add new services

seed/applicationservice/2022.03.08/apache/manual/image/preinstall/apache.sh

@@ -0,0 +1 @@
+PKG="$PKG mod_ssl"

seed/applicationservice/2022.03.08/base-fedora-36/applicationservice.yml

@@ -0,0 +1,4 @@
+format: '0.1'
+description: Information de base d'un serveur fedora version 36
+depends:
+  - base-fedora

seed/applicationservice/2022.03.08/base-fedora-36/dictionaries/00-fedora-version.xml

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="utf-8"?>
+<rougail version="0.10">
+  <variables>
+    <family name="general">
+      <variable name="os_version" type="string" description="OS Version" hidden="True">
+        <value>36</value>
+      </variable>
+    </family>
+  </variables>
+</rougail>

seed/applicationservice/2022.03.08/base-fedora-36/manual/image/postinstall/base_fedora_version.sh

@@ -0,0 +1,7 @@
+# ACTIVE NETWORKD
+mkdir $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/network-online.target.wants
+chmod 775 $IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/network-online.target.wants
+ln -s /usr/lib/systemd/system/systemd-networkd.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/dbus-org.freedesktop.network1.service"
+ln -s /usr/lib/systemd/system/systemd-networkd.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/multi-user.target.wants/systemd-networkd.service"
+ln -s /usr/lib/systemd/system/systemd-networkd-wait-online.service "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/network-online.target.wants/systemd-networkd-wait-online.service"
+ln -s /usr/lib/systemd/system/systemd-networkd.socket "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/lib/systemd/system/sockets.target.wants/systemd-networkd.socket"

seed/applicationservice/2022.03.08/base-fedora-36/manual/image/preinstall/base_fedora_version.sh

@@ -0,0 +1 @@
+RELEASEVER=36

seed/applicationservice/2022.03.08/base/manual/install/diff.py

@@ -42,12 +42,16 @@ type = "installe"
 +++
 """)
 for filename in FILES:
-    with open(join(OLD_DIR, filename[1:]), 'r') as ori:
-        ori_content = ori.readlines()
-    with open(join(NEW_DIR, filename[1:]), 'r') as new:
-        new_content = new.readlines()
     print(f'- mise à jour du fichier {filename} :\n')
-    print('```diff')
-    for line in unified_diff(ori_content, new_content, fromfile=filename, tofile=filename):
-        print(line.rstrip())
-    print('```')
+    try:
+        with open(join(OLD_DIR, filename[1:]), 'r') as ori:
+            ori_content = ori.readlines()
+        with open(join(NEW_DIR, filename[1:]), 'r') as new:
+            new_content = new.readlines()
+    except UnicodeDecodeError:
+        print('fichier binaire')
+    else:
+        print('```diff')
+        for line in unified_diff(ori_content, new_content, fromfile=filename, tofile=filename):
+            print(line.rstrip())
+        print('```')

seed/applicationservice/2022.03.08/base/manual/install/install_host

@@ -5,7 +5,7 @@ if [ -z "$HOST_NAME" ]; then
     echo "usage: $0 host name"
     exit 1
 fi
-apt install --yes systemd-container dnf jq debootstrap htop gettext
+apt install --yes systemd-container dnf jq debootstrap htop gettext patch
 systemd-tmpfiles --create --clean --remove $PWD/host/configurations/$HOST_NAME/tmpfiles.d/0asystemd-nspawn.conf
 systemd-tmpfiles --create --clean --remove $PWD/host/configurations/$HOST_NAME/tmpfiles.d/0rougail.conf
 systemctl daemon-reload

seed/applicationservice/2022.03.08/base/manual/install/install_image

@@ -103,6 +103,9 @@ if [ -n "$COPR" ]; then
     wget "$COPR"
     cd -
 fi
+if [ "$FUSION" = true ]; then
+    dnf -y install "https://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$RELEASEVER.noarch.rpm" --installroot="$IMAGE_NAME_RISOTTO_IMAGE_DIR"
+fi
 
 # FIXME verifier s'il y a des modifs sur pre/post
 if [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".base.pkgs ] && [ -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR".pkgs ]; then
@@ -125,12 +128,19 @@ if [ "$INSTALL" = true ]; then
         VERSION=0
     fi
     mkdir tmp
+    ORI_DIR=$PWD
     cd tmp
     if [ ! "$VERSION" = 0 ]; then
         tar xf "$IMAGE_NAME_RISOTTO_IMAGE_NAME"
+        if [ "$INSTALL_TOOL" = "apt" ]; then
+            chown _apt "$IMAGE_NAME"
+        fi
+    else
+        mkdir "$IMAGE_NAME"
     fi
-    ../make_changelog "$IMAGE_NAME" "$VERSION" "$OS_NAME" "$RELEASEVER" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER"_"$VERSION"_changelog.md
-    cd -
+    cd "$IMAGE_NAME"
+    ../../make_changelog "$IMAGE_NAME" "$VERSION" "$OS_NAME" "$RELEASEVER" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR"_"$RELEASEVER"_"$VERSION"_changelog.md
+    cd $ORI_DIR
     rm -rf tmp
     install_pkg
     sleep 2

seed/applicationservice/2022.03.08/base/manual/install/make_changelog

@@ -34,7 +34,6 @@ def read_dnf_pkg_file(os_name, filename1, filename2):
             for idx, pkg_line in enumerate(pkgs_fh.readlines()):
                 if idx < header_idx[fidx]:
                     # header
-                    print("béééé")
                     continue
                 sp_line = pkg_line.strip().split()
                 if len(sp_line) < idx_version[fidx] + 1:
@@ -154,13 +153,17 @@ type = "installe"
             for package in ori_pkg & new_dict:
                 if ori_dict[package] == new_dict[package]:
                     continue
-                run(['apt', 'download', package])
+                info = run(['apt', 'download', package], capture_output=True)
+                if info.returncode:
+                    raise Exception(f'cannot download {package}: {info}')
             packages = list(glob('*.deb'))
             packages.sort()
             for package in packages:
-                info = run(['apt-listchanges', '--which', 'both', '-f', 'text', package], capture_output=True)
+                info = run(['chroot', '.', 'apt-listchanges', '--which', 'both', '-f', 'text', package], capture_output=True)
+                if info.returncode:
+                    raise Exception(f'cannot list changes for {package}: {info}')
                 header = True
-                for line in info.split('\n'):
+                for line in info.stdout.decode().split('\n'):
                     if not header:
                         print(line)
                     if line.startswith('-----------------------'):

seed/applicationservice/2022.03.08/dovecot/applicationservice.yml

@@ -5,3 +5,4 @@ depends:
   - relay-mail-client
   - ldap-client-fedora
   - oauth2-client
+  - nginx-common

seed/applicationservice/2022.03.08/dovecot/dictionaries/22_dovecot.xml

@@ -18,9 +18,15 @@
     </service>
     <service name='dovecot-init'>
       <override/>
+      <file>/etc/nginx/conf.d/autoconfig.conf</file>
+    </service>
+    <service name='nginx'>
+      <file source='config-v1.1.xml' file_type="variable" variable="mail_domains">well_known_filenames</file>
+      <file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_ca_file</file>
+      <file file_type="variable" source="revprox.crt">revprox_cert_file</file>
+      <file file_type="variable" source="revprox.key" mode="400">revprox_key_file</file>
     </service>
     <service name="dovecot" target="multi-user">
-      <file file_type="variable" source="ca_InternalReverseProxy.crt">revprox_ca_file</file>
       <file engine="none" source="sysuser-dovecot.conf">/sysusers.d/1dovecot.conf</file>
       <file engine="none" source="tmpfile-dovecot.conf">/tmpfiles.d/0dovecot.conf</file>
       <file engine='none'>/etc/dovecot/conf.d/10-logging.conf</file>
@@ -63,6 +69,7 @@
     </family>
     <family name="mail" description="Mail domain" leadership="True">
       <variable name="mail_domains" type="domainname" description="Domaine de courriel géré localement" mandatory="True" multi="True"/>
+      <variable name="mail_domains_calc" type="domainname" multi="True" hidden="True"/>
       <variable name="imap_domainname" type="domainname" mandatory="True"/>
       <variable name="submission_domainname" type="domainname" mandatory="True"/>
     </family>
@@ -70,6 +77,8 @@
       <variable name='postfix_pem_files' type="filename" hidden='True' multi='True'/>
     </family>
     <family name="dovecot" description="IMAP mail server">
+      <variable name="well_knowns" type="web_address" hidden='True' multi="True"/>
+      <variable name="well_known_filenames" type="filename" hidden='True' multi="True"/>
       <variable name='external_imap_crt' type="filename" hidden='True' multi='True'/>
       <variable name='external_imap_key' type="filename" hidden='True' multi='True'/>
       <variable name='dovecot_local_authentifications' description="CA certificate" hidden='True' multi="True" provider="mail"/>
@@ -77,7 +86,12 @@
         <variable name="local_authentification_ip_" type="ip" provider="mail_ip"/>
         <variable name="local_authentification_password_" type="secret" auto_save="True" provider="mail_password"/>
       </family>
+    </family>
+    <family name="nginx">
+      <variable name="nginx_default" redefine="True" remove_fill="True" mandatory="False"/>
       <variable name="revprox_ca_file" type="filename" description="Reverse proxy CA filename" hidden="True"/>
+      <variable name="revprox_cert_file" type="filename" description="Reverse proxy certificate filename" hidden="True"/>
+      <variable name="revprox_key_file" type="filename" description="Reverse proxy private key filename" hidden="True"/>
       <variable name="revprox_server_domainname" type="domainname" description="Reverse proxy domain name for CA" mandatory="True"/>
     </family>
   </variables>
@@ -107,6 +121,18 @@
       <param name="join">/</param>
       <target>revprox_ca_file</target>
     </fill>
+    <fill name="calc_value">
+      <param type="variable">tls_cert_directory</param>
+      <param>revprox.crt</param>
+      <param name="join">/</param>
+      <target>revprox_cert_file</target>
+    </fill>
+    <fill name="calc_value">
+      <param type="variable">tls_key_directory</param>
+      <param>revprox.key</param>
+      <param name="join">/</param>
+      <target>revprox_key_file</target>
+    </fill>
     <fill name="calc_value">
       <param>/etc/pki/tls/certs/imap_</param>
       <param type="variable">imap_domainname</param>
@@ -131,5 +157,46 @@
       <param name="multi" type="boolean">True</param>
       <target>postfix_pem_files</target>
     </fill>
+    <fill name="calc_value">
+      <param type="variable">mail_domains</param>
+      <param name="multi" type="boolean">True</param>
+      <target>mail_domains_calc</target>
+    </fill>
+    <fill name="calc_value">
+      <param>/var/www/html/mail/</param>
+      <param type="variable">mail_domains</param>
+      <param>/autodiscover/autodiscover.xml</param>
+      <!--param>/config-v1.1.xml</param-->
+      <param name="join"></param>
+      <param name="multi" type="boolean">True</param>
+      <target>well_known_filenames</target>
+    </fill>
+    <check name="set_linked_multi_variables">
+      <param type="variable">revprox_server_domainname</param>
+      <param name="linked_provider_0">revprox_clients</param>
+      <param name="linked_provider_1">revprox_location</param>
+      <param name="linked_value_1">/.well-known/autoconfig/mail/config-v1.1.xml</param>
+      <param name="linked_provider_2">revprox_is_websocket</param>
+      <param name="linked_value_2" type="boolean">False</param>
+      <param name="linked_provider_3">revprox_url</param>
+      <param name="linked_value_3" type="variable">well_knowns</param>
+      <target>mail_domains_calc</target>
+    </check>
+    <check name="set_linked_multi_variables">
+      <param type="variable">revprox_server_domainname</param>
+      <param name="linked_provider_0">revprox_clients</param>
+      <param name="linked_provider_1">revprox_location</param>
+      <param name="linked_value_1">/autodiscover/autodiscover.xml</param>
+      <param name="linked_provider_2">revprox_is_websocket</param>
+      <param name="linked_value_2" type="boolean">False</param>
+      <param name="linked_provider_3">revprox_url</param>
+      <param name="linked_value_3" type="variable">well_knowns</param>
+      <target>mail_domains_calc</target>
+    </check>
+    <fill name="calc_well_known">
+      <param type="variable">domain_name_eth0</param>
+      <param type="variable">mail_domains</param>
+      <target>well_knowns</target>
+    </fill>
   </constraints>
 </rougail>

seed/applicationservice/2022.03.08/dovecot/funcs/dovecot.py

@@ -1,9 +1,20 @@
 from crypt import crypt as _crypt
 from string import ascii_letters as _ascii_letters, digits as _digits
 from secrets import choice as _choice
+from risotto.utils import multi_function as _multi_function
 
 
 def sha512_crypt(password):
     salt = ''.join([_choice(_ascii_letters + _digits) for _ in range(8)])
     prefix = '$6$'
     return _crypt(password, prefix + salt)
+
+
+@_multi_function
+def calc_well_known(*args):
+    if None in args:
+        return
+    ret = []
+    for dom in args[1]:
+        ret.append(f'https://{args[0]}/mail/{dom}/autodiscover/autodiscover.xml')
+    return ret

seed/applicationservice/2022.03.08/dovecot/manual/image/preinstall/postfix_dovecot.sh

@@ -1 +1 @@
-PKG="$PKG postfix-ldap dovecot cyrus-sasl cyrus-sasl-lib cyrus-sasl-plain"
+PKG="$PKG postfix-ldap dovecot cyrus-sasl cyrus-sasl-lib cyrus-sasl-plain nginx"

seed/applicationservice/2022.03.08/dovecot/templates/autoconfig.conf

@@ -0,0 +1,12 @@
+server {
+    listen 443 ssl;
+    server_name %%domain_name_eth0;
+
+    ssl_client_certificate %%revprox_ca_file;
+    ssl_certificate        %%revprox_cert_file;
+    ssl_certificate_key    %%revprox_key_file;
+
+    root /var/www/html/;
+    # To allow POST on static pages
+    error_page  405     =200 $uri;
+}

seed/applicationservice/2022.03.08/dovecot/templates/config-v1.1.xml

@@ -0,0 +1,27 @@
+<?xml version="1.0"?>
+# GNUNUX: from https://wiki.mozilla.org/Thunderbird:Autoconfiguration:ConfigFileFormat -->
+%set %%domain = %%rougail_variable
+%set %%leader = %%mail_domains[%%mail_domains.index(%%domain)]
+%set %%imap_domain = %%leader.imap_domainname
+%set %%submission_domain = %%leader.submission_domainname
+<clientConfig version="1.1">
+  <emailProvider id="%%domain">
+    <domain>%%domain</domain>
+    <displayName>Services %%domain</displayName>
+    <displayShortName>%%domain</displayShortName>
+    <incomingServer type="imap">
+      <hostname>%%imap_domain</hostname>
+      <port>993</port>
+      <socketType>SSL</socketType>
+      <username>%EMAILADDRESS%</username>
+      <authentication>password-cleartext</authentication>
+    </incomingServer>
+    <outgoingServer type="smtp">
+      <hostname>%%submission_domain</hostname>
+      <port>587</port>
+      <socketType>STARTTLS</socketType>
+      <username>%EMAILADDRESS%</username>
+      <authentication>password-cleartext</authentication>
+    </outgoingServer>
+  </emailProvider>
+</clientConfig>

seed/applicationservice/2022.03.08/dovecot/templates/revprox.crt

@@ -0,0 +1,2 @@
+%%get_certificate(%%domain_name_eth0, authority_cn=%%revprox_server_domainname, authority_name='InternalReverseProxy', type="server")
+%%get_chain(%%revprox_server_domainname, 'InternalReverseProxy')

seed/applicationservice/2022.03.08/dovecot/templates/revprox.key

@@ -0,0 +1 @@
+%%get_private_key(%%domain_name_eth0, authority_cn=%%revprox_server_domainname, authority_name='InternalReverseProxy', type='server')

seed/applicationservice/2022.03.08/gitea/dictionaries/31_gitea.xml

@@ -42,6 +42,12 @@
       <variable name="oauth2_client_description" redefine='True'>
         <value>Forge logiciel Gitea</value>
       </variable>
+      <variable name="oauth2_client_category" redefine='True'>
+        <value>Développement</value>
+      </variable>
+      <variable name="oauth2_client_logo" redefine='True'>
+        <value>silique_note.png</value>
+      </variable>
       <variable name="oauth2_client_token_signature_algo" redefine="True">
         <value>RS256</value>
       </variable>

seed/applicationservice/2022.03.08/gitea/templates/app.ini

@@ -10,7 +10,7 @@ NAME     = %%pg_client_database
 USER     = %%pg_client_username
 PASSWD   = %%pg_client_password
 SCHEMA   =
-SSL_MODE = disable
+SSL_MODE = verify-full
 CHARSET  = utf8
 LOG_SQL  = false
 

seed/applicationservice/2022.03.08/host-systemd-machined/dictionaries/21-machined.xml

@@ -11,6 +11,8 @@
       <file>/etc/systemd/system/systemd-nspawn@.service.d/systemd-nspawn@.conf</file>
       <file>/etc/distro.repos.d/boot.repo</file>
       <file>/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-35-x86_64</file>
+      <file>/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-36-x86_64</file>
+      <file>/etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-fedora-36</file>
       <file>/etc/sysctl.d/90-risotto.conf</file>
       <file file_type="variable" source="dhcp.network" variable="host_dhcp_interface">host_dhcp_filename</file>
     </service>

seed/applicationservice/2022.03.08/host-systemd-machined/templates/RPM-GPG-KEY-fedora-36-x86_64

@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBGAkKwgBEAC+IQKqp/BI1VIvRRqcnRoAxkzsY3pxIS1L+C4gaWjIMf1eBBTq
+v9eKd4xHsW80VL/tl81WZWO/7JXKmgHODiXrv4HmDIOo6Z1hxehjVRF3Ih4+sKHR
+XCJgwcdJnMfqTKnHiycQggeDuheWbfjV2Fgmvxy0jh0M5PCB5taNz41LmPOaUQmn
+PXcI05CjP5msKjRBObw5Cd2oad60pTNhnBWRf288S8W4wH4jNISOZLZTOf6HU5gJ
+w9wU9RZoaz8kZPNArlJjZsN83S0XLCxpa6UUgYdzPDHOWGtcWGs3bvNAlTYuacun
+oICOvTH/ZJU7mgaZbbdSPVLDJdLBKRVgHbdTAK0J913FEiU93GJR5bf/W5FMN7DV
+6hsJVMiY/knJmkTFE9whDSjEc0TAYhQuC1HnzvMPGJvkeEz9nRqna5QUuo7V6LI4
+fZNTSlqFyIi/Oa3ZoliOyOshxJmU3y1HaNcHerO1nFbTtZ7s/TKBhY9oFq4T4gJV
+yFWy33p/JDxOtlVjpHEkzwXGdPe6R4xK8xHObEVraOMZMaweII+tMOGwVbxZu2kC
+A1aflM+oeyU1Fx9qqM0+dYyHO+kp3M5UtfM006RcNcdfoGrA4l6z9sUnHKsYzOLP
+RvKkzxiX3T91vHtRGCXjPOgOsJJzjkFtE1a5oFZg39fC99HZdbX0rUqAtQARAQAB
+tDFGZWRvcmEgKDM2KSA8ZmVkb3JhLTM2LXByaW1hcnlAZmVkb3JhcHJvamVjdC5v
+cmc+iQJOBBMBCAA4FiEEU97Sy5Iti42eY/0YmZ98vzircfQFAmAkKwgCGw8FCwkI
+BwIGFQoJCAsCBBYCAwECHgECF4AACgkQmZ98vzircfSGaxAAlDBWuY1Ch3YsssGE
+uaeOuaHmDj08p08WUAFUPBN0ID+0pmRQjywFzrufw8Z2g/lHwic+tpXXr/RtMmcl
++WzLh1E34TRqEngjDJ27QBq1Jyid3h1manKLhZhJ8b1usKHP7Dqh7n+eMTv2Qgrt
+6MrCNe4otWZ9WJ5vp/Bay5yAtU6lNoWBmJ+6BS1/2mg2jhoXrfg/Vey+/i6nYZIk
+M4IcYCyGCi9rjc8NMgkCyzPkPJtsy2taB+VdUcZyjFpc1acmC8sR/2/SEl4+pOtM
+UzW+OUOQFrerX/8MC5LqvmtsiPMyRDCOw3reJTXyoUIehoHoK9QtAdIRRP2nAkPy
+GKycVzsLbtheJXUZharXL1DwOkpMNlm3hp9BxX89m7dLblMSjtrQPs8CkpAExAQW
+FBltsD73ZhGnfE/XdWp7343m1w5W2m85/rczP+2et+c+HPmYTgaJTu8fAF0FoTDd
+uD1r9DxRa2oN3YBiPP/nXnhJaH//GgF/RRw7Fbc66fCh8DTrMsPgmyi/O3/pdSGe
+k0UqEfSdzNPbl7gVFlCbr4Ur5n1ph+sEZqOhMuyszLZZvYvUrHsDuanML5X25coP
+h+rqyjHJJeYlS2tMAQB1fmHB0LWhRhKYaOROAXFmUutFUxVVoigNCl8mV561DCz6
+6/zy81ZGeyUGOEIZ1NFuoY0EhC8=
+=KaIq
+-----END PGP PUBLIC KEY BLOCK-----

seed/applicationservice/2022.03.08/host-systemd-machined/templates/RPM-GPG-KEY-rpmfusion-free-fedora-36

