diff --git a/doc/certificates.md b/doc/certificates.md
new file mode 100644
index 0000000..6bcf049
--- /dev/null
+++ b/doc/certificates.md
@@ -0,0 +1,68 @@
+# Généré des certificats via la PKI interne de mini_risotto
+
+## Génération des certificates sur le serveur
+
+Création la variable contenant la chain :
+
+```
+<variables>
+  <variable name='service_ca_chain' description="CA certificate" hidden='True'/>
+</variable>
+```
+
+Création d'une autorité avec le nom "AuthorityName" (le nom est un terme en CamelCase) :
+
+```
+<fill name="get_chain">
+  <param name="cn" type="information">server_name</param>
+  <param name="authority_cn" type="information">server_name</param>
+  <param name="authority_name">AuthorityName</param>
+  <target>service_chain</target>
+</fill>
+```
+
+La création du fichier de CA est simple, il suffit d'utiliser la variable "service_ca_chain".
+
+Puis il faut créer le certificat avec un template qui contient :
+
+```
+%%get_certificate(%%domain_name_eth0, authority_name="AuthorityName")
+```
+
+Si l'autorité n'est pas gérer par le serveur courant, il faut précicer le nom du serveur responsable de l'autorité :
+
+```
+%%get_certificate(%%domain_name_eth0, authority_cn=%%server, authority_name="AuthorityName")
+```
+
+Enfin, le certificat peut avoir plusieurs nom de domaine, dans ce cas on peut le gérer par exemple en faisant :
+
+```
+%set %%extra_domainnames = []
+%for %%idx in %%range(1, %%number_of_interfaces)
+  %%extra_domainnames.append(%%getVar('domain_name_eth' + %%str(%%idx)))
+%end for
+%%get_certificate(%%domain_name_eth0, 'LDAP', extra_domainnames=%%extra_domainnames)
+```
+
+Enfin on peut récupérer la clef privée (attention APRÉS avoir récupérer le certificat) :
+
+```
+%get_private_key(%%domain_name_eth0, %%server)
+```
+
+Comme le certificat, l'autorité peut ne pas être de la responsabilité du serveur courant :
+
+```
+%get_private_key(%%domain_name_eth0, authority_cn=%%server, authority_name="ReverseProxy")
+```
+
+## PKI sous Fedora
+
+Création des fichiers pour l'autorité "AuthorityName" pour le service "service" :
+
+```
+<file>/etc/pki/ca-trust/source/anchors/ca_AuthorityName.crt</file>
+<file>/etc/pki/tls/certs/service.crt</file>
+<file owner="root" group="root" mode="400">/etc/pki/tls/private/service.key</file>
+```
diff --git a/doc/format.txt b/doc/format.txt
new file mode 100644
index 0000000..80369c4
--- /dev/null
+++ b/doc/format.txt
@@ -0,0 +1,21 @@
+Modèle de serveur
+=================
+
+name : nom du serveur modèle
+description : description du serveur modèle
+applicationservice : application service spécifique à ce serveur modèle
+os_name : nom de l'image
+os_version : version de l'image
+iso : URL de téléchargement de l'image
+
+Service applicatif
+==================
+
+format : numéro du format
+name : nom du service applicatif
+description: description du service applicatifs
+depends : liste de dépendances vers d'autres service applicatifs
+packages : liste de paquets logiciel a installé dans l'image
+os : liste des "os_name" et "os_version" compatible avec ce service applicatif
+
+
diff --git a/doc/link.md b/doc/link.md
new file mode 100644
index 0000000..98b7d68
--- /dev/null
+++ b/doc/link.md
@@ -0,0 +1,177 @@
+# Configuration liée
+
+Une configuration liée est un ensemble d'élément partagé entre deux serveurs différents.
+
+## Lier un client à un serveur
+
+```
+<check name="set_linked">
+  <param name="linked_provider">clients</param>
+  <param name="linked_value" type="variable">service_variable</param>
+  <target>service_variable_2</target>
+</check>
+```
+
+## Lier un client à un serveur avec un nom d'utilisateur issu du nom de domaine
+
+Il faut commencer de créer une variable côté serveur :
+
+```
+<variable name="remotes" description="All clients" type="domainname" multi="True" provider="clients"/>
+```
+
+Le nom d'utilisateur sera ici le nom de domaine du serveur avec l'application de la fonction 'normalize_family'.
+
+Pour lier deux configurations il faut créer deux variables côté client :
+
+```
+<variable name='service_server_address' type='domainname' description="Nom DNS du serveur" mandatory='True'/>
+<variable name='service_remote_user' type='string' description="Remote username" mandatory='True' hidden="True"/>
+```
+
+Enfin il faut lier les deux configurations :
+
+```
+<fill name="set_linked">
+  <param name="linked_server" type="variable">service_server_address</param>
+  <param name="linked_provider">clients</param>
+  <param name="linked_value" type="information">server_name</param>
+  <target>service_remote_user</target>
+</fill>
+```
+
+Ainsi, lorsque l'utilisateur renseignera la variable "service_server_address", cette valeur sera ajouter à la variable "remotes" du serveur.
+En retour la variable "service_remote_user" aura comme valeur "normalize_family(service_server_address)".
+
+## Lier un client unique à un serveur avec un nom d'utilisateur calculé sur le serveur
+
+Il faut commencer de créer les variables côté serveur :
+
+```
+<variables>
+  <variable name="remote" description="The client" type="domainname" provider="client"/>
+  <variable name="username" hidden="True" provider="client_name"/>
+</variables>
+<constraints>
+  <fill name="gen_user_name">
+    <target>username</target>
+  </fill>
+</constraints>
+```
+
+Côté client :
+
+```
+<variable name='service_server_address' type='domainname' description="Nom DNS du serveur" mandatory='True'/>
+<variable name='service_remote_user' type='string' description="Remote username" mandatory='True' hidden="True"/>
+```
+
+```
+<fill name="set_linked">
+  <param name="linked_server" type="variable">service_server_address</param>
+  <param name="linked_provider">clients</param>
+  <param name="linked_value" type="information">server_name</param>
+  <param name="linked_returns">client_name</param>
+  <target>service_remote_user</target>
+</fill>
+```
+
+Ainsi, lorsque l'utilisateur renseignera la variable "service_server_address", cette valeur sera la variable "remote" du serveur.
+Un nom d'utilisateur sera alors généré côté serveur, la valeur de ce nom sera retourner au client comme valeur de 'service_remote_user'.
+
+## Lier plusieurs clients à un serveur avec un nom d'utilisateur calculé sur le serveur
+
+Il faut commencer de créer les variables côté serveur :
+
+```
+<variables>
+  <variable name="remotes" description="All clients" type="domainname" multi="True" provider="clients"/>
+  <family name="remote_" description="Compte pour " dynamic="remotes">
+    <variable name="username_" hidden="True" provider="client_name"/>
+  </family>
+</variables>
+<constraints>
+  <fill name="gen_user_name">
+    <target>username_</target>
+  </fill>
+</constraints>
+```
+
+Côté client :
+
+```
+<variable name='service_server_address' type='domainname' description="Nom DNS du serveur" mandatory='True'/>
+<variable name='service_remote_user' type='string' description="Remote username" mandatory='True' hidden="True"/>
+```
+
+```
+<fill name="set_linked">
+  <param name="linked_server" type="variable">service_server_address</param>
+  <param name="linked_provider">clients</param>
+  <param name="linked_value" type="information">server_name</param>
+  <param name="linked_returns">client_name</param>
+  <param name="dynamic" type="information">server_name</param>
+  <target>service_remote_user</target>
+</fill>
+```
+
+Ainsi, lorsque l'utilisateur renseignera la variable "service_server_address", cette valeur sera ajouter à la variable "remotes" du serveur.
+Un nom d'utilisateur sera alors généré côté serveur, la valeur de ce nom sera retourner au client comme valeur de 'service_remote_user'.
+
+## Caculer une variable d'un client par rapport à la valeur d'un serveur
+
+Il faut commencer de créer une nouvelle variables côté serveur par exemple dans une famille dynamique :
+
+```
+<variables>
+  <family name="remote_" description="Compte pour " dynamic="remotes">
+    <variable name="password_" description="Password " auto_save="True" hidden="True" type="password" provider="client_password"/>
+  </family>
+</variables>
+<constraints>
+  <fill name="gen_password">
+    <target>password_</target>
+  </fill>
+</constraints>
+```
+
+Côté client on veut récupérer ce mot de passe dans une variable :
+
+```
+<variable name='service_remote_user_password' type='password' description="Remote password" mandatory='True' hidden="True"/>
+```
+
+Et calculer cette valeur :
+
+```
+<fill name="get_linked_configuration">
+  <param name="linked_server" type="variable">service_server_address</param>
+  <param name="linked_provider">client_password</param>
+  <param name="dynamic" type="variable">service_remote_user</param>
+  <target>service_remote_user_password</target>
+</fill>
+```
+
+## Propoger la valeur d'une variable d'un client vers un serveur
+
+```
+<check name="set_linked_configuration">
+  <param name="linked_server" type="variable">service_server_address</param>
+  <param name="linked_provider">client_var</param>
+  <param name="dynamic" type="variable">service_remote_user</param>
+  <target>service_variable</target>
+</check>
+```
+
+## Propoger la valeur d'une variable d'un client vers un variable esclave du serveur
+
+```
+<check name="set_linked_configuration">
+  <param name="linked_server" type="variable">service_server_address</param>
+  <param name="leader_provider">client_var</param>
+  <param name="leader_value" type="variable">service_variable</param>
+  <param name="linked_provider">slave</param>
+  <param name="dynamic" type="variable">service_server_address</param>
+  <target>service_variable_2</target>
+</check>
+```
diff --git a/seed/applicationservice/2022.03.08/apache/FIXME b/seed/applicationservice/2022.03.08/apache/FIXME
new file mode 100644
index 0000000..7899c2f
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/apache/FIXME
@@ -0,0 +1,2 @@
+# ln -s /etc/httpd/conf.d/nextcloud-access.conf.avail /etc/httpd/conf.d/z-nextcloud-access.conf
+
diff --git a/seed/applicationservice/2022.03.08/apache/applicationservice.yml b/seed/applicationservice/2022.03.08/apache/applicationservice.yml
new file mode 100644
index 0000000..f9746bb
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/apache/applicationservice.yml
@@ -0,0 +1,5 @@
+format: '0.1'
+description: Apache configuration
+depends:
+  - base-fedora-35
+  - reverse-proxy-client
diff --git a/seed/applicationservice/2022.03.08/apache/dictionaries/20_web.xml b/seed/applicationservice/2022.03.08/apache/dictionaries/20_web.xml
new file mode 100644
index 0000000..e51a2da
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/apache/dictionaries/20_web.xml
@@ -0,0 +1,31 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name="httpd" target="multi-user">
+      <file>/etc/httpd/conf/httpd.conf</file>
+      <file>/etc/httpd/conf.d/risotto.conf</file>
+      <file>/etc/httpd/conf.d/ssl.conf</file>
+      <file>/etc/httpd/ssl/server.ca</file>
+      <file>/etc/httpd/ssl/server.key</file>
+      <file>/etc/httpd/ssl/server.crt</file>
+      <file engine="none" source="sysuser-httpd.conf">/sysusers.d/httpd.conf</file>
+      <file engine="none" source="tmpfile-httpd.conf">/tmpfiles.d/0httpd.conf</file>
+    </service>
+  </services>
+  <variables>
+    <family name="apache" description="Apache" help="Paramètrage avancé du serveur web Apache">
+      <variable name="apache_timeout" type="number" description="Temps en secondes pendant lequel le serveur va attendre des entrées/sorties avant de considérer qu'une requête a échoué">
+        <value>300</value>
+      </variable>
+      <variable name="apache_keepalive" type="boolean" description="Autoriser les connexions persistantes"/>
+      <variable name="server_ca" hidden="True"/>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="get_chain">
+      <param name="authority_cn" type="variable">revprox_client_server_domainname</param>
+      <param name="authority_name">ReverseProxy</param>
+      <target>server_ca</target>
+    </fill>
+  </constraints>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/apache/templates/httpd.conf b/seed/applicationservice/2022.03.08/apache/templates/httpd.conf
new file mode 100644
index 0000000..5de9077
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/apache/templates/httpd.conf
@@ -0,0 +1,360 @@
+#
+# This is the main Apache HTTP server configuration file.  It contains the
+# configuration directives that give the server its instructions.
+# See <URL:http://httpd.apache.org/docs/2.4/> for detailed information.
+# In particular, see 
+# <URL:http://httpd.apache.org/docs/2.4/mod/directives.html>
+# for a discussion of each configuration directive.
+#
+# See the httpd.conf(5) man page for more information on this configuration,
+# and httpd.service(8) on using and configuring the httpd service.
+#
+# Do NOT simply read the instructions in here without understanding
+# what they do.  They're here only as hints or reminders.  If you are unsure
+# consult the online docs. You have been warned.  
+#
+# Configuration and logfile names: If the filenames you specify for many
+# of the server's control files begin with "/" (or "drive:/" for Win32), the
+# server will use that explicit path.  If the filenames do *not* begin
+# with "/", the value of ServerRoot is prepended -- so 'log/access_log'
+# with ServerRoot set to '/www' will be interpreted by the
+# server as '/www/log/access_log', where as '/log/access_log' will be
+# interpreted as '/log/access_log'.
+
+#
+# ServerRoot: The top of the directory tree under which the server's
+# configuration, error, and log files are kept.
+#
+# Do not add a slash at the end of the directory path.  If you point
+# ServerRoot at a non-local disk, be sure to specify a local disk on the
+# Mutex directive, if file-based mutexes are used.  If you wish to share the
+# same ServerRoot for multiple httpd daemons, you will need to change at
+# least PidFile.
+#
+ServerRoot "/etc/httpd"
+
+#
+# Listen: Allows you to bind Apache to specific IP addresses and/or
+# ports, instead of the default. See also the <VirtualHost>
+# directive.
+#
+# Change this to Listen on a specific IP address, but note that if
+# httpd.service is enabled to run at boot time, the address may not be
+# available when the service starts.  See the httpd.service(8) man
+# page for more information.
+#
+#Listen 12.34.56.78:80
+Listen 80
+
+#
+# Dynamic Shared Object (DSO) Support
+#
+# To be able to use the functionality of a module which was built as a DSO you
+# have to place corresponding `LoadModule' lines at this location so the
+# directives contained in it are actually available _before_ they are used.
+# Statically compiled modules (those listed by `httpd -l') do not need
+# to be loaded here.
+#
+# Example:
+# LoadModule foo_module modules/mod_foo.so
+#
+Include conf.modules.d/*.conf
+
+#
+# If you wish httpd to run as a different user or group, you must run
+# httpd as root initially and it will switch.  
+#
+# User/Group: The name (or #number) of the user/group to run httpd as.
+# It is usually good practice to create a dedicated user and group for
+# running httpd, as with most system services.
+#
+User apache
+Group apache
+
+# 'Main' server configuration
+#
+# The directives in this section set up the values used by the 'main'
+# server, which responds to any requests that aren't handled by a
+# <VirtualHost> definition.  These values also provide defaults for
+# any <VirtualHost> containers you may define later in the file.
+#
+# All of these directives may appear inside <VirtualHost> containers,
+# in which case these default settings will be overridden for the
+# virtual host being defined.
+#
+
+#
+# ServerAdmin: Your address, where problems with the server should be
+# e-mailed.  This address appears on some server-generated pages, such
+# as error documents.  e.g. admin@your-domain.com
+#
+ServerAdmin root@localhost
+
+#
+# ServerName gives the name and port that the server uses to identify itself.
+# This can often be determined automatically, but we recommend you specify
+# it explicitly to prevent problems during startup.
+#
+# If your host doesn't have a registered DNS name, enter its IP address here.
+#
+#ServerName www.example.com:80
+
+#
+# Deny access to the entirety of your server's filesystem. You must
+# explicitly permit access to web content directories in other 
+# <Directory> blocks below.
+#
+<Directory />
+    AllowOverride none
+    Require all denied
+</Directory>
+
+#
+# Note that from this point forward you must specifically allow
+# particular features to be enabled - so if something's not working as
+# you might expect, make sure that you have specifically enabled it
+# below.
+#
+
+#
+# DocumentRoot: The directory out of which you will serve your
+# documents. By default, all requests are taken from this directory, but
+# symbolic links and aliases may be used to point to other locations.
+#
+DocumentRoot "/var/www/html"
+
+#
+# Relax access to content within /var/www.
+#
+<Directory "/var/www">
+    AllowOverride None
+    # Allow open access:
+    Require all granted
+</Directory>
+
+# Further relax access to the default document root:
+<Directory "/var/www/html">
+    #
+    # Possible values for the Options directive are "None", "All",
+    # or any combination of:
+    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
+    #
+    # Note that "MultiViews" must be named *explicitly* --- "Options All"
+    # doesn't give it to you.
+    #
+    # The Options directive is both complicated and important.  Please see
+    # http://httpd.apache.org/docs/2.4/mod/core.html#options
+    # for more information.
+    #
+    Options Indexes FollowSymLinks
+
+    #
+    # AllowOverride controls what directives may be placed in .htaccess files.
+    # It can be "All", "None", or any combination of the keywords:
+    #   Options FileInfo AuthConfig Limit
+    #
+    AllowOverride None
+
+    #
+    # Controls who can get stuff from this server.
+    #
+    Require all granted
+</Directory>
+
+#
+# DirectoryIndex: sets the file that Apache will serve if a directory
+# is requested.
+#
+<IfModule dir_module>
+    DirectoryIndex index.html
+</IfModule>
+
+#
+# The following lines prevent .htaccess and .htpasswd files from being 
+# viewed by Web clients. 
+#
+<Files ".ht*">
+    Require all denied
+</Files>
+
+#
+# ErrorLog: The location of the error log file.
+# If you do not specify an ErrorLog directive within a <VirtualHost>
+# container, error messages relating to that virtual host will be
+# logged here.  If you *do* define an error logfile for a <VirtualHost>
+# container, that host's errors will be logged there and not here.
+#
+# GNUNUX ErrorLog "logs/error_log"
+ErrorLog "|/usr/bin/systemd-cat -p err -t httpd"
+
+#
+# LogLevel: Control the number of messages logged to the error_log.
+# Possible values include: debug, info, notice, warn, error, crit,
+# alert, emerg.
+#
+LogLevel warn
+
+<IfModule log_config_module>
+    #
+    # The following directives define some format nicknames for use with
+    # a CustomLog directive (see below).
+    #
+    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
+    LogFormat "%h %l %u %t \"%r\" %>s %b" common
+
+    <IfModule logio_module>
+      # You need to enable mod_logio.c to use %I and %O
+      LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
+    </IfModule>
+
+    #
+    # The location and format of the access logfile (Common Logfile Format).
+    # If you do not define any access logfiles within a <VirtualHost>
+    # container, they will be logged here.  Contrariwise, if you *do*
+    # define per-<VirtualHost> access logfiles, transactions will be
+    # logged therein and *not* in this file.
+    #
+    #CustomLog "logs/access_log" common
+
+    #
+    # If you prefer a logfile with access, agent, and referer information
+    # (Combined Logfile Format) you can use the following directive.
+    #
+    # GNUNUX CustomLog "logs/access_log" combined
+    CustomLog "|/usr/bin/systemd-cat -t httpd" combined
+</IfModule>
+
+<IfModule alias_module>
+    #
+    # Redirect: Allows you to tell clients about documents that used to 
+    # exist in your server's namespace, but do not anymore. The client 
+    # will make a new request for the document at its new location.
+    # Example:
+    # Redirect permanent /foo http://www.example.com/bar
+
+    #
+    # Alias: Maps web paths into filesystem paths and is used to
+    # access content that does not live under the DocumentRoot.
+    # Example:
+    # Alias /webpath /full/filesystem/path
+    #
+    # If you include a trailing / on /webpath then the server will
+    # require it to be present in the URL.  You will also likely
+    # need to provide a <Directory> section to allow access to
+    # the filesystem path.
+
+    #
+    # ScriptAlias: This controls which directories contain server scripts. 
+    # ScriptAliases are essentially the same as Aliases, except that
+    # documents in the target directory are treated as applications and
+    # run by the server when requested rather than as documents sent to the
+    # client.  The same rules about trailing "/" apply to ScriptAlias
+    # directives as to Alias.
+    #
+    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
+
+</IfModule>
+
+#
+# "/var/www/cgi-bin" should be changed to whatever your ScriptAliased
+# CGI directory exists, if you have that configured.
+#
+<Directory "/var/www/cgi-bin">
+    AllowOverride None
+    Options None
+    Require all granted
+</Directory>
+
+<IfModule mime_module>
+    #
+    # TypesConfig points to the file containing the list of mappings from
+    # filename extension to MIME-type.
+    #
+    TypesConfig /etc/mime.types
+
+    #
+    # AddType allows you to add to or override the MIME configuration
+    # file specified in TypesConfig for specific file types.
+    #
+    #AddType application/x-gzip .tgz
+    #
+    # AddEncoding allows you to have certain browsers uncompress
+    # information on the fly. Note: Not all browsers support this.
+    #
+    #AddEncoding x-compress .Z
+    #AddEncoding x-gzip .gz .tgz
+    #
+    # If the AddEncoding directives above are commented-out, then you
+    # probably should define those extensions to indicate media types:
+    #
+    AddType application/x-compress .Z
+    AddType application/x-gzip .gz .tgz
+
+    #
+    # AddHandler allows you to map certain file extensions to "handlers":
+    # actions unrelated to filetype. These can be either built into the server
+    # or added with the Action directive (see below)
+    #
+    # To use CGI scripts outside of ScriptAliased directories:
+    # (You will also need to add "ExecCGI" to the "Options" directive.)
+    #
+    #AddHandler cgi-script .cgi
+
+    # For type maps (negotiated resources):
+    #AddHandler type-map var
+
+    #
+    # Filters allow you to process content before it is sent to the client.
+    #
+    # To parse .shtml files for server-side includes (SSI):
+    # (You will also need to add "Includes" to the "Options" directive.)
+    #
+    AddType text/html .shtml
+    AddOutputFilter INCLUDES .shtml
+</IfModule>
+
+#
+# Specify a default charset for all content served; this enables
+# interpretation of all content as UTF-8 by default.  To use the 
+# default browser choice (ISO-8859-1), or to allow the META tags
+# in HTML content to override this choice, comment out this
+# directive:
+#
+AddDefaultCharset UTF-8
+
+<IfModule mime_magic_module>
+    #
+    # The mod_mime_magic module allows the server to use various hints from the
+    # contents of the file itself to determine its type.  The MIMEMagicFile
+    # directive tells the module where the hint definitions are located.
+    #
+    MIMEMagicFile conf/magic
+</IfModule>
+
+#
+# Customizable error responses come in three flavors:
+# 1) plain text 2) local redirects 3) external redirects
+#
+# Some examples:
+#ErrorDocument 500 "The server made a boo boo."
+#ErrorDocument 404 /missing.html
+#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
+#ErrorDocument 402 http://www.example.com/subscription_info.html
+#
+
+#
+# EnableMMAP and EnableSendfile: On systems that support it, 
+# memory-mapping or the sendfile syscall may be used to deliver
+# files.  This usually improves server performance, but must
+# be turned off when serving from networked-mounted 
+# filesystems or if support for these functions is otherwise
+# broken on your system.
+# Defaults if commented: EnableMMAP On, EnableSendfile Off
+#
+#EnableMMAP off
+EnableSendfile on
+
+# Supplemental configuration
+#
+# Load config files in the "/etc/httpd/conf.d" directory, if any.
+IncludeOptional conf.d/*.conf
diff --git a/seed/applicationservice/2022.03.08/apache/templates/risotto.conf b/seed/applicationservice/2022.03.08/apache/templates/risotto.conf
new file mode 100644
index 0000000..3ee7beb
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/apache/templates/risotto.conf
@@ -0,0 +1,15 @@
+# Timeout
+Timeout %%apache_timeout
+
+# Keepalive
+%if %%apache_keepalive
+KeepAlive On
+%else
+KeepAlive Off
+%end if
+MaxKeepAliveRequests 50
+KeepAliveTimeout %%apache_timeout
+
+# RemoteIp
+RemoteIPHeader X-Forwarded-For
+RemoteIPInternalProxy %%revprox_client_server_ip
diff --git a/seed/applicationservice/2022.03.08/apache/templates/server.ca b/seed/applicationservice/2022.03.08/apache/templates/server.ca
new file mode 100644
index 0000000..898516b
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/apache/templates/server.ca
@@ -0,0 +1 @@
+%%server_ca
diff --git a/seed/applicationservice/2022.03.08/apache/templates/server.crt b/seed/applicationservice/2022.03.08/apache/templates/server.crt
new file mode 100644
index 0000000..a07a55f
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/apache/templates/server.crt
@@ -0,0 +1 @@
+%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name="ReverseProxy")
diff --git a/seed/applicationservice/2022.03.08/apache/templates/server.key b/seed/applicationservice/2022.03.08/apache/templates/server.key
new file mode 100644
index 0000000..3855f57
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/apache/templates/server.key
@@ -0,0 +1 @@
+%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name="ReverseProxy")
diff --git a/seed/applicationservice/2022.03.08/apache/templates/ssl.conf b/seed/applicationservice/2022.03.08/apache/templates/ssl.conf
new file mode 100644
index 0000000..0067b4a
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/apache/templates/ssl.conf
@@ -0,0 +1,226 @@
+#
+# When we also provide SSL we have to listen to the 
+# standard HTTPS port in addition.
+#
+Listen 443 https
+
+##
+##  SSL Global Context
+##
+##  All SSL configuration in this context applies both to
+##  the main server and all SSL-enabled virtual hosts.
+##
+
+#   Pass Phrase Dialog:
+#   Configure the pass phrase gathering process.
+#   The filtering dialog program (`builtin' is a internal
+#   terminal dialog) has to provide the pass phrase on stdout.
+SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
+
+#   Inter-Process Session Cache:
+#   Configure the SSL Session Cache: First the mechanism 
+#   to use and second the expiring timeout (in seconds).
+SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
+SSLSessionCacheTimeout  300
+
+#   Pseudo Random Number Generator (PRNG):
+#   Configure one or more sources to seed the PRNG of the 
+#   SSL library. The seed data should be of good random quality.
+#   WARNING! On some platforms /dev/random blocks if not enough entropy
+#   is available. This means you then cannot use the /dev/random device
+#   because it would lead to very long connection times (as long as
+#   it requires to make more entropy available). But usually those
+#   platforms additionally provide a /dev/urandom device which doesn't
+#   block. So, if available, use this one instead. Read the mod_ssl User
+#   Manual for more details.
+SSLRandomSeed startup file:/dev/urandom  256
+SSLRandomSeed connect builtin
+#SSLRandomSeed startup file:/dev/random  512
+#SSLRandomSeed connect file:/dev/random  512
+#SSLRandomSeed connect file:/dev/urandom 512
+
+#
+# Use "SSLCryptoDevice" to enable any supported hardware
+# accelerators. Use "openssl engine -v" to list supported
+# engine names.  NOTE: If you enable an accelerator and the
+# server does not start, consult the error logs and ensure
+# your accelerator is functioning properly. 
+#
+SSLCryptoDevice builtin
+#SSLCryptoDevice ubsec
+
+##
+## SSL Virtual Host Context
+##
+
+<VirtualHost _default_:443>
+
+# General setup for the virtual host, inherited from global configuration
+#DocumentRoot "/var/www/html"
+#ServerName www.example.com:443
+
+# Use separate log files for the SSL virtual host; note that LogLevel
+# is not inherited from httpd.conf.
+# GNUNUX ErrorLog logs/ssl_error_log
+ErrorLog "|/usr/bin/systemd-cat -p err -t httpd"
+# GNUNUX TransferLog logs/ssl_access_log
+LogLevel warn
+
+#   SSL Engine Switch:
+#   Enable/Disable SSL for this virtual host.
+SSLEngine on
+
+#   List the protocol versions which clients are allowed to connect with.
+#   The OpenSSL system profile is configured by default.  See
+#   update-crypto-policies(8) for more details.
+#SSLProtocol all -SSLv3
+#SSLProxyProtocol all -SSLv3
+
+#   User agents such as web browsers are not configured for the user's
+#   own preference of either security or performance, therefore this
+#   must be the prerogative of the web server administrator who manages
+#   cpu load versus confidentiality, so enforce the server's cipher order.
+SSLHonorCipherOrder on
+
+#   SSL Cipher Suite:
+#   List the ciphers that the client is permitted to negotiate.
+#   See the mod_ssl documentation for a complete list.
+#   The OpenSSL system profile is configured by default.  See
+#   update-crypto-policies(8) for more details.
+SSLCipherSuite PROFILE=SYSTEM
+SSLProxyCipherSuite PROFILE=SYSTEM
+
+#   Point SSLCertificateFile at a PEM encoded certificate.  If
+#   the certificate is encrypted, then you will be prompted for a
+#   pass phrase.  Note that restarting httpd will prompt again.  Keep
+#   in mind that if you have both an RSA and a DSA certificate you
+#   can configure both in parallel (to also allow the use of DSA
+#   ciphers, etc.)
+#   Some ECC cipher suites (http://www.ietf.org/rfc/rfc4492.txt)
+#   require an ECC certificate which can also be configured in
+#   parallel.
+# GNUNUX SSLCertificateFile /etc/pki/tls/certs/localhost.crt
+SSLCertificateFile      /etc/httpd/ssl/server.crt
+
+#   Server Private Key:
+#   If the key is not combined with the certificate, use this
+#   directive to point at the key file.  Keep in mind that if
+#   you've both a RSA and a DSA private key you can configure
+#   both in parallel (to also allow the use of DSA ciphers, etc.)
+#   ECC keys, when in use, can also be configured in parallel
+# GNUNUX SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
+SSLCertificateKeyFile   /etc/httpd/ssl/server.key
+
+#   Server Certificate Chain:
+#   Point SSLCertificateChainFile at a file containing the
+#   concatenation of PEM encoded CA certificates which form the
+#   certificate chain for the server certificate. Alternatively
+#   the referenced file can be the same as SSLCertificateFile
+#   when the CA certificates are directly appended to the server
+#   certificate for convenience.
+#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
+
+#   Certificate Authority (CA):
+#   Set the CA certificate verification path where to find CA
+#   certificates for client authentication or alternatively one
+#   huge file containing all of them (file must be PEM encoded)
+#SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
+#>GNUNUX
+SSLCACertificateFile /etc/httpd/ssl/server.ca
+#<GNUNUX
+
+#   Client Authentication (Type):
+#   Client certificate verification type and depth.  Types are
+#   none, optional, require and optional_no_ca.  Depth is a
+#   number which specifies how deeply to verify the certificate
+#   issuer chain before deciding the certificate is not valid.
+#SSLVerifyClient require
+#SSLVerifyDepth  10
+
+#   Access Control:
+#   With SSLRequire you can do per-directory access control based
+#   on arbitrary complex boolean expressions containing server
+#   variable checks and other lookup directives.  The syntax is a
+#   mixture between C and Perl.  See the mod_ssl documentation
+#   for more details.
+#<Location />
+#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
+#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
+#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
+#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
+#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
+#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
+#</Location>
+
+#   SSL Engine Options:
+#   Set various options for the SSL engine.
+#   o FakeBasicAuth:
+#     Translate the client X.509 into a Basic Authorisation.  This means that
+#     the standard Auth/DBMAuth methods can be used for access control.  The
+#     user name is the `one line' version of the client's X.509 certificate.
+#     Note that no password is obtained from the user. Every entry in the user
+#     file needs this password: `xxj31ZMTZzkVA'.
+#   o ExportCertData:
+#     This exports two additional environment variables: SSL_CLIENT_CERT and
+#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
+#     server (always existing) and the client (only existing when client
+#     authentication is used). This can be used to import the certificates
+#     into CGI scripts.
+#   o StdEnvVars:
+#     This exports the standard SSL/TLS related `SSL_*' environment variables.
+#     Per default this exportation is switched off for performance reasons,
+#     because the extraction step is an expensive operation and is usually
+#     useless for serving static content. So one usually enables the
+#     exportation for CGI and SSI requests only.
+#   o StrictRequire:
+#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
+#     under a "Satisfy any" situation, i.e. when it applies access is denied
+#     and no other module can change it.
+#   o OptRenegotiate:
+#     This enables optimized SSL connection renegotiation handling when SSL
+#     directives are used in per-directory context. 
+#SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
+<FilesMatch "\.(cgi|shtml|phtml|php)$">
+    SSLOptions +StdEnvVars
+</FilesMatch>
+<Directory "/var/www/cgi-bin">
+    SSLOptions +StdEnvVars
+</Directory>
+
+#   SSL Protocol Adjustments:
+#   The safe and default but still SSL/TLS standard compliant shutdown
+#   approach is that mod_ssl sends the close notify alert but doesn't wait for
+#   the close notify alert from client. When you need a different shutdown
+#   approach you can use one of the following variables:
+#   o ssl-unclean-shutdown:
+#     This forces an unclean shutdown when the connection is closed, i.e. no
+#     SSL close notify alert is sent or allowed to be received.  This violates
+#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
+#     this when you receive I/O errors because of the standard approach where
+#     mod_ssl sends the close notify alert.
+#   o ssl-accurate-shutdown:
+#     This forces an accurate shutdown when the connection is closed, i.e. a
+#     SSL close notify alert is sent and mod_ssl waits for the close notify
+#     alert of the client. This is 100% SSL/TLS standard compliant, but in
+#     practice often causes hanging connections with brain-dead browsers. Use
+#     this only for browsers where you know that their SSL implementation
+#     works correctly. 
+#   Notice: Most problems of broken clients are also related to the HTTP
+#   keep-alive facility, so you usually additionally want to disable
+#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
+#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
+#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
+#   "force-response-1.0" for this.
+BrowserMatch "MSIE [2-5]" \
+         nokeepalive ssl-unclean-shutdown \
+         downgrade-1.0 force-response-1.0
+
+#   Per-Server Logging:
+#   The home of a custom SSL log file. Use this when you want a
+#   compact non-error SSL logfile on a virtual host basis.
+# GNUNUX CustomLog logs/ssl_request_log \
+# GNUNUX           "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
+CustomLog "|/usr/bin/systemd-cat -t httpd" combined
+
+</VirtualHost>
+
diff --git a/seed/applicationservice/2022.03.08/apache/templates/sysuser-httpd.conf b/seed/applicationservice/2022.03.08/apache/templates/sysuser-httpd.conf
new file mode 100644
index 0000000..cf50a90
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/apache/templates/sysuser-httpd.conf
@@ -0,0 +1,2 @@
+g apache 48 -
+u apache 48:48     "Apache" /usr/share/httpd /sbin/nologin
diff --git a/seed/applicationservice/2022.03.08/apache/templates/tmpfile-httpd.conf b/seed/applicationservice/2022.03.08/apache/templates/tmpfile-httpd.conf
new file mode 100644
index 0000000..099d6b2
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/apache/templates/tmpfile-httpd.conf
@@ -0,0 +1,2 @@
+d /var/www/html 750 root apache - -
+
diff --git a/seed/applicationservice/2022.03.08/base-debian-bullseye/applicationservice.yml b/seed/applicationservice/2022.03.08/base-debian-bullseye/applicationservice.yml
new file mode 100644
index 0000000..7ffa230
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-debian-bullseye/applicationservice.yml
@@ -0,0 +1,4 @@
+format: '0.1'
+description: Information de base d'un serveur Debian Buster
+depends:
+  - base-debian
diff --git a/seed/applicationservice/2022.03.08/base-debian-bullseye/dictionaries/00-debian-bullseye.xml b/seed/applicationservice/2022.03.08/base-debian-bullseye/dictionaries/00-debian-bullseye.xml
new file mode 100644
index 0000000..3a16d80
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-debian-bullseye/dictionaries/00-debian-bullseye.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rougail version="0.10">
+  <services>
+    <service name="dnssec" manage="False">
+      <file>/etc/dnssec-trust-anchors.d/local.negative</file>
+    </service>
+  </services>
+  <variables>
+    <family name="general">
+      <variable name="os_version" type="string" description="OS Version" hidden="True">
+        <value>bullseye</value>
+      </variable>
+    </family>
+  </variables>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/base-debian-bullseye/manual/image/preinstall/base_debian_bullseye.sh b/seed/applicationservice/2022.03.08/base-debian-bullseye/manual/image/preinstall/base_debian_bullseye.sh
new file mode 100644
index 0000000..439a6d4
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-debian-bullseye/manual/image/preinstall/base_debian_bullseye.sh
@@ -0,0 +1 @@
+RELEASEVER=bullseye
diff --git a/seed/applicationservice/2022.03.08/base-debian-bullseye/templates/local.negative b/seed/applicationservice/2022.03.08/base-debian-bullseye/templates/local.negative
new file mode 100644
index 0000000..f571c67
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-debian-bullseye/templates/local.negative
@@ -0,0 +1,2 @@
+%set %%domain=%%domain_name_eth0.split('.', 1)[1]
+%%domain
diff --git a/seed/applicationservice/2022.03.08/base-debian/applicationservice.yml b/seed/applicationservice/2022.03.08/base-debian/applicationservice.yml
new file mode 100644
index 0000000..3d7d747
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-debian/applicationservice.yml
@@ -0,0 +1,5 @@
+format: '0.1'
+description: Information de base d'un serveur Debian
+depends:
+  - base
+  - systemd
diff --git a/seed/applicationservice/2022.03.08/base-debian/dictionaries/00-debian-base.xml b/seed/applicationservice/2022.03.08/base-debian/dictionaries/00-debian-base.xml
new file mode 100644
index 0000000..2c6876f
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-debian/dictionaries/00-debian-base.xml
@@ -0,0 +1,26 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rougail version="0.10">
+  <services>
+    <service name="debian" manage="False">
+      <file engine="none" source="tmpfile-tmp.conf">/tmpfiles.d/0tmp.conf</file>
+      <file engine="none">/etc/default/locale</file>
+    </service>
+    <service name="update-ca-certificates" engine="creole" target="multi-user"/>
+  </services>
+  <variables>
+    <family name="general">
+      <variable name="os_name" type="string" description="OS name" hidden="True">
+        <value>Debian</value>
+      </variable>
+      <variable name="tls_ca_directory" type="filename" description="Directory where CA are stored" hidden="True">
+        <value>/etc/ssl-localca</value>
+      </variable>
+      <variable name="tls_cert_directory" type="filename" description="Directory where certificates are stored" hidden="True">
+        <value>/etc/ssl/certs</value>
+      </variable>
+      <variable name="tls_key_directory" type="filename" description="Directory where private keys are stored" hidden="True">
+        <value>/etc/ssl/private</value>
+      </variable>
+    </family>
+  </variables>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/base-debian/manual/image/postinstall/debian.sh b/seed/applicationservice/2022.03.08/base-debian/manual/image/postinstall/debian.sh
new file mode 100644
index 0000000..f93d970
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-debian/manual/image/postinstall/debian.sh
@@ -0,0 +1,2 @@
+rm -f $IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/resolv.conf
+ln -s ../run/systemd/resolve/stub-resolv.conf $IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/resolv.conf
diff --git a/seed/applicationservice/2022.03.08/base-debian/manual/image/preinstall/base_debian.sh b/seed/applicationservice/2022.03.08/base-debian/manual/image/preinstall/base_debian.sh
new file mode 100644
index 0000000..a9e39f5
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-debian/manual/image/preinstall/base_debian.sh
@@ -0,0 +1,3 @@
+BASE_PKG="dbus,udev,systemd,bash,lsof,strace,apt-listchanges"
+INSTALL_TOOL="apt"
+OS_NAME="debian"
diff --git a/seed/applicationservice/2022.03.08/base-debian/templates/locale b/seed/applicationservice/2022.03.08/base-debian/templates/locale
new file mode 100644
index 0000000..6df3e00
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-debian/templates/locale
@@ -0,0 +1 @@
+LANG="fr_FR.UTF-8"
diff --git a/seed/applicationservice/2022.03.08/base-debian/templates/tmpfile-tmp.conf b/seed/applicationservice/2022.03.08/base-debian/templates/tmpfile-tmp.conf
new file mode 100644
index 0000000..892f6aa
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-debian/templates/tmpfile-tmp.conf
@@ -0,0 +1 @@
+q /var/tmp 1777 root root 30d
diff --git a/seed/applicationservice/2022.03.08/base-debian/templates/update-ca-certificates.service b/seed/applicationservice/2022.03.08/base-debian/templates/update-ca-certificates.service
new file mode 100644
index 0000000..66bf60e
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-debian/templates/update-ca-certificates.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Update CA Certificates
+Before=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/update-ca-certificates --localcertsdir %%tls_ca_directory
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/seed/applicationservice/2022.03.08/base-fedora/README.md b/seed/applicationservice/2022.03.08/base-fedora/README.md
new file mode 100644
index 0000000..d7ad423
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-fedora/README.md
@@ -0,0 +1 @@
+Inspired by: https://pagure.io/fedora-kickstarts/tree/main
diff --git a/seed/applicationservice/2022.03.08/base-fedora/applicationservice.yml b/seed/applicationservice/2022.03.08/base-fedora/applicationservice.yml
new file mode 100644
index 0000000..f961670
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-fedora/applicationservice.yml
@@ -0,0 +1,5 @@
+format: '0.1'
+description: Information de base d'un serveur Fedora
+depends:
+  - base
+  - systemd
diff --git a/seed/applicationservice/2022.03.08/base-fedora/dictionaries/00-fedora-base.xml b/seed/applicationservice/2022.03.08/base-fedora/dictionaries/00-fedora-base.xml
new file mode 100644
index 0000000..7da1647
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-fedora/dictionaries/00-fedora-base.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rougail version="0.10">
+  <services>
+    <service name="update-ca-trust" engine="creole" target="multi-user"/>
+    <service name="fedora-base" manage="False">
+      <file engine="none">/tmpfiles.d/fedora.conf</file>
+    </service>
+  </services>
+  <variables>
+    <family name="general">
+      <variable name="os_name" type="string" description="OS name" hidden="True">
+        <value>Fedora</value>
+      </variable>
+      <variable name="tls_ca_directory" type="filename" description="Directory where CA are stored" hidden="True">
+        <value>/etc/pki/ca-trust/source/anchors</value>
+      </variable>
+      <variable name="tls_cert_directory" type="filename" description="Directory where certificates are stored" hidden="True">
+        <value>/etc/pki/tls/certs</value>
+      </variable>
+      <variable name="tls_key_directory" type="filename" description="Directory where private keys are stored" hidden="True">
+        <value>/etc/pki/tls/private</value>
+      </variable>
+    </family>
+  </variables>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/base-fedora/manual/image/preinstall/base_fedora.sh b/seed/applicationservice/2022.03.08/base-fedora/manual/image/preinstall/base_fedora.sh
new file mode 100644
index 0000000..260e740
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-fedora/manual/image/preinstall/base_fedora.sh
@@ -0,0 +1,4 @@
+BASE_PKG="systemd systemd-networkd systemd-resolved fedora-release-container lsof strace"
+INSTALL_TOOL="dnf"
+OS_NAME='fedora'
+REPO_DIR="$IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/yum.repos.d/"
diff --git a/seed/applicationservice/2022.03.08/base-fedora/packer/image/preprocessors b/seed/applicationservice/2022.03.08/base-fedora/packer/image/preprocessors
new file mode 100755
index 0000000..2436388
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-fedora/packer/image/preprocessors
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -xe
+
+echo "Preprocessors"
+
+if [ ! -z $https_proxy ]; then
+    echo "echo 'export https_proxy=$https_proxy' > /tmp/proxy.sh" > scripts/00-proxy
+fi
+
+exit 0
diff --git a/seed/applicationservice/2022.03.08/base-fedora/packer/image/recipe.json b/seed/applicationservice/2022.03.08/base-fedora/packer/image/recipe.json
new file mode 100644
index 0000000..c8f1838
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-fedora/packer/image/recipe.json
@@ -0,0 +1,63 @@
+{
+  "builders": [
+    {
+      "format": "qcow2",
+      "headless": true,
+      "output_directory": "{{user `tmp_directory`}}/output",
+      "shutdown_command": "echo packer | sudo -S shutdown -P now",
+      "ssh_password": "qemubuild",
+      "ssh_username": "qemubuild",
+      "ssh_wait_timeout": "120m",
+      "type": "qemu",
+      "disk_interface": "virtio",
+      "vm_name": "image.img",
+      "qemuargs": [
+          ["-drive", "file=output/image.img,if=virtio,cache=writeback,discard=ignore,format=qcow2"],
+          ["-drive", "if=pflash,format=raw,readonly=on,file=/usr/share/OVMF/OVMF_CODE.fd"]
+      ],
+      "memory": "2048",
+      "vnc_bind_address": "0.0.0.0",
+      "disk_image": true,
+      "iso_checksum": "{{user `iso_checksum` }}",
+      "iso_url": "{{user `iso_url` }}",
+      "iso_checksum_type": "sha256"
+    }
+  ],
+  "provisioners": [
+    {
+      "type": "file",
+      "source": "{{user `tmp_directory`}}/scripts",
+      "destination": "/tmp/scripts"
+    },
+    {
+      "type": "shell",
+      "inline": [
+        "sudo chown root: /tmp/scripts/*",
+        "sudo chmod +x /tmp/scripts/*",
+        "sudo risotto-run-parts /tmp/scripts/"
+      ]
+   }
+  ],
+  "post-processors": [
+    {
+      "type": "shell-local",
+      "inline": [
+        "sleep 5",
+        "mkdir -p {{user `tmp_directory`}}/tmp",
+        "echo 'Syst Prep'",
+        "LIBGUESTFS_BACKEND=direct virt-sysprep --delete \"/var/*\" --delete \"/home/*\" -a {{user `tmp_directory`}}/output/image.img",
+        "echo 'Sparsify before shink'",
+        "LIBGUESTFS_BACKEND=direct virt-sparsify --check-tmpdir=ignore --tmp {{user `tmp_directory`}}/tmp/ {{user `tmp_directory`}}/output/image.img {{user `tmp_directory`}}/output/sparse.img",
+        "echo 'Shink'",
+        "guestfish add {{user `tmp_directory`}}/output/sparse.img : run : resize2fs-M /dev/sda2",
+        "truncate -s $(virt-df {{user `tmp_directory`}}/output/sparse.img --csv|tail -n +2|awk -F, '{x+=$3}END{print x + 16012}')K {{user `tmp_directory`}}/output/shrink.img",
+        "virt-resize --shrink /dev/sda2 {{user `tmp_directory`}}/output/sparse.img {{user `tmp_directory`}}/output/shrink.img",
+        "echo 'Sparsify and convert to qcow2'",
+        "LIBGUESTFS_BACKEND=direct virt-sparsify --check-tmpdir=ignore --tmp {{user `tmp_directory`}}/tmp/ --compress --convert qcow2 {{user `tmp_directory`}}/output/shrink.img {{user `tmp_directory`}}/image.img",
+        "echo 'SHASUM'",
+        "sha256sum {{user `tmp_directory`}}/image.img > {{user `tmp_directory`}}/image.sha256",
+        "rm -rf {{user `tmp_directory`}}/tmp {{user `tmp_directory`}}/output"
+      ]
+    }
+  ]
+}
diff --git a/seed/applicationservice/2022.03.08/base-fedora/packer/image/recipe.json.ext2 b/seed/applicationservice/2022.03.08/base-fedora/packer/image/recipe.json.ext2
new file mode 100644
index 0000000..e5c962a
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-fedora/packer/image/recipe.json.ext2
@@ -0,0 +1,63 @@
+{
+  "builders": [
+    {
+      "format": "qcow2",
+      "headless": true,
+      "output_directory": "{{user `tmp_directory`}}/output",
+      "shutdown_command": "echo packer | sudo -S shutdown -P now",
+      "ssh_password": "qemubuild",
+      "ssh_username": "qemubuild",
+      "ssh_wait_timeout": "120m",
+      "type": "qemu",
+      "disk_interface": "virtio",
+      "vm_name": "image.img",
+      "qemuargs": [
+          ["-drive", "file=output/image.img,if=virtio,cache=writeback,discard=ignore,format=qcow2"],
+          ["-drive", "if=pflash,format=raw,readonly=on,file=/usr/share/OVMF/OVMF_CODE.fd"]
+      ],
+      "memory": "2048",
+      "vnc_bind_address": "0.0.0.0",
+      "disk_image": true,
+      "iso_checksum": "{{user `iso_checksum` }}",
+      "iso_url": "{{user `iso_url` }}",
+      "iso_checksum_type": "sha256"
+    }
+  ],
+  "provisioners": [
+    {
+      "type": "file",
+      "source": "{{user `tmp_directory`}}/scripts",
+      "destination": "/tmp/scripts"
+    },
+    {
+      "type": "shell",
+      "inline": [
+        "sudo chown root: /tmp/scripts/*",
+        "sudo chmod +x /tmp/scripts/*",
+        "sudo risotto-run-parts /tmp/scripts/"
+      ]
+   }
+  ],
+  "post-processors": [
+    {
+      "type": "shell-local",
+      "inline": [
+        "sleep 5",
+        "mkdir -p {{user `tmp_directory`}}/tmp",
+        "echo 'Syst Prep'",
+        "LIBGUESTFS_BACKEND=direct virt-sysprep --delete \"/var/*\" --delete \"/home/*\" -a {{user `tmp_directory`}}/output/image.img",
+        "echo 'Sparsify before shink'",
+        "LIBGUESTFS_BACKEND=direct virt-sparsify --check-tmpdir=ignore --tmp {{user `tmp_directory`}}/tmp/ {{user `tmp_directory`}}/output/image.img {{user `tmp_directory`}}/output/sparse.img",
+        "echo 'Shink'",
+        "guestfish add {{user `tmp_directory`}}/output/sparse.img : run : resize2fs-M /dev/sda2",
+        "truncate -s $(virt-df {{user `tmp_directory`}}/output/sparse.img --csv|tail -n +2|awk -F, '{x+=$3}END{print x + 16384}')K {{user `tmp_directory`}}/output/shrink.img",
+        "virt-resize --shrink /dev/sda2 {{user `tmp_directory`}}/output/sparse.img {{user `tmp_directory`}}/output/shrink.img",
+        "echo 'Sparsify and convert to qcow2'",
+        "LIBGUESTFS_BACKEND=direct virt-sparsify --check-tmpdir=ignore --tmp {{user `tmp_directory`}}/tmp/ --compress --convert qcow2 {{user `tmp_directory`}}/output/shrink.img {{user `tmp_directory`}}/image.img",
+        "echo 'SHASUM'",
+        "sha256sum {{user `tmp_directory`}}/image.img > {{user `tmp_directory`}}/image.sha256",
+        "rm -rf {{user `tmp_directory`}}/tmp {{user `tmp_directory`}}/output"
+      ]
+    }
+  ]
+}
diff --git a/seed/applicationservice/2022.03.08/base-fedora/packer/image/scripts/10-update b/seed/applicationservice/2022.03.08/base-fedora/packer/image/scripts/10-update
new file mode 100644
index 0000000..b63561f
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-fedora/packer/image/scripts/10-update
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+set -xe
+
+[ -e /tmp/proxy.sh ] && . /tmp/proxy.sh
+microdnf update
+
+exit 0
diff --git a/seed/applicationservice/2022.03.08/base-fedora/packer/image/scripts/40-remove_microdnf b/seed/applicationservice/2022.03.08/base-fedora/packer/image/scripts/40-remove_microdnf
new file mode 100644
index 0000000..ec98084
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-fedora/packer/image/scripts/40-remove_microdnf
@@ -0,0 +1,9 @@
+#!/bin/bash
+set -xe
+
+microdnf clean all
+for package in microdnf libdnf libpeas libstdc++ gobject-introspection libsolv librepo libmodulemd file-libs zchunk-libs libyaml gpgme gnupg2 libassuan libksba libusbx npth; do
+    rpm -e $package || true
+done
+rm -rf /var/lib/dnf
+exit 0
diff --git a/seed/applicationservice/2022.03.08/base-fedora/packer/image/scripts/50-rpm_vaccum b/seed/applicationservice/2022.03.08/base-fedora/packer/image/scripts/50-rpm_vaccum
new file mode 100644
index 0000000..a3015ae
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-fedora/packer/image/scripts/50-rpm_vaccum
@@ -0,0 +1,29 @@
+#!/bin/bash
+set -xe
+
+rpm -qa | sort > /tmp/rpm.txt
+# try to remove this packages
+PKG=" rpm rpm-libs curl libcurl lua-libs libarchive sqlite-libs libnghttp2 libssh libbrotli libpsl publicsuffix-list-dafsa libxml2 libssh-config elfutils-libs dbus-broker "
+# exclude package
+PKG2=""
+while read -r a; do
+    pkg="$(echo "$a" | awk '{ print $1 }' | awk -F'(' '{ print $1 }')"
+    [ -n "$PKG2" ] && PKG2="$PKG2\n"
+    PKG2="$PKG2$pkg"
+done <<< "$( rpm --test -ev $PKG 2>&1 | grep -v ^'erreur' )"
+
+while read -r b; do
+    pkg=$(rpm -q $b --quiet && echo $b || rpm -qf $(find / -name $b -print -quit) --query --queryformat "%{NAME}\n";)
+    echo "Ne pas désinstaller $pkg"
+    PKG=${PKG// $pkg / }
+done <<< "$(echo -e $PKG2 | sort -u)"
+
+echo "Suppression de $PKG"
+rpm -e $PKG
+
+echo "Remove rpm database"
+rm -rf /var/lib/rpm/*
+rm -rf /usr/lib/rpm
+mv /tmp/rpm.txt /var/lib/rpm/rpm.txt
+
+exit 0
diff --git a/seed/applicationservice/2022.03.08/base-fedora/packer/image/scripts/60-tmpfiles b/seed/applicationservice/2022.03.08/base-fedora/packer/image/scripts/60-tmpfiles
new file mode 100644
index 0000000..5094043
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-fedora/packer/image/scripts/60-tmpfiles
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -xe
+
+rm -rf /etc/X11 /etc/firewalld /etc/pki/rpm-gpg /etc/yum.repos.d /etc/dconf
+make_volatile /etc
+#
+make_volatile /var/lib/rpm
+
+sed -i 's/ ro$/ ro systemd.volatile=yes selinux=1 net.ifnames=0/g' /boot/efi/loader/entries/fedora.conf
+exit 0
diff --git a/seed/applicationservice/2022.03.08/base-fedora/packer/image/scripts/70-locale b/seed/applicationservice/2022.03.08/base-fedora/packer/image/scripts/70-locale
new file mode 100644
index 0000000..d8cbf03
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-fedora/packer/image/scripts/70-locale
@@ -0,0 +1,15 @@
+#!/bin/bash
+
+set -xe
+
+find /usr/share/locale/ -mindepth 1 -maxdepth 1 ! -name fr ! -name fr_FR -exec rm -rf '{}' \;
+find /usr/lib/locale/ -mindepth 1 -maxdepth 1 ! -name fr_FR.utf8 ! -name C.utf8 -exec rm -rf '{}' \;
+find /usr/lib/kbd/keymaps/xkb/ -type f ! -name fr-oss.map.gz -delete
+find /usr/lib/kbd/consolefonts/ -type f ! -name eurlatgr.psfu.gz -delete
+rm -rf /usr/share/bash-completion
+rm -rf /usr/share/pkgconfig
+rm -rf /usr/share/licenses/
+rm -rf /usr/share/zsh
+rm -rf /usr/lib/.build-id
+rm -rf /usr/lib/debug
+exit 0
diff --git a/seed/applicationservice/2022.03.08/base-fedora/packer/image/scripts/80-log b/seed/applicationservice/2022.03.08/base-fedora/packer/image/scripts/80-log
new file mode 100644
index 0000000..be3836f
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-fedora/packer/image/scripts/80-log
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -xe
+
+rm -rf /var/cache/* /var/log/*
+
+exit 0
diff --git a/seed/applicationservice/2022.03.08/base-fedora/packer/image/scripts/90-initrd b/seed/applicationservice/2022.03.08/base-fedora/packer/image/scripts/90-initrd
new file mode 100644
index 0000000..8586e42
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-fedora/packer/image/scripts/90-initrd
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+set -xe
+
+KERNELVERSION=$(ls /lib/modules)
+if [ -f "/boot/efi/$KERNELVERSION/initrd.cdrom" ]; then
+    mv "/boot/efi/$KERNELVERSION/initrd.cdrom" "/boot/efi/$KERNELVERSION/initrd"
+fi
+
+exit 0
diff --git a/seed/applicationservice/2022.03.08/base-fedora/packer/image/scripts/99-reduce b/seed/applicationservice/2022.03.08/base-fedora/packer/image/scripts/99-reduce
new file mode 100644
index 0000000..2ba994b
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-fedora/packer/image/scripts/99-reduce
@@ -0,0 +1,11 @@
+#!/bin/bash
+
+set -ex
+#
+#duperemove -rd /
+#
+#for size in 1000000000 100000000 10000000 1000000 100000 10000 1000 100 10 1; do
+#    echo "========================= $size ========================="
+#    while btrfs filesystem resize -$size /; do :; done
+#done
+exit 0
diff --git a/seed/applicationservice/2022.03.08/base-fedora/packer/os/bin/make_volatile b/seed/applicationservice/2022.03.08/base-fedora/packer/os/bin/make_volatile
new file mode 100644
index 0000000..feae040
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-fedora/packer/os/bin/make_volatile
@@ -0,0 +1,63 @@
+#!/bin/bash
+set -e
+DESTDIR='/usr/lib/tmpfiles.d'
+CONF_DST='/usr/share/factory'
+EXCLUDES="^(/etc/passwd|/etc/group|/etc/.updated|/etc/.pwd.lock|/etc/pam.d|/etc/systemd/network/dhcp.network|/etc/sudoers.d/qemubuild)$"
+ONLY_COPY="^(/etc/localtime)$"
+FORCE_LINKS="^(/etc/udev/hwdb.bin)$"
+
+function file_dir_in_tmpfiles() {
+    letter=$1
+    directory=$2
+    mode=$(stat --format "%a" "$directory")
+    user=$(stat --format "%U" "$directory")
+    group=$(stat --format "%G" "$directory")
+    echo "$letter $directory $mode $user $group - -"
+}
+
+function calc_symlink_in_tmpfiles() {
+    dest_name=$1
+    src_file=$(readlink "$dest_name")
+    symlink_in_tmpfiles "$dest_name" "$src_file"
+}
+
+function symlink_in_tmpfiles() {
+    dest_name=$1
+    src_file=$2
+    echo "L+ $dest_name - - - - $src_file"
+}
+
+function main() {
+    dir_config_orig=$1
+
+    mkdir -p "$DESTDIR"
+    mkdir -p "$CONF_DST$dir_config_orig"
+    name="${dir_config_orig//\//-}"
+    systemd_conf="$DESTDIR/risotto$name.conf"
+    echo "" > $systemd_conf
+    while IFS= read -r -d '' src_file; do
+        dest_file="$CONF_DST$src_file"
+	echo $src_file
+        if [[ "$src_file" =~ $EXCLUDES ]]; then
+             echo "$src_file: exclude" >&2
+        elif [[ -L "$src_file" ]]; then
+            calc_symlink_in_tmpfiles "$src_file" >> $systemd_conf
+        elif [[ "$src_file" =~ $FORCE_LINKS ]]; then
+            symlink_in_tmpfiles "$src_file" "$dest_file" >> $systemd_conf
+        elif [[ -d "$src_file" ]]; then
+            file_dir_in_tmpfiles 'd' "$src_file" >> $systemd_conf
+            [[ ! -d "$dest_file" ]] && mkdir -p "$dest_file"
+            #echo "$src_file: directory ok"
+        else
+            if [[ ! "$src_file" =~ $ONLY_COPY ]]; then
+                file_dir_in_tmpfiles "C" "$src_file" >> $systemd_conf
+            fi
+            [[ -e "$dest_file" ]] && rm -f "$dest_file"
+            # not a symlink... an hardlink
+            ln "$src_file" "$dest_file"
+            #echo "$src_file: file ok"
+        fi
+    done <  <(find "$dir_config_orig" -print0)
+}
+main "$1"
+exit 0
diff --git a/seed/applicationservice/2022.03.08/base-fedora/packer/os/bin/risotto-run-parts b/seed/applicationservice/2022.03.08/base-fedora/packer/os/bin/risotto-run-parts
new file mode 100644
index 0000000..10a4bb0
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-fedora/packer/os/bin/risotto-run-parts
@@ -0,0 +1,24 @@
+#!/usr/bin/bash
+# run-parts - concept taken from Debian
+
+set +xe
+
+if [ $# -lt 1 ]; then
+	echo "Usage: risotto-run-parts <dir>"
+	exit 1
+fi
+
+if [ ! -d $1 ]; then
+	echo "Not a directory: $1"
+	exit 1
+fi
+
+# Ignore *~ and *, scripts
+for i in $(LC_ALL=C; echo ${1%/}/*[^~,]) ; do
+	[ -d $i ] && continue
+	[ ! -x $i ] && continue
+	echo "execute $i"
+	$i 2>&1
+done
+
+exit 0
diff --git a/seed/applicationservice/2022.03.08/base-fedora/packer/os/http/ks-34.cfg b/seed/applicationservice/2022.03.08/base-fedora/packer/os/http/ks-34.cfg
new file mode 100644
index 0000000..0090bf8
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-fedora/packer/os/http/ks-34.cfg
@@ -0,0 +1,169 @@
+# Keyboard layouts
+keyboard --xlayouts='fr (oss)'
+# System language
+lang fr_FR.UTF-8
+# Required settings
+rootpw qemubuild
+user --name=qemubuild --password=qemubuild --groups=wheel
+authconfig --enableshadow --enablemd5
+
+# System timezone
+timezone Europe/Paris --utc
+repo --name=fedora --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-$releasever&arch=$basearch
+repo --name=updates --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=updates-released-f$releasever&arch=$basearch
+url --mirrorlist=https://mirrors.fedoraproject.org/mirrorlist?repo=fedora-\$releasever&arch=\$basearch%%EXTRA_URL%%
+
+# Optional settings
+#bootloader --location=mbr
+bootloader --disabled
+clearpart --all --initlabel
+firstboot --enable
+#install
+network --bootproto=dhcp
+reboot
+selinux --enforcing
+#services --enabled=sshd,zram-swap,systemd-networkd,systemd-resolved
+services --enabled=sshd --disabled=systemd-vconsole-setup
+skipx
+text
+zerombr
+
+# Disk partition
+part / --fstype="ext2" --ondisk=vda --grow
+# btrfs : part btrfs.50 --fstype="btrfs" --ondisk=vda --grow
+part /boot/efi --fstype="efi" --ondisk=vda --size=30 --fsoptions="umask=0077,shortname=winnt"
+
+#btrfs none --label=fedora_fedora btrfs.50
+#btrfs / --subvol --name=root LABEL=fedora_fedora
+
+# Packages
+%packages --excludedocs --instLangs=fr --nocore --exclude-weakdeps
+#@core --nodefaults
+audit
+bash
+coreutils
+#dracut-config-generic
+# btrfs duperemove
+#glibc-langpack-fr
+kbd
+kernel-core
+microdnf
+openssh-server
+openssh-clients
+qemu-guest-agent
+systemd-networkd
+#rpm
+#shadow-utils
+screen
+sudo
+systemd
+#util-linux
+-zram
+#
+-kernel
+%end
+
+# Post
+%post
+
+# for microdnf
+touch /etc/dnf/dnf.conf
+
+# add qemubuild to sudo
+echo "qemubuild        ALL=(ALL)       NOPASSWD: ALL" >> /etc/sudoers.d/qemubuild
+
+# remove unecessary directories
+rm -rf /usr/share/doc
+rm -rf /usr/share/licenses
+#rm -rfv /usr/share/icons/*
+# remove some random help txt files
+rm -fv /usr/share/gnupg/help*.txt
+# Pruning random things
+rm usr/lib/rpm/rpm.daily
+#some random not-that-useful binaries
+rm -fv /usr/bin/pinky
+
+# if you want to change the timezone, bind-mount it from the host or reinstall tzdata
+localzone=$(readlink /etc/localtime)
+mv $localzone /tmp
+rm -rfv  /usr/share/zoneinfo
+mkdir -p $(dirname $localzone)
+mv /tmp/$(basename $localzone) $localzone
+
+# configure systemd-networkd
+echo """[Match]
+Name=*
+
+[Network]
+DHCP=yes""" > /etc/systemd/network/dhcp.network
+SYSTEMDDIR=/usr/lib/systemd/system
+MULTI=$SYSTEMDDIR/multi-user.target.wants
+ln -sf ../systemd-networkd.service $MULTI/systemd-networkd.service
+ln -sf ../systemd-resolved.service $MULTI/systemd-resolved.service
+
+# initramfs have to mount iso9660 partition
+# install bootload
+SYSDISK="/dev/vda2"
+MACHINEID=`cat /etc/machine-id`
+KERNELVERSION=`ls /lib/modules`
+DISK=`lsblk -n $SYSDISK -o uuid`
+mkdir /boot/$MACHINEID
+# btrfs : echo "root=UUID=$DISK ro rootflags=subvol=root" > /etc/kernel/cmdline
+echo "root=UUID=$DISK ro" > /etc/kernel/cmdline
+# add CDROM driver
+echo 'add_drivers+=" iso9660 "' > /etc/dracut.conf.d/cdrom.conf
+kernel-install add $KERNELVERSION /lib/modules/$KERNELVERSION/vmlinuz
+mv /boot/$MACHINEID/$KERNELVERSION /boot/efi
+# // ADD MOUNT INSTRUCTION IN INITRAMFS
+# build second initrd file that mount cdrom to /usr
+#echo 'add_fstab+=/tmp/fstab' >> /etc/dracut.conf.d/cdrom.conf
+#echo "/dev/sr0 /sysroot/usr/local/lib iso9660 ro,relatime,x-systemd.after=sysroot.mount,x-systemd.before=systemd-volatile-root.service 0 0" > /tmp/fstab
+#echo "/dev/sr0 /sysroot/usr/local/lib iso9660 ro,x-initrd.mount,nosuid,noexec,uid=0,gid=0,mode=400 0 0" > /tmp/fstab
+echo "[Unit]
+DefaultDependencies=no
+After=sysroot.mount
+Before=initrd-udevadm-cleanup-db.service
+#Before=systemd-volatile-root.service
+After=blockdev@dev-sr0.target
+
+[Service]
+Type=oneshot
+ExecStart=mount /dev/sr0 /sysroot/usr/local/lib -t iso9660 -o defaults,ro,nosuid,noexec,uid=0,gid=0,mode=400
+" > /usr/lib/systemd/system/sysroot-usr-local-lib.service
+
+# // VERSION .mount
+#[Mount]
+#Where=/sysroot/usr/local/lib
+#What=/dev/sr0
+#Type=iso9660
+#Options=defaults,ro,nosuid,noexec,uid=0,gid=0,mode=400" > /usr/lib/systemd/system/sysroot-usr-local-lib.mount
+mkdir -p /usr/lib/systemd/system/initrd-root-fs.target.requires
+cd /usr/lib/systemd/system/initrd-root-fs.target.requires
+#ln -sf ../sysroot-usr-local-lib.mount .
+ln -sf ../sysroot-usr-local-lib.service .
+#echo 'install_items+=" /usr/lib/systemd/system/sysroot-usr-local-lib.mount /usr/lib/systemd/system/initrd-root-fs.target.requires/sysroot-usr-local-lib.mount "' >> /etc/dracut.conf.d/cdrom.conf
+echo 'install_items+=" /usr/lib/systemd/system/sysroot-usr-local-lib.service /usr/lib/systemd/system/initrd-root-fs.target.requires/sysroot-usr-local-lib.service "' >> /etc/dracut.conf.d/cdrom.conf
+kernel-install add $KERNELVERSION /lib/modules/$KERNELVERSION/vmlinuz
+mv /boot/$MACHINEID/$KERNELVERSION/initrd /boot/efi/$KERNELVERSION/initrd.cdrom
+rm -f /etc/dracut.conf.d/cdrom.conf
+ // END INITRAMFS
+# rename entry file without machine ID
+mv /boot/loader/entries/$MACHINEID-$KERNELVERSION.conf /boot/loader/entries/fedora.conf
+sed -i "/^machine-id /d" /boot/loader/entries/fedora.conf
+sed -i "s@/boot/$MACHINEID/$KERNELVERSION/@/$KERNELVERSION/@g" /boot/loader/entries/fedora.conf
+# move it in EFI directory for systemd-boot
+mv /boot/loader /boot/efi
+# remove unused file
+rm -rf /lib/modules/$KERNELVERSION/vmlinuz /boot/initramfs* /boot/$MACHINEID
+# install systemd-boot
+bootctl install
+
+# remove authselect and dracut
+microdnf -y remove dracut xz acl authselect authselect-compat authselect-libs chrony cpio libkcapi-hmaccalc libkcapi linux-firmware linux-firmware-whence
+# remove python3
+microdnf -y remove python3 python3-libs python-pip-wheel python-setuptools-wheel gdbm-libs
+# remove langpacks fr
+microdnf -y remove langpacks-fr langpacks-core-fr langpacks-core-font-fr dejavu-sans-fonts fonts-filesystem
+rm -f /var/lib/systemd/random-seed
+rm -rfv /var/lib/authselect
+%end
diff --git a/seed/applicationservice/2022.03.08/base-fedora/packer/os/preprocessors b/seed/applicationservice/2022.03.08/base-fedora/packer/os/preprocessors
new file mode 100755
index 0000000..66a9da6
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-fedora/packer/os/preprocessors
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -xe
+
+echo "Preprocessors"
+
+if [ ! -z $https_proxy ]; then
+    sed -i "s@%%EXTRA_URL%%@ --proxy=$https_proxy@g" http/ks-34.cfg
+else
+    sed -i "s@%%EXTRA_URL%%@@g" http/ks-34.cfg
+fi
+
+exit 0
diff --git a/seed/applicationservice/2022.03.08/base-fedora/packer/os/recipe.json b/seed/applicationservice/2022.03.08/base-fedora/packer/os/recipe.json
new file mode 100644
index 0000000..03e6ac7
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-fedora/packer/os/recipe.json
@@ -0,0 +1,71 @@
+{
+  "builders": [
+    {
+      "format": "qcow2",
+      "headless": true,
+      "output_directory": "{{user `tmp_directory`}}/output",
+      "shutdown_command": "echo packer | sudo -S shutdown -P now",
+      "ssh_password": "qemubuild",
+      "ssh_username": "qemubuild",
+      "ssh_wait_timeout": "120m",
+      "type": "qemu",
+      "disk_interface": "virtio",
+      "vm_name": "image.img",
+      "qemuargs": [
+          ["-drive", "file=output/image.img,if=virtio,cache=writeback,discard=ignore,format=qcow2"],
+          ["-drive", "if=pflash,format=raw,readonly=on,file=/usr/share/OVMF/OVMF_CODE.fd"]
+      ],
+      "memory": "2048",
+      "vnc_bind_address": "0.0.0.0",
+      "boot_command": [
+        "<up>e<down><down><end> inst.text inst.gpt inst.ks=http://{{ .HTTPIP }}:{{ .HTTPPort }}/ks-34.cfg <leftCtrlOn>x<leftCtrlOff> <wait>"
+      ],
+      "disk_size": "4096",
+      "iso_checksum_type": "sha256",
+      "iso_checksum": "e1a38b9faa62f793ad4561b308c31f32876cfaaee94457a7a9108aaddaeec406",
+      "iso_url": "https://download.fedoraproject.org/pub/fedora/linux/releases/34/Server/x86_64/iso/Fedora-Server-netinst-x86_64-34-1.2.iso",
+      "http_directory": "{{user `tmp_directory`}}/http"
+    }
+  ],
+  "provisioners": [
+    {
+      "type": "file",
+      "source": "{{user `tmp_directory`}}/bin",
+      "destination": "/tmp/bin"
+    },
+    {
+      "type": "shell",
+      "inline": [
+        "sudo mv /tmp/bin/* /usr/local/bin",
+        "sudo chown root: /usr/local/bin/*",
+        "sudo chmod +x /usr/local/bin/*"
+      ]
+    },
+    {
+      "type": "file",
+      "source": "{{user `tmp_directory`}}/scripts",
+      "destination": "/tmp/scripts"
+    },
+    {
+      "type": "shell",
+      "inline": [
+        "sudo chown root: /tmp/scripts/*",
+        "sudo chmod +x /tmp/scripts/*",
+        "sudo risotto-run-parts /tmp/scripts/"
+      ]
+   }
+  ],
+  "post-processors": [
+    {
+      "type": "shell-local",
+      "inline": [
+        "sleep 5",
+        "mkdir -p {{user `tmp_directory`}}/tmp",
+        "LIBGUESTFS_BACKEND=direct virt-sysprep -a {{user `tmp_directory`}}/output/image.img",
+        "LIBGUESTFS_BACKEND=direct virt-sparsify --check-tmpdir=ignore --tmp {{user `tmp_directory`}}/tmp/ --compress {{user `tmp_directory`}}/output/image.img {{user `tmp_directory`}}/image.img",
+        "sha256sum {{user `tmp_directory`}}/image.img > {{user `tmp_directory`}}/image.sha256",
+        "rm -rf {{user `tmp_directory`}}/tmp {{user `tmp_directory`}}/output"
+      ]
+    }
+  ]
+}
diff --git a/seed/applicationservice/2022.03.08/base-fedora/packer/os/scripts/30-rpm_vaccum b/seed/applicationservice/2022.03.08/base-fedora/packer/os/scripts/30-rpm_vaccum
new file mode 100644
index 0000000..ff1d4f0
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-fedora/packer/os/scripts/30-rpm_vaccum
@@ -0,0 +1,7 @@
+#!/bin/bash
+set -xe
+
+echo VACUUM |sqlite3 /var/lib/rpm/rpmdb.sqlite
+
+exit 0
+
diff --git a/seed/applicationservice/2022.03.08/base-fedora/packer/os/scripts/40-locale b/seed/applicationservice/2022.03.08/base-fedora/packer/os/scripts/40-locale
new file mode 100644
index 0000000..85a7779
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-fedora/packer/os/scripts/40-locale
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+set -xe
+
+find /usr/share/locale/ -mindepth 1 -maxdepth 1 ! -name fr ! -name fr_FR -exec rm -rf '{}' \;
+find /usr/lib/locale/ -mindepth 1 -maxdepth 1 ! -name fr_FR.utf8 ! -name C.utf8 -exec rm -rf '{}' \;
+find /usr/share/terminfo -mindepth 1 -maxdepth 1 ! -name l ! -name d ! -name s -exec rm -rf '{}' \;
+find /usr/share/terminfo/s/screen -type f ! -name screen-256color -delete
+find /usr/lib/kbd/keymaps/xkb/ -type f ! -name fr-oss.map.gz -delete
+find /usr/lib/kbd/consolefonts/ -type f ! -name eurlatgr.psfu.gz -delete
+rm -rf /usr/lib/kbd/consoletrans
+rm -rf /usr/lib/kbd/unimaps
+rm -rf /usr/lib/kernel
+rm -rf /usr/lib/systemd/boot
+rm -rf /usr/share/bash-completion
+rm -rf /usr/share/pkgconfig
+rm -rf /usr/share/licenses/
+rm -rf /usr/lib/debug
+exit 0
diff --git a/seed/applicationservice/2022.03.08/base-fedora/templates/fedora.conf b/seed/applicationservice/2022.03.08/base-fedora/templates/fedora.conf
new file mode 100644
index 0000000..fbc43e8
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-fedora/templates/fedora.conf
@@ -0,0 +1,2 @@
+d /var/log/audit 755 root root - -
+d /var/log/journal 755 root systemd-journal - -
diff --git a/seed/applicationservice/2022.03.08/base-fedora/templates/update-ca-trust.service b/seed/applicationservice/2022.03.08/base-fedora/templates/update-ca-trust.service
new file mode 100644
index 0000000..ace2152
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-fedora/templates/update-ca-trust.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Update CA trust
+Before=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/update-ca-trust
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/seed/applicationservice/2022.03.08/base/applicationservice.yml b/seed/applicationservice/2022.03.08/base/applicationservice.yml
new file mode 100644
index 0000000..029925a
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base/applicationservice.yml
@@ -0,0 +1,2 @@
+format: '0.1'
+description: Information de base d'un serveur
diff --git a/seed/applicationservice/2022.03.08/base/dictionaries/00-base.xml b/seed/applicationservice/2022.03.08/base/dictionaries/00-base.xml
new file mode 100644
index 0000000..71039c3
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base/dictionaries/00-base.xml
@@ -0,0 +1,79 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rougail version="0.10">
+  <variables>
+    <family name='general' description="Général">
+      <variable name="zones_list" type="string" multi="True" description="Liste de toutes les zones" hidden="True"/>
+      <variable name="number_of_interfaces" type="number" description="Nombre d'interface disponible" hidden="True"/>
+      <variable name="interfaces_list" type="number" multi="True" description="Liste de toutes les interfaces" hidden="True"/>
+      <variable name="server_deployed" type="boolean" description="Le serveur est déployé" hidden="True">
+        <value>False</value>
+      </variable>
+    </family>
+    <family name="dns" description="DNS">
+      <variable name="dns_client_address" type="domainname" description="Nom de domaine du serveur SMTP"/>
+      <variable name="ip_dns" type="ip" description="The DNS server" hidden="True"/>
+    </family>
+    <family name="interface_" description="Interface " dynamic="interfaces_list">
+      <variable name="zone_name_eth" type="string" description="Zone name for interface " hidden="True"/>
+      <variable name="ip_eth" type="ip" description="Adresse IP pour l'interface " hidden="True" provider="ip"/>
+      <variable name="network_eth" type="network_cidr" description="The zone network for interface " hidden="True"/>
+      <variable name="gateway_eth" type="ip" description="The zone gateway for interface "/>
+      <variable name="domain_name_eth" type="domainname" description="Nom de domaine pour l'interface " mandatory="True" hidden="True"/>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="set_linked">
+      <param name="linked_server" type="variable">dns_client_address</param>
+      <param name="linked_provider">dns</param>
+      <param name="linked_value" type="variable">ip_eth0</param>
+      <param name="linked_returns">ip</param>
+      <target>ip_dns</target>
+    </fill>
+    <fill name="get_number_of_interfaces">
+      <param type="information">zones_name</param>
+      <target>number_of_interfaces</target>
+    </fill>
+    <fill name="calc_value">
+      <param type="information">zones_name</param>
+      <target>zones_list</target>
+    </fill>
+    <fill name="get_range">
+      <param type="variable">number_of_interfaces</param>
+      <target>interfaces_list</target>
+    </fill>
+    <fill name="get_ip">
+      <param name="server_name" type="information">server_name</param>
+      <param name="zones_name" type="information">zones_name</param>
+      <param name="index" type="suffix"/>
+      <target>ip_eth</target>
+    </fill>
+    <!-- Return "server_name" only for domain_name_eth0 -->
+    <fill name="get_domain_name">
+      <param type="information">server_name</param>
+      <param type="information">extra_domainnames</param>
+      <param type="suffix"/>
+      <target>domain_name_eth</target>
+    </fill>
+    <fill name="get_zone_name">
+      <param type="information">zones_name</param>
+      <param name="index" type="suffix"/>
+      <target>zone_name_eth</target>
+    </fill>
+    <fill name="zone_information">
+      <param type="variable">zone_name_eth</param>
+      <param>network</param>
+      <target>network_eth</target>
+    </fill>
+    <fill name="zone_information">
+      <param type="variable">zone_name_eth</param>
+      <param>gateway</param>
+      <param name="index" type="suffix"/>
+      <target>gateway_eth</target>
+    </fill>
+    <check name="valid_entier">
+      <param name="mini" type="number">1</param>
+      <target>number_of_interfaces</target>
+    </check>
+  </constraints>
+</rougail>
+
diff --git a/seed/applicationservice/2022.03.08/base/extras/machine/00_base.xml b/seed/applicationservice/2022.03.08/base/extras/machine/00_base.xml
new file mode 100644
index 0000000..5f58ffd
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base/extras/machine/00_base.xml
@@ -0,0 +1,14 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rougail version="0.10">
+    <variables>
+        <variable name='name' description="Machine name" type="domainname" hidden="True"/>
+        <variable name='data_disk_size' description="Data disk size" type="number"/>
+    </variables>
+    <constraints>
+        <fill name="calc_value">
+            <param type="variable">domain_name_eth0</param>
+            <target>machine.name</target>
+        </fill>
+    </constraints>
+</rougail>
+
diff --git a/seed/applicationservice/2022.03.08/base/funcs/funcs.py b/seed/applicationservice/2022.03.08/base/funcs/funcs.py
new file mode 100644
index 0000000..6b32c0f
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base/funcs/funcs.py
@@ -0,0 +1,95 @@
+import __main__
+from secrets import token_urlsafe as _token_urlsafe, token_hex as _token_hex
+from string import ascii_letters as _ascii_letters
+from random import choice as _choice
+from os.path import dirname as _dirname, abspath as _abspath, join as _join, isfile as _isfile, isdir as _isdir
+from os import makedirs as _makedirs
+
+
+HERE = _dirname(_abspath(__main__.__file__))
+PASSWORD_DIR = _join(HERE, 'password')
+
+
+def get_password(server_name: str, 
+                 username: str,
+                 description: str,
+                 type: str,
+                 length: int=20,
+                 temporary: bool=True,
+                 ) -> str:
+    if type != 'cleartext':
+        raise Exception('only cleartext is supported')
+    def gen_password():
+        return _token_urlsafe(length)[:length]
+    return _set_password(server_name,
+                         username,
+                         description,
+                         gen_password,
+                         temporary,
+                         )
+
+
+def get_password_alpha_num(server_name,
+                           username: str,
+                           description: str,
+                           length,
+                           starts_with_char=False,
+                           ):
+    def gen_password():
+        password = _token_hex()
+        if starts_with_char:
+            password = _choice(_ascii_letters) + password
+        return password[:length]
+    return _set_password(server_name,
+                         username,
+                         description,
+                         gen_password,
+                         True,
+                         )
+
+
+def _set_password(server_name: str, 
+                  username: str,
+                  description: str,
+                  gen_password,
+                  temporary,
+                  ) -> str:
+    if not server_name or not username:
+        return
+    dir_name = _join('password', server_name, description)
+    if not _isdir(dir_name):
+        _makedirs(dir_name)
+    file_name = _join(dir_name, username)
+    if not _isfile(file_name):
+        password = gen_password()
+        with open(file_name, 'w') as fh:
+            fh.write(password)
+    with open(file_name, 'r') as fh:
+        return fh.read().strip()
+
+
+def get_range(stop):
+    return list(range(stop))
+
+
+def get_number_of_interfaces(zones):
+    if zones is None:
+        return 1
+    return len(zones)
+
+
+def get_zone_name(zones: list,
+                  index: str,
+                  ):
+    if zones is not None:
+        return zones[int(index)]
+
+
+def get_domain_name(server_name: str,
+                    extra_domainnames: list,
+                    suffix: str,
+                    ) -> str:
+    index = int(suffix)
+    if index == 0:
+        return server_name
+    return extra_domainnames[index - 1]
diff --git a/seed/applicationservice/2022.03.08/base/manual/install/config.sh b/seed/applicationservice/2022.03.08/base/manual/install/config.sh
new file mode 100644
index 0000000..9ba3364
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base/manual/install/config.sh
@@ -0,0 +1,11 @@
+# root dir configuration
+RISOTTO_DIR="/var/lib/risotto"
+RISOTTO_IMAGE_DIR="$RISOTTO_DIR/images"
+RISOTTO_SRV_DIR="$RISOTTO_DIR/srv"
+RISOTTO_CONFIG_DIR="$RISOTTO_DIR/configurations"
+MACHINES_DIR="/var/lib/machines"
+# image configuration
+IMAGE_BASE_RISOTTO_BASE_DIR="$RISOTTO_IMAGE_DIR/image_bases"
+IMAGE_NAME_RISOTTO_IMAGE_DIR="$RISOTTO_IMAGE_DIR/$IMAGE_NAME"
+IMAGE_NAME_RISOTTO_IMAGE_NAME="$RISOTTO_IMAGE_DIR/$IMAGE_NAME".tar
+IMAGE_NAME_MACHINE_LOCK="$MACHINES_DIR/.#$IMAGE_NAME.lck"
diff --git a/seed/applicationservice/2022.03.08/base/manual/install/config_machine.sh b/seed/applicationservice/2022.03.08/base/manual/install/config_machine.sh
new file mode 100644
index 0000000..f2991e9
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base/manual/install/config_machine.sh
@@ -0,0 +1,14 @@
+# machine configuration
+MACHINE_RISOTTO_SRV_DIR_LOCAL="srv/$MACHINE"
+MACHINE_RISOTTO_SRV_DIR="$RISOTTO_SRV_DIR/$MACHINE"
+MACHINE_RISOTTO_CONFIG_DIR_LOCAL="$IMAGE_NAME/configurations/$MACHINE"
+MACHINE_RISOTTO_CONFIG_DIR="$RISOTTO_CONFIG_DIR/$MACHINE"
+MACHINE_MACHINES_DIR="$MACHINES_DIR/$MACHINE"
+HOST_DIR="host/configurations/$HOST_NAME"
+MACHINE_NAME_NSPAWN="/etc/systemd/nspawn/$MACHINE.nspawn"
+MACHINE_NAME_NSPAWN_LOCAL="$HOST_DIR$MACHINE_NAME_NSPAWN"
+MACHINE_NAME_SCRIPT="/usr/local/lib/sbin/network-$MACHINE"
+MACHINE_NAME_SCRIPT_LOCAL="$HOST_DIR$MACHINE_NAME_SCRIPT"
+#MACHINE_MACHINE_LOCK="$MACHINES_DIR/.#$MACHINE.lck"
+SHA_MACHINE_DIR="$RISOTTO_CONFIG_DIR/sha"
+SHA_MACHINE="$SHA_MACHINE_DIR/$MACHINE".sha
diff --git a/seed/applicationservice/2022.03.08/base/manual/install/diff.py b/seed/applicationservice/2022.03.08/base/manual/install/diff.py
new file mode 100755
index 0000000..7411444
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base/manual/install/diff.py
@@ -0,0 +1,53 @@
+#!/usr/bin/env python3
+
+
+from os.path import join
+from filecmp import dircmp
+from difflib import unified_diff
+from sys import stdout, argv
+from datetime import datetime, timezone
+
+
+os_name = argv[1]
+OLD_DIR = argv[2]
+NEW_DIR = argv[3]
+FILES = []
+def diff_files(dcmp):
+    for name in dcmp.diff_files:
+        FILES.append(join(dcmp.right[len(NEW_DIR):], name))
+    for sub_dcmp in dcmp.subdirs.values():
+        diff_files(sub_dcmp)
+
+
+dcmp = dircmp(OLD_DIR, NEW_DIR)
+diff_files(dcmp) 
+
+date = datetime.now(timezone.utc).isoformat()
+title = f"Nouvelle version de la configuration de {os_name}"
+subtitle = f"Différence entre les fichiers de configuration de {os_name}"
+print(f"""+++
+title = "{title}"
+description = "{subtitle}"
+date = {date}
+updated = {date}
+draft = false
+template = "blog/page.html"
+
+[taxonomies]
+authors = ["Automate"]
+
+[extra]
+lead = "{subtitle}."
+type = "installe"
++++
+""")
+for filename in FILES:
+    with open(join(OLD_DIR, filename[1:]), 'r') as ori:
+        ori_content = ori.readlines()
+    with open(join(NEW_DIR, filename[1:]), 'r') as new:
+        new_content = new.readlines()
+    print(f'- mise à jour du fichier {filename} :\n')
+    print('```diff')
+    for line in unified_diff(ori_content, new_content, fromfile=filename, tofile=filename):
+        print(line.rstrip())
+    print('```')
diff --git a/seed/applicationservice/2022.03.08/base/manual/install/install_host b/seed/applicationservice/2022.03.08/base/manual/install/install_host
new file mode 100755
index 0000000..99bf603
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base/manual/install/install_host
@@ -0,0 +1,27 @@
+#!/bin/bash -xe
+
+HOST_NAME=$1
+if [ -z "$HOST_NAME" ]; then
+    echo "usage: $0 host name"
+    exit 1
+fi
+apt install --yes systemd-container dnf jq debootstrap htop
+systemd-tmpfiles --create --clean --remove $PWD/host/configurations/$HOST_NAME/tmpfiles.d/0asystemd-nspawn.conf
+systemd-tmpfiles --create --clean --remove $PWD/host/configurations/$HOST_NAME/tmpfiles.d/0rougail.conf
+systemctl daemon-reload
+systemctl restart systemd-sysctl.service
+systemctl enable systemd-networkd
+systemctl restart systemd-networkd
+systemctl enable systemd-resolved
+systemctl restart systemd-resolved
+# systemctl mask dev-hugepages.mount
+
+#nft add table nat
+#nft flush table nat;
+#nft 'add chain nat prerouting { type nat hook prerouting priority -100; }'
+#nft 'add rule nat prerouting iif enp0s3 tcp dport { 80, 443 } dnat to 192.168.45.12'
+#nft 'add chain nat postrouting { type nat hook postrouting priority -100; }'
+#nft 'add rule nat postrouting ip saddr 192.168.45.10 oif enp0s8 tcp dport 53 snat to 10.0.3.15'
+#nft 'add rule nat postrouting ip saddr 192.168.45.10 oif enp0s8 udp dport 53 snat to 10.0.3.15'
+
+exit 0
diff --git a/seed/applicationservice/2022.03.08/base/manual/install/install_image b/seed/applicationservice/2022.03.08/base/manual/install/install_image
new file mode 100755
index 0000000..b63231c
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base/manual/install/install_image
@@ -0,0 +1,161 @@
+#!/bin/bash -xe
+
+HOST_NAME=$1
+IMAGE_NAME=$2
+
+if [ -z "$IMAGE_NAME" ]; then
+    echo "PAS DE NOM DE MODULE"
+    exit 1
+fi
+
+. config.sh
+
+rm -rf "$IMAGE_NAME_RISOTTO_IMAGE_DIR" tmp
+mkdir -p "$RISOTTO_IMAGE_DIR"
+PKG=""
+BASE_DIR=""
+for script in $(ls $IMAGE_NAME/preinstall/*.sh 2> /dev/null); do
+    . "$script"
+done
+
+if [ -z "$OS_NAME" ]; then
+    echo "NO OS NAME DEFINED"
+    exit 0
+fi
+if [ -z "$RELEASEVER" ]; then
+    echo "NO RELEASEVER DEFINED"
+    exit 0
+fi
+if [ -z "$INSTALL_TOOL" ]; then
+    echo "NO INSTALL TOOL DEFINED"
+    exit 0
+fi
+BASE_NAME="$OS_NAME-$RELEASEVER"
+BASE_DIR="$IMAGE_BASE_RISOTTO_BASE_DIR/$BASE_NAME"
+BASE_TAR="$IMAGE_BASE_RISOTTO_BASE_DIR-$BASE_NAME".tar
+BASE_PKGS_FILE="$IMAGE_BASE_RISOTTO_BASE_DIR-$BASE_NAME.pkgs"
+BASE_LOCK="$IMAGE_BASE_RISOTTO_BASE_DIR-$BASE_NAME.build"
+
+function dnf_opt() {
+    INSTALL_DIR=$1
+    INSTALL_PKG=$2
+    echo "--setopt=install_weak_deps=False --nodocs --noplugins --installroot=$INSTALL_DIR --releasever $RELEASEVER install $INSTALL_PKG"
+}
+function new_package_base() {
+    if [ "$INSTALL_TOOL" = "dnf" ]; then
+        OPT=$(dnf_opt "$BASE_DIR" "$BASE_PKG")
+        dnf --assumeno $OPT | grep ^" " > "$BASE_PKGS_FILE".new
+    else
+        debootstrap --include="$BASE_PKG" --variant=minbase "$RELEASEVER" "$BASE_DIR"
+        chroot "$BASE_DIR" dpkg-query -f '${binary:Package} ${source:Version}\n' -W > "$BASE_PKGS_FILE".new
+    fi
+}
+function install_base() {
+    if [ "$INSTALL_TOOL" = "dnf" ]; then
+        OPT=$(dnf_opt "$BASE_DIR" "$BASE_PKG")
+        dnf --assumeyes $OPT
+    fi
+}
+function new_package() {
+    if [ "$INSTALL_TOOL" = "dnf" ]; then
+        OPT=$(dnf_opt "$IMAGE_NAME_RISOTTO_IMAGE_DIR" "$PKG")
+        dnf --assumeno $OPT | grep ^" " > "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new
+    else
+        chroot "$IMAGE_NAME_RISOTTO_IMAGE_DIR" apt install --no-install-recommends --yes $PKG -s 2>/dev/null|grep ^"Inst " > "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new
+    fi
+}
+function install_pkg() {
+    if [ "$INSTALL_TOOL" = "dnf" ]; then
+        OPT=$(dnf_opt "$IMAGE_NAME_RISOTTO_IMAGE_DIR" "$PKG")
+        dnf --assumeyes $OPT
+    else
+        chroot "$IMAGE_NAME_RISOTTO_IMAGE_DIR" apt install --no-install-recommends --yes $PKG
+    fi
+}
+
+
+if [ ! -f "$BASE_LOCK" ]; then
+    rm -rf "$BASE_DIR"
+    new_package_base
+    diff -u "$BASE_PKGS_FILE" "$BASE_PKGS_FILE".new && NEW_BASE=false || NEW_BASE=true
+    if [ ! -f "$BASE_TAR" ] || [ "$NEW_BASE" = true ]; then
+        mkdir -p "$IMAGE_BASE_RISOTTO_BASE_DIR"
+        install_base
+        cd "$IMAGE_BASE_RISOTTO_BASE_DIR"
+        tar cf "$BASE_TAR" "$BASE_NAME"
+        cd -
+        if [ -f "$BASE_PKGS_FILE" ]; then
+            mv "$BASE_PKGS_FILE" "$BASE_PKGS_FILE".old
+        fi
+        mv "$BASE_PKGS_FILE".new "$BASE_PKGS_FILE"
+        rm -rf "$IMAGE_BASE_RISOTTO_BASE_DIR"
+    fi
+    rm -rf "$BASE_DIR"
+    touch "$BASE_LOCK"
+fi
+
+tar xf "$BASE_TAR"
+mv "$BASE_NAME" "$IMAGE_NAME_RISOTTO_IMAGE_DIR"
+if [ -n "$COPR" ]; then
+    #FIXME signature...
+    mkdir -p "$REPO_DIR"
+    cd "$REPO_DIR"
+    wget "$COPR"
+    cd -
+fi
+
+# FIXME verifier s'il y a des modifs sur pre/post
+if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs ] && [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs ]; then
+    echo "Différence(s) avec les paquets de base"
+    diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs "$BASE_PKGS_FILE" && NEW_BASE=false || NEW_BASE=true
+else
+    NEW_BASE=true
+fi
+new_package
+if [ "$NEW_BASE" = false ]; then
+    echo "Différence(s) avec les paquets de l'image"
+    diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new && INSTALL=false || INSTALL=true
+else
+    INSTALL=true
+fi
+if [ "$INSTALL" = true ]; then
+    if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version ]; then
+        VERSION=$(cat "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version)
+    else
+        VERSION=0
+    fi
+    mkdir tmp
+    cd tmp
+    if [ ! "$VERSION" = 0 ]; then
+        tar xf "$IMAGE_NAME_RISOTTO_IMAGE_NAME"
+    fi
+    ../make_changelog "$IMAGE_NAME" "$VERSION" "$OS_NAME" "$RELEASEVER" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER"_"$VERSION"_changelog.md
+    cd -
+    rm -rf tmp
+    install_pkg
+    sleep 2
+    
+    for script in $(ls $IMAGE_NAME/postinstall/*.sh 2> /dev/null); do
+        . "$script"
+    done
+    
+    CONTAINER=$IMAGE_NAME ./make_volatile /etc
+    if [ ! "$?" = 0 ]; then
+        echo "make_volatile failed"
+        exit 1
+    fi
+    cd "$RISOTTO_IMAGE_DIR"
+    #7zr a "$IMAGE_NAME".7z "$IMAGE_NAME"
+    if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_NAME" ]; then
+        mv -f "$IMAGE_NAME_RISOTTO_IMAGE_NAME" "$IMAGE_NAME_RISOTTO_IMAGE_NAME".old
+    fi
+    tar cf "$IMAGE_NAME_RISOTTO_IMAGE_NAME" "$IMAGE_NAME"
+    sha256sum "$IMAGE_NAME_RISOTTO_IMAGE_NAME" > "$IMAGE_NAME_RISOTTO_IMAGE_NAME".sha
+    cd -
+    cp -f "$BASE_PKGS_FILE" "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs
+    mv -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs
+    VERSION=$((VERSION + 1)) 
+    echo "$VERSION" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version
+fi
+rm -rf "$IMAGE_NAME_RISOTTO_IMAGE_DIR"
+exit 0
diff --git a/seed/applicationservice/2022.03.08/base/manual/install/install_images b/seed/applicationservice/2022.03.08/base/manual/install/install_images
new file mode 100755
index 0000000..31df9cd
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base/manual/install/install_images
@@ -0,0 +1,15 @@
+#!/bin/bash -xe
+HOST_NAME=$1
+if [ -z "$HOST_NAME" ]; then
+    echo "usage: $0 host name"
+    exit 1
+fi
+. config.sh
+rm -f $IMAGE_BASE_RISOTTO_BASE_DIR*.build
+for image in *; do
+    if [ -d "$image" ]; then
+        ./install_image "$HOST_NAME" "$image"
+    fi
+done
+rm -f $IMAGE_BASE_RISOTTO_BASE_DIR*.build
+exit 0
diff --git a/seed/applicationservice/2022.03.08/base/manual/install/install_machine b/seed/applicationservice/2022.03.08/base/manual/install/install_machine
new file mode 100755
index 0000000..708641e
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base/manual/install/install_machine
@@ -0,0 +1,51 @@
+#!/bin/bash -xe
+HOST_NAME=$1
+IMAGE_NAME=$2
+MACHINE=$3
+. config.sh
+. config_machine.sh
+if [ -z "$MACHINE" ]; then
+    echo "usage: $0 name pkg dns_name"
+    exit 1
+fi
+if [ ! -f "$MACHINE_NAME_NSPAWN_LOCAL" ]; then
+    echo "PAS DE CONFIG NSPAWN $MACHINE_NAME_NSPAWN_LOCAL"
+    exit 0
+fi
+
+if [ ! -f "$IMAGE_NAME_RISOTTO_IMAGE_NAME" ]; then
+    echo "PAS D'IMAGE $IMAGE_NAME_RISOTTO_IMAGE_NAME"
+    exit 1
+fi
+if [ -L "$MACHINE_MACHINES_DIR" ] || [ -d "$MACHINE_MACHINES_DIR" ]; then
+    machinectl stop "$MACHINE" 2> /dev/null || true
+    while true; do
+        machinectl status "$MACHINE" > /dev/null 2>&1 || break
+        sleep 1
+        echo "retry..."
+    done
+    diff -q "$IMAGE_NAME_RISOTTO_IMAGE_NAME".sha "$SHA_MACHINE" || rm -rf "$MACHINE_MACHINES_DIR"
+fi
+if [ -d "$MACHINE_RISOTTO_CONFIG_DIR" ]; then
+    # fait un diff
+    diff -q --no-dereference -Nru "$MACHINE_RISOTTO_CONFIG_DIR" "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" || ( ./diff.py "$MACHINE" "$MACHINE_RISOTTO_CONFIG_DIR" "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" > "$MACHINE_RISOTTO_CONFIG_DIR"_changelog.md; rm -rf "$MACHINE_RISOTTO_CONFIG_DIR" )
+fi
+
+cp -a "$MACHINE_NAME_NSPAWN_LOCAL" "$MACHINE_NAME_NSPAWN"
+cp -a "$MACHINE_NAME_SCRIPT_LOCAL" "$MACHINE_NAME_SCRIPT"
+if [ ! -d "$MACHINE_RISOTTO_CONFIG_DIR" ]; then
+    cp -a "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" "$MACHINE_RISOTTO_CONFIG_DIR"
+fi
+if [ ! -d "$MACHINE_RISOTTO_SRV_DIR" ] && [ -d "$MACHINE_RISOTTO_SRV_DIR_LOCAL" ]; then
+    mkdir -p "$MACHINE_RISOTTO_SRV_DIR"
+fi
+if [ ! -d "$MACHINE_MACHINES_DIR" ]; then
+    cd "$MACHINES_DIR"
+    tar xf "$IMAGE_NAME_RISOTTO_IMAGE_NAME"
+    mkdir -p "$SHA_MACHINE_DIR"
+    cp -a "$IMAGE_NAME_RISOTTO_IMAGE_NAME".sha "$SHA_MACHINE"
+    mv "$IMAGE_NAME" "$MACHINE_MACHINES_DIR"
+    cd -
+fi
+
+exit 0
diff --git a/seed/applicationservice/2022.03.08/base/manual/install/install_machines b/seed/applicationservice/2022.03.08/base/manual/install/install_machines
new file mode 100755
index 0000000..70e5f0d
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base/manual/install/install_machines
@@ -0,0 +1,25 @@
+#!/bin/bash -xe
+HOST_NAME=$1
+if [ -z "$HOST_NAME" ]; then
+    echo "usage: $0 host name"
+    exit 1
+fi
+
+MACHINES=""
+for image in *; do
+    if [ -d "$image" ]; then
+        for os in $image/configurations/*; do
+            if [ -d "$os" ]; then
+                osname="$(basename $os)"
+                if [ -f "host/configurations/$HOST_NAME/etc/systemd/nspawn/$osname.nspawn" ]; then
+                    MACHINES="$MACHINES$osname "
+                fi
+                ./install_machine "$HOST_NAME" "$image" "$osname"
+            fi
+        done
+    fi
+done
+machinectl enable $MACHINES
+machinectl start $MACHINES
+
+exit 0
diff --git a/seed/applicationservice/2022.03.08/base/manual/install/make_changelog b/seed/applicationservice/2022.03.08/base/manual/install/make_changelog
new file mode 100755
index 0000000..fcc0967
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base/manual/install/make_changelog
@@ -0,0 +1,178 @@
+#!/usr/bin/env python3
+
+
+import logging
+from dnf.conf import Conf
+from dnf.cli.cli import BaseCli, Cli
+from dnf.cli.output import Output
+from dnf.cli.option_parser import OptionParser
+from dnf.i18n import _, ucd
+from datetime import datetime, timezone
+from sys import argv
+from os import getcwd, unlink
+from os.path import isfile, join
+from glob import glob
+from subprocess import run
+
+
+# List new or removed file
+def read_dnf_pkg_file(os_name, filename1, filename2):
+    if os_name == 'debian':
+        idx_pkg = 0, 1
+        idx_version = 1, 2
+        header_idx = 0, 0
+    else:
+        idx_pkg = 0, 0
+        idx_version = 2, 2
+        header_idx = 2, 2
+        pass
+    pkgs = {}
+    for fidx, filename in enumerate((filename1, filename2)):
+        if not isfile(filename):
+            continue
+        with open(filename, 'r') as pkgs_fh:
+            for idx, pkg_line in enumerate(pkgs_fh.readlines()):
+                if idx < header_idx[fidx]:
+                    # header
+                    print("béééé")
+                    continue
+                sp_line = pkg_line.strip().split()
+                if len(sp_line) < idx_version[fidx] + 1:
+                    continue
+                if sp_line[idx_pkg[fidx]] in pkgs:
+                    raise Exception(f'package already set {sp_line[0]}?')
+                version = sp_line[idx_version[fidx]]
+                if os_name == 'debian' and version.startswith('('):
+                    version = version[1:]
+                pkgs[sp_line[idx_pkg[fidx]]] = version
+    return pkgs
+
+
+def list_packages(title, packages, packages_info):
+    print(f'# {title}\n')
+    if not packages:
+        print('*Aucun*')
+    packages = list(packages)
+    packages = sorted(packages)
+    for idx, pkg in enumerate(packages):
+        print(f' - {pkg} ({packages_info[pkg]})')
+    print()
+
+
+# List updated packages
+class CustomOutput(Output):
+    def listPkgs(self, *args, **kwargs):
+        # do not display list
+        pass
+
+
+def format_changelog_markdown(changelog):
+    """Return changelog formatted as in spec file"""
+    text = '\n'.join([f'    {line}' for line in changelog['text'].split('\n')])
+    chlog_str = '  - %s %s\n\n%s\n' % (
+        changelog['timestamp'].strftime("%a %b %d %X %Y"),
+        ucd(changelog['author']),
+        ucd(text))
+    return chlog_str
+
+
+def print_changelogs_markdown(packages):
+    # group packages by src.rpm to avoid showing duplicate changelogs
+    self = BASE
+    bysrpm = dict()
+    for p in packages:
+        # there are packages without source_name, use name then.
+        bysrpm.setdefault(p.source_name or p.name, []).append(p)
+    for source_name in sorted(bysrpm.keys()):
+        bin_packages = bysrpm[source_name]
+        print('- ' + _("Changelogs for {}").format(', '.join([str(pkg) for pkg in bin_packages])))
+        print()
+        for chl in self.latest_changelogs(bin_packages[0]):
+            print(format_changelog_markdown(chl))
+
+
+def dnf_update(image_name):
+    conf = Conf()
+    # obsoletes are already listed
+    conf.obsoletes = False
+    with BaseCli(conf) as base:
+        global BASE
+        BASE = base
+        base.print_changelogs = print_changelogs_markdown
+        custom_output = CustomOutput(base.output.base, base.output.conf)
+        base.output = custom_output
+        cli = Cli(base)
+        image_dir = join(getcwd(), image_name)
+        cli.configure(['--setopt=install_weak_deps=False', '--nodocs', '--noplugins', '--installroot=' + image_dir, '--releasever', '35', 'check-update', '--changelog'], OptionParser())
+        logger = logging.getLogger("dnf")
+        for h in logger.handlers:
+            logger.removeHandler(h)
+        logger.addHandler(logging.NullHandler())
+        cli.run()
+
+
+def main(os_name, image_name, old_version, releasever):
+    date = datetime.now(timezone.utc).isoformat()
+    if old_version == 0:
+        title = f"Création de l'image {image_name}"
+        subtitle = f"Les paquets de la première image {image_name} sur base Fedora {releasever}"
+    else:
+        title = f"Nouvelle version de l'image {image_name}"
+        subtitle = f"Différence des paquets de l'image {image_name} sur base Fedora {releasever} entre la version {old_version} et {old_version + 1}"
+    print(f"""+++
+title = "{title}"
+description = "{subtitle}"
+date = {date}
+updated = {date}
+draft = false
+template = "blog/page.html"
+
+[taxonomies]
+authors = ["Automate"]
+
+[extra]
+lead = "{subtitle}."
+type = "installe"
++++
+""")
+    new_dict = read_dnf_pkg_file(os_name, f'/var/lib/risotto/images/image_bases-{os_name}-{releasever}.pkgs', f'/var/lib/risotto/images/{image_name}.pkgs.new')
+    new_pkg = new_dict.keys()
+    old_file = f'/var/lib/risotto/images/{image_name}.pkgs'
+    if not old_version or not isfile(old_file):
+        list_packages('Liste des paquets', new_pkg, new_dict)
+    else:
+        ori_dict = read_dnf_pkg_file(os_name, f'/var/lib/risotto/images/{image_name}.base.pkgs', old_file)
+        ori_pkg = ori_dict.keys()
+        list_packages('Les paquets supprimés', ori_pkg - new_pkg, ori_dict)
+        list_packages('Les paquets ajoutés', new_pkg - ori_pkg, new_dict)
+        print('# Les paquets mises à jour\n')
+        if os_name == 'fedora':
+            dnf_update(image_name)
+        else:
+            for filename in glob('*.deb'):
+                unlink(filename)
+            for package in ori_pkg & new_dict:
+                if ori_dict[package] == new_dict[package]:
+                    continue
+                run(['apt', 'download', package])
+            packages = list(glob('*.deb'))
+            packages.sort()
+            for package in packages:
+                info = run(['apt-listchanges', '--which', 'both', '-f', 'text', package], capture_output=True)
+                header = True
+                for line in info.split('\n'):
+                    if not header:
+                        print(line)
+                    if line.startswith('-----------------------'):
+                        header = False
+                print()
+                unlink(package)
+
+
+
+if __name__ == "__main__":
+    image_name = argv[1]
+    old_version = int(argv[2])
+    os_name = argv[3]
+    releasever = argv[4]
+    main(os_name, image_name, old_version, releasever)
diff --git a/seed/applicationservice/2022.03.08/base/manual/install/make_volatile b/seed/applicationservice/2022.03.08/base/manual/install/make_volatile
new file mode 100755
index 0000000..2227692
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base/manual/install/make_volatile
@@ -0,0 +1,77 @@
+#!/bin/bash -e
+if [ -z $CONTAINER ]; then
+    echo "PAS DE CONTAINER"
+    exit 1
+fi
+ROOT="/var/lib/risotto/images/$CONTAINER"
+echo "$ROOT"
+DESTDIR="$ROOT/usr/lib/tmpfiles.d"
+CONF_DST="/usr/share/factory"
+EXCLUDES="^($ROOT/etc/passwd|$ROOT/etc/group|$ROOT/etc/.updated|$ROOT/etc/.pwd.lock|$ROOT/etc/systemd/network/dhcp.network|$ROOT/etc/sudoers.d/qemubuild)$"
+ONLY_COPY="^($ROOT/etc/localtime)$"
+FORCE_LINKS="^($ROOT/etc/udev/hwdb.bin)$"
+
+function execute() {
+    chroot $ROOT $@
+}
+
+function file_dir_in_tmpfiles() {
+    letter=$1
+    directory=$2
+    local_directory=$(echo $directory|sed "s@^$ROOT@@g")
+    mode=$(execute "/usr/bin/stat" "--format" "%a" "$local_directory" | grep -o "[0-9.]\+")
+    user=$(execute "/usr/bin/stat" "--format" "%U" "$local_directory" | grep -o "[0-9a-zA-Z.-]\+")
+    group=$(execute "/usr/bin/stat" "--format" "%G" "$local_directory" | grep -o "[0-9a-zA-Z.-]\+")
+    echo "$letter $local_directory $mode $user $group - -"
+}
+
+function calc_symlink_in_tmpfiles() {
+    dest_name=$1
+    local_dest_name=$2
+    src_file=$(readlink "$dest_name")
+    symlink_in_tmpfiles "$local_dest_name" "$src_file"
+}
+
+function symlink_in_tmpfiles() {
+    dest_name=$1
+    src_file=$2
+    echo "L+ $dest_name - - - - $src_file"
+}
+
+function main() {
+    dir_config_orig=$1
+    name="${dir_config_orig//\//-}"
+    dir_config_orig=$ROOT$dir_config_orig
+
+    mkdir -p "$DESTDIR"
+    mkdir -p "$ROOTCONF_DST$dir_config_orig"
+    systemd_conf="$DESTDIR/risotto$name.conf"
+    rm -f $systemd_conf
+    shopt -s globstar
+    for src_file in $dir_config_orig/**; do
+        local_src=$(echo $src_file|sed "s@$ROOT@@g")
+        dest_file="$ROOT$CONF_DST$local_src"
+        if [[ "$src_file" =~ $EXCLUDES ]]; then
+             echo "$src_file: exclude" >&2
+        elif [[ -L "$src_file" ]]; then
+            calc_symlink_in_tmpfiles "$src_file" "$local_src" >> $systemd_conf
+        elif [[ "$src_file" =~ $FORCE_LINKS ]]; then
+            symlink_in_tmpfiles "$src_file" "$dest_file" >> $systemd_conf
+        elif [[ -d "$src_file" ]]; then
+            file_dir_in_tmpfiles 'd' "$src_file" >> $systemd_conf
+            [[ ! -d "$dest_file" ]] && mkdir -p "$dest_file"
+            #echo "$src_file: directory ok"
+        else
+            if [[ ! "$src_file" =~ $ONLY_COPY ]]; then
+                file_dir_in_tmpfiles "C" "$src_file" >> $systemd_conf
+            fi
+            [[ -e "$dest_file" ]] && rm -f "$dest_file"
+            # not a symlink... an hardlink
+            ln "$src_file" "$dest_file"
+            #echo "$src_file: file ok"
+        fi
+    done
+}
+main "$1"
+echo "fin"
+exit 0
diff --git a/seed/applicationservice/2022.03.08/dovecot/DEBUG.md b/seed/applicationservice/2022.03.08/dovecot/DEBUG.md
new file mode 100644
index 0000000..258611a
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/DEBUG.md
@@ -0,0 +1,67 @@
+# recherche d'un utilisateur :
+
+```
+USER=gnunux@gnunux.info
+su - postfix -s /bin/bash -c "postmap -q $USER ldap:/etc/postfix/ldapsource.cf"
+```
+Doit retourner le nom de l'utilisateur.
+
+Il est possible de demander le mode verbeux :
+
+```
+su - postfix -s /bin/bash -c "postmap -vq $USER ldap:/etc/postfix/ldapsource.cf"
+```
+
+# Test with telnet
+
+EHLO root.gnunux.info
+[..]
+250-AUTH PLAIN LOGIN
+[..]
+MAIL FROM:<gnunux@gnunux.info>
+RCPT TO:<gnunux@gnunux.info>
+DATA
+To:<gnunux@gnunux.info>
+From:<gnunux@gnunux.info>
+Subject:SMTP Test
+This is a test message
+
+.
+
+# auth with telnet
+
+echo -ne '\000gnunux@gnunux.info\000password' | openssl base64
+openssl s_client -connect 192.168.45.13:25 -starttls smtp
+EHLO client.example.com
+[..]
+AUTH PLAIN AGdudW51eEBnbnVudXguaW5mbwBxVV96Vl9kbEUzUm82WmpTcjFHOGNzbmd4ajA=
+235 2.7.0 Authentication successful
+
+# Un élément de configuration
+
+postconf maillog_file
+
+# Editer la configuration
+
+postconf maillog_file=/dev/stdout
+
+# debug
+
+You can easily print the last 1000 error messages of a running Dovecot:
+
+doveadm log errors
+
+## debug
+
+sed -i 's/#mail_debug = no/mail_debug = yes/g' /etc/dovecot/conf.d/10-logging.conf
+systemctl restart dovecot
+
+## ldap debug
+
+echo "debug_level = -1" >> /etc/dovecot/dovecot-ldap.conf.ext
+systemctl restart dovecot
+
+## oauth debug
+
+echo "debug = yes" >> /etc/dovecot/dovecot-oauth2.conf.ext
+systemctl restart dovecot
diff --git a/seed/applicationservice/2022.03.08/dovecot/FIXME b/seed/applicationservice/2022.03.08/dovecot/FIXME
new file mode 100644
index 0000000..73bc7aa
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/FIXME
@@ -0,0 +1,2 @@
+SPF : https://www.djaodjin.com/blog/postfix-dovecot-openldap.blog.html
+Postcreen : modoboa_installer/scripts/files/postfix/main.cf.tpl
diff --git a/seed/applicationservice/2022.03.08/dovecot/applicationservice.yml b/seed/applicationservice/2022.03.08/dovecot/applicationservice.yml
new file mode 100644
index 0000000..6246beb
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/applicationservice.yml
@@ -0,0 +1,7 @@
+format: '0.1'
+description: Postfix et Dovecot
+depends:
+  - base-fedora-35
+  - relay-mail-client
+  - ldap-client-fedora
+  - oauth2-client
diff --git a/seed/applicationservice/2022.03.08/dovecot/dictionaries/22_dovecot.xml b/seed/applicationservice/2022.03.08/dovecot/dictionaries/22_dovecot.xml
new file mode 100644
index 0000000..3e72304
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/dictionaries/22_dovecot.xml
@@ -0,0 +1,107 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name="postfix" target="multi-user">
+      <override/>
+      <file engine="none" source="sysuser-postfix.conf">/sysusers.d/1postfix.conf</file>
+      <file engine="none" source="tmpfile-postfix.conf">/tmpfiles.d/0postfix.conf</file>
+      <file>/etc/postfix/main.cf</file>
+      <file>/etc/postfix/master.cf</file>
+      <file>/etc/postfix/ldapsource.cf</file>
+      <file>/etc/postfix/relay_passwd</file>
+      <file>/etc/pki/ca-trust/source/anchors/ca_MailServer.crt</file>
+      <file>/etc/pki/tls/certs/postfix.crt</file>
+      <file owner="root" group="postfix" mode="440">/etc/pki/tls/private/postfix.key</file>
+    </service>
+    <service name='dovecot-init'>
+      <override/>
+    </service>
+    <service name="dovecot" target="multi-user">
+      <file file_type="variable" source="ca_ReverseProxy.crt">revprox_ca_file</file>
+      <file engine="none" source="sysuser-dovecot.conf">/sysusers.d/1dovecot.conf</file>
+      <file engine="none" source="tmpfile-dovecot.conf">/tmpfiles.d/0dovecot.conf</file>
+      <file engine='none'>/etc/dovecot/conf.d/10-logging.conf</file>
+      <file engine='none'>/etc/dovecot/conf.d/10-auth.conf</file>
+      <file engine='none'>/etc/dovecot/conf.d/10-mail.conf</file>
+      <file>/etc/dovecot/conf.d/10-master.conf</file>
+      <file engine='none'>/etc/dovecot/conf.d/10-ssl.conf</file>
+      <!-- FIXME file engine='none'>/etc/dovecot/conf.d/12-managesieve.conf</file-->
+      <file engine='none'>/etc/dovecot/conf.d/15-ldap.conf</file>
+      <file engine='none'>/etc/dovecot/conf.d/30-service-stats.conf</file>
+      <file engine='none'>/etc/dovecot/conf.d/00-risotto.conf</file>
+      <!--plain authentification-->
+      <file>/etc/dovecot/conf.d/auth-ldap.conf.ext</file>
+      <file>/etc/dovecot/dovecot-ldap.conf.ext</file>
+      <!--oauth2 authentification-->
+      <file>/etc/dovecot/conf.d/auth-oauth2.conf.ext</file>
+      <file>/etc/dovecot/dovecot-oauth2.conf.ext</file>
+      <!--internal authentification-->
+      <file>/etc/dovecot/conf.d/auth-passwdfile.conf.ext</file>
+      <file>/etc/dovecot/risotto_users</file>
+      <file>/etc/pki/ca-trust/source/anchors/ca_IMAPServer.crt</file>
+      <file>/etc/pki/tls/certs/dovecot.crt</file>
+      <file owner="root" group="dovecot" mode="440">/etc/pki/tls/private/dovecot.key</file>
+    </service>
+  </services>
+  <variables>
+    <family name="annuaire">
+      <variable name="ldap_key_file_owner" redefine="True">
+        <value>dovecot</value>
+      </variable>
+      <variable name="ldap_key_file_group" redefine="True">
+        <value>postfix</value>
+      </variable>
+    </family>
+    <family name="postfix" description="Postfix mail server">
+      <variable name="postfix_my_domains" type="domainname" description="Domaine de courriel généré localement" mandatory="True" multi="True"/>
+      <variable name='postfix_ca_chain' description="CA certificate" hidden='True'/>
+    </family>
+    <family name="dovecot" description="IMAP mail server">
+      <variable name='dovecot_ca_chain' description="CA certificate" hidden='True'/>
+      <variable name='dovecot_local_authentifications' description="CA certificate" hidden='True' multi="True" provider="mail"/>
+      <family name="local_authentification_" description="Local server authentification" dynamic='dovecot_local_authentifications'>
+        <variable name="local_authentification_ip_" type="ip" provider="mail_ip"/>
+        <variable name="local_authentification_password_" type="secret" auto_save="True" provider="mail_password"/>
+      </family>
+      <variable name="revprox_ca_file" type="filename" description="Reverse proxy CA filename" hidden="True"/>
+      <variable name="revprox_server_domainname" type="domainname" description="Reverse proxy domain name for CA" mandatory="True"/>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="get_chain">
+      <param name="authority_cn" type="variable">domain_name_eth0</param>
+      <param name="authority_name">MailServer</param>
+      <target>postfix_ca_chain</target>
+    </fill>
+    <fill name="get_chain">
+      <param name="authority_cn" type="variable">domain_name_eth0</param>
+      <param name="authority_name">IMAPServer</param>
+      <target>dovecot_ca_chain</target>
+    </fill>
+    <fill name="get_password">
+      <param name="server_name" type="variable">domain_name_eth0</param>
+      <param name="username" type="suffix"/>
+      <param name="description">local authentification</param>
+      <param name="type">cleartext</param>
+      <target>local_authentification_password_</target>
+    </fill>
+    <check name="set_linked_configuration">
+      <param name="linked_server" type="variable">smtp_relay_address</param>
+      <param name="linked_provider">lmtp_server</param>
+      <param name="linked_value" type="variable">domain_name_eth0</param>
+      <target>postfix_my_domains</target>
+    </check>
+    <check name="set_linked_configuration">
+      <param name="linked_server" type="variable">smtp_relay_address</param>
+      <param name="linked_provider">lmtp_criteria</param>
+      <param name="dynamic" type="variable">domain_name_eth0</param>
+      <target>postfix_my_domains</target>
+    </check>
+    <fill name="calc_value">
+      <param type="variable">tls_ca_directory</param>
+      <param>ca_ReverseProxy.crt</param>
+      <param name="join">/</param>
+      <target>revprox_ca_file</target>
+    </fill>
+  </constraints>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/dovecot/funcs/dovecot.py b/seed/applicationservice/2022.03.08/dovecot/funcs/dovecot.py
new file mode 100644
index 0000000..b113013
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/funcs/dovecot.py
@@ -0,0 +1,9 @@
+from crypt import crypt as _crypt
+from string import ascii_letters as _ascii_letters, digits as _digits
+from secrets import choice as _choice
+
+
+def sha512_crypt(password):
+    salt = ''.join([_choice(_ascii_letters + _digits) for _ in range(8)])
+    prefix = '$6$'
+    return _crypt(password, prefix + salt)
diff --git a/seed/applicationservice/2022.03.08/dovecot/manual/image/preinstall/postfix_dovecot.sh b/seed/applicationservice/2022.03.08/dovecot/manual/image/preinstall/postfix_dovecot.sh
new file mode 100644
index 0000000..ea7db55
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/manual/image/preinstall/postfix_dovecot.sh
@@ -0,0 +1 @@
+PKG="$PKG postfix-ldap dovecot cyrus-sasl cyrus-sasl-lib cyrus-sasl-plain"
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/00-risotto.conf b/seed/applicationservice/2022.03.08/dovecot/templates/00-risotto.conf
new file mode 100644
index 0000000..086ee6c
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/00-risotto.conf
@@ -0,0 +1 @@
+protocols = imap lmtp
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/10-auth.conf b/seed/applicationservice/2022.03.08/dovecot/templates/10-auth.conf
new file mode 100644
index 0000000..113b796
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/10-auth.conf
@@ -0,0 +1,142 @@
+##
+## Authentication processes
+##
+
+# Disable LOGIN command and all other plaintext authentications unless
+# SSL/TLS is used (LOGINDISABLED capability). Note that if the remote IP
+# matches the local IP (ie. you're connecting from the same computer), the
+# connection is considered secure and plaintext authentication is allowed.
+# See also ssl=required setting.
+#disable_plaintext_auth = yes
+#>GNUNUX
+disable_plaintext_auth = yes
+#<GNUNUX
+
+# Authentication cache size (e.g. 10M). 0 means it's disabled. Note that
+# bsdauth and PAM require cache_key to be set for caching to be used.
+#auth_cache_size = 0
+# Time to live for cached data. After TTL expires the cached record is no
+# longer used, *except* if the main database lookup returns internal failure.
+# We also try to handle password changes automatically: If user's previous
+# authentication was successful, but this one wasn't, the cache isn't used.
+# For now this works only with plaintext authentication.
+#auth_cache_ttl = 1 hour
+# TTL for negative hits (user not found, password mismatch).
+# 0 disables caching them completely.
+#auth_cache_negative_ttl = 1 hour
+
+# Space separated list of realms for SASL authentication mechanisms that need
+# them. You can leave it empty if you don't want to support multiple realms.
+# Many clients simply use the first one listed here, so keep the default realm
+# first.
+#auth_realms =
+
+# Default realm/domain to use if none was specified. This is used for both
+# SASL realms and appending @domain to username in plaintext logins.
+#auth_default_realm = 
+
+# List of allowed characters in username. If the user-given username contains
+# a character not listed in here, the login automatically fails. This is just
+# an extra check to make sure user can't exploit any potential quote escaping
+# vulnerabilities with SQL/LDAP databases. If you want to allow all characters,
+# set this value to empty.
+#auth_username_chars = abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890.-_@
+
+# Username character translations before it's looked up from databases. The
+# value contains series of from -> to characters. For example "#@/@" means
+# that '#' and '/' characters are translated to '@'.
+#auth_username_translation =
+
+# Username formatting before it's looked up from databases. You can use
+# the standard variables here, eg. %Lu would lowercase the username, %n would
+# drop away the domain if it was given, or "%n-AT-%d" would change the '@' into
+# "-AT-". This translation is done after auth_username_translation changes.
+#auth_username_format = %Lu
+
+# If you want to allow master users to log in by specifying the master
+# username within the normal username string (ie. not using SASL mechanism's
+# support for it), you can specify the separator character here. The format
+# is then <username><separator><master username>. UW-IMAP uses "*" as the
+# separator, so that could be a good choice.
+#auth_master_user_separator =
+
+# Username to use for users logging in with ANONYMOUS SASL mechanism
+#auth_anonymous_username = anonymous
+
+# Maximum number of dovecot-auth worker processes. They're used to execute
+# blocking passdb and userdb queries (eg. MySQL and PAM). They're
+# automatically created and destroyed as needed.
+#auth_worker_max_count = 30
+
+# Host name to use in GSSAPI principal names. The default is to use the
+# name returned by gethostname(). Use "$ALL" (with quotes) to allow all keytab
+# entries.
+#auth_gssapi_hostname =
+
+# Kerberos keytab to use for the GSSAPI mechanism. Will use the system
+# default (usually /etc/krb5.keytab) if not specified. You may need to change
+# the auth service to run as root to be able to read this file.
+#auth_krb5_keytab = 
+
+# Do NTLM and GSS-SPNEGO authentication using Samba's winbind daemon and
+# ntlm_auth helper. <doc/wiki/Authentication/Mechanisms/Winbind.txt>
+#auth_use_winbind = no
+
+# Path for Samba's ntlm_auth helper binary.
+#auth_winbind_helper_path = /usr/bin/ntlm_auth
+
+# Time to delay before replying to failed authentications.
+#auth_failure_delay = 2 secs
+
+# Require a valid SSL client certificate or the authentication fails.
+#auth_ssl_require_client_cert = no
+
+# Take the username from client's SSL certificate, using 
+# X509_NAME_get_text_by_NID() which returns the subject's DN's
+# CommonName. 
+#auth_ssl_username_from_cert = no
+
+# Space separated list of wanted authentication mechanisms:
+#   plain login digest-md5 cram-md5 ntlm rpa apop anonymous gssapi otp
+#   gss-spnego
+# NOTE: See also disable_plaintext_auth setting.
+auth_mechanisms = plain
+#>GNUNUX
+auth_mechanisms = $auth_mechanisms xoauth2
+#FIXME oauthbearer?
+#<GNUNUX
+
+##
+## Password and user databases
+##
+
+#
+# Password database is used to verify user's password (and nothing more).
+# You can have multiple passdbs and userdbs. This is useful if you want to
+# allow both system users (/etc/passwd) and virtual users to login without
+# duplicating the system users into virtual database.
+#
+# <doc/wiki/PasswordDatabase.txt>
+#
+# User database specifies where mails are located and what user/group IDs
+# own them. For single-UID configuration use "static" userdb.
