update documentations

seed/README.md

@@ -15,8 +15,9 @@
   - [dns-local](dns-local/README.md): DNS client with access to local zones
 - [dotclear](dotclear/README.md): Dotclear an open-source web publishing software
 - [dovecot](dovecot/README.md): Postfix and Dovecot as mail servers (Submission and IMAP)
+- [forgejo](forgejo/README.md): Forgejo, a community managed lightweight code hosting solution
 - [galette](galette/README.md): Galette, a membership management web application towards non profit organizations
-- [gitea](gitea/README.md): Gitea, a community managed lightweight code hosting solution
+- [gitea](gitea/README.md): Transitional package for Gitea to Forgejo
 - [host-systemd-machined](host-systemd-machined/README.md): Host with machine started in Systemd Machined environment
 - [imap-client](imap-client/README.md): Application service needs interact with an IMAP server
 - [ldap-client](ldap-client/README.md): Application service needs interact with a LDAP server
@@ -62,3 +63,47 @@
 - [unbound](unbound/README.md): Unbound, a validating, recursive, caching DNS resolver
 - [vaultwarden](vaultwarden/README.md): Vaultwarden, a password manager
 - [znc](znc/README.md): ZNC, a bouncer IRC
+
+# Providers and suppliers
+
+- ExternalDNS:
+  - Provider: [unbound](unbound/README.md)
+  - Suppliers:
+    - [dns-external](dns-external/README.md)
+    - [nsd](nsd/README.md)
+- Host:
+  - Provider: [host-systemd-machined](host-systemd-machined/README.md)
+  - Supplier: [provider-systemd-machined](provider-systemd-machined/README.md)
+- IMAP:
+  - Provider: [dovecot](dovecot/README.md)
+  - Supplier: [imap-client](imap-client/README.md)
+- LDAP:
+  - Provider: [openldap](openldap/README.md)
+  - Supplier: [ldap-client](ldap-client/README.md)
+- LMTP:
+  - Provider: [postfix-lmtp-relay](postfix-lmtp-relay/README.md)
+  - Supplier: [relay-lmtp-client](relay-lmtp-client/README.md)
+- LocalDNS:
+  - Provider: [nsd](nsd/README.md)
+  - Supplier: [dns-local](dns-local/README.md)
+- MariaDB:
+  - Provider: [mariadb](mariadb/README.md)
+  - Supplier: [mariadb-client](mariadb-client/README.md)
+- OAuth2:
+  - Provider: [lemonldap](lemonldap/README.md)
+  - Supplier: [oauth2-client](oauth2-client/README.md)
+- OAuth2Client:
+  - Provider: [oauth2-client](oauth2-client/README.md)
+  - Supplier: [lemonldap](lemonldap/README.md)
+- Postgresql:
+  - Provider: [postgresql](postgresql/README.md)
+  - Supplier: [postgresql-client](postgresql-client/README.md)
+- Redis:
+  - Provider: [redis](redis/README.md)
+  - Supplier: [redis-client](redis-client/README.md)
+- ReverseProxy:
+  - Provider: [nginx-reverse-proxy](nginx-reverse-proxy/README.md)
+  - Supplier: [reverse-proxy-client](reverse-proxy-client/README.md)
+- SMTP:
+  - Provider: [postfix-relay](postfix-relay/README.md)
+  - Supplier: [relay-mail-client](relay-mail-client/README.md)

seed/base-fedora-36/README.md

@@ -24,22 +24,14 @@ Base information of a Fedora 36.
 ## Used by
 
 - [galette](../galette/README.md)
-- [nginx-static](../nginx-static/README.md)
-- [postgresql](../postgresql/README.md)
 - [peertube](../peertube/README.md)
 - [piwigo](../piwigo/README.md)
 - [dovecot](../dovecot/README.md)
-- [unbound](../unbound/README.md)
-- [redis](../redis/README.md)
-- [nsd](../nsd/README.md)
 - [dotclear](../dotclear/README.md)
 - [speedtest-rs](../speedtest-rs/README.md)
-- [nginx-reverse-proxy](../nginx-reverse-proxy/README.md)
 - [sensmotdire](../sensmotdire/README.md)
 - [roundcube](../roundcube/README.md)
 - [znc](../znc/README.md)
 - [vaultwarden](../vaultwarden/README.md)
 - [mariadb](../mariadb/README.md)
 - [nextcloud](../nextcloud/README.md)
-- [openldap](../openldap/README.md)
-- [gitea](../gitea/README.md)

seed/base-fedora-37/README.md

@@ -20,3 +20,14 @@ Base information of a Fedora 37.
     - [base-machine](../base-machine/README.md)
       - [base](../base/README.md)
       - [dns-local](../dns-local/README.md)
+
+## Used by
+
+- [nginx-static](../nginx-static/README.md)
+- [postgresql](../postgresql/README.md)
+- [unbound](../unbound/README.md)
+- [redis](../redis/README.md)
+- [forgejo](../forgejo/README.md)
+- [nsd](../nsd/README.md)
+- [nginx-reverse-proxy](../nginx-reverse-proxy/README.md)
+- [openldap](../openldap/README.md)

seed/base-machine/templates/locale.conf

@@ -1 +1,6 @@
+# This is the fallback locale configuration provided by systemd.
+
+#>GNUNUX
+#LANG="C.UTF-8"
 LANG=fr_FR.UTF-8
+#<GNUNUX

seed/dns-local/dictionaries/13-dns-local.xml

@@ -2,7 +2,7 @@
 <rougail version="0.10">
   <services>
     <service name="dns-local" manage="False">
-      <file>/tests/dns-local.yml</file>
+      <file filelist="copy_tests">/tests/dns-local.yml</file>
     </service>
   </services>
   <variables>

seed/dovecot/README.md

@@ -61,18 +61,18 @@ This a family is a leadership.
 
 #### IMAP mail server (*general.dovecot*)
 
-| Description                                                                                  | Type                                                                                                                       | Provider   |
+| Description                                                                                  | Type                                                                                                                       | Values       | Provider   |
-|----------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|------------|
+|----------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|--------------|------------|
-| **Adresse interne du serveur IMAP** (*[imap_internal_address](dictionaries/26_dovecot.xml)*) | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | IMAP       |
+| **Adresse interne du serveur IMAP** (*[imap_internal_address](dictionaries/26_dovecot.xml)*) | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | <calculated> | IMAP       |
 
 #### revprox (*general.revprox*)
 
 ##### revprox_client (*general.revprox.revprox_client*)
 
-| Description                                                          |
+| Description                                                          | Values       |
-|----------------------------------------------------------------------|
+|----------------------------------------------------------------------|--------------|
-| *[revprox_client_external_domainnames](dictionaries/26_dovecot.xml)* |
+| *[revprox_client_external_domainnames](dictionaries/26_dovecot.xml)* | <calculated> |
-| *[revprox_client_web_address](dictionaries/26_dovecot.xml)*          |
+| *[revprox_client_web_address](dictionaries/26_dovecot.xml)*          | <calculated> |
 
 #### nginx (*general.nginx*)
 

seed/dovecot/dictionaries/26_dovecot.xml

@@ -47,7 +47,7 @@
       <file owner="root" group="dovecot" mode="440">/etc/pki/tls/private/dovecot.key</file>
       <file source="external_imap.crt" file_type="variable" variable="imap_domainname">external_imap_crt</file>
       <file owner="root" group="dovecot" mode="440" source="external_imap.key" file_type="variable" variable="imap_domainname">external_imap_key</file>
-      <file>/tests/imap.yml</file>
+      <file filelist="copy_tests">/tests/imap.yml</file>
     </service>
   </services>
   <variables>

seed/forgejo/README.md

@@ -0,0 +1,92 @@
+---
+gitea: none
+include_toc: true
+---
+
+# forgejo
+
+[All applications services for this dataset.](../README.md)
+
+## Description
+
+Forgejo, a community managed lightweight code hosting solution.
+
+[For more informations](https://forgejo.org/)
+
+## Dependances
+
+- [base-fedora-37](../base-fedora-37/README.md)
+  - [base-fedora](../base-fedora/README.md)
+    - [systemd](../systemd/README.md)
+      - [base-machine](../base-machine/README.md)
+        - [base](../base/README.md)
+        - [dns-local](../dns-local/README.md)
+- [postgresql-client](../postgresql-client/README.md)
+- [reverse-proxy-client](../reverse-proxy-client/README.md)
+- [relay-mail-client](../relay-mail-client/README.md)
+- [redis-client](../redis-client/README.md)
+- [oauth2-client](../oauth2-client/README.md)
+
+## Variables
+
+### Général (*general*)
+
+#### network (*general.network*)
+
+| Description                                         |   Values |
+|-----------------------------------------------------|----------|
+| *[**incoming_ports**](dictionaries/31_forgejo.xml)* |     2222 |
+
+#### Redis (*general.redis*)
+
+| Description                                                 | Values   |
+|-------------------------------------------------------------|----------|
+| *[**redis_client_key_owner**](dictionaries/31_forgejo.xml)* | forgejo  |
+
+#### Forgejo (*general.forgejo*)
+
+Git forge Forgejo
+
+| Description                                                                                                   | Values                                             | Type                                                                                                                   |
+|---------------------------------------------------------------------------------------------------------------|----------------------------------------------------|------------------------------------------------------------------------------------------------------------------------|
+| **Titre de la forge** (*[forgejo_title](dictionaries/31_forgejo.xml)*)                                        | Forgejo : Au-delà du développement. Nous forgeons. | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |
+| **Les courriels sont envoyés à partir de cet adresse** (*[forgejo_mail_sender](dictionaries/31_forgejo.xml)*) |                                                    | [mail](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable)   |
+
+#### revprox (*general.revprox*)
+
+| Description                                                    | Values   |
+|----------------------------------------------------------------|----------|
+| *[**revprox_client_port**](dictionaries/31_forgejo.xml)*       | 3000     |
+| *[**revprox_client_cert_owner**](dictionaries/31_forgejo.xml)* | forgejo  |
+| *[**revprox_client_cert_group**](dictionaries/31_forgejo.xml)* | forgejo  |
+
+##### revprox_client (*general.revprox.revprox_client*)
+
+| Description                                                        | Values   |
+|--------------------------------------------------------------------|----------|
+| *[**revprox_client_local_location**](dictionaries/31_forgejo.xml)* | /        |
+
+#### oauth2_client (*general.oauth2_client*)
+
+| Description                                                             | Values                 |
+|-------------------------------------------------------------------------|------------------------|
+| *[**oauth2_is_client_application**](dictionaries/31_forgejo.xml)*       | True                   |
+| *[**oauth2_client_name**](dictionaries/31_forgejo.xml)*                 | Forge                  |
+| *[**oauth2_client_description**](dictionaries/31_forgejo.xml)*          | Forge logiciel Forgejo |
+| *[**oauth2_client_category**](dictionaries/31_forgejo.xml)*             | Développement          |
+| *[**oauth2_client_logo**](dictionaries/31_forgejo.xml)*                 | silique_note.png       |
+| *[**oauth2_client_token_signature_algo**](dictionaries/31_forgejo.xml)* | RS256                  |
+
+##### external (*general.oauth2_client.external*)
+
+| Description                                             | Values       |
+|---------------------------------------------------------|--------------|
+| *[oauth2_client_external](dictionaries/31_forgejo.xml)* | <calculated> |
+
+
+- [+]: variable is multiple
+- **bold**: variable is mandatory
+
+## Used by
+
+- [gitea](../gitea/README.md)

seed/forgejo/applicationservice.yml

@@ -2,7 +2,7 @@ format: '0.1'
 description: Forgejo, a community managed lightweight code hosting solution
 website: https://forgejo.org/
 depends:
-  - base-fedora-36
+  - base-fedora-37
   - postgresql-client
   - reverse-proxy-client
   - relay-mail-client

seed/forgejo/dictionaries/31_forgejo.xml

@@ -5,7 +5,7 @@
       <file engine="none" source="sysuser-forgejo.conf">/sysusers.d/0forgejo.conf</file>
       <file engine="none" source="tmpfile-forgejo.conf">/tmpfiles.d/0forgejo.conf</file>
       <file>/etc/forgejo/app.ini</file>
-      <file>/tests/forgejo.yml</file>
+      <file filelist="copy_tests">/tests/forgejo.yml</file>
     </service>
   </services>
   <variables>
@@ -19,9 +19,9 @@
         <value>forgejo</value>
       </variable>
     </family>
-    <family name="forgejo" description="Gitea" help="Git forge Gitea">
+    <family name="forgejo" description="Forgejo" help="Git forge Forgejo">
       <variable name="forgejo_title" mandatory="True" description="Titre de la forge">
-        <value>Gitea: Git avec une tasse de thé</value>
+        <value>Forgejo : Au-delà du développement. Nous forgeons.</value>
       </variable>
       <variable name="forgejo_mail_sender" type="mail" description="Les courriels sont envoyés à partir de cet adresse" mandatory="True"/>
       <variable name="forgejo_secret_key" type="password" hidden="True"/>
@@ -52,7 +52,7 @@
         <value>Forge</value>
       </variable>
       <variable name="oauth2_client_description" redefine='True'>
-        <value>Forge logiciel Gitea</value>
+        <value>Forge logiciel Forgejo</value>
       </variable>
       <variable name="oauth2_client_category" redefine='True'>
         <value>Développement</value>

seed/forgejo/manual/image/postinstall/forgejo.sh

@@ -4,8 +4,8 @@ set -ex
 
 gpg --keyserver keys.openpgp.org --recv EB114F5E6C0DC2BCDD183550A4B61A2DC5923710
 
-JSON==$(wget -q 'https://codeberg.org/api/v1/repos/forgejo/forgejo/releases?draft=false&pre-release=false&limit=1' --header 'accept: application/json' -O -)
+JSON=$(wget -q 'https://codeberg.org/api/v1/repos/forgejo/forgejo/releases?draft=false&pre-release=false&limit=1' --header 'accept: application/json' -O -)
-VERS=$(echo JSON| jq -r '.[0].name')
+VERS=$(echo $JSON| jq -r '.[0].name')
 
 mkdir -p ~/forgejo/
 
@@ -15,7 +15,7 @@ if [ ! -f ~/"forgejo/forgejo-$VERS-linux-amd64.xz" ]; then
 fi
 if [ ! -f ~/"forgejo/forgejo-$VERS-linux-amd64.xz.asc" ]; then
     rm -rf ~/"forgejo/forgejo-*-linux-amd64.xz.asc"
-    wget $(echo $JSON | jq -r '.[0].assets | map(select(.name | endswith("linux-amd64.xz"))) | .[0].browser_download_url') -O ~/"forgejo/forgejo-$VERS-linux-amd64.xz.asc"
+    wget $(echo $JSON | jq -r '.[0].assets | map(select(.name | endswith("linux-amd64.xz.asc"))) | .[0].browser_download_url') -O ~/"forgejo/forgejo-$VERS-linux-amd64.xz.asc"
 fi
 
 gpg --verify ~/"forgejo/forgejo-$VERS-linux-amd64.xz.asc" ~/"forgejo/forgejo-$VERS-linux-amd64.xz"

seed/forgejo/tests/test_forgejo.py

@@ -1,3 +1,4 @@
+import datetime
 from yaml import load, SafeLoader
 from os import environ, makedirs, unlink
 from os.path import expandvars, isfile, isdir, dirname, join
@@ -14,12 +15,11 @@ from mookdns import MookDnsSystem
 
 
 PORT = '3000'
-GITEA_USERNAME = 'forgejo'
+FORGEJO_USERNAME = 'forgejo'
-GITEA_PORT = '2222'
+FORGEJO_PORT = '2222'
 KEY_FILE = '/var/lib/risotto/srv/hosts/forgejo'
 # transition between gitea and forgejo
 GITEA_KEY_FILE = '/var/lib/risotto/srv/hosts/gitea'
-KNOWN_KEY = expandvars('$HOME/.ssh/known_hosts')
 CONFIG_SSH = expandvars('$HOME/.ssh/config')
 CONFIG_GIT = expandvars('$HOME/.gitconfig')
 