@@ -0,0 +1,29 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBF2tu8EBEADnI6bmlE7ebLuYSBKJavk7gwX8L2S0lDwtmAFmNcxQ/tAhh5Gx
+2RKEneou12pSxav8MvbKOr4IpJLLmuoQMLYkbQRHovgVfDYdtvK9T8tZH51ACtnC
+KKr9SucnKhWpDk3/n/djV0I2qSesE6QcJVrh66bT/8nbyIFbbiYLOgE88YAX5Wdj
+TkgmYXJ54l1MP/3N64pFlmk6myYCrLh7cibFYLZOW2Xwfq6Go6HOpGn9Cazb+T6m
+LALkVPERu2QkcUhMqy/slD5tFFb7DW1gkwnYiu5PKwThW7laZgmw2yAgDV+JccdK
+D9ZHALmy9GyQ1ZjDptpa5BObE5vazbuAbSndoIqwaMxCrlqhIYdmqz4m/HJ9BaC0
+mRSkT6N9SqytZXFhu5/Ld6+/Ol3b+q28bnV64qQrDH6hgnrRdqCQpm8g7tZFuk5X
+JsB/A+EfI2kE6YXqWaGdEx0XcqOv97n6sRZNweOHX3vSM0eLwmM2dpgc7RvMfcqr
+73ylZ9CnWVUD6cl+wE8SnGnVVqYau2spZFzKVAcfi/Zwvh6wM7/83XC2mkIHmoFR
+OY5aDWFhoFZFgiHHnmDv6kACNmSHb/oYRkvwQ+JhAQu4I9CYw1sxaUDjwtt7a+4I
+mBZM8WuvAVLkqnF+MJetiL15/W834HjCNITV03t9593T6Z1Dxpfv4hy7YwARAQAB
+tFVSUE0gRnVzaW9uIGZyZWUgcmVwb3NpdG9yeSBmb3IgRmVkb3JhICgyMDIwKSA8
+cnBtZnVzaW9uLWJ1aWxkc3lzQGxpc3RzLnJwbWZ1c2lvbi5vcmc+iQJFBBMBCAAv
+FiEE6aSRo94keBTn4Gfq4G+OzdZR/y4FAl2tu8ECGwMECwkIBwMVCAoCHgECF4AA
+CgkQ4G+OzdZR/y4ZQhAAmF5A4XC9ymd94BFwsbbpCnx2YlfmsZwT1QzBu9njjkH7
+MC4THknYe2B/muE5dPu3NseZMzue1Ou4KbMz4wq82731prLRu+iHAxAxJ1qd8whA
+QGuRJAg8+YEXKhpwpD/8P/xJo9IRmPxPM+6mQVTlASv34CEIGff1vJr40tNiU53P
+PZq9SWD3/uG84PQRmGXetfF2K3NkXqzkvQSM68JZiYR2+wMkoO9f72B7LTBrfkwy
+RcFPA7kj65pysB+l2wez03Dh/MyA3LTusd9M6FGiSOUVpQZ+NUFipIisS3vh/Bgp
+zMsj1NSsMLjUDcX8stR8GfVgTxSgWwHTNl75XwTZpJOKMoj97kh9zzLwBhZ1W+xo
+8s2W7YqVnOUl8rPm7ZbOefGkamNg8bhqcyNIEbHqR5QZVzDBT2AxVcB6jsxSHf5b
+sb+KEJff4g6E4fWPA/IYdtJ7DItbVXnkAjqD7ADUh7Xq7pOgfC/4Cledf27x73m+
+sdBvKsEBrroAsX/v4z46mQApszkfjTUAXwj2lUT+ujoktJHXqR71jbY0+8JX6Fyw
+6ZW0emxR++bt9ksLcsNmjOQP9TmQpi2CW4Z+Ol2tlwtlnKAo6ecx4aacHKg+FYuQ
+HTJRq6E6GpCPn1avf1v797RM+3zzw9TYkadfVLIQQ4HYbYzienOgGGporclrtrQ=
+=oOVZ
+-----END PGP PUBLIC KEY BLOCK-----

seed/applicationservice/2022.03.08/lemonldap/dictionaries/70_lemonldap_ng.xml

@@ -3,6 +3,13 @@
   <services>
     <service name="lemonldap-ng-fastcgi-server">
       <override/>
+      <file engine="none">/static/logo.png</file>
+      <file engine="none">/static/demo.png</file>
+      <file engine="none">/static/silique_email.png</file>
+      <file engine="none">/static/silique_folder.png</file>
+      <file engine="none">/static/silique_note.png</file>
+      <file engine="none">/static/silique_video.png</file>
+      <file engine="none">/static/risotto.css</file>
       <file>/var/lib/lemonldap-ng/conf/lmConf-1.json</file>
       <file engine="none">/etc/lemonldap-ng/lemonldap-ng.ini</file>
       <!--file>/etc/lemonldap-ng/handler-nginx.conf</file-->
@@ -15,20 +22,10 @@
   </services>
   <variables>
     <family name="lemonldap" description="LemonLDAP" help="Configuration de la solution d'authentification unique LemonLDAP::NG">
-      <variable name="lemon_domain" description="Nom DNS derrière LemonLDAP::NG"/>
-      <variable name="lemon_reload_web_name" description="Nom DNS du service Reload de LemonLDAP-NG" mode="expert"/>
       <variable name="lemon_proc" type="number" description="Nombre de processus dédié à LemonLdap (équivalent au nombre de processeurs)" mandatory="True">
         <value>1</value>
       </variable>
       <variable name="lemon_mail_admin" type="mail" description="Courriel de l'administrateur" mandatory="True"/>
     </family>
   </variables>
-  <constraints>
-    <fill name="calc_value">
-      <param>reload.</param>
-      <param type="variable">lemon_domain</param>
-      <param name="join"></param>
-      <target>lemon_reload_web_name</target>
-    </fill>
-  </constraints>
 </rougail>

seed/applicationservice/2022.03.08/lemonldap/extras/oauth2/00_oauth2.xml

@@ -6,8 +6,10 @@
       <variable name="secret_" description="Remote secret for" type="password" mandatory="True" hidden="True" provider="oauth2_secret"/>
       <variable name="name_" description="Remote name for" hidden="True" provider="oauth2_name"/>
       <variable name="description_" description="Remote description for" hidden="True" provider="oauth2_description"/>
+      <variable name="category_" hidden="True" provider="oauth2_category"/>
       <variable name="login_" description="Remote URL to login" hidden="True" provider="oauth2_login"/>
       <variable name="external_" description="Remote external for" hidden="True" provider="oauth2_external"/>
+      <variable name="logo_" hidden="True" provider="oauth2_logo"/>
       <variable name="token_signature_algo_" type="choice" description="OAuth2 token signature algorithm" mandatory='True' hidden="True" provider="oauth2_token_signature_algo">
         <choice>HS512</choice>
         <choice>RS256</choice>

seed/applicationservice/2022.03.08/lemonldap/templates/lemonldap-ng.ini

@@ -187,7 +187,10 @@ staticPrefix = /static
 templateDir  = /usr/share/lemonldap-ng/portal/templates
 
 ; languages: available languages for portal interface
-languages    = fr, en, vi, it, ar, de, fi, tr
+# GNUNUX languages    = fr, en, vi, it, ar, de, fi, tr
+#>GNUNUX
+languages    = fr
+#<GNUNUX
 
 ; II - Optional parameters (overwrite configuration)
 
@@ -195,7 +198,7 @@ languages    = fr, en, vi, it, ar, de, fi, tr
 portalSkin = bootstrap
 ; Modules displayed
 ;portalDisplayLogout = 1
-portalDisplayResetPassword = 1
+;portalDisplayResetPassword = 1
 portalDisplayChangePassword = 1
 ;portalDisplayAppslist = 1
 ;portalDisplayLoginHistory = 1
@@ -372,7 +375,10 @@ staticPrefix = /static
 templateDir  = /usr/share/lemonldap-ng/manager/htdocs/templates
 
 ; languages: available languages for manager interface
-languages    = fr, en, it, vi, ar, tr
+# GNUNUX languages    = fr, en, it, vi, ar, tr
+#>GNUNUX
+languages    = fr
+#<GNUNUX
 
 ; Manager modules enabled
 ; Set here the list of modules you want to see in manager interface

seed/applicationservice/2022.03.08/lemonldap/templates/lmConf-1.json

@@ -4,7 +4,8 @@ commentStartToken = §
 {
    "mailFrom" : "%%lemon_mail_admin",
    "mailLDAPFilter" : "(&(mail=$mail)(objectClass=inetOrgPerson))",
-   "portalSkinBackground" : "1280px-Cedar_Breaks_National_Monument_partially.jpg",
+   "portalSkinBackground" : "",
+   "portalCustomCss": "risotto/risotto.css",
    "authentication" : "LDAP",
    "AuthLDAPFilter" : "(&(cn=$user)(objectClass=inetOrgPerson))",
    "managerDn" : "%%ldapclient_remote_user",
@@ -56,12 +57,21 @@ commentStartToken = §
    "locationRules" : {
       "%%revprox_client_external_domainname" : {
          "default" : "accept"
+%set %%domains = []
 %for %%app in %%oauth2.remotes
   %set %%key = %%normalize_family(%%app)
+  %set %%external = %%oauth2['oauth2_' + %%key]['external_' + %%key]
+  § external is somethink like https://domain/
+  %if %%external
+   %set %%domain = %%str(%%external).split('/', 3)[-2]
+   %if %%domain not in %%domains
       },
-      "%%lemon_domain" : {
+      "%%domain" : {
          "^/logout" : "logout_sso",
          "default" : "accept"
+%%domains.append(%%domain)%slurp
+   %end if
+  %end if
 %end for
       }
    },
@@ -147,32 +157,48 @@ commentStartToken = §
       "LockDirectory": "/srv/lemonldap-ng/psessions/lock"
    },
    "portal" : "https://%%revprox_client_external_domainname/",
-   "registerUrl" : "https://%%lemon_reload_web_name/register",
-   "reloadUrls" : {
-      "localhost" : "https://%%lemon_reload_web_name/reload"
-   },
+   "portalCheckLogins": 0,
+   "portalDisplayRegister": 0,
+   "portalDisplayResetPassword": 0,
+   "portalMainLogo": "risotto/logo.png",
+   "showLanguages": 0,
    "whatToTrace" : "_whatToTrace",
+%set %%remotes = {}
+%for %%index, %%app in %%enumerate(%%oauth2.remotes)
+ %set %%key = %%normalize_family(%%app)
+ %set %%description = %%oauth2['oauth2_' + %%key]['description_' + %%key]
+ %if not %%description
+  %continue
+ %end if
+ %set %%dico = {'key': %%key,
+                'description': %%description,
+                'logo': "risotto/" + %%oauth2['oauth2_' + %%key]['logo_' + %%key],
+                'name': %%oauth2['oauth2_' + %%key]['name_' + %%key],
+                'uri': %%oauth2['oauth2_' + %%key]['external_' + %%key]}
+%%remotes.setdefault(%%oauth2['oauth2_' + %%key]['category_' + %%key], []).append(%%dico)%slurp
+%end for
    "applicationList" : {
-      "test" : {
-         "catname" : "Test Cat",
-%for %%app in %%oauth2.remotes
-  %set %%key = %%normalize_family(%%app)
-  %set %%description = %%oauth2['oauth2_' + %%key]['description_' + %%key]
-  %if not %%description
-    %continue
-  %end if
-         "%%key" : {
+%for %%index, %%cat in %%enumerate(%%remotes)
+ %if %%index != 0
+,
+ %end if
+      "cat_%%index" : {
+         "catname" : "%%cat",
+ %for %%dico in %%remotes[%%cat]
+         "%%dico['key']" : {
             "options" : {
-               "description" : "%%description",
+               "description" : "%%dico['description']",
                "display" : "auto",
-               "logo" : "demo.png",
-               "name" : "%%oauth2['oauth2_' + %%key]['name_' + %%key]",
-               "uri" : "%%oauth2['oauth2_' + %%key]['external_' + %%key]"
+               "logo" : "%%dico['logo']",
+               "name" : "%%dico['name']",
+               "uri" : "%%dico['uri']"
             },
             "type" : "application"
          },
 %end for
          "type" : "category"
-      }
+      }%slurp
+%end for
+
    }
 }

seed/applicationservice/2022.03.08/lemonldap/templates/portal-nginx.conf

@@ -147,6 +147,15 @@ server {
     alias /usr/share/lemonldap-ng/portal/htdocs/static/;
   }
 
+#>GNUNUX
+  location /static/risotto/ {
+    alias /usr/local/lib/static/;
+  }
+  location /static/common/apps/risotto/ {
+    alias /usr/local/lib/static/;
+  }
+#<GNUNUX
+
   # DEBIAN
   # If install was made with USEDEBIANLIBS (official releases), uncomment this
   location /javascript/ {

seed/applicationservice/2022.03.08/lemonldap/templates/risotto.css

@@ -0,0 +1,12 @@
+#header img {
+  background-color: transparent;
+}
+#footer {
+  display: none;
+}
+#logincontent {
+    max-width: 600px;
+}
+.alert {
+  text-align: center;
+}

seed/applicationservice/2022.03.08/mailman/dictionaries/31_mailman.xml

@@ -31,6 +31,12 @@
       <variable name="oauth2_client_description" redefine='True'>
         <value>Liste de distribution Mailman</value>
       </variable>
+      <variable name="oauth2_client_category" redefine='True'>
+        <value>Développement</value>
+      </variable>
+      <variable name="oauth2_client_logo" redefine='True'>
+        <value>silique_email.png</value>
+      </variable>
       <variable name="oauth2_client_token_signature_algo" redefine="True">
         <value>RS256</value>
       </variable>

seed/applicationservice/2022.03.08/mailman/templates/mailman.cfg

@@ -24,8 +24,7 @@ layout: fhs
 #>GNUNUX
 [database]  
 class: mailman.database.postgresql.PostgreSQLDatabase  
-url: postgresql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database
-#FIXME ?sslmode=require
+url: postgresql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database?sslmode=verify-full
 
 [mta]
 lmtp_host: %%ip_eth0

seed/applicationservice/2022.03.08/mailman/templates/postorius-settings.py

@@ -10,6 +10,7 @@ DATABASES = {
         'HOST': '%%pg_client_server_domainname',      # Database server
         'PORT': '',               # Database port (leave blank for default)
         'CONN_MAX_AGE': 300,      # Max database connection age
+        'OPTIONS': {'sslmode': 'verify-full'},
     }
 }
 ALLOWED_HOSTS = ['%%revprox_client_external_domainname']

seed/applicationservice/2022.03.08/nextcloud/dictionaries/31_nextcloud.xml

@@ -17,8 +17,9 @@
       <variable name="nextcloud_admin_password" type="password" auto_freeze="True" hidden="True"/>
       <variable name="nextcloud_mail_admin" type="mail" mandatory="True"/>
       <variable name="nextcloud_instance_id" type="password" auto_freeze="True" hidden="True"/>
-      <variable name="nexcloud_well_known_caldav" type="web_address" hidden='True'/>
-      <variable name="nexcloud_well_known_carddav" type="web_address" hidden='True'/>
+      <variable name="nextcloud_well_known_server" type="domainname" description="Nom de domaine du serveur hebergeant le répertoire .well-known"/>
+      <variable name="nextcloud_well_known_caldav" type="web_address" hidden='True'/>
+      <variable name="nextcloud_well_known_carddav" type="web_address" hidden='True'/>
     </family>
     <family name="oauth2_client">
       <variable name="oauth2_is_client_application" redefine='True'>
@@ -30,6 +31,12 @@
       <variable name="oauth2_client_description" redefine='True'>
         <value>Plateforme de collaboration Nextcloud</value>
       </variable>
+      <variable name="oauth2_client_category" redefine='True'>
+        <value>Collaboration</value>
+      </variable>
+      <variable name="oauth2_client_logo" redefine='True'>
+        <value>silique_folder.png</value>
+      </variable>
     </family>
     <family name="php">
       <variable name="php_enable_output_buffering" redefine="True">
@@ -57,39 +64,43 @@
       <param name="starts_with_char" type="boolean">True</param>
       <target>nextcloud_instance_id</target>
     </fill>
+    <fill name="calc_value">
+      <param type="variable">revprox_client_external_domainname</param>
+      <target>nextcloud_well_known_server</target>
+    </fill>
     <check name="set_linked_multi_variables">
       <param name="linked_provider_0">revprox_clients</param>
-      <param name="linked_value_0" type="variable">revprox_client_external_domainname</param>
+      <param name="linked_value_0" type="variable">nextcloud_well_known_server</param>
       <param name="linked_provider_1">revprox_location</param>
       <param name="linked_value_1">/.well-known/caldav</param>
       <param name="linked_provider_2">revprox_is_websocket</param>
       <param name="linked_value_2" type="boolean">False</param>
       <param name="linked_provider_3">revprox_url</param>
-      <param name="linked_value_3" type="variable">nexcloud_well_known_caldav</param>
+      <param name="linked_value_3" type="variable">nextcloud_well_known_caldav</param>
       <target>revprox_client_server_domainname</target>
     </check>
     <fill name="calc_web_address">
       <param type="variable">domain_name_eth0</param>
       <param type="variable">revprox_client_port</param>
       <param>/.well-known/caldav</param>
-      <target>nexcloud_well_known_caldav</target>
+      <target>nextcloud_well_known_caldav</target>
     </fill>
     <check name="set_linked_multi_variables">
       <param name="linked_provider_0">revprox_clients</param>
-      <param name="linked_value_0" type="variable">revprox_client_external_domainname</param>
+      <param name="linked_value_0" type="variable">nextcloud_well_known_server</param>
       <param name="linked_provider_1">revprox_location</param>
       <param name="linked_value_1">/.well-known/carddav</param>
       <param name="linked_provider_2">revprox_is_websocket</param>
       <param name="linked_value_2" type="boolean">False</param>
       <param name="linked_provider_3">revprox_url</param>
-      <param name="linked_value_3" type="variable">nexcloud_well_known_carddav</param>
+      <param name="linked_value_3" type="variable">nextcloud_well_known_carddav</param>
       <target>revprox_client_server_domainname</target>
     </check>
     <fill name="calc_web_address">
       <param type="variable">domain_name_eth0</param>
       <param type="variable">revprox_client_port</param>
       <param>/.well-known/carddav</param>
-      <target>nexcloud_well_known_carddav</target>
+      <target>nextcloud_well_known_carddav</target>
     </fill>
   </constraints>
 </rougail>

seed/applicationservice/2022.03.08/nextcloud/manual/image/preinstall/nextcloud.sh

@@ -1 +1 @@
-PKG="$PKG mod_ssl nextcloud-postgresql php-intl php-bcmath php-opcache php-pecl-redis"
+PKG="$PKG nextcloud-postgresql php-intl php-bcmath php-opcache php-pecl-redis"

seed/applicationservice/2022.03.08/nextcloud/templates/nextcloud-config.php

@@ -37,7 +37,7 @@ $CONFIG = array (
   'dbtableprefix' => 'oc_',
   'dbuser' => '%%pg_client_username',
   'dbpassword' => '%%pg_client_password',
-  'dbdriveroptions' => array('sslmode' => true),
+  'dbdriveroptions' => array('sslmode' => 'verify-full'),
   'passwordsalt' => '{{SALT}}',
   'secret' => '{{SECRET}}',
   'instanceid' => '%%nextcloud_instance_id',

seed/applicationservice/2022.03.08/nginx-common/dictionaries/20_nginx.xml

@@ -4,7 +4,7 @@
     <service name='nginx' target='multi-user'>
       <file>/etc/nginx/nginx.conf</file>
       <file source="default">/etc/nginx/sites-available/default</file>
-      <file source="default-nginx.conf">/etc/nginx/default.d/risotto.conf</file>
+      <file filelist="nginx_default" source="default-nginx.conf">/etc/nginx/default.d/risotto.conf</file>
       <!--file source="default-nginx-ssl.conf">/etc/nginx/conf.d/risotto-ssl.conf</file-->
       <file source="nginx.index.html">/var/www/html/index.html</file>
       <file source="nginx-options.conf">/etc/nginx/conf.d/options.conf</file>
@@ -36,5 +36,9 @@
       <param>Fedora</param>
       <target type="filelist">nginx_fedora</target>
     </condition>
+    <condition name="disabled_if_in" source="nginx_default">
+      <param type="nil"/>
+      <target type="filelist">nginx_default</target>
+    </condition>
   </constraints>
 </rougail>

seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/dictionaries/25_nginx.xml

@@ -25,7 +25,6 @@
       <variable name="revprox_domainnames_all" type="domainname" description="Tous les noms de domaines" multi="True" hidden="True"/>
       <variable name='nginx_private_key_filename' type="filename" description="Private key filename" hidden='True' multi='True'/>
       <variable name='nginx_certificate_filename' type="filename" description="Certificate filename" hidden='True' multi='True'/>
-      <variable name='internal_nginx_chain' type="string" description="Certificate" hidden='True'/>
     </family>
   </variables>
   <constraints>
@@ -50,10 +49,5 @@
       <param name="multi" type="boolean">True</param>
       <target>nginx_private_key_filename</target>
     </fill>
-    <fill name="get_chain">
-      <param name="authority_cn" type="variable">domain_name_eth0</param> 
-      <param name="authority_name">InternalReverseProxy</param>
-      <target>internal_nginx_chain</target>
-    </fill>
   </constraints>
 </rougail>

seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/extras/nginx/00-nginx.xml

