50 changed files with 161 additions and 272 deletions
--- a/seed/base-machine/manual/install/diff.py
+++ b/seed/base-machine/manual/install/diff.py
@ -1,11 +1,12 @@
 #!/usr/bin/env python3
 from os.path import join
 from filecmp import dircmp
 from difflib import unified_diff
 from sys import stdout, argv
 from os import walk
-from os.path import join, islink
+from os.path import join
 from datetime import datetime, timezone
@ -86,9 +87,6 @@ for filename in old - new:
 for filename in new - old:
    if islink(join(NEW_DIR, filename)):
        print(f'\n- lien {filename} ajouté\n')
    else:
    print(f'\n- fichier {filename} ajouté :\n')
    with open(join(NEW_DIR, filename), 'r') as fh:
        if WEBSITE:
--- a/seed/base-machine/manual/install/install_machines
+++ b/seed/base-machine/manual/install/install_machines
@ -23,39 +23,5 @@ for image in *; do
 done
 machinectl enable $MACHINES
 machinectl start $MACHINES
 STARTED=""
 DEGRADED=""
 found=true
 idx=0
 while [ $found = true ]; do
    found=false
    echo "tentative $idx"
    for machine in $MACHINES; do
        if ! echo $STARTED | grep -q " $machine "; then
            status=$(machinectl -q shell $machine /usr/bin/systemctl is-system-running || true)
            if echo "$status" | grep -q degraded; then
                STARTED="$STARTED $machine "
                DEGRADED="$DEGRADED $machine"
            elif echo "$status" | grep -q running; then
                STARTED="$STARTED $machine "
            else
                found=true
                echo "status actuel de $machine : $status"
            fi
        fi
    done
    sleep 2
    idx=$((idx+1))
    if [ $idx = 60 ]; then
        break
    fi
 done
 retcode=0
 for machine in $DEGRADED; do
    echo
    echo "========= $machine"
    machinectl -q shell $machine /usr/bin/systemctl --state=failed --no-legend --no-pager
    retcode=1
 done
-exit $retcode
+exit 0
--- a/seed/dovecot/dictionaries/26_dovecot.xml
+++ b/seed/dovecot/dictionaries/26_dovecot.xml
@ -18,7 +18,7 @@
    </service>
    <service name='dovecot-init'>
      <override/>
-      <file>/etc/nginx/default.d/autoconfig.conf</file>
+      <file>/etc/nginx/conf.d/autoconfig.conf</file>
    </service>
    <service name='nginx'>
      <file source='config-v1.1.xml' file_type="variable" variable="mail_domains">well_known_filenames</file>
@ -90,8 +90,8 @@
        <variable name="revprox_client_external_domainnames" redefine="True"/>
        <variable name="revprox_client_web_address" redefine="True"/>
      </family>
-      <variable name="nginx_root" redefine='True'>
+      <variable name="nginx_default_https" redefine="True">
-        <value>/var/www/html</value>
+        <value>False</value>
      </variable>
    </family>
  </variables>
--- a/seed/dovecot/templates/autoconfig.conf
+++ b/seed/dovecot/templates/autoconfig.conf
@ -1,2 +1,12 @@
 server {
    listen 443 ssl;
    server_name %%domain_name_eth0;
    ssl_client_certificate %%revprox_ca_file;
    ssl_certificate        %%revprox_cert_file;
    ssl_certificate_key    %%revprox_key_file;
    root /var/www/html/;
    # To allow POST on static pages
    error_page  405     =200 $uri;
 }
--- a/seed/dovecot/templates/dovecot-init.service
+++ b/seed/dovecot/templates/dovecot-init.service
@ -1,5 +1,5 @@
 [Unit]
-After=risotto.target
+After=network.target
 [Service]
 ExecStart=
--- a/seed/gitea/templates/gitea.service
+++ b/seed/gitea/templates/gitea.service
@ -1,7 +1,7 @@
 #ORIGIN https://raw.githubusercontent.com/go-gitea/gitea/main/contrib/systemd/gitea.service
 [Unit]
 Description=Gitea (Git with a cup of tea)
-After=risotto.target
+After=network.target postgresqlclient.service
 [Service]
 # Modify these two values and uncomment them if you have
--- a/seed/ldap-client/dictionaries/21_ldap-client.xml
