improvements

seed/apache/dictionaries/20_web.xml

@@ -19,7 +19,7 @@
       </variable>
     </family>
     <family name="apache" description="Apache" help="Paramètrage avancé du serveur web Apache">
-      <variable name="apache_timeout" type="number" description="Temps en secondes pendant lequel le serveur va attendre des entrées/sorties avant de considérer qu'une requête a échoué">
+      <variable name="apache_timeout" type="number" description="Temps d'attente des entrées/sorties avant de considérer qu'une requête a échoué" help="Temps en secondes">
         <value>300</value>
       </variable>
       <variable name="apache_keepalive" type="boolean" description="Autoriser les connexions persistantes"/>

seed/apache/templates/server.ca

@@ -1 +1 @@
-%%get_chain(authority_cn=%%revprox_client_server_domainname, authority_name="InternalReverseProxy", hide=%%hide_secret)
+%%get_chain(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name="InternalReverseProxy", hide=%%hide_secret)

seed/base-debian/dictionaries/11-debian-base.xml

@@ -10,7 +10,9 @@
       <file engine="none" source="sysuser-debian.conf">/sysusers.d/debian.conf</file>
     </service>
     <service name='apt-daily' disabled="True"/>
+    <service name='apt-daily' disabled="True" type="timer"/>
     <service name='apt-daily-upgrade' disabled="True"/>
+    <service name='apt-daily-upgrade' disabled="True" type="timer"/>
     <service name='avahi-daemon' disabled="True"/>
     <service name='cron' disabled="True"/>
   </services>

seed/base-debian/dictionaries/17-debian-base.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <rougail version="0.10">
   <services>
-    <service name="update-ca-certificates" engine="creole" target="multi-user"/>
+    <service name="update-ca-certificates" engine="cheetah" target="multi-user"/>
   </services>
   <variables>
     <variable name="tls_ca_directory" type="filename" description="Répertoire des autorités de certification" hidden="True">

seed/base-debian/manual/image/postinstall/debian.sh

@@ -1,8 +1,8 @@
-rm -f $IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/resolv.conf
+rm -f $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/etc/resolv.conf
-ln -s ../run/systemd/resolve/stub-resolv.conf $IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/resolv.conf
+ln -s ../run/systemd/resolve/stub-resolv.conf $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/etc/resolv.conf
-#mkdir $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/network-online.target.wants
+#mkdir $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/network-online.target.wants
-#chmod 775 $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/network-online.target.wants
+#chmod 775 $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/network-online.target.wants
-#ln -s /usr/lib/systemd/system/systemd-networkd.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/dbus-org.freedesktop.network1.service"
+#ln -s /usr/lib/systemd/system/systemd-networkd.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/dbus-org.freedesktop.network1.service"
-#ln -s /usr/lib/systemd/system/systemd-networkd.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/multi-user.target.wants/systemd-networkd.service"
+#ln -s /usr/lib/systemd/system/systemd-networkd.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/multi-user.target.wants/systemd-networkd.service"
-#ln -s /usr/lib/systemd/system/systemd-networkd-wait-online.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/network-online.target.wants/systemd-networkd-wait-online.service"
+#ln -s /usr/lib/systemd/system/systemd-networkd-wait-online.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/network-online.target.wants/systemd-networkd-wait-online.service"
-#ln -s /usr/lib/systemd/system/systemd-networkd.socket "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/sockets.target.wants/systemd-networkd.socket"
+#ln -s /usr/lib/systemd/system/systemd-networkd.socket "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/sockets.target.wants/systemd-networkd.socket"

seed/base-fedora-35/manual/image/postinstall/base_fedora_35.sh

@@ -1,7 +1,7 @@
 # ACTIVE NETWORKD
-mkdir $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/network-online.target.wants
+mkdir $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/network-online.target.wants
-chmod 775 $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/network-online.target.wants
+chmod 775 $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/network-online.target.wants
-ln -s /usr/lib/systemd/system/systemd-networkd.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/dbus-org.freedesktop.network1.service"
+ln -s /usr/lib/systemd/system/systemd-networkd.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/dbus-org.freedesktop.network1.service"
-ln -s /usr/lib/systemd/system/systemd-networkd.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/multi-user.target.wants/systemd-networkd.service"
+ln -s /usr/lib/systemd/system/systemd-networkd.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/multi-user.target.wants/systemd-networkd.service"
-ln -s /usr/lib/systemd/system/systemd-networkd-wait-online.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/network-online.target.wants/systemd-networkd-wait-online.service"
+ln -s /usr/lib/systemd/system/systemd-networkd-wait-online.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/network-online.target.wants/systemd-networkd-wait-online.service"
-ln -s /usr/lib/systemd/system/systemd-networkd.socket "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/sockets.target.wants/systemd-networkd.socket"
+ln -s /usr/lib/systemd/system/systemd-networkd.socket "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/sockets.target.wants/systemd-networkd.socket"

seed/base-fedora-36/manual/image/postinstall/base_fedora_version.sh

@@ -1,7 +1,7 @@
 # ACTIVE NETWORKD
-mkdir $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/network-online.target.wants
+mkdir $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/network-online.target.wants
-chmod 775 $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/network-online.target.wants
+chmod 775 $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/network-online.target.wants
-ln -s /usr/lib/systemd/system/systemd-networkd.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/dbus-org.freedesktop.network1.service"
+ln -s /usr/lib/systemd/system/systemd-networkd.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/dbus-org.freedesktop.network1.service"
-ln -s /usr/lib/systemd/system/systemd-networkd.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/multi-user.target.wants/systemd-networkd.service"
+ln -s /usr/lib/systemd/system/systemd-networkd.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/multi-user.target.wants/systemd-networkd.service"
-ln -s /usr/lib/systemd/system/systemd-networkd-wait-online.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/network-online.target.wants/systemd-networkd-wait-online.service"
+ln -s /usr/lib/systemd/system/systemd-networkd-wait-online.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/network-online.target.wants/systemd-networkd-wait-online.service"
-ln -s /usr/lib/systemd/system/systemd-networkd.socket "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/sockets.target.wants/systemd-networkd.socket"
+ln -s /usr/lib/systemd/system/systemd-networkd.socket "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/system/sockets.target.wants/systemd-networkd.socket"

seed/base-fedora/dictionaries/17-fedora-base.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <rougail version="0.10">
   <services>
-    <service name="update-ca-trust" engine="creole" target="multi-user"/>
+    <service name="update-ca-trust" engine="cheetah" target="multi-user"/>
   </services>
   <variables>
     <variable name="tls_ca_directory" type="filename" description="Nom du répertoire des autorités de certification" hidden="True">

seed/base-fedora/manual/image/preinstall/base_fedora.sh

@@ -1,4 +1,4 @@
 BASE_PKG="systemd systemd-networkd systemd-resolved fedora-release-container lsof strace glibc-langpack-fr $BASE_PKG"
 INSTALL_TOOL="dnf"
 OS_NAME='fedora'
-REPO_DIR="$IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/yum.repos.d/"
+REPO_DIR="$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/etc/yum.repos.d/"

seed/base-machine/dictionaries/12-base.xml

@@ -6,25 +6,26 @@
     </service>
   </services>
   <variables>
-    <variable name="hide_secret" type="boolean" description="Les secrets sont obscurcis" mode="expert" help="Obscurcir les secrets peut permettre de générer des configurations diffusable sans problème de confidentialité ou pour comparer deux configurations générés à des moments différents">
+    <variable name="hide_secret" type="boolean" description="Les secrets sont obscurcis" mode="expert" help="Obscurcir les secrets peut permettre de générer des configurations diffusable sans problème de confidentialité ou pour comparer deux configurations générés à des moments différents" hidden="True">
       <value>False</value>
     </variable>
     <variable name="module_name" type="string" hidden="True" provider="global:module_name" mandatory="True"/>
     <family name="network" description="Réseau">
-      <variable name="server_name" type="domainname" hidden="True" provider="global:server_name" mandatory="True"/>
+      <variable name="server_name" description="Nom de domaine du serveur" type="domainname" hidden="True" provider="global:server_name" mandatory="True"/>
       <variable name="zones_list" type="string" multi="True" description="Liste de toutes les zones" mandatory="True" hidden="True" provider="global:zones_name"/>
       <variable name="interfaces_list" type="number" multi="True" description="Liste de tous les numéros d'interfaces" hidden="True" provider="global:zones_list"/>
       <family name="interface_" description="Interface " dynamic="interfaces_list">
         <variable name="zone_name_eth" type="string" description="Nom de la zone de l'interface " hidden="True" mandatory="True"/>
         <variable name="ip_eth" type="ip" description="Adresse IP pour l'interface " hidden="True" mandatory="True"/>
         <variable name="network_eth" type="network_cidr" description="Réseau de l'interface " hidden="True"/>
-        <variable name="gateway_eth" type="ip" description="La route de l'interface "/>
+        <variable name="gateway_eth" type="ip" description="La route de l'interface " hidden="True"/>
         <variable name="domain_name_eth" type="domainname" description="Nom de domaine pour l'interface " mandatory="True" hidden="True" provider="global:server_names"/>
       </family>
     </family>
   </variables>
   <constraints>
     <fill name="get_ip">
+      <param type="information">zones</param>
       <param name="server_name" type="variable">domain_name_eth</param>
       <target>ip_eth</target>
     </fill>
@@ -33,14 +34,16 @@
       <param name="index" type="suffix"/>
       <target>zone_name_eth</target>
     </fill>
-    <fill name="zone_information">
+    <fill name="get_zones_info">
-      <param type="variable">zone_name_eth</param>
+      <param type="information">zones</param>
       <param>network</param>
+      <param type="variable" name="zone_name">zone_name_eth</param>
       <target>network_eth</target>
     </fill>
-    <fill name="zone_information">
+    <fill name="get_zones_info">
-      <param type="variable">zone_name_eth</param>
+      <param type="information">zones</param>
-      <param>gateway</param>
+      <param>host_ip</param>
+      <param type="variable" name="zone_name">zone_name_eth</param>
       <param name="index" type="suffix"/>
       <target>gateway_eth</target>
     </fill>

seed/base-machine/funcs/funcs.py

@@ -6,9 +6,6 @@ from os.path import join as _join, isfile as _isfile, isdir as _isdir
 from os import makedirs as _makedirs, environ as _environ
 
 
-#from risotto.utils import ZONES_SERVER
-
-
 _HERE = _environ['PWD']
 _PASSWORD_DIR = _join(_HERE, 'password')
 

seed/base/funcs/base.py

@@ -1,10 +1,11 @@
-from typing import List
-from risotto.utils import load_domains, DOMAINS
 from risotto.utils import multi_function as _multi_function
+from typing import List as _List
 
 
 @_multi_function
-def get_ip(server_name: str) -> str:
+def get_ip(zones: dict,
+           server_name: str,
+           ) -> str:
     if server_name is None:
         return
     if isinstance(server_name, list):
@@ -15,12 +16,32 @@ def get_ip(server_name: str) -> str:
     lst = []
     for s_name in server_name:
         host_name, domain_name = s_name.split('.', 1)
-        if not domain_name in DOMAINS:
+        for zone in zones.values():
+            if domain_name == zone['domain_name']:
+                break
+        else:
             raise ValueError(f'cannot find IP in domain name "{domain_name}" (for "{s_name}")')
-        domain = DOMAINS[domain_name]
+        ret = zone['hosts'][host_name]
-        ret = domain[1][domain[0].index(host_name)]
         if not return_list:
             return ret
         if ret not in lst:
             lst.append(ret)
     return lst
+
+
+@_multi_function
+def get_zones_info(zones: dict,
+                   type: str,
+                   zone_names: _List[str]=None,
+                   zone_name: str=None,
+                   index: int=None,
+                   ) -> str:
+    if type == 'host_ip' and index != 0:
+        return
+    if zone_name:
+        if zone_name not in zones:
+            raise ValueError(f"cannot get zone informations in unknown zone '{zone_name}'")
+        if type == 'cidr':
+            return zones[zone_name]['host_ip'] + '/' + zones[zone_name]['network'].split('/')[-1]
+        return zones[zone_name][type]
+    return [data[type] for zone_name, data in zones.items() if not zone_names or zone_name in zone_names]

seed/dns-local/dictionaries/13-dns-local.xml

@@ -10,12 +10,13 @@
       <variable name="dns_is_only_local" type="boolean" description="DNS resolve only local address" hidden="True">
         <value>True</value>
       </variable>
-      <variable name="dns_client_address" type="domainname" description="Nom de domaine du serveur DNS" supplier="LocalDNS"/>
+      <variable name="dns_client_address" type="domainname" description="Nom de domaine du serveur DNS" supplier="LocalDNS" hidden="True"/>
       <variable name="ip_dns" type="ip" description="Adresse IP du serveur DNS" hidden="True"/>
     </family>
   </variables>
   <constraints>
     <fill name="get_ip">
+      <param type="information">zones</param>
       <param name="server_name" type="variable">dns_client_address</param>
       <target>ip_dns</target>
     </fill>

seed/dns-local/templates/dns-local.yml

@@ -6,15 +6,15 @@ addresses:
 %elif %%getVar('unbound_forward_address', None) is not None
   %for %%authority in %%unbound_forward_address
 - dns_address: %%authority
-  dns_ip: %%get_ip(%%str(%%authority))
+  dns_ip: %%authority.unbound_allowed_client
   %end for
-%else
+%elif %%getVar('nsd_zones', None)
   %for %%zone in %%nsd_zones
     %set %%suffix = %%normalize_family(%%zone)
     %set %%hostnames = %%nsd["nsd_zone_" + %%suffix]["hostname_" + %%suffix]["hostname_" + %%suffix]
-    %for %%nsd in %%hostnames
+    %for %%hostname in %%hostnames
-- dns_address: %%{nsd}.%%zone
+- dns_address: %%{hostname}.%%zone
-  dns_ip: %%nsd["ip_" + %%suffix]
+  dns_ip: %%hostname["ip_" + %%suffix]
     %end for
   %end for
 %end if

seed/dovecot/dictionaries/26_dovecot.xml

@@ -85,11 +85,13 @@
       <variable name='external_imap_crt' type="filename" hidden='True' multi='True'/>
       <variable name='external_imap_key' type="filename" hidden='True' multi='True'/>
     </family>
-    <family name="nginx">
+    <family name="revprox">
       <family name="revprox_client">
         <variable name="revprox_client_external_domainnames" redefine="True"/>
         <variable name="revprox_client_web_address" redefine="True"/>
       </family>
+    </family>
+    <family name="nginx">
       <variable name="nginx_root" redefine='True'>
         <value>/var/www/html</value>
       </variable>

seed/dovecot/templates/ca_IMAPServer.crt

@@ -1 +1 @@
-%%get_chain(%%domain_name_eth0, "IMAPServer", hide=%%hide_secret)
+%%get_chain(%%domain_name_eth0, %%domain_name_eth0, "IMAPServer", hide=%%hide_secret)

seed/dovecot/templates/ca_MailServer.crt

@@ -1 +1 @@
-%%get_chain(%%domain_name_eth0, "MailServer", hide=%%hide_secret)
+%%get_chain(%%domain_name_eth0, %%domain_name_eth0, "MailServer", hide=%%hide_secret)

seed/dovecot/templates/imap.yml

@@ -8,5 +8,5 @@ password: %%get_password(server_name='test', username=%%username, description="t
 username_family: %%username_family
 password_family: %%get_password(server_name='test', username=%%username_family, description='test', type="cleartext", hide=%%hide_secret, temporary=True)
 name_family: %%name_family
-smtp: %%get_ip(%%smtp_relay_address)
+smtp: %%smtp_relay_ip
 ext_username: 'test@example.net'

seed/gitea/dictionaries/31_gitea.xml

@@ -1,7 +1,7 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
   <services>
-    <service name="gitea" target="multi-user" engine="creole">
+    <service name="gitea" target="multi-user" engine="cheetah">
       <file engine="none" source="sysuser-gitea.conf">/sysusers.d/0gitea.conf</file>
       <file engine="none" source="tmpfile-gitea.conf">/tmpfiles.d/0gitea.conf</file>
       <file>/etc/gitea/app.ini</file>
@@ -28,7 +28,7 @@
       <variable name="gitea_internal_token" type="password" hidden="True"/>
       <variable name="gitea_lfs_jwt_secret" type="password" hidden="True"/>
     </family>
-    <family name="nginx">
+    <family name="revprox">
       <family name="revprox_client">
         <variable name="revprox_client_local_location" redefine="True">
           <value>/</value>

seed/gitea/manual/image/postinstall/gitea.sh

@@ -9,9 +9,11 @@ VERS=$(wget https://dl.gitea.io/gitea/version.json -q -O - | jq -r '.latest.vers
 mkdir -p ~/gitea/
 
 if [ ! -f ~/"gitea/gitea-$VERS-linux-amd64.xz" ]; then
+    rm -rf ~/"gitea/gitea-*-linux-amd64.xz"
     wget "https://dl.gitea.io/gitea/$VERS/gitea-$VERS-linux-amd64.xz" -O ~/"gitea/gitea-$VERS-linux-amd64.xz"
 fi
 if [ ! -f ~/"gitea/gitea-$VERS-linux-amd64.xz.asc" ]; then
+    rm -rf ~/"gitea/gitea-*-linux-amd64.xz.asc"
     wget "https://dl.gitea.io/gitea/$VERS/gitea-$VERS-linux-amd64.xz.asc" -O ~/"gitea/gitea-$VERS-linux-amd64.xz.asc"
 fi
 
