap/templates/lemonldap-ng-fastcgi-server
+++ b/seed/lemonldap/templates/lemonldap-ng-fastcgi-server
@@ -1,7 +1,7 @@
 # Number of process (default: 7)
 #NPROC = 7
 #>GNUNUX
-NPROC=%%lemon_proc
+NPROC={{ general.lemonldap.lemon_proc }}
 #<GNUNUX
 
 # Unix socket to listen to
diff --git a/seed/lemonldap/templates/lemonldap.yml b/seed/lemonldap/templates/lemonldap.yml
index 07bd77a..2c5e12f 100644
--- a/seed/lemonldap/templates/lemonldap.yml
+++ b/seed/lemonldap/templates/lemonldap.yml
@@ -1,3 +1,3 @@
-address: %%revprox_client_external_domainnames[0]
-internal_address: %%domain_name_eth0
-ip: %%ip_eth0
+address: {{ revprox_client_external_domainnames[0] }}
+internal_address: {{ domain_name_eth0 }}
+ip: {{ ip_eth0 }}
diff --git a/seed/lemonldap/templates/lmConf-1.json b/seed/lemonldap/templates/lmConf-1.json
index 2a08498..db48c7a 100644
--- a/seed/lemonldap/templates/lmConf-1.json
+++ b/seed/lemonldap/templates/lmConf-1.json
@@ -1,19 +1,16 @@
-%compiler-settings
-commentStartToken = §
-%end compiler-settings
 {
-   "mailFrom" : "%%lemon_mail_admin",
+   "mailFrom" : "{{ general.lemonldap.lemon_mail_admin }}",
    "mailLDAPFilter" : "(&(mail=$mail)(objectClass=inetOrgPerson))",
    "portalSkinBackground" : "",
    "portalCustomCss": "risotto/risotto.css",
    "authentication" : "LDAP",
    "AuthLDAPFilter" : "(&(cn=$user)(objectClass=inetOrgPerson))",
-   "managerDn" : "%%ldapclient_user",
-   "managerPassword" : "%%ldapclient_user_password",
+   "managerDn" : "{{ general.ldap.client.ldapclient_user }}",
+   "managerPassword" : "{{ general.ldap.client.ldapclient_user_password }}",
    "ldapPpolicyControl" : 1,
    "ldapAllowResetExpiredPassword" : 1,
    "ldapChangePasswordAsUser" : 1,
-   "ldapBase" : "%%ldapclient_search_dn",
+   "ldapBase" : "{{ general.ldap.client.ldapclient_search_dn }}",
    "ldapExportedVars" : {
       "uid" : "uid",
       "cn" : "cn",
@@ -22,7 +19,7 @@ commentStartToken = §
       "givenName" : "givenName",
       "home" : "homeDirectory"
    },
-   "ldapGroupBase" : "%%ldapclient_group_dn",
+   "ldapGroupBase" : "{{ general.ldap.client.ldapclient_group_dn }}",
    "ldapGroupAttributeName" : "member",
    "ldapGroupAttributeNameUser" : "cn",
    "ldapGroupAttributeNameGroup" : "dn",
@@ -30,7 +27,7 @@ commentStartToken = §
    "ldapGroupAttributeNameUser" : "dn",
    "ldapGroupObjectClass" : "groupOfNames",
    "ldapPort" : "636",
-   "ldapServer" : "ldaps://%%ldap_server_address",
+   "ldapServer" : "ldaps://{{ general.ldap.server.ldap_server_address }}",
    "ldapVerify" : "required",
    "ldapTimeout" : 120,
    "cfgAuthor" : "Risotto",
@@ -41,7 +38,7 @@ commentStartToken = §
       "mail" : "mail",
       "uid" : "uid"
    },
-   "domain" : "%%revprox_client_external_domainnames[0]",
+   "domain" : "{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}",
    "exportedVars" : {
        "UA" : "HTTP_USER_AGENT",
        "cn" : "cn",
@@ -60,23 +57,22 @@ commentStartToken = §
       "namespace" : "lemonldap-ng-sessions"
   },
    "locationRules" : {
-      "%%revprox_client_external_domainnames[0]" : {
+      "{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}" : {
          "default" : "accept"
-%set %%domains = []
-%for %%app in %%oauth2.remotes
-  %set %%key = %%normalize_family(%%app)
-  § somethink like ['https://domain/']
-  %for %%external in %%oauth2['oauth2_' + %%key]['external_' + %%key]['hosts_' + %%key]
-    %set %%domain = %%str(%%external).split('/', 3)[-2]
-    %if %%domain not in %%domains
+{% set domains = [] %}
+{% for app in oauth2.remotes %}
+{% set key = app|normalize_family %}
+{% for external in oauth2['oauth2_' + key]['external_' + key]['hosts_' + key] %}
+{% set domain = (external|string).split('/', 3)[-2] %}
+{% if domain not in domains %}
      },
-     "%%domain" : {
+     "{{ domain }}" : {
         "^/logout" : "logout_sso",
-        "default" : "$groups eq \"%%external['family_' + %%key]\""
-%%domains.append(%%domain)%slurp
-    %end if
-  %end for
-%end for
+        "default" : "$groups eq \"{{ external['family_' + key] }}\""
+{{ domains.append(domain) }}
+{% endif %}
+{% endfor %}
+{% endfor %}
       }
    },
    "loginHistoryEnabled" : 1,
@@ -84,7 +80,7 @@ commentStartToken = §
       "UA" : "$ENV{HTTP_USER_AGENT}",
       "_whatToTrace" : "$_auth eq 'SAML' ? lc($_user.'@'.$_idpConfKey) : $_auth eq 'OpenIDConnect' ? lc($_user.'@'.$_oidc_OP) : lc($_user)"
    },
-   "mailUrl" : "https://%%revprox_client_external_domainnames[0]/resetpwd",
+   "mailUrl" : "https://{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}/resetpwd",
    "mySessionAuthorizedRWKeys" : [
       "_appsListOrder",
       "_oidcConnectedRP",
@@ -95,53 +91,50 @@ commentStartToken = §
        "dirName" : "/srv/lemonldap-ng/notifications"
    },
    "oidcRPMetaDataExportedVars" : {
-%set %%len_app = %%len(%%oauth2.remotes)
-%for %%idx, %%app in %%enumerate(%%oauth2.remotes)
-  %set %%key = %%normalize_family(%%app)
-  %set %%description = %%oauth2['oauth2_' + %%key]['description_' + %%key]
-      "%%app" : {
+{% set len_app = oauth2.remotes|length %}
+{% for app in oauth2.remotes %}
+{% set key = app|normalize_family %}
+{% set description = oauth2['oauth2_' + key]['description_' + key] %}
+      "{{ app }}" : {
          "email" : "mail",
          "family_name" : "sn",
          "name" : "cn",
 	 "nickname" : "uid",
 	 "home" : "home"
-  %if %%len_app - 1 == %%idx
+{% if len_app == loop.index %}
       }
-  %else
+{% else %}
       },
-  %end if
-%end for
+{% endif %}
+{% endfor %}
    },
    "oidcRPMetaDataOptions" : {
-%for %%idx, %%app in %%enumerate(%%oauth2.remotes)
-  %set %%key = %%normalize_family(%%app)
-  %set %%description = %%oauth2['oauth2_' + %%key]['description_' + %%key]
-      "%%app" : {
+{% for app in oauth2.remotes %}
+{% set key = app|normalize_family %}
+{% set description = oauth2['oauth2_' + key]['description_' + key] %}
+      "{{ app }}" : {
          "oidcRPMetaDataOptionsAllowClientCredentialsGrant" : 0,
          "oidcRPMetaDataOptionsAllowOffline" : 1,
          "oidcRPMetaDataOptionsAllowPasswordGrant" : 0,
          "oidcRPMetaDataOptionsBypassConsent" : 1,
-         "oidcRPMetaDataOptionsClientID" : "%%key",
-         "oidcRPMetaDataOptionsClientSecret" : "%%oauth2['oauth2_' + %%key]['secret_' + %%key]",
+         "oidcRPMetaDataOptionsClientID" : "{{ oauth2['oauth2_' + key]['client_id_' + key] }}",
+         "oidcRPMetaDataOptionsClientSecret" : "{{ oauth2['oauth2_' + key]['secret_' + key] }}",
          "oidcRPMetaDataOptionsIDTokenForceClaims" : 0,
-         "oidcRPMetaDataOptionsIDTokenSignAlg" : "%%oauth2['oauth2_' + %%key]['token_signature_algo_' + %%key]",
+         "oidcRPMetaDataOptionsIDTokenSignAlg" : "{{ oauth2['oauth2_' + key]['token_signature_algo_' + key] }}",
          "oidcRPMetaDataOptionsLogoutSessionRequired" : 0,
          "oidcRPMetaDataOptionsLogoutType" : "front",
-§         "oidcRPMetaDataOptionsLogoutUrl" : "https://git.gnunux.com/user/oauth2/NAME/logout",
-§FIXME
-         "oidcRPMetaDataOptionsPostLogoutRedirectUris" : "gnunux-allow",
          "oidcRPMetaDataOptionsPublic" : 0,
-  %if %%oauth2['oauth2_' + %%key]['login_' + %%key] 
-         "oidcRPMetaDataOptionsRedirectUris" : "%%oauth2['oauth2_' + %%key]['login_' + %%key]",
-  %end if
+{% if oauth2['oauth2_' + key]['login_' + key] %}
+         "oidcRPMetaDataOptionsRedirectUris" : "{{ oauth2['oauth2_' + key]['login_' + key] }}",
+{% endif %}
          "oidcRPMetaDataOptionsRefreshToken" : 0,
          "oidcRPMetaDataOptionsRequirePKCE" : 0
-  %if %%len_app - 1 == %%idx
+{% if len_app == loop.index %}
       }
-  %else
+{% else %}
       },
-  %end if
-%end for
+{% endif %}
+{% endfor %}
    },
    "oidcServiceKeyIdSig" : "2PDCicoyT45rjsARYcxjfg",
    "oidcServiceMetaDataAuthnContext" : {
@@ -151,62 +144,63 @@ commentStartToken = §
       "loa-4" : 4,
       "loa-5" : 5
    },
-%set %%pub = '\\n'.join(%%get_public_key(%%domain_name_eth0, hide=%%hide_secret).split("\n"))
-   "oidcServicePublicKeySig" : "%%pub",
-%set %%priv = '\\n'.join(%%get_private_key(%%domain_name_eth0, hide=%%hide_secret).split("\n"))
-   "oidcServicePrivateKeySig" : "%%priv",
+{% set tpub = domain_name_eth0|get_public_key(hide=hide_secret) %}
+{% set pub = tpub.split("\n")|join('\\n') %}
+   "oidcServicePublicKeySig" : "{{ pub }}",
+{% set tpriv = domain_name_eth0|get_private_key(hide=hide_secret) %}
+{% set priv = tpriv.split("\n")|join('\\n') %}
+   "oidcServicePrivateKeySig" : "{{ priv }}",
    "passwordDB" : "LDAP",
    "persistentStorage" : "Apache::Session::File",
    "persistentStorageOptions" : {
       "Directory": "/srv/lemonldap-ng/psessions",
       "LockDirectory": "/srv/lemonldap-ng/psessions/lock"
    },
-   "portal" : "https://%%revprox_client_external_domainnames[0]/",
+   "portal" : "https://{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}/",
    "portalCheckLogins": 0,
    "portalDisplayRegister": 0,
    "portalDisplayResetPassword": 0,
    "portalMainLogo": "risotto/logo.png",
    "showLanguages": 0,
-   "requireToken": "$env->{REMOTE_ADDR} ne '%%gateway_eth0'",
+   "requireToken": "$env->{REMOTE_ADDR} ne '{{ gateway_eth0 }}'",
    "whatToTrace" : "_whatToTrace",
-%set %%remotes = {}
-%for %%index, %%app in %%enumerate(%%oauth2.remotes)
- %set %%key = %%normalize_family(%%app)
- %set %%description = %%oauth2['oauth2_' + %%key]['description_' + %%key]
- %if not %%description
-  %continue
- %end if
- %set %%dico = {'key': %%key,
-                'description': %%description,
-                'logo': "risotto/" + %%oauth2['oauth2_' + %%key]['logo_' + %%key],
-                'name': %%oauth2['oauth2_' + %%key]['name_' + %%key],
-                'uri': %%oauth2['oauth2_' + %%key]['external_' + %%key]['hosts_' + %%key]}
-%%remotes.setdefault(%%oauth2['oauth2_' + %%key]['category_' + %%key], []).append(%%dico)%slurp
-%end for
+{% set remotes = {} %}
+{% for app in oauth2.remotes %}
+{% set key = app|normalize_family %}
+{% set description = oauth2['oauth2_' + key]['description_' + key] %}
+{% if description %}
+{% set dico = {'key': key,
+               'description': description,
+               'logo': "risotto/" + oauth2['oauth2_' + key]['logo_' + key],
+               'name': oauth2['oauth2_' + key]['name_' + key],
+               'uri': oauth2['oauth2_' + key]['external_' + key]['hosts_' + key]} %}
+{{ remotes.setdefault(oauth2['oauth2_' + key]['category_' + key], []).append(dico) }}
+{% endif %}
+{% endfor %}
    "applicationList" : {
-%for %%index, %%cat in %%enumerate(%%remotes)
- %if %%index != 0
+{% for cat in remotes %}
+{% if loop.index != 1 %}
 ,
- %end if
-      "cat_%%index" : {
-         "catname" : "%%cat",
- %for %%dico in %%remotes[%%cat]
-  %for %%idx, %%uri in %%enumerate(%%dico['uri'])
-         "%%{dico['key']}_%%idx" : {
+{% endif %}
+      "cat_{{ loop.index - 1 }}" : {
+         "catname" : "{{ cat }}",
+{% for dico in remotes[cat] %}
+{% for uri in dico['uri'] %}
+         "{{ dico['key'] }}_{{ loop.index - 1 }}" : {
             "options" : {
-               "description" : "%%dico['description']",
+               "description" : "{{ dico['description'] }}",
                "display" : "auto",
-               "logo" : "%%dico['logo']",
-               "name" : "%%dico['name']",
-               "uri" : "%%uri"
+               "logo" : "{{ dico['logo'] }}",
+               "name" : "{{ dico['name'] }}",
+               "uri" : "{{ uri }}"
             },
             "type" : "application"
          },
-  %end for
- %end for
+{% endfor %}
+{% endfor %}
          "type" : "category"
-      }%slurp
-%end for
+      }
+{%- endfor -%}
 
    }
 }
diff --git a/seed/lemonldap/templates/portal-nginx.conf b/seed/lemonldap/templates/portal-nginx.conf
index 87dfd99..09a8e33 100644
--- a/seed/lemonldap/templates/portal-nginx.conf
+++ b/seed/lemonldap/templates/portal-nginx.conf
@@ -26,7 +26,7 @@ server {
     include /etc/nginx/fastcgi_params;
     fastcgi_pass llng_portal_upstream;
     fastcgi_param REQUEST_URI /.well-known/openid-configuration;
-    fastcgi_param HTTP_HOST %%domain_name_eth0;
+    fastcgi_param HTTP_HOST {{ general.network.interface_0.domain_name_eth0 }};
     fastcgi_param LLTYPE psgi;
     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
     fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
@@ -37,8 +37,10 @@ server {
 #>GNUNUX
 geo $zone_name {
   default ext;
-  %%gateway_eth0 ext;
-  %%network_eth0 int;
+  {{ general.network.interface_0.gateway_eth0 }} ext;
+{% for interface in range(zones_list|length) %}
+  {{ general.network['interface_' + interface|string]['network_eth' + interface|string] }} int;
+{% endfor %}
 }
 #<GNUNUX
 
@@ -47,11 +49,11 @@ server {
   # GNUNUX listen [::]:80;
   # GNUNUX server_name auth.example.com;
 #>GNUNUX
-  listen 443 ssl;
-  server_name %%{revprox_client_external_domainnames[0]};
-  ssl_certificate %%tls_cert_directory/revprox.crt;
-  ssl_certificate_key %%tls_key_directory/revprox.key;
-  ssl_client_certificate %%tls_ca_directory/InternalReverseProxy.crt;
+  listen {{ general.network.interface_0.domain_name_eth0 }}:443 ssl;
+  server_name {{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }};
+  ssl_certificate {{ general.tls_cert_directory }}/revprox.crt;
+  ssl_certificate_key {{ general.tls_key_directory }}/revprox.key;
+  ssl_client_certificate {{ general.tls_ca_directory }}/InternalReverseProxy.crt;
   ssl_session_cache shared:SSL:10m;
 #<GNUNUX
   root /usr/share/lemonldap-ng/portal/htdocs/;
@@ -67,7 +69,7 @@ server {
   #set_real_ip_from  127.0.0.1;
   #real_ip_header    X-Forwarded-For;
 #>GNUNUX
-  set_real_ip_from  %%revprox_client_server_ip;
+  set_real_ip_from  {{ general.revprox.revprox_client_server_ip }};
   real_ip_header    X-Forwarded-For;
 #<GNUNUX
 
@@ -106,35 +108,35 @@ server {
     # REST/SOAP functions for sessions management (disabled by default)
     location ~ ^/index.psgi/adminSessions {
       fastcgi_pass llng_portal_upstream;
-      allow %%revprox_client_server_ip;
+      allow {{ general.revprox.revprox_client_server_ip }};
       deny all;
     }
 
     # REST/SOAP functions for proxy auth and password reset (disabled by default)
     location ~ ^/index.psgi/proxy {
       fastcgi_pass llng_portal_upstream;
-      allow %%revprox_client_server_ip;
+      allow {{ general.revprox.revprox_client_server_ip }};
       deny all;
     }
 
     # REST/SOAP functions for sessions access (disabled by default)
     location ~ ^/index.psgi/sessions {
       fastcgi_pass llng_portal_upstream;
-      allow %%revprox_client_server_ip;
+      allow {{ general.revprox.revprox_client_server_ip }};
       deny all;
     }
 
     # REST/SOAP functions for configuration access (disabled by default)
     location ~ ^/index.psgi/config {
       fastcgi_pass llng_portal_upstream;
-      allow %%revprox_client_server_ip;
+      allow {{ general.revprox.revprox_client_server_ip }};
       deny all;
     }
 
     # REST/SOAP functions for notification insertion (disabled by default)
     location ~ ^/index.psgi/notification {
       fastcgi_pass llng_portal_upstream;
-      allow %%revprox_client_server_ip;
+      allow {{ general.revprox.revprox_client_server_ip }};
       deny all;
     }
 
diff --git a/seed/lemonldap/templates/wget.pl b/seed/lemonldap/templates/wget.pl
index ca4eda7..32bce63 100644
--- a/seed/lemonldap/templates/wget.pl
+++ b/seed/lemonldap/templates/wget.pl
@@ -1,8 +1,8 @@
-%echo "#!/usr/bin/env perl"
+#!/usr/bin/env perl
 
 use HTTP::Tiny;
 
-my $response = HTTP::Tiny->new->get('https://%%domain_name_eth0/.well-known/openid-configuration');
+my $response = HTTP::Tiny->new->get('https://{{ general.network.interface_0.domain_name_eth0 }}/.well-known/openid-configuration');
 
 die "Failed!\n" unless $response->{success};
 
diff --git a/seed/loki/applicationservice.yml b/seed/loki/applicationservice.yml
new file mode 100644
index 0000000..6af3d8d
--- /dev/null
+++ b/seed/loki/applicationservice.yml
@@ -0,0 +1,5 @@
+format: '0.1'
+description: Loki, a log aggregation platform
+website: https://grafana.com/
+depends:
+  - base-fedora-38
diff --git a/seed/loki/dictionaries/20_loki.xml b/seed/loki/dictionaries/20_loki.xml
new file mode 100644
index 0000000..5b5fb9e
--- /dev/null
+++ b/seed/loki/dictionaries/20_loki.xml
@@ -0,0 +1,16 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name="loki" target="multi-user" engine="ansible">
+      <file engine="ansible" source="loki-local-config.yaml">/etc/loki/loki.yaml</file>
+      <file engine="none" source="sysuser-loki.conf">/sysusers.d/loki.conf</file>
+      <file engine="none" source="tmpfile-loki.conf">/tmpfiles.d/0loki.conf</file>
+    </service>
+  </services>
+  <variables>
+    <family name="loki" description="loki">
+      <variable name="remotes" description="Remote loki client" type="domainname" provider="Loki" mandatory="True" multi="True"/>
+    </family>
+  </variables>
+</rougail>
+
diff --git a/seed/loki/manual/image/postinstall/loki.sh b/seed/loki/manual/image/postinstall/loki.sh
new file mode 100644
index 0000000..d2bd659
--- /dev/null
+++ b/seed/loki/manual/image/postinstall/loki.sh
@@ -0,0 +1,17 @@
+set -ex
+
+#FIXME unsign?
+
+mkdir -p ~/loki/
+URL=$(wget https://api.github.com/repos/grafana/loki/releases/latest -q -O - | jq -r '.assets[].browser_download_url'|grep loki-linux-amd64)
+VERS=$(echo "$URL" | awk -F'/' '{ print $8 }')
+
+if [ ! -f ~/"loki/loki-$VERS-linux-amd64.zip" ]; then
+    rm -rf ~/"loki/loki-*-linux-amd64.zip"
+    wget "$URL" -O ~/"loki/loki-$VERS-linux-amd64.zip"
+fi
+
+cp -a ~/"loki/loki-$VERS-linux-amd64.zip" .
+unzip "loki-$VERS-linux-amd64.zip"
+mv "loki-linux-amd64" "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/bin/loki"
+chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/bin/loki"
diff --git a/seed/loki/templates/loki-local-config.yaml b/seed/loki/templates/loki-local-config.yaml
new file mode 100644
index 0000000..ecebb64
--- /dev/null
+++ b/seed/loki/templates/loki-local-config.yaml
@@ -0,0 +1,55 @@
+#RISOTTO: https://raw.githubusercontent.com/grafana/loki/main/cmd/loki/loki-local-config.yaml
+auth_enabled: false
+
+server:
+  http_listen_port: 3100
+  grpc_listen_port: 9096
+
+common:
+  instance_addr: 127.0.0.1
+  path_prefix: /srv/loki
+  storage:
+    filesystem:
+      chunks_directory: /srv/loki/chunks
+      rules_directory: /srv/loki/rules
+  replication_factor: 1
+  ring:
+    kvstore:
+      store: inmemory
+
+query_range:
+  results_cache:
+    cache:
+      embedded_cache:
+        enabled: true
+        max_size_mb: 100
+
+schema_config:
+  configs:
+    - from: 2020-10-24
+      store: boltdb-shipper
+      object_store: filesystem
+      schema: v11
+      index:
+        prefix: index_
+        period: 24h
+
+ruler:
+  alertmanager_url: http://localhost:9093
+
+# By default, Loki will send anonymous, but uniquely-identifiable usage and configuration
+# analytics to Grafana Labs. These statistics are sent to https://stats.grafana.org/
+#
+# Statistics help us better understand how Loki is used, and they show us performance
+# levels for most users. This helps us prioritize features and documentation.
+# For more information on what's sent, look at
+# https://github.com/grafana/loki/blob/main/pkg/usagestats/stats.go
+# Refer to the buildReport method to see what goes into a report.
+#
+# If you would like to disable reporting, uncomment the following lines:
+#analytics:
+#  reporting_enabled: false
+#>GNUNUX
+analytics:
+  reporting_enabled: false
+#<GNUNUX
diff --git a/seed/loki/templates/loki.service b/seed/loki/templates/loki.service
new file mode 100644
index 0000000..5717107
--- /dev/null
+++ b/seed/loki/templates/loki.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Loki Grafana
+Wants=risotto.target
+After=risotto.target
+
+[Service]
+Type=simple
+User=loki
+Group=loki
+ExecStart=/usr/bin/loki -config.file=/etc/loki/loki.yaml
+Restart=always
+
+[Install]
+WantedBy=multi-user.target
diff --git a/seed/loki/templates/sysuser-loki.conf b/seed/loki/templates/sysuser-loki.conf
new file mode 100644
index 0000000..d55832d
--- /dev/null
+++ b/seed/loki/templates/sysuser-loki.conf
@@ -0,0 +1,2 @@
+g loki 997 -
+u loki 997:997     "Loki Grafana" /tmp /sbin/nologin
diff --git a/seed/loki/templates/tmpfile-loki.conf b/seed/loki/templates/tmpfile-loki.conf
new file mode 100644
index 0000000..61a65ee
--- /dev/null
+++ b/seed/loki/templates/tmpfile-loki.conf
@@ -0,0 +1 @@
+d /srv/loki 700 loki loki - -
diff --git a/seed/mailman/dictionaries/31_mailman.xml b/seed/mailman/dictionaries/31_mailman.xml
index 0e48c78..8920b5f 100644
--- a/seed/mailman/dictionaries/31_mailman.xml
+++ b/seed/mailman/dictionaries/31_mailman.xml
@@ -2,25 +2,21 @@
 <rougail version="0.10">
   <services>
     <service name="mailman3"> <!-- target="multi-user">-->
-      <override/>
-      <file owner="root" group="list" mode="640">/etc/mailman3/mailman.cfg</file>
+      <override engine="ansible"/>
+      <file engine="ansible" owner="root" group="list" mode="640">/etc/mailman3/mailman.cfg</file>
       <file engine="none" source="tmpfile-mailman.conf">/tmpfiles.d/0mailman.conf</file>
-      <file filelist="copy_tests">/tests/mailman.yml</file>
+      <file engine="ansible" filelist="copy_tests">/tests/mailman.yml</file>
       <!--file owner="root" group="mailman" mode="640">/etc/mailman3.d/postfix.cfg</file-->
     </service>
     <service name="mailman3-web"> <!-- target="multi-user" engine="cheetah">-->
-      <override/>
+      <override engine="ansible"/>
       <certificate authority="PostgreSQL" owner="www-data" server="pg_client_server_domainname">postgresql_postorius</certificate>
       <!--file engine="none">/etc/postorius/gunicorn_config.py</file>
       <file engine="none" source="sysuser-postorius.conf">/sysusers.d/0postorius.conf</file-->
-      <file source="config-nginx.conf">/etc/mailman3/nginx.conf</file>
-      <file>/etc/mailman3/mailman-web.py</file>
-      <file>/etc/mailman3/uwsgi.ini</file>
+      <file engine="ansible" source="config-nginx.conf">/etc/mailman3/nginx.conf</file>
+      <file engine="ansible">/etc/mailman3/mailman-web.py</file>
+      <file engine="none">/etc/mailman3/uwsgi.ini</file>
     </service>
-    <!--service name="postgresqlclient" target="multi-user" engine="cheetah"-->
-      <!-- mailman and postorius have differents username -->
-      <!--file owner="postorius" mode="400" source="postgresql.key">/etc/pki/tls/private/postgresql_postorius.key</file-->
-    <!--/service-->
   </services>
   <variables>
     <family name="mailman" description="Gestionnaire de liste">
diff --git a/seed/mailman/templates/config-nginx.conf b/seed/mailman/templates/config-nginx.conf
index d6f5f90..cb911a1 100644
--- a/seed/mailman/templates/config-nginx.conf
+++ b/seed/mailman/templates/config-nginx.conf
@@ -54,9 +54,9 @@ server {
     ## Strong SSL Security
     ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
 #    ssl on;
-    ssl_certificate              %%tls_cert_directory/revprox.crt;
-    ssl_certificate_key          %%tls_key_directory/revprox.key;
-    ssl_client_certificate       %%tls_ca_directory/InternalReverseProxy.crt;
+    ssl_certificate              {{ general.tls_cert_directory }}/revprox.crt;
+    ssl_certificate_key          {{ general.tls_key_directory }}/revprox.key;
+    ssl_client_certificate       {{ general.tls_ca_directory }}/InternalReverseProxy.crt;
 
     ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
@@ -69,15 +69,15 @@ server {
         include /etc/nginx/uwsgi_params;
     }
 
-%set %%location = %%revprox_client_external_domainnames[0].revprox_client_location
-%if not %%location.endswith('/')
-%%location += '/'
-%end if
-    location %%{location}static {
+{% set location = general.revprox.revprox_client.revprox_client_external_domainnames[0].revprox_client_location %}
+{% if not location.endswith('/') %}
+{% set location = location + '/' %}
+{% endif %}
+    location {{ location }}static {
         alias /var/lib/mailman3/web/static;
     }
 
-    location %%{location}static/favicon.ico {
+    location {{ location }}static/favicon.ico {
         alias /var/lib/mailman3/web/static/postorius/img/favicon.ico;
     }
 #
diff --git a/seed/mailman/templates/gunicorn_config.py b/seed/mailman/templates/gunicorn_config.py
deleted file mode 100644
index a061de9..0000000
--- a/seed/mailman/templates/gunicorn_config.py
+++ /dev/null
@@ -1,221 +0,0 @@
-# FORK of https://raw.githubusercontent.com/benoitc/gunicorn/master/examples/example_config.py
-# Sample Gunicorn configuration file.
-
-#
-# Server socket
-#
-#   bind - The socket to bind.
-#
-#       A string of the form: 'HOST', 'HOST:PORT', 'unix:PATH'.
-#       An IP is a valid HOST.
-#
-#   backlog - The number of pending connections. This refers
-#       to the number of clients that can be waiting to be
-#       served. Exceeding this number results in the client
-#       getting an error when attempting to connect. It should
-#       only affect servers under significant load.
-#
-#       Must be a positive integer. Generally set in the 64-2048
-#       range.
-#
-
-bind = '127.0.0.1:8002'
-backlog = 2048
-
-#
-# Worker processes
-#
-#   workers - The number of worker processes that this server
-#       should keep alive for handling requests.
-#
-#       A positive integer generally in the 2-4 x $(NUM_CORES)
-#       range. You'll want to vary this a bit to find the best
-#       for your particular application's work load.
-#
-#   worker_class - The type of workers to use. The default
-#       sync class should handle most 'normal' types of work
-#       loads. You'll want to read
-#       http://docs.gunicorn.org/en/latest/design.html#choosing-a-worker-type
-#       for information on when you might want to choose one
-#       of the other worker classes.
-#
-#       A string referring to a Python path to a subclass of
-#       gunicorn.workers.base.Worker. The default provided values
-#       can be seen at
-#       http://docs.gunicorn.org/en/latest/settings.html#worker-class
-#
-#   worker_connections - For the eventlet and gevent worker classes
-#       this limits the maximum number of simultaneous clients that
-#       a single process can handle.
-#
-#       A positive integer generally set to around 1000.
-#
-#   timeout - If a worker does not notify the master process in this
-#       number of seconds it is killed and a new worker is spawned
-#       to replace it.
-#
-#       Generally set to thirty seconds. Only set this noticeably
-#       higher if you're sure of the repercussions for sync workers.
-#       For the non sync workers it just means that the worker
-#       process is still communicating and is not tied to the length
-#       of time required to handle a single request.
-#
-#   keepalive - The number of seconds to wait for the next request
-#       on a Keep-Alive HTTP connection.
-#
-#       A positive integer. Generally set in the 1-5 seconds range.
-#
-
-workers = 1
-worker_class = 'sync'
-worker_connections = 1000
-# GNUNUX timeout = 30
-#>GNUNUX
-timeout = 120
-#>GNUNUX
-keepalive = 2
-
-#
-#   spew - Install a trace function that spews every line of Python
-#       that is executed when running the server. This is the
-#       nuclear option.
-#
-#       True or False
-#
-
-spew = False
-
-#
-# Server mechanics
-#
-#   daemon - Detach the main Gunicorn process from the controlling
-#       terminal with a standard fork/fork sequence.
-#
-#       True or False
-#
-#   raw_env - Pass environment variables to the execution environment.
-#
-#   pidfile - The path to a pid file to write
-#
-#       A path string or None to not write a pid file.
-#
-#   user - Switch worker processes to run as this user.
-#
-#       A valid user id (as an integer) or the name of a user that
-#       can be retrieved with a call to pwd.getpwnam(value) or None
-#       to not change the worker process user.
-#
-#   group - Switch worker process to run as this group.
-#
-#       A valid group id (as an integer) or the name of a user that
-#       can be retrieved with a call to pwd.getgrnam(value) or None
-#       to change the worker processes group.
-#
-#   umask - A mask for file permissions written by Gunicorn. Note that
-#       this affects unix socket permissions.
-#
-#       A valid value for the os.umask(mode) call or a string
-#       compatible with int(value, 0) (0 means Python guesses
-#       the base, so values like "0", "0xFF", "0022" are valid
-#       for decimal, hex, and octal representations)
-#
-#   tmp_upload_dir - A directory to store temporary request data when
-#       requests are read. This will most likely be disappearing soon.
-#
-#       A path to a directory where the process owner can write. Or
-#       None to signal that Python should choose one on its own.
-#
-
-daemon = False
-raw_env = [
-    'DJANGO_SECRET_KEY=something',
-    'SPAM=eggs',
-]
-pidfile = None
-umask = 0
-user = None
-group = None
-tmp_upload_dir = None
-
-#
-#   Logging
-#
-#   logfile - The path to a log file to write to.
-#
-#       A path string. "-" means log to stdout.
-#
-#   loglevel - The granularity of log output
-#
-#       A string of "debug", "info", "warning", "error", "critical"
-#
-
-errorlog = '-'
-loglevel = 'info'
-accesslog = '-'
-access_log_format = '%(h)s %(l)s %(u)s %(t)s "%(r)s" %(s)s %(b)s "%(f)s" "%(a)s"'
-
-#
-# Process naming
-#
-#   proc_name - A base to use with setproctitle to change the way
-#       that Gunicorn processes are reported in the system process
-#       table. This affects things like 'ps' and 'top'. If you're
-#       going to be running more than one instance of Gunicorn you'll
-#       probably want to set a name to tell them apart. This requires
-#       that you install the setproctitle module.
-#
-#       A string or None to choose a default of something like 'gunicorn'.
-#
-
-proc_name = None
-
-#
-# Server hooks
-#
-#   post_fork - Called just after a worker has been forked.
-#
-#       A callable that takes a server and worker instance
-#       as arguments.
-#
-#   pre_fork - Called just prior to forking the worker subprocess.
-#
-#       A callable that accepts the same arguments as after_fork
-#
-#   pre_exec - Called just prior to forking off a secondary
-#       master process during things like config reloading.
-#
-#       A callable that takes a server instance as the sole argument.
-#
-
-def post_fork(server, worker):
-    server.log.info("Worker spawned (pid: %s)", worker.pid)
-
-def pre_fork(server, worker):
-    pass
-
-def pre_exec(server):
-    server.log.info("Forked child, re-executing.")
-
-def when_ready(server):
-    server.log.info("Server is ready. Spawning workers")
-
-def worker_int(worker):
-    worker.log.info("worker received INT or QUIT signal")
-
-    ## get traceback info
-    import threading, sys, traceback
-    id2name = {th.ident: th.name for th in threading.enumerate()}
-    code = []
-    for threadId, stack in sys._current_frames().items():
-        code.append("\n# Thread: %s(%d)" % (id2name.get(threadId,""),
-            threadId))
-        for filename, lineno, name, line in traceback.extract_stack(stack):
-            code.append('File: "%s", line %d, in %s' % (filename,
-                lineno, name))
-            if line:
-                code.append("  %s" % (line.strip()))
-    worker.log.debug("\n".join(code))
-
-def worker_abort(worker):
-    worker.log.info("worker received SIGABRT signal")
-
diff --git a/seed/mailman/templates/mailman-web.py b/seed/mailman/templates/mailman-web.py
index b2ea643..bc0a3a9 100644
--- a/seed/mailman/templates/mailman-web.py
+++ b/seed/mailman/templates/mailman-web.py
@@ -3,7 +3,7 @@
 
 # SECURITY WARNING: keep the secret key used in production secret!
 #>GNUNUX
-SECRET_KEY = '%%postorius_secret_key'
+SECRET_KEY = '{{ general.mailman.postorius_secret_key }}'
 #<GNUNUX
 
 
@@ -22,7 +22,7 @@ ALLOWED_HOSTS = [
     # Add here all production URLs you may have.
 #>GNUNUX
     #'*'
-    '%%{revprox_client_external_domainnames[0]}'
+    '{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}'
 #<GNUNUX
 ]
 
@@ -99,10 +99,10 @@ DATABASES = {
         #'HOST': '',
         'ENGINE': 'django.db.backends.postgresql_psycopg2',
 #FIXME same database has mailman?
-        'NAME': '%%pg_client_database',
-        'USER': '%%pg_client_username',               # PostgreSQL username
-        'PASSWORD': '%%pg_client_password',           # PostgreSQL password
-        'HOST': '%%pg_client_server_domainname',      # Database server
+        'NAME': '{{ general.postgresql.pg_client_database }}',
+        'USER': '{{ general.postgresql.pg_client_username }}',               # PostgreSQL username
+        'PASSWORD': '{{ general.postgresql.pg_client_password }}',           # PostgreSQL password
+        'HOST': '{{ general.postgresql.pg_client_server_domainname }}',      # Database server
         #        'CONN_MAX_AGE': 300,
 #>GNUNUX
         # PORT: set to empty string for default.
@@ -115,9 +115,9 @@ DATABASES = {
             #'init_command': "SET sql_mode='STRICT_TRANS_TABLES'",
 #>GNUNUX
             'sslmode': 'verify-full',
-            'sslcert': '%%tls_cert_directory/postgresql_postorius.crt',
-            'sslkey': '%%tls_key_directory/postgresql_postorius.key',
-            'sslrootcert': '%%tls_ca_directory/PostgreSQL.crt',
+            'sslcert': '{{ general.tls_cert_directory }}/postgresql_postorius.crt',
+            'sslkey': '{{ general.tls_key_directory }}/postgresql_postorius.key',
+            'sslrootcert': '{{ general.tls_ca_directory }}/PostgreSQL.crt',
 #<GNUNUX
         },
     }
@@ -177,7 +177,7 @@ SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
 # CSRF_COOKIE_HTTPONLY = True
 # X_FRAME_OPTIONS = 'DENY'
 #>GNUNUX
-CSRF_TRUSTED_ORIGINS = ['%%{revprox_client_external_domainnames[0]}']
+CSRF_TRUSTED_ORIGINS = ['{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}']
 #<GNUNUX
 
 # Internationalization
@@ -206,7 +206,7 @@ EMAILNAME = 'localhost.local'
 # DEFAULT_FROM_EMAIL = "mailing-lists@you-domain.org"
 #>GNUNUX
 #DEFAULT_FROM_EMAIL = 'postorius@{}'.format(EMAILNAME)
-DEFAULT_FROM_EMAIL = '%%mailman_mail_owner'
+DEFAULT_FROM_EMAIL = '{{ general.mailman.mailman_mail_owner }}'
 #<GNUNUX
 
 # If you enable email reporting for error messages, this is where those emails
@@ -216,11 +216,11 @@ DEFAULT_FROM_EMAIL = '%%mailman_mail_owner'
 # SERVER_EMAIL = 'root@your-domain.org'
 #>GNUNUX
 #SERVER_EMAIL = 'root@{}'.format(EMAILNAME)
-SERVER_EMAIL = '%%mailman_mail_owner'
-EMAIL_HOST = "%%smtp_relay_address"
+SERVER_EMAIL = '{{ general.mailman.mailman_mail_owner }}'
+EMAIL_HOST = "{{ general.smtp.smtp_relay_address }}"
 EMAIL_PORT = 25
-EMAIL_HOST_USER = "%%smtp_relay_user@%%ip_eth0"
-EMAIL_HOST_PASSWORD = "%%smtp_relay_password"
+EMAIL_HOST_USER = "{{ general.smtp.smtp_relay_user }}@{{ general.smtp.smtp_client_ip }}"
+EMAIL_HOST_PASSWORD = "{{ general.smtp.smtp_relay_password }}"
 EMAIL_USE_TLS = True
 #FIXME
 EMAIL_SUBJECT_PREFIX = '[Django] '
@@ -264,8 +264,8 @@ SOCIALACCOUNT_PROVIDERS = {
     #},
     'risotto': {
         'LEMONLDAP_NAME': 'Authentification centralisée',
-        'LEMONLDAP_URL': 'https://%%oauth2_server_domainname',
-        'LEMONLDAP_LOCAL_URL': 'https://%%oauth2_client_server_domainname',
+        'LEMONLDAP_URL': 'https://{{ general.oauth2_client.oauth2_server_domainname }}',
+        'LEMONLDAP_LOCAL_URL': 'https://{{ general.oauth2_client.oauth2_client_server_domainname }}',
         'ACCOUNT_EMAIL_REQUIRED': True,
         'ACCOUNT_UNIQUE_EMAIL': True,
         'ACCOUNT_USERNAME_REQUIRED': False,
@@ -287,6 +287,6 @@ COMPRESS_OFFLINE = True
 
 #>GNUNUX
 #POSTORIUS_TEMPLATE_BASE_URL = 'http://localhost/mailman3/'
-%set %%location = %%revprox_client_external_domainnames[0].revprox_client_location
-POSTORIUS_TEMPLATE_BASE_URL = 'https://%%{revprox_client_external_domainnames[0]}/%%location'
+{% set location = general.revprox.revprox_client.revprox_client_external_domainnames[0].revprox_client_location %}
+POSTORIUS_TEMPLATE_BASE_URL = 'https://{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}/{{ location }}'
 #<GNUNUX
diff --git a/seed/mailman/templates/mailman.cfg b/seed/mailman/templates/mailman.cfg
index 23ec860..4e1a340 100644
--- a/seed/mailman/templates/mailman.cfg
+++ b/seed/mailman/templates/mailman.cfg
@@ -27,7 +27,7 @@
 # a human.
 #>GNUNUX
 #site_owner: changeme@example.com
-site_owner: %%mailman_mail_owner
+site_owner: {{ general.mailman.mailman_mail_owner }}
 #<GNUNUX
 
 # This is the local-part of an email address used in the From field whenever a
@@ -192,7 +192,7 @@ class: mailman.database.postgresql.PostgreSQLDatabase
 #url: mysql+pymysql://mailman3:mmpass@localhost/mailman3?charset=utf8&use_unicode=1
 #url: postgres://mailman3:mmpass@localhost/mailman3
 #>GNUNUX
-url: postgresql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database?sslmode=verify-full&sslcert=%%tls_cert_directory/postgresql.crt&sslkey=%%tls_key_directory/postgresql.key&sslrootcert=%%tls_ca_directory/PostgreSQL.crt
+url: postgresql://{{ general.postgresql.pg_client_username }}:{{ general.postgresql.pg_client_password }}@{{ general.postgresql.pg_client_server_domainname }}/{{ general.postgresql.pg_client_database }}?sslmode=verify-full&sslcert={{ general.tls_cert_directory }}/postgresql.crt&sslkey={{ general.tls_key_directory }}/postgresql.key&sslrootcert={{ general.tls_ca_directory }}/PostgreSQL.crt
 #<GNUNUX
 
 debug: no
@@ -244,7 +244,7 @@ debug: no
 # The hostname at which admin web service resources are exposed.
 #>GNUNUX
 #hostname: localhost
-hostname: %%mailman_domains
+hostname: {{ general.mailman.mailman_domains }}
 #<GNUNUX
 
