ansible integration

certificate for reverse proxy
remove logrotate service
2022-10-01 19:29:50 +02:00 · 2022-10-01 19:29:09 +02:00 · 2022-10-01 19:28:39 +02:00 · 2022-10-01 19:28:13 +02:00 · 2022-10-01 19:26:37 +02:00 · 2022-10-01 19:25:21 +02:00
70 changed files with 725 additions and 432 deletions
--- a/seed/apache/dictionaries/20_web.xml
+++ b/seed/apache/dictionaries/20_web.xml
@ -24,15 +24,6 @@
        <value>300</value>
      </variable>
      <variable name="apache_keepalive" type="boolean" description="Autoriser les connexions persistantes"/>
      <variable name="server_ca" hidden="True"/>
    </family>
  </variables>
  <constraints>
    <fill name="get_chain">
      <param name="authority_cn" type="variable">revprox_client_server_domainname</param>
      <param name="authority_name">InternalReverseProxy</param>
      <param name="hide" type="variable">hide_secret</param>
      <target>server_ca</target>
    </fill>
  </constraints>
 </rougail>
--- a/seed/apache/templates/server.ca
+++ b/seed/apache/templates/server.ca
@ -1 +1 @@
-%%server_ca
+%%get_chain(authority_cn=%%revprox_client_server_domainname, authority_name="InternalReverseProxy", hide=%%hide_secret)
--- a/seed/base-debian-bullseye/applicationservice.yml
+++ b/seed/base-debian-bullseye/applicationservice.yml
@ -2,3 +2,4 @@ format: '0.1'
 description: Information de base d'un serveur Debian Buster
 depends:
  - base-debian
 distribution: true
--- a/seed/base-debian/dictionaries/11-debian-base.xml
+++ b/seed/base-debian/dictionaries/11-debian-base.xml
@ -4,7 +4,12 @@
    <service name="debian" manage="False">
      <file engine="none" source="tmpfile-tmp.conf">/tmpfiles.d/0tmp.conf</file>
      <file engine="none">/etc/default/locale</file>
      <file engine="none" source="sysuser-debian.conf">/sysusers.d/debian.conf</file>
    </service>
    <service name='apt-daily' disabled="True"/>
    <service name='apt-daily-upgrade' disabled="True"/>
    <service name='avahi-daemon' disabled="True"/>
    <service name='cron' disabled="True"/>
  </services>
  <variables>
    <variable name="os_name" type="string" description="Nom de l'OS" hidden="True">
--- a/seed/base-debian/manual/image/postinstall/debian.sh
+++ b/seed/base-debian/manual/image/postinstall/debian.sh
@ -1,2 +1,8 @@
 rm -f $IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/resolv.conf
 ln -s ../run/systemd/resolve/stub-resolv.conf $IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/resolv.conf
 #mkdir $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/network-online.target.wants
 #chmod 775 $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/network-online.target.wants
 #ln -s /usr/lib/systemd/system/systemd-networkd.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/dbus-org.freedesktop.network1.service"
 #ln -s /usr/lib/systemd/system/systemd-networkd.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/multi-user.target.wants/systemd-networkd.service"
 #ln -s /usr/lib/systemd/system/systemd-networkd-wait-online.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/network-online.target.wants/systemd-networkd-wait-online.service"
 #ln -s /usr/lib/systemd/system/systemd-networkd.socket "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/sockets.target.wants/systemd-networkd.socket"
--- a/seed/base-debian/templates/sysuser-debian.conf
+++ b/seed/base-debian/templates/sysuser-debian.conf
@ -0,0 +1,3 @@
 g Debian-exim 109
 u Debian-exim 104:109 "Exim" /var/spool/exim4 /usr/sbin/nologin
 g kvm 103
--- a/seed/base-fedora-35/applicationservice.yml
+++ b/seed/base-fedora-35/applicationservice.yml
@ -2,3 +2,4 @@ format: '0.1'
 description: Information de base d'un serveur fedora version 35
 depends:
  - base-fedora
 distribution: true
--- a/seed/base-fedora-36/applicationservice.yml
+++ b/seed/base-fedora-36/applicationservice.yml
@ -2,3 +2,4 @@ format: '0.1'
 description: Information de base d'un serveur fedora version 36
 depends:
  - base-fedora
 distribution: true
--- a/seed/base-fedora-36/manual/image/preinstall/base_fedora_36.sh
+++ b/seed/base-fedora-36/manual/image/preinstall/base_fedora_36.sh
@ -1 +1 @@
-BASE_PKG="$BASE_PKG pam"
+BASE_PKG="$BASE_PKG pam util-linux"
--- a/seed/base-fedora/dictionaries/11-fedora-base.xml
+++ b/seed/base-fedora/dictionaries/11-fedora-base.xml
@ -4,6 +4,7 @@
    <service name="fedora-base" manage="False">
      <file engine="none">/tmpfiles.d/fedora.conf</file>
    </service>
    <service name='logrotate' disabled="True"/>
  </services>
  <variables>
    <variable name="os_name" type="string" description="Nom de l'OS" hidden="True">
--- a/seed/base-machine/dictionaries/12-base.xml
+++ b/seed/base-machine/dictionaries/12-base.xml
@ -9,6 +9,7 @@
    <variable name="hide_secret" type="boolean" description="Les secrets sont obscurcis" mode="expert" help="Obscurcir les secrets peut permettre de générer des configurations diffusable sans problème de confidentialité ou pour comparer deux configurations générés à des moments différents">
      <value>False</value>
    </variable>
    <variable name="module_name" type="string" hidden="True" provider="global:module_name" mandatory="True"/>
    <family name="network" description="Réseau">
      <variable name="server_name" type="domainname" hidden="True" provider="global:server_name" mandatory="True"/>
      <variable name="zones_list" type="string" multi="True" description="Liste de toutes les zones" mandatory="True" hidden="True" provider="global:zones_name"/>
--- a/seed/base-machine/funcs/funcs.py
+++ b/seed/base-machine/funcs/funcs.py
@ -9,7 +9,7 @@ from os import makedirs as _makedirs
 #from risotto.utils import ZONES_SERVER
-_HERE = _dirname(_abspath(__main__.__file__))
+_HERE = _dirname(_dirname(_abspath(__main__.__file__)))
 _PASSWORD_DIR = _join(_HERE, 'password')
--- a/seed/base-machine/manual/install/install_host
+++ b/seed/base-machine/manual/install/install_host
@ -1,35 +0,0 @@
 #!/bin/bash -e
 HOST_NAME=$1
 if [ -z "$HOST_NAME" ]; then
    echo "usage: $0 host name"
    exit 1
 fi
 # remove current rules
 systemctl stop risottofirewall.service || true
 apt install --yes systemd-container dnf jq debootstrap htop gettext patch unzip mlocate xz-utils iptables
 systemd-tmpfiles --create --clean --remove $PWD/host/configurations/$HOST_NAME/tmpfiles.d/0asystemd-nspawn.conf
 systemd-tmpfiles --create --clean --remove $PWD/host/configurations/$HOST_NAME/tmpfiles.d/0rougail.conf
 systemctl daemon-reload
 systemctl restart systemd-sysctl.service
 systemctl enable systemd-networkd
 systemctl restart systemd-networkd
 systemctl enable systemd-resolved
 systemctl restart systemd-resolved
 # systemctl mask dev-hugepages.mount
 systemctl enable risotto-images.timer
 systemctl restart risotto-images.timer
 systemctl enable risottofirewall.service
 systemctl start risottofirewall.service
 #nft add table nat
 #nft flush table nat;
 #nft 'add chain nat prerouting { type nat hook prerouting priority -100; }'
 #nft 'add rule nat prerouting iif enp0s3 tcp dport { 80, 443 } dnat to 192.168.45.12'
 #nft 'add chain nat postrouting { type nat hook postrouting priority -100; }'
 #nft 'add rule nat postrouting ip saddr 192.168.45.10 oif enp0s8 tcp dport 53 snat to 10.0.3.15'
 #nft 'add rule nat postrouting ip saddr 192.168.45.10 oif enp0s8 udp dport 53 snat to 10.0.3.15'
 echo "install host OK"
 exit 0
--- a/seed/base-machine/manual/install/install_image
+++ b/seed/base-machine/manual/install/install_image
@ -1,177 +0,0 @@
 #!/bin/bash -e
 HOST_NAME=$1
 IMAGE_NAME=$2
 if [ -z "$IMAGE_NAME" ]; then
    echo "PAS DE NOM DE MODULE"
    exit 1
 fi
 . config.sh
 rm -rf "$IMAGE_NAME_RISOTTO_IMAGE_DIR" tmp
 mkdir -p "$RISOTTO_IMAGE_DIR"
 PKG=""
 BASE_DIR=""
 for script in $(ls $IMAGE_NAME/manual/preinstall/*.sh 2> /dev/null); do
    . "$script"
 done
 if [ -z "$OS_NAME" ]; then
    echo "NO OS NAME DEFINED"
    exit 0
 fi
 if [ -z "$RELEASEVER" ]; then
    echo "NO RELEASEVER DEFINED"
    exit 0
 fi
 if [ -z "$INSTALL_TOOL" ]; then
    echo "NO INSTALL TOOL DEFINED"
    exit 0
 fi
 BASE_NAME="$OS_NAME-$RELEASEVER"
 BASE_DIR="$IMAGE_BASE_RISOTTO_BASE_DIR/$BASE_NAME"
 BASE_TAR="$IMAGE_BASE_RISOTTO_BASE_DIR-$BASE_NAME".tar
 BASE_PKGS_FILE="$IMAGE_BASE_RISOTTO_BASE_DIR-$BASE_NAME.pkgs"
 BASE_LOCK="$IMAGE_BASE_RISOTTO_BASE_DIR-$BASE_NAME.build"
 function dnf_opt() {
    INSTALL_DIR=$1
    INSTALL_PKG=$2
    echo "--setopt=install_weak_deps=False --nodocs --noplugins --installroot=$INSTALL_DIR --releasever $RELEASEVER install $INSTALL_PKG"
 }
 function new_package_base() {
    if [ "$INSTALL_TOOL" = "dnf" ]; then
        OPT=$(dnf_opt "$BASE_DIR" "$BASE_PKG")
        dnf --assumeno $OPT | grep ^" " > "$BASE_PKGS_FILE".new
    else
        debootstrap --include="$BASE_PKG" --variant=minbase "$RELEASEVER" "$BASE_DIR" > /dev/null
        chroot "$BASE_DIR" dpkg-query -f '${binary:Package} ${source:Version}\n' -W > "$BASE_PKGS_FILE".new
    fi
 }
 function install_base() {
    if [ "$INSTALL_TOOL" = "dnf" ]; then
        OPT=$(dnf_opt "$BASE_DIR" "$BASE_PKG")
        dnf --assumeyes $OPT
    fi
 }
 function new_package() {
    if [ "$INSTALL_TOOL" = "dnf" ]; then
        OPT=$(dnf_opt "$IMAGE_NAME_RISOTTO_IMAGE_DIR" "$PKG")
        dnf --assumeno $OPT | grep ^" " > "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new
    else
        chroot "$IMAGE_NAME_RISOTTO_IMAGE_DIR" apt install --no-install-recommends --yes $PKG -s 2>/dev/null|grep ^"Inst " > "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new
    fi
 }
 function install_pkg() {
    if [ "$INSTALL_TOOL" = "dnf" ]; then
        OPT=$(dnf_opt "$IMAGE_NAME_RISOTTO_IMAGE_DIR" "$PKG")
        dnf --assumeyes $OPT
    else
        chroot "$IMAGE_NAME_RISOTTO_IMAGE_DIR" apt install --no-install-recommends --yes $PKG
    fi
 }
 if [ ! -f "$BASE_LOCK" ]; then
    echo "  - reinstallation de l'image de base"
    rm -rf "$BASE_DIR"
    new_package_base
    diff -u "$BASE_PKGS_FILE" "$BASE_PKGS_FILE".new && NEW_BASE=false || NEW_BASE=true
    if [ ! -f "$BASE_TAR" ] || [ "$NEW_BASE" = true ]; then
        mkdir -p "$IMAGE_BASE_RISOTTO_BASE_DIR"
        install_base
        cd "$IMAGE_BASE_RISOTTO_BASE_DIR"
        tar cf "$BASE_TAR" "$BASE_NAME"
        cd - > /dev/null
        if [ -f "$BASE_PKGS_FILE" ]; then
            mv "$BASE_PKGS_FILE" "$BASE_PKGS_FILE".old
        fi
        mv "$BASE_PKGS_FILE".new "$BASE_PKGS_FILE"
        rm -rf "$IMAGE_BASE_RISOTTO_BASE_DIR"
    fi
    rm -rf "$BASE_DIR"
    touch "$BASE_LOCK"
 fi
 tar xf "$BASE_TAR"
 mv "$BASE_NAME" "$IMAGE_NAME_RISOTTO_IMAGE_DIR"
 if [ -n "$COPR" ]; then
    #FIXME signature...
