From 0cab6271540dfcfeb2aca27a33556b481c30a5f6 Mon Sep 17 00:00:00 2001
From: Emmanuel Garette <egarette@cadoles.com>
Date: Fri, 24 Jun 2022 19:00:16 +0200
Subject: [PATCH] update

---
 .../2022.03.08/apache/dictionaries/20_web.xml |   1 +
 .../2022.03.08/apache/templates/server.crt    |   2 +-
 .../2022.03.08/apache/templates/server.key    |   2 +-
 .../dictionaries/00-debian-bullseye.xml       |   8 +-
 .../dictionaries/00-debian-base.xml           |  26 ---
 .../dictionaries/11-debian-base.xml           |  15 ++
 .../dictionaries/17-debian-base.xml           |  17 ++
 .../dictionaries/00-fedora-35.xml             |  10 --
 .../dictionaries/11-fedora-35.xml             |   8 +
 .../dictionaries/00-fedora-version.xml        |  10 --
 .../dictionaries/11-fedora-version.xml        |   8 +
 .../dictionaries/00-fedora-base.xml           |  25 ---
 .../dictionaries/11-fedora-base.xml           |  13 ++
 .../dictionaries/17-fedora-base.xml           |  17 ++
 .../dictionaries/{00-base.xml => 12-base.xml} |  41 ++---
 .../2022.03.08/base/funcs/funcs.py            |  30 +++-
 .../2022.03.08/base/manual/install/diff.py    |  19 ++-
 .../dovecot/dictionaries/22_dovecot.xml       |  34 ++--
 .../dovecot/templates/ca_IMAPServer.crt       |   2 +-
 .../dovecot/templates/ca_MailServer.crt       |   2 +-
 .../dovecot/templates/dovecot-ldap.conf.ext   |   6 +-
 .../2022.03.08/dovecot/templates/dovecot.crt  |   7 +-
 .../2022.03.08/dovecot/templates/dovecot.key  |   2 +-
 .../dovecot/templates/external_imap.crt       |   2 +-
 .../dovecot/templates/external_imap.key       |   2 +-
 .../dovecot/templates/ldapsource.cf           |   6 +-
 .../2022.03.08/dovecot/templates/postfix.crt  |   7 +-
 .../2022.03.08/dovecot/templates/postfix.key  |   2 +-
 .../2022.03.08/dovecot/templates/postfix.pem  |   4 +-
 .../dovecot/templates/postfix_sni.pem         |   4 +-
 .../gitea/dictionaries/31_gitea.xml           |  15 +-
 .../imap-client/templates/ca_IMAPServer.crt   |   2 +-
 .../dictionaries/20_ldap-client-debian.xml    |  11 --
 .../dictionaries/22_ldap-client-debian.xml    |  13 ++
 .../dictionaries/20_ldap-client-fedora.xml    |  11 --
 .../dictionaries/22_ldap-client-fedora.xml    |  13 ++
 .../dictionaries/21_ldap-client.xml           |  97 ++++++-----
 .../ldap-client/funcs/openldap_client.py      |  27 ++-
 .../ldap-client/templates/ca_LDAP.crt         |   2 +-
 .../ldap-client/templates/ldap.conf           |   4 +-
 .../ldap-client/templates/ldap_client.crt     |   2 +-
 .../ldap-client/templates/ldap_client.key     |   2 +-
 .../dictionaries/70_lemonldap_ng.xml          |  16 +-
 .../2022.03.08/lemonldap/doc.md               |   3 +-
 .../lemonldap/extras/oauth2/00_oauth2.xml     |   8 +-
 .../lemonldap-ng-fastcgi-server.service       |   1 +
 .../lemonldap/templates/lmConf-1.json         |  36 ++--
 .../dictionaries/20-letsencrypt.xml           |   1 +
 .../letsencrypt/funcs/letsencrypt.py          |   3 +
 .../mailman/dictionaries/31_mailman.xml       |   7 +-
 .../templates/postgresql_postorius.key        |   2 +-
 .../templates/mariadbclient.service           |   2 +-
 .../mariadb/dictionaries/20_mariadb.xml       |   1 +
 .../nextcloud/dictionaries/31_nextcloud.xml   |   6 +-
 .../nextcloud/templates/nextcloud.init        |   4 +-
 .../nginx-common/templates/nginx-options.conf |   2 +-
 .../nginx-https/templates/nginx.crt           |   4 +-
 .../nginx-https/templates/nginx.key           |   2 +-
 .../dictionaries/25_nginx.xml                 |  10 +-
 .../templates/ca_InternalReverseProxy.crt     |   4 +-
 .../templates/certificate.crt                 |   2 +-
 .../nginx-reverse-proxy/templates/private.key |   2 +-
 .../2022.03.08/nsd/dictionaries/20_nsd.xml    |   2 +-
 .../2022.03.08/nsd/templates/risotto.conf     |   2 +-
 .../dictionaries/30_oauth2_client.xml         |  15 +-
 .../dictionaries/21_openldap-server.xml       | 158 +++++++-----------
 .../openldap/extras/accounts/00_account.xml   |  44 +++--
 .../openldap/templates/admin_ldap.pwd         |   2 +-
 .../2022.03.08/openldap/templates/config.ldif |  20 ++-
 .../openldap/templates/config_acl.ldif        |  22 +--
 .../openldap/templates/openldap.crt           |   4 +-
 .../openldap/templates/openldap.key           |   2 +-
 .../openldap/templates/slapd.service          |   6 +-
 .../templates/tmpfile-openldap-server.conf    |   1 +
 .../2022.03.08/openldap/templates/users.ldif  |  41 +++--
 .../openldap/templates/users_mod.ldif         |   4 +-
 .../peertube/dictionaries/30_peertube.xml     |   4 +-
 .../piwigo/dictionaries/31_piwigo.xml         |   3 +-
 .../pleroma/dictionaries/30_pleroma.xml       |   4 +-
 .../postfix-relay/dictionaries/30_postfix.xml |  11 +-
 .../postfix-relay/templates/ca_MailServer.crt |   2 +-
 .../postfix-relay/templates/postfix.crt       |   2 +-
 .../postfix-relay/templates/postfix.key       |   2 +-
 .../2022.03.08/postfix-relay/templates/sni    |   2 +-
 .../postfix-relay/templates/sni.pem           |   6 +-
 .../templates/ca_PostgreSQL.crt               |   2 +-
 .../templates/postgresql.crt                  |   2 +-
 .../templates/postgresql.key                  |   2 +-
 .../templates/postgresqlclient.service        |   4 +-
 .../postgresql/templates/ca_PostgreSQL.crt    |   2 +-
 .../postgresql/templates/postgresql.crt       |   2 +-
 .../postgresql/templates/postgresql.key       |   2 +-
 .../dictionaries/10-machined.xml              |   7 +
 .../{21-machined.xml => 16-machined.xml}      |  18 +-
 .../extras/machine/11_systemd.xml             |  13 ++
 .../redis-client/templates/ca_Redis.crt       |   2 +-
 .../redis-client/templates/redis.crt          |   2 +-
 .../redis-client/templates/redis.key          |   2 +-
 .../redis-client/templates/redis.pem          |   6 +-
 .../redis/extras/account/00_account.xml       |   3 +-
 .../2022.03.08/redis/templates/ca_Redis.crt   |   2 +-
 .../2022.03.08/redis/templates/redis.crt      |   2 +-
 .../2022.03.08/redis/templates/redis.key      |   2 +-
 .../templates/ca_MailRelay.crt                |   2 +-
 .../templates/ca_InternalReverseProxy.crt     |   2 +-
 .../templates/revprox.crt                     |   4 +-
 .../templates/revprox.key                     |   2 +-
 .../roundcube/dictionaries/31_roundcube.xml   |  37 +++-
 .../2022.03.08/roundcube/funcs/roundcube.py   |  10 ++
 .../roundcube/templates/ca_MailServer.crt     |   2 +-
 .../roundcube/templates/config.inc.php        |   5 +-
 .../roundcube/templates/domain.inc.php        |  11 +-
 .../server/extras/accounts/00_accounts.xml    |   3 +-
 .../{00-systemd.xml => 15-systemd.xml}        |  19 ++-
 .../unbound/dictionaries/20_unbound.xml       |   2 +-
 .../2022.03.08/unbound/templates/risotto.conf |   4 +-
 .../dictionaries/40_vaultwarden.xml           |   7 +-
 .../templates/vaultwarden_config.env          |   1 +
 118 files changed, 673 insertions(+), 519 deletions(-)
 delete mode 100644 seed/applicationservice/2022.03.08/base-debian/dictionaries/00-debian-base.xml
 create mode 100644 seed/applicationservice/2022.03.08/base-debian/dictionaries/11-debian-base.xml
 create mode 100644 seed/applicationservice/2022.03.08/base-debian/dictionaries/17-debian-base.xml
 delete mode 100644 seed/applicationservice/2022.03.08/base-fedora-35/dictionaries/00-fedora-35.xml
 create mode 100644 seed/applicationservice/2022.03.08/base-fedora-35/dictionaries/11-fedora-35.xml
 delete mode 100644 seed/applicationservice/2022.03.08/base-fedora-36/dictionaries/00-fedora-version.xml
 create mode 100644 seed/applicationservice/2022.03.08/base-fedora-36/dictionaries/11-fedora-version.xml
 delete mode 100644 seed/applicationservice/2022.03.08/base-fedora/dictionaries/00-fedora-base.xml
 create mode 100644 seed/applicationservice/2022.03.08/base-fedora/dictionaries/11-fedora-base.xml
 create mode 100644 seed/applicationservice/2022.03.08/base-fedora/dictionaries/17-fedora-base.xml
 rename seed/applicationservice/2022.03.08/base/dictionaries/{00-base.xml => 12-base.xml} (58%)
 delete mode 100644 seed/applicationservice/2022.03.08/ldap-client-debian/dictionaries/20_ldap-client-debian.xml
 create mode 100644 seed/applicationservice/2022.03.08/ldap-client-debian/dictionaries/22_ldap-client-debian.xml
 delete mode 100644 seed/applicationservice/2022.03.08/ldap-client-fedora/dictionaries/20_ldap-client-fedora.xml
 create mode 100644 seed/applicationservice/2022.03.08/ldap-client-fedora/dictionaries/22_ldap-client-fedora.xml
 create mode 100644 seed/applicationservice/2022.03.08/provider-systemd-machined/dictionaries/10-machined.xml
 rename seed/applicationservice/2022.03.08/provider-systemd-machined/dictionaries/{21-machined.xml => 16-machined.xml} (83%)
 create mode 100644 seed/applicationservice/2022.03.08/provider-systemd-machined/extras/machine/11_systemd.xml
 create mode 100644 seed/applicationservice/2022.03.08/roundcube/funcs/roundcube.py
 rename seed/applicationservice/2022.03.08/systemd/dictionaries/{00-systemd.xml => 15-systemd.xml} (78%)

diff --git a/seed/applicationservice/2022.03.08/apache/dictionaries/20_web.xml b/seed/applicationservice/2022.03.08/apache/dictionaries/20_web.xml
index 0b6dcf80..eaa7ee23 100644
--- a/seed/applicationservice/2022.03.08/apache/dictionaries/20_web.xml
+++ b/seed/applicationservice/2022.03.08/apache/dictionaries/20_web.xml
@@ -31,6 +31,7 @@
     <fill name="get_chain">
       <param name="authority_cn" type="variable">revprox_client_server_domainname</param>
       <param name="authority_name">InternalReverseProxy</param>
+      <param name="hide" type="variable">hide_secret</param>
       <target>server_ca</target>
     </fill>
   </constraints>
diff --git a/seed/applicationservice/2022.03.08/apache/templates/server.crt b/seed/applicationservice/2022.03.08/apache/templates/server.crt
index 36e5562b..da844246 100644
--- a/seed/applicationservice/2022.03.08/apache/templates/server.crt
+++ b/seed/applicationservice/2022.03.08/apache/templates/server.crt
@@ -1 +1 @@
-%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name="InternalReverseProxy")
+%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name="InternalReverseProxy", hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/apache/templates/server.key b/seed/applicationservice/2022.03.08/apache/templates/server.key
index 53e9ce02..e8593618 100644
--- a/seed/applicationservice/2022.03.08/apache/templates/server.key
+++ b/seed/applicationservice/2022.03.08/apache/templates/server.key
@@ -1 +1 @@
-%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name="InternalReverseProxy")
+%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name="InternalReverseProxy", hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/base-debian-bullseye/dictionaries/00-debian-bullseye.xml b/seed/applicationservice/2022.03.08/base-debian-bullseye/dictionaries/00-debian-bullseye.xml
index 3a16d808..a5dd7cf8 100644
--- a/seed/applicationservice/2022.03.08/base-debian-bullseye/dictionaries/00-debian-bullseye.xml
+++ b/seed/applicationservice/2022.03.08/base-debian-bullseye/dictionaries/00-debian-bullseye.xml
@@ -6,10 +6,8 @@
     </service>
   </services>
   <variables>
-    <family name="general">
-      <variable name="os_version" type="string" description="OS Version" hidden="True">
-        <value>bullseye</value>
-      </variable>
-    </family>
+    <variable name="os_version" type="string" description="Version de l'OS" hidden="True">
+      <value>bullseye</value>
+    </variable>
   </variables>
 </rougail>
diff --git a/seed/applicationservice/2022.03.08/base-debian/dictionaries/00-debian-base.xml b/seed/applicationservice/2022.03.08/base-debian/dictionaries/00-debian-base.xml
deleted file mode 100644
index 2c6876f6..00000000
--- a/seed/applicationservice/2022.03.08/base-debian/dictionaries/00-debian-base.xml
+++ /dev/null
@@ -1,26 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<rougail version="0.10">
-  <services>
-    <service name="debian" manage="False">
-      <file engine="none" source="tmpfile-tmp.conf">/tmpfiles.d/0tmp.conf</file>
-      <file engine="none">/etc/default/locale</file>
-    </service>
-    <service name="update-ca-certificates" engine="creole" target="multi-user"/>
-  </services>
-  <variables>
-    <family name="general">
-      <variable name="os_name" type="string" description="OS name" hidden="True">
-        <value>Debian</value>
-      </variable>
-      <variable name="tls_ca_directory" type="filename" description="Directory where CA are stored" hidden="True">
-        <value>/etc/ssl-localca</value>
-      </variable>
-      <variable name="tls_cert_directory" type="filename" description="Directory where certificates are stored" hidden="True">
-        <value>/etc/ssl/certs</value>
-      </variable>
-      <variable name="tls_key_directory" type="filename" description="Directory where private keys are stored" hidden="True">
-        <value>/etc/ssl/private</value>
-      </variable>
-    </family>
-  </variables>
-</rougail>
diff --git a/seed/applicationservice/2022.03.08/base-debian/dictionaries/11-debian-base.xml b/seed/applicationservice/2022.03.08/base-debian/dictionaries/11-debian-base.xml
new file mode 100644
index 00000000..03d4922b
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-debian/dictionaries/11-debian-base.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rougail version="0.10">
+  <services>
+    <service name="debian" manage="False">
+      <file engine="none" source="tmpfile-tmp.conf">/tmpfiles.d/0tmp.conf</file>
+      <file engine="none">/etc/default/locale</file>
+    </service>
+  </services>
+  <variables>
+    <variable name="os_name" type="string" description="Nom de l'OS" hidden="True">
+      <value>Debian</value>
+    </variable>
+  </variables>
+</rougail>
+
diff --git a/seed/applicationservice/2022.03.08/base-debian/dictionaries/17-debian-base.xml b/seed/applicationservice/2022.03.08/base-debian/dictionaries/17-debian-base.xml
new file mode 100644
index 00000000..b17a9da7
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-debian/dictionaries/17-debian-base.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rougail version="0.10">
+  <services>
+    <service name="update-ca-certificates" engine="creole" target="multi-user"/>
+  </services>
+  <variables>
+    <variable name="tls_ca_directory" type="filename" description="Répertoire des autorités de certification" hidden="True">
+      <value>/etc/ssl-localca</value>
+    </variable>
+    <variable name="tls_cert_directory" type="filename" description="Répertoire des certificats" hidden="True">
+      <value>/etc/ssl/certs</value>
+    </variable>
+    <variable name="tls_key_directory" type="filename" description="Répertoire des clefs privés" hidden="True">
+      <value>/etc/ssl/private</value>
+    </variable>
+  </variables>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/base-fedora-35/dictionaries/00-fedora-35.xml b/seed/applicationservice/2022.03.08/base-fedora-35/dictionaries/00-fedora-35.xml
deleted file mode 100644
index 038e8cb9..00000000
--- a/seed/applicationservice/2022.03.08/base-fedora-35/dictionaries/00-fedora-35.xml
+++ /dev/null
@@ -1,10 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<rougail version="0.10">
-  <variables>
-    <family name="general">
-      <variable name="os_version" type="string" description="OS Version" hidden="True">
-        <value>35</value>
-      </variable>
-    </family>
-  </variables>
-</rougail>
diff --git a/seed/applicationservice/2022.03.08/base-fedora-35/dictionaries/11-fedora-35.xml b/seed/applicationservice/2022.03.08/base-fedora-35/dictionaries/11-fedora-35.xml
new file mode 100644
index 00000000..ef17a8e5
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-fedora-35/dictionaries/11-fedora-35.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rougail version="0.10">
+  <variables>
+    <variable name="os_version" type="string" description="Version de l'OS" hidden="True">
+      <value>35</value>
+    </variable>
+  </variables>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/base-fedora-36/dictionaries/00-fedora-version.xml b/seed/applicationservice/2022.03.08/base-fedora-36/dictionaries/00-fedora-version.xml
deleted file mode 100644
index 2d7cea1a..00000000
--- a/seed/applicationservice/2022.03.08/base-fedora-36/dictionaries/00-fedora-version.xml
+++ /dev/null
@@ -1,10 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<rougail version="0.10">
-  <variables>
-    <family name="general">
-      <variable name="os_version" type="string" description="OS Version" hidden="True">
-        <value>36</value>
-      </variable>
-    </family>
-  </variables>
-</rougail>
diff --git a/seed/applicationservice/2022.03.08/base-fedora-36/dictionaries/11-fedora-version.xml b/seed/applicationservice/2022.03.08/base-fedora-36/dictionaries/11-fedora-version.xml
new file mode 100644
index 00000000..9e1b8cb0
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-fedora-36/dictionaries/11-fedora-version.xml
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rougail version="0.10">
+  <variables>
+    <variable name="os_version" type="string" description="Version de l'OS" hidden="True">
+      <value>36</value>
+    </variable>
+  </variables>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/base-fedora/dictionaries/00-fedora-base.xml b/seed/applicationservice/2022.03.08/base-fedora/dictionaries/00-fedora-base.xml
deleted file mode 100644
index 7da1647b..00000000
--- a/seed/applicationservice/2022.03.08/base-fedora/dictionaries/00-fedora-base.xml
+++ /dev/null
@@ -1,25 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<rougail version="0.10">
-  <services>
-    <service name="update-ca-trust" engine="creole" target="multi-user"/>
-    <service name="fedora-base" manage="False">
-      <file engine="none">/tmpfiles.d/fedora.conf</file>
-    </service>
-  </services>
-  <variables>
-    <family name="general">
-      <variable name="os_name" type="string" description="OS name" hidden="True">
-        <value>Fedora</value>
-      </variable>
-      <variable name="tls_ca_directory" type="filename" description="Directory where CA are stored" hidden="True">
-        <value>/etc/pki/ca-trust/source/anchors</value>
-      </variable>
-      <variable name="tls_cert_directory" type="filename" description="Directory where certificates are stored" hidden="True">
-        <value>/etc/pki/tls/certs</value>
-      </variable>
-      <variable name="tls_key_directory" type="filename" description="Directory where private keys are stored" hidden="True">
-        <value>/etc/pki/tls/private</value>
-      </variable>
-    </family>
-  </variables>
-</rougail>
diff --git a/seed/applicationservice/2022.03.08/base-fedora/dictionaries/11-fedora-base.xml b/seed/applicationservice/2022.03.08/base-fedora/dictionaries/11-fedora-base.xml
new file mode 100644
index 00000000..fe122088
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-fedora/dictionaries/11-fedora-base.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rougail version="0.10">
+  <services>
+    <service name="fedora-base" manage="False">
+      <file engine="none">/tmpfiles.d/fedora.conf</file>
+    </service>
+  </services>
+  <variables>
+    <variable name="os_name" type="string" description="Nom de l'OS" hidden="True">
+      <value>Fedora</value>
+    </variable>
+  </variables>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/base-fedora/dictionaries/17-fedora-base.xml b/seed/applicationservice/2022.03.08/base-fedora/dictionaries/17-fedora-base.xml
new file mode 100644
index 00000000..09f1c24c
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-fedora/dictionaries/17-fedora-base.xml
@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rougail version="0.10">
+  <services>
+    <service name="update-ca-trust" engine="creole" target="multi-user"/>
+  </services>
+  <variables>
+    <variable name="tls_ca_directory" type="filename" description="Nom du répertoire des autorités de certification" hidden="True">
+      <value>/etc/pki/ca-trust/source/anchors</value>
+    </variable>
+    <variable name="tls_cert_directory" type="filename" description="Nom du répertoire des certificats" hidden="True">
+      <value>/etc/pki/tls/certs</value>
+    </variable>
+    <variable name="tls_key_directory" type="filename" description="Nom du répertoire des clefs privés" hidden="True">
+      <value>/etc/pki/tls/private</value>
+    </variable>
+  </variables>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/base/dictionaries/00-base.xml b/seed/applicationservice/2022.03.08/base/dictionaries/12-base.xml
similarity index 58%
rename from seed/applicationservice/2022.03.08/base/dictionaries/00-base.xml
rename to seed/applicationservice/2022.03.08/base/dictionaries/12-base.xml
index a8e25115..ba360184 100644
--- a/seed/applicationservice/2022.03.08/base/dictionaries/00-base.xml
+++ b/seed/applicationservice/2022.03.08/base/dictionaries/12-base.xml
@@ -6,24 +6,21 @@
     </service>
   </services>
   <variables>
-    <family name='general' description="Général">
+    <variable name="hide_secret" type="boolean" description="Les secrets sont obscurcis" mode="expert" help="Obscurcir les secrets peut permettre de générer des configurations diffusable sans problème de confidentialité ou pour comparer deux configurations générés à des moments différents">
+      <value>False</value>
+    </variable>
+    <family name="network" description="Réseau">
       <variable name="zones_list" type="string" multi="True" description="Liste de toutes les zones" hidden="True"/>
-      <variable name="number_of_interfaces" type="number" description="Nombre d'interface disponible" hidden="True"/>
-      <variable name="interfaces_list" type="number" multi="True" description="Liste de toutes les interfaces" hidden="True"/>
-      <variable name="server_deployed" type="boolean" description="Le serveur est déployé" hidden="True">
-        <value>False</value>
-      </variable>
-    </family>
-    <family name="dns" description="DNS">
-      <variable name="dns_client_address" type="domainname" description="Nom de domaine du serveur SMTP"/>
-      <variable name="ip_dns" type="ip" description="The DNS server" hidden="True"/>
-    </family>
-    <family name="interface_" description="Interface " dynamic="interfaces_list">
-      <variable name="zone_name_eth" type="string" description="Zone name for interface " hidden="True"/>
-      <variable name="ip_eth" type="ip" description="Adresse IP pour l'interface " hidden="True" provider="ip"/>
-      <variable name="network_eth" type="network_cidr" description="The zone network for interface " hidden="True"/>
-      <variable name="gateway_eth" type="ip" description="The zone gateway for interface "/>
-      <variable name="domain_name_eth" type="domainname" description="Nom de domaine pour l'interface " mandatory="True" hidden="True"/>
+      <variable name="interfaces_list" type="number" multi="True" description="Liste de tous les numéros d'interfaces" hidden="True"/>
+      <variable name="dns_client_address" type="domainname" description="Nom de domaine du serveur DNS"/>
+      <variable name="ip_dns" type="ip" description="Adresse IP du serveur DNS" hidden="True"/>
+      <family name="interface_" description="Interface " dynamic="interfaces_list">
+        <variable name="zone_name_eth" type="string" description="Nom de la zone de l'interface " hidden="True"/>
+        <variable name="ip_eth" type="ip" description="Adresse IP pour l'interface " hidden="True" provider="ip"/>
+        <variable name="network_eth" type="network_cidr" description="Réseau de l'interface " hidden="True"/>
+        <variable name="gateway_eth" type="ip" description="La route de l'interface "/>
+        <variable name="domain_name_eth" type="domainname" description="Nom de domaine pour l'interface " mandatory="True" hidden="True"/>
+      </family>
     </family>
   </variables>
   <constraints>
@@ -34,16 +31,12 @@
       <param name="linked_returns">ip</param>
       <target>ip_dns</target>
     </fill>
-    <fill name="get_number_of_interfaces">
-      <param type="information">zones_name</param>
-      <target>number_of_interfaces</target>
-    </fill>
     <fill name="calc_value">
       <param type="information">zones_name</param>
       <target>zones_list</target>
     </fill>
     <fill name="get_range">
-      <param type="variable">number_of_interfaces</param>
+      <param type="information">zones_name</param>
       <target>interfaces_list</target>
     </fill>
     <fill name="get_ip">
@@ -75,10 +68,6 @@
       <param name="index" type="suffix"/>
       <target>gateway_eth</target>
     </fill>
-    <check name="valid_entier">
-      <param name="mini" type="number">1</param>
-      <target>number_of_interfaces</target>
-    </check>
   </constraints>
 </rougail>
 
