From 41c8b44bd10dcd2cb9b4d649667604833a73fabb Mon Sep 17 00:00:00 2001
From: Emmanuel Garette <egarette@cadoles.com>
Date: Wed, 29 Jun 2022 11:44:01 +0200
Subject: [PATCH] manage firewall for host

---
 .../base-debian/applicationservice.yml        |  2 +-
 .../base-fedora/applicationservice.yml        |  2 +-
 .../templates/update-ca-trust.service         |  1 -
 .../base-machine/applicationservice.yml       |  4 ++++
 .../dictionaries/12-base.xml                  |  2 --
 .../2022.03.08/{base => base-machine}/doc.md  |  0
 .../extras/machine/00_base.xml                |  0
 .../{base => base-machine}/funcs/funcs.py     | 13 +---------
 .../manual/install/config.sh                  |  0
 .../manual/install/config_machine.sh          |  0
 .../manual/install/diff.py                    |  0
 .../manual/install/install_host               |  0
 .../manual/install/install_image              |  0
 .../manual/install/install_images             |  0
 .../manual/install/install_machine            |  0
 .../manual/install/install_machines           |  0
 .../manual/install/make_changelog             |  0
 .../manual/install/make_volatile              |  0
 .../templates/locale.conf                     |  0
 .../2022.03.08/base/applicationservice.yml    |  2 +-
 .../2022.03.08/base/funcs/base.py             |  9 +++++++
 .../dovecot/dictionaries/26_dovecot.xml       |  2 +-
 .../gitea/dictionaries/31_gitea.xml           |  2 +-
 .../applicationservice.yml                    |  2 ++
 .../dictionaries/21-machined.xml              |  2 ++
 .../2022.03.08/host-systemd-machined/doc.md   |  2 +-
 .../extras/machined/00-machined.xml           |  3 ++-
 .../host-systemd-machined/templates/nspawn    |  2 +-
 .../templates/risottofirewall.service         | 24 +++++++++++++++++++
 .../dictionaries/25_nginx.xml                 |  2 +-
 .../postfix-relay/dictionaries/30_postfix.xml |  5 +++-
 .../dictionaries/16-machined.xml              | 13 +++++++---
 .../2022.03.08/systemd/applicationservice.yml |  2 +-
 .../unbound/dictionaries/20_unbound.xml       |  4 ++++
 34 files changed, 71 insertions(+), 29 deletions(-)
 create mode 100644 seed/applicationservice/2022.03.08/base-machine/applicationservice.yml
 rename seed/applicationservice/2022.03.08/{base => base-machine}/dictionaries/12-base.xml (96%)
 rename seed/applicationservice/2022.03.08/{base => base-machine}/doc.md (100%)
 rename seed/applicationservice/2022.03.08/{base => base-machine}/extras/machine/00_base.xml (100%)
 rename seed/applicationservice/2022.03.08/{base => base-machine}/funcs/funcs.py (90%)
 rename seed/applicationservice/2022.03.08/{base => base-machine}/manual/install/config.sh (100%)
 rename seed/applicationservice/2022.03.08/{base => base-machine}/manual/install/config_machine.sh (100%)
 rename seed/applicationservice/2022.03.08/{base => base-machine}/manual/install/diff.py (100%)
 rename seed/applicationservice/2022.03.08/{base => base-machine}/manual/install/install_host (100%)
 rename seed/applicationservice/2022.03.08/{base => base-machine}/manual/install/install_image (100%)
 rename seed/applicationservice/2022.03.08/{base => base-machine}/manual/install/install_images (100%)
 rename seed/applicationservice/2022.03.08/{base => base-machine}/manual/install/install_machine (100%)
 rename seed/applicationservice/2022.03.08/{base => base-machine}/manual/install/install_machines (100%)
