ansible integration

seed/apache/dictionaries/20_web.xml

@@ -24,15 +24,6 @@
         <value>300</value>
       </variable>
       <variable name="apache_keepalive" type="boolean" description="Autoriser les connexions persistantes"/>
-      <variable name="server_ca" hidden="True"/>
     </family>
   </variables>
-  <constraints>
-    <fill name="get_chain">
-      <param name="authority_cn" type="variable">revprox_client_server_domainname</param>
-      <param name="authority_name">InternalReverseProxy</param>
-      <param name="hide" type="variable">hide_secret</param>
-      <target>server_ca</target>
-    </fill>
-  </constraints>
 </rougail>

seed/apache/templates/server.ca

@@ -1 +1 @@
-%%server_ca
+%%get_chain(authority_cn=%%revprox_client_server_domainname, authority_name="InternalReverseProxy", hide=%%hide_secret)

seed/base-debian-bullseye/applicationservice.yml

@@ -2,3 +2,4 @@ format: '0.1'
 description: Information de base d'un serveur Debian Buster
 depends:
   - base-debian
+distribution: true

seed/base-debian/dictionaries/11-debian-base.xml

@@ -4,7 +4,12 @@
     <service name="debian" manage="False">
       <file engine="none" source="tmpfile-tmp.conf">/tmpfiles.d/0tmp.conf</file>
       <file engine="none">/etc/default/locale</file>
+      <file engine="none" source="sysuser-debian.conf">/sysusers.d/debian.conf</file>
     </service>
+    <service name='apt-daily' disabled="True"/>
+    <service name='apt-daily-upgrade' disabled="True"/>
+    <service name='avahi-daemon' disabled="True"/>
+    <service name='cron' disabled="True"/>
   </services>
   <variables>
     <variable name="os_name" type="string" description="Nom de l'OS" hidden="True">

seed/base-debian/manual/image/postinstall/debian.sh

@@ -1,2 +1,8 @@
 rm -f $IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/resolv.conf
 ln -s ../run/systemd/resolve/stub-resolv.conf $IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/resolv.conf
+#mkdir $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/network-online.target.wants
+#chmod 775 $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/network-online.target.wants
+#ln -s /usr/lib/systemd/system/systemd-networkd.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/dbus-org.freedesktop.network1.service"
+#ln -s /usr/lib/systemd/system/systemd-networkd.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/multi-user.target.wants/systemd-networkd.service"
+#ln -s /usr/lib/systemd/system/systemd-networkd-wait-online.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/network-online.target.wants/systemd-networkd-wait-online.service"
+#ln -s /usr/lib/systemd/system/systemd-networkd.socket "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/sockets.target.wants/systemd-networkd.socket"

seed/base-debian/templates/sysuser-debian.conf

@@ -0,0 +1,3 @@
+g Debian-exim 109
+u Debian-exim 104:109 "Exim" /var/spool/exim4 /usr/sbin/nologin
+g kvm 103

seed/base-fedora-35/applicationservice.yml

@@ -2,3 +2,4 @@ format: '0.1'
 description: Information de base d'un serveur fedora version 35
 depends:
   - base-fedora
+distribution: true

seed/base-fedora-36/applicationservice.yml

@@ -2,3 +2,4 @@ format: '0.1'
 description: Information de base d'un serveur fedora version 36
 depends:
   - base-fedora
+distribution: true

seed/base-fedora-36/manual/image/preinstall/base_fedora_36.sh

@@ -1 +1 @@
-BASE_PKG="$BASE_PKG pam"
+BASE_PKG="$BASE_PKG pam util-linux"

seed/base-fedora/dictionaries/11-fedora-base.xml

@@ -4,6 +4,7 @@
     <service name="fedora-base" manage="False">
       <file engine="none">/tmpfiles.d/fedora.conf</file>
     </service>
+    <service name='logrotate' disabled="True"/>
   </services>
   <variables>
     <variable name="os_name" type="string" description="Nom de l'OS" hidden="True">

seed/base-machine/dictionaries/12-base.xml

@@ -9,6 +9,7 @@
     <variable name="hide_secret" type="boolean" description="Les secrets sont obscurcis" mode="expert" help="Obscurcir les secrets peut permettre de générer des configurations diffusable sans problème de confidentialité ou pour comparer deux configurations générés à des moments différents">
       <value>False</value>
     </variable>
+    <variable name="module_name" type="string" hidden="True" provider="global:module_name" mandatory="True"/>
     <family name="network" description="Réseau">
       <variable name="server_name" type="domainname" hidden="True" provider="global:server_name" mandatory="True"/>
       <variable name="zones_list" type="string" multi="True" description="Liste de toutes les zones" mandatory="True" hidden="True" provider="global:zones_name"/>

seed/base-machine/funcs/funcs.py

@@ -9,7 +9,7 @@ from os import makedirs as _makedirs
 #from risotto.utils import ZONES_SERVER
 
 
-_HERE = _dirname(_abspath(__main__.__file__))
+_HERE = _dirname(_dirname(_abspath(__main__.__file__)))
 _PASSWORD_DIR = _join(_HERE, 'password')
 
 

seed/base-machine/manual/install/install_host

@@ -1,35 +0,0 @@
-#!/bin/bash -e
-
-HOST_NAME=$1
-if [ -z "$HOST_NAME" ]; then
-    echo "usage: $0 host name"
-    exit 1
-fi
-# remove current rules
-systemctl stop risottofirewall.service || true
-apt install --yes systemd-container dnf jq debootstrap htop gettext patch unzip mlocate xz-utils iptables
-systemd-tmpfiles --create --clean --remove $PWD/host/configurations/$HOST_NAME/tmpfiles.d/0asystemd-nspawn.conf
-systemd-tmpfiles --create --clean --remove $PWD/host/configurations/$HOST_NAME/tmpfiles.d/0rougail.conf
-systemctl daemon-reload
-systemctl restart systemd-sysctl.service
-systemctl enable systemd-networkd
-systemctl restart systemd-networkd
-systemctl enable systemd-resolved
-systemctl restart systemd-resolved
-# systemctl mask dev-hugepages.mount
-systemctl enable risotto-images.timer
-systemctl restart risotto-images.timer
-systemctl enable risottofirewall.service
-systemctl start risottofirewall.service
-
-#nft add table nat
-#nft flush table nat;
-#nft 'add chain nat prerouting { type nat hook prerouting priority -100; }'
-#nft 'add rule nat prerouting iif enp0s3 tcp dport { 80, 443 } dnat to 192.168.45.12'
-#nft 'add chain nat postrouting { type nat hook postrouting priority -100; }'
-#nft 'add rule nat postrouting ip saddr 192.168.45.10 oif enp0s8 tcp dport 53 snat to 10.0.3.15'
-#nft 'add rule nat postrouting ip saddr 192.168.45.10 oif enp0s8 udp dport 53 snat to 10.0.3.15'
-
-echo "install host OK"
-
-exit 0

