From 42879ad5a11d5938625f71b51c3cc3911298933a Mon Sep 17 00:00:00 2001
From: Emmanuel Garette <egarette@cadoles.com>
Date: Thu, 18 Aug 2022 16:38:37 +0200
Subject: [PATCH 1/3] add risotto target

---
 seed/base-machine/manual/install/diff.py      | 20 ++++++++++---------
 seed/dovecot/templates/dovecot-init.service   |  2 +-
 seed/gitea/templates/gitea.service            |  2 +-
 .../dictionaries/21_ldap-client.xml           |  2 +-
 .../ldap-client/templates/ldap-client.service |  8 ++++++++
 .../lemonldap-ng-fastcgi-server.service       |  3 +--
 seed/mailman/templates/mailman3.service       |  2 +-
 seed/mailman/templates/postorius.service      |  2 +-
 .../dictionaries/20_mariadb.xml               |  2 +-
 .../templates/mariadbclient.service           |  3 ++-
 seed/nextcloud/templates/nextcloud.service    |  2 +-
 seed/nsd/templates/nsd.service                |  2 +-
 .../dictionaries/30_oauth2_client.xml         |  3 +++
 .../manual/image/preinstall/oauth2-client.sh  |  1 +
 .../templates/oauth2-client.service           |  7 +++++++
 seed/piwigo/templates/piwigo.service          |  2 +-
 .../dictionaries/23_postgresql.xml            |  2 +-
 .../templates/postgresqlclient.service        |  3 ++-
 seed/roundcube/templates/roundcube.service    |  2 +-
 seed/systemd/dictionaries/15-systemd.xml      |  1 +
 seed/systemd/templates/risotto.target         |  5 +++++
 21 files changed, 52 insertions(+), 24 deletions(-)
 create mode 100644 seed/ldap-client/templates/ldap-client.service
 create mode 100644 seed/oauth2-client/manual/image/preinstall/oauth2-client.sh
 create mode 100644 seed/oauth2-client/templates/oauth2-client.service
 create mode 100644 seed/systemd/templates/risotto.target

diff --git a/seed/base-machine/manual/install/diff.py b/seed/base-machine/manual/install/diff.py
index 510dcc5..b203086 100755
--- a/seed/base-machine/manual/install/diff.py
+++ b/seed/base-machine/manual/install/diff.py
@@ -1,12 +1,11 @@
 #!/usr/bin/env python3
 
 
-from os.path import join
 from filecmp import dircmp
 from difflib import unified_diff
 from sys import stdout, argv
 from os import walk
-from os.path import join
+from os.path import join, islink
 from datetime import datetime, timezone
 
 
@@ -87,10 +86,13 @@ for filename in old - new:
 
 
 for filename in new - old:
-    print(f'\n- fichier {filename} ajouté :\n')
-    with open(join(NEW_DIR, filename), 'r') as fh:
-        if WEBSITE:
-            print('```')
-        print(fh.read())
-        if WEBSITE:
-            print('```')
+    if islink(join(NEW_DIR, filename)):
+        print(f'\n- lien {filename} ajouté\n')
+    else:
+        print(f'\n- fichier {filename} ajouté :\n')
+        with open(join(NEW_DIR, filename), 'r') as fh:
+            if WEBSITE:
+                print('```')
+            print(fh.read())
+            if WEBSITE:
+                print('```')
diff --git a/seed/dovecot/templates/dovecot-init.service b/seed/dovecot/templates/dovecot-init.service
index b4f9cec..1df2ef4 100644
--- a/seed/dovecot/templates/dovecot-init.service
+++ b/seed/dovecot/templates/dovecot-init.service
@@ -1,5 +1,5 @@
 [Unit]
-After=network.target
+After=risotto.target
 
 [Service]
 ExecStart=
diff --git a/seed/gitea/templates/gitea.service b/seed/gitea/templates/gitea.service
index 9f19bf7..abb4929 100644
--- a/seed/gitea/templates/gitea.service
+++ b/seed/gitea/templates/gitea.service
@@ -1,7 +1,7 @@
 #ORIGIN https://raw.githubusercontent.com/go-gitea/gitea/main/contrib/systemd/gitea.service
 [Unit]
 Description=Gitea (Git with a cup of tea)
-After=network.target postgresqlclient.service
+After=risotto.target
 
 [Service]
 # Modify these two values and uncomment them if you have
diff --git a/seed/ldap-client/dictionaries/21_ldap-client.xml b/seed/ldap-client/dictionaries/21_ldap-client.xml
index ac1ce2f..b0835e4 100644
--- a/seed/ldap-client/dictionaries/21_ldap-client.xml
+++ b/seed/ldap-client/dictionaries/21_ldap-client.xml
@@ -2,7 +2,7 @@
 
 <rougail version="0.10">
   <services>
-    <service name="ldap_client" manage="False">
+    <service name="ldap-client" target="risotto" engine="creole">
       <file source="ldap.conf" file_type="variable">ldap_client_file</file>
       <file source="ca_LDAP.crt" file_type="variable">ldap_ca_file</file>
       <file source="ldap_client.crt" file_type="variable">ldap_cert_file</file>
diff --git a/seed/ldap-client/templates/ldap-client.service b/seed/ldap-client/templates/ldap-client.service
new file mode 100644
index 0000000..6cbf68c
--- /dev/null
+++ b/seed/ldap-client/templates/ldap-client.service
@@ -0,0 +1,8 @@
+[Unit]
+After=network-online.target
+Before=risotto.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/%%ldap_server_address/%%ldap_port; do sleep 1; done'
+
diff --git a/seed/lemonldap/templates/lemonldap-ng-fastcgi-server.service b/seed/lemonldap/templates/lemonldap-ng-fastcgi-server.service
index f61277e..adbfcf3 100644
--- a/seed/lemonldap/templates/lemonldap-ng-fastcgi-server.service
+++ b/seed/lemonldap/templates/lemonldap-ng-fastcgi-server.service
@@ -1,7 +1,6 @@
 [Unit]
-After=nginx.service
+After=risotto.target nginx.service
 
 [Service]
-ExecStartPre=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/%%ldap_server_address/%%ldap_port; do sleep 1; done'
 ExecStartPost=-/usr/bin/timeout 10 bash -c 'while ! /usr/local/lib/sbin/interne_well_known.pl > /var/www/html/.well-known/openid-configuration/int; do sleep 1; done'
 ExecStartPost=-/bin/bash -c '/usr/local/lib/sbin/interne_well_known.pl no > /var/www/html/.well-known/openid-configuration/ext'
diff --git a/seed/mailman/templates/mailman3.service b/seed/mailman/templates/mailman3.service
index 58932c6..5727c46 100644
--- a/seed/mailman/templates/mailman3.service
+++ b/seed/mailman/templates/mailman3.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=Postorius WSGI Service
-After=postgresqlclient.service
+After=risotto.target
 
 [Service]
 %for %%domain in %%mailman_domains
diff --git a/seed/mailman/templates/postorius.service b/seed/mailman/templates/postorius.service
index 1f29c6c..83374d6 100644
--- a/seed/mailman/templates/postorius.service
+++ b/seed/mailman/templates/postorius.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=Postorius WSGI Service
-After=network.target postgresqlclient.service
+After=risotto.target
 
 [Service]
 Type=notify
diff --git a/seed/mariadb-client/dictionaries/20_mariadb.xml b/seed/mariadb-client/dictionaries/20_mariadb.xml
index 39ac585..36155f6 100644
--- a/seed/mariadb-client/dictionaries/20_mariadb.xml
+++ b/seed/mariadb-client/dictionaries/20_mariadb.xml
@@ -1,7 +1,7 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
   <services>
-    <service name="mariadbclient" target="multi-user" engine="creole"/>
+    <service name="mariadbclient" target="risotto" engine="creole"/>
   </services>
   <variables>
     <family name="mariadb" description="MariaDB">
diff --git a/seed/mariadb-client/templates/mariadbclient.service b/seed/mariadb-client/templates/mariadbclient.service
index 0b583e1..007e422 100644
--- a/seed/mariadb-client/templates/mariadbclient.service
+++ b/seed/mariadb-client/templates/mariadbclient.service
@@ -1,6 +1,7 @@
 [Unit]
 Description=Waiting for mariadb server
-Before=network.target
+After=network-online.target
+Before=risotto.target
 
 [Service]
 Type=oneshot
diff --git a/seed/nextcloud/templates/nextcloud.service b/seed/nextcloud/templates/nextcloud.service
index 0a9339f..16c79b5 100644
--- a/seed/nextcloud/templates/nextcloud.service
+++ b/seed/nextcloud/templates/nextcloud.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=Nextcloud management
-After=postgresqlclient.service
+After=risotto.target
 Before=apache.service php-fpm.service
 
