fedora 37

seed/base-fedora-37/dictionaries/11-fedora-version.xml

@@ -0,0 +1,13 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rougail version="0.10">
+  <!--services>
+    <service name="base">
+      <file engine="none">/etc/pam.d/login</file>
+    </service>
+  </services-->
+  <variables>
+    <variable name="os_version" type="string" description="Version de l'OS" hidden="True">
+      <value>37</value>
+    </variable>
+  </variables>
+</rougail>

seed/base-fedora-37/manual/image/postinstall/base_fedora_version.sh

@@ -0,0 +1,7 @@
+# ACTIVE NETWORKD
+mkdir $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/network-online.target.wants
+chmod 775 $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/network-online.target.wants
+ln -s /usr/lib/systemd/system/systemd-networkd.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/dbus-org.freedesktop.network1.service"
+ln -s /usr/lib/systemd/system/systemd-networkd.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/multi-user.target.wants/systemd-networkd.service"
+ln -s /usr/lib/systemd/system/systemd-networkd-wait-online.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/network-online.target.wants/systemd-networkd-wait-online.service"
+ln -s /usr/lib/systemd/system/systemd-networkd.socket "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/sockets.target.wants/systemd-networkd.socket"

seed/base-fedora-37/manual/image/preinstall/base_fedora_37.sh

@@ -0,0 +1 @@
+BASE_PKG="$BASE_PKG pam util-linux"

seed/base-fedora-37/manual/image/preinstall/base_fedora_version.sh

@@ -0,0 +1 @@
+RELEASEVER=37

seed/base-fedora-37/templates/login

@@ -0,0 +1,17 @@
+#GNUNUX File from util-linux-*.x86_64 (not installed)
+#%PAM-1.0
+auth       substack     system-auth
+auth       include      postlogin
+account    required     pam_nologin.so
+account    include      system-auth
+password   include      system-auth
+# pam_selinux.so close should be the first session rule
+session    required     pam_selinux.so close
+session    required     pam_loginuid.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session    required     pam_selinux.so open
+session    required     pam_namespace.so
+session    optional     pam_keyinit.so force revoke
+session    include      system-auth
+session    include      postlogin
+-session   optional     pam_ck_connector.so

seed/base/dictionaries/00-base.xml

@@ -0,0 +1,17 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rougail version="0.10">
+  <variables>
+    <variable name="copy_tests" type="boolean" mandatory="True" hidden="True"/>
+  </variables>
+  <constraints>
+    <fill name="calc_value">
+      <param type="information">copy_tests</param>
+      <target>copy_tests</target>
+    </fill>
+    <condition name="disabled_if_in" source="copy_tests">
+      <param>False</param>
+      <target type="filelist" optional="True">copy_tests</target>
+    </condition>
+  </constraints>
+</rougail>
+

seed/gitea/applicationservice.yml

@@ -0,0 +1,4 @@
+format: '0.1'
+description: Transitional package for Gitea to Forgejo
+depends:
+  - forgejo

seed/gitea/dictionaries/32_gitea.xml

@@ -0,0 +1,17 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name="gitea" target="risotto" engine="cheetah"/>
+  </services>
+  <variables>
+    <family name="gitea" description="Transitional family">
+      <variable name="gitea_mail_sender" type="mail" description="Transitional variable, please do not use it"/>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="calc_value">
+      <param type="variable">gitea_mail_sender</param>
+      <target>forgejo_mail_sender</target>
+    </fill>
+  </constraints>
+</rougail>

