From 43b00863aeac93c6121fdf198a0af1b0ee3a4b8a Mon Sep 17 00:00:00 2001 
From: Emmanuel Garette Date: Tue, 1 Oct 2024 13:18:45 +0200 Subject: [PATCH] feat: upgrate to format 1.1 --- seed/apache/applicationservice.yml | 1 + seed/apache/dictionaries/20_web.xml | 25 -- seed/apache/dictionaries/20_web.yml | 23 ++ .../applicationservice.yml | 1 + .../dictionaries/00_debian-bullseye.xml | 13 -- .../dictionaries/00_debian-bullseye.yml | 7 + seed/base-debian/applicationservice.yml | 1 + .../dictionaries/11_debian-base.xml | 26 --- .../dictionaries/11_debian-base.yml | 7 + .../dictionaries/17_debian-base.xml | 17 -- .../dictionaries/17_debian-base.yml | 20 ++ seed/base-fedora-35/applicationservice.yml | 1 + .../dictionaries/11_fedora-35.xml | 8 - .../dictionaries/11_fedora-35.yml | 7 + seed/base-fedora-36/applicationservice.yml | 1 + .../dictionaries/11_fedora-version.xml | 13 -- .../dictionaries/11_fedora-version.yml | 7 + seed/base-fedora-37/applicationservice.yml | 1 + .../dictionaries/11_fedora-version.xml | 13 -- .../dictionaries/11_fedora-version.yml | 7 + seed/base-fedora-38/applicationservice.yml | 1 + .../dictionaries/11_fedora-version.xml | 13 -- .../dictionaries/11_fedora-version.yml | 7 + seed/base-fedora/applicationservice.yml | 1 + .../dictionaries/11_fedora-base.xml | 15 -- .../dictionaries/11_fedora-base.yml | 7 + .../dictionaries/17_fedora-base.xml | 17 -- .../dictionaries/17_fedora-base.yml | 20 ++ seed/base-machine/applicationservice.yml | 1 + seed/base-machine/dictionaries/12_base.xml | 60 ----- seed/base-machine/dictionaries/12_base.yml | 129 ++++++++++ seed/base-machine/extras/machine/00_base.xml | 14 -- seed/base-machine/extras/machine/00_base.yml | 14 ++ seed/base-machine/funcs/funcs.py | 12 - seed/base/applicationservice.yml | 1 + seed/base/dictionaries/00_base.xml | 17 -- seed/base/dictionaries/00_base.yml | 16 ++ seed/base/funcs/base.py | 9 - seed/dns-external/applicationservice.yml | 1 + .../dictionaries/14_dns-external.xml | 11 - .../dictionaries/14_dns-external.yml | 14 ++ seed/dns-local/applicationservice.yml | 1 + 
seed/dns-local/dictionaries/13_dns-local.xml | 24 -- seed/dns-local/dictionaries/13_dns-local.yml | 25 ++ seed/dovecot/applicationservice.yml | 6 +- seed/dovecot/dictionaries/31_dovecot.xml | 131 ----------- seed/dovecot/dictionaries/31_dovecot.yml | 142 +++++++++++ seed/forgejo/applicationservice.yml | 1 + seed/forgejo/dictionaries/31_forgejo.xml | 127 ---------- seed/forgejo/dictionaries/31_forgejo.yml | 164 +++++++++++++ seed/gitea/README.md | 139 ----------- seed/gitea/applicationservice.yml | 5 - seed/gitea/dictionaries/32_gitea.xml | 17 -- seed/gitea/templates/gitea.service | 17 -- seed/grafana/applicationservice.yml | 4 +- seed/grafana/dictionaries/31_grafana.xml | 67 ------ seed/grafana/dictionaries/31_grafana.yml | 76 ++++++ .../applicationservice.yml | 2 + .../dictionaries/21_machined.xml | 176 -------------- .../dictionaries/21_machined.yml | 221 ++++++++++++++++++ .../extras/machined/00_machined.xml | 66 ------ .../extras/machined/00_machined.yml | 119 ++++++++++ seed/host-systemd-machined/funcs/machined.py | 9 - seed/imap-client/applicationservice.yml | 1 + .../dictionaries/21_imap_client.xml | 16 -- .../dictionaries/21_imap_client.yml | 14 ++ seed/journald/applicationservice.yml | 1 + seed/journald/dictionaries/20_journald.xml | 21 -- seed/journald/dictionaries/20_journald.yml | 10 + seed/journald_remote/applicationservice.yml | 1 + .../dictionaries/21_journald.xml | 11 - .../extras/accounts/00_accounts.xml | 20 -- .../extras/accounts/00_accounts.yml | 52 +++++ seed/ldap-client/applicationservice.yml | 1 + .../dictionaries/21_ldap-client.xml | 94 -------- .../dictionaries/21_ldap-client.yml | 135 +++++++++++ seed/lemonldap/applicationservice.yml | 1 + .../dictionaries/70_lemonldap_ng.xml | 45 ---- .../dictionaries/70_lemonldap_ng.yml | 32 +++ seed/lemonldap/extras/oauth2/00_oauth2.xml | 31 --- seed/lemonldap/extras/oauth2/00_oauth2.yml | 90 +++++++ seed/loki/applicationservice.yml | 1 + seed/loki/dictionaries/20_loki.xml | 16 -- 
seed/loki/dictionaries/20_loki.yml | 11 + seed/mailman/applicationservice.yml | 4 +- seed/mailman/dictionaries/31_mailman.xml | 80 ------- seed/mailman/dictionaries/31_mailman.yml | 92 ++++++++ seed/mailman/extras/machine/20_mailman.xml | 17 -- seed/mailman/extras/machine/20_mailman.yml | 19 ++ seed/mailman/extras/mailman/20_mailman.xml | 23 -- seed/mailman/extras/mailman/20_mailman.yml | 38 +++ seed/mariadb-client/applicationservice.yml | 1 + .../dictionaries/20_mariadb.xml | 45 ---- .../dictionaries/20_mariadb.yml | 63 +++++ seed/mariadb/applicationservice.yml | 1 + seed/mariadb/dictionaries/20_mariadb.xml | 29 --- seed/mariadb/dictionaries/20_mariadb.yml | 18 ++ seed/mariadb/extras/accounts/00_accounts.xml | 12 - seed/mariadb/extras/accounts/00_accounts.yml | 29 +++ seed/nextcloud/applicationservice.yml | 1 + seed/nextcloud/dictionaries/31_nextcloud.xml | 67 ------ seed/nextcloud/dictionaries/31_nextcloud.yml | 71 ++++++ seed/nginx-common/applicationservice.yml | 1 + seed/nginx-common/dictionaries/21_nginx.xml | 75 ------ seed/nginx-common/dictionaries/21_nginx.yml | 72 ++++++ seed/nginx-https/applicationservice.yml | 1 + seed/nginx-https/dictionaries/25_nginx.xml | 26 --- seed/nginx-https/dictionaries/25_nginx.yml | 33 +++ .../applicationservice.yml | 3 +- .../dictionaries/25_nginx.xml | 37 --- .../dictionaries/25_nginx.yml | 41 ++++ .../extras/machine/20_reverse_proxy.xml | 20 -- .../extras/machine/20_reverse_proxy.yml | 23 ++ .../extras/nginx/00_nginx.xml | 27 --- .../extras/nginx/00_nginx.yml | 78 +++++++ seed/nginx-static/applicationservice.yml | 1 + .../dictionaries/22_nginx_static.xml | 25 -- .../dictionaries/22_nginx_static.yml | 17 ++ seed/nsd-local/applicationservice.yml | 1 + seed/nsd-local/dictionaries/21_nsd-local.xml | 48 ---- seed/nsd-local/dictionaries/21_nsd-local.yml | 89 +++++++ seed/nsd-local/extras/nsd/01_nsd-local.xml | 25 -- seed/nsd-local/extras/nsd/01_nsd-local.yml | 34 +++ seed/nsd/applicationservice.yml | 1 + 
seed/nsd/dictionaries/20_nsd.xml | 104 --------- seed/nsd/dictionaries/20_nsd.yml | 165 +++++++++++++ seed/nsd/extras/machine/20_nsd.xml | 20 -- seed/nsd/extras/machine/20_nsd.yml | 23 ++ seed/nsd/extras/nsd/00_nsd.xml | 33 --- seed/nsd/extras/nsd/00_nsd.yml | 50 ++++ seed/nsd/funcs/funcs.py | 6 +- seed/oauth2-client/applicationservice.yml | 1 + .../dictionaries/30_oauth2_client.xml | 63 ----- .../dictionaries/30_oauth2_client.yml | 108 +++++++++ seed/odoo/applicationservice.yml | 1 + seed/odoo/dictionaries/40_odoo.xml | 98 -------- seed/odoo/dictionaries/40_odoo.yml | 160 +++++++++++++ seed/openldap/applicationservice.yml | 3 +- .../dictionaries/21_openldap-server.xml | 128 ---------- .../dictionaries/21_openldap-server.yml | 141 +++++++++++ seed/openldap/extras/accounts/00_account.xml | 51 ---- seed/openldap/extras/accounts/00_account.yml | 157 +++++++++++++ seed/openldap/extras/machine/20_openldap.xml | 17 -- seed/openldap/extras/machine/20_openldap.yml | 19 ++ seed/openldap/funcs/ldap.py | 9 - seed/peertube/applicationservice.yml | 1 + seed/peertube/dictionaries/30_peertube.xml | 80 ------- seed/peertube/dictionaries/30_peertube.yml | 96 ++++++++ seed/php-fpm/applicationservice.yml | 1 + seed/php-fpm/dictionaries/20_phpfpm.xml | 18 -- seed/php-fpm/dictionaries/20_phpfpm.yml | 9 + seed/php/applicationservice.yml | 1 + seed/php/dictionaries/20_php.xml | 36 --- seed/php/dictionaries/20_php.yml | 49 ++++ seed/piwigo/applicationservice.yml | 1 + seed/piwigo/dictionaries/31_piwigo.xml | 58 ----- seed/piwigo/dictionaries/31_piwigo.yml | 76 ++++++ seed/piwigo/funcs/piwigo.py | 6 - seed/pki-tls/applicationservice.yml | 1 + seed/pki-tls/dictionaries/20_tls.xml | 10 - .../postfix-lmtp-relay/applicationservice.yml | 1 + .../extras/lmtp/00_lmtp.xml | 15 -- seed/postfix-relay/applicationservice.yml | 6 +- .../postfix-relay/dictionaries/30_postfix.xml | 87 ------- .../postfix-relay/dictionaries/30_postfix.yml | 98 ++++++++ seed/postgresql-client/applicationservice.yml | 1 + 
.../dictionaries/23_postgresql.xml | 49 ---- .../dictionaries/23_postgresql.yml | 43 ++++ seed/postgresql/applicationservice.yml | 1 + .../postgresql/dictionaries/22_postgresql.xml | 83 ------- .../postgresql/dictionaries/22_postgresql.yml | 110 +++++++++ .../extras/accounts/00_accounts.xml | 19 -- .../extras/accounts/00_accounts.yml | 41 ++++ seed/prometheus/applicationservice.yml | 1 + .../prometheus/dictionaries/20_prometheus.xml | 25 -- .../prometheus/dictionaries/20_prometheus.yml | 25 ++ .../applicationservice.yml | 2 + .../dictionaries/10_machined.xml | 7 - .../dictionaries/10_machined.yml | 9 + .../dictionaries/16_machined.xml | 81 ------- .../dictionaries/16_machined.yml | 104 +++++++++ .../extras/machine/11_systemd.xml | 19 -- .../extras/machine/11_systemd.yml | 30 +++ seed/redis-client/applicationservice.yml | 1 + seed/redis-client/dictionaries/23_redis.xml | 33 --- seed/redis-client/dictionaries/23_redis.yml | 43 ++++ seed/redis-common/applicationservice.yml | 1 + .../dictionaries/90_redis-common.xml | 8 - seed/redis/applicationservice.yml | 1 + seed/redis/dictionaries/90_redis.xml | 46 ---- seed/redis/dictionaries/90_redis.yml | 43 ++++ seed/redis/extras/accounts/00_accounts.xml | 27 --- seed/redis/extras/accounts/00_accounts.yml | 51 ++++ seed/redis/funcs/redis.py | 8 - seed/relay-lmtp-client/applicationservice.yml | 4 +- .../dictionaries/30_lmtp.xml | 12 - .../dictionaries/30_lmtp.yml | 9 + seed/relay-mail-client/applicationservice.yml | 1 + .../dictionaries/20_smtp_client.xml | 45 ---- .../dictionaries/20_smtp_client.yml | 62 +++++ seed/resolved/applicationservice.yml | 1 + seed/resolved/dictionaries/20_resolved.xml | 15 -- seed/resolved/dictionaries/20_resolved.yml | 11 + .../applicationservice.yml | 2 +- .../dictionaries/21_revprox_client.xml | 53 ----- .../dictionaries/21_revprox_client.yml | 99 ++++++++ .../funcs/revprox_client.py | 18 -- seed/roundcube/applicationservice.yml | 1 + seed/roundcube/dictionaries/31_roundcube.xml | 98 -------- 
seed/roundcube/dictionaries/31_roundcube.yml | 128 ++++++++++ .../roundcube/extras/machine/20_roundcube.xml | 20 -- .../roundcube/extras/machine/20_roundcube.yml | 23 ++ seed/roundcube/funcs/roundcube.py | 9 - seed/speedtest-rs/applicationservice.yml | 1 + .../dictionaries/40_speedtest-rs.xml | 18 -- .../dictionaries/40_speedtest-rs.yml | 8 + .../extras/machine/20_speedtest-rs.xml | 20 -- .../extras/machine/20_speedtest-rs.yml | 23 ++ seed/systemd/applicationservice.yml | 1 + seed/systemd/dictionaries/15_systemd.xml | 130 ----------- seed/systemd/dictionaries/15_systemd.yml | 125 ++++++++++ seed/systemd/extras/machine/10_systemd.xml | 47 ---- seed/systemd/extras/machine/10_systemd.yml | 57 +++++ seed/tls/applicationservice.yml | 3 +- seed/tls/dictionaries/26_tls.xml | 57 ----- seed/tls/dictionaries/26_tls.yml | 58 +++++ seed/tls/extras/machine/20_tls.xml | 23 -- seed/tls/extras/machine/20_tls.yml | 29 +++ seed/unbound/applicationservice.yml | 1 + seed/unbound/dictionaries/20_unbound.xml | 47 ---- seed/unbound/dictionaries/20_unbound.yml | 62 +++++ seed/unbound/extras/machine/20_unbound.xml | 17 -- seed/unbound/extras/machine/20_unbound.yml | 19 ++ seed/unbound/funcs/funcs.py | 12 - seed/vaultwarden/applicationservice.yml | 1 + .../dictionaries/40_vaultwarden.xml | 72 ------ .../dictionaries/40_vaultwarden.yml | 93 ++++++++ seed/vaultwarden/funcs/vaultwarden.py | 6 - seed/vector/applicationservice.yml | 4 +- seed/vector/dictionaries/20_vector.xml | 21 -- seed/vector/dictionaries/20_vector.yml | 31 +++ seed/znc/applicationservice.yml | 5 +- seed/znc/dictionaries/40_znc.xml | 46 ---- seed/znc/dictionaries/40_znc.yml | 81 +++++++ seed/znc/extras/machine/20_unbound.xml | 17 -- seed/znc/extras/machine/20_unbound.yml | 19 ++ 246 files changed, 4768 insertions(+), 3926 deletions(-) delete mode 100644 seed/apache/dictionaries/20_web.xml create mode 100644 seed/apache/dictionaries/20_web.yml delete mode 100644 seed/base-debian-bullseye/dictionaries/00_debian-bullseye.xml 
create mode 100644 seed/base-debian-bullseye/dictionaries/00_debian-bullseye.yml delete mode 100644 seed/base-debian/dictionaries/11_debian-base.xml create mode 100644 seed/base-debian/dictionaries/11_debian-base.yml delete mode 100644 seed/base-debian/dictionaries/17_debian-base.xml create mode 100644 seed/base-debian/dictionaries/17_debian-base.yml delete mode 100644 seed/base-fedora-35/dictionaries/11_fedora-35.xml create mode 100644 seed/base-fedora-35/dictionaries/11_fedora-35.yml delete mode 100644 seed/base-fedora-36/dictionaries/11_fedora-version.xml create mode 100644 seed/base-fedora-36/dictionaries/11_fedora-version.yml delete mode 100644 seed/base-fedora-37/dictionaries/11_fedora-version.xml create mode 100644 seed/base-fedora-37/dictionaries/11_fedora-version.yml delete mode 100644 seed/base-fedora-38/dictionaries/11_fedora-version.xml create mode 100644 seed/base-fedora-38/dictionaries/11_fedora-version.yml delete mode 100644 seed/base-fedora/dictionaries/11_fedora-base.xml create mode 100644 seed/base-fedora/dictionaries/11_fedora-base.yml delete mode 100644 seed/base-fedora/dictionaries/17_fedora-base.xml create mode 100644 seed/base-fedora/dictionaries/17_fedora-base.yml delete mode 100644 seed/base-machine/dictionaries/12_base.xml create mode 100644 seed/base-machine/dictionaries/12_base.yml delete mode 100644 seed/base-machine/extras/machine/00_base.xml create mode 100644 seed/base-machine/extras/machine/00_base.yml delete mode 100644 seed/base/dictionaries/00_base.xml create mode 100644 seed/base/dictionaries/00_base.yml delete mode 100644 seed/dns-external/dictionaries/14_dns-external.xml create mode 100644 seed/dns-external/dictionaries/14_dns-external.yml delete mode 100644 seed/dns-local/dictionaries/13_dns-local.xml create mode 100644 seed/dns-local/dictionaries/13_dns-local.yml delete mode 100644 seed/dovecot/dictionaries/31_dovecot.xml create mode 100644 seed/dovecot/dictionaries/31_dovecot.yml delete mode 100644 
seed/forgejo/dictionaries/31_forgejo.xml create mode 100644 seed/forgejo/dictionaries/31_forgejo.yml delete mode 100644 seed/gitea/README.md delete mode 100644 seed/gitea/applicationservice.yml delete mode 100644 seed/gitea/dictionaries/32_gitea.xml delete mode 100644 seed/gitea/templates/gitea.service delete mode 100644 seed/grafana/dictionaries/31_grafana.xml create mode 100644 seed/grafana/dictionaries/31_grafana.yml delete mode 100644 seed/host-systemd-machined/dictionaries/21_machined.xml create mode 100644 seed/host-systemd-machined/dictionaries/21_machined.yml delete mode 100644 seed/host-systemd-machined/extras/machined/00_machined.xml create mode 100644 seed/host-systemd-machined/extras/machined/00_machined.yml delete mode 100644 seed/imap-client/dictionaries/21_imap_client.xml create mode 100644 seed/imap-client/dictionaries/21_imap_client.yml delete mode 100644 seed/journald/dictionaries/20_journald.xml create mode 100644 seed/journald/dictionaries/20_journald.yml delete mode 100644 seed/journald_remote/dictionaries/21_journald.xml delete mode 100644 seed/journald_remote/extras/accounts/00_accounts.xml create mode 100644 seed/journald_remote/extras/accounts/00_accounts.yml delete mode 100644 seed/ldap-client/dictionaries/21_ldap-client.xml create mode 100644 seed/ldap-client/dictionaries/21_ldap-client.yml delete mode 100644 seed/lemonldap/dictionaries/70_lemonldap_ng.xml create mode 100644 seed/lemonldap/dictionaries/70_lemonldap_ng.yml delete mode 100644 seed/lemonldap/extras/oauth2/00_oauth2.xml create mode 100644 seed/lemonldap/extras/oauth2/00_oauth2.yml delete mode 100644 seed/loki/dictionaries/20_loki.xml create mode 100644 seed/loki/dictionaries/20_loki.yml delete mode 100644 seed/mailman/dictionaries/31_mailman.xml create mode 100644 seed/mailman/dictionaries/31_mailman.yml delete mode 100644 seed/mailman/extras/machine/20_mailman.xml create mode 100644 seed/mailman/extras/machine/20_mailman.yml delete mode 100644 
seed/mailman/extras/mailman/20_mailman.xml create mode 100644 seed/mailman/extras/mailman/20_mailman.yml delete mode 100644 seed/mariadb-client/dictionaries/20_mariadb.xml create mode 100644 seed/mariadb-client/dictionaries/20_mariadb.yml delete mode 100644 seed/mariadb/dictionaries/20_mariadb.xml create mode 100644 seed/mariadb/dictionaries/20_mariadb.yml delete mode 100644 seed/mariadb/extras/accounts/00_accounts.xml create mode 100644 seed/mariadb/extras/accounts/00_accounts.yml delete mode 100644 seed/nextcloud/dictionaries/31_nextcloud.xml create mode 100644 seed/nextcloud/dictionaries/31_nextcloud.yml delete mode 100644 seed/nginx-common/dictionaries/21_nginx.xml create mode 100644 seed/nginx-common/dictionaries/21_nginx.yml delete mode 100644 seed/nginx-https/dictionaries/25_nginx.xml create mode 100644 seed/nginx-https/dictionaries/25_nginx.yml delete mode 100644 seed/nginx-reverse-proxy/dictionaries/25_nginx.xml create mode 100644 seed/nginx-reverse-proxy/dictionaries/25_nginx.yml delete mode 100644 seed/nginx-reverse-proxy/extras/machine/20_reverse_proxy.xml create mode 100644 seed/nginx-reverse-proxy/extras/machine/20_reverse_proxy.yml delete mode 100644 seed/nginx-reverse-proxy/extras/nginx/00_nginx.xml create mode 100644 seed/nginx-reverse-proxy/extras/nginx/00_nginx.yml delete mode 100644 seed/nginx-static/dictionaries/22_nginx_static.xml create mode 100644 seed/nginx-static/dictionaries/22_nginx_static.yml delete mode 100644 seed/nsd-local/dictionaries/21_nsd-local.xml create mode 100644 seed/nsd-local/dictionaries/21_nsd-local.yml delete mode 100644 seed/nsd-local/extras/nsd/01_nsd-local.xml create mode 100644 seed/nsd-local/extras/nsd/01_nsd-local.yml delete mode 100644 seed/nsd/dictionaries/20_nsd.xml create mode 100644 seed/nsd/dictionaries/20_nsd.yml delete mode 100644 seed/nsd/extras/machine/20_nsd.xml create mode 100644 seed/nsd/extras/machine/20_nsd.yml delete mode 100644 seed/nsd/extras/nsd/00_nsd.xml create mode 100644 
seed/nsd/extras/nsd/00_nsd.yml delete mode 100644 seed/oauth2-client/dictionaries/30_oauth2_client.xml create mode 100644 seed/oauth2-client/dictionaries/30_oauth2_client.yml delete mode 100644 seed/odoo/dictionaries/40_odoo.xml create mode 100644 seed/odoo/dictionaries/40_odoo.yml delete mode 100644 seed/openldap/dictionaries/21_openldap-server.xml create mode 100644 seed/openldap/dictionaries/21_openldap-server.yml delete mode 100644 seed/openldap/extras/accounts/00_account.xml create mode 100644 seed/openldap/extras/accounts/00_account.yml delete mode 100644 seed/openldap/extras/machine/20_openldap.xml create mode 100644 seed/openldap/extras/machine/20_openldap.yml delete mode 100644 seed/peertube/dictionaries/30_peertube.xml create mode 100644 seed/peertube/dictionaries/30_peertube.yml delete mode 100644 seed/php-fpm/dictionaries/20_phpfpm.xml create mode 100644 seed/php-fpm/dictionaries/20_phpfpm.yml delete mode 100644 seed/php/dictionaries/20_php.xml create mode 100644 seed/php/dictionaries/20_php.yml delete mode 100644 seed/piwigo/dictionaries/31_piwigo.xml create mode 100644 seed/piwigo/dictionaries/31_piwigo.yml delete mode 100644 seed/piwigo/funcs/piwigo.py delete mode 100644 seed/pki-tls/dictionaries/20_tls.xml delete mode 100644 seed/postfix-lmtp-relay/extras/lmtp/00_lmtp.xml delete mode 100644 seed/postfix-relay/dictionaries/30_postfix.xml create mode 100644 seed/postfix-relay/dictionaries/30_postfix.yml delete mode 100644 seed/postgresql-client/dictionaries/23_postgresql.xml create mode 100644 seed/postgresql-client/dictionaries/23_postgresql.yml delete mode 100644 seed/postgresql/dictionaries/22_postgresql.xml create mode 100644 seed/postgresql/dictionaries/22_postgresql.yml delete mode 100644 seed/postgresql/extras/accounts/00_accounts.xml create mode 100644 seed/postgresql/extras/accounts/00_accounts.yml delete mode 100644 seed/prometheus/dictionaries/20_prometheus.xml create mode 100644 seed/prometheus/dictionaries/20_prometheus.yml delete mode 
100644 seed/provider-systemd-machined/dictionaries/10_machined.xml create mode 100644 seed/provider-systemd-machined/dictionaries/10_machined.yml delete mode 100644 seed/provider-systemd-machined/dictionaries/16_machined.xml create mode 100644 seed/provider-systemd-machined/dictionaries/16_machined.yml delete mode 100644 seed/provider-systemd-machined/extras/machine/11_systemd.xml create mode 100644 seed/provider-systemd-machined/extras/machine/11_systemd.yml delete mode 100644 seed/redis-client/dictionaries/23_redis.xml create mode 100644 seed/redis-client/dictionaries/23_redis.yml delete mode 100644 seed/redis-common/dictionaries/90_redis-common.xml delete mode 100644 seed/redis/dictionaries/90_redis.xml create mode 100644 seed/redis/dictionaries/90_redis.yml delete mode 100644 seed/redis/extras/accounts/00_accounts.xml create mode 100644 seed/redis/extras/accounts/00_accounts.yml delete mode 100644 seed/redis/funcs/redis.py delete mode 100644 seed/relay-lmtp-client/dictionaries/30_lmtp.xml create mode 100644 seed/relay-lmtp-client/dictionaries/30_lmtp.yml delete mode 100644 seed/relay-mail-client/dictionaries/20_smtp_client.xml create mode 100644 seed/relay-mail-client/dictionaries/20_smtp_client.yml delete mode 100644 seed/resolved/dictionaries/20_resolved.xml create mode 100644 seed/resolved/dictionaries/20_resolved.yml delete mode 100644 seed/reverse-proxy-client/dictionaries/21_revprox_client.xml create mode 100644 seed/reverse-proxy-client/dictionaries/21_revprox_client.yml delete mode 100644 seed/reverse-proxy-client/funcs/revprox_client.py delete mode 100644 seed/roundcube/dictionaries/31_roundcube.xml create mode 100644 seed/roundcube/dictionaries/31_roundcube.yml delete mode 100644 seed/roundcube/extras/machine/20_roundcube.xml create mode 100644 seed/roundcube/extras/machine/20_roundcube.yml delete mode 100644 seed/roundcube/funcs/roundcube.py delete mode 100644 seed/speedtest-rs/dictionaries/40_speedtest-rs.xml create mode 100644 
seed/speedtest-rs/dictionaries/40_speedtest-rs.yml delete mode 100644 seed/speedtest-rs/extras/machine/20_speedtest-rs.xml create mode 100644 seed/speedtest-rs/extras/machine/20_speedtest-rs.yml delete mode 100644 seed/systemd/dictionaries/15_systemd.xml create mode 100644 seed/systemd/dictionaries/15_systemd.yml delete mode 100644 seed/systemd/extras/machine/10_systemd.xml create mode 100644 seed/systemd/extras/machine/10_systemd.yml delete mode 100644 seed/tls/dictionaries/26_tls.xml create mode 100644 seed/tls/dictionaries/26_tls.yml delete mode 100644 seed/tls/extras/machine/20_tls.xml create mode 100644 seed/tls/extras/machine/20_tls.yml delete mode 100644 seed/unbound/dictionaries/20_unbound.xml create mode 100644 seed/unbound/dictionaries/20_unbound.yml delete mode 100644 seed/unbound/extras/machine/20_unbound.xml create mode 100644 seed/unbound/extras/machine/20_unbound.yml delete mode 100644 seed/vaultwarden/dictionaries/40_vaultwarden.xml create mode 100644 seed/vaultwarden/dictionaries/40_vaultwarden.yml delete mode 100644 seed/vector/dictionaries/20_vector.xml create mode 100644 seed/vector/dictionaries/20_vector.yml delete mode 100644 seed/znc/dictionaries/40_znc.xml create mode 100644 seed/znc/dictionaries/40_znc.yml delete mode 100644 seed/znc/extras/machine/20_unbound.xml create mode 100644 seed/znc/extras/machine/20_unbound.yml diff --git a/seed/apache/applicationservice.yml b/seed/apache/applicationservice.yml index 6ba1732c..57b34308 100644 --- a/seed/apache/applicationservice.yml +++ b/seed/apache/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: Apache as web server website: https://httpd.apache.org/ diff --git a/seed/apache/dictionaries/20_web.xml b/seed/apache/dictionaries/20_web.xml deleted file mode 100644 index c885b4c4..00000000 --- a/seed/apache/dictionaries/20_web.xml +++ /dev/null 
@@ -1,25 +0,0 @@ - - - - - /etc/httpd/conf/httpd.conf - /etc/httpd/conf.d/risotto.conf - /etc/httpd/conf.d/ssl.conf - /sysusers.d/httpd.conf - /tmpfiles.d/0httpd.conf - - - - - - apache - - - - - 300 - - - - - diff --git a/seed/apache/dictionaries/20_web.yml b/seed/apache/dictionaries/20_web.yml new file mode 100644 index 00000000..f09d3162 --- /dev/null +++ b/seed/apache/dictionaries/20_web.yml @@ -0,0 +1,23 @@ +--- +version: 1.1 + +nginx: + + php_fpm_user: + redefine: true + exists: true + default: apache + +apache: + description: Apache + help: Advance Apache web server settings + mode: advanced + + apache_timeout: + description: >- + Amount of time the server will wait for certain events before failing a + request + help: Time in seconds + default: 300 + + apache_keepalive: true # Enables HTTP persistent connections diff --git a/seed/base-debian-bullseye/applicationservice.yml b/seed/base-debian-bullseye/applicationservice.yml index 04522d68..3fa1351f 100644 --- a/seed/base-debian-bullseye/applicationservice.yml +++ b/seed/base-debian-bullseye/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: Base information of a Debian Bulleye server website: https://www.debian.org/ diff --git a/seed/base-debian-bullseye/dictionaries/00_debian-bullseye.xml b/seed/base-debian-bullseye/dictionaries/00_debian-bullseye.xml deleted file mode 100644 index db8615ff..00000000 --- a/seed/base-debian-bullseye/dictionaries/00_debian-bullseye.xml +++ /dev/null @@ -1,13 +0,0 @@ - - - - - /etc/dnssec-trust-anchors.d/local.negative - - - - - - diff --git a/seed/base-debian-bullseye/dictionaries/00_debian-bullseye.yml b/seed/base-debian-bullseye/dictionaries/00_debian-bullseye.yml new file mode 100644 index 00000000..091e3cdd --- /dev/null +++ b/seed/base-debian-bullseye/dictionaries/00_debian-bullseye.yml @@ -0,0 +1,7 @@ +--- +version: 1.1 + +os_version: + description: Version de l'OS + hidden: true + default: bullseye 
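Review bot: The new 20_web.yml no longer declares the template files the deleted 20_web.xml listed (`/etc/httpd/conf/httpd.conf`, `/etc/httpd/conf.d/risotto.conf`, `/etc/httpd/conf.d/ssl.conf`, `/sysusers.d/httpd.conf`, `/tmpfiles.d/0httpd.conf`), and the matching applicationservice.yml hunk only adds `---`, so unless format 1.1 picks templates up from somewhere outside this patch the ssl.conf and sysusers.d templates would silently stop being rendered and the service would run with the distribution's default TLS and service-user settings. The same file lists disappear in 00_debian-bullseye.yml (`/etc/dnssec-trust-anchors.d/local.negative`), 11_debian-base.yml (`/tmpfiles.d/0tmp.conf`, `/etc/default/locale`, `/sysusers.d/debian.conf`), base-fedora-36's 11_fedora-version.yml (`/etc/pam.d/login`), 11_fedora-base.yml (`/tmpfiles.d/fedora.conf`) and 12_base.yml (`/etc/locale.conf`). If the declarations did move, a one-line comment at the top of each dictionary naming where (`# templates are declared in <path-to-declaration>`) would save the next reader the same search. Separately, the trailing `# Enables HTTP persistent connections` on `apache_keepalive: true` is invisible to anyone reading the variable in the UI; `apache_keepalive:` / `  description: Enable HTTP persistent connections` / `  default: true` keeps it with the variable. `help: Advance Apache web server settings` should read `Advanced Apache web server settings`.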
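Review bot: `description: Version de l'OS` is French while the apache dictionary converted in the same patch (`description: Apache`, `help: Advance Apache web server settings`) is English, so the generated interface will mix languages; one language for the whole seed tree would be cleaner. The same applies to 11_debian-base.yml, 17_debian-base.yml, the four fedora version dictionaries, 11_fedora-base.yml, 17_fedora-base.yml and 12_base.yml. While touching them, `Répertoire des clefs privés` in 17_debian-base.yml and `Nom du répertoire des clefs privés` in 17_fedora-base.yml should read `clefs privées`.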
diff --git a/seed/base-debian/applicationservice.yml b/seed/base-debian/applicationservice.yml index b0c3a56c..10a20370 100644 --- a/seed/base-debian/applicationservice.yml +++ b/seed/base-debian/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: Base information of a Debian server website: https://www.debian.org/ diff --git a/seed/base-debian/dictionaries/11_debian-base.xml b/seed/base-debian/dictionaries/11_debian-base.xml deleted file mode 100644 index d664df6b..00000000 --- a/seed/base-debian/dictionaries/11_debian-base.xml +++ /dev/null @@ -1,26 +0,0 @@ - - - - - - - - - /tmpfiles.d/0tmp.conf - /etc/default/locale - /sysusers.d/debian.conf - - - - - - - - - - - - - diff --git a/seed/base-debian/dictionaries/11_debian-base.yml b/seed/base-debian/dictionaries/11_debian-base.yml new file mode 100644 index 00000000..c281fc20 --- /dev/null +++ b/seed/base-debian/dictionaries/11_debian-base.yml @@ -0,0 +1,7 @@ +--- +version: 1.1 + +os_name: + description: Nom de l'OS + hidden: true + default: Debian diff --git a/seed/base-debian/dictionaries/17_debian-base.xml b/seed/base-debian/dictionaries/17_debian-base.xml deleted file mode 100644 index b1754b8f..00000000 --- a/seed/base-debian/dictionaries/17_debian-base.xml +++ /dev/null @@ -1,17 +0,0 @@ - - - - - - - - - - - diff --git a/seed/base-debian/dictionaries/17_debian-base.yml b/seed/base-debian/dictionaries/17_debian-base.yml new file mode 100644 index 00000000..3b780fee --- /dev/null +++ b/seed/base-debian/dictionaries/17_debian-base.yml @@ -0,0 +1,20 @@ +--- +version: 1.1 + +tls_ca_directory: + type: unix_filename + description: Répertoire des autorités de certification + hidden: true + default: /etc/ssl-localca + +tls_cert_directory: + type: unix_filename + description: Répertoire des certificats + hidden: true + default: /etc/ssl/certs + +tls_key_directory: + type: unix_filename + description: Répertoire des clefs privés + hidden: true + default: /etc/ssl/private 
diff --git a/seed/base-fedora-35/applicationservice.yml b/seed/base-fedora-35/applicationservice.yml index f77d4354..73638d18 100644 --- a/seed/base-fedora-35/applicationservice.yml +++ b/seed/base-fedora-35/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: Base information of a Fedora 35 website: https://getfedora.org/ diff --git a/seed/base-fedora-35/dictionaries/11_fedora-35.xml b/seed/base-fedora-35/dictionaries/11_fedora-35.xml deleted file mode 100644 index ef17a8e5..00000000 --- a/seed/base-fedora-35/dictionaries/11_fedora-35.xml +++ /dev/null @@ -1,8 +0,0 @@ - - - - - - diff --git a/seed/base-fedora-35/dictionaries/11_fedora-35.yml b/seed/base-fedora-35/dictionaries/11_fedora-35.yml new file mode 100644 index 00000000..f32c16a1 --- /dev/null +++ b/seed/base-fedora-35/dictionaries/11_fedora-35.yml @@ -0,0 +1,7 @@ +--- +version: 1.1 + +os_version: + description: Version de l'OS + hidden: true + default: '35' diff --git a/seed/base-fedora-36/applicationservice.yml b/seed/base-fedora-36/applicationservice.yml index 1f67b779..12e4c782 100644 --- a/seed/base-fedora-36/applicationservice.yml +++ b/seed/base-fedora-36/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: Base information of a Fedora 36 website: https://getfedora.org/ diff --git a/seed/base-fedora-36/dictionaries/11_fedora-version.xml b/seed/base-fedora-36/dictionaries/11_fedora-version.xml deleted file mode 100644 index 24ace668..00000000 --- a/seed/base-fedora-36/dictionaries/11_fedora-version.xml +++ /dev/null @@ -1,13 +0,0 @@ - - - - - /etc/pam.d/login - - - - - - diff --git a/seed/base-fedora-36/dictionaries/11_fedora-version.yml b/seed/base-fedora-36/dictionaries/11_fedora-version.yml new file mode 100644 index 00000000..d5978817 --- /dev/null +++ b/seed/base-fedora-36/dictionaries/11_fedora-version.yml @@ -0,0 +1,7 @@ +--- +version: 1.1 + +os_version: + description: Version de l'OS + hidden: true + default: '36' 
diff --git a/seed/base-fedora-37/applicationservice.yml b/seed/base-fedora-37/applicationservice.yml index 27803c3d..d56e5cc0 100644 --- a/seed/base-fedora-37/applicationservice.yml +++ b/seed/base-fedora-37/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: Base information of a Fedora 37 website: https://getfedora.org/ diff --git a/seed/base-fedora-37/dictionaries/11_fedora-version.xml b/seed/base-fedora-37/dictionaries/11_fedora-version.xml deleted file mode 100644 index 8449d3e0..00000000 --- a/seed/base-fedora-37/dictionaries/11_fedora-version.xml +++ /dev/null @@ -1,13 +0,0 @@ - - - - - - - diff --git a/seed/base-fedora-37/dictionaries/11_fedora-version.yml b/seed/base-fedora-37/dictionaries/11_fedora-version.yml new file mode 100644 index 00000000..a962f8d0 --- /dev/null +++ b/seed/base-fedora-37/dictionaries/11_fedora-version.yml @@ -0,0 +1,7 @@ +--- +version: 1.1 + +os_version: + description: Version de l'OS + hidden: true + default: '37' diff --git a/seed/base-fedora-38/applicationservice.yml b/seed/base-fedora-38/applicationservice.yml index 83bdbc3e..fe915e58 100644 --- a/seed/base-fedora-38/applicationservice.yml +++ b/seed/base-fedora-38/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: Base information of a Fedora 38 website: https://getfedora.org/ diff --git a/seed/base-fedora-38/dictionaries/11_fedora-version.xml b/seed/base-fedora-38/dictionaries/11_fedora-version.xml deleted file mode 100644 index 9ba13460..00000000 --- a/seed/base-fedora-38/dictionaries/11_fedora-version.xml +++ /dev/null @@ -1,13 +0,0 @@ - - - - - - - diff --git a/seed/base-fedora-38/dictionaries/11_fedora-version.yml b/seed/base-fedora-38/dictionaries/11_fedora-version.yml new file mode 100644 index 00000000..43c10257 --- /dev/null +++ b/seed/base-fedora-38/dictionaries/11_fedora-version.yml @@ -0,0 +1,7 @@ +--- +version: 1.1 + +os_version: + description: Version de l'OS + hidden: true + default: '38' 
diff --git a/seed/base-fedora/applicationservice.yml b/seed/base-fedora/applicationservice.yml index 712b7590..f19f6123 100644 --- a/seed/base-fedora/applicationservice.yml +++ b/seed/base-fedora/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: Base information of a Fedora website: https://getfedora.org/ diff --git a/seed/base-fedora/dictionaries/11_fedora-base.xml b/seed/base-fedora/dictionaries/11_fedora-base.xml deleted file mode 100644 index 011eb792..00000000 --- a/seed/base-fedora/dictionaries/11_fedora-base.xml +++ /dev/null @@ -1,15 +0,0 @@ - - - - - /tmpfiles.d/fedora.conf - - - - - - - - diff --git a/seed/base-fedora/dictionaries/11_fedora-base.yml b/seed/base-fedora/dictionaries/11_fedora-base.yml new file mode 100644 index 00000000..39b28d4d --- /dev/null +++ b/seed/base-fedora/dictionaries/11_fedora-base.yml @@ -0,0 +1,7 @@ +--- +version: 1.1 + +os_name: + description: Nom de l'OS + hidden: true + default: Fedora diff --git a/seed/base-fedora/dictionaries/17_fedora-base.xml b/seed/base-fedora/dictionaries/17_fedora-base.xml deleted file mode 100644 index f2df6f92..00000000 --- a/seed/base-fedora/dictionaries/17_fedora-base.xml +++ /dev/null @@ -1,17 +0,0 @@ - - - - - - - - - - - diff --git a/seed/base-fedora/dictionaries/17_fedora-base.yml b/seed/base-fedora/dictionaries/17_fedora-base.yml new file mode 100644 index 00000000..8e98ae4e --- /dev/null +++ b/seed/base-fedora/dictionaries/17_fedora-base.yml @@ -0,0 +1,20 @@ +--- +version: 1.1 + +tls_ca_directory: + type: unix_filename + description: Nom du répertoire des autorités de certification + hidden: true + default: /etc/pki/ca-trust/source/anchors + +tls_cert_directory: + type: unix_filename + description: Nom du répertoire des certificats + hidden: true + default: /etc/pki/tls/certs + +tls_key_directory: + type: unix_filename + description: Nom du répertoire des clefs privés + hidden: true + default: /etc/pki/tls/private 
diff --git a/seed/base-machine/applicationservice.yml b/seed/base-machine/applicationservice.yml index 7f5c7ade..bfe8c7c3 100644 --- a/seed/base-machine/applicationservice.yml +++ b/seed/base-machine/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: Base information for a machine depends: diff --git a/seed/base-machine/dictionaries/12_base.xml b/seed/base-machine/dictionaries/12_base.xml deleted file mode 100644 index 065bf5b0..00000000 --- a/seed/base-machine/dictionaries/12_base.xml +++ /dev/null @@ -1,60 +0,0 @@ - - - - - /etc/locale.conf - - - - - - - - - - zones - domain_name_eth - ip_eth - - - zones_list - - zone_name_eth - - - zones - network - zone_name_eth - network_eth - - - zones - host_ip - zone_name_eth - - gateway_eth - - - domain_name_eth - last_server_name - - - - diff --git a/seed/base-machine/dictionaries/12_base.yml b/seed/base-machine/dictionaries/12_base.yml new file mode 100644 index 00000000..311af87b --- /dev/null +++ b/seed/base-machine/dictionaries/12_base.yml 
@@ -0,0 +1,129 @@ +--- +version: 1.1 + +hide_secret: + description: Les secrets sont obscurcis + mode: advanced + help: >- + Obscurcir les secrets peut permettre de générer des configurations + diffusable sans problème de confidentialité ou pour comparer deux + configurations générés à des moments différents + hidden: true + default: false + +base: + + time_zone: + provider: Host:time_zone + hidden: true + mandatory: false + +module_name: + hidden: true + provider: global:module_name + +network: + + server_name: + description: Nom de domaine du serveur + type: domainname + hidden: true + provider: global:server_name + + last_server_name: + type: domainname + hidden: true + default: + jinja: >- + {%- if domain_name -%} + {{ domain_name[-1] }} + {%- endif -%} + params: + domain_name: + variable: >- + _.interface_{{ suffix }}.domain_name + + zones_list: + multi: true + description: Liste de toutes les zones + hidden: true + provider: global:zones_name + + interfaces_list: + type: number + multi: true + description: Liste de tous les numéros d'interfaces + hidden: true + provider: global:zones_list + mandatory: false + + "interface_{{ suffix }}": + description: 'Interface {{ suffix }}' + dynamic: + variable: general.network.interfaces_list + + zone_name: + description: "Nom de la zone de l'interface {{ suffix }}" + hidden: true + default: + jinja: >- + {%- if __.zones_list -%} + {{ __.zones_list[index] }} + {%- endif -%} + params: + index: + type: suffix + + ip: + type: ip + description: "Adresse IP pour l'interface {{ suffix }}" + hidden: true + default: + jinja: >- + {{ zones | get_ip(server_name=_.domain_name) }} + params: + zones: + information: zones + + network: + type: network_cidr + description: "Réseau de l'interface {{ suffix }}" + hidden: true + default: + jinja: >- + {{ zones | get_zones_info("network", zone_name=_.zone_name) }} + params: + zones: + information: zones + + gateway: + type: ip + description: "La route de l'interface {{ suffix }}" + hidden: 
true + default: + jinja: >- + {{ zones | get_zones_info("host_ip", + zone_name=_.zone_name, + index=index) + }} + params: + zones: + information: zones + index: + type: suffix + disabled: + jinja: >- + {%- if index == 0 -%} + false + {%- else -%} + true + {%- endif -%} + params: + index: + type: suffix + + domain_name: + type: domainname + description: "Nom de domaine pour l'interface {{ suffix }}" + hidden: true + provider: global:server_names diff --git a/seed/base-machine/extras/machine/00_base.xml b/seed/base-machine/extras/machine/00_base.xml deleted file mode 100644 index cb49a5b8..00000000 --- a/seed/base-machine/extras/machine/00_base.xml +++ /dev/null @@ -1,14 +0,0 @@ - - - - - - - server_name - machine.name - - - - diff --git a/seed/base-machine/extras/machine/00_base.yml b/seed/base-machine/extras/machine/00_base.yml new file mode 100644 index 00000000..3cbcc933 --- /dev/null +++ b/seed/base-machine/extras/machine/00_base.yml @@ -0,0 +1,14 @@ +--- +version: 1.1 + +name: + description: Machine name + type: domainname + hidden: true + default: + variable: general.network.server_name + +data_disk_size: + description: Data disk size + type: number + mandatory: false diff --git a/seed/base-machine/funcs/funcs.py b/seed/base-machine/funcs/funcs.py index 8e545b0d..41288639 100644 --- a/seed/base-machine/funcs/funcs.py +++ b/seed/base-machine/funcs/funcs.py @@ -76,15 +76,3 @@ def _set_password(server_name: str, with open(file_name, 'r') as fh: file_content = fh.read().strip() return file_content - - -def get_zone_name(zones: list, - index: str, - ): - if zones is not None: - return zones[int(index)] - - -def get_last_server_name(server_names): - if server_names: - return server_names[-1] diff --git a/seed/base/applicationservice.yml b/seed/base/applicationservice.yml index a6c3577d..07a7cd66 100644 --- a/seed/base/applicationservice.yml +++ b/seed/base/applicationservice.yml @@ -1,2 +1,3 @@ +--- format: '0.1' description: Base of all application services 
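Review bot: `network.last_server_name` reads `_.interface_{{ suffix }}.domain_name` from outside the `interface_{{ suffix }}` dynamic family and then takes `domain_name[-1]`, so it presumably relies on that reference expanding to the list of every interface's domain name; that is not obvious to a reader and deserves a comment such as `# outside the dynamic family this resolves to the list of all interface_*.domain_name values; keep the last one`, plus a `description:`, which this variable lacks. The two providers also look crossed: `zones_list` is fed by `global:zones_name` while `interfaces_list` (numbers) is fed by `global:zones_list`; confirm that mapping is intended. In the `hide_secret` help, `diffusable` and `générés` should agree with `configurations` (`diffusables`, `générées`). YAML indentation is not visible in this rendering, so the nesting of `base.time_zone` and `module_name` is inferred.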
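Review bot: `data_disk_size` in extras/machine/00_base.yml is `type: number` with the description `Data disk size` and no unit, so an operator cannot tell whether to enter bytes, MiB or GiB; state the unit in the description, e.g. `description: Data disk size (in GiB)` if that is what the consumer of the value expects. `name` is `hidden` and derived from `general.network.server_name`; a one-line `help:` saying where that name is consumed would make the link explicit.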
diff --git a/seed/base/dictionaries/00_base.xml b/seed/base/dictionaries/00_base.xml deleted file mode 100644 index dd9f34d8..00000000 --- a/seed/base/dictionaries/00_base.xml +++ /dev/null @@ -1,17 +0,0 @@ - - - - - - - copy_tests - copy_tests - - - False - copy_tests - - - - diff --git a/seed/base/dictionaries/00_base.yml b/seed/base/dictionaries/00_base.yml new file mode 100644 index 00000000..6fd05374 --- /dev/null +++ b/seed/base/dictionaries/00_base.yml @@ -0,0 +1,16 @@ +--- +version: 1.1 + +copy_tests: + type: boolean + hidden: true + default: + jinja: >- + {%- if copy_tests -%} + true + {%- else -%} + false + {%- endif -%} + params: + copy_tests: + information: copy_tests diff --git a/seed/base/funcs/base.py b/seed/base/funcs/base.py index 95f02e44..acbeed06 100644 --- a/seed/base/funcs/base.py +++ b/seed/base/funcs/base.py @@ -60,12 +60,3 @@ def get_zones_info(zones: dict, continue ret.append(val) return ret - - -def get_first_value(lst: list): - if lst: - if isinstance(lst[0], list): - if lst[0] and lst[0][0]: - return lst[0][0] - else: - return lst[0] diff --git a/seed/dns-external/applicationservice.yml b/seed/dns-external/applicationservice.yml index 31b118ba..157266e8 100644 --- a/seed/dns-external/applicationservice.yml +++ b/seed/dns-external/applicationservice.yml @@ -1,2 +1,3 @@ +--- format: '0.1' description: DNS client with resolution on all zones (especially outside) diff --git a/seed/dns-external/dictionaries/14_dns-external.xml b/seed/dns-external/dictionaries/14_dns-external.xml deleted file mode 100644 index 2758fb93..00000000 --- a/seed/dns-external/dictionaries/14_dns-external.xml +++ /dev/null @@ -1,11 +0,0 @@ - - - - - - - - diff --git a/seed/dns-external/dictionaries/14_dns-external.yml b/seed/dns-external/dictionaries/14_dns-external.yml new file mode 100644 index 00000000..67f6d53f --- /dev/null +++ b/seed/dns-external/dictionaries/14_dns-external.yml 
@@ -0,0 +1,14 @@ +--- +version: 1.1 + +network: + + dns_is_only_local: + redefine: true + hidden: true + default: false + + dns_client_address: + redefine: true + supplier: ExternalDNS + hidden: true diff --git a/seed/dns-local/applicationservice.yml b/seed/dns-local/applicationservice.yml index 710f4c5c..3a23d24a 100644 --- a/seed/dns-local/applicationservice.yml +++ b/seed/dns-local/applicationservice.yml @@ -1,2 +1,3 @@ +--- format: '0.1' description: DNS client with access to local zones diff --git a/seed/dns-local/dictionaries/13_dns-local.xml b/seed/dns-local/dictionaries/13_dns-local.xml deleted file mode 100644 index f3fd6284..00000000 --- a/seed/dns-local/dictionaries/13_dns-local.xml +++ /dev/null @@ -1,24 +0,0 @@ - - - - - /tests/dns-local.yml - - - - - - - - - - zones - dns_client_address - ip_dns - - - diff --git a/seed/dns-local/dictionaries/13_dns-local.yml b/seed/dns-local/dictionaries/13_dns-local.yml new file mode 100644 index 00000000..6a1e5c79 --- /dev/null +++ b/seed/dns-local/dictionaries/13_dns-local.yml @@ -0,0 +1,25 @@ +--- +version: 1.1 + +network: + + dns_is_only_local: + description: DNS resolve only local address + hidden: true + default: true + + dns_client_address: + type: domainname + supplier: LocalDNS + hidden: true + + ip_dns: + type: ip + description: Adresse IP du serveur DNS + hidden: true + default: + jinja: >- + {{ zones | get_ip(server_name=general.network.dns_client_address) }} + params: + zones: + information: zones diff --git a/seed/dovecot/applicationservice.yml b/seed/dovecot/applicationservice.yml index 9c6d8123..2c4f7982 100644 --- a/seed/dovecot/applicationservice.yml +++ b/seed/dovecot/applicationservice.yml 
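Review bot: `network.dns_client_address` in 13_dns-local.yml has `type`, `supplier` and `hidden` but no `description`, unlike its siblings `dns_is_only_local` and `ip_dns`; add e.g. `description: Name of the DNS server supplied by LocalDNS`. The descriptions in this family also mix languages (`DNS resolve only local address` next to `Adresse IP du serveur DNS`); pick one, and `DNS resolves only local addresses` reads better in English. The `redefine: true` entries in 14_dns-external.yml presumably inherit whatever description 13_dns-local.yml provides, so fixing it here covers both.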
@@ -1,6 +1,10 @@ +--- format: '0.1' description: Postfix and Dovecot as mail servers (IMAP and submission) -help: "This application service provides email server. Two servers are used: Dovecot as IMAP server and Postfix as submission server. In addition, an auto-detection file of the email configuration is set up." +help: |- + This application service provides email server. Two servers are used: + Dovecot as IMAP server and Postfix as submission server. + In addition, an auto-detection file of the email configuration is set up. website: https://www.dovecot.org/ depends: - base-fedora-36 diff --git a/seed/dovecot/dictionaries/31_dovecot.xml b/seed/dovecot/dictionaries/31_dovecot.xml deleted file mode 100644 index 06d5381f..00000000 --- a/seed/dovecot/dictionaries/31_dovecot.xml +++ /dev/null 
@@ -1,131 +0,0 @@ - - - - - - submission_domainname - postfixlocal - postfix - postfix_ldap_client - /sysusers.d/1postfix.conf - /tmpfiles.d/0postfix.conf - /etc/postfix/main.cf - /etc/postfix/master.cf - /etc/postfix/relay_passwd - /etc/postfix/ldapsource.cf - /etc/postfix/sni - /sbin/risotto_backup - - - - /etc/nginx/default.d/autoconfig.conf - - - well_known_filenames - - - imap_domainname - dovecot - /sysusers.d/1dovecot.conf - /tmpfiles.d/0dovecot.conf - /etc/dovecot/conf.d/10-logging.conf - /etc/dovecot/conf.d/10-auth.conf - /etc/dovecot/conf.d/10-mail.conf - /etc/dovecot/conf.d/10-master.conf - /etc/dovecot/conf.d/10-ssl.conf - /etc/dovecot/conf.d/15-ldap.conf - /etc/dovecot/conf.d/30-service-stats.conf - /etc/dovecot/conf.d/00-risotto.conf - - /etc/dovecot/conf.d/auth-ldap.conf.ext - /etc/dovecot/dovecot-ldap.conf.ext - - /etc/dovecot/conf.d/auth-oauth2.conf.ext - /etc/dovecot/dovecot-oauth2.conf.ext - - /tests/imap.yml - - - - - - 587 - 993 - - - - - - all - - - dovecot - - - - - - - - - self-signed - self-signed - letsencrypt - - - - - - - - - - - - - - - mail_domains - mail_domains_calc - - - /var/www/html/mail/ - mail_domains - /autodiscover/autodiscover.xml - - - True - well_known_filenames - - - - domain_name_eth0 - mail_domains - revprox_client_web_address - - - mail_domains - revprox_client_external_domainnames - - - revprox_client_external_domainnames - - revprox_client_location - - - diff --git a/seed/dovecot/dictionaries/31_dovecot.yml b/seed/dovecot/dictionaries/31_dovecot.yml new file mode 100644 index 00000000..b58949bb --- /dev/null +++ b/seed/dovecot/dictionaries/31_dovecot.yml 
@@ -0,0 +1,142 @@ +--- +version: 1.1 + +network: + incoming_ports: + redefine: true + default: + - 587 + - 993 + +ldap: + + client: + + family: + redefine: true + default: all + + key_file_owner: + redefine: true + default: dovecot + +revprox: + + client: + + external_domainnames: + redefine: true + hidden: true + default: + jinja: |- + {%- for domain in general.mail.domain.domains | calc_domains %} + {{ domain }} + {%- endfor -%} + + web_address: + redefine: true + hidden: true + default: + jinja: >- + {{ __index | + calc_well_known(general.network.interface_0.domain_name, + general.mail.domain.domains) + }} + params: + __index: + type: index + + location: + redefine: true + default: + jinja: >- + {{ _.external_domainnames | calc_locations(index) }} + params: + index: + type: index + +mail: + description: Mail configuration + help: >- + Configure IMAP servers and submission to access email accounts and send + emails + + domain: + description: Mail domain + type: leadership + + domains: + type: domainname + description: Final destination email address + supplier: LMTP:criteria + examples: + - example.net + help: >- + These domain names are the domain names for emails (user@*example.net*) + and for auto configuration of email clients + (https://*example.net*/.well-known/autoconfig/mail/config-v1.1.xml) + + imap_domainname: + type: domainname + description: External IMAP server address + examples: + - imap.example.net + help: >- + Matches TLS connection’s SNI name, if it’s sent by the client. For some + email clients, use in DNS configuration a line like "_submissions._tcp + IN SRV 1 587 *imap.example.net*." + + submission_domainname: + type: domainname + description: External submission server address + examples: + - submission.example.net + help: >- + Matches TLS connection’s SNI name, if it’s sent by the client. For some + email clients, add in DNS configuration a line like "_imaps._tcp IN SRV + 0 1 993 *submission.example.net*." 
+ + crt_provider: + description: >- + Type of certificate autority signing external IMAP and submission + domain certificates + mode: basic + help: >- + The certificate can be self-signed (therefore invalid by default for the + client) or obtained via the Let's Encrypt service (generally valid for + the client) + default: self-signed + choices: + - self-signed + - letsencrypt + +dovecot: # IMAP mail server + + internal_addresses: + type: domainname + description: IMAP server connexion + provider: IMAP + multi: true + hidden: true + + well_known_filenames: + type: unix_filename + hidden: true + multi: true + default: + jinja: |- + {%- for domain in __.mail.domain.domains %} + /var/www/html/mail/{{ domain }}/autodiscover/autodiscover.xml + {%- endfor -%} + +nginx: + redefine: true + hidden: true + + root: + redefine: true + default: /var/www/html + +oauth2: + redefine: true + hidden: true diff --git a/seed/forgejo/applicationservice.yml b/seed/forgejo/applicationservice.yml index 5bc593f6..7f774a7c 100644 --- a/seed/forgejo/applicationservice.yml +++ b/seed/forgejo/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: Forgejo, a community managed lightweight code hosting solution website: https://forgejo.org/ diff --git a/seed/forgejo/dictionaries/31_forgejo.xml b/seed/forgejo/dictionaries/31_forgejo.xml deleted file mode 100644 index 06922543..00000000 --- a/seed/forgejo/dictionaries/31_forgejo.xml +++ /dev/null 
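Review bot: The DNS SRV examples in the `help` of `imap_domainname` and `submission_domainname` are crossed: the IMAP variable shows `_submissions._tcp IN SRV 1 587 *imap.example.net*.` and the submission variable shows `_imaps._tcp IN SRV 0 1 993 *submission.example.net*.`, so an operator copying them would publish the IMAP host under the submission service and vice versa (and the first one lacks the weight field). They should read `_imaps._tcp IN SRV 0 1 993 *imap.example.net*.` and `_submissions._tcp IN SRV 0 1 587 *submission.example.net*.` respectively. Two wording fixes in the same hunk: `Type of certificate authority signing …` for `crt_provider`, and `description: IMAP server connection` for `internal_addresses`. `dovecot: # IMAP mail server` documents the family with a YAML comment while `mail:` uses `description:`; use `description: IMAP mail server` so it reaches the generated documentation too. `well_known_filenames` interpolates `domains` into a filesystem path; a comment such as `# domains is typed domainname, which is what keeps '/' and '..' out of this path` would record why that is acceptable, assuming the type validation does reject them.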
@@ -1,127 +0,0 @@ - - - - - /sysusers.d/0forgejo.conf - /tmpfiles.d/0forgejo.conf - /etc/forgejo/app.ini - /tests/forgejo.yml - - - - - - 2222 - - - - - forgejo - - - - - Forgejo : Au-delà du développement. Nous forgeons. - - - - - - - / - - - - 3000 - - - forgejo - - - - - True - - - Forge - - - Forge logiciel Forgejo - - - Développement - - - silique_note.png - - - RS256 - - - - - - - - forgejo - - - - - - domain_name_eth0 - secret_key - forgejo - cleartext - hide_secret - 105 - forgejo_secret_key - - - domain_name_eth0 - internal_token - forgejo - cleartext - hide_secret - 105 - forgejo_internal_token - - - domain_name_eth0 - lfs_jwt_secret - forgejo - cleartext - hide_secret - 43 - forgejo_lfs_jwt_secret - - - domain_name_eth0 - jwt_secret - forgejo - cleartext - hide_secret - 43 - forgejo_jwt_secret - - - revprox_client_external_domainnames - revprox_client_location - user/oauth2/ - domain_name_eth0 - /callback - oauth2_client_login - - - revprox_client_external_domainnames - revprox_client_location - user/oauth2/ - domain_name_eth0 - oauth2_client_external - - - diff --git a/seed/forgejo/dictionaries/31_forgejo.yml b/seed/forgejo/dictionaries/31_forgejo.yml new file mode 100644 index 00000000..8fd2e59a --- /dev/null +++ b/seed/forgejo/dictionaries/31_forgejo.yml 
@@ -0,0 +1,164 @@ +--- +version: 1.1 + +network: + + incoming_ports: + redefine: true + default: + - 2222 + +forgejo: + description: Forgejo + help: Git forge Forgejo + + title: + description: Titre de la forge + mode: basic + default: 'Forgejo : Au-delà du développement. Nous forgeons.' + + mail_sender: + description: Les courriels sont envoyés à partir de cet adresse + examples: + - admin@example.net + type: mail + + secret_key: + type: secret + default: + jinja: >- + {{ "secret_key" | + get_password(server_name=general.network.interface_0.domain_name, + description="forgejo", + type="cleartext", + hide=general.hide_secret, + length=105) + }} + hidden: true + + internal_token: + type: secret + default: + jinja: >- + {{ "internal_token" | + get_password(server_name=general.network.interface_0.domain_name, + description="forgejo", + type="cleartext", + hide=general.hide_secret, length=105) + }} + hidden: true + + lfs_jwt_secret: + type: secret + default: + jinja: >- + {{ "lfs_jwt_secret" | + get_password(server_name=general.network.interface_0.domain_name, + description="forgejo", + type="cleartext", + hide=general.hide_secret, + length=43) + }} + hidden: true + + jwt_secret: + type: secret + default: + jinja: >- + {{ "jwt_secret" | + get_password(server_name=general.network.interface_0.domain_name, + description="forgejo", + type="cleartext", + hide=general.hide_secret, + length=43) + }} + hidden: true + +revprox: + + client: + + local_location: + redefine: true + default: / + + client_port: + redefine: true + default: 3000 + + client_cert_owner: + redefine: true + default: forgejo + +redis: + + client: + + key_owner: + redefine: true + default: forgejo + +oauth2: + + client: + + is_client_application: + redefine: true + default: true + + name: + redefine: true + default: Forge + + description: + redefine: true + default: Forge logiciel Forgejo + + category: + redefine: true + default: Développement + + logo: + redefine: true + default: silique_note.png + + login: 
+ redefine: true + default: + jinja: >- + {{ general.revprox.client.external_domainnames | + calc_oauth2_client_login( + general.revprox.client.location, + "user/oauth2/", + general.network.interface_0.domain_name, + "/callback" + ) + }} + + token_signature_algo: + redefine: true + default: RS256 + + external: + + external: + redefine: true + default: + jinja: |- + {%- for domain in + general.revprox.client.external_domainnames | + calc_oauth2_client_external( + general.revprox.client.location, + "user/oauth2/", + general.network.interface_0.domain_name) + %} + {{ domain }} + {%- endfor -%} + +postgresql: + + client: + + key_owner: + redefine: true + default: forgejo diff --git a/seed/gitea/README.md b/seed/gitea/README.md deleted file mode 100644 index 954dd139..00000000 --- a/seed/gitea/README.md +++ /dev/null @@ -1,139 +0,0 @@ ---- -gitea: none -include_toc: true ---- - - -[Return to the list of application services.](../README.md) -# gitea - -## Synopsis - -Transitional package for Gitea to Forgejo. - -## Example - -Zone names are provided as examples. Think about adapting with the value of provider_zone in configuration file. - -``` -gitea: - applicationservice: gitea - zones_name: - - localdns - - oauth2 - - postgresql - - redis - - reverseproxy - - smtp - values: - general.revprox.revprox_client.revprox_client_external_domainnames: - - service.example.net -``` - -## Basic variables - -### General - -#### Reverse proxy - -##### Clients configuration - -This family is a leadership. - -| Parameter | Comment | -|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------------------------------------------| -| **[general.revprox.revprox_client.revprox_client_external_domainnames](dictionaries/21_revprox_client.xml)**
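Review bot: The four `type: secret` variables (`secret_key`, `internal_token`, `lfs_jwt_secret`, `jwt_secret`) carry no `description` or `help`, so a reader of the generated documentation cannot tell what each secret protects or why the lengths differ (105 vs 43); add one line each, e.g. `description: Forgejo secret key` and `description: Forgejo internal token`, and a `help:` noting they are generated by `get_password` and only obscured in the output when `general.hide_secret` is set (they presumably end up in `/etc/forgejo/app.ini`). A style point: `internal_token` puts `hide=general.hide_secret, length=105` on one line while its three siblings put `length` on its own line; align them. `mail_sender`'s description `Les courriels sont envoyés à partir de cet adresse` should read `cette adresse`.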
mandatory, multiple
**Type:** [`domainname`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Service external domain name.
**Example:** service.example.net | -| **[general.revprox.revprox_client.revprox_client_location](dictionaries/21_revprox_client.xml)**
mandatory
**Type:** [`filename`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | URI to route request to the correct service.
**Default:** / | - -#### Forgejo - -Git forge Forgejo. - -| Parameter | Comment | -|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------| -| **[general.forgejo.forgejo_title](dictionaries/31_forgejo.xml)**
mandatory
**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Titre de la forge.
**Default:** Forgejo : Au-delà du développement. Nous forgeons. | - - - -## Variables - -### General - -#### Reverse proxy - -##### Clients configuration - -This family is a leadership. - -| Parameter | Comment | -|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|------------------------------------------------------| -| **[general.revprox.revprox_client.revprox_client_max_body_size](dictionaries/21_revprox_client.xml)**
**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | The maximum allowed size of the client request body. | - -#### OAuth2 client - -| Parameter | Comment | -|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------| -| **[general.oauth2_client.oauth2_client_name](dictionaries/31_forgejo.xml)**
mandatory
**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | OAuth2 client name.
**Default:** Forge
**Example:** example | -| **[general.oauth2_client.oauth2_client_description](dictionaries/31_forgejo.xml)**
mandatory
**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | OAuth2 client description.
**Default:** Forge logiciel Forgejo
**Example:** Example description | -| **[general.oauth2_client.oauth2_client_login](dictionaries/30_oauth2_client.xml)**
**Type:** [`web_address`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | OAuth2 URL to valid login.
**Default:** *calculated* | - -##### external - -| Parameter | Comments | -|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------------| -| **[general.oauth2_client.external.oauth2_client_external](dictionaries/31_forgejo.xml)**
mandatory, multiple
**Type:** [`web_address`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | OAuth2 client external.
**Default:** *calculated* | -| **[general.oauth2_client.external.oauth2_client_family](dictionaries/30_oauth2_client.xml)**
mandatory
**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | OAuth2 family.
**Default:** users | - -| Parameter | Comment | -|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------------------------------------------| -| **[general.oauth2_client.oauth2_client_category](dictionaries/31_forgejo.xml)**
mandatory
**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | OAuth2 category.
**Default:** Développement | -| **[general.oauth2_client.oauth2_client_logo](dictionaries/31_forgejo.xml)**
mandatory
**Type:** [`string`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | OAuth2 logo.
**Default:** silique_note.png | - -#### Forgejo - -Git forge Forgejo. - -| Parameter | Comment | -|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------| -| **[general.forgejo.forgejo_mail_sender](dictionaries/31_forgejo.xml)**
mandatory
**Type:** [`mail`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Les courriels sont envoyés à partir de cet adresse.
**Default:** *calculated*
**Example:** admin@example.net | - -#### Transitional family - -| Parameter | Comments | -|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------| -| **[general.gitea.gitea_mail_sender](dictionaries/32_gitea.xml)**
**Type:** [`mail`](https://forge.cloud.silique.fr/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Transitional variable, please do not use it. | - - -## Requirements services - -### Mandatories - -- [LocalDNS](../README.LocalDNS.md): DNS forwarder for local domain name. -- [SMTP](../README.SMTP.md): Create a SMTP relay account and authorize sending email. -- [ReverseProxy](../README.ReverseProxy.md): Register to service to a reverse proxy server. -- [Postgresql](../README.Postgresql.md): Create account and connexion to a PostgreSQL server. -- [OAuth2](../README.OAuth2.md): Remote clients needing to verify OAuth2 account. -- [Redis](../README.Redis.md): Create account and connexion to a Redis server. - -### Optionals - -- [Journald](../README.Journald.md): Concentrate journal messages on one host. - -## Dependances - -- [forgejo](../forgejo/README.md): Forgejo, a community managed lightweight code hosting solution. - - [base-fedora-38](../base-fedora-38/README.md): Base information of a Fedora 38. - - [base-fedora](../base-fedora/README.md): Base information of a Fedora. - - [systemd](../systemd/README.md): Systemd, a system and service manager. - - [base-machine](../base-machine/README.md): Base information for a machine. - - [base](../base/README.md): Base of all application services. - - [dns-local](../dns-local/README.md): DNS client with access to local zones. - - [pki-tls](../pki-tls/README.md): Autosign PKI or Let's encrypt support for TLS certificates. - - [journald](../journald/README.md): Journald. - - [resolved](../resolved/README.md): Resolved. - - [postgresql-client](../postgresql-client/README.md): Application service needs interact with a Postgresql server. - - [reverse-proxy-client](../reverse-proxy-client/README.md): Application service needs interact with a a reverse proxy server. - - [relay-mail-client](../relay-mail-client/README.md): Client SMTP. 
- - [redis-client](../redis-client/README.md): Application service needs interact with a Redis server. - - [redis-common](../redis-common/README.md): Redis, an in-memory data structure store. - - [oauth2-client](../oauth2-client/README.md): Application service needs interact with a Oauth2 server. diff --git a/seed/gitea/applicationservice.yml b/seed/gitea/applicationservice.yml deleted file mode 100644 index 5fe006d4..00000000 --- a/seed/gitea/applicationservice.yml +++ /dev/null @@ -1,5 +0,0 @@ -format: '0.1' -description: Transitional package for Gitea to Forgejo -depends: - - forgejo -service: true diff --git a/seed/gitea/dictionaries/32_gitea.xml b/seed/gitea/dictionaries/32_gitea.xml deleted file mode 100644 index 7cf6116d..00000000 --- a/seed/gitea/dictionaries/32_gitea.xml +++ /dev/null @@ -1,17 +0,0 @@ - - - - - - - - - - - - - gitea_mail_sender - forgejo_mail_sender - - - diff --git a/seed/gitea/templates/gitea.service b/seed/gitea/templates/gitea.service deleted file mode 100644 index cec11ce4..00000000 --- a/seed/gitea/templates/gitea.service +++ /dev/null 
@@ -1,17 +0,0 @@ -[Unit] -Description=Gitea transitional -Before=risotto.target - -[Service] -Type=oneshot -ExecStart=/bin/bash -c '%slurp -[ -d /srv/gitea/lib/data/gitea-repositories ] && mv /srv/gitea/lib/data/gitea-repositories /srv/gitea/lib/data/forgejo-repositories; %slurp -[ -d /srv/gitea ] && (mv /srv/gitea/* /srv/forgejo; rmdir /srv/gitea); %slurp -find /srv/forgejo/lib/data/forgejo-repositories/*/*.git/hooks -name gitea | while read a; do b=$(dirname $a); mv $b/gitea $b/forgejo; done; %slurp -sed -i 's/gitea/forgejo/g' /srv/forgejo/lib/data/forgejo-repositories/*/*.git/hooks/proc-receive; %slurp -sed -i 's/gitea/forgejo/g' /srv/forgejo/lib/data/forgejo-repositories/*/*.git/hooks/pre-receive.d/forgejo; %slurp -sed -i 's/gitea/forgejo/g' /srv/forgejo/lib/data/forgejo-repositories/*/*.git/hooks/update.d/forgejo; %slurp -sed -i 's/gitea/forgejo/g' /srv/forgejo/lib/data/forgejo-repositories/*/*.git/hooks/post-receive.d/forgejo; %slurp -sed -i 's/gitea/forgejo/g' /srv/forgejo/lib/data/forgejo-repositories/*/*.git/config; %slurp -exit 0%slurp -' diff --git a/seed/grafana/applicationservice.yml b/seed/grafana/applicationservice.yml index f90c179a..050d6642 100644 --- a/seed/grafana/applicationservice.yml +++ b/seed/grafana/applicationservice.yml @@ -1,5 +1,7 @@ +--- format: '0.1' -description: Grafana is an analytics and interactive visualization web application +description: > + Grafana is an analytics and interactive visualization web application website: https://grafana.com/ depends: - base-fedora-38 diff --git a/seed/grafana/dictionaries/31_grafana.xml b/seed/grafana/dictionaries/31_grafana.xml deleted file mode 100644 index b1530587..00000000 --- a/seed/grafana/dictionaries/31_grafana.xml +++ /dev/null 
@@ -1,67 +0,0 @@ - - - - - - /etc/grafana/grafana.ini - /etc/sysconfig/grafana-server - /tmpfiles.d/0grafana.conf - - - - - - - - - / - - - - 3000 - - - grafana - - - - - True - - - Grafana - - - Visualisation de données - - - Administration - - - silique_note.png - - - RS256 - - - - - - grafana - - - - - - domain_name_eth0 - admin - admin - cleartext - hide_secret - True - admin_password - - - - diff --git a/seed/grafana/dictionaries/31_grafana.yml b/seed/grafana/dictionaries/31_grafana.yml new file mode 100644 index 00000000..436f60f2 --- /dev/null +++ b/seed/grafana/dictionaries/31_grafana.yml @@ -0,0 +1,76 @@ +--- +version: 1.1 + +grafana: + + admin_password: + type: secret + description: Mot de passe de l'administrateur + hidden: true + default: + jinja: >- + {{ "admin" | + get_password(server_name=general.network.interface_0.domain_name, + description="admin", + type="cleartext", + hide=general.hide_secret, + temporary=true) + }} + +revprox: + + client: + + local_location: + redefine: true + default: / + + client_port: + redefine: true + default: 3000 + + client_cert_owner: + redefine: true + default: grafana + +oauth2: + + client: + + is_client_application: + redefine: true + default: true + + name: + redefine: true + default: Grafana + + description: + redefine: true + default: Visualisation de données + + category: + redefine: true + default: Administration + + logo: + redefine: true + default: silique_note.png + + token_signature_algo: + redefine: true + default: RS256 + + email_domain: + type: domainname + description: Domain name allowed to log on Grafana + examples: + - example.net + +postgresql: + + client: + + key_owner: + redefine: true + default: grafana diff --git a/seed/host-systemd-machined/applicationservice.yml b/seed/host-systemd-machined/applicationservice.yml index 50b2813d..348ba53c 100644 --- a/seed/host-systemd-machined/applicationservice.yml +++ b/seed/host-systemd-machined/applicationservice.yml 
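Review bot: `email_domain` (`Domain name allowed to log on Grafana`) is the access-control boundary for OAuth2 logins, yet it is a single `domainname` with no `help`; say what it restricts, e.g. `help: Only OAuth2 accounts with an e-mail address in this domain may log in to Grafana`, and confirm that a single value (not `multi: true`) is intended. `admin_password` is generated with `temporary=true`; a `help:` stating that this initial administrator password is expected to be replaced after first login would tell operators what the flag implies — I am inferring that meaning from the name. Indentation was lost in this rendering, so whether `email_domain` sits under `oauth2.client` or directly under `oauth2` is not visible.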
@@ -1,5 +1,7 @@ +--- format: '0.1' description: Host with machine started in Systemd Machined environment website: https://www.freedesktop.org/wiki/Software/systemd/machined/ depends: - base +host: true diff --git a/seed/host-systemd-machined/dictionaries/21_machined.xml b/seed/host-systemd-machined/dictionaries/21_machined.xml deleted file mode 100644 index f2323a2b..00000000 --- a/seed/host-systemd-machined/dictionaries/21_machined.xml +++ /dev/null @@ -1,176 +0,0 @@ - - - - - /etc/systemd/network/80-container-vz.network - systemd_zone_filename - systemd_netzone_filename - - - - - - - - - /tmpfiles.d/0asystemd-nspawn.conf - /etc/systemd/system/systemd-nspawn@.service.d/systemd-nspawn@.conf - /etc/distro.repos.d/boot.repo - /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-35-x86_64 - /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-36-x86_64 - /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-37-x86_64 - /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-38-x86_64 - /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-36 - /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-38 - /etc/sysctl.d/90-risotto.conf - host_network_filename - - - - - - /etc/vector/vector.toml - - - - - - - zones - zone_name - - - /etc/systemd/network/70-container- - zone_name - .network - - True - systemd_zone_filename - - - /etc/systemd/network/80- - interface_names - .network - - True - host_network_filename - - - /etc/systemd/network/70-container- - zone_name - .netdev - - True - systemd_netzone_filename - - - zones - cidr - zone_name - zone_cidr - - - - first_interface - - - zones - server_address - ip_address - - - zones - prometheus_server_address - prometheus_ip_address - - - ipv4 - interface_ip - interface_gateway - interface_domain_name_servers - - - True - interface_gateway - interface_domain_name_servers - - - - vector - ip_address - - - diff --git a/seed/host-systemd-machined/dictionaries/21_machined.yml b/seed/host-systemd-machined/dictionaries/21_machined.yml new file mode 100644 index 00000000..191a66f9 --- /dev/null 
+++ b/seed/host-systemd-machined/dictionaries/21_machined.yml 
@@ -0,0 +1,221 @@ +--- +version: 1.1 + +host_install_dir: + type: unix_filename + provider: global:host_install_dir + hidden: true + +host_name: + type: domainname + hidden: true + provider: global:server_name + +module_name: + hidden: true + provider: global:module_name + +tls_server: + type: domainname + provider: global:tls_server + hidden: true + +systemd_zone_filename: + type: unix_filename + hidden: true + multi: true + default: + jinja: |- + {%- for zone in general.zones.zone_name %} + /etc/systemd/network/70-container-{{ zone }}.network %} + {%- endfor -%} + +systemd_netzone_filename: + type: unix_filename + hidden: true + multi: true + default: + jinja: |- + {%- for zone in general.zones.zone_name %} + /etc/systemd/network/70-container-{{ zone }}.netdev" %} + {%- endfor -%} + +vm_swappiness: 60 # Ajustement de la mémoire virtuelle + +host_packages: + hidden: true + default: + - systemd-container + - dnf + - jq + - debootstrap + - htop + - iotop + - man + - gettext + - patch + - unzip + - mlocate + - xz-utils + - iptables + - curl + - tree + - tshark + - vim + - python3-pytest + - python3-yaml + - python3-ldap + - python3-dnspython + - python3-dulwich + - python3-psycopg2 + - python3-redis + - python3-imaplib2 + - python3-pymysql + +host_removed_packages: + hidden: true + default: + - resolvconf + +base: + + time_zone: + description: Time zone + supplier: Host:time_zone + default: Europe/Paris + +network: + + output_interface: null # Nom de l'interface de sortie + + interfaces: + type: leadership + + interface_names: [] # Nom de l'interface + + interface_type: + description: Type de la carte + default: dhcp + choices: + - dhcp + - ipv4 + + interface_ip: + type: cidr + description: IP au format CIDR de l'interface + disabled: + variable: _.interface_type + when_not: ipv4 + + first_interface: + type: boolean + hidden: true + default: + jinja: >- + {%- if index == 0 -%} + true + {%- else -%} + false + {%- endif -%} + params: + index: + type: index + + 
interface_gateway: + type: ip + description: IP de la route par défaut + disabled: + jinja: >- + {%- if _.interface_type != 'ipv4' or not _.first_interface -%} + disabled + {%- endif -%} + description: >- + if it's not the first interface or the address is automatcly + set via DHCP or not the first interface + + interface_domain_name_servers: + type: ip + description: IP des serveurs DNS + multi: true + disabled: + jinja: >- + {%- if _.interface_type != 'ipv4' or not _.first_interface -%} + disabled + {%- endif -%} + description: >- + if it's not the first interface or the address is automatcly + set via DHCP or not the first interface + + host_network_filename: + type: unix_filename + multi: true + hidden: true + default: + jinja: |- + {%- for interface in _.interfaces.interface_names %} + /etc/systemd/network/80-{{ interface }}.network + {% endfor %} + +zones: + type: leadership + + zone_name: + hidden: true + default: + jinja: |- + {%- for zone in zones %} + {{ zone }} + {%- endfor -%} + params: + zones: + information: zones + + zone_cidr: + type: cidr + hidden: true + default: + jinja: >- + {{ zones | get_zones_info("cidr", zone_name=_.zone_name) }} + params: + zones: + information: zones + +vector: + + server_address: + type: domainname + hidden: true + supplier: Vector + mandatory: false + + ip_address: + type: ip + hidden: true + supplier: Vector:address + disabled: + variable: _.server_address + when: null + default: + jinja: >- + {{ zones | get_ip(_.server_address) }} + params: + zones: + information: zones + +prometheus: + + server_address: + type: domainname + hidden: true + supplier: Prometheus + mandatory: false + + ip_address: + type: ip + hidden: true + default: + jinja: >- + {{ zones | get_ip(_.server_address) }} + params: + zones: + information: zones diff --git a/seed/host-systemd-machined/extras/machined/00_machined.xml b/seed/host-systemd-machined/extras/machined/00_machined.xml deleted file mode 100644 index 708ac6e2..00000000 
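Review bot: The `systemd_zone_filename` and `systemd_netzone_filename` defaults leave a stray `%}` (and a stray `"` in the second) after the path inside the for loop, so each rendered filename would end in ` %}` / `" %}` instead of `.network` / `.netdev`. The loop bodies should read `/etc/systemd/network/70-container-{{ zone }}.network` and `/etc/systemd/network/70-container-{{ zone }}.netdev`. Separately, `host_network_filename` closes its loop with `{% endfor %}` where every other multi-valued template in this file uses `{%- endfor -%}`; if the renderer does not strip the surrounding newlines this may yield an empty trailing entry, so aligning it is worth checking. The `description:` texts under the `interface_gateway` and `interface_domain_name_servers` `disabled:` rules both say "automatcly" and repeat "not the first interface"; "automatically" and dropping the duplicated clause would read better.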
--- a/seed/host-systemd-machined/extras/machined/00_machined.xml +++ /dev/null @@ -1,66 +0,0 @@ - - - - - machined.nspawn_zone_filename - machined.nspawn_script_network - machined.nspawn_script_tls - machined.nspawn_script_directory - - - - - - - /sbin/network- - machined.machines - - True - machined.nspawn_script_network - - - /sbin/tls- - machined.machines - - True - machined.nspawn_script_tls - - - /sbin/directory- - machined.machines - - True - machined.nspawn_script_directory - - - /etc/systemd/nspawn/ - machined.machines - .nspawn - - True - machined.nspawn_zone_filename - - - zones - - machined.machine_.ip_ - - - - - diff --git a/seed/host-systemd-machined/extras/machined/00_machined.yml b/seed/host-systemd-machined/extras/machined/00_machined.yml new file mode 100644 index 00000000..aa74c312 --- /dev/null +++ b/seed/host-systemd-machined/extras/machined/00_machined.yml 
@@ -0,0 +1,119 @@ +--- +version: 1.1 + +machines: + description: Machines started in this host + type: domainname + multi: true + provider: Host + hidden: true + mandatory: false + +"machine_{{ suffix }}": + description: 'Machine {{ suffix }}' + dynamic: + variable: machined.machines + + incoming_ports: + description: 'Incomming external ports for {{ suffix }}' + hidden: true + type: port + multi: true + provider: Host:incoming_ports + mandatory: false + + outgoing_ports: + description: 'Outcoming external ports for {{ suffix }}' + hidden: true + type: port + params: + allow_protocol: true + multi: true + provider: Host:outgoing_ports + mandatory: false + + srv_dir: + description: 'Directory with srv volume for {{ suffix }}' + hidden: true + type: unix_filename + provider: Host:machine_srv + mandatory: false + + journal_dir: + description: 'Directory with journal volume for {{ suffix }}' + hidden: true + type: unix_filename + provider: Host:machine_journal + mandatory: false + + config_dir: + description: 'Directory with configuration volume for {{ suffix }}' + hidden: true + type: unix_filename + provider: Host:config_dir + + tls_dir: + hidden: true + type: unix_filename + provider: Host:machine_tls + mandatory: false + + zones: + description: 'Zones for {{ suffix }}' + hidden: true + provider: Host:machine_zones + multi: true + mandatory: false + + ip: + description: 'IP for {{ suffix }}' + type: ip + hidden: true + default: + jinja: >- + {{ zones | get_ip(suffix) }} + params: + zones: + information: zones + suffix: + type: suffix + +nspawn_zone_filename: + type: unix_filename + hidden: true + multi: true + default: + jinja: |- + {%- for machine in machined.machines %} + /etc/systemd/nspawn/{{ machine }}.nspawn + {%- endfor -%} + +nspawn_script_network: + type: unix_filename + hidden: true + multi: true + default: + jinja: |- + {%- for machine in machined.machines %} + /sbin/network-{{ machine }} + {%- endfor -%} + +nspawn_script_tls: + type: unix_filename + 
hidden: true + multi: true + default: + jinja: |- + {%- for machine in machined.machines %} + /sbin/tls-{{ machine }} + {%- endfor -%} + +nspawn_script_directory: + type: unix_filename + hidden: true + multi: true + default: + jinja: |- + {%- for machine in machined.machines %} + /sbin/directory-{{ machine }} + {%- endfor -%} diff --git a/seed/host-systemd-machined/funcs/machined.py b/seed/host-systemd-machined/funcs/machined.py index 4b0bc6c2..d9912a06 100644 --- a/seed/host-systemd-machined/funcs/machined.py +++ b/seed/host-systemd-machined/funcs/machined.py @@ -2,15 +2,6 @@ from risotto.utils import multi_function as _multi_function from typing import List as _List -@_multi_function -def get_internal_zone_names(zones) -> _List[str]: - return list(zones) - - -def is_first_interface(index) -> bool: - return index == 0 - - @_multi_function def get_host_ip(zones: dict, server_name: str, diff --git a/seed/imap-client/applicationservice.yml b/seed/imap-client/applicationservice.yml index 6a6ec258..f43a982c 100644 --- a/seed/imap-client/applicationservice.yml +++ b/seed/imap-client/applicationservice.yml @@ -1,2 +1,3 @@ +--- format: '0.1' description: Application service needs interact with an IMAP server diff --git a/seed/imap-client/dictionaries/21_imap_client.xml b/seed/imap-client/dictionaries/21_imap_client.xml deleted file mode 100644 index 8b11b2d7..00000000 --- a/seed/imap-client/dictionaries/21_imap_client.xml +++ /dev/null @@ -1,16 +0,0 @@ - - - - - imap - - - - - - - diff --git a/seed/imap-client/dictionaries/21_imap_client.yml b/seed/imap-client/dictionaries/21_imap_client.yml new file mode 100644 index 00000000..6c5dfe64 --- /dev/null +++ b/seed/imap-client/dictionaries/21_imap_client.yml @@ -0,0 +1,14 @@ +--- +version: 1.1 + +imap: + description: Client SMTP + hidden: true + + address: + type: domainname + supplier: IMAP + + cert_owner: + type: unix_user + default: root 
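Review bot: `tls_dir` is the only volume variable in the `machine_{{ suffix }}` family without a `description`, unlike its siblings `srv_dir`, `journal_dir` and `config_dir`; add `description: 'Directory with TLS volume for {{ suffix }}'`. The `incoming_ports` and `outgoing_ports` descriptions read "Incomming" and "Outcoming"; `description: 'Incoming external ports for {{ suffix }}'` and `description: 'Outgoing external ports for {{ suffix }}'` are the intended words. `config_dir` also lacks the `mandatory: false` that the other provider-fed directories carry; if that is deliberate (a machine always needs a configuration volume), a short comment saying so would save the next reader from guessing.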
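Review bot: The `imap` family is described as `Client SMTP` although this dictionary configures an IMAP client (`supplier: IMAP`, file `21_imap_client.yml`); the line should be `description: Client IMAP`. The `cert_owner` variable has no description while `address` gets its meaning from the supplier; a one-line `description: Unix owner of the client certificate` would make the `root` default easier to review.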
diff --git a/seed/journald/applicationservice.yml b/seed/journald/applicationservice.yml index 0a1e96f1..8bd9aa55 100644 --- a/seed/journald/applicationservice.yml +++ b/seed/journald/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: Journald website: https://systemd.io/ diff --git a/seed/journald/dictionaries/20_journald.xml b/seed/journald/dictionaries/20_journald.xml deleted file mode 100644 index c035cf15..00000000 --- a/seed/journald/dictionaries/20_journald.xml +++ /dev/null @@ -1,21 +0,0 @@ - - - - - - journald - /etc/systemd/journal-upload.conf - - - - - - - - - - journald - - - diff --git a/seed/journald/dictionaries/20_journald.yml b/seed/journald/dictionaries/20_journald.yml new file mode 100644 index 00000000..d8418b55 --- /dev/null +++ b/seed/journald/dictionaries/20_journald.yml @@ -0,0 +1,10 @@ +--- +version: 1.1 + +journald: + + journal_client_server_domainname: + type: domainname + supplier: Journald + hidden: true + mandatory: false diff --git a/seed/journald_remote/applicationservice.yml b/seed/journald_remote/applicationservice.yml index 4b6acfba..e751a7d6 100644 --- a/seed/journald_remote/applicationservice.yml +++ b/seed/journald_remote/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: Journald remote website: https://systemd.io/ diff --git a/seed/journald_remote/dictionaries/21_journald.xml b/seed/journald_remote/dictionaries/21_journald.xml deleted file mode 100644 index d3afbb54..00000000 --- a/seed/journald_remote/dictionaries/21_journald.xml +++ /dev/null @@ -1,11 +0,0 @@ - - - - - - journald - /etc/systemd/journal-remote.conf - - - - diff --git a/seed/journald_remote/extras/accounts/00_accounts.xml b/seed/journald_remote/extras/accounts/00_accounts.xml deleted file mode 100644 index 38982d74..00000000 --- a/seed/journald_remote/extras/accounts/00_accounts.xml +++ /dev/null 
@@ -1,20 +0,0 @@ - - - - - - - accounts.remote_.messages_ - accounts.remote_.services_ - accounts.remote_.functions_ - accounts.vector_conditions - - - diff --git a/seed/journald_remote/extras/accounts/00_accounts.yml b/seed/journald_remote/extras/accounts/00_accounts.yml new file mode 100644 index 00000000..71f14d54 --- /dev/null +++ b/seed/journald_remote/extras/accounts/00_accounts.yml @@ -0,0 +1,52 @@ +--- +version: 1.1 + +remotes: + description: Concentrate journal messages on one host + type: domainname + multi: true + hidden: true + provider: Journald + +"remote_{{ suffix }}": + description: 'Account for {{ suffix }}' + dynamic: + variable: accounts.remotes + hidden: true + + services: + description: 'Log from this service to exclude for {{ suffix }}' + multi: true + unique: false + mandatory: false + provider: Journald:service + + functions: + description: >- + Function use to compare message (if not defined, exlude same message) + for {{ suffix }} + multi: true + mandatory: false + empty: false + unique: false + provider: Journald:function + + messages: + description: 'Message to exclude for {{ suffix }}' + multi: true + unique: false + mandatory: false + provider: Journald:message + +vector_conditions: + default: + jinja: >- + {{ messages | calc_vector_conditions(services, functions) }} + params: + messages: + variable: accounts.remote_{{ suffix }}.messages + services: + variable: accounts.remote_{{ suffix }}.services + functions: + variable: accounts.remote_{{ suffix }}.functions + hidden: true diff --git a/seed/ldap-client/applicationservice.yml b/seed/ldap-client/applicationservice.yml index 98817f8c..664f069e 100644 --- a/seed/ldap-client/applicationservice.yml +++ b/seed/ldap-client/applicationservice.yml @@ -1,2 +1,3 @@ +--- format: '0.1' description: Application service needs interact with a LDAP server 
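Review bot: The `functions` description in the `remote_{{ suffix }}` family reads "Function use to compare message (if not defined, exlude same message)", which has two typos and a number-agreement error in a user-facing string. Proposed wording, keeping the trailing `for {{ suffix }}`: `Function used to compare messages (if not defined, identical messages are excluded)`. `vector_conditions` is the only variable here whose `hidden: true` comes after its `default:` block; moving it up next to `description`-style metadata, as the other variables do, keeps the layout consistent.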
diff --git a/seed/ldap-client/dictionaries/21_ldap-client.xml b/seed/ldap-client/dictionaries/21_ldap-client.xml deleted file mode 100644 index 79a2c294..00000000 --- a/seed/ldap-client/dictionaries/21_ldap-client.xml +++ /dev/null @@ -1,94 +0,0 @@ - - - - - ldap_client - ldap_client_file - - - - - - - - - - - - - - ldapclient_base_dn - - - zones - ldap_server_address - ldap_server_ip - - - prefix_domain_name - ldapclient_base_dn - - - ou=accounts - ldapclient_base_dn - , - ldapclient_search_dn - - - cn= - ldapclient_address - , - ldapclient_base_dn - - ldapclient_user - - - ldap_server_ip - domain_name_eth - network_eth - ldapclient_address - - - ldap_server_address - ldapclient_user - remote account - cleartext - hide_secret - True - ldapclient_user_password - - - ldapclient_base_dn - True - ldapclient_group_dn - - - ldapclient_base_dn - ldapclient_user_dn - - - /etc/ldap/ldap.conf - os_name - Debian - /etc/openldap/ldap.conf - ldap_client_file - - - diff --git a/seed/ldap-client/dictionaries/21_ldap-client.yml b/seed/ldap-client/dictionaries/21_ldap-client.yml new file mode 100644 index 00000000..79aebb18 --- /dev/null +++ b/seed/ldap-client/dictionaries/21_ldap-client.yml 
@@ -0,0 +1,135 @@ +--- +version: 1.1 + +ldap: # OpenLDAP directory + + server: # Server + + address: + type: domainname + hidden: true + supplier: LDAP + + ip: + type: ip + default: + jinja: >- + {{ zones | get_ip(_.address) }} + params: + zones: + information: zones + hidden: true + + port: + type: port + default: 636 + hidden: true + + prefix_domain_name: + hidden: true + provider: global:prefix_domain_name + + client: # Client + + family: + description: Restrict service configuration for a LDAP family + help: '"all" for all families.' + type: unix_user + mandatory: false + supplier: LDAP:family + + user: + type: string + default: + jinja: |- + cn={{ _.address }},{{ _.base_dn }} + hidden: true + supplier: LDAP:dn + + address: + default: + jinja: >- + {{ __.server.ip | + get_client_address(domain_name, network) }} + params: + network: + variable: >- + general.network.interface_{{ suffix }}.network + domain_name: + variable: >- + general.network.interface_{{ suffix }}.domain_name + hidden: true + + user_password: + type: secret + default: + jinja: >- + {{ _.user | get_password(server_name=__.server.address, + description="remote account", + type="cleartext", + hide=general.hide_secret, + temporary=true) + }} + hidden: true + supplier: LDAP:password + + base_dn: + type: string + validators: + - jinja: >- + {%- set var = {'ok': false} -%} + {%- for att in ['o', 'dc', 'ou'] -%} + {%- if _.base_dn.startswith(att + '=') -%} + {%- set var = var.update({'ok': true}) -%} + {%- endif -%} + {%- endfor -%} + {%- if not var.ok -%} + {%- set e = "the root LDAP base DN must starts with an " -%} + {%- set e = e + "organisation (o=), a domain componant (dc=) " -%} + {%- set e = e + "or an organizational unit (ou=)" -%} + {{ e }} + {%- endif -%} + description: >- + if LDAP base DN starts with an organisation (o=), a domain componant + (dc=) or an organizational unit (ou=) + default: + jinja: >- + {{ __.server.prefix_domain_name | get_default_base_dn }} + hidden: true + supplier: 
LDAP:base_dn + + search_dn: + default: + jinja: >- + ou=accounts,{{ _.base_dn }} + hidden: true + + group_dn: + type: string + default: + jinja: >- + {{ _.base_dn | calc_ldapclient_base_dn(group=true) }} + hidden: true + + user_dn: + type: string + default: + jinja: >- + {{ _.base_dn | calc_ldapclient_base_dn }} + hidden: true + + key_file_owner: + type: unix_user + default: root + hidden: true + + file: + type: unix_filename + default: + jinja: >- + {%- if general.os_name == 'Debian' -%} + /etc/ldap/ldap.conf + {%- else -%} + /etc/openldap/ldap.conf + {%- endif -%} + hidden: true diff --git a/seed/lemonldap/applicationservice.yml b/seed/lemonldap/applicationservice.yml index 9348a6d9..d5b76ec8 100644 --- a/seed/lemonldap/applicationservice.yml +++ b/seed/lemonldap/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: LemonLDAP, a Web Single Sign On and Access Management website: https://lemonldap-ng.org/ diff --git a/seed/lemonldap/dictionaries/70_lemonldap_ng.xml b/seed/lemonldap/dictionaries/70_lemonldap_ng.xml deleted file mode 100644 index 9dbb88b1..00000000 --- a/seed/lemonldap/dictionaries/70_lemonldap_ng.xml +++ /dev/null @@ -1,45 +0,0 @@ - - - - - - /static/logo.png - /static/demo.png - /static/silique_email.png - /static/silique_folder.png - /static/silique_note.png - /static/silique_video.png - /static/silique_image.png - /static/risotto.css - /var/lib/lemonldap-ng/conf/lmConf-1.json - /etc/lemonldap-ng/lemonldap-ng.ini - /etc/lemonldap-ng/portal-nginx.conf - /etc/lemonldap-ng/nginx-lmlog.conf - /etc/default/lemonldap-ng-fastcgi-server - /sbin/interne_well_known.pl - /sbin/wget.pl - /tmpfiles.d/0lemonldap.conf - /tests/lemonldap.yml - - - - - - False - - - - - 1 - - - - - - - all - - - - - diff --git a/seed/lemonldap/dictionaries/70_lemonldap_ng.yml b/seed/lemonldap/dictionaries/70_lemonldap_ng.yml new file mode 100644 index 00000000..1f303062 --- /dev/null +++ b/seed/lemonldap/dictionaries/70_lemonldap_ng.yml 
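Review bot: The `base_dn` validator rebinds `var` to the return value of `dict.update`, which is `None`, so it is only correct because the in-place mutation survives and because `o=`, `dc=` and `ou=` cannot match the same value twice; a second match would presumably fail on `None`, which makes the construct fragile. The check is simpler without the mutable-dict trick: `{%- if not (_.base_dn.startswith('o=') or _.base_dn.startswith('dc=') or _.base_dn.startswith('ou=')) -%}` followed by the existing error message and `{%- endif -%}`. The error text and the validator's `description` also read "must starts with an organisation" and "domain componant"; "must start with an organization (o=), a domain component (dc=)" is the intended wording.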
@@ -0,0 +1,32 @@ +--- +version: 1.1 + +nginx: + + default_https: + redefine: true + default: false + +lemonldap: + description: LemonLDAP + help: Configuration de la solution d'authentification unique LemonLDAP::NG + + proc: + description: Nombre de processus dédié à LemonLdap + help: Équivalent au nombre de processeurs + mode: advanced + default: 1 + + mail_admin: + type: mail + description: Courriel de l'administrateur + examples: + - admin@example.net + +ldap: + + client: + + family: + redefine: true + default: all diff --git a/seed/lemonldap/extras/oauth2/00_oauth2.xml b/seed/lemonldap/extras/oauth2/00_oauth2.xml deleted file mode 100644 index b9b9285a..00000000 --- a/seed/lemonldap/extras/oauth2/00_oauth2.xml +++ /dev/null @@ -1,31 +0,0 @@ - - - - - - - revprox_client_external_domainnames - oauth2.oauth2_.oauth2_client_external_domain_ - - - - diff --git a/seed/lemonldap/extras/oauth2/00_oauth2.yml b/seed/lemonldap/extras/oauth2/00_oauth2.yml new file mode 100644 index 00000000..48b96974 --- /dev/null +++ b/seed/lemonldap/extras/oauth2/00_oauth2.yml 
@@ -0,0 +1,90 @@ +--- +version: 1.1 + +remotes: + description: Remote clients needing to verify OAuth2 account + type: domainname + multi: true + provider: OAuth2 + hidden: true + mandatory: false + +"oauth2_{{ suffix }}": + _description: 'OAuth2 for {{ suffix }}' + dynamic: + variable: oauth2.remotes + + client_id: + description: 'Remote client id for {{ suffix }}' + hidden: true + provider: OAuth2:client_id + + secret: + description: 'Remote secret for {{ suffix }}' + type: secret + hidden: true + provider: OAuth2:secret + + name: + description: 'Remote name for {{ suffix }}' + hidden: true + provider: OAuth2:name + mandatory: false + + description: + description: 'Remote description for {{ suffix }}' + hidden: true + provider: OAuth2:description + mandatory: false + + category: + description: 'Remote category for {{ suffix }}' + hidden: true + provider: OAuth2:category + mandatory: false + + login: + description: 'Remote URL to login for {{ suffix }}' + hidden: true + provider: OAuth2:login + mandatory: false + + external: + type: leadership + + hosts: + description: 'Remote external for {{ suffix }}' + provider: OAuth2:external + hidden: true + mandatory: false + + family: + description: 'Remote family for {{ suffix }}' + provider: OAuth2:family + mandatory: false + + logo: + description: 'Logo for {{ suffix }}' + hidden: true + provider: OAuth2:logo + mandatory: false + + token_signature_algo: + description: 'OAuth2 token signature algorithm for {{ suffix }}' + hidden: true + provider: OAuth2:token_signature_algo + choices: + - HS512 + - RS256 + + oauth2_client_external_domain: + description: 'External domain for {{ suffix }}' + type: domainname + hidden: true + supplier: OAuth2:external_domain + default: + jinja: >- + {% set domains = general.revprox.client.external_domainnames %} + {%- if domains -%} + {{ domains[0] }} + {%- endif -%} diff --git a/seed/loki/applicationservice.yml b/seed/loki/applicationservice.yml index 81f5763d..283d649b 100644 
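Review bot: The `oauth2_{{ suffix }}` dynamic family uses the key `_description` while every other dynamic family in this commit (`remote_{{ suffix }}` in `00_accounts.yml`, `machine_{{ suffix }}` in `00_machined.yml`) uses `description`; the leading underscore looks like a typo and would presumably leave the family undescribed or be rejected by the loader. Change it to `description: 'OAuth2 for {{ suffix }}'`. The `external` leadership also has no description of its own, unlike the `zones` and `interfaces` leaderships elsewhere in the commit; one line such as `description: 'External access for {{ suffix }}'` would help.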
--- a/seed/loki/applicationservice.yml +++ b/seed/loki/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: Loki, a log aggregation platform website: https://grafana.com/ diff --git a/seed/loki/dictionaries/20_loki.xml b/seed/loki/dictionaries/20_loki.xml deleted file mode 100644 index 3e3d6643..00000000 --- a/seed/loki/dictionaries/20_loki.xml +++ /dev/null @@ -1,16 +0,0 @@ - - - - - /etc/loki/loki.yaml - /sysusers.d/loki.conf - /tmpfiles.d/0loki.conf - - - - - - - - diff --git a/seed/loki/dictionaries/20_loki.yml b/seed/loki/dictionaries/20_loki.yml new file mode 100644 index 00000000..5e8177ef --- /dev/null +++ b/seed/loki/dictionaries/20_loki.yml @@ -0,0 +1,11 @@ +--- +version: 1.1 + +loki: # Loki + + remotes: + description: Concentrate log messages + type: domainname + provider: Loki + multi: true + hidden: true diff --git a/seed/mailman/applicationservice.yml b/seed/mailman/applicationservice.yml index 20ed537c..31b4441f 100644 --- a/seed/mailman/applicationservice.yml +++ b/seed/mailman/applicationservice.yml @@ -1,5 +1,7 @@ +--- format: '0.1' -description: GNU Mailman, managing electronic mail discussion and e-newsletter lists +description: > + GNU Mailman, managing electronic mail discussion and e-newsletter lists website: https://www.list.org depends: - base-debian-bullseye diff --git a/seed/mailman/dictionaries/31_mailman.xml b/seed/mailman/dictionaries/31_mailman.xml deleted file mode 100644 index 9ce073e4..00000000 --- a/seed/mailman/dictionaries/31_mailman.xml +++ /dev/null 
@@ -1,80 +0,0 @@ - - - - - - /etc/mailman3/mailman.cfg - /tmpfiles.d/0mailman.conf - /tests/mailman.yml - - - - - postgresql_postorius - - /etc/mailman3/nginx.conf - /etc/mailman3/mailman-web.py - /etc/mailman3/uwsgi.ini - - - - - - - - - - True - - - Liste de distribution - - - Liste de distribution Mailman - - - Développement - - - silique_email.png - - - RS256 - - - - - - - - False - - - /usr/share/webapps/postorius - - - - - list - - - - - - domain_name_eth0 - postorius - secret_key - cleartext - hide_secret - postorius_secret_key - - - revprox_client_external_domainnames - revprox_client_location - accounts/risotto/login/ - oauth2_client_external - - - diff --git a/seed/mailman/dictionaries/31_mailman.yml b/seed/mailman/dictionaries/31_mailman.yml new file mode 100644 index 00000000..1168a29a --- /dev/null +++ b/seed/mailman/dictionaries/31_mailman.yml 
@@ -0,0 +1,92 @@ +--- +version: 1.1 + +mailman: # Gestionnaire de liste + + mail_owner: + type: mail + description: Courriel du gestionnaire de liste du site + examples: + - admin@example.net + + domains: + type: domainname + description: Nom de domaine des listes + multi: true + examples: + - list.example.net + + postorius_secret_key: + type: secret + description: Internal secret key + hidden: true + auto_save: false + default: + jinja: >- + {{ "postorius" | + get_password(server_name=general.network.interface_0.domain_name, + description="secret_key", + type="cleartext", + hide=general.hide_secret) + }} + +oauth2: + + client: + + is_client_application: + redefine: true + default: true + + name: + redefine: true + default: Liste de distribution + + description: + redefine: true + default: Liste de distribution Mailman + + category: + redefine: true + default: Développement + + logo: + redefine: true + default: silique_email.png + + token_signature_algo: + redefine: true + default: RS256 + + external: + + external: + redefine: true + default: + jinja: |- + {%- for val in + general.revprox.client.external_domainnames | + calc_oauth2_client_external( + general.revprox.client.location, + "accounts/risotto/login/") + %} + {{ val }} + {%- endfor -%} + +nginx: + + default_https: + redefine: true + default: false + + root: + redefine: true + default: /usr/share/webapps/postorius + +postgresql: + + client: + + key_owner: + redefine: true + default: list diff --git a/seed/mailman/extras/machine/20_mailman.xml b/seed/mailman/extras/machine/20_mailman.xml deleted file mode 100644 index c8842485..00000000 --- a/seed/mailman/extras/machine/20_mailman.xml +++ /dev/null @@ -1,17 +0,0 @@ - - - - - 256 - - - False - - - False - - - 512 - - - diff --git a/seed/mailman/extras/machine/20_mailman.yml b/seed/mailman/extras/machine/20_mailman.yml new file mode 100644 index 00000000..ae6b614c --- /dev/null +++ b/seed/mailman/extras/machine/20_mailman.yml 
@@ -0,0 +1,19 @@ +--- +version: 1.1 + +var_size: + redefine: true + default: '256' + +add_tmp: + redefine: true + default: 'False' + +add_swap: + redefine: true + default: 'False' + +memory: + redefine: true + exists: true + default: '512' diff --git a/seed/mailman/extras/mailman/20_mailman.xml b/seed/mailman/extras/mailman/20_mailman.xml deleted file mode 100644 index e356b1a7..00000000 --- a/seed/mailman/extras/mailman/20_mailman.xml +++ /dev/null @@ -1,23 +0,0 @@ - - - - - - - - - - mailman.list_.name_ - - mailman.list_.names_ - - - mailman.list_.names_ - mailman.names_ - - - - - diff --git a/seed/mailman/extras/mailman/20_mailman.yml b/seed/mailman/extras/mailman/20_mailman.yml new file mode 100644 index 00000000..d88c9c38 --- /dev/null +++ b/seed/mailman/extras/mailman/20_mailman.yml @@ -0,0 +1,38 @@ +--- +version: 1.1 + +"list_{{ suffix }}": + description: 'Listes du domaine {{ suffix }}' + dynamic: + variable: general.mailman.domains + + name: + description: 'Nom des listes {{ suffix }}' + type: unix_user + multi: true + + names: + description: 'Address names {{ suffix }}' + type: string + hidden: true + default: + jinja: >- + {{ _.name | mailman_emails(suffix) }} + params: + suffix: + type: suffix + +names: + description: 'All address names' + type: string + multi: true + hidden: true + supplier: LMTP:criteria + default: + jinja: |- + {%- for name in names | mailman_concat %} + {{ name }} + {%- endfor -%} + params: + names: + variable: _.list_{{ suffix }}.names diff --git a/seed/mariadb-client/applicationservice.yml b/seed/mariadb-client/applicationservice.yml index 9c519da6..08284549 100644 --- a/seed/mariadb-client/applicationservice.yml +++ b/seed/mariadb-client/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: Application service needs interact with a MariaDB server website: https://mariadb.org/ 
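Review bot: `add_tmp` and `add_swap` redefine their defaults with the quoted strings `'False'` rather than the YAML boolean `false` used elsewhere in this commit (`default_https` in `70_lemonldap_ng.yml`, `is_client_application` in `31_grafana.yml`); the same pattern appears for `enable_output_buffering` and `disable_pcntl` in `seed/nextcloud/dictionaries/31_nextcloud.yml`. If the redefined variables are boolean-typed, a non-empty string is either rejected or, worse, truthy, which would silently enable the feature meant to be turned off; unless the converter is known to coerce `'False'`, `default: false` is the safer form. `var_size` and `memory` likewise quote numbers (`'256'`, `'512'`) that could be plain integers if their types allow it.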
diff --git a/seed/mariadb-client/dictionaries/20_mariadb.xml b/seed/mariadb-client/dictionaries/20_mariadb.xml deleted file mode 100644 index 83144041..00000000 --- a/seed/mariadb-client/dictionaries/20_mariadb.xml +++ /dev/null @@ -1,45 +0,0 @@ - - - - - - - - - - - - zones - mariadb_client_server_domainname - mariadb_client_server_ip - - - mariadb_client_server_ip - domain_name_eth - network_eth - mariadb_client_address - - - server_name - mariadb_client_username - - - mariadb_client_username - mariadb_client_database - - - mariadb_client_server_domainname - mariadb_client_address - remote - cleartext - hide_secret - mariadb_client_password - - - diff --git a/seed/mariadb-client/dictionaries/20_mariadb.yml b/seed/mariadb-client/dictionaries/20_mariadb.yml new file mode 100644 index 00000000..71760b9e --- /dev/null +++ b/seed/mariadb-client/dictionaries/20_mariadb.yml 
@@ -0,0 +1,63 @@ +--- +version: 1.1 + +mariadb: # MariaDB + + client: # MariaDB client + + server_domainname: + type: domainname + supplier: MariaDB + hidden: true + + server_ip: + type: ip + hidden: true + default: + jinja: >- + {{ zones | get_ip(_.server_domainname) }} + params: + zones: + information: zones + + username: + description: Database username + supplier: MariaDB:username + hidden: true + default: + jinja: >- + {{ general.network.server_name | normalize_family }} + + password: + type: secret + description: Database password + hidden: true + supplier: MariaDB:password + default: + jinja: >- + {% set server_name=_.server_domainname %} + {{ _.address | get_password(server_name=server_name, + description="remote", + type="cleartext", + hide=general.hide_secret) + }} + + database: + description: Database name + hidden: true + supplier: MariaDB:database + default: + variable: _.username + + address: + hidden: true + default: + jinja: >- + {{ _.server_ip | get_client_address(domain_name, network) }} + params: + network: + variable: >- + general.network.interface_{{ suffix }}.network + domain_name: + variable: >- + general.network.interface_{{ suffix }}.domain_name diff --git a/seed/mariadb/applicationservice.yml b/seed/mariadb/applicationservice.yml index c2e948b1..02f66471 100644 --- a/seed/mariadb/applicationservice.yml +++ b/seed/mariadb/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: MariaDB, a relational database website: https://mariadb.org/ diff --git a/seed/mariadb/dictionaries/20_mariadb.xml b/seed/mariadb/dictionaries/20_mariadb.xml deleted file mode 100644 index 346f98a9..00000000 --- a/seed/mariadb/dictionaries/20_mariadb.xml +++ /dev/null @@ -1,29 +0,0 @@ - - - - - - /etc/my.cnf.d/risotto.cnf - /tmpfiles.d/0mariadb.conf - /etc/mariadb.sql - /tests/mariadb.yml - /sbin/risotto_backup - - - - - - - - - domain_name_eth0 - root_password - mariadb - cleartext - hide_secret - 50 - mariadb_root_password - - - 
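Review bot: The `password` default starts with `{% set server_name=_.server_domainname %}` without whitespace control inside a folded (`>-`) scalar, so the fold turns the following line break into a space and the rendered value would be a space followed by the password unless the engine strips it; every other `get_password` template in this commit begins directly with `{{`. Use `{%- set server_name = _.server_domainname -%}`, or pass `server_name=_.server_domainname` inline as `seed/ldap-client` does with `__.server.address`. A leading space in a credential only shows up later as an authentication failure on the MariaDB side, so it is worth pinning down now.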
diff --git a/seed/mariadb/dictionaries/20_mariadb.yml b/seed/mariadb/dictionaries/20_mariadb.yml new file mode 100644 index 00000000..c95ab260 --- /dev/null +++ b/seed/mariadb/dictionaries/20_mariadb.yml @@ -0,0 +1,18 @@ +--- +version: 1.1 + +mariadb: + description: MariaDB + help: Paramétrage du serveur de gestion de bases de données MariaDB + + mariadb_root_password: + type: secret + hidden: true + default: + jinja: >- + {{ "root_password" | + get_password(server_name=general.network.interface_0.domain_name, + description="mariadb", + type="cleartext", + hide=general.hide_secret, length=50) + }} diff --git a/seed/mariadb/extras/accounts/00_accounts.xml b/seed/mariadb/extras/accounts/00_accounts.xml deleted file mode 100644 index 5a688d63..00000000 --- a/seed/mariadb/extras/accounts/00_accounts.xml +++ /dev/null @@ -1,12 +0,0 @@ - - - - - - diff --git a/seed/mariadb/extras/accounts/00_accounts.yml b/seed/mariadb/extras/accounts/00_accounts.yml new file mode 100644 index 00000000..98399211 --- /dev/null +++ b/seed/mariadb/extras/accounts/00_accounts.yml @@ -0,0 +1,29 @@ +--- +version: 1.1 + +remotes: + description: Create account and connexion to a MariaDB server. + type: domainname + multi: true + mandatory: false + hidden: true + provider: MariaDB + +"remote_{{ suffix }}": + description: 'Account for {{ suffix }}' + dynamic: + variable: accounts.remotes + hidden: true + + database: + description: 'MariaDB database name for {{ suffix }}' + provider: MariaDB:database + + username: + description: 'MariaDB user name for {{ suffix }}' + provider: MariaDB:username + + password: + description: 'MariaDB password for {{ suffix }}' + type: secret + provider: MariaDB:password diff --git a/seed/nextcloud/applicationservice.yml b/seed/nextcloud/applicationservice.yml index 1a82fdcf..4571bdad 100644 --- a/seed/nextcloud/applicationservice.yml +++ b/seed/nextcloud/applicationservice.yml 
@@ -1,3 +1,4 @@ +--- format: '0.1' description: Nextcloud, Online collaboration platform website: https://nextcloud.com/ diff --git a/seed/nextcloud/dictionaries/31_nextcloud.xml b/seed/nextcloud/dictionaries/31_nextcloud.xml deleted file mode 100644 index fb5ed8a4..00000000 --- a/seed/nextcloud/dictionaries/31_nextcloud.xml +++ /dev/null @@ -1,67 +0,0 @@ - - - - - - - /etc/nextcloud/config.php - /sbin/nextcloud.init - /etc/httpd/conf.d/a-nextcloud-access.conf - /etc/httpd/conf.d/z-nextcloud-access.conf - /etc/php.d/20-pgsql.ini - /tmpfiles.d/0nextcloud.conf - - - - - - - - True - - - Collaboration - - - Plateforme de collaboration Nextcloud - - - Diffusion - - - silique_folder.png - - - - - False - - - False - - - - - - domain_name_eth0 - admin_password - nextcloud - cleartext - hide_secret - nextcloud_admin_password - - - - domain_name_eth0 - instance_id - nextcloud - 10 - True - hide_secret - nextcloud_instance_id - - - diff --git a/seed/nextcloud/dictionaries/31_nextcloud.yml b/seed/nextcloud/dictionaries/31_nextcloud.yml new file mode 100644 index 00000000..b3f55d9b --- /dev/null +++ b/seed/nextcloud/dictionaries/31_nextcloud.yml 
@@ -0,0 +1,71 @@ +--- +version: 1.1 + +nextcloud: # Nextcloud + + admin_password: + type: secret + auto_save: false + hidden: true + default: + jinja: >- + {{ "admin_password" | + get_password(server_name=general.network.interface_0.domain_name, + description="nextcloud", + type="cleartext", + hide=general.hide_secret) + }} + + mail_admin: + type: mail + description: The administrator email + examples: + - admin@example.net + + instance_id: + type: secret + auto_save: false + hidden: true + default: + jinja: >- + {{ general.network.interface_0.domain_name| + get_password_alpha_num(username="instance_id", + description="nextcloud", + length=10, + starts_with_char=true, + hide=general.hide_secret) + }} + +oauth2: + + client: + + is_client_application: + redefine: true + default: true + + name: + redefine: true + default: Collaboration + + description: + redefine: true + default: Plateforme de collaboration Nextcloud + + category: + redefine: true + default: Diffusion + + logo: + redefine: true + default: silique_folder.png + +php: + + enable_output_buffering: + redefine: true + default: 'False' + + disable_pcntl: + redefine: true + default: 'False' diff --git a/seed/nginx-common/applicationservice.yml b/seed/nginx-common/applicationservice.yml index 09835368..98537466 100644 --- a/seed/nginx-common/applicationservice.yml +++ b/seed/nginx-common/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: Nginx common configuration website: https://nginx.org/ diff --git a/seed/nginx-common/dictionaries/21_nginx.xml b/seed/nginx-common/dictionaries/21_nginx.xml deleted file mode 100644 index 15fdfd50..00000000 --- a/seed/nginx-common/dictionaries/21_nginx.xml +++ /dev/null 
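Review bot: `php.enable_output_buffering` and `php.disable_pcntl` redefine their defaults as the quoted string `'False'`, while `oauth2.client.is_client_application` two families above uses the boolean `true`. The same quoted form appears in `seed/nginx-reverse-proxy/extras/machine/20_reverse_proxy.yml` (`var_size: '256'`, `add_tmp: 'False'`, `memory: '512'`), whereas the identical redefines in `seed/nsd/extras/machine/20_nsd.yml` use `256`, `false` and `512`; unless the base variables are declared as strings, one of the two encodings does not match the redefined variable's type and will either fail validation or be consumed as a non-empty (truthy) string. Pick one form, presumably `default: false`, and use it in all three files.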
@@ -1,75 +0,0 @@ - - - - - /etc/nginx/nginx.conf - /etc/nginx/sites-available/default - /etc/nginx/default.d/default.conf - /etc/nginx/conf.d/options.conf - /sysusers.d/nginx.conf - /tmpfiles.d/nginx.conf - /tests/nginx-common.yml - - - - - - - - - - - Fedora - nginx_fedora - nginx_default - - - Debian - nginx_debian - - - - nginx_default - - - nginx - www-data - os_name - Fedora - nginx_owner - - - nginx - adm - os_name - Fedora - nginx_group - - - nginx.conf - os_name - . - nginx_source_conf - - - diff --git a/seed/nginx-common/dictionaries/21_nginx.yml b/seed/nginx-common/dictionaries/21_nginx.yml new file mode 100644 index 00000000..05627434 --- /dev/null +++ b/seed/nginx-common/dictionaries/21_nginx.yml @@ -0,0 +1,72 @@ +--- +version: 1.1 + +nginx: + + default_http: + hidden: true + default: false + + default_https: + description: Support the default.d directory for HTTPS connexion + hidden: true + default: false + + default: + type: domainname + mandatory: false + hidden: true + disabled: + variable: general.os_name + when_not: Fedora + + root: + type: unix_filename + mandatory: false + hidden: true + default: /usr/share/nginx/html + + hash_bucket_size: + description: The bucket size for the server names hash tables + mode: advanced + default: '128' + choices: + - '128' + - '64' + - '32' + + post_max_size: + description: The maximum allowed size of the client request body + help: This value is in Mb + mode: advanced + default: 32 + + owner: + type: unix_user + description: Nginx process owner + hidden: true + default: + jinja: >- + {%- if general.os_name == "Fedora" -%} + nginx + {%- else -%} + www-data + {%- endif -%} + + group: + type: unix_user + description: Nginx process group + hidden: true + default: + jinja: >- + {%- if general.os_name == "Fedora" -%} + nginx + {%- else -%} + adm + {%- endif -%} + + source_conf: + hidden: true + default: + jinja: >- + nginx.conf.{{ general.os_name }} 
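Review bot: `post_max_size` documents its unit as `Mb`, which reads as megabits; if the value feeds an nginx body-size directive it is megabytes, so `help: This value is in megabytes (MB)` would remove the ambiguity. The variable also carries no `type`, while its sibling `hash_bucket_size` is a string choice list (`'128'`, `'64'`, `'32'`); if the format infers the type from the bare `32` default that is fine, otherwise an explicit type and a lower bound would stop a non-numeric value from reaching the template.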
diff --git a/seed/nginx-https/applicationservice.yml b/seed/nginx-https/applicationservice.yml index 2f09cf44..789917f7 100644 --- a/seed/nginx-https/applicationservice.yml +++ b/seed/nginx-https/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: Nginx as HTTPS web site website: https://nginx.org/ diff --git a/seed/nginx-https/dictionaries/25_nginx.xml b/seed/nginx-https/dictionaries/25_nginx.xml deleted file mode 100644 index 1f24bfaf..00000000 --- a/seed/nginx-https/dictionaries/25_nginx.xml +++ /dev/null @@ -1,26 +0,0 @@ - - - - - - - - nginx - - - - - nginx - - - - - nginx - - - - diff --git a/seed/nginx-https/dictionaries/25_nginx.yml b/seed/nginx-https/dictionaries/25_nginx.yml new file mode 100644 index 00000000..58506f06 --- /dev/null +++ b/seed/nginx-https/dictionaries/25_nginx.yml @@ -0,0 +1,33 @@ +--- +version: 1.1 + +nginx: + + default_http: + redefine: true + hidden: true + default: false + + default_https: + redefine: true + hidden: true + default: true + + php_fpm_user: + redefine: true + exists: true + default: nginx + +redis: + + client_key_owner: + redefine: true + exists: true + default: nginx + +postgresql: + + client_key_owner: + redefine: true + exists: true + default: nginx diff --git a/seed/nginx-reverse-proxy/applicationservice.yml b/seed/nginx-reverse-proxy/applicationservice.yml index b55a580c..135df13d 100644 --- a/seed/nginx-reverse-proxy/applicationservice.yml +++ b/seed/nginx-reverse-proxy/applicationservice.yml @@ -1,6 +1,7 @@ +--- format: '0.1' description: Nginx as reverse proxy -help: | +help: |- The reverse proxy provides access to internal services. These internal services are integrated automatically. website: https://nginx.org/ diff --git a/seed/nginx-reverse-proxy/dictionaries/25_nginx.xml b/seed/nginx-reverse-proxy/dictionaries/25_nginx.xml deleted file mode 100644 index 9c72f362..00000000 --- a/seed/nginx-reverse-proxy/dictionaries/25_nginx.xml +++ /dev/null 
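Review bot: `postgresql.client_key_owner` and `redis.client_key_owner` are redefined with `exists: true`, but `seed/odoo/dictionaries/40_odoo.yml` in this same patch addresses the PostgreSQL variable as `postgresql.client.key_owner` (a `client` sub-family); which path is correct cannot be told from this diff, and whichever one is wrong is silently skipped because `exists: true` suppresses the unknown-variable error. The practical effect would be that the TLS client key keeps its base ownership instead of being readable by the `nginx` user. Check both paths against the postgresql-client and redis-client dictionaries, and drop `exists: true` where the variable is known to be present so that a typo fails loudly.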
@@ -1,37 +0,0 @@ - - - - - - - nginx.revprox_domainnames - revprox - /etc/nginx/conf.d/options-rp.conf - /etc/nginx/conf.d/risotto.conf - /tests/reverse-proxy.yml - /var/www/html/error.html - - - - - - 80 - 443 - - - - - - diff --git a/seed/nginx-reverse-proxy/dictionaries/25_nginx.yml b/seed/nginx-reverse-proxy/dictionaries/25_nginx.yml new file mode 100644 index 00000000..79b04d79 --- /dev/null +++ b/seed/nginx-reverse-proxy/dictionaries/25_nginx.yml @@ -0,0 +1,41 @@ +--- +version: 1.1 + +network: + incoming_ports: + redefine: true + default: + - 80 + - 443 + +nginx: + + default: + redefine: true + hidden: false + description: Default reverse proxy domaine name + help: >- + If a client access to reverse proxy with an unknown domain name, the + connexion is redirect to this domain name. By default this variable is + the first associated service to this reverse proxy + mode: basic + + default_http: + redefine: true + default: false + + default_https: + redefine: true + default: false + + certificates_provider: + description: Type of certificate autority signing external certificates + mode: basic + help: >- + The certificate can be self-signed (therefore invalid by default for the + client) or obtained via the Let's Encrypt service (generally valid for + the client) + default: self-signed + choices: + - self-signed + - letsencrypt diff --git a/seed/nginx-reverse-proxy/extras/machine/20_reverse_proxy.xml b/seed/nginx-reverse-proxy/extras/machine/20_reverse_proxy.xml deleted file mode 100644 index ac4f5b31..00000000 --- a/seed/nginx-reverse-proxy/extras/machine/20_reverse_proxy.xml +++ /dev/null @@ -1,20 +0,0 @@ - - - - - 256 - - - False - - - False - - - False - - - 512 - - - diff --git a/seed/nginx-reverse-proxy/extras/machine/20_reverse_proxy.yml b/seed/nginx-reverse-proxy/extras/machine/20_reverse_proxy.yml new file mode 100644 index 00000000..2a5318b8 --- /dev/null +++ b/seed/nginx-reverse-proxy/extras/machine/20_reverse_proxy.yml 
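Review bot: The user-facing texts on `nginx.default` and `nginx.certificates_provider` have wording errors that will surface in the configuration UI: `description: Default reverse proxy domaine name` and `help: If a client access to reverse proxy with an unknown domain name, the connexion is redirect to this domain name.` Suggested: `description: Default reverse proxy domain name` and `help: If a client reaches the reverse proxy with an unknown domain name, the connection is redirected to this domain name. By default this is the first service associated with this reverse proxy`. For `certificates_provider`, `Type of certificate autority signing external certificates` should read `certificate authority`.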
@@ -0,0 +1,23 @@ +--- +version: 1.1 + +var_size: + redefine: true + default: '256' + +add_tmp: + redefine: true + default: 'False' + +add_srv: + redefine: true + default: 'False' + +add_swap: + redefine: true + default: 'False' + +memory: + redefine: true + exists: true + default: '512' diff --git a/seed/nginx-reverse-proxy/extras/nginx/00_nginx.xml b/seed/nginx-reverse-proxy/extras/nginx/00_nginx.xml deleted file mode 100644 index 26151f99..00000000 --- a/seed/nginx-reverse-proxy/extras/nginx/00_nginx.xml +++ /dev/null @@ -1,27 +0,0 @@ - - - - - - - nginx.reverse_proxy_for_.reverse_proxy_.revprox_domainnames_ - nginx.revprox_domainnames - - - nginx.reverse_proxy_for_.reverse_proxy_.revprox_domainnames_ - nginx_default - - - diff --git a/seed/nginx-reverse-proxy/extras/nginx/00_nginx.yml b/seed/nginx-reverse-proxy/extras/nginx/00_nginx.yml new file mode 100644 index 00000000..589a6bb8 --- /dev/null +++ b/seed/nginx-reverse-proxy/extras/nginx/00_nginx.yml 
@@ -0,0 +1,78 @@ +--- +version: 1.1 + +remotes: + description: Register to service to a reverse proxy server + type: domainname + multi: true + hidden: true + mandatory: false + provider: ReverseProxy + +"reverse_proxy_for_{{ suffix }}": + description: 'Serveur mandataire inverse pour {{ suffix }}' + dynamic: + variable: nginx.remotes + + reverse_proxy: + description: 'Reverse proxy {{ suffix }}' + help: Paramètrage du proxy inverse + type: leadership + + domainnames: + description: 'External domain name for {{ suffix }}' + type: domainname + hidden: true + mandatory: false + provider: ReverseProxy:external + + location: + description: 'URI to redirect for {{ suffix }}' + help: Relative redirected URI (without domaine name) + examples: + - /mail + type: unix_filename + multi: true + unique: false + provider: ReverseProxy:location + + url: + description: 'Internal URL for {{ suffix }}' + type: web_address + unique: false + provider: ReverseProxy:url + + is_websocket: + description: 'The entry point is a websocket for {{ suffix }}' + type: boolean + multi: true + unique: false + provider: ReverseProxy:websocket + + max_body_size: + description: 'Body size max for {{ suffix }}' + unique: false + mandatory: false + provider: ReverseProxy:max_body_size + + http: + type: boolean + description: 'The website is in HTTP for {{ suffix }}' + unique: false + provider: ReverseProxy:http + +revprox_domainnames: + description: >- + Nom des domaines auto-configurés dans le serveur mandataire inverse + type: domainname + multi: true + default: + jinja: |- + {%- for domain in domainnames | nginx_list %} + {{ domain }} + {%- endfor -%} + params: + domainnames: + variable: "nginx.reverse_proxy_for_{{ suffix }}.\ + reverse_proxy.domainnames" + hidden: true diff --git a/seed/nginx-static/applicationservice.yml b/seed/nginx-static/applicationservice.yml index 7d302da8..b91f82fe 100644 --- a/seed/nginx-static/applicationservice.yml +++ b/seed/nginx-static/applicationservice.yml 
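Review bot: `max_body_size` has no `type` and its description gives no unit, so a provider of `ReverseProxy:max_body_size` cannot tell whether `10`, `10m` or a byte count is expected; state the unit the template consumes, e.g. `help: Maximum request body size for this location, in the form expected by the nginx template (e.g. 10m)` — please confirm the form against the template. Two text fixes in the same hunk: `help: Paramètrage du proxy inverse` should be `Paramétrage`, and `help: Relative redirected URI (without domaine name)` should be `domain name`. `location` is typed `unix_filename` although it holds a URI path; if that is only to enforce a leading `/`, a short comment saying so would avoid the question being raised again.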
@@ -1,3 +1,4 @@ +--- format: '0.1' description: Nginx as static web site website: https://nginx.org/ diff --git a/seed/nginx-static/dictionaries/22_nginx_static.xml b/seed/nginx-static/dictionaries/22_nginx_static.xml deleted file mode 100644 index 5ed613df..00000000 --- a/seed/nginx-static/dictionaries/22_nginx_static.xml +++ /dev/null @@ -1,25 +0,0 @@ - - - - - /tmpfiles.d/0static.conf - nginx_index_file - - - - - - - - - - nginx_root - index.html - / - nginx_index_file - - - diff --git a/seed/nginx-static/dictionaries/22_nginx_static.yml b/seed/nginx-static/dictionaries/22_nginx_static.yml new file mode 100644 index 00000000..ca564e74 --- /dev/null +++ b/seed/nginx-static/dictionaries/22_nginx_static.yml @@ -0,0 +1,17 @@ +--- +version: 1.1 + +nginx: + + root: + description: Adresse racine du site web + redefine: true + hidden: false + default: /srv/static + + index_file: + type: unix_filename + hidden: true + default: + jinja: >- + {{ _.root }}/index.html diff --git a/seed/nsd-local/applicationservice.yml b/seed/nsd-local/applicationservice.yml index 78d8efd5..661be70c 100644 --- a/seed/nsd-local/applicationservice.yml +++ b/seed/nsd-local/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: NSD, an authoritative DNS name server for local resolution website: https://www.nlnetlabs.nl/projects/nsd/about/ diff --git a/seed/nsd-local/dictionaries/21_nsd-local.xml b/seed/nsd-local/dictionaries/21_nsd-local.xml deleted file mode 100644 index 071af5e2..00000000 --- a/seed/nsd-local/dictionaries/21_nsd-local.xml +++ /dev/null @@ -1,48 +0,0 @@ - - - - - - - - - - - - - zones - nsd_allowed_clients - nsd_allowed_client_ip - - - zones - nsd_resolver - nsd_resolve_ip - - - zones - nsd_zones - - - zones - network - True - nsd_reverse_network - - - domain_name_eth0 - nsd_zones_all - nsd_dnssec_ds_ - - - diff --git a/seed/nsd-local/dictionaries/21_nsd-local.yml b/seed/nsd-local/dictionaries/21_nsd-local.yml new file mode 100644 index 00000000..a1ee67a5 
--- /dev/null +++ b/seed/nsd-local/dictionaries/21_nsd-local.yml @@ -0,0 +1,89 @@ +--- +version: 1.1 + +dns_server: + + nsd_allowed_client_cidr: + redefine: true + hidden: true + + nsd_allowed_clients: + type: domainname + description: DNS forwarder for local domain name + multi: true + hidden: true + provider: LocalDNS + mandatory: false + + "nsd_client_{{ suffix }}": + dynamic: + variable: _.nsd_allowed_clients + + nsd_dnssec_ds: + supplier: LocalDNS:DNSSEC_DS + hidden: true + multi: true + default: + jinja: |- + {%- for variable in general.network.interface_0.domain_name | + get_dnssec_ds(general.nsd_zones_all) %} + {{ variable }} + {%- endfor -%} + + nsd_allowed_client_ip: + type: ip + description: Clients + multi: true + hidden: true + default: + jinja: |- + {%- for client in zones | get_ip(_.nsd_allowed_clients) %} + {{ client }} + {%- endfor -%} + params: + zones: + information: zones + + nsd_resolver: + redefine: true + supplier: ExternalDNS + hidden: true + + nsd_resolve_ip: + type: ip + hidden: true + default: + jinja: >- + {{ zones | get_ip(general.dns_server.nsd_resolver) }} + params: + zones: + information: zones + +dns_zone: + + nsd_zones: + redefine: true + hidden: true + multi: true + default: + jinja: |- + {%- for zone in zones | get_internal_zones %} + {{ zone }} + {%- endfor -%} + params: + zones: + information: zones + +dns_reverses: + + nsd_reverse_network: + redefine: true + hidden: true + default: + jinja: |- + {%- for zone in zones | get_zones_info("network", uniq=true) %} + {{ zone }} + {%- endfor -%} + params: + zones: + information: zones diff --git a/seed/nsd-local/extras/nsd/01_nsd-local.xml b/seed/nsd-local/extras/nsd/01_nsd-local.xml deleted file mode 100644 index c38a13cf..00000000 --- a/seed/nsd-local/extras/nsd/01_nsd-local.xml +++ /dev/null @@ -1,25 +0,0 @@ - - - - - - - domain_name_eth - nsd.nsd_zone_.ns_ - - - zones - - host - nsd.nsd_zone_.hostname_.hostname_ - - - zones - - ip - - nsd.nsd_zone_.hostname_.ip_ - - - 
diff --git a/seed/nsd-local/extras/nsd/01_nsd-local.yml b/seed/nsd-local/extras/nsd/01_nsd-local.yml new file mode 100644 index 00000000..db42a830 --- /dev/null +++ b/seed/nsd-local/extras/nsd/01_nsd-local.yml @@ -0,0 +1,34 @@ +--- +version: 1.1 + +"nsd_zone_{{ suffix }}": + hidden: true + redefine: true + + hosts: + + hostname: + redefine: true + default: + jinja: |- + {%- for zone in zones | get_internal_info_in_zone(suffix, "host") %} + {{ zone }} + {%- endfor %} + params: + zones: + information: zones + suffix: + type: suffix + + ip: + redefine: true + default: + jinja: >- + {{ zones | get_internal_info_in_zone(suffix, "ip", index) }} + params: + zones: + information: zones + suffix: + type: suffix + index: + type: index diff --git a/seed/nsd/applicationservice.yml b/seed/nsd/applicationservice.yml index 1ff6b639..090d0342 100644 --- a/seed/nsd/applicationservice.yml +++ b/seed/nsd/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: NSD, an authoritative DNS name server website: https://www.nlnetlabs.nl/projects/nsd/about/ diff --git a/seed/nsd/dictionaries/20_nsd.xml b/seed/nsd/dictionaries/20_nsd.xml deleted file mode 100644 index 9c956c8f..00000000 --- a/seed/nsd/dictionaries/20_nsd.xml +++ /dev/null 
@@ -1,104 +0,0 @@ - - - - - - nsd_allowed_all_client - /etc/nsd/conf.d/risotto.conf - nsd_zone_filenames - nsd_zone_filenames_signed - nsd_reverse_filenames - nsd_reverse_filenames_signed - /sysusers.d/0nsd.conf - /tmpfiles.d/0nsd.conf - /tests/nsd.yml - - - - - - - - - - - - - - - - - - - - - ip_eth0 - ip_dns - - - nsd_zones - nsd_reverse_name - nsd_zones_all - - - ip_eth - nsd_allowed_client_cidr - nsd_allowed_client_ip - nsd_resolve_ip - True - nsd_allowed_all_client - - - nsd_reverse_network - nsd_reverse_name - - - nsd_reverse_network - nsd_reverse_networks - - - nsd_reverse_name - nsd_reverse_names - - - /etc/nsd/ - nsd_zones - .zone - - True - nsd_zone_filenames - - - nsd_zone_filenames - .signed - - True - nsd_zone_filenames_signed - - - /etc/nsd/ - nsd_reverse_name - reverse - True - - True - nsd_reverse_filenames - - - nsd_reverse_filenames - .signed - - True - nsd_reverse_filenames_signed - - - diff --git a/seed/nsd/dictionaries/20_nsd.yml b/seed/nsd/dictionaries/20_nsd.yml new file mode 100644 index 00000000..2d08c3ec --- /dev/null +++ b/seed/nsd/dictionaries/20_nsd.yml 
@@ -0,0 +1,165 @@ +--- +version: 1.1 + +network: + + dns_client_address: + redefine: true + disabled: true + + ip_dns: + redefine: true + default: + variable: _.interface_0.ip + +dns_server: # Serveur DNS + + nsd_allowed_client_cidr: + type: network_cidr + description: Clients autorisés à interroger le serveur DNS + multi: true + mode: basic + mandatory: false + + nsd_resolver: + type: domainname + description: Nom de domaine du résolveur DNS associé + mode: basic + mandatory: false + + nsd_allowed_all_client: + type: network_cidr + description: All autorised IP + multi: true + hidden: true + default: + jinja: |- + {%- if _.nsd_allowed_client_ip is defined -%} + {%- set nsd_allowed_client_ip = _.nsd_allowed_client_ip -%} + {%- set nsd_resolve_ip = _.nsd_resolve_ip -%} + {%- else -%} + {%- set nsd_allowed_client_ip = none -%} + {%- set nsd_resolve_ip = none -%} + {%- endif -%} + {%- for network in ip_eth | nsd_concat_lists(_.nsd_allowed_client_cidr, + nsd_allowed_client_ip, + ip=nsd_resolve_ip, + cidr=true) + %} + {{ network }} + {%- endfor -%} + params: + ip_eth: + variable: general.network.interface_{{ suffix }}.ip + +dns_zone: # Zone DNS + + nsd_zones: + type: domainname + description: Zones DNS + multi: true + examples: + - subdomain.example.net + mode: basic + +dns_reverses: + description: Zone DNS reverse + type: leadership + + nsd_reverse_network: + description: Réseau pour la résolution reverse + type: network_cidr + mode: basic + mandatory: false + + nsd_reverse_name: + description: Nom de la zone + hidden: true + default: + jinja: >- + {{ _.nsd_reverse_network | get_reverse_name }} + +nsd_reverse_networks: + description: Réseaux pour la résolution inverse + hidden: true + multi: true + mandatory: false + default: + jinja: |- + {%- for n in _.dns_reverses.nsd_reverse_network|calc_reverse_networks %} + {{ n }} + {%- endfor -%} + +nsd_reverse_names: + description: Nom des zones + hidden: true + multi: true + mandatory: false + default: + jinja: |- + {%- for 
zone in _.dns_reverses.nsd_reverse_name | calc_reverse_names %} + {{ zone }} + {%- endfor -%} + +nsd_zones_all: + type: domainname + multi: true + supplier: ExternalDNS:authority_zones + hidden: true + default: + jinja: |- + {%- for zone in _.dns_zone.nsd_zones | + nsd_concat_lists(_.dns_reverses.nsd_reverse_name) %} + {{ zone }} + {%- endfor -%} + +nsd_zone_filenames: + type: unix_filename + description: Nom des fichiers de zone + multi: true + hidden: true + default: + jinja: |- + {%- for zone in _.dns_zone.nsd_zones %} + /etc/nsd/{{ zone }}.zone + {%- endfor -%} + +nsd_zone_filenames_signed: + type: unix_filename + description: Nom des fichiers de zone signé + multi: true + hidden: true + default: + jinja: |- + {%- for filename in _.nsd_zone_filenames %} + {{ filename }}.signed + {%- endfor -%} + +nsd_reverse_filenames: + type: unix_filename + description: Nom des fichiers de zone reverse + multi: true + hidden: true + mandatory: false + default: + jinja: |- + {% set filenames = [] %} + {%- for name in _.dns_reverses.nsd_reverse_name %} + {% set filename = "/etc/nsd/" + name + "reverse" %} + {%- if filename not in filenames -%} + {% set tmp = filenames.append(filename) %} + {{ filename }} + {%- endif -%} + {%- endfor -%} + +nsd_reverse_filenames_signed: + type: unix_filename + description: Nom des fichiers de zone reverse signé + multi: true + hidden: true + mandatory: false + default: + jinja: |- + {%- for filename in _.nsd_reverse_filenames %} + {{ filename }}.signed + {%- endfor -%} diff --git a/seed/nsd/extras/machine/20_nsd.xml b/seed/nsd/extras/machine/20_nsd.xml deleted file mode 100644 index ac4f5b31..00000000 --- a/seed/nsd/extras/machine/20_nsd.xml +++ /dev/null @@ -1,20 +0,0 @@ - - - - - 256 - - - False - - - False - - - False - - - 512 - - - diff --git a/seed/nsd/extras/machine/20_nsd.yml b/seed/nsd/extras/machine/20_nsd.yml new file mode 100644 index 00000000..b628a69e --- /dev/null +++ b/seed/nsd/extras/machine/20_nsd.yml 
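Review bot: `nsd_reverse_filenames` builds its path as `"/etc/nsd/" + name + "reverse"`, so unless `get_reverse_name` returns a value ending in a separator the result is `/etc/nsd/<name>reverse`, which differs from the `/etc/nsd/{{ zone }}.zone` form used for forward zones two variables above. If the reverse name does end with a trailing dot, a comment such as `{# reverse names end with "." so no separator is needed #}` inside the template would document it; otherwise `"/etc/nsd/" + name + ".reverse"` is the likely intent — verify against the templates that consume this list. Also `description: All autorised IP` on `nsd_allowed_all_client` should be `All authorised IPs`.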
@@ -0,0 +1,23 @@ +--- +version: 1.1 + +var_size: + redefine: true + default: 256 + +add_tmp: + redefine: true + default: false + +add_srv: + redefine: true + default: false + +add_swap: + redefine: true + default: false + +memory: + redefine: true + exists: true + default: 512 diff --git a/seed/nsd/extras/nsd/00_nsd.xml b/seed/nsd/extras/nsd/00_nsd.xml deleted file mode 100644 index 5b2e33ca..00000000 --- a/seed/nsd/extras/nsd/00_nsd.xml +++ /dev/null @@ -1,33 +0,0 @@ - - - - - - - - A - CNAME - A - - - - - - - - - - A - nsd.nsd_zone_.hostname_.cname_ - - - CNAME - nsd.nsd_zone_.hostname_.ip_ - - - - nsd_zones_all - nsd.nsd_zone_.hostname_.hostname_ - - - diff --git a/seed/nsd/extras/nsd/00_nsd.yml b/seed/nsd/extras/nsd/00_nsd.yml new file mode 100644 index 00000000..83acdd8c --- /dev/null +++ b/seed/nsd/extras/nsd/00_nsd.yml @@ -0,0 +1,50 @@ +--- +version: 1.1 + +"nsd_zone_{{ suffix }}": + description: 'Zone {{ suffix }}' + dynamic: + variable: general.dns_zone.nsd_zones + + "hosts": + description: "Hôtes pour {{ suffix }}" + _type: leadership + + hostname: + description: "Nom d'hôte pour {{ suffix }}" + validators: + - jinja: >- + {{ _.hostname | + valid_dns_hostname(suffix, general.nsd_zones_all) }} + params: + suffix: + type: suffix + + type: + description: 'Type pour {{ suffix }}' + mode: basic + default: A + choices: + - A + - CNAME + + ip: + description: 'Adresse IP a renvoyer pour {{ suffix }}' + type: ip + disabled: + variable: _.type + when: CNAME + + cname: + description: 'Nom de domaine a renvoyer pour {{ suffix }}' + type: domainname + disabled: + variable: _.type + when: A + + ns: + description: 'Nom des serveurs de nom de la zone {{ suffix }}' + type: domainname + multi: true + default: + variable: general.network.interface_{{ suffix }}.domain_name diff --git a/seed/nsd/funcs/funcs.py b/seed/nsd/funcs/funcs.py index dcae4f81..f6cf5414 100644 --- a/seed/nsd/funcs/funcs.py +++ b/seed/nsd/funcs/funcs.py 
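Review bot: In `seed/nsd/extras/nsd/00_nsd.yml` the `"hosts"` family declares `_type: leadership` with a leading underscore, while every other leadership in this patch (`reverse_proxy`, `dns_reverses`) uses `type: leadership`. Depending on how the loader treats unknown keys this either raises at load time or silently turns `hosts` into a plain family, in which case `hostname`, `type`, `ip` and `cname` are no longer index-aligned and the `disabled: variable: _.type` rules on `ip` and `cname` no longer apply per host. Change it to `type: leadership`.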
@@ -37,6 +37,8 @@ def nsd_concat_lists(*args, ) -> _List[str]: ret = set() for lst in args: + if lst is None: + continue if cidr: for l in lst: if '/' not in l: @@ -185,9 +187,9 @@ def valid_dns_hostname(hostname, DomainnameOption('a', '', hostname, type='hostname', allow_ip=False) except ValueError as err: err.prefix = '' - raise err from err + return err if hostname + '.' + domainname in zone_names: - raise ValueError(f'"{hostname}.{domainname}" is also a zone name') + return f'"{hostname}.{domainname}" is also a zone name' @_multi_function diff --git a/seed/oauth2-client/applicationservice.yml b/seed/oauth2-client/applicationservice.yml index ea3b43d0..005870b6 100644 --- a/seed/oauth2-client/applicationservice.yml +++ b/seed/oauth2-client/applicationservice.yml @@ -1,2 +1,3 @@ +--- format: '0.1' description: Application service needs interact with a Oauth2 server diff --git a/seed/oauth2-client/dictionaries/30_oauth2_client.xml b/seed/oauth2-client/dictionaries/30_oauth2_client.xml deleted file mode 100644 index e829a151..00000000 --- a/seed/oauth2-client/dictionaries/30_oauth2_client.xml +++ /dev/null @@ -1,63 +0,0 @@ - - - - - - - - - - - - domain_name_eth0 - oauth2_client_id - - - domain_name_eth0 - oauth2_client_id - remote - cleartext - hide_secret - oauth2_client_secret - - - revprox_client_external_domainnames - revprox_client_location - oauth2_client_external - - - False - oauth2_client_name - oauth2_client_description - oauth2_client_external - oauth2_client_family - - - diff --git a/seed/oauth2-client/dictionaries/30_oauth2_client.yml b/seed/oauth2-client/dictionaries/30_oauth2_client.yml new file mode 100644 index 00000000..2247610d --- /dev/null +++ b/seed/oauth2-client/dictionaries/30_oauth2_client.yml 
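Review bot: In the second hunk `valid_dns_hostname` now returns the caught exception object from the `except` branch but a `str` from the zone-name branch, and on success it falls off the end and returns `None`; the start of the function is outside the hunk. The jinja validator in `seed/nsd/extras/nsd/00_nsd.yml` renders the filter result as the validation message, and Jinja2 renders `None` as the literal text `None` unless the environment is configured otherwise, so the success path may be reported as an error. Use `return str(err)` for the first branch so both messages are strings, and end the function with an explicit `return None` plus a docstring line stating that `None` means the hostname is valid, so the contract is visible at the call site.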
@@ -0,0 +1,108 @@ +--- +version: 1.1 + +oauth2: # OAuth2 + + client: # OAuth2 client + + server_domainname: + type: domainname + supplier: OAuth2 + hidden: true + + is_client_application: + hidden: true + default: false + + name: + description: OAuth2 client name + supplier: OAuth2:name + examples: + - example + disabled: &id001 + variable: _.is_client_application + when: false + + description: + description: OAuth2 client description + supplier: OAuth2:description + examples: + - Example description + disabled: *id001 + + login: + type: web_address + description: OAuth2 URL to valid login + supplier: OAuth2:login + mandatory: false + + external: + + external: + type: web_address + description: OAuth2 client external + multi: true + supplier: OAuth2:external + disabled: &id002 + variable: __.is_client_application + when: false + default: + jinja: |- + {%- for domain in general.revprox.client.external_domainnames + | calc_oauth2_client_external(general.revprox.client.location) + %} + {{ domain }} + {%- endfor -%} + + family: + description: OAuth2 family + supplier: OAuth2:family + default: users + disabled: *id002 + + category: + description: OAuth2 category + supplier: OAuth2:category + default: Défaut + + logo: + description: OAuth2 logo + supplier: OAuth2:logo + default: demo.png + + id: + description: OAuth2 ID + hidden: true + supplier: OAuth2:client_id + default: + jinja: >- + {{ general.network.interface_0.domain_name | normalize_family }} + + secret: + type: secret + description: OAuth2 secret + hidden: true + supplier: OAuth2:secret + default: + jinja: >- + {{ _.id | + get_password(server_name=general.network.interface_0.domain_name, + description="remote", + type="cleartext", + hide=general.hide_secret) + }} + + token_signature_algo: + description: OAuth2 token signature algorithm + hidden: true + supplier: OAuth2:token_signature_algo + default: HS512 + choices: + - HS512 + - RS256 + + domainname: + description: OAuth2 server domain name + type: domainname 
+ provider: OAuth2:external_domain + hidden: true diff --git a/seed/odoo/applicationservice.yml b/seed/odoo/applicationservice.yml index b95f5450..d422eba7 100644 --- a/seed/odoo/applicationservice.yml +++ b/seed/odoo/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: Odoo, an ERP and CRM website: https://www.odoo.com/fr diff --git a/seed/odoo/dictionaries/40_odoo.xml b/seed/odoo/dictionaries/40_odoo.xml deleted file mode 100644 index 8f483702..00000000 --- a/seed/odoo/dictionaries/40_odoo.xml +++ /dev/null @@ -1,98 +0,0 @@ - - - - - - /sysusers.d/1odoo.conf - /tmpfiles.d/0odoo.conf - /sbin/config_odoo.py - /etc/odoo/odoo.conf - /etc/odoo/postgresql.pass - /etc/hosts - /etc/nginx/sites-enabled/odoo.conf - - - - - - - - odoo - - - - - True - - - ERP - - - ERP Odoo - - - Entreprise - - - silique_note.png - - - - - - - - - - odoo - - - - - - False - - - - - - domain_name_eth0 - admin - admin - cleartext - hide_secret - True - odoo_admin_password - - - diff --git a/seed/odoo/dictionaries/40_odoo.yml b/seed/odoo/dictionaries/40_odoo.yml new file mode 100644 index 00000000..0fc46165 --- /dev/null +++ b/seed/odoo/dictionaries/40_odoo.yml 
@@ -0,0 +1,160 @@ +--- +version: 1.1 + +odoo: # Odoo + + admin_password: + type: secret + description: Mot de passe de l'administrateur + hidden: true + default: + jinja: >- + {{ "admin" | + get_password(server_name=general.network.interface_0.domain_name, + description="admin", + type="cleartext", + hide=general.hide_secret, + temporary=true) + }} + + admin_email: + type: mail + description: Adresse courriel de l'administrateur + examples: + - johndoe@example.net + + company_name: + description: Nom + examples: + - ACME + + company_street: + description: Adresse + examples: + - John Doe Street + + company_city: + description: Ville + examples: + - Dijon + + company_zip: + description: Code postal + examples: + - '21000' + + company_vat: + description: Numéro TVA + examples: + - FR 99999999999 + + company_registry: + description: Registre de la société + examples: + - 999 999 999 00099 + + company_phone: + description: Numéro de téléphone + mode: basic + mandatory: false + + company_mobile: + description: Numéro de téléphone mobile + mode: basic + mandatory: false + + company_email: + description: Adresse courriel + examples: + - johndoe@example.net + + company_website: + description: Site internet + examples: + - https://example.net + + company_logo: + type: unix_filename + description: Chemin du logo + examples: + - /home/jdoe/logo.png + + company_footer: + description: Pied de page des documents + examples: + - foot + + company_layout: + description: Agencement des documents + mode: basic + default: standard + choices: + - standard + - bold + - boxed + - striped + + addons: + description: Liste des applications à activer + mode: advanced + default: + - base + - l10n_fr + - l10n_fr_fec + - account + - hr + - hr_contract + - sale_management + +postgresql: + + client: + + key_owner: + redefine: true + default: odoo + +oauth2: + + client: + + is_client_application: + redefine: true + default: true + + name: + redefine: true + default: ERP + + description: + 
redefine: true + default: ERP Odoo + + category: + redefine: true + default: Entreprise + + logo: + redefine: true + default: silique_note.png + + external: + + family: + redefine: true + default: + - users + +ldap: + + client: + + key_file_owner: + redefine: true + default: odoo + +nginx: + + default_https: + redefine: true + default: false diff --git a/seed/openldap/applicationservice.yml b/seed/openldap/applicationservice.yml index 5b16eb20..129d64eb 100644 --- a/seed/openldap/applicationservice.yml +++ b/seed/openldap/applicationservice.yml @@ -1,6 +1,7 @@ +--- format: '0.1' description: OpenLDAP, the LDAP server -help: | +help: |- This service provides a LDAP server. It is possible to request the creation of users. Those users can be mixed or diff --git a/seed/openldap/dictionaries/21_openldap-server.xml b/seed/openldap/dictionaries/21_openldap-server.xml deleted file mode 100644 index 0a37c37e..00000000 --- a/seed/openldap/dictionaries/21_openldap-server.xml +++ /dev/null @@ -1,128 +0,0 @@ - - - - - - openldap - /var/lib/ldap/DB_CONFIG - /etc/ldap/secrets/config.ldif - /etc/ldap/secrets/users.ldif - /secrets/users_mod.ldif - /secrets/config_acl.ldif - /secrets/admin_ldap.pwd - /sysusers.d/risotto-openldap.conf - /etc/openldap/ldap.conf - /tmpfiles.d/0openldap-server.conf - /tests/openldap.yml - - - - - - - - - - - ldap_base_dn - - - prefix_domain_name - ldap_base_dn - - - domain_name_eth0 - ldap_user - remote account - cleartext - hide_secret - True - ldap_user_password - - - ldap_base_dn - True - ldap_account_dn - - - cn=admin - ldap_base_dn - , - ldap_user - - - - ldap_base_dn - ldap_user_dn - - - ldap_base_dn - True - ldap_group_dn - - - diff --git a/seed/openldap/dictionaries/21_openldap-server.yml b/seed/openldap/dictionaries/21_openldap-server.yml new file mode 100644 index 00000000..d12c9b2f --- /dev/null +++ b/seed/openldap/dictionaries/21_openldap-server.yml 
@@ -0,0 +1,141 @@ +--- +version: 1.1 + +ldap: # LDAP + + prefix_domain_name: + hidden: true + provider: global:prefix_domain_name + + ldap_schemas: + description: Additional LDAP schemas + mode: advanced + type: unix_filename + default: + - /etc/openldap/schema/cosine.ldif + - /etc/openldap/schema/inetorgperson.ldif + - /etc/openldap/schema/nis.ldif + - /etc/openldap/schema/misc.ldif + + limits: + description: Limits + mode: advanced + + ldap_loglevel: 0 # Log level + + ldap_sizelimit: + description: Nombre maximum d'entrées à retourner lors d'une requête + default: 5000 + + ldap_timelimit: + description: Temps de réponse maximum à une requête (en secondes) + default: 3600 + + db_environment: + description: DB environment + mode: advanced + + db_cache_size_g: 0 # Quantité de Giga-octets à utiliser pour le cache HDB + + db_cache_size_o: 268435456 # Quantité d'octets à utiliser pour le cache HDB + + db_cache_chunks: 1 # Nombre de fichiers ou écrire le cache HDB + + db_log_region_max: + description: Quantité de fichier de cache mis en cache mémoire + default: 262144 + + db_log_max: + description: >- + Quantité d'informations de journalisation conservé jusqu'à rotation + default: 10485760 + + db_log_bsize: + description: >- + Quantité d'informations de journalisation du cache reporté sur + le disque + default: 2097152 + + db_log_directory: + description: Répertoire de conservation des informations de journalisation + type: unix_filename + default: /srv/openldap/log + + db_lk_max_objects: + description: "Nombre d'objet qui peuvent être verrouillés simultanément " + default: 5000 + + db_lk_max: 5000 # Nombre de verrous maximal + + db_lk_max_lockers: 5000 # Nombre de verroulleur maximal + + openldap_key_file: + type: unix_filename + mandatory: false + hidden: true + + ldap_user: + default: + jinja: >- + cn=admin,{{ general.ldap.ldap_base_dn }} + hidden: true + + ldap_user_password: + description: Mot de passe de l'utilisateur LDAP + type: secret + default: + jinja: >- + 
{{ general.ldap.ldap_user | + get_password(server_name=general.network.interface_0.domain_name, + description="remote account", + type="cleartext", + hide=general.hide_secret, + temporary=true) + }} + hidden: true + + ldap_base_dn: + description: Base DN + validators: + - jinja: >- + {%- set var = {'ok': false} -%} + {%- for att in ['o', 'dc', 'ou'] -%} + {%- if _.ldap_base_dn.startswith(att + '=') -%} + {%- set var = var.update({'ok': true}) -%} + {%- endif -%} + {%- endfor -%} + {%- if not var.ok -%} + {%- set e = "the LDAP base DN must starts with an " -%} + {%- set e = e + "organisation (o=), a domain componant (dc=) " -%} + {%- set e = e + "or an organizational unit (ou=)" -%} + {{ e }} + {%- endif -%} + description: >- + if LDAP base DN starts with an organisation (o=), a domain componant + (dc=) or an organizational unit (ou=) + default: + jinja: >- + {{ general.ldap.prefix_domain_name | get_default_base_dn }} + hidden: true + + ldap_account_dn: + description: Base DN de l'annuaire des utilisateurs + default: + jinja: >- + {{ general.ldap.ldap_base_dn | calc_ldapclient_base_dn(base=true) }} + hidden: true + + ldap_user_dn: + description: >- + Base DN de l'annuaire des utilisateurs n'appartenant à une famille + default: + jinja: >- + {{ general.ldap.ldap_base_dn | calc_ldapclient_base_dn }} + hidden: true + + ldap_group_dn: + description: Base DN de l'annuaire des groupes + default: + jinja: >- + {{ general.ldap.ldap_base_dn | calc_ldapclient_base_dn(group=true) }} + hidden: true diff --git a/seed/openldap/extras/accounts/00_account.xml b/seed/openldap/extras/accounts/00_account.xml deleted file mode 100644 index 8f4a1022..00000000 --- a/seed/openldap/extras/accounts/00_account.xml +++ /dev/null 
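Review bot: The `ldap_base_dn` validator works only through a side effect: `{%- set var = var.update({'ok': true}) -%}` inside the `for` loop assigns the loop-scoped `var` to `None` (dict.update returns None) and relies on the in-place mutation of the outer dict for the `{%- if not var.ok -%}` after the loop; it happens to work because at most one prefix can match, but it is the classic Jinja scoping trap. Jinja2 2.10+ has `namespace()` for exactly this: `{%- set ns = namespace(ok=false) -%}`, `{%- set ns.ok = true -%}`, `{%- if not ns.ok -%}`. Since this replaces the `valid_base_dn` Python validator removed from `seed/openldap/funcs/ldap.py` further down the page, the template is now the only check on the DN; while touching it, fix `must starts` → `must start` and `componant` → `component` (the latter also in the validator's `description`).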
@@ -1,51 +0,0 @@ - - - - - - - domain_name_eth0 - accounts.users.ldap_user_mail - ldap user - cleartext - hide_secret - True - accounts.users.ldap_user_password - - - domain_name_eth0 - accounts.family_.users_.ldap_user_mail_ - ldap family user - cleartext - hide_secret - True - accounts.family_.users_.ldap_user_password_ - - - diff --git a/seed/openldap/extras/accounts/00_account.yml b/seed/openldap/extras/accounts/00_account.yml new file mode 100644 index 00000000..d548bda0 --- /dev/null +++ b/seed/openldap/extras/accounts/00_account.yml 
@@ -0,0 +1,157 @@ +--- +version: 1.1 + +remotes: + description: Create account and connexion to a LDAP server + type: domainname + multi: true + mandatory: false + hidden: true + provider: LDAP + +"remote_{{ suffix }}": + dynamic: + variable: accounts.remotes + hidden: true + + family: + description: 'LDAP family name for {{ suffix }}' + mandatory: false + provider: LDAP:family + + dn: + description: 'LDAP account DN for {{ suffix }}' + mandatory: false + provider: LDAP:dn + + password: + description: 'LDAP passowrd for {{ suffix }}' + type: secret + mandatory: false + provider: LDAP:password + + base_dn: + description: 'LDAP base DN for {{ suffix }}' + mandatory: false + provider: LDAP:base_dn + +users: + description: Users management + help: >- + Management of manually created local users. Those users are not classified + type: leadership + + ldap_user_mail: + description: Email address + examples: + - johndoe@example.net + help: An user is identify by his email address. + type: mail + mandatory: false + + ldap_user_aliases: + description: Emails aliases + multi: true + examples: + - jdoe@example.net + type: mail + mandatory: false + + ldap_user_uid: + description: Account name + examples: + - jdoe + type: unix_user + + ldap_user_gn: + description: Given name + examples: + - John + type: string + + ldap_user_sn: + description: Surname + examples: + - Doe + type: string + + ldap_user_password: + type: secret + default: + jinja: >- + {{ accounts.users.ldap_user_mail | + get_password(server_name=general.network.interface_0.domain_name, + description="ldap user", + type="cleartext", + hide=general.hide_secret, + temporary=true) + }} + hidden: true + +families: + description: Families to create + type: unix_user + multi: true + help: >- + Users can be classified into families. This variable contains all the names + of the families to be created. 
+ mandatory: false + +"family_{{ suffix }}": + description: 'Management of family {{ suffix }}' + dynamic: + variable: accounts.families + + users: + description: 'Users management for the family {{ suffix }}' + help: >- + Management of manually created users. Those users are classified in a + family. + type: leadership + + ldap_user_mail: + description: 'Email address for the family {{ suffix }}' + examples: + - johndoe@family.net + help: An user is identify by his email address. + type: mail + mandatory: false + + ldap_user_aliases: + description: 'Emails aliases for the family {{ suffix }}' + examples: + - jdoe@family.net + type: mail + multi: true + mandatory: false + + ldap_user_uid: + description: 'Account name for the family {{ suffix }}' + examples: + - jdoe + type: unix_user + + ldap_user_gn: + description: 'Given name for the family {{ suffix }}' + examples: + - John + type: string + + ldap_user_sn: + description: 'Surname for the family {{ suffix }}' + examples: + - Doe + type: string + + ldap_user_password: + type: secret + default: + jinja: >- + {{ _.ldap_user_mail | + get_password(server_name=general.network.interface_0.domain_name, + description="ldap family user", + type="cleartext", + hide=general.hide_secret, + temporary=true) + }} + hidden: true diff --git a/seed/openldap/extras/machine/20_openldap.xml b/seed/openldap/extras/machine/20_openldap.xml deleted file mode 100644 index c8842485..00000000 --- a/seed/openldap/extras/machine/20_openldap.xml +++ /dev/null @@ -1,17 +0,0 @@ - - - - - 256 - - - False - - - False - - - 512 - - - diff --git a/seed/openldap/extras/machine/20_openldap.yml b/seed/openldap/extras/machine/20_openldap.yml new file mode 100644 index 00000000..789bb984 --- /dev/null +++ b/seed/openldap/extras/machine/20_openldap.yml 
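Review bot: The `password` entry under `"remote_{{ suffix }}"` has a typo in its user-facing description, `'LDAP passowrd for {{ suffix }}'` → `'LDAP password for {{ suffix }}'`. The two `help: An user is identify by his email address.` lines read better as `help: A user is identified by their email address.`, and `Create account and connexion to a LDAP server` (same wording in postgresql's `00_accounts.yml` further down) should be `Create an account and a connection to an LDAP server`. The two `ldap_user_password` defaults reference the mail variable differently, `accounts.users.ldap_user_mail` in the first block and `_.ldap_user_mail` in the family block; both presumably resolve, but using the relative form in both would keep the two leadership copies identical.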
@@ -0,0 +1,19 @@ +--- +version: 1.1 + +var_size: + redefine: true + default: 256 + +add_tmp: + redefine: true + default: false + +add_swap: + redefine: true + default: false + +memory: + redefine: true + exists: true + default: 512 diff --git a/seed/openldap/funcs/ldap.py b/seed/openldap/funcs/ldap.py index 14f65b84..12cdfd3b 100644 --- a/seed/openldap/funcs/ldap.py +++ b/seed/openldap/funcs/ldap.py @@ -70,12 +70,3 @@ def get_default_base_dn(prefix: str) -> str: domain = ['ou=' + domain for domain in values[0:-2]] domain.append(f'o={values[-2]},o={values[-1]}') return ','.join(domain) - - -def valid_base_dn(base_dn: str) -> None: - # copied from ldap-client - for att in ['o', 'dc', 'ou']: - if base_dn.startswith(att + '='): - break - else: - raise ValueError('La racine doit débuter par une organisation (o=), une composante du domaine (dc=) ou une unité organisationnelle (ou=)') diff --git a/seed/peertube/applicationservice.yml b/seed/peertube/applicationservice.yml index 590bb35d..c2aca12a 100644 --- a/seed/peertube/applicationservice.yml +++ b/seed/peertube/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: Peertube, a federated (ActivityPub) video streaming platform website: https://www.openldap.org/ diff --git a/seed/peertube/dictionaries/30_peertube.xml b/seed/peertube/dictionaries/30_peertube.xml deleted file mode 100644 index 716950ab..00000000 --- a/seed/peertube/dictionaries/30_peertube.xml +++ /dev/null 
@@ -1,80 +0,0 @@ - - - - - - /sysusers.d/0peertube.conf - /tmpfiles.d/0peertube.conf - /etc/peertube/production.yaml - /etc/nginx/default.d/peertube.conf - /etc/nginx/conf.d/peertube.conf - - - - - - 443 - - - - - - PeerTube, an ActivityPub-federated video streaming platform using P2P directly in your web browser. - - - Welcome to this PeerTube instance! - - - - - True - - - Vidéo - - - Plateforme de partage de vidéo Peertube - - - Réseaux sociaux - - - silique_video.png - - - - - - - - /usr/share/peertube - - - - - - / - - - 12G - - - - - - - revprox_client_external_domainnames - revprox_client_location - plugins/auth-openid-connect/0.1.0/auth/openid-connect - oauth2_client_external - - - True - False - revprox_client_location - /socket.io - revprox_client_is_websocket - - - - diff --git a/seed/peertube/dictionaries/30_peertube.yml b/seed/peertube/dictionaries/30_peertube.yml new file mode 100644 index 00000000..9d4716f4 --- /dev/null +++ b/seed/peertube/dictionaries/30_peertube.yml 
@@ -0,0 +1,96 @@ +--- +version: 1.1 + +network: + + outgoing_ports: + redefine: true + default: + - 443 + +peertube: + + admin_email: + description: Adresse courriel de l'administrateur Peertube + examples: + - john.doe@example.net + type: mail + + short_description: + description: Description courte de l'instance + default: >- + PeerTube, an ActivityPub-federated video streaming platform using P2P + directly in your web browser. + + description: + description: Description de l'instance + default: Welcome to this PeerTube instance! + +oauth2: + + client: + + is_client_application: + redefine: true + default: true + + name: + redefine: true + default: Vidéo + + description: + redefine: true + default: Plateforme de partage de vidéo Peertube + + category: + redefine: true + default: Réseaux sociaux + + logo: + redefine: true + default: silique_video.png + + external: + + external: + redefine: true + default: + jinja: |- + {%- for val in + general.revprox.client.external_domainnames | + calc_oauth2_client_external( + general.revprox.client.location, + "plugins/auth-openid-connect/0.1.0/auth/openid-connect" + ) + %} + {{ val }} + {%- endfor -%} + +nginx: + + root: + redefine: true + default: /usr/share/peertube + +revprox: + + client: + + location: + redefine: true + default: / + + max_body_size: + redefine: true + default: 12G + + is_websocket: + redefine: true + type: boolean + default: + jinja: >- + {%- if _.location == "/socket.io" -%} + true + {%- else -%} + false + {%- endif -%} diff --git a/seed/php-fpm/applicationservice.yml b/seed/php-fpm/applicationservice.yml index 6e8bc5fd..02ce36b3 100644 --- a/seed/php-fpm/applicationservice.yml +++ b/seed/php-fpm/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: PHP FPM depends: diff --git a/seed/php-fpm/dictionaries/20_phpfpm.xml b/seed/php-fpm/dictionaries/20_phpfpm.xml deleted file mode 100644 index d1cdfe5f..00000000 --- a/seed/php-fpm/dictionaries/20_phpfpm.xml +++ /dev/null 
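Review bot: `revprox.client.is_websocket` at the end of the hunk spends an `if`/`else` block only to emit `true`/`false`; the comparison already is the boolean, so `{{ (_.location == "/socket.io") | lower }}` expresses the same default in one line (the `lower` filter keeps the lowercase form the other boolean defaults in this commit use). Separately, the small `seed/peertube/applicationservice.yml` hunk above keeps the context line `website: https://www.openldap.org/`, which looks like a copy-paste from the openldap service and presumably should point at PeerTube's own site.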
@@ -1,18 +0,0 @@ - - - - - /etc/php-fpm.conf - /etc/php-fpm.d/www.conf - /sysusers.d/phpfpm.conf - /tmpfiles.d/0phpfpm.conf - - - - - - - - diff --git a/seed/php-fpm/dictionaries/20_phpfpm.yml b/seed/php-fpm/dictionaries/20_phpfpm.yml new file mode 100644 index 00000000..a7067dab --- /dev/null +++ b/seed/php-fpm/dictionaries/20_phpfpm.yml @@ -0,0 +1,9 @@ +--- +version: 1.1 + +nginx: + + php_fpm_user: + type: unix_user + hidden: true + default: root diff --git a/seed/php/applicationservice.yml b/seed/php/applicationservice.yml index 5ddef7e3..07372eea 100644 --- a/seed/php/applicationservice.yml +++ b/seed/php/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: PHP, a popular general-purpose scripting language website: https://secure.php.net/ diff --git a/seed/php/dictionaries/20_php.xml b/seed/php/dictionaries/20_php.xml deleted file mode 100644 index ed80b0f8..00000000 --- a/seed/php/dictionaries/20_php.xml +++ /dev/null @@ -1,36 +0,0 @@ - - - - - /etc/php.ini - - - - - - 32 - - - 16 - - - 30 - - - 60 - - - 512 - - - 3600 - - - - - - diff --git a/seed/php/dictionaries/20_php.yml b/seed/php/dictionaries/20_php.yml new file mode 100644 index 00000000..80fae8e8 --- /dev/null +++ b/seed/php/dictionaries/20_php.yml 
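Review bot: `nginx.php_fpm_user` is a hidden variable whose default is `root`, so any consumer that does not redefine it gets a PHP-FPM pool owned by root. php-fpm normally refuses a pool configured with user root unless the daemon is started with `-R`/`--allow-to-run-as-root`, and a root-owned worker pool removes the isolation the per-pool user exists for. If the intent is that every PHP application redefines it (the way odoo and piwigo redefine other hidden defaults in this commit), a safer shape is a dedicated low-privilege account or no default with `mandatory: true`, plus a comment such as `# overridden by each PHP application; must not stay root`.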
@@ -0,0 +1,49 @@ +--- +version: 1.1 + +php: + description: PHP + mode: advanced + help: Paramètrage avancé de PHP + + post_max_size: + description: Maximum size of POST data that PHP will accept + help: Value in Mb + default: 32 + + upload_max_filesize: + description: Maximum allowed size for uploaded files + help: Value in Mb + default: 16 + + max_execution_time: + description: >- + Maximum amount of time each script may spend parsing request data + help: Value in seconds + default: 30 + + max_input_time: + description: >- + Maximum amount of time each script may spend parsing request data + help: Value in seconds + default: 60 + + memory_limit: + description: Maximum amount of memory a script may consume + help: Value in Mb + default: 512 + + session_gc_maxlifetime: + description: >- + Data will be seen as 'garbage' and potentially cleaned up after this + delay + help: Value in seconds + default: 3600 + + enable_output_buffering: + hidden: true + default: true + + disable_pcntl: + hidden: true + default: true diff --git a/seed/piwigo/applicationservice.yml b/seed/piwigo/applicationservice.yml index 1e75689d..e393cb93 100644 --- a/seed/piwigo/applicationservice.yml +++ b/seed/piwigo/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: Piwigo, a photo management software website: http://piwigo.org/ diff --git a/seed/piwigo/dictionaries/31_piwigo.xml b/seed/piwigo/dictionaries/31_piwigo.xml deleted file mode 100644 index a8758b56..00000000 --- a/seed/piwigo/dictionaries/31_piwigo.xml +++ /dev/null @@ -1,58 +0,0 @@ - - - - - /tmpfiles.d/0piwigo.conf - /etc/piwigo/config.inc.php - /etc/piwigo/database.inc.php - /sbin/piwigo.sh - /etc/php-fpm.d/piwigo.conf - /etc/nginx/default.d/piwigo.conf - - - - - - - - - True - - - Album - - - Album photographique Piwigo - - - Diffusion - - - silique_image.png - - - - - - domain_name_eth0 - admin_password - piwigo - cleartext - hide_secret - piwigo_admin_password - - - piwigo_users - piwigo_locations - - - 
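Review bot: `max_execution_time` carries the description of `max_input_time` (`Maximum amount of time each script may spend parsing request data`); the execution-time setting should read something like `description: Maximum time each script is allowed to run`. The `help: Value in Mb` lines on `post_max_size`, `upload_max_filesize` and `memory_limit` use the megabit abbreviation; `help: Value in MB` (or `in megabytes`) matches what php.ini's `M` suffix denotes.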
diff --git a/seed/piwigo/dictionaries/31_piwigo.yml b/seed/piwigo/dictionaries/31_piwigo.yml new file mode 100644 index 00000000..cb24ee84 --- /dev/null +++ b/seed/piwigo/dictionaries/31_piwigo.yml @@ -0,0 +1,76 @@ +--- +version: 1.1 + +piwigo: # Piwigo + + admin_email: + type: mail + description: Adresse courriel de l'administrateur Piwigo + examples: + - admin@example.net + + admin_password: + type: secret + auto_save: false + hidden: true + default: + jinja: >- + {{ "admin_password" | + get_password(server_name=general.network.interface_0.domain_name, + description="piwigo", + type="cleartext", + hide=general.hide_secret) + }} + + locations: + type: unix_filename + multi: true + hidden: true + default: + jinja: |- + / + {%- for user in _.users.users %} + /{{ user }} + {%- endfor -%} + + title: Album photographique # Titre de l'album + + users: + description: Piwigo users + type: leadership + + users: + type: unix_user + description: Utilisateur ayant un album + examples: + - jdoe + + email: + type: mail + description: Adresse courriel + examples: + - johndoe@example.net + +oauth2: + + client: + + is_client_application: + redefine: true + default: true + + name: + redefine: true + default: Album + + description: + redefine: true + default: Album photographique Piwigo + + category: + redefine: true + default: Diffusion + + logo: + redefine: true + default: silique_image.png diff --git a/seed/piwigo/funcs/piwigo.py b/seed/piwigo/funcs/piwigo.py deleted file mode 100644 index d177538c..00000000 --- a/seed/piwigo/funcs/piwigo.py +++ /dev/null @@ -1,6 +0,0 @@ -from risotto.utils import multi_function as _multi_function - - -@_multi_function -def get_locations(usernames): - return ['/'] + ['/' + user for user in usernames] diff --git a/seed/pki-tls/applicationservice.yml b/seed/pki-tls/applicationservice.yml index 2c29ca65..5fd40992 100644 --- a/seed/pki-tls/applicationservice.yml +++ b/seed/pki-tls/applicationservice.yml 
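Review bot: `piwigo.admin_password` calls `get_password(...)` without the `temporary=true` argument that the odoo, openldap and LDAP-account secrets in this commit pass, and additionally sets `auto_save: false`; if that is deliberate (a generated admin password that is kept rather than rotated), a comment such as `# persistent: generated once and kept, unlike the temporary service secrets` would stop the next reader treating it as an omission. `locations` reproduces the removed `get_locations` helper from `seed/piwigo/funcs/piwigo.py` (`/` followed by `/<user>` per album owner), so that deletion is covered.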
@@ -1,2 +1,3 @@ +--- format: '0.1' description: Autosign PKI or Let's encrypt support for TLS certificates diff --git a/seed/pki-tls/dictionaries/20_tls.xml b/seed/pki-tls/dictionaries/20_tls.xml deleted file mode 100644 index 0ed80832..00000000 --- a/seed/pki-tls/dictionaries/20_tls.xml +++ /dev/null @@ -1,10 +0,0 @@ - - - - - /tmpfiles.d/0certificate.conf - - - - - diff --git a/seed/postfix-lmtp-relay/applicationservice.yml b/seed/postfix-lmtp-relay/applicationservice.yml index 79a68c8a..bcb8d083 100644 --- a/seed/postfix-lmtp-relay/applicationservice.yml +++ b/seed/postfix-lmtp-relay/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: Postfix, the mail server, as LMTP relay website: http://www.postfix.org/ diff --git a/seed/postfix-lmtp-relay/extras/lmtp/00_lmtp.xml b/seed/postfix-lmtp-relay/extras/lmtp/00_lmtp.xml deleted file mode 100644 index 64662bf8..00000000 --- a/seed/postfix-lmtp-relay/extras/lmtp/00_lmtp.xml +++ /dev/null @@ -1,15 +0,0 @@ - - - - - - - lmtp.lmtp_.criteria_ - postfix_relay_domains - - - diff --git a/seed/postfix-relay/applicationservice.yml b/seed/postfix-relay/applicationservice.yml index 7e0789d1..ef1037df 100644 --- a/seed/postfix-relay/applicationservice.yml +++ b/seed/postfix-relay/applicationservice.yml @@ -1,7 +1,9 @@ +--- format: '0.1' description: Postfix, the mail server, as relay -help: | - The mail relay allows the various internal services to communicate with the other services. +help: |- + The mail relay allows the various internal services to communicate + with the other services. It is also possible to receive from outside or send emails to the outside. website: http://www.postfix.org/ depends: diff --git a/seed/postfix-relay/dictionaries/30_postfix.xml b/seed/postfix-relay/dictionaries/30_postfix.xml deleted file mode 100644 index 6ad01ddf..00000000 --- a/seed/postfix-relay/dictionaries/30_postfix.xml +++ /dev/null 
@@ -1,87 +0,0 @@ - - - - - - postfix - domain_name_eth - /sysusers.d/1postfix.conf - /tmpfiles.d/0postfix.conf - /etc/postfix/main.cf - /etc/postfix/lmtp - /etc/postfix/sni - /etc/postfix/master.cf - - - /etc/sasl2/smtpd.conf - - - /sysusers.d/0opendkim.conf - /etc/opendkim.conf - /etc/opendkim/KeyTable - /etc/opendkim/SigningTable - /etc/opendkim/TrustedHosts - opendkim_keys - - - /sysusers.d/0opendmarc.conf - /tmpfiles.d/0opendmarc.conf - /etc/opendmarc.conf - - - - - - - - - - - self-signed - self-signed - letsencrypt - - - - - - - - /etc/opendkim/keys/ - postfix_relay_domains - .key - - True - opendkim_keys - - - zones - - postfix_relay_ip_ - - - - 25 - postfix_mail_hostname - - True - incoming_ports - - - - 25 - postfix_mail_hostname - - True - outgoing_ports - - - diff --git a/seed/postfix-relay/dictionaries/30_postfix.yml b/seed/postfix-relay/dictionaries/30_postfix.yml new file mode 100644 index 00000000..8e17997f --- /dev/null +++ b/seed/postfix-relay/dictionaries/30_postfix.yml 
@@ -0,0 +1,98 @@ +--- +version: 1.1 + +network: + + outgoing_ports: + redefine: true + default: + jinja: >- + {%- if general.postfix.mail_hostname -%} + 25 + {%- endif -%} + + incoming_ports: + redefine: true + default: + variable: _.outgoing_ports + +postfix: + description: Postfix mail server + + mail_hostname: + description: External email server domain name + help: >- + This variable is mandatory if mail server needs to interact with external + area + mode: basic + type: domainname + mandatory: false + + crt_provider: + description: Type of certificate autority signing external certificate + mode: basic + help: >- + The certificate can be self-signed (therefore invalid by default for the + client) or obtained via the Let's Encrypt service (generally valid for + the client) + choices: + - self-signed + - letsencrypt + default: self-signed + + relay_domains: + type: domainname + multi: true + mandatory: false + hidden: true + + relay_authentifications: + description: Create a SMTP relay account and authorize sending email + help: >- + A service needs send email with SMTP protocol, so an account is created + and SMTP relay accept sending mail by this account + multi: true + mandatory: false + hidden: true + provider: SMTP + + "local_authentification_{{ suffix }}": + dynamic: + variable: _.relay_authentifications + hidden: true + + local_authentification_username: + description: 'User account to send email for {{ suffix }}' + type: unix_user + mandatory: false + provider: SMTP:username + + local_authentification_password: + description: 'Password to send email for {{ suffix }}' + type: secret + mandatory: false + provider: SMTP:password + + relay_ip: + type: ip + default: + jinja: >- + {{ zones | get_ip(suffix) }} + params: + zones: + information: zones + suffix: + type: suffix + +opendkim: + + opendkim_keys: + type: unix_filename + multi: true + default: + jinja: |- + {%- for domaine in general.postfix.relay_domains %} + /etc/opendkim/keys/{{ domain }}.key + {%- 
endfor -%} + mandatory: false + hidden: true diff --git a/seed/postgresql-client/applicationservice.yml b/seed/postgresql-client/applicationservice.yml index e529c920..167cd1df 100644 --- a/seed/postgresql-client/applicationservice.yml +++ b/seed/postgresql-client/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: Application service needs interact with a Postgresql server website: https://www.postgresql.org diff --git a/seed/postgresql-client/dictionaries/23_postgresql.xml b/seed/postgresql-client/dictionaries/23_postgresql.xml deleted file mode 100644 index 11d9604f..00000000 --- a/seed/postgresql-client/dictionaries/23_postgresql.xml +++ /dev/null @@ -1,49 +0,0 @@ - - - - - postgresql - /secrets/postgresql.pass - /secrets/postgresql.pass2 - /sysusers.d/0postgresqlclient.conf - - - - - - - - - domain_name_eth0 - pg_client_username - - - - pg_client_server_domainname - domain_name_eth0 - remote - cleartext - hide_secret - pg_client_password - - - pg_client_username - pg_client_database - - - Debian - postgresql_debian - - - diff --git a/seed/postgresql-client/dictionaries/23_postgresql.yml b/seed/postgresql-client/dictionaries/23_postgresql.yml new file mode 100644 index 00000000..1f866bf9 --- /dev/null +++ b/seed/postgresql-client/dictionaries/23_postgresql.yml 
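Review bot: `opendkim.opendkim_keys` iterates `{%- for domaine in general.postfix.relay_domains %}` but the body interpolates `{{ domain }}`, so every rendered path is `/etc/opendkim/keys/.key` (or a rendering error if undefined variables are strict) and no per-domain signing key is ever located; rename the loop variable, `{%- for domain in general.postfix.relay_domains %}`. The deleted `30_postfix.xml` built the same path from `/etc/opendkim/keys/`, `postfix_relay_domains` and `.key`, so this is a regression introduced by the conversion rather than pre-existing behaviour. Minor: `crt_provider`'s description has `autority` → `authority`.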
@@ -0,0 +1,43 @@ +--- +version: 1.1 + +postgresql: # PostgreSQL + + client: # PostgreSQL as a client + + server_domainname: + type: domainname + supplier: Postgresql + hidden: true + + username: + supplier: Postgresql:username + hidden: true + default: + jinja: >- + {{ general.network.interface_0.domain_name | normalize_family }} + + password: + type: secret + supplier: Postgresql:password + hidden: true + default: + jinja: >- + {% set server_name = _.server_domainname %} + {{ general.network.interface_0.domain_name | + get_password(server_name=server_name, + description="remote", + type="cleartext", + hide=general.hide_secret) + }} + + database: + supplier: Postgresql:database + hidden: true + default: + variable: _.username + + key_owner: + type: unix_user + hidden: true + default: apache diff --git a/seed/postgresql/applicationservice.yml b/seed/postgresql/applicationservice.yml index 134ea81a..a841403c 100644 --- a/seed/postgresql/applicationservice.yml +++ b/seed/postgresql/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: Postgresql, a database website: https://www.postgresql.org diff --git a/seed/postgresql/dictionaries/22_postgresql.xml b/seed/postgresql/dictionaries/22_postgresql.xml deleted file mode 100644 index 73ea7a31..00000000 --- a/seed/postgresql/dictionaries/22_postgresql.xml +++ /dev/null @@ -1,83 +0,0 @@ - - - - - - postgresql - accounts.remote_.remote_ip_ - /etc/postgresql/postgresql.conf - /etc/postgresql/pg_hba.conf - /etc/postgresql/postgresql.sql - /etc/postgresql/pg_ident.conf - /sbin/postgresql_init - /sysusers.d/0postgresql.conf - /tmpfiles.d/0postgresql.conf - /tests/postgresql.yml - /sbin/risotto_backup - - - - - - 100 - - - 60 - - - /etc/postgresql/12/main/server.key - - - /etc/postgresql/12/main/server.crt - - - - 4 - - - MB - MB - kB - - - 64 - - - MB - MB - kB - - - -1 - - - 1 - - - GB - GB - MB - kB - - - 128 - - - MB - MB - kB - - - 4 - - - GB - MB - kB - GB - - - - - - 
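Review bot: `postgresql.client.password` opens its folded `>-` template with `{% set server_name = _.server_domainname %}` without whitespace control; because the folded scalar joins the lines with a space, the rendered secret starts with that space unless the loader strips results, and a leading space in a password is easy to miss in a connection string. `{%- set server_name = _.server_domainname -%}` removes it, or drop the intermediate variable and pass `server_name=_.server_domainname` directly, as the other `get_password` calls in this commit do.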
diff --git a/seed/postgresql/dictionaries/22_postgresql.yml b/seed/postgresql/dictionaries/22_postgresql.yml new file mode 100644 index 00000000..80c53b91 --- /dev/null +++ b/seed/postgresql/dictionaries/22_postgresql.yml 
@@ -0,0 +1,110 @@ +--- +version: 1.1 + +postgresql: + description: PostgreSQL + help: Paramétrage du serveur de gestion de bases de données PostgreSQL + + pg_max_connections: + description: Nombre maximum de connexions + help: >- + Nombre maximum de connexions concurrentes au serveur de base de données + default: 100 + + pg_authentication_timeout: + description: Délai de connexion maximum (en secondes) + help: Temps maximum pour terminer l'authentification du client + default: 60 + + pg_server_key: + type: unix_filename + description: Emplacement de la clé SSL du serveur PostgreSQL + default: /etc/postgresql/12/main/server.key + + pg_server_cert: + type: unix_filename + description: Emplacement du certificat du serveur PostgreSQL + default: /etc/postgresql/12/main/server.crt + + pg_autovacuum: + type: boolean + description: Activer le VACUUM automatique + + pg_work_mem: + description: Mémoire tampon allouée aux opérations de tri et tables de hash + help: >- + Quantité de mémoire, en MB, allouée à chaque opération avant écriture + sur le disque + default: 4 + + pg_work_mem_unit: + description: Unité de la mémoire tampon + default: MB + choices: + - MB + - kB + + pg_maintenance_work_mem: + description: Mémoire tampon allouée pour les opérations de maintenance + help: >- + Quantité de mémoire allouée, en MB, à chaque opération avant + écriture sur le disque + default: 64 + params: + min_lentgh: 1 + + pg_maintenance_work_mem_unit: + description: Unité de la mémoire tampon + default: MB + choices: + - MB + - kB + + pg_wal_buffers: + description: Mémoire tampon allouée pour les journaux + help: >- + Quantité de mémoire allouée avant écriture sur le disque + (par défaut -1, soit 1/32ème de la valeur de shared_buffers) + default: -1 + + pg_max_wal_size: + description: Limite douce du Write Ahead Log + help: Limite douce pour le Write Ahead Log + default: 1 + + pg_max_wal_size_unit: + description: Unité de la limite douce du Write Ahead Log + default: GB + choices: + - GB + 
- MB + - kB + + pg_shared_buffers: + description: Quantité de mémoire pour les buffers partagés + help: >- + Quantité de mémoire que le serveur de bases de données utilise + comme mémoire partagée + default: 128 + + pg_shared_buffers_unit: + description: Unité de la quantité de mémoire pour les buffers partagés + default: MB + choices: + - MB + - kB + + pg_effective_cache_size: + description: Taille du cache + help: >- + Initialise l'estimation faite par le planificateur pour le nombre de bloc + de 8ko réelle du cache disque disponible pour une requête + default: 4 + + pg_effective_cache_size_unit: + description: Unité de la taille du cache + default: GB + choices: + - MB + - kB + - GB diff --git a/seed/postgresql/extras/accounts/00_accounts.xml b/seed/postgresql/extras/accounts/00_accounts.xml deleted file mode 100644 index 120d5627..00000000 --- a/seed/postgresql/extras/accounts/00_accounts.xml +++ /dev/null @@ -1,19 +0,0 @@ - - - - - - - zones - - accounts.remote_.remote_ip_ - - - diff --git a/seed/postgresql/extras/accounts/00_accounts.yml b/seed/postgresql/extras/accounts/00_accounts.yml new file mode 100644 index 00000000..30c69315 --- /dev/null +++ b/seed/postgresql/extras/accounts/00_accounts.yml 
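Review bot: `pg_maintenance_work_mem` declares `params: min_lentgh: 1`; the key is misspelled (`min_length`, presumably), so depending on how the loader treats unknown params it is either rejected at load time or silently ignored, and in both cases the intended minimum is not enforced. No other `pg_*` variable in the hunk carries such a parameter, so either drop it or spell it correctly wherever a minimum is wanted. The `help` texts for `pg_work_mem` and `pg_maintenance_work_mem` say `en MB` while the companion `*_unit` variables also allow `kB`; `Quantité de mémoire, dans l'unité choisie, ...` would stay accurate for both.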
@@ -0,0 +1,41 @@ +--- +version: 1.1 + +remotes: + description: Create account and connexion to a PostgreSQL server + type: domainname + multi: true + mandatory: false + hidden: true + provider: Postgresql + +"remote_{{ suffix }}": + description: 'Account for {{ suffix }}' + hidden: true + dynamic: + variable: accounts.remotes + + remote_ip: + description: 'Remote IP {{ suffix }}' + type: ip + default: + jinja: >- + {{ zones | get_ip(suffix) }} + params: + zones: + information: zones + suffix: + type: suffix + + database: + description: 'Postgresql database name for {{ suffix }}' + provider: Postgresql:database + + username: + description: 'Postgresql username for {{ suffix }}' + provider: Postgresql:username + + password: + description: 'Postgresql password for {{ suffix }}' + type: secret + provider: Postgresql:password diff --git a/seed/prometheus/applicationservice.yml b/seed/prometheus/applicationservice.yml index 0557debf..0a7a084d 100644 --- a/seed/prometheus/applicationservice.yml +++ b/seed/prometheus/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: Prometheus, an event monitoring website: https://prometheus.io/ diff --git a/seed/prometheus/dictionaries/20_prometheus.xml b/seed/prometheus/dictionaries/20_prometheus.xml deleted file mode 100644 index 03b30cd0..00000000 --- a/seed/prometheus/dictionaries/20_prometheus.xml +++ /dev/null @@ -1,25 +0,0 @@ - - - - - - /sysusers.d/prometheus.conf - /tmpfiles.d/0prometheus.conf - /etc/prometheus/prometheus.yml - /etc/default/prometheus - - - - - - - - - zones - client_addresses - listen_addresses - - - diff --git a/seed/prometheus/dictionaries/20_prometheus.yml b/seed/prometheus/dictionaries/20_prometheus.yml new file mode 100644 index 00000000..59f484f3 --- /dev/null +++ b/seed/prometheus/dictionaries/20_prometheus.yml 
@@ -0,0 +1,25 @@ +--- +version: 1.1 + +prometheus: + + client_addresses: + description: Configure Prometheus exporter + type: domainname + provider: Prometheus + multi: true + hidden: true + mandatory: false + + listen_addresses: + type: ip + hidden: true + multi: true + default: + jinja: |- + {%- for ip in zones | get_ip(_.client_addresses) %} + {{ ip }} + {%- endfor -%} + params: + zones: + information: zones diff --git a/seed/provider-systemd-machined/applicationservice.yml b/seed/provider-systemd-machined/applicationservice.yml index f39bf6d9..e32598b5 100644 --- a/seed/provider-systemd-machined/applicationservice.yml +++ b/seed/provider-systemd-machined/applicationservice.yml @@ -1,5 +1,7 @@ +--- format: '0.1' description: Machine started in Systemd Machined environment website: https://www.freedesktop.org/wiki/Software/systemd/machined/ depends: - systemd +provider: true diff --git a/seed/provider-systemd-machined/dictionaries/10_machined.xml b/seed/provider-systemd-machined/dictionaries/10_machined.xml deleted file mode 100644 index 267173a4..00000000 --- a/seed/provider-systemd-machined/dictionaries/10_machined.xml +++ /dev/null @@ -1,7 +0,0 @@ - - - - - - diff --git a/seed/provider-systemd-machined/dictionaries/10_machined.yml b/seed/provider-systemd-machined/dictionaries/10_machined.yml new file mode 100644 index 00000000..28236c15 --- /dev/null +++ b/seed/provider-systemd-machined/dictionaries/10_machined.yml @@ -0,0 +1,9 @@ +--- +version: 1.1 + +host: + type: domainname + description: Machine où est démarré le conteneur + provider: global:host_name + supplier: Host + hidden: true diff --git a/seed/provider-systemd-machined/dictionaries/16_machined.xml b/seed/provider-systemd-machined/dictionaries/16_machined.xml deleted file mode 100644 index 75ec713c..00000000 --- a/seed/provider-systemd-machined/dictionaries/16_machined.xml +++ /dev/null 
@@ -1,81 +0,0 @@ - - - - - - - - - link_configurations - - - /no_risotto_backup - - - - - - - - - True - no_backup - - - False - srv_dir - - - False - do_backup - - - container_srv_path - / - server_name - - srv_dir - - - container_journal_path - / - server_name - - journal_dir - - - container_config_path - / - server_name - - config_dir - - - - diff --git a/seed/provider-systemd-machined/dictionaries/16_machined.yml b/seed/provider-systemd-machined/dictionaries/16_machined.yml new file mode 100644 index 00000000..36215ca1 --- /dev/null +++ b/seed/provider-systemd-machined/dictionaries/16_machined.yml 
@@ -0,0 +1,104 @@ +--- +version: 1.1 + +link_configurations: + redefine: true + disabled: true + +container_srv_path: + type: unix_filename + description: Nom du répertoire racine des données + hidden: true + default: /var/lib/risotto/srv + +srv_dir: + description: Nom du répertoire des données + type: unix_filename + hidden: true + supplier: Host:machine_srv + disabled: + variable: machine.add_srv + when: false + default: + jinja: >- + {{ general.container_srv_path }}/{{ general.network.server_name }} + +container_config_path: + type: unix_filename + description: Nom du répertoire racine des configurations + hidden: true + default: /var/lib/risotto/configurations + +config_dir: + description: Nom du répertoire des configurations + type: unix_filename + hidden: true + supplier: Host:config_dir + default: + jinja: >- + {{ general.container_config_path }}/{{ general.network.server_name }} + +container_journal_path: + type: unix_filename + description: Nom du répertoire racine des journaux + hidden: true + default: /var/lib/risotto/journals + +journal_dir: + description: Nom du répertoire des journaux + type: unix_filename + hidden: true + supplier: Host:machine_journal + default: + jinja: >- + {{ general.container_journal_path }}/{{ general.network.server_name }} + +use_systemd_repart: + redefine: true + hidden: true + default: false + +network: + + incoming_ports: + type: port + description: Ports exposés depuis l'extérieur + multi: true + supplier: Host:incoming_ports + hidden: true + mandatory: false + + outgoing_ports: + type: port + params: + allow_protocol: true + description: Ports autorisés vers l'extérieur + multi: true + supplier: Host:outgoing_ports + hidden: true + mandatory: false + + netwokd_interface_name_type: + redefine: true + hidden: true + default: host + + zones_list: + redefine: true + supplier: Host:machine_zones + hidden: true + +do_backup: + type: boolean + description: Do backup for this machine + mode: advanced + hidden: + variable: 
machine.add_srv + when: false + default: + variable: machine.add_srv + +backup_dir: + type: unix_filename + hidden: true + default: /srv/backup diff --git a/seed/provider-systemd-machined/extras/machine/11_systemd.xml b/seed/provider-systemd-machined/extras/machine/11_systemd.xml deleted file mode 100644 index c8019976..00000000 --- a/seed/provider-systemd-machined/extras/machine/11_systemd.xml +++ /dev/null @@ -1,19 +0,0 @@ - - - - - - - - - - - - - - machine.add_srv - do_backup - - - - diff --git a/seed/provider-systemd-machined/extras/machine/11_systemd.yml b/seed/provider-systemd-machined/extras/machine/11_systemd.yml new file mode 100644 index 00000000..2b733986 --- /dev/null +++ b/seed/provider-systemd-machined/extras/machine/11_systemd.yml @@ -0,0 +1,30 @@ +--- +version: 1.1 + +var_size: + disabled: true + redefine: true + +srv_size: + disabled: true + redefine: true + +data_disk_size: + disabled: true + redefine: true + +add_tmp: + disabled: true + redefine: true + +var_tmp_size: + disabled: true + redefine: true + +add_swap: + disabled: true + redefine: true + +swap_size: + disabled: true + redefine: true diff --git a/seed/redis-client/applicationservice.yml b/seed/redis-client/applicationservice.yml index 7c180ed2..b968e8f2 100644 --- a/seed/redis-client/applicationservice.yml +++ b/seed/redis-client/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: Application service needs interact with a Redis server website: https://redis.io/ diff --git a/seed/redis-client/dictionaries/23_redis.xml b/seed/redis-client/dictionaries/23_redis.xml deleted file mode 100644 index 58b48b14..00000000 --- a/seed/redis-client/dictionaries/23_redis.xml +++ /dev/null @@ -1,33 +0,0 @@ - - - - - redis - - - - - - - - domain_name_eth0 - redis_client_username - - - redis_client_server_domainname - domain_name_eth0 - redis - cleartext - hide_secret - redis_client_password - - - 
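Review bot: The `netwokd_interface_name_type` redefine keeps the misspelled identifier, while this same commit renamed `netwokd_configurations` to `networkd_configurations` in 15_systemd.yml; because this entry is a `redefine`, its name must match the base definition exactly, so the typo can only be fixed in both files in one change. The `srv_dir`, `config_dir` and `journal_dir` defaults embed `general.network.server_name` as a path component; I assume `server_name` is a validated domainname so neither `/` nor `..` can escape the risotto directories, but a comment stating that, e.g. `# server_name is a validated domainname, safe as a single path component`, would record the assumption. `use_systemd_repart` is forced to `false` here without explanation; a one-liner such as `# machined containers use host directories, no repart` (if that is the reason) would document why.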
diff --git a/seed/redis-client/dictionaries/23_redis.yml b/seed/redis-client/dictionaries/23_redis.yml new file mode 100644 index 00000000..30413ed6 --- /dev/null +++ b/seed/redis-client/dictionaries/23_redis.yml @@ -0,0 +1,43 @@ +--- +version: 1.1 + +redis: + description: Redis + hidden: true + + client: # Redis as a client + + server_domainname: + type: domainname + supplier: Redis + + username: + supplier: Redis:username + default: + jinja: >- + {{ general.network.interface_0.domain_name | normalize_family }} + + password: + type: secret + supplier: Redis:password + default: + jinja: >- + {{ general.network.interface_0.domain_name | + get_password(server_name=_.server_domainname, + description="redis", + type="cleartext", + hide=general.hide_secret) + }} + + index: + description: Redis database index + help: >- + Only index 0 is allowed, Redis project discourage to use + the server with several database + type: number + provider: Redis:index + + key_owner: + description: 'Redis client key owner' + type: unix_user + default: apache diff --git a/seed/redis-common/applicationservice.yml b/seed/redis-common/applicationservice.yml index 1ee4d42e..f8e5f9ae 100644 --- a/seed/redis-common/applicationservice.yml +++ b/seed/redis-common/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: Redis, an in-memory data structure store website: https://redis.io/ diff --git a/seed/redis-common/dictionaries/90_redis-common.xml b/seed/redis-common/dictionaries/90_redis-common.xml deleted file mode 100644 index e96340f9..00000000 --- a/seed/redis-common/dictionaries/90_redis-common.xml +++ /dev/null @@ -1,8 +0,0 @@ - - - - - /sysusers.d/0redis.conf - - - diff --git a/seed/redis/applicationservice.yml b/seed/redis/applicationservice.yml index 5a41b679..6c6171b7 100644 --- a/seed/redis/applicationservice.yml +++ b/seed/redis/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: Redis, an in-memory data structure store website: https://redis.io/ 
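Review bot: `key_owner` defaults to `apache` for every service that depends on redis-client, so a non-Apache consumer silently gets its Redis client key (presumably the TLS client key) owned by a user that may not exist on that machine; either drop the default so services must redefine it, or document the expectation with `help: Redefine in services that do not run under apache`. The `index` variable documents that only index 0 is allowed but has no validator on the client side; the check exists only in the server's accounts file, which is fine if `provider: Redis:index` always receives the server value, but a client-side `validators` entry rejecting non-zero values would fail earlier and closer to the misconfiguration. The password default uses `description="redis"` and `type="cleartext"` as the secret-store lookup key, so changing either string would change which stored secret is retrieved; leave them as is.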
diff --git a/seed/redis/dictionaries/90_redis.xml b/seed/redis/dictionaries/90_redis.xml deleted file mode 100644 index 8b53046c..00000000 --- a/seed/redis/dictionaries/90_redis.xml +++ /dev/null @@ -1,46 +0,0 @@ - - - - - accounts.remote_.ip_ - redis - /etc/redis/redis.conf - /tmpfiles.d/0redis.conf - /tests/redis.yml - - - - - - - False - - - 512 - - - noeviction - volatile-lru - allkeys-lru - volatile-lfu - allkeys-lfu - volatile-random - allkeys-random - volatile-ttl - noeviction - - - 300 - - - 10000 - - - - - - domain_name_eth0 - redis_instance_name - - - diff --git a/seed/redis/dictionaries/90_redis.yml b/seed/redis/dictionaries/90_redis.yml new file mode 100644 index 00000000..7e3dc773 --- /dev/null +++ b/seed/redis/dictionaries/90_redis.yml @@ -0,0 +1,43 @@ +--- +version: 1.1 + +redis: + description: Redis + help: Configuration du service de cache Redis + + redis_instance_name: + description: Nom de l'instance + default: + variable: general.network.interface_0.domain_name + + redis_save: + description: Activer la persistence des données + default: false + + redis_max_memory: + description: Quantité de mémoire utilisable par Redis + help: La valeur est en Mo + default: 512 + + redis_memory_policy: + description: Méthode de libération de mémoire lorsque le maximum est atteint + default: noeviction + choices: + - volatile-lru + - allkeys-lru + - volatile-lfu + - allkeys-lfu + - volatile-random + - allkeys-random + - volatile-ttl + - noeviction + + redis_tcp_keepalive: + description: >- + Intervalle entre le dernier envoi de paquet TCP et la réponse ACK + help: La valeur est en seconde + default: 300 + + redis_max_clients: + description: Nombre de client maximum autorisé + default: 10000 diff --git a/seed/redis/extras/accounts/00_accounts.xml b/seed/redis/extras/accounts/00_accounts.xml deleted file mode 100644 index 36beb291..00000000 --- a/seed/redis/extras/accounts/00_accounts.xml +++ /dev/null 
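Review bot: `redis_save`, `redis_max_memory`, `redis_tcp_keepalive` and `redis_max_clients` declare no `type`, relying on inference from the default, whereas 10_systemd.yml in this same commit spells out `type: boolean` for its switches; explicit `type: boolean` / `type: number` here keeps validation of these limits independent of how a service later redefines the default. `redis_memory_policy` defaults to `noeviction`, under which Redis refuses writes once `redis_max_memory` is reached; if that is intended, say so in `help`, e.g. `help: With noeviction, writes fail once the memory limit is reached`, so operators do not mistake the resulting errors for a fault.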
@@ -1,27 +0,0 @@ - - - - - - - zones - - accounts.remote_.ip_ - - - accounts.remotes - - accounts.remote_.index_ - - - accounts.remote_.index_ - - - diff --git a/seed/redis/extras/accounts/00_accounts.yml b/seed/redis/extras/accounts/00_accounts.yml new file mode 100644 index 00000000..c2039947 --- /dev/null +++ b/seed/redis/extras/accounts/00_accounts.yml @@ -0,0 +1,51 @@ +--- +version: 1.1 + +remotes: + description: Create account and connexion to a Redis server + type: domainname + multi: true + hidden: true + provider: Redis + +"remote_{{ suffix }}": + dynamic: + variable: accounts.remotes + hidden: true + + ip: + type: ip + default: + jinja: >- + {{ zones | get_ip(suffix) }} + params: + zones: + information: zones + suffix: + type: suffix + + username: + description: 'Redis user name for ' + provider: Redis:username + + password: + description: 'Redis password for ' + type: secret + provider: Redis:password + + index: + type: number + validators: + # see https://github.com/redis/redis/issues/8099#issuecomment-741868975 + - jinja: >- + {%- if _.index -%} + Redis only works for one service + {%- endif -%} + default: + jinja: >- + {{ accounts.remotes.index(suffix) }} + params: + suffix: + type: suffix + description: get current index + supplier: Redis:index diff --git a/seed/redis/funcs/redis.py b/seed/redis/funcs/redis.py deleted file mode 100644 index 3672b132..00000000 --- a/seed/redis/funcs/redis.py +++ /dev/null @@ -1,8 +0,0 @@ -def redis_index_of(remotes, suffix): - return remotes.index(suffix) - - -def redis_only_one(idx): - if idx: - # see https://github.com/redis/redis/issues/8099#issuecomment-741868975 - raise Exception('Redis only works for one service') diff --git a/seed/relay-lmtp-client/applicationservice.yml b/seed/relay-lmtp-client/applicationservice.yml index 32c6b751..797cf060 100644 --- a/seed/relay-lmtp-client/applicationservice.yml +++ b/seed/relay-lmtp-client/applicationservice.yml 
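Review bot: The `username` and `password` descriptions read `'Redis user name for '` and `'Redis password for '` with nothing after `for`; the postgresql accounts file in this same commit uses `'Account for {{ suffix }}'`, so these should be `description: 'Redis user name for {{ suffix }}'` and `description: 'Redis password for {{ suffix }}'`. `remotes` here also lacks the `mandatory: false` that the postgresql `remotes` carries, so a Redis server deployed with no client account would presumably fail validation; confirm whether that is intended. The `index` validator matches the deleted `redis_only_one` and correctly rejects anything but index 0.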
@@ -1,4 +1,6 @@ +--- format: '0.1' -description: Application service needs interact with a Postfix server with LMTP protocol +description: > + Application service needs interact with a Postfix server with LMTP protocol depends: - relay-mail-client diff --git a/seed/relay-lmtp-client/dictionaries/30_lmtp.xml b/seed/relay-lmtp-client/dictionaries/30_lmtp.xml deleted file mode 100644 index 8bc2d79a..00000000 --- a/seed/relay-lmtp-client/dictionaries/30_lmtp.xml +++ /dev/null @@ -1,12 +0,0 @@ - - - - - - - smtp_relay_address - lmtp_relay_address - - - diff --git a/seed/relay-lmtp-client/dictionaries/30_lmtp.yml b/seed/relay-lmtp-client/dictionaries/30_lmtp.yml new file mode 100644 index 00000000..76bda930 --- /dev/null +++ b/seed/relay-lmtp-client/dictionaries/30_lmtp.yml @@ -0,0 +1,9 @@ +--- +version: 1.1 + +lmtp_relay_address: + type: domainname + supplier: LMTP + hidden: true + default: + variable: general.smtp.smtp_relay_address diff --git a/seed/relay-mail-client/applicationservice.yml b/seed/relay-mail-client/applicationservice.yml index 17207496..48188eed 100644 --- a/seed/relay-mail-client/applicationservice.yml +++ b/seed/relay-mail-client/applicationservice.yml @@ -1,2 +1,3 @@ +--- format: '0.1' description: Client SMTP diff --git a/seed/relay-mail-client/dictionaries/20_smtp_client.xml b/seed/relay-mail-client/dictionaries/20_smtp_client.xml deleted file mode 100644 index 014d08e5..00000000 --- a/seed/relay-mail-client/dictionaries/20_smtp_client.xml +++ /dev/null @@ -1,45 +0,0 @@ - - - - - smtp - - - - - - - - - smtp_relay_ip - domain_name_eth - network_eth - True - smtp_relay_user - - - smtp_relay_address - domain_name_eth0 - local authentification - cleartext - hide_secret - smtp_relay_password - - - zones - smtp_relay_address - smtp_relay_ip - - - smtp_relay_ip - ip_eth - network_eth - smtp_client_ip - - - 
diff --git a/seed/relay-mail-client/dictionaries/20_smtp_client.yml b/seed/relay-mail-client/dictionaries/20_smtp_client.yml new file mode 100644 index 00000000..fd4ae9ac --- /dev/null +++ b/seed/relay-mail-client/dictionaries/20_smtp_client.yml @@ -0,0 +1,62 @@ +--- +version: 1.1 + +smtp: # Client SMTP + + smtp_relay_address: + type: domainname + supplier: SMTP + hidden: true + + smtp_relay_ip: + type: ip + hidden: true + default: + jinja: >- + {{ zones | get_ip(_.smtp_relay_address) }} + params: + zones: + information: zones + + smtp_client_ip: + type: ip + hidden: true + default: + jinja: >- + {{ _.smtp_relay_ip | get_local_smtp_info(ip_eth, network_eth) }} + params: + ip_eth: + variable: general.network.interface_{{ suffix }}.ip + network_eth: + variable: >- + general.network.interface_{{ suffix }}.network + + smtp_relay_user: + hidden: true + supplier: SMTP:username + default: + jinja: >- + {{ _.smtp_relay_ip | get_local_smtp_info(domain_name, + network_eth, + normalize=true) + }} + params: + network_eth: + variable: >- + general.network.interface_{{ suffix }}.network + domain_name: + variable: >- + general.network.interface_{{ suffix }}.domain_name + + smtp_relay_password: + type: secret + hidden: true + supplier: SMTP:password + default: + jinja: >- + {{ general.network.interface_0.domain_name | + get_password(server_name=_.smtp_relay_address, + description="local authentification", + type="cleartext", + hide=general.hide_secret) + }} diff --git a/seed/resolved/applicationservice.yml b/seed/resolved/applicationservice.yml index 7db20f8a..463a63c0 100644 --- a/seed/resolved/applicationservice.yml +++ b/seed/resolved/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: Resolved website: https://systemd.io/ diff --git a/seed/resolved/dictionaries/20_resolved.xml b/seed/resolved/dictionaries/20_resolved.xml deleted file mode 100644 index e31c17ef..00000000 --- a/seed/resolved/dictionaries/20_resolved.xml +++ /dev/null 
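Review bot: `smtp_client_ip` and `smtp_relay_user` are not declared `dynamic`, yet their `params` reference `general.network.interface_{{ suffix }}.ip`, `.network` and `.domain_name`; the deleted XML fed `ip_eth`/`network_eth`/`domain_name_eth` (apparently the per-interface lists) to `get_local_smtp_info`, so confirm that format 1.1 expands `interface_{{ suffix }}` to every interface here rather than leaving `suffix` undefined. `smtp_relay_password` is derived from `get_password(... description="local authentification", type="cleartext" ...)`; that description is the lookup key in the secret store, so the misspelling cannot be corrected without migrating stored secrets. A comment such as `# "local authentification" is the stored-secret key; do not rename` would stop a well-meaning fix from rotating every relay password.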
@@ -1,15 +0,0 @@ - - - - - /etc/systemd/resolved.conf - /etc/dnssec-trust-anchors.d/risotto.positive - /etc/dnssec-trust-anchors.d/risotto.negative - - - - - - - diff --git a/seed/resolved/dictionaries/20_resolved.yml b/seed/resolved/dictionaries/20_resolved.yml new file mode 100644 index 00000000..4818fca3 --- /dev/null +++ b/seed/resolved/dictionaries/20_resolved.yml @@ -0,0 +1,11 @@ +--- +version: 1.1 + +network: + + dnssec_ds: + description: DNSSEC DS informations + provider: LocalDNS:DNSSEC_DS + hidden: true + multi: true + mandatory: false diff --git a/seed/reverse-proxy-client/applicationservice.yml b/seed/reverse-proxy-client/applicationservice.yml index ae274999..b33e399b 100644 --- a/seed/reverse-proxy-client/applicationservice.yml +++ b/seed/reverse-proxy-client/applicationservice.yml @@ -1,3 +1,3 @@ +--- format: '0.1' -description: Web site behind Nginx reverse proxy description: Application service needs interact with a a reverse proxy server diff --git a/seed/reverse-proxy-client/dictionaries/21_revprox_client.xml b/seed/reverse-proxy-client/dictionaries/21_revprox_client.xml deleted file mode 100644 index afc1746e..00000000 --- a/seed/reverse-proxy-client/dictionaries/21_revprox_client.xml +++ /dev/null @@ -1,53 +0,0 @@ - - - - - revprox - /tests/reverse-proxy-client.yml - - - - - - - - - zones - revprox_client_server_domainname - revprox_client_server_ip - - - domain_name_eth0 - revprox_client_port - revprox_client_local_location - revprox_client_http - revprox_client_web_address - - - diff --git a/seed/reverse-proxy-client/dictionaries/21_revprox_client.yml b/seed/reverse-proxy-client/dictionaries/21_revprox_client.yml new file mode 100644 index 00000000..75a0b677 --- /dev/null +++ b/seed/reverse-proxy-client/dictionaries/21_revprox_client.yml 
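Review bot: `dnssec_ds` is `mandatory: false`, so when `LocalDNS:DNSSEC_DS` supplies nothing the trust-anchor files the deleted XML listed (`/etc/dnssec-trust-anchors.d/risotto.positive` and `.negative`) are presumably rendered empty; whether resolved then still validates local zones or silently accepts unsigned answers for them depends on the template, which is not in this diff. A `help` stating the consequence, e.g. `help: Without DS records, local zones are not DNSSEC-validated`, would make that visible to whoever configures the DNS side. Also `description: DNSSEC DS informations` would read better as `description: DNSSEC DS records`.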
@@ -0,0 +1,99 @@ +--- +version: 1.1 + +revprox: # Reverse proxy + + client_server_domainname: + type: domainname + hidden: true + supplier: ReverseProxy + + client_server_ip: + type: ip + default: + jinja: >- + {{ zones | get_ip(general.revprox.client_server_domainname) }} + params: + zones: + information: zones + hidden: true + + client_http: + default: false + hidden: true + + client_port: + type: port + default: '443' + hidden: true + + client_cert_owner: + type: unix_user + default: root + hidden: true + + client: + description: Clients configuration + type: leadership + + external_domainnames: + description: Service external domain name + examples: + - service.example.net + type: domainname + unique: false + supplier: ReverseProxy:external + + location: + description: URI to route request to the correct service + mode: basic + type: unix_filename + default: / + supplier: ReverseProxy:location + + max_body_size: + description: The maximum allowed size of the client request body + mandatory: false + supplier: ReverseProxy:max_body_size + + is_websocket: + type: boolean + default: false + hidden: true + supplier: ReverseProxy:websocket + + local_location: + type: unix_filename + mandatory: false + hidden: true + + web_address: + type: web_address + default: + jinja: >- + {%- set domain_name = general.network.interface_0.domain_name -%} + {%- if domain_name and __.client_port -%} + {%- set web_address = 'http' %} + {%- if not __.client_http -%} + {%- set web_address = web_address + 's' %} + {%- endif -%} + {%- set web_address = web_address + '://' + domain_name -%} + {%- if (__.client_http and __.client_port != '80' ) or + (not __.client_http and __.client_port != '443') -%} + {%- set web_address = web_address + ':' + __.client_port -%} + {%- endif -%} + {%- if _.local_location -%} + {%- set web_address = web_address + _.local_location -%} + {%- endif -%} + {{ web_address }} + {%- endif -%} + description: >- + calculating web_address with domain_name, client_port 
and + local_location + hidden: true + supplier: ReverseProxy:url + + http: + default: false + hidden: true + supplier: ReverseProxy:http diff --git a/seed/reverse-proxy-client/funcs/revprox_client.py b/seed/reverse-proxy-client/funcs/revprox_client.py deleted file mode 100644 index 1d56324c..00000000 --- a/seed/reverse-proxy-client/funcs/revprox_client.py +++ /dev/null @@ -1,18 +0,0 @@ -def calc_web_address(domain_name: str=None, - port: str=None, - local_location: str=None, - http: bool=None, - ) -> str: - if not domain_name or not port: - return - if http: - web_address = f'http://{domain_name}' - test_port = '80' - else: - web_address = f'https://{domain_name}' - test_port = '443' - if port != test_port: - web_address += f':{port}' - if local_location: - web_address += local_location - return web_address diff --git a/seed/roundcube/applicationservice.yml b/seed/roundcube/applicationservice.yml index a2a56f79..61d5ead3 100644 --- a/seed/roundcube/applicationservice.yml +++ b/seed/roundcube/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: Roundcube, a webmail website: https://roundcube.net/ diff --git a/seed/roundcube/dictionaries/31_roundcube.xml b/seed/roundcube/dictionaries/31_roundcube.xml deleted file mode 100644 index f6ab4945..00000000 --- a/seed/roundcube/dictionaries/31_roundcube.xml +++ /dev/null 
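Review bot: `client_port` defaults to the quoted string `'443'` and the `web_address` template compares it with the string literals `'80'`/`'443'` and concatenates it with `':'`; 26_tls.yml in this same commit redefines `client_port` as the bare integer `8080`, which would make `__.client_port != '80'` always true and `web_address + ':' + __.client_port` a str+int concatenation, unless the `port` type normalises values to strings, which I cannot see from here. Either quote the tls default or make the template tolerant: `{%- if (__.client_http and __.client_port|string != '80') or (not __.client_http and __.client_port|string != '443') -%}` and `{%- set web_address = web_address + ':' + __.client_port|string -%}`. The deleted `calc_web_address` had the same str-only assumption, so this is inherited rather than new. `client_cert_owner` defaults to `root`; a comment on why the certificate is root-owned by default would help services that redefine it, as speedtest-rs does with `speedtest`.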
@@ -1,98 +0,0 @@ - - - - - roundcube - /etc/roundcubemail/config.inc.php - /etc/nginx/default.d/roundcubemail.conf - roundcube_config - /static/silique_cloud.svg - /static/watermark.html - - - - - - - - True - - - Courriel - - - Consulter ces courriels avec Roundcube - - - Diffusion - - - silique_email.png - - - - - - - - - /usr/share/roundcubemail/ - - - - - - - - - nginx - - - - - - - - - - domain_name_eth0 - roundcube - des_key - cleartext - hide_secret - roundcube_des_key - - - /etc/roundcubemail/ - roundcube_domains - .inc.php - - True - roundcube_config - - - roundcube_domains - revprox_client_external_domainnames - - - roundcube_family - oauth2_client_family - - - roundcube_family - ldapclient_family - - - diff --git a/seed/roundcube/dictionaries/31_roundcube.yml b/seed/roundcube/dictionaries/31_roundcube.yml new file mode 100644 index 00000000..77dc209f --- /dev/null +++ b/seed/roundcube/dictionaries/31_roundcube.yml 
@@ -0,0 +1,128 @@ +--- +version: 1.1 + +roundcube: # Interface web de consultation des courriels Roundcube + + des_key: + type: secret + default: + jinja: >- + {{ "roundcube" | + get_password(server_name=general.network.interface_0.domain_name, + description="des_key", + type="cleartext", + hide=general.hide_secret) + }} + auto_save: false + hidden: true + + config: + type: unix_filename + multi: true + default: + jinja: |- + {%- for domain in _.domain.domains %} + /etc/roundcubemail/{{ domain }}.inc.php + {%- endfor -%} + hidden: true + + domain: + type: leadership + + domains: + description: Nom de domaines d'accès à Roundcube + examples: + - webmail.example.net + type: domainname + multi: true + + mail_domain: + description: Nom de domaines des courriels + examples: + - mail.example.net + type: domainname + + family: + description: Nom de la famille + type: unix_user + mandatory: false + +oauth2: + + client: + + is_client_application: + redefine: true + default: true + + name: + redefine: true + default: Courriel + + description: + redefine: true + default: Consulter ces courriels avec Roundcube + + category: + redefine: true + default: Diffusion + + logo: + redefine: true + default: silique_email.png + + external: + + family: + redefine: true + multi: true + default: + jinja: |- + {%- for family in general.roundcube.domain.family + | calc_oauth2_families %} + {{ family }} + {%- endfor -%} + +nginx: + + root: + redefine: true + default: /usr/share/roundcubemail/ + +revprox: + + client: + + external_domainnames: + redefine: true + default: + variable: general.roundcube.domain.domains + hidden: true + + local_location: + redefine: true + default: / + +imap: + + cert_owner: + redefine: true + default: nginx + +ldap: + + client: + + family: + redefine: true + default: + jinja: >- + {%- if general.roundcube.domain.family -%} + {%- if general.roundcube.domain.family | unique | list | length > 1 -%} + all + {%- else -%} + {{ general.roundcube.domain.family[0] }} + 
pouet + {%- endif -%} + {%- endif -%} + hidden: true diff --git a/seed/roundcube/extras/machine/20_roundcube.xml b/seed/roundcube/extras/machine/20_roundcube.xml deleted file mode 100644 index ac4f5b31..00000000 --- a/seed/roundcube/extras/machine/20_roundcube.xml +++ /dev/null @@ -1,20 +0,0 @@ - - - - - 256 - - - False - - - False - - - False - - - 512 - - - diff --git a/seed/roundcube/extras/machine/20_roundcube.yml b/seed/roundcube/extras/machine/20_roundcube.yml new file mode 100644 index 00000000..2a5318b8 --- /dev/null +++ b/seed/roundcube/extras/machine/20_roundcube.yml @@ -0,0 +1,23 @@ +--- +version: 1.1 + +var_size: + redefine: true + default: '256' + +add_tmp: + redefine: true + default: 'False' + +add_srv: + redefine: true + default: 'False' + +add_swap: + redefine: true + default: 'False' + +memory: + redefine: true + exists: true + default: '512' diff --git a/seed/roundcube/funcs/roundcube.py b/seed/roundcube/funcs/roundcube.py deleted file mode 100644 index a4a90a75..00000000 --- a/seed/roundcube/funcs/roundcube.py +++ /dev/null @@ -1,9 +0,0 @@ -def calc_roundcube_family(families): - if not families: - return - uniq_fam = set(families) - if len(set(families)) > 1: - return 'all' - if not uniq_fam[0]: - return - return uniq_fam[0] diff --git a/seed/speedtest-rs/applicationservice.yml b/seed/speedtest-rs/applicationservice.yml index 86139da4..c09945d3 100644 --- a/seed/speedtest-rs/applicationservice.yml +++ b/seed/speedtest-rs/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: Speedtest-rs, a very lightweight Speedtest website: https://cloud.silique.fr/gitea/Silique/speedtest-rs diff --git a/seed/speedtest-rs/dictionaries/40_speedtest-rs.xml b/seed/speedtest-rs/dictionaries/40_speedtest-rs.xml deleted file mode 100644 index d973c1cc..00000000 --- a/seed/speedtest-rs/dictionaries/40_speedtest-rs.xml +++ /dev/null 
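Review bot: The `ldap.client.family` default contains a stray `pouet` after `{{ general.roundcube.domain.family[0] }}`; with the `>-` folded scalar the rendered value presumably becomes `<family> pouet`, so the LDAP client family will never match a real family name (the deleted `calc_roundcube_family` returned `uniq_fam[0]` alone). Remove the word so the branch is `{{ general.roundcube.domain.family[0] }}` followed directly by `{%- endif -%}`. The old helper also returned nothing when the single family was empty, whereas the new template emits an empty string; probably equivalent, but worth confirming for a `unix_user`-typed target. `des_key` is generated with `type="cleartext"` and `auto_save: false`; a comment saying why it is not auto-saved (it is Roundcube's encryption key, if that is the intent) would explain the exception.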
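Review bot: `add_tmp`, `add_srv` and `add_swap` are redefined with the quoted string `'False'`, and `var_size`/`memory` with `'256'`/`'512'`, whereas the base in 10_systemd.yml declares the switches `type: boolean` and the sibling 20_speedtest-rs.yml and 20_tls.yml in this same commit use bare `false` and `256`. A YAML string `'False'` is not a boolean and `'256'` would break the `data_disk_size` sum in 10_systemd.yml unless the loader coerces; use `default: false`, `default: 256` and `default: 512` here as the other two files do.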
@@ -1,18 +0,0 @@ - - - - - - /etc/speedtest-rs/config.env - /var/lib/speedtest-rs/speedtest-rs.css - /var/lib/speedtest-rs/logo.png - - - - - - speedtest - - - - diff --git a/seed/speedtest-rs/dictionaries/40_speedtest-rs.yml b/seed/speedtest-rs/dictionaries/40_speedtest-rs.yml new file mode 100644 index 00000000..10be6925 --- /dev/null +++ b/seed/speedtest-rs/dictionaries/40_speedtest-rs.yml @@ -0,0 +1,8 @@ +--- +version: 1.1 + +revprox: + + client_cert_owner: + redefine: true + default: speedtest diff --git a/seed/speedtest-rs/extras/machine/20_speedtest-rs.xml b/seed/speedtest-rs/extras/machine/20_speedtest-rs.xml deleted file mode 100644 index ac4f5b31..00000000 --- a/seed/speedtest-rs/extras/machine/20_speedtest-rs.xml +++ /dev/null @@ -1,20 +0,0 @@ - - - - - 256 - - - False - - - False - - - False - - - 512 - - - diff --git a/seed/speedtest-rs/extras/machine/20_speedtest-rs.yml b/seed/speedtest-rs/extras/machine/20_speedtest-rs.yml new file mode 100644 index 00000000..b628a69e --- /dev/null +++ b/seed/speedtest-rs/extras/machine/20_speedtest-rs.yml @@ -0,0 +1,23 @@ +--- +version: 1.1 + +var_size: + redefine: true + default: 256 + +add_tmp: + redefine: true + default: false + +add_srv: + redefine: true + default: false + +add_swap: + redefine: true + default: false + +memory: + redefine: true + exists: true + default: 512 diff --git a/seed/systemd/applicationservice.yml b/seed/systemd/applicationservice.yml index 9ca71206..f42b5415 100644 --- a/seed/systemd/applicationservice.yml +++ b/seed/systemd/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: Systemd, a system and service manager website: https://systemd.io/ diff --git a/seed/systemd/dictionaries/15_systemd.xml b/seed/systemd/dictionaries/15_systemd.xml deleted file mode 100644 index 35b69c59..00000000 --- a/seed/systemd/dictionaries/15_systemd.xml +++ /dev/null 
@@ -1,130 +0,0 @@ - - - - - netwokd_configurations - link_configurations - - - - - - /repart.d/50-var.conf - - - /repart.d/40-tmp.conf - - - /repart.d/60-srv.conf - - - /repart.d/30-swap.conf - - - - - - - - /secrets/root.pwd - /tmpfiles.d/risotto-volatile.conf - - - - - - - - domain_name_eth0 - root - local connection - cleartext - True - hide_secret - root_password - - - /etc/systemd/network/10 - zones_list - risotto.network - - - True - netwokd_configurations - - - /systemd/network/10 - zones_list - risotto.link - - - True - link_configurations - - - False - systemd_repart - add_tmp - add_srv - add_swap - - - diff --git a/seed/systemd/dictionaries/15_systemd.yml b/seed/systemd/dictionaries/15_systemd.yml new file mode 100644 index 00000000..09006705 --- /dev/null +++ b/seed/systemd/dictionaries/15_systemd.yml 
@@ -0,0 +1,125 @@ +--- +version: 1.1 + +root_password: + type: secret + description: Mot de passe de l'administrateur système root + hidden: true + default: + jinja: >- + {{ "root" | + get_password(server_name=general.network.interface_0.domain_name, + description="local connection", + type="cleartext", + temporary=true, + hide=general.hide_secret) + }} + +link_configurations: + description: Nom des fichiers "link" networkd + type: unix_filename + multi: true + hidden: true + default: + jinja: |- + {%- for zone in general.network.zones_list %} + /systemd/network/10-{{ zone }}-risotto.link + {%- endfor -%} + +use_systemd_repart: + description: Activer le partitionnement systemd + type: boolean + hidden: true + +network: + + networkd_configurations: + description: Nom des fichiers de configuration du réseau networkd + type: unix_filename + multi: true + hidden: true + default: + jinja: |- + {%- for zone in general.network.zones_list %} + /etc/systemd/network/10-{{ zone}}-risotto.network + {%- endfor -%} + + netwokd_interface_name_type: + description: Type de réseau networkd + hidden: true + default: zone_name + choices: + - zone_name + - host + +journald: + + conditions: + hidden: true + + vector_messages: + supplier: Journald:message + unique: false + default: + - 'PAM adding faulty module: /usr/lib64/security/pam_sss.so' + - 'PAM adding faulty module: /usr/lib64/security/pam_sss.so' + - 'PAM adding faulty module: /usr/lib64/security/pam_sss.so' + - 'PAM adding faulty module: /usr/lib64/security/pam_sss.so' + - 'PAM adding faulty module: /usr/lib64/security/pam_sss.so' + - "PAM unable to dlopen(/usr/lib64/security/pam_sss.so): \ + /usr/lib64/security/pam_sss.so: cannot open shared object file: \ + No such file or directory" + - "PAM unable to dlopen(/usr/lib64/security/pam_sss.so): \ + /usr/lib64/security/pam_sss.so: cannot open shared object file: \ + No such file or directory" + - "PAM unable to dlopen(/usr/lib64/security/pam_sss.so): \ + 
/usr/lib64/security/pam_sss.so: cannot open shared object file: \ + No such file or directory" + - "PAM unable to dlopen(/usr/lib64/security/pam_sss.so): \ + /usr/lib64/security/pam_sss.so: cannot open shared object file: \ + No such file or directory" + - "PAM unable to dlopen(/usr/lib64/security/pam_sss.so): \ + /usr/lib64/security/pam_sss.so: cannot open shared object file: \ + No such file or directory" + - "Failed to open libbpf, cgroup BPF features disabled: Operation \ + not supported" + - "rm(/var/log): Directory not empty" + - ': Duplicate line for path' + + vector_services: + supplier: Journald:service + unique: false + default: + - systemd + - (systemd) + - (ystemctl) + - (sh) + - su + - systemd + - (systemd) + - (ystemctl) + - (sh) + - su + - systemd + - systemd-tmpfiles + - systemd-tmpfiles + + vector_functions: + supplier: Journald:function + mandatory: false + empty: false + unique: false + default: + - null + - null + - null + - null + - null + - null + - null + - null + - null + - null + - null + - null + - contains diff --git a/seed/systemd/extras/machine/10_systemd.xml b/seed/systemd/extras/machine/10_systemd.xml deleted file mode 100644 index e6af7beb..00000000 --- a/seed/systemd/extras/machine/10_systemd.xml +++ /dev/null @@ -1,47 +0,0 @@ - - - - - - - - False - machine.var_tmp_size - add_tmp - - - False - machine.srv_size - add_srv - - - False - machine.swap_size - add_swap - - - machine.var_size - machine.var_tmp_size - machine.srv_size - machine.swap_size - 16 - add - machine.data_disk_size - - - - diff --git a/seed/systemd/extras/machine/10_systemd.yml b/seed/systemd/extras/machine/10_systemd.yml new file mode 100644 index 00000000..656a0830 --- /dev/null +++ b/seed/systemd/extras/machine/10_systemd.yml 
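Review bot: `vector_services` lists `(ystemctl)` twice; that looks like a typo for `(systemctl)`, but if it mirrors the journal's actual identifier it needs a comment saying so, because these entries are presumably suppression filters for the log pipeline and one that never matches leaves the PAM noise in, while an over-broad correction would hide real `su`/`systemctl` PAM failures. The three lists are meaningful only by position (13 entries each); a comment above `vector_messages` such as `# vector_messages/vector_services/vector_functions are parallel lists: entry i of each forms one filter` would make that explicit and keep future edits aligned. `networkd_configurations` was corrected from the XML's `netwokd_configurations`, but `netwokd_interface_name_type` keeps the typo and is redefined under that name in 16_machined.yml, so renaming it needs both files. `root_password` being generated with `temporary=true` and hidden is the right direction; I assume the secret store enforces the expiry.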
@@ -0,0 +1,57 @@ +--- +version: 1.1 + +var_size: + description: Variable directory size + hidden: true + default: 1024 + +add_tmp: + type: boolean + description: Add a temporary directory + hidden: true + +var_tmp_size: + description: Temporary directory size + hidden: true + default: 1024 + disabled: + variable: machine.add_tmp + when: false + +add_srv: + type: boolean + description: Add a persistent directory + hidden: true + +srv_size: + description: Persistent directory size + hidden: true + default: 1024 + disabled: + variable: machine.add_srv + when: false + +add_swap: + type: boolean + description: Add a SWAP partition + hidden: true + +swap_size: + description: SWAP size + hidden: true + default: 512 + disabled: + variable: machine.add_swap + when: false + +data_disk_size: + redefine: true + default: + jinja: >- + {% set total = machine.var_size + + machine.var_tmp_size + + machine.srv_size + + machine.swap_size + 16 + %} + {{ total }} diff --git a/seed/tls/applicationservice.yml b/seed/tls/applicationservice.yml index 81365cda..28c129fd 100644 --- a/seed/tls/applicationservice.yml +++ b/seed/tls/applicationservice.yml @@ -1,5 +1,6 @@ +--- format: '0.1' -description: PLEASE DO NOT USE THIS APPLICATION SERVICE, use for manage tls certificates +description: Manage tls certificates documentation: false depends: - base-fedora-38 diff --git a/seed/tls/dictionaries/26_tls.xml b/seed/tls/dictionaries/26_tls.xml deleted file mode 100644 index 88f2b6d0..00000000 --- a/seed/tls/dictionaries/26_tls.xml +++ /dev/null @@ -1,57 +0,0 @@ - - - - - /sysusers.d/tls.conf - /tmpfiles.d/0tls.conf - /etc/risotto/configuration.yml - /etc/risotto/certificates.yml - - - - - - - - - - - - - - - /.well-known/acme-challenge - - - True - - - - - True - - - 8080 - - - - - - domain_name_eth0 - - True - first_zone_name - - - - 443 - first_zone_name - - True - outgoing_ports - - - 
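Review bot: The `data_disk_size` default in `seed/systemd/extras/machine/10_systemd.yml` sums `machine.var_tmp_size`, `machine.srv_size` and `machine.swap_size` unconditionally, yet each of those variables is `disabled` when its `add_*` flag is false; if a disabled variable is absent or `None` in the Jinja context, the `+` chain raises instead of producing a size, whereas the removed XML computed the sum through an `add` function that may have tolerated empty inputs (not verifiable from here, please confirm how disabled variables reach Jinja). Guarding each optional term on its `add_*` flag keeps the intent explicit, as below. The three `add_*` booleans also carry no `default`, so a comment on what an unset flag means, e.g. `# unset is treated as false: the partition is not created`, would document the behaviour the sizes rely on (confirm against the loader).
```yaml
data_disk_size:
  redefine: true
  default:
    jinja: >-
      {%- set total = machine.var_size + 16 -%}
      {%- if machine.add_tmp %}{% set total = total + machine.var_tmp_size %}{% endif -%}
      {%- if machine.add_srv %}{% set total = total + machine.srv_size %}{% endif -%}
      {%- if machine.add_swap %}{% set total = total + machine.swap_size %}{% endif -%}
      {{ total }}
```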
diff --git a/seed/tls/dictionaries/26_tls.yml b/seed/tls/dictionaries/26_tls.yml new file mode 100644 index 00000000..0cd44036 --- /dev/null +++ b/seed/tls/dictionaries/26_tls.yml @@ -0,0 +1,58 @@ +--- +version: 1.1 + +network: # Réseau + + zones_list: + redefine: true + mandatory: false + + first_zone_name: + default: + variable: general.network.interface_0.domain_name + hidden: true + + outgoing_ports: + redefine: true + default: + jinja: >- + {%- if general.network.first_zone_name -%} + 443 + {%- endif -%} + + dns_client_address: + redefine: true + mandatory: false + +revprox: + + client_server_domainname: + redefine: true + mandatory: false + + client: + + external_domainnames: + redefine: true + default: null + mandatory: false + + location: + redefine: true + default: /.well-known/acme-challenge + + http: + redefine: true + default: true + + web_address: + redefine: true + mandatory: false + + client_http: + redefine: true + default: true + + client_port: + redefine: true + default: 8080 diff --git a/seed/tls/extras/machine/20_tls.xml b/seed/tls/extras/machine/20_tls.xml deleted file mode 100644 index 0cab45bb..00000000 --- a/seed/tls/extras/machine/20_tls.xml +++ /dev/null @@ -1,23 +0,0 @@ - - - - - 256 - - - False - - - False - - - 512 - - - False - - - - diff --git a/seed/tls/extras/machine/20_tls.yml b/seed/tls/extras/machine/20_tls.yml new file mode 100644 index 00000000..4b17fd2e --- /dev/null +++ b/seed/tls/extras/machine/20_tls.yml @@ -0,0 +1,29 @@ +--- +version: 1.1 + +var_size: + redefine: true + default: 256 + +add_tmp: + redefine: true + default: false + +add_swap: + redefine: true + default: false + +memory: + redefine: true + exists: true + default: 512 + +add_srv: + redefine: true + default: false + +tls_dir: + hidden: true + type: unix_filename + supplier: Host:machine_tls + default: /var/lib/risotto/tls diff --git a/seed/unbound/applicationservice.yml b/seed/unbound/applicationservice.yml index 149a6b91..6be8d86c 100644 
--- a/seed/unbound/applicationservice.yml +++ b/seed/unbound/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: Unbound, a validating, recursive, caching DNS resolver website: https://www.nlnetlabs.nl/projects/unbound/about/ diff --git a/seed/unbound/dictionaries/20_unbound.xml b/seed/unbound/dictionaries/20_unbound.xml deleted file mode 100644 index 92106e52..00000000 --- a/seed/unbound/dictionaries/20_unbound.xml +++ /dev/null @@ -1,47 +0,0 @@ - - - - - - unbound_allowed_client - - /etc/unbound/conf.d/risotto.conf - /etc/unbound/unbound.conf - /sysusers.d/0unbound.conf - /tmpfiles.d/0unbound.conf - - - - - - - - - - - - udp:53 - 53 - - - - - - - - - - ip_eth0 - ip_dns - - - zones - unbound_forward_address - unbound_allowed_client - - - diff --git a/seed/unbound/dictionaries/20_unbound.yml b/seed/unbound/dictionaries/20_unbound.yml new file mode 100644 index 00000000..0cdd2543 --- /dev/null +++ b/seed/unbound/dictionaries/20_unbound.yml 
@@ -0,0 +1,62 @@ +--- +version: 1.1 + +network: + + dns_client_address: + redefine: true + disabled: true + supplier: '' + + ip_dns: + redefine: true + default: + variable: _.interface_0.ip + + outgoing_ports: + redefine: true + default: + - udp:53 + - 53 + +dns_resolver: # Résolveur DNS + + forward_zones: + description: Serveur DNS faisant autorité sur une zone particulière + hidden: true + type: leadership + + unbound_forward_address: + description: DNS forwarder for all DNS zones + help: >- + This provider is able to answer query for external and internal domain + name + provider: ExternalDNS + hidden: true + mandatory: false + + unbound_forward_zones: + description: Local DNS server can export own authority zones + type: domainname + multi: true + provider: ExternalDNS:authority_zones + hidden: true + mandatory: false + + unbound_allowed_client: + type: ip + hidden: true + default: + jinja: >- + {{ zones | + get_ip(general.dns_resolver.forward_zones.unbound_forward_address) + }} + params: + zones: + information: zones + + unbound_default_forwards: + description: Serveur résolveur DNS par défaut + multi: true + examples: + - 9.9.9.9 diff --git a/seed/unbound/extras/machine/20_unbound.xml b/seed/unbound/extras/machine/20_unbound.xml deleted file mode 100644 index c8842485..00000000 --- a/seed/unbound/extras/machine/20_unbound.xml +++ /dev/null @@ -1,17 +0,0 @@ - - - - - 256 - - - False - - - False - - - 512 - - - diff --git a/seed/unbound/extras/machine/20_unbound.yml b/seed/unbound/extras/machine/20_unbound.yml new file mode 100644 index 00000000..789bb984 --- /dev/null +++ b/seed/unbound/extras/machine/20_unbound.yml @@ -0,0 +1,19 @@ +--- +version: 1.1 + +var_size: + redefine: true + default: 256 + +add_tmp: + redefine: true + default: false + +add_swap: + redefine: true + default: false + +memory: + redefine: true + exists: true + default: 512 diff --git a/seed/unbound/funcs/funcs.py b/seed/unbound/funcs/funcs.py index cac5dd45..a34ab752 100644 
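Review bot: `unbound_default_forwards` in `seed/unbound/dictionaries/20_unbound.yml` declares `multi: true` and the example `9.9.9.9` but no `type`, while its sibling `unbound_allowed_client` is typed `ip`; without a type the upstream-resolver list accepts any string, so `type: ip` (or `domainname` if hostnames are intended) should be set so that a mistyped forwarder address is rejected at configuration time rather than at runtime. The `help` of `unbound_forward_address` reads `This provider is able to answer query for external and internal domain name`; suggest `This provider is able to answer queries for external and internal domain names`. `dns_client_address` is redefined with `disabled: true` and `supplier: ''`, which presumably detaches the resolver host from the client-side DNS contract; a one-line comment such as `# the resolver does not consume a DNS client address; it is the resolver` would spare the next reader a lookup.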
--- a/seed/unbound/funcs/funcs.py +++ b/seed/unbound/funcs/funcs.py @@ -1,17 +1,5 @@ -from typing import List -from ipaddress import ip_interface -from os.path import join from datetime import datetime -def unbound_filename(dirname: str, - variables: List[str], - extension: str) -> List[str]: - ret = [] - for variable in variables: - ret.append(join(dirname, f'{variable}{extension}')) - return ret - - def unbound_serial() -> str: return datetime.now().strftime('%Y%m%d%H%M%S') diff --git a/seed/vaultwarden/applicationservice.yml b/seed/vaultwarden/applicationservice.yml index a602de7f..08aa67b4 100644 --- a/seed/vaultwarden/applicationservice.yml +++ b/seed/vaultwarden/applicationservice.yml @@ -1,3 +1,4 @@ +--- format: '0.1' description: Vaultwarden, a password manager website: https://github.com/dani-garcia/vaultwarden diff --git a/seed/vaultwarden/dictionaries/40_vaultwarden.xml b/seed/vaultwarden/dictionaries/40_vaultwarden.xml deleted file mode 100644 index 7daa77c1..00000000 --- a/seed/vaultwarden/dictionaries/40_vaultwarden.xml +++ /dev/null @@ -1,72 +0,0 @@ - - - - - - /tmpfiles.d/0vaultwarden.conf - /etc/vaultwarden/config.env - /tests/vaultwarden.yml - - - - - - - - vaultwarden - - - - - - risotto - - - - - - vaultwarden - - - - - - domain_name_eth0 - admin_password - vaultwarden - cleartext - vaultwarden_admin_password - hide_secret - - - domain_name_eth0 - vaultwarden_test_device_identifier - - - vaultwarden_domainname - vaultwarden_domainname - True - revprox_client_external_domainnames - - - - revprox_client_location - - - True - False - revprox_client_location - /notifications/hub - revprox_client_is_websocket - - - diff --git a/seed/vaultwarden/dictionaries/40_vaultwarden.yml b/seed/vaultwarden/dictionaries/40_vaultwarden.yml new file mode 100644 index 00000000..1bda7d9e --- /dev/null +++ b/seed/vaultwarden/dictionaries/40_vaultwarden.yml 
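Review bot: `unbound_serial`, now the only function left in `seed/unbound/funcs/funcs.py`, builds what looks like a DNS SOA serial from `datetime.now()`, i.e. local wall-clock time; across a DST transition or a timezone change on the build host the generated serial can be lower than one already published, and secondaries then ignore the zone update. Using UTC keeps the value monotonic: `from datetime import datetime, timezone` and `return datetime.now(timezone.utc).strftime('%Y%m%d%H%M%S')`. These are context lines rather than a change this commit makes, so it may belong in a follow-up.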
@@ -0,0 +1,93 @@ +--- +version: 1.1 + +revprox: + + client: + + external_domainnames: + redefine: true + default: + - variable: general.vaultwarden.domainname + hidden: true + + location: + redefine: true + default: + jinja: >- + {%- if index -%} + /notifications/hub + {%- else -%} + / + {%- endif -%} + params: + index: + type: index + description: first location is for "/" + + is_websocket: + redefine: true + type: boolean + default: + jinja: >- + {%- if _.location == "/" -%} + false + {%- else -%} + true + {%- endif -%} + description: / is not a websocket + + client_cert_owner: + redefine: true + default: vaultwarden + +vaultwarden: # Vaultwarden + + domainname: + description: Nom de domaine d'accès à Vaultwarden + examples: + - vault.example.net + type: domainname + + password_admin_username: risotto # Nom de l'utilisateur Risotto + + admin_email: + description: Adresse courriel de l'utilisateur Risotto + examples: + - admin@example.net + type: mail + + admin_password: + description: Mot de passe de l'utilisateur Risotto + type: secret + default: + jinja: >- + {{ "admin_password" | + get_password( + server_name=general.network.interface_0.domain_name, + description="vaultwarden", + type="cleartext", + hide=general.hide_secret) + }} + hidden: true + + length: 20 # Taille par défaut du mot de passe + + org_name: + description: Nom de l'organisation lors de l'envoi des invitations + default: Vaultwarden + + test_device_identifier: + description: Identifiant de test de l'appareil se connectant + default: + jinja: |- + {{ general.network.interface_0.domain_name | get_uuid }} + hidden: true + +postgresql: + + client: + + key_owner: + redefine: true + default: vaultwarden diff --git a/seed/vaultwarden/funcs/vaultwarden.py b/seed/vaultwarden/funcs/vaultwarden.py index f3c3a5f4..ed531dcb 100644 --- a/seed/vaultwarden/funcs/vaultwarden.py +++ b/seed/vaultwarden/funcs/vaultwarden.py 
@@ -22,9 +22,3 @@ def get_uuid(server_name: str) -> str: with open(file_name, 'r') as fh: file_content = fh.read().strip() return file_content - - -def calc_vaulwarden_location(index): - if not index: - return '/' - return '/notifications/hub' diff --git a/seed/vector/applicationservice.yml b/seed/vector/applicationservice.yml index 6be108b6..10924a08 100644 --- a/seed/vector/applicationservice.yml +++ b/seed/vector/applicationservice.yml @@ -1,5 +1,7 @@ +--- format: '0.1' -description: Vector, a lightweight, ultra-fast tool for building observability pipelines +description: > + Vector, a lightweight, ultra-fast tool for building observability pipelines website: https://vector.dev/ depends: - base-fedora-38 diff --git a/seed/vector/dictionaries/20_vector.xml b/seed/vector/dictionaries/20_vector.xml deleted file mode 100644 index 35ca2586..00000000 --- a/seed/vector/dictionaries/20_vector.xml +++ /dev/null @@ -1,21 +0,0 @@ - - - - - /sysusers.d/vector.conf - /tmpfiles.d/0vector.conf - /etc/vector/vector.toml - /sbin/vector_journalctl - - - - - - - - diff --git a/seed/vector/dictionaries/20_vector.yml b/seed/vector/dictionaries/20_vector.yml new file mode 100644 index 00000000..d3c81a5b --- /dev/null +++ b/seed/vector/dictionaries/20_vector.yml @@ -0,0 +1,31 @@ +--- +version: 1.1 + +vector: + description: loki + hidden: true + + client_addresses: + description: Collect observability data from another Vector instance + type: domainname + provider: Vector + multi: true + mandatory: false + + listen_addresses: + description: Send Journal on this IP address + help: >- + Vector must listen on this address, clients are configured to use this + destination IP + type: ip + multi: true + provider: Vector:address + mandatory: false + +loki: + description: loki + hidden: true + + server_domainname: + type: domainname + supplier: Loki diff --git a/seed/znc/applicationservice.yml b/seed/znc/applicationservice.yml index 6901ae95..7c1c3cff 100644 
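Review bot: The `vector` family at the top of `seed/vector/dictionaries/20_vector.yml` carries `description: loki`, the same text as the `loki` family below it, which looks like a copy-paste slip; suggest `description: Vector` so generated documentation does not label both families identically. `listen_addresses` is described as `Send Journal on this IP address` while its `help` says Vector listens on it and clients send to it; the description should follow the help, e.g. `description: Listen for journal data on this IP address`.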
--- a/seed/znc/applicationservice.yml +++ b/seed/znc/applicationservice.yml @@ -1,6 +1,9 @@ +--- format: '0.1' description: ZNC, a bouncer IRC -help: The IRC network bouncer or BNC can detach the client from the actual IRC server, and also from selected channels +help: |- + The IRC network bouncer or BNC can detach the client from the actual IRC + server, and also from selected channels website: https://wiki.znc.in/ depends: - base-fedora-36 diff --git a/seed/znc/dictionaries/40_znc.xml b/seed/znc/dictionaries/40_znc.xml deleted file mode 100644 index 8bb76112..00000000 --- a/seed/znc/dictionaries/40_znc.xml +++ /dev/null @@ -1,46 +0,0 @@ - - - - - - znc - /secrets/znc_passwords - /sysusers.d/1znc.conf - /tmpfiles.d/0znc.conf - /etc/znc/znc.conf - - - - - - 5535 - - - - - - self-signed - self-signed - letsencrypt - - - - - - - - - - - - - - - port - True - outgoing_ports - - - diff --git a/seed/znc/dictionaries/40_znc.yml b/seed/znc/dictionaries/40_znc.yml new file mode 100644 index 00000000..763866b1 --- /dev/null +++ b/seed/znc/dictionaries/40_znc.yml 
@@ -0,0 +1,81 @@ +--- +version: 1.1 + +network: + + incoming_ports: + redefine: true + default: + - 5535 + outgoing_ports: + redefine: true + default: + jinja: |- + {%- for port in general.znc.servers.port | unique %} + {{ port }} + {%- endfor -%} + +znc: # IRC Bouncer ZNC + + external_domain_name: + description: External domain name + examples: + - irc.example.net + type: domainname + + crt_provider: + description: Type of certificate autority signing external certificate + help: >- + The certificate can be self-signed (therefore invalid by default for the + client) or obtained via the Let's Encrypt service (generally valid for + the client) + mode: basic + choices: + - self-signed + - letsencrypt + default: self-signed + + user_name: + description: IRC and ZNC username + examples: + - jdoe + type: unix_user + + user_password: + description: ZNC user password + examples: + - JD0eP@ss + type: secret + + real_name: + description: Real IRC user name + examples: + - John Doe + + servers: + description: Serveurs IRC + type: leadership + + server_names: + description: IRC domain name + examples: + - irc.oftc.net + type: domainname + + password: + description: IR user passwordC + examples: + - p@ssw0rd + type: secret + + port: + description: TLS port of server IRC + type: port + default: 6697 + hidden: true + + channels: + description: IRC channels + examples: + - example + multi: true diff --git a/seed/znc/extras/machine/20_unbound.xml b/seed/znc/extras/machine/20_unbound.xml deleted file mode 100644 index c8842485..00000000 --- a/seed/znc/extras/machine/20_unbound.xml +++ /dev/null @@ -1,17 +0,0 @@ - - - - - 256 - - - False - - - False - - - 512 - - - diff --git a/seed/znc/extras/machine/20_unbound.yml b/seed/znc/extras/machine/20_unbound.yml new file mode 100644 index 00000000..789bb984 --- /dev/null +++ b/seed/znc/extras/machine/20_unbound.yml 
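Review bot: Two descriptions in the new `znc` family of `seed/znc/dictionaries/40_znc.yml` are garbled: `servers.password` reads `IR user passwordC` and `crt_provider` reads `Type of certificate autority signing external certificate`; suggest `description: IRC user password` and `description: Type of certificate authority signing the external certificate`. `servers.port` is `hidden: true` with a fixed default of 6697, so a server that offers TLS on another port cannot be configured from this dictionary; if that restriction is intended a comment stating it would help, otherwise dropping `hidden: true` is the one-line fix. `servers` is described in French (`Serveurs IRC`) while the rest of this file is in English.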
@@ -0,0 +1,19 @@ +--- +version: 1.1 + +var_size: + redefine: true + default: 256 + +add_tmp: + redefine: true + default: false + +add_swap: + redefine: true + default: false + +memory: + redefine: true + exists: true + default: 512
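Review bot: The new file is `seed/znc/extras/machine/20_unbound.yml`, inside the znc seed but named after unbound, and its blob id `789bb984` is identical to `seed/unbound/extras/machine/20_unbound.yml`; the deleted XML already carried this name, so the migration preserved a copy-paste slip. Renaming it to `20_znc.yml` would keep the seed self-describing, and it is worth confirming that znc really wants the same `var_size`, `add_tmp`, `add_swap` and `memory` values as unbound rather than inheriting them by accident.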