@@ -9,8 +9,8 @@
         <variable name="revprox_location_" type="filename" description="Répertoire ou nom de la page à rediriger" help="URL relative (sans le nom de domaine) redirigée pour l'adresse définie dans la variable ci-dessus (exemple &quot;/mail&quot;)" mandatory="True" multi="True" provider="revprox_location"/>
         <variable name="revprox_url_" type="web_address" description="Domaine de destination ou URI complète" mandatory="True" help="Nom de domaine ou IP de destination, par exemple &quot;http://domainelocal&quot; ou URI, par exemple &quot;http://domainelocal/dir/&quot;" provider="revprox_url"/>
 	<variable name="revprox_is_websocket_" type="boolean" description="Le point d'entré est de types websocket" mandatory="True" provider="revprox_is_websocket"/>
+	<variable name="revprox_max_body_size_" description="Taille maximum du corps" provider="revprox_max_body_size"/>
       </family>
     </family>
   </variables>
 </rougail>
-

seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/ca_InternalReverseProxy.crt

@@ -1 +1 @@
-%%internal_nginx_chain
+%%get_chain(authority_cn=%%domain_name_eth0, authority_name="InternalReverseProxy")

seed/applicationservice/2022.03.08/nginx-reverse-proxy-server/templates/revprox-nginx.conf

@@ -6,7 +6,7 @@
 server {
     listen 80;
     server_name %%domainname;
-    return 301 https://www.domain.com$request_uri;
+    return 301 https://%%domainname$request_uri;
 }
 
 # Configuration HTTPS %%domainname
@@ -25,6 +25,7 @@ server {
     location %%location {
         proxy_pass              %%location['revprox_url_' + family];
   %if %%location['revprox_is_websocket_' + family]
+        proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
   %else
@@ -41,6 +42,10 @@ server {
         proxy_ssl_verify       on;
         proxy_ssl_verify_depth 2;
         proxy_ssl_session_reuse on;
+  %set %%maxbody = %%location['revprox_max_body_size_' + family]
+  %if %%maxbody
+        client_max_body_size %%maxbody;
+  %end if
         set                     $dest  $http_destination;
         index  error.html;
         root /var/www/html;

seed/applicationservice/2022.03.08/oauth2-client/dictionaries/30_oauth2_client.xml

@@ -10,6 +10,12 @@
       <variable name="oauth2_client_description" description="OAuth2 client description" mandatory='True'/>
       <variable name="oauth2_client_login" type="web_address" description="OAuth2 URL to valid login"/>
       <variable name="oauth2_client_external" type="web_address" description="OAuth2 client external" mandatory='True'/>
+      <variable name="oauth2_client_category" description="OAuth2 category" mandatory='True'>
+        <value>Défaut</value>
+      </variable>
+      <variable name="oauth2_client_logo" description="OAuth2 logo" mandatory='True'>
+        <value>demo.png</value>
+      </variable>
       <variable name="oauth2_client_id" description="OAuth2 ID" mandatory='True' hidden='True'/>
       <variable name="oauth2_client_secret" type="password" description="OAuth2 secret" mandatory='True' hidden='True'/>
       <variable name="oauth2_client_token_signature_algo" type="choice" description="OAuth2 token signature algorithm" mandatory='True' hidden='True'>
@@ -50,12 +56,24 @@
       <param name="dynamic" type="variable">oauth2_client_id</param>
       <target>oauth2_client_description</target>
     </check>
+    <check name="set_linked_configuration">
+      <param name="linked_server" type="variable">oauth2_client_server_domainname</param>
+      <param name="linked_provider">oauth2_category</param>
+      <param name="dynamic" type="variable">oauth2_client_id</param>
+      <target>oauth2_client_category</target>
+    </check>
     <check name="set_linked_configuration">
       <param name="linked_server" type="variable">oauth2_client_server_domainname</param>
       <param name="linked_provider">oauth2_external</param>
       <param name="dynamic" type="variable">oauth2_client_id</param>
       <target>oauth2_client_external</target>
     </check>
+    <check name="set_linked_configuration">
+      <param name="linked_server" type="variable">oauth2_client_server_domainname</param>
+      <param name="linked_provider">oauth2_logo</param>
+      <param name="dynamic" type="variable">oauth2_client_id</param>
+      <target>oauth2_client_logo</target>
+    </check>
     <check name="set_linked_configuration">
       <param name="linked_server" type="variable">oauth2_client_server_domainname</param>
       <param name="linked_provider">oauth2_login</param>

seed/applicationservice/2022.03.08/peertube/DEBUG.md

@@ -0,0 +1,10 @@
+# Mettre un mot de passe à l'utilisateur root
+cd /usr/share/peertube/
+export NODE_CONFIG_DIR=/etc/peertube/
+export NODE_ENV=production
+node ./dist/scripts/reset-password.js -u root
+
+
+# Debug
+sed -i "s/level: 'info' # 'debug'/level: 'debug' # 'debug'/g" /etc/peertube/production.yaml
+systemctl restart peertube

seed/applicationservice/2022.03.08/peertube/FIXME

@@ -0,0 +1,3 @@
+yarn(pkg) !
+
+server/tools/ ?

seed/applicationservice/2022.03.08/peertube/applicationservice.yml

@@ -0,0 +1,10 @@
+format: '0.1'
+description: Peertube
+depends:
+  - base-fedora-36
+  - postgresql-client
+  - relay-mail-client
+  - reverse-proxy-client
+  - redis-client
+  - nginx-common
+  - oauth2-client

seed/applicationservice/2022.03.08/peertube/dictionaries/30_peertube.xml

@@ -0,0 +1,68 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name="peertube" target="multi-user">
+      <override/>
+      <file engine="none" source="sysuser-peertube.conf">/sysusers.d/0peertube.conf</file>
+      <file engine="none" source="tmpfile-peertube.conf">/tmpfiles.d/0peertube.conf</file>
+      <file>/etc/peertube/production.yaml</file>
+      <file engine="none">/etc/pam.d/login</file>
+      <file source="nginx.peertube.conf">/etc/nginx/conf.d/peertube.conf</file>
+    </service>
+  </services>
+  <variables>
+    <family name="peertube">
+      <variable name="peertube_admin_email" type="mail" description="Adresse courriel de l'administrateur Peertube" mandatory="True"/>
+      <variable name="peertube_short_description" type="string" description="Description courte de l'instance">
+        <value>PeerTube, an ActivityPub-federated video streaming platform using P2P directly in your web browser.</value>
+      </variable>
+      <variable name="peertube_description" type="string" description="Description de l'instance">
+        <value>Welcome to this PeerTube instance!</value>
+      </variable>
+    </family>
+    <family name="oauth2_client">
+      <variable name="oauth2_is_client_application" redefine='True'>
+        <value>True</value>
+      </variable>
+      <variable name="oauth2_client_name" redefine='True'>
+        <value>Vidéo</value>
+      </variable>
+      <variable name="oauth2_client_description" redefine='True'>
+        <value>Plateforme de partage de vidéo Peertube</value>
+      </variable>
+      <variable name="oauth2_client_category" redefine='True'>
+        <value>Réseaux sociaux</value>
+      </variable>
+      <variable name="oauth2_client_logo" redefine='True'>
+        <value>silique_video.png</value>
+      </variable>
+      <variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
+    </family>
+    <family name="nginx" description="Reverse proxy">
+      <family name="revprox_client" description="Point d'entré des clients" leadership="True">
+        <variable name="revprox_client_location" redefine="True">
+          <value>/</value>
+        </variable>
+        <variable name="revprox_client_max_body_size" redefine="True">
+          <value>12G</value>
+        </variable>
+      </family>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="calc_oauth2_client_external">
+      <param type="variable">revprox_client_external_domainname</param>
+      <param type="variable">revprox_client_location</param>
+      <param>plugins/auth-openid-connect/0.0.7/auth/openid-connect</param>
+      <target>oauth2_client_external</target>
+    </fill>
+    <fill name="calc_value">
+      <param type="boolean">True</param>
+      <param name="default" type="boolean">False</param>
+      <param name="condition" type="variable">revprox_client_location</param>
+      <param name="expected">/socket.io</param>
+      <target>revprox_client_is_websocket</target>
+    </fill>
+  </constraints>
+</rougail>
+

seed/applicationservice/2022.03.08/peertube/manual/image/postinstall/peertube.patch

@@ -0,0 +1,60 @@
+--- peertube_plugins/node_modules/peertube-plugin-auth-openid-connect/main.js 
++++ peertube_plugins/node_modules/peertube-plugin-auth-openid-connect/main.js
+@@ -110,6 +110,14 @@ async function register ({
+     descriptionHTML: 'Will only allow login for users whose group array contains this group'
+   })
+ 
++  registerSetting({
++    name: 'signature-algorithm',
++    label: 'Token signature algorithm',
++    type: 'input',
++    private: true,
++    default: 'RS256'
++  })
++
+   const router = getRouter()
+   router.use('/code-cb', (req, res) => handleCb(peertubeHelpers, settingsManager, req, res))
+ 
+@@ -159,7 +167,8 @@ async function loadSettingsAndCreateClient (registerExternalAuth, unregisterExte
+     'scope',
+     'discover-url',
+     'client-id',
+-    'client-secret'
++    'client-secret',
++    'signature-algorithm'
+   ])
+ 
+   if (!settings['discover-url']) {
+@@ -188,6 +197,8 @@ async function loadSettingsAndCreateClient (registerExternalAuth, unregisterExte
+   } else {
+     clientOptions.token_endpoint_auth_method = 'none'
+   }
++  clientOptions.id_token_signed_response_alg = settings['signature-algorithm']
++  clientOptions.authorization_signed_response_alg = settings['signature-algorithm']
+ 
+   store.client = new issuer.Client(clientOptions)
+
+--- peertube/dist/server/helpers/custom-validators/activitypub/actor.js.ori	2022-04-06 13:58:17.752681849 +0000
++++ peertube/dist/server/helpers/custom-validators/activitypub/actor.js	2022-04-06 13:58:22.268682531 +0000
+@@ -43,8 +43,8 @@
+ function isActorPrivateKeyValid(privateKey) {
+     return (0, misc_1.exists)(privateKey) &&
+         typeof privateKey === 'string' &&
+-        privateKey.startsWith('-----BEGIN RSA PRIVATE KEY-----') &&
+-        privateKey.includes('-----END RSA PRIVATE KEY-----') &&
++        privateKey.startsWith('-----BEGIN PRIVATE KEY-----') &&
++        privateKey.includes('-----END PRIVATE KEY-----') &&
+         validator_1.default.isLength(privateKey, constants_1.CONSTRAINTS_FIELDS.ACTORS.PRIVATE_KEY);
+ }
+ exports.isActorPrivateKeyValid = isActorPrivateKeyValid;
+--- peertube/node_modules/pem/lib/pem.js.ori	2022-04-06 13:59:36.232693763 +0000
++++ peertube/node_modules/pem/lib/pem.js	2022-04-06 13:59:48.916695687 +0000
+@@ -74,7 +74,7 @@
+ 
+   params.push(keyBitsize)
+ 
+-  openssl.exec(params, 'RSA PRIVATE KEY', function (sslErr, key) {
++  openssl.exec(params, 'PRIVATE KEY', function (sslErr, key) {
+     function done (err) {
+       if (err) {
+         return callback(err)

seed/applicationservice/2022.03.08/peertube/manual/image/postinstall/peertube.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+mkdir -p "$IMAGE_NAME_RISOTTO_IMAGE_DIR/proc/self/"
+cat /proc/self/stat > "$IMAGE_NAME_RISOTTO_IMAGE_DIR/proc/self/stat"
+PLUGINS_DIR=/usr/share/peertube_plugins
+echo """#!/bin/bash
+set -ex
+mv /etc/resolv.conf /tmp
+echo "nameserver 9.9.9.9" > /etc/resolv.conf
+PLUGINS_DIR=$PLUGINS_DIR
+mkdir -p "\$PLUGINS_DIR"
+cd "\$PLUGINS_DIR"
+yarn add peertube-plugin-auth-openid-connect@0.0.7 --production
+mkdir -p "\$PLUGINS_DIR/data/peertube-plugin-auth-openid-connect"
+chown peertube: "\$PLUGINS_DIR/data"
+chown peertube: "\$PLUGINS_DIR/data/peertube-plugin-auth-openid-connect"
+
+rm -f /etc/resolv.conf
+mv /tmp/resolv.conf /etc
+""" > "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"
+chmod +x "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"
+chroot "$IMAGE_NAME_RISOTTO_IMAGE_DIR" /install.sh
+rm "$IMAGE_NAME_RISOTTO_IMAGE_DIR/proc/self/stat"
+rmdir "$IMAGE_NAME_RISOTTO_IMAGE_DIR/proc/self/"
+
+rm -f "$IMAGE_NAME_RISOTTO_IMAGE_DIR/install.sh"
+cd "$IMAGE_NAME_RISOTTO_IMAGE_DIR$PLUGINS_DIR/.."
+patch -p0 < $OLDPWD/peertube/postinstall/peertube.patch
+cd -

seed/applicationservice/2022.03.08/peertube/manual/image/preinstall/peertube.sh

@@ -0,0 +1,3 @@
+PKG="$PKG peertube yarnpkg"
+COPR="https://copr.fedorainfracloud.org/coprs/daftaupe/peertube/repo/fedora-36/daftaupe-peertube-fedora-36.repo"
+FUSION=true

seed/applicationservice/2022.03.08/peertube/templates/login

@@ -0,0 +1,17 @@
+# File from util-linux-*.x86_64 (not installed)
+#%PAM-1.0
+auth       substack     system-auth
+auth       include      postlogin
+account    required     pam_nologin.so
+account    include      system-auth
+password   include      system-auth
+# pam_selinux.so close should be the first session rule
+session    required     pam_selinux.so close
+session    required     pam_loginuid.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session    required     pam_selinux.so open
+session    required     pam_namespace.so
+session    optional     pam_keyinit.so force revoke
+session    include      system-auth
+session    include      postlogin
+-session   optional     pam_ck_connector.so

seed/applicationservice/2022.03.08/peertube/templates/nginx.peertube.conf

@@ -0,0 +1,271 @@
+# GNUNUX /usr/share/peertube/support/nginx/peertube
+# Minimum Nginx version required:  1.13.0 (released Apr 25, 2017)
+# Please check your Nginx installation features the following modules via 'nginx -V':
+# STANDARD HTTP MODULES: Core, Proxy, Rewrite, Access, Gzip, Headers, HTTP/2, Log, Real IP, SSL, Thread Pool, Upstream, AIO Multithreading.
+# THIRD PARTY MODULES:   None.
+
+# GNUNUX server {
+# GNUNUX   listen 80;
+# GNUNUX   listen [::]:80;
+# GNUNUX   server_name ${WEBSERVER_HOST};
+# GNUNUX 
+# GNUNUX   location /.well-known/acme-challenge/ {
+# GNUNUX     default_type "text/plain";
+# GNUNUX     root /var/www/certbot;
+# GNUNUX   }
+# GNUNUX   location / { return 301 https://$host$request_uri; }
+# GNUNUX }
+
+upstream %%domain_name_eth0 {
+# GNUNUX  server ${PEERTUBE_HOST};
+  server localhost:9000;
+}
+
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  server_name %%domain_name_eth0;
+
+# GNUNUX  access_log /var/log/nginx/peertube.access.log; # reduce I/0 with buffer=10m flush=5m
+# GNUNUX  error_log  /var/log/nginx/peertube.error.log;
+
+  ##
+  # Certificates
+  # you need a certificate to run in production. see https://letsencrypt.org/
+  ##
+# GNUNUX  ssl_certificate     /etc/letsencrypt/live/${WEBSERVER_HOST}/fullchain.pem;
+# GNUNUX  ssl_certificate_key /etc/letsencrypt/live/${WEBSERVER_HOST}/privkey.pem;
+#>GNUNUX
+  ssl_client_certificate %%revprox_ca_file;
+  ssl_certificate        %%revprox_cert_file;
+  ssl_certificate_key    %%revprox_key_file;
+#<GNUNUX
+
+# GNUNUX  location ^~ '/.well-known/acme-challenge' {
+# GNUNUX    default_type "text/plain";
+# GNUNUX    root /var/www/certbot;
+# GNUNUX  }
+
+  ##
+  # Security hardening (as of Nov 15, 2020)
+  # based on Mozilla Guideline v5.6
+  ##
+
+  ssl_protocols             TLSv1.2 TLSv1.3;
+  ssl_prefer_server_ciphers on;
+  ssl_ciphers               ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
+  ssl_session_timeout       1d; # defaults to 5m
+  ssl_session_cache         shared:SSL:10m; # estimated to 40k sessions
+  ssl_session_tickets       off;
+  ssl_stapling              on;
+  ssl_stapling_verify       on;
+  # HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
+  #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+
+  ##
+  # Application
+  ##
+
+  location @api {
+#    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host            %%revprox_client_external_domainname;
+#    proxy_set_header X-Real-IP       $remote_addr;
+
+    client_max_body_size  100k; # default is 1M
+
+    proxy_connect_timeout 10m;
+    proxy_send_timeout    10m;
+    proxy_read_timeout    10m;
+    send_timeout          10m;
+
+    proxy_pass http://%%domain_name_eth0;
+  }
+
+  location / {
+    try_files /dev/null @api;
+  }
+
+  location = /api/v1/videos/upload-resumable {
+    client_max_body_size    0;
+    proxy_request_buffering off;
+
+    try_files /dev/null @api;
+  }
+
+  location = /api/v1/videos/upload {
+    limit_except POST HEAD { deny all; }
+
+    # This is the maximum upload size, which roughly matches the maximum size of a video file.
+    # Note that temporary space is needed equal to the total size of all concurrent uploads.
+    # This data gets stored in /var/lib/nginx by default, so you may want to put this directory
+    # on a dedicated filesystem.
+    client_max_body_size                      12G; # default is 1M
+    add_header            X-File-Maximum-Size 8G always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size)
+
+    try_files /dev/null @api;
+  }
+
+  location ~ ^/api/v1/(videos|video-playlists|video-channels|users/me) {
+    client_max_body_size                      6M; # default is 1M
+    add_header            X-File-Maximum-Size 4M always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size)
+
+    try_files /dev/null @api;
+  }
+
+  ##
+  # Websocket
+  ##
+
+  location @api_websocket {
+    proxy_http_version 1.1;
+#    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header   Host            %%revprox_client_external_domainname;
+#    proxy_set_header   X-Real-IP       $remote_addr;
+#    proxy_set_header   Upgrade         $http_upgrade;
+#    proxy_set_header   Connection      "upgrade";
+
+    proxy_pass http://%%domain_name_eth0;
+  }
+
+  location /socket.io {
+    try_files /dev/null @api_websocket;
+  }
+
+  location /tracker/socket {
+    # Peers send a message to the tracker every 15 minutes
+    # Don't close the websocket before then
+    proxy_read_timeout 15m; # default is 60s
+
+    try_files /dev/null @api_websocket;
+  }
+
+  ##
+  # Performance optimizations
+  # For extra performance please refer to https://github.com/denji/nginx-tuning
+  ##
+
+# GNUNUX  root /var/www/peertube/storage;
+  root /usr/share/peertube;
+
+  # Enable compression for JS/CSS/HTML, for improved client load times.
+  # It might be nice to compress JSON/XML as returned by the API, but
+  # leaving that out to protect against potential BREACH attack.
+  gzip              on;
+  gzip_vary         on;
+  gzip_types        # text/html is always compressed by HttpGzipModule
+                    text/css
+                    application/javascript
+                    font/truetype
+                    font/opentype
+                    application/vnd.ms-fontobject
+                    image/svg+xml;
+  gzip_min_length   1000; # default is 20 bytes
+  gzip_buffers      16 8k;
+  gzip_comp_level   2; # default is 1
+
+  client_body_timeout       30s; # default is 60
+  client_header_timeout     10s; # default is 60
+  send_timeout              10s; # default is 60
+  keepalive_timeout         10s; # default is 75
+  resolver_timeout          10s; # default is 30
+  reset_timedout_connection on;
+  proxy_ignore_client_abort on;
+
+  tcp_nopush                on; # send headers in one piece
+  tcp_nodelay               on; # don't buffer data sent, good for small data bursts in real time
+
+  # If you have a small /var/lib partition, it could be interesting to store temp nginx uploads in a different place
+  # See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path
+  #client_body_temp_path /var/www/peertube/storage/nginx/;
+
+  # Bypass PeerTube for performance reasons. Optional.
+  # Should be consistent with client-overrides assets list in /server/controllers/client.ts
+  location ~ ^/client/(assets/images/(icons/icon-36x36\.png|icons/icon-48x48\.png|icons/icon-72x72\.png|icons/icon-96x96\.png|icons/icon-144x144\.png|icons/icon-192x192\.png|icons/icon-512x512\.png|logo\.svg|favicon\.png|default-playlist\.jpg|default-avatar-account\.png|default-avatar-video-channel\.png))$ {
+    add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year
+
+# GNUNUX    root /var/www/peertube;
+    root /usr/share/peertube;
+
+    try_files /storage/client-overrides/$1 /peertube-latest/client/dist/$1 @api;
+  }
+
+  # Bypass PeerTube for performance reasons. Optional.
+  location ~ ^/client/(.*\.(js|css|png|svg|woff2|otf|ttf|woff|eot))$ {
+    add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year
+
+# GNUNUX    alias /var/www/peertube/client/dist/$1;
+    alias /usr/share/peertube/client/dist/$1;
+  }
+
+  # Bypass PeerTube for performance reasons. Optional.
+  location ~ ^/static/(thumbnails|avatars)/ {
+    root /srv/peertube;
+    if ($request_method = 'OPTIONS') {
+      add_header Access-Control-Allow-Origin  '*';
+      add_header Access-Control-Allow-Methods 'GET, OPTIONS';
+      add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+      add_header Access-Control-Max-Age       1728000; # Preflight request can be cached 20 days
+      add_header Content-Type                 'text/plain charset=UTF-8';
+      add_header Content-Length               0;
+      return 204;
+    }
+
+    add_header Access-Control-Allow-Origin    '*';
+    add_header Access-Control-Allow-Methods   'GET, OPTIONS';
+    add_header Access-Control-Allow-Headers   'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+    add_header Cache-Control                  "public, max-age=7200"; # Cache response 2 hours
+
+    rewrite ^/static/(.*)$ /$1 break;
+
+    try_files $uri @api;
+  }
+
+  # Bypass PeerTube for performance reasons. Optional.
+  location ~ ^/static/(webseed|redundancy|streaming-playlists)/ {
+    root /srv/peertube;
+    limit_rate_after            5M;
+
+    # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
+    set $peertube_limit_rate    800k;
+
+    # Increase rate limit in HLS mode, because we don't have multiple simultaneous connections
+    if ($request_uri ~ -fragmented.mp4$) {
+      set $peertube_limit_rate  5M;
+    }
+
+    # Use this line with nginx >= 1.17.0
+    #limit_rate $peertube_limit_rate;
+    # Or this line if your nginx < 1.17.0
+    set $limit_rate $peertube_limit_rate;
+
+    if ($request_method = 'OPTIONS') {
+      add_header Access-Control-Allow-Origin  '*';
+      add_header Access-Control-Allow-Methods 'GET, OPTIONS';
+      add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+      add_header Access-Control-Max-Age       1728000; # Preflight request can be cached 20 days
+      add_header Content-Type                 'text/plain charset=UTF-8';
+      add_header Content-Length               0;
+      return 204;
+    }
+
+    if ($request_method = 'GET') {
+      add_header Access-Control-Allow-Origin  '*';
+      add_header Access-Control-Allow-Methods 'GET, OPTIONS';
+      add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+
+      # Don't spam access log file with byte range requests
+      access_log off;
+    }
+
+    # Enabling the sendfile directive eliminates the step of copying the data into the buffer
+    # and enables direct copying data from one file descriptor to another.
+    sendfile on;
+    sendfile_max_chunk 1M; # prevent one fast connection from entirely occupying the worker process. should be > 800k.
+    aio threads;
+
+    rewrite ^/static/webseed/(.*)$ /videos/$1 break;
+    rewrite ^/static/(.*)$         /$1        break;
+
+    try_files $uri @api;
+  }
+}