seed/gitea/templates/gitea.service

@@ -0,0 +1,17 @@
+[Unit]
+Description=Gitea transitional
+Before=risotto.target
+
+[Service]
+Type=oneshot
+ExecStart=/bin/bash -c '%slurp
+[ -d /srv/gitea/lib/data/gitea-repositories ] && mv /srv/gitea/lib/data/gitea-repositories /srv/gitea/lib/data/forgejo-repositories; %slurp
+[ -d /srv/gitea ] && (mv /srv/gitea/* /srv/forgejo; rmdir /srv/gitea); %slurp
+find /srv/forgejo/lib/data/forgejo-repositories/*/*.git/hooks -name gitea | while read a; do b=$(dirname $a); mv $b/gitea $b/forgejo; done; %slurp
+sed -i 's/gitea/forgejo/g' /srv/forgejo/lib/data/forgejo-repositories/*/*.git/hooks/proc-receive; %slurp
+sed -i 's/gitea/forgejo/g' /srv/forgejo/lib/data/forgejo-repositories/*/*.git/hooks/pre-receive.d/forgejo; %slurp
+sed -i 's/gitea/forgejo/g' /srv/forgejo/lib/data/forgejo-repositories/*/*.git/hooks/update.d/forgejo; %slurp
+sed -i 's/gitea/forgejo/g' /srv/forgejo/lib/data/forgejo-repositories/*/*.git/hooks/post-receive.d/forgejo; %slurp
+sed -i 's/gitea/forgejo/g' /srv/forgejo/lib/data/forgejo-repositories/*/*.git/config; %slurp
+exit 0%slurp
+'

seed/host-systemd-machined/templates/RPM-GPG-KEY-fedora-37-x86_64

@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGESvNwBEAC7HsCDTlugVeDSMFX6aW3zAPFMfvBssNj+89fdmbxcI9t7UY6f
+HvkkGziUET8e+9jB8R2/wXQCGOw1J+sfmwO4aN0LdVQjhKvVNj+F5jWt3m5FAIBa
+OTWS6Kvqw2ECTpH7fD86541eK3BuCni6d5U3PCd73t976FcUmpQ/1AthqMksM0Jz
+cJapvNmLTCR0NZ2XyyLmn/K1hgNXe8G5j0cSrJiY+Zpz5aQkT96j96Jm6W2A+tBI
+icU4n6V4vlj2TxmCumtXJGXGBGJnof/dCgh45aqi+sk5c429ns+5sooYcaEJojj6
+FYSITv10l+az6ZMJz/j61VYSkhMY8hQ4Wd+yL2JVzLE9N9V0L95sX1yEZ5ILmzwx
+oRKe4WHSBE6yMxNWobv7hmC+3ZC5mLPaEDS/g/0xuQj9Sy9eT2mhhFPxOv29YQ+P
+sC3zXHJMMT0tlGd72PVHQQ0JYONfMhcC+7AHGFGz8p4/wor2jIFG1ouqE6Lfzm8o
+XWZMYm3AydlrP/xkYaoWNE3jL/+dskSBr/Yz7ZzlkAqH9lb1HKnXQLTrw6gz6pmI
+KufSDXjEFNxnFI/9gMlshJtk5+QSDzezmxFm+NMviSvDUNAVIzrU1D84dauBYph4
+OrJVeECQHEotny/I53AdlVwLYB4TWkObzTs6vtV7Pz1TK2CmHpe3UW72xwARAQAB
+tDFGZWRvcmEgKDM3KSA8ZmVkb3JhLTM3LXByaW1hcnlAZmVkb3JhcHJvamVjdC5v
+cmc+iQJOBBMBCAA4FiEErLXuToMcdLt8Fo0n9VrT+1MjVSoFAmESvNwCGw8FCwkI
+BwIGFQoJCAsCBBYCAwECHgECF4AACgkQ9VrT+1MjVSoPMhAAist7kK/YtcyBL/dt
+P55hPrkJT6Ay+e2Dvt4Pixe4iT32Y3jG12aoX2LY//mxVOOpV+EhXYTTb5aLt2Jj
+a8/qCKJFk7zuCOxa1hgdRcjoR7ZbU0lNjD9mMCax/YT9QafcaMEib/FlknP3g1SN
+GRSKLObTJd6BbtZXCE80JRIX+Dy6+/Oz7LXRXeKpiimhlXT1wuTaqAJEtuHdQvg7
+dkL4DzAJ2FiURVd5gvgo266WaCMafJjFRrSGHJm0c+V+0Z9NsuH80JbPm+rCUh5U
+E9PMyztqlqtldtqc1+aZ1iUbVuXY059BUmlAhmf5sAlBktY+hEabH/4kmfGccbBL
+TyBIn03Y9q9173okZSUe6q16m/hbbWI8dwkSpIADZbGGJbRi8PJpCg9y6KI355qD
+atE2irleoy6eXqpKa+uPTRBk7i/r6jDoA+u+tZyFfcEnwvSWP8cN1j5mNklvITZl
+YF1n5b3fejkZVdOmRZQNkyzMxYEd4UZFQZNYrx0nltAagRS8b5ikqNk2UTl+dyBG
+k9gLOSZhAa2JdmAqwe9rT69jaa4kZMLlxPPC3246s83t0s7lp7vF+zLPfPSvxpsU
+tg+fuT+OFKWYdBFF7VkEA+wezHAznIP6TPyQXbBpkzE889/hOXy4BYs0wy8Bpda/
+Ve2Ba329f99dSCZKImi5DPCxJY4=
+=ZmVd
+-----END PGP PUBLIC KEY BLOCK-----

