nsd|unbound|nginx reverse proxy use fedora 36

seed/base-machine/applicationservice.yml

@@ -2,3 +2,4 @@ format: '0.1'
 description: Base information for a machine
 depends:
   - base
+  - dns-local

seed/base-machine/dictionaries/12-base.xml

@@ -12,8 +12,6 @@
     <family name="network" description="Réseau">
       <variable name="zones_list" type="string" multi="True" description="Liste de toutes les zones" hidden="True"/>
       <variable name="interfaces_list" type="number" multi="True" description="Liste de tous les numéros d'interfaces" hidden="True"/>
-      <variable name="dns_client_address" type="domainname" description="Nom de domaine du serveur DNS"/>
-      <variable name="ip_dns" type="ip" description="Adresse IP du serveur DNS" hidden="True"/>
       <family name="interface_" description="Interface " dynamic="interfaces_list">
         <variable name="zone_name_eth" type="string" description="Nom de la zone de l'interface " hidden="True"/>
         <variable name="ip_eth" type="ip" description="Adresse IP pour l'interface " hidden="True" provider="ip"/>
@@ -24,18 +22,6 @@
     </family>
   </variables>
   <constraints>
-    <fill name="get_provider_name">
-      <param type="variable">zone_name_eth0</param>
-      <param>LocalDNS</param>
-      <target>dns_client_address</target>
-    </fill>
-    <fill name="set_linked">
-      <param name="linked_server" type="variable">dns_client_address</param>
-      <param name="linked_provider">dns</param>
-      <param name="linked_value" type="variable">ip_eth0</param>
-      <param name="linked_returns">ip</param>
-      <target>ip_dns</target>
-    </fill>
     <fill name="calc_value">
       <param type="information">zones_name</param>
       <target>zones_list</target>

seed/base-machine/manual/install/install_host

@@ -5,7 +5,9 @@ if [ -z "$HOST_NAME" ]; then
     echo "usage: $0 host name"
     exit 1
 fi
-apt install --yes systemd-container dnf jq debootstrap htop gettext patch unzip mlocate xz-utils
+# remove current rules
+systemctl stop risottofirewall.service || true
+apt install --yes systemd-container dnf jq debootstrap htop gettext patch unzip mlocate xz-utils iptables
 systemd-tmpfiles --create --clean --remove $PWD/host/configurations/$HOST_NAME/tmpfiles.d/0asystemd-nspawn.conf
 systemd-tmpfiles --create --clean --remove $PWD/host/configurations/$HOST_NAME/tmpfiles.d/0rougail.conf
 systemctl daemon-reload
@@ -17,6 +19,8 @@ systemctl restart systemd-resolved
 # systemctl mask dev-hugepages.mount
 systemctl enable risotto-images.timer
 systemctl restart risotto-images.timer
+systemctl enable risottofirewall.service
+systemctl start risottofirewall.service
 
 #nft add table nat
 #nft flush table nat;

seed/base-machine/tests/execute.py

@@ -0,0 +1,26 @@
+from os import fdopen
+from dbus import SystemBus, Array
+
+
+def run(host, cmd):
+    bus = SystemBus()
+    remote_object = bus.get_object('org.freedesktop.machine1',
+                                   '/org/freedesktop/machine1',
+                                   False,
+                                   )
+    res = remote_object.OpenMachineShell(host,
+                                         '',
+                                         cmd[0],
+                                         Array(cmd, signature='s'),
+                                         Array(['TERM=dumb'], signature='s'),
+                                         dbus_interface='org.freedesktop.machine1.Manager',
+                                         )
+    fd = res[0].take()
+    fh = fdopen(fd)
+    while True:
+        try:
+            yield fh.readline().strip()
+        except OSError as err:
+            if err.errno != 5:
+                raise err from err
+            break

