ansible template

2023-06-23 08:12:05 +02:00 · 2023-06-23 08:12:05 +02:00 · 21c86b0e97
commit 21c86b0e97
parent 84e583f8a4
281 changed files with 4341 additions and 2136 deletions
--- a/seed/apache/dictionaries/20_web.xml
+++ b/seed/apache/dictionaries/20_web.xml
@ -2,9 +2,9 @@
 <rougail version="0.10">
  <services>
    <service name="httpd" target="multi-user">
-      <file>/etc/httpd/conf/httpd.conf</file>
+      <file engine="none">/etc/httpd/conf/httpd.conf</file>
-      <file>/etc/httpd/conf.d/risotto.conf</file>
+      <file engine="ansible">/etc/httpd/conf.d/risotto.conf</file>
-      <file>/etc/httpd/conf.d/ssl.conf</file>
+      <file engine="ansible">/etc/httpd/conf.d/ssl.conf</file>
      <file engine="none" source="sysuser-httpd.conf">/sysusers.d/httpd.conf</file>
      <file engine="none" source="tmpfile-httpd.conf">/tmpfiles.d/0httpd.conf</file>
    </service>
--- a/seed/apache/templates/risotto.conf
+++ b/seed/apache/templates/risotto.conf
@ -1,15 +1,15 @@
 # Timeout
-Timeout %%apache_timeout
+Timeout {{ general.apache.apache_timeout }}
 # Keepalive
-%if %%apache_keepalive
+{% if general.apache.apache_keepalive %}
 KeepAlive On
-%else
+{% else %}
 KeepAlive Off
-%end if
+{% endif %}
 MaxKeepAliveRequests 50
-KeepAliveTimeout %%apache_timeout
+KeepAliveTimeout {{ general.apache.apache_timeout }}
 # RemoteIp
 RemoteIPHeader X-Forwarded-For
-RemoteIPInternalProxy %%revprox_client_server_ip
+RemoteIPInternalProxy {{ general.revprox.revprox_client_server_ip }}
--- a/seed/apache/templates/ssl.conf
+++ b/seed/apache/templates/ssl.conf
@ -100,7 +100,7 @@ SSLProxyCipherSuite PROFILE=SYSTEM
 #   require an ECC certificate which can also be configured in
 #   parallel.
 # GNUNUX SSLCertificateFile /etc/pki/tls/certs/localhost.crt
-SSLCertificateFile      %%tls_cert_directory/revprox.crt
+SSLCertificateFile      {{ general.tls_cert_directory }}/revprox.crt
 #   Server Private Key:
 #   If the key is not combined with the certificate, use this
@ -109,7 +109,7 @@ SSLCertificateFile      %%tls_cert_directory/revprox.crt
 #   both in parallel (to also allow the use of DSA ciphers, etc.)
 #   ECC keys, when in use, can also be configured in parallel
 # GNUNUX SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
-SSLCertificateKeyFile   %%tls_key_directory/revprox.key
+SSLCertificateKeyFile   {{ general.tls_key_directory }}/revprox.key
 #   Server Certificate Chain:
 #   Point SSLCertificateChainFile at a file containing the
@ -126,7 +126,7 @@ SSLCertificateKeyFile   %%tls_key_directory/revprox.key
 #   huge file containing all of them (file must be PEM encoded)
 #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
 #>GNUNUX
-SSLCACertificateFile %%tls_ca_directory/InternalReverseProxy.crt
+SSLCACertificateFile {{ general.tls_ca_directory }}/InternalReverseProxy.crt
 #<GNUNUX
 #   Client Authentication (Type):
--- a/seed/base-debian-bullseye/dictionaries/00_debian-bullseye.xml
+++ b/seed/base-debian-bullseye/dictionaries/00_debian-bullseye.xml
@ -2,7 +2,7 @@
 <rougail version="0.10">
  <services>
    <service name="dnssec" manage="False">
-      <file>/etc/dnssec-trust-anchors.d/local.negative</file>
+      <file engine="ansible">/etc/dnssec-trust-anchors.d/local.negative</file>
    </service>
  </services>
  <variables>
--- a/seed/base-debian-bullseye/templates/local.negative
+++ b/seed/base-debian-bullseye/templates/local.negative
@ -1,2 +1,2 @@
-%set %%domain=%%domain_name_eth0.split('.', 1)[1]
+{% set domain = domain_name_eth0.split('.', 1)[1] %}
-%%domain
+{{ domain }}
--- a/seed/base-debian/dictionaries/11_debian-base.xml
+++ b/seed/base-debian/dictionaries/11_debian-base.xml
@ -2,7 +2,7 @@
 <rougail version="0.10">
  <services>
    <service name="systemd-networkd">
-      <override/>
+      <override engine="none"/>
    </service>
    <service name='logrotate' disabled="True"/>
    <service name="debian" manage="False">
--- a/seed/base-debian/dictionaries/17_debian-base.xml
+++ b/seed/base-debian/dictionaries/17_debian-base.xml
@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <rougail version="0.10">
  <services>
-    <service name="update-ca-certificates" engine="cheetah" target="multi-user"/>
+    <service name="update-ca-certificates" engine="ansible" target="multi-user"/>
  </services>
  <variables>
    <variable name="tls_ca_directory" type="filename" description="Répertoire des autorités de certification" hidden="True">
--- a/seed/base-debian/templates/update-ca-certificates.service
+++ b/seed/base-debian/templates/update-ca-certificates.service
@ -4,7 +4,7 @@ Before=network-pre.target
 [Service]
 Type=oneshot
-ExecStart=/usr/sbin/update-ca-certificates --localcertsdir %%tls_ca_directory
+ExecStart=/usr/sbin/update-ca-certificates --localcertsdir {{ general.tls_ca_directory }}
 [Install]
 WantedBy=multi-user.target
--- a/seed/base-fedora-38/applicationservice.yml
+++ b/seed/base-fedora-38/applicationservice.yml
@ -0,0 +1,6 @@
 format: '0.1'
 description: Base information of a Fedora 38
 website: https://getfedora.org/
 depends:
  - base-fedora
 distribution: true
--- a/seed/base-fedora-38/dictionaries/11_fedora-version.xml
+++ b/seed/base-fedora-38/dictionaries/11_fedora-version.xml
@ -0,0 +1,13 @@
 <?xml version="1.0" encoding="utf-8"?>
 <rougail version="0.10">
  <!--services>
    <service name="base">
      <file engine="none">/etc/pam.d/login</file>
    </service>
  </services-->
  <variables>
    <variable name="os_version" type="string" description="Version de l'OS" hidden="True">
      <value>38</value>
    </variable>
  </variables>
 </rougail>
--- a/seed/base-fedora-38/manual/image/postinstall/base_fedora_version.sh
+++ b/seed/base-fedora-38/manual/image/postinstall/base_fedora_version.sh
@ -0,0 +1,7 @@
 # ACTIVE NETWORKD
 mkdir $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/network-online.target.wants
 chmod 775 $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/network-online.target.wants
 ln -s /usr/lib/systemd/system/systemd-networkd.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/dbus-org.freedesktop.network1.service"
 ln -s /usr/lib/systemd/system/systemd-networkd.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/multi-user.target.wants/systemd-networkd.service"
 ln -s /usr/lib/systemd/system/systemd-networkd-wait-online.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/network-online.target.wants/systemd-networkd-wait-online.service"
 ln -s /usr/lib/systemd/system/systemd-networkd.socket "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/sockets.target.wants/systemd-networkd.socket"
--- a/seed/base-fedora-38/manual/image/preinstall/base_fedora_38.sh
+++ b/seed/base-fedora-38/manual/image/preinstall/base_fedora_38.sh
@ -0,0 +1 @@
 BASE_PKG="$BASE_PKG pam util-linux"
--- a/seed/base-fedora-38/manual/image/preinstall/base_fedora_version.sh
+++ b/seed/base-fedora-38/manual/image/preinstall/base_fedora_version.sh
@ -0,0 +1 @@
 RELEASEVER=38
--- a/seed/base-fedora-38/templates/login
+++ b/seed/base-fedora-38/templates/login
@ -0,0 +1,17 @@
 #GNUNUX File from util-linux-*.x86_64 (not installed)
 #%PAM-1.0
 auth       substack     system-auth
 auth       include      postlogin
 account    required     pam_nologin.so
 account    include      system-auth
 password   include      system-auth
 # pam_selinux.so close should be the first session rule
 session    required     pam_selinux.so close
 session    required     pam_loginuid.so
 # pam_selinux.so open should only be followed by sessions to be executed in the user context
 session    required     pam_selinux.so open
 session    required     pam_namespace.so
 session    optional     pam_keyinit.so force revoke
 session    include      system-auth
 session    include      postlogin
 -session   optional     pam_ck_connector.so
--- a/seed/base-fedora/dictionaries/11_fedora-base.xml
+++ b/seed/base-fedora/dictionaries/11_fedora-base.xml
@ -5,6 +5,7 @@
      <file engine="none">/tmpfiles.d/fedora.conf</file>
    </service>
    <service name='logrotate' disabled="True"/>
    <service name='logrotate' disabled="True" type="timer"/>
  </services>
  <variables>
    <variable name="os_name" type="string" description="Nom de l'OS" hidden="True">
--- a/seed/base-fedora/dictionaries/17_fedora-base.xml
+++ b/seed/base-fedora/dictionaries/17_fedora-base.xml
@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <rougail version="0.10">
  <services>
-    <service name="update-ca-trust" engine="cheetah" target="multi-user"/>
+    <service name="update-ca-trust" engine="ansible" target="multi-user"/>
  </services>
  <variables>
    <variable name="tls_ca_directory" type="filename" description="Nom du répertoire des autorités de certification" hidden="True">
--- a/seed/base-machine/dictionaries/12_base.xml
+++ b/seed/base-machine/dictionaries/12_base.xml
@ -12,6 +12,7 @@
    <variable name="module_name" type="string" hidden="True" provider="global:module_name" mandatory="True"/>
    <family name="network" description="Réseau">
      <variable name="server_name" description="Nom de domaine du serveur" type="domainname" hidden="True" provider="global:server_name" mandatory="True"/>
      <variable name="last_server_name" type="domainname" hidden="True"/>
      <variable name="zones_list" type="string" multi="True" description="Liste de toutes les zones" mandatory="True" hidden="True" provider="global:zones_name"/>
      <variable name="interfaces_list" type="number" multi="True" description="Liste de tous les numéros d'interfaces" hidden="True" provider="global:zones_list"/>
      <family name="interface_" description="Interface " dynamic="interfaces_list">
@ -47,6 +48,10 @@
      <param name="index" type="suffix"/>
      <target>gateway_eth</target>
    </fill>
    <fill name="get_last_server_name">
      <param type="variable">domain_name_eth</param>
      <target>last_server_name</target>
    </fill>
  </constraints>
 </rougail>
--- a/seed/base-machine/funcs/funcs.py
+++ b/seed/base-machine/funcs/funcs.py
@ -83,3 +83,7 @@ def get_zone_name(zones: list,
                  ):
    if zones is not None:
        return zones[int(index)]
 def get_last_server_name(server_names):
    return server_names[-1]
--- a/seed/base/dictionaries/00_base.xml
+++ b/seed/base/dictionaries/00_base.xml
@ -1,6 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <rougail version="0.10">
  <variables>
    <variable name="providers" hidden="True"/>
    <variable name="copy_tests" type="boolean" mandatory="True" hidden="True"/>
  </variables>
  <constraints>
--- a/seed/base/funcs/base.py
+++ b/seed/base/funcs/base.py
@ -38,6 +38,7 @@ def get_zones_info(zones: dict,
                   zone_names: _List[str]=None,
                   zone_name: str=None,
                   index: int=None,
                   uniq: bool=False,
                   ) -> str:
    if type == 'host_ip' and index != 0:
        return
@ -47,4 +48,12 @@ def get_zones_info(zones: dict,
        if type == 'cidr':
            return zones[zone_name]['host_ip'] + '/' + zones[zone_name]['network'].split('/')[-1]
        return zones[zone_name][type]
-    return [data[type] for zone_name, data in zones.items() if not zone_names or zone_name in zone_names]
+    ret = []
    for zone_name, data in zones.items():
        if zone_names and zone_name not in zone_names:
            continue
        val = data[type]
        if uniq and val in ret:
            continue
        ret.append(val)
    return ret
--- a/seed/dns-local/dictionaries/13_dns-local.xml
+++ b/seed/dns-local/dictionaries/13_dns-local.xml
@ -2,7 +2,7 @@
 <rougail version="0.10">
  <services>
    <service name="dns-local" manage="False">
-      <file filelist="copy_tests">/tests/dns-local.yml</file>
+      <file engine="ansible" filelist="copy_tests">/tests/dns-local.yml</file>
    </service>
  </services>
  <variables>
@ -22,5 +22,3 @@
    </fill>
  </constraints>
 </rougail>
--- a/seed/dns-local/templates/dns-local.yml
+++ b/seed/dns-local/templates/dns-local.yml
@ -1,25 +1,26 @@
-address: '%%domain_name_eth0'
+address: '{{ domain_name_eth0 }}'
 addresses:
-%if %%getVar('dns_client_address', None)
+{% if 'dns_client_address' in general.network %}
- dns_address: '%%dns_client_address'
+- dns_address: '{{ general.network.dns_client_address }}'
-  dns_ip: '%%ip_dns'
+  dns_ip: '{{ ip_dns }}'
-%elif %%getVar('unbound_forward_address', None) is not None
+{% elif 'unbound_forward_address' in general.dns_resolver.forward_zones %}
-  %for %%authority in %%unbound_forward_address
+{% for authority in general.dns_resolver.forward_zones.unbound_forward_address %}
- dns_address: %%authority
+- dns_address: {{ authority }}
-  dns_ip: %%authority.unbound_allowed_client
+  dns_ip: {{ authority.unbound_allowed_client }}
-  %end for
+{% endfor %}
-%elif %%getVar('nsd_zones', None)
+{% elif 'nsd_zones' in general.dns_zone %}
-  %for %%zone in %%nsd_zones
+{%for zone in general.dns_zone.nsd_zones %}
-    %set %%suffix = %%normalize_family(%%zone)
+{% set suffix = zone|normalize_family %}
-    %set %%hostnames = %%nsd["nsd_zone_" + %%suffix]["hostname_" + %%suffix]["hostname_" + %%suffix]
+{% set hostnames = nsd["nsd_zone_" + suffix]["hostname_" + suffix]["hostname_" + suffix] %}
-    %for %%hostname in %%hostnames
+{% for hostname in hostnames %}
- dns_address: %%{hostname}.%%zone
+- dns_address: {{ hostname }}.{{ zone }}
-  dns_ip: %%hostname["ip_" + %%suffix]
+  dns_ip: {{ hostname["ip_" + suffix] }}
-    %end for
+{% endfor %}
-  %end for
+{% endfor %}
-%end if
+{% endif %}
-%if %%dns_is_only_local
+{% endif %}
 {% if dns_is_only_local %}
 dns_is_only_local: true
-%else
+{% else %}
 dns_is_only_local: false
-%end if
+{% endif %}
--- a/seed/dovecot/dictionaries/26_dovecot.xml
+++ b/seed/dovecot/dictionaries/26_dovecot.xml
@ -2,49 +2,48 @@
 <rougail version="0.10">
  <services>
    <service name="postfix" target="multi-user">
-      <override/>
+      <override engine="none"/>
      <certificate format="pem" authority="External" type="server" domain="submission_domainname" provider="mail_crt_provider" certificate_type="variable">submission_domainname</certificate>
-      <certificate format="pem" authority="Mail" owner="postfix" type="server">postfixlocal</certificate>
+      <certificate format="pem" server="last_server_name" domain="last_server_name" authority="InternalMail" owner="postfix" type="server">postfixlocal</certificate>
      <certificate authority="Mail" owner="postfix" type="server">postfix</certificate>
      <certificate authority="LDAP" owner="postfix" server="ldap_server_address">postfix_ldap_client</certificate>
