From e5f53eda0daf953628ff1652fa2844471adf9cbe Mon Sep 17 00:00:00 2001
From: Emmanuel Garette <egarette@cadoles.com>
Date: Wed, 19 Oct 2022 18:37:51 +0200
Subject: [PATCH] smtp and postgresql tls path

---
 seed/mailman/dictionaries/31_mailman.xml      |  3 ++-
 seed/mailman/templates/mailman.cfg            |  2 +-
 .../templates/postgresql_postorius.key        |  1 -
 seed/mailman/templates/postorius-settings.py  |  2 +-
 seed/nextcloud/templates/nextcloud-config.php |  6 ++---
 seed/odoo/templates/odoo.service              |  6 ++---
 seed/odoo/templates/sysuser-odoo.conf         |  1 +
 seed/odoo/templates/tmpfile-odoo.conf         |  1 +
 seed/peertube/templates/production.yaml       |  2 +-
 seed/pleroma/templates/production.yaml        |  2 +-
 .../dictionaries/23_postgresql.xml            | 27 ++++++++++++++++---
 .../dictionaries/20_smtp_client.xml           |  9 ++++++-
 seed/roundcube/templates/config.inc.php       |  2 +-
 .../templates/speedtest-rs.service            | 10 -------
 .../templates/vaultwarden_config.env          |  2 +-
 15 files changed, 48 insertions(+), 28 deletions(-)
 delete mode 100644 seed/mailman/templates/postgresql_postorius.key

diff --git a/seed/mailman/dictionaries/31_mailman.xml b/seed/mailman/dictionaries/31_mailman.xml
index 575e133..3ee89c0 100644
--- a/seed/mailman/dictionaries/31_mailman.xml
+++ b/seed/mailman/dictionaries/31_mailman.xml
@@ -16,7 +16,8 @@
       <file>/tests/mailman.yml</file>
     </service>
     <service name="postgresqlclient" target="multi-user" engine="creole">
-      <file owner="postorius" mode="400">/etc/pki/tls/private/postgresql_postorius.key</file>
+      <!-- mailman and postorius have differents username -->
+      <file owner="postorius" mode="400" source="postgresql.key">/etc/pki/tls/private/postgresql_postorius.key</file>
     </service>
   </services>
   <variables>
diff --git a/seed/mailman/templates/mailman.cfg b/seed/mailman/templates/mailman.cfg
index b5ec3ac..3690e6f 100644
--- a/seed/mailman/templates/mailman.cfg
+++ b/seed/mailman/templates/mailman.cfg
@@ -24,7 +24,7 @@ layout: fhs
 #>GNUNUX
 [database]  
 class: mailman.database.postgresql.PostgreSQLDatabase  
-url: postgresql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database?sslmode=verify-full&sslcert=/etc/pki/tls/certs/postgresql.crt&sslkey=/etc/pki/tls/private/postgresql.key&sslrootcert=/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt
+url: postgresql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database?sslmode=verify-full&sslcert=%%pg_client_crt_file&sslkey=%%pg_client_key_file&sslrootcert=%%pg_client_ca_file
 
