From 5ccb69012b965b093d8c3babc0e21b8cf95cf250 Mon Sep 17 00:00:00 2001
From: Emmanuel Garette <egarette@cadoles.com>
Date: Wed, 4 May 2022 10:29:03 +0200
Subject: [PATCH] dovecot

---
 .../2022.03.08/apache/dictionaries/20_web.xml |  9 +-
 .../base/manual/install/install_host          |  4 +-
 .../base/manual/install/install_image         | 28 ++++--
 .../base/manual/install/install_images        |  4 +-
 .../base/manual/install/install_machine       | 11 ++-
 .../base/manual/install/install_machines      |  4 +-
 .../2022.03.08/dovecot/applicationservice.yml |  2 +-
 .../dovecot/dictionaries/22_dovecot.xml       | 39 ++------
 .../2022.03.08/dovecot/templates/10-mail.conf |  6 +-
 .../dovecot/templates/auth-ldap.conf.ext      | 21 ++--
 .../templates/ca_InternalReverseProxy.crt     |  1 -
 .../dovecot/templates/dovecot-ldap.conf.ext   |  7 +-
 .../2022.03.08/dovecot/templates/main.cf      |  4 +-
 .../2022.03.08/dovecot/templates/revprox.crt  |  2 -
 .../2022.03.08/dovecot/templates/revprox.key  |  1 -
 .../dovecot/templates/sysuser-dovecot.conf    |  2 +-
 .../dovecot/templates/tmpfile-dovecot.conf    |  3 +
 .../dovecot/templates/tmpfile-postfix.conf    |  1 -
 .../gitea/dictionaries/31_gitea.xml           |  1 +
 .../dictionaries/21_ldap-client.xml           | 17 +++-
 .../ldap-client/funcs/openldap_client.py      |  8 ++
 .../ldap-client/templates/ldap.conf           |  2 +-
 .../lemonldap/templates/lmConf-1.json         |  8 +-
 .../manual/image/postinstall/postorius.sh     |  6 +-
 .../nextcloud/templates/nextcloud.init        |  6 +-
 .../nginx-common/dictionaries/20_nginx.xml    | 29 ++++--
 .../templates/default-nginx-ssl.conf          | 10 --
 .../nginx-common/templates/nginx.conf         | 62 ++++++------
 .../nginx-https/applicationservice.yml        |  1 +
 .../nginx-https/dictionaries/25_nginx.xml     | 41 +++++---
 .../templates/ca_InternalReverseProxy.crt     |  1 -
 .../nginx-https/templates/nginx.crt           |  3 +-
 .../nginx-https/templates/nginx.key           |  2 +-
 .../nginx-https/templates/risotto.conf        | 54 ++++-------
 .../dictionaries/25_nginx.xml                 |  3 +-
 .../2022.03.08/nsd/funcs/funcs.py             | 29 ++++--
 .../2022.03.08/nsd/templates/nsd.reverse      |  2 +-
 .../2022.03.08/nsd/templates/nsd.zone         |  2 +-
 .../dictionaries/21_openldap-server.xml       |  5 +-
 .../openldap/extras/accounts/00_account.xml   |  1 +
 .../openldap/templates/config_acl.ldif        | 26 +++--
 .../2022.03.08/openldap/templates/users.ldif  | 10 +-
 .../openldap/templates/users_mod.ldif         | 17 ++++
 .../peertube/dictionaries/30_peertube.xml     |  4 +-
 .../manual/image/postinstall/peertube.sh      |  2 +-
 .../2022.03.08/php-fpm/DEBUG.md               |  6 ++
 .../php-fpm/dictionaries/20_phpfpm.xml        | 14 +--
 .../2022.03.08/piwigo/applicationservice.yml  |  1 -
 .../piwigo/dictionaries/31_piwigo.xml         |  8 +-
 .../piwigo/manual/image/postinstall/piwigo.sh |  6 +-
 .../2022.03.08/postfix-relay/funcs/postfix.py |  2 +-
 .../dictionaries/21_nginx_client.xml          |  9 --
 .../2022.03.08/roundcube/DEBUG.md             |  5 +
 .../roundcube/applicationservice.yml          |  3 +-
 .../roundcube/dictionaries/31_roundcube.xml   | 14 ++-
 .../manual/image/postinstall/roundcube.sh     |  8 ++
 .../roundcube/templates/config.inc.php        |  6 +-
 .../roundcube/templates/roundcube.service     |  2 +-
 .../roundcube/templates/roundcubemail.conf    | 97 +++++++++----------
 .../dictionaries/40_vaultwarden.xml           |  1 +
 60 files changed, 384 insertions(+), 299 deletions(-)
 delete mode 100644 seed/applicationservice/2022.03.08/dovecot/templates/ca_InternalReverseProxy.crt
 delete mode 100644 seed/applicationservice/2022.03.08/dovecot/templates/revprox.crt
 delete mode 100644 seed/applicationservice/2022.03.08/dovecot/templates/revprox.key
 delete mode 100644 seed/applicationservice/2022.03.08/nginx-common/templates/default-nginx-ssl.conf
 delete mode 100644 seed/applicationservice/2022.03.08/nginx-https/templates/ca_InternalReverseProxy.crt
 create mode 100644 seed/applicationservice/2022.03.08/php-fpm/DEBUG.md
 create mode 100644 seed/applicationservice/2022.03.08/roundcube/manual/image/postinstall/roundcube.sh

diff --git a/seed/applicationservice/2022.03.08/apache/dictionaries/20_web.xml b/seed/applicationservice/2022.03.08/apache/dictionaries/20_web.xml
index 62fb7c5..0b6dcf8 100644
--- a/seed/applicationservice/2022.03.08/apache/dictionaries/20_web.xml
+++ b/seed/applicationservice/2022.03.08/apache/dictionaries/20_web.xml
@@ -2,6 +2,7 @@
 <rougail version="0.10">
   <services>
     <service name="httpd" target="multi-user">
+      <file>/etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt</file>
       <file>/etc/httpd/conf/httpd.conf</file>
       <file>/etc/httpd/conf.d/risotto.conf</file>
       <file>/etc/httpd/conf.d/ssl.conf</file>
@@ -13,9 +14,11 @@
     </service>
   </services>
   <variables>
-    <variable name="php_fpm_user" redefine="True" exists="True">
-      <value>apache</value>
-    </variable>
+    <family name="nginx">
+      <variable name="php_fpm_user" redefine="True" exists="True">
+        <value>apache</value>
+      </variable>
+    </family>
     <family name="apache" description="Apache" help="Paramètrage avancé du serveur web Apache">
       <variable name="apache_timeout" type="number" description="Temps en secondes pendant lequel le serveur va attendre des entrées/sorties avant de considérer qu'une requête a échoué">
         <value>300</value>
diff --git a/seed/applicationservice/2022.03.08/base/manual/install/install_host b/seed/applicationservice/2022.03.08/base/manual/install/install_host
index 68faef0..03ab9aa 100755
--- a/seed/applicationservice/2022.03.08/base/manual/install/install_host
+++ b/seed/applicationservice/2022.03.08/base/manual/install/install_host
@@ -1,4 +1,4 @@
-#!/bin/bash -xe
+#!/bin/bash -e
 
 HOST_NAME=$1
 if [ -z "$HOST_NAME" ]; then
@@ -24,4 +24,6 @@ systemctl restart systemd-resolved
 #nft 'add rule nat postrouting ip saddr 192.168.45.10 oif enp0s8 tcp dport 53 snat to 10.0.3.15'
 #nft 'add rule nat postrouting ip saddr 192.168.45.10 oif enp0s8 udp dport 53 snat to 10.0.3.15'
 
+echo "install host OK"
+
 exit 0
diff --git a/seed/applicationservice/2022.03.08/base/manual/install/install_image b/seed/applicationservice/2022.03.08/base/manual/install/install_image
index 36a3b5d..b412782 100755
--- a/seed/applicationservice/2022.03.08/base/manual/install/install_image
+++ b/seed/applicationservice/2022.03.08/base/manual/install/install_image
@@ -1,4 +1,4 @@
-#!/bin/bash -xe
+#!/bin/bash -e
 
 HOST_NAME=$1
 IMAGE_NAME=$2
@@ -14,7 +14,7 @@ rm -rf "$IMAGE_NAME_RISOTTO_IMAGE_DIR" tmp
 mkdir -p "$RISOTTO_IMAGE_DIR"
 PKG=""
 BASE_DIR=""
-for script in $(ls $IMAGE_NAME/preinstall/*.sh 2> /dev/null); do
+for script in $(ls $IMAGE_NAME/manual/preinstall/*.sh 2> /dev/null); do
     . "$script"
 done
 
@@ -46,7 +46,7 @@ function new_package_base() {
         OPT=$(dnf_opt "$BASE_DIR" "$BASE_PKG")
         dnf --assumeno $OPT | grep ^" " > "$BASE_PKGS_FILE".new
     else
-        debootstrap --include="$BASE_PKG" --variant=minbase "$RELEASEVER" "$BASE_DIR"
+        debootstrap --include="$BASE_PKG" --variant=minbase "$RELEASEVER" "$BASE_DIR" > /dev/null
         chroot "$BASE_DIR" dpkg-query -f '${binary:Package} ${source:Version}\n' -W > "$BASE_PKGS_FILE".new
     fi
 }
@@ -75,6 +75,7 @@ function install_pkg() {
 
 
 if [ ! -f "$BASE_LOCK" ]; then
+    echo "  - reinstallation de l'image de base"
     rm -rf "$BASE_DIR"
     new_package_base
     diff -u "$BASE_PKGS_FILE" "$BASE_PKGS_FILE".new && NEW_BASE=false || NEW_BASE=true
@@ -83,7 +84,7 @@ if [ ! -f "$BASE_LOCK" ]; then
         install_base
         cd "$IMAGE_BASE_RISOTTO_BASE_DIR"
         tar cf "$BASE_TAR" "$BASE_NAME"
-        cd -
+        cd - > /dev/null
         if [ -f "$BASE_PKGS_FILE" ]; then
             mv "$BASE_PKGS_FILE" "$BASE_PKGS_FILE".old
         fi
@@ -100,8 +101,8 @@ if [ -n "$COPR" ]; then
     #FIXME signature...
     mkdir -p "$REPO_DIR"
     cd "$REPO_DIR"
-    wget "$COPR"
-    cd -
+    wget -q "$COPR"
+    cd - > /dev/null
 fi
 if [ "$FUSION" = true ]; then
     dnf -y install "https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$RELEASEVER.noarch.rpm" --installroot="$IMAGE_NAME_RISOTTO_IMAGE_DIR"
@@ -109,19 +110,24 @@ fi
 