      <file engine="none" source="sysuser-postfix.conf">/sysusers.d/1postfix.conf</file>
      <file engine="none" source="tmpfile-postfix.conf">/tmpfiles.d/0postfix.conf</file>
-      <file>/etc/postfix/main.cf</file>
+      <file engine="ansible">/etc/postfix/main.cf</file>
-      <file>/etc/postfix/master.cf</file>
+      <file engine="none">/etc/postfix/master.cf</file>
-      <file>/etc/postfix/relay_passwd</file>
+      <file engine="ansible">/etc/postfix/relay_passwd</file>
-      <file>/etc/postfix/ldapsource.cf</file>
+      <file engine="ansible">/etc/postfix/ldapsource.cf</file>
-      <file>/etc/postfix/sni</file>
+      <file engine="ansible">/etc/postfix/sni</file>
-      <file mode="700">/sbin/risotto_backup</file>
+      <file engine="ansible" mode="700">/sbin/risotto_backup</file>
    </service>
    <service name='dovecot-init'>
-      <override/>
+      <override engine="none"/>
-      <file>/etc/nginx/default.d/autoconfig.conf</file>
+      <file engine="none">/etc/nginx/default.d/autoconfig.conf</file>
    </service>
    <service name='nginx'>
-      <file source='config-v1.1.xml' file_type="variable" variable="mail_domains">well_known_filenames</file>
+      <file engine="ansible" source='config-v1.1.xml' file_type="variable" variable="mail_domains">well_known_filenames</file>
    </service>
    <service name="dovecot" target="multi-user">
      <certificate authority="External" type="server" domain="imap_domainname" provider="mail_crt_provider" certificate_type="variable">imap_domainname</certificate>
-      <certificate authority="IMAP" owner="dovecot" type="server">dovecot</certificate>
+      <certificate authority="IMAP" domain="last_server_name" owner="dovecot" type="server">dovecot</certificate>
      <file engine="none" source="sysuser-dovecot.conf">/sysusers.d/1dovecot.conf</file>
      <file engine="none" source="tmpfile-dovecot.conf">/tmpfiles.d/0dovecot.conf</file>
      <file engine='none'>/etc/dovecot/conf.d/10-logging.conf</file>
      <file engine='none'>/etc/dovecot/conf.d/10-auth.conf</file>
      <file engine='none'>/etc/dovecot/conf.d/10-mail.conf</file>
-      <file>/etc/dovecot/conf.d/10-master.conf</file>
+      <file engine="ansible">/etc/dovecot/conf.d/10-master.conf</file>
-      <file>/etc/dovecot/conf.d/10-ssl.conf</file>
+      <file engine="ansible">/etc/dovecot/conf.d/10-ssl.conf</file>
      <!-- FIXME file engine='none'>/etc/dovecot/conf.d/12-managesieve.conf</file-->
      <file engine='none'>/etc/dovecot/conf.d/15-ldap.conf</file>
      <file engine='none'>/etc/dovecot/conf.d/30-service-stats.conf</file>
      <file engine='none'>/etc/dovecot/conf.d/00-risotto.conf</file>
      <!--plain authentification-->
-      <file>/etc/dovecot/conf.d/auth-ldap.conf.ext</file>
+      <file engine="none">/etc/dovecot/conf.d/auth-ldap.conf.ext</file>
-      <file>/etc/dovecot/dovecot-ldap.conf.ext</file>
+      <file engine="ansible">/etc/dovecot/dovecot-ldap.conf.ext</file>
      <!--oauth2 authentification-->
-      <file>/etc/dovecot/conf.d/auth-oauth2.conf.ext</file>
+      <file engine="none">/etc/dovecot/conf.d/auth-oauth2.conf.ext</file>
-      <file>/etc/dovecot/dovecot-oauth2.conf.ext</file>
+      <file engine="ansible">/etc/dovecot/dovecot-oauth2.conf.ext</file>
      <!--internal authentification-->
-      <file filelist="copy_tests">/tests/imap.yml</file>
+      <file engine="ansible" filelist="copy_tests">/tests/imap.yml</file>
    </service>
  </services>
  <variables>
@ -54,7 +53,7 @@
        <value>993</value>
      </variable>
    </family>
-    <family name="annuaire">
+    <family name="ldap">
      <family name="client">
        <variable name='ldapclient_family' redefine="True">
          <value>all</value>
--- a/seed/dovecot/templates/10-master.conf
+++ b/seed/dovecot/templates/10-master.conf
@ -73,7 +73,7 @@ service lmtp {
  #}
 #>GNUNUX
  inet_listener lmtp {
-    address = %%ip_eth0
+    address = {{ general.smtp.smtp_client_ip }}
    port = 8024
  }
 #<GNUNUX
--- a/seed/dovecot/templates/10-ssl.conf
+++ b/seed/dovecot/templates/10-ssl.conf
@ -14,17 +14,17 @@ ssl = required
 #GNUNUX ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
 #GNUNUX ssl_key = </etc/pki/dovecot/private/dovecot.pem
 #>GNUNUX
-ssl_cert = </etc/pki/tls/certs/dovecot.crt
+ssl_cert = <{{ general.tls_cert_directory }}/dovecot.crt
-ssl_key = </etc/pki/tls/private/dovecot.key
+ssl_key = <{{ general.tls_key_directory }}/dovecot.key
-%for %%mail in %%mail_domains
+{% for mail in general.mail.domain.mail_domains %}
-local_name %%mail.imap_domainname {
+local_name {{ mail.imap_domainname }} {
-    ssl_cert = %echo '<' + %%tls_cert_directory + '/' + %%mail.imap_domainname + '.crt'
+    ssl_cert = <{{ general.tls_cert_directory }}/{{ mail.imap_domainname }}.crt
-    ssl_key = %echo '<' + %%tls_key_directory + '/' + %%mail.imap_domainname + '.key'
+    ssl_key = <{{ general.tls_key_directory }}/{{ mail.imap_domainname }}.key
 }
-%end for
+{% endfor %}
-local_name %%domain_name_eth0 {
+local_name {{ general.network.last_server_name }} {
-    ssl_cert = %echo '<' + %%tls_cert_directory + '/dovecot.crt'
+    ssl_cert = <{{ general.tls_cert_directory }}/dovecot.crt
-    ssl_key = %echo '<' + %%tls_key_directory + '/dovecot.key'
+    ssl_key = <{{ general.tls_key_directory }}/dovecot.key
 }
 #<GNUNUX
@ -50,7 +50,7 @@ local_name %%domain_name_eth0 {
 # large CA bundles, because it leads to excessive memory usage.
 #ssl_client_ca_dir =
 #ssl_client_ca_file =
-ssl_client_ca_file = %%tls_ca_directory/IMAP.crt
+ssl_client_ca_file = {{ general.tls_ca_directory }}/IMAP.crt
 # Require valid cert when connecting to a remote server
 #ssl_client_require_valid_cert = yes
--- a/seed/dovecot/templates/12-managesieve.conf
+++ b/seed/dovecot/templates/12-managesieve.conf
@ -1,23 +0,0 @@
 # Uncomment to enable managesieve protocol:
 protocols = $protocols sieve
 service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  #inet_listener sieve_deprecated {
  #  port = 2000
  #}
  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster. <doc/wiki/LoginProcess.txt>
  service_count = 1
  # Number of processes to always keep waiting for more connections.
  process_min_avail = 0
  # If you set service_count=0, you probably need to grow this.
  vsz_limit = 64M
 }
--- a/seed/dovecot/templates/config-v1.1.xml
+++ b/seed/dovecot/templates/config-v1.1.xml
@ -1,23 +1,23 @@
 <?xml version="1.0"?>
 # GNUNUX: from https://wiki.mozilla.org/Thunderbird:Autoconfiguration:ConfigFileFormat -->
-%set %%domain = %%rougail_variable
+{%set domain = rougail_variable %}
-%set %%leader = %%mail_domains[%%mail_domains.index(%%domain)]
+{%set leader = general.mail.domain.mail_domains[mail_domains.index(domain)] %}
-%set %%imap_domain = %%leader.imap_domainname
+{%set imap_domain = leader.imap_domainname %}
-%set %%submission_domain = %%leader.submission_domainname
+{%set submission_domain = leader.submission_domainname %}
 <clientConfig version="1.1">
-  <emailProvider id="%%domain">
+  <emailProvider id="{{ domain }}">
-    <domain>%%domain</domain>
+    <domain>{{ domain }}</domain>
-    <displayName>Services %%domain</displayName>
+    <displayName>Services {{ domain }}</displayName>
-    <displayShortName>%%domain</displayShortName>
+    <displayShortName>{{ domain }}</displayShortName>
    <incomingServer type="imap">
-      <hostname>%%imap_domain</hostname>
+      <hostname>{{ imap_domain }}</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
      <username>%EMAILADDRESS%</username>
      <authentication>password-cleartext</authentication>
    </incomingServer>
    <outgoingServer type="smtp">
-      <hostname>%%submission_domain</hostname>
+      <hostname>{{ submission_domain }}</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType>
      <username>%EMAILADDRESS%</username>
--- a/seed/dovecot/templates/dovecot-ldap.conf.ext
+++ b/seed/dovecot/templates/dovecot-ldap.conf.ext
@ -24,7 +24,7 @@
 # setting isn't supported by all LDAP libraries.
 #uris = 
 #>GNUNUX
-uris = ldaps://%%ldap_server_address
+uris = ldaps://{{ general.ldap.server.ldap_server_address }}
 #<GNUNUX
 # Distinguished Name - the username used to login to the LDAP server.
@ -34,8 +34,8 @@ uris = ldaps://%%ldap_server_address
 # Password for LDAP server, if dn is specified.
 #dnpass = 
 #>GNUNUX
-dn = %%ldapclient_user
+dn = {{ general.ldap.client.ldapclient_user }}
-dnpass = %%ldapclient_user_password
+dnpass = {{ general.ldap.client.ldapclient_user_password }}
 #<GNUNUX
 # Use SASL binding instead of the simple binding. Note that this changes
@ -61,9 +61,9 @@ dnpass = %%ldapclient_user_password
 # Valid values: never, hard, demand, allow, try
 #tls_require_cert =
 #>GNUNUX
-tls_cert_file = %%tls_cert_directory/ldap_client.crt
+tls_cert_file = {{ general.tls_cert_directory }}/ldap_client.crt
-tls_key_file = %%tls_key_directory/ldap_client.key
+tls_key_file = {{ general.tls_key_directory }}/ldap_client.key
-tls_ca_cert_file = %%tls_ca_directory/LDAP.crt
+tls_ca_cert_file = {{ general.tls_ca_directory }}/LDAP.crt
 tls_require_cert = hard
 #>GNUNUX
@ -107,7 +107,7 @@ auth_bind = yes
 # LDAP base. %variables can be used here.
 # For example: dc=mail, dc=example, dc=org
 # GNUNUX base =
-base = %%ldapclient_search_dn
+base = {{ general.ldap.client.ldapclient_search_dn }}
 # Dereference: never, searching, finding, always
 #deref = never
--- a/seed/dovecot/templates/dovecot-oauth2.conf.ext
+++ b/seed/dovecot/templates/dovecot-oauth2.conf.ext
@ -4,7 +4,7 @@
 ## url for verifying token validity. Token is appended to the URL
 # tokeninfo_url = http://endpoint/oauth/tokeninfo?access_token=
 #>GNUNUX
-tokeninfo_url = https://%%oauth2_client_server_domainname/oauth2/userinfo/?access_token=
+tokeninfo_url = https://{{ general.oauth2_client.oauth2_client_server_domainname }}/oauth2/userinfo/?access_token=
 #<GNUNUX
 ## introspection endpoint, used to gather extra fields and other information.
@ -21,7 +21,7 @@ tokeninfo_url = https://%%oauth2_client_server_domainname/oauth2/userinfo/?acces
 ## Set this to yes if you are using active_attribute
 # force_introspection = no
 #>GNUNUX
-introspection_url = https://%%oauth2_client_server_domainname/oauth2/introspect/
+introspection_url = https://{{ general.oauth2_client.oauth2_client_server_domainname }}/oauth2/introspect/
 introspection_mode = post
 force_introspection = no
 #<GNUNUX
@ -57,7 +57,7 @@ username_attribute = email
 ## URL to RFC 7628 OpenID Provider Configuration Information schema
 # openid_configuration_url =
 #>GNUNUX
-openid_configuration_url = https://%%oauth2_client_server_domainname/.well-known/openid-configuration
+openid_configuration_url = https://{{ general.oauth2_client.oauth2_client_server_domainname }}/.well-known/openid-configuration
 #<GNUNUX
 ## Extra fields to set in passdb response (in passdb static style)
@ -79,8 +79,8 @@ openid_configuration_url = https://%%oauth2_client_server_domainname/.well-known
 # rawlog_dir = /tmp/oauth2
 #>GNUNUX
-client_id = %%oauth2_client_id
+client_id = {{ general.oauth2_client.oauth2_client_id }}
-client_secret = %%oauth2_client_secret
+client_secret = {{ general.oauth2_client.oauth2_client_secret }}
 #<GNUNUX
 ## TLS settings
--- a/seed/dovecot/templates/external_imap.crt
+++ b/seed/dovecot/templates/external_imap.crt
@ -1,2 +0,0 @@
 %%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)
--- a/seed/dovecot/templates/external_imap.key
+++ b/seed/dovecot/templates/external_imap.key
@ -1 +0,0 @@
 %%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)
--- a/seed/dovecot/templates/imap.yml
+++ b/seed/dovecot/templates/imap.yml
@ -1,12 +1,12 @@
-%set %%username="rougail_test@silique.fr"
+{%set username="rougail_test@silique.fr" %}
-%set %%username_family="rougail_test@gnunux.info"
+{%set username_family="rougail_test@gnunux.info" %}
-%set %%name_family="gnunux"
+{%set name_family="gnunux" %}
-address: %%ip_eth0
+address: {{ general.network.interface_0.ip_eth0 }}
-dns: %%domain_name_eth0
+dns: {{ general.network.interface_0.domain_name_eth0 }}
-username: %%username
+username: {{ username }}
-password: %%get_password(server_name='test', username=%%username, description="test", type="cleartext", hide=%%hide_secret, temporary=True)
+password: {{ username|get_password(server_name='test', description="test", type="cleartext", hide=hide_secret, temporary=True) }}
-username_family: %%username_family
+username_family: {{ username_family }}
-password_family: %%get_password(server_name='test', username=%%username_family, description='test', type="cleartext", hide=%%hide_secret, temporary=True)
+password_family: {{ username_family|get_password(server_name='test', description='test', type="cleartext", hide=hide_secret, temporary=True)
-name_family: %%name_family
+name_family: {{ name_family }}
-smtp: %%smtp_relay_ip
+smtp: {{ general.smtp.smtp_relay_ip }}
 ext_username: 'test@example.net'
--- a/seed/dovecot/templates/ldapsource.cf
+++ b/seed/dovecot/templates/ldapsource.cf
@ -1,13 +1,13 @@
-server_host = ldaps://%%ldap_server_address
+server_host = ldaps://{{ general.ldap.server.ldap_server_address }}
-server_port = %%ldap_port
+server_port = {{ general.ldap.server.ldap_port }}
-tls_cert = %%tls_cert_directory/postfix_ldap_client.crt
+tls_cert = {{ general.tls_cert_directory }}/postfix_ldap_client.crt
-tls_key = %%tls_key_directory/postfix_ldap_client.key
+tls_key = {{ general.tls_key_directory }}/postfix_ldap_client.key
-tls_ca_cert_file = %%tls_ca_directory/LDAP.crt
+tls_ca_cert_file = {{ general.tls_ca_directory }}/LDAP.crt
 tls_require_cert = yes
 version = 3
 bind = yes
-bind_dn = %%ldapclient_user
+bind_dn = {{ general.ldap.client.ldapclient_user }}
-bind_pw = %%ldapclient_user_password
+bind_pw = {{ general.ldap.client.ldapclient_user_password }}
-search_base = %%ldapclient_search_dn
+search_base = {{ general.ldap.client.ldapclient_search_dn }}
 query_filter = (mailLocalAddress=%s)
 result_attribute = cn
--- a/seed/dovecot/templates/main.cf
+++ b/seed/dovecot/templates/main.cf
@ -95,7 +95,7 @@ mail_owner = postfix
 #
 #myhostname = host.domain.tld
 #myhostname = virtual.domain.tld
-myhostname = %%domain_name_eth0
+myhostname = {{ general.network.interface_0.domain_name_eth0 }}
 # The mydomain parameter specifies the local internet domain name.
 # The default is to use $myhostname minus the first component.
@ -119,7 +119,7 @@ myhostname = %%domain_name_eth0
 #
 #myorigin = $myhostname
 #myorigin = $mydomain
-myorigin = %%domain_name_eth0
+myorigin = {{ general.network.interface_0.domain_name_eth0 }}
 # RECEIVING MAIL
@ -359,7 +359,7 @@ mynetworks = 127.0.0.0/8
 #relayhost = uucphost
 #relayhost = [an.ip.add.ress]