 [mta]
 lmtp_host: %%ip_eth0
diff --git a/seed/mailman/templates/postgresql_postorius.key b/seed/mailman/templates/postgresql_postorius.key
deleted file mode 100644
index f87d892..0000000
--- a/seed/mailman/templates/postgresql_postorius.key
+++ /dev/null
@@ -1 +0,0 @@
-%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%pg_client_server_domainname, authority_name='PostgreSQL', type="client", hide=%%hide_secret)
diff --git a/seed/mailman/templates/postorius-settings.py b/seed/mailman/templates/postorius-settings.py
index 64cf818..a0aae36 100644
--- a/seed/mailman/templates/postorius-settings.py
+++ b/seed/mailman/templates/postorius-settings.py
@@ -10,7 +10,7 @@ DATABASES = {
         'HOST': '%%pg_client_server_domainname',      # Database server
         'PORT': '',               # Database port (leave blank for default)
         'CONN_MAX_AGE': 300,      # Max database connection age
-        'OPTIONS': {'sslmode': 'verify-full', 'sslcert': '/etc/pki/tls/certs/postgresql.crt', 'sslkey': '/etc/pki/tls/private/postgresql_postorius.key', 'sslrootcert': '/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt'},
+        'OPTIONS': {'sslmode': 'verify-full', 'sslcert': '%%pg_client_crt_file', 'sslkey': '/etc/pki/tls/private/postgresql_postorius.key', 'sslrootcert': '%%pg_client_ca_file'},
     }
 }
 ALLOWED_HOSTS = ['%%{revprox_client_external_domainnames[0]}']
diff --git a/seed/nextcloud/templates/nextcloud-config.php b/seed/nextcloud/templates/nextcloud-config.php
index 7d6902b..97cdc6c 100644
--- a/seed/nextcloud/templates/nextcloud-config.php
+++ b/seed/nextcloud/templates/nextcloud-config.php
@@ -40,9 +40,9 @@ $CONFIG = array (
   'dbdriveroptions' => 
   array (
     'sslmode' => 'verify-full',
-    'sslcert' => '/etc/pki/tls/certs/postgresql.crt',
-    'sslkey' => '/etc/pki/tls/private/postgresql.key',
-    'sslrootcert' => '/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt',
+    'sslcert' => '%%pg_client_crt_file',
+    'sslkey' => '%%pg_client_key_file',
+    'sslrootcert' => '%%pg_client_ca_file',
   ),
   'passwordsalt' => '{{SALT}}',
   'secret' => '{{SECRET}}',
diff --git a/seed/odoo/templates/odoo.service b/seed/odoo/templates/odoo.service
index 1c0f22f..9ec8a1a 100644
--- a/seed/odoo/templates/odoo.service
+++ b/seed/odoo/templates/odoo.service
@@ -2,9 +2,9 @@
 After=risotto.target
 
 [Service]
-Environment="PGSSLROOTCERT=/etc/pki/tls/certs/postgresql.crt"
-Environment="PGSSLCERT=/etc/pki/tls/certs/postgresql.crt"
-Environment="PGSSLKEY=/etc/pki/tls/private/postgresql.key"
+Environment="PGSSLROOTCERT=%%pg_client_crt_file"
+Environment="PGSSLCERT=%%pg_client_crt_file"
+Environment="PGSSLKEY=%%pg_client_key_file"
 Environment="PGPASSFILE=/etc/odoo/postgresql.pass"
 
 #if database not imported, imported it active addons
diff --git a/seed/odoo/templates/sysuser-odoo.conf b/seed/odoo/templates/sysuser-odoo.conf
index f22b160..0c437c1 100644
--- a/seed/odoo/templates/sysuser-odoo.conf
+++ b/seed/odoo/templates/sysuser-odoo.conf
@@ -1,2 +1,3 @@
 g odoo 1000 -
 u odoo 998:1000     "ODOO" /srv/odoo	/bin/bash
+m odoo ssl-cert
diff --git a/seed/odoo/templates/tmpfile-odoo.conf b/seed/odoo/templates/tmpfile-odoo.conf
index 0fd203c..f3d6d23 100644
--- a/seed/odoo/templates/tmpfile-odoo.conf
+++ b/seed/odoo/templates/tmpfile-odoo.conf
@@ -1 +1,2 @@
 d /srv/odoo 750 odoo odoo - -
+d /etc/ssl/private 750 root ssl-cert - -
diff --git a/seed/peertube/templates/production.yaml b/seed/peertube/templates/production.yaml
index 96f7361..b7a056b 100644
--- a/seed/peertube/templates/production.yaml
+++ b/seed/peertube/templates/production.yaml
@@ -72,7 +72,7 @@ smtp:
   password: '%%smtp_relay_password'
   tls: false # If you use StartTLS: false
   disable_starttls: false
-  ca_file: '/etc/pki/ca-trust/source/anchors/ca_MailRelay.crt' # Used for self signed certificates
+  ca_file: '%%smtp_ca_file' # Used for self signed certificates
   from_address: '%%peertube_admin_email'
 