 rename seed/applicationservice/2022.03.08/{base => base-machine}/manual/install/make_changelog (100%)
 rename seed/applicationservice/2022.03.08/{base => base-machine}/manual/install/make_volatile (100%)
 rename seed/applicationservice/2022.03.08/{base => base-machine}/templates/locale.conf (100%)
 create mode 100644 seed/applicationservice/2022.03.08/base/funcs/base.py
 create mode 100644 seed/applicationservice/2022.03.08/host-systemd-machined/templates/risottofirewall.service

diff --git a/seed/applicationservice/2022.03.08/base-debian/applicationservice.yml b/seed/applicationservice/2022.03.08/base-debian/applicationservice.yml
index 3d7d7471..afedc8c7 100644
--- a/seed/applicationservice/2022.03.08/base-debian/applicationservice.yml
+++ b/seed/applicationservice/2022.03.08/base-debian/applicationservice.yml
@@ -1,5 +1,5 @@
 format: '0.1'
 description: Information de base d'un serveur Debian
 depends:
-  - base
+  - base-machine
   - systemd
diff --git a/seed/applicationservice/2022.03.08/base-fedora/applicationservice.yml b/seed/applicationservice/2022.03.08/base-fedora/applicationservice.yml
index f9616709..32ea7abe 100644
--- a/seed/applicationservice/2022.03.08/base-fedora/applicationservice.yml
+++ b/seed/applicationservice/2022.03.08/base-fedora/applicationservice.yml
@@ -1,5 +1,5 @@
 format: '0.1'
 description: Information de base d'un serveur Fedora
 depends:
-  - base
+  - base-machine
   - systemd
diff --git a/seed/applicationservice/2022.03.08/base-fedora/templates/update-ca-trust.service b/seed/applicationservice/2022.03.08/base-fedora/templates/update-ca-trust.service
index ace2152d..23399838 100644
--- a/seed/applicationservice/2022.03.08/base-fedora/templates/update-ca-trust.service
+++ b/seed/applicationservice/2022.03.08/base-fedora/templates/update-ca-trust.service
@@ -8,4 +8,3 @@ ExecStart=/usr/bin/update-ca-trust
 
 [Install]
 WantedBy=multi-user.target
-
diff --git a/seed/applicationservice/2022.03.08/base-machine/applicationservice.yml b/seed/applicationservice/2022.03.08/base-machine/applicationservice.yml
new file mode 100644
index 00000000..faed7a84
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base-machine/applicationservice.yml
@@ -0,0 +1,4 @@
+format: '0.1'
+description: Base information for a machine
+depends:
+  - base
diff --git a/seed/applicationservice/2022.03.08/base/dictionaries/12-base.xml b/seed/applicationservice/2022.03.08/base-machine/dictionaries/12-base.xml
similarity index 96%
rename from seed/applicationservice/2022.03.08/base/dictionaries/12-base.xml
rename to seed/applicationservice/2022.03.08/base-machine/dictionaries/12-base.xml
index 553c19a6..20dbf7b1 100644
--- a/seed/applicationservice/2022.03.08/base/dictionaries/12-base.xml
+++ b/seed/applicationservice/2022.03.08/base-machine/dictionaries/12-base.xml
@@ -46,8 +46,6 @@
     </fill>
     <fill name="get_ip">
       <param name="server_name" type="information">server_name</param>
-      <param name="zones_name" type="information">zones_name</param>
-      <param name="index" type="suffix"/>
       <target>ip_eth</target>
     </fill>
     <!-- Return "server_name" only for domain_name_eth0 -->
diff --git a/seed/applicationservice/2022.03.08/base/doc.md b/seed/applicationservice/2022.03.08/base-machine/doc.md
similarity index 100%
rename from seed/applicationservice/2022.03.08/base/doc.md
rename to seed/applicationservice/2022.03.08/base-machine/doc.md