 [Service]
diff --git a/seed/nsd/templates/nsd.service b/seed/nsd/templates/nsd.service
index 6f45f4e..f48cf18 100644
--- a/seed/nsd/templates/nsd.service
+++ b/seed/nsd/templates/nsd.service
@@ -1,2 +1,2 @@
 [Unit]
-After=network.target
+After=risotto.target
diff --git a/seed/oauth2-client/dictionaries/30_oauth2_client.xml b/seed/oauth2-client/dictionaries/30_oauth2_client.xml
index cc6e415..80a28a6 100644
--- a/seed/oauth2-client/dictionaries/30_oauth2_client.xml
+++ b/seed/oauth2-client/dictionaries/30_oauth2_client.xml
@@ -1,5 +1,8 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
+  <services>
+    <service name="oauth2-client" target="risotto" engine="creole"/>
+  </services>
   <variables>
     <family name="oauth2_client" description="OAuth2 client">
       <variable name="oauth2_client_server_domainname" type="domainname" description="OAuth2 server domain name" mandatory='True' supplier="OAuth2"/>
diff --git a/seed/oauth2-client/manual/image/preinstall/oauth2-client.sh b/seed/oauth2-client/manual/image/preinstall/oauth2-client.sh
new file mode 100644
index 0000000..c6335d9
--- /dev/null
+++ b/seed/oauth2-client/manual/image/preinstall/oauth2-client.sh
@@ -0,0 +1 @@
+PKG="$PKG curl"
diff --git a/seed/oauth2-client/templates/oauth2-client.service b/seed/oauth2-client/templates/oauth2-client.service
new file mode 100644
index 0000000..c2bb776
--- /dev/null
+++ b/seed/oauth2-client/templates/oauth2-client.service
@@ -0,0 +1,7 @@
+[Unit]
+After=network-online.target
+Before=risotto.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/timeout 90 bash -c 'while ! [ "$(/usr/bin/curl --write-out '%{http_code}' --silent --output /dev/null https://%%oauth2_client_server_domainname/.well-known/openid-configuration)" = 200 ]; do sleep 1; done;'
diff --git a/seed/piwigo/templates/piwigo.service b/seed/piwigo/templates/piwigo.service
index e75c1c1..16b5b98 100644
--- a/seed/piwigo/templates/piwigo.service
+++ b/seed/piwigo/templates/piwigo.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=Piwigo management
-After=mariadbclient.service
+After=risotto.target
 Before=nginx.service php-fpm.service
 
 [Service]
diff --git a/seed/postgresql-client/dictionaries/23_postgresql.xml b/seed/postgresql-client/dictionaries/23_postgresql.xml
index 138f7d3..9afde85 100644
--- a/seed/postgresql-client/dictionaries/23_postgresql.xml
+++ b/seed/postgresql-client/dictionaries/23_postgresql.xml
@@ -1,7 +1,7 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
   <services>
-    <service name="postgresqlclient" target="multi-user" engine="creole">
+    <service name="postgresqlclient" target="risotto" engine="creole">
       <file mode="400">/secrets/postgresql.pass</file>
       <file>/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt</file>
       <file>/etc/pki/tls/certs/postgresql.crt</file>
diff --git a/seed/postgresql-client/templates/postgresqlclient.service b/seed/postgresql-client/templates/postgresqlclient.service
index 7addde1..fd8b647 100644
--- a/seed/postgresql-client/templates/postgresqlclient.service
+++ b/seed/postgresql-client/templates/postgresqlclient.service
@@ -1,6 +1,7 @@
 [Unit]
 Description=Waiting for postgresql server
-Before=network.target
+After=network-online.target
+Before=risotto.target
 
 [Service]
 Type=oneshot
diff --git a/seed/roundcube/templates/roundcube.service b/seed/roundcube/templates/roundcube.service
index 92913e3..19b462b 100644
--- a/seed/roundcube/templates/roundcube.service
+++ b/seed/roundcube/templates/roundcube.service
@@ -1,6 +1,6 @@
 [Unit]
 Description=Roundcube database init
-After=postgresqlclient.service
+After=risotto.target
 Before=nginx.service php-fpm.service
 
 [Service]
diff --git a/seed/systemd/dictionaries/15-systemd.xml b/seed/systemd/dictionaries/15-systemd.xml
index 6819b86..deaf2e7 100644
--- a/seed/systemd/dictionaries/15-systemd.xml
+++ b/seed/systemd/dictionaries/15-systemd.xml
@@ -29,6 +29,7 @@
       <file>/secrets/root.pwd</file>
       <file engine="none">/tmpfiles.d/risotto-volatile.conf</file>
     </service>
+    <service name="risotto" target="multi-user" type="target" engine="none"/>
   </services>
   <variables>
     <variable name='root_password' type="password" description="Mot de passe de l'administrateur système root" auto_save='False' mandatory="True"/>
diff --git a/seed/systemd/templates/risotto.target b/seed/systemd/templates/risotto.target
new file mode 100644
index 0000000..8f4c5e6
--- /dev/null
+++ b/seed/systemd/templates/risotto.target
@@ -0,0 +1,5 @@
+[Unit]
+Description=Waiting for all dependencies
+Before=multi-user.target
+After=network-online.target
+Wants=network-online.target

From 6ce90c458006e7f0f2f1a23a2b81459e44ffb1fb Mon Sep 17 00:00:00 2001
From: Emmanuel Garette <egarette@cadoles.com>
Date: Fri, 19 Aug 2022 20:30:13 +0200
Subject: [PATCH 2/3] simplify nginx configuration

---
 .../manual/install/install_machines           | 38 +++++++++-
 seed/dovecot/dictionaries/26_dovecot.xml      |  6 +-
 seed/dovecot/templates/autoconfig.conf        | 14 +---
 .../dictionaries/70_lemonldap_ng.xml          |  2 +-
 seed/lemonldap/templates/wget.pl              |  1 -
 seed/mailman/applicationservice.yml           |  2 +-
 seed/mailman/dictionaries/31_mailman.xml      |  7 +-
 seed/mailman/templates/config-nginx.conf      | 71 ++++++++-----------
 .../{20_nginx.xml => 21_nginx.xml}            |  1 +
 seed/nginx-common/templates/nginx-common.yml  | 13 ++++
 seed/nginx-common/templates/nginx.conf        | 18 ++++-
 seed/nginx-common/tests/test_nginx_commmon.py | 50 +++++++++++++
 seed/nginx-https/dictionaries/25_nginx.xml    | 21 ++----
 .../dictionaries/20_nginx.xml                 |  8 +++
 .../dictionaries/25_nginx.xml                 |  5 +-
 .../nginx-reverse-proxy/templates/ca_HTTP.crt |  3 +
 seed/nginx-reverse-proxy/templates/nginx.crt  |  2 +
 seed/nginx-reverse-proxy/templates/nginx.key  |  1 +
 .../templates/revprox-nginx.conf              |  2 +-
 .../nginx-reverse-proxy/tests/test_revprox.py | 13 +---
 seed/peertube/applicationservice.yml          |  2 +-
 seed/peertube/dictionaries/30_peertube.xml    |  6 +-
 seed/peertube/templates/nginx.peertube.conf   | 39 +++++-----
 .../templates/nginx.peertube.conf.d.conf      |  4 ++
 seed/piwigo/dictionaries/31_piwigo.xml        |  9 +--
 .../templates/piwigo.nginx.conf}              | 18 +++--
 seed/pleroma/dictionaries/30_pleroma.xml      |  2 +-
 seed/postgresql/DEBUG.md                      |  1 +
 seed/reverse-proxy-client/tests/revprox.py    |  2 +-
 29 files changed, 222 insertions(+), 139 deletions(-)
 rename seed/nginx-common/dictionaries/{20_nginx.xml => 21_nginx.xml} (98%)
 create mode 100644 seed/nginx-common/templates/nginx-common.yml
 create mode 100644 seed/nginx-common/tests/test_nginx_commmon.py
 create mode 100644 seed/nginx-reverse-proxy/dictionaries/20_nginx.xml
 create mode 100644 seed/nginx-reverse-proxy/templates/ca_HTTP.crt
 create mode 100644 seed/nginx-reverse-proxy/templates/nginx.crt
 create mode 100644 seed/nginx-reverse-proxy/templates/nginx.key
 create mode 100644 seed/peertube/templates/nginx.peertube.conf.d.conf
 rename seed/{nginx-https/templates/risotto.conf => piwigo/templates/piwigo.nginx.conf} (82%)
 create mode 100644 seed/postgresql/DEBUG.md

diff --git a/seed/base-machine/manual/install/install_machines b/seed/base-machine/manual/install/install_machines
index f053a5f..82388f3 100755
--- a/seed/base-machine/manual/install/install_machines
+++ b/seed/base-machine/manual/install/install_machines
@@ -14,7 +14,7 @@ for image in *; do
                 if [ -f "host/configurations/$HOST_NAME/etc/systemd/nspawn/$osname.nspawn" ]; then
                     MACHINES="$MACHINES$osname "
                 fi
-		echo
+                echo
                 echo "Install machine $image"
                 ./install_machine "$HOST_NAME" "$image" "$osname"
             fi
@@ -23,5 +23,39 @@ for image in *; do
 done
 machinectl enable $MACHINES
 machinectl start $MACHINES
+STARTED=""
+DEGRADED=""
+found=true
+idx=0
+while [ $found = true ]; do
+    found=false
+    echo "tentative $idx"
+    for machine in $MACHINES; do
+        if ! echo $STARTED | grep -q " $machine "; then
+            status=$(machinectl -q shell $machine /usr/bin/systemctl is-system-running || true)
+            if echo "$status" | grep -q degraded; then
+                STARTED="$STARTED $machine "
+                DEGRADED="$DEGRADED $machine"
+            elif echo "$status" | grep -q running; then
+                STARTED="$STARTED $machine "
+            else
+                found=true
+                echo "status actuel de $machine : $status"
+            fi
+        fi
+    done
+    sleep 2
+    idx=$((idx+1))
+    if [ $idx = 60 ]; then
+        break
+    fi
+done
+retcode=0
+for machine in $DEGRADED; do
+    echo
+    echo "========= $machine"
+    machinectl -q shell $machine /usr/bin/systemctl --state=failed --no-legend --no-pager
+    retcode=1
+done
 