seed/base-machine/manual/install/install_image

@@ -1,177 +0,0 @@
-#!/bin/bash -e
-
-HOST_NAME=$1
-IMAGE_NAME=$2
-
-if [ -z "$IMAGE_NAME" ]; then
-    echo "PAS DE NOM DE MODULE"
-    exit 1
-fi
-
-. config.sh
-
-rm -rf "$IMAGE_NAME_RISOTTO_IMAGE_DIR" tmp
-mkdir -p "$RISOTTO_IMAGE_DIR"
-PKG=""
-BASE_DIR=""
-for script in $(ls $IMAGE_NAME/manual/preinstall/*.sh 2> /dev/null); do
-    . "$script"
-done
-
-if [ -z "$OS_NAME" ]; then
-    echo "NO OS NAME DEFINED"
-    exit 0
-fi
-if [ -z "$RELEASEVER" ]; then
-    echo "NO RELEASEVER DEFINED"
-    exit 0
-fi
-if [ -z "$INSTALL_TOOL" ]; then
-    echo "NO INSTALL TOOL DEFINED"
-    exit 0
-fi
-BASE_NAME="$OS_NAME-$RELEASEVER"
-BASE_DIR="$IMAGE_BASE_RISOTTO_BASE_DIR/$BASE_NAME"
-BASE_TAR="$IMAGE_BASE_RISOTTO_BASE_DIR-$BASE_NAME".tar
-BASE_PKGS_FILE="$IMAGE_BASE_RISOTTO_BASE_DIR-$BASE_NAME.pkgs"
-BASE_LOCK="$IMAGE_BASE_RISOTTO_BASE_DIR-$BASE_NAME.build"
-
-function dnf_opt() {
-    INSTALL_DIR=$1
-    INSTALL_PKG=$2
-    echo "--setopt=install_weak_deps=False --nodocs --noplugins --installroot=$INSTALL_DIR --releasever $RELEASEVER install $INSTALL_PKG"
-}
-function new_package_base() {
-    if [ "$INSTALL_TOOL" = "dnf" ]; then
-        OPT=$(dnf_opt "$BASE_DIR" "$BASE_PKG")
-        dnf --assumeno $OPT | grep ^" " > "$BASE_PKGS_FILE".new
-    else
-        debootstrap --include="$BASE_PKG" --variant=minbase "$RELEASEVER" "$BASE_DIR" > /dev/null
-        chroot "$BASE_DIR" dpkg-query -f '${binary:Package} ${source:Version}\n' -W > "$BASE_PKGS_FILE".new
-    fi
-}
-function install_base() {
-    if [ "$INSTALL_TOOL" = "dnf" ]; then
-        OPT=$(dnf_opt "$BASE_DIR" "$BASE_PKG")
-        dnf --assumeyes $OPT
-    fi
-}
-function new_package() {
-    if [ "$INSTALL_TOOL" = "dnf" ]; then
-        OPT=$(dnf_opt "$IMAGE_NAME_RISOTTO_IMAGE_DIR" "$PKG")
-        dnf --assumeno $OPT | grep ^" " > "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new
-    else
-        chroot "$IMAGE_NAME_RISOTTO_IMAGE_DIR" apt install --no-install-recommends --yes $PKG -s 2>/dev/null|grep ^"Inst " > "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new
-    fi
-}
-function install_pkg() {
-    if [ "$INSTALL_TOOL" = "dnf" ]; then
-        OPT=$(dnf_opt "$IMAGE_NAME_RISOTTO_IMAGE_DIR" "$PKG")
-        dnf --assumeyes $OPT
-    else
-        chroot "$IMAGE_NAME_RISOTTO_IMAGE_DIR" apt install --no-install-recommends --yes $PKG
-    fi
-}
-
-
-if [ ! -f "$BASE_LOCK" ]; then
-    echo "  - reinstallation de l'image de base"
-    rm -rf "$BASE_DIR"
-    new_package_base
-    diff -u "$BASE_PKGS_FILE" "$BASE_PKGS_FILE".new && NEW_BASE=false || NEW_BASE=true
-    if [ ! -f "$BASE_TAR" ] || [ "$NEW_BASE" = true ]; then
-        mkdir -p "$IMAGE_BASE_RISOTTO_BASE_DIR"
-        install_base
-        cd "$IMAGE_BASE_RISOTTO_BASE_DIR"
-        tar cf "$BASE_TAR" "$BASE_NAME"
-        cd - > /dev/null
-        if [ -f "$BASE_PKGS_FILE" ]; then
-            mv "$BASE_PKGS_FILE" "$BASE_PKGS_FILE".old
-        fi
-        mv "$BASE_PKGS_FILE".new "$BASE_PKGS_FILE"
-        rm -rf "$IMAGE_BASE_RISOTTO_BASE_DIR"
-    fi
-    rm -rf "$BASE_DIR"
-    touch "$BASE_LOCK"
-fi
-
-tar xf "$BASE_TAR"
-mv "$BASE_NAME" "$IMAGE_NAME_RISOTTO_IMAGE_DIR"
-if [ -n "$COPR" ]; then
-    #FIXME signature...
-    mkdir -p "$REPO_DIR"
-    cd "$REPO_DIR"
-    wget -q "$COPR"
-    cd - > /dev/null
-fi
-if [ "$FUSION" = true ]; then
-    dnf -y install "https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$RELEASEVER.noarch.rpm" --installroot="$IMAGE_NAME_RISOTTO_IMAGE_DIR" > /dev/null
-fi
-
-# FIXME verifier s'il y a des modifs sur pre/post
-if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs ] && [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs ]; then
-    echo "  - différence(s) avec les paquets de base"
-    diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs "$BASE_PKGS_FILE" && INSTALL=false || INSTALL=true
-else
-    INSTALL=true
-fi
-new_package
-if [ "$INSTALL" = false ]; then
-    echo "  - différence(s) avec les paquets de l'image"
-    diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new && INSTALL=false || INSTALL=true
-fi
-find $IMAGE_NAME/manual -type f -exec md5sum '{}' \; > "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum.new
-if [ "$INSTALL" = false ]; then
-    diff -u "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum.new && INSTALL=false || INSTALL=true
-fi
-if [ "$INSTALL" = true ]; then
-    echo "  - installation"
-    if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version ]; then
-        VERSION=$(cat "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version)
-    else
-        VERSION=0
-    fi
-    mkdir tmp
-    ORI_DIR=$PWD
-    cd tmp
-    if [ ! "$VERSION" = 0 ]; then
-        tar xf "$IMAGE_NAME_RISOTTO_IMAGE_NAME"
-        if [ "$INSTALL_TOOL" = "apt" ]; then
-            chown _apt "$IMAGE_NAME"
-        fi
-    else
-        mkdir "$IMAGE_NAME"
-    fi
-    cd "$IMAGE_NAME"
-    ../../make_changelog "$IMAGE_NAME" "$VERSION" "$OS_NAME" "$RELEASEVER" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER"_"$VERSION"_changelog.md
-    cd $ORI_DIR
-    rm -rf tmp
-    install_pkg
-    sleep 2
-    
-    for script in $(ls $IMAGE_NAME/manual/postinstall/*.sh 2> /dev/null); do
-        . "$script"
-    done
-    
-    CONTAINER=$IMAGE_NAME ./make_volatile /etc
-    if [ ! "$?" = 0 ]; then
-        echo "make_volatile failed"
-        exit 1
-    fi
-    cd "$RISOTTO_IMAGE_DIR"
-    #7zr a "$IMAGE_NAME".7z "$IMAGE_NAME"
-    if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_NAME" ]; then
-        mv -f "$IMAGE_NAME_RISOTTO_IMAGE_NAME" "$IMAGE_NAME_RISOTTO_IMAGE_NAME".old
-    fi
-    tar cf "$IMAGE_NAME_RISOTTO_IMAGE_NAME" "$IMAGE_NAME"
-    sha256sum "$IMAGE_NAME_RISOTTO_IMAGE_NAME" > "$IMAGE_NAME_RISOTTO_IMAGE_NAME".sha
-    cd - > /dev/null
-    cp -f "$BASE_PKGS_FILE" "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs
-    mv -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs.new "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs
-    mv -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum.new "$IMAGE_NAME_RISOTTO_IMAGE_DIR".md5sum
-    VERSION=$((VERSION + 1)) 
-    echo "$VERSION" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER".version
-fi
-rm -rf "$IMAGE_NAME_RISOTTO_IMAGE_DIR"
-echo "  => OK"
-exit 0

seed/base-machine/manual/install/install_images

@@ -1,17 +0,0 @@
-#!/bin/bash -e
-HOST_NAME=$1
-if [ -z "$HOST_NAME" ]; then
-    echo "usage: $0 host name"
-    exit 1
-fi
-. config.sh
-rm -f $IMAGE_BASE_RISOTTO_BASE_DIR*.build
-for image in *; do
-    if [ -d "$image" ]; then
-	echo
-        echo "Install image $image"
-        ./install_image "$HOST_NAME" "$image"
-    fi
-done
-rm -f $IMAGE_BASE_RISOTTO_BASE_DIR*.build
-exit 0

seed/base-machine/manual/install/install_machine

@@ -2,6 +2,7 @@
 HOST_NAME=$1
 IMAGE_NAME=$2
 MACHINE=$3
+exit 0
 . config.sh
 . config_machine.sh
 if [ -z "$MACHINE" ]; then
@@ -40,24 +41,25 @@ fi
 if [ "$NEW_CONF" = true ]; then
     echo "  - delete old settings"
     ./diff.py "$MACHINE" "$MACHINE_RISOTTO_CONFIG_DIR" "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" > "$MACHINE_RISOTTO_CONFIG_DIR"_changelog.md
-    rm -rf "$MACHINE_RISOTTO_CONFIG_DIR"
+#    rm -rf "$MACHINE_RISOTTO_CONFIG_DIR"
 fi
 
-cp -a "$MACHINE_NAME_NSPAWN_LOCAL" "$MACHINE_NAME_NSPAWN"
-cp -a "$MACHINE_NAME_SCRIPT_LOCAL" "$MACHINE_NAME_SCRIPT"
-if [ ! -d "$MACHINE_RISOTTO_CONFIG_DIR" ]; then
-    cp -a "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" "$MACHINE_RISOTTO_CONFIG_DIR"
-fi
-if [ ! -d "$MACHINE_RISOTTO_SRV_DIR" ] && [ -d "$MACHINE_RISOTTO_SRV_DIR_LOCAL" ]; then
-    mkdir -p "$MACHINE_RISOTTO_SRV_DIR"
-fi
-mkdir -p "$RISOTTO_JOURNALD_DIR"
+#cp -a "$MACHINE_NAME_NSPAWN_LOCAL" "$MACHINE_NAME_NSPAWN"
+#cp -a "$MACHINE_NAME_SCRIPT_LOCAL" "$MACHINE_NAME_SCRIPT"
+#if [ ! -d "$MACHINE_RISOTTO_CONFIG_DIR" ]; then
+#    cp -a "$MACHINE_RISOTTO_CONFIG_DIR_LOCAL" "$MACHINE_RISOTTO_CONFIG_DIR"
+#fi
+#if [ ! -d "$MACHINE_RISOTTO_SRV_DIR" ] && [ -d "$MACHINE_RISOTTO_SRV_DIR_LOCAL" ]; then
+#    mkdir -p "$MACHINE_RISOTTO_SRV_DIR"
+#fi
+#mkdir -p "$RISOTTO_JOURNALD_DIR"
 if [ ! -d "$MACHINE_MACHINES_DIR" ]; then
     cd "$MACHINES_DIR"
+    mkdir "$IMAGE_NAME"
+    cd "$IMAGE_NAME"
     tar xf "$IMAGE_NAME_RISOTTO_IMAGE_NAME"
     mkdir -p "$SHA_MACHINE_DIR"
     cp -a "$IMAGE_NAME_RISOTTO_IMAGE_NAME".sha "$SHA_MACHINE"
-    mv "$IMAGE_NAME" "$MACHINE_MACHINES_DIR"
     cd - > /dev/null
 fi
 

seed/dovecot/templates/dovecot-ldap.conf.ext

@@ -136,7 +136,7 @@ user_attrs = homeDirectory=home
 #   %d - domain part in user@domain, empty if user there's no domain
 #user_filter = (&(objectClass=posixAccount)(uid=%u))
 #>GNUNUX
-user_filter = (&(objectClass=inetOrgPerson)(mail=%u))
+user_filter = (&(objectClass=inetOrgPerson)(mailLocalAddress=%u))
 #<GNUNUX
 
 # Password checking attributes:

seed/dovecot/templates/imap.yml

@@ -8,3 +8,5 @@ password: %%get_password(server_name='test', username=%%username, description="t
 username_family: %%username_family
 password_family: %%get_password(server_name='test', username=%%username_family, description='test', type="cleartext", hide=%%hide_secret, temporary=True)
 name_family: %%name_family
+smtp: %%get_ip(%%smtp_relay_address)
+ext_username: 'test@example.net'

seed/dovecot/tests/test_imap.py

@@ -1,6 +1,7 @@
 from yaml import load, SafeLoader
 from os import environ
 import pytest
+import datetime
 
 from imaplib2 import IMAP4_SSL
 from smtplib import SMTP, SMTPNotSupportedError, SMTPAuthenticationError
@@ -10,17 +11,29 @@ from smtplib import SMTP, SMTPNotSupportedError, SMTPAuthenticationError
 conf_file = f'{environ["MACHINE_TEST_DIR"]}/imap.yml'
 with open(conf_file) as yaml:
     data = load(yaml, Loader=SafeLoader)
-parameters = (('user', data['username'], [data['password']]),
-              ('family', data['username_family'], [data['password_family'], data['password_family'] + "2"]),
+parameters = (
+              (1, 5, 'user', data['username'], data['username'], data['username'], [data['password']]),
+              (2, 5, 'user', data['username'], data['username'], 'alias_' + data['username'], [data['password']]),
+              (1, 3, 'family', data['username_family'], data['username_family'], data['username_family'], [data['password_family'], data['password_family'] + "2"]),
+              (3, 5, 'user', data['username'], data['ext_username'], data['username'], [data['password']]),
+             (4, 5, 'user', data['username'], data['ext_username'], 'alias_' + data['username'], [data['password']]),
+              (2, 3, 'family', data['username_family'], data['ext_username'], data['username_family'], [data['password_family'], data['password_family'] + "2"]),
               )
 