@@ -99,7 +99,6 @@ def get_info(authentication,
              with_data_id=False,
              found_string=None
              ):
-    # <input type="hidden" name="_csrf" value="YQbVgdYHX_3VQ-KuZ5cKtr9RzXE6MTY1NzgxMzUzNTA0OTYwODQ0NQ">
     pattern_csrf = r'name="_csrf" value="([a-zA-Z0-9\-\_=]+)"'
     ret = authentication.get(url)
     csrf = search(pattern_csrf, ret)[1]
@@ -203,7 +202,7 @@ def test_repo():
     with TemporaryDirectory() as tmpdirname:
         username = data['username'].split('@', 1)[0]
         dns = data['base_url'].split('/', 3)[2]
-        ssh_url = f'ssh://{GITEA_USERNAME}@{dns}:{GITEA_PORT}/{username}/test.git'
+        ssh_url = f'ssh://{FORGEJO_USERNAME}@{dns}:{FORGEJO_PORT}/{username}/test.git'
         with SSHConfig():
             with MookDnsSystem(dns, data['ip']):
                 filename = join(tmpdirname, 'test.txt')
@@ -268,11 +267,11 @@ def test_repo_persistent():
     with TemporaryDirectory() as tmpdirname:
         username = data['username'].split('@', 1)[0]
         dns = data['base_url'].split('/', 3)[2]
-        ssh_url = f'ssh://{GITEA_USERNAME}@{dns}:{GITEA_PORT}/{username}/test_persistent.git'
+        ssh_url = f'ssh://{FORGEJO_USERNAME}@{dns}:{FORGEJO_PORT}/{username}/test_persistent.git'
         with SSHConfig():
             with MookDnsSystem(dns, data['ip']):
-                if 'FIRST_RUN' in environ:
                 filename = join(tmpdirname, 'test.txt')
+                if 'FIRST_RUN' in environ:
                     with open(filename, 'w') as fh:
                         fh.write('test')
                     repo = init(tmpdirname)
@@ -284,6 +283,25 @@ def test_repo_persistent():
                     )
                 else:
                     repo = clone(ssh_url, tmpdirname)
+                with open(filename, 'r') as fh:
+                    len_file = len(fh.readlines())
+                # get previous commit number
                 lst = list(repo.get_walker())
-                assert len(lst) == 1
+                len_before_commit = len(lst)
-                assert lst[0].commit.message == b'test commit'
+                assert len_before_commit == len_file
+                # add a new line in file and commit
+                with open(filename, 'a') as fh:
+                    fh.write('\ntest')
+                add(repo, filename)
+                date = datetime.datetime.now()
+                commit_message = f'test commit {date}'.encode()
+                commit(repo, message=commit_message)
+                push(repo=repo,
+                     remote_location=ssh_url,
+                     refspecs='master',
+                )
+                # test if commit is added and last commit
+                lst = list(repo.get_walker())
+                len_after_commit = len(lst)
+                assert len_before_commit + 1 == len_after_commit
+                assert lst[-1].commit.message == commit_message

seed/gitea/README.md

@@ -0,0 +1,41 @@
+---
+gitea: none
+include_toc: true
+---
+
+# gitea
+
+[All applications services for this dataset.](../README.md)
+
+## Description
+
+Transitional package for Gitea to Forgejo.
+
+## Dependances
+
+- [forgejo](../forgejo/README.md)
+  - [base-fedora-37](../base-fedora-37/README.md)
+    - [base-fedora](../base-fedora/README.md)
+      - [systemd](../systemd/README.md)
+        - [base-machine](../base-machine/README.md)
+          - [base](../base/README.md)
+          - [dns-local](../dns-local/README.md)
+  - [postgresql-client](../postgresql-client/README.md)
+  - [reverse-proxy-client](../reverse-proxy-client/README.md)
+  - [relay-mail-client](../relay-mail-client/README.md)
+  - [redis-client](../redis-client/README.md)
+  - [oauth2-client](../oauth2-client/README.md)
+
+## Variables
+
+### Général (*general*)
+
+#### Transitional family (*general.gitea*)
+
+| Description                                                                                    | Type                                                                                                                 |
+|------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------|
+| Transitional variable, please do not use it (*[gitea_mail_sender](dictionaries/32_gitea.xml)*) | [mail](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |
+
+
+- [+]: variable is multiple
+- **bold**: variable is mandatory

seed/host-systemd-machined/dictionaries/21-machined.xml

@@ -16,9 +16,10 @@
       <file>/usr/local/lib/risotto-tmpfiles.d/0asystemd-nspawn.conf</file>
       <file>/etc/systemd/system/systemd-nspawn@.service.d/systemd-nspawn@.conf</file>
       <file>/etc/distro.repos.d/boot.repo</file>
-      <file>/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-35-x86_64</file>
+      <file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-35-x86_64</file>
-      <file>/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-36-x86_64</file>
+      <file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-36-x86_64</file>
-      <file>/etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-36</file>
+      <file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-37-x86_64</file>
+      <file engine="none">/etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-36</file>
       <file>/etc/sysctl.d/90-risotto.conf</file>
       <file file_type="variable" source="dhcp.network" variable="interface_names">host_network_filename</file>
     </service>
@@ -50,6 +51,13 @@
       <value>tree</value>
       <value>tshark</value>
       <value>vim</value>
+      <value>python3-pytest</value>
+      <value>python3-yaml</value>
+      <value>python3-ldap</value>
+      <value>python3-dnspython</value>
+      <value>python3-dulwich</value>
+      <value>python3-psycopg2</value>
+      <value>python3-redis</value>
     </variable>
     <family name="network">
       <variable name="output_interface" description="Nom de l'interface de sortie" mandatory="True"/>

seed/ldap-client/README.md

@@ -25,13 +25,13 @@ Application service needs interact with a LDAP server.
 
 ##### Client (*general.annuaire.client*)
 
-| Description                                                                                                                      | Type                                                                                                                      | Supplier     |
+| Description                                                                                                                      | Type                                                                                                                      | Supplier     | Values       |
-|----------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|--------------|
+|----------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------|--------------|--------------|
-| Nom de la famille LDAP (*[ldapclient_family](dictionaries/21_ldap-client.xml)*)                                                  | [unix_user](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | LDAP:family  |
+| Nom de la famille LDAP (*[ldapclient_family](dictionaries/21_ldap-client.xml)*)                                                  | [unix_user](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | LDAP:family  |              |
-| **Base DN de l'annuaire** (*[ldapclient_base_dn](dictionaries/21_ldap-client.xml)*)                                              | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable)    | LDAP:base_dn |
+| **Base DN de l'annuaire** (*[ldapclient_base_dn](dictionaries/21_ldap-client.xml)*)                                              | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable)    | LDAP:base_dn | <calculated> |
-| **Base DN de l'annuaire des utilisateurs** (*[ldapclient_search_dn](dictionaries/21_ldap-client.xml)*)                           | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable)    |              |
+| **Base DN de l'annuaire des utilisateurs** (*[ldapclient_search_dn](dictionaries/21_ldap-client.xml)*)                           | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable)    |              | <calculated> |
-| **Base DN de l'annuaire des groupes** (*[ldapclient_group_dn](dictionaries/21_ldap-client.xml)*)                                 | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable)    |              |
+| **Base DN de l'annuaire des groupes** (*[ldapclient_group_dn](dictionaries/21_ldap-client.xml)*)                                 | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable)    |              | <calculated> |
-| **Base DN de l'annuaire des utilisateurs n'appartenant à une famille** (*[ldapclient_user_dn](dictionaries/21_ldap-client.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable)    |              |
+| **Base DN de l'annuaire des utilisateurs n'appartenant à une famille** (*[ldapclient_user_dn](dictionaries/21_ldap-client.xml)*) | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable)    |              | <calculated> |
 
 
 - [+]: variable is multiple

seed/ldap-client/templates/ldap.conf

@@ -6,9 +6,11 @@
 # This file should be world readable but not world writable.
 
 #BASE	dc=example,dc=com
-BASE %%ldapclient_search_dn
 #URI	ldap://ldap.example.com ldap://ldap-master.example.com:666
+#>GNUNUX
+BASE %%ldapclient_search_dn
 URI ldaps://%%ldap_server_address:%%ldap_port
+#<GNUNUX
 
 #SIZELIMIT	12
 #TIMELIMIT	15
@@ -18,9 +20,11 @@ URI ldaps://%%ldap_server_address:%%ldap_port
 # are in use. In order to have these available along with the ones specified
 # by TLS_CACERTDIR one has to include them explicitly:
 #TLS_CACERT	/etc/pki/tls/cert.pem
+#>GNUNUX
 TLS_KEY %%ldap_key_file
 TLS_CERT %%ldap_cert_file
 TLS_CACERT %%ldap_ca_file
+#<GNUNUX
 
 # System-wide Crypto Policies provide up to date cipher suite which should
 # be used unless one needs a finer grinded selection of ciphers. Hence, the
@@ -31,8 +35,10 @@ TLS_CACERT %%ldap_ca_file
 # Turning this off breaks GSSAPI used with krb5 when rdns = false
 SASL_NOCANON	on
 
+#>GNUNUX
 BINDDN %%ldapclient_user
 TIMELIMIT 10
 NETWORK_TIMEOUT 10
 TIMEOUT 10
 BINDPW %%ldapclient_user_password
+#<GNUNUX

seed/lemonldap/README.md

@@ -15,16 +15,16 @@ LemonLDAP, a Web Single Sign On and Access Management.
 
 ## Dependances
 
+- [ldap-client](../ldap-client/README.md)
+- [reverse-proxy-client](../reverse-proxy-client/README.md)
+- [relay-mail-client](../relay-mail-client/README.md)
+- [nginx-common](../nginx-common/README.md)
 - [base-debian-bullseye](../base-debian-bullseye/README.md)
   - [base-debian](../base-debian/README.md)
     - [systemd](../systemd/README.md)
       - [base-machine](../base-machine/README.md)
         - [base](../base/README.md)
         - [dns-local](../dns-local/README.md)
-- [ldap-client](../ldap-client/README.md)
-- [reverse-proxy-client](../reverse-proxy-client/README.md)
-- [relay-mail-client](../relay-mail-client/README.md)
-- [nginx-common](../nginx-common/README.md)
 
 ## Variables
 
@@ -55,10 +55,10 @@ Configuration de la solution d'authentification unique LemonLDAP::NG
 
 ### Oauth2 (*oauth2*)
 
-| Description                                                                                    | Type                                                                                                                       | Provider   | Supplier     |
+| Description                                                                                    | Type                                                                                                                       | Provider   | Values       | Supplier     |
-|------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|------------|--------------|
+|------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|------------|--------------|--------------|
-| Remote clients needing to verify OAuth2 account (*[remotes](extras/oauth2/00_oauth2.xml)*) [+] | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | OAuth2     |              |
+| Remote clients needing to verify OAuth2 account (*[remotes](extras/oauth2/00_oauth2.xml)*) [+] | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | OAuth2     |              |              |
-| Remote clients (*[clients](extras/oauth2/00_oauth2.xml)*) [+]                                  | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |            | OAuth2Client |
+| Remote clients (*[clients](extras/oauth2/00_oauth2.xml)*) [+]                                  | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |            | <calculated> | OAuth2Client |
 
 #### OAuth2 for  (*oauth2.oauth2_*)
 

seed/lemonldap/applicationservice.yml

@@ -2,8 +2,8 @@ format: '0.1'
 description: LemonLDAP, a Web Single Sign On and Access Management
 website: https://lemonldap-ng.org/
 depends:
-  - base-debian-bullseye
   - ldap-client
   - reverse-proxy-client
   - relay-mail-client
   - nginx-common
+  - base-debian-bullseye

seed/lemonldap/dictionaries/70_lemonldap_ng.xml

@@ -20,7 +20,7 @@
       <file mode="750">/sbin/interne_well_known.pl</file>
       <file mode="750">/sbin/wget.pl</file>
       <file engine="none" source="tmpfile-lemonldap.conf">/tmpfiles.d/0lemonldap.conf</file>
-      <file>/tests/lemonldap.yml</file>
+      <file filelist="copy_tests">/tests/lemonldap.yml</file>
     </service>
   </services>
   <variables>

seed/mailman/README.md

@@ -54,9 +54,9 @@ GNU Mailman, managing electronic mail discussion and e-newsletter lists.
 
 ##### external (*general.oauth2_client.external*)
 
-| Description                                             |
+| Description                                             | Values       |
-|---------------------------------------------------------|
+|---------------------------------------------------------|--------------|
-| *[oauth2_client_external](dictionaries/31_mailman.xml)* |
+| *[oauth2_client_external](dictionaries/31_mailman.xml)* | <calculated> |
 
 #### nginx (*general.nginx*)
 

seed/mailman/dictionaries/31_mailman.xml

@@ -5,7 +5,7 @@
       <!--override/-->
       <file owner="root" group="list" mode="640">/etc/mailman3/mailman.cfg</file>
       <file engine="none" source="tmpfile-mailman.conf">/tmpfiles.d/0mailman.conf</file>
-      <file>/tests/mailman.yml</file>
+      <file filelist="copy_tests">/tests/mailman.yml</file>
       <!--file owner="root" group="mailman" mode="640">/etc/mailman3.d/postfix.cfg</file-->
     </service>
     <service name="mailman3-web"> <!-- target="multi-user" engine="cheetah">-->

seed/mariadb/dictionaries/20_mariadb.xml

@@ -6,7 +6,7 @@
       <file>/etc/my.cnf.d/risotto.cnf</file>
       <file engine="none" source="tmpfile-mariadb.conf">/tmpfiles.d/0mariadb.conf</file>
       <file mode="600" owner="mysql" group="mysql">/etc/mariadb.sql</file>
-      <file>/tests/mariadb.yml</file>
+      <file filelist="copy_tests">/tests/mariadb.yml</file>
     </service>
   </services>
   <variables>

seed/nextcloud/manual/image/postinstall/nextcloud.sh

@@ -1,4 +1,4 @@
-CALENDAR="3.5.2"
+#CALENDAR="3.5.2"
 ln -s "/srv/nextcloud/data" "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/share/nextcloud/data"
 mkdir -p "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/local/share/nextcloud/apps"
 cd "$IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/local/share/nextcloud/apps"
@@ -9,8 +9,11 @@ tar xf *tar.gz
 rm -f *tar.gz
 chown -R root: oidc_login
 #
-#app=$(wget https://api.github.com/repos/nextcloud-releases/calendar/releases/latest -q -O - | jq -r '.assets[0].browser_download_url')
+if [ -z "$CALENDAR" ]; then
-app="https://github.com/nextcloud-releases/calendar/releases/download/v${CALENDAR}/calendar-v${CALENDAR}.tar.gz"
+  app=$(wget https://api.github.com/repos/nextcloud-releases/calendar/releases/latest -q -O - | jq -r '.assets[0].browser_download_url')
+else
+  app="https://github.com/nextcloud-releases/calendar/releases/download/v${CALENDAR}/calendar-v${CALENDAR}.tar.gz"
+fi
 wget -q $app -O app.tar.gz
 tar xf app.tar.gz
 rm -f app.tar.gz

seed/nginx-common/dictionaries/21_nginx.xml

@@ -2,17 +2,15 @@
 <rougail version="0.10">
   <services>
     <service name='nginx' target='multi-user'>
-      <file>/etc/nginx/nginx.conf</file>
+      <file source="nginx_source_conf" source_type="variable">/etc/nginx/nginx.conf</file>
-      <file source="default">/etc/nginx/sites-available/default</file>
+      <file filelist="nginx_debian">/etc/nginx/sites-available/default</file>
       <file filelist="nginx_default" source="default-nginx.conf">/etc/nginx/default.d/default.conf</file>
-      <file source="nginx.index.html">/var/www/html/index.html</file>
       <file source="nginx-options.conf">/etc/nginx/conf.d/options.conf</file>
-      <file>/var/www/html/error.html</file>
       <file engine="none" source="sysusers.nginx.conf" filelist="nginx_fedora">/sysusers.d/nginx.conf</file>
       <file source="tmpfiles.nginx.conf">/tmpfiles.d/nginx.conf</file>
       <file file_type="variable" filelist="nginx_default_https" mode="600" source="nginx.crt">revprox_crt_file</file>
       <file file_type="variable" filelist="nginx_default_https" mode="600" source="nginx.key">revprox_key_file</file>
-      <file>/tests/nginx-common.yml</file>
+      <file filelist="copy_tests">/tests/nginx-common.yml</file>
     </service>
   </services>
   <variables>
@@ -41,6 +39,7 @@
       <variable name="revprox_key_file" type="filename" description="Reverse proxy key filename" hidden="True"/>
       <variable name="nginx_owner" type="unix_user" description="Nginx process owner" mandatory="True" hidden="True"/>
       <variable name="nginx_group" type="unix_user" description="Nginx process group" mandatory="True" hidden="True"/>
+      <variable name="nginx_source_conf" hidden="True"/>
     </family>
   </variables>
   <constraints>
@@ -49,6 +48,10 @@
       <target type="filelist">nginx_fedora</target>
       <target>nginx_default</target>
     </condition>
+    <condition name="disabled_if_not_in" source="os_name">
+      <param>Debian</param>
+      <target type="filelist">nginx_debian</target>
+    </condition>
     <condition name="disabled_if_in" source="nginx_default">
       <param type="nil"/>
       <target type="filelist">nginx_default</target>
@@ -89,5 +92,11 @@
       <param name="expected">Fedora</param>
       <target>nginx_group</target>
     </fill>
+    <fill name="calc_value">
+      <param>nginx.conf</param>
+      <param type="variable">os_name</param>
+      <param name="join">.</param>
+      <target>nginx_source_conf</target>
+    </fill>
   </constraints>
 </rougail>

seed/nginx-common/templates/default-nginx.conf

@@ -1,2 +1,3 @@
+#RISOTTO: do not compare
         rewrite ^(.*) http://%%nginx_default$1;
         break;

seed/nginx-common/templates/nginx-options.conf

@@ -1,3 +1,4 @@
+#RISOTTO: do not compare
 client_max_body_size %%{nginx_post_max_size}M;
 client_body_buffer_size 128k;
 

seed/nginx-common/tests/test_nginx_commmon.py

@@ -42,9 +42,9 @@ def test_revprox():
         protocols.append('https')
         # test certificate
         with raises(SSLError):
-            # not certificat problem for https://{url}
+            # certificat problem for https://{url}
             req(f'https://{url}', data['address'])
     for protocol in protocols:
         ret_code, content = req(f'{protocol}://{url}', data['address'], verify=False)
         assert ret_code == 200, f'{protocol}://{url} do not returns code 200 but {ret_code}'
-        assert "<title>Test Page for the HTTP Server on Fedora</title>" in content, f'{protocol}://{url} do not returns default fedora page'
+#        assert "<title>Welcome</title>" in content, f'{protocol}://{url} do not returns default fedora page'

seed/nginx-reverse-proxy/README.md

@@ -15,13 +15,13 @@ Nginx as reverse proxy.
 