    mkdir -p "$REPO_DIR"
    cd "$REPO_DIR"
    wget -q "$COPR"
    cd - > /dev/null
 fi
 if [ "$FUSION" = true ]; then
    dnf -y install "https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$RELEASEVER.noarch.rpm" --installroot="$IMAGE_NAME_RISOTTO_IMAGE_DIR" > /dev/null
 fi
 # FIXME verifier s'il y a des modifs sur pre/post
 if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs ] && [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs ]; then
    echo "  - différence(s) avec les paquets de base"
    diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs "$BASE_PKGS_FILE" && INSTALL=false || INSTALL=true
 else
    INSTALL=true
 fi
 new_package
 if [ "$INSTALL" = false ]; then
    echo "  - différence(s) avec les paquets de l'image"
    diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new && INSTALL=false || INSTALL=true
 fi
 find $IMAGE_NAME/manual -type f -exec md5sum '{}' \; > "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum.new
 if [ "$INSTALL" = false ]; then
    diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum.new && INSTALL=false || INSTALL=true
 fi
 if [ "$INSTALL" = true ]; then
    echo "  - installation"
    if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version ]; then
        VERSION=$(cat "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version)
    else
        VERSION=0
    fi
    mkdir tmp
    ORI_DIR=$PWD
    cd tmp
    if [ ! "$VERSION" = 0 ]; then
        tar xf "$IMAGE_NAME_RISOTTO_IMAGE_NAME"
        if [ "$INSTALL_TOOL" = "apt" ]; then
            chown _apt "$IMAGE_NAME"
        fi
    else
        mkdir "$IMAGE_NAME"
    fi
    cd "$IMAGE_NAME"
    ../../make_changelog "$IMAGE_NAME" "$VERSION" "$OS_NAME" "$RELEASEVER" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER"_"$VERSION"_changelog.md
    cd $ORI_DIR
    rm -rf tmp
    install_pkg
    sleep 2
    for script in $(ls $IMAGE_NAME/manual/postinstall/*.sh 2> /dev/null); do
        . "$script"
    done
    CONTAINER=$IMAGE_NAME ./make_volatile /etc
    if [ ! "$?" = 0 ]; then
        echo "make_volatile failed"
        exit 1
    fi
    cd "$RISOTTO_IMAGE_DIR"
    #7zr a "$IMAGE_NAME".7z "$IMAGE_NAME"
    if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_NAME" ]; then
        mv -f "$IMAGE_NAME_RISOTTO_IMAGE_NAME" "$IMAGE_NAME_RISOTTO_IMAGE_NAME".old
    fi
    tar cf "$IMAGE_NAME_RISOTTO_IMAGE_NAME" "$IMAGE_NAME"
    sha256sum "$IMAGE_NAME_RISOTTO_IMAGE_NAME" > "$IMAGE_NAME_RISOTTO_IMAGE_NAME".sha
    cd - > /dev/null
    cp -f "$BASE_PKGS_FILE" "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs
    mv -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs
    mv -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum.new "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum
    VERSION=$((VERSION + 1)) 
    echo "$VERSION" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version
 fi
 rm -rf "$IMAGE_NAME_RISOTTO_IMAGE_DIR"
 echo "  => OK"
 exit 0
--- a/seed/base-machine/manual/install/install_images
+++ b/seed/base-machine/manual/install/install_images
@ -1,17 +0,0 @@
 #!/bin/bash -e
 HOST_NAME=$1
 if [ -z "$HOST_NAME" ]; then
    echo "usage: $0 host name"
    exit 1
 fi
 . config.sh
 rm -f $IMAGE_BASE_RISOTTO_BASE_DIR*.build
 for image in *; do
    if [ -d "$image" ]; then
 	echo
        echo "Install image $image"
        ./install_image "$HOST_NAME" "$image"
    fi
 done
 rm -f $IMAGE_BASE_RISOTTO_BASE_DIR*.build
 exit 0
--- a/seed/base-machine/manual/install/install_machine
+++ b/seed/base-machine/manual/install/install_machine
@ -2,6 +2,7 @@
 HOST_NAME=$1
 IMAGE_NAME=$2
 MACHINE=$3
 exit 0
 . config.sh
 . config_machine.sh
 if [ -z "$MACHINE" ]; then
@ -40,24 +41,25 @@ fi
 if [ "$NEW_CONF" = true ]; then
    echo "  - delete old settings"
    ./diff.py "$MACHINE" "$MACHINE_RISOTTO_CONFIG_DIR" "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" > "$MACHINE_RISOTTO_CONFIG_DIR"_changelog.md
-    rm -rf "$MACHINE_RISOTTO_CONFIG_DIR"
+#    rm -rf "$MACHINE_RISOTTO_CONFIG_DIR"
 fi
-cp -a "$MACHINE_NAME_NSPAWN_LOCAL" "$MACHINE_NAME_NSPAWN"
+#cp -a "$MACHINE_NAME_NSPAWN_LOCAL" "$MACHINE_NAME_NSPAWN"
-cp -a "$MACHINE_NAME_SCRIPT_LOCAL" "$MACHINE_NAME_SCRIPT"
+#cp -a "$MACHINE_NAME_SCRIPT_LOCAL" "$MACHINE_NAME_SCRIPT"
-if [ ! -d "$MACHINE_RISOTTO_CONFIG_DIR" ]; then
+#if [ ! -d "$MACHINE_RISOTTO_CONFIG_DIR" ]; then
-    cp -a "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" "$MACHINE_RISOTTO_CONFIG_DIR"
+#    cp -a "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" "$MACHINE_RISOTTO_CONFIG_DIR"
-fi
+#fi
-if [ ! -d "$MACHINE_RISOTTO_SRV_DIR" ] && [ -d "$MACHINE_RISOTTO_SRV_DIR_LOCAL" ]; then
+#if [ ! -d "$MACHINE_RISOTTO_SRV_DIR" ] && [ -d "$MACHINE_RISOTTO_SRV_DIR_LOCAL" ]; then
-    mkdir -p "$MACHINE_RISOTTO_SRV_DIR"
+#    mkdir -p "$MACHINE_RISOTTO_SRV_DIR"
-fi
+#fi
-mkdir -p "$RISOTTO_JOURNALD_DIR"
+#mkdir -p "$RISOTTO_JOURNALD_DIR"
 if [ ! -d "$MACHINE_MACHINES_DIR" ]; then
    cd "$MACHINES_DIR"
    mkdir "$IMAGE_NAME"
    cd "$IMAGE_NAME"
    tar xf "$IMAGE_NAME_RISOTTO_IMAGE_NAME"
    mkdir -p "$SHA_MACHINE_DIR"
    cp -a "$IMAGE_NAME_RISOTTO_IMAGE_NAME".sha "$SHA_MACHINE"
    mv "$IMAGE_NAME" "$MACHINE_MACHINES_DIR"
    cd - > /dev/null
 fi
--- a/seed/dovecot/templates/dovecot-ldap.conf.ext
+++ b/seed/dovecot/templates/dovecot-ldap.conf.ext
@ -136,7 +136,7 @@ user_attrs = homeDirectory=home
 #   %d - domain part in user@domain, empty if user there's no domain
 #user_filter = (&(objectClass=posixAccount)(uid=%u))
 #>GNUNUX
-user_filter = (&(objectClass=inetOrgPerson)(mail=%u))
+user_filter = (&(objectClass=inetOrgPerson)(mailLocalAddress=%u))
 #<GNUNUX
 # Password checking attributes:
--- a/seed/dovecot/templates/imap.yml
+++ b/seed/dovecot/templates/imap.yml
@ -8,3 +8,5 @@ password: %%get_password(server_name='test', username=%%username, description="t
 username_family: %%username_family
 password_family: %%get_password(server_name='test', username=%%username_family, description='test', type="cleartext", hide=%%hide_secret, temporary=True)
 name_family: %%name_family
 smtp: %%get_ip(%%smtp_relay_address)
 ext_username: 'test@example.net'
--- a/seed/dovecot/tests/test_imap.py
+++ b/seed/dovecot/tests/test_imap.py
@ -1,6 +1,7 @@
 from yaml import load, SafeLoader
 from os import environ
 import pytest
 import datetime
 from imaplib2 import IMAP4_SSL
 from smtplib import SMTP, SMTPNotSupportedError, SMTPAuthenticationError
@ -10,17 +11,29 @@ from smtplib import SMTP, SMTPNotSupportedError, SMTPAuthenticationError
 conf_file = f'{environ["MACHINE_TEST_DIR"]}/imap.yml'
 with open(conf_file) as yaml:
    data = load(yaml, Loader=SafeLoader)
-parameters = (('user', data['username'], [data['password']]),
+parameters = (
-              ('family', data['username_family'], [data['password_family'], data['password_family'] + "2"]),
+              (1, 5, 'user', data['username'], data['username'], data['username'], [data['password']]),
              (2, 5, 'user', data['username'], data['username'], 'alias_' + data['username'], [data['password']]),
              (1, 3, 'family', data['username_family'], data['username_family'], data['username_family'], [data['password_family'], data['password_family'] + "2"]),
              (3, 5, 'user', data['username'], data['ext_username'], data['username'], [data['password']]),
             (4, 5, 'user', data['username'], data['ext_username'], 'alias_' + data['username'], [data['password']]),
              (2, 3, 'family', data['username_family'], data['ext_username'], data['username_family'], [data['password_family'], data['password_family'] + "2"]),
              )
-def get_msg(username, msg='MESSAGE'):
+def get_msg(username, dest, msg='MESSAGE', with_date=True):
-    return f'From: {username}\r\nTo: {username}\r\n\r\nSubject: TEST\r\n{msg}\r\n'
+    date = datetime.datetime.now()
    ret = f'From: {username}\r\nTo: {dest}\r\n\r\nSubject: TEST\r\n{msg}\r\n'
    if with_date:
        date_str = date.strftime('%a, %d %b %Y %H:%M:%S +0200 (CEST)')
        ret = f'Date: {date_str}\r\n{ret}'
    return ret
-@pytest.mark.parametrize('typ, username, passwords', parameters)
+@pytest.mark.parametrize('idx, maxi, typ, login_username, username, dest, passwords', parameters)
-def test_imap_wrong_password(typ, username, passwords):
+def test_imap_wrong_password(idx, maxi, typ, login_username, username, dest, passwords):
    if username == data['ext_username']:
        return
    imap = IMAP4_SSL(data['address'])
    try:
        imap.LOGIN(username, 'b')
@ -30,9 +43,13 @@ def test_imap_wrong_password(typ, username, passwords):
        raise Exception('wrong login !')