diff --git a/seed/applicationservice/2022.03.08/base/extras/machine/00_base.xml b/seed/applicationservice/2022.03.08/base-machine/extras/machine/00_base.xml
similarity index 100%
rename from seed/applicationservice/2022.03.08/base/extras/machine/00_base.xml
rename to seed/applicationservice/2022.03.08/base-machine/extras/machine/00_base.xml
diff --git a/seed/applicationservice/2022.03.08/base/funcs/funcs.py b/seed/applicationservice/2022.03.08/base-machine/funcs/funcs.py
similarity index 90%
rename from seed/applicationservice/2022.03.08/base/funcs/funcs.py
rename to seed/applicationservice/2022.03.08/base-machine/funcs/funcs.py
index bd0e6e26..848abfaf 100644
--- a/seed/applicationservice/2022.03.08/base/funcs/funcs.py
+++ b/seed/applicationservice/2022.03.08/base-machine/funcs/funcs.py
@@ -1,5 +1,4 @@
 import __main__
-from typing import List
 from secrets import token_urlsafe as _token_urlsafe, token_hex as _token_hex
 from string import ascii_letters as _ascii_letters
 from random import choice as _choice
@@ -7,7 +6,7 @@ from os.path import dirname as _dirname, abspath as _abspath, join as _join, isf
 from os import makedirs as _makedirs
 
 
-from risotto.utils import load_domains, DOMAINS, ZONES_SERVER
+from risotto.utils import ZONES_SERVER
 
 
 _HERE = _dirname(_abspath(__main__.__file__))
@@ -103,16 +102,6 @@ def get_domain_name(server_name: str,
     return extra_domainnames[index - 1]
 
 
-def get_ip(server_name: str,
-           zones_name: List[str],
-           index: str,
-           ) -> str:
-    load_domains()
-    host_name, domain_name = server_name.split('.', 1)
-    domain = DOMAINS[domain_name]
-    return domain[1][domain[0].index(host_name)]
-
-
 def get_provider_name(network_name: str,
                       provider: str,
                       ) -> str:
diff --git a/seed/applicationservice/2022.03.08/base/manual/install/config.sh b/seed/applicationservice/2022.03.08/base-machine/manual/install/config.sh
similarity index 100%
rename from seed/applicationservice/2022.03.08/base/manual/install/config.sh
rename to seed/applicationservice/2022.03.08/base-machine/manual/install/config.sh
diff --git a/seed/applicationservice/2022.03.08/base/manual/install/config_machine.sh b/seed/applicationservice/2022.03.08/base-machine/manual/install/config_machine.sh
similarity index 100%
rename from seed/applicationservice/2022.03.08/base/manual/install/config_machine.sh
rename to seed/applicationservice/2022.03.08/base-machine/manual/install/config_machine.sh
diff --git a/seed/applicationservice/2022.03.08/base/manual/install/diff.py b/seed/applicationservice/2022.03.08/base-machine/manual/install/diff.py
similarity index 100%
rename from seed/applicationservice/2022.03.08/base/manual/install/diff.py
rename to seed/applicationservice/2022.03.08/base-machine/manual/install/diff.py
diff --git a/seed/applicationservice/2022.03.08/base/manual/install/install_host b/seed/applicationservice/2022.03.08/base-machine/manual/install/install_host
similarity index 100%
rename from seed/applicationservice/2022.03.08/base/manual/install/install_host
rename to seed/applicationservice/2022.03.08/base-machine/manual/install/install_host
diff --git a/seed/applicationservice/2022.03.08/base/manual/install/install_image b/seed/applicationservice/2022.03.08/base-machine/manual/install/install_image
similarity index 100%