-exit 0
+exit $retcode
diff --git a/seed/dovecot/dictionaries/26_dovecot.xml b/seed/dovecot/dictionaries/26_dovecot.xml
index 05e555e..89a5502 100644
--- a/seed/dovecot/dictionaries/26_dovecot.xml
+++ b/seed/dovecot/dictionaries/26_dovecot.xml
@@ -18,7 +18,7 @@
     </service>
     <service name='dovecot-init'>
       <override/>
-      <file>/etc/nginx/conf.d/autoconfig.conf</file>
+      <file>/etc/nginx/default.d/autoconfig.conf</file>
     </service>
     <service name='nginx'>
       <file source='config-v1.1.xml' file_type="variable" variable="mail_domains">well_known_filenames</file>
@@ -90,8 +90,8 @@
         <variable name="revprox_client_external_domainnames" redefine="True"/>
         <variable name="revprox_client_web_address" redefine="True"/>
       </family>
-      <variable name="nginx_default_https" redefine="True">
-        <value>False</value>
+      <variable name="nginx_root" redefine='True'>
+        <value>/var/www/html</value>
       </variable>
     </family>
   </variables>
diff --git a/seed/dovecot/templates/autoconfig.conf b/seed/dovecot/templates/autoconfig.conf
index 8be4082..c4faeeb 100644
--- a/seed/dovecot/templates/autoconfig.conf
+++ b/seed/dovecot/templates/autoconfig.conf
@@ -1,12 +1,2 @@
-server {
-    listen 443 ssl;
-    server_name %%domain_name_eth0;
-
-    ssl_client_certificate %%revprox_ca_file;
-    ssl_certificate        %%revprox_cert_file;
-    ssl_certificate_key    %%revprox_key_file;
-
-    root /var/www/html/;
-    # To allow POST on static pages
-    error_page  405     =200 $uri;
-}
+# To allow POST on static pages
+error_page  405     =200 $uri;
diff --git a/seed/lemonldap/dictionaries/70_lemonldap_ng.xml b/seed/lemonldap/dictionaries/70_lemonldap_ng.xml
index 37b7de8..d5b9eea 100644
--- a/seed/lemonldap/dictionaries/70_lemonldap_ng.xml
+++ b/seed/lemonldap/dictionaries/70_lemonldap_ng.xml
@@ -25,10 +25,10 @@
   </services>
   <variables>
     <family name="nginx">
+      <variable name="oauth2_client_external_domain" type="domainname" hidden="True" supplier="OAuth2Client:external_domain"/>
       <variable name="nginx_default_https" redefine="True">
         <value>False</value>
       </variable>
-      <variable name="oauth2_client_external_domain" type="domainname" hidden="True" supplier="OAuth2Client:external_domain"/>
     </family>
     <family name="lemonldap" description="LemonLDAP" help="Configuration de la solution d'authentification unique LemonLDAP::NG">
       <variable name="lemon_proc" type="number" description="Nombre de processus dédié à LemonLdap (équivalent au nombre de processeurs)" mandatory="True">
diff --git a/seed/lemonldap/templates/wget.pl b/seed/lemonldap/templates/wget.pl
index b46dc4b..ca4eda7 100644
--- a/seed/lemonldap/templates/wget.pl
+++ b/seed/lemonldap/templates/wget.pl
@@ -1,7 +1,6 @@
 %echo "#!/usr/bin/env perl"
 
 use HTTP::Tiny;
-use JSON qw(from_json to_json);
 
 my $response = HTTP::Tiny->new->get('https://%%domain_name_eth0/.well-known/openid-configuration');
 
diff --git a/seed/mailman/applicationservice.yml b/seed/mailman/applicationservice.yml
index 769c586..17e1ec5 100644
--- a/seed/mailman/applicationservice.yml
+++ b/seed/mailman/applicationservice.yml
@@ -5,5 +5,5 @@ depends:
   - postgresql-client
   - relay-lmtp-client
   - reverse-proxy-client
-  - nginx-common
+  - nginx-https
   - oauth2-client
diff --git a/seed/mailman/dictionaries/31_mailman.xml b/seed/mailman/dictionaries/31_mailman.xml
index b705502..3bf09da 100644
--- a/seed/mailman/dictionaries/31_mailman.xml
+++ b/seed/mailman/dictionaries/31_mailman.xml
@@ -11,7 +11,7 @@
     <service name="postorius" target="multi-user" engine="creole">
       <file engine="none">/etc/postorius/gunicorn_config.py</file>
       <file engine="none" source="sysuser-postorius.conf">/sysusers.d/0postorius.conf</file>
-      <file source="config-nginx.conf">/etc/nginx/conf.d/postorius.conf</file>
+      <file source="config-nginx.conf">/etc/nginx/default.d/postorius.conf</file>
       <file source="postorius-settings.py">/etc/mailman3.d/postorius.py</file>
     </service>
     <service name="postgresqlclient" target="multi-user" engine="creole">
@@ -47,6 +47,11 @@
         <variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
       </family>
     </family>
+    <family name="nginx">
+      <variable name="nginx_root" redefine="True">
+        <value>/usr/share/webapps/postorius</value>
+      </variable>
+    </family>
     <family name="postgresql">
       <variable name="pg_client_key_owner" redefine="True">
         <value>mailman</value>
diff --git a/seed/mailman/templates/config-nginx.conf b/seed/mailman/templates/config-nginx.conf
index 5c928d7..56b0747 100644
--- a/seed/mailman/templates/config-nginx.conf
+++ b/seed/mailman/templates/config-nginx.conf
@@ -1,42 +1,31 @@
-server {
-    listen 443 ssl;
-    server_name %%domain_name_eth0;
-
-    ssl_client_certificate %%revprox_ca_file;
-    ssl_certificate        %%revprox_cert_file;
-    ssl_certificate_key    %%revprox_key_file;
-
-    charset utf-8;
-    client_max_body_size 75M;
-    root /usr/share/webapps/postorius;
-
-    location /mailman/postorius_static {
-        alias /usr/lib/python3.10/site-packages/postorius/static;
-    }
-    #FIXME user-profile seems to be in hyperkitty redirect in existing page
-    location /mailman/user-profile {
-        proxy_pass http://127.0.0.1:8002/postorius/users;
-        proxy_set_header        Host                    $http_host;
-        proxy_set_header        X-Real-IP               $remote_addr;
-        proxy_set_header        X-Forwarded-Host        $host;
-        proxy_set_header        X-Forwarded-Port        $server_port;
-        proxy_set_header        X-Forwarded-Server      $host;
-        proxy_set_header        X-Forwarded-For         $proxy_add_x_forwarded_for;
-        proxy_set_header        X-Forwarded-Proto       $scheme;
-    }
-%for %%location in ['accounts', 'admin', 'postorius']
-    location /mailman/%%location {
-        proxy_pass http://127.0.0.1:8002/%%location;
-        proxy_set_header        Host                    $http_host;
-        proxy_set_header        X-Real-IP               $remote_addr;
-        proxy_set_header        X-Forwarded-Host        $host;
-        proxy_set_header        X-Forwarded-Port        $server_port;
-        proxy_set_header        X-Forwarded-Server      $host;
-        proxy_set_header        X-Forwarded-For         $proxy_add_x_forwarded_for;
-        proxy_set_header        X-Forwarded-Proto       $scheme;
-    }
-%end for
-    location /mailman {
-        rewrite ^(/mailman/.*)$ /mailman/postorius/ permanent;
-    }
+charset utf-8;
+client_max_body_size 75M;
+location /mailman/postorius_static {
+    alias /usr/lib/python3.10/site-packages/postorius/static;
+}
+#FIXME user-profile seems to be in hyperkitty redirect in existing page
+location /mailman/user-profile {
+    proxy_pass http://127.0.0.1:8002/postorius/users;
+    proxy_set_header        Host                    $http_host;
+    proxy_set_header        X-Real-IP               $remote_addr;
+    proxy_set_header        X-Forwarded-Host        $host;
+    proxy_set_header        X-Forwarded-Port        $server_port;
+    proxy_set_header        X-Forwarded-Server      $host;
+    proxy_set_header        X-Forwarded-For         $proxy_add_x_forwarded_for;
+    proxy_set_header        X-Forwarded-Proto       $scheme;
+}
+%for %%location in ['accounts', 'admin', 'postorius']
+location /mailman/%%location {
+    proxy_pass http://127.0.0.1:8002/%%location;
+    proxy_set_header        Host                    $http_host;
+    proxy_set_header        X-Real-IP               $remote_addr;
+    proxy_set_header        X-Forwarded-Host        $host;
+    proxy_set_header        X-Forwarded-Port        $server_port;
+    proxy_set_header        X-Forwarded-Server      $host;
+    proxy_set_header        X-Forwarded-For         $proxy_add_x_forwarded_for;
+    proxy_set_header        X-Forwarded-Proto       $scheme;
+}
+%end for
+location /mailman {
+    rewrite ^(/mailman/.*)$ /mailman/postorius/ permanent;
 }
diff --git a/seed/nginx-common/dictionaries/20_nginx.xml b/seed/nginx-common/dictionaries/21_nginx.xml
similarity index 98%
rename from seed/nginx-common/dictionaries/20_nginx.xml
rename to seed/nginx-common/dictionaries/21_nginx.xml
index 2279a56..0ab1a52 100644
--- a/seed/nginx-common/dictionaries/20_nginx.xml
+++ b/seed/nginx-common/dictionaries/21_nginx.xml
@@ -13,6 +13,7 @@
       <file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_ca_file</file>
       <file filelist="nginx_default_https" mode="600">/etc/pki/tls/certs/nginx.crt</file>
       <file filelist="nginx_default_https" mode="600">/etc/pki/tls/private/nginx.key</file>
+      <file>/tests/nginx-common.yml</file>
     </service>
   </services>
   <variables>
diff --git a/seed/nginx-common/templates/nginx-common.yml b/seed/nginx-common/templates/nginx-common.yml
new file mode 100644
index 0000000..4680042
--- /dev/null
+++ b/seed/nginx-common/templates/nginx-common.yml
@@ -0,0 +1,13 @@
+address: %%ip_eth0
+nginx_default_http: %slurp
+%if %%getVar('nginx_default_http', False) and not %%getVar('revprox_client_external_domainnames', None)
+true
+%else
+false
+%end if
+nginx_default_https: %slurp
+%if %%getVar('nginx_default_https', False) and not %%getVar('revprox_client_external_domainnames', None)
+true
+%else
+false
+%end if
diff --git a/seed/nginx-common/templates/nginx.conf b/seed/nginx-common/templates/nginx.conf
index 758cb4d..b8cf422 100644
--- a/seed/nginx-common/templates/nginx.conf
+++ b/seed/nginx-common/templates/nginx.conf
@@ -76,14 +76,24 @@ http {
  %if %%nginx_default_https
     server {
         listen       443 ssl http2;
-        server_name  %%domain_name_eth0;
+  %if %%getVar('revprox_client_external_domainnames', None)
+   %for %%domain in %%revprox_client_external_domainnames
+        server_name %%domain;
+   %end for
+  %else
+        server_name  _;
+  %end if
         root         %%nginx_root;
 