 # The port at which the admin web service resources are exposed.
@@ -289,12 +289,12 @@ outgoing: mailman.mta.deliver.deliver
 # then Mailman will attempt to log into the MTA when making a new connection.
 #>GNUNUX
 #smtp_host: localhost
-smtp_host: %%smtp_relay_address
+smtp_host: {{ general.smtp.smtp_relay_address }}
 smtp_port: 25
 #smtp_user:
-smtp_user: %%smtp_relay_user@%%ip_eth0
+smtp_user: {{ general.smtp.smtp_relay_user }}@{{ general.smtp.smtp_client_ip }}
 #smtp_pass:
-smtp_pass: %%smtp_relay_password
+smtp_pass: {{ general.smtp.smtp_relay_password }}
 smtp_secure_mode: starttls
 smtp_verify_cert: yes
 smtp_verify_hostname: yes
@@ -305,7 +305,7 @@ smtp_verify_hostname: yes
 # (e.g. not /etc/hosts).
 #>GNUNUX
 #lmtp_host: 127.0.0.1
-lmtp_host: %%ip_eth0
+lmtp_host: {{ general.network.interface_0.ip_eth0 }}
 #<GNUNUX
 lmtp_port: 8024
 
diff --git a/seed/mailman/templates/mailman.yml b/seed/mailman/templates/mailman.yml
index 2c96daf..3cbadc1 100644
--- a/seed/mailman/templates/mailman.yml
+++ b/seed/mailman/templates/mailman.yml
@@ -1,12 +1,12 @@
-%set %%username="rougail_test@silique.fr"
-ip: %%ip_eth0
-revprox_ip: %%revprox_client_server_ip
-%set %%domain = %%revprox_client_external_domainnames[0]
-domain_name: %%domain
-base_url: https://%%domain%%domain.revprox_client_location
-auth_url: %%oauth2_client_external[0]
-auth_server: %%oauth2_server_domainname
-username: %%username
-password: %%get_password(server_name='test', username=%%username, description='test', type="cleartext", hide=%%hide_secret, temporary=True)
-mailman_domain: %%mailman_domains[0]
-internal_address: %%domain_name_eth0
+{% set username="rougail_test@silique.fr" %}
+ip: {{ general.network.interface_0.ip_eth0 }}
+revprox_ip: {{ general.revprox.revprox_client.revprox_client_server_ip }}
+{% set domain = {{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}
+domain_name: {{ domain }}
+base_url: https://{{ domain }}{{ domain.revprox_client_location }}
+auth_url: {{ general.oauth2_client.oauth2_client_external[0] }}
+auth_server: {{ general.oauth2_client.oauth2_server_domainname }}
+username: {{ username }}
+password: username|get_password(server_name='test', description='test', type="cleartext", hide=hide_secret, temporary=True)
+mailman_domain: {{ general.mailman.mailman_domains[0] }}
+internal_address: {{ general.network.interface_0.domain_name_eth0 }}
diff --git a/seed/mailman/templates/mailman3-web.service b/seed/mailman/templates/mailman3-web.service
index b5efba9..a110ff0 100644
--- a/seed/mailman/templates/mailman3-web.service
+++ b/seed/mailman/templates/mailman3-web.service
@@ -1,7 +1,7 @@
 [Service]
 WorkingDirectory=/usr/share/mailman3-web
 ExecStartPre=/usr/bin/python3 manage.py migrate
-ExecStartPre=/usr/bin/python3 manage.py shell -c 'from django.contrib.sites.models import Site; site=Site.objects.first(); site.name="%%{revprox_client_external_domainnames[0]}"; site.domain="%%{revprox_client_external_domainnames[0]}"; site.save()'
-ExecStartPre=/usr/bin/python3 manage.py shell -c 'from allauth.socialaccount.models import SocialApp; SocialApp.objects.create() if SocialApp.objects.count() == 0 else print("social app already exists"); a=SocialApp.objects.first(); a.name = "%%domain_name_eth0"; a.provider = "risotto"; a.client_id = "%%oauth2_client_id"; a.secret = "%%oauth2_client_secret"; a.sites.set([1]); a.save()'
-ExecStartPre=-/usr/bin/python3 manage.py createsuperuser --username "%%mailman_mail_owner" --email "%%mailman_mail_owner" --noinput
+ExecStartPre=/usr/bin/python3 manage.py shell -c 'from django.contrib.sites.models import Site; site=Site.objects.first(); site.name="{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}"; site.domain="{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}"; site.save()'
+ExecStartPre=/usr/bin/python3 manage.py shell -c 'from allauth.socialaccount.models import SocialApp; SocialApp.objects.create() if SocialApp.objects.count() == 0 else print("social app already exists"); a=SocialApp.objects.first(); a.name = "{{ general.network.interface_0.domain_name_eth0 }}"; a.provider = "risotto"; a.client_id = "{{ general.oauth2_client.oauth2_client_id }}"; a.secret = "{{ general.oauth2_client.oauth2_client_secret }}"; a.sites.set([1]); a.save()'
+ExecStartPre=-/usr/bin/python3 manage.py createsuperuser --username "{{ general.mailman.mailman_mail_owner }}" --email "{{ general.mailman.mailman_mail_owner }}" --noinput
 
diff --git a/seed/mailman/templates/mailman3.service b/seed/mailman/templates/mailman3.service
index d09b2ee..f3115be 100644
--- a/seed/mailman/templates/mailman3.service
+++ b/seed/mailman/templates/mailman3.service
@@ -1,11 +1,10 @@
 [Unit]
-Description=Postorius WSGI Service
 After=risotto.target
 
 [Service]
-%for %%domain in %%mailman_domains
- %set %%key = %%normalize_family(%%domain)
- %for %%name in %%mailman['list_' + %%key]['name_' + %%key]
-ExecStartPre=-/usr/bin/mailman create --language fr -o %%mailman_mail_owner -N -d %%name@%%domain
- %end for
-%end for
+{% for domain in general.mailman.mailman_domains %}
+{% set key = domain|normalize_family %}
+{% for name in mailman['list_' + key]['name_' + key] %}
+ExecStartPre=-/usr/bin/mailman create --language fr -o {{ general.mailman.mailman_mail_owner }} -N -d {{ name }}@{{ domain }}
+{% endfor %}
+{% endfor %}
diff --git a/seed/mailman/templates/postorius.service b/seed/mailman/templates/postorius.service
index 83374d6..6be38ce 100644
--- a/seed/mailman/templates/postorius.service
+++ b/seed/mailman/templates/postorius.service
@@ -19,9 +19,9 @@ RestrictRealtime=yes
 PrivateMounts=yes
 Environment="MAILMAN_WEB_CONFIG=/usr/share/postorius/m_postorius/settings.py"
 ExecStartPre=/usr/share/postorius/manage.py migrate
-ExecStartPre=/usr/share/postorius/manage.py shell -c 'from django.contrib.sites.models import Site; site=Site.objects.first(); site.name="%%{revprox_client_external_domainnames[0]}"; site.domain="%%{revprox_client_external_domainnames[0]}"; site.save()'
-ExecStartPre=/usr/share/postorius/manage.py shell -c 'from allauth.socialaccount.models import SocialApp; SocialApp.objects.create() if SocialApp.objects.count() == 0 else print("social app already exists"); a=SocialApp.objects.first(); a.name = "%%domain_name_eth0"; a.provider = "risotto"; a.client_id = "%%oauth2_client_id"; a.secret = "%%oauth2_client_secret"; a.sites.set([1]); a.save()'
-ExecStartPre=-/usr/share/postorius/manage.py createsuperuser --username "%%mailman_mail_owner" --email "%%mailman_mail_owner" --noinput
+ExecStartPre=/usr/share/postorius/manage.py shell -c 'from django.contrib.sites.models import Site; site=Site.objects.first(); site.name="{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}"; site.domain="{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}"; site.save()'
+ExecStartPre=/usr/share/postorius/manage.py shell -c 'from allauth.socialaccount.models import SocialApp; SocialApp.objects.create() if SocialApp.objects.count() == 0 else print("social app already exists"); a=SocialApp.objects.first(); a.name = "{{ general.network.interface_0.domain_name_eth0 }}"; a.provider = "risotto"; a.client_id = "{{ general.oauth2_client.oauth2_client_id }}"; a.secret = "{{ general.oauth2_client.oauth2_client_secret }}"; a.sites.set([1]); a.save()'
+ExecStartPre=-/usr/share/postorius/manage.py createsuperuser --username "{{ general.mailman.mailman_mail_owner }}" --email "{{ general.mailman.mailman_mail_owner }}" --noinput
 ExecStart=/usr/bin/gunicorn --config /etc/postorius/gunicorn_config.py m_postorius.wsgi
 ExecReload=/bin/kill -s HUP $MAINPID
 KillMode=mixed
diff --git a/seed/mariadb-client/dictionaries/20_mariadb.xml b/seed/mariadb-client/dictionaries/20_mariadb.xml
index 10af8f1..6d3f721 100644
--- a/seed/mariadb-client/dictionaries/20_mariadb.xml
+++ b/seed/mariadb-client/dictionaries/20_mariadb.xml
@@ -1,19 +1,32 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
   <services>
-    <service name="mariadbclient" target="risotto" engine="cheetah"/>
+    <service name="mariadbclient" target="risotto" engine="ansible"/>
   </services>
   <variables>
     <family name="mariadb" description="MariaDB">
       <variable name="mariadb_client_server_domainname" type="domainname" description="Nom de domaine du serveur MariaDB" mandatory="True" supplier="MariaDB"/>
-      <variable name="mariadb_client_username" description="Database username" mandatory="True" hidden="True"/>
+      <variable name="mariadb_client_server_ip" type="ip" hidden="True"/>
+      <variable name="mariadb_client_username" description="Database username" mandatory="True" hidden="True" supplier="MariaDB:username"/>
       <variable name="mariadb_client_password" type="secret" description="Database password" mandatory="True" hidden="True" supplier="MariaDB:password"/>
-      <variable name="mariadb_client_database" description="Database name" mandatory="True" hidden="True"/>
+      <variable name="mariadb_client_database" description="Database name" mandatory="True" hidden="True" supplier="MariaDB:database"/>
+      <variable name='mariadb_client_address' hidden="True"/>
     </family>
   </variables>
   <constraints>
+    <fill name="get_ip">
+      <param type="information">zones</param>
+      <param type="variable">mariadb_client_server_domainname</param>
+      <target>mariadb_client_server_ip</target>
+    </fill>
+    <fill name="get_client_address">
+      <param type='variable'>mariadb_client_server_ip</param>
+      <param type='variable'>domain_name_eth</param>
+      <param type='variable'>network_eth</param>
+      <target>mariadb_client_address</target>
+    </fill>
     <fill name="normalize_family">
-      <param type="variable">domain_name_eth0</param>
+      <param type="variable">server_name</param>
       <target>mariadb_client_username</target>
     </fill>
     <fill name="calc_value">
@@ -22,7 +35,7 @@
     </fill>
     <fill name="get_password">
       <param name="server_name" type="variable">mariadb_client_server_domainname</param>
-      <param name="username" type="variable">domain_name_eth0</param>
+      <param name="username" type="variable">mariadb_client_address</param>
       <param name="description">remote</param>
       <param name="type">cleartext</param>
       <param name="hide" type="variable">hide_secret</param>
diff --git a/seed/mariadb-client/templates/mariadbclient.service b/seed/mariadb-client/templates/mariadbclient.service
index 007e422..40370dd 100644
--- a/seed/mariadb-client/templates/mariadbclient.service
+++ b/seed/mariadb-client/templates/mariadbclient.service
@@ -5,4 +5,4 @@ Before=risotto.target
 
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/%%mariadb_client_server_domainname/3306; do sleep 1; done; echo "MARIADB STARTED"'
+ExecStart=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/{{ general.mariadb.mariadb_client_server_domainname }}/3306; do sleep 1; done; echo "MARIADB STARTED"'
diff --git a/seed/mariadb/dictionaries/20_mariadb.xml b/seed/mariadb/dictionaries/20_mariadb.xml
index 896094b..346f98a 100644
--- a/seed/mariadb/dictionaries/20_mariadb.xml
+++ b/seed/mariadb/dictionaries/20_mariadb.xml
@@ -2,12 +2,12 @@
 <rougail version="0.10">
   <services>
     <service name="mariadb" target="multi-user">
-      <override/>
-      <file>/etc/my.cnf.d/risotto.cnf</file>
+      <override engine="ansible"/>
+      <file engine="none">/etc/my.cnf.d/risotto.cnf</file>
       <file engine="none" source="tmpfile-mariadb.conf">/tmpfiles.d/0mariadb.conf</file>
-      <file mode="600" owner="mysql" group="mysql">/etc/mariadb.sql</file>
-      <file filelist="copy_tests">/tests/mariadb.yml</file>
-      <file mode="700">/sbin/risotto_backup</file>
+      <file engine="ansible" mode="600" owner="mysql" group="mysql">/etc/mariadb.sql</file>
+      <file engine="ansible" filelist="copy_tests">/tests/mariadb.yml</file>
+      <file engine="ansible" mode="700">/sbin/risotto_backup</file>
     </service>
   </services>
   <variables>
diff --git a/seed/mariadb/extras/accounts/00_accounts.xml b/seed/mariadb/extras/accounts/00_accounts.xml
index 63f1451..e5a3eeb 100644
--- a/seed/mariadb/extras/accounts/00_accounts.xml
+++ b/seed/mariadb/extras/accounts/00_accounts.xml
@@ -3,6 +3,8 @@
   <variables>
     <variable name="remotes" description="Remote clients needing an account" type="domainname" multi="True" provider="MariaDB"/>
     <family name="remote_" description="Account for " dynamic="accounts.remotes">
+      <variable name="database_" description="Remote database " auto_save="False" hidden="True" mandatory="True" provider="MariaDB:database"/>
+      <variable name="username_" description="Remote username " auto_save="False" hidden="True" mandatory="True" provider="MariaDB:username"/>
       <variable name="password_" description="Remote password" auto_save="False" hidden="True" type="password" mandatory="True" provider="MariaDB:password"/>
     </family>
   </variables>
diff --git a/seed/mariadb/templates/mariadb.service b/seed/mariadb/templates/mariadb.service
index fcfd36f..dba66da 100644
--- a/seed/mariadb/templates/mariadb.service
+++ b/seed/mariadb/templates/mariadb.service
@@ -1,3 +1,3 @@
 [Service]
-ExecStartPost=-/usr/bin/mysql -e "UPDATE mysql.global_priv SET priv=json_set(priv, '$.plugin', 'mysql_native_password', '$.authentication_string', PASSWORD('%%mariadb_root_password')) WHERE User='root';" -e "FLUSH PRIVILEGES;"
+ExecStartPost=-/usr/bin/mysql -e "UPDATE mysql.global_priv SET priv=json_set(priv, '$.plugin', 'mysql_native_password', '$.authentication_string', PASSWORD('{{ general.mariadb.mariadb_root_password }}')) WHERE User='root';" -e "FLUSH PRIVILEGES;"
 ExecStartPost=-/usr/bin/mysql -e "source /etc/mariadb.sql;"
diff --git a/seed/mariadb/templates/mariadb.sql b/seed/mariadb/templates/mariadb.sql
index 7c3f065..674a27c 100644
--- a/seed/mariadb/templates/mariadb.sql
+++ b/seed/mariadb/templates/mariadb.sql
@@ -1,12 +1,14 @@
-%set %%new_accounts = [('_gateway', 'rougail_test', %%get_password(server_name=%%domain_name_eth0, username='rougail_test', description="remote", type="cleartext", hide=%%hide_secret, temporary=True))]
-%for %%server in %%accounts.remotes
- %set %%name = %%normalize_family(%%server)
- %set %%password = %%accounts['remote_' + %%name]['password_' + %%name]
- %%new_accounts.append((%%str(%%server), %%name, %%password))
-%end for
-%for %%server, %%name, %%password in %%new_accounts
-CREATE USER IF NOT EXISTS '%%name'@'%%server' IDENTIFIED BY '%%password';
-CREATE DATABASE IF NOT EXISTS %%name CHARACTER SET utf8;
-GRANT ALL PRIVILEGES ON %%name.* TO '%%name'@'%%server' IDENTIFIED BY '%%password';
-%end for
+{% set new_accounts = [('_gateway', 'rougail_test', 'rougail_test', 'rougail_test'|get_password(server_name=domain_name_eth0, description="remote", type="cleartext", hide=hide_secret, temporary=True))] %}
+{% for server in accounts.remotes %}
+{% set name = server|normalize_family %}
+{% set database = accounts["remote_" + name]["database_" + name] %}
+{% set username = accounts["remote_" + name]["username_" + name] %}
+{% set password = accounts["remote_" + name]["password_" + name] %}
+{{ new_accounts.append((server|string, database, username, password)) }}
+{% endfor %}
+{% for server, database, username, password in new_accounts %}
+CREATE USER IF NOT EXISTS '{{ database}}'@'{{ server }}' IDENTIFIED BY '{{ password }}';
+CREATE DATABASE IF NOT EXISTS {{ database }} CHARACTER SET utf8;
+GRANT ALL PRIVILEGES ON {{ username }}.* TO '{{ database }}'@'{{ server }}' IDENTIFIED BY '{{password }}';
+{% endfor %}
 FLUSH PRIVILEGES;
diff --git a/seed/mariadb/templates/mariadb.yml b/seed/mariadb/templates/mariadb.yml
index 471b4cd..c841b12 100644
--- a/seed/mariadb/templates/mariadb.yml
+++ b/seed/mariadb/templates/mariadb.yml
@@ -1,4 +1,4 @@
-address: %%ip_eth0
+address: {{ general.network.interface_0.ip_eth0 }}
 user: rougail_test
-password: %%get_password(server_name=%%domain_name_eth0, username='rougail_test', description="remote", type="cleartext", hide=%%hide_secret, temporary=True)
+password: {{ 'rougail_test'|get_password(server_name=domain_name_eth0, description="remote", type="cleartext", hide={{ hide_secret }}, temporary=True) }}
 dbname: rougail_test
diff --git a/seed/mariadb/templates/risotto_backup b/seed/mariadb/templates/risotto_backup
index e0d34a1..a76b0f7 100644
--- a/seed/mariadb/templates/risotto_backup
+++ b/seed/mariadb/templates/risotto_backup
@@ -1,6 +1,7 @@
-%echo "#!/bin/bash -e"
+#!/bin/bash -e
 
-mkdir -p %%backup_dir
-mariabackup --backup --target-dir=%%backup_dir --user=root --password=%%mariadb_root_password
+rm -rf {{ general.backup_dir }}
+mkdir -p {{ general.backup_dir }}
+mariabackup --backup --target-dir={{ general.backup_dir }} --user=root --password={{ general.mariadb.mariadb_root_password }}
 
 exit 0
diff --git a/seed/nextcloud/dictionaries/31_nextcloud.xml b/seed/nextcloud/dictionaries/31_nextcloud.xml
index 1e5b666..ed3f6db 100644
--- a/seed/nextcloud/dictionaries/31_nextcloud.xml
+++ b/seed/nextcloud/dictionaries/31_nextcloud.xml
@@ -3,12 +3,12 @@
   <services>
     <service name="nextcloudcron" engine="none"/>
     <service name="nextcloudcron" type="timer" engine="none" target="timers"/>
-    <service name="nextcloud" engine="cheetah" target="multi-user">
-      <file owner="apache" group="apache" mode="440" source="nextcloud-config.php">/etc/nextcloud/config.php</file>
-      <file owner="root" group="root" mode="755">/sbin/nextcloud.init</file>
-      <file>/etc/httpd/conf.d/a-nextcloud-access.conf</file>
-      <file>/etc/httpd/conf.d/z-nextcloud-access.conf</file>
-      <file>/etc/php.d/20-pgsql.ini</file>
+    <service name="nextcloud" engine="ansible" target="multi-user">
+      <file engine="ansible" owner="apache" group="apache" mode="440" source="nextcloud-config.php">/etc/nextcloud/config.php</file>
+      <file engine="ansible" owner="root" group="root" mode="755">/sbin/nextcloud.init</file>
+      <file engine="ansible">/etc/httpd/conf.d/a-nextcloud-access.conf</file>
+      <file engine="none">/etc/httpd/conf.d/z-nextcloud-access.conf</file>
+      <file engine="none">/etc/php.d/20-pgsql.ini</file>
       <file engine="none" source="tmpfile-nextcloud.conf">/tmpfiles.d/0nextcloud.conf</file>
     </service>
   </services>
diff --git a/seed/nextcloud/templates/nextcloud-config.php b/seed/nextcloud/templates/nextcloud-config.php
index 4e92675..24fbe6b 100644
--- a/seed/nextcloud/templates/nextcloud-config.php
+++ b/seed/nextcloud/templates/nextcloud-config.php
@@ -11,7 +11,7 @@ $CONFIG = array (
   'trusted_domains' => 
   array (
     0 => 'localhost',
-    1 => '%%revprox_client_external_domainnames[0]',
+    1 => '{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}',
   ),
   'apps_paths' => 
   array (
@@ -29,24 +29,24 @@ $CONFIG = array (
     ),
   ),
   'dbtype' => 'pgsql',
-  'version' => '{{VERSION}}',
+  'version' => '##VERSION##',
   'overwrite.cli.url' => 'http://localhost',
-  'dbname' => '%%pg_client_database',
-  'dbhost' => '%%pg_client_server_domainname',
+  'dbname' => '{{ general.postgresql.pg_client_database }}',
+  'dbhost' => '{{ general.postgresql.pg_client_server_domainname }}',
   'dbport' => '',
   'dbtableprefix' => 'oc_',
-  'dbuser' => '%%pg_client_username',
-  'dbpassword' => '%%pg_client_password',
+  'dbuser' => '{{ general.postgresql.pg_client_username }}',
+  'dbpassword' => '{{ general.postgresql.pg_client_password }}',
   'dbdriveroptions' => 
   array (
     'sslmode' => 'verify-full',
-    'sslcert' => '%%tls_cert_directory/postgresql.crt',
-    'sslkey' => '%%tls_key_directory/postgresql.key',
-    'sslrootcert' => '%%tls_ca_directory/PostgreSQL.crt',
+    'sslcert' => '{{ general.tls_cert_directory }}/postgresql.crt',
+    'sslkey' => '{{ general.tls_key_directory }}/postgresql.key',
+    'sslrootcert' => '{{ general.tls_ca_directory }}/PostgreSQL.crt',
   ),
-  'passwordsalt' => '{{SALT}}',
-  'secret' => '{{SECRET}}',
-  'instanceid' => '%%nextcloud_instance_id',
+  'passwordsalt' => '##SALT##',
+  'secret' => '##SECRET##',
+  'instanceid' => '{{ general.nextcloud.nextcloud_instance_id }}',
   'config_is_read_only' => true,
   'installed' => false,
   'maintenance' => false,
@@ -54,30 +54,30 @@ $CONFIG = array (
   'appcodechecker' => false,
 #  'memcache.distributed' => '\\OC\\Memcache\\Redis',
 #  'memcache.locking' => '\\OC\\Memcache\\Redis',
-  'trusted_proxies' => '%%revprox_client_server_ip',
-  'overwritehost' => '%%revprox_client_external_domainnames[0]',
+  'trusted_proxies' => '{{ general.revprox.revprox_client_server_ip }}',
+  'overwritehost' => '{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}',
   'filelocking.enabled' => true,
   'redis' => 
   array (
-    'host' => '%%redis_client_server_domainname',
+    'host' => '{{ general.redis.redis_client_server_domainname }}',
     'port' => 6380,
-    'user' => '%%redis_client_username',
-    'password' => '%%redis_client_password',
-    'dbindex' => 0,
+    'user' => '{{ general.redis.redis_client_username }}',
+    'password' => '{{ general.redis.redis_client_password }}',
+    'dbindex' => {{ general.redis.redis_client_index }},
     'ssl_context' => 
     array (
-      'local_cert' => '%%tls_cert_directory/redis.crt',
-      'local_pk' => '%%tls_key_directory/redis.key',
-      'cafile' => '%%tls_ca_directory/Redis.crt',
+      'local_cert' => '{{ general.tls_cert_directory }}/redis.crt',
+      'local_pk' => '{{ general.tls_key_directory }}/redis.key',
+      'cafile' => '{{ general.tls_ca_directory }}/Redis.crt',
     ),
   ),
   'default_phone_region' => 'FR',
 # OIDC login
   'allow_user_to_change_display_name' => false,
   'lost_password_link' => 'disabled',
-  'oidc_login_provider_url' => 'https://%%oauth2_client_server_domainname',
-  'oidc_login_client_id' => '%%oauth2_client_id',
-  'oidc_login_client_secret' => '%%oauth2_client_secret',
+  'oidc_login_provider_url' => 'https://{{ general.oauth2_client.oauth2_client_server_domainname }}',
+  'oidc_login_client_id' => '{{ general.oauth2_client.oauth2_client_id }}',
+  'oidc_login_client_secret' => '{{ general.oauth2_client.oauth2_client_secret }}',
   'oidc_login_auto_redirect' => true,
 # FIXME 'oidc_login_logout_url' => 'https://openid.example.com/thankyou',
 # FIXME to true
@@ -118,14 +118,15 @@ $CONFIG = array (
   'mail_smtpmode' => 'smtp',
   'mail_smtpsecure' => 'tls',
   'mail_sendmailmode' => 'smtp',
-%set %%mailfrom, %%maildomain = %%nextcloud_mail_admin.split("@")
-  'mail_from_address' => '%%mailfrom',
-  'mail_domain' => '%%maildomain',
+{% set mailfrom, maildomain = general.nextcloud.nextcloud_mail_admin.split("@") %}
+  'mail_from_address' => '{{ mailfrom }}',
+  'mail_domain' => '{{ maildomain }}',
   'mail_smtpauthtype' => 'PLAIN',
   'mail_smtpauth' => 1,
-  'mail_smtphost' => '%%smtp_relay_address',
+  'mail_smtphost' => '{{ general.smtp.smtp_relay_address }}',
   'mail_smtpport' => '25',
-  'mail_smtpname' => '%%smtp_relay_user@%%ip_eth0',
-  'mail_smtppassword' => '%%smtp_relay_password',
+  'mail_smtpname' => '{{ general.smtp.smtp_relay_user }}@{{ general.smtp.smtp_client_ip }}',
+  'mail_smtppassword' => '{{ general.smtp.smtp_relay_password }}',
   'loglevel' => 2,
+  'trashbin_retention_obligation' => 'auto, 14',
 );
diff --git a/seed/nextcloud/templates/nextcloud.init b/seed/nextcloud/templates/nextcloud.init
index 5df91ef..65ab220 100644
--- a/seed/nextcloud/templates/nextcloud.init
+++ b/seed/nextcloud/templates/nextcloud.init
@@ -1,8 +1,8 @@
-%echo "#!/bin/bash -ex"
+#!/bin/bash -ex
 
 if [ ! -f /srv/nextcloud/keys/secret.txt ]; then
     sed -i "s/'config_is_read_only' => true,/'config_is_read_only' => false,/g" /etc/nextcloud/config.php
-    /usr/bin/php /usr/share/nextcloud/occ maintenance:install --no-interaction --data-dir /srv/nextcloud/data/ --database "pgsql" --database-host "%%pg_client_server_domainname" --database-name "%%pg_client_database"  --database-user "%%pg_client_username" --database-pass "%%pg_client_password" --admin-user "admin" --admin-pass "%%nextcloud_admin_password"
+    /usr/bin/php /usr/share/nextcloud/occ maintenance:install --no-interaction --data-dir /srv/nextcloud/data/ --database "pgsql" --database-host "{{ general.postgresql.pg_client_server_domainname }}" --database-name "{{ general.postgresql.pg_client_database }}"  --database-user "{{ general.postgresql.pg_client_username }}" --database-pass "{{ general.postgresql.pg_client_password }}" --admin-user "admin" --admin-pass "{{ general.nextcloud.nextcloud_admin_password }}"
     sed -i "s/'config_is_read_only' => false,/'config_is_read_only' => true,/g" /etc/nextcloud/config.php
     umask 027
     /usr/bin/php /usr/share/nextcloud/occ --no-warnings config:system:get passwordsalt > /srv/nextcloud/keys/passwordsalt.txt
@@ -14,9 +14,9 @@ if [ ! -f /srv/nextcloud/keys/secret.txt ]; then
     /usr/bin/php /usr/share/nextcloud/occ app:enable user_ldap -q
     /usr/bin/php /usr/share/nextcloud/occ ldap:create-empty-config -q
 else
-    sed -i "s'{{SECRET}}'$(cat /srv/nextcloud/keys/secret.txt)'g" /etc/nextcloud/config.php
-    sed -i "s'{{SALT}}'$(cat /srv/nextcloud/keys/passwordsalt.txt)'g" /etc/nextcloud/config.php
-    sed -i "s'{{VERSION}}'$(cat /srv/nextcloud/keys/version.txt)'g" /etc/nextcloud/config.php
+    sed -i "s'##SECRET##'$(cat /srv/nextcloud/keys/secret.txt)'g" /etc/nextcloud/config.php
+    sed -i "s'##SALT##'$(cat /srv/nextcloud/keys/passwordsalt.txt)'g" /etc/nextcloud/config.php
+    sed -i "s'##VERSION##'$(cat /srv/nextcloud/keys/version.txt)'g" /etc/nextcloud/config.php
     sed -i "s/'installed' => false,/'installed' => true,/g" /etc/nextcloud/config.php
     # Upgrade
     cp -f /etc/nextcloud/config.php /srv/nextcloud/keys/config.ORI.php
@@ -41,13 +41,13 @@ fi
 /usr/bin/php /usr/share/nextcloud/occ app:enable tasks
 # LDAP
 /usr/bin/php /usr/share/nextcloud/occ config:app:set user_ldap bgjRefreshInterval --value=300 -q
-/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapHost "ldaps://%%ldap_server_address"
-/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapPort "%%ldap_port"
-/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentName "%%ldapclient_user"
-/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentPassword "%%ldapclient_user_password"
-/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBase "%%ldapclient_search_dn"
-/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseUsers "%%ldapclient_user_dn"
-/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseGroups "%%ldapclient_group_dn"
+/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapHost "ldaps://{{ general.ldap.server.ldap_server_address }}"
+/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapPort "{{ general.ldap.server.ldap_port }}"
+/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentName "{{ general.ldap.client.ldapclient_user }}"
+/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentPassword "{{ general.ldap.client.ldapclient_user_password }}"
+/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBase "{{ general.ldap.client.ldapclient_search_dn }}"
+/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseUsers "{{ general.ldap.client.ldapclient_user_dn }}"
+/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseGroups "{{ general.ldap.client.ldapclient_group_dn }}"
 /usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapExperiencedAdmin "0"
 /usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapExpertUUIDUserAttr "cn"
 /usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapLoginFilter "(&(cn=%uid)(ObjectClass=inetOrgPerson))"
diff --git a/seed/nginx-common/dictionaries/21_nginx.xml b/seed/nginx-common/dictionaries/21_nginx.xml
index 077cab3..2d98e5f 100644
--- a/seed/nginx-common/dictionaries/21_nginx.xml
+++ b/seed/nginx-common/dictionaries/21_nginx.xml
@@ -2,13 +2,13 @@
 <rougail version="0.10">
   <services>
     <service name='nginx' target='multi-user'>
-      <file source="nginx_source_conf" source_type="variable">/etc/nginx/nginx.conf</file>
-      <file filelist="nginx_debian">/etc/nginx/sites-available/default</file>
-      <file filelist="nginx_default" source="default-nginx.conf">/etc/nginx/default.d/default.conf</file>
-      <file source="nginx-options.conf">/etc/nginx/conf.d/options.conf</file>
+      <file engine="ansible" source="nginx_source_conf" source_type="variable">/etc/nginx/nginx.conf</file>
+      <file engine="ansible" filelist="nginx_debian">/etc/nginx/sites-available/default</file>
+      <file engine="ansible" filelist="nginx_default" source="default-nginx.conf">/etc/nginx/default.d/default.conf</file>
+      <file engine="ansible" source="nginx-options.conf">/etc/nginx/conf.d/options.conf</file>
       <file engine="none" source="sysusers.nginx.conf" filelist="nginx_fedora">/sysusers.d/nginx.conf</file>
-      <file source="tmpfiles.nginx.conf">/tmpfiles.d/nginx.conf</file>
-      <file filelist="copy_tests">/tests/nginx-common.yml</file>
+      <file engine="ansible" source="tmpfiles.nginx.conf">/tmpfiles.d/nginx.conf</file>
+      <file engine="ansible" filelist="copy_tests">/tests/nginx-common.yml</file>
     </service>
   </services>
   <variables>
diff --git a/seed/nginx-common/templates/default b/seed/nginx-common/templates/default
index 494ba87..4382626 100644
--- a/seed/nginx-common/templates/default
+++ b/seed/nginx-common/templates/default
@@ -18,7 +18,7 @@
 
 # Default server configuration
 #
-%if %%nginx_default_http
+{% if general.nginx.nginx_default_http %}
 server {
 	listen 80 default_server;
 	listen [::]:80 default_server;
@@ -41,7 +41,7 @@ server {
 
 #>GNUNUX
 	#root /var/www/html;
-    root         %%nginx_root;
+    root         {{ general.nginx.nginx_root }};
 #<GNUNUX
 
 	# Add index.php to the list if you are using PHP
@@ -73,7 +73,7 @@ server {
 	#	deny all;
 	#}
 }
-%end if
+{% endif %}
 
 
 # Virtual Host configuration for example.com
@@ -95,24 +95,24 @@ server {
 #	}
 #}
 
-%if %%nginx_default_https
+{% if general.nginx.nginx_default_https %}
 # Settings for a TLS enabled server.
 server {
     listen       443 ssl http2;
- %if %%getVar('revprox_client_external_domainnames', None)
-  %for %%domain in %%revprox_client_external_domainnames
-    server_name %%domain;
-  %end for
- %else
+{% if 'revprox_client_external_domainnames' in general.revprox.revprox_client %}
+{% for domain in general.revprox.revprox_client.revprox_client_external_domainnames %}
+    server_name {{ domain }};
+{% endfor %}
+{% else %}
     server_name  _;
- %end if
-    root         %%nginx_root;
+{% endif %}
+    root         {{ general.nginx.nginx_root }};
 
     # ssl_certificate "/etc/pki/nginx/server.crt";
     # ssl_certificate_key "/etc/pki/nginx/private/server.key";
-    ssl_certificate              %%tls_cert_directory/revprox.crt;
-    ssl_certificate_key          %%tls_key_directory/revprox.key;
-    ssl_client_certificate       %%tls_ca_directory/InternalReverseProxy.crt;
+    ssl_certificate              {{ tls_cert_directory }}/revprox.crt;
+    ssl_certificate_key          {{ tls_key_directory }}/revprox.key;
+    ssl_client_certificate       {{ tls_ca_directory }}/InternalReverseProxy.crt;
 
     ssl_session_cache shared:SSL:1m;
     ssl_session_timeout  10m;
@@ -120,4 +120,4 @@ server {
     # Load configuration files for the default server block.
 #    include /etc/nginx/default.d/*.conf;
 }
-%end if
+{% endif %}
diff --git a/seed/nginx-common/templates/default-nginx.conf b/seed/nginx-common/templates/default-nginx.conf
index 66089b7..7ffd32a 100644
--- a/seed/nginx-common/templates/default-nginx.conf
+++ b/seed/nginx-common/templates/default-nginx.conf
@@ -1,3 +1,3 @@
 #RISOTTO: do not compare
-        rewrite ^(.*) http://%%nginx_default$1;
+        rewrite ^(.*) http://{{ nginx_default }}$1;
         break;
diff --git a/seed/nginx-common/templates/nginx-common.yml b/seed/nginx-common/templates/nginx-common.yml
index 4680042..0c34e07 100644
--- a/seed/nginx-common/templates/nginx-common.yml
+++ b/seed/nginx-common/templates/nginx-common.yml
@@ -1,13 +1,13 @@
-address: %%ip_eth0
-nginx_default_http: %slurp
-%if %%getVar('nginx_default_http', False) and not %%getVar('revprox_client_external_domainnames', None)
+address: {{ ip_eth0 }}
+nginx_default_http: 
+{%- if 'nginx_default_http' in general.nginx and general.nginx.nginx_default_http and not 'revprox_client_external_domainnames' in general.revprox.revprox_client -%}
 true
-%else
+{% else %}
 false
-%end if
-nginx_default_https: %slurp
-%if %%getVar('nginx_default_https', False) and not %%getVar('revprox_client_external_domainnames', None)
+{% endif %}
+nginx_default_https: 
+{%- if 'nginx_default_https' in general.nginx and general.nginx.nginx_default_https and not 'revprox_client_external_domainnames' in general.revprox.revprox_client -%}
 true
-%else
+{% else %}
 false
-%end if
+{% endif %}
diff --git a/seed/nginx-common/templates/nginx-options.conf b/seed/nginx-common/templates/nginx-options.conf
index 3c7b781..5b1c1bc 100644
--- a/seed/nginx-common/templates/nginx-options.conf
+++ b/seed/nginx-common/templates/nginx-options.conf
@@ -1,13 +1,8 @@
 #RISOTTO: do not compare
-client_max_body_size %%{nginx_post_max_size}M;
+client_max_body_size {{ nginx_post_max_size }}M;
 client_body_buffer_size 128k;
 
-# Always trust ourself
-%for %%interface in %%range(%%len(%%zones_list))
-set_real_ip_from %%getVar('ip_eth{0}'.format(%%interface));
-%end for
-
-server_names_hash_bucket_size %%{nginx_hash_bucket_size};
+server_names_hash_bucket_size {{ nginx_hash_bucket_size }};
 proxy_buffer_size   16k;
 proxy_buffers   6 32k;
 proxy_busy_buffers_size   32k;
@@ -18,12 +13,14 @@ proxy_temp_path /var/tmp/proxy;
 fastcgi_temp_path /var/tmp/fastcgi;
 uwsgi_temp_path /var/tmp/uwsgi;
 scgi_temp_path /var/tmp/scgi;
-#FIXME
-%if %%getVar('activer_web_behind_revproxy', 'non') == 'oui'
+
+
+# Always trust ourself
+{% for interface in range(zones_list|length) %}
+set_real_ip_from {{ general.network['interface_' + interface|string]['ip_eth' + interface|string] }};
+{% endfor %}
+{% if 'revprox' in general %}
 # Define globally trusted reverse proxy
-set_real_ip_from %%web_behind_revproxy_ip;
-# The original client address that matches one of the trusted
-# addresses is replaced by the last non-trusted address sent in the
-# request header field
+set_real_ip_from {{ general.revprox.revprox_client_server_ip }};
+{% endif %}
 real_ip_recursive on;
-%end if
diff --git a/seed/nginx-common/templates/nginx.conf.Fedora b/seed/nginx-common/templates/nginx.conf.Fedora
index 3c06f53..c95c33d 100644
--- a/seed/nginx-common/templates/nginx.conf.Fedora
+++ b/seed/nginx-common/templates/nginx.conf.Fedora
@@ -43,12 +43,12 @@ http {
     # for more information.
     include /etc/nginx/conf.d/*.conf;
 
-%if %%nginx_default_http
+{% if general.nginx.nginx_default_http %}
     server {
         listen       80;
         listen       [::]:80;
         server_name  _;
-        root         %%nginx_root;
+        root         {{ general.nginx.nginx_root }};
 
         # Load configuration files for the default server block.
         include /etc/nginx/default.d/*.conf;
@@ -61,29 +61,29 @@ http {
         location = /50x.html {
         }
     }
-%end if
+{% endif %}
 
 # Settings for a TLS enabled server.
 #
-%if %%nginx_default_https
+{% if general.nginx.nginx_default_https %}
     server {
         listen       443 ssl http2;
 	#listen       [::]:443 ssl http2;
- %if %%getVar('revprox_client_external_domainnames', None)
-  %for %%domain in %%revprox_client_external_domainnames
-        server_name %%domain;
-  %end for
- %else
+{% if 'revprox_client_external_domainnames' in general.revprox.revprox_client %}
+{% for domain in general.revprox.revprox_client.revprox_client_external_domainnames %}
+        server_name {{ domain }};
+{% endfor %}
+{% else %}
         server_name  _;
- %end if
-        root         %%nginx_root;
+{% endif %}
+        root         {{ general.nginx.nginx_root }};
 