seed/applicationservice/2022.03.08/peertube/templates/peertube.service

@@ -0,0 +1,5 @@
+[Service]
+Environment=PGPASSFILE=/usr/local/lib/secrets/postgresql.pass
+ExecStartPost=+/usr/bin/timeout 90 sh -c 'while ! /usr/bin/psql --set=sslmode=verify-full -h %%pg_client_server_domainname -U %%pg_client_username %%pg_client_database -c "SELECT * FROM plugin;"; do sleep 1; done'
+ExecStartPost=+/usr/bin/psql --set=sslmode=verify-full -h %%pg_client_server_domainname -U %%pg_client_username %%pg_client_database -c "DELETE FROM plugin;"
+ExecStartPost=+/usr/bin/psql --set=sslmode=verify-full -h %%pg_client_server_domainname -U %%pg_client_username %%pg_client_database -c "INSERT INTO plugin (name, type, version, enabled, uninstalled, \"peertubeEngine\", description, homepage, settings, \"createdAt\", \"updatedAt\") VALUES ('auth-openid-connect', '1', '0.0.7', true, false, '>=2.2.0', 'Add OpenID connect support to login form in PeerTube.', 'https://framagit.org/framasoft/peertube/official-plugins/tree/master/peertube-plugin-auth-openid-connect', '{\"scope\": \"openid email profile\", \"client-id\": \"%%oauth2_client_id\", \"discover-url\": \"https://%%oauth2_client_server_domainname/.well-known/openid-configuration\", \"client-secret\": \"%%oauth2_client_secret\", \"mail-property\": \"email\", \"auth-display-name\": \"OpenID Connect\", \"username-property\": \"nickname\", \"signature-algorithm\": \"%%oauth2_client_token_signature_algo\", \"display-name-property\": \"email\"}', '2022-04-05 18:12:34.832+02', '2022-04-05 18:12:34.832+02')"

seed/applicationservice/2022.03.08/peertube/templates/production.yaml

@@ -0,0 +1,638 @@
+%compiler-settings
+commentStartToken = §
+%end compiler-settings
+listen:
+  hostname: 'localhost'
+  port: 9000
+
+# Correspond to your reverse proxy server_name/listen configuration (i.e., your public PeerTube instance URL)
+webserver:
+  https: true
+  hostname: '%%revprox_client_external_domainname'
+  port: 443
+
+rates_limit:
+  api:
+    # 50 attempts in 10 seconds
+    window: 10 seconds
+    max: 50
+  login:
+    # 15 attempts in 5 min
+    window: 5 minutes
+    max: 15
+  signup:
+    # 2 attempts in 5 min (only succeeded attempts are taken into account)
+    window: 5 minutes
+    max: 2
+  ask_send_email:
+    # 3 attempts in 5 min
+    window: 5 minutes
+    max: 3
+
+# Proxies to trust to get real client IP
+# If you run PeerTube just behind a local proxy (nginx), keep 'loopback'
+# If you run PeerTube behind a remote proxy, add the proxy IP address (or subnet)
+trust_proxy:
+  - 'loopback'
+
+# Your database name will be database.name OR 'peertube'+database.suffix
+database:
+  hostname: '%%pg_client_server_domainname'
+  port: 5432
+  ssl: true
+  suffix: '_prod'
+  name: '%%pg_client_database'
+  username: '%%pg_client_username'
+  password: '%%pg_client_password'
+  pool:
+    max: 5
+
+# Redis server for short time storage
+# You can also specify a 'socket' path to a unix socket but first need to
+# comment out hostname and port
+redis:
+  hostname: '%%redis_client_server_domainname'
+  port: 6379
+  auth: '%%redis_client_password'
+  db: 0
+
+# SMTP server to send emails
+smtp:
+  # smtp or sendmail
+  transport: smtp
+  # Path to sendmail command. Required if you use sendmail transport
+  sendmail: null
+  hostname: '%%smtp_relay_address'
+  port: 25 # If you use StartTLS: 587
+  username: '%%smtp_relay_user'
+  password: '%%smtp_relay_password'
+  tls: false # If you use StartTLS: false
+  disable_starttls: false
+  ca_file: '/etc/pki/ca-trust/source/anchors/ca_MailRelay.crt' # Used for self signed certificates
+  from_address: '%%peertube_admin_email'
+
+email:
+  body:
+    signature: 'PeerTube'
+  subject:
+    prefix: '[PeerTube]'
+
+# Update default PeerTube values
+# Set by API when the field is not provided and put as default value in client
+defaults:
+  # Change default values when publishing a video (upload/import/go Live)
+  publish:
+    download_enabled: true
+
+    comments_enabled: true
+
+    # public = 1, unlisted = 2, private = 3, internal = 4
+    privacy: 1
+
+    # CC-BY = 1, CC-SA = 2, CC-ND = 3, CC-NC = 4, CC-NC-SA = 5, CC-NC-ND = 6, Public Domain = 7
+    # You can also choose a custom licence value added by a plugin
+    # No licence by default
+    licence: null
+
+  p2p:
+    # Enable P2P by default
+    # Can be enabled/disabled by anonymous users and logged in users
+    webapp:
+      enabled: true
+
+    embed:
+      enabled: true
+
+# From the project root directory
+storage:
+  tmp: '/srv/peertube/tmp/' # Use to download data (imports etc), store uploaded files before and during processing...
+  bin: '/srv/peertube/bin/'
+  avatars: '/srv/peertube/avatars/'
+  videos: '/srv/peertube/videos/'
+  streaming_playlists: '/srv/peertube/streaming-playlists/'
+  redundancy: '/srv/peertube/redundancy/'
+  logs: '/srv/peertube/logs/'
+  previews: '/srv/peertube/previews/'
+  thumbnails: '/srv/peertube/thumbnails/'
+  torrents: '/srv/peertube/torrents/'
+  captions: '/srv/peertube/captions/'
+  cache: '/srv/peertube/cache/'
+  plugins: '/usr/share/peertube_plugins/'
+  # Overridable client files in client/dist/assets/images:
+  # - logo.svg
+  # - favicon.png
+  # - default-playlist.jpg
+  # - default-avatar-account.png
+  # - default-avatar-video-channel.png
+  # - and icons/*.png (PWA)
+  # Could contain for example assets/images/favicon.png
+  # If the file exists, peertube will serve it
+  # If not, peertube will fallback to the default file
+  client_overrides: '/srv/peertube/client-overrides/'
+
+object_storage:
+  enabled: false
+
+  # Without protocol, will default to HTTPS
+  endpoint: '' # 's3.amazonaws.com' or 's3.fr-par.scw.cloud' for example
+
+  region: 'us-east-1'
+
+  credentials:
+    # You can also use AWS_ACCESS_KEY_ID env variable
+    access_key_id: ''
+    # You can also use AWS_SECRET_ACCESS_KEY env variable
+    secret_access_key: ''
+
+  # Maximum amount to upload in one request to object storage
+  max_upload_part: 2GB
+
+  streaming_playlists:
+    bucket_name: 'streaming-playlists'
+
+    # Allows setting all buckets to the same value but with a different prefix
+    prefix: '' # Example: 'streaming-playlists:'
+
+    # Base url for object URL generation, scheme and host will be replaced by this URL
+    # Useful when you want to use a CDN/external proxy
+    base_url: '' # Example: 'https://mirror.example.com'
+
+  # Same settings but for webtorrent videos
+  videos:
+    bucket_name: 'videos'
+    prefix: ''
+    base_url: ''
+
+log:
+  level: 'info' # 'debug' | 'info' | 'warn' | 'error'
+  rotation:
+    enabled : false # Enabled by default, if disabled make sure that 'storage.logs' is pointing to a folder handled by logrotate
+    max_file_size: 12MB
+    max_files: 20
+  anonymize_ip: false
+  log_ping_requests: true
+  prettify_sql: false
+
+trending:
+  videos:
+    interval_days: 7 # Compute trending videos for the last x days
+    algorithms:
+      enabled:
+        - 'best' # adaptation of Reddit's 'Best' algorithm (Hot minus History)
+        - 'hot' # adaptation of Reddit's 'Hot' algorithm
+        - 'most-viewed' # default, used initially by PeerTube as the trending page
+        - 'most-liked'
+      default: 'most-viewed'
+
+# Cache remote videos on your server, to help other instances to broadcast the video
+# You can define multiple caches using different sizes/strategies
+# Once you have defined your strategies, choose which instances you want to cache in admin -> manage follows -> following
+redundancy:
+  videos:
+    check_interval: '1 hour' # How often you want to check new videos to cache
+    strategies: # Just uncomment strategies you want
+#      -
+#        size: '10GB'
+#        # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
+#        min_lifetime: '48 hours'
+#        strategy: 'most-views' # Cache videos that have the most views
+#      -
+#        size: '10GB'
+#        # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
+#        min_lifetime: '48 hours'
+#        strategy: 'trending' # Cache trending videos
+#      -
+#        size: '10GB'
+#        # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
+#        min_lifetime: '48 hours'
+#        strategy: 'recently-added' # Cache recently added videos
+#        min_views: 10 # Having at least x views
+
+# Other instances that duplicate your content
+remote_redundancy:
+  videos:
+    # 'nobody': Do not accept remote redundancies
+    # 'anybody': Accept remote redundancies from anybody
+    # 'followings': Accept redundancies from instance followings
+    accept_from: 'anybody'
+
+csp:
+  enabled: false
+  report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
+  report_uri:
+
+security:
+  # Set the X-Frame-Options header to help to mitigate clickjacking attacks
+  frameguard:
+    enabled: true
+
+tracker:
+  # If you disable the tracker, you disable the P2P aspect of PeerTube
+  enabled: true
+  # Only handle requests on your videos
+  # If you set this to false it means you have a public tracker
+  # Then, it is possible that clients overload your instance with external torrents
+  private: true
+  # Reject peers that do a lot of announces (could improve privacy of TCP/UDP peers)
+  reject_too_many_announces: false
+
+history:
+  videos:
+    # If you want to limit users videos history
+    # -1 means there is no limitations
+    # Other values could be '6 months' or '30 days' etc (PeerTube will periodically delete old entries from database)
+    max_age: -1
+
+views:
+  videos:
+    # PeerTube creates a database entry every hour for each video to track views over a period of time
+    # This is used in particular by the Trending page
+    # PeerTube could remove old remote video views if you want to reduce your database size (video view counter will not be altered)
+    # -1 means no cleanup
+    # Other values could be '6 months' or '30 days' etc (PeerTube will periodically delete old entries from database)
+    remote:
+      max_age: '30 days'
+
+    # PeerTube buffers local video views before updating and federating the video
+    local_buffer_update_interval: '30 minutes'
+
+    ip_view_expiration: '1 hour'
+
+plugins:
+  # The website PeerTube will ask for available PeerTube plugins and themes
+  # This is an unmoderated plugin index, so only install plugins/themes you trust
+  index:
+    enabled: false
+    check_latest_versions_interval: '12 hours' # How often you want to check new plugins/themes versions
+    url: 'https://packages.joinpeertube.org'
+
+federation:
+  videos:
+    federate_unlisted: false
+
+    # Add a weekly job that cleans up remote AP interactions on local videos (shares, rates and comments)
+    # It removes objects that do not exist anymore, and potentially fix their URLs
+    cleanup_remote_interactions: true
+
+peertube:
+  check_latest_version:
+    # Check and notify admins of new PeerTube versions
+    enabled: false
+    # You can use a custom URL if your want, that respect the format behind https://joinpeertube.org/api/v1/versions.json
+    url: 'https://joinpeertube.org/api/v1/versions.json'
+
+webadmin:
+  configuration:
+    edition:
+      # Set this to false if you don't want to allow config edition in the web interface by instance admins
+      allowed: false
+
+###############################################################################
+#
+# From this point, all the following keys can be overridden by the web interface
+# (local-production.json file). If you need to change some values, prefer to
+# use the web interface because the configuration will be automatically
+# reloaded without any need to restart PeerTube
+#
+# /!\ If you already have a local-production.json file, the modification of the
+# following keys will have no effect /!\
+#
+###############################################################################
+
+cache:
+  previews:
+    size: 500 # Max number of previews you want to cache
+  captions:
+    size: 500 # Max number of video captions/subtitles you want to cache
+  torrents:
+    size: 500 # Max number of video torrents you want to cache
+
+admin:
+  # Used to generate the root user at first startup
+  # And to receive emails from the contact form
+  email: '%%peertube_admin_email'
+
+contact_form:
+  enabled: true
+
+signup:
+  enabled: false
+  limit: 10 # When the limit is reached, registrations are disabled. -1 == unlimited
+  minimum_age: 16 # Used to configure the signup form
+  requires_email_verification: false
+  filters:
+    cidr: # You can specify CIDR ranges to whitelist (empty = no filtering) or blacklist
+      whitelist: []
+      blacklist: []
+
+user:
+  # Default value of maximum video bytes the user can upload (does not take into account transcoded files)
+  # Byte format is supported ("1GB" etc)
+  # -1 == unlimited
+  video_quota: -1
+  video_quota_daily: -1
+
+video_channels:
+  max_per_user: 20 # Allows each user to create up to 20 video channels.
+
+# If enabled, the video will be transcoded to mp4 (x264) with `faststart` flag
+# In addition, if some resolutions are enabled the mp4 video file will be transcoded to these new resolutions
+# Please, do not disable transcoding since many uploaded videos will not work
+transcoding:
+  enabled: true
+
+  # Allow your users to upload .mkv, .mov, .avi, .wmv, .flv, .f4v, .3g2, .3gp, .mts, m2ts, .mxf, .nut videos
+  allow_additional_extensions: true
+
+  # If a user uploads an audio file, PeerTube will create a video by merging the preview file and the audio file
+  allow_audio_files: true
+
+  # Amount of threads used by ffmpeg for 1 transcoding job
+  threads: 1
+  # Amount of transcoding jobs to execute in parallel
+  concurrency: 1
+
+  # Choose the transcoding profile
+  # New profiles can be added by plugins
+  # Available in core PeerTube: 'default'
+  profile: 'default'
+
+  resolutions: # Only created if the original video has a higher resolution, uses more storage!
+    0p: false # audio-only (creates mp4 without video stream, always created when enabled)
+    144p: false
+    240p: false
+    360p: false
+    480p: false
+    720p: false
+    1080p: false
+    1440p: false
+    2160p: false
+
+  # Generate videos in a WebTorrent format (what we do since the first PeerTube release)
+  # If you also enabled the hls format, it will multiply videos storage by 2
+  # If disabled, breaks federation with PeerTube instances < 2.1
+  webtorrent:
+    enabled: false
+
+  # /!\ Requires ffmpeg >= 4.1
+  # Generate HLS playlists and fragmented MP4 files. Better playback than with WebTorrent:
+  #     * Resolution change is smoother
+  #     * Faster playback in particular with long videos
+  #     * More stable playback (less bugs/infinite loading)
+  # If you also enabled the webtorrent format, it will multiply videos storage by 2
+  hls:
+    enabled: true
+
+live:
+  enabled: false
+
+  # Limit lives duration
+  # -1 == unlimited
+  max_duration: -1 # For example: '5 hours'
+
+  # Limit max number of live videos created on your instance
+  # -1 == unlimited
+  max_instance_lives: 20
+
+  # Limit max number of live videos created by a user on your instance
+  # -1 == unlimited
+  max_user_lives: 3
+
+  # Allow your users to save a replay of their live
+  # PeerTube will transcode segments in a video file
+  # If the user daily/total quota is reached, PeerTube will stop the live
+  # /!\ transcoding.enabled (and not live.transcoding.enabled) has to be true to create a replay
+  allow_replay: true
+
+  # Your firewall should accept traffic from this port in TCP if you enable live
+  rtmp:
+    enabled: true
+    port: 1935
+
+  rtmps:
+    enabled: false
+    port: 1936
+    # Absolute path
+    key_file: ''
+    # Absolute path
+    cert_file: ''
+
+  # Allow to transcode the live streaming in multiple live resolutions
+  transcoding:
+    enabled: true
+    threads: 2
+
+    # Choose the transcoding profile
+    # New profiles can be added by plugins
+    # Available in core PeerTube: 'default'
+    profile: 'default'
+
+    resolutions:
+      144p: false
+      240p: false
+      360p: false
+      480p: false
+      720p: false
+      1080p: false
+      1440p: false
+      2160p: false
+
+import:
+  # Add ability for your users to import remote videos (from YouTube, torrent...)
+  videos:
+    # Amount of import jobs to execute in parallel
+    concurrency: 1
+
+    # Classic HTTP or all sites supported by youtube-dl https://rg3.github.io/youtube-dl/supportedsites.html
+    http:
+      # We recommend to use a HTTP proxy if you enable HTTP import to prevent private URL access from this server
+      # See https://docs.joinpeertube.org/maintain-configuration?id=security for more information
+      enabled: true
+
+      youtube_dl_release:
+        # Direct download URL to youtube-dl binary
+        # Github releases API is also supported
+        # Examples:
+        #   * https://api.github.com/repos/ytdl-org/youtube-dl/releases
+        #   * https://api.github.com/repos/yt-dlp/yt-dlp/releases
+        url: 'https://yt-dl.org/downloads/latest/youtube-dl'
+
+        # youtube-dl binary name
+        # yt-dlp is also supported
+        name: 'youtube-dl'
+
+        # Path to the python binary to execute for youtube-dl or yt-dlp
+        python_path: '/usr/bin/python3'
+
+      # IPv6 is very strongly rate-limited on most sites supported by youtube-dl
+      force_ipv4: false
+
+    # Magnet URI or torrent file (use classic TCP/UDP/WebSeed to download the file)
+    torrent:
+      # We recommend to only enable magnet URI/torrent import if you trust your users
+      # See https://docs.joinpeertube.org/maintain-configuration?id=security for more information
+      enabled: false
+
+auto_blacklist:
+  # New videos automatically blacklisted so moderators can review before publishing
+  videos:
+    of_users:
+      enabled: false
+
+# Instance settings
+instance:
+  name: 'PeerTube'
+  short_description: '%%peertube_short_description'
+  description: '%%peertube_description' # Support markdown
+  terms: 'No terms for now.' # Support markdown
+  code_of_conduct: '' # Supports markdown
+
+  # Who moderates the instance? What is the policy regarding NSFW videos? Political videos? etc
+  moderation_information: '' # Supports markdown
+
+  # Why did you create this instance?
+  creation_reason: '' # Supports Markdown
+
+  # Who is behind the instance? A single person? A non profit?
+  administrator: '' # Supports Markdown
+
+  # How long do you plan to maintain this instance?
+  maintenance_lifetime: '' # Supports Markdown
+
+  # How will you pay the PeerTube instance server? With your own funds? With users donations? Advertising?
+  business_model: '' # Supports Markdown
+
+  # If you want to explain on what type of hardware your PeerTube instance runs
+  # Example: '2 vCore, 2GB RAM...'
+  hardware_information: '' # Supports Markdown
+
+  # What are the main languages of your instance? To interact with your users for example
+  # Uncomment or add the languages you want
+  # List of supported languages: https://peertube.cpy.re/api/v1/videos/languages
+  languages:
+#    - en
+#    - es
+    - fr
+
+  # You can specify the main categories of your instance (dedicated to music, gaming or politics etc)
+  # Uncomment or add the category ids you want
+  # List of supported categories: https://peertube.cpy.re/api/v1/videos/categories
+  categories:
+#    - 1  # Music
+#    - 2  # Films
+#    - 3  # Vehicles
+#    - 4  # Art
+#    - 5  # Sports
+#    - 6  # Travels
+#    - 7  # Gaming
+#    - 8  # People
+#    - 9  # Comedy
+#    - 10 # Entertainment
+#    - 11 # News & Politics
+#    - 12 # How To
+#    - 13 # Education
+#    - 14 # Activism
+#    - 15 # Science & Technology
+#    - 16 # Animals
+#    - 17 # Kids
+#    - 18 # Food
+
+  default_client_route: '/videos/trending'
+
+  # Whether or not the instance is dedicated to NSFW content
+  # Enabling it will allow other administrators to know that you are mainly federating sensitive content
+  # Moreover, the NSFW checkbox on video upload will be automatically checked by default
+  is_nsfw: false
+  # By default, `do_not_list` or `blur` or `display` NSFW videos
+  # Could be overridden per user with a setting
+  default_nsfw_policy: 'do_not_list'
+
+  customizations:
+    javascript: '' # Directly your JavaScript code (without <script> tags). Will be eval at runtime
+    css: '' # Directly your CSS code (without <style> tags). Will be injected at runtime
+  # Robot.txt rules. To disallow robots to crawl your instance and disallow indexation of your site, add `/` to `Disallow:`
+  robots: |
+    User-agent: *
+    Disallow:
+  # Security.txt rules. To discourage researchers from testing your instance and disable security.txt integration, set this to an empty string
+  securitytxt:
+    '# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:'
+
+services:
+  # Cards configuration to format video in Twitter
+  twitter:
+    username: '@Chocobozzz' # Indicates the Twitter account for the website or platform on which the content was published
+    # If true, a video player will be embedded in the Twitter feed on PeerTube video share
+    # If false, we use an image link card that will redirect on your PeerTube instance
+    # Change it to `true`, and then test on https://cards-dev.twitter.com/validator to see if you are whitelisted
+    whitelisted: false
+
+followers:
+  instance:
+    # Allow or not other instances to follow yours
+    enabled: true
+    # Whether or not an administrator must manually validate a new follower
+    manual_approval: false
+
+followings:
+  instance:
+    # If you want to automatically follow back new instance followers
+    # If this option is enabled, use the mute feature instead of deleting followings
+    # /!\ Don't enable this if you don't have a reactive moderation team /!\
+    auto_follow_back:
+      enabled: false
+
+    # If you want to automatically follow instances of the public index
+    # If this option is enabled, use the mute feature instead of deleting followings
+    # /!\ Don't enable this if you don't have a reactive moderation team /!\
+    auto_follow_index:
+      enabled: false
+      # Host your own using https://framagit.org/framasoft/peertube/instances-peertube#peertube-auto-follow
+      index_url: ''
+
+theme:
+  default: 'default'
+
+broadcast_message:
+  enabled: false
+  message: '' # Support markdown
+  level: 'info' # 'info' | 'warning' | 'error'
+  dismissable: false
+
+search:
+  # Add ability to fetch remote videos/actors by their URI, that may not be federated with your instance
+  # If enabled, the associated group will be able to "escape" from the instance follows
+  # That means they will be able to follow channels, watch videos, list videos of non followed instances
+  remote_uri:
+    users: true
+    anonymous: false
+
+  # Use a third party index instead of your local index, only for search results
+  # Useful to discover content outside of your instance
+  # If you enable search_index, you must enable remote_uri search for users
+  # If you do not enable remote_uri search for anonymous user, your instance will redirect the user on the origin instance
+  # instead of loading the video locally
+  search_index:
+    enabled: false
+    # URL of the search index, that should use the same search API and routes
+    # than PeerTube: https://docs.joinpeertube.org/api-rest-reference.html
+    # You should deploy your own with https://framagit.org/framasoft/peertube/search-index,
+    # and can use https://search.joinpeertube.org/ for tests, but keep in mind the latter is an unmoderated search index
+    url: ''
+    # You can disable local search, so users only use the search index
+    disable_local_search: false
+    # If you did not disable local search, you can decide to use the search index by default
+    is_default_search: false
+
+# PeerTube client/interface configuration
+client:
+  videos:
+    miniature:
+      # By default PeerTube client displays author username
+      prefer_author_display_name: false
+
+  menu:
+    login:
+      # If you enable only one external auth plugin
+      # You can automatically redirect your users on this external platform when they click on the login button
+      redirect_on_single_external_auth: false