+++ b/seed/ldap-client/dictionaries/21_ldap-client.xml
@ -2,7 +2,7 @@
 <rougail version="0.10">
  <services>
-    <service name="ldap-client" target="risotto" engine="creole">
+    <service name="ldap_client" manage="False">
      <file source="ldap.conf" file_type="variable">ldap_client_file</file>
      <file source="ca_LDAP.crt" file_type="variable">ldap_ca_file</file>
      <file source="ldap_client.crt" file_type="variable">ldap_cert_file</file>
--- a/seed/ldap-client/templates/ldap-client.service
+++ b/seed/ldap-client/templates/ldap-client.service
@ -1,8 +0,0 @@
 [Unit]
 After=network-online.target
 Before=risotto.target
 [Service]
 Type=oneshot
 ExecStart=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/%%ldap_server_address/%%ldap_port; do sleep 1; done'
--- a/seed/lemonldap/dictionaries/70_lemonldap_ng.xml
+++ b/seed/lemonldap/dictionaries/70_lemonldap_ng.xml
@ -25,10 +25,10 @@
  </services>
  <variables>
    <family name="nginx">
      <variable name="oauth2_client_external_domain" type="domainname" hidden="True" supplier="OAuth2Client:external_domain"/>
      <variable name="nginx_default_https" redefine="True">
        <value>False</value>
      </variable>
      <variable name="oauth2_client_external_domain" type="domainname" hidden="True" supplier="OAuth2Client:external_domain"/>
    </family>
    <family name="lemonldap" description="LemonLDAP" help="Configuration de la solution d'authentification unique LemonLDAP::NG">
      <variable name="lemon_proc" type="number" description="Nombre de processus dédié à LemonLdap (équivalent au nombre de processeurs)" mandatory="True">
--- a/seed/lemonldap/templates/lemonldap-ng-fastcgi-server.service
+++ b/seed/lemonldap/templates/lemonldap-ng-fastcgi-server.service
@ -1,6 +1,7 @@
 [Unit]
-After=risotto.target nginx.service
+After=nginx.service
 [Service]
 ExecStartPre=/usr/bin/timeout 90 bash -c 'while ! 3<> /dev/tcp/%%ldap_server_address/%%ldap_port; do sleep 1; done'
 ExecStartPost=-/usr/bin/timeout 10 bash -c 'while ! /usr/local/lib/sbin/interne_well_known.pl > /var/www/html/.well-known/openid-configuration/int; do sleep 1; done'
 ExecStartPost=-/bin/bash -c '/usr/local/lib/sbin/interne_well_known.pl no > /var/www/html/.well-known/openid-configuration/ext'
--- a/seed/lemonldap/templates/wget.pl
+++ b/seed/lemonldap/templates/wget.pl
@ -1,6 +1,7 @@
 %echo "#!/usr/bin/env perl"
 use HTTP::Tiny;
 use JSON qw(from_json to_json);
 my $response = HTTP::Tiny->new->get('https://%%domain_name_eth0/.well-known/openid-configuration');
--- a/seed/mailman/applicationservice.yml
+++ b/seed/mailman/applicationservice.yml
@ -5,5 +5,5 @@ depends:
  - postgresql-client
  - relay-lmtp-client
  - reverse-proxy-client
-  - nginx-https
+  - nginx-common
  - oauth2-client
--- a/seed/mailman/dictionaries/31_mailman.xml
+++ b/seed/mailman/dictionaries/31_mailman.xml
@ -11,7 +11,7 @@
    <service name="postorius" target="multi-user" engine="creole">
      <file engine="none">/etc/postorius/gunicorn_config.py</file>
      <file engine="none" source="sysuser-postorius.conf">/sysusers.d/0postorius.conf</file>
-      <file source="config-nginx.conf">/etc/nginx/default.d/postorius.conf</file>
+      <file source="config-nginx.conf">/etc/nginx/conf.d/postorius.conf</file>
      <file source="postorius-settings.py">/etc/mailman3.d/postorius.py</file>
    </service>
    <service name="postgresqlclient" target="multi-user" engine="creole">
@ -47,11 +47,6 @@
        <variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
      </family>
    </family>
    <family name="nginx">
      <variable name="nginx_root" redefine="True">
        <value>/usr/share/webapps/postorius</value>
      </variable>
    </family>
    <family name="postgresql">
      <variable name="pg_client_key_owner" redefine="True">
        <value>mailman</value>