         # ssl_certificate "/etc/pki/nginx/server.crt";
         # ssl_certificate_key "/etc/pki/nginx/private/server.key";
         ssl_certificate              /etc/pki/tls/certs/nginx.crt;
         ssl_certificate_key          /etc/pki/tls/private/nginx.key;
-        ssl_client_certificate       /etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt;
+  %if %%getVar('revprox_client_external_domainnames', None)
+        ssl_client_certificate       %%revprox_ca_file;
+  %else
+        ssl_client_certificate       /etc/pki/ca-trust/source/anchors/ca_HTTP.crt;
+  %end if
 
         ssl_session_cache shared:SSL:1m;
         ssl_session_timeout  10m;
@@ -105,5 +115,7 @@ http {
 %else
     include /etc/nginx/sites-enabled/*;
 %end if
-
+%if not %%getVar('revprox_client_external_domainnames', None)
+    include /etc/nginx/sites-enabled/*;
+%end if
 }
diff --git a/seed/nginx-common/tests/test_nginx_commmon.py b/seed/nginx-common/tests/test_nginx_commmon.py
new file mode 100644
index 0000000..efbfc86
--- /dev/null
+++ b/seed/nginx-common/tests/test_nginx_commmon.py
@@ -0,0 +1,50 @@
+from yaml import load, SafeLoader
+from os import environ
+from pytest import raises
+
+import warnings
+import socket
+from requests import get
+from requests.exceptions import SSLError
+
+
+def req(url, ip, verify=True):
+    # Monkey patch to force IPv4 resolution
+    old_getaddrinfo = socket.getaddrinfo
+    def new_getaddrinfo(*args, **kwargs):
+        ret = old_getaddrinfo(*args, **kwargs)
+        dns = list(ret[0])
+        dns[-1] = (ip, dns[-1][1])
+        return [dns]
+    socket.getaddrinfo = new_getaddrinfo
+    if not verify:
+        with warnings.catch_warnings():
+            warnings.simplefilter("ignore")
+            ret = get(url, verify=verify)
+    else:
+        ret = get(url, verify=verify)
+    ret_code = ret.status_code
+    content = ret.content
+    socket.getaddrinfo = old_getaddrinfo
+    return ret_code, content.decode()
+
+
+def test_revprox():
+    conf_file = f'{environ["MACHINE_TEST_DIR"]}/nginx-common.yml'
+    with open(conf_file) as yaml:
+        data = load(yaml, Loader=SafeLoader)
+    # test unknown domain
+    url = 'google.fr'
+    protocols = []
+    if data['nginx_default_http']:
+        protocols.append('http')
+    if data['nginx_default_https']:
+        protocols.append('https')
+        # test certificate
+        with raises(SSLError):
+            # not certificat problem for https://{url}
+            req(f'https://{url}', data['address'])
+    for protocol in protocols:
+        ret_code, content = req(f'{protocol}://{url}', data['address'], verify=False)
+        assert ret_code == 200, f'{protocol}://{url} do not returns code 200 but {ret_code}'
+        assert "<title>Test Page for the HTTP Server on Fedora</title>" in content, f'{protocol}://{url} do not returns default fedora page'
diff --git a/seed/nginx-https/dictionaries/25_nginx.xml b/seed/nginx-https/dictionaries/25_nginx.xml
index f908f0b..1f24bfa 100644
--- a/seed/nginx-https/dictionaries/25_nginx.xml
+++ b/seed/nginx-https/dictionaries/25_nginx.xml
@@ -1,22 +1,16 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
-  <services>
-    <service name='nginx'>
-      <file filelist="nginx_default_risotto">/etc/nginx/default.d/risotto.conf</file>
-    </service>
-  </services>
   <variables>
     <family name="nginx">
-      <variable name="nginx_default_https" redefine="True">
+      <variable name="nginx_default_http" redefine="True" hidden="True">
+        <value>False</value>
+      </variable>
+      <variable name="nginx_default_https" redefine="True" hidden="True">
         <value>True</value>
       </variable>
       <variable name="php_fpm_user" redefine="True" exists="True">
         <value>nginx</value>
       </variable>
-      <variable name="nginx_root_directory" type="filename"/>
-      <variable name="nginx_locations" type="filename" multi="True" mandatory="True">
-        <value>/</value>
-      </variable>
     </family>
     <family name="redis" description="Redis">
       <variable name="redis_client_key_owner" redefine="True" exists="True">
@@ -29,11 +23,4 @@
       </variable>
     </family>
   </variables>
-  <constraints>
-    <condition name="disabled_if_in" source="nginx_root_directory">
-      <param type="nil"/>
-      <target type="filelist">nginx_default_risotto</target>
-      <target type="variable">nginx_locations</target>
-    </condition>
-  </constraints>
 </rougail>
diff --git a/seed/nginx-reverse-proxy/dictionaries/20_nginx.xml b/seed/nginx-reverse-proxy/dictionaries/20_nginx.xml
new file mode 100644
index 0000000..85ac9c5
--- /dev/null
+++ b/seed/nginx-reverse-proxy/dictionaries/20_nginx.xml
@@ -0,0 +1,8 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name='nginx'>
+      <file>/etc/pki/ca-trust/source/anchors/ca_HTTP.crt</file>
+    </service>
+  </services>
+</rougail>
diff --git a/seed/nginx-reverse-proxy/dictionaries/25_nginx.xml b/seed/nginx-reverse-proxy/dictionaries/25_nginx.xml
index 3ed3d35..e4aa369 100644
--- a/seed/nginx-reverse-proxy/dictionaries/25_nginx.xml
+++ b/seed/nginx-reverse-proxy/dictionaries/25_nginx.xml
@@ -4,7 +4,7 @@
     <service name='nginx'>
       <override engine="creole"/>
       <file source="nginx-options-rp.conf">/etc/nginx/conf.d/options-rp.conf</file>
-      <file source="revprox-nginx.conf">/etc/nginx/conf.d/risotto.conf</file>
+      <file source="revprox-nginx.conf">/etc/nginx/sites-enabled/risotto.conf</file>
       <file source="certificate.crt" file_type="variable" mode="600" variable="nginx.revprox_domainnames">nginx.nginx_certificate_filename</file>
       <file source="private.key" file_type="variable" mode="600" variable="nginx.revprox_domainnames">nginx.nginx_private_key_filename</file>
       <file>/tests/reverse-proxy.yml</file>
@@ -22,6 +22,9 @@
       <variable name="nginx_default_http" redefine="True">
         <value>True</value>
       </variable>
+      <variable name="nginx_default_https" redefine="True">
+        <value>True</value>
+      </variable>
     </family>
   </variables>
 </rougail>
diff --git a/seed/nginx-reverse-proxy/templates/ca_HTTP.crt b/seed/nginx-reverse-proxy/templates/ca_HTTP.crt
new file mode 100644
index 0000000..dcbc3aa
--- /dev/null
+++ b/seed/nginx-reverse-proxy/templates/ca_HTTP.crt
@@ -0,0 +1,3 @@
+%for %%idx in %%range(%%len(%%zones_list))
+%%get_chain(authority_cn=%%getVar('domain_name_eth' + %%str(%%idx)), authority_name="HTTP", hide=%%hide_secret)
+%end for
diff --git a/seed/nginx-reverse-proxy/templates/nginx.crt b/seed/nginx-reverse-proxy/templates/nginx.crt
new file mode 100644