 #>GNUNUX
         #ssl_certificate "/etc/pki/nginx/server.crt";
         #ssl_certificate_key "/etc/pki/nginx/private/server.key";
-        ssl_certificate              %%tls_cert_directory/revprox.crt;
-        ssl_certificate_key          %%tls_key_directory/revprox.key;
-        ssl_client_certificate       %%tls_ca_directory/InternalReverseProxy.crt;
+        ssl_certificate              {{ tls_cert_directory }}/revprox.crt;
+        ssl_certificate_key          {{ tls_key_directory }}/revprox.key;
+        ssl_client_certificate       {{ tls_ca_directory }}/InternalReverseProxy.crt;
  #<GNUNUX
 
         ssl_session_cache shared:SSL:1m;
@@ -103,6 +103,6 @@ http {
         }
     }
 
-%end if
+{% endif %}
 }
 
diff --git a/seed/nginx-common/templates/tmpfiles.nginx.conf b/seed/nginx-common/templates/tmpfiles.nginx.conf
index b8b1e47..909e833 100644
--- a/seed/nginx-common/templates/tmpfiles.nginx.conf
+++ b/seed/nginx-common/templates/tmpfiles.nginx.conf
@@ -1,2 +1,2 @@
 # this directory is not used, but must be created
-d /var/log/nginx/ 0750 %%nginx_owner %%nginx_group -
+d /var/log/nginx/ 0750 {{ nginx_owner }} {{ nginx_group }} -
diff --git a/seed/nginx-https/templates/nginx.key b/seed/nginx-https/templates/nginx.key
deleted file mode 100644
index 56d50e1..0000000
--- a/seed/nginx-https/templates/nginx.key
+++ /dev/null
@@ -1 +0,0 @@
-%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type='server', hide=%%hide_secret)
diff --git a/seed/nginx-reverse-proxy/dictionaries/25_nginx.xml b/seed/nginx-reverse-proxy/dictionaries/25_nginx.xml
index e8f3317..ad2bbd8 100644
--- a/seed/nginx-reverse-proxy/dictionaries/25_nginx.xml
+++ b/seed/nginx-reverse-proxy/dictionaries/25_nginx.xml
@@ -2,14 +2,14 @@
 <rougail version="0.10">
   <services>
     <service name='nginx'>
-      <override engine="cheetah"/>
+      <override engine="ansible"/>
       <!--certificate authority="External" owner="nginx" type="server">nginx</certificate-->
       <certificate authority="External" owner="nginx" type="server" domain="nginx.revprox_domainnames" provider="nginx_certificates_provider" certificate_type="variable">nginx.revprox_domainnames</certificate>
-      <certificate authority="InternalReverseProxy">revprox</certificate>
-      <file source="nginx-options-rp.conf">/etc/nginx/conf.d/options-rp.conf</file>
-      <file source="revprox-nginx.conf">/etc/nginx/conf.d/risotto.conf</file>
-      <file filelist="copy_tests">/tests/reverse-proxy.yml</file>
-      <file>/var/www/html/error.html</file>
+      <certificate server="last_server_name" authority="InternalReverseProxy">revprox</certificate>
+      <file engine="none" source="nginx-options-rp.conf">/etc/nginx/conf.d/options-rp.conf</file>
+      <file engine="ansible" source="revprox-nginx.conf">/etc/nginx/conf.d/risotto.conf</file>
+      <file engine="ansible" filelist="copy_tests">/tests/reverse-proxy.yml</file>
+      <file engine="none">/var/www/html/error.html</file>
     </service>
   </services>
   <variables>
diff --git a/seed/nginx-reverse-proxy/patches/revprox-nginx.conf.patch b/seed/nginx-reverse-proxy/patches/revprox-nginx.conf.patch
new file mode 100644
index 0000000..0606ce8
--- /dev/null
+++ b/seed/nginx-reverse-proxy/patches/revprox-nginx.conf.patch
@@ -0,0 +1,14 @@
+--- templates/revprox-nginx.conf	2023-02-03 16:10:11.582687659 +0100
++++ modif/revprox-nginx.conf	2023-02-03 16:40:02.232096923 +0100
+@@ -55,6 +55,11 @@
+ {% endfor %}
+ {% endfor %}
+ {% endfor %}
++ {% if domainname == 'cloud.silique.fr' %}
++   location /gitea {
++       rewrite ^/gitea(.*)$ https://forge.cloud.silique.fr$1 last;
++   }
++ {% endif %}
+ {% endmacro %}
+ # Add default HTTP entries if useful
+ # Not for HTTPs because there is no certificate
diff --git a/seed/nginx-reverse-proxy/templates/ca_External.crt b/seed/nginx-reverse-proxy/templates/ca_External.crt
deleted file mode 100644
index a5b08ba..0000000
--- a/seed/nginx-reverse-proxy/templates/ca_External.crt
+++ /dev/null
@@ -1 +0,0 @@
-%%get_chain(cn=%%domain_name_eth0, authority_cn=%%domain_name_eth0, authority_name="External", hide=%%hide_secret)
diff --git a/seed/nginx-reverse-proxy/templates/nginx.key b/seed/nginx-reverse-proxy/templates/nginx.key
deleted file mode 100644
index 4d393c6..0000000
--- a/seed/nginx-reverse-proxy/templates/nginx.key
+++ /dev/null
@@ -1 +0,0 @@
-%%get_private_key(%%nginx_default, authority_cn=%%domain_name_eth0, authority_name='HTTP', type='server', hide=%%hide_secret)
diff --git a/seed/nginx-reverse-proxy/templates/nginx.service b/seed/nginx-reverse-proxy/templates/nginx.service
index 7a32799..f9beabd 100644
--- a/seed/nginx-reverse-proxy/templates/nginx.service
+++ b/seed/nginx-reverse-proxy/templates/nginx.service
@@ -1,19 +1,19 @@
-%set %%domains = set()
-%for %%domainname in %%nginx.remotes
- %set %%family = %%normalize_family(%%domainname)
- %set %%revprox = %%nginx['reverse_proxy_for_' + family]['reverse_proxy_' + family]
- %for %%domain in %%revprox['revprox_domainnames_' + family]
-  %set %%domain = %%domain['revprox_url_' + family].split('/', 3)[2].split(':')[0]
-%%domains.add(%%domain)%slurp
- %end for
-%end for
-%set %%domains = %%list(%%domains)
-%%domains.sort()
-%if %%domains
- %set %%domains_str = " ".join(%%domains)
+{% set domains = [] %}
+{% for domainname in nginx.remotes %}
+{% set family = domainname|normalize_family %}
+{% set revprox = nginx['reverse_proxy_for_' + family]['reverse_proxy_' + family] %}
+{% for domain in revprox['revprox_domainnames_' + family] %}
+{% set domain = domain['revprox_url_' + family].split('/', 3)[2].split(':')[0] %}
+{% if domain not in domains %}
+{{ domains.append(domain) }}
+{% endif %}
+{% endfor %}
+{% endfor %}
+{% if domains %}
+{% set domains_str = " ".join(domains) %}
 [Service]
 ExecStartPre=
-ExecStartPre=/usr/bin/timeout 90 sh -c 'while ! /usr/bin/resolvectl query %%domains_str; do sleep 1; done'
+ExecStartPre=/usr/bin/timeout 90 sh -c 'while ! /usr/bin/resolvectl query {{ domains_str }}; do sleep 1; done'
 ExecStartPre=/usr/bin/rm -f /run/nginx.pid
 ExecStartPre=/usr/sbin/nginx -t
-%end if
+{% endif %}
diff --git a/seed/nginx-reverse-proxy/templates/reverse-proxy.yml b/seed/nginx-reverse-proxy/templates/reverse-proxy.yml
index c0b8d65..6ba4f6b 100644
--- a/seed/nginx-reverse-proxy/templates/reverse-proxy.yml
+++ b/seed/nginx-reverse-proxy/templates/reverse-proxy.yml
@@ -1,13 +1,13 @@
-address: %%ip_eth0
+address: {{ ip_eth0 }}
 urls:
-%for %%domain in %%nginx.remotes
-  %set %%suffix = %%normalize_family(%%domain)
-  %for %%revprox in %%nginx['reverse_proxy_for_' + %%suffix]['reverse_proxy_' + %%suffix]['revprox_domainnames_' + %%suffix]
-    %for %%loc_idx, %%location in %%enumerate(%%revprox['revprox_location_' + %%suffix])
-      %if not %%revprox['revprox_is_websocket_' + %%suffix][%%loc_idx]
-- %%revprox%%location
-      %end if
-    %end for
-  %end for
-%end for
+{% for domain in nginx.remotes }}
+{% set suffix = domain|normalize_family %}
+{% for revprox in nginx['reverse_proxy_for_' + suffix]['reverse_proxy_' + suffix]['revprox_domainnames_' + suffix] %}
+{% for location in revprox['revprox_location_' + suffix] %}
+{% if not revprox['revprox_is_websocket_' + suffix][loop.index - 1] %}
+- {{ revprox }}{{ location }}
+{% endif %}
+{% endfor %}
+{% endfor %}
+{% endfor %}
 ca_certificate: ../etc/pki/ca-trust/source/anchors/ca_External.crt
diff --git a/seed/nginx-reverse-proxy/templates/revprox-nginx.conf b/seed/nginx-reverse-proxy/templates/revprox-nginx.conf
index f431465..6a434d3 100644
--- a/seed/nginx-reverse-proxy/templates/revprox-nginx.conf
+++ b/seed/nginx-reverse-proxy/templates/revprox-nginx.conf
@@ -1,12 +1,12 @@
 #RISOTTO: do not compare
-%def %%add_location(%%rp_domainname, %%family, %%loc_idx, %%location, %%http)
-    location %%location {
-        proxy_pass              %%rp_domainname['revprox_url_' + %%family];
-  %if %%rp_domainname['revprox_is_websocket_' + %%family][%%loc_idx]
+{% macro add_location(rp_domainname, family, loc_idx, location, http) %}
+    location {{ location }} {
+        proxy_pass              {{ rp_domainname['revprox_url_' + family] }};
+{% if loc_idx in rp_domainname['revprox_is_websocket_' + family] and rp_domainname['revprox_is_websocket_' + family][loc_idx] %}
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
-  %else
+{% else %}
         proxy_set_header        Host                    $http_host;
         proxy_set_header        X-Real-IP               $remote_addr;
         proxy_set_header        X-Forwarded-Host        $host;
@@ -15,93 +15,89 @@
         proxy_set_header        X-Forwarded-For         $proxy_add_x_forwarded_for;
         proxy_set_header        X-Forwarded-Proto       $scheme;
         proxy_set_header        Destination             $dest;
-  %end if
-  %if not %%http
-        proxy_ssl_trusted_certificate %%tls_ca_directory/InternalReverseProxy.crt;
+{% endif %}
+{%if not http %}
+        proxy_ssl_trusted_certificate {{ tls_ca_directory }}/InternalReverseProxy.crt;
         proxy_ssl_verify       on;
         proxy_ssl_verify_depth 2;
         proxy_ssl_session_reuse on;
         # SNI support
         proxy_ssl_server_name on;
-  %end if
-  %set %%maxbody = %%rp_domainname['revprox_max_body_size_' + %%family]
-  %if %%maxbody
-        client_max_body_size %%maxbody;
-  %end if
+{% endif %}
+{% set maxbody = rp_domainname['revprox_max_body_size_' + family] %}
+{% if maxbody %}
+        client_max_body_size {{ maxbody }};
+{% endif %}
         set                     $dest  $http_destination;
         index  error.html;
         root /var/www/html;
     }
 # If user missing '/'
-  %if %%location != '/' and %%location.endswith('/')
-    location %%location[:-1] {
-        rewrite ^(%%location[:-1])$ $1/ permanent;
+{% if location != '/' and location.endswith('/') %}
+    location {{ location[:-1] }} {
+        rewrite ^({{ location[:-1] }})$ $1/ permanent;
     }
-  %end if
-%end def
-%def %%add_locations(%%domainname, %%http)
-  %for %%remote in %%nginx.remotes
-    %set %%family = %%normalize_family(%%remote)
-    %set %%revprox = %%nginx['reverse_proxy_for_' + %%family]['reverse_proxy_' + %%family]
-    %for %%rp_domainname in %%revprox['revprox_domainnames_' + %%family]
-      %if %%rp_domainname['revprox_http_' + %%family] != %%http
-        %continue
-      %end if
-      %if %%str(%%rp_domainname) != 'None' and %%domainname != %%str(%%rp_domainname)
-        %continue
-      %end if
-      %for %%loc_idx, %%location in %%enumerate(%%rp_domainname['revprox_location_' + %%family])
-%%add_location(%%rp_domainname, %%family, %%loc_idx, %%location, %%http)
-      %end for
-    %end for
-  %end for
-%end def
+{% endif %}
+{% endmacro %}
+{% macro add_locations(domainname, http) %}
+{% for remote in nginx.remotes %}
+{% set family = remote|normalize_family %}
+{% set revprox = nginx['reverse_proxy_for_' + family]['reverse_proxy_' + family] %}
+{% for rp_domainname in revprox['revprox_domainnames_' + family] %}
+{% if rp_domainname['revprox_http_' + family] == http and (rp_domainname|string == 'None' or domainname == rp_domainname|string) %}
+{% for location in rp_domainname['revprox_location_' + family] %}
+{{ add_location(rp_domainname, family, loop.index - 1, location, http) }}
+{% endfor %}
+{% endif %}
+{% endfor %}
+{% endfor %}
+{% endmacro %}
 # Add default HTTP entries if useful
 # Not for HTTPs because there is no certificate
-%set %%default_http_location = []
-%for %%remote in %%nginx.remotes
-  %set %%family = %%normalize_family(%%remote)
-  %for %%rp_domainname in %%nginx['reverse_proxy_for_' + %%family]['reverse_proxy_' + %%family]['revprox_domainnames_' + %%family]
-    %if %%str(%%rp_domainname) == 'None' and %%rp_domainname['revprox_http_' + %%family]
-%%default_http_location.append((%%family, %%rp_domainname))
-    %end if
-  %end for
-%end for
-%if %%default_http_location
+{% set default_http_location = [] %}
+{% for remote in nginx.remotes %}
+{% set family = remote|normalize_family %}
+{% for rp_domainname in nginx['reverse_proxy_for_' + family]['reverse_proxy_' + family]['revprox_domainnames_' + family] %}
+{% if rp_domainname|string == 'None' and rp_domainname['revprox_http_' + family] %}
+{{ default_http_location.append((family, rp_domainname)) }}
+{% endif %}
+{% endfor %}
+{% endfor %}
+{% if default_http_location %}
 server {
     listen 80;
     server_name _ default;
-  %for %%family, %%rp_domainname in %%default_http_location
-    %for %%loc_idx, %%location in %%enumerate(%%rp_domainname['revprox_location_' + %%family])
-%%add_location(%%rp_domainname, %%family, %%loc_idx, %%location, True)
-    %end for
-  %end for
+{% for family, rp_domainname in default_http_location %}
+{% for location in rp_domainname['revprox_location_' + family] %}
+{{ add_location(rp_domainname, family, loop.index - 1, location, True) }}
+{% endfor %}
+{% endfor %}
     break;
 }
-%end if
-%for %%domainname in %%nginx.revprox_domainnames
-# Configuration HTTP %%domainname
+{% endif %}
+{% for domainname in nginx.revprox_domainnames %}
+# Configuration HTTP {{ domainname }}
 server {
     listen 80;
-    server_name %%domainname;
-%%add_locations(%%domainname, True)%slurp
+    server_name {{ domainname }};
+{{ add_locations(domainname, True) }}
     location / {
-        return 301 https://%%domainname$request_uri;
+        return 301 https://{{ domainname }}$request_uri;
     }
 }
 
-# Configuration HTTPS %%domainname
+# Configuration HTTPS {{ domainname }}
 server {
     listen 443 ssl http2;
-    ssl_certificate    %%tls_cert_directory/%%{domainname}.crt;
-    ssl_certificate_key     %%tls_key_directory/%%{domainname}.key;
-    server_name %%domainname;
+    ssl_certificate    {{ tls_cert_directory }}/{{ domainname }}.crt;
+    ssl_certificate_key     {{ tls_key_directory }}/{{ domainname }}.key;
+    server_name {{ domainname }};
     error_page   403 404 502 503 504  /error.html;
     location = /error.html {
         root /var/www/html;
     }
 
-%%add_locations(%%domainname, False)%slurp
+{{ add_locations(domainname, False) }}
 }
 
-%end for
+{% endfor %}
diff --git a/seed/nginx-static/dictionaries/22_nginx_static.xml b/seed/nginx-static/dictionaries/22_nginx_static.xml
index b663673..1efe1b6 100644
--- a/seed/nginx-static/dictionaries/22_nginx_static.xml
+++ b/seed/nginx-static/dictionaries/22_nginx_static.xml
@@ -2,8 +2,8 @@
 <rougail version="0.10">
   <services>
     <service name='nginx' target='multi-user'>
-      <file source="tmpfiles.nginx_static.conf">/tmpfiles.d/0static.conf</file>
-      <file source="index.html" file_type="variable">nginx_index_file</file>
+      <file engine="ansible" source="tmpfiles.nginx_static.conf">/tmpfiles.d/0static.conf</file>
+      <file engine="none" source="index.html" file_type="variable">nginx_index_file</file>
     </service>
   </services>
   <variables>
diff --git a/seed/nginx-static/templates/tmpfiles.nginx_static.conf b/seed/nginx-static/templates/tmpfiles.nginx_static.conf
index 16f668b..a068ebd 100644
--- a/seed/nginx-static/templates/tmpfiles.nginx_static.conf
+++ b/seed/nginx-static/templates/tmpfiles.nginx_static.conf
@@ -1 +1 @@
-d %%nginx_root 0750 root %%nginx_owner -
+d {{ general.nginx.nginx_root }} 0750 root {{ general.nginx.nginx_owner }} -
diff --git a/seed/nsd-local/applicationservice.yml b/seed/nsd-local/applicationservice.yml
new file mode 100644
index 0000000..985cc62
--- /dev/null
+++ b/seed/nsd-local/applicationservice.yml
@@ -0,0 +1,6 @@
+format: '0.1'
+description: NSD, an authoritative DNS name server for local resolution
+website: https://www.nlnetlabs.nl/projects/nsd/about/
+service: true
+depends:
+  - nsd
diff --git a/seed/nsd-local/dictionaries/21_nsd-local.xml b/seed/nsd-local/dictionaries/21_nsd-local.xml
new file mode 100644
index 0000000..74e6a03
--- /dev/null
+++ b/seed/nsd-local/dictionaries/21_nsd-local.xml
@@ -0,0 +1,33 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <variables>
+    <family name="dns_server" description="Serveur DNS">
+      <variable name="nsd_allowed_client" type="domainname" description="Clients" multi="True" hidden="True" provider="LocalDNS"/>
+      <variable name="nsd_allowed_client_ip" type="ip" description="Clients" multi="True" hidden="True"/>
+      <variable name="nsd_resolver" redefine="True" supplier="ExternalDNS"/>
+      <variable name="nsd_resolve_ip" type="ip" hidden="True"/>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="get_ip">
+      <param type="information">zones</param>
+      <param type="variable">nsd_allowed_client</param>
+      <target>nsd_allowed_client_ip</target>
+    </fill>
+    <fill name="get_ip">
+      <param type="information">zones</param>
+      <param type="variable">nsd_resolver</param>
+      <target>nsd_resolve_ip</target>
+    </fill>
+    <fill name="get_internal_zones">
+      <param type="information">zones</param>
+      <target>nsd_zones</target>
+    </fill>
+    <fill name="get_zones_info">
+      <param type="information">zones</param>
+      <param>network</param>
+      <param name="uniq" type="boolean">True</param>
+      <target>nsd_reverse_network</target>
+    </fill>
+  </constraints>
+</rougail>
diff --git a/seed/nsd-local/extras/nsd/01_nsd-local.xml b/seed/nsd-local/extras/nsd/01_nsd-local.xml
new file mode 100644
index 0000000..c38a13c
--- /dev/null
+++ b/seed/nsd-local/extras/nsd/01_nsd-local.xml
@@ -0,0 +1,25 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <variables>
+    <family name="nsd_zone_" hidden="True"/>
+  </variables>
+  <constraints>
+    <fill name="calc_value">
+      <param type="variable">domain_name_eth</param>
+      <target>nsd.nsd_zone_.ns_</target>
+    </fill>
+    <fill name="get_internal_info_in_zone">
+      <param type="information">zones</param>
+      <param type="suffix"/>
+      <param>host</param>
+      <target>nsd.nsd_zone_.hostname_.hostname_</target>
+    </fill>
+    <fill name="get_internal_info_in_zone">
+      <param type="information">zones</param>
+      <param type="suffix"/>
+      <param>ip</param>
+      <param type="index"/>
+      <target>nsd.nsd_zone_.hostname_.ip_</target>
+    </fill>
+  </constraints>
+</rougail>
diff --git a/seed/nsd/dictionaries/20_nsd.xml b/seed/nsd/dictionaries/20_nsd.xml
index 8fc663d..74736b1 100644
--- a/seed/nsd/dictionaries/20_nsd.xml
+++ b/seed/nsd/dictionaries/20_nsd.xml
@@ -2,16 +2,16 @@
 <rougail version="0.10">
   <services>
     <service name="nsd" target="multi-user">
-      <override/>
+      <override engine="none"/>
       <ip ip_type="variable">nsd_allowed_all_client</ip>
-      <file>/etc/nsd/conf.d/risotto.conf</file>
-      <file file_type="variable" source="nsd.zone" variable="nsd_zones" included="content">nsd_zone_filenames</file>
-      <file file_type="variable" source="nsd.signed" variable="nsd_zone_filenames">nsd_zone_filenames_signed</file>
-      <file file_type="variable" source="nsd.reverse" variable="nsd_reverse_name" included="content">nsd_reverse_filenames</file>
-      <file file_type="variable" source="nsd.signed" variable="nsd_reverse_filenames">nsd_reverse_filenames_signed</file>
+      <file engine="ansible">/etc/nsd/conf.d/risotto.conf</file>
+      <file engine="ansible" file_type="variable" source="nsd.zone" variable="nsd_zones" included="content">nsd_zone_filenames</file>
+      <file engine="ansible" file_type="variable" source="nsd.signed" variable="nsd_zone_filenames">nsd_zone_filenames_signed</file>
+      <file engine="ansible" file_type="variable" source="nsd.reverse" variable="nsd_reverse_names" included="content">nsd_reverse_filenames</file>
+      <file engine="ansible" file_type="variable" source="nsd.signed" variable="nsd_reverse_filenames">nsd_reverse_filenames_signed</file>
       <file engine="none" source="sysuser-nsd.conf">/sysusers.d/0nsd.conf</file>
       <file engine="none" source="tmpfile-nsd.conf">/tmpfiles.d/0nsd.conf</file>
-      <file filelist="copy_tests">/tests/nsd.yml</file>
+      <file engine="ansible" filelist="copy_tests">/tests/nsd.yml</file>
     </service>
   </services>
   <variables>
@@ -20,19 +20,19 @@
       <variable name="ip_dns" redefine="True" remove_fill="True"/>
     </family>
     <family name="dns_server" description="Serveur DNS">
-      <variable name="nsd_allowed_client" type="domainname" description="Clients" multi="True" mandatory="True" hidden="True" provider="LocalDNS"/>
-      <variable name="nsd_allowed_client_ip" type="ip" description="Clients" multi="True" mandatory="True" hidden="True"/>
-      <variable name="nsd_resolver" type="domainname" description="Nom de domaine du résolveur DNS associé" supplier="ExternalDNS"/>
-      <variable name="nsd_resolve_ip" type="ip" hidden="True"/>
-      <variable name="nsd_allowed_all_client" type="ip" description="All autorised IP" multi="True" hidden="True"/>
+      <variable name="nsd_allowed_client_cidr" type="network_cidr" description="Clients autorisés à interroger le serveur DNS" multi="True"/>
+      <variable name="nsd_resolver" type="domainname" description="Nom de domaine du résolveur DNS associé"/>
+      <variable name="nsd_allowed_all_client" type="network_cidr" description="All autorised IP" multi="True" hidden="True"/>
     </family>
     <family name="dns_zone" description="Zone DNS">
-      <variable name="nsd_zones" type="domainname" description="Zones DNS" multi="True"/>
+      <variable name="nsd_zones" type="domainname" description="Zones DNS" multi="True" mandatory="True"/>
     </family>
     <family name="dns_reverses" description="Zone DNS reverse" leadership="True">
       <variable name="nsd_reverse_network" description="Réseau pour la résolution reverse" type="network_cidr" multi="True"/>
       <variable name="nsd_reverse_name" description="Nom de la zone" hidden="True"/>
     </family>
+    <variable name="nsd_reverse_networks" description="Réseaux pour la résolution inverse" hidden="True" multi="True"/>
+    <variable name="nsd_reverse_names" description="Nom des zones" hidden="True" multi="True"/>
     <variable name="nsd_zones_all" type="domainname" multi="True" supplier="ExternalDNS:authority_zones" hidden="True"/>
     <variable name="nsd_zone_filenames" type="filename" description="Nom des fichiers de zone" multi="True" hidden="True"/>
     <variable name="nsd_zone_filenames_signed" type="filename" description="Nom des fichiers de zone signé" multi="True" hidden="True"/>
@@ -44,11 +44,6 @@
       <param type="variable">ip_eth0</param>
       <target>ip_dns</target>
     </fill>
-    <fill name="get_ip">
-      <param type="information">zones</param>
-      <param type="variable">nsd_allowed_client</param>
-      <target>nsd_allowed_client_ip</target>
-    </fill>
     <fill name="nsd_concat_lists">
       <param type="variable">nsd_zones</param>
       <param type="variable">nsd_reverse_name</param>
@@ -56,24 +51,24 @@
     </fill>
     <fill name="nsd_concat_lists">
       <param type="variable">ip_eth</param>
-      <param type="variable">nsd_allowed_client_ip</param>
-      <param type="variable">nsd_resolve_ip</param>
+      <param type="variable">nsd_allowed_client_cidr</param>
+      <param type="variable" optional="True">nsd_allowed_client_ip</param>
+      <param type="variable" name="ip" optional="True">nsd_resolve_ip</param>
+      <param type="boolean" name="cidr">True</param>
       <target>nsd_allowed_all_client</target>
     </fill>
-    <fill name="get_ip">
-      <param type="information">zones</param>
-      <param type="variable">nsd_resolver</param>
-      <target>nsd_resolve_ip</target>
-    </fill>
-    <fill name="get_internal_zones">
-      <param type="variable">zones_list</param>
-      <param type="information">zones</param>
-      <target>nsd_zones</target>
-    </fill>
     <fill name="get_reverse_name">
       <param type="variable">nsd_reverse_network</param>
       <target>nsd_reverse_name</target>
     </fill>
+    <fill name="calc_reverse_networks">
+      <param type="variable">nsd_reverse_network</param>
+      <target>nsd_reverse_networks</target>
+    </fill>
+    <fill name="calc_reverse_names">
+      <param type="variable">nsd_reverse_name</param>
+      <target>nsd_reverse_names</target>
+    </fill>
     <fill name="calc_value">
       <param>/etc/nsd/</param>
       <param type="variable">nsd_zones</param>
@@ -105,11 +100,5 @@
       <param name="multi" type="boolean">True</param>
       <target>nsd_reverse_filenames_signed</target>
     </fill>
-    <fill name="get_zones_info">
-      <param type="information">zones</param>
-      <param>network</param>
-      <param type="variable" name="zone_names">zones_list</param>
-      <target>nsd_reverse_network</target>
-    </fill>
   </constraints>
 </rougail>
diff --git a/seed/nsd/extras/nsd/00_nsd.xml b/seed/nsd/extras/nsd/00_nsd.xml
index 846c9cd..40368ff 100644
--- a/seed/nsd/extras/nsd/00_nsd.xml
+++ b/seed/nsd/extras/nsd/00_nsd.xml
@@ -1,9 +1,9 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
   <variables>
-    <family name="nsd_zone_" description="Zone " dynamic="nsd_zones" hidden="True">
+    <family name="nsd_zone_" description="Zone " dynamic="nsd_zones">
       <family name="hostname_" description="Nom d'hôte pour " leadership="True">
-        <variable name="hostname_" description="Nom d'hôte pour " type="hostname" multi="True" mandatory="True"/>
+        <variable name="hostname_" description="Nom d'hôte pour " type="string" multi="True" mandatory="True"/>
         <variable name="type_" description="Type pour " type="choice">
           <choice type="string">A</choice>
           <choice type="string">CNAME</choice>
@@ -12,22 +12,10 @@
         <variable name="ip_" description="Adresse IP a renvoyer pour " type="ip" mandatory="True"/>
         <variable name="cname_" description="Nom de domaine a renvoyer pour " type="domainname" mandatory="True"/>
       </family>
+      <variable name="ns_" description="Nom des serveurs de nom de la zone " type="domainname" mandatory="True" multi="True"/>
     </family>
   </variables>
   <constraints>
-    <fill name="get_internal_info_in_zone">
-      <param type="information">zones</param>
-      <param type="suffix"/>
-      <param>host</param>
-      <target>nsd.nsd_zone_.hostname_.hostname_</target>
-    </fill>
-    <fill name="get_internal_info_in_zone">
-      <param type="information">zones</param>
-      <param type="suffix"/>
-      <param>ip</param>
-      <param type="index"/>
-      <target>nsd.nsd_zone_.hostname_.ip_</target>
-    </fill>
     <condition name="disabled_if_in" source="nsd.nsd_zone_.hostname_.type_">
       <param>A</param>
       <target type="variable">nsd.nsd_zone_.hostname_.cname_</target>
@@ -36,5 +24,8 @@
       <param>CNAME</param>
       <target type="variable">nsd.nsd_zone_.hostname_.ip_</target>
     </condition>
+    <check name="valid_dns_hostname">
+      <target>nsd.nsd_zone_.hostname_.hostname_</target>
+    </check>
   </constraints>
 </rougail>
diff --git a/seed/nsd/funcs/funcs.py b/seed/nsd/funcs/funcs.py
index 1cf4c33..0ec142f 100644
--- a/seed/nsd/funcs/funcs.py
+++ b/seed/nsd/funcs/funcs.py
@@ -8,6 +8,9 @@ from shutil import rmtree as _rmtree, copy2 as _copy2
 from glob import glob as _glob
 from filecmp import cmp as _cmp
 
+from tiramisu import DomainnameOption
+from risotto.utils import multi_function as _multi_function
+
 
 _PKI_DIR = _abspath('pki/dnssec')
 _ALGO = 'ECDSAP256SHA256'
@@ -28,13 +31,23 @@ def value_in(value: str,
     return False
 
 
-def nsd_concat_lists(list1: _List[str],
-                     list2: _List[str],
-                     str1: str=None,
+def nsd_concat_lists(*args,
+                     ip: str=None,
+                     cidr: bool=False
                      ) -> _List[str]:
-    ret = set(list1 + list2)
-    if str1:
-        ret.add(str1)
+    ret = set()
+    for lst in args:
+        if cidr:
+            for l in lst:
+                if '/' not in l:
+                    l = l + '/32'
+                ret.add(l)
+        else:
+            ret.update(lst)
+    if ip:
+        if cidr:
+            ip = f'{ip}/32'
+        ret.add(ip)
     ret = list(ret)
     ret.sort()
     return ret
@@ -103,7 +116,7 @@ def sign(zone_filename: str,
     authority_cn = zone_filename.rsplit('/', 1)[-1].rsplit('.', 1)[0]
     copy_file = _join(_PKI_DIR, cn, authority_cn, _basename(zone_filename))
     signed_filename = f'{copy_file}.signed'
-    if not _isfile(copy_file) or not _cmp(zone_filename, copy_file):
+    if not _isfile(copy_file) or not _isfile(signed_filename) or not _cmp(zone_filename, copy_file):
         zsk, ksk = _gen_keys(cn, authority_cn)
         _copy2(zone_filename, copy_file)
         cmd = ['ldns-signzone', '-n', zone_filename, zsk, ksk]
@@ -136,5 +149,35 @@ def get_internal_info_in_zone(zones: list,
     return list(zone['hosts'].values())[index]
     
                                                                                   
-def get_internal_zones(zones_name, zones) -> _List[str]: 
-    return [zone['domain_name'] for zone_name, zone in zones.items() if zone_name in zones_name]
+def get_internal_zones(zones) -> _List[str]: 
+    return [zone['domain_name'] for zone_name, zone in zones.items()]
+
+
+@_multi_function
+def calc_reverse_names(names):
+    ret = []
+    for name in names:
+        if name in ret:
+            continue
+        ret.append(name)
+    return ret
+
+
+@_multi_function
+def calc_reverse_networks(names):
+    ret = []
+    for name in names:
+        name = name.rsplit('.', 1)[0]
+        if name in ret:
+            continue
+        ret.append(name)
+    return ret
+
+
+def valid_dns_hostname(hostname):
+    if hostname != '*':
+        try:
+            DomainnameOption('a', '', hostname, type='hostname', allow_ip=False)
+        except ValueError as err:
+            err.prefix = ''
+            raise err from err
diff --git a/seed/nsd/templates/nsd.reverse b/seed/nsd/templates/nsd.reverse
index 077d41e..3ea89de 100644
--- a/seed/nsd/templates/nsd.reverse
+++ b/seed/nsd/templates/nsd.reverse
@@ -1,17 +1,17 @@
-%set %%name = None
-%set %%network = %%str(%%nsd_reverse_network[%%rougail_index]).rsplit('.', 1)[0]
-%for %%zone in %%nsd_zones
-  %set %%suffix = %%normalize_family(%%zone)
-  %set %%hostnames = %%nsd["nsd_zone_" + %%suffix]["hostname_" + %%suffix]["hostname_" + %%suffix]
-  %for %%hostname in %%hostnames
-    %set %%type = %%hostname['type_' + %%suffix]
-    %if %%type == 'A'
-      %if not %%name
-%set %%name = %%str(%%zone)
-$ORIGIN %%rougail_variable
+{% set name = None %}
+{% set network = nsd_reverse_networks[rougail_index]|string %}
+{% for zone in nsd_zones %}
+{% set suffix = zone|normalize_family %}
+{% set hostnames = nsd["nsd_zone_" + suffix]["hostname_" + suffix]["hostname_" + suffix] %}
+{% for hostname in hostnames %}
+{% set type = hostname['type_' + suffix] %}
+{% if type == 'A' %}
+{% if not name %}
+{% set name = zone|string %}
+$ORIGIN {{ rougail_variable }}
 $TTL 1800
 
-@       IN      SOA     %%domain_name_eth0.      admin.%%name. (
+@       IN      SOA     {{ domain_name_eth0 }}.      admin.{{ name }}. (
                         0000000000              ; serial number
                         3600                    ; refresh
                         900                     ; retry
@@ -20,13 +20,13 @@ $TTL 1800
                         )
 ; Name servers
 
-        IN      NS      %%domain_name_eth0.
-      %end if
-      %set %%ip = %%hostname['ip_' + %%suffix]
-      %if %%ip.startswith(%%network)
-%set %%id = %%ip.rsplit('.', 1)[1]
-%%id       PTR %%hostname.%%{zone}.
-      %end if
-    %end if
-  %end for
-%end for
+        IN      NS      {{ domain_name_eth0 }}.
+{% endif %}
+{% set ip = hostname['ip_' + suffix] %}
+{% if ip.startswith(network) %}
+{% set id = ip.rsplit('.', 1)[1] %}
+{{ id }}       PTR {{ hostname }}.{{zone}}.
+{% endif %}
+{% endif %}
+{% endfor %}
+{% endfor %}
diff --git a/seed/nsd/templates/nsd.signed b/seed/nsd/templates/nsd.signed
index 2cd6b12..07b999a 100644
--- a/seed/nsd/templates/nsd.signed
+++ b/seed/nsd/templates/nsd.signed
@@ -1,2 +1,2 @@
-#RISOTTO: do not compare
-%%sign(%%rougail_destination_dir + %%rougail_variable, %%domain_name_eth0)
+{% set filename = rougail_destination_dir + rougail_variable %}
+{{ filename|sign(domain_name_eth0) }}
diff --git a/seed/nsd/templates/nsd.yml b/seed/nsd/templates/nsd.yml
index ac42006..1da3626 100644
--- a/seed/nsd/templates/nsd.yml
+++ b/seed/nsd/templates/nsd.yml
@@ -1,12 +1,12 @@
-address: '%%ip_eth0'
+address: '{{ ip_eth0 }}'
 records:
-%for %%domain in %%nsd_zones
-  %set %%suffix = %%normalize_family(%%domain)
-  %set %%hostnames = %%nsd["nsd_zone_" + %%suffix]["hostname_" + %%suffix]["hostname_" + %%suffix]
-  %for %%hostname in %%hostnames
-    %set %%type = %%hostname['type_' + %%suffix]
-    %if %%type == 'A'
-  %%{hostname}.%%domain: '%%hostname['ip_' + %%suffix]'
-    %end if
-  %end for
-%end for
+{% for domain in nsd_zones %}
+{% set suffix = domain|normalize_family
+{% set hostnames = nsd["nsd_zone_" + suffix]["hostname_" + suffix]["hostname_" + suffix] %}
+{% for hostname in hostnames %}
+{% set type = hostname['type_' + suffix] %}
+{% if type == 'A' %}
+{{ hostname }}.{{ domain }}: '{{ hostname['ip_' + suffix] }}'
+{% endif %}
+{% endfor %}
+{% endfor %}
diff --git a/seed/nsd/templates/nsd.zone b/seed/nsd/templates/nsd.zone
index d1e187b..a41a021 100644
--- a/seed/nsd/templates/nsd.zone
+++ b/seed/nsd/templates/nsd.zone
@@ -1,7 +1,7 @@
-$ORIGIN %%rougail_variable.
+$ORIGIN {{ rougail_variable }}.
 $TTL 1800
 
-@       IN      SOA     %%domain_name_eth0.      admin.%%rougail_variable. (
+@       IN      SOA     {{ domain_name_eth0 }}.      admin.{{ rougail_variable }}. (
                         0000000000              ; serial number
                         3600                    ; refresh
                         900                     ; retry
@@ -10,16 +10,18 @@ $TTL 1800
                         )
 ; Name servers
 
-        NS      %%domain_name_eth0.
+{% set suffix = rougail_variable|normalize_family %}
+{% for ns in nsd["nsd_zone_" + suffix]["ns_" + suffix] %}
+        NS      {{ ns }}.
+{% endfor %}
 
-%set %%suffix = %%normalize_family(%%rougail_variable)
-%set %%hostnames = %%nsd["nsd_zone_" + %%suffix]["hostname_" + %%suffix]["hostname_" + %%suffix]
-%for %%nsd in %%hostnames
-  %set %%type = %%nsd['type_' + %%suffix]
-  %if %%type == 'A'
-    %set %%value = %%nsd['ip_' + %%suffix]
-  %else
-    %set %%value = %%nsd['cname_' + %%suffix] + '.'
-  %end if
-%%nsd       %%type %%value
-%end for
+{% set hostnames = nsd["nsd_zone_" + suffix]["hostname_" + suffix]["hostname_" + suffix] %}
+{% for nsd in hostnames %}
+{% set type = nsd['type_' + suffix] %}
+{% if type == 'A' %}
+{% set value = nsd['ip_' + suffix] %}
+{% else %}
+{% set value = nsd['cname_' + suffix] + '.' %}
+{% endif %}
+{{ nsd }}       {{ type }} {{ value }}
+{% endfor %}
diff --git a/seed/nsd/templates/risotto.conf b/seed/nsd/templates/risotto.conf
index 12d81a7..16fdbac 100644
--- a/seed/nsd/templates/risotto.conf
+++ b/seed/nsd/templates/risotto.conf
@@ -1,9 +1,9 @@
 #RISOTTO: do not compare
 server:
     interface: 127.0.0.1
-%for %%interface in %%range(%%len(%%zones_list))
-    interface: %%getVar('ip_eth' + %%str(%%interface))
-%end for
+{% for interface in range(zones_list|length) %}
+    interface: {{ general.network['interface_' + interface|string]['ip_eth' + interface|string] }}
+{% endfor %}
     do-ip4: yes
     do-ip6: no
     log-only-syslog: no
@@ -11,20 +11,19 @@ server:
 
 remote-control:
     control-enable: no
-%for %%zone in %%nsd_zones
+{% for zone in nsd_zones %}
 
 zone:
-    name: "%%zone"
-    zonefile: "%%{zone}.zone.signed"
-%end for
-%set %%reversed = []
-%for %%reverse in %%nsd_reverse_network
-  %if %%reverse.nsd_reverse_name in %%reversed
-    %continue
-  %end if
+    name: "{{ zone }}"
+    zonefile: "{{ zone }}.zone.signed"
+{% endfor %}
+{% set reversed = [] %}
+{% for reverse in nsd_reverse_network %}
+{% if reverse.nsd_reverse_name not in reversed %}
 
-%%reversed.append(%%reverse.nsd_reverse_name)%slurp
+{{ reversed.append(reverse.nsd_reverse_name) }}
 zone:
-    name: "%%reverse.nsd_reverse_name"
-    zonefile: "%%{reverse.nsd_reverse_name.replace('/', '-')}reverse.signed"
-%end for
+    name: "{{ reverse.nsd_reverse_name }}"
+    zonefile: "{{ reverse.nsd_reverse_name.replace('/', '-') }}reverse.signed"
+{% endif %}
+{% endfor %}
diff --git a/seed/oauth2-client/dictionaries/30_oauth2_client.xml b/seed/oauth2-client/dictionaries/30_oauth2_client.xml
index c7a87e1..53a1eb4 100644
--- a/seed/oauth2-client/dictionaries/30_oauth2_client.xml
+++ b/seed/oauth2-client/dictionaries/30_oauth2_client.xml
@@ -1,7 +1,7 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
   <services>
-    <service name="oauth2-client" target="risotto" engine="cheetah"/>
+    <service name="oauth2-client" target="risotto" engine="ansible"/>
   </services>
   <variables>
     <family name="oauth2_client" description="OAuth2 client">
@@ -24,14 +24,14 @@
       <variable name="oauth2_client_logo" description="OAuth2 logo" mandatory='True' supplier="OAuth2:logo">
         <value>demo.png</value>
       </variable>
-      <variable name="oauth2_client_id" description="OAuth2 ID" mandatory='True' hidden='True'/>
+      <variable name="oauth2_client_id" description="OAuth2 ID" mandatory='True' hidden='True' supplier="OAuth2:client_id"/>
       <variable name="oauth2_client_secret" type="password" description="OAuth2 secret" mandatory='True' hidden='True' supplier="OAuth2:secret"/>
       <variable name="oauth2_client_token_signature_algo" type="choice" description="OAuth2 token signature algorithm" mandatory='True' hidden='True' supplier="OAuth2:token_signature_algo">
         <value>HS512</value>
         <choice>HS512</choice>
         <choice>RS256</choice>
       </variable>
-      <variable name="oauth2_clients" description="Remote clients" type="domainname" multi="True" provider="OAuth2Client"/>
+      <variable name="oauth2_client" description="Remote clients" type="domainname" provider="OAuth2Client"/>
       <variable name="oauth2_server_domainname" type="domainname" description="OAuth2 server domain name" mandatory='True' provider="OAuth2Client:external_domain"/>
     </family>
   </variables>
diff --git a/seed/oauth2-client/templates/oauth2-client.service b/seed/oauth2-client/templates/oauth2-client.service
index 775aeb1..2f4ecb6 100644
--- a/seed/oauth2-client/templates/oauth2-client.service
+++ b/seed/oauth2-client/templates/oauth2-client.service
@@ -4,4 +4,4 @@ Before=risotto.target
 
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/timeout 90 bash -c 'while ! [ "$(/usr/bin/curl --write-out '%{http_code}' --silent --output /dev/null https://%%oauth2_client_server_domainname/.well-known/openid-configuration)" = 200 ]; do /usr/bin/curl https://%%oauth2_client_server_domainname/.well-known/openid-configuration; sleep 1; done;'
+ExecStart=/usr/bin/timeout 90 bash -c 'while ! [ "$(/usr/bin/curl --write-out '%{http_code}' --silent --output /dev/null https://{{ general.oauth2_client.oauth2_client_server_domainname }}/.well-known/openid-configuration)" = 200 ]; do /usr/bin/curl https://{{ general.oauth2_client.oauth2_client_server_domainname }}/.well-known/openid-configuration; sleep 1; done;'
diff --git a/seed/odoo/DEBUG.md b/seed/odoo/DEBUG.md
index 6039fbd..d78fd99 100644
--- a/seed/odoo/DEBUG.md
+++ b/seed/odoo/DEBUG.md
@@ -1,5 +1,5 @@
-echo "log_level = debug" > /etc/odoo/odoo.conf
-echo "log_db= debug" > /etc/odoo/odoo.conf
+echo "log_level = debug" >> /etc/odoo/odoo.conf
+echo "log_db= debug" >> /etc/odoo/odoo.conf
 
 systemctl restart odoo
 
diff --git a/seed/odoo/dictionaries/40_odoo.xml b/seed/odoo/dictionaries/40_odoo.xml
index 6906baa..a2aa1a1 100644
--- a/seed/odoo/dictionaries/40_odoo.xml
+++ b/seed/odoo/dictionaries/40_odoo.xml
@@ -2,14 +2,14 @@
 <rougail version="0.10">
   <services>
     <service name="odoo" target="multi-user">
-      <override/>
+      <override engine="ansible"/>
       <file engine="none" source="sysuser-odoo.conf">/sysusers.d/1odoo.conf</file>
       <file engine="none" source="tmpfile-odoo.conf">/tmpfiles.d/0odoo.conf</file>
-      <file mode="755">/sbin/config_odoo.py</file>
-      <file mode="400" owner="odoo">/etc/odoo/odoo.conf</file>
-      <file mode="400" owner="odoo">/etc/odoo/postgresql.pass</file>
-      <file>/etc/hosts</file>
-      <file source="config-nginx.conf">/etc/nginx/sites-enabled/odoo.conf</file>
+      <file engine="ansible" mode="755">/sbin/config_odoo.py</file>
+      <file engine="ansible" mode="400" owner="odoo">/etc/odoo/odoo.conf</file>
+      <file engine="ansible" mode="400" owner="odoo">/etc/odoo/postgresql.pass</file>
+      <file engine="ansible">/etc/hosts</file>
+      <file engine="ansible" source="config-nginx.conf">/etc/nginx/sites-enabled/odoo.conf</file>
     </service>
   </services>
   <variables>
@@ -71,7 +71,7 @@
 	<variable name="oauth2_client_family" redefine="True" multi="True"/>
       </family>
     </family>
-    <family name="annuaire">
+    <family name="ldap">
       <family name="client">
         <variable name="ldap_key_file_owner" redefine="True">
           <value>odoo</value>
diff --git a/seed/odoo/templates/config-nginx.conf b/seed/odoo/templates/config-nginx.conf
index 2772e05..e5033f0 100644
--- a/seed/odoo/templates/config-nginx.conf
+++ b/seed/odoo/templates/config-nginx.conf
@@ -7,9 +7,9 @@ server {
     ## Strong SSL Security
     ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
 #    ssl on;
-    ssl_certificate              %%tls_cert_directory/revprox.crt;
-    ssl_certificate_key          %%tls_key_directory/revprox.key;
-    ssl_client_certificate       %%tls_ca_directory/InternalReverseProxy.crt;
+    ssl_certificate              {{ general.tls_cert_directory }}/revprox.crt;
+    ssl_certificate_key          {{ general.tls_key_directory }}/revprox.key;
+    ssl_client_certificate       {{ general.tls_ca_directory }}/InternalReverseProxy.crt;
 
     ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
     ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
diff --git a/seed/odoo/templates/config_odoo.py b/seed/odoo/templates/config_odoo.py
index f2f8ae3..44f939b 100644
--- a/seed/odoo/templates/config_odoo.py
+++ b/seed/odoo/templates/config_odoo.py
@@ -1,4 +1,4 @@
-%echo '#!/usr/bin/env python3'
+#!/usr/bin/env python3
 
 from os import environ
 environ['ODOO_RC'] = '/etc/odoo/odoo.conf'
@@ -7,69 +7,69 @@ from odoo import registry, SUPERUSER_ID
 from odoo.api import Environment
 
 
-with registry('%%pg_client_database').cursor() as cr:
+with registry('{{ general.postgresql.pg_client_database }}').cursor() as cr:
     ctx = Environment(cr, SUPERUSER_ID, {})["res.users"].context_get()
     env = Environment(cr, SUPERUSER_ID, ctx)
     # Company
-    env.company.name = '%%odoo_company_name'
-    env.company.street = '%%odoo_company_street'
-    env.company.city = '%%odoo_company_city'
-    env.company.zip = '%%odoo_company_zip'
-    env.company.vat = '%%odoo_company_vat'
-    env.company.company_registry = '%%odoo_company_registry'
-    env.company.phone = '%%odoo_company_phone'
-    env.company.mobile = '%%odoo_company_mobile'
-    env.company.email = '%%odoo_company_email'
-    env.company.website = '%%odoo_company_website'
-    env.company.logo = %%get_logo(%%odoo_company_logo)
-    env.company.report_footer = '%%odoo_company_footer'
-    env.company.external_report_layout_id = env.ref('web.external_layout_%%odoo_company_layout').id
+    env.company.name = '{{ general.odoo.odoo_company_name }}'
+    env.company.street = '{{ general.odoo.odoo_company_street }}'
+    env.company.city = '{{ general.odoo.odoo_company_city }}'
+    env.company.zip = '{{ general.odoo.odoo_company_zip }}'
+    env.company.vat = '{{ general.odoo.odoo_company_vat }}'
+    env.company.company_registry = '{{ general.odoo.odoo_company_registry }}'
+    env.company.phone = '{{ general.odoo.odoo_company_phone }}'
+    env.company.mobile = '{{ general.odoo.odoo_company_mobile }}'
+    env.company.email = '{{ general.odoo.odoo_company_email }}'
+    env.company.website = '{{ general.odoo.odoo_company_website }}'
+    env.company.logo = '{{ general.odoo.odoo_company_logo|get_logo }}'
+    env.company.report_footer = '{{ general.odoo.odoo_company_footer }}'
+    env.company.external_report_layout_id = env.ref('web.external_layout_{{ general.odoo.odoo_company_layout }}').id
     doc = env['base.document.layout'].create({'company_id': env.company.id})
     doc._onchange_company_id()
     # Admin
     admin = env['res.users'].search([('name', '=', 'Administrator')])
-    admin.email = "%%odoo_admin_email"
-    admin.password = '%%odoo_admin_password'
+    admin.email = "{{ general.odoo.odoo_admin_email }}"
+    admin.password = '{{ general.odoo.odoo_admin_password }}'
     # URL
-    env['ir.config_parameter'].set_param('web.base.url', 'https://%%revprox_client_external_domainnames[0]')
+    env['ir.config_parameter'].set_param('web.base.url', 'https://{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}')
     env['ir.config_parameter'].set_param('web.base.url.freeze', True)
     # LDAP
     env['res.config.settings'].create({'module_auth_ldap': True}).execute()
     ldaps = env.company.ldaps
     if ldaps:
         ldap = ldaps[0]
-        ldap.ldap_server = '%%ldap_server_address'
+        ldap.ldap_server = '{{ general.ldap.server.ldap_server_address }}'
         ldap.ldap_server_port = '636'
-        ldap.ldap_binddn = '%%ldapclient_user'
-        ldap.ldap_password = '%%ldapclient_user_password'
+        ldap.ldap_binddn = '{{ general.ldap.client.ldapclient_user }}'
+        ldap.ldap_password = '{{ general.ldap.client.ldapclient_user_password }}'
         ldap.ldap_filter = 'cn=%s'
-        ldap.ldap_base = '%%ldapclient_user_dn'
+        ldap.ldap_base = '{{ general.ldap.client.ldapclient_user_dn }}'
     else:
         ldap = env['res.company.ldap'].create({'company': env.company.id,
-                                               'ldap_server': '%%ldap_server_address',
+                                               'ldap_server': '{{ general.ldap.server.ldap_server_address }}',
                                                'ldap_server_port': '636',
-                                               'ldap_binddn': '%%ldapclient_user',
-                                               'ldap_password': '%%ldapclient_user_password',
+                                               'ldap_binddn': '{{ general.ldap.client.ldapclient_user }}',
+                                               'ldap_password': '{{ general.ldap.client.ldapclient_user_password }}',
                                                'ldap_filter': 'cn=%s',
-                                               'ldap_base': '%%ldapclient_user_dn',
+                                               'ldap_base': '{{ general.ldap.client.ldapclient_user_dn }}',
                                                })
         env.company.ldaps = ldap
     # SMTP
     mail = env['ir.mail_server'].search([('name', '=', 'Silique')])
     if mail.id is False:
         env['ir.mail_server'].create({'name': 'Silique',
-                                      'smtp_host': '%%smtp_relay_address',
+                                      'smtp_host': '{{ general.smtp.smtp_relay_address }}',
                                       'smtp_port': '25',
                                       'smtp_authentication': 'login',
-                                      'smtp_user': '%%smtp_relay_user@%%ip_eth0',
-                                      'smtp_pass': '%%smtp_relay_password',
+                                      'smtp_user': '{{ general.smtp.smtp_relay_user }}@{{ general.smtp.smtp_client_ip }}',
+                                      'smtp_pass': '{{ general.smtp.smtp_relay_password }}',
                                       'smtp_encryption': 'starttls',
                                       })
     else:
-        mail.smtp_host = '%%smtp_relay_address'
+        mail.smtp_host = '{{ general.smtp.smtp_relay_address }}'
         mail.smtp_port = '25'
         mail.smtp_authentication = 'login'
-        mail.smtp_user = '%%smtp_relay_user@%%ip_eth0'
-        mail.smtp_pass = '%%smtp_relay_password'
+        mail.smtp_user = '{{ general.smtp.smtp_relay_user }}@{{ general.smtp.smtp_client_ip }}'
+        mail.smtp_pass = '{{ general.smtp.smtp_relay_password }}'
         mail.smtp_encryption = 'starttls'
     env['ir.config_parameter'].set_param('base_setup.default_external_email_server', True)
diff --git a/seed/odoo/templates/hosts b/seed/odoo/templates/hosts
index 9d6dcb7..eeba48a 100644
--- a/seed/odoo/templates/hosts
+++ b/seed/odoo/templates/hosts
@@ -1,4 +1,4 @@
-127.0.0.1	localhost  %%revprox_client_external_domainnames[0]
+127.0.0.1	localhost  {{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}
 ::1		localhost ip6-localhost ip6-loopback
 ff02::1		ip6-allnodes
 ff02::2		ip6-allrouters
diff --git a/seed/odoo/templates/odoo.conf b/seed/odoo/templates/odoo.conf
index 9565b72..1ecfeb4 100644
--- a/seed/odoo/templates/odoo.conf
+++ b/seed/odoo/templates/odoo.conf
@@ -1,11 +1,11 @@
 [options]
 ; This is the password that allows database operations:
-admin_passwd = %%odoo_admin_password
-db_host = %%pg_client_server_domainname
+admin_passwd = {{ general.odoo.odoo_admin_password }}
+db_host = {{ general.postgresql.pg_client_server_domainname }}
 db_port = 5432
-db_user = %%pg_client_username
-db_password = %%pg_client_password
-db_name = %%pg_client_database
+db_user = {{ general.postgresql.pg_client_username }}
+db_password = {{ general.postgresql.pg_client_password }}
+db_name = {{ general.postgresql.pg_client_database }}
 # FIXME db_sslmode = verify-full 
 db_sslmode = require
 no_database_list = True
diff --git a/seed/odoo/templates/odoo.service b/seed/odoo/templates/odoo.service
index 093ce85..fbe9cb0 100644
--- a/seed/odoo/templates/odoo.service
+++ b/seed/odoo/templates/odoo.service
@@ -2,14 +2,14 @@
 After=risotto.target
 
 [Service]
-Environment="PGSSLROOTCERT=%%tls_cert_directory/postgresql.crt"
-Environment="PGSSLCERT=%%tls_cert_directory/postgresql.crt"
-Environment="PGSSLKEY=%%tls_key_directory/postgresql.key"
+Environment="PGSSLROOTCERT={{ general.tls_cert_directory }}/postgresql.crt"
+Environment="PGSSLCERT={{ general.tls_cert_directory }}/postgresql.crt"
+Environment="PGSSLKEY={{ general.tls_key_directory }}/postgresql.key"
 Environment="PGPASSFILE=/etc/odoo/postgresql.pass"
 
 #if database not imported, imported it active addons
-%set %%addons = ','.join(%%odoo_addons)
-ExecStartPre=/usr/bin/bash -c '/usr/bin/psql --set=sslmode=verify-full -h %%pg_client_server_domainname -U %%pg_client_username %%pg_client_database -c "\dt account_account" 2>&1 | grep -vq "not find" || (echo "INIT DATABASE"; /usr/bin/odoo --config /etc/odoo/odoo.conf -i %%addons --stop-after-init; echo "OK")'
+{% set addons = odoo_addons|join(',') %}
+ExecStartPre=/usr/bin/bash -c '/usr/bin/psql --set=sslmode=verify-full -h {{ general.postgresql.pg_client_server_domainname }} -U {{ general.postgresql.pg_client_username }} {{ general.postgresql.pg_client_database }} -c "\dt account_account" 2>&1 | grep -vq "not find" || (echo "INIT DATABASE"; /usr/bin/odoo --config /etc/odoo/odoo.conf -i {{ addons }} --stop-after-init; echo "OK")'
 #change default values in database
 ExecStartPre=/usr/local/lib/sbin/config_odoo.py
 
diff --git a/seed/openldap/applicationservice.yml b/seed/openldap/applicationservice.yml
index 7f1752a..e2ac780 100644
--- a/seed/openldap/applicationservice.yml
+++ b/seed/openldap/applicationservice.yml
@@ -2,5 +2,5 @@ format: '0.1'
 description: OpenLDAP, a LDAP server
 website: https://www.openldap.org/
 depends:
-  - ldap-client
+  #  - ldap-client
   - base-fedora-37
diff --git a/seed/openldap/dictionaries/21_openldap-server.xml b/seed/openldap/dictionaries/21_openldap-server.xml
index 0db4ccf..10007e8 100644
--- a/seed/openldap/dictionaries/21_openldap-server.xml
+++ b/seed/openldap/dictionaries/21_openldap-server.xml
@@ -2,104 +2,127 @@
 <rougail version="0.10">
   <services>
     <service name="slapd" target="multi-user">
-      <override/>
+      <override engine="ansible"/>
       <certificate authority="LDAP" owner="ldap" type="server">openldap</certificate>
-      <file owner="ldap">/var/lib/ldap/DB_CONFIG</file>
-      <file owner="ldap" mode="400">/etc/ldap/secrets/config.ldif</file>
-      <file owner="ldap" mode="400">/etc/ldap/secrets/users.ldif</file>
-      <file>/secrets/users_mod.ldif</file>
-      <file>/secrets/config_acl.ldif</file>
-      <file mode="400">/secrets/admin_ldap.pwd</file>
+      <file engine="ansible" owner="ldap">/var/lib/ldap/DB_CONFIG</file>
+      <file engine="ansible" owner="ldap" mode="400">/etc/ldap/secrets/config.ldif</file>
+      <file engine="ansible" owner="ldap" mode="400">/etc/ldap/secrets/users.ldif</file>
+      <file engine="ansible">/secrets/users_mod.ldif</file>
+      <file engine="ansible">/secrets/config_acl.ldif</file>
+      <file engine="ansible" mode="400">/secrets/admin_ldap.pwd</file>
       <file engine="none">/sysusers.d/risotto-openldap.conf</file>
-      <file source="tmpfile-openldap-server.conf">/tmpfiles.d/0openldap-server.conf</file>
-      <file filelist="copy_tests">/tests/openldap.yml</file>
+      <file engine="ansible">/etc/openldap/ldap.conf</file>
+      <file engine="ansible" source="tmpfile-openldap-server.conf">/tmpfiles.d/0openldap-server.conf</file>
+      <file engine="ansible" filelist="copy_tests">/tests/openldap.yml</file>
     </service>
   </services>
 
   <variables>
-    <family name="annuaire">
-      <family name="server">
-        <variable name='ldap_server_address' redefine="True" hidden="True"/>
-        <variable name='ldap_schemas' type='filename' description='Schémas LDAP additionnel' multi='True'>
-          <value>/etc/openldap/schema/cosine.ldif</value>
-          <value>/etc/openldap/schema/inetorgperson.ldif</value>
-          <value>/etc/openldap/schema/nis.ldif</value>
-          <value>/etc/openldap/schema/misc.ldif</value>
+    <family name="ldap">
+      <!--variable name='ldap_server_address' redefine="True" hidden="True"/-->
+      <variable name='prefix_domain_name' hidden="True" mandatory="True" provider="global:prefix_domain_name"/>
+      <variable name='ldap_schemas' type='filename' description='Schémas LDAP additionnel' multi='True'>
+        <value>/etc/openldap/schema/cosine.ldif</value>
+        <value>/etc/openldap/schema/inetorgperson.ldif</value>
+        <value>/etc/openldap/schema/nis.ldif</value>
+        <value>/etc/openldap/schema/misc.ldif</value>
+      </variable>
+      <family name='limits' description='Limites' mode='expert'>
+        <variable name='ldap_loglevel' type='number' description='Niveau de log' mode="expert">
+          <value>0</value>
+        </variable>
+        <variable name='ldap_sizelimit' type='number' description="Nombre maximum d'entrées à retourner lors d'une requête" mode="expert">
+          <value>5000</value>
+        </variable>
+        <variable name='ldap_timelimit' type='number' description='Temps de réponse maximum à une requête (en secondes)' mode="expert">
+          <value>3600</value>
         </variable>
-        <family name='limits' description='Limites' mode='expert'>
-          <variable name='ldap_loglevel' type='number' description='Niveau de log' mode="expert">
-            <value>0</value>
-          </variable>
-          <variable name='ldap_sizelimit' type='number' description="Nombre maximum d'entrées à retourner lors d'une requête" mode="expert">
-            <value>5000</value>
-          </variable>
-          <variable name='ldap_timelimit' type='number' description='Temps de réponse maximum à une requête (en secondes)' mode="expert">
-            <value>3600</value>
-          </variable>
-        </family>
-        <family name='db_environment' description='DB environment' mode='expert'>
-          <variable name='db_cache_size_g' description="Quantité de Giga-octets à utiliser pour le cache HDB" type="number">
-            <value>0</value>
-          </variable>
-          <variable name='db_cache_size_o' description="Quantité d'octets à utiliser pour le cache HDB" type="number">
-            <value>268435456</value>
-          </variable>
-          <variable name='db_cache_chunks' description="Nombre de fichiers ou écrire le cache HDB" type="number">
-            <value>1</value>
-          </variable>
-          <variable name='db_log_region_max' type='number' description="Quantité de fichier de cache mis en cache mémoire">
-            <value>262144</value>
-          </variable>
-          <variable name='db_log_max' type='number' description="Quantité d'informations de journalisation conservé jusqu'à rotation">
-            <value>10485760</value>
-          </variable>
-          <variable name='db_log_bsize' type='number' description="Quantité d'informations de journalisation du cache reporté sur le disque">
-            <value>2097152</value>
-          </variable>
-          <variable name='db_log_directory' type='filename' description='Répertoire de conservation des informations de journalisation'>
-            <value>/srv/openldap/log</value>
-          </variable>
-          <variable name='db_lk_max_objects' type='number' description="Nombre d'objet qui peuvent être verrouillés simultanément ">
-            <value>5000</value>
-          </variable>
-          <variable name='db_lk_max' type='number' description='Nombre de verrous maximal'>
-            <value>5000</value>
-          </variable>
-          <variable name='db_lk_max_lockers' type='number' description='Nombre de verroulleur maximal'>
-            <value>5000</value>
-          </variable>
-          <variable name="openldap_key_file" type="filename" hidden="True"/>
-        </family>
       </family>
-      <family name="client">
-        <variable name='ldapclient_user' redefine="True"/>
-        <!--variable name='ldapclient_user_password' redefine="True"/-->
+      <family name='db_environment' description='DB environment' mode='expert'>
+        <variable name='db_cache_size_g' description="Quantité de Giga-octets à utiliser pour le cache HDB" type="number">
+          <value>0</value>
+        </variable>
+        <variable name='db_cache_size_o' description="Quantité d'octets à utiliser pour le cache HDB" type="number">
+          <value>268435456</value>
+        </variable>
+        <variable name='db_cache_chunks' description="Nombre de fichiers ou écrire le cache HDB" type="number">
+          <value>1</value>
+        </variable>
+        <variable name='db_log_region_max' type='number' description="Quantité de fichier de cache mis en cache mémoire">
+          <value>262144</value>
+        </variable>
+        <variable name='db_log_max' type='number' description="Quantité d'informations de journalisation conservé jusqu'à rotation">
+          <value>10485760</value>
+        </variable>
+        <variable name='db_log_bsize' type='number' description="Quantité d'informations de journalisation du cache reporté sur le disque">
+          <value>2097152</value>
+        </variable>
+        <variable name='db_log_directory' type='filename' description='Répertoire de conservation des informations de journalisation'>
+          <value>/srv/openldap/log</value>
+        </variable>
+        <variable name='db_lk_max_objects' type='number' description="Nombre d'objet qui peuvent être verrouillés simultanément ">
+          <value>5000</value>
+        </variable>
+        <variable name='db_lk_max' type='number' description='Nombre de verrous maximal'>
+          <value>5000</value>
+        </variable>
+        <variable name='db_lk_max_lockers' type='number' description='Nombre de verroulleur maximal'>
+          <value>5000</value>
+        </variable>
+        <variable name="openldap_key_file" type="filename" hidden="True"/>
+      </family>
+      <variable name='ldap_user' mandatory="True" hidden="True"/>
+      <variable name='ldap_user_password' type='password' description="Mot de passe de l'utilisateur LDAP" mandatory='True' hidden="True"/>
+      <variable name='ldap_base_dn' mandatory="True" description="Base DN" hidden="True"/>
+      <variable name='ldap_account_dn' type='string' description="Base DN de l'annuaire des utilisateurs" mandatory="True" hidden="True"/>
+      <variable name='ldap_user_dn' type='string' description="Base DN de l'annuaire des utilisateurs n'appartenant à une famille" mandatory="True" hidden="True"/>
+      <variable name='ldap_group_dn' type='string' description="Base DN de l'annuaire des groupes" mandatory="True" hidden="True"/>
+      <!--family name="client">
         <variable name='ldapclient_family' redefine="True" disabled="True"/>
-        <variable name='ldapclient_base_dn' redefine="True" mandatory="True" description="Base DN"/>
-        <variable name='ldap_account_dn' type='string' description="Base DN de l'annuaire des utilisateurs" mandatory="True"/>
         <variable name='ldapclient_search_dn' redefine="True"/>
-      </family>
+      </family-->
     </family>
   </variables>
   <constraints>
-    <fill name='calc_value'>
-      <param type='variable'>domain_name_eth0</param>
-      <target>ldap_server_address</target>
+    <check name='valid_base_dn'>
+      <target>ldap_base_dn</target>
+    </check>
+    <fill name='get_default_base_dn'>
+      <param type="variable">prefix_domain_name</param>
+      <target>ldap_base_dn</target>
+    </fill>
+    <fill name="get_password">
+      <param name="server_name" type="variable">domain_name_eth0</param>
+      <param name="username" type="variable">ldap_user</param>
+      <param name="description">remote account</param>
+      <param name="type">cleartext</param>
+      <param name="hide" type="variable">hide_secret</param>
+      <param name="temporary" type="boolean">True</param>
+      <target>ldap_user_password</target>
     </fill>
     <fill name="calc_ldapclient_base_dn">
-      <param type="variable">ldapclient_base_dn</param>
+      <param type="variable">ldap_base_dn</param>
       <param name="base" type="boolean">True</param>
       <target>ldap_account_dn</target>
     </fill>
     <fill name='calc_value'>
       <param>cn=admin</param>
-      <param type='variable'>ldapclient_base_dn</param>
+      <param type='variable'>ldap_base_dn</param>
       <param name="join">,</param>
-      <target>ldapclient_user</target>
+      <target>ldap_user</target>
     </fill>
-    <fill name='calc_value'>
+    <!--fill name='calc_value'>
       <param type="variable">ldapclient_base_dn</param>
       <target>ldapclient_search_dn</target>
+    </fill-->
+    <fill name="calc_ldapclient_base_dn">
+      <param type="variable">ldap_base_dn</param>
+      <target>ldap_user_dn</target>
+    </fill>
+    <fill name="calc_ldapclient_base_dn">
+      <param type="variable">ldap_base_dn</param>
+      <param name="group" type="boolean">True</param>
+      <target>ldap_group_dn</target>
     </fill>
   </constraints>
 </rougail>
diff --git a/seed/openldap/funcs/ldap.py b/seed/openldap/funcs/ldap.py
index ea7b8c3..14f65b8 100644
--- a/seed/openldap/funcs/ldap.py
+++ b/seed/openldap/funcs/ldap.py
@@ -29,3 +29,53 @@ def ssha_encode(password):
     with open(_SSHA_PASSWORD_DIR, 'w') as fh:
         _dump(passwords, fh)
     return ret
+
+
+def calc_ldapclient_base_dn(ldap_base_dn: str,
+                            family_name: str=None,
+                            base: bool=False,
+                            group: bool=False,
+                            ) -> str:
+    # copied from ldap-client
+    if ldap_base_dn is None:
+        return
+    if family_name == 'all':
+        family_name = None
+        base = True
+    if group:
+        return f'ou=groups,{ldap_base_dn}'
+    if not ldap_base_dn.startswith('ou=accounts,'):
+        base_name = f'ou=accounts,{ldap_base_dn}'
+    else:
+        base_name = ldap_base_dn
+    if base:
+        return base_name
+    if not family_name:
+        return f'ou=users,{base_name}'
+    base_name = f'ou=families,{base_name}'
+    if family_name != '-':
+        base_name = f'ou={family_name},{base_name}'
+    return base_name
+
+
+def get_default_base_dn(prefix: str) -> str:
+    # copied from ldap-client
+    if not prefix or '.' not in prefix:
+        return None
+    values = prefix.split('.')
+    # cannot calculated base dn should be subdomain.domain.tld
+    # remove 'server' in dn
+    if len(values) < 3:
+        return None
+    domain = ['ou=' + domain for domain in values[0:-2]]
+    domain.append(f'o={values[-2]},o={values[-1]}')
+    return ','.join(domain)
+
+
+def valid_base_dn(base_dn: str) -> None:
+    # copied from ldap-client
+    for att in ['o', 'dc', 'ou']:
+        if base_dn.startswith(att + '='):
+            break
+    else:
+        raise ValueError('La racine doit débuter par une organisation (o=), une composante du domaine (dc=) ou une unité organisationnelle (ou=)')
diff --git a/seed/openldap/templates/DB_CONFIG b/seed/openldap/templates/DB_CONFIG
index bdfb237..7ecf914 100644
--- a/seed/openldap/templates/DB_CONFIG
+++ b/seed/openldap/templates/DB_CONFIG
@@ -28,11 +28,7 @@
 #          0 or 1 then Berkeley DB will try to allocate one contiguous section
 #          of memory for the cache. If this value is greater than 1, the cache
 #          will be split into that number of segments.
-%if %%getVar('import_slapadd', 'no') != 'no'
-set_cachesize   2       0        1
-%else
-set_cachesize   %%db_cache_size_g   %%db_cache_size_o    %%db_cache_chunks
-%end if
+set_cachesize   {{ db_cache_size_g }}   {{ db_cache_size_o }}    {{ db_cache_chunks }}
 
 # Sets the database startup flags.
 #
@@ -42,9 +38,6 @@ set_cachesize   %%db_cache_size_g   %%db_cache_size_o    %%db_cache_chunks
 #   Setting this flag can help speed up database access during periods of
 #   database write activity BUT at expense of data safety. Enable it only
 #   to load data with slapadd, while slapd is not running.
-%if %%getVar('import_slapadd', 'no') != 'no'
-set_flags       DB_TXN_NOSYNC
-%end if
 
 # Data Directory
 #set_data_dir db
@@ -54,7 +47,7 @@ set_flags       DB_TXN_NOSYNC
 # set_lg_regionmax <bytes>
 #   This value should be increased as the number of database files increases
 #   (tables and indexes).
-set_lg_regionmax %%db_log_region_max
+set_lg_regionmax {{ db_log_region_max }}
 #
 # Set the maximum size of log files in <bytes>.
 #
@@ -63,14 +56,14 @@ set_lg_regionmax %%db_log_region_max
 #   one log file. This value should be at least four times the size of
 #   set_lg_bsize.
 #set_lg_max              10485760
-set_lg_max   %%db_log_max
+set_lg_max   {{ db_log_max }}
 
 # Set the in memory cache for log information.
 #
 # set_lg_bsize <bytes>
 #   When <bytes> amount of logging information have been written to this
 #   cache it will be flushed to disk.
-set_lg_bsize %%db_log_bsize
+set_lg_bsize {{ db_log_bsize }}
 
 # Set the log file directory to <directory>.
 #
@@ -78,14 +71,14 @@ set_lg_bsize %%db_log_bsize
 #   Log files should preferably be on a different disk than the
 #   database files. This both improves reliability (for disastrous
 #   recovery) and speed of the database.
-set_lg_dir %%db_log_directory
+set_lg_dir {{ db_log_directory }}
 
 # Number of objects that can be locked at the same time.
-set_lk_max_objects %%db_lk_max_objects
+set_lk_max_objects {{ db_lk_max_objects }}
 # Number of locks (both requested and granted)
-set_lk_max_locks %%db_lk_max
+set_lk_max_locks {{ db_lk_max }}
 # Number of lockers
-set_lk_max_lockers %%db_lk_max_lockers
+set_lk_max_lockers {{ db_lk_max_lockers }}
 
 # Purge automatique des logs
 set_flags       DB_LOG_AUTOREMOVE
diff --git a/seed/openldap/templates/admin_ldap.pwd b/seed/openldap/templates/admin_ldap.pwd
index 22610d3..ec77e5c 100644
--- a/seed/openldap/templates/admin_ldap.pwd
+++ b/seed/openldap/templates/admin_ldap.pwd
@@ -1 +1 @@
-%%ldapclient_user_password%slurp
+{{- ldap_user_password -}}
\ No newline at end of file
diff --git a/seed/openldap/templates/config.ldif b/seed/openldap/templates/config.ldif
index b39fdc8..8506da0 100644
--- a/seed/openldap/templates/config.ldif
+++ b/seed/openldap/templates/config.ldif
@@ -1,10 +1,10 @@
 #RISOTTO: do not compare
 dn: cn=config
 objectClass: olcGlobal
-#olcLogLevel: %%ldap_loglevel
-olcTLSCertificateFile: %%tls_cert_directory/openldap.crt
-olcTLSCertificateKeyFile: %%tls_key_directory/openldap.key
-olcTLSCACertificateFile: %%tls_ca_directory/LDAP.crt
+#olcLogLevel: {{ ldap_loglevel }}
+olcTLSCertificateFile: {{ tls_cert_directory }}/openldap.crt
+olcTLSCertificateKeyFile: {{ tls_key_directory }}/openldap.key
+olcTLSCACertificateFile: {{ tls_ca_directory }}/LDAP.crt
 #FIXME olcTLSVerifyClient: demand
 cn: config
 
@@ -102,7 +102,7 @@ olcDatabase: {-1}frontend
 dn: olcDatabase={0}config,cn=config
 objectClass: olcDatabaseConfig
 olcDatabase: {0}config
-olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="%%ldapclient_user" write by * none
+olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="{{ ldap_user }}" write by * none
 
 dn: olcDatabase={1}monitor,cn=config
 objectClass: olcDatabaseConfig
@@ -114,11 +114,11 @@ objectClass: olcDatabaseConfig
 objectClass: olcMdbConfig
 olcDatabase: {2}mdb
 olcDbDirectory: /srv/openldap
-olcRootDN: %%ldapclient_user
-olcRootPW:: %%ssha_encode(%%ldapclient_user_password)
-olcSuffix: %%ldapclient_base_dn
-olcSizeLimit: %%ldap_sizelimit
-olcTimeLimit: %%ldap_timelimit
+olcRootDN: {{ ldap_user }}
+olcRootPW:: {{ ldap_user_password|ssha_encode }}
+olcSuffix: {{ ldap_base_dn }}
+olcSizeLimit: {{ ldap_sizelimit }}
+olcTimeLimit: {{ ldap_timelimit }}
 olcDbIndex: objectClass eq,pres
 olcDbIndex: uid eq,pres
 olcDbIndex: cn eq,pres
diff --git a/seed/openldap/templates/config_acl.ldif b/seed/openldap/templates/config_acl.ldif
index b60c795..39df7ce 100644
--- a/seed/openldap/templates/config_acl.ldif
+++ b/seed/openldap/templates/config_acl.ldif
@@ -1,25 +1,20 @@
 #RISOTTO: do not compare
-%set %%name_family = 'gnunux'
-%set %%dns = {}
-%set %%groups = []
-%%groups.append('cn=remote_test0,' + %%ldapclient_base_dn)%slurp
-%%groups.append('cn=remote_test1,' + %%ldapclient_base_dn)%slurp
-%%groups.append('cn=remote_test2,' + %%ldapclient_base_dn)%slurp
-%%dns.setdefault(None, []).append(('cn=remote_test0,' + %%ldapclient_base_dn, 'read'))%slurp
-%%dns.setdefault('all', []).append(('cn=remote_test1,' + %%ldapclient_base_dn, 'read'))%slurp
-%%dns.setdefault(%%name_family, []).append(('cn=remote_test2,' + %%ldapclient_base_dn, 'read'))%slurp
-%for %%remote in %%accounts.remotes
- %set %%name = %%normalize_family(%%remote)
- %set %%family = %%accounts['remote_' + %%name]['family_' + %%name]
-%%groups.append(%%accounts['remote_' + %%name]['dn_' + %%name])%slurp
-%set %%right = 'read'
-# %if %%accounts['remote_' + %%name]['read_only_' + %%name]
-#  %set %%right = 'read'
-# %else
-#  %set %%right = 'write'
-# %end if
-%%dns.setdefault(%%family, []).append((%%accounts['remote_' + %%name]['dn_' + %%name], %%right))%slurp
-%end for
+{% set name_family = 'gnunux' %}
+{% set dns = {} %}
+{% set groups = [] %}
+{{ groups.append('cn=remote_test0,' + ldap_base_dn) }}
+{{ groups.append('cn=remote_test1,' + ldap_base_dn) }}
+{{ groups.append('cn=remote_test2,' + ldap_base_dn) }}
+{{ dns.setdefault(None, []).append(('cn=remote_test0,' + ldap_base_dn, 'read')) }}
+{{ dns.setdefault('all', []).append(('cn=remote_test1,' + ldap_base_dn, 'read')) }}
+{{ dns.setdefault(name_family, []).append(('cn=remote_test2,' + ldap_base_dn, 'read')) }}
+{% for remote in accounts.remotes %}
+{% set name = remote|normalize_family %}
+{% set family = accounts['remote_' + name]['family_' + name] %}
+{{ groups.append(accounts['remote_' + name]['dn_' + name]) }}
+{% set right = 'read' %}
+{{ dns.setdefault(family, []).append((accounts['remote_' + name]['dn_' + name], right)) }}
+{% endfor %}
 dn: olcDatabase={2}mdb,cn=config
 changetype:modify
 replace: olcAccess
@@ -27,36 +22,33 @@ olcAccess: {0}to attrs=userPassword
     by self write
     by anonymous auth
     by * none
-olcAccess: {1}to dn.subtree="%%ldapclient_group_dn"
-%for group in %%groups
-    by dn="%%group" read
-%end for
+olcAccess: {1}to dn.subtree="{{ ldap_group_dn }}"
+{% for group in groups %}
+    by dn="{{ group }}" read
+{% endfor %}
     by * none
-%set %%aclidx = 2
-%for %%family, %%remotes in %%dns.items()
- %if %%family == 'all'
-  %continue
- %end if
-olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldapclient_base_dn, %%family)"
+{% set acl = {'idx': 2} %}
+{% for family, remotes in dns.items() %}
+{% if family != 'all' %}
+olcAccess: { {{- acl['idx'] -}} }to dn.subtree="{{ ldap_base_dn|calc_ldapclient_base_dn(family) }}"
     by self read
- %for %%remote in %%remotes
-    by dn="%%remote[0]" %%remote[1]
- %end for
- %if %%family != 'all' and 'all' in %%dns
-  %for %%remote in  %%dns['all']
-    by dn="%%remote[0]" %%remote[1]
-  %end for
- %end if
- %set %%aclidx += 1
- %if %%family != 'all'
+{% for remote in remotes %}
+    by dn="{{ remote[0] }}" {{ remote[1] }}
+{% endfor %}
+{% if 'all' in dns %}
+{% for remote in dns['all'] %}
+    by dn="{{ remote[0] }}" {{ remote[1] }}
+{% endfor %}
+{% endif %}
+{% set x=acl.__setitem__('idx', acl['idx'] + 1) %}
     by * none
- %end if
-%end for
-%if 'all' in %%dns
-olcAccess: {%%aclidx}to dn.subtree="%%ldap_account_dn"
+{% endif %}
+{% endfor %}
+{% if 'all' in dns %}
+olcAccess: { {{- acl['idx'] -}} }to dn.subtree="{{ ldap_account_dn }}"
     by self read
- %for %%remote in %%dns['all']
-    by dn="%%remote[0]" %%remote[1]
- %end for
+{% for remote in dns['all'] %}
+    by dn="{{ remote[0] }}" {{ remote[1] }}
+{% endfor %}
     by * none
-%end if
+{% endif %}
diff --git a/seed/openldap/templates/ldap.conf b/seed/openldap/templates/ldap.conf
new file mode 100644
index 0000000..3d7061b
--- /dev/null
+++ b/seed/openldap/templates/ldap.conf
@@ -0,0 +1,44 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE	dc=example,dc=com
+#URI	ldap://ldap.example.com ldap://ldap-master.example.com:666
+#>GNUNUX
+BASE {{ general.ldap.ldap_base_dn}}
+URI ldaps://{{ general.network.interface_0.domain_name_eth0 }}:636
+#<GNUNUX
+
+#SIZELIMIT	12
+#TIMELIMIT	15
+#DEREF		never
+
+# When no CA certificates are specified the Shared System Certificates
+# are in use. In order to have these available along with the ones specified
+# by TLS_CACERTDIR one has to include them explicitly:
+#TLS_CACERT	/etc/pki/tls/cert.pem
+#>GNUNUX
+TLS_CERT {{ general.tls_cert_directory }}/openldap.crt
+TLS_KEY {{ general.tls_key_directory }}/openldap.key
+TLS_CACERT {{ general.tls_ca_directory }}/LDAP.crt
+#<GNUNUX
+
+# System-wide Crypto Policies provide up to date cipher suite which should
+# be used unless one needs a finer grinded selection of ciphers. Hence, the
+# PROFILE=SYSTEM value represents the default behavior which is in place
+# when no explicit setting is used. (see openssl-ciphers(1) for more info)
+#TLS_CIPHER_SUITE PROFILE=SYSTEM
+
+# Turning this off breaks GSSAPI used with krb5 when rdns = false
+SASL_NOCANON	on
+
+#>GNUNUX
+BINDDN {{ general.ldap.ldap_user }}
+TIMELIMIT 10
+NETWORK_TIMEOUT 10
+TIMEOUT 10
+BINDPW {{ general.ldap.ldap_user_password }}
+#<GNUNUX
diff --git a/seed/openldap/templates/openldap.yml b/seed/openldap/templates/openldap.yml
index 572308b..13758cc 100644
--- a/seed/openldap/templates/openldap.yml
+++ b/seed/openldap/templates/openldap.yml
@@ -1,54 +1,54 @@
-%set %%username = "rougail_test@silique.fr"
-%set %%username_family = "rougail_test@gnunux.info"
-%set %%name_family = 'gnunux'
-%set %%familydn = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=%%name_family)
-%set %%userdn = 'cn=' + %%username + ',' +  %%calc_ldapclient_base_dn(%%ldapclient_base_dn)
-%set %%userfamilydn = 'cn=' + %%username_family + ',' + %%familydn
-address: %%ip_eth0
-admin_dn: %%ldapclient_user
-admin_password: %%ldapclient_user_password
-user_dn: %%userdn
-user_password: %%get_password(server_name='test', username=%%username, description='test', type="cleartext", hide=%%hide_secret, temporary=True)
-user_family_dn: %%userfamilydn
-user_family_password: %%get_password(server_name='test', username=%%username_family, description="test", type="cleartext", hide=%%hide_secret, temporary=True)
-base_account_dn: %%ldap_account_dn
-base_user_dn: %%ldapclient_user_dn
-base_family_dn: %%familydn
-base_group_dn: %%ldapclient_group_dn
-%for %%idx in %%range(3)
-  %set %%name = 'remote_test' + %%str(%%idx)
-remote%%idx: cn=%%name,%%ldapclient_base_dn
-remote_password%%idx: %%get_password(server_name=%%domain_name_eth0, username=%%name, description="remote account", type="cleartext", hide=%%hide_secret, temporary=True)
-%end for
+{% set username = "rougail_test@silique.fr" %}
+{% set username_family = "rougail_test@gnunux.info" %}
+{% set name_family = 'gnunux' %}
+{% set familydn = ldapclient_base_dn|calc_ldapclient_base_dn(family_name=name_family) %}
+{% set userdn = 'cn=' + username + ',' +  ldapclient_base_dn|calc_ldapclient_base_dn %}
+{% set userfamilydn = 'cn=' + username_family + ',' + familydn %}
+address: {{ general.network.ip_eth0 }}
+admin_dn: {{ ldapclient_user }}
+admin_password: {{ general.ldap.client.ldapclient_user_password }}
+user_dn: {{ userdn }}
+user_password: {{ username|get_password(server_name='test', description='test', type="cleartext", hide=hide_secret, temporary=True) }}
+user_family_dn: {{ userfamilydn }}
+user_family_password: {{ username_family|get_password(server_name='test', description="test", type="cleartext", hide=hide_secret, temporary=True)
+base_account_dn: {{ ldap_account_dn }}
+base_user_dn: {{ ldapclient_user_dn }}
+base_family_dn: {{ familydn }}
+base_group_dn: {{ ldapclient_group_dn }}
+{% for idx in range(3) %}
+{% set name = 'remote_test' + idx|string %}
+remote{{ idx }}: cn={{ name }},{{ ldapclient_base_dn }}
+remote_password{{ idx }}: {{ name|get_password(server_name=domain_name_eth0, description="remote account", type="cleartext", hide=hide_secret, temporary=True) }}
+{% endfor %}
 users:
-  %%username: %%userdn
-  %%username_family: %%userfamilydn
-%for %%user in %%accounts.users.ldap_user_mail
-  %%user: cn=%%user,%%ldapclient_user_dn
-%end for
-%for %%family in %%accounts.families
-  %set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, %%family)
-  %for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
-  %%user: cn=%%user,%%families
-  %end for
-%end for
+  {{ username }}: {{ userdn }}
+  {{ username_family }}: {{ userfamilydn }}
+{% for user in accounts.users.ldap_user_mail %}
+{{ user }}: cn={{ user }},{{ ldapclient_user_dn }}
+{% endfor %}
+{% for family in accounts.families %}
+{% set families = ldapclient_base_dn|calc_ldapclient_base_dn(family) %}
+{% for user in accounts['family_' + family]['users_' + family]['ldap_user_mail_' + family] %}
+  {{ user }}: cn={{ user }},{{ families }}
+{% endfor %}
+{% endfor %}
 groups:
   users:
-    - %%userdn
-%for %%user in %%accounts.users.ldap_user_mail
-    - cn=%%user,%%ldapclient_user_dn
-%end for
-%for %%family in %%accounts.families
-  %%family:
-  %if %%family == %%name_family
-    - %%userfamilydn
-  %end if
-  %for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
-    - cn=%%user,%%families
+    - {{ userdn }}
+{% for user in accounts.users.ldap_user_mail %}
+    - cn={{ user }},{{ ldapclient_user_dn }}
+{% endfor %}
+{% for family in accounts.families
+  {{ family }}:
+  {% if family == name_family }
+    - {{ userfamilydn }}
+  {% endif %}
+  {% for user in accounts['family_' + family]['users_' + family]['ldap_user_mail_' + family] %}
+    - cn={{ user }},{{ families }}
   %end for
 %end for
-%if 'gnunux' not in %%accounts.families
-  %set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, 'gnunux')
+{% if 'gnunux' not in accounts.families %}
+{% set families = ldapclient_base_dn|calc_ldapclient_base_dn('gnunux') %}
   gnunux:
-    - cn=rougail_test@gnunux.info,%%families
+    - cn=rougail_test@gnunux.info,{{ families }}
 %end if
diff --git a/seed/openldap/templates/replication.conf b/seed/openldap/templates/replication.conf
deleted file mode 100644
index 792d600..0000000
--- a/seed/openldap/templates/replication.conf
+++ /dev/null
@@ -1 +0,0 @@
-#
diff --git a/seed/openldap/templates/slapd.service b/seed/openldap/templates/slapd.service
index 4b9a639..49a5d7f 100644
--- a/seed/openldap/templates/slapd.service
+++ b/seed/openldap/templates/slapd.service
@@ -1,9 +1,9 @@
 [Service]
 ExecStartPre=
 ExecStartPre=-/usr/sbin/slapadd -F /etc/openldap/slapd.d -v -b cn=config -l /etc/ldap/secrets/config.ldif
-%for %%schema in %%ldap_schemas
-ExecStartPre=-/usr/sbin/slapadd -F /etc/openldap/slapd.d -v -b cn=config -l %%schema
-%end for
+{% for schema in ldap_schemas %}
+ExecStartPre=-/usr/sbin/slapadd -F /etc/openldap/slapd.d -v -b cn=config -l {{ schema }}
+{% endfor %}
 ExecStartPre=-/usr/sbin/slapadd -F /etc/openldap/slapd.d -c -v -l /etc/ldap/secrets/users.ldif
 User=ldap
 Group=ldap
@@ -11,6 +11,6 @@ ExecStart=
 # remove none tls port
 ExecStart=+/usr/sbin/slapd -u ldap -h ldaps:///
 #waiting for ldap server...
-ExecStartPost=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/localhost/%%ldap_port; do sleep 1; done'
-ExecStartPost=+-/usr/bin/ldapmodify -D %%ldapclient_user -y /usr/local/lib/secrets/admin_ldap.pwd -v -f /usr/local/lib/secrets/config_acl.ldif
-ExecStartPost=+-/usr/bin/ldapmodify -D %%ldapclient_user -y /usr/local/lib/secrets/admin_ldap.pwd -v -f /usr/local/lib/secrets/users_mod.ldif
+ExecStartPost=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/localhost/636; do sleep 1; done'
+ExecStartPost=+-/usr/bin/ldapmodify -D {{ ldap_user }} -y /usr/local/lib/secrets/admin_ldap.pwd -v -f /usr/local/lib/secrets/config_acl.ldif
+ExecStartPost=+-/usr/bin/ldapmodify -D {{ ldap_user }} -y /usr/local/lib/secrets/admin_ldap.pwd -v -f /usr/local/lib/secrets/users_mod.ldif
diff --git a/seed/openldap/templates/tmpfile-openldap-server.conf b/seed/openldap/templates/tmpfile-openldap-server.conf
index 97c2bc1..40b2157 100644
--- a/seed/openldap/templates/tmpfile-openldap-server.conf
+++ b/seed/openldap/templates/tmpfile-openldap-server.conf
@@ -1,3 +1,3 @@
 d /srv/openldap 700 ldap ldap - -
-d %%db_log_directory 700 ldap ldap - -
+d {{ general.ldap.db_environment.db_log_directory }} 700 ldap ldap - -
 d /etc/openldap/slapd.d 750 ldap ldap - -
diff --git a/seed/openldap/templates/users.ldif b/seed/openldap/templates/users.ldif
index c0af69f..3cef508 100644
--- a/seed/openldap/templates/users.ldif
+++ b/seed/openldap/templates/users.ldif
@@ -1,108 +1,108 @@
-%set %%add_test = True
-%set %%username="rougail_test@silique.fr"
-%set %%username_family="rougail_test@gnunux.info"
-%set %%name_family="gnunux"
+{% set add_test = True %}
+{% set username="rougail_test@silique.fr" %}
+{% set username_family="rougail_test@gnunux.info" %}
+{% set name_family="gnunux" %}
 # BaseDN
-%set groups = {}
-dn: %%ldapclient_base_dn
-%set %%attribute, %%organization = %%ldapclient_base_dn.split(',', 1)[0].split('=')
-%%attribute: %%organization
+{% set groups = {} %}
+dn: {{ general.ldap.ldap_base_dn }}
+{% set attribute, organization = ldap_base_dn.split(',', 1)[0].split('=') %}
+{{ attribute }}: {{ organization }}
 objectClass: top
-%if %%attribute == 'o'
+{% if attribute == 'o' %}
 objectClass: organization
-%else
+{% else %}
 objectClass: organizationalUnit
-%end if
+{% endif %}
 