 
-def get_msg(username, msg='MESSAGE'):
-    return f'From: {username}\r\nTo: {username}\r\n\r\nSubject: TEST\r\n{msg}\r\n'
+def get_msg(username, dest, msg='MESSAGE', with_date=True):
+    date = datetime.datetime.now()
+    ret = f'From: {username}\r\nTo: {dest}\r\n\r\nSubject: TEST\r\n{msg}\r\n'
+    if with_date:
+        date_str = date.strftime('%a, %d %b %Y %H:%M:%S +0200 (CEST)')
+        ret = f'Date: {date_str}\r\n{ret}'
+    return ret
 
 
-@pytest.mark.parametrize('typ, username, passwords', parameters)
-def test_imap_wrong_password(typ, username, passwords):
+@pytest.mark.parametrize('idx, maxi, typ, login_username, username, dest, passwords', parameters)
+def test_imap_wrong_password(idx, maxi, typ, login_username, username, dest, passwords):
+    if username == data['ext_username']:
+        return
     imap = IMAP4_SSL(data['address'])
     try:
         imap.LOGIN(username, 'b')
@@ -30,9 +43,13 @@ def test_imap_wrong_password(typ, username, passwords):
         raise Exception('wrong login !')
 
 
-@pytest.mark.parametrize('typ, username, passwords', parameters)
-def test_imap_migration(typ, username, passwords):
-    msg = get_msg(username, 'MIGRATION')
+@pytest.mark.parametrize('idx, maxi, typ, login_username, username, dest, passwords', parameters)
+def test_imap_migration(idx, maxi, typ, login_username, username, dest, passwords):
+    if dest.startswith('alias_'):
+        return
+    if username == data['ext_username']:
+        return
+    msg = get_msg(username, dest, 'MIGRATION', False)
     if 'FIRST_RUN' in environ:
         smtp = SMTP(data['address'], '587')
         smtp.starttls()
@@ -45,7 +62,7 @@ def test_imap_migration(typ, username, passwords):
                 error = err
         else:
             raise error from error
-        smtp.sendmail(username, username, msg)
+        smtp.sendmail(username, dest, msg)
         smtp.quit()
     imap = IMAP4_SSL(data['address'])
     error = None
@@ -69,15 +86,19 @@ def test_imap_migration(typ, username, passwords):
     imap.LOGOUT()
 
 
-@pytest.mark.parametrize('typ, username, passwords', parameters)
-def test_smtp_no_tls(typ, username, passwords):
+@pytest.mark.parametrize('idx, maxi, typ, login_username, username, dest, passwords', parameters)
+def test_smtp_no_tls(idx, maxi, typ, login_username, username, dest, passwords):
+    if username == data['ext_username']:
+        return
     smtp = SMTP(data['address'], '587')
     with pytest.raises(SMTPNotSupportedError):
         smtp.login(username, passwords[0])
 
 
-@pytest.mark.parametrize('typ, username, passwords', parameters)
-def test_smtp_wrong_passwd(typ, username, passwords):
+@pytest.mark.parametrize('idx, maxi, typ, login_username, username, dest, passwords', parameters)
+def test_smtp_wrong_passwd(idx, maxi, typ, login_username, username, dest, passwords):
+    if username == data['ext_username']:
+        return
     smtp = SMTP(data['address'], '587')
     smtp.starttls()
     with pytest.raises(SMTPAuthenticationError):
@@ -85,8 +106,10 @@ def test_smtp_wrong_passwd(typ, username, passwords):
     smtp.quit()
 
 
-@pytest.mark.parametrize('typ, username, passwords', parameters)
-def test_smtp_login(typ, username, passwords):
+@pytest.mark.parametrize('idx, maxi, typ, login_username, username, dest, passwords', parameters)
+def test_smtp_login(idx, maxi, typ, login_username, username, dest, passwords):
+    if username == data['ext_username']:
+        return
     smtp = SMTP(data['address'], '587')
     smtp.starttls()
     error = None
@@ -101,8 +124,11 @@ def test_smtp_login(typ, username, passwords):
     smtp.quit()
 
 
-@pytest.mark.parametrize('typ, username, passwords', parameters)
-def test_smtp_sendmail(typ, username, passwords):
+@pytest.mark.parametrize('idx, maxi, typ, login_username, username, dest, passwords', parameters)
+def test_smtp_sendmail(idx, maxi, typ, login_username, username, dest, passwords):
+    if username == data['ext_username']:
+        smtp = SMTP(data['smtp'], '25')
+    else:
         smtp = SMTP(data['address'], '587')
         smtp.starttls()
         error = None
@@ -114,17 +140,17 @@ def test_smtp_sendmail(typ, username, passwords):
                 error = err
         else:
             raise error from error
-    smtp.sendmail(username, username, get_msg(username))
+    smtp.sendmail(username, dest, get_msg(username, dest))
     smtp.quit()
 
 
-@pytest.mark.parametrize('typ, username, passwords', parameters)
-def test_imap_read_mail(typ, username, passwords):
+@pytest.mark.parametrize('idx, maxi, typ, login_username, username, dest, passwords', parameters)
+def test_imap_read_mail(idx, maxi, typ, login_username, username, dest, passwords):
     imap = IMAP4_SSL(data['address'])
     error = None
     for password in passwords:
         try:
-            imap.LOGIN(username, password)
+            imap.LOGIN(login_username, password)
             break
         except Exception as err:
             error = err
@@ -134,24 +160,31 @@ def test_imap_read_mail(typ, username, passwords):
     typ, req = imap.SEARCH(None, 'ALL')
     assert typ == 'OK'
     assert len(req) == 1
-    msg = get_msg(username)
+    msg = get_msg(username, dest, with_date=False)
     msg_no = req[0].split()
-    assert len(msg_no) == 2
-    for num in msg_no[1:]:
+    assert len(msg_no) == maxi
+    num = msg_no[idx]
     field = imap.FETCH(num, '(RFC822)')
     assert field[0] == 'OK'
-        assert field[1][-2][-1].decode().endswith(msg)
+    fdata = field[1][-2][-1].decode().split('\r\n')
+    if fdata[-2].startswith('--'):
+        fdata = fdata[:-2]
+    fdata = '\r\n'.join(fdata)
+    assert 'Undelivered' not in fdata
+    assert fdata.endswith(msg)
     imap.CLOSE()
     imap.LOGOUT()
 
 
-@pytest.mark.parametrize('typ, username, passwords', parameters)
-def test_imap_delete_mail(typ, username, passwords):
+@pytest.mark.parametrize('idx, maxi, typ, login_username, username, dest, passwords', parameters)
+def test_imap_delete_mail(idx, maxi, typ, login_username, username, dest, passwords):
+    if username == data['ext_username']:
+        return
     imap = IMAP4_SSL(data['address'])
     error = None
     for password in passwords:
         try:
-            imap.LOGIN(username, password)
+            imap.LOGIN(login_username, password)
             break
         except Exception as err:
             error = err

seed/gitea/templates/app.ini

@@ -33,8 +33,8 @@ LFS_CONTENT_PATH = /srv/gitea/lib/data/lfs
 LFS_JWT_SECRET   = %%gitea_lfs_jwt_secret
 OFFLINE_MODE     = true
 PROTOCOL         = https
-CERT_FILE        = %%revprox_cert_file
-KEY_FILE         = %%revprox_key_file
+CERT_FILE        = %%revprox_client_cert_file
+KEY_FILE         = %%revprox_client_key_file
 
 [mailer]
 ENABLED = true

seed/host-systemd-machined/dictionaries/21-machined.xml

@@ -2,16 +2,18 @@
 <rougail version="0.10">
   <services>
     <service name="systemd-machined">
-      <file>/etc/systemd/system/risotto-images.service</file>
-      <file>/etc/systemd/system/risotto-images.timer</file>
       <file>/etc/systemd/network/80-container-vz.network</file>
       <file file_type="variable" source="70-container.network" variable="zone_name">systemd_zone_filename</file>
       <file file_type="variable" source="70-container.netdev" variable="zone_name">systemd_netzone_filename</file>
     </service>
-    <service name="risottofirewall" engine="creole" target="multi-user">
-    </service>
+    <service name="risotto-images" engine="creole" manage="False"/>
+    <service name="systemd-sysctl"/>
+    <service name="systemd-networkd"/>
+    <service name="systemd-resolved"/>
+    <service name="risotto-images" type="timer" engine="creole"/>
+    <service name="risottofirewall" engine="creole"/>
     <service name="systemd-nspawn@">
-      <file>/tmpfiles.d/0asystemd-nspawn.conf</file>
+      <file>/usr/local/lib/risotto-tmpfiles.d/0asystemd-nspawn.conf</file>
       <file>/etc/systemd/system/systemd-nspawn@.service.d/systemd-nspawn@.conf</file>
       <file>/etc/distro.repos.d/boot.repo</file>
       <file>/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-35-x86_64</file>
@@ -25,8 +27,25 @@
     <variable name="host_install_dir" type="filename" description="Nom du répertoire comprenant les descriptions d'installation" mandatory="True"/>
     <variable name="host_dhcp_filename" type="filename" hidden="True" multi="True"/>
     <variable name="host_name" type="domainname" hidden="True" provider="global:server_name" mandatory="True"/>
+    <variable name="module_name" type="string" hidden="True" provider="global:module_name" mandatory="True"/>
     <variable name="systemd_zone_filename" type="filename" hidden="True" multi="True"/>
     <variable name="systemd_netzone_filename" type="filename" hidden="True" multi="True"/>
+    <variable name="vm_swappiness" type="number" description="Ajustement de la mémoire virtuelle" mandatory="True">
+      <value>60</value>
+    </variable>
+    <variable name="host_packages" multi="True" hidden="True">
+      <value>systemd-container</value>
+      <value>dnf</value>
+      <value>jq</value>
+      <value>debootstrap</value>
+      <value>htop</value>
+      <value>gettext</value>
+      <value>patch</value>
+      <value>unzip</value>
+      <value>mlocate</value>
+      <value>xz-utils</value>
+      <value>iptables</value>
+    </variable>
     <family name="network">
       <variable name="host_dhcp_interface" description="Carte réseau en DHCP" multi="True"/>
       <variable name="output_interface" description="Nom de l'interface de sortie" mandatory="True"/>