 #>GNUNUX
-relayhost = %%smtp_relay_address
+relayhost = {{ general.smtp.smtp_relay_address }}
 smtp_sasl_auth_enable = yes
 smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd
 smtp_sasl_security_options = noanonymous
@ -742,15 +742,15 @@ readme_directory = /usr/share/doc/postfix/README_FILES
 # in PEM format. Intermediate certificates should be included in general,
 # the server certificate first, then the issuing CA(s) (bottom-up order).
 #
-smtpd_tls_cert_file = %%tls_cert_directory/postfix.crt
+smtpd_tls_cert_file = {{ general.tls_cert_directory }}/postfix.crt
 # The full pathname of a file with the Postfix SMTP server RSA private key
 # in PEM format. The private key must be accessible without a pass-phrase,
 # i.e. it must not be encrypted.
 #
-smtpd_tls_key_file = %%tls_key_directory/postfix.key
+smtpd_tls_key_file = {{ general.tls_key_directory }}/postfix.key
-smtpd_tls_CApath = %%tls_ca_directory
+smtpd_tls_CApath = {{ general.tls_ca_directory }}
 #>GNUNUX
 tls_server_sni_maps = hash:/etc/postfix/sni
 #<GNUNUX
@ -762,13 +762,13 @@ smtpd_tls_security_level = may
 # Directory with PEM format Certification Authority certificates that the
 # Postfix SMTP client uses to verify a remote SMTP server certificate.
 #
-smtp_tls_CApath = %%tls_ca_directory
+smtp_tls_CApath = {{ general.tls_ca_directory }}
 # The full pathname of a file containing CA certificates of root CAs
 # trusted to sign either remote SMTP server certificates or intermediate CA
 # certificates.
 #
-smtp_tls_CAfile = %%tls_ca_directory/Mail.crt
+smtp_tls_CAfile = {{ general.tls_ca_directory }}/Mail.crt
 # Use TLS if this is supported by the remote SMTP server, otherwise use
 # plaintext (opportunistic TLS outbound).
@ -800,11 +800,11 @@ smtpd_sasl_path = /srv/dovecot/auth
 broken_sasl_auth_clients = yes
 dovecot_destination_recipient_limit = 1
-%set %%domains = []
+{% set domains = [] %}
-%for %%domain in %%mail_domains
+{% for domain in general.mail.domain.mail_domains %}
-%%domains.append(%%str(%%domain))%slurp
+{{ domains.append(domain|string) }}
-%end for
+{% endfor %}
-virtual_mailbox_domains = %echo ', '.join(%%domains)
+virtual_mailbox_domains = {{ domains|join(', ') }}
 virtual_alias_maps = ldap:/etc/postfix/ldapsource.cf
 virtual_minimum_uid = 1000
 #vmail uid
--- a/seed/dovecot/templates/postfix_sni.pem
+++ b/seed/dovecot/templates/postfix_sni.pem
@ -1,3 +0,0 @@
 %set %%cert = %%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)
 %%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)
 %%cert
--- a/seed/dovecot/templates/relay_passwd
+++ b/seed/dovecot/templates/relay_passwd
@ -1,2 +1,2 @@
-%%smtp_relay_address	%%smtp_relay_user@%%ip_eth0:%%smtp_relay_password
+{{ general.smtp.smtp_relay_address }}	{{ general.smtp.smtp_relay_user }}@{{ general.smtp.smtp_client_ip }}:{{ general.smtp.smtp_relay_password }}
--- a/seed/dovecot/templates/risotto_backup
+++ b/seed/dovecot/templates/risotto_backup
@ -1,6 +1,6 @@
-%echo "#!/bin/bash"
+#!/bin/bash
-BACKUP_DIR="%%backup_dir"
+BACKUP_DIR="{{ general.backup_dir }}"
 mkdir -p $BACKUP_DIR
 chown vmail: $BACKUP_DIR
@ -14,7 +14,7 @@ done
 ls $BACKUP_DIR | while read $user; do
    if [ ! -f $BACKUP_DIR/$user.done ]; then
        rm -rf $BACKUP_DIR/$user
-    if
+    fi
 done
 rm -f $BACKUP_DIR/*.done
--- a/seed/dovecot/templates/sni
+++ b/seed/dovecot/templates/sni
@ -1,4 +1,4 @@
-%for %%name in %%mail_domains
+{% for name in general.mail.domain.mail_domains %}
-%%name.submission_domainname %%tls_key_directory/%%{name.submission_domainname}.pem
+{{ name.submission_domainname }} {{ general.tls_key_directory }}/{{ name.submission_domainname }}.pem
-%end for
+{% endfor %}
-%%domain_name_eth0 %%tls_key_directory/postfixlocal.pem
+{{ general.network.last_server_name }} {{ general.tls_key_directory }}/postfixlocal.pem
--- a/seed/forgejo/applicationservice.yml
+++ b/seed/forgejo/applicationservice.yml
@ -2,7 +2,7 @@ format: '0.1'
 description: Forgejo, a community managed lightweight code hosting solution
 website: https://forgejo.org/
 depends:
-  - base-fedora-37
+  - base-fedora-38
  - postgresql-client
  - reverse-proxy-client
  - relay-mail-client
--- a/seed/forgejo/dictionaries/31_forgejo.xml
+++ b/seed/forgejo/dictionaries/31_forgejo.xml
@ -1,11 +1,11 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
  <services>
-    <service name="forgejo" target="multi-user" engine="cheetah">
+    <service name="forgejo" target="multi-user" engine="ansible">
      <file engine="none" source="sysuser-forgejo.conf">/sysusers.d/0forgejo.conf</file>
      <file engine="none" source="tmpfile-forgejo.conf">/tmpfiles.d/0forgejo.conf</file>
-      <file>/etc/forgejo/app.ini</file>
+      <file engine="ansible">/etc/forgejo/app.ini</file>
-      <file filelist="copy_tests">/tests/forgejo.yml</file>
+      <file engine="ansible" filelist="copy_tests">/tests/forgejo.yml</file>
    </service>
  </services>
  <variables>
--- a/seed/forgejo/templates/app.ini
+++ b/seed/forgejo/templates/app.ini
@ -1,7 +1,4 @@
 #RISOTTO: https://codeberg.org/forgejo/forgejo/raw/branch/forgejo/custom/conf/app.example.ini
 %compiler-settings
 commentStartToken = ;
 %end compiler-settings
 ; This file lists the default values used by Gitea
 ;; Copy required sections to your own app.ini (default is custom/conf/app.ini)
 ;; and modify as needed.
@ -50,7 +47,7 @@ commentStartToken = ;
 ;; App name that shows in every page title
 ;>GNUNUX
 ;APP_NAME = ; Gitea: Git with a cup of tea
-APP_NAME = %%forgejo_title
+APP_NAME = {{ general.forgejo.forgejo_title }}
 ;<GNUNUX
 ;;
 ;; RUN_USER will automatically detect the current user - but you can set it here change it if you run locally
@ -89,13 +86,13 @@ PROTOCOL         = https
 ;; Set the domain for the server
 ;DOMAIN = localhost
 ;>GNUNUX
-DOMAIN           = %%revprox_client_external_domainnames[0]
+DOMAIN           = {{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}
 ;<GNUNUX
 ;;
 ;; Overwrite the automatically generated public URL. Necessary for proxies and docker.
 ;ROOT_URL = %(PROTOCOL)s://%(DOMAIN)s:%(HTTP_PORT)s/
 ;>GNUNUX
-ROOT_URL         = https://%%revprox_client_external_domainnames[0]%%revprox_client_external_domainnames[0]revprox_client_location
+ROOT_URL         = https://{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}{{ general.revprox.revprox_client.revprox_client_external_domainnames[0]['revprox_client_location'] }}
 ;<GNUNUX
 ;;
 ;; when STATIC_URL_PREFIX is empty it will follow ROOT_URL
@ -146,7 +143,7 @@ HTTP_PORT        = 3000
 ;; Do not set this variable if PROTOCOL is set to 'unix'.
 ;LOCAL_ROOT_URL = %(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/
 ;>GNUNUX
-LOCAL_ROOT_URL   = https://%%domain_name_eth0:3000/
+LOCAL_ROOT_URL   = https://{{ general.network.interface_0.domain_name_eth0 }}:3000/
 ;<GNUNUX
 ;;
 ;; When making local connections pass the PROXY protocol header.
@ -176,7 +173,7 @@ BUILTIN_SSH_SERVER_USER = "git"
 ;; Domain name to be exposed in clone URL
 ;SSH_DOMAIN = %(DOMAIN)s
 ;>GNUNUX
-SSH_DOMAIN       = %%revprox_client_external_domainnames[0]
+SSH_DOMAIN       = {{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}
 ;<GNUNUX
 ;;
 ;; SSH username displayed in clone URLs.
@ -188,13 +185,13 @@ SSH_DOMAIN       = %%revprox_client_external_domainnames[0]
 ;; Port number to be exposed in clone URL
 ;SSH_PORT = 22
 ;>GNUNUX
-SSH_PORT         = %%incoming_ports[0]
+SSH_PORT         = {{ general.network.incoming_ports[0] }}
 ;<GNUNUX
 ;;
 ;; The port number the builtin SSH server should listen on
 ;SSH_LISTEN_PORT = %(SSH_PORT)s
 ;>GNUNUX
-SSH_LISTEN_PORT  = %%incoming_ports[0]
+SSH_LISTEN_PORT  = {{ general.network.incoming_ports[0] }}
 ;<GNUNUX
 ;;
 ;; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'.
@ -319,8 +316,8 @@ OFFLINE_MODE     = true
 ;CERT_FILE = https/cert.pem
 ;KEY_FILE = https/key.pem
 ;>GNUNUX
-CERT_FILE        = %%tls_cert_directory/revprox.crt
+CERT_FILE        = {{ general.tls_cert_directory }}/revprox.crt
-KEY_FILE         = %%tls_key_directory/revprox.key
+KEY_FILE         = {{ general.tls_key_directory }}/revprox.key
 ;<GNUNUX
 ;;
 ;; Root directory containing templates and static files.
@ -355,7 +352,7 @@ LFS_START_SERVER = true
 ;; LFS authentication secret, change this yourself
 ;>GNUNUX
 ;LFS_JWT_SECRET =
-LFS_JWT_SECRET   = %%forgejo_lfs_jwt_secret
+LFS_JWT_SECRET   = {{ general.forgejo.forgejo_lfs_jwt_secret }}
 ;<GNUNUX
 ;;
 ;; LFS authentication validity period (in time.Duration), pushes taking longer than this may fail.
@ -419,10 +416,10 @@ LFS_JWT_SECRET   = %%forgejo_lfs_jwt_secret
 ;SSL_MODE=disable ;either "disable" (default), "require", or "verify-full"
 ;>GNUNUX
 DB_TYPE  = postgres
-HOST     = %%pg_client_server_domainname:5432
+HOST     = {{ general.postgresql.pg_client_server_domainname }}:5432
-NAME     = %%pg_client_database
+NAME     = {{ general.postgresql.pg_client_database }}
-USER     = %%pg_client_username
+USER     = {{ general.postgresql.pg_client_username }}
-PASSWD   = %%pg_client_password
+PASSWD   = {{ general.postgresql.pg_client_password }}
 SCHEMA   =
 SSL_MODE = verify-full
 CHARSET  = utf8
@ -492,7 +489,7 @@ INSTALL_LOCK = true
 ;; This key is VERY IMPORTANT. If you lose it, the data encrypted by it (like 2FA secret) can't be decrypted anymore.
 ;>GNUNUX
 ;SECRET_KEY =
-SECRET_KEY     = %%forgejo_secret_key
+SECRET_KEY     = {{ general.forgejo.forgejo_secret_key }}
 ;<GNUNUX
 ;;
 ;; Alternative location to specify secret key, instead of this file; you cannot specify both this and SECRET_KEY, and must pick one
@ -502,7 +499,7 @@ SECRET_KEY     = %%forgejo_secret_key
 ;; Secret used to validate communication within Gitea binary.
 ;>GNUNUX
 ;INTERNAL_TOKEN=
-INTERNAL_TOKEN     = %%forgejo_internal_token
+INTERNAL_TOKEN     = {{ general.forgejo.forgejo_internal_token }}
 ;<GNUNUX
 ;;
 ;; Alternative location to specify internal token, instead of this file; you cannot specify both this and INTERNAL_TOKEN, and must pick one
@ -671,7 +668,7 @@ ROUTER = console
 ;ACCESS = file
 ;;
 ;; Sets the template used to create the access log.
-;ACCESS_LOG_TEMPLATE = {{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.URL.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}"
+{#;ACCESS_LOG_TEMPLATE = {{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.URL.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}" #}
 ;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
@ -1760,7 +1757,7 @@ PROTOCOL  = smtp+starttls
 ;; (Before 1.18, see the notice, this was combined with SMTP_PORT as HOST.)
 ;SMTP_ADDR =
 ;>GNUNUX
-SMTP_ADDR = %%smtp_relay_address
+SMTP_ADDR = {{ smtp_relay_address }}
 ;<GNUNUX
 ;;
 ;; Mail server port. Common ports are:
@ -1793,7 +1790,7 @@ SMTP_PORT = 25
 ;; Mail from address, RFC 5322. This can be just an email address, or the `"Name" <email@example.com>` format
 ;FROM =
 ;>GNUNUX
-FROM      = %%forgejo_mail_sender
+FROM      = {{ general.forgejo.forgejo_mail_sender }}
 ;<GNUNUX
 ;;
 ;; Sometimes it is helpful to use a different address on the envelope. Set this to use ENVELOPE_FROM as the from on the envelope. Set to `<>` to send an empty address.
@ -1802,13 +1799,13 @@ FROM      = %%forgejo_mail_sender
 ;; Mailer user name and password, if required by provider.
 ;USER =
 ;>GNUNUX
-USER      = %%smtp_relay_user@%%ip_eth0
+USER      = {{ general.smtp.smtp_relay_user }}@{{ general.smtp.smtp_client_ip }}
 ;<GNUNUX
 ;;
 ;; Use PASSWD = `your password` for quoting if you use special characters in the password.
 ;PASSWD =
 ;>GNUNUX
-PASSWD    = %%smtp_relay_password
+PASSWD    = {{ general.smtp.smtp_relay_password }}
 ;<GNUNUX
 ;;
 ;; Send mails only in plain text, without HTML alternative
@ -1857,7 +1854,7 @@ ADAPTER = redis
 ;; twoqueue: `{"size":50000,"recent_ratio":0.25,"ghost_ratio":0.5}` or `50000`
 ;HOST =
 ;>GNUNUX
-HOST = network=tcp,addr=%%redis_client_server_domainname:6379,username=%%redis_client_username,password=%%redis_client_password,db=0,pool_size=100,idle_timeout=180
+HOST = network=tcp,addr={{ general.redis.redis_client_server_domainname }}:6379,username={{ general.redis.redis_client_username }},password={{ general.redis.redis_client_password }},db={{ general.redis.redis_client_index }},pool_size=100,idle_timeout=180
 ;<GNUNUX
 ;;
 ;; Time to keep items in cache if not used, default is 16 hours.
@ -1904,7 +1901,7 @@ PROVIDER = redis
 ;; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table`
 ;PROVIDER_CONFIG = data/sessions ; Relative paths will be made absolute against _`AppWorkPath`_.