 # Remote
-%set %%acc = []
-%for %%idx in %%range(3)
-  %set %%name = 'remote_test' + %%str(%%idx)
-%%acc.append(('cn=' + %%name + ',' + %%ldapclient_base_dn, %%name, %%get_password(server_name=%%domain_name_eth0, username=%%name, description="remote account", type="cleartext", hide=%%hide_secret, temporary=True)))%slurp
-%end for
-%for %%remote in %%accounts.remotes
- %set %%name = %%normalize_family(%%remote)
-%%acc.append((%%accounts['remote_' + %%name]['dn_' + %%name], %%remote, %%accounts['remote_' + %%name]['password_' + %%name]))%slurp
-%end for
-%for %%dn, %%remote, %%password in %%acc
-dn: %%dn
-cn: %%remote
-sn: %%remote
-uid: %%remote
-userPassword:: %%ssha_encode(%%password)
+{% set acc = [] %}
+{% for idx in range(3) %}
+{% set name = 'remote_test' + idx|string %}
+{{ acc.append(('cn=' + name + ',' + ldap_base_dn, name, name|get_password(server_name=domain_name_eth0, description="remote account", type="cleartext", hide=hide_secret, temporary=True))) }}
+{% endfor %}
+{% for remote in accounts.remotes %}
+{% set name = remote|normalize_family %}
+{{ acc.append((accounts['remote_' + name]['dn_' + name], remote, accounts['remote_' + name]['password_' + name])) }}
+{% endfor %}
+{% for dn, remote, password in acc %}
+dn: {{ dn }}
+cn: {{ remote }}
+sn: {{ remote }}
+uid: {{ remote }}
+userPassword:: {{ password|ssha_encode }}
 objectClass: top
 objectClass: inetOrgPerson
 
-%end for
+{% endfor %}
 # Accounts
-dn: %%ldap_account_dn
+dn: {{ ldap_account_dn }}
 ou: accounts
 objectClass: top
 objectClass: organizationalUnit
 
 ## Accounts users
-%set %%users = %%ldapclient_user_dn
-dn: %%users
+{% set users = ldap_user_dn %}
+dn: {{ users }}
 ou: users
 objectClass: top
 objectClass: organizationalUnit
 
-%set %%userdn = 'cn=' + %%username + ',' + %%calc_ldapclient_base_dn(%%ldapclient_base_dn)
-%set %%userfamilydn = 'cn=' + %%username_family + ',' + %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=%%name_family)
-%set %%acc = [(%%userdn, %%username, %%get_password(server_name='test', username=%%username, description="test", type="cleartext", hide=%%hide_secret, temporary=True), 'Rougail', 'Test', 'rougail_test', [], 'users'),
-              (%%userfamilydn, %%username_family, %%get_password(server_name='test', username=%%username_family, description='test', type="cleartext", hide=%%hide_secret, temporary=True), 'Rougail', 'Test', 'rougail_test_gnunux', [], %%name_family),
-              ]
-%set %%groups['users'] = [%%userdn]
-%set %%groups[%%name_family] = [%%userfamilydn]
-%for %%user in %%accounts.users.ldap_user_mail
-%set %%userdn = "cn=" + %%user + "," + %%users
-%%acc.append((%%userdn, %%user, %%user.ldap_user_password, %%user.ldap_user_sn, %%user.ldap_user_gn, %%user.ldap_user_uid, %%user.ldap_user_aliases, 'users'))%slurp
-%%groups.setdefault('users', []).append(%%userdn)%slurp
-%end for
+{% set userdn = 'cn=' + username + ',' + ldap_base_dn|calc_ldapclient_base_dn %}
+{% set userfamilydn = 'cn=' + username_family + ',' + ldap_base_dn|calc_ldapclient_base_dn(family_name=name_family) %}
+{% set acc = [(userdn, username, username|get_password(server_name='test', description="test", type="cleartext", hide=hide_secret, temporary=True), 'Rougail', 'Test', 'rougail_test', [], 'users'),
+              (userfamilydn, username_family, username_family|get_password(server_name='test', description='test', type="cleartext", hide=hide_secret, temporary=True), 'Rougail', 'Test', 'rougail_test_gnunux', [], name_family),
+              ] %}
+{% set x=groups.__setitem__('users', [userdn]) %}
+{% set x=groups.__setitem__(name_family, [userfamilydn]) %}
+{% for user in accounts.users.ldap_user_mail %}
+{% set userdn = "cn=" + user + "," + users %}
+{{ acc.append((userdn, user, user.ldap_user_password, user.ldap_user_sn, user.ldap_user_gn, user.ldap_user_uid, user.ldap_user_aliases, 'users')) }}
+{{ groups.setdefault('users', []).append(userdn) }}
+{% endfor %}
 ## Families
-dn: %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name='-')
+dn: {{ ldap_base_dn|calc_ldapclient_base_dn(family_name='-') }}
 ou: families
 objectClass: top
 objectClass: organizationalUnit
 
-%def add_family(%%family, %%families)
-dn: %%families
-ou: %%family
+{% macro add_family(family, families) %}
+dn: {{ families }}
+ou: {{ family }}
 objectClass: top
 objectClass: organizationalUnit
-%end def
-%if %%add_test and 'gnunux' not in %%accounts.families
-  %set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name='gnunux')
-%%add_family('gnunux', %%families)
-%end if
-%for %%family in %%accounts.families
-  %set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=%%family)
-%%add_family(%%family, %%families)
-  %for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
-%set %%userdn = "cn=" + %%user + "," + %%families
-%%groups.setdefault(%%family, []).append(%%userdn)%slurp
-%%acc.append((%%userdn, %%user, %%user['ldap_user_password_' + %%family], %%user['ldap_user_sn_' + %%family], %%user['ldap_user_gn_' + %%family], %%user['ldap_user_uid_' + %%family], %%user['ldap_user_aliases_' + %%family], %%family))%slurp
-  %end for
-%end for
-%for %%userdn, %%user, %%password, %%sn, %%gn, %%uid, %%aliases, %%family in %%acc
-dn: %%userdn
-cn: %%user
-mail: %%user
-sn: %%sn
-givenName: %%gn
-uid: %%uid
-userPassword:: %%ssha_encode(%%password)
-%if %%family == 'users'
-homeDirectory: /srv/home/users/%%user
-%else
-homeDirectory: /srv/home/families/%%family/%%user
-%end if
-mailLocalAddress: %%user
-  %if %%aliases
-    %for %%alias in %%aliases
-mailLocalAddress: %%alias
-    %end for
-  %end if
+{% endmacro %}
+{% if add_test and 'gnunux' not in accounts.families %}
+{% set families = ldap_base_dn|calc_ldapclient_base_dn(family_name='gnunux') %}
+{{ add_family('gnunux', families) }}
+{% endif %}
+{% for family in accounts.families %}
+{% set families = ldap_base_dn|calc_ldapclient_base_dn(family_name=family) %}
+{{ add_family(family, families) }}
+{% for user in accounts['family_' + family]['users_' + family]['ldap_user_mail_' + family] %}
+{% set userdn = "cn=" + user + "," + families %}
+{{ groups.setdefault(family, []).append(userdn) }}
+{{ acc.append((userdn, user, user['ldap_user_password_' + family], user['ldap_user_sn_' + family], user['ldap_user_gn_' + family], user['ldap_user_uid_' + family], user['ldap_user_aliases_' + family], family)) }}
+{% endfor %}
+{% endfor %}
+{% for userdn, user, password, sn, gn, uid, aliases, family in acc %}
+dn: {{ userdn }}
+cn: {{ user }}
+mail: {{ user }}
+sn: {{ sn }}
+givenName: {{ gn }}
+uid: {{ uid }}
+userPassword:: {{ password|ssha_encode }}
+{% if family == 'users' %}
+homeDirectory: /srv/home/users/{{ user }}
+{% else %}
+homeDirectory: /srv/home/families/{{ family }}/{{ user }}
+{% endif %}
+mailLocalAddress: {{ user }}
+{% if aliases %}
+{% for alias in aliases %}
+mailLocalAddress: {{ alias }}
+{% endfor %}
+{% endif %}
 uidNumber: 0
 gidNumber: 0
 objectClass: top
@@ -110,21 +110,21 @@ objectClass: inetOrgPerson
 objectClass: posixAccount
 objectClass: inetLocalMailRecipient
 
-%end for
+{% endfor %}
 ## Groups
-%set %%groupdn = %%ldapclient_group_dn
-dn: %%groupdn
+{% set groupdn = ldap_group_dn %}
+dn: {{ groupdn }}
 ou: groups
 objectClass: top
 objectClass: organizationalUnit
 
-%for %%group, %%members in %%groups.items()
-dn: cn=%%group,%%groupdn
-cn: %%group
+{% for group, members in groups.items() %}
+dn: cn={{ group }},{{ groupdn }}
+cn: {{ group }}
 objectclass: top
 objectclass: groupOfNames
- %for %%member in %%members
-member: %%member
- %end for
+{% for member in members %}
+member: {{ member }}
+{% endfor %}
 
-%end for
+{% endfor %}
diff --git a/seed/openldap/templates/users_mod.ldif b/seed/openldap/templates/users_mod.ldif
index 2d702fa..32fe73a 100644
--- a/seed/openldap/templates/users_mod.ldif
+++ b/seed/openldap/templates/users_mod.ldif
@@ -1,69 +1,69 @@
-%set %%username="rougail_test@silique.fr"
-%set %%username_family="rougail_test@gnunux.info"
-%set %%name_family="gnunux"
+{% set username="rougail_test@silique.fr" %}
+{% set username_family="rougail_test@gnunux.info" %}
+{% set name_family="gnunux" %}
 # Remote
-%set %%acc = []
-%for %%idx in %%range(3)
-  %set %%name = 'remote_test' + %%str(%%idx)
-%%acc.append(('cn=' + %%name + ',' + %%ldapclient_base_dn, %%get_password(server_name=%%domain_name_eth0, username=%%name, description="remote account", type="cleartext", hide=%%hide_secret, temporary=True)))%slurp
-%end for
-%for %%remote in %%accounts.remotes
- %set %%name = %%normalize_family(%%remote)
-%%acc.append((%%accounts['remote_' + %%name]['dn_' + %%name], %%accounts['remote_' + %%name]['password_' + %%name]))%slurp
-%end for
-%for %%dn, %%password in %%acc
-dn: %%dn
+{% set acc = [] %}
+{% for idx in range(3) %}
+{% set name = 'remote_test' + idx|string %}
+{{ acc.append(('cn=' + name + ',' + ldap_base_dn, name|get_password(server_name=domain_name_eth0, description="remote account", type="cleartext", hide=hide_secret, temporary=True))) }}
+{% endfor %}
+{% for remote in accounts.remotes %}
+{% set name = remote|normalize_family %}
+{{ acc.append((accounts['remote_' + name]['dn_' + name], accounts['remote_' + name]['password_' + name])) }}
+{% endfor %}
+{% for dn, password in acc %}
+dn: {{ dn }}
 changetype: modify
 replace: userPassword
-userPassword:: %%ssha_encode(%%password)
+userPassword:: {{ password|ssha_encode }}
 
-%end for
+{% endfor %}
 # Users
-%set %%userdn = 'cn=' + %%username + ',' + %%calc_ldapclient_base_dn(%%ldapclient_base_dn)
-%set %%userfamilydn = 'cn=' + %%username_family + ',' + %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=%%name_family)
-%set %%acc = [(%%userdn, %%username, ['alias_' + %%username]),
-              (%%userfamilydn, %%username_family, ['alias_' + %%username_family]),
-              ]
-%set groups = {'users': [%%userdn],
-               %%name_family: [%%userfamilydn],
-			   }
-%set %%users = %%ldapclient_user_dn
-%for %%user in %%accounts.users.ldap_user_mail
-%set %%userdn = 'cn=' + %%user + ',' + %%users
-%%groups['users'].append(%%userdn)%slurp
-%%acc.append((%%userdn, %%user, %%user.ldap_user_aliases))%slurp
-%end for
-%for %%family in %%accounts.families
-  %set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, %%family)
-  %for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
-%set %%userdn = 'cn=' + %%user + ',' + %%families
-%%groups.setdefault(%%family, []).append(%%userdn)%slurp
-%%acc.append((%%userdn, %%user, %%user['ldap_user_aliases_' + %%family]))%slurp
-  %end for
-%end for
-%for %%userdn, %%user, %%aliases in %%acc
-dn: %%userdn
+{% set userdn = 'cn=' + username + ',' + ldap_base_dn|calc_ldapclient_base_dn %}
+{% set userfamilydn = 'cn=' + username_family + ',' + ldap_base_dn|calc_ldapclient_base_dn(family_name=name_family) %}
+{% set acc = [(userdn, username, ['alias_' + username]),
+              (userfamilydn, username_family, ['alias_' + username_family]),
+              ] %}
+{% set groups = {'users': [userdn],
+                 name_family: [userfamilydn],
+  	             } %}
+{% set users = ldap_user_dn %}
+{% for user in accounts.users.ldap_user_mail %}
+{% set userdn = 'cn=' + user + ',' + users %}
+{{ groups['users'].append(userdn) }}
+{{ acc.append((userdn, user, user.ldap_user_aliases)) }}
+{% endfor %}
+{% for family in accounts.families %}
+{% set families = ldap_base_dn|calc_ldapclient_base_dn(family) %}
+{% for user in accounts['family_' + family]['users_' + family]['ldap_user_mail_' + family] %}
+{% set userdn = 'cn=' + user + ',' + families %}
+{{ groups.setdefault(family, []).append(userdn) }}
+{{ acc.append((userdn, user, user['ldap_user_aliases_' + family])) }}
+{% endfor %}
+{% endfor %}
+{% for userdn, user, aliases in acc %}
+dn: {{ userdn }}
 changetype: modify
 #add: objectClass
 #objectClass: inetLocalMailRecipient
 #-
 replace: mailLocalAddress
-mailLocalAddress: %%user
-  %if %%aliases
-    %for %%alias in %%aliases
-mailLocalAddress: %%alias
-    %end for
-  %end if
+mailLocalAddress: {{ user }}
+{% if aliases %}
+{% for alias in aliases %}
+mailLocalAddress: {{ alias }}
+{% endfor %}
+{% endif %}
 
-%end for
+{% endfor %}
 # Groups
-%set %%groupdn = %%ldapclient_group_dn
-%for %%group, %%members in %%groups.items()
-dn: cn=%%group,%%groupdn
+{% set groupdn = ldap_group_dn %}
+{% for group, members in groups.items() %}
+dn: cn={{ group }},{{ groupdn }}
 changetype: modify
 replace: member
- %for %%member in %%members
-member: %%member
- %end for
+{% for member in members %}
+member: {{ member }}
+{% endfor %}
 
-%end for
+{% endfor %}
diff --git a/seed/peertube/dictionaries/30_peertube.xml b/seed/peertube/dictionaries/30_peertube.xml
index 32e85b9..13e7000 100644
--- a/seed/peertube/dictionaries/30_peertube.xml
+++ b/seed/peertube/dictionaries/30_peertube.xml
@@ -2,12 +2,12 @@
 <rougail version="0.10">
   <services>
     <service name="peertube" target="multi-user">
-      <override/>
+      <override engine="ansible"/>
       <file engine="none" source="sysuser-peertube.conf">/sysusers.d/0peertube.conf</file>
       <file engine="none" source="tmpfile-peertube.conf">/tmpfiles.d/0peertube.conf</file>
-      <file>/etc/peertube/production.yaml</file>
-      <file source="nginx.peertube.conf">/etc/nginx/default.d/peertube.conf</file>
-      <file source="nginx.peertube.conf.d.conf">/etc/nginx/conf.d/peertube.conf</file>
+      <file engine="ansible">/etc/peertube/production.yaml</file>
+      <file engine="ansible" source="nginx.peertube.conf">/etc/nginx/default.d/peertube.conf</file>
+      <file engine="ansible" source="nginx.peertube.conf.d.conf">/etc/nginx/conf.d/peertube.conf</file>
     </service>
   </services>
   <variables>
@@ -47,7 +47,7 @@
     </family>
     <family name="nginx">
       <variable name="nginx_root" redefine='True'>
-	<value>/usr/share/peertube</value>
+        <value>/usr/share/peertube</value>
       </variable>
     </family>
     <family name="revprox">
diff --git a/seed/peertube/templates/nginx.peertube.conf b/seed/peertube/templates/nginx.peertube.conf
index 0f1fcf9..70ffe08 100644
--- a/seed/peertube/templates/nginx.peertube.conf
+++ b/seed/peertube/templates/nginx.peertube.conf
@@ -16,14 +16,14 @@
 # GNUNUX   location / { return 301 https://$host$request_uri; }
 # GNUNUX }
 
-# GNUNUX upstream %%domain_name_eth0 {
+# GNUNUX upstream {{ general.network.interface_0.domain_name_eth0 }} {
 # GNUNUX   server ${PEERTUBE_HOST};
 # GNUNUX }
 
 # GNUNUX server {
 # GNUNUX   listen 443 ssl http2;
 # GNUNUX   listen [::]:443 ssl http2;
-# GNUNUX   server_name %%domain_name_eth0;
+# GNUNUX   server_name {{ general.network.interface_0.domain_name_eth0 }};
 
 # GNUNUX  access_log /var/log/nginx/peertube.access.log; # reduce I/0 with buffer=10m flush=5m
 # GNUNUX  error_log  /var/log/nginx/peertube.error.log;
@@ -62,7 +62,7 @@
 
   location @api {
 #    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header Host            %%revprox_client_external_domainnames[0];
+    proxy_set_header Host            {{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }};
 #    proxy_set_header X-Real-IP       $remote_addr;
 
     client_max_body_size  100k; # default is 1M
@@ -72,7 +72,7 @@
     proxy_read_timeout    10m;
     send_timeout          10m;
 
-    proxy_pass http://%%domain_name_eth0;
+    proxy_pass http://{{ general.network.interface_0.domain_name_eth0 }};
   }
 
   location / {
@@ -113,12 +113,12 @@
   location @api_websocket {
     proxy_http_version 1.1;
 #    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
-    proxy_set_header   Host            %%revprox_client_external_domainnames[0];
+    proxy_set_header   Host            {{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }};
 #    proxy_set_header   X-Real-IP       $remote_addr;
 #    proxy_set_header   Upgrade         $http_upgrade;
 #    proxy_set_header   Connection      "upgrade";
 
-    proxy_pass http://%%domain_name_eth0;
+    proxy_pass http://{{ general.network.interface_0.domain_name_eth0 }};
   }
 
   location /socket.io {
diff --git a/seed/peertube/templates/nginx.peertube.conf.d.conf b/seed/peertube/templates/nginx.peertube.conf.d.conf
index f4183bb..768776c 100644
--- a/seed/peertube/templates/nginx.peertube.conf.d.conf
+++ b/seed/peertube/templates/nginx.peertube.conf.d.conf
@@ -1,4 +1,4 @@
-upstream %%domain_name_eth0 {
+upstream {{ general.network.interface_0.domain_name_eth0 }} {
 # GNUNUX  server ${PEERTUBE_HOST};
   server localhost:9000;
 }
diff --git a/seed/peertube/templates/peertube.service b/seed/peertube/templates/peertube.service
index 510d9fa..5a9cf53 100644
--- a/seed/peertube/templates/peertube.service
+++ b/seed/peertube/templates/peertube.service
@@ -1,5 +1,5 @@
 [Service]
 Environment=PGPASSFILE=/usr/local/lib/secrets/postgresql.pass
-ExecStartPost=+/usr/bin/timeout 90 sh -c 'while ! /usr/bin/psql --set=sslmode=verify-full -h %%pg_client_server_domainname -U %%pg_client_username %%pg_client_database -c "SELECT * FROM plugin;"; do sleep 1; done'
-ExecStartPost=+/usr/bin/psql --set=sslmode=verify-full -h %%pg_client_server_domainname -U %%pg_client_username %%pg_client_database -c "DELETE FROM plugin;"
-ExecStartPost=+/usr/bin/psql --set=sslmode=verify-full -h %%pg_client_server_domainname -U %%pg_client_username %%pg_client_database -c "INSERT INTO plugin (name, type, version, enabled, uninstalled, \"peertubeEngine\", description, homepage, settings, \"createdAt\", \"updatedAt\") VALUES ('auth-openid-connect', '1', '0.1.0', true, false, '>=2.2.0', 'Add OpenID connect support to login form in PeerTube.', 'https://framagit.org/framasoft/peertube/official-plugins/tree/master/peertube-plugin-auth-openid-connect', '{\"scope\": \"openid email profile\", \"client-id\": \"%%oauth2_client_id\", \"discover-url\": \"https://%%oauth2_client_server_domainname/.well-known/openid-configuration\", \"client-secret\": \"%%oauth2_client_secret\", \"mail-property\": \"email\", \"auth-display-name\": \"OpenID Connect\", \"username-property\": \"nickname\", \"signature-algorithm\": \"%%oauth2_client_token_signature_algo\", \"display-name-property\": \"email\"}', '2022-04-05 18:12:34.832+02', '2022-04-05 18:12:34.832+02')"
+ExecStartPost=+/usr/bin/timeout 90 sh -c 'while ! /usr/bin/psql --set=sslmode=verify-full -h {{ general.postgresql.pg_client_server_domainname }} -U {{ general.postgresql.pg_client_username }} {{ general.postgresql.pg_client_database }} -c "SELECT * FROM plugin;"; do sleep 1; done'
+ExecStartPost=+/usr/bin/psql --set=sslmode=verify-full -h {{ general.postgresql.pg_client_server_domainname }} -U {{ general.postgresql.pg_client_username }} {{ general.postgresql.pg_client_database }} -c "DELETE FROM plugin;"
+ExecStartPost=+/usr/bin/psql --set=sslmode=verify-full -h {{ general.postgresql.pg_client_server_domainname }} -U {{ general.postgresql.pg_client_username }} {{ general.postgresql.pg_client_database }} -c "INSERT INTO plugin (name, type, version, enabled, uninstalled, \"peertubeEngine\", description, homepage, settings, \"createdAt\", \"updatedAt\") VALUES ('auth-openid-connect', '1', '0.1.0', true, false, '>=2.2.0', 'Add OpenID connect support to login form in PeerTube.', 'https://framagit.org/framasoft/peertube/official-plugins/tree/master/peertube-plugin-auth-openid-connect', '{\"scope\": \"openid email profile\", \"client-id\": \"{{ general.oauth2_client.oauth2_client_id }}\", \"discover-url\": \"https://{{ general.oauth2_client.oauth2_client_server_domainname }}/.well-known/openid-configuration\", \"client-secret\": \"{{ general.oauth2_client.oauth2_client_secret }}\", \"mail-property\": \"email\", \"auth-display-name\": \"OpenID Connect\", \"username-property\": \"nickname\", \"signature-algorithm\": \"{{ general.oauth2_client.oauth2_client_token_signature_algo }}\", \"display-name-property\": \"email\"}', '2022-04-05 18:12:34.832+02', '2022-04-05 18:12:34.832+02')"
diff --git a/seed/peertube/templates/production.yaml b/seed/peertube/templates/production.yaml
index a51e9c9..7de3219 100644
--- a/seed/peertube/templates/production.yaml
+++ b/seed/peertube/templates/production.yaml
@@ -1,6 +1,3 @@
-%compiler-settings
-commentStartToken = §
-%end compiler-settings
 listen:
   hostname: 'localhost'
   port: 9000
@@ -8,7 +5,7 @@ listen:
 # Correspond to your reverse proxy server_name/listen configuration (i.e., your public PeerTube instance URL)
 webserver:
   https: true
-  hostname: '%%revprox_client_external_domainnames[0]'
+  hostname: '{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}'
   port: 443
 
 rates_limit:
@@ -41,13 +38,13 @@ trust_proxy:
 
 # Your database name will be database.name OR 'peertube'+database.suffix
 database:
-  hostname: '%%pg_client_server_domainname'
+  hostname: '{{ general.postgresql.pg_client_server_domainname }}'
   port: 5432
   ssl: true
   suffix: '_prod'
-  name: '%%pg_client_database'
-  username: '%%pg_client_username'
-  password: '%%pg_client_password'
+  name: '{{ general.postgresql.pg_client_database }}'
+  username: '{{ general.postgresql.pg_client_username }}'
+  password: '{{ general.postgresql.pg_client_password }}'
   pool:
     max: 5
 
@@ -55,9 +52,9 @@ database:
 # You can also specify a 'socket' path to a unix socket but first need to
 # set 'hostname' and 'port' to null
 redis:
-  hostname: '%%redis_client_server_domainname'
+  hostname: '{{ general.redis.redis_client_server_domainname }}'
   port: 6379
-  auth: '%%redis_client_password'
+  auth: '{{ general.redis.redis_client_password }}'
   db: 0
 
 # SMTP server to send emails
@@ -66,14 +63,14 @@ smtp:
   transport: smtp
   # Path to sendmail command. Required if you use sendmail transport
   sendmail: null
-  hostname: '%%smtp_relay_address'
+  hostname: '{{ general.smtp.smtp_relay_address }}'
   port: 25 # If you use StartTLS: 587
-  username: '%%smtp_relay_user'
-  password: '%%smtp_relay_password'
+  username: '{{ general.smtp.smtp_relay_user }}'
+  password: '{{ general.smtp.smtp_relay_password }}'
   tls: false # If you use StartTLS: false
   disable_starttls: false
-  ca_file: '%%tls_ca_directory/InternalMail.crt' # Used for self signed certificates
-  from_address: '%%peertube_admin_email'
+  ca_file: '{{ general.tls_ca_directory }}/InternalMail.crt' # Used for self signed certificates
+  from_address: '{{ general.peertube.peertube_admin_email }}'
 
 email:
   body:
@@ -374,7 +371,7 @@ cache:
 admin:
   # Used to generate the root user at first startup
   # And to receive emails from the contact form
-  email: '%%peertube_admin_email'
+  email: '{{ general.peertube.peertube_admin_email }}'
 
 contact_form:
   enabled: true
@@ -598,8 +595,8 @@ auto_blacklist:
 # Instance settings
 instance:
   name: 'PeerTube'
-  short_description: '%%peertube_short_description'
-  description: '%%peertube_description' # Support markdown
+  short_description: '{{ general.peertube.peertube_short_description }}'
+  description: '{{ general.peertube.peertube_description }}' # Support markdown
   terms: 'No terms for now.' # Support markdown
   code_of_conduct: '' # Supports markdown
 
diff --git a/seed/php-fpm/dictionaries/20_phpfpm.xml b/seed/php-fpm/dictionaries/20_phpfpm.xml
index 6eab830..7856d6b 100644
--- a/seed/php-fpm/dictionaries/20_phpfpm.xml
+++ b/seed/php-fpm/dictionaries/20_phpfpm.xml
@@ -3,9 +3,9 @@
   <services>
     <service name="php-fpm">
       <file engine="none">/etc/php-fpm.conf</file>
-      <file>/etc/php-fpm.d/www.conf</file>
+      <file engine="ansible">/etc/php-fpm.d/www.conf</file>
       <file engine="none" source="sysuser-phpfpm.conf">/sysusers.d/phpfpm.conf</file>
-      <file source="tmpfile-phpfpm.conf">/tmpfiles.d/0phpfpm.conf</file>
+      <file engine="ansible" source="tmpfile-phpfpm.conf">/tmpfiles.d/0phpfpm.conf</file>
     </service>
   </services>
   <variables>
diff --git a/seed/php-fpm/templates/tmpfile-phpfpm.conf b/seed/php-fpm/templates/tmpfile-phpfpm.conf
index 702c861..d223eb8 100644
--- a/seed/php-fpm/templates/tmpfile-phpfpm.conf
+++ b/seed/php-fpm/templates/tmpfile-phpfpm.conf
@@ -1 +1 @@
-d /var/lib/php/session 770 root %%php_fpm_user - -
+d /srv/session 770 root {{ general.nginx.php_fpm_user }} - -
diff --git a/seed/php-fpm/templates/www.conf b/seed/php-fpm/templates/www.conf
index 4234882..5569da4 100644
--- a/seed/php-fpm/templates/www.conf
+++ b/seed/php-fpm/templates/www.conf
@@ -23,12 +23,12 @@
 ; RPM: apache user chosen to provide access to the same directories as httpd
 ;>GNUNUX
 ;user = apache
-user = %%php_fpm_user
+user = {{ general.nginx.php_fpm_user }}
 ;<GNUNUX
 ; RPM: Keep a group allowed to write in log dir.
 ;>GNUNUX
 ;group = apache
-group = %%php_fpm_user
+group = {{ general.nginx.php_fpm_user }}
 ;<GNUNUX
 
 ; The address on which to accept FastCGI requests.
@@ -60,7 +60,7 @@ listen = /run/php-fpm/www.sock
 ; When set, listen.owner and listen.group are ignored
 ;>GNUNUX
 ;listen.acl_users = apache,nginx
-listen.acl_users = %%php_fpm_user
+listen.acl_users = {{ general.nginx.php_fpm_user }}
 ;<GNUNUX
 ;listen.acl_groups =
 
@@ -317,12 +317,12 @@ pm.max_spare_servers = 35
 ;      it can accept a strftime(3) format:
 ;      %d/%b/%Y:%H:%M:%S %z (default)
 ;      The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
-;      e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
+;      e.g. for a ISO8601 formatted timestring, use: %{ %Y-%m-%dT%H:%M:%S%z}t
 ;  %T: time the log has been written (the request has finished)
 ;      it can accept a strftime(3) format:
 ;      %d/%b/%Y:%H:%M:%S %z (default)
 ;      The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
-;      e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
+;      e.g. for a ISO8601 formatted timestring, use: %{ %Y-%m-%dT%H:%M:%S%z}t
 ;  %u: remote user
 ;
 ; Default: "%R - %u %t \"%m %r\" %s"
@@ -448,13 +448,13 @@ php_admin_flag[log_errors] = on
 ; See warning about choosing the location of these directories on your system
 ; at http://php.net/session.save-path
 ;<GNUNUX
-%if not %%getVar('redis_client_server_domainname', None)
+{% if not 'redis' in general %}
 php_value[session.save_handler] = files
-php_value[session.save_path]    = /var/lib/php/session
-%else
+php_value[session.save_path]    = /srv/session
+{% else %}
 php_value[session.save_handler] = redis
-;php_value[session.save_path]    = "tcp://%%redis_client_server_domainname:6379?auth[user]=%%redis_client_username&auth[pass]=%%redis_client_password"
-%end if
+;php_value[session.save_path]    = "tcp://{{ general.redis.redis_client_server_domainname }}:6379?auth[user]={{ general.redis.redis_client_username }}&auth[pass]={{ general.redis.redis_client_password }}&auth[database]={{ general.redis.redis_client_index }}"
+{% endif %}
 ;>GNUNUX
 php_value[soap.wsdl_cache_dir]  = /var/lib/php/wsdlcache
 ;php_value[opcache.file_cache]  = /var/lib/php/opcache
diff --git a/seed/php/DEBUG.md b/seed/php/DEBUG.md
index 0282a15..b51c138 100644
--- a/seed/php/DEBUG.md
+++ b/seed/php/DEBUG.md
@@ -1,6 +1,8 @@
 Test une session avec redis
 ============================
 
+Devrait être incrémental :
+
 <?php
 session_id('jlnp3nfrq92ffquipn4534ojbe');
 session_start();
diff --git a/seed/php/dictionaries/20_php.xml b/seed/php/dictionaries/20_php.xml
index 7246925..026882e 100644
--- a/seed/php/dictionaries/20_php.xml
+++ b/seed/php/dictionaries/20_php.xml
@@ -2,7 +2,7 @@
 <rougail version="0.10">
   <services>
     <service name="php" manage="False">
-      <file>/etc/php.ini</file>
+      <file engine="ansible">/etc/php.ini</file>
     </service>
   </services>
   <variables>
diff --git a/seed/php/templates/php.ini b/seed/php/templates/php.ini
index b1015ba..3657cbb 100644
--- a/seed/php/templates/php.ini
+++ b/seed/php/templates/php.ini
@@ -226,9 +226,9 @@ precision = 14
 ; Development Value: 4096
 ; Production Value: 4096
 ; https://php.net/output-buffering
-%if %%php_enable_output_buffering
+{% if general.php.php_enable_output_buffering %}
 output_buffering = 4096
-%end if
+{% endif %}
 
 ; You can redirect all of the output of your scripts to a function.  For
 ; example, if you set output_handler to "mb_output_handler", character
@@ -325,11 +325,11 @@ serialize_precision = -1
 ; This directive allows you to disable certain functions.
 ; It receives a comma-delimited list of function names.
 ; https://php.net/disable-functions
-%if %%php_disable_pcntl
+{% if general.php.php_disable_pcntl %}
 disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,
-%else
+{% else %}
 disable_functions =
-%end if
+{% endif %}
 
 ; This directive allows you to disable certain classes.
 ; It receives a comma-delimited list of class names.
@@ -420,7 +420,7 @@ expose_php = Off
 ; Note: This directive is hardcoded to 0 for the CLI SAPI
 ;>GNUNUX
 ;max_execution_time = 30
-max_execution_time = %%php_max_execution_time
+max_execution_time = {{ general.php.php_max_execution_time }}
 ;<GNUNUX
 
 ; Maximum amount of time each script may spend parsing request data. It's a good
@@ -433,7 +433,7 @@ max_execution_time = %%php_max_execution_time
 ; https://php.net/max-input-time
 ;>GNUNUX
 ;max_input_time = 60
-max_input_time = %%php_max_input_time
+max_input_time = {{ general.php.php_max_input_time }}
 ;<GNUNUX
 
 ; Maximum input variable nesting level
@@ -447,7 +447,7 @@ max_input_time = %%php_max_input_time
 ; https://php.net/memory-limit
 ;>GNUNUX
 ;memory_limit = 128M
-memory_limit = %%{php_memory_limit}M
+memory_limit = {{ general.php.php_memory_limit }}M
 ;<GNUNUX
 
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@@ -521,11 +521,11 @@ error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
 ; Development Value: On
 ; Production Value: Off
 ; https://php.net/display-errors
-%if %%php_display_errors
+{% if general.php.php_display_errors %}
 display_errors = On
-%else
+{% else %}
 display_errors = Off
-%end if
+{% endif %}
 
 ; The display of errors which occur during PHP's startup sequence are handled
 ; separately from display_errors. We strongly recommend you set this to 'off'
@@ -725,7 +725,7 @@ auto_globals_jit = On
 ; https://php.net/post-max-size
 ;>GNUNUX
 ;post_max_size = 8M
-post_max_size = %%{php_post_max_size}M
+post_max_size = {{ general.php.php_post_max_size }}M
 ;<GNUNUX
 
 ; Automatically add files before PHP document.
@@ -880,7 +880,7 @@ file_uploads = On
 ; https://php.net/upload-max-filesize
 ;>GNUNUX
 ;upload_max_filesize = 2M
-upload_max_filesize = %%{php_upload_max_filesize}M
+upload_max_filesize = {{ general.php.php_upload_max_filesize }}M
 ;<GNUNUX
 
 ; Maximum number of files that can be uploaded via a single request
@@ -963,7 +963,7 @@ cli_server.color = On
 ; https://php.net/date.timezone
 ;date.timezone =
 ;>GNUNUX
-date.timezone = "%%time_zone"
+date.timezone = "{{ general.php.time_zone }}"
 ;<GNUNUX
 
 ; https://php.net/date.default-latitude
@@ -1258,22 +1258,22 @@ bcmath.scale = 0
 [browscap]
 ; https://php.net/browscap
 ;browscap = extra/browscap.ini
-%if %%php_browscap
+{% if general.php.php_browscap %}
 browscap = /etc/php/extra/browscap.ini
-%end if
+{% endif %}
 
 [Session]
 ; Handler used to store/retrieve data.
 ; https://php.net/session.save-handler
 ;>GNUNUX
-%if not %%getVar('redis_client_server_domainname', None)
+{% if not 'redis' in general %}
 session.save_handler = files
-%else
+{% else %}
 session.save_handler = redis
-session.save_path    = "tcp://%%redis_client_server_domainname:6379?auth[user]=%%redis_client_username&auth[pass]=%%redis_client_password"
+session.save_path    = "tcp://{{ general.redis.redis_client_server_domainname }}:6379?auth[user]={{ general.redis.redis_client_username }}&auth[pass]={{ general.redis.redis_client_password }}&auth[database]={{ general.redis.redis_client_index }}"
 ;GNUNUX https://github.com/phpredis/phpredis/issues/2062
-;session.save_path    = "tls://%%redis_client_server_domainname:6379?auth[user]=%%redis_client_username&auth[pass]=%%redis_client_password&stream[verify_peer]=1&stream[cafile]=/etc/pki/ca-trust/source/anchors/ca_Redis.crt&stream[local_cert]=/etc/pki/tls/certs/redis.crt&stream[local_pk]=/etc/pki/tls/private/redis.key"
-%end if
+;session.save_path    = "tls://{{ general.redis.redis_client_server_domainname }}:6379?auth[user]={{ general.redis.redis_client_username }}&auth[pass]={{ general.redis.redis_client_password }}&stream[verify_peer]=1&stream[cafile]=/etc/pki/ca-trust/source/anchors/ca_Redis.crt&stream[local_cert]=/etc/pki/tls/certs/redis.crt&stream[local_pk]=/etc/pki/tls/private/redis.key"
+{% endif %}
 ;<GNUNUX
 
 ; Argument passed to save_handler.  In the case of files, this is the path
@@ -1391,7 +1391,7 @@ session.gc_divisor = 1000
 ; https://php.net/session.gc-maxlifetime
 ;>GNUNUX
 ;session.gc_maxlifetime = 1440
-session.gc_maxlifetime = %%php_session_gc_maxlifetime
+session.gc_maxlifetime = {{ general.php.php_session_gc_maxlifetime }}
 ;<GNUNUX
 
 ; NOTE: If you are using the subdirectory option for storing session files
diff --git a/seed/piwigo/dictionaries/31_piwigo.xml b/seed/piwigo/dictionaries/31_piwigo.xml
index c9bdd69..af8a7ae 100644
--- a/seed/piwigo/dictionaries/31_piwigo.xml
+++ b/seed/piwigo/dictionaries/31_piwigo.xml
@@ -1,25 +1,27 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
   <services>
-    <service name="piwigo" engine="cheetah" target="multi-user">
-      <file source="tmpfile-piwigo.conf">/tmpfiles.d/0piwigo.conf</file>
-      <file>/etc/piwigo/config.inc.php</file>
-      <file>/etc/piwigo/database.inc.php</file>
-      <file mode="755">/sbin/piwigo.sh</file>
+    <service name="piwigo" engine="none" target="multi-user">
+      <file engine="ansible" source="tmpfile-piwigo.conf">/tmpfiles.d/0piwigo.conf</file>
+      <file engine="ansible">/etc/piwigo/config.inc.php</file>
+      <file engine="ansible">/etc/piwigo/database.inc.php</file>
+      <file engine="ansible" mode="755">/sbin/piwigo.sh</file>
       <file engine="none">/etc/php-fpm.d/piwigo.conf</file>
-      <file source="piwigo.nginx.conf">/etc/nginx/default.d/piwigo.conf</file>
+      <file engine="ansible" source="piwigo.nginx.conf">/etc/nginx/default.d/piwigo.conf</file>
     </service>
   </services>
   <variables>
-    <variable name="piwigo_admin_email" type="mail" description="Adresse courriel de l'administrateur Piwigo" mandatory="True"/>
-    <variable name="piwigo_admin_password" type="password" auto_save="False" hidden="True"/>
-    <variable name="piwigo_locations" type="filename" multi="True" mandatory="True" hidden="True"/>
-    <variable name="piwigo_title" type="string" description="Titre de l'album" mandatory="True">
-      <value>Album photographique</value>
-    </variable>
-    <family name="users" description="Piwigo users" leadership="True">
-      <variable name="piwigo_users" type="unix_user" description="Utilisateur ayant un album" multi="True" mandatory="True"/>
-      <variable name="piwigo_email" type="mail" description="Adresse courriel" mandatory="True"/>
+    <family name="piwigo" description="Piwigo">
+      <variable name="piwigo_admin_email" type="mail" description="Adresse courriel de l'administrateur Piwigo" mandatory="True"/>
+      <variable name="piwigo_admin_password" type="password" auto_save="False" hidden="True"/>
+      <variable name="piwigo_locations" type="filename" multi="True" mandatory="True" hidden="True"/>
+      <variable name="piwigo_title" type="string" description="Titre de l'album" mandatory="True">
+        <value>Album photographique</value>
+      </variable>
+      <family name="users" description="Piwigo users" leadership="True">
+        <variable name="piwigo_users" type="unix_user" description="Utilisateur ayant un album" multi="True" mandatory="True"/>
+        <variable name="piwigo_email" type="mail" description="Adresse courriel" mandatory="True"/>
+      </family>
     </family>
     <family name="oauth2_client">
       <variable name="oauth2_is_client_application" redefine='True'>
diff --git a/seed/piwigo/templates/config.inc.php b/seed/piwigo/templates/config.inc.php
index f845436..6e5bc05 100644
--- a/seed/piwigo/templates/config.inc.php
+++ b/seed/piwigo/templates/config.inc.php
@@ -4,20 +4,20 @@ if(!isset($_SERVER) && isset($_ENV) && isset($_ENV['REQUEST_URI']))
   $_SERVER = Array('REQUEST_URI' => $_ENV['REQUEST_URI']);
 }
 