seed/dns-external/applicationservice.yml

@@ -0,0 +1,2 @@
+format: '0.1'
+description: Configuration du client DNS externe

seed/dns-external/dictionaries/14-dns-external.xml

@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <variables>
+    <family name="network">
+      <variable name="dns_is_only_local" redefine="True">
+        <value>False</value>
+      </variable>
+      <variable name="dns_client_address" redefine="True"/>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="get_provider_name">
+      <param type="variable">zone_name_eth0</param>
+      <param>ExternalDNS</param>
+      <target>dns_client_address</target>
+    </fill>
+  </constraints>
+</rougail>

seed/dns-external/tests/test_dns_external.py

@@ -0,0 +1,17 @@
+from yaml import load, SafeLoader
+from os import environ
+
+from execute import run
+
+
+EXTERNAL_DOMAIN = 'google.fr'
+
+
+def test_dns_external():
+    conf_file = f'{environ["MACHINE_TEST_DIR"]}/dns-local.yml'
+    with open(conf_file) as yaml:
+        data = load(yaml, Loader=SafeLoader)
+    result = run(data['address'],
+                 ['/bin/resolvectl', 'query', EXTERNAL_DOMAIN],
+                 )
+    assert 'resolve call failed' not in next(result), f'cannot resolved {EXTERNAL_DOMAIN}'

seed/dns-local/applicationservice.yml

@@ -0,0 +1,2 @@
+format: '0.1'
+description: Configuration du client DNS local

seed/dns-local/dictionaries/13-dns-local.xml

@@ -0,0 +1,33 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rougail version="0.10">
+  <services>
+    <service name="dns-local" manage="False">
+      <file>/tests/dns-local.yml</file>
+    </service>
+  </services>
+  <variables>
+    <family name="network">
+      <variable name="dns_is_only_local" type="boolean" description="DNS resolve only local address" hidden="True">
+        <value>True</value>
+      </variable>
+      <variable name="dns_client_address" type="domainname" description="Nom de domaine du serveur DNS"/>
+      <variable name="ip_dns" type="ip" description="Adresse IP du serveur DNS" hidden="True"/>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="get_provider_name">
+      <param type="variable">zone_name_eth0</param>
+      <param>LocalDNS</param>
+      <target>dns_client_address</target>
+    </fill>
+    <fill name="set_linked">
+      <param name="linked_server" type="variable">dns_client_address</param>
+      <param name="linked_provider">dns</param>
+      <param name="linked_value" type="variable">ip_eth0</param>
+      <param name="linked_returns">ip</param>
+      <target>ip_dns</target>
+    </fill>
+  </constraints>
+</rougail>
+
+

seed/dns-local/templates/dns-local.yml

@@ -0,0 +1,25 @@
+address: '%%domain_name_eth0'
+addresses:
+%if %%getVar('dns_client_address', None)
+- dns_address: '%%dns_client_address'
+  dns_ip: '%%ip_dns'
+%elif %%getVar('unbound_forward_address', None)
+  %for %%authority in %%unbound_forward_address
+- dns_address: %%authority
+  dns_ip: %%get_ip(%%str(%%authority))
+  %end for
+%else
+  %for %%zone in %%nsd_zones_auto
+    %set %%suffix = %%normalize_family(%%zone)
+    %set %%hostnames = %%nsd["nsd_zone_" + %%suffix]["hostname_" + %%suffix]["hostname_" + %%suffix]
+    %for %%nsd in %%hostnames
+- dns_address: %%{nsd}.%%zone
+  dns_ip: %%nsd["ip_" + %%suffix]
+    %end for
+  %end for
+%end if
+%if %%dns_is_only_local
+dns_is_only_local: true
+%else
+dns_is_only_local: false
+%end if