--- a/seed/mailman/templates/config-nginx.conf
+++ b/seed/mailman/templates/config-nginx.conf
@ -1,5 +1,15 @@
 server {
    listen 443 ssl;
    server_name %%domain_name_eth0;
    ssl_client_certificate %%revprox_ca_file;
    ssl_certificate        %%revprox_cert_file;
    ssl_certificate_key    %%revprox_key_file;
    charset utf-8;
    client_max_body_size 75M;
    root /usr/share/webapps/postorius;
    location /mailman/postorius_static {
        alias /usr/lib/python3.10/site-packages/postorius/static;
    }
@ -29,3 +39,4 @@ location /mailman/%%location {
    location /mailman {
        rewrite ^(/mailman/.*)$ /mailman/postorius/ permanent;
    }
 }
--- a/seed/mailman/templates/mailman3.service
+++ b/seed/mailman/templates/mailman3.service
@ -1,6 +1,6 @@
 [Unit]
 Description=Postorius WSGI Service
-After=risotto.target
+After=postgresqlclient.service
 [Service]
 %for %%domain in %%mailman_domains
--- a/seed/mailman/templates/postorius.service
+++ b/seed/mailman/templates/postorius.service
@ -1,6 +1,6 @@
 [Unit]
 Description=Postorius WSGI Service
-After=risotto.target
+After=network.target postgresqlclient.service
 [Service]
 Type=notify
--- a/seed/mariadb-client/dictionaries/20_mariadb.xml
+++ b/seed/mariadb-client/dictionaries/20_mariadb.xml
@ -1,7 +1,7 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
  <services>
-    <service name="mariadbclient" target="risotto" engine="creole"/>
+    <service name="mariadbclient" target="multi-user" engine="creole"/>
  </services>
  <variables>
    <family name="mariadb" description="MariaDB">
--- a/seed/mariadb-client/templates/mariadbclient.service
+++ b/seed/mariadb-client/templates/mariadbclient.service
@ -1,7 +1,6 @@
 [Unit]
 Description=Waiting for mariadb server
-After=network-online.target
+Before=network.target
 Before=risotto.target
 [Service]
 Type=oneshot
--- a/seed/nextcloud/templates/nextcloud.service
+++ b/seed/nextcloud/templates/nextcloud.service
@ -1,6 +1,6 @@
 [Unit]
 Description=Nextcloud management
-After=risotto.target
+After=postgresqlclient.service
 Before=apache.service php-fpm.service
 [Service]
--- a/seed/nginx-common/dictionaries/20_nginx.xml
+++ b/seed/nginx-common/dictionaries/20_nginx.xml
@ -13,7 +13,6 @@
      <file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_ca_file</file>
      <file filelist="nginx_default_https" mode="600">/etc/pki/tls/certs/nginx.crt</file>
      <file filelist="nginx_default_https" mode="600">/etc/pki/tls/private/nginx.key</file>
      <file>/tests/nginx-common.yml</file>
    </service>
  </services>
  <variables>
--- a/seed/nginx-common/templates/nginx-common.yml
+++ b/seed/nginx-common/templates/nginx-common.yml
@ -1,13 +0,0 @@
 address: %%ip_eth0
 nginx_default_http: %slurp
 %if %%getVar('nginx_default_http', False) and not %%getVar('revprox_client_external_domainnames', None)
 true
 %else
 false
 %end if
 nginx_default_https: %slurp
 %if %%getVar('nginx_default_https', False) and not %%getVar('revprox_client_external_domainnames', None)
 true
 %else
 false
 %end if
--- a/seed/nginx-common/templates/nginx.conf
+++ b/seed/nginx-common/templates/nginx.conf
@ -76,24 +76,14 @@ http {
 %if %%nginx_default_https
    server {
        listen       443 ssl http2;
-  %if %%getVar('revprox_client_external_domainnames', None)
+        server_name  %%domain_name_eth0;
   %for %%domain in %%revprox_client_external_domainnames
        server_name %%domain;
   %end for
  %else
        server_name  _;
  %end if
        root         %%nginx_root;
        # ssl_certificate "/etc/pki/nginx/server.crt";
        # ssl_certificate_key "/etc/pki/nginx/private/server.key";
        ssl_certificate              /etc/pki/tls/certs/nginx.crt;
        ssl_certificate_key          /etc/pki/tls/private/nginx.key;
-  %if %%getVar('revprox_client_external_domainnames', None)