 ;>GNUNUX
-PROVIDER_CONFIG = network=tcp,addr=%%redis_client_server_domainname:6379,password=%%redis_client_password,db=0,pool_size=100,idle_timeout=180
+PROVIDER_CONFIG = network=tcp,addr={{ general.redis.redis_client_server_domainname }}:6379,password={{ general.redis.redis_client_password }},db={{ general.redis.redis_client_index }},pool_size=100,idle_timeout=180
 ;<GNUNUX
 ;;
 ;; Session cookie name
--- a/seed/forgejo/templates/forgejo.service
+++ b/seed/forgejo/templates/forgejo.service
@ -20,17 +20,17 @@ User=forgejo
 Group=forgejo
 WorkingDirectory=/srv/forgejo/lib/
 ExecStart=/usr/bin/forgejo web --config /etc/forgejo/app.ini
-ExecStartPre=/bin/bash -c '%slurp
+ExecStartPre=/bin/bash -c '{% if True -%}{% endif -%}
-/usr/bin/forgejo migrate --config /etc/forgejo/app.ini;%slurp
+/usr/bin/forgejo migrate --config /etc/forgejo/app.ini;{% if True -%}{% endif -%}
-if /usr/bin/forgejo admin auth list --config /etc/forgejo/app.ini | grep "OAuth2"; then %slurp
+if /usr/bin/forgejo admin auth list --config /etc/forgejo/app.ini | grep "OAuth2"; then {% if True -%}{% endif -%}
-  echo "UPDATE";%slurp
+  echo "UPDATE";{% if True -%}{% endif -%}
-  id=$(/usr/bin/forgejo --config /etc/forgejo/app.ini admin auth list |tail -n 1|awk "{ print \$1}");%slurp
+  id=$(/usr/bin/forgejo --config /etc/forgejo/app.ini admin auth list |tail -n 1|awk "{ print \$1}");{% if True -%}{% endif -%}
-  /usr/bin/forgejo admin auth update-oauth --id $id --name "%%domain_name_eth0" --provider "openidConnect" --key "%%oauth2_client_id" --secret "%%oauth2_client_secret" --scopes "profile email" --auto-discover-url "https://%%oauth2_client_server_domainname/.well-known/openid-configuration" --config /etc/forgejo/app.ini;%slurp
+  /usr/bin/forgejo admin auth update-oauth --id $id --name "{{ general.network.interface_0.domain_name_eth0 }}" --provider "openidConnect" --key "{{ general.oauth2_client.oauth2_client_id }}" --secret "{{ general.oauth2_client.oauth2_client_secret }}" --scopes "profile email" --auto-discover-url "https://{{ general.oauth2_client.oauth2_client_server_domainname }}/.well-known/openid-configuration" --config /etc/forgejo/app.ini;{% if True -%}{% endif -%}
-else %slurp
+else {% if True -%}{% endif -%}
-  echo "CONFIGURE";%slurp
+  echo "CONFIGURE";{% if True -%}{% endif -%}
-  /usr/bin/forgejo admin auth add-oauth --name "%%domain_name_eth0" --provider "openidConnect" --key "%%oauth2_client_id" --secret "%%oauth2_client_secret" --scopes "profile email" --auto-discover-url "https://%%oauth2_client_server_domainname/.well-known/openid-configuration" --config /etc/forgejo/app.ini;%slurp
+  /usr/bin/forgejo admin auth add-oauth --name "{{ general.network.interface_0.domain_name_eth0 }}" --provider "openidConnect" --key "{{ general.oauth2_client.oauth2_client_id }}" --secret "{{ general.oauth2_client.oauth2_client_secret }}" --scopes "profile email" --auto-discover-url "https://{{ general.oauth2_client.oauth2_client_server_domainname }}/.well-known/openid-configuration" --config /etc/forgejo/app.ini;{% if True -%}{% endif -%}
-fi;%slurp
+fi;{% if True -%}{% endif -%}
-sleep 2;%slurp
+sleep 2;{% if True -%}{% endif -%}
 echo "CONFIGURATION DONE"'
 Restart=always
 Environment=GITEA_WORK_DIR=/srv/forgejo/lib
--- a/seed/forgejo/templates/forgejo.yml
+++ b/seed/forgejo/templates/forgejo.yml
@ -1,11 +1,11 @@
-%set %%username="rougail_test@silique.fr"
+{% set username="rougail_test@silique.fr" %}
-ip: %%ip_eth0
+ip: {{ general.network.interface_0.ip_eth0 }}
-revprox_ip: %%revprox_client_server_ip
+revprox_ip: {{ general.revprox.revprox_client.revprox_client_server_ip }}
-%set %%domain = %%revprox_client_external_domainnames[0]
+{% set domain = {{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}
-base_url: https://%%domain%%domain.revprox_client_location
+base_url: https://{{ domain }}{{domain.revprox_client_location }}
-auth_url: %%oauth2_client_external[0]
+auth_url: {{ general.oauth2_client.oauth2_client_external[0] }}
-auth_server: %%oauth2_server_domainname
+auth_server: {{ general.oauth2_client.oauth2_server_domainname }}
-username: %%username
+username: {{ username }}
-password: %%get_password(server_name='test', username=%%username, description='test', type="cleartext", hide=%%hide_secret, temporary=True)
+password: {{ username|get_password(server_name='test', description='test', type="cleartext", hide=hide_secret, temporary=True) }}
-forgejo_title: "%%forgejo_title"
+forgejo_title: "{{ general.forgejo.forgejo_title }}"
-git_url: "[%%domain]:%%incoming_ports[0]"
+git_url: "[{{ domain] }}:{{ general.network.incoming_ports[0] }}"
--- a/seed/grafana/DEBUG.md
+++ b/seed/grafana/DEBUG.md
@ -0,0 +1,2 @@
 sed -i "s/;level = info/level = debug/g" /etc/grafana/grafana.ini 
 systemctl restart grafana-server
--- a/seed/grafana/applicationservice.yml
+++ b/seed/grafana/applicationservice.yml
@ -0,0 +1,9 @@
 format: '0.1'
 description: Grafana is an analytics and interactive visualization web application
 website: https://grafana.com/
 depends:
  - base-fedora-38
  - postgresql-client
  - oauth2-client
  - reverse-proxy-client
  - relay-mail-client
--- a/seed/grafana/dictionaries/31_grafana.xml
+++ b/seed/grafana/dictionaries/31_grafana.xml
@ -0,0 +1,67 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
  <services>
    <service name="grafana-server" target="multi-user">
      <override engine="none"/>
      <file engine="ansible">/etc/grafana/grafana.ini</file>
      <file engine="ansible">/etc/sysconfig/grafana-server</file>
      <file engine="none" source="tmpfile-grafana.conf">/tmpfiles.d/0grafana.conf</file>
    </service>
  </services>
  <variables>
    <family name="grafana">
      <variable name="admin_password" type="password" description="Mot de passe de l'administrateur" hidden="True"/>
    </family>
    <family name="revprox">
      <family name="revprox_client">
        <variable name="revprox_client_local_location" redefine="True">
          <value>/</value>
        </variable>
      </family>
      <variable name="revprox_client_port" redefine="True">
        <value>3000</value>
      </variable>
      <variable name="revprox_client_cert_owner" redefine="True">
        <value>grafana</value>
      </variable>
    </family>
    <family name="oauth2_client">
      <variable name="oauth2_is_client_application" redefine='True'>
        <value>True</value>
      </variable>
      <variable name="oauth2_client_name" redefine='True'>
        <value>Grafana</value>
      </variable>
      <variable name="oauth2_client_description" redefine='True'>
        <value>Visualisation de données</value>
      </variable>
      <variable name="oauth2_client_category" redefine='True'>
        <value>Administration</value>
      </variable>
      <variable name="oauth2_client_logo" redefine='True'>
        <value>silique_note.png</value>
      </variable>
      <variable name="oauth2_client_token_signature_algo" redefine="True">
        <value>RS256</value>
      </variable>
      <variable name="oauth2_email_domain" type="domainname" description="Domain name allowed to log on Grafana" mandatory="True"/>
    </family>
    <family name="postgresql">
      <variable name="pg_client_key_owner" redefine="True">
        <value>grafana</value>
      </variable>
    </family>
  </variables>
  <constraints>
    <fill name="get_password">
      <param name="server_name" type="variable">domain_name_eth0</param>
      <param name="username">admin</param>
      <param name="description">admin</param>
      <param name="type">cleartext</param>
      <param name="hide" type="variable">hide_secret</param>
      <param name="temporary" type="boolean">True</param>
      <target>admin_password</target>
    </fill>
  </constraints>
 </rougail>
--- a/seed/grafana/manual/image/postinstall/grafana.sh
+++ b/seed/grafana/manual/image/postinstall/grafana.sh
@ -0,0 +1,11 @@
 mkdir -p $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/grafana/plugins
 #echo """#!/bin/bash -xe
 #grafana-cli plugins install grafana-image-renderer
 #mkdir -p /usr/lib/grafana
 #mv /var/lib/grafana/plugins/ /usr/lib/grafana/
 #""" > $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/install.sh
 #chmod 755 $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/install.sh
 #mv $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/etc/resolv.conf /tmp
 #echo "nameserver 9.9.9.9" > $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/etc/resolv.conf
 #chroot $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP /install.sh
 #mv -f /tmp/resolv.conf $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/etc/resolv.conf
--- a/seed/grafana/manual/image/preinstall/grafana.sh
+++ b/seed/grafana/manual/image/preinstall/grafana.sh
@ -0,0 +1 @@
 PKG="$PKG grafana"
--- a/seed/grafana/templates/grafana-server
+++ b/seed/grafana/templates/grafana-server
@ -0,0 +1,30 @@
 GRAFANA_USER=grafana
 GRAFANA_GROUP=grafana
 #>GNUNUX
 #GRAFANA_HOME=/usr/share/grafana
 GRAFANA_HOME=/srv/grafana/home
 #<GNUNUX
 LOG_DIR=/var/log/grafana
 #>GNUNUX
 #DATA_DIR=/var/lib/grafana
 DATA_DIR=/srv/grafana/var
 #<GNUNUX
 MAX_OPEN_FILES=10000
 CONF_DIR=/etc/grafana
 CONF_FILE=/etc/grafana/grafana.ini
 RESTART_ON_UPGRADE=true
 PLUGINS_DIR=/var/lib/grafana/plugins
 PROVISIONING_CFG_DIR=/etc/grafana/provisioning
 # Only used on systemd systems
 PID_FILE_DIR=/var/run/grafana
--- a/seed/grafana/templates/grafana-server.service
+++ b/seed/grafana/templates/grafana-server.service
@ -0,0 +1,5 @@
 [Unit]
 After=risotto.target
 [Service]
 GRAFANA_HOME=/srv/grafana/home
--- a/seed/grafana/templates/grafana.ini
+++ b/seed/grafana/templates/grafana.ini
--- a/seed/grafana/templates/tmpfile-grafana.conf
+++ b/seed/grafana/templates/tmpfile-grafana.conf
@ -0,0 +1,2 @@
 d /srv/grafana 700 grafana grafana - -
 d /srv/grafana/home 700 grafana grafana - -
--- a/seed/host-systemd-machined/dictionaries/21_machined.xml
+++ b/seed/host-systemd-machined/dictionaries/21_machined.xml
@ -2,32 +2,37 @@
 <rougail version="0.10">
  <services>
    <service name="systemd-machined">
-      <file>/etc/systemd/network/80-container-vz.network</file>
+      <file engine="none">/etc/systemd/network/80-container-vz.network</file>
-      <file file_type="variable" source="70-container.network" variable="zone_name">systemd_zone_filename</file>
+      <file file_type="variable" source="70-container.network" variable="zone_name" engine="ansible">systemd_zone_filename</file>
-      <file file_type="variable" source="70-container.netdev" variable="zone_name">systemd_netzone_filename</file>
+      <file file_type="variable" source="70-container.netdev" variable="zone_name" engine="ansible">systemd_netzone_filename</file>
    </service>
-    <service name="risotto-images" engine="cheetah" manage="False"/>
+    <service name="risotto-images" engine="ansible" manage="False"/>
    <service name="systemd-sysctl"/>
    <service name="systemd-networkd"/>
    <service name="systemd-resolved"/>
-    <service name="risotto-images" type="timer" engine="cheetah"/>
+    <service name="risotto-images" type="timer" engine="none"/>
-    <service name="risottofirewall" engine="cheetah"/>
+    <service name="risottofirewall" engine="ansible"/>
    <service name="systemd-nspawn@">
-      <file>/tmpfiles.d/0asystemd-nspawn.conf</file>
+      <file engine="none">/tmpfiles.d/0asystemd-nspawn.conf</file>
-      <file>/etc/systemd/system/systemd-nspawn@.service.d/systemd-nspawn@.conf</file>
+      <file engine="none">/etc/systemd/system/systemd-nspawn@.service.d/systemd-nspawn@.conf</file>
-      <file>/etc/distro.repos.d/boot.repo</file>
+      <file engine="none">/etc/distro.repos.d/boot.repo</file>
      <file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-35-x86_64</file>
      <file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-36-x86_64</file>
      <file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-37-x86_64</file>
      <file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-38-x86_64</file>
      <file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-36</file>
-      <file>/etc/sysctl.d/90-risotto.conf</file>
+      <file engine="ansible">/etc/sysctl.d/90-risotto.conf</file>
-      <file file_type="variable" source="dhcp.network" variable="interface_names">host_network_filename</file>
+      <file engine="ansible" file_type="variable" source="dhcp.network" variable="interface_names">host_network_filename</file>
    </service>
    <service name="vector" servicelist="vector">
      <file engine="ansible">/etc/vector/vector.toml</file>
    </service>
  </services>
  <variables>
    <variable name="host_install_dir" type="filename" description="Nom du répertoire comprenant les descriptions d'installation" mandatory="True" provider="global:host_install_dir"/>
    <variable name="host_name" type="domainname" hidden="True" provider="global:server_name" mandatory="True"/>
    <variable name="module_name" type="string" hidden="True" provider="global:module_name" mandatory="True"/>
    <variable name="tls_server" type="domainname" description="tls domaine name" mandatory="True" provider="global:tls_server"/>
    <variable name="systemd_zone_filename" type="filename" hidden="True" multi="True"/>
    <variable name="systemd_netzone_filename" type="filename" hidden="True" multi="True"/>
    <variable name="vm_swappiness" type="number" description="Ajustement de la mémoire virtuelle" mandatory="True">
@ -80,6 +85,14 @@
      <variable name="zone_name" type="string" hidden="True" multi="True"/>
      <variable name="zone_cidr" type="cidr" hidden="True"/>
    </family>
    <family name="vector">
      <variable name="server_address" type="domainname" hidden="True" supplier="Vector"/>
      <variable name="ip_address" type="ip" hidden="True"/>
    </family>
    <family name="prometheus">
      <variable name="prometheus_server_address" type="domainname" hidden="True" supplier="Prometheus"/>
      <variable name="prometheus_ip_address" type="ip" hidden="True" supplier="Prometheus:address"/>
    </family>
  </variables>
  <constraints>
    <fill name="get_internal_zone_names">
@ -120,6 +133,16 @@
      <param type="index"/>
      <target>first_interface</target>
    </fill>
    <fill name="get_ip">
      <param type="information">zones</param>
      <param type="variable">server_address</param>
      <target>ip_address</target>
    </fill>
    <fill name="get_host_ip">
      <param type="information">zones</param>
      <param type="variable">prometheus_server_address</param>
      <target>prometheus_ip_address</target>
    </fill>
    <condition name="disabled_if_not_in" source="interface_type">
      <param>ipv4</param>
      <target>interface_ip</target>
@ -131,5 +154,14 @@
      <target>interface_gateway</target>
      <target>interface_domain_name_servers</target>
    </condition>
    <condition name="disabled_if_in" source="server_address">
      <param type="nil"/>
      <target type="servicelist">vector</target>
      <target type="variable">ip_address</target>
    </condition>
    <condition name="disabled_if_in" source="prometheus_server_address">
      <param type="nil"/>
      <target type="variable">prometheus_ip_address</target>
    </condition>
  </constraints>
 </rougail>
--- a/seed/host-systemd-machined/extras/machined/00_machined.xml
+++ b/seed/host-systemd-machined/extras/machined/00_machined.xml
@ -2,9 +2,10 @@
 <rougail version="0.10">
  <services>
    <service name="systemd-nspawn@">
-      <file file_type="variable" source="nspawn" variable="machined.machines">machined.nspawn_zone_filename</file>
+      <file engine="ansible" file_type="variable" source="nspawn" variable="machined.machines">machined.nspawn_zone_filename</file>
-      <file file_type="variable" source="network-script" variable="machined.machines" mode="700">machined.nspawn_script_network</file>
