feat: upgrate to format 1.1

2024-10-01 13:18:45 +02:00 · 2024-10-01 13:18:45 +02:00 · 43b00863ae
commit 43b00863ae
parent 0df0c1e80b
246 changed files with 4768 additions and 3926 deletions
--- a/seed/apache/applicationservice.yml
+++ b/seed/apache/applicationservice.yml
@ -1,3 +1,4 @@
+---
 format: '0.1'
 description: Apache as web server
 website: https://httpd.apache.org/
--- a/seed/apache/dictionaries/20_web.xml
+++ b/seed/apache/dictionaries/20_web.xml
@ -1,25 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<rougail version="0.10">
-  <services>
-    <service name="httpd" target="multi-user">
-      <file engine="none">/etc/httpd/conf/httpd.conf</file>
-      <file engine="ansible">/etc/httpd/conf.d/risotto.conf</file>
-      <file engine="ansible">/etc/httpd/conf.d/ssl.conf</file>
-      <file engine="none" source="sysuser-httpd.conf">/sysusers.d/httpd.conf</file>
-      <file engine="none" source="tmpfile-httpd.conf">/tmpfiles.d/0httpd.conf</file>
-    </service>
-  </services>
-  <variables>
-    <family name="nginx">
-      <variable name="php_fpm_user" redefine="True" exists="True">
-        <value>apache</value>
-      </variable>
-    </family>
-    <family name="apache" description="Apache" help="Advance Apache web server settings" mode="expert">
-      <variable name="apache_timeout" type="number" description="Amount of time the server will wait for certain events before failing a request" help="Time in seconds">
-        <value>300</value>
-      </variable>
-      <variable name="apache_keepalive" type="boolean" description="Enables HTTP persistent connections" mode="expert"/>
-    </family>
-  </variables>
-</rougail>
--- a/seed/apache/dictionaries/20_web.yml
+++ b/seed/apache/dictionaries/20_web.yml
@ -0,0 +1,23 @@
+---
+version: 1.1
+
+nginx:
+
+  php_fpm_user:
+    redefine: true
+    exists: true
+    default: apache
+
+apache:
+  description: Apache
+  help: Advance Apache web server settings
+  mode: advanced
+
+  apache_timeout:
+    description: >-
+      Amount of time the server will wait for certain events before failing a
+      request
+    help: Time in seconds
+    default: 300
+
+  apache_keepalive: true  # Enables HTTP persistent connections
--- a/seed/base-debian-bullseye/applicationservice.yml
+++ b/seed/base-debian-bullseye/applicationservice.yml
@ -1,3 +1,4 @@
+---
 format: '0.1'
 description: Base information of a Debian Bulleye server
 website: https://www.debian.org/
--- a/seed/base-debian-bullseye/dictionaries/00_debian-bullseye.xml
+++ b/seed/base-debian-bullseye/dictionaries/00_debian-bullseye.xml
@ -1,13 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<rougail version="0.10">
-  <services>
-    <service name="dnssec" manage="False">
-      <file engine="ansible">/etc/dnssec-trust-anchors.d/local.negative</file>
-    </service>
-  </services>
-  <variables>
-    <variable name="os_version" type="string" description="Version de l'OS" hidden="True">
-      <value>bullseye</value>
-    </variable>
-  </variables>
-</rougail>
--- a/seed/base-debian-bullseye/dictionaries/00_debian-bullseye.yml
+++ b/seed/base-debian-bullseye/dictionaries/00_debian-bullseye.yml
@ -0,0 +1,7 @@
+---
+version: 1.1
+
+os_version:
+  description: Version de l'OS
+  hidden: true
+  default: bullseye
--- a/seed/base-debian/applicationservice.yml
+++ b/seed/base-debian/applicationservice.yml
@ -1,3 +1,4 @@
+---
 format: '0.1'
 description: Base information of a Debian server
 website: https://www.debian.org/
--- a/seed/base-debian/dictionaries/11_debian-base.xml
+++ b/seed/base-debian/dictionaries/11_debian-base.xml
@ -1,26 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<rougail version="0.10">
-  <services>
-    <service name="systemd-networkd">
-      <override engine="none"/>
-    </service>
-    <service name='logrotate' disabled="True"/>
-    <service name="debian" manage="False">
-      <file engine="none" source="tmpfile-tmp.conf">/tmpfiles.d/0tmp.conf</file>
-      <file engine="none">/etc/default/locale</file>
-      <file engine="none" source="sysuser-debian.conf">/sysusers.d/debian.conf</file>
-    </service>
-    <service name='apt-daily' disabled="True"/>
-    <service name='apt-daily' disabled="True" type="timer"/>
-    <service name='apt-daily-upgrade' disabled="True"/>
-    <service name='apt-daily-upgrade' disabled="True" type="timer"/>
-    <service name='avahi-daemon' disabled="True"/>
-    <service name='cron' disabled="True"/>
-  </services>
-  <variables>
-    <variable name="os_name" type="string" description="Nom de l'OS" hidden="True">
-      <value>Debian</value>
-    </variable>
-  </variables>
-</rougail>
-
--- a/seed/base-debian/dictionaries/11_debian-base.yml
+++ b/seed/base-debian/dictionaries/11_debian-base.yml
@ -0,0 +1,7 @@
+---
+version: 1.1
+
+os_name:
+  description: Nom de l'OS
+  hidden: true
+  default: Debian
--- a/seed/base-debian/dictionaries/17_debian-base.xml
+++ b/seed/base-debian/dictionaries/17_debian-base.xml
@ -1,17 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<rougail version="0.10">
-  <services>
-    <service name="update-ca-certificates" engine="ansible" target="multi-user"/>
-  </services>
-  <variables>
-    <variable name="tls_ca_directory" type="filename" description="Répertoire des autorités de certification" hidden="True">
-      <value>/etc/ssl-localca</value>
-    </variable>
-    <variable name="tls_cert_directory" type="filename" description="Répertoire des certificats" hidden="True">
-      <value>/etc/ssl/certs</value>
-    </variable>
-    <variable name="tls_key_directory" type="filename" description="Répertoire des clefs privés" hidden="True">
-      <value>/etc/ssl/private</value>
-    </variable>
-  </variables>
-</rougail>
--- a/seed/base-debian/dictionaries/17_debian-base.yml
+++ b/seed/base-debian/dictionaries/17_debian-base.yml
@ -0,0 +1,20 @@
+---
+version: 1.1
+
+tls_ca_directory:
+  type: unix_filename
+  description: Répertoire des autorités de certification
+  hidden: true
+  default: /etc/ssl-localca
+
+tls_cert_directory:
+  type: unix_filename
+  description: Répertoire des certificats
+  hidden: true
+  default: /etc/ssl/certs
+
+tls_key_directory:
+  type: unix_filename
+  description: Répertoire des clefs privés
+  hidden: true
+  default: /etc/ssl/private
--- a/seed/base-fedora-35/applicationservice.yml
+++ b/seed/base-fedora-35/applicationservice.yml
@ -1,3 +1,4 @@
+---
 format: '0.1'
 description: Base information of a Fedora 35
 website: https://getfedora.org/
--- a/seed/base-fedora-35/dictionaries/11_fedora-35.xml
+++ b/seed/base-fedora-35/dictionaries/11_fedora-35.xml
@ -1,8 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<rougail version="0.10">
-  <variables>
-    <variable name="os_version" type="string" description="Version de l'OS" hidden="True">
-      <value>35</value>
-    </variable>
-  </variables>
-</rougail>
--- a/seed/base-fedora-35/dictionaries/11_fedora-35.yml
+++ b/seed/base-fedora-35/dictionaries/11_fedora-35.yml
@ -0,0 +1,7 @@
+---
+version: 1.1
+
+os_version:
+  description: Version de l'OS
+  hidden: true
+  default: '35'
--- a/seed/base-fedora-36/applicationservice.yml
+++ b/seed/base-fedora-36/applicationservice.yml
@ -1,3 +1,4 @@
+---
 format: '0.1'
 description: Base information of a Fedora 36
 website: https://getfedora.org/
--- a/seed/base-fedora-36/dictionaries/11_fedora-version.xml
+++ b/seed/base-fedora-36/dictionaries/11_fedora-version.xml
@ -1,13 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<rougail version="0.10">
-  <services>
-    <service name="base">
-      <file engine="none">/etc/pam.d/login</file>
-    </service>
-  </services>
-  <variables>
-    <variable name="os_version" type="string" description="Version de l'OS" hidden="True">
-      <value>36</value>
-    </variable>
-  </variables>
-</rougail>
--- a/seed/base-fedora-36/dictionaries/11_fedora-version.yml
+++ b/seed/base-fedora-36/dictionaries/11_fedora-version.yml
@ -0,0 +1,7 @@
+---
+version: 1.1
+
+os_version:
+  description: Version de l'OS
+  hidden: true
+  default: '36'
--- a/seed/base-fedora-37/applicationservice.yml
+++ b/seed/base-fedora-37/applicationservice.yml
@ -1,3 +1,4 @@
+---
 format: '0.1'
 description: Base information of a Fedora 37
 website: https://getfedora.org/
--- a/seed/base-fedora-37/dictionaries/11_fedora-version.xml
+++ b/seed/base-fedora-37/dictionaries/11_fedora-version.xml
@ -1,13 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<rougail version="0.10">
-  <!--services>
-    <service name="base">
-      <file engine="none">/etc/pam.d/login</file>
-    </service>
-  </services-->
-  <variables>
-    <variable name="os_version" type="string" description="Version de l'OS" hidden="True">
-      <value>37</value>
-    </variable>
-  </variables>
-</rougail>
--- a/seed/base-fedora-37/dictionaries/11_fedora-version.yml
+++ b/seed/base-fedora-37/dictionaries/11_fedora-version.yml
@ -0,0 +1,7 @@
+---
+version: 1.1
+
+os_version:
+  description: Version de l'OS
+  hidden: true
+  default: '37'
--- a/seed/base-fedora-38/applicationservice.yml
+++ b/seed/base-fedora-38/applicationservice.yml
@ -1,3 +1,4 @@
+---
 format: '0.1'
 description: Base information of a Fedora 38
 website: https://getfedora.org/
--- a/seed/base-fedora-38/dictionaries/11_fedora-version.xml
+++ b/seed/base-fedora-38/dictionaries/11_fedora-version.xml
@ -1,13 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<rougail version="0.10">
-  <!--services>
-    <service name="base">
-      <file engine="none">/etc/pam.d/login</file>
-    </service>
-  </services-->
-  <variables>
-    <variable name="os_version" type="string" description="Version de l'OS" hidden="True">
-      <value>38</value>
-    </variable>
-  </variables>
-</rougail>
--- a/seed/base-fedora-38/dictionaries/11_fedora-version.yml
+++ b/seed/base-fedora-38/dictionaries/11_fedora-version.yml
@ -0,0 +1,7 @@
+---
+version: 1.1
+
+os_version:
+  description: Version de l'OS
+  hidden: true
+  default: '38'
--- a/seed/base-fedora/applicationservice.yml
+++ b/seed/base-fedora/applicationservice.yml
@ -1,3 +1,4 @@
+---
 format: '0.1'
 description: Base information of a Fedora
 website: https://getfedora.org/
--- a/seed/base-fedora/dictionaries/11_fedora-base.xml
+++ b/seed/base-fedora/dictionaries/11_fedora-base.xml
@ -1,15 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<rougail version="0.10">
-  <services>
-    <service name="fedora-base" manage="False">
-      <file engine="none">/tmpfiles.d/fedora.conf</file>
-    </service>
-    <service name='logrotate' disabled="True"/>
-    <service name='logrotate' disabled="True" type="timer"/>
-  </services>
-  <variables>
-    <variable name="os_name" type="string" description="Nom de l'OS" hidden="True">
-      <value>Fedora</value>
-    </variable>
-  </variables>
-</rougail>
--- a/seed/base-fedora/dictionaries/11_fedora-base.yml
+++ b/seed/base-fedora/dictionaries/11_fedora-base.yml
@ -0,0 +1,7 @@
+---
+version: 1.1
+
+os_name:
+  description: Nom de l'OS
+  hidden: true
+  default: Fedora
--- a/seed/base-fedora/dictionaries/17_fedora-base.xml
+++ b/seed/base-fedora/dictionaries/17_fedora-base.xml
@ -1,17 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<rougail version="0.10">
-  <services>
-    <service name="update-ca-trust" engine="ansible" target="multi-user"/>
-  </services>
-  <variables>
-    <variable name="tls_ca_directory" type="filename" description="Nom du répertoire des autorités de certification" hidden="True">
-      <value>/etc/pki/ca-trust/source/anchors</value>
-    </variable>
-    <variable name="tls_cert_directory" type="filename" description="Nom du répertoire des certificats" hidden="True">
-      <value>/etc/pki/tls/certs</value>
-    </variable>
-    <variable name="tls_key_directory" type="filename" description="Nom du répertoire des clefs privés" hidden="True">
-      <value>/etc/pki/tls/private</value>
-    </variable>
-  </variables>
-</rougail>
--- a/seed/base-fedora/dictionaries/17_fedora-base.yml
+++ b/seed/base-fedora/dictionaries/17_fedora-base.yml
@ -0,0 +1,20 @@
+---
+version: 1.1
+
+tls_ca_directory:
+  type: unix_filename
+  description: Nom du répertoire des autorités de certification
+  hidden: true
+  default: /etc/pki/ca-trust/source/anchors
+
+tls_cert_directory:
+  type: unix_filename
+  description: Nom du répertoire des certificats
+  hidden: true
+  default: /etc/pki/tls/certs
+
+tls_key_directory:
+  type: unix_filename
+  description: Nom du répertoire des clefs privés
+  hidden: true
+  default: /etc/pki/tls/private
--- a/seed/base-machine/applicationservice.yml
+++ b/seed/base-machine/applicationservice.yml
@ -1,3 +1,4 @@
+---
 format: '0.1'
 description: Base information for a machine
 depends:
--- a/seed/base-machine/dictionaries/12_base.xml
+++ b/seed/base-machine/dictionaries/12_base.xml