+        ssl_client_certificate       /etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt;
        ssl_client_certificate       %%revprox_ca_file;
  %else
        ssl_client_certificate       /etc/pki/ca-trust/source/anchors/ca_HTTP.crt;
  %end if
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
@ -115,7 +105,5 @@ http {
 %else
    include /etc/nginx/sites-enabled/*;
 %end if
-%if not %%getVar('revprox_client_external_domainnames', None)
+
    include /etc/nginx/sites-enabled/*;
 %end if
 }
--- a/seed/nginx-common/tests/test_nginx_commmon.py
+++ b/seed/nginx-common/tests/test_nginx_commmon.py
@ -1,50 +0,0 @@
 from yaml import load, SafeLoader
 from os import environ
 from pytest import raises
 import warnings
 import socket
 from requests import get
 from requests.exceptions import SSLError
 def req(url, ip, verify=True):
    # Monkey patch to force IPv4 resolution
    old_getaddrinfo = socket.getaddrinfo
    def new_getaddrinfo(*args, **kwargs):
        ret = old_getaddrinfo(*args, **kwargs)
        dns = list(ret[0])
        dns[-1] = (ip, dns[-1][1])
        return [dns]
    socket.getaddrinfo = new_getaddrinfo
    if not verify:
        with warnings.catch_warnings():
            warnings.simplefilter("ignore")
            ret = get(url, verify=verify)
    else:
        ret = get(url, verify=verify)
    ret_code = ret.status_code
    content = ret.content
    socket.getaddrinfo = old_getaddrinfo
    return ret_code, content.decode()
 def test_revprox():
    conf_file = f'{environ["MACHINE_TEST_DIR"]}/nginx-common.yml'
    with open(conf_file) as yaml:
        data = load(yaml, Loader=SafeLoader)
    # test unknown domain
    url = 'google.fr'
    protocols = []
    if data['nginx_default_http']:
        protocols.append('http')
    if data['nginx_default_https']:
        protocols.append('https')
        # test certificate
        with raises(SSLError):
            # not certificat problem for https://{url}
            req(f'https://{url}', data['address'])
    for protocol in protocols:
        ret_code, content = req(f'{protocol}://{url}', data['address'], verify=False)
        assert ret_code == 200, f'{protocol}://{url} do not returns code 200 but {ret_code}'
        assert "<title>Test Page for the HTTP Server on Fedora</title>" in content, f'{protocol}://{url} do not returns default fedora page'
--- a/seed/nginx-https/dictionaries/25_nginx.xml
+++ b/seed/nginx-https/dictionaries/25_nginx.xml
@ -1,16 +1,22 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
  <services>
    <service name='nginx'>
      <file filelist="nginx_default_risotto">/etc/nginx/default.d/risotto.conf</file>
    </service>
  </services>
  <variables>
    <family name="nginx">
-      <variable name="nginx_default_http" redefine="True" hidden="True">
+      <variable name="nginx_default_https" redefine="True">
        <value>False</value>
      </variable>
      <variable name="nginx_default_https" redefine="True" hidden="True">
        <value>True</value>
      </variable>
      <variable name="php_fpm_user" redefine="True" exists="True">
        <value>nginx</value>
      </variable>
      <variable name="nginx_root_directory" type="filename"/>
      <variable name="nginx_locations" type="filename" multi="True" mandatory="True">
        <value>/</value>
      </variable>
    </family>
    <family name="redis" description="Redis">
      <variable name="redis_client_key_owner" redefine="True" exists="True">
@ -23,4 +29,11 @@
      </variable>
    </family>
  </variables>
  <constraints>
    <condition name="disabled_if_in" source="nginx_root_directory">
      <param type="nil"/>
      <target type="filelist">nginx_default_risotto</target>
      <target type="variable">nginx_locations</target>
    </condition>
  </constraints>
 </rougail>
--- a/seed/nginx-https/templates/risotto.conf