+#
+# <doc/wiki/UserDatabase.txt>
+
+#!include auth-deny.conf.ext
+#!include auth-master.conf.ext
+
+#GNUNUX!include auth-system.conf.ext
+#!include auth-sql.conf.ext
+#!include auth-ldap.conf.ext
+#!include auth-passwdfile.conf.ext
+#!include auth-checkpassword.conf.ext
+#!include auth-static.conf.ext
+#>GNUNUX
+# Webmail auth (ie. roundcube)
+!include auth-oauth2.conf.ext
+# IMAP auth
+!include auth-ldap.conf.ext
+# Internal users (ie. roundcube)
+!include auth-passwdfile.conf.ext
+#<GNUNUX
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/10-logging.conf b/seed/applicationservice/2022.03.08/dovecot/templates/10-logging.conf
new file mode 100644
index 0000000..ac4b190
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/10-logging.conf
@@ -0,0 +1,115 @@
+##
+## Log destination.
+##
+
+# Log file to use for error messages. "syslog" logs to syslog,
+# /dev/stderr logs to stderr.
+#>GNUNUX
+log_path = syslog
+#<GNUNUX
+
+# Log file to use for informational messages. Defaults to log_path.
+#info_log_path = 
+# Log file to use for debug messages. Defaults to info_log_path.
+#debug_log_path = 
+
+# Syslog facility to use if you're logging to syslog. Usually if you don't
+# want to use "mail", you'll use local0..local7. Also other standard
+# facilities are supported.
+#>GNUNUX
+syslog_facility = mail
+#<GNUNUX
+
+##
+## Logging verbosity and debugging.
+##
+
+# Log filter is a space-separated list conditions. If any of the conditions
+# match, the log filter matches (i.e. they're ORed together). Parenthesis
+# are supported if multiple conditions need to be matched together.
+#
+# See https://doc.dovecot.org/configuration_manual/event_filter/ for details.
+#
+# For example: event=http_request_* AND category=error AND category=storage
+#
+# Filter to specify what debug logging to enable. This will eventually replace
+# mail_debug and auth_debug settings.
+#log_debug = 
+
+# Crash after logging a matching event. For example category=error will crash
+# any time an error is logged, which can be useful for debugging.
+#log_core_filter = 
+
+# Log unsuccessful authentication attempts and the reasons why they failed.
+#>GNUNUX
+auth_verbose = yes
+#<GNUNUX
+
+# In case of password mismatches, log the attempted password. Valid values are
+# no, plain and sha1. sha1 can be useful for detecting brute force password
+# attempts vs. user simply trying the same password over and over again.
+# You can also truncate the value to n chars by appending ":n" (e.g. sha1:6).
+#>GNUNUX
+auth_verbose_passwords = no
+#<GNUNUX
+
+# Even more verbose logging for debugging purposes. Shows for example SQL
+# queries.
+#auth_debug = no
+
+# In case of password mismatches, log the passwords and used scheme so the
+# problem can be debugged. Enabling this also enables auth_debug.
+#auth_debug_passwords = no
+
+# Enable mail process debugging. This can help you figure out why Dovecot
+# isn't finding your mails.
+#mail_debug = no
+
+# Show protocol level SSL errors.
+#verbose_ssl = no
+
+# mail_log plugin provides more event logging for mail processes.
+plugin {
+  # Events to log. Also available: flag_change append
+  #mail_log_events = delete undelete expunge copy mailbox_delete mailbox_rename
+  # Available fields: uid, box, msgid, from, subject, size, vsize, flags
+  # size and vsize are available only for expunge and copy events.
+#>GNUNUX
+  mail_log_fields = uid box msgid size
+#<GNUNUX
+}
+
+##
+## Log formatting.
+##
+
+# Prefix for each line written to log file. % codes are in strftime(3)
+# format.
+#log_timestamp = "%b %d %H:%M:%S "
+
+# Space-separated list of elements we want to log. The elements which have
+# a non-empty variable value are joined together to form a comma-separated
+# string.
+#login_log_format_elements = user=<%u> method=%m rip=%r lip=%l mpid=%e %c
+
+# Login log format. %s contains login_log_format_elements string, %$ contains
+# the data we want to log.
+#login_log_format = %$: %s
+ 
+# Log prefix for mail processes. See doc/wiki/Variables.txt for list of
+# possible variables you can use.
+#mail_log_prefix = "%s(%u)<%{pid}><%{session}>: "
+
+# Format to use for logging mail deliveries:
+#  %$ - Delivery status message (e.g. "saved to INBOX")
+#  %m / %{msgid} - Message-ID
+#  %s / %{subject} - Subject
+#  %f / %{from} - From address
+#  %p / %{size} - Physical size
+#  %w / %{vsize} - Virtual size
+#  %e / %{from_envelope} - MAIL FROM envelope
+#  %{to_envelope} - RCPT TO envelope
+#  %{delivery_time} - How many milliseconds it took to deliver the mail
+#  %{session_time} - How long LMTP session took, not including delivery_time
+#  %{storage_id} - Backend-specific ID for mail, e.g. Maildir filename
+#deliver_log_format = msgid=%m: %$
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/10-mail.conf b/seed/applicationservice/2022.03.08/dovecot/templates/10-mail.conf
new file mode 100644
index 0000000..a6dcb17
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/10-mail.conf
@@ -0,0 +1,418 @@
+##
+## Mailbox locations and namespaces
+##
+
+# Location for users' mailboxes. The default is empty, which means that Dovecot
+# tries to find the mailboxes automatically. This won't work if the user
+# doesn't yet have any mail, so you should explicitly tell Dovecot the full
+# location.
+#
+# If you're using mbox, giving a path to the INBOX file (eg. /var/mail/%u)
+# isn't enough. You'll also need to tell Dovecot where the other mailboxes are
+# kept. This is called the "root mail directory", and it must be the first
+# path given in the mail_location setting.
+#
+# There are a few special variables you can use, eg.:
+#
+#   %u - username
+#   %n - user part in user@domain, same as %u if there's no domain
+#   %d - domain part in user@domain, empty if there's no domain
+#   %h - home directory
+#
+# See doc/wiki/Variables.txt for full list. Some examples:
+#
+#   mail_location = maildir:~/Maildir
+#   mail_location = mbox:~/mail:INBOX=/var/mail/%u
+#   mail_location = mbox:/var/mail/%d/%1n/%n:INDEX=/var/indexes/%d/%1n/%n
+#
+# <doc/wiki/MailLocation.txt>
+#
+#>GNUNUX
+mail_location = maildir:/srv/mail/%u
+#<GNUNUX
+
+# If you need to set multiple mailbox locations or want to change default
+# namespace settings, you can do it by defining namespace sections.
+#
+# You can have private, shared and public namespaces. Private namespaces
+# are for user's personal mails. Shared namespaces are for accessing other
+# users' mailboxes that have been shared. Public namespaces are for shared
+# mailboxes that are managed by sysadmin. If you create any shared or public
+# namespaces you'll typically want to enable ACL plugin also, otherwise all
+# users can access all the shared mailboxes, assuming they have permissions
+# on filesystem level to do so.
+namespace inbox {
+  # Namespace type: private, shared or public
+  #type = private
+
+  # Hierarchy separator to use. You should use the same separator for all
+  # namespaces or some clients get confused. '/' is usually a good one.
+  # The default however depends on the underlying mail storage format.
+  #separator = 
+
+  # Prefix required to access this namespace. This needs to be different for
+  # all namespaces. For example "Public/".
+  #prefix = 
+
+  # Physical location of the mailbox. This is in same format as
+  # mail_location, which is also the default for it.
+  #location =
+
+  # There can be only one INBOX, and this setting defines which namespace
+  # has it.
+  inbox = yes
+
+  # If namespace is hidden, it's not advertised to clients via NAMESPACE
+  # extension. You'll most likely also want to set list=no. This is mostly
+  # useful when converting from another server with different namespaces which
+  # you want to deprecate but still keep working. For example you can create
+  # hidden namespaces with prefixes "~/mail/", "~%u/mail/" and "mail/".
+  #hidden = no
+
+  # Show the mailboxes under this namespace with LIST command. This makes the
+  # namespace visible for clients that don't support NAMESPACE extension.
+  # "children" value lists child mailboxes, but hides the namespace prefix.
+  #list = yes
+
+  # Namespace handles its own subscriptions. If set to "no", the parent
+  # namespace handles them (empty prefix should always have this as "yes")
+  #subscriptions = yes
+
+  # See 15-mailboxes.conf for definitions of special mailboxes.
+}
+
+# Example shared namespace configuration
+#namespace {
+  #type = shared
+  #separator = /
+
+  # Mailboxes are visible under "shared/user@domain/"
+  # %%n, %%d and %%u are expanded to the destination user.
+  #prefix = shared/%%u/
+
+  # Mail location for other users' mailboxes. Note that %variables and ~/
+  # expands to the logged in user's data. %%n, %%d, %%u and %%h expand to the
+  # destination user's data.
+  #location = maildir:%%h/Maildir:INDEX=~/Maildir/shared/%%u
+
+  # Use the default namespace for saving subscriptions.
+  #subscriptions = no
+
+  # List the shared/ namespace only if there are visible shared mailboxes.
+  #list = children
+#}
+# Should shared INBOX be visible as "shared/user" or "shared/user/INBOX"?
+#mail_shared_explicit_inbox = no
+
+# System user and group used to access mails. If you use multiple, userdb
+# can override these by returning uid or gid fields. You can use either numbers
+# or names. <doc/wiki/UserIds.txt>
+#mail_uid =
+#mail_gid =
+
+# Group to enable temporarily for privileged operations. Currently this is
+# used only with INBOX when either its initial creation or dotlocking fails.
+# Typically this is set to "mail" to give access to /var/mail.
+#mail_privileged_group =
+
+# Grant access to these supplementary groups for mail processes. Typically
+# these are used to set up access to shared mailboxes. Note that it may be
+# dangerous to set these if users can create symlinks (e.g. if "mail" group is
+# set here, ln -s /var/mail ~/mail/var could allow a user to delete others'
+# mailboxes, or ln -s /secret/shared/box ~/mail/mybox would allow reading it).
+#mail_access_groups =
+
+# Allow full filesystem access to clients. There's no access checks other than
+# what the operating system does for the active UID/GID. It works with both
+# maildir and mboxes, allowing you to prefix mailboxes names with eg. /path/
+# or ~user/.
+#mail_full_filesystem_access = no
+
+# Dictionary for key=value mailbox attributes. This is used for example by
+# URLAUTH and METADATA extensions.
+#mail_attribute_dict =
+
+# A comment or note that is associated with the server. This value is
+# accessible for authenticated users through the IMAP METADATA server
+# entry "/shared/comment". 
+#mail_server_comment = ""
+
+# Indicates a method for contacting the server administrator. According to
+# RFC 5464, this value MUST be a URI (e.g., a mailto: or tel: URL), but that
+# is currently not enforced. Use for example mailto:admin@example.com. This
+# value is accessible for authenticated users through the IMAP METADATA server
+# entry "/shared/admin".
+#mail_server_admin = 
+
+##
+## Mail processes
+##
+
+# Don't use mmap() at all. This is required if you store indexes to shared
+# filesystems (NFS or clustered filesystem).
+#mmap_disable = no
+
+# Rely on O_EXCL to work when creating dotlock files. NFS supports O_EXCL
+# since version 3, so this should be safe to use nowadays by default.
+#dotlock_use_excl = yes
+
+# When to use fsync() or fdatasync() calls:
+#   optimized (default): Whenever necessary to avoid losing important data
+#   always: Useful with e.g. NFS when write()s are delayed
+#   never: Never use it (best performance, but crashes can lose data)
+#mail_fsync = optimized
+
+# Locking method for index files. Alternatives are fcntl, flock and dotlock.
+# Dotlocking uses some tricks which may create more disk I/O than other locking
+# methods. NFS users: flock doesn't work, remember to change mmap_disable.
+#lock_method = fcntl
+
+# Directory where mails can be temporarily stored. Usually it's used only for
+# mails larger than >= 128 kB. It's used by various parts of Dovecot, for
+# example LDA/LMTP while delivering large mails or zlib plugin for keeping
+# uncompressed mails.
+#mail_temp_dir = /tmp
+
+# Valid UID range for users, defaults to 500 and above. This is mostly
+# to make sure that users can't log in as daemons or other system users.
+# Note that denying root logins is hardcoded to dovecot binary and can't
+# be done even if first_valid_uid is set to 0.
+#first_valid_uid = 500
+#last_valid_uid = 0
+
+# Valid GID range for users, defaults to non-root/wheel. Users having
+# non-valid GID as primary group ID aren't allowed to log in. If user
+# belongs to supplementary groups with non-valid GIDs, those groups are
+# not set.
+#first_valid_gid = 1
+#last_valid_gid = 0
+
+# Maximum allowed length for mail keyword name. It's only forced when trying
+# to create new keywords.
+#mail_max_keyword_length = 50
+
+# ':' separated list of directories under which chrooting is allowed for mail
+# processes (ie. /var/mail will allow chrooting to /var/mail/foo/bar too).
+# This setting doesn't affect login_chroot, mail_chroot or auth chroot
+# settings. If this setting is empty, "/./" in home dirs are ignored.
+# WARNING: Never add directories here which local users can modify, that
+# may lead to root exploit. Usually this should be done only if you don't
+# allow shell access for users. <doc/wiki/Chrooting.txt>
+#valid_chroot_dirs = 
+
+# Default chroot directory for mail processes. This can be overridden for
+# specific users in user database by giving /./ in user's home directory
+# (eg. /home/./user chroots into /home). Note that usually there is no real
+# need to do chrooting, Dovecot doesn't allow users to access files outside
+# their mail directory anyway. If your home directories are prefixed with
+# the chroot directory, append "/." to mail_chroot. <doc/wiki/Chrooting.txt>
+#mail_chroot = 
+
+# UNIX socket path to master authentication server to find users.
+# This is used by imap (for shared users) and lda.
+#auth_socket_path = /var/run/dovecot/auth-userdb
+
+# Directory where to look up mail plugins.
+#mail_plugin_dir = /usr/lib/dovecot
+
+# Space separated list of plugins to load for all services. Plugins specific to
+# IMAP, LDA, etc. are added to this list in their own .conf files.
+#mail_plugins = 
+
+##
+## Mailbox handling optimizations
+##
+
+# Mailbox list indexes can be used to optimize IMAP STATUS commands. They are
+# also required for IMAP NOTIFY extension to be enabled.
+#mailbox_list_index = yes
+
+# Trust mailbox list index to be up-to-date. This reduces disk I/O at the cost
+# of potentially returning out-of-date results after e.g. server crashes.
+# The results will be automatically fixed once the folders are opened.
+#mailbox_list_index_very_dirty_syncs = yes
+
+# Should INBOX be kept up-to-date in the mailbox list index? By default it's
+# not, because most of the mailbox accesses will open INBOX anyway.
+#mailbox_list_index_include_inbox = no
+
+# The minimum number of mails in a mailbox before updates are done to cache
+# file. This allows optimizing Dovecot's behavior to do less disk writes at
+# the cost of more disk reads.
+#mail_cache_min_mail_count = 0
+
+# When IDLE command is running, mailbox is checked once in a while to see if
+# there are any new mails or other changes. This setting defines the minimum
+# time to wait between those checks. Dovecot can also use inotify and
+# kqueue to find out immediately when changes occur.
+#mailbox_idle_check_interval = 30 secs
+
+# Save mails with CR+LF instead of plain LF. This makes sending those mails
+# take less CPU, especially with sendfile() syscall with Linux and FreeBSD.
+# But it also creates a bit more disk I/O which may just make it slower.
+# Also note that if other software reads the mboxes/maildirs, they may handle
+# the extra CRs wrong and cause problems.
+#mail_save_crlf = no
+
+# Max number of mails to keep open and prefetch to memory. This only works with
+# some mailbox formats and/or operating systems.
+#mail_prefetch_count = 0
+
+# How often to scan for stale temporary files and delete them (0 = never).
+# These should exist only after Dovecot dies in the middle of saving mails.
+#mail_temp_scan_interval = 1w
+
+# How many slow mail accesses sorting can perform before it returns failure.
+# With IMAP the reply is: NO [LIMIT] Requested sort would have taken too long.
+# The untagged SORT reply is still returned, but it's likely not correct.
+#mail_sort_max_read_count = 0
+
+protocol !indexer-worker {
+  # If folder vsize calculation requires opening more than this many mails from
+  # disk (i.e. mail sizes aren't in cache already), return failure and finish
+  # the calculation via indexer process. Disabled by default. This setting must
+  # be 0 for indexer-worker processes.
+  #mail_vsize_bg_after_count = 0
+}
+
+##
+## Maildir-specific settings
+##
+
+# By default LIST command returns all entries in maildir beginning with a dot.
+# Enabling this option makes Dovecot return only entries which are directories.
+# This is done by stat()ing each entry, so it causes more disk I/O.
+# (For systems setting struct dirent->d_type, this check is free and it's
+# done always regardless of this setting)
+#maildir_stat_dirs = no
+
+# When copying a message, do it with hard links whenever possible. This makes
+# the performance much better, and it's unlikely to have any side effects.
+#maildir_copy_with_hardlinks = yes
+
+# Assume Dovecot is the only MUA accessing Maildir: Scan cur/ directory only
+# when its mtime changes unexpectedly or when we can't find the mail otherwise.
+#maildir_very_dirty_syncs = no
+
+# If enabled, Dovecot doesn't use the S=<size> in the Maildir filenames for
+# getting the mail's physical size, except when recalculating Maildir++ quota.
+# This can be useful in systems where a lot of the Maildir filenames have a
+# broken size. The performance hit for enabling this is very small.
+#maildir_broken_filename_sizes = no
+
+# Always move mails from new/ directory to cur/, even when the \Recent flags
+# aren't being reset.
+#maildir_empty_new = no
+
+##
+## mbox-specific settings
+##
+
+# Which locking methods to use for locking mbox. There are four available:
+#  dotlock: Create <mailbox>.lock file. This is the oldest and most NFS-safe
+#           solution. If you want to use /var/mail/ like directory, the users
+#           will need write access to that directory.
+#  dotlock_try: Same as dotlock, but if it fails because of permissions or
+#               because there isn't enough disk space, just skip it.
+#  fcntl  : Use this if possible. Works with NFS too if lockd is used.
+#  flock  : May not exist in all systems. Doesn't work with NFS.
+#  lockf  : May not exist in all systems. Doesn't work with NFS.
+#
+# You can use multiple locking methods; if you do the order they're declared
+# in is important to avoid deadlocks if other MTAs/MUAs are using multiple
+# locking methods as well. Some operating systems don't allow using some of
+# them simultaneously.
+#mbox_read_locks = fcntl
+#mbox_write_locks = dotlock fcntl
+mbox_write_locks = fcntl
+
+# Maximum time to wait for lock (all of them) before aborting.
+#mbox_lock_timeout = 5 mins
+
+# If dotlock exists but the mailbox isn't modified in any way, override the
+# lock file after this much time.
+#mbox_dotlock_change_timeout = 2 mins
+
+# When mbox changes unexpectedly we have to fully read it to find out what
+# changed. If the mbox is large this can take a long time. Since the change
+# is usually just a newly appended mail, it'd be faster to simply read the
+# new mails. If this setting is enabled, Dovecot does this but still safely
+# fallbacks to re-reading the whole mbox file whenever something in mbox isn't
+# how it's expected to be. The only real downside to this setting is that if
+# some other MUA changes message flags, Dovecot doesn't notice it immediately.
+# Note that a full sync is done with SELECT, EXAMINE, EXPUNGE and CHECK 
+# commands.
+#mbox_dirty_syncs = yes
+
+# Like mbox_dirty_syncs, but don't do full syncs even with SELECT, EXAMINE,
+# EXPUNGE or CHECK commands. If this is set, mbox_dirty_syncs is ignored.
+#mbox_very_dirty_syncs = no
+
+# Delay writing mbox headers until doing a full write sync (EXPUNGE and CHECK
+# commands and when closing the mailbox). This is especially useful for POP3
+# where clients often delete all mails. The downside is that our changes
+# aren't immediately visible to other MUAs.
+#mbox_lazy_writes = yes
+
+# If mbox size is smaller than this (e.g. 100k), don't write index files.
+# If an index file already exists it's still read, just not updated.
+#mbox_min_index_size = 0
+
+# Mail header selection algorithm to use for MD5 POP3 UIDLs when
+# pop3_uidl_format=%m. For backwards compatibility we use apop3d inspired
+# algorithm, but it fails if the first Received: header isn't unique in all
+# mails. An alternative algorithm is "all" that selects all headers.
+#mbox_md5 = apop3d
+
+##
+## mdbox-specific settings
+##
+
+# Maximum dbox file size until it's rotated.
+#mdbox_rotate_size = 10M
+
+# Maximum dbox file age until it's rotated. Typically in days. Day begins
+# from midnight, so 1d = today, 2d = yesterday, etc. 0 = check disabled.
+#mdbox_rotate_interval = 0
+
+# When creating new mdbox files, immediately preallocate their size to
+# mdbox_rotate_size. This setting currently works only in Linux with some
+# filesystems (ext4, xfs).
+#mdbox_preallocate_space = no
+
+##
+## Mail attachments
+##
+
+# sdbox and mdbox support saving mail attachments to external files, which
+# also allows single instance storage for them. Other backends don't support
+# this for now.
+
+# Directory root where to store mail attachments. Disabled, if empty.
+#mail_attachment_dir =
+
+# Attachments smaller than this aren't saved externally. It's also possible to
+# write a plugin to disable saving specific attachments externally.
+#mail_attachment_min_size = 128k
+
+# Filesystem backend to use for saving attachments:
+#  posix : No SiS done by Dovecot (but this might help FS's own deduplication)
+#  sis posix : SiS with immediate byte-by-byte comparison during saving
+#  sis-queue posix : SiS with delayed comparison and deduplication
+#mail_attachment_fs = sis posix
+
+# Hash format to use in attachment filenames. You can add any text and
+# variables: %{md4}, %{md5}, %{sha1}, %{sha256}, %{sha512}, %{size}.
+# Variables can be truncated, e.g. %{sha256:80} returns only first 80 bits
+#mail_attachment_hash = %{sha1}
+
+# Settings to control adding $HasAttachment or $HasNoAttachment keywords.
+# By default, all MIME parts with Content-Disposition=attachment, or inlines
+# with filename parameter are consired attachments.
+#   add-flags - Add the keywords when saving new mails or when fetching can
+#      do it efficiently.
+#   content-type=type or !type - Include/exclude content type. Excluding will
+#     never consider the matched MIME part as attachment. Including will only
+#     negate an exclusion (e.g. content-type=!foo/* content-type=foo/bar).
+#   exclude-inlined - Exclude any Content-Disposition=inline MIME part.
+#mail_attachment_detection_options =
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/10-master.conf b/seed/applicationservice/2022.03.08/dovecot/templates/10-master.conf
new file mode 100644
index 0000000..848ecf3
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/10-master.conf
@@ -0,0 +1,156 @@
+#default_process_limit = 100
+#default_client_limit = 1000
+
+# Default VSZ (virtual memory size) limit for service processes. This is mainly
+# intended to catch and kill processes that leak memory before they eat up
+# everything.
+#default_vsz_limit = 256M
+
+# Login user is internally used by login processes. This is the most untrusted
+# user in Dovecot system. It shouldn't have access to anything at all.
+#default_login_user = dovenull
+
+# Internal user is used by unprivileged processes. It should be separate from
+# login user, so that login processes can't disturb other processes.
+#default_internal_user = dovecot
+
+service imap-login {
+  inet_listener imap {
+    #port = 143
+#>GNUNUX
+    port = 0
+#<GNUNUX
+  }
+  inet_listener imaps {
+    #port = 993
+    #ssl = yes
+  }
+
+  # Number of connections to handle before starting a new process. Typically
+  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
+  # is faster. <doc/wiki/LoginProcess.txt>
+  #service_count = 1
+
+  # Number of processes to always keep waiting for more connections.
+  #process_min_avail = 0
+
+  # If you set service_count=0, you probably need to grow this.
+  #vsz_limit = $default_vsz_limit
+}
+
+service pop3-login {
+  inet_listener pop3 {
+    #port = 110
+#>GNUNUX
+    port = 0
+#<GNUNUX
+  }
+  inet_listener pop3s {
+#>GNUNUX
+    port = 0
+#<GNUNUX
+    #port = 995
+    #ssl = yes
+  }
+}
+
+service submission-login {
+  inet_listener submission {
+    #port = 587
+  }
+}
+
+service lmtp {
+  unix_listener lmtp {
+    #mode = 0666
+  }
+
+  # Create inet listener only if you can't use the above UNIX socket
+  #inet_listener lmtp {
+    # Avoid making LMTP visible for the entire internet
+    #address =
+    #port = 
+  #}
+#>GNUNUX
+  inet_listener lmtp {
+    address = %%ip_eth0
+    port = 8024
+  }
+#<GNUNUX
+}
+
+service imap {
+  # Most of the memory goes to mmap()ing files. You may need to increase this
+  # limit if you have huge mailboxes.
+  #vsz_limit = $default_vsz_limit
+
+  # Max. number of IMAP processes (connections)
+  #process_limit = 1024
+}
+
+service pop3 {
+  # Max. number of POP3 processes (connections)
+  #process_limit = 1024
+}
+
+service submission {
+  # Max. number of SMTP Submission processes (connections)
+  #process_limit = 1024
+}
+
+service auth {
+  # auth_socket_path points to this userdb socket by default. It's typically
+  # used by dovecot-lda, doveadm, possibly imap process, etc. Users that have
+  # full permissions to this socket are able to get a list of all usernames and
+  # get the results of everyone's userdb lookups.
+  #
+  # The default 0666 mode allows anyone to connect to the socket, but the
+  # userdb lookups will succeed only if the userdb returns an "uid" field that
+  # matches the caller process's UID. Also if caller's uid or gid matches the
+  # socket's uid or gid the lookup succeeds. Anything else causes a failure.
+  #
+  # To give the caller full permissions to lookup all users, set the mode to
+  # something else than 0666 and Dovecot lets the kernel enforce the
+  # permissions (e.g. 0777 allows everyone full permissions).
+  unix_listener auth-userdb {
+    #mode = 0666
+    #user = 
+    #group = 
+#>GNUNUX
+    mode = 0666
+    user = vmail
+#<GNUNUX
+  }
+
+  # Postfix smtp-auth
+  #unix_listener /var/spool/postfix/private/auth {
+  #  mode = 0666
+  #}
+#>GNUNUX
+  unix_listener /srv/dovecot/auth {
+    mode = 0666
+    user = postfix
+    group = postfix
+  }
+#<GNUNUX
+
+  # Auth process is run as this user.
+  #user = $default_internal_user
+}
+
+service auth-worker {
+  # Auth worker process is run as root by default, so that it can access
+  # /etc/shadow. If this isn't necessary, the user should be changed to
+  # $default_internal_user.
+  #user = root
+}
+
+service dict {
+  # If dict proxy is used, mail processes should have access to its socket.
+  # For example: mode=0660, group=vmail and global mail_access_groups=vmail
+  unix_listener dict {
+    #mode = 0600
+    #user = 
+    #group = 
+  }
+}
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/10-ssl.conf b/seed/applicationservice/2022.03.08/dovecot/templates/10-ssl.conf
new file mode 100644
index 0000000..2c9459b
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/10-ssl.conf
@@ -0,0 +1,90 @@
+##
+## SSL settings
+##
+
+# SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt>
+# disable plain pop3 and imap, allowed are only pop3+TLS, pop3s, imap+TLS and imaps
+# plain imap and pop3 are still allowed for local connections
+ssl = required
+
+# PEM encoded X.509 SSL/TLS certificate and private key. They're opened before
+# dropping root privileges, so keep the key file unreadable by anyone but
+# root. Included doc/mkcert.sh can be used to easily generate self-signed
+# certificate, just make sure to update the domains in dovecot-openssl.cnf
+#GNUNUX ssl_cert = </etc/pki/dovecot/certs/dovecot.pem
+#GNUNUX ssl_key = </etc/pki/dovecot/private/dovecot.pem
+#>GNUNUX
+ssl_cert = </etc/pki/tls/certs/dovecot.crt
+ssl_key = </etc/pki/tls/private/dovecot.key
+#<GNUNUX
+
+# If key file is password protected, give the password here. Alternatively
+# give it when starting dovecot with -p parameter. Since this file is often
+# world-readable, you may want to place this setting instead to a different
+# root owned 0600 file by using ssl_key_password = <path.
+#ssl_key_password =
+
+# PEM encoded trusted certificate authority. Set this only if you intend to use
+# ssl_verify_client_cert=yes. The file should contain the CA certificate(s)
+# followed by the matching CRL(s). (e.g. ssl_ca = </etc/pki/dovecot/certs/ca.pem)
+#ssl_ca = 
+
+# Require that CRL check succeeds for client certificates.
+#ssl_require_crl = yes
+
+# Directory and/or file for trusted SSL CA certificates. These are used only
+# when Dovecot needs to act as an SSL client (e.g. imapc backend or
+# submission service). The directory is usually /etc/pki/dovecot/certs in
+# Debian-based systems and the file is /etc/pki/tls/cert.pem in
+# RedHat-based systems. Note that ssl_client_ca_file isn't recommended with
+# large CA bundles, because it leads to excessive memory usage.
+#ssl_client_ca_dir =
+#ssl_client_ca_file =
+ssl_client_ca_file = /etc/pki/ca-trust/source/anchors/ca_IMAPServer.crt
+
+# Require valid cert when connecting to a remote server
+#ssl_client_require_valid_cert = yes
+
+# Request client to send a certificate. If you also want to require it, set
+# auth_ssl_require_client_cert=yes in auth section.
+#ssl_verify_client_cert = no
+
+# Which field from certificate to use for username. commonName and
+# x500UniqueIdentifier are the usual choices. You'll also need to set
+# auth_ssl_username_from_cert=yes.
+#ssl_cert_username_field = commonName
+
+# SSL DH parameters
+# Generate new params with `openssl dhparam -out /etc/dovecot/dh.pem 4096`
+# Or migrate from old ssl-parameters.dat file with the command dovecot
+# gives on startup when ssl_dh is unset.
+#ssl_dh = </etc/dovecot/dh.pem
+
+# Minimum SSL protocol version to use. Potentially recognized values are SSLv3,
+# TLSv1, TLSv1.1, TLSv1.2 and TLSv1.3, depending on the OpenSSL version used.
+#
+# Dovecot also recognizes values ANY and LATEST. ANY matches with any protocol
+# version, and LATEST matches with the latest version supported by library.
+#ssl_min_protocol = TLSv1.2
+
+# SSL ciphers to use, the default is:
+#ssl_cipher_list = ALL:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+# To disable non-EC DH, use:
+#ssl_cipher_list = ALL:!DH:!kRSA:!SRP:!kDHd:!DSS:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4:!ADH:!LOW@STRENGTH
+ssl_cipher_list = PROFILE=SYSTEM
+
+# Colon separated list of elliptic curves to use. Empty value (the default)
+# means use the defaults from the SSL library. P-521:P-384:P-256 would be an
+# example of a valid value.
+#ssl_curve_list =
+
+# Prefer the server's order of ciphers over client's.
+#ssl_prefer_server_ciphers = no
+
+# SSL crypto device to use, for valid values run "openssl engine"
+#ssl_crypto_device =
+
+# SSL extra options. Currently supported options are:
+#   compression - Enable compression.
+#   no_ticket - Disable SSL session tickets.
+#ssl_options =
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/12-managesieve.conf b/seed/applicationservice/2022.03.08/dovecot/templates/12-managesieve.conf
new file mode 100644
index 0000000..c06febc
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/12-managesieve.conf
@@ -0,0 +1,23 @@
+# Uncomment to enable managesieve protocol:
+protocols = $protocols sieve
+
+service managesieve-login {
+  inet_listener sieve {
+    port = 4190
+  }
+
+  #inet_listener sieve_deprecated {
+  #  port = 2000
+  #}
+
+  # Number of connections to handle before starting a new process. Typically
+  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
+  # is faster. <doc/wiki/LoginProcess.txt>
+  service_count = 1
+
+  # Number of processes to always keep waiting for more connections.
+  process_min_avail = 0
+
+  # If you set service_count=0, you probably need to grow this.
+  vsz_limit = 64M
+}
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/15-ldap.conf b/seed/applicationservice/2022.03.08/dovecot/templates/15-ldap.conf
new file mode 100644
index 0000000..c19fb97
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/15-ldap.conf
@@ -0,0 +1,51 @@
+##
+## LDA specific settings (also used by LMTP)
+##
+
+# Address to use when sending rejection mails.
+# Default is postmaster@%d. %d expands to recipient domain.
+#postmaster_address =
+
+# Hostname to use in various parts of sent mails (e.g. in Message-Id) and
+# in LMTP replies. Default is the system's real hostname@domain.
+#hostname = 
+
+# If user is over quota, return with temporary failure instead of
+# bouncing the mail.
+#quota_full_tempfail = no
+
+# Binary to use for sending mails.
+#sendmail_path = /usr/sbin/sendmail
+
+# If non-empty, send mails via this SMTP host[:port] instead of sendmail.
+#submission_host =
+
+# Subject: header to use for rejection mails. You can use the same variables
+# as for rejection_reason below.
+#rejection_subject = Rejected: %s
+
+# Human readable error message for rejection mails. You can use variables:
+#  %n = CRLF, %r = reason, %s = original subject, %t = recipient
+#rejection_reason = Your message to <%t> was automatically rejected:%n%r
+
+# Delimiter character between local-part and detail in email address.
+#recipient_delimiter = +
+
+# Header where the original recipient address (SMTP's RCPT TO: address) is taken
+# from if not available elsewhere. With dovecot-lda -a parameter overrides this. 
+# A commonly used header for this is X-Original-To.
+#lda_original_recipient_header =
+
+# Should saving a mail to a nonexistent mailbox automatically create it?
+#lda_mailbox_autocreate = no
+
+# Should automatically created mailboxes be also automatically subscribed?
+#lda_mailbox_autosubscribe = no
+
+# GNUNUX protocol lda {
+# GNUNUX   # Space separated list of plugins to load (default is global mail_plugins).
+# GNUNUX   #mail_plugins = $mail_plugins
+# GNUNUX #>GNUNUX
+# GNUNUX   mail_plugins = sieve
+# GNUNUX #<GNUNUX
+# GNUNUX }
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/30-service-stats.conf b/seed/applicationservice/2022.03.08/dovecot/templates/30-service-stats.conf
new file mode 100644
index 0000000..1b60642
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/30-service-stats.conf
@@ -0,0 +1,12 @@
+service stats {
+  unix_listener stats-reader {
+    user = vmail
+    group = vmail
+    mode = 0660
+  }
+  unix_listener stats-writer {
+    user = vmail
+    group = vmail
+    mode = 0660
+  }
+}
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/auth-ldap.conf.ext b/seed/applicationservice/2022.03.08/dovecot/templates/auth-ldap.conf.ext
new file mode 100644
index 0000000..1b459c0
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/auth-ldap.conf.ext
@@ -0,0 +1,39 @@
+# Authentication for LDAP users. Included from 10-auth.conf.
+#
+# <doc/wiki/AuthDatabase.LDAP.txt>
+
+passdb {
+  driver = ldap
+
+  # Path for LDAP configuration file, see example-config/dovecot-ldap.conf.ext
+  args = /etc/dovecot/dovecot-ldap.conf.ext
+}
+
+# "prefetch" user database means that the passdb already provided the
+# needed information and there's no need to do a separate userdb lookup.
+# <doc/wiki/UserDatabase.Prefetch.txt>
+#userdb {
+#  driver = prefetch
+#}
+
+# GNUNUX userdb {
+# GNUNUX   driver = ldap
+# GNUNUX   args = /etc/dovecot/dovecot-ldap.conf.ext
+# GNUNUX   
+# GNUNUX   # Default fields can be used to specify defaults that LDAP may override
+# GNUNUX   #default_fields = home=/home/virtual/%u
+# GNUNUX }
+
+# If you don't have any user-specific settings, you can avoid the userdb LDAP
+# lookup by using userdb static instead of userdb ldap, for example:
+# <doc/wiki/UserDatabase.Static.txt>
+#userdb {
+  #driver = static
+  #args = uid=vmail gid=vmail home=/var/vmail/%u
+#}
+#>GNUNUX
+userdb {
+  driver = static
+  args = uid=vmail gid=vmail home=/srv/mail/%u
+}
+#<GNUNUX
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/auth-oauth2.conf.ext b/seed/applicationservice/2022.03.08/dovecot/templates/auth-oauth2.conf.ext
new file mode 100644
index 0000000..54470f7
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/auth-oauth2.conf.ext
@@ -0,0 +1,6 @@
+# GNUNUX see /usr/share/doc/dovecot/wiki/PasswordDatabase.oauth2.txt
+passdb {
+  driver = oauth2
+  mechanisms = xoauth2 #FIXME oauthbearer
+  args = /etc/dovecot/dovecot-oauth2.conf.ext
+}
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/auth-passwdfile.conf.ext b/seed/applicationservice/2022.03.08/dovecot/templates/auth-passwdfile.conf.ext
new file mode 100644
index 0000000..5bf0328
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/auth-passwdfile.conf.ext
@@ -0,0 +1,21 @@
+# Authentication for passwd-file users. Included from 10-auth.conf.
+#
+# passwd-like file with specified location.
+# <doc/wiki/AuthDatabase.PasswdFile.txt>
+
+passdb {
+  driver = passwd-file
+  # GNUNUX args = scheme=CRYPT username_format=%u /etc/dovecot/users
+  args = scheme=SHA512-CRYPT username_format=%n /etc/dovecot/risotto_users
+}
+
+# GNUNUX userdb {
+# GNUNUX   driver = passwd-file
+# GNUNUX   args = username_format=%u /etc/dovecot/users
+# GNUNUX 
+# GNUNUX   # Default fields that can be overridden by passwd-file
+# GNUNUX   #default_fields = quota_rule=*:storage=1G
+# GNUNUX 
+# GNUNUX   # Override fields from passwd-file
+# GNUNUX   #override_fields = home=/home/virtual/%u
+# GNUNUX }
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/ca_IMAPServer.crt b/seed/applicationservice/2022.03.08/dovecot/templates/ca_IMAPServer.crt
new file mode 100644
index 0000000..c60dbec
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/ca_IMAPServer.crt
@@ -0,0 +1 @@
+%%dovecot_ca_chain
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/ca_MailServer.crt b/seed/applicationservice/2022.03.08/dovecot/templates/ca_MailServer.crt
new file mode 100644
index 0000000..dadb6c9
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/ca_MailServer.crt
@@ -0,0 +1 @@
+%%postfix_ca_chain
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/ca_ReverseProxy.crt b/seed/applicationservice/2022.03.08/dovecot/templates/ca_ReverseProxy.crt
new file mode 100644
index 0000000..e0bc5f9
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/ca_ReverseProxy.crt
@@ -0,0 +1 @@
+%%get_chain(%%revprox_server_domainname, authority_name='ReverseProxy')
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/dovecot-init.service b/seed/applicationservice/2022.03.08/dovecot/templates/dovecot-init.service
new file mode 100644
index 0000000..b4f9cec
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/dovecot-init.service
@@ -0,0 +1,6 @@
+[Unit]
+After=network.target
+
+[Service]
+ExecStart=
+ExecStart=/bin/true
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/dovecot-ldap.conf.ext b/seed/applicationservice/2022.03.08/dovecot/templates/dovecot-ldap.conf.ext
new file mode 100644
index 0000000..4bc7f34
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/dovecot-ldap.conf.ext
@@ -0,0 +1,181 @@
+# SEE /usr/share/doc/dovecot/example-config/dovecot-ldap.conf.ext
+# This file is commonly accessed via passdb {} or userdb {} section in
+# conf.d/auth-ldap.conf.ext
+
+# This file is opened as root, so it should be owned by root and mode 0600.
+#
+# http://wiki2.dovecot.org/AuthDatabase/LDAP
+#
+# NOTE: If you're not using authentication binds, you'll need to give
+# dovecot-auth read access to userPassword field in the LDAP server.
+# With OpenLDAP this is done by modifying /etc/ldap/slapd.conf. There should
+# already be something like this:
+
+# access to attribute=userPassword
+#        by dn="<dovecot's dn>" read # add this
+#        by anonymous auth
+#        by self write
+#        by * none
+
+# Space separated list of LDAP hosts to use. host:port is allowed too.
+#hosts =
+
+# LDAP URIs to use. You can use this instead of hosts list. Note that this
+# setting isn't supported by all LDAP libraries.
+#uris = 
+#>GNUNUX
+uris = ldaps://%%ldap_server_address
+#<GNUNUX
+
+# Distinguished Name - the username used to login to the LDAP server.
+# Leave it commented out to bind anonymously (useful with auth_bind=yes).
+#dn = 
+
+# Password for LDAP server, if dn is specified.
+#dnpass = 
+#>GNUNUX
+dn = %%ldapclient_remote_user
+dnpass = %%ldapclient_remote_user_password
+#<GNUNUX
+
+# Use SASL binding instead of the simple binding. Note that this changes
+# ldap_version automatically to be 3 if it's lower.
+#sasl_bind = no
+# SASL mechanism name to use.
+#sasl_mech =
+# SASL realm to use.
+#sasl_realm =
+# SASL authorization ID, ie. the dnpass is for this "master user", but the
+# dn is still the logged in user. Normally you want to keep this empty.
+#sasl_authz_id =
+
+# Use TLS to connect to the LDAP server.
+#tls = no
+# TLS options, currently supported only with OpenLDAP:
+#tls_ca_cert_file =
+#tls_ca_cert_dir =
+#tls_cipher_suite =
+# TLS cert/key is used only if LDAP server requires a client certificate.
+#tls_cert_file =
+#tls_key_file =
+# Valid values: never, hard, demand, allow, try
+#tls_require_cert =
+#>GNUNUX
+tls_cert_file = %%ldap_cert_file
+tls_key_file = %%ldap_key_file
+tls_ca_cert_file = %%ldap_ca_file
+tls_require_cert = hard
+#>GNUNUX
+
+# Use the given ldaprc path.
+#ldaprc_path =
+
+# LDAP library debug level as specified by LDAP_DEBUG_* in ldap_log.h.
+# -1 = everything. You may need to recompile OpenLDAP with debugging enabled
+# to get enough output.
+#debug_level = 0
+
+# Use authentication binding for verifying password's validity. This works by
+# logging into LDAP server using the username and password given by client.
+# The pass_filter is used to find the DN for the user. Note that the pass_attrs
+# is still used, only the password field is ignored in it. Before doing any
+# search, the binding is switched back to the default DN.
+#auth_bind = no
+
+# If authentication binding is used, you can save one LDAP request per login
+# if users' DN can be specified with a common template. The template can use
+# the standard %variables (see user_filter). Note that you can't
+# use any pass_attrs if you use this setting.
+#
+# If you use this setting, it's a good idea to use a different
+# dovecot-ldap.conf.ext for userdb (it can even be a symlink, just as long as
+# the filename is different in userdb's args). That way one connection is used
+# only for LDAP binds and another connection is used for user lookups.
+# Otherwise the binding is changed to the default DN before each user lookup.
+#
+# For example:
+#   auth_bind_userdn = cn=%u,ou=people,o=org
+#
+#auth_bind_userdn =
+#>GNUNUX
+auth_bind = yes
+auth_bind_userdn = cn=%u,ou=users,%%ldap_base_dn
+#<GNUNUX
+
+# LDAP protocol version to use. Likely 2 or 3.
+#ldap_version = 3
+
+# LDAP base. %variables can be used here.
+# For example: dc=mail, dc=example, dc=org
+# GNUNUX base =
+base = ou=users,%%ldap_base_dn
+
+# Dereference: never, searching, finding, always
+#deref = never
+
+# Search scope: base, onelevel, subtree
+#scope = subtree
+
+# User attributes are given in LDAP-name=dovecot-internal-name list. The
+# internal names are:
+#   uid - System UID
+#   gid - System GID
+#   home - Home directory
+#   mail - Mail location
+#
+# There are also other special fields which can be returned, see
+# http://wiki2.dovecot.org/UserDatabase/ExtraFields
+#user_attrs = homeDirectory=home,uidNumber=uid,gidNumber=gid
+
+# Filter for user lookup. Some variables can be used (see
+# http://wiki2.dovecot.org/Variables for full list):
+#   %u - username
+#   %n - user part in user@domain, same as %u if there's no domain
+#   %d - domain part in user@domain, empty if user there's no domain
+#user_filter = (&(objectClass=posixAccount)(uid=%u))
+#>GNUNUX
+user_filter = (&(objectClass=inetOrgPerson)(cn=%u))
+#<GNUNUX
+
+# Password checking attributes:
+#  user: Virtual user name (user@domain), if you wish to change the
+#        user-given username to something else
+#  password: Password, may optionally start with {type}, eg. {crypt}
+# There are also other special fields which can be returned, see
+# http://wiki2.dovecot.org/PasswordDatabase/ExtraFields
+#pass_attrs = uid=user,userPassword=password
+
+# If you wish to avoid two LDAP lookups (passdb + userdb), you can use
+# userdb prefetch instead of userdb ldap in dovecot.conf. In that case you'll
+# also have to include user_attrs in pass_attrs field prefixed with "userdb_"
+# string. For example:
+#pass_attrs = uid=user,userPassword=password,\
+#  homeDirectory=userdb_home,uidNumber=userdb_uid,gidNumber=userdb_gid
+
+# Filter for password lookups
+#pass_filter = (&(objectClass=posixAccount)(uid=%u))
+#>GNUNUX
+pass_attrs = cn=user
+pass_filter = (&(objectClass=inetOrgPerson)(cn=%u))
+#<GNUNUX
+
+# Attributes and filter to get a list of all users
+#iterate_attrs = uid=user
+#iterate_filter = (objectClass=posixAccount)
+#>GNUNUX
+iterate_attrs = cn=user
+iterate_filter = (&(objectClass=inetOrgPerson)(cn=%u))
+#<GNUNUX
+
+# Default password scheme. "{scheme}" before password overrides this.
+# List of supported schemes is in: http://wiki2.dovecot.org/Authentication
+#default_pass_scheme = CRYPT
+
+# By default all LDAP lookups are performed by the auth master process.
+# If blocking=yes, auth worker processes are used to perform the lookups.
+# Each auth worker process creates its own LDAP connection so this can
+# increase parallelism. With blocking=no the auth master process can
+# keep 8 requests pipelined for the LDAP connection, while with blocking=yes
+# each connection has a maximum of 1 request running. For small systems the
+# blocking=no is sufficient and uses less resources.
+#blocking = no
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/dovecot-oauth2.conf.ext b/seed/applicationservice/2022.03.08/dovecot/templates/dovecot-oauth2.conf.ext
new file mode 100644
index 0000000..a445d53
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/dovecot-oauth2.conf.ext
@@ -0,0 +1,92 @@
+# GNUNUX from : /usr/share/doc/dovecot/example-config/dovecot-oauth2.conf.ext
+### OAuth2 password database configuration
+
+## url for verifying token validity. Token is appended to the URL
+# tokeninfo_url = http://endpoint/oauth/tokeninfo?access_token=
+#>GNUNUX
+tokeninfo_url = https://%%oauth2_client_server_domainname/oauth2/userinfo/?access_token=
+#<GNUNUX
+
+## introspection endpoint, used to gather extra fields and other information.
+# introspection_url = http://endpoint/oauth/me
+
+## How introspection is made, valid values are
+##   auth = GET request with Bearer authentication
+##   get  = GET request with token appended to URL
+##   post = POST request with token=bearer_token as content
+##   local = perform local validation only
+# introspection_mode = auth
+
+## Force introspection even if tokeninfo contains wanted fields
+## Set this to yes if you are using active_attribute
+# force_introspection = no
+#>GNUNUX
+introspection_url = https://%%oauth2_client_server_domainname/oauth2/introspect/
+introspection_mode = post
+force_introspection = no
+#<GNUNUX
+
+## Validation key dictionary (e.g. fs:posix:prefix=/etc/dovecot/keys/)
+## Lookup key is /shared/<azp:default>/<alg>/<kid:default>
+# local_validation_key_dict =
+
+## A single wanted scope of validity (optional)
+# scope = something
+#>GNUNUX
+#scope = openid,profile,email
+#<GNUNUX
+
+## username attribute in response (default: email)
+# username_attribute = email
+#>GNUNUX
+username_attribute = email
+#<GNUNUX
+
+## username normalization format (default: %Lu)
+# username_format = %Lu
+
+## Attribute name for checking whether account is disabled (optional)
+# active_attribute =
+
+## Expected value in active_attribute (empty = require present, but anything goes)
+# active_value =
+
+## Expected issuer(s) for the token (space separated list)
+# issuers =
+
+## URL to RFC 7628 OpenID Provider Configuration Information schema
+# openid_configuration_url =
+#>GNUNUX
+openid_configuration_url = https://%%oauth2_client_server_domainname/.well-known/openid-configuration
+#<GNUNUX
+
+## Extra fields to set in passdb response (in passdb static style)
+# pass_attrs =
+
+## Timeout in milliseconds
+# timeout_msecs = 0
+
+## Enable debug logging
+# debug = no
+
+## Max parallel connections (how many simultaneous connections to open)
+# max_parallel_connections = 10
+
+## Max pipelined requests (how many requests to send per connection, requires server-side support)
+# max_pipelined_requests = 1
+
+## HTTP request raw log directory
+# rawlog_dir = /tmp/oauth2
+
+#>GNUNUX
+client_id = %%oauth2_client_id
+client_secret = %%oauth2_client_secret
+#<GNUNUX
+
+## TLS settings
+# tls_ca_cert_file = /path/to/ca-certificates.txt
+# tls_ca_cert_dir = /path/to/certs/
+# tls_cert_file = /path/to/client/cert
+# tls_key_file = /path/to/client/key
+# tls_cipher_suite = HIGH:!SSLv2
+# tls_allow_invalid_cert = FALSE
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/dovecot.crt b/seed/applicationservice/2022.03.08/dovecot/templates/dovecot.crt
new file mode 100644
index 0000000..4eae295
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/dovecot.crt
@@ -0,0 +1,5 @@
+%set %%extra_domainnames = []
+%for %%idx in %%range(1, %%number_of_interfaces)
+  %%extra_domainnames.append(%%getVar('domain_name_eth' + %%str(%%idx)))
+%end for
+%%get_certificate(%%domain_name_eth0, 'IMAPServer', extra_domainnames=%%extra_domainnames)
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/dovecot.key b/seed/applicationservice/2022.03.08/dovecot/templates/dovecot.key
new file mode 100644
index 0000000..f224c58
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/dovecot.key
@@ -0,0 +1 @@
+%%get_private_key(%%domain_name_eth0, 'IMAPServer')
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/ldapsource.cf b/seed/applicationservice/2022.03.08/dovecot/templates/ldapsource.cf
new file mode 100644
index 0000000..9184842
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/ldapsource.cf
@@ -0,0 +1,13 @@
+server_host = ldaps://%%ldap_server_address
+server_port = %%ldap_port
+tls_cert = %%ldap_cert_file
+tls_key = %%ldap_key_file
+tls_ca_cert_file = %%ldap_ca_file
+tls_require_cert = yes
+version = 3
+bind = yes
+bind_dn = %%ldapclient_remote_user
+bind_pw = %%ldapclient_remote_user_password
+search_base = ou=users,%%ldap_base_dn
+query_filter = (mail=%s)
+result_attribute = cn
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/main.cf b/seed/applicationservice/2022.03.08/dovecot/templates/main.cf
new file mode 100644
index 0000000..f078d64
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/main.cf
@@ -0,0 +1,808 @@
+# Global Postfix configuration file. This file lists only a subset
+# of all parameters. For the syntax, and for a complete parameter
+# list, see the postconf(5) manual page (command: "man 5 postconf").
+#
+# For common configuration examples, see BASIC_CONFIGURATION_README
+# and STANDARD_CONFIGURATION_README. To find these documents, use
+# the command "postconf html_directory readme_directory", or go to
+# http://www.postfix.org/BASIC_CONFIGURATION_README.html etc.
+#
+# For best results, change no more than 2-3 parameters at a time,
+# and test if Postfix still works after every change.
+
+# COMPATIBILITY
+#
+# The compatibility_level determines what default settings Postfix
+# will use for main.cf and master.cf settings. These defaults will
+# change over time.
+#
+# To avoid breaking things, Postfix will use backwards-compatible
+# default settings and log where it uses those old backwards-compatible
+# default settings, until the system administrator has determined
+# if any backwards-compatible default settings need to be made
+# permanent in main.cf or master.cf.
+#
+# When this review is complete, update the compatibility_level setting
+# below as recommended in the RELEASE_NOTES file.
+#
+# The level below is what should be used with new (not upgrade) installs.
+#
+compatibility_level = 3.6
+
+# SOFT BOUNCE
+#
+# The soft_bounce parameter provides a limited safety net for
+# testing.  When soft_bounce is enabled, mail will remain queued that
+# would otherwise bounce. This parameter disables locally-generated
+# bounces, and prevents the SMTP server from rejecting mail permanently
+# (by changing 5xx replies into 4xx replies). However, soft_bounce
+# is no cure for address rewriting mistakes or mail routing mistakes.
+#
+#soft_bounce = no
+
+# LOCAL PATHNAME INFORMATION
+#
+# The queue_directory specifies the location of the Postfix queue.
+# This is also the root directory of Postfix daemons that run chrooted.
+# See the files in examples/chroot-setup for setting up Postfix chroot
+# environments on different UNIX systems.
+#
+# GNUNUX queue_directory = /var/spool/postfix
+queue_directory = /srv/postfix/spool
+
+# The command_directory parameter specifies the location of all
+# postXXX commands.
+#
+command_directory = /usr/sbin
+
+# The daemon_directory parameter specifies the location of all Postfix
+# daemon programs (i.e. programs listed in the master.cf file). This
+# directory must be owned by root.
+#
+daemon_directory = /usr/libexec/postfix
+
+# The data_directory parameter specifies the location of Postfix-writable
+# data files (caches, random numbers). This directory must be owned
+# by the mail_owner account (see below).
+#
+# GNUNUX data_directory = /var/lib/postfix
+data_directory = /srv/postfix/data
+
+# QUEUE AND PROCESS OWNERSHIP
+#
+# The mail_owner parameter specifies the owner of the Postfix queue
+# and of most Postfix daemon processes.  Specify the name of a user
+# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS
+# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM.  In
+# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED
+# USER.
+#
+mail_owner = postfix
+
+# The default_privs parameter specifies the default rights used by
+# the local delivery agent for delivery to external file or command.
+# These rights are used in the absence of a recipient user context.
+# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
+#
+#default_privs = nobody
+
+# INTERNET HOST AND DOMAIN NAMES
+# 
+# The myhostname parameter specifies the internet hostname of this
+# mail system. The default is to use the fully-qualified domain name
+# from gethostname(). $myhostname is used as a default value for many
+# other configuration parameters.
+#
+#myhostname = host.domain.tld
+#myhostname = virtual.domain.tld
+myhostname = %%domain_name_eth0
+
+# The mydomain parameter specifies the local internet domain name.
+# The default is to use $myhostname minus the first component.
+# $mydomain is used as a default value for many other configuration
+# parameters.
+#
+#mydomain = domain.tld
+
+# SENDING MAIL
+# 
+# The myorigin parameter specifies the domain that locally-posted
+# mail appears to come from. The default is to append $myhostname,
+# which is fine for small sites.  If you run a domain with multiple
+# machines, you should (1) change this to $mydomain and (2) set up
+# a domain-wide alias database that aliases each user to
+# user@that.users.mailhost.
+#
+# For the sake of consistency between sender and recipient addresses,
+# myorigin also specifies the default domain name that is appended
+# to recipient addresses that have no @domain part.
+#
+#myorigin = $myhostname
+#myorigin = $mydomain
+myorigin = %%domain_name_eth0
+
+# RECEIVING MAIL
+
+# The inet_interfaces parameter specifies the network interface
+# addresses that this mail system receives mail on.  By default,
+# the software claims all active interfaces on the machine. The
+# parameter also controls delivery of mail to user@[ip.address].
+#
+# See also the proxy_interfaces parameter, for network addresses that
+# are forwarded to us via a proxy or network address translator.
+#
+# Note: you need to stop/start Postfix when this parameter changes.
+#
+#inet_interfaces = all
+#inet_interfaces = $myhostname
+#inet_interfaces = $myhostname, localhost
+# GNUNUX inet_interfaces = localhost
+inet_interfaces = all
+
+# Enable IPv4, and IPv6 if supported
+inet_protocols = all
+
+# The proxy_interfaces parameter specifies the network interface
+# addresses that this mail system receives mail on by way of a
+# proxy or network address translation unit. This setting extends
+# the address list specified with the inet_interfaces parameter.
+#
+# You must specify your proxy/NAT addresses when your system is a
+# backup MX host for other domains, otherwise mail delivery loops
+# will happen when the primary MX host is down.
+#
+#proxy_interfaces =
+#proxy_interfaces = 1.2.3.4
+
+# The mydestination parameter specifies the list of domains that this
+# machine considers itself the final destination for.
+#
+# These domains are routed to the delivery agent specified with the
+# local_transport parameter setting. By default, that is the UNIX
+# compatible delivery agent that lookups all recipients in /etc/passwd
+# and /etc/aliases or their equivalent.
+#
+# The default is $myhostname + localhost.$mydomain + localhost.  On
+# a mail domain gateway, you should also include $mydomain.
+#
+# Do not specify the names of virtual domains - those domains are
+# specified elsewhere (see VIRTUAL_README).
+#
+# Do not specify the names of domains that this machine is backup MX
+# host for. Specify those names via the relay_domains settings for
+# the SMTP server, or use permit_mx_backup if you are lazy (see
+# STANDARD_CONFIGURATION_README).
+#
+# The local machine is always the final destination for mail addressed
+# to user@[the.net.work.address] of an interface that the mail system
+# receives mail on (see the inet_interfaces parameter).
+#
+# Specify a list of host or domain names, /file/name or type:table
+# patterns, separated by commas and/or whitespace. A /file/name
+# pattern is replaced by its contents; a type:table is matched when
+# a name matches a lookup key (the right-hand side is ignored).
+# Continue long lines by starting the next line with whitespace.
+#
+# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
+#
+mydestination = $myhostname, localhost.$mydomain, localhost
+
+#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
+#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
+#	mail.$mydomain, www.$mydomain, ftp.$mydomain
+
+# REJECTING MAIL FOR UNKNOWN LOCAL USERS
+#
+# The local_recipient_maps parameter specifies optional lookup tables
+# with all names or addresses of users that are local with respect
+# to $mydestination, $inet_interfaces or $proxy_interfaces.
+#
+# If this parameter is defined, then the SMTP server will reject
+# mail for unknown local users. This parameter is defined by default.
+#
+# To turn off local recipient checking in the SMTP server, specify
+# local_recipient_maps = (i.e. empty).
+#
+# The default setting assumes that you use the default Postfix local
+# delivery agent for local delivery. You need to update the
+# local_recipient_maps setting if:
+#
+# - You define $mydestination domain recipients in files other than
+#   /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.
+#   For example, you define $mydestination domain recipients in    
+#   the $virtual_mailbox_maps files.
+#
+# - You redefine the local delivery agent in master.cf.
+#
+# - You redefine the "local_transport" setting in main.cf.
+#
+# - You use the "luser_relay", "mailbox_transport", or "fallback_transport"
+#   feature of the Postfix local delivery agent (see local(8)).
+#
+# Details are described in the LOCAL_RECIPIENT_README file.
+#
+# Beware: if the Postfix SMTP server runs chrooted, you probably have
+# to access the passwd file via the proxymap service, in order to
+# overcome chroot restrictions. The alternative, having a copy of
+# the system passwd file in the chroot jail is just not practical.
+#
+# The right-hand side of the lookup tables is conveniently ignored.
+# In the left-hand side, specify a bare username, an @domain.tld
+# wild-card, or specify a user@domain.tld address.
+# 
+#local_recipient_maps = unix:passwd.byname $alias_maps
+#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
+#local_recipient_maps =
+
+# The unknown_local_recipient_reject_code specifies the SMTP server
+# response code when a recipient domain matches $mydestination or
+# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty
+# and the recipient address or address local-part is not found.
+#
+# The default setting is 550 (reject mail) but it is safer to start
+# with 450 (try again later) until you are certain that your
+# local_recipient_maps settings are OK.
+#
+unknown_local_recipient_reject_code = 550
+#>GNUNUX
+unverified_recipient_reject_code = 550
+#<GNUNUX
+
+# TRUST AND RELAY CONTROL
+
+smtpd_recipient_restrictions =
+        permit_mynetworks,
+        permit_sasl_authenticated,
+        reject_unauth_destination,
+	reject_unknown_client,
+	reject_non_fqdn_helo_hostname,
+	reject_invalid_helo_hostname,
+        reject_non_fqdn_sender,
+        reject_unknown_sender_domain,
+        reject_unlisted_recipient,
+# FIXME        check_sender_access hash:/etc/postfix/sender_access,
+# FIXME        check_recipient_access hash:/etc/postfix/recv_access,
+
+
+# The mynetworks parameter specifies the list of "trusted" SMTP
+# clients that have more privileges than "strangers".
+#
+# In particular, "trusted" SMTP clients are allowed to relay mail
+# through Postfix.  See the smtpd_recipient_restrictions parameter
+# in postconf(5).
+#
+# You can specify the list of "trusted" network addresses by hand
+# or you can let Postfix do it for you (which is the default).
+#
+# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
+# clients in the same IP subnetworks as the local machine.
+# On Linux, this works correctly only with interfaces specified
+# with the "ifconfig" command.
+# 
+# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
+# clients in the same IP class A/B/C networks as the local machine.
+# Don't do this with a dialup site - it would cause Postfix to "trust"
+# your entire provider's network.  Instead, specify an explicit
+# mynetworks list by hand, as described below.
+#  
+# Specify "mynetworks_style = host" when Postfix should "trust"
+# only the local machine.
+# 
+#mynetworks_style = class
+#mynetworks_style = subnet
+#mynetworks_style = host
+
+# Alternatively, you can specify the mynetworks list by hand, in
+# which case Postfix ignores the mynetworks_style setting.
+#
+# Specify an explicit list of network/netmask patterns, where the
+# mask specifies the number of bits in the network part of a host
+# address.
+#
+# You can also specify the absolute pathname of a pattern file instead
+# of listing the patterns here. Specify type:table for table-based lookups
+# (the value on the table right-hand side is not used).
+#
+#mynetworks = 168.100.3.0/28, 127.0.0.0/8
+#mynetworks = $config_directory/mynetworks
+#mynetworks = hash:/etc/postfix/network_table
+mynetworks = 172.0.0.0/8
+
+# The relay_domains parameter restricts what destinations this system will
+# relay mail to.  See the smtpd_recipient_restrictions description in
+# postconf(5) for detailed information.
+#
+# By default, Postfix relays mail
+# - from "trusted" clients (IP address matches $mynetworks) to any destination,
+# - from "untrusted" clients to destinations that match $relay_domains or
+#   subdomains thereof, except addresses with sender-specified routing.
+# The default relay_domains value is $mydestination.
+# 
+# In addition to the above, the Postfix SMTP server by default accepts mail
+# that Postfix is final destination for:
+# - destinations that match $inet_interfaces or $proxy_interfaces,
+# - destinations that match $mydestination
+# - destinations that match $virtual_alias_domains,
+# - destinations that match $virtual_mailbox_domains.
+# These destinations do not need to be listed in $relay_domains.
+# 
+# Specify a list of hosts or domains, /file/name patterns or type:name
+# lookup tables, separated by commas and/or whitespace.  Continue
+# long lines by starting the next line with whitespace. A file name
+# is replaced by its contents; a type:name table is matched when a
+# (parent) domain appears as lookup key.
+#
+# NOTE: Postfix will not automatically forward mail for domains that
+# list this system as their primary or backup MX host. See the
+# permit_mx_backup restriction description in postconf(5).
+#
+#relay_domains = $mydestination
+
+# INTERNET OR INTRANET
+
+# The relayhost parameter specifies the default host to send mail to
+# when no entry is matched in the optional transport(5) table. When
+# no relayhost is given, mail is routed directly to the destination.
+#
+# On an intranet, specify the organizational domain name. If your
+# internal DNS uses no MX records, specify the name of the intranet
+# gateway host instead.
+#
+# In the case of SMTP, specify a domain, host, host:port, [host]:port,
+# [address] or [address]:port; the form [host] turns off MX lookups.
+#
+# If you're connected via UUCP, see also the default_transport parameter.
+#
+#relayhost = $mydomain
+#relayhost = [gateway.my.domain]
+#relayhost = [mailserver.isp.tld]
+#relayhost = uucphost
+#relayhost = [an.ip.add.ress]
+#>GNUNUX
+relayhost = %%smtp_relay_address
+smtp_sasl_auth_enable = yes
+smtp_sasl_password_maps = hash:/etc/postfix/relay_passwd
+smtp_sasl_security_options = noanonymous
+#<GNUNUX
+
+# REJECTING UNKNOWN RELAY USERS
+#
+# The relay_recipient_maps parameter specifies optional lookup tables
+# with all addresses in the domains that match $relay_domains.
+#
+# If this parameter is defined, then the SMTP server will reject
+# mail for unknown relay users. This feature is off by default.
+#
+# The right-hand side of the lookup tables is conveniently ignored.
+# In the left-hand side, specify an @domain.tld wild-card, or specify
+# a user@domain.tld address.
+# 
+#relay_recipient_maps = hash:/etc/postfix/relay_recipients
+
+# INPUT RATE CONTROL
+#
+# The in_flow_delay configuration parameter implements mail input
+# flow control. This feature is turned on by default, although it
+# still needs further development (it's disabled on SCO UNIX due
+# to an SCO bug).
+# 
+# A Postfix process will pause for $in_flow_delay seconds before
+# accepting a new message, when the message arrival rate exceeds the
+# message delivery rate. With the default 100 SMTP server process
+# limit, this limits the mail inflow to 100 messages a second more
+# than the number of messages delivered per second.
+# 
+# Specify 0 to disable the feature. Valid delays are 0..10.
+# 
+#in_flow_delay = 1s
+
+# ADDRESS REWRITING
+#
+# The ADDRESS_REWRITING_README document gives information about
+# address masquerading or other forms of address rewriting including
+# username->Firstname.Lastname mapping.
+
+# ADDRESS REDIRECTION (VIRTUAL DOMAIN)
+#
+# The VIRTUAL_README document gives information about the many forms
+# of domain hosting that Postfix supports.
+
+# "USER HAS MOVED" BOUNCE MESSAGES
+#
+# See the discussion in the ADDRESS_REWRITING_README document.
+
+# TRANSPORT MAP
+#
+# See the discussion in the ADDRESS_REWRITING_README document.
+
+# ALIAS DATABASE
+#
+# The alias_maps parameter specifies the list of alias databases used
+# by the local delivery agent. The default list is system dependent.
+#
+# On systems with NIS, the default is to search the local alias
+# database, then the NIS alias database. See aliases(5) for syntax
+# details.
+# 
+# If you change the alias database, run "postalias /etc/aliases" (or
+# wherever your system stores the mail alias file), or simply run
+# "newaliases" to build the necessary DBM or DB file.
+#
+# It will take a minute or so before changes become visible.  Use
+# "postfix reload" to eliminate the delay.
+#
+#alias_maps = dbm:/etc/aliases
+alias_maps = hash:/etc/aliases
+#alias_maps = hash:/etc/aliases, nis:mail.aliases
+#alias_maps = netinfo:/aliases
+
+# The alias_database parameter specifies the alias database(s) that
+# are built with "newaliases" or "sendmail -bi".  This is a separate
+# configuration parameter, because alias_maps (see above) may specify
+# tables that are not necessarily all under control by Postfix.
+#
+#alias_database = dbm:/etc/aliases
+#alias_database = dbm:/etc/mail/aliases
+alias_database = hash:/etc/aliases
+#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases
+
+# ADDRESS EXTENSIONS (e.g., user+foo)
+#
+# The recipient_delimiter parameter specifies the separator between
+# user names and address extensions (user+foo). See canonical(5),
+# local(8), relocated(5) and virtual(5) for the effects this has on
+# aliases, canonical, virtual, relocated and .forward file lookups.
+# Basically, the software tries user+foo and .forward+foo before
+# trying user and .forward.
+#
+#recipient_delimiter = +
+#>GNUNUX
+recipient_delimiter = +
+#<GNUNUX
+
+# DELIVERY TO MAILBOX
+#
+# The home_mailbox parameter specifies the optional pathname of a
+# mailbox file relative to a user's home directory. The default
+# mailbox file is /var/spool/mail/user or /var/mail/user.  Specify
+# "Maildir/" for qmail-style delivery (the / is required).
+#
+#home_mailbox = Mailbox
+#home_mailbox = Maildir/
+ 
+# The mail_spool_directory parameter specifies the directory where
+# UNIX-style mailboxes are kept. The default setting depends on the
+# system type.
+#
+#mail_spool_directory = /var/mail
+#mail_spool_directory = /var/spool/mail
+
+# The mailbox_command parameter specifies the optional external
+# command to use instead of mailbox delivery. The command is run as
+# the recipient with proper HOME, SHELL and LOGNAME environment settings.
+# Exception:  delivery for root is done as $default_user.
+#
+# Other environment variables of interest: USER (recipient username),
+# EXTENSION (address extension), DOMAIN (domain part of address),
+# and LOCAL (the address localpart).
+#
+# Unlike other Postfix configuration parameters, the mailbox_command
+# parameter is not subjected to $parameter substitutions. This is to
+# make it easier to specify shell syntax (see example below).
+#
+# Avoid shell meta characters because they will force Postfix to run
+# an expensive shell process. Procmail alone is expensive enough.
+#
+# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
+# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
+#
+#mailbox_command = /some/where/procmail
+#mailbox_command = /some/where/procmail -a "$EXTENSION"
+
+# The mailbox_transport specifies the optional transport in master.cf
+# to use after processing aliases and .forward files. This parameter
+# has precedence over the mailbox_command, fallback_transport and
+# luser_relay parameters.
+#
+# Specify a string of the form transport:nexthop, where transport is
+# the name of a mail delivery transport defined in master.cf.  The
+# :nexthop part is optional. For more details see the sample transport
+# configuration file.
+#
+# NOTE: if you use this feature for accounts not in the UNIX password
+# file, then you must update the "local_recipient_maps" setting in
+# the main.cf file, otherwise the SMTP server will reject mail for    
+# non-UNIX accounts with "User unknown in local recipient table".
+#
+# Cyrus IMAP over LMTP. Specify ``lmtpunix      cmd="lmtpd"
+# listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf.
+#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
+
+# If using the cyrus-imapd IMAP server deliver local mail to the IMAP
+# server using LMTP (Local Mail Transport Protocol), this is prefered
+# over the older cyrus deliver program by setting the
+# mailbox_transport as below:
+#
+# mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
+#
+# The efficiency of LMTP delivery for cyrus-imapd can be enhanced via
+# these settings.
+#
+# local_destination_recipient_limit = 300
+# local_destination_concurrency_limit = 5
+#
+# Of course you should adjust these settings as appropriate for the
+# capacity of the hardware you are using. The recipient limit setting
+# can be used to take advantage of the single instance message store
+# capability of Cyrus. The concurrency limit can be used to control
+# how many simultaneous LMTP sessions will be permitted to the Cyrus
+# message store.
+#
+# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and
+# subsequent line in master.cf.
+#mailbox_transport = cyrus
+
+# The fallback_transport specifies the optional transport in master.cf
+# to use for recipients that are not found in the UNIX passwd database.
+# This parameter has precedence over the luser_relay parameter.
+#
+# Specify a string of the form transport:nexthop, where transport is
+# the name of a mail delivery transport defined in master.cf.  The
+# :nexthop part is optional. For more details see the sample transport
+# configuration file.
+#
+# NOTE: if you use this feature for accounts not in the UNIX password
+# file, then you must update the "local_recipient_maps" setting in
+# the main.cf file, otherwise the SMTP server will reject mail for    
+# non-UNIX accounts with "User unknown in local recipient table".
+#
+#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
+#fallback_transport =
+
+# The luser_relay parameter specifies an optional destination address
+# for unknown recipients.  By default, mail for unknown@$mydestination,
+# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned
+# as undeliverable.
+#
+# The following expansions are done on luser_relay: $user (recipient
+# username), $shell (recipient shell), $home (recipient home directory),
+# $recipient (full recipient address), $extension (recipient address
+# extension), $domain (recipient domain), $local (entire recipient
+# localpart), $recipient_delimiter. Specify ${name?value} or
+# ${name:value} to expand value only when $name does (does not) exist.
+#
+# luser_relay works only for the default Postfix local delivery agent.
+#
+# NOTE: if you use this feature for accounts not in the UNIX password
+# file, then you must specify "local_recipient_maps =" (i.e. empty) in
+# the main.cf file, otherwise the SMTP server will reject mail for    
+# non-UNIX accounts with "User unknown in local recipient table".
+#
+#luser_relay = $user@other.host
+#luser_relay = $local@other.host
+#luser_relay = admin+$local
+  
+# JUNK MAIL CONTROLS
+# 
+# The controls listed here are only a very small subset. The file
+# SMTPD_ACCESS_README provides an overview.
+
+# The header_checks parameter specifies an optional table with patterns
+# that each logical message header is matched against, including
+# headers that span multiple physical lines.
+#
+# By default, these patterns also apply to MIME headers and to the
+# headers of attached messages. With older Postfix versions, MIME and
+# attached message headers were treated as body text.
+#
+# For details, see "man header_checks".
+#
+#header_checks = regexp:/etc/postfix/header_checks
+
+# FAST ETRN SERVICE
+#
+# Postfix maintains per-destination logfiles with information about
+# deferred mail, so that mail can be flushed quickly with the SMTP
+# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld".
+# See the ETRN_README document for a detailed description.
+# 
+# The fast_flush_domains parameter controls what destinations are
+# eligible for this service. By default, they are all domains that
+# this server is willing to relay mail to.
+# 
+#fast_flush_domains = $relay_domains
+
+# SHOW SOFTWARE VERSION OR NOT
+#
+# The smtpd_banner parameter specifies the text that follows the 220
+# code in the SMTP server's greeting banner. Some people like to see
+# the mail version advertised. By default, Postfix shows no version.
+#
+# You MUST specify $myhostname at the start of the text. That is an
+# RFC requirement. Postfix itself does not care.
+#
+#smtpd_banner = $myhostname ESMTP $mail_name
+#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
+
+# PARALLEL DELIVERY TO THE SAME DESTINATION
+#
+# How many parallel deliveries to the same user or domain? With local
+# delivery, it does not make sense to do massively parallel delivery
+# to the same user, because mailbox updates must happen sequentially,
+# and expensive pipelines in .forward files can cause disasters when
+# too many are run at the same time. With SMTP deliveries, 10
+# simultaneous connections to the same domain could be sufficient to
+# raise eyebrows.
+# 
+# Each message delivery transport has its XXX_destination_concurrency_limit
+# parameter.  The default is $default_destination_concurrency_limit for
+# most delivery transports. For the local delivery agent the default is 2.
+
+#local_destination_concurrency_limit = 2
+#default_destination_concurrency_limit = 20
+
+# DEBUGGING CONTROL
+#
+# The debug_peer_level parameter specifies the increment in verbose
+# logging level when an SMTP client or server host name or address
+# matches a pattern in the debug_peer_list parameter.
+#
+debug_peer_level = 2
+
+# The debug_peer_list parameter specifies an optional list of domain
+# or network patterns, /file/name patterns or type:name tables. When
+# an SMTP client or server host name or address matches a pattern,
+# increase the verbose logging level by the amount specified in the
+# debug_peer_level parameter.
+#
+#debug_peer_list = 127.0.0.1
+#debug_peer_list = some.domain
+
+# The debugger_command specifies the external command that is executed
+# when a Postfix daemon program is run with the -D option.
+#
+# Use "command .. & sleep 5" so that the debugger can attach before
+# the process marches on. If you use an X-based debugger, be sure to
+# set up your XAUTHORITY environment variable before starting Postfix.
+#
+debugger_command =
+	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
+	 ddd $daemon_directory/$process_name $process_id & sleep 5
+
+# If you can't use X, use this to capture the call stack when a
+# daemon crashes. The result is in a file in the configuration
+# directory, and is named after the process name and the process ID.
+#
+# debugger_command =
+#	PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
+#	echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
+#	>$config_directory/$process_name.$process_id.log & sleep 5
+#
+# Another possibility is to run gdb under a detached screen session.
+# To attach to the screen session, su root and run "screen -r
+# <id_string>" where <id_string> uniquely matches one of the detached
+# sessions (from "screen -list").
+#
+# debugger_command =
+#	PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen
+#	-dmS $process_name gdb $daemon_directory/$process_name
+#	$process_id & sleep 1
+
+# INSTALL-TIME CONFIGURATION INFORMATION
+#
+# The following parameters are used when installing a new Postfix version.
+# 
+# sendmail_path: The full pathname of the Postfix sendmail command.
+# This is the Sendmail-compatible mail posting interface.
+# 
+sendmail_path = /usr/sbin/sendmail.postfix
+
+# newaliases_path: The full pathname of the Postfix newaliases command.
+# This is the Sendmail-compatible command to build alias databases.
+#
+newaliases_path = /usr/bin/newaliases.postfix
+
+# mailq_path: The full pathname of the Postfix mailq command.  This
+# is the Sendmail-compatible mail queue listing command.
+# 
+mailq_path = /usr/bin/mailq.postfix
+
+# setgid_group: The group for mail submission and queue management
+# commands.  This must be a group name with a numerical group ID that
+# is not shared with other accounts, not even with the Postfix account.
+#
+setgid_group = postdrop
+
+# html_directory: The location of the Postfix HTML documentation.
+#
+html_directory = no
+
+# manpage_directory: The location of the Postfix on-line manual pages.
+#
+manpage_directory = /usr/share/man
+
+# sample_directory: The location of the Postfix sample configuration files.
+# This parameter is obsolete as of Postfix 2.1.
+#
+sample_directory = /usr/share/doc/postfix/samples
+
+# readme_directory: The location of the Postfix README files.
+#
+readme_directory = /usr/share/doc/postfix/README_FILES
+
+# TLS CONFIGURATION
+#
+# Basic Postfix TLS configuration by default with self-signed certificate
+# for inbound SMTP and also opportunistic TLS for outbound SMTP.
+
+# The full pathname of a file with the Postfix SMTP server RSA certificate
+# in PEM format. Intermediate certificates should be included in general,
+# the server certificate first, then the issuing CA(s) (bottom-up order).
+#
+smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.crt
+
+# The full pathname of a file with the Postfix SMTP server RSA private key
+# in PEM format. The private key must be accessible without a pass-phrase,
+# i.e. it must not be encrypted.
+#
+smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
+
+smtpd_tls_CApath = /etc/pki/tls/certs
+smtpd_tls_CAfile = /etc/pki/ca-trust/source/anchors/ca_MailServer.crt
+# Announce STARTTLS support to remote SMTP clients, but do not require that
+# clients use TLS encryption (opportunistic TLS inbound).
+#
+smtpd_tls_security_level = may
+
+# Directory with PEM format Certification Authority certificates that the
+# Postfix SMTP client uses to verify a remote SMTP server certificate.
+#
+smtp_tls_CApath = /etc/pki/tls/certs
+
+# The full pathname of a file containing CA certificates of root CAs
+# trusted to sign either remote SMTP server certificates or intermediate CA
+# certificates.
+#
+smtp_tls_CAfile = /etc/pki/ca-trust/source/anchors/ca_MailServer.crt
+
+# Use TLS if this is supported by the remote SMTP server, otherwise use
+# plaintext (opportunistic TLS outbound).
+#
+smtp_tls_security_level = may
+meta_directory = /etc/postfix
+shlib_directory = /usr/lib64/postfix
+
+#>GNUNUX
+smtpd_helo_required = yes
+disable_vrfy_command = yes
+strict_rfc821_envelopes = yes
+
+smtpd_use_tls = yes
+mailbox_size_limit = 0
+message_size_limit = 202400000
+biff = no
+#virtual_maps = ldap:/etc/postfix/ldapsource.cf
+smtpd_tls_loglevel = 1
+smtp_tls_note_starttls_offer = yes
+smtpd_tls_auth_only = yes
+smtpd_tls_received_header = yes
+tls_random_source = dev:/dev/urandom
+
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_security_options = noanonymous
+smtpd_sasl_local_domain =
+smtpd_sasl_type = dovecot
+smtpd_sasl_path = /srv/dovecot/auth
+broken_sasl_auth_clients = yes
+
+dovecot_destination_recipient_limit = 1
+virtual_mailbox_domains = %echo ', '.join(%%postfix_my_domains)
+virtual_mailbox_maps = ldap:/etc/postfix/ldapsource.cf
+virtual_alias_maps = ldap:/etc/postfix/ldapsource.cf
+virtual_minimum_uid = 1000
+#vmail uid
+virtual_uid_maps = static:999
+virtual_gid_maps = static:999
+virtual_transport = dovecot
+virtual_mailbox_base = /srv/mail
+#<GNUNUX
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/master.cf b/seed/applicationservice/2022.03.08/dovecot/templates/master.cf
new file mode 100644
index 0000000..b16eaae
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/master.cf
@@ -0,0 +1,146 @@
+#
+# Postfix master process configuration file.  For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (no)    (never) (100)
+# ==========================================================================
+smtp      inet  n       -       n       -       -       smtpd
+#smtp      inet  n       -       n       -       1       postscreen
+#smtpd     pass  -       -       n       -       -       smtpd
+#dnsblog   unix  -       -       n       -       0       dnsblog
+#tlsproxy  unix  -       -       n       -       0       tlsproxy
+# Choose one: enable submission for loopback clients only, or for any client.
+#127.0.0.1:submission inet n -   n       -       -       smtpd
+#>GNUNUX
+submission inet n       -       n       -       -       smtpd
+#<GNUNUX
+#  -o syslog_name=postfix/submission
+#  -o smtpd_tls_security_level=encrypt
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_tls_auth_only=yes
+#  -o smtpd_reject_unlisted_recipient=no
+#  -o smtpd_client_restrictions=$mua_client_restrictions
+#  -o smtpd_helo_restrictions=$mua_helo_restrictions
+#  -o smtpd_sender_restrictions=$mua_sender_restrictions
+#  -o smtpd_recipient_restrictions=
+#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+# Choose one: enable smtps for loopback clients only, or for any client.
+#127.0.0.1:smtps inet n  -       n       -       -       smtpd
+#smtps     inet  n       -       n       -       -       smtpd
+#>GNUNUX
+smtps     inet  n       -       n       -       -       smtpd
+#<GNUNUX
+#  -o syslog_name=postfix/smtps
+#  -o smtpd_tls_wrappermode=yes
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_reject_unlisted_recipient=no
+#  -o smtpd_client_restrictions=$mua_client_restrictions
+#  -o smtpd_helo_restrictions=$mua_helo_restrictions
+#  -o smtpd_sender_restrictions=$mua_sender_restrictions
+#  -o smtpd_recipient_restrictions=
+#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+#628       inet  n       -       n       -       -       qmqpd
+pickup    unix  n       -       n       60      1       pickup
+cleanup   unix  n       -       n       -       0       cleanup
+qmgr      unix  n       -       n       300     1       qmgr
+#qmgr     unix  n       -       n       300     1       oqmgr
+tlsmgr    unix  -       -       n       1000?   1       tlsmgr
+rewrite   unix  -       -       n       -       -       trivial-rewrite
+bounce    unix  -       -       n       -       0       bounce
+defer     unix  -       -       n       -       0       bounce
+trace     unix  -       -       n       -       0       bounce
+verify    unix  -       -       n       -       1       verify
+flush     unix  n       -       n       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       n       -       -       smtp
+relay     unix  -       -       n       -       -       smtp
+        -o syslog_name=postfix/$service_name
+#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq     unix  n       -       n       -       -       showq
+error     unix  -       -       n       -       -       error
+retry     unix  -       -       n       -       -       error
+discard   unix  -       -       n       -       -       discard
+local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       n       -       -       lmtp
+anvil     unix  -       -       n       -       1       anvil
+scache    unix  -       -       n       -       1       scache
+postlog   unix-dgram n  -       n       -       1       postlogd
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent.  See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+#maildrop  unix  -       n       n       -       -       pipe
+#  flags=DRXhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+#  mailbox_transport = lmtp:inet:localhost
+#  virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus     unix  -       n       n       -       -       pipe
+#  flags=DRX user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+#
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix  -       n       n       -       -       pipe
+#  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+#uucp      unix  -       n       n       -       -       pipe
+#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# ====================================================================
+#
+# Other external delivery methods.
+#
+#ifmail    unix  -       n       n       -       -       pipe
+#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+#
+#bsmtp     unix  -       n       n       -       -       pipe
+#  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
+#
+#scalemail-backend unix -       n       n       -       2       pipe
+#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
+#  ${nexthop} ${user} ${extension}
+#
+#mailman   unix  -       n       n       -       -       pipe
+#  flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+#  ${nexthop} ${user}
+#>GNUNUX
+dovecot   unix  -       n       n	       -       -       pipe
+  flags=DRhu user=vmail:vmail argv=/usr/libexec/dovecot/deliver -f ${sender} -d ${recipient}
+#>GNUNUX
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/postfix.crt b/seed/applicationservice/2022.03.08/dovecot/templates/postfix.crt
new file mode 100644
index 0000000..d247a0a
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/postfix.crt
@@ -0,0 +1,5 @@
+%set %%extra_domainnames = []
+%for %%idx in %%range(1, %%number_of_interfaces)
+  %%extra_domainnames.append(%%getVar('domain_name_eth' + %%str(%%idx)))
+%end for
+%%get_certificate(%%domain_name_eth0, "MailServer", extra_domainnames=%%extra_domainnames)
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/postfix.key b/seed/applicationservice/2022.03.08/dovecot/templates/postfix.key
new file mode 100644
index 0000000..4febac3
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/postfix.key
@@ -0,0 +1 @@
+%%get_private_key(%%domain_name_eth0, 'MailServer')
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/postfix.service b/seed/applicationservice/2022.03.08/dovecot/templates/postfix.service
new file mode 100644
index 0000000..0144b44
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/postfix.service
@@ -0,0 +1,3 @@
+[Service]
+ExecStartPre=/usr/sbin/postmap /etc/postfix/relay_passwd
+PIDFile=/srv/postfix/spool/pid/master.pid
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/relay_passwd b/seed/applicationservice/2022.03.08/dovecot/templates/relay_passwd
new file mode 100644
index 0000000..b9d81ca
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/relay_passwd
@@ -0,0 +1,2 @@
+%%smtp_relay_address	%%smtp_relay_user@%%ip_eth0:%%smtp_relay_password
+
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/risotto_users b/seed/applicationservice/2022.03.08/dovecot/templates/risotto_users
new file mode 100644
index 0000000..c7202a8
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/risotto_users
@@ -0,0 +1,6 @@
+%for %%local in %%dovecot_local_authentifications
+  %set %%user = %%normalize_family(%%local)
+  %set %%password = %%getVar('local_authentification_password_' + %%user)
+  %set %%ip = %%getVar('local_authentification_ip_' + %%user)
+%%user:{SHA512-CRYPT}%%sha512_crypt(%%password)::::::allow_nets=%%ip
+%end for
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/sysuser-dovecot.conf b/seed/applicationservice/2022.03.08/dovecot/templates/sysuser-dovecot.conf
new file mode 100644
index 0000000..a334d8e
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/sysuser-dovecot.conf
@@ -0,0 +1,6 @@
+g dovecot 97 -
+g dovenull 982 -
+g vmail 999 -
+u dovecot 97:97     "Dovecot IMAP server" /usr/libexec/dovecot	/sbin/nologin
+u dovenull 984:982     "Dovecot's unauthorized user" /usr/libexec/dovecot	/sbin/nologin
+u vmail 999:999     "Virtual mail user" /srv/mail	/sbin/nologin
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/sysuser-postfix.conf b/seed/applicationservice/2022.03.08/dovecot/templates/sysuser-postfix.conf
new file mode 100644
index 0000000..bfd0af9
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/sysuser-postfix.conf
@@ -0,0 +1,8 @@
+g mail 12 -
+g postfix 89 -
+g postdrop 90 -
+u mail 8:12	"mail" /var/spool/mail	/sbin/nologin
+u postfix 89:89     "Postfix" /srv/postfix/spool	/sbin/nologin
+# useful?
+m     postfix  mail
+m     postfix  opendkim
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/tmpfile-dovecot.conf b/seed/applicationservice/2022.03.08/dovecot/templates/tmpfile-dovecot.conf
new file mode 100644
index 0000000..a0776cc
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/tmpfile-dovecot.conf
@@ -0,0 +1 @@
+d /srv/dovecot 750 dovecot postfix - -
diff --git a/seed/applicationservice/2022.03.08/dovecot/templates/tmpfile-postfix.conf b/seed/applicationservice/2022.03.08/dovecot/templates/tmpfile-postfix.conf
new file mode 100644
index 0000000..98e5358
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/dovecot/templates/tmpfile-postfix.conf
@@ -0,0 +1,5 @@
+d /srv/postfix 750 postfix postfix - -
+d /srv/postfix/data 750 postfix postfix - -
+d /srv/postfix/spool 755 root root - -
+d /srv/mail 770 root vmail - -
+d /var/lib/misc/ 755 root root - -
diff --git a/seed/applicationservice/2022.03.08/gitea/DEBUG.md b/seed/applicationservice/2022.03.08/gitea/DEBUG.md
new file mode 100644
index 0000000..ca0ce10
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/gitea/DEBUG.md
@@ -0,0 +1,7 @@
+Créer un utilisateur
+=====================
+
+su - gitea -s /bin/bash -c "gitea admin user create --username gnunux --password Njw_csh7DeeZtWDxC6WVXDdB-9A --email gnunux@gnunux.info --admin -c /etc/gitea/app.ini"
+
+
+
diff --git a/seed/applicationservice/2022.03.08/gitea/applicationservice.yml b/seed/applicationservice/2022.03.08/gitea/applicationservice.yml
new file mode 100644
index 0000000..03b4102
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/gitea/applicationservice.yml
@@ -0,0 +1,9 @@
+format: '0.1'
+description: Gitea
+depends:
+  - base-fedora-35
+  - postgresql-client
+  - reverse-proxy-client
+  - relay-mail-client
+  - redis-client
+  - oauth2-client
diff --git a/seed/applicationservice/2022.03.08/gitea/dictionaries/31_gitea.xml b/seed/applicationservice/2022.03.08/gitea/dictionaries/31_gitea.xml
new file mode 100644
index 0000000..a1b096c
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/gitea/dictionaries/31_gitea.xml
@@ -0,0 +1,105 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name="gitea" target="multi-user" engine="creole">
+      <file engine="none" source="sysuser-gitea.conf">/sysusers.d/0gitea.conf</file>
+      <file engine="none" source="tmpfile-gitea.conf">/tmpfiles.d/0gitea.conf</file>
+      <file>/etc/gitea/app.ini</file>
+    </service>
+  </services>
+  <variables>
+    <variable name="external_ports" redefine="True">
+      <value>2222</value>
+    </variable>
+    <family name="gitea" description="Gitea" help="Git forge Gitea">
+      <variable name="gitea_title" mandatory="True" description="Titre de la forge"/>
+      <variable name="gitea_mail_sender" type="mail" description="Les courriels sont envoyés à partir de cet adresse" mandatory="True"/>
+      <variable name="gitea_secret_key" type="password" hidden="True"/>
+      <variable name="gitea_internal_token" type="password" hidden="True"/>
+      <variable name="gitea_lfs_jwt_secret" type="password" hidden="True"/>
+    </family>
+    <family name="nginx">
+      <variable name="revprox_client_location" redefine="True">
+        <value>/gitea/</value>
+      </variable>
+      <variable name="revprox_client_local_location" redefine="True">
+        <value>/</value>
+      </variable>
+      <variable name="revprox_client_port" redefine="True">
+        <value>3000</value>
+      </variable>
+      <variable name="revprox_client_cert_owner" redefine="True">
+        <value>gitea</value>
+      </variable>
+      <variable name="revprox_client_cert_group" redefine="True">
+        <value>gitea</value>
+      </variable>
+    </family>
+    <family name="oauth2_client">
+      <variable name="oauth2_is_client_application" redefine='True'>
+        <value>True</value>
+      </variable>
+      <variable name="oauth2_client_name" redefine='True'>
+        <value>Forge</value>
+      </variable>
+      <variable name="oauth2_client_description" redefine='True'>
+        <value>Forge logiciel Gitea</value>
+      </variable>
+      <variable name="oauth2_client_token_signature_algo" redefine="True">
+        <value>RS256</value>
+      </variable>
+      <variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="calc_value">
+      <param>Gitea: Git with a cup of tea for</param>
+      <param type="variable">revprox_client_external_domainname</param>
+      <param name="join" type="space"/>
+      <target>gitea_title</target>
+    </fill>
+    <fill name="get_password">
+      <param name="server_name" type="variable">domain_name_eth0</param>
+      <param name="username">secret_key</param>
+      <param name="description">gitea</param>
+      <param name="type">cleartext</param>
+      <param name="length" type="number">105</param>
+      <target>gitea_secret_key</target>
+    </fill>
+    <fill name="get_password">
+      <param name="server_name" type="variable">domain_name_eth0</param>
+      <param name="username">internal_token</param>
+      <param name="description">gitea</param>
+      <param name="type">cleartext</param>
+      <param name="length" type="number">105</param>
+      <target>gitea_internal_token</target>
+    </fill>
+    <fill name="get_password">
+      <param name="server_name" type="variable">domain_name_eth0</param>
+      <param name="username">lfs_jwt_secret</param>
+      <param name="description">gitea</param>
+      <param name="type">cleartext</param>
+      <param name="length" type="number">43</param>
+      <target>gitea_lfs_jwt_secret</target>
+    </fill>
+    <fill name="calc_value">
+      <param>https://</param>
+      <param type="variable" optional="True">revprox_client_external_domainname</param>
+      <param type="variable" optional="True">revprox_client_location</param>
+      <param>user/oauth2/</param>
+      <param type="variable">domain_name_eth0</param>
+      <param>/callback</param>
+      <param name="join"></param>
+      <target>oauth2_client_login</target>
+    </fill>
+    <fill name="calc_value">
+      <param>https://</param>
+      <param type="variable">revprox_client_external_domainname</param>
+      <param type="variable">revprox_client_location</param>
+      <param>user/oauth2/</param>
+      <param type="variable">domain_name_eth0</param>
+      <param name="join"></param>
+      <target>oauth2_client_external</target>
+    </fill>
+  </constraints>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/gitea/manual/image/postinstall/gitea.sh b/seed/applicationservice/2022.03.08/gitea/manual/image/postinstall/gitea.sh
new file mode 100644
index 0000000..5a10d1a
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/gitea/manual/image/postinstall/gitea.sh
@@ -0,0 +1,24 @@
+#!/bin/bash
+
+set -ex
+
+gpg --keyserver keys.openpgp.org --recv 7C9E68152594688862D62AF62D9AE806EC1592E2
+
+VERSION=$(wget https://dl.gitea.io/gitea/version.json -q -O - | jq -r '.latest.version')
+
+mkdir -p ~/gitea/
+
+if [ ! -f "~/gitea/gitea-$VERSION-linux-amd64.xz" ]; then
+    wget https://dl.gitea.io/gitea/$VERSION/gitea-$VERSION-linux-amd64.xz -O ~/gitea/gitea-$VERSION-linux-amd64.xz
+fi
+if [ ! -f "~/gitea/gitea-$VERSION-linux-amd64.xz.asc" ]; then
+    wget https://dl.gitea.io/gitea/$VERSION/gitea-$VERSION-linux-amd64.xz.asc -O ~/gitea/gitea-$VERSION-linux-amd64.xz.asc
+fi
+
+gpg --verify ~/gitea/gitea-$VERSION-linux-amd64.xz.asc ~/gitea/gitea-$VERSION-linux-amd64.xz
+
+cp -a ~/gitea/gitea-$VERSION-linux-amd64.xz .
+xz -d gitea-$VERSION-linux-amd64.xz
+mv gitea-$VERSION-linux-amd64 $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/bin/gitea
+chmod +x $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/bin/gitea
+
diff --git a/seed/applicationservice/2022.03.08/gitea/manual/image/preinstall/mailman.sh b/seed/applicationservice/2022.03.08/gitea/manual/image/preinstall/mailman.sh
new file mode 100644
index 0000000..d71aaf2
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/gitea/manual/image/preinstall/mailman.sh
@@ -0,0 +1 @@
+PKG="$PKG git openssh-server"
diff --git a/seed/applicationservice/2022.03.08/gitea/templates/app.ini b/seed/applicationservice/2022.03.08/gitea/templates/app.ini
new file mode 100644
index 0000000..def0b96
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/gitea/templates/app.ini
@@ -0,0 +1,107 @@
+# GNUNUX https://github.com/go-gitea/gitea/blob/main/custom/conf/app.example.ini
+APP_NAME = %%gitea_title
+RUN_USER = gitea
+RUN_MODE = prod
+
+[database]
+DB_TYPE  = postgres
+HOST     = %%pg_client_server_domainname:5432
+NAME     = %%pg_client_database
+USER     = %%pg_client_username
+PASSWD   = %%pg_client_password
+SCHEMA   =
+SSL_MODE = disable
+CHARSET  = utf8
+LOG_SQL  = false
+
+[repository]
+ROOT = /srv/gitea/lib/data/gitea-repositories
+DEFAULT_BRANCH = main
+
+[server]
+SSH_DOMAIN       = %%revprox_client_external_domainname
+DOMAIN           = %%revprox_client_external_domainname
+HTTP_PORT        = 3000
+ROOT_URL         = https://%%revprox_client_external_domainname/gitea/
+LOCAL_ROOT_URL   = https://%%domain_name_eth0:3000/
+DISABLE_SSH      = false
+START_SSH_SERVER = true
+SSH_LISTEN_PORT  = 2222
+SSH_PORT         = 2222
+LFS_START_SERVER = true
+LFS_CONTENT_PATH = /srv/gitea/lib/data/lfs
+LFS_JWT_SECRET   = %%gitea_lfs_jwt_secret
+OFFLINE_MODE     = true
+PROTOCOL         = https
+CERT_FILE        = %%revprox_cert_file
+KEY_FILE         = %%revprox_key_file
+
+[mailer]
+ENABLED = true
+HOST    = %%smtp_relay_address
+FROM    = %%gitea_mail_sender
+USER    = %%smtp_relay_user@%%ip_eth0
+PASSWD  = %%smtp_relay_password
+IS_TLS_ENABLED = true
+;USE_CERTIFICATE = false
+;CERT_FILE = custom/mailer/cert.pem
+;KEY_FILE = custom/mailer/key.pem
+
+[service]
+REGISTER_EMAIL_CONFIRM            = false
+ENABLE_NOTIFY_MAIL                = false
+DISABLE_REGISTRATION              = true
+ALLOW_ONLY_EXTERNAL_REGISTRATION  = false
+ENABLE_CAPTCHA                    = false
+REQUIRE_SIGNIN_VIEW               = false
+DEFAULT_KEEP_EMAIL_PRIVATE        = false
+DEFAULT_ALLOW_CREATE_ORGANIZATION = true
+DEFAULT_ENABLE_TIMETRACKING       = true
+NO_REPLY_ADDRESS                  = noreply.localhost
+
+[picture]
+DISABLE_GRAVATAR        = true
+ENABLE_FEDERATED_AVATAR = false
+
+[openid]
+ENABLE_OPENID_SIGNIN = true
+ENABLE_OPENID_SIGNUP = true
+
+[oauth2_client]
+ENABLE_AUTO_REGISTRATION = true
+
+[session]
+PROVIDER = redis
+PROVIDER_CONFIG = network=tcp,addr=%%redis_client_server_domainname:6379,password=%%redis_client_password,db=0,pool_size=100,idle_timeout=180
+
+[cache]
+;; if the cache enabled
+NABLED = true
+;;
+;; Either "memory", "redis", "memcache", or "twoqueue". default is "memory"
+ADAPTER = redis
+;;
+;; For "memory" only, GC interval in seconds, default is 60
+;INTERVAL = 60
+;;
+;; For "redis" and "memcache", connection host address
+;; redis: network=tcp,addr=:6379,password=macaron,db=0,pool_size=100,idle_timeout=180
+;; memcache: `127.0.0.1:11211`
+;; twoqueue: `{"size":50000,"recent_ratio":0.25,"ghost_ratio":0.5}` or `50000`
+HOST = network=tcp,addr=%%redis_client_server_domainname:6379,password=%%redis_client_password,db=0,pool_size=100,idle_timeout=180
+;;
+;; Time to keep items in cache if not used, default is 16 hours.
+;; Setting it to 0 disables caching
+;ITEM_TTL = 16h
+
+[log]
+MODE      = console
+LEVEL     = info
+ROOT_PATH = /srv/gitea/lib/log
+ROUTER    = console
+
+[security]
+INSTALL_LOCK       = true
+SECRET_KEY     = %%gitea_secret_key
+INTERNAL_TOKEN     = %%gitea_internal_token
+PASSWORD_HASH_ALGO = pbkdf2
diff --git a/seed/applicationservice/2022.03.08/gitea/templates/gitea.service b/seed/applicationservice/2022.03.08/gitea/templates/gitea.service
new file mode 100644
index 0000000..3100900
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/gitea/templates/gitea.service
@@ -0,0 +1,24 @@
+#ORIGIN https://raw.githubusercontent.com/go-gitea/gitea/main/contrib/systemd/gitea.service
+[Unit]
+Description=Gitea (Git with a cup of tea)
+After=network.target postgresqlclient.service
+
+[Service]
+# Modify these two values and uncomment them if you have
+# repos with lots of files and get an HTTP error 500 because
+# of that
+###
+#LimitMEMLOCK=infinity
+#LimitNOFILE=65535
+RestartSec=2s
+Type=simple
+User=gitea
+Group=gitea
+WorkingDirectory=/srv/gitea/lib/
+ExecStart=/usr/bin/gitea web --config /etc/gitea/app.ini
+ExecStartPost=-/usr/bin/timeout 90 bash -c 'while ! /usr/bin/gitea admin auth list --config /etc/gitea/app.ini | grep "OAuth2"; do echo "TRY TO CONFIGURE"; /usr/bin/gitea admin auth add-oauth --name "%%domain_name_eth0" --provider "openidConnect" --key "%%oauth2_client_id" --secret "%%oauth2_client_secret" --scopes "profile email" --auto-discover-url "https://%%oauth2_client_server_domainname/.well-known/openid-configuration" --config /etc/gitea/app.ini; sleep 2; done; echo "CONFIGURATION DONE"'
+Restart=always
+Environment=USER=gitea HOME=/srv/gitea/home GITEA_WORK_DIR=/srv/gitea/lib
+
+[Install]
+WantedBy=multi-user.target
diff --git a/seed/applicationservice/2022.03.08/gitea/templates/sysuser-gitea.conf b/seed/applicationservice/2022.03.08/gitea/templates/sysuser-gitea.conf
new file mode 100644
index 0000000..5c68947
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/gitea/templates/sysuser-gitea.conf
@@ -0,0 +1,2 @@
+g gitea 999 -
+u gitea 999:999 "Git Version Control" /srv/gitea/home  /bin/nologin
diff --git a/seed/applicationservice/2022.03.08/gitea/templates/tmpfile-gitea.conf b/seed/applicationservice/2022.03.08/gitea/templates/tmpfile-gitea.conf
new file mode 100644
index 0000000..059dc73
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/gitea/templates/tmpfile-gitea.conf
@@ -0,0 +1,4 @@
+d /srv/gitea/lib/custom 750 gitea gitea - -
+d /srv/gitea/lib/data 750 gitea gitea - -
+d /srv/gitea/lib/log 750 gitea gitea - -
+d /srv/gitea/home 750 gitea gitea - -
diff --git a/seed/applicationservice/2022.03.08/host-systemd-machined/applicationservice.yml b/seed/applicationservice/2022.03.08/host-systemd-machined/applicationservice.yml
new file mode 100644
index 0000000..d8ff0c1
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/host-systemd-machined/applicationservice.yml
@@ -0,0 +1,2 @@
+format: '0.1'
+description: Configure Systemd Machined
diff --git a/seed/applicationservice/2022.03.08/host-systemd-machined/dictionaries/21-machined.xml b/seed/applicationservice/2022.03.08/host-systemd-machined/dictionaries/21-machined.xml
new file mode 100644
index 0000000..4ea8541
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/host-systemd-machined/dictionaries/21-machined.xml
@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rougail version="0.10">
+  <services>
+    <service name="systemd-machined">
+      <file>/etc/systemd/network/80-container-vz.network</file>
+      <file file_type="variable" source="70-container.network" variable="zone_name">systemd_zone_filename</file>
+      <file file_type="variable" source="70-container.netdev" variable="zone_name">systemd_netzone_filename</file>
+    </service>
+    <service name="systemd-nspawn@">
+      <file>/tmpfiles.d/0asystemd-nspawn.conf</file>
+      <file>/etc/systemd/system/systemd-nspawn@.service.d/systemd-nspawn@.conf</file>
+      <file>/etc/distro.repos.d/boot.repo</file>
+      <file>/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-35-x86_64</file>
+      <file>/etc/sysctl.d/90-risotto.conf</file>
+      <file file_type="variable" source="dhcp.network" variable="host_dhcp_interface">host_dhcp_filename</file>
+    </service>
+  </services>
+  <variables>
+    <variable name="host_install_dir" type="filename" description="Nom du répertoire comprenant les descriptions d'installation" mandatory="True"/>
+    <variable name="host_dhcp_interface" description="Carte réseau en DHCP" multi="True"/>
+    <variable name="host_dhcp_filename" type="filename" hidden="True" multi="True"/>
+    <variable name="host_name" type="hostname" hidden="True"/>
+    <variable name="systemd_zone_filename" type="filename" hidden="True" multi="True"/>
+    <variable name="systemd_netzone_filename" type="filename" hidden="True" multi="True"/>
+    <family name="zones" leadership="True">
+      <variable name="zone_name" type="string" hidden="True" multi="True"/>
+      <variable name="zone_cidr" type="cidr" hidden="True"/>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="get_internal_zone_names">
+      <target>zone_name</target>
+    </fill>
+    <fill name="calc_value">
+      <param>/etc/systemd/network/70-container-</param>
+      <param type="variable">zone_name</param>
+      <param>.network</param>
+      <param name="join"></param>
+      <param name="multi" type="boolean">True</param>
+      <target>systemd_zone_filename</target>
+    </fill>
+    <fill name="calc_value">
+      <param>/etc/systemd/network/80-</param>
+      <param type="variable">host_dhcp_interface</param>
+      <param>.network</param>
+      <param name="join"></param>
+      <param name="multi" type="boolean">True</param>
+      <target>host_dhcp_filename</target>
+    </fill>
+    <fill name="calc_value">
+      <param>/etc/systemd/network/70-container-</param>
+      <param type="variable">zone_name</param>
+      <param>.netdev</param>
+      <param name="join"></param>
+      <param name="multi" type="boolean">True</param>
+      <target>systemd_netzone_filename</target>
+    </fill>
+    <fill name="calc_value">
+      <param type="information">server_name</param>
+      <target>host_name</target>
+    </fill>
+    <fill name="get_internal_zone_information">
+      <param type="variable">zone_name</param>
+      <param>cidr</param>
+      <target>zone_cidr</target>
+    </fill>
+  </constraints>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/host-systemd-machined/extras/machined/00-machined.xml b/seed/applicationservice/2022.03.08/host-systemd-machined/extras/machined/00-machined.xml
new file mode 100644
index 0000000..b69248f
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/host-systemd-machined/extras/machined/00-machined.xml
@@ -0,0 +1,39 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name="systemd-nspawn@">
+      <file file_type="variable" source="nspawn" variable="machined.machines">machined.nspawn_zone_filename</file>
+      <file file_type="variable" source="network-script" variable="machined.machines" mode="700">machined.nspawn_script_filename</file>
+    </service>
+  </services>
+  <variables>
+    <variable name="machines" description="Machines started in this host" type="domainname" multi="True" provider="machines"/>
+    <family name="machine_" description="Machine " dynamic="machined.machines">
+      <variable name="external_ports_" description="External ports for " hidden="True" type="port" multi="True" provider="external_ports"/>
+      <variable name="srv_dir_" description="Directory with srv volume for " hidden="True" type="filename" provider="machine_srv"/>
+      <variable name="config_dir_" description="Directory with configuration volume for " hidden="True" type="filename" provider="machine_config" mandatory="True"/>
+      <variable name="zones_" description="Zones for " hidden="True" provider="machine_zones" mandatory="True" multi="True"/>
+    </family>
+    <variable name="nspawn_zone_filename" type="filename" hidden="True" multi="True"/>
+    <variable name="nspawn_script_filename" type="filename" hidden="True" multi="True"/>
+  </variables>
+  <constraints>
+    <fill name="calc_value">
+      <param>/usr/local/lib/sbin/network-</param>
+      <param type="variable">machined.machines</param>
+      <param name="join"></param>
+      <param name="multi" type="boolean">True</param>
+      <target>machined.nspawn_script_filename</target>
+    </fill>
+    <fill name="calc_value">
+      <param>/etc/systemd/nspawn/</param>
+      <param type="variable">machined.machines</param>
+      <param>.nspawn</param>
+      <param name="join"></param>
+      <param name="multi" type="boolean">True</param>
+      <target>machined.nspawn_zone_filename</target>
+    </fill>
+  </constraints>
+</rougail>
+
+
diff --git a/seed/applicationservice/2022.03.08/host-systemd-machined/templates/0asystemd-nspawn.conf b/seed/applicationservice/2022.03.08/host-systemd-machined/templates/0asystemd-nspawn.conf
new file mode 100644
index 0000000..d4bc73a
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/host-systemd-machined/templates/0asystemd-nspawn.conf
@@ -0,0 +1,8 @@
+D /usr/local/lib/sbin/ 0755 root root - -
+D /etc/systemd/nspawn/ 0755 root root - -
+D /etc/systemd/network/ 0755 root root - -
+d /var/lib/risotto/configurations/ 0755 root root - -
+r /etc/network/interfaces -    -    -     -           -
+%for %%filename in %%machined.nspawn_script_filename
+C %%filename 0755 root root - %%host_install_dir/host/configurations/%%host_name%%filename
+%end for
diff --git a/seed/applicationservice/2022.03.08/host-systemd-machined/templates/70-container.netdev b/seed/applicationservice/2022.03.08/host-systemd-machined/templates/70-container.netdev
new file mode 100644
index 0000000..30ecb7f
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/host-systemd-machined/templates/70-container.netdev
@@ -0,0 +1,3 @@
+[NetDev]
+Name=%%rougail_variable
+Kind=bridge
diff --git a/seed/applicationservice/2022.03.08/host-systemd-machined/templates/70-container.network b/seed/applicationservice/2022.03.08/host-systemd-machined/templates/70-container.network
new file mode 100644
index 0000000..a7557d7
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/host-systemd-machined/templates/70-container.network
@@ -0,0 +1,6 @@
+[Match]
+Name=%%rougail_variable
+
+[Network]
+Address=%%zone_name[%%rougail_index].zone_cidr
+EmitLLDP=customer-bridge
diff --git a/seed/applicationservice/2022.03.08/host-systemd-machined/templates/80-container-vz.network b/seed/applicationservice/2022.03.08/host-systemd-machined/templates/80-container-vz.network
new file mode 100644
index 0000000..342f49e
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/host-systemd-machined/templates/80-container-vz.network
@@ -0,0 +1,8 @@
+[Match]
+Name=vz-*
+Driver=bridge
+
+[Network]
+LinkLocalAddressing=yes
+EmitLLDP=customer-bridge
+
diff --git a/seed/applicationservice/2022.03.08/host-systemd-machined/templates/90-risotto.conf b/seed/applicationservice/2022.03.08/host-systemd-machined/templates/90-risotto.conf
new file mode 100644
index 0000000..74ac745
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/host-systemd-machined/templates/90-risotto.conf
@@ -0,0 +1,2 @@
+net.ipv4.ip_forward = 1
+fs.inotify.max_user_instances = 1024
diff --git a/seed/applicationservice/2022.03.08/host-systemd-machined/templates/RPM-GPG-KEY-fedora-35-x86_64 b/seed/applicationservice/2022.03.08/host-systemd-machined/templates/RPM-GPG-KEY-fedora-35-x86_64
new file mode 100644
index 0000000..899affa
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/host-systemd-machined/templates/RPM-GPG-KEY-fedora-35-x86_64
@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGAcScoBEADLf8YHkezJ6adlMYw7aGGIlJalt8Jj2x/B2K+hIfIuxGtpVj7e
+LRgDU76jaT5pVD5mFMJ3pkeneR/cTmqqQkNyQshX2oQXwEzUSb1CNMCfCGgkX8Q2
+zZkrIcCrF0Q2wrKblaudhU+iVanADsm18YEqsb5AU37dtUrM3QYdWg9R+XiPfV8R
+KBjT03vVBOdMSsY39LaCn6Ip1Ovp8IEo/IeEVY1qmCOPAaK0bJH3ufg4Cueks+TS
+wQWTeCLxuZL6OMXoOPKwvMQfxbg1XD8vuZ0Ktj/cNH2xau0xmsAu9HJpekvOPRxl
+yqtjyZfroVieFypwZgvQwtnnM8/gSEu/JVTrY052mEUT7Ccb74kcHFTFfMklnkG/
+0fU4ARa504H3xj0ktbe3vKcPXoPOuKBVsHSv00UGYAyPeuy+87cU/YEhM7k3SVKj
+6eIZgyiMO0wl1YGDRKculwks9A+ulkg1oTb4s3zmZvP07GoTxW42jaK5WS+NhZee
+860XoVhbc1KpS+jfZojsrEtZ8PbUZ+YvF8RprdWArjHbJk2JpRKAxThxsQAsBhG1
+0Lux2WaMB0g2I5PcMdJ/cqjo08ccrjBXuixWri5iu9MXp8qT/fSzNmsdIgn8/qZK
+i8Qulfu77uqhW/wt2btnitgRsqjhxMujYU4Zb4hktF8hKU/XX742qhL5KwARAQAB
+tDFGZWRvcmEgKDM1KSA8ZmVkb3JhLTM1LXByaW1hcnlAZmVkb3JhcHJvamVjdC5v
+cmc+iQJOBBMBCAA4FiEEeH6mrhFH7uVsQLMM20Y5cZhnxY8FAmAcScoCGw8FCwkI
+BwIGFQoJCAsCBBYCAwECHgECF4AACgkQ20Y5cZhnxY+NYA/7BYpglySAZYHhjyKh
+/+f6zPfVvbH20Eq3kI7OFBN0nLX+BU1muvS+qTuS3WLrB3m3GultpKREJKLtm5ED
+1rGzXAoT1yp9YI8LADdMCCOyjAjsoWU87YUuC+/bnjrTeR2LROCfyPC76W985iOV
+m5S+bsQDw7C2LrldAM4MDuoyZ1SitGaZ4KQLVt+TEa14isYSGCjzo7PY8V3JOk50
+gqWg82N/bm2EzS7T83WEDb1lvj4IlvxgIqKeg11zXYxmrYSZJJCfvzf+lNS6uxgH
+jx/J0ylZ2LibGr6GAAyO9UWrAZSwSM0EcjT8wECnxkSDuyqmWwVvNBXuEIV8Oe3Y
+MiU1fJN8sd7DpsFx5M+XdnMnQS+HrjTPKD3mWrlAdnEThdYV8jZkpWhDys3/99eO
+hk0rLny0jNwkauf/iU8Oc6XvMkjLRMJg5U9VKyJuWWtzwXnjMN5WRFBqK4sZomMM
+ftbTH1+5ybRW/A3vBbaxRW2t7UzNjczekSZEiaLN9L/HcJCIR1QF8682DdAlEF9d
+k2gQiYSQAaaJ0JJAzHvRkRJLLgK2YQYiHNVy2t3JyFfsram5wSCWOfhPeIyLBTZJ
+vrpNlPbefsT957Tf2BNIugzZrC5VxDSKkZgRh1VGvSIQnCyzkQy6EU2qPpiW59G/
+hPIXZrKocK3KLS9/izJQTRltjMA=
+=PfT7
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/seed/applicationservice/2022.03.08/host-systemd-machined/templates/boot.repo b/seed/applicationservice/2022.03.08/host-systemd-machined/templates/boot.repo
new file mode 100644
index 0000000..7b26eff
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/host-systemd-machined/templates/boot.repo
@@ -0,0 +1,17 @@
+[fedora]
+name=Fedora $releasever - $basearch
+failovermethod=priority
+#baseurl=http://download.fedoraproject.org/pub/fedora/linux/releases/$releasever/Everything/$basearch/os/
+metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
+enabled=1
+gpgcheck=0
+repo_gpgcheck=0
+
+[updates]
+name=Fedora $releasever - $basearch - Updates
+failovermethod=priority
+#baseurl=http://download.fedoraproject.org/pub/fedora/linux/updates/$releasever/Everything/$basearch/
+metalink=https://mirrors.fedoraproject.org/metalink?repo=updates-released-f$releasever&arch=$basearch
+enabled=1
+gpgcheck=0
+repo_gpgcheck=0
diff --git a/seed/applicationservice/2022.03.08/host-systemd-machined/templates/dhcp.network b/seed/applicationservice/2022.03.08/host-systemd-machined/templates/dhcp.network
new file mode 100644
index 0000000..d6df20a
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/host-systemd-machined/templates/dhcp.network
@@ -0,0 +1,5 @@
+[Match]
+Name=%%rougail_variable
+
+[Network]
+DHCP=ipv4
diff --git a/seed/applicationservice/2022.03.08/host-systemd-machined/templates/network-script b/seed/applicationservice/2022.03.08/host-systemd-machined/templates/network-script
new file mode 100644
index 0000000..0011b7d
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/host-systemd-machined/templates/network-script
@@ -0,0 +1,17 @@
+%echo "#!/bin/bash"
+
+%set %%name = %%normalize_family(%%rougail_variable)
+%set %%container = %%machined['machine_' + %%name]
+%set zones = %%container['zones_' + %%name]
+%if %%len(%%zones) > 1
+ %for %%idx, %%zone in %%enumerate(%%zones)
+  %if not %%idx
+    %continue
+  %end if
+  %set %%intname = "vc-" + %%str(%%idx) + %%rougail_variable
+echo "configuration de %intname"
+/usr/sbin/ip link set dev %%intname[:15] master %%zone
+/usr/sbin/ip link set dev %%intname[:15] up
+ %end for
+%end if
+exit 0
diff --git a/seed/applicationservice/2022.03.08/host-systemd-machined/templates/nspawn b/seed/applicationservice/2022.03.08/host-systemd-machined/templates/nspawn
new file mode 100644
index 0000000..3fc90b4
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/host-systemd-machined/templates/nspawn
@@ -0,0 +1,27 @@
+[Files]
+Volatile=true
+PrivateUsersChown=false
+%set %%name = %%normalize_family(%%rougail_variable)
+%set %%container = %%machined['machine_' + %%name]
+%if %%container['srv_dir_' + %%name]
+Bind=%%container['srv_dir_' + %%name]:/srv
+%end if
+BindReadOnly=%%container['config_dir_' + %%name]:/usr/local/lib
+%set zones = %%container['zones_' + %%name]
+%if %%zones
+
+[Network]
+Private=yes
+VirtualEthernet=yes
+ %for %%idx, %%zone in %%enumerate(%%zones)
+  %if %%idx == 0
+Bridge=%%zones[0]
+  %else
+   %set %%intname = "vc-" + %%str(%%idx) + %%rougail_variable
+VirtualEthernetExtra=%%intname[:15]:host%%idx
+  %end if
+ %end for
+%end if
+%for %%port in %%container['external_ports_' + %%name]
+Port=tcp:%%port:%%port
+%end for
diff --git a/seed/applicationservice/2022.03.08/host-systemd-machined/templates/systemd-nspawn@.conf b/seed/applicationservice/2022.03.08/host-systemd-machined/templates/systemd-nspawn@.conf
new file mode 100644
index 0000000..187ef2d
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/host-systemd-machined/templates/systemd-nspawn@.conf
@@ -0,0 +1,2 @@
+[Service]
+ExecStartPost=-/usr/local/lib/sbin/network-%i
diff --git a/seed/applicationservice/2022.03.08/imap-client/applicationservice.yml b/seed/applicationservice/2022.03.08/imap-client/applicationservice.yml
new file mode 100644
index 0000000..d29f98b
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/imap-client/applicationservice.yml
@@ -0,0 +1,2 @@
+format: '0.1'
+description: Client IMAP
diff --git a/seed/applicationservice/2022.03.08/imap-client/dictionaries/21_imap_client.xml b/seed/applicationservice/2022.03.08/imap-client/dictionaries/21_imap_client.xml
new file mode 100644
index 0000000..7604151
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/imap-client/dictionaries/21_imap_client.xml
@@ -0,0 +1,13 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name="imap" manage="False">
+      <file>/etc/pki/ca-trust/source/anchors/ca_IMAPServer.crt</file>
+    </service>
+  </services>
+  <variables>
+    <family name="imap" description="Client SMTP">
+      <variable name="imap_address" type="domainname" description="Nom de domaine du serveur IMAP" mandatory="True"/>
+    </family>
+  </variables>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/imap-client/templates/ca_IMAPServer.crt b/seed/applicationservice/2022.03.08/imap-client/templates/ca_IMAPServer.crt
new file mode 100644
index 0000000..9334b3a
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/imap-client/templates/ca_IMAPServer.crt
@@ -0,0 +1 @@
+%%get_chain(%%imap_address, 'IMAPServer')
diff --git a/seed/applicationservice/2022.03.08/ldap-client-debian/applicationservice.yml b/seed/applicationservice/2022.03.08/ldap-client-debian/applicationservice.yml
new file mode 100644
index 0000000..2a6103c
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/ldap-client-debian/applicationservice.yml
@@ -0,0 +1,5 @@
+format: '0.1'
+description: LDAP client for Fedora
+depends:
+  - ldap-client
+  - base-debian
diff --git a/seed/applicationservice/2022.03.08/ldap-client-debian/dictionaries/20_ldap-client-debian.xml b/seed/applicationservice/2022.03.08/ldap-client-debian/dictionaries/20_ldap-client-debian.xml
new file mode 100644
index 0000000..c30b952
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/ldap-client-debian/dictionaries/20_ldap-client-debian.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<rougail version="0.10">
+  <variables>
+    <family name="annuaire">
+      <variable name="ldap_client_file" type="filename" description="LDAP client filename" hidden="True">
+        <value>/etc/ldap/ldap.conf</value>
+      </variable>
+    </family>
+  </variables>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/ldap-client-fedora/applicationservice.yml b/seed/applicationservice/2022.03.08/ldap-client-fedora/applicationservice.yml
new file mode 100644
index 0000000..09daada
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/ldap-client-fedora/applicationservice.yml
@@ -0,0 +1,5 @@
+format: '0.1'
+description: LDAP client for Fedora
+depends:
+  - ldap-client
+  - base-fedora
diff --git a/seed/applicationservice/2022.03.08/ldap-client-fedora/dictionaries/20_ldap-client-fedora.xml b/seed/applicationservice/2022.03.08/ldap-client-fedora/dictionaries/20_ldap-client-fedora.xml
new file mode 100644
index 0000000..e0c77bb
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/ldap-client-fedora/dictionaries/20_ldap-client-fedora.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<rougail version="0.10">
+  <variables>
+    <family name="annuaire">
+      <variable name="ldap_client_file" type="filename" description="LDAP client filename" hidden="True">
+        <value>/etc/openldap/ldap.conf</value>
+      </variable>
+    </family>
+  </variables>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/ldap-client/applicationservice.yml b/seed/applicationservice/2022.03.08/ldap-client/applicationservice.yml
new file mode 100644
index 0000000..df0f004
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/ldap-client/applicationservice.yml
@@ -0,0 +1,2 @@
+format: '0.1'
+description: LDAP client
diff --git a/seed/applicationservice/2022.03.08/ldap-client/dictionaries/21_ldap-client.xml b/seed/applicationservice/2022.03.08/ldap-client/dictionaries/21_ldap-client.xml
new file mode 100644
index 0000000..1972067
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/ldap-client/dictionaries/21_ldap-client.xml
@@ -0,0 +1,77 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<rougail version="0.10">
+  <services>
+    <service name="ldap_client" manage="False">
+      <file source="ldap.conf" file_type="variable">ldap_client_file</file>
+      <file source="ca_LDAP.crt" file_type="variable">ldap_ca_file</file>
+      <file source="ldap_client.crt" file_type="variable">ldap_cert_file</file>
+      <file source="ldap_client.key" file_type="variable" owner_type="variable" owner="ldap_key_file_owner" group_type="variable" group="ldap_key_file_group" mode="440">ldap_key_file</file>
+    </service>
+  </services>
+  <variables>
+    <family name="annuaire">
+      <variable name='ldap_server_address' type='domainname' description="Nom DNS du serveur LDAP" mandatory='True'/>
+      <variable name='ldapclient_remote_user' type='string' description="DN de l'tilisateur distant" mandatory='True' hidden="True"/>
+      <variable name='ldapclient_remote_user_password' type='password' description="Mot de passe de l'utilisateur distant" mandatory='True' hidden="True"/>
+      <variable name='ldap_base_dn' type='string' description="Base DN de l'annuaire" mandatory="True" test="dc=test,o=fr"/>
+      <variable name='ldap_port' type='port' description='Port du serveur LDAP' mandatory='True' test="636"/>
+      <variable name="ldap_ca_file" type="filename" description="LDAP CA filename" hidden="True"/>
+      <variable name="ldap_cert_file" type="filename" description="LDAP certificate filename" hidden="True"/>
+      <variable name="ldap_key_file" type="filename" description="LDAP private key filename" hidden="True"/>
+      <variable name="ldap_key_file_owner" type="unix_user" description="LDAP private key file owner" hidden="True">
+        <value>root</value>
+      </variable>
+      <variable name="ldap_key_file_group" type="unix_user" description="LDAP private key file group" hidden="True">
+        <value>root</value>
+      </variable>
+    </family>
+  </variables>
+  <constraints>
+    <check name='valid_base_dn'>
+      <target>ldap_base_dn</target>
+    </check>
+    <fill name="calc_value">
+      <param type="variable">tls_ca_directory</param>
+      <param>ca_LDAP.crt</param>
+      <param name="join">/</param>
+      <target>ldap_ca_file</target>
+    </fill>
+    <fill name="calc_value">
+      <param type="variable">tls_cert_directory</param>
+      <param>ldap_client.crt</param>
+      <param name="join">/</param>
+      <target>ldap_cert_file</target>
+    </fill>
+    <fill name="calc_value">
+      <param type="variable">tls_key_directory</param>
+      <param>ldap_client.key</param>
+      <param name="join">/</param>
+      <target>ldap_key_file</target>
+    </fill>
+    <fill name="set_linked">
+      <param name="linked_server" type="variable">ldap_server_address</param>
+      <param name="linked_provider">clients</param>
+      <param name="linked_value" type="variable">domain_name_eth0</param>
+      <param name="linked_returns">dn</param>
+      <param name="dynamic" type="variable">domain_name_eth0</param>
+      <target>ldapclient_remote_user</target>
+    </fill>
+    <fill name="get_linked_configuration">
+      <param name="linked_server" type="variable">ldap_server_address</param>
+      <param name="linked_provider">client_password</param>
+      <param name="dynamic" type="variable">domain_name_eth0</param>
+      <target>ldapclient_remote_user_password</target>
+    </fill>
+    <fill name="get_linked_configuration">
+      <param name="linked_server" type="variable">ldap_server_address</param>
+      <param name="linked_provider">LDAP_DN</param>
+      <target>ldap_base_dn</target>
+    </fill>
+    <fill name="get_linked_configuration">
+      <param name="linked_server" type="variable">ldap_server_address</param>
+      <param name="linked_provider">LDAP_PORT</param>
+      <target>ldap_port</target>
+    </fill>
+  </constraints>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/ldap-client/funcs/openldap_client.py b/seed/applicationservice/2022.03.08/ldap-client/funcs/openldap_client.py
new file mode 100644
index 0000000..a65ff06
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/ldap-client/funcs/openldap_client.py
@@ -0,0 +1,19 @@
+def get_default_base_dn(server_name: str) -> str:
+    if not server_name or '.' not in server_name:
+        return None
+    values = server_name.split('.')