 ## Dependances
 
-- [base-fedora-36](../base-fedora-36/README.md)
+- [nginx-common](../nginx-common/README.md)
+- [base-fedora-37](../base-fedora-37/README.md)
   - [base-fedora](../base-fedora/README.md)
     - [systemd](../systemd/README.md)
       - [base-machine](../base-machine/README.md)
         - [base](../base/README.md)
         - [dns-local](../dns-local/README.md)
-- [nginx-common](../nginx-common/README.md)
 
 ## Variables
 
@@ -38,8 +38,8 @@ Nginx as reverse proxy.
 Paramétrage global de NGINX
 
 | Description                                            | Values       |
-|--------------------------------------------------------|----------|
+|--------------------------------------------------------|--------------|
-| *[**nginx_default**](dictionaries/25_nginx.xml)*       |          |
+| *[**nginx_default**](dictionaries/25_nginx.xml)*       | <calculated> |
 | *[**nginx_default_http**](dictionaries/25_nginx.xml)*  | True         |
 | *[**nginx_default_https**](dictionaries/25_nginx.xml)* | True         |
 

seed/nginx-reverse-proxy/applicationservice.yml

@@ -2,5 +2,5 @@ format: '0.1'
 description: Nginx as reverse proxy
 website: https://nginx.org/
 depends:
-  - base-fedora-36
   - nginx-common
+  - base-fedora-37

seed/nginx-reverse-proxy/dictionaries/25_nginx.xml

@@ -4,10 +4,12 @@
     <service name='nginx'>
       <override engine="cheetah"/>
       <file source="nginx-options-rp.conf">/etc/nginx/conf.d/options-rp.conf</file>
-      <file source="revprox-nginx.conf">/etc/nginx/sites-enabled/risotto.conf</file>
+      <file source="revprox-nginx.conf">/etc/nginx/conf.d/risotto.conf</file>
+      <file>/etc/pki/ca-trust/source/anchors/ca_External.crt</file>
       <file source="certificate.crt" file_type="variable" mode="600" variable="nginx.revprox_domainnames">nginx.nginx_certificate_filename</file>
       <file source="private.key" file_type="variable" mode="600" variable="nginx.revprox_domainnames">nginx.nginx_private_key_filename</file>
-      <file>/tests/reverse-proxy.yml</file>
+      <file filelist="copy_tests">/tests/reverse-proxy.yml</file>
+      <file>/var/www/html/error.html</file>
     </service>
   </services>
   <variables>

seed/nginx-reverse-proxy/extras/nginx/00-nginx.xml

@@ -37,7 +37,7 @@
       <target>nginx.nginx_private_key_filename</target>
     </fill>
     <fill name="get_first_value">
-      <param type="variable">nginx.remotes</param>
+      <param type="variable">nginx.reverse_proxy_for_.reverse_proxy_.revprox_domainnames_</param>
       <target>nginx_default</target>
     </fill>
   </constraints>

seed/nginx-reverse-proxy/templates/certificate.crt

@@ -1,2 +1 @@
-%set %%chain=%%get_chain(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name="External", hide=%%hide_secret)
 %%get_certificate(cn=%%rougail_variable, authority_cn=%%domain_name_eth0, authority_name='External', hide=%%hide_secret)

seed/nginx-reverse-proxy/templates/nginx-options-rp.conf

@@ -1,2 +1,3 @@
+#RISOTTO: do not compare
 # We use X-Forwarded-For header
 real_ip_header    X-Forwarded-For;

seed/nginx-reverse-proxy/templates/reverse-proxy.yml

@@ -10,3 +10,4 @@ urls:
     %end for
   %end for
 %end for
+ca_certificate: ../etc/pki/ca-trust/source/anchors/ca_External.crt

seed/nginx-reverse-proxy/templates/revprox-nginx.conf

@@ -1,3 +1,4 @@
+#RISOTTO: do not compare
 %for %%idx, %%domainname in %%enumerate(%%nginx.revprox_domainnames)
 # Configuration HTTP %%domainname
 server {

seed/nginx-reverse-proxy/tests/test_revprox.py

@@ -1,5 +1,6 @@
 from yaml import load, SafeLoader
 from os import environ
+from os.path import join
 
 import warnings
 import socket
@@ -19,9 +20,9 @@ def req(url, ip, verify=True):
     if not verify:
         with warnings.catch_warnings():
             warnings.simplefilter("ignore")
-            ret = get(url, verify=verify)
+            ret = get(url, verify=verify, allow_redirects=False)
     else:
-        ret = get(url, verify=verify)
+        ret = get(url, verify=verify, allow_redirects=False)
     ret_code = ret.status_code
     content = ret.content
     socket.getaddrinfo = old_getaddrinfo
@@ -34,6 +35,8 @@ def test_revprox():
         data = load(yaml, Loader=SafeLoader)
     # test known domains
     for url in data['urls']:
+        try:
             ret_code, content = req(f'https://{url}', data['address'])
+        except SSLError:
+            ret_code, content = req(f'https://{url}', data['address'], verify=join(environ["MACHINE_TEST_DIR"], data["ca_certificate"]))
         assert ret_code == 200, f'https://{url} do not returns code 200 but {ret_code}'
-        assert "<title>Test Page for the HTTP Server on Fedora</title>" not in content, f'https://{url} do returns default fedora page'

seed/nginx-static/README.md

@@ -18,7 +18,7 @@ Nginx as static web site.
 - [nginx-https](../nginx-https/README.md)
   - [nginx-common](../nginx-common/README.md)
   - [reverse-proxy-client](../reverse-proxy-client/README.md)
-- [base-fedora-36](../base-fedora-36/README.md)
+- [base-fedora-37](../base-fedora-37/README.md)
   - [base-fedora](../base-fedora/README.md)
     - [systemd](../systemd/README.md)
       - [base-machine](../base-machine/README.md)

seed/nginx-static/applicationservice.yml

@@ -3,4 +3,4 @@ description: Nginx as static web site
 website: https://nginx.org/
 depends:
   - nginx-https
-  - base-fedora-36
+  - base-fedora-37

seed/nginx-static/dictionaries/22_nginx_static.xml

@@ -3,6 +3,7 @@
   <services>
     <service name='nginx' target='multi-user'>
       <file source="tmpfiles.nginx_static.conf">/tmpfiles.d/0static.conf</file>
+      <file source="index.html">/srv/static/index.html</file>
     </service>
   </services>
   <variables>

seed/nsd/README.md

@@ -15,7 +15,7 @@ NSD, an authoritative DNS name server.
 
 ## Dependances
 
-- [base-fedora-36](../base-fedora-36/README.md)
+- [base-fedora-37](../base-fedora-37/README.md)
   - [base-fedora](../base-fedora/README.md)
     - [systemd](../systemd/README.md)
       - [base-machine](../base-machine/README.md)
@@ -28,9 +28,9 @@ NSD, an authoritative DNS name server.
 
 #### network (*general.network*)
 
-| Description                         |
+| Description                         | Values       |
-|-------------------------------------|
+|-------------------------------------|--------------|
-| *[ip_dns](dictionaries/20_nsd.xml)* |
+| *[ip_dns](dictionaries/20_nsd.xml)* | <calculated> |
 
 #### Serveur DNS (*general.dns_server*)
 
@@ -40,17 +40,17 @@ NSD, an authoritative DNS name server.
 
 #### Zone DNS (*general.dns_zone*)
 
-| Description                                            | Type                                                                                                                       |
+| Description                                            | Type                                                                                                                       | Values       |
-|--------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|
+|--------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|--------------|
-| Zones DNS (*[nsd_zones](dictionaries/20_nsd.xml)*) [+] | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |
+| Zones DNS (*[nsd_zones](dictionaries/20_nsd.xml)*) [+] | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | <calculated> |
 
 #### Zone DNS reverse (*general.dns_reverses*)
 
 This a family is a leadership.
 
-| Description                                                                              | Type                                                                                                                         |
+| Description                                                                              | Type                                                                                                                         | Values       |
-|------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|
+|------------------------------------------------------------------------------------------|------------------------------------------------------------------------------------------------------------------------------|--------------|
-| Réseau pour la résolution reverse (*[nsd_reverse_network](dictionaries/20_nsd.xml)*) [+] | [network_cidr](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |
+| Réseau pour la résolution reverse (*[nsd_reverse_network](dictionaries/20_nsd.xml)*) [+] | [network_cidr](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | <calculated> |
 
 ### Machine (*machine*)
 

seed/nsd/applicationservice.yml

@@ -3,4 +3,4 @@ description: NSD, an authoritative DNS name server
 website: https://www.nlnetlabs.nl/projects/nsd/about/
 service: true
 depends:
-  - base-fedora-36
+  - base-fedora-37

seed/nsd/dictionaries/20_nsd.xml

@@ -11,7 +11,7 @@
       <file file_type="variable" source="nsd.signed" variable="nsd_reverse_filenames">nsd_reverse_filenames_signed</file>
       <file engine="none" source="sysuser-nsd.conf">/sysusers.d/0nsd.conf</file>
       <file engine="none" source="tmpfile-nsd.conf">/tmpfiles.d/0nsd.conf</file>
-      <file>/tests/nsd.yml</file>
+      <file filelist="copy_tests">/tests/nsd.yml</file>
     </service>
   </services>
   <variables>

seed/nsd/templates/nsd.signed

@@ -1 +1,2 @@
+#RISOTTO: do not compare
 %%sign(%%rougail_destination_dir + %%rougail_variable, %%domain_name_eth0)

seed/nsd/templates/risotto.conf

@@ -1,3 +1,4 @@
+#RISOTTO: do not compare
 server:
     interface: 127.0.0.1
 %for %%interface in %%range(%%len(%%zones_list))

seed/oauth2-client/README.md

@@ -31,10 +31,10 @@ Application service needs interact with a Oauth2 server.
 
 ##### external (*general.oauth2_client.external*)
 
-| Description                                                                                    | Type                                                                                                                        | Supplier        | Values   |
+| Description                                                                                    | Type                                                                                                                        | Values       | Supplier        |
-|------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------|-----------------|----------|
+|------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------|--------------|-----------------|
-| **OAuth2 client external** (*[oauth2_client_external](dictionaries/30_oauth2_client.xml)*) [+] | [web_address](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | OAuth2:external |          |
+| **OAuth2 client external** (*[oauth2_client_external](dictionaries/30_oauth2_client.xml)*) [+] | [web_address](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | <calculated> | OAuth2:external |
-| **OAuth2 family** (*[oauth2_client_family](dictionaries/30_oauth2_client.xml)*)                | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable)      | OAuth2:family   | users    |
+| **OAuth2 family** (*[oauth2_client_family](dictionaries/30_oauth2_client.xml)*)                | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable)      | users        | OAuth2:family   |
 
 
 - [+]: variable is multiple
@@ -47,9 +47,9 @@ Application service needs interact with a Oauth2 server.
 - [peertube](../peertube/README.md)
 - [piwigo](../piwigo/README.md)
 - [dovecot](../dovecot/README.md)
+- [forgejo](../forgejo/README.md)
 - [roundcube](../roundcube/README.md)
 - [nextcloud](../nextcloud/README.md)
-- [gitea](../gitea/README.md)
 
 ## Linked to
 

seed/odoo/dictionaries/40_odoo.xml

@@ -14,7 +14,7 @@
   </services>
   <variables>
     <family name="odoo" description="Odoo">
-      <variable name="odoo_admin_password" description="Mot de passe de l'administrateur" hidden="True"/>
+      <variable name="odoo_admin_password" type="password" description="Mot de passe de l'administrateur" hidden="True"/>
       <variable name="odoo_admin_email" type="mail" description="Adresse courriel de l'administrateur" mandatory="True"/>
       <variable name="odoo_company_name" description="Nom" mandatory="True"/>
       <variable name="odoo_company_street" description="Adresse" mandatory="True"/>

seed/openldap/README.md

@@ -16,7 +16,7 @@ OpenLDAP, a LDAP server.
 ## Dependances
 
 - [ldap-client](../ldap-client/README.md)
-- [base-fedora-36](../base-fedora-36/README.md)
+- [base-fedora-37](../base-fedora-37/README.md)
   - [base-fedora](../base-fedora/README.md)
     - [systemd](../systemd/README.md)
       - [base-machine](../base-machine/README.md)
@@ -60,12 +60,12 @@ OpenLDAP, a LDAP server.
 
 ##### client (*general.annuaire.client*)
 
-| Description                                                                                           |
+| Description                                                                                           | Values       |
-|-------------------------------------------------------------------------------------------------------|
+|-------------------------------------------------------------------------------------------------------|--------------|
-| *[ldapclient_user](dictionaries/21_openldap-server.xml)*                                              |
+| *[ldapclient_user](dictionaries/21_openldap-server.xml)*                                              | <calculated> |
-| **Base DN** (*[ldapclient_base_dn](dictionaries/21_openldap-server.xml)*)                             |
+| **Base DN** (*[ldapclient_base_dn](dictionaries/21_openldap-server.xml)*)                             |              |
-| **Base DN de l'annuaire des utilisateurs** (*[ldap_account_dn](dictionaries/21_openldap-server.xml)*) |
+| **Base DN de l'annuaire des utilisateurs** (*[ldap_account_dn](dictionaries/21_openldap-server.xml)*) | <calculated> |
-| *[ldapclient_search_dn](dictionaries/21_openldap-server.xml)*                                         |
+| *[ldapclient_search_dn](dictionaries/21_openldap-server.xml)*                                         | <calculated> |
 
 ### Machine (*machine*)
 

seed/openldap/applicationservice.yml

@@ -3,4 +3,4 @@ description: OpenLDAP, a LDAP server
 website: https://www.openldap.org/
 depends:
   - ldap-client
-  - base-fedora-36
+  - base-fedora-37

seed/openldap/dictionaries/21_openldap-server.xml

@@ -3,18 +3,17 @@
   <services>
     <service name="slapd" target="multi-user">
       <override/>
-      <file source='default.slapd'>/etc/default/slapd</file>
       <file>/etc/pki/tls/certs/openldap.crt</file>
       <file owner="ldap" mode="400">/etc/pki/tls/private/openldap.key</file>
       <file owner="ldap">/var/lib/ldap/DB_CONFIG</file>
-      <file>/secrets/users.ldif</file>
-      <file>/secrets/users_mod.ldif</file>
       <file owner="ldap" mode="400">/etc/ldap/secrets/config.ldif</file>
-      <file owner="ldap" mode="400">/etc/ldap/secrets/config_acl.ldif</file>
+      <file owner="ldap" mode="400">/etc/ldap/secrets/users.ldif</file>
-      <file>/secrets/admin_ldap.pwd</file>
+      <file>/secrets/users_mod.ldif</file>
+      <file>/secrets/config_acl.ldif</file>
+      <file mode="400">/secrets/admin_ldap.pwd</file>
       <file engine="none">/sysusers.d/risotto-openldap.conf</file>
       <file source="tmpfile-openldap-server.conf">/tmpfiles.d/0openldap-server.conf</file>
-      <file>/tests/openldap.yml</file>
+      <file filelist="copy_tests">/tests/openldap.yml</file>
     </service>
   </services>
 

seed/openldap/extras/accounts/00_account.xml

@@ -5,7 +5,7 @@
     <family name="remote_" description="Compte LDAP pour " dynamic="accounts.remotes">
       <variable name="family_" description="Nom de la familly de " hidden="True" provider="LDAP:family"/>
       <variable name="dn_" description="LDAP DN de " hidden="True" provider="LDAP:dn"/>
-      <variable name="password_" description="Mot de passe de " hidden="True" provider="LDAP:password"/>
+      <variable name="password_" type ="password" description="Mot de passe de " hidden="True" provider="LDAP:password"/>
       <variable name="base_dn_" description="LDAP base DN de " hidden="True" provider="LDAP:base_dn"/>
     </family>
     <family name="users" description="Gestion des utilisateurs" leadership="True">

seed/openldap/templates/DB_CONFIG

@@ -1,3 +1,4 @@
+#RISOTTO: do not compare
 # $OpenLDAP$
 # Example DB_CONFIG file for use with slapd(8) BDB/HDB databases.
 #

seed/openldap/templates/config.ldif

@@ -1,3 +1,4 @@
+#RISOTTO: do not compare
 dn: cn=config
 objectClass: olcGlobal
 #olcLogLevel: %%ldap_loglevel

seed/openldap/templates/config_acl.ldif

@@ -1,3 +1,4 @@
+#RISOTTO: do not compare
 %set %%name_family = 'gnunux'
 %set %%dns = {}
 %set %%groups = []

seed/openldap/templates/openldap.yml

@@ -47,3 +47,8 @@ groups:
     - cn=%%user,%%families
   %end for
 %end for
+%if 'gnunux' not in %%accounts.families
+  %set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, 'gnunux')
+  gnunux:
+    - cn=rougail_test@gnunux.info,%%families
+%end if

seed/openldap/templates/users.ldif

@@ -1,3 +1,4 @@
+%set %%add_test = True
 %set %%username="rougail_test@silique.fr"
 %set %%username_family="rougail_test@gnunux.info"
 %set %%name_family="gnunux"
@@ -64,41 +65,23 @@ ou: families
 objectClass: top
 objectClass: organizationalUnit
 