@ -1,60 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<rougail version="0.10">
-  <services>
-    <service name="base" manage="False">
-      <file engine="none">/etc/locale.conf</file>
-    </service>
-  </services>
-  <variables>
-    <variable name="hide_secret" type="boolean" description="Les secrets sont obscurcis" mode="expert" help="Obscurcir les secrets peut permettre de générer des configurations diffusable sans problème de confidentialité ou pour comparer deux configurations générés à des moments différents" hidden="True">
-      <value>False</value>
-    </variable>
-    <family name="base">
-      <variable name="time_zone" provider="Host:time_zone" hidden="True"/>
-    </family>
-    <variable name="module_name" type="string" hidden="True" provider="global:module_name" mandatory="True"/>
-    <family name="network" description="Réseau">
-      <variable name="server_name" description="Nom de domaine du serveur" type="domainname" hidden="True" provider="global:server_name" mandatory="True"/>
-      <variable name="last_server_name" type="domainname" hidden="True"/>
-      <variable name="zones_list" type="string" multi="True" description="Liste de toutes les zones" mandatory="True" hidden="True" provider="global:zones_name"/>
-      <variable name="interfaces_list" type="number" multi="True" description="Liste de tous les numéros d'interfaces" hidden="True" provider="global:zones_list"/>
-      <family name="interface_" description="Interface " dynamic="interfaces_list">
-        <variable name="zone_name_eth" type="string" description="Nom de la zone de l'interface " hidden="True" mandatory="True"/>
-        <variable name="ip_eth" type="ip" description="Adresse IP pour l'interface " hidden="True" mandatory="True"/>
-        <variable name="network_eth" type="network_cidr" description="Réseau de l'interface " hidden="True"/>
-        <variable name="gateway_eth" type="ip" description="La route de l'interface " hidden="True"/>
-        <variable name="domain_name_eth" type="domainname" description="Nom de domaine pour l'interface " mandatory="True" hidden="True" provider="global:server_names"/>
-      </family>
-    </family>
-  </variables>
-  <constraints>
-    <fill name="get_ip">
-      <param type="information">zones</param>
-      <param name="server_name" type="variable">domain_name_eth</param>
-      <target>ip_eth</target>
-    </fill>
-    <fill name="get_zone_name">
-      <param type="variable">zones_list</param>
-      <param name="index" type="suffix"/>
-      <target>zone_name_eth</target>
-    </fill>
-    <fill name="get_zones_info">
-      <param type="information">zones</param>
-      <param>network</param>
-      <param type="variable" name="zone_name">zone_name_eth</param>
-      <target>network_eth</target>
-    </fill>
-    <fill name="get_zones_info">
-      <param type="information">zones</param>
-      <param>host_ip</param>
-      <param type="variable" name="zone_name">zone_name_eth</param>
-      <param name="index" type="suffix"/>
-      <target>gateway_eth</target>
-    </fill>
-    <fill name="get_last_server_name">
-      <param type="variable">domain_name_eth</param>
-      <target>last_server_name</target>
-    </fill>
-  </constraints>
-</rougail>
-
--- a/seed/base-machine/dictionaries/12_base.yml
+++ b/seed/base-machine/dictionaries/12_base.yml
@ -0,0 +1,129 @@
+---
+version: 1.1
+
+hide_secret:
+  description: Les secrets sont obscurcis
+  mode: advanced
+  help: >-
+    Obscurcir les secrets peut permettre de générer des configurations
+    diffusable sans problème de confidentialité ou pour comparer deux
+    configurations générés à des moments différents
+  hidden: true
+  default: false
+
+base:
+
+  time_zone:
+    provider: Host:time_zone
+    hidden: true
+    mandatory: false
+
+module_name:
+  hidden: true
+  provider: global:module_name
+
+network:
+
+  server_name:
+    description: Nom de domaine du serveur
+    type: domainname
+    hidden: true
+    provider: global:server_name
+
+  last_server_name:
+    type: domainname
+    hidden: true
+    default:
+      jinja: >-
+        {%- if domain_name -%}
+        {{ domain_name[-1] }}
+        {%- endif -%}
+      params:
+        domain_name:
+          variable: >-
+            _.interface_{{ suffix }}.domain_name
+
+  zones_list:
+    multi: true
+    description: Liste de toutes les zones
+    hidden: true
+    provider: global:zones_name
+
+  interfaces_list:
+    type: number
+    multi: true
+    description: Liste de tous les numéros d'interfaces
+    hidden: true
+    provider: global:zones_list
+    mandatory: false
+
+  "interface_{{ suffix }}":
+    description: 'Interface {{ suffix }}'
+    dynamic:
+      variable: general.network.interfaces_list
+
+    zone_name:
+      description: "Nom de la zone de l'interface {{ suffix }}"
+      hidden: true
+      default:
+        jinja: >-
+          {%- if __.zones_list -%}
+          {{ __.zones_list[index] }}
+          {%- endif -%}
+        params:
+          index:
+            type: suffix
+
+    ip:
+      type: ip
+      description: "Adresse IP pour l'interface {{ suffix }}"
+      hidden: true
+      default:
+        jinja: >-
+          {{ zones | get_ip(server_name=_.domain_name) }}
+        params:
+          zones:
+            information: zones
+
+    network:
+      type: network_cidr
+      description: "Réseau de l'interface {{ suffix }}"
+      hidden: true
+      default:
+        jinja: >-
+          {{ zones | get_zones_info("network", zone_name=_.zone_name) }}
+        params:
+          zones:
+            information: zones
+
+    gateway:
+      type: ip
+      description: "La route de l'interface {{ suffix }}"
+      hidden: true
+      default:
+        jinja: >-
+          {{ zones | get_zones_info("host_ip",
+                                    zone_name=_.zone_name,
+                                    index=index)
+            }}
+        params:
+          zones:
+            information: zones
+          index:
+            type: suffix
+      disabled:
+        jinja: >-
+          {%- if index == 0 -%}
+          false
+          {%- else -%}
+          true
+          {%- endif -%}
+        params:
+          index:
+            type: suffix
+
+    domain_name:
+      type: domainname
+      description: "Nom de domaine pour l'interface {{ suffix }}"
+      hidden: true
+      provider: global:server_names
--- a/seed/base-machine/extras/machine/00_base.xml
+++ b/seed/base-machine/extras/machine/00_base.xml
@ -1,14 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<rougail version="0.10">
-    <variables>
-        <variable name='name' description="Machine name" type="domainname" hidden="True"/>
-        <variable name='data_disk_size' description="Data disk size" type="number"/>
-    </variables>
-    <constraints>
-        <fill name="calc_value">
-            <param type="variable">server_name</param>
-            <target>machine.name</target>
-        </fill>
-    </constraints>
-</rougail>
-
--- a/seed/base-machine/extras/machine/00_base.yml
+++ b/seed/base-machine/extras/machine/00_base.yml
@ -0,0 +1,14 @@
+---
+version: 1.1
+
+name:
+  description: Machine name
+  type: domainname
+  hidden: true
+  default:
+    variable: general.network.server_name
+
+data_disk_size:
+  description: Data disk size
+  type: number
+  mandatory: false
--- a/seed/base-machine/funcs/funcs.py
+++ b/seed/base-machine/funcs/funcs.py
@ -76,15 +76,3 @@ def _set_password(server_name: str,
    with open(file_name, 'r') as fh:
        file_content = fh.read().strip()
        return file_content
-
-
-def get_zone_name(zones: list,
-                  index: str,
-                  ):
-    if zones is not None:
-        return zones[int(index)]
-
-
-def get_last_server_name(server_names):
-    if server_names:
-        return server_names[-1]
--- a/seed/base/applicationservice.yml
+++ b/seed/base/applicationservice.yml
@ -1,2 +1,3 @@
+---
 format: '0.1'
 description: Base of all application services
--- a/seed/base/dictionaries/00_base.xml
+++ b/seed/base/dictionaries/00_base.xml
@ -1,17 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<rougail version="0.10">
-  <variables>
-    <variable name="copy_tests" type="boolean" mandatory="True" hidden="True"/>
-  </variables>
-  <constraints>
-    <fill name="calc_value">
-      <param type="information">copy_tests</param>
-      <target>copy_tests</target>
-    </fill>
-    <condition name="disabled_if_in" source="copy_tests">
-      <param>False</param>
-      <target type="filelist" optional="True">copy_tests</target>
-    </condition>
-  </constraints>
-</rougail>
-
--- a/seed/base/dictionaries/00_base.yml
+++ b/seed/base/dictionaries/00_base.yml
@ -0,0 +1,16 @@
+---
+version: 1.1
+
+copy_tests:
+  type: boolean
+  hidden: true
+  default:
+    jinja: >-
+      {%- if copy_tests -%}
+      true
+      {%- else -%}
+      false
+      {%- endif -%}
+    params:
+      copy_tests:
+        information: copy_tests
--- a/seed/base/funcs/base.py
+++ b/seed/base/funcs/base.py
@ -60,12 +60,3 @@ def get_zones_info(zones: dict,
            continue
        ret.append(val)
    return ret
-
-
-def get_first_value(lst: list):
-    if lst:
-        if isinstance(lst[0], list):
-            if lst[0] and lst[0][0]:
-                return lst[0][0]
-        else:
-            return lst[0]
--- a/seed/dns-external/applicationservice.yml
+++ b/seed/dns-external/applicationservice.yml
@ -1,2 +1,3 @@
+---
 format: '0.1'
 description: DNS client with resolution on all zones (especially outside)
--- a/seed/dns-external/dictionaries/14_dns-external.xml
+++ b/seed/dns-external/dictionaries/14_dns-external.xml
@ -1,11 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<rougail version="0.10">
-  <variables>
-    <family name="network">
-      <variable name="dns_is_only_local" redefine="True" hidden="True">
-        <value>False</value>
-      </variable>
-      <variable name="dns_client_address" redefine="True" supplier="ExternalDNS" hidden="True"/>
-    </family>
-  </variables>
-</rougail>
--- a/seed/dns-external/dictionaries/14_dns-external.yml
+++ b/seed/dns-external/dictionaries/14_dns-external.yml
@ -0,0 +1,14 @@
+---
+version: 1.1
+
+network:
+
+  dns_is_only_local:
+    redefine: true
+    hidden: true
+    default: false
+
+  dns_client_address:
+    redefine: true
+    supplier: ExternalDNS
+    hidden: true
--- a/seed/dns-local/applicationservice.yml
+++ b/seed/dns-local/applicationservice.yml
@ -1,2 +1,3 @@
+---
 format: '0.1'
 description: DNS client with access to local zones
--- a/seed/dns-local/dictionaries/13_dns-local.xml
+++ b/seed/dns-local/dictionaries/13_dns-local.xml
@ -1,24 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<rougail version="0.10">
-  <services>
-    <service name="dns-local" manage="False">
-      <file engine="ansible" filelist="copy_tests">/tests/dns-local.yml</file>
-    </service>
-  </services>
-  <variables>
-    <family name="network">
-      <variable name="dns_is_only_local" type="boolean" description="DNS resolve only local address" hidden="True">
-        <value>True</value>
-      </variable>
-      <variable name="dns_client_address" type="domainname" supplier="LocalDNS" hidden="True" mandatory="True"/>
-      <variable name="ip_dns" type="ip" description="Adresse IP du serveur DNS" hidden="True"/>
-    </family>
-  </variables>
-  <constraints>
-    <fill name="get_ip">
-      <param type="information">zones</param>
-      <param name="server_name" type="variable">dns_client_address</param>
-      <target>ip_dns</target>
-    </fill>
-  </constraints>
-</rougail>
--- a/seed/dns-local/dictionaries/13_dns-local.yml
+++ b/seed/dns-local/dictionaries/13_dns-local.yml
@ -0,0 +1,25 @@
+---
+version: 1.1
+
+network:
+
+  dns_is_only_local:
+    description: DNS resolve only local address
+    hidden: true
+    default: true
+
+  dns_client_address:
+    type: domainname
+    supplier: LocalDNS
+    hidden: true
+
+  ip_dns:
+    type: ip
+    description: Adresse IP du serveur DNS
+    hidden: true
+    default:
+      jinja: >-
+        {{ zones | get_ip(server_name=general.network.dns_client_address) }}
+      params:
+        zones:
+          information: zones
--- a/seed/dovecot/applicationservice.yml
+++ b/seed/dovecot/applicationservice.yml
@ -1,6 +1,10 @@
+---
 format: '0.1'
 description: Postfix and Dovecot as mail servers (IMAP and submission)
-help: "This application service provides email server. Two servers are used: Dovecot as IMAP server and Postfix as submission server. In addition, an auto-detection file of the email configuration is set up."
+help: |-
+  This application service provides email server. Two servers are used:
+  Dovecot as IMAP server and Postfix as submission server.
+  In addition, an auto-detection file of the email configuration is set up.