rename from seed/applicationservice/2022.03.08/base/manual/install/install_image
rename to seed/applicationservice/2022.03.08/base-machine/manual/install/install_image
diff --git a/seed/applicationservice/2022.03.08/base/manual/install/install_images b/seed/applicationservice/2022.03.08/base-machine/manual/install/install_images
similarity index 100%
rename from seed/applicationservice/2022.03.08/base/manual/install/install_images
rename to seed/applicationservice/2022.03.08/base-machine/manual/install/install_images
diff --git a/seed/applicationservice/2022.03.08/base/manual/install/install_machine b/seed/applicationservice/2022.03.08/base-machine/manual/install/install_machine
similarity index 100%
rename from seed/applicationservice/2022.03.08/base/manual/install/install_machine
rename to seed/applicationservice/2022.03.08/base-machine/manual/install/install_machine
diff --git a/seed/applicationservice/2022.03.08/base/manual/install/install_machines b/seed/applicationservice/2022.03.08/base-machine/manual/install/install_machines
similarity index 100%
rename from seed/applicationservice/2022.03.08/base/manual/install/install_machines
rename to seed/applicationservice/2022.03.08/base-machine/manual/install/install_machines
diff --git a/seed/applicationservice/2022.03.08/base/manual/install/make_changelog b/seed/applicationservice/2022.03.08/base-machine/manual/install/make_changelog
similarity index 100%
rename from seed/applicationservice/2022.03.08/base/manual/install/make_changelog
rename to seed/applicationservice/2022.03.08/base-machine/manual/install/make_changelog
diff --git a/seed/applicationservice/2022.03.08/base/manual/install/make_volatile b/seed/applicationservice/2022.03.08/base-machine/manual/install/make_volatile
similarity index 100%
rename from seed/applicationservice/2022.03.08/base/manual/install/make_volatile
rename to seed/applicationservice/2022.03.08/base-machine/manual/install/make_volatile
diff --git a/seed/applicationservice/2022.03.08/base/templates/locale.conf b/seed/applicationservice/2022.03.08/base-machine/templates/locale.conf
similarity index 100%
rename from seed/applicationservice/2022.03.08/base/templates/locale.conf
rename to seed/applicationservice/2022.03.08/base-machine/templates/locale.conf
diff --git a/seed/applicationservice/2022.03.08/base/applicationservice.yml b/seed/applicationservice/2022.03.08/base/applicationservice.yml
index 029925ae..2daf18e8 100644
--- a/seed/applicationservice/2022.03.08/base/applicationservice.yml
+++ b/seed/applicationservice/2022.03.08/base/applicationservice.yml
@@ -1,2 +1,2 @@
 format: '0.1'
-description: Information de base d'un serveur
+description: Base
diff --git a/seed/applicationservice/2022.03.08/base/funcs/base.py b/seed/applicationservice/2022.03.08/base/funcs/base.py
new file mode 100644
index 00000000..10a4031f
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/base/funcs/base.py
@@ -0,0 +1,9 @@
+from typing import List
+from risotto.utils import load_domains, DOMAINS
+
+
+def get_ip(server_name: str) -> str:
+    load_domains()
+    host_name, domain_name = server_name.split('.', 1)
+    domain = DOMAINS[domain_name]
+    return domain[1][domain[0].index(host_name)]
diff --git a/seed/applicationservice/2022.03.08/dovecot/dictionaries/26_dovecot.xml b/seed/applicationservice/2022.03.08/dovecot/dictionaries/26_dovecot.xml
index c711bea9..696623de 100644