seed/dns-local/tests/test_dns_local.py

@@ -0,0 +1,32 @@
+from yaml import load, SafeLoader
+from os import environ
+
+from execute import run
+
+EXTERNAL_DOMAIN = 'google.fr'
+
+
+def test_dns_local():
+    conf_file = f'{environ["MACHINE_TEST_DIR"]}/dns-local.yml'
+    with open(conf_file) as yaml:
+        data = load(yaml, Loader=SafeLoader)
+    if 'addresses' not in data:
+        return
+    for address in data['addresses']:
+        result = run(data['address'],
+                     ['/bin/resolvectl', 'query', address['dns_address']],
+                     )
+        first = next(result)
+        search = f"{address['dns_address']}: {address['dns_ip']}"
+        assert first == search or first.startswith(search + " "), f'dns return "{first}" instead of "{search}"'
+
+
+def test_dns_external():
+    conf_file = f'{environ["MACHINE_TEST_DIR"]}/dns-local.yml'
+    with open(conf_file) as yaml:
+        data = load(yaml, Loader=SafeLoader)
+    if data['dns_is_only_local']:
+        result = run(data['address'],
+                     ['/bin/resolvectl', 'query', EXTERNAL_DOMAIN],
+                     )
+        assert 'resolve call failed' in next(result), f'should not resolved {EXTERNAL_DOMAIN}'

seed/host-systemd-machined/dictionaries/21-machined.xml

@@ -23,11 +23,14 @@
   </services>
   <variables>
     <variable name="host_install_dir" type="filename" description="Nom du répertoire comprenant les descriptions d'installation" mandatory="True"/>
-    <variable name="host_dhcp_interface" description="Carte réseau en DHCP" multi="True"/>
     <variable name="host_dhcp_filename" type="filename" hidden="True" multi="True"/>
     <variable name="host_name" type="domainname" hidden="True"/>
     <variable name="systemd_zone_filename" type="filename" hidden="True" multi="True"/>
     <variable name="systemd_netzone_filename" type="filename" hidden="True" multi="True"/>
+    <family name="network">
+      <variable name="host_dhcp_interface" description="Carte réseau en DHCP" multi="True"/>
+      <variable name="output_interface" description="Nom de l'interface de sortie" mandatory="True"/>
+    </family>
     <family name="zones" leadership="True">
       <variable name="zone_name" type="string" hidden="True" multi="True"/>
       <variable name="zone_cidr" type="cidr" hidden="True"/>

seed/host-systemd-machined/templates/0asystemd-nspawn.conf

@@ -1,8 +1,15 @@
 D /usr/local/lib/sbin/ 0755 root root - -
 D /etc/systemd/nspawn/ 0755 root root - -
 D /etc/systemd/network/ 0755 root root - -
+D /usr/local/lib/systemd/system/ 0755 root root - -
 d /var/lib/risotto/configurations/ 0755 root root - -
 r /etc/network/interfaces -    -    -     -           -
 %for %%filename in %%machined.nspawn_script_filename
 C %%filename 0755 root root - %%host_install_dir/host/configurations/%%host_name%%filename
 %end for
+%for %%service in %%services
+  %if %%service.engine != 'none'
+    %set %%filename = '/usr/local/lib/systemd/system/' + %%service.doc
+C %%filename 0755 root root - %%host_install_dir/host/configurations/%%host_name%%filename
+  %end if
+%end for

seed/host-systemd-machined/templates/risottofirewall.service

@@ -4,6 +4,7 @@ After=network.target
 
 [Service]
 Type=oneshot
+RemainAfterExit=yes
 %for %%dns in %%machined.machines
 %set %%machine = %%normalize_family(%%dns)
 %set %%outgoing = %%machined['machine_' + %%machine]['outgoing_ports_' + %%machine]
@@ -14,8 +15,8 @@ Type=oneshot
       %else
 %set %%protocol = 'tcp'
       %end if
-ExecStart=/sbin/iptables -t nat -A POSTROUTING -s %%get_ip(%%dns) -p %%protocol -m %%protocol --dport %%port -o enp3s0 -j MASQUERADE
+ExecStart=/sbin/iptables -t nat -A POSTROUTING -s %%get_ip(%%dns) -p %%protocol -m %%protocol --dport %%port -o %%output_interface -j MASQUERADE
-ExecStop=-/sbin/iptables -t nat -D POSTROUTING -s %%get_ip(%%dns) -p %%protocol -m %%protocol --dport %%port -o enp3s0 -j MASQUERADE
+ExecStop=-/sbin/iptables -t nat -D POSTROUTING -s %%get_ip(%%dns) -p %%protocol -m %%protocol --dport %%port -o %%output_interface -j MASQUERADE
     %end for
   %end if
 %end for