-%for %%family in %%accounts.families
+%def add_family(%%family, %%families)
-%set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=%%family)
 dn: %%families
 ou: %%family
 objectClass: top
 objectClass: organizationalUnit
-
+%end def
+%if %%add_test and 'gnunux' not in %%accounts.families
+  %set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name='gnunux')
+%%add_family('gnunux', %%families)
+%end if
+%for %%family in %%accounts.families
+  %set %%families = %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=%%family)
+%%add_family(%%family, %%families)
   %for %%user in %%accounts['family_' + %%family]['users_' + %%family]['ldap_user_mail_' + %%family]
 %set %%userdn = "cn=" + %%user + "," + %%families
 %%groups.setdefault(%%family, []).append(%%userdn)%slurp
 %%acc.append((%%userdn, %%user, %%user['ldap_user_password_' + %%family], %%user['ldap_user_sn_' + %%family], %%user['ldap_user_gn_' + %%family], %%user['ldap_user_uid_' + %%family], %%user['ldap_user_aliases_' + %%family], %%family))%slurp
-#pouet
-#dn: %%userdn
-#cn: %%user
-#mail: %%user
-#sn: 
-#givenName: 
-#uid: 
-#userPassword:: %%ssha_encode()
-#homeDirectory: /srv/home/families/%%family/%%user
-#mailLocalAddress: %%user
-#    %if %%user['ldap_user_aliases_' + %%family]
-#      %for %%alias in 
-#mailLocalAddress: %%alias
-#      %end for
-#    %end if
-#uidNumber: 0
-#gidNumber: 0
-#objectClass: top
-#objectClass: inetOrgPerson
-#objectClass: posixAccount
-#objectClass: inetLocalMailRecipient
-#
-#  %end for
-#%end for
   %end for
 %end for
 %for %%userdn, %%user, %%password, %%sn, %%gn, %%uid, %%aliases, %%family in %%acc

seed/openldap/tests/test_openldap.py

@@ -79,7 +79,10 @@ def test_ldap_migration():
     if 'FIRST_RUN' in environ:
         l.simple_bind_s(data['admin_dn'], data['admin_password'])
         l.passwd_s(data['user_family_dn'], data['user_family_password'], data['user_family_password'] + "2")
+    try:
         l.simple_bind_s(data['user_family_dn'], data['user_family_password'] + "2")
+    except INVALID_CREDENTIALS as err:
+        raise Exception(f'cannot find {data["user_family_dn"]} do you run script with FIRST_RUN env variables?')
 
 
 def test_ldap_remote_auth():

seed/peertube/README.md

@@ -61,9 +61,9 @@ Peertube, a federated (ActivityPub) video streaming platform.
 
 ##### external (*general.oauth2_client.external*)
 
-| Description                                              |
+| Description                                              | Values       |
-|----------------------------------------------------------|
+|----------------------------------------------------------|--------------|
-| *[oauth2_client_external](dictionaries/30_peertube.xml)* |
+| *[oauth2_client_external](dictionaries/30_peertube.xml)* | <calculated> |
 
 #### nginx (*general.nginx*)
 

seed/postfix-relay/dictionaries/30_postfix.xml

@@ -42,7 +42,7 @@
     </family>
     <family name="postfix" description="Postfix mail server">
       <variable name="postfix_mail_hostname" type="domainname" description="Nom de domaine extérieur du serveur de courriel" mandatory="True"/>
-      <variable name="postfix_relay_domains" type="domainname" description="Domaine de courriel généré localement" multi="True" mandatory="True" hidden="True"/>
+      <variable name="postfix_relay_domains" type="domainname" description="Local LTMP domain" multi="True" hidden="True"/>
       <variable name='postfix_relay_authentifications' description="Authentification sur le relai SMTP" multi="True" provider="SMTP"/>
       <family name="local_authentification_" description="Local server authentification" dynamic='postfix_relay_authentifications'>
         <variable name="local_authentification_password_" type="secret" auto_save="False" provider="SMTP:password"/>

seed/postgresql-client/README.md

@@ -18,11 +18,11 @@ Application service needs interact with a Postgresql server.
 - [odoo](../odoo/README.md)
 - [mailman](../mailman/README.md)
 - [peertube](../peertube/README.md)
+- [forgejo](../forgejo/README.md)
 - [dotclear](../dotclear/README.md)
 - [roundcube](../roundcube/README.md)
 - [vaultwarden](../vaultwarden/README.md)
 - [nextcloud](../nextcloud/README.md)
-- [gitea](../gitea/README.md)
 
 ## Linked to
 

seed/postgresql-client/dictionaries/23_postgresql.xml

@@ -12,9 +12,9 @@
   <variables>
     <family name="postgresql" description="PostgreSQL">
       <variable name="pg_client_server_domainname" type="domainname" description="Nom de domaine du serveur PostgreSQL" mandatory="True" supplier="Postgresql" hidden="True"/>
-      <variable name="pg_client_username" description="Client username" mandatory="True" hidden="True"/>
+      <variable name="pg_client_username" description="Client username" mandatory="True" hidden="True" supplier="Postgresql:username"/>
       <variable name="pg_client_password" type="password" description="Client password" mandatory="True" hidden="True" supplier="Postgresql:password"/>
-      <variable name="pg_client_database" description="Client database" mandatory="True" hidden="True"/>
+      <variable name="pg_client_database" description="Client database" mandatory="True" hidden="True" supplier="Postgresql:database"/>
       <variable name="pg_client_key_owner" type="unix_user" description="Key owner" mandatory="True" hidden="True">
         <value>apache</value>
       </variable>

seed/postgresql/README.md

@@ -15,7 +15,7 @@ Postgresql, a database.
 
 ## Dependances
 
-- [base-fedora-36](../base-fedora-36/README.md)
+- [base-fedora-37](../base-fedora-37/README.md)
   - [base-fedora](../base-fedora/README.md)
     - [systemd](../systemd/README.md)
       - [base-machine](../base-machine/README.md)
@@ -59,9 +59,9 @@ Paramétrage du serveur de gestion de bases de données PostgreSQL
 
 This a dynamic family generated from the variable "accounts.remotes".
 
-| Description                                                     | Type                                                                                                               |
+| Description                                                      | Type                                                                                                               | Values       |
-|-----------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------|
+|------------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------------|--------------|
-| **Remote IP** (*[remote_ip_](extras/accounts/00_accounts.xml)*) | [ip](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |
+| **Remote IP ** (*[remote_ip_](extras/accounts/00_accounts.xml)*) | [ip](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | <calculated> |
 
 
 - [+]: variable is multiple

seed/postgresql/applicationservice.yml

@@ -2,4 +2,4 @@ format: '0.1'
 description: Postgresql, a database
 website: https://www.postgresql.org
 depends:
-  - base-fedora-36
+  - base-fedora-37

seed/postgresql/dictionaries/22_postgresql.xml

@@ -14,7 +14,7 @@
       <file>/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt</file>
       <file>/etc/pki/tls/certs/postgresql.crt</file>
       <file owner="root" group="postgres" mode="440">/etc/pki/tls/private/postgresql.key</file>
-      <file>/tests/postgresql.yml</file>
+      <file filelist="copy_tests">/tests/postgresql.yml</file>
     </service>
   </services>
   <variables>

seed/postgresql/extras/accounts/00_accounts.xml

@@ -3,8 +3,10 @@
   <variables>
     <variable name="remotes" description="Remote clients needing an account" type="domainname" multi="True" provider="Postgresql"/>
     <family name="remote_" description="Account for " dynamic="accounts.remotes">
-      <variable name="remote_ip_" description="Remote IP" type="ip" mandatory="True"/>
+      <variable name="remote_ip_" description="Remote IP " type="ip" mandatory="True"/>
-      <variable name="password_" description="Remote password" auto_save="False" hidden="True" type="password" mandatory="True" provider="Postgresql:password"/>
+      <variable name="database_" description="Remote database " auto_save="False" hidden="True" mandatory="True" provider="Postgresql:database"/>
+      <variable name="username_" description="Remote username " auto_save="False" hidden="True" type="unix_user" mandatory="True" provider="Postgresql:username"/>
+      <variable name="password_" description="Remote password " auto_save="False" hidden="True" type="password" mandatory="True" provider="Postgresql:password"/>
     </family>
   </variables>
   <constraints>

seed/postgresql/templates/pg_hba.conf

@@ -1,3 +1,4 @@
+#RISOTTO: file://usr/share/pgsql/pg_hba.conf.sample
 # PostgreSQL Client Authentication Configuration File
 # ===================================================
 #
@@ -18,12 +19,13 @@
 #
 # (The uppercase items must be replaced by actual values.)
 #
-# The first field is the connection type: "local" is a Unix-domain
+# The first field is the connection type:
-# socket, "host" is either a plain or SSL-encrypted TCP/IP socket,
+# - "local" is a Unix-domain socket
-# "hostssl" is an SSL-encrypted TCP/IP socket, and "hostnossl" is a
+# - "host" is a TCP/IP socket (encrypted or not)
-# non-SSL TCP/IP socket.  Similarly, "hostgssenc" uses a
+# - "hostssl" is a TCP/IP socket that is SSL-encrypted
-# GSSAPI-encrypted TCP/IP socket, while "hostnogssenc" uses a
+# - "hostnossl" is a TCP/IP socket that is not SSL-encrypted
-# non-GSSAPI socket.
+# - "hostgssenc" is a TCP/IP socket that is GSSAPI-encrypted
+# - "hostnogssenc" is a TCP/IP socket that is not GSSAPI-encrypted
 #
 # DATABASE can be "all", "sameuser", "samerole", "replication", a
 # database name, or a comma-separated list thereof. The "all"
@@ -76,29 +78,32 @@
 # listen on a non-local interface via the listen_addresses
 # configuration parameter, or via the -i or -h command line switches.
 
-
+#GNUNUX @authcomment@
 
 # TYPE  DATABASE        USER            ADDRESS                 METHOD
 
-# "local" is for Unix domain socket connections only
-#GNUNUX local   all             all                                     peer
 #>GNUNUX
+#@remove-line-for-nolocal@# "local" is for Unix domain socket connections only
+#@remove-line-for-nolocal@local   all             all                                     @authmethodlocal@
 local   all         postgres	ident	map=pg_map
 #<GNUNUX
 # IPv4 local connections:
 #>GNUNUX
-# host    all             all             127.0.0.1/32            ident
+#host    all             all             127.0.0.1/32            @authmethodhost@
 hostssl	rougail_test	rougail_test	%%gateway_eth0/32	md5
 %for %%server in %%accounts.remotes
-hostssl	%%normalize_family(%%server)	%%normalize_family(%%server)	%%server	md5
+ %set %%name = %%normalize_family(%%server)
+ %set %%database = %%accounts["remote_" + %%name]["database_" + %%name]
+ %set %%username = %%accounts["remote_" + %%name]["username_" + %%name]
+hostssl	%%database	%%username	%%server	md5
 %end for
 #<GNUNUX
 # IPv6 local connections:
-#host    all             all             ::1/128                 ident
+#GNUNUX host    all             all             ::1/128                 @authmethodhost@
 # Allow replication connections from localhost, by a user with the
 # replication privilege.
 #>GNUNUX
-#local   replication     all                                     peer
+#@remove-line-for-nolocal@local   replication     all                                     @authmethodlocal@
-#host    replication     all             127.0.0.1/32            ident
+#host    replication     all             127.0.0.1/32            @authmethodhost@
-#host    replication     all             ::1/128                 ident
+#host    replication     all             ::1/128                 @authmethodhost@
 #<GNUNUX

seed/postgresql/templates/pg_ident.conf

@@ -1,12 +1,14 @@
+#RISOTTO: file://usr/share/pgsql/pg_ident.conf.sample
 # PostgreSQL User Name Maps
 # =========================
 #
-# Refer to the PostgreSQL Administrator's Guide, chapter "Client
+# Refer to the PostgreSQL documentation, chapter "Client
-# Authentication" for a complete description.  A short synopsis follows.
+# Authentication" for a complete description.  A short synopsis
+# follows.
 #
-# This file controls PostgreSQL username mapping. It maps
+# This file controls PostgreSQL user name mapping.  It maps external
-# external user names to their corresponding
+# user names to their corresponding PostgreSQL user names.  Records
-# PostgreSQL user names.  Records are of the form:
+# are of the form:
 #
 # MAPNAME  SYSTEM-USERNAME  PG-USERNAME
 #
@@ -18,24 +20,27 @@
 # existence of a record specifies that SYSTEM-USERNAME may connect as
 # PG-USERNAME.
 #
-# If SYSTEM-USERNAME starts with a slash (/), it will be treated as
+# If SYSTEM-USERNAME starts with a slash (/), it will be treated as a
-# a regular expression.  Optionally this can contain a capture (a
+# regular expression.  Optionally this can contain a capture (a
 # parenthesized subexpression).  The substring matching the capture
-# will be substituted for \1 (backslash-one) if present in PG-USERNAME.
+# will be substituted for \1 (backslash-one) if present in
+# PG-USERNAME.
 #
 # Multiple maps may be specified in this file and used by pg_hba.conf.
 #
-# No map names are defined in the default configuration.  If all system
+# No map names are defined in the default configuration.  If all
-# user names and PostgreSQL user names are the same, you don't need
+# system user names and PostgreSQL user names are the same, you don't
-# anything in this file.
+# need anything in this file.
 #
 # This file is read on server startup and when the postmaster receives
 # a SIGHUP signal.  If you edit the file on a running system, you have
-# to SIGHUP the postmaster for the changes to take effect.  You can use
+# to SIGHUP the postmaster for the changes to take effect.  You can
-# "pg_ctl reload" to do that.
+# use "pg_ctl reload" to do that.
 
 # Put your actual configuration here
 # ----------------------------------
 
 # MAPNAME       SYSTEM-USERNAME         PG-USERNAME
+#>GNUNUX
 pg_map		postgres		postgres
+#<GNUNUX

seed/postgresql/templates/postgresql.conf

@@ -1,3 +1,4 @@
+#RISOTTO: file://usr/share/pgsql/postgresql.conf.sample
 %compiler-settings
 cheetahVarStartToken = §§
 directiveStartToken = §
@@ -77,16 +78,16 @@ ident_file = '/etc/postgresql/pg_ident.conf'
 listen_addresses = '*'
 #<GNUNUX
 #port = 5432				# (change requires restart)
-#>GNUNUX
 #max_connections = 100			# (change requires restart)
+#>GNUNUX
 max_connections = §§pg_max_connections
 #<GNUNUX
 #superuser_reserved_connections = 3	# (change requires restart)
-#unix_socket_directories = '/var/run/postgresql, /tmp'	# comma-separated list of directories
+#unix_socket_directories = '/tmp'	# comma-separated list of directories
+					# (change requires restart)
 #>GNUNUX
 unix_socket_directories = '/var/run/postgresql'
 #<GNUNUX
-					# (change requires restart)
 #unix_socket_group = ''			# (change requires restart)
 #unix_socket_permissions = 0777		# begin with 0 to use octal notation
 					# (change requires restart)
@@ -107,6 +108,10 @@ unix_socket_directories = '/var/run/postgresql'
 #tcp_user_timeout = 0			# TCP_USER_TIMEOUT, in milliseconds;
 					# 0 selects the system default
 
+#client_connection_check_interval = 0	# time between checks for client
+					# disconnection while running queries;
+					# 0 for never
+
 # - Authentication -
 
 #authentication_timeout = 1min		# 1s-600s
@@ -126,7 +131,7 @@ authentication_timeout = §§{pg_authentication_timeout}s
 #ssl_ca_file = ''
 #ssl_cert_file = 'server.crt'
 #ssl_crl_file = ''
-##ssl_crl_dir = ''
+#ssl_crl_dir = ''
 #ssl_key_file = 'server.key'
 #ssl_ciphers = 'HIGH:MEDIUM:+3DES:!aNULL' # allowed SSL ciphers
 #ssl_prefer_server_ciphers = on
@@ -143,15 +148,18 @@ ssl_cert_file = '/etc/pki/tls/certs/postgresql.crt'		# (change requires restart)
 ssl_key_file = '/etc/pki/tls/private/postgresql.key'		# (change requires restart)
 #<GNUNUX
 
+
 #------------------------------------------------------------------------------
 # RESOURCE USAGE (except WAL)
 #------------------------------------------------------------------------------
 
 # - Memory -
 
-shared_buffers = 128MB			# min 128kB
+#shared_buffers = 32MB			# min 128kB
 					# (change requires restart)
+#>GNUNUX
 shared_buffers = §§{pg_shared_buffers}§§pg_shared_buffers_unit
+#<GNUNUX
 #huge_pages = try			# on, off, or try
 					# (change requires restart)
 #huge_page_size = 0			# zero for system default
@@ -177,7 +185,7 @@ maintenance_work_mem = §§{pg_maintenance_work_mem}§§pg_maintenance_work_mem_
 					#   sysv
 					#   windows
 					# (change requires restart)
-dynamic_shared_memory_type = posix	# the default is the first option
+#dynamic_shared_memory_type = posix	# the default is the first option
 					# supported by the operating system:
 					#   posix
 					#   sysv
@@ -209,7 +217,7 @@ dynamic_shared_memory_type = posix	# the default is the first option
 #bgwriter_delay = 200ms			# 10-10000ms between rounds
 #bgwriter_lru_maxpages = 100		# max buffers written/round, 0 disables
 #bgwriter_lru_multiplier = 2.0		# 0-10.0 multiplier on buffers scanned/round
-#bgwriter_flush_after = 512kB		# measured in pages, 0 disables
+#bgwriter_flush_after = 0		# measured in pages, 0 disables
 