seed/host-systemd-machined/templates/0asystemd-nspawn.conf

@@ -4,12 +4,3 @@ D /etc/systemd/network/ 0755 root root - -
 D /usr/local/lib/systemd/system/ 0755 root root - -
 d /var/lib/risotto/configurations/ 0755 root root - -
 r /etc/network/interfaces -    -    -     -           -
-%for %%filename in %%machined.nspawn_script_filename
-C %%filename 0755 root root - %%host_install_dir/host/configurations/%%host_name%%filename
-%end for
-%for %%service in %%services
-  %if %%service.engine != 'none'
-    %set %%filename = '/usr/local/lib/systemd/system/' + %%service.doc
-C %%filename 0755 root root - %%host_install_dir/host/configurations/%%host_name%%filename
-  %end if
-%end for

seed/host-systemd-machined/templates/90-risotto.conf

@@ -1,2 +1,3 @@
 net.ipv4.ip_forward = 1
 fs.inotify.max_user_instances = 1024
+vm.swappiness = %%vm_swappiness

seed/host-systemd-machined/templates/risotto-images.service

@@ -5,7 +5,7 @@ After=network.target local-fs.target systemd-logind.service
 [Service]
 Type=oneshot
 WorkingDirectory=%%host_install_dir
-ExecStart=%%host_install_dir/install_images %%host_name
+ExecStart=/usr/local/sbin/build_images
 ExecStart=%%host_install_dir/backup %%host_name no
 ExecStart=%%host_install_dir/install_machines %%host_name
 

seed/lemonldap/templates/handler-nginx.conf

@@ -22,8 +22,8 @@ server {
 #>GNUNUX
   listen 443 ssl;
   server_name %%lemon_reload_web_name;
-  ssl_certificate         %%revprox_cert_file;
-  ssl_certificate_key     %%revprox_key_file;
+  ssl_certificate         %%revprox_client_cert_file;
+  ssl_certificate_key     %%revprox_client_key_file;
   ssl_client_certificate  %%revprox_ca_file;
 #<GNUNUX
   root /var/www/html;

seed/lemonldap/templates/portal-nginx.conf

@@ -49,8 +49,8 @@ server {
 #>GNUNUX
   listen 443 ssl;
   server_name %%{revprox_client_external_domainnames[0]};
-  ssl_certificate %%revprox_cert_file;
-  ssl_certificate_key %%revprox_key_file;
+  ssl_certificate %%revprox_client_cert_file;
+  ssl_certificate_key %%revprox_client_key_file;
   ssl_client_certificate %%revprox_ca_file;
   ssl_session_cache shared:SSL:10m;
 #<GNUNUX

seed/letsencrypt/funcs/letsencrypt.py

@@ -8,6 +8,7 @@ from os import makedirs as _makedirs
 
 
 _HERE = _dirname(_abspath(__main__.__file__))
+_HERE = '/home/gnunux/git/risotto/risotto'
 _LE_DIR = _join(_HERE, 'pki', 'letsencrypt')
 _X509_DIR = _join(_HERE, 'pki', 'x509')
 
@@ -33,7 +34,7 @@ def letsencrypt_certif(domain: str,
         with open(date_file, 'r') as fh:
             letsencrypt_date = fh.read().strip()
     if letsencrypt_date != today:
-        print(f"Obtain or renew Let's Encrypt certificate for {domain}...")
+#        print(f"Obtain or renew Let's Encrypt certificate for {domain}...")
         cli_args = ['certbot',
                     'certonly',
                     f'--dns-{plugin_name}',
@@ -58,7 +59,7 @@ def letsencrypt_certif(domain: str,
         if ret.returncode != 0:
             print("FIXME")
             #raise ValueError(ret.stderr.decode())
-        print("Done")
+#        print("Done")
     with open(date_file, 'w') as fh:
         fh.write(today)
     rootdir = _join(_X509_DIR, f'{authority_name}+{authority_cn}')

seed/mailman/manual/image/postinstall/postorius.sh

@@ -1,7 +1,7 @@
 PYTHON="usr/lib/python3.10/site-packages"
-cp -a "mailman/manual/postinstall/lemonldap" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/"
-cp -a "mailman/manual/postinstall/risotto" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/"
-cp -a "mailman/manual/postinstall/postorius" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius"
+cp -a "$IMAGE_DIR_RECIPIENT_IMAGE/postinstall/lemonldap" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/"
+cp -a "$IMAGE_DIR_RECIPIENT_IMAGE/postinstall/risotto" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/allauth/socialaccount/providers/"
+cp -a "$IMAGE_DIR_RECIPIENT_IMAGE/postinstall/postorius" "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius"
 chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius/manage.py"
 ln -s /etc/mailman3.d/postorius.py "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/share/postorius/m_postorius/settings_local.py"
 ln -s ../../django_mailman3/static/django-mailman3 "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$PYTHON/postorius/static/"

seed/nextcloud/DEBUG.md

@@ -43,6 +43,13 @@ Vérification :
 su - apache -s /bin/bash -c "php /usr/share/nextcloud/occ config:list"|grep know
 ```
 
+Il faut quelque chose comme : 
+
+```
+            "well-known": "{\"grant_types_supported\": [...]}"
+```
+
+
 Suppression de cache nextcloud :
 
 ```
@@ -54,3 +61,9 @@ Sur lemonldap, le script de création du fichier .well-known :
 ```
 /usr/local/lib/sbin/interne_well_known.pl
 ```
+
+Pour regénérer :
+
+```
+systemctl restart lemonldap-ng-fastcgi-server.service
+```

seed/nextcloud/templates/nextcloud-config.php

@@ -29,7 +29,7 @@ $CONFIG = array (
     ),
   ),
   'dbtype' => 'pgsql',
-  'version' => '22.1.0.1',
+  'version' => '{{VERSION}}',
   'overwrite.cli.url' => 'http://localhost',
   'dbname' => '%%pg_client_database',
   'dbhost' => '%%pg_client_server_domainname',
@@ -37,7 +37,13 @@ $CONFIG = array (
   'dbtableprefix' => 'oc_',
   'dbuser' => '%%pg_client_username',
   'dbpassword' => '%%pg_client_password',
-  'dbdriveroptions' => array('sslmode' => 'verify-full', 'sslcert' => '/etc/pki/tls/certs/postgresql.crt', 'sslkey' => '/etc/pki/tls/private/postgresql.key', 'sslrootcert' => '/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt'),
+  'dbdriveroptions' => 
+  array (
+    'sslmode' => 'verify-full',
+    'sslcert' => '/etc/pki/tls/certs/postgresql.crt',
+    'sslkey' => '/etc/pki/tls/private/postgresql.key',
+    'sslrootcert' => '/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt',
+  ),
   'passwordsalt' => '{{SALT}}',
   'secret' => '{{SECRET}}',
   'instanceid' => '%%nextcloud_instance_id',
@@ -46,49 +52,52 @@ $CONFIG = array (
   'maintenance' => false,
   'appstoreenabled' => false,
   'appcodechecker' => false,
-  'memcache.distributed' => '\OC\Memcache\Redis',
-  'memcache.locking' => '\OC\Memcache\Redis',
+  'memcache.distributed' => '\\OC\\Memcache\\Redis',
+  'memcache.locking' => '\\OC\\Memcache\\Redis',
   'trusted_proxies' => '%%revprox_client_server_ip',
   'overwritehost' => '%%revprox_client_external_domainnames[0]',
   'filelocking.enabled' => true,
-  'redis' => [
+  'redis' => 
+  array (
     'host' => '%%redis_client_server_domainname',
     'port' => 6380,
     'user' => '%%redis_client_username',
     'password' => '%%redis_client_password',
     'dbindex' => 0,
-      'ssl_context' => [
+    'ssl_context' => 
+    array (
       'local_cert' => '/etc/pki/tls/certs/redis.crt',
       'local_pk' => '/etc/pki/tls/private/redis.key',
       'cafile' => '/etc/pki/ca-trust/source/anchors/ca_Redis.crt',
-      ]
-  ],
+    )
+  ),
   'default_phone_region' => 'FR',
-//OIDC login
+# OIDC login
   'allow_user_to_change_display_name' => false,
   'lost_password_link' => 'disabled',
   'oidc_login_provider_url' => 'https://%%oauth2_client_server_domainname',
   'oidc_login_client_id' => '%%oauth2_client_id',
   'oidc_login_client_secret' => '%%oauth2_client_secret',
   'oidc_login_auto_redirect' => true,
-//FIXME 'oidc_login_logout_url' => 'https://openid.example.com/thankyou',
-//FIXME to true
+# FIXME 'oidc_login_logout_url' => 'https://openid.example.com/thankyou',
+# FIXME to true
   'oidc_login_end_session_redirect' => false,
-//If no quota, we cannot send file
+# If no quota, we cannot send file
   'oidc_login_default_quota' => '1000000000000000',
   'oidc_login_button_text' => 'Log in with OpenID',
   'oidc_login_hide_password_form' => true,
   'oidc_login_use_id_token' => false,
-  'oidc_login_attributes' => array (
+  'oidc_login_attributes' => 
+  array (
     'id' => 'sub',
     'name' => 'name',
     'mail' => 'email',
-//      'quota' => 'ownCloudQuota',
-//      'home' => 'homeDirectory',
+#    'quota' => 'ownCloudQuota',
+#    'home' => 'homeDirectory',
     'ldap_uid' => 'uid',
-//      'groups' => 'ownCloudGroups',
-//      'photoURL' => 'picture',
-//      'is_admin' => 'ownCloudAdmin',
+#    'groups' => 'ownCloudGroups',
+#    'photoURL' => 'picture',
+#    'is_admin' => 'ownCloudAdmin',
   ),
   'oidc_login_default_group' => 'oidc',
   'oidc_login_scope' => 'openid profile email',
@@ -98,14 +107,14 @@ $CONFIG = array (
   'oidc_login_alt_login_page' => 'assets/login.php',
   'oidc_login_tls_verify' => true,
   'oidc_create_groups' => false,
-//FIXME
+# FIXME
   'oidc_login_webdav_enabled' => false,
   'oidc_login_password_authentication' => false,
   'oidc_login_public_key_caching_time' => 86400,
   'oidc_login_min_time_between_jwks_requests' => 10,
   'oidc_login_well_known_caching_time' => 86400,
   'oidc_login_update_avatar' => false,
-//mail
+# mail
   'mail_smtpmode' => 'smtp',
   'mail_smtpsecure' => 'tls',
   'mail_sendmailmode' => 'smtp',
@@ -118,4 +127,5 @@ $CONFIG = array (
   'mail_smtpport' => '25',
   'mail_smtpname' => '%%smtp_relay_user@%%ip_eth0',
   'mail_smtppassword' => '%%smtp_relay_password',
+  'loglevel' => 2,
 );