+++ b/seed/nginx-https/templates/risotto.conf
@ -1,5 +1,3 @@
 # To allow POST on static pages
 error_page  405     =200 $uri;
 add_header                    X-Frame-Options "SAMEORIGIN";
 add_header                    X-Content-Type-Options nosniff;
 add_header                    X-XSS-Protection "1; mode=block";
@ -9,14 +7,17 @@ add_header                    X-Permitted-Cross-Domain-Policies none;
 add_header                    Strict-Transport-Security 'max-age=31536000; includeSubDomains;';
 add_header                    Referrer-Policy no-referrer always;
-%for %%location in %%piwigo_locations
+%for %%location in %%nginx_locations
 location %%location {
 %if %%location == '/'
  root                        %slurp
 %else
  alias                       %slurp
 %end if
-  /usr/local/share/piwigo;
+%%nginx_root_directory;
 %if not %%getVar('php_fpm_installed', False)
  index                       index.html;
 %else
  index                       index.php;
  location ~ ^(?<script_name>.+?\.php)(?<path_info>/.*)?$ {
    fastcgi_pass              php-fpm;
@ -24,5 +25,6 @@ location %%location {
    fastcgi_param             SCRIPT_FILENAME $request_filename;
    include                   fastcgi_params;
  }
 %end if
 }
 %end for
--- a/seed/nginx-reverse-proxy/dictionaries/20_nginx.xml
+++ b/seed/nginx-reverse-proxy/dictionaries/20_nginx.xml
@ -1,8 +0,0 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
  <services>
    <service name='nginx'>
      <file>/etc/pki/ca-trust/source/anchors/ca_HTTP.crt</file>
    </service>
  </services>
 </rougail>
--- a/seed/nginx-reverse-proxy/dictionaries/25_nginx.xml
+++ b/seed/nginx-reverse-proxy/dictionaries/25_nginx.xml
@ -4,7 +4,7 @@
    <service name='nginx'>
      <override engine="creole"/>
      <file source="nginx-options-rp.conf">/etc/nginx/conf.d/options-rp.conf</file>
-      <file source="revprox-nginx.conf">/etc/nginx/sites-enabled/risotto.conf</file>
+      <file source="revprox-nginx.conf">/etc/nginx/conf.d/risotto.conf</file>
      <file source="certificate.crt" file_type="variable" mode="600" variable="nginx.revprox_domainnames">nginx.nginx_certificate_filename</file>
      <file source="private.key" file_type="variable" mode="600" variable="nginx.revprox_domainnames">nginx.nginx_private_key_filename</file>
      <file>/tests/reverse-proxy.yml</file>
@ -22,9 +22,6 @@
      <variable name="nginx_default_http" redefine="True">
        <value>True</value>
      </variable>
      <variable name="nginx_default_https" redefine="True">
        <value>True</value>
      </variable>
    </family>
  </variables>
 </rougail>
--- a/seed/nginx-reverse-proxy/templates/ca_HTTP.crt
+++ b/seed/nginx-reverse-proxy/templates/ca_HTTP.crt
@ -1,3 +0,0 @@
 %for %%idx in %%range(%%len(%%zones_list))
 %%get_chain(authority_cn=%%getVar('domain_name_eth' + %%str(%%idx)), authority_name="HTTP", hide=%%hide_secret)
 %end for
--- a/seed/nginx-reverse-proxy/templates/nginx.crt
+++ b/seed/nginx-reverse-proxy/templates/nginx.crt
@ -1,2 +0,0 @@
 %%get_certificate(%%nginx_default, authority_cn=%%domain_name_eth0, authority_name='HTTP', type="server", hide=%%hide_secret)
 %%get_chain(%%nginx_default, 'HTTP', hide=%%hide_secret)
--- a/seed/nginx-reverse-proxy/templates/nginx.key
+++ b/seed/nginx-reverse-proxy/templates/nginx.key
@ -1 +0,0 @@
 %%get_private_key(%%nginx_default, authority_cn=%%domain_name_eth0, authority_name='HTTP', type='server', hide=%%hide_secret)
--- a/seed/nginx-reverse-proxy/templates/revprox-nginx.conf
+++ b/seed/nginx-reverse-proxy/templates/revprox-nginx.conf
@ -41,7 +41,7 @@ server {
        proxy_set_header        X-Forwarded-Proto       $scheme;
        proxy_set_header        Destination             $dest;
       %end if
-        proxy_ssl_trusted_certificate %%revprox_ca_file;