 # FIXME verifier s'il y a des modifs sur pre/post
 if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs ] && [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs ]; then
-    echo "Différence(s) avec les paquets de base"
+    echo "  - différence(s) avec les paquets de base"
     diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs "$BASE_PKGS_FILE" && NEW_BASE=false || NEW_BASE=true
 else
     NEW_BASE=true
 fi
 new_package
 if [ "$NEW_BASE" = false ]; then
-    echo "Différence(s) avec les paquets de l'image"
+    echo "  - différence(s) avec les paquets de l'image"
     diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new && INSTALL=false || INSTALL=true
 else
     INSTALL=true
 fi
+find $IMAGE_NAME/manual -type f -exec md5sum '{}' \; > "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum.new
+if [ "$NEW_BASE" = false ]; then
+    diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum.new && INSTALL=false || INSTALL=true
+fi
 if [ "$INSTALL" = true ]; then
+    echo "  - installation"
     if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version ]; then
         VERSION=$(cat "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version)
     else
@@ -145,7 +151,7 @@ if [ "$INSTALL" = true ]; then
     install_pkg
     sleep 2
     
-    for script in $(ls $IMAGE_NAME/postinstall/*.sh 2> /dev/null); do
+    for script in $(ls $IMAGE_NAME/manual/postinstall/*.sh 2> /dev/null); do
         . "$script"
     done
     
@@ -161,11 +167,13 @@ if [ "$INSTALL" = true ]; then
     fi
     tar cf "$IMAGE_NAME_RISOTTO_IMAGE_NAME" "$IMAGE_NAME"
     sha256sum "$IMAGE_NAME_RISOTTO_IMAGE_NAME" > "$IMAGE_NAME_RISOTTO_IMAGE_NAME".sha
-    cd -
+    cd - > /dev/null
     cp -f "$BASE_PKGS_FILE" "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs
     mv -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs
+    mv -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum.new "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum
     VERSION=$((VERSION + 1)) 
     echo "$VERSION" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version
 fi
 rm -rf "$IMAGE_NAME_RISOTTO_IMAGE_DIR"
+echo "  => OK"
 exit 0
diff --git a/seed/applicationservice/2022.03.08/base/manual/install/install_images b/seed/applicationservice/2022.03.08/base/manual/install/install_images
index 31df9cd..c9f5f2d 100755
--- a/seed/applicationservice/2022.03.08/base/manual/install/install_images
+++ b/seed/applicationservice/2022.03.08/base/manual/install/install_images
@@ -1,4 +1,4 @@
-#!/bin/bash -xe
+#!/bin/bash -e
 HOST_NAME=$1
 if [ -z "$HOST_NAME" ]; then
     echo "usage: $0 host name"
@@ -8,6 +8,8 @@ fi
 rm -f $IMAGE_BASE_RISOTTO_BASE_DIR*.build
 for image in *; do
     if [ -d "$image" ]; then
+	echo
+        echo "Install image $image"
         ./install_image "$HOST_NAME" "$image"
     fi
 done
diff --git a/seed/applicationservice/2022.03.08/base/manual/install/install_machine b/seed/applicationservice/2022.03.08/base/manual/install/install_machine
index ca04cf4..d6aec7b 100755
--- a/seed/applicationservice/2022.03.08/base/manual/install/install_machine
+++ b/seed/applicationservice/2022.03.08/base/manual/install/install_machine
@@ -1,4 +1,4 @@
-#!/bin/bash -xe
+#!/bin/bash -e
 HOST_NAME=$1
 IMAGE_NAME=$2
 MACHINE=$3
@@ -26,19 +26,19 @@ if [ -L "$MACHINE_MACHINES_DIR" ] || [ -d "$MACHINE_MACHINES_DIR" ]; then
     diff -q --no-dereference -Nru "$MACHINE_RISOTTO_CONFIG_DIR" "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" || NEW_CONF=true
 fi
 if [ "$NEW_IMAGE" = true ] || [ "$NEW_CONF" = true ]; then
+    echo "  - stop $IMAGE_NAME"
     machinectl stop "$MACHINE" 2> /dev/null || true
     while true; do
         machinectl status "$MACHINE" > /dev/null 2>&1 || break
         sleep 1
-        echo "retry..."
     done
 fi
 if [ "$NEW_IMAGE" = true ]; then
-    echo "SUPPRIME ANCIENNE IMAGE"
+    echo "  - delete old image"
     rm -rf "$MACHINE_MACHINES_DIR"
 fi
 if [ "$NEW_CONF" = true ]; then
-    echo "SUPPRIME ANCIENNE CONF"
+    echo "  - delete old settings"
     ./diff.py "$MACHINE" "$MACHINE_RISOTTO_CONFIG_DIR" "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" > "$MACHINE_RISOTTO_CONFIG_DIR"_changelog.md
     rm -rf "$MACHINE_RISOTTO_CONFIG_DIR"
 fi
@@ -58,7 +58,8 @@ if [ ! -d "$MACHINE_MACHINES_DIR" ]; then
     mkdir -p "$SHA_MACHINE_DIR"
     cp -a "$IMAGE_NAME_RISOTTO_IMAGE_NAME".sha "$SHA_MACHINE"
     mv "$IMAGE_NAME" "$MACHINE_MACHINES_DIR"
-    cd -
+    cd - > /dev/null
 fi
 
+echo "  => OK"
 exit 0
diff --git a/seed/applicationservice/2022.03.08/base/manual/install/install_machines b/seed/applicationservice/2022.03.08/base/manual/install/install_machines
index 70e5f0d..f053a5f 100755
--- a/seed/applicationservice/2022.03.08/base/manual/install/install_machines
+++ b/seed/applicationservice/2022.03.08/base/manual/install/install_machines
@@ -1,4 +1,4 @@
-#!/bin/bash -xe
+#!/bin/bash -e
 HOST_NAME=$1
 if [ -z "$HOST_NAME" ]; then
     echo "usage: $0 host name"
@@ -14,6 +14,8 @@ for image in *; do
                 if [ -f "host/configurations/$HOST_NAME/etc/systemd/nspawn/$osname.nspawn" ]; then
                     MACHINES="$MACHINES$osname "
                 fi
+		echo
+                echo "Install machine $image"
                 ./install_machine "$HOST_NAME" "$image" "$osname"
             fi
         done
diff --git a/seed/applicationservice/2022.03.08/dovecot/applicationservice.yml b/seed/applicationservice/2022.03.08/dovecot/applicationservice.yml
index 3482af2..61f85e8 100644
--- a/seed/applicationservice/2022.03.08/dovecot/applicationservice.yml
+++ b/seed/applicationservice/2022.03.08/dovecot/applicationservice.yml
@@ -5,4 +5,4 @@ depends:
   - relay-mail-client
   - ldap-client-fedora
   - oauth2-client
-  - nginx-common
+  - nginx-https
diff --git a/seed/applicationservice/2022.03.08/dovecot/dictionaries/22_dovecot.xml b/seed/applicationservice/2022.03.08/dovecot/dictionaries/22_dovecot.xml
index 9a4717e..61ea6f2 100644
--- a/seed/applicationservice/2022.03.08/dovecot/dictionaries/22_dovecot.xml
+++ b/seed/applicationservice/2022.03.08/dovecot/dictionaries/22_dovecot.xml
@@ -7,7 +7,6 @@
       <file engine="none" source="tmpfile-postfix.conf">/tmpfiles.d/0postfix.conf</file>
       <file>/etc/postfix/main.cf</file>
       <file>/etc/postfix/master.cf</file>
-      <file>/etc/postfix/ldapsource.cf</file>
       <file>/etc/postfix/relay_passwd</file>
       <file>/etc/pki/ca-trust/source/anchors/ca_MailServer.crt</file>
       <file>/etc/pki/tls/certs/postfix.crt</file>
@@ -22,9 +21,6 @@
     </service>
     <service name='nginx'>
       <file source='config-v1.1.xml' file_type="variable" variable="mail_domains">well_known_filenames</file>
-      <file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_ca_file</file>
-      <file file_type="variable" source="revprox.crt">revprox_cert_file</file>
-      <file file_type="variable" source="revprox.key" mode="400">revprox_key_file</file>
     </service>
     <service name="dovecot" target="multi-user">
       <file engine="none" source="sysuser-dovecot.conf">/sysusers.d/1dovecot.conf</file>
@@ -69,7 +65,7 @@
     </family>
     <family name="mail" description="Mail domain" leadership="True">
       <variable name="mail_domains" type="domainname" description="Domaine de courriel géré localement" mandatory="True" multi="True"/>
-      <variable name="mail_domains_calc" type="domainname" multi="True" hidden="True"/>
+      <variable name="mail_domains_calc" type="domainname" hidden="True"/>
       <variable name="imap_domainname" type="domainname" mandatory="True"/>
       <variable name="submission_domainname" type="domainname" mandatory="True"/>
     </family>
@@ -88,11 +84,11 @@
       </family>
     </family>
     <family name="nginx">
-      <variable name="nginx_default" redefine="True" remove_fill="True" mandatory="False"/>
-      <variable name="revprox_ca_file" type="filename" description="Reverse proxy CA filename" hidden="True"/>
-      <variable name="revprox_cert_file" type="filename" description="Reverse proxy certificate filename" hidden="True"/>
-      <variable name="revprox_key_file" type="filename" description="Reverse proxy private key filename" hidden="True"/>
-      <variable name="revprox_server_domainname" type="domainname" description="Reverse proxy domain name for CA" mandatory="True"/>
+      <family name="revprox_client">
+        <variable name="revprox_client_location" redefine="True" mandatory="False">
+          <value/>
+        </variable>
+      </family>
     </family>
   </variables>
   <constraints>
@@ -115,24 +111,6 @@
       <param name="dynamic" type="variable">domain_name_eth0</param>
       <target>mail_domains</target>
     </check>
-    <fill name="calc_value">
-      <param type="variable">tls_ca_directory</param>
-      <param>ca_InternalReverseProxy.crt</param>
-      <param name="join">/</param>
-      <target>revprox_ca_file</target>
-    </fill>
-    <fill name="calc_value">
-      <param type="variable">tls_cert_directory</param>
-      <param>revprox.crt</param>
-      <param name="join">/</param>
-      <target>revprox_cert_file</target>
-    </fill>
-    <fill name="calc_value">
-      <param type="variable">tls_key_directory</param>
-      <param>revprox.key</param>
-      <param name="join">/</param>
-      <target>revprox_key_file</target>
-    </fill>
     <fill name="calc_value">
       <param>/etc/pki/tls/certs/imap_</param>
       <param type="variable">imap_domainname</param>
@@ -159,7 +137,6 @@
     </fill>
     <fill name="calc_value">
       <param type="variable">mail_domains</param>
-      <param name="multi" type="boolean">True</param>
       <target>mail_domains_calc</target>
     </fill>
     <fill name="calc_value">
@@ -172,7 +149,7 @@
       <target>well_known_filenames</target>
     </fill>
     <check name="set_linked_multi_variables">
-      <param type="variable">revprox_server_domainname</param>
+      <param type="variable">revprox_client_server_domainname</param>
       <param name="linked_provider_0">revprox_clients</param>
       <param name="linked_provider_1">revprox_location</param>
       <param name="linked_value_1">/.well-known/autoconfig/mail/config-v1.1.xml</param>
@@ -183,7 +160,7 @@
       <target>mail_domains_calc</target>
     </check>
     <check name="set_linked_multi_variables">
-      <param type="variable">revprox_server_domainname</param>
+      <param type="variable">revprox_client_server_domainname</param>
       <param name="linked_provider_0">revprox_clients</param>
       <param name="linked_provider_1">revprox_location</param>
       <param name="linked_value_1">/autodiscover/autodiscover.xml</param>
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/10-mail.conf b/seed/applicationservice/2022.03.08/dovecot/templates/10-mail.conf
index a6dcb17..8edb816 100644
--- a/seed/applicationservice/2022.03.08/dovecot/templates/10-mail.conf
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/10-mail.conf
@@ -28,7 +28,7 @@
 # <doc/wiki/MailLocation.txt>
 #
 #>GNUNUX
-mail_location = maildir:/srv/mail/%u
+mail_location = maildir:~/
 #<GNUNUX
 