 # - Asynchronous Behavior -
 
@@ -219,9 +227,9 @@ dynamic_shared_memory_type = posix	# the default is the first option
 #max_worker_processes = 8		# (change requires restart)
 #max_parallel_workers_per_gather = 2	# taken from max_parallel_workers
 #max_parallel_maintenance_workers = 2	# taken from max_parallel_workers
-#parallel_leader_participation = on
 #max_parallel_workers = 8		# maximum number of max_worker_processes that
 					# can be used in parallel operations
+#parallel_leader_participation = on
 #old_snapshot_threshold = -1		# 1min-60d; -1 disables; 0 is immediate
 					# (change requires restart)
 
@@ -268,13 +276,14 @@ wal_buffers = §§pg_wal_buffers
 
 #checkpoint_timeout = 5min		# range 30s-1d
 #checkpoint_completion_target = 0.9	# checkpoint target duration, 0.0 - 1.0
-#checkpoint_flush_after = 256kB		# measured in pages, 0 disables
+#checkpoint_flush_after = 0		# measured in pages, 0 disables
 #checkpoint_warning = 30s		# 0 disables
-#>GNUNUX
 #max_wal_size = 1GB
+#min_wal_size = 80MB
+#>GNUNUX
 max_wal_size = §§{pg_max_wal_size}§§pg_max_wal_size_unit
-#<GNUNUX
 min_wal_size = 80MB
+#<GNUNUX
 
 # - Archiving -
 
@@ -422,8 +431,8 @@ min_wal_size = 80MB
 #cpu_tuple_cost = 0.01			# same scale as above
 #cpu_index_tuple_cost = 0.005		# same scale as above
 #cpu_operator_cost = 0.0025		# same scale as above
-#parallel_tuple_cost = 0.1		# same scale as above
 #parallel_setup_cost = 1000.0	# same scale as above
+#parallel_tuple_cost = 0.1		# same scale as above
 #min_parallel_table_scan_size = 8MB
 #min_parallel_index_scan_size = 512kB
 #effective_cache_size = 4GB
@@ -440,7 +449,6 @@ effective_cache_size = §§{pg_effective_cache_size}§§pg_effective_cache_size_
 					# query is more expensive than this;
 					# -1 disables
 
-
 # - Genetic Query Optimizer -
 
 #geqo = on
@@ -474,6 +482,7 @@ effective_cache_size = §§{pg_effective_cache_size}§§pg_effective_cache_size_
 					# stderr, csvlog, syslog, and eventlog,
 					# depending on platform.  csvlog
 					# requires logging_collector to be on.
+
 # This is used when logging to stderr:
 #GNUNUX: logging_collector = on		# Enable capturing of stderr and csvlog
 					# into log files. Required to be on for
@@ -487,6 +496,11 @@ effective_cache_size = §§{pg_effective_cache_size}§§pg_effective_cache_size_
 					# can include strftime() escapes
 #log_file_mode = 0600			# creation mode for log files,
 					# begin with 0 to use octal notation
+#GNUNUX: log_rotation_age = 1d			# Automatic rotation of logfiles will
+					# happen after that time.  0 disables.
+#GNUNUX: log_rotation_size = 0			# Automatic rotation of logfiles will
+					# happen after that much log output.
+					# 0 disables.
 #GNUNUX: log_truncate_on_rotation = on		# If on, an existing log file with the
 					# same name as the new log file will be
 					# truncated rather than appended to.
@@ -495,11 +509,6 @@ effective_cache_size = §§{pg_effective_cache_size}§§pg_effective_cache_size_
 					# or size-driven rotation.  Default is
 					# off, meaning append to existing files
 					# in all cases.
-#GNUNUX: log_rotation_age = 1d			# Automatic rotation of logfiles will
-					# happen after that time.  0 disables.
-#GNUNUX: log_rotation_size = 0			# Automatic rotation of logfiles will
-					# happen after that much log output.
-					# 0 disables.
 #>GNUNUX
 log_destination = 'syslog'
 #<GNUNUX
@@ -620,7 +629,10 @@ log_destination = 'syslog'
 					# than the specified size in kilobytes;
 					# -1 disables, 0 logs all temp files
 #FIXME en dure ?
+#>GNUNUX
+#log_timezone = 'GMT'
 log_timezone = 'Europe/Paris'
+#<GNUNUX
 
 
 #------------------------------------------------------------------------------
@@ -741,10 +753,16 @@ autovacuum = off
 
 # - Locale and Formatting -
 
+#datestyle = 'iso, mdy'
+#>GNUNUX
 datestyle = 'iso, dmy'
+#<GNUNUX
 #intervalstyle = 'postgres'
+#timezone = 'GMT'
+#>GNUNUX
 #FIXME en dure ?
 timezone = 'Europe/Paris'
+#<GNUNUX
 #timezone_abbreviations = 'Default'     # Select the set of available time zone
 					# abbreviations.  Currently, there are
 					#   Default
@@ -758,15 +776,24 @@ timezone = 'Europe/Paris'
 					# encoding
 
 # These settings are initialized by initdb, but they can be changed.
-#FIXME en dure ?
+#lc_messages = 'C'			# locale for system error message
-lc_messages = 'fr_FR.UTF-8'			# locale for system error message
 					# strings
-lc_monetary = 'fr_FR.UTF-8'			# locale for monetary formatting
+#lc_monetary = 'C'			# locale for monetary formatting
-lc_numeric = 'fr_FR.UTF-8'			# locale for number formatting
+#lc_numeric = 'C'			# locale for number formatting
-lc_time = 'fr_FR.UTF-8'				# locale for time formatting
+#lc_time = 'C'				# locale for time formatting
+#>GNUNUX
+#FIXME en dure ?
+lc_messages = 'fr_FR.UTF-8'
+lc_monetary = 'fr_FR.UTF-8'
+lc_numeric = 'fr_FR.UTF-8'
+lc_time = 'fr_FR.UTF-8'	
+#<GNUNUX
 
 # default configuration for text search
+#>GNUNUX
+#default_text_search_config = 'pg_catalog.french'
 default_text_search_config = 'pg_catalog.french'
+#<GNUNUX
 
 # - Shared Library Preloading -
 

seed/postgresql/templates/postgresql.sql

@@ -1,12 +1,15 @@
-%set %%new_accounts = [('rougail_test', %%get_password(server_name=%%domain_name_eth0, username='rougail_test', description="remote", type="cleartext", hide=%%hide_secret, temporary=True))]
+#RISOTTO: do not compare
+%set %%new_accounts = [('rougail_test', 'rougail_test', %%get_password(server_name=%%domain_name_eth0, username='rougail_test', description="remote", type="cleartext", hide=%%hide_secret, temporary=True))]
 %for %%server in %%accounts.remotes
  %set %%name = %%normalize_family(%%server)
+ %set %%database = %%accounts["remote_" + %%name]["database_" + %%name]
+ %set %%username = %%accounts["remote_" + %%name]["username_" + %%name]
  %set %%password = %%accounts["remote_" + %%name]["password_" + %%name]
-%%new_accounts.append((%%name, %%password))%slurp
+%%new_accounts.append((%%database, %%username, %%password))%slurp
 %end for
-%for %%name, %%password in %%new_accounts
+%for %%database, %%name, %%password in %%new_accounts
 CREATE DATABASE "%%name";
 CREATE ROLE "%%name" WITH LOGIN ENCRYPTED PASSWORD '%%password';
 ALTER USER "%%name" PASSWORD '%%password';
-GRANT ALL PRIVILEGES ON DATABASE "%%name" TO "%%name";
+GRANT ALL PRIVILEGES ON DATABASE "%%name" TO "%%database";
 %end for

seed/redis-client/README.md

@@ -19,11 +19,11 @@ Application service needs interact with a Redis server.
 
 #### Redis (*general.redis*)
 
-| Description                                                                                   | Type                                                                                                                       | Supplier       |
+| Description                                                                                   | Type                                                                                                                       | Supplier       | Values       |
-|-----------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|----------------|
+|-----------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|----------------|--------------|
-| **Nom de domaine du serveur** (*[redis_client_server_domainname](dictionaries/23_redis.xml)*) | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Redis          |
+| **Nom de domaine du serveur** (*[redis_client_server_domainname](dictionaries/23_redis.xml)*) | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Redis          |              |
-| **Nom d'utilisateur** (*[redis_client_username](dictionaries/23_redis.xml)*)                  | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable)     |                |
+| **Nom d'utilisateur** (*[redis_client_username](dictionaries/23_redis.xml)*)                  | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable)     | Redis:username | <calculated> |
-| **Mot de passe de connexion** (*[redis_client_password](dictionaries/23_redis.xml)*)          | [password](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable)   | Redis:password |
+| **Mot de passe de connexion** (*[redis_client_password](dictionaries/23_redis.xml)*)          | [password](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable)   | Redis:password | <calculated> |
 
 
 - [+]: variable is multiple
@@ -33,9 +33,9 @@ Application service needs interact with a Redis server.
 
 - [peertube](../peertube/README.md)
 - [piwigo](../piwigo/README.md)
+- [forgejo](../forgejo/README.md)
 - [roundcube](../roundcube/README.md)
 - [nextcloud](../nextcloud/README.md)
-- [gitea](../gitea/README.md)
 
 ## Linked to
 

seed/redis-client/dictionaries/23_redis.xml

@@ -11,7 +11,7 @@
   <variables>
     <family name="redis" description="Redis">
       <variable name="redis_client_server_domainname" type="domainname" description="Nom de domaine du serveur" mandatory="True" supplier="Redis"/>
-      <variable name="redis_client_username" description="Nom d'utilisateur" mandatory="True"/>
+      <variable name="redis_client_username" description="Nom d'utilisateur" mandatory="True" supplier="Redis:username"/>
       <variable name="redis_client_password" type="password" description="Mot de passe de connexion" mandatory="True" supplier="Redis:password"/>
       <variable name="redis_client_key_owner" type="unix_user" description="Key owner" mandatory="True" hidden="True">
         <value>apache</value>

seed/redis/README.md

@@ -15,7 +15,7 @@ Redis, an in-memory data structure store.
 
 ## Dependances
 
-- [base-fedora-36](../base-fedora-36/README.md)
+- [base-fedora-37](../base-fedora-37/README.md)
   - [base-fedora](../base-fedora/README.md)
     - [systemd](../systemd/README.md)
       - [base-machine](../base-machine/README.md)
@@ -31,20 +31,20 @@ Redis, an in-memory data structure store.
 Configuration du service de cache Redis
 
 | Description                                                                                                                | Values       | Help                     | Type                                                                                                                   | Choices                                                                                                                                     |
-|----------------------------------------------------------------------------------------------------------------------------|------------|--------------------------|------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------|
+|----------------------------------------------------------------------------------------------------------------------------|--------------|--------------------------|------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------|
-| **Nom de l'instance** (*[redis_instance_name](dictionaries/90_redis.xml)*)                                                 |            |                          | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |                                                                                                                                             |
+| **Nom de l'instance** (*[redis_instance_name](dictionaries/90_redis.xml)*)                                                 | <calculated> |                          | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |                                                                                                                                             |
 | **Activer la persistence des données** (*[redis_save](dictionaries/90_redis.xml)*)                                         | False        |                          | [string](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |                                                                                                                                             |
 | **Quantité de mémoire utilisable par Redis** (*[redis_max_memory](dictionaries/90_redis.xml)*)                             | 512          | La valeur est en Mo      | [number](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |                                                                                                                                             |
 | **Méthode de libération de mémoire lorsque le maximum est atteint** (*[redis_memory_policy](dictionaries/90_redis.xml)*)   | noeviction   |                          | [choice](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | volatile-lru<br />allkeys-lru<br />volatile-lfu<br />allkeys-lfu<br />volatile-random<br />allkeys-random<br />volatile-ttl<br />noeviction |
-| **Intervalle entre le dernier envoi de paquet TCP et la réponse ACK** (*[redis_tcp_keepalive](dictionaries/90_redis.xml)*) | 60         | La valeur est en seconde | [number](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |                                                                                                                                             |
+| **Intervalle entre le dernier envoi de paquet TCP et la réponse ACK** (*[redis_tcp_keepalive](dictionaries/90_redis.xml)*) | 300          | La valeur est en seconde | [number](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |                                                                                                                                             |
 | **Nombre de client maximum autorisé** (*[redis_max_clients](dictionaries/90_redis.xml)*)                                   | 10000        |                          | [number](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) |                                                                                                                                             |
 
 ### Account (*account*)
 
-| Description                                                                            | Type                                                                                                                       | Provider   |
+| Description                                                                            | Type                                                                                                                       | Provider   | Values       |
-|----------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|------------|
+|----------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|------------|--------------|
-| **Remote Redis client needing an account** (*[remote](extras/account/00_account.xml)*) | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Redis      |
+| **Remote Redis client needing an account** (*[remote](extras/account/00_account.xml)*) | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | Redis      |              |
-| **Remote IP** (*[remote_ip](extras/account/00_account.xml)*)                           | [ip](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable)         |            |
+| **Remote IP** (*[remote_ip](extras/account/00_account.xml)*)                           | [ip](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable)         |            | <calculated> |
 
 
 - [+]: variable is multiple

seed/redis/applicationservice.yml

@@ -2,4 +2,4 @@ format: '0.1'
 description: Redis, an in-memory data structure store
 website: https://redis.io/
 depends:
-  - base-fedora-36
+  - base-fedora-37

seed/redis/dictionaries/90_redis.xml

@@ -9,7 +9,7 @@
       <file>/etc/pki/ca-trust/source/anchors/ca_Redis.crt</file>
       <file>/etc/pki/tls/certs/redis.crt</file>
       <file owner="root" group="redis" mode="440">/etc/pki/tls/private/redis.key</file>
-	  <file>/tests/redis.yml</file>
+      <file filelist="copy_tests">/tests/redis.yml</file>
     </service>
   </services>
   <variables>
@@ -33,7 +33,7 @@
         <choice>noeviction</choice>
       </variable>
       <variable name="redis_tcp_keepalive" type="number" description="Intervalle entre le dernier envoi de paquet TCP et la réponse ACK" help="La valeur est en seconde">
-        <value>60</value>
+        <value>300</value>
       </variable>
       <variable name="redis_max_clients" type="number" description="Nombre de client maximum autorisé">
         <value>10000</value>

seed/redis/extras/account/00_account.xml

@@ -3,6 +3,7 @@
   <variables>
     <variable name="remote" description="Remote Redis client needing an account" type="domainname" provider="Redis" mandatory="True"/>
     <variable name="remote_ip" description="Remote IP" type="ip" mandatory="True"/>
+    <variable name="username" auto_save="False" hidden="True" type="password" mandatory="True" provider="Redis:username"/>
     <variable name="password" auto_save="False" hidden="True" type="password" mandatory="True" provider="Redis:password"/>
   </variables>
   <constraints>

seed/redis/templates/redis.conf

@@ -32,8 +32,17 @@
 # If instead you are interested in using includes to override configuration
 # options, it is better to use include as the last line.
 #
+# Included paths may contain wildcards. All files matching the wildcards will
+# be included in alphabetical order.
+# Note that if an include path contains a wildcards but no files match it when
+# the server is started, the include statement will be ignored and no error will
+# be emitted.  It is safe, therefore, to include wildcard files from empty
+# directories.
+#
 # include /path/to/local.conf
 # include /path/to/other.conf
+# include /path/to/fragments/*.conf
+#
 
 ################################## MODULES #####################################
 
@@ -51,7 +60,7 @@
 # the "bind" configuration directive, followed by one or more IP addresses.
 # Each address can be prefixed by "-", which means that redis will not fail to
 # start if the address is not available. Being not available only refers to
-# addresses that does not correspond to any network interfece. Addresses that
+# addresses that does not correspond to any network interface. Addresses that
 # are already in use will always fail, and unsupported protocols will always BE
 # silently skipped.
 #
@@ -70,36 +79,65 @@
 # running on).
 #
 # IF YOU ARE SURE YOU WANT YOUR INSTANCE TO LISTEN TO ALL THE INTERFACES
-# JUST COMMENT OUT THE FOLLOWING LINE.
+# COMMENT OUT THE FOLLOWING LINE.
+#
+# You will also need to set a password unless you explicitly disable protected
+# mode.
 # ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 #>GNUNUX
 #bind 127.0.0.1 -::1
 bind 0.0.0.0
 #<GNUNUX
 