+    # cannot calculated base dn should be server.domain.tld
+    # remove 'server' in dn
+    if len(values) < 3:
+        return None
+    domain = ['ou=' + domain for domain in values[1:-2]]
+    domain.append(f'o={values[-2]},o={values[-1]}')
+    return ','.join(domain)
+
+
+def valid_base_dn(base_dn: str) -> None:
+    for att in ['o', 'dc', 'ou']:
+        if base_dn.startswith(att + '='):
+            break
+    else:
+        raise ValueError('La racine doit débuter par une organisation (o=), une composante du domaine (dc=) ou une unité organisationnelle (ou=)')
diff --git a/seed/applicationservice/2022.03.08/ldap-client/templates/ca_LDAP.crt b/seed/applicationservice/2022.03.08/ldap-client/templates/ca_LDAP.crt
new file mode 100644
index 0000000..86dff29
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/ldap-client/templates/ca_LDAP.crt
@@ -0,0 +1 @@
+%%get_chain(%%ldap_server_address, 'LDAP')
diff --git a/seed/applicationservice/2022.03.08/ldap-client/templates/ldap.conf b/seed/applicationservice/2022.03.08/ldap-client/templates/ldap.conf
new file mode 100644
index 0000000..907b975
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/ldap-client/templates/ldap.conf
@@ -0,0 +1,38 @@
+#
+# LDAP Defaults
+#
+
+# See ldap.conf(5) for details
+# This file should be world readable but not world writable.
+
+#BASE	dc=example,dc=com
+BASE ou=users,%%ldap_base_dn
+#URI	ldap://ldap.example.com ldap://ldap-master.example.com:666
+URI ldaps://%%ldap_server_address:%%ldap_port
+
+#SIZELIMIT	12
+#TIMELIMIT	15
+#DEREF		never
+
+# When no CA certificates are specified the Shared System Certificates
+# are in use. In order to have these available along with the ones specified
+# by TLS_CACERTDIR one has to include them explicitly:
+#TLS_CACERT	/etc/pki/tls/cert.pem
+TLS_KEY %%ldap_key_file
+TLS_CERT %%ldap_cert_file
+TLS_CACERT %%ldap_ca_file
+
+# System-wide Crypto Policies provide up to date cipher suite which should
+# be used unless one needs a finer grinded selection of ciphers. Hence, the
+# PROFILE=SYSTEM value represents the default behavior which is in place
+# when no explicit setting is used. (see openssl-ciphers(1) for more info)
+#TLS_CIPHER_SUITE PROFILE=SYSTEM
+
+# Turning this off breaks GSSAPI used with krb5 when rdns = false
+SASL_NOCANON	on
+
+BINDDN %%ldapclient_remote_user
+TIMELIMIT 10
+NETWORK_TIMEOUT 10
+TIMEOUT 10
+BINDPW %%ldapclient_remote_user_password
diff --git a/seed/applicationservice/2022.03.08/ldap-client/templates/ldap_client.crt b/seed/applicationservice/2022.03.08/ldap-client/templates/ldap_client.crt
new file mode 100644
index 0000000..1b8dd51
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/ldap-client/templates/ldap_client.crt
@@ -0,0 +1 @@
+%%get_certificate(cn=%%domain_name_eth0, authority_cn=%%ldap_server_address, authority_name='LDAP', type='client')
diff --git a/seed/applicationservice/2022.03.08/ldap-client/templates/ldap_client.key b/seed/applicationservice/2022.03.08/ldap-client/templates/ldap_client.key
new file mode 100644
index 0000000..65e88b1
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/ldap-client/templates/ldap_client.key
@@ -0,0 +1,5 @@
+%set %%key = %%get_private_key(cn=%%domain_name_eth0, authority_cn=%%ldap_server_address, authority_name='LDAP', type='client')
+%if not %%key
+  %raise Exception('empty key')
+%end if
+%%key
diff --git a/seed/applicationservice/2022.03.08/lemonldap/DEBUG.md b/seed/applicationservice/2022.03.08/lemonldap/DEBUG.md
new file mode 100644
index 0000000..e786356
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/lemonldap/DEBUG.md
@@ -0,0 +1,5 @@
+Log level to DEBUG
+==================
+
+sed -i "s/logLevel     = info/logLevel     = debug/g" /etc/lemonldap-ng/lemonldap-ng.ini
+systemctl restart lemonldap-ng-fastcgi-server.service
diff --git a/seed/applicationservice/2022.03.08/lemonldap/applicationservice.yml b/seed/applicationservice/2022.03.08/lemonldap/applicationservice.yml
new file mode 100644
index 0000000..723261e
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/lemonldap/applicationservice.yml
@@ -0,0 +1,8 @@
+format: '0.1'
+description: LemonLDAP
+depends:
+  - base-debian-bullseye
+  - ldap-client-debian
+  - reverse-proxy-client
+  - relay-mail-client
+  - nginx-common
diff --git a/seed/applicationservice/2022.03.08/lemonldap/dictionaries/70_lemonldap_ng.xml b/seed/applicationservice/2022.03.08/lemonldap/dictionaries/70_lemonldap_ng.xml
new file mode 100644
index 0000000..91b5f22
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/lemonldap/dictionaries/70_lemonldap_ng.xml
@@ -0,0 +1,34 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name="lemonldap-ng-fastcgi-server">
+      <override/>
+      <file>/var/lib/lemonldap-ng/conf/lmConf-1.json</file>
+      <file engine="none">/etc/lemonldap-ng/lemonldap-ng.ini</file>
+      <!--file>/etc/lemonldap-ng/handler-nginx.conf</file-->
+      <file>/etc/lemonldap-ng/portal-nginx.conf</file>
+      <file>/etc/lemonldap-ng/nginx-lmlog.conf</file>
+      <file>/etc/default/lemonldap-ng-fastcgi-server</file>
+      <file mode="750">/sbin/interne_well_known.pl</file>
+      <file engine="none" source="tmpfile-lemonldap.conf">/tmpfiles.d/0lemonldap.conf</file>
+    </service>
+  </services>
+  <variables>
+    <family name="lemonldap" description="LemonLDAP" help="Configuration de la solution d'authentification unique LemonLDAP::NG">
+      <variable name="lemon_domain" description="Nom DNS derrière LemonLDAP::NG"/>
+      <variable name="lemon_reload_web_name" description="Nom DNS du service Reload de LemonLDAP-NG" mode="expert"/>
+      <variable name="lemon_proc" type="number" description="Nombre de processus dédié à LemonLdap (équivalent au nombre de processeurs)" mandatory="True">
+        <value>1</value>
+      </variable>
+      <variable name="lemon_mail_admin" type="mail" description="Courriel de l'administrateur" mandatory="True"/>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="calc_value">
+      <param>reload.</param>
+      <param type="variable">lemon_domain</param>
+      <param name="join"></param>
+      <target>lemon_reload_web_name</target>
+    </fill>
+  </constraints>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/lemonldap/extras/oauth2/00_oauth2.xml b/seed/applicationservice/2022.03.08/lemonldap/extras/oauth2/00_oauth2.xml
new file mode 100644
index 0000000..31ab6ba
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/lemonldap/extras/oauth2/00_oauth2.xml
@@ -0,0 +1,27 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <variables>
+    <variable name="remotes" description="Remote clients needing to verify OAuth2 account" type="domainname" multi="True" provider="oauth2"/>
+    <family name="oauth2_" description="OAuth2 for" dynamic="oauth2.remotes">
+      <variable name="secret_" description="Remote secret for" type="password" mandatory="True" hidden="True" provider="oauth2_secret"/>
+      <variable name="name_" description="Remote name for" hidden="True" provider="oauth2_name"/>
+      <variable name="description_" description="Remote description for" hidden="True" provider="oauth2_description"/>
+      <variable name="login_" description="Remote URL to login" hidden="True" provider="oauth2_login"/>
+      <variable name="external_" description="Remote external for" hidden="True" provider="oauth2_external"/>
+      <variable name="token_signature_algo_" type="choice" description="OAuth2 token signature algorithm" mandatory='True' hidden="True" provider="oauth2_token_signature_algo">
+        <choice>HS512</choice>
+        <choice>RS256</choice>
+      </variable>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="get_password">
+      <param name="server_name" type="variable">domain_name_eth0</param>
+      <param name="username" type="suffix"/>
+      <param name="description">remote</param>
+      <param name="type">cleartext</param>
+      <target>oauth2.oauth2_.secret_</target>
+    </fill>
+  </constraints>
+</rougail>
+
diff --git a/seed/applicationservice/2022.03.08/lemonldap/funcs/lemonldap.py b/seed/applicationservice/2022.03.08/lemonldap/funcs/lemonldap.py
new file mode 100644
index 0000000..cae0b21
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/lemonldap/funcs/lemonldap.py
@@ -0,0 +1,10 @@
+def getSSOFilters():
+    return []
+
+
+def is_file(f):
+    return True
+
+
+def readPass(f, password):
+    return password
diff --git a/seed/applicationservice/2022.03.08/lemonldap/manual/image/preinstall/lemonldap.sh b/seed/applicationservice/2022.03.08/lemonldap/manual/image/preinstall/lemonldap.sh
new file mode 100644
index 0000000..edc77c9
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/lemonldap/manual/image/preinstall/lemonldap.sh
@@ -0,0 +1 @@
+PKG="$PKG lemonldap-ng libnginx-mod-http-lua lemonldap-ng-fastcgi-server libnet-ldap-perl libunicode-string-perl libio-socket-timeout-perl libio-string-perl libmime-tools-perl libemail-sender-perl libstring-random-perl libgd-securityimage-perl libimage-magick-perl"
diff --git a/seed/applicationservice/2022.03.08/lemonldap/templates/handler-nginx.conf b/seed/applicationservice/2022.03.08/lemonldap/templates/handler-nginx.conf
new file mode 100644
index 0000000..7192abd
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/lemonldap/templates/handler-nginx.conf
@@ -0,0 +1,82 @@
+#=======================================================================
+# Nginx configuration for LemonLDAP::NG Handler
+#=======================================================================
+# This file implements the reload virtualhost that permits to reload
+# configuration without restarting server.
+# You need then to declare this vhost in reloadUrls (in the manager
+# interface if this server doesn't host the manager itself):
+#
+#         KEY       :               VALUE
+#   host-or-IP:port :  http://reload.example.com/reload
+#
+# IMPORTANT:
+# To protect applications, see test-nginx.conf template in example files
+
+# Log format
+include /etc/lemonldap-ng/nginx-lmlog.conf;
+#access_log /var/log/nginx/access.log lm_combined;
+
+server {
+  # GNUNUX listen 80;
+  # GNUNUX server_name reload.example.com;
+#>GNUNUX
+  listen 443 ssl;
+  server_name %%lemon_reload_web_name;
+  ssl_certificate         %%revprox_cert_file;
+  ssl_certificate_key     %%revprox_key_file;
+  ssl_client_certificate  %%revprox_ca_file;
+#<GNUNUX
+  root /var/www/html;
+
+  # Uncomment this if you are running behind a reverse proxy and want
+  # LemonLDAP::NG to see the real IP address of the end user
+  # Adjust the settings to match the IP address of your reverse proxy
+  # and the header containing the original IP address
+  # As an alternative, you can use the PROXY protocol
+  #
+  #set_real_ip_from  127.0.0.1;
+  #real_ip_header    X-Forwarded-For;
+
+# GNUNUX  location = /reload {
+# GNUNUX    allow 127.0.0.0/8;
+# GNUNUX    allow ::1/128;
+# GNUNUX    deny all;
+# GNUNUX
+# GNUNUX    # FastCGI configuration
+# GNUNUX    include /etc/nginx/fastcgi_params;
+# GNUNUX    fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
+# GNUNUX    fastcgi_param LLTYPE reload;
+# GNUNUX
+# GNUNUX    # OR TO USE uWSGI
+# GNUNUX    #include /etc/nginx/uwsgi_params;
+# GNUNUX    #uwsgi_pass 127.0.0.1:5000;
+# GNUNUX    #uwsgi_param LLTYPE reload;
+# GNUNUX  }
+
+  # Client requests
+  location / {
+    allow %%revprox_client_server_ip;
+    deny all;
+
+    # Uncomment this if you use https only
+    #add_header Strict-Transport-Security "max-age=15768000";
+#>GNUNUX
+    add_header Strict-Transport-Security "max-age=15768000";
+#<GNUNUX
+  }
+
+  # Uncomment this if status is enabled
+  #location = /status {
+  #  allow 127.0.0.1/8;
+  #  allow ::1/128;
+  #  deny all;
+  #  # FastCGI configuration
+  #  include /etc/nginx/fastcgi_params;
+  #  fastcgi_pass unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
+  #  fastcgi_param LLTYPE status;
+  #  # OR TO USE uWSGI
+  #  #include /etc/nginx/uwsgi_params;
+  #  #uwsgi_pass 127.0.0.1:5000;
+  #  #uwsgi_param LLTYPE status;
+  #}
+}
diff --git a/seed/applicationservice/2022.03.08/lemonldap/templates/interne_well_known.pl b/seed/applicationservice/2022.03.08/lemonldap/templates/interne_well_known.pl
new file mode 100644
index 0000000..5137895
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/lemonldap/templates/interne_well_known.pl
@@ -0,0 +1,16 @@
+%echo "#!/usr/bin/env perl"
+
+use HTTP::Tiny;
+use JSON qw(from_json to_json);
+
+my $baseUrl = 'https://%%domain_name_eth0/';
+
+my $response = HTTP::Tiny->new->get('http://localhost/.well-known/openid-configuration');
+
+die "Failed!\n" unless $response->{success};
+
+my $json = from_json($response->{content});
+$json->{token_endpoint} = $baseUrl . 'oauth2/token';
+$json->{userinfo_endpoint} = $baseUrl . 'oauth2/userinfo';
+$json->{jwks_uri} = $baseUrl . 'oauth2/jwks';
+printf to_json($json) . "\n";
diff --git a/seed/applicationservice/2022.03.08/lemonldap/templates/lemonldap-ng-fastcgi-server b/seed/applicationservice/2022.03.08/lemonldap/templates/lemonldap-ng-fastcgi-server
new file mode 100644
index 0000000..277d740
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/lemonldap/templates/lemonldap-ng-fastcgi-server
@@ -0,0 +1,18 @@
+# Number of process (default: 7)
+#NPROC = 7
+#>GNUNUX
+NPROC=%%lemon_proc
+#<GNUNUX
+
+# Unix socket to listen to
+SOCKET=/run/llng-fastcgi-server/llng-fastcgi.sock
+
+# Pid file
+PID=/run/llng-fastcgi-server/llng-fastcgi-server.pid
+
+# User and GROUP
+USER=www-data
+GROUP=www-data
+
+# Custom functions file
+#CUSTOM_FUNCTIONS_FILE=/var/lib/lemonldap-ng/myfile.pm
diff --git a/seed/applicationservice/2022.03.08/lemonldap/templates/lemonldap-ng-fastcgi-server.service b/seed/applicationservice/2022.03.08/lemonldap/templates/lemonldap-ng-fastcgi-server.service
new file mode 100644
index 0000000..f4e6639
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/lemonldap/templates/lemonldap-ng-fastcgi-server.service
@@ -0,0 +1,5 @@
+[Unit]
+After=nginx.service
+
+[Service]
+ExecStartPost=-/usr/bin/timeout 10 bash -c 'while ! /usr/local/lib/sbin/interne_well_known.pl > /var/www/html/.well-known/openid-configuration; do sleep 5; done'
diff --git a/seed/applicationservice/2022.03.08/lemonldap/templates/lemonldap-ng.ini b/seed/applicationservice/2022.03.08/lemonldap/templates/lemonldap-ng.ini
new file mode 100644
index 0000000..ddbb422
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/lemonldap/templates/lemonldap-ng.ini
@@ -0,0 +1,400 @@
+;==============================================================================
+; LemonLDAP::NG local configuration parameters
+;
+; This file is dedicated to configuration parameters override
+; You can set here configuration parameters that will be used only by
+; local LemonLDAP::NG elements
+;
+; Section "all" is always read first before "portal", "handler"
+; and "manager"
+;
+; Section "configuration" is used to load global configuration and set cache
+; (replace old storage.conf file)
+;
+; Other section are only read by the specific LemonLDAP::NG component
+;==============================================================================
+
+[all]
+
+; CUSTOM FUNCTION
+; If you want to create customFunctions in rules, declare them here:
+;customFunctions = function1 function2
+;customFunctions = Package::func1 Package::func2
+
+; CROSS-DOMAIN
+; If you have some handlers that are not registered on the main domain,
+; uncomment this
+;cda = 1
+
+; SAFE JAIL
+; Uncomment this to disable Safe jail.
+; Warning: this can allow malicious code in custom functions or rules
+;useSafeJail = 0
+
+; LOGGING
+;
+; 1 - Defined logging level
+;   Set here one of error, warn, notice, info or debug
+logLevel     = info
+; Note that this has no effect for Apache2 logging: Apache LogLevel is used
+; instead
+;
+; 2 - Change logger
+;
+;   By default, logging is set to:
+;    - Lemonldap::NG::Common::Logger::Apache2  for ApacheMP2 handlers
+;    - Lemonldap::NG::Common::Logger::Syslog   for FastCGI (Nginx)
+;    - Lemonldap::NG::Common::Logger::Std      for PSGI applications (manager,
+;                                              portal,...) when they are not
+;                                              launched by FastCGI server
+;   Other loggers availables:
+;    - Lemonldap::NG::Common::Logger::Log4perl to use Log4perl
+;
+;   "Std" is redirected to the web server logs for Apache. For Nginx, only if
+;   request failed
+;
+;   You can overload this in this section (for all) or in another section if
+;   you want to change logger for a specified app.
+;
+;   LLNG uses 2 loggers: 1 for technical logs (logger), 1 for user actions
+;   (userLogger). "userLogger" uses the same class as "logger" if not set.
+;logger     = Lemonldap::NG::Common::Logger::Syslog
+;userLogger = Lemonldap::NG::Common::Logger::Std
+;
+; 2.1 - Using Syslog
+;
+;   For Syslog logging, you can also overwrite facilities. Default values:
+logger             = Lemonldap::NG::Common::Logger::Syslog
+syslogFacility     = daemon
+userSyslogFacility = auth
+;
+; 2.2 - Using Log4perl
+;
+;   If you want to use Log4perl, you can set these parameters. Here are default
+;   values:
+;logger             = Lemonldap::NG::Common::Logger::Log4perl
+;log4perlConfFile   = /etc/lemonldap-ng/log4perl.conf
+;log4perlLogger     = LLNG
+;log4perlUserLogger = LLNG.user
+;
+;   Here, Log4perl configuration is read from /etc/log4perl.conf. The "LLNG"
+;   value points to the logger class. Example:
+;     log4perl.logger.LLNG      = WARN, File1
+;     log4perl.logger.LLNG.user = INFO, File2
+;     ...
+
+; CONFIGURATION CHECK
+;
+; LLNG verify configuration at server start. If you use "reload" mechanism,
+; local cache will be updated. Configuration is checked locally every
+; 10 minutes by each LLNG component. You can change this value using
+; `checkTime` (time in seconds).
+; To increase performances, you should comment this parameter and rely on cache.
+checkTime = 1
+
+[configuration]
+
+; confTimeout: maximum time to get configuration (default 10)
+;confTimeout = 5
+
+; GLOBAL CONFIGURATION ACCESS TYPE
+; (File, REST, SOAP, RDBI/CDBI, LDAP, YAMLFile)
+; Set here the parameters needed to access to LemonLDAP::NG configuration.
+; You have to set "type" to one of the followings :
+;
+; * File/YAMLFile: you have to set 'dirName' parameter. Example:
+;
+;           type = File ; or type = YAMLFile
+;           dirName = /var/lib/lemonldap-ng/conf
+;
+; * RDBI/CDBI : you have to set 'dbiChain' (required) and 'dbiUser' and 'dbiPassword'
+;         if needed. Example:
+;
+;           type        = RDBI
+;          ;type        = CDBI 
+;           dbiChain    = DBI:MariaDB:database=lemonldap-ng;host=1.2.3.4
+;           dbiUser     = lemonldap
+;           dbiPassword = password
+;
+; * REST: REST configuration access is a sort of proxy: the portal is
+;         configured to use the real session storage type (DBI or File for
+;         example).
+;         You have to set 'baseUrl' parameter. Example:
+;
+;           type         = REST
+;           baseUrl      = https://auth.example.com/config
+;           proxyOptions = { timeout => 5 }
+;           User         = lemonldap
+;           Password     = mypassword
+;
+; * SOAP: SOAP configuration access is a sort of proxy: the portal is
+;         configured to use the real session storage type (DBI or File for
+;         example).
+;         You have to set 'proxy' parameter. Example:
+;
+;           type         = SOAP
+;           proxy        = https://auth.example.com/config
+;           proxyOptions = { timeout => 5 }
+;           User         = lemonldap
+;           Password     = mypassword
+;
+; * LDAP: you have to set ldapServer, ldapConfBase, ldapBindDN and ldapBindPassword.
+;
+;           type                 = LDAP
+;           ldapServer           = ldap://localhost
+;           ldapConfBase         = ou=conf,ou=applications,dc=example,dc=com
+;           ldapBindDN           = cn=manager,dc=example,dc=com
+;           ldapBindPassword     = secret
+;           ldapObjectClass      = applicationProcess
+;           ldapAttributeId      = cn
+;           ldapAttributeContent = description
+
+type=File
+dirName = /var/lib/lemonldap-ng/conf
+
+; LOCAL CACHE CONFIGURATION
+;
+; To increase performances, use a local cache for the configuration. You have
+; to choose a Cache::Cache module and set its parameters. Example:
+;
+;           localStorage = Cache::FileCache
+;           localStorageOptions={                             \
+;               'namespace'          => 'lemonldap-ng-config',\
+;               'default_expires_in' => 600,                  \
+;               'directory_umask'    => '007',                \
+;               'cache_root'         => '/tmp',               \
+;               'cache_depth'        => 3,                    \
+;           }
+localStorage=Cache::FileCache
+localStorageOptions={                             \
+    'namespace'          => 'lemonldap-ng-config',\
+    'default_expires_in' => 600,                  \
+    'directory_umask'    => '007',                \
+    'cache_root'         => '/tmp',               \
+    'cache_depth'        => 3,                    \
+}
+
+[portal]
+
+; PORTAL CUSTOMIZATION
+
+; I - Required parameters
+
+; staticPrefix: relative (or URL) location of static HTML components
+staticPrefix = /static
+
+; location of HTML templates directory
+templateDir  = /usr/share/lemonldap-ng/portal/templates
+
+; languages: available languages for portal interface
+languages    = fr, en, vi, it, ar, de, fi, tr
+
+; II - Optional parameters (overwrite configuration)
+
+; Name of the skin
+portalSkin = bootstrap
+; Modules displayed
+;portalDisplayLogout = 1
+portalDisplayResetPassword = 1
+portalDisplayChangePassword = 1
+;portalDisplayAppslist = 1
+;portalDisplayLoginHistory = 1
+; Require the old password when changing password
+portalRequireOldPassword = 1
+; Attribute displayed as connected user
+;portalUserAttr = mail
+; Old menu HTML code
+; Enable it if you use old templates
+;useOldMenuItems=1
+; Override error codes
+;error_0 = You are well authenticated!
+; Custom template parameters
+; For example to use <TMPL_VAR NAME="myparam"> 
+;tpl_myparam = test
+
+; COMBINATION FORMS
+; If you want to fix forms to display, you can use this;
+;combinationForms = standardform, yubikeyform
+
+;syslog = auth
+; SOAP FUNCTIONS
+; Remove comment to activate SOAP Functions getCookies(user,pwd) and
+; error(language, code)
+;Soap = 1
+; Note that getAttibutes() will be activated but on a different URI
+; (http://auth.example.com/sessions)
+; You can also restrict attributes and macros exported by getAttributes
+;exportedAttr = uid mail
+
+; PASSWORD POLICY
+; Remove comment to use LDAP Password Policy
+;ldapPpolicyControl = 1
+; Remove comment to store password in session (use with caution)
+;storePassword = 1
+; Remove comment to use LDAP modify password extension
+; (beware of compatibility with LDAP Password Policy)
+;ldapSetPassword    = 1
+; RESET PASSWORD BY MAIL
+; SMTP server (default to localhost), set to '' to use default mail service
+;SMTPServer = localhost
+; SMTP auth user
+;SMTPAuthUser = toto
+; SMTP auth password
+;SMTPAuthPass = secret
+; Mail From address
+;mailFrom = noreply@example.com
+; Reply To
+;mailReplyTo = noreply@example.com
+; Mail confirmation URL
+;mailUrl = http://reset.example.com
+; Mail subject for confirmation message
+;mailConfirmSubject = [LemonLDAP::NG] Password reset confirmation
+; Mail body for confiramtion (can use $url for confirmation URL, and other session
+; infos, like $cn). Keep comment to use HTML templates
+;mailConfirmBody = Hello $cn,\n\nClick here to receive your new password: $url
+; Mail subject for new password message
+;mailSubject = [LemonLDAP::NG] Your new password
+; Mail body for new password (can use $password for generated password, and other session
+; infos, like $cn). Keep comment to use HTML templates
+;mailBody = Hello $cn,\n\nYour new password is $password
+; LDAP filter to use
+;mailLDAPFilter = '(&(mail=$mail)(objectClass=inetOrgPerson))'
+; Random regexp for password generation
+;randomPasswordRegexp = [A-Z]{3}[a-z]{5}.\d{2}
+; LDAP GROUPS
+; Set the base DN of your groups branch
+;ldapGroupBase = ou=groups,dc=example,dc=com
+; Objectclass used by groups
+;ldapGroupObjectClass = groupOfUniqueNames
+; Attribute used by groups to store member
+;ldapGroupAttributeName = uniqueMember
+; Attribute used by user to link to groups
+;ldapGroupAttributeNameUser = dn
+; Attribute used to identify a group. The group will be displayed as
+; cn|mail|status, where cn, mail and status will be replaced by their
+; values.
+;ldapGroupAttributeNameSearch = cn mail
+
+; NOTIFICATIONS SERVICE
+; Use it to be able to notify messages during authentication
+;notification = 1
+; Note that the SOAP function newNotification will be activated on
+; http://auth.example.com/notification
+; If you want to hide this, just protect "/index.fcgi/notification" in
+; your Apache configuration file
+; XSS protection bypass
+; By default, the portal refuse redirections that comes from sites not
+; registered in the configuration (manager) except for those coming
+; from trusted domains. By default, trustedDomains contains the domain
+; declared in the manager. You can set trustedDomains to empty value so
+; that, undeclared sites will be rejected. You can also set here a list
+; of trusted domains or hosts separated by spaces. This is usefull if
+; your website use LemonLDAP::NG without handler with SOAP functions.
+;trustedDomains = my.trusted.host example2.com
+
+; Check XSS
+; Set to 0 to disable error on XSS attack detection
+;checkXSS = 0
+
+; pdata cookie domain
+; pdata cookie could not be sent with cross domains AJAX request
+; Null is default value
+;pdataDomain = example.com
+
+; CUSTOM PLUGINS
+; If you want to add custom plugins, set list here (comma separated)
+; Read Lemonldap::NG::Portal::Main::Plugin(3pm) man page.
+;customPlugins = ::My::Package1, ::My::Package2
+
+; To avoid bad/expired OTT if "authssl" and "auth" are served by different Load Balancers
+; you can override OTT configuration to store Upgrade or Issuer OTT into global storage
+;forceGlobalStorageUpgradeOTT = 1
+;forceGlobalStorageIssuerOTT = 1
+
+[handler]
+
+; Handler cache configuration
+; You can overwrite here local session cache settings in manager:
+;          localSessionStorage=Cache::FileCache
+;          localSessionStorageOptions={                         \
+;              'namespace'          => 'lemonldap-ng-sessions', \
+;              'default_expires_in' => 600,                     \
+;              'directory_umask'    => '007',                   \
+;              'cache_root'         => '/tmp',                  \
+;              'cache_depth'        => 3,                       \
+;          }
+
+; Set https to 1 if your handler protect a https website (used only for
+; redirections to the portal)
+https = 1
+; Set port if your your hanlder protect a website on a non standard port
+; - 80 for http, 443 for https (used only for redirections to the portal)
+;port = 8080
+; Set status to 1 if you want to have the report of activity (used for
+; example to inform MRTG)
+status = 0
+; Set useRedirectOnForbidden to 1 if you want to use REDIRECT and not FORBIDDEN
+; when a user is not allowed by Handler
+;useRedirectOnForbidden = 1
+; Hide LemonLDAP::NG Handler in Apache Server Signature
+;hideSignature = 1
+; Set ServiceToken timeout
+;handlerServiceTokenTTL = 30
+; Set Impersonation/ContextSwitching prefix
+; impersonationPrefix = real_
+useRedirectOnError = 1
+
+; Zimbra Handler parameters
+;zimbraPreAuthKey = XXXX
+;zimbraAccountKey = uid
+;zimbraBy =id
+;zimbraUrl = /service/preauth
+;zimbraSsoUrl = ^/zimbrasso$
+
+[manager]
+
+; Manager protection: by default, the manager is protected by a demo account.
+; You can protect it :
+; * by Apache itself,
+; * by the parameter 'protection' which can take one of the following
+; values :
+;   * authenticate : all authenticated users can access
+;   * manager      : manager is protected like other virtual hosts: you
+;                    have to set rules in the corresponding virtual host
+;   * <rule>       : you can set here directly the rule to apply
+;   * none         : no protection
+protection   = manager
+
+; staticPrefix: relative (or URL) location of static HTML components
+staticPrefix = /static
+;
+; location of HTML templates directory
+templateDir  = /usr/share/lemonldap-ng/manager/htdocs/templates
+
+; languages: available languages for manager interface
+languages    = fr, en, it, vi, ar, tr
+
+; Manager modules enabled
+; Set here the list of modules you want to see in manager interface
+; The first will be used as default module displayed
+;enabledModules = conf, sessions, notifications, 2ndFA, viewer
+enabledModules = conf, sessions, notifications, 2ndFA
+
+; To avoid restricted users to edit configuration, defaulModule MUST be different than 'conf'
+; 'conf' is set by default
+;defaultModule = viewer
+
+; Viewer module allows us to edit configuration in read-only mode
+; Options can be set with specific rules like this :
+;viewerAllowBrowser = $uid eq 'dwho'
+;viewerAllowDiff = $uid ne 'dwho'
+;
+; Viewer options - Default values
+;viewerHiddenKeys = samlIDPMetaDataNodes samlSPMetaDataNodes managerPassword ManagerDn globalStorageOptions persistentStorageOptions
+;viewerAllowBrowser = 0
+;viewerAllowDiff = 0
+
+;[node-handler]
+;
+;This section is for node-lemonldap-ng-handler
+;nodeVhosts = test3.example.com, test4.example.com
diff --git a/seed/applicationservice/2022.03.08/lemonldap/templates/lmConf-1.json b/seed/applicationservice/2022.03.08/lemonldap/templates/lmConf-1.json
new file mode 100644
index 0000000..e76fd16
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/lemonldap/templates/lmConf-1.json
@@ -0,0 +1,178 @@
+%compiler-settings
+commentStartToken = §
+%end compiler-settings
+{
+   "mailFrom" : "%%lemon_mail_admin",
+   "mailLDAPFilter" : "(&(mail=$mail)(objectClass=inetOrgPerson))",
+   "portalSkinBackground" : "1280px-Cedar_Breaks_National_Monument_partially.jpg",
+   "authentication" : "LDAP",
+   "AuthLDAPFilter" : "(&(cn=$user)(objectClass=inetOrgPerson))",
+   "managerDn" : "%%ldapclient_remote_user",
+   "managerPassword" : "%%ldapclient_remote_user_password",
+   "ldapPpolicyControl" : 1,
+   "ldapAllowResetExpiredPassword" : 1,
+   "ldapChangePasswordAsUser" : 1,
+   "ldapBase" : "ou=users,%%ldap_base_dn",
+   "ldapExportedVars" : {
+      "uid" : "uid",
+      "cn" : "cn",
+      "sn" : "sn",
+      "mail" : "mail",
+      "givenName" : "givenName"
+   },
+   "ldapGroupAttributeName" : "memberUid",
+   "ldapGroupAttributeNameUser" : "cn",
+   "ldapGroupObjectClass" : "group",
+   "ldapPort" : "636",
+   "ldapServer" : "ldaps://%%ldap_server_address",
+   "ldapVerify" : "required",
+   "ldapTimeout" : 120,
+   "cfgAuthor" : "EOLE",
+   "cfgNum" : 1,
+   "cfgVersion" : "2.0.9",
+   "demoExportedVars" : {
+      "cn" : "cn",
+      "mail" : "mail",
+      "uid" : "uid"
+   },
+   "domain" : "%%revprox_client_external_domainname",
+   "exportedVars" : {
+       "UA" : "HTTP_USER_AGENT",
+       "cn" : "cn",
+       "mail" : "mail"
+   },
+   "globalStorageOptions" : {
+      "Directory" : "/srv/lemonldap-ng/sessions",
+      "LockDirectory" : "/srv/lemonldap-ng/sessions/lock"
+   },
+   "issuerDBOpenIDConnectActivation" : 1,
+   "localSessionStorageOptions" : {
+      "cache_depth" : 3,
+      "cache_root" : "/srv/lemonldap-ng/cache",
+      "default_expires_in" : 600,
+      "directory_umask" : "007",
+      "namespace" : "lemonldap-ng-sessions"
+  },
+   "locationRules" : {
+      "%%revprox_client_external_domainname" : {
+         "default" : "accept"
+%for %%app in %%oauth2.remotes
+  %set %%key = %%normalize_family(%%app)
+      },
+      "%%lemon_domain" : {
+         "^/logout" : "logout_sso",
+         "default" : "accept"
+%end for
+      }
+   },
+   "loginHistoryEnabled" : 1,
+   "macros" : {
+      "UA" : "$ENV{HTTP_USER_AGENT}",
+      "_whatToTrace" : "$_auth eq 'SAML' ? lc($_user.'@'.$_idpConfKey) : $_auth eq 'OpenIDConnect' ? lc($_user.'@'.$_oidc_OP) : lc($_user)"
+   },
+   "mailUrl" : "https://%%revprox_client_external_domainname/resetpwd",
+   "mySessionAuthorizedRWKeys" : [
+      "_appsListOrder",
+      "_oidcConnectedRP",
+      "_oidcConsents"
+   ],
+   "notification" : 1,
+   "notificationStorageOptions" : {
+       "dirName" : "/srv/lemonldap-ng/notifications"
+   },
+   "oidcRPMetaDataExportedVars" : {
+%set %%len_app = %%len(%%oauth2.remotes)
+%for %%idx, %%app in %%enumerate(%%oauth2.remotes)
+  %set %%key = %%normalize_family(%%app)
+  %set %%description = %%oauth2['oauth2_' + %%key]['description_' + %%key]
+      "%%app" : {
+         "email" : "mail",
+         "family_name" : "sn",
+         "name" : "cn",
+	 "nickname" : "uid"
+  %if %%len_app - 1 == %%idx
+      }
+  %else
+      },
+  %end if
+%end for
+   },
+   "oidcRPMetaDataOptions" : {
+%for %%idx, %%app in %%enumerate(%%oauth2.remotes)
+  %set %%key = %%normalize_family(%%app)
+  %set %%description = %%oauth2['oauth2_' + %%key]['description_' + %%key]
+      "%%app" : {
+         "oidcRPMetaDataOptionsAllowClientCredentialsGrant" : 0,
+         "oidcRPMetaDataOptionsAllowOffline" : 1,
+         "oidcRPMetaDataOptionsAllowPasswordGrant" : 0,
+         "oidcRPMetaDataOptionsBypassConsent" : 1,
+         "oidcRPMetaDataOptionsClientID" : "%%key",
+         "oidcRPMetaDataOptionsClientSecret" : "%%oauth2['oauth2_' + %%key]['secret_' + %%key]",
+         "oidcRPMetaDataOptionsIDTokenForceClaims" : 0,
+         "oidcRPMetaDataOptionsIDTokenSignAlg" : "%%oauth2['oauth2_' + %%key]['token_signature_algo_' + %%key]",
+         "oidcRPMetaDataOptionsLogoutSessionRequired" : 0,
+         "oidcRPMetaDataOptionsLogoutType" : "front",
+§         "oidcRPMetaDataOptionsLogoutUrl" : "https://git.gnunux.com/user/oauth2/NAME/logout",
+§FIXME
+         "oidcRPMetaDataOptionsPostLogoutRedirectUris" : "gnunux-allow",
+         "oidcRPMetaDataOptionsPublic" : 0,
+  %if %%oauth2['oauth2_' + %%key]['login_' + %%key] 
+         "oidcRPMetaDataOptionsRedirectUris" : "%%oauth2['oauth2_' + %%key]['login_' + %%key]",
+  %end if
+         "oidcRPMetaDataOptionsRefreshToken" : 0,
+         "oidcRPMetaDataOptionsRequirePKCE" : 0
+  %if %%len_app - 1 == %%idx
+      }
+  %else
+      },
+  %end if
+%end for
+   },
+   "oidcServiceKeyIdSig" : "2PDCicoyT45rjsARYcxjfg",
+   "oidcServiceMetaDataAuthnContext" : {
+      "loa-1" : 1,
+      "loa-2" : 2,
+      "loa-3" : 3,
+      "loa-4" : 4,
+      "loa-5" : 5
+   },
+%set %%pub = '\\n'.join(%%get_public_key(%%domain_name_eth0).split("\n"))
+   "oidcServicePublicKeySig" : "%%pub",
+%set %%priv = '\\n'.join(%%get_private_key(%%domain_name_eth0).split("\n"))
+   "oidcServicePrivateKeySig" : "%%priv",
+   "passwordDB" : "LDAP",
+   "persistentStorage" : "Apache::Session::File",
+   "persistentStorageOptions" : {
+      "Directory": "/srv/lemonldap-ng/psessions",
+      "LockDirectory": "/srv/lemonldap-ng/psessions/lock"
+   },
+   "portal" : "https://%%revprox_client_external_domainname/",
+   "registerUrl" : "https://%%lemon_reload_web_name/register",
+   "reloadUrls" : {
+      "localhost" : "https://%%lemon_reload_web_name/reload"
+   },
+   "whatToTrace" : "_whatToTrace",
+   "applicationList" : {
+      "test" : {
+         "catname" : "Test Cat",
+%for %%app in %%oauth2.remotes
+  %set %%key = %%normalize_family(%%app)
+  %set %%description = %%oauth2['oauth2_' + %%key]['description_' + %%key]
+  %if not %%description
+    %continue
+  %end if
+         "%%key" : {
+            "options" : {
+               "description" : "%%description",
+               "display" : "auto",
+               "logo" : "demo.png",
+               "name" : "%%oauth2['oauth2_' + %%key]['name_' + %%key]",
+               "uri" : "%%oauth2['oauth2_' + %%key]['external_' + %%key]"
+            },
+            "type" : "application"
+         },
+%end for
+         "type" : "category"
+      }
+   }
+}
diff --git a/seed/applicationservice/2022.03.08/lemonldap/templates/nginx-lmlog.conf b/seed/applicationservice/2022.03.08/lemonldap/templates/nginx-lmlog.conf
new file mode 100644
index 0000000..16a218b
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/lemonldap/templates/nginx-lmlog.conf
@@ -0,0 +1,6 @@
+log_format lm_combined '$remote_addr - $upstream_http_lm_remote_custom [$time_local] '
+        '"$request" $status $body_bytes_sent '
+        '"$http_referer" "$http_user_agent" $upstream_http_lm_remote_custom';
+log_format lm_app '$remote_addr - $upstream_http_lm_remote_user [$time_local] '
+        '"$request" $status $body_bytes_sent '
+        '"$http_referer" "$http_user_agent" $upstream_http_lm_remote_custom';
diff --git a/seed/applicationservice/2022.03.08/lemonldap/templates/portal-nginx.conf b/seed/applicationservice/2022.03.08/lemonldap/templates/portal-nginx.conf
new file mode 100644
index 0000000..7b5cfca
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/lemonldap/templates/portal-nginx.conf
@@ -0,0 +1,161 @@
+# Uncomment this if you use Auth SSL:
+#map $ssl_client_s_dn  $ssl_client_s_dn_cn {
+#  default           "";
+#  ~/CN=(?<CN>[^/]+) $CN;
+#}
+#>GNUNUX
+map $ssl_client_s_dn  $ssl_client_s_dn_cn {
+  default           "";
+  ~/CN=(?<CN>[^/]+) $CN;
+}
+#<GNUNUX
+
+# FastCGI backend definition
+upstream llng_portal_upstream {
+    server unix:/var/run/llng-fastcgi-server/llng-fastcgi.sock;
+}
+
+server {
+  listen 127.0.0.1:80;
+  server_name localhost;
+  root /usr/share/lemonldap-ng/portal/htdocs/;
+  if ($uri !~ ^/((static|javascript|favicon|.internal-well-known).*|.*\.psgi)) {
+    rewrite ^/(.*)$ /index.psgi/$1 break;
+  }
+  location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
+    include /etc/nginx/fastcgi_params;
+    fastcgi_pass llng_portal_upstream;
+    fastcgi_param REQUEST_URI /.well-known/openid-configuration;
+    fastcgi_param HTTP_HOST %%domain_name_eth0;
+    fastcgi_param LLTYPE psgi;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
+    fastcgi_param PATH_INFO  $fastcgi_path_info;
+  }
+}
+
+server {
+  # GNUNUX listen 80;
+  # GNUNUX listen [::]:80;
+  # GNUNUX server_name auth.example.com;
+#>GNUNUX
+  listen 443 ssl;
+  server_name %%revprox_client_external_domainname;
+  ssl_certificate %%revprox_cert_file;
+  ssl_certificate_key %%revprox_key_file;
+  ssl_client_certificate %%revprox_ca_file;
+  ssl_session_cache shared:SSL:10m;
+#<GNUNUX
+  root /usr/share/lemonldap-ng/portal/htdocs/;
+  # Use "lm_app" format to get username in nginx.log (see nginx-lmlog.conf)
+  #access_log /var/log/nginx/portal.log lm_app;
+
+  # Uncomment this if you are running behind a reverse proxy and want
+  # LemonLDAP::NG to see the real IP address of the end user
+  # Adjust the settings to match the IP address of your reverse proxy
+  # and the header containing the original IP address
+  # As an alternative, you can use the PROXY protocol
+  #
+  #set_real_ip_from  127.0.0.1;
+  #real_ip_header    X-Forwarded-For;
+#>GNUNUX
+  set_real_ip_from  %%revprox_client_server_ip;
+  real_ip_header    X-Forwarded-For;
+#<GNUNUX
+
+  if ($uri !~ ^/((static|javascript|favicon|.well-known).*|.*\.psgi)) {
+    rewrite ^/(.*)$ /index.psgi/$1 break;
+  }
+
+  location ~ ^(?<sc>/.*\.psgi)(?:$|/) {
+    # Note that Content-Security-Policy header is generated by portal itself
+
+    # FastCGI configuration
+    include /etc/nginx/fastcgi_params;
+    fastcgi_pass llng_portal_upstream;
+    fastcgi_param LLTYPE psgi;
+    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+    fastcgi_split_path_info ^(.*\.psgi)(/.*)$;
+    fastcgi_param PATH_INFO  $fastcgi_path_info;
+    # Uncomment this if you use Auth SSL:
+    #fastcgi_param  SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;
+#>GNUNUX
+    fastcgi_param  SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;
+#<GNUNUX
+
+    # OR TO USE uWSGI
+    #include /etc/nginx/uwsgi_params;
+    #uwsgi_pass 127.0.0.1:5000;
+    #uwsgi_param LLTYPE psgi;
+    #uwsgi_param SCRIPT_FILENAME $document_root$sc;
+    #uwsgi_param SCRIPT_NAME $sc;
+    # Uncomment this if you use Auth SSL:
+    #uwsgi_param  SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;
+#>GNUNUX
+    uwsgi_param  SSL_CLIENT_S_DN_CN $ssl_client_s_dn_cn;
+#<GNUNUX
+
+    # REST/SOAP functions for sessions management (disabled by default)
+    location ~ ^/index.psgi/adminSessions {
+      fastcgi_pass llng_portal_upstream;
+      allow %%revprox_client_server_ip;
+      deny all;
+    }
+
+    # REST/SOAP functions for proxy auth and password reset (disabled by default)
+    location ~ ^/index.psgi/proxy {
+      fastcgi_pass llng_portal_upstream;
+      allow %%revprox_client_server_ip;
+      deny all;
+    }
+
+    # REST/SOAP functions for sessions access (disabled by default)
+    location ~ ^/index.psgi/sessions {
+      fastcgi_pass llng_portal_upstream;
+      allow %%revprox_client_server_ip;
+      deny all;
+    }
+
+    # REST/SOAP functions for configuration access (disabled by default)
+    location ~ ^/index.psgi/config {
+      fastcgi_pass llng_portal_upstream;
+      allow %%revprox_client_server_ip;
+      deny all;
+    }
+
+    # REST/SOAP functions for notification insertion (disabled by default)
+    location ~ ^/index.psgi/notification {
+      fastcgi_pass llng_portal_upstream;
+      allow %%revprox_client_server_ip;
+      deny all;
+    }
+
+  }
+
+  index index.psgi;
+  location / {
+    try_files $uri $uri/ =404;
+
+    # Uncomment this if you use https only
+    #add_header Strict-Transport-Security "max-age=15768000";
+#>GNUNUX
+    add_header Strict-Transport-Security "max-age=15768000";
+#<GNUNUX
+  }
+
+  location /static/ {
+    alias /usr/share/lemonldap-ng/portal/htdocs/static/;
+  }
+
+  # DEBIAN
+  # If install was made with USEDEBIANLIBS (official releases), uncomment this
+  location /javascript/ {
+    alias /usr/share/javascript/;
+  }
+#>GNUNUX
+# rewrite well-known
+  location /.well-known/openid-configuration {
+    root /var/www/html;
+  }
+#<GNUNUX
+}
diff --git a/seed/applicationservice/2022.03.08/lemonldap/templates/tmpfile-lemonldap.conf b/seed/applicationservice/2022.03.08/lemonldap/templates/tmpfile-lemonldap.conf
new file mode 100644
index 0000000..dd4d8af
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/lemonldap/templates/tmpfile-lemonldap.conf
@@ -0,0 +1,12 @@
+L     /etc/nginx/snippets/llng-lua-headers.conf               -    -    -     -           /etc/lemonldap-ng/nginx-lua-headers.conf
+#L     /etc/nginx/sites-enabled/handler-nginx.conf             -    -    -     -           /etc/nginx/sites-available/handler-nginx.conf 
+L     /etc/nginx/sites-enabled/portal-nginx.conf              -    -    -     -           /etc/nginx/sites-available/portal-nginx.conf  
+d     /srv/lemonldap-ng 750 www-data www-data - -
+d     /srv/lemonldap-ng/captcha 750 www-data www-data - -
+d     /srv/lemonldap-ng/notifications 750 www-data www-data - -
+d     /srv/lemonldap-ng/psessions 750 www-data www-data - -
+d     /srv/lemonldap-ng/psessions/lock 750 www-data www-data - -
+d     /srv/lemonldap-ng/sessions 750 www-data www-data - -
+d     /srv/lemonldap-ng/sessions/lock 750 www-data www-data - -
+d     /srv/lemonldap-ng/cache 750 www-data www-data - -
+d     /var/www/html/.well-known 755 root root - -
diff --git a/seed/applicationservice/2022.03.08/mailman/DEBUG.md b/seed/applicationservice/2022.03.08/mailman/DEBUG.md
new file mode 100644
index 0000000..871c9ed
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mailman/DEBUG.md
@@ -0,0 +1,44 @@
+# list config
+su - mailman -s /bin/bash -c "mailman3 conf"
+
+# add members
+echo "gnunux@gnunux.info" > /tmp/test
+su - mailman -s /bin/bash -c "mailman3 addmembers /tmp/test list1@lists.gnunux.info"
+
+# try to send mail
+from mailman.mta.connection import Connection, as_SecureMode
+from lazr.config import as_boolean
+from mailman.config import config
+from importlib_resources import read_text  
+from zope.configuration import xmlconfig
+
+xmlconfig.string(read_text('mailman.config', 'configure.zcml'))
+config.load('/etc/mailman.cfg')
+
+connection = Connection(
+     config.mta.smtp_host, int(config.mta.smtp_port), 0,
+     config.mta.smtp_user, config.mta.smtp_pass,
+     as_SecureMode(config.mta.smtp_secure_mode),
+     as_boolean(config.mta.smtp_verify_cert),
+     as_boolean(config.mta.smtp_verify_hostname))
+
+
+
+connection.sendmail('gnunux@gnunux.info', ['gnunux@gnunux.info'], """\
+From: gnunux@gnunux.info
+To: gnunux@gnunux.info
+Subject: test
+
+""")
+
+# admin password for postorius
+
+echo "ACCOUNT_EMAIL_VERIFICATION = 'none'" >> /etc/mailman3.d/postorius.py
+systemctl restart postorius
+export MAILMAN_WEB_CONFIG=/usr/share/postorius/m_postorius/settings.py
+/usr/share/postorius/manage.py changepassword admin@gnunux.info 
+
+# debug postorius
+
+echo "DEBUG=True" >> /etc/mailman3.d/postorius.py
+systemctl restart postorius
diff --git a/seed/applicationservice/2022.03.08/mailman/FIXME.md b/seed/applicationservice/2022.03.08/mailman/FIXME.md
new file mode 100644
index 0000000..66a4222
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mailman/FIXME.md
@@ -0,0 +1,3 @@
+Jusqu'à la version 0.49 de django-allauth :
+
+Récupération de : https://github.com/pennersr/django-allauth/tree/master/allauth/socialaccount/providers/lemonldap
diff --git a/seed/applicationservice/2022.03.08/mailman/applicationservice.yml b/seed/applicationservice/2022.03.08/mailman/applicationservice.yml
new file mode 100644
index 0000000..7ade44c
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mailman/applicationservice.yml
@@ -0,0 +1,9 @@
+format: '0.1'
+description: Gestionnaire de liste de diffusion Mailman
+depends:
+  - base-fedora-35
+  - postgresql-client
+  - relay-mail-client
+  - reverse-proxy-client
+  - nginx-common
+  - oauth2-client
diff --git a/seed/applicationservice/2022.03.08/mailman/dictionaries/31_mailman.xml b/seed/applicationservice/2022.03.08/mailman/dictionaries/31_mailman.xml
new file mode 100644
index 0000000..f024d84
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mailman/dictionaries/31_mailman.xml
@@ -0,0 +1,62 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name="mailman3" target="multi-user">
+      <override/>
+      <file owner="root" group="mailman" mode="640">/etc/mailman.cfg</file>
+      <file owner="root" group="mailman" mode="640">/etc/mailman3.d/postfix.cfg</file>
+      <file engine="none" source="sysuser-mailman.conf">/sysusers.d/0mailman.conf</file>
+      <file engine="none" source="tmpfile-mailman.conf">/tmpfiles.d/0mailman.conf</file>
+    </service>
+    <service name="postorius" target="multi-user" engine="creole">
+      <file engine="none">/etc/postorius/gunicorn_config.py</file>
+      <file engine="none" source="sysuser-postorius.conf">/sysusers.d/0postorius.conf</file>
+      <file source="config-nginx.conf">/etc/nginx/conf.d/postorius.conf</file>
+      <file source="postorius-settings.py">/etc/mailman3.d/postorius.py</file>
+    </service>
+  </services>
+  <variables>
+    <family name="mailman" description="Gestionnaire de liste">
+      <variable name="mailman_mail_owner" type="mail" description="Courriel du gestionnaire de liste du site"/>
+      <variable name="mailman_domains" type="domainname" description="Nom de domaine des listes" multi="True" mandatory="True" provider="domain_list"/>
+      <variable name="postorius_secret_key" type="password" description="Internal secret key" mandatory="True" hidden="True" auto_save="True"/>
+    </family>
+    <family name="nginx">
+      <variable name="revprox_client_location" redefine="True">
+        <value>/mailman</value>
+      </variable>
+    </family>
+    <family name="oauth2_client">
+      <variable name="oauth2_is_client_application" redefine='True'>
+        <value>True</value>
+      </variable>
+      <variable name="oauth2_client_name" redefine='True'>
+        <value>Liste de distribution</value>
+      </variable>
+      <variable name="oauth2_client_description" redefine='True'>
+        <value>Liste de distribution Mailman</value>
+      </variable>
+      <variable name="oauth2_client_token_signature_algo" redefine="True">
+        <value>RS256</value>
+      </variable>
+      <variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="get_password">
+      <param name="server_name" type="variable">domain_name_eth0</param>
+      <param name="username">postorius</param>
+      <param name="description">secret_key</param>
+      <param name="type">cleartext</param>
+      <target>postorius_secret_key</target>
+    </fill>
+    <fill name="calc_value">
+      <param>https://</param>
+      <param type="variable">revprox_client_external_domainname</param>
+      <param type="variable">revprox_client_location</param>
+      <param>/accounts/risotto/login/</param>
+      <param name="join"></param>
+      <target>oauth2_client_external</target>
+    </fill>
+  </constraints>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/mailman/extras/machine/20_mailman.xml b/seed/applicationservice/2022.03.08/mailman/extras/machine/20_mailman.xml
new file mode 100644
index 0000000..ce5c6c8
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mailman/extras/machine/20_mailman.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rougail version="0.10">
+  <variables>
+    <variable name="var_size" redefine="True">
+      <value>256</value>
+    </variable>
+    <variable name="add_tmp" redefine="True">
+      <value>False</value>
+    </variable>
+    <variable name="add_srv" redefine="True">
+      <value>True</value>
+    </variable>
+    <variable name="add_swap" redefine="True">
+      <value>False</value>
+    </variable>
+    <variable name='memory' redefine="True" exists="True">
+      <value>512</value>
+    </variable>
+  </variables>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/mailman/extras/mailman/20_mailman.xml b/seed/applicationservice/2022.03.08/mailman/extras/mailman/20_mailman.xml
new file mode 100644
index 0000000..4811ffe
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mailman/extras/mailman/20_mailman.xml
@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rougail version="0.10">
+  <variables>
+    <family name="list_" description="Listes du domaine " dynamic="mailman_domains">
+      <variable name="name_" description="Nom des listes" type="unix_user" multi="True" mandatory="True"/>
+      <variable name="names_" description="Address names" type="string" multi="True" mandatory="True" hidden="True"/>
+    </family>
+    <variable name="names_" description="Address names" type="string" multi="True" mandatory="True" hidden="True"/>
+  </variables>
+  <constraints>
+    <fill name="mailman_emails">
+      <param type="variable">mailman.list_.name_</param>
+      <param type="suffix"/>
+      <target>mailman.list_.names_</target>
+    </fill>
+    <fill name="mailman_concat">
+      <param type="variable">mailman.list_.names_</param>
+      <target>mailman.names_</target>
+    </fill>
+    <check name="set_linked_configuration">
+      <param name="linked_server" type="variable">smtp_relay_address</param>
+      <param name="linked_provider">lmtp_server</param>
+      <param name="linked_value" type="variable">domain_name_eth0</param>
+      <target>mailman.names_</target>
+    </check>
+    <check name="set_linked_configuration">
+      <param name="linked_server" type="variable">smtp_relay_address</param>
+      <param name="linked_provider">lmtp_criteria</param>
+      <param name="dynamic" type="variable">domain_name_eth0</param>
+      <target>mailman.names_</target>
+    </check>
+  </constraints>
+</rougail>
+
+
diff --git a/seed/applicationservice/2022.03.08/mailman/funcs/mailman.py b/seed/applicationservice/2022.03.08/mailman/funcs/mailman.py
new file mode 100644
index 0000000..ff94fd2
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mailman/funcs/mailman.py
@@ -0,0 +1,21 @@
+from utils import multi_function as _multi_function
+from itertools import chain
+
+
+@_multi_function
+def mailman_emails(lists, domain):
+    ret = []
+    for lst in lists:
+        for suffix in [None, 'bounces', 'confirm', 'join', 'leave', 'owner', 'request', 'subscribe', 'unsubscribe']:
+            if suffix:
+                lst_name = lst + '-' + suffix
+            else:
+                lst_name = lst
+            ret.append(lst_name + '@' + domain)
+    return ret
+
+
+@_multi_function
+def mailman_concat(lists):
+    # list of lists to a single list
+    return list(chain(*lists))
diff --git a/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/lemonldap/__init__.py b/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/lemonldap/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/lemonldap/provider.py b/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/lemonldap/provider.py
new file mode 100644
index 0000000..d8883f8
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/lemonldap/provider.py
@@ -0,0 +1,35 @@
+# -*- coding: utf-8 -*-
+from allauth.socialaccount.providers.base import ProviderAccount
+from allauth.socialaccount.providers.oauth2.provider import OAuth2Provider
+
+
+class LemonLDAPAccount(ProviderAccount):
+    def get_avatar_url(self):
+        return self.account.extra_data.get("picture")
+
+    def to_str(self):
+        dflt = super(LemonLDAPAccount, self).to_str()
+        return self.account.extra_data.get("name", dflt)
+
+
+class LemonLDAPProvider(OAuth2Provider):
+    id = "lemonldap"
+    name = "LemonLDAP::NG"
+    account_class = LemonLDAPAccount
+
+    def get_default_scope(self):
+        return ["openid", "profile", "email"]
+
+    def extract_uid(self, data):
+        return str(data["id"])
+
+    def extract_common_fields(self, data):
+        return dict(
+            email=data.get("email"),
+            username=data.get("preferred_username"),
+            name=data.get("name"),
+            picture=data.get("picture"),
+        )
+
+
+provider_classes = [LemonLDAPProvider]
diff --git a/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/lemonldap/urls.py b/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/lemonldap/urls.py
new file mode 100644
index 0000000..264dfed
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/lemonldap/urls.py
@@ -0,0 +1,8 @@
+# -*- coding: utf-8 -*-
+from allauth.socialaccount.providers.lemonldap.provider import (
+    LemonLDAPProvider,
+)
+from allauth.socialaccount.providers.oauth2.urls import default_urlpatterns
+
+
+urlpatterns = default_urlpatterns(LemonLDAPProvider)
diff --git a/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/lemonldap/views.py b/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/lemonldap/views.py
new file mode 100644
index 0000000..53a76cf
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/lemonldap/views.py
@@ -0,0 +1,39 @@
+# -*- coding: utf-8 -*-
+import requests
+
+from allauth.socialaccount import app_settings
+from allauth.socialaccount.providers.lemonldap.provider import (
+    LemonLDAPProvider,
+)
+from allauth.socialaccount.providers.oauth2.views import (
+    OAuth2Adapter,
+    OAuth2CallbackView,
+    OAuth2LoginView,
+)
+
+
+class LemonLDAPOAuth2Adapter(OAuth2Adapter):
+    provider_id = LemonLDAPProvider.id
+    supports_state = True
+
+    settings = app_settings.PROVIDERS.get(provider_id, {})
+    provider_base_url = settings.get("LEMONLDAP_URL")
+
+    access_token_url = "{0}/oauth2/token".format(provider_base_url)
+    authorize_url = "{0}/oauth2/authorize".format(provider_base_url)
+    profile_url = "{0}/oauth2/userinfo".format(provider_base_url)
+
+    def complete_login(self, request, app, token, response):
+        response = requests.post(
+            self.profile_url, headers={"Authorization": "Bearer " + str(token)}
+        )
+        response.raise_for_status()
+        extra_data = response.json()
+        extra_data["id"] = extra_data["sub"]
+        del extra_data["sub"]
+
+        return self.get_provider().sociallogin_from_response(request, extra_data)
+
+
+oauth2_login = OAuth2LoginView.adapter_view(LemonLDAPOAuth2Adapter)
+oauth2_callback = OAuth2CallbackView.adapter_view(LemonLDAPOAuth2Adapter)
diff --git a/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/postorius.sh b/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/postorius.sh
new file mode 100644
index 0000000..483a88b
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/postorius.sh
@@ -0,0 +1,8 @@
+PYTHON="usr/lib/python3.10/site-packages"
+cp -a "mailman/postinstall/lemonldap" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/"
+cp -a "mailman/postinstall/risotto" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/"
+cp -a "mailman/postinstall/postorius" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius"
+chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius/manage.py"
+ln -s /etc/mailman3.d/postorius.py "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius/m_postorius/settings_local.py"
+ln -s ../../django_mailman3/static/django-mailman3 "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/postorius/static/"
+ln -s ../../django/contrib/admin/static/admin "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/postorius/static/"
diff --git a/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/postorius/README.md b/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/postorius/README.md
new file mode 100644
index 0000000..02c315f
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/postorius/README.md
@@ -0,0 +1 @@
+From mailman-web
diff --git a/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/postorius/m_postorius/__init__.py b/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/postorius/m_postorius/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/postorius/m_postorius/settings.py b/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/postorius/m_postorius/settings.py
new file mode 100644
index 0000000..64dce24
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/postorius/m_postorius/settings.py
@@ -0,0 +1,314 @@
+# -*- coding: utf-8 -*-
+# Copyright (C) 1998-2021 by the Free Software Foundation, Inc.
+#
+# This file is part of Postorius.
+#
+# Postorius is free software: you can redistribute it and/or modify it under
+# the terms of the GNU General Public License as published by the Free
+# Software Foundation, either version 3 of the License, or (at your option)
+# any later version.
+#
+# Postorius is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along with
+# Postorius.  If not, see <http://www.gnu.org/licenses/>.
+
+"""
+Django settings for postorius project.
+
+For more information on this file, see
+https://docs.djangoproject.com/en/1.9/topics/settings/
+
+For the full list of settings and their values, see
+https://docs.djangoproject.com/en/1.9/ref/settings/
+"""
+
+# Build paths inside the project like this: os.path.join(BASE_DIR, ...)
+import os
+
+# Compatibility with Bootstrap 3
+from django.contrib.messages import constants as messages
+
+
+BASE_DIR = os.path.dirname(os.path.abspath(__file__))
+
+
+# Quick-start development settings - unsuitable for production
+# See https://docs.djangoproject.com/en/1.9/howto/deployment/checklist/
+
+# SECURITY WARNING: keep the secret key used in production secret!
+SECRET_KEY = 'MyVerrySecretKey'
+
+# SECURITY WARNING: don't run with debug turned on in production!
+DEBUG = False
+
+ADMINS = (
+    #('Admin', 'webmaster@example.com'),
+)
+
+SITE_ID = 1
+
+ALLOWED_HOSTS = []
+
+# Mailman API credentials
+MAILMAN_REST_API_URL = 'http://localhost:8001'
+MAILMAN_REST_API_USER = 'restadmin'
+MAILMAN_REST_API_PASS = 'restpass'
+
+
+# Application definition
+
+INSTALLED_APPS = (
+    'django.contrib.admin',
+    'django.contrib.auth',
+    'django.contrib.contenttypes',
+    'django.contrib.sessions',
+    'django.contrib.sites',
+    'django.contrib.messages',
+    'django.contrib.staticfiles',
+    'postorius',
+    'django_mailman3',
+    'django_gravatar',
+    'allauth',
+    'allauth.account',
+    'allauth.socialaccount',
+    'allauth.socialaccount.providers.risotto',
+# GNUNUX    'allauth.socialaccount.providers.openid',
+# GNUNUX    'django_mailman3.lib.auth.fedora',
+# GNUNUX    'allauth.socialaccount.providers.github',
+# GNUNUX    'allauth.socialaccount.providers.gitlab',
+# GNUNUX    'allauth.socialaccount.providers.google',
+# GNUNUX    # 'allauth.socialaccount.providers.facebook',
+# GNUNUX    'allauth.socialaccount.providers.twitter',
+# GNUNUX    'allauth.socialaccount.providers.stackexchange',
+#>GNUNUX
+    'corsheaders',
+#<GNUNUX
+)
+
+
+MIDDLEWARE = [
+    'django.contrib.sessions.middleware.SessionMiddleware',
+    'django.middleware.common.CommonMiddleware',
+    'django.middleware.csrf.CsrfViewMiddleware',
+    'django.middleware.locale.LocaleMiddleware',
+    'django.contrib.auth.middleware.AuthenticationMiddleware',
+    'django.contrib.messages.middleware.MessageMiddleware',
+    'django.middleware.clickjacking.XFrameOptionsMiddleware',
+    'django.middleware.security.SecurityMiddleware',
+    'django_mailman3.middleware.TimezoneMiddleware',
+    'postorius.middleware.PostoriusMiddleware',
+#>GNUNUX
+    'corsheaders.middleware.CorsMiddleware',
+#<GNUNUX
+]
+
+# Set `postorius.urls` as main url config if Postorius
+# is the only app you want to serve.
+ROOT_URLCONF = 'urls'
+
+
+TEMPLATES = [
+    {
+        'BACKEND': 'django.template.backends.django.DjangoTemplates',
+        'DIRS': [],
+        'APP_DIRS': True,
+        'OPTIONS': {
+            'context_processors': [
+                'django.template.context_processors.debug',
+                'django.template.context_processors.i18n',
+                'django.template.context_processors.media',
+                'django.template.context_processors.static',
+                'django.template.context_processors.tz',
+                'django.template.context_processors.csrf',
+                'django.template.context_processors.request',
+                'django.contrib.auth.context_processors.auth',
+                'django.contrib.messages.context_processors.messages',
+                'django_mailman3.context_processors.common',
+                'postorius.context_processors.postorius',
+            ],
+        },
+    },
+]
+
+WSGI_APPLICATION = 'wsgi.application'
+
+
+# Database
+# https://docs.djangoproject.com/en/1.9/ref/settings/#databases
+
+DATABASES = {
+    'default': {
+        'ENGINE': 'django.db.backends.sqlite3',
+        'NAME': os.path.join(BASE_DIR, 'postorius.db'),
+    }
+}
+
+# Maintain type of autogenerated keys going forward
+# https://docs.djangoproject.com/en/3.2/releases/3.2/#customizing-type-of-auto-created-primary-keys
+DEFAULT_AUTO_FIELD = 'django.db.models.AutoField'
+
+# Password validation
+# https://docs.djangoproject.com/en/1.9/ref/settings/#auth-password-validators
+
+AUTH_PASSWORD_VALIDATORS = [
+    {
+        'NAME': 'django.contrib.auth.password_validation.UserAttributeSimilarityValidator',
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.MinimumLengthValidator',
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.CommonPasswordValidator',
+    },
+    {
+        'NAME': 'django.contrib.auth.password_validation.NumericPasswordValidator',
+    },
+]
+
+# Internationalization
+# https://docs.djangoproject.com/en/1.9/topics/i18n/
+
+LANGUAGE_CODE = 'en-us'
+
+TIME_ZONE = 'UTC'
+
+USE_I18N = True
+
+USE_L10N = True
+
+USE_TZ = True
+
+
+# Static files (CSS, JavaScript, Images)
+# https://docs.djangoproject.com/en/1.9/howto/static-files/
+
+
+# Absolute path to the directory static files should be collected to.
+# Don't put anything in this directory yourself; store your static files
+# in apps' "static/" subdirectories and in STATICFILES_DIRS.
+# Example: "/var/www/example.com/static/"
+STATIC_ROOT = os.path.join(BASE_DIR, 'static')
+
+# URL prefix for static files.
+# Example: "http://example.com/static/", "http://static.example.com/"
+STATIC_URL = '/static/'
+
+LOGIN_URL = 'account_login'
+LOGIN_REDIRECT_URL = 'list_index'
+LOGOUT_URL = 'account_logout'
+
+
+
+# From Address for emails sent to users
+DEFAULT_FROM_EMAIL = 'postorius@localhost.local'
+# From Address for emails sent to admins
+SERVER_EMAIL = 'root@localhost.local'
+MESSAGE_TAGS = {
+    messages.ERROR: 'danger'
+}
+
+
+AUTHENTICATION_BACKENDS = (
+    'django.contrib.auth.backends.ModelBackend',
+    'allauth.account.auth_backends.AuthenticationBackend',
+)
+
+# Django Allauth
+ACCOUNT_AUTHENTICATION_METHOD = "username_email"
+ACCOUNT_EMAIL_REQUIRED = True
+ACCOUNT_EMAIL_VERIFICATION = "mandatory"
+ACCOUNT_DEFAULT_HTTP_PROTOCOL = "https"
+ACCOUNT_UNIQUE_EMAIL  = True
+
+# GNUNUX SOCIALACCOUNT_PROVIDERS = {
+# GNUNUX     'openid': {
+# GNUNUX         'SERVERS': [
+# GNUNUX             dict(id='yahoo',
+# GNUNUX                  name='Yahoo',
+# GNUNUX                  openid_url='http://me.yahoo.com'),
+# GNUNUX         ],
+# GNUNUX     },
+# GNUNUX     'google': {
+# GNUNUX         'SCOPE': ['profile', 'email'],
+# GNUNUX         'AUTH_PARAMS': {'access_type': 'online'},
+# GNUNUX     },
+# GNUNUX     'facebook': {
+# GNUNUX        'METHOD': 'oauth2',
+# GNUNUX        'SCOPE': ['email'],
+# GNUNUX        'FIELDS': [
+# GNUNUX            'email',
+# GNUNUX            'name',
+# GNUNUX            'first_name',
+# GNUNUX            'last_name',
+# GNUNUX            'locale',
+# GNUNUX            'timezone',
+# GNUNUX            ],
+# GNUNUX        'VERSION': 'v2.4',
+# GNUNUX     },
+# GNUNUX }
+
+
+
+# These can be set to override the defaults but are not mandatory:
+# EMAIL_CONFIRMATION_TEMPLATE = 'postorius/address_confirmation_message.txt'
+# EMAIL_CONFIRMATION_SUBJECT = 'Confirmation needed'
+
+
+LOGGING = {
+    'version': 1,
+    'disable_existing_loggers': False,
+    'handlers': {
+        'console': {
+            'class': 'logging.StreamHandler',
+            'formatter': 'simple',
+        },
+        'file':{
+            'level': 'INFO',
+            #'class': 'logging.handlers.RotatingFileHandler',
+            'class': 'logging.handlers.WatchedFileHandler',
+# GNUNUX            'filename': os.path.join(BASE_DIR, 'logs', 'postorius.log'),
+#>GNUNUX
+            'filename': os.path.join('/var/log/mailman', 'postorius.log'),
+#<GNUNUX
+            'formatter': 'verbose',
+        },
+    },
+    'loggers': {
+        'django': {
+            'handlers': ['console', 'file'],
+            'level': 'INFO',
+        },
+        'django.request': {
+            'handlers': ['console', 'file'],
+            'level': 'ERROR',
+        },
+        'postorius': {
+            'handlers': ['console', 'file'],
+            'level': 'DEBUG',
+        }
+    },
+    'formatters': {
+        'simple': {
+            'format': '%(levelname)s: %(message)s'
+        },
+        'verbose': {
+            'format': '%(levelname)s %(asctime)s %(process)d %(name)s %(message)s'
+        },
+    },
+}
+
+
+POSTORIUS_TEMPLATE_BASE_URL = "http://localhost:8000"
+
+
+if DEBUG:
+    MIDDLEWARE.append('postorius.middleware.APICountingMiddleware')
+
+try:
+    from settings_local import *
+except ImportError:
+    pass
diff --git a/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/postorius/m_postorius/urls.py b/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/postorius/m_postorius/urls.py
new file mode 100644
index 0000000..4e5e69f
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/postorius/m_postorius/urls.py
@@ -0,0 +1,35 @@
+# -*- coding: utf-8 -*-
+# Copyright (C) 1998-2016 by the Free Software Foundation, Inc.
+#
+# This file is part of Postorius.
+#
+# Postorius is free software: you can redistribute it and/or modify it under
+# the terms of the GNU General Public License as published by the Free
+# Software Foundation, either version 3 of the License, or (at your option)
+# any later version.
+#
+# Postorius is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along with
+# Postorius.  If not, see <http://www.gnu.org/licenses/>.
+
+from django.conf.urls import include, url
+from django.contrib import admin
+from django.urls import reverse_lazy
+from django.views.generic import RedirectView
+
+urlpatterns = [
+    url(r'^$', RedirectView.as_view(
+        url=reverse_lazy('list_index'),
+        permanent=True)),
+    url(r'^postorius/', include('postorius.urls')),
+# GNUNUX    url(r'^archives/', include('hyperkitty.urls')),
+    url(r'', include('django_mailman3.urls')),
+    url(r'^accounts/', include('allauth.urls')),
+    # Django admin
+    url(r'^admin/', admin.site.urls),
+]
+
diff --git a/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/postorius/m_postorius/wsgi.py b/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/postorius/m_postorius/wsgi.py
new file mode 100644
index 0000000..fdd862a
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/postorius/m_postorius/wsgi.py
@@ -0,0 +1,19 @@
+"""
+WSGI config for Mialman-web
+
+It exposes the WSGI callable as a module-level variable named ``application``.
+
+For more information on this file, see
+https://docs.djangoproject.com/en/2.2/howto/deployment/wsgi/
+"""
+
+import os
+
+from django.core.wsgi import get_wsgi_application
+# GNUNUX from mailman_web.manage import setup
+#>GNUNUX
+from manage import setup
+#<GNUNUX
+
+setup()
+application = get_wsgi_application()
diff --git a/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/postorius/manage.py b/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/postorius/manage.py
new file mode 100755
index 0000000..1152876
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/postorius/manage.py
@@ -0,0 +1,34 @@
+#!/usr/bin/env python
+import os
+import sys
+from pathlib import Path
+
+def setup():
+    """Setup environment for Mailman web."""
+    if os.getenv('DJANGO_SETTINGS_MODULE') is not None:
+        return
+
+    MAILMAN_WEB_CONFIG = os.getenv('MAILMAN_WEB_CONFIG', '/etc/mailman3/settings.py')
+
+    if not os.path.exists(MAILMAN_WEB_CONFIG):
+        print('Mailman web configuration file at {} does not exist'.format(
+              MAILMAN_WEB_CONFIG), file=sys.stderr)
+        print('Modify "MAILMAN_WEB_CONFIG" environment variable to point at '
+              'settings.py', file=sys.stderr)
+        sys.exit(1)
+
+    config_path = Path(MAILMAN_WEB_CONFIG).resolve()
+    sys.path.append(str(config_path.parent))
+
+    os.environ['DJANGO_SETTINGS_MODULE'] = config_path.stem
+
+def main():
+    setup()
+
+    os.environ['DJANGO_IS_MANAGEMENT_COMMAND'] = '1'
+    from django.core.management import execute_from_command_line
+    execute_from_command_line(sys.argv)
+
+
+if __name__ == "__main__":
+    main()
diff --git a/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/risotto/__init__.py b/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/risotto/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/risotto/provider.py b/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/risotto/provider.py
new file mode 100644
index 0000000..dd39f1f
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/risotto/provider.py
@@ -0,0 +1,13 @@
+# -*- coding: utf-8 -*-
+from allauth.socialaccount.providers.lemonldap.provider import LemonLDAPAccount, LemonLDAPProvider
+from allauth.socialaccount import app_settings
+
+
+class RisottoProvider(LemonLDAPProvider):
+    id = "risotto"
+    settings = app_settings.PROVIDERS.get('risotto', {})
+    name = settings.get("LEMONLDAP_NAME", 'Risotto')
+    account_class = LemonLDAPAccount
+
+
+provider_classes = [RisottoProvider]
diff --git a/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/risotto/urls.py b/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/risotto/urls.py
new file mode 100644
index 0000000..68333cf
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/risotto/urls.py
@@ -0,0 +1,6 @@
+# -*- coding: utf-8 -*-
+from allauth.socialaccount.providers.risotto.provider import RisottoProvider
+from allauth.socialaccount.providers.oauth2.urls import default_urlpatterns
+
+
+urlpatterns = default_urlpatterns(RisottoProvider)
diff --git a/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/risotto/views.py b/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/risotto/views.py
new file mode 100644
index 0000000..7a3a415
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mailman/manual/image/postinstall/risotto/views.py
@@ -0,0 +1,25 @@
+# -*- coding: utf-8 -*-
+import requests
+
+from allauth.socialaccount.providers.lemonldap.views import LemonLDAPOAuth2Adapter
+from allauth.socialaccount.providers.risotto.provider import RisottoProvider
+from allauth.socialaccount import app_settings
+from allauth.socialaccount.providers.oauth2.views import (
+    OAuth2CallbackView,
+    OAuth2LoginView,
+)
+
+
+class RisottoOAuth2Adapter(LemonLDAPOAuth2Adapter):
+    provider_id = RisottoProvider.id
+    settings = app_settings.PROVIDERS.get(provider_id, {})
+    provider_base_url = settings.get("LEMONLDAP_URL")
+    provider_base_local_url = settings.get("LEMONLDAP_LOCAL_URL")
+    access_token_url = "{0}/oauth2/token".format(provider_base_local_url)
+    authorize_url = "{0}/oauth2/authorize".format(provider_base_url)
+    profile_url = "{0}/oauth2/userinfo".format(provider_base_local_url)
+
+
+
+oauth2_login = OAuth2LoginView.adapter_view(RisottoOAuth2Adapter)
+oauth2_callback = OAuth2CallbackView.adapter_view(RisottoOAuth2Adapter)
diff --git a/seed/applicationservice/2022.03.08/mailman/manual/image/preinstall/mailman.sh b/seed/applicationservice/2022.03.08/mailman/manual/image/preinstall/mailman.sh
new file mode 100644
index 0000000..fcc29ea
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mailman/manual/image/preinstall/mailman.sh
@@ -0,0 +1 @@
+PKG="$PKG mailman3 postorius python3-psycopg2 python-unversioned-command python3-django-cors-headers"
diff --git a/seed/applicationservice/2022.03.08/mailman/templates/config-nginx.conf b/seed/applicationservice/2022.03.08/mailman/templates/config-nginx.conf
new file mode 100644
index 0000000..5c928d7
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mailman/templates/config-nginx.conf
@@ -0,0 +1,42 @@
+server {
+    listen 443 ssl;
+    server_name %%domain_name_eth0;
+
+    ssl_client_certificate %%revprox_ca_file;
+    ssl_certificate        %%revprox_cert_file;
+    ssl_certificate_key    %%revprox_key_file;
+
+    charset utf-8;
+    client_max_body_size 75M;
+    root /usr/share/webapps/postorius;
+
+    location /mailman/postorius_static {
+        alias /usr/lib/python3.10/site-packages/postorius/static;
+    }
+    #FIXME user-profile seems to be in hyperkitty redirect in existing page
+    location /mailman/user-profile {
+        proxy_pass http://127.0.0.1:8002/postorius/users;
+        proxy_set_header        Host                    $http_host;
+        proxy_set_header        X-Real-IP               $remote_addr;
+        proxy_set_header        X-Forwarded-Host        $host;
+        proxy_set_header        X-Forwarded-Port        $server_port;
+        proxy_set_header        X-Forwarded-Server      $host;
+        proxy_set_header        X-Forwarded-For         $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Proto       $scheme;
+    }
+%for %%location in ['accounts', 'admin', 'postorius']
+    location /mailman/%%location {
+        proxy_pass http://127.0.0.1:8002/%%location;
+        proxy_set_header        Host                    $http_host;
+        proxy_set_header        X-Real-IP               $remote_addr;
+        proxy_set_header        X-Forwarded-Host        $host;
+        proxy_set_header        X-Forwarded-Port        $server_port;
+        proxy_set_header        X-Forwarded-Server      $host;
+        proxy_set_header        X-Forwarded-For         $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Proto       $scheme;
+    }
+%end for
+    location /mailman {
+        rewrite ^(/mailman/.*)$ /mailman/postorius/ permanent;
+    }
+}
diff --git a/seed/applicationservice/2022.03.08/mailman/templates/gunicorn_config.py b/seed/applicationservice/2022.03.08/mailman/templates/gunicorn_config.py
new file mode 100644
index 0000000..a061de9
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mailman/templates/gunicorn_config.py
@@ -0,0 +1,221 @@
+# FORK of https://raw.githubusercontent.com/benoitc/gunicorn/master/examples/example_config.py
+# Sample Gunicorn configuration file.
+
+#
+# Server socket
+#
+#   bind - The socket to bind.
+#
+#       A string of the form: 'HOST', 'HOST:PORT', 'unix:PATH'.
+#       An IP is a valid HOST.
+#
+#   backlog - The number of pending connections. This refers
+#       to the number of clients that can be waiting to be
+#       served. Exceeding this number results in the client
+#       getting an error when attempting to connect. It should
+#       only affect servers under significant load.
+#
+#       Must be a positive integer. Generally set in the 64-2048
+#       range.
+#
+
+bind = '127.0.0.1:8002'
+backlog = 2048
+
+#
+# Worker processes
+#
+#   workers - The number of worker processes that this server
+#       should keep alive for handling requests.
+#
+#       A positive integer generally in the 2-4 x $(NUM_CORES)
+#       range. You'll want to vary this a bit to find the best
+#       for your particular application's work load.
+#
+#   worker_class - The type of workers to use. The default
+#       sync class should handle most 'normal' types of work
+#       loads. You'll want to read
+#       http://docs.gunicorn.org/en/latest/design.html#choosing-a-worker-type
+#       for information on when you might want to choose one
+#       of the other worker classes.
+#
+#       A string referring to a Python path to a subclass of
+#       gunicorn.workers.base.Worker. The default provided values
+#       can be seen at
+#       http://docs.gunicorn.org/en/latest/settings.html#worker-class
+#
+#   worker_connections - For the eventlet and gevent worker classes
+#       this limits the maximum number of simultaneous clients that
+#       a single process can handle.
+#
+#       A positive integer generally set to around 1000.
+#
+#   timeout - If a worker does not notify the master process in this
+#       number of seconds it is killed and a new worker is spawned
+#       to replace it.
+#
+#       Generally set to thirty seconds. Only set this noticeably
+#       higher if you're sure of the repercussions for sync workers.
+#       For the non sync workers it just means that the worker
+#       process is still communicating and is not tied to the length
+#       of time required to handle a single request.
+#
+#   keepalive - The number of seconds to wait for the next request
+#       on a Keep-Alive HTTP connection.
+#
+#       A positive integer. Generally set in the 1-5 seconds range.
+#
+
+workers = 1
+worker_class = 'sync'
+worker_connections = 1000
+# GNUNUX timeout = 30
+#>GNUNUX
+timeout = 120
+#>GNUNUX
+keepalive = 2
+
+#
+#   spew - Install a trace function that spews every line of Python
+#       that is executed when running the server. This is the
+#       nuclear option.
+#
+#       True or False
+#
+
+spew = False
+
+#
+# Server mechanics
+#
+#   daemon - Detach the main Gunicorn process from the controlling
+#       terminal with a standard fork/fork sequence.
+#
+#       True or False
+#
+#   raw_env - Pass environment variables to the execution environment.
+#
+#   pidfile - The path to a pid file to write
+#
+#       A path string or None to not write a pid file.
+#
+#   user - Switch worker processes to run as this user.
+#
+#       A valid user id (as an integer) or the name of a user that
+#       can be retrieved with a call to pwd.getpwnam(value) or None
+#       to not change the worker process user.
+#
+#   group - Switch worker process to run as this group.
+#
+#       A valid group id (as an integer) or the name of a user that
+#       can be retrieved with a call to pwd.getgrnam(value) or None
+#       to change the worker processes group.
+#
+#   umask - A mask for file permissions written by Gunicorn. Note that
+#       this affects unix socket permissions.
+#
+#       A valid value for the os.umask(mode) call or a string
+#       compatible with int(value, 0) (0 means Python guesses
+#       the base, so values like "0", "0xFF", "0022" are valid
+#       for decimal, hex, and octal representations)
+#
+#   tmp_upload_dir - A directory to store temporary request data when
+#       requests are read. This will most likely be disappearing soon.
+#
+#       A path to a directory where the process owner can write. Or
+#       None to signal that Python should choose one on its own.
+#
+
+daemon = False
+raw_env = [
+    'DJANGO_SECRET_KEY=something',
+    'SPAM=eggs',
+]
+pidfile = None
+umask = 0
+user = None
+group = None
+tmp_upload_dir = None
+
+#
+#   Logging
+#
+#   logfile - The path to a log file to write to.
+#
+#       A path string. "-" means log to stdout.
+#
+#   loglevel - The granularity of log output
+#
+#       A string of "debug", "info", "warning", "error", "critical"
+#
+
+errorlog = '-'
+loglevel = 'info'
+accesslog = '-'
+access_log_format = '%(h)s %(l)s %(u)s %(t)s "%(r)s" %(s)s %(b)s "%(f)s" "%(a)s"'
+
+#
+# Process naming
+#
+#   proc_name - A base to use with setproctitle to change the way
+#       that Gunicorn processes are reported in the system process
+#       table. This affects things like 'ps' and 'top'. If you're
+#       going to be running more than one instance of Gunicorn you'll
+#       probably want to set a name to tell them apart. This requires
+#       that you install the setproctitle module.
+#
+#       A string or None to choose a default of something like 'gunicorn'.
+#
+
+proc_name = None
+
+#
+# Server hooks
+#
+#   post_fork - Called just after a worker has been forked.
+#
+#       A callable that takes a server and worker instance
+#       as arguments.
+#
+#   pre_fork - Called just prior to forking the worker subprocess.
+#
+#       A callable that accepts the same arguments as after_fork
+#
+#   pre_exec - Called just prior to forking off a secondary
+#       master process during things like config reloading.
+#
+#       A callable that takes a server instance as the sole argument.
+#
+
+def post_fork(server, worker):
+    server.log.info("Worker spawned (pid: %s)", worker.pid)
+
+def pre_fork(server, worker):
+    pass
+
+def pre_exec(server):
+    server.log.info("Forked child, re-executing.")
+
+def when_ready(server):
+    server.log.info("Server is ready. Spawning workers")
+
+def worker_int(worker):
+    worker.log.info("worker received INT or QUIT signal")
+
+    ## get traceback info
+    import threading, sys, traceback
+    id2name = {th.ident: th.name for th in threading.enumerate()}
+    code = []
+    for threadId, stack in sys._current_frames().items():
+        code.append("\n# Thread: %s(%d)" % (id2name.get(threadId,""),
+            threadId))
+        for filename, lineno, name, line in traceback.extract_stack(stack):
+            code.append('File: "%s", line %d, in %s' % (filename,
+                lineno, name))
+            if line:
+                code.append("  %s" % (line.strip()))
+    worker.log.debug("\n".join(code))
+
+def worker_abort(worker):
+    worker.log.info("worker received SIGABRT signal")
+
diff --git a/seed/applicationservice/2022.03.08/mailman/templates/mailman.cfg b/seed/applicationservice/2022.03.08/mailman/templates/mailman.cfg
new file mode 100644
index 0000000..2e3e34c
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mailman/templates/mailman.cfg
@@ -0,0 +1,54 @@
+# This is the absolute bare minimum base configuration file.  User supplied
+# configurations are pushed onto this.
+
+[mailman]
+# GNUNUX default_language: en
+#>GNUNUX
+default_language: fr
+#<GNUNUX
+# This address is the "site owner" address.  Certain messages which must be
+# delivered to a human, but which can't be delivered to a list owner (e.g. a
+# bounce from a list owner), will be sent to this address.  It should point to
+# a human.
+# GNUNUX site_owner: root@localhost
+site_owner: %%mailman_mail_owner
+
+# The local URL part to the administration interface (Postorius).
+# The full URL will be constructed by prepending the domain URL set in the
+# list's domain properties.
+#listinfo_url = /postorius/
+
+# Set the paths to be Fedora-compliant
+layout: fhs
+
+#>GNUNUX
+[database]  
+class: mailman.database.postgresql.PostgreSQLDatabase  
+url: postgresql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database
+#FIXME ?sslmode=require
+
+[mta]
+lmtp_host: %%ip_eth0
+configuration: /etc/mailman3.d/postfix.cfg
+smtp_host: %%smtp_relay_address
+smtp_user: %%smtp_relay_user@%%ip_eth0
+smtp_pass: %%smtp_relay_password
+smtp_port: 25
+smtp_secure_mode: starttls
+smtp_verify_cert: yes
+smtp_verify_hostname: yes
+#<GNUNUX
+
+[paths.fhs]
+bin_dir: /usr/libexec/mailman3
+# GNUNUX var_dir: /var/lib/mailman3
+# GNUNUX queue_dir: /var/spool/mailman3
+# GNUNUX log_dir: /var/log/mailman3
+#>GNUNUX
+var_dir: /srv/mailman/lib
+queue_dir: /srv/mailman/spool
+log_dir: /var/log/mailman
+#<GNUNUX
+lock_dir: /run/lock/mailman3
+ext_dir: /etc/mailman3.d
+pid_file: /run/mailman3/master.pid
diff --git a/seed/applicationservice/2022.03.08/mailman/templates/mailman3.service b/seed/applicationservice/2022.03.08/mailman/templates/mailman3.service
new file mode 100644
index 0000000..58932c6
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mailman/templates/mailman3.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Postorius WSGI Service
+After=postgresqlclient.service
+
+[Service]
+%for %%domain in %%mailman_domains
+ %set %%key = %%normalize_family(%%domain)
+ %for %%name in %%mailman['list_' + %%key]['name_' + %%key]
+ExecStartPre=-/usr/bin/mailman3 create --language fr -o %%mailman_mail_owner -N -d %%name@%%domain
+ %end for
+%end for
diff --git a/seed/applicationservice/2022.03.08/mailman/templates/postfix.cfg b/seed/applicationservice/2022.03.08/mailman/templates/postfix.cfg
new file mode 100644
index 0000000..7d06921
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mailman/templates/postfix.cfg
@@ -0,0 +1,14 @@
+# see /usr/lib/python3.10/site-packages/mailman/config/postfix.cfg
+[postfix]
+# Additional configuration variables for the postfix MTA.
+
+# This variable describe the program to use for regenerating the transport map
+# db file, from the associated plain text files.  The file being updated will
+# be appended to this string (with a separating space), so it must be
+# appropriate for os.system().
+postmap_command: /usr/sbin/postmap
+
+# This variable describes the type of transport maps that will be generated by
+# mailman to be used with postfix for LMTP transport. By default, it is set to
+# hash, but mailman also supports `regex` tables.
+transport_file_type: regex
diff --git a/seed/applicationservice/2022.03.08/mailman/templates/postorius-settings.py b/seed/applicationservice/2022.03.08/mailman/templates/postorius-settings.py
new file mode 100644
index 0000000..0a66a48
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mailman/templates/postorius-settings.py
@@ -0,0 +1,54 @@
+# -*- coding: utf-8 -*-
+SECRET_KEY = '%%postorius_secret_key'
+#FIXME same database has mailman?
+DATABASES = {
+    'default' : {
+        'ENGINE': 'django.db.backends.postgresql_psycopg2',
+        'NAME': '%%pg_client_database',         # Database name
+        'USER': '%%pg_client_username',               # PostgreSQL username
+        'PASSWORD': '%%pg_client_password',           # PostgreSQL password
+        'HOST': '%%pg_client_server_domainname',      # Database server
+        'PORT': '',               # Database port (leave blank for default)
+        'CONN_MAX_AGE': 300,      # Max database connection age
+    }
+}
+ALLOWED_HOSTS = ['%%revprox_client_external_domainname']
+POSTORIUS_TEMPLATE_BASE_URL = 'https://%%revprox_client_external_domainname'
+CSRF_TRUSTED_ORIGINS = ['%%revprox_client_external_domainname']
+USE_X_FORWARDED_HOST = True
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+LANGUAGE_CODE = 'fr'
+STATIC_URL = '/mailman/postorius_static/'
+FORCE_SCRIPT_NAME = '/mailman'
+
+EMAIL_HOST = "%%smtp_relay_address"
+EMAIL_PORT = 25
+EMAIL_HOST_USER = "%%smtp_relay_user@%%ip_eth0"
+EMAIL_HOST_PASSWORD = "%%smtp_relay_password"
+EMAIL_USE_TLS = True
+DEFAULT_FROM_EMAIL = '%%mailman_mail_owner'
+EMAIL_SUBJECT_PREFIX = '[Django] '
+SERVER_EMAIL = '%%mailman_mail_owner'
+SOCIALACCOUNT_EMAIL_VERIFICATION = 'none'
+SOCIALACCOUNT_PROVIDERS = {
+    'risotto': {
+        'LEMONLDAP_NAME': 'Authentification centralisée',
+        'LEMONLDAP_URL': 'https://%%oauth2_server_domainname',
+        'LEMONLDAP_LOCAL_URL': 'https://%%oauth2_client_server_domainname',
+        'ACCOUNT_EMAIL_REQUIRED': True,
+        'ACCOUNT_UNIQUE_EMAIL': True,
+        'ACCOUNT_USERNAME_REQUIRED': False,
+        'ACCOUNT_AUTHENTICATION_METHOD': 'email',
+        'SOCIALACCOUNT_AUTO_SIGNUP': True,
+    },
+}
+#FIXME
+## This goes in /etc/cron.d/mailman
+#
+#@hourly  mailman  /opt/mailman/venv/bin/mailman-web runjobs hourly
+#@daily   mailman  /opt/mailman/venv/bin/mailman-web runjobs daily
+#@weekly  mailman  /opt/mailman/venv/bin/mailman-web runjobs weekly
+#@monthly mailman  /opt/mailman/venv/bin/mailman-web runjobs monthly
+#@yearly  mailman  /opt/mailman/venv/bin/mailman-web runjobs yearly
+#* * * * *  mailman  /opt/mailman/venv/bin/mailman-web runjobs minutely
+#2,17,32,47 * * * * mailman  /opt/mailman/venv/bin/mailman-web runjobs quarter_hourly
diff --git a/seed/applicationservice/2022.03.08/mailman/templates/postorius.service b/seed/applicationservice/2022.03.08/mailman/templates/postorius.service
new file mode 100644
index 0000000..484c26f
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mailman/templates/postorius.service
@@ -0,0 +1,31 @@
+[Unit]
+Description=Postorius WSGI Service
+After=network.target postgresqlclient.service
+
+[Service]
+Type=notify
+User=postorius
+Group=postorius
+WorkingDirectory=/usr/share/postorius
+RuntimeDirectory=postorius
+StateDirectory=postorius
+PrivateTmp=yes
+PrivateUsers=yes
+ProtectHostname=yes
+ProtectKernelModules=yes
+ProtectKernelLogs=yes
+LockPersonality=yes
+RestrictRealtime=yes
+PrivateMounts=yes
+Environment="MAILMAN_WEB_CONFIG=/usr/share/postorius/m_postorius/settings.py"
+ExecStartPre=/usr/share/postorius/manage.py migrate
+ExecStartPre=/usr/share/postorius/manage.py shell -c 'from django.contrib.sites.models import Site; site=Site.objects.first(); site.name="%%revprox_client_external_domainname"; site.domain="%%revprox_client_external_domainname"; site.save()'
+ExecStartPre=/usr/share/postorius/manage.py shell -c 'from allauth.socialaccount.models import SocialApp; SocialApp.objects.create() if SocialApp.objects.count() == 0 else print("social app already exists"); a=SocialApp.objects.first(); a.name = "%%domain_name_eth0"; a.provider = "risotto"; a.client_id = "%%oauth2_client_id"; a.secret = "%%oauth2_client_secret"; a.sites.set([1]); a.save()'
+ExecStartPre=-/usr/share/postorius/manage.py createsuperuser --username "%%mailman_mail_owner" --email "%%mailman_mail_owner" --noinput
+ExecStart=/usr/bin/gunicorn --config /etc/postorius/gunicorn_config.py m_postorius.wsgi
+ExecReload=/bin/kill -s HUP $MAINPID
+KillMode=mixed
+TimeoutStopSec=5
+
+[Install]
+WantedBy=multi-user.target
diff --git a/seed/applicationservice/2022.03.08/mailman/templates/sysuser-mailman.conf b/seed/applicationservice/2022.03.08/mailman/templates/sysuser-mailman.conf
new file mode 100644
index 0000000..a444333
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mailman/templates/sysuser-mailman.conf
@@ -0,0 +1,2 @@
+g mailman 41 -
+u mailman 41:41 "Mailman, the mailing-list manager" /srv/mailman/lib  /sbin/nologin
diff --git a/seed/applicationservice/2022.03.08/mailman/templates/sysuser-postorius.conf b/seed/applicationservice/2022.03.08/mailman/templates/sysuser-postorius.conf
new file mode 100644
index 0000000..e646d69
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mailman/templates/sysuser-postorius.conf
@@ -0,0 +1,3 @@
+g postorius 985 -
+u postorius 985:987     "Postorius user" /usr/share/postorius  /bin/bash
+
diff --git a/seed/applicationservice/2022.03.08/mailman/templates/tmpfile-mailman.conf b/seed/applicationservice/2022.03.08/mailman/templates/tmpfile-mailman.conf
new file mode 100644
index 0000000..b67cb80
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mailman/templates/tmpfile-mailman.conf
@@ -0,0 +1,3 @@
+d /srv/mailman 750 mailman mailman - -
+d /var/log/mailman 755 mailman mailman - -
+f /var/log/mailman/postorius.log 644 postorius postorius - -
diff --git a/seed/applicationservice/2022.03.08/mariadb-client/applicationservice.yml b/seed/applicationservice/2022.03.08/mariadb-client/applicationservice.yml
new file mode 100644
index 0000000..07acd8a
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mariadb-client/applicationservice.yml
@@ -0,0 +1,2 @@
+format: '0.1'
+description: Mariadb client
diff --git a/seed/applicationservice/2022.03.08/mariadb-client/dictionaries/20_mariadb.xml b/seed/applicationservice/2022.03.08/mariadb-client/dictionaries/20_mariadb.xml
new file mode 100644
index 0000000..e0748d0
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mariadb-client/dictionaries/20_mariadb.xml
@@ -0,0 +1,29 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <variables>
+    <family name="mariadb" description="MariaDB">
+      <variable name="mariadb_client_server_domainname" type="domainname" description="Nom de domaine du serveur MariaDB" mandatory="True"/>
+      <variable name="mariadb_client_username" description="Database username" mandatory="True" hidden="True"/>
+      <variable name="mariadb_client_password" type="secret" description="Database password" mandatory="True" hidden="True"/>
+      <variable name="mariadb_client_database" description="Database name" mandatory="True" hidden="True"/>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="set_linked">
+      <param name="linked_server" type="variable">mariadb_client_server_domainname</param>
+      <param name="linked_provider">clients</param>
+      <param name="linked_value" type="variable">domain_name_eth0</param>
+      <target>mariadb_client_username</target>
+    </fill>
+    <fill name="get_linked_configuration">
+      <param name="linked_server" type="variable">mariadb_client_server_domainname</param>
+      <param name="linked_provider">client_password</param>
+      <param name="dynamic" type="variable">mariadb_client_username</param>
+      <target>mariadb_client_password</target>
+    </fill>
+    <fill name="calc_value">
+      <param type="variable">mariadb_client_username</param>
+      <target>mariadb_client_database</target>
+    </fill>
+  </constraints>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/mariadb-server/applicationservice.yml b/seed/applicationservice/2022.03.08/mariadb-server/applicationservice.yml
new file mode 100644
index 0000000..f168f31
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mariadb-server/applicationservice.yml
@@ -0,0 +1,5 @@
+format: '0.1'
+description: Mariadb
+depends:
+  - server
+  - base-fedora-35
diff --git a/seed/applicationservice/2022.03.08/mariadb-server/dictionaries/20_mariadb.xml b/seed/applicationservice/2022.03.08/mariadb-server/dictionaries/20_mariadb.xml
new file mode 100644
index 0000000..91f67a3
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mariadb-server/dictionaries/20_mariadb.xml
@@ -0,0 +1,26 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name="mariadb" target="multi-user">
+      <override/>
+      <file>/etc/my.cnf.d/risotto.cnf</file>
+      <file engine="none" source="tmpfile-mariadb.conf">/tmpfiles.d/0mariadb.conf</file>
+      <file mode="600" owner="mysql" group="mysql">/etc/mariadb.sql</file>
+    </service>
+  </services>
+  <variables>
+    <family name="mariadb" description="MariaDB" help="Paramétrage du serveur de gestion de bases de données MariaDB">
+      <variable name="mariadb_root_password" type="password" hidden="True"/>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="get_password">
+      <param name="server_name" type="variable">domain_name_eth0</param>
+      <param name="username">root_password</param>
+      <param name="description">mariadb</param>
+      <param name="type">cleartext</param>
+      <param name="length" type="number">50</param>
+      <target>mariadb_root_password</target>
+    </fill>
+  </constraints>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/mariadb-server/manual/image/preinstall/mariadb_server.sh b/seed/applicationservice/2022.03.08/mariadb-server/manual/image/preinstall/mariadb_server.sh
new file mode 100644
index 0000000..f923704
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mariadb-server/manual/image/preinstall/mariadb_server.sh
@@ -0,0 +1 @@
+PKG="$PKG mariadb-server"
diff --git a/seed/applicationservice/2022.03.08/mariadb-server/templates/mariadb.service b/seed/applicationservice/2022.03.08/mariadb-server/templates/mariadb.service
new file mode 100644
index 0000000..fcfd36f
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mariadb-server/templates/mariadb.service
@@ -0,0 +1,3 @@
+[Service]
+ExecStartPost=-/usr/bin/mysql -e "UPDATE mysql.global_priv SET priv=json_set(priv, '$.plugin', 'mysql_native_password', '$.authentication_string', PASSWORD('%%mariadb_root_password')) WHERE User='root';" -e "FLUSH PRIVILEGES;"
+ExecStartPost=-/usr/bin/mysql -e "source /etc/mariadb.sql;"
diff --git a/seed/applicationservice/2022.03.08/mariadb-server/templates/mariadb.sql b/seed/applicationservice/2022.03.08/mariadb-server/templates/mariadb.sql
new file mode 100644
index 0000000..3957f31
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mariadb-server/templates/mariadb.sql
@@ -0,0 +1,8 @@
+%for %%server in %%accounts.remotes
+ %set %%name = %%normalize_family(%%server)
+ %set %%password = %%accounts['remote_' + %%name]['password_' + %%name]
+CREATE USER IF NOT EXISTS '%%name'@'%%server' IDENTIFIED BY '%%password';
+CREATE DATABASE IF NOT EXISTS %%name CHARACTER SET utf8;
+GRANT ALL PRIVILEGES ON %%name.* TO '%%name'@'%%server' IDENTIFIED BY '%%password';
+FLUSH PRIVILEGES;
+%end for
diff --git a/seed/applicationservice/2022.03.08/mariadb-server/templates/risotto.cnf b/seed/applicationservice/2022.03.08/mariadb-server/templates/risotto.cnf
new file mode 100644
index 0000000..ae8ab03
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mariadb-server/templates/risotto.cnf
@@ -0,0 +1,3 @@
+[mysqld]
+datadir=/srv/mariadb
+log-error=
diff --git a/seed/applicationservice/2022.03.08/mariadb-server/templates/tmpfile-mariadb.conf b/seed/applicationservice/2022.03.08/mariadb-server/templates/tmpfile-mariadb.conf
new file mode 100644
index 0000000..b91b38a
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/mariadb-server/templates/tmpfile-mariadb.conf
@@ -0,0 +1,2 @@
+d /srv/mariadb 750 mysql mysql - -
+d /var/lib/mysql 750 mysql mysql - -
diff --git a/seed/applicationservice/2022.03.08/nextcloud/DEBUG.md b/seed/applicationservice/2022.03.08/nextcloud/DEBUG.md
new file mode 100644
index 0000000..d85ac5b
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nextcloud/DEBUG.md
@@ -0,0 +1,36 @@
+# DEBUG
+
+## Mode debug
+
+sed -i "s/'debug' => false,/'debug' => true,/g" /etc/nextcloud/config.php
+
+## LDAP
+
+Test configuration:
+
+```
+php /usr/share/nextcloud/occ ldap:test-config s01
+```
+
+Show LDAP configuration:
+
+```
+php /usr/share/nextcloud/occ ldap:show-config s01
+```
+
+Check a user:
+
+```
+php /usr/share/nextcloud/occ ldap:search Emmanuel
+```
+
+Check a login name:
+
+```
+php /usr/share/nextcloud/occ ldap:check-user gnunux@gnunux.info
+```
+
+## admin
+
+su - apache -s /bin/bash -c "php /usr/share/nextcloud/occ app:disable oidc_login"
+Password : password/nextcloud.in.gnunux.info/nextcloud/admin_password
diff --git a/seed/applicationservice/2022.03.08/nextcloud/applicationservice.yml b/seed/applicationservice/2022.03.08/nextcloud/applicationservice.yml
new file mode 100644
index 0000000..023692d
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nextcloud/applicationservice.yml
@@ -0,0 +1,11 @@
+format: '0.1'
+description: Nextcloud
+depends:
+  - base-fedora-35
+  - postgresql-client
+  - ldap-client-fedora
+  - redis-client
+  - oauth2-client
+  - relay-mail-client
+  - apache
+  - php-fpm
diff --git a/seed/applicationservice/2022.03.08/nextcloud/dictionaries/31_nextcloud.xml b/seed/applicationservice/2022.03.08/nextcloud/dictionaries/31_nextcloud.xml
new file mode 100644
index 0000000..f548a84
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nextcloud/dictionaries/31_nextcloud.xml
@@ -0,0 +1,64 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name="nextcloudcron" engine="none"/>
+    <service name="nextcloudcron" type="timer" engine="none" target="timers"/>
+    <service name="nextcloud" engine="creole" target="multi-user">
+      <file owner="apache" group="apache" mode="440" source="nextcloud-config.php">/etc/nextcloud/config.php</file>
+      <file owner="root" group="apache" mode="750">/etc/nextcloud/nextcloud.init</file>
+      <file>/etc/httpd/conf.d/a-nextcloud-access.conf</file>
+      <file>/etc/httpd/conf.d/z-nextcloud-access.conf</file>
+      <file>/etc/php.d/20-pgsql.ini</file>
+      <file engine="none" source="tmpfile-nextcloud.conf">/tmpfiles.d/0nextcloud.conf</file>
+    </service>
+  </services>
+  <variables>
+    <family name="nextcloud" description="Nextcloud">
+      <variable name="nextcloud_admin_password" type="password" auto_freeze="True" hidden="True"/>
+      <variable name="nextcloud_mail_admin" type="mail" mandatory="True"/>
+      <variable name="nextcloud_instance_id" type="password" auto_freeze="True" hidden="True"/>
+    </family>
+    <family name="nginx">
+      <variable name="revprox_client_location" redefine="True">
+        <value>/nextcloud</value>
+      </variable>
+    </family>
+    <family name="oauth2_client">
+      <variable name="oauth2_is_client_application" redefine='True'>
+        <value>True</value>
+      </variable>
+      <variable name="oauth2_client_name" redefine='True'>
+        <value>Collaboration</value>
+      </variable>
+      <variable name="oauth2_client_description" redefine='True'>
+        <value>Plateforme de collaboration Nextcloud</value>
+      </variable>
+    </family>
+    <family name="php">
+      <variable name="php_enable_output_buffering" redefine="True">
+        <value>False</value>
+      </variable>
+      <variable name="php_disable_pcntl" redefine="True">
+        <value>False</value>
+      </variable>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="get_password">
+      <param name="server_name" type="variable">domain_name_eth0</param>
+      <param name="username">admin_password</param>
+      <param name="description">nextcloud</param>
+      <param name="type">cleartext</param>
+      <target>nextcloud_admin_password</target>
+    </fill>
+    <!-- see lib/private/legacy/OC_Util.php -->
+    <fill name="get_password_alpha_num">
+      <param name="server_name" type="variable">domain_name_eth0</param>
+      <param name="username">instance_id</param>
+      <param name="description">nextcloud</param>
+      <param name="length" type="number">10</param>
+      <param name="starts_with_char" type="boolean">True</param>
+      <target>nextcloud_instance_id</target>
+    </fill>
+  </constraints>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/nextcloud/manual/image/postinstall/nextcloud.sh b/seed/applicationservice/2022.03.08/nextcloud/manual/image/postinstall/nextcloud.sh
new file mode 100644
index 0000000..63cbd0a
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nextcloud/manual/image/postinstall/nextcloud.sh
@@ -0,0 +1,34 @@
+ln -s "$IMAGE_NAME_RISOTTO_IMAGE_DIR/srv/nextcloud/data" "/var/lib/risotto/images/nextcloud//usr/share/nextcloud/data"
+mkdir -p "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/local/share/nextcloud/apps"
+cd "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/local/share/nextcloud/apps"
+#user_saml=$(wget https://api.github.com/repos/nextcloud/user_saml/releases/latest -q -O - | jq -r '.assets[0].browser_download_url')
+app=$(wget https://api.github.com/repos/pulsejet/nextcloud-oidc-login/releases/latest -q -O - | jq -r '.assets[0].browser_download_url')
+wget -q $app
+tar xf *tar.gz
+rm -f *tar.gz
+chown -R root: oidc_login
+#
+app=$(wget https://api.github.com/repos/nextcloud-releases/calendar/releases/latest -q -O - | jq -r '.assets[0].browser_download_url')
+wget -q $app -O app.tar.gz
+tar xf app.tar.gz
+rm -f app.tar.gz
+chown -R root: calendar
+#
+app=$(wget https://api.github.com/repos/nextcloud-releases/contacts/releases/latest -q -O - | jq -r '.assets[0].browser_download_url')
+wget -q $app -O app.tar.gz
+tar xf app.tar.gz
+rm -f app.tar.gz
+chown -R root: contacts
+#
+app=$(wget https://api.github.com/repos/nextcloud/notes/releases/latest -q -O - | jq -r '.assets[0].browser_download_url')
+wget -q $app -O app.tar.gz
+tar xf app.tar.gz
+rm -f app.tar.gz
+chown -R root: notes
+#
+app=$(wget https://api.github.com/repos/nextcloud/tasks/releases/latest -q -O - | jq -r '.assets[0].browser_download_url')
+wget -q $app -O app.tar.gz
+tar xf app.tar.gz
+rm -f app.tar.gz
+chown -R root: tasks
+cd -
diff --git a/seed/applicationservice/2022.03.08/nextcloud/manual/image/preinstall/nextcloud.sh b/seed/applicationservice/2022.03.08/nextcloud/manual/image/preinstall/nextcloud.sh
new file mode 100644
index 0000000..5aaa2fe
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nextcloud/manual/image/preinstall/nextcloud.sh
@@ -0,0 +1 @@
+PKG="$PKG mod_ssl nextcloud-postgresql php-intl php-bcmath php-opcache php-pecl-redis"
diff --git a/seed/applicationservice/2022.03.08/nextcloud/templates/20-pgsql.ini b/seed/applicationservice/2022.03.08/nextcloud/templates/20-pgsql.ini
new file mode 100644
index 0000000..34da569
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nextcloud/templates/20-pgsql.ini
@@ -0,0 +1,10 @@
+extension=pgsql
+
+#from https://docs.nextcloud.com/server/13/admin_manual/configuration_database/linux_database_configuration.html#parameters
+[PostgresSQL]
+pgsql.allow_persistent = On
+pgsql.auto_reset_persistent = Off
+pgsql.max_persistent = -1
+pgsql.max_links = -1
+pgsql.ignore_notice = 0
+pgsql.log_notice = 0
diff --git a/seed/applicationservice/2022.03.08/nextcloud/templates/a-nextcloud-access.conf b/seed/applicationservice/2022.03.08/nextcloud/templates/a-nextcloud-access.conf
new file mode 100644
index 0000000..72cb0f8
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nextcloud/templates/a-nextcloud-access.conf
@@ -0,0 +1 @@
+Alias /nextcloud/apps-appstore /usr/local/share/nextcloud/apps/
diff --git a/seed/applicationservice/2022.03.08/nextcloud/templates/nextcloud-config.php b/seed/applicationservice/2022.03.08/nextcloud/templates/nextcloud-config.php
new file mode 100644
index 0000000..b715b52
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nextcloud/templates/nextcloud-config.php
@@ -0,0 +1,115 @@
+<?php
+$CONFIG = array (
+  'log_type' => 'syslog',
+  'debug' => false,
+  'datadirectory' => '/srv/nextcloud/data/',
+  'updatechecker' => false,
+  'check_for_working_htaccess' => false,
+  'asset-pipeline.enabled' => false,
+  'assetdirectory' => '/var/lib/nextcloud',
+  'preview_libreoffice_path' => '/usr/bin/libreoffice',
+  'trusted_domains' => 
+  array (
+    0 => 'localhost',
+    1 => '%%revprox_client_external_domainname',
+  ),
+  'apps_paths' =>
+  array (
+    0 =>
+    array (
+        'path' => '/usr/share/nextcloud/apps',
+        'url' => '/apps',
+        'writable' => false,
+    ),
+    1 =>
+    array (
+        'path' => '/usr/local/share/nextcloud/apps',
+        'url' => '/apps-appstore',
+        'writable' => true,
+    ),
+  ),
+  'dbtype' => 'pgsql',
+  'version' => '22.1.0.1',
+  'overwrite.cli.url' => 'http://localhost',
+  'dbname' => '%%pg_client_database',
+  'dbhost' => '%%pg_client_server_domainname',
+  'dbport' => '',
+  'dbtableprefix' => 'oc_',
+  'dbuser' => '%%pg_client_username',
+  'dbpassword' => '%%pg_client_password',
+  'dbdriveroptions' => array('sslmode' => true),
+  'passwordsalt' => '{{SALT}}',
+  'secret' => '{{SECRET}}',
+  'instanceid' => '%%nextcloud_instance_id',
+  'config_is_read_only' => true,
+  'installed' => false,
+  'maintenance' => false,
+  'appstoreenabled' => false,
+  'appcodechecker' => false,
+  'memcache.distributed' => '\OC\Memcache\Redis',
+  'memcache.locking' => '\OC\Memcache\Redis',
+  'trusted_proxies' => '%%revprox_client_server_ip',
+  'overwritehost' => '%%revprox_client_external_domainname',
+  'filelocking.enabled' => true,
+  'redis' => [
+     'host' => '%%redis_client_server_domainname',
+     'port' => 6379,
+     'password' => '%%redis_client_password',
+     'dbindex' => 0,
+  ],
+  'default_phone_region' => 'FR',
+//OIDC login
+  'allow_user_to_change_display_name' => false,
+  'lost_password_link' => 'disabled',
+  'oidc_login_provider_url' => 'https://%%oauth2_client_server_domainname',
+  'oidc_login_client_id' => '%%oauth2_client_id',
+  'oidc_login_client_secret' => '%%oauth2_client_secret',
+  'oidc_login_auto_redirect' => true,
+//FIXME 'oidc_login_logout_url' => 'https://openid.example.com/thankyou',
+//FIXME to true
+  'oidc_login_end_session_redirect' => false,
+//If no quota, we cannot send file
+  'oidc_login_default_quota' => '1000000000000000',
+  'oidc_login_button_text' => 'Log in with OpenID',
+  'oidc_login_hide_password_form' => true,
+  'oidc_login_use_id_token' => false,
+  'oidc_login_attributes' => array (
+      'id' => 'sub',
+      'name' => 'name',
+      'mail' => 'email',
+//      'quota' => 'ownCloudQuota',
+//      'home' => 'homeDirectory',
+      'ldap_uid' => 'uid',
+//      'groups' => 'ownCloudGroups',
+//      'photoURL' => 'picture',
+//      'is_admin' => 'ownCloudAdmin',
+  ),
+  'oidc_login_default_group' => 'oidc',
+  'oidc_login_scope' => 'openid profile email',
+  'oidc_login_proxy_ldap' => false,
+  'oidc_login_disable_registration' => true,
+  'oidc_login_redir_fallback' => false,
+  'oidc_login_alt_login_page' => 'assets/login.php',
+  'oidc_login_tls_verify' => true,
+  'oidc_create_groups' => false,
+//FIXME
+  'oidc_login_webdav_enabled' => false,
+  'oidc_login_password_authentication' => false,
+  'oidc_login_public_key_caching_time' => 86400,
+  'oidc_login_min_time_between_jwks_requests' => 10,
+  'oidc_login_well_known_caching_time' => 86400,
+  'oidc_login_update_avatar' => false,
+//mail
+  'mail_smtpmode' => 'smtp',
+  'mail_smtpsecure' => 'tls',
+  'mail_sendmailmode' => 'smtp',
+%set %%mailfrom, %%maildomain = %%nextcloud_mail_admin.split("@")
+  'mail_from_address' => '%%mailfrom',
+  'mail_domain' => '%%maildomain',
+  'mail_smtpauthtype' => 'PLAIN',
+  'mail_smtpauth' => 1,
+  'mail_smtphost' => '%%smtp_relay_address',
+  'mail_smtpport' => '25',
+  'mail_smtpname' => '%%smtp_relay_user@%%ip_eth0',
+  'mail_smtppassword' => '%%smtp_relay_password',
+);
diff --git a/seed/applicationservice/2022.03.08/nextcloud/templates/nextcloud.init b/seed/applicationservice/2022.03.08/nextcloud/templates/nextcloud.init
new file mode 100644
index 0000000..b1e0f0f
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nextcloud/templates/nextcloud.init
@@ -0,0 +1,52 @@
+%echo "#!/bin/bash -ex"
+
+if [ ! -f /srv/nextcloud/keys/secret.txt ]; then
+    /usr/bin/php /usr/share/nextcloud/occ maintenance:install --no-interaction --data-dir /srv/nextcloud/data/ --database "pgsql" --database-host "%%pg_client_server_domainname" --database-name "%%pg_client_database"  --database-user "%%pg_client_username" --database-pass "%%pg_client_password" --admin-user "admin" --admin-pass "%%nextcloud_admin_password"
+    umask 027
+    /usr/bin/php /usr/share/nextcloud/occ --no-warnings config:system:get passwordsalt > /srv/nextcloud/keys/passwordsalt.txt
+    /usr/bin/php /usr/share/nextcloud/occ --no-warnings config:system:get secret > /srv/nextcloud/keys/secret.txt
+
+    /usr/bin/php /usr/share/nextcloud/occ app:enable user_ldap -q
+    /usr/bin/php /usr/share/nextcloud/occ ldap:create-empty-config -q
+else
+    sed -i "s'{{SECRET}}'$(cat /srv/nextcloud/keys/secret.txt)'g" /etc/nextcloud/config.php
+    sed -i "s'{{SALT}}'$(cat /srv/nextcloud/keys/passwordsalt.txt)'g" /etc/nextcloud/config.php
+    sed -i "s/'installed' => false,/'installed' => true,/g" /etc/nextcloud/config.php
+    /usr/bin/php /usr/share/nextcloud/occ app:enable user_ldap -q
+fi
+# SSO
+/usr/bin/php /usr/share/nextcloud/occ app:enable oidc_login
+# Feature
+/usr/bin/php /usr/share/nextcloud/occ app:enable calendar
+/usr/bin/php /usr/share/nextcloud/occ app:enable contacts
+/usr/bin/php /usr/share/nextcloud/occ app:enable notes
+/usr/bin/php /usr/share/nextcloud/occ app:enable tasks
+# LDAP
+/usr/bin/php /usr/share/nextcloud/occ config:app:set user_ldap bgjRefreshInterval --value=300 -q
+/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapHost "ldaps://%%ldap_server_address"
+/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapPort "%%ldap_port"
+/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentName "%%ldapclient_remote_user"
+/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapAgentPassword "%%ldapclient_remote_user_password"
+/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBase "ou=users,%%ldap_base_dn"
+/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseUsers "ou=users,%%ldap_base_dn"
+/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapBaseGroups "ou=users,%%ldap_base_dn"
+/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapExperiencedAdmin "0"
+/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapExpertUUIDUserAttr "cn"
+/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapLoginFilter "(&(cn=%uid)(ObjectClass=inetOrgPerson))"
+/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapUserFilter "ObjectClass=inetOrgPerson"
+/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapGroupFilter "ObjectClass=posixGroup"
+/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapUserFilterObjectclass "inetOrgPerson"
+/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapGroupFilterObjectclass "posixGroup"
+/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapGroupMemberAssocAttr "memberUid"
+/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapEmailAttribute "mail"
+/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapCacheTTL "300"
+/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapPagingSize "0"
+/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapUserDisplayName "sn"
+/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapConfigurationActive "1"
+#/usr/bin/php /usr/share/nextcloud/occ ldap:set-config s01 ldapTLS "1"
+# cron
+/usr/bin/php /usr/share/nextcloud/occ config:app:set core backgroundjobs_mode --value=cron
+# need network
+/usr/bin/php /usr/share/nextcloud/occ app:disable weather_status
+
+exit 0
diff --git a/seed/applicationservice/2022.03.08/nextcloud/templates/nextcloud.service b/seed/applicationservice/2022.03.08/nextcloud/templates/nextcloud.service
new file mode 100644
index 0000000..a561133
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nextcloud/templates/nextcloud.service
@@ -0,0 +1,20 @@
+[Unit]
+Description=Nextcloud management
+After=postgresqlclient.service
+Before=apache.service php-fpm.service
+
+[Service]
+Type=oneshot
+WorkingDirectory=/usr/share/nextcloud
+#FIXME
+ExecStart=+/usr/bin/chmod +w /etc/nextcloud/config.php
+ExecStart=/etc/nextcloud/nextcloud.init
+ExecStart=/usr/bin/php occ files:scan --all -q
+ExecStart=/usr/bin/php occ maintenance:repair -q
+ExecStart=+/usr/bin/chmod -w /etc/nextcloud/config.php
+User=apache
+Group=apache
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/seed/applicationservice/2022.03.08/nextcloud/templates/nextcloudcron.service b/seed/applicationservice/2022.03.08/nextcloud/templates/nextcloudcron.service
new file mode 100644
index 0000000..0802b14
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nextcloud/templates/nextcloudcron.service
@@ -0,0 +1,8 @@
+# https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/background_jobs_configuration.html
+[Unit]
+Description=Nextcloud cron.php job
+
+[Service]
+User=apache
+ExecStart=/usr/bin/php -f /usr/share/nextcloud/cron.php
+KillMode=process
diff --git a/seed/applicationservice/2022.03.08/nextcloud/templates/nextcloudcron.timer b/seed/applicationservice/2022.03.08/nextcloud/templates/nextcloudcron.timer
new file mode 100644
index 0000000..e5543a1
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nextcloud/templates/nextcloudcron.timer
@@ -0,0 +1,11 @@
+# https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/background_jobs_configuration.html
+[Unit]
+Description=Run Nextcloud cron.php every 5 minutes
+
+[Timer]
+OnBootSec=5min
+OnUnitActiveSec=5min
+Unit=nextcloudcron.service
+
+[Install]
+WantedBy=timers.target
diff --git a/seed/applicationservice/2022.03.08/nextcloud/templates/tmpfile-nextcloud.conf b/seed/applicationservice/2022.03.08/nextcloud/templates/tmpfile-nextcloud.conf
new file mode 100644
index 0000000..678707f
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nextcloud/templates/tmpfile-nextcloud.conf
@@ -0,0 +1,3 @@
+d /var/lib/nextcloud 750 apache apache - -
+d /srv/nextcloud/data 750 apache apache - -
+d /srv/nextcloud/keys 750 apache apache - -
diff --git a/seed/applicationservice/2022.03.08/nextcloud/templates/z-nextcloud-access.conf b/seed/applicationservice/2022.03.08/nextcloud/templates/z-nextcloud-access.conf
new file mode 100644
index 0000000..488a738
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nextcloud/templates/z-nextcloud-access.conf
@@ -0,0 +1,35 @@
+# GNUNUX Source /etc/httpd/conf.d/nextcloud-access.conf.avail
+# If symlinked or copied to /etc/httpd/conf.d/z-nextcloud-access.conf
+# (or any other name that is alphabetically later than
+# 'nextcloud.conf'), this file will permit access to the ownCloud
+# installation from any client. Ensure your deployment is correctly
+# configured and secured before doing this!
+#
+# If you SYMLINK this file, you can rely on the ownCloud package to
+# handle any future changes in the directory or URL hierarchy; this
+# file will always achieve the high-level goal 'allow access to the
+# ownCloud installation from any client'. If you COPY this file, you
+# will have to check for changes to the original in future ownCloud
+# package updates, and make any appropriate adjustments to your copy.
