296 changed files with 2181 additions and 4399 deletions
--- a/seed/apache/dictionaries/20_web.xml
+++ b/seed/apache/dictionaries/20_web.xml
@ -2,9 +2,9 @@
 <rougail version="0.10">
  <services>
    <service name="httpd" target="multi-user">
-      <file engine="none">/etc/httpd/conf/httpd.conf</file>
+      <file>/etc/httpd/conf/httpd.conf</file>
-      <file engine="ansible">/etc/httpd/conf.d/risotto.conf</file>
+      <file>/etc/httpd/conf.d/risotto.conf</file>
-      <file engine="ansible">/etc/httpd/conf.d/ssl.conf</file>
+      <file>/etc/httpd/conf.d/ssl.conf</file>
      <file engine="none" source="sysuser-httpd.conf">/sysusers.d/httpd.conf</file>
      <file engine="none" source="tmpfile-httpd.conf">/tmpfiles.d/0httpd.conf</file>
    </service>
--- a/seed/apache/templates/risotto.conf
+++ b/seed/apache/templates/risotto.conf
@ -1,15 +1,15 @@
 # Timeout
-Timeout {{ general.apache.apache_timeout }}
+Timeout %%apache_timeout
 # Keepalive
-{% if general.apache.apache_keepalive %}
+%if %%apache_keepalive
 KeepAlive On
-{% else %}
+%else
 KeepAlive Off
-{% endif %}
+%end if
 MaxKeepAliveRequests 50
-KeepAliveTimeout {{ general.apache.apache_timeout }}
+KeepAliveTimeout %%apache_timeout
 # RemoteIp
 RemoteIPHeader X-Forwarded-For
-RemoteIPInternalProxy {{ general.revprox.revprox_client_server_ip }}
+RemoteIPInternalProxy %%revprox_client_server_ip
--- a/seed/apache/templates/ssl.conf
+++ b/seed/apache/templates/ssl.conf
@ -100,7 +100,7 @@ SSLProxyCipherSuite PROFILE=SYSTEM
 #   require an ECC certificate which can also be configured in
 #   parallel.
 # GNUNUX SSLCertificateFile /etc/pki/tls/certs/localhost.crt
-SSLCertificateFile      {{ general.tls_cert_directory }}/revprox.crt
+SSLCertificateFile      %%tls_cert_directory/revprox.crt
 #   Server Private Key:
 #   If the key is not combined with the certificate, use this
@ -109,7 +109,7 @@ SSLCertificateFile      {{ general.tls_cert_directory }}/revprox.crt
 #   both in parallel (to also allow the use of DSA ciphers, etc.)
 #   ECC keys, when in use, can also be configured in parallel
 # GNUNUX SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
-SSLCertificateKeyFile   {{ general.tls_key_directory }}/revprox.key
+SSLCertificateKeyFile   %%tls_key_directory/revprox.key
 #   Server Certificate Chain:
 #   Point SSLCertificateChainFile at a file containing the
@ -126,7 +126,7 @@ SSLCertificateKeyFile   {{ general.tls_key_directory }}/revprox.key
 #   huge file containing all of them (file must be PEM encoded)
 #SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
 #>GNUNUX
-SSLCACertificateFile {{ general.tls_ca_directory }}/InternalReverseProxy.crt
+SSLCACertificateFile %%tls_ca_directory/InternalReverseProxy.crt
 #<GNUNUX
 #   Client Authentication (Type):
--- a/seed/base-debian-bullseye/dictionaries/00_debian-bullseye.xml
+++ b/seed/base-debian-bullseye/dictionaries/00_debian-bullseye.xml
@ -2,7 +2,7 @@
 <rougail version="0.10">
  <services>
    <service name="dnssec" manage="False">
-      <file engine="ansible">/etc/dnssec-trust-anchors.d/local.negative</file>
+      <file>/etc/dnssec-trust-anchors.d/local.negative</file>
    </service>
  </services>
  <variables>
--- a/seed/base-debian-bullseye/templates/local.negative
+++ b/seed/base-debian-bullseye/templates/local.negative
@ -1,2 +1,2 @@
-{% set domain = domain_name_eth0.split('.', 1)[1] %}
+%set %%domain=%%domain_name_eth0.split('.', 1)[1]
-{{ domain }}
+%%domain
--- a/seed/base-debian/dictionaries/11_debian-base.xml
+++ b/seed/base-debian/dictionaries/11_debian-base.xml
@ -2,7 +2,7 @@
 <rougail version="0.10">
  <services>
    <service name="systemd-networkd">
-      <override engine="none"/>
+      <override/>
    </service>
    <service name='logrotate' disabled="True"/>
    <service name="debian" manage="False">
--- a/seed/base-debian/dictionaries/17_debian-base.xml
+++ b/seed/base-debian/dictionaries/17_debian-base.xml
@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <rougail version="0.10">
  <services>
-    <service name="update-ca-certificates" engine="ansible" target="multi-user"/>
+    <service name="update-ca-certificates" engine="cheetah" target="multi-user"/>
  </services>
  <variables>
    <variable name="tls_ca_directory" type="filename" description="Répertoire des autorités de certification" hidden="True">
--- a/seed/base-debian/templates/update-ca-certificates.service
+++ b/seed/base-debian/templates/update-ca-certificates.service
@ -4,7 +4,7 @@ Before=network-pre.target
 [Service]
 Type=oneshot
-ExecStart=/usr/sbin/update-ca-certificates --localcertsdir {{ general.tls_ca_directory }}
+ExecStart=/usr/sbin/update-ca-certificates --localcertsdir %%tls_ca_directory
 [Install]
 WantedBy=multi-user.target
--- a/seed/base-fedora-38/applicationservice.yml
+++ b/seed/base-fedora-38/applicationservice.yml
@ -1,6 +0,0 @@
 format: '0.1'
 description: Base information of a Fedora 38
 website: https://getfedora.org/
 depends:
  - base-fedora
 distribution: true
--- a/seed/base-fedora-38/dictionaries/11_fedora-version.xml
+++ b/seed/base-fedora-38/dictionaries/11_fedora-version.xml
@ -1,13 +0,0 @@
 <?xml version="1.0" encoding="utf-8"?>
 <rougail version="0.10">
  <!--services>
    <service name="base">
      <file engine="none">/etc/pam.d/login</file>
    </service>
  </services-->
  <variables>
    <variable name="os_version" type="string" description="Version de l'OS" hidden="True">
      <value>38</value>
    </variable>
  </variables>
 </rougail>
--- a/seed/base-fedora-38/manual/image/postinstall/base_fedora_version.sh
+++ b/seed/base-fedora-38/manual/image/postinstall/base_fedora_version.sh
@ -1,7 +0,0 @@
 # ACTIVE NETWORKD
 mkdir $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/network-online.target.wants
 chmod 775 $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/network-online.target.wants
 ln -s /usr/lib/systemd/system/systemd-networkd.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/dbus-org.freedesktop.network1.service"
 ln -s /usr/lib/systemd/system/systemd-networkd.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/multi-user.target.wants/systemd-networkd.service"
 ln -s /usr/lib/systemd/system/systemd-networkd-wait-online.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/network-online.target.wants/systemd-networkd-wait-online.service"
 ln -s /usr/lib/systemd/system/systemd-networkd.socket "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/sockets.target.wants/systemd-networkd.socket"
--- a/seed/base-fedora-38/manual/image/preinstall/base_fedora_38.sh
+++ b/seed/base-fedora-38/manual/image/preinstall/base_fedora_38.sh
@ -1 +0,0 @@
 BASE_PKG="$BASE_PKG pam util-linux"
--- a/seed/base-fedora-38/manual/image/preinstall/base_fedora_version.sh
+++ b/seed/base-fedora-38/manual/image/preinstall/base_fedora_version.sh
@ -1 +0,0 @@
 RELEASEVER=38
--- a/seed/base-fedora-38/templates/login
+++ b/seed/base-fedora-38/templates/login
@ -1,17 +0,0 @@
 #GNUNUX File from util-linux-*.x86_64 (not installed)
 #%PAM-1.0
 auth       substack     system-auth
 auth       include      postlogin
 account    required     pam_nologin.so
 account    include      system-auth
 password   include      system-auth
 # pam_selinux.so close should be the first session rule
 session    required     pam_selinux.so close
 session    required     pam_loginuid.so
 # pam_selinux.so open should only be followed by sessions to be executed in the user context
 session    required     pam_selinux.so open
 session    required     pam_namespace.so
 session    optional     pam_keyinit.so force revoke
 session    include      system-auth
 session    include      postlogin
 -session   optional     pam_ck_connector.so
--- a/seed/base-fedora/dictionaries/11_fedora-base.xml
+++ b/seed/base-fedora/dictionaries/11_fedora-base.xml
@ -5,7 +5,6 @@
      <file engine="none">/tmpfiles.d/fedora.conf</file>
    </service>
    <service name='logrotate' disabled="True"/>
    <service name='logrotate' disabled="True" type="timer"/>
  </services>
  <variables>
    <variable name="os_name" type="string" description="Nom de l'OS" hidden="True">
--- a/seed/base-fedora/dictionaries/17_fedora-base.xml
+++ b/seed/base-fedora/dictionaries/17_fedora-base.xml
@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <rougail version="0.10">
  <services>
-    <service name="update-ca-trust" engine="ansible" target="multi-user"/>
+    <service name="update-ca-trust" engine="cheetah" target="multi-user"/>
  </services>
  <variables>
    <variable name="tls_ca_directory" type="filename" description="Nom du répertoire des autorités de certification" hidden="True">
--- a/seed/base-machine/dictionaries/12_base.xml
+++ b/seed/base-machine/dictionaries/12_base.xml
@ -12,7 +12,6 @@
    <variable name="module_name" type="string" hidden="True" provider="global:module_name" mandatory="True"/>
    <family name="network" description="Réseau">
      <variable name="server_name" description="Nom de domaine du serveur" type="domainname" hidden="True" provider="global:server_name" mandatory="True"/>
      <variable name="last_server_name" type="domainname" hidden="True"/>
      <variable name="zones_list" type="string" multi="True" description="Liste de toutes les zones" mandatory="True" hidden="True" provider="global:zones_name"/>
      <variable name="interfaces_list" type="number" multi="True" description="Liste de tous les numéros d'interfaces" hidden="True" provider="global:zones_list"/>
      <family name="interface_" description="Interface " dynamic="interfaces_list">
@ -48,10 +47,6 @@
      <param name="index" type="suffix"/>
      <target>gateway_eth</target>
    </fill>
    <fill name="get_last_server_name">
      <param type="variable">domain_name_eth</param>
      <target>last_server_name</target>
    </fill>
  </constraints>
 </rougail>
--- a/seed/base-machine/funcs/funcs.py
+++ b/seed/base-machine/funcs/funcs.py
@ -83,7 +83,3 @@ def get_zone_name(zones: list,
                  ):
    if zones is not None:
        return zones[int(index)]
 def get_last_server_name(server_names):
    return server_names[-1]
--- a/seed/base/dictionaries/00_base.xml
+++ b/seed/base/dictionaries/00_base.xml
@ -1,7 +1,6 @@
 <?xml version="1.0" encoding="utf-8"?>
 <rougail version="0.10">
  <variables>
    <variable name="providers" hidden="True"/>
    <variable name="copy_tests" type="boolean" mandatory="True" hidden="True"/>
  </variables>
  <constraints>
--- a/seed/base/funcs/base.py
+++ b/seed/base/funcs/base.py
@ -38,7 +38,6 @@ def get_zones_info(zones: dict,
                   zone_names: _List[str]=None,
                   zone_name: str=None,
                   index: int=None,
                   uniq: bool=False,
                   ) -> str:
    if type == 'host_ip' and index != 0:
        return
@ -48,12 +47,4 @@ def get_zones_info(zones: dict,
        if type == 'cidr':
            return zones[zone_name]['host_ip'] + '/' + zones[zone_name]['network'].split('/')[-1]
        return zones[zone_name][type]
-    ret = []
+    return [data[type] for zone_name, data in zones.items() if not zone_names or zone_name in zone_names]
    for zone_name, data in zones.items():
        if zone_names and zone_name not in zone_names:
            continue
        val = data[type]
        if uniq and val in ret:
            continue
        ret.append(val)
    return ret
--- a/seed/dns-local/dictionaries/13_dns-local.xml
+++ b/seed/dns-local/dictionaries/13_dns-local.xml
@ -2,7 +2,7 @@
 <rougail version="0.10">
  <services>
    <service name="dns-local" manage="False">
-      <file engine="ansible" filelist="copy_tests">/tests/dns-local.yml</file>
+      <file filelist="copy_tests">/tests/dns-local.yml</file>
    </service>
  </services>
  <variables>
@ -22,3 +22,5 @@
    </fill>
  </constraints>
 </rougail>
--- a/seed/dns-local/templates/dns-local.yml
+++ b/seed/dns-local/templates/dns-local.yml
@ -1,26 +1,25 @@
-address: '{{ domain_name_eth0 }}'
+address: '%%domain_name_eth0'
 addresses:
-{% if 'dns_client_address' in general.network %}
+%if %%getVar('dns_client_address', None)
- dns_address: '{{ general.network.dns_client_address }}'
+- dns_address: '%%dns_client_address'
-  dns_ip: '{{ ip_dns }}'
+  dns_ip: '%%ip_dns'
-{% elif 'unbound_forward_address' in general.dns_resolver.forward_zones %}
+%elif %%getVar('unbound_forward_address', None) is not None
-{% for authority in general.dns_resolver.forward_zones.unbound_forward_address %}
+  %for %%authority in %%unbound_forward_address
- dns_address: {{ authority }}
+- dns_address: %%authority
-  dns_ip: {{ authority.unbound_allowed_client }}
+  dns_ip: %%authority.unbound_allowed_client
-{% endfor %}
+  %end for
-{% elif 'nsd_zones' in general.dns_zone %}
+%elif %%getVar('nsd_zones', None)
-{%for zone in general.dns_zone.nsd_zones %}
+  %for %%zone in %%nsd_zones
-{% set suffix = zone|normalize_family %}
+    %set %%suffix = %%normalize_family(%%zone)
-{% set hostnames = nsd["nsd_zone_" + suffix]["hostname_" + suffix]["hostname_" + suffix] %}
+    %set %%hostnames = %%nsd["nsd_zone_" + %%suffix]["hostname_" + %%suffix]["hostname_" + %%suffix]
-{% for hostname in hostnames %}
+    %for %%hostname in %%hostnames
- dns_address: {{ hostname }}.{{ zone }}
+- dns_address: %%{hostname}.%%zone
-  dns_ip: {{ hostname["ip_" + suffix] }}
+  dns_ip: %%hostname["ip_" + %%suffix]
-{% endfor %}
+    %end for
-{% endfor %}
+  %end for
-{% endif %}
+%end if
-{% endif %}
+%if %%dns_is_only_local
 {% if dns_is_only_local %}
 dns_is_only_local: true
-{% else %}
+%else
 dns_is_only_local: false
-{% endif %}
+%end if
--- a/seed/dovecot/dictionaries/26_dovecot.xml
+++ b/seed/dovecot/dictionaries/26_dovecot.xml
@ -2,48 +2,49 @@
 <rougail version="0.10">
  <services>
    <service name="postfix" target="multi-user">
-      <override engine="none"/>
+      <override/>
      <certificate format="pem" authority="External" type="server" domain="submission_domainname" provider="mail_crt_provider" certificate_type="variable">submission_domainname</certificate>
-      <certificate format="pem" server="last_server_name" domain="last_server_name" authority="InternalMail" owner="postfix" type="server">postfixlocal</certificate>
+      <certificate format="pem" authority="Mail" owner="postfix" type="server">postfixlocal</certificate>
      <certificate authority="Mail" owner="postfix" type="server">postfix</certificate>
      <certificate authority="LDAP" owner="postfix" server="ldap_server_address">postfix_ldap_client</certificate>
      <file engine="none" source="sysuser-postfix.conf">/sysusers.d/1postfix.conf</file>
      <file engine="none" source="tmpfile-postfix.conf">/tmpfiles.d/0postfix.conf</file>