seed/letsencrypt/applicationservice.yml

@@ -1,4 +1,4 @@
 format: '0.1'
 description: Let's encrypt
 depends:
-  - base-fedora-35
+  - base-fedora

seed/nextcloud/dictionaries/31_nextcloud.xml

@@ -70,7 +70,7 @@
       <param type="variable">revprox_client_external_domainnames</param>
       <target>nextcloud_well_known_server</target>
     </fill>
-    <check name="set_linked_multi_variables">
+    <!-- FIXME : check name="set_linked_multi_variables">
       <param name="linked_provider_0">revprox_clients</param>
       <param name="linked_value_0" type="variable">nextcloud_well_known_server</param>
       <param name="linked_provider_1">revprox_location</param>
@@ -80,14 +80,14 @@
       <param name="linked_provider_3">revprox_url</param>
       <param name="linked_value_3" type="variable">nextcloud_well_known_caldav</param>
       <target>revprox_client_server_domainname</target>
-    </check>
+    </check-->
     <fill name="calc_web_address">
       <param type="variable">domain_name_eth0</param>
       <param type="variable">revprox_client_port</param>
       <param>/.well-known/caldav</param>
       <target>nextcloud_well_known_caldav</target>
     </fill>
-    <check name="set_linked_multi_variables">
+    <!-- FIXME : check name="set_linked_multi_variables">
       <param name="linked_provider_0">revprox_clients</param>
       <param name="linked_value_0" type="variable">nextcloud_well_known_server</param>
       <param name="linked_provider_1">revprox_location</param>
@@ -97,7 +97,7 @@
       <param name="linked_provider_3">revprox_url</param>
       <param name="linked_value_3" type="variable">nextcloud_well_known_carddav</param>
       <target>revprox_client_server_domainname</target>
-    </check>
+    </check-->
     <fill name="calc_web_address">
       <param type="variable">domain_name_eth0</param>
       <param type="variable">revprox_client_port</param>

seed/nginx-reverse-proxy/applicationservice.yml

@@ -1,6 +1,6 @@
 format: '0.1'
 description: Nginx as reverse proxy
 depends:
-  - base-fedora-35
+  - base-fedora-36
   - nginx-common
 provider: ReverseProxy

seed/nginx-reverse-proxy/dictionaries/25_nginx.xml

@@ -7,6 +7,7 @@
       <file source="revprox-nginx.conf">/etc/nginx/conf.d/risotto.conf</file>
       <file source="certificate.crt" file_type="variable" mode="600" variable="revprox_domainnames_all">nginx_certificate_filename</file>
       <file source="private.key" file_type="variable" mode="600" variable="revprox_domainnames_all">nginx_private_key_filename</file>
+      <file>/tests/reverse-proxy.yml</file>
     </service>
   </services>
   <variables>