 # If you need to set multiple mailbox locations or want to change default
@@ -107,8 +107,8 @@ namespace inbox {
 # System user and group used to access mails. If you use multiple, userdb
 # can override these by returning uid or gid fields. You can use either numbers
 # or names. <doc/wiki/UserIds.txt>
-#mail_uid =
-#mail_gid =
+mail_uid = vmail
+mail_gid = vmail
 
 # Group to enable temporarily for privileged operations. Currently this is
 # used only with INBOX when either its initial creation or dotlocking fails.
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/auth-ldap.conf.ext b/seed/applicationservice/2022.03.08/dovecot/templates/auth-ldap.conf.ext
index 1b459c0..2db1a3c 100644
--- a/seed/applicationservice/2022.03.08/dovecot/templates/auth-ldap.conf.ext
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/auth-ldap.conf.ext
@@ -16,13 +16,14 @@ passdb {
 #  driver = prefetch
 #}
 
-# GNUNUX userdb {
-# GNUNUX   driver = ldap
-# GNUNUX   args = /etc/dovecot/dovecot-ldap.conf.ext
-# GNUNUX   
-# GNUNUX   # Default fields can be used to specify defaults that LDAP may override
-# GNUNUX   #default_fields = home=/home/virtual/%u
-# GNUNUX }
+userdb {
+  driver = ldap
+# GNUNUX  args = /etc/dovecot/dovecot-ldap.conf.ext
+  args = /etc/dovecot/dovecot-ldap.conf.ext
+  
+  # Default fields can be used to specify defaults that LDAP may override
+  #default_fields = home=/home/virtual/%u
+}
 
 # If you don't have any user-specific settings, you can avoid the userdb LDAP
 # lookup by using userdb static instead of userdb ldap, for example:
@@ -31,9 +32,3 @@ passdb {
   #driver = static
   #args = uid=vmail gid=vmail home=/var/vmail/%u
 #}
-#>GNUNUX
-userdb {
-  driver = static
-  args = uid=vmail gid=vmail home=/srv/mail/%u
-}
-#<GNUNUX
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/ca_InternalReverseProxy.crt b/seed/applicationservice/2022.03.08/dovecot/templates/ca_InternalReverseProxy.crt
deleted file mode 100644
index 172e3cd..0000000
--- a/seed/applicationservice/2022.03.08/dovecot/templates/ca_InternalReverseProxy.crt
+++ /dev/null
@@ -1 +0,0 @@
-%%get_chain(%%revprox_server_domainname, authority_name='InternalReverseProxy')
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/dovecot-ldap.conf.ext b/seed/applicationservice/2022.03.08/dovecot/templates/dovecot-ldap.conf.ext
index 4bc7f34..d721fdc 100644
--- a/seed/applicationservice/2022.03.08/dovecot/templates/dovecot-ldap.conf.ext
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/dovecot-ldap.conf.ext
@@ -99,7 +99,7 @@ tls_require_cert = hard
 #auth_bind_userdn =
 #>GNUNUX
 auth_bind = yes
-auth_bind_userdn = cn=%u,ou=users,%%ldap_base_dn
+auth_bind_userdn = cn=%u,%%ldapclient_base_dn
 #<GNUNUX
 
 # LDAP protocol version to use. Likely 2 or 3.
@@ -108,7 +108,7 @@ auth_bind_userdn = cn=%u,ou=users,%%ldap_base_dn
 # LDAP base. %variables can be used here.
 # For example: dc=mail, dc=example, dc=org
 # GNUNUX base =
-base = ou=users,%%ldap_base_dn
+base = %%ldapclient_base_dn
 
 # Dereference: never, searching, finding, always
 #deref = never
@@ -126,6 +126,9 @@ base = ou=users,%%ldap_base_dn
 # There are also other special fields which can be returned, see
 # http://wiki2.dovecot.org/UserDatabase/ExtraFields
 #user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
+#>GNUNUX
+user_attrs = homeDirectory=home
+#<GNUNUX
 
 # Filter for user lookup. Some variables can be used (see
 # http://wiki2.dovecot.org/Variables for full list):
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/main.cf b/seed/applicationservice/2022.03.08/dovecot/templates/main.cf
index 42e60f8..3b4b980 100644
--- a/seed/applicationservice/2022.03.08/dovecot/templates/main.cf
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/main.cf
@@ -784,7 +784,6 @@ smtpd_use_tls = yes
 mailbox_size_limit = 0
 message_size_limit = 202400000
 biff = no
-#virtual_maps = ldap:/etc/postfix/ldapsource.cf
 smtpd_tls_loglevel = 1
 smtp_tls_note_starttls_offer = yes
 smtpd_tls_auth_only = yes
@@ -804,12 +803,11 @@ dovecot_destination_recipient_limit = 1
 %%domains.append(%%str(%%domain))%slurp
 %end for
 virtual_mailbox_domains = %echo ', '.join(%%domains)
-virtual_mailbox_maps = ldap:/etc/postfix/ldapsource.cf
 virtual_alias_maps = ldap:/etc/postfix/ldapsource.cf
 virtual_minimum_uid = 1000
 #vmail uid
 virtual_uid_maps = static:999
 virtual_gid_maps = static:999
 virtual_transport = dovecot
-virtual_mailbox_base = /srv/mail
+#virtual_mailbox_base = /srv/mail
 #<GNUNUX
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/revprox.crt b/seed/applicationservice/2022.03.08/dovecot/templates/revprox.crt
deleted file mode 100644
index 14fccb1..0000000
--- a/seed/applicationservice/2022.03.08/dovecot/templates/revprox.crt
+++ /dev/null
@@ -1,2 +0,0 @@
-%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_server_domainname, authority_name='InternalReverseProxy', type="server")
-%%get_chain(%%revprox_server_domainname, 'InternalReverseProxy')
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/revprox.key b/seed/applicationservice/2022.03.08/dovecot/templates/revprox.key
deleted file mode 100644
index 649ae0b..0000000
--- a/seed/applicationservice/2022.03.08/dovecot/templates/revprox.key
+++ /dev/null
@@ -1 +0,0 @@
-%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_server_domainname, authority_name='InternalReverseProxy', type='server')
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/sysuser-dovecot.conf b/seed/applicationservice/2022.03.08/dovecot/templates/sysuser-dovecot.conf
index a334d8e..21bd39d 100644
--- a/seed/applicationservice/2022.03.08/dovecot/templates/sysuser-dovecot.conf
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/sysuser-dovecot.conf
@@ -3,4 +3,4 @@ g dovenull 982 -
 g vmail 999 -
 u dovecot 97:97     "Dovecot IMAP server" /usr/libexec/dovecot	/sbin/nologin
 u dovenull 984:982     "Dovecot's unauthorized user" /usr/libexec/dovecot	/sbin/nologin
-u vmail 999:999     "Virtual mail user" /srv/mail	/sbin/nologin
+u vmail 999:999     "Virtual mail user" /srv/home	/sbin/nologin
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/tmpfile-dovecot.conf b/seed/applicationservice/2022.03.08/dovecot/templates/tmpfile-dovecot.conf
index a0776cc..b2a979a 100644
--- a/seed/applicationservice/2022.03.08/dovecot/templates/tmpfile-dovecot.conf
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/tmpfile-dovecot.conf
@@ -1 +1,4 @@
 d /srv/dovecot 750 dovecot postfix - -
+d /srv/home 750 root vmail - -
+d /srv/home/users 770 root vmail - -
+d /srv/home/families 770 root vmail - -
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/tmpfile-postfix.conf b/seed/applicationservice/2022.03.08/dovecot/templates/tmpfile-postfix.conf
index 98e5358..2d727df 100644
--- a/seed/applicationservice/2022.03.08/dovecot/templates/tmpfile-postfix.conf
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/tmpfile-postfix.conf
@@ -1,5 +1,4 @@
 d /srv/postfix 750 postfix postfix - -
 d /srv/postfix/data 750 postfix postfix - -
 d /srv/postfix/spool 755 root root - -
-d /srv/mail 770 root vmail - -
 d /var/lib/misc/ 755 root root - -
diff --git a/seed/applicationservice/2022.03.08/gitea/dictionaries/31_gitea.xml b/seed/applicationservice/2022.03.08/gitea/dictionaries/31_gitea.xml
index 5cce308..705cc1c 100644
--- a/seed/applicationservice/2022.03.08/gitea/dictionaries/31_gitea.xml
+++ b/seed/applicationservice/2022.03.08/gitea/dictionaries/31_gitea.xml
@@ -2,6 +2,7 @@
 <rougail version="0.10">
   <services>
     <service name="gitea" target="multi-user" engine="creole">
+      <file>/etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt</file>
       <file engine="none" source="sysuser-gitea.conf">/sysusers.d/0gitea.conf</file>
       <file engine="none" source="tmpfile-gitea.conf">/tmpfiles.d/0gitea.conf</file>
       <file>/etc/gitea/app.ini</file>
diff --git a/seed/applicationservice/2022.03.08/ldap-client/dictionaries/21_ldap-client.xml b/seed/applicationservice/2022.03.08/ldap-client/dictionaries/21_ldap-client.xml
index 1972067..cf7751b 100644
--- a/seed/applicationservice/2022.03.08/ldap-client/dictionaries/21_ldap-client.xml
+++ b/seed/applicationservice/2022.03.08/ldap-client/dictionaries/21_ldap-client.xml
@@ -12,9 +12,11 @@
   <variables>
     <family name="annuaire">
       <variable name='ldap_server_address' type='domainname' description="Nom DNS du serveur LDAP" mandatory='True'/>
+      <variable name='ldapclient_family' type='unix_user' description="L'arbre LDAP est de type famille"/>
       <variable name='ldapclient_remote_user' type='string' description="DN de l'tilisateur distant" mandatory='True' hidden="True"/>
       <variable name='ldapclient_remote_user_password' type='password' description="Mot de passe de l'utilisateur distant" mandatory='True' hidden="True"/>
       <variable name='ldap_base_dn' type='string' description="Base DN de l'annuaire" mandatory="True" test="dc=test,o=fr"/>
+      <variable name='ldapclient_base_dn' type='string' description="Base DN de l'annuaire" mandatory="True"/>
       <variable name='ldap_port' type='port' description='Port du serveur LDAP' mandatory='True' test="636"/>
       <variable name="ldap_ca_file" type="filename" description="LDAP CA filename" hidden="True"/>
       <variable name="ldap_cert_file" type="filename" description="LDAP certificate filename" hidden="True"/>
@@ -31,6 +33,11 @@
     <check name='valid_base_dn'>
       <target>ldap_base_dn</target>
     </check>
+    <fill name="calc_ldapclient_base_dn">
+      <param type="variable">ldap_base_dn</param>
+      <param type="variable">ldapclient_family</param>
+      <target>ldapclient_base_dn</target>
+    </fill>
     <fill name="calc_value">
       <param type="variable">tls_ca_directory</param>
       <param>ca_LDAP.crt</param>
@@ -65,13 +72,19 @@
     </fill>
     <fill name="get_linked_configuration">
       <param name="linked_server" type="variable">ldap_server_address</param>
-      <param name="linked_provider">LDAP_DN</param>
+      <param name="linked_provider">ldap_dn</param>
       <target>ldap_base_dn</target>
     </fill>
     <fill name="get_linked_configuration">
       <param name="linked_server" type="variable">ldap_server_address</param>
-      <param name="linked_provider">LDAP_PORT</param>
+      <param name="linked_provider">ldap_port</param>
       <target>ldap_port</target>
     </fill>
+    <check name="set_linked_configuration">
+      <param name="linked_server" type="variable">ldap_server_address</param>
+      <param name="linked_provider">client_family</param>
+      <param name="dynamic" type="variable">domain_name_eth0</param>
+      <target>ldapclient_family</target>
+    </check>
   </constraints>
 </rougail>
diff --git a/seed/applicationservice/2022.03.08/ldap-client/funcs/openldap_client.py b/seed/applicationservice/2022.03.08/ldap-client/funcs/openldap_client.py
index 1e606da..43efc52 100644
--- a/seed/applicationservice/2022.03.08/ldap-client/funcs/openldap_client.py
+++ b/seed/applicationservice/2022.03.08/ldap-client/funcs/openldap_client.py
@@ -4,3 +4,11 @@ def valid_base_dn(base_dn: str) -> None:
             break
     else:
         raise ValueError('La racine doit débuter par une organisation (o=), une composante du domaine (dc=) ou une unité organisationnelle (ou=)')
+
+
+def calc_ldapclient_base_dn(ldap_base_dn: str,
+                            family_name: str,
+                            ) -> str:
+    if not family_name:
+        return f'ou=users,{ldap_base_dn}'
+    return f'ou={family_name},ou=families,{ldap_base_dn}'
diff --git a/seed/applicationservice/2022.03.08/ldap-client/templates/ldap.conf b/seed/applicationservice/2022.03.08/ldap-client/templates/ldap.conf
index 907b975..0b20b64 100644
--- a/seed/applicationservice/2022.03.08/ldap-client/templates/ldap.conf
+++ b/seed/applicationservice/2022.03.08/ldap-client/templates/ldap.conf
@@ -6,7 +6,7 @@
 # This file should be world readable but not world writable.
 