seed/nginx-common/templates/nginx.conf.Debian

@@ -0,0 +1,103 @@
+# For more information on configuration, see:
+#   * Official English Documentation: http://nginx.org/en/docs/
+#   * Official Russian Documentation: http://nginx.org/ru/docs/
+
+user www-data;
+worker_processes auto;
+#GNUNUX error_log /var/log/nginx/error.log;
+#>GNUNUX
+error_log syslog:server=unix:/dev/log;
+#<GNUNUX
+
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+    #GNUNUX    access_log  /var/log/nginx/access.log  main;
+    #>GNUNUX
+    access_log syslog:server=unix:/dev/log combined;
+    error_log syslog:server=unix:/dev/log error;
+    #<GNUNUX
+
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+    keepalive_timeout   65;
+    types_hash_max_size 4096;
+
+    include             /etc/nginx/mime.types;
+    default_type        application/octet-stream;
+
+    # Load modular configuration files from the /etc/nginx/conf.d directory.
+    # See http://nginx.org/en/docs/ngx_core_module.html#include
+    # for more information.
+    include /etc/nginx/conf.d/*.conf;
+%if %%nginx_default_http
+    server {
+        listen       80;
+        listen       [::]:80;
+        server_name  _;
+        root         %%nginx_root;
+
+        # Load configuration files for the default server block.
+        include /etc/nginx/default.d/*.conf;
+
+        error_page 404 /404.html;
+        location = /404.html {
+        }
+
+        error_page 500 502 503 504 /50x.html;
+        location = /50x.html {
+        }
+    }
+%end if
+# Settings for a TLS enabled server.
+#
+%if %%nginx_default_https
+    server {
+        listen       443 ssl http2;
+ %if %%getVar('revprox_client_external_domainnames', None)
+  %for %%domain in %%revprox_client_external_domainnames
+        server_name %%domain;
+  %end for
+ %else
+        server_name  _;
+ %end if
+        root         %%nginx_root;
+
+        # ssl_certificate "/etc/pki/nginx/server.crt";
+        # ssl_certificate_key "/etc/pki/nginx/private/server.key";
+        ssl_certificate              %%revprox_crt_file;
+        ssl_certificate_key          %%revprox_key_file;
+ %if %%getVar('revprox_client_external_domainnames', None)
+        ssl_client_certificate       %%revprox_ca_file;
+ %else
+        ssl_client_certificate       /etc/pki/ca-trust/source/anchors/ca_HTTP.crt;
+ %end if
+
+        ssl_session_cache shared:SSL:1m;
+        ssl_session_timeout  10m;
+
+        # Load configuration files for the default server block.
+        include /etc/nginx/default.d/*.conf;
+
+        error_page 404 /404.html;
+        location = /40x.html {
+        }
+
+        error_page 500 502 503 504 /50x.html;
+        location = /50x.html {
+        }
+    }
+%end if
+    include /etc/nginx/sites-enabled/*;
+}

