SetAllPass a disparu ! Reste le secretgen à refaire + revoir les valeurs "liées" par setallpass. Rien n'est testé pour le moment.

2025-07-23 03:19:27 +02:00
parent bce3b9eff5
commit 44ff3980f9
45 changed files with 421 additions and 944 deletions


@@ -16,7 +16,6 @@ KAZ_ROOT=$(cd "$(dirname $0)/.."; pwd)
setKazVars setKazVars
. "${DOCKERS_ENV}" . "${DOCKERS_ENV}"
. "${KAZ_KEY_DIR}/SetAllPass.sh"
usage () { usage () {
echo $(basename "$0") " [-h] [-help] [-timestamp] template dst" echo $(basename "$0") " [-h] [-help] [-timestamp] template dst"
@@ -64,8 +63,8 @@ done
-e "s|__DOKUWIKI_HOST__|${dokuwikiHost}|g"\ -e "s|__DOKUWIKI_HOST__|${dokuwikiHost}|g"\
-e "s|__DOMAIN__|${domain}|g"\ -e "s|__DOMAIN__|${domain}|g"\
-e "s|__FILE_HOST__|${fileHost}|g"\ -e "s|__FILE_HOST__|${fileHost}|g"\
-e "s|__PAHEKO_API_PASSWORD__|${paheko_API_PASSWORD}|g"\ # -e "s|__PAHEKO_API_PASSWORD__|${paheko_API_PASSWORD}|g"\
-e "s|__PAHEKO_API_USER__|${paheko_API_USER}|g"\ # -e "s|__PAHEKO_API_USER__|${paheko_API_USER}|g"\
-e "s|__PAHEKO_HOST__|${pahekoHost}|g"\ -e "s|__PAHEKO_HOST__|${pahekoHost}|g"\
-e "s|__GIT_HOST__|${gitHost}|g"\ -e "s|__GIT_HOST__|${gitHost}|g"\
-e "s|__GRAV_HOST__|${gravHost}|g"\ -e "s|__GRAV_HOST__|${gravHost}|g"\
@@ -79,9 +78,9 @@ done
-e "s|__SMTP_HOST__|${smtpHost}|g"\ -e "s|__SMTP_HOST__|${smtpHost}|g"\
-e "s|__SYMPADB__|${sympaDBName}|g"\ -e "s|__SYMPADB__|${sympaDBName}|g"\
-e "s|__SYMPA_HOST__|${sympaHost}|g"\ -e "s|__SYMPA_HOST__|${sympaHost}|g"\
-e "s|__SYMPA_MYSQL_DATABASE__|${sympa_MYSQL_DATABASE}|g"\ # -e "s|__SYMPA_MYSQL_DATABASE__|${sympa_MYSQL_DATABASE}|g"\
-e "s|__SYMPA_MYSQL_PASSWORD__|${sympa_MYSQL_PASSWORD}|g"\ # -e "s|__SYMPA_MYSQL_PASSWORD__|${sympa_MYSQL_PASSWORD}|g"\
-e "s|__SYMPA_MYSQL_USER__|${sympa_MYSQL_USER}|g"\ # -e "s|__SYMPA_MYSQL_USER__|${sympa_MYSQL_USER}|g"\
-e "s|__VIGILO_HOST__|${vigiloHost}|g"\ -e "s|__VIGILO_HOST__|${vigiloHost}|g"\
-e "s|__WEBMAIL_HOST__|${webmailHost}|g"\ -e "s|__WEBMAIL_HOST__|${webmailHost}|g"\
-e "s|__CASTOPOD_HOST__|${castopodHost}|g"\ -e "s|__CASTOPOD_HOST__|${castopodHost}|g"\
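Review bot: Commenting out the five `-e` expressions in place (the two `__PAHEKO_API_*__` lines and the three `__SYMPA_MYSQL_*__` lines) ends the sed command at the first `#`, because a trailing backslash inside a comment is not a line continuation. Every `-e` line after it is then parsed as a separate command, so the later substitutions and the file operands are dropped; the sed invocation starts and ends outside these hunks, so this should be confirmed on the full file. Delete the lines outright instead of prefixing them with `#`. Templates that still contain `__PAHEKO_API_PASSWORD__` or `__SYMPA_MYSQL_PASSWORD__` will now be written with the placeholder unresolved, so they need another source for those values.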


@@ -61,20 +61,6 @@ doCompose () {
${SIMU} ln -fs ../../config/dockers.env .env ${SIMU} ln -fs ../../config/dockers.env .env
fi fi
${SIMU} docker-compose $1 ${SIMU} docker-compose $1
if [ "$2" = "cachet" ] && [ "$1" != "down" ]; then
NEW_KEY=$(cd "${KAZ_COMP_DIR}/$2" ; docker-compose logs | grep APP_KEY=base64: | sed "s/^.*'APP_KEY=\(base64:[^']*\)'.*$/\1/" | tail -1)
if [ -n "${NEW_KEY}" ]; then
printKazMsg "cachet key change"
# change key
${SIMU} sed -i \
-e 's%^\(\s*cachet_APP_KEY=\).*$%\1"'"${NEW_KEY}"'"%' \
"${KAZ_KEY_DIR}/SetAllPass.sh"
${SIMU} "${KAZ_BIN_DIR}/secretGen.sh"
# restart
${SIMU} docker-compose $1
fi
fi
} }
doComposes () { doComposes () {
@@ -177,7 +163,6 @@ statusComposes () {
saveComposes () { saveComposes () {
. "${DOCKERS_ENV}" . "${DOCKERS_ENV}"
. "${KAZ_ROOT}/secret/SetAllPass.sh"
savedComposes+=( ${enableMailComposes[@]} ) savedComposes+=( ${enableMailComposes[@]} )
savedComposes+=( ${enableProxyComposes[@]} ) savedComposes+=( ${enableProxyComposes[@]} )
@@ -195,49 +180,59 @@ saveComposes () {
;; ;;
sympa) sympa)
echo "save sympa" echo "save sympa"
saveDB ${sympaDBName} "${sympa_MYSQL_USER}" "${sympa_MYSQL_PASSWORD}" "${sympa_MYSQL_DATABASE}" sympa mysql . $KAZ_BIN_DIR/getPasswords.sh sympaDB
saveDB ${sympaDBName} "${sympaDB_MYSQL_USER}" "${sympaDB_MYSQL_PASSWORD}" "${sympaDB_MYSQL_DATABASE}" sympa mysql
;; ;;
web) web)
# rien à faire (fichiers) # rien à faire (fichiers)
;; ;;
etherpad) etherpad)
echo "save pad" echo "save pad"
saveDB ${etherpadDBName} "${etherpad_MYSQL_USER}" "${etherpad_MYSQL_PASSWORD}" "${etherpad_MYSQL_DATABASE}" etherpad mysql . $KAZ_BIN_DIR/getPasswords.sh etherpadDB
saveDB ${etherpadDBName} "${etherpadDB_MYSQL_USER}" "${etherpadDB_MYSQL_PASSWORD}" "${etherpadDB_MYSQL_DATABASE}" etherpad mysql
;; ;;
framadate) framadate)
echo "save date" echo "save date"
saveDB ${framadateDBName} "${framadate_MYSQL_USER}" "${framadate_MYSQL_PASSWORD}" "${framadate_MYSQL_DATABASE}" framadate mysql . $KAZ_BIN_DIR/getPasswords.sh framadateDB
saveDB ${framadateDBName} "${framadateDB_MYSQL_USER}" "${framadateDB_MYSQL_PASSWORD}" "${framadateDB_MYSQL_DATABASE}" framadate mysql
;; ;;
cloud) cloud)
echo "save cloud" echo "save cloud"
saveDB ${nextcloudDBName} "${nextcloud_MYSQL_USER}" "${nextcloud_MYSQL_PASSWORD}" "${nextcloud_MYSQL_DATABASE}" nextcloud mysql . $KAZ_BIN_DIR/getPasswords.sh nextcloudDB
saveDB ${nextcloudDBName} "${nextcloudDB_MYSQL_USER}" "${nextcloudDB_MYSQL_PASSWORD}" "${nextcloudDB_MYSQL_DATABASE}" nextcloud mysql
;; ;;
paheko) paheko)
# rien à faire (fichiers) # rien à faire (fichiers)
;; ;;
mattermost) mattermost)
echo "save mattermost" echo "save mattermost"
saveDB matterPG "${mattermost_POSTGRES_USER}" "${mattermost_POSTGRES_PASSWORD}" "${mattermost_POSTGRES_DB}" mattermost postgres . $KAZ_BIN_DIR/getPasswords.sh mattermostDB
saveDB matterPG "${mattermostDB_POSTGRES_USER}" "${mattermostDB_POSTGRES_PASSWORD}" "${mattermostDB_POSTGRES_DB}" mattermost postgres
;; ;;
mobilizon) mobilizon)
echo "save mobilizon" echo "save mobilizon"
saveDB ${mobilizonDBName} "${mobilizon_POSTGRES_USER}" "${mobilizon_POSTGRES_PASSWORD}" "${mobilizon_POSTGRES_DB}" mobilizon postgres . $KAZ_BIN_DIR/getPasswords.sh mobilizonDB
saveDB ${mobilizonDBName} "${mobilizonDB_POSTGRES_USER}" "${mobilizonDB_POSTGRES_PASSWORD}" "${mobilizonDB_POSTGRES_DB}" mobilizon postgres
;; ;;
peertube) peertube)
echo "save peertube" echo "save peertube"
saveDB ${peertubeDBName} "${peertube_POSTGRES_USER}" "${peertube_POSTGRES_PASSWORD}" "${PEERTUBE_DB_HOSTNAME}" peertube postgres . $KAZ_BIN_DIR/getPasswords.sh peertubeDB
saveDB ${peertubeDBName} "${peertubeDB_POSTGRES_USER}" "${peertubeDB_POSTGRES_PASSWORD}" "${peertubeDB_PEERTUBE_DB_HOSTNAME}" peertube postgres
;; ;;
mastodon) mastodon)
echo "save mastodon" echo "save mastodon"
saveDB ${mastodonDBName} "${mastodon_POSTGRES_USER}" "${mastodon_POSTGRES_PASSWORD}" "${mastodon_POSTGRES_DB}" mastodon postgres . $KAZ_BIN_DIR/getPasswords.sh mastodonDB
saveDB ${mastodonDBName} "${mastodonDB_POSTGRES_USER}" "${mastodonDB_POSTGRES_PASSWORD}" "${mastodonDB_POSTGRES_DB}" mastodon postgres
;; ;;
roundcube) roundcube)
echo "save roundcube" echo "save roundcube"
saveDB ${roundcubeDBName} "${roundcube_MYSQL_USER}" "${roundcube_MYSQL_PASSWORD}" "${roundcube_MYSQL_DATABASE}" roundcube mysql . $KAZ_BIN_DIR/getPasswords.sh roundcubeDB
saveDB ${roundcubeDBName} "${roundcubeDB_MYSQL_USER}" "${roundcubeDB_MYSQL_PASSWORD}" "${roundcubeDB_MYSQL_DATABASE}" roundcube mysql
;; ;;
vaultwarden) vaultwarden)
echo "save vaultwarden" echo "save vaultwarden"
saveDB ${vaultwardenDBName} "${vaultwarden_MYSQL_USER}" "${vaultwarden_MYSQL_PASSWORD}" "${vaultwarden_MYSQL_DATABASE}" vaultwarden mysql . $KAZ_BIN_DIR/getPasswords.sh vaultwardenDB
saveDB ${vaultwardenDBName} "${vaultwardenDB_MYSQL_USER}" "${vaultwardenDB_MYSQL_PASSWORD}" "${vaultwardenDB_MYSQL_DATABASE}" vaultwarden mysql
;; ;;
dokuwiki) dokuwiki)
# rien à faire (fichiers) # rien à faire (fichiers)
@@ -247,15 +242,18 @@ saveComposes () {
echo "save ${ORGA}" echo "save ${ORGA}"
if grep -q "cloud:" "${KAZ_COMP_DIR}/${compose}/docker-compose.yml" 2> /dev/null ; then if grep -q "cloud:" "${KAZ_COMP_DIR}/${compose}/docker-compose.yml" 2> /dev/null ; then
echo " => cloud" echo " => cloud"
saveDB "${ORGA}-DB" "${nextcloud_MYSQL_USER}" "${nextcloud_MYSQL_PASSWORD}" "${nextcloud_MYSQL_DATABASE}" "${ORGA}-cloud" mysql . $KAZ_KEY_DIR/orgas/$ORGA/env-nextcloudDB
saveDB "${ORGA}-DB" "${MYSQL_USER}" "${MYSQL_PASSWORD}" "${MYSQL_DATABASE}" "${ORGA}-cloud" mysql
fi fi
if grep -q "agora:" "${KAZ_COMP_DIR}/${compose}/docker-compose.yml" 2> /dev/null ; then if grep -q "agora:" "${KAZ_COMP_DIR}/${compose}/docker-compose.yml" 2> /dev/null ; then
echo " => mattermost" echo " => mattermost"
saveDB "${ORGA}-DB" "${mattermost_MYSQL_USER}" "${mattermost_MYSQL_PASSWORD}" "${mattermost_MYSQL_DATABASE}" "${ORGA}-mattermost" mysql . $KAZ_KEY_DIR/orgas/$ORGA/env-mattermostDB
saveDB "${ORGA}-DB" "${MYSQL_USER}" "${MYSQL_PASSWORD}" "${MYSQL_DATABASE}" "${ORGA}-mattermost" mysql
fi fi
if grep -q "wordpress:" "${KAZ_COMP_DIR}/${compose}/docker-compose.yml" 2> /dev/null ; then if grep -q "wordpress:" "${KAZ_COMP_DIR}/${compose}/docker-compose.yml" 2> /dev/null ; then
echo " => wordpress" echo " => wordpress"
saveDB "${ORGA}-DB" "${wp_MYSQL_USER}" "${wp_MYSQL_PASSWORD}" "${wp_MYSQL_DATABASE}" "${ORGA}-wordpress" mysql . $KAZ_KEY_DIR/orgas/$ORGA/env-wpDB
saveDB "${ORGA}-DB" "${MYSQL_USER}" "${MYSQL_PASSWORD}" "${MYSQL_DATABASE}" "${ORGA}-wordpress" mysql
fi fi
;; ;;
esac esac
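Review bot: In the per-orga branch, `. $KAZ_KEY_DIR/orgas/$ORGA/env-nextcloudDB` (and the `env-mattermostDB` / `env-wpDB` equivalents) loads the generic names `MYSQL_USER`, `MYSQL_PASSWORD` and `MYSQL_DATABASE` into the running shell without checking that the file was read. A missing or incomplete env file therefore leaves the values from the previously sourced service or orga in place, and `saveDB` runs with another database's credentials. Quoting the path and scoping the load keeps each dump tied to its own file, for example `( . "${KAZ_KEY_DIR}/orgas/${ORGA}/env-nextcloudDB" && saveDB "${ORGA}-DB" "${MYSQL_USER}" "${MYSQL_PASSWORD}" "${MYSQL_DATABASE}" "${ORGA}-cloud" mysql )`, provided `saveDB` does not need to set state in the caller. These env files are executed as shell code, so their ownership and mode matter as much as their content. `saveComposes` begins and ends outside the hunks shown.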

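--- a/bin/createDBUsers.sh
+++ b/bin/createDBUsers.sh
@@ -0,0 +1,87 @@
+#!/bin/bash
+KAZ_ROOT=$(cd $(dirname $0)/..; pwd)
+. "${KAZ_ROOT}/bin/.commonFunctions.sh"
+setKazVars
+# pour mise au point
+# SIMU=echo
+# Améliorations à prévoir
+# - donner en paramètre les services concernés (pour limité les modifications)
+# - pour les DB si on déclare un nouveau login, alors les privilèges sont créé mais les anciens pas révoqués
+. "${DOCKERS_ENV}"
+. "${KAZ_KEY_DIR}/SetAllPass.sh"
+createMysqlUser(){
+# $1 = envName
+# $2 = containerName of DB
+. $KAZ_BIN_DIR/getPasswords.sh $1
+rootPass="$1_MYSQL_ROOT_PASSWORD"
+dbName="$1_MYSQL_DATABASE"
+userName="$1_MYSQL_USER"
+userPass="$1_MYSQL_PASSWORD"
+# seulement si pas de mdp pour root
+# pb oeuf et poule (il faudrait les anciennes valeurs) :
+# * si rootPass change, faire à la main
+# * si dbName change, faire à la main
+checkDockerRunning "$2" "$2" || return
+echo "change DB pass on docker $2"
+echo "grant all privileges on ${!dbName}.* to '${!userName}' identified by '${!userPass}';" | \
+docker exec -i $2 bash -c "mysql --user=root --password=${!rootPass}"
+}
+framadateUpdate(){
+[[ "${COMP_ENABLE}" =~ " framadate " ]] || return
+if [ ! -f "${DOCK_LIB}/volumes/framadate_dateConfig/_data/config.php" ]; then
+return 0
+fi
+.$KAZ_BIN_DIR/getPasswords.sh framadateDB framadateServ
+checkDockerRunning "${framadateServName}" "Framadate" &&
+${SIMU} docker exec -ti "${framadateServName}" bash -c -i "htpasswd -bc /var/framadate/admin/.htpasswd ${framadateServ_HTTPD_USER} ${framadateServ_HTTPD_PASSWORD}"
+${SIMU} sed -i \
+-e "s/^#*const DB_USER[ ]*=.*$/const DB_USER= '${framadateDB_MYSQL_USER}';/g" \
+-e "s/^#*const DB_PASSWORD[ ]*=.*$/const DB_PASSWORD= '${framadateDB_MYSQL_PASSWORD}';/g" \
+"${DOCK_LIB}/volumes/framadate_dateConfig/_data/config.php"
+}
+jirafeauUpdate(){
+[[ "${COMP_ENABLE}" =~ " jirafeau " ]] || return
+if [ ! -f "${DOCK_LIB}/volumes/jirafeau_fileConfig/_data/config.local.php" ]; then
+return 0
+fi
+. $KAZ_BIN_DIR/getPasswords.sh jirafeauServ
+SHA=$(echo -n "${jirafeauServ_HTTPD_PASSWORD}" | sha256sum | cut -d \ -f 1)
+${SIMU} sed -i \
+-e "s/'admin_password'[ ]*=>[ ]*'[^']*'/'admin_password' => '${SHA}'/g" \
+"${DOCK_LIB}/volumes/jirafeau_fileConfig/_data/config.local.php"
+}
+####################
+# main
+createMysqlUser "etherpadDB" "${etherpadDBName}"
+createMysqlUser "framadateDB" "${framadateDBName}"
+createMysqlUser "giteaDB" "${gitDBName}"
+createMysqlUser "mattermostDB" "${mattermostDBName}"
+createMysqlUser "nextcloudDB" "${nextcloudDBName}"
+createMysqlUser "roundcubeDB" "${roundcubeDBName}"
+createMysqlUser "sympaDB" "${sympaDBName}"
+createMysqlUser "vigiloDB" "${vigiloDBName}"
+createMysqlUser "wpDB" "${wordpressDBName}"
+createMysqlUser "vaultwardenDB" "${vaultwardenDBName}"
+createMysqlUser "castopodDB" "${castopodDBName}"
+createMysqlUser "spipDB" "${spipDBName}"
+createMysqlUser "mastodonDB" "${mastodonDBName}"
+framadateUpdate
+jirafeauUpdate
+exit 0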
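Review bot: In `framadateUpdate`, `.$KAZ_BIN_DIR/getPasswords.sh framadateDB framadateServ` has no space after the dot, so the shell tries to execute a path beginning with `.` instead of sourcing the helper. The `framadateServ_*` and `framadateDB_*` variables are then presumably empty, and the following `htpasswd -bc` and `sed -i` would write empty credentials into `.htpasswd` and `config.php`. It should read `. "$KAZ_BIN_DIR/getPasswords.sh" framadateDB framadateServ || return`. In `createMysqlUser` the root password is interpolated into `bash -c "mysql --user=root --password=${!rootPass}"`, which puts it in process listings and lets shell metacharacters in the value change the command; `MYSQL_PWD="${!rootPass}" docker exec -i -e MYSQL_PWD "$2" mysql --user=root` keeps it out of argv. The script also still sources `${KAZ_KEY_DIR}/SetAllPass.sh`, which this commit removes from the other scripts.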


@@ -1,104 +0,0 @@
#!/bin/bash
cd $(dirname $0)/..
mkdir -p emptySecret
rsync -aHAX --info=progress2 --delete secret/ emptySecret/
cd emptySecret/
. ../config/dockers.env
. ./SetAllPass.sh
# pour mise au point
# SIMU=echo
cleanEnvDB(){
# $1 = prefix
# $2 = envName
# $3 = containerName of DB
rootPass="--root_password--"
dbName="--database_name--"
userName="--user_name--"
userPass="--user_password--"
${SIMU} sed -i \
-e "s/MYSQL_ROOT_PASSWORD=.*/MYSQL_ROOT_PASSWORD=${rootPass}/g" \
-e "s/MYSQL_DATABASE=.*/MYSQL_DATABASE=${dbName}/g" \
-e "s/MYSQL_USER=.*/MYSQL_USER=${userName}/g" \
-e "s/MYSQL_PASSWORD=.*/MYSQL_PASSWORD=${userPass}/g" \
"$2"
}
cleanEnv(){
# $1 = prefix
# $2 = envName
for varName in $(grep "^[a-zA-Z_]*=" $2 | sed "s/^\([^=]*\)=.*/\1/g")
do
srcName="$1_${varName}"
srcVal="--clean_val--"
${SIMU} sed -i \
-e "s~^[ ]*${varName}=.*$~${varName}=${srcVal}~" \
"$2"
done
}
cleanPasswd(){
${SIMU} sed -i \
-e 's/^\([# ]*[^#= ]*\)=".[^{][^"]*"/\1="--clean_val--"/g' \
./SetAllPass.sh
}
####################
# main
# read -r -p "Do you want to remove all password? [Y/n] " input
# case $input in
# [yY][eE][sS]|[yY])
# echo "Remove all password"
# ;;
# [nN][oO]|[nN])
# echo "Abort"
# ;;
# *)
# echo "Invalid input..."
# exit 1
# ;;
# esac
cleanPasswd
cleanEnvDB "etherpad" "./env-${etherpadDBName}" "${etherpadDBName}"
cleanEnvDB "framadate" "./env-${framadateDBName}" "${framadateDBName}"
cleanEnvDB "git" "./env-${gitDBName}" "${gitDBName}"
cleanEnvDB "mattermost" "./env-${mattermostDBName}" "${mattermostDBName}"
cleanEnvDB "nextcloud" "./env-${nextcloudDBName}" "${nextcloudDBName}"
cleanEnvDB "roundcube" "./env-${roundcubeDBName}" "${roundcubeDBName}"
cleanEnvDB "sso" "./env-${ssoDBName}" "${ssoDBName}"
cleanEnvDB "sympa" "./env-${sympaDBName}" "${sympaDBName}"
cleanEnvDB "vigilo" "./env-${vigiloDBName}" "${vigiloDBName}"
cleanEnvDB "wp" "./env-${wordpressDBName}" "${wordpressDBName}"
cleanEnv "etherpad" "./env-${etherpadServName}"
cleanEnv "gandi" "./env-gandi"
cleanEnv "jirafeau" "./env-${jirafeauServName}"
cleanEnv "mattermost" "./env-${mattermostServName}"
cleanEnv "nextcloud" "./env-${nextcloudServName}"
cleanEnv "office" "./env-${officeServName}"
cleanEnv "roundcube" "./env-${roundcubeServName}"
cleanEnv "sso" "./env-${ssoServName}"
cleanEnv "vigilo" "./env-${vigiloServName}"
cleanEnv "wp" "./env-${wordpressServName}"
cat > allow_admin_ip <<EOF
# ip for admin access only
# local test
allow 127.0.0.0/8;
allow 192.168.0.0/16;
EOF
chmod -R go= .
chmod -R +X .


@@ -3,14 +3,13 @@
cd $(dirname $0) cd $(dirname $0)
./setOwner.sh ./setOwner.sh
./createEmptyPasswd.sh
cd ../.. cd ../..
FILE_NAME="/tmp/$(date +'%Y%M%d')-KAZ.tar.bz2" FILE_NAME="/tmp/$(date +'%Y%m%d')-KAZ.tar.bz2"
tar -cjf "${FILE_NAME}" --transform s/emptySecret/secret/ \ tar -cjf "${FILE_NAME}" --transform s/secret.tmpl/secret/ \
./kaz/emptySecret/ ./kaz/bin ./kaz/config ./kaz/dockers ./kaz/secret.tmpl/ ./kaz/bin ./kaz/config ./kaz/dockers
ls -l "${FILE_NAME}" ls -l "${FILE_NAME}"
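Review bot: `FILE_NAME="/tmp/$(date +'%Y%m%d')-KAZ.tar.bz2"` is a predictable name in a world-writable directory, and `tar -cjf` writes to whatever already exists at that path, so the archive can be redirected or pre-created by another local account. A private directory avoids this: `FILE_NAME="$(mktemp -d)/$(date +'%Y%m%d')-KAZ.tar.bz2"`. With the `./createEmptyPasswd.sh` scrub step gone, the archive is only free of secrets if `secret.tmpl` never holds real values, which is not visible from this hunk and is worth checking before the `tar` call. The transform `s/secret.tmpl/secret/` is unanchored and its dot matches any character; `--transform 's,^\./kaz/secret\.tmpl,./kaz/secret,'` limits it to the intended directory.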


@@ -37,7 +37,9 @@ setKazVars
cd "${KAZ_ROOT}" cd "${KAZ_ROOT}"
. "${DOCKERS_ENV}" . "${DOCKERS_ENV}"
. "${KAZ_KEY_DIR}/SetAllPass.sh"
. $KAZ_BIN_DIR/getPasswords.sh ldapServ sympaServ paheko
# DOCK_DIR="${KAZ_COMP_DIR}" # ??? # DOCK_DIR="${KAZ_COMP_DIR}" # ???
@@ -221,6 +223,7 @@ dos2unix "${TFILE_MM}"
echo "done" echo "done"
# se connecter à l'agora pour ensuite pouvoir passer toutes les commandes mmctl # se connecter à l'agora pour ensuite pouvoir passer toutes les commandes mmctl
. $KAZ_KEY_DIR/env-mattermostAdmin
echo "docker exec -i mattermostServ bin/mmctl auth login ${httpProto}://${URL_AGORA} --name local-server --username ${mattermost_user} --password ${mattermost_pass}" | tee -a "${CMD_INIT}" echo "docker exec -i mattermostServ bin/mmctl auth login ${httpProto}://${URL_AGORA} --name local-server --username ${mattermost_user} --password ${mattermost_pass}" | tee -a "${CMD_INIT}"
# vérif des emails # vérif des emails
@@ -393,9 +396,9 @@ nextcloudEnabled: TRUE\n\
nextcloudQuota: ${QUOTA} GB\n\ nextcloudQuota: ${QUOTA} GB\n\
mobilizonEnabled: TRUE\n\ mobilizonEnabled: TRUE\n\
agoraEnabled: TRUE\n\ agoraEnabled: TRUE\n\
userPassword: {CRYPT}${pass}\n\n' | ldapmodify -c -H ldap://${LDAP_IP} -D \"cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}\" -x -w ${ldap_LDAP_ADMIN_PASSWORD}" | tee -a "${CMD_LOGIN}" userPassword: {CRYPT}${pass}\n\n' | ldapmodify -c -H ldap://${LDAP_IP} -D \"cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}\" -x -w ${ldapServ_LDAP_ADMIN_PASSWORD}" | tee -a "${CMD_LOGIN}"
fi fi
#userPassword: {CRYPT}\$6\$${pass}\n\n\" | ldapmodify -c -H ldap://${LDAP_IP} -D \"cn=${ldap_LDAP_CONFIG_ADMIN_USERNAME},${ldap_root}\" -x -w ${ldap_LDAP_CONFIG_ADMIN_PASSWORD}" | tee -a "${CMD_LOGIN}" #userPassword: {CRYPT}\$6\$${pass}\n\n\" | ldapmodify -c -H ldap://${LDAP_IP} -D \"cn=${ldapServ_LDAP_CONFIG_ADMIN_USERNAME},${ldap_root}\" -x -w ${ldapServ_LDAP_CONFIG_ADMIN_PASSWORD}" | tee -a "${CMD_LOGIN}"
CREATE_ORGA_SERVICES="" CREATE_ORGA_SERVICES=""
@@ -424,15 +427,16 @@ userPassword: {CRYPT}${pass}\n\n' | ldapmodify -c -H ldap://${LDAP_IP} -D \"cn=$
MESSAGE_MAIL_ORGA_1="${MESSAGE_MAIL_ORGA_1}${NL}* un bureau virtuel pour stocker des fichiers/calendriers/contacts et partager avec vos connaissances : ${httpProto}://${URL_NC}" MESSAGE_MAIL_ORGA_1="${MESSAGE_MAIL_ORGA_1}${NL}* un bureau virtuel pour stocker des fichiers/calendriers/contacts et partager avec vos connaissances : ${httpProto}://${URL_NC}"
# le user existe t-il déjà sur NC ? # le user existe t-il déjà sur NC ?
curl -o "${TEMP_USER_NC}" -X GET -H 'OCS-APIRequest:true' "${httpProto}://admin:${nextcloud_NEXTCLOUD_ADMIN_PASSWORD}@${URL_NC}/ocs/v1.php/cloud/users?search=${IDENT_KAZ}" . $KAZ_KEY_DIR/env-nextcloudServ
curl -o "${TEMP_USER_NC}" -X GET -H 'OCS-APIRequest:true' "${httpProto}://${NEXTCLOUD_ADMIN_USER}:${NEXTCLOUD_ADMIN_PASSWORD}@${URL_NC}/ocs/v1.php/cloud/users?search=${IDENT_KAZ}"
if grep -q "<element>${IDENT_KAZ}</element>" "${TEMP_USER_NC}"; then if grep -q "<element>${IDENT_KAZ}</element>" "${TEMP_USER_NC}"; then
echo "${IDENT_KAZ} existe déjà sur ${URL_NC}" | tee -a "${LOG}" echo "${IDENT_KAZ} existe déjà sur ${URL_NC}" | tee -a "${LOG}"
else else
# on créé l'utilisateur sur NC sauf si c'est le NC général, on ne créé jamais l'utilisateur7 # on créé l'utilisateur sur NC sauf si c'est le NC général, on ne créé jamais l'utilisateur7
if [ ${URL_NC} != "${cloudHost}.${domain}" ]; then if [ ${URL_NC} != "${cloudHost}.${domain}" ]; then
. $KAZ_KEY_DIR/orgas/$ORGA/env-nextcloudServ
echo "curl -X POST -H 'OCS-APIRequest:true' ${httpProto}://admin:${nextcloud_NEXTCLOUD_ADMIN_PASSWORD}@${URL_NC}/ocs/v1.php/cloud/users \ echo "curl -X POST -H 'OCS-APIRequest:true' ${httpProto}://${NEXTCLOUD_ADMIN_USER}:${NEXTCLOUD_ADMIN_PASSWORD}@${URL_NC}/ocs/v1.php/cloud/users \
-d userid='${IDENT_KAZ}' \ -d userid='${IDENT_KAZ}' \
-d displayName='${PRENOM} ${NOM}' \ -d displayName='${PRENOM} ${NOM}' \
-d password='${PASSWORD}' \ -d password='${PASSWORD}' \
@@ -445,19 +449,22 @@ userPassword: {CRYPT}${pass}\n\n' | ldapmodify -c -H ldap://${LDAP_IP} -D \"cn=$
# s'il est admin de son orga, on le met admin # s'il est admin de son orga, on le met admin
if [ "${service[ADMIN_ORGA]}" == "O" -a "${ORGA}" != "" -a "${service[NC_ORGA]}" == "O" ]; then if [ "${service[ADMIN_ORGA]}" == "O" -a "${ORGA}" != "" -a "${service[NC_ORGA]}" == "O" ]; then
echo "curl -X POST -H 'OCS-APIRequest:true' ${httpProto}://${nextcloud_NEXTCLOUD_ADMIN_USER}:${nextcloud_NEXTCLOUD_ADMIN_PASSWORD}@${URL_NC}/ocs/v1.php/cloud/users/${IDENT_KAZ}/groups -d groupid='admin'" | tee -a "${CMD_INIT}" . $KAZ_KEY_DIR/orgas/$ORGA/env-nextcloudServ
echo "curl -X POST -H 'OCS-APIRequest:true' ${httpProto}://${NEXTCLOUD_ADMIN_USER}:${NEXTCLOUD_ADMIN_PASSWORD}@${URL_NC}/ocs/v1.php/cloud/users/${IDENT_KAZ}/groups -d groupid='admin'" | tee -a "${CMD_INIT}"
fi fi
# faut-il mettre le user NC dans un groupe particulier sur le NC de base ? # faut-il mettre le user NC dans un groupe particulier sur le NC de base ?
if [ "${GROUPE_NC_BASE}" != "" -a "${service[NC_BASE]}" == "O" ]; then if [ "${GROUPE_NC_BASE}" != "" -a "${service[NC_BASE]}" == "O" ]; then
# ici on travaille à nouveau sur le NC commun, donc on rechoppe les bons mdp
. $KAZ_KEY_DIR/env-nextcloudServ
# le groupe existe t-il déjà ? # le groupe existe t-il déjà ?
curl -o "${TEMP_GROUP_NC}" -X GET -H 'OCS-APIRequest:true' "${httpProto}://admin:${nextcloud_NEXTCLOUD_ADMIN_PASSWORD}@${URL_NC}/ocs/v1.php/cloud/groups?search=${GROUPE_NC_BASE}" curl -o "${TEMP_GROUP_NC}" -X GET -H 'OCS-APIRequest:true' "${httpProto}://${NEXTCLOUD_ADMIN_USER}:${NEXTCLOUD_ADMIN_PASSWORD}@${URL_NC}/ocs/v1.php/cloud/groups?search=${GROUPE_NC_BASE}"
nb=$(grep "<element>${GROUPE_NC_BASE}</element>" "${TEMP_GROUP_NC}" | wc -l) nb=$(grep "<element>${GROUPE_NC_BASE}</element>" "${TEMP_GROUP_NC}" | wc -l)
if [ "${nb}" == "0" ];then if [ "${nb}" == "0" ];then
echo "curl -X POST -H 'OCS-APIRequest:true' ${httpProto}://admin:${nextcloud_NEXTCLOUD_ADMIN_PASSWORD}@${URL_NC}/ocs/v1.php/cloud/groups -d groupid=${GROUPE_NC_BASE}" | tee -a "${CMD_INIT}" echo "curl -X POST -H 'OCS-APIRequest:true' ${httpProto}://${NEXTCLOUD_ADMIN_USER}:${NEXTCLOUD_ADMIN_PASSWORD}@${URL_NC}/ocs/v1.php/cloud/groups -d groupid=${GROUPE_NC_BASE}" | tee -a "${CMD_INIT}"
fi fi
# puis attacher le user au groupe # puis attacher le user au groupe
echo "curl -X POST -H 'OCS-APIRequest:true' ${httpProto}://admin:${nextcloud_NEXTCLOUD_ADMIN_PASSWORD}@${URL_NC}/ocs/v1.php/cloud/users/${IDENT_KAZ}/groups -d groupid=${GROUPE_NC_BASE}" | tee -a "${CMD_INIT}" echo "curl -X POST -H 'OCS-APIRequest:true' ${httpProto}://${NEXTCLOUD_ADMIN_USER}:${NEXTCLOUD_ADMIN_PASSWORD}@${URL_NC}/ocs/v1.php/cloud/users/${IDENT_KAZ}/groups -d groupid=${GROUPE_NC_BASE}" | tee -a "${CMD_INIT}"
fi fi
fi fi
@@ -483,7 +490,8 @@ userPassword: {CRYPT}${pass}\n\n' | ldapmodify -c -H ldap://${LDAP_IP} -D \"cn=$
# TODO : vérif existance user # TODO : vérif existance user
# # le user existe t-il déjà sur le wp ? # # le user existe t-il déjà sur le wp ?
# curl -o "${TEMP_USER_WP}" -X GET "${httpProto}://${wp_WORDPRESS_ADMIN_USER}:${wp_WORDPRESS_ADMIN_PASSWORD}@${URL_WP_ORGA}/ocs/v1.php/cloud/users?search=${IDENT_KAZ}" # . $KAZ_BIN_DIR/getPasswords.sh wpServ
# curl -o "${TEMP_USER_WP}" -X GET "${httpProto}://${wpServ_WORDPRESS_ADMIN_USER}:${wpServ_WORDPRESS_ADMIN_PASSWORD}@${URL_WP_ORGA}/ocs/v1.php/cloud/users?search=${IDENT_KAZ}"
# nb_user_wp_orga=$(grep "<element>${IDENT_KAZ}</element>" "${TEMP_USER_WP}" | wc -l) # nb_user_wp_orga=$(grep "<element>${IDENT_KAZ}</element>" "${TEMP_USER_WP}" | wc -l)
# if [ "${nb_user_wp_orga}" != "0" ];then # if [ "${nb_user_wp_orga}" != "0" ];then
# ( # (
@@ -501,7 +509,7 @@ userPassword: {CRYPT}${pass}\n\n' | ldapmodify -c -H ldap://${LDAP_IP} -D \"cn=$
# ) | tee -a "${LOG}" # ) | tee -a "${LOG}"
# #
# # on supprime l'utilisateur sur NC. # # on supprime l'utilisateur sur NC.
# echo "curl -X DELETE -H 'OCS-APIRequest:true' ${httpProto}://admin:${nextcloud_NEXTCLOUD_ADMIN_PASSWORD}@${URL_NC}/ocs/v1.php/cloud/users \ # echo "curl -X DELETE -H 'OCS-APIRequest:true' ${httpProto}://admin:${NEXTCLOUD_ADMIN_PASSWORD}@${URL_NC}/ocs/v1.php/cloud/users \
# -d userid='${IDENT_KAZ}' \ # -d userid='${IDENT_KAZ}' \
# " | tee -a "${CMD_INIT}" # " | tee -a "${CMD_INIT}"
# fi # fi
@@ -619,13 +627,13 @@ userPassword: {CRYPT}${pass}\n\n' | ldapmodify -c -H ldap://${LDAP_IP} -D \"cn=$
# docker exec -i sympaServ /usr/lib/sympa/bin/sympa_soap_client.pl --soap_url=https://listes.kaz.sns/sympasoap --trusted_application=SOAP_USER --trusted_application_password=SOAP_PASSWORD --proxy_vars="USER_EMAIL=contact1@kaz.sns" --service=which # docker exec -i sympaServ /usr/lib/sympa/bin/sympa_soap_client.pl --soap_url=https://listes.kaz.sns/sympasoap --trusted_application=SOAP_USER --trusted_application_password=SOAP_PASSWORD --proxy_vars="USER_EMAIL=contact1@kaz.sns" --service=which
if [[ "${mode}" = "dev" ]]; then if [[ "${mode}" = "dev" ]]; then
echo "# DEV, on teste l'inscription à sympa"| tee -a "${CMD_SYMPA}" echo "# DEV, on teste l'inscription à sympa"| tee -a "${CMD_SYMPA}"
LISTMASTER=$(echo ${sympa_LISTMASTERS} | cut -d',' -f1) LISTMASTER=$(echo ${sympaServ_LISTMASTERS} | cut -d',' -f1)
echo "docker exec -i sympaServ /usr/lib/sympa/bin/sympa_soap_client.pl --soap_url=${httpProto}://${URL_LISTE}/sympasoap --trusted_application=${sympa_SOAP_USER} --trusted_application_password=${sympa_SOAP_PASSWORD} --proxy_vars=\"USER_EMAIL=${LISTMASTER}\" --service=add --service_parameters=\"${NL_LIST},${EMAIL_SOUHAITE}\"" | tee -a "${CMD_SYMPA}" echo "docker exec -i sympaServ /usr/lib/sympa/bin/sympa_soap_client.pl --soap_url=${httpProto}://${URL_LISTE}/sympasoap --trusted_application=${sympaServ_SOAP_USER} --trusted_application_password=${sympaServ_SOAP_PASSWORD} --proxy_vars=\"USER_EMAIL=${LISTMASTER}\" --service=add --service_parameters=\"${NL_LIST},${EMAIL_SOUHAITE}\"" | tee -a "${CMD_SYMPA}"
else else
echo "# PROD, on inscrit à sympa"| tee -a "${CMD_SYMPA}" echo "# PROD, on inscrit à sympa"| tee -a "${CMD_SYMPA}"
LISTMASTER=$(echo ${sympa_LISTMASTERS} | cut -d',' -f1) LISTMASTER=$(echo ${sympaServ_LISTMASTERS} | cut -d',' -f1)
echo "docker exec -i sympaServ /usr/lib/sympa/bin/sympa_soap_client.pl --soap_url=${httpProto}://${URL_LISTE}/sympasoap --trusted_application=${sympa_SOAP_USER} --trusted_application_password=${sympa_SOAP_PASSWORD} --proxy_vars=\"USER_EMAIL=${LISTMASTER}\" --service=add --service_parameters=\"${NL_LIST},${EMAIL_SOUHAITE}\"" | tee -a "${CMD_SYMPA}" echo "docker exec -i sympaServ /usr/lib/sympa/bin/sympa_soap_client.pl --soap_url=${httpProto}://${URL_LISTE}/sympasoap --trusted_application=${sympaServ_SOAP_USER} --trusted_application_password=${sympaServ_SOAP_PASSWORD} --proxy_vars=\"USER_EMAIL=${LISTMASTER}\" --service=add --service_parameters=\"${NL_LIST},${EMAIL_SOUHAITE}\"" | tee -a "${CMD_SYMPA}"
echo "docker exec -i sympaServ /usr/lib/sympa/bin/sympa_soap_client.pl --soap_url=${httpProto}://${URL_LISTE}/sympasoap --trusted_application=${sympa_SOAP_USER} --trusted_application_password=${sympa_SOAP_PASSWORD} --proxy_vars=\"USER_EMAIL=${LISTMASTER}\" --service=add --service_parameters=\"${NL_LIST},${EMAIL_SECOURS}\"" | tee -a "${CMD_SYMPA}" echo "docker exec -i sympaServ /usr/lib/sympa/bin/sympa_soap_client.pl --soap_url=${httpProto}://${URL_LISTE}/sympasoap --trusted_application=${sympaServ_SOAP_USER} --trusted_application_password=${sympaServ_SOAP_PASSWORD} --proxy_vars=\"USER_EMAIL=${LISTMASTER}\" --service=add --service_parameters=\"${NL_LIST},${EMAIL_SECOURS}\"" | tee -a "${CMD_SYMPA}"
fi fi
if [ "${service[ADMIN_ORGA]}" == "O" ]; then if [ "${service[ADMIN_ORGA]}" == "O" ]; then
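Review bot: The Nextcloud calls now depend on which env file was sourced last: `. $KAZ_KEY_DIR/env-nextcloudServ` and `. $KAZ_KEY_DIR/orgas/$ORGA/env-nextcloudServ` both set the same `NEXTCLOUD_ADMIN_USER` / `NEXTCLOUD_ADMIN_PASSWORD`, and neither load is checked. If the per-orga file is missing, the common instance's admin credentials stay in place and are written into the `curl` line for the orga host. The first existence check also appears to query `${URL_NC}` with the common credentials even when it is an orga instance; `URL_NC` is set outside these hunks, so this needs confirming. Quote and check each load, e.g. `. "${KAZ_KEY_DIR}/orgas/${ORGA}/env-nextcloudServ" || exit 1`, and consider per-scope variable names so a stale value cannot be reused. The generated commands carry the admin password in the URL and are copied by `tee` to `${CMD_INIT}` and the terminal, so that file needs a restrictive mode.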


@@ -7,7 +7,6 @@ KAZ_ROOT=$(cd "$(dirname $0)"/..; pwd)
. $KAZ_ROOT/bin/.commonFunctions.sh . $KAZ_ROOT/bin/.commonFunctions.sh
setKazVars setKazVars
. $DOCKERS_ENV . $DOCKERS_ENV
. $KAZ_ROOT/secret/SetAllPass.sh
. $KAZ_ROOT/secret/env-kaz . $KAZ_ROOT/secret/env-kaz
PRG=$(basename $0) PRG=$(basename $0)


@@ -7,7 +7,7 @@ KAZ_ROOT=$(cd "$(dirname $0)"/..; pwd)
. $KAZ_ROOT/bin/.commonFunctions.sh . $KAZ_ROOT/bin/.commonFunctions.sh
setKazVars setKazVars
. $DOCKERS_ENV . $DOCKERS_ENV
. $KAZ_ROOT/secret/SetAllPass.sh
PRG=$(basename $0) PRG=$(basename $0)


@@ -8,7 +8,7 @@ KAZ_ROOT=$(cd "$(dirname $0)"/..; pwd)
setKazVars setKazVars
. $DOCKERS_ENV . $DOCKERS_ENV
. $KAZ_ROOT/secret/SetAllPass.sh . $KAZ_BIN_DIR/getPasswords.sh ldapServ nextcloudServ sympaServ paheko
VERSION="18-05-2025" VERSION="18-05-2025"
PRG=$(basename $0) PRG=$(basename $0)
@@ -24,7 +24,7 @@ URL_PAHEKO="$httpProto://${paheko_API_USER}:${paheko_API_PASSWORD}@kaz-paheko.$(
NL_LIST=infos@listes.kaz.bzh NL_LIST=infos@listes.kaz.bzh
URL_AGORA_API=${URL_AGORA}/api/v4 URL_AGORA_API=${URL_AGORA}/api/v4
EQUIPE=kaz EQUIPE=kaz
LISTMASTER=$(echo ${sympa_LISTMASTERS} | cut -d',' -f1) LISTMASTER=$(echo ${sympaServ_LISTMASTERS} | cut -d',' -f1)
#### Test du serveur sur lequel s' execute le script #### #### Test du serveur sur lequel s' execute le script ####
@@ -47,6 +47,8 @@ rm -rf /tmp/*.json
############################################ Fonctions ####################################################### ############################################ Fonctions #######################################################
ExpMail() { ExpMail() {
. $KAZ_KEY_DIR/env-mail
MAIL_DEST=$1 MAIL_DEST=$1
MAIL_SUJET=$2 MAIL_SUJET=$2
MAIL_TEXTE=$3 MAIL_TEXTE=$3
@@ -58,6 +60,7 @@ ExpMail() {
} }
PostMattermost() { PostMattermost() {
. $KAZ_KEY_DIR/env-mattermostAdmin
PostM=$1 PostM=$1
CHANNEL=$2 CHANNEL=$2
TEAMID=$(curl -s -H "Authorization: Bearer ${mattermost_token}" "${URL_AGORA_API}/teams/name/${EQUIPE}" | jq .id | sed -e 's/"//g') TEAMID=$(curl -s -H "Authorization: Bearer ${mattermost_token}" "${URL_AGORA_API}/teams/name/${EQUIPE}" | jq .id | sed -e 's/"//g')
@@ -91,8 +94,8 @@ searchEmail() {
fi fi
done done
ldapsearch -H ldap://${LDAP_IP} \ ldapsearch -H ldap://${LDAP_IP} \
-x -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" \ -x -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" \
-w "${ldap_LDAP_ADMIN_PASSWORD}" \ -w "${ldapServ_LDAP_ADMIN_PASSWORD}" \
-b "${ldap_root}" "(&(objectclass=${SEARCH_OBJECT_CLASS})(cn=*${RMAIL}*))" cn | grep ^cn | sed -e 's/^cn: //' >$TFILE_EMAILS -b "${ldap_root}" "(&(objectclass=${SEARCH_OBJECT_CLASS})(cn=*${RMAIL}*))" cn | grep ^cn | sed -e 's/^cn: //' >$TFILE_EMAILS
COMPTEUR_LIGNE=0 COMPTEUR_LIGNE=0
while read LIGNE while read LIGNE
@@ -136,6 +139,7 @@ searchEmail() {
searchMattermost() { searchMattermost() {
#Ici $1 est une adresse email #Ici $1 est une adresse email
. $KAZ_KEY_DIR/env-mattermostAdmin
docker exec -ti ${mattermostServName} bin/mmctl --suppress-warnings auth login $httpProto://$URL_AGORA --name local-server --username $mattermost_user --password $mattermost_pass >/dev/null 2>&1 docker exec -ti ${mattermostServName} bin/mmctl --suppress-warnings auth login $httpProto://$URL_AGORA --name local-server --username $mattermost_user --password $mattermost_pass >/dev/null 2>&1
docker exec -ti ${mattermostServName} bin/mmctl --suppress-warnings config set ServiceSettings.EnableAPIUserDeletion "true" >/dev/null 2>&1 docker exec -ti ${mattermostServName} bin/mmctl --suppress-warnings config set ServiceSettings.EnableAPIUserDeletion "true" >/dev/null 2>&1
#on créé la list des mails dans mattermost #on créé la list des mails dans mattermost
@@ -182,12 +186,12 @@ infoEmail() {
printKazMsg " DETAILS DU COMPTE DANS NEXTCLOUD PRINCIPAL" printKazMsg " DETAILS DU COMPTE DANS NEXTCLOUD PRINCIPAL"
echo -e "" echo -e ""
#TEMP_USER_NC=$(mktemp /tmp/$RACINE.XXXXXXXXX.TEMP_USER_NC) #TEMP_USER_NC=$(mktemp /tmp/$RACINE.XXXXXXXXX.TEMP_USER_NC)
#curl -s -o $TEMP_USER_NC -X GET -H 'OCS-APIRequest:true' $httpProto://admin:$nextcloud_NEXTCLOUD_ADMIN_PASSWORD@$URL_NC/ocs/v1.php/cloud/users?search=$CHOIX_MAIL #curl -s -o $TEMP_USER_NC -X GET -H 'OCS-APIRequest:true' $httpProto://admin:$nextcloudServ_NEXTCLOUD_ADMIN_PASSWORD@$URL_NC/ocs/v1.php/cloud/users?search=$CHOIX_MAIL
#cat $TEMP_USER_NC | grep -i "element" | sed -e s/[\<\>\/]//g | sed -e s/element//g #cat $TEMP_USER_NC | grep -i "element" | sed -e s/[\<\>\/]//g | sed -e s/element//g
echo -ne "${NC}" echo -ne "${NC}"
echo -ne " - Nextcloud enable : " echo -ne " - Nextcloud enable : "
echo -ne "${GREEN}" echo -ne "${GREEN}"
ldapsearch -H ldap://${LDAP_IP} -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w "${ldap_LDAP_ADMIN_PASSWORD}" -b "cn=${CHOIX_MAIL},ou=users,${ldap_root}" | grep -i nextcloudEnabled | cut -c 18-30 ldapsearch -H ldap://${LDAP_IP} -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w "${ldapServ_LDAP_ADMIN_PASSWORD}" -b "cn=${CHOIX_MAIL},ou=users,${ldap_root}" | grep -i nextcloudEnabled | cut -c 18-30
echo -ne "${NC}" echo -ne "${NC}"
echo -e "${NC} ------------------------------------------------" echo -e "${NC} ------------------------------------------------"
printKazMsg " DETAILS DU COMPTE DANS LDAP ET PAHEKO" printKazMsg " DETAILS DU COMPTE DANS LDAP ET PAHEKO"
@@ -203,11 +207,11 @@ infoEmail() {
echo -ne "${NC}" echo -ne "${NC}"
echo -n " - Quota Mail (Ldap) : " echo -n " - Quota Mail (Ldap) : "
echo -ne "${GREEN}" echo -ne "${GREEN}"
ldapsearch -H ldap://${LDAP_IP} -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w "${ldap_LDAP_ADMIN_PASSWORD}" -b "cn=${CHOIX_MAIL},ou=users,${ldap_root}" | grep -i mailquota | cut -c 11-60 ldapsearch -H ldap://${LDAP_IP} -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w "${ldapServ_LDAP_ADMIN_PASSWORD}" -b "cn=${CHOIX_MAIL},ou=users,${ldap_root}" | grep -i mailquota | cut -c 11-60
echo -ne "${NC}" echo -ne "${NC}"
echo -n " - Quota Nextcloud (Ldap) : " echo -n " - Quota Nextcloud (Ldap) : "
echo -ne "${GREEN}" echo -ne "${GREEN}"
ldapsearch -H ldap://${LDAP_IP} -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w "${ldap_LDAP_ADMIN_PASSWORD}" -b "cn=${CHOIX_MAIL},ou=users,${ldap_root}" | grep -i nextcloudquota | cut -c 17-60 ldapsearch -H ldap://${LDAP_IP} -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w "${ldapServ_LDAP_ADMIN_PASSWORD}" -b "cn=${CHOIX_MAIL},ou=users,${ldap_root}" | grep -i nextcloudquota | cut -c 17-60
echo -ne "${NC}" echo -ne "${NC}"
echo -n " - Mail de secours (Paheko ): " echo -n " - Mail de secours (Paheko ): "
echo -ne "${GREEN}" echo -ne "${GREEN}"
@@ -215,11 +219,11 @@ infoEmail() {
echo -ne "${NC}" echo -ne "${NC}"
echo -n " - Mail de secours (Ldap): " echo -n " - Mail de secours (Ldap): "
echo -ne "${GREEN}" echo -ne "${GREEN}"
ldapsearch -H ldap://${LDAP_IP} -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w "${ldap_LDAP_ADMIN_PASSWORD}" -b "cn=${CHOIX_MAIL},ou=users,${ldap_root}" | grep -i maildeSecours | sed -e 's/mailDeSecours://' ldapsearch -H ldap://${LDAP_IP} -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w "${ldapServ_LDAP_ADMIN_PASSWORD}" -b "cn=${CHOIX_MAIL},ou=users,${ldap_root}" | grep -i maildeSecours | sed -e 's/mailDeSecours://'
echo -ne "${NC}" echo -ne "${NC}"
echo -n " - Alias (Ldap) : " echo -n " - Alias (Ldap) : "
echo -ne "${GREEN}" echo -ne "${GREEN}"
LDAP_ALIAS=$(ldapsearch -H ldap://${LDAP_IP} -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w "${ldap_LDAP_ADMIN_PASSWORD}" -b "cn=${CHOIX_MAIL},ou=users,${ldap_root}" | grep -i alias | cut -c 11-60) LDAP_ALIAS=$(ldapsearch -H ldap://${LDAP_IP} -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w "${ldapServ_LDAP_ADMIN_PASSWORD}" -b "cn=${CHOIX_MAIL},ou=users,${ldap_root}" | grep -i alias | cut -c 11-60)
echo -ne "${NC}" echo -ne "${NC}"
echo -ne "${GREEN}" echo -ne "${GREEN}"
for ldap_alias in ${LDAP_ALIAS} for ldap_alias in ${LDAP_ALIAS}
@@ -239,8 +243,8 @@ infoEmail() {
echo "------------------------------------------------" echo "------------------------------------------------"
echo " Alias : ${CHOIX_MAIL} " echo " Alias : ${CHOIX_MAIL} "
echo "" echo ""
for INFOALIAS in $(ldapsearch -H ldap://${LDAP_IP} -x -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" \ for INFOALIAS in $(ldapsearch -H ldap://${LDAP_IP} -x -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" \
-w "${ldap_LDAP_ADMIN_PASSWORD}" -b "${ldap_root}" "(&(objectclass=PostfixBookMailForward)(cn=*${CHOIX_MAIL}*))" mail \ -w "${ldapServ_LDAP_ADMIN_PASSWORD}" -b "${ldap_root}" "(&(objectclass=PostfixBookMailForward)(cn=*${CHOIX_MAIL}*))" mail \
| grep ^mail: | sed -e 's/^mail://') | grep ^mail: | sed -e 's/^mail://')
do do
echo -ne "=====> ${GREEN} " echo -ne "=====> ${GREEN} "
@@ -307,12 +311,12 @@ searchDestroy() {
fi fi
echo -e "${NC}" echo -e "${NC}"
echo -e "Recherche de ${GREEN} ${REP_SEARCH_DESTROY} ${NC} dans nextcloud" echo -e "Recherche de ${GREEN} ${REP_SEARCH_DESTROY} ${NC} dans nextcloud"
USER_NEXTCLOUD_SUPPR=$(curl -s -X GET -H 'OCS-APIRequest:true' $httpProto://admin:$nextcloud_NEXTCLOUD_ADMIN_PASSWORD@$URL_NC/ocs/v1.php/cloud/users?search=${REP_SEARCH_DESTROY} | grep element | sed -s 's/[ \<\>\/]//g' | sed 's/element//g') USER_NEXTCLOUD_SUPPR=$(curl -s -X GET -H 'OCS-APIRequest:true' $httpProto://admin:$nextcloudServ_NEXTCLOUD_ADMIN_PASSWORD@$URL_NC/ocs/v1.php/cloud/users?search=${REP_SEARCH_DESTROY} | grep element | sed -s 's/[ \<\>\/]//g' | sed 's/element//g')
if [ ! -z ${USER_NEXTCLOUD_SUPPR} ] if [ ! -z ${USER_NEXTCLOUD_SUPPR} ]
then then
printKazMsg "le user trouvé est : ${USER_NEXTCLOUD_SUPPR}" printKazMsg "le user trouvé est : ${USER_NEXTCLOUD_SUPPR}"
echo -e "${RED} Suppresion de ${USER_NEXTCLOUD_SUPPR}" echo -e "${RED} Suppresion de ${USER_NEXTCLOUD_SUPPR}"
curl -H 'OCS-APIREQUEST: true' -X DELETE $httpProto://admin:$nextcloud_NEXTCLOUD_ADMIN_PASSWORD@$URL_NC/ocs/v1.php/cloud/users/${USER_NEXTCLOUD_SUPPR} >/dev/null 2>&1 curl -H 'OCS-APIREQUEST: true' -X DELETE $httpProto://admin:$nextcloudServ_NEXTCLOUD_ADMIN_PASSWORD@$URL_NC/ocs/v1.php/cloud/users/${USER_NEXTCLOUD_SUPPR} >/dev/null 2>&1
if [ "$?" -eq "0" ] if [ "$?" -eq "0" ]
then then
printKazMsg "Suppresion ok" printKazMsg "Suppresion ok"
@@ -327,7 +331,7 @@ searchDestroy() {
echo -e "${RED} suppression de ${REP_SEARCH_DESTROY} dans la liste info de sympa" echo -e "${RED} suppression de ${REP_SEARCH_DESTROY} dans la liste info de sympa"
echo -e "${NC}" echo -e "${NC}"
echo "" echo ""
docker exec -ti sympaServ /usr/lib/sympa/bin/sympa_soap_client.pl --soap_url=${httpProto}://${URL_LISTE}/sympasoap --trusted_application=${sympa_SOAP_USER} --trusted_application_password=${sympa_SOAP_PASSWORD} --proxy_vars=USER_EMAIL=${LISTMASTER} --service=del --service_parameters="${NL_LIST},${REP_SEARCH_DESTROY}" docker exec -ti sympaServ /usr/lib/sympa/bin/sympa_soap_client.pl --soap_url=${httpProto}://${URL_LISTE}/sympasoap --trusted_application=${sympaServ_SOAP_USER} --trusted_application_password=${sympaServ_SOAP_PASSWORD} --proxy_vars=USER_EMAIL=${LISTMASTER} --service=del --service_parameters="${NL_LIST},${REP_SEARCH_DESTROY}"
echo -e "${NC}" echo -e "${NC}"
echo "" echo ""
echo -e "${RED} suppression de ${REP_SEARCH_DESTROY} dans le serveur de mail" echo -e "${RED} suppression de ${REP_SEARCH_DESTROY} dans le serveur de mail"
@@ -344,7 +348,7 @@ searchDestroy() {
echo -e "${RED} suppression de ${REP_SEARCH_DESTROY} dans le ldap" echo -e "${RED} suppression de ${REP_SEARCH_DESTROY} dans le ldap"
echo -e "${NC}" echo -e "${NC}"
echo "" echo ""
ldapdelete -H ldap://${LDAP_IP} -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w "${ldap_LDAP_ADMIN_PASSWORD}" "cn=${REP_SEARCH_DESTROY},ou=users,${ldap_root}" ldapdelete -H ldap://${LDAP_IP} -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w "${ldapServ_LDAP_ADMIN_PASSWORD}" "cn=${REP_SEARCH_DESTROY},ou=users,${ldap_root}"
if [ "$?" -eq "0" ] if [ "$?" -eq "0" ]
then then
printKazMsg "Suppresion ok" printKazMsg "Suppresion ok"
@@ -377,8 +381,8 @@ gestPassword() {
# MAIL_SECOURS=$(jq .results[].email_secours $FICMAILSECOURS | sed -e 's/\"//g') # MAIL_SECOURS=$(jq .results[].email_secours $FICMAILSECOURS | sed -e 's/\"//g')
MAIL_SECOURS=$(ldapsearch -H ldap://${LDAP_IP} \ MAIL_SECOURS=$(ldapsearch -H ldap://${LDAP_IP} \
-x -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" \ -x -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" \
-w "${ldap_LDAP_ADMIN_PASSWORD}" \ -w "${ldapServ_LDAP_ADMIN_PASSWORD}" \
-b "${ldap_root}" "(&(objectclass=inetOrgPerson)(cn=*${CHOIX_MAIL}*))" | grep ^mailDeSecours | sed -e 's/^mailDeSecours: //') -b "${ldap_root}" "(&(objectclass=inetOrgPerson)(cn=*${CHOIX_MAIL}*))" | grep ^mailDeSecours | sed -e 's/^mailDeSecours: //')
if [ "$MAIL_SECOURS" = "" ] if [ "$MAIL_SECOURS" = "" ]
then then
@@ -405,19 +409,19 @@ gestPassword() {
fi fi
if [ "$SEARCH_RESET_INPUT" = "o" ] || [ "$SEARCH_RESET_INPUT" = "O" ] if [ "$SEARCH_RESET_INPUT" = "o" ] || [ "$SEARCH_RESET_INPUT" = "O" ]
then then
USER_NEXTCLOUD_MODIF=$(curl -s -X GET -H 'OCS-APIRequest:true' $httpProto://admin:$nextcloud_NEXTCLOUD_ADMIN_PASSWORD@$URL_NC/ocs/v1.php/cloud/users?search=${COMPTE_A_MODIFIER} | grep element | sed -e 's/[ \<\>\/]//g' -e 's/element//g') USER_NEXTCLOUD_MODIF=$(curl -s -X GET -H 'OCS-APIRequest:true' $httpProto://admin:$nextcloudServ_NEXTCLOUD_ADMIN_PASSWORD@$URL_NC/ocs/v1.php/cloud/users?search=${COMPTE_A_MODIFIER} | grep element | sed -e 's/[ \<\>\/]//g' -e 's/element//g')
echo -e "$GREEN Compte à modifier = $RED ${COMPTE_A_MODIFIER} ${NC}" echo -e "$GREEN Compte à modifier = $RED ${COMPTE_A_MODIFIER} ${NC}"
echo -e "$GREEN Mail de secours = $RED ${MAIL_SECOURS} ${NC}" echo -e "$GREEN Mail de secours = $RED ${MAIL_SECOURS} ${NC}"
echo -e "$GREEN Compte $RED $(searchMattermost $COMPTE_A_MODIFIER) ${NC}" echo -e "$GREEN Compte $RED $(searchMattermost $COMPTE_A_MODIFIER) ${NC}"
echo -e "$GREEN Compte Nextcloud $RED ${USER_NEXTCLOUD_MODIF} ${NC}" echo -e "$GREEN Compte Nextcloud $RED ${USER_NEXTCLOUD_MODIF} ${NC}"
echo -e "$GREEN Le mot de passe sera = $RED ${PASSWORD} ${NC}" echo -e "$GREEN Le mot de passe sera = $RED ${PASSWORD} ${NC}"
docker exec -ti mattermostServ bin/mmctl user change-password $(searchMattermost $COMPTE_A_MODIFIER) -p $PASSWORD >/dev/null 2>&1 docker exec -ti mattermostServ bin/mmctl user change-password $(searchMattermost $COMPTE_A_MODIFIER) -p $PASSWORD >/dev/null 2>&1
curl -H 'OCS-APIREQUEST: true' -X PUT $httpProto://admin:$nextcloud_NEXTCLOUD_ADMIN_PASSWORD@$URL_NC/ocs/v1.php/cloud/users/${USER_NEXTCLOUD_MODIF} -d key=password -d value=${PASSWORD} >/dev/null 2>&1 curl -H 'OCS-APIREQUEST: true' -X PUT $httpProto://admin:$nextcloudServ_NEXTCLOUD_ADMIN_PASSWORD@$URL_NC/ocs/v1.php/cloud/users/${USER_NEXTCLOUD_MODIF} -d key=password -d value=${PASSWORD} >/dev/null 2>&1
pass=$(mkpasswd -m sha512crypt ${PASSWORD}) pass=$(mkpasswd -m sha512crypt ${PASSWORD})
echo -e "\n\ndn: cn=${COMPTE_A_MODIFIER},ou=users,${ldap_root}\n\ echo -e "\n\ndn: cn=${COMPTE_A_MODIFIER},ou=users,${ldap_root}\n\
changeType: modify\n\ changeType: modify\n\
replace: userPassword\n\ replace: userPassword\n\
userPassword: {CRYPT}${pass}\n\n" | ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w "${ldap_LDAP_ADMIN_PASSWORD}" userPassword: {CRYPT}${pass}\n\n" | ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w "${ldapServ_LDAP_ADMIN_PASSWORD}"
echo -e "Envoi d'un message dans mattermost pour la modification du mot de passe" echo -e "Envoi d'un message dans mattermost pour la modification du mot de passe"
docker exec -ti mattermostServ bin/mmctl post create kaz:Creation-Comptes --message "Le mot de passe du compte ${COMPTE_A_MODIFIER} a été modifié" >/dev/null 2>&1 docker exec -ti mattermostServ bin/mmctl post create kaz:Creation-Comptes --message "Le mot de passe du compte ${COMPTE_A_MODIFIER} a été modifié" >/dev/null 2>&1
if [ $ADRESSE_SEC == "OUI" ] if [ $ADRESSE_SEC == "OUI" ]
@@ -465,8 +469,8 @@ createMail() {
if [[ ${EMAIL_SOUHAITE} =~ ${regexMail} ]] if [[ ${EMAIL_SOUHAITE} =~ ${regexMail} ]]
then then
ldapsearch -H ldap://${LDAP_IP} \ ldapsearch -H ldap://${LDAP_IP} \
-x -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" \ -x -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" \
-w "${ldap_LDAP_ADMIN_PASSWORD}" \ -w "${ldapServ_LDAP_ADMIN_PASSWORD}" \
-b "${ldap_root}" "(&(objectclass=inetOrgPerson)(cn=${EMAIL_SOUHAITE}))" cn | grep ^cn | sed -e 's/^cn: //' >$TFILE_EMAILS -b "${ldap_root}" "(&(objectclass=inetOrgPerson)(cn=${EMAIL_SOUHAITE}))" cn | grep ^cn | sed -e 's/^cn: //' >$TFILE_EMAILS
if grep -q "^${EMAIL_SOUHAITE}$" "${TFILE_EMAILS}" if grep -q "^${EMAIL_SOUHAITE}$" "${TFILE_EMAILS}"
then then
@@ -564,7 +568,7 @@ nextcloudEnabled: ${TRUE_KAZ}\n\
nextcloudQuota: ${QUOTA} GB\n\ nextcloudQuota: ${QUOTA} GB\n\
mobilizonEnabled: ${TRUE_KAZ}\n\ mobilizonEnabled: ${TRUE_KAZ}\n\
agoraEnabled: ${TRUE_KAZ}\n\ agoraEnabled: ${TRUE_KAZ}\n\
userPassword: {CRYPT}${LDAPPASS}\n\n' | ldapmodify -c -H ldap://${LDAP_IP} -D \"cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}\" -x -w ${ldap_LDAP_ADMIN_PASSWORD}" >${TFILE_CREATE_MAIL} userPassword: {CRYPT}${LDAPPASS}\n\n' | ldapmodify -c -H ldap://${LDAP_IP} -D \"cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}\" -x -w ${ldapServ_LDAP_ADMIN_PASSWORD}" >${TFILE_CREATE_MAIL}
# on execute le fichier avec les données ldap pour créer l' entrée dans l' annuaire # on execute le fichier avec les données ldap pour créer l' entrée dans l' annuaire
bash ${TFILE_CREATE_MAIL} >/dev/null bash ${TFILE_CREATE_MAIL} >/dev/null
# on colle le compte et le mot de passe dans le fichier # on colle le compte et le mot de passe dans le fichier
@@ -610,12 +614,12 @@ createAlias() {
if [[ ${AMAIL} =~ ${regexMail} ]] if [[ ${AMAIL} =~ ${regexMail} ]]
then then
RESU_ALIAS=$(ldapsearch -H ldap://${LDAP_IP} \ RESU_ALIAS=$(ldapsearch -H ldap://${LDAP_IP} \
-x -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" \ -x -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" \
-w "${ldap_LDAP_ADMIN_PASSWORD}" \ -w "${ldapServ_LDAP_ADMIN_PASSWORD}" \
-b "${ldap_root}" "(&(objectclass=PostfixBookMailForward)(cn=*${AMAIL}*))" | grep ^cn | sed -e 's/^cn: //') -b "${ldap_root}" "(&(objectclass=PostfixBookMailForward)(cn=*${AMAIL}*))" | grep ^cn | sed -e 's/^cn: //')
RESU_ALIAS_IS_MAIL=$(ldapsearch -H ldap://${LDAP_IP} \ RESU_ALIAS_IS_MAIL=$(ldapsearch -H ldap://${LDAP_IP} \
-x -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" \ -x -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" \
-w "${ldap_LDAP_ADMIN_PASSWORD}" \ -w "${ldapServ_LDAP_ADMIN_PASSWORD}" \
-b "${ldap_root}" "(&(objectclass=inetOrgPerson)(cn=*${AMAIL}*))" cn | grep ^cn | sed -e 's/^cn: //') -b "${ldap_root}" "(&(objectclass=inetOrgPerson)(cn=*${AMAIL}*))" cn | grep ^cn | sed -e 's/^cn: //')
if echo ${RESU_ALIAS} | grep -q "^${AMAIL}$" || echo ${RESU_ALIAS_IS_MAIL} | grep -q "^${AMAIL}$" if echo ${RESU_ALIAS} | grep -q "^${AMAIL}$" || echo ${RESU_ALIAS_IS_MAIL} | grep -q "^${AMAIL}$"
@@ -690,7 +694,7 @@ changeType: add\n\
objectClass: organizationalRole\n\ objectClass: organizationalRole\n\
objectClass: PostfixBookMailForward\n\ objectClass: PostfixBookMailForward\n\
mailAlias: ${AMAIL}\n\ mailAlias: ${AMAIL}\n\
${LDAPALAISMAIL}\n\n" | ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w ${ldap_LDAP_ADMIN_PASSWORD} ${LDAPALAISMAIL}\n\n" | ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w ${ldapServ_LDAP_ADMIN_PASSWORD}
fait=1 fait=1
printKazMsg "Création de ${AMAIL}" printKazMsg "Création de ${AMAIL}"
sleep 3 sleep 3
@@ -722,8 +726,8 @@ delAlias() {
if [[ ${RALIAS} =~ ${regexMail} ]] if [[ ${RALIAS} =~ ${regexMail} ]]
then then
RESU_ALIAS=$(ldapsearch -H ldap://${LDAP_IP} \ RESU_ALIAS=$(ldapsearch -H ldap://${LDAP_IP} \
-x -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" \ -x -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" \
-w "${ldap_LDAP_ADMIN_PASSWORD}" \ -w "${ldapServ_LDAP_ADMIN_PASSWORD}" \
-b "${ldap_root}" "(&(objectclass=PostfixBookMailForward)(cn=${RALIAS}))" cn | grep ^cn | sed -e 's/^cn: //') -b "${ldap_root}" "(&(objectclass=PostfixBookMailForward)(cn=${RALIAS}))" cn | grep ^cn | sed -e 's/^cn: //')
if [ ! -z ${RESU_ALIAS} ] if [ ! -z ${RESU_ALIAS} ]
then then
@@ -733,7 +737,7 @@ delAlias() {
read -p "suppression de ${RESU_ALIAS} ? (o/n): " REPDELALIAS read -p "suppression de ${RESU_ALIAS} ? (o/n): " REPDELALIAS
case "${REPDELALIAS}" in case "${REPDELALIAS}" in
o | O ) o | O )
ldapdelete -H ldap://${LDAP_IP} -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w "${ldap_LDAP_ADMIN_PASSWORD}" "cn=${RESU_ALIAS},ou=mailForwardings,${ldap_root}" ldapdelete -H ldap://${LDAP_IP} -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w "${ldapServ_LDAP_ADMIN_PASSWORD}" "cn=${RESU_ALIAS},ou=mailForwardings,${ldap_root}"
printKazMsg "suppression ${RESU_ALIAS} effectuée" printKazMsg "suppression ${RESU_ALIAS} effectuée"
sleep 2 sleep 2
faitdel=1 faitdel=1
@@ -769,8 +773,8 @@ modifyAlias()
ACHANGE=0 ACHANGE=0
searchEmail alias searchEmail alias
LISTE_MAIL_ALIAS=$(ldapsearch -H ldap://${LDAP_IP} \ LISTE_MAIL_ALIAS=$(ldapsearch -H ldap://${LDAP_IP} \
-x -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" \ -x -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" \
-w "${ldap_LDAP_ADMIN_PASSWORD}" \ -w "${ldapServ_LDAP_ADMIN_PASSWORD}" \
-b "${ldap_root}" "(&(objectclass=PostfixBookMailForward)(cn=*${CHOIX_MAIL}*))" \ -b "${ldap_root}" "(&(objectclass=PostfixBookMailForward)(cn=*${CHOIX_MAIL}*))" \
| grep -i ^mail: | sed -e 's/^mail: /_/' | tr -d [:space:] | sed -s 's/_/ /g') | grep -i ^mail: | sed -e 's/^mail: /_/' | tr -d [:space:] | sed -s 's/_/ /g')
echo "-------------------------------------------------------------------" echo "-------------------------------------------------------------------"
@@ -845,8 +849,8 @@ modifyAlias()
echo "mail: ${key}" >>${FIC_MODIF_LDIF} echo "mail: ${key}" >>${FIC_MODIF_LDIF}
done done
echo "-" >>${FIC_MODIF_LDIF} echo "-" >>${FIC_MODIF_LDIF}
ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" \ ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" \
-x -w ${ldap_LDAP_ADMIN_PASSWORD} \ -x -w ${ldapServ_LDAP_ADMIN_PASSWORD} \
-f ${FIC_MODIF_LDIF} >/dev/null -f ${FIC_MODIF_LDIF} >/dev/null
else else
printKazMsg "Pas de changement" printKazMsg "Pas de changement"
@@ -872,8 +876,8 @@ updateUser() {
for attribut in mailDeSecours mailAlias mailQuota nextcloudQuota for attribut in mailDeSecours mailAlias mailQuota nextcloudQuota
do do
ATTRIB+=([${attribut}]=$(ldapsearch -H ldap://${LDAP_IP} \ ATTRIB+=([${attribut}]=$(ldapsearch -H ldap://${LDAP_IP} \
-x -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" \ -x -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" \
-w "${ldap_LDAP_ADMIN_PASSWORD}" \ -w "${ldapServ_LDAP_ADMIN_PASSWORD}" \
-b "${ldap_root}" "(&(objectclass=inetOrgPerson)(cn=*${CHOIX_MAIL}*))" \ -b "${ldap_root}" "(&(objectclass=inetOrgPerson)(cn=*${CHOIX_MAIL}*))" \
| grep ^"${attribut}": | sed -e 's/^'${attribut}': //' | tr -s '[:space:]' ' ' )) | grep ^"${attribut}": | sed -e 's/^'${attribut}': //' | tr -s '[:space:]' ' ' ))
# si l' attribut est mailDesecours on l' attrape et on on le stocke pour pouvoir l' enlever de sympa # si l' attribut est mailDesecours on l' attrape et on on le stocke pour pouvoir l' enlever de sympa
@@ -1056,15 +1060,15 @@ updateUser() {
done done
cat ${FIC_MODIF_LDIF} cat ${FIC_MODIF_LDIF}
sleep 3 sleep 3
ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" \ ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" \
-x -w ${ldap_LDAP_ADMIN_PASSWORD} \ -x -w ${ldapServ_LDAP_ADMIN_PASSWORD} \
-f ${FIC_MODIF_LDIF} -f ${FIC_MODIF_LDIF}
if [ ! -z ${MAILDESECOURS} ] if [ ! -z ${MAILDESECOURS} ]
then then
# suppression du mail de secours de la liste infos # suppression du mail de secours de la liste infos
docker exec -ti sympaServ /usr/lib/sympa/bin/sympa_soap_client.pl --soap_url=${httpProto}://${URL_LISTE}/sympasoap --trusted_application=${sympa_SOAP_USER} --trusted_application_password=${sympa_SOAP_PASSWORD} --proxy_vars=USER_EMAIL=${LISTMASTER} --service=del --service_parameters="${NL_LIST},${MAILDESECOURSACTUEL}" docker exec -ti sympaServ /usr/lib/sympa/bin/sympa_soap_client.pl --soap_url=${httpProto}://${URL_LISTE}/sympasoap --trusted_application=${sympaServ_SOAP_USER} --trusted_application_password=${sympaServ_SOAP_PASSWORD} --proxy_vars=USER_EMAIL=${LISTMASTER} --service=del --service_parameters="${NL_LIST},${MAILDESECOURSACTUEL}"
# ajout de l' adresse de la nouvelle adresse de secours # ajout de l' adresse de la nouvelle adresse de secours
docker exec -ti sympaServ /usr/lib/sympa/bin/sympa_soap_client.pl --soap_url=${httpProto}://${URL_LISTE}/sympasoap --trusted_application=${sympa_SOAP_USER} --trusted_application_password=${sympa_SOAP_PASSWORD} --proxy_vars=USER_EMAIL=${LISTMASTER} --service=add --service_parameters="${NL_LIST},${MAILDESECOURS}" docker exec -ti sympaServ /usr/lib/sympa/bin/sympa_soap_client.pl --soap_url=${httpProto}://${URL_LISTE}/sympasoap --trusted_application=${sympaServ_SOAP_USER} --trusted_application_password=${sympaServ_SOAP_PASSWORD} --proxy_vars=USER_EMAIL=${LISTMASTER} --service=add --service_parameters="${NL_LIST},${MAILDESECOURS}"
fi fi
updateUser updateUser
fi fi

63
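--- a/bin/getPasswords.sh
+++ b/bin/getPasswords.sh
@@ -0,0 +1,63 @@
+#!/bin/bash
+KAZ_ROOT=$(cd "$(dirname $0)/.."; pwd)
+. "${KAZ_ROOT}/bin/.commonFunctions.sh"
+PRG=$(basename $0)
+usage() {
+echo "${PRG} [OPTIONS] [envname ...]
+Récupère les variables d'environnement présentes dans /kaz/secret/env-envname et crée des variables à partir de ces noms là.
+Les variables sont du type envname_NOMVARIABLE=valeur
+On peut passer plusieurs fichiers env, à partir du moment ou ils sont tous dans le même répertoire !
+OPTIONS
+-h|--help Cette aide :-)
+-n|--simu SIMULATION
+-d foldername prend les envfiles dans un sous dossier /kaz/secret/foldername/ (pour les orgas !)
+Les variables seront du type foldername-envname_NOMVARIABLE=valeur
+"
+}
+for ARG in "$@"; do
+if [ -n "${DIRECTORYARG}" ]; then # après un -d
+SUBDIRECTORY="${ARG}"
+DIRECTORYARG=
+else
+case "${ARG}" in
+'-d' | '--directory' | '-f' | '--folder' | '--foldername')
+DIRECTORYARG="ON ATTEND UN REPERTOIRE APRES CA" ;;
+'-h' | '--help' )
+usage && exit ;;
+'-n' | '--simu')
+SIMU="echo" ;;
+*)
+ENVFILES="${ENVFILES} ${ARG%}";;
+esac
+fi
+done
+NB_FILES=$(echo "${ENVFILES}" | wc -w )
+if [[ $NB_FILES = 0 ]]; then
+usage
+exit 1
+fi
+for ENVFILE in $ENVFILES; do
+FILENAME="$KAZ_KEY_DIR/env-$ENVFILE"
+VARNAME="$ENVFILE"_
+if [ -n "${SUBDIRECTORY}" ]; then
+FILENAME="$KAZ_KEY_DIR/orgas/$SUBDIRECTORY/env-$ENVFILE"
+VARNAME="${SUBDIRECTORY}-${ENVFILE}_"
+fi
+if ! [ -f "$FILENAME" ]; then
+echo "$FILENAME does not exist."
+continue
+fi
+# formule magique qui crée des variables envname_NOMVARIABLE=la valeur trouvé (le sed vire les commentaires et les lignes vides)
+# on pourrait se contenter d'un "source env-file", mais avec un prefix dans les variables pour savoir ce qu'on manipule c'est bien aussi ...
+$SIMU export $(sed -e 's/#.*//' -e '/^\s*$/d' "$FILENAME" | awk -F= -v ENV="$VARNAME" '{output=output" "ENV$1"="$2} END {print output}')
+done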
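Review bot: The final `export $(sed … | awk -F= …)` line can change the secrets it loads: `sed -e 's/#.*//'` cuts a value at its first `#`, `$2` keeps only the text up to a second `=`, and the unquoted `$( )` splits on whitespace and expands glob characters, so a password containing any of these is exported truncated without an error. Callers source this file, so `ENVFILES`, `SUBDIRECTORY` and `DIRECTORYARG` keep their values from a previous call unless they are cleared at the top, and `usage && exit` would end the calling script rather than return to it. I would read the env file line by line and export each pair quoted, as sketched below.

```shell
# … unchanged: FILENAME / VARNAME selection and the existence test …
while IFS= read -r line || [ -n "$line" ]; do
  # skip blank lines, comment lines and lines without '='
  [[ "$line" =~ ^[[:space:]]*(#|$) ]] && continue
  [[ "$line" == *=* ]] || continue
  $SIMU export "${VARNAME}${line%%=*}=${line#*=}"
done < "$FILENAME"
```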


@@ -214,7 +214,6 @@ fi
if [ ! -d "${KAZ_ROOT}/secret" ]; then if [ ! -d "${KAZ_ROOT}/secret" ]; then
rsync -a "${KAZ_ROOT}/secret.tmpl/" "${KAZ_ROOT}/secret/" rsync -a "${KAZ_ROOT}/secret.tmpl/" "${KAZ_ROOT}/secret/"
. "${KAZ_ROOT}/secret/SetAllPass.sh"
"${KAZ_BIN_DIR}/secretGen.sh" "${KAZ_BIN_DIR}/secretGen.sh"
"${KAZ_BIN_DIR}/updateDockerPassword.sh" "${KAZ_BIN_DIR}/createDBUsers.sh"
fi fi


@@ -6,7 +6,8 @@ KAZ_ROOT=$(cd "$(dirname $0)"/..; pwd)
setKazVars setKazVars
. $DOCKERS_ENV . $DOCKERS_ENV
. $KAZ_ROOT/secret/SetAllPass.sh
. $KAZ_BIN_DIR/getPasswords.sh paheko
URL_PAHEKO="$httpProto://${paheko_API_USER}:${paheko_API_PASSWORD}@kaz-paheko.$(echo $domain)" URL_PAHEKO="$httpProto://${paheko_API_USER}:${paheko_API_PASSWORD}@kaz-paheko.$(echo $domain)"
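Review bot: Nothing after `. $KAZ_BIN_DIR/getPasswords.sh paheko` checks that the secrets were actually loaded: getPasswords.sh only prints "… does not exist." and continues when `env-paheko` is missing, so `URL_PAHEKO` would be built with an empty user and password and the failure would presumably surface later as an authentication error far from its cause. A guard right after the source line makes it explicit, for example `: "${paheko_API_USER:?}" "${paheko_API_PASSWORD:?}"`. The same applies to the other scripts in this commit that source getPasswords.sh for `ldapServ` or `nextcloudDB` and then use the variables directly. The script continues outside the hunk.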


@@ -5,7 +5,7 @@ KAZ_ROOT=/kaz
setKazVars setKazVars
. $DOCKERS_ENV . $DOCKERS_ENV
. $KAZ_ROOT/secret/SetAllPass.sh . $KAZ_BIN_DIR/getPasswords.sh ldapServ
LDAP_IP=$(docker inspect -f '{{.NetworkSettings.Networks.ldapNet.IPAddress}}' ldapServ) LDAP_IP=$(docker inspect -f '{{.NetworkSettings.Networks.ldapNet.IPAddress}}' ldapServ)
@@ -20,4 +20,4 @@ EDITOR=${EDITOR:-vi}
EDITOR=${EDITOR:-vi} EDITOR=${EDITOR:-vi}
export EDITOR=${EDITOR} export EDITOR=${EDITOR}
ldapvi -h $LDAP_IP -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -w ${ldap_LDAP_ADMIN_PASSWORD} --discover ldapvi -h $LDAP_IP -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" -w ${ldapServ_LDAP_ADMIN_PASSWORD} --discover
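Review bot: The renamed `-w ${ldapServ_LDAP_ADMIN_PASSWORD}` on the `ldapvi` line is still unquoted, so an admin password containing a space or a glob character is split or expanded before `ldapvi` receives it; `-w "${ldapServ_LDAP_ADMIN_PASSWORD}"` passes it intact. The `ldapmodify … -x -w ${ldapServ_LDAP_ADMIN_PASSWORD}` calls in the next file section (hunks at -126, -164, -185 and -215) have the same form. Passing the password as an argument also leaves it readable in the process list while the command runs; the OpenLDAP `ldapsearch`/`ldapmodify` clients accept `-y passwdfile` to read it from a file instead.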


@@ -8,7 +8,7 @@ KAZ_ROOT=/kaz
setKazVars setKazVars
. $DOCKERS_ENV . $DOCKERS_ENV
. $KAZ_ROOT/secret/SetAllPass.sh . $KAZ_BIN_DIR/getPasswords.sh ldapServ paheko
ACCOUNTS=/kaz/dockers/postfix/config/postfix-accounts.cf ACCOUNTS=/kaz/dockers/postfix/config/postfix-accounts.cf
@@ -126,7 +126,7 @@ replace: agoraEnabled\n\
agoraEnabled: TRUE\n\ agoraEnabled: TRUE\n\
-\n\ -\n\
replace: mobilizonEnabled\n\ replace: mobilizonEnabled\n\
mobilizonEnabled: TRUE\n\n" | tee /tmp/ldap/${mail}.ldif | ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w ${ldap_LDAP_ADMIN_PASSWORD} mobilizonEnabled: TRUE\n\n" | tee /tmp/ldap/${mail}.ldif | ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w ${ldapServ_LDAP_ADMIN_PASSWORD}
done done
#replace: nextcloudEnabled\n\ #replace: nextcloudEnabled\n\
@@ -164,7 +164,7 @@ do
echo -e "dn: cn=${mail},ou=users,${ldap_root}\n\ echo -e "dn: cn=${mail},ou=users,${ldap_root}\n\
changeType: modify changeType: modify
replace: mailAlias\n\ replace: mailAlias\n\
$LIST\n\n" | ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w ${ldap_LDAP_ADMIN_PASSWORD} $LIST\n\n" | ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w ${ldapServ_LDAP_ADMIN_PASSWORD}
else else
echo "Alias vers un mail externe, go fichier" echo "Alias vers un mail externe, go fichier"
echo $line >> ${ALIASES_WITHLDAP} echo $line >> ${ALIASES_WITHLDAP}
@@ -185,7 +185,7 @@ replace: mailAlias\n\
mailAlias: ${src}\n\ mailAlias: ${src}\n\
-\n\ -\n\
replace: mail\n\ replace: mail\n\
mail: ${dst}\n\n" | ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w ${ldap_LDAP_ADMIN_PASSWORD} mail: ${dst}\n\n" | ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w ${ldapServ_LDAP_ADMIN_PASSWORD}
fi fi
else else
echo "Forward vers plusieurs adresses, on met dans le fichier" echo "Forward vers plusieurs adresses, on met dans le fichier"
@@ -215,7 +215,7 @@ replace: mailAlias\n\
mailAlias: ${src}\n\ mailAlias: ${src}\n\
-\n\ -\n\
replace: mail\n\ replace: mail\n\
${LIST}\n\n" | ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w ${ldap_LDAP_ADMIN_PASSWORD} ${LIST}\n\n" | ldapmodify -c -H ldap://${LDAP_IP} -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" -x -w ${ldapServ_LDAP_ADMIN_PASSWORD}
fi fi
done done


@@ -6,15 +6,16 @@ setKazVars
. $DOCKERS_ENV . $DOCKERS_ENV
. $KAZ_ROOT/secret/SetAllPass.sh . $KAZ_ROOT/secret/SetAllPass.sh
. $KAZ_BIN_DIR/getPasswords.sh ldapServ nextcloudDB
LDAP_IP=$(docker inspect -f '{{.NetworkSettings.Networks.ldapNet.IPAddress}}' ldapServ) LDAP_IP=$(docker inspect -f '{{.NetworkSettings.Networks.ldapNet.IPAddress}}' ldapServ)
docker exec -i nextcloudDB mysql --user=${nextcloud_MYSQL_USER} --password=${nextcloud_MYSQL_PASSWORD} ${nextcloud_MYSQL_DATABASE} <<< "select uid from oc_users;" > /tmp/nc_users.txt docker exec -i nextcloudDB mysql --user=${nextcloudDB_MYSQL_USER} --password=${nextcloudDB_MYSQL_PASSWORD} ${nextcloudDB_MYSQL_DATABASE} <<< "select uid from oc_users;" > /tmp/nc_users.txt
OLDIFS=${IFS} OLDIFS=${IFS}
IFS=$'\n' IFS=$'\n'
for line in `cat /tmp/nc_users.txt`; do for line in `cat /tmp/nc_users.txt`; do
result=$(ldapsearch -h $LDAP_IP -D "cn=${ldap_LDAP_ADMIN_USERNAME},${ldap_root}" -w ${ldap_LDAP_ADMIN_PASSWORD} -b $ldap_root -x "(identifiantKaz=${line})" | grep numEntries) result=$(ldapsearch -h $LDAP_IP -D "cn=${ldapServ_LDAP_ADMIN_USERNAME},${ldap_root}" -w ${ldapServ_LDAP_ADMIN_PASSWORD} -b $ldap_root -x "(identifiantKaz=${line})" | grep numEntries)
echo "${line} ${result}" | grep -v "numEntries: 1" | grep -v "^uid" echo "${line} ${result}" | grep -v "numEntries: 1" | grep -v "^uid"
done done
IFS=${OLDIFS} IFS=${OLDIFS}
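Review bot: The line `. $KAZ_ROOT/secret/SetAllPass.sh` appears to remain in this script as context, directly above the added `. $KAZ_BIN_DIR/getPasswords.sh ldapServ nextcloudDB`, while the commit title says SetAllPass is gone and the other scripts in the commit drop that line. If the file no longer exists the source fails at start-up, and if an old copy is still on disk its values silently coexist with the new `ldapServ_` and `nextcloudDB_` ones. The line should be removed here as well, so that the script reads its secrets from one place only.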


@@ -83,7 +83,8 @@ Init(){
[ $? -ne 0 ] && printKazError "$DockerServName ne parvient pas à démarrer correctement : impossible de terminer l'install" && return 1 >& $QUIET [ $? -ne 0 ] && printKazError "$DockerServName ne parvient pas à démarrer correctement : impossible de terminer l'install" && return 1 >& $QUIET
# creation compte admin # creation compte admin
${SIMU} curl -i -d "{\"email\":\"${mattermost_MM_ADMIN_EMAIL}\",\"username\":\"${mattermost_user}\",\"password\":\"${mattermost_pass}\",\"allow_marketing\":true}" "${MATTER_URL}/api/v4/users" _getPasswords
${SIMU} curl -i -d "{\"email\":\"${mattermostServ_MM_ADMIN_EMAIL}\",\"username\":\"${mattermost_user}\",\"password\":\"${mattermost_pass}\",\"allow_marketing\":true}" "${MATTER_URL}/api/v4/users"
MM_TOKEN=$(_getMMToken ${MATTER_URL}) MM_TOKEN=$(_getMMToken ${MATTER_URL})
@@ -98,12 +99,13 @@ Version(){
_getMMToken(){ _getMMToken(){
#$1 MATTER_URL #$1 MATTER_URL
_getPasswords
${SIMU} curl -i -s -d "{\"login_id\":\"${mattermost_user}\",\"password\":\"${mattermost_pass}\"}" "${1}/api/v4/users/login" | grep 'token' | sed 's/token:\s*\(.*\)\s*/\1/' | tr -d '\r' ${SIMU} curl -i -s -d "{\"login_id\":\"${mattermost_user}\",\"password\":\"${mattermost_pass}\"}" "${1}/api/v4/users/login" | grep 'token' | sed 's/token:\s*\(.*\)\s*/\1/' | tr -d '\r'
} }
PostMessage(){ PostMessage(){
printKazMsg "Envoi à $TEAM : $MESSAGE" >& $QUIET printKazMsg "Envoi à $TEAM : $MESSAGE" >& $QUIET
_getPasswords
${SIMU} docker exec -ti "${DockerServName}" bin/mmctl auth login "${MATTER_URL}" --name local-server --username ${mattermost_user} --password ${mattermost_pass} ${SIMU} docker exec -ti "${DockerServName}" bin/mmctl auth login "${MATTER_URL}" --name local-server --username ${mattermost_user} --password ${mattermost_pass}
${SIMU} docker exec -ti "${DockerServName}" bin/mmctl post create "${TEAM}" --message "${MESSAGE}" ${SIMU} docker exec -ti "${DockerServName}" bin/mmctl post create "${TEAM}" --message "${MESSAGE}"
} }
@@ -113,6 +115,16 @@ MmctlCommand(){
${SIMU} docker exec -u 33 "$DockerServName" bin/mmctl $1 ${SIMU} docker exec -u 33 "$DockerServName" bin/mmctl $1
} }
_getPasswords(){
# récupération des infos du compte admin
if [ -n "$AGORACOMMUN" ] ; then
. $KAZ_KEY_DIR/env-mattermostAdmin
. $KAZ_BIN_DIR/getPasswords.sh mattermostServ
else
. $KAZ_KEY_DIR/orgas/${ORGA}/env-mattermostAdmin
. $KAZ_BIN_DIR/getPasswords.sh -d ${ORGA} mattermostServ
fi
}
########## Main ################# ########## Main #################
for ARG in "$@"; do for ARG in "$@"; do
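Review bot: In the per-orga branch of `_getPasswords`, `getPasswords.sh -d ${ORGA} mattermostServ` builds names of the form `${ORGA}-mattermostServ_…` (its `VARNAME="${SUBDIRECTORY}-${ENVFILE}_"`), but `Init` reads `${mattermostServ_MM_ADMIN_EMAIL}`, so for an orga the admin e-mail would be empty unless it is set elsewhere. A `-` is also not allowed in a shell variable name, so `export` will reject those assignments as invalid identifiers. Either use `_` as the separator and read the prefixed name, or source the orga's `env-mattermostServ` directly as is done for `env-mattermostAdmin`. `${ORGA}` should be quoted in both lines of that branch.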


@@ -63,11 +63,12 @@ Init(){
cookies=$(curl -c - ${POD_URL}) cookies=$(curl -c - ${POD_URL})
CSRF_TOKEN=$(curl --cookie <(echo "$cookies") ${POD_URL}/cp-install | grep "csrf_test_name" | sed "s/.*value=.//" | sed "s/.>//") CSRF_TOKEN=$(curl --cookie <(echo "$cookies") ${POD_URL}/cp-install | grep "csrf_test_name" | sed "s/.*value=.//" | sed "s/.>//")
_getPasswords
#echo ${CSRF_TOKEN} #echo ${CSRF_TOKEN}
${SIMU} curl --cookie <(echo "$cookies") -X POST \ ${SIMU} curl --cookie <(echo "$cookies") -X POST \
-d "username=${castopod_ADMIN_USER}" \ -d "username=${ADMIN_USER}" \
-d "password=${castopod_ADMIN_PASSWORD}" \ -d "password=${ADMIN_PASSWORD}" \
-d "email=${castopod_ADMIN_MAIL}" \ -d "email=${ADMIN_MAIL}" \
-d "csrf_test_name=${CSRF_TOKEN}" \ -d "csrf_test_name=${CSRF_TOKEN}" \
"${POD_URL}/cp-install/create-superadmin" "${POD_URL}/cp-install/create-superadmin"
@@ -78,7 +79,13 @@ Version(){
echo "Version $DockerServName : ${GREEN}${VERSION}${NC}" echo "Version $DockerServName : ${GREEN}${VERSION}${NC}"
} }
_getPasswords(){
if [ -n "$CASTOPOD_COMMUN" ]; then
. $KAZ_KEY_DIR/env-castopodAdmin
else
. $KAZ_KEY_DIR/orgas/$ORGA/env-castopodAdmin
fi
}
########## Main ################# ########## Main #################
for ARG in "$@"; do for ARG in "$@"; do
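Review bot: The new `-d "username=${ADMIN_USER}"`, `-d "password=${ADMIN_PASSWORD}"` and `-d "email=${ADMIN_MAIL}"` arguments in `Init` send the values as-is, so a password containing `&`, `+` or `%` reaches the installer altered or split into extra form fields; `--data-urlencode "password=${ADMIN_PASSWORD}"` (likewise for the other two) encodes it. The `firstInstall` hunk in the next file section has the same form for `adminpass=` and `dbpass=`. `_getPasswords` sources the env file without checking the result, so a guard such as `: "${ADMIN_PASSWORD:?}"` after the call would catch a missing `env-castopodAdmin` before the request is sent.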


@@ -75,7 +75,7 @@ Init(){
CONF_FILE="${NAS_VOL}/orga_${ORGA}-cloudConfig/_data/config.php" CONF_FILE="${NAS_VOL}/orga_${ORGA}-cloudConfig/_data/config.php"
fi fi
firstInstall "$CLOUD_URL" "$CONF_FILE" " NextCloud de $NOM" firstInstall "$CLOUD_URL" "$CONF_FILE" "$NOM"
updatePhpConf "$CONF_FILE" updatePhpConf "$CONF_FILE"
InstallApplis InstallApplis
echo "${CYAN} *** Paramétrage richdocuments pour $ORGA${NC}" >& $QUIET echo "${CYAN} *** Paramétrage richdocuments pour $ORGA${NC}" >& $QUIET
@@ -100,25 +100,38 @@ firstInstall(){
# $2 phpConfFile # $2 phpConfFile
# $3 orga # $3 orga
if ! grep -q "'installed' => true," "$2" 2> /dev/null; then if ! grep -q "'installed' => true," "$2" 2> /dev/null; then
printKazMsg "\n *** Premier lancement de $3" >& $QUIET
printKazMsg "\n *** Premier lancement nextcloud $3" >& $QUIET
_getPasswords
${SIMU} waitUrl "$1" ${SIMU} waitUrl "$1"
${SIMU} curl -X POST \ ${SIMU} curl -X POST \
-d "install=true" \ -d "install=true" \
-d "adminlogin=${nextcloud_NEXTCLOUD_ADMIN_USER}" \ -d "adminlogin=${NEXTCLOUD_ADMIN_USER}" \
-d "adminpass=${nextcloud_NEXTCLOUD_ADMIN_PASSWORD}" \ -d "adminpass=${NEXTCLOUD_ADMIN_PASSWORD}" \
-d "directory=/var/www/html/data" \ -d "directory=/var/www/html/data" \
-d "dbtype=mysql" \ -d "dbtype=mysql" \
-d "dbuser=${nextcloud_MYSQL_USER}" \ -d "dbuser=${MYSQL_USER}" \
-d "dbpass=${nextcloud_MYSQL_PASSWORD}" \ -d "dbpass=${MYSQL_PASSWORD}" \
-d "dbname=${nextcloud_MYSQL_DATABASE}" \ -d "dbname=${MYSQL_DATABASE}" \
-d "dbhost=${nextcloud_MYSQL_HOST}" \ -d "dbhost=${MYSQL_HOST}" \
-d "install-recommended-apps=true" \ -d "install-recommended-apps=true" \
"$1" "$1"
fi fi
} }
_getPasswords(){
if [ -n "$CLOUDCOMMUN" ]; then
. $KAZ_KEY_DIR/env-nextcloudServ
. $KAZ_KEY_DIR/env-nextcloudDB
else
. $KAZ_KEY_DIR/orgas/$ORGA/env-nextcloudServ
. $KAZ_KEY_DIR/orgas/$ORGA/env-nextcloudDB
fi
}
setOfficeUrl(){ setOfficeUrl(){
# Did le 25 mars les offices sont tous normalisé sur les serveurs https://${site}-${officeHost}.${domain} # Did le 25 mars les offices sont tous normalisé sur les serveurs https://${site}-${officeHost}.${domain}
#OFFICE_URL="https://${officeHost}.${domain}" #OFFICE_URL="https://${officeHost}.${domain}"
@@ -131,13 +144,14 @@ setOfficeUrl(){
} }
initLdap(){ initLdap(){
. $KAZ_BIN_DIR/getPasswords.sh ldapServ
# $1 Nom du cloud # $1 Nom du cloud
echo "${CYAN} *** Installation LDAP pour $1${NC}" >& $QUIET echo "${CYAN} *** Installation LDAP pour $1${NC}" >& $QUIET
occCommand "app:enable user_ldap" "${DockerServName}" occCommand "app:enable user_ldap" "${DockerServName}"
occCommand "ldap:delete-config s01" "${DockerServName}" occCommand "ldap:delete-config s01" "${DockerServName}"
occCommand "ldap:create-empty-config" "${DockerServName}" occCommand "ldap:create-empty-config" "${DockerServName}"
occCommand "ldap:set-config s01 ldapAgentName cn=cloud,ou=applications,${ldap_root}" "${DockerServName}" occCommand "ldap:set-config s01 ldapAgentName cn=cloud,ou=applications,${ldap_root}" "${DockerServName}"
occCommand "ldap:set-config s01 ldapAgentPassword ${ldap_LDAP_CLOUD_PASSWORD}" "${DockerServName}" occCommand "ldap:set-config s01 ldapAgentPassword ${ldapServ_LDAP_CLOUD_PASSWORD}" "${DockerServName}"
occCommand "ldap:set-config s01 ldapBase ${ldap_root}" "${DockerServName}" occCommand "ldap:set-config s01 ldapBase ${ldap_root}" "${DockerServName}"
occCommand "ldap:set-config s01 ldapBaseGroups ${ldap_root}" "${DockerServName}" occCommand "ldap:set-config s01 ldapBaseGroups ${ldap_root}" "${DockerServName}"
occCommand "ldap:set-config s01 ldapBaseUsers ou=users,${ldap_root}" "${DockerServName}" occCommand "ldap:set-config s01 ldapBaseUsers ou=users,${ldap_root}" "${DockerServName}"
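Review bot: `firstInstall` calls the new `_getPasswords` without checking that the two env files were actually read, so a missing or incomplete `env-nextcloudServ` or `env-nextcloudDB` sends the install POST with an empty `adminlogin`, `adminpass` or `dbpass`. I would make the helper fail loudly with quoted paths, e.g. `. "$KAZ_KEY_DIR/orgas/$ORGA/env-nextcloudDB" || return 1`, and put `: "${NEXTCLOUD_ADMIN_PASSWORD:?}" "${MYSQL_PASSWORD:?}" "${MYSQL_HOST:?}"` before the `curl`. `MYSQL_HOST` used to be a separate `nextcloud_MYSQL_HOST` setting, so it is worth confirming the DB env file defines it. The castopod `_getPasswords` has the same shape.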


@@ -55,15 +55,7 @@ Init(){
PLG_DIR="${VOL_PREFIX}wikiPlugins/_data" PLG_DIR="${VOL_PREFIX}wikiPlugins/_data"
CONF_DIR="${VOL_PREFIX}wikiConf/_data" CONF_DIR="${VOL_PREFIX}wikiConf/_data"
# Gael, j'avais ajouté ça mais j'ai pas test alors je laisse comme avant ... . $KAZ_BIN_DIR/getPasswords.sh dokuwiki
# A charge au prochain qui monte un wiki de faire qque chose
#WIKI_ROOT="${dokuwiki_WIKI_ROOT}"
#WIKI_EMAIL="${dokuwiki_WIKI_EMAIL}"
#WIKI_PASS="${dokuwiki_WIKI_PASSWORD}"
WIKI_ROOT=Kaz
WIKI_EMAIL=wiki@kaz.local
WIKI_PASS=azerty
${SIMU} checkDockerRunning "${DockerServName}" "${NOM}" || exit ${SIMU} checkDockerRunning "${DockerServName}" "${NOM}" || exit
@@ -77,11 +69,11 @@ Init(){
-d "l=fr" \ -d "l=fr" \
-d "d[title]=${NOM}" \ -d "d[title]=${NOM}" \
-d "d[acl]=true" \ -d "d[acl]=true" \
-d "d[superuser]=${WIKI_ROOT}" \ -d "d[superuser]=${dokuwiki_WIKI_ROOT}" \
-d "d[fullname]=Admin"\ -d "d[fullname]=Admin"\
-d "d[email]=${WIKI_EMAIL}" \ -d "d[email]=${dokuwiki_WIKI_EMAIL}" \
-d "d[password]=${WIKI_PASS}" \ -d "d[password]=${dokuwiki_WIKI_PASSWORD}" \
-d "d[confirm]=${WIKI_PASS}" \ -d "d[confirm]=${dokuwiki_WIKI_PASSWORD}" \
-d "d[policy]=1" \ -d "d[policy]=1" \
-d "d[allowreg]=false" \ -d "d[allowreg]=false" \
-d "d[license]=0" \ -d "d[license]=0" \
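Review bot: Nothing in `Init` verifies that `dokuwiki_WIKI_PASSWORD` is non-empty after the new `. $KAZ_BIN_DIR/getPasswords.sh dokuwiki` line, yet it is posted as both `d[password]` and `d[confirm]`. A guard right after the source line, `: "${dokuwiki_WIKI_ROOT:?}" "${dokuwiki_WIKI_PASSWORD:?}"`, would stop the install instead of submitting blank superuser credentials. Wikis installed by the previous version of this script presumably still carry the removed default `WIKI_PASS` value and need it rotated separately. `Init` starts and ends outside both hunks.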


@@ -61,11 +61,11 @@ Init(){
echo "\n *** Premier lancement de WP" >& $QUIET echo "\n *** Premier lancement de WP" >& $QUIET
${SIMU} waitUrl "${WP_URL}" ${SIMU} waitUrl "${WP_URL}"
. $KAZ_BIN_DIR/getPasswords.sh wpServ
${SIMU} curl -X POST \ ${SIMU} curl -X POST \
-d "user_name=${wp_WORDPRESS_ADMIN_USER}" \ -d "user_name=${wpServ_WORDPRESS_ADMIN_USER}" \
-d "admin_password=${wp_WORDPRESS_ADMIN_PASSWORD}" \ -d "admin_password=${wpServ_WORDPRESS_ADMIN_PASSWORD}" \
-d "admin_password2=${wp_WORDPRESS_ADMIN_PASSWORD}" \ -d "admin_password2=${wpServ_WORDPRESS_ADMIN_PASSWORD}" \
-d "pw_weak=true" \ -d "pw_weak=true" \
-d "admin_email=admin@kaz.bzh" \ -d "admin_email=admin@kaz.bzh" \
-d "blog_public=0" \ -d "blog_public=0" \
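Review bot: The install POST still sends `pw_weak=true`, the installer's "confirm use of weak password" field, which is no longer needed now that `wpServ_WORDPRESS_ADMIN_PASSWORD` comes from the secrets directory and would hide a trivial value if the secret file is wrong. I would drop the `-d "pw_weak=true" \` line and add `: "${wpServ_WORDPRESS_ADMIN_PASSWORD:?}"` after the `getPasswords.sh wpServ` line so an unset password aborts the install. The enclosing `Init` continues outside the hunk.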


@@ -20,8 +20,7 @@ ${SIMU} "${CV1}" stop orga
${SIMU} "${CV1}" stop ${SIMU} "${CV1}" stop
${SIMU} rsync "${EV1}/dockers.env" "${EV2}/" ${SIMU} rsync "${EV1}/dockers.env" "${EV2}/"
${SIMU} rsync "${SV1}/SetAllPass.sh" "${SV2}/" ${SIMU} rsync "${SV1}/" "${SV2}/"
${SIMU} "${BV2}/updateDockerPassword.sh"
# XXX ? rsync /kaz/secret/allow_admin_ip /kaz-git/secret/allow_admin_ip # XXX ? rsync /kaz/secret/allow_admin_ip /kaz-git/secret/allow_admin_ip
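Review bot: The new `rsync "${SV1}/" "${SV2}/"` has neither `-r` nor `-a`, and rsync skips directories when neither is given, so the secrets directory would not be copied at all. `${SIMU} rsync -a "${SV1}/" "${SV2}/"` copies the tree and also preserves the owner and mode of the secret files, which matters for this directory. With `updateDockerPassword.sh` no longer run afterwards, it is worth confirming that the copied files are already in the per-service `env-*` layout the other scripts now source.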


@@ -10,6 +10,7 @@ URL_AGORA=https://$matterHost.$domain/api/v4
EQUIPE=kaz EQUIPE=kaz
PostMattermost() { PostMattermost() {
. $KAZ_KEY_DIR/env-mattermostAdmin
PostM=$1 PostM=$1
CHANNEL=$2 CHANNEL=$2
TEAMID=$(curl -s -H "Authorization: Bearer ${mattermost_token}" "${URL_AGORA}/teams/name/${EQUIPE}" | jq .id | sed -e 's/"//g') TEAMID=$(curl -s -H "Authorization: Bearer ${mattermost_token}" "${URL_AGORA}/teams/name/${EQUIPE}" | jq .id | sed -e 's/"//g')


@@ -15,6 +15,8 @@ OLDIFS=$IFS
IFS=" " IFS=" "
COUNT_MAILQ=$(docker exec -t mailServ mailq | tail -n1 | gawk '{print $5}') COUNT_MAILQ=$(docker exec -t mailServ mailq | tail -n1 | gawk '{print $5}')
# récupération mots de passes
. $KAZ_KEY_DIR/env-mattermostAdmin
docker exec ${mattermostServName} bin/mmctl --suppress-warnings auth login $httpProto://$URL_AGORA --name local-server --username $mattermost_user --password $mattermost_pass >/dev/null 2>&1 docker exec ${mattermostServName} bin/mmctl --suppress-warnings auth login $httpProto://$URL_AGORA --name local-server --username $mattermost_user --password $mattermost_pass >/dev/null 2>&1
if [ "${COUNT_MAILQ}" -gt "${MAX_QUEUE}" ]; then if [ "${COUNT_MAILQ}" -gt "${MAX_QUEUE}" ]; then


@@ -17,7 +17,7 @@ KAZ_ROOT=$(cd "$(dirname $0)"/..; pwd)
. $KAZ_ROOT/bin/.commonFunctions.sh . $KAZ_ROOT/bin/.commonFunctions.sh
setKazVars setKazVars
. $DOCKERS_ENV . $DOCKERS_ENV
. $KAZ_ROOT/secret/SetAllPass.sh . $KAZ_BIN_DIR/getPasswords.sh borg
VERSION="V-10-03-2025" VERSION="V-10-03-2025"
PRG=$(basename $0) PRG=$(basename $0)
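Review bot: After `. $KAZ_BIN_DIR/getPasswords.sh borg` the rest of the script may no longer see `BORG_REPO` and `BORG_PASSPHRASE` under those names, because elsewhere in this commit the same helper is followed by prefixed variables (`wpServ_WORDPRESS_ADMIN_USER` after `getPasswords.sh wpServ`, `ldapServ_LDAP_CLOUD_PASSWORD` after `getPasswords.sh ldapServ`). If the helper prefixes here too, borg would run without its repository and passphrase; something like `export BORG_REPO="${borg_BORG_REPO:?}" BORG_PASSPHRASE="${borg_BORG_PASSPHRASE:?}"` after the source line would make the mapping explicit and fail early. The helper and the script body are outside this hunk, so the actual variable names need checking against both.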


@@ -1,127 +0,0 @@
#!/bin/bash
KAZ_ROOT=$(cd $(dirname $0)/..; pwd)
. "${KAZ_ROOT}/bin/.commonFunctions.sh"
setKazVars
# pour mise au point
# SIMU=echo
# Améliorations à prévoir
# - donner en paramètre les services concernés (pour limité les modifications)
# - pour les DB si on déclare un nouveau login, alors les privilèges sont créé mais les anciens pas révoqués
. "${DOCKERS_ENV}"
. "${KAZ_KEY_DIR}/SetAllPass.sh"
updateEnvDB(){
# $1 = prefix
# $2 = envName
# $3 = containerName of DB
rootPass="$1_MYSQL_ROOT_PASSWORD"
dbName="$1_MYSQL_DATABASE"
userName="$1_MYSQL_USER"
userPass="$1_MYSQL_PASSWORD"
${SIMU} sed -i \
-e "s/MYSQL_ROOT_PASSWORD=.*/MYSQL_ROOT_PASSWORD=${!rootPass}/g" \
-e "s/MYSQL_DATABASE=.*/MYSQL_DATABASE=${!dbName}/g" \
-e "s/MYSQL_USER=.*/MYSQL_USER=${!userName}/g" \
-e "s/MYSQL_PASSWORD=.*/MYSQL_PASSWORD=${!userPass}/g" \
"$2"
# seulement si pas de mdp pour root
# pb oeuf et poule (il faudrait les anciennes valeurs) :
# * si rootPass change, faire à la main
# * si dbName change, faire à la main
checkDockerRunning "$3" "$3" || return
echo "change DB pass on docker $3"
echo "grant all privileges on ${!dbName}.* to '${!userName}' identified by '${!userPass}';" | \
docker exec -i $3 bash -c "mysql --user=root --password=${!rootPass}"
}
updateEnv(){
# $1 = prefix
# $2 = envName
for varName in $(grep "^[a-zA-Z_]*=" $2 | sed "s/^\([^=]*\)=.*/\1/g")
do
srcName="$1_${varName}"
srcVal=$(echo "${!srcName}" | sed -e "s/[&]/\\\&/g")
${SIMU} sed -i \
-e "s%^[ ]*${varName}=.*\$%${varName}=${srcVal}%" \
"$2"
done
}
framadateUpdate(){
[[ "${COMP_ENABLE}" =~ " framadate " ]] || return
if [ ! -f "${DOCK_LIB}/volumes/framadate_dateConfig/_data/config.php" ]; then
return 0
fi
checkDockerRunning "${framadateServName}" "Framadate" &&
${SIMU} docker exec -ti "${framadateServName}" bash -c -i "htpasswd -bc /var/framadate/admin/.htpasswd ${framadate_HTTPD_USER} ${framadate_HTTPD_PASSWORD}"
${SIMU} sed -i \
-e "s/^#*const DB_USER[ ]*=.*$/const DB_USER= '${framadate_MYSQL_USER}';/g" \
-e "s/^#*const DB_PASSWORD[ ]*=.*$/const DB_PASSWORD= '${framadate_MYSQL_PASSWORD}';/g" \
"${DOCK_LIB}/volumes/framadate_dateConfig/_data/config.php"
}
jirafeauUpdate(){
[[ "${COMP_ENABLE}" =~ " jirafeau " ]] || return
if [ ! -f "${DOCK_LIB}/volumes/jirafeau_fileConfig/_data/config.local.php" ]; then
return 0
fi
SHA=$(echo -n "${jirafeau_HTTPD_PASSWORD}" | sha256sum | cut -d \ -f 1)
${SIMU} sed -i \
-e "s/'admin_password'[ ]*=>[ ]*'[^']*'/'admin_password' => '${SHA}'/g" \
"${DOCK_LIB}/volumes/jirafeau_fileConfig/_data/config.local.php"
}
####################
# main
updateEnvDB "etherpad" "${KAZ_KEY_DIR}/env-${etherpadDBName}" "${etherpadDBName}"
updateEnvDB "framadate" "${KAZ_KEY_DIR}/env-${framadateDBName}" "${framadateDBName}"
updateEnvDB "gitea" "${KAZ_KEY_DIR}/env-${gitDBName}" "${gitDBName}"
updateEnvDB "mattermost" "${KAZ_KEY_DIR}/env-${mattermostDBName}" "${mattermostDBName}"
updateEnvDB "nextcloud" "${KAZ_KEY_DIR}/env-${nextcloudDBName}" "${nextcloudDBName}"
updateEnvDB "roundcube" "${KAZ_KEY_DIR}/env-${roundcubeDBName}" "${roundcubeDBName}"
updateEnvDB "sympa" "${KAZ_KEY_DIR}/env-${sympaDBName}" "${sympaDBName}"
updateEnvDB "vigilo" "${KAZ_KEY_DIR}/env-${vigiloDBName}" "${vigiloDBName}"
updateEnvDB "wp" "${KAZ_KEY_DIR}/env-${wordpressDBName}" "${wordpressDBName}"
updateEnvDB "vaultwarden" "${KAZ_KEY_DIR}/env-${vaultwardenDBName}" "${vaultwardenDBName}"
updateEnvDB "castopod" "${KAZ_KEY_DIR}/env-${castopodDBName}" "${castopodDBName}"
updateEnvDB "spip" "${KAZ_KEY_DIR}/env-${spipDBName}" "${spipDBName}"
updateEnvDB "mastodon" "${KAZ_KEY_DIR}/env-${mastodonDBName}" "${mastodonDBName}"
updateEnv "apikaz" "${KAZ_KEY_DIR}/env-${apikazServName}"
updateEnv "ethercalc" "${KAZ_KEY_DIR}/env-${ethercalcServName}"
updateEnv "etherpad" "${KAZ_KEY_DIR}/env-${etherpadServName}"
updateEnv "framadate" "${KAZ_KEY_DIR}/env-${framadateServName}"
updateEnv "gandi" "${KAZ_KEY_DIR}/env-gandi"
updateEnv "gitea" "${KAZ_KEY_DIR}/env-${gitServName}"
updateEnv "jirafeau" "${KAZ_KEY_DIR}/env-${jirafeauServName}"
updateEnv "mattermost" "${KAZ_KEY_DIR}/env-${mattermostServName}"
updateEnv "nextcloud" "${KAZ_KEY_DIR}/env-${nextcloudServName}"
updateEnv "office" "${KAZ_KEY_DIR}/env-${officeServName}"
updateEnv "roundcube" "${KAZ_KEY_DIR}/env-${roundcubeServName}"
updateEnv "vigilo" "${KAZ_KEY_DIR}/env-${vigiloServName}"
updateEnv "wp" "${KAZ_KEY_DIR}/env-${wordpressServName}"
updateEnv "ldap" "${KAZ_KEY_DIR}/env-${ldapServName}"
updateEnv "sympa" "${KAZ_KEY_DIR}/env-${sympaServName}"
updateEnv "mail" "${KAZ_KEY_DIR}/env-${smtpServName}"
updateEnv "mobilizon" "${KAZ_KEY_DIR}/env-${mobilizonServName}"
updateEnv "mobilizon" "${KAZ_KEY_DIR}/env-${mobilizonDBName}"
updateEnv "vaultwarden" "${KAZ_KEY_DIR}/env-${vaultwardenServName}"
updateEnv "castopod" "${KAZ_KEY_DIR}/env-${castopodServName}"
updateEnv "spip" "${KAZ_KEY_DIR}/env-${spipServName}"
updateEnv "ldap" "${KAZ_KEY_DIR}/env-${ldapUIName}"
updateEnv "peertube" "${KAZ_KEY_DIR}/env-${peertubeServName}"
updateEnv "peertube" "${KAZ_KEY_DIR}/env-${peertubeDBName}" "${peertubeDBName}"
updateEnv "mastodon" "${KAZ_KEY_DIR}/env-${mastodonServName}"
framadateUpdate
jirafeauUpdate
exit 0


@@ -159,3 +159,8 @@ apikazServName=apikazServ
# services activés par container.sh # services activés par container.sh
# variables d'environneements utilisées # variables d'environneements utilisées
# pour le tmpl du mandataire (proxy) # pour le tmpl du mandataire (proxy)
##################
#qui on envoi le mail d'inscription ?
EMAIL_CONTACT="toto@kaz.bzh"


@@ -1,58 +0,0 @@
FROM alpine:3.17
# Some ENV variables
ENV PATH="/mattermost/bin:${PATH}"
#ENV MM_VERSION=5.32.0
ENV MM_VERSION=6.1.0
ENV MM_INSTALL_TYPE=docker
# Build argument to set Mattermost edition
ARG edition=enterprise
ARG PUID=2000
ARG PGID=2000
ARG MM_BINARY=
# Install some needed packages
RUN apk add --no-cache \
ca-certificates \
curl \
jq \
libc6-compat \
libffi-dev \
libcap \
linux-headers \
mailcap \
netcat-openbsd \
xmlsec-dev \
tzdata \
&& rm -rf /tmp/*
# Get Mattermost
RUN mkdir -p /mattermost/data /mattermost/plugins /mattermost/client/plugins \
&& if [ ! -z "$MM_BINARY" ]; then curl $MM_BINARY | tar -xvz ; \
elif [ "$edition" = "team" ] ; then curl https://releases.mattermost.com/$MM_VERSION/mattermost-team-$MM_VERSION-linux-amd64.tar.gz?src=docker-app | tar -xvz ; \
else curl https://releases.mattermost.com/$MM_VERSION/mattermost-$MM_VERSION-linux-amd64.tar.gz?src=docker-app | tar -xvz ; fi \
&& cp /mattermost/config/config.json /config.json.save \
&& rm -rf /mattermost/config/config.json \
&& addgroup -g ${PGID} mattermost \
&& adduser -D -u ${PUID} -G mattermost -h /mattermost -D mattermost \
&& chown -R mattermost:mattermost /mattermost /config.json.save /mattermost/plugins /mattermost/client/plugins \
&& setcap cap_net_bind_service=+ep /mattermost/bin/mattermost
USER mattermost
#Healthcheck to make sure container is ready
HEALTHCHECK CMD curl --fail http://localhost:8000 || exit 1
# Configure entrypoint and command
COPY entrypoint.sh /
ENTRYPOINT ["/entrypoint.sh"]
WORKDIR /mattermost
CMD ["mattermost"]
# Expose port 8000 of the container
EXPOSE 8000
# Declare volumes for mount point directories
VOLUME ["/mattermost/data", "/mattermost/logs", "/mattermost/config", "/mattermost/plugins", "/mattermost/client/plugins"]


@@ -1,82 +0,0 @@
#!/bin/sh
# Function to generate a random salt
generate_salt() {
tr -dc 'a-zA-Z0-9' < /dev/urandom | fold -w 48 | head -n 1
}
# Read environment variables or set default values
DB_HOST=${DB_HOST:-db}
DB_PORT_NUMBER=${DB_PORT_NUMBER:-5432}
# see https://www.postgresql.org/docs/current/libpq-ssl.html
# for usage when database connection requires encryption
# filenames should be escaped if they contain spaces
# i.e. $(printf %s ${MY_ENV_VAR:-''} | jq -s -R -r @uri)
# the location of the CA file can be set using environment var PGSSLROOTCERT
# the location of the CRL file can be set using PGSSLCRL
# The URL syntax for connection string does not support the parameters
# sslrootcert and sslcrl reliably, so use these PostgreSQL-specified variables
# to set names if using a location other than default
DB_USE_SSL=${DB_USE_SSL:-disable}
MM_DBNAME=${MM_DBNAME:-mattermost}
MM_CONFIG=${MM_CONFIG:-/mattermost/config/config.json}
_1=$(echo "$1" | awk '{ s=substr($0, 0, 1); print s; }' )
if [ "$_1" = '-' ]; then
set -- mattermost "$@"
fi
if [ "$1" = 'mattermost' ]; then
# Check CLI args for a -config option
for ARG in "$@"; do
case "$ARG" in
-config=*) MM_CONFIG=${ARG#*=};;
esac
done
if [ ! -f "$MM_CONFIG" ]; then
# If there is no configuration file, create it with some default values
echo "No configuration file $MM_CONFIG"
echo "Creating a new one"
# Copy default configuration file
cp /config.json.save "$MM_CONFIG"
# Substitute some parameters with jq
jq '.ServiceSettings.ListenAddress = ":8000"' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
jq '.LogSettings.EnableConsole = true' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
jq '.LogSettings.ConsoleLevel = "ERROR"' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
jq '.FileSettings.Directory = "/mattermost/data/"' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
jq '.FileSettings.EnablePublicLink = true' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
jq ".FileSettings.PublicLinkSalt = \"$(generate_salt)\"" "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
jq '.EmailSettings.SendEmailNotifications = false' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
jq '.EmailSettings.FeedbackEmail = ""' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
jq '.EmailSettings.SMTPServer = ""' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
jq '.EmailSettings.SMTPPort = ""' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
jq ".EmailSettings.InviteSalt = \"$(generate_salt)\"" "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
jq ".EmailSettings.PasswordResetSalt = \"$(generate_salt)\"" "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
jq '.RateLimitSettings.Enable = true' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
jq '.SqlSettings.DriverName = "postgres"' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
jq ".SqlSettings.AtRestEncryptKey = \"$(generate_salt)\"" "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
jq '.PluginSettings.Directory = "/mattermost/plugins/"' "$MM_CONFIG" > "$MM_CONFIG.tmp" && mv "$MM_CONFIG.tmp" "$MM_CONFIG"
else
echo "Using existing config file $MM_CONFIG"
fi
# Configure database access
if [ -z "$MM_SQLSETTINGS_DATASOURCE" ] && [ -n "$MM_USERNAME" ] && [ -n "$MM_PASSWORD" ]; then
echo "Configure database connection..."
# URLEncode the password, allowing for special characters
ENCODED_PASSWORD=$(printf %s "$MM_PASSWORD" | jq -s -R -r @uri)
export MM_SQLSETTINGS_DATASOURCE="postgres://$MM_USERNAME:$ENCODED_PASSWORD@$DB_HOST:$DB_PORT_NUMBER/$MM_DBNAME?sslmode=$DB_USE_SSL&connect_timeout=10"
echo "OK"
else
echo "Using existing database connection"
fi
# Wait another second for the database to be properly started.
# Necessary to avoid "panic: Failed to open sql connection pq: the database system is starting up"
sleep 1
echo "Starting mattermost"
fi
exec "$@"


@@ -25,57 +25,66 @@ SQL=""
for ARG in "$@"; do for ARG in "$@"; do
case "${ARG}" in case "${ARG}" in
'cloud' ) 'cloud' )
. $KAZ_KEY_DIR/orgas/$ORGA/env-nextcloudDB
SQL="$SQL SQL="$SQL
CREATE DATABASE IF NOT EXISTS ${nextcloud_MYSQL_DATABASE}; CREATE DATABASE IF NOT EXISTS ${MYSQL_DATABASE};
DROP USER IF EXISTS '${nextcloud_MYSQL_USER}'; DROP USER IF EXISTS '${MYSQL_USER}';
CREATE USER '${nextcloud_MYSQL_USER}'@'%'; CREATE USER '${MYSQL_USER}'@'%';
GRANT ALL ON ${nextcloud_MYSQL_DATABASE}.* TO '${nextcloud_MYSQL_USER}'@'%' IDENTIFIED BY '${nextcloud_MYSQL_PASSWORD}'; GRANT ALL ON ${MYSQL_DATABASE}.* TO '${MYSQL_USER}'@'%' IDENTIFIED BY '${MYSQL_PASSWORD}';
FLUSH PRIVILEGES;" FLUSH PRIVILEGES;"
;; ;;
'agora' ) 'agora' )
. $KAZ_KEY_DIR/orgas/$ORGA/env-mattermostDB
SQL="$SQL SQL="$SQL
CREATE DATABASE IF NOT EXISTS ${mattermost_MYSQL_DATABASE}; CREATE DATABASE IF NOT EXISTS ${MYSQL_DATABASE};
DROP USER IF EXISTS '${mattermost_MYSQL_USER}'; DROP USER IF EXISTS '${MYSQL_USER}';
CREATE USER '${mattermost_MYSQL_USER}'@'%'; CREATE USER '${MYSQL_USER}'@'%';
GRANT ALL ON ${mattermost_MYSQL_DATABASE}.* TO '${mattermost_MYSQL_USER}'@'%' IDENTIFIED BY '${mattermost_MYSQL_PASSWORD}'; GRANT ALL ON ${MYSQL_DATABASE}.* TO '${MYSQL_USER}'@'%' IDENTIFIED BY '${MYSQL_PASSWORD}';
FLUSH PRIVILEGES;" FLUSH PRIVILEGES;"
;; ;;
'wp' ) 'wp' )
. $KAZ_KEY_DIR/orgas/$ORGA/env-wpDB
SQL="$SQL SQL="$SQL
CREATE DATABASE IF NOT EXISTS ${wp_MYSQL_DATABASE}; CREATE DATABASE IF NOT EXISTS ${MYSQL_DATABASE};
DROP USER IF EXISTS '${wp_MYSQL_USER}'; DROP USER IF EXISTS '${MYSQL_USER}';
CREATE USER '${wp_MYSQL_USER}'@'%'; CREATE USER '${MYSQL_USER}'@'%';
GRANT ALL ON ${wp_MYSQL_DATABASE}.* TO '${wp_MYSQL_USER}'@'%' IDENTIFIED BY '${wp_MYSQL_PASSWORD}'; GRANT ALL ON ${MYSQL_DATABASE}.* TO '${MYSQL_USER}'@'%' IDENTIFIED BY '${MYSQL_PASSWORD}';
FLUSH PRIVILEGES;" FLUSH PRIVILEGES;"
;; ;;
'castopod' ) 'castopod' )
. $KAZ_KEY_DIR/orgas/$ORGA/env-castopodDB
SQL="$SQL SQL="$SQL
CREATE DATABASE IF NOT EXISTS ${castopod_MYSQL_DATABASE}; CREATE DATABASE IF NOT EXISTS ${MYSQL_DATABASE};
DROP USER IF EXISTS '${castopod_MYSQL_USER}'; DROP USER IF EXISTS '${MYSQL_USER}';
CREATE USER '${castopod_MYSQL_USER}'@'%'; CREATE USER '${MYSQL_USER}'@'%';
GRANT ALL ON ${castopod_MYSQL_DATABASE}.* TO '${castopod_MYSQL_USER}'@'%' IDENTIFIED BY '${castopod_MYSQL_PASSWORD}'; GRANT ALL ON ${MYSQL_DATABASE}.* TO '${MYSQL_USER}'@'%' IDENTIFIED BY '${MYSQL_PASSWORD}';
FLUSH PRIVILEGES;" FLUSH PRIVILEGES;"
;; ;;
'spip' ) 'spip' )
. $KAZ_KEY_DIR/orgas/$ORGA/env-spipDB
SQL="$SQL SQL="$SQL
CREATE DATABASE IF NOT EXISTS ${spip_MYSQL_DATABASE}; CREATE DATABASE IF NOT EXISTS ${MYSQL_DATABASE};
DROP USER IF EXISTS '${spip_MYSQL_USER}'; DROP USER IF EXISTS '${MYSQL_USER}';
CREATE USER '${spip_MYSQL_USER}'@'%'; CREATE USER '${MYSQL_USER}'@'%';
GRANT ALL ON ${spip_MYSQL_DATABASE}.* TO '${spip_MYSQL_USER}'@'%' IDENTIFIED BY '${spip_MYSQL_PASSWORD}'; GRANT ALL ON ${MYSQL_DATABASE}.* TO '${MYSQL_USER}'@'%' IDENTIFIED BY '${MYSQL_PASSWORD}';
FLUSH PRIVILEGES;" FLUSH PRIVILEGES;"
;; ;;
@@ -84,4 +93,4 @@ FLUSH PRIVILEGES;"
esac esac
done done
echo $SQL | docker exec -i ${ORGA}-DB bash -c "mariadb --user=root --password=${wp_MYSQL_ROOT_PASSWORD}" echo $SQL | docker exec -i ${ORGA}-DB bash -c "mariadb --user=root --password=${MYSQL_ROOT_PASSWORD}"
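Review bot: The final `mariadb` call now uses `${MYSQL_ROOT_PASSWORD}`, whose value is whatever the last sourced `env-*DB` file happened to define, and it is empty when no argument matched a `case` arm or that file does not carry the root password. Sourcing one fixed file for the root credential before the loop would remove the dependence on argument order. The password is also interpolated into a `bash -c` string; `echo "$SQL" | docker exec -i -e MYSQL_PWD="${MYSQL_ROOT_PASSWORD:?}" "${ORGA}-DB" mariadb --user=root` avoids the extra shell parsing and keeps it off the client's command line inside the container. Quoting `"$SQL"` also stops the `.*` in the GRANT statements from being glob-expanded by the shell.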


@@ -1,3 +0,0 @@
CREATE DATABASE IF NOT EXISTS nextcloud;
CREATE DATABASE IF NOT EXISTS mattermost;
CREATE DATABASE IF NOT EXISTS wpdb;


@@ -1,10 +0,0 @@
# acl.auth.php
# <?php exit()?>
# Don't modify the lines above
#
# Access Control Lists
#
# Auto-generated by install script
# Date: Sat, 13 Feb 2021 17:42:28 +0000
* @ALL 1
* @user 8


@@ -1,26 +0,0 @@
<?php
/*
* Dokuwiki's Main Configuration File - Local Settings
* Auto-generated by config plugin
* Run for user: felix
* Date: Sun, 28 Feb 2021 15:56:13 +0000
*/
$conf['title'] = 'Kaz';
$conf['template'] = 'docnavwiki';
$conf['license'] = 'cc-by-sa';
$conf['useacl'] = 1;
$conf['superuser'] = '@admin';
$conf['manager'] = '@manager';
$conf['disableactions'] = 'register';
$conf['remoteuser'] = '';
$conf['mailfrom'] = 'dokuwiki@kaz.bzh';
$conf['updatecheck'] = 0;
$conf['userewrite'] = '1';
$conf['useslash'] = 1;
$conf['plugin']['ckgedit']['scayt_auto'] = 'on';
$conf['plugin']['ckgedit']['scayt_lang'] = 'French/fr_FR';
$conf['plugin']['ckgedit']['other_lang'] = 'fr';
$conf['plugin']['smtp']['smtp_host'] = 'smtp.kaz.bzh';
$conf['plugin']['todo']['CheckboxText'] = 0;
$conf['plugin']['wrap']['restrictionType'] = '1';


@@ -1,13 +0,0 @@
# users.auth.php
# <?php exit()?>
# Don't modify the lines above
#
# Userfile
#
# Auto-generated by install script
# Date: Sat, 13 Feb 2021 17:42:28 +0000
#
# Format:
# login:passwordhash:Real Name:email:groups,comma,separated
admin:$2y$10$GYvFgViXeEUmDViplHEs7eoYV8tmbfsS8wA1vfHQ.tWgW14o9aTjy:admin:contact@kaz.bzh:admin,user


@@ -1,21 +0,0 @@
#proxy_buffering off;
#proxy_set_header X-Forwarded-Host $host:$server_port;
#proxy_set_header X-Forwarded-Server $host;
#XXX pb proxy_set_header Connection $proxy_connection;
proxy_buffers 256 16k;
proxy_buffer_size 16k;
# mattermost
http2_push_preload on; # Enable HTTP/2 Server Push
add_header Strict-Transport-Security max-age=15768000;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
#proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
#proxy_hide_header 'x-frame-options';
#proxy_set_header x-frame-options allowall;
proxy_set_header X-Frame-Options SAMEORIGIN;


@@ -5,7 +5,9 @@ NEWPASSWORD=$(base64 -d <<< $2)
OLDPASSWORD=$(base64 -d <<< $3) OLDPASSWORD=$(base64 -d <<< $3)
URL_AGORA="https://${matterHost}.${domain}" URL_AGORA="https://${matterHost}.${domain}"
mattermost_token=${LDAPUI_MM_ADMIN_TOKEN}
#mattermost_token=${LDAPUI_MM_ADMIN_TOKEN}
. $KAZ_KEY_DIR/env-mattermostAdmin
IDUSER=$(curl -s -H "Authorization: Bearer ${mattermost_token}" "${URL_AGORA}/api/v4/users/email/${EMAIL}" | awk -F "," '{print $1}' | sed -e 's/{"id"://g' -e 's/"//g') IDUSER=$(curl -s -H "Authorization: Bearer ${mattermost_token}" "${URL_AGORA}/api/v4/users/email/${EMAIL}" | awk -F "," '{print $1}' | sed -e 's/{"id"://g' -e 's/"//g')
if [ ${IDUSER} == 'app.user.missing_account.const' ] if [ ${IDUSER} == 'app.user.missing_account.const' ]
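Review bot: The new `. $KAZ_KEY_DIR/env-mattermostAdmin` assumes `KAZ_KEY_DIR` is set and the secrets directory is readable wherever this script runs, whereas the line it replaces took the token from `LDAPUI_MM_ADMIN_TOKEN`, which looks like a variable injected into the service's environment. If that assumption does not hold, the source fails and the `curl` goes out with an empty bearer token; `: "${mattermost_token:?}"` after the source line would surface that immediately. Sourcing the whole admin file also hands this script the admin user and password when it only needs the token, so a token-only file would be a tighter fit. Lines 1–4 of the file are outside the hunk, so `KAZ_KEY_DIR` may be defined there.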


@@ -6,7 +6,7 @@ KAZ_ROOT=/kaz
setKazVars setKazVars
. $DOCKERS_ENV . $DOCKERS_ENV
. $KAZ_ROOT/secret/SetAllPass.sh . $KAZ_KEY_DIR/env-mattermostAdmin
DOCKER_CMD="docker exec sympaServ" DOCKER_CMD="docker exec sympaServ"
URL_AGORA=$(echo $matterHost).$(echo $domain) URL_AGORA=$(echo $matterHost).$(echo $domain)


@@ -4,7 +4,7 @@ KAZ_ROOT=$(cd "$(dirname $0)/../.."; pwd)
. "${KAZ_ROOT}/bin/.commonFunctions.sh" . "${KAZ_ROOT}/bin/.commonFunctions.sh"
setKazVars setKazVars
. "${DOCKERS_ENV}" . "${DOCKERS_ENV}"
. "${KAZ_ROOT}/secret/SetAllPass.sh" . $KAZ_BIN_DIR/getPasswords.sh traefik
printKazMsg "\n *** Proxy update config" printKazMsg "\n *** Proxy update config"


@@ -2,227 +2,43 @@
# Attention à cause des scripts pas de ["'/] dans les mot de passe # Attention à cause des scripts pas de ["'/] dans les mot de passe
####################
# ethercalc
ethercalc_REDIS_PORT_6379_TCP_ADDR="redis"
ethercalc_REDIS_PORT_6379_TCP_PORT="6379"
####################
# etherpad
etherpad_MYSQL_ROOT_PASSWORD="--clean_val--"
etherpad_MYSQL_DATABASE="--clean_val--"
etherpad_MYSQL_USER="--clean_val--"
etherpad_MYSQL_PASSWORD="--clean_val--"
# Share with etherpadDB
etherpad_DB_NAME="${etherpad_MYSQL_DATABASE}"
etherpad_DB_USER="${etherpad_MYSQL_USER}"
etherpad_DB_PASS="${etherpad_MYSQL_PASSWORD}"
etherpad_DB_TYPE="mysql"
etherpad_DB_HOST="padDB"
etherpad_DB_PORT="3306"
#etherpad_DB_CHARSET="utf8"
#user: admin
etherpad_ADMIN_PASSWORD="--clean_val--"
etherpad_PAD_OPTIONS_LANG="fr"
etherpad_TITLE="KazPad"
etherpad_TRUST_PROXY="true"
####################
# framadate
framadate_MYSQL_ROOT_PASSWORD="--clean_val--"
framadate_MYSQL_DATABASE="--clean_val--"
framadate_MYSQL_USER="--clean_val--"
framadate_MYSQL_PASSWORD="--clean_val--"
framadate_HTTPD_USER="--clean_val--"
framadate_HTTPD_PASSWORD="--clean_val--"
##################
# Gandi
# à supprimer et à replacer par dns_gandi_api_key
gandi_GANDI_KEY="xxx"
gandi_GANDI_API="https://api.gandi.net/v5/livedns/domains/${domain}"
gandi_dns_gandi_api_key="${gandi_GANDI_KEY}"
####################
# mattermost
mattermost_MYSQL_ROOT_PASSWORD="--clean_val--"
mattermost_MYSQL_DATABASE="--clean_val--"
mattermost_MYSQL_USER="--clean_val--"
mattermost_MYSQL_PASSWORD="--clean_val--"
# Share with mattermostDB
mattermost_MM_DBNAME="${mattermost_MYSQL_DATABASE}"
mattermost_MM_USERNAME="${mattermost_MYSQL_USER}"
mattermost_MM_PASSWORD="${mattermost_MYSQL_PASSWORD}"
mattermost_DB_PORT_NUMBER="3306"
mattermost_DB_HOST="db"
mattermost_MM_SQLSETTINGS_DRIVERNAME="mysql"
mattermost_MM_ADMIN_EMAIL="admin@kaz.bzh"
# mattermost_MM_SQLSETTINGS_DATASOURCE = "MM_USERNAME:MM_PASSWORD@tcp(DB_HOST:DB_PORT_NUMBER)/MM_DBNAME?charset=utf8mb4,utf8&readTimeout=30s&writeTimeout=30s"
# Don't forget to replace all entries (beginning by MM_ and DB_) in MM_SQLSETTINGS_DATASOURCE with the real variables values.
mattermost_MM_SQLSETTINGS_DATASOURCE="${mattermost_MYSQL_USER}:${mattermost_MYSQL_PASSWORD}@tcp(${mattermost_DB_HOST}:${mattermost_DB_PORT_NUMBER})/${mattermost_MM_DBNAME}?charset=utf8mb4,utf8&readTimeout=30s&writeTimeout=30s"
# sinon avec postgres
# mattermost_MM_SQLSETTINGS_DATASOURCE = "postgres://${MM_USERNAME}:${MM_PASSWORD}@db:5432/${MM_DBNAME}?sslmode=disable&connect_timeout=10"
# A COPIER DANS UN FICHIER DE CONF !! -> mattermostAdmin
# pour envoyer des messages sur l'agora avec mmctl # pour envoyer des messages sur l'agora avec mmctl
mattermost_user="admin-mattermost" mattermost_user="admin-mattermost"
mattermost_pass="--clean_val--" mattermost_pass="--clean_val--"
mattermost_token="xxx-private" mattermost_token="xxx-private"
##################
# Openldap
ldap_LDAP_ADMIN_USERNAME="--clean_val--"
ldap_LDAP_ADMIN_PASSWORD="--clean_val--"
ldap_LDAP_CONFIG_ADMIN_USERNAME="--clean_val--"
ldap_LDAP_CONFIG_ADMIN_PASSWORD="--clean_val--"
ldap_LDAP_POSTFIX_PASSWORD="--clean_val--"
ldap_LDAP_LDAPUI_PASSWORD="--clean_val--"
ldap_LDAP_MATTERMOST_PASSWORD="--clean_val--"
ldap_LDAP_CLOUD_PASSWORD="--clean_val--"
ldap_LDAP_MOBILIZON_PASSWORD="--clean_val--"
ldap_LDAPUI_URI=ldap://ldap
ldap_LDAPUI_BASE_DN=${ldap_root}
ldap_LDAPUI_REQUIRE_STARTTLS=FALSE
ldap_LDAPUI_ADMINS_GROUP=admins
ldap_LDAPUI_ADMIN_BIND_DN=cn=ldapui,ou=applications,${ldap_root}
ldap_LDAPUI_ADMIN_BIND_PWD=${ldap_LDAP_LDAPUI_PASSWORD}
ldap_LDAPUI_IGNORE_CERT_ERRORS=TRUE
ldap_LDAPUI_PASSWORD="--clean_val--"
ldap_LDAPUI_MM_ADMIN_TOKEN=${mattermost_token}
###################
# gitea
gitea_MYSQL_ROOT_PASSWORD="--clean_val--"
gitea_MYSQL_DATABASE="--clean_val--"
gitea_MYSQL_USER="--clean_val--"
gitea_MYSQL_PASSWORD="--clean_val--"
# on ne peut pas utiliser le login "admin"
gitea_user_admin="admin_gitea"
gitea_pass_admin="--clean_val--"
gitea_admin_email="admin@kaz.bzh"
####################
# jirafeau
jirafeau_HTTPD_PASSWORD="--clean_val--"
jirafeau_DATA_DIR="--clean_val--"
####################
# nexcloud
nextcloud_MYSQL_ROOT_PASSWORD="${mattermost_MYSQL_ROOT_PASSWORD}"
nextcloud_MYSQL_DATABASE="--clean_val--"
nextcloud_MYSQL_USER="--clean_val--"
nextcloud_MYSQL_PASSWORD="--clean_val--"
nextcloud_NEXTCLOUD_ADMIN_USER="admin"
nextcloud_NEXTCLOUD_ADMIN_PASSWORD="--clean_val--"
nextcloud_MYSQL_HOST="db"
#user: admin
nextcloud_RAIN_LOOP="--clean_val--"
####################
# collabora
office_username="admin"
office_password="--clean_val--"
####################
# roundcube
roundcube_MYSQL_ROOT_PASSWORD="--clean_val--"
roundcube_MYSQL_DATABASE="--clean_val--"
roundcube_MYSQL_USER="--clean_val--"
roundcube_MYSQL_PASSWORD="--clean_val--"
# Share with roundcubeDB
roundcube_ROUNDCUBEMAIL_DB_TYPE="mysql"
roundcube_ROUNDCUBEMAIL_DB_NAME="${roundcube_MYSQL_DATABASE}"
roundcube_ROUNDCUBEMAIL_DB_USER="${roundcube_MYSQL_USER}"
roundcube_ROUNDCUBEMAIL_DB_PASSWORD="${roundcube_MYSQL_PASSWORD}"
roundcube_ROUNDCUBEMAIL_UPLOAD_MAX_FILESIZE="1G"
####################
# postfix LDAP
mail_LDAP_BIND_DN=cn=postfix,ou=applications,${ldap_root}
mail_LDAP_BIND_PW=${ldap_LDAP_POSTFIX_PASSWORD}
####################
# sympa
sympa_MYSQL_ROOT_PASSWORD="--clean_val--"
sympa_MYSQL_DATABASE="sympa"
sympa_MYSQL_USER="sympa"
sympa_MYSQL_PASSWORD="--clean_val--"
sympa_KEY="/etc/letsencrypt/live/${domain}/privkey.pem"
sympa_CERT="/etc/letsencrypt/live/${domain}/fullchain.pem"
sympa_LISTMASTERS="listmaster@${domain_sympa}"
sympa_ADMINEMAIL="listmaster@${domain_sympa}"
sympa_SOAP_USER="sympa"
sympa_SOAP_PASSWORD="--clean_val--"
# pour inscrire des users sur des listes sympa avec soap
#il faut que le user soit admin de sympa
sympa_user="a@${domain}"
sympa_pass="--clean_val--"
##################
# vigilo
vigilo_MYSQL_ROOT_PASSWORD="--clean_val--"
vigilo_MYSQL_USER="--clean_val--"
vigilo_MYSQL_PASSWORD="--clean_val--"
vigilo_MYSQL_DATABASE="--clean_val--"
vigilo_MYSQL_HOST="db"
#vigilo_BIND=
####################
# wordpress
wp_MYSQL_ROOT_PASSWORD="${mattermost_MYSQL_ROOT_PASSWORD}"
wp_MYSQL_DATABASE="--clean_val--"
wp_MYSQL_USER="--clean_val--"
wp_MYSQL_PASSWORD="--clean_val--"
# Share with wpDB
wp_WORDPRESS_DB_HOST="db:3306"
wp_WORDPRESS_DB_NAME="${wp_MYSQL_DATABASE}"
wp_WORDPRESS_DB_USER="${wp_MYSQL_USER}"
wp_WORDPRESS_DB_PASSWORD="${wp_MYSQL_PASSWORD}"
wp_WORDPRESS_ADMIN_USER="admin"
wp_WORDPRESS_ADMIN_PASSWORD="--clean_val--"
################## ##################
# A DEPLACER DANS DOCKER ENV
#qui envoi le mail d'inscription ? #qui envoi le mail d'inscription ?
EMAIL_CONTACT="toto@kaz.bzh" EMAIL_CONTACT="toto@kaz.bzh"
# A COPIER DANS UN FICHIER DE CONF !! -> paheko
################## ##################
# Paheko # Paheko
paheko_API_USER="admin-api" paheko_API_USER="admin-api"
paheko_API_PASSWORD="--clean_val--" paheko_API_PASSWORD="--clean_val--"
##################
# La nas de Kaz chez Grifon
nas_admin1="admin"
nas_password1="--clean_val--"
nas_admin2="kaz"
nas_password1="--clean_val--"
# compte mail pour les notifications du nas
nas_email_account="admin-nas@${domain}"
nas_email_password="--clean_val--"
# A virer dans koffre
################## ##################
#Compte sur outlook.com #Compte sur outlook.com
outlook_user="kaz-user@outlook.fr" outlook_user="kaz-user@outlook.fr"
outlook_pass="--clean_val--" outlook_pass="--clean_val--"
# A COPIER DANS UN FICHIER DE CONF !! -> mail
service_mail=admin-kaz@kaz.bzh
service_password=_bif2OkFaid_
################## ##################
#Borg #Borg
# A COPIER DANS UN FICHIER DE CONF !! -> borg
BORG_REPO="/mnt/backup-nas1/BorgRepo" BORG_REPO="/mnt/backup-nas1/BorgRepo"
BORG_PASSPHRASE="--clean_val--" BORG_PASSPHRASE="--clean_val--"
VOLUME_SAUVEGARDES="/mnt/backup-nas1" VOLUME_SAUVEGARDES="/mnt/backup-nas1"
@@ -230,148 +46,21 @@ MAIL_RAPPORT="a@${domain};b@${domain};c@${domain}"
BORGMOUNT="/mnt/disk-nas1/tmp/repo_mount" BORGMOUNT="/mnt/disk-nas1/tmp/repo_mount"
###################
# mobilizon
mobilizon_POSTGRES_USER="--clean_val--"
mobilizon_POSTGRES_PASSWORD="--clean_val--"
mobilizon_POSTGRES_DB=mobilizon
mobilizon_MOBILIZON_DATABASE_USERNAME="${mobilizon_POSTGRES_USER}"
mobilizon_MOBILIZON_DATABASE_PASSWORD="${mobilizon_POSTGRES_PASSWORD}"
mobilizon_MOBILIZON_DATABASE_DBNAME=mobilizon
mobilizon_MOBILIZON_INSTANCE_REGISTRATIONS_OPEN=false
mobilizon_MOBILIZON_INSTANCE_NAME="Mobilizon"
mobilizon_MOBILIZON_INSTANCE_HOST="${mobilizonHost}.${domain}"
mobilizon_MOBILIZON_INSTANCE_SECRET_KEY_BASE=changeme
mobilizon_MOBILIZON_INSTANCE_SECRET_KEY=changeme
mobilizon_MOBILIZON_INSTANCE_EMAIL=noreply@${domain}
mobilizon_MOBILIZON_REPLY_EMAIL=contact@${domain_sympa}
mobilizon_MOBILIZON_ADMIN_EMAIL=admin@${domain_sympa}
mobilizon_MOBILIZON_SMTP_SERVER="${smtpHost}.${domain}"
mobilizon_MOBILIZON_SMTP_PORT=25
mobilizon_MOBILIZON_SMTP_HOSTNAME="${smtpHost}.${domain}"
mobilizon_MOBILIZON_SMTP_USERNAME=noreply@${domain}
mobilizon_MOBILIZON_SMTP_PASSWORD=
mobilizon_MOBILIZON_SMTP_SSL=false
mobilizon_MOBILIZON_LDAP_BINDUID=cn=mobilizon,ou=applications,${ldap_root}
mobilizon_MOBILIZON_LDAP_BINDPASSWORD=${ldap_LDAP_MOBILIZON_PASSWORD}
#####################
# Vaultwarden
vaultwarden_MYSQL_ROOT_PASSWORD="--clean_val--"
vaultwarden_MYSQL_DATABASE="vaultwarden"
vaultwarden_MYSQL_USER="vaultwarden"
vaultwarden_MYSQL_PASSWORD="--clean_val--"
vaultwarden_DATABASE_URL="mysql://${vaultwarden_MYSQL_USER}:${vaultwarden_MYSQL_PASSWORD}@db/${vaultwarden_MYSQL_DATABASE}"
vaultwarden_ADMIN_TOKEN="--clean_val--"
##################### #####################
#Traefik #Traefik
# A COPIER DANS UN FICHIER DE CONF !! -> traefik
traefik_DASHBOARD_USER="admin" traefik_DASHBOARD_USER="admin"
traefik_DASHBOARD_PASSWORD="--clean_val--" traefik_DASHBOARD_PASSWORD="--clean_val--"
#####################
# dokuwiki
dokuwiki_WIKI_ROOT=Kaz
dokuwiki_WIKI_EMAIL=wiki@kaz.local
dokuwiki_WIKI_PASSWORD="--clean_val--"
##################### #####################
# Castopod # Castopod
castopod_MYSQL_ROOT_PASSWORD="--clean_val--" # A COPIER DANS UN FICHIER DE CONF !! castopodAdmin
castopod_MYSQL_DATABASE="--clean_val--"
castopod_MYSQL_USER="--clean_val--"
castopod_MYSQL_PASSWORD="--clean_val--"
castopod_CP_REDIS_PASSWORD="${castopodRedisPassword}"
castopod_ADMIN_USER=adminKaz castopod_ADMIN_USER=adminKaz
castopod_ADMIN_MAIL=admin@${domain} castopod_ADMIN_MAIL=admin@${domain}
castopod_ADMIN_PASSWORD="--clean_val--" castopod_ADMIN_PASSWORD="--clean_val--"
castopod_CP_EMAIL_SMTP_HOST="${smtpHost}.${domain}"
castopod_CP_EMAIL_SMTP_PORT=25
castopod_CP_EMAIL_SMTP_USERNAME=noreply@${domain}
castopod_CP_EMAIL_SMTP_PASSWORD=
castopod_CP_EMAIL_FROM=noreply@${domain}
castopod_CP_EMAIL_SMTP_CRYPTO=tls
#####################
# Spip
spip_MYSQL_ROOT_PASSWORD="--clean_val--"
spip_MYSQL_DATABASE="--clean_val--"
spip_MYSQL_USER="--clean_val--"
spip_MYSQL_PASSWORD="--clean_val--"
spip_SPIP_AUTO_INSTALL=1
spip_SPIP_DB_SERVER=mysql
spip_SPIP_DB_LOGIN="${spip_MYSQL_USER}"
spip_SPIP_DB_PASS="${spip_MYSQL_PASSWORD}"
spip_SPIP_DB_NAME="${spip_MYSQL_DATABASE}"
spip_SPIP_ADMIN_NAME=admin
spip_SPIP_ADMIN_LOGIN=admin
spip_SPIP_ADMIN_EMAIL=admin@${domain}
spip_SPIP_ADMIN_PASS="--clean_val--"
spip_PHP_TIMEZONE="Europe/Paris"
#####################
# Peertube
peertube_POSTGRES_USER="--clean_val--"
peertube_POSTGRES_PASSWORD="--clean_val--"
peertube_PEERTUBE_DB_NAME="--clean_val--"
peertube_PEERTUBE_DB_USERNAME="${peertube_POSTGRES_USER}"
peertube_PEERTUBE_DB_PASSWORD="${peertube_POSTGRES_PASSWORD}"
peertube_PEERTUBE_DB_SSL=false
peertube_PEERTUBE_DB_HOSTNAME="${peertubeDBName}"
peertube_PEERTUBE_WEBSERVER_HOSTNAME="${peertubeHost}.${domain}"
peertube_PEERTUBE_TRUST_PROXY="['10.0.0.0/8', '127.0.0.1', 'loopback', '172.18.0.0/16']"
peertube_PEERTUBE_SECRET="--clean_val--"
peertube_PT_INITIAL_ROOT_PASSWORD="--clean_val--"
#peertube_PEERTUBE_SMTP_USERNAME=
#peertube_PEERTUBE_SMTP_PASSWORD=
# Default to Postfix service name "postfix" in docker-compose.yml
# May be the hostname of your Custom SMTP server
peertube_PEERTUBE_SMTP_HOSTNAME=
peertube_PEERTUBE_SMTP_PORT=25
peertube_PEERTUBE_SMTP_FROM=
peertube_PEERTUBE_SMTP_TLS=false
peertube_PEERTUBE_SMTP_DISABLE_STARTTLS=false
peertube_PEERTUBE_ADMIN_EMAIL=
peertube_POSTFIX_myhostname=
#peertube_OPENDKIM_DOMAINS=peertube
peertube_OPENDKIM_RequireSafeKeys=no
peertube_PEERTUBE_OBJECT_STORAGE_UPLOAD_ACL_PUBLIC="public-read"
peertube_PEERTUBE_OBJECT_STORAGE_UPLOAD_ACL_PRIVATE="private"
######################
peertube_POSTGRES_DB="${peertube_PEERTUBE_DB_NAME}"
######################
# SNAPPYMAIL
# Url https://snappymail.${domain}/?admin
# au premier lancement un mot de passe est généré en aut par l' appli dans le
# volume Data : /var/lib/docker/volumes/snappymail_data/_data/_data_/_default_
# le fichier s' appelle admin_password.txt
# une fois le mot de passe changé dans le Gui de l' admin, ce fichier est automatiquement supprimé
snappymail_TZ="Europe/Paris"
snappymail_UPLOAD_MAX_SIZE="100M"
####################
# mastodon
mastodon_POSTGRES_USER="--clean_val--"
mastodon_POSTGRES_PASSWORD="--clean_val--"
mastodon_POSTGRES_DB=mastodon
mastodon_DB_USER="${mastodon_POSTGRES_USER}"
mastodon_DB_PASS="${mastodon_POSTGRES_PASSWORD}"
mastodon_DB_NAME=mastodon

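--- a/secret.tmpl/env-borg
+++ b/secret.tmpl/env-borg
@@ -0,0 +1,17 @@
+VOLUME_SAUVEGARDES=
+BORG_REPO=
+BORG_PASSPHRASE=
+BORGLOG="/var/log/borg"
+BORG_FIC_DEL="/tmp/sauvegarde_supp.txt"
+BORG_EXCLUDE_BACKUP=
+MAIL_RAPPORT=
+LISTREPSAUV=
+BORGMOUNT="/mnt/repo_borg"
+MAILOK=
+MAILWARNING=
+MAILDETAIL=
+BACKUPS_KEEP="4m"
+NB_BACKUPS_JOUR=90
+NB_BACKUPS_SEM=30
+NB_BACKUPS_MOIS=12
+BORGSCRIPTS=/root/borgscripts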
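Review bot: `BORG_FIC_DEL="/tmp/sauvegarde_supp.txt"` is a fixed, predictable file name in the world-writable /tmp, while `BORGSCRIPTS=/root/borgscripts` suggests the scripts that use it run as root. How the file is opened is not visible here, but a fixed name in /tmp can be pre-created or symlinked by any local user before the backup job runs. I would keep it with the logs, `BORG_FIC_DEL="/var/log/borg/sauvegarde_supp.txt"`, or have the script create the file with `mktemp`. `BORG_PASSPHRASE=` is also left empty with nothing saying it must be set before the first backup; a comment such as `# required: set per host, never commit a value` above it would help.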


@@ -0,0 +1,3 @@
ADMIN_USER=
ADMIN_MAIL=
ADMIN_PASSWORD="--clean_val--"
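Review bot: `ADMIN_PASSWORD="--clean_val--"` ships a non-empty placeholder as the secret, and the same is done for `API_PASSWORD` in secret.tmpl/env-paheko and `DASHBOARD_PASSWORD` in secret.tmpl/env-traefik, while env-mail and env-borg leave their secrets empty. The commit message says the secret generator is still to be redone, so nothing visible guarantees the placeholder gets replaced; a template copied as is would turn this publicly known string into a working admin password. Pick one convention for unset secrets and make the step that instantiates the templates fail on a leftover placeholder, for example `grep -rlF -- '--clean_val--' <secret-dir> && exit 1`.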

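--- a/secret.tmpl/env-mail
+++ b/secret.tmpl/env-mail
@@ -0,0 +1,2 @@
+service_mail=
+service_password=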
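Review bot: `service_password=` is rightly empty in this template, but the `service_password` line in the secrets listing earlier on this page carries a literal-looking value where every other password shows the `--clean_val--` placeholder. Whether that line sits on the old or the new side cannot be told from the rendering; either way the value is now in repository history. If it was ever valid for the `service_mail` account it should be rotated, and if the line survives on the new side it should read `service_password="--clean_val--"`.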


@@ -0,0 +1,3 @@
mattermost_user=
mattermost_pass=
mattermost_token=

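--- a/secret.tmpl/env-paheko
+++ b/secret.tmpl/env-paheko
@@ -0,0 +1,2 @@
+API_USER="admin-api"
+API_PASSWORD="--clean_val--"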

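--- a/secret.tmpl/env-traefik
+++ b/secret.tmpl/env-traefik
@@ -0,0 +1,2 @@
+DASHBOARD_USER="admin"
+DASHBOARD_PASSWORD="--clean_val--"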


@@ -4,3 +4,5 @@ WORDPRESS_DB_HOST=
WORDPRESS_DB_USER= WORDPRESS_DB_USER=
WORDPRESS_DB_PASSWORD= WORDPRESS_DB_PASSWORD=
WORDPRESS_DB_NAME= WORDPRESS_DB_NAME=
WORDPRESS_ADMIN_USER=
WORDPRESS_ADMIN_PASSWORD=