seed/nginx-reverse-proxy/extras/nginx/00-nginx.xml

@@ -5,11 +5,11 @@
       <variable name="revprox_domain_wildcard_" description="Activer la redirection pour tous les sous-domaines" help="Exemple pour &quot;domaine&quot; : tous les sous-domaines de &quot;domaine&quot; seront redirigés" type="boolean">
         <value>False</value>
       </variable>
-      <family name="reverse_proxy_" description="Reverse proxy" help="Paramètrage du proxy inverse" leadership="True">
+      <family name="reverse_proxy_" description="Reverse proxy " help="Paramètrage du proxy inverse" leadership="True">
-        <variable name="revprox_location_" type="filename" description="Répertoire ou nom de la page à rediriger" help="URL relative (sans le nom de domaine) redirigée pour l'adresse définie dans la variable ci-dessus (exemple &quot;/mail&quot;)" mandatory="True" multi="True" provider="revprox_location"/>
+        <variable name="revprox_location_" type="filename" description="Répertoire ou nom de la page à rediriger pour " help="URL relative (sans le nom de domaine) redirigée pour l'adresse définie dans la variable ci-dessus (exemple &quot;/mail&quot;)" mandatory="True" multi="True" provider="revprox_location"/>
-        <variable name="revprox_url_" type="web_address" description="Domaine de destination ou URI complète" mandatory="True" help="Nom de domaine ou IP de destination, par exemple &quot;http://domainelocal&quot; ou URI, par exemple &quot;http://domainelocal/dir/&quot;" provider="revprox_url"/>
+        <variable name="revprox_url_" type="web_address" description="Domaine de destination ou URI complète pour " mandatory="True" help="Nom de domaine ou IP de destination, par exemple &quot;http://domainelocal&quot; ou URI, par exemple &quot;http://domainelocal/dir/&quot;" provider="revprox_url"/>
-	<variable name="revprox_is_websocket_" type="boolean" description="Le point d'entré est de types websocket" mandatory="True" provider="revprox_is_websocket"/>
+	<variable name="revprox_is_websocket_" type="boolean" description="Le point d'entré est de types websocket pour " mandatory="True" provider="revprox_is_websocket"/>
-	<variable name="revprox_max_body_size_" description="Taille maximum du corps" provider="revprox_max_body_size"/>
+	<variable name="revprox_max_body_size_" description="Taille maximum du corps pour " provider="revprox_max_body_size"/>
       </family>
     </family>
   </variables>

seed/nginx-reverse-proxy/templates/nginx.service

@@ -1,12 +1,14 @@
-%set %%domains = []
+%set %%domains = set()
 %for %%domainname in %%revprox_domainnames_all
  %set %%family = %%normalize_family(%%domainname)
  %set %%revprox = %%nginx['reverse_proxy_for_' + family]['reverse_proxy_' + family]
  %for %%location in %%revprox['revprox_location_' + family]
   %set %%domain = %%location['revprox_url_' + family].split('/', 3)[2].split(':')[0]
-%%domains.append(%%domain)%slurp
+%%domains.add(%%domain)%slurp
  %end for
 %end for
+%set %%domains = %%list(%%domains)
+%%domains.sort()
 %if %%domains
  %set %%domains_str = " ".join(%%domains)
 [Service]

seed/nginx-reverse-proxy/templates/reverse-proxy.yml

@@ -0,0 +1,10 @@
+address: %%ip_eth0
+urls:
+%for %%domain in %%revprox_domainnames_all
+  %set %%suffix = %%normalize_family(%%domain)
+  %for %%location in %%nginx['reverse_proxy_for_' + %%suffix]['reverse_proxy_' + %%suffix]['revprox_location_' + %%suffix]
+    %if not %%location['revprox_is_websocket_' + %%suffix]
+- %%domain%%location
+    %end if
+  %end for
+%end for