diff --git a/seed/applicationservice/2022.03.08/base/funcs/funcs.py b/seed/applicationservice/2022.03.08/base/funcs/funcs.py
index 8792841f..c9deac13 100644
--- a/seed/applicationservice/2022.03.08/base/funcs/funcs.py
+++ b/seed/applicationservice/2022.03.08/base/funcs/funcs.py
@@ -1,4 +1,5 @@
 import __main__
+from typing import List
 from secrets import token_urlsafe as _token_urlsafe, token_hex as _token_hex
 from string import ascii_letters as _ascii_letters
 from random import choice as _choice
@@ -6,6 +7,9 @@ from os.path import dirname as _dirname, abspath as _abspath, join as _join, isf
 from os import makedirs as _makedirs
 
 
+from risotto.utils import load_domains, DOMAINS
+
+
 _HERE = _dirname(_abspath(__main__.__file__))
 _PASSWORD_DIR = _join(_HERE, 'password')
 
@@ -14,9 +18,12 @@ def get_password(server_name: str,
                  username: str,
                  description: str,
                  type: str,
+                 hide: bool,
                  length: int=20,
                  temporary: bool=True,
                  ) -> str:
+    if hide:
+        return "XXXXX"
     def gen_password():
         return _token_urlsafe(length)[:length]
     return _set_password(server_name,
@@ -32,8 +39,11 @@ def get_password_alpha_num(server_name,
                            username: str,
                            description: str,
                            length,
+                           hide: bool,
                            starts_with_char=False,
                            ):
+    if hide:
+        return "XXXXX"
     def gen_password():
         password = _token_hex()
         if starts_with_char:
@@ -72,14 +82,8 @@ def _set_password(server_name: str,
         return file_content
 
 
-def get_range(stop):
-    return list(range(stop))
-
-
-def get_number_of_interfaces(zones):
-    if zones is None:
-        return 1
-    return len(zones)
+def get_range(lst):
+    return list(range(max(1, len(lst))))
 
 
 def get_zone_name(zones: list,
@@ -97,3 +101,13 @@ def get_domain_name(server_name: str,
     if index == 0:
         return server_name
     return extra_domainnames[index - 1]
+
+
+def get_ip(server_name: str,
+           zones_name: List[str],
+           index: str,
+           ) -> str:
+    load_domains()
+    host_name, domain_name = server_name.split('.', 1)
+    domain = DOMAINS[domain_name]
+    return domain[1][domain[0].index(host_name)]
diff --git a/seed/applicationservice/2022.03.08/base/manual/install/diff.py b/seed/applicationservice/2022.03.08/base/manual/install/diff.py
index f5780f60..ef9c1a92 100755
--- a/seed/applicationservice/2022.03.08/base/manual/install/diff.py
+++ b/seed/applicationservice/2022.03.08/base/manual/install/diff.py
@@ -11,6 +11,8 @@ from datetime import datetime, timezone
 os_name = argv[1]
 OLD_DIR = argv[2]
 NEW_DIR = argv[3]
+WEBSITE = len(argv) != 5
+
 FILES = []
 def diff_files(dcmp):
     for name in dcmp.diff_files:
@@ -25,7 +27,8 @@ diff_files(dcmp)
 date = datetime.now(timezone.utc).isoformat()
 title = f"Nouvelle version de la configuration de {os_name}"
 subtitle = f"Différence entre les fichiers de configuration de {os_name}"
-print(f"""+++
+if WEBSITE:
+    print(f"""+++
 title = "{title}"
 description = "{subtitle}"
 date = {date}
@@ -41,7 +44,15 @@ lead = "{subtitle}."
 type = "installe"
 +++
 """)
+    TITLE = True
+else:
+    TITLE = False
 for filename in FILES:
+    if not TITLE:
+        print(title)
+        print("=" * len(title))
+        print()
+        TITLE = True
     print(f'- mise à jour du fichier {filename} :\n')
     try:
         with open(join(OLD_DIR, filename[1:]), 'r') as ori:
@@ -51,7 +62,9 @@ for filename in FILES:
     except UnicodeDecodeError:
         print('fichier binaire')
     else:
-        print('```diff')
+        if WEBSITE:
+            print('```diff')
         for line in unified_diff(ori_content, new_content, fromfile=filename, tofile=filename):
             print(line.rstrip())
-        print('```')
+        if WEBSITE:
+            print('```')
diff --git a/seed/applicationservice/2022.03.08/dovecot/dictionaries/22_dovecot.xml b/seed/applicationservice/2022.03.08/dovecot/dictionaries/22_dovecot.xml
index 3383139c..fff7eca5 100644
--- a/seed/applicationservice/2022.03.08/dovecot/dictionaries/22_dovecot.xml
+++ b/seed/applicationservice/2022.03.08/dovecot/dictionaries/22_dovecot.xml
@@ -50,17 +50,24 @@
     </service>
   </services>
   <variables>
-    <variable name="external_ports" redefine="True">
-      <value>587</value>
-      <value>993</value>
-    </variable>
+    <family name="network">
+      <variable name="external_ports" redefine="True">
+        <value>587</value>
+        <value>993</value>
+      </variable>
+    </family>
     <family name="annuaire">
-      <variable name="ldap_key_file_owner" redefine="True">
-        <value>dovecot</value>
-      </variable>
-      <variable name="ldap_key_file_group" redefine="True">
-        <value>postfix</value>
-      </variable>
+      <family name="client">
+        <variable name='ldapclient_family' redefine="True">
+          <value>all</value>
+        </variable>
+        <variable name="ldap_key_file_owner" redefine="True">
+          <value>dovecot</value>
+        </variable>
+        <variable name="ldap_key_file_group" redefine="True">
+          <value>postfix</value>
+        </variable>
+      </family>
     </family>
     <family name="mail" description="Mail domain" leadership="True">
       <variable name="mail_domains" type="domainname" description="Domaine de courriel géré localement" mandatory="True" multi="True"/>
@@ -187,12 +194,5 @@
       <param type="variable">mail_domains</param>
       <target>well_knowns</target>
     </fill>
-    <check name="set_linked_configuration">
-      <param name="linked_value">all</param>
-      <param name="linked_server" type="variable">ldap_server_address</param>
-      <param name="linked_provider">client_family</param>
-      <param name="dynamic" type="variable">domain_name_eth0</param>
-      <target>mail_domains_calc</target>
-    </check>
   </constraints>
 </rougail>
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/ca_IMAPServer.crt b/seed/applicationservice/2022.03.08/dovecot/templates/ca_IMAPServer.crt
index deacd1ec..d0097871 100644
--- a/seed/applicationservice/2022.03.08/dovecot/templates/ca_IMAPServer.crt
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/ca_IMAPServer.crt
@@ -1 +1 @@
-%%get_chain(%%domain_name_eth0, "IMAPServer")
+%%get_chain(%%domain_name_eth0, "IMAPServer", hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/ca_MailServer.crt b/seed/applicationservice/2022.03.08/dovecot/templates/ca_MailServer.crt
index 10f316a5..7b251cee 100644
--- a/seed/applicationservice/2022.03.08/dovecot/templates/ca_MailServer.crt
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/ca_MailServer.crt
@@ -1 +1 @@
-%%get_chain(%%domain_name_eth0, "MailServer")
+%%get_chain(%%domain_name_eth0, "MailServer", hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/dovecot-ldap.conf.ext b/seed/applicationservice/2022.03.08/dovecot/templates/dovecot-ldap.conf.ext
index 1bdb6c45..4e3bf82d 100644
--- a/seed/applicationservice/2022.03.08/dovecot/templates/dovecot-ldap.conf.ext
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/dovecot-ldap.conf.ext
@@ -34,8 +34,8 @@ uris = ldaps://%%ldap_server_address
 # Password for LDAP server, if dn is specified.
 #dnpass = 
 #>GNUNUX
-dn = %%ldapclient_remote_user
-dnpass = %%ldapclient_remote_user_password
+dn = %%ldapclient_user
+dnpass = %%ldapclient_user_password
 #<GNUNUX
 
 # Use SASL binding instead of the simple binding. Note that this changes
@@ -107,7 +107,7 @@ auth_bind = yes
 # LDAP base. %variables can be used here.
 # For example: dc=mail, dc=example, dc=org
 # GNUNUX base =
-base = %%calc_ldapclient_base_dn(%%ldap_base_dn, None, accounts=True)
+base = %%ldapclient_base_dn
 
 # Dereference: never, searching, finding, always
 #deref = never
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/dovecot.crt b/seed/applicationservice/2022.03.08/dovecot/templates/dovecot.crt
index 4eae295d..60f06838 100644
--- a/seed/applicationservice/2022.03.08/dovecot/templates/dovecot.crt
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/dovecot.crt
@@ -1,5 +1,8 @@
 %set %%extra_domainnames = []
-%for %%idx in %%range(1, %%number_of_interfaces)
+%for %%idx in %%range(%%len(%%zones_list))
+  %if not idx
+    %continue
+  %end if
   %%extra_domainnames.append(%%getVar('domain_name_eth' + %%str(%%idx)))
 %end for
-%%get_certificate(%%domain_name_eth0, 'IMAPServer', extra_domainnames=%%extra_domainnames)
+%%get_certificate(%%domain_name_eth0, 'IMAPServer', extra_domainnames=%%extra_domainnames, hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/dovecot.key b/seed/applicationservice/2022.03.08/dovecot/templates/dovecot.key
index f224c583..3cbe873c 100644
--- a/seed/applicationservice/2022.03.08/dovecot/templates/dovecot.key
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/dovecot.key
@@ -1 +1 @@
-%%get_private_key(%%domain_name_eth0, 'IMAPServer')
+%%get_private_key(cn=%%domain_name_eth0, authority_name='IMAPServer', hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/external_imap.crt b/seed/applicationservice/2022.03.08/dovecot/templates/external_imap.crt
index ddfa2967..58eb3550 100644
--- a/seed/applicationservice/2022.03.08/dovecot/templates/external_imap.crt
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/external_imap.crt
@@ -1,2 +1,2 @@
-%%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External')
+%%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)
 