seed/nginx-common/templates/nginx.conf.Fedora

@@ -0,0 +1,112 @@
+# For more information on configuration, see:
+#   * Official English Documentation: http://nginx.org/en/docs/
+#   * Official Russian Documentation: http://nginx.org/ru/docs/
+
+user nginx;
+worker_processes auto;
+#>GNUNUX
+#error_log /var/log/nginx/error.log notice;
+error_log syslog:server=unix:/dev/log;
+#<GNUNUX
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
+include /usr/share/nginx/modules/*.conf;
+
+events {
+    worker_connections 1024;
+}
+
+http {
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+#GNUNUX    access_log  /var/log/nginx/access.log  main;
+#>GNUNUX
+    access_log syslog:server=unix:/dev/log combined;
+    error_log syslog:server=unix:/dev/log error;
+#<GNUNUX
+
+    sendfile            on;
+    tcp_nopush          on;
+#>GNUNUX
+    tcp_nodelay         on;
+#<GNUNUX
+    keepalive_timeout   65;
+    types_hash_max_size 4096;
+
+    include             /etc/nginx/mime.types;
+    default_type        application/octet-stream;
+
+    # Load modular configuration files from the /etc/nginx/conf.d directory.
+    # See http://nginx.org/en/docs/ngx_core_module.html#include
+    # for more information.
+    include /etc/nginx/conf.d/*.conf;
+
+%if %%nginx_default_http
+    server {
+        listen       80;
+        listen       [::]:80;
+        server_name  _;
+        root         %%nginx_root;
+
+        # Load configuration files for the default server block.
+        include /etc/nginx/default.d/*.conf;
+
+        error_page 404 /404.html;
+        location = /404.html {
+        }
+
+        error_page 500 502 503 504 /50x.html;
+        location = /50x.html {
+        }
+    }
+%end if
+
+# Settings for a TLS enabled server.
+#
+%if %%nginx_default_https
+    server {
+        listen       443 ssl http2;
+	#listen       [::]:443 ssl http2;
+ %if %%getVar('revprox_client_external_domainnames', None)
+  %for %%domain in %%revprox_client_external_domainnames
+        server_name %%domain;
+  %end for
+ %else
+        server_name  _;
+ %end if
+        root         %%nginx_root;
+
+#>GNUNUX
+        #ssl_certificate "/etc/pki/nginx/server.crt";
+        #ssl_certificate_key "/etc/pki/nginx/private/server.key";
+        ssl_certificate              %%revprox_crt_file;
+        ssl_certificate_key          %%revprox_key_file;
+ %if %%getVar('revprox_client_external_domainnames', None)
+        ssl_client_certificate       %%revprox_ca_file;
+ %else
+        ssl_client_certificate       /etc/pki/ca-trust/source/anchors/ca_HTTP.crt;
+ %end if
+ #<GNUNUX
+
+        ssl_session_cache shared:SSL:1m;
+        ssl_session_timeout  10m;
+        ssl_ciphers PROFILE=SYSTEM;
+        ssl_prefer_server_ciphers on;
+
+        # Load configuration files for the default server block.
+        include /etc/nginx/default.d/*.conf;
+
+        error_page 404 /404.html;
+        location = /404.html {
+        }
+
+        error_page 500 502 503 504 /50x.html;
+        location = /50x.html {
+        }
+    }
+
+%end if
+}
+

seed/nginx-reverse-proxy/templates/ca_External.crt

@@ -0,0 +1 @@
+%%get_chain(cn=%%domain_name_eth0, authority_cn=%%domain_name_eth0, authority_name="External", hide=%%hide_secret)

