local DNS is mandatory

seed/base-debian/dictionaries/11_debian-base.xml

@@ -4,6 +4,7 @@
     <service name="systemd-networkd">
       <override/>
     </service>
+    <service name='logrotate' disabled="True"/>
     <service name="debian" manage="False">
       <file engine="none" source="tmpfile-tmp.conf">/tmpfiles.d/0tmp.conf</file>
       <file engine="none">/etc/default/locale</file>

seed/dns-local/dictionaries/13_dns-local.xml

@@ -10,7 +10,7 @@
       <variable name="dns_is_only_local" type="boolean" description="DNS resolve only local address" hidden="True">
         <value>True</value>
       </variable>
-      <variable name="dns_client_address" type="domainname" description="Nom de domaine du serveur DNS" supplier="LocalDNS" hidden="True"/>
+      <variable name="dns_client_address" type="domainname" description="Nom de domaine du serveur DNS" supplier="LocalDNS" hidden="True" mandatory="True"/>
       <variable name="ip_dns" type="ip" description="Adresse IP du serveur DNS" hidden="True"/>
     </family>
   </variables>

seed/dovecot/dictionaries/26_dovecot.xml

@@ -14,6 +14,7 @@
       <file>/etc/postfix/relay_passwd</file>
       <file>/etc/postfix/ldapsource.cf</file>
       <file>/etc/postfix/sni</file>
+      <file mode="700">/sbin/risotto_backup</file>
     </service>
     <service name='dovecot-init'>
       <override/>

seed/dovecot/templates/risotto_backup

@@ -0,0 +1,21 @@
+%echo "#!/bin/bash"
+
+BACKUP_DIR="%%backup_dir"
+
+mkdir -p $BACKUP_DIR
+chown vmail: $BACKUP_DIR
+
+rm -f $BACKUP_DIR/*.done
+find /srv/home/ -name *@* -type d -printf "%f\n" | while read user; do
+    doveadm backup -u $user maildir:$BACKUP_DIR/$user
+    touch $BACKUP_DIR/$user.done
+done
+
+ls $BACKUP_DIR | while read $user; do
+    if [ ! -f $BACKUP_DIR/$user.done ]; then
+        rm -rf $BACKUP_DIR/$user
+    if
+done
+rm -f $BACKUP_DIR/*.done
+
+exit 0

seed/forgejo/templates/app.ini

@@ -188,13 +188,13 @@ SSH_DOMAIN       = %%revprox_client_external_domainnames[0]
 ;; Port number to be exposed in clone URL
 ;SSH_PORT = 22
 ;>GNUNUX
-SSH_PORT         = %%incoming_ports
+SSH_PORT         = %%incoming_ports[0]
 ;<GNUNUX
 ;;
 ;; The port number the builtin SSH server should listen on
 ;SSH_LISTEN_PORT = %(SSH_PORT)s
 ;>GNUNUX
-SSH_LISTEN_PORT  = %%incoming_ports
+SSH_LISTEN_PORT  = %%incoming_ports[0]
 ;<GNUNUX
 ;;
 ;; Root path of SSH directory, default is '~/.ssh', but you have to use '/home/git/.ssh'.

seed/forgejo/templates/forgejo.yml

@@ -8,4 +8,4 @@ auth_server: %%oauth2_server_domainname
 username: %%username
 password: %%get_password(server_name='test', username=%%username, description='test', type="cleartext", hide=%%hide_secret, temporary=True)
 forgejo_title: "%%forgejo_title"
-git_url: "[%%domain]:%%incoming_ports"
+git_url: "[%%domain]:%%incoming_ports[0]"

seed/mariadb/dictionaries/20_mariadb.xml

@@ -7,6 +7,7 @@
       <file engine="none" source="tmpfile-mariadb.conf">/tmpfiles.d/0mariadb.conf</file>
       <file mode="600" owner="mysql" group="mysql">/etc/mariadb.sql</file>
       <file filelist="copy_tests">/tests/mariadb.yml</file>
+      <file mode="700">/sbin/risotto_backup</file>
     </service>
   </services>
   <variables>