 #BASE	dc=example,dc=com
-BASE ou=users,%%ldap_base_dn
+BASE %%ldapclient_base_dn
 #URI	ldap://ldap.example.com ldap://ldap-master.example.com:666
 URI ldaps://%%ldap_server_address:%%ldap_port
 
diff --git a/seed/applicationservice/2022.03.08/lemonldap/templates/lmConf-1.json b/seed/applicationservice/2022.03.08/lemonldap/templates/lmConf-1.json
index 03bd7d8..3410a9f 100644
--- a/seed/applicationservice/2022.03.08/lemonldap/templates/lmConf-1.json
+++ b/seed/applicationservice/2022.03.08/lemonldap/templates/lmConf-1.json
@@ -13,13 +13,14 @@ commentStartToken = §
    "ldapPpolicyControl" : 1,
    "ldapAllowResetExpiredPassword" : 1,
    "ldapChangePasswordAsUser" : 1,
-   "ldapBase" : "ou=users,%%ldap_base_dn",
+   "ldapBase" : "%%ldapclient_base_dn",
    "ldapExportedVars" : {
       "uid" : "uid",
       "cn" : "cn",
       "sn" : "sn",
       "mail" : "mail",
-      "givenName" : "givenName"
+      "givenName" : "givenName",
+      "home" : "homeDirectory"
    },
    "ldapGroupAttributeName" : "memberUid",
    "ldapGroupAttributeNameUser" : "cn",
@@ -99,7 +100,8 @@ commentStartToken = §
          "email" : "mail",
          "family_name" : "sn",
          "name" : "cn",
-	 "nickname" : "uid"
+	 "nickname" : "uid",
+	 "home" : "home"
   %if %%len_app - 1 == %%idx
       }
   %else
diff --git a/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/postorius.sh b/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/postorius.sh
index 41d27a0..9e99d57 100644
--- a/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/postorius.sh
+++ b/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/postorius.sh
@@ -1,7 +1,7 @@
 PYTHON="usr/lib/python3.10/site-packages"
-cp -a "mailman/postinstall/lemonldap" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/"
-cp -a "mailman/postinstall/risotto" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/"
-cp -a "mailman/postinstall/postorius" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius"
+cp -a "mailman/manual/postinstall/lemonldap" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/"
+cp -a "mailman/manual/postinstall/risotto" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/"
+cp -a "mailman/manual/postinstall/postorius" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius"
 chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius/manage.py"
 ln -s /etc/mailman3.d/postorius.py "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius/m_postorius/settings_local.py"
 ln -s ../../django_mailman3/static/django-mailman3 "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/postorius/static/"
diff --git a/seed/applicationservice/2022.03.08/nextcloud/templates/nextcloud.init b/seed/applicationservice/2022.03.08/nextcloud/templates/nextcloud.init
index 5d6e74f..3279d88 100644
--- a/seed/applicationservice/2022.03.08/nextcloud/templates/nextcloud.init
+++ b/seed/applicationservice/2022.03.08/nextcloud/templates/nextcloud.init
@@ -29,9 +29,9 @@ fi
 /usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapPort "%%ldap_port"
 /usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentName "%%ldapclient_remote_user"
 /usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentPassword "%%ldapclient_remote_user_password"
-/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBase "ou=users,%%ldap_base_dn"
-/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseUsers "ou=users,%%ldap_base_dn"
-/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseGroups "ou=users,%%ldap_base_dn"
+/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBase "%%ldapclient_base_dn"
+/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseUsers "%%ldapclient_base_dn"
+/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseGroups "%%ldapclient_base_dn"
 /usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapExperiencedAdmin "0"
 /usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapExpertUUIDUserAttr "cn"
 /usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapLoginFilter "(&(cn=%uid)(ObjectClass=inetOrgPerson))"
diff --git a/seed/applicationservice/2022.03.08/nginx-common/dictionaries/20_nginx.xml b/seed/applicationservice/2022.03.08/nginx-common/dictionaries/20_nginx.xml
index 4230d19..70bab6e 100644
--- a/seed/applicationservice/2022.03.08/nginx-common/dictionaries/20_nginx.xml
+++ b/seed/applicationservice/2022.03.08/nginx-common/dictionaries/20_nginx.xml
@@ -4,18 +4,26 @@
     <service name='nginx' target='multi-user'>
       <file>/etc/nginx/nginx.conf</file>
       <file source="default">/etc/nginx/sites-available/default</file>
-      <file filelist="nginx_default" source="default-nginx.conf">/etc/nginx/default.d/risotto.conf</file>
-      <!--file source="default-nginx-ssl.conf">/etc/nginx/conf.d/risotto-ssl.conf</file-->
+      <file filelist="nginx_default" source="default-nginx.conf">/etc/nginx/default.d/default.conf</file>
       <file source="nginx.index.html">/var/www/html/index.html</file>
       <file source="nginx-options.conf">/etc/nginx/conf.d/options.conf</file>
       <file>/var/www/html/error.html</file>
       <file engine="none" source="sysusers.nginx.conf" filelist="nginx_fedora">/sysusers.d/nginx.conf</file>
       <file source="tmpfiles.nginx.conf">/tmpfiles.d/nginx.conf</file>
+      <file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_ca_file</file>
+      <file filelist="nginx_https" mode="600">/etc/pki/tls/certs/nginx.crt</file>
+      <file filelist="nginx_https" mode="600">/etc/pki/tls/private/nginx.key</file>
     </service>
   </services>
   <variables>
     <family name="nginx" description="NGINX" help="Paramétrage global de NGINX">
-      <variable name="nginx_default" type="domainname" description="Nom de domaine du serveur mandataire inverse par défaut" help="Si un client accède au serveur avec un nom de domaine non déclaré, le flux est redirigé vers ce domaine" mandatory='True'/>
+      <variable name="nginx_default" type="domainname" description="Nom de domaine du serveur mandataire inverse par défaut" help="Si un client accède au serveur avec un nom de domaine non déclaré, le flux est redirigé vers ce domaine" mandatory='False'/>
+      <variable name="nginx_root" type="filename" mandatory='False'>
+        <value>/usr/share/nginx/html</value>
+      </variable>
+      <variable name="nginx_https" type="boolean" description="Activer HTTPS sur le serveur" mandatory='True' hidden="True">
+        <value>False</value>
+      </variable>
       <variable name="nginx_hash_bucket_size" description="Longueur maximum pour un nom de domaine" mode="expert" type="choice">
         <value>128</value>
         <choice type="string">128</choice>
@@ -25,13 +33,10 @@
       <variable name="nginx_post_max_size" type="number" description="Taille maximale des données reçues par la méthode POST (en Mo)" mode="expert" mandatory="True">
         <value>32</value>
       </variable>
+      <variable name="revprox_ca_file" type="filename" description="Reverse proxy CA filename" hidden="True"/>
     </family>
   </variables>
   <constraints>
-    <fill name="calc_value">
-      <param type="variable">domain_name_eth0</param>
-      <target>nginx_default</target>
-    </fill>
     <condition name="disabled_if_not_in" source="os_name">
       <param>Fedora</param>
       <target type="filelist">nginx_fedora</target>
@@ -40,5 +45,15 @@
       <param type="nil"/>
       <target type="filelist">nginx_default</target>
     </condition>
+    <condition name="disabled_if_in" source="nginx_https">
+      <param type="boolean">False</param>
+      <target type="filelist">nginx_https</target>
+    </condition>
+    <fill name="calc_value">
+      <param type="variable">tls_ca_directory</param>
+      <param>ca_InternalReverseProxy.crt</param>
+      <param name="join">/</param>
+      <target>revprox_ca_file</target>
+    </fill>
   </constraints>
 </rougail>
diff --git a/seed/applicationservice/2022.03.08/nginx-common/templates/default-nginx-ssl.conf b/seed/applicationservice/2022.03.08/nginx-common/templates/default-nginx-ssl.conf
deleted file mode 100644
index 4459747..0000000
--- a/seed/applicationservice/2022.03.08/nginx-common/templates/default-nginx-ssl.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-#FIXME    server {
-#FIXME        listen 443 ssl;
-#FIXME        ssl_certificate    %%nginx_certificate[%%revprox_domainnames_all.index(%%nginx_default)];
-#FIXME        ssl_certificate_key     %%nginx_private_key[%%revprox_domainnames_all.index(%%nginx_default)];
-#FIXME        ssl_client_certificate  /etc/ssl/certs/ca.crt;
-#FIXME        server_name _ default;
-#FIXME        rewrite ^(.*) https://%%nginx_default$1;
-#FIXME        break;
-#FIXME    }
-
diff --git a/seed/applicationservice/2022.03.08/nginx-common/templates/nginx.conf b/seed/applicationservice/2022.03.08/nginx-common/templates/nginx.conf
index 05531f0..9d4ecd9 100644
--- a/seed/applicationservice/2022.03.08/nginx-common/templates/nginx.conf
+++ b/seed/applicationservice/2022.03.08/nginx-common/templates/nginx.conf
@@ -52,11 +52,12 @@ http {
     # for more information.
     include /etc/nginx/conf.d/*.conf;
 %if %%os_name == 'Fedora'
+ %if %%nginx_default
     server {
         listen       80;
         listen       [::]:80;
         server_name  _;
-        root         /usr/share/nginx/html;
+        root         %%nginx_root;
 