seed/nextcloud/templates/nextcloud.init

@@ -5,17 +5,26 @@ if [ ! -f /srv/nextcloud/keys/secret.txt ]; then
     umask 027
     /usr/bin/php /usr/share/nextcloud/occ --no-warnings config:system:get passwordsalt > /srv/nextcloud/keys/passwordsalt.txt
     /usr/bin/php /usr/share/nextcloud/occ --no-warnings config:system:get secret > /srv/nextcloud/keys/secret.txt
+    /usr/bin/php /usr/share/nextcloud/occ --no-warnings config:system:get version > /srv/nextcloud/keys/version.txt
 
     /usr/bin/php /usr/share/nextcloud/occ app:enable user_ldap -q
     /usr/bin/php /usr/share/nextcloud/occ ldap:create-empty-config -q
 else
     sed -i "s'{{SECRET}}'$(cat /srv/nextcloud/keys/secret.txt)'g" /etc/nextcloud/config.php
     sed -i "s'{{SALT}}'$(cat /srv/nextcloud/keys/passwordsalt.txt)'g" /etc/nextcloud/config.php
+    sed -i "s'{{VERSION}}'$(cat /srv/nextcloud/keys/version.txt)'g" /etc/nextcloud/config.php
     sed -i "s/'installed' => false,/'installed' => true,/g" /etc/nextcloud/config.php
+    # Upgrade
+    sha256sum /etc/nextcloud/config.php > /tmp/sha
+    sed -i "s/'config_is_read_only' => true,/'config_is_read_only' => false,/g" /etc/nextcloud/config.php
+    /usr/bin/php /usr/share/nextcloud/occ upgrade || true
+    sed -i "s/'config_is_read_only' => false,/'config_is_read_only' => true,/g" /etc/nextcloud/config.php
+    /usr/bin/php /usr/share/nextcloud/occ --no-warnings config:system:get version > /srv/nextcloud/keys/version.txt
+    ## if file is modified, copy upgraded version
+    sha256sum -c /tmp/sha || cp -a /etc/nextcloud/config.php /srv/nextcloud/keys/config.UPGRADED.php
+    # Configure LDAP
     /usr/bin/php /usr/share/nextcloud/occ app:enable user_ldap -q
 fi
-# Upgrade
-/usr/bin/php /usr/share/nextcloud/occ upgrade || true
 # SSO
 /usr/bin/php /usr/share/nextcloud/occ app:enable oidc_login
 # Feature
@@ -52,6 +61,11 @@ fi
 /usr/bin/php /usr/share/nextcloud/occ app:disable weather_status
 # Maintenance
 /usr/bin/php /usr/share/nextcloud/occ files:scan --all -q
+sha256sum /etc/nextcloud/config.php > /tmp/sha
+sed -i "s/'config_is_read_only' => true,/'config_is_read_only' => false,/g" /etc/nextcloud/config.php
 /usr/bin/php /usr/share/nextcloud/occ maintenance:repair -q
+sed -i "s/'config_is_read_only' => false,/'config_is_read_only' => true,/g" /etc/nextcloud/config.php
+## if file is modified, copy upgraded version
+sha256sum -c /tmp/sha || cp -a /etc/nextcloud/config.php /srv/nextcloud/keys/config.UPGRADED.php
 
 exit 0

seed/nextcloud/tests/test_nextcloud.py

@@ -0,0 +1,5 @@
+from os.path import isfile
+
+
+def test_nextcloud_not_upgraded():
+    assert not isfile('/var/lib/risotto/srv/nextcloud/keys/config.UPGRADED.php')

seed/nginx-common/dictionaries/21_nginx.xml

@@ -11,8 +11,8 @@
       <file engine="none" source="sysusers.nginx.conf" filelist="nginx_fedora">/sysusers.d/nginx.conf</file>
       <file source="tmpfiles.nginx.conf">/tmpfiles.d/nginx.conf</file>
       <file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_ca_file</file>
-      <file filelist="nginx_default_https" mode="600">/etc/pki/tls/certs/nginx.crt</file>
-      <file filelist="nginx_default_https" mode="600">/etc/pki/tls/private/nginx.key</file>
+      <file file_type="variable" filelist="nginx_default_https" mode="600" source="nginx.crt">revprox_crt_file</file>
+      <file file_type="variable" filelist="nginx_default_https" mode="600" source="nginx.key">revprox_key_file</file>
       <file>/tests/nginx-common.yml</file>
     </service>
   </services>
@@ -38,6 +38,10 @@
         <value>32</value>
       </variable>
       <variable name="revprox_ca_file" type="filename" description="Reverse proxy CA filename" hidden="True"/>
+      <variable name="revprox_crt_file" type="filename" description="Reverse proxy cert filename" hidden="True"/>
+      <variable name="revprox_key_file" type="filename" description="Reverse proxy key filename" hidden="True"/>
+      <variable name="nginx_owner" type="unix_user" description="Nginx process owner" mandatory="True" hidden="True"/>
+      <variable name="nginx_group" type="unix_user" description="Nginx process group" mandatory="True" hidden="True"/>
     </family>
   </variables>
   <constraints>
@@ -45,8 +49,6 @@
       <param>Fedora</param>
       <target type="filelist">nginx_fedora</target>
       <target>nginx_default</target>
-      <target>nginx_default_http</target>
-      <target>nginx_default_https</target>
     </condition>
     <condition name="disabled_if_in" source="nginx_default">
       <param type="nil"/>
@@ -62,5 +64,31 @@
       <param name="join">/</param>
       <target>revprox_ca_file</target>
     </fill>
+    <fill name="calc_value">
+      <param type="variable">tls_cert_directory</param>
+      <param>nginx.crt</param>
+      <param name="join">/</param>
+      <target>revprox_crt_file</target>
+    </fill>
+    <fill name="calc_value">
+      <param type="variable">tls_key_directory</param>
+      <param>nginx.key</param>
+      <param name="join">/</param>
+      <target>revprox_key_file</target>
+    </fill>
+    <fill name="calc_value">
+      <param>nginx</param>
+      <param name="default">www-data</param>
+      <param name="condition" type="variable">os_name</param>
+      <param name="expected">Fedora</param>
+      <target>nginx_owner</target>
+    </fill>
+    <fill name="calc_value">
+      <param>nginx</param>
+      <param name="default">adm</param>
+      <param name="condition" type="variable">os_name</param>
+      <param name="expected">Fedora</param>
+      <target>nginx_group</target>
+    </fill>
   </constraints>
 </rougail>

seed/nginx-common/templates/nginx.conf

@@ -27,11 +27,9 @@ events {
 }
 
 http {
-%if %%os_name == 'Fedora'
     log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for"';
-%end if
     #GNUNUX    access_log  /var/log/nginx/access.log  main;
     #>GNUNUX
     access_log syslog:server=unix:/dev/log combined;
@@ -51,7 +49,6 @@ http {
     # See http://nginx.org/en/docs/ngx_core_module.html#include
     # for more information.
     include /etc/nginx/conf.d/*.conf;
-%if %%os_name == 'Fedora'
 %if %%nginx_default_http
     server {
         listen       80;
@@ -87,8 +84,8 @@ http {
 
         # ssl_certificate "/etc/pki/nginx/server.crt";
         # ssl_certificate_key "/etc/pki/nginx/private/server.key";
-        ssl_certificate              /etc/pki/tls/certs/nginx.crt;
-        ssl_certificate_key          /etc/pki/tls/private/nginx.key;
+        ssl_certificate              %%revprox_crt_file;
+        ssl_certificate_key          %%revprox_key_file;
  %if %%getVar('revprox_client_external_domainnames', None)
         ssl_client_certificate       %%revprox_ca_file;
  %else
@@ -97,9 +94,11 @@ http {
 
         ssl_session_cache shared:SSL:1m;
         ssl_session_timeout  10m;
+
+ %if %%os_name == 'Fedora'
         ssl_ciphers PROFILE=SYSTEM;
         ssl_prefer_server_ciphers on;
-
+ %end if
         # Load configuration files for the default server block.
         include /etc/nginx/default.d/*.conf;
 