seed/applicationservice/2022.03.08/peertube/templates/sysuser-peertube.conf

@@ -0,0 +1,2 @@
+g peertube 982 -
+u peertube 983:982     "Peertube Server" /usr/share/peertube  /sbin/nologin

seed/applicationservice/2022.03.08/peertube/templates/tmpfile-peertube.conf

@@ -0,0 +1 @@
+d /srv/peertube/ 750 peertube nginx - -

seed/applicationservice/2022.03.08/php/applicationservice.yml

@@ -1,4 +1,2 @@
 format: '0.1'
 description: PHP configuration
-depends:
-  - apache

seed/applicationservice/2022.03.08/piwigo/applicationservice.yml

@@ -0,0 +1,11 @@
+format: '0.1'
+description: Nextcloud
+depends:
+  - base-fedora-35
+  - mariadb-client
+  - ldap-client-fedora
+  - oauth2-client
+  - relay-mail-client
+  - nginx-common
+  - php-fpm
+  - reverse-proxy-client

seed/applicationservice/2022.03.08/piwigo/dictionaries/31_piwigo.xml

@@ -0,0 +1,11 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name="piwigo" manage="False">
+    </service>
+  </services>
+  <variables>
+    <family name="piwigo" description="Piwigo">
+    </family>
+  </variables>
+</rougail>

seed/applicationservice/2022.03.08/piwigo/manual/image/postinstall/piwigo.sh

@@ -0,0 +1,9 @@
+mkdir -p "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/local/share"
+cd "$IMAGE_NAME_RISOTTO_IMAGE_DIR/usr/local/share"
+app=$(wget https://api.github.com/repos/Piwigo/Piwigo/releases/latest -q -O - | jq -r '.tag_name')
+wget -q "https://github.com/Piwigo/Piwigo/archive/refs/tags/$app.tar.gz"
+tar xf *tar.gz
+rm -f *tar.gz
+mv Piwigo-* piwigo
+chown -R root: piwigo
+cd -

seed/applicationservice/2022.03.08/pleroma/applicationservice.yml

@@ -0,0 +1,10 @@
+format: '0.1'
+description: Pleroma
+depends:
+  - base-fedora-36
+  - postgresql-client
+  - relay-mail-client
+  - reverse-proxy-client
+  - redis-client
+  - nginx-common
+  - oauth2-client

seed/applicationservice/2022.03.08/pleroma/dictionaries/30_peertube.xml

@@ -0,0 +1,68 @@
+<?xml version='1.0' encoding='UTF-8'?>
+<rougail version="0.10">
+  <services>
+    <service name="peertube" target="multi-user">
+      <override/>
+      <file engine="none" source="sysuser-peertube.conf">/sysusers.d/0peertube.conf</file>
+      <file engine="none" source="tmpfile-peertube.conf">/tmpfiles.d/0peertube.conf</file>
+      <file>/etc/peertube/production.yaml</file>
+      <file engine="none">/etc/pam.d/login</file>
+      <file source="nginx.peertube.conf">/etc/nginx/conf.d/peertube.conf</file>
+    </service>
+  </services>
+  <variables>
+    <family name="peertube">
+      <variable name="peertube_admin_email" type="mail" description="Adresse courriel de l'administrateur Peertube" mandatory="True"/>
+      <variable name="peertube_short_description" type="string" description="Description courte de l'instance">
+        <value>PeerTube, an ActivityPub-federated video streaming platform using P2P directly in your web browser.</value>
+      </variable>
+      <variable name="peertube_description" type="string" description="Description de l'instance">
+        <value>Welcome to this PeerTube instance!</value>
+      </variable>
+    </family>
+    <family name="oauth2_client">
+      <variable name="oauth2_is_client_application" redefine='True'>
+        <value>True</value>
+      </variable>
+      <variable name="oauth2_client_name" redefine='True'>
+        <value>Vidéo</value>
+      </variable>
+      <variable name="oauth2_client_description" redefine='True'>
+        <value>Plateforme de partage de vidéo Peertube</value>
+      </variable>
+      <variable name="oauth2_client_category" redefine='True'>
+        <value>Réseaux sociaux</value>
+      </variable>
+      <variable name="oauth2_client_logo" redefine='True'>
+        <value>silique_video.png</value>
+      </variable>
+      <variable name="oauth2_client_external" redefine="True" remove_fill="True"/>
+    </family>
+    <family name="nginx" description="Reverse proxy">
+      <family name="revprox_client" description="Point d'entré des clients" leadership="True">
+        <variable name="revprox_client_location" redefine="True">
+          <value>/</value>
+        </variable>
+        <variable name="revprox_client_max_body_size" redefine="True">
+          <value>12G</value>
+        </variable>
+      </family>
+    </family>
+  </variables>
+  <constraints>
+    <fill name="calc_oauth2_client_external">
+      <param type="variable">revprox_client_external_domainname</param>
+      <param type="variable">revprox_client_location</param>
+      <param>plugins/auth-openid-connect/0.0.7/auth/openid-connect</param>
+      <target>oauth2_client_external</target>
+    </fill>
+    <fill name="calc_value">
+      <param type="boolean">True</param>
+      <param name="default" type="boolean">False</param>
+      <param name="condition" type="variable">revprox_client_location</param>
+      <param name="expected">/socket.io</param>
+      <target>revprox_client_is_websocket</target>
+    </fill>
+  </constraints>
+</rougail>
+

seed/applicationservice/2022.03.08/pleroma/manual/image/postinstall/pleroma.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+# https://docs-develop.pleroma.social/backend/installation/otp_en/
+
+arch="$(uname -m)";if [ "$arch" = "x86_64" ];then arch="amd64";elif [ "$arch" = "armv7l" ];then arch="arm";elif [ "$arch" = "aarch64" ];then arch="arm64";else echo "Unsupported arch: $arch">&2;fi;if getconf GNU_LIBC_VERSION>/dev/null;then libc_postfix="";elif [ "$(ldd 2>&1|head -c 9)" = "musl libc" ];then libc_postfix="-musl";elif [ "$(find /lib/libc.musl*|wc -l)" ];then libc_postfix="-musl";else echo "Unsupported libc">&2;fi;echo "$arch$libc_postfix"

seed/applicationservice/2022.03.08/pleroma/manual/image/preinstall/pleroma.sh

@@ -0,0 +1,2 @@
+PKG="$PKG ffmpeg"
+FUSION=true

seed/applicationservice/2022.03.08/pleroma/templates/login

@@ -0,0 +1,17 @@
+# File from util-linux-*.x86_64 (not installed)
+#%PAM-1.0
+auth       substack     system-auth
+auth       include      postlogin
+account    required     pam_nologin.so
+account    include      system-auth
+password   include      system-auth
+# pam_selinux.so close should be the first session rule
+session    required     pam_selinux.so close
+session    required     pam_loginuid.so
+# pam_selinux.so open should only be followed by sessions to be executed in the user context
+session    required     pam_selinux.so open
+session    required     pam_namespace.so
+session    optional     pam_keyinit.so force revoke
+session    include      system-auth
+session    include      postlogin
+-session   optional     pam_ck_connector.so

seed/applicationservice/2022.03.08/pleroma/templates/nginx.peertube.conf

@@ -0,0 +1,271 @@
+# GNUNUX /usr/share/peertube/support/nginx/peertube
+# Minimum Nginx version required:  1.13.0 (released Apr 25, 2017)
+# Please check your Nginx installation features the following modules via 'nginx -V':
+# STANDARD HTTP MODULES: Core, Proxy, Rewrite, Access, Gzip, Headers, HTTP/2, Log, Real IP, SSL, Thread Pool, Upstream, AIO Multithreading.
+# THIRD PARTY MODULES:   None.
+
+# GNUNUX server {
+# GNUNUX   listen 80;
+# GNUNUX   listen [::]:80;
+# GNUNUX   server_name ${WEBSERVER_HOST};
+# GNUNUX 
+# GNUNUX   location /.well-known/acme-challenge/ {
+# GNUNUX     default_type "text/plain";
+# GNUNUX     root /var/www/certbot;
+# GNUNUX   }
+# GNUNUX   location / { return 301 https://$host$request_uri; }
+# GNUNUX }
+
+upstream %%domain_name_eth0 {
+# GNUNUX  server ${PEERTUBE_HOST};
+  server localhost:9000;
+}
+
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  server_name %%domain_name_eth0;
+
+# GNUNUX  access_log /var/log/nginx/peertube.access.log; # reduce I/0 with buffer=10m flush=5m
+# GNUNUX  error_log  /var/log/nginx/peertube.error.log;
+
+  ##
+  # Certificates
+  # you need a certificate to run in production. see https://letsencrypt.org/
+  ##
+# GNUNUX  ssl_certificate     /etc/letsencrypt/live/${WEBSERVER_HOST}/fullchain.pem;
+# GNUNUX  ssl_certificate_key /etc/letsencrypt/live/${WEBSERVER_HOST}/privkey.pem;
+#>GNUNUX
+  ssl_client_certificate %%revprox_ca_file;
+  ssl_certificate        %%revprox_cert_file;
+  ssl_certificate_key    %%revprox_key_file;
+#<GNUNUX
+
+# GNUNUX  location ^~ '/.well-known/acme-challenge' {
+# GNUNUX    default_type "text/plain";
+# GNUNUX    root /var/www/certbot;
+# GNUNUX  }
+
+  ##
+  # Security hardening (as of Nov 15, 2020)
+  # based on Mozilla Guideline v5.6
+  ##
+
+  ssl_protocols             TLSv1.2 TLSv1.3;
+  ssl_prefer_server_ciphers on;
+  ssl_ciphers               ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
+  ssl_session_timeout       1d; # defaults to 5m
+  ssl_session_cache         shared:SSL:10m; # estimated to 40k sessions
+  ssl_session_tickets       off;
+  ssl_stapling              on;
+  ssl_stapling_verify       on;
+  # HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
+  #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
+
+  ##
+  # Application
+  ##
+
+  location @api {
+#    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header Host            %%revprox_client_external_domainname;
+#    proxy_set_header X-Real-IP       $remote_addr;
+
+    client_max_body_size  100k; # default is 1M
+
+    proxy_connect_timeout 10m;
+    proxy_send_timeout    10m;
+    proxy_read_timeout    10m;
+    send_timeout          10m;
+
+    proxy_pass http://%%domain_name_eth0;
+  }
+
+  location / {
+    try_files /dev/null @api;
+  }
+
+  location = /api/v1/videos/upload-resumable {
+    client_max_body_size    0;
+    proxy_request_buffering off;
+
+    try_files /dev/null @api;
+  }
+
+  location = /api/v1/videos/upload {
+    limit_except POST HEAD { deny all; }
+
+    # This is the maximum upload size, which roughly matches the maximum size of a video file.
+    # Note that temporary space is needed equal to the total size of all concurrent uploads.
+    # This data gets stored in /var/lib/nginx by default, so you may want to put this directory
+    # on a dedicated filesystem.
+    client_max_body_size                      12G; # default is 1M
+    add_header            X-File-Maximum-Size 8G always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size)
+
+    try_files /dev/null @api;
+  }
+
+  location ~ ^/api/v1/(videos|video-playlists|video-channels|users/me) {
+    client_max_body_size                      6M; # default is 1M
+    add_header            X-File-Maximum-Size 4M always; # inform backend of the set value in bytes before mime-encoding (x * 1.4 >= client_max_body_size)
+
+    try_files /dev/null @api;
+  }
+
+  ##
+  # Websocket
+  ##
+
+  location @api_websocket {
+    proxy_http_version 1.1;
+#    proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
+    proxy_set_header   Host            %%revprox_client_external_domainname;
+#    proxy_set_header   X-Real-IP       $remote_addr;
+#    proxy_set_header   Upgrade         $http_upgrade;
+#    proxy_set_header   Connection      "upgrade";
+
+    proxy_pass http://%%domain_name_eth0;
+  }
+
+  location /socket.io {
+    try_files /dev/null @api_websocket;
+  }
+
+  location /tracker/socket {
+    # Peers send a message to the tracker every 15 minutes
+    # Don't close the websocket before then
+    proxy_read_timeout 15m; # default is 60s
+
+    try_files /dev/null @api_websocket;
+  }
+
+  ##
+  # Performance optimizations
+  # For extra performance please refer to https://github.com/denji/nginx-tuning
+  ##
+
+# GNUNUX  root /var/www/peertube/storage;
+  root /usr/share/peertube;
+
+  # Enable compression for JS/CSS/HTML, for improved client load times.
+  # It might be nice to compress JSON/XML as returned by the API, but
+  # leaving that out to protect against potential BREACH attack.
+  gzip              on;
+  gzip_vary         on;
+  gzip_types        # text/html is always compressed by HttpGzipModule
+                    text/css
+                    application/javascript
+                    font/truetype
+                    font/opentype
+                    application/vnd.ms-fontobject
+                    image/svg+xml;
+  gzip_min_length   1000; # default is 20 bytes
+  gzip_buffers      16 8k;
+  gzip_comp_level   2; # default is 1
+
+  client_body_timeout       30s; # default is 60
+  client_header_timeout     10s; # default is 60
+  send_timeout              10s; # default is 60
+  keepalive_timeout         10s; # default is 75
+  resolver_timeout          10s; # default is 30
+  reset_timedout_connection on;
+  proxy_ignore_client_abort on;
+
+  tcp_nopush                on; # send headers in one piece
+  tcp_nodelay               on; # don't buffer data sent, good for small data bursts in real time
+
+  # If you have a small /var/lib partition, it could be interesting to store temp nginx uploads in a different place
+  # See https://nginx.org/en/docs/http/ngx_http_core_module.html#client_body_temp_path
+  #client_body_temp_path /var/www/peertube/storage/nginx/;
+
+  # Bypass PeerTube for performance reasons. Optional.
+  # Should be consistent with client-overrides assets list in /server/controllers/client.ts
+  location ~ ^/client/(assets/images/(icons/icon-36x36\.png|icons/icon-48x48\.png|icons/icon-72x72\.png|icons/icon-96x96\.png|icons/icon-144x144\.png|icons/icon-192x192\.png|icons/icon-512x512\.png|logo\.svg|favicon\.png|default-playlist\.jpg|default-avatar-account\.png|default-avatar-video-channel\.png))$ {
+    add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year
+
+# GNUNUX    root /var/www/peertube;
+    root /usr/share/peertube;
+
+    try_files /storage/client-overrides/$1 /peertube-latest/client/dist/$1 @api;
+  }
+
+  # Bypass PeerTube for performance reasons. Optional.
+  location ~ ^/client/(.*\.(js|css|png|svg|woff2|otf|ttf|woff|eot))$ {
+    add_header Cache-Control "public, max-age=31536000, immutable"; # Cache 1 year
+
+# GNUNUX    alias /var/www/peertube/client/dist/$1;
+    alias /usr/share/peertube/client/dist/$1;
+  }
+
+  # Bypass PeerTube for performance reasons. Optional.
+  location ~ ^/static/(thumbnails|avatars)/ {
+    root /srv/peertube;
+    if ($request_method = 'OPTIONS') {
+      add_header Access-Control-Allow-Origin  '*';
+      add_header Access-Control-Allow-Methods 'GET, OPTIONS';
+      add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+      add_header Access-Control-Max-Age       1728000; # Preflight request can be cached 20 days
+      add_header Content-Type                 'text/plain charset=UTF-8';
+      add_header Content-Length               0;
+      return 204;
+    }
+
+    add_header Access-Control-Allow-Origin    '*';
+    add_header Access-Control-Allow-Methods   'GET, OPTIONS';
+    add_header Access-Control-Allow-Headers   'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+    add_header Cache-Control                  "public, max-age=7200"; # Cache response 2 hours
+
+    rewrite ^/static/(.*)$ /$1 break;
+
+    try_files $uri @api;
+  }
+
+  # Bypass PeerTube for performance reasons. Optional.
+  location ~ ^/static/(webseed|redundancy|streaming-playlists)/ {
+    root /srv/peertube;
+    limit_rate_after            5M;
+
+    # Clients usually have 4 simultaneous webseed connections, so the real limit is 3MB/s per client
+    set $peertube_limit_rate    800k;
+
+    # Increase rate limit in HLS mode, because we don't have multiple simultaneous connections
+    if ($request_uri ~ -fragmented.mp4$) {
+      set $peertube_limit_rate  5M;
+    }
+
+    # Use this line with nginx >= 1.17.0
+    #limit_rate $peertube_limit_rate;
+    # Or this line if your nginx < 1.17.0
+    set $limit_rate $peertube_limit_rate;
+
+    if ($request_method = 'OPTIONS') {
+      add_header Access-Control-Allow-Origin  '*';
+      add_header Access-Control-Allow-Methods 'GET, OPTIONS';
+      add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+      add_header Access-Control-Max-Age       1728000; # Preflight request can be cached 20 days
+      add_header Content-Type                 'text/plain charset=UTF-8';
+      add_header Content-Length               0;
+      return 204;
+    }
+
+    if ($request_method = 'GET') {
+      add_header Access-Control-Allow-Origin  '*';
+      add_header Access-Control-Allow-Methods 'GET, OPTIONS';
+      add_header Access-Control-Allow-Headers 'Range,DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
+
+      # Don't spam access log file with byte range requests
+      access_log off;
+    }
+
+    # Enabling the sendfile directive eliminates the step of copying the data into the buffer
+    # and enables direct copying data from one file descriptor to another.
+    sendfile on;
+    sendfile_max_chunk 1M; # prevent one fast connection from entirely occupying the worker process. should be > 800k.
+    aio threads;
+
+    rewrite ^/static/webseed/(.*)$ /videos/$1 break;
+    rewrite ^/static/(.*)$         /$1        break;
+
+    try_files $uri @api;
+  }
+}