-@pytest.mark.parametrize('typ, username, passwords', parameters)
+@pytest.mark.parametrize('idx, maxi, typ, login_username, username, dest, passwords', parameters)
-def test_imap_migration(typ, username, passwords):
+def test_imap_migration(idx, maxi, typ, login_username, username, dest, passwords):
-    msg = get_msg(username, 'MIGRATION')
+    if dest.startswith('alias_'):
        return
    if username == data['ext_username']:
        return
    msg = get_msg(username, dest, 'MIGRATION', False)
    if 'FIRST_RUN' in environ:
        smtp = SMTP(data['address'], '587')
        smtp.starttls()
@ -45,7 +62,7 @@ def test_imap_migration(typ, username, passwords):
                error = err
        else:
            raise error from error
-        smtp.sendmail(username, username, msg)
+        smtp.sendmail(username, dest, msg)
        smtp.quit()
    imap = IMAP4_SSL(data['address'])
    error = None
@ -69,15 +86,19 @@ def test_imap_migration(typ, username, passwords):
    imap.LOGOUT()
-@pytest.mark.parametrize('typ, username, passwords', parameters)
+@pytest.mark.parametrize('idx, maxi, typ, login_username, username, dest, passwords', parameters)
-def test_smtp_no_tls(typ, username, passwords):
+def test_smtp_no_tls(idx, maxi, typ, login_username, username, dest, passwords):
    if username == data['ext_username']:
        return
    smtp = SMTP(data['address'], '587')
    with pytest.raises(SMTPNotSupportedError):
        smtp.login(username, passwords[0])
-@pytest.mark.parametrize('typ, username, passwords', parameters)
+@pytest.mark.parametrize('idx, maxi, typ, login_username, username, dest, passwords', parameters)
-def test_smtp_wrong_passwd(typ, username, passwords):
+def test_smtp_wrong_passwd(idx, maxi, typ, login_username, username, dest, passwords):
    if username == data['ext_username']:
        return
    smtp = SMTP(data['address'], '587')
    smtp.starttls()
    with pytest.raises(SMTPAuthenticationError):
@ -85,8 +106,10 @@ def test_smtp_wrong_passwd(typ, username, passwords):
    smtp.quit()
-@pytest.mark.parametrize('typ, username, passwords', parameters)
+@pytest.mark.parametrize('idx, maxi, typ, login_username, username, dest, passwords', parameters)
-def test_smtp_login(typ, username, passwords):
+def test_smtp_login(idx, maxi, typ, login_username, username, dest, passwords):
    if username == data['ext_username']:
        return
    smtp = SMTP(data['address'], '587')
    smtp.starttls()
    error = None
@ -101,30 +124,33 @@ def test_smtp_login(typ, username, passwords):
    smtp.quit()
-@pytest.mark.parametrize('typ, username, passwords', parameters)
+@pytest.mark.parametrize('idx, maxi, typ, login_username, username, dest, passwords', parameters)
-def test_smtp_sendmail(typ, username, passwords):
+def test_smtp_sendmail(idx, maxi, typ, login_username, username, dest, passwords):
-    smtp = SMTP(data['address'], '587')
+    if username == data['ext_username']:
-    smtp.starttls()
+        smtp = SMTP(data['smtp'], '25')
    error = None
    for password in passwords:
        try:
            smtp.login(username, password)
            break
        except SMTPAuthenticationError as err:
            error = err
    else:
-        raise error from error
+        smtp = SMTP(data['address'], '587')
-    smtp.sendmail(username, username, get_msg(username))
+        smtp.starttls()
        error = None
        for password in passwords:
            try:
                smtp.login(username, password)
                break
            except SMTPAuthenticationError as err:
                error = err
        else:
            raise error from error
    smtp.sendmail(username, dest, get_msg(username, dest))
    smtp.quit()
-@pytest.mark.parametrize('typ, username, passwords', parameters)
+@pytest.mark.parametrize('idx, maxi, typ, login_username, username, dest, passwords', parameters)
-def test_imap_read_mail(typ, username, passwords):
+def test_imap_read_mail(idx, maxi, typ, login_username, username, dest, passwords):
    imap = IMAP4_SSL(data['address'])
    error = None
    for password in passwords:
        try:
-            imap.LOGIN(username, password)
+            imap.LOGIN(login_username, password)
            break
        except Exception as err:
            error = err
@ -134,24 +160,31 @@ def test_imap_read_mail(typ, username, passwords):
    typ, req = imap.SEARCH(None, 'ALL')
    assert typ == 'OK'
    assert len(req) == 1
-    msg = get_msg(username)
+    msg = get_msg(username, dest, with_date=False)
    msg_no = req[0].split()
-    assert len(msg_no) == 2
+    assert len(msg_no) == maxi
-    for num in msg_no[1:]:
+    num = msg_no[idx]
-        field = imap.FETCH(num, '(RFC822)')
+    field = imap.FETCH(num, '(RFC822)')
-        assert field[0] == 'OK'
+    assert field[0] == 'OK'
-        assert field[1][-2][-1].decode().endswith(msg)
+    fdata = field[1][-2][-1].decode().split('\r\n')
    if fdata[-2].startswith('--'):
        fdata = fdata[:-2]
    fdata = '\r\n'.join(fdata)
    assert 'Undelivered' not in fdata
    assert fdata.endswith(msg)
    imap.CLOSE()
    imap.LOGOUT()
-@pytest.mark.parametrize('typ, username, passwords', parameters)
+@pytest.mark.parametrize('idx, maxi, typ, login_username, username, dest, passwords', parameters)
-def test_imap_delete_mail(typ, username, passwords):
+def test_imap_delete_mail(idx, maxi, typ, login_username, username, dest, passwords):
    if username == data['ext_username']:
        return
    imap = IMAP4_SSL(data['address'])
    error = None
    for password in passwords:
        try:
-            imap.LOGIN(username, password)
+            imap.LOGIN(login_username, password)
            break
        except Exception as err:
            error = err
--- a/seed/gitea/templates/app.ini
+++ b/seed/gitea/templates/app.ini
@ -33,8 +33,8 @@ LFS_CONTENT_PATH = /srv/gitea/lib/data/lfs
 LFS_JWT_SECRET   = %%gitea_lfs_jwt_secret
 OFFLINE_MODE     = true
 PROTOCOL         = https
-CERT_FILE        = %%revprox_cert_file
+CERT_FILE        = %%revprox_client_cert_file
-KEY_FILE         = %%revprox_key_file
+KEY_FILE         = %%revprox_client_key_file
 [mailer]
 ENABLED = true
--- a/seed/host-systemd-machined/dictionaries/21-machined.xml
+++ b/seed/host-systemd-machined/dictionaries/21-machined.xml
@ -2,16 +2,18 @@
 <rougail version="0.10">
  <services>
    <service name="systemd-machined">
      <file>/etc/systemd/system/risotto-images.service</file>
      <file>/etc/systemd/system/risotto-images.timer</file>
      <file>/etc/systemd/network/80-container-vz.network</file>
      <file file_type="variable" source="70-container.network" variable="zone_name">systemd_zone_filename</file>
      <file file_type="variable" source="70-container.netdev" variable="zone_name">systemd_netzone_filename</file>
    </service>
-    <service name="risottofirewall" engine="creole" target="multi-user">
+    <service name="risotto-images" engine="creole" manage="False"/>
-    </service>
+    <service name="systemd-sysctl"/>
    <service name="systemd-networkd"/>
    <service name="systemd-resolved"/>
    <service name="risotto-images" type="timer" engine="creole"/>
    <service name="risottofirewall" engine="creole"/>
    <service name="systemd-nspawn@">
-      <file>/tmpfiles.d/0asystemd-nspawn.conf</file>
+      <file>/usr/local/lib/risotto-tmpfiles.d/0asystemd-nspawn.conf</file>
      <file>/etc/systemd/system/systemd-nspawn@.service.d/systemd-nspawn@.conf</file>
      <file>/etc/distro.repos.d/boot.repo</file>
      <file>/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-35-x86_64</file>
@ -25,8 +27,25 @@
    <variable name="host_install_dir" type="filename" description="Nom du répertoire comprenant les descriptions d'installation" mandatory="True"/>
    <variable name="host_dhcp_filename" type="filename" hidden="True" multi="True"/>
    <variable name="host_name" type="domainname" hidden="True" provider="global:server_name" mandatory="True"/>
    <variable name="module_name" type="string" hidden="True" provider="global:module_name" mandatory="True"/>
    <variable name="systemd_zone_filename" type="filename" hidden="True" multi="True"/>
    <variable name="systemd_netzone_filename" type="filename" hidden="True" multi="True"/>
    <variable name="vm_swappiness" type="number" description="Ajustement de la mémoire virtuelle" mandatory="True">
      <value>60</value>
    </variable>
    <variable name="host_packages" multi="True" hidden="True">
      <value>systemd-container</value>
      <value>dnf</value>
      <value>jq</value>
      <value>debootstrap</value>
      <value>htop</value>
      <value>gettext</value>
      <value>patch</value>
      <value>unzip</value>
      <value>mlocate</value>
      <value>xz-utils</value>
      <value>iptables</value>
    </variable>
    <family name="network">
      <variable name="host_dhcp_interface" description="Carte réseau en DHCP" multi="True"/>
      <variable name="output_interface" description="Nom de l'interface de sortie" mandatory="True"/>
--- a/seed/host-systemd-machined/templates/0asystemd-nspawn.conf
+++ b/seed/host-systemd-machined/templates/0asystemd-nspawn.conf
@ -4,12 +4,3 @@ D /etc/systemd/network/ 0755 root root - -
 D /usr/local/lib/systemd/system/ 0755 root root - -
 d /var/lib/risotto/configurations/ 0755 root root - -
 r /etc/network/interfaces -    -    -     -           -
 %for %%filename in %%machined.nspawn_script_filename
 C %%filename 0755 root root - %%host_install_dir/host/configurations/%%host_name%%filename
 %end for
 %for %%service in %%services
  %if %%service.engine != 'none'
    %set %%filename = '/usr/local/lib/systemd/system/' + %%service.doc
 C %%filename 0755 root root - %%host_install_dir/host/configurations/%%host_name%%filename
  %end if
 %end for
--- a/seed/host-systemd-machined/templates/90-risotto.conf
+++ b/seed/host-systemd-machined/templates/90-risotto.conf
@ -1,2 +1,3 @@
 net.ipv4.ip_forward = 1
 fs.inotify.max_user_instances = 1024
 vm.swappiness = %%vm_swappiness
--- a/seed/host-systemd-machined/templates/risotto-images.service
+++ b/seed/host-systemd-machined/templates/risotto-images.service
@ -5,7 +5,7 @@ After=network.target local-fs.target systemd-logind.service
 [Service]
 Type=oneshot
 WorkingDirectory=%%host_install_dir
-ExecStart=%%host_install_dir/install_images %%host_name
+ExecStart=/usr/local/sbin/build_images
 ExecStart=%%host_install_dir/backup %%host_name no
 ExecStart=%%host_install_dir/install_machines %%host_name
--- a/seed/lemonldap/templates/handler-nginx.conf
+++ b/seed/lemonldap/templates/handler-nginx.conf
@ -22,8 +22,8 @@ server {
 #>GNUNUX
  listen 443 ssl;
  server_name %%lemon_reload_web_name;
-  ssl_certificate         %%revprox_cert_file;
+  ssl_certificate         %%revprox_client_cert_file;
-  ssl_certificate_key     %%revprox_key_file;
+  ssl_certificate_key     %%revprox_client_key_file;
  ssl_client_certificate  %%revprox_ca_file;
 #<GNUNUX
  root /var/www/html;
--- a/seed/lemonldap/templates/portal-nginx.conf
+++ b/seed/lemonldap/templates/portal-nginx.conf
@ -49,8 +49,8 @@ server {
 #>GNUNUX
  listen 443 ssl;
  server_name %%{revprox_client_external_domainnames[0]};
-  ssl_certificate %%revprox_cert_file;
+  ssl_certificate %%revprox_client_cert_file;
-  ssl_certificate_key %%revprox_key_file;
+  ssl_certificate_key %%revprox_client_key_file;
  ssl_client_certificate %%revprox_ca_file;
  ssl_session_cache shared:SSL:10m;
 #<GNUNUX
--- a/seed/letsencrypt/funcs/letsencrypt.py
+++ b/seed/letsencrypt/funcs/letsencrypt.py
@ -8,6 +8,7 @@ from os import makedirs as _makedirs
 _HERE = _dirname(_abspath(__main__.__file__))
 _HERE = '/home/gnunux/git/risotto/risotto'
 _LE_DIR = _join(_HERE, 'pki', 'letsencrypt')
 _X509_DIR = _join(_HERE, 'pki', 'x509')
@ -33,7 +34,7 @@ def letsencrypt_certif(domain: str,
        with open(date_file, 'r') as fh:
            letsencrypt_date = fh.read().strip()
    if letsencrypt_date != today:
-        print(f"Obtain or renew Let's Encrypt certificate for {domain}...")