 website: https://www.dovecot.org/
 depends:
  - base-fedora-36
--- a/seed/dovecot/dictionaries/31_dovecot.xml
+++ b/seed/dovecot/dictionaries/31_dovecot.xml
@ -1,131 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<rougail version="0.10">
-  <services>
-    <service name="postfix" target="multi-user">
-      <override engine="none"/>
-      <certificate format="pem" authority="External" type="server" domain="submission_domainname" provider="mail_crt_provider" certificate_type="variable">submission_domainname</certificate>
-      <certificate format="pem" server="last_server_name" domain="last_server_name" authority="InternalMail" owner="postfix" type="server">postfixlocal</certificate>
-      <certificate authority="Mail" owner="postfix" type="server">postfix</certificate>
-      <certificate authority="LDAP" owner="postfix" server="ldap_server_address">postfix_ldap_client</certificate>
-      <file engine="none" source="sysuser-postfix.conf">/sysusers.d/1postfix.conf</file>
-      <file engine="none" source="tmpfile-postfix.conf">/tmpfiles.d/0postfix.conf</file>
-      <file engine="ansible">/etc/postfix/main.cf</file>
-      <file engine="none">/etc/postfix/master.cf</file>
-      <file engine="ansible">/etc/postfix/relay_passwd</file>
-      <file engine="ansible">/etc/postfix/ldapsource.cf</file>
-      <file engine="ansible">/etc/postfix/sni</file>
-      <file engine="ansible" mode="700">/sbin/risotto_backup</file>
-    </service>
-    <service name='dovecot-init'>
-      <override engine="none"/>
-      <file engine="none">/etc/nginx/default.d/autoconfig.conf</file>
-    </service>
-    <service name='nginx'>
-      <file engine="ansible" source='config-v1.1.xml' file_type="variable" variable="mail_domains">well_known_filenames</file>
-    </service>
-    <service name="dovecot" target="multi-user">
-      <certificate authority="External" type="server" domain="imap_domainname" provider="mail_crt_provider" certificate_type="variable">imap_domainname</certificate>
-      <certificate authority="IMAP" domain="last_server_name" owner="dovecot" type="server">dovecot</certificate>
-      <file engine="none" source="sysuser-dovecot.conf">/sysusers.d/1dovecot.conf</file>
-      <file engine="none" source="tmpfile-dovecot.conf">/tmpfiles.d/0dovecot.conf</file>
-      <file engine='none'>/etc/dovecot/conf.d/10-logging.conf</file>
-      <file engine='none'>/etc/dovecot/conf.d/10-auth.conf</file>
-      <file engine='none'>/etc/dovecot/conf.d/10-mail.conf</file>
-      <file engine="ansible">/etc/dovecot/conf.d/10-master.conf</file>
-      <file engine="ansible">/etc/dovecot/conf.d/10-ssl.conf</file>
-      <file engine='none'>/etc/dovecot/conf.d/15-ldap.conf</file>
-      <file engine='none'>/etc/dovecot/conf.d/30-service-stats.conf</file>
-      <file engine='none'>/etc/dovecot/conf.d/00-risotto.conf</file>
-      <!--plain authentification-->
-      <file engine="none">/etc/dovecot/conf.d/auth-ldap.conf.ext</file>
-      <file engine="ansible">/etc/dovecot/dovecot-ldap.conf.ext</file>
-      <!--oauth2 authentification-->
-      <file engine="none">/etc/dovecot/conf.d/auth-oauth2.conf.ext</file>
-      <file engine="ansible">/etc/dovecot/dovecot-oauth2.conf.ext</file>
-      <!--internal authentification-->
-      <file engine="ansible" filelist="copy_tests">/tests/imap.yml</file>
-    </service>
-  </services>
-  <variables>
-    <family name="network">
-      <variable name="incoming_ports" redefine="True">
-        <value>587</value>
-        <value>993</value>
-      </variable>
-    </family>
-    <family name="ldap">
-      <family name="client">
-        <variable name='ldapclient_family' redefine="True">
-          <value>all</value>
-        </variable>
-        <variable name="ldap_key_file_owner" redefine="True">
-          <value>dovecot</value>
-        </variable>
-      </family>
-    </family>
-    <family name="mail" description="Mail configuration" help="Configure IMAP servers and submission to access email accounts and send emails">
-      <family name="domain" description="Mail domain" leadership="True">
-        <variable name="mail_domains" type="domainname" description="Final destination email address" mandatory="True" multi="True" supplier="LMTP:criteria" test="example.net" help="These domain names are the domain names for emails (user@*example.net*) and for auto configuration of email clients (https://*example.net*/.well-known/autoconfig/mail/config-v1.1.xml)"/>
-        <variable name="mail_domains_calc" type="domainname" hidden="True"/>
-        <variable name="imap_domainname" type="domainname" description="External IMAP server address" mandatory="True" test="imap.example.net" help='Matches TLS connection’s SNI name, if it’s sent by the client. For some email clients, use in DNS configuration a line like "_submissions._tcp IN SRV 1 587 *imap.example.net*."'/>
-        <variable name="submission_domainname" type="domainname" description="External submission server address" mandatory="True" test="submission.example.net" help='Matches TLS connection’s SNI name, if it’s sent by the client. For some email clients, add in DNS configuration a line like "_imaps._tcp IN SRV 0 1 993 *submission.example.net*."'/>
-      </family>
-      <variable name="mail_crt_provider" type="choice" description="Type of certificate autority signing external IMAP and submission domain certificates" mandatory="True" mode="basic" help="The certificate can be self-signed (therefore invalid by default for the client) or obtained via the Let's Encrypt service (generally valid for the client)">
-        <value>self-signed</value>
-        <choice>self-signed</choice>
-        <choice>letsencrypt</choice>
-      </variable>
-    </family>
-    <family name="dovecot" description="IMAP mail server">
-      <variable name="imap_internal_addresses" type="domainname" description="IMAP server connexion" mandatory="True" provider="IMAP" multi="True" hidden="True"/>
-      <variable name="well_known_filenames" type="filename" hidden='True' multi="True"/>
-    </family>
-    <family name="revprox">
-      <family name="revprox_client">
-        <variable name="revprox_client_external_domainnames" redefine="True" hidden="True"/>
-        <variable name="revprox_client_web_address" redefine="True" hidden="True"/>
-      </family>
-    </family>
-    <family name="nginx" hidden="True">
-      <variable name="nginx_root" redefine='True'>
-        <value>/var/www/html</value>
-      </variable>
-    </family>
-    <!-- just for doc ... -->
-    <family name="oauth2_client" hidden="True"/>
-  </variables>
-  <constraints>
-    <!--fill name="calc_value">
-      <param type="variable">domain_name_eth0</param>
-      <target>imap_internal_address</target>
-    </fill-->
-    <fill name="calc_value">
-      <param type="variable">mail_domains</param>
-      <target>mail_domains_calc</target>
-    </fill>
-    <fill name="calc_value">
-      <param>/var/www/html/mail/</param>
-      <param type="variable">mail_domains</param>
-      <param>/autodiscover/autodiscover.xml</param>
-      <!--param>/config-v1.1.xml</param-->
-      <param name="join"></param>
-      <param name="multi" type="boolean">True</param>
-      <target>well_known_filenames</target>
-    </fill>
-    <fill name="calc_well_known">
-      <param type="index"/>
-      <param type="variable">domain_name_eth0</param>
-      <param type="variable">mail_domains</param>
-      <target>revprox_client_web_address</target>
-    </fill>
-    <fill name="calc_domains">
-      <param type="variable">mail_domains</param>
-      <target>revprox_client_external_domainnames</target>
-    </fill>
-    <fill name="calc_locations">
-      <param type="variable">revprox_client_external_domainnames</param>
-      <param type="index"/>
-      <target>revprox_client_location</target>
-    </fill>
-  </constraints>
-</rougail>
--- a/seed/dovecot/dictionaries/31_dovecot.yml
+++ b/seed/dovecot/dictionaries/31_dovecot.yml
@ -0,0 +1,142 @@
+---
+version: 1.1
+
+network:
+  incoming_ports:
+    redefine: true
+    default:
+      - 587
+      - 993
+
+ldap:
+
+  client:
+
+    family:
+      redefine: true
+      default: all
+
+    key_file_owner:
+      redefine: true
+      default: dovecot
+
+revprox:
+
+  client:
+
+    external_domainnames:
+      redefine: true
+      hidden: true
+      default:
+        jinja: |-
+          {%- for domain in general.mail.domain.domains | calc_domains %}
+          {{ domain }}
+          {%- endfor -%}
+
+    web_address:
+      redefine: true
+      hidden: true
+      default:
+        jinja: >-
+          {{ __index |
+              calc_well_known(general.network.interface_0.domain_name,
+                              general.mail.domain.domains)
+            }}
+        params:
+          __index:
+            type: index
+
+    location:
+      redefine: true
+      default:
+        jinja: >-
+          {{ _.external_domainnames | calc_locations(index) }}
+        params:
+          index:
+            type: index
+
+mail:
+  description: Mail configuration
+  help: >-
+    Configure IMAP servers and submission to access email accounts and send
+    emails
+
+  domain:
+    description: Mail domain
+    type: leadership
+
+    domains:
+      type: domainname
+      description: Final destination email address
+      supplier: LMTP:criteria
+      examples:
+        - example.net
+      help: >-
+        These domain names are the domain names for emails (user@*example.net*)
+        and for auto configuration of email clients
+        (https://*example.net*/.well-known/autoconfig/mail/config-v1.1.xml)
+
+    imap_domainname:
+      type: domainname
+      description: External IMAP server address
+      examples:
+        - imap.example.net
+      help: >-
+        Matches TLS connection’s SNI name, if it’s sent by the client. For some
+        email clients, use in DNS configuration a line like "_submissions._tcp
+        IN SRV 1 587 *imap.example.net*."
+
+    submission_domainname:
+      type: domainname
+      description: External submission server address
+      examples:
+        - submission.example.net
+      help: >-
+        Matches TLS connection’s SNI name, if it’s sent by the client. For some
+        email clients, add in DNS configuration a line like "_imaps._tcp IN SRV
+        0 1 993 *submission.example.net*."
+
+  crt_provider:
+    description: >-
+      Type of certificate autority signing external IMAP and submission
+      domain certificates
+    mode: basic
+    help: >-
+      The certificate can be self-signed (therefore invalid by default for the
+      client) or obtained via the Let's Encrypt service (generally valid for
+      the client)
+    default: self-signed
+    choices:
+      - self-signed
+      - letsencrypt
+
+dovecot:  # IMAP mail server
+
+  internal_addresses:
+    type: domainname
+    description: IMAP server connexion
+    provider: IMAP
+    multi: true
+    hidden: true
+
+  well_known_filenames:
+    type: unix_filename
+    hidden: true
+    multi: true
+    default:
+      jinja: |-
+        {%- for domain in __.mail.domain.domains %}
+        /var/www/html/mail/{{ domain }}/autodiscover/autodiscover.xml
+        {%- endfor -%}
+
+nginx:
+  redefine: true
+  hidden: true
+
+  root:
+    redefine: true
+    default: /var/www/html
+
+oauth2:
+  redefine: true
+  hidden: true
--- a/seed/forgejo/applicationservice.yml
+++ b/seed/forgejo/applicationservice.yml
@ -1,3 +1,4 @@
+---
 format: '0.1'
 description: Forgejo, a community managed lightweight code hosting solution
 website: https://forgejo.org/
--- a/seed/forgejo/dictionaries/31_forgejo.xml
+++ b/seed/forgejo/dictionaries/31_forgejo.xml
@ -1,127 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<rougail version="0.10">
-  <services>
-    <service name="forgejo" target="multi-user" engine="ansible">
-      <file engine="none" source="sysuser-forgejo.conf">/sysusers.d/0forgejo.conf</file>
-      <file engine="none" source="tmpfile-forgejo.conf">/tmpfiles.d/0forgejo.conf</file>
-      <file engine="ansible">/etc/forgejo/app.ini</file>
-      <file engine="ansible" filelist="copy_tests">/tests/forgejo.yml</file>
-    </service>
-  </services>
-  <variables>
-    <family name="network">
-      <variable name="incoming_ports" redefine="True">
-        <value>2222</value>
-      </variable>
-    </family>
-    <family name="redis" description="Redis">
-      <variable name="redis_client_key_owner" redefine="True">
-        <value>forgejo</value>
-      </variable>
-    </family>
-    <family name="forgejo" description="Forgejo" help="Git forge Forgejo">
-      <variable name="forgejo_title" mandatory="True" description="Titre de la forge" mode="basic">
-        <value>Forgejo : Au-delà du développement. Nous forgeons.</value>
-      </variable>
-      <variable name="forgejo_mail_sender" type="mail" description="Les courriels sont envoyés à partir de cet adresse" mandatory="True" test="admin@example.net"/>
-      <variable name="forgejo_secret_key" type="password" hidden="True"/>
-      <variable name="forgejo_internal_token" type="password" hidden="True"/>
-      <variable name="forgejo_lfs_jwt_secret" type="password" hidden="True"/>
-      <variable name="forgejo_jwt_secret" type="password" hidden="True"/>
-    </family>
-    <family name="revprox">
-      <family name="revprox_client">
-        <variable name="revprox_client_local_location" redefine="True">
-          <value>/</value>
-        </variable>
-      </family>
-      <variable name="revprox_client_port" redefine="True">
-        <value>3000</value>
-      </variable>
-      <variable name="revprox_client_cert_owner" redefine="True">
-        <value>forgejo</value>
-      </variable>
-    </family>
-    <family name="oauth2_client">
-      <variable name="oauth2_is_client_application" redefine='True'>
-        <value>True</value>
-      </variable>
-      <variable name="oauth2_client_name" redefine='True'>
-        <value>Forge</value>
-      </variable>
-      <variable name="oauth2_client_description" redefine='True'>
-        <value>Forge logiciel Forgejo</value>
-      </variable>
-      <variable name="oauth2_client_category" redefine='True'>
-        <value>Développement</value>
-      </variable>
-      <variable name="oauth2_client_logo" redefine='True'>
-        <value>silique_note.png</value>
-      </variable>
-      <variable name="oauth2_client_token_signature_algo" redefine="True">
-        <value>RS256</value>
-      </variable>
-      <family name="external">
-        <variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
-      </family>
-    </family>
-    <family name="postgresql">
-      <variable name="pg_client_key_owner" redefine="True">
-        <value>forgejo</value>
-      </variable>
-    </family>
-  </variables>
-  <constraints>
-    <fill name="get_password">
-      <param name="server_name" type="variable">domain_name_eth0</param>
-      <param name="username">secret_key</param>
-      <param name="description">forgejo</param>
-      <param name="type">cleartext</param>
-      <param name="hide" type="variable">hide_secret</param>
-      <param name="length" type="number">105</param>
-      <target>forgejo_secret_key</target>
-    </fill>
-    <fill name="get_password">
-      <param name="server_name" type="variable">domain_name_eth0</param>
-      <param name="username">internal_token</param>
-      <param name="description">forgejo</param>
-      <param name="type">cleartext</param>
-      <param name="hide" type="variable">hide_secret</param>
-      <param name="length" type="number">105</param>
-      <target>forgejo_internal_token</target>
-    </fill>
-    <fill name="get_password">
-      <param name="server_name" type="variable">domain_name_eth0</param>
-      <param name="username">lfs_jwt_secret</param>
-      <param name="description">forgejo</param>
-      <param name="type">cleartext</param>
-      <param name="hide" type="variable">hide_secret</param>
-      <param name="length" type="number">43</param>
-      <target>forgejo_lfs_jwt_secret</target>
-    </fill>
-    <fill name="get_password">
-      <param name="server_name" type="variable">domain_name_eth0</param>
-      <param name="username">jwt_secret</param>
-      <param name="description">forgejo</param>
-      <param name="type">cleartext</param>
-      <param name="hide" type="variable">hide_secret</param>
-      <param name="length" type="number">43</param>
-      <target>forgejo_jwt_secret</target>
-    </fill>
-    <fill name="calc_oauth2_client_login">
-      <param type="variable" optional="True">revprox_client_external_domainnames</param>
-      <param type="variable" optional="True">revprox_client_location</param>
-      <param>user/oauth2/</param>
-      <param type="variable">domain_name_eth0</param>
-      <param>/callback</param>
-      <target>oauth2_client_login</target>
-    </fill>
-    <fill name="calc_oauth2_client_external">
-      <param type="variable">revprox_client_external_domainnames</param>
-      <param type="variable">revprox_client_location</param>
-      <param>user/oauth2/</param>
-      <param type="variable">domain_name_eth0</param>
-      <target>oauth2_client_external</target>
-    </fill>
-  </constraints>
-</rougail>
--- a/seed/forgejo/dictionaries/31_forgejo.yml
+++ b/seed/forgejo/dictionaries/31_forgejo.yml
@ -0,0 +1,164 @@
+---
+version: 1.1
+
+network:
+
+  incoming_ports:
+    redefine: true
+    default:
+      - 2222
+
+forgejo:
+  description: Forgejo
+  help: Git forge Forgejo
+
+  title:
+    description: Titre de la forge
+    mode: basic
+    default: 'Forgejo : Au-delà du développement. Nous forgeons.'
+
+  mail_sender:
+    description: Les courriels sont envoyés à partir de cet adresse
+    examples:
+      - admin@example.net
+    type: mail
+
+  secret_key:
+    type: secret
+    default:
+      jinja: >-
+        {{ "secret_key" |
+          get_password(server_name=general.network.interface_0.domain_name,
+                       description="forgejo",
+                       type="cleartext",
+                       hide=general.hide_secret,
+                       length=105)
+          }}
+    hidden: true
+
+  internal_token:
+    type: secret
+    default:
+      jinja: >-
+        {{ "internal_token" |
+          get_password(server_name=general.network.interface_0.domain_name,
+                       description="forgejo",
+                       type="cleartext",
+                       hide=general.hide_secret, length=105)
+         }}
+    hidden: true
+
+  lfs_jwt_secret:
+    type: secret
+    default:
+      jinja: >-
+        {{ "lfs_jwt_secret" |
+          get_password(server_name=general.network.interface_0.domain_name,
+                       description="forgejo",
+                       type="cleartext",
+                       hide=general.hide_secret,
+                       length=43)
+         }}
+    hidden: true
+
+  jwt_secret:
+    type: secret
+    default:
+      jinja: >-
+        {{ "jwt_secret" |
+          get_password(server_name=general.network.interface_0.domain_name,
+                       description="forgejo",
+                       type="cleartext",
+                       hide=general.hide_secret,
+                       length=43)
+          }}
+    hidden: true
+
+revprox:
+
+  client:
+
+    local_location:
+      redefine: true
+      default: /
+
+  client_port:
+    redefine: true
+    default: 3000
+
+  client_cert_owner:
+    redefine: true
+    default: forgejo
+
+redis:
+
+  client:
+
+    key_owner:
+      redefine: true
+      default: forgejo
+
+oauth2:
+
+  client:
+
+    is_client_application:
+      redefine: true
+      default: true
+
+    name:
+      redefine: true
+      default: Forge
+
+    description:
+      redefine: true
+      default: Forge logiciel Forgejo
+
+    category:
+      redefine: true
+      default: Développement
+
+    logo:
+      redefine: true
+      default: silique_note.png
+
+    login:
+      redefine: true
+      default:
+        jinja: >-
+          {{ general.revprox.client.external_domainnames |
+               calc_oauth2_client_login(
+                 general.revprox.client.location,
+                 "user/oauth2/",
+                 general.network.interface_0.domain_name,
+                 "/callback"
+                 )
+            }}
+
+    token_signature_algo:
+      redefine: true
+      default: RS256
+
+    external:
+
+      external:
+        redefine: true
+        default:
+          jinja: |-
+            {%- for domain in
+             general.revprox.client.external_domainnames |
+             calc_oauth2_client_external(
+               general.revprox.client.location,
+               "user/oauth2/",
+               general.network.interface_0.domain_name)
+               %}
+            {{ domain }}
+            {%- endfor -%}
+
+postgresql:
+
+  client:
+
+    key_owner:
+      redefine: true
+      default: forgejo
--- a/seed/gitea/README.md
+++ b/seed/gitea/README.md
@ -1,139 +0,0 @@
---
-gitea: none
-include_toc: true
---
-
-
-[Return to the list of application services.](../README.md)
-# gitea
-
-## Synopsis
-
-Transitional package for Gitea to Forgejo.