+      <file engine="ansible" file_type="variable" source="network-script" variable="machined.machines" mode="700">machined.nspawn_script_network</file>
-      <file file_type="variable" source="tls-script" variable="machined.machines" mode="700">machined.nspawn_script_tls</file>
+      <file engine="ansible" file_type="variable" source="tls-script" variable="machined.machines" mode="700">machined.nspawn_script_tls</file>
      <file engine="ansible" file_type="variable" source="directory-script" variable="machined.machines" mode="700">machined.nspawn_script_directory</file>
    </service>
  </services>
  <variables>
@ -22,6 +23,7 @@
    <variable name="nspawn_zone_filename" type="filename" hidden="True" multi="True"/>
    <variable name="nspawn_script_network" type="filename" hidden="True" multi="True"/>
    <variable name="nspawn_script_tls" type="filename" hidden="True" multi="True"/>
    <variable name="nspawn_script_directory" type="filename" hidden="True" multi="True"/>
  </variables>
  <constraints>
    <fill name="calc_value">
@ -38,6 +40,13 @@
      <param name="multi" type="boolean">True</param>
      <target>machined.nspawn_script_tls</target>
    </fill>
    <fill name="calc_value">
      <param>/sbin/directory-</param>
      <param type="variable">machined.machines</param>
      <param name="join"></param>
      <param name="multi" type="boolean">True</param>
      <target>machined.nspawn_script_directory</target>
    </fill>
    <fill name="calc_value">
      <param>/etc/systemd/nspawn/</param>
      <param type="variable">machined.machines</param>
--- a/seed/host-systemd-machined/funcs/machined.py
+++ b/seed/host-systemd-machined/funcs/machined.py
@ -9,3 +9,16 @@ def get_internal_zone_names(zones) -> _List[str]:
 def is_first_interface(index) -> bool:
    return index == 0
@_multi_function
 def get_host_ip(zones: dict,
                server_name: str,
                ):
    host_name, domain_name = server_name.split('.', 1)
    for zone in zones.values():
        if domain_name == zone['domain_name']:
            break
    else:
        raise ValueError(f'cannot find IP in domain name "{domain_name}" (for "{server_name}")')
    return zone['host_ip']
--- a/seed/host-systemd-machined/templates/70-container.netdev
+++ b/seed/host-systemd-machined/templates/70-container.netdev
@ -1,3 +1,3 @@
 [NetDev]
-Name=%%rougail_variable
+Name={{ rougail_variable }}
 Kind=bridge
--- a/seed/host-systemd-machined/templates/70-container.network
+++ b/seed/host-systemd-machined/templates/70-container.network
@ -1,6 +1,6 @@
 [Match]
-Name=%%rougail_variable
+Name={{ rougail_variable }}
 [Network]
-Address=%%zone_name[%%rougail_index].zone_cidr
+Address={{ general.zones.zone_name[rougail_index].zone_cidr }}
 EmitLLDP=customer-bridge
--- a/seed/host-systemd-machined/templates/90-risotto.conf
+++ b/seed/host-systemd-machined/templates/90-risotto.conf
@ -1,3 +1,3 @@
 net.ipv4.ip_forward = 1
 fs.inotify.max_user_instances = 1024
-vm.swappiness = %%vm_swappiness
+vm.swappiness = {{ general.vm_swappiness }}
--- a/seed/host-systemd-machined/templates/RPM-GPG-KEY-fedora-38-x86_64
+++ b/seed/host-systemd-machined/templates/RPM-GPG-KEY-fedora-38-x86_64
@ -0,0 +1,29 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mQINBGIC2cYBEADJye1aE0AR17qwj6wsHWlCQlcihmqkL8s4gbOk1IevBbH4iXJx
 lu6bN+NhTcCCX6eHmaL5Pwb/bpkMmLR+/r1D2cLDK24YzvN6kJnwRQUTf2dbqYmg
 mNBgIMm+kAabBZPwUHUzyQ9CT/WJpYr1OYu8JIkdxF35nrPewnnOUUqxqbi8fXRQ
 gskSLF8UveiOjFIqmWwlPwT1UtnevAaF80UGQlkwFvqjjh4b9vKY2gHMAQwt+wg5
 HFFCSwSrnd88ZoDb3pKvDMeurYUiPzF5f2r+ziVkMuaSNckvp58uge7HvyqQPAdJ
 ZRswCCxhUAo9VqkNfB4Ud25ASyalk9jOE3HB8E35gFfPXvuX1n15THXNcwMEiybk
 Omne2YwXL8ShGNr5otjqywThMrrqcl2g/pJVTcpDHTR5Hn9YRp+GHlYLjyEr+/x7
 xM19y9ca9GUiJqDbEREHcKKIhYiGmcIjjcJvei/3C/aM4pqeGFJBbVSnw3qeMxH/
 6ArAMA1sAdShCkv2YjlcF0r4uoCjXdS3xrKLz9PSCquot7RySnOE9TZ7flfJll7Z
 q+lNaSeJg7FK8VWSUb9Lit6VEYVbzWKzespDDbujrHbFpydyq8gXurk7bSR2w0te
 gsmytQqT/w1z2bydgGF6SfY9Px0wuA8GQKr48l5Bhdc6+vHHFqPKzz0PVQARAQAB
 tDFGZWRvcmEgKDM4KSA8ZmVkb3JhLTM4LXByaW1hcnlAZmVkb3JhcHJvamVjdC5v
 cmc+iQJOBBMBCAA4FiEEalG7q7o9VGe2FxIhgJqNfOsQtGQFAmIC2cYCGw8FCwkI
 BwIGFQoJCAsCBBYCAwECHgECF4AACgkQgJqNfOsQtGScyw/7BLmD4Fwi4QZY94zl
 vlJdNufZRavOemSIVVDHoCr8pQBAdrvoMypxJd5zM4ODIqFsjdYpFti+Tkeq4/4U
 25UoLPEOtU8UDt2uq7LqfdCxspaj7VyXAJIkpf7wEvLS4Jzo+YaMIlsd0dCrMXTM
 vhu4gKpBFW6C+gGlmuDyTJbyrf7ilytgVzVtIfRrT7XffylviIlZHwKm43UDjvzX
 YEl3EAFR1RjATwXMy2aJh7GCNsz+fKs+7YRKQUhpMF5un/2pyNJO+LbVGGwGZvga
 K9Kfsg/4r1ync4nDDD1dadKIHhobDeiJ9uZLoBvvVDz7Ywu7q/vv4zIPxstYBNq4
 6fLKDtYXuJCK0EV9Qy4ox67t0UGlaRGH8y5YUqOI10xH7iQej0xWlSc8w2dKhPz8
 z9XLv2OMK+PvqvflhFHhWkqEoQRqTu0TVD0fLLe4lqieJlqZcJqW0F9G/vNSSWmf
 POLa/Nim71gL2fPjCJOIRV4K/cJSyBmu5NchG7dHD5sUtJxZ4TFSuepaBZ8cPK1x
 e26TaCBqoUWgUXWmw+P89aOpYOJYEFfT/VAm2Ywn+c1EFUmD+30wQ7aP/RUFl94z
 n0BjqsWDnCKVFHydZ0TZSpeADmXMg2VYZPcp/cQR1KjoBoDxAscis7b1XPQUg7CB
 zquq5jBVAnsNIhs7g47GWKyDUJM=
 =aCLl
 -----END PGP PUBLIC KEY BLOCK-----
--- a/seed/host-systemd-machined/templates/dhcp.network
+++ b/seed/host-systemd-machined/templates/dhcp.network
@ -1,17 +1,17 @@
 [Match]
-Name=%%rougail_variable
+Name={{ rougail_variable }}
 [Network]
-%set %%leader = %%interface_names[%%rougail_index]
+{% set leader = general.network.interfaces.interface_names[rougail_index] %}
-%if %%leader.interface_type == 'dhcp'
+{% if leader.interface_type == 'dhcp' %}
 DHCP=ipv4
-%else
+{% else %}
 DHCP=no
-Address=%%leader.interface_ip
+Address={{ leader.interface_ip }}
-  %if %%leader.first_interface
+{% if leader.first_interface %}
-Gateway=%%leader.interface_gateway
+Gateway={{ leader.interface_gateway }}
-    %for %%dns in %%leader.interface_domain_name_servers
+{% for dns in leader.interface_domain_name_servers %}
-DNS=%%dns
+DNS={{ dns }}
-    %end for
+{% endfor %}
-  %end if
+{% endif %}
-%end if
+{% endif %}
--- a/seed/host-systemd-machined/templates/directory-script
+++ b/seed/host-systemd-machined/templates/directory-script
@ -0,0 +1,16 @@
 #!/bin/bash
 set -e
 {% set family = rougail_variable|normalize_family %}
 {% set srv_dir = machined['machine_' + family]['srv_dir_' + family] %}
 {% if srv_dir %}
 mkdir -p {{ srv_dir }}
 chmod 755 {{ srv_dir }}
 {% endif %}
 {% set journal_dir = machined['machine_' + family]['journal_dir_' + family] %}
 mkdir -p {{ journal_dir }}
 chmod 755 {{ journal_dir }}
 exit 0
--- a/seed/host-systemd-machined/templates/network-script
+++ b/seed/host-systemd-machined/templates/network-script
@ -1,18 +1,18 @@
-%echo "#!/bin/bash"
+#!/bin/bash
 set -e
-%set %%name = %%normalize_family(%%rougail_variable)
+{% set name = rougail_variable|normalize_family %}
-%set %%container = %%machined['machine_' + %%name]
+{% set container = machined['machine_' + name] %}
-%set zones = %%container['zones_' + %%name]
+{% set zones = container['zones_' + name] %}
-%if %%len(%%zones) > 1
+{% if zones| length > 1 %}
- %for %%idx, %%zone in %%enumerate(%%zones)
+{% for zone in zones %}
-  %if not %%idx
+{% set idx = loop.index - 1 %}
-    %continue
+{% if idx %}
-  %end if
+{% set intname = "vc-" + idx|string + rougail_variable %}
-  %set %%intname = "vc-" + %%str(%%idx) + %%rougail_variable
+echo "configuration de {{ intname }}"
-echo "configuration de %intname"
+/usr/sbin/ip link set dev {{ intname[:15] }} master {{ zone }}
-/usr/sbin/ip link set dev %%intname[:15] master %%zone
+/usr/sbin/ip link set dev {{ intname[:15] }} up
-/usr/sbin/ip link set dev %%intname[:15] up
+{% endif %}
- %end for
+{% endfor %}
-%end if
+{% endif %}
-exit 0
+exit 0  
--- a/seed/host-systemd-machined/templates/nspawn
+++ b/seed/host-systemd-machined/templates/nspawn
@ -1,31 +1,32 @@
 [Files]
 Volatile=true
 PrivateUsersChown=false
-%set %%name = %%normalize_family(%%rougail_variable)
+{% set name = rougail_variable|normalize_family %}
-%set %%container = %%machined['machine_' + %%name]
+{% set container = machined['machine_' + name] %}
-%if %%container['srv_dir_' + %%name]
+{% if container['srv_dir_' + name] %}
-Bind=%%container['srv_dir_' + %%name]:/srv
+Bind={{ container['srv_dir_' + name] }}:/srv
-%end if
+{% endif %}
-Bind=%%container['journal_dir_' + %%name]:/var/log/journal/
+Bind={{ container['journal_dir_' + name] }}:/var/log/journal/
-BindReadOnly=%%container['config_dir_' + %%name]:/usr/local/lib
+BindReadOnly={{ container['config_dir_' + name] }}:/usr/local/lib
-%if %%container['tls_dir_' + %%name]
+{% if container['tls_dir_' + name] %}
-Bind=%%container['tls_dir_' + %%name]:/srv/tls
+Bind={{ container['tls_dir_' + name] }}:/srv/tls
-%end if
+{% endif %}
-%set zones = %%container['zones_' + %%name]
+{% set zones = container['zones_' + name] %}
-%if %%zones
+{% if zones %}
 [Network]
 Private=yes
 VirtualEthernet=yes
- %for %%idx, %%zone in %%enumerate(%%zones)
+{% for zone in zones %}
-  %if %%idx == 0
+{% set index = loop.index - 1 %}
-Bridge=%%zones[0]
+{% if index == 0 %}
-  %else
+Bridge={{ zones[0] }}
-   %set %%intname = "vc-" + %%str(%%idx) + %%rougail_variable
+{% else %}
-VirtualEthernetExtra=%%intname[:15]:host%%idx
+{% set intname = "vc-" + index|string + rougail_variable %}
-  %end if
+VirtualEthernetExtra={{ intname[:15] }}:host{{ index }}
- %end for
+{% endif %}
-%end if
+{% endfor %}
-%for %%port in %%container['incoming_ports_' + %%name]
+{% endif %}
-Port=tcp:%%port:%%port
+{% for port in container['incoming_ports_' + name] %}
-%end for
+Port=tcp:{{ port }}:{{ port }}
 {% endfor %}
--- a/seed/host-systemd-machined/templates/risotto-images.service
+++ b/seed/host-systemd-machined/templates/risotto-images.service
@ -4,8 +4,8 @@ After=network.target local-fs.target systemd-logind.service
 [Service]
 Type=oneshot
-ExecStart=/usr/local/sbin/backup_images no
+ExecStart=/usr/local/sbin/backup_images
-ExecStart=/usr/local/sbin/update_images
+ExecStart=/usr/local/sbin/update_images {{ tls_server }} "" reboot_every_monday
 [Install]
 WantedBy=multi-user.target
--- a/seed/host-systemd-machined/templates/risottofirewall.service
+++ b/seed/host-systemd-machined/templates/risottofirewall.service
@ -1,11 +1,3 @@
 %def %%get_protocol_port(%%port)
  %if ':' in %%port
    %set %%protocol, %%port = %%port.split(':')
  %else
    %set %%protocol = 'tcp'
  %end if
  %return %%protocol, %%port
 %end def
 [Unit]
 Description=Firewall for Risotto
 After=network.target
@ -13,32 +5,54 @@ After=network.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-%set %%has_rules = False
+{% set ns = namespace(has_rules=False, incoming_ports={"tcp": {}, "udp": {}}) %}
-%set %%incoming_ports = {'tcp': {}, 'udp': {}}
+{% for dns in machined.machines %}
-%for %%dns in %%machined.machines
+{% set machine = dns|normalize_family %}
-  %set %%machine = %%normalize_family(%%dns)
+{% set outgoing = machined["machine_" + machine]["outgoing_ports_" + machine] %}
-  %set %%outgoing = %%machined['machine_' + %%machine]['outgoing_ports_' + %%machine]
+{% if outgoing %}
-  %if %%outgoing
+{% set ip = machined["machine_" + machine]["ip_" + machine] %}
-    %set %%ip = %%machined['machine_' + %%machine]['ip_' + %%machine]
+{% for port in outgoing %}
-    %for %%port in %%outgoing
+{% if ":" in port %}
-       %set %%protocol, %%port = %%get_protocol_port(%%port)
+{% set protocol, port = port.split(":") %}
-ExecStart=/sbin/iptables -t nat -A POSTROUTING -s %%ip -p %%protocol -m %%protocol --dport %%port -o %%output_interface -j MASQUERADE
+{% else %}
-ExecStop=-/sbin/iptables -t nat -D POSTROUTING -s %%ip -p %%protocol -m %%protocol --dport %%port -o %%output_interface -j MASQUERADE
+{% set protocol = "tcp" %}
-       %set %%has_rules = False
+{% endif %}
-    %end for
+ExecStart=/sbin/iptables -t nat -A POSTROUTING -s {{ ip }} -p {{ protocol }} -m {{ protocol }} --dport {{ port }} -o {{ output_interface }} -j MASQUERADE
-  %end if
+ExecStop=-/sbin/iptables -t nat -D POSTROUTING -s {{ ip }} -p {{ protocol }} -m {{ protocol }} --dport {{ port }} -o {{ output_interface }} -j MASQUERADE
-  %set %%incoming = %%machined['machine_' + %%machine]['incoming_ports_' + %%machine]
+{% set ns.has_rules = True %}
-  %for %%port in %%incoming
+{% endfor %}
-     %set %%protocol, %%port = %%get_protocol_port(%%port)
+{% endif %}
-     %if %%port in %%incoming_ports[%%protocol]
+{% set incoming = machined["machine_" + machine]["incoming_ports_" + machine] %}
-       %raise Exception('the port "' + %%port + '" cannot be deployed for multiple machines: "' + %%dns + '" and "' + %%incoming_ports[%%protocol][%%port] + '"')
+{% for port in incoming %}
-     %end if
+{% if ":" in port %}
-     %set %%incoming_ports[%%protocol][%%port] = %%dns
+{% set protocol, port = port.split(":") %}
-  %end for
+{% else %}
-%end for
+{% set protocol = "tcp" %}
-%if not %%has_rules
+{% endif %}
 {% if port in ns.incoming_ports[protocol] %}
 {% set msg = 'the port "' + port + '" cannot be deployed for multiple machines: "' + dns + '" and "' + ns.incoming_ports[protocol][port] + '"' %}
 {{ msg|raise }}
 {% endif %}
 {% set x=ns.incoming_ports.__getitem__(protocol).__setitem__(port, dns) %}
 {% endfor %}
 {% endfor %}
 {% if not ns.has_rules %}
 ExecStart=/usr/bin/echo "No rule"
-%end if
+{% endif %}
 #FIXME
 ExecStart=/sbin/iptables-legacy -t nat -A PREROUTING -p tcp -m tcp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
 ExecStart=/sbin/iptables-legacy -t nat -A PREROUTING -p udp -m udp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
 ExecStart=/sbin/iptables-legacy -t nat -A OUTPUT ! -d 127.0.0.0/8 -p tcp -m tcp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
 ExecStart=/sbin/iptables-legacy -t nat -A OUTPUT ! -d 127.0.0.0/8 -p udp -m udp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
 ExecStart=/sbin/iptables-legacy -t nat -A POSTROUTING -o enp3s0 -p tcp -m tcp --dport 53 -j MASQUERADE
 ExecStart=/sbin/iptables-legacy -t nat -A POSTROUTING -o enp3s0 -p udp -m udp --dport 53 -j MASQUERADE
 ExecStop=/sbin/iptables-legacy -t nat -D PREROUTING -p tcp -m tcp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
 ExecStop=/sbin/iptables-legacy -t nat -D PREROUTING -p udp -m udp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
 ExecStop=/sbin/iptables-legacy -t nat -D OUTPUT ! -d 127.0.0.0/8 -p tcp -m tcp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
 ExecStop=/sbin/iptables-legacy -t nat -D OUTPUT ! -d 127.0.0.0/8 -p udp -m udp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
 ExecStop=/sbin/iptables-legacy -t nat -D POSTROUTING -o enp3s0 -p tcp -m tcp --dport 53 -j MASQUERADE
 ExecStop=/sbin/iptables-legacy -t nat -D POSTROUTING -o enp3s0 -p udp -m udp --dport 53 -j MASQUERADE
 #FIXME
 [Install]
 WantedBy=multi-user.target
--- a/seed/host-systemd-machined/templates/systemd-nspawn@.conf
+++ b/seed/host-systemd-machined/templates/systemd-nspawn@.conf
@ -1,3 +1,4 @@
 [Service]
 ExecStartPre=/usr/local/lib/sbin/directory-%i
 ExecStartPre=/usr/local/lib/sbin/tls-%i
 ExecStartPost=/usr/local/lib/sbin/network-%i
--- a/seed/host-systemd-machined/templates/tls-script
+++ b/seed/host-systemd-machined/templates/tls-script
@ -1,29 +1,29 @@
-%echo "#!/bin/bash"
+#!/bin/bash
 set -e
-%for %%machine in %%machined.machines
+{% set ns = namespace(tls_dir=None) %}  
-  %set %%nor_machine = %%normalize_family(%%machine)
+{% for machine in machined.machines %}
-  %set tls_dir = %%machined['machine_' + %%nor_machine]['tls_dir_' + %%nor_machine]
+{% if not ns.tls_dir %}
-  %if %%tls_dir
+{% set nor_machine = machine|normalize_family %}
-%break
+{% set ns.tls_dir = machined['machine_' + nor_machine]['tls_dir_' + nor_machine] %}
-  %end if
+{% endif %}
-%end for
+{% endfor %}
-%if %%tls_dir
+{% if ns.tls_dir %}
-  %set %%dst_dir = %%machined['machine_' + %%normalize_family(%%rougail_variable)]['config_dir_' +  %%normalize_family(%%rougail_variable)]
+{% set dst_dir = machined['machine_' + rougail_variable|normalize_family]['config_dir_' + rougail_variable|normalize_family] %}
-  %set %%src_dir = %%tls_dir + "/machines/" + %%rougail_variable
