From b91e8ab45529a7a2c615538d9c929c39750768f0 Mon Sep 17 00:00:00 2001
From: Emmanuel Garette <egarette@silique.fr>
Date: Mon, 27 Feb 2023 12:23:45 +0100
Subject: [PATCH] start extraction before backup function

---
 .../dictionaries/11_debian-base.xml           |  1 +
 seed/dovecot/dictionaries/26_dovecot.xml      |  1 +
 seed/dovecot/templates/risotto_backup         | 21 ++++++++
 seed/forgejo/templates/app.ini                |  4 +-
 seed/forgejo/templates/forgejo.yml            |  2 +-
 seed/mariadb/dictionaries/20_mariadb.xml      |  1 +
 .../manual/image/preinstall/mariadb_server.sh |  2 +-
 seed/mariadb/templates/risotto_backup         |  6 +++
 seed/odoo/dictionaries/40_odoo.xml            |  9 +++-
 seed/odoo/manual/image/postinstall/odoo.sh    |  3 --
 seed/odoo/templates/config-nginx.conf         | 53 +++++++++++++------
 seed/odoo/templates/odoo.service              |  2 +-
 .../dictionaries/16_machined.xml              |  3 ++
 13 files changed, 81 insertions(+), 27 deletions(-)
 create mode 100644 seed/dovecot/templates/risotto_backup
 create mode 100644 seed/mariadb/templates/risotto_backup

diff --git a/seed/base-debian/dictionaries/11_debian-base.xml b/seed/base-debian/dictionaries/11_debian-base.xml
index 73c4a16..90a8ecf 100644
--- a/seed/base-debian/dictionaries/11_debian-base.xml
+++ b/seed/base-debian/dictionaries/11_debian-base.xml
@@ -4,6 +4,7 @@
     <service name="systemd-networkd">
       <override/>
     </service>
+    <service name='logrotate' disabled="True"/>
     <service name="debian" manage="False">
       <file engine="none" source="tmpfile-tmp.conf">/tmpfiles.d/0tmp.conf</file>
       <file engine="none">/etc/default/locale</file>
diff --git a/seed/dovecot/dictionaries/26_dovecot.xml b/seed/dovecot/dictionaries/26_dovecot.xml
index c0d7874..d70b96d 100644
--- a/seed/dovecot/dictionaries/26_dovecot.xml
+++ b/seed/dovecot/dictionaries/26_dovecot.xml
@@ -14,6 +14,7 @@
       <file>/etc/postfix/relay_passwd</file>
       <file>/etc/postfix/ldapsource.cf</file>
       <file>/etc/postfix/sni</file>
+      <file mode="700">/sbin/risotto_backup</file>
     </service>
     <service name='dovecot-init'>
       <override/>
diff --git a/seed/dovecot/templates/risotto_backup b/seed/dovecot/templates/risotto_backup
new file mode 100644
index 0000000..0af0b0c
--- /dev/null
+++ b/seed/dovecot/templates/risotto_backup
@@ -0,0 +1,21 @@
+%echo "#!/bin/bash"
+
+BACKUP_DIR="%%backup_dir"
+
+mkdir -p $BACKUP_DIR
+chown vmail: $BACKUP_DIR
+
+rm -f $BACKUP_DIR/*.done
+find /srv/home/ -name *@* -type d -printf "%f\n" | while read user; do
+    doveadm backup -u $user maildir:$BACKUP_DIR/$user
+    touch $BACKUP_DIR/$user.done
+done
+
+ls $BACKUP_DIR | while read $user; do
+    if [ ! -f $BACKUP_DIR/$user.done ]; then
+        rm -rf $BACKUP_DIR/$user
+    if
+done
+rm -f $BACKUP_DIR/*.done
+
+exit 0
diff --git a/seed/forgejo/templates/app.ini b/seed/forgejo/templates/app.ini
index fea9a62..acd9426 100644
--- a/seed/forgejo/templates/app.ini
+++ b/seed/forgejo/templates/app.ini
@@ -188,13 +188,13 @@ SSH_DOMAIN       = %%revprox_client_external_domainnames[0]
 ;; Port number to be exposed in clone URL
 ;SSH_PORT = 22
 ;>GNUNUX
-SSH_PORT         = %%incoming_ports
+SSH_PORT         = %%incoming_ports[0]
 ;<GNUNUX
 ;;
 ;; The port number the builtin SSH server should listen on
 ;SSH_LISTEN_PORT = %(SSH_PORT)s
 ;>GNUNUX
-SSH_LISTEN_PORT  = %%incoming_ports
+SSH_LISTEN_PORT  = %%incoming_ports[0]
 ;<GNUNUX
 ;;
 ;; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'.