seed/postfix-relay/tests/test_smtp.py

@@ -0,0 +1,201 @@
+from yaml import load, SafeLoader
+from os import environ
+import pytest
+import datetime
+
+from imaplib2 import IMAP4_SSL
+from smtplib import SMTP, SMTPNotSupportedError, SMTPAuthenticationError
+
+
+
+conf_file = f'{environ["MACHINE_TEST_DIR"]}/imap.yml'
+with open(conf_file) as yaml:
+    data = load(yaml, Loader=SafeLoader)
+parameters = (
+              (1, 5, 'user', data['username'], data['username'], data['username'], [data['password']]),
+              (2, 5, 'user', data['username'], data['username'], 'alias_' + data['username'], [data['password']]),
+              (1, 3, 'family', data['username_family'], data['username_family'], data['username_family'], [data['password_family'], data['password_family'] + "2"]),
+              (3, 5, 'user', data['username'], data['ext_username'], data['username'], [data['password']]),
+             (4, 5, 'user', data['username'], data['ext_username'], 'alias_' + data['username'], [data['password']]),
+              (2, 3, 'family', data['username_family'], data['ext_username'], data['username_family'], [data['password_family'], data['password_family'] + "2"]),
+              )
+
+
+def get_msg(username, dest, msg='MESSAGE', with_date=True):
+    date = datetime.datetime.now()
+    ret = f'From: {username}\r\nTo: {dest}\r\n\r\nSubject: TEST\r\n{msg}\r\n'
+    if with_date:
+        date_str = date.strftime('%a, %d %b %Y %H:%M:%S +0200 (CEST)')
+        ret = f'Date: {date_str}\r\n{ret}'
+    return ret
+
+
+@pytest.mark.parametrize('idx, maxi, typ, login_username, username, dest, passwords', parameters)
+def test_imap_wrong_password(idx, maxi, typ, login_username, username, dest, passwords):
+    if username == data['ext_username']:
+        return
+    imap = IMAP4_SSL(data['address'])
+    try:
+        imap.LOGIN(username, 'b')
+    except:
+        pass
+    else:
+        raise Exception('wrong login !')
+
+
+@pytest.mark.parametrize('idx, maxi, typ, login_username, username, dest, passwords', parameters)
+def test_imap_migration(idx, maxi, typ, login_username, username, dest, passwords):
+    if dest.startswith('alias_'):
+        return
+    if username == data['ext_username']:
+        return
+    msg = get_msg(username, dest, 'MIGRATION', False)
+    if 'FIRST_RUN' in environ:
+        smtp = SMTP(data['address'], '587')
+        smtp.starttls()
+        error = None
+        for password in passwords:
+            try:
+                smtp.login(username, password)
+                break
+            except SMTPAuthenticationError as err:
+                error = err
+        else:
+            raise error from error
+        smtp.sendmail(username, dest, msg)
+        smtp.quit()
+    imap = IMAP4_SSL(data['address'])
+    error = None
+    for password in passwords:
+        try:
+            imap.LOGIN(username, password)
+            break
+        except Exception as err:
+            error = err
+    else:
+        raise error from error
+    imap.SELECT(readonly=True)
+    typ, req = imap.SEARCH(None, 'ALL')
+    assert typ == 'OK'
+    assert len(req) == 1
+    assert req[0] == b'1'
+    field = imap.FETCH('1', '(RFC822)')
+    assert field[0] == 'OK'
+    assert field[1][-2][-1].decode().endswith(msg)
+    imap.CLOSE()
+    imap.LOGOUT()
+
+
+@pytest.mark.parametrize('idx, maxi, typ, login_username, username, dest, passwords', parameters)
+def test_smtp_no_tls(idx, maxi, typ, login_username, username, dest, passwords):
+    if username == data['ext_username']:
+        return
+    smtp = SMTP(data['address'], '587')
+    with pytest.raises(SMTPNotSupportedError):
+        smtp.login(username, passwords[0])
+
+