+#        print(f"Obtain or renew Let's Encrypt certificate for {domain}...")
        cli_args = ['certbot',
                    'certonly',
                    f'--dns-{plugin_name}',
@ -58,7 +59,7 @@ def letsencrypt_certif(domain: str,
        if ret.returncode != 0:
            print("FIXME")
            #raise ValueError(ret.stderr.decode())
-        print("Done")
+#        print("Done")
    with open(date_file, 'w') as fh:
        fh.write(today)
    rootdir = _join(_X509_DIR, f'{authority_name}+{authority_cn}')
--- a/seed/mailman/manual/image/postinstall/postorius.sh
+++ b/seed/mailman/manual/image/postinstall/postorius.sh
@ -1,7 +1,7 @@
 PYTHON="usr/lib/python3.10/site-packages"
-cp -a "mailman/manual/postinstall/lemonldap" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/"
+cp -a "$IMAGE_DIR_RECIPIENT_IMAGE/postinstall/lemonldap" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/"
-cp -a "mailman/manual/postinstall/risotto" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/"
+cp -a "$IMAGE_DIR_RECIPIENT_IMAGE/postinstall/risotto" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/"
-cp -a "mailman/manual/postinstall/postorius" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius"
+cp -a "$IMAGE_DIR_RECIPIENT_IMAGE/postinstall/postorius" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius"
 chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius/manage.py"
 ln -s /etc/mailman3.d/postorius.py "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius/m_postorius/settings_local.py"
 ln -s ../../django_mailman3/static/django-mailman3 "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/postorius/static/"
--- a/seed/nextcloud/DEBUG.md
+++ b/seed/nextcloud/DEBUG.md
@ -43,6 +43,13 @@ Vérification :
 su - apache -s /bin/bash -c "php /usr/share/nextcloud/occ config:list"|grep know
 ```
 Il faut quelque chose comme : 
 ```
            "well-known": "{\"grant_types_supported\": [...]}"
 ```
 Suppression de cache nextcloud :
 ```
@ -54,3 +61,9 @@ Sur lemonldap, le script de création du fichier .well-known :
 ```
 /usr/local/lib/sbin/interne_well_known.pl
 ```
 Pour regénérer :
 ```
 systemctl restart lemonldap-ng-fastcgi-server.service
 ```
--- a/seed/nextcloud/templates/nextcloud-config.php
+++ b/seed/nextcloud/templates/nextcloud-config.php
@ -13,23 +13,23 @@ $CONFIG = array (
    0 => 'localhost',
    1 => '%%revprox_client_external_domainnames[0]',
  ),
-  'apps_paths' =>
+  'apps_paths' => 
  array (
-    0 =>
+    0 => 
    array (
-        'path' => '/usr/share/nextcloud/apps',
+      'path' => '/usr/share/nextcloud/apps',
-        'url' => '/apps',
+      'url' => '/apps',
-        'writable' => false,
+      'writable' => false,
    ),
-    1 =>
+    1 => 
    array (
-        'path' => '/usr/local/share/nextcloud/apps',
+      'path' => '/usr/local/share/nextcloud/apps',
-        'url' => '/apps-appstore',
+      'url' => '/apps-appstore',
-        'writable' => true,
+      'writable' => true,
    ),
  ),
  'dbtype' => 'pgsql',
-  'version' => '22.1.0.1',
+  'version' => '{{VERSION}}',
  'overwrite.cli.url' => 'http://localhost',
  'dbname' => '%%pg_client_database',
  'dbhost' => '%%pg_client_server_domainname',
@ -37,7 +37,13 @@ $CONFIG = array (
  'dbtableprefix' => 'oc_',
  'dbuser' => '%%pg_client_username',
  'dbpassword' => '%%pg_client_password',
-  'dbdriveroptions' => array('sslmode' => 'verify-full', 'sslcert' => '/etc/pki/tls/certs/postgresql.crt', 'sslkey' => '/etc/pki/tls/private/postgresql.key', 'sslrootcert' => '/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt'),
+  'dbdriveroptions' => 
  array (
    'sslmode' => 'verify-full',
    'sslcert' => '/etc/pki/tls/certs/postgresql.crt',
    'sslkey' => '/etc/pki/tls/private/postgresql.key',
    'sslrootcert' => '/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt',
  ),
  'passwordsalt' => '{{SALT}}',
  'secret' => '{{SECRET}}',
  'instanceid' => '%%nextcloud_instance_id',
@ -46,49 +52,52 @@ $CONFIG = array (
  'maintenance' => false,
  'appstoreenabled' => false,
  'appcodechecker' => false,
-  'memcache.distributed' => '\OC\Memcache\Redis',
+  'memcache.distributed' => '\\OC\\Memcache\\Redis',
-  'memcache.locking' => '\OC\Memcache\Redis',
+  'memcache.locking' => '\\OC\\Memcache\\Redis',
  'trusted_proxies' => '%%revprox_client_server_ip',
  'overwritehost' => '%%revprox_client_external_domainnames[0]',
  'filelocking.enabled' => true,
-  'redis' => [
+  'redis' => 
-     'host' => '%%redis_client_server_domainname',
+  array (
-     'port' => 6380,
+    'host' => '%%redis_client_server_domainname',
-     'user' => '%%redis_client_username',
+    'port' => 6380,
-     'password' => '%%redis_client_password',
+    'user' => '%%redis_client_username',
-     'dbindex' => 0,
+    'password' => '%%redis_client_password',
-      'ssl_context' => [
+    'dbindex' => 0,
-         'local_cert' => '/etc/pki/tls/certs/redis.crt',
+    'ssl_context' => 
-         'local_pk' => '/etc/pki/tls/private/redis.key',
+    array (
-         'cafile' => '/etc/pki/ca-trust/source/anchors/ca_Redis.crt',
+      'local_cert' => '/etc/pki/tls/certs/redis.crt',
-      ]
+      'local_pk' => '/etc/pki/tls/private/redis.key',
-  ],
+      'cafile' => '/etc/pki/ca-trust/source/anchors/ca_Redis.crt',
    )
  ),
  'default_phone_region' => 'FR',
-//OIDC login
+# OIDC login
  'allow_user_to_change_display_name' => false,
  'lost_password_link' => 'disabled',
  'oidc_login_provider_url' => 'https://%%oauth2_client_server_domainname',
  'oidc_login_client_id' => '%%oauth2_client_id',
  'oidc_login_client_secret' => '%%oauth2_client_secret',
  'oidc_login_auto_redirect' => true,
-//FIXME 'oidc_login_logout_url' => 'https://openid.example.com/thankyou',
+# FIXME 'oidc_login_logout_url' => 'https://openid.example.com/thankyou',
-//FIXME to true
+# FIXME to true
  'oidc_login_end_session_redirect' => false,
-//If no quota, we cannot send file
+# If no quota, we cannot send file
  'oidc_login_default_quota' => '1000000000000000',
  'oidc_login_button_text' => 'Log in with OpenID',
  'oidc_login_hide_password_form' => true,
  'oidc_login_use_id_token' => false,
-  'oidc_login_attributes' => array (
+  'oidc_login_attributes' => 
-      'id' => 'sub',
+  array (
-      'name' => 'name',
+    'id' => 'sub',
-      'mail' => 'email',
+    'name' => 'name',
-//      'quota' => 'ownCloudQuota',
+    'mail' => 'email',
-//      'home' => 'homeDirectory',
+#    'quota' => 'ownCloudQuota',
-      'ldap_uid' => 'uid',
+#    'home' => 'homeDirectory',
-//      'groups' => 'ownCloudGroups',
+    'ldap_uid' => 'uid',
-//      'photoURL' => 'picture',
+#    'groups' => 'ownCloudGroups',
-//      'is_admin' => 'ownCloudAdmin',
+#    'photoURL' => 'picture',
 #    'is_admin' => 'ownCloudAdmin',
  ),
  'oidc_login_default_group' => 'oidc',
  'oidc_login_scope' => 'openid profile email',
@ -98,14 +107,14 @@ $CONFIG = array (
  'oidc_login_alt_login_page' => 'assets/login.php',
  'oidc_login_tls_verify' => true,
  'oidc_create_groups' => false,
-//FIXME
+# FIXME
  'oidc_login_webdav_enabled' => false,
  'oidc_login_password_authentication' => false,
  'oidc_login_public_key_caching_time' => 86400,
  'oidc_login_min_time_between_jwks_requests' => 10,
  'oidc_login_well_known_caching_time' => 86400,
  'oidc_login_update_avatar' => false,
-//mail
+# mail
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'tls',
  'mail_sendmailmode' => 'smtp',
@ -118,4 +127,5 @@ $CONFIG = array (
  'mail_smtpport' => '25',
  'mail_smtpname' => '%%smtp_relay_user@%%ip_eth0',
  'mail_smtppassword' => '%%smtp_relay_password',
  'loglevel' => 2,
 );
--- a/seed/nextcloud/templates/nextcloud.init
+++ b/seed/nextcloud/templates/nextcloud.init
@ -5,17 +5,26 @@ if [ ! -f /srv/nextcloud/keys/secret.txt ]; then
    umask 027
    /usr/bin/php /usr/share/nextcloud/occ --no-warnings config:system:get passwordsalt > /srv/nextcloud/keys/passwordsalt.txt
    /usr/bin/php /usr/share/nextcloud/occ --no-warnings config:system:get secret > /srv/nextcloud/keys/secret.txt
    /usr/bin/php /usr/share/nextcloud/occ --no-warnings config:system:get version > /srv/nextcloud/keys/version.txt
    /usr/bin/php /usr/share/nextcloud/occ app:enable user_ldap -q
    /usr/bin/php /usr/share/nextcloud/occ ldap:create-empty-config -q
 else
    sed -i "s'{{SECRET}}'$(cat /srv/nextcloud/keys/secret.txt)'g" /etc/nextcloud/config.php
    sed -i "s'{{SALT}}'$(cat /srv/nextcloud/keys/passwordsalt.txt)'g" /etc/nextcloud/config.php
    sed -i "s'{{VERSION}}'$(cat /srv/nextcloud/keys/version.txt)'g" /etc/nextcloud/config.php
    sed -i "s/'installed' => false,/'installed' => true,/g" /etc/nextcloud/config.php
    # Upgrade
    sha256sum /etc/nextcloud/config.php > /tmp/sha
    sed -i "s/'config_is_read_only' => true,/'config_is_read_only' => false,/g" /etc/nextcloud/config.php
    /usr/bin/php /usr/share/nextcloud/occ upgrade || true
    sed -i "s/'config_is_read_only' => false,/'config_is_read_only' => true,/g" /etc/nextcloud/config.php