seed/applicationservice/2022.03.08/pleroma/templates/peertube.service

@@ -0,0 +1,5 @@
+[Service]
+Environment=PGPASSFILE=/usr/local/lib/secrets/postgresql.pass
+ExecStartPost=+/usr/bin/timeout 90 sh -c 'while ! /usr/bin/psql --set=sslmode=verify-full -h %%pg_client_server_domainname -U %%pg_client_username %%pg_client_database -c "SELECT * FROM plugin;"; do sleep 1; done'
+ExecStartPost=+/usr/bin/psql --set=sslmode=verify-full -h %%pg_client_server_domainname -U %%pg_client_username %%pg_client_database -c "DELETE FROM plugin;"
+ExecStartPost=+/usr/bin/psql --set=sslmode=verify-full -h %%pg_client_server_domainname -U %%pg_client_username %%pg_client_database -c "INSERT INTO plugin (name, type, version, enabled, uninstalled, \"peertubeEngine\", description, homepage, settings, \"createdAt\", \"updatedAt\") VALUES ('auth-openid-connect', '1', '0.0.7', true, false, '>=2.2.0', 'Add OpenID connect support to login form in PeerTube.', 'https://framagit.org/framasoft/peertube/official-plugins/tree/master/peertube-plugin-auth-openid-connect', '{\"scope\": \"openid email profile\", \"client-id\": \"%%oauth2_client_id\", \"discover-url\": \"https://%%oauth2_client_server_domainname/.well-known/openid-configuration\", \"client-secret\": \"%%oauth2_client_secret\", \"mail-property\": \"email\", \"auth-display-name\": \"OpenID Connect\", \"username-property\": \"nickname\", \"signature-algorithm\": \"%%oauth2_client_token_signature_algo\", \"display-name-property\": \"email\"}', '2022-04-05 18:12:34.832+02', '2022-04-05 18:12:34.832+02')"

seed/applicationservice/2022.03.08/pleroma/templates/production.yaml

@@ -0,0 +1,638 @@
+%compiler-settings
+commentStartToken = §
+%end compiler-settings
+listen:
+  hostname: 'localhost'
+  port: 9000
+
+# Correspond to your reverse proxy server_name/listen configuration (i.e., your public PeerTube instance URL)
+webserver:
+  https: true
+  hostname: '%%revprox_client_external_domainname'
+  port: 443
+
+rates_limit:
+  api:
+    # 50 attempts in 10 seconds
+    window: 10 seconds
+    max: 50
+  login:
+    # 15 attempts in 5 min
+    window: 5 minutes
+    max: 15
+  signup:
+    # 2 attempts in 5 min (only succeeded attempts are taken into account)
+    window: 5 minutes
+    max: 2
+  ask_send_email:
+    # 3 attempts in 5 min
+    window: 5 minutes
+    max: 3
+
+# Proxies to trust to get real client IP
+# If you run PeerTube just behind a local proxy (nginx), keep 'loopback'
+# If you run PeerTube behind a remote proxy, add the proxy IP address (or subnet)
+trust_proxy:
+  - 'loopback'
+
+# Your database name will be database.name OR 'peertube'+database.suffix
+database:
+  hostname: '%%pg_client_server_domainname'
+  port: 5432
+  ssl: true
+  suffix: '_prod'
+  name: '%%pg_client_database'
+  username: '%%pg_client_username'
+  password: '%%pg_client_password'
+  pool:
+    max: 5
+
+# Redis server for short time storage
+# You can also specify a 'socket' path to a unix socket but first need to
+# comment out hostname and port
+redis:
+  hostname: '%%redis_client_server_domainname'
+  port: 6379
+  auth: '%%redis_client_password'
+  db: 0
+
+# SMTP server to send emails
+smtp:
+  # smtp or sendmail
+  transport: smtp
+  # Path to sendmail command. Required if you use sendmail transport
+  sendmail: null
+  hostname: '%%smtp_relay_address'
+  port: 25 # If you use StartTLS: 587
+  username: '%%smtp_relay_user'
+  password: '%%smtp_relay_password'
+  tls: false # If you use StartTLS: false
+  disable_starttls: false
+  ca_file: '/etc/pki/ca-trust/source/anchors/ca_MailRelay.crt' # Used for self signed certificates
+  from_address: '%%peertube_admin_email'
+
+email:
+  body:
+    signature: 'PeerTube'
+  subject:
+    prefix: '[PeerTube]'
+
+# Update default PeerTube values
+# Set by API when the field is not provided and put as default value in client
+defaults:
+  # Change default values when publishing a video (upload/import/go Live)
+  publish:
+    download_enabled: true
+
+    comments_enabled: true
+
+    # public = 1, unlisted = 2, private = 3, internal = 4
+    privacy: 1
+
+    # CC-BY = 1, CC-SA = 2, CC-ND = 3, CC-NC = 4, CC-NC-SA = 5, CC-NC-ND = 6, Public Domain = 7
+    # You can also choose a custom licence value added by a plugin
+    # No licence by default
+    licence: null
+
+  p2p:
+    # Enable P2P by default
+    # Can be enabled/disabled by anonymous users and logged in users
+    webapp:
+      enabled: true
+
+    embed:
+      enabled: true
+
+# From the project root directory
+storage:
+  tmp: '/srv/peertube/tmp/' # Use to download data (imports etc), store uploaded files before and during processing...
+  bin: '/srv/peertube/bin/'
+  avatars: '/srv/peertube/avatars/'
+  videos: '/srv/peertube/videos/'
+  streaming_playlists: '/srv/peertube/streaming-playlists/'
+  redundancy: '/srv/peertube/redundancy/'
+  logs: '/srv/peertube/logs/'
+  previews: '/srv/peertube/previews/'
+  thumbnails: '/srv/peertube/thumbnails/'
+  torrents: '/srv/peertube/torrents/'
+  captions: '/srv/peertube/captions/'
+  cache: '/srv/peertube/cache/'
+  plugins: '/usr/share/peertube_plugins/'
+  # Overridable client files in client/dist/assets/images:
+  # - logo.svg
+  # - favicon.png
+  # - default-playlist.jpg
+  # - default-avatar-account.png
+  # - default-avatar-video-channel.png
+  # - and icons/*.png (PWA)
+  # Could contain for example assets/images/favicon.png
+  # If the file exists, peertube will serve it
+  # If not, peertube will fallback to the default file
+  client_overrides: '/srv/peertube/client-overrides/'
+
+object_storage:
+  enabled: false
+
+  # Without protocol, will default to HTTPS
+  endpoint: '' # 's3.amazonaws.com' or 's3.fr-par.scw.cloud' for example
+
+  region: 'us-east-1'
+
+  credentials:
+    # You can also use AWS_ACCESS_KEY_ID env variable
+    access_key_id: ''
+    # You can also use AWS_SECRET_ACCESS_KEY env variable
+    secret_access_key: ''
+
+  # Maximum amount to upload in one request to object storage
+  max_upload_part: 2GB
+
+  streaming_playlists:
+    bucket_name: 'streaming-playlists'
+
+    # Allows setting all buckets to the same value but with a different prefix
+    prefix: '' # Example: 'streaming-playlists:'
+
+    # Base url for object URL generation, scheme and host will be replaced by this URL
+    # Useful when you want to use a CDN/external proxy
+    base_url: '' # Example: 'https://mirror.example.com'
+
+  # Same settings but for webtorrent videos
+  videos:
+    bucket_name: 'videos'
+    prefix: ''
+    base_url: ''
+
+log:
+  level: 'info' # 'debug' | 'info' | 'warn' | 'error'
+  rotation:
+    enabled : false # Enabled by default, if disabled make sure that 'storage.logs' is pointing to a folder handled by logrotate
+    max_file_size: 12MB
+    max_files: 20
+  anonymize_ip: false
+  log_ping_requests: true
+  prettify_sql: false
+
+trending:
+  videos:
+    interval_days: 7 # Compute trending videos for the last x days
+    algorithms:
+      enabled:
+        - 'best' # adaptation of Reddit's 'Best' algorithm (Hot minus History)
+        - 'hot' # adaptation of Reddit's 'Hot' algorithm
+        - 'most-viewed' # default, used initially by PeerTube as the trending page
+        - 'most-liked'
+      default: 'most-viewed'
+
+# Cache remote videos on your server, to help other instances to broadcast the video
+# You can define multiple caches using different sizes/strategies
+# Once you have defined your strategies, choose which instances you want to cache in admin -> manage follows -> following
+redundancy:
+  videos:
+    check_interval: '1 hour' # How often you want to check new videos to cache
+    strategies: # Just uncomment strategies you want
+#      -
+#        size: '10GB'
+#        # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
+#        min_lifetime: '48 hours'
+#        strategy: 'most-views' # Cache videos that have the most views
+#      -
+#        size: '10GB'
+#        # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
+#        min_lifetime: '48 hours'
+#        strategy: 'trending' # Cache trending videos
+#      -
+#        size: '10GB'
+#        # Minimum time the video must remain in the cache. Only accept values > 10 hours (to not overload remote instances)
+#        min_lifetime: '48 hours'
+#        strategy: 'recently-added' # Cache recently added videos
+#        min_views: 10 # Having at least x views
+
+# Other instances that duplicate your content
+remote_redundancy:
+  videos:
+    # 'nobody': Do not accept remote redundancies
+    # 'anybody': Accept remote redundancies from anybody
+    # 'followings': Accept redundancies from instance followings
+    accept_from: 'anybody'
+
+csp:
+  enabled: false
+  report_only: true # CSP directives are still being tested, so disable the report only mode at your own risk!
+  report_uri:
+
+security:
+  # Set the X-Frame-Options header to help to mitigate clickjacking attacks
+  frameguard:
+    enabled: true
+
+tracker:
+  # If you disable the tracker, you disable the P2P aspect of PeerTube
+  enabled: true
+  # Only handle requests on your videos
+  # If you set this to false it means you have a public tracker
+  # Then, it is possible that clients overload your instance with external torrents
+  private: true
+  # Reject peers that do a lot of announces (could improve privacy of TCP/UDP peers)
+  reject_too_many_announces: false
+
+history:
+  videos:
+    # If you want to limit users videos history
+    # -1 means there is no limitations
+    # Other values could be '6 months' or '30 days' etc (PeerTube will periodically delete old entries from database)
+    max_age: -1
+
+views:
+  videos:
+    # PeerTube creates a database entry every hour for each video to track views over a period of time
+    # This is used in particular by the Trending page
+    # PeerTube could remove old remote video views if you want to reduce your database size (video view counter will not be altered)
+    # -1 means no cleanup
+    # Other values could be '6 months' or '30 days' etc (PeerTube will periodically delete old entries from database)
+    remote:
+      max_age: '30 days'
+
+    # PeerTube buffers local video views before updating and federating the video
+    local_buffer_update_interval: '30 minutes'
+
+    ip_view_expiration: '1 hour'
+
+plugins:
+  # The website PeerTube will ask for available PeerTube plugins and themes
+  # This is an unmoderated plugin index, so only install plugins/themes you trust
+  index:
+    enabled: false
+    check_latest_versions_interval: '12 hours' # How often you want to check new plugins/themes versions
+    url: 'https://packages.joinpeertube.org'
+
+federation:
+  videos:
+    federate_unlisted: false
+
+    # Add a weekly job that cleans up remote AP interactions on local videos (shares, rates and comments)
+    # It removes objects that do not exist anymore, and potentially fix their URLs
+    cleanup_remote_interactions: true
+
+peertube:
+  check_latest_version:
+    # Check and notify admins of new PeerTube versions
+    enabled: false
+    # You can use a custom URL if your want, that respect the format behind https://joinpeertube.org/api/v1/versions.json
+    url: 'https://joinpeertube.org/api/v1/versions.json'
+
+webadmin:
+  configuration:
+    edition:
+      # Set this to false if you don't want to allow config edition in the web interface by instance admins
+      allowed: false
+
+###############################################################################
+#
+# From this point, all the following keys can be overridden by the web interface
+# (local-production.json file). If you need to change some values, prefer to
+# use the web interface because the configuration will be automatically
+# reloaded without any need to restart PeerTube
+#
+# /!\ If you already have a local-production.json file, the modification of the
+# following keys will have no effect /!\
+#
+###############################################################################
+
+cache:
+  previews:
+    size: 500 # Max number of previews you want to cache
+  captions:
+    size: 500 # Max number of video captions/subtitles you want to cache
+  torrents:
+    size: 500 # Max number of video torrents you want to cache
+
+admin:
+  # Used to generate the root user at first startup
+  # And to receive emails from the contact form
+  email: '%%peertube_admin_email'
+
+contact_form:
+  enabled: true
+
+signup:
+  enabled: false
+  limit: 10 # When the limit is reached, registrations are disabled. -1 == unlimited
+  minimum_age: 16 # Used to configure the signup form
+  requires_email_verification: false
+  filters:
+    cidr: # You can specify CIDR ranges to whitelist (empty = no filtering) or blacklist
+      whitelist: []
+      blacklist: []
+
+user:
+  # Default value of maximum video bytes the user can upload (does not take into account transcoded files)
+  # Byte format is supported ("1GB" etc)
+  # -1 == unlimited
+  video_quota: -1
+  video_quota_daily: -1
+
+video_channels:
+  max_per_user: 20 # Allows each user to create up to 20 video channels.
+
+# If enabled, the video will be transcoded to mp4 (x264) with `faststart` flag
+# In addition, if some resolutions are enabled the mp4 video file will be transcoded to these new resolutions
+# Please, do not disable transcoding since many uploaded videos will not work
+transcoding:
+  enabled: true
+
+  # Allow your users to upload .mkv, .mov, .avi, .wmv, .flv, .f4v, .3g2, .3gp, .mts, m2ts, .mxf, .nut videos
+  allow_additional_extensions: true
+
+  # If a user uploads an audio file, PeerTube will create a video by merging the preview file and the audio file
+  allow_audio_files: true
+
+  # Amount of threads used by ffmpeg for 1 transcoding job
+  threads: 1
+  # Amount of transcoding jobs to execute in parallel
+  concurrency: 1
+
+  # Choose the transcoding profile
+  # New profiles can be added by plugins
+  # Available in core PeerTube: 'default'
+  profile: 'default'
+
+  resolutions: # Only created if the original video has a higher resolution, uses more storage!
+    0p: false # audio-only (creates mp4 without video stream, always created when enabled)
+    144p: false
+    240p: false
+    360p: false
+    480p: false
+    720p: false
+    1080p: false
+    1440p: false
+    2160p: false
+
+  # Generate videos in a WebTorrent format (what we do since the first PeerTube release)
+  # If you also enabled the hls format, it will multiply videos storage by 2
+  # If disabled, breaks federation with PeerTube instances < 2.1
+  webtorrent:
+    enabled: false
+
+  # /!\ Requires ffmpeg >= 4.1
+  # Generate HLS playlists and fragmented MP4 files. Better playback than with WebTorrent:
+  #     * Resolution change is smoother
+  #     * Faster playback in particular with long videos
+  #     * More stable playback (less bugs/infinite loading)
+  # If you also enabled the webtorrent format, it will multiply videos storage by 2
+  hls:
+    enabled: true
+
+live:
+  enabled: false
+
+  # Limit lives duration
+  # -1 == unlimited
+  max_duration: -1 # For example: '5 hours'
+
+  # Limit max number of live videos created on your instance
+  # -1 == unlimited
+  max_instance_lives: 20
+
+  # Limit max number of live videos created by a user on your instance
+  # -1 == unlimited
+  max_user_lives: 3
+
+  # Allow your users to save a replay of their live
+  # PeerTube will transcode segments in a video file
+  # If the user daily/total quota is reached, PeerTube will stop the live
+  # /!\ transcoding.enabled (and not live.transcoding.enabled) has to be true to create a replay
+  allow_replay: true
+
+  # Your firewall should accept traffic from this port in TCP if you enable live
+  rtmp:
+    enabled: true
+    port: 1935
+
+  rtmps:
+    enabled: false
+    port: 1936
+    # Absolute path
+    key_file: ''
+    # Absolute path
+    cert_file: ''
+
+  # Allow to transcode the live streaming in multiple live resolutions
+  transcoding:
+    enabled: true
+    threads: 2
+
+    # Choose the transcoding profile
+    # New profiles can be added by plugins
+    # Available in core PeerTube: 'default'
+    profile: 'default'
+
+    resolutions:
+      144p: false
+      240p: false
+      360p: false
+      480p: false
+      720p: false
+      1080p: false
+      1440p: false
+      2160p: false
+
+import:
+  # Add ability for your users to import remote videos (from YouTube, torrent...)
+  videos:
+    # Amount of import jobs to execute in parallel
+    concurrency: 1
+
+    # Classic HTTP or all sites supported by youtube-dl https://rg3.github.io/youtube-dl/supportedsites.html
+    http:
+      # We recommend to use a HTTP proxy if you enable HTTP import to prevent private URL access from this server
+      # See https://docs.joinpeertube.org/maintain-configuration?id=security for more information
+      enabled: true
+
+      youtube_dl_release:
+        # Direct download URL to youtube-dl binary
+        # Github releases API is also supported
+        # Examples:
+        #   * https://api.github.com/repos/ytdl-org/youtube-dl/releases
+        #   * https://api.github.com/repos/yt-dlp/yt-dlp/releases
+        url: 'https://yt-dl.org/downloads/latest/youtube-dl'
+
+        # youtube-dl binary name
+        # yt-dlp is also supported
+        name: 'youtube-dl'
+
+        # Path to the python binary to execute for youtube-dl or yt-dlp
+        python_path: '/usr/bin/python3'
+
+      # IPv6 is very strongly rate-limited on most sites supported by youtube-dl
+      force_ipv4: false
+
+    # Magnet URI or torrent file (use classic TCP/UDP/WebSeed to download the file)
+    torrent:
+      # We recommend to only enable magnet URI/torrent import if you trust your users
+      # See https://docs.joinpeertube.org/maintain-configuration?id=security for more information
+      enabled: false
+
+auto_blacklist:
+  # New videos automatically blacklisted so moderators can review before publishing
+  videos:
+    of_users:
+      enabled: false
+
+# Instance settings
+instance:
+  name: 'PeerTube'
+  short_description: '%%peertube_short_description'
+  description: '%%peertube_description' # Support markdown
+  terms: 'No terms for now.' # Support markdown
+  code_of_conduct: '' # Supports markdown
+
+  # Who moderates the instance? What is the policy regarding NSFW videos? Political videos? etc
+  moderation_information: '' # Supports markdown
+
+  # Why did you create this instance?
+  creation_reason: '' # Supports Markdown
+
+  # Who is behind the instance? A single person? A non profit?
+  administrator: '' # Supports Markdown
+
+  # How long do you plan to maintain this instance?
+  maintenance_lifetime: '' # Supports Markdown
+
+  # How will you pay the PeerTube instance server? With your own funds? With users donations? Advertising?
+  business_model: '' # Supports Markdown
+
+  # If you want to explain on what type of hardware your PeerTube instance runs
+  # Example: '2 vCore, 2GB RAM...'
+  hardware_information: '' # Supports Markdown
+
+  # What are the main languages of your instance? To interact with your users for example
+  # Uncomment or add the languages you want
+  # List of supported languages: https://peertube.cpy.re/api/v1/videos/languages
+  languages:
+#    - en
+#    - es
+    - fr
+
+  # You can specify the main categories of your instance (dedicated to music, gaming or politics etc)
+  # Uncomment or add the category ids you want
+  # List of supported categories: https://peertube.cpy.re/api/v1/videos/categories
+  categories:
+#    - 1  # Music
+#    - 2  # Films
+#    - 3  # Vehicles
+#    - 4  # Art
+#    - 5  # Sports
+#    - 6  # Travels
+#    - 7  # Gaming
+#    - 8  # People
+#    - 9  # Comedy
+#    - 10 # Entertainment
+#    - 11 # News & Politics
+#    - 12 # How To
+#    - 13 # Education
+#    - 14 # Activism
+#    - 15 # Science & Technology
+#    - 16 # Animals
+#    - 17 # Kids
+#    - 18 # Food
+
+  default_client_route: '/videos/trending'
+
+  # Whether or not the instance is dedicated to NSFW content
+  # Enabling it will allow other administrators to know that you are mainly federating sensitive content
+  # Moreover, the NSFW checkbox on video upload will be automatically checked by default
+  is_nsfw: false
+  # By default, `do_not_list` or `blur` or `display` NSFW videos
+  # Could be overridden per user with a setting
+  default_nsfw_policy: 'do_not_list'
+
+  customizations:
+    javascript: '' # Directly your JavaScript code (without <script> tags). Will be eval at runtime
+    css: '' # Directly your CSS code (without <style> tags). Will be injected at runtime
+  # Robot.txt rules. To disallow robots to crawl your instance and disallow indexation of your site, add `/` to `Disallow:`
+  robots: |
+    User-agent: *
+    Disallow:
+  # Security.txt rules. To discourage researchers from testing your instance and disable security.txt integration, set this to an empty string
+  securitytxt:
+    '# If you would like to report a security issue\n# you may report it to:\nContact: https://github.com/Chocobozzz/PeerTube/blob/develop/SECURITY.md\nContact: mailto:'
+
+services:
+  # Cards configuration to format video in Twitter
+  twitter:
+    username: '@Chocobozzz' # Indicates the Twitter account for the website or platform on which the content was published
+    # If true, a video player will be embedded in the Twitter feed on PeerTube video share
+    # If false, we use an image link card that will redirect on your PeerTube instance
+    # Change it to `true`, and then test on https://cards-dev.twitter.com/validator to see if you are whitelisted
+    whitelisted: false
+
+followers:
+  instance:
+    # Allow or not other instances to follow yours
+    enabled: true
+    # Whether or not an administrator must manually validate a new follower
+    manual_approval: false
+
+followings:
+  instance:
+    # If you want to automatically follow back new instance followers
+    # If this option is enabled, use the mute feature instead of deleting followings
+    # /!\ Don't enable this if you don't have a reactive moderation team /!\
+    auto_follow_back:
+      enabled: false
+
+    # If you want to automatically follow instances of the public index
+    # If this option is enabled, use the mute feature instead of deleting followings
+    # /!\ Don't enable this if you don't have a reactive moderation team /!\
+    auto_follow_index:
+      enabled: false
+      # Host your own using https://framagit.org/framasoft/peertube/instances-peertube#peertube-auto-follow
+      index_url: ''
+
+theme:
+  default: 'default'
+
+broadcast_message:
+  enabled: false
+  message: '' # Support markdown
+  level: 'info' # 'info' | 'warning' | 'error'
+  dismissable: false
+
+search:
+  # Add ability to fetch remote videos/actors by their URI, that may not be federated with your instance
+  # If enabled, the associated group will be able to "escape" from the instance follows
+  # That means they will be able to follow channels, watch videos, list videos of non followed instances
+  remote_uri:
+    users: true
+    anonymous: false
+
+  # Use a third party index instead of your local index, only for search results
+  # Useful to discover content outside of your instance
+  # If you enable search_index, you must enable remote_uri search for users
+  # If you do not enable remote_uri search for anonymous user, your instance will redirect the user on the origin instance
+  # instead of loading the video locally
+  search_index:
+    enabled: false
+    # URL of the search index, that should use the same search API and routes
+    # than PeerTube: https://docs.joinpeertube.org/api-rest-reference.html
+    # You should deploy your own with https://framagit.org/framasoft/peertube/search-index,
+    # and can use https://search.joinpeertube.org/ for tests, but keep in mind the latter is an unmoderated search index
+    url: ''
+    # You can disable local search, so users only use the search index
+    disable_local_search: false
+    # If you did not disable local search, you can decide to use the search index by default
+    is_default_search: false
+
+# PeerTube client/interface configuration
+client:
+  videos:
+    miniature:
+      # By default PeerTube client displays author username
+      prefer_author_display_name: false
+
+  menu:
+    login:
+      # If you enable only one external auth plugin
+      # You can automatically redirect your users on this external platform when they click on the login button
+      redirect_on_single_external_auth: false