index 0000000..de2a8a1
--- /dev/null
+++ b/seed/nginx-reverse-proxy/templates/nginx.crt
@@ -0,0 +1,2 @@
+%%get_certificate(%%nginx_default, authority_cn=%%domain_name_eth0, authority_name='HTTP', type="server", hide=%%hide_secret)
+%%get_chain(%%nginx_default, 'HTTP', hide=%%hide_secret)
diff --git a/seed/nginx-reverse-proxy/templates/nginx.key b/seed/nginx-reverse-proxy/templates/nginx.key
new file mode 100644
index 0000000..4d393c6
--- /dev/null
+++ b/seed/nginx-reverse-proxy/templates/nginx.key
@@ -0,0 +1 @@
+%%get_private_key(%%nginx_default, authority_cn=%%domain_name_eth0, authority_name='HTTP', type='server', hide=%%hide_secret)
diff --git a/seed/nginx-reverse-proxy/templates/revprox-nginx.conf b/seed/nginx-reverse-proxy/templates/revprox-nginx.conf
index c1c7ff6..0f48e77 100644
--- a/seed/nginx-reverse-proxy/templates/revprox-nginx.conf
+++ b/seed/nginx-reverse-proxy/templates/revprox-nginx.conf
@@ -41,7 +41,7 @@ server {
         proxy_set_header        X-Forwarded-Proto       $scheme;
         proxy_set_header        Destination             $dest;
        %end if
-        proxy_ssl_trusted_certificate /etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt;
+        proxy_ssl_trusted_certificate %%revprox_ca_file;
         proxy_ssl_verify       on;
         proxy_ssl_verify_depth 2;
         proxy_ssl_session_reuse on;
diff --git a/seed/nginx-reverse-proxy/tests/test_revprox.py b/seed/nginx-reverse-proxy/tests/test_revprox.py
index d48cc78..592807d 100644
--- a/seed/nginx-reverse-proxy/tests/test_revprox.py
+++ b/seed/nginx-reverse-proxy/tests/test_revprox.py
@@ -32,19 +32,8 @@ def test_revprox():
     conf_file = f'{environ["MACHINE_TEST_DIR"]}/reverse-proxy.yml'
     with open(conf_file) as yaml:
         data = load(yaml, Loader=SafeLoader)
-    # test unknown domain
-    url = 'google.fr'
-    ret_code, content = req(f'https://{url}', data['address'], verify=False)
-    assert ret_code == 200, f'https://{url} do not returns code 200 but {ret_code}'
-    assert "<title>Test Page for the HTTP Server on Fedora</title>" in content, f'https://{url} returns default fedora page'
-    # test certificate
-    try:
-        req(f'https://{url}', data['address'])
-        raise Exception(f'not certificat problem for https://{url}')
-    except SSLError:
-        pass
     # test known domains
     for url in data['urls']:
         ret_code, content = req(f'https://{url}', data['address'])
         assert ret_code == 200, f'https://{url} do not returns code 200 but {ret_code}'
-        assert "<title>Test Page for the HTTP Server on Fedora</title>" not in content, f'https://{url} returns default fedora page'
+        assert "<title>Test Page for the HTTP Server on Fedora</title>" not in content, f'https://{url} do returns default fedora page'
diff --git a/seed/peertube/applicationservice.yml b/seed/peertube/applicationservice.yml
index 6ae8b4b..1aa97ab 100644
--- a/seed/peertube/applicationservice.yml
+++ b/seed/peertube/applicationservice.yml
@@ -7,5 +7,5 @@ depends:
   - relay-mail-client
   - reverse-proxy-client
   - redis-client
-  - nginx-common
+  - nginx-https
   - oauth2-client
diff --git a/seed/peertube/dictionaries/30_peertube.xml b/seed/peertube/dictionaries/30_peertube.xml
index 47aa548..6e627f1 100644
--- a/seed/peertube/dictionaries/30_peertube.xml
+++ b/seed/peertube/dictionaries/30_peertube.xml
@@ -6,7 +6,8 @@
       <file engine="none" source="sysuser-peertube.conf">/sysusers.d/0peertube.conf</file>
       <file engine="none" source="tmpfile-peertube.conf">/tmpfiles.d/0peertube.conf</file>
       <file>/etc/peertube/production.yaml</file>
-      <file source="nginx.peertube.conf">/etc/nginx/conf.d/peertube.conf</file>
+      <file source="nginx.peertube.conf">/etc/nginx/default.d/peertube.conf</file>
+      <file source="nginx.peertube.conf.d.conf">/etc/nginx/conf.d/peertube.conf</file>
     </service>
   </services>
   <variables>
@@ -45,6 +46,9 @@
       </family>
     </family>
     <family name="nginx">
+      <variable name="nginx_root" redefine='True'>
+	<value>/usr/share/peertube</value>
+      </variable>
       <family name="revprox_client">
         <variable name="revprox_client_location" redefine="True">
           <value>/</value>
diff --git a/seed/peertube/templates/nginx.peertube.conf b/seed/peertube/templates/nginx.peertube.conf
index 145eee6..0f1fcf9 100644
--- a/seed/peertube/templates/nginx.peertube.conf
+++ b/seed/peertube/templates/nginx.peertube.conf
@@ -16,15 +16,14 @@
 # GNUNUX   location / { return 301 https://$host$request_uri; }
 # GNUNUX }
 
-upstream %%domain_name_eth0 {
-# GNUNUX  server ${PEERTUBE_HOST};
-  server localhost:9000;
-}
+# GNUNUX upstream %%domain_name_eth0 {
+# GNUNUX   server ${PEERTUBE_HOST};
+# GNUNUX }
 
-server {
-  listen 443 ssl http2;
-  listen [::]:443 ssl http2;
-  server_name %%domain_name_eth0;
+# GNUNUX server {
+# GNUNUX   listen 443 ssl http2;
+# GNUNUX   listen [::]:443 ssl http2;
+# GNUNUX   server_name %%domain_name_eth0;
 
 # GNUNUX  access_log /var/log/nginx/peertube.access.log; # reduce I/0 with buffer=10m flush=5m
 # GNUNUX  error_log  /var/log/nginx/peertube.error.log;
@@ -35,11 +34,6 @@ server {
   ##
 # GNUNUX  ssl_certificate     /etc/letsencrypt/live/${WEBSERVER_HOST}/fullchain.pem;
 # GNUNUX  ssl_certificate_key /etc/letsencrypt/live/${WEBSERVER_HOST}/privkey.pem;
-#>GNUNUX
-  ssl_client_certificate %%revprox_ca_file;
-  ssl_certificate        %%revprox_cert_file;
-  ssl_certificate_key    %%revprox_key_file;
-#<GNUNUX
 
 # GNUNUX  location ^~ '/.well-known/acme-challenge' {
 # GNUNUX    default_type "text/plain";
@@ -51,14 +45,14 @@ server {
   # based on Mozilla Guideline v5.6
   ##
 
-  ssl_protocols             TLSv1.2 TLSv1.3;
-  ssl_prefer_server_ciphers on;
-  ssl_ciphers               ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
-  ssl_session_timeout       1d; # defaults to 5m
-  ssl_session_cache         shared:SSL:10m; # estimated to 40k sessions
-  ssl_session_tickets       off;
-  ssl_stapling              on;
-  ssl_stapling_verify       on;
+# GNUNUX  ssl_protocols             TLSv1.2 TLSv1.3;
+# GNUNUX  ssl_prefer_server_ciphers on;
+# GNUNUX  ssl_ciphers               ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
+# GNUNUX  ssl_session_timeout       1d; # defaults to 5m
+# GNUNUX  ssl_session_cache         shared:SSL:10m; # estimated to 40k sessions
+# GNUNUX  ssl_session_tickets       off;
+# GNUNUX  ssl_stapling              on;
+# GNUNUX  ssl_stapling_verify       on;
   # HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
   #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
 