-
-## Example
-
-Zone names are provided as examples. Think about adapting with the value of provider_zone in configuration file.
-
-```
-gitea:
-  applicationservice: gitea
-  zones_name:
-    - localdns
-    - oauth2
-    - postgresql
-    - redis
-    - reverseproxy
-    - smtp
-  values:
-    general.revprox.revprox_client.revprox_client_external_domainnames:
-      - service.example.net
-```
-
-## Basic variables
-
-### General
-
-#### Reverse proxy
-
-##### Clients configuration
-
-This family is a leadership.
-
-| Parameter                                                                                                                                                                                                                                                                       | Comment                                                            |
-|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------|
-| **[general.revprox.revprox_client.revprox_client_external_domainnames](dictionaries/21_revprox_client.xml)**<br/>mandatory, multiple<br/>**Type:** [`domainname`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Service external domain name.<br/>**Example:** service.example.net |
-| **[general.revprox.revprox_client.revprox_client_location](dictionaries/21_revprox_client.xml)**<br/>mandatory<br/>**Type:** [`filename`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable)                         | URI to route request to the correct service.<br/>**Default:** /    |
-
-#### Forgejo
-
-Git forge Forgejo.
-
-| Parameter                                                                                                                                                                                                             | Comment                                                                                |
-|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------|
-| **[general.forgejo.forgejo_title](dictionaries/31_forgejo.xml)**<br/>mandatory<br/>**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Titre de la forge.<br/>**Default:** Forgejo : Au-delà du développement. Nous forgeons. |
-
-
-
-## Variables
-
-### General
-
-#### Reverse proxy
-
-##### Clients configuration
-
-This family is a leadership.
-
-| Parameter                                                                                                                                                                                                                                    | Comment                                              |
-|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------|
-| **[general.revprox.revprox_client.revprox_client_max_body_size](dictionaries/21_revprox_client.xml)**<br/>**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | The maximum allowed size of the client request body. |
-
-#### OAuth2 client
-
-| Parameter                                                                                                                                                                                                                               | Comment                                                                                                 |
-|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------|
-| **[general.oauth2_client.oauth2_client_name](dictionaries/31_forgejo.xml)**<br/>mandatory<br/>**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable)        | OAuth2 client name.<br/>**Default:** Forge<br/>**Example:** example                                     |
-| **[general.oauth2_client.oauth2_client_description](dictionaries/31_forgejo.xml)**<br/>mandatory<br/>**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | OAuth2 client description.<br/>**Default:** Forge logiciel Forgejo<br/>**Example:** Example description |
-| **[general.oauth2_client.oauth2_client_login](dictionaries/30_oauth2_client.xml)**<br/>**Type:** [`web_address`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable)          | OAuth2 URL to valid login.<br/>**Default:** *calculated*                                                |
-
-##### external
-
-| Parameter                                                                                                                                                                                                                                                    | Comments                                              |
-|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------|
-| **[general.oauth2_client.external.oauth2_client_external](dictionaries/31_forgejo.xml)**<br/>mandatory, multiple<br/>**Type:** [`web_address`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | OAuth2 client external.<br/>**Default:** *calculated* |
-| **[general.oauth2_client.external.oauth2_client_family](dictionaries/30_oauth2_client.xml)**<br/>mandatory<br/>**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable)            | OAuth2 family.<br/>**Default:** users                 |
-
-| Parameter                                                                                                                                                                                                                            | Comment                                         |
-|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------|
-| **[general.oauth2_client.oauth2_client_category](dictionaries/31_forgejo.xml)**<br/>mandatory<br/>**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | OAuth2 category.<br/>**Default:** Développement |
-| **[general.oauth2_client.oauth2_client_logo](dictionaries/31_forgejo.xml)**<br/>mandatory<br/>**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable)     | OAuth2 logo.<br/>**Default:** silique_note.png  |
-
-#### Forgejo
-
-Git forge Forgejo.
-
-| Parameter                                                                                                                                                                                                                 | Comment                                                                                                              |
-|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------|
-| **[general.forgejo.forgejo_mail_sender](dictionaries/31_forgejo.xml)**<br/>mandatory<br/>**Type:** [`mail`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Les courriels sont envoyés à partir de cet adresse.<br/>**Default:** *calculated*<br/>**Example:** admin@example.net |
-
-#### Transitional family
-
-| Parameter                                                                                                                                                                                             | Comments                                     |
-|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------|
-| **[general.gitea.gitea_mail_sender](dictionaries/32_gitea.xml)**<br/>**Type:** [`mail`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Transitional variable, please do not use it. |
-
-
-## Requirements services
-
-### Mandatories
-
- [LocalDNS](../README.LocalDNS.md): DNS forwarder for local domain name.
- [SMTP](../README.SMTP.md): Create a SMTP relay account and authorize sending email.
- [ReverseProxy](../README.ReverseProxy.md): Register to service to a reverse proxy server.
- [Postgresql](../README.Postgresql.md): Create account and connexion to a PostgreSQL server.
- [OAuth2](../README.OAuth2.md): Remote clients needing to verify OAuth2 account.
- [Redis](../README.Redis.md): Create account and connexion to a Redis server.
-
-### Optionals
-
- [Journald](../README.Journald.md): Concentrate journal messages on one host.
-
-## Dependances
-
- [forgejo](../forgejo/README.md): Forgejo, a community managed lightweight code hosting solution.
-  - [base-fedora-38](../base-fedora-38/README.md): Base information of a Fedora 38.
-    - [base-fedora](../base-fedora/README.md): Base information of a Fedora.
-      - [systemd](../systemd/README.md): Systemd, a system and service manager.
-        - [base-machine](../base-machine/README.md): Base information for a machine.
-          - [base](../base/README.md): Base of all application services.
-          - [dns-local](../dns-local/README.md): DNS client with access to local zones.
-          - [pki-tls](../pki-tls/README.md): Autosign PKI or Let's encrypt support for TLS certificates.
-        - [journald](../journald/README.md): Journald.
-        - [resolved](../resolved/README.md): Resolved.
-  - [postgresql-client](../postgresql-client/README.md): Application service needs interact with a Postgresql server.
-  - [reverse-proxy-client](../reverse-proxy-client/README.md): Application service needs interact with a a reverse proxy server.
-  - [relay-mail-client](../relay-mail-client/README.md): Client SMTP.
-  - [redis-client](../redis-client/README.md): Application service needs interact with a Redis server.
-    - [redis-common](../redis-common/README.md): Redis, an in-memory data structure store.
-  - [oauth2-client](../oauth2-client/README.md): Application service needs interact with a Oauth2 server.
--- a/seed/gitea/applicationservice.yml
+++ b/seed/gitea/applicationservice.yml
@ -1,5 +0,0 @@
-format: '0.1'
-description: Transitional package for Gitea to Forgejo
-depends:
-  - forgejo
-service: true
--- a/seed/gitea/dictionaries/32_gitea.xml
+++ b/seed/gitea/dictionaries/32_gitea.xml
@ -1,17 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<rougail version="0.10">
-  <services>
-    <service name="gitea" target="risotto" engine="cheetah"/>
-  </services>
-  <variables>
-    <family name="gitea" description="Transitional family">
-      <variable name="gitea_mail_sender" type="mail" description="Transitional variable, please do not use it"/>
-    </family>
-  </variables>
-  <constraints>
-    <fill name="calc_value">
-      <param type="variable">gitea_mail_sender</param>
-      <target>forgejo_mail_sender</target>
-    </fill>
-  </constraints>
-</rougail>
--- a/seed/gitea/templates/gitea.service
+++ b/seed/gitea/templates/gitea.service
@ -1,17 +0,0 @@
-[Unit]
-Description=Gitea transitional
-Before=risotto.target
-
-[Service]
-Type=oneshot
-ExecStart=/bin/bash -c '%slurp
-[ -d /srv/gitea/lib/data/gitea-repositories ] && mv /srv/gitea/lib/data/gitea-repositories /srv/gitea/lib/data/forgejo-repositories; %slurp
-[ -d /srv/gitea ] && (mv /srv/gitea/* /srv/forgejo; rmdir /srv/gitea); %slurp
-find /srv/forgejo/lib/data/forgejo-repositories/*/*.git/hooks -name gitea | while read a; do b=$(dirname $a); mv $b/gitea $b/forgejo; done; %slurp
-sed -i 's/gitea/forgejo/g' /srv/forgejo/lib/data/forgejo-repositories/*/*.git/hooks/proc-receive; %slurp
-sed -i 's/gitea/forgejo/g' /srv/forgejo/lib/data/forgejo-repositories/*/*.git/hooks/pre-receive.d/forgejo; %slurp
-sed -i 's/gitea/forgejo/g' /srv/forgejo/lib/data/forgejo-repositories/*/*.git/hooks/update.d/forgejo; %slurp
-sed -i 's/gitea/forgejo/g' /srv/forgejo/lib/data/forgejo-repositories/*/*.git/hooks/post-receive.d/forgejo; %slurp
-sed -i 's/gitea/forgejo/g' /srv/forgejo/lib/data/forgejo-repositories/*/*.git/config; %slurp
-exit 0%slurp
-'
--- a/seed/grafana/applicationservice.yml
+++ b/seed/grafana/applicationservice.yml
@ -1,5 +1,7 @@
+---
 format: '0.1'
-description: Grafana is an analytics and interactive visualization web application
+description: >
+  Grafana is an analytics and interactive visualization web application
 website: https://grafana.com/
 depends:
  - base-fedora-38
--- a/seed/grafana/dictionaries/31_grafana.xml
+++ b/seed/grafana/dictionaries/31_grafana.xml
@ -1,67 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<rougail version="0.10">
-  <services>
-    <service name="grafana-server" target="multi-user">
-      <override engine="none"/>
-      <file engine="ansible">/etc/grafana/grafana.ini</file>
-      <file engine="ansible">/etc/sysconfig/grafana-server</file>
-      <file engine="none" source="tmpfile-grafana.conf">/tmpfiles.d/0grafana.conf</file>
-    </service>
-  </services>
-  <variables>
-    <family name="grafana">
-      <variable name="admin_password" type="password" description="Mot de passe de l'administrateur" hidden="True"/>
-    </family>
-    <family name="revprox">
-      <family name="revprox_client">
-        <variable name="revprox_client_local_location" redefine="True">
-          <value>/</value>
-        </variable>
-      </family>
-      <variable name="revprox_client_port" redefine="True">
-        <value>3000</value>
-      </variable>
-      <variable name="revprox_client_cert_owner" redefine="True">
-        <value>grafana</value>
-      </variable>
-    </family>
-    <family name="oauth2_client">
-      <variable name="oauth2_is_client_application" redefine='True'>
-        <value>True</value>
-      </variable>
-      <variable name="oauth2_client_name" redefine='True'>
-        <value>Grafana</value>
-      </variable>
-      <variable name="oauth2_client_description" redefine='True'>
-        <value>Visualisation de données</value>
-      </variable>
-      <variable name="oauth2_client_category" redefine='True'>
-        <value>Administration</value>
-      </variable>
-      <variable name="oauth2_client_logo" redefine='True'>
-        <value>silique_note.png</value>
-      </variable>
-      <variable name="oauth2_client_token_signature_algo" redefine="True">
-        <value>RS256</value>
-      </variable>
-      <variable name="oauth2_email_domain" type="domainname" description="Domain name allowed to log on Grafana" mandatory="True" test="example.net"/>
-    </family>
-    <family name="postgresql">
-      <variable name="pg_client_key_owner" redefine="True">
-        <value>grafana</value>
-      </variable>
-    </family>
-  </variables>
-  <constraints>
-    <fill name="get_password">
-      <param name="server_name" type="variable">domain_name_eth0</param>
-      <param name="username">admin</param>
-      <param name="description">admin</param>
-      <param name="type">cleartext</param>
-      <param name="hide" type="variable">hide_secret</param>
-      <param name="temporary" type="boolean">True</param>
-      <target>admin_password</target>
-    </fill>
-  </constraints>
-</rougail>
-
--- a/seed/grafana/dictionaries/31_grafana.yml
+++ b/seed/grafana/dictionaries/31_grafana.yml
@ -0,0 +1,76 @@
+---
+version: 1.1
+
+grafana:
+
+  admin_password:
+    type: secret
+    description: Mot de passe de l'administrateur
+    hidden: true
+    default:
+      jinja: >-
+        {{ "admin" |
+             get_password(server_name=general.network.interface_0.domain_name,
+             description="admin",
+             type="cleartext",
+             hide=general.hide_secret,
+             temporary=true)
+          }}
+
+revprox:
+
+  client:
+
+    local_location:
+      redefine: true
+      default: /
+
+  client_port:
+    redefine: true
+    default: 3000
+
+  client_cert_owner:
+    redefine: true
+    default: grafana
+
+oauth2:
+
+  client:
+
+    is_client_application:
+      redefine: true
+      default: true
+
+    name:
+      redefine: true
+      default: Grafana
+
+    description:
+      redefine: true
+      default: Visualisation de données
+
+    category:
+      redefine: true
+      default: Administration
+
+    logo:
+      redefine: true
+      default: silique_note.png
+
+    token_signature_algo:
+      redefine: true
+      default: RS256
+
+    email_domain:
+      type: domainname
+      description: Domain name allowed to log on Grafana
+      examples:
+        - example.net
+
+postgresql:
+
+  client:
+
+    key_owner:
+      redefine: true
+      default: grafana
--- a/seed/host-systemd-machined/applicationservice.yml
+++ b/seed/host-systemd-machined/applicationservice.yml
@ -1,5 +1,7 @@
+---
 format: '0.1'
 description: Host with machine started in Systemd Machined environment
 website: https://www.freedesktop.org/wiki/Software/systemd/machined/
 depends:
  - base
+host: true
