16 changed files with 31 additions and 49 deletions
--- a/seed/mailman/dictionaries/31_mailman.xml
+++ b/seed/mailman/dictionaries/31_mailman.xml
@ -16,8 +16,7 @@
      <file>/tests/mailman.yml</file>
    </service>
    <service name="postgresqlclient" target="multi-user" engine="creole">
-      <!-- mailman and postorius have differents username -->
-      <file owner="postorius" mode="400" source="postgresql.key">/etc/pki/tls/private/postgresql_postorius.key</file>
+      <file owner="postorius" mode="400">/etc/pki/tls/private/postgresql_postorius.key</file>
    </service>
  </services>
  <variables>
--- a/seed/mailman/templates/mailman.cfg
+++ b/seed/mailman/templates/mailman.cfg
@ -24,7 +24,7 @@ layout: fhs
 #>GNUNUX
 [database]  
 class: mailman.database.postgresql.PostgreSQLDatabase  
-url: postgresql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database?sslmode=verify-full&sslcert=%%pg_client_crt_file&sslkey=%%pg_client_key_file&sslrootcert=%%pg_client_ca_file
+url: postgresql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database?sslmode=verify-full&sslcert=/etc/pki/tls/certs/postgresql.crt&sslkey=/etc/pki/tls/private/postgresql.key&sslrootcert=/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt

 [mta]
 lmtp_host: %%ip_eth0
--- a/seed/mailman/templates/postgresql_postorius.key
+++ b/seed/mailman/templates/postgresql_postorius.key
@ -0,0 +1 @@
+%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%pg_client_server_domainname, authority_name='PostgreSQL', type="client", hide=%%hide_secret)
--- a/seed/mailman/templates/postorius-settings.py
+++ b/seed/mailman/templates/postorius-settings.py
@ -10,7 +10,7 @@ DATABASES = {
        'HOST': '%%pg_client_server_domainname',      # Database server
        'PORT': '',               # Database port (leave blank for default)
        'CONN_MAX_AGE': 300,      # Max database connection age
-        'OPTIONS': {'sslmode': 'verify-full', 'sslcert': '%%pg_client_crt_file', 'sslkey': '/etc/pki/tls/private/postgresql_postorius.key', 'sslrootcert': '%%pg_client_ca_file'},
+        'OPTIONS': {'sslmode': 'verify-full', 'sslcert': '/etc/pki/tls/certs/postgresql.crt', 'sslkey': '/etc/pki/tls/private/postgresql_postorius.key', 'sslrootcert': '/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt'},
    }
 }
 ALLOWED_HOSTS = ['%%{revprox_client_external_domainnames[0]}']
--- a/seed/nextcloud/templates/nextcloud-config.php
+++ b/seed/nextcloud/templates/nextcloud-config.php
@ -40,9 +40,9 @@ $CONFIG = array (
  'dbdriveroptions' => 
  array (
    'sslmode' => 'verify-full',
-    'sslcert' => '%%pg_client_crt_file',
-    'sslkey' => '%%pg_client_key_file',
-    'sslrootcert' => '%%pg_client_ca_file',
+    'sslcert' => '/etc/pki/tls/certs/postgresql.crt',
+    'sslkey' => '/etc/pki/tls/private/postgresql.key',
+    'sslrootcert' => '/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt',
  ),
  'passwordsalt' => '{{SALT}}',
  'secret' => '{{SECRET}}',
--- a/seed/odoo/manual/image/postinstall/odoo.sh
+++ b/seed/odoo/manual/image/postinstall/odoo.sh
@ -1,5 +1,7 @@
 set -e
-ODOO_VERSION="16.0"
+ODOO_VERSION="15.0"
+#FIXME
+ODOO_VERSION="master"
 WKHTML_VERSION="0.12.6.1-2"
 #curl  http://nightly.odoo.com/${ODOO_VERSION}/nightly/rpm/odoo_${ODOO_VERSION}.latest.rpm -o odoo_${ODOO_VERSION}.latest.rpm
 #OPT=$(dnf_opt_base "$IMAGE_NAME_RISOTTO_IMAGE_DIR")
--- a/seed/odoo/templates/odoo.service
+++ b/seed/odoo/templates/odoo.service
@ -2,9 +2,9 @@
 After=risotto.target