@@ -145,7 +139,6 @@ server {
   ##
 
 # GNUNUX  root /var/www/peertube/storage;
-  root /usr/share/peertube;
 
   # Enable compression for JS/CSS/HTML, for improved client load times.
   # It might be nice to compress JSON/XML as returned by the API, but
@@ -268,4 +261,4 @@ server {
 
     try_files $uri @api;
   }
-}
+# GNUNUX }
diff --git a/seed/peertube/templates/nginx.peertube.conf.d.conf b/seed/peertube/templates/nginx.peertube.conf.d.conf
new file mode 100644
index 0000000..f4183bb
--- /dev/null
+++ b/seed/peertube/templates/nginx.peertube.conf.d.conf
@@ -0,0 +1,4 @@
+upstream %%domain_name_eth0 {
+# GNUNUX  server ${PEERTUBE_HOST};
+  server localhost:9000;
+}
diff --git a/seed/piwigo/dictionaries/31_piwigo.xml b/seed/piwigo/dictionaries/31_piwigo.xml
index 58659e1..2e55fa6 100644
--- a/seed/piwigo/dictionaries/31_piwigo.xml
+++ b/seed/piwigo/dictionaries/31_piwigo.xml
@@ -7,16 +7,13 @@
       <file>/etc/piwigo/database.inc.php</file>
       <file mode="755">/sbin/piwigo.sh</file>
       <file engine="none">/etc/php-fpm.d/piwigo.conf</file>
+      <file source="piwigo.nginx.conf">/etc/nginx/default.d/piwigo.conf</file>
     </service>
   </services>
   <variables>
     <variable name="piwigo_admin_email" type="mail" description="Adresse courriel de l'administrateur Piwigo" mandatory="True"/>
     <variable name="piwigo_admin_password" type="password" auto_save="False" hidden="True"/>
-    <family name="nginx">
-      <variable name="nginx_root_directory" mandatory="True" redefine="True">
-        <value>/usr/local/share/piwigo</value>
-      </variable>
-    </family>
+    <variable name="piwigo_locations" type="filename" multi="True" mandatory="True"/>
     <variable name="piwigo_title" type="string" description="Titre de l'album" mandatory="True">
       <value>Album photographique</value>
     </variable>
@@ -53,7 +50,7 @@
     </fill>
     <fill name="get_locations">
       <param name="usernames" type="variable">piwigo_users</param>
-      <target>nginx_locations</target>
+      <target>piwigo_locations</target>
     </fill>
   </constraints>
 </rougail>
diff --git a/seed/nginx-https/templates/risotto.conf b/seed/piwigo/templates/piwigo.nginx.conf
similarity index 82%
rename from seed/nginx-https/templates/risotto.conf
rename to seed/piwigo/templates/piwigo.nginx.conf
index e7d34a4..1ba02a3 100644
--- a/seed/nginx-https/templates/risotto.conf
+++ b/seed/piwigo/templates/piwigo.nginx.conf
@@ -1,3 +1,5 @@
+# To allow POST on static pages
+error_page  405     =200 $uri;
 add_header                    X-Frame-Options "SAMEORIGIN";
 add_header                    X-Content-Type-Options nosniff;
 add_header                    X-XSS-Protection "1; mode=block";
@@ -6,18 +8,15 @@ add_header                    X-Download-Options noopen;
 add_header                    X-Permitted-Cross-Domain-Policies none;
 add_header                    Strict-Transport-Security 'max-age=31536000; includeSubDomains;';
 add_header                    Referrer-Policy no-referrer always;
-
-%for %%location in %%nginx_locations
+    
+%for %%location in %%piwigo_locations
 location %%location {
-%if %%location == '/'
+  %if %%location == '/'
   root                        %slurp
-%else
+  %else
   alias                       %slurp
-%end if
-%%nginx_root_directory;
-%if not %%getVar('php_fpm_installed', False)
-  index                       index.html;
-%else
+  %end if
+  /usr/local/share/piwigo;
   index                       index.php;
   location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
     fastcgi_pass              php-fpm;
@@ -25,6 +24,5 @@ location %%location {
     fastcgi_param             SCRIPT_FILENAME $request_filename;
     include                   fastcgi_params;
   }
-%end if
 }
 %end for
diff --git a/seed/pleroma/dictionaries/30_pleroma.xml b/seed/pleroma/dictionaries/30_pleroma.xml
index b457600..6a6cc7e 100644
--- a/seed/pleroma/dictionaries/30_pleroma.xml
+++ b/seed/pleroma/dictionaries/30_pleroma.xml
@@ -7,7 +7,7 @@
       <file engine="none" source="tmpfile-peertube.conf">/tmpfiles.d/0peertube.conf</file>
       <file>/etc/peertube/production.yaml</file>
       <file engine="none">/etc/pam.d/login</file>
-      <file source="nginx.peertube.conf">/etc/nginx/conf.d/peertube.conf</file>
+      <file source="nginx.peertube.conf">/etc/nginx/sites-enabled/peertube.conf</file>
     </service>
   </services>
   <variables>
diff --git a/seed/postgresql/DEBUG.md b/seed/postgresql/DEBUG.md
new file mode 100644
index 0000000..c835ba0
--- /dev/null
+++ b/seed/postgresql/DEBUG.md
@@ -0,0 +1 @@
+pg_dumpall --clean > /srv/database.sql
diff --git a/seed/reverse-proxy-client/tests/revprox.py b/seed/reverse-proxy-client/tests/revprox.py
index bb9ab17..abc9c09 100644
--- a/seed/reverse-proxy-client/tests/revprox.py
+++ b/seed/reverse-proxy-client/tests/revprox.py
@@ -33,7 +33,7 @@ class Authentication:
         ret = req.get(url)
         code = ret.status_code
         content = ret.content
-        assert code == 200
+        assert code == 200, f"cannot access to lemonldap; {content}"
         assert b'<title trspan="authPortal">Authentication portal</title>' in content, f'cannot find LemonLdap title: {content}'
 
     def auth_lemonldap(self,

From 29c09a37997ad6eba0bfa041536ea1a76b975bc4 Mon Sep 17 00:00:00 2001
From: Emmanuel Garette <egarette@cadoles.com>
Date: Sun, 21 Aug 2022 18:59:02 +0200
Subject: [PATCH 3/3] add mailman test

---
 seed/base-machine/tests/execute.py         |   4 +-
 seed/mailman/dictionaries/31_mailman.xml   |   1 +
 seed/mailman/extras/mailman/20_mailman.xml |   2 +-
 seed/mailman/funcs/mailman.py              |  24 +-
 seed/mailman/templates/mailman.yml         |  12 +
 seed/mailman/tests/test_mailman.py         | 396 +++++++++++++++++++++
 seed/reverse-proxy-client/tests/revprox.py |   6 +-
 7 files changed, 428 insertions(+), 17 deletions(-)
 create mode 100644 seed/mailman/templates/mailman.yml
 create mode 100644 seed/mailman/tests/test_mailman.py

diff --git a/seed/base-machine/tests/execute.py b/seed/base-machine/tests/execute.py
index 7b9cb08..76747d7 100644
--- a/seed/base-machine/tests/execute.py
+++ b/seed/base-machine/tests/execute.py
@@ -2,12 +2,14 @@ from os import fdopen
 from dbus import SystemBus, Array
 
 
-def run(host, cmd):
+def run(host, cmd, user=None):
     bus = SystemBus()
     remote_object = bus.get_object('org.freedesktop.machine1',
                                    '/org/freedesktop/machine1',
                                    False,
                                    )
+    if user is not None:
+        cmd = ['/bin/su', '-', user, '-s', '/bin/bash', '-c', ' '.join(cmd)]
     res = remote_object.OpenMachineShell(host,
                                          '',
                                          cmd[0],
diff --git a/seed/mailman/dictionaries/31_mailman.xml b/seed/mailman/dictionaries/31_mailman.xml
index 3bf09da..575e133 100644
--- a/seed/mailman/dictionaries/31_mailman.xml
+++ b/seed/mailman/dictionaries/31_mailman.xml
@@ -13,6 +13,7 @@
       <file engine="none" source="sysuser-postorius.conf">/sysusers.d/0postorius.conf</file>
       <file source="config-nginx.conf">/etc/nginx/default.d/postorius.conf</file>
       <file source="postorius-settings.py">/etc/mailman3.d/postorius.py</file>
+      <file>/tests/mailman.yml</file>
     </service>
     <service name="postgresqlclient" target="multi-user" engine="creole">
       <file owner="postorius" mode="400">/etc/pki/tls/private/postgresql_postorius.key</file>
diff --git a/seed/mailman/extras/mailman/20_mailman.xml b/seed/mailman/extras/mailman/20_mailman.xml
index 97066c7..37e46c9 100644
--- a/seed/mailman/extras/mailman/20_mailman.xml
+++ b/seed/mailman/extras/mailman/20_mailman.xml
@@ -3,7 +3,7 @@
   <variables>
     <family name="list_" description="Listes du domaine " dynamic="mailman_domains">
       <variable name="name_" description="Nom des listes" type="unix_user" multi="True" mandatory="True"/>
-      <variable name="names_" description="Address names" type="string" multi="True" mandatory="True" hidden="True"/>
+      <variable name="names_" description="Address names" type="string" mandatory="True" hidden="True"/>
     </family>
     <variable name="names_" description="Address names" type="string" multi="True" mandatory="True" hidden="True" supplier="LMTP:criteria"/>
   </variables>
diff --git a/seed/mailman/funcs/mailman.py b/seed/mailman/funcs/mailman.py
index 07372bc..66b633d 100644
--- a/seed/mailman/funcs/mailman.py
+++ b/seed/mailman/funcs/mailman.py
@@ -1,20 +1,18 @@
 from risotto.utils import multi_function as _multi_function
-from itertools import chain
 