@@ -112,10 +111,5 @@ http {
         }
     }
 %end if
-%else
     include /etc/nginx/sites-enabled/*;
-%end if
-%if not %%getVar('revprox_client_external_domainnames', None)
-    include /etc/nginx/sites-enabled/*;
-%end if
 }

seed/nginx-common/templates/tmpfiles.nginx.conf

@@ -1,9 +1,2 @@
 # this directory is not used, but must be created
-%if %%os_name == 'Fedora'
- %set %%usr = "nginx"
- %set %%grp = %%usr
-%else
- %set %%usr = "www-data"
- %set %%grp = "adm"
-%end if
-d /var/log/nginx/ 0750 %%usr %%grp -
+d /var/log/nginx/ 0750 %%nginx_owner %%nginx_group -

seed/nginx-https/applicationservice.yml

@@ -1,5 +1,5 @@
 format: '0.1'
-description: Nginx as reverse proxy
+description: Nginx as HTTPS web site
 depends:
   - nginx-common
   - reverse-proxy-client

seed/nginx-static/applicationservice.yml

@@ -0,0 +1,5 @@
+format: '0.1'
+description: Nginx with static web site
+depends:
+  - nginx-https
+  - base-fedora-36

seed/nginx-static/dictionaries/22_nginx_static.xml

@@ -0,0 +1,15 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name='nginx' target='multi-user'>
+      <file source="tmpfiles.nginx_static.conf">/tmpfiles.d/0static.conf</file>
+    </service>
+  </services>
+  <variables>
+    <family name="nginx">
+      <variable name="nginx_root" redefine="True" mandatory='True'>
+        <value>/srv/static</value>
+      </variable>
+    </family>
+  </variables>
+</rougail>

seed/nginx-static/templates/tmpfiles.nginx_static.conf

@@ -0,0 +1 @@
+d /srv/static/ 0750 root %%nginx_owner -

seed/odoo/DEBUG.md

@@ -0,0 +1,32 @@
+echo "log_level = debug" > /etc/odoo/odoo.conf
+echo "log_db= debug" > /etc/odoo/odoo.conf
+
+systemctl restart odoo
+
+
+Voir les logs dans la console
+=============================
+
+sed -i 's/syslog/#syslog/g' /etc/odoo/odoo.conf 
+su - odoo
+/usr/bin/odoo --config /etc/odoo/odoo.conf
+
+Connaitre les modules initialisés
+=================================
+
+Il se peut qu'il manque des dépendances au chargement des modules lors qu'on le fait à la main (je ne sais pas pourquoi).
+
+Pour connaitre la liste des modules à charger, le faire "graphiquement" puis avec Risotto et comparer les deux listes.
+
+Avec fichier de log :
+
+```
+grep "Loading module" /var/log/odoo/odoo-server.log|awk -F'Loading module' '{ print $2 }'| awk '{ print $1 }'|sort -u
+```
+
+Avec journald :
+
+
+```
+journalctl -m -M odoo.in.silique.fr -g "Loading module"|awk -F'Loading module' '{ print $2 }'| awk '{ print $1 }'|sort -u
+```

seed/odoo/applicationservice.yml

@@ -0,0 +1,10 @@
+format: '0.1'
+description: Odoo
+depends:
+  - base-debian-bullseye
+  - postgresql-client
+  - reverse-proxy-client
+  - relay-mail-client
+  - ldap-client-debian
+  - oauth2-client
+  - nginx-https

seed/odoo/dictionaries/40_odoo.xml

@@ -0,0 +1,93 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name="odoo" target="multi-user">
+      <override/>
+      <file engine="none" source="sysuser-odoo.conf">/sysusers.d/1odoo.conf</file>
+      <file source="tmpfile-odoo.conf">/tmpfiles.d/0odoo.conf</file>
+      <file mode="700">/sbin/config_odoo.py</file>
+      <file mode="400" owner="odoo">/etc/odoo/odoo.conf</file>
+      <file mode="400" owner="odoo">/etc/odoo/postgresql.pass</file>
+      <file>/etc/hosts</file>
+      <file source="config-nginx.conf">/etc/nginx/default.d/odoo.conf</file>
+    </service>
+  </services>
+  <variables>
+    <family name="odoo" description="Odoo">
+      <variable name="odoo_admin_password" description="Mot de passe de l'administrateur" hidden="True"/>
+      <variable name="odoo_admin_email" type="mail" description="Adresse courriel de l'administrateur" mandatory="True"/>
+      <variable name="odoo_company_name" description="Nom" mandatory="True"/>
+      <variable name="odoo_company_street" description="Adresse" mandatory="True"/>
+      <variable name="odoo_company_city" description="Ville" mandatory="True"/>
+      <variable name="odoo_company_zip" description="Code postal" mandatory="True"/>
+      <variable name="odoo_company_vat" description="Numéro TVA" mandatory="True"/>
+      <variable name="odoo_company_registry" description="Registre de la société" mandatory="True"/>
+      <variable name="odoo_company_phone" description="Numéro de téléphone"/>
+      <variable name="odoo_company_mobile" description="Numéro de téléphone mobile"/>
+      <variable name="odoo_company_email" description="Adresse courriel" mandatory="True"/>
+      <variable name="odoo_company_website" description="Site internet" mandatory="True"/>
+      <variable name="odoo_company_logo" type="filename" description="Chemin du logo" mandatory="True"/>
+      <variable name="odoo_company_footer" description="Pied de page des documents" mandatory="True"/>
+      <variable name="odoo_company_layout" description="Agencement des documents" mandatory="True" type="choice">
+        <value>standard</value>
+        <choice>standard</choice>
+        <choice>bold</choice>
+        <choice>boxed</choice>
+        <choice>striped</choice>
+      </variable>
+      <variable name="odoo_addons" description="Liste des applications à activer" multi="True">
+        <value>base</value>
+        <value>l10n_fr</value>
+        <value>l10n_fr_fec</value>
+        <value>account</value>
+        <value>hr</value>
+        <value>hr_contract</value>
+        <value>sale_management</value>
+      </variable>
+    </family>
+    <family name="postgresql">
+      <variable name="pg_client_key_owner" redefine="True">
+        <value>odoo</value>
+      </variable>
+    </family>
+    <family name="oauth2_client">
+      <variable name="oauth2_is_client_application" redefine='True'>
+        <value>True</value>
+      </variable>
+      <variable name="oauth2_client_name" redefine='True'>
+        <value>ERP</value>
+      </variable>
+      <variable name="oauth2_client_description" redefine='True'>
+        <value>ERP Odoo</value>
+      </variable>
+      <variable name="oauth2_client_category" redefine='True'>
+        <value>Entreprise</value>
+      </variable>
+      <variable name="oauth2_client_logo" redefine='True'>
+        <value>silique_note.png</value>
+      </variable>
+      <family name="external">
+        <variable name="oauth2_client_external" redefine="True" multi='True'/>
+	<variable name="oauth2_client_family" redefine="True" multi="True"/>
+      </family>
+    </family>
+    <family name="annuaire">
+      <family name="client">
+        <variable name="ldap_key_file_owner" redefine="True">
+          <value>odoo</value>
+        </variable>
+      </family>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="get_password">
+      <param name="server_name" type="variable">domain_name_eth0</param>
+      <param name="username">admin</param>
+      <param name="description">admin</param>
+      <param name="type">cleartext</param>
+      <param name="hide" type="variable">hide_secret</param>
+      <param name="temporary" type="boolean">True</param>
+      <target>odoo_admin_password</target>
+    </fill>
+  </constraints>
+</rougail>

seed/odoo/funcs/odoo.py

@@ -0,0 +1,8 @@
+from base64 import b64encode as _b64encode
+from os.path import isfile as _isfile
+
+
+def get_logo(filename):
+    if not _isfile(filename):
+        raise Exception(f'cannot find odoo logo {filename}')
+    return _b64encode(open(filename, 'rb') .read())

seed/odoo/manual/image/postinstall/odoo.sh

@@ -0,0 +1,38 @@
+set -e
+ODOO_VERSION="15.0"
+#FIXME
+ODOO_VERSION="master"
+WKHTML_VERSION="0.12.6.1-2"
+#curl  http://nightly.odoo.com/${ODOO_VERSION}/nightly/rpm/odoo_${ODOO_VERSION}.latest.rpm -o odoo_${ODOO_VERSION}.latest.rpm
+#OPT=$(dnf_opt_base "$IMAGE_NAME_RISOTTO_IMAGE_DIR")
+#dnf --assumeyes $OPT localinstall odoo_${ODOO_VERSION}.latest.rpm
+#rm -f odoo_${ODOO_VERSION}.latest.rpm
+mv $IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/resolv.conf /tmp
+echo "nameserver 9.9.9.9" > $IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/resolv.conf
+
+WKHTML_PKG=wkhtmltox_$WKHTML_VERSION.bullseye_amd64.deb
+
+curl https://nightly.odoo.com/odoo.key -o "$IMAGE_NAME_RISOTTO_IMAGE_DIR/odoo.key"
+curl -L "https://github.com/wkhtmltopdf/packaging/releases/download/$WKHTML_VERSION/$WKHTML_PKG" -o "$IMAGE_NAME_RISOTTO_IMAGE_DIR/$WKHTML_PKG"
+echo """#!/bin/bash -xe
+cat /odoo.key | apt-key add -
+rm /odoo.key
+echo "deb http://nightly.odoo.com/$ODOO_VERSION/nightly/deb/ ./" >> /etc/apt/sources.list 
+apt update
+apt install --no-install-recommends -y odoo
+dpkg -i /"$WKHTML_PKG" || true
+rm -f /"$WKHTML_PKG"
+apt -f install -y
+""" > $IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh
+chmod 755 $IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh
+chroot $IMAGE_NAME_RISOTTO_IMAGE_DIR /install.sh
+
+
+
+sed -i "s/'postgres'/odoo.tools.config['db_name']/g" $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/python3/dist-packages/odoo/service/server.py
+sed -i "s/'postgres'/odoo.tools.config['db_name']/g" $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/python3/dist-packages/odoo/service/db.py 
+sed -i "s/'postgres'/odoo.tools.config['db_name']/g" $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/python3/dist-packages/odoo/addons/bus/models/bus.py
+sed -i "s/'postgres'/odoo.tools.config['db_name']/g" $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/python3/dist-packages/odoo/addons/base/models/ir_cron.py
+sed -i "s@ldap://@ldaps://@g" $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/python3/dist-packages/odoo/addons/auth_ldap/models/res_company_ldap.py
+mv -f /tmp/resolv.conf $IMAGE_NAME_RISOTTO_IMAGE_DIR/etc/resolv.conf
+set +e

seed/odoo/manual/image/preinstall/odoo.sh

@@ -0,0 +1,3 @@
+PKG="$PKG dirmngr gnupg2 python3-ldap"
+#PKG="$PKG curl wkhtmltopdf python3-chardet python3-ldap python3-libsass"
+# missing python3-chardet dependency (for initialize database)