--- a/seed/host-systemd-machined/dictionaries/21_machined.xml
+++ b/seed/host-systemd-machined/dictionaries/21_machined.xml
@ -1,176 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<rougail version="0.10">
-  <services>
-    <service name="systemd-machined">
-      <file engine="none">/etc/systemd/network/80-container-vz.network</file>
-      <file file_type="variable" source="70-container.network" variable="zone_name" engine="ansible">systemd_zone_filename</file>
-      <file file_type="variable" source="70-container.netdev" variable="zone_name" engine="ansible">systemd_netzone_filename</file>
-    </service>
-    <service name="risotto-images" engine="ansible" manage="False"/>
-    <service name="systemd-sysctl"/>
-    <service name="systemd-networkd"/>
-    <service name="systemd-resolved"/>
-    <service name="risotto-images" type="timer" engine="none"/>
-    <service name="risottofirewall" engine="ansible"/>
-    <service name="systemd-nspawn@">
-      <file engine="none">/tmpfiles.d/0asystemd-nspawn.conf</file>
-      <file engine="none">/etc/systemd/system/systemd-nspawn@.service.d/systemd-nspawn@.conf</file>
-      <file engine="none">/etc/distro.repos.d/boot.repo</file>
-      <file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-35-x86_64</file>
-      <file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-36-x86_64</file>
-      <file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-37-x86_64</file>
-      <file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-38-x86_64</file>
-      <file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-36</file>
-      <file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-38</file>
-      <file engine="ansible">/etc/sysctl.d/90-risotto.conf</file>
-      <file engine="ansible" file_type="variable" source="dhcp.network" variable="interface_names">host_network_filename</file>
-    </service>
-    <service name="modprobe@">
-      <override engine="none"/>
-    </service>
-    <service name="vector" servicelist="vector">
-      <file engine="ansible">/etc/vector/vector.toml</file>
-    </service>
-  </services>
-  <variables>
-    <variable name="host_install_dir" type="filename" mandatory="True" provider="global:host_install_dir" hidden="True"/>
-    <variable name="host_name" type="domainname" hidden="True" provider="global:server_name" mandatory="True"/>
-    <variable name="module_name" type="string" hidden="True" provider="global:module_name" mandatory="True"/>
-    <variable name="tls_server" type="domainname" mandatory="True" provider="global:tls_server" hidden="True"/>
-    <variable name="systemd_zone_filename" type="filename" hidden="True" multi="True"/>
-    <variable name="systemd_netzone_filename" type="filename" hidden="True" multi="True"/>
-    <variable name="vm_swappiness" type="number" description="Ajustement de la mémoire virtuelle" mandatory="True">
-      <value>60</value>
-    </variable>
-    <variable name="host_packages" multi="True" hidden="True">
-      <value>systemd-container</value>
-      <value>dnf</value>
-      <value>jq</value>
-      <value>debootstrap</value>
-      <value>htop</value>
-      <value>iotop</value>
-      <value>man</value>
-      <value>gettext</value>
-      <value>patch</value>
-      <value>unzip</value>
-      <value>mlocate</value>
-      <value>xz-utils</value>
-      <value>iptables</value>
-      <value>curl</value>
-      <value>tree</value>
-      <value>tshark</value>
-      <value>vim</value>
-      <value>python3-pytest</value>
-      <value>python3-yaml</value>
-      <value>python3-ldap</value>
-      <value>python3-dnspython</value>
-      <value>python3-dulwich</value>
-      <value>python3-psycopg2</value>
-      <value>python3-redis</value>
-      <value>python3-imaplib2</value>
-      <value>python3-pymysql</value>
-    </variable>
-    <variable name="host_removed_packages" multi="True" hidden="True">
-      <value>resolvconf</value>
-    </variable>
-    <family name="base">
-      <variable name="time_zone" type="string" description="Time zone" supplier="Host:time_zone">
-        <value>Europe/Paris</value>
-      </variable>
-    </family>
-    <family name="network">
-      <variable name="output_interface" description="Nom de l'interface de sortie" mandatory="True"/>
-      <family name="interfaces" leadership="True">
-        <variable name="interface_names" description="Nom de l'interface" multi="True" mandatory="True"/>
-        <variable name="interface_type" type="choice" description="Type de la carte" mandatory="True">
-          <choice>dhcp</choice>
-          <choice>ipv4</choice>
-          <value>dhcp</value>
-        </variable>
-        <variable name="interface_ip" type="cidr" description="IP au format CIDR de l'interface" mandatory="True"/>
-        <variable name="interface_gateway" type="ip" description="IP de la route par défaut" mandatory="True"/>
-        <variable name="interface_domain_name_servers" type="ip" description="IP des serveurs DNS" mandatory="True" multi="True"/>
-        <variable name="first_interface" type="boolean" hidden="True"/>
-      </family>
-      <variable name="host_network_filename" type="filename" multi="True" hidden="True"/>
-    </family>
-    <family name="zones" leadership="True">
-      <variable name="zone_name" type="string" hidden="True" multi="True"/>
-      <variable name="zone_cidr" type="cidr" hidden="True"/>
-    </family>
-    <family name="vector">
-      <variable name="server_address" type="domainname" hidden="True" supplier="Vector"/>
-      <variable name="ip_address" type="ip" hidden="True" supplier="Vector:address"/>
-    </family>
-    <family name="prometheus">
-      <variable name="prometheus_server_address" type="domainname" hidden="True" supplier="Prometheus"/>
-      <variable name="prometheus_ip_address" type="ip" hidden="True"/>
-    </family>
-  </variables>
-  <constraints>
-    <fill name="get_internal_zone_names">
-      <param type="information">zones</param>
-      <target>zone_name</target>
-    </fill>
-    <fill name="calc_value">
-      <param>/etc/systemd/network/70-container-</param>
-      <param type="variable">zone_name</param>
-      <param>.network</param>
-      <param name="join"></param>
-      <param name="multi" type="boolean">True</param>
-      <target>systemd_zone_filename</target>
-    </fill>
-    <fill name="calc_value">
-      <param>/etc/systemd/network/80-</param>
-      <param type="variable">interface_names</param>
-      <param>.network</param>
-      <param name="join"></param>
-      <param name="multi" type="boolean">True</param>
-      <target>host_network_filename</target>
-    </fill>
-    <fill name="calc_value">
-      <param>/etc/systemd/network/70-container-</param>
-      <param type="variable">zone_name</param>
-      <param>.netdev</param>
-      <param name="join"></param>
-      <param name="multi" type="boolean">True</param>
-      <target>systemd_netzone_filename</target>
-    </fill>
-    <fill name="get_zones_info">
-      <param type="information">zones</param>
-      <param>cidr</param>
-      <param type="variable" name="zone_name">zone_name</param>
-      <target>zone_cidr</target>
-    </fill>
-    <fill name="is_first_interface">
-      <param type="index"/>
-      <target>first_interface</target>
-    </fill>
-    <fill name="get_ip">
-      <param type="information">zones</param>
-      <param type="variable">server_address</param>
-      <target>ip_address</target>
-    </fill>
-    <fill name="get_ip">
-      <param type="information">zones</param>
-      <param type="variable">prometheus_server_address</param>
-      <target>prometheus_ip_address</target>
-    </fill>
-    <condition name="disabled_if_not_in" source="interface_type">
-      <param>ipv4</param>
-      <target>interface_ip</target>
-      <target>interface_gateway</target>
-      <target>interface_domain_name_servers</target>
-    </condition>
-    <condition name="disabled_if_not_in" source="first_interface">
-      <param>True</param>
-      <target>interface_gateway</target>
-      <target>interface_domain_name_servers</target>
-    </condition>
-    <condition name="disabled_if_in" source="server_address">
-      <param type="nil"/>
-      <target type="servicelist">vector</target>
-      <target type="variable">ip_address</target>
-    </condition>
-  </constraints>
-</rougail>
--- a/seed/host-systemd-machined/dictionaries/21_machined.yml
+++ b/seed/host-systemd-machined/dictionaries/21_machined.yml
@ -0,0 +1,221 @@
+---
+version: 1.1
+
+host_install_dir:
+  type: unix_filename
+  provider: global:host_install_dir
+  hidden: true
+
+host_name:
+  type: domainname
+  hidden: true
+  provider: global:server_name
+
+module_name:
+  hidden: true
+  provider: global:module_name
+
+tls_server:
+  type: domainname
+  provider: global:tls_server
+  hidden: true
+
+systemd_zone_filename:
+  type: unix_filename
+  hidden: true
+  multi: true
+  default:
+    jinja: |-
+      {%- for zone in general.zones.zone_name %}
+      /etc/systemd/network/70-container-{{ zone }}.network %}
+      {%- endfor -%}
+
+systemd_netzone_filename:
+  type: unix_filename
+  hidden: true
+  multi: true
+  default:
+    jinja: |-
+      {%- for zone in general.zones.zone_name %}
+      /etc/systemd/network/70-container-{{ zone }}.netdev" %}
+      {%- endfor -%}
+
+vm_swappiness: 60  # Ajustement de la mémoire virtuelle
+
+host_packages:
+  hidden: true
+  default:
+    - systemd-container
+    - dnf
+    - jq
+    - debootstrap
+    - htop
+    - iotop
+    - man
+    - gettext
+    - patch
+    - unzip
+    - mlocate
+    - xz-utils
+    - iptables
+    - curl
+    - tree
+    - tshark
+    - vim
+    - python3-pytest
+    - python3-yaml
+    - python3-ldap
+    - python3-dnspython
+    - python3-dulwich
+    - python3-psycopg2
+    - python3-redis
+    - python3-imaplib2
+    - python3-pymysql
+
+host_removed_packages:
+  hidden: true
+  default:
+    - resolvconf
+
+base:
+
+  time_zone:
+    description: Time zone
+    supplier: Host:time_zone
+    default: Europe/Paris
+
+network:
+
+  output_interface: null  # Nom de l'interface de sortie
+
+  interfaces:
+    type: leadership
+
+    interface_names: []  # Nom de l'interface
+
+    interface_type:
+      description: Type de la carte
+      default: dhcp
+      choices:
+        - dhcp
+        - ipv4
+
+    interface_ip:
+      type: cidr
+      description: IP au format CIDR de l'interface
+      disabled:
+        variable: _.interface_type
+        when_not: ipv4
+
+    first_interface:
+      type: boolean
+      hidden: true
+      default:
+        jinja: >-
+          {%- if index == 0 -%}
+          true
+          {%- else -%}
+          false
+          {%- endif -%}
+        params:
+          index:
+            type: index
+
+    interface_gateway:
+      type: ip
+      description: IP de la route par défaut
+      disabled:
+        jinja: >-
+          {%- if _.interface_type != 'ipv4' or not _.first_interface -%}
+          disabled
+          {%- endif -%}
+        description: >-
+          if it's not the first interface or the address is automatcly
+          set via DHCP or not the first interface
+
+    interface_domain_name_servers:
+      type: ip
+      description: IP des serveurs DNS
+      multi: true
+      disabled:
+        jinja: >-
+          {%- if _.interface_type != 'ipv4' or not _.first_interface -%}
+          disabled
+          {%- endif -%}
+        description: >-
+          if it's not the first interface or the address is automatcly
+          set via DHCP or not the first interface
+
+  host_network_filename:
+    type: unix_filename
+    multi: true
+    hidden: true
+    default:
+      jinja: |-
+        {%- for interface in _.interfaces.interface_names %}
+        /etc/systemd/network/80-{{ interface }}.network
+        {% endfor %}
+
+zones:
+  type: leadership
+
+  zone_name:
+    hidden: true
+    default:
+      jinja: |-
+        {%- for zone in zones %}
+        {{ zone }}
+        {%- endfor -%}
+      params:
+        zones:
+          information: zones
+
+  zone_cidr:
+    type: cidr
+    hidden: true
+    default:
+      jinja: >-
+        {{ zones | get_zones_info("cidr", zone_name=_.zone_name) }}
+      params:
+        zones:
+          information: zones
+
+vector:
+
+  server_address:
+    type: domainname
+    hidden: true
+    supplier: Vector
+    mandatory: false
+
+  ip_address:
+    type: ip
+    hidden: true
+    supplier: Vector:address
+    disabled:
+      variable: _.server_address
+      when: null
+    default:
+      jinja: >-
+        {{ zones | get_ip(_.server_address) }}
+      params:
+        zones:
+          information: zones
+
+prometheus:
+
+  server_address:
+    type: domainname
+    hidden: true
+    supplier: Prometheus
+    mandatory: false
+
+  ip_address:
+    type: ip
+    hidden: true
+    default:
+      jinja: >-
+        {{ zones | get_ip(_.server_address) }}
+      params:
+        zones:
+          information: zones
--- a/seed/host-systemd-machined/extras/machined/00_machined.xml
+++ b/seed/host-systemd-machined/extras/machined/00_machined.xml
@ -1,66 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<rougail version="0.10">
-  <services>
-    <service name="systemd-nspawn@">
-      <file engine="ansible" file_type="variable" source="nspawn" variable="machined.machines">machined.nspawn_zone_filename</file>
-      <file engine="ansible" file_type="variable" source="network-script" variable="machined.machines" mode="700">machined.nspawn_script_network</file>
-      <file engine="ansible" file_type="variable" source="tls-script" variable="machined.machines" mode="700">machined.nspawn_script_tls</file>
-      <file engine="ansible" file_type="variable" source="directory-script" variable="machined.machines" mode="700">machined.nspawn_script_directory</file>
-    </service>
-  </services>
-  <variables>
-    <variable name="machines" description="Machines started in this host" type="domainname" multi="True" provider="Host" hidden="True"/>
-    <family name="machine_" description="Machine " dynamic="machined.machines">
-      <variable name="incoming_ports_" description="Incomming external ports for " hidden="True" type="port" multi="True" provider="Host:incoming_ports"/>
-      <variable name="outgoing_ports_" description="Outcoming external ports for " hidden="True" type="port" multi="True" provider="Host:outgoing_ports"/>
-      <variable name="srv_dir_" description="Directory with srv volume for " hidden="True" type="filename" provider="Host:machine_srv"/>
-      <variable name="journal_dir_" description="Directory with journal volume for " hidden="True" type="filename" provider="Host:machine_journal"/>
-      <variable name="config_dir_" description="Directory with configuration volume for " hidden="True" type="filename" provider="Host:config_dir" mandatory="True"/>
-      <variable name="tls_dir_" hidden="True" type="filename" provider="Host:machine_tls"/>
-      <variable name="zones_" description="Zones for " hidden="True" provider="Host:machine_zones" multi="True"/>
-      <variable name="ip_" description="IP for " type="ip" hidden="True"/>
-    </family>
-    <variable name="nspawn_zone_filename" type="filename" hidden="True" multi="True"/>
-    <variable name="nspawn_script_network" type="filename" hidden="True" multi="True"/>
-    <variable name="nspawn_script_tls" type="filename" hidden="True" multi="True"/>
-    <variable name="nspawn_script_directory" type="filename" hidden="True" multi="True"/>
-  </variables>
-  <constraints>
-    <fill name="calc_value">
-      <param>/sbin/network-</param>
-      <param type="variable">machined.machines</param>
-      <param name="join"></param>
-      <param name="multi" type="boolean">True</param>
-      <target>machined.nspawn_script_network</target>
-    </fill>
-    <fill name="calc_value">
-      <param>/sbin/tls-</param>
-      <param type="variable">machined.machines</param>