+# By default, outgoing connections (from replica to master, from Sentinel to
+# instances, cluster bus, etc.) are not bound to a specific local address. In
+# most cases, this means the operating system will handle that based on routing
+# and the interface through which the connection goes out.
+#
+# Using bind-source-addr it is possible to configure a specific address to bind
+# to, which may also affect how the connection gets routed.
+#
+# Example:
+#
+# bind-source-addr 10.0.0.1
+
 # Protected mode is a layer of security protection, in order to avoid that
 # Redis instances left open on the internet are accessed and exploited.
 #
-# When protected mode is on and if:
+# When protected mode is on and the default user has no password, the server
-#
+# only accepts local connections from the IPv4 address (127.0.0.1), IPv6 address
-# 1) The server is not binding explicitly to a set of addresses using the
+# (::1) or Unix domain sockets.
-#    "bind" directive.
-# 2) No password is configured.
-#
-# The server only accepts connections from clients connecting from the
-# IPv4 and IPv6 loopback addresses 127.0.0.1 and ::1, and from Unix domain
-# sockets.
 #
 # By default protected mode is enabled. You should disable it only if
 # you are sure you want clients from other hosts to connect to Redis
-# even if no authentication is configured, nor a specific set of interfaces
+# even if no authentication is configured.
-# are explicitly listed using the "bind" directive.
+protected-mode yes
-#FIXMEprotected-mode yes
+
-protected-mode no
+# Redis uses default hardened security configuration directives to reduce the
+# attack surface on innocent users. Therefore, several sensitive configuration
+# directives are immutable, and some potentially-dangerous commands are blocked.
+#
+# Configuration directives that control files that Redis writes to (e.g., 'dir'
+# and 'dbfilename') and that aren't usually modified during runtime
+# are protected by making them immutable.
+#
+# Commands that can increase the attack surface of Redis and that aren't usually
+# called by users are blocked by default.
+#
+# These can be exposed to either all connections or just local ones by setting
+# each of the configs listed below to either of these values:
+#
+# no    - Block for any connection (remain immutable)
+# yes   - Allow for any connection (no protection)
+# local - Allow only for local connections. Ones originating from the
+#         IPv4 address (127.0.0.1), IPv6 address (::1) or Unix domain sockets.
+#
+# enable-protected-configs no
+# enable-debug-command no
+# enable-module-command no
 
 # Accept connections on the specified port, default is 6379 (IANA #815344).
 # If port 0 is specified Redis will not listen on a TCP socket.
-# GNUNUX: for php/php-fpm
 port 6379
 
 # TCP listen() backlog.
@@ -142,6 +180,17 @@ timeout 0
 #tcp-keepalive 300
 tcp-keepalive %%redis_tcp_keepalive
 #<GNUNUX
+
+# Apply OS-specific mechanism to mark the listening socket with the specified
+# ID, to support advanced routing and filtering capabilities.
+#
+# On Linux, the ID represents a connection mark.
+# On FreeBSD, the ID represents a socket cookie ID.
+# On OpenBSD, the ID represents a route table ID.
+#
+# The default value is 0, which implies no marking is required.
+# socket-mark-id 0
+
 ################################# TLS/SSL #####################################
 
 # By default, TLS/SSL is disabled. To enable it, the "tls-port" configuration
@@ -384,10 +433,10 @@ proc-title-template "{title} {listen-addr} {server-mode}"
 
 # Save the DB to disk.
 #
-# save <seconds> <changes>
+# save <seconds> <changes> [<seconds> <changes> ...]
 #
-# Redis will save the DB if both the given number of seconds and the given
+# Redis will save the DB if the given number of seconds elapsed and it
-# number of write operations against the DB occurred.
+# surpassed the given number of write operations against the DB.
 #
 # Snapshotting can be completely disabled with a single empty string argument
 # as in following example:
@@ -395,23 +444,16 @@ proc-title-template "{title} {listen-addr} {server-mode}"
 # save ""
 #
 # Unless specified otherwise, by default Redis will save the DB:
-#   * After 3600 seconds (an hour) if at least 1 key changed
+#   * After 3600 seconds (an hour) if at least 1 change was performed
-#   * After 300 seconds (5 minutes) if at least 100 keys changed
+#   * After 300 seconds (5 minutes) if at least 100 changes were performed
-#   * After 60 seconds if at least 10000 keys changed
+#   * After 60 seconds if at least 10000 changes were performed
 #
-# You can set these explicitly by uncommenting the three following lines.
+# You can set these explicitly by uncommenting the following line.
 #
-# save 3600 1
+# save 3600 1 300 100 60 10000
-# save 300 100
-# save 60 10000
-#   save ""
 #>GNUNUX
 %if %%redis_save
-save 900 1
+save 900 1 300 10 60 10000
-save 300 10
-save 60 10000
-%else
-save ""
 %end if
 #<GNUNUX
 
@@ -445,13 +487,13 @@ rdbcompression yes
 # tell the loading code to skip the check.
 rdbchecksum yes
 
-# Enables or disables full sanitation checks for ziplist and listpack etc when
+# Enables or disables full sanitization checks for ziplist and listpack etc when
 # loading an RDB or RESTORE payload. This reduces the chances of a assertion or
 # crash later on while processing commands.
 # Options:
-#   no         - Never perform full sanitation
+#   no         - Never perform full sanitization
-#   yes        - Always perform full sanitation
+#   yes        - Always perform full sanitization
-#   clients    - Perform full sanitation only for user connections.
+#   clients    - Perform full sanitization only for user connections.
 #                Excludes: RDB files, RESTORE commands received from the master
 #                connection, and client connections which have the
 #                skip-sanitize-payload ACL flag.
@@ -540,9 +582,10 @@ dir /srv/redis
 #    still reply to client requests, possibly with out of date data, or the
 #    data set may just be empty if this is the first synchronization.
 #
-# 2) If replica-serve-stale-data is set to 'no' the replica will reply with
+# 2) If replica-serve-stale-data is set to 'no' the replica will reply with error
-#    an error "SYNC with master in progress" to all commands except:
+#    "MASTERDOWN Link with MASTER is down and replica-serve-stale-data is set to 'no'"
-#    INFO, REPLICAOF, AUTH, PING, SHUTDOWN, REPLCONF, ROLE, CONFIG, SUBSCRIBE,
+#    to all data access commands, excluding commands such as:
+#    INFO, REPLICAOF, AUTH, SHUTDOWN, REPLCONF, ROLE, CONFIG, SUBSCRIBE,
 #    UNSUBSCRIBE, PSUBSCRIBE, PUNSUBSCRIBE, PUBLISH, PUBSUB, COMMAND, POST,
 #    HOST and LATENCY.
 #
@@ -591,7 +634,7 @@ replica-read-only yes
 #
 # With slow disks and fast (large bandwidth) networks, diskless replication
 # works better.
-repl-diskless-sync no
+repl-diskless-sync yes
 
 # When diskless replication is enabled, it is possible to configure the delay
 # the server waits in order to spawn the child that transfers the RDB via socket
@@ -605,6 +648,12 @@ repl-diskless-sync no
 # it entirely just set it to 0 seconds and the transfer will start ASAP.
 repl-diskless-sync-delay 5
 
+# When diskless replication is enabled with a delay, it is possible to let
+# the replication start before the maximum delay is reached if the maximum
+# number of replicas expected have connected. Default of 0 means that the
+# maximum is not defined and Redis will wait the full delay.
+repl-diskless-sync-max-replicas 0
+
 # -----------------------------------------------------------------------------
 # WARNING: RDB diskless load is experimental. Since in this setup the replica
 # does not immediately store an RDB on disk, it may cause data loss during
@@ -619,19 +668,23 @@ repl-diskless-sync-delay 5
 #
 # In many cases the disk is slower than the network, and storing and loading
 # the RDB file may increase replication time (and even increase the master's
-# Copy on Write memory and salve buffers).
+# Copy on Write memory and replica buffers).
 # However, parsing the RDB file directly from the socket may mean that we have
 # to flush the contents of the current database before the full rdb was
 # received. For this reason we have the following options:
 #
 # "disabled"    - Don't use diskless load (store the rdb file to the disk first)
 # "on-empty-db" - Use diskless load only when it is completely safe.
-# "swapdb"      - Keep a copy of the current db contents in RAM while parsing
+# "swapdb"      - Keep current db contents in RAM while parsing the data directly
-#                 the data directly from the socket. note that this requires
+#                 from the socket. Replicas in this mode can keep serving current
-#                 sufficient memory, if you don't have it, you risk an OOM kill.
+#                 data set while replication is in progress, except for cases where
+#                 they can't recognize master as having a data set from same
+#                 replication history.
+#                 Note that this requires sufficient memory, if you don't have it,
+#                 you risk an OOM kill.
 repl-diskless-load disabled
 
-# Replicas send PINGs to server in a predefined interval. It's possible to
+# Master send PINGs to its replicas in a predefined interval. It's possible to
 # change this interval with the repl_ping_replica_period option. The default
 # value is 10 seconds.
 #
@@ -706,6 +759,31 @@ repl-disable-tcp-nodelay no
 # By default the priority is 100.
 replica-priority 100
 
+# The propagation error behavior controls how Redis will behave when it is
+# unable to handle a command being processed in the replication stream from a master
+# or processed while reading from an AOF file. Errors that occur during propagation
+# are unexpected, and can cause data inconsistency. However, there are edge cases
+# in earlier versions of Redis where it was possible for the server to replicate or persist
+# commands that would fail on future versions. For this reason the default behavior
+# is to ignore such errors and continue processing commands.
+#
+# If an application wants to ensure there is no data divergence, this configuration
+# should be set to 'panic' instead. The value can also be set to 'panic-on-replicas'
+# to only panic when a replica encounters an error on the replication stream. One of
+# these two panic values will become the default value in the future once there are
+# sufficient safety mechanisms in place to prevent false positive crashes.
+#
+# propagation-error-behavior ignore
+
+# Replica ignore disk write errors controls the behavior of a replica when it is
+# unable to persist a write command received from its master to disk. By default,
+# this configuration is set to 'no' and will crash the replica in this condition.
+# It is not recommended to change this default, however in order to be compatible
+# with older versions of Redis this config can be toggled to 'yes' which will just
+# log a warning and execute the write command it got from the master.
+#
+# replica-ignore-disk-write-errors no
+
 # -----------------------------------------------------------------------------
 # By default, Redis Sentinel includes all replicas in its reports. A replica
 # can be excluded from Redis Sentinel's announcements. An unannounced replica
@@ -837,10 +915,12 @@ replica-priority 100
 #  off          Disable the user: it's no longer possible to authenticate
 #               with this user, however the already authenticated connections
 #               will still work.
-#  skip-sanitize-payload    RESTORE dump-payload sanitation is skipped.
+#  skip-sanitize-payload    RESTORE dump-payload sanitization is skipped.
 #  sanitize-payload         RESTORE dump-payload is sanitized (default).
-#  +<command>   Allow the execution of that command
+#  +<command>   Allow the execution of that command.
-#  -<command>   Disallow the execution of that command
+#               May be used with `|` for allowing subcommands (e.g "+config|get")
+#  -<command>   Disallow the execution of that command.
+#               May be used with `|` for blocking subcommands (e.g "-config|set")
 #  +@<category> Allow the execution of all the commands in such category
 #               with valid categories are like @admin, @set, @sortedset, ...
 #               and so forth, see the full list in the server.c file where
@@ -848,10 +928,11 @@ replica-priority 100
 #               The special category @all means all the commands, but currently
 #               present in the server, and that will be loaded in the future
 #               via modules.
-#  +<command>|subcommand    Allow a specific subcommand of an otherwise
+#  +<command>|first-arg  Allow a specific first argument of an otherwise
-#                           disabled command. Note that this form is not
+#                        disabled command. It is only supported on commands with
-#                           allowed as negative like -DEBUG|SEGFAULT, but
+#                        no sub-commands, and is not allowed as negative form
-#                           only additive starting with "+".
+#                        like -SELECT|1, only additive starting with "+". This
+#                        feature is deprecated and may be removed in the future.
 #  allcommands  Alias for +@all. Note that it implies the ability to execute
 #               all the future commands loaded via the modules system.
 #  nocommands   Alias for -@all.
@@ -859,6 +940,10 @@ replica-priority 100
 #               commands. For instance ~* allows all the keys. The pattern
 #               is a glob-style pattern like the one of KEYS.
 #               It is possible to specify multiple patterns.
+# %R~<pattern>  Add key read pattern that specifies which keys can be read 
+#               from.
+# %W~<pattern>  Add key write pattern that specifies which keys can be
+#               written to. 
 #  allkeys      Alias for ~*
 #  resetkeys    Flush the list of allowed keys patterns.
 #  &<pattern>   Add a glob-style pattern of Pub/Sub channels that can be
@@ -884,6 +969,14 @@ replica-priority 100
 #  reset        Performs the following actions: resetpass, resetkeys, off,
 #               -@all. The user returns to the same state it has immediately
 #               after its creation.
+# (<options>)   Create a new selector with the options specified within the
+#               parentheses and attach it to the user. Each option should be 
+#               space separated. The first character must be ( and the last 
+#               character must be ).
+# clearselectors            Remove all of the currently attached selectors. 
+#                           Note this does not change the "root" user permissions,
+#                           which are the permissions directly applied onto the
+#                           user (outside the parentheses).
 #
 # ACL rules can be specified in any order: for instance you can start with
 # passwords, then flags, or key patterns. However note that the additive
@@ -905,10 +998,44 @@ replica-priority 100
 #
 # Basically ACL rules are processed left-to-right.
 #
+# The following is a list of command categories and their meanings:
+# * keyspace - Writing or reading from keys, databases, or their metadata 
+#     in a type agnostic way. Includes DEL, RESTORE, DUMP, RENAME, EXISTS, DBSIZE,
+#     KEYS, EXPIRE, TTL, FLUSHALL, etc. Commands that may modify the keyspace,
+#     key or metadata will also have `write` category. Commands that only read
+#     the keyspace, key or metadata will have the `read` category.
+# * read - Reading from keys (values or metadata). Note that commands that don't
+#     interact with keys, will not have either `read` or `write`.
+# * write - Writing to keys (values or metadata)
+# * admin - Administrative commands. Normal applications will never need to use
+#     these. Includes REPLICAOF, CONFIG, DEBUG, SAVE, MONITOR, ACL, SHUTDOWN, etc.
+# * dangerous - Potentially dangerous (each should be considered with care for
+#     various reasons). This includes FLUSHALL, MIGRATE, RESTORE, SORT, KEYS,
+#     CLIENT, DEBUG, INFO, CONFIG, SAVE, REPLICAOF, etc.
+# * connection - Commands affecting the connection or other connections.
+#     This includes AUTH, SELECT, COMMAND, CLIENT, ECHO, PING, etc.
+# * blocking - Potentially blocking the connection until released by another
+#     command.
+# * fast - Fast O(1) commands. May loop on the number of arguments, but not the
+#     number of elements in the key.
+# * slow - All commands that are not Fast.
+# * pubsub - PUBLISH / SUBSCRIBE related
+# * transaction - WATCH / MULTI / EXEC related commands.
+# * scripting - Scripting related.
+# * set - Data type: sets related.
+# * sortedset - Data type: zsets related.
+# * list - Data type: lists related.
+# * hash - Data type: hashes related.
+# * string - Data type: strings related.
+# * bitmap - Data type: bitmaps related.
+# * hyperloglog - Data type: hyperloglog related.
+# * geo - Data type: geo related.
+# * stream - Data type: streams related.
+#
 # For more information about ACL configuration please refer to
 # the Redis web site at https://redis.io/topics/acl
 #>GNUNUX
-user %%normalize_family(%%account.remote) on >%%account.password ~* &* +@all
+user %%account.username on >%%account.password ~* &* +@all
 #<GNUNUX
 
 # ACL LOG
@@ -937,7 +1064,7 @@ acllog-max-len 128
 # AUTH <password> as usually, or more explicitly with AUTH default <password>
 # if they follow the new protocol: both will work.
 #
-# The requirepass is not compatable with aclfile option and the ACL LOAD
+# The requirepass is not compatible with aclfile option and the ACL LOAD
 # command, these will cause requirepass to be ignored.
 #
 # requirepass foobared
@@ -954,15 +1081,7 @@ requirepass %%account.password
 # allchannels: grants access to all Pub/Sub channels
 # resetchannels: revokes access to all Pub/Sub channels
 #
-# To ensure backward compatibility while upgrading Redis 6.0, acl-pubsub-default
+# From Redis 7.0, acl-pubsub-default defaults to 'resetchannels' permission.
-# defaults to the 'allchannels' permission.
-#
-# Future compatibility note: it is very likely that in a future version of Redis
-# the directive's default of 'allchannels' will be changed to 'resetchannels' in
-# order to provide better out-of-the-box Pub/Sub security. Therefore, it is
-# recommended that you explicitly define Pub/Sub permissions for all users
-# rather then rely on implicit default values. Once you've set explicit
-# Pub/Sub for all existing users, you should uncomment the following line.
 #
 # acl-pubsub-default resetchannels
 