--- a/seed/applicationservice/2022.03.08/dovecot/dictionaries/26_dovecot.xml
+++ b/seed/applicationservice/2022.03.08/dovecot/dictionaries/26_dovecot.xml
@@ -51,7 +51,7 @@
   </services>
   <variables>
     <family name="network">
-      <variable name="external_ports" redefine="True">
+      <variable name="incoming_ports" redefine="True">
         <value>587</value>
         <value>993</value>
       </variable>
diff --git a/seed/applicationservice/2022.03.08/gitea/dictionaries/31_gitea.xml b/seed/applicationservice/2022.03.08/gitea/dictionaries/31_gitea.xml
index 8855276f..812ea94e 100644
--- a/seed/applicationservice/2022.03.08/gitea/dictionaries/31_gitea.xml
+++ b/seed/applicationservice/2022.03.08/gitea/dictionaries/31_gitea.xml
@@ -10,7 +10,7 @@
   </services>
   <variables>
     <family name="network">
-      <variable name="external_ports" redefine="True">
+      <variable name="incoming_ports" redefine="True">
         <value>2222</value>
       </variable>
     </family>
diff --git a/seed/applicationservice/2022.03.08/host-systemd-machined/applicationservice.yml b/seed/applicationservice/2022.03.08/host-systemd-machined/applicationservice.yml
index d8ff0c1f..747473a7 100644
--- a/seed/applicationservice/2022.03.08/host-systemd-machined/applicationservice.yml
+++ b/seed/applicationservice/2022.03.08/host-systemd-machined/applicationservice.yml
@@ -1,2 +1,4 @@
 format: '0.1'
 description: Configure Systemd Machined
+depends:
+  - base
diff --git a/seed/applicationservice/2022.03.08/host-systemd-machined/dictionaries/21-machined.xml b/seed/applicationservice/2022.03.08/host-systemd-machined/dictionaries/21-machined.xml
index 161a535d..9e19a522 100644
--- a/seed/applicationservice/2022.03.08/host-systemd-machined/dictionaries/21-machined.xml
+++ b/seed/applicationservice/2022.03.08/host-systemd-machined/dictionaries/21-machined.xml
@@ -8,6 +8,8 @@
       <file file_type="variable" source="70-container.network" variable="zone_name">systemd_zone_filename</file>
       <file file_type="variable" source="70-container.netdev" variable="zone_name">systemd_netzone_filename</file>
     </service>
+    <service name="risottofirewall" engine="creole" target="multi-user">
+    </service>
     <service name="systemd-nspawn@">
       <file>/tmpfiles.d/0asystemd-nspawn.conf</file>
       <file>/etc/systemd/system/systemd-nspawn@.service.d/systemd-nspawn@.conf</file>
diff --git a/seed/applicationservice/2022.03.08/host-systemd-machined/doc.md b/seed/applicationservice/2022.03.08/host-systemd-machined/doc.md
index c859c38a..4686184d 100644
--- a/seed/applicationservice/2022.03.08/host-systemd-machined/doc.md
+++ b/seed/applicationservice/2022.03.08/host-systemd-machined/doc.md
@@ -2,7 +2,7 @@ Providers
 =========
 
 - machines : nom de domaine des machines (au sens systemd-machined) exécuté sur l'hôte (c'est une variable multiple). Cette variable est une variable meneuse, les variables suivantes sont des variables suiveuses.
-- external_ports : ports rendu accessible depuis l'extérieur (cette variable est multiple).
+- incoming_ports : ports rendu accessible depuis l'extérieur (cette variable est multiple).
 - machine_srv : répertoire contenant le répertoire /srv de la machine (cette variable n'est pas obligatoire).
 - marchine_journal : répertoire contenant le répertoire /var/log/journal de la machine.
 - machine_config : répertoire contenant le répertoire /usr/local/lib de la machine.