@@ -19,5 +21,5 @@ gpg --verify ~/"gitea/gitea-$VERS-linux-amd64.xz.asc" ~/"gitea/gitea-$VERS-linux
 
 cp -a ~/"gitea/gitea-$VERS-linux-amd64.xz" .
 xz -d "gitea-$VERS-linux-amd64.xz"
-mv "gitea-$VERS-linux-amd64" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/bin/gitea"
+mv "gitea-$VERS-linux-amd64" "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/bin/gitea"
-chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/bin/gitea"
+chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/bin/gitea"

seed/host-systemd-machined/dictionaries/21-machined.xml

@@ -6,12 +6,12 @@
       <file file_type="variable" source="70-container.network" variable="zone_name">systemd_zone_filename</file>
       <file file_type="variable" source="70-container.netdev" variable="zone_name">systemd_netzone_filename</file>
     </service>
-    <service name="risotto-images" engine="creole" manage="False"/>
+    <service name="risotto-images" engine="cheetah" manage="False"/>
     <service name="systemd-sysctl"/>
     <service name="systemd-networkd"/>
     <service name="systemd-resolved"/>
-    <service name="risotto-images" type="timer" engine="creole"/>
+    <service name="risotto-images" type="timer" engine="cheetah"/>
-    <service name="risottofirewall" engine="creole"/>
+    <service name="risottofirewall" engine="cheetah"/>
     <service name="systemd-nspawn@">
       <file>/usr/local/lib/risotto-tmpfiles.d/0asystemd-nspawn.conf</file>
       <file>/etc/systemd/system/systemd-nspawn@.service.d/systemd-nspawn@.conf</file>
@@ -20,12 +20,11 @@
       <file>/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-36-x86_64</file>
       <file>/etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-36</file>
       <file>/etc/sysctl.d/90-risotto.conf</file>
-      <file file_type="variable" source="dhcp.network" variable="host_dhcp_interface">host_dhcp_filename</file>
+      <file file_type="variable" source="dhcp.network" variable="interface_names">host_network_filename</file>
     </service>
   </services>
   <variables>
-    <variable name="host_install_dir" type="filename" description="Nom du répertoire comprenant les descriptions d'installation" mandatory="True"/>
+    <variable name="host_install_dir" type="filename" description="Nom du répertoire comprenant les descriptions d'installation" mandatory="True" provider="global:host_install_dir"/>
-    <variable name="host_dhcp_filename" type="filename" hidden="True" multi="True"/>
     <variable name="host_name" type="domainname" hidden="True" provider="global:server_name" mandatory="True"/>
     <variable name="module_name" type="string" hidden="True" provider="global:module_name" mandatory="True"/>
     <variable name="systemd_zone_filename" type="filename" hidden="True" multi="True"/>
@@ -39,16 +38,34 @@
       <value>jq</value>
       <value>debootstrap</value>
       <value>htop</value>
+      <value>iotop</value>
+      <value>man</value>
       <value>gettext</value>
       <value>patch</value>
       <value>unzip</value>
       <value>mlocate</value>
       <value>xz-utils</value>
       <value>iptables</value>
+      <value>curl</value>
+      <value>tree</value>
+      <value>tshark</value>
+      <value>vim</value>
     </variable>
     <family name="network">
-      <variable name="host_dhcp_interface" description="Carte réseau en DHCP" multi="True"/>
       <variable name="output_interface" description="Nom de l'interface de sortie" mandatory="True"/>
+      <family name="interfaces" leadership="True">
+        <variable name="interface_names" description="Nom de l'interface" multi="True" mandatory="True"/>
+        <variable name="interface_type" type="choice" description="Type de la carte" mandatory="True">
+          <choice>dhcp</choice>
+          <choice>ipv4</choice>
+          <value>dhcp</value>
+        </variable>
+        <variable name="interface_ip" type="cidr" description="IP au format CIDR de l'interface" mandatory="True"/>
+        <variable name="interface_gateway" type="ip" description="IP de la route par défaut" mandatory="True"/>
+        <variable name="interface_domain_name_servers" type="ip" description="IP des serveurs DNS" mandatory="True" multi="True"/>
+        <variable name="first_interface" type="boolean" hidden="True"/>
+      </family>
+      <variable name="host_network_filename" type="filename" multi="True" hidden="True"/>
     </family>
     <family name="zones" leadership="True">
       <variable name="zone_name" type="string" hidden="True" multi="True"/>
@@ -57,6 +74,7 @@
   </variables>
   <constraints>
     <fill name="get_internal_zone_names">
+      <param type="information">zones</param>
       <target>zone_name</target>
     </fill>
     <fill name="calc_value">
@@ -69,11 +87,11 @@
     </fill>
     <fill name="calc_value">
       <param>/etc/systemd/network/80-</param>
-      <param type="variable">host_dhcp_interface</param>
+      <param type="variable">interface_names</param>
       <param>.network</param>
       <param name="join"></param>
       <param name="multi" type="boolean">True</param>
-      <target>host_dhcp_filename</target>
+      <target>host_network_filename</target>
     </fill>
     <fill name="calc_value">
       <param>/etc/systemd/network/70-container-</param>
@@ -83,10 +101,26 @@
       <param name="multi" type="boolean">True</param>
       <target>systemd_netzone_filename</target>
     </fill>
-    <fill name="get_internal_zone_information">
+    <fill name="get_zones_info">
-      <param type="variable">zone_name</param>
+      <param type="information">zones</param>
       <param>cidr</param>
+      <param type="variable" name="zone_name">zone_name</param>
       <target>zone_cidr</target>
     </fill>
+    <fill name="is_first_interface">
+      <param type="index"/>
+      <target>first_interface</target>
+    </fill>
+    <condition name="disabled_if_not_in" source="interface_type">
+      <param>ipv4</param>
+      <target>interface_ip</target>
+      <target>interface_gateway</target>
+      <target>interface_domain_name_servers</target>
+    </condition>
+    <condition name="disabled_if_not_in" source="first_interface">
+      <param>True</param>
+      <target>interface_gateway</target>
+      <target>interface_domain_name_servers</target>
+    </condition>
   </constraints>
 </rougail>

seed/host-systemd-machined/extras/machined/00-machined.xml

@@ -15,6 +15,7 @@
       <variable name="journal_dir_" description="Directory with journal volume for " hidden="True" type="filename" provider="Host:machine_journal"/>
       <variable name="config_dir_" description="Directory with configuration volume for " hidden="True" type="filename" provider="Host:config_dir" mandatory="True"/>
       <variable name="zones_" description="Zones for " hidden="True" provider="Host:machine_zones" mandatory="True" multi="True"/>
+      <variable name="ip_" description="IP for " type="ip" hidden="True"/>
     </family>
     <variable name="nspawn_zone_filename" type="filename" hidden="True" multi="True"/>
     <variable name="nspawn_script_filename" type="filename" hidden="True" multi="True"/>
@@ -35,6 +36,11 @@
       <param name="multi" type="boolean">True</param>
       <target>machined.nspawn_zone_filename</target>
     </fill>
+    <fill name="get_ip">
+      <param type="information">zones</param>
+      <param type="suffix"/>
+      <target>machined.machine_.ip_</target>
+    </fill>
   </constraints>
 </rougail>
 

seed/host-systemd-machined/templates/dhcp.network

@@ -2,4 +2,16 @@
 Name=%%rougail_variable
 
 [Network]
+%set %%leader = %%interface_names[%%rougail_index]
+%if %%leader.interface_type == 'dhcp'
 DHCP=ipv4
+%else
+DHCP=no
+Address=%%leader.interface_ip
+  %if %%leader.first_interface
+Gateway=%%leader.interface_gateway
+    %for %%dns in %%leader.interface_domain_name_servers
+DNS=%%dns
+    %end for
+  %end if
+%end if

seed/host-systemd-machined/templates/risottofirewall.service

@@ -5,21 +5,27 @@ After=network.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
+%set %%has_rules = False
 %for %%dns in %%machined.machines
-%set %%machine = %%normalize_family(%%dns)
+  %set %%machine = %%normalize_family(%%dns)
-%set %%outgoing = %%machined['machine_' + %%machine]['outgoing_ports_' + %%machine]
+  %set %%outgoing = %%machined['machine_' + %%machine]['outgoing_ports_' + %%machine]
   %if %%outgoing
+    %set %%ip = %%machined['machine_' + %%machine]['ip_' + %%machine]
     %for %%port in %%outgoing
       %if ':' in %%port
-%set %%protocol, %%port = %%port.split(':')
+  %set %%protocol, %%port = %%port.split(':')
       %else
-%set %%protocol = 'tcp'
+  %set %%protocol = 'tcp'
       %end if
-ExecStart=/sbin/iptables -t nat -A POSTROUTING -s %%get_ip(%%dns) -p %%protocol -m %%protocol --dport %%port -o %%output_interface -j MASQUERADE
+ExecStart=/sbin/iptables -t nat -A POSTROUTING -s %%ip -p %%protocol -m %%protocol --dport %%port -o %%output_interface -j MASQUERADE
-ExecStop=-/sbin/iptables -t nat -D POSTROUTING -s %%get_ip(%%dns) -p %%protocol -m %%protocol --dport %%port -o %%output_interface -j MASQUERADE
+ExecStop=-/sbin/iptables -t nat -D POSTROUTING -s %%ip -p %%protocol -m %%protocol --dport %%port -o %%output_interface -j MASQUERADE
+       %set %%has_rules = False
     %end for
   %end if
 %end for
+%if not %%has_rules
+ExecStart=/usr/bin/echo "No rule"
+%end if
 
 [Install]
 WantedBy=multi-user.target

seed/imap-client/templates/ca_IMAPServer.crt

@@ -1 +1 @@
-%%get_chain(%%imap_address, 'IMAPServer', hide=%%hide_secret)
+%%get_chain(%%domain_name_eth0, %%imap_address, 'IMAPServer', hide=%%hide_secret)

seed/ldap-client/dictionaries/21_ldap-client.xml

@@ -2,7 +2,7 @@
 
 <rougail version="0.10">
   <services>
-    <service name="ldap-client" target="risotto" engine="creole">
+    <service name="ldap-client" target="risotto" engine="cheetah">
       <file source="ldap.conf" file_type="variable">ldap_client_file</file>
       <file source="ca_LDAP.crt" file_type="variable">ldap_ca_file</file>
       <file source="ldap_client.crt" file_type="variable">ldap_cert_file</file>

seed/ldap-client/templates/ca_LDAP.crt

@@ -1 +1 @@
-%%get_chain(%%ldap_server_address, 'LDAP', hide=%%hide_secret)
+%%get_chain(cn=%%domain_name_eth0, authority_cn=%%ldap_server_address, authority_name="LDAP", hide=%%hide_secret)

seed/letsencrypt/funcs/letsencrypt.py

@@ -3,7 +3,7 @@ from subprocess import run as _run
 from os.path import join as _join, isfile as _isfile, isdir as _isdir
 from datetime import datetime as _datetime
 from shutil import copyfile as _copyfile
-from os import makedirs as _makedirs, environ as _environ
+from os import makedirs as _makedirs, environ as _environ, listdir as _listdir, unlink as _unlink
 