+
+<Directory /usr/share/nextcloud/>
+    Include conf.d/nextcloud-auth-any.inc
+</Directory>
+
+# GNUNUX <Directory /var/lib/nextcloud/apps/>
+# GNUNUX     Include conf.d/nextcloud-auth-any.inc
+# GNUNUX </Directory>
+
+<Directory /var/lib/nextcloud/assets/>
+    Include conf.d/nextcloud-auth-any.inc
+</Directory>
+
+#>GNUNUX
+<Directory /usr/local/share/nextcloud/apps/>
+    Include conf.d/nextcloud-auth-any.inc
+</Directory>
+
+<Directory /srv/nextcloud/assets/>
+    Include conf.d/nextcloud-auth-any.inc
+</Directory>
+#<GNUNUX
diff --git a/seed/applicationservice/2022.03.08/nginx-common/applicationservice.yml b/seed/applicationservice/2022.03.08/nginx-common/applicationservice.yml
new file mode 100644
index 0000000..0227163
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nginx-common/applicationservice.yml
@@ -0,0 +1,2 @@
+format: '0.1'
+description: Nginx common configuration
diff --git a/seed/applicationservice/2022.03.08/nginx-common/dictionaries/20_nginx.xml b/seed/applicationservice/2022.03.08/nginx-common/dictionaries/20_nginx.xml
new file mode 100644
index 0000000..e6fda66
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nginx-common/dictionaries/20_nginx.xml
@@ -0,0 +1,40 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name='nginx' target='multi-user'>
+      <file>/etc/nginx/nginx.conf</file>
+      <file source="default">/etc/nginx/sites-available/default</file>
+      <file source="default-nginx.conf">/etc/nginx/default.d/risotto.conf</file>
+      <!--file source="default-nginx-ssl.conf">/etc/nginx/conf.d/risotto-ssl.conf</file-->
+      <file source="nginx.index.html">/var/www/html/index.html</file>
+      <file source="nginx-options.conf">/etc/nginx/conf.d/options.conf</file>
+      <file>/var/www/html/error.html</file>
+      <file engine="none" source="sysusers.nginx.conf" filelist="nginx_fedora">/sysusers.d/nginx.conf</file>
+      <file source="tmpfiles.nginx.conf">/tmpfiles.d/nginx.conf</file>
+    </service>
+  </services>
+  <variables>
+    <family name="nginx" description="NGINX" help="Paramétrage global de NGINX">
+      <variable name="nginx_default" type="domainname" description="Nom de domaine du serveur mandataire inverse par défaut" help="Si un client accède au serveur avec un nom de domaine non déclaré, le flux est redirigé vers ce domaine" mandatory='True'/>
+      <variable name="nginx_hash_bucket_size" description="Longueur maximum pour un nom de domaine" mode="expert" type="choice">
+        <value>128</value>
+        <choice type="string">128</choice>
+        <choice type="string">64</choice>
+        <choice type="string">32</choice>
+      </variable>
+      <variable name="nginx_post_max_size" type="number" description="Taille maximale des données reçues par la méthode POST (en Mo)" mode="expert" mandatory="True">
+        <value>32</value>
+      </variable>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="calc_value">
+      <param type="variable">domain_name_eth0</param>
+      <target>nginx_default</target>
+    </fill>
+    <condition name="disabled_if_not_in" source="os_name">
+      <param>Fedora</param>
+      <target type="filelist">nginx_fedora</target>
+    </condition>
+  </constraints>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/nginx-common/manual/image/preinstall/nginx_common.sh b/seed/applicationservice/2022.03.08/nginx-common/manual/image/preinstall/nginx_common.sh
new file mode 100644
index 0000000..103fcfe
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nginx-common/manual/image/preinstall/nginx_common.sh
@@ -0,0 +1 @@
+PKG="$PKG nginx"
diff --git a/seed/applicationservice/2022.03.08/nginx-common/templates/default b/seed/applicationservice/2022.03.08/nginx-common/templates/default
new file mode 100644
index 0000000..f21feb7
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nginx-common/templates/default
@@ -0,0 +1 @@
+# GNUNUX disable default file
diff --git a/seed/applicationservice/2022.03.08/nginx-common/templates/default-nginx-ssl.conf b/seed/applicationservice/2022.03.08/nginx-common/templates/default-nginx-ssl.conf
new file mode 100644
index 0000000..4459747
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nginx-common/templates/default-nginx-ssl.conf
@@ -0,0 +1,10 @@
+#FIXME    server {
+#FIXME        listen 443 ssl;
+#FIXME        ssl_certificate    %%nginx_certificate[%%revprox_domainnames_all.index(%%nginx_default)];
+#FIXME        ssl_certificate_key     %%nginx_private_key[%%revprox_domainnames_all.index(%%nginx_default)];
+#FIXME        ssl_client_certificate  /etc/ssl/certs/ca.crt;
+#FIXME        server_name _ default;
+#FIXME        rewrite ^(.*) https://%%nginx_default$1;
+#FIXME        break;
+#FIXME    }
+
diff --git a/seed/applicationservice/2022.03.08/nginx-common/templates/default-nginx.conf b/seed/applicationservice/2022.03.08/nginx-common/templates/default-nginx.conf
new file mode 100644
index 0000000..639e06d
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nginx-common/templates/default-nginx.conf
@@ -0,0 +1,2 @@
+        rewrite ^(.*) http://%%nginx_default$1;
+        break;
diff --git a/seed/applicationservice/2022.03.08/nginx-common/templates/error.html b/seed/applicationservice/2022.03.08/nginx-common/templates/error.html
new file mode 100644
index 0000000..b1b4af9
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nginx-common/templates/error.html
@@ -0,0 +1,21 @@
+<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd">
+<html>
+    <META http-equiv="Content-Type" content="text/html; charset=utf-8;">
+    <head>
+<title>Page indisponible</title>
+<style>
+    .main{
+        background:#FFFFCC;
+        text-align:center;
+    }
+.message{
+top:25%;
+text-align:center;
+}
+</style>
+    </head>
+    <body class='main'>
+    <hr/>
+    <div class="message">La page que vous avez demandée est indisponible</div>
+    </body>
+</html>
diff --git a/seed/applicationservice/2022.03.08/nginx-common/templates/nginx-options.conf b/seed/applicationservice/2022.03.08/nginx-common/templates/nginx-options.conf
new file mode 100644
index 0000000..9025b2e
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nginx-common/templates/nginx-options.conf
@@ -0,0 +1,28 @@
+client_max_body_size %%{nginx_post_max_size}M;
+client_body_buffer_size 128k;
+
+# Always trust ourself
+%for %%interface in %%range(%%number_of_interfaces)
+set_real_ip_from %%getVar('ip_eth{0}'.format(%%interface));
+%end for
+
+server_names_hash_bucket_size %%{nginx_hash_bucket_size};
+proxy_buffer_size   16k;
+proxy_buffers   6 32k;
+proxy_busy_buffers_size   32k;
+large_client_header_buffers 8 8k;
+
+client_body_temp_path /var/tmp/client_body;
+proxy_temp_path /var/tmp/proxy;
+fastcgi_temp_path /var/tmp/fastcgi;
+uwsgi_temp_path /var/tmp/uwsgi;
+scgi_temp_path /var/tmp/scgi;
+#FIXME
+%if %%getVar('activer_web_behind_revproxy', 'non') == 'oui'
+# Define globally trusted reverse proxy
+set_real_ip_from %%web_behind_revproxy_ip;
+# The original client address that matches one of the trusted
+# addresses is replaced by the last non-trusted address sent in the
+# request header field
+real_ip_recursive on;
+%end if
diff --git a/seed/applicationservice/2022.03.08/nginx-common/templates/nginx.conf b/seed/applicationservice/2022.03.08/nginx-common/templates/nginx.conf
new file mode 100644
index 0000000..05531f0
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nginx-common/templates/nginx.conf
@@ -0,0 +1,103 @@
+# For more information on configuration, see:
+#   * Official English Documentation: http://nginx.org/en/docs/
+#   * Official Russian Documentation: http://nginx.org/ru/docs/
+
+%if %%os_name == 'Fedora'
+user nginx;
+%else
+user www-data;
+%end if
+worker_processes auto;
+#GNUNUX error_log /var/log/nginx/error.log;
+#>GNUNUX
+error_log syslog:server=unix:/dev/log;
+#<GNUNUX
+
+pid /run/nginx.pid;
+
+# Load dynamic modules. See /usr/share/doc/nginx/README.dynamic.
+%if %%os_name == 'Fedora'
+include /usr/share/nginx/modules/*.conf;
+%else
+include /etc/nginx/modules-enabled/*.conf;
+%end if
+
+events {
+    worker_connections 1024;
+}
+
+http {
+%if %%os_name == 'Fedora'
+    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                      '$status $body_bytes_sent "$http_referer" '
+                      '"$http_user_agent" "$http_x_forwarded_for"';
+%end if
+    #GNUNUX    access_log  /var/log/nginx/access.log  main;
+    #>GNUNUX
+    access_log syslog:server=unix:/dev/log combined;
+    error_log syslog:server=unix:/dev/log error;
+    #<GNUNUX
+
+    sendfile            on;
+    tcp_nopush          on;
+    tcp_nodelay         on;
+    keepalive_timeout   65;
+    types_hash_max_size 4096;
+
+    include             /etc/nginx/mime.types;
+    default_type        application/octet-stream;
+
+    # Load modular configuration files from the /etc/nginx/conf.d directory.
+    # See http://nginx.org/en/docs/ngx_core_module.html#include
+    # for more information.
+    include /etc/nginx/conf.d/*.conf;
+%if %%os_name == 'Fedora'
+    server {
+        listen       80;
+        listen       [::]:80;
+        server_name  _;
+        root         /usr/share/nginx/html;
+
+        # Load configuration files for the default server block.
+        include /etc/nginx/default.d/*.conf;
+
+        error_page 404 /404.html;
+        location = /404.html {
+        }
+
+        error_page 500 502 503 504 /50x.html;
+        location = /50x.html {
+        }
+    }
+%else
+    include /etc/nginx/sites-enabled/*;
+%end if
+
+# Settings for a TLS enabled server.
+#
+#    server {
+#        listen       443 ssl http2;
+#        listen       [::]:443 ssl http2;
+#        server_name  _;
+#        root         /usr/share/nginx/html;
+#
+#        ssl_certificate "/etc/pki/nginx/server.crt";
+#        ssl_certificate_key "/etc/pki/nginx/private/server.key";
+#        ssl_session_cache shared:SSL:1m;
+#        ssl_session_timeout  10m;
+#        ssl_ciphers PROFILE=SYSTEM;
+#        ssl_prefer_server_ciphers on;
+#
+#        # Load configuration files for the default server block.
+#        include /etc/nginx/default.d/*.conf;
+#
+#        error_page 404 /404.html;
+#            location = /40x.html {
+#        }
+#
+#        error_page 500 502 503 504 /50x.html;
+#            location = /50x.html {
+#        }
+#    }
+
+}
diff --git a/seed/applicationservice/2022.03.08/nginx-common/templates/nginx.index.html b/seed/applicationservice/2022.03.08/nginx-common/templates/nginx.index.html
new file mode 100644
index 0000000..eeef59d
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nginx-common/templates/nginx.index.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Welcome</title>
+<style>
+</style>
+</head>
+<body>
+</body>
+</html>
diff --git a/seed/applicationservice/2022.03.08/nginx-common/templates/sysusers.nginx.conf b/seed/applicationservice/2022.03.08/nginx-common/templates/sysusers.nginx.conf
new file mode 100644
index 0000000..f60298d
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nginx-common/templates/sysusers.nginx.conf
@@ -0,0 +1,2 @@
+g nginx 999 -
+u nginx 999:999     "NGINX Server" /etc/nginx /sbin/nologin
diff --git a/seed/applicationservice/2022.03.08/nginx-common/templates/tmpfiles.nginx.conf b/seed/applicationservice/2022.03.08/nginx-common/templates/tmpfiles.nginx.conf
new file mode 100644
index 0000000..310157f
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nginx-common/templates/tmpfiles.nginx.conf
@@ -0,0 +1,9 @@
+# this directory is not used, but must be created
+%if %%os_name == 'Fedora'
+ %set %%usr = "nginx"
+ %set %%grp = %%usr
+%else
+ %set %%usr = "www-data"
+ %set %%grp = "adm"
+%end if
+d /var/log/nginx/ 0750 %%usr %%grp -
diff --git a/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/applicationservice.yml b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/applicationservice.yml
new file mode 100644
index 0000000..6ad1c19
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/applicationservice.yml
@@ -0,0 +1,5 @@
+format: '0.1'
+description: Nginx as reverse proxy
+depends:
+  - base-fedora-35
+  - nginx-common
diff --git a/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/dictionaries/25_nginx.xml b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/dictionaries/25_nginx.xml
new file mode 100644
index 0000000..fbeefb0
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/dictionaries/25_nginx.xml
@@ -0,0 +1,75 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name='nginx'>
+      <override engine="creole"/>
+      <file source="nginx-options-rp.conf">/etc/nginx/conf.d/options-rp.conf</file>
+      <file source="revprox-nginx.conf">/etc/nginx/conf.d/risotto.conf</file>
+      <file source="ca.crt" file_type="variable" mode="600">nginx_chain_filename</file>
+      <file>/etc/pki/ca-trust/source/anchors/ca_ReverseProxy.crt</file>
+      <file source="certificate.crt" file_type="variable" mode="600" variable="revprox_domainnames_all">nginx_certificate_filename</file>
+      <file source="private.key" file_type="variable" mode="600" variable="revprox_domainnames_all">nginx_private_key_filename</file>
+    </service>
+  </services>
+  <variables>
+    <variable name="external_ports" redefine="True">
+      <value>80</value>
+      <value>443</value>
+    </variable>
+    <family name="interface_">
+      <variable name="ip_eth" redefine="True" provider="ip"/>
+    </family>
+    <family name="nginx" description="NGINX" help="Paramétrage global de NGINX">
+      <variable name="nginx_default" redefine="True" remove_fill="True"/>
+      <variable name="revprox_domainnames" type="domainname" description="Nom des domaines à configurer dans le serveur mandataire inverse" help="Liste des domaines gérés par le serveur mandataire inverse" multi="True"/>
+      <variable name="revprox_domainnames_auto" type="domainname" description="Nom des domaines auto-configurés dans le serveur mandataire inverse" multi="True" provider="clients" hidden="True"/>
+      <variable name="revprox_domainnames_all" type="domainname" description="Tous les noms de domaines" multi="True" hidden="True"/>
+      <variable name='nginx_private_key_filename' type="filename" description="Private key filename" hidden='True' multi='True'/>
+      <variable name='nginx_certificate_filename' type="filename" description="Certificate filename" hidden='True' multi='True'/>
+      <variable name='nginx_chain_filename' type="filename" description="Chain filename" hidden='True' multi='True'/>
+      <variable name='nginx_chain' type="string" description="Certificate" hidden='True' multi='True'/>
+      <variable name='internal_nginx_chain' type="string" description="Certificate" hidden='True'/>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="nginx_concat_lists">
+      <param type="variable">revprox_domainnames</param>
+      <param type="variable">revprox_domainnames_auto</param>
+      <target>revprox_domainnames_all</target>
+    </fill>
+    <fill name="calc_value">
+      <param>/etc/pki/tls/certs/</param>
+      <param type="variable">revprox_domainnames_all</param>
+      <param>.crt</param>
+      <param name="join"></param>
+      <param name="multi" type="boolean">True</param>
+      <target>nginx_certificate_filename</target>
+    </fill>
+    <fill name="calc_value">
+      <param>/etc/pki/tls/private/</param>
+      <param type="variable">revprox_domainnames_all</param>
+      <param>.key</param>
+      <param name="join"></param>
+      <param name="multi" type="boolean">True</param>
+      <target>nginx_private_key_filename</target>
+    </fill>
+    <fill name="calc_value">
+      <param>/etc/nginx/</param>
+      <param type="variable">revprox_domainnames_all</param>
+      <param>.ca</param>
+      <param name="join"></param>
+      <param name="multi" type="boolean">True</param>
+      <target>nginx_chain_filename</target>
+    </fill>
+    <fill name="get_chain">
+      <param name="authority_cn" type="variable">revprox_domainnames_all</param> 
+      <param name="authority_name">ReverseProxy</param>
+      <target>nginx_chain</target>
+    </fill>
+    <fill name="get_chain">
+      <param name="authority_cn" type="variable">domain_name_eth0</param> 
+      <param name="authority_name">ReverseProxy</param>
+      <target>internal_nginx_chain</target>
+    </fill>
+  </constraints>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/extras/machine/20_unbound.xml b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/extras/machine/20_unbound.xml
new file mode 100644
index 0000000..ac4f5b3
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/extras/machine/20_unbound.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rougail version="0.10">
+  <variables>
+    <variable name="var_size" redefine="True">
+      <value>256</value>
+    </variable>
+    <variable name="add_tmp" redefine="True">
+      <value>False</value>
+    </variable>
+    <variable name="add_srv" redefine="True">
+      <value>False</value>
+    </variable>
+    <variable name="add_swap" redefine="True">
+      <value>False</value>
+    </variable>
+    <variable name='memory' redefine="True" exists="True">
+      <value>512</value>
+    </variable>
+  </variables>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/extras/nginx/00-nginx.xml b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/extras/nginx/00-nginx.xml
new file mode 100644
index 0000000..0bbc5d7
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/extras/nginx/00-nginx.xml
@@ -0,0 +1,15 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <variables>
+    <family name="reverse_proxy_for_" description="Serveur mandataire inverse pour " dynamic="revprox_domainnames_all">
+      <variable name="revprox_domain_wildcard_" description="Activer la redirection pour tous les sous-domaines" help="Exemple pour &quot;domaine&quot; : tous les sous-domaines de &quot;domaine&quot; seront redirigés" type="boolean">
+        <value>False</value>
+      </variable>
+      <family name="reverse_proxy_" description="Reverse proxy" help="Paramètrage du proxy inverse" leadership="True">
+        <variable name="revprox_location_" type="filename" description="Répertoire ou nom de la page à rediriger" help="URL relative (sans le nom de domaine) redirigée pour l'adresse définie dans la variable ci-dessus (exemple &quot;/mail&quot;)" mandatory="True" multi="True" provider="location"/>
+        <variable name="revprox_url_" type="web_address" description="Domaine de destination ou URI complète" mandatory="True" help="Nom de domaine ou IP de destination, par exemple &quot;http://domainelocal&quot; ou URI, par exemple &quot;http://domainelocal/dir/&quot;" provider="url"/>
+      </family>
+    </family>
+  </variables>
+</rougail>
+
diff --git a/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/funcs/nginx.py b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/funcs/nginx.py
new file mode 100644
index 0000000..d4b6ef5
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/funcs/nginx.py
@@ -0,0 +1,9 @@
+from typing import List as _List
+from utils import multi_function
+
+
+@multi_function
+def nginx_concat_lists(list1: _List[str],
+                       list2: _List[str],
+                       ) -> _List[str]:
+    return list1 + list2
diff --git a/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/ca.crt b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/ca.crt
new file mode 100644
index 0000000..6694717
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/ca.crt
@@ -0,0 +1 @@
+%%nginx_chain[%%rougail_index]
diff --git a/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/ca_ReverseProxy.crt b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/ca_ReverseProxy.crt
new file mode 100644
index 0000000..16d5ebd
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/ca_ReverseProxy.crt
@@ -0,0 +1 @@
+%%internal_nginx_chain
diff --git a/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/certificate.crt b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/certificate.crt
new file mode 100644
index 0000000..95220f6
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/certificate.crt
@@ -0,0 +1,5 @@
+%set %%extra_domainnames = []
+%for %%idx in %%range(1, %%number_of_interfaces)
+  %%extra_domainnames.append(%%getVar('domain_name_eth' + %%str(%%idx)))
+%end for
+%%get_certificate(%%domain_name_eth0, 'ReverseProxy', extra_domainnames=%%extra_domainnames)
diff --git a/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/nginx-options-rp.conf b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/nginx-options-rp.conf
new file mode 100644
index 0000000..cafa625
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/nginx-options-rp.conf
@@ -0,0 +1,2 @@
+# We use X-Forwarded-For header
+real_ip_header    X-Forwarded-For;
diff --git a/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/nginx.index.html b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/nginx.index.html
new file mode 100644
index 0000000..eeef59d
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/nginx.index.html
@@ -0,0 +1,10 @@
+<!DOCTYPE html>
+<html>
+<head>
+<title>Welcome</title>
+<style>
+</style>
+</head>
+<body>
+</body>
+</html>
diff --git a/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/nginx.service b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/nginx.service
new file mode 100644
index 0000000..3176d6d
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/nginx.service
@@ -0,0 +1,17 @@
+%set %%domains = []
+%for %%domainname in %%revprox_domainnames_all
+ %set %%family = %%normalize_family(%%domainname)
+ %set %%revprox = %%nginx['reverse_proxy_for_' + family]['reverse_proxy_' + family]
+ %for %%location in %%revprox['revprox_location_' + family]
+  %set %%domain = %%location['revprox_url_' + family].split('/', 3)[2].split(':')[0]
+%%domains.append(%%domain)%slurp
+ %end for
+%end for
+%if %%domains
+ %set %%domains_str = " ".join(%%domains)
+[Service]
+ExecStartPre=
+ExecStartPre=/usr/bin/timeout 90 sh -c 'while ! /usr/bin/resolvectl query %%domains_str; do sleep 1; done'
+ExecStartPre=/usr/bin/rm -f /run/nginx.pid
+ExecStartPre=/usr/sbin/nginx -t
+%end if
diff --git a/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/private.key b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/private.key
new file mode 100644
index 0000000..1dc49e5
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/private.key
@@ -0,0 +1 @@
+%%get_private_key(%%domain_name_eth0, 'ReverseProxy')
diff --git a/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/revprox-nginx.conf b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/revprox-nginx.conf
new file mode 100644
index 0000000..7e7c55e
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/revprox-nginx.conf
@@ -0,0 +1,83 @@
+%for %%idx, %%domainname in %%enumerate(%%revprox_domainnames_all)
+ %set %%family = %%normalize_family(%%domainname)
+ %set %%revprox = %%nginx['reverse_proxy_for_' + family]['reverse_proxy_' + family]
+ %set %%wildcard = %%nginx['reverse_proxy_for_' + family]['revprox_domain_wildcard_' + family]
+# Configuration HTTP %%domainname
+server {
+    listen 80;
+ %if %%wildcard
+  %set %%prefix = "*."
+ %else
+  %set %%prefix = ""
+ %end if
+    server_name %%prefix%%domainname;
+    error_page   403 404 502 503 504  /error.html;
+
+    location = /error.html{
+        root /var/www/html;
+    }
+ %for %%location in %%revprox['revprox_location_' + family]
+  %set %%location_str = %%str(%%location)
+  %if %%location_str != '/' and %%location_str.endswith('/')
+    %set %%location_str = %%location_str[:-1]
+  %end if
+    location %%location_str {
+%if %%wildcard
+        if ($host ~* ".%%domainname" ) {
+%else
+        if ($host = "%%domainname" ) {
+%end if
+            rewrite     ^(.*)  https://$host$1 permanent;
+            break;
+        }
+        index  error.html;
+        root /var/www/html;
+    }
+# FIXME     return 301 https://www.domain.com$request_uri; => https://www.nginx.com/blog/creating-nginx-rewrite-rules/
+ %end for
+}
+
+# Configuration HTTPS %%domainname
+server {
+    listen 443 ssl;
+    ssl_certificate    %%nginx_certificate_filename[%%idx];
+    ssl_certificate_key     %%nginx_private_key_filename[%%idx];
+    ssl_client_certificate    %%nginx_chain_filename[%%idx];
+    server_name %%domainname;
+    error_page   403 404 502 503 504  /error.html;
+    location = /error.html{
+        root /var/www/html;
+    }
+
+ %for %%location in %%revprox['revprox_location_' + family]
+    location %%location {
+	# FIXME proxy_bind A.A.A.A;
+  %set %%location_str = %%str(%%location)
+  %if %%location_str != '/' and not %%location_str.endswith('/')
+        rewrite ^(%%location_str)$ $1/ permanent;
+  %end if
+        proxy_pass              %%location['revprox_url_' + family];
+        proxy_set_header        Host                    $http_host;
+        proxy_set_header        X-Real-IP               $remote_addr;
+        proxy_set_header        X-Forwarded-Host        $host;
+        proxy_set_header        X-Forwarded-Port        $server_port;
+        proxy_set_header        X-Forwarded-Server      $host;
+        proxy_set_header        X-Forwarded-For         $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Proto       $scheme;
+        proxy_set_header        Destination             $dest;
+        proxy_ssl_trusted_certificate /etc/pki/ca-trust/source/anchors/ca_ReverseProxy.crt;
+        proxy_ssl_verify       on;
+        proxy_ssl_verify_depth 2;
+        proxy_ssl_session_reuse on;
+        set                     $dest  $http_destination;
+        index  error.html;
+        root /var/www/html;
+    }
+  %if %%location_str != '/' and %%location_str.endswith('/')
+    location %%location_str[:-1] {
+        rewrite ^(%%location_str[:-1])$ $1/ permanent;
+    }
+  %end if
+ %end for
+}
+%end for
diff --git a/seed/applicationservice/2022.03.08/nsd/DEBUG.md b/seed/applicationservice/2022.03.08/nsd/DEBUG.md
new file mode 100644
index 0000000..4f350d5
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nsd/DEBUG.md
@@ -0,0 +1,40 @@
+# test zone file
+nsd-checkzone -p in.gnunux.info /etc/nsd/in.gnunux.info.zone.signed 
+nsd-checkzone -p 47.168.192.in-addr.arpa. /etc/nsd/47.168.192.in-addr.arpa.reverse.signed
+
+# resolvectl
+resolvectl log-level debug
+pour les versions plus ancien, éditer : /var/lib/machines/lemonldap.in.gnunux.info/lib/systemd/system/systemd-resolved.service
+Ajouter : 
+[Service]
+Environment=SYSTEMD_LOG_LEVEL=debug
+
+
+# verification avec delv
+
+cat keys
+
+```
+trusted-keys {
+in.gnunux.info. 257 3 13 "USFnZ0by5kztge0ATp0RGnLmiE6moqF97MkhkeeYRZHk38ZBma3Ww2yr C2wImxlu7cCPIcLzh6fJhZNESHqngQ==";
+};
+```
+
+## Pas correctement signé
+
+```
+root@debian:~# delv @192.168.45.11 -a keys +root=in.gnunux.info ldap.in.gnunux.info. A
+;; keys:1: option 'trusted-keys' is deprecated
+;; validating ldap.in.gnunux.info/A: no valid signature found
+;; RRSIG failed to verify resolving 'ldap.in.gnunux.info/A/IN': 192.168.45.11#53
+;; resolution failed: RRSIG failed to verify
+```
+
+## Correctement signé
+
+```
+root@debian:~# delv @192.168.45.11 -a keys +root=in.gnunux.info lemonldap.in.gnunux.info. A
+;; keys:1: option 'trusted-keys' is deprecated
+; fully validated
+```
+
diff --git a/seed/applicationservice/2022.03.08/nsd/applicationservice.yml b/seed/applicationservice/2022.03.08/nsd/applicationservice.yml
new file mode 100644
index 0000000..ad102d8
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nsd/applicationservice.yml
@@ -0,0 +1,5 @@
+format: '0.1'
+description: Configuration du serveur faisant autorité NSD
+service: true
+depends:
+  - base-fedora-35
diff --git a/seed/applicationservice/2022.03.08/nsd/dictionaries/20_nsd.xml b/seed/applicationservice/2022.03.08/nsd/dictionaries/20_nsd.xml
new file mode 100644
index 0000000..c50334f
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nsd/dictionaries/20_nsd.xml
@@ -0,0 +1,119 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name="nsd" target="multi-user">
+      <override/>
+      <ip ip_type="variable">nsd_allowed_all_client</ip>
+      <file>/etc/nsd/conf.d/risotto.conf</file>
+      <file file_type="variable" source="nsd.zone" variable="nsd_zones_all" included="content">nsd_zone_filenames</file>
+      <file file_type="variable" source="nsd.signed" variable="nsd_zone_filenames">nsd_zone_filenames_signed</file>
+      <file file_type="variable" source="nsd.reverse" variable="nsd_reverse_reverse_name" included="content">nsd_reverse_filenames</file>
+      <file file_type="variable" source="nsd.signed" variable="nsd_reverse_filenames">nsd_reverse_filenames_signed</file>
+      <file engine="none" source="sysuser-nsd.conf">/sysusers.d/0nsd.conf</file>
+      <file engine="none" source="tmpfile-nsd.conf">/tmpfiles.d/0nsd.conf</file>
+    </service>
+  </services>
+  <variables>
+    <family name="dns" description="DNS">
+      <variable name="dns_client_address" redefine="True" disabled="True"/>
+      <variable name="ip_dns" redefine="True" remove_fill="True">
+        <value>127.0.0.1</value>
+      </variable>
+    </family>
+    <family name="dns_server" description="Serveur DNS">
+      <variable name="nsd_allowed_client" type="ip" description="Clients" multi="True" mandatory="True" hidden="True" provider="dns"/>
+      <variable name="nsd_resolver" type="domainname" description="Nom de domaine du résolveur DNS associé"/>
+      <variable name="nsd_resolve_ip" type="ip" hidden="True"/>
+      <variable name="nsd_allowed_all_client" type="ip" description="All autorised IP" multi="True" hidden="True"/>
+    </family>
+    <family name="dns_zone" description="Zone DNS">
+      <variable name="nsd_zones" type="domainname" description="Zones DNS" multi="True"/>
+      <variable name="nsd_zones_auto" type="domainname" description="Zones DNS automatique" multi="True" hidden="True"/>
+      <variable name="nsd_zones_all" type="domainname" description="Toutes les zones DNS" multi="True" hidden="True" mandatory="True"/>
+    </family>
+    <family name="dns_reverses" description="Zone DNS reverse" leadership="True">
+      <variable name="nsd_reverse_network" description="Réseau pour la résolution reverse" type="network_cidr" multi="True"/>
+      <variable name="nsd_reverse_reverse_name" description="Nom de la zone" hidden="True"/>
+    </family>
+    <variable name="nsd_zone_filenames" type="filename" description="Nom des fichiers de zone" multi="True" hidden="True"/>
+    <variable name="nsd_zone_filenames_signed" type="filename" description="Nom des fichiers de zone signé" multi="True" hidden="True"/>
+    <variable name="nsd_reverse_filenames" type="filename" description="Nom des fichiers de zone reverse" multi="True" hidden="True"/>
+    <variable name="nsd_reverse_filenames_signed" type="filename" description="Nom des fichiers de zone reverse signé" multi="True" hidden="True"/>
+  </variables>
+  <constraints>
+    <fill name="nsd_concat_lists">
+      <param type="variable">ip_eth</param>
+      <param type="variable">nsd_allowed_client</param>
+      <param type="variable">nsd_resolve_ip</param>
+      <target>nsd_allowed_all_client</target>
+    </fill>
+    <fill name="set_linked">
+      <param name="linked_server" type="variable">nsd_resolver</param>
+      <param name="linked_provider">authorities</param>
+      <param name="linked_value" type="variable">ip_eth0</param>
+      <param name="linked_returns">ip</param>
+      <param name="dynamic">0</param>
+      <target>nsd_resolve_ip</target>
+    </fill>
+    <check name="set_linked_configuration">
+      <param name="linked_server" type="variable">nsd_resolver</param>
+      <param name="leader_provider">authorities</param>
+      <param name="leader_value" type="variable">ip_eth0</param>
+      <param name="linked_provider">authority_zones</param>
+      <target>nsd_zones_all</target>
+    </check>
+    <check name="set_linked_configuration">
+      <param name="linked_server" type="variable">nsd_resolver</param>
+      <param name="leader_provider">authorities</param>
+      <param name="leader_value" type="variable">ip_eth0</param>
+      <param name="linked_provider">authority_zones</param>
+      <target>nsd_reverse_reverse_name</target>
+    </check>
+    <fill name="get_internal_zones">
+      <target>nsd_zones_auto</target>
+    </fill>
+    <fill name="nsd_concat_lists">
+      <param type="variable">nsd_zones</param>
+      <param type="variable">nsd_zones_auto</param>
+      <target>nsd_zones_all</target>
+    </fill>
+    <fill name="get_reverse_name">
+      <param type="variable">nsd_reverse_network</param>
+      <target>nsd_reverse_reverse_name</target>
+    </fill>
+    <fill name="calc_value">
+      <param>/etc/nsd/</param>
+      <param type="variable">nsd_zones_all</param>
+      <param>.zone</param>
+      <param name="join"></param>
+      <param name="multi" type="boolean">True</param>
+      <target>nsd_zone_filenames</target>
+    </fill>
+    <fill name="calc_value">
+      <param type="variable">nsd_zone_filenames</param>
+      <param>.signed</param>
+      <param name="join"></param>
+      <param name="multi" type="boolean">True</param>
+      <target>nsd_zone_filenames_signed</target>
+    </fill>
+    <fill name="calc_value">
+      <param>/etc/nsd/</param>
+      <param type="variable">nsd_reverse_reverse_name</param>
+      <param>reverse</param>
+      <param name="join"></param>
+      <param name="multi" type="boolean">True</param>
+      <target>nsd_reverse_filenames</target>
+    </fill>
+    <fill name="calc_value">
+      <param type="variable">nsd_reverse_filenames</param>
+      <param>.signed</param>
+      <param name="join"></param>
+      <param name="multi" type="boolean">True</param>
+      <target>nsd_reverse_filenames_signed</target>
+    </fill>
+    <fill name="get_zones_info">
+      <param>network</param>
+      <target>nsd_reverse_network</target>
+    </fill>
+  </constraints>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/nsd/extras/machine/20_nsd.xml b/seed/applicationservice/2022.03.08/nsd/extras/machine/20_nsd.xml
new file mode 100644
index 0000000..ac4f5b3
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nsd/extras/machine/20_nsd.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rougail version="0.10">
+  <variables>
+    <variable name="var_size" redefine="True">
+      <value>256</value>
+    </variable>
+    <variable name="add_tmp" redefine="True">
+      <value>False</value>
+    </variable>
+    <variable name="add_srv" redefine="True">
+      <value>False</value>
+    </variable>
+    <variable name="add_swap" redefine="True">
+      <value>False</value>
+    </variable>
+    <variable name='memory' redefine="True" exists="True">
+      <value>512</value>
+    </variable>
+  </variables>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/nsd/extras/nsd/00_nsd.xml b/seed/applicationservice/2022.03.08/nsd/extras/nsd/00_nsd.xml
new file mode 100644
index 0000000..2db2f9d
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nsd/extras/nsd/00_nsd.xml
@@ -0,0 +1,50 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <variables>
+    <family name="nsd_zone_" description="Zone " dynamic="nsd_zones_all">
+      <variable name="is_auto_" description="Le domaine est automatique " type="boolean" hidden="True"/>
+      <family name="hostname_" description="Nom d'hôte pour " leadership="True">
+        <variable name="hostname_" description="Nom d'hôte pour " type="hostname" multi="True" mandatory="True"/>
+        <variable name="type_" description="Type pour " type="choice">
+          <choice type="string">A</choice>
+          <choice type="string">CNAME</choice>
+          <value type="string">A</value>
+        </variable>
+        <variable name="ip_" description="Adresse IP a renvoyer pour " type="ip" mandatory="True"/>
+        <variable name="cname_" description="Nom de domaine a renvoyer pour " type="domainname" mandatory="True"/>
+      </family>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="value_in">
+      <param type="suffix"/>
+      <param type="variable">nsd_zones_auto</param>
+      <target>nsd.nsd_zone_.is_auto_</target>
+    </fill>
+    <fill name="get_internal_info_in_zone">
+      <param type="suffix"/>
+      <param type="variable">nsd.nsd_zone_.is_auto_</param>
+      <param>host</param>
+      <target>nsd.nsd_zone_.hostname_.hostname_</target>
+    </fill>
+    <fill name="get_internal_info_in_zone">
+      <param type="suffix"/>
+      <param type="variable">nsd.nsd_zone_.is_auto_</param>
+      <param>ip</param>
+      <param type="index"/>
+      <target>nsd.nsd_zone_.hostname_.ip_</target>
+    </fill>
+    <condition name="disabled_if_in" source="nsd.nsd_zone_.hostname_.type_">
+      <param>A</param>
+      <target type="variable">nsd.nsd_zone_.hostname_.cname_</target>
+    </condition>
+    <condition name="disabled_if_in" source="nsd.nsd_zone_.hostname_.type_">
+      <param>CNAME</param>
+      <target type="variable">nsd.nsd_zone_.hostname_.ip_</target>
+    </condition>
+    <condition name="hidden_if_in" source="nsd.nsd_zone_.is_auto_">
+      <param type="boolean">True</param>
+      <target type="family">nsd.nsd_zone_.hostname_</target>
+    </condition>
+  </constraints>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/nsd/funcs/funcs.py b/seed/applicationservice/2022.03.08/nsd/funcs/funcs.py
new file mode 100644
index 0000000..0d680fe
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nsd/funcs/funcs.py
@@ -0,0 +1,110 @@
+from typing import List as _List
+from os.path import join as _join, isdir as _isdir, abspath as _abspath
+from datetime import datetime as _datetime
+from ipaddress import ip_network, ip_address
+from subprocess import run as _run
+from os import makedirs as _makedirs, unlink as _unlink
+from shutil import rmtree as _rmtree
+from glob import glob as _glob
+
+
+_PKI_DIR = _abspath('pki/dnssec')
+_ALGO = 'ECDSAP256SHA256'
+_ZSK_LEN = 512
+_KSK_LEN = _ZSK_LEN
+
+
+def nsd_serial() -> str:
+    return _datetime.now().strftime('%m%d%H%M%S')
+
+
+def value_in(value: str,
+             values: _List[str],
+             ) -> bool:
+    for val in values:
+        if value == val:
+            return True
+    return False
+
+
+def nsd_concat_lists(list1: _List[str],
+                     list2: _List[str],
+                     str1: str=None,
+                     ) -> _List[str]:
+    ret = list1 + list2
+    if str1:
+        ret.append(str1)
+    return ret
+
+
+def get_reverse_name(network: str) -> str:
+    if not network:
+        return
+    network_obj = ip_network(network)
+    if network_obj.prefixlen != 24:
+        raise ValueError('only netmask "255.255.255.0" is supported for DNS reverse name')
+    o1, o2, o3, o4 = network.split('.')
+    return f'{o3}.{o2}.{o1}.in-addr.arpa.'
+
+
+def _gen_key(cn:str,
+             authority_cn: str,
+             type: str,
+             ) -> str:
+    dir_name = _join(_PKI_DIR, cn, authority_cn, type)
+    filename = None
+    if _isdir(dir_name):
+        filenames = _glob(_join(dir_name, f'K{authority_cn}.+*.key'))
+        if filenames:
+            filename = filenames[0].rsplit('.', 1)[0]
+    if filename is None:
+        if _isdir(dir_name):
+            _rmtree(dir_name)
+        _makedirs(dir_name)
+        if type == 'zsk':
+            cmd = ['ldns-keygen', '-a', _ALGO, '-b', str(_ZSK_LEN), authority_cn]
+        else:
+            cmd = ['ldns-keygen', '-a', _ALGO, '-b', str(_KSK_LEN), '-k', authority_cn]
+        proc = _run(cmd,
+                    cwd=dir_name,
+                    capture_output=True,
+                    )
+        if proc.returncode != 0:
+            raise Exception(f'cannot generate {type}: {proc.stdout.decode()}, {proc.stderr.decode()}')
+        filename = _join(dir_name, proc.stdout.decode().strip())
+    return filename
+
+
+def _gen_keys(cn,
+              authority_cn,
+              ) -> str:
+    zsk = _gen_key(cn, authority_cn, 'zsk')
+    ksk = _gen_key(cn, authority_cn, 'ksk')
+    return zsk, ksk
+
+
+def gen_cert(cn: str,
+             authority_cn: str,
+             ) -> str:
+    zsk, ksk = _gen_keys(cn, authority_cn)
+    with open(f'{ksk}.key') as fh:
+        content = fh.read().strip()
+    scontent = content.split()
+    infos = ' '.join(scontent[3:6])
+    return f'"{authority_cn}." {infos} "{scontent[6]}";'
+
+
+def sign(zone_filename: str,
+         cn: str,
+         ) -> str:
+    authority_cn = zone_filename.rsplit('/', 1)[-1].rsplit('.', 1)[0]
+    zsk, ksk = _gen_keys(cn, authority_cn)
+    cmd = ['ldns-signzone', '-n', zone_filename, zsk, ksk]
+    proc = _run(cmd, capture_output=True)
+    if proc.returncode != 0:
+        raise Exception(f'cannot sign {zone_filename}: {proc.stdout.decode()}, {proc.stderr.decode()}')
+    signed_filename = f'{zone_filename}.signed'
+    with open(signed_filename) as fh:
+        content = fh.read().strip()
+    _unlink(signed_filename)
+    return content
diff --git a/seed/applicationservice/2022.03.08/nsd/manual/image/preinstall/nsd.sh b/seed/applicationservice/2022.03.08/nsd/manual/image/preinstall/nsd.sh
new file mode 100644
index 0000000..eb927b6
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nsd/manual/image/preinstall/nsd.sh
@@ -0,0 +1 @@
+PKG="$PKG nsd"
diff --git a/seed/applicationservice/2022.03.08/nsd/packer/image/scripts/20-nsd b/seed/applicationservice/2022.03.08/nsd/packer/image/scripts/20-nsd
new file mode 100644
index 0000000..1f22a34
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nsd/packer/image/scripts/20-nsd
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -xe
+
+[ -e /tmp/proxy.sh ] && . /tmp/proxy.sh
+microdnf -y --nodocs --noplugins install nsd
+# make_volatile /var/lib/nsd
+
+exit 0
diff --git a/seed/applicationservice/2022.03.08/nsd/templates/nsd.reverse b/seed/applicationservice/2022.03.08/nsd/templates/nsd.reverse
new file mode 100644
index 0000000..e532059
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nsd/templates/nsd.reverse
@@ -0,0 +1,32 @@
+%set %%name = None
+%set %%network = %%ip_network(%%nsd_reverse_network[%%rougail_index])
+%for %%zone in %%nsd_zones_all
+  %set %%suffix = %%normalize_family(%%zone)
+  %set %%hostnames = %%nsd["nsd_zone_" + %%suffix]["hostname_" + %%suffix]["hostname_" + %%suffix]
+  %for %%hostname in %%hostnames
+    %set %%type = %%hostname['type_' + %%suffix]
+    %if %%type == 'A'
+      %if not %%name
+%set %%name = %%str(%%zone)
+$ORIGIN %%rougail_variable
+$TTL 1800
+
+@       IN      SOA     %%domain_name_eth0.      admin.%%name. (
+                        %%nsd_serial()              ; serial number
+                        3600                    ; refresh
+                        900                     ; retry
+                        1209600                 ; expire
+                        1800                    ; ttl
+                        )
+; Name servers
+
+        IN      NS      %%domain_name_eth0.
+      %end if
+      %set %%ip = %%hostname['ip_' + %%suffix]
+      %if %%ip_address(%%ip) in %%network
+%set %%id = %%ip.rsplit('.', 1)[1]
+%%id       PTR %%hostname.%%{zone}.
+      %end if
+    %end if
+  %end for
+%end for
diff --git a/seed/applicationservice/2022.03.08/nsd/templates/nsd.service b/seed/applicationservice/2022.03.08/nsd/templates/nsd.service
new file mode 100644
index 0000000..6f45f4e
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nsd/templates/nsd.service
@@ -0,0 +1,2 @@
+[Unit]
+After=network.target
diff --git a/seed/applicationservice/2022.03.08/nsd/templates/nsd.signed b/seed/applicationservice/2022.03.08/nsd/templates/nsd.signed
new file mode 100644
index 0000000..8f92c51
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nsd/templates/nsd.signed
@@ -0,0 +1 @@
+%%sign(%%rougail_destination_dir + %%rougail_variable, %%domain_name_eth0)
diff --git a/seed/applicationservice/2022.03.08/nsd/templates/nsd.zone b/seed/applicationservice/2022.03.08/nsd/templates/nsd.zone
new file mode 100644
index 0000000..0fd111a
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nsd/templates/nsd.zone
@@ -0,0 +1,25 @@
+$ORIGIN %%rougail_variable.
+$TTL 1800
+
+@       IN      SOA     %%domain_name_eth0.      admin.%%rougail_variable. (
+                        %%nsd_serial()              ; serial number
+                        3600                    ; refresh
+                        900                     ; retry
+                        1209600                 ; expire
+                        1800                    ; ttl
+                        )
+; Name servers
+
+        NS      %%domain_name_eth0.
+
+%set %%suffix = %%normalize_family(%%rougail_variable)
+%set %%hostnames = %%nsd["nsd_zone_" + %%suffix]["hostname_" + %%suffix]["hostname_" + %%suffix]
+%for %%nsd in %%hostnames
+  %set %%type = %%nsd['type_' + %%suffix]
+  %if %%type == 'A'
+    %set %%value = %%nsd['ip_' + %%suffix]
+  %else
+    %set %%value = %%nsd['cname_' + %%suffix] + '.'
+  %end if
+%%nsd       %%type %%value
+%end for
diff --git a/seed/applicationservice/2022.03.08/nsd/templates/risotto.conf b/seed/applicationservice/2022.03.08/nsd/templates/risotto.conf
new file mode 100644
index 0000000..a1f22d4
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nsd/templates/risotto.conf
@@ -0,0 +1,24 @@
+server:
+    interface: 127.0.0.1
+%for %%interface in %%interfaces_list
+    interface: %%getVar('ip_eth' + %%str(%%interface))
+%end for
+    do-ip4: yes
+    do-ip6: no
+    log-only-syslog: no
+    xfrdir: /var/tmp
+
+remote-control:
+    control-enable: no
+%for %%zone in %%nsd_zones_all
+
+zone:
+    name: "%%zone"
+    zonefile: "%%{zone}.zone.signed"
+%end for
+%for %%reverse in %%nsd_reverse_network
+
+zone:
+    name: "%%reverse.nsd_reverse_reverse_name"
+    zonefile: "%%{reverse.nsd_reverse_reverse_name}reverse.signed"
+%end for
diff --git a/seed/applicationservice/2022.03.08/nsd/templates/sysuser-nsd.conf b/seed/applicationservice/2022.03.08/nsd/templates/sysuser-nsd.conf
new file mode 100644
index 0000000..f0c1e06
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nsd/templates/sysuser-nsd.conf
@@ -0,0 +1,2 @@
+g nsd 999 -
+u nsd 999:999     "nsd daemon account" /etc/nsd  /sbin/nologin
diff --git a/seed/applicationservice/2022.03.08/nsd/templates/tmpfile-nsd.conf b/seed/applicationservice/2022.03.08/nsd/templates/tmpfile-nsd.conf
new file mode 100644
index 0000000..5151864
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/nsd/templates/tmpfile-nsd.conf
@@ -0,0 +1 @@
+d /var/lib/nsd 750 nsd nsd - -
diff --git a/seed/applicationservice/2022.03.08/oauth2-client/applicationservice.yml b/seed/applicationservice/2022.03.08/oauth2-client/applicationservice.yml
new file mode 100644
index 0000000..b6f735e
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/oauth2-client/applicationservice.yml
@@ -0,0 +1,2 @@
+format: '0.1'
+description: Oauth2 client
diff --git a/seed/applicationservice/2022.03.08/oauth2-client/dictionaries/30_oauth2_client.xml b/seed/applicationservice/2022.03.08/oauth2-client/dictionaries/30_oauth2_client.xml
new file mode 100644
index 0000000..4715253
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/oauth2-client/dictionaries/30_oauth2_client.xml
@@ -0,0 +1,85 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <variables>
+    <family name="oauth2_client" description="OAuth2 client">
+      <variable name="oauth2_client_server_domainname" type="domainname" description="OAuth2 server domain name" mandatory='True'/>
+      <variable name="oauth2_is_client_application" type="boolean" description="OAuth2 client is an application" mandatory='True'>
+        <value>False</value>
+      </variable>
+      <variable name="oauth2_client_name" description="OAuth2 client name" mandatory='True'/>
+      <variable name="oauth2_client_description" description="OAuth2 client description" mandatory='True'/>
+      <variable name="oauth2_client_login" type="web_address" description="OAuth2 URL to valid login"/>
+      <variable name="oauth2_client_external" type="web_address" description="OAuth2 client external" mandatory='True'/>
+      <variable name="oauth2_client_id" description="OAuth2 ID" mandatory='True' hidden='True'/>
+      <variable name="oauth2_client_secret" type="password" description="OAuth2 secret" mandatory='True' hidden='True'/>
+      <variable name="oauth2_client_token_signature_algo" type="choice" description="OAuth2 token signature algorithm" mandatory='True' hidden='True'>
+        <value>HS512</value>
+        <choice>HS512</choice>
+        <choice>RS256</choice>
+      </variable>
+      <variable name="oauth2_server_domainname" type="domainname" description="OAuth2 server domain name" mandatory='True' hidden='True'/>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="set_linked">
+      <param name="linked_server" type="variable">oauth2_client_server_domainname</param>
+      <param name="linked_provider">oauth2</param>
+      <param name="linked_value" type="variable">domain_name_eth0</param>
+      <target>oauth2_client_id</target>
+    </fill>
+    <fill name="get_linked_configuration">
+      <param name="linked_server" type="variable">oauth2_client_server_domainname</param>
+      <param name="linked_provider">oauth2_secret</param>
+      <param name="dynamic" type="variable">oauth2_client_id</param>
+      <target>oauth2_client_secret</target>
+    </fill>
+    <fill name="get_linked_configuration">
+      <param name="linked_server" type="variable">oauth2_client_server_domainname</param>
+      <param name="linked_provider">external_domainname</param>
+      <target>oauth2_server_domainname</target>
+    </fill>
+    <check name="set_linked_configuration">
+      <param name="linked_server" type="variable">oauth2_client_server_domainname</param>
+      <param name="linked_provider">oauth2_name</param>
+      <param name="dynamic" type="variable">oauth2_client_id</param>
+      <target>oauth2_client_name</target>
+    </check>
+    <check name="set_linked_configuration">
+      <param name="linked_server" type="variable">oauth2_client_server_domainname</param>
+      <param name="linked_provider">oauth2_description</param>
+      <param name="dynamic" type="variable">oauth2_client_id</param>
+      <target>oauth2_client_description</target>
+    </check>
+    <check name="set_linked_configuration">
+      <param name="linked_server" type="variable">oauth2_client_server_domainname</param>
+      <param name="linked_provider">oauth2_external</param>
+      <param name="dynamic" type="variable">oauth2_client_id</param>
+      <target>oauth2_client_external</target>
+    </check>
+    <check name="set_linked_configuration">
+      <param name="linked_server" type="variable">oauth2_client_server_domainname</param>
+      <param name="linked_provider">oauth2_login</param>
+      <param name="dynamic" type="variable">oauth2_client_id</param>
+      <target>oauth2_client_login</target>
+    </check>
+    <check name="set_linked_configuration">
+      <param name="linked_server" type="variable">oauth2_client_server_domainname</param>
+      <param name="linked_provider">oauth2_token_signature_algo</param>
+      <param name="dynamic" type="variable">oauth2_client_id</param>
+      <target>oauth2_client_token_signature_algo</target>
+    </check>
+    <fill name="calc_value">
+      <param>https://</param>
+      <param type="variable" optional="True">revprox_client_external_domainname</param>
+      <param type="variable" optional="True">revprox_client_location</param>
+      <param name="join"></param>
+      <target>oauth2_client_external</target>
+    </fill>
+    <condition name="disabled_if_in" source="oauth2_is_client_application">
+      <param>False</param>
+      <target type="variable">oauth2_client_name</target>
+      <target type="variable">oauth2_client_description</target>
+      <target type="variable">oauth2_client_external</target>
+    </condition>
+  </constraints>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/openldap-server/DEBUG.md b/seed/applicationservice/2022.03.08/openldap-server/DEBUG.md
new file mode 100644
index 0000000..fa1978d
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/openldap-server/DEBUG.md
@@ -0,0 +1,26 @@
+# DEBUG
+
+Search with admin user:
+
+```
+ldapsearch -D cn=admin,ou=in,o=gnunux,o=info -y /usr/local/lib/secrets/admin_ldap.pwd -b ou=users,ou=in,o=gnunux,o=info
+```
+
+Search with nexcloud admin user:
+
+```
+USER="cn=nextcloud_in_gnunux_info,ou=in,o=gnunux,o=info"
+PASS="01CXZAjVr4A2iSoqdYIU5CFiC2BCuCQlvCR-wmeG6ns"
+DN="ou=users,ou=in,o=gnunux,o=info"
+ldapsearch -D "$USER" -w "$PASS" -b "$DN"
+```
+
+Retrieve the password in nextcloud machine:
+
+```
+grep ldapAgentPassword /etc/nextcloud/nextcloud.init
+```
+
+Search information with standard user:
+
+ldapsearch -D cn=gnunux@gnunux.info,ou=users,ou=in,o=gnunux,o=info -w "1vCE09NRW2kxHIpf1PkehOS9bSLZual82saHSBj9RPM" -b cn=gnunux@gnunux.info,ou=users,ou=in,o=gnunux,o=info
diff --git a/seed/applicationservice/2022.03.08/openldap-server/README.md b/seed/applicationservice/2022.03.08/openldap-server/README.md
new file mode 100644
index 0000000..a357f06
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/openldap-server/README.md
@@ -0,0 +1,12 @@
+slapcat -b cn=config  -o ldif-wrap=no > /tmp/config.ldif
+
+Supprimé dans chaque entrée les lignes suivantes :
+
+structuralObjectClass: olcMdbConfig
+entryUUID: 410ce868-f846-103b-8f45-a3349ac8bd80
+creatorsName: cn=config
+createTimestamp: 20211223141332Z
+entryCSN: 20211223141332.369257Z#000000#000#000000
+modifiersName: cn=config
+modifyTimestamp: 20211223141332Z
+
diff --git a/seed/applicationservice/2022.03.08/openldap-server/a_voir/sauvegarde/bareos/fichier/annuaire.conf b/seed/applicationservice/2022.03.08/openldap-server/a_voir/sauvegarde/bareos/fichier/annuaire.conf
new file mode 100644
index 0000000..82c2bec
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/openldap-server/a_voir/sauvegarde/bareos/fichier/annuaire.conf
@@ -0,0 +1,8 @@
+Include {
+  Options {
+    aclsupport = no
+    signature = md5
+    @/etc/bareos/include-options.conf
+  }
+  File = /root/.reader
+}
diff --git a/seed/applicationservice/2022.03.08/openldap-server/a_voir/sauvegarde/bareos/restore/ldap.py b/seed/applicationservice/2022.03.08/openldap-server/a_voir/sauvegarde/bareos/restore/ldap.py
new file mode 100644
index 0000000..4c7fbe1
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/openldap-server/a_voir/sauvegarde/bareos/restore/ldap.py
@@ -0,0 +1,61 @@
+#!/usr/bin/env python
+"""Module ldap"""
+import sys
+from glob import glob
+from shutil import copyfile
+from os import unlink, makedirs, stat
+from os.path import dirname, isdir, isfile
+from creole.client import CreoleClient
+from pyeole.process import system_code
+from pyeole.service import manage_service
+from pyeole.bareosrestore import bareos_restore_one_file, exit_if_running_jobs
+
+LDAPFILE = '/home/backup/sauv_ldap.ldif'
+
+def execute(option, opt_str, value, parser, jobid, test_jobs=True):
+    """ldap helper"""
+    if len(parser.rargs) > 0:
+        option = parser.rargs[0]
+        if option == 'pre':
+            pre()
+        elif option == 'post':
+            post()
+    else:
+        if test_jobs:
+            exit_if_running_jobs()
+        job(jobid)
+
+def pre():
+    print("pre ldap")
+
+def post():
+    print("post ldap")
+    if not isfile(LDAPFILE):
+        print("Il manque le fichier {0}".format(LDAPFILE))
+        sys.exit(1)
+    if stat(LDAPFILE).st_size == 0:
+        print("Le fichier {0} est vide".format(LDAPFILE))
+        sys.exit(1)
+    path = CreoleClient().get_creole('container_path_annuaire')
+    if path != '':
+        # copie du ldif dans le conteneur
+        destdir = path + dirname(LDAPFILE)
+        if not isdir(destdir):
+            makedirs(destdir)
+        copyfile(LDAPFILE, path + LDAPFILE)
+    manage_service('stop', 'slapd', 'annuaire')
+    system_code(["sleep", "5"])
+    for files in glob("{0}/var/lib/ldap/*.*".format(path)):
+        unlink(files)
+    slapadd_cmd = ['/usr/sbin/slapadd', '-f', '/etc/ldap/slapd.conf',
+                   '-l', LDAPFILE]
+    system_code(slapadd_cmd , container='annuaire')
+    system_code(["chown", "-R", "openldap:openldap", "/var/lib/ldap"],
+                 container='annuaire')
+    manage_service('start', 'slapd', 'annuaire')
+
+def job(jobid):
+    print("Restauration de l'annuaire LDAP")
+    bareos_restore_one_file(LDAPFILE, jobid)
+
+priority = 20
diff --git a/seed/applicationservice/2022.03.08/openldap-server/a_voir/sauvegarde/extra/schedule/01_annuaire.xml b/seed/applicationservice/2022.03.08/openldap-server/a_voir/sauvegarde/extra/schedule/01_annuaire.xml
new file mode 100644
index 0000000..1df727a
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/openldap-server/a_voir/sauvegarde/extra/schedule/01_annuaire.xml
@@ -0,0 +1,19 @@
+<?xml version="1.0" encoding="utf-8"?>
+
+<creole>
+    <variables>
+        <family name="annuaire">
+            <variable name="description" type="string" hidden="True"><value>Export de l'annuaire LDAP</value></variable>
+            <variable name="day" type="schedule" description="Périodicité d'exécution"></variable>
+            <variable name="mode" type="schedulemod" hidden ="True"><value>pre</value></variable>
+        </family>
+    </variables>
+    <constraints>
+        <fill name='calc_multi_condition' target='schedule.annuaire.day'>
+            <param>local</param>
+            <param type='eole' name='condition_1'>activer_client_ldap</param>
+            <param name='match'>daily</param>
+            <param name='mismatch'>none</param>
+        </fill>
+    </constraints>
+</creole>
diff --git a/seed/applicationservice/2022.03.08/openldap-server/a_voir/sauvegarde/schedule/scripts/annuaire b/seed/applicationservice/2022.03.08/openldap-server/a_voir/sauvegarde/schedule/scripts/annuaire
new file mode 100755
index 0000000..7da09d2
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/openldap-server/a_voir/sauvegarde/schedule/scripts/annuaire
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+DESC="Exportation de l'annuaire LDAP"
+
+. /usr/share/eole/schedule/config.sh
+
+LDAPSAVDIR=$SAVDIR
+LDAPSAVFILE=$LDAPSAVDIR/sauv_ldap.ldif
+
+rm -f $LDAPSAVFILE
+mkdir -p $LDAPSAVDIR
+
+CreoleService slapd stop -c annuaire
+CreoleRun "slapcat -v -f /etc/ldap/slapd.conf -o ldif-wrap=no" annuaire > $LDAPSAVFILE
+slapd_error=$?
+CreoleService slapd start -c annuaire
+[ $slapd_error -ne 0 ] && exit 1
+
+exit 0
diff --git a/seed/applicationservice/2022.03.08/openldap-server/applicationservice.yml b/seed/applicationservice/2022.03.08/openldap-server/applicationservice.yml
new file mode 100644
index 0000000..6bd6c9c
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/openldap-server/applicationservice.yml
@@ -0,0 +1,5 @@
+format: '0.1'
+description: OpenLDAP server
+depends:
+  - ldap-client-fedora
+  - base-fedora-35
diff --git a/seed/applicationservice/2022.03.08/openldap-server/dictionaries/21_openldap-server.xml b/seed/applicationservice/2022.03.08/openldap-server/dictionaries/21_openldap-server.xml
new file mode 100644
index 0000000..850791d
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/openldap-server/dictionaries/21_openldap-server.xml
@@ -0,0 +1,133 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rougail version="0.10">
+  <services>
+    <service name="slapd" target="multi-user">
+      <override/>
+      <file source='default.slapd'>/etc/default/slapd</file>
+      <file>/etc/pki/tls/certs/openldap.crt</file>
+      <file owner="ldap" mode="400">/etc/pki/tls/private/openldap.key</file>
+      <file owner="ldap">/var/lib/ldap/DB_CONFIG</file>
+      <file>/secrets/users.ldif</file>
+      <file>/secrets/config.ldif</file>
+      <file>/secrets/config_acl.ldif</file>
+      <file>/secrets/admin_ldap.pwd</file>
+      <file engine="none">/sysusers.d/risotto-openldap.conf</file>
+      <file engine="none" source="tmpfile-openldap-server.conf">/tmpfiles.d/0openldap-server.conf</file>
+    </service>
+  </services>
+
+  <variables>
+    <family name="annuaire">
+      <variable name='ldap_server_address' redefine="True" hidden="True"/>
+      <variable name='ldap_base_dn' redefine="True" mandatory="True" provider="LDAP_DN"/>
+      <variable name='ldap_port' redefine="True" remove_fill="True" hidden="False" provider="LDAP_PORT">
+        <value>636</value>
+      </variable>
+      <variable name='ldap_admin_dn' type='string' description="Administrateur de l'annuaire" mandatory="True" auto_freeze='True'/>
+      <variable name='ldap_admin_password' type="password" description="Mot de passe de l'administrateur de l'annuaire" hidden='True' auto_save='True'/>
+      <family name='ldap_index_attribute' leadership='True' description="Gestion des index des attributes">
+        <variable name='ldap_index_attribute' type='string' description="Attribut à indexer" multi="True">
+          <value>objectClass</value>
+          <value>uid</value>
+          <value>cn</value>
+          <value>sn</value>
+          <value>givenName</value>
+          <value>mail</value>
+          <value>entryCSN</value>
+          <value>entryUUID</value>
+          <value>contextCSN</value>
+        </variable>
+        <variable name='ldap_index_indices' type='string' description="Types d'index" multi="True">
+          <value>eq</value>
+          <value>pres</value>
+        </variable>
+	      <variable name='openldap_ca_chain' description="CA certificate" hidden='True'/>
+      </family>
+      <variable name='ldap_schemas' type='filename' description='Schémas LDAP additionnel' multi='True'>
+        <value>/etc/openldap/schema/cosine.ldif</value>
+        <value>/etc/openldap/schema/inetorgperson.ldif</value>
+      </variable>
+      <variable name='ldap_loglevel' type='number' description='Niveau de log' mode="expert">
+        <value>0</value>
+      </variable>
+      <variable name='ldap_sizelimit' type='number' description="Nombre maximum d'entrées à retourner lors d'une requête" mode="expert">
+        <value>5000</value>
+      </variable>
+      <variable name='ldap_timelimit' type='number' description='Temps de réponse maximum à une requête (en secondes)' mode="expert">
+        <value>3600</value>
+      </variable>
+      <variable name='ldapclient_remote_user' redefine="True"/>
+      <variable name='ldapclient_remote_user_password' redefine="True"/>
+    </family>
+    <family name='db_environment' description='DB environment' mode='expert'>
+      <variable name='db_cache_size_g' description="Quantité de Giga-octets à utiliser pour le cache HDB" type="number">
+        <value>0</value>
+      </variable>
+      <variable name='db_cache_size_o' description="Quantité d'octets à utiliser pour le cache HDB" type="number">
+        <value>268435456</value>
+      </variable>
+      <variable name='db_cache_chunks' description="Nombre de fichiers ou écrire le cache HDB" type="number">
+        <value>1</value>
+      </variable>
+      <variable name='db_log_region_max' type='number' description="Quantité de fichier de cache mis en cache mémoire">
+        <value>262144</value>
+      </variable>
+      <variable name='db_log_max' type='number' description="Quantité d'informations de journalisation conservé jusqu'à rotation">
+        <value>10485760</value>
+      </variable>
+      <variable name='db_log_bsize' type='number' description="Quantité d'informations de journalisation du cache reporté sur le disque">
+        <value>2097152</value>
+      </variable>
+      <variable name='db_log_directory' type='filename' description='Répertoire de conservation des informations de journalisation'>
+        <value>/var/lib/ldap/logs</value>
+      </variable>
+      <variable name='db_lk_max_objects' type='number' description="Numbre d'objet qui peuvent être verrouillés simultanément ">
+        <value>5000</value>
+      </variable>
+      <variable name='db_lk_max' type='number' description='Nombre de verrous maximal'>
+        <value>5000</value>
+      </variable>
+      <variable name='db_lk_max_lockers' type='number' description='Nombre de verrouilleur maximal'>
+        <value>5000</value>
+      </variable>
+    </family>
+  </variables>
+  <constraints>
+    <!--fill/auto-->
+    <fill name='calc_value'>
+      <param type='variable'>domain_name_eth0</param>
+      <target>ldap_server_address</target>
+    </fill>
+    <fill name='get_default_base_dn'>
+      <param type="variable">domain_name_eth0</param>
+      <target>ldap_base_dn</target>
+    </fill>
+    <fill name='calc_value'>
+      <param>cn=admin</param>
+      <param type='variable'>ldap_base_dn</param>
+      <param name="join">,</param>
+      <target>ldap_admin_dn</target>
+    </fill>
+    <fill name="get_password">
+      <param name="server_name" type="variable">domain_name_eth0</param>
+      <param name="username">writer</param>
+      <param name="description">LDAP</param>
+      <param name="type">cleartext</param>
+      <param name="temporary" type="boolean">True</param>
+      <target>ldap_admin_password</target>
+    </fill>
+    <fill name="calc_value">
+      <param type="variable">ldap_admin_dn</param>
+      <target>ldapclient_remote_user</target>
+    </fill>
+    <fill name="calc_value">
+      <param type="variable">ldap_admin_password</param>
+      <target>ldapclient_remote_user_password</target>
+    </fill>
+    <fill name="get_chain">
+      <param name="authority_cn" type="variable">domain_name_eth0</param>
+      <param name="authority_name">LDAP</param>
+      <target>openldap_ca_chain</target>
+    </fill>
+  </constraints>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/openldap-server/extras/accounts/00_account.xml b/seed/applicationservice/2022.03.08/openldap-server/extras/accounts/00_account.xml
new file mode 100644
index 0000000..d862d29
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/openldap-server/extras/accounts/00_account.xml
@@ -0,0 +1,49 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <variables>
+    <variable name="remotes" description="Serveurs distant ayant un compte" type="domainname" multi="True" provider="clients"/>
+    <family name="remote_" description="Compte LDAP pour " dynamic="accounts.remotes">
+      <variable name="dn_" description="LDAP DN" hidden="True" provider="dn"/>
+      <variable name="password_" description="Mot de passe" auto_save="True" hidden="True" provider="client_password"/>
+      <variable name="read_only_" description="Le compte est en lecture seule" type="boolean"/>
+    </family>
+    <family name="users" description="Gestion des utilisateurs" leadership="True">
+      <variable name='ldap_user_mail' type="mail" description="Adresse courriel du compte" multi="True"/>
+      <variable name='ldap_user_aliases' type="mail" description="Aliases du mail" multi="True"/> <!-- FIXME -->
+      <variable name='ldap_user_uid' type="unix_user" description="Nom de compte" mandatory="True"/>
+      <variable name='ldap_user_sn' type="string" description="Prénom" mandatory="True"/>
+      <variable name='ldap_user_gn' type="string" description="Nom de famille" mandatory="True"/>
+      <variable name='ldap_user_password' type="password" description="Mot de passe" mandatory="True" hidden="True"/>
+    </family>
+    <family name="acl" description="Gestion des droits d'accès aux attributes" leadership="True">
+      <variable name='ldap_acl_attribute' type="string" description="ACL de l'attribut" multi="True"/>
+      <variable name='ldap_acl_rights' type="string" description="ACL de l'attribut" multi="True"/>
+    </family>
+  </variables>
+  <constraints>
+    <fill name='calc_value'>
+      <param>cn=</param>
+      <param type='suffix'></param>
+      <param>,</param>
+      <param type='variable'>ldap_base_dn</param>
+      <param name="join"></param>
+      <target>accounts.remote_.dn_</target>
+    </fill>
+    <fill name="get_password">
+      <param name="server_name" type="variable">domain_name_eth0</param>
+      <param name="username" type='suffix'/>
+      <param name="description">remote account</param>
+      <param name="type">cleartext</param>
+      <param name="temporary" type="boolean">True</param>
+      <target>accounts.remote_.password_</target>
+    </fill>
+    <fill name="get_password">
+      <param name="server_name" type="variable">domain_name_eth0</param>
+      <param name="username" type='variable'>accounts.users.ldap_user_mail</param>
+      <param name="description">ldap user</param>
+      <param name="type">cleartext</param>
+      <param name="temporary" type="boolean">True</param>
+      <target>accounts.users.ldap_user_password</target>
+    </fill>
+  </constraints>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/openldap-server/funcs/ldap.py b/seed/applicationservice/2022.03.08/openldap-server/funcs/ldap.py
new file mode 100644
index 0000000..c74d106
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/openldap-server/funcs/ldap.py
@@ -0,0 +1,12 @@
+from os import urandom as _urandom
+from hashlib import sha1 as _sha1
+from base64 import encodebytes as _encodebytes, b64encode as _b64encode
+
+
+# unproudly borrowed from
+# http://www.openldap.org/faq/data/cache/347.html
+def ssha_encode(password):
+    salt = _urandom(4)
+    h = _sha1(password.encode())
+    h.update(salt)
+    return _b64encode(b"{SSHA}" + _encodebytes(h.digest() + salt)[:-1]).decode()
diff --git a/seed/applicationservice/2022.03.08/openldap-server/ldap.service b/seed/applicationservice/2022.03.08/openldap-server/ldap.service
new file mode 100644
index 0000000..db59eb9
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/openldap-server/ldap.service
@@ -0,0 +1,4 @@
+si le fichier /var/lib/ldap/cn.bdb n'existe pas !
+rm -rf /var/lib/ldap/alock
+rm -rf /var/lib/ldap/*.*
+$CHROOT su openldap -s /bin/bash -c "slapadd -l /var/lib/ldap/${ldif} -f /etc/ldap/slapd.conf" > /dev/null
diff --git a/seed/applicationservice/2022.03.08/openldap-server/manual/image/postinstall/openldap_server.sh b/seed/applicationservice/2022.03.08/openldap-server/manual/image/postinstall/openldap_server.sh
new file mode 100644
index 0000000..c025a65
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/openldap-server/manual/image/postinstall/openldap_server.sh
@@ -0,0 +1 @@
+rm -rf "$IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/openldap/slapd.d/"
diff --git a/seed/applicationservice/2022.03.08/openldap-server/manual/image/preinstall/openldap_server.sh b/seed/applicationservice/2022.03.08/openldap-server/manual/image/preinstall/openldap_server.sh
new file mode 100644
index 0000000..dfee09a
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/openldap-server/manual/image/preinstall/openldap_server.sh
@@ -0,0 +1 @@
+PKG="$PKG openldap-servers openldap-clients"
diff --git a/seed/applicationservice/2022.03.08/openldap-server/packer/image/scripts/20-openldap-server b/seed/applicationservice/2022.03.08/openldap-server/packer/image/scripts/20-openldap-server
new file mode 100644
index 0000000..fad8671
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/openldap-server/packer/image/scripts/20-openldap-server
@@ -0,0 +1,7 @@
+#!/bin/bash
+
+set -xe
+
+microdnf -y --nodocs --noplugins install openldap-servers
+
+exit 0
diff --git a/seed/applicationservice/2022.03.08/openldap-server/templates/DB_CONFIG b/seed/applicationservice/2022.03.08/openldap-server/templates/DB_CONFIG
new file mode 100644
index 0000000..84ebaa7
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/openldap-server/templates/DB_CONFIG
@@ -0,0 +1,90 @@
+# $OpenLDAP$
+# Example DB_CONFIG file for use with slapd(8) BDB/HDB databases.
+#
+# See the Oracle Berkeley DB documentation
+#   <http://www.oracle.com/technology/documentation/berkeley-db/db/ref/env/db_config.html>
+# for detail description of DB_CONFIG syntax and semantics.
+#
+# Hints can also be found in the OpenLDAP Software FAQ
+#       <http://www.openldap.org/faq/index.cgi?file=2>
+# in particular:
+#   <http://www.openldap.org/faq/index.cgi?file=1075>
+
+# Note: most DB_CONFIG settings will take effect only upon rebuilding
+# the DB environment.
+
+# Set the database in memory cache size.
+#
+# set_cachesize <gbytes> <bytes> <ncache>
+#   Sets the database in memory cache size.
+#   Database entries and indexes will be stored in this cache to
+#   avoid disk access during database read and write operations.
+#   Tuning this value can greatly effect your database performance.
+#   The parameters are:
+#      <gbytes>: The number of gigabytes of memory to allocate to the cache.
+#      <bytes>: The number of bytes of memory to allocate to the cache.
+#      <ncache>: The number of cache segments to use. If this value is set to
+#          0 or 1 then Berkeley DB will try to allocate one contiguous section
+#          of memory for the cache. If this value is greater than 1, the cache
+#          will be split into that number of segments.
+%if %%getVar('import_slapadd', 'no') != 'no'
+set_cachesize   2       0        1
+%else
+set_cachesize   %%db_cache_size_g   %%db_cache_size_o    %%db_cache_chunks
+%end if
+
+# Sets the database startup flags.
+#
+# set_flags <flag>
+#   There are various flag options that may be set. The DB_TXN_NOSYNC flag
+#   tells the database not to immediately flush transaction buffers to disk.
+#   Setting this flag can help speed up database access during periods of
+#   database write activity BUT at expense of data safety. Enable it only
+#   to load data with slapadd, while slapd is not running.
+%if %%getVar('import_slapadd', 'no') != 'no'
+set_flags       DB_TXN_NOSYNC
+%end if
+
+# Data Directory
+#set_data_dir db
+
+# Set the maximum in memory cache in <bytes> for database file name caching.
+#
+# set_lg_regionmax <bytes>
+#   This value should be increased as the number of database files increases
+#   (tables and indexes).
+set_lg_regionmax %%db_log_region_max
+#
+# Set the maximum size of log files in <bytes>.
+#
+# set_lg_max <bytes>
+#   Logs will be rotated when <bytes> amount of data have been written to
+#   one log file. This value should be at least four times the size of
+#   set_lg_bsize.
+#set_lg_max              10485760
+set_lg_max   %%db_log_max
+
+# Set the in memory cache for log information.
+#
+# set_lg_bsize <bytes>
+#   When <bytes> amount of logging information have been written to this
+#   cache it will be flushed to disk.
+set_lg_bsize %%db_log_bsize
+
+# Set the log file directory to <directory>.
+#
+# set_lg_dir              /usr/local/var/openldap-logs
+#   Log files should preferably be on a different disk than the
+#   database files. This both improves reliability (for disastrous
+#   recovery) and speed of the database.
+set_lg_dir %%db_log_directory
+
+# Number of objects that can be locked at the same time.
+set_lk_max_objects %%db_lk_max_objects
+# Number of locks (both requested and granted)
+set_lk_max_locks %%db_lk_max
+# Number of lockers
+set_lk_max_lockers %%db_lk_max_lockers
+
+# Purge automatique des logs
+set_flags       DB_LOG_AUTOREMOVE
diff --git a/seed/applicationservice/2022.03.08/openldap-server/templates/admin_ldap.pwd b/seed/applicationservice/2022.03.08/openldap-server/templates/admin_ldap.pwd
new file mode 100644
index 0000000..c8dab95
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/openldap-server/templates/admin_ldap.pwd
@@ -0,0 +1 @@
+%%ldap_admin_password%slurp
diff --git a/seed/applicationservice/2022.03.08/openldap-server/templates/config.ldif b/seed/applicationservice/2022.03.08/openldap-server/templates/config.ldif
new file mode 100644
index 0000000..d434f92
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/openldap-server/templates/config.ldif
@@ -0,0 +1,122 @@
+dn: cn=config
+objectClass: olcGlobal
+#olcLogLevel: %%ldap_loglevel
+olcTLSCertificateFile: /etc/pki/tls/certs/openldap.crt
+olcTLSCertificateKeyFile: /etc/pki/tls/private/openldap.key
+olcTLSCACertificateFile: /etc/pki/ca-trust/source/anchors/ca_LDAP.crt
+cn: config
+
+dn: cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: schema
+
+dn: cn={0}core,cn=schema,cn=config
+objectClass: olcSchemaConfig
+cn: {0}core
+olcAttributeTypes: {0}( 2.5.4.2 NAME 'knowledgeInformation' DESC 'RFC2256: knowledge information' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
+olcAttributeTypes: {1}( 2.5.4.4 NAME ( 'sn' 'surname' ) DESC 'RFC2256: last (family) name(s) for which the entity is known by' SUP name )
+olcAttributeTypes: {2}( 2.5.4.5 NAME 'serialNumber' DESC 'RFC2256: serial number of the entity' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )
+olcAttributeTypes: {3}( 2.5.4.6 NAME ( 'c' 'countryName' ) DESC 'RFC4519: two-letter ISO-3166 country code' SUP name SYNTAX 1.3.6.1.4.1.1466.115.121.1.11 SINGLE-VALUE )
+olcAttributeTypes: {4}( 2.5.4.7 NAME ( 'l' 'localityName' ) DESC 'RFC2256: locality which this object resides in' SUP name )
+olcAttributeTypes: {5}( 2.5.4.8 NAME ( 'st' 'stateOrProvinceName' ) DESC 'RFC2256: state or province which this object resides in' SUP name )
+olcAttributeTypes: {6}( 2.5.4.9 NAME ( 'street' 'streetAddress' ) DESC 'RFC2256: street address of this object' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+olcAttributeTypes: {7}( 2.5.4.10 NAME ( 'o' 'organizationName' ) DESC 'RFC2256: organization this object belongs to' SUP name )
+olcAttributeTypes: {8}( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' ) DESC 'RFC2256: organizational unit this object belongs to' SUP name )
+olcAttributeTypes: {9}( 2.5.4.12 NAME 'title' DESC 'RFC2256: title associated with the entity' SUP name )
+olcAttributeTypes: {10}( 2.5.4.14 NAME 'searchGuide' DESC 'RFC2256: search guide, deprecated by enhancedSearchGuide' SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 )
+olcAttributeTypes: {11}( 2.5.4.15 NAME 'businessCategory' DESC 'RFC2256: business category' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+olcAttributeTypes: {12}( 2.5.4.16 NAME 'postalAddress' DESC 'RFC2256: postal address' EQUALITY caseIgnoreListMatch SUBSTR caseIgnoreListSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
+olcAttributeTypes: {13}( 2.5.4.17 NAME 'postalCode' DESC 'RFC2256: postal code' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )
+olcAttributeTypes: {14}( 2.5.4.18 NAME 'postOfficeBox' DESC 'RFC2256: Post Office Box' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{40} )
+olcAttributeTypes: {15}( 2.5.4.19 NAME 'physicalDeliveryOfficeName' DESC 'RFC2256: Physical Delivery Office Name' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+olcAttributeTypes: {16}( 2.5.4.20 NAME 'telephoneNumber' DESC 'RFC2256: Telephone Number' EQUALITY telephoneNumberMatch SUBSTR telephoneNumberSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )
+olcAttributeTypes: {17}( 2.5.4.21 NAME 'telexNumber' DESC 'RFC2256: Telex Number' SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 )
+olcAttributeTypes: {18}( 2.5.4.22 NAME 'teletexTerminalIdentifier' DESC 'RFC2256: Teletex Terminal Identifier' SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 )
+olcAttributeTypes: {19}( 2.5.4.23 NAME ( 'facsimileTelephoneNumber' 'fax' ) DESC 'RFC2256: Facsimile (Fax) Telephone Number' SYNTAX 1.3.6.1.4.1.1466.115.121.1.22 )
+olcAttributeTypes: {20}( 2.5.4.24 NAME 'x121Address' DESC 'RFC2256: X.121 Address' EQUALITY numericStringMatch SUBSTR numericStringSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{15} )
+olcAttributeTypes: {21}( 2.5.4.25 NAME 'internationaliSDNNumber' DESC 'RFC2256: international ISDN number' EQUALITY numericStringMatch SUBSTR numericStringSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} )
+olcAttributeTypes: {22}( 2.5.4.26 NAME 'registeredAddress' DESC 'RFC2256: registered postal address' SUP postalAddress SYNTAX 1.3.6.1.4.1.1466.115.121.1.41 )
+olcAttributeTypes: {23}( 2.5.4.27 NAME 'destinationIndicator' DESC 'RFC2256: destination indicator' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} )
+olcAttributeTypes: {24}( 2.5.4.28 NAME 'preferredDeliveryMethod' DESC 'RFC2256: preferred delivery method' SYNTAX 1.3.6.1.4.1.1466.115.121.1.14 SINGLE-VALUE )
+olcAttributeTypes: {25}( 2.5.4.29 NAME 'presentationAddress' DESC 'RFC2256: presentation address' EQUALITY presentationAddressMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.43 SINGLE-VALUE )
+olcAttributeTypes: {26}( 2.5.4.30 NAME 'supportedApplicationContext' DESC 'RFC2256: supported application context' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 )
+olcAttributeTypes: {27}( 2.5.4.31 NAME 'member' DESC 'RFC2256: member of a group' SUP distinguishedName )
+olcAttributeTypes: {28}( 2.5.4.32 NAME 'owner' DESC 'RFC2256: owner (of the object)' SUP distinguishedName )
+olcAttributeTypes: {29}( 2.5.4.33 NAME 'roleOccupant' DESC 'RFC2256: occupant of role' SUP distinguishedName )
+olcAttributeTypes: {30}( 2.5.4.36 NAME 'userCertificate' DESC 'RFC2256: X.509 user certificate, use ;binary' EQUALITY certificateExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
+olcAttributeTypes: {31}( 2.5.4.37 NAME 'cACertificate' DESC 'RFC2256: X.509 CA certificate, use ;binary' EQUALITY certificateExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )
+olcAttributeTypes: {32}( 2.5.4.38 NAME 'authorityRevocationList' DESC 'RFC2256: X.509 authority revocation list, use ;binary' SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
+olcAttributeTypes: {33}( 2.5.4.39 NAME 'certificateRevocationList' DESC 'RFC2256: X.509 certificate revocation list, use ;binary' SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
+olcAttributeTypes: {34}( 2.5.4.40 NAME 'crossCertificatePair' DESC 'RFC2256: X.509 cross certificate pair, use ;binary' SYNTAX 1.3.6.1.4.1.1466.115.121.1.10 )
+olcAttributeTypes: {35}( 2.5.4.42 NAME ( 'givenName' 'gn' ) DESC 'RFC2256: first name(s) for which the entity is known by' SUP name )
+olcAttributeTypes: {36}( 2.5.4.43 NAME 'initials' DESC 'RFC2256: initials of some or all of names, but not the surname(s).' SUP name )
+olcAttributeTypes: {37}( 2.5.4.44 NAME 'generationQualifier' DESC 'RFC2256: name qualifier indicating a generation' SUP name )
+olcAttributeTypes: {38}( 2.5.4.45 NAME 'x500UniqueIdentifier' DESC 'RFC2256: X.500 unique identifier' EQUALITY bitStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.6 )
+olcAttributeTypes: {39}( 2.5.4.46 NAME 'dnQualifier' DESC 'RFC2256: DN qualifier' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
+olcAttributeTypes: {40}( 2.5.4.47 NAME 'enhancedSearchGuide' DESC 'RFC2256: enhanced search guide' SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 )
+olcAttributeTypes: {41}( 2.5.4.48 NAME 'protocolInformation' DESC 'RFC2256: protocol information' EQUALITY protocolInformationMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.42 )
+olcAttributeTypes: {42}( 2.5.4.50 NAME 'uniqueMember' DESC 'RFC2256: unique member of a group' EQUALITY uniqueMemberMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.34 )
+olcAttributeTypes: {43}( 2.5.4.51 NAME 'houseIdentifier' DESC 'RFC2256: house identifier' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
+olcAttributeTypes: {44}( 2.5.4.52 NAME 'supportedAlgorithms' DESC 'RFC2256: supported algorithms' SYNTAX 1.3.6.1.4.1.1466.115.121.1.49 )
+olcAttributeTypes: {45}( 2.5.4.53 NAME 'deltaRevocationList' DESC 'RFC2256: delta revocation list; use ;binary' SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
+olcAttributeTypes: {46}( 2.5.4.54 NAME 'dmdName' DESC 'RFC2256: name of DMD' SUP name )
+olcAttributeTypes: {47}( 2.5.4.65 NAME 'pseudonym' DESC 'X.520(4th): pseudonym for the object' SUP name )
+olcAttributeTypes: {48}( 0.9.2342.19200300.100.1.3 NAME ( 'mail' 'rfc822Mailbox' ) DESC 'RFC1274: RFC822 Mailbox'   EQUALITY caseIgnoreIA5Match   SUBSTR caseIgnoreIA5SubstringsMatch   SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
+olcAttributeTypes: {49}( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domainComponent' ) DESC 'RFC1274/2247: domain component' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
+olcAttributeTypes: {50}( 0.9.2342.19200300.100.1.37 NAME 'associatedDomain' DESC 'RFC1274: domain associated with object' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
+olcAttributeTypes: {51}( 1.2.840.113549.1.9.1 NAME ( 'email' 'emailAddress' 'pkcs9email' ) DESC 'RFC3280: legacy attribute for email addresses in DNs' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )
+olcObjectClasses: {0}( 2.5.6.2 NAME 'country' DESC 'RFC2256: a country' SUP top STRUCTURAL MUST c MAY ( searchGuide $ description ) )
+olcObjectClasses: {1}( 2.5.6.3 NAME 'locality' DESC 'RFC2256: a locality' SUP top STRUCTURAL MAY ( street $ seeAlso $ searchGuide $ st $ l $ description ) )
+olcObjectClasses: {2}( 2.5.6.4 NAME 'organization' DESC 'RFC2256: an organization' SUP top STRUCTURAL MUST o MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $  facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) )
+olcObjectClasses: {3}( 2.5.6.5 NAME 'organizationalUnit' DESC 'RFC2256: an organizational unit' SUP top STRUCTURAL MUST ou MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) )
+olcObjectClasses: {4}( 2.5.6.6 NAME 'person' DESC 'RFC2256: a person' SUP top STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )
+olcObjectClasses: {5}( 2.5.6.7 NAME 'organizationalPerson' DESC 'RFC2256: an organizational person' SUP person STRUCTURAL MAY ( title $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $  facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l ) )
+olcObjectClasses: {6}( 2.5.6.8 NAME 'organizationalRole' DESC 'RFC2256: an organizational role' SUP top STRUCTURAL MUST cn MAY ( x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ ou $ st $ l $ description ) )
+olcObjectClasses: {7}( 2.5.6.9 NAME 'groupOfNames' DESC 'RFC2256: a group of names (DNs)' SUP top STRUCTURAL MUST ( member $ cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
+olcObjectClasses: {8}( 2.5.6.10 NAME 'residentialPerson' DESC 'RFC2256: an residential person' SUP person STRUCTURAL MUST l MAY ( businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ preferredDeliveryMethod $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l ) )
+olcObjectClasses: {9}( 2.5.6.11 NAME 'applicationProcess' DESC 'RFC2256: an application process' SUP top STRUCTURAL MUST cn MAY ( seeAlso $ ou $ l $ description ) )
+olcObjectClasses: {10}( 2.5.6.12 NAME 'applicationEntity' DESC 'RFC2256: an application entity' SUP top STRUCTURAL MUST ( presentationAddress $ cn ) MAY ( supportedApplicationContext $ seeAlso $ ou $ o $ l $ description ) )
+olcObjectClasses: {11}( 2.5.6.13 NAME 'dSA' DESC 'RFC2256: a directory system agent (a server)' SUP applicationEntity STRUCTURAL MAY knowledgeInformation )
+olcObjectClasses: {12}( 2.5.6.14 NAME 'device' DESC 'RFC2256: a device' SUP top STRUCTURAL MUST cn MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ description ) )
+olcObjectClasses: {13}( 2.5.6.15 NAME 'strongAuthenticationUser' DESC 'RFC2256: a strong authentication user' SUP top AUXILIARY MUST userCertificate )
+olcObjectClasses: {14}( 2.5.6.16 NAME 'certificationAuthority' DESC 'RFC2256: a certificate authority' SUP top AUXILIARY MUST ( authorityRevocationList $ certificateRevocationList $ cACertificate ) MAY crossCertificatePair )
+olcObjectClasses: {15}( 2.5.6.17 NAME 'groupOfUniqueNames' DESC 'RFC2256: a group of unique names (DN and Unique Identifier)' SUP top STRUCTURAL MUST ( uniqueMember $ cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
+olcObjectClasses: {16}( 2.5.6.18 NAME 'userSecurityInformation' DESC 'RFC2256: a user security information' SUP top AUXILIARY MAY ( supportedAlgorithms ) )
+olcObjectClasses: {17}( 2.5.6.16.2 NAME 'certificationAuthority-V2' SUP certificationAuthority AUXILIARY MAY ( deltaRevocationList ) )
+olcObjectClasses: {18}( 2.5.6.19 NAME 'cRLDistributionPoint' SUP top STRUCTURAL MUST ( cn ) MAY ( certificateRevocationList $ authorityRevocationList $ deltaRevocationList ) )
+olcObjectClasses: {19}( 2.5.6.20 NAME 'dmd' SUP top STRUCTURAL MUST ( dmdName ) MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Address $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l $ description ) )
+olcObjectClasses: {20}( 2.5.6.21 NAME 'pkiUser' DESC 'RFC2587: a PKI user' SUP top AUXILIARY MAY userCertificate )
+olcObjectClasses: {21}( 2.5.6.22 NAME 'pkiCA' DESC 'RFC2587: PKI certificate authority' SUP top AUXILIARY MAY ( authorityRevocationList $ certificateRevocationList $ cACertificate $ crossCertificatePair ) )
+olcObjectClasses: {22}( 2.5.6.23 NAME 'deltaCRL' DESC 'RFC2587: PKI user' SUP top AUXILIARY MAY deltaRevocationList )
+olcObjectClasses: {23}( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject' DESC 'RFC2079: object that contains the URI attribute type' MAY ( labeledURI ) SUP top AUXILIARY )
+olcObjectClasses: {24}( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject' DESC 'RFC1274: simple security object' SUP top AUXILIARY MUST userPassword )
+olcObjectClasses: {25}( 1.3.6.1.4.1.1466.344 NAME 'dcObject' DESC 'RFC2247: domain component object' SUP top AUXILIARY MUST dc )
+olcObjectClasses: {26}( 1.3.6.1.1.3.1 NAME 'uidObject' DESC 'RFC2377: uid object' SUP top AUXILIARY MUST uid )
+
+dn: olcDatabase={-1}frontend,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: {-1}frontend
+
+dn: olcDatabase={0}config,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: {0}config
+olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="%%ldap_admin_dn" write by * none
+
+dn: olcDatabase={1}monitor,cn=config
+objectClass: olcDatabaseConfig
+olcDatabase: {1}monitor
+olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by * none
+
+dn: olcDatabase={2}mdb,cn=config
+objectClass: olcDatabaseConfig
+objectClass: olcMdbConfig
+olcDatabase: {2}mdb
+olcDbDirectory: /srv/openldap
+olcRootDN: %%ldap_admin_dn
+olcRootPW:: %%ssha_encode(%%ldap_admin_password)
+olcSuffix: %%ldap_base_dn
+olcSizeLimit: %%ldap_sizelimit
+olcTimeLimit: %%ldap_timelimit
+%for %%attribute in %%ldap_index_attribute
+olcDbIndex: %%attribute %echo ','.join(%%attribute.ldap_index_indices)
+%end for
diff --git a/seed/applicationservice/2022.03.08/openldap-server/templates/config_acl.ldif b/seed/applicationservice/2022.03.08/openldap-server/templates/config_acl.ldif
new file mode 100644
index 0000000..1eaefdd
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/openldap-server/templates/config_acl.ldif
@@ -0,0 +1,25 @@
+dn: olcDatabase={2}mdb,cn=config
+changetype:modify
+replace: olcAccess
+olcAccess: {0}to attrs=userPassword
+    by self write
+    by anonymous auth
+    by * none
+olcAccess: {1}to dn.subtree="ou=users,%%ldap_base_dn"
+    by self read
+%set %%aclidx = 1
+%for %%remote in %%accounts.remotes
+ %set %%name = %%normalize_family(%%remote)
+    by dn="%%accounts['remote_' + %%name]['dn_' + %%name]" %slurp
+ %if %%accounts['remote_' + %%name]['read_only_' + %%name]
+read%slurp
+ %else
+write%slurp
+ %end if
+%end for
+
+    by * none
+%for %%idx, %%acl in %%enumerate(%%accounts.acl.ldap_acl_attribute)
+ %set %%aclidx += 1
+olcAccess: {%%aclidx}to %%acl %echo ' '.join(%%acl.ldap_acl_rights)
+%end for
diff --git a/seed/applicationservice/2022.03.08/openldap-server/templates/default.slapd b/seed/applicationservice/2022.03.08/openldap-server/templates/default.slapd
new file mode 100644
index 0000000..d8a0544
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/openldap-server/templates/default.slapd
@@ -0,0 +1,48 @@
+# Location of the slapd configuration to use.  If using the cn=config
+# backend to store configuration in LDIF, set this variable to the
+# directory containing the cn=config data; otherwise set it to the location
+# of your slapd.conf file.  If empty, use the compiled-in default
+# (/etc/ldap/slapd.d).
+SLAPD_CONF="/etc/ldap/slapd.conf"
+
+# System account to run the slapd server under. If empty the server
+# will run as root.
+SLAPD_USER="openldap"
+
+# System group to run the slapd server under. If empty the server will
+# run in the primary group of its user.
+SLAPD_GROUP="openldap"
+
+# Path to the pid file of the slapd server. If not set the init.d script
+# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by
+# default)
+SLAPD_PIDFILE=
+
+# slapd normally serves ldap only on all TCP-ports 389. slapd can also
+# service requests on TCP-port 636 (ldaps) and requests via unix
+# sockets.
+# Example usage:
+# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
+SLAPD_SERVICES="ldaps:///"
+
+# If SLAPD_NO_START is set, the init script will not start or restart
+# slapd (but stop will still work).  Uncomment this if you are
+# starting slapd via some other means or if you don't want slapd normally
+# started at boot.
+#SLAPD_NO_START=1
+
+# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
+# the init script will not start or restart slapd (but stop will still
+# work).  Use this for temporarily disabling startup of slapd (when doing
+# maintenance, for example, or through a configuration management system)
+# when you don't want to edit a configuration file.
+SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
+
+# For Kerberos authentication (via SASL), slapd by default uses the system
+# keytab file (/etc/krb5.keytab).  To use a different keytab file,
+# uncomment this line and change the path.
+#export KRB5_KTNAME=/etc/krb5.keytab
+
+# Additional options to pass to slapd
+SLAPD_OPTIONS=""
+
diff --git a/seed/applicationservice/2022.03.08/openldap-server/templates/openldap.crt b/seed/applicationservice/2022.03.08/openldap-server/templates/openldap.crt
new file mode 100644
index 0000000..e53ea99
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/openldap-server/templates/openldap.crt
@@ -0,0 +1,5 @@
+%set %%extra_domainnames = []
+%for %%idx in %%range(1, %%number_of_interfaces)
+  %%extra_domainnames.append(%%getVar('domain_name_eth' + %%str(%%idx)))
+%end for
+%%get_certificate(%%domain_name_eth0, 'LDAP', extra_domainnames=%%extra_domainnames)
diff --git a/seed/applicationservice/2022.03.08/openldap-server/templates/openldap.key b/seed/applicationservice/2022.03.08/openldap-server/templates/openldap.key
new file mode 100644
index 0000000..3f464d0
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/openldap-server/templates/openldap.key
@@ -0,0 +1 @@
+%%get_private_key(%%domain_name_eth0, 'LDAP')
diff --git a/seed/applicationservice/2022.03.08/openldap-server/templates/replication.conf b/seed/applicationservice/2022.03.08/openldap-server/templates/replication.conf
new file mode 100644
index 0000000..792d600
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/openldap-server/templates/replication.conf
@@ -0,0 +1 @@
+#
diff --git a/seed/applicationservice/2022.03.08/openldap-server/templates/risotto-openldap.conf b/seed/applicationservice/2022.03.08/openldap-server/templates/risotto-openldap.conf
new file mode 100644
index 0000000..2ab5717
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/openldap-server/templates/risotto-openldap.conf
@@ -0,0 +1,2 @@
+g     ldap       55
+u     ldap       55:55                "OpenLDAP server"     /var/lib/ldap
diff --git a/seed/applicationservice/2022.03.08/openldap-server/templates/slapd.service b/seed/applicationservice/2022.03.08/openldap-server/templates/slapd.service
new file mode 100644
index 0000000..81a6049
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/openldap-server/templates/slapd.service
@@ -0,0 +1,15 @@
+[Service]
+ExecStartPre=
+ExecStartPre=-/usr/sbin/slapadd -F /etc/openldap/slapd.d -v -b cn=config -l /usr/local/lib/secrets/config.ldif
+%for %%schema in %%ldap_schemas
+ExecStartPre=-/usr/sbin/slapadd -F /etc/openldap/slapd.d -v -b cn=config -l %%schema
+%end for
+ExecStartPre=-/usr/sbin/slapadd -F /etc/openldap/slapd.d -c -v -l /usr/local/lib/secrets/users.ldif
+User=ldap
+Group=ldap
+ExecStart=
+# remove none tls port
+ExecStart=+/usr/sbin/slapd -u ldap -h ldaps:///
+#waiting for ldap server...
+ExecStartPost=/usr/bin/timeout 90 sh -c 'while ! 3<> /dev/tcp/localhost/%%ldap_port; do sleep 1; done'
+ExecStartPost=-/usr/bin/ldapmodify -D %%ldap_admin_dn -y /usr/local/lib/secrets/admin_ldap.pwd -v -f /usr/local/lib/secrets/config_acl.ldif
diff --git a/seed/applicationservice/2022.03.08/openldap-server/templates/tmpfile-openldap-server.conf b/seed/applicationservice/2022.03.08/openldap-server/templates/tmpfile-openldap-server.conf
new file mode 100644
index 0000000..d08deaf
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/openldap-server/templates/tmpfile-openldap-server.conf
@@ -0,0 +1,2 @@
+d /srv/openldap 700 ldap ldap - -
+d /etc/openldap/slapd.d 750 ldap ldap - -
diff --git a/seed/applicationservice/2022.03.08/openldap-server/templates/users.ldif b/seed/applicationservice/2022.03.08/openldap-server/templates/users.ldif
new file mode 100644
index 0000000..e21193a
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/openldap-server/templates/users.ldif
@@ -0,0 +1,42 @@
+# BaseDN
+dn: %%ldap_base_dn
+%set %%attribute, %%organization = %%ldap_base_dn.split(',', 1)[0].split('=')
+%%attribute: %%organization
+objectClass: top
+%if %%attribute == 'o'
+objectClass: organization
+%else
+objectClass: organizationalUnit
+%end if
+
+# Remote
+%for %%remote in %%accounts.remotes
+ %set %%name = %%normalize_family(%%remote)
+dn: %%accounts['remote_' + %%name]['dn_' + %%name]
+cn: %%remote
+sn: %%remote
+uid: %%remote
+userPassword:: %%ssha_encode(%%accounts['remote_' + %%name]['password_' + %%name])
+objectClass: top
+objectClass: inetOrgPerson
+
+%end for
+dn: ou=users,%%ldap_base_dn
+ou: users
+objectClass: top
+objectClass: organizationalUnit
+
+# Users
+%for %%user in %%accounts.users.ldap_user_mail
+dn: cn=%%user,ou=users,%%ldap_base_dn
+cn: %%user
+mail: %%user
+sn: %%user.ldap_user_sn
+givenName: %%user.ldap_user_gn
+uid: %%user.ldap_user_uid
+#%%user.ldap_user_password
+userPassword:: %%ssha_encode(%%user.ldap_user_password)
+objectClass: top
+objectClass: inetOrgPerson
+
+%end for
diff --git a/seed/applicationservice/2022.03.08/php-fpm/applicationservice.yml b/seed/applicationservice/2022.03.08/php-fpm/applicationservice.yml
new file mode 100644
index 0000000..a829932
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/php-fpm/applicationservice.yml
@@ -0,0 +1,5 @@
+format: '0.1'
+description: PHP FPM
+depends:
+  - base-fedora-35
+  - php
diff --git a/seed/applicationservice/2022.03.08/php-fpm/dictionaries/20_phpfpm.xml b/seed/applicationservice/2022.03.08/php-fpm/dictionaries/20_phpfpm.xml
new file mode 100644
index 0000000..520e571
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/php-fpm/dictionaries/20_phpfpm.xml
@@ -0,0 +1,10 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name="php-fpm">
+      <file engine="none">/etc/php-fpm.conf</file>
+      <file engine="none" source="sysuser-phpfpm.conf">/sysusers.d/phpfpm.conf</file>
+      <file engine="none" source="tmpfile-phpfpm.conf">/tmpfiles.d/0phpfpm.conf</file>
+    </service>
+  </services>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/php-fpm/templates/php-fpm.conf b/seed/applicationservice/2022.03.08/php-fpm/templates/php-fpm.conf
new file mode 100644
index 0000000..d9a1847
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/php-fpm/templates/php-fpm.conf
@@ -0,0 +1,137 @@
+;;;;;;;;;;;;;;;;;;;;;
+; FPM Configuration ;
+;;;;;;;;;;;;;;;;;;;;;
+
+; All relative paths in this configuration file are relative to PHP's install
+; prefix.
+
+; Include one or more files. If glob(3) exists, it is used to include a bunch of
+; files from a glob(3) pattern. This directive can be used everywhere in the
+; file.
+include=/etc/php-fpm.d/*.conf
+
+;;;;;;;;;;;;;;;;;;
+; Global Options ;
+;;;;;;;;;;;;;;;;;;
+
+[global]
+; Pid file
+; Default Value: none
+pid = /run/php-fpm/php-fpm.pid
+
+; Error log file
+; If it's set to "syslog", log is sent to syslogd instead of being written
+; in a local file.
+; Default Value: /var/log/php-fpm.log
+; GNUNUX error_log = /var/log/php-fpm/error.log
+error_log = syslog
+
+; syslog_facility is used to specify what type of program is logging the
+; message. This lets syslogd specify that messages from different facilities
+; will be handled differently.
+; See syslog(3) for possible values (ex daemon equiv LOG_DAEMON)
+; Default Value: daemon
+;syslog.facility = daemon
+
+; syslog_ident is prepended to every message. If you have multiple FPM
+; instances running on the same server, you can change the default value
+; which must suit common needs.
+; Default Value: php-fpm
+;syslog.ident = php-fpm
+
+; Log level
+; Possible Values: alert, error, warning, notice, debug
+; Default Value: notice
+;log_level = notice
+
+; Log limit on number of characters in the single line (log entry). If the
+; line is over the limit, it is wrapped on multiple lines. The limit is for
+; all logged characters including message prefix and suffix if present. However
+; the new line character does not count into it as it is present only when
+; logging to a file descriptor. It means the new line character is not present
+; when logging to syslog.
+; Default Value: 1024
+;log_limit = 4096
+
+; Log buffering specifies if the log line is buffered which means that the
+; line is written in a single write operation. If the value is false, then the
+; data is written directly into the file descriptor. It is an experimental
+; option that can potentionaly improve logging performance and memory usage
+; for some heavy logging scenarios. This option is ignored if logging to syslog
+; as it has to be always buffered.
+; Default value: yes
+;log_buffering = no
+
+; If this number of child processes exit with SIGSEGV or SIGBUS within the time
+; interval set by emergency_restart_interval then FPM will restart. A value
+; of '0' means 'Off'.
+; Default Value: 0
+;emergency_restart_threshold = 0
+
+; Interval of time used by emergency_restart_interval to determine when
+; a graceful restart will be initiated.  This can be useful to work around
+; accidental corruptions in an accelerator's shared memory.
+; Available Units: s(econds), m(inutes), h(ours), or d(ays)
+; Default Unit: seconds
+; Default Value: 0
+;emergency_restart_interval = 0
+
+; Time limit for child processes to wait for a reaction on signals from master.
+; Available units: s(econds), m(inutes), h(ours), or d(ays)
+; Default Unit: seconds
+; Default Value: 0
+;process_control_timeout = 0
+
+; The maximum number of processes FPM will fork. This has been designed to control
+; the global number of processes when using dynamic PM within a lot of pools.
+; Use it with caution.
+; Note: A value of 0 indicates no limit
+; Default Value: 0
+;process.max = 128
+
+; Specify the nice(2) priority to apply to the master process (only if set)
+; The value can vary from -19 (highest priority) to 20 (lowest priority)
+; Note: - It will only work if the FPM master process is launched as root
+;       - The pool process will inherit the master process priority
+;         unless specified otherwise
+; Default Value: no set
+;process.priority = -19
+
+; Send FPM to background. Set to 'no' to keep FPM in foreground for debugging.
+; Default Value: yes
+daemonize = yes
+
+; Set open file descriptor rlimit for the master process.
+; Default Value: system defined value
+;rlimit_files = 1024
+
+; Set max core size rlimit for the master process.
+; Possible Values: 'unlimited' or an integer greater or equal to 0
+; Default Value: system defined value
+;rlimit_core = 0
+
+; Specify the event mechanism FPM will use. The following is available:
+; - select     (any POSIX os)
+; - poll       (any POSIX os)
+; - epoll      (linux >= 2.5.44)
+; Default Value: not set (auto detection)
+;events.mechanism = epoll
+
+; When FPM is built with systemd integration, specify the interval,
+; in seconds, between health report notification to systemd.
+; Set to 0 to disable.
+; Available Units: s(econds), m(inutes), h(ours)
+; Default Unit: seconds
+; Default value: 10
+;systemd_interval = 10
+
+;;;;;;;;;;;;;;;;;;;;
+; Pool Definitions ;
+;;;;;;;;;;;;;;;;;;;;
+
+; Multiple pools of child processes may be started with different listening
+; ports and different management options.  The name of the pool will be
+; used in logs and stats. There is no limitation on the number of pools which
+; FPM can handle. Your system will tell you anyway :)
+
+; See /etc/php-fpm.d/*.conf
diff --git a/seed/applicationservice/2022.03.08/php-fpm/templates/sysuser-phpfpm.conf b/seed/applicationservice/2022.03.08/php-fpm/templates/sysuser-phpfpm.conf
new file mode 100644
index 0000000..d188758
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/php-fpm/templates/sysuser-phpfpm.conf
@@ -0,0 +1,2 @@
+g nginx 984 -
+u nginx 986:984     "Nginx web server" /var/lib/nginx /sbin/nologin
diff --git a/seed/applicationservice/2022.03.08/php-fpm/templates/tmpfile-phpfpm.conf b/seed/applicationservice/2022.03.08/php-fpm/templates/tmpfile-phpfpm.conf
new file mode 100644
index 0000000..ad78522
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/php-fpm/templates/tmpfile-phpfpm.conf
@@ -0,0 +1 @@
+d /var/lib/php/session 770 root apache - -
diff --git a/seed/applicationservice/2022.03.08/php/applicationservice.yml b/seed/applicationservice/2022.03.08/php/applicationservice.yml
new file mode 100644
index 0000000..b097efd
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/php/applicationservice.yml
@@ -0,0 +1,4 @@
+format: '0.1'
+description: PHP configuration
+depends:
+  - apache
diff --git a/seed/applicationservice/2022.03.08/php/dictionaries/20_php.xml b/seed/applicationservice/2022.03.08/php/dictionaries/20_php.xml
new file mode 100644
index 0000000..d985cec
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/php/dictionaries/20_php.xml
@@ -0,0 +1,45 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name="php" manage="False">
+      <file>/etc/php.ini</file>
+    </service>
+  </services>
+  <variables>
+    <family name="php" description="PHP" mode="expert" help="Paramètrage avancé de PHP">
+      <variable name="php_post_max_size" type="number" description="Taille maximale des données reçues par la méthode POST (en Mo)">
+        <value>32</value>
+      </variable>
+      <variable name="php_upload_max_filesize" type="number" description="Taille maximale d'un fichier à charger (en Mo)">
+        <value>16</value>
+      </variable>
+      <variable name="php_max_execution_time" type="number" description="Temps maximal d'exécution d'un script (en secondes)">
+        <value>30</value>
+      </variable>
+      <variable name="php_max_input_time" type="number" description="Durée maximale pour analyser les données d'entrée (en secondes)">
+        <value>60</value>
+      </variable>
+      <variable name="php_memory_limit" type="number" description="Taille mémoire maximale qu'un script est autorisé à allouer (en Mo)">
+        <value>512</value>
+      </variable>
+      <variable name="php_display_errors" type="boolean" description="Affichage des erreurs à l'écran">
+        <value>False</value>
+      </variable>
+      <variable name="php_session_gc_maxlifetime" type="number" description="Durée de vie des données sur le serveur (en secondes)">
+        <value>3600</value>
+      </variable>
+      <variable name="php_browscap" type="boolean" description="Activer la directive de configuration browscap" help="La directive de configuration browscap permet d'obtenir plus d'information sur les capacités du navigateur client grâce à la fonction get_browser()">
+        <value>False</value>
+      </variable>
+      <variable name="time_zone" type="string" description="Fuseau horaire">
+        <value>Europe/Paris</value>
+      </variable>
+      <variable name="php_enable_output_buffering" type="boolean" description="Activer les tampons de sortie">
+        <value>True</value>
+      </variable>
+      <variable name="php_disable_pcntl" type="boolean" description="Désactiver PCNTL">
+        <value>True</value>
+      </variable>
+    </family>
+  </variables>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/php/templates/php.ini b/seed/applicationservice/2022.03.08/php/templates/php.ini
new file mode 100644
index 0000000..8dcd9a7
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/php/templates/php.ini
@@ -0,0 +1,1965 @@
+[PHP]
+
+;;;;;;;;;;;;;;;;;;;
+; About php.ini   ;
+;;;;;;;;;;;;;;;;;;;
+; PHP's initialization file, generally called php.ini, is responsible for
+; configuring many of the aspects of PHP's behavior.
+
+; PHP attempts to find and load this configuration from a number of locations.
+; The following is a summary of its search order:
+; 1. SAPI module specific location.
+; 2. The PHPRC environment variable. (As of PHP 5.2.0)
+; 3. A number of predefined registry keys on Windows (As of PHP 5.2.0)
+; 4. Current working directory (except CLI)
+; 5. The web server's directory (for SAPI modules), or directory of PHP
+; (otherwise in Windows)
+; 6. The directory from the --with-config-file-path compile time option, or the
+; Windows directory (usually C:\windows)
+; See the PHP docs for more specific information.
+; http://php.net/configuration.file
+
+; The syntax of the file is extremely simple.  Whitespace and lines
+; beginning with a semicolon are silently ignored (as you probably guessed).
+; Section headers (e.g. [Foo]) are also silently ignored, even though
+; they might mean something in the future.
+
+; Directives following the section heading [PATH=/www/mysite] only
+; apply to PHP files in the /www/mysite directory.  Directives
+; following the section heading [HOST=www.example.com] only apply to
+; PHP files served from www.example.com.  Directives set in these
+; special sections cannot be overridden by user-defined INI files or
+; at runtime. Currently, [PATH=] and [HOST=] sections only work under
+; CGI/FastCGI.
+; http://php.net/ini.sections
+
+; Directives are specified using the following syntax:
+; directive = value
+; Directive names are *case sensitive* - foo=bar is different from FOO=bar.
+; Directives are variables used to configure PHP or PHP extensions.
+; There is no name validation.  If PHP can't find an expected
+; directive because it is not set or is mistyped, a default value will be used.
+
+; The value can be a string, a number, a PHP constant (e.g. E_ALL or M_PI), one
+; of the INI constants (On, Off, True, False, Yes, No and None) or an expression
+; (e.g. E_ALL & ~E_NOTICE), a quoted string ("bar"), or a reference to a
+; previously set variable or directive (e.g. ${foo})
+
+; Expressions in the INI file are limited to bitwise operators and parentheses:
+; |  bitwise OR
+; ^  bitwise XOR
+; &  bitwise AND
+; ~  bitwise NOT
+; !  boolean NOT
+
+; Boolean flags can be turned on using the values 1, On, True or Yes.
+; They can be turned off using the values 0, Off, False or No.
+
+; An empty string can be denoted by simply not writing anything after the equal
+; sign, or by using the None keyword:
+
+; foo =         ; sets foo to an empty string
+; foo = None    ; sets foo to an empty string
+; foo = "None"  ; sets foo to the string 'None'
+
+; If you use constants in your value, and these constants belong to a
+; dynamically loaded extension (either a PHP extension or a Zend extension),
+; you may only use these constants *after* the line that loads the extension.
+
+;;;;;;;;;;;;;;;;;;;
+; About this file ;
+;;;;;;;;;;;;;;;;;;;
+; PHP comes packaged with two INI files. One that is recommended to be used
+; in production environments and one that is recommended to be used in
+; development environments.
+
+; php.ini-production contains settings which hold security, performance and
+; best practices at its core. But please be aware, these settings may break
+; compatibility with older or less security conscience applications. We
+; recommending using the production ini in production and testing environments.
+
+; php.ini-development is very similar to its production variant, except it is
+; much more verbose when it comes to errors. We recommend using the
+; development version only in development environments, as errors shown to
+; application users can inadvertently leak otherwise secure information.
+
+; This is the php.ini-production INI file.
+
+;;;;;;;;;;;;;;;;;;;
+; Quick Reference ;
+;;;;;;;;;;;;;;;;;;;
+; The following are all the settings which are different in either the production
+; or development versions of the INIs with respect to PHP's default behavior.
+; Please see the actual settings later in the document for more details as to why
+; we recommend these changes in PHP's behavior.
+
+; display_errors
+;   Default Value: On
+;   Development Value: On
+;   Production Value: Off
+
+; display_startup_errors
+;   Default Value: Off
+;   Development Value: On
+;   Production Value: Off
+
+; error_reporting
+;   Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED
+;   Development Value: E_ALL
+;   Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT
+
+; log_errors
+;   Default Value: Off
+;   Development Value: On
+;   Production Value: On
+
+; max_input_time
+;   Default Value: -1 (Unlimited)
+;   Development Value: 60 (60 seconds)
+;   Production Value: 60 (60 seconds)
+
+; output_buffering
+;   Default Value: Off
+;   Development Value: 4096
+;   Production Value: 4096
+
+; register_argc_argv
+;   Default Value: On
+;   Development Value: Off
+;   Production Value: Off
+
+; request_order
+;   Default Value: None
+;   Development Value: "GP"
+;   Production Value: "GP"
+
+; session.gc_divisor
+;   Default Value: 100
+;   Development Value: 1000
+;   Production Value: 1000
+
+; session.sid_bits_per_character
+;   Default Value: 4
+;   Development Value: 5
+;   Production Value: 5
+
+; short_open_tag
+;   Default Value: On
+;   Development Value: Off
+;   Production Value: Off
+
+; variables_order
+;   Default Value: "EGPCS"
+;   Development Value: "GPCS"
+;   Production Value: "GPCS"
+
+;;;;;;;;;;;;;;;;;;;;
+; php.ini Options  ;
+;;;;;;;;;;;;;;;;;;;;
+; Name for user-defined php.ini (.htaccess) files. Default is ".user.ini"
+;user_ini.filename = ".user.ini"
+
+; To disable this feature set this option to an empty value
+;user_ini.filename =
+
+; TTL for user-defined php.ini files (time-to-live) in seconds. Default is 300 seconds (5 minutes)
+;user_ini.cache_ttl = 300
+
+;;;;;;;;;;;;;;;;;;;;
+; Language Options ;
+;;;;;;;;;;;;;;;;;;;;
+
+; Enable the PHP scripting language engine under Apache.
+; http://php.net/engine
+engine = On
+
+; This directive determines whether or not PHP will recognize code between
+; <? and ?> tags as PHP source which should be processed as such. It is
+; generally recommended that <?php and ?> should be used and that this feature
+; should be disabled, as enabling it may result in issues when generating XML
+; documents, however this remains supported for backward compatibility reasons.
+; Note that this directive does not control the <?= shorthand tag, which can be
+; used regardless of this directive.
+; Default Value: On
+; Development Value: Off
+; Production Value: Off
+; http://php.net/short-open-tag
+short_open_tag = Off
+
+; The number of significant digits displayed in floating point numbers.
+; http://php.net/precision
+precision = 14
+
+; Output buffering is a mechanism for controlling how much output data
+; (excluding headers and cookies) PHP should keep internally before pushing that
+; data to the client. If your application's output exceeds this setting, PHP
+; will send that data in chunks of roughly the size you specify.
+; Turning on this setting and managing its maximum buffer size can yield some
+; interesting side-effects depending on your application and web server.
+; You may be able to send headers and cookies after you've already sent output
+; through print or echo. You also may see performance benefits if your server is
+; emitting less packets due to buffered output versus PHP streaming the output
+; as it gets it. On production servers, 4096 bytes is a good setting for performance
+; reasons.
+; Note: Output buffering can also be controlled via Output Buffering Control
+;   functions.
+; Possible Values:
+;   On = Enabled and buffer is unlimited. (Use with caution)
+;   Off = Disabled
+;   Integer = Enables the buffer and sets its maximum size in bytes.
+; Note: This directive is hardcoded to Off for the CLI SAPI
+; Default Value: Off
+; Development Value: 4096
+; Production Value: 4096
+; http://php.net/output-buffering
+%if %%php_enable_output_buffering
+output_buffering = 4096
+%end if
+
+; You can redirect all of the output of your scripts to a function.  For
+; example, if you set output_handler to "mb_output_handler", character
+; encoding will be transparently converted to the specified encoding.
+; Setting any output handler automatically turns on output buffering.
+; Note: People who wrote portable scripts should not depend on this ini
+;   directive. Instead, explicitly set the output handler using ob_start().
+;   Using this ini directive may cause problems unless you know what script
+;   is doing.
+; Note: You cannot use both "mb_output_handler" with "ob_iconv_handler"
+;   and you cannot use both "ob_gzhandler" and "zlib.output_compression".
+; Note: output_handler must be empty if this is set 'On' !!!!
+;   Instead you must use zlib.output_handler.
+; http://php.net/output-handler
+;output_handler =
+
+; URL rewriter function rewrites URL on the fly by using
+; output buffer. You can set target tags by this configuration.
+; "form" tag is special tag. It will add hidden input tag to pass values.
+; Refer to session.trans_sid_tags for usage.
+; Default Value: "form="
+; Development Value: "form="
+; Production Value: "form="
+;url_rewriter.tags
+
+; URL rewriter will not rewrite absolute URL nor form by default. To enable
+; absolute URL rewrite, allowed hosts must be defined at RUNTIME.
+; Refer to session.trans_sid_hosts for more details.
+; Default Value: ""
+; Development Value: ""
+; Production Value: ""
+;url_rewriter.hosts
+
+; Transparent output compression using the zlib library
+; Valid values for this option are 'off', 'on', or a specific buffer size
+; to be used for compression (default is 4KB)
+; Note: Resulting chunk size may vary due to nature of compression. PHP
+;   outputs chunks that are few hundreds bytes each as a result of
+;   compression. If you prefer a larger chunk size for better
+;   performance, enable output_buffering in addition.
+; Note: You need to use zlib.output_handler instead of the standard
+;   output_handler, or otherwise the output will be corrupted.
+; http://php.net/zlib.output-compression
+zlib.output_compression = Off
+
+; http://php.net/zlib.output-compression-level
+;zlib.output_compression_level = -1
+
+; You cannot specify additional output handlers if zlib.output_compression
+; is activated here. This setting does the same as output_handler but in
+; a different order.
+; http://php.net/zlib.output-handler
+;zlib.output_handler =
+
+; Implicit flush tells PHP to tell the output layer to flush itself
+; automatically after every output block.  This is equivalent to calling the
+; PHP function flush() after each and every call to print() or echo() and each
+; and every HTML block.  Turning this option on has serious performance
+; implications and is generally recommended for debugging purposes only.
+; http://php.net/implicit-flush
+; Note: This directive is hardcoded to On for the CLI SAPI
+implicit_flush = Off
+
+; The unserialize callback function will be called (with the undefined class'
+; name as parameter), if the unserializer finds an undefined class
+; which should be instantiated. A warning appears if the specified function is
+; not defined, or if the function doesn't include/implement the missing class.
+; So only set this entry, if you really want to implement such a
+; callback-function.
+unserialize_callback_func =
+
+; The unserialize_max_depth specifies the default depth limit for unserialized
+; structures. Setting the depth limit too high may result in stack overflows
+; during unserialization. The unserialize_max_depth ini setting can be
+; overridden by the max_depth option on individual unserialize() calls.
+; A value of 0 disables the depth limit.
+;unserialize_max_depth = 4096
+
+; When floats & doubles are serialized, store serialize_precision significant
+; digits after the floating point. The default value ensures that when floats
+; are decoded with unserialize, the data will remain the same.
+; The value is also used for json_encode when encoding double values.
+; If -1 is used, then dtoa mode 0 is used which automatically select the best
+; precision.
+serialize_precision = -1
+
+; open_basedir, if set, limits all file operations to the defined directory
+; and below.  This directive makes most sense if used in a per-directory
+; or per-virtualhost web server configuration file.
+; Note: disables the realpath cache
+; http://php.net/open-basedir
+;open_basedir =
+
+; This directive allows you to disable certain functions for security reasons.
+; It receives a comma-delimited list of function names.
+; http://php.net/disable-functions
+%if %%php_disable_pcntl
+disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,
+%else
+disable_functions =
+%end if
+
+; This directive allows you to disable certain classes for security reasons.
+; It receives a comma-delimited list of class names.
+; http://php.net/disable-classes
+disable_classes =
+
+; Colors for Syntax Highlighting mode.  Anything that's acceptable in
+; <span style="color: ???????"> would work.
+; http://php.net/syntax-highlighting
+;highlight.string  = #DD0000
+;highlight.comment = #FF9900
+;highlight.keyword = #007700
+;highlight.default = #0000BB
+;highlight.html    = #000000
+
+; If enabled, the request will be allowed to complete even if the user aborts
+; the request. Consider enabling it if executing long requests, which may end up
+; being interrupted by the user or a browser timing out. PHP's default behavior
+; is to disable this feature.
+; http://php.net/ignore-user-abort
+;ignore_user_abort = On
+
+; Determines the size of the realpath cache to be used by PHP. This value should
+; be increased on systems where PHP opens many files to reflect the quantity of
+; the file operations performed.
+; Note: if open_basedir is set, the cache is disabled
+; http://php.net/realpath-cache-size
+;realpath_cache_size = 4096k
+
+; Duration of time, in seconds for which to cache realpath information for a given
+; file or directory. For systems with rarely changing files, consider increasing this
+; value.
+; http://php.net/realpath-cache-ttl
+;realpath_cache_ttl = 120
+
+; Enables or disables the circular reference collector.
+; http://php.net/zend.enable-gc
+zend.enable_gc = On
+
+; If enabled, scripts may be written in encodings that are incompatible with
+; the scanner.  CP936, Big5, CP949 and Shift_JIS are the examples of such
+; encodings.  To use this feature, mbstring extension must be enabled.
+; Default: Off
+;zend.multibyte = Off
+
+; Allows to set the default encoding for the scripts.  This value will be used
+; unless "declare(encoding=...)" directive appears at the top of the script.
+; Only affects if zend.multibyte is set.
+; Default: ""
+;zend.script_encoding =
+
+; Allows to include or exclude arguments from stack traces generated for exceptions
+; Default: Off
+; In production, it is recommended to turn this setting on to prohibit the output 
+; of sensitive information in stack traces
+zend.exception_ignore_args = On
+
+;;;;;;;;;;;;;;;;;
+; Miscellaneous ;
+;;;;;;;;;;;;;;;;;
+
+; Decides whether PHP may expose the fact that it is installed on the server
+; (e.g. by adding its signature to the Web server header).  It is no security
+; threat in any way, but it makes it possible to determine whether you use PHP
+; on your server or not.
+; http://php.net/expose-php
+expose_php = Off
+
+;;;;;;;;;;;;;;;;;;;
+; Resource Limits ;
+;;;;;;;;;;;;;;;;;;;
+
+; Maximum execution time of each script, in seconds
+; http://php.net/max-execution-time
+; Note: This directive is hardcoded to 0 for the CLI SAPI
+max_execution_time = %%php_max_execution_time
+
+; Maximum amount of time each script may spend parsing request data. It's a good
+; idea to limit this time on productions servers in order to eliminate unexpectedly
+; long running scripts.
+; Note: This directive is hardcoded to -1 for the CLI SAPI
+; Default Value: -1 (Unlimited)
+; Development Value: 60 (60 seconds)
+; Production Value: 60 (60 seconds)
+; http://php.net/max-input-time
+max_input_time = %%php_max_input_time
+
+; Maximum input variable nesting level
+; http://php.net/max-input-nesting-level
+;max_input_nesting_level = 64
+
+; How many GET/POST/COOKIE input variables may be accepted
+;max_input_vars = 1000
+
+; Maximum amount of memory a script may consume (128MB)
+; http://php.net/memory-limit
+memory_limit = %%{php_memory_limit}M
+
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+; Error handling and logging ;
+;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; This directive informs PHP of which errors, warnings and notices you would like
+; it to take action for. The recommended way of setting values for this
+; directive is through the use of the error level constants and bitwise
+; operators. The error level constants are below here for convenience as well as
+; some common settings and their meanings.
+; By default, PHP is set to take action on all errors, notices and warnings EXCEPT
+; those related to E_NOTICE and E_STRICT, which together cover best practices and
+; recommended coding standards in PHP. For performance reasons, this is the
+; recommend error reporting setting. Your production server shouldn't be wasting
+; resources complaining about best practices and coding standards. That's what
+; development servers and development settings are for.
+; Note: The php.ini-development file has this setting as E_ALL. This
+; means it pretty much reports everything which is exactly what you want during
+; development and early testing.
+;
+; Error Level Constants:
+; E_ALL             - All errors and warnings (includes E_STRICT as of PHP 5.4.0)
+; E_ERROR           - fatal run-time errors
+; E_RECOVERABLE_ERROR  - almost fatal run-time errors
+; E_WARNING         - run-time warnings (non-fatal errors)
+; E_PARSE           - compile-time parse errors
+; E_NOTICE          - run-time notices (these are warnings which often result
+;                     from a bug in your code, but it's possible that it was
+;                     intentional (e.g., using an uninitialized variable and
+;                     relying on the fact it is automatically initialized to an
+;                     empty string)
+; E_STRICT          - run-time notices, enable to have PHP suggest changes
+;                     to your code which will ensure the best interoperability
+;                     and forward compatibility of your code
+; E_CORE_ERROR      - fatal errors that occur during PHP's initial startup
+; E_CORE_WARNING    - warnings (non-fatal errors) that occur during PHP's
+;                     initial startup
+; E_COMPILE_ERROR   - fatal compile-time errors
+; E_COMPILE_WARNING - compile-time warnings (non-fatal errors)
+; E_USER_ERROR      - user-generated error message
+; E_USER_WARNING    - user-generated warning message
+; E_USER_NOTICE     - user-generated notice message
+; E_DEPRECATED      - warn about code that will not work in future versions
+;                     of PHP
+; E_USER_DEPRECATED - user-generated deprecation warnings
+;
+; Common Values:
+;   E_ALL (Show all errors, warnings and notices including coding standards.)
+;   E_ALL & ~E_NOTICE  (Show all errors, except for notices)
+;   E_ALL & ~E_NOTICE & ~E_STRICT  (Show all errors, except for notices and coding standards warnings.)
+;   E_COMPILE_ERROR|E_RECOVERABLE_ERROR|E_ERROR|E_CORE_ERROR  (Show only errors)
+; Default Value: E_ALL & ~E_NOTICE & ~E_STRICT & ~E_DEPRECATED
+; Development Value: E_ALL
+; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT
+; http://php.net/error-reporting
+error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+
+; This directive controls whether or not and where PHP will output errors,
+; notices and warnings too. Error output is very useful during development, but
+; it could be very dangerous in production environments. Depending on the code
+; which is triggering the error, sensitive information could potentially leak
+; out of your application such as database usernames and passwords or worse.
+; For production environments, we recommend logging errors rather than
+; sending them to STDOUT.
+; Possible Values:
+;   Off = Do not display any errors
+;   stderr = Display errors to STDERR (affects only CGI/CLI binaries!)
+;   On or stdout = Display errors to STDOUT
+; Default Value: On
+; Development Value: On
+; Production Value: Off
+; http://php.net/display-errors
+%if %%php_display_errors
+display_errors = On
+%else
+display_errors = Off
+%end if
+
+; The display of errors which occur during PHP's startup sequence are handled
+; separately from display_errors. PHP's default behavior is to suppress those
+; errors from clients. Turning the display of startup errors on can be useful in
+; debugging configuration problems. We strongly recommend you
+; set this to 'off' for production servers.
+; Default Value: Off
+; Development Value: On
+; Production Value: Off
+; http://php.net/display-startup-errors
+display_startup_errors = Off
+
+; Besides displaying errors, PHP can also log errors to locations such as a
+; server-specific log, STDERR, or a location specified by the error_log
+; directive found below. While errors should not be displayed on productions
+; servers they should still be monitored and logging is a great way to do that.
+; Default Value: Off
+; Development Value: On
+; Production Value: On
+; http://php.net/log-errors
+log_errors = On
+
+; Set maximum length of log_errors. In error_log information about the source is
+; added. The default is 1024 and 0 allows to not apply any maximum length at all.
+; http://php.net/log-errors-max-len
+log_errors_max_len = 1024
+
+; Do not log repeated messages. Repeated errors must occur in same file on same
+; line unless ignore_repeated_source is set true.
+; http://php.net/ignore-repeated-errors
+ignore_repeated_errors = Off
+
+; Ignore source of message when ignoring repeated messages. When this setting
+; is On you will not log errors with repeated messages from different files or
+; source lines.
+; http://php.net/ignore-repeated-source
+ignore_repeated_source = Off
+
+; If this parameter is set to Off, then memory leaks will not be shown (on
+; stdout or in the log). This is only effective in a debug compile, and if
+; error reporting includes E_WARNING in the allowed list
+; http://php.net/report-memleaks
+report_memleaks = On
+
+; This setting is on by default.
+;report_zend_debug = 0
+
+; Store the last error/warning message in $php_errormsg (boolean). Setting this value
+; to On can assist in debugging and is appropriate for development servers. It should
+; however be disabled on production servers.
+; This directive is DEPRECATED.
+; Default Value: Off
+; Development Value: Off
+; Production Value: Off
+; http://php.net/track-errors
+;track_errors = Off
+
+; Turn off normal error reporting and emit XML-RPC error XML
+; http://php.net/xmlrpc-errors
+;xmlrpc_errors = 0
+
+; An XML-RPC faultCode
+;xmlrpc_error_number = 0
+
+; When PHP displays or logs an error, it has the capability of formatting the
+; error message as HTML for easier reading. This directive controls whether
+; the error message is formatted as HTML or not.
+; Note: This directive is hardcoded to Off for the CLI SAPI
+; http://php.net/html-errors
+#CADOLES
+;html_errors = On
+html_errors = Off
+
+; If html_errors is set to On *and* docref_root is not empty, then PHP
+; produces clickable error messages that direct to a page describing the error
+; or function causing the error in detail.