    /usr/bin/php /usr/share/nextcloud/occ --no-warnings config:system:get version > /srv/nextcloud/keys/version.txt
    ## if file is modified, copy upgraded version
    sha256sum -c /tmp/sha || cp -a /etc/nextcloud/config.php /srv/nextcloud/keys/config.UPGRADED.php
    # Configure LDAP
    /usr/bin/php /usr/share/nextcloud/occ app:enable user_ldap -q
 fi
 # Upgrade
 /usr/bin/php /usr/share/nextcloud/occ upgrade || true
 # SSO
 /usr/bin/php /usr/share/nextcloud/occ app:enable oidc_login
 # Feature
@ -52,6 +61,11 @@ fi
 /usr/bin/php /usr/share/nextcloud/occ app:disable weather_status
 # Maintenance
 /usr/bin/php /usr/share/nextcloud/occ files:scan --all -q
 sha256sum /etc/nextcloud/config.php > /tmp/sha
 sed -i "s/'config_is_read_only' => true,/'config_is_read_only' => false,/g" /etc/nextcloud/config.php
 /usr/bin/php /usr/share/nextcloud/occ maintenance:repair -q
 sed -i "s/'config_is_read_only' => false,/'config_is_read_only' => true,/g" /etc/nextcloud/config.php
 ## if file is modified, copy upgraded version
 sha256sum -c /tmp/sha || cp -a /etc/nextcloud/config.php /srv/nextcloud/keys/config.UPGRADED.php
 exit 0
--- a/seed/nextcloud/tests/test_nextcloud.py
+++ b/seed/nextcloud/tests/test_nextcloud.py
@ -0,0 +1,5 @@
 from os.path import isfile
 def test_nextcloud_not_upgraded():
    assert not isfile('/var/lib/risotto/srv/nextcloud/keys/config.UPGRADED.php')
--- a/seed/nginx-common/dictionaries/21_nginx.xml
+++ b/seed/nginx-common/dictionaries/21_nginx.xml
@ -11,8 +11,8 @@
      <file engine="none" source="sysusers.nginx.conf" filelist="nginx_fedora">/sysusers.d/nginx.conf</file>
      <file source="tmpfiles.nginx.conf">/tmpfiles.d/nginx.conf</file>
      <file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_ca_file</file>
-      <file filelist="nginx_default_https" mode="600">/etc/pki/tls/certs/nginx.crt</file>
+      <file file_type="variable" filelist="nginx_default_https" mode="600" source="nginx.crt">revprox_crt_file</file>
-      <file filelist="nginx_default_https" mode="600">/etc/pki/tls/private/nginx.key</file>
+      <file file_type="variable" filelist="nginx_default_https" mode="600" source="nginx.key">revprox_key_file</file>
      <file>/tests/nginx-common.yml</file>
    </service>
  </services>
@ -38,6 +38,10 @@
        <value>32</value>
      </variable>
      <variable name="revprox_ca_file" type="filename" description="Reverse proxy CA filename" hidden="True"/>
      <variable name="revprox_crt_file" type="filename" description="Reverse proxy cert filename" hidden="True"/>
      <variable name="revprox_key_file" type="filename" description="Reverse proxy key filename" hidden="True"/>
      <variable name="nginx_owner" type="unix_user" description="Nginx process owner" mandatory="True" hidden="True"/>
      <variable name="nginx_group" type="unix_user" description="Nginx process group" mandatory="True" hidden="True"/>
    </family>
  </variables>
  <constraints>
@ -45,8 +49,6 @@
      <param>Fedora</param>
      <target type="filelist">nginx_fedora</target>
      <target>nginx_default</target>
      <target>nginx_default_http</target>
      <target>nginx_default_https</target>
    </condition>
    <condition name="disabled_if_in" source="nginx_default">
      <param type="nil"/>
@ -62,5 +64,31 @@
      <param name="join">/</param>
      <target>revprox_ca_file</target>
    </fill>
    <fill name="calc_value">
      <param type="variable">tls_cert_directory</param>
      <param>nginx.crt</param>
      <param name="join">/</param>
      <target>revprox_crt_file</target>
    </fill>
    <fill name="calc_value">
      <param type="variable">tls_key_directory</param>
      <param>nginx.key</param>
      <param name="join">/</param>
      <target>revprox_key_file</target>
    </fill>
    <fill name="calc_value">
      <param>nginx</param>
      <param name="default">www-data</param>
      <param name="condition" type="variable">os_name</param>
      <param name="expected">Fedora</param>
      <target>nginx_owner</target>
    </fill>
    <fill name="calc_value">
      <param>nginx</param>
      <param name="default">adm</param>
      <param name="condition" type="variable">os_name</param>
      <param name="expected">Fedora</param>
      <target>nginx_group</target>
    </fill>
  </constraints>
 </rougail>
--- a/seed/nginx-common/templates/nginx.conf
+++ b/seed/nginx-common/templates/nginx.conf
@ -27,11 +27,9 @@ events {
 }
 http {
 %if %%os_name == 'Fedora'
    log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';
 %end if
    #GNUNUX    access_log  /var/log/nginx/access.log  main;
    #>GNUNUX
    access_log syslog:server=unix:/dev/log combined;
@ -51,8 +49,7 @@ http {
    # See http://nginx.org/en/docs/ngx_core_module.html#include
    # for more information.
    include /etc/nginx/conf.d/*.conf;
-%if %%os_name == 'Fedora'
+%if %%nginx_default_http
 %if %%nginx_default_http
    server {
        listen       80;
        listen       [::]:80;
@ -70,36 +67,38 @@ http {
        location = /50x.html {
        }
    }
- %end if
+%end if
 # Settings for a TLS enabled server.
 #
- %if %%nginx_default_https
+%if %%nginx_default_https
    server {
        listen       443 ssl http2;
-  %if %%getVar('revprox_client_external_domainnames', None)
+ %if %%getVar('revprox_client_external_domainnames', None)
-   %for %%domain in %%revprox_client_external_domainnames
+  %for %%domain in %%revprox_client_external_domainnames
        server_name %%domain;
-   %end for
+  %end for
-  %else
+ %else
        server_name  _;
-  %end if
+ %end if
        root         %%nginx_root;
        # ssl_certificate "/etc/pki/nginx/server.crt";
        # ssl_certificate_key "/etc/pki/nginx/private/server.key";
-        ssl_certificate              /etc/pki/tls/certs/nginx.crt;
+        ssl_certificate              %%revprox_crt_file;
-        ssl_certificate_key          /etc/pki/tls/private/nginx.key;
+        ssl_certificate_key          %%revprox_key_file;
-  %if %%getVar('revprox_client_external_domainnames', None)
+ %if %%getVar('revprox_client_external_domainnames', None)
        ssl_client_certificate       %%revprox_ca_file;
-  %else
+ %else
        ssl_client_certificate       /etc/pki/ca-trust/source/anchors/ca_HTTP.crt;
-  %end if
+ %end if
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout  10m;
 %if %%os_name == 'Fedora'
        ssl_ciphers PROFILE=SYSTEM;
        ssl_prefer_server_ciphers on;
-
+ %end if
        # Load configuration files for the default server block.
        include /etc/nginx/default.d/*.conf;
@ -111,11 +110,6 @@ http {
        location = /50x.html {
        }
    }
 %end if
 %else
    include /etc/nginx/sites-enabled/*;
 %end if
 %if not %%getVar('revprox_client_external_domainnames', None)
    include /etc/nginx/sites-enabled/*;
 %end if
 }
--- a/seed/nginx-common/templates/tmpfiles.nginx.conf
+++ b/seed/nginx-common/templates/tmpfiles.nginx.conf
@ -1,9 +1,2 @@
 # this directory is not used, but must be created
-%if %%os_name == 'Fedora'
+d /var/log/nginx/ 0750 %%nginx_owner %%nginx_group -
 %set %%usr = "nginx"
 %set %%grp = %%usr
 %else
 %set %%usr = "www-data"
 %set %%grp = "adm"
 %end if
 d /var/log/nginx/ 0750 %%usr %%grp -
--- a/seed/nginx-https/applicationservice.yml
+++ b/seed/nginx-https/applicationservice.yml
@ -1,5 +1,5 @@
 format: '0.1'
-description: Nginx as reverse proxy
+description: Nginx as HTTPS web site
 depends:
  - nginx-common
  - reverse-proxy-client
--- a/seed/nginx-static/applicationservice.yml
+++ b/seed/nginx-static/applicationservice.yml
@ -0,0 +1,5 @@
 format: '0.1'
 description: Nginx with static web site
 depends:
  - nginx-https
  - base-fedora-36
--- a/seed/nginx-static/dictionaries/22_nginx_static.xml
+++ b/seed/nginx-static/dictionaries/22_nginx_static.xml
@ -0,0 +1,15 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
  <services>
    <service name='nginx' target='multi-user'>
      <file source="tmpfiles.nginx_static.conf">/tmpfiles.d/0static.conf</file>
    </service>
  </services>
  <variables>
    <family name="nginx">
      <variable name="nginx_root" redefine="True" mandatory='True'>
        <value>/srv/static</value>
      </variable>
    </family>
  </variables>
 </rougail>
--- a/seed/nginx-static/templates/tmpfiles.nginx_static.conf
+++ b/seed/nginx-static/templates/tmpfiles.nginx_static.conf
@ -0,0 +1 @@
 d /srv/static/ 0750 root %%nginx_owner -
--- a/seed/odoo/DEBUG.md
+++ b/seed/odoo/DEBUG.md
@ -0,0 +1,32 @@
 echo "log_level = debug" > /etc/odoo/odoo.conf
 echo "log_db= debug" > /etc/odoo/odoo.conf
 systemctl restart odoo
 Voir les logs dans la console
 =============================
 sed -i 's/syslog/#syslog/g' /etc/odoo/odoo.conf 
 su - odoo
 /usr/bin/odoo --config /etc/odoo/odoo.conf
 Connaitre les modules initialisés
 =================================
 Il se peut qu'il manque des dépendances au chargement des modules lors qu'on le fait à la main (je ne sais pas pourquoi).
 Pour connaitre la liste des modules à charger, le faire "graphiquement" puis avec Risotto et comparer les deux listes.