-      <file engine="ansible">/etc/postfix/main.cf</file>
+      <file>/etc/postfix/main.cf</file>
-      <file engine="none">/etc/postfix/master.cf</file>
+      <file>/etc/postfix/master.cf</file>
-      <file engine="ansible">/etc/postfix/relay_passwd</file>
+      <file>/etc/postfix/relay_passwd</file>
-      <file engine="ansible">/etc/postfix/ldapsource.cf</file>
+      <file>/etc/postfix/ldapsource.cf</file>
-      <file engine="ansible">/etc/postfix/sni</file>
+      <file>/etc/postfix/sni</file>
-      <file engine="ansible" mode="700">/sbin/risotto_backup</file>
+      <file mode="700">/sbin/risotto_backup</file>
    </service>
    <service name='dovecot-init'>
-      <override engine="none"/>
+      <override/>
-      <file engine="none">/etc/nginx/default.d/autoconfig.conf</file>
+      <file>/etc/nginx/default.d/autoconfig.conf</file>
    </service>
    <service name='nginx'>
-      <file engine="ansible" source='config-v1.1.xml' file_type="variable" variable="mail_domains">well_known_filenames</file>
+      <file source='config-v1.1.xml' file_type="variable" variable="mail_domains">well_known_filenames</file>
    </service>
    <service name="dovecot" target="multi-user">
      <certificate authority="External" type="server" domain="imap_domainname" provider="mail_crt_provider" certificate_type="variable">imap_domainname</certificate>
-      <certificate authority="IMAP" domain="last_server_name" owner="dovecot" type="server">dovecot</certificate>
+      <certificate authority="IMAP" owner="dovecot" type="server">dovecot</certificate>
      <file engine="none" source="sysuser-dovecot.conf">/sysusers.d/1dovecot.conf</file>
      <file engine="none" source="tmpfile-dovecot.conf">/tmpfiles.d/0dovecot.conf</file>
      <file engine='none'>/etc/dovecot/conf.d/10-logging.conf</file>
      <file engine='none'>/etc/dovecot/conf.d/10-auth.conf</file>
      <file engine='none'>/etc/dovecot/conf.d/10-mail.conf</file>
-      <file engine="ansible">/etc/dovecot/conf.d/10-master.conf</file>
+      <file>/etc/dovecot/conf.d/10-master.conf</file>
-      <file engine="ansible">/etc/dovecot/conf.d/10-ssl.conf</file>
+      <file>/etc/dovecot/conf.d/10-ssl.conf</file>
      <!-- FIXME file engine='none'>/etc/dovecot/conf.d/12-managesieve.conf</file-->
      <file engine='none'>/etc/dovecot/conf.d/15-ldap.conf</file>
      <file engine='none'>/etc/dovecot/conf.d/30-service-stats.conf</file>
      <file engine='none'>/etc/dovecot/conf.d/00-risotto.conf</file>
      <!--plain authentification-->
-      <file engine="none">/etc/dovecot/conf.d/auth-ldap.conf.ext</file>
+      <file>/etc/dovecot/conf.d/auth-ldap.conf.ext</file>
-      <file engine="ansible">/etc/dovecot/dovecot-ldap.conf.ext</file>
+      <file>/etc/dovecot/dovecot-ldap.conf.ext</file>
      <!--oauth2 authentification-->
-      <file engine="none">/etc/dovecot/conf.d/auth-oauth2.conf.ext</file>
+      <file>/etc/dovecot/conf.d/auth-oauth2.conf.ext</file>
-      <file engine="ansible">/etc/dovecot/dovecot-oauth2.conf.ext</file>
+      <file>/etc/dovecot/dovecot-oauth2.conf.ext</file>
      <!--internal authentification-->
-      <file engine="ansible" filelist="copy_tests">/tests/imap.yml</file>
+      <file filelist="copy_tests">/tests/imap.yml</file>
    </service>
  </services>
  <variables>
@ -53,7 +54,7 @@
        <value>993</value>
      </variable>
    </family>
-    <family name="ldap">
+    <family name="annuaire">
      <family name="client">
        <variable name='ldapclient_family' redefine="True">
          <value>all</value>
--- a/seed/dovecot/templates/10-master.conf
+++ b/seed/dovecot/templates/10-master.conf
@ -73,7 +73,7 @@ service lmtp {
  #}
 #>GNUNUX
  inet_listener lmtp {
-    address = {{ general.smtp.smtp_client_ip }}
+    address = %%ip_eth0
    port = 8024
  }
 #<GNUNUX
--- a/seed/dovecot/templates/10-ssl.conf
+++ b/seed/dovecot/templates/10-ssl.conf
@ -14,17 +14,17 @@ ssl = required
 #GNUNUX ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
 #GNUNUX ssl_key = </etc/pki/dovecot/private/dovecot.pem
 #>GNUNUX
-ssl_cert = <{{ general.tls_cert_directory }}/dovecot.crt
+ssl_cert = </etc/pki/tls/certs/dovecot.crt
-ssl_key = <{{ general.tls_key_directory }}/dovecot.key
+ssl_key = </etc/pki/tls/private/dovecot.key
-{% for mail in general.mail.domain.mail_domains %}
+%for %%mail in %%mail_domains
-local_name {{ mail.imap_domainname }} {
+local_name %%mail.imap_domainname {
-    ssl_cert = <{{ general.tls_cert_directory }}/{{ mail.imap_domainname }}.crt
+    ssl_cert = %echo '<' + %%tls_cert_directory + '/' + %%mail.imap_domainname + '.crt'
-    ssl_key = <{{ general.tls_key_directory }}/{{ mail.imap_domainname }}.key
+    ssl_key = %echo '<' + %%tls_key_directory + '/' + %%mail.imap_domainname + '.key'
 }
-{% endfor %}
+%end for
-local_name {{ general.network.last_server_name }} {
+local_name %%domain_name_eth0 {
-    ssl_cert = <{{ general.tls_cert_directory }}/dovecot.crt
+    ssl_cert = %echo '<' + %%tls_cert_directory + '/dovecot.crt'
-    ssl_key = <{{ general.tls_key_directory }}/dovecot.key
+    ssl_key = %echo '<' + %%tls_key_directory + '/dovecot.key'
 }
 #<GNUNUX
@ -50,7 +50,7 @@ local_name {{ general.network.last_server_name }} {
 # large CA bundles, because it leads to excessive memory usage.
 #ssl_client_ca_dir =
 #ssl_client_ca_file =
-ssl_client_ca_file = {{ general.tls_ca_directory }}/IMAP.crt
+ssl_client_ca_file = %%tls_ca_directory/IMAP.crt
 # Require valid cert when connecting to a remote server
 #ssl_client_require_valid_cert = yes
--- a/seed/dovecot/templates/12-managesieve.conf
+++ b/seed/dovecot/templates/12-managesieve.conf
@ -0,0 +1,23 @@
 # Uncomment to enable managesieve protocol:
 protocols = $protocols sieve
 service managesieve-login {
  inet_listener sieve {
    port = 4190
  }
  #inet_listener sieve_deprecated {
  #  port = 2000
  #}
  # Number of connections to handle before starting a new process. Typically
  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
  # is faster. <doc/wiki/LoginProcess.txt>
  service_count = 1
  # Number of processes to always keep waiting for more connections.
  process_min_avail = 0
  # If you set service_count=0, you probably need to grow this.
  vsz_limit = 64M
 }
--- a/seed/dovecot/templates/config-v1.1.xml
+++ b/seed/dovecot/templates/config-v1.1.xml
@ -1,23 +1,23 @@
 <?xml version="1.0"?>
 # GNUNUX: from https://wiki.mozilla.org/Thunderbird:Autoconfiguration:ConfigFileFormat -->
-{%set domain = rougail_variable %}
+%set %%domain = %%rougail_variable
-{%set leader = general.mail.domain.mail_domains[mail_domains.index(domain)] %}
+%set %%leader = %%mail_domains[%%mail_domains.index(%%domain)]
-{%set imap_domain = leader.imap_domainname %}
+%set %%imap_domain = %%leader.imap_domainname
-{%set submission_domain = leader.submission_domainname %}
+%set %%submission_domain = %%leader.submission_domainname
 <clientConfig version="1.1">
-  <emailProvider id="{{ domain }}">
+  <emailProvider id="%%domain">
-    <domain>{{ domain }}</domain>
+    <domain>%%domain</domain>
-    <displayName>Services {{ domain }}</displayName>
+    <displayName>Services %%domain</displayName>
-    <displayShortName>{{ domain }}</displayShortName>
+    <displayShortName>%%domain</displayShortName>
    <incomingServer type="imap">
-      <hostname>{{ imap_domain }}</hostname>
+      <hostname>%%imap_domain</hostname>
      <port>993</port>
      <socketType>SSL</socketType>
      <username>%EMAILADDRESS%</username>
      <authentication>password-cleartext</authentication>
    </incomingServer>
    <outgoingServer type="smtp">
-      <hostname>{{ submission_domain }}</hostname>
+      <hostname>%%submission_domain</hostname>
      <port>587</port>
      <socketType>STARTTLS</socketType>
      <username>%EMAILADDRESS%</username>
--- a/seed/dovecot/templates/dovecot-ldap.conf.ext
+++ b/seed/dovecot/templates/dovecot-ldap.conf.ext
@ -24,7 +24,7 @@
 # setting isn't supported by all LDAP libraries.
 #uris = 
 #>GNUNUX
-uris = ldaps://{{ general.ldap.server.ldap_server_address }}
+uris = ldaps://%%ldap_server_address
 #<GNUNUX
 # Distinguished Name - the username used to login to the LDAP server.
@ -34,8 +34,8 @@ uris = ldaps://{{ general.ldap.server.ldap_server_address }}
 # Password for LDAP server, if dn is specified.
 #dnpass = 
 #>GNUNUX
-dn = {{ general.ldap.client.ldapclient_user }}
+dn = %%ldapclient_user
-dnpass = {{ general.ldap.client.ldapclient_user_password }}
+dnpass = %%ldapclient_user_password
 #<GNUNUX
 # Use SASL binding instead of the simple binding. Note that this changes
@ -61,9 +61,9 @@ dnpass = {{ general.ldap.client.ldapclient_user_password }}
 # Valid values: never, hard, demand, allow, try
 #tls_require_cert =
 #>GNUNUX
-tls_cert_file = {{ general.tls_cert_directory }}/ldap_client.crt
+tls_cert_file = %%tls_cert_directory/ldap_client.crt
-tls_key_file = {{ general.tls_key_directory }}/ldap_client.key
+tls_key_file = %%tls_key_directory/ldap_client.key
-tls_ca_cert_file = {{ general.tls_ca_directory }}/LDAP.crt
+tls_ca_cert_file = %%tls_ca_directory/LDAP.crt
 tls_require_cert = hard
 #>GNUNUX
@ -107,7 +107,7 @@ auth_bind = yes
 # LDAP base. %variables can be used here.
 # For example: dc=mail, dc=example, dc=org
 # GNUNUX base =
-base = {{ general.ldap.client.ldapclient_search_dn }}
+base = %%ldapclient_search_dn
 # Dereference: never, searching, finding, always
 #deref = never
--- a/seed/dovecot/templates/dovecot-oauth2.conf.ext
+++ b/seed/dovecot/templates/dovecot-oauth2.conf.ext
@ -4,7 +4,7 @@
 ## url for verifying token validity. Token is appended to the URL
 # tokeninfo_url = http://endpoint/oauth/tokeninfo?access_token=
 #>GNUNUX
-tokeninfo_url = https://{{ general.oauth2_client.oauth2_client_server_domainname }}/oauth2/userinfo/?access_token=
+tokeninfo_url = https://%%oauth2_client_server_domainname/oauth2/userinfo/?access_token=
 #<GNUNUX
 ## introspection endpoint, used to gather extra fields and other information.
@ -21,7 +21,7 @@ tokeninfo_url = https://{{ general.oauth2_client.oauth2_client_server_domainname
 ## Set this to yes if you are using active_attribute
 # force_introspection = no
 #>GNUNUX
-introspection_url = https://{{ general.oauth2_client.oauth2_client_server_domainname }}/oauth2/introspect/
+introspection_url = https://%%oauth2_client_server_domainname/oauth2/introspect/
 introspection_mode = post
 force_introspection = no
 #<GNUNUX
@ -57,7 +57,7 @@ username_attribute = email
 ## URL to RFC 7628 OpenID Provider Configuration Information schema
 # openid_configuration_url =
 #>GNUNUX
-openid_configuration_url = https://{{ general.oauth2_client.oauth2_client_server_domainname }}/.well-known/openid-configuration
+openid_configuration_url = https://%%oauth2_client_server_domainname/.well-known/openid-configuration
 #<GNUNUX
 ## Extra fields to set in passdb response (in passdb static style)
@ -79,8 +79,8 @@ openid_configuration_url = https://{{ general.oauth2_client.oauth2_client_server
 # rawlog_dir = /tmp/oauth2
 #>GNUNUX
-client_id = {{ general.oauth2_client.oauth2_client_id }}
+client_id = %%oauth2_client_id
-client_secret = {{ general.oauth2_client.oauth2_client_secret }}
+client_secret = %%oauth2_client_secret
 #<GNUNUX
 ## TLS settings
--- a/seed/dovecot/templates/external_imap.crt
+++ b/seed/dovecot/templates/external_imap.crt
@ -0,0 +1,2 @@
 %%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)
--- a/seed/dovecot/templates/external_imap.key
+++ b/seed/dovecot/templates/external_imap.key
@ -0,0 +1 @@
 %%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)
--- a/seed/dovecot/templates/imap.yml
+++ b/seed/dovecot/templates/imap.yml
@ -1,12 +1,12 @@
-{%set username="rougail_test@silique.fr" %}
+%set %%username="rougail_test@silique.fr"
-{%set username_family="rougail_test@gnunux.info" %}
+%set %%username_family="rougail_test@gnunux.info"
-{%set name_family="gnunux" %}
+%set %%name_family="gnunux"
-address: {{ general.network.interface_0.ip_eth0 }}
+address: %%ip_eth0
-dns: {{ general.network.interface_0.domain_name_eth0 }}
+dns: %%domain_name_eth0
-username: {{ username }}
+username: %%username
-password: {{ username|get_password(server_name='test', description="test", type="cleartext", hide=hide_secret, temporary=True) }}
+password: %%get_password(server_name='test', username=%%username, description="test", type="cleartext", hide=%%hide_secret, temporary=True)
-username_family: {{ username_family }}
+username_family: %%username_family
-password_family: {{ username_family|get_password(server_name='test', description='test', type="cleartext", hide=hide_secret, temporary=True)
+password_family: %%get_password(server_name='test', username=%%username_family, description='test', type="cleartext", hide=%%hide_secret, temporary=True)
-name_family: {{ name_family }}
+name_family: %%name_family
-smtp: {{ general.smtp.smtp_relay_ip }}
+smtp: %%smtp_relay_ip
 ext_username: 'test@example.net'
--- a/seed/dovecot/templates/ldapsource.cf
+++ b/seed/dovecot/templates/ldapsource.cf
@ -1,13 +1,13 @@
-server_host = ldaps://{{ general.ldap.server.ldap_server_address }}
+server_host = ldaps://%%ldap_server_address
-server_port = {{ general.ldap.server.ldap_port }}
+server_port = %%ldap_port
-tls_cert = {{ general.tls_cert_directory }}/postfix_ldap_client.crt
+tls_cert = %%tls_cert_directory/postfix_ldap_client.crt
-tls_key = {{ general.tls_key_directory }}/postfix_ldap_client.key
+tls_key = %%tls_key_directory/postfix_ldap_client.key
-tls_ca_cert_file = {{ general.tls_ca_directory }}/LDAP.crt
+tls_ca_cert_file = %%tls_ca_directory/LDAP.crt
 tls_require_cert = yes
 version = 3
 bind = yes
-bind_dn = {{ general.ldap.client.ldapclient_user }}
+bind_dn = %%ldapclient_user
-bind_pw = {{ general.ldap.client.ldapclient_user_password }}
+bind_pw = %%ldapclient_user_password
-search_base = {{ general.ldap.client.ldapclient_search_dn }}
+search_base = %%ldapclient_search_dn
 query_filter = (mailLocalAddress=%s)
 result_attribute = cn
--- a/seed/dovecot/templates/main.cf
+++ b/seed/dovecot/templates/main.cf
@ -95,7 +95,7 @@ mail_owner = postfix
 #
 #myhostname = host.domain.tld
 #myhostname = virtual.domain.tld
-myhostname = {{ general.network.interface_0.domain_name_eth0 }}
+myhostname = %%domain_name_eth0
 # The mydomain parameter specifies the local internet domain name.
 # The default is to use $myhostname minus the first component.
@ -119,7 +119,7 @@ myhostname = {{ general.network.interface_0.domain_name_eth0 }}
 #
 #myorigin = $myhostname
 #myorigin = $mydomain
-myorigin = {{ general.network.interface_0.domain_name_eth0 }}
+myorigin = %%domain_name_eth0
 # RECEIVING MAIL
@ -359,7 +359,7 @@ mynetworks = 127.0.0.0/8
 #relayhost = uucphost
 #relayhost = [an.ip.add.ress]