+; You can download a copy of the PHP manual from http://php.net/docs
+; and change docref_root to the base URL of your local copy including the
+; leading '/'. You must also specify the file extension being used including
+; the dot. PHP's default behavior is to leave these settings empty, in which
+; case no links to documentation are generated.
+; Note: Never use this feature for production boxes.
+; http://php.net/docref-root
+; Examples
+;docref_root = "/phpmanual/"
+
+; http://php.net/docref-ext
+;docref_ext = .html
+
+; String to output before an error message. PHP's default behavior is to leave
+; this setting blank.
+; http://php.net/error-prepend-string
+; Example:
+;error_prepend_string = "<span style='color: #ff0000'>"
+
+; String to output after an error message. PHP's default behavior is to leave
+; this setting blank.
+; http://php.net/error-append-string
+; Example:
+;error_append_string = "</span>"
+
+; Log errors to specified file. PHP's default behavior is to leave this value
+; empty.
+; http://php.net/error-log
+; Example:
+;error_log = php_errors.log
+; Log errors to syslog (Event Log on Windows).
+;error_log = syslog
+
+; The syslog ident is a string which is prepended to every message logged
+; to syslog. Only used when error_log is set to syslog.
+;syslog.ident = php
+
+; The syslog facility is used to specify what type of program is logging
+; the message. Only used when error_log is set to syslog.
+;syslog.facility = user
+
+; Set this to disable filtering control characters (the default).
+; Some loggers only accept NVT-ASCII, others accept anything that's not
+; control characters. If your logger accepts everything, then no filtering
+; is needed at all.
+; Allowed values are:
+;   ascii (all printable ASCII characters and NL)
+;   no-ctrl (all characters except control characters)
+;   all (all characters)
+;   raw (like "all", but messages are not split at newlines)
+; http://php.net/syslog.filter
+;syslog.filter = ascii
+
+;windows.show_crt_warning
+; Default value: 0
+; Development value: 0
+; Production value: 0
+
+;;;;;;;;;;;;;;;;;
+; Data Handling ;
+;;;;;;;;;;;;;;;;;
+
+; The separator used in PHP generated URLs to separate arguments.
+; PHP's default setting is "&".
+; http://php.net/arg-separator.output
+; Example:
+;arg_separator.output = "&amp;"
+
+; List of separator(s) used by PHP to parse input URLs into variables.
+; PHP's default setting is "&".
+; NOTE: Every character in this directive is considered as separator!
+; http://php.net/arg-separator.input
+; Example:
+;arg_separator.input = ";&"
+
+; This directive determines which super global arrays are registered when PHP
+; starts up. G,P,C,E & S are abbreviations for the following respective super
+; globals: GET, POST, COOKIE, ENV and SERVER. There is a performance penalty
+; paid for the registration of these arrays and because ENV is not as commonly
+; used as the others, ENV is not recommended on productions servers. You
+; can still get access to the environment variables through getenv() should you
+; need to.
+; Default Value: "EGPCS"
+; Development Value: "GPCS"
+; Production Value: "GPCS";
+; http://php.net/variables-order
+variables_order = "GPCS"
+
+; This directive determines which super global data (G,P & C) should be
+; registered into the super global array REQUEST. If so, it also determines
+; the order in which that data is registered. The values for this directive
+; are specified in the same manner as the variables_order directive,
+; EXCEPT one. Leaving this value empty will cause PHP to use the value set
+; in the variables_order directive. It does not mean it will leave the super
+; globals array REQUEST empty.
+; Default Value: None
+; Development Value: "GP"
+; Production Value: "GP"
+; http://php.net/request-order
+request_order = "GP"
+
+; This directive determines whether PHP registers $argv & $argc each time it
+; runs. $argv contains an array of all the arguments passed to PHP when a script
+; is invoked. $argc contains an integer representing the number of arguments
+; that were passed when the script was invoked. These arrays are extremely
+; useful when running scripts from the command line. When this directive is
+; enabled, registering these variables consumes CPU cycles and memory each time
+; a script is executed. For performance reasons, this feature should be disabled
+; on production servers.
+; Note: This directive is hardcoded to On for the CLI SAPI
+; Default Value: On
+; Development Value: Off
+; Production Value: Off
+; http://php.net/register-argc-argv
+register_argc_argv = Off
+
+; When enabled, the ENV, REQUEST and SERVER variables are created when they're
+; first used (Just In Time) instead of when the script starts. If these
+; variables are not used within a script, having this directive on will result
+; in a performance gain. The PHP directive register_argc_argv must be disabled
+; for this directive to have any effect.
+; http://php.net/auto-globals-jit
+auto_globals_jit = On
+
+; Whether PHP will read the POST data.
+; This option is enabled by default.
+; Most likely, you won't want to disable this option globally. It causes $_POST
+; and $_FILES to always be empty; the only way you will be able to read the
+; POST data will be through the php://input stream wrapper. This can be useful
+; to proxy requests or to process the POST data in a memory efficient fashion.
+; http://php.net/enable-post-data-reading
+;enable_post_data_reading = Off
+
+; Maximum size of POST data that PHP will accept.
+; Its value may be 0 to disable the limit. It is ignored if POST data reading
+; is disabled through enable_post_data_reading.
+; http://php.net/post-max-size
+post_max_size = %%{php_post_max_size}M
+
+; Automatically add files before PHP document.
+; http://php.net/auto-prepend-file
+auto_prepend_file =
+
+; Automatically add files after PHP document.
+; http://php.net/auto-append-file
+auto_append_file =
+
+; By default, PHP will output a media type using the Content-Type header. To
+; disable this, simply set it to be empty.
+;
+; PHP's built-in default media type is set to text/html.
+; http://php.net/default-mimetype
+default_mimetype = "text/html"
+
+; PHP's default character set is set to UTF-8.
+; http://php.net/default-charset
+default_charset = "UTF-8"
+
+; PHP internal character encoding is set to empty.
+; If empty, default_charset is used.
+; http://php.net/internal-encoding
+;internal_encoding =
+
+; PHP input character encoding is set to empty.
+; If empty, default_charset is used.
+; http://php.net/input-encoding
+;input_encoding =
+
+; PHP output character encoding is set to empty.
+; If empty, default_charset is used.
+; See also output_buffer.
+; http://php.net/output-encoding
+;output_encoding =
+
+;;;;;;;;;;;;;;;;;;;;;;;;;
+; Paths and Directories ;
+;;;;;;;;;;;;;;;;;;;;;;;;;
+
+; UNIX: "/path1:/path2"
+;include_path = ".:/php/includes"
+;
+; Windows: "\path1;\path2"
+;include_path = ".;c:\php\includes"
+;
+; PHP's default setting for include_path is ".;/path/to/php/pear"
+; http://php.net/include-path
+
+; The root of the PHP pages, used only if nonempty.
+; if PHP was not compiled with FORCE_REDIRECT, you SHOULD set doc_root
+; if you are running php as a CGI under any web server (other than IIS)
+; see documentation for security issues.  The alternate is to use the
+; cgi.force_redirect configuration below
+; http://php.net/doc-root
+doc_root =
+
+; The directory under which PHP opens the script using /~username used only
+; if nonempty.
+; http://php.net/user-dir
+user_dir =
+
+; Directory in which the loadable extensions (modules) reside.
+; http://php.net/extension-dir
+;extension_dir = "./"
+; On windows:
+;extension_dir = "ext"
+
+; Directory where the temporary files should be placed.
+; Defaults to the system default (see sys_get_temp_dir)
+;sys_temp_dir = "/tmp"
+
+; Whether or not to enable the dl() function.  The dl() function does NOT work
+; properly in multithreaded servers, such as IIS or Zeus, and is automatically
+; disabled on them.
+; http://php.net/enable-dl
+enable_dl = Off
+
+; cgi.force_redirect is necessary to provide security running PHP as a CGI under
+; most web servers.  Left undefined, PHP turns this on by default.  You can
+; turn it off here AT YOUR OWN RISK
+; **You CAN safely turn this off for IIS, in fact, you MUST.**
+; http://php.net/cgi.force-redirect
+;cgi.force_redirect = 1
+
+; if cgi.nph is enabled it will force cgi to always sent Status: 200 with
+; every request. PHP's default behavior is to disable this feature.
+;cgi.nph = 1
+
+; if cgi.force_redirect is turned on, and you are not running under Apache or Netscape
+; (iPlanet) web servers, you MAY need to set an environment variable name that PHP
+; will look for to know it is OK to continue execution.  Setting this variable MAY
+; cause security issues, KNOW WHAT YOU ARE DOING FIRST.
+; http://php.net/cgi.redirect-status-env
+;cgi.redirect_status_env =
+
+; cgi.fix_pathinfo provides *real* PATH_INFO/PATH_TRANSLATED support for CGI.  PHP's
+; previous behaviour was to set PATH_TRANSLATED to SCRIPT_FILENAME, and to not grok
+; what PATH_INFO is.  For more information on PATH_INFO, see the cgi specs.  Setting
+; this to 1 will cause PHP CGI to fix its paths to conform to the spec.  A setting
+; of zero causes PHP to behave as before.  Default is 1.  You should fix your scripts
+; to use SCRIPT_FILENAME rather than PATH_TRANSLATED.
+; http://php.net/cgi.fix-pathinfo
+;cgi.fix_pathinfo=1
+
+; if cgi.discard_path is enabled, the PHP CGI binary can safely be placed outside
+; of the web tree and people will not be able to circumvent .htaccess security.
+;cgi.discard_path=1
+
+; FastCGI under IIS supports the ability to impersonate
+; security tokens of the calling client.  This allows IIS to define the
+; security context that the request runs under.  mod_fastcgi under Apache
+; does not currently support this feature (03/17/2002)
+; Set to 1 if running under IIS.  Default is zero.
+; http://php.net/fastcgi.impersonate
+;fastcgi.impersonate = 1
+
+; Disable logging through FastCGI connection. PHP's default behavior is to enable
+; this feature.
+;fastcgi.logging = 0
+
+; cgi.rfc2616_headers configuration option tells PHP what type of headers to
+; use when sending HTTP response code. If set to 0, PHP sends Status: header that
+; is supported by Apache. When this option is set to 1, PHP will send
+; RFC2616 compliant header.
+; Default is zero.
+; http://php.net/cgi.rfc2616-headers
+;cgi.rfc2616_headers = 0
+
+; cgi.check_shebang_line controls whether CGI PHP checks for line starting with #!
+; (shebang) at the top of the running script. This line might be needed if the
+; script support running both as stand-alone script and via PHP CGI<. PHP in CGI
+; mode skips this line and ignores its content if this directive is turned on.
+; http://php.net/cgi.check-shebang-line
+;cgi.check_shebang_line=1
+
+;;;;;;;;;;;;;;;;
+; File Uploads ;
+;;;;;;;;;;;;;;;;
+
+; Whether to allow HTTP file uploads.
+; http://php.net/file-uploads
+file_uploads = On
+
+; Temporary directory for HTTP uploaded files (will use system default if not
+; specified).
+; http://php.net/upload-tmp-dir
+;upload_tmp_dir =
+
+; Maximum allowed size for uploaded files.
+; http://php.net/upload-max-filesize
+upload_max_filesize = %%{php_upload_max_filesize}M
+
+; Maximum number of files that can be uploaded via a single request
+max_file_uploads = 20
+
+;;;;;;;;;;;;;;;;;;
+; Fopen wrappers ;
+;;;;;;;;;;;;;;;;;;
+
+; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
+; http://php.net/allow-url-fopen
+#CADOLES
+;allow_url_fopen = On
+allow_url_fopen = Off
+
+; Whether to allow include/require to open URLs (like http:// or ftp://) as files.
+; http://php.net/allow-url-include
+allow_url_include = Off
+
+; Define the anonymous ftp password (your email address). PHP's default setting
+; for this is empty.
+; http://php.net/from
+;from="john@doe.com"
+
+; Define the User-Agent string. PHP's default setting for this is empty.
+; http://php.net/user-agent
+;user_agent="PHP"
+
+; Default timeout for socket based streams (seconds)
+; http://php.net/default-socket-timeout
+default_socket_timeout = 60
+
+; If your scripts have to deal with files from Macintosh systems,
+; or you are running on a Mac and need to deal with files from
+; unix or win32 systems, setting this flag will cause PHP to
+; automatically detect the EOL character in those files so that
+; fgets() and file() will work regardless of the source of the file.
+; http://php.net/auto-detect-line-endings
+;auto_detect_line_endings = Off
+
+;;;;;;;;;;;;;;;;;;;;;;
+; Dynamic Extensions ;
+;;;;;;;;;;;;;;;;;;;;;;
+
+; If you wish to have an extension loaded automatically, use the following
+; syntax:
+;
+;   extension=modulename
+;
+; For example:
+;
+;   extension=mysqli
+;
+; When the extension library to load is not located in the default extension
+; directory, You may specify an absolute path to the library file:
+;
+;   extension=/path/to/extension/mysqli.so
+;
+; Note : The syntax used in previous PHP versions ('extension=<ext>.so' and
+; 'extension='php_<ext>.dll') is supported for legacy reasons and may be
+; deprecated in a future PHP major version. So, when it is possible, please
+; move to the new ('extension=<ext>) syntax.
+;
+; Notes for Windows environments :
+;
+; - Many DLL files are located in the extensions/ (PHP 4) or ext/ (PHP 5+)
+;   extension folders as well as the separate PECL DLL download (PHP 5+).
+;   Be sure to appropriately set the extension_dir directive.
+;
+;extension=bz2
+;extension=curl
+;extension=ffi
+;extension=ftp
+;extension=fileinfo
+;extension=gd2
+;extension=gettext
+;extension=gmp
+;extension=intl
+;extension=imap
+;extension=ldap
+;extension=mbstring
+;extension=exif      ; Must be after mbstring as it depends on it
+;extension=mysqli
+;extension=oci8_12c  ; Use with Oracle Database 12c Instant Client
+;extension=odbc
+;extension=openssl
+;extension=pdo_firebird
+;extension=pdo_mysql
+;extension=pdo_oci
+;extension=pdo_odbc
+;extension=pdo_pgsql
+;extension=pdo_sqlite
+;extension=pgsql
+;extension=shmop
+
+; The MIBS data available in the PHP distribution must be installed.
+; See http://www.php.net/manual/en/snmp.installation.php
+;extension=snmp
+
+;extension=soap
+;extension=sockets
+;extension=sodium
+;extension=sqlite3
+;extension=tidy
+;extension=xmlrpc
+;extension=xsl
+
+;;;;;;;;;;;;;;;;;;;
+; Module Settings ;
+;;;;;;;;;;;;;;;;;;;
+
+[CLI Server]
+; Whether the CLI web server uses ANSI color coding in its terminal output.
+cli_server.color = On
+
+[Date]
+; Defines the default timezone used by the date functions
+; http://php.net/date.timezone
+date.timezone = "%%time_zone"
+
+; http://php.net/date.default-latitude
+;date.default_latitude = 31.7667
+
+; http://php.net/date.default-longitude
+;date.default_longitude = 35.2333
+
+; http://php.net/date.sunrise-zenith
+;date.sunrise_zenith = 90.583333
+
+; http://php.net/date.sunset-zenith
+;date.sunset_zenith = 90.583333
+
+[filter]
+; http://php.net/filter.default
+;filter.default = unsafe_raw
+
+; http://php.net/filter.default-flags
+;filter.default_flags =
+
+[iconv]
+; Use of this INI entry is deprecated, use global input_encoding instead.
+; If empty, default_charset or input_encoding or iconv.input_encoding is used.
+; The precedence is: default_charset < input_encoding < iconv.input_encoding
+;iconv.input_encoding =
+
+; Use of this INI entry is deprecated, use global internal_encoding instead.
+; If empty, default_charset or internal_encoding or iconv.internal_encoding is used.
+; The precedence is: default_charset < internal_encoding < iconv.internal_encoding
+;iconv.internal_encoding =
+
+; Use of this INI entry is deprecated, use global output_encoding instead.
+; If empty, default_charset or output_encoding or iconv.output_encoding is used.
+; The precedence is: default_charset < output_encoding < iconv.output_encoding
+; To use an output encoding conversion, iconv's output handler must be set
+; otherwise output encoding conversion cannot be performed.
+;iconv.output_encoding =
+
+[imap]
+; rsh/ssh logins are disabled by default. Use this INI entry if you want to
+; enable them. Note that the IMAP library does not filter mailbox names before
+; passing them to rsh/ssh command, thus passing untrusted data to this function
+; with rsh/ssh enabled is insecure.
+;imap.enable_insecure_rsh=0
+
+[intl]
+;intl.default_locale =
+; This directive allows you to produce PHP errors when some error
+; happens within intl functions. The value is the level of the error produced.
+; Default is 0, which does not produce any errors.
+;intl.error_level = E_WARNING
+;intl.use_exceptions = 0
+
+[sqlite3]
+; Directory pointing to SQLite3 extensions
+; http://php.net/sqlite3.extension-dir
+;sqlite3.extension_dir =
+
+; SQLite defensive mode flag (only available from SQLite 3.26+)
+; When the defensive flag is enabled, language features that allow ordinary
+; SQL to deliberately corrupt the database file are disabled. This forbids
+; writing directly to the schema, shadow tables (eg. FTS data tables), or
+; the sqlite_dbpage virtual table.
+; https://www.sqlite.org/c3ref/c_dbconfig_defensive.html
+; (for older SQLite versions, this flag has no use)
+;sqlite3.defensive = 1
+
+[Pcre]
+; PCRE library backtracking limit.
+; http://php.net/pcre.backtrack-limit
+;pcre.backtrack_limit=100000
+
+; PCRE library recursion limit.
+; Please note that if you set this value to a high number you may consume all
+; the available process stack and eventually crash PHP (due to reaching the
+; stack size limit imposed by the Operating System).
+; http://php.net/pcre.recursion-limit
+;pcre.recursion_limit=100000
+
+; Enables or disables JIT compilation of patterns. This requires the PCRE
+; library to be compiled with JIT support.
+;pcre.jit=1
+
+[Pdo]
+; Whether to pool ODBC connections. Can be one of "strict", "relaxed" or "off"
+; http://php.net/pdo-odbc.connection-pooling
+;pdo_odbc.connection_pooling=strict
+
+;pdo_odbc.db2_instance_name
+
+[Pdo_mysql]
+; Default socket name for local MySQL connects.  If empty, uses the built-in
+; MySQL defaults.
+pdo_mysql.default_socket=
+
+[Phar]
+; http://php.net/phar.readonly
+;phar.readonly = On
+
+; http://php.net/phar.require-hash
+;phar.require_hash = On
+
+;phar.cache_list =
+
+[mail function]
+; For Win32 only.
+; http://php.net/smtp
+SMTP = localhost
+; http://php.net/smtp-port
+smtp_port = 25
+
+; For Win32 only.
+; http://php.net/sendmail-from
+;sendmail_from = me@example.com
+
+; For Unix only.  You may supply arguments as well (default: "sendmail -t -i").
+; http://php.net/sendmail-path
+sendmail_path = /usr/sbin/sendmail -t -i
+
+; Force the addition of the specified parameters to be passed as extra parameters
+; to the sendmail binary. These parameters will always replace the value of
+; the 5th parameter to mail().
+;mail.force_extra_parameters =
+
+; Add X-PHP-Originating-Script: that will include uid of the script followed by the filename
+#CADOLES
+;mail.add_x_header = Off
+mail.add_x_header = On
+
+; The path to a log file that will log all mail() calls. Log entries include
+; the full path of the script, line number, To address and headers.
+;mail.log =
+; Log mail to syslog (Event Log on Windows).
+;mail.log = syslog
+
+[ODBC]
+; http://php.net/odbc.default-db
+;odbc.default_db    =  Not yet implemented
+
+; http://php.net/odbc.default-user
+;odbc.default_user  =  Not yet implemented
+
+; http://php.net/odbc.default-pw
+;odbc.default_pw    =  Not yet implemented
+
+; Controls the ODBC cursor model.
+; Default: SQL_CURSOR_STATIC (default).
+;odbc.default_cursortype
+
+; Allow or prevent persistent links.
+; http://php.net/odbc.allow-persistent
+odbc.allow_persistent = On
+
+; Check that a connection is still valid before reuse.
+; http://php.net/odbc.check-persistent
+odbc.check_persistent = On
+
+; Maximum number of persistent links.  -1 means no limit.
+; http://php.net/odbc.max-persistent
+odbc.max_persistent = -1
+
+; Maximum number of links (persistent + non-persistent).  -1 means no limit.
+; http://php.net/odbc.max-links
+odbc.max_links = -1
+
+; Handling of LONG fields.  Returns number of bytes to variables.  0 means
+; passthru.
+; http://php.net/odbc.defaultlrl
+odbc.defaultlrl = 4096
+
+; Handling of binary data.  0 means passthru, 1 return as is, 2 convert to char.
+; See the documentation on odbc_binmode and odbc_longreadlen for an explanation
+; of odbc.defaultlrl and odbc.defaultbinmode
+; http://php.net/odbc.defaultbinmode
+odbc.defaultbinmode = 1
+
+[MySQLi]
+
+; Maximum number of persistent links.  -1 means no limit.
+; http://php.net/mysqli.max-persistent
+mysqli.max_persistent = -1
+
+; Allow accessing, from PHP's perspective, local files with LOAD DATA statements
+; http://php.net/mysqli.allow_local_infile
+;mysqli.allow_local_infile = On
+
+; Allow or prevent persistent links.
+; http://php.net/mysqli.allow-persistent
+mysqli.allow_persistent = On
+
+; Maximum number of links.  -1 means no limit.
+; http://php.net/mysqli.max-links
+mysqli.max_links = -1
+
+; Default port number for mysqli_connect().  If unset, mysqli_connect() will use
+; the $MYSQL_TCP_PORT or the mysql-tcp entry in /etc/services or the
+; compile-time value defined MYSQL_PORT (in that order).  Win32 will only look
+; at MYSQL_PORT.
+; http://php.net/mysqli.default-port
+mysqli.default_port = 3306
+
+; Default socket name for local MySQL connects.  If empty, uses the built-in
+; MySQL defaults.
+; http://php.net/mysqli.default-socket
+mysqli.default_socket =
+
+; Default host for mysqli_connect() (doesn't apply in safe mode).
+; http://php.net/mysqli.default-host
+mysqli.default_host =
+
+; Default user for mysqli_connect() (doesn't apply in safe mode).
+; http://php.net/mysqli.default-user
+mysqli.default_user =
+
+; Default password for mysqli_connect() (doesn't apply in safe mode).
+; Note that this is generally a *bad* idea to store passwords in this file.
+; *Any* user with PHP access can run 'echo get_cfg_var("mysqli.default_pw")
+; and reveal this password!  And of course, any users with read access to this
+; file will be able to reveal the password as well.
+; http://php.net/mysqli.default-pw
+mysqli.default_pw =
+
+; Allow or prevent reconnect
+mysqli.reconnect = Off
+
+[mysqlnd]
+; Enable / Disable collection of general statistics by mysqlnd which can be
+; used to tune and monitor MySQL operations.
+mysqlnd.collect_statistics = On
+
+; Enable / Disable collection of memory usage statistics by mysqlnd which can be
+; used to tune and monitor MySQL operations.
+mysqlnd.collect_memory_statistics = Off
+
+; Records communication from all extensions using mysqlnd to the specified log
+; file.
+; http://php.net/mysqlnd.debug
+;mysqlnd.debug =
+
+; Defines which queries will be logged.
+;mysqlnd.log_mask = 0
+
+; Default size of the mysqlnd memory pool, which is used by result sets.
+;mysqlnd.mempool_default_size = 16000
+
+; Size of a pre-allocated buffer used when sending commands to MySQL in bytes.
+;mysqlnd.net_cmd_buffer_size = 2048
+
+; Size of a pre-allocated buffer used for reading data sent by the server in
+; bytes.
+;mysqlnd.net_read_buffer_size = 32768
+
+; Timeout for network requests in seconds.
+;mysqlnd.net_read_timeout = 31536000
+
+; SHA-256 Authentication Plugin related. File with the MySQL server public RSA
+; key.
+;mysqlnd.sha256_server_public_key =
+
+[OCI8]
+
+; Connection: Enables privileged connections using external
+; credentials (OCI_SYSOPER, OCI_SYSDBA)
+; http://php.net/oci8.privileged-connect
+;oci8.privileged_connect = Off
+
+; Connection: The maximum number of persistent OCI8 connections per
+; process. Using -1 means no limit.
+; http://php.net/oci8.max-persistent
+;oci8.max_persistent = -1
+
+; Connection: The maximum number of seconds a process is allowed to
+; maintain an idle persistent connection. Using -1 means idle
+; persistent connections will be maintained forever.
+; http://php.net/oci8.persistent-timeout
+;oci8.persistent_timeout = -1
+
+; Connection: The number of seconds that must pass before issuing a
+; ping during oci_pconnect() to check the connection validity. When
+; set to 0, each oci_pconnect() will cause a ping. Using -1 disables
+; pings completely.
+; http://php.net/oci8.ping-interval
+;oci8.ping_interval = 60
+
+; Connection: Set this to a user chosen connection class to be used
+; for all pooled server requests with Oracle 11g Database Resident
+; Connection Pooling (DRCP).  To use DRCP, this value should be set to
+; the same string for all web servers running the same application,
+; the database pool must be configured, and the connection string must
+; specify to use a pooled server.
+;oci8.connection_class =
+
+; High Availability: Using On lets PHP receive Fast Application
+; Notification (FAN) events generated when a database node fails. The
+; database must also be configured to post FAN events.
+;oci8.events = Off
+
+; Tuning: This option enables statement caching, and specifies how
+; many statements to cache. Using 0 disables statement caching.
+; http://php.net/oci8.statement-cache-size
+;oci8.statement_cache_size = 20
+
+; Tuning: Enables statement prefetching and sets the default number of
+; rows that will be fetched automatically after statement execution.
+; http://php.net/oci8.default-prefetch
+;oci8.default_prefetch = 100
+
+; Compatibility. Using On means oci_close() will not close
+; oci_connect() and oci_new_connect() connections.
+; http://php.net/oci8.old-oci-close-semantics
+;oci8.old_oci_close_semantics = Off
+
+[PostgreSQL]
+; Allow or prevent persistent links.
+; http://php.net/pgsql.allow-persistent
+pgsql.allow_persistent = On
+
+; Detect broken persistent links always with pg_pconnect().
+; Auto reset feature requires a little overheads.
+; http://php.net/pgsql.auto-reset-persistent
+pgsql.auto_reset_persistent = Off
+
+; Maximum number of persistent links.  -1 means no limit.
+; http://php.net/pgsql.max-persistent
+pgsql.max_persistent = -1
+
+; Maximum number of links (persistent+non persistent).  -1 means no limit.
+; http://php.net/pgsql.max-links
+pgsql.max_links = -1
+
+; Ignore PostgreSQL backends Notice message or not.
+; Notice message logging require a little overheads.
+; http://php.net/pgsql.ignore-notice
+pgsql.ignore_notice = 0
+
+; Log PostgreSQL backends Notice message or not.
+; Unless pgsql.ignore_notice=0, module cannot log notice message.
+; http://php.net/pgsql.log-notice
+pgsql.log_notice = 0
+
+[bcmath]
+; Number of decimal digits for all bcmath functions.
+; http://php.net/bcmath.scale
+bcmath.scale = 0
+
+[browscap]
+; http://php.net/browscap
+;browscap = extra/browscap.ini
+%if %%php_browscap
+browscap = /etc/php/extra/browscap.ini
+%end if
+
+[Session]
+; Handler used to store/retrieve data.
+; http://php.net/session.save-handler
+session.save_handler = files
+
+; Argument passed to save_handler.  In the case of files, this is the path
+; where data files are stored. Note: Windows users have to change this
+; variable in order to use PHP's session functions.
+;
+; The path can be defined as:
+;
+;     session.save_path = "N;/path"
+;
+; where N is an integer.  Instead of storing all the session files in
+; /path, what this will do is use subdirectories N-levels deep, and
+; store the session data in those directories.  This is useful if
+; your OS has problems with many files in one directory, and is
+; a more efficient layout for servers that handle many sessions.
+;
+; NOTE 1: PHP will not create this directory structure automatically.
+;         You can use the script in the ext/session dir for that purpose.
+; NOTE 2: See the section on garbage collection below if you choose to
+;         use subdirectories for session storage
+;
+; The file storage module creates files using mode 600 by default.
+; You can change that by using
+;
+;     session.save_path = "N;MODE;/path"
+;
+; where MODE is the octal representation of the mode. Note that this
+; does not overwrite the process's umask.
+; http://php.net/session.save-path
+;session.save_path = "/var/lib/php/sessions"
+
+; Whether to use strict session mode.
+; Strict session mode does not accept an uninitialized session ID, and
+; regenerates the session ID if the browser sends an uninitialized session ID.
+; Strict mode protects applications from session fixation via a session adoption
+; vulnerability. It is disabled by default for maximum compatibility, but
+; enabling it is encouraged.
+; https://wiki.php.net/rfc/strict_sessions
+session.use_strict_mode = 0
+
+; Whether to use cookies.
+; http://php.net/session.use-cookies
+session.use_cookies = 1
+
+; http://php.net/session.cookie-secure
+;session.cookie_secure =
+
+; This option forces PHP to fetch and use a cookie for storing and maintaining
+; the session id. We encourage this operation as it's very helpful in combating
+; session hijacking when not specifying and managing your own session id. It is
+; not the be-all and end-all of session hijacking defense, but it's a good start.
+; http://php.net/session.use-only-cookies
+session.use_only_cookies = 1
+
+; Name of the session (used as cookie name).
+; http://php.net/session.name
+session.name = PHPSESSID
+
+; Initialize session on request startup.
+; http://php.net/session.auto-start
+session.auto_start = 0
+
+; Lifetime in seconds of cookie or, if 0, until browser is restarted.
+; http://php.net/session.cookie-lifetime
+session.cookie_lifetime = 0
+
+; The path for which the cookie is valid.
+; http://php.net/session.cookie-path
+session.cookie_path = /
+
+; The domain for which the cookie is valid.
+; http://php.net/session.cookie-domain
+session.cookie_domain =
+
+; Whether or not to add the httpOnly flag to the cookie, which makes it
+; inaccessible to browser scripting languages such as JavaScript.
+; http://php.net/session.cookie-httponly
+session.cookie_httponly =
+
+; Add SameSite attribute to cookie to help mitigate Cross-Site Request Forgery (CSRF/XSRF)
+; Current valid values are "Lax" or "Strict"
+; https://tools.ietf.org/html/draft-west-first-party-cookies-07
+session.cookie_samesite =
+
+; Handler used to serialize data. php is the standard serializer of PHP.
+; http://php.net/session.serialize-handler
+session.serialize_handler = php
+
+; Defines the probability that the 'garbage collection' process is started on every
+; session initialization. The probability is calculated by using gc_probability/gc_divisor,
+; e.g. 1/100 means there is a 1% chance that the GC process starts on each request.
+; Default Value: 1
+; Development Value: 1
+; Production Value: 1
+; http://php.net/session.gc-probability
+session.gc_probability = 0
+
+; Defines the probability that the 'garbage collection' process is started on every
+; session initialization. The probability is calculated by using gc_probability/gc_divisor,
+; e.g. 1/100 means there is a 1% chance that the GC process starts on each request.
+; For high volume production servers, using a value of 1000 is a more efficient approach.
+; Default Value: 100
+; Development Value: 1000
+; Production Value: 1000
+; http://php.net/session.gc-divisor
+session.gc_divisor = 1000
+
+; After this number of seconds, stored data will be seen as 'garbage' and
+; cleaned up by the garbage collection process.
+; http://php.net/session.gc-maxlifetime
+session.gc_maxlifetime = %%php_session_gc_maxlifetime
+
+; NOTE: If you are using the subdirectory option for storing session files
+;       (see session.save_path above), then garbage collection does *not*
+;       happen automatically.  You will need to do your own garbage
+;       collection through a shell script, cron entry, or some other method.
+;       For example, the following script would is the equivalent of
+;       setting session.gc_maxlifetime to 1440 (1440 seconds = 24 minutes):
+;          find /path/to/sessions -cmin +24 -type f | xargs rm
+
+; Check HTTP Referer to invalidate externally stored URLs containing ids.
+; HTTP_REFERER has to contain this substring for the session to be
+; considered as valid.
+; http://php.net/session.referer-check
+session.referer_check =
+
+; Set to {nocache,private,public,} to determine HTTP caching aspects
+; or leave this empty to avoid sending anti-caching headers.
+; http://php.net/session.cache-limiter
+session.cache_limiter = nocache
+
+; Document expires after n minutes.
+; http://php.net/session.cache-expire
+session.cache_expire = 180
+
+; trans sid support is disabled by default.
+; Use of trans sid may risk your users' security.
+; Use this option with caution.
+; - User may send URL contains active session ID
+;   to other person via. email/irc/etc.
+; - URL that contains active session ID may be stored
+;   in publicly accessible computer.
+; - User may access your site with the same session ID
+;   always using URL stored in browser's history or bookmarks.
+; http://php.net/session.use-trans-sid
+session.use_trans_sid = 0
+
+; Set session ID character length. This value could be between 22 to 256.
+; Shorter length than default is supported only for compatibility reason.
+; Users should use 32 or more chars.
+; http://php.net/session.sid-length
+; Default Value: 32
+; Development Value: 26
+; Production Value: 26
+session.sid_length = 26
+
+; The URL rewriter will look for URLs in a defined set of HTML tags.
+; <form> is special; if you include them here, the rewriter will
+; add a hidden <input> field with the info which is otherwise appended
+; to URLs. <form> tag's action attribute URL will not be modified
+; unless it is specified.
+; Note that all valid entries require a "=", even if no value follows.
+; Default Value: "a=href,area=href,frame=src,form="
+; Development Value: "a=href,area=href,frame=src,form="
+; Production Value: "a=href,area=href,frame=src,form="
+; http://php.net/url-rewriter.tags
+session.trans_sid_tags = "a=href,area=href,frame=src,form="
+
+; URL rewriter does not rewrite absolute URLs by default.
+; To enable rewrites for absolute paths, target hosts must be specified
+; at RUNTIME. i.e. use ini_set()
+; <form> tags is special. PHP will check action attribute's URL regardless
+; of session.trans_sid_tags setting.
+; If no host is defined, HTTP_HOST will be used for allowed host.
+; Example value: php.net,www.php.net,wiki.php.net
+; Use "," for multiple hosts. No spaces are allowed.
+; Default Value: ""
+; Development Value: ""
+; Production Value: ""
+;session.trans_sid_hosts=""
+
+; Define how many bits are stored in each character when converting
+; the binary hash data to something readable.
+; Possible values:
+;   4  (4 bits: 0-9, a-f)
+;   5  (5 bits: 0-9, a-v)
+;   6  (6 bits: 0-9, a-z, A-Z, "-", ",")
+; Default Value: 4
+; Development Value: 5
+; Production Value: 5
+; http://php.net/session.hash-bits-per-character
+session.sid_bits_per_character = 5
+
+; Enable upload progress tracking in $_SESSION
+; Default Value: On
+; Development Value: On
+; Production Value: On
+; http://php.net/session.upload-progress.enabled
+;session.upload_progress.enabled = On
+
+; Cleanup the progress information as soon as all POST data has been read
+; (i.e. upload completed).
+; Default Value: On
+; Development Value: On
+; Production Value: On
+; http://php.net/session.upload-progress.cleanup
+;session.upload_progress.cleanup = On
+
+; A prefix used for the upload progress key in $_SESSION
+; Default Value: "upload_progress_"
+; Development Value: "upload_progress_"
+; Production Value: "upload_progress_"
+; http://php.net/session.upload-progress.prefix
+;session.upload_progress.prefix = "upload_progress_"
+
+; The index name (concatenated with the prefix) in $_SESSION
+; containing the upload progress information
+; Default Value: "PHP_SESSION_UPLOAD_PROGRESS"
+; Development Value: "PHP_SESSION_UPLOAD_PROGRESS"
+; Production Value: "PHP_SESSION_UPLOAD_PROGRESS"
+; http://php.net/session.upload-progress.name
+;session.upload_progress.name = "PHP_SESSION_UPLOAD_PROGRESS"
+
+; How frequently the upload progress should be updated.
+; Given either in percentages (per-file), or in bytes
+; Default Value: "1%"
+; Development Value: "1%"
+; Production Value: "1%"
+; http://php.net/session.upload-progress.freq
+;session.upload_progress.freq =  "1%"
+
+; The minimum delay between updates, in seconds
+; Default Value: 1
+; Development Value: 1
+; Production Value: 1
+; http://php.net/session.upload-progress.min-freq
+;session.upload_progress.min_freq = "1"
+
+; Only write session data when session data is changed. Enabled by default.
+; http://php.net/session.lazy-write
+;session.lazy_write = On
+
+[Assertion]
+; Switch whether to compile assertions at all (to have no overhead at run-time)
+; -1: Do not compile at all
+;  0: Jump over assertion at run-time
+;  1: Execute assertions
+; Changing from or to a negative value is only possible in php.ini! (For turning assertions on and off at run-time, see assert.active, when zend.assertions = 1)
+; Default Value: 1
+; Development Value: 1
+; Production Value: -1
+; http://php.net/zend.assertions
+zend.assertions = -1
+
+; Assert(expr); active by default.
+; http://php.net/assert.active
+;assert.active = On
+
+; Throw an AssertionError on failed assertions
+; http://php.net/assert.exception
+;assert.exception = On
+
+; Issue a PHP warning for each failed assertion. (Overridden by assert.exception if active)
+; http://php.net/assert.warning
+;assert.warning = On
+
+; Don't bail out by default.
+; http://php.net/assert.bail
+;assert.bail = Off
+
+; User-function to be called if an assertion fails.
+; http://php.net/assert.callback
+;assert.callback = 0
+
+; Eval the expression with current error_reporting().  Set to true if you want
+; error_reporting(0) around the eval().
+; http://php.net/assert.quiet-eval
+;assert.quiet_eval = 0
+
+[COM]
+; path to a file containing GUIDs, IIDs or filenames of files with TypeLibs
+; http://php.net/com.typelib-file
+;com.typelib_file =
+
+; allow Distributed-COM calls
+; http://php.net/com.allow-dcom
+;com.allow_dcom = true
+
+; autoregister constants of a component's typlib on com_load()
+; http://php.net/com.autoregister-typelib
+;com.autoregister_typelib = true
+
+; register constants casesensitive
+; http://php.net/com.autoregister-casesensitive
+;com.autoregister_casesensitive = false
+
+; show warnings on duplicate constant registrations
+; http://php.net/com.autoregister-verbose
+;com.autoregister_verbose = true
+
+; The default character set code-page to use when passing strings to and from COM objects.
+; Default: system ANSI code page
+;com.code_page=
+
+[mbstring]
+; language for internal character representation.
+; This affects mb_send_mail() and mbstring.detect_order.
+; http://php.net/mbstring.language
+;mbstring.language = Japanese
+
+; Use of this INI entry is deprecated, use global internal_encoding instead.
+; internal/script encoding.
+; Some encoding cannot work as internal encoding. (e.g. SJIS, BIG5, ISO-2022-*)
+; If empty, default_charset or internal_encoding or iconv.internal_encoding is used.
+; The precedence is: default_charset < internal_encoding < iconv.internal_encoding
+;mbstring.internal_encoding =
+
+; Use of this INI entry is deprecated, use global input_encoding instead.
+; http input encoding.
+; mbstring.encoding_translation = On is needed to use this setting.
+; If empty, default_charset or input_encoding or mbstring.input is used.
+; The precedence is: default_charset < input_encoding < mbsting.http_input
+; http://php.net/mbstring.http-input
+;mbstring.http_input =
+
+; Use of this INI entry is deprecated, use global output_encoding instead.
+; http output encoding.
+; mb_output_handler must be registered as output buffer to function.
+; If empty, default_charset or output_encoding or mbstring.http_output is used.
+; The precedence is: default_charset < output_encoding < mbstring.http_output
+; To use an output encoding conversion, mbstring's output handler must be set
+; otherwise output encoding conversion cannot be performed.
+; http://php.net/mbstring.http-output
+;mbstring.http_output =
+
+; enable automatic encoding translation according to
+; mbstring.internal_encoding setting. Input chars are
+; converted to internal encoding by setting this to On.
+; Note: Do _not_ use automatic encoding translation for
+;       portable libs/applications.
+; http://php.net/mbstring.encoding-translation
+;mbstring.encoding_translation = Off
+
+; automatic encoding detection order.
+; "auto" detect order is changed according to mbstring.language
+; http://php.net/mbstring.detect-order
+;mbstring.detect_order = auto
+
+; substitute_character used when character cannot be converted
+; one from another
+; http://php.net/mbstring.substitute-character
+;mbstring.substitute_character = none
+
+; overload(replace) single byte functions by mbstring functions.
+; mail(), ereg(), etc are overloaded by mb_send_mail(), mb_ereg(),
+; etc. Possible values are 0,1,2,4 or combination of them.
+; For example, 7 for overload everything.
+; 0: No overload
+; 1: Overload mail() function
+; 2: Overload str*() functions
+; 4: Overload ereg*() functions
+; http://php.net/mbstring.func-overload
+;mbstring.func_overload = 0
+
+; enable strict encoding detection.
+; Default: Off
+;mbstring.strict_detection = On
+
+; This directive specifies the regex pattern of content types for which mb_output_handler()
+; is activated.
+; Default: mbstring.http_output_conv_mimetype=^(text/|application/xhtml\+xml)
+;mbstring.http_output_conv_mimetype=
+
+; This directive specifies maximum stack depth for mbstring regular expressions. It is similar
+; to the pcre.recursion_limit for PCRE.
+; Default: 100000
+;mbstring.regex_stack_limit=100000
+
+; This directive specifies maximum retry count for mbstring regular expressions. It is similar
+; to the pcre.backtrack_limit for PCRE.
+; Default: 1000000
+;mbstring.regex_retry_limit=1000000
+
+[gd]
+; Tell the jpeg decode to ignore warnings and try to create
+; a gd image. The warning will then be displayed as notices
+; disabled by default
+; http://php.net/gd.jpeg-ignore-warning
+;gd.jpeg_ignore_warning = 1
+
+[exif]
+; Exif UNICODE user comments are handled as UCS-2BE/UCS-2LE and JIS as JIS.
+; With mbstring support this will automatically be converted into the encoding
+; given by corresponding encode setting. When empty mbstring.internal_encoding
+; is used. For the decode settings you can distinguish between motorola and
+; intel byte order. A decode setting cannot be empty.
+; http://php.net/exif.encode-unicode
+;exif.encode_unicode = ISO-8859-15
+
+; http://php.net/exif.decode-unicode-motorola
+;exif.decode_unicode_motorola = UCS-2BE
+
+; http://php.net/exif.decode-unicode-intel
+;exif.decode_unicode_intel    = UCS-2LE
+
+; http://php.net/exif.encode-jis
+;exif.encode_jis =
+
+; http://php.net/exif.decode-jis-motorola
+;exif.decode_jis_motorola = JIS
+
+; http://php.net/exif.decode-jis-intel
+;exif.decode_jis_intel    = JIS
+
+[Tidy]
+; The path to a default tidy configuration file to use when using tidy
+; http://php.net/tidy.default-config
+;tidy.default_config = /usr/local/lib/php/default.tcfg
+
+; Should tidy clean and repair output automatically?
+; WARNING: Do not use this option if you are generating non-html content
+; such as dynamic images
+; http://php.net/tidy.clean-output
+tidy.clean_output = Off
+
+[soap]
+; Enables or disables WSDL caching feature.
+; http://php.net/soap.wsdl-cache-enabled
+soap.wsdl_cache_enabled=1
+
+; Sets the directory name where SOAP extension will put cache files.
+; http://php.net/soap.wsdl-cache-dir
+soap.wsdl_cache_dir="/tmp"
+
+; (time to live) Sets the number of second while cached file will be used
+; instead of original one.
+; http://php.net/soap.wsdl-cache-ttl
+soap.wsdl_cache_ttl=86400
+
+; Sets the size of the cache limit. (Max. number of WSDL files to cache)
+soap.wsdl_cache_limit = 5
+
+[sysvshm]
+; A default size of the shared memory segment
+;sysvshm.init_mem = 10000
+
+[ldap]
+; Sets the maximum number of open links or -1 for unlimited.
+ldap.max_links = -1
+
+[dba]
+;dba.default_handler=
+
+[opcache]
+; Determines if Zend OPCache is enabled
+;opcache.enable=1
+
+; Determines if Zend OPCache is enabled for the CLI version of PHP
+;opcache.enable_cli=0
+
+; The OPcache shared memory storage size.
+;opcache.memory_consumption=128
+
+; The amount of memory for interned strings in Mbytes.
+;opcache.interned_strings_buffer=8
+
+; The maximum number of keys (scripts) in the OPcache hash table.
+; Only numbers between 200 and 1000000 are allowed.
+;opcache.max_accelerated_files=10000
+
+; The maximum percentage of "wasted" memory until a restart is scheduled.
+;opcache.max_wasted_percentage=5
+
+; When this directive is enabled, the OPcache appends the current working
+; directory to the script key, thus eliminating possible collisions between
+; files with the same name (basename). Disabling the directive improves
+; performance, but may break existing applications.
+;opcache.use_cwd=1
+
+; When disabled, you must reset the OPcache manually or restart the
+; webserver for changes to the filesystem to take effect.
+;opcache.validate_timestamps=1
+
+; How often (in seconds) to check file timestamps for changes to the shared
+; memory storage allocation. ("1" means validate once per second, but only
+; once per request. "0" means always validate)
+;opcache.revalidate_freq=2
+
+; Enables or disables file search in include_path optimization
+;opcache.revalidate_path=0
+
+; If disabled, all PHPDoc comments are dropped from the code to reduce the
+; size of the optimized code.
+;opcache.save_comments=1
+
+; Allow file existence override (file_exists, etc.) performance feature.
+;opcache.enable_file_override=0
+
+; A bitmask, where each bit enables or disables the appropriate OPcache
+; passes
+;opcache.optimization_level=0x7FFFBFFF
+
+;opcache.dups_fix=0
+
+; The location of the OPcache blacklist file (wildcards allowed).
+; Each OPcache blacklist file is a text file that holds the names of files
+; that should not be accelerated. The file format is to add each filename
+; to a new line. The filename may be a full path or just a file prefix
+; (i.e., /var/www/x  blacklists all the files and directories in /var/www
+; that start with 'x'). Line starting with a ; are ignored (comments).
+;opcache.blacklist_filename=
+
+; Allows exclusion of large files from being cached. By default all files
+; are cached.
+;opcache.max_file_size=0
+
+; Check the cache checksum each N requests.
+; The default value of "0" means that the checks are disabled.
+;opcache.consistency_checks=0
+
+; How long to wait (in seconds) for a scheduled restart to begin if the cache
+; is not being accessed.
+;opcache.force_restart_timeout=180
+
+; OPcache error_log file name. Empty string assumes "stderr".
+;opcache.error_log=
+
+; All OPcache errors go to the Web server log.
+; By default, only fatal errors (level 0) or errors (level 1) are logged.
+; You can also enable warnings (level 2), info messages (level 3) or
+; debug messages (level 4).
+;opcache.log_verbosity_level=1
+
+; Preferred Shared Memory back-end. Leave empty and let the system decide.
+;opcache.preferred_memory_model=
+
+; Protect the shared memory from unexpected writing during script execution.
+; Useful for internal debugging only.
+;opcache.protect_memory=0
+
+; Allows calling OPcache API functions only from PHP scripts which path is
+; started from specified string. The default "" means no restriction
+;opcache.restrict_api=
+
+; Mapping base of shared memory segments (for Windows only). All the PHP
+; processes have to map shared memory into the same address space. This
+; directive allows to manually fix the "Unable to reattach to base address"
+; errors.
+;opcache.mmap_base=
+
+; Facilitates multiple OPcache instances per user (for Windows only). All PHP
+; processes with the same cache ID and user share an OPcache instance.
+;opcache.cache_id=
+
+; Enables and sets the second level cache directory.
+; It should improve performance when SHM memory is full, at server restart or
+; SHM reset. The default "" disables file based caching.
+;opcache.file_cache=
+
+; Enables or disables opcode caching in shared memory.
+;opcache.file_cache_only=0
+
+; Enables or disables checksum validation when script loaded from file cache.
+;opcache.file_cache_consistency_checks=1
+
+; Implies opcache.file_cache_only=1 for a certain process that failed to
+; reattach to the shared memory (for Windows only). Explicitly enabled file
+; cache is required.
+;opcache.file_cache_fallback=1
+
+; Enables or disables copying of PHP code (text segment) into HUGE PAGES.
+; This should improve performance, but requires appropriate OS configuration.
+;opcache.huge_code_pages=1
+
+; Validate cached file permissions.
+;opcache.validate_permission=0
+
+; Prevent name collisions in chroot'ed environment.
+;opcache.validate_root=0
+
+; If specified, it produces opcode dumps for debugging different stages of
+; optimizations.
+;opcache.opt_debug_level=0
+
+; Specifies a PHP script that is going to be compiled and executed at server
+; start-up.
+; http://php.net/opcache.preload
+;opcache.preload=
+
+; Preloading code as root is not allowed for security reasons. This directive
+; facilitates to let the preloading to be run as another user.
+; http://php.net/opcache.preload_user
+;opcache.preload_user=
+
+; Prevents caching files that are less than this number of seconds old. It
+; protects from caching of incompletely updated files. In case all file updates
+; on your site are atomic, you may increase performance by setting it to "0".
+;opcache.file_update_protection=2
+
+; Absolute path used to store shared lockfiles (for *nix only).
+;opcache.lockfile_path=/tmp
+
+[curl]
+; A default value for the CURLOPT_CAINFO option. This is required to be an
+; absolute path.
+;curl.cainfo =
+
+[openssl]
+; The location of a Certificate Authority (CA) file on the local filesystem
+; to use when verifying the identity of SSL/TLS peers. Most users should
+; not specify a value for this directive as PHP will attempt to use the
+; OS-managed cert stores in its absence. If specified, this value may still
+; be overridden on a per-stream basis via the "cafile" SSL stream context
+; option.
+;openssl.cafile=
+
+; If openssl.cafile is not specified or if the CA file is not found, the
+; directory pointed to by openssl.capath is searched for a suitable
+; certificate. This value must be a correctly hashed certificate directory.
+; Most users should not specify a value for this directive as PHP will
+; attempt to use the OS-managed cert stores in its absence. If specified,
+; this value may still be overridden on a per-stream basis via the "capath"
+; SSL stream context option.
+;openssl.capath=
+
+[ffi]
+; FFI API restriction. Possible values:
+; "preload" - enabled in CLI scripts and preloaded files (default)
+; "false"   - always disabled
+; "true"    - always enabled
+;ffi.enable=preload
+
+; List of headers files to preload, wildcard patterns allowed.
+;ffi.preload=
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/DEBUG.md b/seed/applicationservice/2022.03.08/postfix-relay/DEBUG.md
new file mode 100644
index 0000000..be1cb65
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postfix-relay/DEBUG.md
@@ -0,0 +1,47 @@
+# recherche d'un utilisateur :
+
+```
+USER=gnunux@gnunux.info
+su - postfix -s /bin/bash -c "postmap -q $USER ldap:/etc/postfix/ldapsource.cf"
+```
+Doit retourner le nom de l'utilisateur.
+
+Il est possible de demander le mode verbeux :
+
+```
+su - postfix -s /bin/bash -c "postmap -vq $USER ldap:/etc/postfix/ldapsource.cf"
+```
+
+# Test with telnet
+
+EHLO root.gnunux.info
+[..]
+250-AUTH PLAIN LOGIN
+[..]
+MAIL FROM:<gnunux@gnunux.info>
+RCPT TO:<gnunux@gnunux.info>
+DATA
+To:<gnunux@gnunux.info>
+From:<gnunux@gnunux.info>
+Subject:SMTP Test
+This is a test message
+
+.
+
+# auth with telnet
+
+echo -ne '\000gnunux@gnunux.info\000password' | openssl base64
+openssl s_client -connect 192.168.45.13:25 -starttls smtp
+EHLO client.example.com
+[..]
+AUTH PLAIN AGdudW51eEBnbnVudXguaW5mbwBxVV96Vl9kbEUzUm82WmpTcjFHOGNzbmd4ajA=
+235 2.7.0 Authentication successful
+
+# Un élément de configuration
+
+postconf maillog_file
+
+# Editer la configuration
+
+postconf maillog_file=/dev/stdout
+
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/FIXME b/seed/applicationservice/2022.03.08/postfix-relay/FIXME
new file mode 100644
index 0000000..73bc7aa
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postfix-relay/FIXME
@@ -0,0 +1,2 @@
+SPF : https://www.djaodjin.com/blog/postfix-dovecot-openldap.blog.html
+Postcreen : modoboa_installer/scripts/files/postfix/main.cf.tpl
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/applicationservice.yml b/seed/applicationservice/2022.03.08/postfix-relay/applicationservice.yml
new file mode 100644
index 0000000..9268ab4
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postfix-relay/applicationservice.yml
@@ -0,0 +1,4 @@
+format: '0.1'
+description: Postfix has relay
+depends:
+  - base-fedora-35
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/dictionaries/20_postfix.xml b/seed/applicationservice/2022.03.08/postfix-relay/dictionaries/20_postfix.xml
new file mode 100644
index 0000000..a9ff87f
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postfix-relay/dictionaries/20_postfix.xml
@@ -0,0 +1,80 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name="postfix" target="multi-user">
+      <override/>
+      <file engine="none" source="sysuser-postfix.conf">/sysusers.d/1postfix.conf</file>
+      <file engine="none" source="tmpfile-postfix.conf">/tmpfiles.d/0postfix.conf</file>
+      <file>/etc/postfix/main.cf</file>
+      <file>/etc/postfix/lmtp</file>
+      <file>/etc/postfix/sni</file>
+      <file engine="none">/etc/postfix/master.cf</file>
+      <file>/etc/pki/ca-trust/source/anchors/ca_MailServer.crt</file>
+      <file>/etc/pki/tls/certs/postfix.crt</file>
+      <file source="sni.pem" file_type="variable" mode="400" owner="postfix" variable="domain_name_eth">postfix_pem_files</file>
+      <file owner="root" group="postfix" mode="440">/etc/pki/tls/private/postfix.key</file>
+    </service>
+    <service name="saslauthd">
+      <file>/etc/sasl2/smtpd.conf</file>
+    </service>
+    <service name="opendkim" target="multi-user">
+      <file engine="none" source="sysuser-opendkim.conf">/sysusers.d/0opendkim.conf</file>
+      <file>/etc/opendkim.conf</file>
+      <file>/etc/opendkim/KeyTable</file>
+      <file>/etc/opendkim/SigningTable</file>
+      <file>/etc/opendkim/TrustedHosts</file>
+      <file file_type="variable" owner="opendkim" mode="400" source="opendkim.key" variable="postfix_relay_domains">opendkim_keys</file>
+    </service>
+    <service name="opendmarc" target="multi-user">
+      <file engine="none" source="sysuser-opendmarc.conf">/sysusers.d/0opendmarc.conf</file>
+      <file engine="none" source="tmpfile-opendmarc.conf">/tmpfiles.d/0opendmarc.conf</file>
+      <file>/etc/opendmarc.conf</file>
+    </service>
+  </services>
+  <variables>
+    <family name="postfix" description="Postfix mail server">
+      <variable name="postfix_mail_hostname" type="domainname" description="Nom de domaine extérieur du serveur de courriel" mandatory="True"/>
+      <variable name="postfix_relay_domains" type="domainname" description="Domaine de courriel généré localement" multi="True"/>
+      <variable name='postfix_ca_chain' description="CA certificate" hidden='True'/>
+      <variable name='postfix_relay_authentifications' description="CA certificate" hidden='True' multi="True" provider="mail"/>
+      <family name="local_authentification_" description="Local server authentification" dynamic='postfix_relay_authentifications'>
+        <variable name="local_authentification_ip_" type="ip" provider="mail_ip"/>
+        <variable name="local_authentification_password_" type="secret" auto_save="True" provider="mail_password"/>
+      </family>
+      <variable name='postfix_pem_files' type="filename" description="PEM certificates" hidden='True' multi='True'/>
+    </family>
+    <family name="opendkim">
+      <variable name="opendkim_keys" type="filename" description="Keys filename" multi="True" hidden="True"/>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="get_chain">
+      <param name="authority_cn" type="variable">domain_name_eth0</param>
+      <param name="authority_name">MailServer</param>
+      <target>postfix_ca_chain</target>
+    </fill>
+    <fill name="calc_value">
+      <param>/etc/opendkim/keys/</param>
+      <param type="variable">postfix_relay_domains</param>
+      <param>.key</param>
+      <param name="join"></param>
+      <param name="multi" type="boolean">True</param>
+      <target>opendkim_keys</target>
+    </fill>
+    <fill name="get_password">
+      <param name="server_name" type="variable">domain_name_eth0</param>
+      <param name="username" type="suffix"/>
+      <param name="description">local authentification</param>
+      <param name="type">cleartext</param>
+      <target>local_authentification_password_</target>
+    </fill>
+    <fill name="calc_value">
+      <param>/etc/postfix/certs/</param>
+      <param type="variable">domain_name_eth</param>
+      <param>.pem</param>
+      <param name="join"></param>
+      <param name="multi" type="boolean">True</param>
+      <target>postfix_pem_files</target>
+    </fill>
+  </constraints>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/extras/lmtp/00-lmtp.xml b/seed/applicationservice/2022.03.08/postfix-relay/extras/lmtp/00-lmtp.xml
new file mode 100644
index 0000000..9a22c22
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postfix-relay/extras/lmtp/00-lmtp.xml
@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rougail version="0.10">
+  <variables>
+    <variable name="server_lmtp" description="LMTP remote server" type="domainname" provider="lmtp_server" multi="True"/>
+    <family name="lmtp_" description="LMTP " dynamic="lmtp.server_lmtp">
+      <variable name="criteria_" description="transport criteria" type="string" multi="True" mandatory="True" hidden="True" provider="lmtp_criteria"/>
+    </family>
+  </variables>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/funcs/opendkim.py b/seed/applicationservice/2022.03.08/postfix-relay/funcs/opendkim.py
new file mode 100644
index 0000000..608947a
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postfix-relay/funcs/opendkim.py
@@ -0,0 +1,29 @@
+import dkim.dknewkey as _dknewkey
+from os.path import dirname as _dirname, abspath as _abspath, join as _join, isfile as _isfile, isdir as _isdir
+from os import makedirs as _makedirs
+from shutil import rmtree as _rmtree
+import __main__
+
+def _eprint(*args, **kwargs):
+    pass
+
+_dknewkey.eprint = _eprint
+
+
+HERE = _dirname(_abspath(__main__.__file__))
+DKIM_DIR = _join(HERE, 'pki/dkim')
+
+
+def get_dkim_key(domain_name_eth0, domain):
+    dkim_dir = _join(DKIM_DIR, domain_name_eth0, domain)
+    dkim_file_src = _join(dkim_dir, f'{domain}')
+    dkim_file_key = _join(dkim_dir, f'{domain}.key')
+    dkim_file = _join(dkim_dir, f'{domain}.dns')
+    if not _isfile(dkim_file):
+        if _isdir(dkim_dir):
+            _rmtree(dkim_dir)
+        _makedirs(dkim_dir)
+        priv_key = _dknewkey.GenEd25519Keys(dkim_file_src)
+        _dknewkey.ExtractEd25519PublicKey(dkim_file_key, priv_key)
+    with open(dkim_file_key, 'r') as fh:
+        return fh.read().strip()
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/manual/image/preinstall/postfix_relay.sh b/seed/applicationservice/2022.03.08/postfix-relay/manual/image/preinstall/postfix_relay.sh
new file mode 100644
index 0000000..9201488
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postfix-relay/manual/image/preinstall/postfix_relay.sh
@@ -0,0 +1 @@
+PKG="$PKG postfix cyrus-sasl cyrus-sasl-plain opendkim opendmarc"
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/templates/12-managesieve.conf b/seed/applicationservice/2022.03.08/postfix-relay/templates/12-managesieve.conf
new file mode 100644
index 0000000..c06febc
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postfix-relay/templates/12-managesieve.conf
@@ -0,0 +1,23 @@
+# Uncomment to enable managesieve protocol:
+protocols = $protocols sieve
+
+service managesieve-login {
+  inet_listener sieve {
+    port = 4190
+  }
+
+  #inet_listener sieve_deprecated {
+  #  port = 2000
+  #}
+
+  # Number of connections to handle before starting a new process. Typically
+  # the only useful values are 0 (unlimited) or 1. 1 is more secure, but 0
+  # is faster. <doc/wiki/LoginProcess.txt>
+  service_count = 1
+
+  # Number of processes to always keep waiting for more connections.
+  process_min_avail = 0
+
+  # If you set service_count=0, you probably need to grow this.
+  vsz_limit = 64M
+}
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/templates/KeyTable b/seed/applicationservice/2022.03.08/postfix-relay/templates/KeyTable
new file mode 100644
index 0000000..5b1114b
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postfix-relay/templates/KeyTable
@@ -0,0 +1,9 @@
+# OPENDKIM KEY TABLE
+# To use this file, uncomment the #KeyTable option in /etc/opendkim.conf,
+# then uncomment the following line and replace example.com with your domain
+# name, then restart OpenDKIM. Additional keys may be added on separate lines.
+
+#default._domainkey.example.com example.com:default:/etc/opendkim/keys/default.private
+%for %%idx, %%domain in %%enumerate(%%postfix_relay_domains)
+default._domainkey.%%domain %%domain:default:%%opendkim_keys[%%idx]
+%end for
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/templates/SigningTable b/seed/applicationservice/2022.03.08/postfix-relay/templates/SigningTable
new file mode 100644
index 0000000..bf0df9d
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postfix-relay/templates/SigningTable
@@ -0,0 +1,28 @@
+# OPENDKIM SIGNING TABLE
+# This table controls how to apply one or more signatures to outgoing messages based
+# on the address found in the From: header field. In simple terms, this tells
+# OpenDKIM "how" to apply your keys.
+
+# To use this file, uncomment the SigningTable option in /etc/opendkim.conf,
+# then uncomment one of the usage examples below and replace example.com with your
+# domain name, then restart OpenDKIM.
+
+# WILDCARD EXAMPLE
+# Enables signing for any address on the listed domain(s), but will work only if
+# "refile:/etc/opendkim/SigningTable" is included in /etc/opendkim.conf.
+# Create additional lines for additional domains.
+
+#*@example.com default._domainkey.example.com
+
+# NON-WILDCARD EXAMPLE
+# If "file:" (instead of "refile:") is specified in /etc/opendkim.conf, then
+# wildcards will not work. Instead, full user@host is checked first, then simply host,
+# then user@.domain (with all superdomains checked in sequence, so "foo.example.com"
+# would first check "user@foo.example.com", then "user@.example.com", then "user@.com"),
+# then .domain, then user@*, and finally *. See the opendkim.conf(5) man page under
+# "SigningTable" for more details.
+
+#example.com default._domainkey.example.com
+%for %%domain in %%postfix_relay_domains
+%%domain default._domainkey.%%domain
+%end for
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/templates/TrustedHosts b/seed/applicationservice/2022.03.08/postfix-relay/templates/TrustedHosts
new file mode 100644
index 0000000..09824c2
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postfix-relay/templates/TrustedHosts
@@ -0,0 +1,12 @@
+# OPENDKIM TRUSTED HOSTS
+# To use this file, uncomment the #ExternalIgnoreList and/or the #InternalHosts
+# option in /etc/opendkim.conf then restart OpenDKIM. Additional hosts
+# may be added on separate lines (IP addresses, hostnames, or CIDR ranges).
+# The localhost IP (127.0.0.1) should always be the first entry in this file.
+127.0.0.1
+::1
+#host.example.com
+#192.168.1.0/24
+%for %%domain in %%postfix_relay_domains
+*.%%domain
+%end for
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/templates/ca_MailServer.crt b/seed/applicationservice/2022.03.08/postfix-relay/templates/ca_MailServer.crt
new file mode 100644
index 0000000..dadb6c9
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postfix-relay/templates/ca_MailServer.crt
@@ -0,0 +1 @@
+%%postfix_ca_chain
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/templates/lmtp b/seed/applicationservice/2022.03.08/postfix-relay/templates/lmtp
new file mode 100644
index 0000000..f0657b2
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postfix-relay/templates/lmtp
@@ -0,0 +1,6 @@
+%for %%domain in %%lmtp.server_lmtp
+  %set %%name=%%normalize_family(%%domain)
+  %for %%lst in %%lmtp['lmtp_' + name]['criteria_' + %%name]
+%%lst                       lmtp:[%%domain]:8024
+  %end for
+%end for
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/templates/main.cf b/seed/applicationservice/2022.03.08/postfix-relay/templates/main.cf
new file mode 100644
index 0000000..e383cda
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postfix-relay/templates/main.cf
@@ -0,0 +1,811 @@
+# Global Postfix configuration file. This file lists only a subset
+# of all parameters. For the syntax, and for a complete parameter
+# list, see the postconf(5) manual page (command: "man 5 postconf").
+#
+# For common configuration examples, see BASIC_CONFIGURATION_README
+# and STANDARD_CONFIGURATION_README. To find these documents, use
+# the command "postconf html_directory readme_directory", or go to
+# http://www.postfix.org/BASIC_CONFIGURATION_README.html etc.
+#
+# For best results, change no more than 2-3 parameters at a time,
+# and test if Postfix still works after every change.
+
+# COMPATIBILITY
+#
+# The compatibility_level determines what default settings Postfix
+# will use for main.cf and master.cf settings. These defaults will
+# change over time.
+#
+# To avoid breaking things, Postfix will use backwards-compatible
+# default settings and log where it uses those old backwards-compatible
+# default settings, until the system administrator has determined
+# if any backwards-compatible default settings need to be made
+# permanent in main.cf or master.cf.
+#
+# When this review is complete, update the compatibility_level setting
+# below as recommended in the RELEASE_NOTES file.
+#
+# The level below is what should be used with new (not upgrade) installs.
+#
+compatibility_level = 3.6
+
+# SOFT BOUNCE
+#
+# The soft_bounce parameter provides a limited safety net for
+# testing.  When soft_bounce is enabled, mail will remain queued that
+# would otherwise bounce. This parameter disables locally-generated
+# bounces, and prevents the SMTP server from rejecting mail permanently
+# (by changing 5xx replies into 4xx replies). However, soft_bounce
+# is no cure for address rewriting mistakes or mail routing mistakes.
+#
+#soft_bounce = no
+
+# LOCAL PATHNAME INFORMATION
+#
+# The queue_directory specifies the location of the Postfix queue.
+# This is also the root directory of Postfix daemons that run chrooted.
+# See the files in examples/chroot-setup for setting up Postfix chroot
+# environments on different UNIX systems.
+#
+# GNUNUX queue_directory = /var/spool/postfix
+#>GNUNUX
+queue_directory = /srv/postfix/spool
+#<GNUNUX
+
+# The command_directory parameter specifies the location of all
+# postXXX commands.
+#
+command_directory = /usr/sbin
+
+# The daemon_directory parameter specifies the location of all Postfix
+# daemon programs (i.e. programs listed in the master.cf file). This
+# directory must be owned by root.
+#
+daemon_directory = /usr/libexec/postfix
+
+# The data_directory parameter specifies the location of Postfix-writable
+# data files (caches, random numbers). This directory must be owned
+# by the mail_owner account (see below).
+#
+# GNUNUX data_directory = /var/lib/postfix
+#>GNUNUX
+data_directory = /srv/postfix/data
+#<GNUNUX
+
+# QUEUE AND PROCESS OWNERSHIP
+#
+# The mail_owner parameter specifies the owner of the Postfix queue
+# and of most Postfix daemon processes.  Specify the name of a user
+# account THAT DOES NOT SHARE ITS USER OR GROUP ID WITH OTHER ACCOUNTS
+# AND THAT OWNS NO OTHER FILES OR PROCESSES ON THE SYSTEM.  In
+# particular, don't specify nobody or daemon. PLEASE USE A DEDICATED
+# USER.
+#
+mail_owner = postfix
+
+# The default_privs parameter specifies the default rights used by
+# the local delivery agent for delivery to external file or command.
+# These rights are used in the absence of a recipient user context.
+# DO NOT SPECIFY A PRIVILEGED USER OR THE POSTFIX OWNER.
+#
+#default_privs = nobody
+
+# INTERNET HOST AND DOMAIN NAMES
+# 
+# The myhostname parameter specifies the internet hostname of this
+# mail system. The default is to use the fully-qualified domain name
+# from gethostname(). $myhostname is used as a default value for many
+# other configuration parameters.
+#
+#myhostname = host.domain.tld
+#myhostname = virtual.domain.tld
+myhostname = %%postfix_mail_hostname
+
+# The mydomain parameter specifies the local internet domain name.
+# The default is to use $myhostname minus the first component.
+# $mydomain is used as a default value for many other configuration
+# parameters.
+#
+#mydomain = domain.tld
+
+# SENDING MAIL
+# 
+# The myorigin parameter specifies the domain that locally-posted
+# mail appears to come from. The default is to append $myhostname,
+# which is fine for small sites.  If you run a domain with multiple
+# machines, you should (1) change this to $mydomain and (2) set up
+# a domain-wide alias database that aliases each user to
+# user@that.users.mailhost.
+#
+# For the sake of consistency between sender and recipient addresses,
+# myorigin also specifies the default domain name that is appended
+# to recipient addresses that have no @domain part.
+#
+#myorigin = $myhostname
+#myorigin = $mydomain
+myorigin = %%postfix_mail_hostname
+
+# RECEIVING MAIL
+
+# The inet_interfaces parameter specifies the network interface
+# addresses that this mail system receives mail on.  By default,
+# the software claims all active interfaces on the machine. The
+# parameter also controls delivery of mail to user@[ip.address].
+#
+# See also the proxy_interfaces parameter, for network addresses that
+# are forwarded to us via a proxy or network address translator.
+#
+# Note: you need to stop/start Postfix when this parameter changes.
+#
+#inet_interfaces = all
+#inet_interfaces = $myhostname
+#inet_interfaces = $myhostname, localhost
+# GNUNUX inet_interfaces = localhost
+inet_interfaces = all
+
+# Enable IPv4, and IPv6 if supported
+inet_protocols = all
+
+# The proxy_interfaces parameter specifies the network interface
+# addresses that this mail system receives mail on by way of a
+# proxy or network address translation unit. This setting extends
+# the address list specified with the inet_interfaces parameter.
+#
+# You must specify your proxy/NAT addresses when your system is a
+# backup MX host for other domains, otherwise mail delivery loops
+# will happen when the primary MX host is down.
+#
+#proxy_interfaces =
+#proxy_interfaces = 1.2.3.4
+
+# The mydestination parameter specifies the list of domains that this
+# machine considers itself the final destination for.
+#
+# These domains are routed to the delivery agent specified with the
+# local_transport parameter setting. By default, that is the UNIX
+# compatible delivery agent that lookups all recipients in /etc/passwd
+# and /etc/aliases or their equivalent.
+#
+# The default is $myhostname + localhost.$mydomain + localhost.  On
+# a mail domain gateway, you should also include $mydomain.
+#
+# Do not specify the names of virtual domains - those domains are
+# specified elsewhere (see VIRTUAL_README).
+#
+# Do not specify the names of domains that this machine is backup MX
+# host for. Specify those names via the relay_domains settings for
+# the SMTP server, or use permit_mx_backup if you are lazy (see
+# STANDARD_CONFIGURATION_README).
+#
+# The local machine is always the final destination for mail addressed
+# to user@[the.net.work.address] of an interface that the mail system
+# receives mail on (see the inet_interfaces parameter).
+#
+# Specify a list of host or domain names, /file/name or type:table
+# patterns, separated by commas and/or whitespace. A /file/name
+# pattern is replaced by its contents; a type:table is matched when
+# a name matches a lookup key (the right-hand side is ignored).
+# Continue long lines by starting the next line with whitespace.
+#
+# See also below, section "REJECTING MAIL FOR UNKNOWN LOCAL USERS".
+#
+mydestination = localhost
+
+#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain
+#mydestination = $myhostname, localhost.$mydomain, localhost, $mydomain,
+#	mail.$mydomain, www.$mydomain, ftp.$mydomain
+
+# REJECTING MAIL FOR UNKNOWN LOCAL USERS
+#
+# The local_recipient_maps parameter specifies optional lookup tables
+# with all names or addresses of users that are local with respect
+# to $mydestination, $inet_interfaces or $proxy_interfaces.
+#
+# If this parameter is defined, then the SMTP server will reject
+# mail for unknown local users. This parameter is defined by default.
+#
+# To turn off local recipient checking in the SMTP server, specify
+# local_recipient_maps = (i.e. empty).
+#
+# The default setting assumes that you use the default Postfix local
+# delivery agent for local delivery. You need to update the
+# local_recipient_maps setting if:
+#
+# - You define $mydestination domain recipients in files other than
+#   /etc/passwd, /etc/aliases, or the $virtual_alias_maps files.
+#   For example, you define $mydestination domain recipients in    
+#   the $virtual_mailbox_maps files.
+#
+# - You redefine the local delivery agent in master.cf.
+#
+# - You redefine the "local_transport" setting in main.cf.
+#
+# - You use the "luser_relay", "mailbox_transport", or "fallback_transport"
+#   feature of the Postfix local delivery agent (see local(8)).
+#
+# Details are described in the LOCAL_RECIPIENT_README file.
+#
+# Beware: if the Postfix SMTP server runs chrooted, you probably have
+# to access the passwd file via the proxymap service, in order to
+# overcome chroot restrictions. The alternative, having a copy of
+# the system passwd file in the chroot jail is just not practical.
+#
+# The right-hand side of the lookup tables is conveniently ignored.
+# In the left-hand side, specify a bare username, an @domain.tld
+# wild-card, or specify a user@domain.tld address.
+# 
+#local_recipient_maps = unix:passwd.byname $alias_maps
+#local_recipient_maps = proxy:unix:passwd.byname $alias_maps
+#local_recipient_maps =
+
+# The unknown_local_recipient_reject_code specifies the SMTP server
+# response code when a recipient domain matches $mydestination or
+# ${proxy,inet}_interfaces, while $local_recipient_maps is non-empty
+# and the recipient address or address local-part is not found.
+#
+# The default setting is 550 (reject mail) but it is safer to start
+# with 450 (try again later) until you are certain that your
+# local_recipient_maps settings are OK.
+#
+unknown_local_recipient_reject_code = 550
+#>GNUNUX
+unverified_recipient_reject_code = 550
+#<GNUNUX
+
+# TRUST AND RELAY CONTROL
+
+smtpd_recipient_restrictions =
+        permit_mynetworks,
+        permit_sasl_authenticated,  # FIXME needed? and other sasl_ options!
+        reject_sender_login_mismatch,
+        reject_unauth_destination,
+        reject_unknown_client,
+        reject_unverified_recipient,
+        reject_non_fqdn_recipient,
+        reject_unknown_recipient_domain,
+        reject_unlisted_recipient,
+        reject_invalid_hostname,
+        reject_non_fqdn_hostname,
+        reject_invalid_helo_hostname,
+        reject_non_fqdn_helo_hostname,
+	reject_rbl_client zen.spamhaus.org,
+        reject_non_fqdn_sender,
+        reject_unknown_sender_domain,
+	#reject_unauth_pipelining
+# FIXME        check_sender_access hash:/etc/postfix/sender_access,
+# FIXME        check_recipient_access hash:/etc/postfix/recv_access,
+
+
+# The mynetworks parameter specifies the list of "trusted" SMTP
+# clients that have more privileges than "strangers".
+#
+# In particular, "trusted" SMTP clients are allowed to relay mail
+# through Postfix.  See the smtpd_recipient_restrictions parameter
+# in postconf(5).
+#
+# You can specify the list of "trusted" network addresses by hand
+# or you can let Postfix do it for you (which is the default).
+#
+# By default (mynetworks_style = subnet), Postfix "trusts" SMTP
+# clients in the same IP subnetworks as the local machine.
+# On Linux, this works correctly only with interfaces specified
+# with the "ifconfig" command.
+# 
+# Specify "mynetworks_style = class" when Postfix should "trust" SMTP
+# clients in the same IP class A/B/C networks as the local machine.
+# Don't do this with a dialup site - it would cause Postfix to "trust"
+# your entire provider's network.  Instead, specify an explicit
+# mynetworks list by hand, as described below.
+#  
+# Specify "mynetworks_style = host" when Postfix should "trust"
+# only the local machine.
+# 
+#mynetworks_style = class
+#mynetworks_style = subnet
+#mynetworks_style = host
+
+# Alternatively, you can specify the mynetworks list by hand, in
+# which case Postfix ignores the mynetworks_style setting.
+#
+# Specify an explicit list of network/netmask patterns, where the
+# mask specifies the number of bits in the network part of a host
+# address.
+#
+# You can also specify the absolute pathname of a pattern file instead
+# of listing the patterns here. Specify type:table for table-based lookups
+# (the value on the table right-hand side is not used).
+#
+#mynetworks = 168.100.3.0/28, 127.0.0.0/8
+#mynetworks = $config_directory/mynetworks
+#mynetworks = hash:/etc/postfix/network_table
+mynetworks = 172.0.0.0/8
+
+# The relay_domains parameter restricts what destinations this system will
+# relay mail to.  See the smtpd_recipient_restrictions description in
+# postconf(5) for detailed information.
+#
+# By default, Postfix relays mail
+# - from "trusted" clients (IP address matches $mynetworks) to any destination,
+# - from "untrusted" clients to destinations that match $relay_domains or
+#   subdomains thereof, except addresses with sender-specified routing.
+# The default relay_domains value is $mydestination.
+# 
+# In addition to the above, the Postfix SMTP server by default accepts mail
+# that Postfix is final destination for:
+# - destinations that match $inet_interfaces or $proxy_interfaces,
+# - destinations that match $mydestination
+# - destinations that match $virtual_alias_domains,
+# - destinations that match $virtual_mailbox_domains.
+# These destinations do not need to be listed in $relay_domains.
+# 
+# Specify a list of hosts or domains, /file/name patterns or type:name
+# lookup tables, separated by commas and/or whitespace.  Continue
+# long lines by starting the next line with whitespace. A file name
+# is replaced by its contents; a type:name table is matched when a
+# (parent) domain appears as lookup key.
+#
+# NOTE: Postfix will not automatically forward mail for domains that
+# list this system as their primary or backup MX host. See the
+# permit_mx_backup restriction description in postconf(5).
+#
+#relay_domains = $mydestination
+#>GNUNUX
+%if %%lmtp.server_lmtp
+transport_maps = hash:/etc/postfix/lmtp
+%end if
+#<GNUNUX
+
+# INTERNET OR INTRANET
+
+# The relayhost parameter specifies the default host to send mail to
+# when no entry is matched in the optional transport(5) table. When
+# no relayhost is given, mail is routed directly to the destination.
+#
+# On an intranet, specify the organizational domain name. If your
+# internal DNS uses no MX records, specify the name of the intranet
+# gateway host instead.
+#
+# In the case of SMTP, specify a domain, host, host:port, [host]:port,
+# [address] or [address]:port; the form [host] turns off MX lookups.
+#
+# If you're connected via UUCP, see also the default_transport parameter.
+#
+#relayhost = $mydomain
+#relayhost = [gateway.my.domain]
+#relayhost = [mailserver.isp.tld]
+#relayhost = uucphost
+#relayhost = [an.ip.add.ress]
+
+# REJECTING UNKNOWN RELAY USERS
+#
+# The relay_recipient_maps parameter specifies optional lookup tables
+# with all addresses in the domains that match $relay_domains.
+#
+# If this parameter is defined, then the SMTP server will reject
+# mail for unknown relay users. This feature is off by default.
+#
+# The right-hand side of the lookup tables is conveniently ignored.
+# In the left-hand side, specify an @domain.tld wild-card, or specify
+# a user@domain.tld address.
+# 
+#relay_recipient_maps = hash:/etc/postfix/relay_recipients
+
+# INPUT RATE CONTROL
+#
+# The in_flow_delay configuration parameter implements mail input
+# flow control. This feature is turned on by default, although it
+# still needs further development (it's disabled on SCO UNIX due
+# to an SCO bug).
+# 
+# A Postfix process will pause for $in_flow_delay seconds before
+# accepting a new message, when the message arrival rate exceeds the
+# message delivery rate. With the default 100 SMTP server process
+# limit, this limits the mail inflow to 100 messages a second more
+# than the number of messages delivered per second.
+# 
+# Specify 0 to disable the feature. Valid delays are 0..10.
+# 
+#in_flow_delay = 1s
+
+# ADDRESS REWRITING
+#
+# The ADDRESS_REWRITING_README document gives information about
+# address masquerading or other forms of address rewriting including
+# username->Firstname.Lastname mapping.
+
+# ADDRESS REDIRECTION (VIRTUAL DOMAIN)
+#
+# The VIRTUAL_README document gives information about the many forms
+# of domain hosting that Postfix supports.
+
+# "USER HAS MOVED" BOUNCE MESSAGES
+#
+# See the discussion in the ADDRESS_REWRITING_README document.
+
+# TRANSPORT MAP
+#
+# See the discussion in the ADDRESS_REWRITING_README document.
+
+# ALIAS DATABASE
+#
+# The alias_maps parameter specifies the list of alias databases used
+# by the local delivery agent. The default list is system dependent.
+#
+# On systems with NIS, the default is to search the local alias
+# database, then the NIS alias database. See aliases(5) for syntax
+# details.
+# 
+# If you change the alias database, run "postalias /etc/aliases" (or
+# wherever your system stores the mail alias file), or simply run
+# "newaliases" to build the necessary DBM or DB file.
+#
+# It will take a minute or so before changes become visible.  Use
+# "postfix reload" to eliminate the delay.
+#
+#alias_maps = dbm:/etc/aliases
+alias_maps = hash:/etc/aliases
+#alias_maps = hash:/etc/aliases, nis:mail.aliases
+#alias_maps = netinfo:/aliases
+
+# The alias_database parameter specifies the alias database(s) that
+# are built with "newaliases" or "sendmail -bi".  This is a separate
+# configuration parameter, because alias_maps (see above) may specify
+# tables that are not necessarily all under control by Postfix.
+#
+#alias_database = dbm:/etc/aliases
+#alias_database = dbm:/etc/mail/aliases
+alias_database = hash:/etc/aliases
+#alias_database = hash:/etc/aliases, hash:/opt/majordomo/aliases
+
+# ADDRESS EXTENSIONS (e.g., user+foo)
+#
+# The recipient_delimiter parameter specifies the separator between
+# user names and address extensions (user+foo). See canonical(5),
+# local(8), relocated(5) and virtual(5) for the effects this has on
+# aliases, canonical, virtual, relocated and .forward file lookups.
+# Basically, the software tries user+foo and .forward+foo before
+# trying user and .forward.
+#
+#recipient_delimiter = +
+
+# DELIVERY TO MAILBOX
+#
+# The home_mailbox parameter specifies the optional pathname of a
+# mailbox file relative to a user's home directory. The default
+# mailbox file is /var/spool/mail/user or /var/mail/user.  Specify
+# "Maildir/" for qmail-style delivery (the / is required).
+#
+#home_mailbox = Mailbox
+#home_mailbox = Maildir/
+ 
+# The mail_spool_directory parameter specifies the directory where
+# UNIX-style mailboxes are kept. The default setting depends on the
+# system type.
+#
+#mail_spool_directory = /var/mail
+#mail_spool_directory = /var/spool/mail
+
+# The mailbox_command parameter specifies the optional external
+# command to use instead of mailbox delivery. The command is run as
+# the recipient with proper HOME, SHELL and LOGNAME environment settings.
+# Exception:  delivery for root is done as $default_user.
+#
+# Other environment variables of interest: USER (recipient username),
+# EXTENSION (address extension), DOMAIN (domain part of address),
+# and LOCAL (the address localpart).
+#
+# Unlike other Postfix configuration parameters, the mailbox_command
+# parameter is not subjected to $parameter substitutions. This is to
+# make it easier to specify shell syntax (see example below).
+#
+# Avoid shell meta characters because they will force Postfix to run
+# an expensive shell process. Procmail alone is expensive enough.
+#
+# IF YOU USE THIS TO DELIVER MAIL SYSTEM-WIDE, YOU MUST SET UP AN
+# ALIAS THAT FORWARDS MAIL FOR ROOT TO A REAL USER.
+#
+#mailbox_command = /some/where/procmail
+#mailbox_command = /some/where/procmail -a "$EXTENSION"
+
+# The mailbox_transport specifies the optional transport in master.cf
+# to use after processing aliases and .forward files. This parameter
+# has precedence over the mailbox_command, fallback_transport and
+# luser_relay parameters.
+#
+# Specify a string of the form transport:nexthop, where transport is
+# the name of a mail delivery transport defined in master.cf.  The
+# :nexthop part is optional. For more details see the sample transport
+# configuration file.
+#
+# NOTE: if you use this feature for accounts not in the UNIX password
+# file, then you must update the "local_recipient_maps" setting in
+# the main.cf file, otherwise the SMTP server will reject mail for    
+# non-UNIX accounts with "User unknown in local recipient table".
+#
+# Cyrus IMAP over LMTP. Specify ``lmtpunix      cmd="lmtpd"
+# listen="/var/imap/socket/lmtp" prefork=0'' in cyrus.conf.
+#mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
+
+# If using the cyrus-imapd IMAP server deliver local mail to the IMAP
+# server using LMTP (Local Mail Transport Protocol), this is prefered
+# over the older cyrus deliver program by setting the
+# mailbox_transport as below:
+#
+# mailbox_transport = lmtp:unix:/var/lib/imap/socket/lmtp
+#
+# The efficiency of LMTP delivery for cyrus-imapd can be enhanced via
+# these settings.
+#
+# local_destination_recipient_limit = 300
+# local_destination_concurrency_limit = 5
+#
+# Of course you should adjust these settings as appropriate for the
+# capacity of the hardware you are using. The recipient limit setting
+# can be used to take advantage of the single instance message store
+# capability of Cyrus. The concurrency limit can be used to control
+# how many simultaneous LMTP sessions will be permitted to the Cyrus
+# message store.
+#
+# Cyrus IMAP via command line. Uncomment the "cyrus...pipe" and
+# subsequent line in master.cf.
+#mailbox_transport = cyrus
+
+# The fallback_transport specifies the optional transport in master.cf
+# to use for recipients that are not found in the UNIX passwd database.
+# This parameter has precedence over the luser_relay parameter.
+#
+# Specify a string of the form transport:nexthop, where transport is
+# the name of a mail delivery transport defined in master.cf.  The
+# :nexthop part is optional. For more details see the sample transport
+# configuration file.
+#
+# NOTE: if you use this feature for accounts not in the UNIX password
+# file, then you must update the "local_recipient_maps" setting in
+# the main.cf file, otherwise the SMTP server will reject mail for    
+# non-UNIX accounts with "User unknown in local recipient table".
+#
+#fallback_transport = lmtp:unix:/var/lib/imap/socket/lmtp
+#fallback_transport =
+
+# The luser_relay parameter specifies an optional destination address
+# for unknown recipients.  By default, mail for unknown@$mydestination,
+# unknown@[$inet_interfaces] or unknown@[$proxy_interfaces] is returned
+# as undeliverable.
+#
+# The following expansions are done on luser_relay: $user (recipient
+# username), $shell (recipient shell), $home (recipient home directory),
+# $recipient (full recipient address), $extension (recipient address
+# extension), $domain (recipient domain), $local (entire recipient
+# localpart), $recipient_delimiter. Specify ${name?value} or
+# ${name:value} to expand value only when $name does (does not) exist.
+#
+# luser_relay works only for the default Postfix local delivery agent.
+#
+# NOTE: if you use this feature for accounts not in the UNIX password
+# file, then you must specify "local_recipient_maps =" (i.e. empty) in
+# the main.cf file, otherwise the SMTP server will reject mail for    
+# non-UNIX accounts with "User unknown in local recipient table".
+#
+#luser_relay = $user@other.host
+#luser_relay = $local@other.host
+#luser_relay = admin+$local
+  
+# JUNK MAIL CONTROLS
+# 
+# The controls listed here are only a very small subset. The file
+# SMTPD_ACCESS_README provides an overview.
+
+# The header_checks parameter specifies an optional table with patterns
+# that each logical message header is matched against, including
+# headers that span multiple physical lines.
+#
+# By default, these patterns also apply to MIME headers and to the
+# headers of attached messages. With older Postfix versions, MIME and
+# attached message headers were treated as body text.
+#
+# For details, see "man header_checks".
+#
+#header_checks = regexp:/etc/postfix/header_checks
+
+# FAST ETRN SERVICE
+#
+# Postfix maintains per-destination logfiles with information about
+# deferred mail, so that mail can be flushed quickly with the SMTP
+# "ETRN domain.tld" command, or by executing "sendmail -qRdomain.tld".
+# See the ETRN_README document for a detailed description.
+# 
+# The fast_flush_domains parameter controls what destinations are
+# eligible for this service. By default, they are all domains that
+# this server is willing to relay mail to.
+# 
+#fast_flush_domains = $relay_domains
+
+# SHOW SOFTWARE VERSION OR NOT
+#
+# The smtpd_banner parameter specifies the text that follows the 220
+# code in the SMTP server's greeting banner. Some people like to see
+# the mail version advertised. By default, Postfix shows no version.
+#
+# You MUST specify $myhostname at the start of the text. That is an
+# RFC requirement. Postfix itself does not care.
+#
+#smtpd_banner = $myhostname ESMTP $mail_name
+#smtpd_banner = $myhostname ESMTP $mail_name ($mail_version)
+
+# PARALLEL DELIVERY TO THE SAME DESTINATION
+#
+# How many parallel deliveries to the same user or domain? With local
+# delivery, it does not make sense to do massively parallel delivery
+# to the same user, because mailbox updates must happen sequentially,
+# and expensive pipelines in .forward files can cause disasters when
+# too many are run at the same time. With SMTP deliveries, 10
+# simultaneous connections to the same domain could be sufficient to
+# raise eyebrows.
+# 
+# Each message delivery transport has its XXX_destination_concurrency_limit
+# parameter.  The default is $default_destination_concurrency_limit for
+# most delivery transports. For the local delivery agent the default is 2.
+
+#local_destination_concurrency_limit = 2
+#default_destination_concurrency_limit = 20
+
+# DEBUGGING CONTROL
+#
+# The debug_peer_level parameter specifies the increment in verbose
+# logging level when an SMTP client or server host name or address
+# matches a pattern in the debug_peer_list parameter.
+#
+debug_peer_level = 2
+
+# The debug_peer_list parameter specifies an optional list of domain
+# or network patterns, /file/name patterns or type:name tables. When
+# an SMTP client or server host name or address matches a pattern,
+# increase the verbose logging level by the amount specified in the
+# debug_peer_level parameter.
+#
+#debug_peer_list = 127.0.0.1
+#debug_peer_list = some.domain
+
+# The debugger_command specifies the external command that is executed
+# when a Postfix daemon program is run with the -D option.
+#
+# Use "command .. & sleep 5" so that the debugger can attach before
+# the process marches on. If you use an X-based debugger, be sure to
+# set up your XAUTHORITY environment variable before starting Postfix.
+#
+debugger_command =
+	 PATH=/bin:/usr/bin:/usr/local/bin:/usr/X11R6/bin
+	 ddd $daemon_directory/$process_name $process_id & sleep 5
+
+# If you can't use X, use this to capture the call stack when a
+# daemon crashes. The result is in a file in the configuration
+# directory, and is named after the process name and the process ID.
+#
+# debugger_command =
+#	PATH=/bin:/usr/bin:/usr/local/bin; export PATH; (echo cont;
+#	echo where) | gdb $daemon_directory/$process_name $process_id 2>&1
+#	>$config_directory/$process_name.$process_id.log & sleep 5
+#
+# Another possibility is to run gdb under a detached screen session.
+# To attach to the screen session, su root and run "screen -r
+# <id_string>" where <id_string> uniquely matches one of the detached
+# sessions (from "screen -list").
+#
+# debugger_command =
+#	PATH=/bin:/usr/bin:/sbin:/usr/sbin; export PATH; screen
+#	-dmS $process_name gdb $daemon_directory/$process_name
+#	$process_id & sleep 1
+
+# INSTALL-TIME CONFIGURATION INFORMATION
+#
+# The following parameters are used when installing a new Postfix version.
+# 
+# sendmail_path: The full pathname of the Postfix sendmail command.
+# This is the Sendmail-compatible mail posting interface.
+# 
+sendmail_path = /usr/sbin/sendmail.postfix
+
+# newaliases_path: The full pathname of the Postfix newaliases command.
+# This is the Sendmail-compatible command to build alias databases.
+#
+newaliases_path = /usr/bin/newaliases.postfix
+
+# mailq_path: The full pathname of the Postfix mailq command.  This
+# is the Sendmail-compatible mail queue listing command.
+# 
+mailq_path = /usr/bin/mailq.postfix
+
+# setgid_group: The group for mail submission and queue management
+# commands.  This must be a group name with a numerical group ID that
+# is not shared with other accounts, not even with the Postfix account.
+#
+setgid_group = postdrop
+
+# html_directory: The location of the Postfix HTML documentation.
+#
+html_directory = no
+
+# manpage_directory: The location of the Postfix on-line manual pages.
+#
+manpage_directory = /usr/share/man
+
+# sample_directory: The location of the Postfix sample configuration files.
+# This parameter is obsolete as of Postfix 2.1.
+#
+sample_directory = /usr/share/doc/postfix/samples
+
+# readme_directory: The location of the Postfix README files.
+#
+readme_directory = /usr/share/doc/postfix/README_FILES
+
+# TLS CONFIGURATION
+#
+# Basic Postfix TLS configuration by default with self-signed certificate
+# for inbound SMTP and also opportunistic TLS for outbound SMTP.
+
+# The full pathname of a file with the Postfix SMTP server RSA certificate
+# in PEM format. Intermediate certificates should be included in general,
+# the server certificate first, then the issuing CA(s) (bottom-up order).
+#
+smtpd_tls_cert_file = /etc/pki/tls/certs/postfix.crt
+
+# The full pathname of a file with the Postfix SMTP server RSA private key
+# in PEM format. The private key must be accessible without a pass-phrase,
+# i.e. it must not be encrypted.
+#
+smtpd_tls_key_file = /etc/pki/tls/private/postfix.key
+
+smtpd_tls_CApath = /etc/pki/tls/certs
+#smtpd_tls_CAfile = /etc/pki/ca-trust/source/anchors/ca_MailServer.crt
+#>GNUNUX
+tls_server_sni_maps = hash:/etc/postfix/sni
+#<GNUNUX
+# Announce STARTTLS support to remote SMTP clients, but do not require that
+# clients use TLS encryption (opportunistic TLS inbound).
+#
+smtpd_tls_security_level = may
+
+# Directory with PEM format Certification Authority certificates that the
+# Postfix SMTP client uses to verify a remote SMTP server certificate.
+#
+smtp_tls_CApath = /etc/pki/tls/certs
+
+# The full pathname of a file containing CA certificates of root CAs
+# trusted to sign either remote SMTP server certificates or intermediate CA
+# certificates.
+#
+smtp_tls_CAfile = /etc/pki/ca-trust/source/anchors/ca_MailServer.crt
+
+# Use TLS if this is supported by the remote SMTP server, otherwise use
+# plaintext (opportunistic TLS outbound).
+#
+smtp_tls_security_level = may
+meta_directory = /etc/postfix
+shlib_directory = /usr/lib64/postfix
+
+#>GNUNUX
+smtpd_helo_required = yes
+disable_vrfy_command = yes
+strict_rfc821_envelopes = yes
+
+smtpd_use_tls = yes
+message_size_limit = 202400000
+biff = no
+smtpd_tls_loglevel = 1
+smtp_tls_note_starttls_offer = yes
+smtpd_tls_auth_only = yes
+smtpd_tls_received_header = yes
+
+#auth
+smtpd_sasl_auth_enable = yes
+smtpd_sasl_path = smtpd
+smtpd_sasl_security_options = noanonymous, noplaintext
+smtpd_sasl_tls_security_options = noanonymous
+
+# OpenDKIM setup
+smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:8893
+non_smtpd_milters = inet:127.0.0.1:8891,inet:127.0.0.1:8893
+milter_default_action = accept
+milter_content_timeout = 30s
+milter_protocol = 6
+#<GNUNUX
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/templates/master.cf b/seed/applicationservice/2022.03.08/postfix-relay/templates/master.cf
new file mode 100644
index 0000000..65af55c
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postfix-relay/templates/master.cf
@@ -0,0 +1,139 @@
+#
+# Postfix master process configuration file.  For details on the format
+# of the file, see the master(5) manual page (command: "man 5 master" or
+# on-line: http://www.postfix.org/master.5.html).
+#
+# Do not forget to execute "postfix reload" after editing this file.
+#
+# ==========================================================================
+# service type  private unpriv  chroot  wakeup  maxproc command + args
+#               (yes)   (yes)   (no)    (never) (100)
+# ==========================================================================
+smtp      inet  n       -       n       -       -       smtpd
+#smtp      inet  n       -       n       -       1       postscreen
+#smtpd     pass  -       -       n       -       -       smtpd
+#dnsblog   unix  -       -       n       -       0       dnsblog
+#tlsproxy  unix  -       -       n       -       0       tlsproxy
+# Choose one: enable submission for loopback clients only, or for any client.
+#127.0.0.1:submission inet n -   n       -       -       smtpd
+#  -o syslog_name=postfix/submission
+#  -o smtpd_tls_security_level=encrypt
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_tls_auth_only=yes
+#  -o smtpd_reject_unlisted_recipient=no
+#  -o smtpd_client_restrictions=$mua_client_restrictions
+#  -o smtpd_helo_restrictions=$mua_helo_restrictions
+#  -o smtpd_sender_restrictions=$mua_sender_restrictions
+#  -o smtpd_recipient_restrictions=
+#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+# Choose one: enable smtps for loopback clients only, or for any client.
+#127.0.0.1:smtps inet n  -       n       -       -       smtpd
+#smtps     inet  n       -       n       -       -       smtpd
+#>GNUNUX
+smtps     inet  n       -       n       -       -       smtpd
+#<GNUNUX
+#  -o syslog_name=postfix/smtps
+#  -o smtpd_tls_wrappermode=yes
+#  -o smtpd_sasl_auth_enable=yes
+#  -o smtpd_reject_unlisted_recipient=no
+#  -o smtpd_client_restrictions=$mua_client_restrictions
+#  -o smtpd_helo_restrictions=$mua_helo_restrictions
+#  -o smtpd_sender_restrictions=$mua_sender_restrictions
+#  -o smtpd_recipient_restrictions=
+#  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject
+#  -o milter_macro_daemon_name=ORIGINATING
+#628       inet  n       -       n       -       -       qmqpd
+pickup    unix  n       -       n       60      1       pickup
+cleanup   unix  n       -       n       -       0       cleanup
+qmgr      unix  n       -       n       300     1       qmgr
+#qmgr     unix  n       -       n       300     1       oqmgr
+tlsmgr    unix  -       -       n       1000?   1       tlsmgr
+rewrite   unix  -       -       n       -       -       trivial-rewrite
+bounce    unix  -       -       n       -       0       bounce
+defer     unix  -       -       n       -       0       bounce
+trace     unix  -       -       n       -       0       bounce
+verify    unix  -       -       n       -       1       verify
+flush     unix  n       -       n       1000?   0       flush
+proxymap  unix  -       -       n       -       -       proxymap
+proxywrite unix -       -       n       -       1       proxymap
+smtp      unix  -       -       n       -       -       smtp
+relay     unix  -       -       n       -       -       smtp
+        -o syslog_name=postfix/$service_name
+#       -o smtp_helo_timeout=5 -o smtp_connect_timeout=5
+showq     unix  n       -       n       -       -       showq
+error     unix  -       -       n       -       -       error
+retry     unix  -       -       n       -       -       error
+discard   unix  -       -       n       -       -       discard
+# GNUNUX local     unix  -       n       n       -       -       local
+virtual   unix  -       n       n       -       -       virtual
+lmtp      unix  -       -       n       -       -       lmtp
+anvil     unix  -       -       n       -       1       anvil
+scache    unix  -       -       n       -       1       scache
+postlog   unix-dgram n  -       n       -       1       postlogd
+#
+# ====================================================================
+# Interfaces to non-Postfix software. Be sure to examine the manual
+# pages of the non-Postfix software to find out what options it wants.
+#
+# Many of the following services use the Postfix pipe(8) delivery
+# agent.  See the pipe(8) man page for information about ${recipient}
+# and other message envelope options.
+# ====================================================================
+#
+# maildrop. See the Postfix MAILDROP_README file for details.
+# Also specify in main.cf: maildrop_destination_recipient_limit=1
+#
+#maildrop  unix  -       n       n       -       -       pipe
+#  flags=DRXhu user=vmail argv=/usr/local/bin/maildrop -d ${recipient}
+#
+# ====================================================================
+#
+# Recent Cyrus versions can use the existing "lmtp" master.cf entry.
+#
+# Specify in cyrus.conf:
+#   lmtp    cmd="lmtpd -a" listen="localhost:lmtp" proto=tcp4
+#
+# Specify in main.cf one or more of the following:
+#  mailbox_transport = lmtp:inet:localhost
+#  virtual_transport = lmtp:inet:localhost
+#
+# ====================================================================
+#
+# Cyrus 2.1.5 (Amos Gouaux)
+# Also specify in main.cf: cyrus_destination_recipient_limit=1
+#
+#cyrus     unix  -       n       n       -       -       pipe
+#  flags=DRX user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -r ${sender} -m ${extension} ${user}
+#
+# ====================================================================
+#
+# Old example of delivery via Cyrus.
+#
+#old-cyrus unix  -       n       n       -       -       pipe
+#  flags=R user=cyrus argv=/usr/lib/cyrus-imapd/deliver -e -m ${extension} ${user}
+#
+# ====================================================================
+#
+# See the Postfix UUCP_README file for configuration details.
+#
+#uucp      unix  -       n       n       -       -       pipe
+#  flags=Fqhu user=uucp argv=uux -r -n -z -a$sender - $nexthop!rmail ($recipient)
+#
+# ====================================================================
+#
+# Other external delivery methods.
+#
+#ifmail    unix  -       n       n       -       -       pipe
+#  flags=F user=ftn argv=/usr/lib/ifmail/ifmail -r $nexthop ($recipient)
+#
+#bsmtp     unix  -       n       n       -       -       pipe
+#  flags=Fq. user=bsmtp argv=/usr/local/sbin/bsmtp -f $sender $nexthop $recipient
+#
+#scalemail-backend unix -       n       n       -       2       pipe
+#  flags=R user=scalemail argv=/usr/lib/scalemail/bin/scalemail-store
+#  ${nexthop} ${user} ${extension}
+#
+#mailman   unix  -       n       n       -       -       pipe
+#  flags=FRX user=list argv=/usr/lib/mailman/bin/postfix-to-mailman.py
+#  ${nexthop} ${user}
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/templates/opendkim.conf b/seed/applicationservice/2022.03.08/postfix-relay/templates/opendkim.conf
new file mode 100644
index 0000000..557dabc
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postfix-relay/templates/opendkim.conf
@@ -0,0 +1,149 @@
+## BASIC OPENDKIM CONFIGURATION FILE
+## See opendkim.conf(5) or /usr/share/doc/opendkim/opendkim.conf.sample for more
+
+## BEFORE running OpenDKIM you must:
+
+## - make your MTA (Postfix, Sendmail, etc.) aware of OpenDKIM
+## - generate keys for your domain (if signing)
+## - edit your DNS records to publish your public keys (if signing)
+
+## See /usr/share/doc/opendkim/INSTALL for detailed instructions.
+
+## DEPRECATED CONFIGURATION OPTIONS
+##
+## The following configuration options are no longer valid.  They should be
+## removed from your existing configuration file to prevent potential issues.
+## Failure to do so may result in opendkim being unable to start.
+##
+## Removed in 2.10.0:
+##   AddAllSignatureResults
+##   ADSPAction
+##   ADSPNoSuchDomain
+##   BogusPolicy
+##   DisableADSP
+##   LDAPSoftStart
+##   LocalADSP
+##   NoDiscardableMailTo
+##   On-PolicyError
+##   SendADSPReports
+##   UnprotectedPolicy
+
+## CONFIGURATION OPTIONS
+
+##  Specifies the path to the process ID file.
+PidFile	/run/opendkim/opendkim.pid
+
+##  Selects operating modes. Valid modes are s (sign) and v (verify). Default is v.
+##  Must be changed to s (sign only) or sv (sign and verify) in order to sign outgoing
+##  messages.
+# GNUNUX Mode	v
+#>GNUNUX
+Mode	sv
+#<GNUNUX
+
+
+##  Log activity to the system log.
+Syslog	yes
+
+##  Log additional entries indicating successful signing or verification of messages.
+SyslogSuccess	yes
+
+##  If logging is enabled, include detailed logging about why or why not a message was
+##  signed or verified. This causes an increase in the amount of log data generated
+##  for each message, so set this to No (or comment it out) if it gets too noisy.
+LogWhy	yes
+
+##  Attempt to become the specified user before starting operations.
+UserID	opendkim:opendkim
+
+##  Create a socket through which your MTA can communicate.
+Socket	inet:8891@localhost
+
+##  Required to use local socket with MTAs that access the socket as a non-
+##  privileged user (e.g. Postfix)
+Umask	002
+
+##  This specifies a text file in which to store DKIM transaction statistics.
+##  OpenDKIM must be manually compiled with --enable-stats to enable this feature.
+# Statistics	/var/spool/opendkim/stats.dat
+
+##  Specifies whether or not the filter should generate report mail back
+##  to senders when verification fails and an address for such a purpose
+##  is provided. See opendkim.conf(5) for details.
+# GNUNUX SendReports	yes
+
+##  Specifies the sending address to be used on From: headers of outgoing
+##  failure reports.  By default, the e-mail address of the user executing
+##  the filter is used (executing_user@hostname).
+# ReportAddress	"Example.com Postmaster" <postmaster@example.com>
+
+##  Add a DKIM-Filter header field to messages passing through this filter
+##  to identify messages it has processed.
+SoftwareHeader	yes
+
+## SIGNING OPTIONS
+
+##  Selects the canonicalization method(s) to be used when signing messages.
+Canonicalization	relaxed/relaxed
+
+##  Domain(s) whose mail should be signed by this filter. Mail from other domains will
+##  be verified rather than being signed. Uncomment and use your domain name.
+##  This parameter is not required if a SigningTable is in use.
+# Domain	example.com
+
+##  Defines the name of the selector to be used when signing messages.
+Selector	default
+
+##  Specifies the minimum number of key bits for acceptable keys and signatures.
+MinimumKeyBits	1024
+
+##  Gives the location of a private key to be used for signing ALL messages. This
+##  directive is ignored if KeyTable is enabled.
+KeyFile	/etc/opendkim/keys/default.private
+
+##  Gives the location of a file mapping key names to signing keys. In simple terms,
+##  this tells OpenDKIM where to find your keys. If present, overrides any KeyFile
+##  directive in the configuration file. Requires SigningTable be enabled.
+# KeyTable	/etc/opendkim/KeyTable
+#>GNUNUX
+KeyTable	/etc/opendkim/KeyTable
+#<GNUNUX
+
+##  Defines a table used to select one or more signatures to apply to a message based
+##  on the address found in the From: header field. In simple terms, this tells
+##  OpenDKIM how to use your keys. Requires KeyTable be enabled.
+# SigningTable	refile:/etc/opendkim/SigningTable
+#>GNUNUX
+SigningTable	refile:/etc/opendkim/SigningTable
+#<GNUNUX
+
+##  Identifies a set of "external" hosts that may send mail through the server as one
+##  of the signing domains without credentials as such.
+# ExternalIgnoreList	refile:/etc/opendkim/TrustedHosts
+#>GNUNUX
+ExternalIgnoreList	refile:/etc/opendkim/TrustedHosts
+#<GNUNUX
+
+##  Identifies a set "internal" hosts whose mail should be signed rather than verified.
+# InternalHosts	refile:/etc/opendkim/TrustedHosts
+#>GNUNUX
+InternalHosts	refile:/etc/opendkim/TrustedHosts
+#<GNUNUX
+
+##  Contains a list of IP addresses, CIDR blocks, hostnames or domain names
+##  whose mail should be neither signed nor verified by this filter.  See man
+##  page for file format.
+# PeerList	X.X.X.X
+
+##  Always oversign From (sign using actual From and a null From to prevent
+##  malicious signatures header fields (From and/or others) between the signer
+##  and the verifier.  From is oversigned by default in the Fedora package
+##  because it is often the identity key used by reputation systems and thus
+##  somewhat security sensitive.
+OversignHeaders	From
+
+##  Instructs the DKIM library to maintain its own local cache of keys and
+##  policies retrieved from DNS, rather than relying on the nameserver for
+##  caching service. Useful if the nameserver being used by the filter is
+##  not local.
+# QueryCache	yes
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/templates/opendkim.key b/seed/applicationservice/2022.03.08/postfix-relay/templates/opendkim.key
new file mode 100644
index 0000000..f791249
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postfix-relay/templates/opendkim.key
@@ -0,0 +1 @@
+%%get_dkim_key(%%domain_name_eth0, %%rougail_variable)
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/templates/opendmarc.conf b/seed/applicationservice/2022.03.08/postfix-relay/templates/opendmarc.conf
new file mode 100644
index 0000000..25598ec
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postfix-relay/templates/opendmarc.conf
@@ -0,0 +1,451 @@
+## opendmarc.conf -- configuration file for OpenDMARC filter
+##
+## Copyright (c) 2012-2015, 2018, 2021, The Trusted Domain Project.
+##   All rights reserved.
+
+## DEPRECATED CONFIGURATION OPTIONS
+##
+## The following configuration options are no longer valid.  They should be
+## removed from your existing configuration file to prevent potential issues.
+## Failure to do so may result in opendmarc being unable to start.
+##
+## Renamed in 1.3.0:
+##   ForensicReports became FailureReports
+##   ForensicReportsBcc became FailureReportsBcc
+##   ForensicReportsOnNone became FailureReportsOnNone
+##   ForensicReportsSentBy became FailureReportsSentBy
+
+## CONFIGURATION OPTIONS
+
+##  AuthservID (string)
+##  	defaults to MTA name
+##
+##  Sets the "authserv-id" to use when generating the Authentication-Results:
+##  header field after verifying a message.  If the string "HOSTNAME" is
+##  provided, the name of the host running the filter (as returned by the
+##  gethostname(3) function) will be used.
+#
+# AuthservID name
+
+##  AuthservIDWithJobID { true | false }
+##  	default "false"
+##
+##  If "true", requests that the authserv-id portion of the added
+##  Authentication-Results header fields contain the job ID of the message
+##  being evaluated.
+#
+# AuthservIDWithJobID false
+
+##  AutoRestart { true | false }
+##  	default "false"
+##
+##  Automatically re-start on failures. Use with caution; if the filter fails
+##  instantly after it starts, this can cause a tight fork(2) loop.
+#
+# AutoRestart false
+
+##  AutoRestartCount n
+##  	default 0
+##
+##  Sets the maximum automatic restart count.  After this number of automatic
+##  restarts, the filter will give up and terminate.  A value of 0 implies no
+##  limit.
+#
+# AutoRestartCount 0
+
+##  AutoRestartRate n/t[u]
+##  	default (no limit)
+##
+##  Sets the maximum automatic restart rate.  If the filter begins restarting
+##  faster than the rate defined here, it will give up and terminate.  This
+##  is a string of the form n/t[u] where n is an integer limiting the count
+##  of restarts in the given interval and t[u] defines the time interval
+##  through which the rate is calculated; t is an integer and u defines the
+##  units thus represented ("s" or "S" for seconds, the default; "m" or "M"
+##  for minutes; "h" or "H" for hours; "d" or "D" for days). For example, a
+##  value of "10/1h" limits the restarts to 10 in one hour. There is no
+##  default, meaning restart rate is not limited.
+#
+# AutoRestartRate n/t[u]
+
+##  Background { true | false }
+##  	default "true"
+##
+##  Causes opendmarc to fork and exits immediately, leaving the service
+##  running in the background.
+#
+# Background true
+
+##  BaseDirectory (string)
+##  	default (none)
+##
+##  If set, instructs the filter to change to the specified directory using
+##  chdir(2) before doing anything else.  This means any files referenced
+##  elsewhere in the configuration file can be specified relative to this
+##  directory.  It's also useful for arranging that any crash dumps will be
+##  saved to a specific location.
+#
+# BaseDirectory /var/run/opendmarc
+
+##  ChangeRootDirectory (string)
+##  	default (none)
+##
+##  Requests that the operating system change the effective root directory of
+##  the process to the one specified here prior to beginning execution.
+##  chroot(2) requires superuser access.  A warning will be generated if
+##  UserID is not also set.
+#
+# ChangeRootDirectory /var/chroot/opendmarc
+
+##  CopyFailuresTo (string)
+##  	default (none)
+##
+##  Requests addition of the specified email address to the envelope of
+##  any message that fails the DMARC evaluation.
+#
+# CopyFailuresTo postmaster@localhost
+
+##  DomainWhitelist (string)
+##  	default (none)
+##
+##  A brief list of whitelisted domains for which ARC signature headers are
+##  trusted as determined by evaluating entries in the "arc.chain" field found
+##  in a locally generated Authentication-Results header.
+##
+##  This list will be concatenated with DomainWhitelistFile (if provided).
+##
+# 
+# DomainWhitelist example.com
+
+##  DomainWhitelistFile path
+##  	default (none)
+##
+##  A comprehensive list of whitelisted domains for which ARC signature headers
+##  are trusted as determined by evaluating entries in the "arc.chain" field
+##  found in a locally generated Authentication-Results header.
+##
+##  This list will be concatenated with DomainWhitelist (if provided).
+##
+# 
+# DomainWhitelistFile /etc/opendmarc/whitelist.domains
+
+##  DomainWhitelistSize
+##  	default 3000
+##
+##  The maximum number of entries in the DomainWhitelist including both entries
+##  in the DomainWhitelist configuration parameter (above) and entries in the
+##  DomainWhitelistFile. This number will be increased by approximately 20% to
+##  increase the efficiency of the hashing algorithm.
+##
+# 
+# DomainWhitelistSize 3000
+
+##  DNSTimeout (integer)
+##  	default 5
+##
+##  Sets the DNS timeout in seconds.  A value of 0 causes an infinite wait.
+##  (NOT YET IMPLEMENTED)
+#
+# DNSTimeout 5
+
+##  EnableCoredumps { true | false }
+##  	default "false"
+##
+##  On systems that have such support, make an explicit request to the kernel
+##  to dump cores when the filter crashes for some reason.  Some modern UNIX
+##  systems suppress core dumps during crashes for security reasons if the
+##  user ID has changed during the lifetime of the process.  Currently only
+##  supported on Linux.
+#
+# EnableCoreDumps false
+
+##  FailureReports { true | false }
+##  	default "false"
+##
+##  Enables generation of failure reports when the DMARC test fails and the
+##  purported sender of the message has requested such reports.  Reports are
+##  formatted per RFC6591.
+#
+# FailureReports false
+
+##  FailureReportsBcc (string)
+##  	default (none)
+##
+##  When failure reports are enabled and one is to be generated, always
+##  send one to the address(es) specified here.  If a failure report is
+##  requested by the domain owner, the address(es) are added in a Bcc: field.
+##  If no request is made, they address(es) are used in a To: field.  There
+##  is no default.
+#
+# FailureReportsBcc postmaster@example.coom
+
+##  FailureReportsOnNone { true | false }
+##  	default "false"
+##
+##  Supplements the "FailureReports" setting by generating reports for
+##  domains that advertise "none" policies.  By default, reports are only
+##  generated (when enabled) for sending domains advertising a "quarantine"
+##  or "reject" policy.
+#
+# FailureReportsOnNone false
+
+##  FailureReportsSentBy string
+##  	default "USER@HOSTNAME"
+##
+##  Specifies the email address to use in the From: field of failure
+##  reports generated by the filter.  The default is to use the userid of
+##  the user running the filter and the local hostname to construct an
+##  email address.  "postmaster" is used in place of the userid if a name
+##  could not be determined.
+#
+# FailureReportsSentBy USER@HOSTNAME
+
+##  HistoryFile path
+##  	default (none)
+##
+##  If set, specifies the location of a text file to which records are written
+##  that can be used to generate DMARC aggregate reports.  Records are groups
+##  of rows containing information about a single received message, and
+##  include all relevant information needed to generate a DMARC aggregate
+##  report.  It is expected that this will not be used in its raw form, but
+##  rather periodically imported into a relational database from which the
+##  aggregate reports can be extracted by a tool such as opendmarc-import(8).
+#
+# HistoryFile /var/spool/opendmarc/opendmarc.dat
+
+##  HoldQuarantinedMessages { true | false }
+##  	default "false"
+##
+##  If set, the milter will signal to the mta that messages with
+##  p=quarantine, which fail dmarc authentication, should be held in
+##  the MTA's "Hold" or "Quarantine" queue.  The name varies by MTA.
+##  If false, messsages will be accepted and passed along with the 
+##  regular mail flow, and the quarantine will be left up to downstream
+##  MTA/MDA/MUA filters, if any, to handle by re-evaluating the headers,
+##  including the Authentication-Results header added by OpenDMARC
+#
+# HoldQuarantinedMessages false
+
+##  IgnoreAuthenticatedClients { true | false }
+##  	default "false"
+##
+##  If set, causes mail from authenticated clients (i.e., those that used
+##  SMTP AUTH) to be ignored by the filter.
+#
+# IgnoreAuthenticatedClients false
+#>GNUNUX
+IgnoreAuthenticatedClients true
+#<GNUNUX
+
+## HoldQuarantinedMessages { true | false }
+##  	default "false"
+##
+##  If set, the milter will signal to the mta that messages with
+##  p=quarantine, which fail dmarc authentication, should be held in
+##  the MTA's "Hold" or "Quarantine" queue.  The name varies by MTA.
+##  If false, messsages will be accepted and passed along with the 
+##  regular mail flow, and the quarantine will be left up to downstream
+##  MTA/MDA/MUA filters, if any, to handle by re-evaluating the headers,
+##  including the Authentication-Results header added by OpenDMARC
+#
+# HoldQuarantinedMessages false
+
+
+##  IgnoreHosts path
+##  	default (internal)
+##
+##  Specifies the path to a file that contains a list of hostnames, IP
+##  addresses, and/or CIDR expressions identifying hosts whose SMTP
+##  connections are to be ignored by the filter.  If not specified, defaults
+##  to "127.0.0.1" only.
+#
+# IgnoreHosts /etc/opendmarc/ignore.hosts
+
+##  IgnoreMailFrom domain[,...]
+##  	default (none)
+##
+##  Gives a list of domain names whose mail (based on the From: domain) is to
+##  be ignored by the filter.  The list should be comma-separated.  Matching
+##  against this list is case-insensitive.  The default is an empty list,
+##  meaning no mail is ignored.
+#
+# IgnoreMailFrom example.com
+
+##  MilterDebug (integer)
+##  	default 0
+##
+##  Sets the debug level to be requested from the milter library.
+#
+# MilterDebug 0
+
+##  PidFile path
+##  	default (none)
+##
+##  Specifies the path to a file that should be created at process start
+##  containing the process ID.
+#
+# PidFile /var/run/opendmarc.pid
+
+##  PublicSuffixList path
+##  	default (none)
+##
+##  Specifies the path to a file that contains top-level domains (TLDs) that
+##  will be used to compute the Organizational Domain for a given domain name,
+##  as described in the DMARC specification.  If not provided, the filter will
+##  not be able to determine the Organizational Domain and only the presented
+##  domain will be evaluated.  This file should be periodically updated.
+##  One location to retrieve the file from is https://publicsuffix.org/list/
+#
+# PublicSuffixList path
+
+##  RecordAllMessages { true | false }
+##  	default "false"
+##
+##  If set and "HistoryFile" is in use, all received messages are recorded
+##  to the history file.  If not set (the default), only messages for which
+##  the From: domain published a DMARC record will be recorded in the
+##  history file.
+#
+# RecordAllMessages false
+
+##  RejectFailures { true | false }
+##  	default "false"
+##
+##  If set, messages will be rejected if they fail the DMARC evaluation, or
+##  temp-failed if evaluation could not be completed.  By default, no message
+##  will be rejected or temp-failed regardless of the outcome of the DMARC
+##  evaluation of the message.  Instead, an Authentication-Results header
+##  field will be added.
+#
+# RejectFailures false
+#>GNUNUX
+RejectFailures true
+#<GNUNUX
+
+##  RejectMultiValueFrom { true | false }
+##  	default "false"
+##
+##  If set, messages with multiple addresses in the From: field of the message
+##  will be rejected unless all domains in the field are the same.  They will
+##  otherwise be ignored by the filter (the default).
+# 
+# RejectMultiValueFrom false
+
+##  ReportCommand string
+##  	default "/usr/sbin/sendmail -t"
+##
+##  Indicates the shell command to which failure reports should be passed for
+##  delivery when "FailureReports" is enabled.
+#
+# ReportCommand /usr/sbin/sendmail -t
+
+##  RequiredHeaders { true | false }
+##  	default "false"
+##
+##  If set, the filter will ensure the header of the message conforms to the
+##  basic header field count restrictions laid out in RFC5322, Section 3.6.
+##  Messages failing this test are rejected without further processing.  A
+##  From: field from which no domain name could be extracted will also be
+##  rejected.
+#
+# RequiredHeaders false
+#>GNUNUX
+RequiredHeaders true
+#<GNUNUX
+
+##  Socket socketspec
+##  	default (none)
+##
+##  Specifies the socket that should be established by the filter to receive
+##  connections from sendmail(8) in order to provide service.  socketspec is
+##  in one of two forms: local:path, which creates a UNIX domain socket at
+##  the specified path, or inet:port[@host] or inet6:port[@host] which creates
+##  a TCP socket on the specified port for the appropriate protocol family.
+##  If the host is not given as either a hostname or an IP address, the
+##  socket will be listening on all interfaces.  This option is mandatory
+##  either in the configuration file or on the command line.  If an IP
+##  address is used, it must be enclosed in square brackets.
+#
+Socket inet:8893@localhost
+
+##  SoftwareHeader { true | false }
+##  	default "false"
+##
+##  Causes the filter to add a "DMARC-Filter" header field indicating the
+##  presence of this filter in the path of the message from injection to
+##  delivery.  The product's name, version, and the job ID are included in
+##  the header field's contents.
+#
+SoftwareHeader true
+
+##  SPFIgnoreResults { true | false }
+##	default "false"
+##
+##  Causes the filter to ignore any SPF results in the header of the
+##  message.  This is useful if you want the filter to perform SPF checks
+##  itself, or because you don't trust the arriving header.
+#
+SPFIgnoreResults true
+
+##  SPFSelfValidate { true | false }
+##	default false
+##
+##  Enable internal spf checking with --with-spf
+##  To use libspf2 instead:  --with-spf --with-spf2-include=path --with-spf2-lib=path
+##
+##  Causes the filter to perform a fallback SPF check itself when
+##  it can find no SPF results in the message header.  If SPFIgnoreResults
+##  is also set, it never looks for SPF results in headers and
+##  always performs the SPF check itself when this is set.
+#
+SPFSelfValidate true
+
+##  Syslog { true | false }
+##  	default "false"
+##
+##  Log via calls to syslog(3) any interesting activity.
+#
+Syslog true
+
+##  SyslogFacility facility-name
+##  	default "mail"
+##
+##  Log via calls to syslog(3) using the named facility.  The facility names
+##  are the same as the ones allowed in syslog.conf(5).
+#
+# SyslogFacility mail
+
+##  TrustedAuthservIDs string
+##  	default HOSTNAME
+##
+##  Specifies one or more "authserv-id" values to trust as relaying true
+##  upstream DKIM and SPF results.  The default is to use the name of
+##  the MTA processing the message.  To specify a list, separate each entry
+##  with a comma.  The key word "HOSTNAME" will be replaced by the name of
+##  the host running the filter as reported by the gethostname(3) function.
+#
+# TrustedAuthservIDs HOSTNAME
+#>GNUNUX
+TrustedAuthservIDs %%postfix_mail_hostname
+#>GNUNUX
+
+##  UMask mask
+##  	default (none)
+##
+##  Requests a specific permissions mask to be used for file creation.  This
+##  only really applies to creation of the socket when Socket specifies a
+##  UNIX domain socket, and to the HistoryFile and PidFile (if any); temporary
+##  files are normally created by the mkstemp(3) function that enforces a
+##  specific file mode on creation regardless of the process umask.  See
+##  umask(2) for more information.
+#
+UMask 007
+
+##  UserID user[:group]
+##  	default (none)
+##
+##  Attempts to become the specified userid before starting operations.
+##  The process will be assigned all of the groups and primary group ID of
+##  the named userid unless an alternate group is specified.
+#
+UserID opendmarc:mail
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/templates/postfix.crt b/seed/applicationservice/2022.03.08/postfix-relay/templates/postfix.crt
new file mode 100644
index 0000000..fbd3d86
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postfix-relay/templates/postfix.crt
@@ -0,0 +1 @@
+%%get_certificate(%%domain_name_eth0, 'MailServer')
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/templates/postfix.key b/seed/applicationservice/2022.03.08/postfix-relay/templates/postfix.key
new file mode 100644
index 0000000..4febac3
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postfix-relay/templates/postfix.key
@@ -0,0 +1 @@
+%%get_private_key(%%domain_name_eth0, 'MailServer')
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/templates/postfix.service b/seed/applicationservice/2022.03.08/postfix-relay/templates/postfix.service
new file mode 100644
index 0000000..7e33496
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postfix-relay/templates/postfix.service
@@ -0,0 +1,11 @@
+[Service]
+ExecStartPre=/usr/sbin/postmap /etc/postfix/lmtp
+ExecStartPre=/usr/sbin/postmap -F /etc/postfix/sni
+%for %%local in %%postfix_relay_authentifications
+  %set %%user = %%normalize_family(%%local)
+  %set %%password = %%getVar('local_authentification_password_' + %%user)
+  %set %%ip = %%getVar('local_authentification_ip_' + %%user)
+ExecStartPre=-/usr/bin/bash -c "echo %%password | /usr/sbin/saslpasswd2 -u %%ip %%user -p"
+%end for
+ExecStartPre=/usr/bin/chown postfix: /etc/sasl2/sasldb2
+PIDFile=/srv/postfix/spool/pid/master.pid
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/templates/smtpd.conf b/seed/applicationservice/2022.03.08/postfix-relay/templates/smtpd.conf
new file mode 100644
index 0000000..2c1247e
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postfix-relay/templates/smtpd.conf
@@ -0,0 +1,3 @@
+pwcheck_method: auxprop
+auxprop_plugin: sasldb
+mech_list: plain login
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/templates/sni b/seed/applicationservice/2022.03.08/postfix-relay/templates/sni
new file mode 100644
index 0000000..72acebe
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postfix-relay/templates/sni
@@ -0,0 +1,5 @@
+%for %%idx in %%range(0, %%number_of_interfaces)
+  %set %%domain = %%getVar('domain_name_eth' + %%str(%%idx))
+%%domain /etc/postfix/certs/%%{domain}.pem
+%end for
+
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/templates/sni.pem b/seed/applicationservice/2022.03.08/postfix-relay/templates/sni.pem
new file mode 100644
index 0000000..9d489ca
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postfix-relay/templates/sni.pem
@@ -0,0 +1,5 @@
+%set %%chain = %%get_chain(%%rougail_variable, 'MailRelay')
+%set %%cert = %%get_certificate(%%rougail_variable, 'MailRelay')
+%%get_private_key(%%rougail_variable, 'MailRelay')
+%%cert
+%%chain
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/templates/sysuser-opendkim.conf b/seed/applicationservice/2022.03.08/postfix-relay/templates/sysuser-opendkim.conf
new file mode 100644
index 0000000..7a98bc1
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postfix-relay/templates/sysuser-opendkim.conf
@@ -0,0 +1,3 @@
+g opendkim 980 -
+u opendkim 982:980     "OpenDKIM Milter" /run/opendkim	/sbin/nologin
+m opendkim mail
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/templates/sysuser-opendmarc.conf b/seed/applicationservice/2022.03.08/postfix-relay/templates/sysuser-opendmarc.conf
new file mode 100644
index 0000000..f668006
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postfix-relay/templates/sysuser-opendmarc.conf
@@ -0,0 +1,3 @@
+g opendmarc 979 -
+u opendmarc 981:979     "OpenDMARC Milter" /run/opendmarc /sbin/nologin
+m opendmarc mail
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/templates/sysuser-postfix.conf b/seed/applicationservice/2022.03.08/postfix-relay/templates/sysuser-postfix.conf
new file mode 100644
index 0000000..bfd0af9
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postfix-relay/templates/sysuser-postfix.conf
@@ -0,0 +1,8 @@
+g mail 12 -
+g postfix 89 -
+g postdrop 90 -
+u mail 8:12	"mail" /var/spool/mail	/sbin/nologin
+u postfix 89:89     "Postfix" /srv/postfix/spool	/sbin/nologin
+# useful?