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/external_imap.key b/seed/applicationservice/2022.03.08/dovecot/templates/external_imap.key
index 1662468a..1c195f41 100644
--- a/seed/applicationservice/2022.03.08/dovecot/templates/external_imap.key
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/external_imap.key
@@ -1 +1 @@
-%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External')
+%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/ldapsource.cf b/seed/applicationservice/2022.03.08/dovecot/templates/ldapsource.cf
index 33a19882..56068014 100644
--- a/seed/applicationservice/2022.03.08/dovecot/templates/ldapsource.cf
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/ldapsource.cf
@@ -6,8 +6,8 @@ tls_ca_cert_file = %%ldap_ca_file
 tls_require_cert = yes
 version = 3
 bind = yes
-bind_dn = %%ldapclient_remote_user
-bind_pw = %%ldapclient_remote_user_password
-search_base = %%calc_ldapclient_base_dn(%%ldap_base_dn, None, accounts=True)
+bind_dn = %%ldapclient_user
+bind_pw = %%ldapclient_user_password
+search_base = %%ldapclient_base_dn
 query_filter = (mailLocalAddress=%s)
 result_attribute = cn
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/postfix.crt b/seed/applicationservice/2022.03.08/dovecot/templates/postfix.crt
index d247a0a3..d19137f0 100644
--- a/seed/applicationservice/2022.03.08/dovecot/templates/postfix.crt
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/postfix.crt
@@ -1,5 +1,8 @@
 %set %%extra_domainnames = []
-%for %%idx in %%range(1, %%number_of_interfaces)
+%for %%idx in %%range(%%len(%%zones_list))
+  %if not %%idx
+    %continue
+  %end if
   %%extra_domainnames.append(%%getVar('domain_name_eth' + %%str(%%idx)))
 %end for
-%%get_certificate(%%domain_name_eth0, "MailServer", extra_domainnames=%%extra_domainnames)
+%%get_certificate(%%domain_name_eth0, "MailServer", extra_domainnames=%%extra_domainnames, hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/postfix.key b/seed/applicationservice/2022.03.08/dovecot/templates/postfix.key
index 4febac3f..716da9ca 100644
--- a/seed/applicationservice/2022.03.08/dovecot/templates/postfix.key
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/postfix.key
@@ -1 +1 @@
-%%get_private_key(%%domain_name_eth0, 'MailServer')
+%%get_private_key(cn=%%domain_name_eth0, authority_name='MailServer', hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/postfix.pem b/seed/applicationservice/2022.03.08/dovecot/templates/postfix.pem
index f7f70610..898b738b 100644
--- a/seed/applicationservice/2022.03.08/dovecot/templates/postfix.pem
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/postfix.pem
@@ -1,2 +1,2 @@
-%%get_private_key(%%domain_name_eth0, 'MailServer')
-%%get_certificate(%%domain_name_eth0, "MailServer")
+%%get_private_key(cn=%%domain_name_eth0, authority_name='MailServer', hide=%%hide_secret)
+%%get_certificate(cn=%%domain_name_eth0, authority_name="MailServer", hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/postfix_sni.pem b/seed/applicationservice/2022.03.08/dovecot/templates/postfix_sni.pem
index 918a89bb..7e5f2193 100644
--- a/seed/applicationservice/2022.03.08/dovecot/templates/postfix_sni.pem
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/postfix_sni.pem
@@ -1,3 +1,3 @@
-%set %%cert = %%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External')
-%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External')
+%set %%cert = %%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)
+%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)
 %%cert
diff --git a/seed/applicationservice/2022.03.08/gitea/dictionaries/31_gitea.xml b/seed/applicationservice/2022.03.08/gitea/dictionaries/31_gitea.xml
index 90c88257..2a22d6ee 100644
--- a/seed/applicationservice/2022.03.08/gitea/dictionaries/31_gitea.xml
+++ b/seed/applicationservice/2022.03.08/gitea/dictionaries/31_gitea.xml
@@ -9,9 +9,11 @@
     </service>
   </services>
   <variables>
-    <variable name="external_ports" redefine="True">
-      <value>2222</value>
-    </variable>
+    <family name="network">
+      <variable name="external_ports" redefine="True">
+        <value>2222</value>
+      </variable>
+    </family>
     <family name="gitea" description="Gitea" help="Git forge Gitea">
       <variable name="gitea_title" mandatory="True" description="Titre de la forge">
         <value>Gitea: Git avec une tasse de thé</value>
@@ -54,7 +56,9 @@
       <variable name="oauth2_client_token_signature_algo" redefine="True">
         <value>RS256</value>
       </variable>
-      <variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
+      <family name="external">
+        <variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
+      </family>
     </family>
   </variables>
   <constraints>
@@ -63,6 +67,7 @@
       <param name="username">secret_key</param>
       <param name="description">gitea</param>
       <param name="type">cleartext</param>
+      <param name="hide" type="variable">hide_secret</param>
       <param name="length" type="number">105</param>
       <target>gitea_secret_key</target>
     </fill>
@@ -71,6 +76,7 @@
       <param name="username">internal_token</param>
       <param name="description">gitea</param>
       <param name="type">cleartext</param>
+      <param name="hide" type="variable">hide_secret</param>
       <param name="length" type="number">105</param>
       <target>gitea_internal_token</target>
     </fill>
@@ -79,6 +85,7 @@
       <param name="username">lfs_jwt_secret</param>
       <param name="description">gitea</param>
       <param name="type">cleartext</param>
+      <param name="hide" type="variable">hide_secret</param>
       <param name="length" type="number">43</param>
       <target>gitea_lfs_jwt_secret</target>
     </fill>
diff --git a/seed/applicationservice/2022.03.08/imap-client/templates/ca_IMAPServer.crt b/seed/applicationservice/2022.03.08/imap-client/templates/ca_IMAPServer.crt
index 9334b3a2..ed24ab89 100644
--- a/seed/applicationservice/2022.03.08/imap-client/templates/ca_IMAPServer.crt
+++ b/seed/applicationservice/2022.03.08/imap-client/templates/ca_IMAPServer.crt
@@ -1 +1 @@
-%%get_chain(%%imap_address, 'IMAPServer')
+%%get_chain(%%imap_address, 'IMAPServer', hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/ldap-client-debian/dictionaries/20_ldap-client-debian.xml b/seed/applicationservice/2022.03.08/ldap-client-debian/dictionaries/20_ldap-client-debian.xml
deleted file mode 100644
index c30b952e..00000000
--- a/seed/applicationservice/2022.03.08/ldap-client-debian/dictionaries/20_ldap-client-debian.xml
+++ /dev/null
@@ -1,11 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-
-<rougail version="0.10">
-  <variables>
-    <family name="annuaire">
-      <variable name="ldap_client_file" type="filename" description="LDAP client filename" hidden="True">
-        <value>/etc/ldap/ldap.conf</value>
-      </variable>
-    </family>
-  </variables>
-</rougail>
diff --git a/seed/applicationservice/2022.03.08/ldap-client-debian/dictionaries/22_ldap-client-debian.xml b/seed/applicationservice/2022.03.08/ldap-client-debian/dictionaries/22_ldap-client-debian.xml
new file mode 100644
index 00000000..85905435
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/ldap-client-debian/dictionaries/22_ldap-client-debian.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<rougail version="0.10">
+  <variables>
+    <family name="annuaire">
+      <family name="client">
+        <variable name="ldap_client_file" type="filename" description="Nom du fichier du client LDAP" hidden="True">
+          <value>/etc/ldap/ldap.conf</value>
+        </variable>
+      </family>
+    </family>
+  </variables>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/ldap-client-fedora/dictionaries/20_ldap-client-fedora.xml b/seed/applicationservice/2022.03.08/ldap-client-fedora/dictionaries/20_ldap-client-fedora.xml
deleted file mode 100644
index e0c77bb2..00000000
--- a/seed/applicationservice/2022.03.08/ldap-client-fedora/dictionaries/20_ldap-client-fedora.xml
+++ /dev/null
@@ -1,11 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-
-<rougail version="0.10">
-  <variables>
-    <family name="annuaire">
-      <variable name="ldap_client_file" type="filename" description="LDAP client filename" hidden="True">
-        <value>/etc/openldap/ldap.conf</value>
-      </variable>
-    </family>
-  </variables>
-</rougail>
diff --git a/seed/applicationservice/2022.03.08/ldap-client-fedora/dictionaries/22_ldap-client-fedora.xml b/seed/applicationservice/2022.03.08/ldap-client-fedora/dictionaries/22_ldap-client-fedora.xml
new file mode 100644
index 00000000..23e3d61b
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/ldap-client-fedora/dictionaries/22_ldap-client-fedora.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<rougail version="0.10">
+  <variables>
+    <family name="annuaire">
+      <family name="client">
+        <variable name="ldap_client_file" type="filename" description="Nom du fichier du client LDAP" hidden="True">
+          <value>/etc/openldap/ldap.conf</value>
+        </variable>
+      </family>
+    </family>
+  </variables>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/ldap-client/dictionaries/21_ldap-client.xml b/seed/applicationservice/2022.03.08/ldap-client/dictionaries/21_ldap-client.xml
index 6b962541..53eeddca 100644
--- a/seed/applicationservice/2022.03.08/ldap-client/dictionaries/21_ldap-client.xml
+++ b/seed/applicationservice/2022.03.08/ldap-client/dictionaries/21_ldap-client.xml
@@ -10,34 +10,34 @@
     </service>
   </services>
   <variables>
-    <family name="annuaire">
-      <variable name='ldap_server_address' type='domainname' description="Nom DNS du serveur LDAP" mandatory='True'/>
-      <variable name='ldapclient_family' type='unix_user' description="Nom de la famille LDAP"/>
-      <variable name='ldapclient_remote_user' type='string' description="DN de l'tilisateur distant" mandatory='True' hidden="True"/>
-      <variable name='ldapclient_remote_user_password' type='password' description="Mot de passe de l'utilisateur distant" mandatory='True' hidden="True"/>
-      <variable name='ldap_base_dn' type='string' description="Base DN de l'annuaire" mandatory="True" test="dc=test,o=fr"/>
-      <variable name='ldapclient_base_dn' type='string' description="Base DN de l'annuaire" mandatory="True"/>
-      <variable name='ldap_port' type='port' description='Port du serveur LDAP' mandatory='True' test="636"/>
-      <variable name="ldap_ca_file" type="filename" description="LDAP CA filename" hidden="True"/>
-      <variable name="ldap_cert_file" type="filename" description="LDAP certificate filename" hidden="True"/>
-      <variable name="ldap_key_file" type="filename" description="LDAP private key filename" hidden="True"/>
-      <variable name="ldap_key_file_owner" type="unix_user" description="LDAP private key file owner" hidden="True">
-        <value>root</value>
-      </variable>
-      <variable name="ldap_key_file_group" type="unix_user" description="LDAP private key file group" hidden="True">
-        <value>root</value>
-      </variable>
+    <family name="annuaire" description="Annuaire OpenLDAP">
+      <family name="server" description="Serveur">
+        <variable name='ldap_server_address' type='domainname' description="Nom DNS du serveur LDAP" mandatory='True'/>
+        <variable name='ldap_port' type='port' description='Port du serveur LDAP' hidden="True">
+          <value>636</value>
+        </variable>
+      </family>
+      <family name="client" description="Client">
+        <variable name='ldapclient_family' type='unix_user' description="Nom de la famille LDAP"/>
+        <variable name='ldapclient_user' type='string' description="DN de l'utilisateur LDAP" mandatory='False' hidden="True"/>
+        <variable name='ldapclient_user_password' type='password' description="Mot de passe de l'utilisateur LDAP" mandatory='True' hidden="True"/>
+        <variable name='ldapclient_base_dn' type='string' description="Base DN de l'annuaire des utilisateurs" mandatory="False"/>
+        <variable name="ldap_ca_file" type="filename" description="Fichier de l'autorité de certification LDAP" hidden="True"/>
+        <variable name="ldap_cert_file" type="filename" description="Fichier du certificate LDAP" hidden="True"/>
+        <variable name="ldap_key_file" type="filename" description="Fichier de la clef privée LDAP" hidden="True"/>
+        <variable name="ldap_key_file_owner" type="unix_user" description="Propriétaire du fichier de la clef privée LDAP" hidden="True">
+          <value>root</value>
+        </variable>
+        <variable name="ldap_key_file_group" type="unix_user" description="Groupe du fichier de la clef privée LDAP" hidden="True">
+          <value>root</value>
+        </variable>
+      </family>
     </family>
   </variables>
   <constraints>
     <check name='valid_base_dn'>
-      <target>ldap_base_dn</target>
-    </check>
-    <fill name="calc_ldapclient_base_dn">
-      <param type="variable">ldap_base_dn</param>
-      <param type="variable">ldapclient_family</param>
       <target>ldapclient_base_dn</target>
-    </fill>
+    </check>
     <fill name="calc_value">
       <param type="variable">tls_ca_directory</param>
       <param>ca_LDAP.crt</param>
@@ -56,35 +56,32 @@
       <param name="join">/</param>
       <target>ldap_key_file</target>
     </fill>
-    <fill name="set_linked">
-      <param name="linked_server" type="variable">ldap_server_address</param>
-      <param name="linked_provider">clients</param>
-      <param name="linked_value" type="variable">domain_name_eth0</param>
+    <fill name="set_linked_multi_variables">
+      <param type="variable">ldap_server_address</param>
+      <param name="linked_provider_0">clients</param>
+      <param name="linked_value_0" type="variable">domain_name_eth0</param>
+      <param name="linked_provider_1">client_family</param>
+      <param name="linked_value_1" type="variable">ldapclient_family</param>
+      <param name="allow_none_1" type="boolean">True</param>
       <param name="linked_returns">dn</param>
+      <target>ldapclient_user</target>
+    </fill>
+    <fill name="get_password">
+      <param name="server_name" type="variable">ldap_server_address</param>
+      <param name="username" type="variable">ldapclient_user</param>
+      <param name="description">remote account</param>
+      <param name="type">cleartext</param>
+      <param name="hide" type="variable">hide_secret</param>
+      <param name="temporary" type="boolean">True</param>
+      <target>ldapclient_user_password</target>
+    </fill>
+    <fill name="set_linked_multi_variables">
+      <param type="variable">ldap_server_address</param>
+      <param name="linked_provider_0">client_password</param>
+      <param name="linked_value_0" type="variable">ldapclient_user_password</param>
+      <param name="linked_returns">base_dn</param>
       <param name="dynamic" type="variable">domain_name_eth0</param>
-      <target>ldapclient_remote_user</target>
+      <target>ldapclient_base_dn</target>
     </fill>
-    <fill name="get_linked_configuration">
-      <param name="linked_server" type="variable">ldap_server_address</param>
-      <param name="linked_provider">client_password</param>
-      <param name="dynamic" type="variable">domain_name_eth0</param>
-      <target>ldapclient_remote_user_password</target>
-    </fill>
-    <fill name="get_linked_configuration">
-      <param name="linked_server" type="variable">ldap_server_address</param>
-      <param name="linked_provider">ldap_dn</param>
-      <target>ldap_base_dn</target>
-    </fill>
-    <fill name="get_linked_configuration">
-      <param name="linked_server" type="variable">ldap_server_address</param>
-      <param name="linked_provider">ldap_port</param>
-      <target>ldap_port</target>
-    </fill>
-    <check name="set_linked_configuration">
-      <param name="linked_server" type="variable">ldap_server_address</param>
-      <param name="linked_provider">client_family</param>
-      <param name="dynamic" type="variable">domain_name_eth0</param>
-      <target>ldapclient_family</target>
-    </check>
   </constraints>
 </rougail>
diff --git a/seed/applicationservice/2022.03.08/ldap-client/funcs/openldap_client.py b/seed/applicationservice/2022.03.08/ldap-client/funcs/openldap_client.py
index 830b1886..59789164 100644
--- a/seed/applicationservice/2022.03.08/ldap-client/funcs/openldap_client.py
+++ b/seed/applicationservice/2022.03.08/ldap-client/funcs/openldap_client.py
@@ -7,15 +7,24 @@ def valid_base_dn(base_dn: str) -> None:
 
 
 def calc_ldapclient_base_dn(ldap_base_dn: str,
-                            family_name: str,
-                            accounts: bool=False,
+                            family_name: str=None,
+                            base: bool=False,
+                            group: bool=False,
                             ) -> str:
-    base = f'ou=accounts,{ldap_base_dn}'
-    if accounts:
-        return base
+    if family_name == 'all':
+        family_name = None
+        base = True
+    if group:
+        return f'ou=groups,{ldap_base_dn}'
+    if not ldap_base_dn.startswith('ou=accounts,'):
+        base_name = f'ou=accounts,{ldap_base_dn}'
+    else:
+        base_name = ldap_base_dn
+    if base:
+        return base_name
     if not family_name:
-        return f'ou=users,{base}'
-    families = f'ou=families,{base}'
+        return f'ou=users,{base_name}'
+    base_name = f'ou=families,{base_name}'
     if family_name != '-':
-        return f'ou={family_name},{families}'
-    return families
+        base_name = f'ou={family_name},{base_name}'
+    return base_name
diff --git a/seed/applicationservice/2022.03.08/ldap-client/templates/ca_LDAP.crt b/seed/applicationservice/2022.03.08/ldap-client/templates/ca_LDAP.crt
index 86dff29e..d04f2f99 100644
--- a/seed/applicationservice/2022.03.08/ldap-client/templates/ca_LDAP.crt
+++ b/seed/applicationservice/2022.03.08/ldap-client/templates/ca_LDAP.crt
@@ -1 +1 @@
-%%get_chain(%%ldap_server_address, 'LDAP')
+%%get_chain(%%ldap_server_address, 'LDAP', hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/ldap-client/templates/ldap.conf b/seed/applicationservice/2022.03.08/ldap-client/templates/ldap.conf
index 0b20b64b..7c40a7f5 100644
--- a/seed/applicationservice/2022.03.08/ldap-client/templates/ldap.conf
+++ b/seed/applicationservice/2022.03.08/ldap-client/templates/ldap.conf
@@ -31,8 +31,8 @@ TLS_CACERT %%ldap_ca_file
 # Turning this off breaks GSSAPI used with krb5 when rdns = false
 SASL_NOCANON	on
 