@@ -1186,7 +1305,7 @@ replica-lazy-flush no
 
 lazyfree-lazy-user-del no
 
-# FLUSHDB, FLUSHALL, and SCRIPT FLUSH support both asynchronous and synchronous
+# FLUSHDB, FLUSHALL, SCRIPT FLUSH and FUNCTION FLUSH support both asynchronous and synchronous
 # deletion, which can be controlled by passing the [SYNC|ASYNC] flags into the
 # commands. When neither flag is passed, this directive will be used to determine
 # if the data should be deleted asynchronously.
@@ -1231,7 +1350,7 @@ lazyfree-lazy-user-flush no
 # Usually threading reads doesn't help much.
 #
 # NOTE 1: This configuration directive cannot be changed at runtime via
-# CONFIG SET. Aso this feature currently does not work when SSL is
+# CONFIG SET. Also, this feature currently does not work when SSL is
 # enabled.
 #
 # NOTE 2: If you want to test the Redis speedup using redis-benchmark, make
@@ -1249,7 +1368,7 @@ lazyfree-lazy-user-flush no
 # attempt to have background child processes killed before all others, and
 # replicas killed before masters.
 #
-# Redis supports three options:
+# Redis supports these options:
 #
 # no:       Don't make changes to oom-score-adj (default).
 # yes:      Alias to "relative" see below.
@@ -1305,10 +1424,39 @@ disable-thp yes
 
 appendonly no
 
-# The name of the append only file (default: "appendonly.aof")
+# The base name of the append only file.
+#
+# Redis 7 and newer use a set of append-only files to persist the dataset
+# and changes applied to it. There are two basic types of files in use:
+#
+# - Base files, which are a snapshot representing the complete state of the
+#   dataset at the time the file was created. Base files can be either in
+#   the form of RDB (binary serialized) or AOF (textual commands).
+# - Incremental files, which contain additional commands that were applied
+#   to the dataset following the previous file.
+#
+# In addition, manifest files are used to track the files and the order in
+# which they were created and should be applied.
+#
+# Append-only file names are created by Redis following a specific pattern.
+# The file name's prefix is based on the 'appendfilename' configuration
+# parameter, followed by additional information about the sequence and type.
+#
+# For example, if appendfilename is set to appendonly.aof, the following file
+# names could be derived:
+#
+# - appendonly.aof.1.base.rdb as a base file.
+# - appendonly.aof.1.incr.aof, appendonly.aof.2.incr.aof as incremental files.
+# - appendonly.aof.manifest as a manifest file.
 
 appendfilename "appendonly.aof"
 
+# For convenience, Redis stores all persistent append-only files in a dedicated
+# directory. The name of the directory is determined by the appenddirname
+# configuration parameter.
+
+appenddirname "appendonlydir"
+
 # The fsync() call tells the Operating System to actually write data on disk
 # instead of waiting for more data in the output buffer. Some OS will really flush
 # data on disk, some other OS will just try to do it ASAP.
@@ -1348,7 +1496,7 @@ appendfsync everysec
 # BGSAVE or BGREWRITEAOF is in progress.
 #
 # This means that while another child is saving, the durability of Redis is
-# the same as "appendfsync none". In practical terms, this means that it is
+# the same as "appendfsync no". In practical terms, this means that it is
 # possible to lose up to 30 seconds of log in the worst scenario (with the
 # default Linux settings).
 #
@@ -1401,34 +1549,69 @@ auto-aof-rewrite-min-size 64mb
 # will be found.
 aof-load-truncated yes
 
-# When rewriting the AOF file, Redis is able to use an RDB preamble in the
+# Redis can create append-only base files in either RDB or AOF formats. Using
-# AOF file for faster rewrites and recoveries. When this option is turned
+# the RDB format is always faster and more efficient, and disabling it is only
-# on the rewritten AOF file is composed of two different stanzas:
+# supported for backward compatibility purposes.
-#
-#   [RDB file][AOF tail]
-#
-# When loading, Redis recognizes that the AOF file starts with the "REDIS"
-# string and loads the prefixed RDB file, then continues loading the AOF
-# tail.
 aof-use-rdb-preamble yes
 
-################################ LUA SCRIPTING  ###############################
+# Redis supports recording timestamp annotations in the AOF to support restoring
+# the data from a specific point-in-time. However, using this capability changes
+# the AOF format in a way that may not be compatible with existing AOF parsers.
+aof-timestamp-enabled no
 
-# Max execution time of a Lua script in milliseconds.
+################################ SHUTDOWN #####################################
+
+# Maximum time to wait for replicas when shutting down, in seconds.
 #
-# If the maximum execution time is reached Redis will log that a script is
+# During shut down, a grace period allows any lagging replicas to catch up with
-# still in execution after the maximum allowed time and will start to
+# the latest replication offset before the master exists. This period can
-# reply to queries with an error.
+# prevent data loss, especially for deployments without configured disk backups.
 #
-# When a long running script exceeds the maximum execution time only the
+# The 'shutdown-timeout' value is the grace period's duration in seconds. It is
-# SCRIPT KILL and SHUTDOWN NOSAVE commands are available. The first can be
+# only applicable when the instance has replicas. To disable the feature, set
-# used to stop a script that did not yet call any write commands. The second
+# the value to 0.
-# is the only way to shut down the server in the case a write command was
-# already issued by the script but the user doesn't want to wait for the natural
-# termination of the script.
 #
-# Set it to 0 or a negative value for unlimited execution without warnings.
+# shutdown-timeout 10
-lua-time-limit 5000
+
+# When Redis receives a SIGINT or SIGTERM, shutdown is initiated and by default
+# an RDB snapshot is written to disk in a blocking operation if save points are configured.
+# The options used on signaled shutdown can include the following values:
+# default:  Saves RDB snapshot only if save points are configured.
+#           Waits for lagging replicas to catch up.
+# save:     Forces a DB saving operation even if no save points are configured.
+# nosave:   Prevents DB saving operation even if one or more save points are configured.
+# now:      Skips waiting for lagging replicas.
+# force:    Ignores any errors that would normally prevent the server from exiting.
+#
+# Any combination of values is allowed as long as "save" and "nosave" are not set simultaneously.
+# Example: "nosave force now"
+#
+# shutdown-on-sigint default
+# shutdown-on-sigterm default
+
+################ NON-DETERMINISTIC LONG BLOCKING COMMANDS #####################
+
+# Maximum time in milliseconds for EVAL scripts, functions and in some cases
+# modules' commands before Redis can start processing or rejecting other clients.
+#
+# If the maximum execution time is reached Redis will start to reply to most
+# commands with a BUSY error.
+#
+# In this state Redis will only allow a handful of commands to be executed.
+# For instance, SCRIPT KILL, FUNCTION KILL, SHUTDOWN NOSAVE and possibly some
+# module specific 'allow-busy' commands.
+#
+# SCRIPT KILL and FUNCTION KILL will only be able to stop a script that did not
+# yet call any write commands, so SHUTDOWN NOSAVE may be the only way to stop
+# the server in the case a write command was already issued by the script when
+# the user doesn't want to wait for the natural termination of the script.
+#
+# The default is 5 seconds. It is possible to set it to 0 or a negative value
+# to disable this mechanism (uninterrupted execution). Note that in the past
+# this config had a different name, which is now an alias, so both of these do
+# the same:
+# lua-time-limit 5000
+# busy-reply-threshold 5000
 
 ################################ REDIS CLUSTER  ###############################
 
@@ -1452,6 +1635,11 @@ lua-time-limit 5000
 #
 # cluster-node-timeout 15000
 
+# The cluster port is the port that the cluster bus will listen for inbound connections on. When set 
+# to the default value, 0, it will be bound to the command port + 10000. Setting this value requires 
+# you to specify the cluster bus port when executing cluster meet.
+# cluster-port 0
+
 # A replica of a failing master will avoid to start a failover if its data
 # looks too old.
 #
@@ -1549,7 +1737,7 @@ lua-time-limit 5000
 # cluster-replica-no-failover no
 
 # This option, when set to yes, allows nodes to serve read traffic while the
-# the cluster is in a down state, as long as it believes it owns the slots. 
+# cluster is in a down state, as long as it believes it owns the slots.
 #
 # This is useful for two cases.  The first case is for when an application
 # doesn't require consistency of data during node failures or network partitions.
@@ -1564,6 +1752,52 @@ lua-time-limit 5000
 #
 # cluster-allow-reads-when-down no
 
+# This option, when set to yes, allows nodes to serve pubsub shard traffic while
+# the cluster is in a down state, as long as it believes it owns the slots.
+#
+# This is useful if the application would like to use the pubsub feature even when
+# the cluster global stable state is not OK. If the application wants to make sure only
+# one shard is serving a given channel, this feature should be kept as yes.
+#
+# cluster-allow-pubsubshard-when-down yes
+
+# Cluster link send buffer limit is the limit on the memory usage of an individual
+# cluster bus link's send buffer in bytes. Cluster links would be freed if they exceed
+# this limit. This is to primarily prevent send buffers from growing unbounded on links
+# toward slow peers (E.g. PubSub messages being piled up).
+# This limit is disabled by default. Enable this limit when 'mem_cluster_links' INFO field
+# and/or 'send-buffer-allocated' entries in the 'CLUSTER LINKS` command output continuously increase.
+# Minimum limit of 1gb is recommended so that cluster link buffer can fit in at least a single
+# PubSub message by default. (client-query-buffer-limit default value is 1gb)
+#
+# cluster-link-sendbuf-limit 0
+ 
+# Clusters can configure their announced hostname using this config. This is a common use case for 
+# applications that need to use TLS Server Name Indication (SNI) or dealing with DNS based
+# routing. By default this value is only shown as additional metadata in the CLUSTER SLOTS
+# command, but can be changed using 'cluster-preferred-endpoint-type' config. This value is 
+# communicated along the clusterbus to all nodes, setting it to an empty string will remove 
+# the hostname and also propagate the removal.
+#
+# cluster-announce-hostname ""
+
+# Clusters can advertise how clients should connect to them using either their IP address,
+# a user defined hostname, or by declaring they have no endpoint. Which endpoint is
+# shown as the preferred endpoint is set by using the cluster-preferred-endpoint-type
+# config with values 'ip', 'hostname', or 'unknown-endpoint'. This value controls how
+# the endpoint returned for MOVED/ASKING requests as well as the first field of CLUSTER SLOTS. 
+# If the preferred endpoint type is set to hostname, but no announced hostname is set, a '?' 
+# will be returned instead.
+#
+# When a cluster advertises itself as having an unknown endpoint, it's indicating that
+# the server doesn't know how clients can reach the cluster. This can happen in certain 
+# networking situations where there are multiple possible routes to the node, and the 
+# server doesn't know which one the client took. In this case, the server is expecting
+# the client to reach out on the same endpoint it used for making the last request, but use
+# the port provided in the response.
+#
+# cluster-preferred-endpoint-type ip
+
 # In order to setup your cluster make sure to read the documentation
 # available at https://redis.io web site.
 
@@ -1651,6 +1885,20 @@ slowlog-max-len 128
 # "CONFIG SET latency-monitor-threshold <milliseconds>" if needed.
 latency-monitor-threshold 0
 
+################################ LATENCY TRACKING ##############################
+
+# The Redis extended latency monitoring tracks the per command latencies and enables
+# exporting the percentile distribution via the INFO latencystats command,
+# and cumulative latency distributions (histograms) via the LATENCY command.
+#
+# By default, the extended latency monitoring is enabled since the overhead
+# of keeping track of the command latency is very small.
+# latency-tracking yes
+
+# By default the exported latency percentiles via the INFO latencystats command
+# are the p50, p99, and p999.
+# latency-tracking-info-percentiles 50 99 99.9
+
 ############################# EVENT NOTIFICATION ##############################
 
 # Redis can notify Pub/Sub clients about events happening in the key space.
@@ -1676,6 +1924,7 @@ latency-monitor-threshold 0
 #  z     Sorted set commands
 #  x     Expired events (events generated every time a key expires)
 #  e     Evicted events (events generated when a key is evicted for maxmemory)
+#  n     New key events (Note: not included in the 'A' class)
 #  t     Stream commands
 #  d     Module key type events
 #  m     Key-miss events (Note: It is not included in the 'A' class)
@@ -1702,71 +1951,13 @@ latency-monitor-threshold 0
 #  specify at least one of K or E, no events will be delivered.
 notify-keyspace-events ""
 
-############################### GOPHER SERVER #################################
-
-# Redis contains an implementation of the Gopher protocol, as specified in
-# the RFC 1436 (https://www.ietf.org/rfc/rfc1436.txt).
-#
-# The Gopher protocol was very popular in the late '90s. It is an alternative
-# to the web, and the implementation both server and client side is so simple
-# that the Redis server has just 100 lines of code in order to implement this
-# support.
-#
-# What do you do with Gopher nowadays? Well Gopher never *really* died, and
-# lately there is a movement in order for the Gopher more hierarchical content
-# composed of just plain text documents to be resurrected. Some want a simpler
-# internet, others believe that the mainstream internet became too much
-# controlled, and it's cool to create an alternative space for people that
-# want a bit of fresh air.
-#
-# Anyway for the 10nth birthday of the Redis, we gave it the Gopher protocol
-# as a gift.
-#
-# --- HOW IT WORKS? ---
-#
-# The Redis Gopher support uses the inline protocol of Redis, and specifically
-# two kind of inline requests that were anyway illegal: an empty request
-# or any request that starts with "/" (there are no Redis commands starting
-# with such a slash). Normal RESP2/RESP3 requests are completely out of the
-# path of the Gopher protocol implementation and are served as usual as well.
-#
-# If you open a connection to Redis when Gopher is enabled and send it
-# a string like "/foo", if there is a key named "/foo" it is served via the
-# Gopher protocol.
-#
-# In order to create a real Gopher "hole" (the name of a Gopher site in Gopher
-# talking), you likely need a script like the following:
-#
-#   https://github.com/antirez/gopher2redis
-#
-# --- SECURITY WARNING ---
-#
-# If you plan to put Redis on the internet in a publicly accessible address
-# to server Gopher pages MAKE SURE TO SET A PASSWORD to the instance.
-# Once a password is set:
-#
-#   1. The Gopher server (when enabled, not by default) will still serve
-#      content via Gopher.
-#   2. However other commands cannot be called before the client will
-#      authenticate.
-#
-# So use the 'requirepass' option to protect your instance.
-#
-# Note that Gopher is not currently supported when 'io-threads-do-reads'
-# is enabled.
-#
-# To enable Gopher support, uncomment the following line and set the option
-# from no (the default) to yes.
-#
-# gopher-enabled no
-
 ############################### ADVANCED CONFIG ###############################
 
 # Hashes are encoded using a memory efficient data structure when they have a
 # small number of entries, and the biggest entry does not exceed a given
 # threshold. These thresholds can be configured using the following directives.
-hash-max-ziplist-entries 512
+hash-max-listpack-entries 512
-hash-max-ziplist-value 64
+hash-max-listpack-value 64
 
 # Lists are also encoded in a special way to save a lot of space.
 # The number of entries allowed per internal list node can be specified
@@ -1781,7 +1972,7 @@ hash-max-ziplist-value 64
 # per list node.
 # The highest performing option is usually -2 (8 Kb size) or -1 (4 Kb size),
 # but if your use case is unique, adjust the settings as necessary.
-list-max-ziplist-size -2
+list-max-listpack-size -2
 
 # Lists may also be compressed.
 # Compress depth is the number of quicklist ziplist nodes from *each* side of
@@ -1809,8 +2000,8 @@ set-max-intset-entries 512
 # Similarly to hashes and lists, sorted sets are also specially encoded in
 # order to save a lot of space. This encoding is only used when the length and
 # elements of a sorted set are below the following limits:
-zset-max-ziplist-entries 128
+zset-max-listpack-entries 128
-zset-max-ziplist-value 64
+zset-max-listpack-value 64
 
 # HyperLogLog sparse representation bytes limit. The limit includes the
 # 16 bytes header. When an HyperLogLog using the sparse representation crosses
@@ -1889,6 +2080,13 @@ activerehashing yes
 # Instead there is a default limit for pubsub and replica clients, since
 # subscribers and replicas receive data in a push fashion.
 #
+# Note that it doesn't make sense to set the replica clients output buffer
+# limit lower than the repl-backlog-size config (partial sync will succeed
+# and then replica will get disconnected).
+# Such a configuration is ignored (the size of repl-backlog-size will be used).
+# This doesn't have memory consumption implications since the replica client
+# will share the backlog buffers memory.
+#
 # Both the hard or the soft limit can be disabled by setting them to zero.
 client-output-buffer-limit normal 0 0 0
 client-output-buffer-limit replica 256mb 64mb 60
@@ -1902,6 +2100,25 @@ client-output-buffer-limit pubsub 32mb 8mb 60
 #
 # client-query-buffer-limit 1gb
 
+# In some scenarios client connections can hog up memory leading to OOM
+# errors or data eviction. To avoid this we can cap the accumulated memory
+# used by all client connections (all pubsub and normal clients). Once we
+# reach that limit connections will be dropped by the server freeing up
+# memory. The server will attempt to drop the connections using the most 
+# memory first. We call this mechanism "client eviction".
+#
+# Client eviction is configured using the maxmemory-clients setting as follows:
+# 0 - client eviction is disabled (default)
+#
+# A memory value can be used for the client eviction threshold,
+# for example:
+# maxmemory-clients 1g
+#
+# A percentage value (between 1% and 100%) means the client eviction threshold
+# is based on a percentage of the maxmemory setting. For example to set client
+# eviction at 5% of maxmemory:
+# maxmemory-clients 5%
+
 # In the Redis protocol, bulk requests, that are, elements representing single
 # strings, are normally limited to 512 mb. However you can change this limit
 # here, but must be 1mb or greater
@@ -1942,13 +2159,13 @@ hz 10
 dynamic-hz yes
 
 # When a child rewrites the AOF file, if the following option is enabled
-# the file will be fsync-ed every 32 MB of data generated. This is useful
+# the file will be fsync-ed every 4 MB of data generated. This is useful
 # in order to commit the file to the disk more incrementally and avoid
 # big latency spikes.
 aof-rewrite-incremental-fsync yes
 
 # When redis saves RDB file, if the following option is enabled
-# the file will be fsync-ed every 32 MB of data generated. This is useful
+# the file will be fsync-ed every 4 MB of data generated. This is useful
 # in order to commit the file to the disk more incrementally and avoid
 # big latency spikes.
 rdb-save-incremental-fsync yes
@@ -2045,7 +2262,7 @@ rdb-save-incremental-fsync yes
 # defragmentation process. If you are not sure about what they mean it is
 # a good idea to leave the defaults untouched.
 