+m     postfix  mail
+m     postfix  opendkim
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/templates/tmpfile-opendmarc.conf b/seed/applicationservice/2022.03.08/postfix-relay/templates/tmpfile-opendmarc.conf
new file mode 100644
index 0000000..9d8cded
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postfix-relay/templates/tmpfile-opendmarc.conf
@@ -0,0 +1 @@
+D /run/opendmarc 0710 opendmarc mail -
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/templates/tmpfile-postfix.conf b/seed/applicationservice/2022.03.08/postfix-relay/templates/tmpfile-postfix.conf
new file mode 100644
index 0000000..2d727df
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postfix-relay/templates/tmpfile-postfix.conf
@@ -0,0 +1,4 @@
+d /srv/postfix 750 postfix postfix - -
+d /srv/postfix/data 750 postfix postfix - -
+d /srv/postfix/spool 755 root root - -
+d /var/lib/misc/ 755 root root - -
diff --git a/seed/applicationservice/2022.03.08/postgresql-client/applicationservice.yml b/seed/applicationservice/2022.03.08/postgresql-client/applicationservice.yml
new file mode 100644
index 0000000..3364b86
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postgresql-client/applicationservice.yml
@@ -0,0 +1,2 @@
+format: '0.1'
+description: Postgresql client
diff --git a/seed/applicationservice/2022.03.08/postgresql-client/dictionaries/23_postgresql.xml b/seed/applicationservice/2022.03.08/postgresql-client/dictionaries/23_postgresql.xml
new file mode 100644
index 0000000..c919483
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postgresql-client/dictionaries/23_postgresql.xml
@@ -0,0 +1,41 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name="postgresqlclient" target="multi-user" engine="creole">
+      <file mode="400">/secrets/postgresql.pass</file>
+    </service>
+  </services>
+  <variables>
+    <family name="postgresql" description="PostgreSQL">
+      <variable name="pg_client_server_domainname" type="domainname" description="Nom de domaine du serveur PostgreSQL" mandatory="True"/>
+      <variable name="pg_client_username" description="Client username" mandatory="True" hidden="True"/>
+      <variable name="pg_client_password" type="password" description="Client password" mandatory="True" hidden="True"/>
+      <variable name="pg_client_database" description="Client database" mandatory="True" hidden="True"/>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="set_linked">
+      <param name="linked_server" type="variable">pg_client_server_domainname</param>
+      <param name="linked_provider">clients</param>
+      <param name="linked_value" type="variable">domain_name_eth0</param>
+      <target>pg_client_username</target>
+    </fill>
+    <fill name="get_linked_configuration">
+      <param name="linked_server" type="variable">pg_client_server_domainname</param>
+      <param name="linked_provider">client_password</param>
+      <param name="dynamic" type="variable">pg_client_username</param>
+      <target>pg_client_password</target>
+    </fill>
+    <check name="set_linked_configuration">
+      <param name="linked_server" type="variable">pg_client_server_domainname</param>
+      <param name="linked_provider">client_ip</param>
+      <param name="linked_value" type="variable">ip_eth0</param>
+      <param name="dynamic" type="variable">pg_client_username</param>
+      <target>pg_client_password</target>
+    </check>
+    <fill name="calc_value">
+      <param type="variable">pg_client_username</param>
+      <target>pg_client_database</target>
+    </fill>
+  </constraints>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/postgresql-client/manual/image/preinstall/postgresql_client.sh b/seed/applicationservice/2022.03.08/postgresql-client/manual/image/preinstall/postgresql_client.sh
new file mode 100644
index 0000000..f5d15a1
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postgresql-client/manual/image/preinstall/postgresql_client.sh
@@ -0,0 +1 @@
+PKG="$PKG postgresql"
diff --git a/seed/applicationservice/2022.03.08/postgresql-client/templates/postgresql.pass b/seed/applicationservice/2022.03.08/postgresql-client/templates/postgresql.pass
new file mode 100644
index 0000000..ac136a6
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postgresql-client/templates/postgresql.pass
@@ -0,0 +1 @@
+%%pg_client_server_domainname:5432:%%pg_client_database:%%pg_client_username:%%pg_client_password
diff --git a/seed/applicationservice/2022.03.08/postgresql-client/templates/postgresqlclient.service b/seed/applicationservice/2022.03.08/postgresql-client/templates/postgresqlclient.service
new file mode 100644
index 0000000..6ae07e0
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postgresql-client/templates/postgresqlclient.service
@@ -0,0 +1,9 @@
+[Unit]
+Description=Waiting for postgresql server
+Before=network.target
+
+[Service]
+Type=oneshot
+Environment=PGPASSFILE=/usr/local/lib/secrets/postgresql.pass
+ExecStart=/usr/bin/timeout 90 sh -c 'while ! 3<> /dev/tcp/%%pg_client_server_domainname/5432; do sleep 1; done; echo "POSTGRESQL STARTED"'
+ExecStart=/usr/bin/timeout 90 sh -c 'while ! /usr/bin/psql -h %%pg_client_server_domainname -U %%pg_client_username %%pg_client_database -c "\l"; do sleep 1; done; echo "POSTGRESQL READY"'
diff --git a/seed/applicationservice/2022.03.08/postgresql-server/applicationservice.yml b/seed/applicationservice/2022.03.08/postgresql-server/applicationservice.yml
new file mode 100644
index 0000000..43817f4
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postgresql-server/applicationservice.yml
@@ -0,0 +1,5 @@
+format: '0.1'
+description: Postgresql
+depends:
+  - server
+  - base-fedora-35
diff --git a/seed/applicationservice/2022.03.08/postgresql-server/dictionaries/22_postgresql.xml b/seed/applicationservice/2022.03.08/postgresql-server/dictionaries/22_postgresql.xml
new file mode 100644
index 0000000..bed1dbd
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postgresql-server/dictionaries/22_postgresql.xml
@@ -0,0 +1,77 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name="postgresql" target="multi-user">
+      <override engine="none"/>
+      <ip ip_type='variable'>accounts.remote_.remote_ip_</ip>
+      <file>/etc/postgresql/postgresql.conf</file>
+      <file>/etc/postgresql/pg_hba.conf</file>
+      <file mode="600" owner="postgres" group="postgres">/etc/postgresql/postgresql.sql</file>
+      <file engine="none">/etc/postgresql/pg_ident.conf</file>
+      <file engine="none" mode="755">/bin/postgresql_init</file>
+      <file engine="none" source="sysuser-postgresql.conf">/sysusers.d/0postgresql.conf</file>
+    </service>
+  </services>
+  <variables>
+    <family name="postgresql" description="PostgreSQL" help="Paramétrage du serveur de gestion de bases de données PostgreSQL">
+      <variable name="pg_max_connections" type="number" description="Nombre maximum de connexions" help="Nombre maximum de connexions concurrentes au serveur de base de données">
+        <value>100</value>
+      </variable>
+      <variable name="pg_authentication_timeout" type="number" description="Délai de connexion maximum (en secondes)" help="Temps maximum pour terminer l'authentification du client">
+        <value>60</value>
+      </variable>
+      <variable name="pg_server_key" type="filename" description="Emplacement de la clé SSL du serveur PostgreSQL">
+        <value>/etc/postgresql/12/main/server.key</value>
+      </variable>
+      <variable name="pg_server_cert" type="filename" description="Emplacement du certificat du serveur PostgreSQL">
+        <value>/etc/postgresql/12/main/server.crt</value>
+      </variable>
+      <variable name="pg_autovacuum" type="boolean" description="Activer le VACUUM automatique"/>
+      <variable name="pg_work_mem" type="number" description="Mémoire tampon allouée aux opérations de tri et tables de hash" help="Quantité de mémoire allouée à chaque opération avant écriture sur le disque (par défaut : 4MB)">
+        <value>4</value>
+      </variable>
+      <variable name="pg_work_mem_unit" description="Unité de la mémoire tampon" type="choice">
+        <value>MB</value>
+        <choice type="string">MB</choice>
+        <choice type="string">kB</choice>
+      </variable>
+      <variable name="pg_maintenance_work_mem" type="number" description="Mémoire tampon allouée pour les opérations de maintenance" help="Quantité de mémoire allouée à chaque opération avant écriture sur le disque (par défaut : 64MB, minimum: 1024kB)">
+        <value>64</value>
+      </variable>
+      <variable name="pg_maintenance_work_mem_unit" description="Unité de la mémoire tampon" type="choice">
+        <value>MB</value>
+        <choice type="string">MB</choice>
+        <choice type="string">kB</choice>
+      </variable>
+      <variable name="pg_wal_buffers" type="number" description="Mémoire tampon allouée pour les journaux" help="Quantité de mémoire allouée avant écriture sur le disque (par défaut : -1, soit 1/32ème de la valeur de shared_buffers)">
+        <value>-1</value>
+      </variable>
+      <variable name="pg_max_wal_size" type="number" description="Limite douce du Write Ahead Log" help="Limite douce pour le Write Ahead Log">
+        <value>1</value>
+      </variable>
+      <variable name="pg_max_wal_size_unit" description="Unité de la limite douce du Write Ahead Log" type="choice">
+        <value>GB</value>
+        <choice type="string">GB</choice>
+        <choice type="string">MB</choice>
+        <choice type="string">kB</choice>
+      </variable>
+      <variable name="pg_shared_buffers" type="number" description="Quantité de mémoire pour les buffers partagés" help="Quantité de mémoire que le serveur de bases de données utilise comme mémoire partagée">
+        <value>128</value>
+      </variable>
+      <variable name="pg_shared_buffers_unit" description="Unité de la quantité de mémoire pour les buffers partagés" type="choice">
+        <value>MB</value>
+        <choice type="string">MB</choice>
+        <choice type="string">kB</choice>
+      </variable>
+      <variable name="pg_effective_cache_size" type="number" description="Taille du cache (blocs de 8ko)" mandatory="True" help="Initialise l'estimation faite par le planificateur de la taille réelle du cache disque disponible pour une requête">
+        <value>4</value>
+      </variable>
+      <variable name="pg_effective_cache_size_unit" description="Unité de la taille du cache" type="choice">
+        <value>GB</value>
+        <choice type="string">MB</choice>
+        <choice type="string">kB</choice>
+        <choice type="string">GB</choice>
+      </variable>
+    </family>
+  </variables>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/postgresql-server/manual/image/preinstall/postgresql_server.sh b/seed/applicationservice/2022.03.08/postgresql-server/manual/image/preinstall/postgresql_server.sh
new file mode 100644
index 0000000..a533301
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postgresql-server/manual/image/preinstall/postgresql_server.sh
@@ -0,0 +1 @@
+PKG="$PKG postgresql-server glibc-langpack-fr"
diff --git a/seed/applicationservice/2022.03.08/postgresql-server/templates/pg_hba.conf b/seed/applicationservice/2022.03.08/postgresql-server/templates/pg_hba.conf
new file mode 100644
index 0000000..75c3d46
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postgresql-server/templates/pg_hba.conf
@@ -0,0 +1,103 @@
+# PostgreSQL Client Authentication Configuration File
+# ===================================================
+#
+# Refer to the "Client Authentication" section in the PostgreSQL
+# documentation for a complete description of this file.  A short
+# synopsis follows.
+#
+# This file controls: which hosts are allowed to connect, how clients
+# are authenticated, which PostgreSQL user names they can use, which
+# databases they can access.  Records take one of these forms:
+#
+# local         DATABASE  USER  METHOD  [OPTIONS]
+# host          DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
+# hostssl       DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
+# hostnossl     DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
+# hostgssenc    DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
+# hostnogssenc  DATABASE  USER  ADDRESS  METHOD  [OPTIONS]
+#
+# (The uppercase items must be replaced by actual values.)
+#
+# The first field is the connection type: "local" is a Unix-domain
+# socket, "host" is either a plain or SSL-encrypted TCP/IP socket,
+# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a
+# non-SSL TCP/IP socket.  Similarly, "hostgssenc" uses a
+# GSSAPI-encrypted TCP/IP socket, while "hostnogssenc" uses a
+# non-GSSAPI socket.
+#
+# DATABASE can be "all", "sameuser", "samerole", "replication", a
+# database name, or a comma-separated list thereof. The "all"
+# keyword does not match "replication". Access to replication
+# must be enabled in a separate record (see example below).
+#
+# USER can be "all", a user name, a group name prefixed with "+", or a
+# comma-separated list thereof.  In both the DATABASE and USER fields
+# you can also write a file name prefixed with "@" to include names
+# from a separate file.
+#
+# ADDRESS specifies the set of hosts the record matches.  It can be a
+# host name, or it is made up of an IP address and a CIDR mask that is
+# an integer (between 0 and 32 (IPv4) or 128 (IPv6) inclusive) that
+# specifies the number of significant bits in the mask.  A host name
+# that starts with a dot (.) matches a suffix of the actual host name.
+# Alternatively, you can write an IP address and netmask in separate
+# columns to specify the set of hosts.  Instead of a CIDR-address, you
+# can write "samehost" to match any of the server's own IP addresses,
+# or "samenet" to match any address in any subnet that the server is
+# directly connected to.
+#
+# METHOD can be "trust", "reject", "md5", "password", "scram-sha-256",
+# "gss", "sspi", "ident", "peer", "pam", "ldap", "radius" or "cert".
+# Note that "password" sends passwords in clear text; "md5" or
+# "scram-sha-256" are preferred since they send encrypted passwords.
+#
+# OPTIONS are a set of options for the authentication in the format
+# NAME=VALUE.  The available options depend on the different
+# authentication methods -- refer to the "Client Authentication"
+# section in the documentation for a list of which options are
+# available for which authentication methods.
+#
+# Database and user names containing spaces, commas, quotes and other
+# special characters must be quoted.  Quoting one of the keywords
+# "all", "sameuser", "samerole" or "replication" makes the name lose
+# its special character, and just match a database or username with
+# that name.
+#
+# This file is read on server startup and when the server receives a
+# SIGHUP signal.  If you edit the file on a running system, you have to
+# SIGHUP the server for the changes to take effect, run "pg_ctl reload",
+# or execute "SELECT pg_reload_conf()".
+#
+# Put your actual configuration here
+# ----------------------------------
+#
+# If you want to allow non-local connections, you need to add more
+# "host" records.  In that case you will also need to make PostgreSQL
+# listen on a non-local interface via the listen_addresses
+# configuration parameter, or via the -i or -h command line switches.
+
+
+
+# TYPE  DATABASE        USER            ADDRESS                 METHOD
+
+# "local" is for Unix domain socket connections only
+#GNUNUX local   all             all                                     peer
+#>GNUNUX
+local   all         postgres	ident	map=pg_map
+#<GNUNUX
+# IPv4 local connections:
+#>GNUNUX
+# host    all             all             127.0.0.1/32            ident
+%for %%server in %%accounts.remotes
+host	%%normalize_family(%%server)	%%normalize_family(%%server)	%%server	md5
+%end for
+#<GNUNUX
+# IPv6 local connections:
+host    all             all             ::1/128                 ident
+# Allow replication connections from localhost, by a user with the
+# replication privilege.
+#>GNUNUX
+#local   replication     all                                     peer
+#host    replication     all             127.0.0.1/32            ident
+#host    replication     all             ::1/128                 ident
+#<GNUNUX
diff --git a/seed/applicationservice/2022.03.08/postgresql-server/templates/pg_ident.conf b/seed/applicationservice/2022.03.08/postgresql-server/templates/pg_ident.conf
new file mode 100644
index 0000000..bfd7b6c
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postgresql-server/templates/pg_ident.conf
@@ -0,0 +1,41 @@
+# PostgreSQL User Name Maps
+# =========================
+#
+# Refer to the PostgreSQL Administrator's Guide, chapter "Client
+# Authentication" for a complete description.  A short synopsis follows.
+#
+# This file controls PostgreSQL username mapping. It maps
+# external user names to their corresponding
+# PostgreSQL user names.  Records are of the form:
+#
+# MAPNAME  SYSTEM-USERNAME  PG-USERNAME
+#
+# (The uppercase quantities must be replaced by actual values.)
+#
+# MAPNAME is the (otherwise freely chosen) map name that was used in
+# pg_hba.conf.  SYSTEM-USERNAME is the detected user name of the
+# client.  PG-USERNAME is the requested PostgreSQL user name.  The
+# existence of a record specifies that SYSTEM-USERNAME may connect as
+# PG-USERNAME.
+#
+# If SYSTEM-USERNAME starts with a slash (/), it will be treated as
+# a regular expression.  Optionally this can contain a capture (a
+# parenthesized subexpression).  The substring matching the capture
+# will be substituted for \1 (backslash-one) if present in PG-USERNAME.
+#
+# Multiple maps may be specified in this file and used by pg_hba.conf.
+#
+# No map names are defined in the default configuration.  If all system
+# user names and PostgreSQL user names are the same, you don't need
+# anything in this file.
+#
+# This file is read on server startup and when the postmaster receives
+# a SIGHUP signal.  If you edit the file on a running system, you have
+# to SIGHUP the postmaster for the changes to take effect.  You can use
+# "pg_ctl reload" to do that.
+
+# Put your actual configuration here
+# ----------------------------------
+
+# MAPNAME     SYSTEM-USERNAME    PG-USERNAME
+pg_map	postgres	postgres
diff --git a/seed/applicationservice/2022.03.08/postgresql-server/templates/postgresql.conf b/seed/applicationservice/2022.03.08/postgresql-server/templates/postgresql.conf
new file mode 100644
index 0000000..625df37
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postgresql-server/templates/postgresql.conf
@@ -0,0 +1,835 @@
+%compiler-settings
+cheetahVarStartToken = §§
+directiveStartToken = §
+%end compiler-settings
+#GNUNUX: encoding is present in source so try to convert it
+#encoding: utf8
+# -----------------------------
+# PostgreSQL configuration file
+# -----------------------------
+#
+# This file consists of lines of the form:
+#
+#   name = value
+#
+# (The "=" is optional.)  Whitespace may be used.  Comments are introduced with
+# "#" anywhere on a line.  The complete list of parameter names and allowed
+# values can be found in the PostgreSQL documentation.
+#
+# The commented-out settings shown in this file represent the default values.
+# Re-commenting a setting is NOT sufficient to revert it to the default value;
+# you need to reload the server.
+#
+# This file is read on server startup and when the server receives a SIGHUP
+# signal.  If you edit the file on a running system, you have to SIGHUP the
+# server for the changes to take effect, run "pg_ctl reload", or execute
+# "SELECT pg_reload_conf()".  Some parameters, which are marked below,
+# require a server shutdown and restart to take effect.
+#
+# Any parameter can also be given as a command-line option to the server, e.g.,
+# "postgres -c log_connections=on".  Some parameters can be changed at run time
+# with the "SET" SQL command.
+#
+# Memory units:  B  = bytes            Time units:  us  = microseconds
+#                kB = kilobytes                     ms  = milliseconds
+#                MB = megabytes                     s   = seconds
+#                GB = gigabytes                     min = minutes
+#                TB = terabytes                     h   = hours
+#                                                   d   = days
+
+
+#------------------------------------------------------------------------------
+# FILE LOCATIONS
+#------------------------------------------------------------------------------
+
+# The default values of these variables are driven from the -D command-line
+# option or PGDATA environment variable, represented here as ConfigDir.
+
+#data_directory = 'ConfigDir'		# use data in another directory
+					# (change requires restart)
+#>GNUNUX
+data_directory = '/srv/postgresql'
+#<GNUNUX
+#hba_file = 'ConfigDir/pg_hba.conf'	# host-based authentication file
+					# (change requires restart)
+#>GNUNUX
+hba_file = '/etc/postgresql/pg_hba.conf'
+#<GNUNUX
+#ident_file = 'ConfigDir/pg_ident.conf'	# ident configuration file
+					# (change requires restart)
+#>GNUNUX
+ident_file = '/etc/postgresql/pg_ident.conf'
+#<GNUNUX
+
+# If external_pid_file is not explicitly set, no extra PID file is written.
+#external_pid_file = ''			# write an extra PID file
+					# (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# CONNECTIONS AND AUTHENTICATION
+#------------------------------------------------------------------------------
+
+# - Connection Settings -
+
+#listen_addresses = 'localhost'		# what IP address(es) to listen on;
+					# comma-separated list of addresses;
+					# defaults to 'localhost'; use '*' for all
+					# (change requires restart)
+#>GNUNUX
+listen_addresses = '*'
+#<GNUNUX
+#port = 5432				# (change requires restart)
+#>GNUNUX
+#max_connections = 100			# (change requires restart)
+max_connections = §§pg_max_connections
+#<GNUNUX
+#superuser_reserved_connections = 3	# (change requires restart)
+#unix_socket_directories = '/var/run/postgresql, /tmp'	# comma-separated list of directories
+#>GNUNUX
+unix_socket_directories = '/var/run/postgresql'
+#<GNUNUX
+					# (change requires restart)
+#unix_socket_group = ''			# (change requires restart)
+#unix_socket_permissions = 0777		# begin with 0 to use octal notation
+					# (change requires restart)
+#bonjour = off				# advertise server via Bonjour
+					# (change requires restart)
+#bonjour_name = ''			# defaults to the computer name
+					# (change requires restart)
+
+# - TCP settings -
+# see "man tcp" for details
+
+#tcp_keepalives_idle = 0		# TCP_KEEPIDLE, in seconds;
+					# 0 selects the system default
+#tcp_keepalives_interval = 0		# TCP_KEEPINTVL, in seconds;
+					# 0 selects the system default
+#tcp_keepalives_count = 0		# TCP_KEEPCNT;
+					# 0 selects the system default
+#tcp_user_timeout = 0			# TCP_USER_TIMEOUT, in milliseconds;
+					# 0 selects the system default
+
+# - Authentication -
+
+#authentication_timeout = 1min		# 1s-600s
+#>GNUNUX
+authentication_timeout = §§{pg_authentication_timeout}s
+#<GNUNUX
+#password_encryption = md5		# md5 or scram-sha-256
+#db_user_namespace = off
+
+# GSSAPI using Kerberos
+#krb_server_keyfile = 'FILE:${sysconfdir}/krb5.keytab'
+#krb_caseins_users = off
+
+# - SSL -
+
+#ssl = off
+#ssl_ca_file = ''
+#ssl_cert_file = 'server.crt'
+#ssl_crl_file = ''
+#ssl_key_file = 'server.key'
+#ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
+#ssl_prefer_server_ciphers = on
+#ssl_ecdh_curve = 'prime256v1'
+#ssl_min_protocol_version = 'TLSv1.2'
+#ssl_max_protocol_version = ''
+#ssl_dh_params_file = ''
+#ssl_passphrase_command = ''
+#ssl_passphrase_command_supports_reload = off
+#>FIXME
+#ssl = true				# (change requires restart)
+#%import os
+#%set %%pg_server_cert_chain = os.path.splitext(§§pg_server_cert)[0] + '_ca-chain.crt'
+#ssl_cert_file = '%%pg_server_cert_chain'		# (change requires restart)
+#ssl_key_file = '§§pg_server_key'		# (change requires restart)
+#<FIXME
+
+#------------------------------------------------------------------------------
+# RESOURCE USAGE (except WAL)
+#------------------------------------------------------------------------------
+
+# - Memory -
+
+shared_buffers = 128MB			# min 128kB
+					# (change requires restart)
+shared_buffers = §§{pg_shared_buffers}§§pg_shared_buffers_unit
+#huge_pages = try			# on, off, or try
+					# (change requires restart)
+#temp_buffers = 8MB			# min 800kB
+#max_prepared_transactions = 0		# zero disables the feature
+					# (change requires restart)
+# Caution: it is not advisable to set max_prepared_transactions nonzero unless
+# you actively intend to use prepared transactions.
+#work_mem = 4MB				# min 64kB
+#hash_mem_multiplier = 1.0		# 1-1000.0 multiplier on hash table work_mem
+#maintenance_work_mem = 64MB		# min 1MB
+#autovacuum_work_mem = -1		# min 1MB, or -1 to use maintenance_work_mem
+#logical_decoding_work_mem = 64MB	# min 64kB
+#>GNUNUX
+work_mem = §§{pg_work_mem}§§pg_work_mem_unit	# min 64kB
+maintenance_work_mem = §§{pg_maintenance_work_mem}§§pg_maintenance_work_mem_unit	# min 1MB
+#<GNUNUX
+#max_stack_depth = 2MB			# min 100kB
+#shared_memory_type = mmap		# the default is the first option
+					# supported by the operating system:
+					#   mmap
+					#   sysv
+					#   windows
+					# (change requires restart)
+dynamic_shared_memory_type = posix	# the default is the first option
+					# supported by the operating system:
+					#   posix
+					#   sysv
+					#   windows
+					#   mmap
+					# (change requires restart)
+
+# - Disk -
+
+#temp_file_limit = -1			# limits per-process temp file space
+					# in kilobytes, or -1 for no limit
+
+# - Kernel Resources -
+
+#max_files_per_process = 1000		# min 64
+					# (change requires restart)
+
+# - Cost-Based Vacuum Delay -
+
+#vacuum_cost_delay = 0			# 0-100 milliseconds (0 disables)
+#vacuum_cost_page_hit = 1		# 0-10000 credits
+#vacuum_cost_page_miss = 10		# 0-10000 credits
+#vacuum_cost_page_dirty = 20		# 0-10000 credits
+#vacuum_cost_limit = 200		# 1-10000 credits
+
+# - Background Writer -
+
+#bgwriter_delay = 200ms			# 10-10000ms between rounds
+#bgwriter_lru_maxpages = 100		# max buffers written/round, 0 disables
+#bgwriter_lru_multiplier = 2.0		# 0-10.0 multiplier on buffers scanned/round
+#bgwriter_flush_after = 512kB		# measured in pages, 0 disables
+
+# - Asynchronous Behavior -
+
+#effective_io_concurrency = 1		# 1-1000; 0 disables prefetching
+#maintenance_io_concurrency = 10	# 1-1000; 0 disables prefetching
+#max_worker_processes = 8		# (change requires restart)
+#max_parallel_maintenance_workers = 2	# taken from max_parallel_workers
+#max_parallel_workers_per_gather = 2	# taken from max_parallel_workers
+#parallel_leader_participation = on
+#max_parallel_workers = 8		# maximum number of max_worker_processes that
+					# can be used in parallel operations
+#old_snapshot_threshold = -1		# 1min-60d; -1 disables; 0 is immediate
+					# (change requires restart)
+#backend_flush_after = 0		# measured in pages, 0 disables
+
+
+#------------------------------------------------------------------------------
+# WRITE-AHEAD LOG
+#------------------------------------------------------------------------------
+
+# - Settings -
+
+#wal_level = replica			# minimal, replica, or logical
+					# (change requires restart)
+#fsync = on				# flush data to disk for crash safety
+					# (turning this off can cause
+					# unrecoverable data corruption)
+#synchronous_commit = on		# synchronization level;
+					# off, local, remote_write, remote_apply, or on
+#wal_sync_method = fsync		# the default is the first option
+					# supported by the operating system:
+					#   open_datasync
+					#   fdatasync (default on Linux and FreeBSD)
+					#   fsync
+					#   fsync_writethrough
+					#   open_sync
+#full_page_writes = on			# recover from partial page writes
+#wal_compression = off			# enable compression of full-page writes
+#wal_log_hints = off			# also do full page writes of non-critical updates
+					# (change requires restart)
+#wal_init_zero = on			# zero-fill new WAL files
+#wal_recycle = on			# recycle WAL files
+#wal_buffers = -1			# min 32kB, -1 sets based on shared_buffers
+wal_buffers = §§pg_wal_buffers
+					# (change requires restart)
+#wal_writer_delay = 200ms		# 1-10000 milliseconds
+#wal_writer_flush_after = 1MB		# measured in pages, 0 disables
+#wal_skip_threshold = 2MB
+
+#commit_delay = 0			# range 0-100000, in microseconds
+#commit_siblings = 5			# range 1-1000
+
+# - Checkpoints -
+
+#checkpoint_timeout = 5min		# range 30s-1d
+#>GNUNUX
+#max_wal_size = 1GB
+max_wal_size = §§{pg_max_wal_size}§§pg_max_wal_size_unit
+#<GNUNUX
+min_wal_size = 80MB
+#checkpoint_completion_target = 0.5	# checkpoint target duration, 0.0 - 1.0
+#checkpoint_flush_after = 256kB		# measured in pages, 0 disables
+#checkpoint_warning = 30s		# 0 disables
+
+# - Archiving -
+
+#archive_mode = off		# enables archiving; off, on, or always
+				# (change requires restart)
+#archive_command = ''		# command to use to archive a logfile segment
+				# placeholders: %p = path of file to archive
+				#               %f = file name only
+				# e.g. 'test ! -f /mnt/server/archivedir/%f && cp %p /mnt/server/archivedir/%f'
+#archive_timeout = 0		# force a logfile segment switch after this
+				# number of seconds; 0 disables
+
+# - Archive Recovery -
+
+# These are only used in recovery mode.
+
+#restore_command = ''		# command to use to restore an archived logfile segment
+				# placeholders: %p = path of file to restore
+				#               %f = file name only
+				# e.g. 'cp /mnt/server/archivedir/%f %p'
+				# (change requires restart)
+#archive_cleanup_command = ''	# command to execute at every restartpoint
+#recovery_end_command = ''	# command to execute at completion of recovery
+
+# - Recovery Target -
+
+# Set these only when performing a targeted recovery.
+
+#recovery_target = ''		# 'immediate' to end recovery as soon as a
+                                # consistent state is reached
+				# (change requires restart)
+#recovery_target_name = ''	# the named restore point to which recovery will proceed
+				# (change requires restart)
+#recovery_target_time = ''	# the time stamp up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_xid = ''	# the transaction ID up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_lsn = ''	# the WAL LSN up to which recovery will proceed
+				# (change requires restart)
+#recovery_target_inclusive = on # Specifies whether to stop:
+				# just after the specified recovery target (on)
+				# just before the recovery target (off)
+				# (change requires restart)
+#recovery_target_timeline = 'latest'	# 'current', 'latest', or timeline ID
+				# (change requires restart)
+#recovery_target_action = 'pause'	# 'pause', 'promote', 'shutdown'
+				# (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# REPLICATION
+#------------------------------------------------------------------------------
+
+# - Sending Servers -
+
+# Set these on the master and on any standby that will send replication data.
+
+#max_wal_senders = 10		# max number of walsender processes
+				# (change requires restart)
+#wal_keep_size = 0		# in megabytes; 0 disables
+#max_slot_wal_keep_size = -1	# in megabytes; -1 disables
+#wal_sender_timeout = 60s	# in milliseconds; 0 disables
+
+#max_replication_slots = 10	# max number of replication slots
+				# (change requires restart)
+#track_commit_timestamp = off	# collect timestamp of transaction commit
+				# (change requires restart)
+
+# - Master Server -
+
+# These settings are ignored on a standby server.
+
+#synchronous_standby_names = ''	# standby servers that provide sync rep
+				# method to choose sync standbys, number of sync standbys,
+				# and comma-separated list of application_name
+				# from standby(s); '*' = all
+#vacuum_defer_cleanup_age = 0	# number of xacts by which cleanup is delayed
+
+# - Standby Servers -
+
+# These settings are ignored on a master server.
+
+#primary_conninfo = ''			# connection string to sending server
+#primary_slot_name = ''			# replication slot on sending server
+#promote_trigger_file = ''		# file name whose presence ends recovery
+#hot_standby = on			# "off" disallows queries during recovery
+					# (change requires restart)
+#max_standby_archive_delay = 30s	# max delay before canceling queries
+					# when reading WAL from archive;
+					# -1 allows indefinite delay
+#max_standby_streaming_delay = 30s	# max delay before canceling queries
+					# when reading streaming WAL;
+					# -1 allows indefinite delay
+#wal_receiver_create_temp_slot = off	# create temp slot if primary_slot_name
+					# is not set
+#wal_receiver_status_interval = 10s	# send replies at least this often
+					# 0 disables
+#hot_standby_feedback = off		# send info from standby to prevent
+					# query conflicts
+#wal_receiver_timeout = 60s		# time that receiver waits for
+					# communication from master
+					# in milliseconds; 0 disables
+#wal_retrieve_retry_interval = 5s	# time to wait before retrying to
+					# retrieve WAL after a failed attempt
+#recovery_min_apply_delay = 0		# minimum delay for applying changes during recovery
+
+# - Subscribers -
+
+# These settings are ignored on a publisher.
+
+#max_logical_replication_workers = 4	# taken from max_worker_processes
+					# (change requires restart)
+#max_sync_workers_per_subscription = 2	# taken from max_logical_replication_workers
+
+
+#------------------------------------------------------------------------------
+# QUERY TUNING
+#------------------------------------------------------------------------------
+
+# - Planner Method Configuration -
+
+#enable_bitmapscan = on
+#enable_hashagg = on
+#enable_hashjoin = on
+#enable_indexscan = on
+#enable_indexonlyscan = on
+#enable_material = on
+#enable_mergejoin = on
+#enable_nestloop = on
+#enable_parallel_append = on
+#enable_seqscan = on
+#enable_sort = on
+#enable_incremental_sort = on
+#enable_tidscan = on
+#enable_partitionwise_join = off
+#enable_partitionwise_aggregate = off
+#enable_parallel_hash = on
+#enable_partition_pruning = on
+
+# - Planner Cost Constants -
+
+#seq_page_cost = 1.0			# measured on an arbitrary scale
+#random_page_cost = 4.0			# same scale as above
+#cpu_tuple_cost = 0.01			# same scale as above
+#cpu_index_tuple_cost = 0.005		# same scale as above
+#cpu_operator_cost = 0.0025		# same scale as above
+#parallel_tuple_cost = 0.1		# same scale as above
+#parallel_setup_cost = 1000.0	# same scale as above
+
+#jit_above_cost = 100000		# perform JIT compilation if available
+					# and query more expensive than this;
+					# -1 disables
+#jit_inline_above_cost = 500000		# inline small functions if query is
+					# more expensive than this; -1 disables
+#jit_optimize_above_cost = 500000	# use expensive JIT optimizations if
+					# query is more expensive than this;
+					# -1 disables
+
+#min_parallel_table_scan_size = 8MB
+#min_parallel_index_scan_size = 512kB
+#effective_cache_size = 4GB
+effective_cache_size = §§{pg_effective_cache_size}§§pg_effective_cache_size_unit
+
+# - Genetic Query Optimizer -
+
+#geqo = on
+#geqo_threshold = 12
+#geqo_effort = 5			# range 1-10
+#geqo_pool_size = 0			# selects default based on effort
+#geqo_generations = 0			# selects default based on effort
+#geqo_selection_bias = 2.0		# range 1.5-2.0
+#geqo_seed = 0.0			# range 0.0-1.0
+
+# - Other Planner Options -
+
+#default_statistics_target = 100	# range 1-10000
+#constraint_exclusion = partition	# on, off, or partition
+#cursor_tuple_fraction = 0.1		# range 0.0-1.0
+#from_collapse_limit = 8
+#join_collapse_limit = 8		# 1 disables collapsing of explicit
+					# JOIN clauses
+#force_parallel_mode = off
+#jit = on				# allow JIT compilation
+#plan_cache_mode = auto			# auto, force_generic_plan or
+					# force_custom_plan
+
+
+#------------------------------------------------------------------------------
+# REPORTING AND LOGGING
+#------------------------------------------------------------------------------
+
+# - Where to Log -
+
+#>GNUNUX
+#log_destination = 'stderr'		# Valid values are combinations of
+					# stderr, csvlog, syslog, and eventlog,
+					# depending on platform.  csvlog
+					# requires logging_collector to be on.
+log_destination = 'syslog'
+#<GNUNUX
+# This is used when logging to stderr:
+#logging_collector = off		# Enable capturing of stderr and csvlog
+					# into log files. Required to be on for
+					# csvlogs.
+					# (change requires restart)
+
+# These are only used if logging_collector is on:
+#log_directory = 'pg_log'		# directory where log files are written,
+					# can be absolute or relative to PGDATA
+#log_filename = 'postgresql-%Y-%m-%d_%H%M%S.log'	# log file name pattern,
+					# can include strftime() escapes
+#log_file_mode = 0600			# creation mode for log files,
+					# begin with 0 to use octal notation
+#log_truncate_on_rotation = off		# If on, an existing log file with the
+					# same name as the new log file will be
+					# truncated rather than appended to.
+					# But such truncation only occurs on
+					# time-driven rotation, not on restarts
+					# or size-driven rotation.  Default is
+					# off, meaning append to existing files
+					# in all cases.
+#log_rotation_age = 1d			# Automatic rotation of logfiles will
+					# happen after that time.  0 disables.
+#log_rotation_size = 10MB		# Automatic rotation of logfiles will
+					# happen after that much log output.
+					# 0 disables.
+
+# These are relevant when logging to syslog:
+#syslog_facility = 'LOCAL0'
+#syslog_ident = 'postgres'
+#syslog_sequence_numbers = on
+#syslog_split_messages = on
+
+# This is only relevant when logging to eventlog (win32):
+# (change requires restart)
+#event_source = 'PostgreSQL'
+
+# - When to Log -
+
+#log_min_messages = warning		# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   info
+					#   notice
+					#   warning
+					#   error
+					#   log
+					#   fatal
+					#   panic
+
+#log_min_error_statement = error	# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   info
+					#   notice
+					#   warning
+					#   error
+					#   log
+					#   fatal
+					#   panic (effectively off)
+
+#log_min_duration_statement = -1	# -1 is disabled, 0 logs all statements
+					# and their durations, > 0 logs only
+					# statements running at least this number
+					# of milliseconds
+
+#log_min_duration_sample = -1		# -1 is disabled, 0 logs a sample of statements
+					# and their durations, > 0 logs only a sample of
+					# statements running at least this number
+					# of milliseconds;
+					# sample fraction is determined by log_statement_sample_rate
+
+#log_statement_sample_rate = 1.0	# fraction of logged statements exceeding
+					# log_min_duration_sample to be logged;
+					# 1.0 logs all such statements, 0.0 never logs
+
+
+#log_transaction_sample_rate = 0.0	# fraction of transactions whose statements
+					# are logged regardless of their duration; 1.0 logs all
+					# statements from all transactions, 0.0 never logs
+
+# - What to Log -
+
+#debug_print_parse = off
+#debug_print_rewritten = off
+#debug_print_plan = off
+#debug_pretty_print = on
+#log_checkpoints = off
+#log_connections = off
+#log_disconnections = off
+#log_duration = off
+#log_error_verbosity = default		# terse, default, or verbose messages
+#log_hostname = off
+#log_line_prefix = '%m [%p] '		# special values:
+					#   %a = application name
+					#   %u = user name
+					#   %d = database name
+					#   %r = remote host and port
+					#   %h = remote host
+					#   %b = backend type
+					#   %p = process ID
+					#   %t = timestamp without milliseconds
+					#   %m = timestamp with milliseconds
+					#   %n = timestamp with milliseconds (as a Unix epoch)
+					#   %i = command tag
+					#   %e = SQL state
+					#   %c = session ID
+					#   %l = session line number
+					#   %s = session start timestamp
+					#   %v = virtual transaction ID
+					#   %x = transaction ID (0 if none)
+					#   %q = stop here in non-session
+					#        processes
+					#   %% = '%'
+					# e.g. '<%u%%%d> '
+#log_lock_waits = off			# log lock waits >= deadlock_timeout
+#log_parameter_max_length = -1		# when logging statements, limit logged
+					# bind-parameter values to N bytes;
+					# -1 means print in full, 0 disables
+#log_parameter_max_length_on_error = 0	# when logging an error, limit logged
+					# bind-parameter values to N bytes;
+					# -1 means print in full, 0 disables
+#log_statement = 'none'			# none, ddl, mod, all
+#log_replication_commands = off
+#log_temp_files = -1			# log temporary files equal or larger
+					# than the specified size in kilobytes;
+					# -1 disables, 0 logs all temp files
+#FIXME en dure ?
+log_timezone = 'Europe/Paris'
+
+#------------------------------------------------------------------------------
+# PROCESS TITLE
+#------------------------------------------------------------------------------
+
+#cluster_name = ''			# added to process titles if nonempty
+					# (change requires restart)
+#update_process_title = on
+
+
+#------------------------------------------------------------------------------
+# STATISTICS
+#------------------------------------------------------------------------------
+
+# - Query and Index Statistics Collector -
+
+#track_activities = on
+#track_counts = on
+#track_io_timing = off
+#track_functions = none			# none, pl, all
+#track_activity_query_size = 1024	# (change requires restart)
+#stats_temp_directory = 'pg_stat_tmp'
+
+
+# - Monitoring -
+
+#log_parser_stats = off
+#log_planner_stats = off
+#log_executor_stats = off
+#log_statement_stats = off
+
+
+#------------------------------------------------------------------------------
+# AUTOVACUUM
+#------------------------------------------------------------------------------
+
+#autovacuum = on			# Enable autovacuum subprocess?  'on'
+					# requires track_counts to also be on.
+#>GNUNUX
+§if §§pg_autovacuum
+autovacuum = on
+§else
+autovacuum = off
+§end if
+#<GNUNUX
+#log_autovacuum_min_duration = -1	# -1 disables, 0 logs all actions and
+					# their durations, > 0 logs only
+					# actions running at least this number
+					# of milliseconds.
+#autovacuum_max_workers = 3		# max number of autovacuum subprocesses
+					# (change requires restart)
+#autovacuum_naptime = 1min		# time between autovacuum runs
+#autovacuum_vacuum_threshold = 50	# min number of row updates before
+					# vacuum
+#autovacuum_vacuum_insert_threshold = 1000	# min number of row inserts
+					# before vacuum; -1 disables insert
+					# vacuums
+#autovacuum_analyze_threshold = 50	# min number of row updates before
+					# analyze
+#autovacuum_vacuum_scale_factor = 0.2	# fraction of table size before vacuum
+#autovacuum_vacuum_insert_scale_factor = 0.2	# fraction of inserts over table
+					# size before insert vacuum
+#autovacuum_analyze_scale_factor = 0.1	# fraction of table size before analyze
+#autovacuum_freeze_max_age = 200000000	# maximum XID age before forced vacuum
+					# (change requires restart)
+#autovacuum_multixact_freeze_max_age = 400000000	# maximum multixact age
+					# before forced vacuum
+					# (change requires restart)
+#autovacuum_vacuum_cost_delay = 2ms	# default vacuum cost delay for
+					# autovacuum, in milliseconds;
+					# -1 means use vacuum_cost_delay
+#autovacuum_vacuum_cost_limit = -1	# default vacuum cost limit for
+					# autovacuum, -1 means use
+					# vacuum_cost_limit
+
+
+#------------------------------------------------------------------------------
+# CLIENT CONNECTION DEFAULTS
+#------------------------------------------------------------------------------
+
+# - Statement Behavior -
+
+#client_min_messages = notice		# values in order of decreasing detail:
+					#   debug5
+					#   debug4
+					#   debug3
+					#   debug2
+					#   debug1
+					#   log
+					#   notice
+					#   warning
+					#   error
+#search_path = '"$user", public'	# schema names
+#row_security = on
+#default_tablespace = ''		# a tablespace name, '' uses the default
+#temp_tablespaces = ''			# a list of tablespace names, '' uses
+					# only default tablespace
+#default_table_access_method = 'heap'
+#check_function_bodies = on
+#default_transaction_isolation = 'read committed'
+#default_transaction_read_only = off
+#default_transaction_deferrable = off
+#session_replication_role = 'origin'
+#statement_timeout = 0			# in milliseconds, 0 is disabled
+#lock_timeout = 0			# in milliseconds, 0 is disabled
+#idle_in_transaction_session_timeout = 0	# in milliseconds, 0 is disabled
+#vacuum_freeze_min_age = 50000000
+#vacuum_freeze_table_age = 150000000
+#vacuum_multixact_freeze_min_age = 5000000
+#vacuum_multixact_freeze_table_age = 150000000
+#vacuum_cleanup_index_scale_factor = 0.1	# fraction of total number of tuples
+						# before index cleanup, 0 always performs
+						# index cleanup
+#bytea_output = 'hex'			# hex, escape
+#xmlbinary = 'base64'
+#xmloption = 'content'
+#gin_fuzzy_search_limit = 0
+#gin_pending_list_limit = 4MB
+
+# - Locale and Formatting -
+
+datestyle = 'iso, dmy'
+#intervalstyle = 'postgres'
+#FIXME en dure ?
+timezone = 'Europe/Paris'
+#timezone_abbreviations = 'Default'     # Select the set of available time zone
+					# abbreviations.  Currently, there are
+					#   Default
+					#   Australia (historical usage)
+					#   India
+					# You can create your own file in
+					# share/timezonesets/.
+#extra_float_digits = 1			# min -15, max 3; any value >0 actually
+					# selects precise output mode
+#client_encoding = sql_ascii		# actually, defaults to database
+					# encoding
+
+# These settings are initialized by initdb, but they can be changed.
+#FIXME en dure ?
+lc_messages = 'fr_FR.UTF-8'			# locale for system error message
+					# strings
+lc_monetary = 'fr_FR.UTF-8'			# locale for monetary formatting
+lc_numeric = 'fr_FR.UTF-8'			# locale for number formatting
+lc_time = 'fr_FR.UTF-8'				# locale for time formatting
+
+# default configuration for text search
+default_text_search_config = 'pg_catalog.french'
+
+# - Shared Library Preloading -
+
+#shared_preload_libraries = ''	# (change requires restart)
+#local_preload_libraries = ''
+#session_preload_libraries = ''
+#jit_provider = 'llvmjit'		# JIT library to use
+
+# - Other Defaults -
+
+#dynamic_library_path = '$libdir'
+
+
+#------------------------------------------------------------------------------
+# LOCK MANAGEMENT
+#------------------------------------------------------------------------------
+
+#deadlock_timeout = 1s
+#max_locks_per_transaction = 64		# min 10
+					# (change requires restart)
+#max_pred_locks_per_transaction = 64	# min 10
+					# (change requires restart)
+#max_pred_locks_per_relation = -2	# negative values mean
+					# (max_pred_locks_per_transaction
+					#  / -max_pred_locks_per_relation) - 1
+#max_pred_locks_per_page = 2            # min 0
+
+
+#------------------------------------------------------------------------------
+# VERSION AND PLATFORM COMPATIBILITY
+#------------------------------------------------------------------------------
+
+# - Previous PostgreSQL Versions -
+
+#array_nulls = on
+#backslash_quote = safe_encoding	# on, off, or safe_encoding
+#escape_string_warning = on
+#lo_compat_privileges = off
+#operator_precedence_warning = off
+#quote_all_identifiers = off
+#standard_conforming_strings = on
+#synchronize_seqscans = on
+
+# - Other Platforms and Clients -
+
+#transform_null_equals = off
+
+
+#------------------------------------------------------------------------------
+# ERROR HANDLING
+#------------------------------------------------------------------------------
+
+#exit_on_error = off			# terminate session on any error?
+#restart_after_crash = on		# reinitialize after backend crash?
+#data_sync_retry = off			# retry or panic on failure to fsync
+					# data?
+					# (change requires restart)
+
+
+#------------------------------------------------------------------------------
+# CONFIG FILE INCLUDES
+#------------------------------------------------------------------------------
+
+# These options allow settings to be loaded from files other than the
+# default postgresql.conf.  Note that these are directives, not variable
+# assignments, so they can usefully be given more than once.
+
+#include_dir = '...'			# include files ending in '.conf' from
+					# a directory, e.g., 'conf.d'
+#include_if_exists = '...'		# include file only if it exists
+#include = '...'			# include file
+
+
+#------------------------------------------------------------------------------
+# CUSTOMIZED OPTIONS
+#------------------------------------------------------------------------------
+
+# Add settings for extensions here
diff --git a/seed/applicationservice/2022.03.08/postgresql-server/templates/postgresql.service b/seed/applicationservice/2022.03.08/postgresql-server/templates/postgresql.service
new file mode 100644
index 0000000..2e4e745
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postgresql-server/templates/postgresql.service
@@ -0,0 +1,11 @@
+[Service]
+ExecStartPre=
+ExecStartPre=+/usr/local/lib/bin/postgresql_init
+ExecStartPre=/usr/libexec/postgresql-check-db-dir %N
+Environment=PGDATA=/srv/postgresql
+Environment=PG_CONF=/etc/postgresql/postgresql.conf
+Environment=PG_HBA=/etc/postgresql/pg_hba.conf
+Environment=PG_IDENT=/etc/postgresql/pg_ident.conf
+ExecStart=
+ExecStart=/usr/bin/postmaster -D ${PGDATA} -c config_file=${PG_CONF} -c hba_file=${PG_HBA} -c ident_file=${PG_IDENT}
+ExecStartPost=-/usr/bin/psql -f /etc/postgresql/postgresql.sql
diff --git a/seed/applicationservice/2022.03.08/postgresql-server/templates/postgresql.sql b/seed/applicationservice/2022.03.08/postgresql-server/templates/postgresql.sql
new file mode 100644
index 0000000..312b46e
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postgresql-server/templates/postgresql.sql
@@ -0,0 +1,6 @@
+%for %%server in %%accounts.remotes
+ %set %%name = %%normalize_family(%%server)
+CREATE DATABASE "%%name";
+CREATE ROLE "%%name" WITH LOGIN ENCRYPTED PASSWORD '%%accounts["remote_" + %%name]["password_" + %%name]';
+GRANT ALL PRIVILEGES ON DATABASE "%%name" TO "%%name";
+%end for
diff --git a/seed/applicationservice/2022.03.08/postgresql-server/templates/postgresql_init b/seed/applicationservice/2022.03.08/postgresql-server/templates/postgresql_init
new file mode 100644
index 0000000..fc84c6c
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postgresql-server/templates/postgresql_init
@@ -0,0 +1,14 @@
+#!/bin/bash -e
+
+[ -d "/srv/postgresql" ] && exit 0 || true
+
+/bin/mkdir /srv/postgresql
+/bin/chown postgres: /srv/postgresql
+mkdir /var/lib/pgsql
+/bin/chown postgres: /var/lib/pgsql
+/usr/bin/postgresql-setup --initdb
+/bin/rm /srv/postgresql/postgresql.conf
+/bin/rm /srv/postgresql/pg_hba.conf  
+/bin/rm /srv/postgresql/pg_ident.conf
+
+exit 0
diff --git a/seed/applicationservice/2022.03.08/postgresql-server/templates/sysuser-postgresql.conf b/seed/applicationservice/2022.03.08/postgresql-server/templates/sysuser-postgresql.conf
new file mode 100644
index 0000000..d07f84f
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/postgresql-server/templates/sysuser-postgresql.conf
@@ -0,0 +1,3 @@
+g postgres 26 -
+u postgres 26:26     "PostgreSQL Server" /srv/postgresql  /bin/bash
+
diff --git a/seed/applicationservice/2022.03.08/provider-systemd-machined/applicationservice.yml b/seed/applicationservice/2022.03.08/provider-systemd-machined/applicationservice.yml
new file mode 100644
index 0000000..2b3a7d5
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/provider-systemd-machined/applicationservice.yml
@@ -0,0 +1,5 @@
+format: '0.1'
+description: Information for Systemd Machined
+provider: true
+depends:
+  - systemd
diff --git a/seed/applicationservice/2022.03.08/provider-systemd-machined/dictionaries/21-machined.xml b/seed/applicationservice/2022.03.08/provider-systemd-machined/dictionaries/21-machined.xml
new file mode 100644
index 0000000..9675731
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/provider-systemd-machined/dictionaries/21-machined.xml
@@ -0,0 +1,79 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rougail version="0.10">
+  <services>
+    <service name='dev-hugepages' type='mount' disabled="True"/>
+    <service name='systemd-oomd' disabled="True"/>
+    <service name='systemd-homed' disabled="True"/>
+    <service name="systemd-networkd">
+      <file redefine='True' disabled='True'>link_configurations</file>
+    </service>
+  </services>
+  <variables>
+    <variable name="container_srv_path" type="filename" description="Nom du répertoire racine des données">
+      <value>/var/lib/risotto/srv</value>
+    </variable>
+    <variable name="container_config_path" type="filename" description="Nom du répertoire racine des configurations">
+      <value>/var/lib/risotto/configurations</value>
+    </variable>
+    <variable name="host" type="hostname" description="Machine où est démarrer le conteneur" mandatory="True"/>
+    <variable name="external_ports" type="port" description="Port exposé depuis l'extérieur" multi="True"/>
+    <variable name="srv_dir" type="filename" hidden="True"/>
+    <variable name="config_dir" type="filename" hidden="True" mandatory="True"/>
+    <variable name="use_systemd_repart" redefine="True">
+      <value>False</value>
+    </variable>
+    <variable name="netwokd_interface_name_type" redefine="True">
+      <value>host</value>
+    </variable>
+  </variables>
+  <constraints>
+    <condition name="disabled_if_in" source="machine.add_srv">
+      <param>False</param>
+      <target type="variable">srv_dir</target>
+    </condition>
+    <fill name="calc_value">
+      <param type="variable">container_srv_path</param>
+      <param>/</param>
+      <param type="variable">domain_name_eth0</param>
+      <param name="join"></param>
+      <target>srv_dir</target>
+    </fill>
+    <fill name="calc_value">
+      <param type="variable">container_config_path</param>
+      <param>/</param>
+      <param type="variable">domain_name_eth0</param>
+      <param name="join"></param>
+      <target>config_dir</target>
+    </fill>
+    <check name="set_linked">
+      <param name="linked_provider">machines</param>
+      <param name="linked_value" type="variable">domain_name_eth0</param>
+      <target>host</target>
+    </check>
+    <check name="set_linked_configuration">
+      <param name="linked_server" type="variable">host</param>
+      <param name="linked_provider">external_ports</param>
+      <param name="dynamic" type="variable">domain_name_eth0</param>
+      <target>external_ports</target>
+    </check>
+    <check name="set_linked_configuration">
+      <param name="linked_server" type="variable">host</param>
+      <param name="linked_provider">machine_srv</param>
+      <param name="dynamic" type="variable">domain_name_eth0</param>
+      <target>srv_dir</target>
+    </check>
+    <check name="set_linked_configuration">
+      <param name="linked_server" type="variable">host</param>
+      <param name="linked_provider">machine_config</param>
+      <param name="dynamic" type="variable">domain_name_eth0</param>
+      <target>config_dir</target>
+    </check>
+    <check name="set_linked_configuration">
+      <param name="linked_server" type="variable">host</param>
+      <param name="linked_provider">machine_zones</param>
+      <param name="dynamic" type="variable">domain_name_eth0</param>
+      <target>zones_list</target>
+    </check>
+  </constraints>
+</rougail>
+
diff --git a/seed/applicationservice/2022.03.08/redis-client/applicationservice.yml b/seed/applicationservice/2022.03.08/redis-client/applicationservice.yml
new file mode 100644
index 0000000..9396c51
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/redis-client/applicationservice.yml
@@ -0,0 +1,2 @@
+format: '0.1'
+description: Redis client
diff --git a/seed/applicationservice/2022.03.08/redis-client/dictionaries/23_redis.xml b/seed/applicationservice/2022.03.08/redis-client/dictionaries/23_redis.xml
new file mode 100644
index 0000000..9d76005
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/redis-client/dictionaries/23_redis.xml
@@ -0,0 +1,31 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <variables>
+    <family name="redis" description="Redis">
+      <variable name="redis_client_server_domainname" type="domainname" description="Nom de domaine du serveur" mandatory="True"/>
+      <variable name="redis_client_username" description="Nom d'utilisateur" mandatory="True" hidden="True"/>
+      <variable name="redis_client_password" type="password" description="Mot de passe de connexion" mandatory="True" hidden="True"/>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="set_linked">
+      <param name="linked_server" type="variable">redis_client_server_domainname</param>
+      <param name="linked_provider">redis_client</param>
+      <param name="linked_value" type="variable">domain_name_eth0</param>
+      <target>redis_client_username</target>
+    </fill>
+    <fill name="get_linked_configuration">
+      <param name="linked_server" type="variable">redis_client_server_domainname</param>
+      <param name="linked_provider">redis_client_password</param>
+      <param name="dynamic" type="variable">redis_client_username</param>
+      <target>redis_client_password</target>
+    </fill>
+    <check name="set_linked_configuration">
+      <param name="linked_server" type="variable">redis_client_server_domainname</param>
+      <param name="linked_provider">redis_client_ip</param>
+      <param name="linked_value" type="variable">ip_eth0</param>
+      <param name="dynamic" type="variable">redis_client_username</param>
+      <target>redis_client_password</target>
+    </check>
+  </constraints>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/redis-server/DEBUG.md b/seed/applicationservice/2022.03.08/redis-server/DEBUG.md
new file mode 100644
index 0000000..9b911e7
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/redis-server/DEBUG.md
@@ -0,0 +1,5 @@
+# Tester si le redis est utilisé :
+
+redis-cli -a FFCHtN-HWO_X6-bVaXgw MONITOR
+
+Puis naviger sur l'application
diff --git a/seed/applicationservice/2022.03.08/redis-server/applicationservice.yml b/seed/applicationservice/2022.03.08/redis-server/applicationservice.yml
new file mode 100644
index 0000000..0c898fe
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/redis-server/applicationservice.yml
@@ -0,0 +1,4 @@
+format: '0.1'
+description: Redis
+depends:
+  - base-fedora-35
diff --git a/seed/applicationservice/2022.03.08/redis-server/creolefuncs/redis.py b/seed/applicationservice/2022.03.08/redis-server/creolefuncs/redis.py
new file mode 100644
index 0000000..967f764
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/redis-server/creolefuncs/redis.py
@@ -0,0 +1,11 @@
+# -*- coding: utf-8 -*-
+
+
+#
+# just add 2 numbers ...
+#
+def add(num1, num2):
+    return str(int(num1) + int(num2)).decode("utf-8")
+
+def intAdd(num1, num2):
+    return int(num1) + int(num2)
diff --git a/seed/applicationservice/2022.03.08/redis-server/dictionaries/90_redis.xml b/seed/applicationservice/2022.03.08/redis-server/dictionaries/90_redis.xml
new file mode 100644
index 0000000..6730547
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/redis-server/dictionaries/90_redis.xml
@@ -0,0 +1,45 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name="redis" target="multi-user">
+      <file>/etc/redis/redis.conf</file>
+      <ip ip_type='variable'>account.remote_ip</ip>
+      <file engine="none" source="sysuser-redis.conf">/sysusers.d/0redis.conf</file>
+      <file engine="none" source="tmpfile-redis.conf">/tmpfiles.d/0redis.conf</file>
+    </service>
+  </services>
+  <variables>
+    <family name="redis" description="Redis" help="Configuration du service de cache Redis">
+      <variable name="redis_instance_name" description="Nom de l'instance"/>
+      <variable name="redis_save" description="Activer la persistence des données">
+          <value>False</value>
+      </variable>
+      <variable name="redis_max_memory" type="number" description="Quantité de mémoire utilisable par Redis" help="La valeur est en Mo">
+        <value>512</value>
+      </variable>
+      <variable name="redis_memory_policy" description="Méthode de libération de mémoire lorsque le maximum est atteint" type="choice">
+        <value>noeviction</value>
+        <choice>volatile-lru</choice>
+        <choice>allkeys-lru</choice>
+        <choice>volatile-lfu</choice>
+        <choice>allkeys-lfu</choice>
+        <choice>volatile-random</choice>
+        <choice>allkeys-random</choice>
+        <choice>volatile-ttl</choice>
+        <choice>noeviction</choice>
+      </variable>
+      <variable name="redis_tcp_keepalive" type="number" description="Intervalle entre le dernier envoi de paquet TCP et la réponse ACK" help="La valeur est en seconde">
+        <value>60</value>
+      </variable>
+      <variable name="redis_max_clients" type="number" description="Nombre de client maximum autorisé">
+        <value>10000</value>
+      </variable>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="calc_value">
+      <param type="variable">domain_name_eth0</param>
+      <target>redis_instance_name</target>
+    </fill>
+  </constraints>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/redis-server/extras/account/00_account.xml b/seed/applicationservice/2022.03.08/redis-server/extras/account/00_account.xml
new file mode 100644
index 0000000..19ba54a
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/redis-server/extras/account/00_account.xml
@@ -0,0 +1,18 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <variables>
+    <variable name="remote" description="Remote client needing an account" type="domainname" provider="redis_client" mandatory="True"/>
+    <variable name="remote_ip" description="Remote IP" type="ip" provider="redis_client_ip" mandatory="True"/>
+    <variable name="password" description="Remote password" auto_save="True" hidden="True" type="password" mandatory="True" provider="redis_client_password"/>
+  </variables>
+  <constraints>
+    <fill name="get_password">
+      <param name="server_name" type="variable">domain_name_eth0</param>
+      <param name="username" type="variable">account.remote</param>
+      <param name="description">redis</param>
+      <param name="type">cleartext</param>
+      <target>account.password</target>
+    </fill>
+  </constraints>
+</rougail>
+
diff --git a/seed/applicationservice/2022.03.08/redis-server/manual/image/preinstall/redis-server.sh b/seed/applicationservice/2022.03.08/redis-server/manual/image/preinstall/redis-server.sh
new file mode 100644
index 0000000..71dc98d
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/redis-server/manual/image/preinstall/redis-server.sh
@@ -0,0 +1 @@
+PKG="$PKG redis"
diff --git a/seed/applicationservice/2022.03.08/redis-server/templates/redis.conf b/seed/applicationservice/2022.03.08/redis-server/templates/redis.conf
new file mode 100644
index 0000000..da6377e
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/redis-server/templates/redis.conf
@@ -0,0 +1,2091 @@
+# Redis configuration file example.
+#
+# Note that in order to read the configuration file, Redis must be
+# started with the file path as first argument:
+#
+# ./redis-server /path/to/redis.conf
+
+# Note on units: when memory size is needed, it is possible to specify
+# it in the usual form of 1k 5GB 4M and so forth:
+#
+# 1k => 1000 bytes
+# 1kb => 1024 bytes
+# 1m => 1000000 bytes
+# 1mb => 1024*1024 bytes
+# 1g => 1000000000 bytes
+# 1gb => 1024*1024*1024 bytes
+#
+# units are case insensitive so 1GB 1Gb 1gB are all the same.
+
+################################## INCLUDES ###################################
+
+# Include one or more other config files here.  This is useful if you
+# have a standard template that goes to all Redis servers but also need
+# to customize a few per-server settings.  Include files can include
+# other files, so use this wisely.
+#
+# Note that option "include" won't be rewritten by command "CONFIG REWRITE"
+# from admin or Redis Sentinel. Since Redis always uses the last processed
+# line as value of a configuration directive, you'd better put includes
+# at the beginning of this file to avoid overwriting config change at runtime.
+#
+# If instead you are interested in using includes to override configuration
+# options, it is better to use include as the last line.
+#
+# include /path/to/local.conf
+# include /path/to/other.conf
+
+################################## MODULES #####################################
+
+# Load modules at startup. If the server is not able to load modules
+# it will abort. It is possible to use multiple loadmodule directives.
+#
+# loadmodule /path/to/my_module.so
+# loadmodule /path/to/other_module.so
+
+################################## NETWORK #####################################
+
+# By default, if no "bind" configuration directive is specified, Redis listens
+# for connections from all available network interfaces on the host machine.
+# It is possible to listen to just one or multiple selected interfaces using
+# the "bind" configuration directive, followed by one or more IP addresses.
+# Each address can be prefixed by "-", which means that redis will not fail to
+# start if the address is not available. Being not available only refers to
+# addresses that does not correspond to any network interfece. Addresses that
+# are already in use will always fail, and unsupported protocols will always BE
+# silently skipped.
+#
+# Examples:
+#
+# bind 192.168.1.100 10.0.0.1     # listens on two specific IPv4 addresses
+# bind 127.0.0.1 ::1              # listens on loopback IPv4 and IPv6
+# bind * -::*                     # like the default, all available interfaces
+#
+# ~~~ WARNING ~~~ If the computer running Redis is directly exposed to the
+# internet, binding to all the interfaces is dangerous and will expose the
+# instance to everybody on the internet. So by default we uncomment the
+# following bind directive, that will force Redis to listen only on the
+# IPv4 and IPv6 (if available) loopback interface addresses (this means Redis
+# will only be able to accept client connections from the same host that it is
+# running on).
+#
+# IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES
+# JUST COMMENT OUT THE FOLLOWING LINE.
+# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+#>GNUNUX
+#bind 127.0.0.1 -::1
+bind 0.0.0.0
+#<GNUNUX
+
+# Protected mode is a layer of security protection, in order to avoid that
+# Redis instances left open on the internet are accessed and exploited.
+#
+# When protected mode is on and if:
+#
+# 1) The server is not binding explicitly to a set of addresses using the
+#    "bind" directive.
+# 2) No password is configured.
+#
+# The server only accepts connections from clients connecting from the
+# IPv4 and IPv6 loopback addresses 127.0.0.1 and ::1, and from Unix domain
+# sockets.
+#
+# By default protected mode is enabled. You should disable it only if
+# you are sure you want clients from other hosts to connect to Redis
+# even if no authentication is configured, nor a specific set of interfaces
+# are explicitly listed using the "bind" directive.
+#FIXMEprotected-mode yes
+protected-mode no
+
+# Accept connections on the specified port, default is 6379 (IANA #815344).
+# If port 0 is specified Redis will not listen on a TCP socket.
+port 6379
+
+# TCP listen() backlog.
+#
+# In high requests-per-second environments you need a high backlog in order
+# to avoid slow clients connection issues. Note that the Linux kernel
+# will silently truncate it to the value of /proc/sys/net/core/somaxconn so
+# make sure to raise both the value of somaxconn and tcp_max_syn_backlog
+# in order to get the desired effect.
+tcp-backlog 511
+
+# Unix socket.
+#
+# Specify the path for the Unix socket that will be used to listen for
+# incoming connections. There is no default, so Redis will not listen
+# on a unix socket when not specified.
+#
+# unixsocket /run/redis.sock
+# unixsocketperm 700
+
+# Close the connection after a client is idle for N seconds (0 to disable)
+timeout 0
+
+# TCP keepalive.
+#
+# If non-zero, use SO_KEEPALIVE to send TCP ACKs to clients in absence
+# of communication. This is useful for two reasons:
+#
+# 1) Detect dead peers.
+# 2) Force network equipment in the middle to consider the connection to be
+#    alive.
+#
+# On Linux, the specified value (in seconds) is the period used to send ACKs.
+# Note that to close the connection the double of the time is needed.
+# On other kernels the period depends on the kernel configuration.
+#
+# A reasonable value for this option is 300 seconds, which is the new
+# Redis default starting with Redis 3.2.1.
+#>GNUNUX
+#tcp-keepalive 300
+tcp-keepalive %%redis_tcp_keepalive
+#<GNUNUX
+#FIXME TLS !!
+################################# TLS/SSL #####################################
+
+# By default, TLS/SSL is disabled. To enable it, the "tls-port" configuration
+# directive can be used to define TLS-listening ports. To enable TLS on the
+# default port, use:
+#
+# port 0
+# tls-port 6379
+
+# Configure a X.509 certificate and private key to use for authenticating the
+# server to connected clients, masters or cluster peers.  These files should be
+# PEM formatted.
+#
+# tls-cert-file redis.crt 
+# tls-key-file redis.key
+#
+# If the key file is encrypted using a passphrase, it can be included here
+# as well.
+#
+# tls-key-file-pass secret
+
+# Normally Redis uses the same certificate for both server functions (accepting
+# connections) and client functions (replicating from a master, establishing
+# cluster bus connections, etc.).
+#
+# Sometimes certificates are issued with attributes that designate them as
+# client-only or server-only certificates. In that case it may be desired to use
+# different certificates for incoming (server) and outgoing (client)
+# connections. To do that, use the following directives:
+#
+# tls-client-cert-file client.crt
+# tls-client-key-file client.key
+#
+# If the key file is encrypted using a passphrase, it can be included here
+# as well.
+#
+# tls-client-key-file-pass secret
+
+# Configure a DH parameters file to enable Diffie-Hellman (DH) key exchange:
+#
+# tls-dh-params-file redis.dh
+
+# Configure a CA certificate(s) bundle or directory to authenticate TLS/SSL
+# clients and peers.  Redis requires an explicit configuration of at least one
+# of these, and will not implicitly use the system wide configuration.
+#
+# tls-ca-cert-file ca.crt
+# tls-ca-cert-dir /etc/ssl/certs
+
+# By default, clients (including replica servers) on a TLS port are required
+# to authenticate using valid client side certificates.
+#
+# If "no" is specified, client certificates are not required and not accepted.
+# If "optional" is specified, client certificates are accepted and must be
+# valid if provided, but are not required.
+#
+# tls-auth-clients no
+# tls-auth-clients optional
+
+# By default, a Redis replica does not attempt to establish a TLS connection
+# with its master.
+#
+# Use the following directive to enable TLS on replication links.
+#
+# tls-replication yes
+
+# By default, the Redis Cluster bus uses a plain TCP connection. To enable
+# TLS for the bus protocol, use the following directive:
+#
+# tls-cluster yes
+
+# By default, only TLSv1.2 and TLSv1.3 are enabled and it is highly recommended
+# that older formally deprecated versions are kept disabled to reduce the attack surface.
+# You can explicitly specify TLS versions to support.
+# Allowed values are case insensitive and include "TLSv1", "TLSv1.1", "TLSv1.2",
+# "TLSv1.3" (OpenSSL >= 1.1.1) or any combination.
+# To enable only TLSv1.2 and TLSv1.3, use:
+#
+# tls-protocols "TLSv1.2 TLSv1.3"
+
+# Configure allowed ciphers.  See the ciphers(1ssl) manpage for more information
+# about the syntax of this string.
+#
+# Note: this configuration applies only to <= TLSv1.2.
+#
+# tls-ciphers DEFAULT:!MEDIUM
+
+# Configure allowed TLSv1.3 ciphersuites.  See the ciphers(1ssl) manpage for more
+# information about the syntax of this string, and specifically for TLSv1.3
+# ciphersuites.
+#
+# tls-ciphersuites TLS_CHACHA20_POLY1305_SHA256
+
+# When choosing a cipher, use the server's preference instead of the client
+# preference. By default, the server follows the client's preference.
+#
+# tls-prefer-server-ciphers yes
+
+# By default, TLS session caching is enabled to allow faster and less expensive
+# reconnections by clients that support it. Use the following directive to disable
+# caching.
+#
+# tls-session-caching no
+
+# Change the default number of TLS sessions cached. A zero value sets the cache
+# to unlimited size. The default size is 20480.
+#
+# tls-session-cache-size 5000
+
+# Change the default timeout of cached TLS sessions. The default timeout is 300
+# seconds.
+#
+# tls-session-cache-timeout 60
+
+################################# GENERAL #####################################
+
+# By default Redis does not run as a daemon. Use 'yes' if you need it.
+# Note that Redis will write a pid file in /var/run/redis.pid when daemonized.
+# When Redis is supervised by upstart or systemd, this parameter has no impact.
+daemonize no
+
+# If you run Redis from upstart or systemd, Redis can interact with your
+# supervision tree. Options:
+#   supervised no      - no supervision interaction
+#   supervised upstart - signal upstart by putting Redis into SIGSTOP mode
+#                        requires "expect stop" in your upstart job config
+#   supervised systemd - signal systemd by writing READY=1 to $NOTIFY_SOCKET
+#                        on startup, and updating Redis status on a regular
+#                        basis.
+#   supervised auto    - detect upstart or systemd method based on
+#                        UPSTART_JOB or NOTIFY_SOCKET environment variables
+# Note: these supervision methods only signal "process is ready."
+#       They do not enable continuous pings back to your supervisor.
+#
+# The default is "no". To run under upstart/systemd, you can simply uncomment
+# the line below:
+#
+# supervised auto
+#>GNUNUX
+supervised systemd
+#<GNUNUX
+
+# If a pid file is specified, Redis writes it where specified at startup
+# and removes it at exit.
+#
+# When the server runs non daemonized, no pid file is created if none is
+# specified in the configuration. When the server is daemonized, the pid file
+# is used even if not specified, defaulting to "/var/run/redis.pid".
+#
+# Creating a pid file is best effort: if Redis is not able to create it
+# nothing bad happens, the server will start and run normally.
+#
+# Note that on modern Linux systems "/run/redis.pid" is more conforming
+# and should be used instead.
+#>GNUNUX
+#pidfile /var/run/redis_6379.pid
+pidfile /run/redis.pid
+
+# Specify the server verbosity level.
+# This can be one of:
+# debug (a lot of information, useful for development/testing)
+# verbose (many rarely useful info, but not a mess like the debug level)
+# notice (moderately verbose, what you want in production probably)
+# warning (only very important / critical messages are logged)
+loglevel notice
+
+# Specify the log file name. Also the empty string can be used to force
+# Redis to log on the standard output. Note that if you use standard
+# output for logging but daemonize, logs will be sent to /dev/null
+#GNUNUX logfile /var/log/redis/redis.log
+
+# To enable logging to the system logger, just set 'syslog-enabled' to yes,
+# and optionally update the other syslog parameters to suit your needs.
+# syslog-enabled no
+#>GNUNUX
+syslog-enabled yes
+#<GNUNUX
+
+# Specify the syslog identity.
+# syslog-ident redis
+
+# Specify the syslog facility. Must be USER or between LOCAL0-LOCAL7.
+# syslog-facility local0
+
+# To disable the built in crash log, which will possibly produce cleaner core
+# dumps when they are needed, uncomment the following:
+#
+# crash-log-enabled no
+
+# To disable the fast memory check that's run as part of the crash log, which
+# will possibly let redis terminate sooner, uncomment the following:
+#
+# crash-memcheck-enabled no
+
+# Set the number of databases. The default database is DB 0, you can select
+# a different one on a per-connection basis using SELECT <dbid> where
+# dbid is a number between 0 and 'databases'-1
+databases 16
+
+# By default Redis shows an ASCII art logo only when started to log to the
+# standard output and if the standard output is a TTY and syslog logging is
+# disabled. Basically this means that normally a logo is displayed only in
+# interactive sessions.
+#
+# However it is possible to force the pre-4.0 behavior and always show a
+# ASCII art logo in startup logs by setting the following option to yes.
+always-show-logo no
+
+# By default, Redis modifies the process title (as seen in 'top' and 'ps') to
+# provide some runtime information. It is possible to disable this and leave
+# the process name as executed by setting the following to no.
+set-proc-title yes
+
+# When changing the process title, Redis uses the following template to construct
+# the modified title.
+#
+# Template variables are specified in curly brackets. The following variables are
+# supported:
+#
+# {title}           Name of process as executed if parent, or type of child process.
+# {listen-addr}     Bind address or '*' followed by TCP or TLS port listening on, or
+#                   Unix socket if only that's available.
+# {server-mode}     Special mode, i.e. "[sentinel]" or "[cluster]".
+# {port}            TCP port listening on, or 0.
+# {tls-port}        TLS port listening on, or 0.
+# {unixsocket}      Unix domain socket listening on, or "".
+# {config-file}     Name of configuration file used.
+#
+proc-title-template "{title} {listen-addr} {server-mode}"
+
+################################ SNAPSHOTTING  ################################
+
+# Save the DB to disk.
+#
+# save <seconds> <changes>
+#
+# Redis will save the DB if both the given number of seconds and the given
+# number of write operations against the DB occurred.
+#
+# Snapshotting can be completely disabled with a single empty string argument
+# as in following example:
+#
+# save ""
+#
+# Unless specified otherwise, by default Redis will save the DB:
+#   * After 3600 seconds (an hour) if at least 1 key changed
+#   * After 300 seconds (5 minutes) if at least 100 keys changed
+#   * After 60 seconds if at least 10000 keys changed
+#
+# You can set these explicitly by uncommenting the three following lines.
+#
+# save 3600 1
+# save 300 100
+# save 60 10000
+#   save ""
+#>GNUNUX
+%if %%redis_save
+save 900 1
+save 300 10
+save 60 10000
+%else
+save ""
+%end if
+#<GNUNUX
+
+# By default Redis will stop accepting writes if RDB snapshots are enabled
+# (at least one save point) and the latest background save failed.
+# This will make the user aware (in a hard way) that data is not persisting
+# on disk properly, otherwise chances are that no one will notice and some
+# disaster will happen.
+#
+# If the background saving process will start working again Redis will
+# automatically allow writes again.
+#
+# However if you have setup your proper monitoring of the Redis server
+# and persistence, you may want to disable this feature so that Redis will
+# continue to work as usual even if there are problems with disk,
+# permissions, and so forth.
+stop-writes-on-bgsave-error yes
+
+# Compress string objects using LZF when dump .rdb databases?
+# By default compression is enabled as it's almost always a win.
+# If you want to save some CPU in the saving child set it to 'no' but
+# the dataset will likely be bigger if you have compressible values or keys.
+rdbcompression yes
+
+# Since version 5 of RDB a CRC64 checksum is placed at the end of the file.
+# This makes the format more resistant to corruption but there is a performance
+# hit to pay (around 10%) when saving and loading RDB files, so you can disable it
+# for maximum performances.
+#
+# RDB files created with checksum disabled have a checksum of zero that will
+# tell the loading code to skip the check.
+rdbchecksum yes
+
+# Enables or disables full sanitation checks for ziplist and listpack etc when
+# loading an RDB or RESTORE payload. This reduces the chances of a assertion or
+# crash later on while processing commands.
+# Options:
+#   no         - Never perform full sanitation
+#   yes        - Always perform full sanitation
+#   clients    - Perform full sanitation only for user connections.
+#                Excludes: RDB files, RESTORE commands received from the master
+#                connection, and client connections which have the
+#                skip-sanitize-payload ACL flag.
+# The default should be 'clients' but since it currently affects cluster
+# resharding via MIGRATE, it is temporarily set to 'no' by default.
+#
+# sanitize-dump-payload no
+#>GNUNUX
+sanitize-dump-payload clients
+#<GNUNUX
+
+# The filename where to dump the DB
+dbfilename dump.rdb
+
+# Remove RDB files used by replication in instances without persistence
+# enabled. By default this option is disabled, however there are environments
+# where for regulations or other security concerns, RDB files persisted on
+# disk by masters in order to feed replicas, or stored on disk by replicas
+# in order to load them for the initial synchronization, should be deleted
+# ASAP. Note that this option ONLY WORKS in instances that have both AOF
+# and RDB persistence disabled, otherwise is completely ignored.
+#
+# An alternative (and sometimes better) way to obtain the same effect is
+# to use diskless replication on both master and replicas instances. However
+# in the case of replicas, diskless is not always an option.
+rdb-del-sync-files no
+
+# The working directory.
+#
+# The DB will be written inside this directory, with the filename specified
+# above using the 'dbfilename' configuration directive.
+#
+# The Append Only File will also be created inside this directory.
+#
+# Note that you must specify a directory here, not a file name.
+dir /srv/redis
+
+################################# REPLICATION #################################
+
+# Master-Replica replication. Use replicaof to make a Redis instance a copy of
+# another Redis server. A few things to understand ASAP about Redis replication.
+#
+#   +------------------+      +---------------+
+#   |      Master      | ---> |    Replica    |
+#   | (receive writes) |      |  (exact copy) |
+#   +------------------+      +---------------+
+#
+# 1) Redis replication is asynchronous, but you can configure a master to
+#    stop accepting writes if it appears to be not connected with at least
+#    a given number of replicas.
+# 2) Redis replicas are able to perform a partial resynchronization with the
+#    master if the replication link is lost for a relatively small amount of
+#    time. You may want to configure the replication backlog size (see the next
+#    sections of this file) with a sensible value depending on your needs.
+# 3) Replication is automatic and does not need user intervention. After a
+#    network partition replicas automatically try to reconnect to masters
+#    and resynchronize with them.
+#
+# replicaof <masterip> <masterport>
+
+# If the master is password protected (using the "requirepass" configuration
+# directive below) it is possible to tell the replica to authenticate before
+# starting the replication synchronization process, otherwise the master will
+# refuse the replica request.
+#
+# masterauth <master-password>
+#
+# However this is not enough if you are using Redis ACLs (for Redis version
+# 6 or greater), and the default user is not capable of running the PSYNC
+# command and/or other commands needed for replication. In this case it's
+# better to configure a special user to use with replication, and specify the
+# masteruser configuration as such:
+#
+# masteruser <username>
+#
+# When masteruser is specified, the replica will authenticate against its
+# master using the new AUTH form: AUTH <username> <password>.
+
+# When a replica loses its connection with the master, or when the replication
+# is still in progress, the replica can act in two different ways:
+#
+# 1) if replica-serve-stale-data is set to 'yes' (the default) the replica will
+#    still reply to client requests, possibly with out of date data, or the
+#    data set may just be empty if this is the first synchronization.
+#
+# 2) If replica-serve-stale-data is set to 'no' the replica will reply with
+#    an error "SYNC with master in progress" to all commands except:
+#    INFO, REPLICAOF, AUTH, PING, SHUTDOWN, REPLCONF, ROLE, CONFIG, SUBSCRIBE,
+#    UNSUBSCRIBE, PSUBSCRIBE, PUNSUBSCRIBE, PUBLISH, PUBSUB, COMMAND, POST,
+#    HOST and LATENCY.
+#
+replica-serve-stale-data yes
+
+# You can configure a replica instance to accept writes or not. Writing against
+# a replica instance may be useful to store some ephemeral data (because data
+# written on a replica will be easily deleted after resync with the master) but
+# may also cause problems if clients are writing to it because of a
+# misconfiguration.
+#
+# Since Redis 2.6 by default replicas are read-only.
+#
+# Note: read only replicas are not designed to be exposed to untrusted clients
+# on the internet. It's just a protection layer against misuse of the instance.
+# Still a read only replica exports by default all the administrative commands
+# such as CONFIG, DEBUG, and so forth. To a limited extent you can improve
+# security of read only replicas using 'rename-command' to shadow all the
+# administrative / dangerous commands.
+replica-read-only yes
+
+# Replication SYNC strategy: disk or socket.
+#
+# New replicas and reconnecting replicas that are not able to continue the
+# replication process just receiving differences, need to do what is called a
+# "full synchronization". An RDB file is transmitted from the master to the
+# replicas.
+#
+# The transmission can happen in two different ways:
+#
+# 1) Disk-backed: The Redis master creates a new process that writes the RDB
+#                 file on disk. Later the file is transferred by the parent
+#                 process to the replicas incrementally.
+# 2) Diskless: The Redis master creates a new process that directly writes the
+#              RDB file to replica sockets, without touching the disk at all.
+#
+# With disk-backed replication, while the RDB file is generated, more replicas
+# can be queued and served with the RDB file as soon as the current child
+# producing the RDB file finishes its work. With diskless replication instead
+# once the transfer starts, new replicas arriving will be queued and a new
+# transfer will start when the current one terminates.
+#
+# When diskless replication is used, the master waits a configurable amount of
+# time (in seconds) before starting the transfer in the hope that multiple
+# replicas will arrive and the transfer can be parallelized.
+#
+# With slow disks and fast (large bandwidth) networks, diskless replication
+# works better.
+repl-diskless-sync no
+
+# When diskless replication is enabled, it is possible to configure the delay
+# the server waits in order to spawn the child that transfers the RDB via socket
+# to the replicas.
+#
+# This is important since once the transfer starts, it is not possible to serve
+# new replicas arriving, that will be queued for the next RDB transfer, so the
+# server waits a delay in order to let more replicas arrive.
+#
+# The delay is specified in seconds, and by default is 5 seconds. To disable
+# it entirely just set it to 0 seconds and the transfer will start ASAP.
+repl-diskless-sync-delay 5
+
+# -----------------------------------------------------------------------------
+# WARNING: RDB diskless load is experimental. Since in this setup the replica
+# does not immediately store an RDB on disk, it may cause data loss during
+# failovers. RDB diskless load + Redis modules not handling I/O reads may also
+# cause Redis to abort in case of I/O errors during the initial synchronization
+# stage with the master. Use only if you know what you are doing.
+# -----------------------------------------------------------------------------
+#
+# Replica can load the RDB it reads from the replication link directly from the
+# socket, or store the RDB to a file and read that file after it was completely
+# received from the master.
+#
+# In many cases the disk is slower than the network, and storing and loading
+# the RDB file may increase replication time (and even increase the master's
+# Copy on Write memory and salve buffers).
+# However, parsing the RDB file directly from the socket may mean that we have
+# to flush the contents of the current database before the full rdb was
+# received. For this reason we have the following options:
+#
+# "disabled"    - Don't use diskless load (store the rdb file to the disk first)
+# "on-empty-db" - Use diskless load only when it is completely safe.
+# "swapdb"      - Keep a copy of the current db contents in RAM while parsing
+#                 the data directly from the socket. note that this requires
+#                 sufficient memory, if you don't have it, you risk an OOM kill.
+repl-diskless-load disabled
+
+# Replicas send PINGs to server in a predefined interval. It's possible to
+# change this interval with the repl_ping_replica_period option. The default
+# value is 10 seconds.
+#
+# repl-ping-replica-period 10
+
+# The following option sets the replication timeout for:
+#
+# 1) Bulk transfer I/O during SYNC, from the point of view of replica.
+# 2) Master timeout from the point of view of replicas (data, pings).
+# 3) Replica timeout from the point of view of masters (REPLCONF ACK pings).
+#
+# It is important to make sure that this value is greater than the value
+# specified for repl-ping-replica-period otherwise a timeout will be detected
+# every time there is low traffic between the master and the replica. The default
+# value is 60 seconds.
+#
+# repl-timeout 60
+
+# Disable TCP_NODELAY on the replica socket after SYNC?
+#
+# If you select "yes" Redis will use a smaller number of TCP packets and
+# less bandwidth to send data to replicas. But this can add a delay for
+# the data to appear on the replica side, up to 40 milliseconds with
+# Linux kernels using a default configuration.
+#
+# If you select "no" the delay for data to appear on the replica side will
+# be reduced but more bandwidth will be used for replication.
+#
+# By default we optimize for low latency, but in very high traffic conditions
+# or when the master and replicas are many hops away, turning this to "yes" may
+# be a good idea.
+repl-disable-tcp-nodelay no
+
+# Set the replication backlog size. The backlog is a buffer that accumulates
+# replica data when replicas are disconnected for some time, so that when a
+# replica wants to reconnect again, often a full resync is not needed, but a
+# partial resync is enough, just passing the portion of data the replica
+# missed while disconnected.
+#
+# The bigger the replication backlog, the longer the replica can endure the
+# disconnect and later be able to perform a partial resynchronization.
+#
+# The backlog is only allocated if there is at least one replica connected.
+#
+# repl-backlog-size 1mb
+
+# After a master has no connected replicas for some time, the backlog will be
+# freed. The following option configures the amount of seconds that need to
+# elapse, starting from the time the last replica disconnected, for the backlog
+# buffer to be freed.
+#
+# Note that replicas never free the backlog for timeout, since they may be
+# promoted to masters later, and should be able to correctly "partially
+# resynchronize" with other replicas: hence they should always accumulate backlog.
+#
+# A value of 0 means to never release the backlog.
+#
+# repl-backlog-ttl 3600
+
+# The replica priority is an integer number published by Redis in the INFO
+# output. It is used by Redis Sentinel in order to select a replica to promote
+# into a master if the master is no longer working correctly.
+#
+# A replica with a low priority number is considered better for promotion, so
+# for instance if there are three replicas with priority 10, 100, 25 Sentinel
+# will pick the one with priority 10, that is the lowest.
+#
+# However a special priority of 0 marks the replica as not able to perform the
+# role of master, so a replica with priority of 0 will never be selected by
+# Redis Sentinel for promotion.
+#
+# By default the priority is 100.
+replica-priority 100
+
+# -----------------------------------------------------------------------------
+# By default, Redis Sentinel includes all replicas in its reports. A replica
+# can be excluded from Redis Sentinel's announcements. An unannounced replica
+# will be ignored by the 'sentinel replicas <master>' command and won't be
+# exposed to Redis Sentinel's clients.
+#
+# This option does not change the behavior of replica-priority. Even with
+# replica-announced set to 'no', the replica can be promoted to master. To
+# prevent this behavior, set replica-priority to 0.
+#
+# replica-announced yes
+
+# It is possible for a master to stop accepting writes if there are less than
+# N replicas connected, having a lag less or equal than M seconds.
+#
+# The N replicas need to be in "online" state.
+#
+# The lag in seconds, that must be <= the specified value, is calculated from
+# the last ping received from the replica, that is usually sent every second.
+#
+# This option does not GUARANTEE that N replicas will accept the write, but
+# will limit the window of exposure for lost writes in case not enough replicas
+# are available, to the specified number of seconds.
+#
+# For example to require at least 3 replicas with a lag <= 10 seconds use:
+#
+# min-replicas-to-write 3
+# min-replicas-max-lag 10
+#
+# Setting one or the other to 0 disables the feature.
+#
+# By default min-replicas-to-write is set to 0 (feature disabled) and
+# min-replicas-max-lag is set to 10.
+
+# A Redis master is able to list the address and port of the attached
+# replicas in different ways. For example the "INFO replication" section
+# offers this information, which is used, among other tools, by
+# Redis Sentinel in order to discover replica instances.
+# Another place where this info is available is in the output of the
+# "ROLE" command of a master.
+#
+# The listed IP address and port normally reported by a replica is
+# obtained in the following way:
+#
+#   IP: The address is auto detected by checking the peer address
+#   of the socket used by the replica to connect with the master.
+#
+#   Port: The port is communicated by the replica during the replication
+#   handshake, and is normally the port that the replica is using to
+#   listen for connections.
+#
+# However when port forwarding or Network Address Translation (NAT) is
+# used, the replica may actually be reachable via different IP and port
+# pairs. The following two options can be used by a replica in order to
+# report to its master a specific set of IP and port, so that both INFO
+# and ROLE will report those values.
+#
+# There is no need to use both the options if you need to override just
+# the port or the IP address.
+#
+# replica-announce-ip 5.5.5.5
+# replica-announce-port 1234
+
+############################### KEYS TRACKING #################################
+
+# Redis implements server assisted support for client side caching of values.
+# This is implemented using an invalidation table that remembers, using
+# a radix key indexed by key name, what clients have which keys. In turn
+# this is used in order to send invalidation messages to clients. Please
+# check this page to understand more about the feature:
+#
+#   https://redis.io/topics/client-side-caching
+#
+# When tracking is enabled for a client, all the read only queries are assumed
+# to be cached: this will force Redis to store information in the invalidation
+# table. When keys are modified, such information is flushed away, and
+# invalidation messages are sent to the clients. However if the workload is
+# heavily dominated by reads, Redis could use more and more memory in order
+# to track the keys fetched by many clients.
+#
+# For this reason it is possible to configure a maximum fill value for the
+# invalidation table. By default it is set to 1M of keys, and once this limit
+# is reached, Redis will start to evict keys in the invalidation table
+# even if they were not modified, just to reclaim memory: this will in turn
+# force the clients to invalidate the cached values. Basically the table
+# maximum size is a trade off between the memory you want to spend server
+# side to track information about who cached what, and the ability of clients
+# to retain cached objects in memory.
+#
+# If you set the value to 0, it means there are no limits, and Redis will
+# retain as many keys as needed in the invalidation table.
+# In the "stats" INFO section, you can find information about the number of
+# keys in the invalidation table at every given moment.
+#
+# Note: when key tracking is used in broadcasting mode, no memory is used
+# in the server side so this setting is useless.
+#
+# tracking-table-max-keys 1000000
+
+################################## SECURITY ###################################
+
+# Warning: since Redis is pretty fast, an outside user can try up to
+# 1 million passwords per second against a modern box. This means that you
+# should use very strong passwords, otherwise they will be very easy to break.
+# Note that because the password is really a shared secret between the client
+# and the server, and should not be memorized by any human, the password
+# can be easily a long string from /dev/urandom or whatever, so by using a
+# long and unguessable password no brute force attack will be possible.
+
+# Redis ACL users are defined in the following format:
+#
+#   user <username> ... acl rules ...
+#
+# For example:
+#
+#   user worker +@list +@connection ~jobs:* on >ffa9203c493aa99
+#
+# The special username "default" is used for new connections. If this user
+# has the "nopass" rule, then new connections will be immediately authenticated
+# as the "default" user without the need of any password provided via the
+# AUTH command. Otherwise if the "default" user is not flagged with "nopass"
+# the connections will start in not authenticated state, and will require
+# AUTH (or the HELLO command AUTH option) in order to be authenticated and
+# start to work.
+#
+# The ACL rules that describe what a user can do are the following:
+#
+#  on           Enable the user: it is possible to authenticate as this user.
+#  off          Disable the user: it's no longer possible to authenticate
+#               with this user, however the already authenticated connections
+#               will still work.
+#  skip-sanitize-payload    RESTORE dump-payload sanitation is skipped.
+#  sanitize-payload         RESTORE dump-payload is sanitized (default).
+#  +<command>   Allow the execution of that command
+#  -<command>   Disallow the execution of that command
+#  +@<category> Allow the execution of all the commands in such category
+#               with valid categories are like @admin, @set, @sortedset, ...
+#               and so forth, see the full list in the server.c file where
+#               the Redis command table is described and defined.
+#               The special category @all means all the commands, but currently
+#               present in the server, and that will be loaded in the future
+#               via modules.
+#  +<command>|subcommand    Allow a specific subcommand of an otherwise
+#                           disabled command. Note that this form is not
+#                           allowed as negative like -DEBUG|SEGFAULT, but
+#                           only additive starting with "+".
+#  allcommands  Alias for +@all. Note that it implies the ability to execute
+#               all the future commands loaded via the modules system.
+#  nocommands   Alias for -@all.
+#  ~<pattern>   Add a pattern of keys that can be mentioned as part of
+#               commands. For instance ~* allows all the keys. The pattern
+#               is a glob-style pattern like the one of KEYS.
+#               It is possible to specify multiple patterns.
+#  allkeys      Alias for ~*
+#  resetkeys    Flush the list of allowed keys patterns.
+#  &<pattern>   Add a glob-style pattern of Pub/Sub channels that can be
+#               accessed by the user. It is possible to specify multiple channel
+#               patterns.
+#  allchannels  Alias for &*
+#  resetchannels            Flush the list of allowed channel patterns.
+#  ><password>  Add this password to the list of valid password for the user.
+#               For example >mypass will add "mypass" to the list.
+#               This directive clears the "nopass" flag (see later).
+#  <<password>  Remove this password from the list of valid passwords.
+#  nopass       All the set passwords of the user are removed, and the user
+#               is flagged as requiring no password: it means that every
+#               password will work against this user. If this directive is
+#               used for the default user, every new connection will be
+#               immediately authenticated with the default user without
+#               any explicit AUTH command required. Note that the "resetpass"
+#               directive will clear this condition.
+#  resetpass    Flush the list of allowed passwords. Moreover removes the
+#               "nopass" status. After "resetpass" the user has no associated
+#               passwords and there is no way to authenticate without adding
+#               some password (or setting it as "nopass" later).
+#  reset        Performs the following actions: resetpass, resetkeys, off,
+#               -@all. The user returns to the same state it has immediately
+#               after its creation.
+#
+# ACL rules can be specified in any order: for instance you can start with
+# passwords, then flags, or key patterns. However note that the additive
+# and subtractive rules will CHANGE MEANING depending on the ordering.
+# For instance see the following example:
+#
+#   user alice on +@all -DEBUG ~* >somepassword
+#
+# This will allow "alice" to use all the commands with the exception of the
+# DEBUG command, since +@all added all the commands to the set of the commands
+# alice can use, and later DEBUG was removed. However if we invert the order
+# of two ACL rules the result will be different:
+#
+#   user alice on -DEBUG +@all ~* >somepassword
+#
+# Now DEBUG was removed when alice had yet no commands in the set of allowed
+# commands, later all the commands are added, so the user will be able to
+# execute everything.
+#
+# Basically ACL rules are processed left-to-right.
+#
+# For more information about ACL configuration please refer to
+# the Redis web site at https://redis.io/topics/acl
+
+# ACL LOG
+#
+# The ACL Log tracks failed commands and authentication events associated
+# with ACLs. The ACL Log is useful to troubleshoot failed commands blocked 
+# by ACLs. The ACL Log is stored in memory. You can reclaim memory with 
+# ACL LOG RESET. Define the maximum entry length of the ACL Log below.
+acllog-max-len 128
+
+# Using an external ACL file
+#
+# Instead of configuring users here in this file, it is possible to use
+# a stand-alone file just listing users. The two methods cannot be mixed:
+# if you configure users here and at the same time you activate the external
+# ACL file, the server will refuse to start.
+#
+# The format of the external ACL user file is exactly the same as the
+# format that is used inside redis.conf to describe users.
+#
+# aclfile /etc/redis/users.acl
+
+# IMPORTANT NOTE: starting with Redis 6 "requirepass" is just a compatibility
+# layer on top of the new ACL system. The option effect will be just setting
+# the password for the default user. Clients will still authenticate using
+# AUTH <password> as usually, or more explicitly with AUTH default <password>
+# if they follow the new protocol: both will work.
+#
+# The requirepass is not compatable with aclfile option and the ACL LOAD
+# command, these will cause requirepass to be ignored.
+#
+# requirepass foobared
+#>GNUNUX
+requirepass %%account.password
+#<GNUNUX
+
+# New users are initialized with restrictive permissions by default, via the
+# equivalent of this ACL rule 'off resetkeys -@all'. Starting with Redis 6.2, it
+# is possible to manage access to Pub/Sub channels with ACL rules as well. The
+# default Pub/Sub channels permission if new users is controlled by the 
+# acl-pubsub-default configuration directive, which accepts one of these values:
+#
+# allchannels: grants access to all Pub/Sub channels
+# resetchannels: revokes access to all Pub/Sub channels
+#
+# To ensure backward compatibility while upgrading Redis 6.0, acl-pubsub-default
+# defaults to the 'allchannels' permission.
+#
+# Future compatibility note: it is very likely that in a future version of Redis
+# the directive's default of 'allchannels' will be changed to 'resetchannels' in
+# order to provide better out-of-the-box Pub/Sub security. Therefore, it is
+# recommended that you explicitly define Pub/Sub permissions for all users
+# rather then rely on implicit default values. Once you've set explicit
+# Pub/Sub for all existing users, you should uncomment the following line.
+#
+# acl-pubsub-default resetchannels
+
+# Command renaming (DEPRECATED).
+#
+# ------------------------------------------------------------------------
+# WARNING: avoid using this option if possible. Instead use ACLs to remove
+# commands from the default user, and put them only in some admin user you
+# create for administrative purposes.
+# ------------------------------------------------------------------------
+#
+# It is possible to change the name of dangerous commands in a shared
+# environment. For instance the CONFIG command may be renamed into something
+# hard to guess so that it will still be available for internal-use tools
+# but not available for general clients.
+#
+# Example:
+#
+# rename-command CONFIG b840fc02d524045429941cc15f59e41cb7be6c52
+#
+# It is also possible to completely kill a command by renaming it into
+# an empty string:
+#
+# rename-command CONFIG ""
+#
+# Please note that changing the name of commands that are logged into the
+# AOF file or transmitted to replicas may cause problems.
+
+################################### CLIENTS ####################################
+
+# Set the max number of connected clients at the same time. By default
+# this limit is set to 10000 clients, however if the Redis server is not
+# able to configure the process file limit to allow for the specified limit
+# the max number of allowed clients is set to the current file limit
+# minus 32 (as Redis reserves a few file descriptors for internal uses).
+#
+# Once the limit is reached Redis will close all the new connections sending
+# an error 'max number of clients reached'.
+#
+# IMPORTANT: When Redis Cluster is used, the max number of connections is also
+# shared with the cluster bus: every node in the cluster will use two
+# connections, one incoming and another outgoing. It is important to size the
+# limit accordingly in case of very large clusters.
+#
+# maxclients 10000
+#>GNUNUX
+maxclients %%redis_max_clients
+#<GNUNUX
+
+############################## MEMORY MANAGEMENT ################################
+
+# Set a memory usage limit to the specified amount of bytes.
+# When the memory limit is reached Redis will try to remove keys
+# according to the eviction policy selected (see maxmemory-policy).
+#
+# If Redis can't remove keys according to the policy, or if the policy is
+# set to 'noeviction', Redis will start to reply with errors to commands
+# that would use more memory, like SET, LPUSH, and so on, and will continue
+# to reply to read-only commands like GET.
+#
+# This option is usually useful when using Redis as an LRU or LFU cache, or to
+# set a hard memory limit for an instance (using the 'noeviction' policy).
+#
+# WARNING: If you have replicas attached to an instance with maxmemory on,
+# the size of the output buffers needed to feed the replicas are subtracted
+# from the used memory count, so that network problems / resyncs will
+# not trigger a loop where keys are evicted, and in turn the output
+# buffer of replicas is full with DELs of keys evicted triggering the deletion
+# of more keys, and so forth until the database is completely emptied.
+#
+# In short... if you have replicas attached it is suggested that you set a lower
+# limit for maxmemory so that there is some free RAM on the system for replica
+# output buffers (but this is not needed if the policy is 'noeviction').
+#
+# maxmemory <bytes>
+#>GNUNUX
+maxmemory %%{redis_max_memory}mb
+#<GNUNUX
+
+# MAXMEMORY POLICY: how Redis will select what to remove when maxmemory
+# is reached. You can select one from the following behaviors:
+#
+# volatile-lru -> Evict using approximated LRU, only keys with an expire set.
+# allkeys-lru -> Evict any key using approximated LRU.
+# volatile-lfu -> Evict using approximated LFU, only keys with an expire set.
+# allkeys-lfu -> Evict any key using approximated LFU.
+# volatile-random -> Remove a random key having an expire set.
+# allkeys-random -> Remove a random key, any key.
+# volatile-ttl -> Remove the key with the nearest expire time (minor TTL)
+# noeviction -> Don't evict anything, just return an error on write operations.
+#
+# LRU means Least Recently Used
+# LFU means Least Frequently Used
+#
+# Both LRU, LFU and volatile-ttl are implemented using approximated
+# randomized algorithms.
+#
+# Note: with any of the above policies, when there are no suitable keys for
+# eviction, Redis will return an error on write operations that require
+# more memory. These are usually commands that create new keys, add data or
+# modify existing keys. A few examples are: SET, INCR, HSET, LPUSH, SUNIONSTORE,
+# SORT (due to the STORE argument), and EXEC (if the transaction includes any
+# command that requires memory).
+#
+# The default is:
+#
+# maxmemory-policy noeviction
+#>GNUNUX
+maxmemory-policy %%redis_memory_policy
+#<GNUNUX
+
+# LRU, LFU and minimal TTL algorithms are not precise algorithms but approximated
+# algorithms (in order to save memory), so you can tune it for speed or
+# accuracy. By default Redis will check five keys and pick the one that was
+# used least recently, you can change the sample size using the following
+# configuration directive.
+#
+# The default of 5 produces good enough results. 10 Approximates very closely
+# true LRU but costs more CPU. 3 is faster but not very accurate.
+#
+# maxmemory-samples 5
+
+# Eviction processing is designed to function well with the default setting.
+# If there is an unusually large amount of write traffic, this value may need to
+# be increased.  Decreasing this value may reduce latency at the risk of 
+# eviction processing effectiveness
+#   0 = minimum latency, 10 = default, 100 = process without regard to latency
+#
+# maxmemory-eviction-tenacity 10
+
+# Starting from Redis 5, by default a replica will ignore its maxmemory setting
+# (unless it is promoted to master after a failover or manually). It means
+# that the eviction of keys will be just handled by the master, sending the
+# DEL commands to the replica as keys evict in the master side.
+#
+# This behavior ensures that masters and replicas stay consistent, and is usually
+# what you want, however if your replica is writable, or you want the replica
+# to have a different memory setting, and you are sure all the writes performed
+# to the replica are idempotent, then you may change this default (but be sure
+# to understand what you are doing).
+#
+# Note that since the replica by default does not evict, it may end using more
+# memory than the one set via maxmemory (there are certain buffers that may
+# be larger on the replica, or data structures may sometimes take more memory
+# and so forth). So make sure you monitor your replicas and make sure they
+# have enough memory to never hit a real out-of-memory condition before the
+# master hits the configured maxmemory setting.
+#
+# replica-ignore-maxmemory yes
+
+# Redis reclaims expired keys in two ways: upon access when those keys are
+# found to be expired, and also in background, in what is called the
+# "active expire key". The key space is slowly and interactively scanned
+# looking for expired keys to reclaim, so that it is possible to free memory
+# of keys that are expired and will never be accessed again in a short time.
+#
+# The default effort of the expire cycle will try to avoid having more than
+# ten percent of expired keys still in memory, and will try to avoid consuming
+# more than 25% of total memory and to add latency to the system. However
+# it is possible to increase the expire "effort" that is normally set to
+# "1", to a greater value, up to the value "10". At its maximum value the
+# system will use more CPU, longer cycles (and technically may introduce
+# more latency), and will tolerate less already expired keys still present
+# in the system. It's a tradeoff between memory, CPU and latency.
+#
+# active-expire-effort 1
+
+############################# LAZY FREEING ####################################
+
+# Redis has two primitives to delete keys. One is called DEL and is a blocking
+# deletion of the object. It means that the server stops processing new commands
+# in order to reclaim all the memory associated with an object in a synchronous
+# way. If the key deleted is associated with a small object, the time needed
+# in order to execute the DEL command is very small and comparable to most other
+# O(1) or O(log_N) commands in Redis. However if the key is associated with an
+# aggregated value containing millions of elements, the server can block for
+# a long time (even seconds) in order to complete the operation.
+#
+# For the above reasons Redis also offers non blocking deletion primitives
+# such as UNLINK (non blocking DEL) and the ASYNC option of FLUSHALL and
+# FLUSHDB commands, in order to reclaim memory in background. Those commands
+# are executed in constant time. Another thread will incrementally free the
+# object in the background as fast as possible.
+#
+# DEL, UNLINK and ASYNC option of FLUSHALL and FLUSHDB are user-controlled.
+# It's up to the design of the application to understand when it is a good
+# idea to use one or the other. However the Redis server sometimes has to
+# delete keys or flush the whole database as a side effect of other operations.
+# Specifically Redis deletes objects independently of a user call in the
+# following scenarios:
+#
+# 1) On eviction, because of the maxmemory and maxmemory policy configurations,
+#    in order to make room for new data, without going over the specified
+#    memory limit.
+# 2) Because of expire: when a key with an associated time to live (see the
+#    EXPIRE command) must be deleted from memory.
+# 3) Because of a side effect of a command that stores data on a key that may
+#    already exist. For example the RENAME command may delete the old key
+#    content when it is replaced with another one. Similarly SUNIONSTORE
+#    or SORT with STORE option may delete existing keys. The SET command
+#    itself removes any old content of the specified key in order to replace
+#    it with the specified string.
+# 4) During replication, when a replica performs a full resynchronization with
+#    its master, the content of the whole database is removed in order to
+#    load the RDB file just transferred.
+#
+# In all the above cases the default is to delete objects in a blocking way,
+# like if DEL was called. However you can configure each case specifically
+# in order to instead release memory in a non-blocking way like if UNLINK
+# was called, using the following configuration directives.
+
+lazyfree-lazy-eviction no
+lazyfree-lazy-expire no
+lazyfree-lazy-server-del no
+replica-lazy-flush no
+
+# It is also possible, for the case when to replace the user code DEL calls
+# with UNLINK calls is not easy, to modify the default behavior of the DEL
+# command to act exactly like UNLINK, using the following configuration
+# directive:
+
+lazyfree-lazy-user-del no
+
+# FLUSHDB, FLUSHALL, and SCRIPT FLUSH support both asynchronous and synchronous
+# deletion, which can be controlled by passing the [SYNC|ASYNC] flags into the
+# commands. When neither flag is passed, this directive will be used to determine
+# if the data should be deleted asynchronously.
+
+lazyfree-lazy-user-flush no
+
+################################ THREADED I/O #################################
+
+# Redis is mostly single threaded, however there are certain threaded
+# operations such as UNLINK, slow I/O accesses and other things that are
+# performed on side threads.
+#
+# Now it is also possible to handle Redis clients socket reads and writes
+# in different I/O threads. Since especially writing is so slow, normally
+# Redis users use pipelining in order to speed up the Redis performances per
+# core, and spawn multiple instances in order to scale more. Using I/O
+# threads it is possible to easily speedup two times Redis without resorting
+# to pipelining nor sharding of the instance.
+#
+# By default threading is disabled, we suggest enabling it only in machines
+# that have at least 4 or more cores, leaving at least one spare core.
+# Using more than 8 threads is unlikely to help much. We also recommend using
+# threaded I/O only if you actually have performance problems, with Redis
+# instances being able to use a quite big percentage of CPU time, otherwise
+# there is no point in using this feature.
+#
+# So for instance if you have a four cores boxes, try to use 2 or 3 I/O
+# threads, if you have a 8 cores, try to use 6 threads. In order to
+# enable I/O threads use the following configuration directive:
+#
+# io-threads 4
+#
+# Setting io-threads to 1 will just use the main thread as usual.
+# When I/O threads are enabled, we only use threads for writes, that is
+# to thread the write(2) syscall and transfer the client buffers to the
+# socket. However it is also possible to enable threading of reads and
+# protocol parsing using the following configuration directive, by setting
+# it to yes:
+#
+# io-threads-do-reads no
+#
+# Usually threading reads doesn't help much.
+#
+# NOTE 1: This configuration directive cannot be changed at runtime via
+# CONFIG SET. Aso this feature currently does not work when SSL is
+# enabled.
+#
+# NOTE 2: If you want to test the Redis speedup using redis-benchmark, make
+# sure you also run the benchmark itself in threaded mode, using the
+# --threads option to match the number of Redis threads, otherwise you'll not
+# be able to notice the improvements.
+
+############################ KERNEL OOM CONTROL ##############################
+
+# On Linux, it is possible to hint the kernel OOM killer on what processes
+# should be killed first when out of memory.
+#
+# Enabling this feature makes Redis actively control the oom_score_adj value
+# for all its processes, depending on their role. The default scores will
+# attempt to have background child processes killed before all others, and
+# replicas killed before masters.
+#
+# Redis supports three options:
+#
+# no:       Don't make changes to oom-score-adj (default).
+# yes:      Alias to "relative" see below.
+# absolute: Values in oom-score-adj-values are written as is to the kernel.
+# relative: Values are used relative to the initial value of oom_score_adj when
+#           the server starts and are then clamped to a range of -1000 to 1000.
+#           Because typically the initial value is 0, they will often match the
+#           absolute values.
+oom-score-adj no
+
+# When oom-score-adj is used, this directive controls the specific values used
+# for master, replica and background child processes. Values range -2000 to
+# 2000 (higher means more likely to be killed).
+#
+# Unprivileged processes (not root, and without CAP_SYS_RESOURCE capabilities)
+# can freely increase their value, but not decrease it below its initial
+# settings. This means that setting oom-score-adj to "relative" and setting the
+# oom-score-adj-values to positive values will always succeed.
+oom-score-adj-values 0 200 800
+
+
+#################### KERNEL transparent hugepage CONTROL ######################
+
+# Usually the kernel Transparent Huge Pages control is set to "madvise" or
+# or "never" by default (/sys/kernel/mm/transparent_hugepage/enabled), in which
+# case this config has no effect. On systems in which it is set to "always",
+# redis will attempt to disable it specifically for the redis process in order
+# to avoid latency problems specifically with fork(2) and CoW.
+# If for some reason you prefer to keep it enabled, you can set this config to
+# "no" and the kernel global to "always".
+
+disable-thp yes
+
+############################## APPEND ONLY MODE ###############################
+
+# By default Redis asynchronously dumps the dataset on disk. This mode is
+# good enough in many applications, but an issue with the Redis process or
+# a power outage may result into a few minutes of writes lost (depending on
+# the configured save points).
+#
+# The Append Only File is an alternative persistence mode that provides
+# much better durability. For instance using the default data fsync policy
+# (see later in the config file) Redis can lose just one second of writes in a
+# dramatic event like a server power outage, or a single write if something
+# wrong with the Redis process itself happens, but the operating system is
+# still running correctly.
+#
+# AOF and RDB persistence can be enabled at the same time without problems.
+# If the AOF is enabled on startup Redis will load the AOF, that is the file
+# with the better durability guarantees.
+#
+# Please check https://redis.io/topics/persistence for more information.
+
+appendonly no
+
+# The name of the append only file (default: "appendonly.aof")
+
+appendfilename "appendonly.aof"
+
+# The fsync() call tells the Operating System to actually write data on disk
+# instead of waiting for more data in the output buffer. Some OS will really flush
+# data on disk, some other OS will just try to do it ASAP.
+#
+# Redis supports three different modes:
+#
+# no: don't fsync, just let the OS flush the data when it wants. Faster.
+# always: fsync after every write to the append only log. Slow, Safest.
+# everysec: fsync only one time every second. Compromise.
+#
+# The default is "everysec", as that's usually the right compromise between
+# speed and data safety. It's up to you to understand if you can relax this to
+# "no" that will let the operating system flush the output buffer when
+# it wants, for better performances (but if you can live with the idea of
+# some data loss consider the default persistence mode that's snapshotting),
+# or on the contrary, use "always" that's very slow but a bit safer than
+# everysec.
+#
+# More details please check the following article:
+# http://antirez.com/post/redis-persistence-demystified.html
+#
+# If unsure, use "everysec".
+
+# appendfsync always
+appendfsync everysec
+# appendfsync no
+
+# When the AOF fsync policy is set to always or everysec, and a background
+# saving process (a background save or AOF log background rewriting) is
+# performing a lot of I/O against the disk, in some Linux configurations
+# Redis may block too long on the fsync() call. Note that there is no fix for
+# this currently, as even performing fsync in a different thread will block
+# our synchronous write(2) call.
+#
+# In order to mitigate this problem it's possible to use the following option
+# that will prevent fsync() from being called in the main process while a
+# BGSAVE or BGREWRITEAOF is in progress.
+#
+# This means that while another child is saving, the durability of Redis is
+# the same as "appendfsync none". In practical terms, this means that it is
+# possible to lose up to 30 seconds of log in the worst scenario (with the
+# default Linux settings).
+#
+# If you have latency problems turn this to "yes". Otherwise leave it as
+# "no" that is the safest pick from the point of view of durability.
+
+no-appendfsync-on-rewrite no
+
+# Automatic rewrite of the append only file.
+# Redis is able to automatically rewrite the log file implicitly calling
+# BGREWRITEAOF when the AOF log size grows by the specified percentage.
+#
+# This is how it works: Redis remembers the size of the AOF file after the
+# latest rewrite (if no rewrite has happened since the restart, the size of
+# the AOF at startup is used).
+#
+# This base size is compared to the current size. If the current size is
+# bigger than the specified percentage, the rewrite is triggered. Also
+# you need to specify a minimal size for the AOF file to be rewritten, this
+# is useful to avoid rewriting the AOF file even if the percentage increase
+# is reached but it is still pretty small.
+#
+# Specify a percentage of zero in order to disable the automatic AOF
+# rewrite feature.
+
+auto-aof-rewrite-percentage 100
+auto-aof-rewrite-min-size 64mb
+
+# An AOF file may be found to be truncated at the end during the Redis
+# startup process, when the AOF data gets loaded back into memory.
+# This may happen when the system where Redis is running
+# crashes, especially when an ext4 filesystem is mounted without the
+# data=ordered option (however this can't happen when Redis itself
+# crashes or aborts but the operating system still works correctly).
+#
+# Redis can either exit with an error when this happens, or load as much
+# data as possible (the default now) and start if the AOF file is found
+# to be truncated at the end. The following option controls this behavior.
+#
+# If aof-load-truncated is set to yes, a truncated AOF file is loaded and
+# the Redis server starts emitting a log to inform the user of the event.
+# Otherwise if the option is set to no, the server aborts with an error
+# and refuses to start. When the option is set to no, the user requires
+# to fix the AOF file using the "redis-check-aof" utility before to restart
+# the server.
+#
+# Note that if the AOF file will be found to be corrupted in the middle
+# the server will still exit with an error. This option only applies when
+# Redis will try to read more data from the AOF file but not enough bytes
+# will be found.
+aof-load-truncated yes
+
+# When rewriting the AOF file, Redis is able to use an RDB preamble in the
+# AOF file for faster rewrites and recoveries. When this option is turned
+# on the rewritten AOF file is composed of two different stanzas:
+#
+#   [RDB file][AOF tail]
+#
+# When loading, Redis recognizes that the AOF file starts with the "REDIS"
+# string and loads the prefixed RDB file, then continues loading the AOF
+# tail.
+aof-use-rdb-preamble yes
+
+################################ LUA SCRIPTING  ###############################
+
+# Max execution time of a Lua script in milliseconds.
+#
+# If the maximum execution time is reached Redis will log that a script is
+# still in execution after the maximum allowed time and will start to
+# reply to queries with an error.
+#
+# When a long running script exceeds the maximum execution time only the
+# SCRIPT KILL and SHUTDOWN NOSAVE commands are available. The first can be
+# used to stop a script that did not yet call any write commands. The second
+# is the only way to shut down the server in the case a write command was
+# already issued by the script but the user doesn't want to wait for the natural
+# termination of the script.
+#
+# Set it to 0 or a negative value for unlimited execution without warnings.
+lua-time-limit 5000
+
+################################ REDIS CLUSTER  ###############################
+
+# Normal Redis instances can't be part of a Redis Cluster; only nodes that are
+# started as cluster nodes can. In order to start a Redis instance as a
+# cluster node enable the cluster support uncommenting the following:
+#
+# cluster-enabled yes
+
+# Every cluster node has a cluster configuration file. This file is not
+# intended to be edited by hand. It is created and updated by Redis nodes.
+# Every Redis Cluster node requires a different cluster configuration file.
+# Make sure that instances running in the same system do not have
+# overlapping cluster configuration file names.
+#
+# cluster-config-file nodes-6379.conf
+
+# Cluster node timeout is the amount of milliseconds a node must be unreachable
+# for it to be considered in failure state.
+# Most other internal time limits are a multiple of the node timeout.
+#
+# cluster-node-timeout 15000
+
+# A replica of a failing master will avoid to start a failover if its data
+# looks too old.
+#
+# There is no simple way for a replica to actually have an exact measure of
+# its "data age", so the following two checks are performed:
+#
+# 1) If there are multiple replicas able to failover, they exchange messages
+#    in order to try to give an advantage to the replica with the best
+#    replication offset (more data from the master processed).
+#    Replicas will try to get their rank by offset, and apply to the start
+#    of the failover a delay proportional to their rank.
+#
+# 2) Every single replica computes the time of the last interaction with
+#    its master. This can be the last ping or command received (if the master
+#    is still in the "connected" state), or the time that elapsed since the
+#    disconnection with the master (if the replication link is currently down).
+#    If the last interaction is too old, the replica will not try to failover
+#    at all.
+#
+# The point "2" can be tuned by user. Specifically a replica will not perform
+# the failover if, since the last interaction with the master, the time
+# elapsed is greater than:
+#
+#   (node-timeout * cluster-replica-validity-factor) + repl-ping-replica-period
+#
+# So for example if node-timeout is 30 seconds, and the cluster-replica-validity-factor
+# is 10, and assuming a default repl-ping-replica-period of 10 seconds, the
+# replica will not try to failover if it was not able to talk with the master
+# for longer than 310 seconds.
+#
+# A large cluster-replica-validity-factor may allow replicas with too old data to failover
+# a master, while a too small value may prevent the cluster from being able to
+# elect a replica at all.
+#
+# For maximum availability, it is possible to set the cluster-replica-validity-factor
+# to a value of 0, which means, that replicas will always try to failover the
+# master regardless of the last time they interacted with the master.
+# (However they'll always try to apply a delay proportional to their
+# offset rank).
+#
+# Zero is the only value able to guarantee that when all the partitions heal
+# the cluster will always be able to continue.
+#
+# cluster-replica-validity-factor 10
+
+# Cluster replicas are able to migrate to orphaned masters, that are masters
+# that are left without working replicas. This improves the cluster ability
+# to resist to failures as otherwise an orphaned master can't be failed over
+# in case of failure if it has no working replicas.
+#
+# Replicas migrate to orphaned masters only if there are still at least a
+# given number of other working replicas for their old master. This number
+# is the "migration barrier". A migration barrier of 1 means that a replica
+# will migrate only if there is at least 1 other working replica for its master
+# and so forth. It usually reflects the number of replicas you want for every
+# master in your cluster.
+#
+# Default is 1 (replicas migrate only if their masters remain with at least
+# one replica). To disable migration just set it to a very large value or
+# set cluster-allow-replica-migration to 'no'.
+# A value of 0 can be set but is useful only for debugging and dangerous
+# in production.
+#
+# cluster-migration-barrier 1
+
+# Turning off this option allows to use less automatic cluster configuration.
+# It both disables migration to orphaned masters and migration from masters
+# that became empty.
+#
+# Default is 'yes' (allow automatic migrations).
+#
+# cluster-allow-replica-migration yes
+
+# By default Redis Cluster nodes stop accepting queries if they detect there
+# is at least a hash slot uncovered (no available node is serving it).
+# This way if the cluster is partially down (for example a range of hash slots
+# are no longer covered) all the cluster becomes, eventually, unavailable.
+# It automatically returns available as soon as all the slots are covered again.
+#
+# However sometimes you want the subset of the cluster which is working,
+# to continue to accept queries for the part of the key space that is still
+# covered. In order to do so, just set the cluster-require-full-coverage
+# option to no.
+#
+# cluster-require-full-coverage yes
+
+# This option, when set to yes, prevents replicas from trying to failover its
+# master during master failures. However the replica can still perform a
+# manual failover, if forced to do so.
+#
+# This is useful in different scenarios, especially in the case of multiple
+# data center operations, where we want one side to never be promoted if not
+# in the case of a total DC failure.
+#
+# cluster-replica-no-failover no
+
+# This option, when set to yes, allows nodes to serve read traffic while the
+# the cluster is in a down state, as long as it believes it owns the slots. 
+#
+# This is useful for two cases.  The first case is for when an application 
+# doesn't require consistency of data during node failures or network partitions.
+# One example of this is a cache, where as long as the node has the data it
+# should be able to serve it. 
+#
+# The second use case is for configurations that don't meet the recommended  
+# three shards but want to enable cluster mode and scale later. A 
+# master outage in a 1 or 2 shard configuration causes a read/write outage to the
+# entire cluster without this option set, with it set there is only a write outage.
+# Without a quorum of masters, slot ownership will not change automatically. 
+#
+# cluster-allow-reads-when-down no
+
+# In order to setup your cluster make sure to read the documentation
+# available at https://redis.io web site.
+
+########################## CLUSTER DOCKER/NAT support  ########################
+
+# In certain deployments, Redis Cluster nodes address discovery fails, because
+# addresses are NAT-ted or because ports are forwarded (the typical case is
+# Docker and other containers).
+#
+# In order to make Redis Cluster working in such environments, a static
+# configuration where each node knows its public address is needed. The
+# following four options are used for this scope, and are:
+#
+# * cluster-announce-ip
+# * cluster-announce-port
+# * cluster-announce-tls-port
+# * cluster-announce-bus-port
+#
+# Each instructs the node about its address, client ports (for connections
+# without and with TLS) and cluster message bus port. The information is then
+# published in the header of the bus packets so that other nodes will be able to
+# correctly map the address of the node publishing the information.
+#
+# If cluster-tls is set to yes and cluster-announce-tls-port is omitted or set
+# to zero, then cluster-announce-port refers to the TLS port. Note also that
+# cluster-announce-tls-port has no effect if cluster-tls is set to no.
+#
+# If the above options are not used, the normal Redis Cluster auto-detection
+# will be used instead.
+#
+# Note that when remapped, the bus port may not be at the fixed offset of
+# clients port + 10000, so you can specify any port and bus-port depending
+# on how they get remapped. If the bus-port is not set, a fixed offset of
+# 10000 will be used as usual.
+#
+# Example:
+#
+# cluster-announce-ip 10.1.1.5
+# cluster-announce-tls-port 6379
+# cluster-announce-port 0
+# cluster-announce-bus-port 6380
+
+################################## SLOW LOG ###################################
+
+# The Redis Slow Log is a system to log queries that exceeded a specified
+# execution time. The execution time does not include the I/O operations
+# like talking with the client, sending the reply and so forth,
+# but just the time needed to actually execute the command (this is the only
+# stage of command execution where the thread is blocked and can not serve
+# other requests in the meantime).
+#
+# You can configure the slow log with two parameters: one tells Redis
+# what is the execution time, in microseconds, to exceed in order for the
+# command to get logged, and the other parameter is the length of the
+# slow log. When a new command is logged the oldest one is removed from the
+# queue of logged commands.
+
+# The following time is expressed in microseconds, so 1000000 is equivalent
+# to one second. Note that a negative number disables the slow log, while
+# a value of zero forces the logging of every command.
+slowlog-log-slower-than 10000
+
+# There is no limit to this length. Just be aware that it will consume memory.
+# You can reclaim memory used by the slow log with SLOWLOG RESET.
+slowlog-max-len 128
+
+################################ LATENCY MONITOR ##############################
+
+# The Redis latency monitoring subsystem samples different operations
+# at runtime in order to collect data related to possible sources of
+# latency of a Redis instance.
+#
+# Via the LATENCY command this information is available to the user that can
+# print graphs and obtain reports.
+#
+# The system only logs operations that were performed in a time equal or
+# greater than the amount of milliseconds specified via the
+# latency-monitor-threshold configuration directive. When its value is set
+# to zero, the latency monitor is turned off.
+#
+# By default latency monitoring is disabled since it is mostly not needed
+# if you don't have latency issues, and collecting data has a performance
+# impact, that while very small, can be measured under big load. Latency
+# monitoring can easily be enabled at runtime using the command
+# "CONFIG SET latency-monitor-threshold <milliseconds>" if needed.
+latency-monitor-threshold 0
+
+############################# EVENT NOTIFICATION ##############################
+
+# Redis can notify Pub/Sub clients about events happening in the key space.
+# This feature is documented at https://redis.io/topics/notifications
+#
+# For instance if keyspace events notification is enabled, and a client
+# performs a DEL operation on key "foo" stored in the Database 0, two
+# messages will be published via Pub/Sub:
+#
+# PUBLISH __keyspace@0__:foo del
+# PUBLISH __keyevent@0__:del foo
+#
+# It is possible to select the events that Redis will notify among a set
+# of classes. Every class is identified by a single character:
+#
+#  K     Keyspace events, published with __keyspace@<db>__ prefix.
+#  E     Keyevent events, published with __keyevent@<db>__ prefix.
+#  g     Generic commands (non-type specific) like DEL, EXPIRE, RENAME, ...
+#  $     String commands
+#  l     List commands
+#  s     Set commands
+#  h     Hash commands
+#  z     Sorted set commands
+#  x     Expired events (events generated every time a key expires)
+#  e     Evicted events (events generated when a key is evicted for maxmemory)
+#  t     Stream commands
+#  d     Module key type events
+#  m     Key-miss events (Note: It is not included in the 'A' class)
+#  A     Alias for g$lshzxetd, so that the "AKE" string means all the events
+#        (Except key-miss events which are excluded from 'A' due to their
+#         unique nature).