 #>GNUNUX
-relayhost = {{ general.smtp.smtp_relay_address }}
+relayhost = %%smtp_relay_address
 smtp_sasl_auth_enable = yes
 smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd
 smtp_sasl_security_options = noanonymous
@ -742,15 +742,15 @@ readme_directory = /usr/share/doc/postfix/README_FILES
 # in PEM format. Intermediate certificates should be included in general,
 # the server certificate first, then the issuing CA(s) (bottom-up order).
 #
-smtpd_tls_cert_file = {{ general.tls_cert_directory }}/postfix.crt
+smtpd_tls_cert_file = %%tls_cert_directory/postfix.crt
 # The full pathname of a file with the Postfix SMTP server RSA private key
 # in PEM format. The private key must be accessible without a pass-phrase,
 # i.e. it must not be encrypted.
 #
-smtpd_tls_key_file = {{ general.tls_key_directory }}/postfix.key
+smtpd_tls_key_file = %%tls_key_directory/postfix.key
-smtpd_tls_CApath = {{ general.tls_ca_directory }}
+smtpd_tls_CApath = %%tls_ca_directory
 #>GNUNUX
 tls_server_sni_maps = hash:/etc/postfix/sni
 #<GNUNUX
@ -762,13 +762,13 @@ smtpd_tls_security_level = may
 # Directory with PEM format Certification Authority certificates that the
 # Postfix SMTP client uses to verify a remote SMTP server certificate.
 #
-smtp_tls_CApath = {{ general.tls_ca_directory }}
+smtp_tls_CApath = %%tls_ca_directory
 # The full pathname of a file containing CA certificates of root CAs
 # trusted to sign either remote SMTP server certificates or intermediate CA
 # certificates.
 #
-smtp_tls_CAfile = {{ general.tls_ca_directory }}/Mail.crt
+smtp_tls_CAfile = %%tls_ca_directory/Mail.crt
 # Use TLS if this is supported by the remote SMTP server, otherwise use
 # plaintext (opportunistic TLS outbound).
@ -800,11 +800,11 @@ smtpd_sasl_path = /srv/dovecot/auth
 broken_sasl_auth_clients = yes
 dovecot_destination_recipient_limit = 1
-{% set domains = [] %}
+%set %%domains = []
-{% for domain in general.mail.domain.mail_domains %}
+%for %%domain in %%mail_domains
-{{ domains.append(domain|string) }}
+%%domains.append(%%str(%%domain))%slurp
-{% endfor %}
+%end for
-virtual_mailbox_domains = {{ domains|join(', ') }}
+virtual_mailbox_domains = %echo ', '.join(%%domains)
 virtual_alias_maps = ldap:/etc/postfix/ldapsource.cf
 virtual_minimum_uid = 1000
 #vmail uid
--- a/seed/dovecot/templates/postfix_sni.pem
+++ b/seed/dovecot/templates/postfix_sni.pem
@ -0,0 +1,3 @@
 %set %%cert = %%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)
 %%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)
 %%cert
--- a/seed/dovecot/templates/relay_passwd
+++ b/seed/dovecot/templates/relay_passwd
@ -1,2 +1,2 @@
-{{ general.smtp.smtp_relay_address }}	{{ general.smtp.smtp_relay_user }}@{{ general.smtp.smtp_client_ip }}:{{ general.smtp.smtp_relay_password }}
+%%smtp_relay_address	%%smtp_relay_user@%%ip_eth0:%%smtp_relay_password
--- a/seed/dovecot/templates/risotto_backup
+++ b/seed/dovecot/templates/risotto_backup
@ -1,6 +1,6 @@
-#!/bin/bash
+%echo "#!/bin/bash"
-BACKUP_DIR="{{ general.backup_dir }}"
+BACKUP_DIR="%%backup_dir"
 mkdir -p $BACKUP_DIR
 chown vmail: $BACKUP_DIR
@ -14,7 +14,7 @@ done
 ls $BACKUP_DIR | while read $user; do
    if [ ! -f $BACKUP_DIR/$user.done ]; then
        rm -rf $BACKUP_DIR/$user
-    fi
+    if
 done
 rm -f $BACKUP_DIR/*.done
--- a/seed/dovecot/templates/sni
+++ b/seed/dovecot/templates/sni
@ -1,4 +1,4 @@
-{% for name in general.mail.domain.mail_domains %}
+%for %%name in %%mail_domains
-{{ name.submission_domainname }} {{ general.tls_key_directory }}/{{ name.submission_domainname }}.pem
+%%name.submission_domainname %%tls_key_directory/%%{name.submission_domainname}.pem
-{% endfor %}
+%end for
-{{ general.network.last_server_name }} {{ general.tls_key_directory }}/postfixlocal.pem
+%%domain_name_eth0 %%tls_key_directory/postfixlocal.pem
--- a/seed/forgejo/applicationservice.yml
+++ b/seed/forgejo/applicationservice.yml
@ -2,7 +2,7 @@ format: '0.1'
 description: Forgejo, a community managed lightweight code hosting solution
 website: https://forgejo.org/
 depends:
-  - base-fedora-38
+  - base-fedora-37
  - postgresql-client
  - reverse-proxy-client
  - relay-mail-client
--- a/seed/forgejo/dictionaries/31_forgejo.xml
+++ b/seed/forgejo/dictionaries/31_forgejo.xml
@ -1,11 +1,11 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
  <services>
-    <service name="forgejo" target="multi-user" engine="ansible">
+    <service name="forgejo" target="multi-user" engine="cheetah">
      <file engine="none" source="sysuser-forgejo.conf">/sysusers.d/0forgejo.conf</file>
      <file engine="none" source="tmpfile-forgejo.conf">/tmpfiles.d/0forgejo.conf</file>
-      <file engine="ansible">/etc/forgejo/app.ini</file>
+      <file>/etc/forgejo/app.ini</file>
-      <file engine="ansible" filelist="copy_tests">/tests/forgejo.yml</file>
+      <file filelist="copy_tests">/tests/forgejo.yml</file>
    </service>
  </services>
  <variables>
--- a/seed/forgejo/templates/app.ini
+++ b/seed/forgejo/templates/app.ini
@ -1,4 +1,7 @@
 #RISOTTO: https://codeberg.org/forgejo/forgejo/raw/branch/forgejo/custom/conf/app.example.ini
 %compiler-settings
 commentStartToken = ;
 %end compiler-settings
 ; This file lists the default values used by Gitea
 ;; Copy required sections to your own app.ini (default is custom/conf/app.ini)
 ;; and modify as needed.
@ -47,7 +50,7 @@
 ;; App name that shows in every page title
 ;>GNUNUX
 ;APP_NAME = ; Gitea: Git with a cup of tea
-APP_NAME = {{ general.forgejo.forgejo_title }}
+APP_NAME = %%forgejo_title
 ;<GNUNUX
 ;;
 ;; RUN_USER will automatically detect the current user - but you can set it here change it if you run locally
@ -86,13 +89,13 @@ PROTOCOL         = https
 ;; Set the domain for the server
 ;DOMAIN = localhost
 ;>GNUNUX
-DOMAIN           = {{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}
+DOMAIN           = %%revprox_client_external_domainnames[0]
 ;<GNUNUX
 ;;
 ;; Overwrite the automatically generated public URL. Necessary for proxies and docker.
 ;ROOT_URL = %(PROTOCOL)s://%(DOMAIN)s:%(HTTP_PORT)s/
 ;>GNUNUX
-ROOT_URL         = https://{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}{{ general.revprox.revprox_client.revprox_client_external_domainnames[0]['revprox_client_location'] }}
+ROOT_URL         = https://%%revprox_client_external_domainnames[0]%%revprox_client_external_domainnames[0]revprox_client_location
 ;<GNUNUX
 ;;
 ;; when STATIC_URL_PREFIX is empty it will follow ROOT_URL
@ -143,7 +146,7 @@ HTTP_PORT        = 3000
 ;; Do not set this variable if PROTOCOL is set to 'unix'.
 ;LOCAL_ROOT_URL = %(PROTOCOL)s://%(HTTP_ADDR)s:%(HTTP_PORT)s/
 ;>GNUNUX
-LOCAL_ROOT_URL   = https://{{ general.network.interface_0.domain_name_eth0 }}:3000/
+LOCAL_ROOT_URL   = https://%%domain_name_eth0:3000/
 ;<GNUNUX
 ;;
 ;; When making local connections pass the PROXY protocol header.
@ -173,7 +176,7 @@ BUILTIN_SSH_SERVER_USER = "git"
 ;; Domain name to be exposed in clone URL
 ;SSH_DOMAIN = %(DOMAIN)s
 ;>GNUNUX
-SSH_DOMAIN       = {{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}
+SSH_DOMAIN       = %%revprox_client_external_domainnames[0]
 ;<GNUNUX
 ;;
 ;; SSH username displayed in clone URLs.
@ -185,13 +188,13 @@ SSH_DOMAIN       = {{ general.revprox.revprox_client.revprox_client_external_dom
 ;; Port number to be exposed in clone URL
 ;SSH_PORT = 22
 ;>GNUNUX
-SSH_PORT         = {{ general.network.incoming_ports[0] }}
+SSH_PORT         = %%incoming_ports[0]
 ;<GNUNUX
 ;;
 ;; The port number the builtin SSH server should listen on
 ;SSH_LISTEN_PORT = %(SSH_PORT)s
 ;>GNUNUX
-SSH_LISTEN_PORT  = {{ general.network.incoming_ports[0] }}
+SSH_LISTEN_PORT  = %%incoming_ports[0]
 ;<GNUNUX
 ;;
 ;; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'.
@ -316,8 +319,8 @@ OFFLINE_MODE     = true
 ;CERT_FILE = https/cert.pem
 ;KEY_FILE = https/key.pem
 ;>GNUNUX
-CERT_FILE        = {{ general.tls_cert_directory }}/revprox.crt
+CERT_FILE        = %%tls_cert_directory/revprox.crt
-KEY_FILE         = {{ general.tls_key_directory }}/revprox.key
+KEY_FILE         = %%tls_key_directory/revprox.key
 ;<GNUNUX
 ;;
 ;; Root directory containing templates and static files.
@ -352,7 +355,7 @@ LFS_START_SERVER = true
 ;; LFS authentication secret, change this yourself
 ;>GNUNUX
 ;LFS_JWT_SECRET =
-LFS_JWT_SECRET   = {{ general.forgejo.forgejo_lfs_jwt_secret }}
+LFS_JWT_SECRET   = %%forgejo_lfs_jwt_secret
 ;<GNUNUX
 ;;
 ;; LFS authentication validity period (in time.Duration), pushes taking longer than this may fail.
@ -416,10 +419,10 @@ LFS_JWT_SECRET   = {{ general.forgejo.forgejo_lfs_jwt_secret }}
 ;SSL_MODE=disable ;either "disable" (default), "require", or "verify-full"
 ;>GNUNUX
 DB_TYPE  = postgres
-HOST     = {{ general.postgresql.pg_client_server_domainname }}:5432
+HOST     = %%pg_client_server_domainname:5432
-NAME     = {{ general.postgresql.pg_client_database }}
+NAME     = %%pg_client_database
-USER     = {{ general.postgresql.pg_client_username }}
+USER     = %%pg_client_username
-PASSWD   = {{ general.postgresql.pg_client_password }}
+PASSWD   = %%pg_client_password
 SCHEMA   =
 SSL_MODE = verify-full
 CHARSET  = utf8
@ -489,7 +492,7 @@ INSTALL_LOCK = true
 ;; This key is VERY IMPORTANT. If you lose it, the data encrypted by it (like 2FA secret) can't be decrypted anymore.
 ;>GNUNUX
 ;SECRET_KEY =
-SECRET_KEY     = {{ general.forgejo.forgejo_secret_key }}
+SECRET_KEY     = %%forgejo_secret_key
 ;<GNUNUX
 ;;
 ;; Alternative location to specify secret key, instead of this file; you cannot specify both this and SECRET_KEY, and must pick one
@ -499,7 +502,7 @@ SECRET_KEY     = {{ general.forgejo.forgejo_secret_key }}
 ;; Secret used to validate communication within Gitea binary.
 ;>GNUNUX
 ;INTERNAL_TOKEN=
-INTERNAL_TOKEN     = {{ general.forgejo.forgejo_internal_token }}
+INTERNAL_TOKEN     = %%forgejo_internal_token
 ;<GNUNUX
 ;;
 ;; Alternative location to specify internal token, instead of this file; you cannot specify both this and INTERNAL_TOKEN, and must pick one
@ -668,7 +671,7 @@ ROUTER = console
 ;ACCESS = file
 ;;
 ;; Sets the template used to create the access log.
-{#;ACCESS_LOG_TEMPLATE = {{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.URL.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}" #}
+;ACCESS_LOG_TEMPLATE = {{.Ctx.RemoteAddr}} - {{.Identity}} {{.Start.Format "[02/Jan/2006:15:04:05 -0700]" }} "{{.Ctx.Req.Method}} {{.Ctx.Req.URL.RequestURI}} {{.Ctx.Req.Proto}}" {{.ResponseWriter.Status}} {{.ResponseWriter.Size}} "{{.Ctx.Req.Referer}}\" \"{{.Ctx.Req.UserAgent}}"
 ;;
 ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
 ;;
@ -1757,7 +1760,7 @@ PROTOCOL  = smtp+starttls
 ;; (Before 1.18, see the notice, this was combined with SMTP_PORT as HOST.)
 ;SMTP_ADDR =
 ;>GNUNUX
-SMTP_ADDR = {{ smtp_relay_address }}
+SMTP_ADDR = %%smtp_relay_address
 ;<GNUNUX
 ;;
 ;; Mail server port. Common ports are:
@ -1790,7 +1793,7 @@ SMTP_PORT = 25
 ;; Mail from address, RFC 5322. This can be just an email address, or the `"Name" <email@example.com>` format
 ;FROM =
 ;>GNUNUX
-FROM      = {{ general.forgejo.forgejo_mail_sender }}
+FROM      = %%forgejo_mail_sender
 ;<GNUNUX
 ;;
 ;; Sometimes it is helpful to use a different address on the envelope. Set this to use ENVELOPE_FROM as the from on the envelope. Set to `<>` to send an empty address.
@ -1799,13 +1802,13 @@ FROM      = {{ general.forgejo.forgejo_mail_sender }}
 ;; Mailer user name and password, if required by provider.
 ;USER =
 ;>GNUNUX
-USER      = {{ general.smtp.smtp_relay_user }}@{{ general.smtp.smtp_client_ip }}
+USER      = %%smtp_relay_user@%%ip_eth0
 ;<GNUNUX
 ;;
 ;; Use PASSWD = `your password` for quoting if you use special characters in the password.
 ;PASSWD =
 ;>GNUNUX
-PASSWD    = {{ general.smtp.smtp_relay_password }}
+PASSWD    = %%smtp_relay_password
 ;<GNUNUX
 ;;
 ;; Send mails only in plain text, without HTML alternative
@ -1854,7 +1857,7 @@ ADAPTER = redis
 ;; twoqueue: `{"size":50000,"recent_ratio":0.25,"ghost_ratio":0.5}` or `50000`
 ;HOST =
 ;>GNUNUX
-HOST = network=tcp,addr={{ general.redis.redis_client_server_domainname }}:6379,username={{ general.redis.redis_client_username }},password={{ general.redis.redis_client_password }},db={{ general.redis.redis_client_index }},pool_size=100,idle_timeout=180
+HOST = network=tcp,addr=%%redis_client_server_domainname:6379,username=%%redis_client_username,password=%%redis_client_password,db=0,pool_size=100,idle_timeout=180
 ;<GNUNUX
 ;;
 ;; Time to keep items in cache if not used, default is 16 hours.
@ -1901,7 +1904,7 @@ PROVIDER = redis
 ;; mysql: go-sql-driver/mysql dsn config string, e.g. `root:password@/session_table`
 ;PROVIDER_CONFIG = data/sessions ; Relative paths will be made absolute against _`AppWorkPath`_.