 [Service]
-Environment="PGSSLROOTCERT=%%pg_client_crt_file"
-Environment="PGSSLCERT=%%pg_client_crt_file"
-Environment="PGSSLKEY=%%pg_client_key_file"
+Environment="PGSSLROOTCERT=/etc/pki/tls/certs/postgresql.crt"
+Environment="PGSSLCERT=/etc/pki/tls/certs/postgresql.crt"
+Environment="PGSSLKEY=/etc/pki/tls/private/postgresql.key"
 Environment="PGPASSFILE=/etc/odoo/postgresql.pass"

 #if database not imported, imported it active addons
--- a/seed/odoo/templates/sysuser-odoo.conf
+++ b/seed/odoo/templates/sysuser-odoo.conf
@ -1,3 +1,2 @@
 g odoo 1000 -
 u odoo 998:1000     "ODOO" /srv/odoo	/bin/bash
-m odoo ssl-cert
--- a/seed/odoo/templates/tmpfile-odoo.conf
+++ b/seed/odoo/templates/tmpfile-odoo.conf
@ -1,2 +1 @@
 d /srv/odoo 750 odoo odoo - -
-d /etc/ssl/private 750 root ssl-cert - -
--- a/seed/peertube/templates/production.yaml
+++ b/seed/peertube/templates/production.yaml
@ -72,7 +72,7 @@ smtp:
  password: '%%smtp_relay_password'
  tls: false # If you use StartTLS: false
  disable_starttls: false
-  ca_file: '%%smtp_ca_file' # Used for self signed certificates
+  ca_file: '/etc/pki/ca-trust/source/anchors/ca_MailRelay.crt' # Used for self signed certificates
  from_address: '%%peertube_admin_email'

 email:
--- a/seed/pleroma/templates/production.yaml
+++ b/seed/pleroma/templates/production.yaml
@ -68,7 +68,7 @@ smtp:
  password: '%%smtp_relay_password'
  tls: false # If you use StartTLS: false
  disable_starttls: false
-  ca_file: '%%smtp_ca_file' # Used for self signed certificates
+  ca_file: '/etc/pki/ca-trust/source/anchors/ca_MailRelay.crt' # Used for self signed certificates
  from_address: '%%peertube_admin_email'