 
 _HERE = _environ['PWD']
@@ -54,25 +54,31 @@ def letsencrypt_certif(domain: str,
                     '360',
                     ]
         ret = _run(cli_args, capture_output=True)
-        if ret.returncode != 0:
+        #if ret.returncode != 0:
-            print("FIXME")
+        #    print("FIXME")
             #raise ValueError(ret.stderr.decode())
 #        print("Done")
     with open(date_file, 'w') as fh:
         fh.write(today)
     rootdir = _join(_X509_DIR, f'{authority_name}+{authority_cn}')
-    chaindir = _join(rootdir, 'ca')
     certdir = _join(rootdir, 'certificats', domain, 'server')
+    chaindir = _join(rootdir, 'certificats', domain, 'ca')
     week_number = date.isocalendar().week
     for dirname in (chaindir, certdir):
         if not _isdir(dirname):
             _makedirs(dirname)
+    certificate_name = f'certificate_{week_number}.crt'
     _copyfile(_join(_LE_DIR, domain, 'config/live', domain, 'chain.pem'),
-              _join(chaindir, f'certificate_{week_number}.crt'),
+              _join(chaindir, certificate_name),
               )
     _copyfile(_join(_LE_DIR, domain, 'config/live', domain, 'privkey.pem'),
               _join(certdir, 'private.key'),
               )
     _copyfile(_join(_LE_DIR, domain, 'config/live', domain, 'fullchain.pem'),
-              _join(certdir, f'certificate_{week_number}.crt'),
+              _join(certdir, certificate_name),
               )
+    for dirname in (chaindir, certdir):
+        for filename in _listdir(dirname):
+            if not filename.endswith('.crt') or filename == certificate_name:
+                continue
+            _unlink(_join(dirname, filename))

seed/mailman/dictionaries/31_mailman.xml

@@ -1,24 +1,23 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
   <services>
-    <service name="mailman3" target="multi-user">
+    <service name="mailman3"> <!-- target="multi-user">-->
-      <override/>
+      <!--override/-->
-      <file owner="root" group="mailman" mode="640">/etc/mailman.cfg</file>
+      <file owner="root" group="list" mode="640">/etc/mailman3/mailman.cfg</file>
-      <file owner="root" group="mailman" mode="640">/etc/mailman3.d/postfix.cfg</file>
-      <file engine="none" source="sysuser-mailman.conf">/sysusers.d/0mailman.conf</file>
       <file engine="none" source="tmpfile-mailman.conf">/tmpfiles.d/0mailman.conf</file>
-    </service>
-    <service name="postorius" target="multi-user" engine="creole">
-      <file engine="none">/etc/postorius/gunicorn_config.py</file>
-      <file engine="none" source="sysuser-postorius.conf">/sysusers.d/0postorius.conf</file>
-      <file source="config-nginx.conf">/etc/nginx/default.d/postorius.conf</file>
-      <file source="postorius-settings.py">/etc/mailman3.d/postorius.py</file>
       <file>/tests/mailman.yml</file>
+      <!--file owner="root" group="mailman" mode="640">/etc/mailman3.d/postfix.cfg</file-->
     </service>
-    <service name="postgresqlclient" target="multi-user" engine="creole">
+    <service name="mailman3-web"> <!-- target="multi-user" engine="cheetah">-->
+      <!--file engine="none">/etc/postorius/gunicorn_config.py</file>
+      <file engine="none" source="sysuser-postorius.conf">/sysusers.d/0postorius.conf</file>
+      <file source="config-nginx.conf">/etc/nginx/default.d/postorius.conf</file-->
+      <file>/etc/mailman3/mailman-web.py</file>
+    </service>
+    <!--service name="postgresqlclient" target="multi-user" engine="cheetah"-->
       <!-- mailman and postorius have differents username -->
-      <file owner="postorius" mode="400" source="postgresql.key">/etc/pki/tls/private/postgresql_postorius.key</file>
+      <!--file owner="postorius" mode="400" source="postgresql.key">/etc/pki/tls/private/postgresql_postorius.key</file-->
-    </service>
+    <!--/service-->
   </services>
   <variables>
     <family name="mailman" description="Gestionnaire de liste">
@@ -56,7 +55,7 @@
     </family>
     <family name="postgresql">
       <variable name="pg_client_key_owner" redefine="True">
-        <value>mailman</value>
+        <value>list</value>
       </variable>
     </family>
   </variables>

seed/mailman/manual/image/postinstall/postorius.sh

@@ -1,12 +1,12 @@
-PYTHON="usr/lib/python3.10/site-packages"
+#PYTHON="usr/lib/python3/site-packages"
-cp -a "$IMAGE_DIR_RECIPIENT_IMAGE/postinstall/lemonldap" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/"
+#cp -a "$IMAGE_DIR_RECIPIENT_IMAGE/postinstall/lemonldap" "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/$PYTHON/allauth/socialaccount/providers/"
-cp -a "$IMAGE_DIR_RECIPIENT_IMAGE/postinstall/risotto" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/"
+#cp -a "$IMAGE_DIR_RECIPIENT_IMAGE/postinstall/risotto" "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/$PYTHON/allauth/socialaccount/providers/"
-cp -a "$IMAGE_DIR_RECIPIENT_IMAGE/postinstall/postorius" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius"
+#cp -a "$IMAGE_DIR_RECIPIENT_IMAGE/postinstall/postorius" "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/share/postorius"
-chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius/manage.py"
+#chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/share/postorius/manage.py"
-ln -s /etc/mailman3.d/postorius.py "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius/m_postorius/settings_local.py"
+#ln -s /etc/mailman3.d/postorius.py "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/share/postorius/m_postorius/settings_local.py"
-ln -s ../../django_mailman3/static/django-mailman3 "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/postorius/static/"
+#ln -s ../../django_mailman3/static/django-mailman3 "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/$PYTHON/postorius/static/"
-ln -s ../../django/contrib/admin/static/admin "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/postorius/static/"
+#ln -s ../../django/contrib/admin/static/admin "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/$PYTHON/postorius/static/"
-#translation
+##translation
-msgfmt $IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/postorius/locale/fr/LC_MESSAGES/django.po -o $IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/postorius/locale/fr/LC_MESSAGES/django.mo
+#msgfmt $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/$PYTHON/postorius/locale/fr/LC_MESSAGES/django.po -o $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/$PYTHON/postorius/locale/fr/LC_MESSAGES/django.mo
-sed -i 's/$event.mlist.fqdn_listname\./$event.mlist.fqdn_listname/g' $IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/mailman/messages/fr/LC_MESSAGES/mailman.po
+#sed -i 's/$event.mlist.fqdn_listname\./$event.mlist.fqdn_listname/g' $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/$PYTHON/mailman/messages/fr/LC_MESSAGES/mailman.po
-msgfmt $IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/mailman/messages/fr/LC_MESSAGES/mailman.po -o $IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/mailman/messages/fr/LC_MESSAGES/mailman.mo
+#msgfmt $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/$PYTHON/mailman/messages/fr/LC_MESSAGES/mailman.po -o $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/$PYTHON/mailman/messages/fr/LC_MESSAGES/mailman.mo

seed/mailman/manual/image/preinstall/mailman.sh

@@ -1 +1,3 @@
-PKG="$PKG mailman3 postorius python3-psycopg2 python-unversioned-command python3-django-cors-headers"
+#PKG="$PKG mailman3 postorius python3-psycopg2 python-unversioned-command python3-django-cors-headers"
+PKG="$PKG mailman3-full"
+#python3-xapian-haystack

seed/mailman/templates/mailman-web.py

@@ -1,37 +1,239 @@
-# -*- coding: utf-8 -*-
+# This file is imported by the Mailman Suite. It is used to override
+# the default settings from /usr/share/mailman3-web/settings.py.
+
+# SECURITY WARNING: keep the secret key used in production secret!
+#>GNUNUX
 SECRET_KEY = '%%postorius_secret_key'
-#FIXME same database has mailman?
+#<GNUNUX
+
+
+#FIXME
+#ADMINS = (
+#     ('Mailman Suite Admin', 'root@localhost'),
+#)
+
+# Hosts/domain names that are valid for this site; required if DEBUG is False
+# See https://docs.djangoproject.com/en/1.8/ref/settings/#allowed-hosts
+# Set to '*' per default in the Deian package to allow all hostnames. Mailman3
+# is meant to run behind a webserver reverse proxy anyway.
+ALLOWED_HOSTS = [
+    #"localhost",  # Archiving API from Mailman, keep it.
+    # "lists.your-domain.org",
+    # Add here all production URLs you may have.
+#>GNUNUX
+    #'*'
+    '%%{revprox_client_external_domainnames[0]}'
+#<GNUNUX
+]
+
+#>GNUNUX
+# Mailman API credentials
+#MAILMAN_REST_API_URL = 'http://localhost:8001'
+#MAILMAN_REST_API_USER = 'restadmin'
+#MAILMAN_REST_API_PASS = 'T0zVrLFZBJrftkW9Sjs660sEr/P3zehYGYPuo93LSGZT1KHd'
+#MAILMAN_ARCHIVER_KEY = 'BzzgFI+QbeFOsGFy0Q6wfD5cp9fQvk1o'
+#MAILMAN_ARCHIVER_FROM = ('127.0.0.1', '::1')
+#<GNUNUX
+
+# Application definition
+
+#FIXME
+INSTALLED_APPS = (
+    'hyperkitty',
+    'postorius',
+    'django_mailman3',
+    # Uncomment the next line to enable the admin:
+    'django.contrib.admin',
+    # Uncomment the next line to enable admin documentation:
+    # 'django.contrib.admindocs',
+    'django.contrib.auth',
+    'django.contrib.contenttypes',
+    'django.contrib.sessions',
+    'django.contrib.sites',
+    'django.contrib.messages',
+    'django.contrib.staticfiles',
+    'rest_framework',
+    'django_gravatar',
+    'compressor',
+    'haystack',
+    'django_extensions',
+    'django_q',
+    'allauth',
+    'allauth.account',
+    'allauth.socialaccount',
+    'django_mailman3.lib.auth.fedora',
+    #'allauth.socialaccount.providers.openid',
+    #'allauth.socialaccount.providers.github',
+    #'allauth.socialaccount.providers.gitlab',
+    #'allauth.socialaccount.providers.google',
+    #'allauth.socialaccount.providers.facebook',
+    #'allauth.socialaccount.providers.twitter',
+    #'allauth.socialaccount.providers.stackexchange',
+)
+
+
+# Database
+# https://docs.djangoproject.com/en/1.8/ref/settings/#databases
+
 DATABASES = {
-    'default' : {
+    'default': {
+        # Use 'sqlite3', 'postgresql_psycopg2', 'mysql', 'sqlite3' or 'oracle'.
+#>GNUNUX
+        #'ENGINE': 'django.db.backends.sqlite3',
+#<GNUNUX
+        #'ENGINE': 'django.db.backends.postgresql_psycopg2',
+        #'ENGINE': 'django.db.backends.mysql',
+        # DB name or path to database file if using sqlite3.
+#>GNUNUX
+        #'NAME': '/var/lib/mailman3/web/mailman3web.db',
+#<GNUNUX
+        # The following settings are not used with sqlite3:
+#>GNUNUX
+        #'USER': '',
+        #'PASSWORD': '',
+#<GNUNUX
+        # HOST: empty for localhost through domain sockets or '127.0.0.1' for
+        # localhost through TCP.
+#>GNUNUX
+        #'HOST': '',
         'ENGINE': 'django.db.backends.postgresql_psycopg2',
-        'NAME': '%%pg_client_database',         # Database name
+#FIXME same database has mailman?
+        'NAME': '%%pg_client_database',
         'USER': '%%pg_client_username',               # PostgreSQL username
         'PASSWORD': '%%pg_client_password',           # PostgreSQL password
         'HOST': '%%pg_client_server_domainname',      # Database server
-        'PORT': '',               # Database port (leave blank for default)
+        'CONN_MAX_AGE': 300,
-        'CONN_MAX_AGE': 300,      # Max database connection age
+#>GNUNUX
-        'OPTIONS': {'sslmode': 'verify-full', 'sslcert': '%%pg_client_crt_file', 'sslkey': '/etc/pki/tls/private/postgresql_postorius.key', 'sslrootcert': '%%pg_client_ca_file'},
+        # PORT: set to empty string for default.
+        'PORT': '',
+        # OPTIONS: Extra parameters to use when connecting to the database.
+        'OPTIONS': {
+            # Set sql_mode to 'STRICT_TRANS_TABLES' for MySQL. See
+            # https://docs.djangoproject.com/en/1.11/ref/
+            #     databases/#setting-sql-mode
+            #'init_command': "SET sql_mode='STRICT_TRANS_TABLES'",
+#>GNUNUX
+            'sslmode': 'verify-full',
+            'sslcert': '%%pg_client_crt_file',
+            'sslkey': '/etc/pki/tls/private/postgresql_postorius.key',
+            'sslrootcert': '%%pg_client_ca_file',
+#<GNUNUX
+        },
     }
 }
-ALLOWED_HOSTS = ['%%{revprox_client_external_domainnames[0]}']
-POSTORIUS_TEMPLATE_BASE_URL = 'https://%%{revprox_client_external_domainnames[0]}'
-CSRF_TRUSTED_ORIGINS = ['%%{revprox_client_external_domainnames[0]}']
-USE_X_FORWARDED_HOST = True
-SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
-LANGUAGE_CODE = 'fr'
-STATIC_URL = '/mailman/postorius_static/'
-FORCE_SCRIPT_NAME = '/mailman'
 
+
+# If you're behind a proxy, use the X-Forwarded-Host header
+# See https://docs.djangoproject.com/en/1.8/ref/settings/#use-x-forwarded-host
+USE_X_FORWARDED_HOST = True
+
+# And if your proxy does your SSL encoding for you, set SECURE_PROXY_SSL_HEADER
+# https://docs.djangoproject.com/en/1.8/ref/settings/#secure-proxy-ssl-header
+# SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+# SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_SCHEME', 'https')
+#>GNUNUX
+SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https')
+#<GNUNUX
+
+# Other security settings
+# SECURE_SSL_REDIRECT = True
+# If you set SECURE_SSL_REDIRECT to True, make sure the SECURE_REDIRECT_EXEMPT
+# contains at least this line:
+# SECURE_REDIRECT_EXEMPT = [
+#     "archives/api/mailman/.*",  # Request from Mailman.
+#     ]
+# SESSION_COOKIE_SECURE = True
+# SECURE_CONTENT_TYPE_NOSNIFF = True
+# SECURE_BROWSER_XSS_FILTER = True
+# CSRF_COOKIE_SECURE = True
+# CSRF_COOKIE_HTTPONLY = True
+# X_FRAME_OPTIONS = 'DENY'
+#>GNUNUX
+CSRF_TRUSTED_ORIGINS = ['%%{revprox_client_external_domainnames[0]}']
+#<GNUNUX
+
+# Internationalization
+# https://docs.djangoproject.com/en/1.8/topics/i18n/
+
+#>GNUNUX
+#LANGUAGE_CODE = 'en-us'
+LANGUAGE_CODE = 'fr'
+#<GNUNUX
+
+TIME_ZONE = 'UTC'
+
+USE_I18N = True
+USE_L10N = True
+USE_TZ = True
+
+
+# Set default domain for email addresses.
+#FIXME
+EMAILNAME = 'localhost.local'
+
+# If you enable internal authentication, this is the address that the emails
+# will appear to be coming from. Make sure you set a valid domain name,
+# otherwise the emails may get rejected.
+# https://docs.djangoproject.com/en/1.8/ref/settings/#default-from-email
+# DEFAULT_FROM_EMAIL = "mailing-lists@you-domain.org"
+#>GNUNUX
+#DEFAULT_FROM_EMAIL = 'postorius@{}'.format(EMAILNAME)
+DEFAULT_FROM_EMAIL = '%%mailman_mail_owner'
+#<GNUNUX
+
+# If you enable email reporting for error messages, this is where those emails
+# will appear to be coming from. Make sure you set a valid domain name,
+# otherwise the emails may get rejected.
+# https://docs.djangoproject.com/en/1.8/ref/settings/#std:setting-SERVER_EMAIL
+# SERVER_EMAIL = 'root@your-domain.org'
+#>GNUNUX
+#SERVER_EMAIL = 'root@{}'.format(EMAILNAME)
+SERVER_EMAIL = '%%mailman_mail_owner'
 EMAIL_HOST = "%%smtp_relay_address"
 EMAIL_PORT = 25
 EMAIL_HOST_USER = "%%smtp_relay_user@%%ip_eth0"
 EMAIL_HOST_PASSWORD = "%%smtp_relay_password"
 EMAIL_USE_TLS = True
-DEFAULT_FROM_EMAIL = '%%mailman_mail_owner'
+#FIXME
 EMAIL_SUBJECT_PREFIX = '[Django] '
-SERVER_EMAIL = '%%mailman_mail_owner'
+
-SOCIALACCOUNT_EMAIL_VERIFICATION = 'none'
+
+STATIC_URL = '/mailman/postorius_static/'
+FORCE_SCRIPT_NAME = '/mailman'
+#<GNUNUX
+
+# Django Allauth
+ACCOUNT_DEFAULT_HTTP_PROTOCOL = "https"
+
+
+#
+# Social auth
+#
 SOCIALACCOUNT_PROVIDERS = {
+    #'openid': {
+    #    'SERVERS': [
+    #        dict(id='yahoo',
+    #             name='Yahoo',
+    #             openid_url='http://me.yahoo.com'),
+    #    ],
+    #},
+    #'google': {
+    #    'SCOPE': ['profile', 'email'],
+    #    'AUTH_PARAMS': {'access_type': 'online'},
+    #},
+    #'facebook': {
+    #   'METHOD': 'oauth2',
+    #   'SCOPE': ['email'],
+    #   'FIELDS': [
+    #       'email',
+    #       'name',
+    #       'first_name',
+    #       'last_name',
+    #       'locale',
+    #       'timezone',
+    #       ],
+    #   'VERSION': 'v2.4',
+    #},
     'risotto': {
         'LEMONLDAP_NAME': 'Authentification centralisée',
         'LEMONLDAP_URL': 'https://%%oauth2_server_domainname',
@@ -44,13 +246,18 @@ SOCIALACCOUNT_PROVIDERS = {
         'VERIFIED_EMAIL': True,
     },
 }
-#FIXME
+#>GNUNUX
-## This goes in /etc/cron.d/mailman
+SOCIALACCOUNT_EMAIL_VERIFICATION = 'none'
-#
+#<GNUNUX
-#@hourly  mailman  /opt/mailman/venv/bin/mailman-web runjobs hourly
+
-#@daily   mailman  /opt/mailman/venv/bin/mailman-web runjobs daily
+# On a production setup, setting COMPRESS_OFFLINE to True will bring a
-#@weekly  mailman  /opt/mailman/venv/bin/mailman-web runjobs weekly
+# significant performance improvement, as CSS files will not need to be
-#@monthly mailman  /opt/mailman/venv/bin/mailman-web runjobs monthly
+# recompiled on each requests. It means running an additional "compress"
-#@yearly  mailman  /opt/mailman/venv/bin/mailman-web runjobs yearly
+# management command after each code upgrade.
-#* * * * *  mailman  /opt/mailman/venv/bin/mailman-web runjobs minutely
+# http://django-compressor.readthedocs.io/en/latest/usage/#offline-compression
-#2,17,32,47 * * * * mailman  /opt/mailman/venv/bin/mailman-web runjobs quarter_hourly
+COMPRESS_OFFLINE = True
+
+#>GNUNUX
+#POSTORIUS_TEMPLATE_BASE_URL = 'http://localhost/mailman3/'
+POSTORIUS_TEMPLATE_BASE_URL = 'https://%%{revprox_client_external_domainnames[0]}'
+#<GNUNUX