+{% set src_dir = ns.tls_dir + "/machines/" + rougail_variable %}
-  %if 'certificates' in %%extra_variables and %%rougail_variable in %%extra_variables['certificates']
+{% if 'certificates' in extra_variables and rougail_variable in extra_variables['certificates'] %}
-if [ -d "%%dst_dir" ] && [ -d "%%src_dir" ]; then
+if [ -d "{{ dst_dir }}" ] && [ -d "{{ src_dir }}" ]; then
-    %for %%certificate in %%extra_variables['certificates'][%%rougail_variable]
+{% for certificate in extra_variables['certificates'][rougail_variable] %}
-      %set %%files = [%%certificate.name]
+{% set files = [certificate.name] %}
-	  %if %%certificate.provider == 'autosigne'
+{% if certificate.provider == 'autosigne' %}
-	    %%files.append(%%certificate.authority)
+{{ files.append(certificate.authority) }}
-	  %end if
+{% endif %}
-      %if 'private' in %%certificate
+{% if 'private' in certificate %}
-        %%files.append(%%certificate.private)
+{{ files.append(certificate.private) }}
-      %end if
+{% endif %}
-      %for %%file in %%files
+{% for file in files %}
-    src_file="%%{src_dir}%%file"
+    src_file="{{ src_dir }}{{ file}}"
-    dst_file="%%{dst_dir}%%file"
+    dst_file="{{dst_dir}}{{ file }}"
    dst_dir=$(dirname "$dst_file")
    mkdir -p "$dst_dir"
 # ne fonctionne pas avec revprox :/
@ -39,9 +39,9 @@ if [ -d "%%dst_dir" ] && [ -d "%%src_dir" ]; then
    chown root: "$dst_file"
    chmod 700 "$dst_file"
-      %end for
+{% endfor %}
-    %end for
+{% endfor %}
 fi
-  %end if
+{% endif %}
-%end if
+{% endif %}
 exit 0
--- a/seed/host-systemd-machined/templates/vector.toml
+++ b/seed/host-systemd-machined/templates/vector.toml
@ -0,0 +1,69 @@
 #                                    __   __  __
 #                                    \ \ / / / /
 #                                     \ V / / /
 #                                      \_/  \/
 #
 #                                    V E C T O R
 #                                   Configuration
 #
 # ------------------------------------------------------------------------------
 # Website: https://vector.dev
 # Docs: https://vector.dev/docs
 # Chat: https://chat.vector.dev
 # ------------------------------------------------------------------------------
 # Change this to use a non-default directory for Vector data storage:
 # data_dir = "/var/lib/vector"
 # Random Syslog-formatted logs
 #>GNUNUX
 #[sources.dummy_logs]
 #type = "demo_logs"
 #format = "syslog"
 #interval = 1
 [sources.journal]
 type = "journald"
 {% if general.prometheus.prometheus_server_address %}
 [sources.metrics]
 type = "host_metrics"
 {% endif %}
 #<GNUNUX
 # Parse Syslog logs
 # See the Vector Remap Language reference for more info: https://vrl.dev
 #>GNUNUX
 #[transforms.parse_logs]
 #type = "remap"
 #inputs = ["dummy_logs"]
 #source = '''
 #. = parse_syslog!(string!(.message))
 #'''
 #<GNUNUX
 # Print parsed logs to stdout
 #>GNUNUX
 [sinks.vector]
 type = "vector"
 inputs = ["journal"]
 address = "{{ general.vector.ip_address }}:8686"
 {% if general.prometheus.prometheus_server_address %}
 [sinks.prometheus]
 type = "prometheus_exporter"
 inputs = ["metrics"]
 address = "{{ general.prometheus.prometheus_ip_address }}:9090"
 #{% endif %}
 #<GNUNUX
 # Vector's GraphQL API (disabled by default)
 # Uncomment to try it out with the `vector top` command or
 # in your browser at http://localhost:8686
 #[api]
 #enabled = true
 #address = "127.0.0.1:8686"
 #>GNUNUX
 [api]
 enabled = true
 address = "127.0.0.1:8686"
 #<GNUNUX
--- a/seed/journald/applicationservice.yml
+++ b/seed/journald/applicationservice.yml
@ -0,0 +1,3 @@
 format: '0.1'
 description: Journald
 website: https://systemd.io/
--- a/seed/journald/dictionaries/20_journald.xml
+++ b/seed/journald/dictionaries/20_journald.xml
@ -0,0 +1,26 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
  <services>
    <service name="systemd-journal-upload" target="multi-user" servicelist="journald">
      <override engine="none"/>
      <certificate authority="Journald" server="journal_client_server_domainname" group="systemd-journal">journald</certificate>
      <file engine="ansible">/etc/systemd/journal-upload.conf</file>
    </service>
  </services>
  <variables>
    <family name="journald" description="systemd-journald">
      <variable name="journal_client_server_domainname" type="domainname" supplier="Journald"/>
      <variable name="journal_host_name" type="domainname" supplier="Journald:host"/>
    </family>
  </variables>
  <constraints>
    <condition name="disabled_if_in" source="journal_client_server_domainname">
      <param type="nil"/>
      <target type="servicelist">journald</target>
    </condition>
    <fill name="calc_value">
      <param type="variable">domain_name_eth0</param>
      <target>journal_host_name</target>
    </fill>
  </constraints>
 </rougail>
--- a/seed/journald/manual/image/preinstall/journald.sh
+++ b/seed/journald/manual/image/preinstall/journald.sh
@ -0,0 +1 @@
 PKG="$PKG systemd-journal-remote"
--- a/seed/journald/templates/journal-upload.conf
+++ b/seed/journald/templates/journal-upload.conf
@ -0,0 +1,25 @@
 #  This file is part of systemd.
 #
 #  systemd is free software; you can redistribute it and/or modify it under the
 #  terms of the GNU Lesser General Public License as published by the Free
 #  Software Foundation; either version 2.1 of the License, or (at your option)
 #  any later version.
 #
 # Entries in this file show the compile time defaults. Local configuration
 # should be created by either modifying this file, or by creating "drop-ins" in
 # the journal-upload.conf.d/ subdirectory. The latter is generally recommended.
 # Defaults can be restored by simply deleting this file and all drop-ins.
 #
 # See journal-upload.conf(5) for details.
 [Upload]
 # URL=
 # ServerKeyFile=/etc/ssl/private/journal-upload.pem
 # ServerCertificateFile=/etc/ssl/certs/journal-upload.pem
 # TrustedCertificateFile=/etc/ssl/ca/trusted.pem
 #>GNUNUX
 URL=https://{{ journal_client_server_domainname }}:19532
 ServerCertificateFile={{ general.tls_cert_directory }}/journald.crt
 ServerKeyFile={{ general.tls_key_directory }}/journald.key
 TrustedCertificateFile={{ general.tls_ca_directory }}/Journald.crt
 #<GNUNUX
--- a/seed/journald/templates/systemd-journal-upload.service
+++ b/seed/journald/templates/systemd-journal-upload.service
@ -0,0 +1,2 @@
 [Unit]
 After=risotto.target
--- a/seed/journald_remote/applicationservice.yml
+++ b/seed/journald_remote/applicationservice.yml
@ -0,0 +1,3 @@
 format: '0.1'
 description: Journald remote
 website: https://systemd.io/
--- a/seed/journald_remote/dictionaries/21_journald.xml
+++ b/seed/journald_remote/dictionaries/21_journald.xml
@ -0,0 +1,11 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
  <services>
    <service name="systemd-journal-remote" target="multi-user">
      <override engine="none"/>
      <certificate certificatelist="journald" authority="Journald" type="server" owner="systemd-journal-remote">journald</certificate>
      <file engine="ansible" filelist="journald">/etc/systemd/journal-remote.conf</file>
    </service>
  </services>
 </rougail>
--- a/seed/journald_remote/extras/accounts/00_accounts.xml
+++ b/seed/journald_remote/extras/accounts/00_accounts.xml
@ -0,0 +1,21 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
  <variables>
    <variable name="remotes" description="Remote journald" type="domainname" provider="Journald" mandatory="True" multi="True"/>
    <family name="remote_" description="Account for " dynamic="accounts.remotes">
      <variable name="host_" description="Remote host" type="domainname" mandatory="True" provider="Journald:host"/>
      <variable name="messages_" multi="True" provider="Journald:message" unique="False"/>
      <variable name="services_" multi="True" provider="Journald:service" unique="False"/>
      <variable name="functions_" multi="True" provider="Journald:function" mandatory="False" unique="False"/>
    </family>
    <variable name="vector_conditions" hidden="True"/>
  </variables>
  <constraints>
    <fill name="calc_vector_conditions">
      <param type="variable">accounts.remote_.messages_</param>
      <param type="variable">accounts.remote_.services_</param>
      <param type="variable">accounts.remote_.functions_</param>
      <target>accounts.vector_conditions</target>
    </fill>
  </constraints>
 </rougail>
--- a/seed/journald_remote/funcs/journald_remote.py
+++ b/seed/journald_remote/funcs/journald_remote.py
@ -0,0 +1,20 @@
 from itertools import chain as _chain
 def calc_vector_conditions(messages, services, functions):
    mes = _chain(*messages)
    ser = list(_chain(*services))
    fun = list(_chain(*functions))
    conditions = []
    for idx, message in enumerate(mes):
        service = ser[idx]
        function = fun[idx]
        condition = '(.SYSLOG_IDENTIFIER == "' + service + '" && '
        if not function:
            condition += '.message == "' + message + '"'
        else:
            condition += function + '(to_string(.message) ?? "", "' + message + '")'
        condition += ')'
        if condition not in conditions:
            conditions.append(condition)
    return '!(' + ' || '.join(conditions) + ')'
--- a/seed/journald_remote/manual/image/preinstall/journald.sh
+++ b/seed/journald_remote/manual/image/preinstall/journald.sh
@ -0,0 +1 @@
 PKG="$PKG systemd-journal-remote"
--- a/seed/journald_remote/templates/journal-remote.conf
+++ b/seed/journald_remote/templates/journal-remote.conf
@ -0,0 +1,26 @@
 #  This file is part of systemd.
 #
 #  systemd is free software; you can redistribute it and/or modify it under the
 #  terms of the GNU Lesser General Public License as published by the Free
 #  Software Foundation; either version 2.1 of the License, or (at your option)
 #  any later version.
 #
 # Entries in this file show the compile time defaults. Local configuration
 # should be created by either modifying this file, or by creating "drop-ins" in
 # the journal-remote.conf.d/ subdirectory. The latter is generally recommended.
 # Defaults can be restored by simply deleting this file and all drop-ins.
 #
 # See journal-remote.conf(5) for details.
 [Remote]
 # Seal=false
 # SplitMode=host
 # ServerKeyFile=/etc/ssl/private/journal-remote.pem
 # ServerCertificateFile=/etc/ssl/certs/journal-remote.pem
 # TrustedCertificateFile=/etc/ssl/ca/trusted.pem
 #>GNUNUX
 SplitMode=none
 ServerCertificateFile={{ general.tls_cert_directory }}/journald.crt
 ServerKeyFile={{ general.tls_key_directory }}/journald.key
 TrustedCertificateFile={{ general.tls_ca_directory }}/Journald.crt
 #<GNUNUX
--- a/seed/journald_remote/templates/systemd-journal-remote.service
+++ b/seed/journald_remote/templates/systemd-journal-remote.service
@ -0,0 +1,3 @@
 [Service]
 ExecStart=
 ExecStart=/usr/lib/systemd/systemd-journal-remote --listen-https=-3 --output=/var/log/journal/remote/risotto.journal
--- a/seed/ldap-client/dictionaries/21_ldap-client.xml
+++ b/seed/ldap-client/dictionaries/21_ldap-client.xml
@ -1,22 +1,25 @@
 <?xml version="1.0" encoding="utf-8"?>
 <rougail version="0.10">
  <services>
-    <service name="ldap-client" target="risotto" engine="cheetah">
+    <service name="ldap-client" target="risotto" engine="ansible">
      <certificate authority="LDAP" owner="ldap_key_file_owner" owner_type="variable" server="ldap_server_address">ldap_client</certificate>
-      <file source="ldap.conf" file_type="variable">ldap_client_file</file>
+      <file engine="ansible" source="ldap.conf" file_type="variable">ldap_client_file</file>
    </service>
  </services>
  <variables>
-    <family name="annuaire" description="Annuaire OpenLDAP">
+    <family name="ldap" description="Annuaire OpenLDAP">
      <family name="server" description="Serveur">
        <variable name='ldap_server_address' type='domainname' description="Nom DNS du serveur LDAP" mandatory='True' supplier="LDAP"/>
        <variable name="ldap_server_ip" type="ip" hidden="True"/>
        <variable name='ldap_port' type='port' description='Port du serveur LDAP' hidden="True">
          <value>636</value>
        </variable>
        <variable name='prefix_domain_name' hidden="True" mandatory="True" provider="global:prefix_domain_name"/>
      </family>
      <family name="client" description="Client">
        <variable name='ldapclient_family' type='unix_user' description="Nom de la famille LDAP" supplier="LDAP:family"/>
        <variable name='ldapclient_user' type='string' description="DN de l'utilisateur LDAP" mandatory='False' hidden="True" supplier="LDAP:dn"/>
        <variable name='ldapclient_address' hidden="True"/>
        <variable name='ldapclient_user_password' type='password' description="Mot de passe de l'utilisateur LDAP" mandatory='True' hidden="True" supplier="LDAP:password"/>
        <variable name='ldapclient_base_dn' type='string' description="Base DN de l'annuaire" mandatory="True" supplier="LDAP:base_dn"/>
        <variable name='ldapclient_search_dn' type='string' description="Base DN de l'annuaire des utilisateurs" mandatory="True"/>
@ -25,7 +28,7 @@
        <variable name="ldap_key_file_owner" type="unix_user" description="Propriétaire du fichier de la clef privée LDAP" hidden="True">
          <value>root</value>
        </variable>
-	<variable name="ldap_client_file" type="filename" description="Nom du fichier du client LDAP" hidden="True"/>
+        <variable name="ldap_client_file" type="filename" description="Nom du fichier du client LDAP" hidden="True"/>
      </family>
    </family>
  </variables>
@ -33,8 +36,13 @@
    <check name='valid_base_dn'>
      <target>ldapclient_base_dn</target>
    </check>
-    <fill name='get_default_base_dn'>
+    <fill name="get_ip">
      <param type="information">zones</param>
      <param type="variable">ldap_server_address</param>
      <target>ldap_server_ip</target>
    </fill>
    <fill name='get_default_base_dn'>
      <param type="variable">prefix_domain_name</param>
      <target>ldapclient_base_dn</target>
    </fill>
    <fill name='calc_value'>
@ -45,12 +53,18 @@
    </fill>
    <fill name='calc_value'>
      <param>cn=</param>
-      <param type='variable'>domain_name_eth0</param>
+      <param type='variable'>ldapclient_address</param>
      <param>,</param>
      <param type='variable'>ldapclient_base_dn</param>
      <param name="join"></param>
      <target>ldapclient_user</target>
    </fill>
    <fill name="get_client_address">
      <param type='variable'>ldap_server_ip</param>
      <param type='variable'>domain_name_eth</param>
      <param type='variable'>network_eth</param>
      <target>ldapclient_address</target>
    </fill>
    <fill name="get_password">
      <param name="server_name" type="variable">ldap_server_address</param>
      <param name="username" type="variable">ldapclient_user</param>
--- a/seed/ldap-client/funcs/openldap_client.py
+++ b/seed/ldap-client/funcs/openldap_client.py
@ -1,4 +1,8 @@
 from ipaddress import ip_network as _ip_network, ip_address as _ip_address
 def valid_base_dn(base_dn: str) -> None:
    # copied from openldap
    for att in ['o', 'dc', 'ou']:
        if base_dn.startswith(att + '='):
            break
@ -11,6 +15,7 @@ def calc_ldapclient_base_dn(ldap_base_dn: str,
                            base: bool=False,
                            group: bool=False,
                            ) -> str:
    # copied from openldap
    if ldap_base_dn is None:
        return
    if family_name == 'all':
@ -39,14 +44,23 @@ class _Undefined:
 _undefined = _Undefined()
-def get_default_base_dn(server_name: str) -> str:
+def get_default_base_dn(prefix: str) -> str:
-    if not server_name or '.' not in server_name:
+    # copied from openldap
    if not prefix or '.' not in prefix:
        return None
-    values = server_name.split('.')