         # Load configuration files for the default server block.
         include /etc/nginx/default.d/*.conf;
@@ -69,35 +70,40 @@ http {
         location = /50x.html {
         }
     }
+ %end if
+# Settings for a TLS enabled server.
+#
+ %if %%nginx_https
+    server {
+        listen       443 ssl http2;
+        server_name  %%domain_name_eth0;
+        root         %%nginx_root;
+
+        # ssl_certificate "/etc/pki/nginx/server.crt";
+        # ssl_certificate_key "/etc/pki/nginx/private/server.key";
+        ssl_certificate              /etc/pki/tls/certs/nginx.crt;
+        ssl_certificate_key          /etc/pki/tls/private/nginx.key;
+        ssl_client_certificate       /etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt;
+
+        ssl_session_cache shared:SSL:1m;
+        ssl_session_timeout  10m;
+        ssl_ciphers PROFILE=SYSTEM;
+        ssl_prefer_server_ciphers on;
+
+        # Load configuration files for the default server block.
+        include /etc/nginx/default.d/*.conf;
+
+        error_page 404 /404.html;
+        location = /40x.html {
+        }
+
+        error_page 500 502 503 504 /50x.html;
+        location = /50x.html {
+        }
+    }
+ %end if
 %else
     include /etc/nginx/sites-enabled/*;
 %end if
 
-# Settings for a TLS enabled server.
-#
-#    server {
-#        listen       443 ssl http2;
-#        listen       [::]:443 ssl http2;
-#        server_name  _;
-#        root         /usr/share/nginx/html;
-#
-#        ssl_certificate "/etc/pki/nginx/server.crt";
-#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
-#        ssl_session_cache shared:SSL:1m;
-#        ssl_session_timeout  10m;
-#        ssl_ciphers PROFILE=SYSTEM;
-#        ssl_prefer_server_ciphers on;
-#
-#        # Load configuration files for the default server block.
-#        include /etc/nginx/default.d/*.conf;
-#
-#        error_page 404 /404.html;
-#            location = /40x.html {
-#        }
-#
-#        error_page 500 502 503 504 /50x.html;
-#            location = /50x.html {
-#        }
-#    }
-
 }
diff --git a/seed/applicationservice/2022.03.08/nginx-https/applicationservice.yml b/seed/applicationservice/2022.03.08/nginx-https/applicationservice.yml
index 076ecac..f809754 100644
--- a/seed/applicationservice/2022.03.08/nginx-https/applicationservice.yml
+++ b/seed/applicationservice/2022.03.08/nginx-https/applicationservice.yml
@@ -2,3 +2,4 @@ format: '0.1'
 description: Nginx as reverse proxy
 depends:
   - nginx-common
+  - reverse-proxy-client
diff --git a/seed/applicationservice/2022.03.08/nginx-https/dictionaries/25_nginx.xml b/seed/applicationservice/2022.03.08/nginx-https/dictionaries/25_nginx.xml
index c34612c..65ec9bb 100644
--- a/seed/applicationservice/2022.03.08/nginx-https/dictionaries/25_nginx.xml
+++ b/seed/applicationservice/2022.03.08/nginx-https/dictionaries/25_nginx.xml
@@ -2,19 +2,38 @@
 <rougail version="0.10">
   <services>
     <service name='nginx'>
-      <file>/etc/nginx/conf.d/risotto.conf</file>
-      <file>/etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt</file>
-      <file mode="600">/etc/pki/tls/certs/nginx.crt</file>
-      <file mode="600">/etc/pki/tls/private/nginx.key</file>
+      <file filelist="nginx_default_risotto">/etc/nginx/default.d/risotto.conf</file>
     </service>
   </services>
   <variables>
-    <variable name="nginx_root_directory" type="filename" mandatory="True"/>
-    <variable name="php_fpm_user" redefine="True" exists="True">
-      <value>nginx</value>
-    </variable>
-    <variable name="nginx_locations" type="filename" multi="True" mandatory="True">
-      <value>/</value>
-    </variable>
+    <family name="nginx">
+      <variable name="nginx_https" redefine="True">
+        <value>True</value>
+      </variable>
+      <variable name="php_fpm_user" redefine="True" exists="True">
+        <value>nginx</value>
+      </variable>
+      <variable name="nginx_root_directory" type="filename"/>
+      <variable name="nginx_locations" type="filename" multi="True" mandatory="True">
+        <value>/</value>
+      </variable>
+    </family>
+    <family name="redis" description="Redis">
+      <variable name="redis_client_key_owner" redefine="True" exists="True">
+        <value>nginx</value>
+      </variable>
+    </family>
+    <family name="postgresql" description="PostgreSQL">
+      <variable name="pg_client_key_owner" redefine="True" exists="True">
+        <value>nginx</value>
+      </variable>
+    </family>
   </variables>
+  <constraints>
+    <condition name="disabled_if_in" source="nginx_root_directory">
+      <param type="nil"/>
+      <target type="filelist">nginx_default_risotto</target>
+      <target type="variable">nginx_locations</target>
+    </condition>
+  </constraints>
 </rougail>
diff --git a/seed/applicationservice/2022.03.08/nginx-https/templates/ca_InternalReverseProxy.crt b/seed/applicationservice/2022.03.08/nginx-https/templates/ca_InternalReverseProxy.crt
deleted file mode 100644
index 55ee905..0000000
--- a/seed/applicationservice/2022.03.08/nginx-https/templates/ca_InternalReverseProxy.crt
+++ /dev/null
@@ -1 +0,0 @@
-%%get_chain(authority_cn=%%domain_name_eth0, authority_name="InternalReverseProxy")
diff --git a/seed/applicationservice/2022.03.08/nginx-https/templates/nginx.crt b/seed/applicationservice/2022.03.08/nginx-https/templates/nginx.crt
index 73d46b2..4ea9946 100644
--- a/seed/applicationservice/2022.03.08/nginx-https/templates/nginx.crt
+++ b/seed/applicationservice/2022.03.08/nginx-https/templates/nginx.crt
@@ -1 +1,2 @@
-%%get_certificate(cn=%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy')
+%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type="server")
+%%get_chain(%%revprox_client_server_domainname, 'InternalReverseProxy')
diff --git a/seed/applicationservice/2022.03.08/nginx-https/templates/nginx.key b/seed/applicationservice/2022.03.08/nginx-https/templates/nginx.key
index 9edabbb..a02eba1 100644
--- a/seed/applicationservice/2022.03.08/nginx-https/templates/nginx.key
+++ b/seed/applicationservice/2022.03.08/nginx-https/templates/nginx.key
@@ -1 +1 @@
-%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy')
+%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type='server')
diff --git a/seed/applicationservice/2022.03.08/nginx-https/templates/risotto.conf b/seed/applicationservice/2022.03.08/nginx-https/templates/risotto.conf
index cf541f8..e7d34a4 100644
--- a/seed/applicationservice/2022.03.08/nginx-https/templates/risotto.conf
+++ b/seed/applicationservice/2022.03.08/nginx-https/templates/risotto.conf
@@ -1,44 +1,30 @@
-server {
-  listen        443 default ssl;
-  server_name %%domain_name_eth0;
-
-  ssl_certificate              /etc/pki/tls/certs/nginx.crt;
-  ssl_certificate_key          /etc/pki/tls/private/nginx.key;
-  ssl_client_certificate       /etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt;
-
-  error_page   403 404 502 503 504  /error.html;
-  location = /error.html{
-    root /var/www/html;
-  }
-
-  add_header                    X-Frame-Options "SAMEORIGIN";
-  add_header                    X-Content-Type-Options nosniff;
-  add_header                    X-XSS-Protection "1; mode=block";
-  add_header                    X-Robots-Tag none;
-  add_header                    X-Download-Options noopen;
-  add_header                    X-Permitted-Cross-Domain-Policies none;
-  add_header                    Strict-Transport-Security 'max-age=31536000; includeSubDomains;';
-  add_header                    Referrer-Policy no-referrer always;
+add_header                    X-Frame-Options "SAMEORIGIN";
+add_header                    X-Content-Type-Options nosniff;
+add_header                    X-XSS-Protection "1; mode=block";
+add_header                    X-Robots-Tag none;
+add_header                    X-Download-Options noopen;
+add_header                    X-Permitted-Cross-Domain-Policies none;
+add_header                    Strict-Transport-Security 'max-age=31536000; includeSubDomains;';
+add_header                    Referrer-Policy no-referrer always;
 