 Avec fichier de log :
 ```
 grep "Loading module" /var/log/odoo/odoo-server.log|awk -F'Loading module' '{ print $2 }'| awk '{ print $1 }'|sort -u
 ```
 Avec journald :
 ```
 journalctl -m -M odoo.in.silique.fr -g "Loading module"|awk -F'Loading module' '{ print $2 }'| awk '{ print $1 }'|sort -u
 ```
--- a/seed/odoo/applicationservice.yml
+++ b/seed/odoo/applicationservice.yml
@ -0,0 +1,10 @@
 format: '0.1'
 description: Odoo
 depends:
  - base-debian-bullseye
  - postgresql-client
  - reverse-proxy-client
  - relay-mail-client
  - ldap-client-debian
  - oauth2-client
  - nginx-https
--- a/seed/odoo/dictionaries/40_odoo.xml
+++ b/seed/odoo/dictionaries/40_odoo.xml
@ -0,0 +1,93 @@
 <?xml version='1.0' encoding='UTF-8'?>
 <rougail version="0.10">
  <services>
    <service name="odoo" target="multi-user">
      <override/>
      <file engine="none" source="sysuser-odoo.conf">/sysusers.d/1odoo.conf</file>
      <file source="tmpfile-odoo.conf">/tmpfiles.d/0odoo.conf</file>
      <file mode="700">/sbin/config_odoo.py</file>
      <file mode="400" owner="odoo">/etc/odoo/odoo.conf</file>
      <file mode="400" owner="odoo">/etc/odoo/postgresql.pass</file>
      <file>/etc/hosts</file>
      <file source="config-nginx.conf">/etc/nginx/default.d/odoo.conf</file>
    </service>
  </services>
  <variables>
    <family name="odoo" description="Odoo">
      <variable name="odoo_admin_password" description="Mot de passe de l'administrateur" hidden="True"/>
      <variable name="odoo_admin_email" type="mail" description="Adresse courriel de l'administrateur" mandatory="True"/>
      <variable name="odoo_company_name" description="Nom" mandatory="True"/>
      <variable name="odoo_company_street" description="Adresse" mandatory="True"/>
      <variable name="odoo_company_city" description="Ville" mandatory="True"/>
      <variable name="odoo_company_zip" description="Code postal" mandatory="True"/>
      <variable name="odoo_company_vat" description="Numéro TVA" mandatory="True"/>
      <variable name="odoo_company_registry" description="Registre de la société" mandatory="True"/>
      <variable name="odoo_company_phone" description="Numéro de téléphone"/>
      <variable name="odoo_company_mobile" description="Numéro de téléphone mobile"/>
      <variable name="odoo_company_email" description="Adresse courriel" mandatory="True"/>
      <variable name="odoo_company_website" description="Site internet" mandatory="True"/>
      <variable name="odoo_company_logo" type="filename" description="Chemin du logo" mandatory="True"/>
      <variable name="odoo_company_footer" description="Pied de page des documents" mandatory="True"/>
      <variable name="odoo_company_layout" description="Agencement des documents" mandatory="True" type="choice">
        <value>standard</value>
        <choice>standard</choice>
        <choice>bold</choice>
        <choice>boxed</choice>
        <choice>striped</choice>
      </variable>
      <variable name="odoo_addons" description="Liste des applications à activer" multi="True">
        <value>base</value>
        <value>l10n_fr</value>
        <value>l10n_fr_fec</value>
        <value>account</value>
        <value>hr</value>
        <value>hr_contract</value>
        <value>sale_management</value>
      </variable>
    </family>
    <family name="postgresql">
      <variable name="pg_client_key_owner" redefine="True">
        <value>odoo</value>
      </variable>
    </family>
    <family name="oauth2_client">
      <variable name="oauth2_is_client_application" redefine='True'>
        <value>True</value>
      </variable>
      <variable name="oauth2_client_name" redefine='True'>
        <value>ERP</value>
      </variable>
      <variable name="oauth2_client_description" redefine='True'>
        <value>ERP Odoo</value>
      </variable>
      <variable name="oauth2_client_category" redefine='True'>
        <value>Entreprise</value>
      </variable>
      <variable name="oauth2_client_logo" redefine='True'>
        <value>silique_note.png</value>
      </variable>
      <family name="external">
        <variable name="oauth2_client_external" redefine="True" multi='True'/>
 	<variable name="oauth2_client_family" redefine="True" multi="True"/>
      </family>
    </family>
    <family name="annuaire">
      <family name="client">
        <variable name="ldap_key_file_owner" redefine="True">
          <value>odoo</value>
        </variable>
      </family>
    </family>
  </variables>
  <constraints>
    <fill name="get_password">
      <param name="server_name" type="variable">domain_name_eth0</param>
      <param name="username">admin</param>
      <param name="description">admin</param>
      <param name="type">cleartext</param>
      <param name="hide" type="variable">hide_secret</param>
      <param name="temporary" type="boolean">True</param>
      <target>odoo_admin_password</target>
    </fill>
  </constraints>
 </rougail>
--- a/seed/odoo/funcs/odoo.py
+++ b/seed/odoo/funcs/odoo.py
@ -0,0 +1,8 @@
 from base64 import b64encode as _b64encode
 from os.path import isfile as _isfile
 def get_logo(filename):
    if not _isfile(filename):
        raise Exception(f'cannot find odoo logo {filename}')
    return _b64encode(open(filename, 'rb') .read())
--- a/seed/odoo/manual/image/postinstall/odoo.sh
+++ b/seed/odoo/manual/image/postinstall/odoo.sh
@ -0,0 +1,38 @@
 set -e
 ODOO_VERSION="15.0"
 #FIXME
 ODOO_VERSION="master"
 WKHTML_VERSION="0.12.6.1-2"
 #curl  http://nightly.odoo.com/${ODOO_VERSION}/nightly/rpm/odoo_${ODOO_VERSION}.latest.rpm -o odoo_${ODOO_VERSION}.latest.rpm
 #OPT=$(dnf_opt_base "$IMAGE_NAME_RISOTTO_IMAGE_DIR")
 #dnf --assumeyes $OPT localinstall odoo_${ODOO_VERSION}.latest.rpm
 #rm -f odoo_${ODOO_VERSION}.latest.rpm
 mv $IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/resolv.conf /tmp
 echo "nameserver 9.9.9.9" > $IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/resolv.conf
 WKHTML_PKG=wkhtmltox_$WKHTML_VERSION.bullseye_amd64.deb
 curl https://nightly.odoo.com/odoo.key -o "$IMAGE_NAME_RISOTTO_IMAGE_DIR/odoo.key"
 curl -L "https://github.com/wkhtmltopdf/packaging/releases/download/$WKHTML_VERSION/$WKHTML_PKG" -o "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$WKHTML_PKG"
 echo """#!/bin/bash -xe
 cat /odoo.key | apt-key add -
 rm /odoo.key
 echo "deb http://nightly.odoo.com/$ODOO_VERSION/nightly/deb/ ./" >> /etc/apt/sources.list 
 apt update
 apt install --no-install-recommends -y odoo
 dpkg -i /"$WKHTML_PKG" || true
 rm -f /"$WKHTML_PKG"
 apt -f install -y
 """ > $IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh
 chmod 755 $IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh
 chroot $IMAGE_NAME_RISOTTO_IMAGE_DIR /install.sh
 sed -i "s/'postgres'/odoo.tools.config['db_name']/g" $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/python3/dist-packages/odoo/service/server.py
 sed -i "s/'postgres'/odoo.tools.config['db_name']/g" $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/python3/dist-packages/odoo/service/db.py 
 sed -i "s/'postgres'/odoo.tools.config['db_name']/g" $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/python3/dist-packages/odoo/addons/bus/models/bus.py
 sed -i "s/'postgres'/odoo.tools.config['db_name']/g" $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/python3/dist-packages/odoo/addons/base/models/ir_cron.py
 sed -i "s@ldap://@ldaps://@g" $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/python3/dist-packages/odoo/addons/auth_ldap/models/res_company_ldap.py
 mv -f /tmp/resolv.conf $IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/resolv.conf
 set +e
--- a/seed/odoo/manual/image/preinstall/odoo.sh
+++ b/seed/odoo/manual/image/preinstall/odoo.sh
@ -0,0 +1,3 @@
 PKG="$PKG dirmngr gnupg2 python3-ldap"
 #PKG="$PKG curl wkhtmltopdf python3-chardet python3-ldap python3-libsass"
 # missing python3-chardet dependency (for initialize database)
--- a/seed/odoo/templates/config-nginx.conf
+++ b/seed/odoo/templates/config-nginx.conf
@ -0,0 +1,19 @@
 # Redirect requests to odoo backend server
 location / {
  proxy_redirect off;
  proxy_pass http://127.0.0.1:8069;
  proxy_read_timeout 720s;
  proxy_connect_timeout 720s;
  proxy_send_timeout 720s;
  # Add Headers for odoo proxy mode
  proxy_set_header X-Forwarded-Host $host;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header X-Real-IP $remote_addr;
  # common gzip
  gzip_types text/css text/scss text/plain text/xml application/xml application/json application/javascript;
  gzip on;
 }
--- a/seed/odoo/templates/config_odoo.py
+++ b/seed/odoo/templates/config_odoo.py
@ -0,0 +1,75 @@
 %echo '#!/usr/bin/env python3'
 from os import environ
 environ['ODOO_RC'] = '/etc/odoo/odoo.conf'
 from odoo import registry, SUPERUSER_ID
 from odoo.api import Environment
 with registry('%%pg_client_database').cursor() as cr:
    ctx = Environment(cr, SUPERUSER_ID, {})["res.users"].context_get()
    env = Environment(cr, SUPERUSER_ID, ctx)
    # Company
    env.company.name = '%%odoo_company_name'
    env.company.street = '%%odoo_company_street'
    env.company.city = '%%odoo_company_city'
    env.company.zip = '%%odoo_company_zip'
    env.company.vat = '%%odoo_company_vat'
    env.company.company_registry = '%%odoo_company_registry'
    env.company.phone = '%%odoo_company_phone'
    env.company.mobile = '%%odoo_company_mobile'
    env.company.email = '%%odoo_company_email'
    env.company.website = '%%odoo_company_website'
    env.company.logo = %%get_logo(%%odoo_company_logo)
    env.company.report_footer = '%%odoo_company_footer'
    env.company.external_report_layout_id = env.ref('web.external_layout_%%odoo_company_layout').id