-      <param name="join"></param>
-      <param name="multi" type="boolean">True</param>
-      <target>machined.nspawn_script_tls</target>
-    </fill>
-    <fill name="calc_value">
-      <param>/sbin/directory-</param>
-      <param type="variable">machined.machines</param>
-      <param name="join"></param>
-      <param name="multi" type="boolean">True</param>
-      <target>machined.nspawn_script_directory</target>
-    </fill>
-    <fill name="calc_value">
-      <param>/etc/systemd/nspawn/</param>
-      <param type="variable">machined.machines</param>
-      <param>.nspawn</param>
-      <param name="join"></param>
-      <param name="multi" type="boolean">True</param>
-      <target>machined.nspawn_zone_filename</target>
-    </fill>
-    <fill name="get_ip">
-      <param type="information">zones</param>
-      <param type="suffix"/>
-      <target>machined.machine_.ip_</target>
-    </fill>
-  </constraints>
-</rougail>
-
-
--- a/seed/host-systemd-machined/extras/machined/00_machined.yml
+++ b/seed/host-systemd-machined/extras/machined/00_machined.yml
@ -0,0 +1,119 @@
+---
+version: 1.1
+
+machines:
+  description: Machines started in this host
+  type: domainname
+  multi: true
+  provider: Host
+  hidden: true
+  mandatory: false
+
+"machine_{{ suffix }}":
+  description: 'Machine {{ suffix }}'
+  dynamic:
+    variable: machined.machines
+
+  incoming_ports:
+    description: 'Incomming external ports for {{ suffix }}'
+    hidden: true
+    type: port
+    multi: true
+    provider: Host:incoming_ports
+    mandatory: false
+
+  outgoing_ports:
+    description: 'Outcoming external ports for {{ suffix }}'
+    hidden: true
+    type: port
+    params:
+      allow_protocol: true
+    multi: true
+    provider: Host:outgoing_ports
+    mandatory: false
+
+  srv_dir:
+    description: 'Directory with srv volume for {{ suffix }}'
+    hidden: true
+    type: unix_filename
+    provider: Host:machine_srv
+    mandatory: false
+
+  journal_dir:
+    description: 'Directory with journal volume for {{ suffix }}'
+    hidden: true
+    type: unix_filename
+    provider: Host:machine_journal
+    mandatory: false
+
+  config_dir:
+    description: 'Directory with configuration volume for {{ suffix }}'
+    hidden: true
+    type: unix_filename
+    provider: Host:config_dir
+
+  tls_dir:
+    hidden: true
+    type: unix_filename
+    provider: Host:machine_tls
+    mandatory: false
+
+  zones:
+    description: 'Zones for {{ suffix }}'
+    hidden: true
+    provider: Host:machine_zones
+    multi: true
+    mandatory: false
+
+  ip:
+    description: 'IP for {{ suffix }}'
+    type: ip
+    hidden: true
+    default:
+      jinja: >-
+        {{ zones | get_ip(suffix) }}
+      params:
+        zones:
+          information: zones
+        suffix:
+          type: suffix
+
+nspawn_zone_filename:
+  type: unix_filename
+  hidden: true
+  multi: true
+  default:
+    jinja: |-
+      {%- for machine in machined.machines %}
+      /etc/systemd/nspawn/{{ machine }}.nspawn
+      {%- endfor -%}
+
+nspawn_script_network:
+  type: unix_filename
+  hidden: true
+  multi: true
+  default:
+    jinja: |-
+      {%- for machine in machined.machines %}
+      /sbin/network-{{ machine }}
+      {%- endfor -%}
+
+nspawn_script_tls:
+  type: unix_filename
+  hidden: true
+  multi: true
+  default:
+    jinja: |-
+      {%- for machine in machined.machines %}
+      /sbin/tls-{{ machine }}
+      {%- endfor -%}
+
+nspawn_script_directory:
+  type: unix_filename
+  hidden: true
+  multi: true
+  default:
+    jinja: |-
+      {%- for machine in machined.machines %}
+      /sbin/directory-{{ machine }}
+      {%- endfor -%}
--- a/seed/host-systemd-machined/funcs/machined.py
+++ b/seed/host-systemd-machined/funcs/machined.py
@ -2,15 +2,6 @@ from risotto.utils import multi_function as _multi_function
 from typing import List as _List


-@_multi_function
-def get_internal_zone_names(zones) -> _List[str]:
-    return list(zones)
-
-
-def is_first_interface(index) -> bool:
-    return index == 0
-
-
@_multi_function
 def get_host_ip(zones: dict,
                server_name: str,
--- a/seed/imap-client/applicationservice.yml
+++ b/seed/imap-client/applicationservice.yml
@ -1,2 +1,3 @@
+---
 format: '0.1'
 description: Application service needs interact with an IMAP server
--- a/seed/imap-client/dictionaries/21_imap_client.xml
+++ b/seed/imap-client/dictionaries/21_imap_client.xml
@ -1,16 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<rougail version="0.10">
-  <services>
-    <service name="imap" manage="False">
-      <certificate authority="IMAP" server="imap_address" owner="imap_cert_owner" owner_type="variable">imap</certificate>
-    </service>
-  </services>
-  <variables>
-    <family name="imap" description="Client SMTP">
-      <variable name="imap_address" type="domainname" mandatory="True" supplier="IMAP" hidden="True"/>
-      <variable name="imap_cert_owner" type="unix_user" mandatory="True" hidden="True">
-        <value>root</value>
-      </variable>
-    </family>
-  </variables>
-</rougail>
--- a/seed/imap-client/dictionaries/21_imap_client.yml
+++ b/seed/imap-client/dictionaries/21_imap_client.yml
@ -0,0 +1,14 @@
+---
+version: 1.1
+
+imap:
+  description: Client SMTP
+  hidden: true
+
+  address:
+    type: domainname
+    supplier: IMAP
+
+  cert_owner:
+    type: unix_user
+    default: root
--- a/seed/journald/applicationservice.yml
+++ b/seed/journald/applicationservice.yml
@ -1,3 +1,4 @@
+---
 format: '0.1'
 description: Journald
 website: https://systemd.io/
--- a/seed/journald/dictionaries/20_journald.xml
+++ b/seed/journald/dictionaries/20_journald.xml
@ -1,21 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<rougail version="0.10">
-  <services>
-    <service name="systemd-journal-upload" target="multi-user" servicelist="journald">
-      <override engine="none"/>
-      <certificate authority="Journald" server="journal_client_server_domainname" group="systemd-journal">journald</certificate>
-      <file engine="ansible">/etc/systemd/journal-upload.conf</file>
-    </service>
-  </services>
-  <variables>
-    <family name="journald" description="systemd-journald">
-      <variable name="journal_client_server_domainname" type="domainname" supplier="Journald" hidden="True"/>
-    </family>
-  </variables>
-  <constraints>
-    <condition name="disabled_if_in" source="journal_client_server_domainname">
-      <param type="nil"/>
-      <target type="servicelist">journald</target>
-    </condition>
-  </constraints>
-</rougail>
--- a/seed/journald/dictionaries/20_journald.yml
+++ b/seed/journald/dictionaries/20_journald.yml
@ -0,0 +1,10 @@
+---
+version: 1.1
+
+journald:
+
+  journal_client_server_domainname:
+    type: domainname
+    supplier: Journald
+    hidden: true
+    mandatory: false
--- a/seed/journald_remote/applicationservice.yml
+++ b/seed/journald_remote/applicationservice.yml
@ -1,3 +1,4 @@
+---
 format: '0.1'
 description: Journald remote
 website: https://systemd.io/
--- a/seed/journald_remote/dictionaries/21_journald.xml
+++ b/seed/journald_remote/dictionaries/21_journald.xml
@ -1,11 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<rougail version="0.10">
-  <services>
-    <service name="systemd-journal-remote" target="multi-user">
-      <override engine="none"/>
-      <certificate certificatelist="journald" authority="Journald" type="server" owner="systemd-journal-remote">journald</certificate>
-      <file engine="ansible" filelist="journald">/etc/systemd/journal-remote.conf</file>
-    </service>
-  </services>
-</rougail>
-
--- a/seed/journald_remote/extras/accounts/00_accounts.xml
+++ b/seed/journald_remote/extras/accounts/00_accounts.xml
@ -1,20 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<rougail version="0.10">
-  <variables>
-    <variable name="remotes" description="Concentrate journal messages on one host" type="domainname" provider="Journald" mandatory="True" multi="True" hidden="True"/>
-    <family name="remote_" description="Account for " dynamic="accounts.remotes" hidden="True">
-      <variable name="services_" description="Log from this service to exclude for " multi="True" provider="Journald:service" unique="False"/>
-      <variable name="functions_" description="Function use to compare message (if not defined, exlude same message) for " multi="True" provider="Journald:function" mandatory="False" unique="False"/>
-      <variable name="messages_" description="Message to exclude for " multi="True" provider="Journald:message" unique="False"/>
-    </family>
-    <variable name="vector_conditions" hidden="True"/>
-  </variables>
-  <constraints>
-    <fill name="calc_vector_conditions">
-      <param type="variable">accounts.remote_.messages_</param>
-      <param type="variable">accounts.remote_.services_</param>
-      <param type="variable">accounts.remote_.functions_</param>
-      <target>accounts.vector_conditions</target>
-    </fill>
-  </constraints>
-</rougail>
--- a/seed/journald_remote/extras/accounts/00_accounts.yml
+++ b/seed/journald_remote/extras/accounts/00_accounts.yml
@ -0,0 +1,52 @@
+---
+version: 1.1
+
+remotes:
+  description: Concentrate journal messages on one host
+  type: domainname
+  multi: true
+  hidden: true
+  provider: Journald
+
+"remote_{{ suffix }}":
+  description: 'Account for {{ suffix }}'
+  dynamic:
+    variable: accounts.remotes
+  hidden: true
+
+  services:
+    description: 'Log from this service to exclude for {{ suffix }}'
+    multi: true
+    unique: false
+    mandatory: false
+    provider: Journald:service
+
+  functions:
+    description: >-
+      Function use to compare message (if not defined, exlude same message)
+      for {{ suffix }}
+    multi: true
+    mandatory: false
+    empty: false
+    unique: false
+    provider: Journald:function
+
+  messages:
+    description: 'Message to exclude for {{ suffix }}'
+    multi: true
+    unique: false
+    mandatory: false
+    provider: Journald:message
+
+vector_conditions:
+  default:
+    jinja: >-
+      {{ messages | calc_vector_conditions(services, functions) }}
+    params:
+      messages:
+        variable: accounts.remote_{{ suffix }}.messages
+      services:
+        variable: accounts.remote_{{ suffix }}.services
+      functions:
+        variable: accounts.remote_{{ suffix }}.functions
+  hidden: true
--- a/seed/ldap-client/applicationservice.yml
+++ b/seed/ldap-client/applicationservice.yml
@ -1,2 +1,3 @@
+---
 format: '0.1'
 description: Application service needs interact with a LDAP server
--- a/seed/ldap-client/dictionaries/21_ldap-client.xml
+++ b/seed/ldap-client/dictionaries/21_ldap-client.xml
@ -1,94 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<rougail version="0.10">
-  <services>
-    <service name="ldap-client" target="risotto" engine="ansible">
-      <certificate authority="LDAP" owner="ldap_key_file_owner" owner_type="variable" server="ldap_server_address">ldap_client</certificate>
-      <file engine="ansible" source="ldap.conf" file_type="variable">ldap_client_file</file>
-    </service>
-  </services>
-  <variables>
-    <family name="ldap" description="OpenLDAP directory">
-      <family name="server" description="Server">
-        <variable name='ldap_server_address' type='domainname' hidden="True" mandatory='True' supplier="LDAP"/>
-        <variable name="ldap_server_ip" type="ip" hidden="True"/>
-        <variable name='ldap_port' type='port' hidden="True">
-          <value>636</value>
-        </variable>
-        <variable name='prefix_domain_name' hidden="True" mandatory="True" provider="global:prefix_domain_name"/>
-      </family>
-      <family name="client" description="Client">
-        <variable name='ldapclient_family' type='unix_user' description="Restrict service configuration for a LDAP family" help='"all" for all families.' supplier="LDAP:family"/>
-        <variable name='ldapclient_user' type='string' mandatory='False' hidden="True" supplier="LDAP:dn"/>
-        <variable name='ldapclient_address' hidden="True"/>
-        <variable name='ldapclient_user_password' type='password' mandatory='True' hidden="True" supplier="LDAP:password"/>
-        <variable name='ldapclient_base_dn' type='string' mandatory="True" supplier="LDAP:base_dn" hidden="True"/>
-        <variable name='ldapclient_search_dn' type='string' mandatory="True" hidden="True"/>
-        <variable name='ldapclient_group_dn' type='string' mandatory="True" hidden="True"/>
-        <variable name='ldapclient_user_dn' type='string' mandatory="True" hidden="True"/>
-        <variable name="ldap_key_file_owner" type="unix_user" hidden="True">
-          <value>root</value>
-        </variable>
-        <variable name="ldap_client_file" type="filename" hidden="True"/>
-      </family>
-    </family>
-  </variables>
-  <constraints>
-    <check name='valid_base_dn'>
-      <target>ldapclient_base_dn</target>
-    </check>
-    <fill name="get_ip">
-      <param type="information">zones</param>
-      <param type="variable">ldap_server_address</param>
-      <target>ldap_server_ip</target>
-    </fill>
-    <fill name='get_default_base_dn'>
-      <param type="variable">prefix_domain_name</param>
-      <target>ldapclient_base_dn</target>
-    </fill>
-    <fill name='calc_value'>
-      <param>ou=accounts</param>
-      <param type="variable">ldapclient_base_dn</param>
-      <param name="join">,</param>
-      <target>ldapclient_search_dn</target>
-    </fill>
-    <fill name='calc_value'>
-      <param>cn=</param>
-      <param type='variable'>ldapclient_address</param>
-      <param>,</param>
-      <param type='variable'>ldapclient_base_dn</param>
-      <param name="join"></param>
-      <target>ldapclient_user</target>
-    </fill>
-    <fill name="get_client_address">
-      <param type='variable'>ldap_server_ip</param>
-      <param type='variable'>domain_name_eth</param>
-      <param type='variable'>network_eth</param>
-      <target>ldapclient_address</target>
-    </fill>
-    <fill name="get_password">
-      <param name="server_name" type="variable">ldap_server_address</param>
-      <param name="username" type="variable">ldapclient_user</param>
-      <param name="description">remote account</param>
-      <param name="type">cleartext</param>
-      <param name="hide" type="variable">hide_secret</param>
-      <param name="temporary" type="boolean">True</param>
-      <target>ldapclient_user_password</target>
-    </fill>
-    <fill name="calc_ldapclient_base_dn">
-      <param type="variable">ldapclient_base_dn</param>
-      <param name="group" type="boolean">True</param>
-      <target>ldapclient_group_dn</target>
-    </fill>
-    <fill name="calc_ldapclient_base_dn">
-      <param type="variable">ldapclient_base_dn</param>
-      <target>ldapclient_user_dn</target>
-    </fill>
-    <fill name="calc_value">
-      <param>/etc/ldap/ldap.conf</param>
-      <param name="condition" type="variable">os_name</param>
-      <param name="expected">Debian</param>
-      <param name="default">/etc/openldap/ldap.conf</param>
-      <target>ldap_client_file</target>
-    </fill>
-  </constraints>
-</rougail>
--- a/seed/ldap-client/dictionaries/21_ldap-client.yml
+++ b/seed/ldap-client/dictionaries/21_ldap-client.yml
@ -0,0 +1,135 @@
+---
+version: 1.1
+
+ldap:  # OpenLDAP directory
+
+  server:  # Server
+
+    address:
+      type: domainname
+      hidden: true
+      supplier: LDAP
+
+    ip:
+      type: ip
+      default:
+        jinja: >-
+          {{ zones | get_ip(_.address) }}
+        params:
+          zones:
+            information: zones
+      hidden: true
+
+    port:
+      type: port
+      default: 636
+      hidden: true
+
+    prefix_domain_name:
+      hidden: true
+      provider: global:prefix_domain_name
+
+  client:  # Client
+
+    family:
+      description: Restrict service configuration for a LDAP family
+      help: '"all" for all families.'