 %for %%location in %%nginx_locations
-  location %%location {
+location %%location {
 %if %%location == '/'
-    root                        %slurp
+  root                        %slurp
 %else
-    alias                       %slurp
+  alias                       %slurp
 %end if
 %%nginx_root_directory;
 %if not %%getVar('php_fpm_installed', False)
-    index                       index.html;
+  index                       index.html;
 %else
-    index                       index.php;
-    location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
-      fastcgi_pass              php-fpm;
-      fastcgi_index             index.php;
-      fastcgi_param             SCRIPT_FILENAME $request_filename;
-      include                   fastcgi_params;
-    }
-%end if
+  index                       index.php;
+  location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
+    fastcgi_pass              php-fpm;
+    fastcgi_index             index.php;
+    fastcgi_param             SCRIPT_FILENAME $request_filename;
+    include                   fastcgi_params;
   }
-%end for
+%end if
 }
+%end for
diff --git a/seed/applicationservice/2022.03.08/nginx-reverse-proxy/dictionaries/25_nginx.xml b/seed/applicationservice/2022.03.08/nginx-reverse-proxy/dictionaries/25_nginx.xml
index 93c8f95..09f818b 100644
--- a/seed/applicationservice/2022.03.08/nginx-reverse-proxy/dictionaries/25_nginx.xml
+++ b/seed/applicationservice/2022.03.08/nginx-reverse-proxy/dictionaries/25_nginx.xml
@@ -5,7 +5,6 @@
       <override engine="creole"/>
       <file source="nginx-options-rp.conf">/etc/nginx/conf.d/options-rp.conf</file>
       <file source="revprox-nginx.conf">/etc/nginx/conf.d/risotto.conf</file>
-      <file>/etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt</file>
       <file source="certificate.crt" file_type="variable" mode="600" variable="revprox_domainnames_all">nginx_certificate_filename</file>
       <file source="private.key" file_type="variable" mode="600" variable="revprox_domainnames_all">nginx_private_key_filename</file>
     </service>
@@ -19,7 +18,7 @@
       <variable name="ip_eth" redefine="True" provider="ip"/>
     </family>
     <family name="nginx" description="NGINX" help="Paramétrage global de NGINX">
-      <variable name="nginx_default" redefine="True" remove_fill="True"/>
+      <variable name="nginx_default" redefine="True" mandatory="True"/>
       <variable name="revprox_domainnames" type="domainname" description="Nom des domaines à configurer dans le serveur mandataire inverse" help="Liste des domaines gérés par le serveur mandataire inverse" multi="True"/>
       <variable name="revprox_domainnames_auto" type="domainname" description="Nom des domaines auto-configurés dans le serveur mandataire inverse" multi="True" provider="revprox_clients" hidden="True"/>
       <variable name="revprox_domainnames_all" type="domainname" description="Tous les noms de domaines" multi="True" hidden="True"/>
diff --git a/seed/applicationservice/2022.03.08/nsd/funcs/funcs.py b/seed/applicationservice/2022.03.08/nsd/funcs/funcs.py
index 0d680fe..ca521b1 100644
--- a/seed/applicationservice/2022.03.08/nsd/funcs/funcs.py
+++ b/seed/applicationservice/2022.03.08/nsd/funcs/funcs.py
@@ -1,11 +1,12 @@
 from typing import List as _List
-from os.path import join as _join, isdir as _isdir, abspath as _abspath
+from os.path import join as _join, isfile as _isfile, isdir as _isdir, abspath as _abspath, basename as _basename
 from datetime import datetime as _datetime
 from ipaddress import ip_network, ip_address
 from subprocess import run as _run
-from os import makedirs as _makedirs, unlink as _unlink
-from shutil import rmtree as _rmtree
+from os import makedirs as _makedirs
+from shutil import rmtree as _rmtree, copy2 as _copy2
 from glob import glob as _glob
+from filecmp import cmp as _cmp
 
 
 _PKI_DIR = _abspath('pki/dnssec')
@@ -98,13 +99,21 @@ def sign(zone_filename: str,
          cn: str,
          ) -> str:
     authority_cn = zone_filename.rsplit('/', 1)[-1].rsplit('.', 1)[0]
-    zsk, ksk = _gen_keys(cn, authority_cn)
-    cmd = ['ldns-signzone', '-n', zone_filename, zsk, ksk]
-    proc = _run(cmd, capture_output=True)
-    if proc.returncode != 0:
-        raise Exception(f'cannot sign {zone_filename}: {proc.stdout.decode()}, {proc.stderr.decode()}')
-    signed_filename = f'{zone_filename}.signed'
+    copy_file = _join(_PKI_DIR, cn, authority_cn, _basename(zone_filename))
+    signed_filename = f'{copy_file}.signed'
+    if not _isfile(copy_file) or not _cmp(zone_filename, copy_file):
+        _copy2(zone_filename, copy_file)
+        zsk, ksk = _gen_keys(cn, authority_cn)
+        cmd = ['ldns-signzone', '-n', zone_filename, zsk, ksk]
+        proc = _run(cmd, capture_output=True)
+        if proc.returncode != 0:
+            raise Exception(f'cannot sign {zone_filename}: {proc.stdout.decode()}, {proc.stderr.decode()}')
+        new_signed_filename = f'{zone_filename}.signed'
+        with open(new_signed_filename) as fh:
+            content = fh.read().strip()
+            content.replace('0000000000', nsd_serial())
+        with open(signed_filename, 'w') as fh:
+            fh.write(content)
     with open(signed_filename) as fh:
         content = fh.read().strip()
-    _unlink(signed_filename)
     return content
diff --git a/seed/applicationservice/2022.03.08/nsd/templates/nsd.reverse b/seed/applicationservice/2022.03.08/nsd/templates/nsd.reverse
index e532059..48d5076 100644
--- a/seed/applicationservice/2022.03.08/nsd/templates/nsd.reverse
+++ b/seed/applicationservice/2022.03.08/nsd/templates/nsd.reverse
@@ -12,7 +12,7 @@ $ORIGIN %%rougail_variable
 $TTL 1800
 
 @       IN      SOA     %%domain_name_eth0.      admin.%%name. (
-                        %%nsd_serial()              ; serial number
+                        0000000000              ; serial number
                         3600                    ; refresh
                         900                     ; retry
                         1209600                 ; expire
diff --git a/seed/applicationservice/2022.03.08/nsd/templates/nsd.zone b/seed/applicationservice/2022.03.08/nsd/templates/nsd.zone
index 0fd111a..d1e187b 100644
--- a/seed/applicationservice/2022.03.08/nsd/templates/nsd.zone
+++ b/seed/applicationservice/2022.03.08/nsd/templates/nsd.zone
@@ -2,7 +2,7 @@ $ORIGIN %%rougail_variable.
 $TTL 1800
 
 @       IN      SOA     %%domain_name_eth0.      admin.%%rougail_variable. (
-                        %%nsd_serial()              ; serial number
+                        0000000000              ; serial number
                         3600                    ; refresh
                         900                     ; retry
                         1209600                 ; expire
diff --git a/seed/applicationservice/2022.03.08/openldap/dictionaries/21_openldap-server.xml b/seed/applicationservice/2022.03.08/openldap/dictionaries/21_openldap-server.xml
index e7750ac..d3d1fc3 100644
--- a/seed/applicationservice/2022.03.08/openldap/dictionaries/21_openldap-server.xml
+++ b/seed/applicationservice/2022.03.08/openldap/dictionaries/21_openldap-server.xml
@@ -20,8 +20,8 @@
   <variables>
     <family name="annuaire">
       <variable name='ldap_server_address' redefine="True" hidden="True"/>
-      <variable name='ldap_base_dn' redefine="True" mandatory="True" provider="LDAP_DN"/>
-      <variable name='ldap_port' redefine="True" remove_fill="True" hidden="False" provider="LDAP_PORT">
+      <variable name='ldap_base_dn' redefine="True" mandatory="True" provider="ldap_dn"/>
+      <variable name='ldap_port' redefine="True" remove_fill="True" hidden="False" provider="ldap_port">
         <value>636</value>
       </variable>
       <variable name='ldap_admin_dn' type='string' description="Administrateur de l'annuaire" mandatory="True" auto_freeze='True'/>
@@ -47,6 +47,7 @@
       <variable name='ldap_schemas' type='filename' description='Schémas LDAP additionnel' multi='True'>
         <value>/etc/openldap/schema/cosine.ldif</value>
         <value>/etc/openldap/schema/inetorgperson.ldif</value>
+        <value>/etc/openldap/schema/nis.ldif</value>
       </variable>
       <variable name='ldap_loglevel' type='number' description='Niveau de log' mode="expert">
         <value>0</value>
diff --git a/seed/applicationservice/2022.03.08/openldap/extras/accounts/00_account.xml b/seed/applicationservice/2022.03.08/openldap/extras/accounts/00_account.xml
index 886421f..56bee09 100644
--- a/seed/applicationservice/2022.03.08/openldap/extras/accounts/00_account.xml
+++ b/seed/applicationservice/2022.03.08/openldap/extras/accounts/00_account.xml
@@ -5,6 +5,7 @@
     <family name="remote_" description="Compte LDAP pour " dynamic="accounts.remotes">
       <variable name="dn_" description="LDAP DN" hidden="True" provider="dn"/>
       <variable name="password_" description="Mot de passe" auto_save="True" hidden="True" provider="client_password"/>
+      <variable name="family_" description="Nom de la familly" auto_save="True" hidden="True" provider="client_family"/>
       <variable name="read_only_" description="Le compte est en lecture seule" type="boolean"/>
     </family>
     <family name="acl" description="Gestion des droits d'accès aux attributes" leadership="True">
diff --git a/seed/applicationservice/2022.03.08/openldap/templates/config_acl.ldif b/seed/applicationservice/2022.03.08/openldap/templates/config_acl.ldif
index 1eaefdd..34a86a0 100644
--- a/seed/applicationservice/2022.03.08/openldap/templates/config_acl.ldif
+++ b/seed/applicationservice/2022.03.08/openldap/templates/config_acl.ldif
@@ -1,3 +1,9 @@
+%set %%dns = {}
+%for %%remote in %%accounts.remotes
+ %set %%name = %%normalize_family(%%remote)
+ %set %%family = %%accounts['remote_' + %%name]['family_' + %%name]
+%%dns.setdefault(%%family, []).append((%%accounts['remote_' + %%name]['dn_' + %%name], %%accounts['remote_' + %%name]['read_only_' + %%name]))%slurp
+%end for
 dn: olcDatabase={2}mdb,cn=config
 changetype:modify
 replace: olcAccess
@@ -5,20 +11,22 @@ olcAccess: {0}to attrs=userPassword
     by self write
     by anonymous auth
     by * none
-olcAccess: {1}to dn.subtree="ou=users,%%ldap_base_dn"
-    by self read
 %set %%aclidx = 1
-%for %%remote in %%accounts.remotes
- %set %%name = %%normalize_family(%%remote)
-    by dn="%%accounts['remote_' + %%name]['dn_' + %%name]" %slurp
- %if %%accounts['remote_' + %%name]['read_only_' + %%name]
+%for %%family, %%remotes in %%dns.items()
+olcAccess: {%%aclidx}to dn.subtree="%%calc_ldapclient_base_dn(%%ldap_base_dn, %%family)"
+    by self read
+ %for %%remote in %%remotes
+    by dn="%%remote[0]" %slurp
+  %if %%remote[1]
 read%slurp
- %else
+  %else
 write%slurp
- %end if
-%end for
+  %end if
+ %end for
+  %set %%aclidx += 1
 
     by * none
+%end for
 %for %%idx, %%acl in %%enumerate(%%accounts.acl.ldap_acl_attribute)
  %set %%aclidx += 1
 olcAccess: {%%aclidx}to %%acl %echo ' '.join(%%acl.ldap_acl_rights)
diff --git a/seed/applicationservice/2022.03.08/openldap/templates/users.ldif b/seed/applicationservice/2022.03.08/openldap/templates/users.ldif
index f170dbf..53fcff8 100644
--- a/seed/applicationservice/2022.03.08/openldap/templates/users.ldif
+++ b/seed/applicationservice/2022.03.08/openldap/templates/users.ldif
@@ -35,8 +35,12 @@ sn: %%user.ldap_user_sn
 givenName: %%user.ldap_user_gn
 uid: %%user.ldap_user_uid
 userPassword:: %%ssha_encode(%%user.ldap_user_password)
+homeDirectory: /srv/home/users/%%user
+uidNumber: 0
+gidNumber: 0
 objectClass: top
 objectClass: inetOrgPerson
+objectClass: posixAccount
 