-%for %%idx, %%user in %%enumerate(%%piwigo_users)
-%if %%idx != 0
+{% for user in piwigo_users %}
+{%if loop.index != 1 %}
 }
-else %slurp
-%end if
-if(str_starts_with($_SERVER['REQUEST_URI'], '/%%user/')) {
-  $prefixe = '%%{user}';
-%end for
+else {% if True -%}{% endif -%}
+{%- endif -%}
+if(str_starts_with($_SERVER['REQUEST_URI'], '/{{ user }}/')) {
+  $prefixe = '{{ user }}';
+{% endfor %}
 }
 else
 {
-  $conf['OIDC'] = Array('issuer_url' => 'https://%%oauth2_client_server_domainname/',
-                        'client_id' => '%%oauth2_client_id',
-                        'client_secret' => '%%oauth2_client_secret',
+  $conf['OIDC'] = Array('issuer_url' => 'https://{{ general.oauth2_client.oauth2_client_server_domainname }}/',
+                        'client_id' => '{{ general.oauth2_client.oauth2_client_id }}',
+                        'client_secret' => '{{ general.oauth2_client.oauth2_client_secret }}',
                         'scope' => 'openid profile email',
                         );
   require_once(PHPWG_ROOT_PATH . 'plugins/OpenIdConnect/oidc.php');
diff --git a/seed/piwigo/templates/database.inc.php b/seed/piwigo/templates/database.inc.php
index 546f810..16e6438 100644
--- a/seed/piwigo/templates/database.inc.php
+++ b/seed/piwigo/templates/database.inc.php
@@ -1,23 +1,23 @@
 <?php
 $conf['dblayer'] = 'mysqli';
-$conf['db_base'] = '%%mariadb_client_database';
-$conf['db_user'] = '%%mariadb_client_username';
-$conf['db_password'] = '%%mariadb_client_password';
-$conf['db_host'] = '%%mariadb_client_server_domainname';
+$conf['db_base'] = '{{ general.mariadb.mariadb_client_database }}';
+$conf['db_user'] = '{{ general.mariadb.mariadb_client_username }}';
+$conf['db_password'] = '{{ general.mariadb.mariadb_client_password }}';
+$conf['db_host'] = '{{ general.mariadb.mariadb_client_server_domainname }}';
 
 if(!isset($_SERVER) && isset($_ENV) && isset($_ENV['REQUEST_URI']))
 {        
   $_SERVER = Array('REQUEST_URI' => $_ENV['REQUEST_URI']);
 }       
 
-%for %%idx, %%user in %%enumerate(%%piwigo_users)
-%if %%idx != 0
+{% for user in piwigo_users %}
+{%if loop.index != 1 %}
 }
-else %slurp
-%end if
-if(str_starts_with($_SERVER['REQUEST_URI'], '/%%user/')) {
-  $prefixeTable = 'piwigo_%%{user}_';
-%end for
+else {% if True -%}{% endif -%}
+{%- endif -%}
+if(str_starts_with($_SERVER['REQUEST_URI'], '/{{ user }}/')) {
+  $prefixeTable = 'piwigo_{{ user }}_';
+{% endfor %}
 }
 else
 {
diff --git a/seed/piwigo/templates/piwigo.nginx.conf b/seed/piwigo/templates/piwigo.nginx.conf
index 1ba02a3..371d977 100644
--- a/seed/piwigo/templates/piwigo.nginx.conf
+++ b/seed/piwigo/templates/piwigo.nginx.conf
@@ -9,13 +9,13 @@ add_header                    X-Permitted-Cross-Domain-Policies none;
 add_header                    Strict-Transport-Security 'max-age=31536000; includeSubDomains;';
 add_header                    Referrer-Policy no-referrer always;
     
-%for %%location in %%piwigo_locations
-location %%location {
-  %if %%location == '/'
-  root                        %slurp
-  %else
-  alias                       %slurp
-  %end if
+{% for location in general.piwigo.piwigo_locations %}
+location {{ location }} {
+{% if location == '/' %}
+  root                        {% if True -%}{% endif -%}
+{% else %}
+  alias                       {% if True -%}{% endif -%}
+{% endif %}
   /usr/local/share/piwigo;
   index                       index.php;
   location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
@@ -25,4 +25,4 @@ location %%location {
     include                   fastcgi_params;
   }
 }
-%end for
+{% endfor %}
diff --git a/seed/piwigo/templates/piwigo.sh b/seed/piwigo/templates/piwigo.sh
index 4b0e815..eb00136 100644
--- a/seed/piwigo/templates/piwigo.sh
+++ b/seed/piwigo/templates/piwigo.sh
@@ -1,14 +1,14 @@
-%echo "#!/bin/bash"
+#!/bin/bash
 
 set -x
 
 cd /usr/local/share/piwigo
-%for %%user in %%piwigo_users
-export REQUEST_URI="/%%user/"
+{% for user in general.piwigo.users.piwigo_users %}
+export REQUEST_URI="/{{ user }}/"
 /usr/bin/php piwigo_cli.php -c db:install --language fr_FR
 IMPORTED=$?
 if [ "$IMPORTED" = "0" ]; then
-  /usr/bin/php piwigo_cli.php -c user:admin:create --login admin --admin_pass %%piwigo_admin_password --mail_address %%piwigo_admin_email --language fr_FR
+  /usr/bin/php piwigo_cli.php -c user:admin:create --login admin --admin_pass {{ general.piwigo.piwigo_admin_password }} --mail_address {{ general.piwigo.piwigo_admin_email }} --language fr_FR
 fi
 #
 /usr/bin/php piwigo_cli.php -c config:modify:array --conf_name picture_informations --key author --value false --type boolean
@@ -16,8 +16,8 @@ fi
 /usr/bin/php piwigo_cli.php -c config:modify:array --conf_name picture_informations --key visits --value false --type boolean
 /usr/bin/php piwigo_cli.php -c config:modify:array --conf_name picture_informations --key categories --value false --type boolean
 /usr/bin/php piwigo_cli.php -c config:modify:array --conf_name picture_informations --key posted_on --value false --type boolean
-/usr/bin/php piwigo_cli.php -c config:modify --conf_name gallery_title --value "%%piwigo_title" --type string
-/usr/bin/php piwigo_cli.php -c config:modify --conf_name page_banner --value "%%piwigo_title" --type string
+/usr/bin/php piwigo_cli.php -c config:modify --conf_name gallery_title --value "{{ general.piwigo.piwigo_title }}" --type string
+/usr/bin/php piwigo_cli.php -c config:modify --conf_name page_banner --value "{{ general.piwigo.piwigo_title }}" --type string
 /usr/bin/php piwigo_cli.php -c config:modify --conf_name allow_user_registration --value false --type boolean
 /usr/bin/php piwigo_cli.php -c config:modify --conf_name allow_user_customization --value false --type boolean
 /usr/bin/php piwigo_cli.php -c config:modify --conf_name nb_categories_page --value 40 --type string
@@ -53,9 +53,9 @@ fi
 /usr/bin/php piwigo_cli.php -c plugin:activate --plugin_name gvideo
 #
 /usr/bin/php piwigo_cli.php -c plugin:activate --plugin_name OpenIdConnect
-/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name OIDC --key issuer_url --value https://%%oauth2_client_server_domainname/ --type string
-/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name OIDC --key client_id --value %%oauth2_client_id --type string
-/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name OIDC --key client_secret --value %%oauth2_client_secret --type string
+/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name OIDC --key issuer_url --value https://{{ general.oauth2_client.oauth2_client_server_domainname }}/ --type string
+/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name OIDC --key client_id --value {{ general.oauth2_client.oauth2_client_id }} --type string
+/usr/bin/php piwigo_cli.php -c config:modify:array --conf_name OIDC --key client_secret --value {{ general.oauth2_client.oauth2_client_secret }} --type string
 /usr/bin/php piwigo_cli.php -c config:modify:array --conf_name OIDC --key verify_host --value true --type boolean
 /usr/bin/php piwigo_cli.php -c config:modify:array --conf_name OIDC --key verify_peer --value true --type boolean
 /usr/bin/php piwigo_cli.php -c config:modify:array --conf_name OIDC --key register_new_users --value false --type boolean
@@ -80,6 +80,6 @@ fi
 /usr/bin/php piwigo_cli.php -c config:modify:json --conf_name bootstrap_darkroom --key social_enabled --value false --type boolean
 #
 if [ "$IMPORTED" = "0" ]; then
-  /usr/bin/php piwigo_cli.php -c user:create --login %%user --mail_address %%user.piwigo_email --oidc
+  /usr/bin/php piwigo_cli.php -c user:create --login {{ user }} --mail_address {{ user.piwigo_email }} --oidc
 fi
-%end for
+{% endfor %}
diff --git a/seed/piwigo/templates/tmpfile-piwigo.conf b/seed/piwigo/templates/tmpfile-piwigo.conf
index 55b6e7f..9d3236e 100644
--- a/seed/piwigo/templates/tmpfile-piwigo.conf
+++ b/seed/piwigo/templates/tmpfile-piwigo.conf
@@ -1,6 +1,6 @@
-%for %%user in %%piwigo_users
-d /srv/piwigo/logs/%%user 770 root nginx - -
-d /srv/piwigo/upload/%%user 770 root nginx - -
-d /srv/piwigo/data/%%user 770 root nginx - -
-%end for
+{% for user in general.piwigo.users.piwigo_users %}
+d /srv/piwigo/logs/{{ user }} 770 root nginx - -
+d /srv/piwigo/upload/{{ user }} 770 root nginx - -
+d /srv/piwigo/data/{{ user }} 770 root nginx - -
+{% endfor %}
 d /srv/piwigo/bootstrap_darkroom 770 root nginx - -
diff --git a/seed/pki-tls/dictionaries/20_tls.xml b/seed/pki-tls/dictionaries/20_tls.xml
index d1f54fb..0ed8083 100644
--- a/seed/pki-tls/dictionaries/20_tls.xml
+++ b/seed/pki-tls/dictionaries/20_tls.xml
@@ -2,7 +2,7 @@
 <rougail version="0.10">
   <services>
     <service name="tls">
-      <file source="0certificate.conf">/tmpfiles.d/0certificate.conf</file>
+      <file engine="ansible" source="0certificate.conf">/tmpfiles.d/0certificate.conf</file>
     </service>
   </services>
 </rougail>
diff --git a/seed/pki-tls/templates/0certificate.conf b/seed/pki-tls/templates/0certificate.conf
index 3ad146a..0986744 100644
--- a/seed/pki-tls/templates/0certificate.conf
+++ b/seed/pki-tls/templates/0certificate.conf
@@ -1,35 +1,42 @@
-%set %%cas = []
-%for %%service in %%services
-  %if %%service.activate is True and %%hasattr(%%service, 'certificates')
-    %for %%certificate in %%service.certificates
-      %if "owner" in %%certificate
-        %set %%owner = %%certificate['owner']
-      %else
-        %set %%owner = 'root'
-      %end if
-      %if %%certificate['format'] == 'cert_key'
-        %if %%isinstance(%%certificate['name'], list)
-          %for %%cert in %%certificate['name']
-C %%tls_cert_directory/%%{cert}.crt 444 root root - /usr/local/lib%%tls_cert_directory/%%{cert}.crt
-C %%tls_key_directory/%%{cert}.key 400 %%owner root - /usr/local/lib%%tls_key_directory/%%{cert}.key
-          %end for
-        %else
-C %%tls_cert_directory/%%{certificate['name']}.crt 444 root root - /usr/local/lib%%tls_cert_directory/%%{certificate['name']}.crt
-C %%tls_key_directory/%%{certificate['name']}.key 400 %%owner root - /usr/local/lib%%tls_key_directory/%%{certificate['name']}.key
-        %end if
-      %else
-        %if %%isinstance(%%certificate['name'], list)
-          %for %%cert in %%certificate['name']
-C %%tls_key_directory/%%{cert}.pem 400 %%owner root - /usr/local/lib%%tls_key_directory/%%{cert}.pem
-          %end for
-        %else
-C %%tls_key_directory/%%{certificate['name']}.pem 400 %%owner root - /usr/local/lib%%tls_key_directory/%%{certificate['name']}.pem
-        %end if
-      %end if
-      %if %%certificate['authority'] not in %%cas and ('provider' not in %%certificate or %%certificate['provider'] == 'autosigne')
-%%cas.append(%%certificate['authority'])%slurp
-C %%tls_ca_directory/%%{certificate['authority']}.crt 444 root root - /usr/local/lib%%tls_ca_directory/%%{certificate['authority']}.crt
-      %end if
-    %end for
-  %end if
-%end for
+{% set cas = [] %}
+{% for service in services %}
+{% if service.activate is true and 'certificates' in service %}
+{% for certificate in service.certificates %}
+{% if "owner" in certificate %}
+{% set owner = certificate['owner'] %}
+{% else %}
+{% set owner = 'root' %}
+{% endif %}
+{% if "group" in certificate %}
+{% set group = certificate['group'] %}
+{% set mode = 440 %}
+{% else %}
+{% set group = 'root' %}
+{% set mode = 400 %}
+{% endif %}
+{% if certificate['format'] == 'cert_key' %}
+{% if certificate['name'] is string %}
+C {{ tls_cert_directory }}/{{ certificate['name'] }}.crt 444 root root - /usr/local/lib{{ tls_cert_directory }}/{{ certificate['name'] }}.crt
+C {{ tls_key_directory }}/{{ certificate['name'] }}.key {{ mode }} {{ owner }} {{ group }} - /usr/local/lib{{ tls_key_directory }}/{{ certificate['name'] }}.key
+{% else %}
+{% for cert in certificate['name'] %}
+C {{ tls_cert_directory }}/{{ cert }}.crt 444 root root - /usr/local/lib{{ tls_cert_directory }}/{{ cert }}.crt
+C {{ tls_key_directory }}/{{ cert }}.key {{ mode }} {{ owner }} {{ group }} - /usr/local/lib{{ tls_key_directory }}/{{ cert }}.key
+{% endfor %}
+{% endif %}
+{% else %}
+{% if certificate['name'] is string %}
+C {{ tls_key_directory }}/{{ certificate['name'] }}.pem {{ mode }} {{ owner }} {{ group }} - /usr/local/lib{{ tls_key_directory }}/{{ certificate['name'] }}.pem
+{% else %}
+{% for cert in certificate['name'] %}
+C {{ tls_key_directory }}/{{ cert }}.pem {{ mode }} {{ owner }} {{ group }} - /usr/local/lib{{ tls_key_directory }}/{{ cert }}.pem
+{% endfor %}
+{% endif %}
+{% endif %}
+{% if certificate['authority'] not in cas and ('provider' not in certificate or certificate['provider'] == 'autosigne') %}
+{{ cas.append(certificate['authority']) }}
+C {{ tls_ca_directory }}/{{ certificate['authority'] }}.crt 444 root root - /usr/local/lib{{ tls_ca_directory }}/{{ certificate['authority'] }}.crt
+{% endif %}
+{% endfor %}
+{% endif %}
+{% endfor %}
diff --git a/seed/postfix-relay/dictionaries/30_postfix.xml b/seed/postfix-relay/dictionaries/30_postfix.xml
index cd8a32c..cdf05b2 100644
--- a/seed/postfix-relay/dictionaries/30_postfix.xml
+++ b/seed/postfix-relay/dictionaries/30_postfix.xml
@@ -2,31 +2,31 @@
 <rougail version="0.10">
   <services>
     <service name="postfix" target="multi-user">
-      <override/>
+      <override engine="ansible"/>
       <certificate authority="Mail" owner="postfix" type="server" domain="postfix_mail_hostname" provider="postfix_crt_provider">postfix</certificate>
       <certificate authority="InternalMail" type="server" domain="domain_name_eth" certificate_type="variable" format="pem">domain_name_eth</certificate>
       <file engine="none" source="sysuser-postfix.conf">/sysusers.d/1postfix.conf</file>
       <file engine="none" source="tmpfile-postfix.conf">/tmpfiles.d/0postfix.conf</file>
-      <file>/etc/postfix/main.cf</file>
-      <file>/etc/postfix/lmtp</file>
-      <file>/etc/postfix/sni</file>
+      <file engine="ansible">/etc/postfix/main.cf</file>
+      <file engine="ansible">/etc/postfix/lmtp</file>
+      <file engine="ansible">/etc/postfix/sni</file>
       <file engine="none">/etc/postfix/master.cf</file>
     </service>
     <service name="saslauthd">
-      <file>/etc/sasl2/smtpd.conf</file>
+      <file engine="none">/etc/sasl2/smtpd.conf</file>
     </service>
     <service name="opendkim" target="multi-user">
       <file engine="none" source="sysuser-opendkim.conf">/sysusers.d/0opendkim.conf</file>
-      <file>/etc/opendkim.conf</file>
-      <file>/etc/opendkim/KeyTable</file>
-      <file>/etc/opendkim/SigningTable</file>
-      <file>/etc/opendkim/TrustedHosts</file>
-      <file file_type="variable" owner="opendkim" mode="400" source="opendkim.key" variable="postfix_relay_domains">opendkim_keys</file>
+      <file engine="none">/etc/opendkim.conf</file>
+      <file engine="ansible">/etc/opendkim/KeyTable</file>
+      <file engine="ansible">/etc/opendkim/SigningTable</file>
+      <file engine="ansible">/etc/opendkim/TrustedHosts</file>
+      <file engine="ansible" file_type="variable" owner="opendkim" mode="400" source="opendkim.key" variable="postfix_relay_domains">opendkim_keys</file>
     </service>
     <service name="opendmarc" target="multi-user">
       <file engine="none" source="sysuser-opendmarc.conf">/sysusers.d/0opendmarc.conf</file>
       <file engine="none" source="tmpfile-opendmarc.conf">/tmpfiles.d/0opendmarc.conf</file>
-      <file>/etc/opendmarc.conf</file>
+      <file engine="ansible">/etc/opendmarc.conf</file>
     </service>
   </services>
   <variables>
@@ -34,12 +34,10 @@
       <variable name="outgoing_ports" redefine="True">
         <value>25</value>
       </variable>
-      <variable name="incoming_ports" redefine="True">
-        <value>25</value>
-      </variable>
+      <variable name="incoming_ports" redefine="True" mandatory="False"/>
     </family>
     <family name="postfix" description="Postfix mail server">
-      <variable name="postfix_mail_hostname" type="domainname" description="Nom de domaine extérieur du serveur de courriel" mandatory="True"/>
+      <variable name="postfix_mail_hostname" type="domainname" description="Nom de domaine extérieur du serveur de courriel" help="Cette variable est obligatoire pour recevoir des courriels depuis l'extérieur"/>
       <variable name="postfix_crt_provider" type="choice" description="Autorité de certification signant le certificat du domaine extérieur" mandatory="True">
         <value>autosigne</value>
         <choice>autosigne</choice>
@@ -70,5 +68,13 @@
       <param type="suffix"/>
       <target>postfix_relay_ip_</target>
     </fill>
+    <fill name="calc_value">
+      <param type="nil"/>
+      <param name="default">25</param>
+      <param name="condition" type="variable">postfix_mail_hostname</param>
+      <param name="expected" type="nil"/>
+      <param name="multi">True</param>
+      <target>incoming_ports</target>
+    </fill>
   </constraints>
 </rougail>
diff --git a/seed/postfix-relay/templates/12-managesieve.conf b/seed/postfix-relay/templates/12-managesieve.conf
deleted file mode 100644
index c06febc..0000000
--- a/seed/postfix-relay/templates/12-managesieve.conf
+++ /dev/null
@@ -1,23 +0,0 @@
-# Uncomment to enable managesieve protocol:
-protocols = $protocols sieve
-
-service managesieve-login {
-  inet_listener sieve {
-    port = 4190
-  }
-
-  #inet_listener sieve_deprecated {
-  #  port = 2000
-  #}
-
-  # Number of connections to handle before starting a new process. Typically
-  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
-  # is faster. <doc/wiki/LoginProcess.txt>
-  service_count = 1
-
-  # Number of processes to always keep waiting for more connections.
-  process_min_avail = 0
-
-  # If you set service_count=0, you probably need to grow this.
-  vsz_limit = 64M
-}
diff --git a/seed/postfix-relay/templates/KeyTable b/seed/postfix-relay/templates/KeyTable
index 5b1114b..e240082 100644
--- a/seed/postfix-relay/templates/KeyTable
+++ b/seed/postfix-relay/templates/KeyTable
@@ -4,6 +4,6 @@
 # name, then restart OpenDKIM. Additional keys may be added on separate lines.
 
 #default._domainkey.example.com example.com:default:/etc/opendkim/keys/default.private
-%for %%idx, %%domain in %%enumerate(%%postfix_relay_domains)
-default._domainkey.%%domain %%domain:default:%%opendkim_keys[%%idx]
-%end for
+{% for domain in general.postfix.postfix_relay_domains %}
+default._domainkey.{{ domain }} {{ domain }}:default:{{ general.opendkim.opendkim_keys[loop.index - 1] }}
+{% endfor %}
diff --git a/seed/postfix-relay/templates/SigningTable b/seed/postfix-relay/templates/SigningTable
index 2def8dd..ac29d71 100644
--- a/seed/postfix-relay/templates/SigningTable
+++ b/seed/postfix-relay/templates/SigningTable
@@ -23,6 +23,6 @@
 # "SigningTable" for more details.
 
 #example.com default._domainkey.example.com
-%for %%domain in %%postfix_relay_domains
-*@%%domain default._domainkey.%%domain
-%end for
+{% for domain in general.postfix.postfix_relay_domains %}
+*@{{ domain }} default._domainkey.{{ domain }}
+{% endfor %}
diff --git a/seed/postfix-relay/templates/TrustedHosts b/seed/postfix-relay/templates/TrustedHosts
index 09824c2..3bf62bd 100644
--- a/seed/postfix-relay/templates/TrustedHosts
+++ b/seed/postfix-relay/templates/TrustedHosts
@@ -7,6 +7,6 @@
 ::1
 #host.example.com
 #192.168.1.0/24
-%for %%domain in %%postfix_relay_domains
-*.%%domain
-%end for
+{% for domain in general.postfix.postfix_relay_domains %}
+*.{{ domain }}
+{% endfor %}
diff --git a/seed/postfix-relay/templates/lmtp b/seed/postfix-relay/templates/lmtp
index a7dea3c..059293c 100644
--- a/seed/postfix-relay/templates/lmtp
+++ b/seed/postfix-relay/templates/lmtp
@@ -1,9 +1,9 @@
-%for %%domain in %%lmtp.server_lmtp
-  %set %%name=%%normalize_family(%%domain)
-  %for %%lst in %%lmtp['lmtp_' + name]['criteria_' + %%name]
-%if '@' not in %%lst
-%set %%lst = '.*@' + %%lst
-%end if
-/^%%lst$/                       lmtp:[%%domain]:8024
-  %end for
-%end for
+{% for domain in lmtp.server_lmtp %}
+{% set name=domain|normalize_family %}
+{% for lst in lmtp['lmtp_' + name]['criteria_' + name] %}
+{% if '@' not in lst %}
+{% set lst = '.*@' + lst %}
+{% endif %}
+/^{{ lst }}$/                       lmtp:[{{ domain }}]:8024
+{% endfor %}
+{% endfor %}
diff --git a/seed/postfix-relay/templates/main.cf b/seed/postfix-relay/templates/main.cf
index 65becac..5d3838a 100644
--- a/seed/postfix-relay/templates/main.cf
+++ b/seed/postfix-relay/templates/main.cf
@@ -99,7 +99,7 @@ mail_owner = postfix
 #
 #myhostname = host.domain.tld
 #myhostname = virtual.domain.tld
-myhostname = %%postfix_mail_hostname
+myhostname = {{ general.postfix.postfix_mail_hostname }}
 
 # The mydomain parameter specifies the local internet domain name.
 # The default is to use $myhostname minus the first component.
@@ -123,7 +123,7 @@ myhostname = %%postfix_mail_hostname
 #
 #myorigin = $myhostname
 #myorigin = $mydomain
-myorigin = %%postfix_mail_hostname
+myorigin = {{ general.postfix.postfix_mail_hostname }}
 
 # RECEIVING MAIL
 
@@ -256,7 +256,7 @@ unverified_recipient_reject_code = 550
 
 smtpd_recipient_restrictions =
         permit_mynetworks,
-        permit_sasl_authenticated,  # FIXME needed? and other sasl_ options!
+        permit_sasl_authenticated,
         reject_sender_login_mismatch,
         reject_unauth_destination,
         reject_unknown_client,
@@ -270,7 +270,7 @@ smtpd_recipient_restrictions =
         reject_non_fqdn_helo_hostname,
         reject_rbl_client zen.spamhaus.org,
         reject_non_fqdn_sender,
-        reject_unknown_sender_domain,
+        reject_unknown_sender_domain
         #reject_unauth_pipelining
 # FIXME        check_sender_access hash:/etc/postfix/sender_access,
 # FIXME        check_recipient_access hash:/etc/postfix/recv_access,
@@ -350,10 +350,10 @@ mynetworks = 127.0.0.0/8
 #
 #relay_domains = $mydestination
 #>GNUNUX
-relay_domains = %echo ', '.join(%%postfix_relay_domains)
-%if %%lmtp.server_lmtp
+relay_domains = {{ general.postfix.postfix_relay_domains|join(', ') }}
+{% if lmtp.server_lmtp %}
 transport_maps = regexp:/etc/postfix/lmtp
-%end if
+{% endif %}
 #<GNUNUX
 
 # INTERNET OR INTRANET
@@ -748,15 +748,15 @@ readme_directory = /usr/share/doc/postfix/README_FILES
 # in PEM format. Intermediate certificates should be included in general,
 # the server certificate first, then the issuing CA(s) (bottom-up order).
 #
-smtpd_tls_cert_file = %%tls_cert_directory/postfix.crt
+smtpd_tls_cert_file = {{ tls_cert_directory }}/postfix.crt
 
 # The full pathname of a file with the Postfix SMTP server RSA private key
 # in PEM format. The private key must be accessible without a pass-phrase,
 # i.e. it must not be encrypted.
 #
-smtpd_tls_key_file = %%tls_key_directory/postfix.key
+smtpd_tls_key_file = {{ tls_key_directory }}/postfix.key
 
-smtpd_tls_CApath = %%tls_ca_directory
+smtpd_tls_CApath = {{ tls_ca_directory }}
 #smtpd_tls_CAfile = /etc/pki/ca-trust/source/anchors/Mail.crt
 #>GNUNUX
 tls_server_sni_maps = hash:/etc/postfix/sni
@@ -771,14 +771,14 @@ smtpd_tls_security_level = may
 #
 #>GNUNUX
 #smtp_tls_CApath = /etc/pki/tls/certs
-smtp_tls_CApath = %%tls_ca_directory
+smtp_tls_CApath = {{ tls_ca_directory }}
 #<GNUNUX
 
 # The full pathname of a file containing CA certificates of root CAs
 # trusted to sign either remote SMTP server certificates or intermediate CA
 # certificates.
 #
-#smtp_tls_CAfile = %%tls_ca_directory/Mail.crt
+#smtp_tls_CAfile = {{ tls_ca_directory }}/Mail.crt
 
 # Use TLS if this is supported by the remote SMTP server, otherwise use
 # plaintext (opportunistic TLS outbound).
diff --git a/seed/postfix-relay/templates/opendkim.key b/seed/postfix-relay/templates/opendkim.key
index f791249..2038399 100644
--- a/seed/postfix-relay/templates/opendkim.key
+++ b/seed/postfix-relay/templates/opendkim.key
@@ -1 +1 @@
-%%get_dkim_key(%%domain_name_eth0, %%rougail_variable)
+{{ domain_name_eth0|get_dkim_key(rougail_variable) }}
diff --git a/seed/postfix-relay/templates/opendmarc.conf b/seed/postfix-relay/templates/opendmarc.conf
index 37022db..a5f4ac3 100644
--- a/seed/postfix-relay/templates/opendmarc.conf
+++ b/seed/postfix-relay/templates/opendmarc.conf
@@ -426,7 +426,7 @@ Syslog true
 #
 # TrustedAuthservIDs HOSTNAME
 #>GNUNUX
-TrustedAuthservIDs %%postfix_mail_hostname
+TrustedAuthservIDs {{ general.postfix.postfix_mail_hostname }}
 #>GNUNUX
 
 ##  UMask mask
diff --git a/seed/postfix-relay/templates/postfix.service b/seed/postfix-relay/templates/postfix.service
index c38325e..54ca4a3 100644
--- a/seed/postfix-relay/templates/postfix.service
+++ b/seed/postfix-relay/templates/postfix.service
@@ -1,11 +1,11 @@
 [Service]
 ExecStartPre=/usr/sbin/postmap /etc/postfix/lmtp
 ExecStartPre=/usr/sbin/postmap -F /etc/postfix/sni
-%for %%local in %%postfix_relay_authentifications
-  %set %%user = %%normalize_family(%%local)
-  %set %%password = %%getVar('local_authentification_password_' + %%user)
-  %set %%ip = %%getVar('postfix_relay_ip_' + %%user)
-ExecStartPre=-/usr/bin/bash -c "echo %%password | /usr/sbin/saslpasswd2 -u %%ip %%user -p"
-%end for
+{% for local in general.postfix.postfix_relay_authentifications %}
+{% set user = local|normalize_family %}
+{% set password = general.postfix['local_authentification_' + user]['local_authentification_password_' + user] %}
+{% set ip = general.postfix['local_authentification_' + user]['postfix_relay_ip_' + user] %}
+ExecStartPre=-/usr/bin/bash -c "echo {{ password }} | /usr/sbin/saslpasswd2 -u {{ ip }} {{ user }} -p"
+{% endfor %}
 ExecStartPre=/usr/bin/chown postfix: /etc/sasl2/sasldb2
 PIDFile=/srv/postfix/spool/pid/master.pid
diff --git a/seed/postfix-relay/templates/sni b/seed/postfix-relay/templates/sni
index 90df9ab..1b7c53f 100644
--- a/seed/postfix-relay/templates/sni
+++ b/seed/postfix-relay/templates/sni
@@ -1,5 +1,5 @@
-%for %%idx in %%range(%%len(%%zones_list))
-  %set %%domain = %%getVar('domain_name_eth' + %%str(%%idx))
-%%domain /etc/postfix/certs/%%{domain}.pem
-%end for
+{% for idx in range(zones_list|length) %}
+{% set domain = general.network['interface_' + idx|string]['domain_name_eth' + idx|string] %}
+{{ domain }} {{ tls_key_directory }}/{{ domain }}.pem
+{% endfor %}
 
diff --git a/seed/postfix-relay/templates/sni.pem b/seed/postfix-relay/templates/sni.pem
deleted file mode 100644
index beb29d0..0000000
--- a/seed/postfix-relay/templates/sni.pem
+++ /dev/null
@@ -1,4 +0,0 @@
-%set %%chain = %%get_chain(cn=%%rougail_variable, authority_cn=%%rougail_variable, authority_name="MailRelay", hide=%%hide_secret)
-%set %%cert = %%get_certificate(cn=%%rougail_variable, authority_name='MailRelay', hide=%%hide_secret)
-%%get_private_key(cn=%%rougail_variable, authority_name='MailRelay', hide=%%hide_secret)
-%%cert
diff --git a/seed/postgresql-client/dictionaries/23_postgresql.xml b/seed/postgresql-client/dictionaries/23_postgresql.xml
index 8672638..d70417a 100644
--- a/seed/postgresql-client/dictionaries/23_postgresql.xml
+++ b/seed/postgresql-client/dictionaries/23_postgresql.xml
@@ -1,19 +1,19 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
   <services>
-    <service name="postgresqlclient" target="risotto" engine="cheetah">
+    <service name="postgresqlclient" target="risotto" engine="ansible">
       <certificate authority="PostgreSQL" owner="pg_client_key_owner" owner_type="variable" server="pg_client_server_domainname">postgresql</certificate>
-      <file mode="400">/secrets/postgresql.pass</file>
-      <file mode="400">/secrets/postgresql.pass2</file>
+      <file engine="ansible" mode="400">/secrets/postgresql.pass</file>
+      <file engine="ansible" mode="400">/secrets/postgresql.pass2</file>
       <file filelist="postgresql_debian" engine="none" source="sysuser-postgresql-client.conf">/sysusers.d/0postgresqlclient.conf</file>
     </service>
   </services>
   <variables>
     <family name="postgresql" description="PostgreSQL">
-      <variable name="pg_client_server_domainname" type="domainname" description="Nom de domaine du serveur PostgreSQL" mandatory="True" supplier="Postgresql" hidden="True"/>
-      <variable name="pg_client_username" description="Client username" mandatory="True" hidden="True" supplier="Postgresql:username"/>
-      <variable name="pg_client_password" type="password" description="Client password" mandatory="True" hidden="True" supplier="Postgresql:password"/>
-      <variable name="pg_client_database" description="Client database" mandatory="True" hidden="True" supplier="Postgresql:database"/>
+      <variable name="pg_client_server_domainname" type="domainname" description="Nom de domaine du serveur PostgreSQL" mandatory="True" supplier="Postgresql"/>
+      <variable name="pg_client_username" description="Client username" mandatory="True" supplier="Postgresql:username"/>
+      <variable name="pg_client_password" type="password" description="Client password" mandatory="True" supplier="Postgresql:password"/>
+      <variable name="pg_client_database" description="Client database" mandatory="True" supplier="Postgresql:database"/>
       <variable name="pg_client_key_owner" type="unix_user" description="Key owner" mandatory="True" hidden="True">
         <value>apache</value>
       </variable>
diff --git a/seed/postgresql-client/templates/postgresql.pass b/seed/postgresql-client/templates/postgresql.pass
index ac136a6..3a67354 100644
--- a/seed/postgresql-client/templates/postgresql.pass
+++ b/seed/postgresql-client/templates/postgresql.pass
@@ -1 +1 @@
-%%pg_client_server_domainname:5432:%%pg_client_database:%%pg_client_username:%%pg_client_password
+{{ general.postgresql.pg_client_server_domainname }}:5432:{{ general.postgresql.pg_client_database }}:{{ general.postgresql.pg_client_username }}:{{ general.postgresql.pg_client_password }}
diff --git a/seed/postgresql-client/templates/postgresql.pass2 b/seed/postgresql-client/templates/postgresql.pass2
index 8648fbd..e0af5f2 100644
--- a/seed/postgresql-client/templates/postgresql.pass2
+++ b/seed/postgresql-client/templates/postgresql.pass2
@@ -1 +1 @@
-PGPASSWORD=%%pg_client_password
+PGPASSWORD={{ general.postgresql.pg_client_password }}
diff --git a/seed/postgresql-client/templates/postgresqlclient.service b/seed/postgresql-client/templates/postgresqlclient.service
index a9f05a2..8451617 100644
--- a/seed/postgresql-client/templates/postgresqlclient.service
+++ b/seed/postgresql-client/templates/postgresqlclient.service
@@ -5,10 +5,10 @@ Before=risotto.target
 
 [Service]
 Type=oneshot
-%if %%pg_client_key_owner != 'root'
-User=%%pg_client_key_owner
-%end if
+{% if general.postgresql.pg_client_key_owner != 'root' %}
+User={{ general.postgresql.pg_client_key_owner }}
+{% endif %}
 EnvironmentFile=/usr/local/lib/secrets/postgresql.pass2
-ExecStart=/usr/bin/timeout 300 bash -c 'while ! 3<> /dev/tcp/%%pg_client_server_domainname/5432; do sleep 1; done; echo "POSTGRESQL STARTED"'
-ExecStart=/usr/bin/timeout 90 bash -c 'while ! %slurp
-/usr/bin/psql "sslmode=verify-full sslrootcert=%%tls_ca_directory/PostgreSQL.crt sslcert=%%tls_cert_directory/postgresql.crt sslkey=%%tls_key_directory/postgresql.key host=%%pg_client_server_domainname user=%%pg_client_username dbname=%%pg_client_database" -c "\dt"; do sleep 1; done; echo "POSTGRESQL READY"'
+ExecStart=/usr/bin/timeout 300 bash -c 'while ! 3<> /dev/tcp/{{ general.postgresql.pg_client_server_domainname }}/5432; do sleep 1; done; echo "POSTGRESQL STARTED"'
+ExecStart=/usr/bin/timeout 90 bash -c 'while ! {% if True -%}{% endif -%}
+/usr/bin/psql "sslmode=verify-full sslrootcert={{ general.tls_ca_directory }}/PostgreSQL.crt sslcert={{ general.tls_cert_directory }}/postgresql.crt sslkey={{ general.tls_key_directory }}/postgresql.key host={{ general.postgresql.pg_client_server_domainname }} user={{ general.postgresql.pg_client_username }} dbname={{ general.postgresql.pg_client_database }}" -c "\dt"; do sleep 1; done; echo "POSTGRESQL READY"'
diff --git a/seed/postgresql/dictionaries/22_postgresql.xml b/seed/postgresql/dictionaries/22_postgresql.xml
index b500d20..73ea7a3 100644
--- a/seed/postgresql/dictionaries/22_postgresql.xml
+++ b/seed/postgresql/dictionaries/22_postgresql.xml
@@ -2,17 +2,18 @@
 <rougail version="0.10">
   <services>
     <service name="postgresql" target="multi-user">
-      <override/>
+      <override engine="ansible"/>
       <certificate authority="PostgreSQL" owner="postgres" type="server">postgresql</certificate>
       <ip ip_type='variable'>accounts.remote_.remote_ip_</ip>
-      <file>/etc/postgresql/postgresql.conf</file>
-      <file>/etc/postgresql/pg_hba.conf</file>
-      <file mode="600" owner="postgres" group="postgres">/etc/postgresql/postgresql.sql</file>
+      <file engine="ansible">/etc/postgresql/postgresql.conf</file>
+      <file engine="ansible">/etc/postgresql/pg_hba.conf</file>
+      <file engine="ansible" mode="600" owner="postgres" group="postgres">/etc/postgresql/postgresql.sql</file>
       <file engine="none">/etc/postgresql/pg_ident.conf</file>
       <file engine="none" mode="755">/sbin/postgresql_init</file>
       <file engine="none" source="sysuser-postgresql.conf">/sysusers.d/0postgresql.conf</file>
       <file engine="none" source="tmpfiles.postgresql.conf">/tmpfiles.d/0postgresql.conf</file>
-      <file filelist="copy_tests">/tests/postgresql.yml</file>
+      <file engine="ansible" filelist="copy_tests">/tests/postgresql.yml</file>
+      <file engine="ansible" mode="700">/sbin/risotto_backup</file>
     </service>
   </services>
   <variables>
diff --git a/seed/postgresql/extras/accounts/00_accounts.xml b/seed/postgresql/extras/accounts/00_accounts.xml
index 3bd0bd5..ff655c4 100644
--- a/seed/postgresql/extras/accounts/00_accounts.xml
+++ b/seed/postgresql/extras/accounts/00_accounts.xml
@@ -5,7 +5,7 @@
     <family name="remote_" description="Account for " dynamic="accounts.remotes">
       <variable name="remote_ip_" description="Remote IP " type="ip" mandatory="True"/>
       <variable name="database_" description="Remote database " auto_save="False" hidden="True" mandatory="True" provider="Postgresql:database"/>
-      <variable name="username_" description="Remote username " auto_save="False" hidden="True" type="unix_user" mandatory="True" provider="Postgresql:username"/>
+      <variable name="username_" description="Remote username " auto_save="False" hidden="True" mandatory="True" provider="Postgresql:username"/>
       <variable name="password_" description="Remote password " auto_save="False" hidden="True" type="password" mandatory="True" provider="Postgresql:password"/>
     </family>
   </variables>
@@ -17,4 +17,3 @@
     </fill>
   </constraints>
 </rougail>
-
diff --git a/seed/postgresql/templates/config.yml b/seed/postgresql/templates/config.yml
deleted file mode 100644
index e69de29..0000000
diff --git a/seed/postgresql/templates/pg_hba.conf b/seed/postgresql/templates/pg_hba.conf
index 4cdebd7..cec58fc 100644
--- a/seed/postgresql/templates/pg_hba.conf
+++ b/seed/postgresql/templates/pg_hba.conf
@@ -90,13 +90,13 @@ local   all         postgres	ident	map=pg_map
 # IPv4 local connections:
 #>GNUNUX
 #host    all             all             127.0.0.1/32            @authmethodhost@
-hostssl	rougail_test	rougail_test	%%gateway_eth0/32	md5
-%for %%server in %%accounts.remotes
- %set %%name = %%normalize_family(%%server)
- %set %%database = %%accounts["remote_" + %%name]["database_" + %%name]
- %set %%username = %%accounts["remote_" + %%name]["username_" + %%name]
-hostssl	%%database	%%username	%%server	md5
-%end for
+hostssl	rougail_test	rougail_test	{{ general.network.interface_0.gateway_eth0 }}/32	md5
+{% for server in accounts.remotes %}
+{% set name = server|normalize_family %}
+{% set database = accounts["remote_" + name]["database_" + name] %}
+{% set username = accounts["remote_" + name]["username_" + name] %}
+hostssl	{{ database }}	{{ username }}	{{ server }}	md5
+{% endfor %}
 #<GNUNUX
 # IPv6 local connections:
 #GNUNUX host    all             all             ::1/128                 @authmethodhost@
diff --git a/seed/postgresql/templates/postgresql.conf b/seed/postgresql/templates/postgresql.conf
index 38fa40a..7331607 100644
--- a/seed/postgresql/templates/postgresql.conf
+++ b/seed/postgresql/templates/postgresql.conf
@@ -1,8 +1,4 @@
 #RISOTTO: file://usr/share/pgsql/postgresql.conf.sample
-%compiler-settings
-cheetahVarStartToken = §§
-directiveStartToken = §
-%end compiler-settings
 #GNUNUX: encoding is present in source so try to convert it
 #encoding: utf8
 # -----------------------------
@@ -80,7 +76,7 @@ listen_addresses = '*'
 #port = 5432				# (change requires restart)
 #max_connections = 100			# (change requires restart)
 #>GNUNUX
-max_connections = §§pg_max_connections
+max_connections = {{ general.postgresql.pg_max_connections }}
 #<GNUNUX
 #superuser_reserved_connections = 3	# (change requires restart)
 #unix_socket_directories = '/tmp'	# comma-separated list of directories
@@ -116,7 +112,7 @@ unix_socket_directories = '/var/run/postgresql'
 
 #authentication_timeout = 1min		# 1s-600s
 #>GNUNUX
-authentication_timeout = §§{pg_authentication_timeout}s
+authentication_timeout = {{ general.postgresql.pg_authentication_timeout }}s
 #<GNUNUX
 #password_encryption = scram-sha-256	# scram-sha-256 or md5
 #db_user_namespace = off
@@ -143,9 +139,9 @@ authentication_timeout = §§{pg_authentication_timeout}s
 #ssl_passphrase_command_supports_reload = off
 #>GNUNUX
 ssl = true				# (change requires restart)
-ssl_cert_file = '§§tls_cert_directory/postgresql.crt'		# (change requires restart)
-ssl_key_file = '§§tls_key_directory/postgresql.key'		# (change requires restart)
-ssl_ca_file = '§§tls_ca_directory/PostgreSQL.crt'
+ssl_cert_file = '{{ general.tls_cert_directory }}/postgresql.crt'		# (change requires restart)
+ssl_key_file = '{{ general.tls_key_directory }}/postgresql.key'		# (change requires restart)
+ssl_ca_file = '{{ general.tls_ca_directory }}/PostgreSQL.crt'
 #<GNUNUX
 