+      type: unix_user
+      mandatory: false
+      supplier: LDAP:family
+
+    user:
+      type: string
+      default:
+        jinja: |-
+          cn={{ _.address }},{{ _.base_dn }}
+      hidden: true
+      supplier: LDAP:dn
+
+    address:
+      default:
+        jinja: >-
+          {{ __.server.ip |
+               get_client_address(domain_name, network) }}
+        params:
+          network:
+            variable: >-
+              general.network.interface_{{ suffix }}.network
+          domain_name:
+            variable: >-
+              general.network.interface_{{ suffix }}.domain_name
+      hidden: true
+
+    user_password:
+      type: secret
+      default:
+        jinja: >-
+          {{ _.user | get_password(server_name=__.server.address,
+                                   description="remote account",
+                                   type="cleartext",
+                                   hide=general.hide_secret,
+                                   temporary=true)
+            }}
+      hidden: true
+      supplier: LDAP:password
+
+    base_dn:
+      type: string
+      validators:
+        - jinja: >-
+            {%- set var = {'ok': false} -%}
+            {%- for att in ['o', 'dc', 'ou'] -%}
+              {%- if _.base_dn.startswith(att + '=') -%}
+                {%- set var = var.update({'ok': true}) -%}
+              {%- endif -%}
+            {%- endfor -%}
+            {%- if not var.ok -%}
+              {%- set e = "the root LDAP base DN must starts with an " -%}
+              {%- set e = e + "organisation (o=), a domain componant (dc=) " -%}
+              {%- set e = e + "or an organizational unit (ou=)" -%}
+              {{ e }}
+            {%- endif -%}
+          description: >-
+            if LDAP base DN starts with an organisation (o=), a domain componant
+            (dc=) or an organizational unit (ou=)
+      default:
+        jinja: >-
+          {{ __.server.prefix_domain_name | get_default_base_dn }}
+      hidden: true
+      supplier: LDAP:base_dn
+
+    search_dn:
+      default:
+        jinja: >-
+          ou=accounts,{{ _.base_dn }}
+      hidden: true
+
+    group_dn:
+      type: string
+      default:
+        jinja: >-
+          {{ _.base_dn | calc_ldapclient_base_dn(group=true) }}
+      hidden: true
+
+    user_dn:
+      type: string
+      default:
+        jinja: >-
+          {{ _.base_dn | calc_ldapclient_base_dn }}
+      hidden: true
+
+    key_file_owner:
+      type: unix_user
+      default: root
+      hidden: true
+
+    file:
+      type: unix_filename
+      default:
+        jinja: >-
+          {%- if general.os_name == 'Debian' -%}
+          /etc/ldap/ldap.conf
+          {%- else -%}
+          /etc/openldap/ldap.conf
+          {%- endif -%}
+      hidden: true
--- a/seed/lemonldap/applicationservice.yml
+++ b/seed/lemonldap/applicationservice.yml
@ -1,3 +1,4 @@
+---
 format: '0.1'
 description: LemonLDAP, a Web Single Sign On and Access Management
 website: https://lemonldap-ng.org/
--- a/seed/lemonldap/dictionaries/70_lemonldap_ng.xml
+++ b/seed/lemonldap/dictionaries/70_lemonldap_ng.xml
@ -1,45 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<rougail version="0.10">
-  <services>
-    <service name="lemonldap-ng-fastcgi-server">
-      <override engine="none"/>
-      <file engine="none">/static/logo.png</file>
-      <file engine="none">/static/demo.png</file>
-      <file engine="none">/static/silique_email.png</file>
-      <file engine="none">/static/silique_folder.png</file>
-      <file engine="none">/static/silique_note.png</file>
-      <file engine="none">/static/silique_video.png</file>
-      <file engine="none">/static/silique_image.png</file>
-      <file engine="none">/static/risotto.css</file>
-      <file engine="ansible">/var/lib/lemonldap-ng/conf/lmConf-1.json</file>
-      <file engine="none">/etc/lemonldap-ng/lemonldap-ng.ini</file>
-      <file engine="ansible">/etc/lemonldap-ng/portal-nginx.conf</file>
-      <file engine="none">/etc/lemonldap-ng/nginx-lmlog.conf</file>
-      <file engine="ansible">/etc/default/lemonldap-ng-fastcgi-server</file>
-      <file engine="ansible" mode="750">/sbin/interne_well_known.pl</file>
-      <file engine="ansible" mode="750">/sbin/wget.pl</file>
-      <file engine="none" source="tmpfile-lemonldap.conf">/tmpfiles.d/0lemonldap.conf</file>
-      <file engine="ansible" filelist="copy_tests">/tests/lemonldap.yml</file>
-    </service>
-  </services>
-  <variables>
-    <family name="nginx">
-      <variable name="nginx_default_https" redefine="True">
-        <value>False</value>
-      </variable>
-    </family>
-    <family name="lemonldap" description="LemonLDAP" help="Configuration de la solution d'authentification unique LemonLDAP::NG">
-      <variable name="lemon_proc" type="number" description="Nombre de processus dédié à LemonLdap (équivalent au nombre de processeurs)" mandatory="True" mode="expert">
-        <value>1</value>
-      </variable>
-      <variable name="lemon_mail_admin" type="mail" description="Courriel de l'administrateur" mandatory="True" test="admin@example.net"/>
-    </family>
-    <family name="ldap">
-      <family name="client">
-        <variable name='ldapclient_family' redefine="True">
-          <value>all</value>
-        </variable>
-      </family>
-    </family>
-  </variables>
-</rougail>
--- a/seed/lemonldap/dictionaries/70_lemonldap_ng.yml
+++ b/seed/lemonldap/dictionaries/70_lemonldap_ng.yml
@ -0,0 +1,32 @@
+---
+version: 1.1
+
+nginx:
+
+  default_https:
+    redefine: true
+    default: false
+
+lemonldap:
+  description: LemonLDAP
+  help: Configuration de la solution d'authentification unique LemonLDAP::NG
+
+  proc:
+    description: Nombre de processus dédié à LemonLdap
+    help: Équivalent au nombre de processeurs
+    mode: advanced
+    default: 1
+
+  mail_admin:
+    type: mail
+    description: Courriel de l'administrateur
+    examples:
+      - admin@example.net
+
+ldap:
+
+  client:
+
+    family:
+      redefine: true
+      default: all
--- a/seed/lemonldap/extras/oauth2/00_oauth2.xml
+++ b/seed/lemonldap/extras/oauth2/00_oauth2.xml
@ -1,31 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<rougail version="0.10">
-  <variables>
-    <variable name="remotes" description="Remote clients needing to verify OAuth2 account" type="domainname" multi="True" provider="OAuth2" hidden="True"/>
-    <family name="oauth2_" description="OAuth2 for " dynamic="oauth2.remotes">
-      <variable name="client_id_" description="Remote client id for " mandatory="True" hidden="True" provider="OAuth2:client_id"/>
-      <variable name="secret_" description="Remote secret for " type="password" mandatory="True" hidden="True" provider="OAuth2:secret"/>
-      <variable name="name_" description="Remote name for " hidden="True" provider="OAuth2:name"/>
-      <variable name="description_" description="Remote description for " hidden="True" provider="OAuth2:description"/>
-      <variable name="category_" description="Remode category for " hidden="True" provider="OAuth2:category"/>
-      <variable name="login_" description="Remote URL to login for " hidden="True" provider="OAuth2:login"/>
-      <family name="external_" leadership="True">
-        <variable name="hosts_" description="Remote external for " provider="OAuth2:external" multi="True" hidden="True"/>
-        <variable name="family_" description="Remote family for " provider="OAuth2:family"/>
-      </family>
-      <variable name="logo_" description="Logo for " hidden="True" provider="OAuth2:logo"/>
-      <variable name="token_signature_algo_" type="choice" description="OAuth2 token signature algorithm for " mandatory='True' hidden="True" provider="OAuth2:token_signature_algo">
-        <choice>HS512</choice>
-        <choice>RS256</choice>
-      </variable>
-      <variable name="oauth2_client_external_domain_" description="External domain for " type="domainname" hidden="True" supplier="OAuth2:external_domain"/>
-    </family>
-  </variables>
-  <constraints>
-    <fill name="get_first_value">
-      <param type="variable">revprox_client_external_domainnames</param>
-      <target>oauth2.oauth2_.oauth2_client_external_domain_</target>
-    </fill>
-  </constraints>
-</rougail>
-
--- a/seed/lemonldap/extras/oauth2/00_oauth2.yml
+++ b/seed/lemonldap/extras/oauth2/00_oauth2.yml
@ -0,0 +1,90 @@
+---
+version: 1.1
+
+remotes:
+  description: Remote clients needing to verify OAuth2 account
+  type: domainname
+  multi: true
+  provider: OAuth2
+  hidden: true
+  mandatory: false
+
+"oauth2_{{ suffix }}":
+  _description: 'OAuth2 for {{ suffix }}'
+  dynamic:
+    variable: oauth2.remotes
+
+  client_id:
+    description: 'Remote client id for {{ suffix }}'
+    hidden: true
+    provider: OAuth2:client_id
+
+  secret:
+    description: 'Remote secret for {{ suffix }}'
+    type: secret
+    hidden: true
+    provider: OAuth2:secret
+
+  name:
+    description: 'Remote name for {{ suffix }}'
+    hidden: true
+    provider: OAuth2:name
+    mandatory: false
+
+  description:
+    description: 'Remote description for {{ suffix }}'
+    hidden: true
+    provider: OAuth2:description
+    mandatory: false
+
+  category:
+    description: 'Remote category for {{ suffix }}'
+    hidden: true
+    provider: OAuth2:category
+    mandatory: false
+
+  login:
+    description: 'Remote URL to login for {{ suffix }}'
+    hidden: true
+    provider: OAuth2:login
+    mandatory: false
+
+  external:
+    type: leadership
+
+    hosts:
+      description: 'Remote external for {{ suffix }}'
+      provider: OAuth2:external
+      hidden: true
+      mandatory: false
+
+    family:
+      description: 'Remote family for {{ suffix }}'
+      provider: OAuth2:family
+      mandatory: false
+
+  logo:
+    description: 'Logo for {{ suffix }}'
+    hidden: true
+    provider: OAuth2:logo
+    mandatory: false
+
+  token_signature_algo:
+    description: 'OAuth2 token signature algorithm for {{ suffix }}'
+    hidden: true
+    provider: OAuth2:token_signature_algo
+    choices:
+      - HS512
+      - RS256
+
+  oauth2_client_external_domain:
+    description: 'External domain for {{ suffix }}'
+    type: domainname
+    hidden: true
+    supplier: OAuth2:external_domain
+    default:
+      jinja: >-
+        {% set domains = general.revprox.client.external_domainnames %}
+        {%- if domains -%}
+        {{ domains[0] }}
+        {%- endif -%}
--- a/seed/loki/applicationservice.yml
+++ b/seed/loki/applicationservice.yml
@ -1,3 +1,4 @@
+---
 format: '0.1'
 description: Loki, a log aggregation platform
 website: https://grafana.com/
--- a/seed/loki/dictionaries/20_loki.xml
+++ b/seed/loki/dictionaries/20_loki.xml
@ -1,16 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<rougail version="0.10">
-  <services>
-    <service name="loki" target="multi-user" engine="ansible">
-      <file engine="ansible" source="loki-local-config.yaml">/etc/loki/loki.yaml</file>
-      <file engine="none" source="sysuser-loki.conf">/sysusers.d/loki.conf</file>
-      <file engine="none" source="tmpfile-loki.conf">/tmpfiles.d/0loki.conf</file>
-    </service>
-  </services>
-  <variables>
-    <family name="loki" description="Loki">
-      <variable name="remotes" description="Concentrate log messages" type="domainname" provider="Loki" mandatory="True" multi="True" hidden="True"/>
-    </family>
-  </variables>
-</rougail>
-
--- a/seed/loki/dictionaries/20_loki.yml
+++ b/seed/loki/dictionaries/20_loki.yml
@ -0,0 +1,11 @@
+---
+version: 1.1
+
+loki:  # Loki
+
+  remotes:
+    description: Concentrate log messages
+    type: domainname
+    provider: Loki
+    multi: true
+    hidden: true
--- a/seed/mailman/applicationservice.yml
+++ b/seed/mailman/applicationservice.yml
@ -1,5 +1,7 @@
+---
 format: '0.1'
-description: GNU Mailman, managing electronic mail discussion and e-newsletter lists
+description: >
+  GNU Mailman, managing electronic mail discussion and e-newsletter lists
 website: https://www.list.org
 depends:
  - base-debian-bullseye
--- a/seed/mailman/dictionaries/31_mailman.xml
+++ b/seed/mailman/dictionaries/31_mailman.xml
@ -1,80 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<rougail version="0.10">
-  <services>
-    <service name="mailman3"> <!-- target="multi-user">-->
-      <override engine="ansible"/>
-      <file engine="ansible" owner="root" group="list" mode="640">/etc/mailman3/mailman.cfg</file>
-      <file engine="none" source="tmpfile-mailman.conf">/tmpfiles.d/0mailman.conf</file>
-      <file engine="ansible" filelist="copy_tests">/tests/mailman.yml</file>
-      <!--file owner="root" group="mailman" mode="640">/etc/mailman3.d/postfix.cfg</file-->
-    </service>
-    <service name="mailman3-web"> <!-- target="multi-user" engine="cheetah">-->
-      <override engine="ansible"/>
-      <certificate authority="PostgreSQL" owner="www-data" server="pg_client_server_domainname">postgresql_postorius</certificate>
-      <!--file engine="none">/etc/postorius/gunicorn_config.py</file>
-      <file engine="none" source="sysuser-postorius.conf">/sysusers.d/0postorius.conf</file-->
-      <file engine="ansible" source="config-nginx.conf">/etc/mailman3/nginx.conf</file>
-      <file engine="ansible">/etc/mailman3/mailman-web.py</file>
-      <file engine="none">/etc/mailman3/uwsgi.ini</file>
-    </service>
-  </services>
-  <variables>
-    <family name="mailman" description="Gestionnaire de liste">
-      <variable name="mailman_mail_owner" type="mail" description="Courriel du gestionnaire de liste du site" mandatory="True" test="admin@example.net"/>
-      <variable name="mailman_domains" type="domainname" description="Nom de domaine des listes" multi="True" mandatory="True" test="list.example.net"/>
-      <variable name="postorius_secret_key" type="password" description="Internal secret key" mandatory="True" hidden="True" auto_save="False"/>
-    </family>
-    <family name="oauth2_client">
-      <variable name="oauth2_is_client_application" redefine='True'>
-        <value>True</value>
-      </variable>
-      <variable name="oauth2_client_name" redefine='True'>
-        <value>Liste de distribution</value>
-      </variable>
-      <variable name="oauth2_client_description" redefine='True'>
-        <value>Liste de distribution Mailman</value>
-      </variable>
-      <variable name="oauth2_client_category" redefine='True'>
-        <value>Développement</value>
-      </variable>
-      <variable name="oauth2_client_logo" redefine='True'>
-        <value>silique_email.png</value>