 ;>GNUNUX
-PROVIDER_CONFIG = network=tcp,addr={{ general.redis.redis_client_server_domainname }}:6379,password={{ general.redis.redis_client_password }},db={{ general.redis.redis_client_index }},pool_size=100,idle_timeout=180
+PROVIDER_CONFIG = network=tcp,addr=%%redis_client_server_domainname:6379,password=%%redis_client_password,db=0,pool_size=100,idle_timeout=180
 ;<GNUNUX
 ;;
 ;; Session cookie name
--- a/seed/forgejo/templates/forgejo.service
+++ b/seed/forgejo/templates/forgejo.service
@ -20,17 +20,17 @@ User=forgejo
 Group=forgejo
 WorkingDirectory=/srv/forgejo/lib/
 ExecStart=/usr/bin/forgejo web --config /etc/forgejo/app.ini
-ExecStartPre=/bin/bash -c '{% if True -%}{% endif -%}
+ExecStartPre=/bin/bash -c '%slurp
-/usr/bin/forgejo migrate --config /etc/forgejo/app.ini;{% if True -%}{% endif -%}
+/usr/bin/forgejo migrate --config /etc/forgejo/app.ini;%slurp
-if /usr/bin/forgejo admin auth list --config /etc/forgejo/app.ini | grep "OAuth2"; then {% if True -%}{% endif -%}
+if /usr/bin/forgejo admin auth list --config /etc/forgejo/app.ini | grep "OAuth2"; then %slurp
-  echo "UPDATE";{% if True -%}{% endif -%}
+  echo "UPDATE";%slurp
-  id=$(/usr/bin/forgejo --config /etc/forgejo/app.ini admin auth list |tail -n 1|awk "{ print \$1}");{% if True -%}{% endif -%}
+  id=$(/usr/bin/forgejo --config /etc/forgejo/app.ini admin auth list |tail -n 1|awk "{ print \$1}");%slurp
-  /usr/bin/forgejo admin auth update-oauth --id $id --name "{{ general.network.interface_0.domain_name_eth0 }}" --provider "openidConnect" --key "{{ general.oauth2_client.oauth2_client_id }}" --secret "{{ general.oauth2_client.oauth2_client_secret }}" --scopes "profile email" --auto-discover-url "https://{{ general.oauth2_client.oauth2_client_server_domainname }}/.well-known/openid-configuration" --config /etc/forgejo/app.ini;{% if True -%}{% endif -%}
+  /usr/bin/forgejo admin auth update-oauth --id $id --name "%%domain_name_eth0" --provider "openidConnect" --key "%%oauth2_client_id" --secret "%%oauth2_client_secret" --scopes "profile email" --auto-discover-url "https://%%oauth2_client_server_domainname/.well-known/openid-configuration" --config /etc/forgejo/app.ini;%slurp
-else {% if True -%}{% endif -%}
+else %slurp
-  echo "CONFIGURE";{% if True -%}{% endif -%}
+  echo "CONFIGURE";%slurp
-  /usr/bin/forgejo admin auth add-oauth --name "{{ general.network.interface_0.domain_name_eth0 }}" --provider "openidConnect" --key "{{ general.oauth2_client.oauth2_client_id }}" --secret "{{ general.oauth2_client.oauth2_client_secret }}" --scopes "profile email" --auto-discover-url "https://{{ general.oauth2_client.oauth2_client_server_domainname }}/.well-known/openid-configuration" --config /etc/forgejo/app.ini;{% if True -%}{% endif -%}
+  /usr/bin/forgejo admin auth add-oauth --name "%%domain_name_eth0" --provider "openidConnect" --key "%%oauth2_client_id" --secret "%%oauth2_client_secret" --scopes "profile email" --auto-discover-url "https://%%oauth2_client_server_domainname/.well-known/openid-configuration" --config /etc/forgejo/app.ini;%slurp
-fi;{% if True -%}{% endif -%}
+fi;%slurp
-sleep 2;{% if True -%}{% endif -%}
+sleep 2;%slurp
 echo "CONFIGURATION DONE"'
 Restart=always
 Environment=GITEA_WORK_DIR=/srv/forgejo/lib
--- a/seed/forgejo/templates/forgejo.yml
+++ b/seed/forgejo/templates/forgejo.yml
@ -1,11 +1,11 @@
-{% set username="rougail_test@silique.fr" %}
+%set %%username="rougail_test@silique.fr"
-ip: {{ general.network.interface_0.ip_eth0 }}
+ip: %%ip_eth0
-revprox_ip: {{ general.revprox.revprox_client.revprox_client_server_ip }}
+revprox_ip: %%revprox_client_server_ip
-{% set domain = {{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}
+%set %%domain = %%revprox_client_external_domainnames[0]
-base_url: https://{{ domain }}{{domain.revprox_client_location }}
+base_url: https://%%domain%%domain.revprox_client_location
-auth_url: {{ general.oauth2_client.oauth2_client_external[0] }}
+auth_url: %%oauth2_client_external[0]
-auth_server: {{ general.oauth2_client.oauth2_server_domainname }}
+auth_server: %%oauth2_server_domainname
-username: {{ username }}
+username: %%username
-password: {{ username|get_password(server_name='test', description='test', type="cleartext", hide=hide_secret, temporary=True) }}
+password: %%get_password(server_name='test', username=%%username, description='test', type="cleartext", hide=%%hide_secret, temporary=True)
-forgejo_title: "{{ general.forgejo.forgejo_title }}"
+forgejo_title: "%%forgejo_title"
-git_url: "[{{ domain] }}:{{ general.network.incoming_ports[0] }}"
+git_url: "[%%domain]:%%incoming_ports[0]"
--- a/seed/grafana/DEBUG.md
+++ b/seed/grafana/DEBUG.md
@ -1,2 +0,0 @@
 sed -i "s/;level = info/level = debug/g" /etc/grafana/grafana.ini 
 systemctl restart grafana-server
--- a/seed/grafana/applicationservice.yml
+++ b/seed/grafana/applicationservice.yml
@ -1,9 +0,0 @@
 format: '0.1'
 description: Grafana is an analytics and interactive visualization web application
 website: https://grafana.com/
 depends:
  - base-fedora-38
  - postgresql-client
  - oauth2-client
  - reverse-proxy-client
  - relay-mail-client
--- a/seed/grafana/dictionaries/31_grafana.xml
+++ b/seed/grafana/dictionaries/31_grafana.xml
@ -1,67 +0,0 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
  <services>
    <service name="grafana-server" target="multi-user">
      <override engine="none"/>
      <file engine="ansible">/etc/grafana/grafana.ini</file>
      <file engine="ansible">/etc/sysconfig/grafana-server</file>
      <file engine="none" source="tmpfile-grafana.conf">/tmpfiles.d/0grafana.conf</file>
    </service>
  </services>
  <variables>
    <family name="grafana">
      <variable name="admin_password" type="password" description="Mot de passe de l'administrateur" hidden="True"/>
    </family>
    <family name="revprox">
      <family name="revprox_client">
        <variable name="revprox_client_local_location" redefine="True">
          <value>/</value>
        </variable>
      </family>
      <variable name="revprox_client_port" redefine="True">
        <value>3000</value>
      </variable>
      <variable name="revprox_client_cert_owner" redefine="True">
        <value>grafana</value>
      </variable>
    </family>
    <family name="oauth2_client">
      <variable name="oauth2_is_client_application" redefine='True'>
        <value>True</value>
      </variable>
      <variable name="oauth2_client_name" redefine='True'>
        <value>Grafana</value>
      </variable>
      <variable name="oauth2_client_description" redefine='True'>
        <value>Visualisation de données</value>
      </variable>
      <variable name="oauth2_client_category" redefine='True'>
        <value>Administration</value>
      </variable>
      <variable name="oauth2_client_logo" redefine='True'>
        <value>silique_note.png</value>
      </variable>
      <variable name="oauth2_client_token_signature_algo" redefine="True">
        <value>RS256</value>
      </variable>
      <variable name="oauth2_email_domain" type="domainname" description="Domain name allowed to log on Grafana" mandatory="True"/>
    </family>
    <family name="postgresql">
      <variable name="pg_client_key_owner" redefine="True">
        <value>grafana</value>
      </variable>
    </family>
  </variables>
  <constraints>
    <fill name="get_password">
      <param name="server_name" type="variable">domain_name_eth0</param>
      <param name="username">admin</param>
      <param name="description">admin</param>
      <param name="type">cleartext</param>
      <param name="hide" type="variable">hide_secret</param>
      <param name="temporary" type="boolean">True</param>
      <target>admin_password</target>
    </fill>
  </constraints>
 </rougail>
--- a/seed/grafana/manual/image/postinstall/grafana.sh
+++ b/seed/grafana/manual/image/postinstall/grafana.sh
@ -1,11 +0,0 @@
 mkdir -p $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/grafana/plugins
 #echo """#!/bin/bash -xe
 #grafana-cli plugins install grafana-image-renderer
 #mkdir -p /usr/lib/grafana
 #mv /var/lib/grafana/plugins/ /usr/lib/grafana/
 #""" > $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/install.sh
 #chmod 755 $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/install.sh
 #mv $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/etc/resolv.conf /tmp
 #echo "nameserver 9.9.9.9" > $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/etc/resolv.conf
 #chroot $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP /install.sh
 #mv -f /tmp/resolv.conf $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/etc/resolv.conf
--- a/seed/grafana/manual/image/preinstall/grafana.sh
+++ b/seed/grafana/manual/image/preinstall/grafana.sh
@ -1 +0,0 @@
 PKG="$PKG grafana"
--- a/seed/grafana/templates/grafana-server
+++ b/seed/grafana/templates/grafana-server
@ -1,30 +0,0 @@
 GRAFANA_USER=grafana
 GRAFANA_GROUP=grafana
 #>GNUNUX
 #GRAFANA_HOME=/usr/share/grafana
 GRAFANA_HOME=/srv/grafana/home
 #<GNUNUX
 LOG_DIR=/var/log/grafana
 #>GNUNUX
 #DATA_DIR=/var/lib/grafana
 DATA_DIR=/srv/grafana/var
 #<GNUNUX
 MAX_OPEN_FILES=10000
 CONF_DIR=/etc/grafana
 CONF_FILE=/etc/grafana/grafana.ini
 RESTART_ON_UPGRADE=true
 PLUGINS_DIR=/var/lib/grafana/plugins
 PROVISIONING_CFG_DIR=/etc/grafana/provisioning
 # Only used on systemd systems
 PID_FILE_DIR=/var/run/grafana
--- a/seed/grafana/templates/grafana-server.service
+++ b/seed/grafana/templates/grafana-server.service
@ -1,5 +0,0 @@
 [Unit]
 After=risotto.target
 [Service]
 GRAFANA_HOME=/srv/grafana/home
--- a/seed/grafana/templates/grafana.ini
+++ b/seed/grafana/templates/grafana.ini
--- a/seed/grafana/templates/tmpfile-grafana.conf
+++ b/seed/grafana/templates/tmpfile-grafana.conf
@ -1,2 +0,0 @@
 d /srv/grafana 700 grafana grafana - -
 d /srv/grafana/home 700 grafana grafana - -
--- a/seed/host-systemd-machined/dictionaries/21_machined.xml
+++ b/seed/host-systemd-machined/dictionaries/21_machined.xml
@ -2,37 +2,32 @@
 <rougail version="0.10">
  <services>
    <service name="systemd-machined">
-      <file engine="none">/etc/systemd/network/80-container-vz.network</file>
+      <file>/etc/systemd/network/80-container-vz.network</file>
-      <file file_type="variable" source="70-container.network" variable="zone_name" engine="ansible">systemd_zone_filename</file>
+      <file file_type="variable" source="70-container.network" variable="zone_name">systemd_zone_filename</file>
-      <file file_type="variable" source="70-container.netdev" variable="zone_name" engine="ansible">systemd_netzone_filename</file>
+      <file file_type="variable" source="70-container.netdev" variable="zone_name">systemd_netzone_filename</file>
    </service>
-    <service name="risotto-images" engine="ansible" manage="False"/>
+    <service name="risotto-images" engine="cheetah" manage="False"/>
    <service name="systemd-sysctl"/>
    <service name="systemd-networkd"/>
    <service name="systemd-resolved"/>
-    <service name="risotto-images" type="timer" engine="none"/>
+    <service name="risotto-images" type="timer" engine="cheetah"/>
-    <service name="risottofirewall" engine="ansible"/>
+    <service name="risottofirewall" engine="cheetah"/>
    <service name="systemd-nspawn@">
-      <file engine="none">/tmpfiles.d/0asystemd-nspawn.conf</file>
+      <file>/tmpfiles.d/0asystemd-nspawn.conf</file>
-      <file engine="none">/etc/systemd/system/systemd-nspawn@.service.d/systemd-nspawn@.conf</file>
+      <file>/etc/systemd/system/systemd-nspawn@.service.d/systemd-nspawn@.conf</file>
-      <file engine="none">/etc/distro.repos.d/boot.repo</file>
+      <file>/etc/distro.repos.d/boot.repo</file>
      <file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-35-x86_64</file>
      <file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-36-x86_64</file>
      <file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-37-x86_64</file>
      <file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-38-x86_64</file>
      <file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-36</file>
-      <file engine="ansible">/etc/sysctl.d/90-risotto.conf</file>
+      <file>/etc/sysctl.d/90-risotto.conf</file>
-      <file engine="ansible" file_type="variable" source="dhcp.network" variable="interface_names">host_network_filename</file>
+      <file file_type="variable" source="dhcp.network" variable="interface_names">host_network_filename</file>
    </service>
    <service name="vector" servicelist="vector">
      <file engine="ansible">/etc/vector/vector.toml</file>
    </service>
  </services>
  <variables>
    <variable name="host_install_dir" type="filename" description="Nom du répertoire comprenant les descriptions d'installation" mandatory="True" provider="global:host_install_dir"/>
    <variable name="host_name" type="domainname" hidden="True" provider="global:server_name" mandatory="True"/>
    <variable name="module_name" type="string" hidden="True" provider="global:module_name" mandatory="True"/>
    <variable name="tls_server" type="domainname" description="tls domaine name" mandatory="True" provider="global:tls_server"/>
    <variable name="systemd_zone_filename" type="filename" hidden="True" multi="True"/>
    <variable name="systemd_netzone_filename" type="filename" hidden="True" multi="True"/>
    <variable name="vm_swappiness" type="number" description="Ajustement de la mémoire virtuelle" mandatory="True">
@ -85,14 +80,6 @@
      <variable name="zone_name" type="string" hidden="True" multi="True"/>
      <variable name="zone_cidr" type="cidr" hidden="True"/>
    </family>
    <family name="vector">
      <variable name="server_address" type="domainname" hidden="True" supplier="Vector"/>
      <variable name="ip_address" type="ip" hidden="True"/>
    </family>
    <family name="prometheus">
      <variable name="prometheus_server_address" type="domainname" hidden="True" supplier="Prometheus"/>
      <variable name="prometheus_ip_address" type="ip" hidden="True" supplier="Prometheus:address"/>
    </family>
  </variables>
  <constraints>
    <fill name="get_internal_zone_names">
@ -133,16 +120,6 @@
      <param type="index"/>
      <target>first_interface</target>
    </fill>
    <fill name="get_ip">
      <param type="information">zones</param>
      <param type="variable">server_address</param>
      <target>ip_address</target>
    </fill>
    <fill name="get_host_ip">
      <param type="information">zones</param>
      <param type="variable">prometheus_server_address</param>
      <target>prometheus_ip_address</target>
    </fill>
    <condition name="disabled_if_not_in" source="interface_type">
      <param>ipv4</param>
      <target>interface_ip</target>
@ -154,14 +131,5 @@
      <target>interface_gateway</target>
      <target>interface_domain_name_servers</target>
    </condition>
    <condition name="disabled_if_in" source="server_address">
      <param type="nil"/>
      <target type="servicelist">vector</target>
      <target type="variable">ip_address</target>
    </condition>
    <condition name="disabled_if_in" source="prometheus_server_address">
      <param type="nil"/>
      <target type="variable">prometheus_ip_address</target>
    </condition>
  </constraints>
 </rougail>
--- a/seed/host-systemd-machined/extras/machined/00_machined.xml
+++ b/seed/host-systemd-machined/extras/machined/00_machined.xml
@ -2,10 +2,9 @@
 <rougail version="0.10">
  <services>
    <service name="systemd-nspawn@">
-      <file engine="ansible" file_type="variable" source="nspawn" variable="machined.machines">machined.nspawn_zone_filename</file>
+      <file file_type="variable" source="nspawn" variable="machined.machines">machined.nspawn_zone_filename</file>
-      <file engine="ansible" file_type="variable" source="network-script" variable="machined.machines" mode="700">machined.nspawn_script_network</file>