 
@@ -158,7 +154,7 @@ ssl_ca_file = '§§tls_ca_directory/PostgreSQL.crt'
 #shared_buffers = 32MB			# min 128kB
 					# (change requires restart)
 #>GNUNUX
-shared_buffers = §§{pg_shared_buffers}§§pg_shared_buffers_unit
+shared_buffers = {{ general.postgresql.pg_shared_buffers }}{{ general.postgresql.pg_shared_buffers_unit }}
 #<GNUNUX
 #huge_pages = try			# on, off, or try
 					# (change requires restart)
@@ -175,8 +171,8 @@ shared_buffers = §§{pg_shared_buffers}§§pg_shared_buffers_unit
 #autovacuum_work_mem = -1		# min 1MB, or -1 to use maintenance_work_mem
 #logical_decoding_work_mem = 64MB	# min 64kB
 #>GNUNUX
-work_mem = §§{pg_work_mem}§§pg_work_mem_unit	# min 64kB
-maintenance_work_mem = §§{pg_maintenance_work_mem}§§pg_maintenance_work_mem_unit	# min 1MB
+work_mem = {{ general.postgresql.pg_work_mem }}{{ general.postgresql.pg_work_mem_unit }}	# min 64kB
+maintenance_work_mem = {{ general.postgresql.pg_maintenance_work_mem }}{{ general.postgresql.pg_maintenance_work_mem_unit }}	# min 1MB
 #<GNUNUX
 #max_stack_depth = 2MB			# min 100kB
 #shared_memory_type = mmap		# the default is the first option
@@ -262,7 +258,7 @@ maintenance_work_mem = §§{pg_maintenance_work_mem}§§pg_maintenance_work_mem_
 #wal_recycle = on			# recycle WAL files
 #wal_buffers = -1			# min 32kB, -1 sets based on shared_buffers
 #>GNUNUX
-wal_buffers = §§pg_wal_buffers
+wal_buffers = {{ general.postgresql.pg_wal_buffers }}
 #<GNUNUX
 					# (change requires restart)
 #wal_writer_delay = 200ms		# 1-10000 milliseconds
@@ -281,7 +277,7 @@ wal_buffers = §§pg_wal_buffers
 #max_wal_size = 1GB
 #min_wal_size = 80MB
 #>GNUNUX
-max_wal_size = §§{pg_max_wal_size}§§pg_max_wal_size_unit
+max_wal_size = {{ general.postgresql.pg_max_wal_size }}{{ general.postgresql.pg_max_wal_size_unit }}
 min_wal_size = 80MB
 #<GNUNUX
 
@@ -437,7 +433,7 @@ min_wal_size = 80MB
 #min_parallel_index_scan_size = 512kB
 #effective_cache_size = 4GB
 #>GNUNUX
-effective_cache_size = §§{pg_effective_cache_size}§§pg_effective_cache_size_unit
+effective_cache_size = {{ general.postgresql.pg_effective_cache_size }}{{ general.postgresql.pg_effective_cache_size_unit }}
 #<GNUNUX
 
 #jit_above_cost = 100000		# perform JIT compilation if available
@@ -675,11 +671,11 @@ log_timezone = 'Europe/Paris'
 #autovacuum = on			# Enable autovacuum subprocess?  'on'
 					# requires track_counts to also be on.
 #>GNUNUX
-§if §§pg_autovacuum
+{% if pg_autovacuum %}
 autovacuum = on
-§else
+{% else %}
 autovacuum = off
-§end if
+{% endif %}
 #<GNUNUX
 #autovacuum_max_workers = 3		# max number of autovacuum subprocesses
 					# (change requires restart)
diff --git a/seed/postgresql/templates/postgresql.service b/seed/postgresql/templates/postgresql.service
index 4bae4c9..4b35ca7 100644
--- a/seed/postgresql/templates/postgresql.service
+++ b/seed/postgresql/templates/postgresql.service
@@ -6,33 +6,33 @@ Environment=PG_IDENT=/etc/postgresql/pg_ident.conf
 Environment=LC_ALL=fr_FR.UTF-8
 ExecStartPre=
 ExecStartPre=+/usr/local/lib/sbin/postgresql_init
-# if upgrade needed, do it
-ExecStartPre=/bin/bash -c '%slurp
-/usr/libexec/postgresql-check-db-dir %N || (%slurp
- echo "UPGRADE" &&%slurp
-# directory creation must have 700 rights
- umask 0077 &&%slurp
-# pg_upgrade do not like ssl activation
- /bin/grep -v "ssl " ${PG_CONF} > /tmp/postgresql.conf &&%slurp
- mv -f /tmp/postgresql.conf ${PGDATA}/postgresql.conf &&%slurp
-# pg_upgrade modify pg_hba.conf so copy it
- /bin/rm ${PGDATA}/pg_hba.conf &&%slurp
- /bin/cp -af ${PG_HBA} ${PGDATA} &&%slurp
-# do upgrade
- /usr/bin/postgresql-setup --upgrade &&%slurp
-# re do link
- ln -sf ${PG_HBA} ${PGDATA}/ &&%slurp
- ln -sf ${PG_CONF} ${PGDATA}/ &&%slurp
-# remove old cluster
- /srv/postgresql/postgresql/delete_old_cluster.sh &&%slurp
- rm -f /srv/postgresql/postgresql/delete_old_cluster.sh &&%slurp
-# force index (see later)
- touch /srv/postgresql/risotto_upgrade.lock%slurp
+{# if upgrade needed, do it #}
+ExecStartPre=/bin/bash -c '{% if True -%}{% endif -%}
+/usr/libexec/postgresql-check-db-dir %N || ({% if True -%}{% endif -%}
+ echo "UPGRADE" &&{% if True -%}{% endif -%}
+{# directory creation must have 700 rights #}
+ umask 0077 &&{% if True -%}{% endif -%}
+{# pg_upgrade do not like ssl activation #}
+ /bin/grep -v "ssl " ${PG_CONF} > /tmp/postgresql.conf &&{% if True -%}{% endif -%}
+ mv -f /tmp/postgresql.conf ${PGDATA}/postgresql.conf &&{% if True -%}{% endif -%}
+{# pg_upgrade modify pg_hba.conf so copy it #}
+ /bin/rm ${PGDATA}/pg_hba.conf &&{% if True -%}{% endif -%}
+ /bin/cp -af ${PG_HBA} ${PGDATA} &&{% if True -%}{% endif -%}
+{# do upgrade #}
+ /usr/bin/postgresql-setup --upgrade &&{% if True -%}{% endif -%}
+{# re do link #}
+ ln -sf ${PG_HBA} ${PGDATA}/ &&{% if True -%}{% endif -%}
+ ln -sf ${PG_CONF} ${PGDATA}/ &&{% if True -%}{% endif -%}
+{# remove old cluster #}
+ /srv/postgresql/postgresql/delete_old_cluster.sh &&{% if True -%}{% endif -%}
+ rm -f /srv/postgresql/postgresql/delete_old_cluster.sh &&{% if True -%}{% endif -%}
+{# force index (see later) #}
+ touch /srv/postgresql/risotto_upgrade.lock{% if True -%}{% endif -%}
 )'
-# recheck db
+{# recheck db #}
 ExecStartPre=/usr/libexec/postgresql-check-db-dir %N
 ExecStart=
 ExecStart=/usr/bin/postmaster -D ${PGDATA} -c config_file=${PG_CONF} -c hba_file=${PG_HBA} -c ident_file=${PG_IDENT}
 ExecStartPost=-/usr/bin/psql -f /etc/postgresql/postgresql.sql
-# if lock do reindex
+{# if lock do reindex #}
 ExecStartPost=/bin/bash -c 'if [ -f /srv/postgresql/risotto_upgrade.lock ];then echo REINDEX; /usr/bin/reindexdb && rm -f /srv/postgresql/risotto_upgrade.lock; fi'
diff --git a/seed/postgresql/templates/postgresql.sql b/seed/postgresql/templates/postgresql.sql
index 84d23b7..f1b94c0 100644
--- a/seed/postgresql/templates/postgresql.sql
+++ b/seed/postgresql/templates/postgresql.sql
@@ -1,15 +1,15 @@
 #RISOTTO: do not compare
-%set %%new_accounts = [('rougail_test', 'rougail_test', %%get_password(server_name=%%domain_name_eth0, username='rougail_test', description="remote", type="cleartext", hide=%%hide_secret, temporary=True))]
-%for %%server in %%accounts.remotes
- %set %%name = %%normalize_family(%%server)
- %set %%database = %%accounts["remote_" + %%name]["database_" + %%name]
- %set %%username = %%accounts["remote_" + %%name]["username_" + %%name]
- %set %%password = %%accounts["remote_" + %%name]["password_" + %%name]
-%%new_accounts.append((%%database, %%username, %%password))%slurp
-%end for
-%for %%database, %%name, %%password in %%new_accounts
-CREATE DATABASE "%%name";
-CREATE ROLE "%%name" WITH LOGIN ENCRYPTED PASSWORD '%%password';
-ALTER USER "%%name" PASSWORD '%%password';
-GRANT ALL PRIVILEGES ON DATABASE "%%name" TO "%%database";
-%end for
+{% set new_accounts = [('rougail_test', 'rougail_test', 'rougail_test'|get_password(server_name=domain_name_eth0, description="remote", type="cleartext", hide=hide_secret, temporary=True))] %}
+{% for server in accounts.remotes %}
+{% set name = server|normalize_family %}
+{% set database = accounts["remote_" + name]["database_" + name] %}
+{% set username = accounts["remote_" + name]["username_" + name] %}
+{% set password = accounts["remote_" + name]["password_" + name] %}
+{{ new_accounts.append((database, username, password)) }}
+{% endfor %}
+{% for database, name, password in new_accounts %}
+CREATE DATABASE "{{ name }}";
+CREATE ROLE "{{ name }}" WITH LOGIN ENCRYPTED PASSWORD '{{ password }}';
+ALTER USER "{{ name }}" PASSWORD '{{ password }}';
+GRANT ALL PRIVILEGES ON DATABASE "{{ name }}" TO "{{ database }}";
+{% endfor %}
diff --git a/seed/postgresql/templates/postgresql.yml b/seed/postgresql/templates/postgresql.yml
index 471b4cd..5d9071a 100644
--- a/seed/postgresql/templates/postgresql.yml
+++ b/seed/postgresql/templates/postgresql.yml
@@ -1,4 +1,4 @@
-address: %%ip_eth0
+address: {{ general.network.interface_0.ip_eth0 }}
 user: rougail_test
-password: %%get_password(server_name=%%domain_name_eth0, username='rougail_test', description="remote", type="cleartext", hide=%%hide_secret, temporary=True)
+password: {{ 'rougail_test'|get_password(server_name=domain_name_eth0, description="remote", type="cleartext", hide=hide_secret, temporary=True) }}
 dbname: rougail_test
diff --git a/seed/postgresql/templates/risotto_backup b/seed/postgresql/templates/risotto_backup
new file mode 100644
index 0000000..fc38211
--- /dev/null
+++ b/seed/postgresql/templates/risotto_backup
@@ -0,0 +1,12 @@
+#!/bin/bash -e
+
+rm -rf {{ general.backup_dir }}
+mkdir -p {{ general.backup_dir }}
+chown postgres: {{ general.backup_dir }}
+{% for server in accounts.remotes %}
+{% set name = server|normalize_family %}
+{% set database = accounts["remote_" + name]["database_" + name] %}
+su -c "pg_dump -F c -b -v -f {{ general.backup_dir }}/{{ database }}.dump {{ database }}" postgres
+{% endfor %}
+
+exit 0
diff --git a/seed/prometheus/DEBUG.md b/seed/prometheus/DEBUG.md
new file mode 100644
index 0000000..381f56b
--- /dev/null
+++ b/seed/prometheus/DEBUG.md
@@ -0,0 +1,3 @@
+sed -i 's/"--web.listen-address/"--log.level=debug --web.listen-address/g' /etc/default/prometheus
+systemctl restart prometheus
+
diff --git a/seed/prometheus/applicationservice.yml b/seed/prometheus/applicationservice.yml
new file mode 100644
index 0000000..acdb6bf
--- /dev/null
+++ b/seed/prometheus/applicationservice.yml
@@ -0,0 +1,6 @@
+format: '0.1'
+description: Prometheus, an event monitoring
+website: https://prometheus.io/
+depends:
+  - base-fedora-38
+#  - reverse-proxy-client
diff --git a/seed/prometheus/dictionaries/20_prometheus.xml b/seed/prometheus/dictionaries/20_prometheus.xml
new file mode 100644
index 0000000..afddd10
--- /dev/null
+++ b/seed/prometheus/dictionaries/20_prometheus.xml
@@ -0,0 +1,26 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name="prometheus" target="multi-user">
+      <override/>
+      <file engine="none" source="sysuser-prometheus.conf">/sysusers.d/prometheus.conf</file>
+      <file engine="none" source="tmpfile-prometheus.conf">/tmpfiles.d/0prometheus.conf</file>
+      <file engine="ansible">/etc/prometheus/prometheus.yml</file>
+      <file engine="ansible">/etc/default/prometheus</file>
+    </service>
+  </services>
+  <variables>
+    <family name="prometheus">
+      <variable name="client_addresses" type="domainname" provider="Prometheus" multi="True"/>
+      <variable name="client_ip_addresses" type="ip" multi="True" provider="Prometheus:address" mandatory="False"/>
+      <variable name="listen_address" type="ip" hidden="True"/>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="get_ip">
+      <param type="information">zones</param>
+      <param type="information" variable="providers">Prometheus</param>
+      <target>listen_address</target>
+    </fill>
+  </constraints>
+</rougail>
diff --git a/seed/prometheus/manual/image/preinstall/prometheus.sh b/seed/prometheus/manual/image/preinstall/prometheus.sh
new file mode 100644
index 0000000..3cdb14c
--- /dev/null
+++ b/seed/prometheus/manual/image/preinstall/prometheus.sh
@@ -0,0 +1,2 @@
+PKG="$PKG prometheus"
+COPR="https://copr.fedorainfracloud.org/coprs/lkiesow/prometheus/repo/fedora-38/lkiesow-prometheus-fedora-38.repo"
diff --git a/seed/prometheus/templates/prometheus b/seed/prometheus/templates/prometheus
new file mode 100644
index 0000000..e9ed16b
--- /dev/null
+++ b/seed/prometheus/templates/prometheus
@@ -0,0 +1,5 @@
+# Additional command-line arguments to pass to the server.
+#>GNUNUX
+#ARGS="--web.listen-address=127.0.0.1:9090"
+ARGS="--web.listen-address={{ general.prometheus.listen_address }}:9090"
+#<GNUNUX
diff --git a/seed/prometheus/templates/prometheus.service b/seed/prometheus/templates/prometheus.service
new file mode 100644
index 0000000..43378f6
--- /dev/null
+++ b/seed/prometheus/templates/prometheus.service
@@ -0,0 +1,7 @@
+[Service]
+ExecStart=
+ExecStart=/bin/sh -c 'exec /usr/bin/prometheus \
+  --config.file=/etc/prometheus/prometheus.yml \
+  --storage.tsdb.path=/srv/prometheus/ \
+  ${ARGS}'
+
diff --git a/seed/prometheus/templates/prometheus.yml b/seed/prometheus/templates/prometheus.yml
new file mode 100644
index 0000000..15e3d21
--- /dev/null
+++ b/seed/prometheus/templates/prometheus.yml
@@ -0,0 +1,37 @@
+# my global config
+global:
+  scrape_interval: 15s # Set the scrape interval to every 15 seconds. Default is every 1 minute.
+  evaluation_interval: 15s # Evaluate rules every 15 seconds. The default is every 1 minute.
+  # scrape_timeout is set to the global default (10s).
+
+# Alertmanager configuration
+alerting:
+  alertmanagers:
+    - static_configs:
+        - targets:
+          # - alertmanager:9093
+
+# Load rules once and periodically evaluate them according to the global 'evaluation_interval'.
+rule_files:
+  # - "first_rules.yml"
+  # - "second_rules.yml"
+
+# A scrape configuration containing exactly one endpoint to scrape:
+# Here it's Prometheus itself.
+scrape_configs:
+#>GNUNUX
+#  # The job name is added as a label `job=<job_name>` to any timeseries scraped from this config.
+#  - job_name: "prometheus"
+#
+#    # metrics_path defaults to '/metrics'
+#    # scheme defaults to 'http'.
+#
+#    static_configs:
+#      - targets: ["localhost:9090"]
+
+{% for node in general.prometheus.client_addresses %}
+  - job_name: "{{ node }}"
+    static_configs:
+      - targets: ["{{ general.prometheus.client_ip_addresses[loop.index - 1] }}:9090"]
+{% endfor %}
+#<GNUNUX
diff --git a/seed/prometheus/templates/sysuser-prometheus.conf b/seed/prometheus/templates/sysuser-prometheus.conf
new file mode 100644
index 0000000..ca9620f
--- /dev/null
+++ b/seed/prometheus/templates/sysuser-prometheus.conf
@@ -0,0 +1,2 @@
+g prometheus 7970 -
+u prometheus 7970:7970     "Prometheus" /srv/prometheus /sbin/nologin
diff --git a/seed/prometheus/templates/tmpfile-prometheus.conf b/seed/prometheus/templates/tmpfile-prometheus.conf
new file mode 100644
index 0000000..a40b034
--- /dev/null
+++ b/seed/prometheus/templates/tmpfile-prometheus.conf
@@ -0,0 +1 @@
+d /srv/prometheus 700 prometheus prometheus - -
diff --git a/seed/provider-systemd-machined/dictionaries/16_machined.xml b/seed/provider-systemd-machined/dictionaries/16_machined.xml
index 892976a..0a8bb01 100644
--- a/seed/provider-systemd-machined/dictionaries/16_machined.xml
+++ b/seed/provider-systemd-machined/dictionaries/16_machined.xml
@@ -8,6 +8,9 @@
     <service name="systemd-networkd">
       <file redefine='True' disabled='True'>link_configurations</file>
     </service>
+    <service name="backup" manage="False">
+      <file engine="ansible" filelist="no_backup">/no_risotto_backup</file>
+    </service>
   </services>
   <variables>
     <variable name="link_configurations" redefine="True" disabled="True"/>
@@ -33,12 +36,19 @@
         <value>host</value>
       </variable>
       <variable name="zones_list" redefine="True" supplier="Host:machine_zones"/>
-      <variable name="backup_dir" type="filename" hidden="True">
-        <value>/srv/backup</value>
-      </variable>
     </family>
+    <variable name="do_backup" type="boolean" description="Do backup for this machine">
+      <value>True</value>
+    </variable>
+    <variable name="backup_dir" type="filename" hidden="True">
+      <value>/srv/backup</value>
+    </variable>
   </variables>
   <constraints>
+    <condition name="disabled_if_in" source="do_backup">
+      <param>True</param>
+      <target type="filelist">no_backup</target>
+    </condition>
     <condition name="disabled_if_in" source="machine.add_srv">
       <param>False</param>
       <target type="variable">srv_dir</target>
diff --git a/seed/provider-systemd-machined/templates/no_risotto_backup b/seed/provider-systemd-machined/templates/no_risotto_backup
new file mode 100644
index 0000000..ea97de2
--- /dev/null
+++ b/seed/provider-systemd-machined/templates/no_risotto_backup
@@ -0,0 +1 @@
+#no backup!
diff --git a/seed/relay-mail-client/dictionaries/20_smtp_client.xml b/seed/relay-mail-client/dictionaries/20_smtp_client.xml
index ce1f8f8..2cbcf24 100644
--- a/seed/relay-mail-client/dictionaries/20_smtp_client.xml
+++ b/seed/relay-mail-client/dictionaries/20_smtp_client.xml
@@ -2,20 +2,24 @@
 <rougail version="0.10">
   <services>
     <service name="smtp" manage="False">
-      <certificate authority="Mail" server="smtp_relay_address">smtp</certificate>
+      <certificate authority="InternalMail" server="smtp_relay_address">smtp</certificate>
     </service>
   </services>
   <variables>
     <family name="smtp" description="Client SMTP">
       <variable name="smtp_relay_address" type="domainname" description="Nom de domaine du serveur SMTP" mandatory="True" supplier="SMTP"/>
       <variable name="smtp_relay_ip" type="ip" hidden="True"/>
-      <variable name="smtp_relay_user" type="unix_user" description="Relay username" mandatory="True" hidden="True"/>
+      <variable name="smtp_client_ip" type="ip" hidden="True" mandatory="True"/>
+      <variable name="smtp_relay_user" description="Relay username" mandatory="True" hidden="True"/>
       <variable name="smtp_relay_password" type="secret" description="Relay password" mandatory="True" hidden="True" supplier="SMTP:password"/>
     </family>
   </variables>
   <constraints>
-    <fill name="normalize_family">
-      <param type="variable">domain_name_eth0</param>
+    <fill name="get_local_smtp_info">
+      <param type="variable">smtp_relay_ip</param>
+      <param type="variable">domain_name_eth</param>
+      <param type="variable">network_eth</param>
+      <param name="normalize" type="boolean">True</param>
       <target>smtp_relay_user</target>
     </fill>
     <fill name="get_password">
@@ -31,5 +35,11 @@
       <param type="variable">smtp_relay_address</param>
       <target>smtp_relay_ip</target>
     </fill>
+    <fill name="get_local_smtp_info">
+      <param type="variable">smtp_relay_ip</param>
+      <param type="variable">ip_eth</param>
+      <param type="variable">network_eth</param>
+      <target>smtp_client_ip</target>
+    </fill>
   </constraints>
 </rougail>
diff --git a/seed/relay-mail-client/funcs/relay_mail.py b/seed/relay-mail-client/funcs/relay_mail.py
new file mode 100644
index 0000000..967fc8a
--- /dev/null
+++ b/seed/relay-mail-client/funcs/relay_mail.py
@@ -0,0 +1,12 @@
+from ipaddress import ip_network as _ip_network, ip_address as _ip_address
+from rougail.utils import normalize_family as _normalize_family
+
+
+def get_local_smtp_info(ip_smtp, infos, network_eth, normalize=False):
+    ip_smtp_o = _ip_address(ip_smtp)
+    for idx, net in enumerate(network_eth):
+        if ip_smtp_o in _ip_network(net):
+            val = infos[idx]
+            if normalize:
+                val = _normalize_family(val)
+            return val
diff --git a/seed/reverse-proxy-client/dictionaries/21_revprox_client.xml b/seed/reverse-proxy-client/dictionaries/21_revprox_client.xml
index e378abe..94186f9 100644
--- a/seed/reverse-proxy-client/dictionaries/21_revprox_client.xml
+++ b/seed/reverse-proxy-client/dictionaries/21_revprox_client.xml
@@ -3,7 +3,7 @@
   <services>
     <service name="revprox" manage="False">
       <certificate server="revprox_client_server_domainname" authority="InternalReverseProxy" owner="revprox_client_cert_owner" owner_type="variable" type="server">revprox</certificate>
-      <file filelist="copy_tests">/tests/reverse-proxy.yml</file>
+      <file engine="ansible" filelist="copy_tests">/tests/reverse-proxy.yml</file>
     </service>
   </services>
   <variables>
diff --git a/seed/reverse-proxy-client/templates/reverse-proxy.yml b/seed/reverse-proxy-client/templates/reverse-proxy.yml
index 671cfad..f18ffe2 100644
--- a/seed/reverse-proxy-client/templates/reverse-proxy.yml
+++ b/seed/reverse-proxy-client/templates/reverse-proxy.yml
@@ -1 +1 @@
-ca_certificate: ../../%%{revprox_client_server_domainname.split('.', 1)[0]}.*/etc/pki/ca-trust/source/anchors/ca_External.crt
+ca_certificate: ../../{{ revprox_client_server_domainname.split('.', 1)[0] }}.*/etc/pki/ca-trust/source/anchors/ca_External.crt
diff --git a/seed/roundcube/dictionaries/31_roundcube.xml b/seed/roundcube/dictionaries/31_roundcube.xml
index 4380747..855a6c8 100644
--- a/seed/roundcube/dictionaries/31_roundcube.xml
+++ b/seed/roundcube/dictionaries/31_roundcube.xml
@@ -1,11 +1,11 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
   <services>
-    <service name="roundcube" engine="cheetah" target="multi-user">
+    <service name="roundcube" engine="ansible" target="multi-user">
       <certificate authority="InternalMail" owner="nginx" server="imap_address">roundcube</certificate>
-      <file owner="root" group="nginx" mode="640">/etc/roundcubemail/config.inc.php</file>
-      <file>/etc/nginx/default.d/roundcubemail.conf</file>
-      <file source="domain.inc.php" file_type="variable" variable="roundcube_domains">roundcube_config</file>
+      <file engine="ansible" owner="root" group="nginx" mode="640">/etc/roundcubemail/config.inc.php</file>
+      <file engine="ansible">/etc/nginx/default.d/roundcubemail.conf</file>
+      <file engine="ansible" source="domain.inc.php" file_type="variable" variable="roundcube_domains">roundcube_config</file>
       <file engine="none">/static/silique_cloud.svg</file>
       <file engine="none">/static/watermark.html</file>
     </service>
@@ -59,7 +59,7 @@
         <value>nginx</value>
       </variable>
     </family>
-    <family name="annuaire">
+    <family name="ldap">
       <family name="client">
         <variable name='ldapclient_family' redefine="True" hidden="True"/>
       </family>
diff --git a/seed/roundcube/funcs/roundcube.py b/seed/roundcube/funcs/roundcube.py
index 9d99bfa..a4a90a7 100644
--- a/seed/roundcube/funcs/roundcube.py
+++ b/seed/roundcube/funcs/roundcube.py
@@ -7,4 +7,3 @@ def calc_roundcube_family(families):
     if not uniq_fam[0]:
         return
     return uniq_fam[0]
-
diff --git a/seed/roundcube/templates/config.inc.php b/seed/roundcube/templates/config.inc.php
index 3f6adf9..c39b3b9 100644
--- a/seed/roundcube/templates/config.inc.php
+++ b/seed/roundcube/templates/config.inc.php
@@ -31,7 +31,8 @@ $config = [];
 //       e.g. 'mysql://roundcube:@localhost/roundcubemail?verify_server_cert=false'
 // GNUNUX $config['db_dsnw'] = 'mysql://roundcube:@localhost/roundcubemail';
 //>GNUNUX
-$config['db_dsnw'] = 'pgsql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database?sslmode=verify-full&sslcert=%%tls_cert_directory/postgresql.crt&sslkey=%%tls_key_directory/postgresql.key&sslrootcert=%%tls_ca_directory/PostgreSQL.crt';
+$config['db_dsnw'] = 'pgsql://{{ general.postgresql.pg_client_username }}:{{ general.postgresql.pg_client_password }}@{{ general.postgresql.pg_client_server_domainname }}/{{ general.postgresql.pg_client_database }}?sslmode=verify-full&sslcert={{ general.tls_cert_directory }}/postgresql.crt&sslkey={{ general.tls_key_directory }}/postgresql.key&sslrootcert={{ general.tls_ca_directory }}/PostgreSQL.crt';
+
 //<GNUNUX
 
 // Database DSN for read-only operations (if empty write database will be used)
@@ -258,16 +259,16 @@ $config['messages_cache_ttl'] = '10d';
 $config['messages_cache_threshold'] = 50;
 
 //>GNUNUX
-$config['default_host'] = 'ssl://%%imap_address';
+$config['default_host'] = 'ssl://{{ general.imap.imap_address }}';
 $config['default_port'] = 993;
 $config['imap_auth_type'] = 'PLAIN';
 $config['imap_conn_options'] = [
   'ssl'         => [
      'verify_peer'  => true,
      'verify_depth' => 3,
-     'local_cert'   => '%%tls_cert_directory/imap.crt',
-     'local_pk'     => '%%tls_key_directory/imap.key',
-     'cafile'       => '%%tls_ca_directory/IMAP.crt',
+     'local_cert'   => '{{ general.tls_cert_directory }}/imap.crt',
+     'local_pk'     => '{{ general.tls_key_directory }}/imap.key',
+     'cafile'       => '{{ general.tls_ca_directory }}/IMAP.crt',
    ],
 ];
 $config['imap_delimiter'] = "+";
@@ -347,16 +348,16 @@ $config['smtp_conn_options'] = null;
 
 
 //>GNUNUX
-$config['smtp_server'] = 'tls://%%imap_address';
+$config['smtp_server'] = 'tls://{{ general.imap.imap_address }}';
 $config['smtp_port'] = 587;
 $config['smtp_auth_type'] = 'PLAIN';
 $config['smtp_conn_options'] = [
    'ssl'         => [
      'verify_peer'  => true,
      'verify_depth' => 3,
-     'local_cert'   => '%%tls_cert_directory/roundcube.crt',
-     'local_pk'     => '%%tls_key_directory/roundcube.key',
-     'cafile'       => '%%tls_ca_directory/InternalMail.crt',
+     'local_cert'   => '{{ general.tls_cert_directory }}/roundcube.crt',
+     'local_pk'     => '{{ general.tls_key_directory }}/roundcube.key',
+     'cafile'       => '{{ general.tls_ca_directory }}/InternalMail.crt',
    ],
  ];
 //<GNUNUX
@@ -440,11 +441,11 @@ $config['oauth_login_redirect'] = false;
 //>GNUNUX
 $config['oauth_provider'] = 'generic';
 $config['oauth_provider_name'] = 'LemonLdap';
-$config['oauth_client_id'] = '%%oauth2_client_id';
-$config['oauth_client_secret'] = '%%oauth2_client_secret';
-$config['oauth_auth_uri'] = 'https://%%oauth2_server_domainname/oauth2/authorize';
-$config['oauth_token_uri'] = 'https://%%oauth2_client_server_domainname/oauth2/token';
-$config['oauth_identity_uri'] = 'https://%%oauth2_client_server_domainname/oauth2/userinfo';
+$config['oauth_client_id'] = '{{ general.oauth2_client.oauth2_client_id }}';
+$config['oauth_client_secret'] = '{{ general.oauth2_client.oauth2_client_secret }}';
+$config['oauth_auth_uri'] = 'https://{{ general.oauth2_client.oauth2_server_domainname }}/oauth2/authorize';
+$config['oauth_token_uri'] = 'https://{{ general.oauth2_client.oauth2_client_server_domainname }}/oauth2/token';
+$config['oauth_identity_uri'] = 'https://{{ general.oauth2_client.oauth2_client_server_domainname }}/oauth2/userinfo';
 $config['oauth_verify_peer'] = true;
 $config['oauth_scope'] = "profile email openid";
 $config['oauth_auth_parameters'] = [];
@@ -495,7 +496,7 @@ $config['memcache_retry_interval'] = 15;
 //     ['unix:///var/run/redis/redis-server.sock:1:secret'];
 $config['redis_hosts'] = null;
 //>GNUNUX
-$config['redis_hosts'] = array('%%redis_client_server_domainname:6379:0:%%redis_client_password');
+$config['redis_hosts'] = array('{{ general.redis.redis_client_server_domainname }}:6379:0:{{ general.redis.redis_client_password }}');
 //<GNUNUX
 
 // Maximum size of an object in memcache (in bytes). Default: 2MB
@@ -683,7 +684,7 @@ $config['session_storage'] = 'redis';
 // X_FORWARDED_* and X_REAL_IP headers are only accepted from these IPs
 $config['proxy_whitelist'] = [];
 //>GNUNUX
-$config['proxy_whitelist'] = ['%%revprox_client_server_domainname'];
+$config['proxy_whitelist'] = ['{{ revprox_client_server_domainname }}'];
 //<GNUNUX
 
 // List of trusted host names
@@ -713,7 +714,7 @@ $config['des_key'] = 'rcmail-!24ByteDESkey*Str';
 // but you can choose e.g. AES-256-CBC which we consider a better choice.
 $config['cipher_method'] = 'DES-EDE3-CBC';
 //>GNUNUX
-$config['des_key'] = '%%roundcube_des_key';
+$config['des_key'] = '{{ general.roundcube.roundcube_des_key }}';
 $config['cipher_method'] = 'AES-256-CBC';
 //<GNUNUX
 
@@ -780,9 +781,9 @@ $config['useragent'] = null;
 //>GNUNUX
 //$config['include_host_config'] = false;
 $config['include_host_config'] = array(
-%for %%domain in %%roundcube_domains
-  "%%domain" => "%%{domain}.inc.php",
-%end for
+{% for domain in general.roundcube.roundcube_domain.roundcube_domains %}
+  "{{ domain }}" => "{{ domain }}.inc.php",
+{% endfor %}
 );
 //<GNUNUX
 
diff --git a/seed/roundcube/templates/domain.inc.php b/seed/roundcube/templates/domain.inc.php
index a3692a7..2b8482f 100644
--- a/seed/roundcube/templates/domain.inc.php
+++ b/seed/roundcube/templates/domain.inc.php
@@ -1,24 +1,24 @@
 <?php
 #>GNUNUX
-%set %%domain = %%roundcube_domains[%%rougail_index]
-$config['login_username_filter'] = '/^[a-z0-9_]+@%%{domain.roundcube_mail_domain}$/';
-%set %%family =  %%domain.roundcube_family
-%if %%family
+{% set domain = general.roundcube.roundcube_domain.roundcube_domains[rougail_index] %}
+$config['login_username_filter'] = '/^[a-z0-9_]+@{{ domain.roundcube_mail_domain }}$/';
+{% set family = domain.roundcube_family %}
+{% if family %}
 $config['ldap_public'] = array (
   'Local' => array (
     'name' => "Ma famille",
     'hosts' =>  array (
-      0 => 'ldaps://%%ldap_server_address',
+      0 => 'ldaps://{{ general.ldap.server.ldap_server_address }}',
       ),
     'port' => 636,
     'use_tls' => false,
     'bind_user' => '',
-    'bind_dn' => '%%ldapclient_user',
-    'bind_pass' => '%%ldapclient_user_password',
+    'bind_dn' => '{{ general.ldap.client.ldapclient_user }}',
+    'bind_pass' => '{{ general.ldap.client.ldapclient_user_password }}',
     'auth_method'    => '',
     'vlv' => false, //Samba do not support Virtual List View functions
     'user_specific' => false,
-    'base_dn' => '%%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=%%family)',
+    'base_dn' => '{{ ldapclient_base_dn|calc_ldapclient_base_dn(family_name=family) }}',
     'writable' => false,
     'required_fields' =>  array (
       0 => 'cn',
@@ -49,6 +49,6 @@ $config['ldap_public'] = array (
       ),
   ),
 );
-%end if
+{% endif %}
 #<GNUNUX
 ?>
diff --git a/seed/roundcube/templates/roundcube.service b/seed/roundcube/templates/roundcube.service
index cb7c312..6fe546d 100644
--- a/seed/roundcube/templates/roundcube.service
+++ b/seed/roundcube/templates/roundcube.service
@@ -6,7 +6,7 @@ Before=nginx.service php-fpm.service
 [Service]
 Type=oneshot
 Environment=PGPASSFILE=/usr/local/lib/secrets/postgresql.pass
-ExecStart=-/usr/bin/psql --set=sslmode=verify-full -h %%pg_client_server_domainname -U %%pg_client_username %%pg_client_database -f /usr/share/roundcubemail/SQL/postgres.initial.sql"
+ExecStart=-/usr/bin/psql --set=sslmode=verify-full -h {{ general.postgresql.pg_client_server_domainname }} -U {{ general.postgresql.pg_client_username }} {{ general.postgresql.pg_client_database }} -f /usr/share/roundcubemail/SQL/postgres.initial.sql"
 
 [Install]
 WantedBy=multi-user.target
diff --git a/seed/roundcube/templates/roundcubemail.conf b/seed/roundcube/templates/roundcubemail.conf
index 6213e65..179a762 100644
--- a/seed/roundcube/templates/roundcubemail.conf
+++ b/seed/roundcube/templates/roundcubemail.conf
@@ -2,7 +2,7 @@
 #location = /roundcubemail {
 #alias /usr/share/roundcubemail/;
 location = / {
-    alias %%nginx_root;
+    alias {{ general.nginx.nginx_root }};
 #<GNUNUX
 }
 
@@ -10,7 +10,7 @@ location = / {
 #location /roundcubemail/ {
 #    root /usr/share;
 location / {
-    root %%nginx_root;
+    root {{ general.nginx.nginx_root }};
 #<GNUNUX
     index index.php;
 
diff --git a/seed/speedtest-rs/dictionaries/40_speedtest-rs.xml b/seed/speedtest-rs/dictionaries/40_speedtest-rs.xml
index 09b1ec7..d973c1c 100644
--- a/seed/speedtest-rs/dictionaries/40_speedtest-rs.xml
+++ b/seed/speedtest-rs/dictionaries/40_speedtest-rs.xml
@@ -2,8 +2,8 @@
 <rougail version="0.10">
   <services>
     <service name="speedtest-rs" target="multi-user">
-      <override/>
-      <file>/etc/speedtest-rs/config.env</file>
+      <override engine="none"/>
+      <file engine="ansible">/etc/speedtest-rs/config.env</file>
       <file engine="none">/var/lib/speedtest-rs/speedtest-rs.css</file>
       <file engine="none">/var/lib/speedtest-rs/logo.png</file>
     </service>
diff --git a/seed/speedtest-rs/templates/config.env b/seed/speedtest-rs/templates/config.env
index 0c443a4..d123609 100644
--- a/seed/speedtest-rs/templates/config.env
+++ b/seed/speedtest-rs/templates/config.env
@@ -4,10 +4,10 @@ SPEEDTEST_PORT=443
 
 # certificats and public key
 # those to option are mandatory if you want tu active TLS support
-SPEEDTEST_CERT=%%tls_cert_directory/revprox.crt
-SPEEDTEST_KEY=%%tls_key_directory/revprox.key
+SPEEDTEST_CERT={{ general.tls_cert_directory }}/revprox.crt
+SPEEDTEST_KEY={{ general.tls_key_directory }}/revprox.key
 # optional CA to validate client
-SPEEDTEST_CA_CERT=%%tls_ca_directory/InternalReverseProxy.crt
+SPEEDTEST_CA_CERT={{ general.tls_ca_directory }}/InternalReverseProxy.crt
 
 # Directory with HTML/js files
 SPEEDTEST_DIR=/usr/share/speedtest-rs/
diff --git a/seed/systemd/applicationservice.yml b/seed/systemd/applicationservice.yml
index a5b06a5..b40f320 100644
--- a/seed/systemd/applicationservice.yml
+++ b/seed/systemd/applicationservice.yml
@@ -3,3 +3,4 @@ description: Systemd, a system and service manager
 website: https://systemd.io/
 depends:
   - base-machine
+  - journald
diff --git a/seed/systemd/dictionaries/15_systemd.xml b/seed/systemd/dictionaries/15_systemd.xml
index 7353cd6..1231721 100644
--- a/seed/systemd/dictionaries/15_systemd.xml
+++ b/seed/systemd/dictionaries/15_systemd.xml
@@ -2,31 +2,31 @@
 <rougail version="0.10">
   <services>
     <service name="systemd-networkd">
-      <file file_type="variable" source="network" variable="zones_list">netwokd_configurations</file>
-      <file file_type="variable" source="link" variable="zones_list">link_configurations</file>
+      <file engine="ansible" file_type="variable" source="network" variable="zones_list">netwokd_configurations</file>
+      <file engine="ansible" file_type="variable" source="link" variable="zones_list">link_configurations</file>
     </service>
     <service name="systemd-repart" servicelist='systemd_repart' undisable="True">
-      <override/>
+      <override engine="none"/>
     </service>
-    <service name="systemd-makefs@dev-disk-by\x2dpartlabel-var" engine="cheetah" target="multi-user" servicelist='systemd_repart' undisable='True'>
-      <file>/repart.d/50-var.conf</file>
+    <service name="systemd-makefs@dev-disk-by\x2dpartlabel-var" engine="ansible" target="multi-user" servicelist='systemd_repart' undisable='True'>
+      <file engine="ansible">/repart.d/50-var.conf</file>
     </service>
-    <service name="systemd-makefs@dev-disk-by\x2dpartlabel-var-tmp" engine="cheetah" target="multi-user" servicelist="add_tmp" undisable='True'>
-      <file>/repart.d/40-tmp.conf</file>
+    <service name="systemd-makefs@dev-disk-by\x2dpartlabel-var-tmp" engine="ansible" target="multi-user" servicelist="add_tmp" undisable='True'>
+      <file engine="ansible">/repart.d/40-tmp.conf</file>
     </service>
-    <service name="systemd-makefs@dev-disk-by\x2dpartlabel-srv" engine="cheetah" target="multi-user" servicelist="add_srv" undisable='True'>
-      <file>/repart.d/60-srv.conf</file>
+    <service name="systemd-makefs@dev-disk-by\x2dpartlabel-srv" engine="ansible" target="multi-user" servicelist="add_srv" undisable='True'>
+      <file engine="ansible">/repart.d/60-srv.conf</file>
     </service>
-    <service name="systemd-makefs@dev-disk-by\x2dpartlabel-swap" engine="cheetah" target="multi-user" servicelist="add_swap" undisable='True'>
-      <file>/repart.d/30-swap.conf</file>
+    <service name="systemd-makefs@dev-disk-by\x2dpartlabel-swap" engine="ansible" target="multi-user" servicelist="add_swap" undisable='True'>
+      <file engine="ansible">/repart.d/30-swap.conf</file>
     </service>
-    <service name="var" engine="cheetah" target="multi-user" type="mount" servicelist='systemd_repart' undisable='True'/>
-    <service name="var-tmp" engine="cheetah" target="multi-user" type="mount" servicelist="add_tmp" undisable='True'/>
-    <service name="srv" engine="cheetah" target="multi-user" type="mount" servicelist="add_srv" undisable='True'/>
+    <service name="var" engine="ansible" target="multi-user" type="mount" servicelist='systemd_repart' undisable='True'/>
+    <service name="var-tmp" engine="ansible" target="multi-user" type="mount" servicelist="add_tmp" undisable='True'/>
+    <service name="srv" engine="ansible" target="multi-user" type="mount" servicelist="add_srv" undisable='True'/>
     <service name="dev-disk-by\x2dpartlabel-swap" engine="none" target="multi-user" type="swap" servicelist="add_swap" undisable='True'/>
     <service name="systemd-firstboot">
-      <override/>
-      <file>/secrets/root.pwd</file>
+      <override engine="none"/>
+      <file engine="ansible">/secrets/root.pwd</file>
       <file engine="none">/tmpfiles.d/risotto-volatile.conf</file>
     </service>
     <service name="risotto" target="multi-user" type="target" engine="none"/>
@@ -43,6 +43,55 @@
         <value>zone_name</value>
       </variable>
     </family>
+    <family name="journald">
+      <family name="conditions" hidden="True">
+        <variable name="vector_messages" mandatory="True" multi="True" supplier="Journald:message" unique="False">
+          <value>PAM adding faulty module: /usr/lib64/security/pam_sss.so</value>
+          <value>PAM adding faulty module: /usr/lib64/security/pam_sss.so</value>
+          <value>PAM adding faulty module: /usr/lib64/security/pam_sss.so</value>
+          <value>PAM adding faulty module: /usr/lib64/security/pam_sss.so</value>
+          <value>PAM adding faulty module: /usr/lib64/security/pam_sss.so</value>
+          <value>PAM unable to dlopen(/usr/lib64/security/pam_sss.so): /usr/lib64/security/pam_sss.so: cannot open shared object file: No such file or directory</value>
+          <value>PAM unable to dlopen(/usr/lib64/security/pam_sss.so): /usr/lib64/security/pam_sss.so: cannot open shared object file: No such file or directory</value>
+          <value>PAM unable to dlopen(/usr/lib64/security/pam_sss.so): /usr/lib64/security/pam_sss.so: cannot open shared object file: No such file or directory</value>
+          <value>PAM unable to dlopen(/usr/lib64/security/pam_sss.so): /usr/lib64/security/pam_sss.so: cannot open shared object file: No such file or directory</value>
+          <value>PAM unable to dlopen(/usr/lib64/security/pam_sss.so): /usr/lib64/security/pam_sss.so: cannot open shared object file: No such file or directory</value>
+          <value>Failed to open libbpf, cgroup BPF features disabled: Operation not supported</value>
+          <value>rm(/var/log): Directory not empty</value>
+          <value>: Duplicate line for path</value>
+        </variable>
+        <variable name="vector_services" multi="True" supplier="Journald:service" unique="False">
+          <value>systemd</value><!-- fedora 36-->
+          <value>(systemd)</value><!-- fedora 37-->
+          <value>(ystemctl)</value><!-- fedora 37-->
+          <value>(sh)</value><!-- fedora 38-->
+          <value>su</value>
+          <value>systemd</value><!-- fedora 36-->
+          <value>(systemd)</value><!-- fedora 37-->
+          <value>(ystemctl)</value><!-- fedora 37-->
+          <value>(sh)</value><!-- fedora 38-->
+          <value>su</value>
+          <value>systemd</value>
+          <value>systemd-tmpfiles</value>
+          <value>systemd-tmpfiles</value>
+        </variable>
+        <variable name="vector_functions" multi="True" supplier="Journald:function" mandatory="False" unique="False">
+          <value type="nil"/>
+          <value type="nil"/>
+          <value type="nil"/>
+          <value type="nil"/>
+          <value type="nil"/>
+          <value type="nil"/>
+          <value type="nil"/>
+          <value type="nil"/>
+          <value type="nil"/>
+          <value type="nil"/>
+          <value type="nil"/>
+          <value type="nil"/>
+          <value>contains</value>
+        </variable>
+      </family>
+    </family>
   </variables>
   <constraints>
     <fill name="get_password">
diff --git a/seed/systemd/templates/30-swap.conf b/seed/systemd/templates/30-swap.conf
index fb6fb3f..9ff88a7 100644
--- a/seed/systemd/templates/30-swap.conf
+++ b/seed/systemd/templates/30-swap.conf
@@ -1,5 +1,5 @@
 [Partition]
 Type=swap
-SizeMinBytes=%%{machine.swap_size}M
-SizeMaxBytes=%%{machine.swap_size}M
+SizeMinBytes={{ machine.swap_size }}M
+SizeMaxBytes={{ machine.swap_size }}M
 FactoryReset=yes
diff --git a/seed/systemd/templates/40-tmp.conf b/seed/systemd/templates/40-tmp.conf
index 156d8b0..48b04b5 100644
--- a/seed/systemd/templates/40-tmp.conf
+++ b/seed/systemd/templates/40-tmp.conf
@@ -1,5 +1,5 @@
 [Partition]
 Type=tmp
-SizeMinBytes=%%{machine.var_tmp_size}M
-SizeMaxBytes=%%{machine.var_tmp_size}M
+SizeMinBytes={{ machine.var_tmp_size }}M
+SizeMaxBytes={{ machine.var_tmp_size }}M
 FactoryReset=yes
diff --git a/seed/systemd/templates/50-var.conf b/seed/systemd/templates/50-var.conf
index ce9933e..35c84f4 100644
--- a/seed/systemd/templates/50-var.conf
+++ b/seed/systemd/templates/50-var.conf
@@ -1,5 +1,5 @@
 [Partition]
 Type=var
-SizeMinBytes=%%{machine.var_size}M
-SizeMaxBytes=%%{machine.var_size}M
+SizeMinBytes={{ machine.var_size }}M
+SizeMaxBytes={{ machine.var_size }}M
 FactoryReset=yes
diff --git a/seed/systemd/templates/60-srv.conf b/seed/systemd/templates/60-srv.conf
index d3475f2..a90c999 100644
--- a/seed/systemd/templates/60-srv.conf
+++ b/seed/systemd/templates/60-srv.conf
@@ -1,4 +1,4 @@
 [Partition]
 Type=srv
-SizeMinBytes=%%{machine.srv_size}M
-SizeMaxBytes=%%{machine.srv_size}M
+SizeMinBytes={{ machine.srv_size }}M
+SizeMaxBytes={{ machine.srv_size }}M
diff --git a/seed/systemd/templates/include.mount b/seed/systemd/templates/include.mount
index 346b1d5..723f6e9 100644
--- a/seed/systemd/templates/include.mount
+++ b/seed/systemd/templates/include.mount
@@ -1,11 +1,11 @@
 [Unit]
 DefaultDependencies=no
-After=blockdev@dev-disk-by\x2dpartlabel-%%{part}.target
+After=blockdev@dev-disk-by\x2dpartlabel-{{ part }}.target
 Before=local-fs.target
 