+        proxy_ssl_trusted_certificate /etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt;
        proxy_ssl_verify       on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_session_reuse on;
--- a/seed/nginx-reverse-proxy/tests/test_revprox.py
+++ b/seed/nginx-reverse-proxy/tests/test_revprox.py
@ -32,8 +32,19 @@ def test_revprox():
    conf_file = f'{environ["MACHINE_TEST_DIR"]}/reverse-proxy.yml'
    with open(conf_file) as yaml:
        data = load(yaml, Loader=SafeLoader)
    # test unknown domain
    url = 'google.fr'
    ret_code, content = req(f'https://{url}', data['address'], verify=False)
    assert ret_code == 200, f'https://{url} do not returns code 200 but {ret_code}'
    assert "<title>Test Page for the HTTP Server on Fedora</title>" in content, f'https://{url} returns default fedora page'
    # test certificate
    try:
        req(f'https://{url}', data['address'])
        raise Exception(f'not certificat problem for https://{url}')
    except SSLError:
        pass
    # test known domains
    for url in data['urls']:
        ret_code, content = req(f'https://{url}', data['address'])
        assert ret_code == 200, f'https://{url} do not returns code 200 but {ret_code}'
-        assert "<title>Test Page for the HTTP Server on Fedora</title>" not in content, f'https://{url} do returns default fedora page'
+        assert "<title>Test Page for the HTTP Server on Fedora</title>" not in content, f'https://{url} returns default fedora page'
--- a/seed/nsd/templates/nsd.service
+++ b/seed/nsd/templates/nsd.service
@ -1,2 +1,2 @@
 [Unit]
-After=risotto.target
+After=network.target
--- a/seed/oauth2-client/dictionaries/30_oauth2_client.xml
+++ b/seed/oauth2-client/dictionaries/30_oauth2_client.xml
@ -1,8 +1,5 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
  <services>
    <service name="oauth2-client" target="risotto" engine="creole"/>
  </services>
  <variables>
    <family name="oauth2_client" description="OAuth2 client">
      <variable name="oauth2_client_server_domainname" type="domainname" description="OAuth2 server domain name" mandatory='True' supplier="OAuth2"/>
--- a/seed/oauth2-client/manual/image/preinstall/oauth2-client.sh
+++ b/seed/oauth2-client/manual/image/preinstall/oauth2-client.sh
@ -1 +0,0 @@
 PKG="$PKG curl"
--- a/seed/oauth2-client/templates/oauth2-client.service
+++ b/seed/oauth2-client/templates/oauth2-client.service
@ -1,7 +0,0 @@
 [Unit]
 After=network-online.target
 Before=risotto.target
 [Service]
 Type=oneshot
 ExecStart=/usr/bin/timeout 90 bash -c 'while ! [ "$(/usr/bin/curl --write-out '%{http_code}' --silent --output /dev/null https://%%oauth2_client_server_domainname/.well-known/openid-configuration)" = 200 ]; do sleep 1; done;'
--- a/seed/peertube/applicationservice.yml
+++ b/seed/peertube/applicationservice.yml
@ -7,5 +7,5 @@ depends:
  - relay-mail-client
  - reverse-proxy-client
  - redis-client
-  - nginx-https
+  - nginx-common
  - oauth2-client
--- a/seed/peertube/dictionaries/30_peertube.xml
+++ b/seed/peertube/dictionaries/30_peertube.xml
@ -6,8 +6,7 @@
      <file engine="none" source="sysuser-peertube.conf">/sysusers.d/0peertube.conf</file>
      <file engine="none" source="tmpfile-peertube.conf">/tmpfiles.d/0peertube.conf</file>
      <file>/etc/peertube/production.yaml</file>
-      <file source="nginx.peertube.conf">/etc/nginx/default.d/peertube.conf</file>
+      <file source="nginx.peertube.conf">/etc/nginx/conf.d/peertube.conf</file>
      <file source="nginx.peertube.conf.d.conf">/etc/nginx/conf.d/peertube.conf</file>
    </service>
  </services>
  <variables>
@ -46,9 +45,6 @@
      </family>
    </family>
    <family name="nginx">
      <variable name="nginx_root" redefine='True'>
 	<value>/usr/share/peertube</value>
      </variable>
      <family name="revprox_client">