+    values = prefix.split('.')
-    # cannot calculated base dn should be server.domain.tld
+    # cannot calculated base dn should be subdomain.domain.tld
    # remove 'server' in dn
    if len(values) < 3:
        return None
-    domain = ['ou=' + domain for domain in values[1:-2]]
+    domain = ['ou=' + domain for domain in values[0:-2]]
    domain.append(f'o={values[-2]},o={values[-1]}')
    return ','.join(domain)
 def get_client_address(ip, infos, network_eth):
    ip_mail = _ip_address(ip)
    for idx, net in enumerate(network_eth):
        if ip_mail in _ip_network(net):
            val = infos[idx]
            return val
--- a/seed/ldap-client/templates/ldap-client.service
+++ b/seed/ldap-client/templates/ldap-client.service
@ -4,4 +4,4 @@ Before=risotto.target
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/%%ldap_server_address/%%ldap_port; do sleep 1; done'
+ExecStart=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/{{ ldap_server_address }}/{{ ldap_port }}; do sleep 1; done'
--- a/seed/ldap-client/templates/ldap.conf
+++ b/seed/ldap-client/templates/ldap.conf
@ -8,8 +8,8 @@
 #BASE	dc=example,dc=com
 #URI	ldap://ldap.example.com ldap://ldap-master.example.com:666
 #>GNUNUX
-BASE %%ldapclient_search_dn
+BASE {{ ldapclient_search_dn }}
-URI ldaps://%%ldap_server_address:%%ldap_port
+URI ldaps://{{ ldap_server_address }}:{{ ldap_port }}
 #<GNUNUX
 #SIZELIMIT	12
@ -21,9 +21,9 @@ URI ldaps://%%ldap_server_address:%%ldap_port
 # by TLS_CACERTDIR one has to include them explicitly:
 #TLS_CACERT	/etc/pki/tls/cert.pem
 #>GNUNUX
-TLS_CERT %%tls_cert_directory/ldap_client.crt
+TLS_CERT {{ tls_cert_directory }}/ldap_client.crt
-TLS_KEY %%tls_key_directory/ldap_client.key
+TLS_KEY {{ tls_key_directory }}/ldap_client.key
-TLS_CACERT %%tls_ca_directory/LDAP.crt
+TLS_CACERT {{ tls_ca_directory }}/LDAP.crt
 #<GNUNUX
 # System-wide Crypto Policies provide up to date cipher suite which should
@ -36,9 +36,9 @@ TLS_CACERT %%tls_ca_directory/LDAP.crt
 SASL_NOCANON	on
 #>GNUNUX
-BINDDN %%ldapclient_user
+BINDDN {{ ldapclient_user }}
 TIMELIMIT 10
 NETWORK_TIMEOUT 10
 TIMEOUT 10
-BINDPW %%ldapclient_user_password
+BINDPW {{ ldapclient_user_password }}
 #<GNUNUX
--- a/seed/lemonldap/DEBUG.md
+++ b/seed/lemonldap/DEBUG.md
@ -3,3 +3,7 @@ Log level to DEBUG
 sed -i "s/logLevel     = info/logLevel     = debug/g" /etc/lemonldap-ng/lemonldap-ng.ini
 systemctl restart lemonldap-ng-fastcgi-server.service
 sed -i 's/log error/log debug/g' /etc/nginx/nginx.conf
 systemctl restart nginx
--- a/seed/lemonldap/dictionaries/70_lemonldap_ng.xml
+++ b/seed/lemonldap/dictionaries/70_lemonldap_ng.xml
@ -2,7 +2,7 @@
 <rougail version="0.10">
  <services>
    <service name="lemonldap-ng-fastcgi-server">
-      <override/>
+      <override engine="none"/>
      <file engine="none">/static/logo.png</file>
      <file engine="none">/static/demo.png</file>
      <file engine="none">/static/silique_email.png</file>
@ -11,16 +11,15 @@
      <file engine="none">/static/silique_video.png</file>
      <file engine="none">/static/silique_image.png</file>
      <file engine="none">/static/risotto.css</file>
-      <file>/var/lib/lemonldap-ng/conf/lmConf-1.json</file>
+      <file engine="ansible">/var/lib/lemonldap-ng/conf/lmConf-1.json</file>
      <file engine="none">/etc/lemonldap-ng/lemonldap-ng.ini</file>
-      <!--file>/etc/lemonldap-ng/handler-nginx.conf</file-->
+      <file engine="ansible">/etc/lemonldap-ng/portal-nginx.conf</file>
-      <file>/etc/lemonldap-ng/portal-nginx.conf</file>
+      <file engine="none">/etc/lemonldap-ng/nginx-lmlog.conf</file>
-      <file>/etc/lemonldap-ng/nginx-lmlog.conf</file>
+      <file engine="ansible">/etc/default/lemonldap-ng-fastcgi-server</file>
-      <file>/etc/default/lemonldap-ng-fastcgi-server</file>
+      <file engine="ansible" mode="750">/sbin/interne_well_known.pl</file>
-      <file mode="750">/sbin/interne_well_known.pl</file>
+      <file engine="ansible" mode="750">/sbin/wget.pl</file>
      <file mode="750">/sbin/wget.pl</file>
      <file engine="none" source="tmpfile-lemonldap.conf">/tmpfiles.d/0lemonldap.conf</file>
-      <file filelist="copy_tests">/tests/lemonldap.yml</file>
+      <file engine="ansible" filelist="copy_tests">/tests/lemonldap.yml</file>
    </service>
  </services>
  <variables>
@ -36,7 +35,7 @@
      </variable>
      <variable name="lemon_mail_admin" type="mail" description="Courriel de l'administrateur" mandatory="True"/>
    </family>
-    <family name="annuaire">
+    <family name="ldap">
      <family name="client">
        <variable name='ldapclient_family' redefine="True">
          <value>all</value>
--- a/seed/lemonldap/extras/oauth2/00_oauth2.xml
+++ b/seed/lemonldap/extras/oauth2/00_oauth2.xml
@ -3,6 +3,7 @@
  <variables>
    <variable name="remotes" description="Remote clients needing to verify OAuth2 account" type="domainname" multi="True" provider="OAuth2"/>
    <family name="oauth2_" description="OAuth2 for " dynamic="oauth2.remotes">
      <variable name="client_id_" description="Remote client id for " mandatory="True" hidden="True" provider="OAuth2:client_id"/>
      <variable name="secret_" description="Remote secret for " type="password" mandatory="True" hidden="True" provider="OAuth2:secret"/>
      <variable name="name_" description="Remote name for " hidden="True" provider="OAuth2:name"/>
      <variable name="description_" description="Remote description for " hidden="True" provider="OAuth2:description"/>
--- a/seed/lemonldap/templates/handler-nginx.conf
+++ b/seed/lemonldap/templates/handler-nginx.conf
@ -21,10 +21,10 @@ server {
  # GNUNUX server_name reload.example.com;
 #>GNUNUX
  listen 443 ssl;
-  server_name %%lemon_reload_web_name;
+  server_name {{ general.lemonldap.lemon_reload_web_name }};
-  ssl_certificate         %%tls_cert_directory/revprox.crt;
+  ssl_certificate         {{ general.tls_cert_directory }}/revprox.crt;
-  ssl_certificate_key     %%tls_key_directory/revprox.key;
+  ssl_certificate_key     {{ general.tls_key_directory }}/revprox.key;
-  ssl_client_certificate  %%tls_ca_directory/InternalReverseProxy.crt;
+  ssl_client_certificate  {{ general.tls_ca_directory }}/InternalReverseProxy.crt;
 #<GNUNUX
  root /var/www/html;
@ -55,7 +55,7 @@ server {
  # Client requests
  location / {
-    allow %%revprox_client_server_ip;
+    allow {{ general.revprox.revprox_client.revprox_client_server_ip }};
    deny all;
    # Uncomment this if you use https only
--- a/seed/lemonldap/templates/interne_well_known.pl
+++ b/seed/lemonldap/templates/interne_well_known.pl
@ -1,17 +1,17 @@
-%echo "#!/usr/bin/env perl"
+#!/usr/bin/env perl
 # retrieve and modify (if no argument) well-known file
 use HTTP::Tiny;
 use JSON qw(from_json to_json);
-my $baseUrl = 'https://%%domain_name_eth0/';
+my $baseUrl = 'https://{{ general.network.interface_0.domain_name_eth0 }}/';
 my $response = HTTP::Tiny->new->get('http://localhost/.well-known/openid-configuration');
 die "Failed!\n" unless $response->{success};
 my $json = from_json($response->{content});
-%echo "$num_args = $#ARGV + 1;"
+$num_args = $#ARGV + 1;
 if ($num_args == 0) {
    $json->{token_endpoint} = $baseUrl . 'oauth2/token';
--- a/seed/lemonldap/templates/lemonldap-ng-fastcgi-server
+++ b/seed/lemonldap/templates/lemonldap-ng-fastcgi-server
@ -1,7 +1,7 @@
 # Number of process (default: 7)
 #NPROC = 7
 #>GNUNUX
-NPROC=%%lemon_proc
+NPROC={{ general.lemonldap.lemon_proc }}
 #<GNUNUX
 # Unix socket to listen to
--- a/seed/lemonldap/templates/lemonldap.yml
+++ b/seed/lemonldap/templates/lemonldap.yml
@ -1,3 +1,3 @@
-address: %%revprox_client_external_domainnames[0]
+address: {{ revprox_client_external_domainnames[0] }}
-internal_address: %%domain_name_eth0
+internal_address: {{ domain_name_eth0 }}
-ip: %%ip_eth0
+ip: {{ ip_eth0 }}
--- a/seed/lemonldap/templates/lmConf-1.json
+++ b/seed/lemonldap/templates/lmConf-1.json
@ -1,19 +1,16 @@
 %compiler-settings
 commentStartToken = §
 %end compiler-settings
 {
-   "mailFrom" : "%%lemon_mail_admin",
+   "mailFrom" : "{{ general.lemonldap.lemon_mail_admin }}",
   "mailLDAPFilter" : "(&(mail=$mail)(objectClass=inetOrgPerson))",
   "portalSkinBackground" : "",
   "portalCustomCss": "risotto/risotto.css",
   "authentication" : "LDAP",
   "AuthLDAPFilter" : "(&(cn=$user)(objectClass=inetOrgPerson))",
-   "managerDn" : "%%ldapclient_user",
+   "managerDn" : "{{ general.ldap.client.ldapclient_user }}",
-   "managerPassword" : "%%ldapclient_user_password",
+   "managerPassword" : "{{ general.ldap.client.ldapclient_user_password }}",
   "ldapPpolicyControl" : 1,
   "ldapAllowResetExpiredPassword" : 1,
   "ldapChangePasswordAsUser" : 1,
-   "ldapBase" : "%%ldapclient_search_dn",
+   "ldapBase" : "{{ general.ldap.client.ldapclient_search_dn }}",
   "ldapExportedVars" : {
      "uid" : "uid",
      "cn" : "cn",
@ -22,7 +19,7 @@ commentStartToken = §
      "givenName" : "givenName",
      "home" : "homeDirectory"
   },
-   "ldapGroupBase" : "%%ldapclient_group_dn",
+   "ldapGroupBase" : "{{ general.ldap.client.ldapclient_group_dn }}",
   "ldapGroupAttributeName" : "member",
   "ldapGroupAttributeNameUser" : "cn",
   "ldapGroupAttributeNameGroup" : "dn",
@ -30,7 +27,7 @@ commentStartToken = §
   "ldapGroupAttributeNameUser" : "dn",
   "ldapGroupObjectClass" : "groupOfNames",
   "ldapPort" : "636",
-   "ldapServer" : "ldaps://%%ldap_server_address",
+   "ldapServer" : "ldaps://{{ general.ldap.server.ldap_server_address }}",
   "ldapVerify" : "required",
   "ldapTimeout" : 120,
   "cfgAuthor" : "Risotto",
@ -41,7 +38,7 @@ commentStartToken = §
      "mail" : "mail",
      "uid" : "uid"
   },
-   "domain" : "%%revprox_client_external_domainnames[0]",
+   "domain" : "{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}",
   "exportedVars" : {
       "UA" : "HTTP_USER_AGENT",
       "cn" : "cn",
@ -60,23 +57,22 @@ commentStartToken = §
      "namespace" : "lemonldap-ng-sessions"
  },
   "locationRules" : {
-      "%%revprox_client_external_domainnames[0]" : {
+      "{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}" : {
         "default" : "accept"
-%set %%domains = []
+{% set domains = [] %}
-%for %%app in %%oauth2.remotes
+{% for app in oauth2.remotes %}
-  %set %%key = %%normalize_family(%%app)
+{% set key = app|normalize_family %}
-  § somethink like ['https://domain/']
+{% for external in oauth2['oauth2_' + key]['external_' + key]['hosts_' + key] %}
-  %for %%external in %%oauth2['oauth2_' + %%key]['external_' + %%key]['hosts_' + %%key]
+{% set domain = (external|string).split('/', 3)[-2] %}
-    %set %%domain = %%str(%%external).split('/', 3)[-2]
+{% if domain not in domains %}
    %if %%domain not in %%domains
     },
-     "%%domain" : {
+     "{{ domain }}" : {
        "^/logout" : "logout_sso",
-        "default" : "$groups eq \"%%external['family_' + %%key]\""
+        "default" : "$groups eq \"{{ external['family_' + key] }}\""
-%%domains.append(%%domain)%slurp
+{{ domains.append(domain) }}
-    %end if
+{% endif %}
-  %end for
+{% endfor %}
-%end for
+{% endfor %}
      }
   },
   "loginHistoryEnabled" : 1,
@ -84,7 +80,7 @@ commentStartToken = §
      "UA" : "$ENV{HTTP_USER_AGENT}",
      "_whatToTrace" : "$_auth eq 'SAML' ? lc($_user.'@'.$_idpConfKey) : $_auth eq 'OpenIDConnect' ? lc($_user.'@'.$_oidc_OP) : lc($_user)"
   },
-   "mailUrl" : "https://%%revprox_client_external_domainnames[0]/resetpwd",
+   "mailUrl" : "https://{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}/resetpwd",
   "mySessionAuthorizedRWKeys" : [
      "_appsListOrder",
      "_oidcConnectedRP",
@ -95,53 +91,50 @@ commentStartToken = §
       "dirName" : "/srv/lemonldap-ng/notifications"
   },
   "oidcRPMetaDataExportedVars" : {
-%set %%len_app = %%len(%%oauth2.remotes)
+{% set len_app = oauth2.remotes|length %}
-%for %%idx, %%app in %%enumerate(%%oauth2.remotes)
+{% for app in oauth2.remotes %}
-  %set %%key = %%normalize_family(%%app)
+{% set key = app|normalize_family %}
-  %set %%description = %%oauth2['oauth2_' + %%key]['description_' + %%key]
+{% set description = oauth2['oauth2_' + key]['description_' + key] %}
-      "%%app" : {
+      "{{ app }}" : {
         "email" : "mail",
         "family_name" : "sn",
         "name" : "cn",
 	 "nickname" : "uid",
 	 "home" : "home"
-  %if %%len_app - 1 == %%idx
+{% if len_app == loop.index %}
      }
-  %else
+{% else %}
      },
-  %end if
+{% endif %}
-%end for
+{% endfor %}
   },
   "oidcRPMetaDataOptions" : {
-%for %%idx, %%app in %%enumerate(%%oauth2.remotes)
+{% for app in oauth2.remotes %}
-  %set %%key = %%normalize_family(%%app)
+{% set key = app|normalize_family %}
-  %set %%description = %%oauth2['oauth2_' + %%key]['description_' + %%key]
+{% set description = oauth2['oauth2_' + key]['description_' + key] %}
-      "%%app" : {
+      "{{ app }}" : {
         "oidcRPMetaDataOptionsAllowClientCredentialsGrant" : 0,
         "oidcRPMetaDataOptionsAllowOffline" : 1,
         "oidcRPMetaDataOptionsAllowPasswordGrant" : 0,
         "oidcRPMetaDataOptionsBypassConsent" : 1,
-         "oidcRPMetaDataOptionsClientID" : "%%key",
+         "oidcRPMetaDataOptionsClientID" : "{{ oauth2['oauth2_' + key]['client_id_' + key] }}",
-         "oidcRPMetaDataOptionsClientSecret" : "%%oauth2['oauth2_' + %%key]['secret_' + %%key]",
+         "oidcRPMetaDataOptionsClientSecret" : "{{ oauth2['oauth2_' + key]['secret_' + key] }}",
         "oidcRPMetaDataOptionsIDTokenForceClaims" : 0,