 email:
diff --git a/seed/pleroma/templates/production.yaml b/seed/pleroma/templates/production.yaml
index d9b1e31..32fdf84 100644
--- a/seed/pleroma/templates/production.yaml
+++ b/seed/pleroma/templates/production.yaml
@@ -68,7 +68,7 @@ smtp:
   password: '%%smtp_relay_password'
   tls: false # If you use StartTLS: false
   disable_starttls: false
-  ca_file: '/etc/pki/ca-trust/source/anchors/ca_MailRelay.crt' # Used for self signed certificates
+  ca_file: '%%smtp_ca_file' # Used for self signed certificates
   from_address: '%%peertube_admin_email'
 
 email:
diff --git a/seed/postgresql-client/dictionaries/23_postgresql.xml b/seed/postgresql-client/dictionaries/23_postgresql.xml
index 58dfcb6..9bdf204 100644
--- a/seed/postgresql-client/dictionaries/23_postgresql.xml
+++ b/seed/postgresql-client/dictionaries/23_postgresql.xml
@@ -3,9 +3,9 @@
   <services>
     <service name="postgresqlclient" target="risotto" engine="creole">
       <file mode="400">/secrets/postgresql.pass</file>
-      <file>/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt</file>
-      <file>/etc/pki/tls/certs/postgresql.crt</file>
-      <file owner_type="variable" owner="pg_client_key_owner" mode="400">/etc/pki/tls/private/postgresql.key</file>
+      <file file_type="variable" source="ca_PostgreSQL.crt">pg_client_ca_file</file>
+      <file file_type="variable" owner_type="variable" owner="pg_client_key_owner" mode="444" source="postgresql.crt">pg_client_crt_file</file>
+      <file file_type="variable" owner_type="variable" owner="pg_client_key_owner" mode="400" source="postgresql.key">pg_client_key_file</file>
       <file filelist="postgresql_debian" engine="none" source="sysuser-postgresql-client.conf">/sysusers.d/0postgresqlclient.conf</file>
     </service>
   </services>
@@ -18,6 +18,9 @@
       <variable name="pg_client_key_owner" type="unix_user" description="Key owner" mandatory="True">
         <value>apache</value>
       </variable>
+      <variable name="pg_client_ca_file" type="filename" description="Postgresql CA filename" hidden="True"/>
+      <variable name="pg_client_crt_file" type="filename" description="Postgresql cert filename" hidden="True"/>
+      <variable name="pg_client_key_file" type="filename" description="Postgresql key filename" hidden="True"/>
     </family>
   </variables>
   <constraints>
@@ -42,6 +45,24 @@
       <param type="variable">pg_client_username</param>
       <target>pg_client_database</target>
     </fill>
+    <fill name="calc_value">
+      <param type="variable">tls_ca_directory</param>
+      <param>ca_PostgreSQL.crt</param>
+      <param name="join">/</param>
+      <target>pg_client_ca_file</target>
+    </fill>
+    <fill name="calc_value">
+      <param type="variable">tls_cert_directory</param>
+      <param>postgresql.crt</param>
+      <param name="join">/</param>
+      <target>pg_client_crt_file</target>
+    </fill>
+    <fill name="calc_value">
+      <param type="variable">tls_key_directory</param>
+      <param>postgresql.key</param>
+      <param name="join">/</param>
+      <target>pg_client_key_file</target>
+    </fill>
     <condition name="disabled_if_not_in" source="os_name">
       <param>Debian</param>
       <target type="filelist">postgresql_debian</target>
diff --git a/seed/relay-mail-client/dictionaries/20_smtp_client.xml b/seed/relay-mail-client/dictionaries/20_smtp_client.xml
index f04bfc3..5fb01e0 100644
--- a/seed/relay-mail-client/dictionaries/20_smtp_client.xml
+++ b/seed/relay-mail-client/dictionaries/20_smtp_client.xml
@@ -2,7 +2,7 @@
 <rougail version="0.10">
   <services>
     <service name="smtp" manage="False">
-      <file>/etc/pki/ca-trust/source/anchors/ca_MailRelay.crt</file>
+      <file file_type="variable" source="ca_MailRelay.crt">smtp_ca_file</file>
     </service>
   </services>
   <variables>
@@ -10,6 +10,7 @@
       <variable name="smtp_relay_address" type="domainname" description="Nom de domaine du serveur SMTP" mandatory="True" supplier="SMTP"/>
       <variable name="smtp_relay_user" type="unix_user" description="Relay username" mandatory="True" hidden="True"/>
       <variable name="smtp_relay_password" type="secret" description="Relay password" mandatory="True" hidden="True" supplier="SMTP:password"/>
+      <variable name="smtp_ca_file" type="filename" description="SMTP CA filename" hidden="True"/>
     </family>
   </variables>
   <constraints>
@@ -25,5 +26,11 @@
       <param name="hide" type="variable">hide_secret</param>
       <target>smtp_relay_password</target>
     </fill>
+    <fill name="calc_value">
+      <param type="variable">tls_ca_directory</param>
+      <param>ca_MailRelay.crt</param>
+      <param name="join">/</param>
+      <target>smtp_ca_file</target>
+    </fill>
   </constraints>
 </rougail>
diff --git a/seed/roundcube/templates/config.inc.php b/seed/roundcube/templates/config.inc.php
index 9fc5371..46a9f02 100644
--- a/seed/roundcube/templates/config.inc.php
+++ b/seed/roundcube/templates/config.inc.php
@@ -31,7 +31,7 @@ $config = [];
 //       e.g. 'mysql://roundcube:@localhost/roundcubemail?verify_server_cert=false'
 // GNUNUX $config['db_dsnw'] = 'mysql://roundcube:@localhost/roundcubemail';
 //>GNUNUX
-$config['db_dsnw'] = 'pgsql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database?sslmode=verify-full&sslcert=/etc/pki/tls/certs/postgresql.crt&sslkey=/etc/pki/tls/private/postgresql.key&sslrootcert=/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt';
+$config['db_dsnw'] = 'pgsql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database?sslmode=verify-full&sslcert=%%pg_client_crt_file&sslkey=%%pg_client_key_file&sslrootcert=%%pg_client_ca_file';
 //<GNUNUX
 