-# Enabled active defragmentation
+# Active defragmentation is disabled by default
 # activedefrag no
 
 # Minimum amount of fragmentation waste to start active defrag

seed/redis/templates/redis.yml

@@ -1,3 +1,3 @@
 address: %%ip_eth0
-username: %%normalize_family(%%account.remote)
+username: %%account.username
 password: %%account.password

seed/relay-lmtp-client/README.md

@@ -19,9 +19,9 @@ Application service needs interact with a Postfix server with LMTP protocol.
 
 ### Général (*general*)
 
-| Description                                                                           | Type                                                                                                                       | Supplier   |
+| Description                                                                           | Type                                                                                                                       | Values       | Supplier   |
-|---------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|------------|
+|---------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------|--------------|------------|
-| **Nom de domaine du serveur LMTP** (*[lmtp_relay_address](dictionaries/30_lmtp.xml)*) | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | LMTP       |
+| **Nom de domaine du serveur LMTP** (*[lmtp_relay_address](dictionaries/30_lmtp.xml)*) | [domainname](https://cloud.silique.fr/gitea/risotto/rougail/src/branch/main/doc/variable/README.md#le-type-de-la-variable) | <calculated> | LMTP       |
 
 
 - [+]: variable is multiple

seed/relay-mail-client/README.md

@@ -30,11 +30,11 @@ Client SMTP.
 - [odoo](../odoo/README.md)
 - [peertube](../peertube/README.md)
 - [piwigo](../piwigo/README.md)
+- [forgejo](../forgejo/README.md)
 - [vaultwarden](../vaultwarden/README.md)
 - [relay-lmtp-client](../relay-lmtp-client/README.md)
 - [nextcloud](../nextcloud/README.md)
 - [lemonldap](../lemonldap/README.md)
-- [gitea](../gitea/README.md)
 
 ## Linked to
 

seed/reverse-proxy-client/README.md

@@ -36,12 +36,12 @@ This a family is a leadership.
 - [odoo](../odoo/README.md)
 - [mailman](../mailman/README.md)
 - [peertube](../peertube/README.md)
+- [forgejo](../forgejo/README.md)
 - [speedtest-rs](../speedtest-rs/README.md)
 - [nginx-https](../nginx-https/README.md)
 - [vaultwarden](../vaultwarden/README.md)
 - [apache](../apache/README.md)
 - [lemonldap](../lemonldap/README.md)
-- [gitea](../gitea/README.md)
 
 ## Linked to
 

seed/reverse-proxy-client/dictionaries/21_revprox_client.xml

@@ -2,9 +2,10 @@
 <rougail version="0.10">
   <services>
     <service name="revprox" manage="False">
+      <file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_client_ca_file</file>
       <file file_type="variable" source="revprox.crt">revprox_client_cert_file</file>
       <file file_type="variable" source="revprox.key" owner_type="variable" owner="revprox_client_cert_owner" group_type="variable" group="revprox_client_cert_group" mode="400">revprox_client_key_file</file>
-      <file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_client_ca_file</file>
+      <file filelist="copy_tests">/tests/reverse-proxy.yml</file>
     </service>
   </services>
   <variables>

seed/reverse-proxy-client/funcs/revprox_client.py

@@ -11,4 +11,8 @@ def calc_web_address(domain_name: str, port: str, local_location: str) -> str:
 
 def get_first_value(lst: list):
     if lst:
+        if isinstance(lst[0], list):
+            if lst[0] and lst[0][0]:
+                return lst[0][0]
+        else:
             return lst[0]

seed/reverse-proxy-client/tests/revprox.py

@@ -1,5 +1,13 @@
 from requests import get, post, session
+from requests.exceptions import SSLError
 from mookdns import MookDns
+from os import environ
+from os.path import join
+from yaml import load, SafeLoader
+from glob import glob
+
+
+VERIFY = True
 
 
 class Authentication:
@@ -30,7 +38,19 @@ class Authentication:
                      req,
                      url,
                      ):
-        ret = req.get(url)
+        global VERIFY
+        try:
+            ret = req.get(url, verify=VERIFY)
+        except SSLError:
+            conf_file = f'{environ["MACHINE_TEST_DIR"]}/reverse-proxy.yml'
+            with open(conf_file) as yaml:
+                data = load(yaml, Loader=SafeLoader)
+            path = join(environ["MACHINE_TEST_DIR"], data["ca_certificate"])
+            cert = glob(path)
+            if len(cert) != 1:
+                raise Exception(f'{path} should find one and one certificate but found: {cert}')
+            VERIFY=cert[0]
+            ret = req.get(url, verify=VERIFY)
         code = ret.status_code
         content = ret.content
         assert code == 200, f"cannot access to lemonldap; {content}"
@@ -51,7 +71,7 @@ class Authentication:
                    "Accept": "application/json",
                    }
         portal_url = f'https://{portal_server}/oauth2/'
-        ret = req.post(portal_url, data=json, headers=headers)
+        ret = req.post(portal_url, data=json, headers=headers, verify=VERIFY)
         json = ret.json()
         assert json['error']
         assert json['result'] == 1
@@ -60,7 +80,7 @@ class Authentication:
         # curl -X POST -d user=dwho -d password=dwho -H 'Accept: application/json' 'https://oidctest.wsweet.org/oauth2/'
         # curl -s -D - -o /dev/null -b lemonldap=0640f95827111f00ba7ad5863ba819fe46cfbcecdb18ce525836369fb4c8350b 'https://oidctest.wsweet.org/oauth2/authorize?response_type=code&client_id=private&scope=openid+profile+email&redirect_uri=http://localhost' | grep '^location'
         authorize_url = f'{portal_url}authorize'
-        ret = req.get(authorize_url)
+        ret = req.get(authorize_url, verify=VERIFY)
         assert ret.status_code == 200
         content = ret.content.decode()
         assert title in content, f'cannot find {title} in {content}'
@@ -70,7 +90,7 @@ class Authentication:
             json=False,
             ):
         with MookDns(self.ip):
-            ret = get(url, cookies=self.cookies)
+            ret = get(url, cookies=self.cookies, verify=VERIFY)
         assert ret.status_code == 200, f'return code is {ret.status_code}'
         if json:
             return ret.json()
@@ -82,5 +102,5 @@ class Authentication:
              headers=None,
              ):
         with MookDns(self.ip):
-            ret = post(url, cookies=self.cookies, data=data, headers=headers)
+            ret = post(url, cookies=self.cookies, data=data, headers=headers, verify=VERIFY)
         assert ret.status_code == 200, f'return code is {ret.status_code}'

seed/roundcube/README.md

@@ -60,10 +60,10 @@ This a family is a leadership.
 
 ##### external (*general.oauth2_client.external*)
 
-| Description                                                   |
+| Description                                                   | Values       |
-|---------------------------------------------------------------|
+|---------------------------------------------------------------|--------------|
-| *[oauth2_client_external](dictionaries/31_roundcube.xml)* [+] |
+| *[oauth2_client_external](dictionaries/31_roundcube.xml)* [+] |              |
-| *[oauth2_client_family](dictionaries/31_roundcube.xml)* [+]   |
+| *[oauth2_client_family](dictionaries/31_roundcube.xml)* [+]   | <calculated> |
 
 #### nginx (*general.nginx*)
 

seed/systemd/templates/network

@@ -1,3 +1,4 @@
+#RISOTTO: do not compare
 %set %%intnb = %%rougail_index
 [Match]
 %if %%netwokd_interface_name_type == 'host'

seed/systemd/templates/systemd-firstboot.service

@@ -1,4 +1,4 @@
 [Service]
 ExecStart=
-ExecStart=/usr/bin/systemd-firstboot --root-password-file=/usr/local/lib/secrets/root.pwd
+ExecStart=/usr/bin/systemd-firstboot --root-password-file=/usr/local/lib/secrets/root.pwd --locale=fr_FR.UTF-8
 ExecStart=/usr/bin/systemd-firstboot --copy

seed/unbound/README.md

@@ -15,13 +15,13 @@ Unbound, a validating, recursive, caching DNS resolver.
 
 ## Dependances
 
-- [base-fedora-36](../base-fedora-36/README.md)
+- [dns-external](../dns-external/README.md)
+- [base-fedora-37](../base-fedora-37/README.md)
   - [base-fedora](../base-fedora/README.md)
     - [systemd](../systemd/README.md)
       - [base-machine](../base-machine/README.md)
         - [base](../base/README.md)
         - [dns-local](../dns-local/README.md)
-- [dns-external](../dns-external/README.md)
 
 ## Variables
 
@@ -31,7 +31,7 @@ Unbound, a validating, recursive, caching DNS resolver.
 
 | Description                                             | Values         |
 |---------------------------------------------------------|----------------|
-| *[ip_dns](dictionaries/20_unbound.xml)*                 |                |
+| *[ip_dns](dictionaries/20_unbound.xml)*                 | <calculated>   |
 | *[**outgoing_ports**](dictionaries/20_unbound.xml)* [+] | udp:53<br />53 |
 
 #### Résolveur DNS (*general.dns_resolver*)

seed/unbound/applicationservice.yml

@@ -3,5 +3,5 @@ description: Unbound, a validating, recursive, caching DNS resolver
 website: https://www.nlnetlabs.nl/projects/unbound/about/
 service: true
 depends:
-  - base-fedora-36
   - dns-external
+  - base-fedora-37

seed/unbound/templates/risotto.conf

@@ -1,3 +1,4 @@
+#RISOTTO: do not compare
 server:
 %for %%interface in %%range(%%len(%%zones_list))
     interface: %%getVar('ip_eth' + %%str(%%interface))

seed/unbound/templates/unbound.conf

@@ -185,6 +185,10 @@ server:
 	# perform connect for UDP sockets to mitigate ICMP side channel.
 	# udp-connect: yes
 
+	# The number of retries, per upstream nameserver in a delegation, when
+	# a throwaway response (also timeouts) is received.
+	# outbound-msg-retry: 5
+
 	# msec for waiting for an unknown server to reply.  Increase if you
 	# are behind a slow satellite link, to eg. 1128.
 	# unknown-server-time-limit: 376
@@ -216,6 +220,9 @@ server:
 	# minimum wait time for responses, increase if uplink is long. In msec.
 	# infra-cache-min-rtt: 50
 
+	# maximum wait time for responses. In msec.
+	# infra-cache-max-rtt: 120000
+
 	# enable to make server probe down hosts more frequently.
 	# infra-keep-probing: no
 
@@ -393,9 +400,6 @@ server:
 	# enable to not answer version.server and version.bind queries.
 	# hide-version: no
 
-	# enable to not set the User-Agent HTTP header.
-	# hide-http-user-agent: no
-
 	# enable to not answer trustanchor.unbound queries.
 	# hide-trustanchor: no
 
@@ -704,6 +708,7 @@ server:
 	# local-zone: "localhost." nodefault
 	# local-zone: "127.in-addr.arpa." nodefault
 	# local-zone: "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa." nodefault
+	# local-zone: "home.arpa." nodefault
 	# local-zone: "onion." nodefault
 	# local-zone: "test." nodefault
 	# local-zone: "invalid." nodefault
@@ -851,6 +856,8 @@ server:
 
 	# Add system certs to the cert bundle, from the Windows Cert Store
 	# tls-win-cert: no
+	# and on other systems, the default openssl certificates
+	# tls-system-cert: no
 
 	# Pad queries over TLS upstreams
 	# pad-queries: yes
@@ -900,6 +907,10 @@ server:
 	# 0 blocks when ratelimited, otherwise let 1/xth traffic through
 	# ratelimit-factor: 10
 
+	# Aggressive rate limit when the limit is reached and until demand has
+	# decreased in a 2 second rate window.
+	# ratelimit-backoff: no
+
 	# override the ratelimit for a specific domain name.
 	# give this setting multiple times to have multiple overrides.
 	# ratelimit-for-domain: example.com 1000
@@ -920,6 +931,10 @@ server:
 	# 0 blocks when ip is ratelimited, otherwise let 1/xth traffic through
 	# ip-ratelimit-factor: 10
 
+	# Aggressive rate limit when the limit is reached and until demand has
+	# decreased in a 2 second rate window.
+	# ip-ratelimit-backoff: no
+
 	# Limit the number of connections simultaneous from a netblock
 	# tcp-connection-limit: 192.0.2.0/24 12
 
@@ -929,6 +944,14 @@ server:
 	# the number of servers that will be used in the fast server selection.
 	# fast-server-num: 3
 
+	# Enable to attach Extended DNS Error codes (RFC8914) to responses.
+	ede: yes
+
+	# Enable to attach an Extended DNS Error (RFC8914) Code 3 - Stale
+	# Answer as EDNS0 option to expired responses.
+	# Note that the ede option above needs to be enabled for this to work.
+	ede-serve-expired: yes
+
 	# Specific options for ipsecmod. Unbound needs to be configured with
 	# --enable-ipsecmod for these to take effect.
 	#
@@ -1040,6 +1063,7 @@ include: /etc/unbound/conf.d/*.conf
 #	stub-addr: 192.0.2.68
 #	stub-prime: no
 #	stub-first: no
+#	stub-tcp-upstream: no
 #	stub-tls-upstream: no
 #	stub-no-cache: no
 # stub-zone:
@@ -1061,6 +1085,7 @@ include: /etc/unbound/conf.d/*.conf
 # 	forward-addr: 192.0.2.68
 # 	forward-addr: 192.0.2.73@5355  # forward to port 5355.
 # 	forward-first: no
+# 	forward-tcp-upstream: no
 # 	forward-tls-upstream: no
 #	forward-no-cache: no
 # forward-zone:
@@ -1131,6 +1156,7 @@ auth-zone:
 #         another crypto library
 #
 # DNSCrypt
+# o enable, use --enable-dnscrypt to configure before compiling.
 # Caveats:
 # 1. the keys/certs cannot be produced by Unbound. You can use dnscrypt-wrapper
 #   for this: https://github.com/cofyc/dnscrypt-wrapper/blob/master/README.md#usage
@@ -1151,7 +1177,9 @@ auth-zone:
 #     dnscrypt-provider-cert: /path/unbound-conf/keys2/1.cert
 
 # CacheDB
-# Enable external backend DB as auxiliary cache.  Specify the backend name
+# External backend DB as auxiliary cache.
+# To enable, use --enable-cachedb to configure before compiling.
+# Specify the backend name
 # (default is "testframe", which has no use other than for debugging and
 # testing) and backend-specific options.  The 'cachedb' module must be
 # included in module-config, just before the iterator module.
@@ -1161,6 +1189,7 @@ auth-zone:
 #     secret-seed: "default"
 #
 #     # For "redis" backend:
+#     # (to enable, use --with-libhiredis to configure before compiling)
 #     # redis server's IP address or host name
 #     redis-server-host: 127.0.0.1
 #     # redis server's TCP port
@@ -1172,7 +1201,9 @@ auth-zone:
 
 # IPSet
 # Add specify domain into set via ipset.
-# Note: To enable ipset Unbound needs to run as root user.
+# To enable:
+# o use --enable-ipset to configure before compiling;
+# o Unbound then needs to run as root user.
 # ipset:
 #     # set name for ip v4 addresses
 #     name-v4: "list-v4"
@@ -1180,9 +1211,10 @@ auth-zone:
 #     name-v6: "list-v6"
 #
 
-# Dnstap logging support, if compiled in.  To enable, set the dnstap-enable
+# Dnstap logging support, if compiled in by using --enable-dnstap to configure.
-# to yes and also some of dnstap-log-..-messages to yes.  And select an
+# To enable, set the dnstap-enable to yes and also some of
-# upstream log destination, by socket path, TCP or TLS destination.
+# dnstap-log-..-messages to yes.  And select an upstream log destination, by
+# socket path, TCP or TLS destination.
 # dnstap:
 # 	dnstap-enable: no
 # 	# if set to yes frame streams will be used in bidirectional mode

seed/vaultwarden/dictionaries/40_vaultwarden.xml

@@ -5,7 +5,7 @@
       <override/>
       <file engine="none" source="tmpfile-vaultwarden.conf">/tmpfiles.d/0vaultwarden.conf</file>
       <file source="vaultwarden_config.env">/etc/vaultwarden/config.env</file>
-      <file>/tests/vaultwarden.yml</file>
+      <file filelist="copy_tests">/tests/vaultwarden.yml</file>
     </service>
   </services>
   <variables>

seed/znc/templates/sysuser-znc.conf

@@ -1,3 +1,3 @@
 g znc 998 -
-u znc 998:1000     "Account for ZNC to run as" /var/lib/znc	/sbin/nologin
+u znc 998:998    "Account for ZNC to run as" /var/lib/znc	/sbin/nologin
 m znc ssl-cert