-         "oidcRPMetaDataOptionsIDTokenSignAlg" : "%%oauth2['oauth2_' + %%key]['token_signature_algo_' + %%key]",
+         "oidcRPMetaDataOptionsIDTokenSignAlg" : "{{ oauth2['oauth2_' + key]['token_signature_algo_' + key] }}",
         "oidcRPMetaDataOptionsLogoutSessionRequired" : 0,
         "oidcRPMetaDataOptionsLogoutType" : "front",
 §         "oidcRPMetaDataOptionsLogoutUrl" : "https://git.gnunux.com/user/oauth2/NAME/logout",
 §FIXME
         "oidcRPMetaDataOptionsPostLogoutRedirectUris" : "gnunux-allow",
         "oidcRPMetaDataOptionsPublic" : 0,
-  %if %%oauth2['oauth2_' + %%key]['login_' + %%key] 
+{% if oauth2['oauth2_' + key]['login_' + key] %}
-         "oidcRPMetaDataOptionsRedirectUris" : "%%oauth2['oauth2_' + %%key]['login_' + %%key]",
+         "oidcRPMetaDataOptionsRedirectUris" : "{{ oauth2['oauth2_' + key]['login_' + key] }}",
-  %end if
+{% endif %}
         "oidcRPMetaDataOptionsRefreshToken" : 0,
         "oidcRPMetaDataOptionsRequirePKCE" : 0
-  %if %%len_app - 1 == %%idx
+{% if len_app == loop.index %}
      }
-  %else
+{% else %}
      },
-  %end if
+{% endif %}
-%end for
+{% endfor %}
   },
   "oidcServiceKeyIdSig" : "2PDCicoyT45rjsARYcxjfg",
   "oidcServiceMetaDataAuthnContext" : {
@ -151,62 +144,63 @@ commentStartToken = §
      "loa-4" : 4,
      "loa-5" : 5
   },
-%set %%pub = '\\n'.join(%%get_public_key(%%domain_name_eth0, hide=%%hide_secret).split("\n"))
+{% set tpub = domain_name_eth0|get_public_key(hide=hide_secret) %}
-   "oidcServicePublicKeySig" : "%%pub",
+{% set pub = tpub.split("\n")|join('\\n') %}
-%set %%priv = '\\n'.join(%%get_private_key(%%domain_name_eth0, hide=%%hide_secret).split("\n"))
+   "oidcServicePublicKeySig" : "{{ pub }}",
-   "oidcServicePrivateKeySig" : "%%priv",
+{% set tpriv = domain_name_eth0|get_private_key(hide=hide_secret) %}
 {% set priv = tpriv.split("\n")|join('\\n') %}
   "oidcServicePrivateKeySig" : "{{ priv }}",
   "passwordDB" : "LDAP",
   "persistentStorage" : "Apache::Session::File",
   "persistentStorageOptions" : {
      "Directory": "/srv/lemonldap-ng/psessions",
      "LockDirectory": "/srv/lemonldap-ng/psessions/lock"
   },
-   "portal" : "https://%%revprox_client_external_domainnames[0]/",
+   "portal" : "https://{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}/",
   "portalCheckLogins": 0,
   "portalDisplayRegister": 0,
   "portalDisplayResetPassword": 0,
   "portalMainLogo": "risotto/logo.png",
   "showLanguages": 0,
-   "requireToken": "$env->{REMOTE_ADDR} ne '%%gateway_eth0'",
+   "requireToken": "$env->{REMOTE_ADDR} ne '{{ gateway_eth0 }}'",
   "whatToTrace" : "_whatToTrace",
-%set %%remotes = {}
+{% set remotes = {} %}
-%for %%index, %%app in %%enumerate(%%oauth2.remotes)
+{% for app in oauth2.remotes %}
- %set %%key = %%normalize_family(%%app)
+{% set key = app|normalize_family %}
- %set %%description = %%oauth2['oauth2_' + %%key]['description_' + %%key]
+{% set description = oauth2['oauth2_' + key]['description_' + key] %}
- %if not %%description
+{% if description %}
-  %continue
+{% set dico = {'key': key,
- %end if
+               'description': description,
- %set %%dico = {'key': %%key,
+               'logo': "risotto/" + oauth2['oauth2_' + key]['logo_' + key],
-                'description': %%description,
+               'name': oauth2['oauth2_' + key]['name_' + key],
-                'logo': "risotto/" + %%oauth2['oauth2_' + %%key]['logo_' + %%key],
+               'uri': oauth2['oauth2_' + key]['external_' + key]['hosts_' + key]} %}
-                'name': %%oauth2['oauth2_' + %%key]['name_' + %%key],
+{{ remotes.setdefault(oauth2['oauth2_' + key]['category_' + key], []).append(dico) }}
-                'uri': %%oauth2['oauth2_' + %%key]['external_' + %%key]['hosts_' + %%key]}
+{% endif %}
-%%remotes.setdefault(%%oauth2['oauth2_' + %%key]['category_' + %%key], []).append(%%dico)%slurp
+{% endfor %}
 %end for
   "applicationList" : {
-%for %%index, %%cat in %%enumerate(%%remotes)
+{% for cat in remotes %}
- %if %%index != 0
+{% if loop.index != 1 %}
 ,
- %end if
+{% endif %}
-      "cat_%%index" : {
+      "cat_{{ loop.index - 1 }}" : {
-         "catname" : "%%cat",
+         "catname" : "{{ cat }}",
- %for %%dico in %%remotes[%%cat]
+{% for dico in remotes[cat] %}
-  %for %%idx, %%uri in %%enumerate(%%dico['uri'])
+{% for uri in dico['uri'] %}
-         "%%{dico['key']}_%%idx" : {
+         "{{ dico['key'] }}_{{ loop.index - 1 }}" : {
            "options" : {
-               "description" : "%%dico['description']",
+               "description" : "{{ dico['description'] }}",
               "display" : "auto",
-               "logo" : "%%dico['logo']",
+               "logo" : "{{ dico['logo'] }}",
-               "name" : "%%dico['name']",
+               "name" : "{{ dico['name'] }}",
-               "uri" : "%%uri"
+               "uri" : "{{ uri }}"
            },
            "type" : "application"
         },
-  %end for
+{% endfor %}
- %end for
+{% endfor %}
         "type" : "category"
-      }%slurp
+      }
-%end for
+{%- endfor -%}
   }
 }
--- a/seed/lemonldap/templates/portal-nginx.conf
+++ b/seed/lemonldap/templates/portal-nginx.conf
@ -26,7 +26,7 @@ server {
    include /etc/nginx/fastcgi_params;
    fastcgi_pass llng_portal_upstream;
    fastcgi_param REQUEST_URI /.well-known/openid-configuration;
-    fastcgi_param HTTP_HOST %%domain_name_eth0;
+    fastcgi_param HTTP_HOST {{ general.network.interface_0.domain_name_eth0 }};
    fastcgi_param LLTYPE psgi;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
@ -37,8 +37,10 @@ server {
 #>GNUNUX
 geo $zone_name {
  default ext;
-  %%gateway_eth0 ext;
+  {{ general.network.interface_0.gateway_eth0 }} ext;
-  %%network_eth0 int;
+{% for interface in range(zones_list|length) %}
  {{ general.network['interface_' + interface|string]['network_eth' + interface|string] }} int;
 {% endfor %}
 }
 #<GNUNUX
@ -47,11 +49,11 @@ server {
  # GNUNUX listen [::]:80;
  # GNUNUX server_name auth.example.com;
 #>GNUNUX
-  listen 443 ssl;
+  listen {{ general.network.interface_0.domain_name_eth0 }}:443 ssl;
-  server_name %%{revprox_client_external_domainnames[0]};
+  server_name {{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }};
-  ssl_certificate %%tls_cert_directory/revprox.crt;
+  ssl_certificate {{ general.tls_cert_directory }}/revprox.crt;
-  ssl_certificate_key %%tls_key_directory/revprox.key;
+  ssl_certificate_key {{ general.tls_key_directory }}/revprox.key;
-  ssl_client_certificate %%tls_ca_directory/InternalReverseProxy.crt;
+  ssl_client_certificate {{ general.tls_ca_directory }}/InternalReverseProxy.crt;
  ssl_session_cache shared:SSL:10m;
 #<GNUNUX
  root /usr/share/lemonldap-ng/portal/htdocs/;
@ -67,7 +69,7 @@ server {
  #set_real_ip_from  127.0.0.1;
  #real_ip_header    X-Forwarded-For;
 #>GNUNUX
-  set_real_ip_from  %%revprox_client_server_ip;
+  set_real_ip_from  {{ general.revprox.revprox_client_server_ip }};
  real_ip_header    X-Forwarded-For;
 #<GNUNUX
@ -106,35 +108,35 @@ server {
    # REST/SOAP functions for sessions management (disabled by default)
    location ~ ^/index.psgi/adminSessions {
      fastcgi_pass llng_portal_upstream;
-      allow %%revprox_client_server_ip;
+      allow {{ general.revprox.revprox_client_server_ip }};
      deny all;
    }
    # REST/SOAP functions for proxy auth and password reset (disabled by default)
    location ~ ^/index.psgi/proxy {
      fastcgi_pass llng_portal_upstream;
-      allow %%revprox_client_server_ip;
+      allow {{ general.revprox.revprox_client_server_ip }};
      deny all;
    }
    # REST/SOAP functions for sessions access (disabled by default)
    location ~ ^/index.psgi/sessions {
      fastcgi_pass llng_portal_upstream;
-      allow %%revprox_client_server_ip;
+      allow {{ general.revprox.revprox_client_server_ip }};
      deny all;
    }
    # REST/SOAP functions for configuration access (disabled by default)
    location ~ ^/index.psgi/config {
      fastcgi_pass llng_portal_upstream;
-      allow %%revprox_client_server_ip;
+      allow {{ general.revprox.revprox_client_server_ip }};
      deny all;
    }
    # REST/SOAP functions for notification insertion (disabled by default)
    location ~ ^/index.psgi/notification {
      fastcgi_pass llng_portal_upstream;
-      allow %%revprox_client_server_ip;
+      allow {{ general.revprox.revprox_client_server_ip }};
      deny all;
    }
--- a/seed/lemonldap/templates/wget.pl
+++ b/seed/lemonldap/templates/wget.pl
@ -1,8 +1,8 @@
-%echo "#!/usr/bin/env perl"
+#!/usr/bin/env perl
 use HTTP::Tiny;
-my $response = HTTP::Tiny->new->get('https://%%domain_name_eth0/.well-known/openid-configuration');
+my $response = HTTP::Tiny->new->get('https://{{ general.network.interface_0.domain_name_eth0 }}/.well-known/openid-configuration');
 die "Failed!\n" unless $response->{success};
--- a/seed/loki/applicationservice.yml
+++ b/seed/loki/applicationservice.yml
@ -0,0 +1,5 @@
 format: '0.1'
 description: Loki, a log aggregation platform
 website: https://grafana.com/
 depends:
  - base-fedora-38
--- a/seed/loki/dictionaries/20_loki.xml
+++ b/seed/loki/dictionaries/20_loki.xml
@ -0,0 +1,16 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
  <services>
    <service name="loki" target="multi-user" engine="ansible">
      <file engine="ansible" source="loki-local-config.yaml">/etc/loki/loki.yaml</file>
      <file engine="none" source="sysuser-loki.conf">/sysusers.d/loki.conf</file>
      <file engine="none" source="tmpfile-loki.conf">/tmpfiles.d/0loki.conf</file>
    </service>
  </services>
  <variables>
    <family name="loki" description="loki">
      <variable name="remotes" description="Remote loki client" type="domainname" provider="Loki" mandatory="True" multi="True"/>
    </family>
  </variables>
 </rougail>
--- a/seed/loki/manual/image/postinstall/loki.sh
+++ b/seed/loki/manual/image/postinstall/loki.sh
@ -0,0 +1,17 @@
 set -ex
 #FIXME unsign?
 mkdir -p ~/loki/
 URL=$(wget https://api.github.com/repos/grafana/loki/releases/latest -q -O - | jq -r '.assets[].browser_download_url'|grep loki-linux-amd64)
 VERS=$(echo "$URL" | awk -F'/' '{ print $8 }')
 if [ ! -f ~/"loki/loki-$VERS-linux-amd64.zip" ]; then
    rm -rf ~/"loki/loki-*-linux-amd64.zip"
    wget "$URL" -O ~/"loki/loki-$VERS-linux-amd64.zip"
 fi
 cp -a ~/"loki/loki-$VERS-linux-amd64.zip" .
 unzip "loki-$VERS-linux-amd64.zip"
 mv "loki-linux-amd64" "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/bin/loki"
 chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/bin/loki"
--- a/seed/loki/templates/loki-local-config.yaml
+++ b/seed/loki/templates/loki-local-config.yaml
@ -0,0 +1,55 @@
 #RISOTTO: https://raw.githubusercontent.com/grafana/loki/main/cmd/loki/loki-local-config.yaml
 auth_enabled: false
 server:
  http_listen_port: 3100
  grpc_listen_port: 9096
 common:
  instance_addr: 127.0.0.1
  path_prefix: /srv/loki
  storage:
    filesystem:
      chunks_directory: /srv/loki/chunks
      rules_directory: /srv/loki/rules
  replication_factor: 1
  ring:
    kvstore:
      store: inmemory
 query_range:
  results_cache:
    cache:
      embedded_cache:
        enabled: true
        max_size_mb: 100
 schema_config:
  configs:
    - from: 2020-10-24
      store: boltdb-shipper
      object_store: filesystem
      schema: v11
      index:
        prefix: index_
        period: 24h
 ruler:
  alertmanager_url: http://localhost:9093
 # By default, Loki will send anonymous, but uniquely-identifiable usage and configuration
 # analytics to Grafana Labs. These statistics are sent to https://stats.grafana.org/
 #
 # Statistics help us better understand how Loki is used, and they show us performance
 # levels for most users. This helps us prioritize features and documentation.
 # For more information on what's sent, look at
 # https://github.com/grafana/loki/blob/main/pkg/usagestats/stats.go
 # Refer to the buildReport method to see what goes into a report.
 #
 # If you would like to disable reporting, uncomment the following lines:
 #analytics:
 #  reporting_enabled: false
 #>GNUNUX
 analytics:
  reporting_enabled: false
 #<GNUNUX
--- a/seed/loki/templates/loki.service
+++ b/seed/loki/templates/loki.service
@ -0,0 +1,14 @@
 [Unit]
 Description=Loki Grafana
 Wants=risotto.target
 After=risotto.target
 [Service]
 Type=simple
 User=loki
 Group=loki
 ExecStart=/usr/bin/loki -config.file=/etc/loki/loki.yaml
 Restart=always
 [Install]
 WantedBy=multi-user.target
--- a/seed/loki/templates/sysuser-loki.conf
+++ b/seed/loki/templates/sysuser-loki.conf
@ -0,0 +1,2 @@
 g loki 997 -
 u loki 997:997     "Loki Grafana" /tmp /sbin/nologin
--- a/Show more
+++ b/Show more
`@ -1,2 +1,2 @@`
	`%set %%domain=%%domain_name_eth0.split('.', 1)[1]`	`{% set domain = domain_name_eth0.split('.', 1)[1] %}`
	`%%domain`	`{{ domain }}`
		`@ -1,2 +0,0 @@`
			`%%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)`
		`@ -1 +0,0 @@`
			`%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)`
`@ -1,2 +1,2 @@`
	`%%smtp_relay_address %%smtp_relay_user@%%ip_eth0:%%smtp_relay_password`	`{{ general.smtp.smtp_relay_address }} {{ general.smtp.smtp_relay_user }}@{{ general.smtp.smtp_client_ip }}:{{ general.smtp.smtp_relay_password }}`
		`@ -0,0 +1,2 @@`
							`sed -i "s/;level = info/level = debug/g" /etc/grafana/grafana.ini`
							`systemctl restart grafana-server`
		`@ -0,0 +1,2 @@`
							`d /srv/grafana 700 grafana grafana - -`
							`d /srv/grafana/home 700 grafana grafana - -`
		`@ -0,0 +1,2 @@`
							`g loki 997 -`
							`u loki 997:997 "Loki Grafana" /tmp /sbin/nologin`