seed/mailman/templates/mailman.cfg

@@ -1,53 +1,331 @@
-# This is the absolute bare minimum base configuration file.  User supplied
+# Copyright (C) 2008-2017 by the Free Software Foundation, Inc.
-# configurations are pushed onto this.
+#
+# This file is part of GNU Mailman.
+#
+# GNU Mailman is free software: you can redistribute it and/or modify it under
+# the terms of the GNU General Public License as published by the Free
+# Software Foundation, either version 3 of the License, or (at your option)
+# any later version.
+#
+# GNU Mailman is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for
+# more details.
+#
+# You should have received a copy of the GNU General Public License along with
+# GNU Mailman.  If not, see <http://www.gnu.org/licenses/>.
+
+# This file contains the Debian configuration for mailman.  It uses ini-style
+# formats under the lazr.config regime to define all system configuration
+# options.  See <https://launchpad.net/lazr.config> for details.
+
 
 [mailman]
-# GNUNUX default_language: en
-#>GNUNUX
-default_language: fr
-#<GNUNUX
 # This address is the "site owner" address.  Certain messages which must be
 # delivered to a human, but which can't be delivered to a list owner (e.g. a
 # bounce from a list owner), will be sent to this address.  It should point to
 # a human.
-# GNUNUX site_owner: root@localhost
+#>GNUNUX
+#site_owner: changeme@example.com
 site_owner: %%mailman_mail_owner
+#<GNUNUX
+
+# This is the local-part of an email address used in the From field whenever a
+# message comes from some entity to which there is no natural reply recipient.
+# Mailman will append '@' and the host name of the list involved.  This
+# address must not bounce and it must not point to a Mailman process.
+noreply_address: noreply
+
+# The default language for this server.
+#>GNUNUX
+#default_language: en
+default_language: fr
+#<GNUNUX
+
+# Membership tests for posting purposes are usually performed by looking at a
+# set of headers, passing the test if any of their values match a member of
+# the list.  Headers are checked in the order given in this variable.  The
+# value From_ means to use the envelope sender.  Field names are case
+# insensitive.  This is a space separate list of headers.
+sender_headers: from from_ reply-to sender
 
 # The local URL part to the administration interface (Postorius).
 # The full URL will be constructed by prepending the domain URL set in the
 # list's domain properties.
 #listinfo_url = /postorius/
 
-# Set the paths to be Fedora-compliant
+# Mail command processor will ignore mail command lines after designated max.
-layout: fhs
+email_commands_max_lines: 10
 
+# Default length of time a pending request is live before it is evicted from
+# the pending database.
+pending_request_life: 3d
+
+# How long should files be saved before they are evicted from the cache?
+cache_life: 7d
+
+# A callable to run with no arguments early in the initialization process.
+# This runs before database initialization.
+pre_hook:
+
+# A callable to run with no arguments late in the initialization process.
+# This runs after adapters are initialized.
+post_hook:
+
+# Which paths.* file system layout to use.
+# You should not change this variable.
+layout: debian
+
+# Can MIME filtered messages be preserved by list owners?
+filtered_messages_are_preservable: no
+
+# How should text/html parts be converted to text/plain when the mailing list
+# is set to convert HTML to plaintext?  This names a command to be called,
+# where the substitution variable $filename is filled in by Mailman, and
+# contains the path to the temporary file that the command should read from.
+# The command should print the converted text to stdout.
+html_to_plain_text_command: /usr/bin/lynx -dump $filename
+
+# Specify what characters are allowed in list names.  Characters outside of
+# the class [-_.+=!$*{}~0-9a-z] matched case insensitively are never allowed,
+# but this specifies a subset as the only allowable characters.  This must be
+# a valid character class regexp or the effect on list creation is
+# unpredictable.
+listname_chars: [-_.0-9a-z]
+
+
+[shell]
+# `mailman shell` (also `withlist`) gives you an interactive prompt that you
+# can use to interact with an initialized and configured Mailman system.  Use
+# --help for more information.  This section allows you to configure certain
+# aspects of this interactive shell.
+
+# Customize the interpreter prompt.
+prompt: >>>
+
+# Banner to show on startup.
+banner: Welcome to the GNU Mailman shell
+
+# Use IPython as the shell, which must be found on the system.  Valid values
+# are `no`, `yes`, and `debug` where the latter is equivalent to `yes` except
+# that any import errors will be displayed to stderr.
+use_ipython: no
+
+# Set this to allow for command line history if readline is available.  This
+# can be as simple as $var_dir/history.py to put the file in the var directory.
+history_file:
+
+
+[paths.debian]
+# Important directories for Mailman operation.  These are defined here so that
+# different layouts can be supported.   For example, a developer layout would
+# be different from a FHS layout.  Most paths are based off the var_dir, and
+# often just setting that will do the right thing for all the other paths.
+# You might also have to set spool_dir though.
+#
+# Substitutions are allowed, but must be of the form $var where 'var' names a
+# configuration variable in the paths.* section.  Substitutions are expanded
+# recursively until no more $-variables are present.  Beware of infinite
+# expansion loops!
+#
+# This is the root of the directory structure that Mailman will use to store
+# its run-time data.
 #>GNUNUX
+#var_dir: /var/lib/mailman3
+var_dir: /srv/mailman/
+#<GNUNUX
+# This is where the Mailman queue files directories will be created.
+queue_dir: $var_dir/queue
+# This is the directory containing the Mailman 'runner' and 'master' commands
+# if set to the string '$argv', it will be taken as the directory containing
+# the 'mailman' command.
+bin_dir: /usr/lib/mailman3/bin
+# All list-specific data.
+list_data_dir: $var_dir/lists
+# Directory where log files go.
+#>GNUNUX
+#log_dir: /var/log/mailman3
+log_dir: /srv/mailman/log
+#<GNUNUX
+# Directory for system-wide locks.
+lock_dir: $var_dir/locks
+# Directory for system-wide data.
+data_dir: $var_dir/data
+# Cache files.
+cache_dir: $var_dir/cache
+# Directory for configuration files and such.
+etc_dir: /etc/mailman3
+# Directory containing Mailman plugins.
+ext_dir: $var_dir/ext
+# Directory where the default IMessageStore puts its messages.
+messages_dir: $var_dir/messages
+# Directory for archive backends to store their messages in.  Archivers should
+# create a subdirectory in here to store their files.
+archive_dir: $var_dir/archives
+# Root directory for site-specific template override files.
+template_dir: $var_dir/templates
+# There are also a number of paths to specific file locations that can be
+# defined.  For these, the directory containing the file must already exist,
+# or be one of the directories created by Mailman as per above.
+#
+# This is where PID file for the master runner is stored.
+pid_file: /run/mailman3/master.pid
+# Lock file.
+lock_file: $lock_dir/master.lck
+
+
 [database]
+# The class implementing the IDatabase.
+#GNUNUX class: mailman.database.sqlite.SQLiteDatabase
+#class: mailman.database.mysql.MySQLDatabase
+#class: mailman.database.postgresql.PostgreSQLDatabase
+#>GNUNUX
 class: mailman.database.postgresql.PostgreSQLDatabase  
+#<GNUNUX
+
+# Use this to set the Storm database engine URL.  You generally have one
+# primary database connection for all of Mailman.  List data and most rosters
+# will store their data in this database, although external rosters may access
+# other databases in their own way.  This string supports standard
+# 'configuration' substitutions.
+#GNUNUX url: sqlite:///$DATA_DIR/mailman.db
+#url: mysql+pymysql://mailman3:mmpass@localhost/mailman3?charset=utf8&use_unicode=1
+#url: postgres://mailman3:mmpass@localhost/mailman3
+#>GNUNUX
 url: postgresql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database?sslmode=verify-full&sslcert=%%pg_client_crt_file&sslkey=%%pg_client_key_file&sslrootcert=%%pg_client_ca_file
+#<GNUNUX
+
+debug: no
+
+
+[logging.debian]
+# This defines various log settings.  The options available are:
+#
+# - level     -- Overrides the default level; this may be any of the
+#                standard Python logging levels, case insensitive.
+# - format    -- Overrides the default format string
+# - datefmt   -- Overrides the default date format string
+# - path      -- Overrides the default logger path.  This may be a relative
+#                path name, in which case it is relative to Mailman's LOG_DIR,
+#                or it may be an absolute path name.  You cannot change the
+#                handler class that will be used.
+# - propagate -- Boolean specifying whether to propagate log message from this
+#                logger to the root "mailman" logger.  You cannot override
+#                settings for the root logger.
+#
+# In this section, you can define defaults for all loggers, which will be
+# prefixed by 'mailman.'.  Use subsections to override settings for specific
+# loggers.  The names of the available loggers are:
+#
+# - archiver        --  All archiver output
+# - bounce          --  All bounce processing logs go here
+# - config          --  Configuration issues
+# - database        --  Database logging (SQLAlchemy and Alembic)
+# - debug           --  Only used for development
+# - error           --  All exceptions go to this log
+# - fromusenet      --  Information related to the Usenet to Mailman gateway
+# - http            --  Internal wsgi-based web interface
+# - locks           --  Lock state changes
+# - mischief        --  Various types of hostile activity
+# - runner          --  Runner process start/stops
+# - smtp            --  Successful SMTP activity
+# - smtp-failure    --  Unsuccessful SMTP activity
+# - subscribe       --  Information about leaves/joins
+# - vette           --  Message vetting information
+#>GNUNUX
+#FIXME format: %(asctime)s (%(process)d) %(message)s
+#FIXME datefmt: %b %d %H:%M:%S %Y
+#FIXME propagate: no
+#FIXME level: info
+#FIXME path: mailman.log
+#<GNUNUX
+
+[webservice]
+# The hostname at which admin web service resources are exposed.
+#>GNUNUX
+#hostname: localhost
+hostname: %%mailman_domains
+#<GNUNUX
+
+# The port at which the admin web service resources are exposed.
+#>GNUNUX
+#port: 8001
+port: 443
+#<GNUNUX
+
+# Whether or not requests to the web service are secured through SSL.
+#>GNUNUX
+#use_https: no
+use_https: yes
+#<GNUNUX
+
+# Whether or not to show tracebacks in an HTTP response for a request that
+# raised an exception.
+show_tracebacks: yes
+
+# The API version number for the current (highest) API.
+api_version: 3.1
+
+# The administrative username.
+admin_user: restadmin
+
+# The administrative password.
+admin_pass: T0zVrLFZBJrftkW9Sjs660sEr/P3zehYGYPuo93LSGZT1KHd
 
 [mta]
-lmtp_host: %%ip_eth0
+# The class defining the interface to the incoming mail transport agent.
-configuration: /etc/mailman3.d/postfix.cfg
+#incoming: mailman.mta.exim4.LMTP
+incoming: mailman.mta.postfix.LMTP
+
+# The callable implementing delivery to the outgoing mail transport agent.
+# This must accept three arguments, the mailing list, the message, and the
+# message metadata dictionary.
+outgoing: mailman.mta.deliver.deliver
+
+# How to connect to the outgoing MTA.  If smtp_user and smtp_pass is given,
+# then Mailman will attempt to log into the MTA when making a new connection.
+#>GNUNUX
+#smtp_host: localhost
 smtp_host: %%smtp_relay_address
-smtp_user: %%smtp_relay_user@%%ip_eth0
-smtp_pass: %%smtp_relay_password
 smtp_port: 25
+#smtp_user:
+smtp_user: %%smtp_relay_user@%%ip_eth0
+#smtp_pass:
+smtp_pass: %%smtp_relay_password
 smtp_secure_mode: starttls
 smtp_verify_cert: yes
 smtp_verify_hostname: yes
 #<GNUNUX
 