 [Mount]
-Where=%%dir
-What=/dev/disk/by-partlabel/%%part
+Where={{ dir }}
+What=/dev/disk/by-partlabel/{{ part }}
 Type=ext4
 Options=defaults
 
diff --git a/seed/systemd/templates/link b/seed/systemd/templates/link
index 1f795cc..b30b5b3 100644
--- a/seed/systemd/templates/link
+++ b/seed/systemd/templates/link
@@ -1,6 +1,6 @@
-%set %%intnb = %%zones_list.index(%%rougail_variable)
+{% set intnb = zones_list.index(rougail_variable) %}
 [Match]
-OriginalName=eth%%intnb
+OriginalName=eth{{ intnb }}
 
 [Link]
-Name=%%rougail_variable
+Name={{ rougail_variable }}
diff --git a/seed/systemd/templates/network b/seed/systemd/templates/network
index 09ebe0b..630b7ab 100644
--- a/seed/systemd/templates/network
+++ b/seed/systemd/templates/network
@@ -1,11 +1,11 @@
 #RISOTTO: do not compare
-%set %%intnb = %%rougail_index
+{% set intnb = rougail_index %}
 [Match]
-%if %%netwokd_interface_name_type == 'host'
-Name=host%%intnb
-%else
-Name=%%rougail_variable
-%end if
+{% if netwokd_interface_name_type == 'host' %}
+Name=host{{ intnb }}
+{% else %}
+Name={{ rougail_variable }}
+{% endif %}
 
 [Link]
 RequiredForOnline=yes
@@ -13,14 +13,15 @@ RequiredForOnline=yes
 [Network]
 LinkLocalAddressing=no
 DHCP=no
-%set %%cidr = %%str(%%getVar('network_eth' + %%str(intnb))).split('/')[1]
-Address=%%getVar('ip_eth' + %%str(intnb))/%%cidr
-%set %%gateway = %%getVar('gateway_eth' + %%str(intnb))
-%if %%gateway
-Gateway=%%gateway
-%end if
-%set %%dns = %%ip_dns
-%if %%dns
-DNS=%%dns
+{% set parent = general.network['interface_' + intnb|string] %}
+{% set cidr = parent['network_eth' + intnb|string].split('/')[1] %}
+Address={{ parent['ip_eth' + intnb|string] }}/{{ cidr }}
+{% set gateway = parent['gateway_eth' + intnb|string] %}
+{% if gateway %}
+Gateway={{ gateway }}
+{% endif %}
+{% set dns = general.network.ip_dns %}
+{% if dns %}
+DNS={{ dns }}
 ConfigureWithoutCarrier=yes
-%end if
+{% endif %}
diff --git a/seed/systemd/templates/root.pwd b/seed/systemd/templates/root.pwd
index d734bd2..7b16bb3 100644
--- a/seed/systemd/templates/root.pwd
+++ b/seed/systemd/templates/root.pwd
@@ -1 +1 @@
-%%root_password
+{{ root_password }}
diff --git a/seed/systemd/templates/srv.mount b/seed/systemd/templates/srv.mount
index 77565ca..5c12593 100644
--- a/seed/systemd/templates/srv.mount
+++ b/seed/systemd/templates/srv.mount
@@ -1,3 +1,3 @@
-%set global %%part = 'srv'
-%set global %%dir = '/srv'
-%include "include.mount"
+{% set part = 'srv' %}
+{% set dir = '/srv' %}
+{% include "include.mount" %}
diff --git a/seed/systemd/templates/systemd-firstboot.service b/seed/systemd/templates/systemd-firstboot.service
index 7cc2859..e3afeb2 100644
--- a/seed/systemd/templates/systemd-firstboot.service
+++ b/seed/systemd/templates/systemd-firstboot.service
@@ -1,4 +1,4 @@
 [Service]
 ExecStart=
-ExecStart=/usr/bin/systemd-firstboot --root-password-file=/usr/local/lib/secrets/root.pwd --locale=fr_FR.UTF-8
+ExecStart=/usr/bin/systemd-firstboot --root-password-file=/usr/local/lib/secrets/root.pwd --locale=fr_FR.UTF-8 --timezone=Europe/Paris
 ExecStart=/usr/bin/systemd-firstboot --copy
diff --git "a/seed/systemd/templates/systemd-makefs@dev-disk-by\\x2dpartlabel-srv.service" "b/seed/systemd/templates/systemd-makefs@dev-disk-by\\x2dpartlabel-srv.service"
index 9f86dda..336142a 100644
--- "a/seed/systemd/templates/systemd-makefs@dev-disk-by\\x2dpartlabel-srv.service"
+++ "b/seed/systemd/templates/systemd-makefs@dev-disk-by\\x2dpartlabel-srv.service"
@@ -1,4 +1,4 @@
-%set global %%part = 'srv'
-%set global %%name = 'srv'
-%set global %%format = 'ext4'
-%include "systemd-makefs@dev-disk-byx2dpartlabel.service"
+{% set part = 'srv' %}
+{% set name = 'srv' %}
+{% set format = 'ext4' %}
+{% include "systemd-makefs@dev-disk-byx2dpartlabel.service" %}
diff --git "a/seed/systemd/templates/systemd-makefs@dev-disk-by\\x2dpartlabel-swap.service" "b/seed/systemd/templates/systemd-makefs@dev-disk-by\\x2dpartlabel-swap.service"
index 0219111..909b467 100644
--- "a/seed/systemd/templates/systemd-makefs@dev-disk-by\\x2dpartlabel-swap.service"
+++ "b/seed/systemd/templates/systemd-makefs@dev-disk-by\\x2dpartlabel-swap.service"
@@ -1,5 +1,4 @@
-%set global %%part = 'swap'
-%set global %%name = 'swap'
-%set global %%format = 'swap'
-%include "systemd-makefs@dev-disk-byx2dpartlabel.service"
-
+{% set part = 'swap' %}
+{% set name = 'swap' %}
+{% set format = 'swap' %}
+{% include "systemd-makefs@dev-disk-byx2dpartlabel.service" %}
diff --git "a/seed/systemd/templates/systemd-makefs@dev-disk-by\\x2dpartlabel-var-tmp.service" "b/seed/systemd/templates/systemd-makefs@dev-disk-by\\x2dpartlabel-var-tmp.service"
index 8b9faf3..e2b240e 100644
--- "a/seed/systemd/templates/systemd-makefs@dev-disk-by\\x2dpartlabel-var-tmp.service"
+++ "b/seed/systemd/templates/systemd-makefs@dev-disk-by\\x2dpartlabel-var-tmp.service"
@@ -1,4 +1,4 @@
-%set global %%part = 'tmp'
-%set global %%name = 'var-tmp'
-%set global %%format = 'ext4'
-%include "systemd-makefs@dev-disk-byx2dpartlabel.service"
+{% set part = 'tmp' %}
+{% set name = 'var-tmp' %}
+{% set format = 'ext4' %}
+{% include "systemd-makefs@dev-disk-byx2dpartlabel.service" %}
diff --git "a/seed/systemd/templates/systemd-makefs@dev-disk-by\\x2dpartlabel-var.service" "b/seed/systemd/templates/systemd-makefs@dev-disk-by\\x2dpartlabel-var.service"
index 868361e..ec75934 100644
--- "a/seed/systemd/templates/systemd-makefs@dev-disk-by\\x2dpartlabel-var.service"
+++ "b/seed/systemd/templates/systemd-makefs@dev-disk-by\\x2dpartlabel-var.service"
@@ -1,4 +1,4 @@
-%set global %%part = 'var'
-%set global %%name = 'var'
-%set global %%format = 'ext4'
-%include "systemd-makefs@dev-disk-byx2dpartlabel.service"
+{% set part = 'var' %}
+{% set name = 'var' %}
+{% set format = 'ext4' %}
+{% include "systemd-makefs@dev-disk-byx2dpartlabel.service" %}
diff --git a/seed/systemd/templates/systemd-makefs@dev-disk-byx2dpartlabel.service b/seed/systemd/templates/systemd-makefs@dev-disk-byx2dpartlabel.service
index 8c2416f..820791d 100644
--- a/seed/systemd/templates/systemd-makefs@dev-disk-byx2dpartlabel.service
+++ b/seed/systemd/templates/systemd-makefs@dev-disk-byx2dpartlabel.service
@@ -1,18 +1,18 @@
 [Unit]
 DefaultDependencies=no
-BindsTo=dev-disk-by\x2dpartlabel-%%{part}.device
+BindsTo=dev-disk-by\x2dpartlabel-{{ part }}.device
 Conflicts=shutdown.target
-After=dev-disk-by\x2dpartlabel-%%{part}.device
-%if %%format == 'swap'
+After=dev-disk-by\x2dpartlabel-{{ part }}.device
+{% if format == 'swap' %}
 Before=shutdown.target dev-disk-by\x2dpartlabel-swap.swap
-%else
-Before=shutdown.target systemd-fsck@dev-disk-by\x2dpartlabel-%%{part}.service %%{name}.mount
-%end if
+{% else %}
+Before=shutdown.target systemd-fsck@dev-disk-by\x2dpartlabel-{{ part }}.service {{ name }}.mount
+{% endif %}
 
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart=/usr/lib/systemd/systemd-makefs %%format /dev/disk/by-partlabel/%%part
+ExecStart=/usr/lib/systemd/systemd-makefs {{ format }} /dev/disk/by-partlabel/{{ part }}
 TimeoutSec=0
 
 [Install]
diff --git a/seed/systemd/templates/var-tmp.mount b/seed/systemd/templates/var-tmp.mount
index c3673d0..7ae101e 100644
--- a/seed/systemd/templates/var-tmp.mount
+++ b/seed/systemd/templates/var-tmp.mount
@@ -1,3 +1,3 @@
-%set global %%part = 'tmp'
-%set global %%dir = '/var/tmp'
-%include "include.mount"
+{% set part = 'tmp' %}
+{% set dir = '/var/tmp' %}
+{% include "include.mount" %}
diff --git a/seed/systemd/templates/var.mount b/seed/systemd/templates/var.mount
index 0c8e5cd..77c493a 100644
--- a/seed/systemd/templates/var.mount
+++ b/seed/systemd/templates/var.mount
@@ -1,3 +1,3 @@
-%set global %%part = 'var'
-%set global %%dir = '/var'
-%include "include.mount"
+{% set part = 'var' %}
+{% set dir = '/var' %}
+{% include "include.mount" %}
diff --git a/seed/tls/applicationservice.yml b/seed/tls/applicationservice.yml
index dc320f5..81365cd 100644
--- a/seed/tls/applicationservice.yml
+++ b/seed/tls/applicationservice.yml
@@ -2,6 +2,6 @@ format: '0.1'
 description: PLEASE DO NOT USE THIS APPLICATION SERVICE, use for manage tls certificates
 documentation: false
 depends:
-  - base-fedora-37
+  - base-fedora-38
   - reverse-proxy-client
   - dns-external
diff --git a/seed/tls/dictionaries/26_tls.xml b/seed/tls/dictionaries/26_tls.xml
index 47983f3..88f2b6d 100644
--- a/seed/tls/dictionaries/26_tls.xml
+++ b/seed/tls/dictionaries/26_tls.xml
@@ -1,11 +1,11 @@
 <?xml version="1.0" encoding="utf-8"?>
 <rougail version="0.10">
   <services>
-    <service name="tls" engine="cheetah" target="multi-user">
+    <service name="tls" engine="none" target="multi-user">
       <file engine="none" source="sysuser-tls.conf">/sysusers.d/tls.conf</file>
       <file engine="none" source="tmpfile-tls.conf">/tmpfiles.d/0tls.conf</file>
-      <file>/etc/risotto/configuration.yml</file>
-      <file>/etc/risotto/certificates.yml</file>
+      <file engine="ansible">/etc/risotto/configuration.yml</file>
+      <file engine="ansible">/etc/risotto/certificates.yml</file>
     </service>
     <service name="tls" type="timer" engine="none" target="timers"/>
   </services>
diff --git a/seed/tls/manual/image/postinstall/autosign.py b/seed/tls/manual/image/postinstall/autosign.py
index 171c6d8..969a3ba 100644
--- a/seed/tls/manual/image/postinstall/autosign.py
+++ b/seed/tls/manual/image/postinstall/autosign.py
@@ -71,11 +71,11 @@ def _gen_cert(is_ca,
               ):
     validity_end_in_seconds = 10*24*60*60
     email_address = config['email']
-    country_name = config['country']
-    locality_name = config['locality']
-    state_or_province_name = config['state']
-    organization_name = config['org_name']
-    organization_unit_name = config['org_unit_name']
+#    country_name = config['country']
+#    locality_name = config['locality']
+#    state_or_province_name = config['state']
+#    organization_name = config['org_name']
+#    organization_unit_name = config['org_unit_name']
     #can look at generated file using openssl:
     #openssl x509 -inform pem -in selfsigned.crt -noout -text
     # create a key pair
@@ -87,13 +87,13 @@ def _gen_cert(is_ca,
         key = _gen_key_pair()
     cert = X509()
     cert.set_version(2)
-    cert.get_subject().C = country_name
-    cert.get_subject().ST = state_or_province_name
-    cert.get_subject().L = locality_name
-    cert.get_subject().O = organization_name
-    cert.get_subject().OU = organization_unit_name
+#    cert.get_subject().C = country_name
+#    cert.get_subject().ST = state_or_province_name
+#    cert.get_subject().L = locality_name
+#    cert.get_subject().O = organization_name
+#    cert.get_subject().OU = organization_unit_name
     cert.get_subject().CN = common_names[0]
-    cert.get_subject().emailAddress = email_address
+#    cert.get_subject().emailAddress = email_address
     cert_ext = []
     if not is_ca:
         cert_ext.append(X509Extension(b'basicConstraints', False, b'CA:FALSE'))
diff --git a/seed/tls/templates/certificates.yml b/seed/tls/templates/certificates.yml
index f995712..f07efa8 100644
--- a/seed/tls/templates/certificates.yml
+++ b/seed/tls/templates/certificates.yml
@@ -1,15 +1,14 @@
-%for %%machine, %%certificates in %%extra_variables['certificates'].items()
-%%machine:
-  %for %%certificate in %%certificates
-  - certificate: %%certificate.name
-    %if 'private' in %%certificate
-    private: %%certificate.private
-    %end if
-    authority: %%certificate.authority
-    authority_server: %%certificate.get('server', 'null')
-    domain: %%certificate.domain
-    provider: %%certificate.provider
-    type: %%certificate.type
-    pouet: test
-  %end for
-%end for
+{% for machine, certificates in extra_variables['certificates'].items() %}
+{{ machine }}:
+{% for certificate in certificates %}
+  - certificate: {{ certificate.name }}
+{% if 'private' in certificate %}
+    private: {{ certificate.private }}
+{% endif %}
+    authority: {{ certificate.authority }}
+    authority_server: {{ certificate.get('server', 'null') }}
+    domain: {{ certificate.domain }}
+    provider: {{ certificate.provider }}
+    type: {{ certificate.type }}
+{% endfor %}
+{% endfor %}
diff --git a/seed/tls/templates/configuration.yml b/seed/tls/templates/configuration.yml
index d4d2ff6..240f721 100644
--- a/seed/tls/templates/configuration.yml
+++ b/seed/tls/templates/configuration.yml
@@ -1,3 +1,3 @@
-%for %%key, %%value in %%extra_variables['configuration'].items()
-%%key: %%value
-%end for
+{% for key, value in extra_variables['configuration'].items() %}
+{{ key }}: {{ value }}
+{% endfor %}
diff --git a/seed/unbound/dictionaries/20_unbound.xml b/seed/unbound/dictionaries/20_unbound.xml
index 9338265..4c12fd7 100644
--- a/seed/unbound/dictionaries/20_unbound.xml
+++ b/seed/unbound/dictionaries/20_unbound.xml
@@ -4,14 +4,14 @@
     <!-- FIXME activer le timer ? -->
     <service name='unbound' target="multi-user">
       <ip ip_type='variable'>unbound_allowed_client</ip>
-      <override/>
-      <file>/etc/unbound/conf.d/risotto.conf</file>
-      <file>/etc/unbound/unbound.conf</file>
+      <override engine="none"/>
+      <file engine="ansible">/etc/unbound/conf.d/risotto.conf</file>
+      <file engine="ansible">/etc/unbound/unbound.conf</file>
       <file engine="none" source="sysuser-unbound.conf">/sysusers.d/0unbound.conf</file>
       <file engine="none" source="tmpfile-unbound.conf">/tmpfiles.d/0unbound.conf</file>
     </service>
     <service name='unbound-anchor'>
-      <override/>
+      <override engine="none"/>
     </service>
     <service name='unbound-keygen' disabled="True"/>
   </services>
diff --git a/seed/unbound/templates/risotto.conf b/seed/unbound/templates/risotto.conf
index 66813ee..584f23e 100644
--- a/seed/unbound/templates/risotto.conf
+++ b/seed/unbound/templates/risotto.conf
@@ -1,34 +1,34 @@
 #RISOTTO: do not compare
 server:
-%for %%interface in %%range(%%len(%%zones_list))
-    interface: %%getVar('ip_eth' + %%str(%%interface))
-%end for
+{% for interface in general.network.interfaces_list %}
+    interface: {{ general.network['interface_' + interface|string]['ip_eth' + interface|string] }}
+{% endfor %}
     do-ip4: yes
     do-ip6: no
     use-syslog: yes
-%for %%interface in %%range(%%len(%%zones_list))
-    access-control: %%getVar('ip_eth' + %%str(%%interface)) allow
-%end for
-%for %%authority in %%unbound_forward_address
-    access-control: %%authority.unbound_allowed_client allow
-%end for
+{% for interface in general.network.interfaces_list %}
+    access-control: {{ general.network['interface_' + interface|string]['ip_eth' + interface|string] }} allow
+{% endfor %}
+{% for authority in general.dns_resolver.forward_zones.unbound_forward_address %}
+    access-control: {{ authority.unbound_allowed_client }} allow
+{% endfor %}
     do-not-query-localhost: no
     auto-trust-anchor-file: "/srv/unbound/root.key"
 
 remote-control:
     control-interface: 127.0.0.1
 
-%for %%authority in %%unbound_forward_address
- %for %%zone in %%authority.unbound_forward_zones
+{% for authority in general.dns_resolver.forward_zones.unbound_forward_address %}
+{% for zone in authority.unbound_forward_zones %}
 forward-zone:
-    name: "%%zone"
-    forward-addr: %%authority.unbound_allowed_client
+    name: "{{ zone }}"
+    forward-addr: {{ authority.unbound_allowed_client }}
 
- %end for
-%end for
+{% endfor %}
+{% endfor %}
 forward-zone:
     name: "."
-%for %%forward in %%unbound_default_forwards
-    forward-addr: %%forward
-%end for
+{% for forward in general.dns_resolver.unbound_default_forwards %}
+    forward-addr: {{ forward }}
+{% endfor %}
     # forward-first: no
diff --git a/seed/unbound/templates/unbound.conf b/seed/unbound/templates/unbound.conf
index b8b4804..3283054 100644
--- a/seed/unbound/templates/unbound.conf
+++ b/seed/unbound/templates/unbound.conf
@@ -583,11 +583,11 @@ server:
 	# Ignore chain of trust. Domain is treated as insecure.
 	# domain-insecure: "example.com"
 	#>GNUNUX
-%for %%authority in %%unbound_forward_address
- %for %%zone in %%authority.unbound_forward_zones
-	domain-insecure: "%%zone"
- %end for
-%end for
+{% for authority in unbound_forward_address %}
+{% for zone in authority.unbound_forward_zones %}
+	domain-insecure: "{{ zone }}"
+{%- endfor %}
+{%- endfor %}
 	#<GNUNUX
 
 	# Override the date for validation with a specific fixed date.
diff --git a/seed/vaultwarden/dictionaries/40_vaultwarden.xml b/seed/vaultwarden/dictionaries/40_vaultwarden.xml
index 270cf5d..811502d 100644
--- a/seed/vaultwarden/dictionaries/40_vaultwarden.xml
+++ b/seed/vaultwarden/dictionaries/40_vaultwarden.xml
@@ -2,10 +2,10 @@
 <rougail version="0.10">
   <services>
     <service name="vaultwarden" target="multi-user">
-      <override/>
+      <override engine="none"/>
       <file engine="none" source="tmpfile-vaultwarden.conf">/tmpfiles.d/0vaultwarden.conf</file>
-      <file source="vaultwarden_config.env">/etc/vaultwarden/config.env</file>
-      <file filelist="copy_tests">/tests/vaultwarden.yml</file>
+      <file engine="ansible" source="vaultwarden_config.env">/etc/vaultwarden/config.env</file>
+      <file engine="ansible" filelist="copy_tests">/tests/vaultwarden.yml</file>
     </service>
   </services>
   <variables>
diff --git a/seed/vaultwarden/templates/vaultwarden.yml b/seed/vaultwarden/templates/vaultwarden.yml
index 06c489b..a7508af 100644
--- a/seed/vaultwarden/templates/vaultwarden.yml
+++ b/seed/vaultwarden/templates/vaultwarden.yml
@@ -1,8 +1,8 @@
-%set %%domain = %%revprox_client_external_domainnames[0]
-url: https://%%domain%%domain.revprox_client_location
-%set %%username='rougail_test@silique.fr'
-username: %%username
-password: %%get_password(server_name=%%domain_name_eth0, username=%%username, description='test', type="cleartext", hide=%%hide_secret, temporary=False)
-privkey: %%srv_dir/vaultwarden/rsa_key.pem
-uuid: %%vaultwarden_test_device_identifier
-revprox_ip: %%revprox_client_server_ip
+{% set domain = general.revprox.revprox_client.revprox_client_external_domainnames[0] %}
+url: https://{{ domain }}{{ domain.revprox_client_location }}
+{% set username='rougail_test@silique.fr' %}
+username: {{ username }}
+password: {{ username|get_password(server_name=general.network.interface_0.domain_name_eth0, description='test', type="cleartext", hide=general.hide_secret, temporary=False) }}
+privkey: {{ srv_dir }}/vaultwarden/rsa_key.pem
+uuid: {{ general.vaultwarden.vaultwarden_test_device_identifier }}
+revprox_ip: {{ general.revprox.revprox_client.revprox_client_server_ip }}
diff --git a/seed/vaultwarden/templates/vaultwarden_config.env b/seed/vaultwarden/templates/vaultwarden_config.env
index e48d207..b701f3e 100644
--- a/seed/vaultwarden/templates/vaultwarden_config.env
+++ b/seed/vaultwarden/templates/vaultwarden_config.env
@@ -20,7 +20,7 @@ DATA_FOLDER=/srv/vaultwarden
 ## - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
 # DATABASE_URL=postgresql://user:password@host[:port]/database_name
 #>GNUNUX
-DATABASE_URL=postgresql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database?sslmode=verify-full&sslcert=%%tls_cert_directory/postgresql.crt&sslkey=%%tls_key_directory/postgresql.key&sslrootcert=%%tls_ca_directory/PostgreSQL.crt
+DATABASE_URL=postgresql://{{ general.postgresql.pg_client_username }}:{{ general.postgresql.pg_client_password }}@{{ general.postgresql.pg_client_server_domainname }}/{{ general.postgresql.pg_client_database }}?sslmode=verify-full&sslcert={{ general.tls_cert_directory }}/postgresql.crt&sslkey={{ general.tls_key_directory }}/postgresql.key&sslrootcert={{ general.tls_ca_directory }}/PostgreSQL.crt
 #<GNUNUX
 
 ## Database max connections
@@ -216,7 +216,7 @@ WEB_VAULT_ENABLED=true
 ## Name shown in the invitation emails that don't come from a specific organization
 # INVITATION_ORG_NAME=Vaultwarden
 #>GNUNUX
-INVITATION_ORG_NAME=%%vaultwarden_org_name
+INVITATION_ORG_NAME={{ general.vaultwarden.vaultwarden_org_name }}
 #<GNUNUX
 
 ## Per-organization attachment storage limit (KB)
@@ -256,11 +256,11 @@ INVITATION_ORG_NAME=%%vaultwarden_org_name
 ## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs
 # DOMAIN=https://bw.domain.tld:8443
 #>GNUNUX
-%set %%location = %%revprox_client_external_domainnames[0].revprox_client_location
-%if %%location.endswith('/')
- %set %%location = %%location[:-1]
-%end if
-DOMAIN=https://%%{revprox_client_external_domainnames[0]}%%location
+{% set location = general.revprox.revprox_client.revprox_client_external_domainnames[0].revprox_client_location %}
+{% if location.endswith('/') %}
+{% set location = location[:-1] %}
+{% endif %}
+DOMAIN=https://{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}{{ location }}
 #<GNUNUX
 
 ## Allowed iframe ancestors (Know the risks!)
@@ -326,15 +326,15 @@ ROCKET_TLS='{certs="/etc/pki/tls/certs/revprox.crt",key="/etc/pki/tls/private/re
 # SMTP_PASSWORD=password
 # SMTP_TIMEOUT=15
 #>GNUNUX
-SMTP_HOST=%%smtp_relay_address
-SMTP_FROM=%%vaultwarden_admin_email
-SMTP_FROM_NAME=%%domain_name_eth0
+SMTP_HOST={{ general.smtp.smtp_relay_address }}
+SMTP_FROM={{ general.vaultwarden.vaultwarden_admin_email }}
+SMTP_FROM_NAME={{ general.network.interface_0.domain_name_eth0 }}
 SMTP_PORT=25
 SMTP_SSL=true
 #SMTP_EXPLICIT_TLS=true
 SMTP_TIMEOUT=15
-SMTP_USERNAME=%%smtp_relay_user@%%ip_eth0
-SMTP_PASSWORD=%%smtp_relay_password
+SMTP_USERNAME={{ general.smtp.smtp_relay_user }}@{{ general.smtp.smtp_client_ip }}
+SMTP_PASSWORD={{ general.smtp.smtp_relay_password }}
 #<GNUNUX
 
 ## Defaults for SSL is "Plain" and "Login" and nothing for Non-SSL connections.
diff --git a/seed/vector/DEBUG.md b/seed/vector/DEBUG.md
new file mode 100644
index 0000000..b0d3828
--- /dev/null
+++ b/seed/vector/DEBUG.md
@@ -0,0 +1 @@
+vector top
diff --git a/seed/vector/applicationservice.yml b/seed/vector/applicationservice.yml
new file mode 100644
index 0000000..5f826de
--- /dev/null
+++ b/seed/vector/applicationservice.yml
@@ -0,0 +1,6 @@
+format: '0.1'
+description: Vector, a lightweight, ultra-fast tool for building observability pipelines
+website: https://vector.dev/
+depends:
+  - base-fedora-38
+  - journald_remote
diff --git a/seed/vector/dictionaries/20_vector.xml b/seed/vector/dictionaries/20_vector.xml
new file mode 100644
index 0000000..1e91077
--- /dev/null
+++ b/seed/vector/dictionaries/20_vector.xml
@@ -0,0 +1,28 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name="vector" target="multi-user">
+      <file engine="none" source="sysuser-vector.conf">/sysusers.d/vector.conf</file>
+      <file engine="none" source="tmpfile-vector.conf">/tmpfiles.d/0vector.conf</file>
+      <file engine="ansible">/etc/vector/vector.toml</file>
+      <file engine="ansible" mode="755">/sbin/vector_journalctl</file>
+    </service>
+  </services>
+  <variables>
+    <family name="vector" description="loki">
+      <variable name="client_addresses" type="domainname" provider="Vector" multi="True"/>
+      <variable name="listen_address" type="ip" hidden="True"/>
+    </family>
+    <family name="loki" description="loki">
+      <variable name="server_domainname" type="domainname" supplier="Loki" mandatory="True"/>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="get_ip">
+      <param type="information">zones</param>
+      <param type="information" variable="providers">Vector</param>
+      <target>listen_address</target>
+    </fill>
+  </constraints>
+</rougail>
+
diff --git a/seed/vector/manual/image/postinstall/vector.sh b/seed/vector/manual/image/postinstall/vector.sh
new file mode 100644
index 0000000..89ad8e7
--- /dev/null
+++ b/seed/vector/manual/image/postinstall/vector.sh
@@ -0,0 +1,16 @@
+#FIXME signature...
+ORI_PWD=$PWD
+cd "$REPO_DIR"
+FEDO_VERSION=$(bash -c ". ../os-release; echo \$VERSION_ID")
+URL="https://repositories.timber.io/public/vector/config.rpm.txt?distro=fedora&codename=Workstation\ Edition&version=$FEDO_VERSION&arch=$(uname -m)}"
+wget -q "$URL" -O vector.repo
+sed -i 's/repo_gpgcheck=1/repo_gpgcheck=0/g' vector.repo
+sed -i 's/sslverify=1/sslverify=0/g' vector.repo
+#sed -i "s@sslcacert=@sslcacert=$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP@g" vector.repo
+sed -i "s@gpgkey=https://repositories.timber.io/public/vector/@gpgkey=file://$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/etc/pki/rpm-gpg/@g" vector.repo
+cd ../pki/rpm-gpg
+wget -q https://repositories.timber.io/public/vector/gpg.3543DB2D0A2BC4B8.key
+cd $ORI_PWD > /dev/null
+
+OPT=$(dnf_opt "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP" "vector")
+dnf --assumeyes $OPT
diff --git a/seed/vector/manual/image/preinstall/vector.sh b/seed/vector/manual/image/preinstall/vector.sh
new file mode 100644
index 0000000..c260d01
--- /dev/null
+++ b/seed/vector/manual/image/preinstall/vector.sh
@@ -0,0 +1 @@
+PKG="$PKG systemd-journal-remote"
diff --git a/seed/vector/templates/sysuser-vector.conf b/seed/vector/templates/sysuser-vector.conf
new file mode 100644
index 0000000..08258fe
--- /dev/null
+++ b/seed/vector/templates/sysuser-vector.conf
@@ -0,0 +1,4 @@
+g vector 997 -
+u vector 997:997     "Vector observability data router" /srv/vector /sbin/nologin
+m vector systemd-journal
+m vector systemd-journal-remote
diff --git a/seed/vector/templates/tmpfile-vector.conf b/seed/vector/templates/tmpfile-vector.conf
new file mode 100644
index 0000000..3d292e4
--- /dev/null
+++ b/seed/vector/templates/tmpfile-vector.conf
@@ -0,0 +1 @@
+d /srv/vector 700 vector vector - -
diff --git a/seed/vector/templates/vector.toml b/seed/vector/templates/vector.toml
new file mode 100644
index 0000000..8858ad8
--- /dev/null
+++ b/seed/vector/templates/vector.toml
@@ -0,0 +1,112 @@
+#                                    __   __  __
+#                                    \ \ / / / /
+#                                     \ V / / /
+#                                      \_/  \/
+#
+#                                    V E C T O R
+#                                   Configuration
+#
+# ------------------------------------------------------------------------------
+# Website: https://vector.dev
+# Docs: https://vector.dev/docs
+# Chat: https://chat.vector.dev
+# ------------------------------------------------------------------------------
+
+# Change this to use a non-default directory for Vector data storage:
+# data_dir = "/var/lib/vector"
+#>GNUNUX
+data_dir = "/srv/vector"
+#<GNUNUX
+
+# Random Syslog-formatted logs
+#>GNUNUX
+#[sources.dummy_logs]
+#type = "demo_logs"
+#format = "syslog"
+#interval = 1
+{% if general.vector.client_addresses %}
+[sources.vector_client]
+type = "vector"
+address = "{{ general.vector.listen_address }}:8686"
+{% endif %}
+
+[sources.remote_journal]
+type = "journald"
+#journal_directory = "/var/log/journal/remote/"
+journalctl_path = "/usr/local/lib/sbin/vector_journalctl"
+current_boot_only = false
+#<GNUNUX
+
+# Parse Syslog logs
+# See the Vector Remap Language reference for more info: https://vrl.dev
+#>GNUNUX
+#[transforms.parse_logs]
+#type = "remap"
+#inputs = ["dummy_logs"]
+#source = '''
+#. = parse_syslog!(string!(.message))
+#'''
+[transforms.filter_logs]
+type = "filter"
+{% if general.vector.client_addresses %}
+inputs = ["vector_client", "remote_journal"]
+{% else %}
+inputs = ["remote_journal"]
+{% endif %}
+condition = '{{ accounts.vector_conditions }}'
+
+[transforms.parse_logs]
+type = "remap"
+inputs = ["filter_logs"]
+#    "syslog_identifier": .SYSLOG_IDENTIFIER,
+source = '''
+if is_null(.SYSLOG_IDENTIFIER) {
+  .SYSLOG_IDENTIFIER = ._SYSTEMD_UNIT
+}
+. = {
+    "message" : .message,
+    "timestamp": .timestamp,
+    "hostname" : .host,
+    "priority": .PRIORITY,
+    "identifier": .SYSLOG_IDENTIFIER,
+    "uid": ._UID,
+    "gid": ._GID,
+    "pid": ._PID,
+    "severity": to_syslog_level(to_int(.PRIORITY) ?? 0) ?? ""
+}
+'''
+#<GNUNUX
+
+# Print parsed logs to stdout
+#>GNUNUX
+#[sinks.print]
+#type = "console"
+#inputs = ["parse_logs"]
+#encoding.codec = "json"
+#[sinks.file_text_output]
+#type = "file"
+#inputs = ["parse_logs"]
+#encoding.codec = "json"
+#{% raw %}path = "/srv/vector/logs/by-host/{{ hostname }}/%Y-%m-%d.log"{% endraw %}
+
+[sinks.loki_output]
+type = "loki"
+inputs = ["parse_logs"]
+endpoint = "http://{{ general.loki.server_domainname }}:3100"
+encoding.codec = "json"
+{%- raw %}
+labels = {app="{{ identifier }}", host=" {{ hostname }}", severity="{{ severity }}"}
+{% endraw -%}
+#<GNUNUX
+
+# Vector's GraphQL API (disabled by default)
+# Uncomment to try it out with the `vector top` command or
+# in your browser at http://localhost:8686
+#[api]
+#enabled = true
+#address = "127.0.0.1:8686"
+#>GNUNUX
+[api]
+enabled = true
+address = "127.0.0.1:8686"
+#<GNUNUX
diff --git a/seed/vector/templates/vector_journalctl b/seed/vector/templates/vector_journalctl
new file mode 100644
index 0000000..8549e60
--- /dev/null
+++ b/seed/vector/templates/vector_journalctl
@@ -0,0 +1,3 @@
+#!/bin/bash
+
+/usr/bin/journalctl --merge $@
diff --git a/seed/znc/dictionaries/40_znc.xml b/seed/znc/dictionaries/40_znc.xml
index 497df6d..e6704fe 100644
--- a/seed/znc/dictionaries/40_znc.xml
+++ b/seed/znc/dictionaries/40_znc.xml
@@ -2,12 +2,12 @@
 <rougail version="0.10">
   <services>
     <service name="znc" target="multi-user">
-      <override/>
+      <override engine="none"/>
       <certificate authority="External" owner="znc" type="server" domain="external_domain_name" provider="znc_crt_provider">znc</certificate>
-      <file mode="700">/secrets/znc_passwords</file>
+      <file mode="700" engine="ansible">/secrets/znc_passwords</file>
       <file engine="none" source="sysuser-znc.conf">/sysusers.d/1znc.conf</file>
-      <file source="tmpfile-znc.conf">/tmpfiles.d/0znc.conf</file>
-      <file owner="znc" mode="640">/etc/znc/znc.conf</file>
+      <file engine="ansible" source="tmpfile-znc.conf">/tmpfiles.d/0znc.conf</file>
+      <file engine="ansible" owner="znc" mode="640">/etc/znc/znc.conf</file>
     </service>
   </services>
   <variables>
diff --git a/seed/znc/templates/znc.conf b/seed/znc/templates/znc.conf
index 98439bf..8c50607 100644
--- a/seed/znc/templates/znc.conf
+++ b/seed/znc/templates/znc.conf
@@ -1,6 +1,3 @@
-%compiler-settings
-commentStartToken = //
-%end compiler-settings
 //GNUNUX generate with command znc --makeconf
 // WARNING
 //
@@ -13,8 +10,8 @@ commentStartToken = //
 // Also check https://wiki.znc.in/Configuration
 
 //>GNUNUX
-SSLCertFile = %%tls_cert_directory/znc.crt
-SSLKeyFile  = %%tls_key_directory/znc.key
+SSLCertFile = {{ tls_cert_directory }}/znc.crt
+SSLKeyFile  = {{ tls_key_directory }}/znc.key
 //<GNUNUX
 
 Version = 1.8.2
@@ -29,20 +26,20 @@ Version = 1.8.2
 </Listener>
 //GNUNUX LoadModule = webadmin
 
-<User %%user_name>
-        {{PASSWORD}}
+<User {{ user_name }}>
+        @@PASSWORD@@
 	Admin      = false
-	Nick       = %%user_name
-	AltNick    = %%{user_name}_
-	Ident      = %%user_name
+	Nick       = {{ user_name }}
+	AltNick    = {{ user_name}}_
+	Ident      = {{ user_name }}
 	LoadModule = chansaver
 //GNUNUX	LoadModule = controlpanel
 //>GNUNUX
-        RealName   = %%real_name
+        RealName   = {{ real_name }}
 //<GNUNUX
 
-%for %%server in %%server_names
-	<Network %%server>
+{% for server in server_names %}
+	<Network {{ server }}>
 		LoadModule = simple_away
 //>GNUNUX
                 LoadModule = keepnick
@@ -50,12 +47,12 @@ Version = 1.8.2
                 LoadModule = nickserv
                 IRCConnectEnabled = true
 //<GNUNUX
-		Server     = %%server +%%server.port %%server.password
-  %for %%channel in %%server.channels
-		<Chan #%%channel>
+		Server     = {{ server }} +{{ server.port }} {{ server.password }}
+{% for channel in server.channels %}
+		<Chan #{{ channel }}>
 		</Chan>
-  %end for
+{% endfor %}
 	</Network>
-%end for
+{% endfor %}
 </User>
 
diff --git a/seed/znc/templates/znc_passwords b/seed/znc/templates/znc_passwords
index 3e245de..2c81d44 100644
--- a/seed/znc/templates/znc_passwords
+++ b/seed/znc/templates/znc_passwords
@@ -1,8 +1,8 @@
-%echo '#!/bin/bash -e'
+#!/bin/bash -e
 
 # Convert password with znc
-password="%%user_password"
+password="{{ user_password }}"
 pass=$(echo -e "$password\n$password\n"|/usr/bin/znc -ns|grep -A4 '<Pass');
 pass_sed=${pass//$'\n'/\\$'\n'}
-sed -i "s@{{PASSWORD}}@$pass_sed@g" /etc/znc/znc.conf
+sed -i "s%@@PASSWORD@@%$pass_sed%g" /etc/znc/znc.conf
 exit 0