diff --git a/seed/forgejo/templates/forgejo.yml b/seed/forgejo/templates/forgejo.yml
index a6922db..49d6943 100644
--- a/seed/forgejo/templates/forgejo.yml
+++ b/seed/forgejo/templates/forgejo.yml
@@ -8,4 +8,4 @@ auth_server: %%oauth2_server_domainname
 username: %%username
 password: %%get_password(server_name='test', username=%%username, description='test', type="cleartext", hide=%%hide_secret, temporary=True)
 forgejo_title: "%%forgejo_title"
-git_url: "[%%domain]:%%incoming_ports"
+git_url: "[%%domain]:%%incoming_ports[0]"
diff --git a/seed/mariadb/dictionaries/20_mariadb.xml b/seed/mariadb/dictionaries/20_mariadb.xml
index e8faddf..896094b 100644
--- a/seed/mariadb/dictionaries/20_mariadb.xml
+++ b/seed/mariadb/dictionaries/20_mariadb.xml
@@ -7,6 +7,7 @@
       <file engine="none" source="tmpfile-mariadb.conf">/tmpfiles.d/0mariadb.conf</file>
       <file mode="600" owner="mysql" group="mysql">/etc/mariadb.sql</file>
       <file filelist="copy_tests">/tests/mariadb.yml</file>
+      <file mode="700">/sbin/risotto_backup</file>
     </service>
   </services>
   <variables>
diff --git a/seed/mariadb/manual/image/preinstall/mariadb_server.sh b/seed/mariadb/manual/image/preinstall/mariadb_server.sh
index f923704..4e2af33 100644
--- a/seed/mariadb/manual/image/preinstall/mariadb_server.sh
+++ b/seed/mariadb/manual/image/preinstall/mariadb_server.sh
@@ -1 +1 @@
-PKG="$PKG mariadb-server"
+PKG="$PKG mariadb-server mariadb-backup"
diff --git a/seed/mariadb/templates/risotto_backup b/seed/mariadb/templates/risotto_backup
new file mode 100644
index 0000000..e0d34a1
--- /dev/null
+++ b/seed/mariadb/templates/risotto_backup
@@ -0,0 +1,6 @@
+%echo "#!/bin/bash -e"
+
+mkdir -p %%backup_dir
+mariabackup --backup --target-dir=%%backup_dir --user=root --password=%%mariadb_root_password
+
+exit 0
diff --git a/seed/odoo/dictionaries/40_odoo.xml b/seed/odoo/dictionaries/40_odoo.xml
index 74e2f64..6906baa 100644
--- a/seed/odoo/dictionaries/40_odoo.xml
+++ b/seed/odoo/dictionaries/40_odoo.xml
@@ -5,11 +5,11 @@
       <override/>
       <file engine="none" source="sysuser-odoo.conf">/sysusers.d/1odoo.conf</file>
       <file engine="none" source="tmpfile-odoo.conf">/tmpfiles.d/0odoo.conf</file>
-      <file mode="700">/sbin/config_odoo.py</file>
+      <file mode="755">/sbin/config_odoo.py</file>
       <file mode="400" owner="odoo">/etc/odoo/odoo.conf</file>
       <file mode="400" owner="odoo">/etc/odoo/postgresql.pass</file>
       <file>/etc/hosts</file>
-      <file source="config-nginx.conf">/etc/nginx/default.d/odoo.conf</file>
+      <file source="config-nginx.conf">/etc/nginx/sites-enabled/odoo.conf</file>
     </service>
   </services>
   <variables>
@@ -78,6 +78,11 @@
         </variable>
       </family>
     </family>
+    <family name="nginx">
+      <variable name="nginx_default_https" redefine="True">
+        <value>False</value>
+      </variable>
+    </family>
   </variables>
   <constraints>
     <fill name="get_password">
diff --git a/seed/odoo/manual/image/postinstall/odoo.sh b/seed/odoo/manual/image/postinstall/odoo.sh
index 3925932..7b1ca8e 100644
--- a/seed/odoo/manual/image/postinstall/odoo.sh
+++ b/seed/odoo/manual/image/postinstall/odoo.sh
@@ -24,9 +24,6 @@ apt -f install -y
 """ > $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/install.sh
 chmod 755 $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/install.sh
 chroot $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP /install.sh
-
-
-
 sed -i "s/'postgres'/odoo.tools.config['db_name']/g" $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/python3/dist-packages/odoo/service/server.py