    doc = env['base.document.layout'].create({'company_id': env.company.id})
    doc._onchange_company_id()
    # Admin
    admin = env['res.users'].search([('name', '=', 'Administrator')])
    admin.email = "%%odoo_admin_email"
    admin.password = '%%odoo_admin_password'
    # URL
    env['ir.config_parameter'].set_param('web.base.url', 'https://%%revprox_client_external_domainnames[0]')
    env['ir.config_parameter'].set_param('web.base.url.freeze', True)
    # LDAP
    env['res.config.settings'].create({'module_auth_ldap': True}).execute()
    ldaps = env.company.ldaps
    if ldaps:
        ldap = ldaps[0]
        ldap.ldap_server = '%%ldap_server_address'
        ldap.ldap_server_port = '636'
        ldap.ldap_binddn = '%%ldapclient_user'
        ldap.ldap_password = '%%ldapclient_user_password'
        ldap.ldap_filter = 'cn=%s'
        ldap.ldap_base = '%%ldapclient_user_dn'
    else:
        ldap = env['res.company.ldap'].create({'company': env.company.id,
                                               'ldap_server': '%%ldap_server_address',
                                               'ldap_server_port': '636',
                                               'ldap_binddn': '%%ldapclient_user',
                                               'ldap_password': '%%ldapclient_user_password',
                                               'ldap_filter': 'cn=%s',
                                               'ldap_base': '%%ldapclient_user_dn',
                                               })
        env.company.ldaps = ldap
    # SMTP
    mail = env['ir.mail_server'].search([('name', '=', 'Silique')])
    if mail.id is False:
        env['ir.mail_server'].create({'name': 'Silique',
                                      'smtp_host': '%%smtp_relay_address',
                                      'smtp_port': '25',
                                      'smtp_authentication': 'login',
                                      'smtp_user': '%%smtp_relay_user@%%ip_eth0',
                                      'smtp_pass': '%%smtp_relay_password',
                                      'smtp_encryption': 'starttls',
                                      })
    else:
        mail.smtp_host = '%%smtp_relay_address'
        mail.smtp_port = '25'
        mail.smtp_authentication = 'login'
        mail.smtp_user = '%%smtp_relay_user@%%ip_eth0'
        mail.smtp_pass = '%%smtp_relay_password'
        mail.smtp_encryption = 'starttls'
    env['ir.config_parameter'].set_param('base_setup.default_external_email_server', True)
--- a/seed/odoo/templates/hosts
+++ b/seed/odoo/templates/hosts
@ -0,0 +1,4 @@
 127.0.0.1	localhost  %%revprox_client_external_domainnames[0]
 ::1		localhost ip6-localhost ip6-loopback
 ff02::1		ip6-allnodes
 ff02::2		ip6-allrouters
--- a/seed/odoo/templates/odoo.conf
+++ b/seed/odoo/templates/odoo.conf
@ -0,0 +1,38 @@
 [options]
 ; This is the password that allows database operations:
 admin_passwd = %%odoo_admin_password
 db_host = %%pg_client_server_domainname
 db_port = 5432
 db_user = %%pg_client_username
 db_password = %%pg_client_password
 db_name = %%pg_client_database
 # FIXME db_sslmode = verify-full 
 db_sslmode = require
 no_database_list = True
 addons_path = /usr/lib/python3/dist-packages/odoo/addons
 data_dir = /srv/odoo
 proxy_mode = True
 http_interface = 127.0.0.1
 syslog = True
 without_demo = True
 max_cron_threads = 1
 workers = 2
 #limit_time_real = 1800
 #limit_time_cpu = 1800 
 #
 #limit_memory_hard = 5368706371
 #limit_memory_soft = 4831835734
 # 'smtp_port', 'smtp_ssl'
 #                'email_from', 'smtp_server', 'smtp_user', 'smtp_password', 'from_filter',
 #                'smtp_ssl_certificate_filename', 'smtp_ssl_private_key_filename',
 #
 # language load_language
 language = fr_FR
 load_language = fr_FR
--- a/seed/odoo/templates/odoo.service
+++ b/seed/odoo/templates/odoo.service
@ -0,0 +1,18 @@
 [Unit]
 After=risotto.target
 [Service]
 Environment="PGSSLROOTCERT=/etc/pki/tls/certs/postgresql.crt"
 Environment="PGSSLCERT=/etc/pki/tls/certs/postgresql.crt"
 Environment="PGSSLKEY=/etc/pki/tls/private/postgresql.key"
 Environment="PGPASSFILE=/etc/odoo/postgresql.pass"
 #if database not imported, imported it active addons
 %set %%addons = ','.join(%%odoo_addons)
 ExecStartPre=/usr/bin/bash -c '/usr/bin/psql --set=sslmode=verify-full -h %%pg_client_server_domainname -U %%pg_client_username %%pg_client_database -c "\dt account_account" 2>&1 | grep -vq "not find" || (echo "INIT DATABASE"; /usr/bin/odoo --config /etc/odoo/odoo.conf -i %%addons --stop-after-init; echo "OK")'
 #change default values in database
 ExecStartPre=+/usr/local/lib/sbin/config_odoo.py
 ExecStart=
 ExecStart=/usr/bin/odoo --config /etc/odoo/odoo.conf
 TimeoutStartSec=360
--- a/seed/odoo/templates/sysuser-odoo.conf
+++ b/seed/odoo/templates/sysuser-odoo.conf
@ -0,0 +1,2 @@
 g odoo 1000 -
 u odoo 998:1000     "ODOO" /srv/odoo	/bin/bash
--- a/seed/odoo/templates/tmpfile-odoo.conf
+++ b/seed/odoo/templates/tmpfile-odoo.conf
@ -0,0 +1 @@
 d /srv/odoo 750 odoo odoo - -
--- a/seed/openldap/funcs/ldap.py
+++ b/seed/openldap/funcs/ldap.py
@ -6,7 +6,7 @@ from json import load as _load, dump as _dump
 from os.path import dirname as _dirname, abspath as _abspath, join as _join, isfile as _isfile
-_HERE = _dirname(_abspath(__main__.__file__))
+_HERE = _dirname(_dirname(_abspath(__main__.__file__)))
 _SSHA_PASSWORD_DIR = _join(_HERE, 'password', 'ssha.json')
--- a/seed/openldap/templates/users_mod.ldif
+++ b/seed/openldap/templates/users_mod.ldif
@ -19,7 +19,7 @@ userPassword:: %%ssha_encode(%%password)
 %end for
 # Users
-%set %%userdn = 'cn=' + %%username + ',' + %%ldapclient_base_dn
+%set %%userdn = 'cn=' + %%username + ',' + %%calc_ldapclient_base_dn(%%ldapclient_base_dn)
 %set %%userfamilydn = 'cn=' + %%username_family + ',' + %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=%%name_family)
 %set %%acc = [(%%userdn, %%username, ['alias_' + %%username]),
              (%%userfamilydn, %%username_family, ['alias_' + %%username_family]),
--- a/seed/peertube/manual/image/postinstall/peertube.sh
+++ b/seed/peertube/manual/image/postinstall/peertube.sh
@ -1,5 +1,3 @@
 #!/bin/bash
 mkdir -p "$IMAGE_NAME_RISOTTO_IMAGE_DIR/proc/self/"
 cat /proc/self/stat > "$IMAGE_NAME_RISOTTO_IMAGE_DIR/proc/self/stat"
 PLUGINS_DIR=/usr/share/peertube_plugins
@ -25,5 +23,5 @@ rmdir "$IMAGE_NAME_RISOTTO_IMAGE_DIR/proc/self/"
 rm -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"
 cd "$IMAGE_NAME_RISOTTO_IMAGE_DIR$PLUGINS_DIR/.."
-patch -p0 < $OLDPWD/peertube/manual/postinstall/peertube.patch
+patch -p0 < "$IMAGE_DIR_RECIPIENT_IMAGE/postinstall/peertube.patch"
 cd -
--- a/seed/piwigo/manual/image/postinstall/piwigo.sh
+++ b/seed/piwigo/manual/image/postinstall/piwigo.sh
@ -14,10 +14,10 @@ ln -s /etc/piwigo/database.inc.php piwigo/local/config/database.inc.php
 ln -s /srv/piwigo/data piwigo/_data
 ln -s /srv/piwigo/upload piwigo/upload
 ln -s /srv/piwigo/logs piwigo/logs
-cp $OLDPWD/piwigo/manual/postinstall/osmmap.php piwigo/
+cp $IMAGE_DIR_RECIPIENT_IMAGE/postinstall/osmmap.php piwigo/
 chmod 644 piwigo/osmmap.php
-patch -p0 < $OLDPWD/piwigo/manual/postinstall/piwigo.patch
+patch -p0 < $IMAGE_DIR_RECIPIENT_IMAGE/postinstall/piwigo.patch
-cp $OLDPWD/piwigo/manual/postinstall/piwigo_cli.php piwigo/
+cp $IMAGE_DIR_RECIPIENT_IMAGE/postinstall/piwigo_cli.php piwigo/
 # Plugins
 cd piwigo/plugins
 wget https://piwigo.org/ext/download.php?rid=7848 -O plugin.zip
@ -42,16 +42,16 @@ wget https://piwigo.org/ext/download.php?rid=8160 -O plugin.zip
 unzip plugin.zip
 rm -f plugin.zip
 echo """<?php
-$lang['Edit photos'] = 'Editer les photos';
+\$lang['Edit photos'] = 'Editer les photos';
-$lang['Edit Photos'] = 'Editer les photos';
+\$lang['Edit Photos'] = 'Editer les photos';
-$lang['Edit your photos'] = 'Editer vos photos';
+\$lang['Edit your photos'] = 'Editer vos photos';
-$lang['Photos posted by %s'] = 'Photos postées par %s';
+\$lang['Photos posted by %s'] = 'Photos postées par %s';
-$lang['Photos posted by %s in album %s'] = 'Photos postées par %s dans l\'album %s';
+\$lang['Photos posted by %s in album %s'] = 'Photos postées par %s dans l\'album %s';
-$lang['Select at least one tag'] = 'Sélectionner au moins un tag';
+\$lang['Select at least one tag'] = 'Sélectionner au moins un tag';
-$lang['Select at least one photo'] = 'Sélectionner au moins une photo';
+\$lang['Select at least one photo'] = 'Sélectionner au moins une photo';
-$lang['No photo can be deleted'] = 'Aucune photo ne peut être supprimée';
+\$lang['No photo can be deleted'] = 'Aucune photo ne peut être supprimée';
-$lang['You need to confirm deletion'] = 'Vous devez confirmer la suppression';
+\$lang['You need to confirm deletion'] = 'Vous devez confirmer la suppression';
-$lang['No photo selected, no action possible.'] = 'Aucune photo sélectionnée, aucune action possible.';
+\$lang['No photo selected, no action possible.'] = 'Aucune photo sélectionnée, aucune action possible.';
 ?>
 """ >> community/language/fr_FR/plugin.lang.php
 # embedded
--- a/seed/pleroma/templates/nginx.peertube.conf
+++ b/seed/pleroma/templates/nginx.peertube.conf
@ -37,8 +37,8 @@ server {
 # GNUNUX  ssl_certificate_key /etc/letsencrypt/live/${WEBSERVER_HOST}/privkey.pem;
 #>GNUNUX
  ssl_client_certificate %%revprox_ca_file;
-  ssl_certificate        %%revprox_cert_file;
+  ssl_certificate        %%revprox_client_cert_file;
-  ssl_certificate_key    %%revprox_key_file;
+  ssl_certificate_key    %%revprox_client_key_file;
 #<GNUNUX
 # GNUNUX  location ^~ '/.well-known/acme-challenge' {
--- a/seed/postfix-relay/DEBUG.md
+++ b/seed/postfix-relay/DEBUG.md
@ -19,7 +19,7 @@ EHLO root.gnunux.info
 250-AUTH PLAIN LOGIN
 [..]