-BINDDN %%ldapclient_remote_user
+BINDDN %%ldapclient_user
 TIMELIMIT 10
 NETWORK_TIMEOUT 10
 TIMEOUT 10
-BINDPW %%ldapclient_remote_user_password
+BINDPW %%ldapclient_user_password
diff --git a/seed/applicationservice/2022.03.08/ldap-client/templates/ldap_client.crt b/seed/applicationservice/2022.03.08/ldap-client/templates/ldap_client.crt
index 1b8dd519..bc9cf4fd 100644
--- a/seed/applicationservice/2022.03.08/ldap-client/templates/ldap_client.crt
+++ b/seed/applicationservice/2022.03.08/ldap-client/templates/ldap_client.crt
@@ -1 +1 @@
-%%get_certificate(cn=%%domain_name_eth0, authority_cn=%%ldap_server_address, authority_name='LDAP', type='client')
+%%get_certificate(cn=%%domain_name_eth0, authority_cn=%%ldap_server_address, authority_name='LDAP', type='client', hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/ldap-client/templates/ldap_client.key b/seed/applicationservice/2022.03.08/ldap-client/templates/ldap_client.key
index 65e88b1c..94134b17 100644
--- a/seed/applicationservice/2022.03.08/ldap-client/templates/ldap_client.key
+++ b/seed/applicationservice/2022.03.08/ldap-client/templates/ldap_client.key
@@ -1,4 +1,4 @@
-%set %%key = %%get_private_key(cn=%%domain_name_eth0, authority_cn=%%ldap_server_address, authority_name='LDAP', type='client')
+%set %%key = %%get_private_key(cn=%%domain_name_eth0, authority_cn=%%ldap_server_address, authority_name='LDAP', type='client', hide=%%hide_secret)
 %if not %%key
   %raise Exception('empty key')
 %end if
diff --git a/seed/applicationservice/2022.03.08/lemonldap/dictionaries/70_lemonldap_ng.xml b/seed/applicationservice/2022.03.08/lemonldap/dictionaries/70_lemonldap_ng.xml
index e73c0719..816e2aaa 100644
--- a/seed/applicationservice/2022.03.08/lemonldap/dictionaries/70_lemonldap_ng.xml
+++ b/seed/applicationservice/2022.03.08/lemonldap/dictionaries/70_lemonldap_ng.xml
@@ -28,14 +28,12 @@
       </variable>
       <variable name="lemon_mail_admin" type="mail" description="Courriel de l'administrateur" mandatory="True"/>
     </family>
+    <family name="annuaire">
+      <family name="client">
+        <variable name='ldapclient_family' redefine="True">
+          <value>all</value>
+        </variable>
+      </family>
+    </family>
   </variables>
-  <constraints>
-    <check name="set_linked_configuration">
-      <param name="linked_value">all</param>
-      <param name="linked_server" type="variable">ldap_server_address</param>
-      <param name="linked_provider">client_family</param>
-      <param name="dynamic" type="variable">domain_name_eth0</param>
-      <target>lemon_mail_admin</target>
-    </check>
-  </constraints>
 </rougail>
diff --git a/seed/applicationservice/2022.03.08/lemonldap/doc.md b/seed/applicationservice/2022.03.08/lemonldap/doc.md
index cef4967c..0cb05caa 100644
--- a/seed/applicationservice/2022.03.08/lemonldap/doc.md
+++ b/seed/applicationservice/2022.03.08/lemonldap/doc.md
@@ -7,6 +7,7 @@ Providers
 - oauth2_token_signature_algo : algorithme de la signature du jeton
 - oauth2_name : nom du service affiché à l'utilisateur
 - oauth2_description : description du service affiché à l'utilisateur
-- oauth2_external : adresse du service (de type https://domaine/location/) c'est une variable multiple, dans ce cas plusieurs lien peuvent être généré pour accéder à ce service (par exemple un pour les utilisateurs + un différent pour une famille)
+- oauth2_host : adresse du service (de type https://domaine/location/) c'est une variable multiple, dans ce cas plusieurs lien peuvent être généré pour accéder à ce service (par exemple un pour les utilisateurs + un différent pour une famille)
+- oauth2_family : famille autoriser à accéder
 - oauth2_logo : logo visible par l'utilisateur
 - oauth2_category : catégorie qui permet de classer le service
diff --git a/seed/applicationservice/2022.03.08/lemonldap/extras/oauth2/00_oauth2.xml b/seed/applicationservice/2022.03.08/lemonldap/extras/oauth2/00_oauth2.xml
index 56a6fec8..7c72c61d 100644
--- a/seed/applicationservice/2022.03.08/lemonldap/extras/oauth2/00_oauth2.xml
+++ b/seed/applicationservice/2022.03.08/lemonldap/extras/oauth2/00_oauth2.xml
@@ -8,7 +8,12 @@
       <variable name="description_" description="Remote description for" hidden="True" provider="oauth2_description"/>
       <variable name="category_" hidden="True" provider="oauth2_category"/>
       <variable name="login_" description="Remote URL to login" hidden="True" provider="oauth2_login"/>
-      <variable name="external_" description="Remote external for" hidden="True" provider="oauth2_external" multi="True"/>
+      <family name="external_" leadership="True">
+        <variable name="hosts_" description="Remote external for" provider="oauth2_external" multi="True"/>
+        <variable name="family_" hidden="True" provider="oauth2_family">
+          <value>users</value>
+        </variable>
+      </family>
       <variable name="logo_" hidden="True" provider="oauth2_logo"/>
       <variable name="token_signature_algo_" type="choice" description="OAuth2 token signature algorithm" mandatory='True' hidden="True" provider="oauth2_token_signature_algo">
         <choice>HS512</choice>
@@ -22,6 +27,7 @@
       <param name="username" type="suffix"/>
       <param name="description">remote</param>
       <param name="type">cleartext</param>
+      <param name="hide" type="variable">hide_secret</param>
       <target>oauth2.oauth2_.secret_</target>
     </fill>
   </constraints>
diff --git a/seed/applicationservice/2022.03.08/lemonldap/templates/lemonldap-ng-fastcgi-server.service b/seed/applicationservice/2022.03.08/lemonldap/templates/lemonldap-ng-fastcgi-server.service
index f4e66392..2b1add61 100644
--- a/seed/applicationservice/2022.03.08/lemonldap/templates/lemonldap-ng-fastcgi-server.service
+++ b/seed/applicationservice/2022.03.08/lemonldap/templates/lemonldap-ng-fastcgi-server.service
@@ -2,4 +2,5 @@
 After=nginx.service
 
 [Service]
+ExecStartPre=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/%%ldap_server_address/%%ldap_port; do sleep 1; done'
 ExecStartPost=-/usr/bin/timeout 10 bash -c 'while ! /usr/local/lib/sbin/interne_well_known.pl > /var/www/html/.well-known/openid-configuration; do sleep 5; done'
diff --git a/seed/applicationservice/2022.03.08/lemonldap/templates/lmConf-1.json b/seed/applicationservice/2022.03.08/lemonldap/templates/lmConf-1.json
index 0a4fac4d..832fe91c 100644
--- a/seed/applicationservice/2022.03.08/lemonldap/templates/lmConf-1.json
+++ b/seed/applicationservice/2022.03.08/lemonldap/templates/lmConf-1.json
@@ -8,12 +8,12 @@ commentStartToken = §
    "portalCustomCss": "risotto/risotto.css",
    "authentication" : "LDAP",
    "AuthLDAPFilter" : "(&(cn=$user)(objectClass=inetOrgPerson))",
-   "managerDn" : "%%ldapclient_remote_user",
-   "managerPassword" : "%%ldapclient_remote_user_password",
+   "managerDn" : "%%ldapclient_user",
+   "managerPassword" : "%%ldapclient_user_password",
    "ldapPpolicyControl" : 1,
    "ldapAllowResetExpiredPassword" : 1,
    "ldapChangePasswordAsUser" : 1,
-   "ldapBase" : "%%calc_ldapclient_base_dn(%%ldap_base_dn, None, accounts=True)",
+   "ldapBase" : "%%ldapclient_base_dn",
    "ldapExportedVars" : {
       "uid" : "uid",
       "cn" : "cn",
@@ -22,9 +22,13 @@ commentStartToken = §
       "givenName" : "givenName",
       "home" : "homeDirectory"
    },
-   "ldapGroupAttributeName" : "memberUid",
+   "ldapGroupBase" : "%%ldapclient_base_dn",
+   "ldapGroupAttributeName" : "member",
    "ldapGroupAttributeNameUser" : "cn",
-   "ldapGroupObjectClass" : "group",
+   "ldapGroupAttributeNameGroup" : "dn",
+   "ldapGroupAttributeNameSearch" : "cn",
+   "ldapGroupAttributeNameUser" : "dn",
+   "ldapGroupObjectClass" : "groupOfNames",
    "ldapPort" : "636",
    "ldapServer" : "ldaps://%%ldap_server_address",
    "ldapVerify" : "required",
@@ -61,18 +65,18 @@ commentStartToken = §
 %set %%domains = []
 %for %%app in %%oauth2.remotes
   %set %%key = %%normalize_family(%%app)
-  %set %%external = %%oauth2['oauth2_' + %%key]['external_' + %%key]
-  § external is somethink like https://domain/
-  %if %%external
+  § somethink like ['https://domain/']
+  %for %%external in %%oauth2['oauth2_' + %%key]['external_' + %%key]['hosts_' + %%key]
    %set %%domain = %%str(%%external).split('/', 3)[-2]
    %if %%domain not in %%domains
-      },
-      "%%domain" : {
-         "^/logout" : "logout_sso",
-         "default" : "accept"
+     },
+     "%%domain" : {
+        "^/logout" : "logout_sso",
+§ FIXME       "default" : "$groups eq %%external['family_' + %%key]"
+        "default" : "accept"
 %%domains.append(%%domain)%slurp
    %end if
-  %end if
+  %end for
 %end for
       }
    },
@@ -148,9 +152,9 @@ commentStartToken = §
       "loa-4" : 4,
       "loa-5" : 5
    },
-%set %%pub = '\\n'.join(%%get_public_key(%%domain_name_eth0).split("\n"))
+%set %%pub = '\\n'.join(%%get_public_key(%%domain_name_eth0, hide=%%hide_secret).split("\n"))
    "oidcServicePublicKeySig" : "%%pub",
-%set %%priv = '\\n'.join(%%get_private_key(%%domain_name_eth0).split("\n"))
+%set %%priv = '\\n'.join(%%get_private_key(%%domain_name_eth0, hide=%%hide_secret).split("\n"))
    "oidcServicePrivateKeySig" : "%%priv",
    "passwordDB" : "LDAP",
    "persistentStorage" : "Apache::Session::File",
@@ -176,7 +180,7 @@ commentStartToken = §
                 'description': %%description,
                 'logo': "risotto/" + %%oauth2['oauth2_' + %%key]['logo_' + %%key],
                 'name': %%oauth2['oauth2_' + %%key]['name_' + %%key],
-                'uri': %%oauth2['oauth2_' + %%key]['external_' + %%key]}
+                'uri': %%oauth2['oauth2_' + %%key]['external_' + %%key]['hosts_' + %%key]}
 %%remotes.setdefault(%%oauth2['oauth2_' + %%key]['category_' + %%key], []).append(%%dico)%slurp
 %end for
    "applicationList" : {
diff --git a/seed/applicationservice/2022.03.08/letsencrypt/dictionaries/20-letsencrypt.xml b/seed/applicationservice/2022.03.08/letsencrypt/dictionaries/20-letsencrypt.xml
index e305d5bb..30b8b7ed 100644
--- a/seed/applicationservice/2022.03.08/letsencrypt/dictionaries/20-letsencrypt.xml
+++ b/seed/applicationservice/2022.03.08/letsencrypt/dictionaries/20-letsencrypt.xml
@@ -14,6 +14,7 @@
       <param type="variable">plugin_name</param>
       <param type="variable">credential_filename</param>
       <param type="variable">email</param>
+      <param type="variable">hide_secret</param>
       <target>domain_names</target>
     </check>
   </constraints>
diff --git a/seed/applicationservice/2022.03.08/letsencrypt/funcs/letsencrypt.py b/seed/applicationservice/2022.03.08/letsencrypt/funcs/letsencrypt.py
index a104fd50..170ca950 100644
--- a/seed/applicationservice/2022.03.08/letsencrypt/funcs/letsencrypt.py
+++ b/seed/applicationservice/2022.03.08/letsencrypt/funcs/letsencrypt.py
@@ -17,7 +17,10 @@ def letsencrypt_certif(domain: str,
                        plugin_name: str,
                        credential_filename: str,
                        email: str,
+                       hide_secret: bool,
                        ) -> None:
+    if hide_secret:
+        return
     if None in (domain, authority_cn, plugin_name, credential_filename, email):
         return
     authority_name = 'External'
diff --git a/seed/applicationservice/2022.03.08/mailman/dictionaries/31_mailman.xml b/seed/applicationservice/2022.03.08/mailman/dictionaries/31_mailman.xml
index d219e806..1c71bb94 100644
--- a/seed/applicationservice/2022.03.08/mailman/dictionaries/31_mailman.xml
+++ b/seed/applicationservice/2022.03.08/mailman/dictionaries/31_mailman.xml
@@ -22,7 +22,7 @@
     <family name="mailman" description="Gestionnaire de liste">
       <variable name="mailman_mail_owner" type="mail" description="Courriel du gestionnaire de liste du site"/>
       <variable name="mailman_domains" type="domainname" description="Nom de domaine des listes" multi="True" mandatory="True"/>
-      <variable name="postorius_secret_key" type="password" description="Internal secret key" mandatory="True" hidden="True" auto_save="True"/>
+      <variable name="postorius_secret_key" type="password" description="Internal secret key" mandatory="True" hidden="True" auto_save="False"/>
     </family>
     <family name="oauth2_client">
       <variable name="oauth2_is_client_application" redefine='True'>
@@ -43,7 +43,9 @@
       <variable name="oauth2_client_token_signature_algo" redefine="True">
         <value>RS256</value>
       </variable>
-      <variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
+      <family name="external">
+        <variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
+      </family>
     </family>
     <family name="postgresql">
       <variable name="pg_client_key_owner" redefine="True">
@@ -57,6 +59,7 @@
       <param name="username">postorius</param>
       <param name="description">secret_key</param>
       <param name="type">cleartext</param>
+      <param name="hide" type="variable">hide_secret</param>
       <target>postorius_secret_key</target>
     </fill>
     <fill name="calc_oauth2_client_external">
diff --git a/seed/applicationservice/2022.03.08/mailman/templates/postgresql_postorius.key b/seed/applicationservice/2022.03.08/mailman/templates/postgresql_postorius.key
index 316de5e6..f87d892a 100644
--- a/seed/applicationservice/2022.03.08/mailman/templates/postgresql_postorius.key
+++ b/seed/applicationservice/2022.03.08/mailman/templates/postgresql_postorius.key
@@ -1 +1 @@
-%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%pg_client_server_domainname, authority_name='PostgreSQL', type="client")
+%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%pg_client_server_domainname, authority_name='PostgreSQL', type="client", hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/mariadb-client/templates/mariadbclient.service b/seed/applicationservice/2022.03.08/mariadb-client/templates/mariadbclient.service
index 60caeff3..0b583e18 100644
--- a/seed/applicationservice/2022.03.08/mariadb-client/templates/mariadbclient.service
+++ b/seed/applicationservice/2022.03.08/mariadb-client/templates/mariadbclient.service
@@ -4,4 +4,4 @@ Before=network.target
 
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/timeout 90 sh -c 'while ! 3<> /dev/tcp/%%mariadb_client_server_domainname/3306; do sleep 1; done; echo "MARIADB STARTED"'
+ExecStart=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/%%mariadb_client_server_domainname/3306; do sleep 1; done; echo "MARIADB STARTED"'
diff --git a/seed/applicationservice/2022.03.08/mariadb/dictionaries/20_mariadb.xml b/seed/applicationservice/2022.03.08/mariadb/dictionaries/20_mariadb.xml
index 91f67a38..11e45311 100644
--- a/seed/applicationservice/2022.03.08/mariadb/dictionaries/20_mariadb.xml
+++ b/seed/applicationservice/2022.03.08/mariadb/dictionaries/20_mariadb.xml
@@ -19,6 +19,7 @@
       <param name="username">root_password</param>
       <param name="description">mariadb</param>
       <param name="type">cleartext</param>
+      <param name="hide" type="variable">hide_secret</param>
       <param name="length" type="number">50</param>
       <target>mariadb_root_password</target>
     </fill>
diff --git a/seed/applicationservice/2022.03.08/nextcloud/dictionaries/31_nextcloud.xml b/seed/applicationservice/2022.03.08/nextcloud/dictionaries/31_nextcloud.xml
index 42828bc2..2cc50fa2 100644
--- a/seed/applicationservice/2022.03.08/nextcloud/dictionaries/31_nextcloud.xml
+++ b/seed/applicationservice/2022.03.08/nextcloud/dictionaries/31_nextcloud.xml
@@ -14,9 +14,9 @@
   </services>
   <variables>
     <family name="nextcloud" description="Nextcloud">
-      <variable name="nextcloud_admin_password" type="password" auto_freeze="True" hidden="True"/>
+      <variable name="nextcloud_admin_password" type="password" auto_save="False" hidden="True"/>
       <variable name="nextcloud_mail_admin" type="mail" mandatory="True"/>
-      <variable name="nextcloud_instance_id" type="password" auto_freeze="True" hidden="True"/>
+      <variable name="nextcloud_instance_id" type="password" auto_save="False" hidden="True"/>
       <variable name="nextcloud_well_known_server" type="domainname" description="Nom de domaine du serveur hebergeant le répertoire .well-known"/>
       <variable name="nextcloud_well_known_caldav" type="web_address" hidden='True'/>
       <variable name="nextcloud_well_known_carddav" type="web_address" hidden='True'/>
@@ -53,6 +53,7 @@
       <param name="username">admin_password</param>
       <param name="description">nextcloud</param>
       <param name="type">cleartext</param>
+      <param name="hide" type="variable">hide_secret</param>
       <target>nextcloud_admin_password</target>
     </fill>
     <!-- see lib/private/legacy/OC_Util.php -->
@@ -62,6 +63,7 @@
       <param name="description">nextcloud</param>
       <param name="length" type="number">10</param>
       <param name="starts_with_char" type="boolean">True</param>
+      <param name="hide" type="variable">hide_secret</param>
       <target>nextcloud_instance_id</target>
     </fill>
     <fill name="calc_value">
diff --git a/seed/applicationservice/2022.03.08/nextcloud/templates/nextcloud.init b/seed/applicationservice/2022.03.08/nextcloud/templates/nextcloud.init
index 3279d880..f68c9595 100644
--- a/seed/applicationservice/2022.03.08/nextcloud/templates/nextcloud.init
+++ b/seed/applicationservice/2022.03.08/nextcloud/templates/nextcloud.init
@@ -27,8 +27,8 @@ fi
 /usr/bin/php /usr/share/nextcloud/occ config:app:set user_ldap bgjRefreshInterval --value=300 -q
 /usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapHost "ldaps://%%ldap_server_address"
 /usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapPort "%%ldap_port"
-/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentName "%%ldapclient_remote_user"
-/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentPassword "%%ldapclient_remote_user_password"
+/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentName "%%ldapclient_user"
+/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentPassword "%%ldapclient_user_password"
 /usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBase "%%ldapclient_base_dn"
 /usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseUsers "%%ldapclient_base_dn"
 /usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseGroups "%%ldapclient_base_dn"
diff --git a/seed/applicationservice/2022.03.08/nginx-common/templates/nginx-options.conf b/seed/applicationservice/2022.03.08/nginx-common/templates/nginx-options.conf
index 9025b2ee..185ff4dc 100644
--- a/seed/applicationservice/2022.03.08/nginx-common/templates/nginx-options.conf
+++ b/seed/applicationservice/2022.03.08/nginx-common/templates/nginx-options.conf
@@ -2,7 +2,7 @@ client_max_body_size %%{nginx_post_max_size}M;
 client_body_buffer_size 128k;
 