seed/odoo/templates/config-nginx.conf

@@ -0,0 +1,19 @@
+# Redirect requests to odoo backend server
+location / {
+  proxy_redirect off;
+  proxy_pass http://127.0.0.1:8069;
+  
+  proxy_read_timeout 720s;
+  proxy_connect_timeout 720s;
+  proxy_send_timeout 720s;
+  
+  # Add Headers for odoo proxy mode
+  proxy_set_header X-Forwarded-Host $host;
+  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+  proxy_set_header X-Forwarded-Proto $scheme;
+  proxy_set_header X-Real-IP $remote_addr;
+
+  # common gzip
+  gzip_types text/css text/scss text/plain text/xml application/xml application/json application/javascript;
+  gzip on;
+}

seed/odoo/templates/config_odoo.py

@@ -0,0 +1,75 @@
+%echo '#!/usr/bin/env python3'
+
+from os import environ
+environ['ODOO_RC'] = '/etc/odoo/odoo.conf'
+
+from odoo import registry, SUPERUSER_ID
+from odoo.api import Environment
+
+
+with registry('%%pg_client_database').cursor() as cr:
+    ctx = Environment(cr, SUPERUSER_ID, {})["res.users"].context_get()
+    env = Environment(cr, SUPERUSER_ID, ctx)
+    # Company
+    env.company.name = '%%odoo_company_name'
+    env.company.street = '%%odoo_company_street'
+    env.company.city = '%%odoo_company_city'
+    env.company.zip = '%%odoo_company_zip'
+    env.company.vat = '%%odoo_company_vat'
+    env.company.company_registry = '%%odoo_company_registry'
+    env.company.phone = '%%odoo_company_phone'
+    env.company.mobile = '%%odoo_company_mobile'
+    env.company.email = '%%odoo_company_email'
+    env.company.website = '%%odoo_company_website'
+    env.company.logo = %%get_logo(%%odoo_company_logo)
+    env.company.report_footer = '%%odoo_company_footer'
+    env.company.external_report_layout_id = env.ref('web.external_layout_%%odoo_company_layout').id
+    doc = env['base.document.layout'].create({'company_id': env.company.id})
+    doc._onchange_company_id()
+    # Admin
+    admin = env['res.users'].search([('name', '=', 'Administrator')])
+    admin.email = "%%odoo_admin_email"
+    admin.password = '%%odoo_admin_password'
+    # URL
+    env['ir.config_parameter'].set_param('web.base.url', 'https://%%revprox_client_external_domainnames[0]')
+    env['ir.config_parameter'].set_param('web.base.url.freeze', True)
+    # LDAP
+    env['res.config.settings'].create({'module_auth_ldap': True}).execute()
+    ldaps = env.company.ldaps
+    if ldaps:
+        ldap = ldaps[0]
+        ldap.ldap_server = '%%ldap_server_address'
+        ldap.ldap_server_port = '636'
+        ldap.ldap_binddn = '%%ldapclient_user'
+        ldap.ldap_password = '%%ldapclient_user_password'
+        ldap.ldap_filter = 'cn=%s'
+        ldap.ldap_base = '%%ldapclient_user_dn'
+    else:
+        ldap = env['res.company.ldap'].create({'company': env.company.id,
+                                               'ldap_server': '%%ldap_server_address',
+                                               'ldap_server_port': '636',
+                                               'ldap_binddn': '%%ldapclient_user',
+                                               'ldap_password': '%%ldapclient_user_password',
+                                               'ldap_filter': 'cn=%s',
+                                               'ldap_base': '%%ldapclient_user_dn',
+                                               })
+        env.company.ldaps = ldap
+    # SMTP
+    mail = env['ir.mail_server'].search([('name', '=', 'Silique')])
+    if mail.id is False:
+        env['ir.mail_server'].create({'name': 'Silique',
+                                      'smtp_host': '%%smtp_relay_address',
+                                      'smtp_port': '25',
+                                      'smtp_authentication': 'login',
+                                      'smtp_user': '%%smtp_relay_user@%%ip_eth0',
+                                      'smtp_pass': '%%smtp_relay_password',
+                                      'smtp_encryption': 'starttls',
+                                      })
+    else:
+        mail.smtp_host = '%%smtp_relay_address'
+        mail.smtp_port = '25'
+        mail.smtp_authentication = 'login'
+        mail.smtp_user = '%%smtp_relay_user@%%ip_eth0'
+        mail.smtp_pass = '%%smtp_relay_password'
+        mail.smtp_encryption = 'starttls'
+    env['ir.config_parameter'].set_param('base_setup.default_external_email_server', True)

seed/odoo/templates/hosts

@@ -0,0 +1,4 @@
+127.0.0.1	localhost  %%revprox_client_external_domainnames[0]
+::1		localhost ip6-localhost ip6-loopback
+ff02::1		ip6-allnodes
+ff02::2		ip6-allrouters

seed/odoo/templates/odoo.conf

@@ -0,0 +1,38 @@
+[options]
+; This is the password that allows database operations:
+admin_passwd = %%odoo_admin_password
+db_host = %%pg_client_server_domainname
+db_port = 5432
+db_user = %%pg_client_username
+db_password = %%pg_client_password
+db_name = %%pg_client_database
+# FIXME db_sslmode = verify-full 
+db_sslmode = require
+no_database_list = True
+
+addons_path = /usr/lib/python3/dist-packages/odoo/addons
+
+data_dir = /srv/odoo
+
+proxy_mode = True
+http_interface = 127.0.0.1
+syslog = True
+without_demo = True
+
+max_cron_threads = 1
+workers = 2
+
+#limit_time_real = 1800
+#limit_time_cpu = 1800 
+#
+#limit_memory_hard = 5368706371
+#limit_memory_soft = 4831835734
+
+# 'smtp_port', 'smtp_ssl'
+#                'email_from', 'smtp_server', 'smtp_user', 'smtp_password', 'from_filter',
+#                'smtp_ssl_certificate_filename', 'smtp_ssl_private_key_filename',
+#
+
+# language load_language
+language = fr_FR
+load_language = fr_FR

seed/odoo/templates/odoo.service

@@ -0,0 +1,18 @@
+[Unit]
+After=risotto.target
+
+[Service]
+Environment="PGSSLROOTCERT=/etc/pki/tls/certs/postgresql.crt"
+Environment="PGSSLCERT=/etc/pki/tls/certs/postgresql.crt"
+Environment="PGSSLKEY=/etc/pki/tls/private/postgresql.key"
+Environment="PGPASSFILE=/etc/odoo/postgresql.pass"
+
+#if database not imported, imported it active addons
+%set %%addons = ','.join(%%odoo_addons)
+ExecStartPre=/usr/bin/bash -c '/usr/bin/psql --set=sslmode=verify-full -h %%pg_client_server_domainname -U %%pg_client_username %%pg_client_database -c "\dt account_account" 2>&1 | grep -vq "not find" || (echo "INIT DATABASE"; /usr/bin/odoo --config /etc/odoo/odoo.conf -i %%addons --stop-after-init; echo "OK")'
+#change default values in database
+ExecStartPre=+/usr/local/lib/sbin/config_odoo.py
+
+ExecStart=
+ExecStart=/usr/bin/odoo --config /etc/odoo/odoo.conf
+TimeoutStartSec=360

seed/odoo/templates/sysuser-odoo.conf

@@ -0,0 +1,2 @@
+g odoo 1000 -
+u odoo 998:1000     "ODOO" /srv/odoo	/bin/bash

seed/odoo/templates/tmpfile-odoo.conf

@@ -0,0 +1 @@
+d /srv/odoo 750 odoo odoo - -

seed/openldap/funcs/ldap.py

@@ -6,7 +6,7 @@ from json import load as _load, dump as _dump
 from os.path import dirname as _dirname, abspath as _abspath, join as _join, isfile as _isfile
 
 
-_HERE = _dirname(_abspath(__main__.__file__))
+_HERE = _dirname(_dirname(_abspath(__main__.__file__)))
 _SSHA_PASSWORD_DIR = _join(_HERE, 'password', 'ssha.json')
 
 

seed/openldap/templates/users_mod.ldif

@@ -19,7 +19,7 @@ userPassword:: %%ssha_encode(%%password)
 
 %end for
 # Users
-%set %%userdn = 'cn=' + %%username + ',' + %%ldapclient_base_dn
+%set %%userdn = 'cn=' + %%username + ',' + %%calc_ldapclient_base_dn(%%ldapclient_base_dn)
 %set %%userfamilydn = 'cn=' + %%username_family + ',' + %%calc_ldapclient_base_dn(%%ldapclient_base_dn, family_name=%%name_family)
 %set %%acc = [(%%userdn, %%username, ['alias_' + %%username]),
               (%%userfamilydn, %%username_family, ['alias_' + %%username_family]),

seed/peertube/manual/image/postinstall/peertube.sh

@@ -1,5 +1,3 @@
-#!/bin/bash
-
 mkdir -p "$IMAGE_NAME_RISOTTO_IMAGE_DIR/proc/self/"
 cat /proc/self/stat > "$IMAGE_NAME_RISOTTO_IMAGE_DIR/proc/self/stat"
 PLUGINS_DIR=/usr/share/peertube_plugins
@@ -25,5 +23,5 @@ rmdir "$IMAGE_NAME_RISOTTO_IMAGE_DIR/proc/self/"
 
 rm -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"
 cd "$IMAGE_NAME_RISOTTO_IMAGE_DIR$PLUGINS_DIR/.."
-patch -p0 < $OLDPWD/peertube/manual/postinstall/peertube.patch
+patch -p0 < "$IMAGE_DIR_RECIPIENT_IMAGE/postinstall/peertube.patch"
 cd -