-[paths.fhs]
+# Where the LMTP server listens for connections.  Use 127.0.0.1 instead of
-bin_dir: /usr/libexec/mailman3
+# localhost for Postfix integration, because Postfix only consults DNS
-# GNUNUX var_dir: /var/lib/mailman3
+# (e.g. not /etc/hosts).
-# GNUNUX queue_dir: /var/spool/mailman3
-# GNUNUX log_dir: /var/log/mailman3
 #>GNUNUX
-var_dir: /srv/mailman/lib
+#lmtp_host: 127.0.0.1
-queue_dir: /srv/mailman/spool
+lmtp_host: %%ip_eth0
-log_dir: /var/log/mailman
 #<GNUNUX
-lock_dir: /run/lock/mailman3
+lmtp_port: 8024
-ext_dir: /etc/mailman3.d
+
-pid_file: /run/mailman3/master.pid
+# Where can we find the mail server specific configuration file?  The path can
+# be either a file system path or a Python import path.  If the value starts
+# with python: then it is a Python import path, otherwise it is a file system
+# path.  File system paths must be absolute since no guarantees are made about
+# the current working directory.  Python paths should not include the trailing
+# .cfg, which the file must end with.
+#configuration: python:mailman.config.exim4
+configuration: python:mailman.config.postfix
+
+# see /usr/lib/python3.10/site-packages/mailman/config/postfix.cfg
+[postfix]
+# Additional configuration variables for the postfix MTA.
+
+# This variable describe the program to use for regenerating the transport map
+# db file, from the associated plain text files.  The file being updated will
+# be appended to this string (with a separating space), so it must be
+# appropriate for os.system().
+postmap_command: /usr/sbin/postmap
+
+# This variable describes the type of transport maps that will be generated by
+# mailman to be used with postfix for LMTP transport. By default, it is set to
+# hash, but mailman also supports `regex` tables.
+transport_file_type: regex

seed/mailman/templates/tmpfile-mailman.conf

@@ -1,3 +1,3 @@
-d /srv/mailman 750 mailman mailman - -
+d /srv/mailman 750 list list - -
-d /var/log/mailman 755 mailman mailman - -
+d /var/log/mailman 755 list list - -
-f /var/log/mailman/postorius.log 644 postorius postorius - -
+#f /var/log/mailman/postorius.log 644 postorius postorius - -

seed/mariadb-client/dictionaries/20_mariadb.xml

@@ -1,7 +1,7 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
   <services>
-    <service name="mariadbclient" target="risotto" engine="creole"/>
+    <service name="mariadbclient" target="risotto" engine="cheetah"/>
   </services>
   <variables>
     <family name="mariadb" description="MariaDB">

seed/nextcloud/dictionaries/31_nextcloud.xml

@@ -3,7 +3,7 @@
   <services>
     <service name="nextcloudcron" engine="none"/>
     <service name="nextcloudcron" type="timer" engine="none" target="timers"/>
-    <service name="nextcloud" engine="creole" target="multi-user">
+    <service name="nextcloud" engine="cheetah" target="multi-user">
       <file owner="apache" group="apache" mode="440" source="nextcloud-config.php">/etc/nextcloud/config.php</file>
       <file owner="root" group="root" mode="755">/sbin/nextcloud.init</file>
       <file>/etc/httpd/conf.d/a-nextcloud-access.conf</file>

seed/nextcloud/manual/image/postinstall/nextcloud.sh

@@ -1,6 +1,7 @@
-ln -s "$IMAGE_NAME_RISOTTO_IMAGE_DIR/srv/nextcloud/data" "/var/lib/risotto/images/nextcloud//usr/share/nextcloud/data"
+CALENDAR="3.5.2"
-mkdir -p "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/local/share/nextcloud/apps"
+ln -s "/srv/nextcloud/data" "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/share/nextcloud/data"
-cd "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/local/share/nextcloud/apps"
+mkdir -p "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/local/share/nextcloud/apps"
+cd "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/local/share/nextcloud/apps"
 #user_saml=$(wget https://api.github.com/repos/nextcloud/user_saml/releases/latest -q -O - | jq -r '.assets[0].browser_download_url')
 app=$(wget https://api.github.com/repos/pulsejet/nextcloud-oidc-login/releases/latest -q -O - | jq -r '.assets[0].browser_download_url')
 wget -q $app
@@ -8,20 +9,21 @@ tar xf *tar.gz
 rm -f *tar.gz
 chown -R root: oidc_login
 #
-app=$(wget https://api.github.com/repos/nextcloud-releases/calendar/releases/latest -q -O - | jq -r '.assets[0].browser_download_url')
+#app=$(wget https://api.github.com/repos/nextcloud-releases/calendar/releases/latest -q -O - | jq -r '.assets[0].browser_download_url')
+app="https://github.com/nextcloud-releases/calendar/releases/download/v${CALENDAR}/calendar-v${CALENDAR}.tar.gz"
 wget -q $app -O app.tar.gz
 tar xf app.tar.gz
 rm -f app.tar.gz
 chown -R root: calendar
 #
-app=$(wget https://api.github.com/repos/nextcloud-releases/contacts/releases/latest -q -O - | jq -r '.assets[0].browser_download_url')
+#app=$(wget https://api.github.com/repos/nextcloud-releases/contacts/releases/latest -q -O - | jq -r '.assets[0].browser_download_url')
 app=https://github.com/nextcloud-releases/contacts/releases/download/v4.2.2/contacts-v4.2.2.tar.gz
 wget -q $app -O app.tar.gz
 tar xf app.tar.gz
 rm -f app.tar.gz
 chown -R root: contacts
 #
-app=$(wget https://api.github.com/repos/nextcloud/notes/releases/latest -q -O - | jq -r '.assets[0].browser_download_url')
+#app=$(wget https://api.github.com/repos/nextcloud/notes/releases/latest -q -O - | jq -r '.assets[0].browser_download_url')
 app=https://github.com/nextcloud/notes/releases/download/v4.5.1/notes.tar.gz
 wget -q $app -O app.tar.gz
 tar xf app.tar.gz

seed/nginx-common/dictionaries/21_nginx.xml

@@ -24,7 +24,7 @@
         <value>False</value>
       </variable>
       <variable name="nginx_default" type="domainname" description="Nom de domaine du serveur mandataire inverse par défaut" help="Si un client accède au serveur avec un nom de domaine non déclaré, le flux est redirigé vers ce domaine" mandatory='False'/>
-      <variable name="nginx_root" type="filename" mandatory='False'>
+      <variable name="nginx_root" type="filename" mandatory='False' hidden="True">
         <value>/usr/share/nginx/html</value>
       </variable>
       <variable name="nginx_hash_bucket_size" description="Longueur maximum pour un nom de domaine" mode="expert" type="choice">

seed/nginx-https/templates/nginx.crt

@@ -1,2 +1,3 @@
+%set %%chain = %%get_chain(%%domain_name_eth0, %%revprox_client_server_domainname, 'InternalReverseProxy', hide=%%hide_secret)
 %%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type="server", hide=%%hide_secret)
-%%get_chain(%%revprox_client_server_domainname, 'InternalReverseProxy', hide=%%hide_secret)
+%%chain

seed/nginx-reverse-proxy/dictionaries/25_nginx.xml

@@ -2,7 +2,7 @@
 <rougail version="0.10">
   <services>
     <service name='nginx'>
-      <override engine="creole"/>
+      <override engine="cheetah"/>
       <file source="nginx-options-rp.conf">/etc/nginx/conf.d/options-rp.conf</file>
       <file source="revprox-nginx.conf">/etc/nginx/sites-enabled/risotto.conf</file>
       <file source="certificate.crt" file_type="variable" mode="600" variable="nginx.revprox_domainnames">nginx.nginx_certificate_filename</file>

seed/nginx-reverse-proxy/extras/nginx/00-nginx.xml

@@ -7,7 +7,7 @@
         <variable name="revprox_domainnames_" type="domainname" description="Nom des domaines auto-configurés dans le serveur mandataire inverse" multi="True" provider="ReverseProxy:external" hidden="True"/>
         <variable name="revprox_location_" type="filename" description="Répertoire ou nom de la page à rediriger pour " help="URL relative (sans le nom de domaine) redirigée pour l'adresse définie dans la variable ci-dessus (exemple &quot;/mail&quot;)" mandatory="True" multi="True" provider="ReverseProxy:location"/>
         <variable name="revprox_url_" type="web_address" description="Domaine de destination ou URI complète pour " mandatory="True" help="Nom de domaine ou IP de destination, par exemple &quot;http://domainelocal&quot; ou URI, par exemple &quot;http://domainelocal/dir/&quot;" provider="ReverseProxy:url"/>
-        <variable name="revprox_is_websocket_" type="boolean" description="Le point d'entré est de types websocket pour " mandatory="True" multi="True" provider="ReverseProxy:websocket"/>
+        <variable name="revprox_is_websocket_" type="boolean" description="Le point d'entrée est de types websocket pour " mandatory="True" multi="True" provider="ReverseProxy:websocket"/>
         <variable name="revprox_max_body_size_" description="Taille maximum du corps pour " provider="ReverseProxy:max_body_size"/>
       </family>
     </family>
@@ -36,5 +36,9 @@
       <param name="multi" type="boolean">True</param>
       <target>nginx.nginx_private_key_filename</target>
     </fill>
+    <fill name="get_first_value">
+      <param type="variable">nginx.remotes</param>
+      <target>nginx_default</target>
+    </fill>
   </constraints>
 </rougail>

seed/nginx-reverse-proxy/templates/ca_HTTP.crt

@@ -1,3 +1,3 @@
 %for %%idx in %%range(%%len(%%zones_list))
-%%get_chain(authority_cn=%%getVar('domain_name_eth' + %%str(%%idx)), authority_name="HTTP", hide=%%hide_secret)
+%%get_chain(cn=%%getVar('domain_name_eth' + %%str(%%idx)), authority_cn=%%getVar('domain_name_eth' + %%str(%%idx)), authority_name="HTTP", hide=%%hide_secret)
 %end for

seed/nginx-reverse-proxy/templates/ca_InternalReverseProxy.crt

@@ -1,3 +1,3 @@
 %for %%idx in %%range(%%len(%%zones_list))
-%%get_chain(authority_cn=%%getVar('domain_name_eth' + %%str(%%idx)), authority_name="InternalReverseProxy", hide=%%hide_secret)
+%%get_chain(cn=%%getVar('domain_name_eth' + %%str(%%idx)), authority_cn=%%getVar('domain_name_eth' + %%str(%%idx)), authority_name="InternalReverseProxy", hide=%%hide_secret)
 %end for

seed/nginx-reverse-proxy/templates/certificate.crt

@@ -1 +1,2 @@
+%set %%chain=%%get_chain(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name="External", hide=%%hide_secret)
 %%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)

seed/nginx-reverse-proxy/templates/nginx.crt

@@ -1,2 +1,3 @@
+%set %%chain = %%get_chain(cn=%%nginx_default, authority_cn=%%domain_name_eth0, authority_name='HTTP', hide=%%hide_secret)
 %%get_certificate(%%nginx_default, authority_cn=%%domain_name_eth0, authority_name='HTTP', type="server", hide=%%hide_secret)
-%%get_chain(%%nginx_default, 'HTTP', hide=%%hide_secret)
+%%chain

seed/nginx-reverse-proxy/templates/revprox-nginx.conf

@@ -45,6 +45,8 @@ server {
         proxy_ssl_verify       on;
         proxy_ssl_verify_depth 2;
         proxy_ssl_session_reuse on;
+	# SNI support
+	proxy_ssl_server_name on;
        %set %%maxbody = %%rp_domainname['revprox_max_body_size_' + %%family]
        %if %%maxbody
         client_max_body_size %%maxbody;

seed/nsd/dictionaries/20_nsd.xml

@@ -45,6 +45,7 @@
       <target>ip_dns</target>
     </fill>
     <fill name="get_ip">
+      <param type="information">zones</param>
       <param type="variable">nsd_allowed_client</param>
       <target>nsd_allowed_client_ip</target>
     </fill>
@@ -60,10 +61,13 @@
       <target>nsd_allowed_all_client</target>
     </fill>
     <fill name="get_ip">
+      <param type="information">zones</param>
       <param type="variable">nsd_resolver</param>
       <target>nsd_resolve_ip</target>
     </fill>
     <fill name="get_internal_zones">
+      <param type="variable">zones_list</param>
+      <param type="information">zones</param>
       <target>nsd_zones</target>
     </fill>
     <fill name="get_reverse_name">
@@ -101,7 +105,9 @@
       <target>nsd_reverse_filenames_signed</target>
     </fill>
     <fill name="get_zones_info">
+      <param type="information">zones</param>
       <param>network</param>
+      <param type="variable" name="zone_names">zones_list</param>
       <target>nsd_reverse_network</target>
     </fill>
   </constraints>

seed/nsd/extras/nsd/00_nsd.xml

@@ -16,11 +16,13 @@
   </variables>
   <constraints>
     <fill name="get_internal_info_in_zone">
+      <param type="information">zones</param>
       <param type="suffix"/>
       <param>host</param>
       <target>nsd.nsd_zone_.hostname_.hostname_</target>
     </fill>
     <fill name="get_internal_info_in_zone">
+      <param type="information">zones</param>
       <param type="suffix"/>
       <param>ip</param>
       <param type="index"/>

seed/nsd/funcs/funcs.py

@@ -8,8 +8,6 @@ from shutil import rmtree as _rmtree, copy2 as _copy2
 from glob import glob as _glob
 from filecmp import cmp as _cmp
 
-from risotto.utils import DOMAINS as _DOMAINS
-
 
 _PKI_DIR = _abspath('pki/dnssec')
 _ALGO = 'ECDSAP256SHA256'
@@ -106,8 +104,8 @@ def sign(zone_filename: str,
     copy_file = _join(_PKI_DIR, cn, authority_cn, _basename(zone_filename))
     signed_filename = f'{copy_file}.signed'
     if not _isfile(copy_file) or not _cmp(zone_filename, copy_file):
-        _copy2(zone_filename, copy_file)
         zsk, ksk = _gen_keys(cn, authority_cn)
+        _copy2(zone_filename, copy_file)
         cmd = ['ldns-signzone', '-n', zone_filename, zsk, ksk]
         proc = _run(cmd, capture_output=True)
         if proc.returncode != 0:
@@ -123,12 +121,20 @@ def sign(zone_filename: str,
     return content
 