-      </variable>
-      <variable name="oauth2_client_token_signature_algo" redefine="True">
-        <value>RS256</value>
-      </variable>
-      <family name="external">
-        <variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
-      </family>
-    </family>
-    <family name="nginx">
-      <variable name="nginx_default_https" redefine="True">
-        <value>False</value>
-      </variable>
-      <variable name="nginx_root" redefine="True">
-        <value>/usr/share/webapps/postorius</value>
-      </variable>
-    </family>
-    <family name="postgresql">
-      <variable name="pg_client_key_owner" redefine="True">
-        <value>list</value>
-      </variable>
-    </family>
-  </variables>
-  <constraints>
-    <fill name="get_password">
-      <param name="server_name" type="variable">domain_name_eth0</param>
-      <param name="username">postorius</param>
-      <param name="description">secret_key</param>
-      <param name="type">cleartext</param>
-      <param name="hide" type="variable">hide_secret</param>
-      <target>postorius_secret_key</target>
-    </fill>
-    <fill name="calc_oauth2_client_external">
-      <param type="variable">revprox_client_external_domainnames</param>
-      <param type="variable">revprox_client_location</param>
-      <param>accounts/risotto/login/</param>
-      <target>oauth2_client_external</target>
-    </fill>
-  </constraints>
-</rougail>
--- a/seed/mailman/dictionaries/31_mailman.yml
+++ b/seed/mailman/dictionaries/31_mailman.yml
@ -0,0 +1,92 @@
+---
+version: 1.1
+
+mailman:  # Gestionnaire de liste
+
+  mail_owner:
+    type: mail
+    description: Courriel du gestionnaire de liste du site
+    examples:
+      - admin@example.net
+
+  domains:
+    type: domainname
+    description: Nom de domaine des listes
+    multi: true
+    examples:
+      - list.example.net
+
+  postorius_secret_key:
+    type: secret
+    description: Internal secret key
+    hidden: true
+    auto_save: false
+    default:
+      jinja: >-
+        {{ "postorius" |
+             get_password(server_name=general.network.interface_0.domain_name,
+             description="secret_key",
+             type="cleartext",
+             hide=general.hide_secret)
+          }}
+
+oauth2:
+
+  client:
+
+    is_client_application:
+      redefine: true
+      default: true
+
+    name:
+      redefine: true
+      default: Liste de distribution
+
+    description:
+      redefine: true
+      default: Liste de distribution Mailman
+
+    category:
+      redefine: true
+      default: Développement
+
+    logo:
+      redefine: true
+      default: silique_email.png
+
+    token_signature_algo:
+      redefine: true
+      default: RS256
+
+    external:
+
+      external:
+        redefine: true
+        default:
+          jinja: |-
+            {%- for val in
+              general.revprox.client.external_domainnames |
+              calc_oauth2_client_external(
+                general.revprox.client.location,
+                "accounts/risotto/login/")
+               %}
+            {{ val }}
+            {%- endfor -%}
+
+nginx:
+
+  default_https:
+    redefine: true
+    default: false
+
+  root:
+    redefine: true
+    default: /usr/share/webapps/postorius
+
+postgresql:
+
+  client:
+
+    key_owner:
+      redefine: true
+      default: list
--- a/seed/mailman/extras/machine/20_mailman.xml
+++ b/seed/mailman/extras/machine/20_mailman.xml
@ -1,17 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<rougail version="0.10">
-  <variables>
-    <variable name="var_size" redefine="True">
-      <value>256</value>
-    </variable>
-    <variable name="add_tmp" redefine="True">
-      <value>False</value>
-    </variable>
-    <variable name="add_swap" redefine="True">
-      <value>False</value>
-    </variable>
-    <variable name='memory' redefine="True" exists="True">
-      <value>512</value>
-    </variable>
-  </variables>
-</rougail>
--- a/seed/mailman/extras/machine/20_mailman.yml
+++ b/seed/mailman/extras/machine/20_mailman.yml
@ -0,0 +1,19 @@
+---
+version: 1.1
+
+var_size:
+  redefine: true
+  default: '256'
+
+add_tmp:
+  redefine: true
+  default: 'False'
+
+add_swap:
+  redefine: true
+  default: 'False'
+
+memory:
+  redefine: true
+  exists: true
+  default: '512'
--- a/seed/mailman/extras/mailman/20_mailman.xml
+++ b/seed/mailman/extras/mailman/20_mailman.xml
@ -1,23 +0,0 @@
-<?xml version="1.0" encoding="utf-8"?>
-<rougail version="0.10">
-  <variables>
-    <family name="list_" description="Listes du domaine " dynamic="mailman_domains">
-      <variable name="name_" description="Nom des listes " type="unix_user" multi="True" mandatory="True"/>
-      <variable name="names_" description="Address names " type="string" mandatory="True" hidden="True"/>
-    </family>
-    <variable name="names_" description="All address names " type="string" multi="True" mandatory="True" hidden="True" supplier="LMTP:criteria"/>
-  </variables>
-  <constraints>
-    <fill name="mailman_emails">
-      <param type="variable">mailman.list_.name_</param>
-      <param type="suffix"/>
-      <target>mailman.list_.names_</target>
-    </fill>
-    <fill name="mailman_concat">
-      <param type="variable">mailman.list_.names_</param>
-      <target>mailman.names_</target>
-    </fill>
-  </constraints>
-</rougail>
-
-
--- a/seed/mailman/extras/mailman/20_mailman.yml
+++ b/seed/mailman/extras/mailman/20_mailman.yml
@ -0,0 +1,38 @@
+---
+version: 1.1
+
+"list_{{ suffix }}":
+  description: 'Listes du domaine {{ suffix }}'
+  dynamic:
+    variable: general.mailman.domains
+
+  name:
+    description: 'Nom des listes {{ suffix }}'
+    type: unix_user
+    multi: true
+
+  names:
+    description: 'Address names {{ suffix }}'
+    type: string
+    hidden: true
+    default:
+      jinja: >-
+        {{ _.name | mailman_emails(suffix) }}
+      params:
+        suffix:
+          type: suffix
+
+names:
+  description: 'All address names'
+  type: string
+  multi: true
+  hidden: true
+  supplier: LMTP:criteria
+  default:
+    jinja: |-
+      {%- for name in names | mailman_concat %}
+      {{ name }}
+      {%- endfor -%}
+    params:
+      names:
+        variable: _.list_{{ suffix }}.names
--- a/seed/mariadb-client/applicationservice.yml
+++ b/seed/mariadb-client/applicationservice.yml
@ -1,3 +1,4 @@
+---
 format: '0.1'
 description: Application service needs interact with a MariaDB server
 website: https://mariadb.org/
--- a/seed/mariadb-client/dictionaries/20_mariadb.xml
+++ b/seed/mariadb-client/dictionaries/20_mariadb.xml
@ -1,45 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<rougail version="0.10">
-  <services>
-    <service name="mariadbclient" target="risotto" engine="ansible"/>
-  </services>
-  <variables>
-    <family name="mariadb" description="MariaDB">
-      <variable name="mariadb_client_server_domainname" type="domainname" mandatory="True" supplier="MariaDB" hidden="True"/>
-      <variable name="mariadb_client_server_ip" type="ip" hidden="True"/>
-      <variable name="mariadb_client_username" description="Database username" mandatory="True" supplier="MariaDB:username" hidden="True"/>
-      <variable name="mariadb_client_password" type="secret" description="Database password" mandatory="True" hidden="True" supplier="MariaDB:password"/>
-      <variable name="mariadb_client_database" description="Database name" mandatory="True" hidden="True" supplier="MariaDB:database"/>
-      <variable name='mariadb_client_address' hidden="True"/>
-    </family>
-  </variables>
-  <constraints>
-    <fill name="get_ip">
-      <param type="information">zones</param>
-      <param type="variable">mariadb_client_server_domainname</param>
-      <target>mariadb_client_server_ip</target>
-    </fill>
-    <fill name="get_client_address">
-      <param type='variable'>mariadb_client_server_ip</param>
-      <param type='variable'>domain_name_eth</param>
-      <param type='variable'>network_eth</param>
-      <target>mariadb_client_address</target>
-    </fill>
-    <fill name="normalize_family">
-      <param type="variable">server_name</param>
-      <target>mariadb_client_username</target>
-    </fill>
-    <fill name="calc_value">
-      <param type="variable">mariadb_client_username</param>
-      <target>mariadb_client_database</target>
-    </fill>
-    <fill name="get_password">
-      <param name="server_name" type="variable">mariadb_client_server_domainname</param>
-      <param name="username" type="variable">mariadb_client_address</param>
-      <param name="description">remote</param>
-      <param name="type">cleartext</param>
-      <param name="hide" type="variable">hide_secret</param>
-      <target>mariadb_client_password</target>
-    </fill>
-  </constraints>
-</rougail>
--- a/seed/mariadb-client/dictionaries/20_mariadb.yml
+++ b/seed/mariadb-client/dictionaries/20_mariadb.yml
@ -0,0 +1,63 @@
+---
+version: 1.1
+
+mariadb:  # MariaDB
+
+  client:  # MariaDB client
+
+    server_domainname:
+      type: domainname
+      supplier: MariaDB
+      hidden: true
+
+    server_ip:
+      type: ip
+      hidden: true
+      default:
+        jinja: >-
+          {{ zones | get_ip(_.server_domainname) }}
+        params:
+          zones:
+            information: zones
+
+    username:
+      description: Database username
+      supplier: MariaDB:username
+      hidden: true
+      default:
+        jinja: >-
+          {{ general.network.server_name | normalize_family }}
+
+    password:
+      type: secret
+      description: Database password
+      hidden: true
+      supplier: MariaDB:password
+      default:
+        jinja: >-
+          {% set server_name=_.server_domainname %}
+          {{ _.address | get_password(server_name=server_name,
+                                      description="remote",
+                                      type="cleartext",
+                                      hide=general.hide_secret)
+            }}
+
+    database:
+      description: Database name
+      hidden: true
+      supplier: MariaDB:database
+      default:
+        variable: _.username
+
+    address:
+      hidden: true
+      default:
+        jinja: >-
+          {{ _.server_ip | get_client_address(domain_name, network) }}
+        params:
+          network:
+            variable: >-
+              general.network.interface_{{ suffix }}.network
+          domain_name:
+            variable: >-
+              general.network.interface_{{ suffix }}.domain_name
--- a/seed/mariadb/applicationservice.yml
+++ b/seed/mariadb/applicationservice.yml
@ -1,3 +1,4 @@
+---
 format: '0.1'
 description: MariaDB, a relational database
 website: https://mariadb.org/
--- a/seed/mariadb/dictionaries/20_mariadb.xml
+++ b/seed/mariadb/dictionaries/20_mariadb.xml
@ -1,29 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<rougail version="0.10">
-  <services>
-    <service name="mariadb" target="multi-user">
-      <override engine="ansible"/>
-      <file engine="none">/etc/my.cnf.d/risotto.cnf</file>
-      <file engine="none" source="tmpfile-mariadb.conf">/tmpfiles.d/0mariadb.conf</file>
-      <file engine="ansible" mode="600" owner="mysql" group="mysql">/etc/mariadb.sql</file>
-      <file engine="ansible" filelist="copy_tests">/tests/mariadb.yml</file>
-      <file engine="ansible" mode="700">/sbin/risotto_backup</file>
-    </service>
-  </services>
-  <variables>
-    <family name="mariadb" description="MariaDB" help="Paramétrage du serveur de gestion de bases de données MariaDB">
-      <variable name="mariadb_root_password" type="password" hidden="True"/>
-    </family>
-  </variables>
-  <constraints>
-    <fill name="get_password">
-      <param name="server_name" type="variable">domain_name_eth0</param>
-      <param name="username">root_password</param>
-      <param name="description">mariadb</param>
-      <param name="type">cleartext</param>
-      <param name="hide" type="variable">hide_secret</param>
-      <param name="length" type="number">50</param>
-      <target>mariadb_root_password</target>
-    </fill>
-  </constraints>
-</rougail>
--- a/seed/mariadb/dictionaries/20_mariadb.yml
+++ b/seed/mariadb/dictionaries/20_mariadb.yml
@ -0,0 +1,18 @@
+---
+version: 1.1
+
+mariadb:
+  description: MariaDB
+  help: Paramétrage du serveur de gestion de bases de données MariaDB
+
+  mariadb_root_password:
+    type: secret
+    hidden: true
+    default:
+      jinja: >-
+        {{ "root_password" |
+           get_password(server_name=general.network.interface_0.domain_name,
+                        description="mariadb",
+                        type="cleartext",
+                        hide=general.hide_secret, length=50)
+          }}
--- a/seed/mariadb/extras/accounts/00_accounts.xml
+++ b/seed/mariadb/extras/accounts/00_accounts.xml
@ -1,12 +0,0 @@
-<?xml version='1.0' encoding='UTF-8'?>
-<rougail version="0.10">
-  <variables>
-    <variable name="remotes" description="Create account and connexion to a MariaDB server." type="domainname" multi="True" provider="MariaDB" hidden="True"/>
-    <family name="remote_" description="Account for " dynamic="accounts.remotes" hidden="True">
-      <variable name="database_" description="MariaDB database name for " mandatory="True" provider="MariaDB:database"/>
-      <variable name="username_" description="MariaDB user name for " mandatory="True" provider="MariaDB:username"/>
-      <variable name="password_" description="MariaDB password for " type="password" mandatory="True" provider="MariaDB:password"/>
-    </family>
-  </variables>
-</rougail>
-
--- a/seed/mariadb/extras/accounts/00_accounts.yml
+++ b/seed/mariadb/extras/accounts/00_accounts.yml
@ -0,0 +1,29 @@
+---
+version: 1.1
+
+remotes:
+  description: Create account and connexion to a MariaDB server.
+  type: domainname
+  multi: true
+  mandatory: false
+  hidden: true
+  provider: MariaDB
+
+"remote_{{ suffix }}":
+  description: 'Account for {{ suffix }}'
+  dynamic:
+    variable: accounts.remotes
+  hidden: true
+
+  database:
+    description: 'MariaDB database name for {{ suffix }}'
+    provider: MariaDB:database
+
+  username:
+    description: 'MariaDB user name for {{ suffix }}'
+    provider: MariaDB:username
+
+  password:
+    description: 'MariaDB password for {{ suffix }}'
+    type: secret
+    provider: MariaDB:password
--- a/seed/nextcloud/applicationservice.yml
+++ b/seed/nextcloud/applicationservice.yml
@ -1,3 +1,4 @@
+---
 format: '0.1'
 description: Nextcloud, Online collaboration platform
 website: https://nextcloud.com/
--- a/Show more
+++ b/Show more