 # Always trust ourself
-%for %%interface in %%range(%%number_of_interfaces)
+%for %%interface in %%range(%%len(%%zones_list))
 set_real_ip_from %%getVar('ip_eth{0}'.format(%%interface));
 %end for
 
diff --git a/seed/applicationservice/2022.03.08/nginx-https/templates/nginx.crt b/seed/applicationservice/2022.03.08/nginx-https/templates/nginx.crt
index 4ea9946c..9a430003 100644
--- a/seed/applicationservice/2022.03.08/nginx-https/templates/nginx.crt
+++ b/seed/applicationservice/2022.03.08/nginx-https/templates/nginx.crt
@@ -1,2 +1,2 @@
-%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type="server")
-%%get_chain(%%revprox_client_server_domainname, 'InternalReverseProxy')
+%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type="server", hide=%%hide_secret)
+%%get_chain(%%revprox_client_server_domainname, 'InternalReverseProxy', hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/nginx-https/templates/nginx.key b/seed/applicationservice/2022.03.08/nginx-https/templates/nginx.key
index a02eba1e..56d50e1e 100644
--- a/seed/applicationservice/2022.03.08/nginx-https/templates/nginx.key
+++ b/seed/applicationservice/2022.03.08/nginx-https/templates/nginx.key
@@ -1 +1 @@
-%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type='server')
+%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type='server', hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/nginx-reverse-proxy/dictionaries/25_nginx.xml b/seed/applicationservice/2022.03.08/nginx-reverse-proxy/dictionaries/25_nginx.xml
index 3ccd39c8..910feb89 100644
--- a/seed/applicationservice/2022.03.08/nginx-reverse-proxy/dictionaries/25_nginx.xml
+++ b/seed/applicationservice/2022.03.08/nginx-reverse-proxy/dictionaries/25_nginx.xml
@@ -10,10 +10,12 @@
     </service>
   </services>
   <variables>
-    <variable name="external_ports" redefine="True">
-      <value>80</value>
-      <value>443</value>
-    </variable>
+    <family name="network">
+      <variable name="external_ports" redefine="True">
+        <value>80</value>
+        <value>443</value>
+      </variable>
+    </family>
     <family name="nginx" description="NGINX" help="Paramétrage global de NGINX">
       <variable name="nginx_default" redefine="True" mandatory="True"/>
       <variable name="revprox_domainnames" type="domainname" description="Nom des domaines à configurer dans le serveur mandataire inverse" help="Liste des domaines gérés par le serveur mandataire inverse" multi="True"/>
diff --git a/seed/applicationservice/2022.03.08/nginx-reverse-proxy/templates/ca_InternalReverseProxy.crt b/seed/applicationservice/2022.03.08/nginx-reverse-proxy/templates/ca_InternalReverseProxy.crt
index 7aa65537..0342bded 100644
--- a/seed/applicationservice/2022.03.08/nginx-reverse-proxy/templates/ca_InternalReverseProxy.crt
+++ b/seed/applicationservice/2022.03.08/nginx-reverse-proxy/templates/ca_InternalReverseProxy.crt
@@ -1,3 +1,3 @@
-%for %%idx in %%range(0, %%number_of_interfaces)
-%%get_chain(authority_cn=%%getVar('domain_name_eth' + %%str(%%idx)), authority_name="InternalReverseProxy")
+%for %%idx in %%range(%%len(%%zones_list))
+%%get_chain(authority_cn=%%getVar('domain_name_eth' + %%str(%%idx)), authority_name="InternalReverseProxy", hide=%%hide_secret)
 %end for
diff --git a/seed/applicationservice/2022.03.08/nginx-reverse-proxy/templates/certificate.crt b/seed/applicationservice/2022.03.08/nginx-reverse-proxy/templates/certificate.crt
index 45a1426c..f604de8c 100644
--- a/seed/applicationservice/2022.03.08/nginx-reverse-proxy/templates/certificate.crt
+++ b/seed/applicationservice/2022.03.08/nginx-reverse-proxy/templates/certificate.crt
@@ -1 +1 @@
-%%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External')
+%%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/nginx-reverse-proxy/templates/private.key b/seed/applicationservice/2022.03.08/nginx-reverse-proxy/templates/private.key
index 1662468a..1c195f41 100644
--- a/seed/applicationservice/2022.03.08/nginx-reverse-proxy/templates/private.key
+++ b/seed/applicationservice/2022.03.08/nginx-reverse-proxy/templates/private.key
@@ -1 +1 @@
-%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External')
+%%get_private_key(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/nsd/dictionaries/20_nsd.xml b/seed/applicationservice/2022.03.08/nsd/dictionaries/20_nsd.xml
index c50334ff..cb5bbdf4 100644
--- a/seed/applicationservice/2022.03.08/nsd/dictionaries/20_nsd.xml
+++ b/seed/applicationservice/2022.03.08/nsd/dictionaries/20_nsd.xml
@@ -14,7 +14,7 @@
     </service>
   </services>
   <variables>
-    <family name="dns" description="DNS">
+    <family name="network">
       <variable name="dns_client_address" redefine="True" disabled="True"/>
       <variable name="ip_dns" redefine="True" remove_fill="True">
         <value>127.0.0.1</value>
diff --git a/seed/applicationservice/2022.03.08/nsd/templates/risotto.conf b/seed/applicationservice/2022.03.08/nsd/templates/risotto.conf
index a1f22d4f..9a40a9a2 100644
--- a/seed/applicationservice/2022.03.08/nsd/templates/risotto.conf
+++ b/seed/applicationservice/2022.03.08/nsd/templates/risotto.conf
@@ -1,6 +1,6 @@
 server:
     interface: 127.0.0.1
-%for %%interface in %%interfaces_list
+%for %%interface in %%range(%%len(%%zones_list))
     interface: %%getVar('ip_eth' + %%str(%%interface))
 %end for
     do-ip4: yes
diff --git a/seed/applicationservice/2022.03.08/oauth2-client/dictionaries/30_oauth2_client.xml b/seed/applicationservice/2022.03.08/oauth2-client/dictionaries/30_oauth2_client.xml
index 8ab4358d..75f8671f 100644
--- a/seed/applicationservice/2022.03.08/oauth2-client/dictionaries/30_oauth2_client.xml
+++ b/seed/applicationservice/2022.03.08/oauth2-client/dictionaries/30_oauth2_client.xml
@@ -9,7 +9,12 @@
       <variable name="oauth2_client_name" description="OAuth2 client name" mandatory='True'/>
       <variable name="oauth2_client_description" description="OAuth2 client description" mandatory='True'/>
       <variable name="oauth2_client_login" type="web_address" description="OAuth2 URL to valid login" multi="True"/>
-      <variable name="oauth2_client_external" type="web_address" description="OAuth2 client external" mandatory='True' multi="True"/>
+      <family name="external">
+        <variable name="oauth2_client_external" type="web_address" description="OAuth2 client external" mandatory='True' multi="True"/>
+        <variable name="oauth2_client_family" description="OAuth2 family">
+          <value>users</value>
+        </variable>
+      </family>
       <variable name="oauth2_client_category" description="OAuth2 category" mandatory='True'>
         <value>Défaut</value>
       </variable>
@@ -74,6 +79,13 @@
       <param name="dynamic" type="variable">oauth2_client_id</param>
       <target>oauth2_client_logo</target>
     </check>
+    <check name="set_linked_configuration">
+      <param name="linked_server" type="variable">oauth2_client_server_domainname</param>
+      <param name="linked_provider">oauth2_family</param>
+      <param name="leader_provider">oauth2_external</param>
+      <param name="dynamic" type="variable">oauth2_client_id</param>
+      <target>oauth2_client_family</target>
+    </check>
     <check name="set_linked_configuration">
       <param name="linked_server" type="variable">oauth2_client_server_domainname</param>
       <param name="linked_provider">oauth2_login</param>
@@ -96,6 +108,7 @@
       <target type="variable">oauth2_client_name</target>
       <target type="variable">oauth2_client_description</target>
       <target type="variable">oauth2_client_external</target>
+      <target type="variable">oauth2_client_family</target>
     </condition>
   </constraints>
 </rougail>
diff --git a/seed/applicationservice/2022.03.08/openldap/dictionaries/21_openldap-server.xml b/seed/applicationservice/2022.03.08/openldap/dictionaries/21_openldap-server.xml
index a815148f..4354fb32 100644
--- a/seed/applicationservice/2022.03.08/openldap/dictionaries/21_openldap-server.xml
+++ b/seed/applicationservice/2022.03.08/openldap/dictionaries/21_openldap-server.xml
@@ -13,87 +13,70 @@
       <file>/secrets/config_acl.ldif</file>
       <file>/secrets/admin_ldap.pwd</file>
       <file engine="none">/sysusers.d/risotto-openldap.conf</file>
-      <file engine="none" source="tmpfile-openldap-server.conf">/tmpfiles.d/0openldap-server.conf</file>
+      <file source="tmpfile-openldap-server.conf">/tmpfiles.d/0openldap-server.conf</file>
     </service>
   </services>
 
   <variables>
     <family name="annuaire">
-      <variable name='ldap_server_address' redefine="True" hidden="True"/>
-      <variable name='ldap_base_dn' redefine="True" mandatory="True" provider="ldap_dn"/>
-      <variable name='ldap_port' redefine="True" remove_fill="True" hidden="False" provider="ldap_port">
-        <value>636</value>
-      </variable>
-      <variable name='ldap_admin_dn' type='string' description="Administrateur de l'annuaire" mandatory="True" auto_freeze='True'/>
-      <variable name='ldap_admin_password' type="password" description="Mot de passe de l'administrateur de l'annuaire" hidden='True' auto_save='True'/>
-      <family name='ldap_index_attribute' leadership='True' description="Gestion des index des attributes">
-        <variable name='ldap_index_attribute' type='string' description="Attribut à indexer" multi="True">
-          <value>objectClass</value>
-          <value>uid</value>
-          <value>cn</value>
-          <value>sn</value>
-          <!--value>mailLocalAddress</value-->
-          <value>givenName</value>
-          <value>mail</value>
-          <value>entryCSN</value>
-          <value>entryUUID</value>
-          <value>contextCSN</value>
+      <family name="server">
+        <variable name='ldap_server_address' redefine="True" hidden="True"/>
+        <variable name='ldap_schemas' type='filename' description='Schémas LDAP additionnel' multi='True'>
+          <value>/etc/openldap/schema/cosine.ldif</value>
+          <value>/etc/openldap/schema/inetorgperson.ldif</value>
+          <value>/etc/openldap/schema/nis.ldif</value>
+          <value>/etc/openldap/schema/misc.ldif</value>
         </variable>
-        <variable name='ldap_index_indices' type='string' description="Types d'index" multi="True">
-          <value>eq</value>
-          <value>pres</value>
-        </variable>
-	      <variable name='openldap_ca_chain' description="CA certificate" hidden='True'/>
+        <family name='limits' description='Limites' mode='expert'>
+          <variable name='ldap_loglevel' type='number' description='Niveau de log' mode="expert">
+            <value>0</value>
+          </variable>
+          <variable name='ldap_sizelimit' type='number' description="Nombre maximum d'entrées à retourner lors d'une requête" mode="expert">
+            <value>5000</value>
+          </variable>
+          <variable name='ldap_timelimit' type='number' description='Temps de réponse maximum à une requête (en secondes)' mode="expert">
+            <value>3600</value>
+          </variable>
+        </family>
+        <family name='db_environment' description='DB environment' mode='expert'>
+          <variable name='db_cache_size_g' description="Quantité de Giga-octets à utiliser pour le cache HDB" type="number">
+            <value>0</value>
+          </variable>
+          <variable name='db_cache_size_o' description="Quantité d'octets à utiliser pour le cache HDB" type="number">
+            <value>268435456</value>
+          </variable>
+          <variable name='db_cache_chunks' description="Nombre de fichiers ou écrire le cache HDB" type="number">
+            <value>1</value>
+          </variable>
+          <variable name='db_log_region_max' type='number' description="Quantité de fichier de cache mis en cache mémoire">
+            <value>262144</value>
+          </variable>
+          <variable name='db_log_max' type='number' description="Quantité d'informations de journalisation conservé jusqu'à rotation">
+            <value>10485760</value>
+          </variable>
+          <variable name='db_log_bsize' type='number' description="Quantité d'informations de journalisation du cache reporté sur le disque">
+            <value>2097152</value>
+          </variable>
+          <variable name='db_log_directory' type='filename' description='Répertoire de conservation des informations de journalisation'>
+            <value>/srv/openldap/log</value>
+          </variable>
+          <variable name='db_lk_max_objects' type='number' description="Nombre d'objet qui peuvent être verrouillés simultanément ">
+            <value>5000</value>
+          </variable>
+          <variable name='db_lk_max' type='number' description='Nombre de verrous maximal'>
+            <value>5000</value>
+          </variable>
+          <variable name='db_lk_max_lockers' type='number' description='Nombre de verroulleur maximal'>
+            <value>5000</value>
+          </variable>
+        </family>
+      </family>
+      <family name="client">
+        <variable name='ldapclient_user' redefine="True"/>
+        <!--variable name='ldapclient_user_password' redefine="True"/-->
+        <variable name='ldapclient_family' redefine="True" disabled="True"/>
+        <variable name='ldapclient_base_dn' redefine="True" mandatory="True" provider="ldap_dn"/>
       </family>
-      <variable name='ldap_schemas' type='filename' description='Schémas LDAP additionnel' multi='True'>
-        <value>/etc/openldap/schema/cosine.ldif</value>
-        <value>/etc/openldap/schema/inetorgperson.ldif</value>
-        <value>/etc/openldap/schema/nis.ldif</value>
-        <value>/etc/openldap/schema/misc.ldif</value>
-      </variable>
-      <variable name='ldap_loglevel' type='number' description='Niveau de log' mode="expert">
-        <value>0</value>
-      </variable>
-      <variable name='ldap_sizelimit' type='number' description="Nombre maximum d'entrées à retourner lors d'une requête" mode="expert">
-        <value>5000</value>
-      </variable>
-      <variable name='ldap_timelimit' type='number' description='Temps de réponse maximum à une requête (en secondes)' mode="expert">
-        <value>3600</value>
-      </variable>
-      <variable name='ldapclient_remote_user' redefine="True"/>
-      <variable name='ldapclient_remote_user_password' redefine="True"/>
-    </family>
-    <family name='db_environment' description='DB environment' mode='expert'>
-      <variable name='db_cache_size_g' description="Quantité de Giga-octets à utiliser pour le cache HDB" type="number">
-        <value>0</value>
-      </variable>
-      <variable name='db_cache_size_o' description="Quantité d'octets à utiliser pour le cache HDB" type="number">
-        <value>268435456</value>
-      </variable>
-      <variable name='db_cache_chunks' description="Nombre de fichiers ou écrire le cache HDB" type="number">
-        <value>1</value>
-      </variable>
-      <variable name='db_log_region_max' type='number' description="Quantité de fichier de cache mis en cache mémoire">
-        <value>262144</value>
-      </variable>
-      <variable name='db_log_max' type='number' description="Quantité d'informations de journalisation conservé jusqu'à rotation">
-        <value>10485760</value>
-      </variable>
-      <variable name='db_log_bsize' type='number' description="Quantité d'informations de journalisation du cache reporté sur le disque">
-        <value>2097152</value>
-      </variable>
-      <variable name='db_log_directory' type='filename' description='Répertoire de conservation des informations de journalisation'>
-        <value>/var/lib/ldap/logs</value>
-      </variable>
-      <variable name='db_lk_max_objects' type='number' description="Numbre d'objet qui peuvent être verrouillés simultanément ">
-        <value>5000</value>
-      </variable>
-      <variable name='db_lk_max' type='number' description='Nombre de verrous maximal'>
-        <value>5000</value>
-      </variable>
-      <variable name='db_lk_max_lockers' type='number' description='Nombre de verrouilleur maximal'>
-        <value>5000</value>
-      </variable>
     </family>
   </variables>
   <constraints>
@@ -104,34 +87,13 @@
     </fill>
     <fill name='get_default_base_dn'>
       <param type="variable">domain_name_eth0</param>
-      <target>ldap_base_dn</target>
+      <target>ldapclient_base_dn</target>
     </fill>
     <fill name='calc_value'>
       <param>cn=admin</param>
-      <param type='variable'>ldap_base_dn</param>
+      <param type='variable'>ldapclient_base_dn</param>
       <param name="join">,</param>
-      <target>ldap_admin_dn</target>
-    </fill>
-    <fill name="get_password">
-      <param name="server_name" type="variable">domain_name_eth0</param>
-      <param name="username">writer</param>
-      <param name="description">LDAP</param>
-      <param name="type">cleartext</param>
-      <param name="temporary" type="boolean">True</param>
-      <target>ldap_admin_password</target>
-    </fill>
-    <fill name="calc_value">
-      <param type="variable">ldap_admin_dn</param>
-      <target>ldapclient_remote_user</target>
-    </fill>
-    <fill name="calc_value">
-      <param type="variable">ldap_admin_password</param>
-      <target>ldapclient_remote_user_password</target>
-    </fill>
-    <fill name="get_chain">
-      <param name="authority_cn" type="variable">domain_name_eth0</param>
-      <param name="authority_name">LDAP</param>
-      <target>openldap_ca_chain</target>
+      <target>ldapclient_user</target>
     </fill>
   </constraints>
 </rougail>
diff --git a/seed/applicationservice/2022.03.08/openldap/extras/accounts/00_account.xml b/seed/applicationservice/2022.03.08/openldap/extras/accounts/00_account.xml
index 8a891caa..63691336 100644
--- a/seed/applicationservice/2022.03.08/openldap/extras/accounts/00_account.xml
+++ b/seed/applicationservice/2022.03.08/openldap/extras/accounts/00_account.xml
@@ -3,14 +3,11 @@
   <variables>
     <variable name="remotes" description="Serveurs distant ayant un compte" type="domainname" multi="True" provider="clients"/>
     <family name="remote_" description="Compte LDAP pour " dynamic="accounts.remotes">
-      <variable name="dn_" description="LDAP DN" hidden="True" provider="dn"/>
-      <variable name="password_" description="Mot de passe" auto_save="True" hidden="True" provider="client_password"/>
-      <variable name="family_" description="Nom de la familly" auto_save="True" hidden="True" provider="client_family"/>
-      <variable name="read_only_" description="Le compte est en lecture seule" type="boolean"/>
-    </family>
-    <family name="acl" description="Gestion des droits d'accès aux attributes" leadership="True">
-      <variable name='ldap_acl_attribute' type="string" description="ACL de l'attribut" multi="True"/>
-      <variable name='ldap_acl_rights' type="string" description="ACL de l'attribut" multi="True"/>
+      <variable name="family_" description="Nom de la familly de " hidden="True" provider="client_family"/>
+      <variable name="dn_" description="LDAP DN de " hidden="True" provider="dn"/>
+      <variable name="password_" description="Mot de passe de " hidden="True" provider="client_password"/>
+      <variable name="base_dn_" description="LDAP base DN de " hidden="True" provider="base_dn"/>
+      <variable name="read_only_" description="Le compte est en lecture seule de " type="boolean"/>
     </family>
     <family name="users" description="Gestion des utilisateurs" leadership="True">
       <variable name='ldap_user_mail' type="mail" description="Adresse courriel du compte" multi="True"/>
@@ -22,38 +19,36 @@
     </family>
     <variable name="families" description="Familles" type="unix_user" multi="True"/>
     <family name="family_" description="Gestion de la famille " dynamic="accounts.families">
-      <family name="users_" description="Gestion des utilisateurs" leadership="True">
-        <variable name='ldap_user_mail_' type="mail" description="Adresse courriel du compte" multi="True"/>
-        <variable name='ldap_user_aliases_' type="mail" description="Aliases du mail" multi="True"/>
-        <variable name='ldap_user_uid_' type="unix_user" description="Nom de compte" mandatory="True"/>
-        <variable name='ldap_user_sn_' type="string" description="Prénom" mandatory="True"/>
-        <variable name='ldap_user_gn_' type="string" description="Nom de famille" mandatory="True"/>
-        <variable name='ldap_user_password_' type="password" description="Mot de passe" mandatory="True" hidden="True"/>
+      <family name="users_" description="Gestion des utilisateurs de la famille " leadership="True">
+        <variable name='ldap_user_mail_' type="mail" description="Adresse courriel du compte de la famille " multi="True"/>
+        <variable name='ldap_user_aliases_' type="mail" description="Aliases du mail de la famille " multi="True"/>
+        <variable name='ldap_user_uid_' type="unix_user" description="Nom de compte de la famille " mandatory="True"/>
+        <variable name='ldap_user_sn_' type="string" description="Prénom de la famille " mandatory="True"/>
+        <variable name='ldap_user_gn_' type="string" description="Nom de famille de la famille " mandatory="True"/>
+        <variable name='ldap_user_password_' type="password" description="Mot de passe de la famille " mandatory="True" hidden="True"/>
       </family>
     </family>
   </variables>
   <constraints>
+    <fill name="calc_ldapclient_base_dn">
+      <param type="variable">ldapclient_base_dn</param>
+      <param type="variable">accounts.remote_.family_</param>
+      <target>accounts.remote_.base_dn_</target>
+    </fill>
     <fill name='calc_value'>
       <param>cn=</param>
       <param type='suffix'></param>
       <param>,</param>
-      <param type='variable'>ldap_base_dn</param>
+      <param type='variable'>ldapclient_base_dn</param>
       <param name="join"></param>
       <target>accounts.remote_.dn_</target>
     </fill>
-    <fill name="get_password">
-      <param name="server_name" type="variable">domain_name_eth0</param>
-      <param name="username" type='suffix'/>
-      <param name="description">remote account</param>
-      <param name="type">cleartext</param>
-      <param name="temporary" type="boolean">True</param>
-      <target>accounts.remote_.password_</target>
-    </fill>
     <fill name="get_password">
       <param name="server_name" type="variable">domain_name_eth0</param>
       <param name="username" type='variable'>accounts.users.ldap_user_mail</param>
       <param name="description">ldap user</param>
       <param name="type">cleartext</param>
+      <param name="hide" type="variable">hide_secret</param>
       <param name="temporary" type="boolean">True</param>
       <target>accounts.users.ldap_user_password</target>
     </fill>
@@ -62,6 +57,7 @@
       <param name="username" type='variable'>accounts.family_.users_.ldap_user_mail_</param>
       <param name="description">ldap family user</param>
       <param name="type">cleartext</param>
+      <param name="hide" type="variable">hide_secret</param>
       <param name="temporary" type="boolean">True</param>
       <target>accounts.family_.users_.ldap_user_password_</target>
     </fill>
diff --git a/seed/applicationservice/2022.03.08/openldap/templates/admin_ldap.pwd b/seed/applicationservice/2022.03.08/openldap/templates/admin_ldap.pwd
index c8dab958..22610d3f 100644
--- a/seed/applicationservice/2022.03.08/openldap/templates/admin_ldap.pwd
+++ b/seed/applicationservice/2022.03.08/openldap/templates/admin_ldap.pwd
@@ -1 +1 @@
-%%ldap_admin_password%slurp
+%%ldapclient_user_password%slurp
diff --git a/seed/applicationservice/2022.03.08/openldap/templates/config.ldif b/seed/applicationservice/2022.03.08/openldap/templates/config.ldif
index d434f92a..d01eed77 100644
--- a/seed/applicationservice/2022.03.08/openldap/templates/config.ldif
+++ b/seed/applicationservice/2022.03.08/openldap/templates/config.ldif
@@ -100,7 +100,7 @@ olcDatabase: {-1}frontend
 dn: olcDatabase={0}config,cn=config
 objectClass: olcDatabaseConfig
 olcDatabase: {0}config
-olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="%%ldap_admin_dn" write by * none
+olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="%%ldapclient_user" write by * none
 