+@pytest.mark.parametrize('idx, maxi, typ, login_username, username, dest, passwords', parameters)
+def test_smtp_wrong_passwd(idx, maxi, typ, login_username, username, dest, passwords):
+    if username == data['ext_username']:
+        return
+    smtp = SMTP(data['address'], '587')
+    smtp.starttls()
+    with pytest.raises(SMTPAuthenticationError):
+        smtp.login(username, 'a')
+    smtp.quit()
+
+
+@pytest.mark.parametrize('idx, maxi, typ, login_username, username, dest, passwords', parameters)
+def test_smtp_login(idx, maxi, typ, login_username, username, dest, passwords):
+    if username == data['ext_username']:
+        return
+    smtp = SMTP(data['address'], '587')
+    smtp.starttls()
+    error = None
+    for password in passwords:
+        try:
+            smtp.login(username, password)
+            break
+        except SMTPAuthenticationError as err:
+            error = err
+    else:
+        raise error from error
+    smtp.quit()
+
+
+@pytest.mark.parametrize('idx, maxi, typ, login_username, username, dest, passwords', parameters)
+def test_smtp_sendmail(idx, maxi, typ, login_username, username, dest, passwords):
+    if username == data['ext_username']:
+        smtp = SMTP(data['smtp'], '25')
+    else:
+        smtp = SMTP(data['address'], '587')
+        smtp.starttls()
+        error = None
+        for password in passwords:
+            try:
+                smtp.login(username, password)
+                break
+            except SMTPAuthenticationError as err:
+                error = err
+        else:
+            raise error from error
+    smtp.sendmail(username, dest, get_msg(username, dest))
+    smtp.quit()
+
+
+@pytest.mark.parametrize('idx, maxi, typ, login_username, username, dest, passwords', parameters)
+def test_imap_read_mail(idx, maxi, typ, login_username, username, dest, passwords):
+    imap = IMAP4_SSL(data['address'])
+    error = None
+    for password in passwords:
+        try:
+            imap.LOGIN(login_username, password)
+            break
+        except Exception as err:
+            error = err
+    else:
+        raise error from error
+    imap.SELECT(readonly=True)
+    typ, req = imap.SEARCH(None, 'ALL')
+    assert typ == 'OK'
+    assert len(req) == 1
+    msg = get_msg(username, dest, with_date=False)
+    msg_no = req[0].split()
+    assert len(msg_no) == maxi
+    num = msg_no[idx]
+    field = imap.FETCH(num, '(RFC822)')
+    assert field[0] == 'OK'
+    fdata = field[1][-2][-1].decode().split('\r\n')
+    if fdata[-2].startswith('--'):
+        fdata = fdata[:-2]
+    fdata = '\r\n'.join(fdata)
+    assert 'Undelivered' not in fdata
+    assert fdata.endswith(msg)
+    imap.CLOSE()
+    imap.LOGOUT()
+
+
+@pytest.mark.parametrize('idx, maxi, typ, login_username, username, dest, passwords', parameters)
+def test_imap_delete_mail(idx, maxi, typ, login_username, username, dest, passwords):
+    if username == data['ext_username']:
+        return
+    imap = IMAP4_SSL(data['address'])
+    error = None
+    for password in passwords:
+        try:
+            imap.LOGIN(login_username, password)
+            break
+        except Exception as err:
+            error = err
+    else:
+        raise error from error
+    imap.SELECT()
+    typ, req = imap.SEARCH(None, 'ALL')
+    msg_no = req[0].split()
+    for num in msg_no[1:]:
+        ret = imap.store(num, '+FLAGS', '\\Deleted')
+        assert ret[0] == 'OK', f'error when deleting mail: {ret}'
+    imap.expunge()
+    imap.CLOSE()
+    imap.LOGOUT()

seed/reverse-proxy-client/templates/reverse-proxy.yml

@@ -0,0 +1 @@
+ca_certificate: ../../%%{revprox_client_server_domainname.split('.', 1)[0]}.*/etc/pki/ca-trust/source/anchors/ca_External.crt