 %end for
 # Families
@@ -52,15 +56,19 @@ objectClass: top
 objectClass: organizationalUnit
 
   %for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
-dn: cn=%%user,ou=families,%%ldap_base_dn
+dn: cn=%%user,ou=%%family,ou=families,%%ldap_base_dn
 cn: %%user
 mail: %%user
 sn: %%user['ldap_user_sn_' + %%family]
 givenName: %%user['ldap_user_gn_' + %%family]
 uid: %%user['ldap_user_uid_' + %%family]
 userPassword:: %%ssha_encode(%%user['ldap_user_password_' + %%family])
+homeDirectory: /srv/home/families/%%family/%%user
+uidNumber: 0
+gidNumber: 0
 objectClass: top
 objectClass: inetOrgPerson
+objectClass: posixAccount
 
   %end for
 %end for
diff --git a/seed/applicationservice/2022.03.08/openldap/templates/users_mod.ldif b/seed/applicationservice/2022.03.08/openldap/templates/users_mod.ldif
index 6908924..506724a 100644
--- a/seed/applicationservice/2022.03.08/openldap/templates/users_mod.ldif
+++ b/seed/applicationservice/2022.03.08/openldap/templates/users_mod.ldif
@@ -7,3 +7,20 @@ replace: userPassword
 userPassword:: %%ssha_encode(%%accounts['remote_' + %%name]['password_' + %%name])
 
 %end for
+## Users
+#%for %%user in %%accounts.users.ldap_user_mail
+#dn: cn=%%user,ou=users,%%ldap_base_dn
+#changetype: modify
+#replace: homeDirectory
+#homeDirectory: /srv/home/users/%%user
+#
+#%end for
+## Families
+#%for %%family in %%accounts.families
+#  %for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
+#dn: cn=%%user,ou=%%family,ou=families,%%ldap_base_dn
+#replace: homeDirectory
+#homeDirectory: /srv/home/families/%%family/%%user
+#
+#  %end for
+#%end for
diff --git a/seed/applicationservice/2022.03.08/peertube/dictionaries/30_peertube.xml b/seed/applicationservice/2022.03.08/peertube/dictionaries/30_peertube.xml
index 2d23712..e5ace0e 100644
--- a/seed/applicationservice/2022.03.08/peertube/dictionaries/30_peertube.xml
+++ b/seed/applicationservice/2022.03.08/peertube/dictionaries/30_peertube.xml
@@ -38,8 +38,8 @@
       </variable>
       <variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
     </family>
-    <family name="nginx" description="Reverse proxy">
-      <family name="revprox_client" description="Point d'entré des clients" leadership="True">
+    <family name="nginx">
+      <family name="revprox_client">
         <variable name="revprox_client_location" redefine="True">
           <value>/</value>
         </variable>
diff --git a/seed/applicationservice/2022.03.08/peertube/manual/image/postinstall/peertube.sh b/seed/applicationservice/2022.03.08/peertube/manual/image/postinstall/peertube.sh
index bacc2e6..882fe0c 100644
--- a/seed/applicationservice/2022.03.08/peertube/manual/image/postinstall/peertube.sh
+++ b/seed/applicationservice/2022.03.08/peertube/manual/image/postinstall/peertube.sh
@@ -25,5 +25,5 @@ rmdir "$IMAGE_NAME_RISOTTO_IMAGE_DIR/proc/self/"
 
 rm -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"
 cd "$IMAGE_NAME_RISOTTO_IMAGE_DIR$PLUGINS_DIR/.."
-patch -p0 < $OLDPWD/peertube/postinstall/peertube.patch
+patch -p0 < $OLDPWD/peertube/manual/postinstall/peertube.patch
 cd -
diff --git a/seed/applicationservice/2022.03.08/php-fpm/DEBUG.md b/seed/applicationservice/2022.03.08/php-fpm/DEBUG.md
new file mode 100644
index 0000000..af9fa14
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/php-fpm/DEBUG.md
@@ -0,0 +1,6 @@
+Debug
+======
+
+echo "log_level = debug" >> /etc/php-fpm.conf
+systemctl restart php-fpm
+
diff --git a/seed/applicationservice/2022.03.08/php-fpm/dictionaries/20_phpfpm.xml b/seed/applicationservice/2022.03.08/php-fpm/dictionaries/20_phpfpm.xml
index 6514de7..6eab830 100644
--- a/seed/applicationservice/2022.03.08/php-fpm/dictionaries/20_phpfpm.xml
+++ b/seed/applicationservice/2022.03.08/php-fpm/dictionaries/20_phpfpm.xml
@@ -9,11 +9,13 @@
     </service>
   </services>
   <variables>
-    <variable name="php_fpm_user" type="unix_user">
-      <value>root</value>
-    </variable>
-    <variable name="php_fpm_installed" type="boolean">
-      <value>True</value>
-    </variable>
+    <family name="nginx">
+      <variable name="php_fpm_user" type="unix_user">
+        <value>root</value>
+      </variable>
+      <variable name="php_fpm_installed" type="boolean">
+        <value>True</value>
+      </variable>
+    </family>
   </variables>
 </rougail>
diff --git a/seed/applicationservice/2022.03.08/piwigo/applicationservice.yml b/seed/applicationservice/2022.03.08/piwigo/applicationservice.yml
index 561214a..b5c8ec5 100644
--- a/seed/applicationservice/2022.03.08/piwigo/applicationservice.yml
+++ b/seed/applicationservice/2022.03.08/piwigo/applicationservice.yml
@@ -8,4 +8,3 @@ depends:
   - relay-mail-client
   - nginx-https
   - php-fpm
-  - reverse-proxy-client
diff --git a/seed/applicationservice/2022.03.08/piwigo/dictionaries/31_piwigo.xml b/seed/applicationservice/2022.03.08/piwigo/dictionaries/31_piwigo.xml
index 0b4b8a1..a00d7b1 100644
--- a/seed/applicationservice/2022.03.08/piwigo/dictionaries/31_piwigo.xml
+++ b/seed/applicationservice/2022.03.08/piwigo/dictionaries/31_piwigo.xml
@@ -12,9 +12,11 @@
   <variables>
     <variable name="piwigo_admin_email" type="mail" description="Adresse courriel de l'administrateur Piwigo" mandatory="True"/>
     <variable name="piwigo_admin_password" type="password" auto_save="True" hidden="True"/>
-    <variable name="nginx_root_directory" mandatory="True" redefine="True">
-      <value>/usr/local/share/piwigo</value>
-    </variable>
+    <family name="nginx">
+      <variable name="nginx_root_directory" mandatory="True" redefine="True">
+        <value>/usr/local/share/piwigo</value>
+      </variable>
+    </family>
     <variable name="piwigo_title" type="string" description="Titre de l'album" mandatory="True">
       <value>Album photographique</value>
     </variable>
diff --git a/seed/applicationservice/2022.03.08/piwigo/manual/image/postinstall/piwigo.sh b/seed/applicationservice/2022.03.08/piwigo/manual/image/postinstall/piwigo.sh
index 4f68015..1005f30 100644
--- a/seed/applicationservice/2022.03.08/piwigo/manual/image/postinstall/piwigo.sh
+++ b/seed/applicationservice/2022.03.08/piwigo/manual/image/postinstall/piwigo.sh
@@ -14,10 +14,10 @@ ln -s /etc/piwigo/database.inc.php piwigo/local/config/database.inc.php
 ln -s /srv/piwigo/data piwigo/_data
 ln -s /srv/piwigo/upload piwigo/upload
 ln -s /srv/piwigo/logs piwigo/logs
-cp $OLDPWD/piwigo/postinstall/osmmap.php piwigo/
+cp $OLDPWD/piwigo/manual/postinstall/osmmap.php piwigo/
 chmod 644 piwigo/osmmap.php
-patch -p0 < $OLDPWD/piwigo/postinstall/piwigo.patch
-cp $OLDPWD/piwigo/postinstall/piwigo_cli.php piwigo/
+patch -p0 < $OLDPWD/piwigo/manual/postinstall/piwigo.patch
+cp $OLDPWD/piwigo/manual/postinstall/piwigo_cli.php piwigo/
 # Plugins
 cd piwigo/plugins
 wget https://piwigo.org/ext/download.php?rid=7848 -O plugin.zip
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/funcs/postfix.py b/seed/applicationservice/2022.03.08/postfix-relay/funcs/postfix.py
index 4c43fd1..3185a74 100644
--- a/seed/applicationservice/2022.03.08/postfix-relay/funcs/postfix.py
+++ b/seed/applicationservice/2022.03.08/postfix-relay/funcs/postfix.py
@@ -9,4 +9,4 @@ def calc_postfix_relay_domains(criteria):
             if '@' in lst:
                 lst = lst.split('@')[1]
             relay.add(lst)
-    return list(relay)
+    return sorted(list(relay))
diff --git a/seed/applicationservice/2022.03.08/reverse-proxy-client/dictionaries/21_nginx_client.xml b/seed/applicationservice/2022.03.08/reverse-proxy-client/dictionaries/21_nginx_client.xml
index 3ad5310..392c529 100644
--- a/seed/applicationservice/2022.03.08/reverse-proxy-client/dictionaries/21_nginx_client.xml
+++ b/seed/applicationservice/2022.03.08/reverse-proxy-client/dictionaries/21_nginx_client.xml
@@ -2,7 +2,6 @@
 <rougail version="0.10">
   <services>
     <service name="nginx" manage="False">
-      <file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_ca_file</file>
       <file file_type="variable" source="revprox.crt">revprox_cert_file</file>
       <file file_type="variable" source="revprox.key" owner_type="variable" owner="revprox_client_cert_owner" group_type="variable" group="revprox_client_cert_group" mode="400">revprox_key_file</file>
     </service>
@@ -32,10 +31,8 @@
       <variable name="revprox_client_cert_group" type="unix_user" description="Reverse proxy certificate group">
         <value>root</value>
       </variable>
-      <variable name="revprox_ca_file" type="filename" description="Reverse proxy CA filename" hidden="True"/>
       <variable name="revprox_cert_file" type="filename" description="Reverse proxy certificate filename" hidden="True"/>
       <variable name="revprox_key_file" type="filename" description="Reverse proxy private key filename" hidden="True"/>
-      <variable name="nginx_default" exists="True" redefine="True" remove_fill="True" mandatory="False"/>
     </family>
   </variables>
   <constraints>
@@ -45,12 +42,6 @@
       <param type="variable">revprox_client_local_location</param>
       <target>revprox_client_web_address</target>
     </fill>
-    <fill name="calc_value">
-      <param type="variable">tls_ca_directory</param>
-      <param>ca_InternalReverseProxy.crt</param>
-      <param name="join">/</param>
-      <target>revprox_ca_file</target>
-    </fill>
     <fill name="calc_value">
       <param type="variable">tls_cert_directory</param>
       <param>revprox.crt</param>
diff --git a/seed/applicationservice/2022.03.08/roundcube/DEBUG.md b/seed/applicationservice/2022.03.08/roundcube/DEBUG.md
index 1b728a9..84dd63d 100644
--- a/seed/applicationservice/2022.03.08/roundcube/DEBUG.md
+++ b/seed/applicationservice/2022.03.08/roundcube/DEBUG.md
@@ -1,3 +1,8 @@
+Supprimer oauth
+================
+
+sed -i "s/'generic'/null/g" /etc/roundcubemail/config.inc.php
+
 Debug ldap
 ==========
 