+#
+#  The "notify-keyspace-events" takes as argument a string that is composed
+#  of zero or multiple characters. The empty string means that notifications
+#  are disabled.
+#
+#  Example: to enable list and generic events, from the point of view of the
+#           event name, use:
+#
+#  notify-keyspace-events Elg
+#
+#  Example 2: to get the stream of the expired keys subscribing to channel
+#             name __keyevent@0__:expired use:
+#
+#  notify-keyspace-events Ex
+#
+#  By default all notifications are disabled because most users don't need
+#  this feature and the feature has some overhead. Note that if you don't
+#  specify at least one of K or E, no events will be delivered.
+notify-keyspace-events ""
+
+############################### GOPHER SERVER #################################
+
+# Redis contains an implementation of the Gopher protocol, as specified in
+# the RFC 1436 (https://www.ietf.org/rfc/rfc1436.txt).
+#
+# The Gopher protocol was very popular in the late '90s. It is an alternative
+# to the web, and the implementation both server and client side is so simple
+# that the Redis server has just 100 lines of code in order to implement this
+# support.
+#
+# What do you do with Gopher nowadays? Well Gopher never *really* died, and
+# lately there is a movement in order for the Gopher more hierarchical content
+# composed of just plain text documents to be resurrected. Some want a simpler
+# internet, others believe that the mainstream internet became too much
+# controlled, and it's cool to create an alternative space for people that
+# want a bit of fresh air.
+#
+# Anyway for the 10nth birthday of the Redis, we gave it the Gopher protocol
+# as a gift.
+#
+# --- HOW IT WORKS? ---
+#
+# The Redis Gopher support uses the inline protocol of Redis, and specifically
+# two kind of inline requests that were anyway illegal: an empty request
+# or any request that starts with "/" (there are no Redis commands starting
+# with such a slash). Normal RESP2/RESP3 requests are completely out of the
+# path of the Gopher protocol implementation and are served as usual as well.
+#
+# If you open a connection to Redis when Gopher is enabled and send it
+# a string like "/foo", if there is a key named "/foo" it is served via the
+# Gopher protocol.
+#
+# In order to create a real Gopher "hole" (the name of a Gopher site in Gopher
+# talking), you likely need a script like the following:
+#
+#   https://github.com/antirez/gopher2redis
+#
+# --- SECURITY WARNING ---
+#
+# If you plan to put Redis on the internet in a publicly accessible address
+# to server Gopher pages MAKE SURE TO SET A PASSWORD to the instance.
+# Once a password is set:
+#
+#   1. The Gopher server (when enabled, not by default) will still serve
+#      content via Gopher.
+#   2. However other commands cannot be called before the client will
+#      authenticate.
+#
+# So use the 'requirepass' option to protect your instance.
+#
+# Note that Gopher is not currently supported when 'io-threads-do-reads'
+# is enabled.
+#
+# To enable Gopher support, uncomment the following line and set the option
+# from no (the default) to yes.
+#
+# gopher-enabled no
+
+############################### ADVANCED CONFIG ###############################
+
+# Hashes are encoded using a memory efficient data structure when they have a
+# small number of entries, and the biggest entry does not exceed a given
+# threshold. These thresholds can be configured using the following directives.
+hash-max-ziplist-entries 512
+hash-max-ziplist-value 64
+
+# Lists are also encoded in a special way to save a lot of space.
+# The number of entries allowed per internal list node can be specified
+# as a fixed maximum size or a maximum number of elements.
+# For a fixed maximum size, use -5 through -1, meaning:
+# -5: max size: 64 Kb  <-- not recommended for normal workloads
+# -4: max size: 32 Kb  <-- not recommended
+# -3: max size: 16 Kb  <-- probably not recommended
+# -2: max size: 8 Kb   <-- good
+# -1: max size: 4 Kb   <-- good
+# Positive numbers mean store up to _exactly_ that number of elements
+# per list node.
+# The highest performing option is usually -2 (8 Kb size) or -1 (4 Kb size),
+# but if your use case is unique, adjust the settings as necessary.
+list-max-ziplist-size -2
+
+# Lists may also be compressed.
+# Compress depth is the number of quicklist ziplist nodes from *each* side of
+# the list to *exclude* from compression.  The head and tail of the list
+# are always uncompressed for fast push/pop operations.  Settings are:
+# 0: disable all list compression
+# 1: depth 1 means "don't start compressing until after 1 node into the list,
+#    going from either the head or tail"
+#    So: [head]->node->node->...->node->[tail]
+#    [head], [tail] will always be uncompressed; inner nodes will compress.
+# 2: [head]->[next]->node->node->...->node->[prev]->[tail]
+#    2 here means: don't compress head or head->next or tail->prev or tail,
+#    but compress all nodes between them.
+# 3: [head]->[next]->[next]->node->node->...->node->[prev]->[prev]->[tail]
+# etc.
+list-compress-depth 0
+
+# Sets have a special encoding in just one case: when a set is composed
+# of just strings that happen to be integers in radix 10 in the range
+# of 64 bit signed integers.
+# The following configuration setting sets the limit in the size of the
+# set in order to use this special memory saving encoding.
+set-max-intset-entries 512
+
+# Similarly to hashes and lists, sorted sets are also specially encoded in
+# order to save a lot of space. This encoding is only used when the length and
+# elements of a sorted set are below the following limits:
+zset-max-ziplist-entries 128
+zset-max-ziplist-value 64
+
+# HyperLogLog sparse representation bytes limit. The limit includes the
+# 16 bytes header. When an HyperLogLog using the sparse representation crosses
+# this limit, it is converted into the dense representation.
+#
+# A value greater than 16000 is totally useless, since at that point the
+# dense representation is more memory efficient.
+#
+# The suggested value is ~ 3000 in order to have the benefits of
+# the space efficient encoding without slowing down too much PFADD,
+# which is O(N) with the sparse encoding. The value can be raised to
+# ~ 10000 when CPU is not a concern, but space is, and the data set is
+# composed of many HyperLogLogs with cardinality in the 0 - 15000 range.
+hll-sparse-max-bytes 3000
+
+# Streams macro node max size / items. The stream data structure is a radix
+# tree of big nodes that encode multiple items inside. Using this configuration
+# it is possible to configure how big a single node can be in bytes, and the
+# maximum number of items it may contain before switching to a new node when
+# appending new stream entries. If any of the following settings are set to
+# zero, the limit is ignored, so for instance it is possible to set just a
+# max entries limit by setting max-bytes to 0 and max-entries to the desired
+# value.
+stream-node-max-bytes 4096
+stream-node-max-entries 100
+
+# Active rehashing uses 1 millisecond every 100 milliseconds of CPU time in
+# order to help rehashing the main Redis hash table (the one mapping top-level
+# keys to values). The hash table implementation Redis uses (see dict.c)
+# performs a lazy rehashing: the more operation you run into a hash table
+# that is rehashing, the more rehashing "steps" are performed, so if the
+# server is idle the rehashing is never complete and some more memory is used
+# by the hash table.
+#
+# The default is to use this millisecond 10 times every second in order to
+# actively rehash the main dictionaries, freeing memory when possible.
+#
+# If unsure:
+# use "activerehashing no" if you have hard latency requirements and it is
+# not a good thing in your environment that Redis can reply from time to time
+# to queries with 2 milliseconds delay.
+#
+# use "activerehashing yes" if you don't have such hard requirements but
+# want to free memory asap when possible.
+activerehashing yes
+
+# The client output buffer limits can be used to force disconnection of clients
+# that are not reading data from the server fast enough for some reason (a
+# common reason is that a Pub/Sub client can't consume messages as fast as the
+# publisher can produce them).
+#
+# The limit can be set differently for the three different classes of clients:
+#
+# normal -> normal clients including MONITOR clients
+# replica  -> replica clients
+# pubsub -> clients subscribed to at least one pubsub channel or pattern
+#
+# The syntax of every client-output-buffer-limit directive is the following:
+#
+# client-output-buffer-limit <class> <hard limit> <soft limit> <soft seconds>
+#
+# A client is immediately disconnected once the hard limit is reached, or if
+# the soft limit is reached and remains reached for the specified number of
+# seconds (continuously).
+# So for instance if the hard limit is 32 megabytes and the soft limit is
+# 16 megabytes / 10 seconds, the client will get disconnected immediately
+# if the size of the output buffers reach 32 megabytes, but will also get
+# disconnected if the client reaches 16 megabytes and continuously overcomes
+# the limit for 10 seconds.
+#
+# By default normal clients are not limited because they don't receive data
+# without asking (in a push way), but just after a request, so only
+# asynchronous clients may create a scenario where data is requested faster
+# than it can read.
+#
+# Instead there is a default limit for pubsub and replica clients, since
+# subscribers and replicas receive data in a push fashion.
+#
+# Both the hard or the soft limit can be disabled by setting them to zero.
+client-output-buffer-limit normal 0 0 0
+client-output-buffer-limit replica 256mb 64mb 60
+client-output-buffer-limit pubsub 32mb 8mb 60
+
+# Client query buffers accumulate new commands. They are limited to a fixed
+# amount by default in order to avoid that a protocol desynchronization (for
+# instance due to a bug in the client) will lead to unbound memory usage in
+# the query buffer. However you can configure it here if you have very special
+# needs, such us huge multi/exec requests or alike.
+#
+# client-query-buffer-limit 1gb
+
+# In the Redis protocol, bulk requests, that are, elements representing single
+# strings, are normally limited to 512 mb. However you can change this limit
+# here, but must be 1mb or greater
+#
+# proto-max-bulk-len 512mb
+
+# Redis calls an internal function to perform many background tasks, like
+# closing connections of clients in timeout, purging expired keys that are
+# never requested, and so forth.
+#
+# Not all tasks are performed with the same frequency, but Redis checks for
+# tasks to perform according to the specified "hz" value.
+#
+# By default "hz" is set to 10. Raising the value will use more CPU when
+# Redis is idle, but at the same time will make Redis more responsive when
+# there are many keys expiring at the same time, and timeouts may be
+# handled with more precision.
+#
+# The range is between 1 and 500, however a value over 100 is usually not
+# a good idea. Most users should use the default of 10 and raise this up to
+# 100 only in environments where very low latency is required.
+hz 10
+
+# Normally it is useful to have an HZ value which is proportional to the
+# number of clients connected. This is useful in order, for instance, to
+# avoid too many clients are processed for each background task invocation
+# in order to avoid latency spikes.
+#
+# Since the default HZ value by default is conservatively set to 10, Redis
+# offers, and enables by default, the ability to use an adaptive HZ value
+# which will temporarily raise when there are many connected clients.
+#
+# When dynamic HZ is enabled, the actual configured HZ will be used
+# as a baseline, but multiples of the configured HZ value will be actually
+# used as needed once more clients are connected. In this way an idle
+# instance will use very little CPU time while a busy instance will be
+# more responsive.
+dynamic-hz yes
+
+# When a child rewrites the AOF file, if the following option is enabled
+# the file will be fsync-ed every 32 MB of data generated. This is useful
+# in order to commit the file to the disk more incrementally and avoid
+# big latency spikes.
+aof-rewrite-incremental-fsync yes
+
+# When redis saves RDB file, if the following option is enabled
+# the file will be fsync-ed every 32 MB of data generated. This is useful
+# in order to commit the file to the disk more incrementally and avoid
+# big latency spikes.
+rdb-save-incremental-fsync yes
+
+# Redis LFU eviction (see maxmemory setting) can be tuned. However it is a good
+# idea to start with the default settings and only change them after investigating
+# how to improve the performances and how the keys LFU change over time, which
+# is possible to inspect via the OBJECT FREQ command.
+#
+# There are two tunable parameters in the Redis LFU implementation: the
+# counter logarithm factor and the counter decay time. It is important to
+# understand what the two parameters mean before changing them.
+#
+# The LFU counter is just 8 bits per key, it's maximum value is 255, so Redis
+# uses a probabilistic increment with logarithmic behavior. Given the value
+# of the old counter, when a key is accessed, the counter is incremented in
+# this way:
+#
+# 1. A random number R between 0 and 1 is extracted.
+# 2. A probability P is calculated as 1/(old_value*lfu_log_factor+1).
+# 3. The counter is incremented only if R < P.
+#
+# The default lfu-log-factor is 10. This is a table of how the frequency
+# counter changes with a different number of accesses with different
+# logarithmic factors:
+#
+# +--------+------------+------------+------------+------------+------------+
+# | factor | 100 hits   | 1000 hits  | 100K hits  | 1M hits    | 10M hits   |
+# +--------+------------+------------+------------+------------+------------+
+# | 0      | 104        | 255        | 255        | 255        | 255        |
+# +--------+------------+------------+------------+------------+------------+
+# | 1      | 18         | 49         | 255        | 255        | 255        |
+# +--------+------------+------------+------------+------------+------------+
+# | 10     | 10         | 18         | 142        | 255        | 255        |
+# +--------+------------+------------+------------+------------+------------+
+# | 100    | 8          | 11         | 49         | 143        | 255        |
+# +--------+------------+------------+------------+------------+------------+
+#
+# NOTE: The above table was obtained by running the following commands:
+#
+#   redis-benchmark -n 1000000 incr foo
+#   redis-cli object freq foo
+#
+# NOTE 2: The counter initial value is 5 in order to give new objects a chance
+# to accumulate hits.
+#
+# The counter decay time is the time, in minutes, that must elapse in order
+# for the key counter to be divided by two (or decremented if it has a value
+# less <= 10).
+#
+# The default value for the lfu-decay-time is 1. A special value of 0 means to
+# decay the counter every time it happens to be scanned.
+#
+# lfu-log-factor 10
+# lfu-decay-time 1
+
+########################### ACTIVE DEFRAGMENTATION #######################
+#
+# What is active defragmentation?
+# -------------------------------
+#
+# Active (online) defragmentation allows a Redis server to compact the
+# spaces left between small allocations and deallocations of data in memory,
+# thus allowing to reclaim back memory.
+#
+# Fragmentation is a natural process that happens with every allocator (but
+# less so with Jemalloc, fortunately) and certain workloads. Normally a server
+# restart is needed in order to lower the fragmentation, or at least to flush
+# away all the data and create it again. However thanks to this feature
+# implemented by Oran Agra for Redis 4.0 this process can happen at runtime
+# in a "hot" way, while the server is running.
+#
+# Basically when the fragmentation is over a certain level (see the
+# configuration options below) Redis will start to create new copies of the
+# values in contiguous memory regions by exploiting certain specific Jemalloc
+# features (in order to understand if an allocation is causing fragmentation
+# and to allocate it in a better place), and at the same time, will release the
+# old copies of the data. This process, repeated incrementally for all the keys
+# will cause the fragmentation to drop back to normal values.
+#
+# Important things to understand:
+#
+# 1. This feature is disabled by default, and only works if you compiled Redis
+#    to use the copy of Jemalloc we ship with the source code of Redis.
+#    This is the default with Linux builds.
+#
+# 2. You never need to enable this feature if you don't have fragmentation
+#    issues.
+#
+# 3. Once you experience fragmentation, you can enable this feature when
+#    needed with the command "CONFIG SET activedefrag yes".
+#
+# The configuration parameters are able to fine tune the behavior of the
+# defragmentation process. If you are not sure about what they mean it is
+# a good idea to leave the defaults untouched.
+
+# Enabled active defragmentation
+# activedefrag no
+
+# Minimum amount of fragmentation waste to start active defrag
+# active-defrag-ignore-bytes 100mb
+
+# Minimum percentage of fragmentation to start active defrag
+# active-defrag-threshold-lower 10
+
+# Maximum percentage of fragmentation at which we use maximum effort
+# active-defrag-threshold-upper 100
+
+# Minimal effort for defrag in CPU percentage, to be used when the lower
+# threshold is reached
+# active-defrag-cycle-min 1
+
+# Maximal effort for defrag in CPU percentage, to be used when the upper
+# threshold is reached
+# active-defrag-cycle-max 25
+
+# Maximum number of set/hash/zset/list fields that will be processed from
+# the main dictionary scan
+# active-defrag-max-scan-fields 1000
+
+# Jemalloc background thread for purging will be enabled by default
+jemalloc-bg-thread yes
+
+# It is possible to pin different threads and processes of Redis to specific
+# CPUs in your system, in order to maximize the performances of the server.
+# This is useful both in order to pin different Redis threads in different
+# CPUs, but also in order to make sure that multiple Redis instances running
+# in the same host will be pinned to different CPUs.
+#
+# Normally you can do this using the "taskset" command, however it is also
+# possible to this via Redis configuration directly, both in Linux and FreeBSD.
+#
+# You can pin the server/IO threads, bio threads, aof rewrite child process, and
+# the bgsave child process. The syntax to specify the cpu list is the same as
+# the taskset command:
+#
+# Set redis server/io threads to cpu affinity 0,2,4,6:
+# server_cpulist 0-7:2
+#
+# Set bio threads to cpu affinity 1,3:
+# bio_cpulist 1,3
+#
+# Set aof rewrite child process to cpu affinity 8,9,10,11:
+# aof_rewrite_cpulist 8-11
+#
+# Set bgsave child process to cpu affinity 1,10,11
+# bgsave_cpulist 1,10-11
+
+# In some cases redis will emit warnings and even refuse to start if it detects
+# that the system is in bad state, it is possible to suppress these warnings
+# by setting the following config which takes a space delimited list of warnings
+# to suppress
+#
+# ignore-warnings ARM64-COW-BUG
diff --git a/seed/applicationservice/2022.03.08/redis-server/templates/sysuser-redis.conf b/seed/applicationservice/2022.03.08/redis-server/templates/sysuser-redis.conf
new file mode 100644
index 0000000..7cc7c59
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/redis-server/templates/sysuser-redis.conf
@@ -0,0 +1,2 @@
+g redis 996 -
+u redis 996:996     "Redis Database Server" /var/lib/redis  /sbin/nologin
diff --git a/seed/applicationservice/2022.03.08/redis-server/templates/tmpfile-redis.conf b/seed/applicationservice/2022.03.08/redis-server/templates/tmpfile-redis.conf
new file mode 100644
index 0000000..7360662
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/redis-server/templates/tmpfile-redis.conf
@@ -0,0 +1 @@
+d /srv/redis 750 redis redis - -
diff --git a/seed/applicationservice/2022.03.08/relay-mail-client/applicationservice.yml b/seed/applicationservice/2022.03.08/relay-mail-client/applicationservice.yml
new file mode 100644
index 0000000..1720749
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/relay-mail-client/applicationservice.yml
@@ -0,0 +1,2 @@
+format: '0.1'
+description: Client SMTP
diff --git a/seed/applicationservice/2022.03.08/relay-mail-client/dictionaries/20_smtp_client.xml b/seed/applicationservice/2022.03.08/relay-mail-client/dictionaries/20_smtp_client.xml
new file mode 100644
index 0000000..c7271f3
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/relay-mail-client/dictionaries/20_smtp_client.xml
@@ -0,0 +1,36 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name="smtp" manage="False">
+      <file>/etc/pki/ca-trust/source/anchors/ca_MailRelay.crt</file>
+    </service>
+  </services>
+  <variables>
+    <family name="smtp" description="Client SMTP">
+      <variable name="smtp_relay_address" type="domainname" description="Nom de domaine du serveur SMTP" mandatory="True"/>
+      <variable name="smtp_relay_user" type="unix_user" description="Relay username" mandatory="True" hidden="True"/>
+      <variable name="smtp_relay_password" type="secret" description="Relay password" mandatory="True" hidden="True"/>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="set_linked">
+      <param name="linked_server" type="variable">smtp_relay_address</param>
+      <param name="linked_provider">mail</param>
+      <param name="linked_value" type="variable">domain_name_eth0</param>
+      <target>smtp_relay_user</target>
+    </fill>
+    <fill name="get_linked_configuration">
+      <param name="linked_server" type="variable">smtp_relay_address</param>
+      <param name="linked_provider">mail_password</param>
+      <param name="dynamic" type="variable">smtp_relay_user</param>
+      <target>smtp_relay_password</target>
+    </fill>
+    <check name="set_linked_configuration">
+      <param name="linked_server" type="variable">smtp_relay_address</param>
+      <param name="linked_provider">mail_ip</param>
+      <param name="linked_value" type="variable">ip_eth0</param>
+      <param name="dynamic" type="variable">smtp_relay_user</param>
+      <target>smtp_relay_password</target>
+    </check>
+  </constraints>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/relay-mail-client/templates/ca_MailRelay.crt b/seed/applicationservice/2022.03.08/relay-mail-client/templates/ca_MailRelay.crt
new file mode 100644
index 0000000..8ffa12c
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/relay-mail-client/templates/ca_MailRelay.crt
@@ -0,0 +1 @@
+%%get_chain(%%smtp_relay_address, authority_name='MailRelay')
diff --git a/seed/applicationservice/2022.03.08/reverse-proxy-client/applicationservice.yml b/seed/applicationservice/2022.03.08/reverse-proxy-client/applicationservice.yml
new file mode 100644
index 0000000..ccfe573
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/reverse-proxy-client/applicationservice.yml
@@ -0,0 +1,2 @@
+format: '0.1'
+description: Web site behind Nginx reverse proxy
diff --git a/seed/applicationservice/2022.03.08/reverse-proxy-client/dictionaries/20_nginx_client.xml b/seed/applicationservice/2022.03.08/reverse-proxy-client/dictionaries/20_nginx_client.xml
new file mode 100644
index 0000000..aaeb9a0
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/reverse-proxy-client/dictionaries/20_nginx_client.xml
@@ -0,0 +1,82 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name="nginx" manage="False">
+      <file file_type="variable" source="ca_ReverseProxy.crt">revprox_ca_file</file>
+      <file file_type="variable" source="revprox.crt">revprox_cert_file</file>
+      <file file_type="variable" source="revprox.key" owner_type="variable" owner="revprox_client_cert_owner" group_type="variable" group="revprox_client_cert_group" mode="400">revprox_key_file</file>
+    </service>
+  </services>
+  <variables>
+    <family name="nginx" description="Reverse proxy">
+      <variable name="revprox_client_server_domainname" type="domainname" description="Nom de domaine du serveur mandataire inverse" mandatory='True'/>
+      <variable name="revprox_client_server_ip" type="ip" hidden='True'/>
+      <variable name="revprox_client_external_domainname" type="domainname" description="Nom de domaine exterieur du serveur" mandatory='True' provider="external_domainname"/>
+      <variable name="revprox_client_location" type="filename" description="Nom de l'arborescence racine du site" mandatory="True">
+        <value>/</value>
+      </variable>
+      <variable name="revprox_client_local_location" type="filename" description="Nom de l'arborescene racine du site localement" hidden='True'/>
+      <variable name="revprox_client_web_address" type="web_address" description="Nom de domaine du client du mandataire inverse" hidden='True'/>
+      <variable name="revprox_client_port" type="port" description="Port du client du mandataire inverse" hidden='True'>
+        <value>443</value>
+      </variable>
+      <variable name="revprox_client_cert_owner" type="unix_user" description="Reverse proxy certificate owner">
+        <value>root</value>
+      </variable>
+      <variable name="revprox_client_cert_group" type="unix_user" description="Reverse proxy certificate group">
+        <value>root</value>
+      </variable>
+      <variable name="revprox_ca_file" type="filename" description="Reverse proxy CA filename" hidden="True"/>
+      <variable name="revprox_cert_file" type="filename" description="Reverse proxy certificate filename" hidden="True"/>
+      <variable name="revprox_key_file" type="filename" description="Reverse proxy private key filename" hidden="True"/>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="calc_web_address">
+      <param type="variable">domain_name_eth0</param>
+      <param type="variable">revprox_client_port</param>
+      <param type="variable">revprox_client_local_location</param>
+      <target>revprox_client_web_address</target>
+    </fill>
+    <fill name="calc_value">
+      <param type="variable">tls_ca_directory</param>
+      <param>ca_ReverseProxy.crt</param>
+      <param name="join">/</param>
+      <target>revprox_ca_file</target>
+    </fill>
+    <fill name="calc_value">
+      <param type="variable">tls_cert_directory</param>
+      <param>revprox.crt</param>
+      <param name="join">/</param>
+      <target>revprox_cert_file</target>
+    </fill>
+    <fill name="calc_value">
+      <param type="variable">tls_key_directory</param>
+      <param>revprox.key</param>
+      <param name="join">/</param>
+      <target>revprox_key_file</target>
+    </fill>
+    <fill name="set_linked">
+      <param name="linked_server" type="variable">revprox_client_server_domainname</param>
+      <param name="linked_provider">clients</param>
+      <param name="linked_value" type="variable">revprox_client_external_domainname</param>
+      <param name="linked_returns">ip</param>
+      <param name="dynamic">0</param>
+      <target>revprox_client_server_ip</target>
+    </fill>
+    <check name="set_linked_configuration">
+      <param name="linked_server" type="variable">revprox_client_server_domainname</param>
+      <param name="linked_provider">location</param>
+      <param name="dynamic" type="variable">revprox_client_external_domainname</param>
+      <target>revprox_client_location</target>
+    </check>
+    <check name="set_linked_configuration">
+      <param name="linked_server" type="variable">revprox_client_server_domainname</param>
+      <param name="leader_provider">location</param>
+      <param name="leader_value" type="variable">revprox_client_location</param>
+      <param name="linked_provider">url</param>
+      <param name="dynamic" type="variable">revprox_client_external_domainname</param>
+      <target>revprox_client_web_address</target>
+    </check>
+  </constraints>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/reverse-proxy-client/funcs/revprox_client.py b/seed/applicationservice/2022.03.08/reverse-proxy-client/funcs/revprox_client.py
new file mode 100644
index 0000000..4813751
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/reverse-proxy-client/funcs/revprox_client.py
@@ -0,0 +1,7 @@
+def calc_web_address(domain_name:str, port:str, local_location:str):
+    if not domain_name or not port:
+        return
+    web_address = f'https://{domain_name}:{port}'
+    if local_location:
+        web_address += local_location
+    return web_address
diff --git a/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/ca_ReverseProxy.crt b/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/ca_ReverseProxy.crt
new file mode 100644
index 0000000..e39381c
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/ca_ReverseProxy.crt
@@ -0,0 +1 @@
+%%get_chain(%%revprox_client_server_domainname, authority_name='ReverseProxy')
diff --git a/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/revprox.crt b/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/revprox.crt
new file mode 100644
index 0000000..8d74a36
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/revprox.crt
@@ -0,0 +1,2 @@
+%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='ReverseProxy', type="server")
+%%get_chain(%%revprox_client_server_domainname, 'ReverseProxy')
diff --git a/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/revprox.key b/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/revprox.key
new file mode 100644
index 0000000..4f3837a
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/reverse-proxy-client/templates/revprox.key
@@ -0,0 +1 @@
+%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='ReverseProxy', type='server')
diff --git a/seed/applicationservice/2022.03.08/roundcube/DEBUG.md b/seed/applicationservice/2022.03.08/roundcube/DEBUG.md
new file mode 100644
index 0000000..1b728a9
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/roundcube/DEBUG.md
@@ -0,0 +1,15 @@
+Debug ldap
+==========
+
+sed -i "s/ldap_debug'] = false/ldap_debug'] = true/g" /etc/roundcubemail/config.inc.php
+
+
+Debug redis
+===========
+
+sed -i "s/$config\['redis_debug'\] = false;/$config['redis_debug'] = true;/g" /etc/roundcubemail/config.inc.php
+
+Tous debugger
+==============
+
+sed -i "s/_debug'] = false/_debug'] = true/g" /etc/roundcubemail/config.inc.php
diff --git a/seed/applicationservice/2022.03.08/roundcube/applicationservice.yml b/seed/applicationservice/2022.03.08/roundcube/applicationservice.yml
new file mode 100644
index 0000000..66e6ddf
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/roundcube/applicationservice.yml
@@ -0,0 +1,11 @@
+format: '0.1'
+description: Interface web de consultation des courriels Roundcube
+depends:
+  - base-fedora-35
+  - postgresql-client
+  - ldap-client-fedora
+  - imap-client
+  - redis-client
+  - oauth2-client
+  - apache
+  - php-fpm
diff --git a/seed/applicationservice/2022.03.08/roundcube/dictionaries/31_roundcube.xml b/seed/applicationservice/2022.03.08/roundcube/dictionaries/31_roundcube.xml
new file mode 100644
index 0000000..cf39096
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/roundcube/dictionaries/31_roundcube.xml
@@ -0,0 +1,49 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name="roundcube" engine="creole" target="multi-user">
+      <file owner="root" group="apache" mode="640">/etc/roundcubemail/config.inc.php</file>
+      <file>/etc/httpd/conf.d/roundcubemail.conf</file>
+      <file>/secrets/roundcube-init.php</file>
+      <file>/etc/pki/ca-trust/source/anchors/ca_MailServer.crt</file>
+    </service>
+  </services>
+  <variables>
+    <family name="roundcube" description="Interface web de consultation des courriels Roundcube">
+      <variable name="roundcube_des_key" type="secret" auto_freeze="True" hidden="True"/>
+    </family>
+    <family name="nginx">
+      <variable name="revprox_client_location" redefine="True">
+        <value>/roundcube</value>
+      </variable>
+    </family>
+    <family name="oauth2_client">
+      <variable name="oauth2_is_client_application" redefine='True'>
+        <value>True</value>
+      </variable>
+      <variable name="oauth2_client_name" redefine='True'>
+        <value>Courriel</value>
+      </variable>
+      <variable name="oauth2_client_description" redefine='True'>
+        <value>Consulter ces courriels avec Roundcube</value>
+      </variable>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="get_password">
+      <param name="server_name" type="variable">domain_name_eth0</param>
+      <param name="username">roundcube</param>
+      <param name="description">des_key</param>
+      <param name="type">cleartext</param>
+      <target>roundcube_des_key</target>
+    </fill>
+    <fill name="calc_value">
+      <param>https://</param>
+      <param type="variable" optional="True">revprox_client_external_domainname</param>
+      <param type="variable" optional="True">revprox_client_location</param>
+      <param>/index.php/login/oauth</param>
+      <param name="join"></param>
+      <target>oauth2_client_login</target>
+    </fill>
+  </constraints>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/roundcube/extras/machine/20_roundcube.xml b/seed/applicationservice/2022.03.08/roundcube/extras/machine/20_roundcube.xml
new file mode 100644
index 0000000..ac4f5b3
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/roundcube/extras/machine/20_roundcube.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rougail version="0.10">
+  <variables>
+    <variable name="var_size" redefine="True">
+      <value>256</value>
+    </variable>
+    <variable name="add_tmp" redefine="True">
+      <value>False</value>
+    </variable>
+    <variable name="add_srv" redefine="True">
+      <value>False</value>
+    </variable>
+    <variable name="add_swap" redefine="True">
+      <value>False</value>
+    </variable>
+    <variable name='memory' redefine="True" exists="True">
+      <value>512</value>
+    </variable>
+  </variables>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/roundcube/manual/image/preinstall/roundcube.sh b/seed/applicationservice/2022.03.08/roundcube/manual/image/preinstall/roundcube.sh
new file mode 100644
index 0000000..276c052
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/roundcube/manual/image/preinstall/roundcube.sh
@@ -0,0 +1 @@
+PKG="$PKG mod_ssl roundcubemail php-cli php-pgsql php-pecl-redis5"
diff --git a/seed/applicationservice/2022.03.08/roundcube/templates/ca_MailServer.crt b/seed/applicationservice/2022.03.08/roundcube/templates/ca_MailServer.crt
new file mode 100644
index 0000000..b379d10
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/roundcube/templates/ca_MailServer.crt
@@ -0,0 +1 @@
+%%get_chain(%%imap_address, 'MailServer')
diff --git a/seed/applicationservice/2022.03.08/roundcube/templates/config.inc.php b/seed/applicationservice/2022.03.08/roundcube/templates/config.inc.php
new file mode 100644
index 0000000..9c95668
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/roundcube/templates/config.inc.php
@@ -0,0 +1,1563 @@
+<?php
+// SEE /etc/roundcubemail/defaults.inc.php
+/*
+ +-----------------------------------------------------------------------+
+ | Default settings for all configuration options                        |
+ |                                                                       |
+ | This file is part of the Roundcube Webmail client                     |
+ | Copyright (C) The Roundcube Dev Team                                  |
+ |                                                                       |
+ | Licensed under the GNU General Public License version 3 or            |
+ | any later version with exceptions for skins & plugins.                |
+ | See the README file for a full license statement.                     |
+ +-----------------------------------------------------------------------+
+*/
+
+$config = [];
+
+// ----------------------------------
+// SQL DATABASE
+// ----------------------------------
+
+// Database connection string (DSN) for read+write operations
+// Format (compatible with PEAR MDB2): db_provider://user:password@host/database
+// Currently supported db_providers: mysql, pgsql, sqlite, mssql, sqlsrv, oracle
+// For examples see http://pear.php.net/manual/en/package.database.mdb2.intro-dsn.php
+// Note: for SQLite use absolute path (Linux): 'sqlite:////full/path/to/sqlite.db?mode=0646'
+//       or (Windows): 'sqlite:///C:/full/path/to/sqlite.db'
+// Note: Various drivers support various additional arguments for connection,
+//       for Mysql: key, cipher, cert, capath, ca, verify_server_cert,
+//       for Postgres: application_name, sslmode, sslcert, sslkey, sslrootcert, sslcrl, sslcompression, service.
+//       e.g. 'mysql://roundcube:@localhost/roundcubemail?verify_server_cert=false'
+// GNUNUX $config['db_dsnw'] = 'mysql://roundcube:@localhost/roundcubemail';
+//>GNUNUX
+$config['db_dsnw'] = 'pgsql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database';
+//<GNUNUX
+
+// Database DSN for read-only operations (if empty write database will be used)
+// useful for database replication
+$config['db_dsnr'] = '';
+
+// Disable the use of already established dsnw connections for subsequent reads
+$config['db_dsnw_noread'] = false;
+
+// use persistent db-connections
+// beware this will not "always" work as expected
+// see: http://www.php.net/manual/en/features.persistent-connections.php
+$config['db_persistent'] = false;
+
+// you can define specific table (and sequence) names prefix
+$config['db_prefix'] = '';
+
+// Mapping of table names and connections to use for ALL operations.
+// This can be used in a setup with replicated databases and a DB master
+// where read/write access to cache tables should not go to master.
+$config['db_table_dsn'] = [
+//    'cache' => 'r',
+//    'cache_index' => 'r',
+//    'cache_thread' => 'r',
+//    'cache_messages' => 'r',
+];
+
+// It is possible to specify database variable values e.g. some limits here.
+// Use them if your server is not MySQL or for better performance.
+// For example Roundcube uses max_allowed_packet value (in bytes)
+// which limits query size for database cache operations.
+$config['db_max_allowed_packet'] = null;
+
+
+// ----------------------------------
+// LOGGING/DEBUGGING
+// ----------------------------------
+
+// log driver:  'syslog', 'stdout' or 'file'.
+// GNUNUX $config['log_driver'] = 'file';
+//>GNUNUX
+$config['log_driver'] = 'syslog';
+//<GNUNUX
+
+// date format for log entries
+// (read http://php.net/manual/en/function.date.php for all format characters)
+$config['log_date_format'] = 'd-M-Y H:i:s O';
+
+// length of the session ID to prepend each log line with
+// set to 0 to avoid session IDs being logged.
+$config['log_session_id'] = 8;
+
+// Default extension used for log file name
+$config['log_file_ext'] = '.log';
+
+// Syslog ident string to use, if using the 'syslog' log driver.
+$config['syslog_id'] = 'roundcube';
+
+// Syslog facility to use, if using the 'syslog' log driver.
+// For possible values see installer or http://php.net/manual/en/function.openlog.php
+$config['syslog_facility'] = LOG_USER;
+
+// Activate this option if logs should be written to per-user directories.
+// Data will only be logged if a directory <log_dir>/<username>/ exists and is writable.
+$config['per_user_logging'] = false;
+
+// Log sent messages to <log_dir>/sendmail.log or to syslog
+$config['smtp_log'] = true;
+
+// Log successful/failed logins to <log_dir>/userlogins.log or to syslog
+// GNUNUX $config['log_logins'] = false;
+#>GNUNUX
+$config['log_logins'] = false;
+#<GNUNUX
+
+// Log session debug information/authentication errors to <log_dir>/session.log or to syslog
+$config['session_debug'] = false;
+
+// Log SQL queries to <log_dir>/sql.log or to syslog
+$config['sql_debug'] = false;
+
+// Log IMAP conversation to <log_dir>/imap.log or to syslog
+$config['imap_debug'] = false;
+
+// Log LDAP conversation to <log_dir>/ldap.log or to syslog
+$config['ldap_debug'] = false;
+
+// Log SMTP conversation to <log_dir>/smtp.log or to syslog
+$config['smtp_debug'] = false;
+
+// Log Memcache conversation to <log_dir>/memcache.log or to syslog
+$config['memcache_debug'] = false;
+
+// Log APC conversation to <log_dir>/apc.log or to syslog
+$config['apc_debug'] = false;
+
+// Log Redis conversation to <log_dir>/redis.log or to syslog
+$config['redis_debug'] = false;
+
+
+// ----------------------------------
+// IMAP
+// ----------------------------------
+
+// The IMAP host chosen to perform the log-in.
+// Leave blank to show a textbox at login, give a list of hosts
+// to display a pulldown menu or set one host as string.
+// Enter hostname with prefix ssl:// to use Implicit TLS, or use
+// prefix tls:// to use STARTTLS.
+// Supported replacement variables:
+// %n - hostname ($_SERVER['SERVER_NAME'])
+// %t - hostname without the first part
+// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
+// %s - domain name after the '@' from e-mail address provided at login screen
+// For example %n = mail.domain.tld, %t = domain.tld
+// WARNING: After hostname change update of mail_host column in users table is
+//          required to match old user data records with the new host.
+$config['default_host'] = 'localhost';
+
+// TCP port used for IMAP connections
+$config['default_port'] = 143;
+
+// IMAP authentication method (DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN or null).
+// Use 'IMAP' to authenticate with IMAP LOGIN command.
+// By default the most secure method (from supported) will be selected.
+$config['imap_auth_type'] = null;
+
+// IMAP socket context options
+// See http://php.net/manual/en/context.ssl.php
+// The example below enables server certificate validation
+//$config['imap_conn_options'] = [
+//  'ssl'         => [
+//     'verify_peer'  => true,
+//     'verify_depth' => 3,
+//     'cafile'       => '/etc/openssl/certs/ca.crt',
+//   ],
+// ];
+// Note: These can be also specified as an array of options indexed by hostname
+
+
+$config['imap_conn_options'] = null;
+
+// IMAP connection timeout, in seconds. Default: 0 (use default_socket_timeout)
+$config['imap_timeout'] = 0;
+
+// Optional IMAP authentication identifier to be used as authorization proxy
+$config['imap_auth_cid'] = null;
+
+// Optional IMAP authentication password to be used for imap_auth_cid
+$config['imap_auth_pw'] = null;
+
+// If you know your imap's folder delimiter, you can specify it here.
+// Otherwise it will be determined automatically
+$config['imap_delimiter'] = null;
+
+// If you know your imap's folder vendor, you can specify it here.
+// Otherwise it will be determined automatically. Use lower-case
+// identifiers, e.g. 'dovecot', 'cyrus', 'gimap', 'hmail', 'uw-imap'.
+$config['imap_vendor'] = null;
+
+// If IMAP server doesn't support NAMESPACE extension, but you're
+// using shared folders or personal root folder is non-empty, you'll need to
+// set these options. All can be strings or arrays of strings.
+// Note: Folders need to be ended with directory separator, e.g. "INBOX."
+//       (special directory "~" is an exception to this rule)
+// Note: These can be used also to overwrite server's namespaces
+// Note: Set these to FALSE to disable access to specified namespace
+$config['imap_ns_personal'] = null;
+$config['imap_ns_other']    = null;
+$config['imap_ns_shared']   = null;
+
+// By default IMAP capabilities are read after connection to IMAP server
+// In some cases, e.g. when using IMAP proxy, there's a need to refresh the list
+// after login. Set to True if you've got this case.
+$config['imap_force_caps'] = false;
+
+// By default list of subscribed folders is determined using LIST-EXTENDED
+// extension if available. Some servers (dovecot 1.x) returns wrong results
+// for shared namespaces in this case. https://github.com/roundcube/roundcubemail/issues/2474
+// Enable this option to force LSUB command usage instead.
+// Deprecated: Use imap_disabled_caps = ['LIST-EXTENDED']
+$config['imap_force_lsub'] = false;
+
+// Some server configurations (e.g. Courier) doesn't list folders in all namespaces
+// Enable this option to force listing of folders in all namespaces
+$config['imap_force_ns'] = false;
+
+// Some servers return hidden folders (name starting with a dot)
+// from user home directory. IMAP RFC does not forbid that.
+// Enable this option to hide them and disable possibility to create such.
+$config['imap_skip_hidden_folders'] = false;
+
+// Some servers do not support folders with both folders and messages inside
+// If your server supports that use true, if it does not, use false.
+// By default it will be determined automatically (once per user session).
+$config['imap_dual_use_folders'] = null;
+
+// List of disabled imap extensions.
+// Use if your IMAP server has broken implementation of some feature
+// and you can't remove it from CAPABILITY string on server-side.
+// For example UW-IMAP server has broken ESEARCH.
+// Note: Because the list is cached, re-login is required after change.
+$config['imap_disabled_caps'] = [];
+
+// Log IMAP session identifiers after each IMAP login.
+// This is used to relate IMAP session with Roundcube user sessions
+$config['imap_log_session'] = false;
+
+// Type of IMAP indexes cache. Supported values: 'db', 'apc' and 'memcache' or 'memcached'.
+$config['imap_cache'] = 'db';
+
+// Enables messages cache. Only 'db' cache is supported.
+// This requires an IMAP server that supports QRESYNC and CONDSTORE
+// extensions (RFC7162). See synchronize() in program/lib/Roundcube/rcube_imap_cache.php
+// for further info, or if you experience syncing problems.
+$config['messages_cache'] = false;
+
+// Lifetime of IMAP indexes cache. Possible units: s, m, h, d, w
+$config['imap_cache_ttl'] = '10d';
+
+// Lifetime of messages cache. Possible units: s, m, h, d, w
+$config['messages_cache_ttl'] = '10d';
+
+// Maximum cached message size in kilobytes.
+// Note: On MySQL this should be less than (max_allowed_packet - 30%)
+$config['messages_cache_threshold'] = 50;
+
+//>GNUNUX
+$config['default_host'] = 'ssl://%%imap_address';
+$config['default_port'] = 993;
+$config['imap_auth_type'] = 'PLAIN';
+$config['imap_conn_options'] = [
+  'ssl'         => [
+     'verify_peer'  => true,
+     'verify_depth' => 3,
+     'cafile'       => '/etc/pki/ca-trust/source/anchors/ca_IMAPServer.crt',
+   ],
+];
+$config['imap_delimiter'] = "+";
+$config['imap_vendor'] = 'dovecot';
+//<GNUNUX
+
+// ----------------------------------
+// SMTP
+// ----------------------------------
+
+// SMTP server host (for sending mails).
+// Enter hostname with prefix ssl:// to use Implicit TLS, or use
+// prefix tls:// to use STARTTLS.
+// Supported replacement variables:
+// %h - user's IMAP hostname
+// %n - hostname ($_SERVER['SERVER_NAME'])
+// %t - hostname without the first part
+// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
+// %z - IMAP domain (IMAP hostname without the first part)
+// For example %n = mail.domain.tld, %t = domain.tld
+// To specify different SMTP servers for different IMAP hosts provide an array
+// of IMAP host (no prefix or port) and SMTP server e.g. ['imap.example.com' => 'smtp.example.net']
+$config['smtp_server'] = 'localhost';
+
+// SMTP port. Use 25 for cleartext, 465 for Implicit TLS, or 587 for STARTTLS (default)
+$config['smtp_port'] = 587;
+
+// SMTP username (if required) if you use %u as the username Roundcube
+// will use the current username for login
+$config['smtp_user'] = '%u';
+
+// SMTP password (if required) if you use %p as the password Roundcube
+// will use the current user's password for login
+$config['smtp_pass'] = '%p';
+
+// SMTP AUTH type (DIGEST-MD5, CRAM-MD5, LOGIN, PLAIN or empty to use
+// best server supported one)
+$config['smtp_auth_type'] = null;
+
+// Optional SMTP authentication identifier to be used as authorization proxy
+$config['smtp_auth_cid'] = null;
+
+// Optional SMTP authentication password to be used for smtp_auth_cid
+$config['smtp_auth_pw'] = null;
+
+// Pass the username (XCLIENT LOGIN) to the server
+$config['smtp_xclient_login'] = false;
+
+// Pass the remote IP (XCLIENT ADDR) to the server
+$config['smtp_xclient_addr'] = false;
+
+
+// SMTP HELO host
+// Hostname to give to the remote server for SMTP 'HELO' or 'EHLO' messages
+// Leave this blank and you will get the server variable 'server_name' or
+// localhost if that isn't defined.
+$config['smtp_helo_host'] = '';
+
+// SMTP connection timeout, in seconds. Default: 0 (use default_socket_timeout)
+// Note: There's a known issue where using ssl connection with
+// timeout > 0 causes connection errors (https://bugs.php.net/bug.php?id=54511)
+$config['smtp_timeout'] = 0;
+
+// SMTP socket context options
+// See http://php.net/manual/en/context.ssl.php
+// The example below enables server certificate validation, and
+// requires 'smtp_timeout' to be non zero.
+// $config['smtp_conn_options'] = [
+//   'ssl'         => [
+//     'verify_peer'  => true,
+//     'verify_depth' => 3,
+//     'cafile'       => '/etc/openssl/certs/ca.crt',
+//   ],
+// ];
+// Note: These can be also specified as an array of options indexed by hostname
+$config['smtp_conn_options'] = null;
+
+
+//>GNUNUX
+$config['smtp_server'] = 'tls://%%imap_address';
+$config['smtp_port'] = 587;
+$config['smtp_auth_type'] = 'PLAIN';
+$config['smtp_conn_options'] = [
+   'ssl'         => [
+     'verify_peer'  => true,
+     'verify_depth' => 3,
+     'cafile'       => '/etc/pki/ca-trust/source/anchors/ca_MailServer.crt',
+   ],
+ ];
+//<GNUNUX
+
+// ----------------------------------
+// OAuth
+// ----------------------------------
+
+// Enable OAuth2 by defining a provider. Use 'generic' here
+$config['oauth_provider'] = null;
+
+// Provider name to be displayed on the login button
+$config['oauth_provider_name'] = 'Google';
+
+// Mandatory: OAuth client ID for your Roundcube installation
+$config['oauth_client_id'] = null;
+
+// Mandatory: OAuth client secret
+$config['oauth_client_secret'] = null;
+
+// Mandatory: URI for OAuth user authentication (redirect)
+$config['oauth_auth_uri'] = null;
+
+// Mandatory: Endpoint for OAuth authentication requests (server-to-server)
+$config['oauth_token_uri'] = null;
+
+// Optional: Endpoint to query user identity if not provided in auth response
+$config['oauth_identity_uri'] = null;
+
+// Optional: disable SSL certificate check on HTTP requests to OAuth server
+// See http://docs.guzzlephp.org/en/stable/request-options.html#verify for possible values
+$config['oauth_verify_peer'] = true;
+
+// Mandatory: OAuth scopes to request (space-separated string)
+$config['oauth_scope'] = null;
+
+// Optional: additional query parameters to send with login request (hash array)
+$config['oauth_auth_parameters'] = [];
+
+// Optional: array of field names used to resolve the username within the identity information
+$config['oauth_identity_fields'] = null;
+
+// Boolean: automatically redirect to OAuth login when opening Roundcube without a valid session
+$config['oauth_login_redirect'] = false;
+
+///// Example config for Gmail
+
+// Register your service at https://console.developers.google.com/
+// - use https://<your-roundcube-url>/index.php/login/oauth as redirect URL
+
+// $config['default_host'] = 'ssl://imap.gmail.com';
+// $config['oauth_provider'] = 'google';
+// $config['oauth_provider_name'] = 'Google';
+// $config['oauth_client_id'] = "<your-credentials-client-id>";
+// $config['oauth_client_secret'] = "<your-credentials-client-secret>";
+// $config['oauth_auth_uri'] = "https://accounts.google.com/o/oauth2/auth";
+// $config['oauth_token_uri'] = "https://oauth2.googleapis.com/token";
+// $config['oauth_identity_uri'] = 'https://www.googleapis.com/oauth2/v1/userinfo';
+// $config['oauth_scope'] = "email profile openid https://mail.google.com/";
+// $config['oauth_auth_parameters'] = ['access_type' => 'offline', 'prompt' => 'consent'];
+
+///// Example config for Outlook.com (Office 365)
+
+// Register your OAuth client at https://portal.azure.com
+// - use https://<your-roundcube-url>/index.php/login/oauth as redirect URL
+// - grant permissions to Microsoft Graph API "IMAP.AccessAsUser.All", "SMTP.Send", "User.Read" and "offline_access"
+
+// $config['default_host'] = 'ssl://outlook.office365.com';
+// $config['smtp_server'] = 'ssl://smtp.office365.com';
+
+// $config['oauth_provider'] = 'outlook';
+// $config['oauth_provider_name'] = 'Outlook.com';
+// $config['oauth_client_id'] = "<your-credentials-client-id>";
+// $config['oauth_client_secret'] = "<your-credentials-client-secret>";
+// $config['oauth_auth_uri'] = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize";
+// $config['oauth_token_uri'] = "https://login.microsoftonline.com/common/oauth2/v2.0/token";
+// $config['oauth_identity_uri'] = "https://graph.microsoft.com/v1.0/me";
+// $config['oauth_identity_fields'] = ['email', 'userPrincipalName'];
+// $config['oauth_scope'] = "https://outlook.office365.com/IMAP.AccessAsUser.All https://outlook.office365.com/SMTP.Send User.Read offline_access";
+// $config['oauth_auth_parameters'] = ['nonce' => mt_rand()];
+//>GNUNUX
+$config['oauth_provider'] = 'generic';
+$config['oauth_provider_name'] = 'LemonLdap';
+$config['oauth_client_id'] = '%%oauth2_client_id';
+$config['oauth_client_secret'] = '%%oauth2_client_secret';
+$config['oauth_auth_uri'] = 'https://%%oauth2_server_domainname/oauth2/authorize';
+$config['oauth_token_uri'] = 'https://%%oauth2_client_server_domainname/oauth2/token';
+$config['oauth_identity_uri'] = 'https://%%oauth2_client_server_domainname/oauth2/userinfo';
+$config['oauth_verify_peer'] = true;
+$config['oauth_scope'] = "profile email openid";
+$config['oauth_auth_parameters'] = [];
+$config['oauth_identity_fields'] = null;
+$config['oauth_login_redirect'] = true;
+//<GNUNUX
+
+// ----------------------------------
+// LDAP
+// ----------------------------------
+
+// Type of LDAP cache. Supported values: 'db', 'apc' and 'memcache' or 'memcached'.
+$config['ldap_cache'] = 'db';
+
+// Lifetime of LDAP cache. Possible units: s, m, h, d, w
+$config['ldap_cache_ttl'] = '10m';
+
+
+// ----------------------------------
+// CACHE(S)
+// ----------------------------------
+
+// Use these hosts for accessing memcached
+// Define any number of hosts in the form of hostname:port or unix:///path/to/socket.file
+// Example: ['localhost:11211', '192.168.1.12:11211', 'unix:///var/tmp/memcached.sock'];
+$config['memcache_hosts'] = null;
+
+// Controls the use of a persistent connections to memcache servers
+// See http://php.net/manual/en/memcache.addserver.php
+$config['memcache_pconnect'] = true;
+
+// Value in seconds which will be used for connecting to the daemon
+// See http://php.net/manual/en/memcache.addserver.php
+$config['memcache_timeout'] = 1;
+
+// Controls how often a failed server will be retried (value in seconds).
+// Setting this parameter to -1 disables automatic retry.
+// See http://php.net/manual/en/memcache.addserver.php
+$config['memcache_retry_interval'] = 15;
+
+// Use these hosts for accessing Redis.
+// Currently only one host is supported. Cluster support may come in a future release.
+// You can pass 4 fields, host, port (optional), database (optional) and password (optional).
+// Unset fields will be set to the default values host=127.0.0.1, port=6379.
+// Examples:
+//     ['localhost:6379'];
+//     ['192.168.1.1:6379:1:secret'];
+//     ['unix:///var/run/redis/redis-server.sock:1:secret'];
+$config['redis_hosts'] = null;
+//>GNUNUX
+$config['redis_hosts'] = array('%%redis_client_server_domainname:6379:0:%%redis_client_password');
+//<GNUNUX
+
+// Maximum size of an object in memcache (in bytes). Default: 2MB
+$config['memcache_max_allowed_packet'] = '2M';
+
+// Maximum size of an object in APC cache (in bytes). Default: 2MB
+$config['apc_max_allowed_packet'] = '2M';
+
+// Maximum size of an object in Redis cache (in bytes). Default: 2MB
+$config['redis_max_allowed_packet'] = '2M';
+
+
+// ----------------------------------
+// SYSTEM
+// ----------------------------------
+
+// THIS OPTION WILL ALLOW THE INSTALLER TO RUN AND CAN EXPOSE SENSITIVE CONFIG DATA.
+// ONLY ENABLE IT IF YOU'RE REALLY SURE WHAT YOU'RE DOING!
+$config['enable_installer'] = false;
+
+// don't allow these settings to be overridden by the user
+$config['dont_override'] = [];
+
+// List of disabled UI elements/actions
+$config['disabled_actions'] = [];
+
+// define which settings should be listed under the 'advanced' block
+// which is hidden by default
+$config['advanced_prefs'] = [];
+
+// provide an URL where a user can get support for this Roundcube installation
+// PLEASE DO NOT LINK TO THE ROUNDCUBE.NET WEBSITE HERE!
+$config['support_url'] = '';
+
+// Location of the blank (watermark) frame page. By default it is the watermark.html
+// file from the currently selected skin. Prepend name/path with a slash to use
+// current skin folder. Remove the slash to point to a file in the Roundcube
+// root directory. It can be also a full URL.
+$config['blankpage_url'] = '/watermark.html';
+
+// Logo image replacement. Specifies location of the image as:
+// - URL relative to the document root of this Roundcube installation
+// - full URL with http:// or https:// prefix
+// - URL relative to the current skin folder (when starts with a '/')
+//
+// An array can be used to specify different logos for specific template files
+// The array key specifies the place(s) the logo should be applied to and
+// is made up of (up to) 3 parts:
+// - skin name prefix (always with colon, can be replaced with *)
+// - template name (or * for all templates)
+// - logo type - it is used for logos used on multiple templates
+//   the available types include '[favicon]' for favicon, '[print]' for logo on all print
+//   templates (e.g. messageprint, contactprint) and '[small]' for small screen logo in supported skins
+//   '[dark]' and '[small-dark]' for dark mode logo in supported skins
+//
+// Example config for skin_logo
+/*
+   [
+     // show the image /images/logo_login_small.png for the Login screen in the Elastic skin on small screens
+     "elastic:login[small]" => "/images/logo_login_small.png",
+     // show the image /images/logo_login.png for the Login screen in the Elastic skin
+     "elastic:login" => "/images/logo_login.png",
+     // show the image /images/logo_small.png in the Elastic skin
+     "elastic:*[small]" => "/images/logo_small.png",
+     // show the image /images/larry.png in the Larry skin
+     "larry:*" => "/images/larry.png",
+     // show the image /images/logo_login.png on the login template in all skins
+     "login" => "/images/logo_login.png",
+     // show the image /images/logo_print.png for all print type logos in all skins
+     "[print]" => "/images/logo_print.png",
+   ];
+*/
+$config['skin_logo'] = null;
+
+// Automatically register user in Roundcube database on successful (IMAP) logon.
+// Set to false if only registered users should be allowed to the webmail.
+// Note: If disabled you have to create records in Roundcube users table by yourself.
+// Note: Roundcube does not manage/create users on a mail server.
+$config['auto_create_user'] = true;
+
+// Enables possibility to log in using email address from user identities
+$config['user_aliases'] = false;
+
+// use this folder to store log files
+// must be writeable for the user who runs PHP process (Apache user if mod_php is being used)
+// This is used by the 'file' log driver.
+$config['log_dir'] = '/var/log/roundcubemail/';
+
+// Location of temporary saved files such as attachments and cache files
+// must be writeable for the user who runs PHP process (Apache user if mod_php is being used)
+$config['temp_dir'] = '/tmp/';
+
+// expire files in temp_dir after 48 hours
+// possible units: s, m, h, d, w
+$config['temp_dir_ttl'] = '48h';
+
+// Enforce connections over https
+// With this option enabled, all non-secure connections will be redirected.
+// It can be also a port number, hostname or hostname:port if they are
+// different than default HTTP_HOST:443
+$config['force_https'] = false;
+
+// tell PHP that it should work as under secure connection
+// even if it doesn't recognize it as secure ($_SERVER['HTTPS'] is not set)
+// e.g. when you're running Roundcube behind a https proxy
+// this option is mutually exclusive to 'force_https' and only either one of them should be set to true.
+$config['use_https'] = false;
+
+// Allow browser-autocompletion on login form.
+// 0 - disabled, 1 - username and host only, 2 - username, host, password
+$config['login_autocomplete'] = 0;
+
+// Forces conversion of logins to lower case.
+// 0 - disabled, 1 - only domain part, 2 - domain and local part.
+// If users authentication is case-insensitive this must be enabled.
+// Note: After enabling it all user records need to be updated, e.g. with query:
+//       UPDATE users SET username = LOWER(username);
+$config['login_lc'] = 2;
+
+// Maximum length (in bytes) of logon username and password.
+$config['login_username_maxlen'] = 1024;
+$config['login_password_maxlen'] = 1024;
+
+// Logon username filter. Regular expression for use with preg_match().
+// Use special value 'email' if you accept only full email addresses as user logins.
+// Example: '/^[a-z0-9_@.-]+$/'
+$config['login_username_filter'] = null;
+
+// Brute-force attacks prevention.
+// The value specifies maximum number of failed logon attempts per minute.
+$config['login_rate_limit'] = 3;
+
+// Includes should be interpreted as PHP files
+$config['skin_include_php'] = false;
+
+// display product name and software version on login screen
+// 0 - hide product name and version number, 1 - show product name only, 2 - show product name and version number
+$config['display_product_info'] = 1;
+
+// Session lifetime in minutes
+$config['session_lifetime'] = 10;
+
+// Session domain: .example.org
+$config['session_domain'] = '';
+
+// Session name. Default: 'roundcube_sessid'
+$config['session_name'] = null;
+
+// Session authentication cookie name. Default: 'roundcube_sessauth'
+$config['session_auth_name'] = null;
+
+// Session path. Defaults to PHP session.cookie_path setting.
+$config['session_path'] = null;
+
+// Session samesite. Defaults to PHP session.cookie_samesite setting.
+// Requires PHP >= 7.3.0, see https://wiki.php.net/rfc/same-site-cookie for more info
+// Possible values: null (default), 'Lax', or 'Strict'
+$config['session_samesite'] = null;
+
+// Backend to use for session storage. Can either be 'db' (default), 'redis', 'memcache', or 'php'
+//
+// If set to 'memcache' or 'memcached', a list of servers need to be specified in 'memcache_hosts'
+// Make sure the Memcache extension (https://pecl.php.net/package/memcache) version >= 2.0.0
+// or the Memcached extension (https://pecl.php.net/package/memcached) version >= 2.0.0 is installed.
+//
+// If set to 'redis', a server needs to be specified in 'redis_hosts'
+// Make sure the Redis extension (https://pecl.php.net/package/redis) version >= 2.0.0 is installed.
+//
+// Setting this value to 'php' will use the default session save handler configured in PHP
+$config['session_storage'] = 'redis';
+
+// List of trusted proxies
+// X_FORWARDED_* and X_REAL_IP headers are only accepted from these IPs
+$config['proxy_whitelist'] = [];
+//>GNUNUX
+$config['proxy_whitelist'] = ['%%revprox_client_server_domainname'];
+//<GNUNUX
+
+// List of trusted host names
+// Attackers can modify Host header of the HTTP request causing $_SERVER['SERVER_NAME']
+// or $_SERVER['HTTP_HOST'] variables pointing to a different host, that could be used
+// to collect user names and passwords. Some server configurations prevent that, but not all.
+// An empty list accepts any host name. The list can contain host names
+// or PCRE patterns (without // delimiters, that will be added automatically).
+$config['trusted_host_patterns'] = [];
+
+// check client IP in session authorization
+$config['ip_check'] = false;
+
+// X-Frame-Options HTTP header value sent to prevent from Clickjacking.
+// Possible values: sameorigin|deny|allow-from <uri>.
+// Set to false in order to disable sending the header.
+$config['x_frame_options'] = 'sameorigin';
+
+// This key is used for encrypting purposes, like storing of imap password
+// in the session. For historical reasons it's called DES_key, but it's used
+// with any configured cipher_method (see below).
+// For the default cipher_method a required key length is 24 characters.
+$config['des_key'] = 'rcmail-!24ByteDESkey*Str';
+
+// Encryption algorithm. You can use any method supported by OpenSSL.
+// Default is set for backward compatibility to DES-EDE3-CBC,
+// but you can choose e.g. AES-256-CBC which we consider a better choice.
+$config['cipher_method'] = 'DES-EDE3-CBC';
+//>GNUNUX
+$config['des_key'] = '%%roundcube_des_key';
+$config['cipher_method'] = 'AES-256-CBC';
+//<GNUNUX
+
+// Automatically add this domain to user names for login
+// Only for IMAP servers that require full e-mail addresses for login
+// Specify an array with 'host' => 'domain' values to support multiple hosts
+// Supported replacement variables:
+// %h - user's IMAP hostname
+// %n - hostname ($_SERVER['SERVER_NAME'])
+// %t - hostname without the first part
+// %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
+// %z - IMAP domain (IMAP hostname without the first part)
+// For example %n = mail.domain.tld, %t = domain.tld
+$config['username_domain'] = '';
+
+// Force domain configured in username_domain to be used for login.
+// Any domain in username will be replaced by username_domain.
+$config['username_domain_forced'] = false;
+
+// This domain will be used to form e-mail addresses of new users
+// Specify an array with 'host' => 'domain' values to support multiple hosts
+// Supported replacement variables:
+// %h - user's IMAP hostname
+// %n - http hostname ($_SERVER['SERVER_NAME'])
+// %d - domain (http hostname without the first part)
+// %z - IMAP domain (IMAP hostname without the first part)
+// For example %n = mail.domain.tld, %t = domain.tld
+$config['mail_domain'] = '';
+
+// Password character set, to change the password for user
+// authentication or for password change operations
+$config['password_charset'] = 'UTF-8';
+
+// How many seconds must pass between emails sent by a user
+$config['sendmail_delay'] = 0;
+
+// Message size limit. Note that SMTP server(s) may use a different value.
+// This limit is verified when user attaches files to a composed message.
+// Size in bytes (possible unit suffix: K, M, G)
+$config['max_message_size'] = '100M';
+
+// Maximum number of recipients per message (including To, Cc, Bcc).
+// Default: 0 (no limit)
+$config['max_recipients'] = 0;
+
+// Maximum number of recipients per message excluding Bcc header.
+// This is a soft limit, which means we only display a warning to the user.
+// Default: 5
+$config['max_disclosed_recipients'] = 5;
+
+// Maximum allowed number of members of an address group. Default: 0 (no limit)
+// If 'max_recipients' is set this value should be less or equal
+$config['max_group_members'] = 0;
+
+// Name your service. This is displayed on the login screen and in the window title
+$config['product_name'] = 'Roundcube Webmail';
+
+// Add this user-agent to message headers when sending. Default: not set.
+$config['useragent'] = null;
+
+// try to load host-specific configuration
+// see https://github.com/roundcube/roundcubemail/wiki/Configuration:-Multi-Domain-Setup
+// for more details
+$config['include_host_config'] = false;
+
+// path to a text file which will be added to each sent message
+// paths are relative to the Roundcube root folder
+$config['generic_message_footer'] = '';
+
+// path to a text file which will be added to each sent HTML message
+// paths are relative to the Roundcube root folder
+$config['generic_message_footer_html'] = '';
+
+// add a received header to outgoing mails containing the creators IP and hostname
+$config['http_received_header'] = false;
+
+// Whether or not to encrypt the IP address and the host name
+// these could, in some circles, be considered as sensitive information;
+// however, for the administrator, these could be invaluable help
+// when tracking down issues.
+$config['http_received_header_encrypt'] = false;
+
+// number of chars allowed for line when wrapping text.
+// text wrapping is done when composing/sending messages
+$config['line_length'] = 72;
+
+// send plaintext messages as format=flowed
+$config['send_format_flowed'] = true;
+
+// According to RFC2298, return receipt envelope sender address must be empty.
+// If this option is true, Roundcube will use user's identity as envelope sender for MDN responses.
+$config['mdn_use_from'] = false;
+
+// Set identities access level:
+// 0 - many identities with possibility to edit all params
+// 1 - many identities with possibility to edit all params but not email address
+// 2 - one identity with possibility to edit all params
+// 3 - one identity with possibility to edit all params but not email address
+// 4 - one identity with possibility to edit only signature
+$config['identities_level'] = 0;
+
+// Maximum size of uploaded image in kilobytes
+// Images (in html signatures) are stored in database as data URIs
+$config['identity_image_size'] = 64;
+
+// Mimetypes supported by the browser.
+// Attachments of these types will open in a preview window.
+// Either a comma-separated list or an array. Default list includes:
+//     text/plain,text/html,
+//     image/jpeg,image/gif,image/png,image/bmp,image/tiff,image/webp,
+//     application/x-javascript,application/pdf,application/x-shockwave-flash
+$config['client_mimetypes'] = null;
+
+// Path to a local mime magic database file for PHPs finfo extension.
+// Set to null if the default path should be used.
+$config['mime_magic'] = null;
+
+// Absolute path to a local mime.types mapping table file.
+// This is used to derive mime-types from the filename extension or vice versa.
+// Such a file is usually part of the apache webserver. If you don't find a file named mime.types on your system,
+// download it from http://svn.apache.org/repos/asf/httpd/httpd/trunk/docs/conf/mime.types
+$config['mime_types'] = '/etc/mime.types';
+
+// path to imagemagick identify binary (if not set we'll use Imagick or GD extensions)
+$config['im_identify_path'] = null;
+
+// path to imagemagick convert binary (if not set we'll use Imagick or GD extensions)
+$config['im_convert_path'] = null;
+
+// Size of thumbnails from image attachments displayed below the message content.
+// Note: whether images are displayed at all depends on the 'inline_images' option.
+// Set to 0 to display images in full size.
+$config['image_thumbnail_size'] = 240;
+
+// maximum size of uploaded contact photos in pixel
+$config['contact_photo_size'] = 160;
+
+// Enable DNS checking for e-mail address validation
+$config['email_dns_check'] = false;
+
+// Disables saving sent messages in Sent folder (like gmail) (Default: false)
+// Note: useful when SMTP server stores sent mail in user mailbox
+$config['no_save_sent_messages'] = false;
+
+// Improve system security by using special URL with security token.
+// This can be set to a number defining token length. Default: 16.
+// Warning: This requires http server configuration. Sample:
+//    RewriteRule ^/roundcubemail/[a-zA-Z0-9]{16}/(.*) /roundcubemail/$1 [PT]
+//    Alias /roundcubemail /var/www/roundcubemail/
+// Note: Use assets_path to not prevent the browser from caching assets
+$config['use_secure_urls'] = false;
+
+// Allows to define separate server/path for image/js/css files
+// Warning: If the domain is different cross-domain access to some
+// resources need to be allowed
+// Sample:
+//    <FilesMatch ".(eot|ttf|woff)">
+//    Header set Access-Control-Allow-Origin "*"
+//    </FilesMatch>
+$config['assets_path'] = '';
+
+// While assets_path is for the browser, assets_dir informs
+// PHP code about the location of asset files in filesystem
+$config['assets_dir'] = '';
+
+// Options passed when creating Guzzle HTTP client, used to fetch remote content
+// For example:
+// [
+//   'timeout' => 10,
+//   'proxy' => 'tcp://localhost:8125',
+// ]
+$config['http_client'] = [];
+
+// List of supported subject prefixes for a message reply
+// This list is used to clean the subject when replying or sorting messages
+$config['subject_reply_prefixes'] = ['Re:'];
+
+// List of supported subject prefixes for a message forward
+// This list is used to clean the subject when forwarding or sorting messages
+$config['subject_forward_prefixes'] = ['Fwd:', 'Fw:'];
+
+// Prefix to use in subject when replying to a message
+$config['response_prefix'] = 'Re:';
+
+// Prefix to use in subject when forwarding a message
+$config['forward_prefix'] = 'Fwd:';
+
+// ----------------------------------
+// PLUGINS
+// ----------------------------------
+
+// List of active plugins (in plugins/ directory)
+$config['plugins'] = [];
+
+// ----------------------------------
+// USER INTERFACE
+// ----------------------------------
+
+// default messages sort column. Use empty value for default server's sorting,
+// or 'arrival', 'date', 'subject', 'from', 'to', 'fromto', 'size', 'cc'
+$config['message_sort_col'] = '';
+
+// default messages sort order
+$config['message_sort_order'] = 'DESC';
+
+// These cols are shown in the message list. Available cols are:
+// subject, from, to, fromto, cc, replyto, date, size, status, flag, attachment, priority
+$config['list_cols'] = ['subject', 'status', 'fromto', 'date', 'size', 'flag', 'attachment'];
+
+// the default locale setting (leave empty for auto-detection)
+// RFC1766 formatted language name like en_US, de_DE, de_CH, fr_FR, pt_BR
+$config['language'] = null;
+
+// use this format for date display (date or strftime format)
+$config['date_format'] = 'Y-m-d';
+
+// give this choice of date formats to the user to select from
+// Note: do not use ambiguous formats like m/d/Y
+$config['date_formats'] = ['Y-m-d', 'Y/m/d', 'Y.m.d', 'd-m-Y', 'd/m/Y', 'd.m.Y', 'j.n.Y'];
+
+// use this format for time display (date or strftime format)
+$config['time_format'] = 'H:i';
+
+// give this choice of time formats to the user to select from
+$config['time_formats'] = ['G:i', 'H:i', 'g:i a', 'h:i A'];
+
+// use this format for short date display (derived from date_format and time_format)
+$config['date_short'] = 'D H:i';
+
+// use this format for detailed date/time formatting (derived from date_format and time_format)
+$config['date_long'] = 'Y-m-d H:i';
+
+// store draft message is this mailbox
+// leave blank if draft messages should not be stored
+// NOTE: Use folder names with namespace prefix (INBOX. on Courier-IMAP)
+$config['drafts_mbox'] = 'Drafts';
+
+// store spam messages in this mailbox
+// NOTE: Use folder names with namespace prefix (INBOX. on Courier-IMAP)
+$config['junk_mbox'] = 'Junk';
+
+// store sent message is this mailbox
+// leave blank if sent messages should not be stored
+// NOTE: Use folder names with namespace prefix (INBOX. on Courier-IMAP)
+$config['sent_mbox'] = 'Sent';
+
+// move messages to this folder when deleting them
+// leave blank if they should be deleted directly
+// NOTE: Use folder names with namespace prefix (INBOX. on Courier-IMAP)
+$config['trash_mbox'] = 'Trash';
+
+//>GNUNUX
+$config['language'] = 'fr_FR';
+$config['date_format'] = 'd-m-Y';
+$config['date_long'] = 'H:i d-m-Y';
+$config['drafts_mbox'] = 'Brouillons';
+$config['sent_mbox'] = 'Envoyes';
+$config['trash_mbox'] = 'Poubelle';
+//<GNUNUX
+
+// automatically create the above listed default folders on user login
+$config['create_default_folders'] = false;
+
+// protect the default folders from renames, deletes, and subscription changes
+$config['protect_default_folders'] = true;
+
+// Disable localization of the default folder names listed above
+$config['show_real_foldernames'] = false;
+
+// if in your system 0 quota means no limit set this option to true
+$config['quota_zero_as_unlimited'] = false;
+
+// Make use of the built-in spell checker.
+$config['enable_spellcheck'] = false;
+
+// Enables spellchecker exceptions dictionary.
+// Setting it to 'shared' will make the dictionary shared by all users.
+$config['spellcheck_dictionary'] = false;
+
+// Set the spell checking engine. Possible values:
+// - 'googie'  - the default (also used for connecting to Nox Spell Server, see 'spellcheck_uri' setting)
+// - 'pspell'  - requires the PHP Pspell module and aspell installed
+// - 'enchant' - requires the PHP Enchant module
+// - 'atd'     - install your own After the Deadline server or check with the people at http://www.afterthedeadline.com before using their API
+// Since Google shut down their public spell checking service, the default settings
+// connect to http://spell.roundcube.net which is a hosted service provided by Roundcube.
+// You can connect to any other googie-compliant service by setting 'spellcheck_uri' accordingly.
+$config['spellcheck_engine'] = 'googie';
+
+// For locally installed Nox Spell Server or After the Deadline services,
+// please specify the URI to call it.
+// Get Nox Spell Server from http://orangoo.com/labs/?page_id=72 or
+// the After the Deadline package from http://www.afterthedeadline.com.
+// Leave empty to use the public API of service.afterthedeadline.com
+$config['spellcheck_uri'] = '';
+
+// These languages can be selected for spell checking.
+// Configure as a PHP style hash array: ['en'=>'English', 'de'=>'Deutsch'];
+// Leave empty for default set of available language.
+$config['spellcheck_languages'] = null;
+
+// Makes that words with all letters capitalized will be ignored (e.g. GOOGLE)
+$config['spellcheck_ignore_caps'] = false;
+
+// Makes that words with numbers will be ignored (e.g. g00gle)
+$config['spellcheck_ignore_nums'] = false;
+
+// Makes that words with symbols will be ignored (e.g. g@@gle)
+$config['spellcheck_ignore_syms'] = false;
+
+// Number of lines at the end of a message considered to contain the signature.
+// Increase this value if signatures are not properly detected and colored
+$config['sig_max_lines'] = 15;
+
+// don't let users set pagesize to more than this value if set
+$config['max_pagesize'] = 200;
+
+// Minimal value of user's 'refresh_interval' setting (in seconds)
+$config['min_refresh_interval'] = 60;
+
+// Specifies for how many seconds the Undo button will be available
+// after object delete action. Currently used with supporting address book sources.
+// Setting it to 0, disables the feature.
+$config['undo_timeout'] = 0;
+
+// A static list of canned responses which are immutable for the user
+$config['compose_responses_static'] = [
+//  ['name' => 'Canned Response 1', 'text' => 'Static Response One'],
+//  ['name' => 'Canned Response 2', 'text' => 'Static Response Two'],
+];
+
+// List of HKP key servers for PGP public key lookups in Enigma/Mailvelope
+// Note: Lookup is client-side, so the server must support Cross-Origin Resource Sharing
+$config['keyservers'] = ['keys.openpgp.org'];
+
+// Enables use of the Main Keyring in Mailvelope? If disabled, a per-site keyring
+// will be used. This is set to false for backwards compatibility.
+$config['mailvelope_main_keyring'] = false;
+
+// Mailvelope RSA bit size for newly generated keys, either 2048 or 4096.
+// It maybe desirable to use 2048 for sites with many mobile users.
+$config['mailvelope_keysize'] = 4096;
+
+// ----------------------------------
+// ADDRESSBOOK SETTINGS
+// ----------------------------------
+
+// This indicates which type of address book to use. Possible choices:
+// 'sql' - built-in sql addressbook enabled (default),
+// ''    - built-in sql addressbook disabled.
+//         Still LDAP or plugin-added addressbooks will be available.
+//         BC Note: The value can actually be anything except 'sql', it does not matter.
+$config['address_book_type'] = 'sql';
+
+// In order to enable public ldap search, configure an array like the Verisign
+// example further below. if you would like to test, simply uncomment the example.
+// Array key must contain only safe characters, ie. a-zA-Z0-9_
+$config['ldap_public'] = [];
+#>GNUNUX
+$config['ldap_public'] = array (
+  'Local' => array (
+    'name' => "Contacts",
+    'hosts' =>  array (
+      0 => 'ldaps://%%ldap_server_address',
+      ),
+    'port' => 636,
+    'use_tls' => false,
+    'bind_user' => '',
+    'bind_dn' => '%%ldapclient_remote_user',
+    'bind_pass' => '%%ldapclient_remote_user_password',
+    'auth_method'    => '',
+    'vlv' => false, //Samba do not support Virtual List View functions
+    'user_specific' => false,
+    'base_dn' => 'ou=users,%%ldap_base_dn',
+    'writable' => false,
+    'required_fields' =>  array (
+      0 => 'cn',
+      1 => 'sn',
+      2 => 'mail',
+      3 => 'uid',
+      ),
+    'groups' => array(
+      'base_dn'           => '',
+      'object_classes'    => ['top', 'groupOfNames'],                                                 
+    ),
+    'LDAP_rdn' => 'mail',
+    'ldap_version' => 3,
+    'search_fields' => array ('mail', 'cn', 'sn', 'givenName'),
+    'name_field' => 'cn',
+    'email_field' => 'mail',
+    'surname_field' => 'sn',
+    'firstname_field' => 'gn',
+    'sort' => 'cn',
+    'scope' => 'sub',
+    'filter' => '(mail=*)',
+    'fuzzy_search' => true,
+    'fieldmap' => array(
+      'name'         => 'cn',
+      'surname'      => 'sn',
+      'firstname'    => 'givenName',
+      'email'        => 'mail',
+      ),
+  ),
+);
+#<GNUNUX
+
+// If you are going to use LDAP for individual address books, you will need to
+// set 'user_specific' to true and use the variables to generate the appropriate DNs to access it.
+//
+// The recommended directory structure for LDAP is to store all the address book entries
+// under the users main entry, e.g.:
+//
+//  o=root
+//   ou=people
+//    uid=user@domain
+//  mail=contact@contactdomain
+//
+// So the base_dn would be uid=%fu,ou=people,o=root
+// The bind_dn would be the same as based_dn or some super user login.
+/*
+ * example config for Verisign directory
+ *
+$config['ldap_public']['Verisign'] = [
+  'name'          => 'Verisign.com',
+  // Replacement variables supported in host names:
+  // %h - user's IMAP hostname
+  // %n - hostname ($_SERVER['SERVER_NAME'])
+  // %t - hostname without the first part
+  // %d - domain (http hostname $_SERVER['HTTP_HOST'] without the first part)
+  // %z - IMAP domain (IMAP hostname without the first part)
+  // For example %n = mail.domain.tld, %t = domain.tld
+  // Note: Host can also be a full URI e.g. ldaps://hostname.local:636 (for SSL)
+  'hosts'         => array('directory.verisign.com'),
+  'port'          => 389,
+  'use_tls'       => false,
+  'ldap_version'  => 3,       // using LDAPv3
+  'network_timeout' => 10,    // The timeout (in seconds) for connect + bind attempts. This is only supported in PHP >= 5.3.0 with OpenLDAP 2.x
+  'user_specific' => false,   // If true the base_dn, bind_dn and bind_pass default to the user's IMAP login.
+  // When 'user_specific' is enabled following variables can be used in base_dn/bind_dn config:
+  // %fu - The full username provided, assumes the username is an email
+  //       address, uses the username_domain value if not an email address.
+  // %u  - The username prior to the '@'.
+  // %d  - The domain name after the '@'.
+  // %dc - The domain name hierarchal string e.g. "dc=test,dc=domain,dc=com"
+  // %dn - DN found by ldap search when search_filter/search_base_dn are used
+  'base_dn'       => '',
+  'bind_dn'       => '',
+  'bind_pass'     => '',
+  // It's possible to bind for an individual address book
+  // The login name is used to search for the DN to bind with
+  'search_base_dn' => '',
+  'search_filter'  => '',   // e.g. '(&(objectClass=posixAccount)(uid=%u))'
+  // DN and password to bind as before searching for bind DN, if anonymous search is not allowed
+  'search_bind_dn' => '',
+  'search_bind_pw' => '',
+  // Base DN and filter used for resolving the user's domain root DN which feeds the %dc variables
+  // Leave empty to skip this lookup and derive the root DN from the username domain
+  'domain_base_dn' => '',
+  'domain_filter'  => '',
+  // Optional map of replacement strings => attributes used when binding for an individual address book
+  'search_bind_attrib' => [],  // e.g. ['%udc' => 'ou']
+  // Default for %dn variable if search doesn't return DN value
+  'search_dn_default' => '',
+  // Optional authentication identifier to be used as SASL authorization proxy
+  // bind_dn need to be empty
+  'auth_cid'       => '',
+  // SASL authentication method (for proxy auth), e.g. DIGEST-MD5
+  'auth_method'    => '',
+  // Indicates if the addressbook shall be hidden from the list.
+  // With this option enabled you can still search/view contacts.
+  'hidden'        => false,
+  // Indicates if the addressbook shall not list contacts but only allows searching.
+  'searchonly'    => false,
+  // Indicates if we can write to the LDAP directory or not.
+  // If writable is true then these fields need to be populated:
+  // LDAP_Object_Classes, required_fields, LDAP_rdn
+  'writable'       => false,
+  // To create a new contact these are the object classes to specify
+  // (or any other classes you wish to use).
+  'LDAP_Object_Classes' => ['top', 'inetOrgPerson'],
+  // The RDN field that is used for new entries, this field needs
+  // to be one of the search_fields, the base of base_dn is appended
+  // to the RDN to insert into the LDAP directory.
+  'LDAP_rdn'       => 'cn',
+  // The required fields needed to build a new contact as required by
+  // the object classes (can include additional fields not required by the object classes).
+  'required_fields' => ['cn', 'sn', 'mail'],
+  'search_fields'   => ['mail', 'cn'],  // fields to search in
+  // mapping of contact fields to directory attributes
+  //   1. for every attribute one can specify the number of values (limit) allowed.
+  //      default is 1, a wildcard * means unlimited
+  //   2. another possible parameter is separator character for composite fields
+  //   3. it's possible to define field format for write operations, e.g. for date fields
+  //      example: 'birthday:date[YmdHis\\Z]'
+  'fieldmap' => [
+    // Roundcube  => LDAP:limit
+    'name'        => 'cn',
+    'surname'     => 'sn',
+    'firstname'   => 'givenName',
+    'jobtitle'    => 'title',
+    'email'       => 'mail:*',
+    'phone:home'  => 'homePhone',
+    'phone:work'  => 'telephoneNumber',
+    'phone:mobile' => 'mobile',
+    'phone:pager' => 'pager',
+    'phone:workfax' => 'facsimileTelephoneNumber',
+    'street'      => 'street',
+    'zipcode'     => 'postalCode',
+    'region'      => 'st',
+    'locality'    => 'l',
+    // if you country is a complex object, you need to configure 'sub_fields' below
+    'country'      => 'c',
+    'organization' => 'o',
+    'department'   => 'ou',
+    'jobtitle'     => 'title',
+    'notes'        => 'description',
+    'photo'        => 'jpegPhoto',
+    // these currently don't work:
+    // 'manager'       => 'manager',
+    // 'assistant'     => 'secretary',
+  ],
+  // Map of contact sub-objects (attribute name => objectClass(es)), e.g. 'c' => 'country'
+  'sub_fields' => [],
+  // Generate values for the following LDAP attributes automatically when creating a new record
+  'autovalues' => [
+    // 'uid'  => 'md5(microtime())',               // You may specify PHP code snippets which are then eval'ed
+    // 'mail' => '{givenname}.{sn}@mydomain.com',  // or composite strings with placeholders for existing attributes
+  ],
+  'sort'           => 'cn',         // The field to sort the listing by.
+  'scope'          => 'sub',        // search mode: sub|base|list
+  'filter'         => '(objectClass=inetOrgPerson)',      // used for basic listing (if not empty) and will be &'d with search queries. example: status=act
+  'fuzzy_search'   => true,         // server allows wildcard search
+  'vlv'            => false,        // Enable Virtual List View to more efficiently fetch paginated data (if server supports it)
+  'vlv_search'     => false,        // Use Virtual List View functions for autocompletion searches (if server supports it)
+  'numsub_filter'  => '(objectClass=organizationalUnit)',   // with VLV, we also use numSubOrdinates to query the total number of records. Set this filter to get all numSubOrdinates attributes for counting
+  'config_root_dn' => 'cn=config',  // Root DN to search config entries (e.g. vlv indexes)
+  'sizelimit'      => '0',          // Enables you to limit the count of entries fetched. Setting this to 0 means no limit.
+  'timelimit'      => '0',          // Sets the number of seconds how long is spend on the search. Setting this to 0 means no limit.
+  'referrals'      => false,        // Sets the LDAP_OPT_REFERRALS option. Mostly used in multi-domain Active Directory setups
+  'dereference'    => 0,            // Sets the LDAP_OPT_DEREF option. One of: LDAP_DEREF_NEVER, LDAP_DEREF_SEARCHING, LDAP_DEREF_FINDING, LDAP_DEREF_ALWAYS
+                                    // Used where addressbook contains aliases to objects elsewhere in the LDAP tree.
+
+  // definition for contact groups (uncomment if no groups are supported)
+  // for the groups base_dn, the user replacements %fu, %u, %d and %dc work as for base_dn (see above)
+  // if the groups base_dn is empty, the contact base_dn is used for the groups as well
+  // -> in this case, assure that groups and contacts are separated due to the concerning filters!
+  'groups'  => [
+    'base_dn'           => '',
+    'scope'             => 'sub',       // Search mode: sub|base|list
+    'filter'            => '(objectClass=groupOfNames)',
+    'object_classes'    => ['top', 'groupOfNames'],   // Object classes to be assigned to new groups
+    'member_attr'       => 'member',   // Name of the default member attribute, e.g. uniqueMember
+    'name_attr'         => 'cn',       // Attribute to be used as group name
+    'email_attr'        => 'mail',     // Group email address attribute (e.g. for mailing lists)
+    'member_filter'     => '(objectclass=*)',  // Optional filter to use when querying for group members
+    'vlv'               => false,      // Use VLV controls to list groups
+    'class_member_attr' => [      // Mapping of group object class to member attribute used in these objects
+      'groupofnames'       => 'member',
+      'groupofuniquenames' => 'uniquemember'
+    ],
+  ],
+  // this configuration replaces the regular groups listing in the directory tree with
+  // a hard-coded list of groups, each listing entries with the configured base DN and filter.
+  // if the 'groups' option from above is set, it'll be shown as the first entry with the name 'Groups'
+  'group_filters' => [
+    'departments' => [
+      'name'    => 'Company Departments',
+      'scope'   => 'list',
+      'base_dn' => 'ou=Groups,dc=mydomain,dc=com',
+      'filter'  => '(|(objectclass=groupofuniquenames)(objectclass=groupofurls))',
+      'name_attr' => 'cn',
+    ],
+    'customers' => [
+      'name'    => 'Customers',
+      'scope'   => 'sub',
+      'base_dn' => 'ou=Customers,dc=mydomain,dc=com',
+      'filter'  => '(objectClass=inetOrgPerson)',
+      'name_attr' => 'sn',
+    ],
+  ],
+];
+*/
+
+// An ordered array of the ids of the addressbooks that should be searched
+// when populating address autocomplete fields server-side. ex: ['sql','Verisign'];
+$config['autocomplete_addressbooks'] = ['sql'];
+
+// The minimum number of characters required to be typed in an autocomplete field
+// before address books will be searched. Most useful for LDAP directories that
+// may need to do lengthy results building given overly-broad searches
+$config['autocomplete_min_length'] = 1;
+
+// Number of parallel autocomplete requests.
+// If there's more than one address book, n parallel (async) requests will be created,
+// where each request will search in one address book. By default (0), all address
+// books are searched in one request.
+$config['autocomplete_threads'] = 0;
+
+// Max. number of entries in autocomplete popup. Default: 15.
+$config['autocomplete_max'] = 15;
+
+// show address fields in this order
+// available placeholders: {street}, {locality}, {zipcode}, {country}, {region}
+$config['address_template'] = '{street}<br/>{locality} {zipcode}<br/>{country} {region}';
+
+// Matching mode for addressbook search (including autocompletion)
+// 0 - partial (*abc*), default
+// 1 - strict (abc)
+// 2 - prefix (abc*)
+// Note: For LDAP sources fuzzy_search must be enabled to use 'partial' or 'prefix' mode
+$config['addressbook_search_mode'] = 0;
+
+// List of fields used on contacts list and for autocompletion searches
+// Warning: These are field names not LDAP attributes (see 'fieldmap' setting)!
+$config['contactlist_fields'] = ['name', 'firstname', 'surname', 'email'];
+
+// Template of contact entry on the autocompletion list.
+// You can use contact fields as: name, email, organization, department, etc.
+// See program/actions/contacts/index.php for a list
+$config['contact_search_name'] = '{name} <{email}>';
+
+// Contact mode. If your contacts are mostly business, switch it to 'business'.
+// This will prioritize form fields related to 'work' (instead of 'home').
+// Default: 'private'.
+$config['contact_form_mode'] = 'private';
+
+// The addressbook source to store automatically collected recipients in.
+// Default: true (the built-in "Collected recipients" addressbook, source id = '1')
+// Note: It can be set to any writeable addressbook, e.g. 'sql'
+$config['collected_recipients'] = true;
+
+// The addressbook source to store trusted senders in.
+// Default: true (the built-in "Trusted senders" addressbook, source id = '2')
+// Note: It can be set to any writeable addressbook, e.g. 'sql'
+$config['collected_senders'] = true;
+
+
+// ----------------------------------
+// USER PREFERENCES
+// ----------------------------------
+
+// Use this charset as fallback for message decoding
+$config['default_charset'] = 'ISO-8859-1';
+
+// Skin name: folder from skins/
+$config['skin'] = 'elastic';
+
+// Limit skins available for the user.
+// Note: When not empty, it should include the default skin set in 'skin' option.
+$config['skins_allowed'] = [];
+
+// Enables using standard browser windows (that can be handled as tabs)
+// instead of popup windows
+$config['standard_windows'] = false;
+
+// show up to X items in messages list view
+$config['mail_pagesize'] = 50;
+
+// show up to X items in contacts list view
+$config['addressbook_pagesize'] = 50;
+
+// sort contacts by this col (preferably either one of name, firstname, surname)
+$config['addressbook_sort_col'] = 'surname';
+
+// The way how contact names are displayed in the list.
+// 0: prefix firstname middlename surname suffix (only if display name is not set)
+// 1: firstname middlename surname
+// 2: surname firstname middlename
+// 3: surname, firstname middlename
+$config['addressbook_name_listing'] = 0;
+
+// use this timezone to display date/time
+// valid timezone identifiers are listed here: php.net/manual/en/timezones.php
+// 'auto' will use the browser's timezone settings
+$config['timezone'] = 'auto';
+
+// prefer displaying HTML messages
+$config['prefer_html'] = true;
+
+// Display remote resources (inline images, styles) in HTML messages. Default: 0.
+// 0 - Never, always ask
+// 1 - Allow from my contacts (all writeable addressbooks + collected senders and recipients)
+// 2 - Always allow
+// 3 - Allow from trusted senders only
+$config['show_images'] = 0;
+
+// open messages in new window
+$config['message_extwin'] = false;
+
+// open message compose form in new window
+$config['compose_extwin'] = false;
+
+// compose html formatted messages by default
+//  0 - never,
+//  1 - always,
+//  2 - on reply to HTML message,
+//  3 - on forward or reply to HTML message
+//  4 - always, except when replying to plain text message
+$config['htmleditor'] = 0;
+
+// save copies of compose messages in the browser's local storage
+// for recovery in case of browser crashes and session timeout.
+$config['compose_save_localstorage'] = true;
+
+// show pretty dates as standard
+$config['prettydate'] = true;
+
+// save compose message every 300 seconds (5min)
+$config['draft_autosave'] = 300;
+
+// Interface layout. Default: 'widescreen'.
+//  'widescreen' - three columns
+//  'desktop'    - two columns, preview on bottom
+//  'list'       - two columns, no preview
+$config['layout'] = 'widescreen';
+
+// Mark as read when viewing a message (delay in seconds)
+// Set to -1 if messages should not be marked as read
+$config['mail_read_time'] = 0;
+
+// Clear Trash on logout
+$config['logout_purge'] = false;
+
+// Compact INBOX on logout
+$config['logout_expunge'] = false;
+
+// Display attached images below the message body
+$config['inline_images'] = true;
+
+// Encoding of long/non-ascii attachment names:
+// 0 - Full RFC 2231 compatible
+// 1 - RFC 2047 for 'name' and RFC 2231 for 'filename' parameter (Thunderbird's default)
+// 2 - Full 2047 compatible
+$config['mime_param_folding'] = 1;
+
+// Set true if deleted messages should not be displayed
+// This will make the application run slower
+$config['skip_deleted'] = false;
+
+// Set true to Mark deleted messages as read as well as deleted
+// False means that a message's read status is not affected by marking it as deleted
+$config['read_when_deleted'] = true;
+
+// Set to true to never delete messages immediately
+// Use 'Purge' to remove messages marked as deleted
+$config['flag_for_deletion'] = false;
+
+// Default interval for auto-refresh requests (in seconds)
+// These are requests for system state updates e.g. checking for new messages, etc.
+// Setting it to 0 disables the feature.
+$config['refresh_interval'] = 60;
+
+// If true all folders will be checked for recent messages
+$config['check_all_folders'] = false;
+
+// If true, after message/contact delete/move, the next message/contact will be displayed
+$config['display_next'] = true;
+
+// Default messages listing mode. One of 'threads' or 'list'.
+$config['default_list_mode'] = 'list';
+
+// 0 - Do not expand threads
+// 1 - Expand all threads automatically
+// 2 - Expand only threads with unread messages
+$config['autoexpand_threads'] = 0;
+
+// When replying:
+// -1 - don't cite the original message
+// 0  - place cursor below the original message
+// 1  - place cursor above original message (top posting)
+// 2  - place cursor above original message (top posting), but do not indent the quote
+$config['reply_mode'] = 0;
+
+// When replying strip original signature from message
+$config['strip_existing_sig'] = true;
+
+// Show signature:
+// 0 - Never
+// 1 - Always
+// 2 - New messages only
+// 3 - Forwards and Replies only
+$config['show_sig'] = 1;
+
+// By default the signature is placed depending on cursor position (reply_mode).
+// Sometimes it might be convenient to start the reply on top but keep
+// the signature below the quoted text (sig_below = true).
+$config['sig_below'] = false;
+
+// Enables adding of standard separator to the signature
+$config['sig_separator'] = true;
+
+// Use MIME encoding (quoted-printable) for 8bit characters in message body
+$config['force_7bit'] = false;
+
+// Default fields configuration for mail search.
+// The array can contain a per-folder list of header fields which should be considered when searching
+// The entry with key '*' stands for all folders which do not have a specific list set.
+// Supported fields: subject, from, to, cc, bcc, body, text.
+// Please note that folder names should to be in sync with $config['*_mbox'] options
+$config['search_mods'] = null;  // Example: ['*' => ['subject'=>1, 'from'=>1], 'Sent' => ['subject'=>1, 'to'=>1]];
+
+// Defaults of the addressbook search field configuration.
+$config['addressbook_search_mods'] = null;  // Example: ['name'=>1, 'firstname'=>1, 'surname'=>1, 'email'=>1, '*'=>1];
+
+// Directly delete messages in Junk instead of moving to Trash
+$config['delete_junk'] = false;
+
+// Behavior if a received message requests a message delivery notification (read receipt)
+// 0 = ask the user,
+// 1 = send automatically,
+// 2 = ignore (never send or ask)
+// 3 = send automatically if sender is in my contacts, otherwise ask the user
+// 4 = send automatically if sender is in my contacts, otherwise ignore
+// 5 = send automatically if sender is a trusted sender, otherwise ask the user
+// 6 = send automatically if sender is a trusted sender, otherwise ignore
+$config['mdn_requests'] = 0;
+
+// Return receipt checkbox default state
+$config['mdn_default'] = 0;
+
+// Delivery Status Notification checkbox default state
+// Note: This can be used only if smtp_server is non-empty
+$config['dsn_default'] = 0;
+
+// Place replies in the folder of the message being replied to
+$config['reply_same_folder'] = false;
+
+// Sets default mode of Forward feature to "forward as attachment"
+$config['forward_attachment'] = false;
+
+// Defines address book (internal index) to which new contacts will be added
+// By default it is the first writeable addressbook.
+// Note: Use '0' for built-in address book.
+$config['default_addressbook'] = null;
+
+// Enables spell checking before sending a message.
+$config['spellcheck_before_send'] = false;
+
+// Skip alternative email addresses in autocompletion (show one address per contact)
+$config['autocomplete_single'] = false;
+
+// Default font for composed HTML message.
+// Supported values: Andale Mono, Arial, Arial Black, Book Antiqua, Courier New,
+// Georgia, Helvetica, Impact, Tahoma, Terminal, Times New Roman, Trebuchet MS, Verdana
+$config['default_font'] = 'Verdana';
+
+// Default font size for composed HTML message.
+// Supported sizes: 8pt, 10pt, 12pt, 14pt, 18pt, 24pt, 36pt
+$config['default_font_size'] = '10pt';
+
+// Enables display of email address with name instead of a name (and address in title)
+$config['message_show_email'] = false;
+
+// Default behavior of Reply-All button:
+// 0 - Reply-All always
+// 1 - Reply-List if mailing list is detected
+$config['reply_all_mode'] = 0;
+
+// Keys directory for all users.
+// Must be writeable by PHP process, and not in the web server document root
+$config['enigma_pgp_homedir'] = '/var/lib/roundcubemail/enigma';
diff --git a/seed/applicationservice/2022.03.08/roundcube/templates/roundcube-init.php b/seed/applicationservice/2022.03.08/roundcube/templates/roundcube-init.php
new file mode 100644
index 0000000..73f6d0f
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/roundcube/templates/roundcube-init.php
@@ -0,0 +1,13 @@
+<?php
+//$sql = file_get_contents('/usr/share/roundcubemail/SQL/mysql.initial.sql');
+//$mysqli = mysqli_init();
+//$mysqli->options(MYSQLI_OPT_SSL_VERIFY_SERVER_CERT, true);
+//$mysqli->ssl_set(NULL, NULL, "/etc/ssl/certs/ca-bundle.crt", NULL, NULL);
+//$mysqli->real_connect('mariadb_client_server_domainname', 'mariadb_client_username', 'mariadb_client_password', 'mariadb_client_database');
+//$mysqli->multi_query($sql);
+//$mysqli->close();
+$sql = file_get_contents('/usr/share/roundcubemail/SQL/postgres.initial.sql');
+$db = pg_connect("host=%%pg_client_server_domainname port=5432 dbname=%%pg_client_database user=%%pg_client_username password=%%pg_client_password");
+pg_query($db, $sql);
+pg_close($db);
+?>
diff --git a/seed/applicationservice/2022.03.08/roundcube/templates/roundcube.service b/seed/applicationservice/2022.03.08/roundcube/templates/roundcube.service
new file mode 100644
index 0000000..8b6acd7
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/roundcube/templates/roundcube.service
@@ -0,0 +1,13 @@
+[Unit]
+Description=Roundcube database init
+After=postgresqlclient.service
+Before=apache.service php-fpm.service
+
+[Service]
+Type=oneshot
+ExecStart=-/usr/bin/php /usr/local/lib/secrets/roundcube-init.php
+
+[Install]
+WantedBy=multi-user.target
+
+
diff --git a/seed/applicationservice/2022.03.08/roundcube/templates/roundcubemail.conf b/seed/applicationservice/2022.03.08/roundcube/templates/roundcubemail.conf
new file mode 100644
index 0000000..5cc2fce
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/roundcube/templates/roundcubemail.conf
@@ -0,0 +1,53 @@
+#
+# Round Cube Webmail is a browser-based multilingual IMAP client
+#
+
+# GNUNUX Alias /roundcubemail /usr/share/roundcubemail
+Alias /roundcube /usr/share/roundcubemail
+
+# Define who can access the Webmail
+# You can enlarge permissions once configured
+
+<Directory /usr/share/roundcubemail/>
+    Require all granted
+# GNUNUX    <IfModule mod_authz_core.c>
+# GNUNUX        # Apache 2.4
+# GNUNUX        Require local
+# GNUNUX    </IfModule>
+# GNUNUX    <IfModule !mod_authz_core.c>
+# GNUNUX        # Apache 2.2
+# GNUNUX        Order Deny,Allow
+# GNUNUX        Deny from all
+# GNUNUX        Allow from 127.0.0.1
+# GNUNUX        Allow from ::1
+# GNUNUX    </IfModule>
+</Directory>
+
+# Define who can access the installer
+# keep this secured once configured
+
+<Directory /usr/share/roundcubemail/installer/>
+    Order Allow,Deny
+    Deny from all
+# GNUNUX    <IfModule mod_authz_core.c>
+# GNUNUX        # Apache 2.4
+# GNUNUX        Require local
+# GNUNUX    </IfModule>
+# GNUNUX    <IfModule !mod_authz_core.c>
+# GNUNUX        # Apache 2.2
+# GNUNUX        Order Deny,Allow
+# GNUNUX        Deny from all
+# GNUNUX        Allow from 127.0.0.1
+# GNUNUX        Allow from ::1
+# GNUNUX    </IfModule>
+</Directory>
+
+# Those directories should not be viewed by Web clients.
+<Directory /usr/share/roundcubemail/bin/>
+    Order Allow,Deny
+    Deny from all
+</Directory>
+<Directory /usr/share/roundcubemail/plugins/enigma/home/>
+    Order Allow,Deny
+    Deny from all
+</Directory>
diff --git a/seed/applicationservice/2022.03.08/server/applicationservice.yml b/seed/applicationservice/2022.03.08/server/applicationservice.yml
new file mode 100644
index 0000000..70c7367
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/server/applicationservice.yml
@@ -0,0 +1,2 @@
+format: '0.1'
+description: Extra files to allowed easily Server-Client configuration
diff --git a/seed/applicationservice/2022.03.08/server/extras/accounts/00_accounts.xml b/seed/applicationservice/2022.03.08/server/extras/accounts/00_accounts.xml
new file mode 100644
index 0000000..9b7670b
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/server/extras/accounts/00_accounts.xml
@@ -0,0 +1,20 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <variables>
+    <variable name="remotes" description="Remote clients needing an account" type="domainname" multi="True" provider="clients"/>
+    <family name="remote_" description="Account for " dynamic="accounts.remotes">
+      <variable name="password_" description="Remote password" auto_save="True" hidden="True" type="password" mandatory="True" provider="client_password"/>
+      <variable name="remote_ip_" description="Remote IP" type="ip" hidden="True" provider="client_ip"/>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="get_password">
+      <param name="server_name" type="variable">domain_name_eth0</param>
+      <param name="username" type="suffix"/>
+      <param name="description">remote</param>
+      <param name="type">cleartext</param>
+      <target>accounts.remote_.password_</target>
+    </fill>
+  </constraints>
+</rougail>
+
diff --git a/seed/applicationservice/2022.03.08/systemd/applicationservice.yml b/seed/applicationservice/2022.03.08/systemd/applicationservice.yml
new file mode 100644
index 0000000..0805bb8
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/systemd/applicationservice.yml
@@ -0,0 +1,4 @@
+format: '0.1'
+description: Configuration de systemd
+depends:
+  - base
diff --git a/seed/applicationservice/2022.03.08/systemd/dictionaries/00-systemd.xml b/seed/applicationservice/2022.03.08/systemd/dictionaries/00-systemd.xml
new file mode 100644
index 0000000..1971317
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/systemd/dictionaries/00-systemd.xml
@@ -0,0 +1,77 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rougail version="0.10">
+  <services>
+    <service name="systemd-networkd">
+      <file file_type="variable" source="network" variable="zones_list">netwokd_configurations</file>
+      <file file_type="variable" source="link" variable="zones_list">link_configurations</file>
+    </service>
+    <service name="systemd-repart" servicelist='systemd_repart' undisable="True">
+      <override/>
+    </service>
+    <service name="systemd-makefs@dev-disk-by\x2dpartlabel-var" engine="creole" target="multi-user" servicelist='systemd_repart' undisable='True'>
+      <file>/repart.d/50-var.conf</file>
+    </service>
+    <service name="systemd-makefs@dev-disk-by\x2dpartlabel-var-tmp" engine="creole" target="multi-user" servicelist="add_tmp" undisable='True'>
+      <file>/repart.d/40-tmp.conf</file>
+    </service>
+    <service name="systemd-makefs@dev-disk-by\x2dpartlabel-srv" engine="creole" target="multi-user" servicelist="add_srv" undisable='True'>
+      <file>/repart.d/60-srv.conf</file>
+    </service>
+    <service name="systemd-makefs@dev-disk-by\x2dpartlabel-swap" engine="creole" target="multi-user" servicelist="add_swap" undisable='True'>
+      <file>/repart.d/30-swap.conf</file>
+    </service>
+    <service name="var" engine="creole" target="multi-user" type="mount" servicelist='systemd_repart' undisable='True'/>
+    <service name="var-tmp" engine="creole" target="multi-user" type="mount" servicelist="add_tmp" undisable='True'/>
+    <service name="srv" engine="creole" target="multi-user" type="mount" servicelist="add_srv" undisable='True'/>
+    <service name="dev-disk-by\x2dpartlabel-swap" engine="none" target="multi-user" type="swap" servicelist="add_swap" undisable='True'/>
+    <service name="systemd-firstboot">
+      <override/>
+      <file>/secrets/root.pwd</file>
+      <file engine="none">/tmpfiles.d/risotto-volatile.conf</file>
+    </service>
+  </services>
+  <variables>
+    <variable name="netwokd_configurations" type="filename" multi="True" hidden="True"/>
+    <variable name="netwokd_interface_name_type" type="string" hidden="True">
+      <value>zone_name</value>
+    </variable>
+    <variable name="link_configurations" type="filename" multi="True" hidden="True"/>
+    <variable name="use_systemd_repart" type="boolean" hidden="True"/>
+    <family name="general">
+      <variable name='root_password' type="password" description="Mot de passe de l'administrateur système root" auto_save='True' mandatory="True"/>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="get_password">
+      <param name="server_name" type="variable">domain_name_eth0</param>
+      <param name="username">root</param>
+      <param name="description">local connection</param>
+      <param name="type">cleartext</param>
+      <param name="temporary" type="boolean">True</param>
+      <target>root_password</target>
+    </fill>
+    <fill name="calc_value">
+      <param>/etc/systemd/network/10</param>
+      <param type="variable">zones_list</param>
+      <param>risotto.network</param>
+      <param name="join">-</param>
+      <param name="multi" type="boolean">True</param>
+      <target>netwokd_configurations</target>
+    </fill>
+    <fill name="calc_value">
+      <param>/systemd/network/10</param>
+      <param type="variable">zones_list</param>
+      <param>risotto.link</param>
+      <param name="join">-</param>
+      <param name="multi" type="boolean">True</param>
+      <target>link_configurations</target>
+    </fill>
+    <condition name="disabled_if_in" source="use_systemd_repart">
+      <param>False</param>
+      <target type="servicelist">systemd_repart</target>
+      <target type="servicelist">add_tmp</target>
+      <target type="servicelist">add_srv</target>
+      <target type="servicelist">add_swap</target>
+    </condition>
+  </constraints>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/systemd/extras/machine/10_systemd.xml b/seed/applicationservice/2022.03.08/systemd/extras/machine/10_systemd.xml
new file mode 100644
index 0000000..8e3ef89
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/systemd/extras/machine/10_systemd.xml
@@ -0,0 +1,47 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rougail version="0.10">
+  <variables>
+    <variable name="var_size" type="number" description="Variable directory size">
+      <value>1024</value>
+    </variable>
+    <variable name="add_tmp" type="boolean" description="Add a temporary directory"/>
+    <variable name="var_tmp_size" type="number" description="Temporary directory size">
+      <value>1024</value>
+    </variable>
+    <variable name="add_srv" type="boolean" description="Add a persistent directory"/>
+    <variable name="srv_size" type="number" description="Persistent directory size">
+      <value>1024</value>
+    </variable>
+    <variable name="add_swap" type="boolean" description="Add a SWAP partition"/>
+    <variable name="swap_size" type="number" description="SWAP size">
+      <value>512</value>
+    </variable>
+  </variables>
+  <constraints>
+    <condition name='disabled_if_in' source='machine.add_tmp'>
+        <param>False</param>
+        <target>machine.var_tmp_size</target>
+        <target type="servicelist">add_tmp</target>
+    </condition>
+    <condition name='disabled_if_in' source='machine.add_srv'>
+        <param>False</param>
+        <target>machine.srv_size</target>
+        <target type="servicelist">add_srv</target>
+    </condition>
+    <condition name='disabled_if_in' source='machine.add_swap'>
+        <param>False</param>
+        <target>machine.swap_size</target>
+        <target type="servicelist">add_swap</target>
+    </condition>
+    <fill name="calc_value">
+      <param type="variable">machine.var_size</param>
+      <param type="variable" propertyerror="False">machine.var_tmp_size</param>
+      <param type="variable" propertyerror="False">machine.srv_size</param>
+      <param type="variable" propertyerror="False">machine.swap_size</param>
+      <param type="number">16</param>
+      <param name="operator">add</param>
+      <target>machine.data_disk_size</target>
+    </fill>
+  </constraints>
+</rougail>
+
diff --git a/seed/applicationservice/2022.03.08/systemd/manual/image/postinstall/systemd.sh b/seed/applicationservice/2022.03.08/systemd/manual/image/postinstall/systemd.sh
new file mode 100644
index 0000000..685e925
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/systemd/manual/image/postinstall/systemd.sh
@@ -0,0 +1 @@
+rm -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/network/80-container-host0.network"
diff --git a/seed/applicationservice/2022.03.08/systemd/templates/30-swap.conf b/seed/applicationservice/2022.03.08/systemd/templates/30-swap.conf
new file mode 100644
index 0000000..fb6fb3f
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/systemd/templates/30-swap.conf
@@ -0,0 +1,5 @@
+[Partition]
+Type=swap
+SizeMinBytes=%%{machine.swap_size}M
+SizeMaxBytes=%%{machine.swap_size}M
+FactoryReset=yes
diff --git a/seed/applicationservice/2022.03.08/systemd/templates/40-tmp.conf b/seed/applicationservice/2022.03.08/systemd/templates/40-tmp.conf
new file mode 100644
index 0000000..156d8b0
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/systemd/templates/40-tmp.conf
@@ -0,0 +1,5 @@
+[Partition]
+Type=tmp
+SizeMinBytes=%%{machine.var_tmp_size}M
+SizeMaxBytes=%%{machine.var_tmp_size}M
+FactoryReset=yes
diff --git a/seed/applicationservice/2022.03.08/systemd/templates/50-var.conf b/seed/applicationservice/2022.03.08/systemd/templates/50-var.conf
new file mode 100644
index 0000000..ce9933e
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/systemd/templates/50-var.conf
@@ -0,0 +1,5 @@
+[Partition]
+Type=var
+SizeMinBytes=%%{machine.var_size}M
+SizeMaxBytes=%%{machine.var_size}M
+FactoryReset=yes
diff --git a/seed/applicationservice/2022.03.08/systemd/templates/60-srv.conf b/seed/applicationservice/2022.03.08/systemd/templates/60-srv.conf
new file mode 100644
index 0000000..d3475f2
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/systemd/templates/60-srv.conf
@@ -0,0 +1,4 @@
+[Partition]
+Type=srv
+SizeMinBytes=%%{machine.srv_size}M
+SizeMaxBytes=%%{machine.srv_size}M
diff --git "a/seed/applicationservice/2022.03.08/systemd/templates/dev-disk-by\\x2dpartlabel-swap.swap" "b/seed/applicationservice/2022.03.08/systemd/templates/dev-disk-by\\x2dpartlabel-swap.swap"
new file mode 100644
index 0000000..b4409c5
--- /dev/null
+++ "b/seed/applicationservice/2022.03.08/systemd/templates/dev-disk-by\\x2dpartlabel-swap.swap"
@@ -0,0 +1,12 @@
+[Unit]
+DefaultDependencies=no
+After=blockdev@dev-disk-by\x2dpartlabel-swap.target
+Before=swap.target
+
+[Swap]
+What=/dev/disk/by-partlabel/swap
+Options=defaults,x-systemd.device-timeout=0
+Priority=11
+
+[Install]
+WantedBy=multi-user.target
diff --git a/seed/applicationservice/2022.03.08/systemd/templates/include.mount b/seed/applicationservice/2022.03.08/systemd/templates/include.mount
new file mode 100644
index 0000000..346b1d5
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/systemd/templates/include.mount
@@ -0,0 +1,13 @@
+[Unit]
+DefaultDependencies=no
+After=blockdev@dev-disk-by\x2dpartlabel-%%{part}.target
+Before=local-fs.target
+
+[Mount]
+Where=%%dir
+What=/dev/disk/by-partlabel/%%part
+Type=ext4
+Options=defaults
+
+[Install]
+WantedBy=multi-user.target
diff --git a/seed/applicationservice/2022.03.08/systemd/templates/link b/seed/applicationservice/2022.03.08/systemd/templates/link
new file mode 100644
index 0000000..1f795cc
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/systemd/templates/link
@@ -0,0 +1,6 @@
+%set %%intnb = %%zones_list.index(%%rougail_variable)
+[Match]
+OriginalName=eth%%intnb
+
+[Link]
+Name=%%rougail_variable
diff --git a/seed/applicationservice/2022.03.08/systemd/templates/network b/seed/applicationservice/2022.03.08/systemd/templates/network
new file mode 100644
index 0000000..9d3a437
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/systemd/templates/network
@@ -0,0 +1,25 @@
+%set %%intnb = %%rougail_index
+[Match]
+%if %%netwokd_interface_name_type == 'host'
+Name=host%%intnb
+%else
+Name=%%rougail_variable
+%end if
+
+[Link]
+RequiredForOnline=yes
+
+[Network]
+LinkLocalAddressing=no
+DHCP=no
+%set %%cidr = %%str(%%getVar('network_eth' + %%str(intnb))).split('/')[1]
+Address=%%getVar('ip_eth' + %%str(intnb))/%%cidr
+%set %%gateway = %%getVar('gateway_eth' + %%str(intnb))
+%if %%gateway
+Gateway=%%gateway
+%end if
+%set %%dns = %%ip_dns
+%if %%dns
+DNS=%%dns
+ConfigureWithoutCarrier=yes
+%end if
diff --git a/seed/applicationservice/2022.03.08/systemd/templates/risotto-volatile.conf b/seed/applicationservice/2022.03.08/systemd/templates/risotto-volatile.conf
new file mode 100644
index 0000000..05df1b3
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/systemd/templates/risotto-volatile.conf
@@ -0,0 +1,2 @@
+r! /var/*
+r! /var/tmp/*
diff --git a/seed/applicationservice/2022.03.08/systemd/templates/root.pwd b/seed/applicationservice/2022.03.08/systemd/templates/root.pwd
new file mode 100644
index 0000000..d734bd2
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/systemd/templates/root.pwd
@@ -0,0 +1 @@
+%%root_password
diff --git a/seed/applicationservice/2022.03.08/systemd/templates/srv.mount b/seed/applicationservice/2022.03.08/systemd/templates/srv.mount
new file mode 100644
index 0000000..77565ca
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/systemd/templates/srv.mount
@@ -0,0 +1,3 @@
+%set global %%part = 'srv'
+%set global %%dir = '/srv'
+%include "include.mount"
diff --git a/seed/applicationservice/2022.03.08/systemd/templates/systemd-firstboot.service b/seed/applicationservice/2022.03.08/systemd/templates/systemd-firstboot.service
new file mode 100644
index 0000000..4f2a052
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/systemd/templates/systemd-firstboot.service
@@ -0,0 +1,4 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/systemd-firstboot --root-password-file=/usr/local/lib/secrets/root.pwd
+ExecStart=/usr/bin/systemd-firstboot --copy
diff --git "a/seed/applicationservice/2022.03.08/systemd/templates/systemd-makefs@dev-disk-by\\x2dpartlabel-srv.service" "b/seed/applicationservice/2022.03.08/systemd/templates/systemd-makefs@dev-disk-by\\x2dpartlabel-srv.service"
new file mode 100644
index 0000000..9f86dda
--- /dev/null
+++ "b/seed/applicationservice/2022.03.08/systemd/templates/systemd-makefs@dev-disk-by\\x2dpartlabel-srv.service"
@@ -0,0 +1,4 @@
+%set global %%part = 'srv'
+%set global %%name = 'srv'
+%set global %%format = 'ext4'
+%include "systemd-makefs@dev-disk-byx2dpartlabel.service"
diff --git "a/seed/applicationservice/2022.03.08/systemd/templates/systemd-makefs@dev-disk-by\\x2dpartlabel-swap.service" "b/seed/applicationservice/2022.03.08/systemd/templates/systemd-makefs@dev-disk-by\\x2dpartlabel-swap.service"
new file mode 100644
index 0000000..0219111
--- /dev/null
+++ "b/seed/applicationservice/2022.03.08/systemd/templates/systemd-makefs@dev-disk-by\\x2dpartlabel-swap.service"
@@ -0,0 +1,5 @@
+%set global %%part = 'swap'
+%set global %%name = 'swap'
+%set global %%format = 'swap'
+%include "systemd-makefs@dev-disk-byx2dpartlabel.service"
+
diff --git "a/seed/applicationservice/2022.03.08/systemd/templates/systemd-makefs@dev-disk-by\\x2dpartlabel-var-tmp.service" "b/seed/applicationservice/2022.03.08/systemd/templates/systemd-makefs@dev-disk-by\\x2dpartlabel-var-tmp.service"
new file mode 100644
index 0000000..8b9faf3
--- /dev/null
+++ "b/seed/applicationservice/2022.03.08/systemd/templates/systemd-makefs@dev-disk-by\\x2dpartlabel-var-tmp.service"
@@ -0,0 +1,4 @@
+%set global %%part = 'tmp'
+%set global %%name = 'var-tmp'
+%set global %%format = 'ext4'
+%include "systemd-makefs@dev-disk-byx2dpartlabel.service"
diff --git "a/seed/applicationservice/2022.03.08/systemd/templates/systemd-makefs@dev-disk-by\\x2dpartlabel-var.service" "b/seed/applicationservice/2022.03.08/systemd/templates/systemd-makefs@dev-disk-by\\x2dpartlabel-var.service"
new file mode 100644
index 0000000..868361e
--- /dev/null
+++ "b/seed/applicationservice/2022.03.08/systemd/templates/systemd-makefs@dev-disk-by\\x2dpartlabel-var.service"
@@ -0,0 +1,4 @@
+%set global %%part = 'var'
+%set global %%name = 'var'
+%set global %%format = 'ext4'
+%include "systemd-makefs@dev-disk-byx2dpartlabel.service"
diff --git a/seed/applicationservice/2022.03.08/systemd/templates/systemd-makefs@dev-disk-byx2dpartlabel.service b/seed/applicationservice/2022.03.08/systemd/templates/systemd-makefs@dev-disk-byx2dpartlabel.service
new file mode 100644
index 0000000..8c2416f
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/systemd/templates/systemd-makefs@dev-disk-byx2dpartlabel.service
@@ -0,0 +1,19 @@
+[Unit]
+DefaultDependencies=no
+BindsTo=dev-disk-by\x2dpartlabel-%%{part}.device
+Conflicts=shutdown.target
+After=dev-disk-by\x2dpartlabel-%%{part}.device
+%if %%format == 'swap'
+Before=shutdown.target dev-disk-by\x2dpartlabel-swap.swap
+%else
+Before=shutdown.target systemd-fsck@dev-disk-by\x2dpartlabel-%%{part}.service %%{name}.mount
+%end if
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/lib/systemd/systemd-makefs %%format /dev/disk/by-partlabel/%%part
+TimeoutSec=0
+
+[Install]
+WantedBy=multi-user.target
diff --git a/seed/applicationservice/2022.03.08/systemd/templates/systemd-repart.service b/seed/applicationservice/2022.03.08/systemd/templates/systemd-repart.service
new file mode 100644
index 0000000..41016f3
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/systemd/templates/systemd-repart.service
@@ -0,0 +1,3 @@
+[Service]
+ExecStart=
+ExecStart=/usr/bin/systemd-repart --dry-run=no /dev/sdb --empty=allow
diff --git a/seed/applicationservice/2022.03.08/systemd/templates/var-tmp.mount b/seed/applicationservice/2022.03.08/systemd/templates/var-tmp.mount
new file mode 100644
index 0000000..c3673d0
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/systemd/templates/var-tmp.mount
@@ -0,0 +1,3 @@
+%set global %%part = 'tmp'
+%set global %%dir = '/var/tmp'
+%include "include.mount"
diff --git a/seed/applicationservice/2022.03.08/systemd/templates/var.mount b/seed/applicationservice/2022.03.08/systemd/templates/var.mount
new file mode 100644
index 0000000..0c8e5cd
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/systemd/templates/var.mount
@@ -0,0 +1,3 @@
+%set global %%part = 'var'
+%set global %%dir = '/var'
+%include "include.mount"
diff --git a/seed/applicationservice/2022.03.08/unbound/DEBUG.md b/seed/applicationservice/2022.03.08/unbound/DEBUG.md
new file mode 100644
index 0000000..de8681e
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/unbound/DEBUG.md
@@ -0,0 +1,17 @@
+Mode debug
+==========
+
+unbound-control verbosity 9
+
+Test DNSSEC
+===========
+
+root@debian:~# dig com. +dnssec @192.168.45.10
+[..]
+com.			426	IN	SOA	a.gtld-servers.net. nstld.verisign-grs.com. 1640718785 1800 900 604800 86400
+com.			426	IN	RRSIG	SOA 8 1 900 20220104191305 20211228180305 15549 com. hM30zU8QqdKPZWPJPFI2YXbTHwOWn9jTuNXMtu7/l5OVUcxu62Er2TnY jo1ASYNsNJ9oxK3Iw+xWAxKL5PIrol2OMPEu82jZCsuMoe1oO8+oZDTC qVpNn4KF9tsEMvgg0VHGa/TiJM1uj0E5/kE0TExNLFs6FHeMafF9WpR0 q8+qtaZ7OeNDUWlkf+qjNdBT4pz2KLD7WP/gIssq4otwSQ==
+CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 21126 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
+CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 21126 IN RRSIG NSEC3 8 2 86400 20220103052342 20211227041342 15549 com. t1rjWzy49vLszmDnuIKZWvd+mGElr55we162Eym1qs3zV5JedBi7BSxi EdMaGSmePJ/xltgaoPapL+xPMSXruCQ5mejTHXvYuzFKYKMTz/PP6Tci jilbQE0s+HRWDvFFSfqN6X+h6YNIkbEhVDyPFkbywAcqqCQd9yg1TGVJ mgggR6oW7/HNH/jiL5UGRQn3kpE3cMjAQI3ijbEZthiIag==
+[..]
+
+
diff --git a/seed/applicationservice/2022.03.08/unbound/applicationservice.yml b/seed/applicationservice/2022.03.08/unbound/applicationservice.yml
new file mode 100644
index 0000000..bc02208
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/unbound/applicationservice.yml
@@ -0,0 +1,5 @@
+format: '0.1'
+description: Configuration du serveur DNS unbound
+service: true
+depends:
+  - base-fedora-35
diff --git a/seed/applicationservice/2022.03.08/unbound/dictionaries/20_unbound.xml b/seed/applicationservice/2022.03.08/unbound/dictionaries/20_unbound.xml
new file mode 100644
index 0000000..26dd7f4
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/unbound/dictionaries/20_unbound.xml
@@ -0,0 +1,39 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rougail version="0.10">
+  <services>
+    <!-- FIXME activer le timer ? -->
+    <service name='unbound' target="multi-user">
+      <ip ip_type='variable'>unbound_allowed_client</ip>
+      <override/>
+      <file>/etc/unbound/conf.d/risotto.conf</file>
+      <file>/etc/unbound/unbound.conf</file>
+      <file engine="none" source="sysuser-unbound.conf">/sysusers.d/0unbound.conf</file>
+      <file engine="none" source="tmpfile-unbound.conf">/tmpfiles.d/0unbound.conf</file>
+    </service>
+    <service name='unbound-anchor'>
+      <override/>
+    </service>
+    <service name='unbound-keygen' disabled="True"/>
+  </services>
+  <variables>
+    <family name="dns" description="DNS">
+      <variable name="dns_client_address" redefine="True" disabled="True"/>
+      <variable name="ip_dns" redefine="True" remove_fill="True"/>
+    </family>
+    <family name='dns_resolver' description='Résolveur DNS'>
+      <variable name="unbound_allowed_client" type="ip" description="Réseau des clients autorisés à faire des requêtes DNS" multi="True" mandatory="True" provider="dns"/>
+      <variable name="unbound_default_forwards" description="Serveur résolveur DNS par défaut" multi="True" mandatory="True"/>
+      <family name="forward_zones" description="Serveur DNS faisant autorité sur une zone particulière" leadership="True" hidden="True">
+        <variable name="unbound_forward_address" description="Adresse du serveur faisant autorité" provider="authorities" multi="True"/>
+        <variable name="unbound_forward_zones" type="domainname" description="Nom de domaine de la zone" multi="True" provider="authority_zones"/>
+        <variable name="unbound_forward_reverse_zones" type="domainname" description="Nom de domaine de la zone" multi="True" provider="reverse_authority_zones"/>
+      </family>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="calc_value">
+      <param type="variable">ip_eth0</param>
+      <target>ip_dns</target>
+    </fill>
+  </constraints>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/unbound/extras/machine/20_unbound.xml b/seed/applicationservice/2022.03.08/unbound/extras/machine/20_unbound.xml
new file mode 100644
index 0000000..ce5c6c8
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/unbound/extras/machine/20_unbound.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rougail version="0.10">
+  <variables>
+    <variable name="var_size" redefine="True">
+      <value>256</value>
+    </variable>
+    <variable name="add_tmp" redefine="True">
+      <value>False</value>
+    </variable>
+    <variable name="add_srv" redefine="True">
+      <value>True</value>
+    </variable>
+    <variable name="add_swap" redefine="True">
+      <value>False</value>
+    </variable>
+    <variable name='memory' redefine="True" exists="True">
+      <value>512</value>
+    </variable>
+  </variables>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/unbound/extras/unbound/20_unbound.xml b/seed/applicationservice/2022.03.08/unbound/extras/unbound/20_unbound.xml
new file mode 100644
index 0000000..a7a1f5b
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/unbound/extras/unbound/20_unbound.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rougail version="0.10">
+  <variables>
+    <variable name="unbound_local_authority" description="Nom du serveur DNS gérant les zones local" provider="autority"/>
+    <family name="unbound_forward_zones" description="Serveur DNS faisant autorité sur une zone particulière" leadership="True">
+      <variable name="unbound_forward_zones" type="domainname" description="Nom de domaine de la zone" multi="True" test="test2.com"/>
+      <variable name="unbound_forward_addresses" description="Adresse du serveur faisant autorité"/>
+    </family>
+  </variables>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/unbound/funcs/funcs.py b/seed/applicationservice/2022.03.08/unbound/funcs/funcs.py
new file mode 100644
index 0000000..cac5dd4
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/unbound/funcs/funcs.py
@@ -0,0 +1,17 @@
+from typing import List
+from ipaddress import ip_interface
+from os.path import join
+from datetime import datetime
+
+
+def unbound_filename(dirname: str,
+                     variables: List[str],
+                     extension: str) -> List[str]:
+    ret = []
+    for variable in variables:
+        ret.append(join(dirname, f'{variable}{extension}'))
+    return ret
+
+
+def unbound_serial() -> str:
+    return datetime.now().strftime('%Y%m%d%H%M%S')
diff --git a/seed/applicationservice/2022.03.08/unbound/manual/image/preinstall/unbound.sh b/seed/applicationservice/2022.03.08/unbound/manual/image/preinstall/unbound.sh
new file mode 100644
index 0000000..0ac78fc
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/unbound/manual/image/preinstall/unbound.sh
@@ -0,0 +1 @@
+PKG="$PKG unbound"
diff --git a/seed/applicationservice/2022.03.08/unbound/packer/image/scripts/20-unbound b/seed/applicationservice/2022.03.08/unbound/packer/image/scripts/20-unbound
new file mode 100644
index 0000000..21f743d
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/unbound/packer/image/scripts/20-unbound
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+set -xe
+
+[ -e /tmp/proxy.sh ] && . /tmp/proxy.sh
+microdnf -y --nodocs --noplugins install unbound
+make_volatile /var/lib/unbound
+
+exit 0
diff --git a/seed/applicationservice/2022.03.08/unbound/templates/risotto.conf b/seed/applicationservice/2022.03.08/unbound/templates/risotto.conf
new file mode 100644
index 0000000..c488c41
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/unbound/templates/risotto.conf
@@ -0,0 +1,33 @@
+server:
+%for %%interface in %%interfaces_list
+    interface: %%getVar('ip_eth' + %%str(%%interface))
+%end for
+    do-ip4: yes
+    do-ip6: no
+    use-syslog: yes
+%for %%interface in %%interfaces_list
+    access-control: %%getVar('ip_eth' + %%str(%%interface)) allow
+%end for
+%for %%allowed in %%unbound_allowed_client
+    access-control: %%allowed allow
+%end for
+    do-not-query-localhost: no
+    auto-trust-anchor-file: "/srv/unbound/root.key"
+
+remote-control:
+    control-interface: 127.0.0.1
+
+%for %%authority in %%unbound_forward_address
+ %for %%zone in %%authority.unbound_forward_zones
+forward-zone:
+    name: "%%zone"
+    forward-addr: %%authority
+
+ %end for
+%end for
+forward-zone:
+    name: "."