 MAIL FROM:<gnunux@gnunux.info>
-RCPT TO:<gnunux@gnunux.info>
+RCPT TO:<contact@silique.fr>
 DATA
 To:<gnunux@gnunux.info>
 From:<gnunux@gnunux.info>
--- a/seed/postfix-relay/funcs/opendkim.py
+++ b/seed/postfix-relay/funcs/opendkim.py
@ -10,7 +10,7 @@ def _eprint(*args, **kwargs):
 _dknewkey.eprint = _eprint
-_HERE = _dirname(_abspath(__main__.__file__))
+_HERE = _dirname(_dirname(_abspath(__main__.__file__)))
 _DKIM_DIR = _join(_HERE, 'pki/dkim')
--- a/seed/postfix-relay/templates/main.cf
+++ b/seed/postfix-relay/templates/main.cf
@ -268,10 +268,10 @@ smtpd_recipient_restrictions =
        reject_non_fqdn_hostname,
        reject_invalid_helo_hostname,
        reject_non_fqdn_helo_hostname,
-	reject_rbl_client zen.spamhaus.org,
+        reject_rbl_client zen.spamhaus.org,
        reject_non_fqdn_sender,
        reject_unknown_sender_domain,
-	#reject_unauth_pipelining
+        #reject_unauth_pipelining
 # FIXME        check_sender_access hash:/etc/postfix/sender_access,
 # FIXME        check_recipient_access hash:/etc/postfix/recv_access,
--- a/seed/postgresql-client/dictionaries/23_postgresql.xml
+++ b/seed/postgresql-client/dictionaries/23_postgresql.xml
@ -6,6 +6,7 @@
      <file>/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt</file>
      <file>/etc/pki/tls/certs/postgresql.crt</file>
      <file owner_type="variable" owner="pg_client_key_owner" mode="400">/etc/pki/tls/private/postgresql.key</file>
      <file filelist="postgresql_debian" engine="none" source="sysuser-postgresql-client.conf">/sysusers.d/0postgresqlclient.conf</file>
    </service>
  </services>
  <variables>
@ -41,5 +42,9 @@
      <param type="variable">pg_client_username</param>
      <target>pg_client_database</target>
    </fill>
    <condition name="disabled_if_not_in" source="os_name">
      <param>Debian</param>
      <target type="filelist">postgresql_debian</target>
    </condition>
  </constraints>
 </rougail>
--- a/seed/postgresql-client/manual/image/preinstall/postgresql_client.sh
+++ b/seed/postgresql-client/manual/image/preinstall/postgresql_client.sh
@ -1 +1,5 @@
-PKG="$PKG postgresql"
+if [ "$INSTALL_TOOL" = "dnf" ]; then
  PKG="$PKG postgresql"
 else
  PKG="$PKG postgresql-client"
 fi
--- a/seed/postgresql-client/templates/sysuser-postgresql-client.conf
+++ b/seed/postgresql-client/templates/sysuser-postgresql-client.conf
@ -0,0 +1,4 @@
 g ssl-cert 108
 g postgres 109
 u postgres 104:109 "PostgreSQL administrator" /var/lib/postgresql  /bin/bash
 m postgres ssl-cert
--- a/seed/postgresql/DEBUG.md
+++ b/seed/postgresql/DEBUG.md
@ -1 +1,20 @@
 pg_dumpall --clean > /srv/database.sql
 Conversion SQL_ASCII vers UTF-8
 ===============================
 Sauvegarde :
 ```
 pg_dumpall -c -E UTF8 > sql.sql
 ```
 Dans le fichier, remplacer "ENCODING = 'SQL_ASCII'" en "ENCODING = 'UTF8'" et remplacer "LOCALE = 'C'" en "LOCALE = 'fr_FR.UTF-8'".
 Arrêter les applications qui utilise les bases.
 Restaurer :
 ```
 psql < sql.sql
 ```
--- a/seed/provider-systemd-machined/dictionaries/16-machined.xml
+++ b/seed/provider-systemd-machined/dictionaries/16-machined.xml
@ -4,6 +4,7 @@
    <service name='dev-hugepages' type='mount' disabled="True"/>
    <service name='systemd-oomd' disabled="True"/>
    <service name='systemd-homed' disabled="True"/>
    <service name='systemd-machine-id-commit' disabled="True"/>
    <service name="systemd-networkd">
      <file redefine='True' disabled='True'>link_configurations</file>
    </service>
--- a/seed/redis-client/dictionaries/23_redis.xml
+++ b/seed/redis-client/dictionaries/23_redis.xml
@ -13,7 +13,7 @@
      <variable name="redis_client_server_domainname" type="domainname" description="Nom de domaine du serveur" mandatory="True" supplier="Redis"/>
      <variable name="redis_client_username" description="Nom d'utilisateur" mandatory="True"/>
      <variable name="redis_client_password" type="password" description="Mot de passe de connexion" mandatory="True" supplier="Redis:password"/>
-      <variable name="redis_client_key_owner" type="unix_user" description="Key owner" mandatory="True">
+      <variable name="redis_client_key_owner" type="unix_user" description="Key owner" mandatory="True" hidden="True">
        <value>apache</value>
      </variable>
    </family>
--- a/seed/redis/DEBUG.md
+++ b/seed/redis/DEBUG.md
@ -3,3 +3,16 @@
 redis-cli -a FFCHtN-HWO_X6-bVaXgw MONITOR
 Puis naviger sur l'application
 # PING
 (après avoir copier les certifs du clients)
 redis-cli --tls -a BZET2ptPyGw6ufYG0-iG --cacert /etc/pki/ca-trust/source/anchors/ca_Redis.crt  --cert /usr/local/lib/redis.crt --key /usr/local/lib/redis.key -p 6380 PING
 # Mode debug
 sed -i "s/loglevel notice/loglevel debug/g" /etc/redis/redis.conf
 systemctl restart redis
--- a/seed/reverse-proxy-client/dictionaries/21_nginx_client.xml
+++ b/seed/reverse-proxy-client/dictionaries/21_nginx_client.xml
@ -2,8 +2,8 @@
 <rougail version="0.10">
  <services>
    <service name="nginx" manage="False">
-      <file file_type="variable" source="revprox.crt">revprox_cert_file</file>
+      <file file_type="variable" source="revprox.crt">revprox_client_cert_file</file>
-      <file file_type="variable" source="revprox.key" owner_type="variable" owner="revprox_client_cert_owner" group_type="variable" group="revprox_client_cert_group" mode="400">revprox_key_file</file>
+      <file file_type="variable" source="revprox.key" owner_type="variable" owner="revprox_client_cert_owner" group_type="variable" group="revprox_client_cert_group" mode="400">revprox_client_key_file</file>
    </service>
  </services>
  <variables>
@ -31,8 +31,8 @@
      <variable name="revprox_client_cert_group" type="unix_user" description="Reverse proxy certificate group">
        <value>root</value>
      </variable>
-      <variable name="revprox_cert_file" type="filename" description="Reverse proxy certificate filename" hidden="True"/>
+      <variable name="revprox_client_cert_file" type="filename" description="Reverse proxy certificate filename" hidden="True"/>
-      <variable name="revprox_key_file" type="filename" description="Reverse proxy private key filename" hidden="True"/>
+      <variable name="revprox_client_key_file" type="filename" description="Reverse proxy private key filename" hidden="True"/>
    </family>
  </variables>
  <constraints>
@ -50,13 +50,13 @@
      <param type="variable">tls_cert_directory</param>
      <param>revprox.crt</param>
      <param name="join">/</param>
-      <target>revprox_cert_file</target>
+      <target>revprox_client_cert_file</target>
    </fill>
    <fill name="calc_value">
      <param type="variable">tls_key_directory</param>
      <param>revprox.key</param>
      <param name="join">/</param>
-      <target>revprox_key_file</target>
+      <target>revprox_client_key_file</target>
    </fill>
  </constraints>
 </rougail>
--- a/seed/vaultwarden/dictionaries/40_vaultwarden.xml
+++ b/seed/vaultwarden/dictionaries/40_vaultwarden.xml
@ -6,7 +6,7 @@
      <file>/etc/pki/ca-trust/source/anchors/ca_InternalReverseProxy.crt</file>
      <file engine="none" source="tmpfile-vaultwarden.conf">/tmpfiles.d/0vaultwarden.conf</file>
      <file source="vaultwarden_config.env">/etc/vaultwarden/config.env</file>
-	  <file>/tests/vaultwarden.yml</file>
+      <file>/tests/vaultwarden.yml</file>
    </service>
  </services>
  <variables>
--- a/seed/vaultwarden/funcs/vaultwarden.py
+++ b/seed/vaultwarden/funcs/vaultwarden.py
@ -4,7 +4,7 @@ from os import makedirs as _makedirs
 from uuid import uuid4 as _uuid4
-_HERE = _dirname(_abspath(__main__.__file__))
+_HERE = _dirname(_dirname(_abspath(__main__.__file__)))
 _PASSWORD_DIR = _join(_HERE, 'password')
Author	SHA1	Message	Date
Emmanuel Garette	856607fc52	ansible integration	2022-10-01 19:29:50 +02:00
Emmanuel Garette	abe9155b4c	certificate for reverse proxy	2022-10-01 19:29:09 +02:00
Emmanuel Garette	ffaed709df	remove logrotate service	2022-10-01 19:28:39 +02:00
Emmanuel Garette	b2eab154bc	add util-linux in fedora 36 (for 'su' command)	2022-10-01 19:28:13 +02:00
Emmanuel Garette	3862609e6b	add distribution attribute	2022-10-01 19:26:37 +02:00
Emmanuel Garette	d572b8f64f	certificate for apache	2022-10-01 19:25:21 +02:00
Emmanuel Garette	465f68235b	change base directory for postfix	2022-10-01 19:24:39 +02:00
Emmanuel Garette	16f930572e	remove comment	2022-10-01 19:23:14 +02:00
Emmanuel Garette	97e74efd17	correction in piwigo	2022-10-01 19:22:47 +02:00
Emmanuel Garette	63ebd87431	certificate for pleroma	2022-10-01 19:22:12 +02:00
Emmanuel Garette	b61bb58f73	certificate for gitea	2022-10-01 19:21:55 +02:00
Emmanuel Garette	0a2b6d1fa2	change base directory for mailman	2022-10-01 19:16:35 +02:00
Emmanuel Garette	30b4e12ae8	correction with userdn	2022-10-01 19:16:07 +02:00
Emmanuel Garette	1a3d562829	certificate for lemonldap	2022-10-01 19:13:56 +02:00
Emmanuel Garette	3316ae70d3	manage aliases	2022-10-01 19:12:00 +02:00
Emmanuel Garette	cacc4afc4d	upgrade for nextcloud	2022-10-01 19:11:05 +02:00
Emmanuel Garette	dd4d51c53c	change directory path for patch	2022-10-01 19:10:05 +02:00
Emmanuel Garette	dab5d03ac5	static nginx	2022-10-01 19:09:16 +02:00
Emmanuel Garette	2d10335f45	remove systemd-machine-id-commit service	2022-10-01 19:08:36 +02:00
Emmanuel Garette	2d9de85e03	add postgresql debug informations	2022-10-01 19:08:05 +02:00
Emmanuel Garette	d3c31e0cea	hidden redis owner	2022-10-01 19:07:42 +02:00
Emmanuel Garette	94c73f97ab	add redis debug informations	2022-10-01 19:07:14 +02:00
Emmanuel Garette	b25763ec32	change base directory for vaultwarden	2022-10-01 19:04:48 +02:00
Emmanuel Garette	0ac3e884e4	postgresql client for debian	2022-10-01 19:01:12 +02:00
Emmanuel Garette	349a035ad0	update base debian template	2022-10-01 19:00:20 +02:00
Emmanuel Garette	52e612afba	add static web with nginx	2022-10-01 18:58:20 +02:00
Emmanuel Garette	883bdac398	add nextcloud tests	2022-10-01 18:57:53 +02:00
Emmanuel Garette	f1b2e20063	add odoo	2022-10-01 18:57:37 +02:00
`@ -1 +1 @@`
	`%%server_ca`	`%%get_chain(authority_cn=%%revprox_client_server_domainname, authority_name="InternalReverseProxy", hide=%%hide_secret)`
`@ -1 +1 @@`
	`BASE_PKG="$BASE_PKG pam"`	`BASE_PKG="$BASE_PKG pam util-linux"`
		`@ -0,0 +1,2 @@`
							`g odoo 1000 -`
							`u odoo 998:1000 "ODOO" /srv/odoo /bin/bash`