seed/piwigo/manual/image/postinstall/piwigo.sh

@@ -14,10 +14,10 @@ ln -s /etc/piwigo/database.inc.php piwigo/local/config/database.inc.php
 ln -s /srv/piwigo/data piwigo/_data
 ln -s /srv/piwigo/upload piwigo/upload
 ln -s /srv/piwigo/logs piwigo/logs
-cp $OLDPWD/piwigo/manual/postinstall/osmmap.php piwigo/
+cp $IMAGE_DIR_RECIPIENT_IMAGE/postinstall/osmmap.php piwigo/
 chmod 644 piwigo/osmmap.php
-patch -p0 < $OLDPWD/piwigo/manual/postinstall/piwigo.patch
-cp $OLDPWD/piwigo/manual/postinstall/piwigo_cli.php piwigo/
+patch -p0 < $IMAGE_DIR_RECIPIENT_IMAGE/postinstall/piwigo.patch
+cp $IMAGE_DIR_RECIPIENT_IMAGE/postinstall/piwigo_cli.php piwigo/
 # Plugins
 cd piwigo/plugins
 wget https://piwigo.org/ext/download.php?rid=7848 -O plugin.zip
@@ -42,16 +42,16 @@ wget https://piwigo.org/ext/download.php?rid=8160 -O plugin.zip
 unzip plugin.zip
 rm -f plugin.zip
 echo """<?php
-$lang['Edit photos'] = 'Editer les photos';
-$lang['Edit Photos'] = 'Editer les photos';
-$lang['Edit your photos'] = 'Editer vos photos';
-$lang['Photos posted by %s'] = 'Photos postées par %s';
-$lang['Photos posted by %s in album %s'] = 'Photos postées par %s dans l\'album %s';
-$lang['Select at least one tag'] = 'Sélectionner au moins un tag';
-$lang['Select at least one photo'] = 'Sélectionner au moins une photo';
-$lang['No photo can be deleted'] = 'Aucune photo ne peut être supprimée';
-$lang['You need to confirm deletion'] = 'Vous devez confirmer la suppression';
-$lang['No photo selected, no action possible.'] = 'Aucune photo sélectionnée, aucune action possible.';
+\$lang['Edit photos'] = 'Editer les photos';
+\$lang['Edit Photos'] = 'Editer les photos';
+\$lang['Edit your photos'] = 'Editer vos photos';
+\$lang['Photos posted by %s'] = 'Photos postées par %s';
+\$lang['Photos posted by %s in album %s'] = 'Photos postées par %s dans l\'album %s';
+\$lang['Select at least one tag'] = 'Sélectionner au moins un tag';
+\$lang['Select at least one photo'] = 'Sélectionner au moins une photo';
+\$lang['No photo can be deleted'] = 'Aucune photo ne peut être supprimée';
+\$lang['You need to confirm deletion'] = 'Vous devez confirmer la suppression';
+\$lang['No photo selected, no action possible.'] = 'Aucune photo sélectionnée, aucune action possible.';
 ?>
 """ >> community/language/fr_FR/plugin.lang.php
 # embedded

seed/pleroma/templates/nginx.peertube.conf

@@ -37,8 +37,8 @@ server {
 # GNUNUX  ssl_certificate_key /etc/letsencrypt/live/${WEBSERVER_HOST}/privkey.pem;
 #>GNUNUX
   ssl_client_certificate %%revprox_ca_file;
-  ssl_certificate        %%revprox_cert_file;
-  ssl_certificate_key    %%revprox_key_file;
+  ssl_certificate        %%revprox_client_cert_file;
+  ssl_certificate_key    %%revprox_client_key_file;
 #<GNUNUX
 
 # GNUNUX  location ^~ '/.well-known/acme-challenge' {

seed/postfix-relay/DEBUG.md

@@ -19,7 +19,7 @@ EHLO root.gnunux.info
 250-AUTH PLAIN LOGIN
 [..]
 MAIL FROM:<gnunux@gnunux.info>
-RCPT TO:<gnunux@gnunux.info>
+RCPT TO:<contact@silique.fr>
 DATA
 To:<gnunux@gnunux.info>
 From:<gnunux@gnunux.info>

seed/postfix-relay/funcs/opendkim.py

@@ -10,7 +10,7 @@ def _eprint(*args, **kwargs):
 _dknewkey.eprint = _eprint
 
 
-_HERE = _dirname(_abspath(__main__.__file__))
+_HERE = _dirname(_dirname(_abspath(__main__.__file__)))
 _DKIM_DIR = _join(_HERE, 'pki/dkim')
 
 

seed/postgresql-client/dictionaries/23_postgresql.xml

@@ -6,6 +6,7 @@
       <file>/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt</file>
       <file>/etc/pki/tls/certs/postgresql.crt</file>
       <file owner_type="variable" owner="pg_client_key_owner" mode="400">/etc/pki/tls/private/postgresql.key</file>
+      <file filelist="postgresql_debian" engine="none" source="sysuser-postgresql-client.conf">/sysusers.d/0postgresqlclient.conf</file>
     </service>
   </services>
   <variables>
@@ -41,5 +42,9 @@
       <param type="variable">pg_client_username</param>
       <target>pg_client_database</target>
     </fill>
+    <condition name="disabled_if_not_in" source="os_name">
+      <param>Debian</param>
+      <target type="filelist">postgresql_debian</target>
+    </condition>
   </constraints>
 </rougail>

seed/postgresql-client/manual/image/preinstall/postgresql_client.sh

@@ -1 +1,5 @@
+if [ "$INSTALL_TOOL" = "dnf" ]; then
   PKG="$PKG postgresql"
+else
+  PKG="$PKG postgresql-client"
+fi

seed/postgresql-client/templates/sysuser-postgresql-client.conf

@@ -0,0 +1,4 @@
+g ssl-cert 108
+g postgres 109
+u postgres 104:109 "PostgreSQL administrator" /var/lib/postgresql  /bin/bash
+m postgres ssl-cert

seed/postgresql/DEBUG.md

@@ -1 +1,20 @@
 pg_dumpall --clean > /srv/database.sql
+
+Conversion SQL_ASCII vers UTF-8
+===============================
+
+Sauvegarde :
+
+```
+pg_dumpall -c -E UTF8 > sql.sql
+```
+
+Dans le fichier, remplacer "ENCODING = 'SQL_ASCII'" en "ENCODING = 'UTF8'" et remplacer "LOCALE = 'C'" en "LOCALE = 'fr_FR.UTF-8'".
+
+Arrêter les applications qui utilise les bases.
+
+Restaurer :
+
+```
+psql < sql.sql
+```

seed/provider-systemd-machined/dictionaries/16-machined.xml

@@ -4,6 +4,7 @@
     <service name='dev-hugepages' type='mount' disabled="True"/>
     <service name='systemd-oomd' disabled="True"/>
     <service name='systemd-homed' disabled="True"/>
+    <service name='systemd-machine-id-commit' disabled="True"/>
     <service name="systemd-networkd">
       <file redefine='True' disabled='True'>link_configurations</file>
     </service>

seed/redis-client/dictionaries/23_redis.xml

@@ -13,7 +13,7 @@
       <variable name="redis_client_server_domainname" type="domainname" description="Nom de domaine du serveur" mandatory="True" supplier="Redis"/>
       <variable name="redis_client_username" description="Nom d'utilisateur" mandatory="True"/>
       <variable name="redis_client_password" type="password" description="Mot de passe de connexion" mandatory="True" supplier="Redis:password"/>
-      <variable name="redis_client_key_owner" type="unix_user" description="Key owner" mandatory="True">
+      <variable name="redis_client_key_owner" type="unix_user" description="Key owner" mandatory="True" hidden="True">
         <value>apache</value>
       </variable>
     </family>

seed/redis/DEBUG.md

@@ -3,3 +3,16 @@
 redis-cli -a FFCHtN-HWO_X6-bVaXgw MONITOR
 
 Puis naviger sur l'application
+
+
+# PING
+
+(après avoir copier les certifs du clients)
+redis-cli --tls -a BZET2ptPyGw6ufYG0-iG --cacert /etc/pki/ca-trust/source/anchors/ca_Redis.crt  --cert /usr/local/lib/redis.crt --key /usr/local/lib/redis.key -p 6380 PING
+
+# Mode debug
+
+sed -i "s/loglevel notice/loglevel debug/g" /etc/redis/redis.conf
+systemctl restart redis
+
+

seed/reverse-proxy-client/dictionaries/21_nginx_client.xml

@@ -2,8 +2,8 @@
 <rougail version="0.10">
   <services>
     <service name="nginx" manage="False">
-      <file file_type="variable" source="revprox.crt">revprox_cert_file</file>
-      <file file_type="variable" source="revprox.key" owner_type="variable" owner="revprox_client_cert_owner" group_type="variable" group="revprox_client_cert_group" mode="400">revprox_key_file</file>
+      <file file_type="variable" source="revprox.crt">revprox_client_cert_file</file>
+      <file file_type="variable" source="revprox.key" owner_type="variable" owner="revprox_client_cert_owner" group_type="variable" group="revprox_client_cert_group" mode="400">revprox_client_key_file</file>
     </service>
   </services>
   <variables>
@@ -31,8 +31,8 @@
       <variable name="revprox_client_cert_group" type="unix_user" description="Reverse proxy certificate group">
         <value>root</value>
       </variable>
-      <variable name="revprox_cert_file" type="filename" description="Reverse proxy certificate filename" hidden="True"/>
-      <variable name="revprox_key_file" type="filename" description="Reverse proxy private key filename" hidden="True"/>
+      <variable name="revprox_client_cert_file" type="filename" description="Reverse proxy certificate filename" hidden="True"/>
+      <variable name="revprox_client_key_file" type="filename" description="Reverse proxy private key filename" hidden="True"/>
     </family>
   </variables>
   <constraints>
@@ -50,13 +50,13 @@
       <param type="variable">tls_cert_directory</param>
       <param>revprox.crt</param>
       <param name="join">/</param>
-      <target>revprox_cert_file</target>
+      <target>revprox_client_cert_file</target>
     </fill>
     <fill name="calc_value">
       <param type="variable">tls_key_directory</param>
       <param>revprox.key</param>
       <param name="join">/</param>
-      <target>revprox_key_file</target>
+      <target>revprox_client_key_file</target>
     </fill>
   </constraints>
 </rougail>

seed/vaultwarden/funcs/vaultwarden.py

@@ -4,7 +4,7 @@ from os import makedirs as _makedirs
 from uuid import uuid4 as _uuid4
 
 
-_HERE = _dirname(_abspath(__main__.__file__))
+_HERE = _dirname(_dirname(_abspath(__main__.__file__)))
 _PASSWORD_DIR = _join(_HERE, 'password')