-@_multi_function
 def mailman_emails(lists, domain):
-    ret = []
-    for lst in lists:
-        for suffix in [None, 'bounces(\+.*)?', 'confirm(\+.*)?', 'join', 'leave', 'owner', 'request', 'subscribe', 'unsubscribe']:
-            if suffix:
-                lst_name = lst + '-' + suffix
-            else:
-                lst_name = lst
-            ret.append(lst_name + '@' + domain)
-    return ret
+    return '.*@' + domain
+#    ret = []
+#    for lst in lists:
+#        for suffix in [None, 'bounces(\+.*)?', 'confirm(\+.*)?', 'join', 'leave', 'owner', 'request', 'subscribe', 'unsubscribe']:
+#            if suffix:
+#                lst_name = lst + '-' + suffix
+#            else:
+#                lst_name = lst
+#            ret.append(lst_name + '@' + domain)
+#    return ret
 
 
 @_multi_function
 def mailman_concat(lists):
-    # list of lists to a single list
-    return list(chain(*lists))
+    return lists
diff --git a/seed/mailman/templates/mailman.yml b/seed/mailman/templates/mailman.yml
new file mode 100644
index 0000000..2c96daf
--- /dev/null
+++ b/seed/mailman/templates/mailman.yml
@@ -0,0 +1,12 @@
+%set %%username="rougail_test@silique.fr"
+ip: %%ip_eth0
+revprox_ip: %%revprox_client_server_ip
+%set %%domain = %%revprox_client_external_domainnames[0]
+domain_name: %%domain
+base_url: https://%%domain%%domain.revprox_client_location
+auth_url: %%oauth2_client_external[0]
+auth_server: %%oauth2_server_domainname
+username: %%username
+password: %%get_password(server_name='test', username=%%username, description='test', type="cleartext", hide=%%hide_secret, temporary=True)
+mailman_domain: %%mailman_domains[0]
+internal_address: %%domain_name_eth0
diff --git a/seed/mailman/tests/test_mailman.py b/seed/mailman/tests/test_mailman.py
new file mode 100644
index 0000000..2b7e899
--- /dev/null
+++ b/seed/mailman/tests/test_mailman.py
@@ -0,0 +1,396 @@
+from yaml import load, SafeLoader
+from os import environ
+from os.path import join, isdir
+from revprox import Authentication
+from execute import run
+from re import search
+from time import sleep
+from imaplib2 import IMAP4_SSL
+from smtplib import SMTP
+from email import message_from_bytes
+from email.mime.multipart import MIMEMultipart
+from email.mime.text import MIMEText
+
+
+DATA = None
+DATA_IMAP = None
+IMAP = None
+IMAP_FAMILY = None
+
+
+def get_data():
+    global DATA
+    if not DATA:
+        conf_file = f'{environ["MACHINE_TEST_DIR"]}/mailman.yml'
+        with open(conf_file) as yaml:
+            DATA = load(yaml, Loader=SafeLoader)
+    return DATA
+
+
+def get_imap_data():
+    global DATA_IMAP
+    if not DATA_IMAP:
+        machine_test_dir = environ['MACHINE_TEST_DIR']
+        print("FIXME")
+        machine_test_dir = machine_test_dir.replace('mailman', 'dovecot')
+        if not isdir(machine_test_dir):
+            print('!!! No local IMAP server found !!!')
+            return
+        conf_file = f'{machine_test_dir}/imap.yml'
+        with open(conf_file) as yaml:
+            DATA_IMAP = load(yaml, Loader=SafeLoader)
+    return DATA_IMAP
+
+
+def get_authentication(data, family=False):
+    if family:
+        username = data['username_family']
+        password = data['password_family']
+    else:
+        username = data['username']
+        password = data['password']
+    return Authentication(data['auth_url'],
+                          data['auth_server'],
+                          data['revprox_ip'],
+                          username,
+                          password,
+                          f"""<title>
+Listes - {data["domain_name"]}
+</title>""",
+                          )
+
+
+def check_mail(subject, family=False, reply=False):
+    global IMAP, IMAP_FAMILY
+    data = get_imap_data()
+    if data is None:
+        return
+    if family:
+        if IMAP_FAMILY is None:
+            IMAP_FAMILY = IMAP4_SSL(data['address'])
+            IMAP_FAMILY.LOGIN(data['username_family'], data['password_family'] + '2')
+        imap = IMAP_FAMILY
+    else:
+        if IMAP is None:
+            IMAP = IMAP4_SSL(data['address'])
+            IMAP.LOGIN(data['username'], data['password'])
+        imap = IMAP
+    imap.SELECT(readonly=False)
+    typ, req = imap.SEARCH(None, 'ALL')
+    assert typ == 'OK'
+    if not req[0].decode():
+        raise Exception('pas de mail')
+    num = req[0].decode().split()[-1]
+    field = imap.FETCH(num, '(RFC822)')
+    assert field[0] == 'OK'
+    msg = message_from_bytes(field[1][-2][-1])
+    #if msg.is_multipart():
+    #    for part in msg.walk():
+    #        # extract content type of email
+    #        try:
+    #            print(part.get_payload(decode=True).decode())
+    #        except:
+    #            pass
+    #else:
+    #    print(msg.get_payload(decode=True).decode())
+    if subject is not None:
+        assert subject == msg['Subject']
+    if reply:
+        reply_message(msg)
+    ret = imap.store(num, '+FLAGS', '\\Deleted')
+    assert ret[0] == 'OK', f'error when deleting mail: {ret}'
+    imap.expunge()
+#    imap.CLOSE()
+#    imap.LOGOUT()
+
+
+def reply_message(msg):
+    data = get_imap_data()
+    body = MIMEText('resend') 
+    message = MIMEMultipart()
+    message["to"] = msg["From"]
+    message['from'] = msg["To"]
+    message['subject'] = f'Re: {msg["Subject"]}'
+    message.add_header('reply-to', msg["From"])
+    message.attach(body)
+    #
+    smtp = SMTP(data['address'], '587')
+    smtp.starttls()
+    smtp.login(data['username_family'], data['password_family'] + '2')
+    smtp.sendmail(msg["To"],
+                  msg["From"],
+                  message.as_string(),
+                  )
+    smtp.quit()
+
+
+def send_mail(subject, data, data_mm, family=False, add_mail=''):
+    list_name = 'test'
+    smtp = SMTP(data['address'], '587')
+    smtp.starttls()
+    if not family:
+        sender = data['username']
+        smtp.login(sender, data['password'])
+    else:
+        sender = data['username_family']
+        smtp.login(sender, data['password_family'] + '2')
+    list_addr = f'{list_name}{add_mail}@{data_mm["mailman_domain"]}'
+    msg = f"""From: {sender}\r\n\
+To: {list_addr}\r\n\
+Subject: {subject}\r\n\
+\r\n\
+MESSAGE"""
+    smtp.sendmail(sender,
+                  list_addr,
+                  msg,
+                  )
+    smtp.quit()
+
+
+def test_mailman():
+    data = get_data()
+    get_authentication(data)
+
+
+def test_mailman_login():
+    data = get_data()
+    authentication = get_authentication(data)
+    content = authentication.get(data['auth_url'])
+    login = data['username'].split('@')[0]
+    assert f'Successfully signed in as {login}.' in content
+
+
+def test_mailman_list():
+    data = get_data()
+    authentication = get_authentication(data)
+    list_name = 'test'
+    search_list = f'href="/mailman/postorius/lists/{list_name}.{data["mailman_domain"]}/"'
+    if 'FIRST_RUN' in environ:
+        content = authentication.get(data['auth_url'])
+        assert search_list not in content
+        result = run(data['internal_address'],
+                     ['/usr/bin/mailman3', 'create', '--language', 'fr', '-o', data['username'], '-N', '-d', f'{list_name}@{data["mailman_domain"]}'],
+                     'mailman',
+                     )
+        assert list(result) == [f'Liste de diffusion créée : {list_name}@{data["mailman_domain"]}']
+    content = authentication.get(data['auth_url'])
+    assert search_list in content
+
+
+def test_mailman_inscription():
+    data = get_data()
+    authentication = get_authentication(data)
+    list_name = 'test'
+    search_inscription = f'<td>Adresse principale ({data["username"]})</td>'
+    url = join(data['base_url'], f'postorius/lists/{list_name}.{data["mailman_domain"]}/')
+    if 'FIRST_RUN' in environ:
+        content = authentication.get(url)
+        assert search_inscription not in content
+        pattern_csrf = r'name="csrfmiddlewaretoken" value="([a-zA-Z0-9\-\_=]+)"'
+        pattern_sub = r'<option value="([a-zA-Z0-9\-\_=]+)">Adresse principale'
+        csrf = search(pattern_csrf, content)[1]
+        subscriber = search(pattern_sub, content)[1]
+        headers = {'Referer': url}