+      <file file_type="variable" source="network-script" variable="machined.machines" mode="700">machined.nspawn_script_network</file>
-      <file engine="ansible" file_type="variable" source="tls-script" variable="machined.machines" mode="700">machined.nspawn_script_tls</file>
+      <file file_type="variable" source="tls-script" variable="machined.machines" mode="700">machined.nspawn_script_tls</file>
      <file engine="ansible" file_type="variable" source="directory-script" variable="machined.machines" mode="700">machined.nspawn_script_directory</file>
    </service>
  </services>
  <variables>
@ -23,7 +22,6 @@
    <variable name="nspawn_zone_filename" type="filename" hidden="True" multi="True"/>
    <variable name="nspawn_script_network" type="filename" hidden="True" multi="True"/>
    <variable name="nspawn_script_tls" type="filename" hidden="True" multi="True"/>
    <variable name="nspawn_script_directory" type="filename" hidden="True" multi="True"/>
  </variables>
  <constraints>
    <fill name="calc_value">
@ -40,13 +38,6 @@
      <param name="multi" type="boolean">True</param>
      <target>machined.nspawn_script_tls</target>
    </fill>
    <fill name="calc_value">
      <param>/sbin/directory-</param>
      <param type="variable">machined.machines</param>
      <param name="join"></param>
      <param name="multi" type="boolean">True</param>
      <target>machined.nspawn_script_directory</target>
    </fill>
    <fill name="calc_value">
      <param>/etc/systemd/nspawn/</param>
      <param type="variable">machined.machines</param>
--- a/seed/host-systemd-machined/funcs/machined.py
+++ b/seed/host-systemd-machined/funcs/machined.py
@ -9,16 +9,3 @@ def get_internal_zone_names(zones) -> _List[str]:
 def is_first_interface(index) -> bool:
    return index == 0
@_multi_function
 def get_host_ip(zones: dict,
                server_name: str,
                ):
    host_name, domain_name = server_name.split('.', 1)
    for zone in zones.values():
        if domain_name == zone['domain_name']:
            break
    else:
        raise ValueError(f'cannot find IP in domain name "{domain_name}" (for "{server_name}")')
    return zone['host_ip']
--- a/seed/host-systemd-machined/templates/70-container.netdev
+++ b/seed/host-systemd-machined/templates/70-container.netdev
@ -1,3 +1,3 @@
 [NetDev]
-Name={{ rougail_variable }}
+Name=%%rougail_variable
 Kind=bridge
--- a/seed/host-systemd-machined/templates/70-container.network
+++ b/seed/host-systemd-machined/templates/70-container.network
@ -1,6 +1,6 @@
 [Match]
-Name={{ rougail_variable }}
+Name=%%rougail_variable
 [Network]
-Address={{ general.zones.zone_name[rougail_index].zone_cidr }}
+Address=%%zone_name[%%rougail_index].zone_cidr
 EmitLLDP=customer-bridge
--- a/seed/host-systemd-machined/templates/90-risotto.conf
+++ b/seed/host-systemd-machined/templates/90-risotto.conf
@ -1,3 +1,3 @@
 net.ipv4.ip_forward = 1
 fs.inotify.max_user_instances = 1024
-vm.swappiness = {{ general.vm_swappiness }}
+vm.swappiness = %%vm_swappiness
--- a/seed/host-systemd-machined/templates/RPM-GPG-KEY-fedora-38-x86_64
+++ b/seed/host-systemd-machined/templates/RPM-GPG-KEY-fedora-38-x86_64
@ -1,29 +0,0 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 mQINBGIC2cYBEADJye1aE0AR17qwj6wsHWlCQlcihmqkL8s4gbOk1IevBbH4iXJx
 lu6bN+NhTcCCX6eHmaL5Pwb/bpkMmLR+/r1D2cLDK24YzvN6kJnwRQUTf2dbqYmg
 mNBgIMm+kAabBZPwUHUzyQ9CT/WJpYr1OYu8JIkdxF35nrPewnnOUUqxqbi8fXRQ
 gskSLF8UveiOjFIqmWwlPwT1UtnevAaF80UGQlkwFvqjjh4b9vKY2gHMAQwt+wg5
 HFFCSwSrnd88ZoDb3pKvDMeurYUiPzF5f2r+ziVkMuaSNckvp58uge7HvyqQPAdJ
 ZRswCCxhUAo9VqkNfB4Ud25ASyalk9jOE3HB8E35gFfPXvuX1n15THXNcwMEiybk
 Omne2YwXL8ShGNr5otjqywThMrrqcl2g/pJVTcpDHTR5Hn9YRp+GHlYLjyEr+/x7
 xM19y9ca9GUiJqDbEREHcKKIhYiGmcIjjcJvei/3C/aM4pqeGFJBbVSnw3qeMxH/
 6ArAMA1sAdShCkv2YjlcF0r4uoCjXdS3xrKLz9PSCquot7RySnOE9TZ7flfJll7Z
 q+lNaSeJg7FK8VWSUb9Lit6VEYVbzWKzespDDbujrHbFpydyq8gXurk7bSR2w0te
 gsmytQqT/w1z2bydgGF6SfY9Px0wuA8GQKr48l5Bhdc6+vHHFqPKzz0PVQARAQAB
 tDFGZWRvcmEgKDM4KSA8ZmVkb3JhLTM4LXByaW1hcnlAZmVkb3JhcHJvamVjdC5v
 cmc+iQJOBBMBCAA4FiEEalG7q7o9VGe2FxIhgJqNfOsQtGQFAmIC2cYCGw8FCwkI
 BwIGFQoJCAsCBBYCAwECHgECF4AACgkQgJqNfOsQtGScyw/7BLmD4Fwi4QZY94zl
 vlJdNufZRavOemSIVVDHoCr8pQBAdrvoMypxJd5zM4ODIqFsjdYpFti+Tkeq4/4U
 25UoLPEOtU8UDt2uq7LqfdCxspaj7VyXAJIkpf7wEvLS4Jzo+YaMIlsd0dCrMXTM
 vhu4gKpBFW6C+gGlmuDyTJbyrf7ilytgVzVtIfRrT7XffylviIlZHwKm43UDjvzX
 YEl3EAFR1RjATwXMy2aJh7GCNsz+fKs+7YRKQUhpMF5un/2pyNJO+LbVGGwGZvga
 K9Kfsg/4r1ync4nDDD1dadKIHhobDeiJ9uZLoBvvVDz7Ywu7q/vv4zIPxstYBNq4
 6fLKDtYXuJCK0EV9Qy4ox67t0UGlaRGH8y5YUqOI10xH7iQej0xWlSc8w2dKhPz8
 z9XLv2OMK+PvqvflhFHhWkqEoQRqTu0TVD0fLLe4lqieJlqZcJqW0F9G/vNSSWmf
 POLa/Nim71gL2fPjCJOIRV4K/cJSyBmu5NchG7dHD5sUtJxZ4TFSuepaBZ8cPK1x
 e26TaCBqoUWgUXWmw+P89aOpYOJYEFfT/VAm2Ywn+c1EFUmD+30wQ7aP/RUFl94z
 n0BjqsWDnCKVFHydZ0TZSpeADmXMg2VYZPcp/cQR1KjoBoDxAscis7b1XPQUg7CB
 zquq5jBVAnsNIhs7g47GWKyDUJM=
 =aCLl
 -----END PGP PUBLIC KEY BLOCK-----
--- a/seed/host-systemd-machined/templates/dhcp.network
+++ b/seed/host-systemd-machined/templates/dhcp.network
@ -1,17 +1,17 @@
 [Match]
-Name={{ rougail_variable }}
+Name=%%rougail_variable
 [Network]
-{% set leader = general.network.interfaces.interface_names[rougail_index] %}
+%set %%leader = %%interface_names[%%rougail_index]
-{% if leader.interface_type == 'dhcp' %}
+%if %%leader.interface_type == 'dhcp'
 DHCP=ipv4
-{% else %}
+%else
 DHCP=no
-Address={{ leader.interface_ip }}
+Address=%%leader.interface_ip
-{% if leader.first_interface %}
+  %if %%leader.first_interface
-Gateway={{ leader.interface_gateway }}
+Gateway=%%leader.interface_gateway
-{% for dns in leader.interface_domain_name_servers %}
+    %for %%dns in %%leader.interface_domain_name_servers
-DNS={{ dns }}
+DNS=%%dns
-{% endfor %}
+    %end for
-{% endif %}
+  %end if
-{% endif %}
+%end if
--- a/seed/host-systemd-machined/templates/directory-script
+++ b/seed/host-systemd-machined/templates/directory-script
@ -1,16 +0,0 @@
 #!/bin/bash
 set -e
 {% set family = rougail_variable|normalize_family %}
 {% set srv_dir = machined['machine_' + family]['srv_dir_' + family] %}
 {% if srv_dir %}
 mkdir -p {{ srv_dir }}
 chmod 755 {{ srv_dir }}
 {% endif %}
 {% set journal_dir = machined['machine_' + family]['journal_dir_' + family] %}
 mkdir -p {{ journal_dir }}
 chmod 755 {{ journal_dir }}
 exit 0
--- a/seed/host-systemd-machined/templates/network-script
+++ b/seed/host-systemd-machined/templates/network-script
@ -1,18 +1,18 @@
-#!/bin/bash
+%echo "#!/bin/bash"
 set -e
-{% set name = rougail_variable|normalize_family %}
+%set %%name = %%normalize_family(%%rougail_variable)
-{% set container = machined['machine_' + name] %}
+%set %%container = %%machined['machine_' + %%name]
-{% set zones = container['zones_' + name] %}
+%set zones = %%container['zones_' + %%name]
-{% if zones| length > 1 %}
+%if %%len(%%zones) > 1
-{% for zone in zones %}
+ %for %%idx, %%zone in %%enumerate(%%zones)
-{% set idx = loop.index - 1 %}
+  %if not %%idx
-{% if idx %}
+    %continue
-{% set intname = "vc-" + idx|string + rougail_variable %}
+  %end if
-echo "configuration de {{ intname }}"
+  %set %%intname = "vc-" + %%str(%%idx) + %%rougail_variable
-/usr/sbin/ip link set dev {{ intname[:15] }} master {{ zone }}
+echo "configuration de %intname"
-/usr/sbin/ip link set dev {{ intname[:15] }} up
+/usr/sbin/ip link set dev %%intname[:15] master %%zone
-{% endif %}
+/usr/sbin/ip link set dev %%intname[:15] up
-{% endfor %}
+ %end for
-{% endif %}
+%end if
 exit 0
--- a/seed/host-systemd-machined/templates/nspawn
+++ b/seed/host-systemd-machined/templates/nspawn
@ -1,32 +1,31 @@
 [Files]
 Volatile=true
 PrivateUsersChown=false
-{% set name = rougail_variable|normalize_family %}
+%set %%name = %%normalize_family(%%rougail_variable)
-{% set container = machined['machine_' + name] %}
+%set %%container = %%machined['machine_' + %%name]
-{% if container['srv_dir_' + name] %}
+%if %%container['srv_dir_' + %%name]
-Bind={{ container['srv_dir_' + name] }}:/srv
+Bind=%%container['srv_dir_' + %%name]:/srv
-{% endif %}
+%end if
-Bind={{ container['journal_dir_' + name] }}:/var/log/journal/
+Bind=%%container['journal_dir_' + %%name]:/var/log/journal/
-BindReadOnly={{ container['config_dir_' + name] }}:/usr/local/lib
+BindReadOnly=%%container['config_dir_' + %%name]:/usr/local/lib
-{% if container['tls_dir_' + name] %}
+%if %%container['tls_dir_' + %%name]
-Bind={{ container['tls_dir_' + name] }}:/srv/tls
+Bind=%%container['tls_dir_' + %%name]:/srv/tls
-{% endif %}
+%end if
-{% set zones = container['zones_' + name] %}
+%set zones = %%container['zones_' + %%name]
-{% if zones %}
+%if %%zones
 [Network]
 Private=yes
 VirtualEthernet=yes
-{% for zone in zones %}
+ %for %%idx, %%zone in %%enumerate(%%zones)
-{% set index = loop.index - 1 %}
+  %if %%idx == 0
-{% if index == 0 %}
+Bridge=%%zones[0]
-Bridge={{ zones[0] }}
+  %else
-{% else %}
+   %set %%intname = "vc-" + %%str(%%idx) + %%rougail_variable
-{% set intname = "vc-" + index|string + rougail_variable %}
+VirtualEthernetExtra=%%intname[:15]:host%%idx
-VirtualEthernetExtra={{ intname[:15] }}:host{{ index }}
+  %end if
-{% endif %}
+ %end for
-{% endfor %}
+%end if
-{% endif %}
+%for %%port in %%container['incoming_ports_' + %%name]
-{% for port in container['incoming_ports_' + name] %}
+Port=tcp:%%port:%%port
-Port=tcp:{{ port }}:{{ port }}
+%end for
 {% endfor %}
--- a/seed/host-systemd-machined/templates/risotto-images.service
+++ b/seed/host-systemd-machined/templates/risotto-images.service
@ -4,8 +4,8 @@ After=network.target local-fs.target systemd-logind.service
 [Service]
 Type=oneshot
-ExecStart=/usr/local/sbin/backup_images
+ExecStart=/usr/local/sbin/backup_images no
-ExecStart=/usr/local/sbin/update_images {{ tls_server }} "" reboot_every_monday
+ExecStart=/usr/local/sbin/update_images
 [Install]
 WantedBy=multi-user.target
--- a/seed/host-systemd-machined/templates/risottofirewall.service
+++ b/seed/host-systemd-machined/templates/risottofirewall.service
@ -1,3 +1,11 @@
 %def %%get_protocol_port(%%port)
  %if ':' in %%port
    %set %%protocol, %%port = %%port.split(':')
  %else
    %set %%protocol = 'tcp'
  %end if
  %return %%protocol, %%port
 %end def
 [Unit]
 Description=Firewall for Risotto
 After=network.target
@ -5,54 +13,32 @@ After=network.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-{% set ns = namespace(has_rules=False, incoming_ports={"tcp": {}, "udp": {}}) %}
+%set %%has_rules = False
-{% for dns in machined.machines %}
+%set %%incoming_ports = {'tcp': {}, 'udp': {}}
-{% set machine = dns|normalize_family %}
+%for %%dns in %%machined.machines
-{% set outgoing = machined["machine_" + machine]["outgoing_ports_" + machine] %}
+  %set %%machine = %%normalize_family(%%dns)
-{% if outgoing %}
+  %set %%outgoing = %%machined['machine_' + %%machine]['outgoing_ports_' + %%machine]
-{% set ip = machined["machine_" + machine]["ip_" + machine] %}
+  %if %%outgoing
-{% for port in outgoing %}
+    %set %%ip = %%machined['machine_' + %%machine]['ip_' + %%machine]
-{% if ":" in port %}
+    %for %%port in %%outgoing
-{% set protocol, port = port.split(":") %}
+       %set %%protocol, %%port = %%get_protocol_port(%%port)
-{% else %}
+ExecStart=/sbin/iptables -t nat -A POSTROUTING -s %%ip -p %%protocol -m %%protocol --dport %%port -o %%output_interface -j MASQUERADE
-{% set protocol = "tcp" %}
+ExecStop=-/sbin/iptables -t nat -D POSTROUTING -s %%ip -p %%protocol -m %%protocol --dport %%port -o %%output_interface -j MASQUERADE
-{% endif %}
+       %set %%has_rules = False
-ExecStart=/sbin/iptables -t nat -A POSTROUTING -s {{ ip }} -p {{ protocol }} -m {{ protocol }} --dport {{ port }} -o {{ output_interface }} -j MASQUERADE
+    %end for
-ExecStop=-/sbin/iptables -t nat -D POSTROUTING -s {{ ip }} -p {{ protocol }} -m {{ protocol }} --dport {{ port }} -o {{ output_interface }} -j MASQUERADE
+  %end if
-{% set ns.has_rules = True %}
+  %set %%incoming = %%machined['machine_' + %%machine]['incoming_ports_' + %%machine]
-{% endfor %}
+  %for %%port in %%incoming
-{% endif %}
+     %set %%protocol, %%port = %%get_protocol_port(%%port)
-{% set incoming = machined["machine_" + machine]["incoming_ports_" + machine] %}
+     %if %%port in %%incoming_ports[%%protocol]
-{% for port in incoming %}
+       %raise Exception('the port "' + %%port + '" cannot be deployed for multiple machines: "' + %%dns + '" and "' + %%incoming_ports[%%protocol][%%port] + '"')
-{% if ":" in port %}
+     %end if
-{% set protocol, port = port.split(":") %}
+     %set %%incoming_ports[%%protocol][%%port] = %%dns
-{% else %}
+  %end for
-{% set protocol = "tcp" %}
+%end for
-{% endif %}
+%if not %%has_rules
 {% if port in ns.incoming_ports[protocol] %}
 {% set msg = 'the port "' + port + '" cannot be deployed for multiple machines: "' + dns + '" and "' + ns.incoming_ports[protocol][port] + '"' %}
 {{ msg|raise }}
 {% endif %}
 {% set x=ns.incoming_ports.__getitem__(protocol).__setitem__(port, dns) %}
 {% endfor %}
 {% endfor %}
 {% if not ns.has_rules %}
 ExecStart=/usr/bin/echo "No rule"
-{% endif %}
+%end if
 #FIXME
 ExecStart=/sbin/iptables-legacy -t nat -A PREROUTING -p tcp -m tcp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
 ExecStart=/sbin/iptables-legacy -t nat -A PREROUTING -p udp -m udp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
 ExecStart=/sbin/iptables-legacy -t nat -A OUTPUT ! -d 127.0.0.0/8 -p tcp -m tcp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
 ExecStart=/sbin/iptables-legacy -t nat -A OUTPUT ! -d 127.0.0.0/8 -p udp -m udp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
 ExecStart=/sbin/iptables-legacy -t nat -A POSTROUTING -o enp3s0 -p tcp -m tcp --dport 53 -j MASQUERADE
 ExecStart=/sbin/iptables-legacy -t nat -A POSTROUTING -o enp3s0 -p udp -m udp --dport 53 -j MASQUERADE
 ExecStop=/sbin/iptables-legacy -t nat -D PREROUTING -p tcp -m tcp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
 ExecStop=/sbin/iptables-legacy -t nat -D PREROUTING -p udp -m udp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
 ExecStop=/sbin/iptables-legacy -t nat -D OUTPUT ! -d 127.0.0.0/8 -p tcp -m tcp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
 ExecStop=/sbin/iptables-legacy -t nat -D OUTPUT ! -d 127.0.0.0/8 -p udp -m udp --dport 53 -m addrtype --dst-type LOCAL -j DNAT --to-destination 5.135.181.125:53
 ExecStop=/sbin/iptables-legacy -t nat -D POSTROUTING -o enp3s0 -p tcp -m tcp --dport 53 -j MASQUERADE
 ExecStop=/sbin/iptables-legacy -t nat -D POSTROUTING -o enp3s0 -p udp -m udp --dport 53 -j MASQUERADE
 #FIXME
 [Install]
 WantedBy=multi-user.target
--- a/seed/host-systemd-machined/templates/systemd-nspawn@.conf
+++ b/seed/host-systemd-machined/templates/systemd-nspawn@.conf
@ -1,4 +1,3 @@
 [Service]
 ExecStartPre=/usr/local/lib/sbin/directory-%i
 ExecStartPre=/usr/local/lib/sbin/tls-%i
 ExecStartPost=/usr/local/lib/sbin/network-%i
--- a/seed/host-systemd-machined/templates/tls-script
+++ b/seed/host-systemd-machined/templates/tls-script
@ -1,29 +1,29 @@
-#!/bin/bash
+%echo "#!/bin/bash"
 set -e
-{% set ns = namespace(tls_dir=None) %}  
+%for %%machine in %%machined.machines
-{% for machine in machined.machines %}
+  %set %%nor_machine = %%normalize_family(%%machine)
-{% if not ns.tls_dir %}
+  %set tls_dir = %%machined['machine_' + %%nor_machine]['tls_dir_' + %%nor_machine]
-{% set nor_machine = machine|normalize_family %}
+  %if %%tls_dir
-{% set ns.tls_dir = machined['machine_' + nor_machine]['tls_dir_' + nor_machine] %}
+%break
-{% endif %}
+  %end if
-{% endfor %}
+%end for
-{% if ns.tls_dir %}
+%if %%tls_dir
-{% set dst_dir = machined['machine_' + rougail_variable|normalize_family]['config_dir_' + rougail_variable|normalize_family] %}
+  %set %%dst_dir = %%machined['machine_' + %%normalize_family(%%rougail_variable)]['config_dir_' +  %%normalize_family(%%rougail_variable)]
-{% set src_dir = ns.tls_dir + "/machines/" + rougail_variable %}