 dn: olcDatabase={1}monitor,cn=config
 objectClass: olcDatabaseConfig
@@ -112,11 +112,17 @@ objectClass: olcDatabaseConfig
 objectClass: olcMdbConfig
 olcDatabase: {2}mdb
 olcDbDirectory: /srv/openldap
-olcRootDN: %%ldap_admin_dn
-olcRootPW:: %%ssha_encode(%%ldap_admin_password)
-olcSuffix: %%ldap_base_dn
+olcRootDN: %%ldapclient_user
+olcRootPW:: %%ssha_encode(%%ldapclient_user_password)
+olcSuffix: %%ldapclient_base_dn
 olcSizeLimit: %%ldap_sizelimit
 olcTimeLimit: %%ldap_timelimit
-%for %%attribute in %%ldap_index_attribute
-olcDbIndex: %%attribute %echo ','.join(%%attribute.ldap_index_indices)
-%end for
+olcDbIndex: objectClass eq,pres
+olcDbIndex: uid eq,pres
+olcDbIndex: cn eq,pres
+olcDbIndex: sn eq,pres
+olcDbIndex: givenName eq,pres
+olcDbIndex: mail eq,pres
+olcDbIndex: entryCSN eq,pres
+olcDbIndex: entryUUID eq,pres
+olcDbIndex: contextCSN eq,pres
diff --git a/seed/applicationservice/2022.03.08/openldap/templates/config_acl.ldif b/seed/applicationservice/2022.03.08/openldap/templates/config_acl.ldif
index e74e8a50..86e1c008 100644
--- a/seed/applicationservice/2022.03.08/openldap/templates/config_acl.ldif
+++ b/seed/applicationservice/2022.03.08/openldap/templates/config_acl.ldif
@@ -1,7 +1,9 @@
 %set %%dns = {}
+%set %%groups = []
 %for %%remote in %%accounts.remotes
  %set %%name = %%normalize_family(%%remote)
  %set %%family = %%accounts['remote_' + %%name]['family_' + %%name]
+%%groups.append(%%accounts['remote_' + %%name]['dn_' + %%name])%slurp
 %%dns.setdefault(%%family, []).append((%%accounts['remote_' + %%name]['dn_' + %%name], %%accounts['remote_' + %%name]['read_only_' + %%name]))%slurp
 %end for
 dn: olcDatabase={2}mdb,cn=config
@@ -11,27 +13,27 @@ olcAccess: {0}to attrs=userPassword
     by self write
     by anonymous auth
     by * none
-%set %%aclidx = 1
+olcAccess: {1}to dn.subtree="%%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None, group=True)"
+%for group in %%groups
+    by dn="%%group" read
+%end for
+    by * none
+%set %%aclidx = 2
 %for %%family, %%remotes in %%dns.items()
  %if %%family == 'all'
-olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldap_base_dn, None, accounts=True)"
+olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None, base=True)"
  %else
-olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldap_base_dn, %%family)"
+olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldapclient_base_dn, %%family)"
  %end if
     by self read
  %for %%remote in %%remotes
     by dn="%%remote[0]" %slurp
   %if %%remote[1]
-read%slurp
+read
   %else
-write%slurp
+write
   %end if
  %end for
   %set %%aclidx += 1
-
     by * none
 %end for
-%for %%idx, %%acl in %%enumerate(%%accounts.acl.ldap_acl_attribute)
- %set %%aclidx += 1
-olcAccess: {%%aclidx}to %%acl %echo ' '.join(%%acl.ldap_acl_rights)
-%end for
diff --git a/seed/applicationservice/2022.03.08/openldap/templates/openldap.crt b/seed/applicationservice/2022.03.08/openldap/templates/openldap.crt
index e53ea995..098fcae5 100644
--- a/seed/applicationservice/2022.03.08/openldap/templates/openldap.crt
+++ b/seed/applicationservice/2022.03.08/openldap/templates/openldap.crt
@@ -1,5 +1,5 @@
 %set %%extra_domainnames = []
-%for %%idx in %%range(1, %%number_of_interfaces)
+%for %%idx in %%range(%%len(%%zones_list))
   %%extra_domainnames.append(%%getVar('domain_name_eth' + %%str(%%idx)))
 %end for
-%%get_certificate(%%domain_name_eth0, 'LDAP', extra_domainnames=%%extra_domainnames)
+%%get_certificate(%%domain_name_eth0, 'LDAP', extra_domainnames=%%extra_domainnames, hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/openldap/templates/openldap.key b/seed/applicationservice/2022.03.08/openldap/templates/openldap.key
index 3f464d05..48aa6898 100644
--- a/seed/applicationservice/2022.03.08/openldap/templates/openldap.key
+++ b/seed/applicationservice/2022.03.08/openldap/templates/openldap.key
@@ -1 +1 @@
-%%get_private_key(%%domain_name_eth0, 'LDAP')
+%%get_private_key(cn=%%domain_name_eth0, authority_name='LDAP', hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/openldap/templates/slapd.service b/seed/applicationservice/2022.03.08/openldap/templates/slapd.service
index 9b4b2539..8a3c0566 100644
--- a/seed/applicationservice/2022.03.08/openldap/templates/slapd.service
+++ b/seed/applicationservice/2022.03.08/openldap/templates/slapd.service
@@ -11,6 +11,6 @@ ExecStart=
 # remove none tls port
 ExecStart=+/usr/sbin/slapd -u ldap -h ldaps:///
 #waiting for ldap server...
-ExecStartPost=/usr/bin/timeout 90 sh -c 'while ! 3<> /dev/tcp/localhost/%%ldap_port; do sleep 1; done'
-ExecStartPost=-/usr/bin/ldapmodify -D %%ldap_admin_dn -y /usr/local/lib/secrets/admin_ldap.pwd -v -f /usr/local/lib/secrets/config_acl.ldif
-ExecStartPost=-/usr/bin/ldapmodify -D %%ldap_admin_dn -y /usr/local/lib/secrets/admin_ldap.pwd -v -f /usr/local/lib/secrets/users_mod.ldif
+ExecStartPost=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/localhost/%%ldap_port; do sleep 1; done'
+ExecStartPost=-/usr/bin/ldapmodify -D %%ldapclient_user -y /usr/local/lib/secrets/admin_ldap.pwd -v -f /usr/local/lib/secrets/config_acl.ldif
+ExecStartPost=-/usr/bin/ldapmodify -D %%ldapclient_user -y /usr/local/lib/secrets/admin_ldap.pwd -v -f /usr/local/lib/secrets/users_mod.ldif
diff --git a/seed/applicationservice/2022.03.08/openldap/templates/tmpfile-openldap-server.conf b/seed/applicationservice/2022.03.08/openldap/templates/tmpfile-openldap-server.conf
index d08deaf7..97c2bc1e 100644
--- a/seed/applicationservice/2022.03.08/openldap/templates/tmpfile-openldap-server.conf
+++ b/seed/applicationservice/2022.03.08/openldap/templates/tmpfile-openldap-server.conf
@@ -1,2 +1,3 @@
 d /srv/openldap 700 ldap ldap - -
+d %%db_log_directory 700 ldap ldap - -
 d /etc/openldap/slapd.d 750 ldap ldap - -
diff --git a/seed/applicationservice/2022.03.08/openldap/templates/users.ldif b/seed/applicationservice/2022.03.08/openldap/templates/users.ldif
index 08c37c01..76848136 100644
--- a/seed/applicationservice/2022.03.08/openldap/templates/users.ldif
+++ b/seed/applicationservice/2022.03.08/openldap/templates/users.ldif
@@ -1,6 +1,7 @@
 # BaseDN
-dn: %%ldap_base_dn
-%set %%attribute, %%organization = %%ldap_base_dn.split(',', 1)[0].split('=')
+%set groups = {}
+dn: %%ldapclient_base_dn
+%set %%attribute, %%organization = %%ldapclient_base_dn.split(',', 1)[0].split('=')
 %%attribute: %%organization
 objectClass: top
 %if %%attribute == 'o'
@@ -22,21 +23,22 @@ objectClass: inetOrgPerson
 
 %end for
 # Accounts
-%set %%users = %%calc_ldapclient_base_dn(%%ldap_base_dn, '')
-dn: %%calc_ldapclient_base_dn(%%ldap_base_dn, None, accounts=True)
+dn: %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None, base=True)
 ou: accounts
 objectClass: top
 objectClass: organizationalUnit
 
-## Users
-%set %%users = %%calc_ldapclient_base_dn(%%ldap_base_dn, '')
+## Accounts users
+%set %%users = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None)
 dn: %%users
 ou: users
 objectClass: top
 objectClass: organizationalUnit
 
 %for %%user in %%accounts.users.ldap_user_mail
-dn: cn=%%user,%%users
+%set %%userdn = "cn=" + %%user + "," + %%users
+%%groups.setdefault('users', []).append(%%userdn)
+dn: %%userdn
 cn: %%user
 mail: %%user
 sn: %%user.ldap_user_sn
@@ -59,20 +61,22 @@ objectClass: inetLocalMailRecipient
 
 %end for
 ## Families
-dn: %%calc_ldapclient_base_dn(%%ldap_base_dn, '-')
+dn: %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name='-')
 ou: families
 objectClass: top
 objectClass: organizationalUnit
 
 %for %%family in %%accounts.families
-%set %%families = %%calc_ldapclient_base_dn(%%ldap_base_dn, %%family)
+%set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=%%family)
 dn: %%families
 ou: %%family
 objectClass: top
 objectClass: organizationalUnit
 
   %for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
-dn: cn=%%user,%%families
+%set %%userdn = "cn=" + %%user + "," + %%families
+%%groups.setdefault(%%family, []).append(%%userdn)
+dn: %%userdn
 cn: %%user
 mail: %%user
 sn: %%user['ldap_user_sn_' + %%family]
@@ -95,3 +99,20 @@ objectClass: inetLocalMailRecipient
 
   %end for
 %end for
+## Groups
+%set %%groupdn = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=None, group=True)
+dn: %%groupdn
+ou: groups
+objectClass: top
+objectClass: organizationalUnit
+
+%for %%group, %%members in %%groups.items()
+dn: cn=%%group,%%groupdn
+cn: %%group
+objectclass: top
+objectclass: groupOfNames
+ %for %%member in %%members
+member: %%member
+ %end for
+
+%end for
diff --git a/seed/applicationservice/2022.03.08/openldap/templates/users_mod.ldif b/seed/applicationservice/2022.03.08/openldap/templates/users_mod.ldif
index d22294dc..90427daf 100644
--- a/seed/applicationservice/2022.03.08/openldap/templates/users_mod.ldif
+++ b/seed/applicationservice/2022.03.08/openldap/templates/users_mod.ldif
@@ -8,7 +8,7 @@ userPassword:: %%ssha_encode(%%accounts['remote_' + %%name]['password_' + %%name
 