+%for %%forward in %%unbound_default_forwards
+    forward-addr: %%forward
+%end for
+    # forward-first: no
diff --git a/seed/applicationservice/2022.03.08/unbound/templates/sysuser-unbound.conf b/seed/applicationservice/2022.03.08/unbound/templates/sysuser-unbound.conf
new file mode 100644
index 0000000..2b08312
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/unbound/templates/sysuser-unbound.conf
@@ -0,0 +1,2 @@
+g unbound 999 -
+u unbound 999:999     "Unbound DNS resolver" /etc/unbound  /sbin/nologin
diff --git a/seed/applicationservice/2022.03.08/unbound/templates/tmpfile-unbound.conf b/seed/applicationservice/2022.03.08/unbound/templates/tmpfile-unbound.conf
new file mode 100644
index 0000000..9981a7b
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/unbound/templates/tmpfile-unbound.conf
@@ -0,0 +1 @@
+d /srv/unbound 755 unbound unbound - -
diff --git a/seed/applicationservice/2022.03.08/unbound/templates/unbound-anchor.service b/seed/applicationservice/2022.03.08/unbound/templates/unbound-anchor.service
new file mode 100644
index 0000000..b9bcab3
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/unbound/templates/unbound-anchor.service
@@ -0,0 +1,3 @@
+[Service]
+ExecStart=
+ExecStart=/usr/sbin/unbound-anchor -a /srv/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R -4
diff --git a/seed/applicationservice/2022.03.08/unbound/templates/unbound.conf b/seed/applicationservice/2022.03.08/unbound/templates/unbound.conf
new file mode 100644
index 0000000..f158790
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/unbound/templates/unbound.conf
@@ -0,0 +1,1226 @@
+#
+# Example configuration file.
+#
+# See unbound.conf(5) man page
+#
+# this is a comment.
+
+# Use this anywhere in the file to include other text into this file.
+#include: "otherfile.conf"
+
+# Use this anywhere in the file to include other text, that explicitly starts a
+# clause, into this file. Text after this directive needs to start a clause.
+#include-toplevel: "otherfile.conf"
+
+# The server clause sets the main parameters.
+server:
+	# whitespace is not necessary, but looks cleaner.
+
+	# verbosity number, 0 is least verbose. 1 is default.
+	verbosity: 1
+
+	# print statistics to the log (for every thread) every N seconds.
+	# Set to "" or 0 to disable. Default is disabled.
+	# Needs to be disabled for munin plugin
+	statistics-interval: 0
+
+	# enable shm for stats, default no.  if you enable also enable
+	# statistics-interval, every time it also writes stats to the
+	# shared memory segment keyed with shm-key.
+	# shm-enable: no
+
+	# shm for stats uses this key, and key+1 for the shared mem segment.
+	# shm-key: 11777
+
+	# enable cumulative statistics, without clearing them after printing.
+	# Needs to be disabled for munin plugin
+	statistics-cumulative: no
+
+	# enable extended statistics (query types, answer codes, status)
+	# printed from unbound-control. default off, because of speed.
+	# Needs to be enabled for munin plugin
+	extended-statistics: yes
+
+	# number of threads to create. 1 disables threading.
+	num-threads: 4
+
+	# specify the interfaces to answer queries from by ip-address.
+	# The default is to listen to localhost (127.0.0.1 and ::1).
+	# specify 0.0.0.0 and ::0 to bind to all available interfaces.
+	# specify every interface[@port] on a new 'interface:' labelled line.
+	# The listen interfaces are not changed on reload, only on restart.
+	# interface: 0.0.0.0
+	# interface: ::0
+	# interface: 192.0.2.153
+	# interface: 192.0.2.154
+	# interface: 192.0.2.154@5003
+	# interface: 2001:DB8::5
+	#
+	# for dns over tls and raw dns over port 80
+	# interface: 0.0.0.0@443
+	# interface: ::0@443
+	# interface: 0.0.0.0@80
+	# interface: ::0@80
+
+	# enable this feature to copy the source address of queries to reply.
+	# Socket options are not supported on all platforms. experimental.
+	# interface-automatic: yes
+	#
+	# NOTE: Enable this option when specifying interface 0.0.0.0 or ::0
+	# NOTE: Disabled per Fedora policy not to listen to * on default install
+	# NOTE: If deploying on non-default port, eg 80/443, this needs to be disabled
+	interface-automatic: no
+
+	# port to answer queries from
+	# port: 53
+
+	# specify the interfaces to send outgoing queries to authoritative
+	# server from by ip-address. If none, the default (all) interface
+	# is used. Specify every interface on a 'outgoing-interface:' line.
+	# outgoing-interface: 192.0.2.153
+	# outgoing-interface: 2001:DB8::5
+	# outgoing-interface: 2001:DB8::6
+
+	# Specify a netblock to use remainder 64 bits as random bits for
+	# upstream queries.  Uses freebind option (Linux).
+	# outgoing-interface: 2001:DB8::/64
+	# Also (Linux:) ip -6 addr add 2001:db8::/64 dev lo
+	# And: ip -6 route add local 2001:db8::/64 dev lo
+	# And set prefer-ip6: yes to use the ip6 randomness from a netblock.
+	# Set this to yes to prefer ipv6 upstream servers over ipv4.
+	# prefer-ip6: no
+
+	# Prefer ipv4 upstream servers, even if ipv6 is available.
+	# prefer-ip4: no
+
+	# number of ports to allocate per thread, determines the size of the
+	# port range that can be open simultaneously.  About double the
+	# num-queries-per-thread, or, use as many as the OS will allow you.
+	# outgoing-range: 4096
+
+	# permit unbound to use this port number or port range for
+	# making outgoing queries, using an outgoing interface.
+	# Only ephemeral ports are allowed by SElinux
+	outgoing-port-permit: 32768-60999
+
+	# deny unbound the use this of port number or port range for
+	# making outgoing queries, using an outgoing interface.
+	# Use this to make sure unbound does not grab a UDP port that some
+	# other server on this computer needs. The default is to avoid
+	# IANA-assigned port numbers.
+	# If multiple outgoing-port-permit and outgoing-port-avoid options
+	# are present, they are processed in order.
+	# Our SElinux policy does not allow non-ephemeral ports to be used
+	outgoing-port-avoid: 0-32767
+	outgoing-port-avoid: 61000-65535
+
+	# number of outgoing simultaneous tcp buffers to hold per thread.
+	# outgoing-num-tcp: 10
+
+	# number of incoming simultaneous tcp buffers to hold per thread.
+	# incoming-num-tcp: 10
+
+	# buffer size for UDP port 53 incoming (SO_RCVBUF socket option).
+	# 0 is system default.  Use 4m to catch query spikes for busy servers.
+	# so-rcvbuf: 0
+
+	# buffer size for UDP port 53 outgoing (SO_SNDBUF socket option).
+	# 0 is system default.  Use 4m to handle spikes on very busy servers.
+	# so-sndbuf: 0
+
+	# use SO_REUSEPORT to distribute queries over threads.
+	# at extreme load it could be better to turn it off to distribute even.
+	so-reuseport: yes
+
+	# use IP_TRANSPARENT so the interface: addresses can be non-local
+	# and you can config non-existing IPs that are going to work later on
+	# (uses IP_BINDANY on FreeBSD).
+	ip-transparent: yes
+
+	# use IP_FREEBIND so the interface: addresses can be non-local
+	# and you can bind to nonexisting IPs and interfaces that are down.
+	# Linux only.  On Linux you also have ip-transparent that is similar.
+	# ip-freebind: no
+
+	# the value of the Differentiated Services Codepoint (DSCP)
+	# in the differentiated services field (DS) of the outgoing
+	# IP packets
+	# ip-dscp: 0
+
+	# EDNS reassembly buffer to advertise to UDP peers (the actual buffer
+	# is set with msg-buffer-size). 1472 can solve fragmentation (timeouts)
+	# edns-buffer-size: 1232
+
+	# Maximum UDP response size (not applied to TCP response).
+	# Suggested values are 512 to 4096. Default is 4096. 65536 disables it.
+	# 3072 causes +dnssec any isc.org queries to need TC=1.
+	# Helps mitigating DDOS
+	max-udp-size: 3072
+
+	# max memory to use for stream(tcp and tls) waiting result buffers.
+	# stream-wait-size: 4m
+
+	# buffer size for handling DNS data. No messages larger than this
+	# size can be sent or received, by UDP or TCP. In bytes.
+	# msg-buffer-size: 65552
+
+	# the amount of memory to use for the message cache.
+	# plain value in bytes or you can append k, m or G. default is "4Mb".
+	# msg-cache-size: 4m
+
+	# the number of slabs to use for the message cache.
+	# the number of slabs must be a power of 2.
+	# more slabs reduce lock contention, but fragment memory usage.
+	# msg-cache-slabs: 4
+
+	# the number of queries that a thread gets to service.
+	# num-queries-per-thread: 1024
+
+	# if very busy, 50% queries run to completion, 50% get timeout in msec
+	# jostle-timeout: 200
+
+	# msec to wait before close of port on timeout UDP. 0 disables.
+	# delay-close: 0
+
+	# perform connect for UDP sockets to mitigate ICMP side channel.
+	# udp-connect: yes
+
+	# msec for waiting for an unknown server to reply.  Increase if you
+	# are behind a slow satellite link, to eg. 1128.
+	# unknown-server-time-limit: 376
+
+	# the amount of memory to use for the RRset cache.
+	# plain value in bytes or you can append k, m or G. default is "4Mb".
+	# rrset-cache-size: 4m
+
+	# the number of slabs to use for the RRset cache.
+	# the number of slabs must be a power of 2.
+	# more slabs reduce lock contention, but fragment memory usage.
+	# rrset-cache-slabs: 4
+
+	# the time to live (TTL) value lower bound, in seconds. Default 0.
+	# If more than an hour could easily give trouble due to stale data.
+	# cache-min-ttl: 0
+
+	# the time to live (TTL) value cap for RRsets and messages in the
+	# cache. Items are not cached for longer. In seconds.
+	# cache-max-ttl: 86400
+
+	# the time to live (TTL) value cap for negative responses in the cache
+	# cache-max-negative-ttl: 3600
+
+	# the time to live (TTL) value for cached roundtrip times, lameness and
+	# EDNS version information for hosts. In seconds.
+	# infra-host-ttl: 900
+
+	# minimum wait time for responses, increase if uplink is long. In msec.
+	# infra-cache-min-rtt: 50
+
+	# enable to make server probe down hosts more frequently.
+	# infra-keep-probing: no
+
+	# the number of slabs to use for the Infrastructure cache.
+	# the number of slabs must be a power of 2.
+	# more slabs reduce lock contention, but fragment memory usage.
+	# infra-cache-slabs: 4
+
+	# the maximum number of hosts that are cached (roundtrip, EDNS, lame).
+	# infra-cache-numhosts: 10000
+
+	# define a number of tags here, use with local-zone, access-control.
+	# repeat the define-tag statement to add additional tags.
+	# define-tag: "tag1 tag2 tag3"
+
+	# Enable IPv4, "yes" or "no".
+	# do-ip4: yes
+
+	# Enable IPv6, "yes" or "no".
+	# do-ip6: yes
+
+	# Enable UDP, "yes" or "no".
+	# NOTE: if setting up an unbound on tls443 for public use, you might want to
+	# disable UDP to avoid being used in DNS amplification attacks.
+	# do-udp: yes
+
+	# Enable TCP, "yes" or "no".
+	# do-tcp: yes
+
+	# upstream connections use TCP only (and no UDP), "yes" or "no"
+	# useful for tunneling scenarios, default no.
+	# tcp-upstream: no
+
+	# upstream connections also use UDP (even if do-udp is no).
+	# useful if if you want UDP upstream, but don't provide UDP downstream.
+	# udp-upstream-without-downstream: no
+
+	# Maximum segment size (MSS) of TCP socket on which the server
+	# responds to queries. Default is 0, system default MSS.
+	# tcp-mss: 0
+
+	# Maximum segment size (MSS) of TCP socket for outgoing queries.
+	# Default is 0, system default MSS.
+	# outgoing-tcp-mss: 0
+
+	# Idle TCP timeout, connection closed in milliseconds
+	# tcp-idle-timeout: 30000
+
+	# Enable EDNS TCP keepalive option.
+	edns-tcp-keepalive: yes
+
+	# Timeout for EDNS TCP keepalive, in msec.
+	# edns-tcp-keepalive-timeout: 120000
+
+	# Fedora note: do not activate this - can cause a crash
+	# Use systemd socket activation for UDP, TCP, and control sockets.
+	# use-systemd: no
+
+	# Detach from the terminal, run in background, "yes" or "no".
+	# Set the value to "no" when unbound runs as systemd service.
+	# do-daemonize: yes
+
+	# control which clients are allowed to make (recursive) queries
+	# to this server. Specify classless netblocks with /size and action.
+	# By default everything is refused, except for localhost.
+	# Choose deny (drop message), refuse (polite error reply),
+	# allow (recursive ok), allow_setrd (recursive ok, rd bit is forced on),
+	# allow_snoop (recursive and nonrecursive ok)
+	# deny_non_local (drop queries unless can be answered from local-data)
+	# refuse_non_local (like deny_non_local but polite error reply).
+	# access-control: 0.0.0.0/0 refuse
+	# access-control: 127.0.0.0/8 allow
+	# access-control: ::0/0 refuse
+	# access-control: ::1 allow
+	# access-control: ::ffff:127.0.0.1 allow
+
+	# tag access-control with list of tags (in "" with spaces between)
+	# Clients using this access control element use localzones that
+	# are tagged with one of these tags.
+	# access-control-tag: 192.0.2.0/24 "tag2 tag3"
+
+	# set action for particular tag for given access control element
+	# if you have multiple tag values, the tag used to lookup the action
+	# is the first tag match between access-control-tag and local-zone-tag
+	# where "first" comes from the order of the define-tag values.
+	# access-control-tag-action: 192.0.2.0/24 tag3 refuse
+
+	# set redirect data for particular tag for access control element
+	# access-control-tag-data: 192.0.2.0/24 tag2 "A 127.0.0.1"
+
+	# Set view for access control element
+	# access-control-view: 192.0.2.0/24 viewname
+
+	# if given, a chroot(2) is done to the given directory.
+	# i.e. you can chroot to the working directory, for example,
+	# for extra security, but make sure all files are in that directory.
+	#
+	# If chroot is enabled, you should pass the configfile (from the
+	# commandline) as a full path from the original root. After the
+	# chroot has been performed the now defunct portion of the config
+	# file path is removed to be able to reread the config after a reload.
+	#
+	# All other file paths (working dir, logfile, roothints, and
+	# key files) can be specified in several ways:
+	# 	o as an absolute path relative to the new root.
+	# 	o as a relative path to the working directory.
+	# 	o as an absolute path relative to the original root.
+	# In the last case the path is adjusted to remove the unused portion.
+	#
+	# The pid file can be absolute and outside of the chroot, it is
+	# written just prior to performing the chroot and dropping permissions.
+	#
+	# Additionally, unbound may need to access /dev/urandom (for entropy).
+	# How to do this is specific to your OS.
+	#
+	# If you give "" no chroot is performed. The path must not end in a /.
+	# chroot: "/var/lib/unbound"
+	chroot: ""
+
+	# if given, user privileges are dropped (after binding port),
+	# and the given username is assumed. Default is user "unbound".
+	# If you give "" no privileges are dropped.
+	username: "unbound"
+
+	# the working directory. The relative files in this config are
+	# relative to this directory. If you give "" the working directory
+	# is not changed.
+	# If you give a server: directory: dir before include: file statements
+	# then those includes can be relative to the working directory.
+	directory: "/etc/unbound"
+
+	# the log file, "" means log to stderr.
+	# Use of this option sets use-syslog to "no".
+	# logfile: ""
+
+	# Log to syslog(3) if yes. The log facility LOG_DAEMON is used to
+	# log to. If yes, it overrides the logfile.
+	# use-syslog: yes
+ 
+	# Log identity to report. if empty, defaults to the name of argv[0]
+	# (usually "unbound").
+	# log-identity: ""
+
+	# print UTC timestamp in ascii to logfile, default is epoch in seconds.
+	log-time-ascii: yes
+
+	# print one line with time, IP, name, type, class for every query.
+	# log-queries: no
+
+	# print one line per reply, with time, IP, name, type, class, rcode,
+	# timetoresolve, fromcache and responsesize.
+	# log-replies: no
+
+	# log with tag 'query' and 'reply' instead of 'info' for
+	# filtering log-queries and log-replies from the log.
+	# log-tag-queryreply: no
+
+	# log the local-zone actions, like local-zone type inform is enabled
+	# also for the other local zone types.
+	# log-local-actions: no
+
+	# print log lines that say why queries return SERVFAIL to clients.
+	# log-servfail: no
+
+	# the pid file. Can be an absolute path outside of chroot/work dir.
+	pidfile: "/var/run/unbound/unbound.pid"
+
+	# file to read root hints from.
+	# get one from https://www.internic.net/domain/named.cache
+	# root-hints: ""
+
+	# enable to not answer id.server and hostname.bind queries.
+	# hide-identity: no
+
+	# enable to not answer version.server and version.bind queries.
+	# hide-version: no
+
+	# enable to not set the User-Agent HTTP header.
+	# hide-http-user-agent: no
+
+	# enable to not answer trustanchor.unbound queries.
+	# hide-trustanchor: no
+
+	# enable to not set the User-Agent HTTP header.
+	# hide-http-user-agent: no
+
+	# the identity to report. Leave "" or default to return hostname.
+	# identity: ""
+
+	# the version to report. Leave "" or default to return package version.
+	# version: ""
+
+	# NSID identity (hex string, or "ascii_somestring"). default disabled.
+	# nsid: "aabbccdd"
+
+	# User-Agent HTTP header to use. Leave "" or default to use package name
+	# and version.
+	# http-user-agent: ""
+
+	# the target fetch policy.
+	# series of integers describing the policy per dependency depth.
+	# The number of values in the list determines the maximum dependency
+	# depth the recursor will pursue before giving up. Each integer means:
+	# 	-1 : fetch all targets opportunistically,
+	# 	0: fetch on demand,
+	#	positive value: fetch that many targets opportunistically.
+	# Enclose the list of numbers between quotes ("").
+	# target-fetch-policy: "3 2 1 0 0"
+
+	# Harden against very small EDNS buffer sizes.
+	# harden-short-bufsize: yes
+
+	# Harden against unseemly large queries.
+	# harden-large-queries: no
+
+	# Harden against out of zone rrsets, to avoid spoofing attempts.
+	harden-glue: yes
+
+	# Harden against receiving dnssec-stripped data. If you turn it
+	# off, failing to validate dnskey data for a trustanchor will
+	# trigger insecure mode for that zone (like without a trustanchor).
+	# Default on, which insists on dnssec data for trust-anchored zones.
+	harden-dnssec-stripped: yes
+
+	# Harden against queries that fall under dnssec-signed nxdomain names.
+	harden-below-nxdomain: yes
+
+	# Harden the referral path by performing additional queries for
+	# infrastructure data.  Validates the replies (if possible).
+	# Default off, because the lookups burden the server.  Experimental
+	# implementation of draft-wijngaards-dnsext-resolver-side-mitigation.
+	harden-referral-path: yes
+
+	# Harden against algorithm downgrade when multiple algorithms are
+	# advertised in the DS record.  If no, allows the weakest algorithm
+	# to validate the zone.
+	# harden-algo-downgrade: no
+
+	# Sent minimum amount of information to upstream servers to enhance
+	# privacy. Only sent minimum required labels of the QNAME and set QTYPE
+	# to A when possible.
+	qname-minimisation: yes
+
+	# QNAME minimisation in strict mode. Do not fall-back to sending full
+	# QNAME to potentially broken nameservers. A lot of domains will not be
+	# resolvable when this option in enabled.
+	# This option only has effect when qname-minimisation is enabled.
+	# qname-minimisation-strict: no
+
+	# Aggressive NSEC uses the DNSSEC NSEC chain to synthesize NXDOMAIN
+	# and other denials, using information from previous NXDOMAINs answers.
+	aggressive-nsec: yes
+
+	# Use 0x20-encoded random bits in the query to foil spoof attempts.
+	# This feature is an experimental implementation of draft dns-0x20.
+	# use-caps-for-id: no
+
+	# Domains (and domains in them) without support for dns-0x20 and
+	# the fallback fails because they keep sending different answers.
+	# caps-exempt: "licdn.com"
+	# caps-exempt: "senderbase.org"
+
+	# Enforce privacy of these addresses. Strips them away from answers.
+	# It may cause DNSSEC validation to additionally mark it as bogus.
+	# Protects against 'DNS Rebinding' (uses browser as network proxy).
+	# Only 'private-domain' and 'local-data' names are allowed to have
+	# these private addresses. No default.
+	# private-address: 10.0.0.0/8
+	# private-address: 172.16.0.0/12
+	# private-address: 192.168.0.0/16
+	# private-address: 169.254.0.0/16
+	# private-address: fd00::/8
+	# private-address: fe80::/10
+	# private-address: ::ffff:0:0/96
+
+	# Allow the domain (and its subdomains) to contain private addresses.
+	# local-data statements are allowed to contain private addresses too.
+	# private-domain: "example.com"
+
+	# If nonzero, unwanted replies are not only reported in statistics,
+	# but also a running total is kept per thread. If it reaches the
+	# threshold, a warning is printed and a defensive action is taken,
+	# the cache is cleared to flush potential poison out of it.
+	# A suggested value is 10000000, the default is 0 (turned off).
+	unwanted-reply-threshold: 10000000
+
+	# Do not query the following addresses. No DNS queries are sent there.
+	# List one address per entry. List classless netblocks with /size,
+	# do-not-query-address: 127.0.0.1/8
+	# do-not-query-address: ::1
+
+	# if yes, the above default do-not-query-address entries are present.
+	# if no, localhost can be queried (for testing and debugging).
+	# do-not-query-localhost: yes
+
+	# if yes, perform prefetching of almost expired message cache entries.
+	prefetch: yes
+
+	# if yes, perform key lookups adjacent to normal lookups.
+	prefetch-key: yes
+
+	# deny queries of type ANY with an empty response.
+	deny-any: yes
+
+	# if yes, Unbound rotates RRSet order in response.
+	rrset-roundrobin: yes
+
+	# if yes, Unbound doesn't insert authority/additional sections
+	# into response messages when those sections are not required.
+	minimal-responses: yes
+
+	# true to disable DNSSEC lameness check in iterator.
+	# disable-dnssec-lame-check: no
+
+	# module configuration of the server. A string with identifiers
+	# separated by spaces. Syntax: "[dns64] [validator] iterator"
+	# most modules have to be listed at the beginning of the line,
+	# except cachedb(just before iterator), and python (at the beginning,
+	# or, just before the iterator).
+	module-config: "ipsecmod validator iterator"
+
+	# File with trusted keys, kept uptodate using RFC5011 probes,
+	# initial file like trust-anchor-file, then it stores metadata.
+	# Use several entries, one per domain name, to track multiple zones.
+	#
+	# If you want to perform DNSSEC validation, run unbound-anchor before
+	# you start unbound (i.e. in the system boot scripts).  And enable:
+	# Please note usage of unbound-anchor root anchor is at your own risk
+	# and under the terms of our LICENSE (see that file in the source).
+	# auto-trust-anchor-file: "/var/lib/unbound/root.key"
+
+	# trust anchor signaling sends a RFC8145 key tag query after priming.
+	trust-anchor-signaling: yes
+
+	# Root key trust anchor sentinel (draft-ietf-dnsop-kskroll-sentinel)
+	root-key-sentinel: yes
+
+	# File with trusted keys for validation. Specify more than one file
+	# with several entries, one file per entry.
+	# Zone file format, with DS and DNSKEY entries.
+	# Note this gets out of date, use auto-trust-anchor-file please.
+	# trust-anchor-file: ""
+
+	# Trusted key for validation. DS or DNSKEY. specify the RR on a
+	# single line, surrounded by "". TTL is ignored. class is IN default.
+	# Note this gets out of date, use auto-trust-anchor-file please.
+	# (These examples are from August 2007 and may not be valid anymore).
+	# trust-anchor: "nlnetlabs.nl. DNSKEY 257 3 5 AQPzzTWMz8qSWIQlfRnPckx2BiVmkVN6LPupO3mbz7FhLSnm26n6iG9N Lby97Ji453aWZY3M5/xJBSOS2vWtco2t8C0+xeO1bc/d6ZTy32DHchpW 6rDH1vp86Ll+ha0tmwyy9QP7y2bVw5zSbFCrefk8qCUBgfHm9bHzMG1U BYtEIQ=="
+	# trust-anchor: "jelte.nlnetlabs.nl. DS 42860 5 1 14D739EB566D2B1A5E216A0BA4D17FA9B038BE4A"
+
+	# File with trusted keys for validation. Specify more than one file
+	# with several entries, one file per entry. Like trust-anchor-file
+	# but has a different file format. Format is BIND-9 style format,
+	# the trusted-keys { name flag proto algo "key"; }; clauses are read.
+	# you need external update procedures to track changes in keys.
+	# trusted-keys-file: ""
+	#
+	trusted-keys-file: /etc/unbound/keys.d/*.key
+	# GNUNUX define in risotto.conf auto-trust-anchor-file: "/var/lib/unbound/root.key"
+
+	# Ignore chain of trust. Domain is treated as insecure.
+	# domain-insecure: "example.com"
+
+	# Override the date for validation with a specific fixed date.
+	# Do not set this unless you are debugging signature inception
+	# and expiration. "" or "0" turns the feature off. -1 ignores date.
+	# val-override-date: ""
+
+	# The time to live for bogus data, rrsets and messages. This avoids
+	# some of the revalidation, until the time interval expires. in secs.
+	# val-bogus-ttl: 60
+
+	# The signature inception and expiration dates are allowed to be off
+	# by 10% of the signature lifetime (expir-incep) from our local clock.
+	# This leeway is capped with a minimum and a maximum.  In seconds.
+	# val-sig-skew-min: 3600
+	# val-sig-skew-max: 86400
+
+	# The maximum number the validator should restart validation with
+	# another authority in case of failed validation.
+	# val-max-restart: 5
+
+	# Should additional section of secure message also be kept clean of
+	# unsecure data. Useful to shield the users of this validator from
+	# potential bogus data in the additional section. All unsigned data
+	# in the additional section is removed from secure messages.
+	val-clean-additional: yes
+
+	# Turn permissive mode on to permit bogus messages. Thus, messages
+	# for which security checks failed will be returned to clients,
+	# instead of SERVFAIL. It still performs the security checks, which
+	# result in interesting log files and possibly the AD bit in
+	# replies if the message is found secure. The default is off.
+	# NOTE: TURNING THIS ON DISABLES ALL DNSSEC SECURITY
+	val-permissive-mode: no
+
+	# Ignore the CD flag in incoming queries and refuse them bogus data.
+	# Enable it if the only clients of unbound are legacy servers (w2008)
+	# that set CD but cannot validate themselves.
+	# ignore-cd-flag: no
+
+	# Serve expired responses from cache, with serve-expired-reply-ttl in
+	# the response, and then attempt to fetch the data afresh.
+	serve-expired: yes
+	#
+	# Limit serving of expired responses to configured seconds after
+	# expiration. 0 disables the limit.
+	serve-expired-ttl: 14400
+	#
+	# Set the TTL of expired records to the serve-expired-ttl value after a
+	# failed attempt to retrieve the record from upstream. This makes sure
+	# that the expired records will be served as long as there are queries
+	# for it.
+	# serve-expired-ttl-reset: no
+	#
+	# TTL value to use when replying with expired data.
+	# serve-expired-reply-ttl: 30
+	#
+	# Time in milliseconds before replying to the client with expired data.
+	# This essentially enables the serve-stale behavior as specified in
+	# RFC 8767 that first tries to resolve before
+	# immediately responding with expired data.  0 disables this behavior.
+	# A recommended value is 1800.
+	# serve-expired-client-timeout: 0
+
+	# Return the original TTL as received from the upstream name server rather
+	# than the decrementing TTL as stored in the cache.  Enabling this feature
+	# does not impact cache expiry, it only changes the TTL unbound embeds in
+	# responses to queries. Note that enabling this feature implicitly disables
+	# enforcement of the configured minimum and maximum TTL.
+	# serve-original-ttl: no
+
+	# Have the validator log failed validations for your diagnosis.
+	# 0: off. 1: A line per failed user query. 2: With reason and bad IP.
+	val-log-level: 1
+
+	# It is possible to configure NSEC3 maximum iteration counts per
+	# keysize. Keep this table very short, as linear search is done.
+	# A message with an NSEC3 with larger count is marked insecure.
+	# List in ascending order the keysize and count values.
+	# val-nsec3-keysize-iterations: "1024 150 2048 150 4096 150"
+
+	# if enabled, ZONEMD verification failures do not block the zone.
+	# zonemd-permissive-mode: no
+
+	# instruct the auto-trust-anchor-file probing to add anchors after ttl.
+	# add-holddown: 2592000 # 30 days
+
+	# instruct the auto-trust-anchor-file probing to del anchors after ttl.
+	# del-holddown: 2592000 # 30 days
+
+	# auto-trust-anchor-file probing removes missing anchors after ttl.
+	# If the value 0 is given, missing anchors are not removed.
+	# keep-missing: 31622400 # 366 days
+
+	# debug option that allows very small holddown times for key rollover,
+	# otherwise the RFC mandates probe intervals must be at least 1 hour.
+	# permit-small-holddown: no
+
+	# the amount of memory to use for the key cache.
+	# plain value in bytes or you can append k, m or G. default is "4Mb".
+	# key-cache-size: 4m
+
+	# the number of slabs to use for the key cache.
+	# the number of slabs must be a power of 2.
+	# more slabs reduce lock contention, but fragment memory usage.
+	# key-cache-slabs: 4
+
+	# the amount of memory to use for the negative cache.
+	# plain value in bytes or you can append k, m or G. default is "1Mb".
+	# neg-cache-size: 1m
+
+	# By default, for a number of zones a small default 'nothing here'
+	# reply is built-in.  Query traffic is thus blocked.  If you
+	# wish to serve such zone you can unblock them by uncommenting one
+	# of the nodefault statements below.
+	# You may also have to use domain-insecure: zone to make DNSSEC work,
+	# unless you have your own trust anchors for this zone.
+	# local-zone: "localhost." nodefault
+	# local-zone: "127.in-addr.arpa." nodefault
+	# local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
+	# local-zone: "onion." nodefault
+	# local-zone: "test." nodefault
+	# local-zone: "invalid." nodefault
+	# local-zone: "10.in-addr.arpa." nodefault
+	# local-zone: "16.172.in-addr.arpa." nodefault
+	# local-zone: "17.172.in-addr.arpa." nodefault
+	# local-zone: "18.172.in-addr.arpa." nodefault
+	# local-zone: "19.172.in-addr.arpa." nodefault
+	# local-zone: "20.172.in-addr.arpa." nodefault
+	# local-zone: "21.172.in-addr.arpa." nodefault
+	# local-zone: "22.172.in-addr.arpa." nodefault
+	# local-zone: "23.172.in-addr.arpa." nodefault
+	# local-zone: "24.172.in-addr.arpa." nodefault
+	# local-zone: "25.172.in-addr.arpa." nodefault
+	# local-zone: "26.172.in-addr.arpa." nodefault
+	# local-zone: "27.172.in-addr.arpa." nodefault
+	# local-zone: "28.172.in-addr.arpa." nodefault
+	# local-zone: "29.172.in-addr.arpa." nodefault
+	# local-zone: "30.172.in-addr.arpa." nodefault
+	# local-zone: "31.172.in-addr.arpa." nodefault
+	# local-zone: "168.192.in-addr.arpa." nodefault
+	# local-zone: "0.in-addr.arpa." nodefault
+	# local-zone: "254.169.in-addr.arpa." nodefault
+	# local-zone: "2.0.192.in-addr.arpa." nodefault
+	# local-zone: "100.51.198.in-addr.arpa." nodefault
+	# local-zone: "113.0.203.in-addr.arpa." nodefault
+	# local-zone: "255.255.255.255.in-addr.arpa." nodefault
+	# local-zone: "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
+	# local-zone: "d.f.ip6.arpa." nodefault
+	# local-zone: "8.e.f.ip6.arpa." nodefault
+	# local-zone: "9.e.f.ip6.arpa." nodefault
+	# local-zone: "a.e.f.ip6.arpa." nodefault
+	# local-zone: "b.e.f.ip6.arpa." nodefault
+	# local-zone: "8.b.d.0.1.0.0.2.ip6.arpa." nodefault
+	# And for 64.100.in-addr.arpa. to 127.100.in-addr.arpa.
+
+	# Add example.com into ipset
+	# local-zone: "example.com" ipset
+
+	# If unbound is running service for the local host then it is useful
+	# to perform lan-wide lookups to the upstream, and unblock the
+	# long list of local-zones above.  If this unbound is a dns server
+	# for a network of computers, disabled is better and stops information
+	# leakage of local lan information.
+	# unblock-lan-zones: no
+
+	# The insecure-lan-zones option disables validation for
+	# these zones, as if they were all listed as domain-insecure.
+	# insecure-lan-zones: no
+
+	# a number of locally served zones can be configured.
+	# 	local-zone: <zone> <type>
+	# 	local-data: "<resource record string>"
+	# o deny serves local data (if any), else, drops queries.
+	# o refuse serves local data (if any), else, replies with error.
+	# o static serves local data, else, nxdomain or nodata answer.
+	# o transparent gives local data, but resolves normally for other names
+	# o redirect serves the zone data for any subdomain in the zone.
+	# o nodefault can be used to normally resolve AS112 zones.
+	# o typetransparent resolves normally for other types and other names
+	# o inform acts like transparent, but logs client IP address
+	# o inform_deny drops queries and logs client IP address
+	# o inform_redirect redirects queries and logs client IP address
+	# o always_transparent, always_refuse, always_nxdomain, always_nodata,
+	#   always_deny resolve in that way but ignore local data for
+	#   that name
+	# o always_null returns 0.0.0.0 or ::0 for any name in the zone.
+	# o noview breaks out of that view towards global local-zones.
+	#
+	# defaults are localhost address, reverse for 127.0.0.1 and ::1
+	# and nxdomain for AS112 zones. If you configure one of these zones
+	# the default content is omitted, or you can omit it with 'nodefault'.
+	#
+	# If you configure local-data without specifying local-zone, by
+	# default a transparent local-zone is created for the data.
+	#
+	# You can add locally served data with
+	# local-zone: "local." static
+	# local-data: "mycomputer.local. IN A 192.0.2.51"
+	# local-data: 'mytext.local TXT "content of text record"'
+	#
+	# You can override certain queries with
+	# local-data: "adserver.example.com A 127.0.0.1"
+	#
+	# You can redirect a domain to a fixed address with
+	# (this makes example.com, www.example.com, etc, all go to 192.0.2.3)
+	# local-zone: "example.com" redirect
+	# local-data: "example.com A 192.0.2.3"
+	#
+	# Shorthand to make PTR records, "IPv4 name" or "IPv6 name".
+	# You can also add PTR records using local-data directly, but then
+	# you need to do the reverse notation yourself.
+	# local-data-ptr: "192.0.2.3 www.example.com"
+
+	include: /etc/unbound/local.d/*.conf
+
+	# tag a localzone with a list of tag names (in "" with spaces between)
+	# local-zone-tag: "example.com" "tag2 tag3"
+
+	# add a netblock specific override to a localzone, with zone type
+	# local-zone-override: "example.com" 192.0.2.0/24 refuse
+
+	# service clients over TLS (on the TCP sockets) with plain DNS inside
+	# the TLS stream, and over HTTPS using HTTP/2 as specified in RFC8484.
+	# Give the certificate to use and private key.
+	# default is "" (disabled).  requires restart to take effect.
+	# tls-service-key: "/etc/unbound/unbound_server.key"
+	# tls-service-pem: "/etc/unbound/unbound_server.pem"
+	# tls-port: 853
+	# https-port: 443
+
+	# cipher setting for TLSv1.2
+	# tls-ciphers: "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256"
+	# cipher setting for TLSv1.3
+	# tls-ciphersuites: "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_8_SHA256:TLS_AES_128_CCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256"
+	# Fedora/RHEL: use system-wide crypto policies
+	tls-ciphers: "PROFILE=SYSTEM"
+	# TODO: ask system-wide crypto people what to use here
+	#tls-ciphersuites: "PROFILE=SYSTEM" # does not work
+
+	# Pad responses to padded queries received over TLS
+	# pad-responses: yes
+
+	# Padded responses will be padded to the closest multiple of this size.
+	# pad-responses-block-size: 468
+
+	# Use the SNI extension for TLS connections.  Default is yes.
+	# Changing the value requires a reload.
+	# tls-use-sni: yes
+
+	# Add the secret file for TLS Session Ticket.
+	# Secret file must be 80 bytes of random data.
+	# First key use to encrypt and decrypt TLS session tickets.
+	# Other keys use to decrypt only.
+	# requires restart to take effect.
+	# tls-session-ticket-keys: "path/to/secret_file1"
+	# tls-session-ticket-keys: "path/to/secret_file2"
+
+	# request upstream over TLS (with plain DNS inside the TLS stream).
+	# Default is no.  Can be turned on and off with unbound-control.
+	# tls-upstream: no
+
+	# Certificates used to authenticate connections made upstream.
+	# tls-cert-bundle: ""
+
+	# Add system certs to the cert bundle, from the Windows Cert Store
+	# tls-win-cert: no
+
+	# Pad queries over TLS upstreams
+	# pad-queries: yes
+
+	# Padded queries will be padded to the closest multiple of this size.
+	# pad-queries-block-size: 128
+
+	# Also serve tls on these port numbers (eg. 443, ...), by listing
+	# tls-additional-port: portno for each of the port numbers.
+
+	# HTTP endpoint to provide DNS-over-HTTPS service on.
+	# http-endpoint: "/dns-query"
+
+	# HTTP/2 SETTINGS_MAX_CONCURRENT_STREAMS value to use.
+	# http-max-streams: 100
+
+	# Maximum number of bytes used for all HTTP/2 query buffers.
+	# http-query-buffer-size: 4m
+
+	# Maximum number of bytes used for all HTTP/2 response buffers.
+	# http-response-buffer-size: 4m
+
+	# Set TCP_NODELAY socket option on sockets used for DNS-over-HTTPS
+	# service.
+	# http-nodelay: yes
+
+	# Disable TLS for DNS-over-HTTP downstream service.
+	# http-notls-downstream: no
+
+	# DNS64 prefix. Must be specified when DNS64 is use.
+	# Enable dns64 in module-config.  Used to synthesize IPv6 from IPv4.
+	# dns64-prefix: 64:ff9b::0/96
+
+	# DNS64 ignore AAAA records for these domains and use A instead.
+	# dns64-ignore-aaaa: "example.com"
+
+	# ratelimit for uncached, new queries, this limits recursion effort.
+	# ratelimiting is experimental, and may help against randomqueryflood.
+	# if 0(default) it is disabled, otherwise state qps allowed per zone.
+	# ratelimit: 0
+
+	# ratelimits are tracked in a cache, size in bytes of cache (or k,m).
+	# ratelimit-size: 4m
+	# ratelimit cache slabs, reduces lock contention if equal to cpucount.
+	# ratelimit-slabs: 4
+
+	# 0 blocks when ratelimited, otherwise let 1/xth traffic through
+	# ratelimit-factor: 10
+
+	# override the ratelimit for a specific domain name.
+	# give this setting multiple times to have multiple overrides.
+	# ratelimit-for-domain: example.com 1000
+	# override the ratelimits for all domains below a domain name
+	# can give this multiple times, the name closest to the zone is used.
+	# ratelimit-below-domain: com 1000
+
+	# global query ratelimit for all ip addresses.
+	# feature is experimental.
+	# if 0(default) it is disabled, otherwise states qps allowed per ip address
+	# ip-ratelimit: 0
+
+	# ip ratelimits are tracked in a cache, size in bytes of cache (or k,m).
+	# ip-ratelimit-size: 4m
+	# ip ratelimit cache slabs, reduces lock contention if equal to cpucount.
+	# ip-ratelimit-slabs: 4
+
+	# 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
+	# ip-ratelimit-factor: 10
+
+	# Limit the number of connections simultaneous from a netblock
+	# tcp-connection-limit: 192.0.2.0/24 12
+
+	# select from the fastest servers this many times out of 1000. 0 means
+	# the fast server select is disabled. prefetches are not sped up.
+	# fast-server-permil: 0
+	# the number of servers that will be used in the fast server selection.
+	# fast-server-num: 3
+
+	# Specific options for ipsecmod. unbound needs to be configured with
+	# --enable-ipsecmod for these to take effect.
+	#
+	# Enable or disable ipsecmod (it still needs to be defined in
+	# module-config above). Can be used when ipsecmod needs to be
+	# enabled/disabled via remote-control(below).
+	# Fedora: module will be enabled on-demand by libreswan
+	ipsecmod-enabled: no
+
+	# Path to executable external hook. It must be defined when ipsecmod is
+	# listed in module-config (above).
+	# ipsecmod-hook: "./my_executable"
+	ipsecmod-hook:/usr/libexec/ipsec/_unbound-hook
+
+	# When enabled unbound will reply with SERVFAIL if the return value of
+	# the ipsecmod-hook is not 0.
+	# ipsecmod-strict: no
+	#
+	# Maximum time to live (TTL) for cached A/AAAA records with IPSECKEY.
+	# ipsecmod-max-ttl: 3600
+	#
+	# Reply with A/AAAA even if the relevant IPSECKEY is bogus. Mainly used for
+	# testing.
+	# ipsecmod-ignore-bogus: no
+	#
+	# Domains for which ipsecmod will be triggered. If not defined (default)
+	# all domains are treated as being allowed.
+	# ipsecmod-allow: "example.com"
+	# ipsecmod-allow: "nlnetlabs.nl"
+
+	# Timeout for REUSE entries in milliseconds.
+	# tcp-reuse-timeout: 60000
+	# Max number of queries on a reuse connection.
+	# max-reuse-tcp-queries: 200
+	# Timeout in milliseconds for TCP queries to auth servers.
+	# tcp-auth-query-timeout: 3000
+
+# Python config section. To enable:
+# o use --with-pythonmodule to configure before compiling.
+# o list python in the module-config string (above) to enable.
+#   It can be at the start, it gets validated results, or just before
+#   the iterator and process before DNSSEC validation.
+# o and give a python-script to run.
+python:
+	# Script file to load
+	# python-script: "/etc/unbound/ubmodule-tst.py"
+
+# Dynamic library config section. To enable:
+# o use --with-dynlibmodule to configure before compiling.
+# o list dynlib in the module-config string (above) to enable.
+#   It can be placed anywhere, the dynlib module is only a very thin wrapper
+#   to load modules dynamically.
+# o and give a dynlib-file to run. If more than one dynlib entry is listed in
+#   the module-config then you need one dynlib-file per instance.
+dynlib:
+	# Script file to load
+	# dynlib-file: "/etc/unbound/dynlib.so"
+
+# Remote control config section.
+remote-control:
+	# Enable remote control with unbound-control(8) here.
+	# set up the keys and certificates with unbound-control-setup.
+	# Note: required for unbound-munin package
+    control-enable: yes
+
+	# Set to no and use an absolute path as control-interface to use
+	# a unix local named pipe for unbound-control.
+	# control-use-cert: yes
+
+	# what interfaces are listened to for remote control.
+	# give 0.0.0.0 and ::0 to listen to all interfaces.
+	# set to an absolute path to use a unix local name pipe, certificates
+	# are not used for that, so key and cert files need not be present.
+	# control-interface: 127.0.0.1
+	# control-interface: ::1
+
+	# port number for remote control operations.
+	# control-port: 8953
+
+	# for localhost, you can disable use of TLS by setting this to "no"
+	# For local sockets this option is ignored, and TLS is not used.
+	control-use-cert: "no"
+
+	# unbound server key file.
+	# GNUNUX server-key-file: "/etc/unbound/unbound_server.key"
+
+	# unbound server certificate file.
+	# GNUNUX server-cert-file: "/etc/unbound/unbound_server.pem"
+
+	# unbound-control key file.
+	# GNUNUX control-key-file: "/etc/unbound/unbound_control.key"
+
+	# unbound-control certificate file.
+	# GNUNUX control-cert-file: "/etc/unbound/unbound_control.pem"
+
+# Stub and Forward zones
+include: /etc/unbound/conf.d/*.conf
+
+# Stub zones.
+# Create entries like below, to make all queries for 'example.com' and
+# 'example.org' go to the given list of nameservers. list zero or more
+# nameservers by hostname or by ipaddress. If you set stub-prime to yes,
+# the list is treated as priming hints (default is no).
+# With stub-first yes, it attempts without the stub if it fails.
+# Consider adding domain-insecure: name and local-zone: name nodefault
+# to the server: section if the stub is a locally served zone.
+# stub-zone:
+#	name: "example.com"
+#	stub-addr: 192.0.2.68
+#	stub-prime: no
+#	stub-first: no
+#	stub-tls-upstream: no
+#	stub-no-cache: no
+# stub-zone:
+#	name: "example.org"
+#	stub-host: ns.example.com.
+
+# You can now also dynamically create and delete stub-zone's using
+# unbound-control stub_add domain.com 1.2.3.4 5.6.7.8
+# unbound-control stub_remove domain.com 1.2.3.4 5.6.7.8
+
+# Forward zones
+# Create entries like below, to make all queries for 'example.com' and
+# 'example.org' go to the given list of servers. These servers have to handle
+# recursion to other nameservers. List zero or more nameservers by hostname
+# or by ipaddress. Use an entry with name "." to forward all queries.
+# If you enable forward-first, it attempts without the forward if it fails.
+# forward-zone:
+# 	name: "example.com"
+# 	forward-addr: 192.0.2.68
+# 	forward-addr: 192.0.2.73@5355  # forward to port 5355.
+# 	forward-first: no
+# 	forward-tls-upstream: no
+#	forward-no-cache: no
+# forward-zone:
+# 	name: "example.org"
+# 	forward-host: fwd.example.com
+#
+# You can now also dynamically create and delete forward-zone's using
+# unbound-control forward_add domain.com 1.2.3.4 5.6.7.8
+# unbound-control forward_remove domain.com 1.2.3.4 5.6.7.8
+
+# Authority zones
+# The data for these zones is kept locally, from a file or downloaded.
+# The data can be served to downstream clients, or used instead of the
+# upstream (which saves a lookup to the upstream).  The first example
+# has a copy of the root for local usage.  The second serves example.org
+# authoritatively.  zonefile: reads from file (and writes to it if you also
+# download it), master: fetches with AXFR and IXFR, or url to zonefile.
+# With allow-notify: you can give additional (apart from masters) sources of
+# notifies.
+auth-zone:
+	name: "."
+	primary: 199.9.14.201         # b.root-servers.net
+	primary: 192.33.4.12          # c.root-servers.net
+	primary: 199.7.91.13          # d.root-servers.net
+	primary: 192.5.5.241          # f.root-servers.net
+	primary: 192.112.36.4         # g.root-servers.net
+	primary: 193.0.14.129         # k.root-servers.net
+	primary: 192.0.47.132         # xfr.cjr.dns.icann.org
+	primary: 192.0.32.132         # xfr.lax.dns.icann.org
+	primary: 2001:500:200::b      # b.root-servers.net
+	primary: 2001:500:2::c        # c.root-servers.net
+	primary: 2001:500:2d::d       # d.root-servers.net
+	primary: 2001:500:2f::f       # f.root-servers.net
+	primary: 2001:500:12::d0d     # g.root-servers.net
+	primary: 2001:7fd::1          # k.root-servers.net
+	primary: 2620:0:2830:202::132 # xfr.cjr.dns.icann.org
+	primary: 2620:0:2d0:202::132  # xfr.lax.dns.icann.org
+	fallback-enabled: yes
+	for-downstream: no
+	for-upstream: yes
+
+# auth-zone:
+#	name: "example.org"
+#	for-downstream: yes
+#	for-upstream: yes
+#	zonemd-check: no
+#	zonemd-reject-absence: no
+#	zonefile: "example.org.zone"
+
+# Views
+# Create named views. Name must be unique. Map views to requests using
+# the access-control-view option. Views can contain zero or more local-zone
+# and local-data options. Options from matching views will override global
+# options. Global options will be used if no matching view is found.
+# With view-first yes, it will try to answer using the global local-zone and
+# local-data elements if there is no view specific match.
+# view:
+#	name: "viewname"
+#	local-zone: "example.com" redirect
+#	local-data: "example.com A 192.0.2.3"
+#	local-data-ptr: "192.0.2.3 www.example.com"
+#	view-first: no
+# view:
+#	name: "anotherview"
+#	local-zone: "example.com" refuse
+
+# Fedora: DNSCrypt support not enabled since it requires linking to
+#         another crypto library
+#
+# DNSCrypt
+# Caveats:
+# 1. the keys/certs cannot be produced by unbound. You can use dnscrypt-wrapper
+#   for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
+# 2. dnscrypt channel attaches to an interface. you MUST set interfaces to
+#   listen on `dnscrypt-port` with the follo0wing snippet:
+# server:
+#     interface: 0.0.0.0@443
+#     interface: ::0@443
+#
+# Finally, `dnscrypt` config has its own section.
+# dnscrypt:
+#     dnscrypt-enable: yes
+#     dnscrypt-port: 443
+#     dnscrypt-provider: 2.dnscrypt-cert.example.com.
+#     dnscrypt-secret-key: /path/unbound-conf/keys1/1.key
+#     dnscrypt-secret-key: /path/unbound-conf/keys2/1.key
+#     dnscrypt-provider-cert: /path/unbound-conf/keys1/1.cert
+#     dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert
+
+# CacheDB
+# Enable external backend DB as auxiliary cache.  Specify the backend name
+# (default is "testframe", which has no use other than for debugging and
+# testing) and backend-specific options.  The 'cachedb' module must be
+# included in module-config, just before the iterator module.
+# cachedb:
+#     backend: "testframe"
+#     # secret seed string to calculate hashed keys
+#     secret-seed: "default"
+#
+#     # For "redis" backend:
+#     # redis server's IP address or host name
+#     redis-server-host: 127.0.0.1
+#     # redis server's TCP port
+#     redis-server-port: 6379
+#     # timeout (in ms) for communication with the redis server
+#     redis-timeout: 100
+#     # set timeout on redis records based on DNS response TTL
+#     redis-expire-records: no
+
+# IPSet
+# Add specify domain into set via ipset.
+# Note: To enable ipset unbound needs to run as root user.
+# ipset:
+#     # set name for ip v4 addresses
+#     name-v4: "list-v4"
+#     # set name for ip v6 addresses
+#     name-v6: "list-v6"
+#
+
+# Dnstap logging support, if compiled in.  To enable, set the dnstap-enable
+# to yes and also some of dnstap-log-..-messages to yes.  And select an
+# upstream log destination, by socket path, TCP or TLS destination.
+# dnstap:
+# 	dnstap-enable: no
+# 	# if set to yes frame streams will be used in bidirectional mode
+# 	dnstap-bidirectional: yes
+# 	dnstap-socket-path: "/etc/unbound/dnstap.sock"
+# 	# if "" use the unix socket in dnstap-socket-path, otherwise,
+# 	# set it to "IPaddress[@port]" of the destination.
+# 	dnstap-ip: ""
+# 	# if set to yes if you want to use TLS to dnstap-ip, no for TCP.
+# 	dnstap-tls: yes
+# 	# name for authenticating the upstream server. or "" disabled.
+# 	dnstap-tls-server-name: ""
+# 	# if "", it uses the cert bundle from the main unbound config.
+# 	dnstap-tls-cert-bundle: ""
+# 	# key file for client authentication, or "" disabled.
+# 	dnstap-tls-client-key-file: ""
+# 	# cert file for client authentication, or "" disabled.
+# 	dnstap-tls-client-cert-file: ""
+# 	dnstap-send-identity: no
+# 	dnstap-send-version: no
+# 	# if "" it uses the hostname.
+# 	dnstap-identity: ""
+# 	# if "" it uses the package version.
+# 	dnstap-version: ""
+# 	dnstap-log-resolver-query-messages: no
+# 	dnstap-log-resolver-response-messages: no
+# 	dnstap-log-client-query-messages: no
+# 	dnstap-log-client-response-messages: no
+# 	dnstap-log-forwarder-query-messages: no
+# 	dnstap-log-forwarder-response-messages: no
+
+# Response Policy Zones
+# RPZ policies. Applied in order of configuration. QNAME and Response IP
+# Address trigger are the only supported triggers. Supported actions are:
+# NXDOMAIN, NODATA, PASSTHRU, DROP and Local Data. Policies can be loaded from
+# file, using zone transfer, or using HTTP. The respip module needs to be added
+# to the module-config, e.g.: module-config: "respip validator iterator".
+# rpz:
+#     name: "rpz.example.com"
+#     zonefile: "rpz.example.com"
+#     primary: 192.0.2.0
+#     allow-notify: 192.0.2.0/32
+#     url: http://www.example.com/rpz.example.org.zone
+#     rpz-action-override: cname
+#     rpz-cname-override: www.example.org
+#     rpz-log: yes
+#     rpz-log-name: "example policy"
+#     tags: "example"
diff --git a/seed/applicationservice/2022.03.08/unbound/templates/unbound.service b/seed/applicationservice/2022.03.08/unbound/templates/unbound.service
new file mode 100644
index 0000000..1d18c9d
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/unbound/templates/unbound.service
@@ -0,0 +1,4 @@
+[Service]
+ExecStartPre=
+ExecStartPre=-/usr/sbin/unbound-anchor -a /srv/unbound/root.key -c /etc/unbound/icannbundle.pem -f /etc/resolv.conf -R -4
+ExecStartPre=/usr/sbin/unbound-checkconf
diff --git a/seed/applicationservice/2022.03.08/vaultwarden/applicationservice.yml b/seed/applicationservice/2022.03.08/vaultwarden/applicationservice.yml
new file mode 100644
index 0000000..fd7e1ac
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/vaultwarden/applicationservice.yml
@@ -0,0 +1,7 @@
+format: '0.1'
+description: Vaultwarden
+depends:
+  - base-fedora-35
+  - postgresql-client
+  - relay-mail-client
+  - reverse-proxy-client
diff --git a/seed/applicationservice/2022.03.08/vaultwarden/dictionaries/20_vaultwarden.xml b/seed/applicationservice/2022.03.08/vaultwarden/dictionaries/20_vaultwarden.xml
new file mode 100644
index 0000000..a96440d
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/vaultwarden/dictionaries/20_vaultwarden.xml
@@ -0,0 +1,46 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name="vaultwarden" target="multi-user">
+      <override/>
+      <file engine="none" source="tmpfile-vaultwarden.conf">/tmpfiles.d/0vaultwarden.conf</file>
+      <file source="vaultwarden_config.env">/etc/vaultwarden/config.env</file>
+    </service>
+  </services>
+  <variables>
+    <family name="nginx">
+      <variable name="revprox_client_location" redefine="True">
+        <value>/vaultwarden</value>
+      </variable>
+      <variable name="revprox_client_cert_group" redefine="True" hidden="True">
+        <value>vaultwarden</value>
+      </variable>
+    </family>
+    <family name="vaultwarden" description="Vaultwarden">
+      <variable name="password_admin_username" description="Nom de l'utilisateur Risotto de Vaultwarden" auto_freeze="True">
+        <value>risotto</value>
+      </variable>
+      <variable name="vaultwarden_admin_email" type="mail" description="Adresse courriel de l'utilisateur Risotto" mandatory="True"/>
+      <variable name="vaultwarden_admin_password" type="password" description="Mot de passe de l'utilisateur Risotto" auto_save="True" hidden="True"/>
+      <variable name="vaultwarden_device_identifier" description="Identifiant de l'appareil se connectant" auto_save="True" hidden="True"/>
+      <variable name="vaultwarden_length" type="number" description="Taille par défaut du mot de passe">
+        <value>20</value>
+      </variable>
+      <variable name="vaultwarden_org_name" description="Nom de l'organisation lors de l'envoi des invitations" mandatory="True">
+        <value>Vaultwarden</value>
+      </variable>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="get_password">
+      <param name="server_name" type="variable">domain_name_eth0</param>
+      <param name="username">admin_password</param>
+      <param name="description">vaultwarden</param>
+      <param name="type">cleartext</param>
+      <target>vaultwarden_admin_password</target>
+    </fill>
+    <fill name="gen_uuid">
+      <target>vaultwarden_device_identifier</target>
+    </fill>
+  </constraints>
+</rougail>
diff --git a/seed/applicationservice/2022.03.08/vaultwarden/funcs/risotto_setting.py b/seed/applicationservice/2022.03.08/vaultwarden/funcs/risotto_setting.py
new file mode 100644
index 0000000..a400771
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/vaultwarden/funcs/risotto_setting.py
@@ -0,0 +1,6 @@
+from uuid import uuid4 as _uuid4
+
+
+def gen_uuid():
+    return str(_uuid4())
+
diff --git a/seed/applicationservice/2022.03.08/vaultwarden/funcs/vaultwarden.py b/seed/applicationservice/2022.03.08/vaultwarden/funcs/vaultwarden.py
new file mode 100644
index 0000000..a400771
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/vaultwarden/funcs/vaultwarden.py
@@ -0,0 +1,6 @@
+from uuid import uuid4 as _uuid4
+
+
+def gen_uuid():
+    return str(_uuid4())
+
diff --git a/seed/applicationservice/2022.03.08/vaultwarden/manual/image/preinstall/vaultwarden.sh b/seed/applicationservice/2022.03.08/vaultwarden/manual/image/preinstall/vaultwarden.sh
new file mode 100644
index 0000000..8d96f88
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/vaultwarden/manual/image/preinstall/vaultwarden.sh
@@ -0,0 +1,2 @@
+PKG="$PKG vaultwarden-postgresql"
+COPR="https://copr.fedorainfracloud.org/coprs/dusc/vaultwarden/repo/fedora-35/dusc-vaultwarden-fedora-35.repo"
diff --git a/seed/applicationservice/2022.03.08/vaultwarden/templates/tmpfile-vaultwarden.conf b/seed/applicationservice/2022.03.08/vaultwarden/templates/tmpfile-vaultwarden.conf
new file mode 100644
index 0000000..0b2b231
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/vaultwarden/templates/tmpfile-vaultwarden.conf
@@ -0,0 +1 @@
+d /srv/vaultwarden 750 vaultwarden vaultwarden - -
diff --git a/seed/applicationservice/2022.03.08/vaultwarden/templates/vaultwarden.service b/seed/applicationservice/2022.03.08/vaultwarden/templates/vaultwarden.service
new file mode 100644
index 0000000..eb6b284
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/vaultwarden/templates/vaultwarden.service
@@ -0,0 +1,9 @@
+[Service]
+PrivateDevices=false
+ProtectHome=false
+ProtectSystem=false
+LimitNOFILE=
+LimitNPROC=
+WorkingDirectory=/srv/vaultwarden
+ReadWriteDirectories=
+ReadWriteDirectories=
diff --git a/seed/applicationservice/2022.03.08/vaultwarden/templates/vaultwarden_config.env b/seed/applicationservice/2022.03.08/vaultwarden/templates/vaultwarden_config.env
new file mode 100644
index 0000000..7515fc4
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/vaultwarden/templates/vaultwarden_config.env
@@ -0,0 +1,369 @@
+## Vaultwarden Configuration File
+## Uncomment any of the following lines to change the defaults
+##
+## Be aware that most of these settings will be overridden if they were changed
+## in the admin interface. Those overrides are stored within DATA_FOLDER/config.json .
+
+## Main data folder
+DATA_FOLDER=/srv/vaultwarden
+
+## Database URL
+## When using SQLite, this is the path to the DB file, default to %DATA_FOLDER%/db.sqlite3
+# DATABASE_URL=data/db.sqlite3
+## When using MySQL, specify an appropriate connection URI.
+## Details: https://docs.diesel.rs/diesel/mysql/struct.MysqlConnection.html
+# DATABASE_URL=mysql://user:password@host[:port]/database_name
+## When using PostgreSQL, specify an appropriate connection URI (recommended)
+## or keyword/value connection string.
+## Details:
+## - https://docs.diesel.rs/diesel/pg/struct.PgConnection.html
+## - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
+# DATABASE_URL=postgresql://user:password@host[:port]/database_name
+#>GNUNUX
+DATABASE_URL=postgresql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database
+#<GNUNUX
+
+## Database max connections
+## Define the size of the connection pool used for connecting to the database.
+# DATABASE_MAX_CONNS=10
+
+## Individual folders, these override %DATA_FOLDER%
+# RSA_KEY_FILENAME=data/rsa_key
+# ICON_CACHE_FOLDER=data/icon_cache
+# ATTACHMENTS_FOLDER=data/attachments
+# SENDS_FOLDER=data/sends
+
+## Templates data folder, by default uses embedded templates
+## Check source code to see the format
+# TEMPLATES_FOLDER=/path/to/templates
+## Automatically reload the templates for every request, slow, use only for development
+# RELOAD_TEMPLATES=false
+
+## Client IP Header, used to identify the IP of the client, defaults to "X-Client-IP"
+## Set to the string "none" (without quotes), to disable any headers and just use the remote IP
+# IP_HEADER=X-Real-IP
+#>GNUNUX
+IP_HEADER=X-Real-IP
+#<GNUNUX
+
+## Cache time-to-live for successfully obtained icons, in seconds (0 is "forever")
+# ICON_CACHE_TTL=2592000
+## Cache time-to-live for icons which weren't available, in seconds (0 is "forever")
+# ICON_CACHE_NEGTTL=259200
+
+## Web vault settings
+WEB_VAULT_FOLDER=/usr/share/vaultwarden/
+WEB_VAULT_ENABLED=true
+
+## Enables websocket notifications
+# WEBSOCKET_ENABLED=false
+
+## Controls the WebSocket server address and port
+# WEBSOCKET_ADDRESS=0.0.0.0
+# WEBSOCKET_PORT=3012
+
+## Controls whether users are allowed to create Bitwarden Sends.
+## This setting applies globally to all users.
+## To control this on a per-org basis instead, use the "Disable Send" org policy.
+# SENDS_ALLOWED=true
+
+## Controls whether users can enable emergency access to their accounts.
+## This setting applies globally to all users.
+# EMERGENCY_ACCESS_ALLOWED=true
+
+## Job scheduler settings
+##
+## Job schedules use a cron-like syntax (as parsed by https://crates.io/crates/cron),
+## and are always in terms of UTC time (regardless of your local time zone settings).
+##
+## How often (in ms) the job scheduler thread checks for jobs that need running.
+## Set to 0 to globally disable scheduled jobs.
+# JOB_POLL_INTERVAL_MS=30000
+##
+## Cron schedule of the job that checks for Sends past their deletion date.
+## Defaults to hourly (5 minutes after the hour). Set blank to disable this job.
+# SEND_PURGE_SCHEDULE="0 5 * * * *"
+##
+## Cron schedule of the job that checks for trashed items to delete permanently.
+## Defaults to daily (5 minutes after midnight). Set blank to disable this job.
+# TRASH_PURGE_SCHEDULE="0 5 0 * * *"
+##
+## Cron schedule of the job that checks for incomplete 2FA logins.
+## Defaults to once every minute. Set blank to disable this job.
+# INCOMPLETE_2FA_SCHEDULE="30 * * * * *"
+##
+## Cron schedule of the job that sends expiration reminders to emergency access grantors.
+## Defaults to hourly (5 minutes after the hour). Set blank to disable this job.
+# EMERGENCY_NOTIFICATION_REMINDER_SCHEDULE="0 5 * * * *"
+##
+## Cron schedule of the job that grants emergency access requests that have met the required wait time.
+## Defaults to hourly (5 minutes after the hour). Set blank to disable this job.
+# EMERGENCY_REQUEST_TIMEOUT_SCHEDULE="0 5 * * * *"
+
+## Enable extended logging, which shows timestamps and targets in the logs
+# EXTENDED_LOGGING=true
+
+## Timestamp format used in extended logging.
+## Format specifiers: https://docs.rs/chrono/latest/chrono/format/strftime
+# LOG_TIMESTAMP_FORMAT="%Y-%m-%d %H:%M:%S.%3f"
+
+## Logging to file
+## It's recommended to also set 'ROCKET_CLI_COLORS=off'
+# LOG_FILE=/path/to/log
+
+## Logging to Syslog
+## This requires extended logging
+## It's recommended to also set 'ROCKET_CLI_COLORS=off'
+# USE_SYSLOG=false
+
+## Log level
+## Change the verbosity of the log output
+## Valid values are "trace", "debug", "info", "warn", "error" and "off"
+## Setting it to "trace" or "debug" would also show logs for mounted
+## routes and static file, websocket and alive requests
+# LOG_LEVEL=Info
+
+## Enable WAL for the DB
+## Set to false to avoid enabling WAL during startup.
+## Note that if the DB already has WAL enabled, you will also need to disable WAL in the DB,
+## this setting only prevents vaultwarden from automatically enabling it on start.
+## Please read project wiki page about this setting first before changing the value as it can
+## cause performance degradation or might render the service unable to start.
+# ENABLE_DB_WAL=true
+
+## Database connection retries
+## Number of times to retry the database connection during startup, with 1 second delay between each retry, set to 0 to retry indefinitely
+# DB_CONNECTION_RETRIES=15
+
+## Disable icon downloading
+## Set to true to disable icon downloading, this would still serve icons from $ICON_CACHE_FOLDER,
+## but it won't produce any external network request. Needs to set $ICON_CACHE_TTL to 0,
+## otherwise it will delete them and they won't be downloaded again.
+# DISABLE_ICON_DOWNLOAD=false
+
+## Icon download timeout
+## Configure the timeout value when downloading the favicons.
+## The default is 10 seconds, but this could be to low on slower network connections
+# ICON_DOWNLOAD_TIMEOUT=10
+
+## Icon blacklist Regex
+## Any domains or IPs that match this regex won't be fetched by the icon service.
+## Useful to hide other servers in the local network. Check the WIKI for more details
+## NOTE: Always enclose this regex withing single quotes!
+# ICON_BLACKLIST_REGEX='^(192\.168\.0\.[0-9]+|192\.168\.1\.[0-9]+)$'
+
+## Any IP which is not defined as a global IP will be blacklisted.
+## Useful to secure your internal environment: See https://en.wikipedia.org/wiki/Reserved_IP_addresses for a list of IPs which it will block
+# ICON_BLACKLIST_NON_GLOBAL_IPS=true
+
+## Disable 2FA remember
+## Enabling this would force the users to use a second factor to login every time.
+## Note that the checkbox would still be present, but ignored.
+# DISABLE_2FA_REMEMBER=false
+
+## Maximum attempts before an email token is reset and a new email will need to be sent.
+# EMAIL_ATTEMPTS_LIMIT=3
+
+## Token expiration time
+## Maximum time in seconds a token is valid. The time the user has to open email client and copy token.
+# EMAIL_EXPIRATION_TIME=600
+
+## Email token size
+## Number of digits in an email token (min: 6, max: 19).
+## Note that the Bitwarden clients are hardcoded to mention 6 digit codes regardless of this setting!
+# EMAIL_TOKEN_SIZE=6
+
+## Controls if new users can register
+# SIGNUPS_ALLOWED=true
+
+## Controls if new users need to verify their email address upon registration
+## Note that setting this option to true prevents logins until the email address has been verified!
+## The welcome email will include a verification link, and login attempts will periodically
+## trigger another verification email to be sent.
+# SIGNUPS_VERIFY=false
+
+## If SIGNUPS_VERIFY is set to true, this limits how many seconds after the last time
+## an email verification link has been sent another verification email will be sent
+# SIGNUPS_VERIFY_RESEND_TIME=3600
+
+## If SIGNUPS_VERIFY is set to true, this limits how many times an email verification
+## email will be re-sent upon an attempted login.
+# SIGNUPS_VERIFY_RESEND_LIMIT=6
+
+## Controls if new users from a list of comma-separated domains can register
+## even if SIGNUPS_ALLOWED is set to false
+# SIGNUPS_DOMAINS_WHITELIST=example.com,example.net,example.org
+
+## Controls which users can create new orgs.
+## Blank or 'all' means all users can create orgs (this is the default):
+# ORG_CREATION_USERS=
+## 'none' means no users can create orgs:
+# ORG_CREATION_USERS=none
+## A comma-separated list means only those users can create orgs:
+# ORG_CREATION_USERS=admin1@example.com,admin2@example.com
+
+## Token for the admin interface, preferably use a long random string
+## One option is to use 'openssl rand -base64 48'
+## If not set, the admin panel is disabled
+# ADMIN_TOKEN=Vy2VyYTTsKPv8W5aEOWUbB/Bt3DEKePbHmI4m9VcemUMS2rEviDowNAFqYi1xjmp
+
+## Enable this to bypass the admin panel security. This option is only
+## meant to be used with the use of a separate auth layer in front
+# DISABLE_ADMIN_TOKEN=false
+
+## Invitations org admins to invite users, even when signups are disabled
+# INVITATIONS_ALLOWED=true
+## Name shown in the invitation emails that don't come from a specific organization
+# INVITATION_ORG_NAME=Vaultwarden
+#>GNUNUX
+INVITATION_ORG_NAME=%%vaultwarden_org_name
+#<GNUNUX
+
+## Per-organization attachment storage limit (KB)
+## Max kilobytes of attachment storage allowed per organization.
+## When this limit is reached, organization members will not be allowed to upload further attachments for ciphers owned by that organization.
+# ORG_ATTACHMENT_LIMIT=
+## Per-user attachment storage limit (KB)
+## Max kilobytes of attachment storage allowed per user.
+## When this limit is reached, the user will not be allowed to upload further attachments.
+# USER_ATTACHMENT_LIMIT=
+
+## Number of days to wait before auto-deleting a trashed item.
+## If unset (the default), trashed items are not auto-deleted.
+## This setting applies globally, so make sure to inform all users of any changes to this setting.
+# TRASH_AUTO_DELETE_DAYS=
+
+## Number of minutes to wait before a 2FA-enabled login is considered incomplete,
+## resulting in an email notification. An incomplete 2FA login is one where the correct
+## master password was provided but the required 2FA step was not completed, which
+## potentially indicates a master password compromise. Set to 0 to disable this check.
+## This setting applies globally to all users.
+# INCOMPLETE_2FA_TIME_LIMIT=3
+
+## Controls the PBBKDF password iterations to apply on the server
+## The change only applies when the password is changed
+# PASSWORD_ITERATIONS=100000
+
+## Controls whether a password hint should be shown directly in the web page if
+## SMTP service is not configured. Not recommended for publicly-accessible instances
+## as this provides unauthenticated access to potentially sensitive data.
+# SHOW_PASSWORD_HINT=false
+
+## Domain settings
+## The domain must match the address from where you access the server
+## It's recommended to configure this value, otherwise certain functionality might not work,
+## like attachment downloads, email links and U2F.
+## For U2F to work, the server must use HTTPS, you can use Let's Encrypt for free certs
+# DOMAIN=https://bw.domain.tld:8443
+#>GNUNUX
+DOMAIN=https://%%revprox_client_external_domainname%%revprox_client_location
+#<GNUNUX
+
+## Allowed iframe ancestors (Know the risks!)
+## https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/frame-ancestors
+## Allows other domains to embed the web vault into an iframe, useful for embedding into secure intranets
+## This adds the configured value to the 'Content-Security-Policy' headers 'frame-ancestors' value.
+## Multiple values must be separated with a whitespace.
+# ALLOWED_IFRAME_ANCESTORS=
+
+## Yubico (Yubikey) Settings
+## Set your Client ID and Secret Key for Yubikey OTP
+## You can generate it here: https://upgrade.yubico.com/getapikey/
+## You can optionally specify a custom OTP server
+# YUBICO_CLIENT_ID=11111
+# YUBICO_SECRET_KEY=AAAAAAAAAAAAAAAAAAAAAAAA
+# YUBICO_SERVER=http://yourdomain.com/wsapi/2.0/verify
+
+## Duo Settings
+## You need to configure all options to enable global Duo support, otherwise users would need to configure it themselves
+## Create an account and protect an application as mentioned in this link (only the first step, not the rest):
+## https://help.bitwarden.com/article/setup-two-step-login-duo/#create-a-duo-security-account
+## Then set the following options, based on the values obtained from the last step:
+# DUO_IKEY=<Integration Key>
+# DUO_SKEY=<Secret Key>
+# DUO_HOST=<API Hostname>
+## After that, you should be able to follow the rest of the guide linked above,
+## ignoring the fields that ask for the values that you already configured beforehand.
+
+## Authenticator Settings
+## Disable authenticator time drifted codes to be valid.
+## TOTP codes of the previous and next 30 seconds will be invalid
+##
+## According to the RFC6238 (https://tools.ietf.org/html/rfc6238),
+## we allow by default the TOTP code which was valid one step back and one in the future.
+## This can however allow attackers to be a bit more lucky with there attempts because there are 3 valid codes.
+## You can disable this, so that only the current TOTP Code is allowed.
+## Keep in mind that when a sever drifts out of time, valid codes could be marked as invalid.
+## In any case, if a code has been used it can not be used again, also codes which predates it will be invalid.
+# AUTHENTICATOR_DISABLE_TIME_DRIFT=false
+
+## Rocket specific settings
+## See https://rocket.rs/v0.4/guide/configuration/ for more details.
+# ROCKET_ADDRESS=0.0.0.0
+# ROCKET_PORT=80  # Defaults to 80 in the Docker images, or 8000 otherwise.
+# ROCKET_WORKERS=10
+# ROCKET_TLS={certs="/path/to/certs.pem",key="/path/to/key.pem"}
+#>GNUNUX
+ROCKET_PORT=443
+ROCKET_TLS='{certs="/etc/pki/tls/certs/revproxy.crt",key="/etc/pki/tls/private/revproxy.key"}'
+#<GNUNUX
+
+## Mail specific settings, set SMTP_HOST and SMTP_FROM to enable the mail service.
+## To make sure the email links are pointing to the correct host, set the DOMAIN variable.
+## Note: if SMTP_USERNAME is specified, SMTP_PASSWORD is mandatory
+# SMTP_HOST=smtp.domain.tld
+# SMTP_FROM=vaultwarden@domain.tld
+# SMTP_FROM_NAME=Vaultwarden
+# SMTP_PORT=587          # Ports 587 (submission) and 25 (smtp) are standard without encryption and with encryption via STARTTLS (Explicit TLS). Port 465 is outdated and used with Implicit TLS.
+# SMTP_SSL=true          # (Explicit) - This variable by default configures Explicit STARTTLS, it will upgrade an insecure connection to a secure one. Unless SMTP_EXPLICIT_TLS is set to true. Either port 587 or 25 are default.
+# SMTP_EXPLICIT_TLS=true # (Implicit) - N.B. This variable configures Implicit TLS. It's currently mislabelled (see bug #851) - SMTP_SSL Needs to be set to true for this option to work. Usually port 465 is used here.
+# SMTP_USERNAME=username
+# SMTP_PASSWORD=password
+# SMTP_TIMEOUT=15
+#>GNUNUX
+SMTP_HOST=%%smtp_relay_address
+SMTP_FROM=root@%%domain_name_eth0
+SMTP_FROM_NAME=%%domain_name_eth0
+SMTP_PORT=587
+SMTP_SSL=true
+#SMTP_EXPLICIT_TLS=true
+SMTP_TIMEOUT=15
+SMTP_USERNAME=%%smtp_relay_user@%%ip_eth0
+SMTP_PASSWORD=%%smtp_relay_password
+#<GNUNUX
+
+## Defaults for SSL is "Plain" and "Login" and nothing for Non-SSL connections.
+## Possible values: ["Plain", "Login", "Xoauth2"].
+## Multiple options need to be separated by a comma ','.
+# SMTP_AUTH_MECHANISM="Plain"
+
+## Server name sent during the SMTP HELO
+## By default this value should be is on the machine's hostname,
+## but might need to be changed in case it trips some anti-spam filters
+# HELO_NAME=
+
+## SMTP debugging
+## When set to true this will output very detailed SMTP messages.
+## WARNING: This could contain sensitive information like passwords and usernames! Only enable this during troubleshooting!
+# SMTP_DEBUG=false
+
+## Accept Invalid Hostnames
+## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks!
+## Only use this as a last resort if you are not able to use a valid certificate.
+# SMTP_ACCEPT_INVALID_HOSTNAMES=false
+
+## Accept Invalid Certificates
+## DANGEROUS: This option introduces significant vulnerabilities to man-in-the-middle attacks!
+## Only use this as a last resort if you are not able to use a valid certificate.
+## If the Certificate is valid but the hostname doesn't match, please use SMTP_ACCEPT_INVALID_HOSTNAMES instead.
+# SMTP_ACCEPT_INVALID_CERTS=false
+
+## Require new device emails. When a user logs in an email is required to be sent.
+## If sending the email fails the login attempt will fail!!
+# REQUIRE_DEVICE_EMAIL=false
+
+## HIBP Api Key
+## HaveIBeenPwned API Key, request it here: https://haveibeenpwned.com/API/Key
+# HIBP_API_KEY=
+
+# vim: syntax=ini
diff --git a/seed/applicationservice/releases.yml b/seed/applicationservice/releases.yml
new file mode 100644
index 0000000..986f1a9
--- /dev/null
+++ b/seed/applicationservice/releases.yml
@@ -0,0 +1,2 @@
+stable:
+  target: '2022.03.08'
diff --git a/tests/risotto.conf b/tests/risotto.conf
new file mode 100644
index 0000000..37f000e
--- /dev/null
+++ b/tests/risotto.conf
@@ -0,0 +1,5 @@
+PASSWORD_ADMIN_EMAIL="test@test.com"
+PASSWORD_ADMIN_PASSWORD="xxx"
+PKI_ADMIN_EMAIL="test@test.com"
+PKI_ADMIN_PASSWORD="xxx"
+MESSAGE_PATH="../risotto-message/messages/"
diff --git a/tests/test_adictionaries.py b/tests/test_adictionaries.py
new file mode 100644
index 0000000..41fb330
--- /dev/null
+++ b/tests/test_adictionaries.py
@@ -0,0 +1,187 @@
+from pytest import fixture, mark
+from os import makedirs, listdir, link
+from os.path import isfile, isdir, join, abspath, basename
+from yaml import load, SafeLoader
+from json import dump
+from shutil import rmtree
+from traceback import print_exc
+
+from tiramisu import Config
+from rougail import RougailConvert, RougailConfig
+
+
+FUNCTIONS = b"""from tiramisu import valid_network_netmask, valid_ip_netmask, valid_broadcast, valid_in_network, valid_not_equal as valid_differ, valid_not_equal, calc_value
+# =============================================================
+# fork of risotto-setting/src/risotto_setting/config/config.py
+def get_password(**kwargs):
+    return 'password'
+
+
+def get_ip(**kwargs):
+    return '1.1.1.1'
+
+
+def get_chain(**kwargs):
+    return 'chain'
+
+
+def get_certificate(**kwargs):
+    return 'certificate'
+
+
+def get_private_key(**kwargs):
+    return 'private_key'
+
+
+def get_linked_configuration(**kwargs):
+    if 'test' in kwargs and kwargs['test']:
+        return kwargs['test'][0]
+    if kwargs.get('multi', False) is True:
+        return ['configuration']
+    return 'configuration'
+
+
+def get_certificates(**kwargs):
+    return ["XXXX", "YYYY", "ZZZZ"]
+
+
+def zone_information(*args, **kwargs):
+    return "192.168.0.0/24"
+# =============================================================
+
+"""
+
+
+def tiramisu_display_name(kls,
+                          dyn_name: 'Base'=None,
+                          suffix: str=None,
+                          ) -> str:
+    if dyn_name is not None:
+        name = dyn_name
+    else:
+        name = kls.impl_getname()
+    return name
+
+
+GENERATED_DIR = 'generated'
+if isdir(GENERATED_DIR):
+    rmtree(GENERATED_DIR)
+
+
+applications = {}
+
+
+test_ok = []
+for distrib in listdir('seed'):
+    distrib_dir = join('seed', distrib, 'applicationservice')
+    if isdir(distrib_dir):
+        for release in listdir(distrib_dir):
+            release_dir = join(distrib_dir, release)
+            if isdir(release_dir):
+                for applicationservice in listdir(release_dir):
+                    applicationservice_dir = join(release_dir, applicationservice)
+                    if isdir(applicationservice_dir):
+                        if applicationservice in applications:
+                            raise Exception('multi applicationservice')
+                        applications[applicationservice] = applicationservice_dir
+                        if isdir(join(applicationservice_dir, 'dictionaries')):
+                            test_ok.append(applicationservice_dir)
+
+
+
+@fixture(scope="module", params=test_ok)
+def test_dir(request):
+    return request.param
+
+
+def calc_depends(xmls, appname):
+    application = join(applications[appname], 'applicationservice.yml')
+    with open(application) as yaml:
+        app = load(yaml, Loader=SafeLoader)
+
+    if 'depends' in app and app['depends']:
+        for xml in app['depends']:
+            if xml not in xmls:
+                xmls.insert(0, xml)
+            calc_depends(xmls, xml)
+
+
+@mark.asyncio
+async def test_template(test_dir):
+#    if test_dir != 'seed/eole/applicationservice/2020.1.1/eole-lemonldap-ng':
+#        return
+#    if test_dir in [
+#                    'seed/eole/applicationservice/2020.1.1/eole-proxy',
+#                    'seed/eole/applicationservice/2020.1.1/eole-bareos',
+#                    ]:
+#        return
+    if not isdir(GENERATED_DIR):
+        makedirs(GENERATED_DIR)
+    test_name = basename(test_dir)
+    root_dir = f'{GENERATED_DIR}/{test_name}'
+    tmp_dir = f'{root_dir}/tmp'
+    funcs_dir = f'{root_dir}/funcs'
+    for dirname in [root_dir, tmp_dir, funcs_dir]:
+        if isdir(dirname):
+            rmtree(dirname)
+        makedirs(dirname)
+    print()
+    print('>', test_dir)
+    test_file = test_dir.rsplit('/', 1)[-1]
+    xmls = [test_file]
+    calc_depends(xmls, test_file)
+    print('  o dependencies: ' + ', '.join(xmls))
+    with open(f'{root_dir}/dependencies.txt', 'w') as fh:
+        dump(xmls, fh)
+    dictionaries = [join(applications[xml], 'dictionaries') for xml in xmls if isdir(join(applications[xml], 'dictionaries'))]
+    if 'risotto_setting.rougail' not in RougailConfig['extra_annotators']:
+        RougailConfig['extra_annotators'].append('risotto_setting.rougail')
+    RougailConfig['dictionaries_dir'] = dictionaries
+    print('  o dictionaries: ' + ', '.join(dictionaries))
+    RougailConfig['extra_dictionaries'] = {}
+    extra_dictionaries = []
+    for xml in xmls:
+        extras_dir = join(applications[xml], 'extras')
+        if isdir(extras_dir):
+            for extra in listdir(extras_dir):
+                extra_dir = join(extras_dir, extra)
+                if isdir(extra_dir):
+                    RougailConfig['extra_dictionaries'].setdefault(extra, []).append(extra_dir)
+                    extra_dictionaries.append(extra_dir)
+    if RougailConfig['extra_dictionaries']:
+        print('  o extra dictionaries: ' + ', '.join(extra_dictionaries))
+    if isdir('templates'):
+        rmtree('templates')
+    makedirs('templates')
+    func = f'{funcs_dir}/funcs.py'
+    with open(func, 'wb') as fh:
+        fh.write(FUNCTIONS)
+        for xml in xmls:
+            func_dir = join(applications[xml], 'funcs')
+            if isdir(func_dir):
+                for f in listdir(func_dir):
+                    if not f.startswith('__'):
+                        with open(join(func_dir, f), 'rb') as rfh:
+                            fh.write(rfh.read())
+            templates_dir = join(applications[xml], 'templates')
+            if isdir(templates_dir):
+                for f in listdir(templates_dir):
+                    template_file = join(templates_dir, f)
+                    dest_template_file = join('templates', f)
+                    if isfile(dest_template_file):
+                        raise Exception(f'duplicate template {f}')
+                    link(template_file, dest_template_file)
+
+    RougailConfig['functions_file'] = func
+    eolobj = RougailConvert()
+    xml = eolobj.save(join(root_dir, 'dictionary.py'))
+    optiondescription = {}
+    try:
+        exec(xml, None, optiondescription)
+    except Exception as err:
+        print('Tiramisu file ' + join(root_dir, 'dictionary.py'))
+        print_exc()
+        raise Exception(f'unknown error when load tiramisu object {err}') from err
+    config = await Config(optiondescription['option_0'], display_name=tiramisu_display_name)
+    rmtree(tmp_dir)
+    rmtree(funcs_dir)
diff --git a/tests/test_applicationservice.py b/tests/test_applicationservice.py
new file mode 100644
index 0000000..66b52c9
--- /dev/null
+++ b/tests/test_applicationservice.py
@@ -0,0 +1,577 @@
+from typing import Any
+from pytest import fixture, mark
+from os import makedirs, listdir, link, environ
+from os.path import isfile, isdir, join, abspath, basename
+from yaml import load, SafeLoader
+from json import dump
+from shutil import rmtree
+from traceback import print_exc
+
+from tiramisu import Config
+from tiramisu.error import PropertiesOptionError, LeadershipError
+from rougail import RougailConvert, RougailSystemdTemplate, RougailConfig
+
+
+FUNCTIONS = b"""from tiramisu import valid_network_netmask, valid_ip_netmask, valid_broadcast, valid_in_network, valid_not_equal as valid_differ, valid_not_equal, calc_value
+# =============================================================
+# fork of risotto-setting/src/risotto_setting/config/config.py
+def get_password(**kwargs):
+    return 'password'
+
+
+def get_ip(**kwargs):
+    return '1.1.1.1'
+
+
+def get_chain(**kwargs):
+    return 'chain'
+
+
+def get_certificate(**kwargs):
+    return 'certificate'
+
+
+def get_private_key(**kwargs):
+    return 'private_key'
+
+
+def get_linked_configuration(**kwargs):
+    if 'test' in kwargs and kwargs['test']:
+        return kwargs['test'][0]
+    if kwargs.get('multi', False) is True:
+        return ['configuration']
+    return 'configuration'
+
+
+def get_certificates(**kwargs):
+    return ["XXXX", "YYYY", "ZZZZ"]
+
+
+def zone_information(*args, **kwargs):
+    if args[1] == 'network':
+        val = '192.168.0.0/24'
+    else:
+        val = '192.168.0.1'
+    if kwargs.get('multi', False):
+        val = [val]
+    return val
+# =============================================================
+
+"""
+
+
+def tiramisu_display_name(kls,
+                          dyn_name: 'Base'=None,
+                          suffix: str=None,
+                          ) -> str:
+    if dyn_name is not None:
+        name = dyn_name
+    else:
+        name = kls.impl_getname()
+    return name
+
+
+GENERATED_DIR = 'generated'
+if isdir(GENERATED_DIR):
+    rmtree(GENERATED_DIR)
+
+
+applications = {}
+
+
+test_ok = []
+for distrib in listdir('seed'):
+    distrib_dir = join('seed', distrib, 'applicationservice')
+    if isdir(distrib_dir):
+        for release in listdir(distrib_dir):
+            release_dir = join(distrib_dir, release)
+            if isdir(release_dir):
+                for applicationservice in listdir(release_dir):
+                    applicationservice_dir = join(release_dir, applicationservice)
+                    if isdir(applicationservice_dir):
+                        if applicationservice in applications:
+                            raise Exception('multi applicationservice')
+                        applications[applicationservice] = applicationservice_dir
+                        if isdir(join(applicationservice_dir, 'dictionaries')):
+                            test_ok.append(applicationservice_dir)
+if 'APPLICATIONSERVICE_DIR' in environ:
+    test_ok = []
+    if isdir(join(applicationservice_dir, 'dictionaries')):
+        test_ok.append(applicationservice_dir)
+
+
+print(test_ok)
+
+
+@fixture(scope="module", params=test_ok)
+def test_dir(request):
+    return request.param
+
+
+async def get_value(type: str,
+                    properties: list,
+                    test_values: Any,
+                    multi: bool,
+                    has_dependency: bool,
+                    path,
+                    min_number,
+                    ) -> list:
+    if test_values is not None:
+        values = list(test_values)
+        has_dependency = True
+    elif type == 'hostname':
+        values = ['test']
+    elif type == 'domainname':
+        values = ['test.test.com']
+    elif type == 'filename':
+        values = ['/a']
+    elif type == 'ip':
+        values = ['192.168.1.1']
+    elif type == 'ip_cidr':
+        values = ['192.168.1.1/24']
+    elif type == 'network':
+        values = ['192.168.1.0']
+    elif type == 'network_cidr':
+        values = ['192.168.1.0/24']
+    elif type == 'netmask':
+        values = ['255.255.255.0']
+    elif type in ['string', 'password']:
+        values = ['string']
+    elif type == 'integer':
+        if min_number is None:
+            min_number = 0
+        values = [min_number, min_number + 1]
+    elif type in 'port':
+        values = ["80"]
+    elif type == 'boolean':
+        values = [True, False]
+    elif type == 'url':
+        values = ['http://value']
+    elif type == 'username':
+        values = ['myname']
+    elif type == 'email':
+        values = ['a@a.com']
+    elif type == 'date':
+        values = ['2011-11-11']
+    elif type == 'float':
+        values = [1.1]
+    else:
+        raise Exception(f'Unknown type {type}')
+    if not has_dependency:
+        values = [values[0]]
+    if multi:
+        values = [values]
+    if 'mandatory' not in properties:
+        if not multi:
+            values.insert(0, None)
+        else:
+            values.insert(0, [])
+    return values
+
+
+async def build_values(paths: list,
+                       paths_values: dict,
+                       ):
+    if paths:
+        path, option, values, _ = paths[0]
+        for val in values:
+            new_paths_values = paths_values.copy()
+            new_paths_values[path] = val
+            next_paths = paths[1:]
+            if next_paths:
+                async for value in build_values(next_paths,
+                                                new_paths_values,
+                                                ):
+                    yield value
+            else:
+                yield new_paths_values
+
+
+async def set_dep_paths(new_paths_no_deps, config, old_paths_values, new_paths_values, leader_followers):
+    n = new_paths_no_deps.copy()
+    for path, values in n.items():
+        dico = await config.value.dict()
+        if path in dico:
+            value = new_paths_no_deps[path][0]
+            await set_value(config, path, value, old_paths_values, new_paths_values, leader_followers, new_paths_no_deps, is_dep=True)
+
+
+async def set_value(config, path, value, old_paths_values, new_paths_values, leader_followers, new_paths_no_deps, is_dep=False):
+    setted = False
+    if path not in old_paths_values or old_paths_values[path] != value:
+        if isinstance(value, tuple):
+            value = list(value)
+        if not await config.option(path).option.isfollower():
+            if await config.option(path).option.isleader():
+                old_values = await config.unrestraint.option(path).value.get()
+                if len(old_values) > len(value):
+                    await config.unrestraint.option(path).value.reset()
+                    leadership_path = path.rsplit('.', 1)[0]
+                    if leadership_path in leader_followers:
+                        for follower, values in leader_followers[leadership_path]:
+                            new_paths_no_deps[follower] = values.copy()
+            await config.unrestraint.option(path).value.set(value)
+            setted = True
+        else:
+            length = await config.unrestraint.option(path).value.len()
+            if length:
+                setted = True
+                await config.unrestraint.option(path, length-1).value.set(value)
+    if setted and is_dep:
+        new_paths_no_deps[path].pop(0)
+        if not new_paths_no_deps[path]:
+            del new_paths_no_deps[path]
+
+
+async def get_values(config, new_paths, new_paths_no_deps, root_dir, leader_followers):
+    old_paths_values = {}
+    if not new_paths:
+        yield await config.value.dict()
+    async for new_paths_values in build_values(new_paths, {}):
+        try:
+            await config.property.read_write()
+            copy_paths_values = new_paths_values.copy()
+            for path, value in new_paths_values.items():
+                await set_value(config, path, value, old_paths_values, new_paths_values, leader_followers, new_paths_no_deps)
+            if new_paths_no_deps:
+                await set_dep_paths(new_paths_no_deps, config, old_paths_values, new_paths_values, leader_followers)
+            await config.property.read_only()
+            dico = await config.value.dict()
+            old_paths_values = dico
+            yield dico
+        except Exception as err:
+            print_exc()
+            print('Tiramisu file ' + join(root_dir, 'dictionary.py'))
+            print(f'test with {new_paths_values}')
+            raise Exception(f'error {err}')
+
+
+def calc_depends(xmls, appname):
+    application = join(applications[appname], 'applicationservice.yml')
+    with open(application) as yaml:
+        app = load(yaml, Loader=SafeLoader)
+
+    if 'depends' in app and app['depends']:
+        for xml in app['depends']:
+            if xml not in xmls:
+                xmls.insert(0, xml)
+            calc_depends(xmls, xml)
+
+
+def reorder_new_paths(paths, new_paths=None, not_added_paths=None, added_paths=None):
+    root = new_paths is None
+    if root:
+        new_paths = []
+        added_paths = []
+    new_not_added_paths = set()
+    has_old_path = False
+    for path, option, values, option_dependencies in paths:
+        if path not in added_paths:
+            if not_added_paths is not None and not option_dependencies & not_added_paths:
+                #all dependencies are already managed, so added this paths
+                new_paths.append((path, option, values, option_dependencies))
+                added_paths.append(path)
+            else:
+                has_old_path = True
+                new_not_added_paths.add(path)
+    if has_old_path:
+        reorder_new_paths(paths, new_paths, new_not_added_paths, added_paths)
+    if root:
+        return new_paths
+
+
+async def populate_paths(paths_done, paths, dependencies, unrestraint, unaccessible_paths, config):
+    for path in await unrestraint.value.dict():
+        if path in paths_done:
+            continue
+        properties = await config.option(path).property.get(only_raises=True,
+                                                            uncalculated=True,
+                                                            )
+        if properties:
+            # unmodified path
+            continue
+        for unaccessible_path in unaccessible_paths:
+            if path.startswith(unaccessible_path + '.'):
+                break
+        else:
+            # this variable is not un unaccessible path
+            option = unrestraint.option(path)
+            current_dependencies = await option.option.dependencies()
+            test_values = await option.information.get('test', None)
+            if await option.option.isfollower():
+                ismulti = await option.option.issubmulti()
+            else:
+                ismulti = await option.option.ismulti()
+            min_number = None
+            type = await option.option.type()
+            if test_values is None:
+                if type == 'choice':
+                    test_values = await option.value.list()
+                    if not test_values:
+                        test_values = [None]
+                elif type == 'integer':
+                    real_option = await option.option.get()
+                    min_number = real_option.impl_get_extra('min_number')
+                elif type == 'domainname':
+                    real_option = await option.option.get()
+                    if real_option.impl_get_extra('_dom_type') in ['netbios', 'hostname']:
+                        type = 'hostname'
+                elif type == 'ip':
+                    true_option = await option.option.get()
+                    if true_option.impl_get_extra('_cidr'):
+                        type = 'ip_cidr'
+                elif type == 'network':
+                    true_option = await option.option.get()
+                    if true_option.impl_get_extra('_cidr'):
+                        type = 'network_cidr'
+            else:
+                test_values = tuple(test_values)
+            full_properties = await option.property.get()
+            for dependency in current_dependencies:
+                dependencies.add(await dependency.option.path())
+            paths.append((path,
+                          full_properties,
+                          test_values,
+                          ismulti,
+                          type,
+                          option,
+                          min_number,
+                          ))
+            paths_done.append(path)
+
+
+@mark.asyncio
+async def test_template(test_dir):
+    if test_dir.startswith('seed/eole'):
+        return
+#    if test_dir != 'seed/eole/applicationservice/2020.1.1/eole-lemonldap-ng':
+#        return
+#    if test_dir in [
+#                    'seed/eole/applicationservice/2020.1.1/eole-proxy',
+#                    'seed/eole/applicationservice/2020.1.1/eole-bareos',
+#                    ]:
+#        return
+    if not isdir(GENERATED_DIR):
+        makedirs(GENERATED_DIR)
+    test_name = basename(test_dir)
+    root_dir = f'{GENERATED_DIR}/{test_name}'
+    tmp_dir = f'{root_dir}/tmp'
+    funcs_dir = f'{root_dir}/funcs'
+    for dirname in [root_dir, tmp_dir, funcs_dir]:
+        if isdir(dirname):
+            rmtree(dirname)
+        makedirs(dirname)
+    print()
+    print('>', test_dir)
+    test_file = test_dir.rsplit('/', 1)[-1]
+    xmls = [test_file]
+    calc_depends(xmls, test_file)
+    print('  o dependencies: ' + ', '.join(xmls))
+    with open(f'{root_dir}/dependencies.txt', 'w') as fh:
+        dump(xmls, fh)
+    dictionaries = [join(applications[xml], 'dictionaries') for xml in xmls if isdir(join(applications[xml], 'dictionaries'))]
+    if 'risotto_setting.rougail' not in RougailConfig['extra_annotators']:
+        RougailConfig['extra_annotators'].append('risotto_setting.rougail')
+    RougailConfig['dictionaries_dir'] = dictionaries
+    print('  o dictionaries: ' + ', '.join(dictionaries))
+    RougailConfig['extra_dictionaries'] = {}
+    extra_dictionaries = []
+    for xml in xmls:
+        extras_dir = join(applications[xml], 'extras')
+        if isdir(extras_dir):
+            for extra in listdir(extras_dir):
+                extra_dir = join(extras_dir, extra)
+                if isdir(extra_dir):
+                    RougailConfig['extra_dictionaries'].setdefault(extra, []).append(extra_dir)
+                    extra_dictionaries.append(extra_dir)
+    if RougailConfig['extra_dictionaries']:
+        print('  o extra dictionaries: ' + ', '.join(extra_dictionaries))
+    if isdir('templates'):
+        rmtree('templates')
+    makedirs('templates')
+    func = f'{funcs_dir}/funcs.py'
+    with open(func, 'wb') as fh:
+        fh.write(FUNCTIONS)
+        for xml in xmls:
+            func_dir = join(applications[xml], 'funcs')
+            if isdir(func_dir):
+                for f in listdir(func_dir):
+                    if not f.startswith('__'):
+                        with open(join(func_dir, f), 'rb') as rfh:
+                            fh.write(rfh.read())
+            templates_dir = join(applications[xml], 'templates')
+            if isdir(templates_dir):
+                for f in listdir(templates_dir):
+                    template_file = join(templates_dir, f)
+                    dest_template_file = join('templates', f)
+                    if isfile(dest_template_file):
+                        raise Exception(f'duplicate template {f}')
+                    link(template_file, dest_template_file)
+
+    RougailConfig['functions_file'] = func
+    eolobj = RougailConvert()
+    xml = eolobj.save(join(root_dir, 'dictionary.py'))
+    optiondescription = {}
+    try:
+        exec(xml, None, optiondescription)
+    except Exception as err:
+        print('Tiramisu file ' + join(root_dir, 'dictionary.py'))
+        print_exc()
+        raise Exception(f'unknown error when load tiramisu object {err}') from err
+    config = await Config(optiondescription['option_0'], display_name=tiramisu_display_name)
+    has_services = False
+    for option in await config.option.list('optiondescription'):
+        if await option.option.name() == 'services':
+            has_services = True
+            break
+    if not has_services:
+        print(f'  o number of tests: any template')
+        rmtree(root_dir)
+        return
+    await config.property.read_write()
+    paths = []
+    unrestraint = config.unrestraint
+    # this paths in unaccessible, so variable inside are unaccessible too
+    unaccessible_paths = []
+    dependencies = set()
+    for option in await unrestraint.option.list('optiondescription',
+                                                recursive=True,
+                                                ):
+        path = await option.option.path()
+        properties = await config.option(path).property.get(only_raises=True,
+                                                            uncalculated=True,
+                                                            )
+        if properties:
+            unaccessible_paths.append(path)
+        for dependency in await option.option.dependencies():
+            dependencies.add(await dependency.option.path())
+    paths_done = []
+    await populate_paths(paths_done, paths, dependencies, unrestraint, unaccessible_paths, config)
+
+    all_values = {}
+    for path, full_properties, test_values, ismulti, type, option, min_number in paths:
+        values = await get_value(type,
+                                 full_properties,
+                                 test_values,
+                                 ismulti,
+                                 path in dependencies,
+                                 path,
+                                 min_number,
+                                 )
+        all_values[path] = values
+        if await option.option.isfollower() or len(values) > 1:
+            continue
+        if await config.unrestraint.option(path).option.isleader():
+            old_values = await config.unrestraint.option(path).value.get()
+            for idx in reversed(range(len(old_values))):
+                await config.unrestraint.option(path).value.pop(idx)
+        await config.unrestraint.option(path).value.set(values[0])
+    await populate_paths(paths_done, paths, dependencies, unrestraint, unaccessible_paths, config)
+    new_paths = []
+    number_test = 1
+    nb_var = 0
+    for path, full_properties, test_values, ismulti, type, option, min_number in paths:
+        if path in all_values:
+            values = all_values[path]
+            has_values = True
+        else:
+            values = await get_value(type,
+                                     full_properties,
+                                     test_values,
+                                     ismulti,
+                                     path in dependencies,
+                                     path,
+                                     min_number,
+                                     )
+            has_values = False
+        number_test *= len(values)
+        if await option.option.isfollower() or len(values) > 1:
+            option_dependencies = {await subopt.option.path() for subopt in await option.option.dependencies()}
+            new_paths.append((path, option, values, option_dependencies))
+            nb_var += 1
+        elif not has_values:
+            if await config.unrestraint.option(path).option.isleader():
+                old_values = await config.unrestraint.option(path).value.get()
+                for idx in reversed(range(len(old_values))):
+                    await config.unrestraint.option(path).value.pop(idx)
+            await config.unrestraint.option(path).value.set(values[0])
+    print('  o number of variables: {}'.format(len(paths)))
+    new_paths = reorder_new_paths(new_paths)
+    print(f'  o number of tested variables: {nb_var}')
+    print(f'  o estimate number of tests: {number_test}')
+    new_paths_no_deps = {}
+    leader_followers = {}
+    if number_test > 1001:
+        number_test = 1
+        nb2 = 0
+        print(f'      degraded mode...')
+        new_paths_2 = []
+        for path, option, values, option_dependencies in new_paths:
+            isfollower = await option.option.isfollower()
+            if isfollower:
+                has_dependencies = len(option_dependencies) > 1
+            else:
+                has_dependencies = len(option_dependencies) > 0
+            if not has_dependencies:
+                if isfollower:
+                    leadership_path = path.rsplit('.', 1)[0]
+                    leader_followers.setdefault(leadership_path, []).append((path, values.copy()))
+                new_paths_no_deps[path] = values
+                nb2 += len(values) - 1
+            else:
+                number_test *= len(values)
+                new_paths_2.append((path, option, values, option_dependencies))
+        new_paths = new_paths_2
+        print('      > degraded variables: {}'.format(len(new_paths_no_deps)))
+        print(f'      > new estimated number of tests: {number_test + nb2}')
+    idx = 0
+    real_idx = 0
+    old_dico = {}
+    async for dico in get_values(config, new_paths, new_paths_no_deps, root_dir, leader_followers):
+        try:
+            real_idx += 1
+            if str(real_idx).endswith('0'):
+                print(f'   ... {real_idx}')
+            build_dir = f'{root_dir}/{idx}'
+            dest_dir = f'{build_dir}/dest'
+            mandatories = await config.value.mandatory()
+            if old_dico == dico:
+                continue
+            for dirname in [build_dir, dest_dir]:
+                makedirs(dirname)
+            old_dico = dico
+            if mandatories:
+                print('Tiramisu file ' + join(root_dir, 'dictionary.py'))
+                raise Exception(f'Mandatory option not configured {mandatories}')
+            RougailConfig['functions_file'] = func
+            RougailConfig['tmp_dir'] = tmp_dir
+            RougailConfig['templates_dir'] = 'templates'
+            RougailConfig['destinations_dir'] = dest_dir
+            await launch(config, root_dir, dico)
+            await config.value.dict()
+            with open(f'{build_dir}/variables.txt', 'w') as fh:
+                dump(await config.value.dict(leader_to_list=True), fh, indent=4, sort_keys=True)
+            idx += 1
+        except Exception as err:
+            print_exc()
+            print('Tiramisu file ' + join(root_dir, 'dictionary.py'))
+            print(f'test with {dico}')
+            raise Exception(f'unknown error {err}') from err
+    print(f'  o number of tests: {idx}')
+
+    if isdir('templates'):
+        rmtree('templates')
+    rmtree(tmp_dir)
+    rmtree(funcs_dir)
+
+
+async def launch(config, root_dir, dico):
+    try:
+        await config.property.read_only()
+        engine = RougailSystemdTemplate(config)
+        await engine.instance_files()
+    except Exception as err:
+        print_exc()
+        print('Tiramisu file ' + join(root_dir, 'dictionary.py'))
+        print(f'test with {dico}')
+        raise Exception(f'unknown error {err}') from err
diff --git a/tests/test_cluster.py b/tests/test_cluster.py
new file mode 100644
index 0000000..939147e
--- /dev/null
+++ b/tests/test_cluster.py
@@ -0,0 +1,321 @@
+from typing import Any
+from pytest import fixture, mark
+from os import makedirs, listdir, link
+from os.path import isfile, isdir, join
+from yaml import load, SafeLoader
+from json import dump
+from shutil import rmtree
+from traceback import print_exc
+
+from tiramisu import Config
+from tiramisu.error import PropertiesOptionError, LeadershipError
+from rougail import RougailConvert, RougailSystemdTemplate, RougailConfig
+
+
+IDX = 0
+GENERATED_DIR = 'generated'
+if isdir(GENERATED_DIR):
+    rmtree(GENERATED_DIR)
+
+
+test_ok = []
+for distrib in listdir('seed'):
+    distrib_dir = join('seed', distrib, 'cluster')
+    if isdir(distrib_dir):
+        for cluster in listdir(distrib_dir):
+            cluster_dir = join(distrib_dir, cluster)
+            if isdir(join(cluster_dir, 'dictionaries')):
+                test_ok.append(cluster_dir)
+
+
+@fixture(scope="module", params=test_ok)
+def test_dir(request):
+    return request.param
+
+
+async def get_values(option: 'TiramisuOption',
+                     type: str,
+                     properties: list,
+                     test_value: Any,
+                     multi: bool,
+                     has_dependency: bool) -> list:
+    if test_value is not None:
+        values = test_value
+        has_dependency = True
+    elif type == 'choice':
+        values = await option.value.list()
+    elif type == 'domainname':
+        values = ['test.com']
+    elif type == 'filename':
+        values = ['/a']
+    elif type == 'ip':
+        true_option = await option.option.get()
+        if true_option.impl_get_extra('_cidr'):
+            values = ['192.168.1.1/24', '192.168.0.1/32']
+        else:
+            values = ['192.168.1.1']
+    elif type == 'network':
+        true_option = await option.option.get()
+        if true_option.impl_get_extra('_cidr'):
+            values = ['192.168.1.0/24', '192.168.1.1/32']
+        else:
+            values = ['192.168.1.0']
+    elif type in ['string', 'password']:
+        values = ['string']
+    elif type == 'integer':
+        values = [0, 1]
+    elif type in 'port':
+        values = ["80"]
+    elif type == 'boolean':
+        values = [True, False]
+    else:
+        raise Exception(f'Unknown type {type}')
+    if not has_dependency:
+        values = [values[0]]
+    if multi:
+        values = [values]
+    if 'mandatory' not in properties:
+        if not multi:
+            values.insert(0, None)
+        else:
+            values.insert(0, [])
+    return values
+
+
+async def build_values(paths: list,
+                       paths_values: dict,
+                       dependencies,
+                       ):
+    path, option, properties, test = paths[0]
+
+    for val in await get_values(option,
+                                await option.option.type(),
+                                properties,
+                                test,
+                                await option.option.ismulti(),
+                                path in dependencies):
+        new_paths_values = paths_values.copy()
+        new_paths_values[path] = val
+        new_values = paths[1:]
+        if new_values:
+            async for value in build_values(new_values,
+                                            new_paths_values,
+                                            dependencies,
+                                            ):
+                yield value
+        else:
+            yield new_paths_values
+
+
+def calc_depends(test_root_dir, xmls, appname):
+    cluster = join(test_root_dir, appname, 'cluster.yml')
+    with open(cluster) as yaml:
+        app = load(yaml, Loader=SafeLoader)
+
+    if 'depends' in app and app['depends']:
+        for xml in app['depends']:
+            xmls.insert(0, xml)
+            calc_depends(test_root_dir, xmls, xml)
+
+
+@mark.asyncio
+async def test_template(test_dir):
+    global IDX
+    if not isdir(GENERATED_DIR):
+        makedirs(GENERATED_DIR)
+    root_dir = f'{GENERATED_DIR}/{IDX}'
+    IDX += 1
+    if isdir(root_dir):
+        rmtree(root_dir)
+    tmp_dir = f'{root_dir}/tmp'
+    funcs_dir = f'{root_dir}/funcs'
+    for dirname in [root_dir, tmp_dir, funcs_dir]:
+        makedirs(dirname)
+    print()
+    print('>', test_dir)
+    test_root_dir, test_file = test_dir.rsplit('/', 1)
+    xmls = [test_file]
+    calc_depends(test_root_dir, xmls, test_file)
+    print('  o dependencies: ' + ', '.join(xmls))
+    with open(f'{root_dir}/dependencies.txt', 'w') as fh:
+        dump(xmls, fh)
+    dictionaries = [join(test_root_dir, xml, 'dictionaries') for xml in xmls if isdir(join(test_root_dir, xml, 'dictionaries'))]
+    print('  o dictionaries: ' + ', '.join(dictionaries))
+    RougailConfig['dictionaries_dir'] = dictionaries
+    RougailConfig['extra_dictionaries'] = {}
+    extras_dir = join(test_dir, 'extras')
+    if isdir(extras_dir):
+        for extra in listdir(extras_dir):
+            extra_dir = join(extras_dir, extra)
+            if isdir(extra_dir):
+                RougailConfig['extra_dictionaries'][extra] = [extra_dir]
+    if isdir('templates'):
+        rmtree('templates')
+    makedirs('templates')
+    func = f'{funcs_dir}/funcs.py'
+    with open(func, 'wb') as fh:
+        fh.write(b"""from tiramisu import valid_network_netmask, valid_ip_netmask, valid_broadcast, valid_in_network, valid_not_equal as valid_differ, valid_not_equal, calc_value
+# =============================================================
+# fork of risotto-setting/src/risotto_setting/config/config.py
+def get_password(**kwargs):
+    return 'password'
+
+
+def get_ip(**kwargs):
+    return '1.1.1.1'
+
+
+def get_chain(**kwargs):
+    return 'chain'
+
+
+def get_certificate(**kwargs):
+    return 'certificate'
+
+
+def get_private_key(**kwargs):
+    return 'private_key'
+
+
+def get_linked_configuration(**kwargs):
+    if 'test' in kwargs and kwargs['test']:
+        return kwargs['test'][0]
+    if kwargs.get('multi', False) is True:
+        return ['configuration']
+    return 'configuration'
+
+
+def get_certificates(**kwargs):
+    return ["XXXX", "YYYY", "ZZZZ"]
+
+
+def zone_information(*args, **kwargs):
+    return "192.168.0.0/24"
+# =============================================================
+
+""")
+
+        for func_file in xmls:
+            func_dir = join(test_root_dir, func_file, 'funcs')
+            if isdir(func_dir):
+                for f in listdir(func_dir):
+                    if not f.startswith('__'):
+                        with open(join(func_dir, f), 'rb') as rfh:
+                            fh.write(rfh.read())
+            templates_dir = join(test_root_dir, func_file, 'templates')
+            if isdir(templates_dir):
+                for f in listdir(templates_dir):
+                    template_file = join(templates_dir, f)
+                    dest_template_file = join('templates', f)
+                    if isfile(dest_template_file):
+                        raise Exception(f'duplicate template {f}')
+                    link(template_file, dest_template_file)
+
+    RougailConfig['functions_file'] = func
+    eolobj = RougailConvert()
+    xml = eolobj.save(None)
+    optiondescription = {}
+    try:
+        exec(xml, None, optiondescription)
+    except Exception as err:
+        print(xml)
+        print_exc()
+        raise Exception(f'unknown error when load tiramisu object {err}') from err
+    config = await Config(optiondescription['option_0'])
+    has_services = False
+    for option in await config.option.list('optiondescription'):
+        if await option.option.name() == 'services':
+            has_services = True
+            break
+    if not has_services:
+        print(f'  o number of tests: any template')
+        rmtree(root_dir)
+        return
+    await config.property.read_write()
+    paths = []
+    unrestraint = config.unrestraint
+    unaccessible_paths = []
+    dependencies = set()
+    for option in await unrestraint.option.list('optiondescription',
+                                                recursive=True,
+                                                ):
+        path = await option.option.path()
+        properties = await config.option(path).property.get(only_raises=True,
+                                                            uncalculated=True,
+                                                            )
+        if properties:
+            unaccessible_paths.append(path)
+        for dependency in await option.option.dependencies():
+            dependencies.add(await dependency.option.path())
+    for path in await unrestraint.value.dict():
+        properties = await config.option(path).property.get(only_raises=True,
+                                                            uncalculated=True,
+                                                            )
+        if properties:
+            continue
+        for dependency in await option.option.dependencies():
+            dependencies.add(await dependency.option.path())
+        for unaccessible_path in unaccessible_paths:
+            if path.startswith(unaccessible_path + '.'):
+                break
+        else:
+            option = unrestraint.option(path)
+            paths.append((path,
+                          option,
+                          await option.property.get(),
+                          await option.information.get('test', None),
+                          ))
+    print('  o variables number: {}'.format(len(paths)))
+    idx = 0
+    async for new_paths_values in build_values(paths,
+                                               {},
+                                               dependencies,
+                                               ):
+        build_dir = f'{root_dir}/{idx}'
+        dest_dir = f'{build_dir}/dest'
+        for dirname in [build_dir, dest_dir]:
+            makedirs(dirname)
+        try:
+            await config.property.read_write()
+            for path, value in new_paths_values.items():
+                try:
+                    if isinstance(value, tuple):
+                        value = list(value)
+                    if not await config.option(path).option.isfollower():
+                        await config.option(path).value.set(value)
+                    else:
+                        await config.option(path, 0).value.set(value)
+                except (PropertiesOptionError, LeadershipError):
+                    pass
+        except:
+            print_exc()
+            print(xml)
+            print(f'test with {new_paths_values}')
+            raise Exception('unable to set value')
+        mandatories = await config.value.mandatory()
+        if mandatories:
+            print(xml)
+            dico = await config.value.dict()
+            print(f'test with {dico}')
+            raise Exception(f'Mandatory option not configured {mandatories}')
+        RougailConfig['functions_file'] = func
+        RougailConfig['tmp_dir'] = tmp_dir
+        RougailConfig['templates_dir'] = 'templates'
+        RougailConfig['destinations_dir'] = dest_dir
+        try:
+            await config.property.read_only()
+            engine = RougailSystemdTemplate(config)
+            await engine.instance_files()
+        except Exception as err:
+            print_exc()
+            print(xml)
+            print(f'test with {new_paths_values}')
+            raise Exception(f'unknown error {err}') from err
+        with open(f'{build_dir}/variables.txt', 'w') as fh:
+            dump(await config.value.dict(), fh, indent=4, sort_keys=True)
+        idx += 1
+    print(f'  o number of tests: {idx}')
+    if isdir('templates'):
+        rmtree('templates')
+    rmtree(tmp_dir)
+    rmtree(funcs_dir)
diff --git a/tests/test_zone.py b/tests/test_zone.py
new file mode 100644
index 0000000..b972834
--- /dev/null
+++ b/tests/test_zone.py
@@ -0,0 +1,321 @@
+from typing import Any
+from pytest import fixture, mark
+from os import makedirs, listdir, link
+from os.path import isfile, isdir, join
+from yaml import load, SafeLoader
+from json import dump
+from shutil import rmtree
+from traceback import print_exc
+
+from tiramisu import Config
+from tiramisu.error import PropertiesOptionError, LeadershipError
+from rougail import RougailConvert, RougailSystemdTemplate, RougailConfig
+
+
+IDX = 0
+GENERATED_DIR = 'generated'
+if isdir(GENERATED_DIR):
+    rmtree(GENERATED_DIR)
+
+
+test_ok = []
+for distrib in listdir('seed'):
+    distrib_dir = join('seed', distrib, 'zone')
+    if isdir(distrib_dir):
+        for zone in listdir(distrib_dir):
+            zone_dir = join(distrib_dir, zone)
+            if isdir(join(zone_dir, 'dictionaries')):
+                test_ok.append(zone_dir)
+
+
+@fixture(scope="module", params=test_ok)
+def test_dir(request):
+    return request.param
+
+
+async def get_values(option: 'TiramisuOption',
+                     type: str,
+                     properties: list,
+                     test_value: Any,
+                     multi: bool,
+                     has_dependency: bool) -> list:
+    if test_value is not None:
+        values = test_value
+        has_dependency = True
+    elif type == 'choice':
+        values = await option.value.list()
+    elif type == 'domainname':
+        values = ['test.com']
+    elif type == 'filename':
+        values = ['/a']
+    elif type == 'ip':
+        true_option = await option.option.get()
+        if true_option.impl_get_extra('_cidr'):
+            values = ['192.168.1.1/24', '192.168.0.1/32']
+        else:
+            values = ['192.168.1.1']
+    elif type == 'network':
+        true_option = await option.option.get()
+        if true_option.impl_get_extra('_cidr'):
+            values = ['192.168.1.0/24', '192.168.1.1/32']
+        else:
+            values = ['192.168.1.0']
+    elif type in ['string', 'password']:
+        values = ['string']
+    elif type == 'integer':
+        values = [0, 1]
+    elif type in 'port':
+        values = ["80"]
+    elif type == 'boolean':
+        values = [True, False]
+    else:
+        raise Exception(f'Unknown type {type}')
+    if not has_dependency:
+        values = [values[0]]
+    if multi:
+        values = [values]
+    if 'mandatory' not in properties:
+        if not multi:
+            values.insert(0, None)
+        else:
+            values.insert(0, [])
+    return values
+
+
+async def build_values(paths: list,
+                       paths_values: dict,
+                       dependencies,
+                       ):
+    path, option, properties, test = paths[0]
+
+    for val in await get_values(option,
+                                await option.option.type(),
+                                properties,
+                                test,
+                                await option.option.ismulti(),
+                                path in dependencies):
+        new_paths_values = paths_values.copy()
+        new_paths_values[path] = val
+        new_values = paths[1:]
+        if new_values:
+            async for value in build_values(new_values,
+                                            new_paths_values,
+                                            dependencies,
+                                            ):
+                yield value
+        else:
+            yield new_paths_values
+
+
+def calc_depends(test_root_dir, xmls, appname):
+    zone = join(test_root_dir, appname, 'zone.yml')
+    with open(zone) as yaml:
+        app = load(yaml, Loader=SafeLoader)
+
+    if 'depends' in app and app['depends']:
+        for xml in app['depends']:
+            xmls.insert(0, xml)
+            calc_depends(test_root_dir, xmls, xml)
+
+
+@mark.asyncio
+async def test_template(test_dir):
+    global IDX
+    if not isdir(GENERATED_DIR):
+        makedirs(GENERATED_DIR)
+    root_dir = f'{GENERATED_DIR}/{IDX}'
+    IDX += 1
+    if isdir(root_dir):
+        rmtree(root_dir)
+    tmp_dir = f'{root_dir}/tmp'
+    funcs_dir = f'{root_dir}/funcs'
+    for dirname in [root_dir, tmp_dir, funcs_dir]:
+        makedirs(dirname)
+    print()
+    print('>', test_dir)
+    test_root_dir, test_file = test_dir.rsplit('/', 1)
+    xmls = [test_file]
+    calc_depends(test_root_dir, xmls, test_file)
+    print('  o dependencies: ' + ', '.join(xmls))
+    with open(f'{root_dir}/dependencies.txt', 'w') as fh:
+        dump(xmls, fh)
+    dictionaries = [join(test_root_dir, xml, 'dictionaries') for xml in xmls if isdir(join(test_root_dir, xml, 'dictionaries'))]
+    print('  o dictionaries: ' + ', '.join(dictionaries))
+    RougailConfig['dictionaries_dir'] = dictionaries
+    RougailConfig['extra_dictionaries'] = {}
+    extras_dir = join(test_dir, 'extras')
+    if isdir(extras_dir):
+        for extra in listdir(extras_dir):
+            extra_dir = join(extras_dir, extra)
+            if isdir(extra_dir):
+                RougailConfig['extra_dictionaries'][extra] = [extra_dir]
+    if isdir('templates'):
+        rmtree('templates')
+    makedirs('templates')
+    func = f'{funcs_dir}/funcs.py'
+    with open(func, 'wb') as fh:
+        fh.write(b"""from tiramisu import valid_network_netmask, valid_ip_netmask, valid_broadcast, valid_in_network, valid_not_equal as valid_differ, valid_not_equal, calc_value
+# =============================================================
+# fork of risotto-setting/src/risotto_setting/config/config.py
+def get_password(**kwargs):
+    return 'password'
+
+
+def get_ip(**kwargs):
+    return '1.1.1.1'
+
+
+def get_chain(**kwargs):
+    return 'chain'
+
+
+def get_certificate(**kwargs):
+    return 'certificate'
+
+
+def get_private_key(**kwargs):
+    return 'private_key'
+
+
+def get_linked_configuration(**kwargs):
+    if 'test' in kwargs and kwargs['test']:
+        return kwargs['test'][0]
+    if kwargs.get('multi', False) is True:
+        return ['configuration']
+    return 'configuration'
+
+
+def get_certificates(**kwargs):
+    return ["XXXX", "YYYY", "ZZZZ"]
+
+
+def zone_information(*args, **kwargs):
+    return "192.168.0.0/24"
+# =============================================================
+
+""")
+
+        for func_file in xmls:
+            func_dir = join(test_root_dir, func_file, 'funcs')
+            if isdir(func_dir):
+                for f in listdir(func_dir):
+                    if not f.startswith('__'):
+                        with open(join(func_dir, f), 'rb') as rfh:
+                            fh.write(rfh.read())
+            templates_dir = join(test_root_dir, func_file, 'templates')
+            if isdir(templates_dir):
+                for f in listdir(templates_dir):
+                    template_file = join(templates_dir, f)
+                    dest_template_file = join('templates', f)
+                    if isfile(dest_template_file):
+                        raise Exception(f'duplicate template {f}')
+                    link(template_file, dest_template_file)
+
+    RougailConfig['functions_file'] = func
+    eolobj = RougailConvert()
+    xml = eolobj.save(None)
+    optiondescription = {}
+    try:
+        exec(xml, None, optiondescription)
+    except Exception as err:
+        print(xml)
+        print_exc()
+        raise Exception(f'unknown error when load tiramisu object {err}') from err
+    config = await Config(optiondescription['option_0'])
+    has_services = False
+    for option in await config.option.list('optiondescription'):
+        if await option.option.name() == 'services':
+            has_services = True
+            break
+    if not has_services:
+        print(f'  o number of tests: any template')
+        rmtree(root_dir)
+        return
+    await config.property.read_write()
+    paths = []
+    unrestraint = config.unrestraint
+    unaccessible_paths = []
+    dependencies = set()
+    for option in await unrestraint.option.list('optiondescription',
+                                                recursive=True,
+                                                ):
+        path = await option.option.path()
+        properties = await config.option(path).property.get(only_raises=True,
+                                                            uncalculated=True,
+                                                            )
+        if properties:
+            unaccessible_paths.append(path)
+        for dependency in await option.option.dependencies():
+            dependencies.add(await dependency.option.path())
+    for path in await unrestraint.value.dict():
+        properties = await config.option(path).property.get(only_raises=True,
+                                                            uncalculated=True,
+                                                            )
+        if properties:
+            continue
+        for dependency in await option.option.dependencies():
+            dependencies.add(await dependency.option.path())
+        for unaccessible_path in unaccessible_paths:
+            if path.startswith(unaccessible_path + '.'):
+                break
+        else:
+            option = unrestraint.option(path)
+            paths.append((path,
+                          option,
+                          await option.property.get(),
+                          await option.information.get('test', None),
+                          ))
+    print('  o variables number: {}'.format(len(paths)))
+    idx = 0
+    async for new_paths_values in build_values(paths,
+                                               {},
+                                               dependencies,
+                                               ):
+        build_dir = f'{root_dir}/{idx}'
+        dest_dir = f'{build_dir}/dest'
+        for dirname in [build_dir, dest_dir]:
+            makedirs(dirname)
+        try:
+            await config.property.read_write()
+            for path, value in new_paths_values.items():
+                try:
+                    if isinstance(value, tuple):
+                        value = list(value)
+                    if not await config.option(path).option.isfollower():
+                        await config.option(path).value.set(value)
+                    else:
+                        await config.option(path, 0).value.set(value)
+                except (PropertiesOptionError, LeadershipError):
+                    pass
+        except:
+            print_exc()
+            print(xml)
+            print(f'test with {new_paths_values}')
+            raise Exception('unable to set value')
+        mandatories = await config.value.mandatory()
+        if mandatories:
+            print(xml)
+            dico = await config.value.dict()
+            print(f'test with {dico}')
+            raise Exception(f'Mandatory option not configured {mandatories}')
+        RougailConfig['functions_file'] = func
+        RougailConfig['tmp_dir'] = tmp_dir
+        RougailConfig['templates_dir'] = 'templates'
+        RougailConfig['destinations_dir'] = dest_dir
+        try:
+            await config.property.read_only()
+            engine = RougailSystemdTemplate(config)
+            await engine.instance_files()
+        except Exception as err:
+            print_exc()
+            print(xml)
+            print(f'test with {new_paths_values}')
+            raise Exception(f'unknown error {err}') from err
+        with open(f'{build_dir}/variables.txt', 'w') as fh:
+            dump(await config.value.dict(), fh, indent=4, sort_keys=True)
+        idx += 1
+    print(f'  o number of tests: {idx}')
+    if isdir('templates'):
+        rmtree('templates')
+    rmtree(tmp_dir)
+    rmtree(funcs_dir)