+        authentication.post(url + 'subscribe', {'csrfmiddlewaretoken': csrf, 'subscriber': subscriber, 'delivery_mode': 'regular', 'display_name': ''}, headers=headers)
+        subject = f'=?utf-8?q?Bienvenue_sur_la_liste_de_diffusion_=22{list_name.capitalize()}=22?='
+        idx = 0
+        while True:
+            try:
+                check_mail(subject)
+                break
+            except:
+                idx += 1
+                if idx == 10:
+                    raise Exception('mail not arrived')
+                sleep(1)
+    content = authentication.get(url)
+    assert search_inscription in content
+
+
+def test_send_mail():
+    data = get_imap_data()
+    if data is None:
+        return
+    data_mm = get_data()
+    subject = 'TEST MAILMAN'
+    send_mail(subject, data, data_mm)
+    idx = 0
+    while True:
+        try:
+            check_mail("=?utf-8?b?W1Rlc3Rd?= TEST MAILMAN")
+            break
+        except:
+            idx += 1
+            if idx == 10:
+                raise Exception('mail not arrived')
+            sleep(1)
+
+
+def test_send_wrong_mail():
+    data = get_imap_data()
+    if data is None:
+        return
+    data_mm = get_data()
+    url = f'{data_mm["base_url"]}postorius/lists/test.{data_mm["mailman_domain"]}/held_messages'
+    # no moderated mail
+    authentication = get_authentication(data_mm)
+    content = authentication.get(url)
+    subject = 'TEST MAILMAN'
+    assert subject not in content
+    # send mail
+    smtp = SMTP(data['address'], '587')
+    smtp.starttls()
+    smtp.login(data['username_family'], data['password_family'] + '2')
+    list_name = 'test'
+    list_addr = f'{list_name}@{data_mm["mailman_domain"]}'
+    msg = f"""From: {data["username_family"]}\r\n\
+To: {list_addr}\r\n\
+Subject: {subject}\r\n\
+\r\n\
+MESSAGE"""
+    smtp.sendmail(data['username_family'], list_addr, msg)
+    smtp.quit()
+    idx = 0
+    mailman_domain = data_mm['mailman_domain'].replace('.', '=2E')
+    while True:
+        try:
+            check_mail(f'=?utf-8?q?Votre_message_=C3=A0_test=40{mailman_domain}_attend_la_validation_d=27un_mod=C3=A9rateur?=', family=True)
+            break
+        except:
+            idx += 1
+            if idx == 10:
+                raise Exception('mail not arrived...')
+            sleep(1)
+    #
+    mail = data['username_family'].replace('@', '=40').replace('.', '=2E').replace('_', '=5F')
+    while True:
+        try:
+            check_mail(f'=?utf-8?q?Le_message_test=40{mailman_domain}_de_{mail}_n=C3=A9cessite_une_validation?=')
+            break
+        except:
+            idx += 1
+            if idx == 10:
+                raise Exception('mail 2 not arrived...')
+            sleep(1)
+    # reject mail
+    content = authentication.get(url)
+    assert subject in content
+    pattern_csrf = r'name="csrfmiddlewaretoken" value="([a-zA-Z0-9\-\_=]+)"'
+    csrf = search(pattern_csrf, content)[1]
+    pattern_msg_id = r'class="message-checkbox" name="choices" value="([a-zA-Z0-9\-\_=]+)"'
+    msg_id = search(pattern_msg_id, content)[1]
+    #
+    headers = {'Referer': url}
+    authentication.post(url, {'csrfmiddlewaretoken': csrf, 'reject': 'Rejeter', 'choices': msg_id}, headers=headers)
+    content = authentication.get(url)
+    assert subject not in content
+    while True:
+        try:
+            check_mail('=?utf-8?q?Requ=C3=AAte_pour_la_liste_de_diffusion_=22Test=22_rejet=C3=A9e?=', family=True)
+            break
+        except:
+            idx += 1
+            if idx == 10:
+                raise Exception('mail reject not arrived...')
+            sleep(1)
+
+
+def test_mailman_create_delete():
+    data = get_data()
+    authentication = get_authentication(data)
+    list_name = 'test_tmp'
+    search_list = f'href="/mailman/postorius/lists/{list_name}.{data["mailman_domain"]}/"'
+    #
+    content = authentication.get(data['auth_url'])
+    assert search_list not in content
+    #
+    result = run(data['internal_address'],
+                 ['/usr/bin/mailman3', 'create', '--language', 'fr', '-o', data['username'], '-N', '-d', f'{list_name}@{data["mailman_domain"]}'],
+                 'mailman',
+                 )
+    assert list(result) == [f'Liste de diffusion créée : {list_name}@{data["mailman_domain"]}']
+    content = authentication.get(data['auth_url'])
+    assert search_list in content
+    #
+    result = run(data['internal_address'],
+                 ['/usr/bin/mailman3', 'remove', f'{list_name}@{data["mailman_domain"]}'],
+                 'mailman',
+                 )
+    assert list(result) == [f'Liste supprimée : {list_name}@{data["mailman_domain"]}']
+    content = authentication.get(data['auth_url'])
+    assert search_list not in content
+
+
+def test_mailman_inscription_desinscription_mail():
+    list_name = 'test'
+    data = get_imap_data()
+    if data is None:
+        return
+    data_mm = get_data()
+    send_mail('subscribe', data, data_mm, family=True, add_mail='-join')
+    idx = 0
+    # inscription + validation
+    mailman_domain = data_mm['mailman_domain'].replace('.', '=2E')
+    while True:
+        try:
+            check_mail(f'=?utf-8?q?Votre_validation_est_n=C3=A9cessaire_pour_vous_abonner_de_la_liste_de_diffusion_test=40{mailman_domain}?=', family=True, reply=True)
+            break
+        except:
+            idx += 1
+            if idx == 10:
+                raise Exception('mail not arrived...')
+            sleep(1)
+    idx = 0
+    while True:
+        try:
+            check_mail(f'=?utf-8?q?Bienvenue_sur_la_liste_de_diffusion_=22{list_name.capitalize()}=22?=', family=True)
+            break
+        except:
+            idx += 1
+            if idx == 10:
+                raise Exception('confirmation not arrived...')
+            sleep(1)
+    # send mail and check
+    subject = 'TEST MAILMAN'
+    send_mail(subject, data, data_mm)
+    idx = 0
+    while True:
+        try:
+            check_mail("=?utf-8?b?W1Rlc3Rd?= TEST MAILMAN")
+            break
+        except:
+            idx += 1
+            if idx == 10:
+                raise Exception('mail not arrived')
+            sleep(1)
+    while True:
+        try:
+            check_mail("=?utf-8?b?W1Rlc3Rd?= TEST MAILMAN", family=True)
+            break
+        except:
+            idx += 1
+            if idx == 10:
+                raise Exception('mail not arrived')
+            sleep(1)
+    # unsubscribe
+    send_mail('unsubscribe', data, data_mm, family=True, add_mail="-leave")
+    idx = 0
+    while True:
+        try:
+            check_mail(f'=?utf-8?q?Votre_validation_est_n=C3=A9cessaire_pour_vous_d=C3=A9sabonner_de_la_liste_de_diffusion_test=40{mailman_domain}?=', family=True, reply=True)
+            break
+        except:
+            idx += 1
+            if idx == 10:
+                raise Exception('unsubscribe not arrived...')
+            sleep(1)
+    idx = 0
+    while True:
+        try:
+            check_mail(f'=?utf-8?q?Vous_avez_=C3=A9t=C3=A9_d=C3=A9sinscrits_de_la_liste_de_diffusion_Test?=', family=True)
+            break
+        except:
+            idx += 1
+            if idx == 10:
+                raise Exception('unsubscribe confirmation not arrived...')
+            sleep(1)
diff --git a/seed/reverse-proxy-client/tests/revprox.py b/seed/reverse-proxy-client/tests/revprox.py
index abc9c09..134fb4f 100644
--- a/seed/reverse-proxy-client/tests/revprox.py
+++ b/seed/reverse-proxy-client/tests/revprox.py
@@ -62,7 +62,8 @@ class Authentication:
         authorize_url = f'{portal_url}authorize'
         ret = req.get(authorize_url)
         assert ret.status_code == 200
-        assert title in ret.content.decode()
+        content = ret.content.decode()
+        assert title in content, f'cannot find {title} in {content}'
 
     def get(self,
             url,
@@ -78,7 +79,8 @@ class Authentication:
     def post(self,
              url,
              data,
+             headers=None,
              ):
         with MookDns(self.ip):
-            ret = post(url, cookies=self.cookies, data=data)
+            ret = post(url, cookies=self.cookies, data=data, headers=headers)
         assert ret.status_code == 200, f'return code is {ret.status_code}'