        <variable name="revprox_client_location" redefine="True">
          <value>/</value>
--- a/seed/peertube/templates/nginx.peertube.conf
+++ b/seed/peertube/templates/nginx.peertube.conf
@ -16,14 +16,15 @@
 # GNUNUX   location / { return 301 https://$host$request_uri; }
 # GNUNUX }
-# GNUNUX upstream %%domain_name_eth0 {
+upstream %%domain_name_eth0 {
 # GNUNUX  server ${PEERTUBE_HOST};
-# GNUNUX }
+  server localhost:9000;
 }
-# GNUNUX server {
+server {
-# GNUNUX   listen 443 ssl http2;
+  listen 443 ssl http2;
-# GNUNUX   listen [::]:443 ssl http2;
+  listen [::]:443 ssl http2;
-# GNUNUX   server_name %%domain_name_eth0;
+  server_name %%domain_name_eth0;
 # GNUNUX  access_log /var/log/nginx/peertube.access.log; # reduce I/0 with buffer=10m flush=5m
 # GNUNUX  error_log  /var/log/nginx/peertube.error.log;
@ -34,6 +35,11 @@
  ##
 # GNUNUX  ssl_certificate     /etc/letsencrypt/live/${WEBSERVER_HOST}/fullchain.pem;
 # GNUNUX  ssl_certificate_key /etc/letsencrypt/live/${WEBSERVER_HOST}/privkey.pem;
 #>GNUNUX
  ssl_client_certificate %%revprox_ca_file;
  ssl_certificate        %%revprox_cert_file;
  ssl_certificate_key    %%revprox_key_file;
 #<GNUNUX
 # GNUNUX  location ^~ '/.well-known/acme-challenge' {
 # GNUNUX    default_type "text/plain";
@ -45,14 +51,14 @@
  # based on Mozilla Guideline v5.6
  ##
-# GNUNUX  ssl_protocols             TLSv1.2 TLSv1.3;
+  ssl_protocols             TLSv1.2 TLSv1.3;
-# GNUNUX  ssl_prefer_server_ciphers on;
+  ssl_prefer_server_ciphers on;
-# GNUNUX  ssl_ciphers               ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
+  ssl_ciphers               ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
-# GNUNUX  ssl_session_timeout       1d; # defaults to 5m
+  ssl_session_timeout       1d; # defaults to 5m
-# GNUNUX  ssl_session_cache         shared:SSL:10m; # estimated to 40k sessions
+  ssl_session_cache         shared:SSL:10m; # estimated to 40k sessions
-# GNUNUX  ssl_session_tickets       off;
+  ssl_session_tickets       off;
-# GNUNUX  ssl_stapling              on;
+  ssl_stapling              on;
-# GNUNUX  ssl_stapling_verify       on;
+  ssl_stapling_verify       on;
  # HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
  #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
@ -139,6 +145,7 @@
  ##
 # GNUNUX  root /var/www/peertube/storage;
  root /usr/share/peertube;
  # Enable compression for JS/CSS/HTML, for improved client load times.
  # It might be nice to compress JSON/XML as returned by the API, but
@ -261,4 +268,4 @@
    try_files $uri @api;
  }
-# GNUNUX }
+}
--- a/seed/peertube/templates/nginx.peertube.conf.d.conf
+++ b/seed/peertube/templates/nginx.peertube.conf.d.conf
@ -1,4 +0,0 @@
 upstream %%domain_name_eth0 {
 # GNUNUX  server ${PEERTUBE_HOST};
  server localhost:9000;
 }
--- a/seed/piwigo/dictionaries/31_piwigo.xml
+++ b/seed/piwigo/dictionaries/31_piwigo.xml
@ -7,13 +7,16 @@
      <file>/etc/piwigo/database.inc.php</file>
      <file mode="755">/sbin/piwigo.sh</file>
      <file engine="none">/etc/php-fpm.d/piwigo.conf</file>
      <file source="piwigo.nginx.conf">/etc/nginx/default.d/piwigo.conf</file>
    </service>
  </services>
  <variables>
    <variable name="piwigo_admin_email" type="mail" description="Adresse courriel de l'administrateur Piwigo" mandatory="True"/>
    <variable name="piwigo_admin_password" type="password" auto_save="False" hidden="True"/>
-    <variable name="piwigo_locations" type="filename" multi="True" mandatory="True"/>
+    <family name="nginx">
      <variable name="nginx_root_directory" mandatory="True" redefine="True">
        <value>/usr/local/share/piwigo</value>
      </variable>
    </family>
    <variable name="piwigo_title" type="string" description="Titre de l'album" mandatory="True">
      <value>Album photographique</value>
    </variable>
@ -50,7 +53,7 @@