seed/nginx-reverse-proxy/tests/test_revprox.py

@@ -0,0 +1,47 @@
+from yaml import load, SafeLoader
+from os import environ
+
+import warnings
+import socket
+from requests import get
+from requests.exceptions import SSLError
+
+
+def req(url, ip, verify=True):
+    # Monkey patch to force IPv4 resolution
+    old_getaddrinfo = socket.getaddrinfo
+    def new_getaddrinfo(*args, **kwargs):
+        ret = old_getaddrinfo(*args, **kwargs)
+        dns = list(ret[0])
+        dns[-1] = (ip, dns[-1][1])
+        return [dns]
+    socket.getaddrinfo = new_getaddrinfo
+    ret = get(url, verify=verify)
+    ret_code = ret.status_code
+    content = ret.content
+    socket.getaddrinfo = old_getaddrinfo
+    return ret_code, content.decode()
+
+
+def test_revprox():
+    conf_file = f'{environ["MACHINE_TEST_DIR"]}/reverse-proxy.yml'
+    with open(conf_file) as yaml:
+        data = load(yaml, Loader=SafeLoader)
+    # test unknown domain
+    url = 'google.fr'
+    with warnings.catch_warnings():
+        warnings.simplefilter("ignore")
+        ret_code, content = req(f'https://{url}', data['address'], verify=False)
+    assert ret_code == 200, f'https://{url} do not returns code 200 but {ret_code}'
+    assert "<title>Test Page for the HTTP Server on Fedora</title>" in content, f'https://{url} returns default fedora page'
+    # test certificate
+    try:
+        req(f'https://{url}', data['address'])
+        raise Exception(f'not certificat problem for https://{url}')
+    except SSLError:
+        pass
+    # test known domains
+    for url in data['urls']:
+        ret_code, content = req(f'https://{url}', data['address'])
+        assert ret_code == 200, f'https://{url} do not returns code 200 but {ret_code}'
+        assert "<title>Test Page for the HTTP Server on Fedora</title>" not in content, f'https://{url} returns default fedora page'

seed/nsd/dictionaries/20_nsd.xml

@@ -17,9 +17,7 @@
   <variables>
     <family name="network">
       <variable name="dns_client_address" redefine="True" disabled="True"/>
-      <variable name="ip_dns" redefine="True" remove_fill="True">
+      <variable name="ip_dns" redefine="True" remove_fill="True"/>
-        <value>127.0.0.1</value>
-      </variable>
     </family>
     <family name="dns_server" description="Serveur DNS">
       <variable name="nsd_allowed_client" type="ip" description="Clients" multi="True" mandatory="True" hidden="True" provider="dns"/>
@@ -47,6 +45,10 @@
       <param>ExternalDNS</param>
       <target>nsd_resolver</target>
     </fill>
+    <fill name="calc_value">
+      <param type="variable">ip_eth0</param>
+      <target>ip_dns</target>
+    </fill>
     <fill name="nsd_concat_lists">
       <param type="variable">ip_eth</param>
       <param type="variable">nsd_allowed_client</param>
@@ -56,7 +58,7 @@
     <fill name="set_linked">
       <param name="linked_server" type="variable">nsd_resolver</param>
       <param name="linked_provider">authorities</param>
-      <param name="linked_value" type="variable">ip_eth0</param>
+      <param name="linked_value" type="variable">domain_name_eth0</param>
       <param name="linked_returns">ip</param>
       <param name="dynamic">0</param>
       <target>nsd_resolve_ip</target>
@@ -64,14 +66,14 @@
     <check name="set_linked_configuration">
       <param name="linked_server" type="variable">nsd_resolver</param>
       <param name="leader_provider">authorities</param>
-      <param name="leader_value" type="variable">ip_eth0</param>
+      <param name="leader_value" type="variable">domain_name_eth0</param>
       <param name="linked_provider">authority_zones</param>
       <target>nsd_zones_all</target>
     </check>
     <check name="set_linked_configuration">
       <param name="linked_server" type="variable">nsd_resolver</param>
       <param name="leader_provider">authorities</param>
-      <param name="leader_value" type="variable">ip_eth0</param>
+      <param name="leader_value" type="variable">domain_name_eth0</param>
       <param name="linked_provider">authority_zones</param>
       <target>nsd_reverse_reverse_name</target>
     </check>

seed/nsd/tests/test_dns.py

@@ -1,14 +1,20 @@
 # DNSSEC : https://github.com/wubo1994/DNS-resolver-in-python3/blob/master/dnssec.py
-from yaml import loads
+# python3-pytest python3-yaml
+from yaml import load, SafeLoader
 from dns.resolver import Resolver
+from os import environ
 