+  %set %%src_dir = %%tls_dir + "/machines/" + %%rougail_variable
-{% if 'certificates' in extra_variables and rougail_variable in extra_variables['certificates'] %}
+  %if 'certificates' in %%extra_variables and %%rougail_variable in %%extra_variables['certificates']
-if [ -d "{{ dst_dir }}" ] && [ -d "{{ src_dir }}" ]; then
+if [ -d "%%dst_dir" ] && [ -d "%%src_dir" ]; then
-{% for certificate in extra_variables['certificates'][rougail_variable] %}
+    %for %%certificate in %%extra_variables['certificates'][%%rougail_variable]
-{% set files = [certificate.name] %}
+      %set %%files = [%%certificate.name]
-{% if certificate.provider == 'autosigne' %}
+	  %if %%certificate.provider == 'autosigne'
-{{ files.append(certificate.authority) }}
+	    %%files.append(%%certificate.authority)
-{% endif %}
+	  %end if
-{% if 'private' in certificate %}
+      %if 'private' in %%certificate
-{{ files.append(certificate.private) }}
+        %%files.append(%%certificate.private)
-{% endif %}
+      %end if
-{% for file in files %}
+      %for %%file in %%files
-    src_file="{{ src_dir }}{{ file}}"
+    src_file="%%{src_dir}%%file"
-    dst_file="{{dst_dir}}{{ file }}"
+    dst_file="%%{dst_dir}%%file"
    dst_dir=$(dirname "$dst_file")
    mkdir -p "$dst_dir"
 # ne fonctionne pas avec revprox :/
@ -39,9 +39,9 @@ if [ -d "{{ dst_dir }}" ] && [ -d "{{ src_dir }}" ]; then
    chown root: "$dst_file"
    chmod 700 "$dst_file"
-{% endfor %}
+      %end for
-{% endfor %}
+    %end for
 fi
-{% endif %}
+  %end if
-{% endif %}
+%end if
 exit 0
--- a/seed/host-systemd-machined/templates/vector.toml
+++ b/seed/host-systemd-machined/templates/vector.toml
@ -1,69 +0,0 @@
 #                                    __   __  __
 #                                    \ \ / / / /
 #                                     \ V / / /
 #                                      \_/  \/
 #
 #                                    V E C T O R
 #                                   Configuration
 #
 # ------------------------------------------------------------------------------
 # Website: https://vector.dev
 # Docs: https://vector.dev/docs
 # Chat: https://chat.vector.dev
 # ------------------------------------------------------------------------------
 # Change this to use a non-default directory for Vector data storage:
 # data_dir = "/var/lib/vector"
 # Random Syslog-formatted logs
 #>GNUNUX
 #[sources.dummy_logs]
 #type = "demo_logs"
 #format = "syslog"
 #interval = 1
 [sources.journal]
 type = "journald"
 {% if general.prometheus.prometheus_server_address %}
 [sources.metrics]
 type = "host_metrics"
 {% endif %}
 #<GNUNUX
 # Parse Syslog logs
 # See the Vector Remap Language reference for more info: https://vrl.dev
 #>GNUNUX
 #[transforms.parse_logs]
 #type = "remap"
 #inputs = ["dummy_logs"]
 #source = '''
 #. = parse_syslog!(string!(.message))
 #'''
 #<GNUNUX
 # Print parsed logs to stdout
 #>GNUNUX
 [sinks.vector]
 type = "vector"
 inputs = ["journal"]
 address = "{{ general.vector.ip_address }}:8686"
 {% if general.prometheus.prometheus_server_address %}
 [sinks.prometheus]
 type = "prometheus_exporter"
 inputs = ["metrics"]
 address = "{{ general.prometheus.prometheus_ip_address }}:9090"
 #{% endif %}
 #<GNUNUX
 # Vector's GraphQL API (disabled by default)
 # Uncomment to try it out with the `vector top` command or
 # in your browser at http://localhost:8686
 #[api]
 #enabled = true
 #address = "127.0.0.1:8686"
 #>GNUNUX
 [api]
 enabled = true
 address = "127.0.0.1:8686"
 #<GNUNUX
--- a/seed/journald/applicationservice.yml
+++ b/seed/journald/applicationservice.yml
@ -1,3 +0,0 @@
 format: '0.1'
 description: Journald
 website: https://systemd.io/
--- a/seed/journald/dictionaries/20_journald.xml
+++ b/seed/journald/dictionaries/20_journald.xml
@ -1,26 +0,0 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
  <services>
    <service name="systemd-journal-upload" target="multi-user" servicelist="journald">
      <override engine="none"/>
      <certificate authority="Journald" server="journal_client_server_domainname" group="systemd-journal">journald</certificate>
      <file engine="ansible">/etc/systemd/journal-upload.conf</file>
    </service>
  </services>
  <variables>
    <family name="journald" description="systemd-journald">
      <variable name="journal_client_server_domainname" type="domainname" supplier="Journald"/>
      <variable name="journal_host_name" type="domainname" supplier="Journald:host"/>
    </family>
  </variables>
  <constraints>
    <condition name="disabled_if_in" source="journal_client_server_domainname">
      <param type="nil"/>
      <target type="servicelist">journald</target>
    </condition>
    <fill name="calc_value">
      <param type="variable">domain_name_eth0</param>
      <target>journal_host_name</target>
    </fill>
  </constraints>
 </rougail>
--- a/seed/journald/manual/image/preinstall/journald.sh
+++ b/seed/journald/manual/image/preinstall/journald.sh
@ -1 +0,0 @@
 PKG="$PKG systemd-journal-remote"
--- a/seed/journald/templates/journal-upload.conf
+++ b/seed/journald/templates/journal-upload.conf
@ -1,25 +0,0 @@
 #  This file is part of systemd.
 #
 #  systemd is free software; you can redistribute it and/or modify it under the
 #  terms of the GNU Lesser General Public License as published by the Free
 #  Software Foundation; either version 2.1 of the License, or (at your option)
 #  any later version.
 #
 # Entries in this file show the compile time defaults. Local configuration
 # should be created by either modifying this file, or by creating "drop-ins" in
 # the journal-upload.conf.d/ subdirectory. The latter is generally recommended.
 # Defaults can be restored by simply deleting this file and all drop-ins.
 #
 # See journal-upload.conf(5) for details.
 [Upload]
 # URL=
 # ServerKeyFile=/etc/ssl/private/journal-upload.pem
 # ServerCertificateFile=/etc/ssl/certs/journal-upload.pem
 # TrustedCertificateFile=/etc/ssl/ca/trusted.pem
 #>GNUNUX
 URL=https://{{ journal_client_server_domainname }}:19532
 ServerCertificateFile={{ general.tls_cert_directory }}/journald.crt
 ServerKeyFile={{ general.tls_key_directory }}/journald.key
 TrustedCertificateFile={{ general.tls_ca_directory }}/Journald.crt
 #<GNUNUX
--- a/seed/journald/templates/systemd-journal-upload.service
+++ b/seed/journald/templates/systemd-journal-upload.service
@ -1,2 +0,0 @@
 [Unit]
 After=risotto.target
--- a/seed/journald_remote/applicationservice.yml
+++ b/seed/journald_remote/applicationservice.yml
@ -1,3 +0,0 @@
 format: '0.1'
 description: Journald remote
 website: https://systemd.io/
--- a/seed/journald_remote/dictionaries/21_journald.xml
+++ b/seed/journald_remote/dictionaries/21_journald.xml
@ -1,11 +0,0 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
  <services>
    <service name="systemd-journal-remote" target="multi-user">
      <override engine="none"/>
      <certificate certificatelist="journald" authority="Journald" type="server" owner="systemd-journal-remote">journald</certificate>
      <file engine="ansible" filelist="journald">/etc/systemd/journal-remote.conf</file>
    </service>
  </services>
 </rougail>
--- a/seed/journald_remote/extras/accounts/00_accounts.xml
+++ b/seed/journald_remote/extras/accounts/00_accounts.xml
@ -1,21 +0,0 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
  <variables>
    <variable name="remotes" description="Remote journald" type="domainname" provider="Journald" mandatory="True" multi="True"/>
    <family name="remote_" description="Account for " dynamic="accounts.remotes">
      <variable name="host_" description="Remote host" type="domainname" mandatory="True" provider="Journald:host"/>
      <variable name="messages_" multi="True" provider="Journald:message" unique="False"/>
      <variable name="services_" multi="True" provider="Journald:service" unique="False"/>
      <variable name="functions_" multi="True" provider="Journald:function" mandatory="False" unique="False"/>
    </family>
    <variable name="vector_conditions" hidden="True"/>
  </variables>
  <constraints>
    <fill name="calc_vector_conditions">
      <param type="variable">accounts.remote_.messages_</param>
      <param type="variable">accounts.remote_.services_</param>
      <param type="variable">accounts.remote_.functions_</param>
      <target>accounts.vector_conditions</target>
    </fill>
  </constraints>
 </rougail>
--- a/seed/journald_remote/funcs/journald_remote.py
+++ b/seed/journald_remote/funcs/journald_remote.py
@ -1,20 +0,0 @@
 from itertools import chain as _chain
 def calc_vector_conditions(messages, services, functions):
    mes = _chain(*messages)
    ser = list(_chain(*services))
    fun = list(_chain(*functions))
    conditions = []
    for idx, message in enumerate(mes):
        service = ser[idx]
        function = fun[idx]
        condition = '(.SYSLOG_IDENTIFIER == "' + service + '" && '
        if not function:
            condition += '.message == "' + message + '"'
        else:
            condition += function + '(to_string(.message) ?? "", "' + message + '")'
        condition += ')'
        if condition not in conditions:
            conditions.append(condition)
    return '!(' + ' || '.join(conditions) + ')'
--- a/seed/journald_remote/manual/image/preinstall/journald.sh
+++ b/seed/journald_remote/manual/image/preinstall/journald.sh
@ -1 +0,0 @@
 PKG="$PKG systemd-journal-remote"
--- a/seed/journald_remote/templates/journal-remote.conf
+++ b/seed/journald_remote/templates/journal-remote.conf
@ -1,26 +0,0 @@
 #  This file is part of systemd.
 #
 #  systemd is free software; you can redistribute it and/or modify it under the
 #  terms of the GNU Lesser General Public License as published by the Free
 #  Software Foundation; either version 2.1 of the License, or (at your option)
 #  any later version.
 #
 # Entries in this file show the compile time defaults. Local configuration
 # should be created by either modifying this file, or by creating "drop-ins" in
 # the journal-remote.conf.d/ subdirectory. The latter is generally recommended.
 # Defaults can be restored by simply deleting this file and all drop-ins.
 #
 # See journal-remote.conf(5) for details.
 [Remote]
 # Seal=false
 # SplitMode=host
 # ServerKeyFile=/etc/ssl/private/journal-remote.pem
 # ServerCertificateFile=/etc/ssl/certs/journal-remote.pem
 # TrustedCertificateFile=/etc/ssl/ca/trusted.pem
 #>GNUNUX
 SplitMode=none
 ServerCertificateFile={{ general.tls_cert_directory }}/journald.crt
 ServerKeyFile={{ general.tls_key_directory }}/journald.key
 TrustedCertificateFile={{ general.tls_ca_directory }}/Journald.crt
 #<GNUNUX
--- a/seed/journald_remote/templates/systemd-journal-remote.service
+++ b/seed/journald_remote/templates/systemd-journal-remote.service
@ -1,3 +0,0 @@
 [Service]
 ExecStart=
 ExecStart=/usr/lib/systemd/systemd-journal-remote --listen-https=-3 --output=/var/log/journal/remote/risotto.journal
--- a/seed/ldap-client/dictionaries/21_ldap-client.xml
+++ b/seed/ldap-client/dictionaries/21_ldap-client.xml
@ -1,25 +1,22 @@
 <?xml version="1.0" encoding="utf-8"?>
 <rougail version="0.10">
  <services>
-    <service name="ldap-client" target="risotto" engine="ansible">
+    <service name="ldap-client" target="risotto" engine="cheetah">
      <certificate authority="LDAP" owner="ldap_key_file_owner" owner_type="variable" server="ldap_server_address">ldap_client</certificate>
-      <file engine="ansible" source="ldap.conf" file_type="variable">ldap_client_file</file>
+      <file source="ldap.conf" file_type="variable">ldap_client_file</file>
    </service>
  </services>
  <variables>
-    <family name="ldap" description="Annuaire OpenLDAP">
+    <family name="annuaire" description="Annuaire OpenLDAP">
      <family name="server" description="Serveur">
        <variable name='ldap_server_address' type='domainname' description="Nom DNS du serveur LDAP" mandatory='True' supplier="LDAP"/>
        <variable name="ldap_server_ip" type="ip" hidden="True"/>
        <variable name='ldap_port' type='port' description='Port du serveur LDAP' hidden="True">
          <value>636</value>
        </variable>
        <variable name='prefix_domain_name' hidden="True" mandatory="True" provider="global:prefix_domain_name"/>
      </family>
      <family name="client" description="Client">
        <variable name='ldapclient_family' type='unix_user' description="Nom de la famille LDAP" supplier="LDAP:family"/>
        <variable name='ldapclient_user' type='string' description="DN de l'utilisateur LDAP" mandatory='False' hidden="True" supplier="LDAP:dn"/>
        <variable name='ldapclient_address' hidden="True"/>
        <variable name='ldapclient_user_password' type='password' description="Mot de passe de l'utilisateur LDAP" mandatory='True' hidden="True" supplier="LDAP:password"/>
        <variable name='ldapclient_base_dn' type='string' description="Base DN de l'annuaire" mandatory="True" supplier="LDAP:base_dn"/>
        <variable name='ldapclient_search_dn' type='string' description="Base DN de l'annuaire des utilisateurs" mandatory="True"/>
@ -28,7 +25,7 @@
        <variable name="ldap_key_file_owner" type="unix_user" description="Propriétaire du fichier de la clef privée LDAP" hidden="True">
          <value>root</value>
        </variable>
-        <variable name="ldap_client_file" type="filename" description="Nom du fichier du client LDAP" hidden="True"/>
+	<variable name="ldap_client_file" type="filename" description="Nom du fichier du client LDAP" hidden="True"/>
      </family>
    </family>
  </variables>
@ -36,13 +33,8 @@
    <check name='valid_base_dn'>
      <target>ldapclient_base_dn</target>
    </check>
    <fill name="get_ip">
      <param type="information">zones</param>
      <param type="variable">ldap_server_address</param>
      <target>ldap_server_ip</target>
    </fill>
    <fill name='get_default_base_dn'>
-      <param type="variable">prefix_domain_name</param>
+      <param type="variable">ldap_server_address</param>
      <target>ldapclient_base_dn</target>
    </fill>
    <fill name='calc_value'>
@ -53,18 +45,12 @@
    </fill>
    <fill name='calc_value'>
      <param>cn=</param>
-      <param type='variable'>ldapclient_address</param>
+      <param type='variable'>domain_name_eth0</param>
      <param>,</param>
      <param type='variable'>ldapclient_base_dn</param>
      <param name="join"></param>
      <target>ldapclient_user</target>
    </fill>
    <fill name="get_client_address">
      <param type='variable'>ldap_server_ip</param>
      <param type='variable'>domain_name_eth</param>
      <param type='variable'>network_eth</param>
      <target>ldapclient_address</target>
    </fill>
    <fill name="get_password">
      <param name="server_name" type="variable">ldap_server_address</param>
      <param name="username" type="variable">ldapclient_user</param>
--- a/seed/ldap-client/funcs/openldap_client.py
+++ b/seed/ldap-client/funcs/openldap_client.py
@ -1,8 +1,4 @@
 from ipaddress import ip_network as _ip_network, ip_address as _ip_address
 def valid_base_dn(base_dn: str) -> None:
    # copied from openldap
    for att in ['o', 'dc', 'ou']:
        if base_dn.startswith(att + '='):
            break
@ -15,7 +11,6 @@ def calc_ldapclient_base_dn(ldap_base_dn: str,
                            base: bool=False,
                            group: bool=False,
                            ) -> str:
    # copied from openldap
    if ldap_base_dn is None:
        return
    if family_name == 'all':
@ -44,23 +39,14 @@ class _Undefined:
 _undefined = _Undefined()
-def get_default_base_dn(prefix: str) -> str:
+def get_default_base_dn(server_name: str) -> str:
-    # copied from openldap
+    if not server_name or '.' not in server_name:
    if not prefix or '.' not in prefix:
        return None
-    values = prefix.split('.')