 sed -i "s/'postgres'/odoo.tools.config['db_name']/g" $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/python3/dist-packages/odoo/service/db.py 
 sed -i "s/'postgres'/odoo.tools.config['db_name']/g" $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/python3/dist-packages/odoo/addons/bus/models/bus.py
diff --git a/seed/odoo/templates/config-nginx.conf b/seed/odoo/templates/config-nginx.conf
index 797d3d7..2772e05 100644
--- a/seed/odoo/templates/config-nginx.conf
+++ b/seed/odoo/templates/config-nginx.conf
@@ -1,19 +1,38 @@
-# Redirect requests to odoo backend server
-location / {
-  proxy_redirect off;
-  proxy_pass http://127.0.0.1:8069;
-  
-  proxy_read_timeout 720s;
-  proxy_connect_timeout 720s;
-  proxy_send_timeout 720s;
-  
-  # Add Headers for odoo proxy mode
-  proxy_set_header X-Forwarded-Host $host;
-  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-  proxy_set_header X-Forwarded-Proto $scheme;
-  proxy_set_header X-Real-IP $remote_addr;
+server {
+    listen 443 ssl http2;
+#    listen [::]:443 ssl http2;
+    server_name _;
+    server_tokens off;
 
-  # common gzip
-  gzip_types text/css text/scss text/plain text/xml application/xml application/json application/javascript;
-  gzip on;
+    ## Strong SSL Security
+    ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
+#    ssl on;
+    ssl_certificate              %%tls_cert_directory/revprox.crt;
+    ssl_certificate_key          %%tls_key_directory/revprox.key;
+    ssl_client_certificate       %%tls_ca_directory/InternalReverseProxy.crt;
+
+    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 5m;
+    # Redirect requests to odoo backend server
+    location / {
+      proxy_redirect off;
+      proxy_pass http://127.0.0.1:8069;
+      
+      proxy_read_timeout 720s;
+      proxy_connect_timeout 720s;
+      proxy_send_timeout 720s;
+      
+      # Add Headers for odoo proxy mode
+      proxy_set_header X-Forwarded-Host $host;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+      proxy_set_header X-Forwarded-Proto $scheme;
+      proxy_set_header X-Real-IP $remote_addr;
+    
+      # common gzip
+      gzip_types text/css text/scss text/plain text/xml application/xml application/json application/javascript;
+      gzip on;
+    }
 }
diff --git a/seed/odoo/templates/odoo.service b/seed/odoo/templates/odoo.service
index efd2faf..093ce85 100644
--- a/seed/odoo/templates/odoo.service
+++ b/seed/odoo/templates/odoo.service
@@ -11,7 +11,7 @@ Environment="PGPASSFILE=/etc/odoo/postgresql.pass"
 %set %%addons = ','.join(%%odoo_addons)
 ExecStartPre=/usr/bin/bash -c '/usr/bin/psql --set=sslmode=verify-full -h %%pg_client_server_domainname -U %%pg_client_username %%pg_client_database -c "\dt account_account" 2>&1 | grep -vq "not find" || (echo "INIT DATABASE"; /usr/bin/odoo --config /etc/odoo/odoo.conf -i %%addons --stop-after-init; echo "OK")'
 #change default values in database
-ExecStartPre=+/usr/local/lib/sbin/config_odoo.py
+ExecStartPre=/usr/local/lib/sbin/config_odoo.py
 
 ExecStart=
 ExecStart=/usr/bin/odoo --config /etc/odoo/odoo.conf
diff --git a/seed/provider-systemd-machined/dictionaries/16_machined.xml b/seed/provider-systemd-machined/dictionaries/16_machined.xml
index cfd4261..892976a 100644
--- a/seed/provider-systemd-machined/dictionaries/16_machined.xml
+++ b/seed/provider-systemd-machined/dictionaries/16_machined.xml
@@ -33,6 +33,9 @@
         <value>host</value>
       </variable>
       <variable name="zones_list" redefine="True" supplier="Host:machine_zones"/>
+      <variable name="backup_dir" type="filename" hidden="True">
+        <value>/srv/backup</value>
+      </variable>
     </family>
   </variables>
   <constraints>