seed/applicationservice/2022.03.08/pleroma/templates/sysuser-peertube.conf

@@ -0,0 +1,2 @@
+g peertube 982 -
+u peertube 983:982     "Peertube Server" /usr/share/peertube  /sbin/nologin

seed/applicationservice/2022.03.08/pleroma/templates/tmpfile-peertube.conf

@@ -0,0 +1 @@
+d /srv/peertube/ 750 peertube nginx - -

seed/applicationservice/2022.03.08/postfix-relay/dictionaries/30_postfix.xml

@@ -38,7 +38,6 @@
     <family name="postfix" description="Postfix mail server">
       <variable name="postfix_mail_hostname" type="domainname" description="Nom de domaine extérieur du serveur de courriel" mandatory="True"/>
       <variable name="postfix_relay_domains" type="domainname" description="Domaine de courriel généré localement" multi="True" mandatory="True" hidden="True"/>
-      <variable name='postfix_ca_chain' description="CA certificate" hidden='True'/>
       <variable name='postfix_relay_authentifications' description="CA certificate" hidden='True' multi="True" provider="mail"/>
       <family name="local_authentification_" description="Local server authentification" dynamic='postfix_relay_authentifications'>
         <variable name="local_authentification_ip_" type="ip" provider="mail_ip"/>
@@ -51,11 +50,6 @@
     </family>
   </variables>
   <constraints>
-    <fill name="get_chain">
-      <param name="authority_cn" type="variable">domain_name_eth0</param>
-      <param name="authority_name">MailServer</param>
-      <target>postfix_ca_chain</target>
-    </fill>
     <fill name="calc_value">
       <param>/etc/opendkim/keys/</param>
       <param type="variable">postfix_relay_domains</param>

seed/applicationservice/2022.03.08/postfix-relay/templates/ca_MailServer.crt

@@ -1 +1 @@
-%%postfix_ca_chain
+%%get_chain(authority_cn=%%domain_name_eth0, authority_name="MailServer")

seed/applicationservice/2022.03.08/postgresql-client/dictionaries/23_postgresql.xml

@@ -3,6 +3,9 @@
   <services>
     <service name="postgresqlclient" target="multi-user" engine="creole">
       <file mode="400">/secrets/postgresql.pass</file>
+      <file>/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt</file>
+      <file>/etc/pki/tls/certs/postgresql.crt</file>
+      <file owner_type="variable" owner="pg_client_key_owner" mode="440">/etc/pki/tls/private/postgresql.key</file>
     </service>
   </services>
   <variables>
@@ -11,6 +14,9 @@
       <variable name="pg_client_username" description="Client username" mandatory="True" hidden="True"/>
       <variable name="pg_client_password" type="password" description="Client password" mandatory="True" hidden="True"/>
       <variable name="pg_client_database" description="Client database" mandatory="True" hidden="True"/>
+      <variable name="pg_client_key_owner" type="unix_user" description="Key owner" mandatory="True">
+        <value>root</value>
+      </variable>
     </family>
   </variables>
   <constraints>

seed/applicationservice/2022.03.08/postgresql-client/templates/ca_PostgreSQL.crt

@@ -0,0 +1,2 @@
+%%get_chain(authority_cn=%%pg_client_server_domainname, authority_name="PostgreSQL")
+

seed/applicationservice/2022.03.08/postgresql-client/templates/postgresql.crt

@@ -0,0 +1 @@
+%%get_certificate(cn=%%domain_name_eth0, authority_cn=%%pg_client_server_domainname, authority_name='PostgreSQL', type="client")

seed/applicationservice/2022.03.08/postgresql-client/templates/postgresql.key

@@ -0,0 +1 @@
+%%get_private_key(cn=%%domain_name_eth0, authority_cn=%%pg_client_server_domainname, authority_name='PostgreSQL', type="client")

seed/applicationservice/2022.03.08/postgresql-client/templates/postgresqlclient.service

@@ -6,4 +6,4 @@ Before=network.target
 Type=oneshot
 Environment=PGPASSFILE=/usr/local/lib/secrets/postgresql.pass
 ExecStart=/usr/bin/timeout 90 sh -c 'while ! 3<> /dev/tcp/%%pg_client_server_domainname/5432; do sleep 1; done; echo "POSTGRESQL STARTED"'
-ExecStart=/usr/bin/timeout 90 sh -c 'while ! /usr/bin/psql -h %%pg_client_server_domainname -U %%pg_client_username %%pg_client_database -c "\l"; do sleep 1; done; echo "POSTGRESQL READY"'
+ExecStart=/usr/bin/timeout 90 sh -c 'while ! /usr/bin/psql --set=sslmode=verify-full -h %%pg_client_server_domainname -U %%pg_client_username %%pg_client_database -c "\l"; do sleep 1; done; echo "POSTGRESQL READY"'

seed/applicationservice/2022.03.08/postgresql-server/dictionaries/22_postgresql.xml

@@ -10,6 +10,9 @@
       <file engine="none">/etc/postgresql/pg_ident.conf</file>
       <file engine="none" mode="755">/bin/postgresql_init</file>
       <file engine="none" source="sysuser-postgresql.conf">/sysusers.d/0postgresql.conf</file>
+      <file>/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt</file>
+      <file>/etc/pki/tls/certs/postgresql.crt</file>
+      <file owner="root" group="postgres" mode="440">/etc/pki/tls/private/postgresql.key</file>
     </service>
   </services>
   <variables>

seed/applicationservice/2022.03.08/postgresql-server/manual/image/preinstall/postgresql_server.sh

@@ -1 +1 @@
-PKG="$PKG postgresql-server"
+PKG="$PKG postgresql-server postgresql-contrib"

seed/applicationservice/2022.03.08/postgresql-server/templates/ca_PostgreSQL.crt

@@ -0,0 +1 @@
+%%get_chain(authority_cn=%%domain_name_eth0, authority_name="PostgreSQL")

seed/applicationservice/2022.03.08/postgresql-server/templates/pg_hba.conf

@@ -89,11 +89,11 @@ local   all         postgres	ident	map=pg_map
 #>GNUNUX
 # host    all             all             127.0.0.1/32            ident
 %for %%server in %%accounts.remotes
-host	%%normalize_family(%%server)	%%normalize_family(%%server)	%%server	md5
+hostssl	%%normalize_family(%%server)	%%normalize_family(%%server)	%%server	md5
 %end for
 #<GNUNUX
 # IPv6 local connections:
-host    all             all             ::1/128                 ident
+#host    all             all             ::1/128                 ident
 # Allow replication connections from localhost, by a user with the
 # replication privilege.
 #>GNUNUX

seed/applicationservice/2022.03.08/postgresql-server/templates/postgresql.conf

@@ -138,13 +138,12 @@ authentication_timeout = §§{pg_authentication_timeout}s
 #ssl_dh_params_file = ''
 #ssl_passphrase_command = ''
 #ssl_passphrase_command_supports_reload = off
-#>FIXME
-#ssl = true				# (change requires restart)
-#%import os
-#%set %%pg_server_cert_chain = os.path.splitext(§§pg_server_cert)[0] + '_ca-chain.crt'
-#ssl_cert_file = '%%pg_server_cert_chain'		# (change requires restart)
-#ssl_key_file = '§§pg_server_key'		# (change requires restart)
-#<FIXME
+#>GNUNUX
+ssl = true				# (change requires restart)
+ssl_ca_file = '/etc/pki/ca-trust/source/anchors/ca_PostgreSQL.crt'
+ssl_cert_file = '/etc/pki/tls/certs/postgresql.crt'		# (change requires restart)
+ssl_key_file = '/etc/pki/tls/private/postgresql.key'		# (change requires restart)
+#<GNUNUX
 
 #------------------------------------------------------------------------------
 # RESOURCE USAGE (except WAL)

seed/applicationservice/2022.03.08/postgresql-server/templates/postgresql.crt

@@ -0,0 +1 @@
+%%get_certificate(%%domain_name_eth0, 'PostgreSQL')

seed/applicationservice/2022.03.08/postgresql-server/templates/postgresql.key

@@ -0,0 +1 @@
+%%get_private_key(%%domain_name_eth0, 'PostgreSQL')

seed/applicationservice/2022.03.08/reverse-proxy-client/dictionaries/21_nginx_client.xml

@@ -19,6 +19,7 @@
         <variable name="revprox_client_is_websocket" type="boolean" description="Le point d'entré est de types websocket" mandatory="True">
           <value>False</value>
         </variable>
+        <variable name="revprox_client_max_body_size" description="Taille maximum du corps"/>
       </family>
       <variable name="revprox_client_local_location" type="filename" description="Nom de l'arborescene racine du site localement" hidden='True'/>
       <variable name="revprox_client_web_address" type="web_address" description="Nom de domaine du client du mandataire inverse" hidden='True'/>
@@ -34,6 +35,7 @@
       <variable name="revprox_ca_file" type="filename" description="Reverse proxy CA filename" hidden="True"/>
       <variable name="revprox_cert_file" type="filename" description="Reverse proxy certificate filename" hidden="True"/>
       <variable name="revprox_key_file" type="filename" description="Reverse proxy private key filename" hidden="True"/>
+      <variable name="nginx_default" exists="True" redefine="True" remove_fill="True" mandatory="False"/>
     </family>
   </variables>
   <constraints>
@@ -83,6 +85,14 @@
       <param name="leader_value" type="variable">revprox_client_location</param>
       <target>revprox_client_is_websocket</target>
     </check>
+    <check name="set_linked_configuration">
+      <param name="linked_server" type="variable">revprox_client_server_domainname</param>
+      <param name="linked_provider">revprox_max_body_size</param>
+      <param name="dynamic" type="variable">revprox_client_external_domainname</param>
+      <param name="leader_provider">revprox_location</param>
+      <param name="leader_value" type="variable">revprox_client_location</param>
+      <target>revprox_client_max_body_size</target>
+    </check>
     <check name="set_linked_configuration">
       <param name="linked_server" type="variable">revprox_client_server_domainname</param>
       <param name="linked_provider">revprox_url</param>

seed/applicationservice/2022.03.08/roundcube/dictionaries/31_roundcube.xml

@@ -5,6 +5,8 @@
       <file owner="root" group="apache" mode="640">/etc/roundcubemail/config.inc.php</file>
       <file>/etc/httpd/conf.d/roundcubemail.conf</file>
       <file>/secrets/roundcube-init.php</file>
+      <file engine="none">/static/silique_cloud.svg</file>
+      <file engine="none">/static/watermark.html</file>
       <file>/etc/pki/ca-trust/source/anchors/ca_MailServer.crt</file>
     </service>
   </services>
@@ -22,6 +24,12 @@
       <variable name="oauth2_client_description" redefine='True'>
         <value>Consulter ces courriels avec Roundcube</value>
       </variable>
+      <variable name="oauth2_client_category" redefine='True'>
+        <value>Collaboration</value>
+      </variable>
+      <variable name="oauth2_client_logo" redefine='True'>
+        <value>silique_email.png</value>
+      </variable>
     </family>
   </variables>
   <constraints>

seed/applicationservice/2022.03.08/roundcube/manual/image/preinstall/roundcube.sh

@@ -1 +1 @@
-PKG="$PKG mod_ssl roundcubemail php-cli php-pgsql php-pecl-redis5"
+PKG="$PKG roundcubemail php-cli php-pgsql php-pecl-redis5"

seed/applicationservice/2022.03.08/roundcube/templates/config.inc.php

@@ -31,7 +31,7 @@ $config = [];
 //       e.g. 'mysql://roundcube:@localhost/roundcubemail?verify_server_cert=false'
 // GNUNUX $config['db_dsnw'] = 'mysql://roundcube:@localhost/roundcubemail';
 //>GNUNUX
-$config['db_dsnw'] = 'pgsql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database';
+$config['db_dsnw'] = 'pgsql://%%pg_client_username:%%pg_client_password@%%pg_client_server_domainname/%%pg_client_database?sslmode=verify-full';
 //<GNUNUX
 
 // Database DSN for read-only operations (if empty write database will be used)
@@ -532,7 +532,7 @@ $config['support_url'] = '';
 // file from the currently selected skin. Prepend name/path with a slash to use
 // current skin folder. Remove the slash to point to a file in the Roundcube
 // root directory. It can be also a full URL.
-$config['blankpage_url'] = '/watermark.html';
+$config['blankpage_url'] = '/risotto/watermark.html';
 
 // Logo image replacement. Specifies location of the image as:
 // - URL relative to the document root of this Roundcube installation
@@ -566,7 +566,7 @@ $config['blankpage_url'] = '/watermark.html';
      "[print]" => "/images/logo_print.png",
    ];
 */
-$config['skin_logo'] = null;
+$config['skin_logo'] = '/risotto/silique_cloud.svg';
 
 // Automatically register user in Roundcube database on successful (IMAP) logon.
 // Set to false if only registered users should be allowed to the webmail.

seed/applicationservice/2022.03.08/roundcube/templates/roundcubemail.conf

@@ -2,6 +2,13 @@
 # Round Cube Webmail is a browser-based multilingual IMAP client
 #
 
+
+#>GNUNUX
+Alias /roundcube/skins/elastic/risotto/ /usr/local/lib/static/
+<Directory /usr/local/lib/static/>
+    Require all granted
+</Directory>
+#<GNUNUX
 # GNUNUX Alias /roundcubemail /usr/share/roundcubemail
 Alias /roundcube /usr/share/roundcubemail
 