    </fill>
    <fill name="get_locations">
      <param name="usernames" type="variable">piwigo_users</param>
-      <target>piwigo_locations</target>
+      <target>nginx_locations</target>
    </fill>
  </constraints>
 </rougail>
--- a/seed/piwigo/templates/piwigo.service
+++ b/seed/piwigo/templates/piwigo.service
@ -1,6 +1,6 @@
 [Unit]
 Description=Piwigo management
-After=risotto.target
+After=mariadbclient.service
 Before=nginx.service php-fpm.service
 [Service]
--- a/seed/pleroma/dictionaries/30_pleroma.xml
+++ b/seed/pleroma/dictionaries/30_pleroma.xml
@ -7,7 +7,7 @@
      <file engine="none" source="tmpfile-peertube.conf">/tmpfiles.d/0peertube.conf</file>
      <file>/etc/peertube/production.yaml</file>
      <file engine="none">/etc/pam.d/login</file>
-      <file source="nginx.peertube.conf">/etc/nginx/sites-enabled/peertube.conf</file>
+      <file source="nginx.peertube.conf">/etc/nginx/conf.d/peertube.conf</file>
    </service>
  </services>
  <variables>
--- a/seed/postgresql-client/dictionaries/23_postgresql.xml
+++ b/seed/postgresql-client/dictionaries/23_postgresql.xml
@ -1,7 +1,7 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
  <services>
-    <service name="postgresqlclient" target="risotto" engine="creole">
+    <service name="postgresqlclient" target="multi-user" engine="creole">
      <file mode="400">/secrets/postgresql.pass</file>
      <file>/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt</file>
      <file>/etc/pki/tls/certs/postgresql.crt</file>
--- a/seed/postgresql-client/templates/postgresqlclient.service
+++ b/seed/postgresql-client/templates/postgresqlclient.service
@ -1,7 +1,6 @@
 [Unit]
 Description=Waiting for postgresql server
-After=network-online.target
+Before=network.target
 Before=risotto.target
 [Service]
 Type=oneshot
--- a/seed/postgresql/DEBUG.md
+++ b/seed/postgresql/DEBUG.md
@ -1 +0,0 @@
 pg_dumpall --clean > /srv/database.sql
--- a/seed/reverse-proxy-client/tests/revprox.py
+++ b/seed/reverse-proxy-client/tests/revprox.py
@ -33,7 +33,7 @@ class Authentication:
        ret = req.get(url)
        code = ret.status_code
        content = ret.content
-        assert code == 200, f"cannot access to lemonldap; {content}"
+        assert code == 200
        assert b'<title trspan="authPortal">Authentication portal</title>' in content, f'cannot find LemonLdap title: {content}'
    def auth_lemonldap(self,
--- a/seed/roundcube/templates/roundcube.service
+++ b/seed/roundcube/templates/roundcube.service
@ -1,6 +1,6 @@
 [Unit]
 Description=Roundcube database init
-After=risotto.target
+After=postgresqlclient.service
 Before=nginx.service php-fpm.service
 [Service]
--- a/seed/systemd/dictionaries/15-systemd.xml
+++ b/seed/systemd/dictionaries/15-systemd.xml
@ -29,7 +29,6 @@
      <file>/secrets/root.pwd</file>
      <file engine="none">/tmpfiles.d/risotto-volatile.conf</file>
    </service>
    <service name="risotto" target="multi-user" type="target" engine="none"/>
  </services>
  <variables>
    <variable name='root_password' type="password" description="Mot de passe de l'administrateur système root" auto_save='False' mandatory="True"/>
--- a/seed/systemd/templates/risotto.target
+++ b/seed/systemd/templates/risotto.target
@ -1,5 +0,0 @@
 [Unit]
 Description=Waiting for all dependencies
 Before=multi-user.target
 After=network-online.target
 Wants=network-online.target
		`@ -1,2 +0,0 @@`
			`%%get_certificate(%%nginx_default, authority_cn=%%domain_name_eth0, authority_name='HTTP', type="server", hide=%%hide_secret)`
			`%%get_chain(%%nginx_default, 'HTTP', hide=%%hide_secret)`
		`@ -1 +0,0 @@`
			`%%get_private_key(%%nginx_default, authority_cn=%%domain_name_eth0, authority_name='HTTP', type='server', hide=%%hide_secret)`
`@ -1,2 +1,2 @@`
	`[Unit]`	`[Unit]`
	`After=risotto.target`	`After=network.target`