 
-def get_internal_info_in_zone(zone: str,
+def get_internal_info_in_zone(zones: list,
+                              domain_name: str,
                               type: str,
                               index: int=None,
                               ) -> _List[str]:
-    if zone not in _DOMAINS:
+    for zone in zones.values():
+        if domain_name == zone['domain_name']:
+            break
+    else:
         return []
     if type == 'host':
-        return list(_DOMAINS[zone][0])
+        return list(zone['hosts'])
-    return _DOMAINS[zone][1][index]
+    return list(zone['hosts'].values())[index]
+    
+                                                                                  
+def get_internal_zones(zones_name, zones) -> _List[str]: 
+    return [zone['domain_name'] for zone_name, zone in zones.items() if zone_name in zones_name]

seed/nsd/templates/nsd.yml

@@ -3,10 +3,10 @@ records:
 %for %%domain in %%nsd_zones
   %set %%suffix = %%normalize_family(%%domain)
   %set %%hostnames = %%nsd["nsd_zone_" + %%suffix]["hostname_" + %%suffix]["hostname_" + %%suffix]
-  %for %%nsd in %%hostnames
+  %for %%hostname in %%hostnames
-    %set %%type = %%nsd['type_' + %%suffix]
+    %set %%type = %%hostname['type_' + %%suffix]
     %if %%type == 'A'
-  %%{nsd}.%%domain: '%%nsd['ip_' + %%suffix]'
+  %%{hostname}.%%domain: '%%hostname['ip_' + %%suffix]'
     %end if
   %end for
 %end for

seed/oauth2-client/dictionaries/30_oauth2_client.xml

@@ -1,7 +1,7 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
   <services>
-    <service name="oauth2-client" target="risotto" engine="creole"/>
+    <service name="oauth2-client" target="risotto" engine="cheetah"/>
   </services>
   <variables>
     <family name="oauth2_client" description="OAuth2 client">

seed/oauth2-client/templates/oauth2-client.service

@@ -4,4 +4,4 @@ Before=risotto.target
 
 [Service]
 Type=oneshot
-ExecStart=/usr/bin/timeout 90 bash -c 'while ! [ "$(/usr/bin/curl --write-out '%{http_code}' --silent --output /dev/null https://%%oauth2_client_server_domainname/.well-known/openid-configuration)" = 200 ]; do sleep 1; done;'
+ExecStart=/usr/bin/timeout 90 bash -c 'while ! [ "$(/usr/bin/curl --write-out '%{http_code}' --silent --output /dev/null https://%%oauth2_client_server_domainname/.well-known/openid-configuration)" = 200 ]; do /usr/bin/curl https://%%oauth2_client_server_domainname/.well-known/openid-configuration; sleep 1; done;'

seed/odoo/dictionaries/40_odoo.xml

@@ -4,7 +4,7 @@
     <service name="odoo" target="multi-user">
       <override/>
       <file engine="none" source="sysuser-odoo.conf">/sysusers.d/1odoo.conf</file>
-      <file source="tmpfile-odoo.conf">/tmpfiles.d/0odoo.conf</file>
+      <file engine="none" source="tmpfile-odoo.conf">/tmpfiles.d/0odoo.conf</file>
       <file mode="700">/sbin/config_odoo.py</file>
       <file mode="400" owner="odoo">/etc/odoo/odoo.conf</file>
       <file mode="400" owner="odoo">/etc/odoo/postgresql.pass</file>

seed/odoo/manual/image/postinstall/odoo.sh

@@ -2,16 +2,16 @@ set -e
 ODOO_VERSION="16.0"
 WKHTML_VERSION="0.12.6.1-2"
 #curl  http://nightly.odoo.com/${ODOO_VERSION}/nightly/rpm/odoo_${ODOO_VERSION}.latest.rpm -o odoo_${ODOO_VERSION}.latest.rpm
-#OPT=$(dnf_opt_base "$IMAGE_NAME_RISOTTO_IMAGE_DIR")
+#OPT=$(dnf_opt_base "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP")
 #dnf --assumeyes $OPT localinstall odoo_${ODOO_VERSION}.latest.rpm
 #rm -f odoo_${ODOO_VERSION}.latest.rpm
-mv $IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/resolv.conf /tmp
+mv $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/etc/resolv.conf /tmp
-echo "nameserver 9.9.9.9" > $IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/resolv.conf
+echo "nameserver 9.9.9.9" > $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/etc/resolv.conf
 
 WKHTML_PKG=wkhtmltox_$WKHTML_VERSION.bullseye_amd64.deb
 
-curl https://nightly.odoo.com/odoo.key -o "$IMAGE_NAME_RISOTTO_IMAGE_DIR/odoo.key"
+curl https://nightly.odoo.com/odoo.key -o "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/odoo.key"
-curl -L "https://github.com/wkhtmltopdf/packaging/releases/download/$WKHTML_VERSION/$WKHTML_PKG" -o "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$WKHTML_PKG"
+curl -L "https://github.com/wkhtmltopdf/packaging/releases/download/$WKHTML_VERSION/$WKHTML_PKG" -o "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/$WKHTML_PKG"
 echo """#!/bin/bash -xe
 cat /odoo.key | apt-key add -
 rm /odoo.key
@@ -21,16 +21,16 @@ apt install --no-install-recommends -y odoo
 dpkg -i /"$WKHTML_PKG" || true
 rm -f /"$WKHTML_PKG"
 apt -f install -y
-""" > $IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh
+""" > $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/install.sh
-chmod 755 $IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh
+chmod 755 $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/install.sh
-chroot $IMAGE_NAME_RISOTTO_IMAGE_DIR /install.sh
+chroot $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP /install.sh
 
 
 
-sed -i "s/'postgres'/odoo.tools.config['db_name']/g" $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/python3/dist-packages/odoo/service/server.py
+sed -i "s/'postgres'/odoo.tools.config['db_name']/g" $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/python3/dist-packages/odoo/service/server.py
-sed -i "s/'postgres'/odoo.tools.config['db_name']/g" $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/python3/dist-packages/odoo/service/db.py 
+sed -i "s/'postgres'/odoo.tools.config['db_name']/g" $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/python3/dist-packages/odoo/service/db.py 
-sed -i "s/'postgres'/odoo.tools.config['db_name']/g" $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/python3/dist-packages/odoo/addons/bus/models/bus.py
+sed -i "s/'postgres'/odoo.tools.config['db_name']/g" $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/python3/dist-packages/odoo/addons/bus/models/bus.py
-sed -i "s/'postgres'/odoo.tools.config['db_name']/g" $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/python3/dist-packages/odoo/addons/base/models/ir_cron.py
+sed -i "s/'postgres'/odoo.tools.config['db_name']/g" $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/python3/dist-packages/odoo/addons/base/models/ir_cron.py
-sed -i "s@ldap://@ldaps://@g" $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/python3/dist-packages/odoo/addons/auth_ldap/models/res_company_ldap.py
+sed -i "s@ldap://@ldaps://@g" $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/python3/dist-packages/odoo/addons/auth_ldap/models/res_company_ldap.py
-mv -f /tmp/resolv.conf $IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/resolv.conf
+mv -f /tmp/resolv.conf $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/etc/resolv.conf
 set +e

seed/openldap/dictionaries/21_openldap-server.xml

@@ -9,8 +9,8 @@
       <file owner="ldap">/var/lib/ldap/DB_CONFIG</file>
       <file>/secrets/users.ldif</file>
       <file>/secrets/users_mod.ldif</file>
-      <file>/secrets/config.ldif</file>
+      <file owner="ldap" mode="400">/etc/ldap/secrets/config.ldif</file>
-      <file>/secrets/config_acl.ldif</file>
+      <file owner="ldap" mode="400">/etc/ldap/secrets/config_acl.ldif</file>
       <file>/secrets/admin_ldap.pwd</file>
       <file engine="none">/sysusers.d/risotto-openldap.conf</file>
       <file source="tmpfile-openldap-server.conf">/tmpfiles.d/0openldap-server.conf</file>

seed/openldap/manual/image/postinstall/openldap_server.sh

@@ -1 +1 @@
-rm -rf "$IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/openldap/slapd.d/"
+rm -rf "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/etc/openldap/slapd.d/"

seed/openldap/templates/slapd.service

@@ -1,10 +1,10 @@
 [Service]
 ExecStartPre=
-ExecStartPre=-/usr/sbin/slapadd -F /etc/openldap/slapd.d -v -b cn=config -l /usr/local/lib/secrets/config.ldif
+ExecStartPre=-/usr/sbin/slapadd -F /etc/openldap/slapd.d -v -b cn=config -l /etc/ldap/secrets/config.ldif
 %for %%schema in %%ldap_schemas
 ExecStartPre=-/usr/sbin/slapadd -F /etc/openldap/slapd.d -v -b cn=config -l %%schema
 %end for
-ExecStartPre=-/usr/sbin/slapadd -F /etc/openldap/slapd.d -c -v -l /usr/local/lib/secrets/users.ldif
+ExecStartPre=-/usr/sbin/slapadd -F /etc/openldap/slapd.d -c -v -l /etc/ldap/secrets/users.ldif
 User=ldap
 Group=ldap
 ExecStart=
@@ -12,5 +12,5 @@ ExecStart=
 ExecStart=+/usr/sbin/slapd -u ldap -h ldaps:///
 #waiting for ldap server...
 ExecStartPost=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/localhost/%%ldap_port; do sleep 1; done'
-ExecStartPost=-/usr/bin/ldapmodify -D %%ldapclient_user -y /usr/local/lib/secrets/admin_ldap.pwd -v -f /usr/local/lib/secrets/config_acl.ldif
+ExecStartPost=+-/usr/bin/ldapmodify -D %%ldapclient_user -y /usr/local/lib/secrets/admin_ldap.pwd -v -f /usr/local/lib/secrets/config_acl.ldif
-ExecStartPost=-/usr/bin/ldapmodify -D %%ldapclient_user -y /usr/local/lib/secrets/admin_ldap.pwd -v -f /usr/local/lib/secrets/users_mod.ldif
+ExecStartPost=+-/usr/bin/ldapmodify -D %%ldapclient_user -y /usr/local/lib/secrets/admin_ldap.pwd -v -f /usr/local/lib/secrets/users_mod.ldif

seed/peertube/dictionaries/30_peertube.xml

@@ -49,6 +49,8 @@
       <variable name="nginx_root" redefine='True'>
 	<value>/usr/share/peertube</value>
       </variable>
+    </family>
+    <family name="revprox">
       <family name="revprox_client">
         <variable name="revprox_client_location" redefine="True">
           <value>/</value>

seed/peertube/manual/image/postinstall/peertube.sh

@@ -1,5 +1,5 @@
-mkdir -p "$IMAGE_NAME_RISOTTO_IMAGE_DIR/proc/self/"
+mkdir -p "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/proc/self/"
-cat /proc/self/stat > "$IMAGE_NAME_RISOTTO_IMAGE_DIR/proc/self/stat"
+cat /proc/self/stat > "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/proc/self/stat"
 PLUGINS_DIR=/usr/share/peertube_plugins
 echo """#!/bin/bash
 set -ex
@@ -15,13 +15,13 @@ chown peertube: "\$PLUGINS_DIR/data/peertube-plugin-auth-openid-connect"
 
 rm -f /etc/resolv.conf
 mv /tmp/resolv.conf /etc
-""" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"
+""" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/install.sh"
-chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"
+chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/install.sh"
-chroot "$IMAGE_NAME_RISOTTO_IMAGE_DIR" /install.sh
+chroot "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP" /install.sh
-rm "$IMAGE_NAME_RISOTTO_IMAGE_DIR/proc/self/stat"
+rm "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/proc/self/stat"
-rmdir "$IMAGE_NAME_RISOTTO_IMAGE_DIR/proc/self/"
+rmdir "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/proc/self/"
 
-rm -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"
+rm -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/install.sh"
-cd "$IMAGE_NAME_RISOTTO_IMAGE_DIR$PLUGINS_DIR/.."
+cd "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP$PLUGINS_DIR/.."
 #patch -p0 < "$IMAGE_DIR_RECIPIENT_IMAGE/postinstall/peertube.patch"
 cd -

seed/php-fpm/templates/php-fpm.conf

@@ -137,3 +137,4 @@ daemonize = yes
 ; FPM can handle. Your system will tell you anyway :)
 
 ; See /etc/php-fpm.d/*.conf
+

seed/php-fpm/templates/www.conf

@@ -448,10 +448,13 @@ php_admin_flag[log_errors] = on
 ; See warning about choosing the location of these directories on your system
 ; at http://php.net/session.save-path
 ;<GNUNUX
-;php_value[session.save_handler] = files
+%if not %%getVar('redis_client_server_domainname', None)
-;php_value[session.save_path]    = /var/lib/php/session
+php_value[session.save_handler] = files
+php_value[session.save_path]    = /var/lib/php/session
+%else
 php_value[session.save_handler] = redis
 ;php_value[session.save_path]    = "tcp://%%redis_client_server_domainname:6379?auth[user]=%%redis_client_username&auth[pass]=%%redis_client_password"
+%end if
 ;>GNUNUX
 php_value[soap.wsdl_cache_dir]  = /var/lib/php/wsdlcache
 ;php_value[opcache.file_cache]  = /var/lib/php/opcache

seed/php/dictionaries/20_php.xml

@@ -7,25 +7,25 @@
   </services>
   <variables>
     <family name="php" description="PHP" mode="expert" help="Paramètrage avancé de PHP">
-      <variable name="php_post_max_size" type="number" description="Taille maximale des données reçues par la méthode POST (en Mo)">
+      <variable name="php_post_max_size" type="number" description="Taille maximale des données reçues par la méthode POST" help="Valeur en Mo">
         <value>32</value>
       </variable>
-      <variable name="php_upload_max_filesize" type="number" description="Taille maximale d'un fichier à charger (en Mo)">
+      <variable name="php_upload_max_filesize" type="number" description="Taille maximale d'un fichier à charger" help="Valeur en Mo">
         <value>16</value>
       </variable>
-      <variable name="php_max_execution_time" type="number" description="Temps maximal d'exécution d'un script (en secondes)">
+      <variable name="php_max_execution_time" type="number" description="Temps maximal d'exécution d'un script" help="Valeur en secondes">
         <value>30</value>
       </variable>
-      <variable name="php_max_input_time" type="number" description="Durée maximale pour analyser les données d'entrée (en secondes)">
+      <variable name="php_max_input_time" type="number" description="Durée maximale pour analyser les données d'entrée" help="Valeur en secondes">
         <value>60</value>
       </variable>
-      <variable name="php_memory_limit" type="number" description="Taille mémoire maximale qu'un script est autorisé à allouer (en Mo)">
+      <variable name="php_memory_limit" type="number" description="Taille mémoire maximale qu'un script est autorisé à allouer" help="Valeur en Mo">
         <value>512</value>
       </variable>
       <variable name="php_display_errors" type="boolean" description="Affichage des erreurs à l'écran">
         <value>False</value>
       </variable>
-      <variable name="php_session_gc_maxlifetime" type="number" description="Durée de vie des données sur le serveur (en secondes)">
+      <variable name="php_session_gc_maxlifetime" type="number" description="Durée de vie des données sur le serveur" help="Valeur en secondes">
         <value>3600</value>
       </variable>
       <variable name="php_browscap" type="boolean" description="Activer la directive de configuration browscap" help="La directive de configuration browscap permet d'obtenir plus d'information sur les capacités du navigateur client grâce à la fonction get_browser()">

seed/php/templates/php.ini

@@ -1266,11 +1266,14 @@ browscap = /etc/php/extra/browscap.ini
 ; Handler used to store/retrieve data.
 ; https://php.net/session.save-handler
 ;>GNUNUX
-; session.save_handler = files
+%if not %%getVar('redis_client_server_domainname', None)
+session.save_handler = files
+%else
 session.save_handler = redis
 session.save_path    = "tcp://%%redis_client_server_domainname:6379?auth[user]=%%redis_client_username&auth[pass]=%%redis_client_password"
 ;GNUNUX https://github.com/phpredis/phpredis/issues/2062
 ;session.save_path    = "tls://%%redis_client_server_domainname:6379?auth[user]=%%redis_client_username&auth[pass]=%%redis_client_password&stream[verify_peer]=1&stream[cafile]=/etc/pki/ca-trust/source/anchors/ca_Redis.crt&stream[local_cert]=/etc/pki/tls/certs/redis.crt&stream[local_pk]=/etc/pki/tls/private/redis.key"
+%end if
 ;<GNUNUX
 