seed/applicationservice/2022.03.08/roundcube/templates/silique_cloud.svg

@@ -0,0 +1,420 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<!-- Created with Inkscape (http://www.inkscape.org/) -->
+
+<svg
+   version="1.1"
+   id="svg2"
+   width="177.44817"
+   height="84.108955"
+   viewBox="0 0 177.44817 84.108956"
+   sodipodi:docname="silique_cloud.svg"
+   inkscape:version="1.1.2 (0a00cf5339, 2022-02-04)"
+   inkscape:export-filename="/home/gnunux/Silique/silique_cloud.png"
+   inkscape:export-xdpi="216.39999"
+   inkscape:export-ydpi="216.39999"
+   xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
+   xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
+   xmlns:xlink="http://www.w3.org/1999/xlink"
+   xmlns="http://www.w3.org/2000/svg"
+   xmlns:svg="http://www.w3.org/2000/svg">
+  <defs
+     id="defs6">
+    <linearGradient
+       id="linearGradient4842">
+      <stop
+         id="stop4838"
+         style="stop-color:#ffe96b;stop-opacity:1"
+         offset="0" />
+      <stop
+         id="stop4840"
+         style="stop-color:#91c644;stop-opacity:1"
+         offset="1" />
+    </linearGradient>
+    <linearGradient
+       inkscape:collect="always"
+       id="linearGradient126196">
+      <stop
+         style="stop-color:#007203;stop-opacity:1;"
+         offset="0"
+         id="stop126192" />
+      <stop
+         style="stop-color:#007203;stop-opacity:0;"
+         offset="1"
+         id="stop126194" />
+    </linearGradient>
+    <linearGradient
+       inkscape:collect="always"
+       id="fond_vert">
+      <stop
+         style="stop-color:#007203;stop-opacity:1;"
+         offset="0"
+         id="stop38409" />
+      <stop
+         style="stop-color:#5ca20e;stop-opacity:1"
+         offset="1"
+         id="stop38411" />
+    </linearGradient>
+    <linearGradient
+       id="linearGradient14755"
+       inkscape:swatch="solid">
+      <stop
+         style="stop-color:#9bca48;stop-opacity:1;"
+         offset="0"
+         id="stop14753" />
+    </linearGradient>
+    <marker
+       style="overflow:visible"
+       id="Arrow1Lstart"
+       refX="0"
+       refY="0"
+       orient="auto"
+       inkscape:stockid="Arrow1Lstart"
+       inkscape:isstock="true">
+      <path
+         transform="matrix(0.8,0,0,0.8,10,0)"
+         style="fill:context-stroke;fill-rule:evenodd;stroke:context-stroke;stroke-width:1pt"
+         d="M 0,0 5,-5 -12.5,0 5,5 Z"
+         id="path2092" />
+    </marker>
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient126196"
+       id="linearGradient126198"
+       x1="228.22656"
+       y1="202.49219"
+       x2="324.28137"
+       y2="202.49219"
+       gradientUnits="userSpaceOnUse" />
+    <clipPath
+       id="clipPath530"
+       clipPathUnits="userSpaceOnUse">
+      <path
+         id="path532"
+         inkscape:connector-curvature="0"
+         d="m 492.82,620.53 c 0,0 -1.181,-8.485 -10.269,-16.019 -9.092,-7.53 -31.685,-15.146 -46.705,-33.749 -15.018,-18.601 -7.72,-36.875 -3.868,-42.334 2.211,-3.134 5.562,-3.876 8.019,-3.935 -0.91,4.277 -1.486,9.019 -1.24,13.954 1.975,19.781 17.473,32.284 19.949,34.611 1.349,1.202 3.866,3.206 6.919,5.426 3.133,2.181 6.435,4.655 9.461,7.536 6.074,5.517 10.949,11.079 10.935,11.079 0.012,0 -4.141,-6.116 -9.656,-12.355 -2.642,-3.15 -5.994,-6.258 -8.846,-8.643 -2.823,-2.472 -5.122,-4.588 -6.416,-5.743 -1.264,-1.176 -5.338,-4.717 -9.235,-10.434 -1.967,-2.905 -3.76,-6.166 -5.493,-10.141 -1.684,-3.434 -2.509,-7.461 -2.548,-11.521 -0.062,-7.086 1.858,-14.012 3.846,-19.377 2.668,-1.382 6.865,-1.834 13.43,0.615 5.236,2.902 9.737,6.218 13.616,9.831 l -6.202,8.169 11.594,-2.494 c 3.872,4.61 6.918,9.569 9.3,14.689 l -11.267,3.398 14.096,3.661 c 2.466,7.16 3.802,14.474 4.41,21.474 l -11.195,-1.946 -0.114,-0.047 0.067,0.04 -1.22,-0.213 12.821,8.513 c 0.57,19.967 -4.189,35.955 -4.189,35.955" />
+    </clipPath>
+    <clipPath
+       id="clipPath554"
+       clipPathUnits="userSpaceOnUse">
+      <path
+         id="path556"
+         inkscape:connector-curvature="0"
+         d="m 435.85,570.76 c 13.509,16.729 33.148,24.578 43.571,31.466 -8.989,-8.201 -29.577,-17.459 -42.001,-36.625 -11.215,-17.302 -5.693,-33.296 -1.208,-40.414 -1.528,0.569 -3.041,1.559 -4.23,3.239 -3.852,5.459 -11.15,23.733 3.868,42.334" />
+    </clipPath>
+    <linearGradient
+       id="linearGradient886"
+       y2="7.5225039"
+       y1="7.5225039"
+       x1="7.7122393"
+       gradientTransform="matrix(0.03841487,0,0,0.03915282,255.99999,340.61689)"
+       x2="416.12695"
+       gradientUnits="userSpaceOnUse">
+      <stop
+         id="stop888"
+         style="stop-color:#004f00"
+         offset="0" />
+      <stop
+         id="stop889"
+         style="stop-color:#92c705"
+         offset="1" />
+    </linearGradient>
+    <linearGradient
+       id="linearGradient882"
+       y2="324.68274"
+       y1="157.96686"
+       x2="312.29535"
+       x1="207.02525"
+       gradientTransform="matrix(0.03700393,0,0,0.0406457,255.99999,340.61689)"
+       gradientUnits="userSpaceOnUse"
+       spreadMethod="pad">
+      <stop
+         id="stop884"
+         style="stop-color:#ffe96b;stop-opacity:1"
+         offset="0" />
+      <stop
+         id="stop885"
+         style="stop-color:#91c644;stop-opacity:1"
+         offset="1" />
+    </linearGradient>
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient882"
+       id="linearGradient2848"
+       x1="260.90359"
+       y1="348.3031"
+       x2="266.93088"
+       y2="352.25424"
+       gradientUnits="userSpaceOnUse" />
+    <linearGradient
+       id="linearGradient2220"
+       y2="439.15341"
+       xlink:href="#linearGradient4842"
+       gradientUnits="userSpaceOnUse"
+       x2="127.65018"
+       y1="306.14713"
+       x1="-15.283262"
+       inkscape:collect="always"
+       gradientTransform="matrix(0.03070057,0,0,0.03070057,241.2189,385.12111)" />
+    <linearGradient
+       id="linearGradient1762">
+      <stop
+         id="stop1758"
+         style="stop-color:#91c644;stop-opacity:1"
+         offset="0" />
+      <stop
+         id="stop1760"
+         style="stop-color:#85a25a;stop-opacity:1"
+         offset="1" />
+    </linearGradient>
+    <linearGradient
+       id="linearGradient2222"
+       y2="226.93604"
+       xlink:href="#linearGradient4842"
+       gradientUnits="userSpaceOnUse"
+       x2="326.89941"
+       gradientTransform="matrix(0.03070057,0,0,-0.03070057,241.2189,407.43705)"
+       y1="17.076748"
+       x1="116.66689"
+       inkscape:collect="always" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#linearGradient4842"
+       id="linearGradient1766"
+       x1="-77.476402"
+       y1="256.38412"
+       x2="417.90433"
+       y2="338.79333"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="matrix(0.03070057,0,0,0.03070057,241.2189,385.12111)" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#fond_vert"
+       id="linearGradient117744"
+       x1="163.58594"
+       y1="176.38477"
+       x2="267.45612"
+       y2="176.4704"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(-4.5684325,17.666728)" />
+    <linearGradient
+       inkscape:collect="always"
+       xlink:href="#fond_vert"
+       id="linearGradient1964"
+       x1="114.961"
+       y1="205.82333"
+       x2="292.40918"
+       y2="205.82333"
+       gradientUnits="userSpaceOnUse"
+       gradientTransform="translate(0.712326,1.22743)" />
+  </defs>
+  <sodipodi:namedview
+     id="namedview4"
+     pagecolor="#ffffff"
+     bordercolor="#666666"
+     borderopacity="1.0"
+     inkscape:pageshadow="2"
+     inkscape:pageopacity="0.0"
+     inkscape:pagecheckerboard="0"
+     showgrid="false"
+     inkscape:zoom="5.656854"
+     inkscape:cx="88.653517"
+     inkscape:cy="47.376156"
+     inkscape:window-width="1920"
+     inkscape:window-height="1011"
+     inkscape:window-x="0"
+     inkscape:window-y="0"
+     inkscape:window-maximized="1"
+     inkscape:current-layer="g8" />
+  <g
+     inkscape:groupmode="layer"
+     inkscape:label="Image"
+     id="g8"
+     transform="translate(-115.67333,-164.99629)">
+    <path
+       style="mix-blend-mode:normal;fill:url(#linearGradient1964);fill-opacity:1;fill-rule:nonzero;stroke:none;stroke-width:4.162;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 156.21634,241.25216 c -36.77875,-0.52415 -40.28886,-59.93704 -37.81186,-73.76847 4.31487,-6.88361 5.16377,67.54956 53.91071,53.40865 7.63767,-0.10896 7.46241,-0.48863 13.68295,0 0,0 6.02631,2.83696 11.70294,0 5.22924,0.25068 10.25553,-0.0838 14.96127,0 0,0 5.67039,3.50471 11.34285,0 5.0883,0.0159 9.51716,-0.0359 13.05654,0 8.45048,4.08054 11.69352,-0.0346 13.68994,0 26.68644,0.65642 13.91688,-3.86364 38.61636,18.90144 -21.12865,9.24298 -8.34416,6.82043 -38.1506,7.05356 -5.24229,-2.03839 -8.53586,-2.46696 -13.52289,0 -3.55366,-0.002 -7.27687,0.0168 -11.17766,0 -4.69904,-2.2063 -6.65631,-2.36355 -12.33414,0 -4.57699,-0.0288 -9.36866,-0.10654 -14.3819,0 -4.34019,-2.68118 -7.61214,-2.67501 -13.50967,0 -12.85877,0.19749 -16.15141,1.41622 -30.07484,-5.59518 z"
+       id="path827-0-6-1-75"
+       sodipodi:nodetypes="ccccccccccccccccc" />
+    <path
+       style="mix-blend-mode:normal;fill:none;fill-opacity:1;fill-rule:nonzero;stroke:#91c644;stroke-width:4.162;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 156.21634,241.25216 c -36.77875,-0.52415 -40.28886,-59.93704 -37.81186,-73.76847 4.31487,-6.88361 5.16377,67.54956 53.91071,53.40865 7.63767,-0.10896 7.46241,-0.48863 13.68295,0 0,0 6.02631,2.83696 11.70294,0 5.22924,0.25068 10.25553,-0.0838 14.96127,0 0,0 5.67039,3.50471 11.34285,0 5.0883,0.0159 9.51716,-0.0359 13.05654,0 8.45048,4.08054 11.69352,-0.0346 13.68994,0 26.68644,0.65642 13.91688,-3.86364 38.61636,18.90144 -21.12865,9.24298 -8.34416,6.82043 -38.1506,7.05356 -5.24229,-2.03839 -8.53586,-2.46696 -13.52289,0 -3.55366,-0.002 -7.27687,0.0168 -11.17766,0 -4.69904,-2.2063 -6.65631,-2.36355 -12.33414,0 -4.57699,-0.0288 -9.36866,-0.10654 -14.3819,0 -4.34019,-2.68118 -7.61214,-2.67501 -13.50967,0 -12.85877,0.19749 -16.15141,1.41622 -30.07484,-5.59518 z"
+       id="path827-0-6-1-3"
+       sodipodi:nodetypes="ccccccccccccccccc" />
+    <path
+       style="fill:none;stroke:#91c644;stroke-width:4.162;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 235.82819,238.00607 7.42578,7.47041"
+       id="path91935"
+       sodipodi:nodetypes="cc" />
+    <path
+       style="fill:none;stroke:#91c644;stroke-width:4.162;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 263.62793,234.46973 9.35742,0.004 5.46192,-3.47167"
+       id="path153373"
+       sodipodi:nodetypes="ccc" />
+    <path
+       style="fill:none;stroke:#91c644;stroke-width:3.93761;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 172.07706,233.36811 -11.95437,0.28623 -3.98525,7.95874"
+       id="path153586"
+       sodipodi:nodetypes="ccc" />
+    <path
+       style="fill:none;stroke:#91c644;stroke-width:4.162;stroke-linecap:butt;stroke-linejoin:miter;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+       d="m 211.91015,231.56698 6.38309,-2.13379 0.199,-6.5135"
+       id="path92149-7"
+       sodipodi:nodetypes="ccc" />
+    <g
+       id="g2694"
+       transform="translate(76.763398,0.17972214)">
+      <path
+         id="path2822"
+         d="m 172.07706,238.93915 v -1.85702 l 9.28505,-3.71402 9.28506,3.71402 v 1.85702 l -9.28506,3.71401 z"
+         fill="#a6e2ff"
+         style="fill:#ace55a;fill-opacity:1;stroke-width:0.371401" />
+      <path
+         id="path2824"
+         d="m 172.07706,237.08213 v -1.85702 l 9.28505,-3.71402 9.28506,3.71402 v 1.85702 l -9.28506,3.71401 z"
+         fill="#74ca61"
+         style="fill:#91c644;fill-opacity:1;stroke-width:0.371401" />
+      <path
+         id="path2833"
+         d="m 172.07706,235.22511 v -1.857 l 9.28505,-3.71404 9.28506,3.71404 v 1.857 l -9.28506,3.71404 z"
+         fill="#ffe96b"
+         style="stroke-width:0.371401" />
+      <path
+         id="path3609"
+         d="m 172.07706,233.36811 v -1.85702 l 9.28505,-3.71401 9.28506,3.71401 v 1.85702 l -9.28506,3.71402 z"
+         fill="#f78047"
+         style="fill:#546738;fill-opacity:1;stroke-width:0.371401" />
+      <path
+         id="path3687"
+         d="m 172.07706,231.51109 v -1.85702 l 9.28505,-3.71401 9.28506,3.71401 v 1.85702 l -9.34486,3.71402 z"
+         fill="#ee4043"
+         style="fill:#91c644;fill-opacity:1;stroke-width:0.371401" />
+      <path
+         id="path2820"
+         fill="#f8555a"
+         d="m 172.07706,229.65407 9.28505,3.71404 9.28506,-3.71404 -9.28506,-3.71401 z"
+         style="fill:#c1ec82;fill-opacity:1;stroke-width:0.371401" />
+      <path
+         id="path3739"
+         d="m 178.01949,231.88249 6.31384,0.3714 c -1.33704,0 -2.59981,-1.1142 -2.59981,-1.857 -0.33426,0.3714 -2.48841,1.4856 -3.71403,1.4856 z"
+         fill="#bf3336"
+         style="fill:#608e1e;fill-opacity:1;stroke-width:0.371401" />
+      <path
+         id="path2835"
+         d="m 172.07706,229.65407 v 9.28508 l 9.28505,3.71401 v -9.28505 z"
+         fill-opacity="0.098039"
+         sodipodi:nodetypes="ccccc"
+         style="stroke-width:0.371401" />
+    </g>
+    <g
+       id="g2753"
+       transform="matrix(0.04657204,0,0,0.04657204,195.73217,220.61663)">
+      <path
+         id="path585"
+         style="fill-opacity:0"
+         d="m 110.53373,192.39147 0.718,163.36 227.83,-0.95 -0.72,-163.36 -227.83,0.95 z" />
+      <path
+         id="path634"
+         style="fill:#dbf7b3;fill-opacity:1;fill-rule:evenodd;stroke-width:13.442;stroke-linejoin:bevel"
+         d="m 65.741729,146.00947 c 1.246,26.392 -2.011,107.15 -1.74,124.25 0.21,14.65 30.478,6.03 42.869001,6.27 1.689,-18 -0.454,-74.53 1.049,-90.36 31.084,5.04 208.15,1.72 233.82,0.48 0.34,22.68 1.83,75.28 0.12,89.99 17.12,-0.94 15.5,4.71 22.76,-2.61 0.62,-26.9 -0.47,-88.33 0.89,-129.06 -6.4,-11.469 -10.25,-16.655 -19.55,-21.743 -38.6,0.156 -232.57,-1.632 -259.820001,-0.999 -7.734,6.204 -12.918,12.305 -20.402,23.78 z" />
+      <path
+         id="path632"
+         style="fill:#dbf7b3;fill-opacity:1;fill-rule:evenodd;stroke-width:13.442;stroke-linejoin:bevel"
+         d="m 67.148729,395.59147 c 1.246,-26.39 -2.011,-107.15 -1.74,-124.25 0.21,-14.65 30.478,-6.03 42.869001,-6.27 1.689,18 3.766,73.12 5.27,88.96 24.056,3.39 201.12,-0.32 226.79,0.92 0.35,-22.68 1.83,-76.69 0.13,-91.39 17.11,0.93 25.35,2.32 26.98,4.02 0.62,26.89 -1.88,88.32 -0.52,129.05 -6.4,11.47 -10.26,16.66 -19.55,21.74 -38.6,-0.15 -232.57,1.64 -259.830001,1 -7.727,-6.2 -12.911,-12.3 -20.395,-23.78 z" />
+      <path
+         id="path578"
+         style="fill:#ffffff;fill-rule:evenodd"
+         d="m 82.179729,402.83147 4.295,-244 c 0,0.002 0,8.27 1.073,-2.066 1.074,-10.339 17.179001,-14.474 17.179001,-14.474 l 195.41,-10.339 c 0,0 -199.7,-2.068 -207.220001,0 -7.513,2.068 -16.102,7.237 -17.176,15.508 -1.074,8.271 0,247.1 0,247.1 l 6.442,8.27 z" />
+      <path
+         id="path579"
+         style="fill:#68912d;fill-opacity:1;fill-rule:evenodd"
+         d="m 355.48373,133.30747 -4.29,251.99 c 0,0 0,-8.27 -1.08,2.07 -1.07,10.34 -17.17,14.47 -17.17,14.47 l -195.41,10.34 c 0,0 199.7,2.07 207.22,0 7.51,-2.07 16.1,-7.24 17.17,-15.51 1.08,-8.27 -1.01,-244.1 0,-255.09 l -6.44,-8.274 z" />
+      <path
+         id="path586"
+         style="fill:#bdfffd;fill-opacity:0.8316;fill-rule:evenodd"
+         d="m 106.56273,187.85147 v 81.96 h 233.06 v -81.96 z" />
+      <path
+         id="path577"
+         style="fill:none;stroke:#91c644;stroke-width:6.3395;stroke-opacity:1"
+         d="m 107.66773,360.19147 h 236.25 l -2.1,-172.48" />
+      <path
+         id="path593"
+         style="fill:#ffff80;fill-opacity:0.907909;fill-rule:evenodd;stroke:#e46900;stroke-width:6.25;stroke-linejoin:bevel;stroke-opacity:0.5561"
+         d="m 281.61373,263.81147 c 4.07,0 5.09,-6 17.3,-7 12.21,-1 35.62,2 38.67,8 3.05,6 0,88.95 0,88.95 l -226.95,1 c 0,0 166.91,-26.99 159.78,-39.98 -7.12,-12.99 -31.55,-22.99 -28.49,-28.98 3.05,-6 29.51,-16.99 39.69,-21.99 z" />
+      <path
+         id="path581"
+         style="fill:#649eff;fill-opacity:0.4286;fill-rule:evenodd;stroke:#0000d4;stroke-width:4.4808;stroke-linejoin:bevel;stroke-opacity:0.6837"
+         d="m 110.96473,270.66147 c 2.879,-1.42 159.76,-1.42 159.76,-1.42 0,0 -50.2,12.14 -4.14,36.17 46.05,24.03 -155.62,48.64 -155.62,48.64 l 10e-4,-83.39 z" />
+      <path
+         id="path580"
+         style="fill:none;stroke:#91c644;stroke-width:6.25;stroke-opacity:1"
+         d="m 341.63373,189.71147 h -233.97 l 2.034,171.7" />
+      <path
+         id="path590"
+         style="fill:#ffff80;fill-opacity:0.6582;fill-rule:evenodd;stroke:#ff0000;stroke-width:4.4808;stroke-opacity:0.6429"
+         d="m 172.85373,219.77147 c 0,7.81 -6.77,14.14 -15.11,14.14 -8.35,0 -15.11,-6.33 -15.11,-14.14 0,-7.8 6.76,-14.13 15.11,-14.13 8.34,0 15.11,6.33 15.11,14.13 z" />
+      <path
+         id="path591"
+         style="fill:#ecf480;fill-opacity:0.602;fill-rule:evenodd"
+         d="m 136.87373,270.66147 c 5.76,0 18.71,7.06 14.39,8.48 -4.32,1.41 -20.149,5.65 -11.51,8.48 8.63,2.83 23.03,2.83 15.83,7.07 -7.2,4.24 -14.39,8.48 -10.08,9.89 4.32,1.41 12.96,9.89 20.15,5.65 7.2,-4.24 5.76,-9.89 0,-12.72 -5.75,-2.82 -18.71,-4.24 -11.51,-8.48 7.2,-4.24 25.91,0 24.47,-5.65 -1.44,-5.66 -10.08,-2.83 -17.27,-4.24 -7.2,-1.42 30.22,-5.66 21.59,-7.07 -8.64,-1.41 -43.18,0 -46.06,-1.41 z" />
+      <path
+         id="path576"
+         style="fill:none;stroke:#91c644;stroke-width:20;stroke-linejoin:bevel;stroke-miterlimit:4;stroke-dasharray:none;stroke-opacity:1"
+         d="m 69.148729,397.59147 c 1.246,-26.39 -1.196,-235.14 1.073,-252.27 5.276,-11.834 15.411,-16.487 21.709,-19.472 62.133001,0.116 222.420001,-1.202 260.660001,-1.202 5.39,4.136 11.73,8.732 18.25,15.508 0.62,26.896 -3.28,217.75 -1.92,258.48 -6.4,11.47 -10.26,16.66 -19.55,21.74 -38.6,-0.15 -232.57,1.64 -259.830001,1 -7.727,-6.2 -12.911,-12.3 -20.395,-23.78 z" />
+    </g>
+    <g
+       id="g3666"
+       transform="matrix(1.0647964,0,0,1.0647964,-49.256187,-137.85828)"
+       style="stroke:none;stroke-width:1.00019121;stroke-miterlimit:4;stroke-dasharray:none">
+      <g
+         id="g2785"
+         style="stroke:none;stroke-width:1.00019121;stroke-miterlimit:4;stroke-dasharray:none">
+        <path
+           id="path164"
+           style="fill:url(#linearGradient886);fill-rule:evenodd;stroke:none;stroke-width:1.00019121;stroke-linejoin:bevel;stroke-miterlimit:4;stroke-dasharray:none"
+           d="m 256.54492,347.35489 c 3.58382,-0.48749 10.18573,-6.16558 10.44867,-6.23306 0.3122,0.0163 3.5443,8.36879 4.84156,9.68932 -1.13515,0.69963 -7.53769,5.05331 -9.80024,5.89333 -3.04474,-3.13941 -5.89138,-9.11418 -5.48999,-9.34959 z" />
+        <path
+           id="path163"
+           style="mix-blend-mode:normal;fill:url(#linearGradient2848);fill-opacity:1;fill-rule:evenodd;stroke:none;stroke-width:1.00019121;stroke-linejoin:bevel;stroke-miterlimit:4;stroke-dasharray:none"
+           d="m 262.15355,356.6847 c -0.12023,-1.63544 -0.22067,-6.50647 -1.24995,-8.38159 -0.008,-0.23889 3.70641,-2.64881 3.79367,-2.57784 0.11944,10e-4 0.35175,2.40177 0.23114,2.7512 0.12255,0.20904 4.47157,-1.89994 7.27009,-4.51385 0.42544,-0.10106 0.28078,6.43395 -0.25907,6.81518 -0.66511,0.36067 -8.89932,5.80684 -9.78588,5.9069 z" />
+      </g>
+    </g>
+    <g
+       id="g4848"
+       transform="translate(-31.377865,-88.795766)">
+      <g
+         id="g4735"
+         transform="matrix(0.7334806,0,0,0.7334806,25.750307,31.287723)">
+        <rect
+           id="rect2160"
+           style="color:#000000;fill:url(#linearGradient2220);fill-opacity:1;stroke:#4c7115;stroke-width:0.153503;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1"
+           rx="1.6666112"
+           ry="1.6666112"
+           height="17.36762"
+           width="26.490295"
+           y="387.60583"
+           x="238.93828" />
+        <path
+           id="path3221"
+           sodipodi:nodetypes="ccccccccc"
+           style="color:#000000;fill:url(#linearGradient2222);fill-opacity:1;stroke:#4c7115;stroke-width:0.0921017;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1"
+           d="m 240.60489,404.95215 c -0.92329,0 -1.66646,-0.74296 -1.66646,-1.66643 v -1.28267 l 12.25813,-7.49094 c 0.71685,-0.4381 1.87058,-0.4381 2.58744,0 l 11.64411,7.11578 v 1.65783 c 0,0.92347 -0.74295,1.66643 -1.66642,1.66643 h -23.15683 z" />
+        <path
+           id="rect3141"
+           sodipodi:nodetypes="ccccccccc"
+           style="color:#000000;fill:url(#linearGradient1766);fill-opacity:1;stroke:#4c7115;stroke-width:0.196201;stroke-linecap:round;stroke-linejoin:round;stroke-opacity:1"
+           d="m 240.60489,387.60595 c -0.92329,0 -1.66646,0.74302 -1.66646,1.66649 v 1.28267 l 12.25813,7.49094 c 0.71685,0.4381 1.87058,0.4381 2.58744,0 l 11.64411,-7.11578 v -1.65783 c 0,-0.92347 -0.74295,-1.66649 -1.66642,-1.66649 h -23.15683 z" />
+      </g>
+    </g>
+    <text
+       xml:space="preserve"
+       style="font-style:normal;font-variant:normal;font-weight:normal;font-stretch:normal;font-size:40px;line-height:1.25;font-family:'WenQuanYi Micro Hei';-inkscape-font-specification:'WenQuanYi Micro Hei';letter-spacing:-2.01px;word-spacing:0px;fill:url(#linearGradient117744);fill-opacity:1;stroke:none"
+       x="156.98627"
+       y="204.44211"
+       id="text103160"><tspan
+         sodipodi:role="line"
+         id="tspan103158"
+         x="156.98627"
+         y="204.44211"
+         style="font-style:normal;font-variant:normal;font-weight:bold;font-stretch:normal;font-family:'WenQuanYi Micro Hei';-inkscape-font-specification:'WenQuanYi Micro Hei Bold';fill:url(#linearGradient117744);fill-opacity:1">Silique</tspan></text>
+  </g>
+</svg>