 email:
--- a/seed/postgresql-client/dictionaries/23_postgresql.xml
+++ b/seed/postgresql-client/dictionaries/23_postgresql.xml
@ -3,9 +3,9 @@
  <services>
    <service name="postgresqlclient" target="risotto" engine="creole">
      <file mode="400">/secrets/postgresql.pass</file>
-      <file file_type="variable" source="ca_PostgreSQL.crt">pg_client_ca_file</file>
-      <file file_type="variable" owner_type="variable" owner="pg_client_key_owner" mode="444" source="postgresql.crt">pg_client_crt_file</file>
-      <file file_type="variable" owner_type="variable" owner="pg_client_key_owner" mode="400" source="postgresql.key">pg_client_key_file</file>
+      <file>/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt</file>
+      <file>/etc/pki/tls/certs/postgresql.crt</file>
+      <file owner_type="variable" owner="pg_client_key_owner" mode="400">/etc/pki/tls/private/postgresql.key</file>
      <file filelist="postgresql_debian" engine="none" source="sysuser-postgresql-client.conf">/sysusers.d/0postgresqlclient.conf</file>
    </service>
  </services>
@ -18,9 +18,6 @@
      <variable name="pg_client_key_owner" type="unix_user" description="Key owner" mandatory="True">
        <value>apache</value>
      </variable>
-      <variable name="pg_client_ca_file" type="filename" description="Postgresql CA filename" hidden="True"/>
-      <variable name="pg_client_crt_file" type="filename" description="Postgresql cert filename" hidden="True"/>
-      <variable name="pg_client_key_file" type="filename" description="Postgresql key filename" hidden="True"/>
    </family>
  </variables>
  <constraints>
@ -45,24 +42,6 @@
      <param type="variable">pg_client_username</param>
      <target>pg_client_database</target>
    </fill>
-    <fill name="calc_value">
-      <param type="variable">tls_ca_directory</param>
-      <param>ca_PostgreSQL.crt</param>
-      <param name="join">/</param>
-      <target>pg_client_ca_file</target>
-    </fill>
-    <fill name="calc_value">
-      <param type="variable">tls_cert_directory</param>
-      <param>postgresql.crt</param>
-      <param name="join">/</param>
-      <target>pg_client_crt_file</target>
-    </fill>
-    <fill name="calc_value">
-      <param type="variable">tls_key_directory</param>
-      <param>postgresql.key</param>
-      <param name="join">/</param>
-      <target>pg_client_key_file</target>
-    </fill>
    <condition name="disabled_if_not_in" source="os_name">
      <param>Debian</param>
      <target type="filelist">postgresql_debian</target>
--- a/seed/relay-mail-client/dictionaries/20_smtp_client.xml
+++ b/seed/relay-mail-client/dictionaries/20_smtp_client.xml
@ -2,7 +2,7 @@
 <rougail version="0.10">
  <services>
    <service name="smtp" manage="False">
-      <file file_type="variable" source="ca_MailRelay.crt">smtp_ca_file</file>
+      <file>/etc/pki/ca-trust/source/anchors/ca_MailRelay.crt</file>
    </service>
  </services>
  <variables>
@ -10,7 +10,6 @@
      <variable name="smtp_relay_address" type="domainname" description="Nom de domaine du serveur SMTP" mandatory="True" supplier="SMTP"/>
      <variable name="smtp_relay_user" type="unix_user" description="Relay username" mandatory="True" hidden="True"/>
      <variable name="smtp_relay_password" type="secret" description="Relay password" mandatory="True" hidden="True" supplier="SMTP:password"/>
-      <variable name="smtp_ca_file" type="filename" description="SMTP CA filename" hidden="True"/>
    </family>
  </variables>
  <constraints>
@ -26,11 +25,5 @@
      <param name="hide" type="variable">hide_secret</param>
      <target>smtp_relay_password</target>
    </fill>
-    <fill name="calc_value">
-      <param type="variable">tls_ca_directory</param>
-      <param>ca_MailRelay.crt</param>
-      <param name="join">/</param>
-      <target>smtp_ca_file</target>
-    </fill>
  </constraints>
 </rougail>
--- a/seed/roundcube/templates/config.inc.php
+++ b/seed/roundcube/templates/config.inc.php
@ -31,7 +31,7 @@ $config = [];
 //       e.g. 'mysql://roundcube:@localhost/roundcubemail?verify_server_cert=false'
 // GNUNUX $config['db_dsnw'] = 'mysql://roundcube:@localhost/roundcubemail';
 //>GNUNUX
-$config['db_dsnw'] = 'pgsql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database?sslmode=verify-full&sslcert=%%pg_client_crt_file&sslkey=%%pg_client_key_file&sslrootcert=%%pg_client_ca_file';
+$config['db_dsnw'] = 'pgsql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database?sslmode=verify-full&sslcert=/etc/pki/tls/certs/postgresql.crt&sslkey=/etc/pki/tls/private/postgresql.key&sslrootcert=/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt';
 //<GNUNUX

 // Database DSN for read-only operations (if empty write database will be used)
--- a/seed/speedtest-rs/templates/speedtest-rs.service
+++ b/seed/speedtest-rs/templates/speedtest-rs.service
@ -1,2 +1,12 @@
 [Unit]
 After=risotto.target
+
+[Service]
+PrivateDevices=false
+ProtectHome=false
+ProtectSystem=false
+LimitNOFILE=
+LimitNPROC=
+WorkingDirectory=/srv/vaultwarden
+ReadWriteDirectories=
+ReadWriteDirectories=
--- a/seed/vaultwarden/templates/vaultwarden_config.env
+++ b/seed/vaultwarden/templates/vaultwarden_config.env
@ -20,7 +20,7 @@ DATA_FOLDER=/srv/vaultwarden
 ## - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
 # DATABASE_URL=postgresql://user:password@host[:port]/database_name
 #>GNUNUX
-DATABASE_URL=postgresql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database?sslmode=verify-full&sslcert=%%pg_client_crt_file&sslkey=%%pg_client_key_file&sslrootcert=%%pg_client_ca_file
+DATABASE_URL=postgresql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database?sslmode=verify-full&sslcert=/etc/pki/tls/certs/postgresql.crt&sslkey=/etc/pki/tls/private/postgresql.key&sslrootcert=/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt
 #<GNUNUX

 ## Database max connections
				`@ -0,0 +1 @@`
				`%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%pg_client_server_domainname, authority_name='PostgreSQL', type="client", hide=%%hide_secret)`