 ; Argument passed to save_handler.  In the case of files, this is the path

seed/piwigo/dictionaries/31_piwigo.xml

@@ -1,7 +1,7 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
   <services>
-    <service name="piwigo" engine="creole" target="multi-user">
+    <service name="piwigo" engine="cheetah" target="multi-user">
       <file source="tmpfile-piwigo.conf">/tmpfiles.d/0piwigo.conf</file>
       <file>/etc/piwigo/config.inc.php</file>
       <file>/etc/piwigo/database.inc.php</file>
@@ -13,11 +13,11 @@
   <variables>
     <variable name="piwigo_admin_email" type="mail" description="Adresse courriel de l'administrateur Piwigo" mandatory="True"/>
     <variable name="piwigo_admin_password" type="password" auto_save="False" hidden="True"/>
-    <variable name="piwigo_locations" type="filename" multi="True" mandatory="True"/>
+    <variable name="piwigo_locations" type="filename" multi="True" mandatory="True" hidden="True"/>
     <variable name="piwigo_title" type="string" description="Titre de l'album" mandatory="True">
       <value>Album photographique</value>
     </variable>
-    <family name="users" leadership="True">
+    <family name="users" description="Piwigo users" leadership="True">
       <variable name="piwigo_users" type="unix_user" description="Utilisateur ayant un album" multi="True" mandatory="True"/>
       <variable name="piwigo_email" type="mail" description="Adresse courriel" mandatory="True"/>
     </family>

seed/piwigo/manual/image/postinstall/piwigo.sh

@@ -1,7 +1,15 @@
 set -e
+
+gdthumb=7848
+rv_tscroller=8014
+openidconnect=7744
+community=8160   # FIXME translation already needed?
+embedded_videos=7924
+bootstrap_darkroom=8261
+
 ORIPWD=$PWD
-mkdir -p "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/local/share"
+mkdir -p "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/local/share"
-cd "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/local/share"
+cd "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/local/share"
 app=$(wget https://api.github.com/repos/Piwigo/Piwigo/releases/latest -q -O - | jq -r '.tag_name')
 wget -q "https://github.com/Piwigo/Piwigo/archive/refs/tags/$app.tar.gz"
 tar xf *tar.gz
@@ -20,11 +28,11 @@ patch -p0 < $IMAGE_DIR_RECIPIENT_IMAGE/postinstall/piwigo.patch
 cp $IMAGE_DIR_RECIPIENT_IMAGE/postinstall/piwigo_cli.php piwigo/
 # Plugins
 cd piwigo/plugins
-wget https://piwigo.org/ext/download.php?rid=7848 -O plugin.zip
+wget https://piwigo.org/ext/download.php?rid=$gdthumb -O plugin.zip
 unzip plugin.zip
 rm -f plugin.zip
 #
-wget https://piwigo.org/ext/download.php?rid=8014 -O plugin.zip
+wget https://piwigo.org/ext/download.php?rid=$rv_tscroller -O plugin.zip
 unzip plugin.zip
 rm -f plugin.zip
 #
@@ -34,15 +42,14 @@ tar xf *tar.gz
 rm -f *tar.gz
 mv piwigo-openstreetmap-* piwigo-openstreetmap
 #
-wget https://piwigo.org/ext/download.php?rid=7744 -O plugin.zip
+wget https://piwigo.org/ext/download.php?rid=$openidconnect -O plugin.zip
 unzip plugin.zip
 rm -f plugin.zip
 # community
-wget https://piwigo.org/ext/download.php?rid=8160 -O plugin.zip
+wget https://piwigo.org/ext/download.php?rid=$community -O plugin.zip
 unzip plugin.zip
 rm -f plugin.zip
 echo """<?php
-\$lang['Edit photos'] = 'Editer les photos';
 \$lang['Edit Photos'] = 'Editer les photos';
 \$lang['Edit your photos'] = 'Editer vos photos';
 \$lang['Photos posted by %s'] = 'Photos postées par %s';
@@ -55,7 +62,7 @@ echo """<?php
 ?>
 """ >> community/language/fr_FR/plugin.lang.php
 # embedded
-wget https://fr.piwigo.org/ext/download.php?rid=7924 -O plugin.zip
+wget https://fr.piwigo.org/ext/download.php?rid=$embedded_videos -O plugin.zip
 unzip plugin.zip
 rm -f plugin.zip
 # user delete photo
@@ -64,7 +71,7 @@ rm -f plugin.zip
 #rm -f plugin.zip
 # Theme
 cd ../themes/
-wget https://piwigo.org/ext/download.php?rid=8163 -O plugin.zip
+wget https://piwigo.org/ext/download.php?rid=$bootstrap_darkroom -O plugin.zip
 unzip plugin.zip
 rm -f plugin.zip
 ln -s /srv/piwigo/bootstrap_darkroom ../local/bootstrap_darkroom

seed/postfix-relay/dictionaries/30_postfix.xml

@@ -46,6 +46,7 @@
       <variable name='postfix_relay_authentifications' description="Authentification sur le relai SMTP" multi="True" provider="SMTP"/>
       <family name="local_authentification_" description="Local server authentification" dynamic='postfix_relay_authentifications'>
         <variable name="local_authentification_password_" type="secret" auto_save="False" provider="SMTP:password"/>
+        <variable name="postfix_relay_ip_" type="ip" hidden="True"/>
       </family>
       <variable name='postfix_pem_files' type="filename" hidden='True' multi='True'/>
     </family>
@@ -70,5 +71,10 @@
       <param name="multi" type="boolean">True</param>
       <target>postfix_pem_files</target>
     </fill>
+    <fill name="get_ip">
+      <param type="information">zones</param>
+      <param type="suffix"/>
+      <target>postfix_relay_ip_</target>
+    </fill>
   </constraints>
 </rougail>

seed/postfix-relay/templates/ca_MailServer.crt

@@ -1 +1 @@
-%%get_chain(authority_cn=%%domain_name_eth0, authority_name="MailServer", hide=%%hide_secret)
+%%get_chain(cn=%%domain_name_eth0, authority_cn=%%domain_name_eth0, authority_name="MailServer", hide=%%hide_secret)

seed/postfix-relay/templates/postfix.service

@@ -4,7 +4,7 @@ ExecStartPre=/usr/sbin/postmap -F /etc/postfix/sni
 %for %%local in %%postfix_relay_authentifications
   %set %%user = %%normalize_family(%%local)
   %set %%password = %%getVar('local_authentification_password_' + %%user)
-  %set %%ip = %%get_ip(%%local)
+  %set %%ip = %%getVar('postfix_relay_ip_' + %%user)
 ExecStartPre=-/usr/bin/bash -c "echo %%password | /usr/sbin/saslpasswd2 -u %%ip %%user -p"
 %end for
 ExecStartPre=/usr/bin/chown postfix: /etc/sasl2/sasldb2

seed/postfix-relay/templates/sni.pem

@@ -1,4 +1,4 @@
-%set %%chain = %%get_chain(authority_cn=%%rougail_variable, authority_name="MailRelay", hide=%%hide_secret)
+%set %%chain = %%get_chain(cn=%%rougail_variable, authority_cn=%%rougail_variable, authority_name="MailRelay", hide=%%hide_secret)
 %set %%cert = %%get_certificate(cn=%%rougail_variable, authority_name='MailRelay', hide=%%hide_secret)
 %%get_private_key(cn=%%rougail_variable, authority_name='MailRelay', hide=%%hide_secret)
 %%cert

seed/postgresql-client/dictionaries/23_postgresql.xml

@@ -1,7 +1,7 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
   <services>
-    <service name="postgresqlclient" target="risotto" engine="creole">
+    <service name="postgresqlclient" target="risotto" engine="cheetah">
       <file mode="400">/secrets/postgresql.pass</file>
       <file file_type="variable" source="ca_PostgreSQL.crt">pg_client_ca_file</file>
       <file file_type="variable" owner_type="variable" owner="pg_client_key_owner" mode="444" source="postgresql.crt">pg_client_crt_file</file>
@@ -11,11 +11,11 @@
   </services>
   <variables>
     <family name="postgresql" description="PostgreSQL">
-      <variable name="pg_client_server_domainname" type="domainname" description="Nom de domaine du serveur PostgreSQL" mandatory="True" supplier="Postgresql"/>
+      <variable name="pg_client_server_domainname" type="domainname" description="Nom de domaine du serveur PostgreSQL" mandatory="True" supplier="Postgresql" hidden="True"/>
       <variable name="pg_client_username" description="Client username" mandatory="True" hidden="True"/>
       <variable name="pg_client_password" type="password" description="Client password" mandatory="True" hidden="True" supplier="Postgresql:password"/>
       <variable name="pg_client_database" description="Client database" mandatory="True" hidden="True"/>
-      <variable name="pg_client_key_owner" type="unix_user" description="Key owner" mandatory="True">
+      <variable name="pg_client_key_owner" type="unix_user" description="Key owner" mandatory="True" hidden="True">
         <value>apache</value>
       </variable>
       <variable name="pg_client_ca_file" type="filename" description="Postgresql CA filename" hidden="True"/>

seed/postgresql-client/templates/ca_PostgreSQL.crt

@@ -1,2 +1,2 @@
-%%get_chain(authority_cn=%%pg_client_server_domainname, authority_name="PostgreSQL", hide=%%hide_secret)
+%%get_chain(cn=%%domain_name_eth0, authority_cn=%%pg_client_server_domainname, authority_name="PostgreSQL", hide=%%hide_secret)
 

seed/postgresql/dictionaries/22_postgresql.xml

@@ -68,7 +68,7 @@
         <choice type="string">MB</choice>
         <choice type="string">kB</choice>
       </variable>
-      <variable name="pg_effective_cache_size" type="number" description="Taille du cache (blocs de 8ko)" mandatory="True" help="Initialise l'estimation faite par le planificateur de la taille réelle du cache disque disponible pour une requête">
+      <variable name="pg_effective_cache_size" type="number" description="Taille du cache" mandatory="True" help="Initialise l'estimation faite par le planificateur pour le nombre de bloc de 8ko réelle du cache disque disponible pour une requête">
         <value>4</value>
       </variable>
       <variable name="pg_effective_cache_size_unit" description="Unité de la taille du cache" type="choice">

seed/postgresql/extras/accounts/00_accounts.xml

@@ -9,6 +9,7 @@
   </variables>
   <constraints>
     <fill name="get_ip">
+      <param type="information">zones</param>
       <param type="suffix"/>
       <target>accounts.remote_.remote_ip_</target>
     </fill>

seed/postgresql/templates/ca_PostgreSQL.crt

@@ -1 +1 @@
-%%get_chain(authority_cn=%%domain_name_eth0, authority_name="PostgreSQL", hide=%%hide_secret)
+%%get_chain(cn=%%domain_name_eth0, authority_cn=%%domain_name_eth0, authority_name="PostgreSQL", hide=%%hide_secret)

seed/provider-systemd-machined/dictionaries/10-machined.xml

@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="utf-8"?>
 <rougail version="0.10">
   <variables>
-    <variable name="host" type="domainname" description="Machine où est démarré le conteneur" mandatory="True" supplier="Host"/>
+    <variable name="host" type="domainname" description="Machine où est démarré le conteneur" mandatory="True" provider="global:host_name" supplier="Host" hidden="True"/>
   </variables>
 </rougail>
 

seed/provider-systemd-machined/dictionaries/16-machined.xml

@@ -27,8 +27,8 @@
       <value>False</value>
     </variable>
     <family name="network">
-      <variable name="incoming_ports" type="port" description="Ports exposés depuis l'extérieur" multi="True" supplier="Host:incoming_ports"/>
+      <variable name="incoming_ports" type="port" description="Ports exposés depuis l'extérieur" multi="True" supplier="Host:incoming_ports" hidden="True"/>
-      <variable name="outgoing_ports" type="port" description="Ports autorisés vers l'extérieur" multi="True" supplier="Host:outgoing_ports"/>
+      <variable name="outgoing_ports" type="port" description="Ports autorisés vers l'extérieur" multi="True" supplier="Host:outgoing_ports" hidden="True"/>
       <variable name="netwokd_interface_name_type" redefine="True">
         <value>host</value>
       </variable>

seed/redis-client/dictionaries/23_redis.xml

@@ -1,7 +1,7 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
   <services>
-    <service name="redis-client" target="risotto" engine="creole">
+    <service name="redis-client" target="risotto" engine="cheetah">
       <file>/etc/pki/ca-trust/source/anchors/ca_Redis.crt</file>
       <file>/etc/pki/tls/certs/redis.crt</file>
       <file owner_type="variable" owner="redis_client_key_owner" mode="400">/etc/pki/tls/private/redis.key</file>

seed/redis-client/templates/ca_Redis.crt

@@ -1 +1 @@
-%%get_chain(authority_cn=%%redis_client_server_domainname, authority_name="Redis", hide=%%hide_secret)
+%%get_chain(cn=%%domain_name_eth0, authority_cn=%%redis_client_server_domainname, authority_name="Redis", hide=%%hide_secret)

seed/redis-client/templates/redis.pem

@@ -1,4 +1,4 @@
-%set %%ca_chain = %%get_chain(authority_cn=%%redis_client_server_domainname, authority_name="Redis", hide=%%hide_secret)
+%set %%ca_chain = %%get_chain(cn=%%domain_name_eth0, authority_cn=%%redis_client_server_domainname, authority_name="Redis", hide=%%hide_secret)
 %set %%cert = %%get_certificate(cn=%%domain_name_eth0, authority_cn=%%redis_client_server_domainname, authority_name='Redis', type="client", hide=%%hide_secret)
 %%get_private_key(cn=%%domain_name_eth0, authority_cn=%%redis_client_server_domainname, authority_name='Redis', type="client", hide=%%hide_secret)
 %%cert

seed/redis/dictionaries/90_redis.xml

@@ -14,7 +14,7 @@
   </services>
   <variables>
     <family name="redis" description="Redis" help="Configuration du service de cache Redis">
-      <variable name="redis_instance_name" description="Nom de l'instance"/>
+      <variable name="redis_instance_name" description="Nom de l'instance" mandatory="True"/>
       <variable name="redis_save" description="Activer la persistence des données">
           <value>False</value>
       </variable>

seed/redis/extras/account/00_account.xml

@@ -7,6 +7,7 @@
   </variables>
   <constraints>
     <fill name="get_ip">
+      <param type="information">zones</param>
       <param type="variable">account.remote</param>
       <target>account.remote_ip</target>
     </fill>

seed/redis/templates/ca_Redis.crt

@@ -1 +1 @@
-%%get_chain(authority_cn=%%domain_name_eth0, authority_name="Redis", hide=%%hide_secret)
+%%get_chain(cn=%%domain_name_eth0, authority_cn=%%domain_name_eth0, authority_name="Redis", hide=%%hide_secret)

seed/relay-mail-client/dictionaries/20_smtp_client.xml

@@ -8,6 +8,7 @@
   <variables>
     <family name="smtp" description="Client SMTP">
       <variable name="smtp_relay_address" type="domainname" description="Nom de domaine du serveur SMTP" mandatory="True" supplier="SMTP"/>
+      <variable name="smtp_relay_ip" type="ip" hidden="True"/>
       <variable name="smtp_relay_user" type="unix_user" description="Relay username" mandatory="True" hidden="True"/>
       <variable name="smtp_relay_password" type="secret" description="Relay password" mandatory="True" hidden="True" supplier="SMTP:password"/>
       <variable name="smtp_ca_file" type="filename" description="SMTP CA filename" hidden="True"/>
@@ -32,5 +33,10 @@
       <param name="join">/</param>
       <target>smtp_ca_file</target>
     </fill>
+    <fill name="get_ip">
+      <param type="information">zones</param>
+      <param type="variable">smtp_relay_address</param>
+      <target>smtp_relay_ip</target>
+    </fill>
   </constraints>
 </rougail>