 // Database DSN for read-only operations (if empty write database will be used)
diff --git a/seed/speedtest-rs/templates/speedtest-rs.service b/seed/speedtest-rs/templates/speedtest-rs.service
index b32d9f9..f48cf18 100644
--- a/seed/speedtest-rs/templates/speedtest-rs.service
+++ b/seed/speedtest-rs/templates/speedtest-rs.service
@@ -1,12 +1,2 @@
 [Unit]
 After=risotto.target
-
-[Service]
-PrivateDevices=false
-ProtectHome=false
-ProtectSystem=false
-LimitNOFILE=
-LimitNPROC=
-WorkingDirectory=/srv/vaultwarden
-ReadWriteDirectories=
-ReadWriteDirectories=
diff --git a/seed/vaultwarden/templates/vaultwarden_config.env b/seed/vaultwarden/templates/vaultwarden_config.env
index 69a3fdd..aeabe07 100644
--- a/seed/vaultwarden/templates/vaultwarden_config.env
+++ b/seed/vaultwarden/templates/vaultwarden_config.env
@@ -20,7 +20,7 @@ DATA_FOLDER=/srv/vaultwarden
 ## - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
 # DATABASE_URL=postgresql://user:password@host[:port]/database_name
 #>GNUNUX
-DATABASE_URL=postgresql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database?sslmode=verify-full&sslcert=/etc/pki/tls/certs/postgresql.crt&sslkey=/etc/pki/tls/private/postgresql.key&sslrootcert=/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt
+DATABASE_URL=postgresql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database?sslmode=verify-full&sslcert=%%pg_client_crt_file&sslkey=%%pg_client_key_file&sslrootcert=%%pg_client_ca_file
 #<GNUNUX
 
 ## Database max connections