diff --git a/seed/applicationservice/2022.03.08/roundcube/applicationservice.yml b/seed/applicationservice/2022.03.08/roundcube/applicationservice.yml
index 66e6ddf..eb793c3 100644
--- a/seed/applicationservice/2022.03.08/roundcube/applicationservice.yml
+++ b/seed/applicationservice/2022.03.08/roundcube/applicationservice.yml
@@ -3,9 +3,8 @@ description: Interface web de consultation des courriels Roundcube
 depends:
   - base-fedora-35
   - postgresql-client
-  - ldap-client-fedora
   - imap-client
   - redis-client
   - oauth2-client
-  - apache
+  - nginx-https
   - php-fpm
diff --git a/seed/applicationservice/2022.03.08/roundcube/dictionaries/31_roundcube.xml b/seed/applicationservice/2022.03.08/roundcube/dictionaries/31_roundcube.xml
index fe67c34..92b8269 100644
--- a/seed/applicationservice/2022.03.08/roundcube/dictionaries/31_roundcube.xml
+++ b/seed/applicationservice/2022.03.08/roundcube/dictionaries/31_roundcube.xml
@@ -2,8 +2,8 @@
 <rougail version="0.10">
   <services>
     <service name="roundcube" engine="creole" target="multi-user">
-      <file owner="root" group="apache" mode="640">/etc/roundcubemail/config.inc.php</file>
-      <file>/etc/httpd/conf.d/roundcubemail.conf</file>
+      <file owner="root" group="nginx" mode="640">/etc/roundcubemail/config.inc.php</file>
+      <file>/etc/nginx/default.d/roundcubemail.conf</file>
       <file>/secrets/roundcube-init.php</file>
       <file engine="none">/static/silique_cloud.svg</file>
       <file engine="none">/static/watermark.html</file>
@@ -32,9 +32,15 @@
       </variable>
     </family>
     <family name="nginx">
-      <variable name="revprox_client_local_location" redefine="True">
-        <value>/roundcube/</value>
+      <variable name="nginx_root" redefine="True">
+        <value>/usr/share/roundcubemail/</value>
       </variable>
+      <variable name="revprox_client_local_location" redefine="True">
+        <value>/</value>
+      </variable>
+    </family>
+    <family name="annuaire">
+      <variable name='ldapclient_family' redefine="True" exists="True" mandatory="True"/>
     </family>
   </variables>
   <constraints>
diff --git a/seed/applicationservice/2022.03.08/roundcube/manual/image/postinstall/roundcube.sh b/seed/applicationservice/2022.03.08/roundcube/manual/image/postinstall/roundcube.sh
new file mode 100644
index 0000000..ea09851
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/roundcube/manual/image/postinstall/roundcube.sh
@@ -0,0 +1,8 @@
+#!/bin/bash -ex
+
+echo """#!/bin/bash -e
+/usr/bin/chgrp nginx /etc/roundcubemail/*
+""" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"
+chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"
+chroot "$IMAGE_NAME_RISOTTO_IMAGE_DIR" /install.sh
+rm -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"
diff --git a/seed/applicationservice/2022.03.08/roundcube/templates/config.inc.php b/seed/applicationservice/2022.03.08/roundcube/templates/config.inc.php
index d3d8ff8..5c7f05b 100644
--- a/seed/applicationservice/2022.03.08/roundcube/templates/config.inc.php
+++ b/seed/applicationservice/2022.03.08/roundcube/templates/config.inc.php
@@ -1059,9 +1059,10 @@ $config['address_book_type'] = 'sql';
 // Array key must contain only safe characters, ie. a-zA-Z0-9_
 $config['ldap_public'] = [];
 #>GNUNUX
+%if %%getVar('ldap_server_address', None)
 $config['ldap_public'] = array (
   'Local' => array (
-    'name' => "Contacts",
+    'name' => "Ma famille",
     'hosts' =>  array (
       0 => 'ldaps://%%ldap_server_address',
       ),
@@ -1073,7 +1074,7 @@ $config['ldap_public'] = array (
     'auth_method'    => '',
     'vlv' => false, //Samba do not support Virtual List View functions
     'user_specific' => false,
-    'base_dn' => 'ou=users,%%ldap_base_dn',
+    'base_dn' => 'ou=%%ldapclient_family,ou=families,%%ldap_base_dn',
     'writable' => false,
     'required_fields' =>  array (
       0 => 'cn',
@@ -1104,6 +1105,7 @@ $config['ldap_public'] = array (
       ),
   ),
 );
+%end if
 #<GNUNUX
 
 // If you are going to use LDAP for individual address books, you will need to
diff --git a/seed/applicationservice/2022.03.08/roundcube/templates/roundcube.service b/seed/applicationservice/2022.03.08/roundcube/templates/roundcube.service
index 8b6acd7..92913e3 100644
--- a/seed/applicationservice/2022.03.08/roundcube/templates/roundcube.service
+++ b/seed/applicationservice/2022.03.08/roundcube/templates/roundcube.service
@@ -1,7 +1,7 @@
 [Unit]
 Description=Roundcube database init
 After=postgresqlclient.service
-Before=apache.service php-fpm.service
+Before=nginx.service php-fpm.service
 
 [Service]
 Type=oneshot
diff --git a/seed/applicationservice/2022.03.08/roundcube/templates/roundcubemail.conf b/seed/applicationservice/2022.03.08/roundcube/templates/roundcubemail.conf
index 63f39d6..b373e2f 100644
--- a/seed/applicationservice/2022.03.08/roundcube/templates/roundcubemail.conf
+++ b/seed/applicationservice/2022.03.08/roundcube/templates/roundcubemail.conf
@@ -1,60 +1,51 @@
-#
-# Round Cube Webmail is a browser-based multilingual IMAP client
-#
+location = / {
+    alias %%nginx_root;
+}
 
+location / {
+    root %%nginx_root;
+    index index.php;
 
-#>GNUNUX
-Alias /roundcube/skins/elastic/risotto/ /usr/local/lib/static/
-<Directory /usr/local/lib/static/>
-    Require all granted
-</Directory>
-#<GNUNUX
-# GNUNUX Alias /roundcubemail /usr/share/roundcubemail
-Alias /roundcube /usr/share/roundcubemail
+    location ~ ^/bin/(.+)$ {
+        deny all;
+    }
+    location ~ ^/plugins/enigma/home/(.+)$ {
+        deny all;
+    }
 
-# Define who can access the Webmail
-# You can enlarge permissions once configured
+    # Define who can access the installer
+    # keep this secured once configured
 
-<Directory /usr/share/roundcubemail/>
-    Require all granted
-# GNUNUX    <IfModule mod_authz_core.c>
-# GNUNUX        # Apache 2.4
-# GNUNUX        Require local
-# GNUNUX    </IfModule>
-# GNUNUX    <IfModule !mod_authz_core.c>
-# GNUNUX        # Apache 2.2
-# GNUNUX        Order Deny,Allow
-# GNUNUX        Deny from all
-# GNUNUX        Allow from 127.0.0.1
-# GNUNUX        Allow from ::1
-# GNUNUX    </IfModule>
-</Directory>
+    location ~ ^/installer/(.+\.php)$ {
+        allow 127.0.0.1;
+        allow ::1;
+        deny all;
 
-# Define who can access the installer
-# keep this secured once configured
+        try_files $uri =404;
+        fastcgi_intercept_errors on;
+        include        fastcgi_params;
+        fastcgi_param  SERVER_NAME      $host;
+        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
+        fastcgi_pass   php-fpm;
+    }
 
-<Directory /usr/share/roundcubemail/installer/>
-    Order Allow,Deny
-    Deny from all
-# GNUNUX    <IfModule mod_authz_core.c>
-# GNUNUX        # Apache 2.4
-# GNUNUX        Require local
-# GNUNUX    </IfModule>
-# GNUNUX    <IfModule !mod_authz_core.c>
-# GNUNUX        # Apache 2.2
-# GNUNUX        Order Deny,Allow
-# GNUNUX        Deny from all
-# GNUNUX        Allow from 127.0.0.1
-# GNUNUX        Allow from ::1
-# GNUNUX    </IfModule>
-</Directory>
+    # Define who can access the Webmail
+    # You can enlarge permissions once configured
 
-# Those directories should not be viewed by Web clients.
-<Directory /usr/share/roundcubemail/bin/>
-    Order Allow,Deny
-    Deny from all
-</Directory>
-<Directory /usr/share/roundcubemail/plugins/enigma/home/>
-    Order Allow,Deny
-    Deny from all
-</Directory>
+    location ~ ^/(.+\.php)$ {
+# GNUNUX        allow 127.0.0.1;
+# GNUNUX        allow ::1;
+# GNUNUX        deny all;
+
+        try_files $uri =404;
+        fastcgi_intercept_errors on;
+        include        fastcgi_params;
+        fastcgi_param  SERVER_NAME      $host;
+        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
+        fastcgi_pass   php-fpm;
+    }
+}
+
+location /skins/elastic/risotto {
+    alias /usr/local/lib/static/;
+}
diff --git a/seed/applicationservice/2022.03.08/vaultwarden/dictionaries/40_vaultwarden.xml b/seed/applicationservice/2022.03.08/vaultwarden/dictionaries/40_vaultwarden.xml
index 849c935..aa4e1ff 100644
--- a/seed/applicationservice/2022.03.08/vaultwarden/dictionaries/40_vaultwarden.xml
+++ b/seed/applicationservice/2022.03.08/vaultwarden/dictionaries/40_vaultwarden.xml
@@ -3,6 +3,7 @@
   <services>
     <service name="vaultwarden" target="multi-user">
       <override/>
+      <file>/etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt</file>
       <file engine="none" source="tmpfile-vaultwarden.conf">/tmpfiles.d/0vaultwarden.conf</file>
       <file source="vaultwarden_config.env">/etc/vaultwarden/config.env</file>
     </service>