seed/relay-mail-client/templates/ca_MailRelay.crt

@@ -1 +1 @@
-%%get_chain(%%smtp_relay_address, authority_name='MailRelay', hide=%%hide_secret)
+%%get_chain(%%domain_name_eth0, %%smtp_relay_address, authority_name='MailRelay', hide=%%hide_secret)

seed/reverse-proxy-client/dictionaries/21_revprox_client.xml

@@ -1,22 +1,22 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
   <services>
-    <service name="nginx" manage="False">
+    <service name="revprox" manage="False">
       <file file_type="variable" source="revprox.crt">revprox_client_cert_file</file>
       <file file_type="variable" source="revprox.key" owner_type="variable" owner="revprox_client_cert_owner" group_type="variable" group="revprox_client_cert_group" mode="400">revprox_client_key_file</file>
       <file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_client_ca_file</file>
     </service>
   </services>
   <variables>
-    <family name="nginx" description="Reverse proxy">
+    <family name="revprox" description="Reverse proxy">
-      <variable name="revprox_client_server_domainname" type="domainname" description="Nom de domaine du serveur mandataire inverse" mandatory='True' supplier="ReverseProxy"/>
+      <variable name="revprox_client_server_domainname" type="domainname" description="Nom de domaine du serveur mandataire inverse" mandatory='True' supplier="ReverseProxy" hidden="True"/>
       <variable name="revprox_client_server_ip" type="ip" hidden='True'/>
-      <family name="revprox_client" description="Point d'entré des clients" leadership="True">
+      <family name="revprox_client" description="Point d'entrée des clients" leadership="True">
         <variable name="revprox_client_external_domainnames" type="domainname" description="Nom de domaine exterieur du serveur" mandatory='True' multi="True" unique="False" supplier="ReverseProxy:external"/>
         <variable name="revprox_client_location" type="filename" description="Nom de l'arborescence racine du site" mandatory="True" supplier="ReverseProxy:location">
           <value>/</value>
         </variable>
-        <variable name="revprox_client_is_websocket" type="boolean" description="Le point d'entré est de types websocket" mandatory="True" supplier="ReverseProxy:websocket">
+        <variable name="revprox_client_is_websocket" type="boolean" description="Le point d'entrée est de types websocket" mandatory="True" supplier="ReverseProxy:websocket" hidden="True">
           <value>False</value>
         </variable>
         <variable name="revprox_client_max_body_size" description="Taille maximum du corps" supplier="ReverseProxy:max_body_size"/>
@@ -26,10 +26,10 @@
       <variable name="revprox_client_port" type="port" description="Port du client du mandataire inverse" hidden='True'>
         <value>443</value>
       </variable>
-      <variable name="revprox_client_cert_owner" type="unix_user" description="Reverse proxy certificate owner">
+      <variable name="revprox_client_cert_owner" type="unix_user" description="Reverse proxy certificate owner" hidden="True">
         <value>root</value>
       </variable>
-      <variable name="revprox_client_cert_group" type="unix_user" description="Reverse proxy certificate group">
+      <variable name="revprox_client_cert_group" type="unix_user" description="Reverse proxy certificate group" hidden="True">
         <value>root</value>
       </variable>
       <variable name="revprox_client_cert_file" type="filename" description="Reverse proxy certificate filename" hidden="True"/>
@@ -39,6 +39,7 @@
   </variables>
   <constraints>
     <fill name="get_ip">
+      <param type="information">zones</param>
       <param type="variable">revprox_client_server_domainname</param>
       <target>revprox_client_server_ip</target>
     </fill>

seed/reverse-proxy-client/templates/ca_InternalReverseProxy.crt

@@ -1 +1 @@
-%%get_chain(%%revprox_client_server_domainname, authority_name='InternalReverseProxy', hide=%%hide_secret)
+%%get_chain(%%domain_name_eth0, %%revprox_client_server_domainname, authority_name='InternalReverseProxy', hide=%%hide_secret)

seed/reverse-proxy-client/templates/revprox.crt

@@ -1,2 +1,2 @@
 %%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_client_server_domainname, authority_name='InternalReverseProxy', type="server", hide=%%hide_secret)
-%%get_chain(%%revprox_client_server_domainname, 'InternalReverseProxy', hide=%%hide_secret)
+%%get_chain(%%domain_name_eth0, %%revprox_client_server_domainname, 'InternalReverseProxy', hide=%%hide_secret)

seed/roundcube/dictionaries/31_roundcube.xml

@@ -1,7 +1,7 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
   <services>
-    <service name="roundcube" engine="creole" target="multi-user">
+    <service name="roundcube" engine="cheetah" target="multi-user">
       <file owner="root" group="nginx" mode="640">/etc/roundcubemail/config.inc.php</file>
       <file>/etc/nginx/default.d/roundcubemail.conf</file>
       <file source="domain.inc.php" file_type="variable" variable="roundcube_domains">roundcube_config</file>
@@ -45,6 +45,8 @@
       <variable name="nginx_root" redefine="True">
         <value>/usr/share/roundcubemail/</value>
       </variable>
+    </family>
+    <family name="revprox">
       <family name="revprox_client">
         <variable name="revprox_client_external_domainnames" redefine="True" hidden="True"/>
         <variable name="revprox_client_local_location" redefine="True">

seed/roundcube/manual/image/postinstall/roundcube.sh

@@ -2,7 +2,7 @@
 
 echo """#!/bin/bash -e
 /usr/bin/chgrp nginx /etc/roundcubemail/*
-""" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"
+""" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/install.sh"
-chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"
+chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/install.sh"
-chroot "$IMAGE_NAME_RISOTTO_IMAGE_DIR" /install.sh
+chroot "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP" /install.sh
-rm -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"
+rm -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/install.sh"

seed/roundcube/templates/ca_MailServer.crt

@@ -1 +1 @@
-%%get_chain(%%imap_address, 'MailServer', hide=%%hide_secret)
+%%get_chain(%%imap_address, %%imap_address, 'MailServer', hide=%%hide_secret)

seed/speedtest-rs/dictionaries/40_speedtest-rs.xml

@@ -9,8 +9,8 @@
     </service>
   </services>
   <variables>
-    <family name="nginx">
+    <family name="revprox">
-      <variable name="revprox_client_cert_owner" redefine="True" hidden="True">
+      <variable name="revprox_client_cert_owner" redefine="True">
         <value>speedtest</value>
       </variable>
     </family>

seed/speedtest-rs/manual/image/postinstall/speedtest-rs.sh

@@ -1,4 +1,4 @@
-rm "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/speedtest-rs/index.html"
+rm "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/share/speedtest-rs/index.html"
-cp "$IMAGE_DIR_RECIPIENT_IMAGE/postinstall/index.html" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/speedtest-rs/index.html"
+cp "$IMAGE_DIR_RECIPIENT_IMAGE/postinstall/index.html" "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/share/speedtest-rs/index.html"
-ln -s ../../../var/lib/speedtest-rs/speedtest-rs.css "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/speedtest-rs/"
+ln -s ../../../var/lib/speedtest-rs/speedtest-rs.css "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/share/speedtest-rs/"
-ln -s ../../../var/lib/speedtest-rs/logo.png "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/speedtest-rs/"
+ln -s ../../../var/lib/speedtest-rs/logo.png "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/share/speedtest-rs/"

seed/systemd/dictionaries/15-systemd.xml

@@ -8,21 +8,21 @@
     <service name="systemd-repart" servicelist='systemd_repart' undisable="True">
       <override/>
     </service>
-    <service name="systemd-makefs@dev-disk-by\x2dpartlabel-var" engine="creole" target="multi-user" servicelist='systemd_repart' undisable='True'>
+    <service name="systemd-makefs@dev-disk-by\x2dpartlabel-var" engine="cheetah" target="multi-user" servicelist='systemd_repart' undisable='True'>
       <file>/repart.d/50-var.conf</file>
     </service>
-    <service name="systemd-makefs@dev-disk-by\x2dpartlabel-var-tmp" engine="creole" target="multi-user" servicelist="add_tmp" undisable='True'>
+    <service name="systemd-makefs@dev-disk-by\x2dpartlabel-var-tmp" engine="cheetah" target="multi-user" servicelist="add_tmp" undisable='True'>
       <file>/repart.d/40-tmp.conf</file>
     </service>
-    <service name="systemd-makefs@dev-disk-by\x2dpartlabel-srv" engine="creole" target="multi-user" servicelist="add_srv" undisable='True'>
+    <service name="systemd-makefs@dev-disk-by\x2dpartlabel-srv" engine="cheetah" target="multi-user" servicelist="add_srv" undisable='True'>
       <file>/repart.d/60-srv.conf</file>
     </service>
-    <service name="systemd-makefs@dev-disk-by\x2dpartlabel-swap" engine="creole" target="multi-user" servicelist="add_swap" undisable='True'>
+    <service name="systemd-makefs@dev-disk-by\x2dpartlabel-swap" engine="cheetah" target="multi-user" servicelist="add_swap" undisable='True'>
       <file>/repart.d/30-swap.conf</file>
     </service>
-    <service name="var" engine="creole" target="multi-user" type="mount" servicelist='systemd_repart' undisable='True'/>
+    <service name="var" engine="cheetah" target="multi-user" type="mount" servicelist='systemd_repart' undisable='True'/>
-    <service name="var-tmp" engine="creole" target="multi-user" type="mount" servicelist="add_tmp" undisable='True'/>
+    <service name="var-tmp" engine="cheetah" target="multi-user" type="mount" servicelist="add_tmp" undisable='True'/>
-    <service name="srv" engine="creole" target="multi-user" type="mount" servicelist="add_srv" undisable='True'/>
+    <service name="srv" engine="cheetah" target="multi-user" type="mount" servicelist="add_srv" undisable='True'/>
     <service name="dev-disk-by\x2dpartlabel-swap" engine="none" target="multi-user" type="swap" servicelist="add_swap" undisable='True'/>
     <service name="systemd-firstboot">
       <override/>
@@ -32,7 +32,7 @@
     <service name="risotto" target="multi-user" type="target" engine="none"/>
   </services>
   <variables>
-    <variable name='root_password' type="password" description="Mot de passe de l'administrateur système root" auto_save='False' mandatory="True"/>
+    <variable name='root_password' type="password" description="Mot de passe de l'administrateur système root" mandatory="True" hidden="True"/>
     <variable name="link_configurations" description='Nom des fichiers "link" networkd' type="filename" multi="True" hidden="True"/>
     <variable name="use_systemd_repart" description='Activer le partitionnement systemd' type="boolean" hidden="True"/>
     <family name="network">

seed/systemd/extras/machine/10_systemd.xml

@@ -1,19 +1,19 @@
 <?xml version="1.0" encoding="utf-8"?>
 <rougail version="0.10">
   <variables>
-    <variable name="var_size" type="number" description="Variable directory size">
+    <variable name="var_size" type="number" description="Variable directory size" hidden="True">
       <value>1024</value>
     </variable>
-    <variable name="add_tmp" type="boolean" description="Add a temporary directory"/>
+    <variable name="add_tmp" type="boolean" description="Add a temporary directory" hidden="True"/>
-    <variable name="var_tmp_size" type="number" description="Temporary directory size">
+    <variable name="var_tmp_size" type="number" description="Temporary directory size" hidden="True">
       <value>1024</value>
     </variable>
-    <variable name="add_srv" type="boolean" description="Add a persistent directory"/>
+    <variable name="add_srv" type="boolean" description="Add a persistent directory" hidden="True"/>
-    <variable name="srv_size" type="number" description="Persistent directory size">
+    <variable name="srv_size" type="number" description="Persistent directory size" hidden="True">
       <value>1024</value>
     </variable>
-    <variable name="add_swap" type="boolean" description="Add a SWAP partition"/>
+    <variable name="add_swap" type="boolean" description="Add a SWAP partition" hidden="True"/>
-    <variable name="swap_size" type="number" description="SWAP size">
+    <variable name="swap_size" type="number" description="SWAP size" hidden="True">
       <value>512</value>
     </variable>
   </variables>

seed/systemd/manual/image/postinstall/systemd.sh

@@ -1 +1 @@
-rm -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/network/80-container-host0.network"
+rm -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/systemd/network/80-container-host0.network"

seed/unbound/dictionaries/20_unbound.xml

@@ -29,8 +29,8 @@
         <variable name="unbound_forward_address" description="Adresse du serveur faisant autorité" provider="ExternalDNS" multi="True"/>
         <variable name="unbound_forward_zones" type="domainname" description="Nom de domaine de la zone" multi="True" provider="ExternalDNS:authority_zones"/>
         <variable name="unbound_forward_reverse_zones" type="domainname" description="Nom de domaine de la zone" multi="True" provider="ExternalDNS:reverse_authority_zones"/>
+        <variable name="unbound_allowed_client" type="ip" hidden="True"/>
       </family>
-      <variable name="unbound_allowed_client" type="ip" description="IP des clients autorisés à faire des requêtes DNS" multi="True" mandatory="True"/>
       <variable name="unbound_default_forwards" description="Serveur résolveur DNS par défaut" multi="True" mandatory="True"/>
     </family>
   </variables>
@@ -40,6 +40,7 @@
       <target>ip_dns</target>
     </fill>
     <fill name="get_ip">
+      <param type="information">zones</param>
       <param type="variable">unbound_forward_address</param>
       <target>unbound_allowed_client</target>
     </fill>

seed/unbound/templates/risotto.conf

@@ -8,8 +8,8 @@ server:
 %for %%interface in %%range(%%len(%%zones_list))
     access-control: %%getVar('ip_eth' + %%str(%%interface)) allow
 %end for
-%for %%allowed in %%unbound_allowed_client
+%for %%authority in %%unbound_forward_address
-    access-control: %%allowed allow
+    access-control: %%authority.unbound_allowed_client allow
 %end for
     do-not-query-localhost: no
     auto-trust-anchor-file: "/srv/unbound/root.key"
@@ -21,7 +21,7 @@ remote-control:
  %for %%zone in %%authority.unbound_forward_zones
 forward-zone:
     name: "%%zone"
-    forward-addr: %%get_ip(%%str(%%authority))
+    forward-addr: %%authority.unbound_allowed_client
 
  %end for
 %end for

seed/vaultwarden/dictionaries/40_vaultwarden.xml

@@ -9,11 +9,11 @@
     </service>
   </services>
   <variables>
-    <family name="nginx">
+    <family name="revprox">
       <family name="revprox_client">
         <variable name="revprox_client_external_domainnames" redefine="True" hidden="True"/>
       </family>
-      <variable name="revprox_client_cert_owner" redefine="True" hidden="True">
+      <variable name="revprox_client_cert_owner" redefine="True">
         <value>vaultwarden</value>
       </variable>
     </family>

seed/vaultwarden/manual/image/postinstall/vaultwarden.sh

@@ -1,3 +1,3 @@
 # locale in jslib/common/src/models/domain/globalState.ts is "en" by default, change it to "fr"
 # this information is store in browser local storage
-sed -i 's/this.locale="en",/this.locale="fr",/g' $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/vaultwarden/app/main.*.js
+sed -i 's/this.locale="en",/this.locale="fr",/g' $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/share/vaultwarden/app/main.*.js