seed/mariadb/manual/image/preinstall/mariadb_server.sh

@@ -1 +1 @@
-PKG="$PKG mariadb-server"
+PKG="$PKG mariadb-server mariadb-backup"

seed/mariadb/templates/risotto_backup

@@ -0,0 +1,6 @@
+%echo "#!/bin/bash -e"
+
+mkdir -p %%backup_dir
+mariabackup --backup --target-dir=%%backup_dir --user=root --password=%%mariadb_root_password
+
+exit 0

seed/odoo/dictionaries/40_odoo.xml

@@ -5,11 +5,11 @@
       <override/>
       <file engine="none" source="sysuser-odoo.conf">/sysusers.d/1odoo.conf</file>
       <file engine="none" source="tmpfile-odoo.conf">/tmpfiles.d/0odoo.conf</file>
-      <file mode="700">/sbin/config_odoo.py</file>
+      <file mode="755">/sbin/config_odoo.py</file>
       <file mode="400" owner="odoo">/etc/odoo/odoo.conf</file>
       <file mode="400" owner="odoo">/etc/odoo/postgresql.pass</file>
       <file>/etc/hosts</file>
-      <file source="config-nginx.conf">/etc/nginx/default.d/odoo.conf</file>
+      <file source="config-nginx.conf">/etc/nginx/sites-enabled/odoo.conf</file>
     </service>
   </services>
   <variables>
@@ -78,6 +78,11 @@
         </variable>
       </family>
     </family>
+    <family name="nginx">
+      <variable name="nginx_default_https" redefine="True">
+        <value>False</value>
+      </variable>
+    </family>
   </variables>
   <constraints>
     <fill name="get_password">

seed/odoo/manual/image/postinstall/odoo.sh

@@ -24,9 +24,6 @@ apt -f install -y
 """ > $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/install.sh
 chmod 755 $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/install.sh
 chroot $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP /install.sh
-
-
-
 sed -i "s/'postgres'/odoo.tools.config['db_name']/g" $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/python3/dist-packages/odoo/service/server.py
 sed -i "s/'postgres'/odoo.tools.config['db_name']/g" $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/python3/dist-packages/odoo/service/db.py 
 sed -i "s/'postgres'/odoo.tools.config['db_name']/g" $IMAGE_NAME_RISOTTO_IMAGE_DIR_TMP/usr/lib/python3/dist-packages/odoo/addons/bus/models/bus.py

seed/odoo/templates/config-nginx.conf

@@ -1,3 +1,21 @@
+server {
+    listen 443 ssl http2;
+#    listen [::]:443 ssl http2;
+    server_name _;
+    server_tokens off;
+
+    ## Strong SSL Security
+    ## https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html & https://cipherli.st/
+#    ssl on;
+    ssl_certificate              %%tls_cert_directory/revprox.crt;
+    ssl_certificate_key          %%tls_key_directory/revprox.key;
+    ssl_client_certificate       %%tls_ca_directory/InternalReverseProxy.crt;
+
+    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_prefer_server_ciphers on;
+    ssl_session_cache shared:SSL:10m;
+    ssl_session_timeout 5m;
     # Redirect requests to odoo backend server
     location / {
       proxy_redirect off;
@@ -17,3 +35,4 @@ location / {
       gzip_types text/css text/scss text/plain text/xml application/xml application/json application/javascript;
       gzip on;
     }
+}

seed/odoo/templates/odoo.service

@@ -11,7 +11,7 @@ Environment="PGPASSFILE=/etc/odoo/postgresql.pass"
 %set %%addons = ','.join(%%odoo_addons)
 ExecStartPre=/usr/bin/bash -c '/usr/bin/psql --set=sslmode=verify-full -h %%pg_client_server_domainname -U %%pg_client_username %%pg_client_database -c "\dt account_account" 2>&1 | grep -vq "not find" || (echo "INIT DATABASE"; /usr/bin/odoo --config /etc/odoo/odoo.conf -i %%addons --stop-after-init; echo "OK")'
 #change default values in database
-ExecStartPre=+/usr/local/lib/sbin/config_odoo.py
+ExecStartPre=/usr/local/lib/sbin/config_odoo.py
 