+    values = server_name.split('.')
-    # cannot calculated base dn should be subdomain.domain.tld
+    # cannot calculated base dn should be server.domain.tld
    # remove 'server' in dn
    if len(values) < 3:
        return None
-    domain = ['ou=' + domain for domain in values[0:-2]]
+    domain = ['ou=' + domain for domain in values[1:-2]]
    domain.append(f'o={values[-2]},o={values[-1]}')
    return ','.join(domain)
 def get_client_address(ip, infos, network_eth):
    ip_mail = _ip_address(ip)
    for idx, net in enumerate(network_eth):
        if ip_mail in _ip_network(net):
            val = infos[idx]
            return val
--- a/seed/ldap-client/templates/ldap-client.service
+++ b/seed/ldap-client/templates/ldap-client.service
@ -4,4 +4,4 @@ Before=risotto.target
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/{{ ldap_server_address }}/{{ ldap_port }}; do sleep 1; done'
+ExecStart=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/%%ldap_server_address/%%ldap_port; do sleep 1; done'
--- a/seed/ldap-client/templates/ldap.conf
+++ b/seed/ldap-client/templates/ldap.conf
@ -8,8 +8,8 @@
 #BASE	dc=example,dc=com
 #URI	ldap://ldap.example.com ldap://ldap-master.example.com:666
 #>GNUNUX
-BASE {{ ldapclient_search_dn }}
+BASE %%ldapclient_search_dn
-URI ldaps://{{ ldap_server_address }}:{{ ldap_port }}
+URI ldaps://%%ldap_server_address:%%ldap_port
 #<GNUNUX
 #SIZELIMIT	12
@ -21,9 +21,9 @@ URI ldaps://{{ ldap_server_address }}:{{ ldap_port }}
 # by TLS_CACERTDIR one has to include them explicitly:
 #TLS_CACERT	/etc/pki/tls/cert.pem
 #>GNUNUX
-TLS_CERT {{ tls_cert_directory }}/ldap_client.crt
+TLS_CERT %%tls_cert_directory/ldap_client.crt
-TLS_KEY {{ tls_key_directory }}/ldap_client.key
+TLS_KEY %%tls_key_directory/ldap_client.key
-TLS_CACERT {{ tls_ca_directory }}/LDAP.crt
+TLS_CACERT %%tls_ca_directory/LDAP.crt
 #<GNUNUX
 # System-wide Crypto Policies provide up to date cipher suite which should
@ -36,9 +36,9 @@ TLS_CACERT {{ tls_ca_directory }}/LDAP.crt
 SASL_NOCANON	on
 #>GNUNUX
-BINDDN {{ ldapclient_user }}
+BINDDN %%ldapclient_user
 TIMELIMIT 10
 NETWORK_TIMEOUT 10
 TIMEOUT 10
-BINDPW {{ ldapclient_user_password }}
+BINDPW %%ldapclient_user_password
 #<GNUNUX
--- a/seed/lemonldap/DEBUG.md
+++ b/seed/lemonldap/DEBUG.md
@ -3,7 +3,3 @@ Log level to DEBUG
 sed -i "s/logLevel     = info/logLevel     = debug/g" /etc/lemonldap-ng/lemonldap-ng.ini
 systemctl restart lemonldap-ng-fastcgi-server.service
 sed -i 's/log error/log debug/g' /etc/nginx/nginx.conf
 systemctl restart nginx
--- a/seed/lemonldap/dictionaries/70_lemonldap_ng.xml
+++ b/seed/lemonldap/dictionaries/70_lemonldap_ng.xml
@ -2,7 +2,7 @@
 <rougail version="0.10">
  <services>
    <service name="lemonldap-ng-fastcgi-server">
-      <override engine="none"/>
+      <override/>
      <file engine="none">/static/logo.png</file>
      <file engine="none">/static/demo.png</file>
      <file engine="none">/static/silique_email.png</file>
@ -11,15 +11,16 @@
      <file engine="none">/static/silique_video.png</file>
      <file engine="none">/static/silique_image.png</file>
      <file engine="none">/static/risotto.css</file>
-      <file engine="ansible">/var/lib/lemonldap-ng/conf/lmConf-1.json</file>
+      <file>/var/lib/lemonldap-ng/conf/lmConf-1.json</file>
      <file engine="none">/etc/lemonldap-ng/lemonldap-ng.ini</file>
-      <file engine="ansible">/etc/lemonldap-ng/portal-nginx.conf</file>
+      <!--file>/etc/lemonldap-ng/handler-nginx.conf</file-->
-      <file engine="none">/etc/lemonldap-ng/nginx-lmlog.conf</file>
+      <file>/etc/lemonldap-ng/portal-nginx.conf</file>
-      <file engine="ansible">/etc/default/lemonldap-ng-fastcgi-server</file>
+      <file>/etc/lemonldap-ng/nginx-lmlog.conf</file>
-      <file engine="ansible" mode="750">/sbin/interne_well_known.pl</file>
+      <file>/etc/default/lemonldap-ng-fastcgi-server</file>
-      <file engine="ansible" mode="750">/sbin/wget.pl</file>
+      <file mode="750">/sbin/interne_well_known.pl</file>
      <file mode="750">/sbin/wget.pl</file>
      <file engine="none" source="tmpfile-lemonldap.conf">/tmpfiles.d/0lemonldap.conf</file>
-      <file engine="ansible" filelist="copy_tests">/tests/lemonldap.yml</file>
+      <file filelist="copy_tests">/tests/lemonldap.yml</file>
    </service>
  </services>
  <variables>
@ -35,7 +36,7 @@
      </variable>
      <variable name="lemon_mail_admin" type="mail" description="Courriel de l'administrateur" mandatory="True"/>
    </family>
-    <family name="ldap">
+    <family name="annuaire">
      <family name="client">
        <variable name='ldapclient_family' redefine="True">
          <value>all</value>
--- a/seed/lemonldap/extras/oauth2/00_oauth2.xml
+++ b/seed/lemonldap/extras/oauth2/00_oauth2.xml
@ -3,7 +3,6 @@
  <variables>
    <variable name="remotes" description="Remote clients needing to verify OAuth2 account" type="domainname" multi="True" provider="OAuth2"/>
    <family name="oauth2_" description="OAuth2 for " dynamic="oauth2.remotes">
      <variable name="client_id_" description="Remote client id for " mandatory="True" hidden="True" provider="OAuth2:client_id"/>
      <variable name="secret_" description="Remote secret for " type="password" mandatory="True" hidden="True" provider="OAuth2:secret"/>
      <variable name="name_" description="Remote name for " hidden="True" provider="OAuth2:name"/>
      <variable name="description_" description="Remote description for " hidden="True" provider="OAuth2:description"/>
--- a/seed/lemonldap/templates/handler-nginx.conf
+++ b/seed/lemonldap/templates/handler-nginx.conf
@ -21,10 +21,10 @@ server {
  # GNUNUX server_name reload.example.com;
 #>GNUNUX
  listen 443 ssl;
-  server_name {{ general.lemonldap.lemon_reload_web_name }};
+  server_name %%lemon_reload_web_name;
-  ssl_certificate         {{ general.tls_cert_directory }}/revprox.crt;
+  ssl_certificate         %%tls_cert_directory/revprox.crt;
-  ssl_certificate_key     {{ general.tls_key_directory }}/revprox.key;
+  ssl_certificate_key     %%tls_key_directory/revprox.key;
-  ssl_client_certificate  {{ general.tls_ca_directory }}/InternalReverseProxy.crt;
+  ssl_client_certificate  %%tls_ca_directory/InternalReverseProxy.crt;
 #<GNUNUX
  root /var/www/html;
@ -55,7 +55,7 @@ server {
  # Client requests
  location / {
-    allow {{ general.revprox.revprox_client.revprox_client_server_ip }};
+    allow %%revprox_client_server_ip;
    deny all;
    # Uncomment this if you use https only
--- a/seed/lemonldap/templates/interne_well_known.pl
+++ b/seed/lemonldap/templates/interne_well_known.pl
@ -1,17 +1,17 @@
-#!/usr/bin/env perl
+%echo "#!/usr/bin/env perl"
 # retrieve and modify (if no argument) well-known file
 use HTTP::Tiny;
 use JSON qw(from_json to_json);
-my $baseUrl = 'https://{{ general.network.interface_0.domain_name_eth0 }}/';
+my $baseUrl = 'https://%%domain_name_eth0/';
 my $response = HTTP::Tiny->new->get('http://localhost/.well-known/openid-configuration');
 die "Failed!\n" unless $response->{success};
 my $json = from_json($response->{content});
-$num_args = $#ARGV + 1;
+%echo "$num_args = $#ARGV + 1;"
 if ($num_args == 0) {
    $json->{token_endpoint} = $baseUrl . 'oauth2/token';
--- a/seed/lemonldap/templates/lemonldap-ng-fastcgi-server
+++ b/seed/lemonldap/templates/lemonldap-ng-fastcgi-server
@ -1,7 +1,7 @@
 # Number of process (default: 7)
 #NPROC = 7
 #>GNUNUX
-NPROC={{ general.lemonldap.lemon_proc }}
+NPROC=%%lemon_proc
 #<GNUNUX
 # Unix socket to listen to
--- a/seed/lemonldap/templates/lemonldap.yml
+++ b/seed/lemonldap/templates/lemonldap.yml
@ -1,3 +1,3 @@
-address: {{ revprox_client_external_domainnames[0] }}
+address: %%revprox_client_external_domainnames[0]
-internal_address: {{ domain_name_eth0 }}
+internal_address: %%domain_name_eth0
-ip: {{ ip_eth0 }}
+ip: %%ip_eth0
--- a/seed/lemonldap/templates/lmConf-1.json
+++ b/seed/lemonldap/templates/lmConf-1.json
@ -1,16 +1,19 @@
 %compiler-settings
 commentStartToken = §
 %end compiler-settings
 {
-   "mailFrom" : "{{ general.lemonldap.lemon_mail_admin }}",
+   "mailFrom" : "%%lemon_mail_admin",
   "mailLDAPFilter" : "(&(mail=$mail)(objectClass=inetOrgPerson))",
   "portalSkinBackground" : "",
   "portalCustomCss": "risotto/risotto.css",
   "authentication" : "LDAP",
   "AuthLDAPFilter" : "(&(cn=$user)(objectClass=inetOrgPerson))",
-   "managerDn" : "{{ general.ldap.client.ldapclient_user }}",
+   "managerDn" : "%%ldapclient_user",
-   "managerPassword" : "{{ general.ldap.client.ldapclient_user_password }}",
+   "managerPassword" : "%%ldapclient_user_password",
   "ldapPpolicyControl" : 1,
   "ldapAllowResetExpiredPassword" : 1,
   "ldapChangePasswordAsUser" : 1,
-   "ldapBase" : "{{ general.ldap.client.ldapclient_search_dn }}",
+   "ldapBase" : "%%ldapclient_search_dn",
   "ldapExportedVars" : {
      "uid" : "uid",
      "cn" : "cn",
@ -19,7 +22,7 @@
      "givenName" : "givenName",
      "home" : "homeDirectory"
   },
-   "ldapGroupBase" : "{{ general.ldap.client.ldapclient_group_dn }}",
+   "ldapGroupBase" : "%%ldapclient_group_dn",
   "ldapGroupAttributeName" : "member",
   "ldapGroupAttributeNameUser" : "cn",
   "ldapGroupAttributeNameGroup" : "dn",
@ -27,7 +30,7 @@
   "ldapGroupAttributeNameUser" : "dn",
   "ldapGroupObjectClass" : "groupOfNames",
   "ldapPort" : "636",
-   "ldapServer" : "ldaps://{{ general.ldap.server.ldap_server_address }}",
+   "ldapServer" : "ldaps://%%ldap_server_address",
   "ldapVerify" : "required",
   "ldapTimeout" : 120,
   "cfgAuthor" : "Risotto",
@ -38,7 +41,7 @@
      "mail" : "mail",
      "uid" : "uid"
   },
-   "domain" : "{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}",
+   "domain" : "%%revprox_client_external_domainnames[0]",
   "exportedVars" : {
       "UA" : "HTTP_USER_AGENT",
       "cn" : "cn",
@ -57,22 +60,23 @@
      "namespace" : "lemonldap-ng-sessions"
  },
   "locationRules" : {
-      "{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}" : {
+      "%%revprox_client_external_domainnames[0]" : {
         "default" : "accept"
-{% set domains = [] %}
+%set %%domains = []
-{% for app in oauth2.remotes %}
+%for %%app in %%oauth2.remotes
-{% set key = app|normalize_family %}
+  %set %%key = %%normalize_family(%%app)
-{% for external in oauth2['oauth2_' + key]['external_' + key]['hosts_' + key] %}
+  § somethink like ['https://domain/']
-{% set domain = (external|string).split('/', 3)[-2] %}
+  %for %%external in %%oauth2['oauth2_' + %%key]['external_' + %%key]['hosts_' + %%key]
-{% if domain not in domains %}
+    %set %%domain = %%str(%%external).split('/', 3)[-2]
    %if %%domain not in %%domains
     },
-     "{{ domain }}" : {
+     "%%domain" : {
        "^/logout" : "logout_sso",
-        "default" : "$groups eq \"{{ external['family_' + key] }}\""
+        "default" : "$groups eq \"%%external['family_' + %%key]\""
-{{ domains.append(domain) }}
+%%domains.append(%%domain)%slurp
-{% endif %}
+    %end if
-{% endfor %}
+  %end for
-{% endfor %}
+%end for
      }
   },
   "loginHistoryEnabled" : 1,
@ -80,7 +84,7 @@
      "UA" : "$ENV{HTTP_USER_AGENT}",
      "_whatToTrace" : "$_auth eq 'SAML' ? lc($_user.'@'.$_idpConfKey) : $_auth eq 'OpenIDConnect' ? lc($_user.'@'.$_oidc_OP) : lc($_user)"
   },
-   "mailUrl" : "https://{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}/resetpwd",
+   "mailUrl" : "https://%%revprox_client_external_domainnames[0]/resetpwd",
   "mySessionAuthorizedRWKeys" : [
      "_appsListOrder",
      "_oidcConnectedRP",
@ -91,50 +95,53 @@
       "dirName" : "/srv/lemonldap-ng/notifications"
   },
   "oidcRPMetaDataExportedVars" : {
-{% set len_app = oauth2.remotes|length %}
+%set %%len_app = %%len(%%oauth2.remotes)
-{% for app in oauth2.remotes %}
+%for %%idx, %%app in %%enumerate(%%oauth2.remotes)
-{% set key = app|normalize_family %}
+  %set %%key = %%normalize_family(%%app)
-{% set description = oauth2['oauth2_' + key]['description_' + key] %}
+  %set %%description = %%oauth2['oauth2_' + %%key]['description_' + %%key]
-      "{{ app }}" : {
+      "%%app" : {
         "email" : "mail",
         "family_name" : "sn",
         "name" : "cn",
 	 "nickname" : "uid",
 	 "home" : "home"
-{% if len_app == loop.index %}
+  %if %%len_app - 1 == %%idx
      }
-{% else %}
+  %else
      },
-{% endif %}
+  %end if
-{% endfor %}
+%end for
   },
   "oidcRPMetaDataOptions" : {
-{% for app in oauth2.remotes %}
+%for %%idx, %%app in %%enumerate(%%oauth2.remotes)
-{% set key = app|normalize_family %}
+  %set %%key = %%normalize_family(%%app)
-{% set description = oauth2['oauth2_' + key]['description_' + key] %}
+  %set %%description = %%oauth2['oauth2_' + %%key]['description_' + %%key]
-      "{{ app }}" : {
+      "%%app" : {
         "oidcRPMetaDataOptionsAllowClientCredentialsGrant" : 0,
         "oidcRPMetaDataOptionsAllowOffline" : 1,
         "oidcRPMetaDataOptionsAllowPasswordGrant" : 0,
         "oidcRPMetaDataOptionsBypassConsent" : 1,
-         "oidcRPMetaDataOptionsClientID" : "{{ oauth2['oauth2_' + key]['client_id_' + key] }}",
+         "oidcRPMetaDataOptionsClientID" : "%%key",
-         "oidcRPMetaDataOptionsClientSecret" : "{{ oauth2['oauth2_' + key]['secret_' + key] }}",
+         "oidcRPMetaDataOptionsClientSecret" : "%%oauth2['oauth2_' + %%key]['secret_' + %%key]",
         "oidcRPMetaDataOptionsIDTokenForceClaims" : 0,
-         "oidcRPMetaDataOptionsIDTokenSignAlg" : "{{ oauth2['oauth2_' + key]['token_signature_algo_' + key] }}",