diff --git a/seed/applicationservice/2022.03.08/host-systemd-machined/extras/machined/00-machined.xml b/seed/applicationservice/2022.03.08/host-systemd-machined/extras/machined/00-machined.xml
index 3b1449d6..c75f73d9 100644
--- a/seed/applicationservice/2022.03.08/host-systemd-machined/extras/machined/00-machined.xml
+++ b/seed/applicationservice/2022.03.08/host-systemd-machined/extras/machined/00-machined.xml
@@ -9,7 +9,8 @@
   <variables>
     <variable name="machines" description="Machines started in this host" type="domainname" multi="True" provider="machines"/>
     <family name="machine_" description="Machine " dynamic="machined.machines">
-      <variable name="external_ports_" description="External ports for " hidden="True" type="port" multi="True" provider="external_ports"/>
+      <variable name="incoming_ports_" description="Incomming external ports for " hidden="True" type="port" multi="True" provider="incoming_ports"/>
+      <variable name="outgoing_ports_" description="Outcoming external ports for " hidden="True" type="port" multi="True" provider="outgoing_ports"/>
       <variable name="srv_dir_" description="Directory with srv volume for " hidden="True" type="filename" provider="machine_srv"/>
       <variable name="journal_dir_" description="Directory with journal volume for " hidden="True" type="filename" provider="machine_journal"/>
       <variable name="config_dir_" description="Directory with configuration volume for " hidden="True" type="filename" provider="machine_config" mandatory="True"/>
diff --git a/seed/applicationservice/2022.03.08/host-systemd-machined/templates/nspawn b/seed/applicationservice/2022.03.08/host-systemd-machined/templates/nspawn
index d67b4c66..4a9a5fa9 100644
--- a/seed/applicationservice/2022.03.08/host-systemd-machined/templates/nspawn
+++ b/seed/applicationservice/2022.03.08/host-systemd-machined/templates/nspawn
@@ -23,6 +23,6 @@ VirtualEthernetExtra=%%intname[:15]:host%%idx
   %end if
  %end for
 %end if
-%for %%port in %%container['external_ports_' + %%name]
+%for %%port in %%container['incoming_ports_' + %%name]
 Port=tcp:%%port:%%port
 %end for
diff --git a/seed/applicationservice/2022.03.08/host-systemd-machined/templates/risottofirewall.service b/seed/applicationservice/2022.03.08/host-systemd-machined/templates/risottofirewall.service
new file mode 100644
index 00000000..d3eb053e
--- /dev/null
+++ b/seed/applicationservice/2022.03.08/host-systemd-machined/templates/risottofirewall.service
@@ -0,0 +1,24 @@
+[Unit]
+Description=Firewall for Risotto
+After=network.target
+
+[Service]
+Type=oneshot
+%for %%dns in %%machined.machines
+%set %%machine = %%normalize_family(%%dns)
+%set %%outgoing = %%machined['machine_' + %%machine]['outgoing_ports_' + %%machine]
+  %if %%outgoing
+    %for %%port in %%outgoing
+      %if ':' in %%port
+%set %%protocol, %%port = %%port.split(':')
+      %else
+%set %%protocol = 'tcp'
+      %end if
+ExecStart=/sbin/iptables -t nat -A POSTROUTING -s %%get_ip(%%dns) -p %%protocol -m %%protocol --dport %%port -o enp3s0 -j MASQUERADE
+ExecStop=-/sbin/iptables -t nat -D POSTROUTING -s %%get_ip(%%dns) -p %%protocol -m %%protocol --dport %%port -o enp3s0 -j MASQUERADE
+    %end for
+  %end if
+%end for
+
+[Install]
+WantedBy=multi-user.target
diff --git a/seed/applicationservice/2022.03.08/nginx-reverse-proxy/dictionaries/25_nginx.xml b/seed/applicationservice/2022.03.08/nginx-reverse-proxy/dictionaries/25_nginx.xml
index 515ff0b9..dd654437 100644
--- a/seed/applicationservice/2022.03.08/nginx-reverse-proxy/dictionaries/25_nginx.xml
+++ b/seed/applicationservice/2022.03.08/nginx-reverse-proxy/dictionaries/25_nginx.xml
@@ -11,7 +11,7 @@
   </services>
   <variables>
     <family name="network">
-      <variable name="external_ports" redefine="True">
+      <variable name="incoming_ports" redefine="True">
         <value>80</value>
         <value>443</value>