 ExecStart=
 ExecStart=/usr/bin/odoo --config /etc/odoo/odoo.conf

seed/provider-systemd-machined/dictionaries/16_machined.xml

@@ -33,6 +33,9 @@
         <value>host</value>
       </variable>
       <variable name="zones_list" redefine="True" supplier="Host:machine_zones"/>
+      <variable name="backup_dir" type="filename" hidden="True">
+        <value>/srv/backup</value>
+      </variable>
     </family>
   </variables>
   <constraints>

seed/reverse-proxy-client/dictionaries/21_revprox_client.xml

@@ -20,7 +20,7 @@
         </variable>
         <variable name="revprox_client_max_body_size" description="Taille maximum du corps" supplier="ReverseProxy:max_body_size"/>
         <variable name="revprox_client_local_location" type="filename" hidden='True'/>
-        <variable name="revprox_client_web_address" type="web_address" hidden='True' supplier="ReverseProxy:url"/>
+        <variable name="revprox_client_web_address" type="web_address" hidden='True' supplier="ReverseProxy:url" mandatory="True"/>
         <variable name="revprox_http" type="boolean" hidden='True' supplier="ReverseProxy:http">
           <value>False</value>
         </variable>
@@ -43,10 +43,10 @@
       <target>revprox_client_server_ip</target>
     </fill>
     <fill name="calc_web_address">
-      <param type="variable">domain_name_eth0</param>
+      <param type="variable" name="domain_name" optional="True">domain_name_eth0</param>
-      <param type="variable">revprox_client_port</param>
+      <param type="variable" name="port">revprox_client_port</param>
-      <param type="variable">revprox_client_local_location</param>
+      <param type="variable" name="local_location">revprox_client_local_location</param>
-      <param type="variable">revprox_client_http</param>
+      <param type="variable" name="http">revprox_client_http</param>
       <target>revprox_client_web_address</target>
     </fill>
   </constraints>

seed/reverse-proxy-client/funcs/revprox_client.py

@@ -1,7 +1,7 @@
-def calc_web_address(domain_name: str,
+def calc_web_address(domain_name: str=None,
-                     port: str,
+                     port: str=None,
-                     local_location: str,
+                     local_location: str=None,
-                     http: bool,
+                     http: bool=None,
                      ) -> str:
     if not domain_name or not port:
         return

seed/tls/dictionaries/26_tls.xml

@@ -12,9 +12,9 @@
   <variables>
     <family name="network" description="Réseau">
       <variable name="zones_list" mandatory="False" redefine="True"/>
-      <variable name="outgoing_ports" redefine="True">
+      <variable name="first_zone_name" hidden="True"/>
-        <value>443</value>
+      <variable name="outgoing_ports" redefine="True" mandatory="False"/>
-      </variable>
+      <variable name="dns_client_address" redefine="True" mandatory="False"/>
     </family>
     <family name="revprox">
       <variable name="revprox_client_server_domainname" redefine="True" mandatory="False"/>
@@ -25,12 +25,10 @@
         <variable name="revprox_client_location" redefine="True">
           <value>/.well-known/acme-challenge</value>
         </variable>
-        <!--variable name="revprox_client_local_location" redefine="True">
-          <value>/</value>
-        </variable-->
         <variable name="revprox_http" redefine="True">
           <value>True</value>
         </variable>
+        <variable name="revprox_client_web_address" redefine="True" mandatory="False"/>
       </family>
       <variable name="revprox_client_http" redefine='True'>
         <value>True</value>
@@ -40,4 +38,20 @@
       </variable>
     </family>
   </variables>
+  <constraints>
+    <fill name="calc_value">
+      <param type="variable" optional="True">domain_name_eth0</param>
+      <param type="nil"/>
+      <param name="first" type="boolean">True</param>
+      <target>first_zone_name</target>
+    </fill>
+    <fill name="calc_value">
+      <param type="nil"/>
+      <param name="default">443</param>
+      <param name="condition" type="variable">first_zone_name</param>
+      <param name="expected" type="nil"/>
+      <param name="multi">True</param>
+      <target>outgoing_ports</target>
+    </fill>
+  </constraints>
 </rougail>