+         "oidcRPMetaDataOptionsIDTokenSignAlg" : "%%oauth2['oauth2_' + %%key]['token_signature_algo_' + %%key]",
         "oidcRPMetaDataOptionsLogoutSessionRequired" : 0,
         "oidcRPMetaDataOptionsLogoutType" : "front",
 §         "oidcRPMetaDataOptionsLogoutUrl" : "https://git.gnunux.com/user/oauth2/NAME/logout",
 §FIXME
         "oidcRPMetaDataOptionsPostLogoutRedirectUris" : "gnunux-allow",
         "oidcRPMetaDataOptionsPublic" : 0,
-{% if oauth2['oauth2_' + key]['login_' + key] %}
+  %if %%oauth2['oauth2_' + %%key]['login_' + %%key] 
-         "oidcRPMetaDataOptionsRedirectUris" : "{{ oauth2['oauth2_' + key]['login_' + key] }}",
+         "oidcRPMetaDataOptionsRedirectUris" : "%%oauth2['oauth2_' + %%key]['login_' + %%key]",
-{% endif %}
+  %end if
         "oidcRPMetaDataOptionsRefreshToken" : 0,
         "oidcRPMetaDataOptionsRequirePKCE" : 0
-{% if len_app == loop.index %}
+  %if %%len_app - 1 == %%idx
      }
-{% else %}
+  %else
      },
-{% endif %}
+  %end if
-{% endfor %}
+%end for
   },
   "oidcServiceKeyIdSig" : "2PDCicoyT45rjsARYcxjfg",
   "oidcServiceMetaDataAuthnContext" : {
@ -144,63 +151,62 @@
      "loa-4" : 4,
      "loa-5" : 5
   },
-{% set tpub = domain_name_eth0|get_public_key(hide=hide_secret) %}
+%set %%pub = '\\n'.join(%%get_public_key(%%domain_name_eth0, hide=%%hide_secret).split("\n"))
-{% set pub = tpub.split("\n")|join('\\n') %}
+   "oidcServicePublicKeySig" : "%%pub",
-   "oidcServicePublicKeySig" : "{{ pub }}",
+%set %%priv = '\\n'.join(%%get_private_key(%%domain_name_eth0, hide=%%hide_secret).split("\n"))
-{% set tpriv = domain_name_eth0|get_private_key(hide=hide_secret) %}
+   "oidcServicePrivateKeySig" : "%%priv",
 {% set priv = tpriv.split("\n")|join('\\n') %}
   "oidcServicePrivateKeySig" : "{{ priv }}",
   "passwordDB" : "LDAP",
   "persistentStorage" : "Apache::Session::File",
   "persistentStorageOptions" : {
      "Directory": "/srv/lemonldap-ng/psessions",
      "LockDirectory": "/srv/lemonldap-ng/psessions/lock"
   },
-   "portal" : "https://{{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }}/",
+   "portal" : "https://%%revprox_client_external_domainnames[0]/",
   "portalCheckLogins": 0,
   "portalDisplayRegister": 0,
   "portalDisplayResetPassword": 0,
   "portalMainLogo": "risotto/logo.png",
   "showLanguages": 0,
-   "requireToken": "$env->{REMOTE_ADDR} ne '{{ gateway_eth0 }}'",
+   "requireToken": "$env->{REMOTE_ADDR} ne '%%gateway_eth0'",
   "whatToTrace" : "_whatToTrace",
-{% set remotes = {} %}
+%set %%remotes = {}
-{% for app in oauth2.remotes %}
+%for %%index, %%app in %%enumerate(%%oauth2.remotes)
-{% set key = app|normalize_family %}
+ %set %%key = %%normalize_family(%%app)
-{% set description = oauth2['oauth2_' + key]['description_' + key] %}
+ %set %%description = %%oauth2['oauth2_' + %%key]['description_' + %%key]
-{% if description %}
+ %if not %%description
-{% set dico = {'key': key,
+  %continue
-               'description': description,
+ %end if
-               'logo': "risotto/" + oauth2['oauth2_' + key]['logo_' + key],
+ %set %%dico = {'key': %%key,
-               'name': oauth2['oauth2_' + key]['name_' + key],
+                'description': %%description,
-               'uri': oauth2['oauth2_' + key]['external_' + key]['hosts_' + key]} %}
+                'logo': "risotto/" + %%oauth2['oauth2_' + %%key]['logo_' + %%key],
-{{ remotes.setdefault(oauth2['oauth2_' + key]['category_' + key], []).append(dico) }}
+                'name': %%oauth2['oauth2_' + %%key]['name_' + %%key],
-{% endif %}
+                'uri': %%oauth2['oauth2_' + %%key]['external_' + %%key]['hosts_' + %%key]}
-{% endfor %}
+%%remotes.setdefault(%%oauth2['oauth2_' + %%key]['category_' + %%key], []).append(%%dico)%slurp
 %end for
   "applicationList" : {
-{% for cat in remotes %}
+%for %%index, %%cat in %%enumerate(%%remotes)
-{% if loop.index != 1 %}
+ %if %%index != 0
 ,
-{% endif %}
+ %end if
-      "cat_{{ loop.index - 1 }}" : {
+      "cat_%%index" : {
-         "catname" : "{{ cat }}",
+         "catname" : "%%cat",
-{% for dico in remotes[cat] %}
+ %for %%dico in %%remotes[%%cat]
-{% for uri in dico['uri'] %}
+  %for %%idx, %%uri in %%enumerate(%%dico['uri'])
-         "{{ dico['key'] }}_{{ loop.index - 1 }}" : {
+         "%%{dico['key']}_%%idx" : {
            "options" : {
-               "description" : "{{ dico['description'] }}",
+               "description" : "%%dico['description']",
               "display" : "auto",
-               "logo" : "{{ dico['logo'] }}",
+               "logo" : "%%dico['logo']",
-               "name" : "{{ dico['name'] }}",
+               "name" : "%%dico['name']",
-               "uri" : "{{ uri }}"
+               "uri" : "%%uri"
            },
            "type" : "application"
         },
-{% endfor %}
+  %end for
-{% endfor %}
+ %end for
         "type" : "category"
-      }
+      }%slurp
-{%- endfor -%}
+%end for
   }
 }
--- a/seed/lemonldap/templates/portal-nginx.conf
+++ b/seed/lemonldap/templates/portal-nginx.conf
@ -26,7 +26,7 @@ server {
    include /etc/nginx/fastcgi_params;
    fastcgi_pass llng_portal_upstream;
    fastcgi_param REQUEST_URI /.well-known/openid-configuration;
-    fastcgi_param HTTP_HOST {{ general.network.interface_0.domain_name_eth0 }};
+    fastcgi_param HTTP_HOST %%domain_name_eth0;
    fastcgi_param LLTYPE psgi;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
@ -37,10 +37,8 @@ server {
 #>GNUNUX
 geo $zone_name {
  default ext;
-  {{ general.network.interface_0.gateway_eth0 }} ext;
+  %%gateway_eth0 ext;
-{% for interface in range(zones_list|length) %}
+  %%network_eth0 int;
  {{ general.network['interface_' + interface|string]['network_eth' + interface|string] }} int;
 {% endfor %}
 }
 #<GNUNUX
@ -49,11 +47,11 @@ server {
  # GNUNUX listen [::]:80;
  # GNUNUX server_name auth.example.com;
 #>GNUNUX
-  listen {{ general.network.interface_0.domain_name_eth0 }}:443 ssl;
+  listen 443 ssl;
-  server_name {{ general.revprox.revprox_client.revprox_client_external_domainnames[0] }};
+  server_name %%{revprox_client_external_domainnames[0]};
-  ssl_certificate {{ general.tls_cert_directory }}/revprox.crt;
+  ssl_certificate %%tls_cert_directory/revprox.crt;
-  ssl_certificate_key {{ general.tls_key_directory }}/revprox.key;
+  ssl_certificate_key %%tls_key_directory/revprox.key;
-  ssl_client_certificate {{ general.tls_ca_directory }}/InternalReverseProxy.crt;
+  ssl_client_certificate %%tls_ca_directory/InternalReverseProxy.crt;
  ssl_session_cache shared:SSL:10m;
 #<GNUNUX
  root /usr/share/lemonldap-ng/portal/htdocs/;
@ -69,7 +67,7 @@ server {
  #set_real_ip_from  127.0.0.1;
  #real_ip_header    X-Forwarded-For;
 #>GNUNUX
-  set_real_ip_from  {{ general.revprox.revprox_client_server_ip }};
+  set_real_ip_from  %%revprox_client_server_ip;
  real_ip_header    X-Forwarded-For;
 #<GNUNUX
@ -108,35 +106,35 @@ server {
    # REST/SOAP functions for sessions management (disabled by default)
    location ~ ^/index.psgi/adminSessions {
      fastcgi_pass llng_portal_upstream;
-      allow {{ general.revprox.revprox_client_server_ip }};
+      allow %%revprox_client_server_ip;
      deny all;
    }
    # REST/SOAP functions for proxy auth and password reset (disabled by default)
    location ~ ^/index.psgi/proxy {
      fastcgi_pass llng_portal_upstream;
-      allow {{ general.revprox.revprox_client_server_ip }};
+      allow %%revprox_client_server_ip;
      deny all;
    }
    # REST/SOAP functions for sessions access (disabled by default)
    location ~ ^/index.psgi/sessions {
      fastcgi_pass llng_portal_upstream;
-      allow {{ general.revprox.revprox_client_server_ip }};
+      allow %%revprox_client_server_ip;
      deny all;
    }
    # REST/SOAP functions for configuration access (disabled by default)
    location ~ ^/index.psgi/config {
      fastcgi_pass llng_portal_upstream;
-      allow {{ general.revprox.revprox_client_server_ip }};
+      allow %%revprox_client_server_ip;
      deny all;
    }
    # REST/SOAP functions for notification insertion (disabled by default)
    location ~ ^/index.psgi/notification {
      fastcgi_pass llng_portal_upstream;
-      allow {{ general.revprox.revprox_client_server_ip }};
+      allow %%revprox_client_server_ip;
      deny all;
    }
--- a/seed/lemonldap/templates/wget.pl
+++ b/seed/lemonldap/templates/wget.pl
@ -1,8 +1,8 @@
-#!/usr/bin/env perl
+%echo "#!/usr/bin/env perl"
 use HTTP::Tiny;
-my $response = HTTP::Tiny->new->get('https://{{ general.network.interface_0.domain_name_eth0 }}/.well-known/openid-configuration');
+my $response = HTTP::Tiny->new->get('https://%%domain_name_eth0/.well-known/openid-configuration');
 die "Failed!\n" unless $response->{success};
--- a/seed/loki/applicationservice.yml
+++ b/seed/loki/applicationservice.yml
@ -1,5 +0,0 @@
 format: '0.1'
 description: Loki, a log aggregation platform
 website: https://grafana.com/
 depends:
  - base-fedora-38
--- a/seed/loki/dictionaries/20_loki.xml
+++ b/seed/loki/dictionaries/20_loki.xml
@ -1,16 +0,0 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
  <services>
    <service name="loki" target="multi-user" engine="ansible">
      <file engine="ansible" source="loki-local-config.yaml">/etc/loki/loki.yaml</file>
      <file engine="none" source="sysuser-loki.conf">/sysusers.d/loki.conf</file>
      <file engine="none" source="tmpfile-loki.conf">/tmpfiles.d/0loki.conf</file>
    </service>
  </services>
  <variables>
    <family name="loki" description="loki">
      <variable name="remotes" description="Remote loki client" type="domainname" provider="Loki" mandatory="True" multi="True"/>
    </family>
  </variables>
 </rougail>
--- a/seed/loki/manual/image/postinstall/loki.sh
+++ b/seed/loki/manual/image/postinstall/loki.sh
@ -1,17 +0,0 @@
 set -ex
 #FIXME unsign?
 mkdir -p ~/loki/
 URL=$(wget https://api.github.com/repos/grafana/loki/releases/latest -q -O - | jq -r '.assets[].browser_download_url'|grep loki-linux-amd64)
 VERS=$(echo "$URL" | awk -F'/' '{ print $8 }')
 if [ ! -f ~/"loki/loki-$VERS-linux-amd64.zip" ]; then
    rm -rf ~/"loki/loki-*-linux-amd64.zip"
    wget "$URL" -O ~/"loki/loki-$VERS-linux-amd64.zip"
 fi
 cp -a ~/"loki/loki-$VERS-linux-amd64.zip" .
 unzip "loki-$VERS-linux-amd64.zip"
 mv "loki-linux-amd64" "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/bin/loki"
 chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/bin/loki"
--- a/seed/loki/templates/loki-local-config.yaml
+++ b/seed/loki/templates/loki-local-config.yaml
@ -1,55 +0,0 @@
 #RISOTTO: https://raw.githubusercontent.com/grafana/loki/main/cmd/loki/loki-local-config.yaml
 auth_enabled: false
 server:
  http_listen_port: 3100
  grpc_listen_port: 9096
 common:
  instance_addr: 127.0.0.1
  path_prefix: /srv/loki
  storage:
    filesystem:
      chunks_directory: /srv/loki/chunks
      rules_directory: /srv/loki/rules
  replication_factor: 1
  ring:
    kvstore:
      store: inmemory
 query_range:
  results_cache:
    cache:
      embedded_cache:
        enabled: true
        max_size_mb: 100
 schema_config:
  configs:
    - from: 2020-10-24
      store: boltdb-shipper
      object_store: filesystem
      schema: v11
      index:
        prefix: index_
        period: 24h
 ruler:
  alertmanager_url: http://localhost:9093
 # By default, Loki will send anonymous, but uniquely-identifiable usage and configuration
 # analytics to Grafana Labs. These statistics are sent to https://stats.grafana.org/
 #
 # Statistics help us better understand how Loki is used, and they show us performance
 # levels for most users. This helps us prioritize features and documentation.
 # For more information on what's sent, look at
 # https://github.com/grafana/loki/blob/main/pkg/usagestats/stats.go
 # Refer to the buildReport method to see what goes into a report.
 #
 # If you would like to disable reporting, uncomment the following lines:
 #analytics:
 #  reporting_enabled: false
 #>GNUNUX
 analytics:
  reporting_enabled: false
 #<GNUNUX
--- a/seed/loki/templates/loki.service
+++ b/seed/loki/templates/loki.service
@ -1,14 +0,0 @@
 [Unit]
 Description=Loki Grafana
 Wants=risotto.target
 After=risotto.target
 [Service]
 Type=simple
 User=loki
 Group=loki
 ExecStart=/usr/bin/loki -config.file=/etc/loki/loki.yaml
 Restart=always
 [Install]
 WantedBy=multi-user.target
--- a/seed/loki/templates/sysuser-loki.conf
+++ b/seed/loki/templates/sysuser-loki.conf
@ -1,2 +0,0 @@
 g loki 997 -
 u loki 997:997     "Loki Grafana" /tmp /sbin/nologin
--- a/Show more
+++ b/Show more
`@ -1,2 +1,2 @@`
	`{% set domain = domain_name_eth0.split('.', 1)[1] %}`	`%set %%domain=%%domain_name_eth0.split('.', 1)[1]`
	`{{ domain }}`	`%%domain`
		`@ -0,0 +1,2 @@`
							`%%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)`
		`@ -0,0 +1 @@`
							`%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)`
`@ -1,2 +1,2 @@`
	`{{ general.smtp.smtp_relay_address }} {{ general.smtp.smtp_relay_user }}@{{ general.smtp.smtp_client_ip }}:{{ general.smtp.smtp_relay_password }}`	`%%smtp_relay_address %%smtp_relay_user@%%ip_eth0:%%smtp_relay_password`
		`@ -1,2 +0,0 @@`
			`sed -i "s/;level = info/level = debug/g" /etc/grafana/grafana.ini`
			`systemctl restart grafana-server`
		`@ -1,2 +0,0 @@`
			`d /srv/grafana 700 grafana grafana - -`
			`d /srv/grafana/home 700 grafana grafana - -`
		`@ -1,2 +0,0 @@`
			`g loki 997 -`
			`u loki 997:997 "Loki Grafana" /tmp /sbin/nologin`