 %end for
 # Users
-%set %%users = %%calc_ldapclient_base_dn(%%ldap_base_dn, '')
+%set %%users = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, '')
 %for %%user in %%accounts.users.ldap_user_mail
 dn: cn=%%user,%%users
 changetype: modify
@@ -26,7 +26,7 @@ mailLocalAddress: %%alias
 %end for
 # Families
 %for %%family in %%accounts.families
-  %set %%families = %%calc_ldapclient_base_dn(%%ldap_base_dn, %%family)
+  %set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, %%family)
   %for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
 dn: cn=%%user,%%families
 changetype: modify
diff --git a/seed/applicationservice/2022.03.08/peertube/dictionaries/30_peertube.xml b/seed/applicationservice/2022.03.08/peertube/dictionaries/30_peertube.xml
index 2d30bd67..d54f2145 100644
--- a/seed/applicationservice/2022.03.08/peertube/dictionaries/30_peertube.xml
+++ b/seed/applicationservice/2022.03.08/peertube/dictionaries/30_peertube.xml
@@ -36,7 +36,9 @@
       <variable name="oauth2_client_logo" redefine='True'>
         <value>silique_video.png</value>
       </variable>
-      <variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
+      <family name="external">
+        <variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
+      </family>
     </family>
     <family name="nginx">
       <family name="revprox_client">
diff --git a/seed/applicationservice/2022.03.08/piwigo/dictionaries/31_piwigo.xml b/seed/applicationservice/2022.03.08/piwigo/dictionaries/31_piwigo.xml
index a00d7b14..9274b5ad 100644
--- a/seed/applicationservice/2022.03.08/piwigo/dictionaries/31_piwigo.xml
+++ b/seed/applicationservice/2022.03.08/piwigo/dictionaries/31_piwigo.xml
@@ -11,7 +11,7 @@
   </services>
   <variables>
     <variable name="piwigo_admin_email" type="mail" description="Adresse courriel de l'administrateur Piwigo" mandatory="True"/>
-    <variable name="piwigo_admin_password" type="password" auto_save="True" hidden="True"/>
+    <variable name="piwigo_admin_password" type="password" auto_save="False" hidden="True"/>
     <family name="nginx">
       <variable name="nginx_root_directory" mandatory="True" redefine="True">
         <value>/usr/local/share/piwigo</value>
@@ -48,6 +48,7 @@
       <param name="username">admin_password</param>
       <param name="description">piwigo</param>
       <param name="type">cleartext</param>
+      <param name="hide" type="variable">hide_secret</param>
       <target>piwigo_admin_password</target>
     </fill>
     <fill name="get_locations">
diff --git a/seed/applicationservice/2022.03.08/pleroma/dictionaries/30_pleroma.xml b/seed/applicationservice/2022.03.08/pleroma/dictionaries/30_pleroma.xml
index 1720529f..b457600c 100644
--- a/seed/applicationservice/2022.03.08/pleroma/dictionaries/30_pleroma.xml
+++ b/seed/applicationservice/2022.03.08/pleroma/dictionaries/30_pleroma.xml
@@ -36,7 +36,9 @@
       <variable name="oauth2_client_logo" redefine='True'>
         <value>silique_video.png</value>
       </variable>
-      <variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
+      <family name="external">
+        <variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
+      </family>
     </family>
     <family name="nginx" description="Reverse proxy">
       <family name="revprox_client" description="Point d'entré des clients" leadership="True">
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/dictionaries/30_postfix.xml b/seed/applicationservice/2022.03.08/postfix-relay/dictionaries/30_postfix.xml
index 37d0f69e..0033df29 100644
--- a/seed/applicationservice/2022.03.08/postfix-relay/dictionaries/30_postfix.xml
+++ b/seed/applicationservice/2022.03.08/postfix-relay/dictionaries/30_postfix.xml
@@ -32,16 +32,18 @@
     </service>
   </services>
   <variables>
-    <variable name="external_ports" redefine="True">
-      <value>25</value>
-    </variable>
+    <family name="network">
+      <variable name="external_ports" redefine="True">
+        <value>25</value>
+      </variable>
+    </family>
     <family name="postfix" description="Postfix mail server">
       <variable name="postfix_mail_hostname" type="domainname" description="Nom de domaine extérieur du serveur de courriel" mandatory="True"/>
       <variable name="postfix_relay_domains" type="domainname" description="Domaine de courriel généré localement" multi="True" mandatory="True" hidden="True"/>
       <variable name='postfix_relay_authentifications' description="CA certificate" hidden='True' multi="True" provider="mail"/>
       <family name="local_authentification_" description="Local server authentification" dynamic='postfix_relay_authentifications'>
         <variable name="local_authentification_ip_" type="ip" provider="mail_ip"/>
-        <variable name="local_authentification_password_" type="secret" auto_save="True" provider="mail_password"/>
+        <variable name="local_authentification_password_" type="secret" auto_save="False" provider="mail_password"/>
       </family>
       <variable name='postfix_pem_files' type="filename" hidden='True' multi='True'/>
     </family>
@@ -63,6 +65,7 @@
       <param name="username" type="suffix"/>
       <param name="description">local authentification</param>
       <param name="type">cleartext</param>
+      <param name="hide" type="variable">hide_secret</param>
       <target>local_authentification_password_</target>
     </fill>
     <fill name="calc_value">
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/templates/ca_MailServer.crt b/seed/applicationservice/2022.03.08/postfix-relay/templates/ca_MailServer.crt
index 8db50d45..13b8d621 100644
--- a/seed/applicationservice/2022.03.08/postfix-relay/templates/ca_MailServer.crt
+++ b/seed/applicationservice/2022.03.08/postfix-relay/templates/ca_MailServer.crt
@@ -1 +1 @@
-%%get_chain(authority_cn=%%domain_name_eth0, authority_name="MailServer")
+%%get_chain(authority_cn=%%domain_name_eth0, authority_name="MailServer", hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/templates/postfix.crt b/seed/applicationservice/2022.03.08/postfix-relay/templates/postfix.crt
index fbd3d864..b9d68a8c 100644
--- a/seed/applicationservice/2022.03.08/postfix-relay/templates/postfix.crt
+++ b/seed/applicationservice/2022.03.08/postfix-relay/templates/postfix.crt
@@ -1 +1 @@
-%%get_certificate(%%domain_name_eth0, 'MailServer')
+%%get_certificate(%%domain_name_eth0, 'MailServer', hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/templates/postfix.key b/seed/applicationservice/2022.03.08/postfix-relay/templates/postfix.key
index 4febac3f..716da9ca 100644
--- a/seed/applicationservice/2022.03.08/postfix-relay/templates/postfix.key
+++ b/seed/applicationservice/2022.03.08/postfix-relay/templates/postfix.key
@@ -1 +1 @@
-%%get_private_key(%%domain_name_eth0, 'MailServer')
+%%get_private_key(cn=%%domain_name_eth0, authority_name='MailServer', hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/templates/sni b/seed/applicationservice/2022.03.08/postfix-relay/templates/sni
index 72acebe8..90df9ab4 100644
--- a/seed/applicationservice/2022.03.08/postfix-relay/templates/sni
+++ b/seed/applicationservice/2022.03.08/postfix-relay/templates/sni
@@ -1,4 +1,4 @@
-%for %%idx in %%range(0, %%number_of_interfaces)
+%for %%idx in %%range(%%len(%%zones_list))
   %set %%domain = %%getVar('domain_name_eth' + %%str(%%idx))
 %%domain /etc/postfix/certs/%%{domain}.pem
 %end for
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/templates/sni.pem b/seed/applicationservice/2022.03.08/postfix-relay/templates/sni.pem
index 8706e9de..92fdfd2b 100644
--- a/seed/applicationservice/2022.03.08/postfix-relay/templates/sni.pem
+++ b/seed/applicationservice/2022.03.08/postfix-relay/templates/sni.pem
@@ -1,4 +1,4 @@
-%set %%chain = %%get_chain(authority_cn=%%rougail_variable, authority_name="MailRelay")
-%set %%cert = %%get_certificate(%%rougail_variable, 'MailRelay')
-%%get_private_key(%%rougail_variable, 'MailRelay')
+%set %%chain = %%get_chain(authority_cn=%%rougail_variable, authority_name="MailRelay", hide=%%hide_secret)
+%set %%cert = %%get_certificate(cn=%%rougail_variable, authority_name='MailRelay', hide=%%hide_secret)
+%%get_private_key(cn=%%rougail_variable, authority_name='MailRelay', hide=%%hide_secret)
 %%cert
diff --git a/seed/applicationservice/2022.03.08/postgresql-client/templates/ca_PostgreSQL.crt b/seed/applicationservice/2022.03.08/postgresql-client/templates/ca_PostgreSQL.crt
index d7868fd1..72b8123c 100644
--- a/seed/applicationservice/2022.03.08/postgresql-client/templates/ca_PostgreSQL.crt
+++ b/seed/applicationservice/2022.03.08/postgresql-client/templates/ca_PostgreSQL.crt
@@ -1,2 +1,2 @@
-%%get_chain(authority_cn=%%pg_client_server_domainname, authority_name="PostgreSQL")
+%%get_chain(authority_cn=%%pg_client_server_domainname, authority_name="PostgreSQL", hide=%%hide_secret)
 
diff --git a/seed/applicationservice/2022.03.08/postgresql-client/templates/postgresql.crt b/seed/applicationservice/2022.03.08/postgresql-client/templates/postgresql.crt
index 1dbbe3db..31d9f7fa 100644
--- a/seed/applicationservice/2022.03.08/postgresql-client/templates/postgresql.crt
+++ b/seed/applicationservice/2022.03.08/postgresql-client/templates/postgresql.crt
@@ -1 +1 @@
-%%get_certificate(cn=%%domain_name_eth0, authority_cn=%%pg_client_server_domainname, authority_name='PostgreSQL', type="client")
+%%get_certificate(cn=%%domain_name_eth0, authority_cn=%%pg_client_server_domainname, authority_name='PostgreSQL', type="client", hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/postgresql-client/templates/postgresql.key b/seed/applicationservice/2022.03.08/postgresql-client/templates/postgresql.key
index 316de5e6..f87d892a 100644
--- a/seed/applicationservice/2022.03.08/postgresql-client/templates/postgresql.key
+++ b/seed/applicationservice/2022.03.08/postgresql-client/templates/postgresql.key
@@ -1 +1 @@
-%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%pg_client_server_domainname, authority_name='PostgreSQL', type="client")
+%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%pg_client_server_domainname, authority_name='PostgreSQL', type="client", hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/postgresql-client/templates/postgresqlclient.service b/seed/applicationservice/2022.03.08/postgresql-client/templates/postgresqlclient.service
index c25764ad..0dc6a152 100644
--- a/seed/applicationservice/2022.03.08/postgresql-client/templates/postgresqlclient.service
+++ b/seed/applicationservice/2022.03.08/postgresql-client/templates/postgresqlclient.service
@@ -5,5 +5,5 @@ Before=network.target
 [Service]
 Type=oneshot
 Environment=PGPASSFILE=/usr/local/lib/secrets/postgresql.pass
-ExecStart=/usr/bin/timeout 90 sh -c 'while ! 3<> /dev/tcp/%%pg_client_server_domainname/5432; do sleep 1; done; echo "POSTGRESQL STARTED"'
-ExecStart=/usr/bin/timeout 90 sh -c 'while ! /usr/bin/psql --set=sslmode=verify-full -h %%pg_client_server_domainname -U %%pg_client_username %%pg_client_database -c "\l"; do sleep 1; done; echo "POSTGRESQL READY"'
+ExecStart=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/%%pg_client_server_domainname/5432; do sleep 1; done; echo "POSTGRESQL STARTED"'
+ExecStart=/usr/bin/timeout 90 bash -c 'while ! /usr/bin/psql --set=sslmode=verify-full -h %%pg_client_server_domainname -U %%pg_client_username %%pg_client_database -c "\l"; do sleep 1; done; echo "POSTGRESQL READY"'
diff --git a/seed/applicationservice/2022.03.08/postgresql/templates/ca_PostgreSQL.crt b/seed/applicationservice/2022.03.08/postgresql/templates/ca_PostgreSQL.crt
index 25cbe11a..4abf995f 100644
--- a/seed/applicationservice/2022.03.08/postgresql/templates/ca_PostgreSQL.crt
+++ b/seed/applicationservice/2022.03.08/postgresql/templates/ca_PostgreSQL.crt
@@ -1 +1 @@
-%%get_chain(authority_cn=%%domain_name_eth0, authority_name="PostgreSQL")
+%%get_chain(authority_cn=%%domain_name_eth0, authority_name="PostgreSQL", hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/postgresql/templates/postgresql.crt b/seed/applicationservice/2022.03.08/postgresql/templates/postgresql.crt
index 9b858de1..a8c406b3 100644
--- a/seed/applicationservice/2022.03.08/postgresql/templates/postgresql.crt
+++ b/seed/applicationservice/2022.03.08/postgresql/templates/postgresql.crt
@@ -1 +1 @@
-%%get_certificate(%%domain_name_eth0, 'PostgreSQL')
+%%get_certificate(%%domain_name_eth0, 'PostgreSQL', hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/postgresql/templates/postgresql.key b/seed/applicationservice/2022.03.08/postgresql/templates/postgresql.key
index 929a99b0..fe777130 100644
--- a/seed/applicationservice/2022.03.08/postgresql/templates/postgresql.key
+++ b/seed/applicationservice/2022.03.08/postgresql/templates/postgresql.key
@@ -1 +1 @@
-%%get_private_key(%%domain_name_eth0, 'PostgreSQL')
+%%get_private_key(cn=%%domain_name_eth0, authority_name='PostgreSQL', hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/provider-systemd-machined/dictionaries/10-machined.xml b/seed/applicationservice/2022.03.08/provider-systemd-machined/dictionaries/10-machined.xml
new file mode 100644
index 00000000..16d589e1
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/provider-systemd-machined/dictionaries/10-machined.xml
@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rougail version="0.10">
+  <variables>
+    <variable name="host" type="domainname" description="Machine où est démarré le conteneur" mandatory="True"/>
+  </variables>
+</rougail>
+
diff --git a/seed/applicationservice/2022.03.08/provider-systemd-machined/dictionaries/21-machined.xml b/seed/applicationservice/2022.03.08/provider-systemd-machined/dictionaries/16-machined.xml
similarity index 83%
rename from seed/applicationservice/2022.03.08/provider-systemd-machined/dictionaries/21-machined.xml
rename to seed/applicationservice/2022.03.08/provider-systemd-machined/dictionaries/16-machined.xml
index e4b6b724..0e131b94 100644
--- a/seed/applicationservice/2022.03.08/provider-systemd-machined/dictionaries/21-machined.xml
+++ b/seed/applicationservice/2022.03.08/provider-systemd-machined/dictionaries/16-machined.xml
@@ -9,26 +9,28 @@
     </service>
   </services>
   <variables>
+    <variable name="link_configurations" redefine="True" disabled="True"/>
     <variable name="container_srv_path" type="filename" description="Nom du répertoire racine des données">
       <value>/var/lib/risotto/srv</value>
     </variable>
+    <variable name="srv_dir" description='Nom du répertoire des données' type="filename" hidden="True"/>
     <variable name="container_config_path" type="filename" description="Nom du répertoire racine des configurations">
       <value>/var/lib/risotto/configurations</value>
     </variable>
+    <variable name="config_dir" description='Nom du répertoire des configurations' type="filename" hidden="True" mandatory="True"/>
     <variable name="container_journal_path" type="filename" description="Nom du répertoire racine des journaux">
       <value>/var/lib/risotto/journals</value>
     </variable>
-    <variable name="host" type="domainname" description="Machine où est démarrer le conteneur" mandatory="True"/>
-    <variable name="external_ports" type="port" description="Port exposé depuis l'extérieur" multi="True"/>
-    <variable name="srv_dir" type="filename" hidden="True"/>
-    <variable name="journal_dir" type="filename" hidden="True" mandatory="True"/>
-    <variable name="config_dir" type="filename" hidden="True" mandatory="True"/>
+    <variable name="journal_dir" description='Nom du répertoire des journaux' type="filename" hidden="True" mandatory="True"/>
     <variable name="use_systemd_repart" redefine="True">
       <value>False</value>
     </variable>
-    <variable name="netwokd_interface_name_type" redefine="True">
-      <value>host</value>
-    </variable>
+    <family name="network">
+      <variable name="external_ports" type="port" description="Ports exposés depuis l'extérieur" multi="True"/>
+      <variable name="netwokd_interface_name_type" redefine="True">
+        <value>host</value>
+      </variable>
+    </family>
   </variables>
   <constraints>
     <condition name="disabled_if_in" source="machine.add_srv">
diff --git a/seed/applicationservice/2022.03.08/provider-systemd-machined/extras/machine/11_systemd.xml b/seed/applicationservice/2022.03.08/provider-systemd-machined/extras/machine/11_systemd.xml
new file mode 100644
index 00000000..44514c6c
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/provider-systemd-machined/extras/machine/11_systemd.xml
@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rougail version="0.10">
+  <variables>
+    <variable name="var_size" disabled="True" redefine="True"/>
+    <variable name="srv_size" disabled="True" redefine="True"/>
+    <variable name='data_disk_size' disabled="True" redefine="True"/>
+    <variable name="add_tmp" disabled="True" redefine="True"/>
+    <variable name="var_tmp_size" disabled="True" redefine="True"/>
+    <variable name="add_swap" disabled="True" redefine="True"/>
+    <variable name="swap_size" disabled="True" redefine="True"/>
+  </variables>
+</rougail>
+
diff --git a/seed/applicationservice/2022.03.08/redis-client/templates/ca_Redis.crt b/seed/applicationservice/2022.03.08/redis-client/templates/ca_Redis.crt
index 2dac58eb..39aadb9b 100644
--- a/seed/applicationservice/2022.03.08/redis-client/templates/ca_Redis.crt
+++ b/seed/applicationservice/2022.03.08/redis-client/templates/ca_Redis.crt
@@ -1 +1 @@
-%%get_chain(authority_cn=%%redis_client_server_domainname, authority_name="Redis")
+%%get_chain(authority_cn=%%redis_client_server_domainname, authority_name="Redis", hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/redis-client/templates/redis.crt b/seed/applicationservice/2022.03.08/redis-client/templates/redis.crt
index d135a14b..cb3ea89f 100644
--- a/seed/applicationservice/2022.03.08/redis-client/templates/redis.crt
+++ b/seed/applicationservice/2022.03.08/redis-client/templates/redis.crt
@@ -1 +1 @@
-%%get_certificate(cn=%%domain_name_eth0, authority_cn=%%redis_client_server_domainname, authority_name='Redis', type="client")
+%%get_certificate(cn=%%domain_name_eth0, authority_cn=%%redis_client_server_domainname, authority_name='Redis', type="client", hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/redis-client/templates/redis.key b/seed/applicationservice/2022.03.08/redis-client/templates/redis.key
index 672f29f9..af63fbc5 100644
--- a/seed/applicationservice/2022.03.08/redis-client/templates/redis.key
+++ b/seed/applicationservice/2022.03.08/redis-client/templates/redis.key
@@ -1 +1 @@
-%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%redis_client_server_domainname, authority_name='Redis', type="client")
+%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%redis_client_server_domainname, authority_name='Redis', type="client", hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/redis-client/templates/redis.pem b/seed/applicationservice/2022.03.08/redis-client/templates/redis.pem
index 00f8956d..618f1e99 100644
--- a/seed/applicationservice/2022.03.08/redis-client/templates/redis.pem
+++ b/seed/applicationservice/2022.03.08/redis-client/templates/redis.pem
@@ -1,5 +1,5 @@
-%set %%ca_chain = %%get_chain(authority_cn=%%redis_client_server_domainname, authority_name="Redis")
-%set %%cert = %%get_certificate(cn=%%domain_name_eth0, authority_cn=%%redis_client_server_domainname, authority_name='Redis', type="client")
-%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%redis_client_server_domainname, authority_name='Redis', type="client")
+%set %%ca_chain = %%get_chain(authority_cn=%%redis_client_server_domainname, authority_name="Redis", hide=%%hide_secret)
+%set %%cert = %%get_certificate(cn=%%domain_name_eth0, authority_cn=%%redis_client_server_domainname, authority_name='Redis', type="client", hide=%%hide_secret)
+%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%redis_client_server_domainname, authority_name='Redis', type="client", hide=%%hide_secret)
 %%cert
 %%ca_chain
diff --git a/seed/applicationservice/2022.03.08/redis/extras/account/00_account.xml b/seed/applicationservice/2022.03.08/redis/extras/account/00_account.xml
index fad45fc9..3202ce19 100644
--- a/seed/applicationservice/2022.03.08/redis/extras/account/00_account.xml
+++ b/seed/applicationservice/2022.03.08/redis/extras/account/00_account.xml
@@ -3,7 +3,7 @@
   <variables>
     <variable name="remote" description="Remote client needing an account" type="domainname" provider="redis_client" mandatory="True"/>
     <variable name="remote_ip" description="Remote IP" type="ip" provider="redis_client_ip" mandatory="True"/>
-    <variable name="password" auto_save="True" hidden="True" type="password" mandatory="True" provider="redis_client_password"/>
+    <variable name="password" auto_save="False" hidden="True" type="password" mandatory="True" provider="redis_client_password"/>
   </variables>
   <constraints>
     <fill name="get_password">
@@ -11,6 +11,7 @@
       <param name="username" type="variable">account.remote</param>
       <param name="description">redis</param>
       <param name="type">cleartext</param>
+      <param name="hide" type="variable">hide_secret</param>
       <target>account.password</target>
     </fill>
   </constraints>
diff --git a/seed/applicationservice/2022.03.08/redis/templates/ca_Redis.crt b/seed/applicationservice/2022.03.08/redis/templates/ca_Redis.crt
index f9587634..bcf1212c 100644
--- a/seed/applicationservice/2022.03.08/redis/templates/ca_Redis.crt
+++ b/seed/applicationservice/2022.03.08/redis/templates/ca_Redis.crt
@@ -1 +1 @@
-%%get_chain(authority_cn=%%domain_name_eth0, authority_name="Redis")
+%%get_chain(authority_cn=%%domain_name_eth0, authority_name="Redis", hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/redis/templates/redis.crt b/seed/applicationservice/2022.03.08/redis/templates/redis.crt
index 93f26f88..48c6f25c 100644
--- a/seed/applicationservice/2022.03.08/redis/templates/redis.crt
+++ b/seed/applicationservice/2022.03.08/redis/templates/redis.crt
@@ -1 +1 @@
-%%get_certificate(%%domain_name_eth0, 'Redis')
+%%get_certificate(%%domain_name_eth0, 'Redis', hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/redis/templates/redis.key b/seed/applicationservice/2022.03.08/redis/templates/redis.key
index 3e26e9c0..4865bc0c 100644
--- a/seed/applicationservice/2022.03.08/redis/templates/redis.key
+++ b/seed/applicationservice/2022.03.08/redis/templates/redis.key
@@ -1 +1 @@
-%%get_private_key(%%domain_name_eth0, 'Redis')
+%%get_private_key(cn=%%domain_name_eth0, authority_name='Redis', hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/relay-mail-client/templates/ca_MailRelay.crt b/seed/applicationservice/2022.03.08/relay-mail-client/templates/ca_MailRelay.crt
index 8ffa12ca..e210e25e 100644
--- a/seed/applicationservice/2022.03.08/relay-mail-client/templates/ca_MailRelay.crt
+++ b/seed/applicationservice/2022.03.08/relay-mail-client/templates/ca_MailRelay.crt
@@ -1 +1 @@
-%%get_chain(%%smtp_relay_address, authority_name='MailRelay')
+%%get_chain(%%smtp_relay_address, authority_name='MailRelay', hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/ca_InternalReverseProxy.crt b/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/ca_InternalReverseProxy.crt
index 64f7daca..59b5b7a9 100644
--- a/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/ca_InternalReverseProxy.crt
+++ b/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/ca_InternalReverseProxy.crt
@@ -1 +1 @@
-%%get_chain(%%revprox_client_server_domainname, authority_name='InternalReverseProxy')
+%%get_chain(%%revprox_client_server_domainname, authority_name='InternalReverseProxy', hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/revprox.crt b/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/revprox.crt
index 4ea9946c..9a430003 100644
--- a/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/revprox.crt
+++ b/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/revprox.crt
@@ -1,2 +1,2 @@
-%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type="server")
-%%get_chain(%%revprox_client_server_domainname, 'InternalReverseProxy')
+%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type="server", hide=%%hide_secret)
+%%get_chain(%%revprox_client_server_domainname, 'InternalReverseProxy', hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/revprox.key b/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/revprox.key
index a02eba1e..56d50e1e 100644
--- a/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/revprox.key
+++ b/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/revprox.key
@@ -1 +1 @@
-%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type='server')
+%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type='server', hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/roundcube/dictionaries/31_roundcube.xml b/seed/applicationservice/2022.03.08/roundcube/dictionaries/31_roundcube.xml
index 487cdbdb..1250b6c3 100644
--- a/seed/applicationservice/2022.03.08/roundcube/dictionaries/31_roundcube.xml
+++ b/seed/applicationservice/2022.03.08/roundcube/dictionaries/31_roundcube.xml
@@ -4,7 +4,7 @@
     <service name="roundcube" engine="creole" target="multi-user">
       <file owner="root" group="nginx" mode="640">/etc/roundcubemail/config.inc.php</file>
       <file>/etc/nginx/default.d/roundcubemail.conf</file>
-      <file source="domain.inc.php">/etc/roundcubemail/courriel.cloud.silique.fr.inc.php</file>
+      <file source="domain.inc.php" file_type="variable" variable="roundcube_domains">roundcube_config</file>
       <file>/secrets/roundcube-init.php</file>
       <file engine="none">/static/silique_cloud.svg</file>
       <file engine="none">/static/watermark.html</file>
@@ -13,7 +13,13 @@
   </services>
   <variables>
     <family name="roundcube" description="Interface web de consultation des courriels Roundcube">
-      <variable name="roundcube_des_key" type="secret" auto_freeze="True" hidden="True"/>
+      <variable name="roundcube_des_key" type="secret" auto_save="False" hidden="True"/>
+      <variable name="roundcube_config" type="filename" hidden="True" multi="True"/>
+      <family name="roundcube_domain" leadership="True">
+        <variable name="roundcube_domains" type="domainname" description="Nom de domaines d'accès à Roundcube" multi="True" mandatory="True"/>
+        <variable name="roundcube_mail_domain" type="domainname" description="Nom de domaines des courriels" mandatory="True"/>
+        <variable name="roundcube_family" type="unix_user" description="Nom de la famille"/>
+      </family>
     </family>
     <family name="oauth2_client">
       <variable name="oauth2_is_client_application" redefine='True'>
@@ -31,7 +37,9 @@
       <variable name="oauth2_client_logo" redefine='True'>
         <value>silique_email.png</value>
       </variable>
-      <variable name="oauth2_client_external" redefine="True" multi='True'/>
+      <family name="external">
+        <variable name="oauth2_client_external" redefine="True" multi='True'/>
+      </family>
     </family>
     <family name="nginx">
       <variable name="nginx_root" redefine="True">
@@ -40,6 +48,12 @@
       <variable name="revprox_client_local_location" redefine="True">
         <value>/</value>
       </variable>
+      <variable name="revprox_client_external_domainnames" redefine="True" hidden="True"/>
+    </family>
+    <family name="annuaire">
+      <family name="client">
+        <variable name='ldapclient_family' redefine="True" hidden="True"/>
+      </family>
     </family>
   </variables>
   <constraints>
@@ -48,7 +62,24 @@
       <param name="username">roundcube</param>
       <param name="description">des_key</param>
       <param name="type">cleartext</param>
+      <param name="hide" type="variable">hide_secret</param>
       <target>roundcube_des_key</target>
     </fill>
+    <fill name="calc_value">
+      <param>/etc/roundcubemail/</param>
+      <param type="variable">roundcube_domains</param>
+      <param>.inc.php</param>
+      <param name="join"></param>
+      <param name="multi" type="boolean">True</param>
+      <target>roundcube_config</target>
+    </fill>
+    <fill name="calc_value">
+      <param type="variable">roundcube_domains</param>
+      <target>revprox_client_external_domainnames</target>
+    </fill>
+    <fill name="calc_roundcube_family">
+      <param type="variable">roundcube_family</param>
+      <target>ldapclient_family</target>
+    </fill>
   </constraints>
 </rougail>
diff --git a/seed/applicationservice/2022.03.08/roundcube/funcs/roundcube.py b/seed/applicationservice/2022.03.08/roundcube/funcs/roundcube.py
new file mode 100644
index 00000000..9d99bfa3
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/roundcube/funcs/roundcube.py
@@ -0,0 +1,10 @@
+def calc_roundcube_family(families):
+    if not families:
+        return
+    uniq_fam = set(families)
+    if len(set(families)) > 1:
+        return 'all'
+    if not uniq_fam[0]:
+        return
+    return uniq_fam[0]
+
diff --git a/seed/applicationservice/2022.03.08/roundcube/templates/ca_MailServer.crt b/seed/applicationservice/2022.03.08/roundcube/templates/ca_MailServer.crt
index b379d100..ab69613a 100644
--- a/seed/applicationservice/2022.03.08/roundcube/templates/ca_MailServer.crt
+++ b/seed/applicationservice/2022.03.08/roundcube/templates/ca_MailServer.crt
@@ -1 +1 @@
-%%get_chain(%%imap_address, 'MailServer')
+%%get_chain(%%imap_address, 'MailServer', hide=%%hide_secret)
diff --git a/seed/applicationservice/2022.03.08/roundcube/templates/config.inc.php b/seed/applicationservice/2022.03.08/roundcube/templates/config.inc.php
index c80512aa..9fc53716 100644
--- a/seed/applicationservice/2022.03.08/roundcube/templates/config.inc.php
+++ b/seed/applicationservice/2022.03.08/roundcube/templates/config.inc.php
@@ -763,7 +763,10 @@ $config['useragent'] = null;
 // try to load host-specific configuration
 // see https://github.com/roundcube/roundcubemail/wiki/Configuration:-Multi-Domain-Setup
 // for more details
-$config['include_host_config'] = array("%%revprox_client_external_domainname" => "%%{revprox_client_external_domainname}.inc.php"
+$config['include_host_config'] = array(
+%for %%domain in %%roundcube_domains
+  "%%domain" => "%%{domain}.inc.php",
+%end for
 );
 