       </variable>
diff --git a/seed/applicationservice/2022.03.08/postfix-relay/dictionaries/30_postfix.xml b/seed/applicationservice/2022.03.08/postfix-relay/dictionaries/30_postfix.xml
index 78974219..c7c03889 100644
--- a/seed/applicationservice/2022.03.08/postfix-relay/dictionaries/30_postfix.xml
+++ b/seed/applicationservice/2022.03.08/postfix-relay/dictionaries/30_postfix.xml
@@ -34,7 +34,10 @@
   <variables>
     <family name="network">
       <variable name="dns_client_address" redefine="True"/>
-      <variable name="external_ports" redefine="True">
+      <variable name="outgoing_ports" redefine="True">
+        <value>25</value>
+      </variable>
+      <variable name="incoming_ports" redefine="True">
         <value>25</value>
       </variable>
     </family>
diff --git a/seed/applicationservice/2022.03.08/provider-systemd-machined/dictionaries/16-machined.xml b/seed/applicationservice/2022.03.08/provider-systemd-machined/dictionaries/16-machined.xml
index 0e131b94..0e08e934 100644
--- a/seed/applicationservice/2022.03.08/provider-systemd-machined/dictionaries/16-machined.xml
+++ b/seed/applicationservice/2022.03.08/provider-systemd-machined/dictionaries/16-machined.xml
@@ -26,7 +26,8 @@
       <value>False</value>
     </variable>
     <family name="network">
-      <variable name="external_ports" type="port" description="Ports exposés depuis l'extérieur" multi="True"/>
+      <variable name="incoming_ports" type="port" description="Ports exposés depuis l'extérieur" multi="True"/>
+      <variable name="outgoing_ports" type="port" description="Ports autorisés vers l'extérieur" multi="True"/>
       <variable name="netwokd_interface_name_type" redefine="True">
         <value>host</value>
       </variable>
@@ -65,9 +66,15 @@
     </check>
     <check name="set_linked_configuration">
       <param name="linked_server" type="variable">host</param>
-      <param name="linked_provider">external_ports</param>
+      <param name="linked_provider">incoming_ports</param>
       <param name="dynamic" type="variable">domain_name_eth0</param>
-      <target>external_ports</target>
+      <target>incoming_ports</target>
+    </check>
+    <check name="set_linked_configuration">
+      <param name="linked_server" type="variable">host</param>
+      <param name="linked_provider">outgoing_ports</param>
+      <param name="dynamic" type="variable">domain_name_eth0</param>
+      <target>outgoing_ports</target>
     </check>
     <check name="set_linked_configuration">
       <param name="linked_server" type="variable">host</param>
diff --git a/seed/applicationservice/2022.03.08/systemd/applicationservice.yml b/seed/applicationservice/2022.03.08/systemd/applicationservice.yml
index 0805bb81..30e352a4 100644
--- a/seed/applicationservice/2022.03.08/systemd/applicationservice.yml
+++ b/seed/applicationservice/2022.03.08/systemd/applicationservice.yml
@@ -1,4 +1,4 @@
 format: '0.1'
 description: Configuration de systemd
 depends:
-  - base
+  - base-machine
diff --git a/seed/applicationservice/2022.03.08/unbound/dictionaries/20_unbound.xml b/seed/applicationservice/2022.03.08/unbound/dictionaries/20_unbound.xml
index 5459f621..aba7c4bf 100644
--- a/seed/applicationservice/2022.03.08/unbound/dictionaries/20_unbound.xml
+++ b/seed/applicationservice/2022.03.08/unbound/dictionaries/20_unbound.xml
@@ -19,6 +19,10 @@
     <family name="network">
       <variable name="dns_client_address" redefine="True" disabled="True"/>
       <variable name="ip_dns" redefine="True" remove_fill="True"/>
+      <variable name="outgoing_ports" redefine="True">
+        <value>udp:53</value>
+        <value>53</value>
+      </variable>
     </family>
     <family name='dns_resolver' description='Résolveur DNS'>
       <variable name="unbound_allowed_client" type="ip" description="Réseau des clients autorisés à faire des requêtes DNS" multi="True" mandatory="True" provider="dns"/>