 
 def test_nsd():
-    data = loads('./nsd.yml')
+    if 'MACHINE_TEST_DIR' not in environ:
+        return
+    conf_file = f'{environ["MACHINE_TEST_DIR"]}/nsd.yml'
+    with open(conf_file) as yaml:
+        data = load(yaml, Loader=SafeLoader)
     resolver = Resolver()
     resolver.nameservers = [data['address']]
     for dns, ip in data['records'].items():
         records = resolver.resolve(dns, 'A')
         ips = [record.address for record in records]
         assert len(ips) == 1, f"le domaine {dns} n'a pas qu'une ip {ips}"
-        assert ips[0] == ip, f"l'IP du domaine {dns} n'est pas correct, attendu : {ip}, obtenu {ips[0}}"
+        assert ips[0] == ip, f"l'IP du domaine {dns} n'est pas correct, attendu : {ip}, obtenu {ips[0]}"

seed/peertube/applicationservice.yml

@@ -2,6 +2,7 @@ format: '0.1'
 description: Peertube
 depends:
   - base-fedora-36
+  - dns-external
   - postgresql-client
   - relay-mail-client
   - reverse-proxy-client

seed/peertube/dictionaries/30_peertube.xml

@@ -11,7 +11,9 @@
   </services>
   <variables>
     <family name="network">
-      <variable name="dns_client_address" redefine="True"/>
+      <variable name="outgoing_ports" redefine="True">
+        <value>443</value>
+      </variable>
     </family>
     <family name="peertube">
       <variable name="peertube_admin_email" type="mail" description="Adresse courriel de l'administrateur Peertube" mandatory="True"/>
@@ -54,11 +56,6 @@
     </family>
   </variables>
   <constraints>
-    <fill name="get_provider_name">
-      <param type="variable">zone_name_eth0</param>
-      <param>ExternalDNS</param>
-      <target>dns_client_address</target>
-    </fill>
     <fill name="calc_oauth2_client_external">
       <param type="variable">revprox_client_external_domainnames</param>
       <param type="variable">revprox_client_location</param>

seed/postfix-relay/applicationservice.yml

@@ -2,4 +2,5 @@ format: '0.1'
 description: Postfix has relay
 depends:
   - base-fedora-35
+  - dns-external
 provider: SMTP

seed/postfix-relay/dictionaries/30_postfix.xml

@@ -33,7 +33,6 @@
   </services>
   <variables>
     <family name="network">
-      <variable name="dns_client_address" redefine="True"/>
       <variable name="outgoing_ports" redefine="True">
         <value>25</value>
       </variable>
@@ -56,11 +55,6 @@
     </family>
   </variables>
   <constraints>
-    <fill name="get_provider_name">
-      <param type="variable">zone_name_eth0</param>
-      <param>ExternalDNS</param>
-      <target>dns_client_address</target>
-    </fill>
     <fill name="calc_value">
       <param>/etc/opendkim/keys/</param>
       <param type="variable">postfix_relay_domains</param>

seed/unbound/applicationservice.yml

@@ -2,5 +2,6 @@ format: '0.1'
 description: Configuration du serveur DNS unbound
 service: true
 depends:
-  - base-fedora-35
+  - base-fedora-36
+  - dns-external
 provider: ExternalDNS

seed/unbound/templates/risotto.conf

@@ -21,7 +21,7 @@ remote-control:
  %for %%zone in %%authority.unbound_forward_zones
 forward-zone:
     name: "%%zone"
-    forward-addr: %%authority
+    forward-addr: %%get_ip(%%str(%%authority))
 
  %end for
 %end for

seed/vaultwarden/dictionaries/40_vaultwarden.xml

@@ -14,7 +14,7 @@
         <variable name="revprox_client_location" redefine="True">
           <value>/</value>
           <value>/notifications/hub</value>
-          <value>/notifications/hub/negotiate</value>
+          <!-- FIXME : value>/notifications/hub/negotiate</value-->
         </variable>
       </family>
       <variable name="revprox_client_cert_owner" redefine="True" hidden="True">