 // path to a text file which will be added to each sent message
diff --git a/seed/applicationservice/2022.03.08/roundcube/templates/domain.inc.php b/seed/applicationservice/2022.03.08/roundcube/templates/domain.inc.php
index 1e0bd579..a3692a7f 100644
--- a/seed/applicationservice/2022.03.08/roundcube/templates/domain.inc.php
+++ b/seed/applicationservice/2022.03.08/roundcube/templates/domain.inc.php
@@ -1,5 +1,9 @@
 <?php
 #>GNUNUX
+%set %%domain = %%roundcube_domains[%%rougail_index]
+$config['login_username_filter'] = '/^[a-z0-9_]+@%%{domain.roundcube_mail_domain}$/';
+%set %%family =  %%domain.roundcube_family
+%if %%family
 $config['ldap_public'] = array (
   'Local' => array (
     'name' => "Ma famille",
@@ -9,12 +13,12 @@ $config['ldap_public'] = array (
     'port' => 636,
     'use_tls' => false,
     'bind_user' => '',
-    'bind_dn' => '%%ldapclient_remote_user',
-    'bind_pass' => '%%ldapclient_remote_user_password',
+    'bind_dn' => '%%ldapclient_user',
+    'bind_pass' => '%%ldapclient_user_password',
     'auth_method'    => '',
     'vlv' => false, //Samba do not support Virtual List View functions
     'user_specific' => false,
-    'base_dn' => 'ou=%%ldapclient_family,ou=families,%%ldap_base_dn',
+    'base_dn' => '%%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=%%family)',
     'writable' => false,
     'required_fields' =>  array (
       0 => 'cn',
@@ -45,5 +49,6 @@ $config['ldap_public'] = array (
       ),
   ),
 );
+%end if
 #<GNUNUX
 ?>
diff --git a/seed/applicationservice/2022.03.08/server/extras/accounts/00_accounts.xml b/seed/applicationservice/2022.03.08/server/extras/accounts/00_accounts.xml
index 9b7670bc..7f8a1f01 100644
--- a/seed/applicationservice/2022.03.08/server/extras/accounts/00_accounts.xml
+++ b/seed/applicationservice/2022.03.08/server/extras/accounts/00_accounts.xml
@@ -3,7 +3,7 @@
   <variables>
     <variable name="remotes" description="Remote clients needing an account" type="domainname" multi="True" provider="clients"/>
     <family name="remote_" description="Account for " dynamic="accounts.remotes">
-      <variable name="password_" description="Remote password" auto_save="True" hidden="True" type="password" mandatory="True" provider="client_password"/>
+      <variable name="password_" description="Remote password" auto_save="False" hidden="True" type="password" mandatory="True" provider="client_password"/>
       <variable name="remote_ip_" description="Remote IP" type="ip" hidden="True" provider="client_ip"/>
     </family>
   </variables>
@@ -13,6 +13,7 @@
       <param name="username" type="suffix"/>
       <param name="description">remote</param>
       <param name="type">cleartext</param>
+      <param name="hide" type="variable">hide_secret</param>
       <target>accounts.remote_.password_</target>
     </fill>
   </constraints>
diff --git a/seed/applicationservice/2022.03.08/systemd/dictionaries/00-systemd.xml b/seed/applicationservice/2022.03.08/systemd/dictionaries/15-systemd.xml
similarity index 78%
rename from seed/applicationservice/2022.03.08/systemd/dictionaries/00-systemd.xml
rename to seed/applicationservice/2022.03.08/systemd/dictionaries/15-systemd.xml
index 1971317c..6819b861 100644
--- a/seed/applicationservice/2022.03.08/systemd/dictionaries/00-systemd.xml
+++ b/seed/applicationservice/2022.03.08/systemd/dictionaries/15-systemd.xml
@@ -31,14 +31,16 @@
     </service>
   </services>
   <variables>
-    <variable name="netwokd_configurations" type="filename" multi="True" hidden="True"/>
-    <variable name="netwokd_interface_name_type" type="string" hidden="True">
-      <value>zone_name</value>
-    </variable>
-    <variable name="link_configurations" type="filename" multi="True" hidden="True"/>
-    <variable name="use_systemd_repart" type="boolean" hidden="True"/>
-    <family name="general">
-      <variable name='root_password' type="password" description="Mot de passe de l'administrateur système root" auto_save='True' mandatory="True"/>
+    <variable name='root_password' type="password" description="Mot de passe de l'administrateur système root" auto_save='False' mandatory="True"/>
+    <variable name="link_configurations" description='Nom des fichiers "link" networkd' type="filename" multi="True" hidden="True"/>
+    <variable name="use_systemd_repart" description='Activer le partitionnement systemd' type="boolean" hidden="True"/>
+    <family name="network">
+      <variable name="netwokd_configurations" description="Nom des fichiers de configuration du réseau networkd" type="filename" multi="True" hidden="True"/>
+      <variable name="netwokd_interface_name_type" description="Type de réseau networkd" type="choice" hidden="True">
+        <choice>zone_name</choice>
+        <choice>host</choice>
+        <value>zone_name</value>
+      </variable>
     </family>
   </variables>
   <constraints>
@@ -48,6 +50,7 @@
       <param name="description">local connection</param>
       <param name="type">cleartext</param>
       <param name="temporary" type="boolean">True</param>
+      <param name="hide" type="variable">hide_secret</param>
       <target>root_password</target>
     </fill>
     <fill name="calc_value">
diff --git a/seed/applicationservice/2022.03.08/unbound/dictionaries/20_unbound.xml b/seed/applicationservice/2022.03.08/unbound/dictionaries/20_unbound.xml
index 26dd7f41..5459f621 100644
--- a/seed/applicationservice/2022.03.08/unbound/dictionaries/20_unbound.xml
+++ b/seed/applicationservice/2022.03.08/unbound/dictionaries/20_unbound.xml
@@ -16,7 +16,7 @@
     <service name='unbound-keygen' disabled="True"/>
   </services>
   <variables>
-    <family name="dns" description="DNS">
+    <family name="network">
       <variable name="dns_client_address" redefine="True" disabled="True"/>
       <variable name="ip_dns" redefine="True" remove_fill="True"/>
     </family>
diff --git a/seed/applicationservice/2022.03.08/unbound/templates/risotto.conf b/seed/applicationservice/2022.03.08/unbound/templates/risotto.conf
index c488c411..9032e980 100644
--- a/seed/applicationservice/2022.03.08/unbound/templates/risotto.conf
+++ b/seed/applicationservice/2022.03.08/unbound/templates/risotto.conf
@@ -1,11 +1,11 @@
 server:
-%for %%interface in %%interfaces_list
+%for %%interface in %%range(%%len(%%zones_list))
     interface: %%getVar('ip_eth' + %%str(%%interface))
 %end for
     do-ip4: yes
     do-ip6: no
     use-syslog: yes
-%for %%interface in %%interfaces_list
+%for %%interface in %%range(%%len(%%zones_list))
     access-control: %%getVar('ip_eth' + %%str(%%interface)) allow
 %end for
 %for %%allowed in %%unbound_allowed_client
diff --git a/seed/applicationservice/2022.03.08/vaultwarden/dictionaries/40_vaultwarden.xml b/seed/applicationservice/2022.03.08/vaultwarden/dictionaries/40_vaultwarden.xml
index 9a9b7e44..3bf7973b 100644
--- a/seed/applicationservice/2022.03.08/vaultwarden/dictionaries/40_vaultwarden.xml
+++ b/seed/applicationservice/2022.03.08/vaultwarden/dictionaries/40_vaultwarden.xml
@@ -22,12 +22,12 @@
       </variable>
     </family>
     <family name="vaultwarden" description="Vaultwarden">
-      <variable name="password_admin_username" description="Nom de l'utilisateur Risotto de Vaultwarden" auto_freeze="True">
+      <variable name="password_admin_username" description="Nom de l'utilisateur Risotto de Vaultwarden" auto_save="False">
         <value>risotto</value>
       </variable>
       <variable name="vaultwarden_admin_email" type="mail" description="Adresse courriel de l'utilisateur Risotto" mandatory="True"/>
-      <variable name="vaultwarden_admin_password" type="password" description="Mot de passe de l'utilisateur Risotto" auto_save="True" hidden="True"/>
-      <variable name="vaultwarden_device_identifier" description="Identifiant de l'appareil se connectant" auto_save="True" hidden="True"/>
+      <variable name="vaultwarden_admin_password" type="password" description="Mot de passe de l'utilisateur Risotto" auto_save="False" hidden="True"/>
+      <variable name="vaultwarden_device_identifier" description="Identifiant de l'appareil se connectant" auto_save="False" hidden="True"/>
       <variable name="vaultwarden_length" type="number" description="Taille par défaut du mot de passe">
         <value>20</value>
       </variable>
@@ -48,6 +48,7 @@
       <param name="description">vaultwarden</param>
       <param name="type">cleartext</param>
       <target>vaultwarden_admin_password</target>
+      <param name="hide" type="variable">hide_secret</param>
     </fill>
     <fill name="gen_uuid">
       <target>vaultwarden_device_identifier</target>
diff --git a/seed/applicationservice/2022.03.08/vaultwarden/templates/vaultwarden_config.env b/seed/applicationservice/2022.03.08/vaultwarden/templates/vaultwarden_config.env
index f90aa81e..e87abe1c 100644
--- a/seed/applicationservice/2022.03.08/vaultwarden/templates/vaultwarden_config.env
+++ b/seed/applicationservice/2022.03.08/vaultwarden/templates/vaultwarden_config.env
@@ -308,6 +308,7 @@ DOMAIN=https://%%revprox_client_external_domainname%%location
 # ROCKET_WORKERS=10
 # ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}
 #>GNUNUX
+ROCKET_ADDRESS=0.0.0.0
 ROCKET_PORT=443
 ROCKET_TLS='{certs="/etc/pki/tls/certs/revprox.crt",key="/etc/pki/tls/private/revprox.key"}'
 #<GNUNUX